summaryrefslogtreecommitdiffstats
path: root/drivers/gpu
diff options
context:
space:
mode:
authorJike Song <jike.song@intel.com>2016-12-16 03:51:05 +0100
committerZhenyu Wang <zhenyuw@linux.intel.com>2016-12-26 02:45:29 +0100
commitfaaaa53bdc6750c438887d44f99b60ad97ec74b4 (patch)
tree5e1a0e43d3b4f64416770d2800fe98adf228e6f8 /drivers/gpu
parentdrm/i915/gvt/kvmgt: dereference the pointer within lock (diff)
downloadlinux-faaaa53bdc6750c438887d44f99b60ad97ec74b4.tar.xz
linux-faaaa53bdc6750c438887d44f99b60ad97ec74b4.zip
drm/i915/gvt/kvmgt: check returned slot for gfn
gfn_to_memslot() may return NULL if the gfn is mmio or invalid. A malicious user might input a bad gfn to panic the host if we don't check it. Signed-off-by: Jike Song <jike.song@intel.com> Signed-off-by: Zhenyu Wang <zhenyuw@linux.intel.com>
Diffstat (limited to 'drivers/gpu')
-rw-r--r--drivers/gpu/drm/i915/gvt/kvmgt.c8
1 files changed, 8 insertions, 0 deletions
diff --git a/drivers/gpu/drm/i915/gvt/kvmgt.c b/drivers/gpu/drm/i915/gvt/kvmgt.c
index 4ba196796846..8b3b071a535e 100644
--- a/drivers/gpu/drm/i915/gvt/kvmgt.c
+++ b/drivers/gpu/drm/i915/gvt/kvmgt.c
@@ -1137,6 +1137,10 @@ static int kvmgt_write_protect_add(unsigned long handle, u64 gfn)
idx = srcu_read_lock(&kvm->srcu);
slot = gfn_to_memslot(kvm, gfn);
+ if (!slot) {
+ srcu_read_unlock(&kvm->srcu, idx);
+ return -EINVAL;
+ }
spin_lock(&kvm->mmu_lock);
@@ -1167,6 +1171,10 @@ static int kvmgt_write_protect_remove(unsigned long handle, u64 gfn)
idx = srcu_read_lock(&kvm->srcu);
slot = gfn_to_memslot(kvm, gfn);
+ if (!slot) {
+ srcu_read_unlock(&kvm->srcu, idx);
+ return -EINVAL;
+ }
spin_lock(&kvm->mmu_lock);