drm/i915/gvt/kvmgt: check returned slot for gfn

gfn_to_memslot() may return NULL if the gfn is mmio or invalid. A malicious user might input a bad gfn to panic the host if we don't check it. Signed-off-by: Jike Song <jike.song@intel.com> Signed-off-by: Zhenyu Wang <zhenyuw@linux.intel.com>
author: Jike Song <jike.song@intel.com> 2016-12-16 10:51:05 +0800
committer: Zhenyu Wang <zhenyuw@linux.intel.com> 2016-12-26 09:45:29 +0800
commit: faaaa53bdc6750c438887d44f99b60ad97ec74b4 (patch)
tree: 5e1a0e43d3b4f64416770d2800fe98adf228e6f8 /drivers/gpu
parent: bfeca3e5716a16b95a1fb7104e477ca3bd5ed59e (diff)
1 files changed, 8 insertions, 0 deletions
diff --git a/drivers/gpu/drm/i915/gvt/kvmgt.c b/drivers/gpu/drm/i915/gvt/kvmgt.c
index 4ba196796846..8b3b071a535e 100644
--- a/drivers/gpu/drm/i915/gvt/kvmgt.c
+++ b/drivers/gpu/drm/i915/gvt/kvmgt.c
@@ -1137,6 +1137,10 @@ static int kvmgt_write_protect_add(unsigned long handle, u64 gfn)
 
 	idx = srcu_read_lock(&kvm->srcu);
 	slot = gfn_to_memslot(kvm, gfn);
+	if (!slot) {
+		srcu_read_unlock(&kvm->srcu, idx);
+		return -EINVAL;
+	}
 
 	spin_lock(&kvm->mmu_lock);
 
@@ -1167,6 +1171,10 @@ static int kvmgt_write_protect_remove(unsigned long handle, u64 gfn)
 
 	idx = srcu_read_lock(&kvm->srcu);
 	slot = gfn_to_memslot(kvm, gfn);
+	if (!slot) {
+		srcu_read_unlock(&kvm->srcu, idx);
+		return -EINVAL;
+	}
 
 	spin_lock(&kvm->mmu_lock);
author	Jike Song <jike.song@intel.com>	2016-12-16 10:51:05 +0800
committer	Zhenyu Wang <zhenyuw@linux.intel.com>	2016-12-26 09:45:29 +0800
commit	faaaa53bdc6750c438887d44f99b60ad97ec74b4 (patch)
tree	5e1a0e43d3b4f64416770d2800fe98adf228e6f8 /drivers/gpu
parent	bfeca3e5716a16b95a1fb7104e477ca3bd5ed59e (diff)