There is a double-free security bug in split_2MB_gtt_entry. Here is the calling chain: ppgtt_populate_spt -> ppgtt_populate_shadow_entry -> split_2MB_gtt_entry. If intel_gvt_dma_map_guest_page fails, it calls ppgtt_invalidate_spt, which finally calls ppgtt_free_spt and kfree(spt). But the caller does not notice that, and it calls ppgtt_free_spt again in the error path. Reference: https://bugzilla.redhat.com/show_bug.cgi?id=2132857
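The ownership mistake described in the report, modelled as an added standalone C example (this is not the i915 GVT code and not the upstream patch): a helper that releases the object on failure, a caller that releases it a second time in its error path, and a variant that hands ownership to the helper and returns without touching the object again. All names (`spt`, `map_guest_page`, `invalidate_spt`, `split_entry_buggy`, `split_entry_fixed`) are stand-ins chosen for this example; frees are counted instead of passed to free() so the double free is observable rather than undefined behaviour.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical shadow page table object. The 'freed' counter is
 * instrumentation only: it records how many times the object was released. */
struct spt {
    int freed;
};

/* Instrumented release: counts instead of calling free()/kfree(), so a
 * second release shows up as freed == 2 rather than as memory corruption. */
static void spt_free(struct spt *spt)
{
    spt->freed++;
}

/* Stand-in for the DMA-map step; fails when fail_map is non-zero. */
static int map_guest_page(int fail_map)
{
    return fail_map ? -ENOMEM : 0;
}

/* Stand-in for the invalidate routine: on the failure path it ends up
 * releasing the spt itself, which is the fact the buggy caller overlooks. */
static void invalidate_spt(struct spt *spt)
{
    spt_free(spt);
}

/* Buggy caller: the callee already released spt, and the shared error
 * path releases it again. */
static int split_entry_buggy(struct spt *spt, int fail_map)
{
    int ret = map_guest_page(fail_map);
    if (ret) {
        invalidate_spt(spt);   /* releases spt */
        goto err;
    }
    return 0;
err:
    spt_free(spt);             /* second release of the same object */
    return ret;
}

/* Fixed caller (one possible shape, not the upstream change): once
 * invalidate_spt has taken ownership, return without touching spt again. */
static int split_entry_fixed(struct spt *spt, int fail_map)
{
    int ret = map_guest_page(fail_map);
    if (ret) {
        invalidate_spt(spt);   /* ownership transferred; spt is gone */
        return ret;            /* must not fall into a free-everything path */
    }
    return 0;
}

/* Run one variant with a forced map failure and report how many times the
 * spt was released. 1 is correct; 2 is the double free. */
static int frees_after_failure(int (*variant)(struct spt *, int))
{
    struct spt *spt = calloc(1, sizeof *spt);
    if (!spt)
        return -1;
    variant(spt, 1);
    int n = spt->freed;
    free(spt);
    return n;
}

/* Same check on the success path: neither variant should release anything. */
static int frees_after_success(int (*variant)(struct spt *, int))
{
    struct spt *spt = calloc(1, sizeof *spt);
    if (!spt)
        return -1;
    variant(spt, 0);
    int n = spt->freed;
    free(spt);
    return n;
}

int main(void)
{
    printf("buggy caller, map failure: %d releases\n", frees_after_failure(split_entry_buggy));
    printf("fixed caller, map failure: %d releases\n", frees_after_failure(split_entry_fixed));
    printf("fixed caller, map success: %d releases\n", frees_after_success(split_entry_fixed));
    return 0;
}
```

The same instrumentation idea (count releases instead of freeing) is what KASAN and slab debugging do for real in the kernel; on a debug build the second kfree() in the real error path would be reported as a double free at the ppgtt_free_spt call site.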
Created kernel tracking bugs for this issue: Affects: fedora-all [bug 2134596]
*** This bug has been marked as a duplicate of bug 2137979 ***