forked from rpms/qemu-kvm
You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
93 lines
3.4 KiB
93 lines
3.4 KiB
5 months ago
|
From 7ad4fc282b1f96d619ce2f9f7ed9049c3b894dd4 Mon Sep 17 00:00:00 2001
|
||
|
From: Jon Maloy <jmaloy@redhat.com>
|
||
|
Date: Thu, 18 Jul 2024 09:42:42 -0400
|
||
|
Subject: [PATCH 1/6] virtio-gpu: free BHs, by implementing unrealize
|
||
|
MIME-Version: 1.0
|
||
|
Content-Type: text/plain; charset=UTF-8
|
||
|
Content-Transfer-Encoding: 8bit
|
||
|
|
||
|
RH-Author: Jon Maloy <jmaloy@redhat.com>
|
||
|
RH-MergeRequest: 380: QEMU: virtio: DMA reentrancy issue leads to double free vulnerability
|
||
|
RH-Jira: RHEL-32276
|
||
|
RH-Acked-by: Gerd Hoffmann <None>
|
||
|
RH-Acked-by: Miroslav Rezanina <mrezanin@redhat.com>
|
||
|
RH-Commit: [1/6] d05c10426afac428d775669748f0aa689c23e787 (redhat/rhel/src/qemu-kvm/jons-qemu-kvm-2)
|
||
|
|
||
|
JIRA: https://issues.redhat.com/browse/RHEL-32276
|
||
|
CVE: CVE-2024-3446
|
||
|
Upstream: Merged
|
||
|
|
||
|
commit 957d77863e4564454eb97f8f371096843daf4678
|
||
|
Author: Marc-André Lureau <marcandre.lureau@redhat.com>
|
||
|
Date: Wed Jul 26 21:39:28 2023 +0400
|
||
|
|
||
|
virtio-gpu: free BHs, by implementing unrealize
|
||
|
|
||
|
Acked-by: Dongwon Kim <dongwon.kim@intel.com>
|
||
|
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
|
||
|
Message-Id: <20230726173929.690601-2-marcandre.lureau@redhat.com>
|
||
|
|
||
|
Signed-off-by: Jon Maloy <jmaloy@redhat.com>
|
||
|
---
|
||
|
hw/display/virtio-gpu-base.c | 2 +-
|
||
|
hw/display/virtio-gpu.c | 10 ++++++++++
|
||
|
include/hw/virtio/virtio-gpu.h | 1 +
|
||
|
3 files changed, 12 insertions(+), 1 deletion(-)
|
||
|
|
||
|
diff --git a/hw/display/virtio-gpu-base.c b/hw/display/virtio-gpu-base.c
|
||
|
index c8da4806e0..e3ff9dcf38 100644
|
||
|
--- a/hw/display/virtio-gpu-base.c
|
||
|
+++ b/hw/display/virtio-gpu-base.c
|
||
|
@@ -223,7 +223,7 @@ virtio_gpu_base_set_features(VirtIODevice *vdev, uint64_t features)
|
||
|
trace_virtio_gpu_features(((features & virgl) == virgl));
|
||
|
}
|
||
|
|
||
|
-static void
|
||
|
+void
|
||
|
virtio_gpu_base_device_unrealize(DeviceState *qdev)
|
||
|
{
|
||
|
VirtIOGPUBase *g = VIRTIO_GPU_BASE(qdev);
|
||
|
diff --git a/hw/display/virtio-gpu.c b/hw/display/virtio-gpu.c
|
||
|
index ecf9079145..e230e5091f 100644
|
||
|
--- a/hw/display/virtio-gpu.c
|
||
|
+++ b/hw/display/virtio-gpu.c
|
||
|
@@ -1341,6 +1341,15 @@ void virtio_gpu_device_realize(DeviceState *qdev, Error **errp)
|
||
|
QTAILQ_INIT(&g->fenceq);
|
||
|
}
|
||
|
|
||
|
+static void virtio_gpu_device_unrealize(DeviceState *qdev)
|
||
|
+{
|
||
|
+ VirtIOGPU *g = VIRTIO_GPU(qdev);
|
||
|
+
|
||
|
+ g_clear_pointer(&g->ctrl_bh, qemu_bh_delete);
|
||
|
+ g_clear_pointer(&g->cursor_bh, qemu_bh_delete);
|
||
|
+ virtio_gpu_base_device_unrealize(qdev);
|
||
|
+}
|
||
|
+
|
||
|
void virtio_gpu_reset(VirtIODevice *vdev)
|
||
|
{
|
||
|
VirtIOGPU *g = VIRTIO_GPU(vdev);
|
||
|
@@ -1436,6 +1445,7 @@ static void virtio_gpu_class_init(ObjectClass *klass, void *data)
|
||
|
vgbc->gl_flushed = virtio_gpu_handle_gl_flushed;
|
||
|
|
||
|
vdc->realize = virtio_gpu_device_realize;
|
||
|
+ vdc->unrealize = virtio_gpu_device_unrealize;
|
||
|
vdc->reset = virtio_gpu_reset;
|
||
|
vdc->get_config = virtio_gpu_get_config;
|
||
|
vdc->set_config = virtio_gpu_set_config;
|
||
|
diff --git a/include/hw/virtio/virtio-gpu.h b/include/hw/virtio/virtio-gpu.h
|
||
|
index acfba7c76c..4367d005f1 100644
|
||
|
--- a/include/hw/virtio/virtio-gpu.h
|
||
|
+++ b/include/hw/virtio/virtio-gpu.h
|
||
|
@@ -235,6 +235,7 @@ bool virtio_gpu_base_device_realize(DeviceState *qdev,
|
||
|
VirtIOHandleOutput ctrl_cb,
|
||
|
VirtIOHandleOutput cursor_cb,
|
||
|
Error **errp);
|
||
|
+void virtio_gpu_base_device_unrealize(DeviceState *qdev);
|
||
|
void virtio_gpu_base_reset(VirtIOGPUBase *g);
|
||
|
void virtio_gpu_base_fill_display_info(VirtIOGPUBase *g,
|
||
|
struct virtio_gpu_resp_display_info *dpy_info);
|
||
|
--
|
||
|
2.39.3
|
||
|
|