packages/qemu
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
qemu/bugfix-fix-eventfds-may-double-free-when-vm_id-reuse.patch

50 lines
1.6 KiB
Diff
Raw Permalink Normal View History

QEMU update to version 8.2.0-2 - block: bugfix: Don't pause vm when NOSPACE EIO happened - block: enable cache mode of empty cdrom - block/mirror: fix file-system went to read-only after block-mirror - scsi-bus: fix incorrect call for blk_error_retry_reset_timeout() - scsi-bus: fix unmatched object_unref() - block: Add sanity check when setting retry parameters - block-backend: Stop retrying when draining - scsi-disk: Add support for retry on errors - scsi-bus: Refactor the code that retries requests - virtio_blk: Add support for retry on errors - block: Add error retry param setting - block-backend: Add timeout support for retry - block-backend: Enable retry action on errors - block-backend: Add device specific retry callback - block-backend: Introduce retry timer - qapi/block-core: Add retry option for error action - scsi: bugfix: fix division by zero - scsi: cdrom: Fix crash after remote cdrom detached - qemu-pr: fixed ioctl failed for multipath disk - scsi-disk: define props in scsi_block_disk to avoid memleaks - bugfix: fix possible memory leak - bugfix: fix some illegal memory access and memory leak - util/log: add CONFIG_DISABLE_QEMU_LOG macro - log: Add some logs on VM runtime path - bugfix: fix eventfds may double free when vm_id reused in ivshmem - hw/display/macfb: Fix missing ERRP_GUARD() in macfb_nubus_realize() - hw/cxl/cxl-host: Fix missing ERRP_GUARD() in cxl_fixed_memory_window_config() - qemu-img create: 'cache' paramter only use for reg file image - qemu-img: add qemu-img direct create - qemu-img block: set zero flags only when discard_zeros of the block supported - Revert "file-posix: Remove unused s->discard_zeroes" - pcie_sriov: Validate NumVFs (CVE-2024-26327) - hw/nvme: Use pcie_sriov_num_vfs() (CVE-2024-26328) - hw/acpi/cpu: Use CPUState typedef - target/i386/sev: Fix missing ERRP_GUARD() for error_prepend() - virtio-gpu: remove needless condition - hw/i2c/smbus_slave: Add object path on error prints - vfio/pci: Ascend710 change to bar2 quirk - vfio/pci: Ascend910 need 4Bytes quirk in bar0 - vfio/pci: Ascend710 need 4Bytes quirk in bar0 - vfio/pci: Ascend310 need 4Bytes quirk in bar4 - chardev/char-socket: Fix TLS io channels sending too much data to the backend - i386/cpuid: Move leaf 7 to correct group - i386/cpuid: Decrease cpuid_i when skipping CPUID leaf 1F - i386/cpu: Mask with XCR0/XSS mask for FEAT_XSAVE_XCR0_HI and FEAT_XSAVE_XSS_HI leafs - i386/cpu: Clear FEAT_XSAVE_XSS_LO/HI leafs when CPUID_EXT_XSAVE is not available - blkio: Respect memory-alignment for bounce buffer allocations - virtio-gpu: Correct virgl_renderer_resource_get_info() error check - hw/usb: Style cleanup - tests/qemu-iotests: resolved the problem that the 108 test cases in the container fail Signed-off-by: Jiabo Feng <fengjiabo1@huawei.com> (cherry picked from commit 404d45bf9147058a475a8031c454a6c8e0acc123)
2024-03-23 09:20:40 +08:00
From 6588c017de54bab8a11509d43e2ddabf065cfa50 Mon Sep 17 00:00:00 2001
From: jiangdongxu <jiangdongxu1@huawei.com>
Date: Thu, 10 Feb 2022 21:50:28 +0800
Subject: [PATCH] bugfix: fix eventfds may double free when vm_id reused in
ivshmem
As the ivshmem Server-Client Protol describes, when a
client disconnects from the server, server sends disconnect
notifications to the other clients. And the other clients
will free the eventfds of the disconnected client according
to the client ID. If the client ID is reused, the eventfds
may be double freed.
It will be solved by setting eventfds to NULL after freeing
and allocating memory for it when it's used.
Signed-off-by: Peng Liang <liangpeng10@huawei.com>
Signed-off-by: jiangdongxu <jiangdongxu1@huawei.com>
Signed-off-by: Adttil <yangtao286@huawei.com>
---
hw/misc/ivshmem.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/hw/misc/ivshmem.c b/hw/misc/ivshmem.c
index 0447888029..ad9a3c546e 100644
--- a/hw/misc/ivshmem.c
+++ b/hw/misc/ivshmem.c
@@ -400,6 +400,7 @@ static void close_peer_eventfds(IVShmemState *s, int posn)
}
g_free(s->peers[posn].eventfds);
+ s->peers[posn].eventfds = NULL;
s->peers[posn].nb_eventfds = 0;
}
@@ -533,6 +534,10 @@ static void process_msg_connect(IVShmemState *s, uint16_t posn, int fd,
close(fd);
return;
}
+ if (peer->eventfds == NULL) {
+ peer->eventfds = g_new0(EventNotifier, s->vectors);
+ peer->nb_eventfds = 0;
+ }
vector = peer->nb_eventfds++;
IVSHMEM_DPRINTF("eventfds[%d][%d] = %d\n", posn, vector, fd);
--
2.27.0
Reference in New Issue Copy Permalink