packages/qemu
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

!824 QEMU update to version 6.2.0-80(master)

Browse Source 
From: @JiaboFeng 
Reviewed-by: @aven6 
Signed-off-by: @aven6
This commit is contained in:
openeuler-ci-bot 2023-09-12 01:22:02 +00:00 committed by Gitee
commit b9486ecb15
No known key found for this signature in database
GPG Key ID: 173E9B9CA92EEF8F
11 changed files with 582 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

35
accel-kvm-Free-as-when-an-error-occurred.patch Normal file
View File

@ -0,0 +1,35 @@
From 6ccda2ece6d08b1bf0622109c2a1f3eeca813089 Mon Sep 17 00:00:00 2001
From: qihao <qihao_yewu@cmss.chinamobile.com>
Date: Mon, 28 Aug 2023 19:43:06 +0800
Subject: [PATCH] accel/kvm: Free as when an error occurred
cheery-pick from 4625742cd2aeb1400407889a2f7a5b4c75437818
An error may occur after s->as is allocated, for example if the
KVM_CREATE_VM ioctl call fails.
Signed-off-by: Akihiko Odaki <akihiko.odaki@daynix.com>
Message-id: 20230727073134.134102-6-akihiko.odaki@daynix.com
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
[PMM: tweaked commit message]
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: qihao_yewu <qihao_yewu@cmss.chinamobile.com>
---
accel/kvm/kvm-all.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/accel/kvm/kvm-all.c b/accel/kvm/kvm-all.c
index 799d993f6c..9c8d3a916e 100644
--- a/accel/kvm/kvm-all.c
+++ b/accel/kvm/kvm-all.c
@@ -2589,6 +2589,7 @@ err:
if (s->fd != -1) {
close(s->fd);
}
+ g_free(s->as);
g_free(s->memory_listener.slots);
return ret;
--
2.41.0.windows.1

58
accel-kvm-Make-kvm_dirty_ring_reaper_init-void.patch Normal file
View File

@ -0,0 +1,58 @@
From e11f4d10f843f46a8659d0134220f8712f15b451 Mon Sep 17 00:00:00 2001
From: qihao <qihao_yewu@cmss.chinamobile.com>
Date: Mon, 28 Aug 2023 19:04:32 +0800
Subject: [PATCH] accel/kvm: Make kvm_dirty_ring_reaper_init() void
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
cheery-pick from 43a5e377f42d1d3ed12ea562196f723b354ce411
The returned value was always zero and had no meaning.
Signed-off-by: Akihiko Odaki <akihiko.odaki@daynix.com>
Message-id: 20230727073134.134102-7-akihiko.odaki@daynix.com
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Signed-off-by: qihao_yewu <qihao_yewu@cmss.chinamobile.com>
---
accel/kvm/kvm-all.c | 9 ++-------
1 file changed, 2 insertions(+), 7 deletions(-)
diff --git a/accel/kvm/kvm-all.c b/accel/kvm/kvm-all.c
index 799d993f6c..83881e1d96 100644
--- a/accel/kvm/kvm-all.c
+++ b/accel/kvm/kvm-all.c
@@ -1436,15 +1436,13 @@ static void *kvm_dirty_ring_reaper_thread(void *data)
return NULL;
}
-static int kvm_dirty_ring_reaper_init(KVMState *s)
+static void kvm_dirty_ring_reaper_init(KVMState *s)
{
struct KVMDirtyRingReaper *r = &s->reaper;
qemu_thread_create(&r->reaper_thr, "kvm-reaper",
kvm_dirty_ring_reaper_thread,
s, QEMU_THREAD_JOINABLE);
-
- return 0;
}
static void kvm_region_add(MemoryListener *listener,
@@ -2573,10 +2571,7 @@ static int kvm_init(MachineState *ms)
}
if (s->kvm_dirty_ring_size) {
- ret = kvm_dirty_ring_reaper_init(s);
- if (ret) {
- goto err;
- }
+ kvm_dirty_ring_reaper_init(s);
}
return 0;
--
2.41.0.windows.1

58
chardev-report-the-handshake-error.patch Normal file
View File

@ -0,0 +1,58 @@
From 30f9cc7263e44faf2b43c4fdf3d7c64ffb409502 Mon Sep 17 00:00:00 2001
From: qihao <qihao_yewu@cmss.chinamobile.com>
Date: Mon, 14 Aug 2023 14:37:36 +0800
Subject: [PATCH] chardev: report the handshake error
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
cheery-pick from 81cd34a359a36656d2f6542226235bd318ff8873
This can help to debug connection issues.
Related to:
https://bugzilla.redhat.com/show_bug.cgi?id=2196182
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
Message-Id: <20230510072531.3937189-1-marcandre.lureau@redhat.com>
Signed-off-by: qihao_yewu <qihao_yewu@cmss.chinamobile.com>
---
chardev/char-socket.c | 12 ++++++++++--
1 file changed, 10 insertions(+), 2 deletions(-)
diff --git a/chardev/char-socket.c b/chardev/char-socket.c
index 459b9b72bd..ef5d3053f3 100644
--- a/chardev/char-socket.c
+++ b/chardev/char-socket.c
@@ -819,8 +819,12 @@ static void tcp_chr_websock_handshake(QIOTask *task, gpointer user_data)
{
Chardev *chr = user_data;
SocketChardev *s = user_data;
+ Error *err = NULL;
- if (qio_task_propagate_error(task, NULL)) {
+ if (qio_task_propagate_error(task, &err)) {
+ error_reportf_err(err,
+ "websock handshake of character device %s failed: ",
+ chr->label);
tcp_chr_disconnect(chr);
} else {
if (s->do_telnetopt) {
@@ -855,8 +859,12 @@ static void tcp_chr_tls_handshake(QIOTask *task,
{
Chardev *chr = user_data;
SocketChardev *s = user_data;
+ Error *err = NULL;
- if (qio_task_propagate_error(task, NULL)) {
+ if (qio_task_propagate_error(task, &err)) {
+ error_reportf_err(err,
+ "TLS handshake of character device %s failed: ",
+ chr->label);
tcp_chr_disconnect(chr);
} else {
if (s->is_websock) {
--
2.41.0.windows.1

57
hw-arm-virt-Check-for-attempt-to-use-TrustZone-with-.patch Normal file
View File

@ -0,0 +1,57 @@
From fd9cd16407e9d98807c631521ff1fcb83bfefac4 Mon Sep 17 00:00:00 2001
From: tangbinzy <tangbin_yewu@cmss.chinamobile.com>
Date: Mon, 21 Aug 2023 06:21:27 +0000
Subject: [PATCH] hw/arm/virt: Check for attempt to use TrustZone with KVM or
HVF mainline inclusion commit 78255ce392dc8596f9886476ad1e5c3c67f1c10a
category: bugfix
---------------------------------------------------------------
It's not possible to provide the guest with the Security extensions
(TrustZone) when using KVM or HVF, because the hardware
virtualization extensions don't permit running EL3 guest code.
However, we weren't checking for this combination, with the result
that QEMU would assert if you tried it:
$ qemu-system-aarch64 -enable-kvm -machine virt,secure=on -cpu host -display none
Unexpected error in object_property_find_err() at ../../qom/object.c:1304:
qemu-system-aarch64: Property 'host-arm-cpu.secure-memory' not found
Aborted
Check for this combination of options and report an error, in the
same way we already do for attempts to give a KVM or HVF guest the
Virtualization or MTE extensions. Now we will report:
qemu-system-aarch64: mach-virt: KVM does not support providing Security extensions (TrustZone) to the guest CPU
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/961
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20220404155301.566542-1-peter.maydell@linaro.org
Signed-off-by: tangbinzy <tangbin_yewu@cmss.chinamobile.com>
---
hw/arm/virt.c | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/hw/arm/virt.c b/hw/arm/virt.c
index 4c876fcf16..93554cccf1 100644
--- a/hw/arm/virt.c
+++ b/hw/arm/virt.c
@@ -2097,6 +2097,13 @@ static void machvirt_init(MachineState *machine)
exit(1);
}
+ if (vms->secure && (kvm_enabled() || hvf_enabled())) {
+ error_report("mach-virt: %s does not support providing "
+ "Security extensions (TrustZone) to the guest CPU",
+ kvm_enabled() ? "KVM" : "HVF");
+ exit(1);
+ }
+
if (vms->virt && (kvm_enabled() || hvf_enabled())) {
error_report("mach-virt: %s does not support providing "
"Virtualization extensions to the guest CPU",
--
2.41.0.windows.1

42
hw-rx-rx-gdbsim-DTB-load-address-aligned-of-16byte.patch Normal file
View File

@ -0,0 +1,42 @@
From 97928027aadb358cdee1a2d0c4152979d867b575 Mon Sep 17 00:00:00 2001
From: tangbinzy <tangbin_yewu@cmss.chinamobile.com>
Date: Mon, 21 Aug 2023 06:33:49 +0000
Subject: [PATCH] hw/rx: rx-gdbsim DTB load address aligned of 16byte.
mainline inclusion commit bcc6f33b671d223a1d7b81491d45c58b35ed6e3e category:
bugfix
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---------------------------------------------------------------
Linux kernel required alined address of DTB.
But missing align in dtb load function.
Fixed to load to the correct address.
Signed-off-by: Yoshinori Sato <ysato@users.sourceforge.jp>
Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Message-Id: <20220207132758.84403-1-ysato@users.sourceforge.jp>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Signed-off-by: tangbinzy <tangbin_yewu@cmss.chinamobile.com>
---
hw/rx/rx-gdbsim.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/hw/rx/rx-gdbsim.c b/hw/rx/rx-gdbsim.c
index 75d1fec6ca..887083737b 100644
--- a/hw/rx/rx-gdbsim.c
+++ b/hw/rx/rx-gdbsim.c
@@ -142,7 +142,7 @@ static void rx_gdbsim_init(MachineState *machine)
exit(1);
}
/* DTB is located at the end of SDRAM space. */
- dtb_offset = machine->ram_size - dtb_size;
+ dtb_offset = ROUND_DOWN(machine->ram_size - dtb_size, 16);
rom_add_blob_fixed("dtb", dtb, dtb_size,
SDRAM_BASE + dtb_offset);
/* Set dtb address to R1 */
--
2.41.0.windows.1

39
hw-ssi-Fix-Linux-driver-init-issue-with-xilinx_spi.patch Normal file
View File

@ -0,0 +1,39 @@
From 58a192d877acfe06964d91ef831597f833ac4f0c Mon Sep 17 00:00:00 2001
From: xiaowanghe <xiaowanghe_yewu@cmss.chinamobile.com>
Date: Mon, 14 Aug 2023 18:57:59 -0700
Subject: [PATCH] hw/ssi: Fix Linux driver init issue with xilinx_spi
cherry picked from commit a0eaa126af3c5a43937a22c58cfb9bb36e4a5001
The problem is that the Linux driver expects the master transaction inhibit
bit(R_SPICR_MTI) to be set during driver initialization so that it can
detect the fifo size but QEMU defaults it to zero out of reset. The
datasheet indicates this bit is active on reset.
See page 25, SPI Control Register section:
https://www.xilinx.com/content/dam/xilinx/support/documents/ip_documentation/axi_quad_spi/v3_2/pg153-axi-quad-spi.pdf
Signed-off-by: Chris Rauer <crauer@google.com>
Message-id: 20230323182811.2641044-1-crauer@google.com
Reviewed-by: Edgar E. Iglesias <edgar@zeroasic.com>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Wanghe Xiao <xiaowanghe_yewu@cmss.chinamobile.com>
---
hw/ssi/xilinx_spi.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/hw/ssi/xilinx_spi.c b/hw/ssi/xilinx_spi.c
index b2819a7ff0..92e7cabf42 100644
--- a/hw/ssi/xilinx_spi.c
+++ b/hw/ssi/xilinx_spi.c
@@ -156,6 +156,7 @@ static void xlx_spi_do_reset(XilinxSPI *s)
txfifo_reset(s);
s->regs[R_SPISSR] = ~0;
+ s->regs[R_SPICR] = R_SPICR_MTI;
xlx_spi_update_irq(s);
xlx_spi_update_cs(s);
}
--
2.41.0.windows.1

83
io-remove-io-watch-if-TLS-channel-is-closed-during-h.patch Normal file
View File

@ -0,0 +1,83 @@
From 979bb24c769a703c96067c9557d433492916aa67 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
Date: Tue, 20 Jun 2023 09:45:34 +0100
Subject: [PATCH] io: remove io watch if TLS channel is closed during handshake
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
The TLS handshake make take some time to complete, during which time an
I/O watch might be registered with the main loop. If the owner of the
I/O channel invokes qio_channel_close() while the handshake is waiting
to continue the I/O watch must be removed. Failing to remove it will
later trigger the completion callback which the owner is not expecting
to receive. In the case of the VNC server, this results in a SEGV as
vnc_disconnect_start() tries to shutdown a client connection that is
already gone / NULL.
CVE-2023-3354
Reported-by: jiangyegen <jiangyegen@huawei.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
---
include/io/channel-tls.h | 1 +
io/channel-tls.c | 18 ++++++++++++------
2 files changed, 13 insertions(+), 6 deletions(-)
diff --git a/include/io/channel-tls.h b/include/io/channel-tls.h
index 5672479e9e..26c67f17e2 100644
--- a/include/io/channel-tls.h
+++ b/include/io/channel-tls.h
@@ -48,6 +48,7 @@ struct QIOChannelTLS {
QIOChannel *master;
QCryptoTLSSession *session;
QIOChannelShutdown shutdown;
+ guint hs_ioc_tag;
};
/**
diff --git a/io/channel-tls.c b/io/channel-tls.c
index 2ae1b92fc0..34476e6b7b 100644
--- a/io/channel-tls.c
+++ b/io/channel-tls.c
@@ -195,12 +195,13 @@ static void qio_channel_tls_handshake_task(QIOChannelTLS *ioc,
}
trace_qio_channel_tls_handshake_pending(ioc, status);
- qio_channel_add_watch_full(ioc->master,
- condition,
- qio_channel_tls_handshake_io,
- data,
- NULL,
- context);
+ ioc->hs_ioc_tag =
+ qio_channel_add_watch_full(ioc->master,
+ condition,
+ qio_channel_tls_handshake_io,
+ data,
+ NULL,
+ context);
}
}
@@ -215,6 +216,7 @@ static gboolean qio_channel_tls_handshake_io(QIOChannel *ioc,
QIOChannelTLS *tioc = QIO_CHANNEL_TLS(
qio_task_get_source(task));
+ tioc->hs_ioc_tag = 0;
g_free(data);
qio_channel_tls_handshake_task(tioc, task, context);
@@ -373,6 +375,10 @@ static int qio_channel_tls_close(QIOChannel *ioc,
{
QIOChannelTLS *tioc = QIO_CHANNEL_TLS(ioc);
+ if (tioc->hs_ioc_tag) {
+ g_clear_handle_id(&tioc->hs_ioc_tag, g_source_remove);
+ }
+
return qio_channel_close(tioc->master, errp);
}
--
2.41.0.windows.1

24
qemu.spec
View File

@ -3,7 +3,7 @@
Name: qemu
Version: 6.2.0
Release: 79
Release: 80
Epoch: 10
Summary: QEMU is a generic and open source machine emulator and virtualizer
License: GPLv2 and BSD and MIT and CC-BY-SA-4.0
@ -555,6 +555,16 @@ Patch0540: virtio-crypto-verify-src-dst-buffer-length-for-sym-r.patch
Patch0541: sw_64-Added-sw64-architecture-related-updates.patch
Patch0542: aio-posix-fix-build-failure-io_uring-2.2.patch
Patch0543: test-Fix-test-crypto-secret-when-compiling-without-k.patch
Patch0544: accel-kvm-Free-as-when-an-error-occurred.patch
Patch0545: accel-kvm-Make-kvm_dirty_ring_reaper_init-void.patch
Patch0546: vhost-user-Use-correct-macro-name-TARGET_PPC64.patch
Patch0547: hw-rx-rx-gdbsim-DTB-load-address-aligned-of-16byte.patch
Patch0548: hw-arm-virt-Check-for-attempt-to-use-TrustZone-with-.patch
Patch0549: virtio-iommu-use-after-free-fix.patch
Patch0550: vhost-Drop-unused-eventfd_add-del-hooks.patch
Patch0551: chardev-report-the-handshake-error.patch
Patch0552: hw-ssi-Fix-Linux-driver-init-issue-with-xilinx_spi.patch
Patch0553: io-remove-io-watch-if-TLS-channel-is-closed-during-h.patch
BuildRequires: flex
BuildRequires: gcc
@ -1128,6 +1138,18 @@ getent passwd qemu >/dev/null || \
%endif
%changelog
* Sat Sep 9 2023 <fengjiabo1@huawei.com> - 10:6.2.0-80
- io: remove io watch if TLS channel is closed during handshake
- hw/ssi: Fix Linux driver init issue with xilinx_spi
- chardev: report the handshake error
- vhost: Drop unused eventfd_add|del hooks
- virtio-iommu: use-after-free fix
- hw/arm/virt: Check for attempt to use TrustZone with KVM or HVF
- hw/rx: rx-gdbsim DTB load address aligned of 16byte
- vhost-user: Use correct macro name TARGET_PPC64
- accel/kvm: Make kvm_dirty_ring_reaper_init() void
- accel/kvm: Free as when an error occurred
* Mon Aug 28 2023 <fengjiabo1@huawei.com> - 10:6.2.0-79
- test: Fix test-crypto-secret when compiling without keyring support
- aio-posix: fix build failure io_uring 2.2

63
vhost-Drop-unused-eventfd_add-del-hooks.patch Normal file
View File

@ -0,0 +1,63 @@
From e1c5d60311a7b6dba60284f07fad92dfab688605 Mon Sep 17 00:00:00 2001
From: xiaowanghe <xiaowanghe_yewu@cmss.chinamobile.com>
Date: Sun, 13 Aug 2023 23:18:07 -0700
Subject: [PATCH] vhost: Drop unused eventfd_add|del hooks
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
cherry picked from commit 560a997535937df2ea3716ba56bcbe38be37682f
These hooks were introduced in:
80a1ea3748 ("memory: move ioeventfd ops to MemoryListener", 2012-02-29)
But they seem to be never used. Drop them.
Cc: Richard Henderson <rth@twiddle.net>
Signed-off-by: Peter Xu <peterx@redhat.com>
Message-Id: <20230306193209.516011-1-peterx@redhat.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Acked-by: Jason Wang <jasowang@redhat.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Wanghe Xiao <xiaowanghe_yewu@cmss.chinamobile.com>
---
hw/virtio/vhost.c | 14 --------------
1 file changed, 14 deletions(-)
diff --git a/hw/virtio/vhost.c b/hw/virtio/vhost.c
index 3ac6cfde03..2d11e3c2f8 100644
--- a/hw/virtio/vhost.c
+++ b/hw/virtio/vhost.c
@@ -1268,18 +1268,6 @@ static void vhost_virtqueue_stop(struct vhost_dev *dev,
0, virtio_queue_get_desc_size(vdev, idx));
}
-static void vhost_eventfd_add(MemoryListener *listener,
- MemoryRegionSection *section,
- bool match_data, uint64_t data, EventNotifier *e)
-{
-}
-
-static void vhost_eventfd_del(MemoryListener *listener,
- MemoryRegionSection *section,
- bool match_data, uint64_t data, EventNotifier *e)
-{
-}
-
static int vhost_virtqueue_set_busyloop_timeout(struct vhost_dev *dev,
int n, uint32_t timeout)
{
@@ -1413,8 +1401,6 @@ int vhost_dev_init(struct vhost_dev *hdev, void *opaque,
.log_sync = vhost_log_sync,
.log_global_start = vhost_log_global_start,
.log_global_stop = vhost_log_global_stop,
- .eventfd_add = vhost_eventfd_add,
- .eventfd_del = vhost_eventfd_del,
.priority = 10
};
--
2.41.0.windows.1

42
vhost-user-Use-correct-macro-name-TARGET_PPC64.patch Normal file
View File

@ -0,0 +1,42 @@
From f985f564a64e122e55a02f7a22e877f0de2de464 Mon Sep 17 00:00:00 2001
From: tangbinzy <tangbin_yewu@cmss.chinamobile.com>
Date: Mon, 21 Aug 2023 06:55:57 +0000
Subject: [PATCH] vhost-user: Use correct macro name TARGET_PPC64 mainline
inclusion commit 97252353c1f6ecbb54385c9272378b5788749a16 category: bugfix
---------------------------------------------------------------
The correct name of the macro is TARGET_PPC64.
Fixes: 27598393a232 ("Lift max memory slots limit imposed by vhost-user")
Reported-by: Fabiano Rosas <farosas@linux.ibm.com>
Signed-off-by: Murilo Opsfelder Araujo <muriloo@linux.ibm.com>
Cc: Raphael Norwitz <raphael.norwitz@nutanix.com>
Cc: Peter Turschmid <peter.turschm@nutanix.com>
Reviewed-by: Daniel Henrique Barboza <danielhb413@gmail.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Reviewed-by: Raphael Norwitz <raphael.norwitz@nutanix.com>
Message-Id: <20220503180108.34506-1-muriloo@linux.ibm.com>
Signed-off-by: Daniel Henrique Barboza <danielhb413@gmail.com>
Signed-off-by: tangbinzy <tangbin_yewu@cmss.chinamobile.com>
---
hw/virtio/vhost-user.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/hw/virtio/vhost-user.c b/hw/virtio/vhost-user.c
index 42a9e16cd9..24f80d5d18 100644
--- a/hw/virtio/vhost-user.c
+++ b/hw/virtio/vhost-user.c
@@ -52,7 +52,7 @@
#include "hw/acpi/acpi.h"
#define VHOST_USER_MAX_RAM_SLOTS ACPI_MAX_RAM_SLOTS
-#elif defined(TARGET_PPC) || defined(TARGET_PPC_64)
+#elif defined(TARGET_PPC) || defined(TARGET_PPC64)
#include "hw/ppc/spapr.h"
#define VHOST_USER_MAX_RAM_SLOTS SPAPR_MAX_RAM_SLOTS
--
2.41.0.windows.1

82
virtio-iommu-use-after-free-fix.patch Normal file
View File

@ -0,0 +1,82 @@
From ab4228f1a5b45450490077a06094670f364b4efc Mon Sep 17 00:00:00 2001
From: tangbinzy <tangbin_yewu@cmss.chinamobile.com>
Date: Mon, 21 Aug 2023 06:02:21 +0000
Subject: [PATCH] virtio-iommu: use-after-free fix mainline inclusion commit
4bf58c7213b0ab03209a53731c71f0861c35ef91 category: bugfix
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---------------------------------------------------------------
A potential Use-after-free was reported in virtio_iommu_handle_command
when using virtio-iommu:
> I find a potential Use-after-free in QEMU 6.2.0, which is in
> virtio_iommu_handle_command() (./hw/virtio/virtio-iommu.c).
>
>
> Specifically, in the loop body, the variable 'buf' allocated at line 639 can be
> freed by g_free() at line 659. However, if the execution path enters the loop
> body again and the if branch takes true at line 616, the control will directly
> jump to 'out' at line 651. At this time, 'buf' is a freed pointer, which is not
> assigned with an allocated memory but used at line 653. As a result, a UAF bug
> is triggered.
>
>
>
> 599 for (;;) {
> ...
> 615 sz = iov_to_buf(iov, iov_cnt, 0, &head, sizeof(head));
> 616 if (unlikely(sz != sizeof(head))) {
> 617 tail.status = VIRTIO_IOMMU_S_DEVERR;
> 618 goto out;
> 619 }
> ...
> 639 buf = g_malloc0(output_size);
> ...
> 651 out:
> 652 sz = iov_from_buf(elem->in_sg, elem->in_num, 0,
> 653 buf ? buf : &tail, output_size);
> ...
> 659 g_free(buf);
>
> We can fix it by set buf to NULL after freeing it:
>
>
> 651 out:
> 652 sz = iov_from_buf(elem->in_sg, elem->in_num, 0,
> 653 buf ? buf : &tail, output_size);
> ...
> 659 g_free(buf);
> +++ buf = NULL;
> 660 }
Fix as suggested by the reporter.
Signed-off-by: Wentao Liang <Wentao_Liang_g@163.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Message-id: 20220407095047.50371-1-mst@redhat.com
Message-ID: <20220406040445-mutt-send-email-mst@kernel.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: tangbinzy <tangbin_yewu@cmss.chinamobile.com>
---
hw/virtio/virtio-iommu.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/hw/virtio/virtio-iommu.c b/hw/virtio/virtio-iommu.c
index 1b23e8e18c..ed47d4cb64 100644
--- a/hw/virtio/virtio-iommu.c
+++ b/hw/virtio/virtio-iommu.c
@@ -657,6 +657,7 @@ out:
virtio_notify(vdev, vq);
g_free(elem);
g_free(buf);
+ buf = NULL;
}
}
--
2.41.0.windows.1