* Mon Aug 28 2023 Miroslav Rezanina <mrezanin@redhat.com> - 6.2.0-39
- kvm-vhost-vdpa-do-not-cleanup-the-vdpa-vhost-net-structu.patch [bz#2215786]
- Resolves: bz#2215786
  (CVE-2023-3301 virt:rhel/qemu-kvm: QEMU: net: triggerable assertion due to race condition in hot-unplug [rhel-8])
parent 5b9676b8f4
commit fd7488b82b
@ -0,0 +1,81 @@
From 7b17ef78eee2b30829666f12e87ff1eee3c195b5 Mon Sep 17 00:00:00 2001
From: Jon Maloy <jmaloy@redhat.com>
Date: Tue, 15 Aug 2023 19:00:44 -0400
Subject: [PATCH] vhost-vdpa: do not cleanup the vdpa/vhost-net structures if
peer nic is present

RH-Author: Jon Maloy <jmaloy@redhat.com>
RH-MergeRequest: 304: vhost-vdpa: do not cleanup the vdpa/vhost-net structures if peer nic is present
RH-Bugzilla: 2215786
RH-Acked-by: Ani Sinha <None>
RH-Acked-by: Miroslav Rezanina <mrezanin@redhat.com>
RH-Commit: [1/1] 16aa37efdf129f2619cedf9c030222b88eda9e26 (redhat/rhel/src/qemu-kvm/jons-qemu-kvm-2)

Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2215786
CVE: CVE-2023-3301
Upstream: Merged
Conflicts: commit babf8b87127a is not present in this release, so the commit does not
apply cleanly. The two adjacent munmap() calls introduced by that commit
don't seem to be needed for the logics of this change.

commit a0d7215e339b61c7d7a7b3fcf754954d80d93eb8
Author: Ani Sinha <anisinha@redhat.com>
Date: Mon Jun 19 12:22:09 2023 +0530

vhost-vdpa: do not cleanup the vdpa/vhost-net structures if peer nic is present

When a peer nic is still attached to the vdpa backend, it is too early to free
up the vhost-net and vdpa structures. If these structures are freed here, then
QEMU crashes when the guest is being shut down. The following call chain
would result in an assertion failure since the pointer returned from
vhost_vdpa_get_vhost_net() would be NULL:

do_vm_stop() -> vm_state_notify() -> virtio_set_status() ->
virtio_net_vhost_status() -> get_vhost_net().

Therefore, we defer freeing up the structures until at guest shutdown
time when qemu_cleanup() calls net_cleanup() which then calls
qemu_del_net_client() which would eventually call vhost_vdpa_cleanup()
again to free up the structures. This time, the loop in net_cleanup()
ensures that vhost_vdpa_cleanup() will be called one last time when
all the peer nics are detached and freed.

All unit tests pass with this change.

CC: imammedo@redhat.com
CC: jusual@redhat.com
CC: mst@redhat.com
Fixes: CVE-2023-3301
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2128929
Signed-off-by: Ani Sinha <anisinha@redhat.com>
Message-Id: <20230619065209.442185-1-anisinha@redhat.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>

Signed-off-by: Jon Maloy <jmaloy@redhat.com>
---
net/vhost-vdpa.c | 8 ++++++++
1 file changed, 8 insertions(+)

diff --git a/net/vhost-vdpa.c b/net/vhost-vdpa.c
index 814f704687..ac48de9495 100644
--- a/net/vhost-vdpa.c
+++ b/net/vhost-vdpa.c
@@ -128,6 +128,14 @@ static void vhost_vdpa_cleanup(NetClientState *nc)
{
VhostVDPAState *s = DO_UPCAST(VhostVDPAState, nc, nc);

+ /*
+ * If a peer NIC is attached, do not cleanup anything.
+ * Cleanup will happen as a part of qemu_cleanup() -> net_cleanup()
+ * when the guest is shutting down.
+ */
+ if (nc->peer && nc->peer->info->type == NET_CLIENT_DRIVER_NIC) {
+ return;
+ }
if (s->vhost_net) {
vhost_net_cleanup(s->vhost_net);
g_free(s->vhost_net);
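Review bot: the early return placed at the top of vhost_vdpa_cleanup() skips everything below it, not only the vhost_net_cleanup()/g_free() pair visible in the context, so this deferral is only safe if net_cleanup() really does re-enter vhost_vdpa_cleanup() once the peer NIC has been detached, as the commit message claims; the backport note above says the two munmap() calls from babf8b87127a were left out because that commit is absent here, so it is worth confirming that nothing released further down this function (past the shown g_free()) is now skipped for good on the first pass. The in-code comment would be clearer if it stated that the function is called again from net_cleanup() rather than just "do not cleanup anything", so a later reader does not take the return as a permanent skip. Minor: the embedded upstream commit's "Resolves:" line cites bz 2128929 while the RH-Bugzilla header and the changelog cite 2215786; worth checking that both trackers are intended.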
--
2.39.3

@ -83,7 +83,7 @@ Obsoletes: %1-rhev <= %{epoch}:%{version}-%{release}
Summary: QEMU is a machine emulator and virtualizer
Name: qemu-kvm
Version: 6.2.0
Release: 38%{?rcrel}%{?dist}
Release: 39%{?rcrel}%{?dist}
# Epoch because we pushed a qemu-1.0 package. AIUI this can't ever be dropped
Epoch: 15
License: GPLv2 and GPLv2+ and CC-BY
@ -779,6 +779,8 @@ Patch308: kvm-i386-sev-Update-checks-and-information-related-to-re.patch
Patch309: kvm-i386-cpu-Update-how-the-EBX-register-of-CPUID-0x8000.patch
# For bz#2223947 - [RHEL8.9] qemu core dump with '-cpu host,mpx=off' on Cascadelake host
Patch310: kvm-target-i386-kvm-Fix-disabling-MPX-on-cpu-host-with-M.patch
# For bz#2215786 - CVE-2023-3301 virt:rhel/qemu-kvm: QEMU: net: triggerable assertion due to race condition in hot-unplug [rhel-8]
Patch311: kvm-vhost-vdpa-do-not-cleanup-the-vdpa-vhost-net-structu.patch

BuildRequires: wget
BuildRequires: rpm-build
@ -1948,6 +1950,11 @@ sh %{_sysconfdir}/sysconfig/modules/kvm.modules &> /dev/null || :


%changelog
* Mon Aug 28 2023 Miroslav Rezanina <mrezanin@redhat.com> - 6.2.0-39
- kvm-vhost-vdpa-do-not-cleanup-the-vdpa-vhost-net-structu.patch [bz#2215786]
- Resolves: bz#2215786
(CVE-2023-3301 virt:rhel/qemu-kvm: QEMU: net: triggerable assertion due to race condition in hot-unplug [rhel-8])

* Wed Aug 09 2023 Jon Maloy <jmaloy@redhat.com> - 6.2.0-38
- kvm-qapi-i386-sev-Change-the-reduced-phys-bits-value-fro.patch [bz#2214840]
- kvm-qemu-options.hx-Update-the-reduced-phys-bits-documen.patch [bz#2214840]
