From fd7488b82b9aa5a2cab4110eb3111a849b87e735 Mon Sep 17 00:00:00 2001 From: Miroslav Rezanina Date: Mon, 28 Aug 2023 06:54:27 -0400 Subject: [PATCH] * Mon Aug 28 2023 Miroslav Rezanina - 6.2.0-39 - kvm-vhost-vdpa-do-not-cleanup-the-vdpa-vhost-net-structu.patch [bz#2215786] - Resolves: bz#2215786 (CVE-2023-3301 virt:rhel/qemu-kvm: QEMU: net: triggerable assertion due to race condition in hot-unplug [rhel-8]) --- ...t-cleanup-the-vdpa-vhost-net-structu.patch | 81 +++++++++++++++++++ qemu-kvm.spec | 9 ++- 2 files changed, 89 insertions(+), 1 deletion(-) create mode 100644 kvm-vhost-vdpa-do-not-cleanup-the-vdpa-vhost-net-structu.patch diff --git a/kvm-vhost-vdpa-do-not-cleanup-the-vdpa-vhost-net-structu.patch b/kvm-vhost-vdpa-do-not-cleanup-the-vdpa-vhost-net-structu.patch new file mode 100644 index 0000000..2679d09 --- /dev/null +++ b/kvm-vhost-vdpa-do-not-cleanup-the-vdpa-vhost-net-structu.patch 
@@ -0,0 +1,81 @@ +From 7b17ef78eee2b30829666f12e87ff1eee3c195b5 Mon Sep 17 00:00:00 2001 +From: Jon Maloy +Date: Tue, 15 Aug 2023 19:00:44 -0400 +Subject: [PATCH] vhost-vdpa: do not cleanup the vdpa/vhost-net structures if + peer nic is present + +RH-Author: Jon Maloy +RH-MergeRequest: 304: vhost-vdpa: do not cleanup the vdpa/vhost-net structures if peer nic is present +RH-Bugzilla: 2215786 +RH-Acked-by: Ani Sinha +RH-Acked-by: Miroslav Rezanina +RH-Commit: [1/1] 16aa37efdf129f2619cedf9c030222b88eda9e26 (redhat/rhel/src/qemu-kvm/jons-qemu-kvm-2) + +Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2215786 +CVE: CVE-2023-3301 +Upstream: Merged +Conflicts: commit babf8b87127a is not present in this release, so the commit does not + apply cleanly. The two adjacent munmap() calls introduced by that commit + don't seem to be needed for the logics of this change. + +commit a0d7215e339b61c7d7a7b3fcf754954d80d93eb8 +Author: Ani Sinha +Date: Mon Jun 19 12:22:09 2023 +0530 + + vhost-vdpa: do not cleanup the vdpa/vhost-net structures if peer nic is present + + When a peer nic is still attached to the vdpa backend, it is too early to free + up the vhost-net and vdpa structures. If these structures are freed here, then + QEMU crashes when the guest is being shut down. The following call chain + would result in an assertion failure since the pointer returned from + vhost_vdpa_get_vhost_net() would be NULL: + + do_vm_stop() -> vm_state_notify() -> virtio_set_status() -> + virtio_net_vhost_status() -> get_vhost_net(). + + Therefore, we defer freeing up the structures until at guest shutdown + time when qemu_cleanup() calls net_cleanup() which then calls + qemu_del_net_client() which would eventually call vhost_vdpa_cleanup() + again to free up the structures. This time, the loop in net_cleanup() + ensures that vhost_vdpa_cleanup() will be called one last time when + all the peer nics are detached and freed. + + All unit tests pass with this change. 
+ + CC: imammedo@redhat.com + CC: jusual@redhat.com + CC: mst@redhat.com + Fixes: CVE-2023-3301 + Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2128929 + Signed-off-by: Ani Sinha + Message-Id: <20230619065209.442185-1-anisinha@redhat.com> + Reviewed-by: Michael S. Tsirkin + Signed-off-by: Michael S. Tsirkin + +Signed-off-by: Jon Maloy +--- + net/vhost-vdpa.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/net/vhost-vdpa.c b/net/vhost-vdpa.c +index 814f704687..ac48de9495 100644 +--- a/net/vhost-vdpa.c ++++ b/net/vhost-vdpa.c +@@ -128,6 +128,14 @@ static void vhost_vdpa_cleanup(NetClientState *nc) + { + VhostVDPAState *s = DO_UPCAST(VhostVDPAState, nc, nc); + ++ /* ++ * If a peer NIC is attached, do not cleanup anything. ++ * Cleanup will happen as a part of qemu_cleanup() -> net_cleanup() ++ * when the guest is shutting down. ++ */ ++ if (nc->peer && nc->peer->info->type == NET_CLIENT_DRIVER_NIC) { ++ return; ++ } + if (s->vhost_net) { + vhost_net_cleanup(s->vhost_net); + g_free(s->vhost_net); +-- +2.39.3 + diff --git a/qemu-kvm.spec b/qemu-kvm.spec index 12fe32e..d5f12be 100644 --- a/qemu-kvm.spec +++ b/qemu-kvm.spec @@ -83,7 +83,7 @@ Obsoletes: %1-rhev <= %{epoch}:%{version}-%{release} Summary: QEMU is a machine emulator and virtualizer Name: qemu-kvm Version: 6.2.0 -Release: 38%{?rcrel}%{?dist} +Release: 39%{?rcrel}%{?dist} # Epoch because we pushed a qemu-1.0 package. AIUI this can't ever be dropped Epoch: 15 License: GPLv2 and GPLv2+ and CC-BY 
@@ -779,6 +779,8 @@ Patch308: kvm-i386-sev-Update-checks-and-information-related-to-re.patch Patch309: kvm-i386-cpu-Update-how-the-EBX-register-of-CPUID-0x8000.patch # For bz#2223947 - [RHEL8.9] qemu core dump with '-cpu host,mpx=off' on Cascadelake host Patch310: kvm-target-i386-kvm-Fix-disabling-MPX-on-cpu-host-with-M.patch +# For bz#2215786 - CVE-2023-3301 virt:rhel/qemu-kvm: QEMU: net: triggerable assertion due to race condition in hot-unplug [rhel-8] +Patch311: kvm-vhost-vdpa-do-not-cleanup-the-vdpa-vhost-net-structu.patch BuildRequires: wget BuildRequires: rpm-build @@ -1948,6 +1950,11 @@ sh %{_sysconfdir}/sysconfig/modules/kvm.modules &> /dev/null || : %changelog +* Mon Aug 28 2023 Miroslav Rezanina - 6.2.0-39 +- kvm-vhost-vdpa-do-not-cleanup-the-vdpa-vhost-net-structu.patch [bz#2215786] +- Resolves: bz#2215786 + (CVE-2023-3301 virt:rhel/qemu-kvm: QEMU: net: triggerable assertion due to race condition in hot-unplug [rhel-8]) + * Wed Aug 09 2023 Jon Maloy - 6.2.0-38 - kvm-qapi-i386-sev-Change-the-reduced-phys-bits-value-fro.patch [bz#2214840] - kvm-qemu-options.hx-Update-the-reduced-phys-bits-documen.patch [bz#2214840]
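Review bot: in the `@@ -128,6 +128,14 @@ static void vhost_vdpa_cleanup` hunk of net/vhost-vdpa.c, the early `return` sits at the very top of the function, so it skips everything below it, not only the `vhost_net_cleanup(s->vhost_net); g_free(s->vhost_net);` pair visible in the context; whatever else vhost_vdpa_cleanup() releases after that point (not shown in the hunk) is now also held until the final call from net_cleanup() at guest shutdown, and the new comment should say so explicitly rather than "do not cleanup anything". The condition `nc->peer && nc->peer->info->type == NET_CLIENT_DRIVER_NIC` also means a netdev hot-unplug issued while the NIC is still attached keeps the vhost-net/vdpa state allocated for the remaining lifetime of the guest; that is a lifetime change, not added synchronization, which is worth one sentence in the comment given that the bug is titled as a hot-unplug race. Lastly, the Conflicts text says the two munmap() calls from babf8b87127a "don't seem to be needed" here; since upstream now returns before those calls as well, the backport note would be stronger if it stated positively that 6.2.0 has no corresponding mapping to unmap instead of leaving it as an impression.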