From 7ad4fc282b1f96d619ce2f9f7ed9049c3b894dd4 Mon Sep 17 00:00:00 2001 From: Jon Maloy Date: Thu, 18 Jul 2024 09:42:42 -0400 Subject: [PATCH 1/6] virtio-gpu: free BHs, by implementing unrealize MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit RH-Author: Jon Maloy RH-MergeRequest: 380: QEMU: virtio: DMA reentrancy issue leads to double free vulnerability RH-Jira: RHEL-32276 RH-Acked-by: Gerd Hoffmann RH-Acked-by: Miroslav Rezanina RH-Commit: [1/6] d05c10426afac428d775669748f0aa689c23e787 (redhat/rhel/src/qemu-kvm/jons-qemu-kvm-2) JIRA: https://issues.redhat.com/browse/RHEL-32276 CVE: CVE-2024-3446 Upstream: Merged commit 957d77863e4564454eb97f8f371096843daf4678 Author: Marc-André Lureau Date: Wed Jul 26 21:39:28 2023 +0400 virtio-gpu: free BHs, by implementing unrealize Acked-by: Dongwon Kim Signed-off-by: Marc-André Lureau Message-Id: <20230726173929.690601-2-marcandre.lureau@redhat.com> Signed-off-by: Jon Maloy --- hw/display/virtio-gpu-base.c | 2 +- hw/display/virtio-gpu.c | 10 ++++++++++ include/hw/virtio/virtio-gpu.h | 1 + 3 files changed, 12 insertions(+), 1 deletion(-) diff --git a/hw/display/virtio-gpu-base.c b/hw/display/virtio-gpu-base.c index c8da4806e0..e3ff9dcf38 100644 --- a/hw/display/virtio-gpu-base.c +++ b/hw/display/virtio-gpu-base.c @@ -223,7 +223,7 @@ virtio_gpu_base_set_features(VirtIODevice *vdev, uint64_t features) trace_virtio_gpu_features(((features & virgl) == virgl)); } -static void +void virtio_gpu_base_device_unrealize(DeviceState *qdev) { VirtIOGPUBase *g = VIRTIO_GPU_BASE(qdev); diff --git a/hw/display/virtio-gpu.c b/hw/display/virtio-gpu.c index ecf9079145..e230e5091f 100644 --- a/hw/display/virtio-gpu.c +++ b/hw/display/virtio-gpu.c @@ -1341,6 +1341,15 @@ void virtio_gpu_device_realize(DeviceState *qdev, Error **errp) QTAILQ_INIT(&g->fenceq); } +static void virtio_gpu_device_unrealize(DeviceState *qdev) +{ + VirtIOGPU *g = VIRTIO_GPU(qdev); + + g_clear_pointer(&g->ctrl_bh, qemu_bh_delete); + g_clear_pointer(&g->cursor_bh, qemu_bh_delete); + virtio_gpu_base_device_unrealize(qdev); +} + void virtio_gpu_reset(VirtIODevice *vdev) { VirtIOGPU *g = VIRTIO_GPU(vdev); @@ -1436,6 +1445,7 @@ static void virtio_gpu_class_init(ObjectClass *klass, void *data) vgbc->gl_flushed = virtio_gpu_handle_gl_flushed; vdc->realize = virtio_gpu_device_realize; + vdc->unrealize = virtio_gpu_device_unrealize; vdc->reset = virtio_gpu_reset; vdc->get_config = virtio_gpu_get_config; vdc->set_config = virtio_gpu_set_config; diff --git a/include/hw/virtio/virtio-gpu.h b/include/hw/virtio/virtio-gpu.h index acfba7c76c..4367d005f1 100644 --- a/include/hw/virtio/virtio-gpu.h +++ b/include/hw/virtio/virtio-gpu.h @@ -235,6 +235,7 @@ bool virtio_gpu_base_device_realize(DeviceState *qdev, VirtIOHandleOutput ctrl_cb, VirtIOHandleOutput cursor_cb, Error **errp); +void virtio_gpu_base_device_unrealize(DeviceState *qdev); void virtio_gpu_base_reset(VirtIOGPUBase *g); void virtio_gpu_base_fill_display_info(VirtIOGPUBase *g, struct virtio_gpu_resp_display_info *dpy_info); -- 2.39.3