From 0532f87f2e4eb6463a3f9cc73434eb7e90c2c4fe Mon Sep 17 00:00:00 2001
From: Chen Qun <kuhn.chenqun@huawei.com>
Date: Mon, 12 Jul 2021 17:30:45 +0800
Subject: [PATCH 1/3] hw/net/rocker_of_dpa: fix double free bug of rocker
 device

The of_dpa_cmd_add_l2_flood function of the rocker device
releases the memory of group->l2_flood.group_ids before
applying for new memory. If the l2_group configured by
the guest does not match the input group->l2_flood.group_ids,
the err_out branch is redirected to release the memory of the
group->l2_flood.group_ids branch. The pointer is not set to
NULL after the memory is freed. When the guest accesses the
of_dpa_cmd_add_l2_flood function again, the memory of
group->l2_flood.group_ids is released again. As a result,
the memory is double free.

Fix that by setting group->l2_flood.group_ids to NULL after free.

Signed-off-by: Jiajie Li <lijiajie11@huawei.com>
Signed-off-by: Qiang Ning <ningqiang1@huawei.com>
---
 ..._dpa-fix-double-free-bug-of-rocker-d.patch | 39 +++++++++++++++++++
 1 file changed, 39 insertions(+)
 create mode 100644 hw-net-rocker_of_dpa-fix-double-free-bug-of-rocker-d.patch

diff --git a/hw-net-rocker_of_dpa-fix-double-free-bug-of-rocker-d.patch b/hw-net-rocker_of_dpa-fix-double-free-bug-of-rocker-d.patch
new file mode 100644
index 0000000..efa47f9
--- /dev/null
+++ b/hw-net-rocker_of_dpa-fix-double-free-bug-of-rocker-d.patch
@@ -0,0 +1,39 @@
+From c5ea78cfd76706b21746bf3881c068c896b3199b Mon Sep 17 00:00:00 2001
+From: Qiang Ning <ningqiang1@huawei.com>
+Date: Mon, 12 Jul 2021 17:30:45 +0800
+Subject: [PATCH] hw/net/rocker_of_dpa: fix double free bug of rocker device
+
+The of_dpa_cmd_add_l2_flood function of the rocker device
+releases the memory of group->l2_flood.group_ids before
+applying for new memory. If the l2_group configured by
+the guest does not match the input group->l2_flood.group_ids,
+the err_out branch is redirected to release the memory of the
+group->l2_flood.group_ids branch. The pointer is not set to
+NULL after the memory is freed. When the guest accesses the
+of_dpa_cmd_add_l2_flood function again, the memory of
+group->l2_flood.group_ids is released again. As a result,
+the memory is double free.
+
+Fix that by setting group->l2_flood.group_ids to NULL after free.
+
+Signed-off-by: Jiajie Li <lijiajie11@huawei.com>
+Signed-off-by: Qiang Ning <ningqiang1@huawei.com>
+---
+ hw/net/rocker/rocker_of_dpa.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/hw/net/rocker/rocker_of_dpa.c b/hw/net/rocker/rocker_of_dpa.c
+index 8e347d1ee4..0c9de5f014 100644
+--- a/hw/net/rocker/rocker_of_dpa.c
++++ b/hw/net/rocker/rocker_of_dpa.c
+@@ -2070,6 +2070,7 @@ static int of_dpa_cmd_add_l2_flood(OfDpa *of_dpa, OfDpaGroup *group,
+ err_out:
+     group->l2_flood.group_count = 0;
+     g_free(group->l2_flood.group_ids);
++    group->l2_flood.group_ids = NULL;
+     g_free(tlvs);
+ 
+     return err;
+-- 
+2.27.0
+
-- 
Gitee


From 8748c2f4d279faeedc1b8bf832260b3d7f6fbbc6 Mon Sep 17 00:00:00 2001
From: Chen Qun <kuhn.chenqun@huawei.com>
Date: Tue, 13 Jul 2021 11:46:27 +0800
Subject: [PATCH 2/3] spec: Update patch and changelog with !153
 hw/net/rocker_of_dpa: fix double free bug of rocker device  !153

hw/net/rocker_of_dpa: fix double free bug of rocker device

Signed-off-by: Chen Qun<kuhn.chenqun@huawei.com>
---
 qemu.spec | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/qemu.spec b/qemu.spec
index 32e5f80..ce4c4c6 100644
--- a/qemu.spec
+++ b/qemu.spec
@@ -247,6 +247,7 @@ Patch0234: vhost-user-gpu-fix-OOB-write-in-virgl_cmd_get_capset.patch
 Patch0235: ide-ahci-add-check-to-avoid-null-dereference-CVE-201.patch
 Patch0236: hw-intc-arm_gic-Fix-interrupt-ID-in-GICD_SGIR-regist.patch
 Patch0237: usb-limit-combined-packets-to-1-MiB-CVE-2021-3527.patch
+Patch0238: hw-net-rocker_of_dpa-fix-double-free-bug-of-rocker-d.patch
 
 BuildRequires: flex
 BuildRequires: bison
@@ -592,6 +593,9 @@ getent passwd qemu >/dev/null || \
 %endif
 
 %changelog
+* Tue Jul 13 2021 Chen Qun <kuhn.chenqun@huawei.com>
+- hw/net/rocker_of_dpa: fix double free bug of rocker device
+
 * Mon Jun 21 2021 Chen Qun <kuhn.chenqun@huawei.com>
 - ide: ahci: add check to avoid null dereference (CVE-2019-12067)
 - hw/intc/arm_gic: Fix interrupt ID in GICD_SGIR register
-- 
Gitee


From 19c3f225e8473921a87465b6366ac4e230f558bd Mon Sep 17 00:00:00 2001
From: Chen Qun <kuhn.chenqun@huawei.com>
Date: Tue, 13 Jul 2021 11:46:31 +0800
Subject: [PATCH 3/3] spec: Update release version with !153

increase release verison by one

Signed-off-by: Chen Qun <kuhn.chenqun@huawei.com>
---
 qemu.spec | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/qemu.spec b/qemu.spec
index ce4c4c6..0765889 100644
--- a/qemu.spec
+++ b/qemu.spec
@@ -1,6 +1,6 @@
 Name: qemu
 Version: 4.1.0
-Release: 43
+Release: 44
 Epoch: 2
 Summary: QEMU is a generic and open source machine emulator and virtualizer
 License: GPLv2 and BSD and MIT and CC-BY
-- 
Gitee