From 1345b8377de7b069f2f49142d478bf4fe0f5cfbe Mon Sep 17 00:00:00 2001 From: Chen Qun Date: Mon, 12 Jul 2021 17:30:45 +0800 Subject: [PATCH 1/3] hw/net/rocker_of_dpa: fix double free bug of rocker device The of_dpa_cmd_add_l2_flood function of the rocker device releases the memory of group->l2_flood.group_ids before applying for new memory. If the l2_group configured by the guest does not match the input group->l2_flood.group_ids, the err_out branch is redirected to release the memory of the group->l2_flood.group_ids branch. The pointer is not set to NULL after the memory is freed. When the guest accesses the of_dpa_cmd_add_l2_flood function again, the memory of group->l2_flood.group_ids is released again. As a result, the memory is double free. Fix that by setting group->l2_flood.group_ids to NULL after free. Signed-off-by: Jiajie Li Signed-off-by: Qiang Ning --- ..._dpa-fix-double-free-bug-of-rocker-d.patch | 39 +++++++++++++++++++ 1 file changed, 39 insertions(+) create mode 100644 hw-net-rocker_of_dpa-fix-double-free-bug-of-rocker-d.patch diff --git a/hw-net-rocker_of_dpa-fix-double-free-bug-of-rocker-d.patch b/hw-net-rocker_of_dpa-fix-double-free-bug-of-rocker-d.patch new file mode 100644 index 00000000..b2497260 --- /dev/null +++ b/hw-net-rocker_of_dpa-fix-double-free-bug-of-rocker-d.patch 
@@ -0,0 +1,39 @@ +From 70573b16a207910019fb71ac0d9342944e6b0c7a Mon Sep 17 00:00:00 2001 +From: Qiang Ning +Date: Mon, 12 Jul 2021 17:30:45 +0800 +Subject: [PATCH] hw/net/rocker_of_dpa: fix double free bug of rocker device + +The of_dpa_cmd_add_l2_flood function of the rocker device +releases the memory of group->l2_flood.group_ids before +applying for new memory. If the l2_group configured by +the guest does not match the input group->l2_flood.group_ids, +the err_out branch is redirected to release the memory of the +group->l2_flood.group_ids branch. The pointer is not set to +NULL after the memory is freed. When the guest accesses the +of_dpa_cmd_add_l2_flood function again, the memory of +group->l2_flood.group_ids is released again. As a result, +the memory is double free. + +Fix that by setting group->l2_flood.group_ids to NULL after free. + +Signed-off-by: Jiajie Li +Signed-off-by: Qiang Ning +--- + hw/net/rocker/rocker_of_dpa.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/hw/net/rocker/rocker_of_dpa.c b/hw/net/rocker/rocker_of_dpa.c +index 8e347d1ee4..0c9de5f014 100644 +--- a/hw/net/rocker/rocker_of_dpa.c ++++ b/hw/net/rocker/rocker_of_dpa.c +@@ -2070,6 +2070,7 @@ static int of_dpa_cmd_add_l2_flood(OfDpa *of_dpa, OfDpaGroup *group, + err_out: + group->l2_flood.group_count = 0; + g_free(group->l2_flood.group_ids); ++ group->l2_flood.group_ids = NULL; + g_free(tlvs); + + return err; +-- +2.27.0 + -- Gitee From fbaf94e3e917f35cfb1854f731068f5989dd628f Mon Sep 17 00:00:00 2001 From: Chen Qun Date: Tue, 13 Jul 2021 11:46:28 +0800 Subject: [PATCH 2/3] spec: Update patch and changelog with !154 hw/net/rocker_of_dpa: fix double free bug of rocker device !154 hw/net/rocker_of_dpa: fix double free bug of rocker device Signed-off-by: Chen Qun --- qemu.spec | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/qemu.spec b/qemu.spec index 78a5b7c1..087baf03 100644 --- a/qemu.spec +++ b/qemu.spec 
@@ -289,6 +289,7 @@ Patch0276: hw-intc-arm_gic-Fix-interrupt-ID-in-GICD_SGIR-regist.patch Patch0277: usb-limit-combined-packets-to-1-MiB-CVE-2021-3527.patch Patch0278: fix-cve-2020-35504.patch Patch0279: fix-cve-2020-35505-esp-ensure-cmdfifo-is-not-empty-a.patch +Patch0280: hw-net-rocker_of_dpa-fix-double-free-bug-of-rocker-d.patch BuildRequires: flex BuildRequires: bison @@ -677,6 +678,9 @@ getent passwd qemu >/dev/null || \ %endif %changelog +* Tue Jul 13 2021 Chen Qun +- hw/net/rocker_of_dpa: fix double free bug of rocker device + * Mon Jun 21 2021 Chen Qun - fix cve-2020-35504 esp: always check current_req is not NULL before use in DMA callbacks - fix cve-2020-35505 esp: ensure cmdfifo is not empty and current_dev is non-NULL -- Gitee From 7c791eee7a02cb29c40eef88bd42c2bc3ce92e38 Mon Sep 17 00:00:00 2001 From: Chen Qun Date: Tue, 13 Jul 2021 11:46:39 +0800 Subject: [PATCH 3/3] spec: Update release version with !154 increase release version by one Signed-off-by: Chen Qun --- qemu.spec | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/qemu.spec b/qemu.spec index 087baf03..9574f6cc 100644 --- a/qemu.spec +++ b/qemu.spec @@ -1,6 +1,6 @@ Name: qemu Version: 4.1.0 -Release: 50 +Release: 51 Epoch: 2 Summary: QEMU is a generic and open source machine emulator and virtualizer License: GPLv2 and BSD and MIT and CC-BY-SA-4.0 -- Gitee
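Review bot: In the rocker_of_dpa.c hunk of patch 1/3, the added `group->l2_flood.group_ids = NULL;` directly after `g_free(group->l2_flood.group_ids);` in err_out is the right fix: g_free(NULL) is a no-op, so the free-before-reallocate at the top of the next of_dpa_cmd_add_l2_flood call described in the commit message can no longer operate on already-freed memory. Consider `g_clear_pointer(&group->l2_flood.group_ids, g_free);` in place of the two lines, so the free and the NULL reset cannot be separated by a later edit. Since `group->l2_flood.group_count = 0;` on the line above already resets the count, the group now consistently reports zero entries with a NULL array on the error path, which is the state the earlier code only half achieved.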
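Review bot: In the first qemu.spec hunk of patch 2/3, the new `Patch0280:` line keeps the numbering contiguous after `Patch0279:`, but the diff does not show how this spec applies patches in %prep; if it uses explicit `%patch` lines rather than a loop or %autosetup, a matching apply entry for Patch0280 is also required and is missing from this change. The added %changelog entry in the second hunk follows the existing entry format.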
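Review bot: In the qemu.spec hunk of patch 3/3, the `Release:` bump from 50 to 51 is split from the %changelog entry that patch 2/3 adds, so the tree after 2/3 carries a new changelog entry under the old release number; folding the release bump into the same commit as the changelog entry keeps each revision of the spec self-consistent.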