From a4efdbff9216b3b6148c83b3b1d90ef1726e99ed Mon Sep 17 00:00:00 2001 From: Chen Qun Date: Mon, 12 Jul 2021 17:30:45 +0800 Subject: [PATCH 1/3] hw/net/rocker_of_dpa: fix double free bug of rocker device The of_dpa_cmd_add_l2_flood function of the rocker device releases the memory of group->l2_flood.group_ids before applying for new memory. If the l2_group configured by the guest does not match the input group->l2_flood.group_ids, the err_out branch is redirected to release the memory of the group->l2_flood.group_ids branch. The pointer is not set to NULL after the memory is freed. When the guest accesses the of_dpa_cmd_add_l2_flood function again, the memory of group->l2_flood.group_ids is released again. As a result, the memory is double free. Fix that by setting group->l2_flood.group_ids to NULL after free. Signed-off-by: Jiajie Li Signed-off-by: Qiang Ning --- ..._dpa-fix-double-free-bug-of-rocker-d.patch | 39 +++++++++++++++++++ 1 file changed, 39 insertions(+) create mode 100644 hw-net-rocker_of_dpa-fix-double-free-bug-of-rocker-d.patch diff --git a/hw-net-rocker_of_dpa-fix-double-free-bug-of-rocker-d.patch b/hw-net-rocker_of_dpa-fix-double-free-bug-of-rocker-d.patch new file mode 100644 index 00000000..892ac3b2 --- /dev/null +++ b/hw-net-rocker_of_dpa-fix-double-free-bug-of-rocker-d.patch 
@@ -0,0 +1,39 @@ +From 9997745aade411cc5fe27bb3c314f24698c7e20a Mon Sep 17 00:00:00 2001 +From: Qiang Ning +Date: Mon, 12 Jul 2021 17:30:45 +0800 +Subject: [PATCH] hw/net/rocker_of_dpa: fix double free bug of rocker device + +The of_dpa_cmd_add_l2_flood function of the rocker device +releases the memory of group->l2_flood.group_ids before +applying for new memory. If the l2_group configured by +the guest does not match the input group->l2_flood.group_ids, +the err_out branch is redirected to release the memory of the +group->l2_flood.group_ids branch. The pointer is not set to +NULL after the memory is freed. When the guest accesses the +of_dpa_cmd_add_l2_flood function again, the memory of +group->l2_flood.group_ids is released again. As a result, +the memory is double free. + +Fix that by setting group->l2_flood.group_ids to NULL after free. + +Signed-off-by: Jiajie Li +Signed-off-by: Qiang Ning +--- + hw/net/rocker/rocker_of_dpa.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/hw/net/rocker/rocker_of_dpa.c b/hw/net/rocker/rocker_of_dpa.c +index 8e347d1ee4..0c9de5f014 100644 +--- a/hw/net/rocker/rocker_of_dpa.c ++++ b/hw/net/rocker/rocker_of_dpa.c +@@ -2070,6 +2070,7 @@ static int of_dpa_cmd_add_l2_flood(OfDpa *of_dpa, OfDpaGroup *group, + err_out: + group->l2_flood.group_count = 0; + g_free(group->l2_flood.group_ids); ++ group->l2_flood.group_ids = NULL; + g_free(tlvs); + + return err; +-- +2.27.0 + -- Gitee From 051ed0f96d06e3fd786bfbb26fdd433e7196604c Mon Sep 17 00:00:00 2001 From: Chen Qun Date: Tue, 13 Jul 2021 11:46:29 +0800 Subject: [PATCH 2/3] spec: Update patch and changelog with !155 hw/net/rocker_of_dpa: fix double free bug of rocker device !155 hw/net/rocker_of_dpa: fix double free bug of rocker device Signed-off-by: Chen Qun --- qemu.spec | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/qemu.spec b/qemu.spec index 777537c9..ee1d5955 100644 --- a/qemu.spec +++ b/qemu.spec 
@@ -321,6 +321,7 @@ Patch0308: vhost-user-gpu-fix-OOB-write-in-virgl_cmd_get_capset.patch Patch0309: ide-ahci-add-check-to-avoid-null-dereference-CVE-201.patch Patch0310: hw-intc-arm_gic-Fix-interrupt-ID-in-GICD_SGIR-regist.patch Patch0311: usb-limit-combined-packets-to-1-MiB-CVE-2021-3527.patch +Patch0312: hw-net-rocker_of_dpa-fix-double-free-bug-of-rocker-d.patch BuildRequires: flex BuildRequires: bison @@ -708,6 +709,9 @@ getent passwd qemu >/dev/null || \ %endif %changelog +* Tue Jul 13 2021 Chen Qun +- hw/net/rocker_of_dpa: fix double free bug of rocker device + * Mon Jun 21 2021 Chen Qun - ide: ahci: add check to avoid null dereference (CVE-2019-12067) - hw/intc/arm_gic: Fix interrupt ID in GICD_SGIR register -- Gitee From b0ff231b14d64326b7366a819b8d8fee014dcfd4 Mon Sep 17 00:00:00 2001 From: Chen Qun Date: Tue, 13 Jul 2021 11:46:46 +0800 Subject: [PATCH 3/3] spec: Update release version with !155 increase release version by one Signed-off-by: Chen Qun --- qemu.spec | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/qemu.spec b/qemu.spec index ee1d5955..2209eae3 100644 --- a/qemu.spec +++ b/qemu.spec @@ -1,6 +1,6 @@ Name: qemu Version: 4.1.0 -Release: 51 +Release: 52 Epoch: 2 Summary: QEMU is a generic and open source machine emulator and virtualizer License: GPLv2 and BSD and MIT and CC-BY-SA-4.0 -- Gitee
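Review bot: In the rocker_of_dpa.c hunk of patch 1/3, the added `group->l2_flood.group_ids = NULL;` directly after `g_free(group->l2_flood.group_ids);` in the `err_out:` path is the correct and minimal fix: g_free() on a NULL pointer is a no-op, so the unconditional free that the commit message says happens at the top of of_dpa_cmd_add_l2_flood on the next guest command no longer operates on a freed buffer, and it keeps the pointer consistent with the `group->l2_flood.group_count = 0;` reset on the line above it. Two documentation points: the commit message should state that the guest can reach this path repeatedly (a guest-triggerable double free in a device model is a host-side memory-safety issue, not just a crash), and if an identifier has been assigned for it, put it in the patch file name and subject the way the neighbouring Patch0309 and Patch0311 entries in qemu.spec carry their CVE numbers.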
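Review bot: The `@@ -321,6 +321,7 @@` hunk of patch 2/3 adds only the declaration `+Patch0312: hw-net-rocker_of_dpa-fix-double-free-bug-of-rocker-d.patch`; nothing in this hunk applies it. If qemu.spec applies its Patch list automatically (for example with %autosetup or a loop over the declared patches) that is fine, but if it uses explicit per-patch apply lines, a matching entry for Patch0312 is missing and the fix would be declared but never applied to the built package. Please confirm which scheme the spec uses and, if needed, add the apply line in the same commit.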
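Review bot: The `%changelog` hunk of patch 2/3 (`+* Tue Jul 13 2021 Chen Qun` / `+- hw/net/rocker_of_dpa: fix double free bug of rocker device`) does not carry the `!155` merge-request reference that the commit subject uses, and unlike the previous entry it also gives no identifier for the issue being fixed. Consider appending the `!155` reference to the entry so the changelog can be traced back to the review, matching the subject line.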
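Review bot: The `-Release: 51` / `+Release: 52` bump in patch 3/3 is split from the changelog entry and Patch0312 addition in patch 2/3. A tree built at 2/3 alone would produce a package with the old name-version-release but different contents, which breaks upgrade ordering for anyone who pulled only the first two commits. Suggest squashing the release bump into the spec commit of 2/3, or at minimum noting in the subject of 2/3 that it must be applied together with 3/3.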