From 5d72f1542422ac6e26e8af6aaebfca66f369139f Mon Sep 17 00:00:00 2001
From: Chen Qun
Date: Tue, 14 Sep 2021 14:21:46 +0800
Subject: [PATCH 1/3] vfio/common: Add address alignment check in vfio_listener_region_del

Both vfio_listener_region_add and vfio_listener_region_del have reference counting operations on ram section->mr. If the 'iova' and 'llend' of the ram section do not pass the alignment check, the ram section should not be mapped or unmapped. It means that the reference counting should not be changed. However, the address alignment check is missing in vfio_listener_region_del. This makes memory_region_unref will be unconditional called and causes unintended problems in some scenarios.

Signed-off-by: Kunkun Jiang
---
 ...address-alignment-check-in-vfio_list.patch | 53 +++++++++++++++++++
 1 file changed, 53 insertions(+)
 create mode 100644 vfio-common-Add-address-alignment-check-in-vfio_list.patch

diff --git a/vfio-common-Add-address-alignment-check-in-vfio_list.patch b/vfio-common-Add-address-alignment-check-in-vfio_list.patch
new file mode 100644
index 00000000..0aacdcd0
--- /dev/null
+++ b/vfio-common-Add-address-alignment-check-in-vfio_list.patch
@@ -0,0 +1,53 @@
+From 0a6ee00461c784ef547b8f071ad147fcb89875b6 Mon Sep 17 00:00:00 2001
+From: Kunkun Jiang
+Date: Tue, 14 Sep 2021 14:21:46 +0800
+Subject: [PATCH] vfio/common: Add address alignment check in
+ vfio_listener_region_del
+
+Both vfio_listener_region_add and vfio_listener_region_del have
+reference counting operations on ram section->mr. If the 'iova'
+and 'llend' of the ram section do not pass the alignment
+check, the ram section should not be mapped or unmapped. It means
+that the reference counting should not be changed.
+
+However, the address alignment check is missing in
+vfio_listener_region_del. This makes memory_region_unref will
+be unconditional called and causes unintended problems in some
+scenarios.
+
+Signed-off-by: Kunkun Jiang
+---
+ hw/vfio/common.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/hw/vfio/common.c b/hw/vfio/common.c
+index de166dd5f9..6d6a4c6dee 100644
+--- a/hw/vfio/common.c
++++ b/hw/vfio/common.c
+@@ -1149,6 +1149,8 @@ static void vfio_listener_region_del(MemoryListener *listener,
+ MemoryRegionSection *section)
+ {
+ VFIOContainer *container = container_of(listener, VFIOContainer, listener);
++ hwaddr iova;
++ Int128 llend;
+ 
+ if (vfio_listener_skipped_section(section)) {
+ trace_vfio_listener_region_del_skip(
+@@ -1198,6 +1200,14 @@ static void vfio_listener_region_del(MemoryListener *listener,
+ */
+ }
+ 
++ iova = REAL_HOST_PAGE_ALIGN(section->offset_within_address_space);
++ llend = int128_make64(section->offset_within_address_space);
++ llend = int128_add(llend, section->size);
++ llend = int128_and(llend, int128_exts64(qemu_real_host_page_mask));
++ if (int128_ge(int128_make64(iova), llend)) {
++ return;
++ }
++
+ vfio_dma_unmap_ram_section(container, section);
+ 
+ memory_region_unref(section->mr);
+-- 
+2.27.0
+
-- 
Gitee

From 0e5f414f811527a895dd977165896fb1781a88fc Mon Sep 17 00:00:00 2001
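Review bot: The early return added in front of vfio_dma_unmap_ram_section only balances vfio_listener_region_add if it computes iova and llend exactly the way region_add does before taking its reference, and nothing in the hunk ties the two copies of that arithmetic together, so a later change to one side will silently unbalance the refcount again. I would put a comment above the `iova =` line making the pairing explicit, e.g. `/* Must mirror the alignment check in vfio_listener_region_add: a section that was never mapped (and never ref'd) there must not be unmapped or unref'd here. */`, or better, move the four-line computation into a small static helper shared by both listeners. Note also that the check sits after the memory_region_is_iommu branch, so an IOMMU section that region_add skipped for alignment still goes through the giommu lookup here; that is harmless only if the lookup simply finds nothing, which is worth confirming. If region_add in this tree additionally rejects sections whose offset_within_address_space and offset_within_region differ in their page bits before calling memory_region_ref, that case remains unbalanced after this patch. vfio_listener_region_del starts at the first hunk header and its body continues between and beyond the two hunks.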
From: Chen Qun
Date: Tue, 14 Sep 2021 21:28:11 +0800
Subject: [PATCH 2/3] spec: Update patch and changelog with !195 vfio/common: Add address alignment check in vfio_listener_region_del !195 vfio/common: Add address alignment check in vfio_listener_region_del
Signed-off-by: Chen Qun
---
 qemu.spec | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/qemu.spec b/qemu.spec
index 57dd698e..6afc007b 100644
--- a/qemu.spec
+++ b/qemu.spec
@@ -557,6 +557,7 @@ Patch0544: vfio-Add-vfio_prereg_listener_global_log_start-stop-.patch
 Patch0545: hw-arm-smmuv3-Post-load-stage-1-configurations-to-th.patch
 Patch0546: usbredir-fix-free-call.patch
 Patch0547: vfio-common-Fix-incorrect-address-alignment-in-vfio_.patch
+Patch0548: vfio-common-Add-address-alignment-check-in-vfio_list.patch
 
 BuildRequires: flex
 BuildRequires: gcc
@@ -960,6 +961,9 @@ getent passwd qemu >/dev/null || \
 %endif
 
 %changelog
+* Tue Sep 14 2021 Chen Qun
+- vfio/common: Add address alignment check in vfio_listener_region_del
+
 * Wed Sep 08 2021 Chen Qun
 - vfio/common: Fix incorrect address alignment in vfio_dma_map_ram_section
 
-- 
Gitee

From c85bfe75378299a7d49cc0be15a0247a4bd22715 Mon Sep 17 00:00:00 2001
From: Chen Qun
Date: Tue, 14 Sep 2021 21:28:14 +0800
Subject: [PATCH 3/3] spec: Update release version with !195 increase release verison by one
Signed-off-by: Chen Qun
---
 qemu.spec | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/qemu.spec b/qemu.spec
index 6afc007b..410e6767 100644
--- a/qemu.spec
+++ b/qemu.spec
@@ -1,6 +1,6 @@
 Name: qemu
 Version: 4.1.0
-Release: 79
+Release: 80
 Epoch: 2
 Summary: QEMU is a generic and open source machine emulator and virtualizer
 License: GPLv2 and BSD and MIT and CC-BY-SA-4.0
-- 
Gitee