diff --git a/accel-kvm-Free-as-when-an-error-occurred.patch b/accel-kvm-Free-as-when-an-error-occurred.patch new file mode 100644 index 0000000000000000000000000000000000000000..64aa45f85e39c25132fcdea3c2ea047c9d368490 --- /dev/null +++ b/accel-kvm-Free-as-when-an-error-occurred.patch @@ -0,0 +1,35 @@ +From 6ccda2ece6d08b1bf0622109c2a1f3eeca813089 Mon Sep 17 00:00:00 2001 +From: qihao +Date: Mon, 28 Aug 2023 19:43:06 +0800 +Subject: [PATCH] accel/kvm: Free as when an error occurred + +cheery-pick from 4625742cd2aeb1400407889a2f7a5b4c75437818 + +An error may occur after s->as is allocated, for example if the +KVM_CREATE_VM ioctl call fails. + +Signed-off-by: Akihiko Odaki +Message-id: 20230727073134.134102-6-akihiko.odaki@daynix.com +Reviewed-by: Peter Maydell +[PMM: tweaked commit message] +Signed-off-by: Peter Maydell +Signed-off-by: qihao_yewu +--- + accel/kvm/kvm-all.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/accel/kvm/kvm-all.c b/accel/kvm/kvm-all.c +index 799d993f6c..9c8d3a916e 100644 +--- a/accel/kvm/kvm-all.c ++++ b/accel/kvm/kvm-all.c +@@ -2589,6 +2589,7 @@ err: + if (s->fd != -1) { + close(s->fd); + } ++ g_free(s->as); + g_free(s->memory_listener.slots); + + return ret; +-- +2.41.0.windows.1 + diff --git a/accel-kvm-Make-kvm_dirty_ring_reaper_init-void.patch b/accel-kvm-Make-kvm_dirty_ring_reaper_init-void.patch new file mode 100644 index 0000000000000000000000000000000000000000..d65b940990f8107458942c91d0ced7f6a312df0f --- /dev/null +++ b/accel-kvm-Make-kvm_dirty_ring_reaper_init-void.patch 
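Review bot: The new patch file's header line `cheery-pick from 4625742cd2aeb1400407889a2f7a5b4c75437818` misspells cherry-pick, and the same typo is repeated in the next two patch files of this series; the other backports use the `mainline inclusion commit … category: bugfix` form, so the header format is inconsistent across the set as well. On the code, the added `g_free(s->as)` is only safe on the `goto err` paths taken before the array is allocated if `s->as` starts out NULL, which presumably holds because KVMState is a zero-allocated QOM object, but nothing in the hunk says so; a comment at the allocation site such as `/* NULL until allocated here; the err: path relies on g_free(NULL) being a no-op */` would make the dependency explicit. The allocation and almost all of kvm_init lie outside the hunk.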
@@ -0,0 +1,58 @@ +From e11f4d10f843f46a8659d0134220f8712f15b451 Mon Sep 17 00:00:00 2001 +From: qihao +Date: Mon, 28 Aug 2023 19:04:32 +0800 +Subject: [PATCH] accel/kvm: Make kvm_dirty_ring_reaper_init() void +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +cheery-pick from 43a5e377f42d1d3ed12ea562196f723b354ce411 + +The returned value was always zero and had no meaning. + +Signed-off-by: Akihiko Odaki +Message-id: 20230727073134.134102-7-akihiko.odaki@daynix.com +Reviewed-by: Peter Maydell +Signed-off-by: Peter Maydell +Reviewed-by: Philippe Mathieu-Daudé +Signed-off-by: qihao_yewu +--- + accel/kvm/kvm-all.c | 9 ++------- + 1 file changed, 2 insertions(+), 7 deletions(-) + +diff --git a/accel/kvm/kvm-all.c b/accel/kvm/kvm-all.c +index 799d993f6c..83881e1d96 100644 +--- a/accel/kvm/kvm-all.c ++++ b/accel/kvm/kvm-all.c +@@ -1436,15 +1436,13 @@ static void *kvm_dirty_ring_reaper_thread(void *data) + return NULL; + } + +-static int kvm_dirty_ring_reaper_init(KVMState *s) ++static void kvm_dirty_ring_reaper_init(KVMState *s) + { + struct KVMDirtyRingReaper *r = &s->reaper; + + qemu_thread_create(&r->reaper_thr, "kvm-reaper", + kvm_dirty_ring_reaper_thread, + s, QEMU_THREAD_JOINABLE); +- +- return 0; + } + + static void kvm_region_add(MemoryListener *listener, +@@ -2573,10 +2571,7 @@ static int kvm_init(MachineState *ms) + } + + if (s->kvm_dirty_ring_size) { +- ret = kvm_dirty_ring_reaper_init(s); +- if (ret) { +- goto err; +- } ++ kvm_dirty_ring_reaper_init(s); + } + + return 0; +-- +2.41.0.windows.1 + diff --git a/chardev-report-the-handshake-error.patch b/chardev-report-the-handshake-error.patch new file mode 100644 index 0000000000000000000000000000000000000000..57066235dd00df0568fb28b2c08b65da47df38b9 --- /dev/null +++ b/chardev-report-the-handshake-error.patch 
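Review bot: The now-void `kvm_dirty_ring_reaper_init()` has no failure path only because `qemu_thread_create()` terminates the process itself when `pthread_create()` fails (as I read util/qemu-thread-posix.c), and that reasoning is recorded nowhere in the hunk. A comment above the call, `/* qemu_thread_create() aborts on failure, so there is no error to return. */`, would keep a future switch to a non-fatal thread-creation helper from silently dropping the error. The rest of kvm_init, including the `err:` label the removed `goto` targeted, is outside the hunk.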
@@ -0,0 +1,58 @@ +From 30f9cc7263e44faf2b43c4fdf3d7c64ffb409502 Mon Sep 17 00:00:00 2001 +From: qihao +Date: Mon, 14 Aug 2023 14:37:36 +0800 +Subject: [PATCH] chardev: report the handshake error +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +cheery-pick from 81cd34a359a36656d2f6542226235bd318ff8873 + +This can help to debug connection issues. + +Related to: +https://bugzilla.redhat.com/show_bug.cgi?id=2196182 + +Signed-off-by: Marc-André Lureau +Reviewed-by: Daniel P. Berrangé +Message-Id: <20230510072531.3937189-1-marcandre.lureau@redhat.com> +Signed-off-by: qihao_yewu +--- + chardev/char-socket.c | 12 ++++++++++-- + 1 file changed, 10 insertions(+), 2 deletions(-) + +diff --git a/chardev/char-socket.c b/chardev/char-socket.c +index 459b9b72bd..ef5d3053f3 100644 +--- a/chardev/char-socket.c ++++ b/chardev/char-socket.c +@@ -819,8 +819,12 @@ static void tcp_chr_websock_handshake(QIOTask *task, gpointer user_data) + { + Chardev *chr = user_data; + SocketChardev *s = user_data; ++ Error *err = NULL; + +- if (qio_task_propagate_error(task, NULL)) { ++ if (qio_task_propagate_error(task, &err)) { ++ error_reportf_err(err, ++ "websock handshake of character device %s failed: ", ++ chr->label); + tcp_chr_disconnect(chr); + } else { + if (s->do_telnetopt) { +@@ -855,8 +859,12 @@ static void tcp_chr_tls_handshake(QIOTask *task, + { + Chardev *chr = user_data; + SocketChardev *s = user_data; ++ Error *err = NULL; + +- if (qio_task_propagate_error(task, NULL)) { ++ if (qio_task_propagate_error(task, &err)) { ++ error_reportf_err(err, ++ "TLS handshake of character device %s failed: ", ++ chr->label); + tcp_chr_disconnect(chr); + } else { + if (s->is_websock) { +-- +2.41.0.windows.1 + diff --git a/hw-arm-virt-Check-for-attempt-to-use-TrustZone-with-.patch b/hw-arm-virt-Check-for-attempt-to-use-TrustZone-with-.patch new file mode 100644 index 0000000000000000000000000000000000000000..f395c38dea1247a63e682d8e0e2bb91051c1ab50 
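Review bot: Each failed handshake now produces an unconditional `error_reportf_err()` line, and for a listening TLS or websocket chardev the peer that fails the handshake is an unauthenticated remote client, so anyone who can reach the port can generate one log line per connection attempt with no rate limiting. If such a chardev can be exposed on a routable address, consider rate-limiting the report or demoting it to a trace event in the listening case (`s->is_listen`, presumably) and keeping the full error only for client-mode connections where the operator controls both ends. The message also formats `chr->label`, which the surrounding code appears to assume is always set; worth confirming for chardevs created without an explicit id. `error_reportf_err()` consumes `err`, so no extra `error_free()` is needed in these two branches.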
--- /dev/null
+++ b/hw-arm-virt-Check-for-attempt-to-use-TrustZone-with-.patch
@@ -0,0 +1,57 @@ +From fd9cd16407e9d98807c631521ff1fcb83bfefac4 Mon Sep 17 00:00:00 2001 +From: tangbinzy +Date: Mon, 21 Aug 2023 06:21:27 +0000 +Subject: [PATCH] hw/arm/virt: Check for attempt to use TrustZone with KVM or + HVF mainline inclusion commit 78255ce392dc8596f9886476ad1e5c3c67f1c10a + category: bugfix + +--------------------------------------------------------------- + +It's not possible to provide the guest with the Security extensions +(TrustZone) when using KVM or HVF, because the hardware +virtualization extensions don't permit running EL3 guest code. +However, we weren't checking for this combination, with the result +that QEMU would assert if you tried it: + +$ qemu-system-aarch64 -enable-kvm -machine virt,secure=on -cpu host -display none +Unexpected error in object_property_find_err() at ../../qom/object.c:1304: +qemu-system-aarch64: Property 'host-arm-cpu.secure-memory' not found +Aborted + +Check for this combination of options and report an error, in the +same way we already do for attempts to give a KVM or HVF guest the +Virtualization or MTE extensions. Now we will report: + +qemu-system-aarch64: mach-virt: KVM does not support providing Security extensions (TrustZone) to the guest CPU + +Resolves: https://gitlab.com/qemu-project/qemu/-/issues/961 +Signed-off-by: Peter Maydell +Reviewed-by: Richard Henderson +Message-id: 20220404155301.566542-1-peter.maydell@linaro.org + +Signed-off-by: tangbinzy +--- + hw/arm/virt.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/hw/arm/virt.c b/hw/arm/virt.c +index 4c876fcf16..93554cccf1 100644 +--- a/hw/arm/virt.c ++++ b/hw/arm/virt.c +@@ -2097,6 +2097,13 @@ static void machvirt_init(MachineState *machine) + exit(1); + } + ++ if (vms->secure && (kvm_enabled() || hvf_enabled())) { ++ error_report("mach-virt: %s does not support providing " ++ "Security extensions (TrustZone) to the guest CPU", ++ kvm_enabled() ? 
"KVM" : "HVF"); ++ exit(1); ++ } ++ + if (vms->virt && (kvm_enabled() || hvf_enabled())) { + error_report("mach-virt: %s does not support providing " + "Virtualization extensions to the guest CPU", +-- +2.41.0.windows.1 + diff --git a/hw-rx-rx-gdbsim-DTB-load-address-aligned-of-16byte.patch b/hw-rx-rx-gdbsim-DTB-load-address-aligned-of-16byte.patch new file mode 100644 index 0000000000000000000000000000000000000000..b1959c8c107b7a909844a7b96d590cd534e52a54 --- /dev/null +++ b/hw-rx-rx-gdbsim-DTB-load-address-aligned-of-16byte.patch @@ -0,0 +1,42 @@ +From 97928027aadb358cdee1a2d0c4152979d867b575 Mon Sep 17 00:00:00 2001 +From: tangbinzy +Date: Mon, 21 Aug 2023 06:33:49 +0000 +Subject: [PATCH] hw/rx: rx-gdbsim DTB load address aligned of 16byte. + mainline inclusion commit bcc6f33b671d223a1d7b81491d45c58b35ed6e3e category: + bugfix +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +--------------------------------------------------------------- + +Linux kernel required alined address of DTB. +But missing align in dtb load function. +Fixed to load to the correct address. + +Signed-off-by: Yoshinori Sato +Reviewed-by: Philippe Mathieu-Daudé +Message-Id: <20220207132758.84403-1-ysato@users.sourceforge.jp> +Signed-off-by: Richard Henderson + +Signed-off-by: tangbinzy +--- + hw/rx/rx-gdbsim.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/hw/rx/rx-gdbsim.c b/hw/rx/rx-gdbsim.c +index 75d1fec6ca..887083737b 100644 +--- a/hw/rx/rx-gdbsim.c ++++ b/hw/rx/rx-gdbsim.c +@@ -142,7 +142,7 @@ static void rx_gdbsim_init(MachineState *machine) + exit(1); + } + /* DTB is located at the end of SDRAM space. */ +- dtb_offset = machine->ram_size - dtb_size; ++ dtb_offset = ROUND_DOWN(machine->ram_size - dtb_size, 16); + rom_add_blob_fixed("dtb", dtb, dtb_size, + SDRAM_BASE + dtb_offset); + /* Set dtb address to R1 */ +-- +2.41.0.windows.1 + 
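Review bot: The `Subject:` header of the new patch file is followed by two indented lines (` HVF mainline inclusion commit 78255ce392dc…` and ` category: bugfix`), which git's mailinfo treats as header folding, so `git am` will record a commit title ending in `…with KVM or HVF mainline inclusion commit 78255ce… category: bugfix`; the same folding appears in the rx-gdbsim, vhost-user and virtio-iommu patch files. Put a blank line after `Subject: [PATCH] hw/arm/virt: Check for attempt to use TrustZone with KVM or HVF` and move the `mainline inclusion commit …` and `category: bugfix` lines into the body. The added `vms->secure` check itself mirrors the existing `vms->virt` check that follows it; machvirt_init begins and ends outside the hunk.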
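Review bot: `ROUND_DOWN(machine->ram_size - dtb_size, 16)` still has no check that the DTB fits in RAM: if `dtb_size` exceeds `machine->ram_size` the unsigned subtraction wraps and `rom_add_blob_fixed()` is handed an address far past the end of SDRAM. The visible context above shows only the `exit(1)` of what looks like the load-failure check, so unless a size check exists outside the hunk, add `if (dtb_size > machine->ram_size) { error_report("DTB does not fit in RAM"); exit(1); }` before computing the offset. Rounding down also places the blob up to 15 bytes lower than before, so the region just below the old end-of-RAM placement must not already be claimed by the kernel or initrd loaded earlier in rx_gdbsim_init, which is outside the hunk.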
diff --git a/hw-ssi-Fix-Linux-driver-init-issue-with-xilinx_spi.patch b/hw-ssi-Fix-Linux-driver-init-issue-with-xilinx_spi.patch new file mode 100644 index 0000000000000000000000000000000000000000..4b74eaa48d2e14530138f4a7915c729f4a03b777 --- /dev/null +++ b/hw-ssi-Fix-Linux-driver-init-issue-with-xilinx_spi.patch @@ -0,0 +1,39 @@ +From 58a192d877acfe06964d91ef831597f833ac4f0c Mon Sep 17 00:00:00 2001 +From: xiaowanghe +Date: Mon, 14 Aug 2023 18:57:59 -0700 +Subject: [PATCH] hw/ssi: Fix Linux driver init issue with xilinx_spi + +cherry picked from commit a0eaa126af3c5a43937a22c58cfb9bb36e4a5001 + +The problem is that the Linux driver expects the master transaction inhibit +bit(R_SPICR_MTI) to be set during driver initialization so that it can +detect the fifo size but QEMU defaults it to zero out of reset. The +datasheet indicates this bit is active on reset. + +See page 25, SPI Control Register section: +https://www.xilinx.com/content/dam/xilinx/support/documents/ip_documentation/axi_quad_spi/v3_2/pg153-axi-quad-spi.pdf + +Signed-off-by: Chris Rauer +Message-id: 20230323182811.2641044-1-crauer@google.com +Reviewed-by: Edgar E. Iglesias +Signed-off-by: Peter Maydell +Signed-off-by: Wanghe Xiao +--- + hw/ssi/xilinx_spi.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/hw/ssi/xilinx_spi.c b/hw/ssi/xilinx_spi.c +index b2819a7ff0..92e7cabf42 100644 +--- a/hw/ssi/xilinx_spi.c ++++ b/hw/ssi/xilinx_spi.c +@@ -156,6 +156,7 @@ static void xlx_spi_do_reset(XilinxSPI *s) + txfifo_reset(s); + + s->regs[R_SPISSR] = ~0; ++ s->regs[R_SPICR] = R_SPICR_MTI; + xlx_spi_update_irq(s); + xlx_spi_update_cs(s); + } +-- +2.41.0.windows.1 + diff --git a/io-remove-io-watch-if-TLS-channel-is-closed-during-h.patch b/io-remove-io-watch-if-TLS-channel-is-closed-during-h.patch new file mode 100644 index 0000000000000000000000000000000000000000..73205745000ac9d3aa889999a2dc90fe6e64bc77 --- /dev/null +++ b/io-remove-io-watch-if-TLS-channel-is-closed-during-h.patch 
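Review bot: The reset value written is `R_SPICR_MTI` alone, but the AXI Quad SPI datasheet the commit cites documents the SPICR reset value as 0x180 as far as I recall, i.e. master transaction inhibit (bit 8) together with manual slave select assertion (bit 7), so check whether the bit-7 define in this file should be OR-ed in as well. Either way, a comment on the new line, `/* pg153: SPICR comes out of reset with MTI set; Linux probes the FIFO depth relying on it */`, would tie the guest-visible reset state to its source. Since this changes what a guest observes after reset in a stable branch, it is worth stating in the backport description that no machine-type compatibility property is expected for it.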
@@ -0,0 +1,83 @@ +From 979bb24c769a703c96067c9557d433492916aa67 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= +Date: Tue, 20 Jun 2023 09:45:34 +0100 +Subject: [PATCH] io: remove io watch if TLS channel is closed during handshake +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +The TLS handshake make take some time to complete, during which time an +I/O watch might be registered with the main loop. If the owner of the +I/O channel invokes qio_channel_close() while the handshake is waiting +to continue the I/O watch must be removed. Failing to remove it will +later trigger the completion callback which the owner is not expecting +to receive. In the case of the VNC server, this results in a SEGV as +vnc_disconnect_start() tries to shutdown a client connection that is +already gone / NULL. + +CVE-2023-3354 +Reported-by: jiangyegen +Signed-off-by: Daniel P. Berrangé +--- + include/io/channel-tls.h | 1 + + io/channel-tls.c | 18 ++++++++++++------ + 2 files changed, 13 insertions(+), 6 deletions(-) + +diff --git a/include/io/channel-tls.h b/include/io/channel-tls.h +index 5672479e9e..26c67f17e2 100644 +--- a/include/io/channel-tls.h ++++ b/include/io/channel-tls.h +@@ -48,6 +48,7 @@ struct QIOChannelTLS { + QIOChannel *master; + QCryptoTLSSession *session; + QIOChannelShutdown shutdown; ++ guint hs_ioc_tag; + }; + + /** +diff --git a/io/channel-tls.c b/io/channel-tls.c +index 2ae1b92fc0..34476e6b7b 100644 +--- a/io/channel-tls.c ++++ b/io/channel-tls.c +@@ -195,12 +195,13 @@ static void qio_channel_tls_handshake_task(QIOChannelTLS *ioc, + } + + trace_qio_channel_tls_handshake_pending(ioc, status); +- qio_channel_add_watch_full(ioc->master, +- condition, +- qio_channel_tls_handshake_io, +- data, +- NULL, +- context); ++ ioc->hs_ioc_tag = ++ qio_channel_add_watch_full(ioc->master, ++ condition, ++ qio_channel_tls_handshake_io, ++ data, ++ NULL, ++ context); + } + } + +@@ -215,6 +216,7 @@ static 
gboolean qio_channel_tls_handshake_io(QIOChannel *ioc, + QIOChannelTLS *tioc = QIO_CHANNEL_TLS( + qio_task_get_source(task)); + ++ tioc->hs_ioc_tag = 0; + g_free(data); + qio_channel_tls_handshake_task(tioc, task, context); + +@@ -373,6 +375,10 @@ static int qio_channel_tls_close(QIOChannel *ioc, + { + QIOChannelTLS *tioc = QIO_CHANNEL_TLS(ioc); + ++ if (tioc->hs_ioc_tag) { ++ g_clear_handle_id(&tioc->hs_ioc_tag, g_source_remove); ++ } ++ + return qio_channel_close(tioc->master, errp); + } + +-- +2.41.0.windows.1 + diff --git a/qemu.spec b/qemu.spec index e66f84fc8fff19cb4bc5322ffd980334ead37b80..18fc73479dcf7046511aea1e717d75c762a2e82e 100644 --- a/qemu.spec +++ b/qemu.spec @@ -3,7 +3,7 @@ Name: qemu Version: 6.2.0 -Release: 79 +Release: 80 Epoch: 10 Summary: QEMU is a generic and open source machine emulator and virtualizer License: GPLv2 and BSD and MIT and CC-BY-SA-4.0 @@ -555,6 +555,16 @@ Patch0540: virtio-crypto-verify-src-dst-buffer-length-for-sym-r.patch Patch0541: sw_64-Added-sw64-architecture-related-updates.patch Patch0542: aio-posix-fix-build-failure-io_uring-2.2.patch Patch0543: test-Fix-test-crypto-secret-when-compiling-without-k.patch +Patch0544: accel-kvm-Free-as-when-an-error-occurred.patch +Patch0545: accel-kvm-Make-kvm_dirty_ring_reaper_init-void.patch +Patch0546: vhost-user-Use-correct-macro-name-TARGET_PPC64.patch +Patch0547: hw-rx-rx-gdbsim-DTB-load-address-aligned-of-16byte.patch +Patch0548: hw-arm-virt-Check-for-attempt-to-use-TrustZone-with-.patch +Patch0549: virtio-iommu-use-after-free-fix.patch +Patch0550: vhost-Drop-unused-eventfd_add-del-hooks.patch +Patch0551: chardev-report-the-handshake-error.patch +Patch0552: hw-ssi-Fix-Linux-driver-init-issue-with-xilinx_spi.patch +Patch0553: io-remove-io-watch-if-TLS-channel-is-closed-during-h.patch BuildRequires: flex BuildRequires: gcc 
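Review bot: Removing the watch in `qio_channel_tls_close()` leaves the heap `QIOChannelTLSData` that was passed as the watch's opaque unreleased: the watch was added with a NULL `GDestroyNotify`, and `data` is only freed inside `qio_channel_tls_handshake_io()` (visible at `g_free(data)`), so the pending `QIOTask` it references is never completed or unreferenced either and every close-during-handshake leaks both. Passing `g_free` as the notify would recover `data` but not the task, so a cleaner fix is to keep the data (or task) pointer in the channel and release it next to the `g_clear_handle_id()` call. Separately, `g_source_remove()` only searches the default GMainContext as I read GLib's docs, whereas the watch was attached to the caller-supplied `context`; for a non-default context the removal would silently fail, so `g_main_context_find_source_by_id(context, tag)` plus `g_source_destroy()`, or storing the `GSource *` instead of the tag, would be more robust. The allocation of `data` and the start of `qio_channel_tls_handshake_task()` are outside the hunk.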
@@ -1128,6 +1138,18 @@ getent passwd qemu >/dev/null || \ %endif %changelog +* Sat Sep 9 2023 - 10:6.2.0-80 +- io: remove io watch if TLS channel is closed during handshake +- hw/ssi: Fix Linux driver init issue with xilinx_spi +- chardev: report the handshake error +- vhost: Drop unused eventfd_add|del hooks +- virtio-iommu: use-after-free fix +- hw/arm/virt: Check for attempt to use TrustZone with KVM or HVF +- hw/rx: rx-gdbsim DTB load address aligned of 16byte +- vhost-user: Use correct macro name TARGET_PPC64 +- accel/kvm: Make kvm_dirty_ring_reaper_init() void +- accel/kvm: Free as when an error occurred + * Mon Aug 28 2023 - 10:6.2.0-79 - test: Fix test-crypto-secret when compiling without keyring support - aio-posix: fix build failure io_uring 2.2 diff --git a/vhost-Drop-unused-eventfd_add-del-hooks.patch b/vhost-Drop-unused-eventfd_add-del-hooks.patch new file mode 100644 index 0000000000000000000000000000000000000000..672c23595ab84b3304a0e7b791e1c18a896db22c --- /dev/null +++ b/vhost-Drop-unused-eventfd_add-del-hooks.patch 
@@ -0,0 +1,63 @@ +From e1c5d60311a7b6dba60284f07fad92dfab688605 Mon Sep 17 00:00:00 2001 +From: xiaowanghe +Date: Sun, 13 Aug 2023 23:18:07 -0700 +Subject: [PATCH] vhost: Drop unused eventfd_add|del hooks +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +cherry picked from commit 560a997535937df2ea3716ba56bcbe38be37682f + +These hooks were introduced in: + +80a1ea3748 ("memory: move ioeventfd ops to MemoryListener", 2012-02-29) + +But they seem to be never used. Drop them. + +Cc: Richard Henderson +Signed-off-by: Peter Xu +Message-Id: <20230306193209.516011-1-peterx@redhat.com> +Reviewed-by: Philippe Mathieu-Daudé +Acked-by: Jason Wang +Reviewed-by: Michael S. Tsirkin +Signed-off-by: Michael S. Tsirkin +Signed-off-by: Wanghe Xiao +--- + hw/virtio/vhost.c | 14 -------------- + 1 file changed, 14 deletions(-) + +diff --git a/hw/virtio/vhost.c b/hw/virtio/vhost.c +index 3ac6cfde03..2d11e3c2f8 100644 +--- a/hw/virtio/vhost.c ++++ b/hw/virtio/vhost.c +@@ -1268,18 +1268,6 @@ static void vhost_virtqueue_stop(struct vhost_dev *dev, + 0, virtio_queue_get_desc_size(vdev, idx)); + } + +-static void vhost_eventfd_add(MemoryListener *listener, +- MemoryRegionSection *section, +- bool match_data, uint64_t data, EventNotifier *e) +-{ +-} +- +-static void vhost_eventfd_del(MemoryListener *listener, +- MemoryRegionSection *section, +- bool match_data, uint64_t data, EventNotifier *e) +-{ +-} +- + static int vhost_virtqueue_set_busyloop_timeout(struct vhost_dev *dev, + int n, uint32_t timeout) + { +@@ -1413,8 +1401,6 @@ int vhost_dev_init(struct vhost_dev *hdev, void *opaque, + .log_sync = vhost_log_sync, + .log_global_start = vhost_log_global_start, + .log_global_stop = vhost_log_global_stop, +- .eventfd_add = vhost_eventfd_add, +- .eventfd_del = vhost_eventfd_del, + .priority = 10 + }; + +-- +2.41.0.windows.1 + 
diff --git a/vhost-user-Use-correct-macro-name-TARGET_PPC64.patch b/vhost-user-Use-correct-macro-name-TARGET_PPC64.patch new file mode 100644 index 0000000000000000000000000000000000000000..7d469cb1fcf3b75ce98ae13836fb0b6a2780563c --- /dev/null +++ b/vhost-user-Use-correct-macro-name-TARGET_PPC64.patch @@ -0,0 +1,42 @@ +From f985f564a64e122e55a02f7a22e877f0de2de464 Mon Sep 17 00:00:00 2001 +From: tangbinzy +Date: Mon, 21 Aug 2023 06:55:57 +0000 +Subject: [PATCH] vhost-user: Use correct macro name TARGET_PPC64 mainline + inclusion commit 97252353c1f6ecbb54385c9272378b5788749a16 category: bugfix + +--------------------------------------------------------------- + +The correct name of the macro is TARGET_PPC64. + +Fixes: 27598393a232 ("Lift max memory slots limit imposed by vhost-user") +Reported-by: Fabiano Rosas +Signed-off-by: Murilo Opsfelder Araujo +Cc: Raphael Norwitz +Cc: Peter Turschmid +Reviewed-by: Daniel Henrique Barboza +Reviewed-by: Michael S. Tsirkin +Reviewed-by: Raphael Norwitz +Message-Id: <20220503180108.34506-1-muriloo@linux.ibm.com> +Signed-off-by: Daniel Henrique Barboza + +Signed-off-by: tangbinzy +--- + hw/virtio/vhost-user.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/hw/virtio/vhost-user.c b/hw/virtio/vhost-user.c +index 42a9e16cd9..24f80d5d18 100644 +--- a/hw/virtio/vhost-user.c ++++ b/hw/virtio/vhost-user.c +@@ -52,7 +52,7 @@ + #include "hw/acpi/acpi.h" + #define VHOST_USER_MAX_RAM_SLOTS ACPI_MAX_RAM_SLOTS + +-#elif defined(TARGET_PPC) || defined(TARGET_PPC_64) ++#elif defined(TARGET_PPC) || defined(TARGET_PPC64) + #include "hw/ppc/spapr.h" + #define VHOST_USER_MAX_RAM_SLOTS SPAPR_MAX_RAM_SLOTS + +-- +2.41.0.windows.1 + diff --git a/virtio-iommu-use-after-free-fix.patch b/virtio-iommu-use-after-free-fix.patch new file mode 100644 index 0000000000000000000000000000000000000000..23b4e7a93a2179046e5f624af77eaa7fa4eb5cbf --- /dev/null +++ b/virtio-iommu-use-after-free-fix.patch 
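Review bot: Since `TARGET_PPC` is defined for ppc64 targets as well (as I understand QEMU's target configuration), `defined(TARGET_PPC) || defined(TARGET_PPC64)` was already true on ppc64 before this change and the second operand remains redundant; `#elif defined(TARGET_PPC)` alone would express the intent and avoid the macro-name confusion this patch corrects. If that reading is right, the backport's `category: bugfix` label overstates the effect, and the description could say the change is cosmetic to save a reader hunting for a behavioural difference on ppc64.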
@@ -0,0 +1,82 @@ +From ab4228f1a5b45450490077a06094670f364b4efc Mon Sep 17 00:00:00 2001 +From: tangbinzy +Date: Mon, 21 Aug 2023 06:02:21 +0000 +Subject: [PATCH] virtio-iommu: use-after-free fix mainline inclusion commit + 4bf58c7213b0ab03209a53731c71f0861c35ef91 category: bugfix +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +--------------------------------------------------------------- + +A potential Use-after-free was reported in virtio_iommu_handle_command +when using virtio-iommu: + +> I find a potential Use-after-free in QEMU 6.2.0, which is in +> virtio_iommu_handle_command() (./hw/virtio/virtio-iommu.c). +> +> +> Specifically, in the loop body, the variable 'buf' allocated at line 639 can be +> freed by g_free() at line 659. However, if the execution path enters the loop +> body again and the if branch takes true at line 616, the control will directly +> jump to 'out' at line 651. At this time, 'buf' is a freed pointer, which is not +> assigned with an allocated memory but used at line 653. As a result, a UAF bug +> is triggered. +> +> +> +> 599 for (;;) { +> ... +> 615 sz = iov_to_buf(iov, iov_cnt, 0, &head, sizeof(head)); +> 616 if (unlikely(sz != sizeof(head))) { +> 617 tail.status = VIRTIO_IOMMU_S_DEVERR; +> 618 goto out; +> 619 } +> ... +> 639 buf = g_malloc0(output_size); +> ... +> 651 out: +> 652 sz = iov_from_buf(elem->in_sg, elem->in_num, 0, +> 653 buf ? buf : &tail, output_size); +> ... +> 659 g_free(buf); +> +> We can fix it by set ‘buf‘ to NULL after freeing it: +> +> +> 651 out: +> 652 sz = iov_from_buf(elem->in_sg, elem->in_num, 0, +> 653 buf ? buf : &tail, output_size); +> ... +> 659 g_free(buf); +> +++ buf = NULL; +> 660 } + +Fix as suggested by the reporter. + +Signed-off-by: Wentao Liang +Signed-off-by: Michael S. 
Tsirkin +Message-id: 20220407095047.50371-1-mst@redhat.com +Message-ID: <20220406040445-mutt-send-email-mst@kernel.org> +Signed-off-by: Peter Maydell + +Signed-off-by: tangbinzy +--- + hw/virtio/virtio-iommu.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/hw/virtio/virtio-iommu.c b/hw/virtio/virtio-iommu.c +index 1b23e8e18c..ed47d4cb64 100644 +--- a/hw/virtio/virtio-iommu.c ++++ b/hw/virtio/virtio-iommu.c +@@ -657,6 +657,7 @@ out: + virtio_notify(vdev, vq); + g_free(elem); + g_free(buf); ++ buf = NULL; + } + } + +-- +2.41.0.windows.1 +
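Review bot: Resetting `buf` closes the use-after-free, but `output_size` is the other piece of per-iteration state reused on the `goto out` short-read path and it is not reset here. If it is declared outside the `for (;;)` loop (its declaration is not in the hunk), then after a PROBE request has set it to `probe_size + sizeof(tail)`, a following request with a truncated header reaches `iov_from_buf(..., buf ? buf : &tail, output_size)` with `buf == NULL` and copies `output_size` bytes from the small stack `tail` struct into guest memory — a stack-contents disclosure to the guest — and, if the `assert(sz == output_size)` I recall follows the copy is present, a guest whose in-sg is shorter than that can abort QEMU. Resetting it alongside the pointer, `buf = NULL; output_size = sizeof(tail);`, or moving `size_t output_size = sizeof(tail);` to the top of the loop body, removes both. The start of virtio_iommu_handle_command and its declarations are outside the hunk.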