From: Li Qiang Date: Sun, 16 May 2021 03:04:03 +0000 (-0700) Subject: vhost-user-gpu: abstract vg_cleanup_mapping_iov X-Git-Tag: upstream/4.2.1~58 X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=164cb79268a4d7bedecdcad5abe5a6a249961814;p=tools%2Fqemu-arm-static.git vhost-user-gpu: abstract vg_cleanup_mapping_iov Git-commit: 3ea32d1355d446057c17458238db2749c52ee8f0 References: CVE-2021-3546 bsc#1185981 CVE-2021-3545 bsc#1185990 CVE-2021-3544 Currently in vhost-user-gpu, we free resource directly in the cleanup case of resource. If we change the cleanup logic we need to change several places, also abstruct a 'vg_create_mapping_iov' can be symmetry with the 'vg_create_mapping_iov'. This is like what virtio-gpu does, no function changed. Signed-off-by: Li Qiang Reviewed-by: Marc-André Lureau Message-Id: <20210516030403.107723-9-liq3ea@163.com> Signed-off-by: Gerd Hoffmann Signed-off-by: Jose R. Ziviani --- diff --git a/contrib/vhost-user-gpu/main.c b/contrib/vhost-user-gpu/main.c index 9554e8984..75c1aa6ed 100644 --- a/contrib/vhost-user-gpu/main.c +++ b/contrib/vhost-user-gpu/main.c @@ -49,6 +49,8 @@ static char *opt_render_node; static gboolean opt_virgl; static void vg_handle_ctrl(VuDev *dev, int qidx); +static void vg_cleanup_mapping(VuGpu *g, + struct virtio_gpu_simple_resource *res); static const char * vg_cmd_to_string(int cmd) @@ -379,7 +381,7 @@ vg_resource_destroy(VuGpu *g, } vugbm_buffer_destroy(&res->buffer); - g_free(res->iov); + vg_cleanup_mapping(g, res); pixman_image_unref(res->image); QTAILQ_REMOVE(&g->reslist, res, next); g_free(res); @@ -483,6 +485,22 @@ vg_resource_attach_backing(VuGpu *g, res->iov_cnt = ab.nr_entries; } +/* Though currently only free iov, maybe later will do more work. */ +void vg_cleanup_mapping_iov(VuGpu *g, + struct iovec *iov, uint32_t count) +{ + g_free(iov); +} + +static void +vg_cleanup_mapping(VuGpu *g, + struct virtio_gpu_simple_resource *res) +{ + vg_cleanup_mapping_iov(g, res->iov, res->iov_cnt); + res->iov = NULL; + res->iov_cnt = 0; +} + static void vg_resource_detach_backing(VuGpu *g, struct virtio_gpu_ctrl_command *cmd) @@ -501,9 +519,7 @@ vg_resource_detach_backing(VuGpu *g, return; } - g_free(res->iov); - res->iov = NULL; - res->iov_cnt = 0; + vg_cleanup_mapping(g, res); } static void diff --git a/contrib/vhost-user-gpu/virgl.c b/contrib/vhost-user-gpu/virgl.c index 1f7678ecb..031e10e8b 100644 --- a/contrib/vhost-user-gpu/virgl.c +++ b/contrib/vhost-user-gpu/virgl.c @@ -113,8 +113,9 @@ virgl_cmd_resource_unref(VuGpu *g, virgl_renderer_resource_detach_iov(unref.resource_id, &res_iovs, &num_iovs); - g_free(res_iovs); - + if (res_iovs != NULL && num_iovs != 0) { + vg_cleanup_mapping_iov(g, res_iovs, num_iovs); + } virgl_renderer_resource_unref(unref.resource_id); } @@ -291,7 +292,7 @@ virgl_resource_attach_backing(VuGpu *g, ret = virgl_renderer_resource_attach_iov(att_rb.resource_id, res_iovs, att_rb.nr_entries); if (ret != 0) { - g_free(res_iovs); + vg_cleanup_mapping_iov(g, res_iovs, att_rb.nr_entries); } } @@ -311,7 +312,7 @@ virgl_resource_detach_backing(VuGpu *g, if (res_iovs == NULL || num_iovs == 0) { return; } - g_free(res_iovs); + vg_cleanup_mapping_iov(g, res_iovs, num_iovs); } static void diff --git a/contrib/vhost-user-gpu/vugpu.h b/contrib/vhost-user-gpu/vugpu.h index 3153c9a6d..284e19aeb 100644 --- a/contrib/vhost-user-gpu/vugpu.h +++ b/contrib/vhost-user-gpu/vugpu.h @@ -164,7 +164,7 @@ int vg_create_mapping_iov(VuGpu *g, struct virtio_gpu_resource_attach_backing *ab, struct virtio_gpu_ctrl_command *cmd, struct iovec **iov); - +void vg_cleanup_mapping_iov(VuGpu *g, struct iovec *iov, uint32_t count); void vg_get_display_info(VuGpu *vg, struct virtio_gpu_ctrl_command *cmd); void vg_wait_ok(VuGpu *g);