Message ID | 20210505045824.33880-6-liq3ea@163.com |
---|---|
State | New |
Series | vhost-user-gpu: fix several security issues |
+-- On Tue, 4 May 2021, Li Qiang wrote --+ | diff --git a/contrib/vhost-user-gpu/virgl.c b/contrib/vhost-user-gpu/virgl.c | index 6a332d601f..c669d73a1d 100644 | --- a/contrib/vhost-user-gpu/virgl.c | +++ b/contrib/vhost-user-gpu/virgl.c | @@ -108,9 +108,16 @@ virgl_cmd_resource_unref(VuGpu *g, | struct virtio_gpu_ctrl_command *cmd) | { | struct virtio_gpu_resource_unref unref; | + struct iovec *res_iovs = NULL; | + int num_iovs = 0; | | VUGPU_FILL_CMD(unref); | | + virgl_renderer_resource_detach_iov(unref.resource_id, | + &res_iovs, | + &num_iovs); | + g_free(res_iovs); | + | virgl_renderer_resource_unref(unref.resource_id); * Should this also call 'virtio_gpu_cleanup_mapping_iov' similar to 'hw/display/virtio-gpu-3d.c:virgl_cmd_resource_unref'? if (res_iovs != NULL && num_iovs != 0) { virtio_gpu_cleanup_mapping_iov(g, res_iovs, num_iovs); } Thank you. -- - P J P 8685 545E B54C 486B C6EB 271E E285 8B5A F050 DE8D
P J P <ppandit@redhat.com> wrote on Wed, May 5, 2021 at 3:48 PM: > > +-- On Tue, 4 May 2021, Li Qiang wrote --+ > | diff --git a/contrib/vhost-user-gpu/virgl.c b/contrib/vhost-user-gpu/virgl.c > | index 6a332d601f..c669d73a1d 100644 > | --- a/contrib/vhost-user-gpu/virgl.c > | +++ b/contrib/vhost-user-gpu/virgl.c > | @@ -108,9 +108,16 @@ virgl_cmd_resource_unref(VuGpu *g, > | struct virtio_gpu_ctrl_command *cmd) > | { > | struct virtio_gpu_resource_unref unref; > | + struct iovec *res_iovs = NULL; > | + int num_iovs = 0; > | > | VUGPU_FILL_CMD(unref); > | > | + virgl_renderer_resource_detach_iov(unref.resource_id, > | + &res_iovs, > | + &num_iovs); > | + g_free(res_iovs); > | + > | virgl_renderer_resource_unref(unref.resource_id); > > * Should this also call 'virtio_gpu_cleanup_mapping_iov' similar to > 'hw/display/virtio-gpu-3d.c:virgl_cmd_resource_unref'? > > if (res_iovs != NULL && num_iovs != 0) { > virtio_gpu_cleanup_mapping_iov(g, res_iovs, num_iovs); > } > > No because the resource here contains only 'res->iov' no memory mapping like 'hw/display/virtio-gpu-3d.c:virgl_cmd_resource_unref'. Thanks, Li Qiang > Thank you. > -- > - P J P > 8685 545E B54C 486B C6EB 271E E285 8B5A F050 DE8D >
diff --git a/contrib/vhost-user-gpu/virgl.c b/contrib/vhost-user-gpu/virgl.c index 6a332d601f..c669d73a1d 100644 --- a/contrib/vhost-user-gpu/virgl.c +++ b/contrib/vhost-user-gpu/virgl.c @@ -108,9 +108,16 @@ virgl_cmd_resource_unref(VuGpu *g, struct virtio_gpu_ctrl_command *cmd) { struct virtio_gpu_resource_unref unref; + struct iovec *res_iovs = NULL; + int num_iovs = 0; VUGPU_FILL_CMD(unref); + virgl_renderer_resource_detach_iov(unref.resource_id, + &res_iovs, + &num_iovs); + g_free(res_iovs); + virgl_renderer_resource_unref(unref.resource_id); }
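Review bot: the g_free(res_iovs) that follows virgl_renderer_resource_detach_iov() in virgl_cmd_resource_unref() frees only the iovec array, and num_iovs is filled in but never read afterwards, so nothing in the code says why no per-entry cleanup is needed. A short comment above the g_free() stating that resources in this backend carry only 'res->iov' and no mapped guest memory (the reason given in the thread for not calling virtio_gpu_cleanup_mapping_iov as hw/display/virtio-gpu-3d.c does) would document the difference and keep the two unref paths from being "aligned" by mistake later.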
The 'res->iov' will be leaked if the guest triggers the following sequence:

    virgl_cmd_create_resource_2d
    virgl_resource_attach_backing
    virgl_cmd_resource_unref

This patch fixes this.

Signed-off-by: Li Qiang <liq3ea@163.com>

---
contrib/vhost-user-gpu/virgl.c | 7 +++++++
1 file changed, 7 insertions(+)