| Message ID | 20210505045824.33880-6-liq3ea@163.com |
|---|---|
| State | New |
| Headers | show |
| Series | vhost-user-gpu: fix several security issues | expand |
+-- On Tue, 4 May 2021, Li Qiang wrote --+
| diff --git a/contrib/vhost-user-gpu/virgl.c b/contrib/vhost-user-gpu/virgl.c
| index 6a332d601f..c669d73a1d 100644
| --- a/contrib/vhost-user-gpu/virgl.c
| +++ b/contrib/vhost-user-gpu/virgl.c
| @@ -108,9 +108,16 @@ virgl_cmd_resource_unref(VuGpu *g,
| struct virtio_gpu_ctrl_command *cmd)
| {
| struct virtio_gpu_resource_unref unref;
| + struct iovec *res_iovs = NULL;
| + int num_iovs = 0;
|
| VUGPU_FILL_CMD(unref);
|
| + virgl_renderer_resource_detach_iov(unref.resource_id,
| + &res_iovs,
| + &num_iovs);
| + g_free(res_iovs);
| +
| virgl_renderer_resource_unref(unref.resource_id);
* Should this also call 'virtio_gpu_cleanup_mapping_iov' similar to
'hw/display/virtio-gpu-3d.c:virgl_cmd_resource_unref'?
if (res_iovs != NULL && num_iovs != 0) {
virtio_gpu_cleanup_mapping_iov(g, res_iovs, num_iovs);
}
Thank you.
--
- P J P
8685 545E B54C 486B C6EB 271E E285 8B5A F050 DE8D
P J P <ppandit@redhat.com> 于2021年5月5日周三 下午3:48写道: > > +-- On Tue, 4 May 2021, Li Qiang wrote --+ > | diff --git a/contrib/vhost-user-gpu/virgl.c b/contrib/vhost-user-gpu/virgl.c > | index 6a332d601f..c669d73a1d 100644 > | --- a/contrib/vhost-user-gpu/virgl.c > | +++ b/contrib/vhost-user-gpu/virgl.c > | @@ -108,9 +108,16 @@ virgl_cmd_resource_unref(VuGpu *g, > | struct virtio_gpu_ctrl_command *cmd) > | { > | struct virtio_gpu_resource_unref unref; > | + struct iovec *res_iovs = NULL; > | + int num_iovs = 0; > | > | VUGPU_FILL_CMD(unref); > | > | + virgl_renderer_resource_detach_iov(unref.resource_id, > | + &res_iovs, > | + &num_iovs); > | + g_free(res_iovs); > | + > | virgl_renderer_resource_unref(unref.resource_id); > > * Should this also call 'virtio_gpu_cleanup_mapping_iov' similar to > 'hw/display/virtio-gpu-3d.c:virgl_cmd_resource_unref'? > > if (res_iovs != NULL && num_iovs != 0) { > virtio_gpu_cleanup_mapping_iov(g, res_iovs, num_iovs); > } > > No because the resource here contains only 'res->iov' no memory mapping like 'hw/display/virtio-gpu-3d.c:virgl_cmd_resource_unref'. Thanks, Li Qiang > Thank you. > -- > - P J P > 8685 545E B54C 486B C6EB 271E E285 8B5A F050 DE8D >
diff --git a/contrib/vhost-user-gpu/virgl.c b/contrib/vhost-user-gpu/virgl.c index 6a332d601f..c669d73a1d 100644 --- a/contrib/vhost-user-gpu/virgl.c +++ b/contrib/vhost-user-gpu/virgl.c @@ -108,9 +108,16 @@ virgl_cmd_resource_unref(VuGpu *g, struct virtio_gpu_ctrl_command *cmd) { struct virtio_gpu_resource_unref unref; + struct iovec *res_iovs = NULL; + int num_iovs = 0; VUGPU_FILL_CMD(unref); + virgl_renderer_resource_detach_iov(unref.resource_id, + &res_iovs, + &num_iovs); + g_free(res_iovs); + virgl_renderer_resource_unref(unref.resource_id); }
The 'res->iov' will be leaked if the guest trigger following sequences: virgl_cmd_create_resource_2d virgl_resource_attach_backing virgl_cmd_resource_unref This patch fixes this. Signed-off-by: Li Qiang <liq3ea@163.com> --- contrib/vhost-user-gpu/virgl.c | 7 +++++++ 1 file changed, 7 insertions(+)