{"id":2224439,"url":"http://patchwork.ozlabs.org/api/patches/2224439/?format=json","web_url":"http://patchwork.ozlabs.org/project/qemu-devel/patch/20260417122703.845442-1-alex.bennee@linaro.org/","project":{"id":14,"url":"http://patchwork.ozlabs.org/api/projects/14/?format=json","name":"QEMU Development","link_name":"qemu-devel","list_id":"qemu-devel.nongnu.org","list_email":"qemu-devel@nongnu.org","web_url":"","scm_url":"","webscm_url":"","list_archive_url":"","list_archive_url_format":"","commit_url_format":""},"msgid":"<20260417122703.845442-1-alex.bennee@linaro.org>","list_archive_url":null,"date":"2026-04-17T12:27:03","name":"[v2] hw/display: don't accidentally autofree existing virgl resources","commit_ref":null,"pull_url":null,"state":"new","archived":false,"hash":"91ee99560ab9680fefcf2ce2fe73dd3ec002abc6","submitter":{"id":39532,"url":"http://patchwork.ozlabs.org/api/people/39532/?format=json","name":"Alex Bennée","email":"alex.bennee@linaro.org"},"delegate":null,"mbox":"http://patchwork.ozlabs.org/project/qemu-devel/patch/20260417122703.845442-1-alex.bennee@linaro.org/mbox/","series":[{"id":500321,"url":"http://patchwork.ozlabs.org/api/series/500321/?format=json","web_url":"http://patchwork.ozlabs.org/project/qemu-devel/list/?series=500321","date":"2026-04-17T12:27:03","name":"[v2] hw/display: don't accidentally autofree existing virgl resources","version":2,"mbox":"http://patchwork.ozlabs.org/series/500321/mbox/"}],"comments":"http://patchwork.ozlabs.org/api/patches/2224439/comments/","check":"pending","checks":"http://patchwork.ozlabs.org/api/patches/2224439/checks/","tags":{},"related":[],"headers":{"Return-Path":"<qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org>","X-Original-To":"incoming@patchwork.ozlabs.org","Delivered-To":"patchwork-incoming@legolas.ozlabs.org","Authentication-Results":["legolas.ozlabs.org;\n\tdkim=pass (2048-bit key;\n unprotected) header.d=linaro.org header.i=@linaro.org header.a=rsa-sha256\n header.s=google 
header.b=O5+ev40i;\n\tdkim-atps=neutral","legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=nongnu.org\n (client-ip=209.51.188.17; helo=lists1p.gnu.org;\n envelope-from=qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org;\n receiver=patchwork.ozlabs.org)"],"From":"=?utf-8?q?Alex_Benn=C3=A9e?= <alex.bennee@linaro.org>","To":"qemu-devel@nongnu.org","Cc":"=?utf-8?q?Alex_Benn=C3=A9e?= <alex.bennee@linaro.org>,\n Manos Pitsidianakis <manos.pitsidianakis@linaro.org>, qemu-stable@nongnu.org,\n \"Michael S. Tsirkin\" <mst@redhat.com>,\n Akihiko Odaki <odaki@rsg.ci.i.u-tokyo.ac.jp>,\n Dmitry Osipenko <dmitry.osipenko@collabora.com>","Subject":"[PATCH v2] hw/display: don't accidentally autofree existing virgl\n resources","Date":"Fri, 17 Apr 2026 13:27:03 +0100","Message-ID":"<20260417122703.845442-1-alex.bennee@linaro.org>","X-Mailer":"git-send-email 2.47.3","MIME-Version":"1.0","Content-Type":"text/plain; charset=UTF-8","Content-Transfer-Encoding":"8bit","Received-SPF":"pass client-ip=2a00:1450:4864:20::42c;\n envelope-from=alex.bennee@linaro.org; helo=mail-wr1-x42c.google.com","X-Spam_score_int":"-20","X-Spam_score":"-2.1","X-Spam_bar":"--","X-Spam_report":"(-2.1 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1,\n DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1,\n RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001,\n SPF_PASS=-0.001 autolearn=unavailable autolearn_force=no","X-Spam_action":"no action","X-BeenThere":"qemu-devel@nongnu.org","X-Mailman-Version":"2.1.29","Precedence":"list","List-Id":"qemu development <qemu-devel.nongnu.org>","List-Unsubscribe":"<https://lists.nongnu.org/mailman/options/qemu-devel>,\n <mailto:qemu-devel-request@nongnu.org?subject=unsubscribe>","List-Archive":"<https://lists.nongnu.org/archive/html/qemu-devel>","List-Post":"<mailto:qemu-devel@nongnu.org>","List-Help":"<mailto:qemu-devel-request@nongnu.org?subject=help>","List-Subscribe":"<https://lists.nongnu.org/mailman/listinfo/qemu-devel>,\n 
<mailto:qemu-devel-request@nongnu.org?subject=subscribe>","Errors-To":"qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org","Sender":"qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org"},"content":"While sanity checking a create blob operation the use of the auto\nfreed res variable could lead to inadvertently freeing an existing\nblob.\n\nAvoid this by in-lining the virtio_gpu_virgl_find_resource() check as\nthe value is not needed anyway.\n\nWhile at it add a comment to the end and use g_steal_pointer to make\nit clearer the object lifetime exceeds the function bounds if we pass\nall the checks.\n\nFixes: CVE-2026-6502\nFixes: 7c092f17cce (virtio-gpu: Handle resource blob commands)\nMessage-ID: 20260417094443.785462-1-alex.bennee@linaro.org\nSigned-off-by: Alex Bennée <alex.bennee@linaro.org>\nReviewed-by: Manos Pitsidianakis <manos.pitsidianakis@linaro.org>\nCc: qemu-stable@nongnu.org\n---\n hw/display/virtio-gpu-virgl.c | 6 +++---\n 1 file changed, 3 insertions(+), 3 deletions(-)","diff":"diff --git a/hw/display/virtio-gpu-virgl.c b/hw/display/virtio-gpu-virgl.c\nindex b7a2d160ddd..add85bd4e61 100644\n--- a/hw/display/virtio-gpu-virgl.c\n+++ b/hw/display/virtio-gpu-virgl.c\n@@ -830,8 +830,7 @@ static void virgl_cmd_resource_create_blob(VirtIOGPU *g,\n         return;\n     }\n \n-    res = virtio_gpu_virgl_find_resource(g, cblob.resource_id);\n-    if (res) {\n+    if (virtio_gpu_virgl_find_resource(g, cblob.resource_id)) {\n         qemu_log_mask(LOG_GUEST_ERROR, \"%s: resource already exists %d\\n\",\n                       __func__, cblob.resource_id);\n         cmd->error = VIRTIO_GPU_RESP_ERR_INVALID_RESOURCE_ID;\n@@ -884,8 +883,9 @@ static void virgl_cmd_resource_create_blob(VirtIOGPU *g,\n \n     res->base.dmabuf_fd = info.fd;\n \n+    /* Now live, cleaned up in virtio_gpu_virgl_resource_unref */\n     QTAILQ_INSERT_HEAD(&g->reslist, &res->base, next);\n-    res = NULL;\n+    g_steal_pointer(&res);\n }\n \n static void 
virgl_cmd_resource_map_blob(VirtIOGPU *g,\n","prefixes":["v2"]}
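
Review bot: in the first hunk (@@ -830), nothing at the `if (virtio_gpu_virgl_find_resource(g, cblob.resource_id))` check records why the lookup result must not be stored in `res`, so a later tidy-up could reintroduce the assignment this patch removes. A one-line comment above the check saying that `res` is auto-freed (as the commit message explains) and may only ever hold the newly allocated resource would guard against that. The declaration of `res` lies outside the hunk context; please confirm it is initialised to NULL, because every early `return` before the allocation depends on it. A regression test that issues a create-blob request with an already-used `resource_id` and then touches the original resource would also be worth adding for a fix tagged for qemu-stable.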
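
Review bot: in the second hunk (@@ -884), `g_steal_pointer(&res);` discards its return value, so it serves only to clear `res`, while the new ownership comment sits above `QTAILQ_INSERT_HEAD` rather than beside the steal. Consider moving the comment onto the `g_steal_pointer(&res);` line, or wording it to say that `g->reslist` owns the resource from this point on, so the hand-off and its explanation read together and the bare call is not mistaken for a statement with no effect.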