| From b8e23926c568f2e963af39028b71c472e3023793 Mon Sep 17 00:00:00 2001 |
| From: Li Qiang <liq3ea@gmail.com> |
| Date: Mon, 28 Nov 2016 21:29:25 -0500 |
| Subject: [PATCH] virtio-gpu: call cleanup mapping function in resource destroy |
| |
| If the guest destroys the resource before detaching its backing, the 'iov' |
| and 'addrs' fields in the resource are not freed, leading to a memory |
| leak. This patch avoids this. |
| |
| CVE: CVE-2016-9912 |
| Upstream-Status: Backport |
| |
| Signed-off-by: Li Qiang <liq3ea@gmail.com> |
| Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com> |
| Message-id: 1480386565-10077-1-git-send-email-liq3ea@gmail.com |
| Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> |
| Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com> |
| --- |
| hw/display/virtio-gpu.c | 3 +++ |
| 1 file changed, 3 insertions(+) |
| |
| diff --git a/hw/display/virtio-gpu.c b/hw/display/virtio-gpu.c |
| index ed2b6d3..6a26258 100644 |
| --- a/hw/display/virtio-gpu.c |
| +++ b/hw/display/virtio-gpu.c |
| @@ -28,6 +28,8 @@ |
| static struct virtio_gpu_simple_resource* |
| virtio_gpu_find_resource(VirtIOGPU *g, uint32_t resource_id); |
| |
| +static void virtio_gpu_cleanup_mapping(struct virtio_gpu_simple_resource *res); |
| + |
| #ifdef CONFIG_VIRGL |
| #include <virglrenderer.h> |
| #define VIRGL(_g, _virgl, _simple, ...) \ |
| @@ -364,6 +366,7 @@ static void virtio_gpu_resource_destroy(VirtIOGPU *g, |
| struct virtio_gpu_simple_resource *res) |
| { |
| pixman_image_unref(res->image); |
| + virtio_gpu_cleanup_mapping(res); |
| QTAILQ_REMOVE(&g->reslist, res, next); |
| g->hostmem -= res->hostmem; |
| g_free(res); |
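Review bot: The added `virtio_gpu_cleanup_mapping(res);` call in virtio_gpu_resource_destroy runs for every destroyed resource, presumably including ones whose backing was never attached or was already detached, so it depends on the helper tolerating a NULL `iov` with a zero count and clearing those fields once freed. The helper's body is not part of this patch, so that should be confirmed against the tree this backport targets. Because the destroy path is driven by guest commands, I would also document the intent above the call, e.g. `/* guest may destroy a resource without detaching its backing; release iov/addrs here so host memory is not leaked (CVE-2016-9912) */`. The function's closing brace lies outside the hunk.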
| -- |
| 1.9.1 |
| |