Merge remote-tracking branch 'remotes/kraxel/tags/vga-20210527-pull-request' into staging

virtio-gpu: add blob resource support.
vhost-user-gpu: security fixes.

# gpg: Signature made Thu 27 May 2021 15:23:25 BST
# gpg:                using RSA key A0328CFFB93A17A79901FE7D4CB6D8EED3E87138
# gpg: Good signature from "Gerd Hoffmann (work) <kraxel@redhat.com>" [full]
# gpg:                 aka "Gerd Hoffmann <gerd@kraxel.org>" [full]
# gpg:                 aka "Gerd Hoffmann (private) <kraxel@gmail.com>" [full]
# Primary key fingerprint: A032 8CFF B93A 17A7 9901  FE7D 4CB6 D8EE D3E8 7138

* remotes/kraxel/tags/vga-20210527-pull-request: (23 commits)
  virtio-gpu: Update cursor data using blob
  virtio-gpu: Add virtio_gpu_set_scanout_blob
  virtio-gpu: Factor out update scanout
  virtio-gpu: Add helpers to create and destroy dmabuf objects
  ui/pixman: Add qemu_pixman_to_drm_format()
  virtio-gpu: Add virtio_gpu_resource_create_blob
  virtio-gpu: Add initial definitions for blob resources
  virtio-gpu: Refactor virtio_gpu_create_mapping_iov
  virtio-gpu: Refactor virtio_gpu_set_scanout
  virtio-gpu: Add virtio_gpu_find_check_resource
  stubs: Add stubs for udmabuf helpers
  virtio-gpu: Add udmabuf helpers
  headers: Add udmabuf.h
  ui: Get the fd associated with udmabuf driver
  hw/display/qxl: Set pci rom address aligned with page size
  vhost-user-gpu: abstract vg_cleanup_mapping_iov
  vhost-user-gpu: fix OOB write in 'virgl_cmd_get_capset' (CVE-2021-3546)
  vhost-user-gpu: fix memory leak in 'virgl_resource_attach_backing' (CVE-2021-3544)
  vhost-user-gpu: fix memory leak in 'virgl_cmd_resource_unref' (CVE-2021-3544)
  vhost-user-gpu: fix memory leak while calling 'vg_resource_unref' (CVE-2021-3544)
  ...

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>

1 files changed, 26 insertions, 3 deletions

diff --git a/contrib/vhost-user-gpu/vhost-user-gpu.c b/contrib/vhost-user-gpu/vhost-user-gpu.c
index f73f292c9f..6dc6a44f4e 100644
--- a/contrib/vhost-user-gpu/vhost-user-gpu.c
+++ b/contrib/vhost-user-gpu/vhost-user-gpu.c
@@ -49,6 +49,8 @@ static char *opt_render_node;
 static gboolean opt_virgl;
 
 static void vg_handle_ctrl(VuDev *dev, int qidx);
+static void vg_cleanup_mapping(VuGpu *g,
+                               struct virtio_gpu_simple_resource *res);
 
 static const char *
 vg_cmd_to_string(int cmd)
@@ -349,6 +351,7 @@ vg_resource_create_2d(VuGpu *g,
         g_critical("%s: resource creation failed %d %d %d",
                    __func__, c2d.resource_id, c2d.width, c2d.height);
         g_free(res);
+        vugbm_buffer_destroy(&res->buffer);
         cmd->error = VIRTIO_GPU_RESP_ERR_OUT_OF_MEMORY;
         return;
     }
@@ -399,6 +402,7 @@ vg_resource_destroy(VuGpu *g,
     }
 
     vugbm_buffer_destroy(&res->buffer);
+    vg_cleanup_mapping(g, res);
     pixman_image_unref(res->image);
     QTAILQ_REMOVE(&g->reslist, res, next);
     g_free(res);
@@ -488,6 +492,11 @@ vg_resource_attach_backing(VuGpu *g,
         return;
     }
 
+    if (res->iov) {
+        cmd->error = VIRTIO_GPU_RESP_ERR_UNSPEC;
+        return;
+    }
+
     ret = vg_create_mapping_iov(g, &ab, cmd, &res->iov);
     if (ret != 0) {
         cmd->error = VIRTIO_GPU_RESP_ERR_UNSPEC;
@@ -497,6 +506,22 @@ vg_resource_attach_backing(VuGpu *g,
     res->iov_cnt = ab.nr_entries;
 }
 
+/* Though currently only free iov, maybe later will do more work. */
+void vg_cleanup_mapping_iov(VuGpu *g,
+                            struct iovec *iov, uint32_t count)
+{
+    g_free(iov);
+}
+
+static void
+vg_cleanup_mapping(VuGpu *g,
+                   struct virtio_gpu_simple_resource *res)
+{
+    vg_cleanup_mapping_iov(g, res->iov, res->iov_cnt);
+    res->iov = NULL;
+    res->iov_cnt = 0;
+}
+
 static void
 vg_resource_detach_backing(VuGpu *g,
                            struct virtio_gpu_ctrl_command *cmd)
@@ -515,9 +540,7 @@ vg_resource_detach_backing(VuGpu *g,
         return;
     }
 
-    g_free(res->iov);
-    res->iov = NULL;
-    res->iov_cnt = 0;
+    vg_cleanup_mapping(g, res);
 }
 
 static void