[Qemu-commits] [qemu/qemu] d964d3: hw/vfio/pci: fix double free in vfio

qemu-commits

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Qemu-commits] [qemu/qemu] d964d3: hw/vfio/pci: fix double free in vfio_

From:	Peter Maydell
Subject:	[Qemu-commits] [qemu/qemu] d964d3: hw/vfio/pci: fix double free in vfio_msi_disable
Date:	Mon, 14 Oct 2019 08:09:29 -0700

  Branch: refs/heads/master
  Home:   https://github.com/qemu/qemu
  Commit: d964d3b5abb5242591a088dacb1dc01e608b5158
      
https://github.com/qemu/qemu/commit/d964d3b5abb5242591a088dacb1dc01e608b5158
  Author: Evgeny Yakovlev <address@hidden>
  Date:   2019-10-10 (Thu, 10 Oct 2019)

  Changed paths:
    M hw/vfio/pci.c

  Log Message:
  -----------
  hw/vfio/pci: fix double free in vfio_msi_disable

The following guest behaviour patter leads to double free in VFIO PCI:

1. Guest enables MSI interrupts
vfio_msi_enable is called, but fails in vfio_enable_vectors.
In our case this was because VFIO GPU device was in D3 state.
Unhappy path in vfio_msi_enable will g_free(vdev->msi_vectors) but not
set this pointer to NULL

2. Guest still sees MSI an enabled after that because emulated config
write is done in vfio_pci_write_config unconditionally before calling
vfio_msi_enable

3. Guest disables MSI interrupts
vfio_msi_disable is called and tries to g_free(vdev->msi_vectors)
in vfio_msi_disable_common => double free

Signed-off-by: Evgeny Yakovlev <address@hidden>
Signed-off-by: Alex Williamson <address@hidden>


  Commit: 22dbfdecc3c52228d3489da3fe81da92b21197bf
      
https://github.com/qemu/qemu/commit/22dbfdecc3c52228d3489da3fe81da92b21197bf
  Author: Peter Maydell <address@hidden>
  Date:   2019-10-14 (Mon, 14 Oct 2019)

  Changed paths:
    M hw/vfio/pci.c

  Log Message:
  -----------
  Merge remote-tracking branch 'remotes/awilliam/tags/vfio-update-20191010.0' 
into staging

VFIO update 2019-10-10

 - Fix MSI error path double free (Evgeny Yakovlev)

# gpg: Signature made Thu 10 Oct 2019 20:07:39 BST
# gpg:                using RSA key 239B9B6E3BB08B22
# gpg: Good signature from "Alex Williamson <address@hidden>" [full]
# gpg:                 aka "Alex Williamson <address@hidden>" [full]
# gpg:                 aka "Alex Williamson <address@hidden>" [full]
# gpg:                 aka "Alex Williamson <address@hidden>" [full]
# Primary key fingerprint: 42F6 C04E 540B D1A9 9E7B  8A90 239B 9B6E 3BB0 8B22

* remotes/awilliam/tags/vfio-update-20191010.0:
  hw/vfio/pci: fix double free in vfio_msi_disable

Signed-off-by: Peter Maydell <address@hidden>


Compare: https://github.com/qemu/qemu/compare/c8b2bc5185c9...22dbfdecc3c5

[Prev in Thread]

Current Thread

[Next in Thread]

[Qemu-commits] [qemu/qemu] d964d3: hw/vfio/pci: fix double free in vfio_msi_disable, Peter Maydell <=

Prev by Date: [Qemu-commits] [qemu/qemu] 870328: 9p: unsigned type for type, version, path
Next by Date: [Qemu-commits] [qemu/qemu] 8f8d52: migration: use migration_is_active to represent ac...
Previous by thread: [Qemu-commits] [qemu/qemu] 870328: 9p: unsigned type for type, version, path
Next by thread: [Qemu-commits] [qemu/qemu] 8f8d52: migration: use migration_is_active to represent ac...
Index(es):
- Date
- Thread