[Qemu-commits] [qemu/qemu] 8ec141: vfio: fix use-after-free in display

qemu-commits

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Qemu-commits] [qemu/qemu] 8ec141: vfio: fix use-after-free in display

From:	Peter Maydell
Subject:	[Qemu-commits] [qemu/qemu] 8ec141: vfio: fix use-after-free in display
Date:	Thu, 16 Jul 2020 13:15:30 -0700

  Branch: refs/heads/master
  Home:   https://github.com/qemu/qemu
  Commit: 8ec1415935ff4214ef9b47448ff7ac52cfa8b77e
      
https://github.com/qemu/qemu/commit/8ec1415935ff4214ef9b47448ff7ac52cfa8b77e
  Author: Gerd Hoffmann <kraxel@redhat.com>
  Date:   2020-07-16 (Thu, 16 Jul 2020)

  Changed paths:
    M hw/vfio/display.c

  Log Message:
  -----------
  vfio: fix use-after-free in display

Calling ramfb_display_update() might replace the DisplaySurface with the
boot display, which in turn will free the currently active
DisplaySurface.

So clear our DisplaySurface pinter (dpy->region.surface pointer) to (a)
avoid use-after-free and (b) force replacing the boot display with the
real display when switching back.

Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Reviewed-by: Alex Williamson <alex.williamson@redhat.com>
Acked-by: Alex Williamson <alex.williamson@redhat.com>
Message-id: 20200713124520.23266-1-kraxel@redhat.com


  Commit: 4084e35068772cf4f81bbae5174019f277c61084
      
https://github.com/qemu/qemu/commit/4084e35068772cf4f81bbae5174019f277c61084
  Author: Gerd Hoffmann <kraxel@redhat.com>
  Date:   2020-07-16 (Thu, 16 Jul 2020)

  Changed paths:
    M hw/usb/dev-storage.c

  Log Message:
  -----------
  usb: fix storage regression

Fix the contition to figure whenever we need to wait for more data or
not.  Simply check the mode, if we are not in DATAIN state any more we
are done already and don't need to go ASYNC.

Fixes: 7ad3d51ebb8a ("usb: add short-packet handling to usb-storage driver")
Reported-by: Sai Pavan Boddu <saipava@xilinx.com>
Tested-by: Paul Zimmerman <pauldzim@gmail.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Message-id: 20200713062712.1476-1-kraxel@redhat.com


  Commit: 95d1fbabae0cd44156ac4b96d512d143ca7dfd5e
      
https://github.com/qemu/qemu/commit/95d1fbabae0cd44156ac4b96d512d143ca7dfd5e
  Author: Peter Maydell <peter.maydell@linaro.org>
  Date:   2020-07-16 (Thu, 16 Jul 2020)

  Changed paths:
    M hw/usb/dev-storage.c
    M hw/vfio/display.c

  Log Message:
  -----------
  Merge remote-tracking branch 
'remotes/kraxel/tags/fixes-20200716-pull-request' into staging

fixes: usb storage regression, vfio display ramfb bug

# gpg: Signature made Thu 16 Jul 2020 10:30:58 BST
# gpg:                using RSA key 4CB6D8EED3E87138
# gpg: Good signature from "Gerd Hoffmann (work) <kraxel@redhat.com>" [full]
# gpg:                 aka "Gerd Hoffmann <gerd@kraxel.org>" [full]
# gpg:                 aka "Gerd Hoffmann (private) <kraxel@gmail.com>" [full]
# Primary key fingerprint: A032 8CFF B93A 17A7 9901  FE7D 4CB6 D8EE D3E8 7138

* remotes/kraxel/tags/fixes-20200716-pull-request:
  usb: fix storage regression
  vfio: fix use-after-free in display

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>


Compare: https://github.com/qemu/qemu/compare/175788d4eb91...95d1fbabae0c

[Prev in Thread]

Current Thread

[Next in Thread]

[Qemu-commits] [qemu/qemu] 8ec141: vfio: fix use-after-free in display, Peter Maydell <=

Prev by Date: [Qemu-commits] [qemu/qemu] f8b332: tpm: tpm_spapr: Exit on TPM backend failures
Next by Date: [Qemu-commits] [qemu/qemu] 1f4367: i368/cpu: Clear env->user_features after loading v...
Previous by thread: [Qemu-commits] [qemu/qemu] f8b332: tpm: tpm_spapr: Exit on TPM backend failures
Next by thread: [Qemu-commits] [qemu/qemu] 1f4367: i368/cpu: Clear env->user_features after loading v...
Index(es):
- Date
- Thread