b69ad9167a
Include security fixes and other recent "stable" fixes OBS-URL: https://build.opensuse.org/request/show/664459 OBS-URL: https://build.opensuse.org/package/show/Virtualization/qemu?expand=0&rev=445
104 lines
3.4 KiB
Diff
104 lines
3.4 KiB
Diff
From: Prasad J Pandit <pjp@fedoraproject.org>
|
|
Date: Thu, 13 Dec 2018 01:00:37 +0530
|
|
Subject: pvrdma: release ring object in case of an error
|
|
|
|
create_cq and create_qp routines allocate ring object, but it's
|
|
not released in case of an error, leading to memory leakage.
|
|
|
|
Reported-by: Li Qiang <liq3ea@163.com>
|
|
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
|
|
Reviewed-by: Yuval Shaia <yuval.shaia@oracle.com>
|
|
Signed-off-by: Marcel Apfelbaum <marcel.apfelbaum@gmail.com>
|
|
(cherry picked from commit 509f57c98e7536905bb4902363d0cba66ce7e089)
|
|
[BR: BSC#1119991 CVE-2018-20126]
|
|
Signed-off-by: Bruce Rogers <brogers@suse.com>
|
|
---
|
|
hw/rdma/vmw/pvrdma_cmd.c | 39 ++++++++++++++++++++++++++++-----------
|
|
1 file changed, 28 insertions(+), 11 deletions(-)
|
|
|
|
diff --git a/hw/rdma/vmw/pvrdma_cmd.c b/hw/rdma/vmw/pvrdma_cmd.c
|
|
index ce2514aacb..51da4a1c40 100644
|
|
--- a/hw/rdma/vmw/pvrdma_cmd.c
|
|
+++ b/hw/rdma/vmw/pvrdma_cmd.c
|
|
@@ -315,6 +315,14 @@ out:
|
|
return rc;
|
|
}
|
|
|
|
+static void destroy_cq_ring(PvrdmaRing *ring)
|
|
+{
|
|
+ pvrdma_ring_free(ring);
|
|
+ /* ring_state was in slot 1, not 0 so need to jump back */
|
|
+ rdma_pci_dma_unmap(ring->dev, --ring->ring_state, TARGET_PAGE_SIZE);
|
|
+ g_free(ring);
|
|
+}
|
|
+
|
|
static int create_cq(PVRDMADev *dev, union pvrdma_cmd_req *req,
|
|
union pvrdma_cmd_resp *rsp)
|
|
{
|
|
@@ -338,6 +346,9 @@ static int create_cq(PVRDMADev *dev, union pvrdma_cmd_req *req,
|
|
|
|
resp->hdr.err = rdma_rm_alloc_cq(&dev->rdma_dev_res, &dev->backend_dev,
|
|
cmd->cqe, &resp->cq_handle, ring);
|
|
+ if (resp->hdr.err) {
|
|
+ destroy_cq_ring(ring);
|
|
+ }
|
|
resp->cqe = cmd->cqe;
|
|
|
|
out:
|
|
@@ -361,10 +372,7 @@ static int destroy_cq(PVRDMADev *dev, union pvrdma_cmd_req *req,
|
|
}
|
|
|
|
ring = (PvrdmaRing *)cq->opaque;
|
|
- pvrdma_ring_free(ring);
|
|
- /* ring_state was in slot 1, not 0 so need to jump back */
|
|
- rdma_pci_dma_unmap(PCI_DEVICE(dev), --ring->ring_state, TARGET_PAGE_SIZE);
|
|
- g_free(ring);
|
|
+ destroy_cq_ring(ring);
|
|
|
|
rdma_rm_dealloc_cq(&dev->rdma_dev_res, cmd->cq_handle);
|
|
|
|
@@ -462,6 +470,17 @@ out:
|
|
return rc;
|
|
}
|
|
|
|
+static void destroy_qp_rings(PvrdmaRing *ring)
|
|
+{
|
|
+ pr_dbg("sring=%p\n", &ring[0]);
|
|
+ pvrdma_ring_free(&ring[0]);
|
|
+ pr_dbg("rring=%p\n", &ring[1]);
|
|
+ pvrdma_ring_free(&ring[1]);
|
|
+
|
|
+ rdma_pci_dma_unmap(ring->dev, ring->ring_state, TARGET_PAGE_SIZE);
|
|
+ g_free(ring);
|
|
+}
|
|
+
|
|
static int create_qp(PVRDMADev *dev, union pvrdma_cmd_req *req,
|
|
union pvrdma_cmd_resp *rsp)
|
|
{
|
|
@@ -492,6 +511,10 @@ static int create_qp(PVRDMADev *dev, union pvrdma_cmd_req *req,
|
|
cmd->max_send_sge, cmd->send_cq_handle,
|
|
cmd->max_recv_wr, cmd->max_recv_sge,
|
|
cmd->recv_cq_handle, rings, &resp->qpn);
|
|
+ if (resp->hdr.err) {
|
|
+ destroy_qp_rings(rings);
|
|
+ return resp->hdr.err;
|
|
+ }
|
|
|
|
resp->max_send_wr = cmd->max_send_wr;
|
|
resp->max_recv_wr = cmd->max_recv_wr;
|
|
@@ -566,13 +589,7 @@ static int destroy_qp(PVRDMADev *dev, union pvrdma_cmd_req *req,
|
|
rdma_rm_dealloc_qp(&dev->rdma_dev_res, cmd->qp_handle);
|
|
|
|
ring = (PvrdmaRing *)qp->opaque;
|
|
- pr_dbg("sring=%p\n", &ring[0]);
|
|
- pvrdma_ring_free(&ring[0]);
|
|
- pr_dbg("rring=%p\n", &ring[1]);
|
|
- pvrdma_ring_free(&ring[1]);
|
|
-
|
|
- rdma_pci_dma_unmap(PCI_DEVICE(dev), ring->ring_state, TARGET_PAGE_SIZE);
|
|
- g_free(ring);
|
|
+ destroy_qp_rings(ring);
|
|
|
|
return 0;
|
|
}
|