Accepting request 898228 from home:jziviani:branches:Virtualization

- Fix out-of-bounds write in virgl_cmd_get_capset
  CVE-2021-3546 bsc#1185981
  vhost-user-gpu-abstract-vg_cleanup_mappi.patch
- Fix memory leaks found in the virtio vhost-user GPU device
  CVE-2021-3544
  vhost-user-gpu-fix-leak-in-virgl_cmd_res.patch
  vhost-user-gpu-fix-leak-in-virgl_resourc.patch
  vhost-user-gpu-fix-memory-disclosure-in-.patch
  vhost-user-gpu-fix-memory-leak-in-vg_res.patch
  vhost-user-gpu-fix-memory-leak-while-cal.patch
  vhost-user-gpu-fix-OOB-write-in-virgl_cm.patch
- Fix information disclosure due to uninitialized memory read
  CVE-2021-3545 bsc#1185990
  vhost-user-gpu-fix-resource-leak-in-vg_r.patch

OBS-URL: https://build.opensuse.org/request/show/898228
OBS-URL: https://build.opensuse.org/package/show/Virtualization/qemu?expand=0&rev=653

bundles.tar.xz

@@ -1,3 +1,3 @@
 version https://git-lfs.github.com/spec/v1
-oid sha256:0300c7a1fdea7e0c7c20b707481ea1894523eee636f7746cc50d5d12425036b2
-size 58808
+oid sha256:09f26a3085d3c590edd7686b07b2b616cf634538ca073bba97a28323140081f5
+size 51544

qemu.changes

@@ -1,3 +1,21 @@
+-------------------------------------------------------------------
+Mon Jun  7 18:13:50 UTC 2021 - José Ricardo Ziviani <jose.ziviani@suse.com>
+
+- Fix out-of-bounds write in virgl_cmd_get_capset
+  CVE-2021-3546 bsc#1185981
+  vhost-user-gpu-abstract-vg_cleanup_mappi.patch
+- Fix memory leaks found in the virtio vhost-user GPU device
+  CVE-2021-3544
+  vhost-user-gpu-fix-leak-in-virgl_cmd_res.patch
+  vhost-user-gpu-fix-leak-in-virgl_resourc.patch
+  vhost-user-gpu-fix-memory-disclosure-in-.patch
+  vhost-user-gpu-fix-memory-leak-in-vg_res.patch
+  vhost-user-gpu-fix-memory-leak-while-cal.patch
+  vhost-user-gpu-fix-OOB-write-in-virgl_cm.patch
+- Fix information disclosure due to uninitialized memory read
+  CVE-2021-3545 bsc#1185990
+  vhost-user-gpu-fix-resource-leak-in-vg_r.patch
+
 -------------------------------------------------------------------
 Thu Jun  3 09:43:32 UTC 2021 - Dirk Müller <dmueller@suse.com>
 

qemu.spec

@@ -192,6 +192,14 @@ Patch00056:     vhost-user-blk-Get-more-feature-flags-fr.patch
 Patch00057:     virtio-Fail-if-iommu_platform-is-request.patch
 Patch00058:     vhost-user-blk-Check-that-num-queues-is-.patch
 Patch00059:     vfio-ccw-Permit-missing-IRQs.patch
+Patch00060:     vhost-user-gpu-fix-memory-disclosure-in-.patch
+Patch00061:     vhost-user-gpu-fix-resource-leak-in-vg_r.patch
+Patch00062:     vhost-user-gpu-fix-memory-leak-in-vg_res.patch
+Patch00063:     vhost-user-gpu-fix-memory-leak-while-cal.patch
+Patch00064:     vhost-user-gpu-fix-leak-in-virgl_cmd_res.patch
+Patch00065:     vhost-user-gpu-fix-leak-in-virgl_resourc.patch
+Patch00066:     vhost-user-gpu-fix-OOB-write-in-virgl_cm.patch
+Patch00067:     vhost-user-gpu-abstract-vg_cleanup_mappi.patch
 # Patches applied in roms/seabios/:
 Patch01000:     seabios-use-python2-explicitly-as-needed.patch
 Patch01001:     seabios-switch-to-python3-as-needed.patch
@@ -1084,6 +1092,14 @@ This package records qemu testsuite results and represents successful testing.
 %patch00057 -p1
 %patch00058 -p1
 %patch00059 -p1
+%patch00060 -p1
+%patch00061 -p1
+%patch00062 -p1
+%patch00063 -p1
+%patch00064 -p1
+%patch00065 -p1
+%patch00066 -p1
+%patch00067 -p1
 %patch01000 -p1
 %patch01001 -p1
 %patch01002 -p1

vhost-user-gpu-abstract-vg_cleanup_mappi.patch

@@ -0,0 +1,133 @@
+From: Li Qiang <liq3ea@163.com>
+Date: Sat, 15 May 2021 20:04:03 -0700
+Subject: vhost-user-gpu: abstract vg_cleanup_mapping_iov
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Git-commit: 3ea32d1355d446057c17458238db2749c52ee8f0
+References: CVE-2021-3546 bsc#1185981
+            CVE-2021-3545 bsc#1185990
+            CVE-2021-3544
+
+Currently in vhost-user-gpu, we free resource directly in
+the cleanup case of resource. If we change the cleanup logic
+we need to change several places, also abstruct a
+'vg_create_mapping_iov' can be symmetry with the
+'vg_create_mapping_iov'. This is like what virtio-gpu does,
+no function changed.
+
+Signed-off-by: Li Qiang <liq3ea@163.com>
+Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
+Message-Id: <20210516030403.107723-9-liq3ea@163.com>
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+Signed-off-by: Jose R. Ziviani <jziviani@suse.de>
+---
+ contrib/vhost-user-gpu/vhost-user-gpu.c | 24 ++++++++++++++++++++----
+ contrib/vhost-user-gpu/virgl.c          |  9 +++++----
+ contrib/vhost-user-gpu/vugpu.h          |  2 +-
+ 3 files changed, 26 insertions(+), 9 deletions(-)
+
+diff --git a/contrib/vhost-user-gpu/vhost-user-gpu.c b/contrib/vhost-user-gpu/vhost-user-gpu.c
+index 770dfad52989b2651eea67fdbb1b..6dc6a44f4e263bfb31ba9ba6ff32 100644
+--- a/contrib/vhost-user-gpu/vhost-user-gpu.c
++++ b/contrib/vhost-user-gpu/vhost-user-gpu.c
+@@ -49,6 +49,8 @@ static char *opt_render_node;
+ static gboolean opt_virgl;
+ 
+ static void vg_handle_ctrl(VuDev *dev, int qidx);
++static void vg_cleanup_mapping(VuGpu *g,
++                               struct virtio_gpu_simple_resource *res);
+ 
+ static const char *
+ vg_cmd_to_string(int cmd)
+@@ -400,7 +402,7 @@ vg_resource_destroy(VuGpu *g,
+     }
+ 
+     vugbm_buffer_destroy(&res->buffer);
+-    g_free(res->iov);
++    vg_cleanup_mapping(g, res);
+     pixman_image_unref(res->image);
+     QTAILQ_REMOVE(&g->reslist, res, next);
+     g_free(res);
+@@ -504,6 +506,22 @@ vg_resource_attach_backing(VuGpu *g,
+     res->iov_cnt = ab.nr_entries;
+ }
+ 
++/* Though currently only free iov, maybe later will do more work. */
++void vg_cleanup_mapping_iov(VuGpu *g,
++                            struct iovec *iov, uint32_t count)
++{
++    g_free(iov);
++}
++
++static void
++vg_cleanup_mapping(VuGpu *g,
++                   struct virtio_gpu_simple_resource *res)
++{
++    vg_cleanup_mapping_iov(g, res->iov, res->iov_cnt);
++    res->iov = NULL;
++    res->iov_cnt = 0;
++}
++
+ static void
+ vg_resource_detach_backing(VuGpu *g,
+                            struct virtio_gpu_ctrl_command *cmd)
+@@ -522,9 +540,7 @@ vg_resource_detach_backing(VuGpu *g,
+         return;
+     }
+ 
+-    g_free(res->iov);
+-    res->iov = NULL;
+-    res->iov_cnt = 0;
++    vg_cleanup_mapping(g, res);
+ }
+ 
+ static void
+diff --git a/contrib/vhost-user-gpu/virgl.c b/contrib/vhost-user-gpu/virgl.c
+index 7172104b19d7a79eb7cc3404e09f..3e45e1bd33600fe5d91c0eea3af8 100644
+--- a/contrib/vhost-user-gpu/virgl.c
++++ b/contrib/vhost-user-gpu/virgl.c
+@@ -116,8 +116,9 @@ virgl_cmd_resource_unref(VuGpu *g,
+     virgl_renderer_resource_detach_iov(unref.resource_id,
+                                        &res_iovs,
+                                        &num_iovs);
+-    g_free(res_iovs);
+-
++    if (res_iovs != NULL && num_iovs != 0) {
++        vg_cleanup_mapping_iov(g, res_iovs, num_iovs);
++    }
+     virgl_renderer_resource_unref(unref.resource_id);
+ }
+ 
+@@ -294,7 +295,7 @@ virgl_resource_attach_backing(VuGpu *g,
+     ret = virgl_renderer_resource_attach_iov(att_rb.resource_id,
+                                        res_iovs, att_rb.nr_entries);
+     if (ret != 0) {
+-        g_free(res_iovs);
++        vg_cleanup_mapping_iov(g, res_iovs, att_rb.nr_entries);
+     }
+ }
+ 
+@@ -314,7 +315,7 @@ virgl_resource_detach_backing(VuGpu *g,
+     if (res_iovs == NULL || num_iovs == 0) {
+         return;
+     }
+-    g_free(res_iovs);
++    vg_cleanup_mapping_iov(g, res_iovs, num_iovs);
+ }
+ 
+ static void
+diff --git a/contrib/vhost-user-gpu/vugpu.h b/contrib/vhost-user-gpu/vugpu.h
+index 04d56158123d3ee1c271302d8f8a..e2864bba68e0d9c1228eb7745c50 100644
+--- a/contrib/vhost-user-gpu/vugpu.h
++++ b/contrib/vhost-user-gpu/vugpu.h
+@@ -169,7 +169,7 @@ int     vg_create_mapping_iov(VuGpu *g,
+                               struct virtio_gpu_resource_attach_backing *ab,
+                               struct virtio_gpu_ctrl_command *cmd,
+                               struct iovec **iov);
+-
++void    vg_cleanup_mapping_iov(VuGpu *g, struct iovec *iov, uint32_t count);
+ void    vg_get_display_info(VuGpu *vg, struct virtio_gpu_ctrl_command *cmd);
+ 
+ void    vg_wait_ok(VuGpu *g);

vhost-user-gpu-fix-OOB-write-in-virgl_cm.patch

@@ -0,0 +1,45 @@
+From: Li Qiang <liq3ea@163.com>
+Date: Sat, 15 May 2021 20:04:02 -0700
+Subject: vhost-user-gpu: fix OOB write in 'virgl_cmd_get_capset'
+ (CVE-2021-3546)
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Git-commit: 9f22893adcb02580aee5968f32baa2cd109b3ec2
+References: CVE-2021-3546 bsc#1185981
+
+If 'virgl_cmd_get_capset' set 'max_size' to 0,
+the 'virgl_renderer_fill_caps' will write the data after the 'resp'.
+This patch avoid this by checking the returned 'max_size'.
+
+virtio-gpu fix: abd7f08b23 ("display: virtio-gpu-3d: check
+virgl capabilities max_size")
+
+Fixes: CVE-2021-3546
+Reported-by: Li Qiang <liq3ea@163.com>
+Reviewed-by: Prasad J Pandit <pjp@fedoraproject.org>
+Signed-off-by: Li Qiang <liq3ea@163.com>
+Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
+Message-Id: <20210516030403.107723-8-liq3ea@163.com>
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+Signed-off-by: Jose R. Ziviani <jziviani@suse.de>
+---
+ contrib/vhost-user-gpu/virgl.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/contrib/vhost-user-gpu/virgl.c b/contrib/vhost-user-gpu/virgl.c
+index a16a311d80df19294e4330f7d004..7172104b19d7a79eb7cc3404e09f 100644
+--- a/contrib/vhost-user-gpu/virgl.c
++++ b/contrib/vhost-user-gpu/virgl.c
+@@ -177,6 +177,10 @@ virgl_cmd_get_capset(VuGpu *g,
+ 
+     virgl_renderer_get_cap_set(gc.capset_id, &max_ver,
+                                &max_size);
++    if (!max_size) {
++        cmd->error = VIRTIO_GPU_RESP_ERR_INVALID_PARAMETER;
++        return;
++    }
+     resp = g_malloc0(sizeof(*resp) + max_size);
+ 
+     resp->hdr.type = VIRTIO_GPU_RESP_OK_CAPSET;

vhost-user-gpu-fix-leak-in-virgl_cmd_res.patch

@@ -0,0 +1,55 @@
+From: Li Qiang <liq3ea@163.com>
+Date: Sat, 15 May 2021 20:04:00 -0700
+Subject: vhost-user-gpu: fix leak in 'virgl_cmd_resource_unref'
+ (CVE-2021-3544)
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Git-comit: f6091d86ba9ea05f4e111b9b42ee0005c37a6779
+References: CVE-2021-3544
+
+The 'res->iov' will be leaked if the guest trigger following sequences:
+
+	virgl_cmd_create_resource_2d
+	virgl_resource_attach_backing
+	virgl_cmd_resource_unref
+
+This patch fixes this.
+
+Fixes: CVE-2021-3544
+Reported-by: Li Qiang <liq3ea@163.com>
+virtio-gpu fix: 5e8e3c4c75 ("virtio-gpu: fix resource leak
+in virgl_cmd_resource_unref"
+
+Signed-off-by: Li Qiang <liq3ea@163.com>
+Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
+Message-Id: <20210516030403.107723-6-liq3ea@163.com>
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+Signed-off-by: Jose R. Ziviani <jziviani@suse.de>
+[jrz: tweaked title to not break spec file]
+---
+ contrib/vhost-user-gpu/virgl.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/contrib/vhost-user-gpu/virgl.c b/contrib/vhost-user-gpu/virgl.c
+index 6a332d601f8092c5017e903930e5..c669d73a1dbe93d8faa1474462a9 100644
+--- a/contrib/vhost-user-gpu/virgl.c
++++ b/contrib/vhost-user-gpu/virgl.c
+@@ -108,9 +108,16 @@ virgl_cmd_resource_unref(VuGpu *g,
+                          struct virtio_gpu_ctrl_command *cmd)
+ {
+     struct virtio_gpu_resource_unref unref;
++    struct iovec *res_iovs = NULL;
++    int num_iovs = 0;
+ 
+     VUGPU_FILL_CMD(unref);
+ 
++    virgl_renderer_resource_detach_iov(unref.resource_id,
++                                       &res_iovs,
++                                       &num_iovs);
++    g_free(res_iovs);
++
+     virgl_renderer_resource_unref(unref.resource_id);
+ }
+ 

vhost-user-gpu-fix-leak-in-virgl_resourc.patch

@@ -0,0 +1,46 @@
+From: Li Qiang <liq3ea@163.com>
+Date: Sat, 15 May 2021 20:04:01 -0700
+Subject: vhost-user-gpu: fix leak in 'virgl_resource_attach_backing'
+ (CVE-2021-3544)
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Git-commit: 63736af5a6571d9def93769431e0d7e38c6677bf
+References: CVE-2021-3544
+
+If 'virgl_renderer_resource_attach_iov' failed, the 'res_iovs' will
+be leaked.
+
+Fixes: CVE-2021-3544
+Reported-by: Li Qiang <liq3ea@163.com>
+virtio-gpu fix: 33243031da ("virtio-gpu-3d: fix memory leak
+in resource attach backing")
+
+Signed-off-by: Li Qiang <liq3ea@163.com>
+Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
+Message-Id: <20210516030403.107723-7-liq3ea@163.com>
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+Signed-off-by: Jose R. Ziviani <jziviani@suse.de>
+[jrz: tweak title to not break spec file]
+---
+ contrib/vhost-user-gpu/virgl.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/contrib/vhost-user-gpu/virgl.c b/contrib/vhost-user-gpu/virgl.c
+index c669d73a1dbe93d8faa1474462a9..a16a311d80df19294e4330f7d004 100644
+--- a/contrib/vhost-user-gpu/virgl.c
++++ b/contrib/vhost-user-gpu/virgl.c
+@@ -287,8 +287,11 @@ virgl_resource_attach_backing(VuGpu *g,
+         return;
+     }
+ 
+-    virgl_renderer_resource_attach_iov(att_rb.resource_id,
++    ret = virgl_renderer_resource_attach_iov(att_rb.resource_id,
+                                        res_iovs, att_rb.nr_entries);
++    if (ret != 0) {
++        g_free(res_iovs);
++    }
+ }
+ 
+ static void

vhost-user-gpu-fix-memory-disclosure-in-.patch

@@ -0,0 +1,39 @@
+From: Li Qiang <liq3ea@163.com>
+Date: Sat, 15 May 2021 20:03:56 -0700
+Subject: vhost-user-gpu: fix memory disclosure in virgl_cmd_get_capset_info
+ (CVE-2021-3545)
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Git-commit: 121841b25d72d13f8cad554363138c360f1250ea
+References: CVE-2021-3545 bsc#1185990
+
+Otherwise some of the 'resp' will be leaked to guest.
+
+Fixes: CVE-2021-3545
+Reported-by: Li Qiang <liq3ea@163.com>
+virtio-gpu fix: 42a8dadc74 ("virtio-gpu: fix information leak
+in getting capset info dispatch")
+
+Signed-off-by: Li Qiang <liq3ea@163.com>
+Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
+Message-Id: <20210516030403.107723-2-liq3ea@163.com>
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+Signed-off-by: Jose R. Ziviani <jziviani@suse.de>
+---
+ contrib/vhost-user-gpu/virgl.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/contrib/vhost-user-gpu/virgl.c b/contrib/vhost-user-gpu/virgl.c
+index 9e6660c7ab875fe83f366d040c97..6a332d601f8092c5017e903930e5 100644
+--- a/contrib/vhost-user-gpu/virgl.c
++++ b/contrib/vhost-user-gpu/virgl.c
+@@ -128,6 +128,7 @@ virgl_cmd_get_capset_info(VuGpu *g,
+ 
+     VUGPU_FILL_CMD(info);
+ 
++    memset(&resp, 0, sizeof(resp));
+     if (info.capset_index == 0) {
+         resp.capset_id = VIRTIO_GPU_CAPSET_VIRGL;
+         virgl_renderer_get_cap_set(resp.capset_id,

vhost-user-gpu-fix-memory-leak-in-vg_res.patch

@@ -0,0 +1,44 @@
+From: Li Qiang <liq3ea@163.com>
+Date: Sat, 15 May 2021 20:03:58 -0700
+Subject: vhost-user-gpu: fix memory leak in vg_resource_attach_backing
+ (CVE-2021-3544)
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Git-commit: b9f79858a614d95f5de875d0ca31096eaab72c3b
+References: CVE-2021-3544
+
+Check whether the 'res' has already been attach_backing to avoid
+memory leak.
+
+Fixes: CVE-2021-3544
+Reported-by: Li Qiang <liq3ea@163.com>
+virtio-gpu fix: 204f01b309 ("virtio-gpu: fix memory leak
+in resource attach backing")
+
+Signed-off-by: Li Qiang <liq3ea@163.com>
+Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
+Message-Id: <20210516030403.107723-4-liq3ea@163.com>
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+Signed-off-by: Jose R. Ziviani <jziviani@suse.de>
+---
+ contrib/vhost-user-gpu/vhost-user-gpu.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/contrib/vhost-user-gpu/vhost-user-gpu.c b/contrib/vhost-user-gpu/vhost-user-gpu.c
+index b5e153d0d648def62d5700e686c0..0437e52b64604512607e548d01d8 100644
+--- a/contrib/vhost-user-gpu/vhost-user-gpu.c
++++ b/contrib/vhost-user-gpu/vhost-user-gpu.c
+@@ -489,6 +489,11 @@ vg_resource_attach_backing(VuGpu *g,
+         return;
+     }
+ 
++    if (res->iov) {
++        cmd->error = VIRTIO_GPU_RESP_ERR_UNSPEC;
++        return;
++    }
++
+     ret = vg_create_mapping_iov(g, &ab, cmd, &res->iov);
+     if (ret != 0) {
+         cmd->error = VIRTIO_GPU_RESP_ERR_UNSPEC;

vhost-user-gpu-fix-memory-leak-while-cal.patch

@@ -0,0 +1,46 @@
+From: Li Qiang <liq3ea@163.com>
+Date: Sat, 15 May 2021 20:03:59 -0700
+Subject: vhost-user-gpu: fix memory leak while calling 'vg_resource_unref'
+ (CVE-2021-3544)
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Git-commit: b7afebcf9e6ecf3cf9b5a9b9b731ed04bca6aa3e
+References: CVE-2021-3544
+
+If the guest trigger following sequences, the attach_backing will be leaked:
+
+	vg_resource_create_2d
+	vg_resource_attach_backing
+	vg_resource_unref
+
+This patch fix this by freeing 'res->iov' in vg_resource_destroy.
+
+Fixes: CVE-2021-3544
+Reported-by: Li Qiang <liq3ea@163.com>
+virtio-gpu fix: 5e8e3c4c75 ("virtio-gpu: fix resource leak
+in virgl_cmd_resource_unref")
+
+Reviewed-by: Prasad J Pandit <pjp@fedoraproject.org>
+Signed-off-by: Li Qiang <liq3ea@163.com>
+Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
+Message-Id: <20210516030403.107723-5-liq3ea@163.com>
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+Signed-off-by: Jose R. Ziviani <jziviani@suse.de>
+---
+ contrib/vhost-user-gpu/vhost-user-gpu.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/contrib/vhost-user-gpu/vhost-user-gpu.c b/contrib/vhost-user-gpu/vhost-user-gpu.c
+index 0437e52b64604512607e548d01d8..770dfad52989b2651eea67fdbb1b 100644
+--- a/contrib/vhost-user-gpu/vhost-user-gpu.c
++++ b/contrib/vhost-user-gpu/vhost-user-gpu.c
+@@ -400,6 +400,7 @@ vg_resource_destroy(VuGpu *g,
+     }
+ 
+     vugbm_buffer_destroy(&res->buffer);
++    g_free(res->iov);
+     pixman_image_unref(res->image);
+     QTAILQ_REMOVE(&g->reslist, res, next);
+     g_free(res);

vhost-user-gpu-fix-resource-leak-in-vg_r.patch

@@ -0,0 +1,37 @@
+From: Li Qiang <liq3ea@163.com>
+Date: Sat, 15 May 2021 20:03:57 -0700
+Subject: vhost-user-gpu: fix resource leak in 'vg_resource_create_2d'
+ (CVE-2021-3544)
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Git-commit: 86dd8fac2acc366930a5dc08d3fb1b1e816f4e1e
+References: CVE-2021-3544
+
+Call 'vugbm_buffer_destroy' in error path to avoid resource leak.
+
+Fixes: CVE-2021-3544
+Reported-by: Li Qiang <liq3ea@163.com>
+Reviewed-by: Prasad J Pandit <pjp@fedoraproject.org>
+Signed-off-by: Li Qiang <liq3ea@163.com>
+Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
+Message-Id: <20210516030403.107723-3-liq3ea@163.com>
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+Signed-off-by: Jose R. Ziviani <jziviani@suse.de>
+---
+ contrib/vhost-user-gpu/vhost-user-gpu.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/contrib/vhost-user-gpu/vhost-user-gpu.c b/contrib/vhost-user-gpu/vhost-user-gpu.c
+index f73f292c9f72395525c51c8bd9fb..b5e153d0d648def62d5700e686c0 100644
+--- a/contrib/vhost-user-gpu/vhost-user-gpu.c
++++ b/contrib/vhost-user-gpu/vhost-user-gpu.c
+@@ -349,6 +349,7 @@ vg_resource_create_2d(VuGpu *g,
+         g_critical("%s: resource creation failed %d %d %d",
+                    __func__, c2d.resource_id, c2d.width, c2d.height);
+         g_free(res);
++        vugbm_buffer_destroy(&res->buffer);
+         cmd->error = VIRTIO_GPU_RESP_ERR_OUT_OF_MEMORY;
+         return;
+     }