Commit 6be37cc5 authored by Peter Maydell

Merge remote-tracking branch 'remotes/awilliam/tags/vfio-fixes-20170726.0' into staging



VFIO fixes 2017-07-26

 - Error path use after free bug fixes (Philippe Mathieu-Daudé)

# gpg: Signature made Wed 26 Jul 2017 18:49:00 BST
# gpg:                using RSA key 0x239B9B6E3BB08B22
# gpg: Good signature from "Alex Williamson <alex.williamson@redhat.com>"
# gpg:                 aka "Alex Williamson <alex@shazbot.org>"
# gpg:                 aka "Alex Williamson <alwillia@redhat.com>"
# gpg:                 aka "Alex Williamson <alex.l.williamson@gmail.com>"
# Primary key fingerprint: 42F6 C04E 540B D1A9 9E7B  8A90 239B 9B6E 3BB0 8B22

* remotes/awilliam/tags/vfio-fixes-20170726.0:
  vfio/pci: fix use of freed memory
  vfio/platform: fix use of freed memory

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
parents 2dca6d9e 96d2c2c5
+7 −4
@@ -257,7 +257,7 @@ static void vfio_intx_update(PCIDevice *pdev)
static int vfio_intx_enable(VFIOPCIDevice *vdev, Error **errp)
{
    uint8_t pin = vfio_pci_read_config(&vdev->pdev, PCI_INTERRUPT_PIN, 1);
    int ret, argsz;
    int ret, argsz, retval = 0;
    struct vfio_irq_set *irq_set;
    int32_t *pfd;
    Error *err = NULL;
@@ -302,12 +302,12 @@ static int vfio_intx_enable(VFIOPCIDevice *vdev, Error **errp)
    qemu_set_fd_handler(*pfd, vfio_intx_interrupt, NULL, vdev);

    ret = ioctl(vdev->vbasedev.fd, VFIO_DEVICE_SET_IRQS, irq_set);
    g_free(irq_set);
    if (ret) {
        error_setg_errno(errp, -ret, "failed to setup INTx fd");
        qemu_set_fd_handler(*pfd, NULL, NULL, vdev);
        event_notifier_cleanup(&vdev->intx.interrupt);
        return -errno;
        retval = -errno;
        goto cleanup;
    }

    vfio_intx_enable_kvm(vdev, &err);
@@ -319,7 +319,10 @@ static int vfio_intx_enable(VFIOPCIDevice *vdev, Error **errp)

    trace_vfio_intx_enable(vdev->vbasedev.name);

    return 0;
cleanup:
    g_free(irq_set);

    return retval;
}

static void vfio_intx_disable(VFIOPCIDevice *vdev)
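Review bot: `retval = -errno;` on the new error path reads errno only after `error_setg_errno()`, `qemu_set_fd_handler()` and `event_notifier_cleanup()` have run, and any of those can clobber it (event_notifier_cleanup presumably closes an fd), so the value returned may not be the ioctl's failure reason; capture it first with `int saved_errno = errno;` as the first statement of the `if (ret)` body and then use `retval = -saved_errno;`. The same block passes `-ret` (which is 1 for a failed ioctl) rather than errno to `error_setg_errno()`, a pre-existing mismatch this commit does not touch; `error_setg_errno(errp, saved_errno, "failed to setup INTx fd");` would fix both at once. Moving `g_free(irq_set)` to the `cleanup:` label is right because `pfd` appears to point into `irq_set`, but nothing states that invariant; a comment at the label, `/* pfd aliases irq_set->data: every *pfd use must stay above this free */`, would keep a later reorder from reintroducing the use-after-free. vfio_intx_enable continues between the second and third hunks (the vfio_intx_enable_kvm error handling), so that return path is not visible here.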
+1 −1
@@ -120,11 +120,11 @@ static int vfio_set_trigger_eventfd(VFIOINTp *intp,
    *pfd = event_notifier_get_fd(intp->interrupt);
    qemu_set_fd_handler(*pfd, (IOHandler *)handler, NULL, intp);
    ret = ioctl(vbasedev->fd, VFIO_DEVICE_SET_IRQS, irq_set);
    g_free(irq_set);
    if (ret < 0) {
        error_report("vfio: Failed to set trigger eventfd: %m");
        qemu_set_fd_handler(*pfd, NULL, NULL, NULL);
    }
    g_free(irq_set);
    return ret;
}
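Review bot: The fix relies on an invariant the hunk never states: `pfd` presumably points into `irq_set` (that is the freed memory the commit title refers to), which is why `g_free(irq_set)` now has to sit after the `qemu_set_fd_handler(*pfd, NULL, NULL, NULL)` reset; a comment above the free, `/* pfd points into irq_set: free only after the handler reset above */`, would protect that ordering against the next refactor. On failure the function returns the raw ioctl result and only the `%m` in `error_report()` records errno, whereas the sibling vfio_intx_enable in pci.c propagates `-errno` to its caller; if callers need the reason, save `errno` immediately after the ioctl and return its negation. vfio_set_trigger_eventfd begins before this hunk, so the allocation of `irq_set` and the `handler` argument are not visible here.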