1 files changed, 0 insertions, 113 deletions
diff --git a/meta/recipes-devtools/qemu/qemu/0017-fix-CVE-2018-20126.patch b/meta/recipes-devtools/qemu/qemu/0017-fix-CVE-2018-20126.patch
deleted file mode 100644
index 8329f2cfd0..0000000000
--- a/meta/recipes-devtools/qemu/qemu/0017-fix-CVE-2018-20126.patch
+++ /dev/null
@@ -1,113 +0,0 @@
-CVE: CVE-2018-20126
-Upstream-Status: Backport [https://git.qemu.org/?p=qemu.git;a=commit;h=509f57c]
-Backport and rebase patch to fix CVE-2018-20126.
-Signed-off-by: Kai Kang <kai.kang@windriver.com>
-From 509f57c98e7536905bb4902363d0cba66ce7e089 Mon Sep 17 00:00:00 2001
-From: Prasad J Pandit <pjp@fedoraproject.org>
-Date: Thu, 13 Dec 2018 01:00:37 +0530
-Subject: [PATCH] pvrdma: release ring object in case of an error
-create_cq and create_qp routines allocate ring object, but it's
-not released in case of an error, leading to memory leakage.
-Reported-by: Li Qiang <liq3ea@163.com>
-Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
-Reviewed-by: Yuval Shaia <yuval.shaia@oracle.com>
-Signed-off-by: Marcel Apfelbaum <marcel.apfelbaum@gmail.com>
---
- hw/rdma/vmw/pvrdma_cmd.c | 41 ++++++++++++++++++++++++++++++-----------
- 1 file changed, 30 insertions(+), 11 deletions(-)
-diff --git a/hw/rdma/vmw/pvrdma_cmd.c b/hw/rdma/vmw/pvrdma_cmd.c
-index 4faeb21..9b6796f 100644
--- a/hw/rdma/vmw/pvrdma_cmd.c
-+++ b/hw/rdma/vmw/pvrdma_cmd.c
-@@ -310,6 +310,14 @@ out:
-     return rc;
- }
- 
-+static void destroy_cq_ring(PvrdmaRing *ring)
-+{
-+    pvrdma_ring_free(ring);
-+    /* ring_state was in slot 1, not 0 so need to jump back */
-+    rdma_pci_dma_unmap(ring->dev, --ring->ring_state, TARGET_PAGE_SIZE);
-+    g_free(ring);
-+}
-+
- static int create_cq(PVRDMADev *dev, union pvrdma_cmd_req *req,
-                      union pvrdma_cmd_resp *rsp)
- {
-@@ -333,6 +341,10 @@ static int create_cq(PVRDMADev *dev, union pvrdma_cmd_req *req,
- 
-     resp->hdr.err = rdma_rm_alloc_cq(&dev->rdma_dev_res, &dev->backend_dev,
-                                      cmd->cqe, &resp->cq_handle, ring);
-+    if (resp->hdr.err) {
-+        destroy_cq_ring(ring);
-+    }
-+
-     resp->cqe = cmd->cqe;
- 
- out:
-@@ -356,10 +368,7 @@ static int destroy_cq(PVRDMADev *dev, union pvrdma_cmd_req *req,
-     }
- 
-     ring = (PvrdmaRing *)cq->opaque;
-    pvrdma_ring_free(ring);
-    /* ring_state was in slot 1, not 0 so need to jump back */
-    rdma_pci_dma_unmap(PCI_DEVICE(dev), --ring->ring_state, TARGET_PAGE_SIZE);
-    g_free(ring);
-+    destroy_cq_ring(ring);
- 
-     rdma_rm_dealloc_cq(&dev->rdma_dev_res, cmd->cq_handle);
- 
-@@ -451,6 +460,17 @@ out:
-     return rc;
- }
- 
-+static void destroy_qp_rings(PvrdmaRing *ring)
-+{
-+    pr_dbg("sring=%p\n", &ring[0]);
-+    pvrdma_ring_free(&ring[0]);
-+    pr_dbg("rring=%p\n", &ring[1]);
-+    pvrdma_ring_free(&ring[1]);
-+
-+    rdma_pci_dma_unmap(ring->dev, ring->ring_state, TARGET_PAGE_SIZE);
-+    g_free(ring);
-+}
-+
- static int create_qp(PVRDMADev *dev, union pvrdma_cmd_req *req,
-                      union pvrdma_cmd_resp *rsp)
- {
-@@ -482,6 +502,11 @@ static int create_qp(PVRDMADev *dev, union pvrdma_cmd_req *req,
-                                      cmd->max_recv_wr, cmd->max_recv_sge,
-                                      cmd->recv_cq_handle, rings, &resp->qpn);
- 
-+    if (resp->hdr.err) {
-+        destroy_qp_rings(rings);
-+        return resp->hdr.err;
-+    }
-+
-     resp->max_send_wr = cmd->max_send_wr;
-     resp->max_recv_wr = cmd->max_recv_wr;
-     resp->max_send_sge = cmd->max_send_sge;
-@@ -555,13 +580,7 @@ static int destroy_qp(PVRDMADev *dev, union pvrdma_cmd_req *req,
-     rdma_rm_dealloc_qp(&dev->rdma_dev_res, cmd->qp_handle);
- 
-     ring = (PvrdmaRing *)qp->opaque;
-    pr_dbg("sring=%p\n", &ring[0]);
-    pvrdma_ring_free(&ring[0]);
-    pr_dbg("rring=%p\n", &ring[1]);
-    pvrdma_ring_free(&ring[1]);
-
-    rdma_pci_dma_unmap(PCI_DEVICE(dev), ring->ring_state, TARGET_PAGE_SIZE);
-    g_free(ring);
-+    destroy_qp_rings(ring);
- 
-     return 0;
- }
-- 
-2.20.1

diff --git a/meta/recipes-devtools/qemu/qemu/0017-fix-CVE-2018-20126.patch b/meta/recipes-devtools/qemu/qemu/0017-fix-CVE-2018-20126.patch deleted file mode 100644 index 8329f2cfd0..0000000000 --- a/meta/recipes-devtools/qemu/qemu/0017-fix-CVE-2018-20126.patch +++ /dev/null
@@ -1,113 +0,0 @@
1	CVE: CVE-2018-20126
2	Upstream-Status: Backport [https://git.qemu.org/?p=qemu.git;a=commit;h=509f57c]
3
4	Backport and rebase patch to fix CVE-2018-20126.
5
6	Signed-off-by: Kai Kang <kai.kang@windriver.com>
7
8	From 509f57c98e7536905bb4902363d0cba66ce7e089 Mon Sep 17 00:00:00 2001
9	From: Prasad J Pandit <pjp@fedoraproject.org>
10	Date: Thu, 13 Dec 2018 01:00:37 +0530
11	Subject: [PATCH] pvrdma: release ring object in case of an error
12
13	create_cq and create_qp routines allocate ring object, but it's
14	not released in case of an error, leading to memory leakage.
15
16	Reported-by: Li Qiang <liq3ea@163.com>
17	Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
18	Reviewed-by: Yuval Shaia <yuval.shaia@oracle.com>
19	Signed-off-by: Marcel Apfelbaum <marcel.apfelbaum@gmail.com>
20	---
21	hw/rdma/vmw/pvrdma_cmd.c \| 41 ++++++++++++++++++++++++++++++-----------
22	1 file changed, 30 insertions(+), 11 deletions(-)
23
24	diff --git a/hw/rdma/vmw/pvrdma_cmd.c b/hw/rdma/vmw/pvrdma_cmd.c
25	index 4faeb21..9b6796f 100644
26	--- a/hw/rdma/vmw/pvrdma_cmd.c
27	+++ b/hw/rdma/vmw/pvrdma_cmd.c
28	@@ -310,6 +310,14 @@ out:
29	return rc;
30	}
31
32	+static void destroy_cq_ring(PvrdmaRing *ring)
33	+{
34	+ pvrdma_ring_free(ring);
35	+ /* ring_state was in slot 1, not 0 so need to jump back */
36	+ rdma_pci_dma_unmap(ring->dev, --ring->ring_state, TARGET_PAGE_SIZE);
37	+ g_free(ring);
38	+}
39	+
40	static int create_cq(PVRDMADev dev, union pvrdma_cmd_req req,
41	union pvrdma_cmd_resp *rsp)
42	{
43	@@ -333,6 +341,10 @@ static int create_cq(PVRDMADev dev, union pvrdma_cmd_req req,
44
45	resp->hdr.err = rdma_rm_alloc_cq(&dev->rdma_dev_res, &dev->backend_dev,
46	cmd->cqe, &resp->cq_handle, ring);
47	+ if (resp->hdr.err) {
48	+ destroy_cq_ring(ring);
49	+ }
50	+
51	resp->cqe = cmd->cqe;
52
53	out:
54	@@ -356,10 +368,7 @@ static int destroy_cq(PVRDMADev dev, union pvrdma_cmd_req req,
55	}
56
57	ring = (PvrdmaRing *)cq->opaque;
58	- pvrdma_ring_free(ring);
59	- /* ring_state was in slot 1, not 0 so need to jump back */
60	- rdma_pci_dma_unmap(PCI_DEVICE(dev), --ring->ring_state, TARGET_PAGE_SIZE);
61	- g_free(ring);
62	+ destroy_cq_ring(ring);
63
64	rdma_rm_dealloc_cq(&dev->rdma_dev_res, cmd->cq_handle);
65
66	@@ -451,6 +460,17 @@ out:
67	return rc;
68	}
69
70	+static void destroy_qp_rings(PvrdmaRing *ring)
71	+{
72	+ pr_dbg("sring=%p\n", &ring[0]);
73	+ pvrdma_ring_free(&ring[0]);
74	+ pr_dbg("rring=%p\n", &ring[1]);
75	+ pvrdma_ring_free(&ring[1]);
76	+
77	+ rdma_pci_dma_unmap(ring->dev, ring->ring_state, TARGET_PAGE_SIZE);
78	+ g_free(ring);
79	+}
80	+
81	static int create_qp(PVRDMADev dev, union pvrdma_cmd_req req,
82	union pvrdma_cmd_resp *rsp)
83	{
84	@@ -482,6 +502,11 @@ static int create_qp(PVRDMADev dev, union pvrdma_cmd_req req,
85	cmd->max_recv_wr, cmd->max_recv_sge,
86	cmd->recv_cq_handle, rings, &resp->qpn);
87
88	+ if (resp->hdr.err) {
89	+ destroy_qp_rings(rings);
90	+ return resp->hdr.err;
91	+ }
92	+
93	resp->max_send_wr = cmd->max_send_wr;
94	resp->max_recv_wr = cmd->max_recv_wr;
95	resp->max_send_sge = cmd->max_send_sge;
96	@@ -555,13 +580,7 @@ static int destroy_qp(PVRDMADev dev, union pvrdma_cmd_req req,
97	rdma_rm_dealloc_qp(&dev->rdma_dev_res, cmd->qp_handle);
98
99	ring = (PvrdmaRing *)qp->opaque;
100	- pr_dbg("sring=%p\n", &ring[0]);
101	- pvrdma_ring_free(&ring[0]);
102	- pr_dbg("rring=%p\n", &ring[1]);
103	- pvrdma_ring_free(&ring[1]);
104	-
105	- rdma_pci_dma_unmap(PCI_DEVICE(dev), ring->ring_state, TARGET_PAGE_SIZE);
106	- g_free(ring);
107	+ destroy_qp_rings(ring);
108
109	return 0;
110	}
111	--
112	2.20.1
113