[PULL 0/2] virtio-gpu hotfixes

[PULL 0/2] virtio-gpu hotfixes

[Alex Bennée]

The following changes since commit 98b060da3a4f92b2a994ead5b16a87e783baf77c:

  Update version for v11.0.0 release (2026-04-21 16:28:47 +0100)

are available in the Git repository at:

  https://gitlab.com/stsquad/qemu.git tags/pull-11.1-virtio-gpu-hotfixes-230426-1

for you to fetch changes up to 30fad722ce68316d22b926ba0e6017f0440465df:

  hw/display: don't accidentally autofree existing virgl resources (2026-04-23 16:13:53 +0100)

----------------------------------------------------------------
virtio-gpu fixes:

  - fix build on Windows due to EGL assumption
  - fix use-after-free on virgl resource

----------------------------------------------------------------
Alex Bennée (1):
      hw/display: don't accidentally autofree existing virgl resources

Anthony Roberts (1):
      ui/sdl2: Fix assumption of EGL presence at runtime

 hw/display/virtio-gpu-virgl.c | 6 +++---
 ui/sdl2.c                     | 8 ++++----
 2 files changed, 7 insertions(+), 7 deletions(-)

-- 
2.47.3

[PULL 1/2] ui/sdl2: Fix assumption of EGL presence at runtime

[Alex Bennée]

From: Anthony Roberts <anthony.roberts@linaro.org>

The original commit had a section of code which worked on the assumption
that if OpenGL was enabled at build, it was present on the end user machine,
and calls could be made to it. This is not always the case (such as Windows
on Arm devices).

This line should have also included a runtime check.

This commit moves the relevant line to inside a runtime check for OpenGL.

Fixes: 52053b7e0a0e ("ui/sdl2: Implement dpy dmabuf functions")
Resolves: https://gitlab.com/qemu-project/qemu/-/work_items/3347
Cc: qemu-stable@nongnu.org
Signed-off-by: Anthony Roberts <anthony.roberts@linaro.org>
Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
Message-ID: <20260409110256.684-1-anthony.roberts@linaro.org>
Signed-off-by: Alex Bennée <alex.bennee@linaro.org>

diff --git a/ui/sdl2.c b/ui/sdl2.c
index aaaede56e0e..987ad334bbe 100644
--- a/ui/sdl2.c
+++ b/ui/sdl2.c
@@ -120,15 +120,15 @@ void sdl2_window_create(struct sdl2_console *scon)
 
         scon->winctx = SDL_GL_CreateContext(scon->real_window);
         SDL_GL_SetSwapInterval(0);
+
+#ifdef CONFIG_OPENGL
+        qemu_egl_display = eglGetCurrentDisplay();
+#endif
     } else {
         /* The SDL renderer is only used by sdl2-2D, when OpenGL is disabled */
         scon->real_renderer = SDL_CreateRenderer(scon->real_window, -1, 0);
     }
 
-#ifdef CONFIG_OPENGL
-    qemu_egl_display = eglGetCurrentDisplay();
-#endif
-
     sdl_update_caption(scon);
 }
 
-- 
2.47.3

[PULL 2/2] hw/display: don't accidentally autofree existing virgl resources

[Alex Bennée]

While sanity checking a create blob operation the use of the auto
freed res variable could lead to inadvertently freeing an existing
blob.

Avoid this by in-lining the virtio_gpu_virgl_find_resource() check as
the value is not needed anyway.

While at it add a comment to the end and use g_steal_pointer to make
it clearer the object lifetime exceeds the function bounds if we pass
all the checks.

Fixes: CVE-2026-6502
Fixes: 7c092f17cce (virtio-gpu: Handle resource blob commands)
Message-ID: 20260417094443.785462-1-alex.bennee@linaro.org
Reviewed-by: Manos Pitsidianakis <manos.pitsidianakis@linaro.org>
Cc: qemu-stable@nongnu.org
Message-ID: <20260417122703.845442-1-alex.bennee@linaro.org>
Signed-off-by: Alex Bennée <alex.bennee@linaro.org>
Reviewed-by: Dmitry Osipenko <dmitry.osipenko@collabora.com>

diff --git a/hw/display/virtio-gpu-virgl.c b/hw/display/virtio-gpu-virgl.c
index b7a2d160ddd..add85bd4e61 100644
--- a/hw/display/virtio-gpu-virgl.c
+++ b/hw/display/virtio-gpu-virgl.c
@@ -830,8 +830,7 @@ static void virgl_cmd_resource_create_blob(VirtIOGPU *g,
         return;
     }
 
-    res = virtio_gpu_virgl_find_resource(g, cblob.resource_id);
-    if (res) {
+    if (virtio_gpu_virgl_find_resource(g, cblob.resource_id)) {
         qemu_log_mask(LOG_GUEST_ERROR, "%s: resource already exists %d\n",
                       __func__, cblob.resource_id);
         cmd->error = VIRTIO_GPU_RESP_ERR_INVALID_RESOURCE_ID;
@@ -884,8 +883,9 @@ static void virgl_cmd_resource_create_blob(VirtIOGPU *g,
 
     res->base.dmabuf_fd = info.fd;
 
+    /* Now live, cleaned up in virtio_gpu_virgl_resource_unref */
     QTAILQ_INSERT_HEAD(&g->reslist, &res->base, next);
-    res = NULL;
+    g_steal_pointer(&res);
 }
 
 static void virgl_cmd_resource_map_blob(VirtIOGPU *g,
-- 
2.47.3

Re: [PULL 0/2] virtio-gpu hotfixes

[Stefan Hajnoczi]

[-- Attachment #1: Type: text/plain, Size: 116 bytes --]

Applied, thanks.

Please update the changelog at https://wiki.qemu.org/ChangeLog/11.1 for any user-visible changes.

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 488 bytes --]