[PULL 0/2] virtio-gpu hotfixes

All of lore.kernel.org
 help / color / mirror / Atom feed

* [PULL 0/2] virtio-gpu hotfixes
@ 2026-04-23 15:19 Alex Bennée
  2026-04-23 15:19 ` [PULL 1/2] ui/sdl2: Fix assumption of EGL presence at runtime Alex Bennée
                   ` (2 more replies)
  0 siblings, 3 replies; 4+ messages in thread
From: Alex Bennée @ 2026-04-23 15:19 UTC (permalink / raw)
  To: qemu-devel; +Cc: Alex Bennée

The following changes since commit 98b060da3a4f92b2a994ead5b16a87e783baf77c:

  Update version for v11.0.0 release (2026-04-21 16:28:47 +0100)

are available in the Git repository at:

  https://gitlab.com/stsquad/qemu.git tags/pull-11.1-virtio-gpu-hotfixes-230426-1

for you to fetch changes up to 30fad722ce68316d22b926ba0e6017f0440465df:

  hw/display: don't accidentally autofree existing virgl resources (2026-04-23 16:13:53 +0100)

----------------------------------------------------------------
virtio-gpu fixes:

  - fix build on Windows due to EGL assumption
  - fix use-after-free on virgl resource

----------------------------------------------------------------
Alex Bennée (1):
      hw/display: don't accidentally autofree existing virgl resources

Anthony Roberts (1):
      ui/sdl2: Fix assumption of EGL presence at runtime

 hw/display/virtio-gpu-virgl.c | 6 +++---
 ui/sdl2.c                     | 8 ++++----
 2 files changed, 7 insertions(+), 7 deletions(-)

-- 
2.47.3



^ permalink raw reply	[flat|nested] 4+ messages in thread

* [PULL 1/2] ui/sdl2: Fix assumption of EGL presence at runtime
  2026-04-23 15:19 [PULL 0/2] virtio-gpu hotfixes Alex Bennée
@ 2026-04-23 15:19 ` Alex Bennée
  2026-04-23 15:19 ` [PULL 2/2] hw/display: don't accidentally autofree existing virgl resources Alex Bennée
  2026-04-25 12:31 ` [PULL 0/2] virtio-gpu hotfixes Stefan Hajnoczi
  2 siblings, 0 replies; 4+ messages in thread
From: Alex Bennée @ 2026-04-23 15:19 UTC (permalink / raw)
  To: qemu-devel
  Cc: Anthony Roberts, qemu-stable, Alex Bennée,
	Marc-André Lureau

From: Anthony Roberts <anthony.roberts@linaro.org>

The original commit had a section of code which worked on the assumption
that if OpenGL was enabled at build, it was present on the end user machine,
and calls could be made to it. This is not always the case (such as Windows
on Arm devices).

This line should have also included a runtime check.

This commit moves the relevant line to inside a runtime check for OpenGL.

Fixes: 52053b7e0a0e ("ui/sdl2: Implement dpy dmabuf functions")
Resolves: https://gitlab.com/qemu-project/qemu/-/work_items/3347
Cc: qemu-stable@nongnu.org
Signed-off-by: Anthony Roberts <anthony.roberts@linaro.org>
Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
Message-ID: <20260409110256.684-1-anthony.roberts@linaro.org>
Signed-off-by: Alex Bennée <alex.bennee@linaro.org>

diff --git a/ui/sdl2.c b/ui/sdl2.c
index aaaede56e0e..987ad334bbe 100644
--- a/ui/sdl2.c
+++ b/ui/sdl2.c
@@ -120,15 +120,15 @@ void sdl2_window_create(struct sdl2_console *scon)
 
         scon->winctx = SDL_GL_CreateContext(scon->real_window);
         SDL_GL_SetSwapInterval(0);
+
+#ifdef CONFIG_OPENGL
+        qemu_egl_display = eglGetCurrentDisplay();
+#endif
     } else {
         /* The SDL renderer is only used by sdl2-2D, when OpenGL is disabled */
         scon->real_renderer = SDL_CreateRenderer(scon->real_window, -1, 0);
     }
 
-#ifdef CONFIG_OPENGL
-    qemu_egl_display = eglGetCurrentDisplay();
-#endif
-
     sdl_update_caption(scon);
 }
 
-- 
2.47.3



^ permalink raw reply related	[flat|nested] 4+ messages in thread

* [PULL 2/2] hw/display: don't accidentally autofree existing virgl resources
  2026-04-23 15:19 [PULL 0/2] virtio-gpu hotfixes Alex Bennée
  2026-04-23 15:19 ` [PULL 1/2] ui/sdl2: Fix assumption of EGL presence at runtime Alex Bennée
@ 2026-04-23 15:19 ` Alex Bennée
  2026-04-25 12:31 ` [PULL 0/2] virtio-gpu hotfixes Stefan Hajnoczi
  2 siblings, 0 replies; 4+ messages in thread
From: Alex Bennée @ 2026-04-23 15:19 UTC (permalink / raw)
  To: qemu-devel
  Cc: Alex Bennée, Manos Pitsidianakis, qemu-stable,
	Dmitry Osipenko, Michael S. Tsirkin, Akihiko Odaki

While sanity checking a create blob operation the use of the auto
freed res variable could lead to inadvertently freeing an existing
blob.

Avoid this by in-lining the virtio_gpu_virgl_find_resource() check as
the value is not needed anyway.

While at it add a comment to the end and use g_steal_pointer to make
it clearer the object lifetime exceeds the function bounds if we pass
all the checks.

Fixes: CVE-2026-6502
Fixes: 7c092f17cce (virtio-gpu: Handle resource blob commands)
Message-ID: 20260417094443.785462-1-alex.bennee@linaro.org
Reviewed-by: Manos Pitsidianakis <manos.pitsidianakis@linaro.org>
Cc: qemu-stable@nongnu.org
Message-ID: <20260417122703.845442-1-alex.bennee@linaro.org>
Signed-off-by: Alex Bennée <alex.bennee@linaro.org>
Reviewed-by: Dmitry Osipenko <dmitry.osipenko@collabora.com>

diff --git a/hw/display/virtio-gpu-virgl.c b/hw/display/virtio-gpu-virgl.c
index b7a2d160ddd..add85bd4e61 100644
--- a/hw/display/virtio-gpu-virgl.c
+++ b/hw/display/virtio-gpu-virgl.c
@@ -830,8 +830,7 @@ static void virgl_cmd_resource_create_blob(VirtIOGPU *g,
         return;
     }
 
-    res = virtio_gpu_virgl_find_resource(g, cblob.resource_id);
-    if (res) {
+    if (virtio_gpu_virgl_find_resource(g, cblob.resource_id)) {
         qemu_log_mask(LOG_GUEST_ERROR, "%s: resource already exists %d\n",
                       __func__, cblob.resource_id);
         cmd->error = VIRTIO_GPU_RESP_ERR_INVALID_RESOURCE_ID;
@@ -884,8 +883,9 @@ static void virgl_cmd_resource_create_blob(VirtIOGPU *g,
 
     res->base.dmabuf_fd = info.fd;
 
+    /* Now live, cleaned up in virtio_gpu_virgl_resource_unref */
     QTAILQ_INSERT_HEAD(&g->reslist, &res->base, next);
-    res = NULL;
+    g_steal_pointer(&res);
 }
 
 static void virgl_cmd_resource_map_blob(VirtIOGPU *g,
-- 
2.47.3



^ permalink raw reply related	[flat|nested] 4+ messages in thread

* Re: [PULL 0/2] virtio-gpu hotfixes
  2026-04-23 15:19 [PULL 0/2] virtio-gpu hotfixes Alex Bennée
  2026-04-23 15:19 ` [PULL 1/2] ui/sdl2: Fix assumption of EGL presence at runtime Alex Bennée
  2026-04-23 15:19 ` [PULL 2/2] hw/display: don't accidentally autofree existing virgl resources Alex Bennée
@ 2026-04-25 12:31 ` Stefan Hajnoczi
  2 siblings, 0 replies; 4+ messages in thread
From: Stefan Hajnoczi @ 2026-04-25 12:31 UTC (permalink / raw)
  To: Alex Bennée; +Cc: qemu-devel, Alex Bennée

[-- Attachment #1: Type: text/plain, Size: 116 bytes --]

Applied, thanks.

Please update the changelog at https://wiki.qemu.org/ChangeLog/11.1 for any user-visible changes.

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 488 bytes --]

^ permalink raw reply	[flat|nested] 4+ messages in thread

end of thread, other threads:[~2026-04-25 20:00 UTC | newest]

Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-04-23 15:19 [PULL 0/2] virtio-gpu hotfixes Alex Bennée
2026-04-23 15:19 ` [PULL 1/2] ui/sdl2: Fix assumption of EGL presence at runtime Alex Bennée
2026-04-23 15:19 ` [PULL 2/2] hw/display: don't accidentally autofree existing virgl resources Alex Bennée
2026-04-25 12:31 ` [PULL 0/2] virtio-gpu hotfixes Stefan Hajnoczi

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.