* [scarthgap][PATCH] qemu: fix for CVE-2025-11234
@ 2026-01-23  5:53 Hitendra Prajapati
  2026-02-05  7:32 ` [OE-core] " Yoann Congal
  2026-02-19 21:44 ` Yoann Congal
  0 siblings, 2 replies; 4+ messages in thread
From: Hitendra Prajapati @ 2026-01-23  5:53 UTC (permalink / raw)
  To: openembedded-core; +Cc: Hitendra Prajapati

Upstream-Status: Backport from https://gitlab.com/qemu-project/qemu/-/commit/911c814c8cc5f836286bd96694843036db83e99f && https://gitlab.com/qemu-project/qemu/-/commit/cebdbd038e44af56e74272924dc2bf595a51fd8f

Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
---
 meta/recipes-devtools/qemu/qemu.inc           |   2 +
 .../qemu/qemu/CVE-2025-11234-01.patch         |  72 ++++++++
 .../qemu/qemu/CVE-2025-11234-02.patch         | 174 ++++++++++++++++++
 3 files changed, 248 insertions(+)
 create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2025-11234-01.patch
 create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2025-11234-02.patch

diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc
index 748a32215e..ba21d57010 100644
--- a/meta/recipes-devtools/qemu/qemu.inc
+++ b/meta/recipes-devtools/qemu/qemu.inc
@@ -43,6 +43,8 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \
            file://qemu-guest-agent.udev \
            file://CVE-2024-8354.patch \
            file://CVE-2025-12464.patch \
+           file://CVE-2025-11234-01.patch \
+           file://CVE-2025-11234-02.patch \
            "
 UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar"
 
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2025-11234-01.patch b/meta/recipes-devtools/qemu/qemu/CVE-2025-11234-01.patch
new file mode 100644
index 0000000000..c3797bc66f
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2025-11234-01.patch
@@ -0,0 +1,72 @@
+From 911c814c8cc5f836286bd96694843036db83e99f Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
+Date: Tue, 30 Sep 2025 11:58:35 +0100
+Subject: [PATCH] io: move websock resource release to close method
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The QIOChannelWebsock object releases all its resources in the
+finalize callback. This is later than desired, as callers expect
+to be able to call qio_channel_close() to fully close a channel
+and release resources related to I/O.
+
+The logic in the finalize method is at most a failsafe to handle
+cases where a consumer forgets to call qio_channel_close.
+
+This adds equivalent logic to the close method to release the
+resources, using g_clear_handle_id/g_clear_pointer to be robust
+against repeated invocations. The finalize method is tweaked
+so that the GSource is removed before releasing the underlying
+channel.
+
+Reviewed-by: Eric Blake <eblake@redhat.com>
+Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
+(cherry picked from commit 322c3c4f3abee616a18b3bfe563ec29dd67eae63)
+Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
+
+CVE: CVE-2025-11234
+Upstream-Status: Backport [https://gitlab.com/qemu-project/qemu/-/commit/911c814c8cc5f836286bd96694843036db83e99f]
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ io/channel-websock.c | 11 ++++++++++-
+ 1 file changed, 10 insertions(+), 1 deletion(-)
+
+diff --git a/io/channel-websock.c b/io/channel-websock.c
+index de39f0d18..1aac3c88a 100644
+--- a/io/channel-websock.c
++++ b/io/channel-websock.c
+@@ -922,13 +922,13 @@ static void qio_channel_websock_finalize(Object *obj)
+     buffer_free(&ioc->encinput);
+     buffer_free(&ioc->encoutput);
+     buffer_free(&ioc->rawinput);
+-    object_unref(OBJECT(ioc->master));
+     if (ioc->io_tag) {
+         g_source_remove(ioc->io_tag);
+     }
+     if (ioc->io_err) {
+         error_free(ioc->io_err);
+     }
++    object_unref(OBJECT(ioc->master));
+ }
+ 
+ 
+@@ -1219,6 +1219,15 @@ static int qio_channel_websock_close(QIOChannel *ioc,
+     QIOChannelWebsock *wioc = QIO_CHANNEL_WEBSOCK(ioc);
+ 
+     trace_qio_channel_websock_close(ioc);
++    buffer_free(&wioc->encinput);
++    buffer_free(&wioc->encoutput);
++    buffer_free(&wioc->rawinput);
++    if (wioc->io_tag) {
++        g_clear_handle_id(&wioc->io_tag, g_source_remove);
++    }
++    if (wioc->io_err) {
++        g_clear_pointer(&wioc->io_err, error_free);
++    }
+     return qio_channel_close(wioc->master, errp);
+ }
+ 
+-- 
+2.50.1
+
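Review bot: The `if (wioc->io_tag)` and `if (wioc->io_err)` guards added to qio_channel_websock_close are redundant: g_clear_handle_id() and g_clear_pointer() are already no-ops on a zero id / NULL pointer, which is exactly the repeat-safety property the commit message relies on, so the two calls can stand alone as `g_clear_handle_id(&wioc->io_tag, g_source_remove);` and `g_clear_pointer(&wioc->io_err, error_free);`. A second point worth confirming rather than a defect: close() now frees encinput/encoutput/rawinput before the master channel is closed, and finalize frees the same three buffers again, so this is only safe if buffer_free() leaves the Buffer in a reusable zeroed state in the qemu version this recipe carries; a one-line comment above the buffer_free calls in close, `/* buffer_free() resets the Buffer, so finalize may free it again */`, would record that dependency. Both qio_channel_websock_finalize and qio_channel_websock_close begin outside the embedded hunks.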
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2025-11234-02.patch b/meta/recipes-devtools/qemu/qemu/CVE-2025-11234-02.patch
new file mode 100644
index 0000000000..364d19457d
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2025-11234-02.patch
@@ -0,0 +1,174 @@
+From cebdbd038e44af56e74272924dc2bf595a51fd8f Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
+Date: Tue, 30 Sep 2025 12:03:15 +0100
+Subject: [PATCH] io: fix use after free in websocket handshake code
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+If the QIOChannelWebsock object is freed while it is waiting to
+complete a handshake, a GSource is leaked. This can lead to the
+callback firing later on and triggering a use-after-free in the
+use of the channel. This was observed in the VNC server with the
+following trace from valgrind:
+
+==2523108== Invalid read of size 4
+==2523108==    at 0x4054A24: vnc_disconnect_start (vnc.c:1296)
+==2523108==    by 0x4054A24: vnc_client_error (vnc.c:1392)
+==2523108==    by 0x4068A09: vncws_handshake_done (vnc-ws.c:105)
+==2523108==    by 0x44863B4: qio_task_complete (task.c:197)
+==2523108==    by 0x448343D: qio_channel_websock_handshake_io (channel-websock.c:588)
+==2523108==    by 0x6EDB862: UnknownInlinedFun (gmain.c:3398)
+==2523108==    by 0x6EDB862: g_main_context_dispatch_unlocked.lto_priv.0 (gmain.c:4249)
+==2523108==    by 0x6EDBAE4: g_main_context_dispatch (gmain.c:4237)
+==2523108==    by 0x45EC79F: glib_pollfds_poll (main-loop.c:287)
+==2523108==    by 0x45EC79F: os_host_main_loop_wait (main-loop.c:310)
+==2523108==    by 0x45EC79F: main_loop_wait (main-loop.c:589)
+==2523108==    by 0x423A56D: qemu_main_loop (runstate.c:835)
+==2523108==    by 0x454F300: qemu_default_main (main.c:37)
+==2523108==    by 0x73D6574: (below main) (libc_start_call_main.h:58)
+==2523108==  Address 0x57a6e0dc is 28 bytes inside a block of size 103,608 free'd
+==2523108==    at 0x5F2FE43: free (vg_replace_malloc.c:989)
+==2523108==    by 0x6EDC444: g_free (gmem.c:208)
+==2523108==    by 0x4053F23: vnc_update_client (vnc.c:1153)
+==2523108==    by 0x4053F23: vnc_refresh (vnc.c:3225)
+==2523108==    by 0x4042881: dpy_refresh (console.c:880)
+==2523108==    by 0x4042881: gui_update (console.c:90)
+==2523108==    by 0x45EFA1B: timerlist_run_timers.part.0 (qemu-timer.c:562)
+=2523108==    by 0x45EC765: main_loop_wait (main-loop.c:600)
+==2523108==    by 0x423A56D: qemu_main_loop (runstate.c:835)
+==2523108==    by 0x454F300: qemu_default_main (main.c:37)
+==2523108==    by 0x73D6574: (below main) (libc_start_call_main.h:58)
+==2523108==  Block was alloc'd at
+==2523108==    at 0x5F343F3: calloc (vg_replace_malloc.c:1675)
+==2523108==    by 0x6EE2F81: g_malloc0 (gmem.c:133)
+==2523108==    by 0x4057DA3: vnc_connect (vnc.c:3245)
+==2523108==    by 0x448591B: qio_net_listener_channel_func (net-listener.c:54)
+==2523108==    by 0x6EDB862: UnknownInlinedFun (gmain.c:3398)
+==2523108==    by 0x6EDB862: g_main_context_dispatch_unlocked.lto_priv.0 (gmain.c:4249)
+==2523108==    by 0x6EDBAE4: g_main_context_dispatch (gmain.c:4237)
+==2523108==    by 0x45EC79F: glib_pollfds_poll (main-loop.c:287)
+==2523108==    by 0x45EC79F: os_host_main_loop_wait (main-loop.c:310)
+==2523108==    by 0x45EC79F: main_loop_wait (main-loop.c:589)
+==2523108==    by 0x423A56D: qemu_main_loop (runstate.c:835)
+==2523108==    by 0x454F300: qemu_default_main (main.c:37)
+==2523108==    by 0x73D6574: (below main) (libc_start_call_main.h:58)
+==2523108==
+
+The above can be reproduced by launching QEMU with
+
+  $ qemu-system-x86_64 -vnc localhost:0,websocket=5700
+
+and then repeatedly running:
+
+  for i in {1..100}; do
+     (echo -n "GET / HTTP/1.1" && sleep 0.05) | nc -w 1 localhost 5700 &
+  done
+
+CVE-2025-11234
+Reported-by: Grant Millar | Cylo <rid@cylo.io>
+Reviewed-by: Eric Blake <eblake@redhat.com>
+Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
+(cherry picked from commit b7a1f2ca45c7865b9e98e02ae605a65fc9458ae9)
+Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
+
+CVE: CVE-2025-11234
+Upstream-Status: Backport [https://gitlab.com/qemu-project/qemu/-/commit/cebdbd038e44af56e74272924dc2bf595a51fd8f]
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ include/io/channel-websock.h |  3 ++-
+ io/channel-websock.c         | 22 ++++++++++++++++------
+ 2 files changed, 18 insertions(+), 7 deletions(-)
+
+diff --git a/include/io/channel-websock.h b/include/io/channel-websock.h
+index e180827c5..6700cf894 100644
+--- a/include/io/channel-websock.h
++++ b/include/io/channel-websock.h
+@@ -61,7 +61,8 @@ struct QIOChannelWebsock {
+     size_t payload_remain;
+     size_t pong_remain;
+     QIOChannelWebsockMask mask;
+-    guint io_tag;
++    guint hs_io_tag; /* tracking handshake task */
++    guint io_tag; /* tracking watch task */
+     Error *io_err;
+     gboolean io_eof;
+     uint8_t opcode;
+diff --git a/io/channel-websock.c b/io/channel-websock.c
+index 1aac3c88a..583ea8618 100644
+--- a/io/channel-websock.c
++++ b/io/channel-websock.c
+@@ -545,6 +545,7 @@ static gboolean qio_channel_websock_handshake_send(QIOChannel *ioc,
+         trace_qio_channel_websock_handshake_fail(ioc, error_get_pretty(err));
+         qio_task_set_error(task, err);
+         qio_task_complete(task);
++        wioc->hs_io_tag = 0;
+         return FALSE;
+     }
+ 
+@@ -560,6 +561,7 @@ static gboolean qio_channel_websock_handshake_send(QIOChannel *ioc,
+             trace_qio_channel_websock_handshake_complete(ioc);
+             qio_task_complete(task);
+         }
++        wioc->hs_io_tag = 0;
+         return FALSE;
+     }
+     trace_qio_channel_websock_handshake_pending(ioc, G_IO_OUT);
+@@ -586,6 +588,7 @@ static gboolean qio_channel_websock_handshake_io(QIOChannel *ioc,
+         trace_qio_channel_websock_handshake_fail(ioc, error_get_pretty(err));
+         qio_task_set_error(task, err);
+         qio_task_complete(task);
++        wioc->hs_io_tag = 0;
+         return FALSE;
+     }
+     if (ret == 0) {
+@@ -597,7 +600,7 @@ static gboolean qio_channel_websock_handshake_io(QIOChannel *ioc,
+     error_propagate(&wioc->io_err, err);
+ 
+     trace_qio_channel_websock_handshake_reply(ioc);
+-    qio_channel_add_watch(
++    wioc->hs_io_tag = qio_channel_add_watch(
+         wioc->master,
+         G_IO_OUT,
+         qio_channel_websock_handshake_send,
+@@ -907,11 +910,12 @@ void qio_channel_websock_handshake(QIOChannelWebsock *ioc,
+ 
+     trace_qio_channel_websock_handshake_start(ioc);
+     trace_qio_channel_websock_handshake_pending(ioc, G_IO_IN);
+-    qio_channel_add_watch(ioc->master,
+-                          G_IO_IN,
+-                          qio_channel_websock_handshake_io,
+-                          task,
+-                          NULL);
++    ioc->hs_io_tag = qio_channel_add_watch(
++        ioc->master,
++        G_IO_IN,
++        qio_channel_websock_handshake_io,
++        task,
++        NULL);
+ }
+ 
+ 
+@@ -922,6 +926,9 @@ static void qio_channel_websock_finalize(Object *obj)
+     buffer_free(&ioc->encinput);
+     buffer_free(&ioc->encoutput);
+     buffer_free(&ioc->rawinput);
++    if (ioc->hs_io_tag) {
++        g_source_remove(ioc->hs_io_tag);
++    }
+     if (ioc->io_tag) {
+         g_source_remove(ioc->io_tag);
+     }
+@@ -1222,6 +1229,9 @@ static int qio_channel_websock_close(QIOChannel *ioc,
+     buffer_free(&wioc->encinput);
+     buffer_free(&wioc->encoutput);
+     buffer_free(&wioc->rawinput);
++    if (wioc->hs_io_tag) {
++        g_clear_handle_id(&wioc->hs_io_tag, g_source_remove);
++    }
+     if (wioc->io_tag) {
+         g_clear_handle_id(&wioc->io_tag, g_source_remove);
+     }
+-- 
+2.50.1
+
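Review bot: In the three early-return paths of qio_channel_websock_handshake_send and qio_channel_websock_handshake_io the new `wioc->hs_io_tag = 0;` is stored after `qio_task_complete(task);`. The task holds its own reference on the channel and drops it when it completes, and the completion callback (vnc_client_error in the valgrind trace above) can release the owner's reference too; if that leaves no reference, the store after completion touches freed memory, which is the same class of bug this patch is fixing. Moving the clear ahead of the completion call, `wioc->hs_io_tag = 0;` immediately before `qio_task_complete(task);`, is equivalent for the source bookkeeping (the `return FALSE` removes the source either way, and a close() called from the callback then simply skips g_clear_handle_id) and never dereferences wioc after the task is gone; whether the last reference can actually be dropped there is inferred from the trace, not visible in the hunk. Both handshake functions begin and end outside the embedded hunks.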
-- 
2.50.1




* Re: [OE-core] [scarthgap][PATCH] qemu: fix for CVE-2025-11234
  2026-01-23  5:53 [scarthgap][PATCH] qemu: fix for CVE-2025-11234 Hitendra Prajapati
@ 2026-02-05  7:32 ` Yoann Congal
  2026-02-19 21:44 ` Yoann Congal
  1 sibling, 0 replies; 4+ messages in thread
From: Yoann Congal @ 2026-02-05  7:32 UTC (permalink / raw)
  To: hprajapati, openembedded-core

On Fri Jan 23, 2026 at 6:53 AM CET, Hitendra Prajapati via lists.openembedded.org wrote:
> Upstream-Status: Backport from https://gitlab.com/qemu-project/qemu/-/commit/911c814c8cc5f836286bd96694843036db83e99f && https://gitlab.com/qemu-project/qemu/-/commit/cebdbd038e44af56e74272924dc2bf595a51fd8f
>
> Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
> ---
>  meta/recipes-devtools/qemu/qemu.inc           |   2 +
>  .../qemu/qemu/CVE-2025-11234-01.patch         |  72 ++++++++
>  .../qemu/qemu/CVE-2025-11234-02.patch         | 174 ++++++++++++++++++
>  3 files changed, 248 insertions(+)
>  create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2025-11234-01.patch
>  create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2025-11234-02.patch

Hello,

Could you please check if this fix is needed in whinlatter and master?
I can't take this if it's needed and not present on those branches.

Thanks!

Regards,
-- 
Yoann Congal
Smile ECS




* Re: [OE-core] [scarthgap][PATCH] qemu: fix for CVE-2025-11234
  2026-01-23  5:53 [scarthgap][PATCH] qemu: fix for CVE-2025-11234 Hitendra Prajapati
  2026-02-05  7:32 ` [OE-core] " Yoann Congal
@ 2026-02-19 21:44 ` Yoann Congal
  2026-02-19 21:51   ` Yoann Congal
  1 sibling, 1 reply; 4+ messages in thread
From: Yoann Congal @ 2026-02-19 21:44 UTC (permalink / raw)
  To: hprajapati, openembedded-core

Hello,

On Fri Jan 23, 2026 at 6:53 AM CET, Hitendra Prajapati via lists.openembedded.org wrote:
> Upstream-Status: Backport from https://gitlab.com/qemu-project/qemu/-/commit/911c814c8cc5f836286bd96694843036db83e99f && https://gitlab.com/qemu-project/qemu/-/commit/cebdbd038e44af56e74272924dc2bf595a51fd8f

(As the other CVE patches) please remove this Upstream-Status line from commit
message, and add a justification for the patches.

> Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
> ---
>  meta/recipes-devtools/qemu/qemu.inc           |   2 +
>  .../qemu/qemu/CVE-2025-11234-01.patch         |  72 ++++++++
>  .../qemu/qemu/CVE-2025-11234-02.patch         | 174 ++++++++++++++++++
>  3 files changed, 248 insertions(+)
>  create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2025-11234-01.patch
>  create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2025-11234-02.patch
>
> diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc
> index 748a32215e..ba21d57010 100644
> --- a/meta/recipes-devtools/qemu/qemu.inc
> +++ b/meta/recipes-devtools/qemu/qemu.inc
> @@ -43,6 +43,8 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \
>             file://qemu-guest-agent.udev \
>             file://CVE-2024-8354.patch \
>             file://CVE-2025-12464.patch \
> +           file://CVE-2025-11234-01.patch \
> +           file://CVE-2025-11234-02.patch \
>             "
>  UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar"
>  
> diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2025-11234-01.patch b/meta/recipes-devtools/qemu/qemu/CVE-2025-11234-01.patch
> new file mode 100644
> index 0000000000..c3797bc66f
> --- /dev/null
> +++ b/meta/recipes-devtools/qemu/qemu/CVE-2025-11234-01.patch
> @@ -0,0 +1,72 @@
> +From 911c814c8cc5f836286bd96694843036db83e99f Mon Sep 17 00:00:00 2001
> +From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
> +Date: Tue, 30 Sep 2025 11:58:35 +0100
> +Subject: [PATCH] io: move websock resource release to close method
> +MIME-Version: 1.0
> +Content-Type: text/plain; charset=UTF-8
> +Content-Transfer-Encoding: 8bit
> +
> +The QIOChannelWebsock object releases all its resources in the
> +finalize callback. This is later than desired, as callers expect
> +to be able to call qio_channel_close() to fully close a channel
> +and release resources related to I/O.
> +
> +The logic in the finalize method is at most a failsafe to handle
> +cases where a consumer forgets to call qio_channel_close.
> +
> +This adds equivalent logic to the close method to release the
> +resources, using g_clear_handle_id/g_clear_pointer to be robust
> +against repeated invocations. The finalize method is tweaked
> +so that the GSource is removed before releasing the underlying
> +channel.
> +
> +Reviewed-by: Eric Blake <eblake@redhat.com>
> +Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
> +(cherry picked from commit 322c3c4f3abee616a18b3bfe563ec29dd67eae63)
> +Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
> +
> +CVE: CVE-2025-11234
> +Upstream-Status: Backport [https://gitlab.com/qemu-project/qemu/-/commit/911c814c8cc5f836286bd96694843036db83e99f]

This backport is hard to decipher: this commit is on the 7.2 branch
(while scarthgap has 8.2). The easier one to understand is
322c3c4f3abee616a18b3bfe563ec29dd67eae63 (on master and in the 10.2.0
release).

> +Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
> +---
> + io/channel-websock.c | 11 ++++++++++-
> + 1 file changed, 10 insertions(+), 1 deletion(-)
> +
> +diff --git a/io/channel-websock.c b/io/channel-websock.c
> +index de39f0d18..1aac3c88a 100644
> +--- a/io/channel-websock.c
> ++++ b/io/channel-websock.c
> +@@ -922,13 +922,13 @@ static void qio_channel_websock_finalize(Object *obj)
> +     buffer_free(&ioc->encinput);
> +     buffer_free(&ioc->encoutput);
> +     buffer_free(&ioc->rawinput);
> +-    object_unref(OBJECT(ioc->master));
> +     if (ioc->io_tag) {
> +         g_source_remove(ioc->io_tag);
> +     }
> +     if (ioc->io_err) {
> +         error_free(ioc->io_err);
> +     }
> ++    object_unref(OBJECT(ioc->master));
> + }
> + 
> + 
> +@@ -1219,6 +1219,15 @@ static int qio_channel_websock_close(QIOChannel *ioc,
> +     QIOChannelWebsock *wioc = QIO_CHANNEL_WEBSOCK(ioc);
> + 
> +     trace_qio_channel_websock_close(ioc);
> ++    buffer_free(&wioc->encinput);
> ++    buffer_free(&wioc->encoutput);
> ++    buffer_free(&wioc->rawinput);
> ++    if (wioc->io_tag) {
> ++        g_clear_handle_id(&wioc->io_tag, g_source_remove);
> ++    }
> ++    if (wioc->io_err) {
> ++        g_clear_pointer(&wioc->io_err, error_free);
> ++    }
> +     return qio_channel_close(wioc->master, errp);
> + }
> + 
> +-- 
> +2.50.1
> +
> diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2025-11234-02.patch b/meta/recipes-devtools/qemu/qemu/CVE-2025-11234-02.patch
> new file mode 100644
> index 0000000000..364d19457d
> --- /dev/null
> +++ b/meta/recipes-devtools/qemu/qemu/CVE-2025-11234-02.patch
> @@ -0,0 +1,174 @@
> +From cebdbd038e44af56e74272924dc2bf595a51fd8f Mon Sep 17 00:00:00 2001
> +From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
> +Date: Tue, 30 Sep 2025 12:03:15 +0100
> +Subject: [PATCH] io: fix use after free in websocket handshake code
> +MIME-Version: 1.0
> +Content-Type: text/plain; charset=UTF-8
> +Content-Transfer-Encoding: 8bit
> +
> +If the QIOChannelWebsock object is freed while it is waiting to
> +complete a handshake, a GSource is leaked. This can lead to the
> +callback firing later on and triggering a use-after-free in the
> +use of the channel. This was observed in the VNC server with the
> +following trace from valgrind:
> +
> +==2523108== Invalid read of size 4
> +==2523108==    at 0x4054A24: vnc_disconnect_start (vnc.c:1296)
> +==2523108==    by 0x4054A24: vnc_client_error (vnc.c:1392)
> +==2523108==    by 0x4068A09: vncws_handshake_done (vnc-ws.c:105)
> +==2523108==    by 0x44863B4: qio_task_complete (task.c:197)
> +==2523108==    by 0x448343D: qio_channel_websock_handshake_io (channel-websock.c:588)
> +==2523108==    by 0x6EDB862: UnknownInlinedFun (gmain.c:3398)
> +==2523108==    by 0x6EDB862: g_main_context_dispatch_unlocked.lto_priv.0 (gmain.c:4249)
> +==2523108==    by 0x6EDBAE4: g_main_context_dispatch (gmain.c:4237)
> +==2523108==    by 0x45EC79F: glib_pollfds_poll (main-loop.c:287)
> +==2523108==    by 0x45EC79F: os_host_main_loop_wait (main-loop.c:310)
> +==2523108==    by 0x45EC79F: main_loop_wait (main-loop.c:589)
> +==2523108==    by 0x423A56D: qemu_main_loop (runstate.c:835)
> +==2523108==    by 0x454F300: qemu_default_main (main.c:37)
> +==2523108==    by 0x73D6574: (below main) (libc_start_call_main.h:58)
> +==2523108==  Address 0x57a6e0dc is 28 bytes inside a block of size 103,608 free'd
> +==2523108==    at 0x5F2FE43: free (vg_replace_malloc.c:989)
> +==2523108==    by 0x6EDC444: g_free (gmem.c:208)
> +==2523108==    by 0x4053F23: vnc_update_client (vnc.c:1153)
> +==2523108==    by 0x4053F23: vnc_refresh (vnc.c:3225)
> +==2523108==    by 0x4042881: dpy_refresh (console.c:880)
> +==2523108==    by 0x4042881: gui_update (console.c:90)
> +==2523108==    by 0x45EFA1B: timerlist_run_timers.part.0 (qemu-timer.c:562)
> +=2523108==    by 0x45EC765: main_loop_wait (main-loop.c:600)
> +==2523108==    by 0x423A56D: qemu_main_loop (runstate.c:835)
> +==2523108==    by 0x454F300: qemu_default_main (main.c:37)
> +==2523108==    by 0x73D6574: (below main) (libc_start_call_main.h:58)
> +==2523108==  Block was alloc'd at
> +==2523108==    at 0x5F343F3: calloc (vg_replace_malloc.c:1675)
> +==2523108==    by 0x6EE2F81: g_malloc0 (gmem.c:133)
> +==2523108==    by 0x4057DA3: vnc_connect (vnc.c:3245)
> +==2523108==    by 0x448591B: qio_net_listener_channel_func (net-listener.c:54)
> +==2523108==    by 0x6EDB862: UnknownInlinedFun (gmain.c:3398)
> +==2523108==    by 0x6EDB862: g_main_context_dispatch_unlocked.lto_priv.0 (gmain.c:4249)
> +==2523108==    by 0x6EDBAE4: g_main_context_dispatch (gmain.c:4237)
> +==2523108==    by 0x45EC79F: glib_pollfds_poll (main-loop.c:287)
> +==2523108==    by 0x45EC79F: os_host_main_loop_wait (main-loop.c:310)
> +==2523108==    by 0x45EC79F: main_loop_wait (main-loop.c:589)
> +==2523108==    by 0x423A56D: qemu_main_loop (runstate.c:835)
> +==2523108==    by 0x454F300: qemu_default_main (main.c:37)
> +==2523108==    by 0x73D6574: (below main) (libc_start_call_main.h:58)
> +==2523108==
> +
> +The above can be reproduced by launching QEMU with
> +
> +  $ qemu-system-x86_64 -vnc localhost:0,websocket=5700
> +
> +and then repeatedly running:
> +
> +  for i in {1..100}; do
> +     (echo -n "GET / HTTP/1.1" && sleep 0.05) | nc -w 1 localhost 5700 &
> +  done
> +
> +CVE-2025-11234
> +Reported-by: Grant Millar | Cylo <rid@cylo.io>
> +Reviewed-by: Eric Blake <eblake@redhat.com>
> +Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
> +(cherry picked from commit b7a1f2ca45c7865b9e98e02ae605a65fc9458ae9)
> +Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
> +
> +CVE: CVE-2025-11234
> +Upstream-Status: Backport [https://gitlab.com/qemu-project/qemu/-/commit/cebdbd038e44af56e74272924dc2bf595a51fd8f]

Same idea: b7a1f2ca45c7865b9e98e02ae605a65fc9458ae9 is easier to
understand.
> +Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
> +---
> + include/io/channel-websock.h |  3 ++-
> + io/channel-websock.c         | 22 ++++++++++++++++------
> + 2 files changed, 18 insertions(+), 7 deletions(-)
> +
> +diff --git a/include/io/channel-websock.h b/include/io/channel-websock.h
> +index e180827c5..6700cf894 100644
> +--- a/include/io/channel-websock.h
> ++++ b/include/io/channel-websock.h
> +@@ -61,7 +61,8 @@ struct QIOChannelWebsock {
> +     size_t payload_remain;
> +     size_t pong_remain;
> +     QIOChannelWebsockMask mask;
> +-    guint io_tag;
> ++    guint hs_io_tag; /* tracking handshake task */
> ++    guint io_tag; /* tracking watch task */
> +     Error *io_err;
> +     gboolean io_eof;
> +     uint8_t opcode;
> +diff --git a/io/channel-websock.c b/io/channel-websock.c
> +index 1aac3c88a..583ea8618 100644
> +--- a/io/channel-websock.c
> ++++ b/io/channel-websock.c
> +@@ -545,6 +545,7 @@ static gboolean qio_channel_websock_handshake_send(QIOChannel *ioc,
> +         trace_qio_channel_websock_handshake_fail(ioc, error_get_pretty(err));
> +         qio_task_set_error(task, err);
> +         qio_task_complete(task);
> ++        wioc->hs_io_tag = 0;
> +         return FALSE;
> +     }
> + 
> +@@ -560,6 +561,7 @@ static gboolean qio_channel_websock_handshake_send(QIOChannel *ioc,
> +             trace_qio_channel_websock_handshake_complete(ioc);
> +             qio_task_complete(task);
> +         }
> ++        wioc->hs_io_tag = 0;
> +         return FALSE;
> +     }
> +     trace_qio_channel_websock_handshake_pending(ioc, G_IO_OUT);
> +@@ -586,6 +588,7 @@ static gboolean qio_channel_websock_handshake_io(QIOChannel *ioc,
> +         trace_qio_channel_websock_handshake_fail(ioc, error_get_pretty(err));
> +         qio_task_set_error(task, err);
> +         qio_task_complete(task);
> ++        wioc->hs_io_tag = 0;
> +         return FALSE;
> +     }
> +     if (ret == 0) {
> +@@ -597,7 +600,7 @@ static gboolean qio_channel_websock_handshake_io(QIOChannel *ioc,
> +     error_propagate(&wioc->io_err, err);
> + 
> +     trace_qio_channel_websock_handshake_reply(ioc);
> +-    qio_channel_add_watch(
> ++    wioc->hs_io_tag = qio_channel_add_watch(
> +         wioc->master,
> +         G_IO_OUT,
> +         qio_channel_websock_handshake_send,
> +@@ -907,11 +910,12 @@ void qio_channel_websock_handshake(QIOChannelWebsock *ioc,
> + 
> +     trace_qio_channel_websock_handshake_start(ioc);
> +     trace_qio_channel_websock_handshake_pending(ioc, G_IO_IN);
> +-    qio_channel_add_watch(ioc->master,
> +-                          G_IO_IN,
> +-                          qio_channel_websock_handshake_io,
> +-                          task,
> +-                          NULL);
> ++    ioc->hs_io_tag = qio_channel_add_watch(
> ++        ioc->master,
> ++        G_IO_IN,
> ++        qio_channel_websock_handshake_io,
> ++        task,
> ++        NULL);
> + }
> + 
> + 
> +@@ -922,6 +926,9 @@ static void qio_channel_websock_finalize(Object *obj)
> +     buffer_free(&ioc->encinput);
> +     buffer_free(&ioc->encoutput);
> +     buffer_free(&ioc->rawinput);
> ++    if (ioc->hs_io_tag) {
> ++        g_source_remove(ioc->hs_io_tag);
> ++    }
> +     if (ioc->io_tag) {
> +         g_source_remove(ioc->io_tag);
> +     }
> +@@ -1222,6 +1229,9 @@ static int qio_channel_websock_close(QIOChannel *ioc,
> +     buffer_free(&wioc->encinput);
> +     buffer_free(&wioc->encoutput);
> +     buffer_free(&wioc->rawinput);
> ++    if (wioc->hs_io_tag) {
> ++        g_clear_handle_id(&wioc->hs_io_tag, g_source_remove);
> ++    }
> +     if (wioc->io_tag) {
> +         g_clear_handle_id(&wioc->io_tag, g_source_remove);
> +     }
> +-- 
> +2.50.1
> +


-- 
Yoann Congal
Smile ECS




* Re: [OE-core] [scarthgap][PATCH] qemu: fix for CVE-2025-11234
  2026-02-19 21:44 ` Yoann Congal
@ 2026-02-19 21:51   ` Yoann Congal
  0 siblings, 0 replies; 4+ messages in thread
From: Yoann Congal @ 2026-02-19 21:51 UTC (permalink / raw)
  To: Yoann Congal, hprajapati, openembedded-core

On Thu Feb 19, 2026 at 10:44 PM CET, Yoann Congal wrote:
> Hello,
>
> On Fri Jan 23, 2026 at 6:53 AM CET, Hitendra Prajapati via lists.openembedded.org wrote:
>> Upstream-Status: Backport from https://gitlab.com/qemu-project/qemu/-/commit/911c814c8cc5f836286bd96694843036db83e99f && https://gitlab.com/qemu-project/qemu/-/commit/cebdbd038e44af56e74272924dc2bf595a51fd8f
>
> (As the other CVE patches) please remove this Upstream-Status line from commit
> message, and add a justification for the patches.

And I forgot to add that this patch is needed on whinlatter (fix was
introduced on 10.0.7 and whinlatter is on 10.0.6), but not on master
(where the current 10.2.0 does contain it).

Can you send the fixed version to whinlatter as well?

Thanks!

>> Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
>> ---
>>  meta/recipes-devtools/qemu/qemu.inc           |   2 +
>>  .../qemu/qemu/CVE-2025-11234-01.patch         |  72 ++++++++
>>  .../qemu/qemu/CVE-2025-11234-02.patch         | 174 ++++++++++++++++++
>>  3 files changed, 248 insertions(+)
>>  create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2025-11234-01.patch
>>  create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2025-11234-02.patch
>>
>> diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc
>> index 748a32215e..ba21d57010 100644
>> --- a/meta/recipes-devtools/qemu/qemu.inc
>> +++ b/meta/recipes-devtools/qemu/qemu.inc
>> @@ -43,6 +43,8 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \
>>             file://qemu-guest-agent.udev \
>>             file://CVE-2024-8354.patch \
>>             file://CVE-2025-12464.patch \
>> +           file://CVE-2025-11234-01.patch \
>> +           file://CVE-2025-11234-02.patch \
>>             "
>>  UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar"
>>  
>> diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2025-11234-01.patch b/meta/recipes-devtools/qemu/qemu/CVE-2025-11234-01.patch
>> new file mode 100644
>> index 0000000000..c3797bc66f
>> --- /dev/null
>> +++ b/meta/recipes-devtools/qemu/qemu/CVE-2025-11234-01.patch
>> @@ -0,0 +1,72 @@
>> +From 911c814c8cc5f836286bd96694843036db83e99f Mon Sep 17 00:00:00 2001
>> +From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
>> +Date: Tue, 30 Sep 2025 11:58:35 +0100
>> +Subject: [PATCH] io: move websock resource release to close method
>> +MIME-Version: 1.0
>> +Content-Type: text/plain; charset=UTF-8
>> +Content-Transfer-Encoding: 8bit
>> +
>> +The QIOChannelWebsock object releases all its resources in the
>> +finalize callback. This is later than desired, as callers expect
>> +to be able to call qio_channel_close() to fully close a channel
>> +and release resources related to I/O.
>> +
>> +The logic in the finalize method is at most a failsafe to handle
>> +cases where a consumer forgets to call qio_channel_close.
>> +
>> +This adds equivalent logic to the close method to release the
>> +resources, using g_clear_handle_id/g_clear_pointer to be robust
>> +against repeated invocations. The finalize method is tweaked
>> +so that the GSource is removed before releasing the underlying
>> +channel.
>> +
>> +Reviewed-by: Eric Blake <eblake@redhat.com>
>> +Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
>> +(cherry picked from commit 322c3c4f3abee616a18b3bfe563ec29dd67eae63)
>> +Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
>> +
>> +CVE: CVE-2025-11234
>> +Upstream-Status: Backport [https://gitlab.com/qemu-project/qemu/-/commit/911c814c8cc5f836286bd96694843036db83e99f]
>
> This backport is hard to decipher: the referenced commit is in the 7.2 branch
> (while scarthgap has 8.2). The easier one to understand is
> 322c3c4f3abee616a18b3bfe563ec29dd67eae63 (on master and in the 10.2.0
> release)
>
>> +Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
>> +---
>> + io/channel-websock.c | 11 ++++++++++-
>> + 1 file changed, 10 insertions(+), 1 deletion(-)
>> +
>> +diff --git a/io/channel-websock.c b/io/channel-websock.c
>> +index de39f0d18..1aac3c88a 100644
>> +--- a/io/channel-websock.c
>> ++++ b/io/channel-websock.c
>> +@@ -922,13 +922,13 @@ static void qio_channel_websock_finalize(Object *obj)
>> +     buffer_free(&ioc->encinput);
>> +     buffer_free(&ioc->encoutput);
>> +     buffer_free(&ioc->rawinput);
>> +-    object_unref(OBJECT(ioc->master));
>> +     if (ioc->io_tag) {
>> +         g_source_remove(ioc->io_tag);
>> +     }
>> +     if (ioc->io_err) {
>> +         error_free(ioc->io_err);
>> +     }
>> ++    object_unref(OBJECT(ioc->master));
>> + }
>> + 
>> + 
>> +@@ -1219,6 +1219,15 @@ static int qio_channel_websock_close(QIOChannel *ioc,
>> +     QIOChannelWebsock *wioc = QIO_CHANNEL_WEBSOCK(ioc);
>> + 
>> +     trace_qio_channel_websock_close(ioc);
>> ++    buffer_free(&wioc->encinput);
>> ++    buffer_free(&wioc->encoutput);
>> ++    buffer_free(&wioc->rawinput);
>> ++    if (wioc->io_tag) {
>> ++        g_clear_handle_id(&wioc->io_tag, g_source_remove);
>> ++    }
>> ++    if (wioc->io_err) {
>> ++        g_clear_pointer(&wioc->io_err, error_free);
>> ++    }
>> +     return qio_channel_close(wioc->master, errp);
>> + }
>> + 
>> +-- 
>> +2.50.1
>> +
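Review bot: The release sequence added to qio_channel_websock_close() (the lines following trace_qio_channel_websock_close) is only safe to run twice if buffer_free() leaves each Buffer in an empty-but-valid state; g_clear_handle_id/g_clear_pointer make io_tag and io_err idempotent, but nothing on the page says the same for the three buffer_free() calls, which finalize repeats. If buffer_free() resets the struct after freeing (as I believe util/buffer.c does — confirm against the scarthgap tree), a short comment at the first buffer_free() in close() would record what the double-call safety relies on, e.g. `/* buffer_free() resets the Buffer, so repeating this from finalize or a second close() is safe */`. The close() function continues past the hunk after the qio_channel_close(wioc->master, errp) line, and the finalize function starts before its hunk, so I cannot check any other uses of these buffers after close.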
>> diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2025-11234-02.patch b/meta/recipes-devtools/qemu/qemu/CVE-2025-11234-02.patch
>> new file mode 100644
>> index 0000000000..364d19457d
>> --- /dev/null
>> +++ b/meta/recipes-devtools/qemu/qemu/CVE-2025-11234-02.patch
>> @@ -0,0 +1,174 @@
>> +From cebdbd038e44af56e74272924dc2bf595a51fd8f Mon Sep 17 00:00:00 2001
>> +From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
>> +Date: Tue, 30 Sep 2025 12:03:15 +0100
>> +Subject: [PATCH] io: fix use after free in websocket handshake code
>> +MIME-Version: 1.0
>> +Content-Type: text/plain; charset=UTF-8
>> +Content-Transfer-Encoding: 8bit
>> +
>> +If the QIOChannelWebsock object is freed while it is waiting to
>> +complete a handshake, a GSource is leaked. This can lead to the
>> +callback firing later on and triggering a use-after-free in the
>> +use of the channel. This was observed in the VNC server with the
>> +following trace from valgrind:
>> +
>> +==2523108== Invalid read of size 4
>> +==2523108==    at 0x4054A24: vnc_disconnect_start (vnc.c:1296)
>> +==2523108==    by 0x4054A24: vnc_client_error (vnc.c:1392)
>> +==2523108==    by 0x4068A09: vncws_handshake_done (vnc-ws.c:105)
>> +==2523108==    by 0x44863B4: qio_task_complete (task.c:197)
>> +==2523108==    by 0x448343D: qio_channel_websock_handshake_io (channel-websock.c:588)
>> +==2523108==    by 0x6EDB862: UnknownInlinedFun (gmain.c:3398)
>> +==2523108==    by 0x6EDB862: g_main_context_dispatch_unlocked.lto_priv.0 (gmain.c:4249)
>> +==2523108==    by 0x6EDBAE4: g_main_context_dispatch (gmain.c:4237)
>> +==2523108==    by 0x45EC79F: glib_pollfds_poll (main-loop.c:287)
>> +==2523108==    by 0x45EC79F: os_host_main_loop_wait (main-loop.c:310)
>> +==2523108==    by 0x45EC79F: main_loop_wait (main-loop.c:589)
>> +==2523108==    by 0x423A56D: qemu_main_loop (runstate.c:835)
>> +==2523108==    by 0x454F300: qemu_default_main (main.c:37)
>> +==2523108==    by 0x73D6574: (below main) (libc_start_call_main.h:58)
>> +==2523108==  Address 0x57a6e0dc is 28 bytes inside a block of size 103,608 free'd
>> +==2523108==    at 0x5F2FE43: free (vg_replace_malloc.c:989)
>> +==2523108==    by 0x6EDC444: g_free (gmem.c:208)
>> +==2523108==    by 0x4053F23: vnc_update_client (vnc.c:1153)
>> +==2523108==    by 0x4053F23: vnc_refresh (vnc.c:3225)
>> +==2523108==    by 0x4042881: dpy_refresh (console.c:880)
>> +==2523108==    by 0x4042881: gui_update (console.c:90)
>> +==2523108==    by 0x45EFA1B: timerlist_run_timers.part.0 (qemu-timer.c:562)
>> +=2523108==    by 0x45EC765: main_loop_wait (main-loop.c:600)
>> +==2523108==    by 0x423A56D: qemu_main_loop (runstate.c:835)
>> +==2523108==    by 0x454F300: qemu_default_main (main.c:37)
>> +==2523108==    by 0x73D6574: (below main) (libc_start_call_main.h:58)
>> +==2523108==  Block was alloc'd at
>> +==2523108==    at 0x5F343F3: calloc (vg_replace_malloc.c:1675)
>> +==2523108==    by 0x6EE2F81: g_malloc0 (gmem.c:133)
>> +==2523108==    by 0x4057DA3: vnc_connect (vnc.c:3245)
>> +==2523108==    by 0x448591B: qio_net_listener_channel_func (net-listener.c:54)
>> +==2523108==    by 0x6EDB862: UnknownInlinedFun (gmain.c:3398)
>> +==2523108==    by 0x6EDB862: g_main_context_dispatch_unlocked.lto_priv.0 (gmain.c:4249)
>> +==2523108==    by 0x6EDBAE4: g_main_context_dispatch (gmain.c:4237)
>> +==2523108==    by 0x45EC79F: glib_pollfds_poll (main-loop.c:287)
>> +==2523108==    by 0x45EC79F: os_host_main_loop_wait (main-loop.c:310)
>> +==2523108==    by 0x45EC79F: main_loop_wait (main-loop.c:589)
>> +==2523108==    by 0x423A56D: qemu_main_loop (runstate.c:835)
>> +==2523108==    by 0x454F300: qemu_default_main (main.c:37)
>> +==2523108==    by 0x73D6574: (below main) (libc_start_call_main.h:58)
>> +==2523108==
>> +
>> +The above can be reproduced by launching QEMU with
>> +
>> +  $ qemu-system-x86_64 -vnc localhost:0,websocket=5700
>> +
>> +and then repeatedly running:
>> +
>> +  for i in {1..100}; do
>> +     (echo -n "GET / HTTP/1.1" && sleep 0.05) | nc -w 1 localhost 5700 &
>> +  done
>> +
>> +CVE-2025-11234
>> +Reported-by: Grant Millar | Cylo <rid@cylo.io>
>> +Reviewed-by: Eric Blake <eblake@redhat.com>
>> +Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
>> +(cherry picked from commit b7a1f2ca45c7865b9e98e02ae605a65fc9458ae9)
>> +Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
>> +
>> +CVE: CVE-2025-11234
>> +Upstream-Status: Backport [https://gitlab.com/qemu-project/qemu/-/commit/cebdbd038e44af56e74272924dc2bf595a51fd8f]
>
> Same idea: b7a1f2ca45c7865b9e98e02ae605a65fc9458ae9 is easier to
> understand.
>> +Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
>> +---
>> + include/io/channel-websock.h |  3 ++-
>> + io/channel-websock.c         | 22 ++++++++++++++++------
>> + 2 files changed, 18 insertions(+), 7 deletions(-)
>> +
>> +diff --git a/include/io/channel-websock.h b/include/io/channel-websock.h
>> +index e180827c5..6700cf894 100644
>> +--- a/include/io/channel-websock.h
>> ++++ b/include/io/channel-websock.h
>> +@@ -61,7 +61,8 @@ struct QIOChannelWebsock {
>> +     size_t payload_remain;
>> +     size_t pong_remain;
>> +     QIOChannelWebsockMask mask;
>> +-    guint io_tag;
>> ++    guint hs_io_tag; /* tracking handshake task */
>> ++    guint io_tag; /* tracking watch task */
>> +     Error *io_err;
>> +     gboolean io_eof;
>> +     uint8_t opcode;
>> +diff --git a/io/channel-websock.c b/io/channel-websock.c
>> +index 1aac3c88a..583ea8618 100644
>> +--- a/io/channel-websock.c
>> ++++ b/io/channel-websock.c
>> +@@ -545,6 +545,7 @@ static gboolean qio_channel_websock_handshake_send(QIOChannel *ioc,
>> +         trace_qio_channel_websock_handshake_fail(ioc, error_get_pretty(err));
>> +         qio_task_set_error(task, err);
>> +         qio_task_complete(task);
>> ++        wioc->hs_io_tag = 0;
>> +         return FALSE;
>> +     }
>> + 
>> +@@ -560,6 +561,7 @@ static gboolean qio_channel_websock_handshake_send(QIOChannel *ioc,
>> +             trace_qio_channel_websock_handshake_complete(ioc);
>> +             qio_task_complete(task);
>> +         }
>> ++        wioc->hs_io_tag = 0;
>> +         return FALSE;
>> +     }
>> +     trace_qio_channel_websock_handshake_pending(ioc, G_IO_OUT);
>> +@@ -586,6 +588,7 @@ static gboolean qio_channel_websock_handshake_io(QIOChannel *ioc,
>> +         trace_qio_channel_websock_handshake_fail(ioc, error_get_pretty(err));
>> +         qio_task_set_error(task, err);
>> +         qio_task_complete(task);
>> ++        wioc->hs_io_tag = 0;
>> +         return FALSE;
>> +     }
>> +     if (ret == 0) {
>> +@@ -597,7 +600,7 @@ static gboolean qio_channel_websock_handshake_io(QIOChannel *ioc,
>> +     error_propagate(&wioc->io_err, err);
>> + 
>> +     trace_qio_channel_websock_handshake_reply(ioc);
>> +-    qio_channel_add_watch(
>> ++    wioc->hs_io_tag = qio_channel_add_watch(
>> +         wioc->master,
>> +         G_IO_OUT,
>> +         qio_channel_websock_handshake_send,
>> +@@ -907,11 +910,12 @@ void qio_channel_websock_handshake(QIOChannelWebsock *ioc,
>> + 
>> +     trace_qio_channel_websock_handshake_start(ioc);
>> +     trace_qio_channel_websock_handshake_pending(ioc, G_IO_IN);
>> +-    qio_channel_add_watch(ioc->master,
>> +-                          G_IO_IN,
>> +-                          qio_channel_websock_handshake_io,
>> +-                          task,
>> +-                          NULL);
>> ++    ioc->hs_io_tag = qio_channel_add_watch(
>> ++        ioc->master,
>> ++        G_IO_IN,
>> ++        qio_channel_websock_handshake_io,
>> ++        task,
>> ++        NULL);
>> + }
>> + 
>> + 
>> +@@ -922,6 +926,9 @@ static void qio_channel_websock_finalize(Object *obj)
>> +     buffer_free(&ioc->encinput);
>> +     buffer_free(&ioc->encoutput);
>> +     buffer_free(&ioc->rawinput);
>> ++    if (ioc->hs_io_tag) {
>> ++        g_source_remove(ioc->hs_io_tag);
>> ++    }
>> +     if (ioc->io_tag) {
>> +         g_source_remove(ioc->io_tag);
>> +     }
>> +@@ -1222,6 +1229,9 @@ static int qio_channel_websock_close(QIOChannel *ioc,
>> +     buffer_free(&wioc->encinput);
>> +     buffer_free(&wioc->encoutput);
>> +     buffer_free(&wioc->rawinput);
>> ++    if (wioc->hs_io_tag) {
>> ++        g_clear_handle_id(&wioc->hs_io_tag, g_source_remove);
>> ++    }
>> +     if (wioc->io_tag) {
>> +         g_clear_handle_id(&wioc->io_tag, g_source_remove);
>> +     }
>> +-- 
>> +2.50.1
>> +
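Review bot: Each `wioc->hs_io_tag = 0;` in qio_channel_websock_handshake_send() and qio_channel_websock_handshake_io() is written after `qio_task_complete(task);`, and the completion callback is exactly the path that can tear the channel down (the valgrind trace in the commit message runs qio_task_complete → vncws_handshake_done → vnc_client_error → vnc_disconnect_start). As I read QEMU's watch implementation, the write is safe only because the GSource created by qio_channel_add_watch() holds its own reference on the channel until the callback returns FALSE; if that holds it deserves a comment at the first occurrence, e.g. `/* the watch GSource still holds a ref on wioc, so clearing the tag after task completion is safe */`, and if it does not, the assignment should move above qio_task_complete(). The `ret == 0` branch of handshake_io, which keeps the G_IO_IN watch alive while more data is awaited, lies outside the hunk, so I cannot confirm hs_io_tag is left untouched there. The new field comments in channel-websock.h read as fragments; `/* GSource id of the pending handshake watch, 0 when none */` for hs_io_tag and `/* GSource id of the data-path watch, 0 when none */` for io_tag would state the zero-means-absent convention that both close() and finalize() rely on.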


-- 
Yoann Congal
Smile ECS



