File CVE-2017-9374-qemuu-usb-ehci-host-memory-leakage-during-hotunplug.patch of Package xen.11298

References: bsc#1043074 CVE-2017-9374

Subject: usb: ehci: fix memory leak in ehci
From: Li Qiang liqiang6-s@360.cn Tue Feb 7 18:42:55 2017 -0800
Date: Tue Feb 21 08:11:42 2017 +0100:
Git: d710e1e7bd3d5bfc26b631f02ae87901ebe646b0

The usb_ehci_init function initializes 's->ipacket', but there
is no corresponding function to free it. As the ehci can be hotplugged
and unplugged, this will leak host memory. In order to keep the
hierarchy clean, we should add an ehci pci finalize function, then call
the cleanup function in the ehci device.

Signed-off-by: Li Qiang <liqiang6-s@360.cn>
Message-id: 589a85b8.3c2b9d0a.b8e6.1434@mx.google.com
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>

Index: xen-4.5.5-testing/tools/qemu-xen-dir-remote/hw/usb/hcd-ehci-pci.c
===================================================================
--- xen-4.5.5-testing.orig/tools/qemu-xen-dir-remote/hw/usb/hcd-ehci-pci.c
+++ xen-4.5.5-testing/tools/qemu-xen-dir-remote/hw/usb/hcd-ehci-pci.c
@@ -84,6 +84,14 @@ static void usb_ehci_pci_init(Object *ob
     usb_ehci_init(s, DEVICE(obj));
 }
 
+static void usb_ehci_pci_finalize(Object *obj)
+{
+    EHCIPCIState *i = PCI_EHCI(obj);
+    EHCIState *s = &i->ehci;
+
+    usb_ehci_finalize(s);
+}
+
 static void usb_ehci_pci_write_config(PCIDevice *dev, uint32_t addr,
                                       uint32_t val, int l)
 {
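Review bot: Only the PCI front end gets a finalize hook here, so the leak stays open for any other device type that reaches `usb_ehci_init()` from its own `instance_init`. Whether such a caller exists in this tree is not visible from the patch, and it should be checked before treating CVE-2017-9374 as fully closed. A short comment above `usb_ehci_pci_finalize` would also help, for example `/* Pairs with usb_ehci_pci_init(): ipacket is set up at instance_init time, so it is released at finalize rather than at unrealize. */`.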
@@ -133,6 +141,7 @@ static const TypeInfo ehci_pci_type_info
     .parent = TYPE_PCI_DEVICE,
     .instance_size = sizeof(EHCIPCIState),
     .instance_init = usb_ehci_pci_init,
+    .instance_finalize = usb_ehci_pci_finalize,
     .abstract = true,
     .class_init = ehci_class_init,
 };
Index: xen-4.5.5-testing/tools/qemu-xen-dir-remote/hw/usb/hcd-ehci.c
===================================================================
--- xen-4.5.5-testing.orig/tools/qemu-xen-dir-remote/hw/usb/hcd-ehci.c
+++ xen-4.5.5-testing/tools/qemu-xen-dir-remote/hw/usb/hcd-ehci.c
@@ -2600,6 +2600,11 @@ void usb_ehci_init(EHCIState *s, DeviceS
                                 &s->mem_ports);
 }
 
+void usb_ehci_finalize(EHCIState *s)
+{
+    usb_packet_cleanup(&s->ipacket);
+}
+
 /*
  * vim: expandtab ts=4
  */
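Review bot: `usb_ehci_finalize()` has no comment tying it to `usb_ehci_init()`, so a later allocation added to init can easily be missed here and reintroduce a host memory leak on hot-unplug. I would add `/* Counterpart of usb_ehci_init(): release everything init allocated (currently only s->ipacket). */` above the function. The body of `usb_ehci_init()` lies almost entirely outside this hunk, so it is worth confirming that `ipacket` is the only resource it allocates.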
Index: xen-4.5.5-testing/tools/qemu-xen-dir-remote/hw/usb/hcd-ehci.h
===================================================================
--- xen-4.5.5-testing.orig/tools/qemu-xen-dir-remote/hw/usb/hcd-ehci.h
+++ xen-4.5.5-testing/tools/qemu-xen-dir-remote/hw/usb/hcd-ehci.h
@@ -321,6 +321,7 @@ struct EHCIState {
 extern const VMStateDescription vmstate_ehci;
 
 void usb_ehci_init(EHCIState *s, DeviceState *dev);
+void usb_ehci_finalize(EHCIState *s);
 void usb_ehci_realize(EHCIState *s, DeviceState *dev, Error **errp);
 
 #define TYPE_PCI_EHCI "pci-ehci-usb"