[Spice-devel] [PATCH] drm/qxl: qxl_release use after free
Gerd Hoffmann
kraxel at redhat.com
Wed Apr 29 11:40:01 UTC 2020
On Wed, Apr 29, 2020 at 12:01:24PM +0300, Vasily Averin wrote:
> qxl_release should not be accessed after qxl_push_*_ring_release() calls:
> userspace driver can process submitted command quickly, move qxl_release
> into release_ring, generate interrupt and trigger garbage collector.
>
> It can lead to crashes in the qxl driver or trigger memory corruption
> in some kmalloc-192 slab object.
>
> Gerd Hoffmann proposes to swap the qxl_release_fence_buffer_objects() +
> qxl_push_{cursor,command}_ring_release() calls to close that race window.
>
> cc: stable at vger.kernel.org
> Fixes: f64122c1f6ad ("drm: add new QXL driver. (v1.4)")
> Signed-off-by: Vasily Averin <vvs at virtuozzo.com>
Pushed to drm-misc-fixes.
thanks,
Gerd
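A small C model of the ordering problem the commit message describes, added here as an illustration and not taken from the qxl driver: every name is a hypothetical stand-in, and the model device reclaims a release the instant it is pushed (the fastest possible host, the worst case for the race), so the pre-patch order touches a reclaimed object while the swapped order never does.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical model, not real qxl code. The driver owns a release only
 * until it is pushed to the command ring; after that the host may
 * process it, move it to the release ring and let the GC free it. */
struct model_release {
    bool fenced;   /* stands in for qxl_release_fence_buffer_objects() */
    bool freed;    /* set when the model GC reclaims the object */
};

/* Model of qxl_push_*_ring_release(): the host processes the command
 * immediately and the GC reclaims the release. We poison the object
 * instead of calling free() so the result is observable, not a crash. */
static void model_push_ring_release(struct model_release *r)
{
    r->freed = true;
}

/* Model of the fencing step. Returns true if it touched a release the
 * GC had already reclaimed, i.e. the point where the real code would
 * perform a use-after-free on a kmalloc-192 object. */
static bool model_fence_buffer_objects(struct model_release *r)
{
    if (r->freed)
        return true;
    r->fenced = true;
    return false;
}

/* Pre-patch order: push first, then fence through a possibly reclaimed
 * release. Returns true when the use-after-free window is hit. */
bool submit_buggy_order(void)
{
    struct model_release *r = calloc(1, sizeof(*r));
    model_push_ring_release(r);
    bool uaf = model_fence_buffer_objects(r);
    free(r);
    return uaf;
}

/* Patched order: finish everything that needs the release, then push it
 * and never touch it again. Returns true only if the window is hit. */
bool submit_fixed_order(void)
{
    struct model_release *r = calloc(1, sizeof(*r));
    bool uaf = model_fence_buffer_objects(r);
    model_push_ring_release(r);
    free(r);
    return uaf;
}
```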