drm/qxl: qxl_release use after free (933db733) · Commits · Mirrors / git.kernel.org / pub_scm_linux_kernel_git_stable_linux · GitLab

Commit 933db733 authored Apr 29, 2020 by

Vasily Averin Committed by Gerd Hoffmann Apr 29, 2020

drm/qxl: qxl_release use after free

qxl_release should not be accesses after qxl_push_*_ring_release() calls:
userspace driver can process submitted command quickly, move qxl_release
into release_ring, generate interrupt and trigger garbage collector.

It can lead to crashes in qxl driver or trigger memory corruption
in some kmalloc-192 slab object

Gerd Hoffmann proposes to swap the qxl_release_fence_buffer_objects() +
qxl_push_{cursor,command}_ring_release() calls to close that race window.

cc: stable@vger.kernel.org
Fixes: f64122c1

 ("drm: add new QXL driver. (v1.4)")
Signed-off-by: Vasily Averin <vvs@virtuozzo.com>
Link: http://patchwork.freedesktop.org/patch/msgid/fa17b338-66ae-f299-68fe-8d32419d9071@virtuozzo.com
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>

parent 5b5703db

Hide whitespace changes

Inline Side-by-side

mirror @mirror
mentioned in commit 500a886a
· May 06, 2020

mentioned in commit 500a886a

mentioned in commit 500a886a3ac7f4d33638ea5375ef70cc89a5805b

Toggle commit list
mirror @mirror
mentioned in commit 39c4c5c7
· May 06, 2020

mentioned in commit 39c4c5c7

mentioned in commit 39c4c5c7389d298951f497595cfb6ac7f222bb70

Toggle commit list
mirror @mirror
mentioned in commit 0d28ac49
· May 07, 2020

mentioned in commit 0d28ac49

mentioned in commit 0d28ac49eba7426828250799d2e76a1918e4dc2e

Toggle commit list
mirror @mirror
mentioned in commit 6eb95b35
· May 07, 2020

mentioned in commit 6eb95b35

mentioned in commit 6eb95b35fd393f5cd2cc011be8f0568fe4675539

Toggle commit list
mirror @mirror
mentioned in commit 368ffc2a
· May 07, 2020

mentioned in commit 368ffc2a

mentioned in commit 368ffc2a3d136ed3985799d1784c430b4d4af507

Toggle commit list

Please register or to comment