On Mon, May 04, 2020 at 02:38:18PM +0300, Vasily Averin wrote:
From 933db73351d359f74b14f4af095808260aff11f9 Mon Sep 17 00:00:00 2001
From: Vasily Averin vvs@virtuozzo.com Date: Wed, 29 Apr 2020 12:01:24 +0300 Subject: drm/qxl: qxl_release use after free
From: Vasily Averin vvs@virtuozzo.com
commit 933db73351d359f74b14f4af095808260aff11f9 upstream. qxl_release should not be accesses after qxl_push_*_ring_release() calls: userspace driver can process submitted command quickly, move qxl_release into release_ring, generate interrupt and trigger garbage collector.
It can lead to crashes in qxl driver or trigger memory corruption in some kmalloc-192 slab object
Gerd Hoffmann proposes to swap the qxl_release_fence_buffer_objects() + qxl_push_{cursor,command}_ring_release() calls to close that race window.
cc: stable@vger.kernel.org Fixes: f64122c1f6ad ("drm: add new QXL driver. (v1.4)") Signed-off-by: Vasily Averin vvs@virtuozzo.com Link: http://patchwork.freedesktop.org/patch/msgid/fa17b338-66ae-f299-68fe-8d32419... Signed-off-by: Gerd Hoffmann kraxel@redhat.com
backported to v4.14-stable
Now replaced, thanks.
greg k-h