0d28ac49eb
commit 933db73351d359f74b14f4af095808260aff11f9 upstream.
qxl_release should not be accessed after qxl_push_*_ring_release() calls:
the userspace driver can process the submitted command quickly, move qxl_release
into release_ring, generate an interrupt and trigger the garbage collector.
It can lead to crashes in the qxl driver or trigger memory corruption
in some kmalloc-192 slab object.
Gerd Hoffmann proposes to swap the qxl_release_fence_buffer_objects() +
qxl_push_{cursor,command}_ring_release() calls to close that race window.
cc: stable@vger.kernel.org
Fixes: