kernel-fxtec-pro1x/drivers/gpu/drm/qxl
Vasily Averin 0d28ac49eb drm/qxl: qxl_release use after free
commit 933db73351d359f74b14f4af095808260aff11f9 upstream.

qxl_release should not be accesses after qxl_push_*_ring_release() calls:
userspace driver can process submitted command quickly, move qxl_release
into release_ring, generate interrupt and trigger garbage collector.

It can lead to crashes in qxl driver or trigger memory corruption
in some kmalloc-192 slab object

Gerd Hoffmann proposes to swap the qxl_release_fence_buffer_objects() +
qxl_push_{cursor,command}_ring_release() calls to close that race window.

cc: stable@vger.kernel.org
Fixes: f64122c1f6 ("drm: add new QXL driver. (v1.4)")
Signed-off-by: Vasily Averin <vvs@virtuozzo.com>
Link: http://patchwork.freedesktop.org/patch/msgid/fa17b338-66ae-f299-68fe-8d32419d9071@virtuozzo.com
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
[backported to v.4.19 stable]
Signed-off-by: Vasily Averin <vvs@virtuozzo.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2020-05-06 08:13:27 +02:00
..
Kconfig
Makefile
qxl_cmd.c drm/qxl: qxl_release use after free 2020-05-06 08:13:27 +02:00
qxl_debugfs.c
qxl_dev.h
qxl_display.c drm/qxl: qxl_release use after free 2020-05-06 08:13:27 +02:00
qxl_draw.c drm/qxl: qxl_release use after free 2020-05-06 08:13:27 +02:00
qxl_drv.c
qxl_drv.h
qxl_dumb.c
qxl_fb.c
qxl_gem.c
qxl_image.c
qxl_ioctl.c drm/qxl: qxl_release use after free 2020-05-06 08:13:27 +02:00
qxl_irq.c
qxl_kms.c
qxl_object.c
qxl_object.h
qxl_prime.c
qxl_release.c
qxl_ttm.c