git.ipfire.org Git - thirdparty/kernel/stable.git/commit

author	Vasily Averin <vvs@virtuozzo.com>
	Wed, 29 Apr 2020 09:01:24 +0000 (12:01 +0300)
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	Tue, 5 May 2020 17:15:48 +0000 (19:15 +0200)
commit	500a886a3ac7f4d33638ea5375ef70cc89a5805b
tree	e2a32147d119633e6b2cab87c69c96a8b53b051b	tree \| snapshot
parent	1c78ac39f10c375145f872c9a8a7f6e412d21040	commit \| diff

drm/qxl: qxl_release use after free

commit 933db73351d359f74b14f4af095808260aff11f9 upstream.

qxl_release should not be accesses after qxl_push_*_ring_release() calls:
userspace driver can process submitted command quickly, move qxl_release
into release_ring, generate interrupt and trigger garbage collector.

It can lead to crashes in qxl driver or trigger memory corruption
in some kmalloc-192 slab object

Gerd Hoffmann proposes to swap the qxl_release_fence_buffer_objects() +
qxl_push_{cursor,command}_ring_release() calls to close that race window.

cc: stable@vger.kernel.org
Fixes: f64122c1f6ad ("drm: add new QXL driver. (v1.4)")
Signed-off-by: Vasily Averin <vvs@virtuozzo.com>
Link: http://patchwork.freedesktop.org/patch/msgid/fa17b338-66ae-f299-68fe-8d32419d9071@virtuozzo.com
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
[backported to v4.14-stable]
Signed-off-by: Vasily Averin <vvs@virtuozzo.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

drivers/gpu/drm/qxl/qxl_cmd.c		diff \| blob \| blame \| history
drivers/gpu/drm/qxl/qxl_display.c		diff \| blob \| blame \| history
drivers/gpu/drm/qxl/qxl_draw.c		diff \| blob \| blame \| history
drivers/gpu/drm/qxl/qxl_ioctl.c		diff \| blob \| blame \| history