Re: [PATCH 4.19] drm/qxl: qxl_release use after free

From: Greg KH <gregkh@linuxfoundation.org>
To: Vasily Averin <vvs@virtuozzo.com>
Cc: stable@vger.kernel.org, Gerd Hoffmann <kraxel@redhat.com>
Subject: Re: [PATCH 4.19] drm/qxl: qxl_release use after free
Date: Mon, 4 May 2020 18:39:16 +0200	[thread overview]
Message-ID: <20200504163916.GB2724164@kroah.com> (raw)
In-Reply-To: <7f93a18b-45de-457d-6901-f6babce1d56a@virtuozzo.com>

On Mon, May 04, 2020 at 02:36:27PM +0300, Vasily Averin wrote:
> >>From 933db73351d359f74b14f4af095808260aff11f9 Mon Sep 17 00:00:00 2001
> From: Vasily Averin <vvs@virtuozzo.com>
> Date: Wed, 29 Apr 2020 12:01:24 +0300
> Subject: drm/qxl: qxl_release use after free
> 
> From: Vasily Averin <vvs@virtuozzo.com>
> 
> commit 933db73351d359f74b14f4af095808260aff11f9 upstream.
> 
> qxl_release should not be accesses after qxl_push_*_ring_release() calls:
> userspace driver can process submitted command quickly, move qxl_release
> into release_ring, generate interrupt and trigger garbage collector.
> 
> It can lead to crashes in qxl driver or trigger memory corruption
> in some kmalloc-192 slab object
> 
> Gerd Hoffmann proposes to swap the qxl_release_fence_buffer_objects() +
> qxl_push_{cursor,command}_ring_release() calls to close that race window.
> 
> cc: stable@vger.kernel.org
> Fixes: f64122c1f6ad ("drm: add new QXL driver. (v1.4)")
> Signed-off-by: Vasily Averin <vvs@virtuozzo.com>
> Link: http://patchwork.freedesktop.org/patch/msgid/fa17b338-66ae-f299-68fe-8d32419d9071@virtuozzo.com
> Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
> 
> backported to v.4.19 stable

Now replaced, thansk.

greg k-h