On Wed, Apr 29, 2020 at 12:01:24PM +0300, Vasily Averin wrote: > qxl_release should not be accesses after qxl_push_*_ring_release() calls: > userspace driver can process submitted command quickly, move qxl_release > into release_ring, generate interrupt and trigger garbage collector. > > It can lead to crashes in qxl driver or trigger memory corruption > in some kmalloc-192 slab object > > Gerd Hoffmann proposes to swap the qxl_release_fence_buffer_objects() + > qxl_push_{cursor,command}_ring_release() calls to close that race window. > > cc: stable@xxxxxxxxxxxxxxx > Fixes: f64122c1f6ad ("drm: add new QXL driver. (v1.4)") > Signed-off-by: Vasily Averin <vvs@xxxxxxxxxxxxx> Pushed to drm-misc-fixes. thanks, Gerd _______________________________________________ Virtualization mailing list Virtualization@xxxxxxxxxxxxxxxxxxxxxxxxxx https://lists.linuxfoundation.org/mailman/listinfo/virtualization