linux/drivers/gpu/drm/qxl
Vasily Averin 933db73351 drm/qxl: qxl_release use after free
qxl_release should not be accessed after qxl_push_*_ring_release() calls:
userspace driver can process submitted command quickly, move qxl_release
into release_ring, generate interrupt and trigger garbage collector.

It can lead to crashes in qxl driver or trigger memory corruption
in some kmalloc-192 slab object

Gerd Hoffmann proposes to swap the qxl_release_fence_buffer_objects() +
qxl_push_{cursor,command}_ring_release() calls to close that race window.

cc: stable@vger.kernel.org
Fixes: f64122c1f6 ("drm: add new QXL driver. (v1.4)")
Signed-off-by: Vasily Averin <vvs@virtuozzo.com>
Link: http://patchwork.freedesktop.org/patch/msgid/fa17b338-66ae-f299-68fe-8d32419d9071@virtuozzo.com
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2020-04-29 13:21:34 +02:00
..
Kconfig drm/qxl: Fix randbuild error 2019-10-17 14:31:50 +02:00
Makefile treewide: Add SPDX license identifier - Makefile/Kconfig 2019-05-21 10:50:46 +02:00
qxl_cmd.c drm/qxl: qxl_release use after free 2020-04-29 13:21:34 +02:00
qxl_debugfs.c dma-buf: rename reservation_object to dma_resv 2019-08-13 09:09:30 +02:00
qxl_dev.h drm/qxl: Remove exceding whiteline 2018-10-30 07:19:59 +01:00
qxl_display.c drm/qxl: qxl_release use after free 2020-04-29 13:21:34 +02:00
qxl_draw.c drm/qxl: qxl_release use after free 2020-04-29 13:21:34 +02:00
qxl_drv.c drm/qxl: add drm_driver.release callback. 2020-02-11 11:45:51 +01:00
qxl_drv.h drm/qxl: stop using TTM to call driver internal functions 2019-10-25 11:40:51 +02:00
qxl_dumb.c drm/qxl: use QXL_GEM_DOMAIN_SURFACE for dumb gem objects 2019-01-28 14:24:53 +01:00
qxl_gem.c drm/qxl: use embedded gem object 2019-08-06 08:21:54 +02:00
qxl_image.c drm/qxl: lost qxl_bo_kunmap_atomic_page in qxl_image_init_helper() 2020-04-29 13:21:34 +02:00
qxl_ioctl.c drm/qxl: qxl_release use after free 2020-04-29 13:21:34 +02:00
qxl_irq.c drm/qxl: drop use of drmP.h 2019-07-15 18:11:30 +02:00
qxl_kms.c drm/qxl: reorder calls in qxl_device_fini(). 2020-02-11 11:45:51 +01:00
qxl_object.c drm/qxl: stop using TTM to call driver internal functions 2019-10-25 11:40:51 +02:00
qxl_object.h drm/ttm: use gem vma_node 2019-08-06 08:21:54 +02:00
qxl_prime.c drm/qxl: drop WARN_ONCE() 2019-05-27 13:17:03 +02:00
qxl_release.c drm/ttm: remove pointers to globals 2019-10-25 11:40:51 +02:00
qxl_ttm.c drm/ttm: nuke invalidate_caches callback 2020-01-16 16:35:07 +01:00