On 10/1/25 16:13, Nirmoy Das wrote:
...
>> struct virtio_gpu_vbuffer;
>> struct virtio_gpu_device;
>> @@ -265,6 +271,7 @@ struct virtio_gpu_device {
>> struct work_struct obj_free_work;
>> spinlock_t obj_free_lock;
>> struct list_head obj_free_list;
>> + struct list_head obj_restore;
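Review bot: the new `obj_restore` list head is added with no lock to protect it, unlike the neighbouring `obj_free_list`, which sits next to `obj_free_lock`. A list that is appended to and walked from different contexts needs a spinlock (or the hunk should state which existing lock covers it); suggest adding a `spinlock_t obj_restore_lock;` beside it, or a comment naming the lock that serialises the add/del helpers, and taking that lock in them.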
>
> I am not very familiar with the code but I am curious, do we not need a lock
> to keep the list the same?
There should be a lock to protect the list.
...
>> void virtio_gpu_cleanup_object(struct virtio_gpu_object *bo)
>> {
>> struct virtio_gpu_device *vgdev = bo->base.base.dev->dev_private;
>> @@ -84,6 +116,7 @@ void virtio_gpu_cleanup_object(struct
>> virtio_gpu_object *bo)
>> drm_gem_object_release(&bo->base.base);
>> kfree(bo);
>> }
>> + virtio_gpu_object_del_restore_list(vgdev, bo);
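Review bot: `virtio_gpu_object_del_restore_list(vgdev, bo)` is called after `kfree(bo)` in `virtio_gpu_cleanup_object()`, so the helper dereferences a freed `bo` to unlink it, a use-after-free. Move the call to before the object is released and freed, i.e. before `drm_gem_object_release(&bo->base.base);`, so the list entry is removed while `bo` is still valid.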
>
> Is there a possibility to hitting use after free here ? I see kfree(bo)
> before this.
It's a UAF bug here. Thanks for the review.
--
Best regards,
Dmitry