[Expired for linux (Ubuntu) because there has been no activity for 60
days.]

** Changed in: linux (Ubuntu)
       Status: Incomplete => Expired

https://bugs.launchpad.net/bugs/1877070

Title:
  kmalloc-192 slab corruption inside VM with QXL driver

Status in linux package in Ubuntu:
  Expired

Bug description:
  I would like to ask for the following patch to be backported into Ubuntu kernels:

  https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=933db73351d359f74b14f4af095808260aff11f9

  This bug silently corrupts memory in kmalloc-192 objects.
  We observed several such cases and have a few crashes inside RHEL7/8 VMs with the QXL driver.
  During investigation we found that the problem exists in mainline.

  Some details:
  The qxl driver inside the guest submits a command with a reference to an allocated struct qxl_release.
  The host handles it, moves the related struct qxl_release to release_ring and triggers an interrupt.
  The guest handles the interrupt and forces the garbage collector in the qxl driver,
  which walks through release_ring and removes qxl_release structures.
  Then the main thread calls qxl_release_fence_buffer_objects(), which accesses the already freed qxl_release.
  The solution is to swap the qxl_release_fence_buffer_objects() +
  qxl_push_{cursor,command}_ring_release() calls.

  I would note -- a direct cherry-pick can be incomplete:
  old kernels can have a few other places where
  qxl_release_fence_buffer_objects() is called after
  qxl_push_{cursor,command}_ring_release().
  All such places should be fixed; I did it for 4.4, 4.9 and a few other stable kernels.

  We did not have confirmed cases for Ubuntu inside a VM,
  however we believe your kernels should be affected too.
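
The description notes that older kernels can have other places where the fence call follows the ring push. A triage script for auditing a backport, added here as an example (not from the bug report or the kernel tree): it flags functions where qxl_release_fence_buffer_objects() textually follows qxl_push_{cursor,command}_ring_release(). The sample C source, its example_* function names and abbreviated call arguments are constructed, and the brace-in-column-0 parsing is an assumed heuristic for kernel coding style.

```python
import re

# Call names are the ones named in the bug description.
PUSH = re.compile(r"\bqxl_push_(?:cursor|command)_ring_release\s*\(")
FENCE = re.compile(r"\bqxl_release_fence_buffer_objects\s*\(")
CALLABLE = re.compile(r"(\w+)\s*\(")
COMMENT = re.compile(r"/\*.*?\*/|//.*")

# Constructed sample, not kernel code: one function in the old (unsafe)
# order and one in the fixed order. Call arguments are abbreviated.
SAMPLE = """\
static void example_old_order(struct qxl_device *qdev, struct qxl_release *release)
{
\tqxl_push_command_ring_release(qdev, release);
\tqxl_release_fence_buffer_objects(release);
}

static void example_fixed_order(struct qxl_device *qdev, struct qxl_release *release)
{
\tqxl_release_fence_buffer_objects(release);
\tqxl_push_cursor_ring_release(qdev, release);
}
"""

def find_fence_after_push(source):
    """Return (function, push_line, fence_line) for each fence call that
    follows a ring push in the same function body. Line order only
    approximates control flow, so every hit needs manual review."""
    findings, header, name, push_line = [], "", None, None
    for number, line in enumerate(source.splitlines(), start=1):
        code = COMMENT.sub("", line)
        if name is None:                      # outside any function body
            if code.startswith("{"):          # body opens in column 0
                match = CALLABLE.search(header)
                name, push_line = (match.group(1) if match else "?"), None
            elif not code.strip() or code.rstrip().endswith((";", "}")):
                header = ""                   # declaration or gap: reset
            else:
                header += code                # collect the signature lines
        elif code.startswith("}"):            # body closes in column 0
            name, header = None, ""
        elif PUSH.search(code) and push_line is None:
            push_line = number                # release is now visible to the host
        elif FENCE.search(code) and push_line is not None:
            findings.append((name, push_line, number))
    return findings

if __name__ == "__main__":
    print(find_fence_after_push(SAMPLE))
```

To audit a tree, pass the contents of each file under the qxl driver directory to find_fence_after_push() and review every reported function by hand.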
