[PATCH] drm/qxl: qxl_release use after free

2020-04-30 Thread Vasily Averin
qxl_release should not be accessed after qxl_push_*_ring_release() calls: userspace driver can process submitted command quickly, move qxl_release into release_ring, generate interrupt and trigger garbage collector.

It can lead to crashes in qxl driver or trigger memory corruption in some

Re: [PATCH] drm/qxl: qxl_release use after free

2020-04-29 Thread Gerd Hoffmann
On Wed, Apr 29, 2020 at 12:01:24PM +0300, Vasily Averin wrote:
> qxl_release should not be accessed after qxl_push_*_ring_release() calls:
> userspace driver can process submitted command quickly, move qxl_release
> into release_ring, generate interrupt and trigger garbage collector.
>
> It can