Public bug reported:

I would like to ask you to backport the following patch into the Ubuntu kernels:

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=933db73351d359f74b14f4af095808260aff11f9

This bug silently corrupts memory in kmalloc-192 objects.
We observed several such cases and have a few crashes inside RHEL7/8 VMs with the QXL driver.
During the investigation we found that the problem exists in mainline.

Some details:
The qxl driver inside the guest submits a command with a reference to an allocated struct qxl_release.
The host handles it, moves the related struct qxl_release to the release_ring and triggers an interrupt.
The guest handles the interrupt and forces the garbage collector in the qxl driver, which walks through the release_ring and removes the qxl_release structures.
Then the main thread calls qxl_release_fence_buffer_objects(), which accesses the already freed qxl_release.
The solution is to swap the qxl_release_fence_buffer_objects() + qxl_push_{cursor,command}_ring_release() calls.

I would note that a direct cherry-pick can be incomplete: old kernels can have a few other places where qxl_release_fence_buffer_objects() is called after qxl_push_{cursor,command}_ring_release().
All such places should be fixed; I did it for 4.4, 4.9 and a few other stable kernels.
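Added example, not code from the bug report or the qxl driver: a constructed C model of the ordering described above, with the host and the interrupt-driven garbage collector collapsed into a worst-case step that reclaims a release as soon as it is pushed to the ring. The struct, enum and `submit_*` functions are assumptions for illustration; the two function names mimic the driver's so the swap is easy to see.

```c
#include <stdbool.h>
/* Constructed model of the ordering bug in the report: the names mimic the
 * qxl driver, but this is not the driver's own code. */
enum rel_state { REL_ALLOCATED, REL_PUSHED, REL_FREED };

struct qxl_release { enum rel_state state; bool fenced; };

/* Host consumes the command, raises the interrupt, and the guest's garbage
 * collector frees every release on the ring. Worst-case interleaving: this
 * runs before the submitting thread reaches its next statement. */
static void host_and_gc(struct qxl_release *rel)
{
    if (rel->state == REL_PUSHED)
        rel->state = REL_FREED;   /* stands in for kfree() of the object */
}

static void qxl_push_command_ring_release(struct qxl_release *rel)
{
    rel->state = REL_PUSHED;      /* ownership passes to the release ring */
    host_and_gc(rel);
}

/* Returns 0 on success, -1 if it touched an already-freed release
 * (the use-after-free that corrupts kmalloc-192 in the real driver). */
static int qxl_release_fence_buffer_objects(struct qxl_release *rel)
{
    if (rel->state == REL_FREED)
        return -1;
    rel->fenced = true;
    return 0;
}

/* Ordering before the fix: push, then fence -> fence runs on freed memory. */
int submit_buggy_order(void)
{
    struct qxl_release rel = { .state = REL_ALLOCATED };
    qxl_push_command_ring_release(&rel);
    return qxl_release_fence_buffer_objects(&rel);
}

/* Ordering after the upstream fix: fence, then hand the release to the ring. */
int submit_fixed_order(void)
{
    struct qxl_release rel = { .state = REL_ALLOCATED };
    int ret = qxl_release_fence_buffer_objects(&rel);
    qxl_push_command_ring_release(&rel);
    return ret;
}
```

The invariant the fix restores is that nothing touches a qxl_release after it has been published to the ring; when auditing a backport, every call site where the fence follows the push is a candidate.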

We did not have confirmed cases for Ubuntu inside a VM, however we believe your kernels should be affected too.

** Affects: linux (Ubuntu)
     Importance: Undecided
         Status: Incomplete

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1877070

Title:
  kmalloc-192 slab corruption inside VM with QXL driver

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1877070/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs