[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Bug 1888606] [NEW] Heap-use-after-free in virtio_gpu_ctrl_response
|
From: |
Gerd Hoffmann |
|
Subject: |
Re: [Bug 1888606] [NEW] Heap-use-after-free in virtio_gpu_ctrl_response |
|
Date: |
Mon, 3 Aug 2020 08:56:04 +0200 |
Hi,
> > The ASAN trace:
> > ==29798==ERROR: AddressSanitizer: heap-use-after-free on address
> > 0x60d0000050e8 at pc 0x560629814761 bp 0x7ffe916eb1e0 sp 0x7ffe916eb1d8
> > READ of size 8 at 0x60d0000050e8 thread T0
> > #0 0x560629814760 in virtio_gpu_ctrl_response
> > /home/alxndr/Development/qemu/hw/display/virtio-gpu.c:181:42
> > #4 0x56062a8f1c96 in aio_bh_poll
> > /home/alxndr/Development/qemu/util/async.c:164:13
> > #1 0x560629827730 in virtio_gpu_reset
> > /home/alxndr/Development/qemu/hw/display/virtio-gpu.c:1160:9
So it looks like the bottom half accesses stuff released by reset.
Guess the reset should cancel any scheduled bh calls to avoid that ...
Does the patch below help?
thanks,
Gerd
diff --git a/hw/display/virtio-gpu.c b/hw/display/virtio-gpu.c
index 5f0dd7c15002..18f0011b5a0a 100644
--- a/hw/display/virtio-gpu.c
+++ b/hw/display/virtio-gpu.c
@@ -1144,6 +1144,9 @@ static void virtio_gpu_reset(VirtIODevice *vdev)
struct virtio_gpu_simple_resource *res, *tmp;
struct virtio_gpu_ctrl_command *cmd;
+ qemu_bh_cancel(g->ctrl_bh);
+ qemu_bh_cancel(g->cursor_bh);
+
#ifdef CONFIG_VIRGL
if (g->parent_obj.use_virgl_renderer) {
virtio_gpu_virgl_reset(g);
- Re: [Bug 1888606] [NEW] Heap-use-after-free in virtio_gpu_ctrl_response,
Gerd Hoffmann <=