Re: [PATCH RFC v1]display: fix heap use after free in cursor

qemu-devel

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [PATCH RFC v1]display: fix heap use after free in cursor_put

From:	Marc-André Lureau
Subject:	Re: [PATCH RFC v1]display: fix heap use after free in cursor_put
Date:	Wed, 10 Apr 2024 17:24:35 +0400

Hi

On Wed, Apr 10, 2024 at 2:06 PM ゞlym <707242047@qq.com> wrote:
>
>

Please send the patch as inline:
https://www.qemu.org/docs/master/devel/submitting-a-patch.html#do-not-send-as-an-attachment

The patch is doing too much changes to the ssd.lock usage without
explaining in detail which race and how it solved it.

In particular, ui/spice-display.c usage seems safer before your
change, since it takes the lock on display_refresh and
display_mouse_define. It properly temporarily releases the lock before
calling the dpy_mouse_set() and dpy_cursor_define() as well.

To me, it looks like the only offender is qxl_spice_reset_cursor(),
which lacks locking before unrefing.

Could you confirm this hypothesis if you are able to reproduce the issue?

thanks

[Prev in Thread]

Current Thread

[Next in Thread]

[PATCH RFC v1]display: fix heap use after free in cursor_put, ?glym, 2024/04/10
- Re: [PATCH RFC v1]display: fix heap use after free in cursor_put, Marc-André Lureau <=
  - ?????? [PATCH RFC v1]display: fix heap use after free in cursor_put, ?glym, 2024/04/10

Prev by Date: Re: [PATCH 4/4] tests/qtest/migration: Add postcopy migration qtests to use 'channels' argument instead of uri
Next by Date: Re: [PULL v2 00/20] misc patch queue
Previous by thread: [PATCH RFC v1]display: fix heap use after free in cursor_put
Next by thread: ?????? [PATCH RFC v1]display: fix heap use after free in cursor_put
Index(es):
- Date
- Thread