From: "Marc-André Lureau" <marcandre.lureau@redhat.com>
To: ゞlym <707242047@qq.com>
Cc: qemu-devel <qemu-devel@nongnu.org>, kraxel <kraxel@redhat.com>
Subject: Re: [PATCH RFC v1]display: fix heap use after free in cursor_put
Date: Wed, 10 Apr 2024 17:24:35 +0400	[thread overview]
Message-ID: <CAMxuvazoMKnhU8bcSnON2daO7Am4h4oTYrvPjgRhKL8uUCzTFA@mail.gmail.com> (raw)
In-Reply-To: <tencent_BE1012EC266132443B1FA040EF8A60D1EC0A@qq.com>

Hi

On Wed, Apr 10, 2024 at 2:06 PM ゞlym <707242047@qq.com> wrote:
>
>

Please send the patch as inline:
https://www.qemu.org/docs/master/devel/submitting-a-patch.html#do-not-send-as-an-attachment

The patch makes too many changes to the ssd.lock usage without
explaining in detail which race it addresses and how it solves it.

In particular, ui/spice-display.c usage seems safer before your
change, since it takes the lock on display_refresh and
display_mouse_define. It properly temporarily releases the lock before
calling the dpy_mouse_set() and dpy_cursor_define() as well.

To me, it looks like the only offender is qxl_spice_reset_cursor(),
which lacks locking before unrefing.

Could you confirm this hypothesis if you are able to reproduce the issue?

thanks
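As an added illustration (example code, not part of this mail, of the patch under review, or of QEMU's ui/spice-display.c or qxl code): a minimal reference-counted cursor model in C showing the lock discipline the reply describes, namely dropping references only under the display lock, releasing the lock around the consumer callback while holding a private reference, and how a reset that unrefs without the lock is caught. All names (Display, Cursor, cursor_put, display_mouse_define, reset_cursor_locked/unlocked, cursor_define_cb) are constructed for this example, and the lock-held probe via pthread_mutex_trylock is a debugging aid for the demo, not a QEMU mechanism.

```c
#include <pthread.h>
#include <stdlib.h>

/* Minimal reference-counted cursor, constructed for this example.
 * It is not QEMU's QEMUCursor; only the get/put discipline is modelled. */
typedef struct Cursor {
    int refcount;
} Cursor;

/* Display state. The mutex plays the role the mail assigns to ssd.lock:
 * it guards the cursor pointer and every refcount drop on it. */
typedef struct Display {
    pthread_mutex_t lock;   /* default (non-recursive) mutex */
    Cursor *cursor;         /* owned reference, guarded by lock */
    int callback_calls;     /* how often the consumer callback ran */
    int unlocked_puts;      /* refcount drops observed without the lock */
} Display;

static Cursor *cursor_new(void)
{
    Cursor *c = calloc(1, sizeof(*c));
    c->refcount = 1;        /* creator's reference */
    return c;
}

static Cursor *cursor_get(Cursor *c)
{
    if (c) c->refcount++;
    return c;
}

/* Drop one reference; free on zero. Before touching the count we probe the
 * lock: trylock on a mutex that is already held (by any thread) returns
 * EBUSY, so a successful trylock means nobody held it and the caller broke
 * the rule. This probe is a demo aid; a real cursor_put has no such check. */
static void cursor_put(Display *d, Cursor *c)
{
    if (!c) return;
    if (pthread_mutex_trylock(&d->lock) == 0) {
        d->unlocked_puts++;             /* discipline violation recorded */
        pthread_mutex_unlock(&d->lock);
    }
    if (--c->refcount == 0) free(c);
}

/* Consumer callback standing in for dpy_cursor_define(): it may re-enter
 * display code, so it must run with the lock released. */
static void cursor_define_cb(Display *d, Cursor *c)
{
    (void)c;
    d->callback_calls++;
}

/* Safe pattern described in the mail: install the cursor under the lock,
 * keep a private reference, release the lock around the callback, then
 * drop the private reference under the lock again. */
static void display_mouse_define(Display *d, Cursor *c)
{
    pthread_mutex_lock(&d->lock);
    cursor_put(d, d->cursor);           /* drop the previous cursor, if any */
    d->cursor = cursor_get(c);
    Cursor *mine = cursor_get(c);       /* stays alive across the callback */
    pthread_mutex_unlock(&d->lock);

    cursor_define_cb(d, mine);          /* lock released here on purpose */

    pthread_mutex_lock(&d->lock);
    cursor_put(d, mine);
    pthread_mutex_unlock(&d->lock);
}

/* Shape of the suspected defect: dropping the display's reference with no
 * lock held, so a concurrent refresh can observe a cursor mid-free. */
static void reset_cursor_unlocked(Display *d)
{
    cursor_put(d, d->cursor);
    d->cursor = NULL;
}

/* The corrected form: the same reset, serialised under the display lock. */
static void reset_cursor_locked(Display *d)
{
    pthread_mutex_lock(&d->lock);
    cursor_put(d, d->cursor);
    d->cursor = NULL;
    pthread_mutex_unlock(&d->lock);
}

/* Drive one define-then-reset scenario and return the number of refcount
 * drops seen without the lock: 0 means the discipline held throughout. */
static int run_scenario(int use_locked_reset)
{
    Display d = { .cursor = NULL, .callback_calls = 0, .unlocked_puts = 0 };
    pthread_mutex_init(&d.lock, NULL);
    Cursor *c = cursor_new();

    display_mouse_define(&d, c);        /* refcount: creator + display = 2 */
    if (use_locked_reset) reset_cursor_locked(&d);
    else reset_cursor_unlocked(&d);

    pthread_mutex_lock(&d.lock);
    cursor_put(&d, c);                  /* creator drops the last reference */
    pthread_mutex_unlock(&d.lock);
    pthread_mutex_destroy(&d.lock);
    return d.unlocked_puts;
}

/* Refcount held right after a define: the creator's plus the display's. */
static int refcount_after_define(void)
{
    Display d = { .cursor = NULL, .callback_calls = 0, .unlocked_puts = 0 };
    pthread_mutex_init(&d.lock, NULL);
    Cursor *c = cursor_new();
    display_mouse_define(&d, c);
    int n = d.cursor->refcount;
    reset_cursor_locked(&d);
    pthread_mutex_lock(&d.lock);
    cursor_put(&d, c);
    pthread_mutex_unlock(&d.lock);
    pthread_mutex_destroy(&d.lock);
    return n;
}
```

Running run_scenario(1) reports no unlocked drops, while run_scenario(0) reports exactly one, coming from the reset that bypasses the lock; the private reference taken in display_mouse_define is what keeps the callback safe even if a reset runs on another thread while the lock is released.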



Thread overview (2+ messages):
     [not found] <tencent_BE1012EC266132443B1FA040EF8A60D1EC0A@qq.com>
2024-04-10 13:24 ` Marc-André Lureau [this message]
2024-04-11  1:55   ` Reply: [PATCH RFC v1]display: fix heap use after free in cursor_put (ゞlym)