Public bug reported: I would like to ask to backport the following patch into Ubuntu kernels:
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=933db73351d359f74b14f4af095808260aff11f9

This bug silently corrupts memory in kmalloc-192 objects. We observed several such cases and have a few crashes inside RHEL7/8 VMs with the QXL driver. During the investigation we found that the problem exists in mainline.

Some details: the qxl driver inside the guest submits a command with a reference to an allocated struct qxl_release. The host handles it, moves the related struct qxl_release to the release_ring and triggers an interrupt. The guest handles the interrupt and forces the garbage collector in the qxl driver, which walks through the release_ring and removes qxl_release structures. Then the main thread calls qxl_release_fence_buffer_objects(), which accesses the already freed qxl_release.

The solution is to swap the qxl_release_fence_buffer_objects() + qxl_push_{cursor,command}_ring_release() calls.

I would note that a direct cherry-pick can be incomplete: old kernels can have a few other places where qxl_release_fence_buffer_objects() is called after qxl_push_{cursor,command}_ring_release(). All such places should be fixed; I did it for 4.4, 4.9 and a few other stable kernels.

We did not have confirmed cases for Ubuntu inside a VM, however we believe your kernels should be affected too.

** Affects: linux (Ubuntu)
Importance: Undecided
Status: Incomplete

https://bugs.launchpad.net/bugs/1877070
Title: kmalloc-192 slab corruption inside VM with QXL driver
Status in linux package in Ubuntu: Incomplete
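The ownership hand-off the report describes, as an added user-space model that is not the qxl driver's code and not part of the bug report: once a release has been pushed to the host it may be handed back through the release_ring and freed by the interrupt-driven garbage collector at any time, so every guest-side access to it (the fence attach) has to happen before the push. The model collapses the real race window by running the host and the GC synchronously inside the push, which makes the use-after-free deterministic instead of timing-dependent; the names `release`, `push_ring_release`, `fence_buffer_objects`, `submit_buggy` and `submit_fixed` are assumptions standing in for the driver's own functions, and the `freed` flag stands in for kfree() of the kmalloc-192 object.

```c
/* Model of the qxl_release ordering bug (constructed example, not driver code). */
#include <stdbool.h>
#include <stdio.h>

struct release {            /* stands in for struct qxl_release */
    int id;
    int fenced_bos;         /* buffer objects that have had the fence attached */
    bool freed;             /* set by the GC; any access after this is a use-after-free */
};

#define RING_SIZE 8
static struct release *release_ring[RING_SIZE];   /* stands in for the qxl release_ring */
static int ring_head, ring_tail;
static int uaf_count;                             /* accesses observed after free */

/* Guest irq path: the garbage collector walks the release_ring and frees each entry.
   In the real driver this is asynchronous; here it runs synchronously to force the race. */
static void gc_walk_release_ring(void)
{
    while (ring_tail != ring_head) {
        struct release *r = release_ring[ring_tail++ % RING_SIZE];
        r->freed = true;    /* models kfree() of the kmalloc-192 object */
    }
}

/* Host side: consumes the command, puts the release on release_ring, raises the irq. */
static void host_process_and_irq(struct release *r)
{
    release_ring[ring_head++ % RING_SIZE] = r;
    gc_walk_release_ring();
}

/* Stands in for qxl_push_{cursor,command}_ring_release(): ownership leaves the guest here. */
static void push_ring_release(struct release *r)
{
    host_process_and_irq(r);
}

/* Stands in for qxl_release_fence_buffer_objects(): writes into the release. */
static void fence_buffer_objects(struct release *r)
{
    if (r->freed) {         /* would be a write into freed slab memory */
        uaf_count++;
        return;
    }
    r->fenced_bos++;
}

/* Buggy order: push first, then fence. Returns the number of UAF accesses (expected 1). */
int submit_buggy(struct release *r)
{
    int before = uaf_count;
    push_ring_release(r);
    fence_buffer_objects(r);
    return uaf_count - before;
}

/* Fixed order (the swap from the referenced commit): fence, then push. Returns 0. */
int submit_fixed(struct release *r)
{
    int before = uaf_count;
    fence_buffer_objects(r);
    push_ring_release(r);
    return uaf_count - before;
}

int main(void)
{
    struct release a = { .id = 1 }, b = { .id = 2 };
    printf("buggy order: %d use-after-free access(es)\n", submit_buggy(&a));
    printf("fixed order: %d use-after-free access(es), %d bo(s) fenced\n",
           submit_fixed(&b), b.fenced_bos);
    return 0;
}
```

When auditing a backport, the check this model suggests is mechanical: in every submit path, confirm that no access to the release (the fence attach included) follows the push call, since the report notes that older kernels have more than the one call site the upstream commit touches.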