| field | value | date |
|---|---|---|
| author | Gerd Hoffmann <kraxel@redhat.com> | 2020-07-13 14:45:20 +0200 |
| committer | Gerd Hoffmann <kraxel@redhat.com> | 2020-07-16 10:20:12 +0200 |
| commit | 8ec1415935ff4214ef9b47448ff7ac52cfa8b77e (patch) | |
| tree | 0cc177b05ebaa1f5f028487639f51c050030e2e8 /hw/vfio/display.c | |
| parent | 8746309137ba470d1b2e8f5ce86ac228625db940 (diff) | |
vfio: fix use-after-free in display
Calling ramfb_display_update() might replace the DisplaySurface with the
boot display, which in turn will free the currently active
DisplaySurface.
So clear our DisplaySurface pointer (dpy->region.surface pointer) to (a)
avoid use-after-free and (b) force replacing the boot display with the
real display when switching back.
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Reviewed-by: Alex Williamson <alex.williamson@redhat.com>
Acked-by: Alex Williamson <alex.williamson@redhat.com>
Message-id: 20200713124520.23266-1-kraxel@redhat.com
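The ownership problem the commit message describes, as an added example that is not QEMU code: a device display caches a pointer to a surface that the console owns, a boot-display update makes the console free that surface, and the cached pointer becomes dangling. The names QemuConsole, VFIODisplay, console_replace_surface, ramfb_update and region_update are stand-ins written for this example (they mirror the shape of the real code only loosely), and a fixed pool with a `freed` flag replaces malloc()/free() so the stale pointer can be inspected without undefined behaviour. `region_update(..., apply_fix)` runs the plane-present / plane-gone / plane-back sequence with and without the one-line fix.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

#define POOL_SIZE 8

typedef struct DisplaySurface {
    int width, height;
    bool in_use;   /* slot handed out by surface_new() */
    bool freed;    /* released by the console; using it afterwards is a use-after-free */
} DisplaySurface;

/* Assumed stand-in for malloc()/free(): freed slots are marked, not reused,
 * so a dangling pointer can be detected instead of dereferencing freed memory. */
static DisplaySurface pool[POOL_SIZE];

static void pool_reset(void)
{
    for (int i = 0; i < POOL_SIZE; i++) {
        pool[i] = (DisplaySurface){ 0 };
    }
}

static DisplaySurface *surface_new(int w, int h)
{
    for (int i = 0; i < POOL_SIZE; i++) {
        if (!pool[i].in_use) {
            pool[i] = (DisplaySurface){ .width = w, .height = h, .in_use = true };
            return &pool[i];
        }
    }
    return NULL;
}

static void surface_free(DisplaySurface *s)
{
    if (s) {
        s->freed = true;
    }
}

typedef struct QemuConsole {
    DisplaySurface *surface;   /* the console owns the active surface */
} QemuConsole;

/* Assumed model of replacing the console surface: the previous surface is
 * freed and the console takes ownership of the new one. */
static void console_replace_surface(QemuConsole *con, DisplaySurface *s)
{
    surface_free(con->surface);
    con->surface = s;
}

typedef struct VFIODisplay {
    QemuConsole *con;
    bool ramfb;                        /* a boot display is configured */
    struct {
        DisplaySurface *surface;       /* cached pointer; the console owns the object */
        int width, height;
    } region;
} VFIODisplay;

/* Boot-display update: installs the ramfb surface, freeing whatever was shown. */
static void ramfb_update(VFIODisplay *dpy)
{
    console_replace_surface(dpy->con, surface_new(640, 480));
}

/* Shape of the region update: plane_w == 0 means the guest has no plane.
 * apply_fix selects the behaviour with or without the patch's added line. */
static void region_update(VFIODisplay *dpy, int plane_w, int plane_h, bool apply_fix)
{
    if (plane_w == 0 || plane_h == 0) {
        if (dpy->ramfb) {
            ramfb_update(dpy);               /* frees the object region.surface points to */
            if (apply_fix) {
                dpy->region.surface = NULL;  /* the patch's added line */
            }
        }
        return;
    }
    /* Guest plane present: build the real surface only if none is cached or
     * the geometry changed; otherwise the cached pointer is reused as-is. */
    if (!dpy->region.surface ||
        dpy->region.width != plane_w || dpy->region.height != plane_h) {
        dpy->region.surface = surface_new(plane_w, plane_h);
        dpy->region.width = plane_w;
        dpy->region.height = plane_h;
        console_replace_surface(dpy->con, dpy->region.surface);
    }
}

typedef struct Outcome {
    bool stale_surface;       /* cached pointer refers to a freed surface */
    bool real_display_shown;  /* console shows our surface, not the boot display */
} Outcome;

/* Guest plane up -> plane gone (boot display shown) -> plane back. */
static Outcome run_scenario(bool apply_fix)
{
    pool_reset();
    QemuConsole con = { 0 };
    VFIODisplay dpy = { .con = &con, .ramfb = true };

    region_update(&dpy, 1024, 768, apply_fix);
    region_update(&dpy, 0, 0, apply_fix);
    region_update(&dpy, 1024, 768, apply_fix);

    Outcome o;
    o.stale_surface = dpy.region.surface && dpy.region.surface->freed;
    o.real_display_shown = dpy.region.surface && dpy.region.surface == con.surface;
    return o;
}

int main(void)
{
    Outcome bug = run_scenario(false), fix = run_scenario(true);
    printf("without patch: stale=%d real_display=%d\n", bug.stale_surface, bug.real_display_shown);
    printf("with patch:    stale=%d real_display=%d\n", fix.stale_surface, fix.real_display_shown);
    return 0;
}
```

Without the fix the third update sees a non-NULL pointer with unchanged geometry and keeps using a surface the console already released, and the console is still showing the boot display; with the pointer cleared, the plane-present path allocates a fresh surface and hands it to the console, which is the "force replacing the boot display with the real display" half of the commit message.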
Diffstat (limited to 'hw/vfio/display.c')
-rw-r--r-- | hw/vfio/display.c | 1 |
1 files changed, 1 insertions, 0 deletions
diff --git a/hw/vfio/display.c b/hw/vfio/display.c index a57a226..3420541 100644 --- a/hw/vfio/display.c +++ b/hw/vfio/display.c @@ -405,6 +405,7 @@ static void vfio_display_region_update(void *opaque) if (!plane.drm_format || !plane.size) { if (dpy->ramfb) { ramfb_display_update(dpy->con, dpy->ramfb); + dpy->region.surface = NULL; } return; } |
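Review bot: the added `dpy->region.surface = NULL;` right after `ramfb_display_update(dpy->con, dpy->ramfb);` wants a one-line comment in the code, because on its own it reads like an allocation being dropped rather than the release of a pointer the console has already freed. The reason currently lives only in the commit message: ramfb_display_update() replaces the console's DisplaySurface and frees the previous one, so the cached pointer is dangling, and clearing it also makes the plane-present path below rebuild the real surface instead of reusing the boot display on switch-back. Something like `/* ramfb replaced (and freed) our surface; forget it so it is recreated */` would carry that into the source. Also worth confirming that any other code dereferencing dpy->region.surface tolerates NULL, since after this change the pointer can be NULL following a successful update rather than only before the first one.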