From 0e56a72f96c16d240093036491e421bfe94d1db5 Mon Sep 17 00:00:00 2001 From: luowei Date: Thu, 13 Nov 2025 16:39:59 +0800 Subject: [PATCH] =?UTF-8?q?cursor:heap-use-after-free=20in=20cursor=5Fput?= =?UTF-8?q?=20functions=20Spice=20=E7=BA=BF=E7=A8=8B=E4=BC=9A=E8=AE=BF?= =?UTF-8?q?=E9=97=AE=20cursor=E6=A8=A1=E5=9D=97=EF=BC=8C=E7=9B=B8=E5=85=B3?= =?UTF-8?q?=E5=86=85=E5=AD=98=E5=8F=AF=E8=83=BD=E8=A2=AB=E4=B8=BB=E7=BA=BF?= =?UTF-8?q?=20vnc=5Fdpy=5Fcursor=5Fdefine=20=E9=87=8A=E6=94=BE=20vnc=5Fdpy?= =?UTF-8?q?=5Fcursor=5Fdefine=E5=92=8Cqxl=5Fspice=5Freset=5Fcursor?= =?UTF-8?q?=E5=87=BD=E6=95=B0=E6=B2=A1=E6=9C=89=E5=8A=A0=E9=94=81?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- hw/display/qxl.c | 2 ++ ui/spice-display.c | 4 ---- 2 files changed, 2 insertions(+), 4 deletions(-) diff --git a/hw/display/qxl.c b/hw/display/qxl.c index 7178dec85d..bf7b8ac008 100644 --- a/hw/display/qxl.c +++ b/hw/display/qxl.c @@ -296,11 +296,13 @@ void qxl_spice_reset_cursor(PCIQXLDevice *qxl) trace_qxl_spice_reset_cursor(qxl->id); spice_qxl_reset_cursor(&qxl->ssd.qxl); qemu_mutex_lock(&qxl->track_lock); + qemu_mutex_lock(&qxl->ssd.lock); qxl->guest_cursor = 0; qemu_mutex_unlock(&qxl->track_lock); if (qxl->ssd.cursor) { cursor_unref(qxl->ssd.cursor); } + qemu_mutex_unlock(&qxl->ssd.lock); qxl->ssd.cursor = cursor_builtin_hidden(); } diff --git a/ui/spice-display.c b/ui/spice-display.c index 6eb98a5a5c..a254d49935 100644 --- a/ui/spice-display.c +++ b/ui/spice-display.c @@ -462,9 +462,7 @@ void qemu_spice_cursor_refresh_bh(void *opaque) QEMUCursor *c = ssd->cursor; assert(ssd->dcl.con); cursor_ref(c); - qemu_mutex_unlock(&ssd->lock); dpy_cursor_define(ssd->dcl.con, c); - qemu_mutex_lock(&ssd->lock); cursor_unref(c); } 
@@ -765,7 +763,6 @@ static void display_mouse_define(DisplayChangeListener *dcl,
 {
 SimpleSpiceDisplay *ssd = container_of(dcl, SimpleSpiceDisplay, dcl);
- qemu_mutex_lock(&ssd->lock);
 cursor_ref(c);
 cursor_unref(ssd->cursor);
 ssd->cursor = c;
@@ -775,7 +772,6 @@ static void display_mouse_define(DisplayChangeListener *dcl,
 ssd->ptr_move = NULL;
 g_free(ssd->ptr_define);
 ssd->ptr_define = qemu_spice_create_cursor_update(ssd, c, 0);
- qemu_mutex_unlock(&ssd->lock);
 qemu_spice_wakeup(ssd);
 }
-- 
Gitee
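Review bot: With `qemu_mutex_lock(&ssd->lock);` removed, `cursor_unref(ssd->cursor); ssd->cursor = c;` now replaces (and may free) the cursor without ssd->lock, and the matching unlock dropped in the next hunk leaves the ssd->ptr_define update unlocked as well. This is a DisplayChangeListener callback (`container_of(dcl, SimpleSpiceDisplay, dcl)`), so it is reached through the console's dpy_cursor_define from any cursor source, not only from qemu_spice_cursor_refresh_bh; unless every such caller holds ssd->lock, which nothing here shows, a reader that locks ssd->lock and dereferences ssd->cursor can observe the freed pointer — the same class of bug this commit sets out to fix. If the lock was dropped so the refresh BH can call dpy_cursor_define with ssd->lock held, the safer shape is to keep the lock/unlock pair in this function and leave the BH's unlocked window around dpy_cursor_define as it was. The function's body continues in the following hunk.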