[PATCH] etnaviv: fix refcnt initialization in etna_screen

Aleksander Morgado aleksander at aleksander.es
Thu Jul 6 23:00:22 UTC 2017


On Thu, Jul 6, 2017 at 11:18 PM, Aleksander Morgado
<aleksander at aleksander.es> wrote:
> Despite being a member of the etna_screen struct, 'refcnt' is used by
> the winsys-specific logic to track the reference count of the object
> managed in a hash table. When the count reaches zero, the pipe screen
> is removed from the table and destroyed.
>
> Fix the logic by initializing the refcnt to 1 when screen created.
> This initialization is done in etna_screen_create(), to follow the
> same logic as in freedreno and virgl.
>

For reference, this is the kind of backtrace I was getting due to this
issue. The dri2_create_image_from_winsys() call was trying run
pscreen->resource_from_handle, but the pscreen had already been freed.

If the item is added to the HT with refcnt = 0, getting an extra
reference from the HT would have set rfcnt = 1, and when that extra
reference was removed it would have gone to rfcnt = 0, triggering at
this point the destroy and removal from the HT, while the original
reference was still around and assumed valid, and finally arriving to
the use-after-free seen here.

01-01 00:00:51.546   621   621 F libc    : Fatal signal 11 (SIGSEGV),
code 1, fault addr 0x0 in tid 621 (ndroid.systemui)
01-01 00:00:51.679  1062  1062 F DEBUG   : *** *** *** *** *** *** ***
*** *** *** *** *** *** *** *** ***
01-01 00:00:51.679  1062  1062 F DEBUG   : Build fingerprint:
'Android/linaro_arm/linaro_arm:7.1.1/N6F26U/aleksa04281944:userdebug/test-keys'
01-01 00:00:51.679  1062  1062 F DEBUG   : Revision: '0'
01-01 00:00:51.679  1062  1062 F DEBUG   : ABI: 'arm'
01-01 00:00:51.680  1062  1062 F DEBUG   : pid: 621, tid: 621, name:
ndroid.systemui  >>> com.android.systemui <<<
01-01 00:00:51.680  1062  1062 F DEBUG   : signal 11 (SIGSEGV), code 1
(SEGV_MAPERR), fault addr 0x0
01-01 00:00:51.680  1062  1062 F DEBUG   :     r0 91e65d00  r1
bec0d3d8  r2 bec0d470  r3 00000006
01-01 00:00:51.681  1062  1062 F DEBUG   :     r4 bec0d470  r5
91e65d00  r6 00000000  r7 bec0d3ea
01-01 00:00:51.681  1062  1062 F DEBUG   :     r8 914deb27  r9
00000000  sl 8ef239c0  fp 00001005
01-01 00:00:51.681  1062  1062 F DEBUG   :     ip bec0cef4  sp
bec0d3c0  lr 91242bd9  pc 00000000  cpsr 20000010
01-01 00:00:52.711  1062  1062 F DEBUG   :
01-01 00:00:52.711  1062  1062 F DEBUG   : backtrace:
01-01 00:00:52.711  1062  1062 F DEBUG   :     #00 pc 00000000  <unknown>
01-01 00:00:52.711  1062  1062 F DEBUG   :     #01 pc 00066bd7
/system/lib/dri/gallium_dri.so (dri2_create_image_from_winsys+462)
01-01 00:00:52.711  1062  1062 F DEBUG   :     #02 pc 00066f49
/system/lib/dri/gallium_dri.so (dri2_create_image_from_fd+592)
01-01 00:00:52.712  1062  1062 F DEBUG   :     #03 pc 00065e07
/system/lib/dri/gallium_dri.so (dri2_from_dma_bufs2+54)
01-01 00:00:52.712  1062  1062 F DEBUG   :     #04 pc 00001fb7
/system/lib/libgbm.so (gbm_dri_bo_import+418)
01-01 00:00:52.712  1062  1062 F DEBUG   :     #05 pc 0000127f
/system/lib/hw/gralloc.gbm.so
(_ZL15validate_handlePK13native_handleP10gbm_device+334)
01-01 00:00:52.712  1062  1062 F DEBUG   :     #06 pc 0000111f
/system/lib/hw/gralloc.gbm.so (gralloc_gbm_handle_register+2)
01-01 00:00:52.712  1062  1062 F DEBUG   :     #07 pc 0000160f
/system/lib/hw/gralloc.gbm.so
(_ZL23gbm_mod_register_bufferPK16gralloc_module_tPK13native_handle+28)
01-01 00:00:52.712  1062  1062 F DEBUG   :     #08 pc 0000cbdd
/system/lib/libui.so
(_ZN7android18Gralloc1On0Adapter6retainEPKNS_13GraphicBufferE+80)
01-01 00:00:52.712  1062  1062 F DEBUG   :     #09 pc 0000f45b
/system/lib/libui.so
(_ZN7android19GraphicBufferMapper14registerBufferEPKNS_13GraphicBufferE+58)
01-01 00:00:52.713  1062  1062 F DEBUG   :     #10 pc 0000e7c5
/system/lib/libui.so
(_ZN7android13GraphicBuffer9unflattenERPKvRjRPKiS4_+300)
01-01 00:00:52.713  1062  1062 F DEBUG   :     #11 pc 00083951
/system/lib/libandroid_runtime.so
(_ZN7android6Parcel17FlattenableHelperINS_13GraphicBufferEE9unflattenEPKvjPKij+20)
01-01 00:00:52.713  1062  1062 F DEBUG   :     #12 pc 00044c23
/system/lib/libbinder.so
(_ZNK7android6Parcel4readERNS0_26FlattenableHelperInterfaceE+338)
01-01 00:00:52.713  1062  1062 F DEBUG   :     #13 pc 000460fd
/system/lib/libgui.so
(_ZN7android23BpGraphicBufferProducer13requestBufferEiPNS_2spINS_13GraphicBufferEEE+128)
01-01 00:00:52.713  1062  1062 F DEBUG   :     #14 pc 00050fc7
/system/lib/libgui.so
(_ZN7android7Surface13dequeueBufferEPP19ANativeWindowBufferPi+322)
01-01 00:00:52.713  1062  1062 F DEBUG   :     #15 pc 0000c931
/system/lib/egl/libGLES_mesa.so (update_buffers+52)
01-01 00:00:52.713  1062  1062 F DEBUG   :     #16 pc 0000ca2d
/system/lib/egl/libGLES_mesa.so (droid_image_get_buffers+16)
01-01 00:00:52.713  1062  1062 F DEBUG   :     #17 pc 00067523
/system/lib/dri/gallium_dri.so (dri2_allocate_textures+378)
01-01 00:00:52.713  1062  1062 F DEBUG   :     #18 pc 000648b7
/system/lib/dri/gallium_dri.so (dri_st_framebuffer_validate+134)
01-01 00:00:52.714  1062  1062 F DEBUG   :     #19 pc 00182237
/system/lib/dri/gallium_dri.so (st_framebuffer_validate+58)
01-01 00:00:52.714  1062  1062 F DEBUG   :     #20 pc 00182b05
/system/lib/dri/gallium_dri.so (st_api_make_current+108)
01-01 00:00:52.714  1062  1062 F DEBUG   :     #21 pc 00064781
/system/lib/dri/gallium_dri.so (dri_make_current+148)
01-01 00:00:52.714  1062  1062 F DEBUG   :     #22 pc 0027215d
/system/lib/dri/gallium_dri.so (driBindContext+36)
01-01 00:00:52.714  1062  1062 F DEBUG   :     #23 pc 0000b9a7
/system/lib/egl/libGLES_mesa.so (dri2_make_current+222)
01-01 00:00:52.714  1062  1062 F DEBUG   :     #24 pc 00003d9d
/system/lib/egl/libGLES_mesa.so (eglMakeCurrent+372)
01-01 00:00:52.714  1062  1062 F DEBUG   :     #25 pc 0000aa61
/system/lib/libEGL.so
(_ZN7android13egl_display_t11makeCurrentEPNS_13egl_context_tES2_PvS3_S3_S3_S3_S3_+192)
01-01 00:00:52.715  1062  1062 F DEBUG   :     #26 pc 0000d1eb
/system/lib/libEGL.so (eglMakeCurrent+290)
01-01 00:00:52.715  1062  1062 F DEBUG   :     #27 pc 00068d2f
/system/lib/libandroid_runtime.so
(_ZN7androidL18jni_eglMakeCurrentEP7_JNIEnvP8_jobjectS3_S3_S3_S3_+82)
01-01 00:00:52.715  1062  1062 F DEBUG   :     #28 pc 0217d767
/system/framework/arm/boot-framework.oat (offset 0x158b000)
(com.google.android.gles_jni.EGLImpl.eglMakeCurrent+170)
01-01 00:00:52.715  1062  1062 F DEBUG   :     #29 pc 0074db67
/system/priv-app/SystemUI/oat/arm/SystemUI.odex (offset 0x5a4000)



-- 
Aleksander
https://aleksander.es


More information about the etnaviv mailing list