[Mesa-dev] [Bug 101829] read-after-free in st_framebuffer_validate

bugzilla-daemon at freedesktop.org bugzilla-daemon at freedesktop.org
Wed Jul 19 01:40:44 UTC 2017


https://bugs.freedesktop.org/show_bug.cgi?id=101829

--- Comment #6 from Gert Wollny <gw.fossdev at gmail.com> ---
The patch didn't help on my side. 

I've added some debug output to see what is going on. In summary, stfb->iface
in st_manager.c is not properly updated and points to a destroyed buffer
that is accessed in st_framebuffers_purge; see below:

valgrind  glretrace Downloads/example.trace 
==3152== Memcheck, a memory error detector
==3152== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==3152== Using Valgrind-3.13.0 and LibVEX; rerun with -h for copyright info
==3152== Command: glretrace Downloads/example.trace
==3152== 
dri_get_drawable: 0x161220b0 refcount: 1
dri_create_buffer 0x161220b0: 0x16122130
driCreateNewDrawable: 0x161220b0 refcount: 1 buffer: 0x16122130
driFetchDrawable (create): 0x16121fa0 refcount: 1
driFetchDrawable: 0x16121fa0 refcount: 2
dri_get_drawable: 0x161220b0 refcount: 2
Bind context 0x16036270 pdp 0x161220b0 prp 0x161220b0 
stdraw= 0x16122520
stread= 0x16122520
st= 0x160ecc10
stfb->iface= 0x16122130
dri_put_drawable: 0x161220b0 refcount: 1
Unbind context 0x16036270 pdp 0x161220b0 prp 0x161220b0 
dri_get_drawable: 0x162791f0 refcount: 1

dri_create_buffer 0x162791f0: 0x16279270 <==== create new buffer (2) 

driCreateNewDrawable: 0x162791f0 refcount: 1 buffer: 0x16279270
driFetchDrawable (create): 0x162790e0 refcount: 1
driFetchDrawable: 0x162790e0 refcount: 2
dri_get_drawable: 0x162791f0 refcount: 2
Bind context 0x16196340 pdp 0x162791f0 prp 0x162791f0 
stdraw= 0x16279550
stread= 0x16279550
st= 0x16246250

in st_framebuffers_purge; 
stfb->iface= 0x16279270     <============================= first use 


dri_put_drawable: 0x162791f0 refcount: 1
Unbind context 0x16196340 pdp 0x162791f0 prp 0x162791f0 
dri_get_drawable: 0x1628b1c0 refcount: 1

dri_create_buffer 0x1628b1c0: 0x1628b240   <==== create new buffer (3)

driCreateNewDrawable: 0x1628b1c0 refcount: 1 buffer: 0x1628b240
driFetchDrawable: 0x1628b0b0 refcount: 1
driFetchDrawable: 0x1628b0b0 refcount: 2
driReleaseDrawables; Drawable: 0x162790e0 refcount: 2
driReleaseDrawables; Readable: 0x162790e0 refcount: 1
dri2DestroyDrawable 0x162791f0
driDestroyDrawable: 0x162791f0 refcount: 1
dri_put_drawable: 0x162791f0 refcount: 0
   --- Destroy

dri_destroy_buffer 0x162791f0: 0x16279270      <====== buffer (2) destroyed 


dri_get_drawable: 0x1628b1c0 refcount: 2
Bind context 0x16196340 pdp 0x1628b1c0 prp 0x1628b1c0 
stdraw= 0x1628d770
stread= 0x1628d770
st= 0x16246250

stfb->iface= 0x16279270     <====== still pointing to the destroyed buffer 
                                    should have been updated to (3) 0x1628b240

==3152== Invalid read of size 4
==3152==    at 0x9CC5D04: st_framebuffers_purge (st_manager.c:510)
==3152==    by 0x9CC5D04: st_api_make_current (st_manager.c:876)
==3152==    by 0x9E709CD: dri_make_current (dri_context.c:278)

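The stale pointer is easy to miss by eye in a long trace. Added here as an example (not from the bug report and not Mesa code): a small Python checker that replays debug lines in the format shown above and reports an stfb->iface value that was already passed to dri_destroy_buffer, or that belongs to a drawable other than the one just bound with "Bind context". SAMPLE_TRACE is a constructed excerpt of the output in the comment; the trailing "<====" annotations are tolerated but not required.

```python
import re

# Constructed excerpt of the debug output, same line format as the comment above.
SAMPLE_TRACE = """\
dri_create_buffer 0x162791f0: 0x16279270
Bind context 0x16196340 pdp 0x162791f0 prp 0x162791f0
stfb->iface= 0x16279270
dri_create_buffer 0x1628b1c0: 0x1628b240
dri_destroy_buffer 0x162791f0: 0x16279270
Bind context 0x16196340 pdp 0x1628b1c0 prp 0x1628b1c0
stfb->iface= 0x16279270
"""

# Only the leading fields are matched, so annotations after the pointers are ignored.
CREATE = re.compile(r"^dri_create_buffer (0x[0-9a-f]+): (0x[0-9a-f]+)")
DESTROY = re.compile(r"^dri_destroy_buffer (0x[0-9a-f]+): (0x[0-9a-f]+)")
BIND = re.compile(r"^Bind context 0x[0-9a-f]+ pdp (0x[0-9a-f]+)")
IFACE = re.compile(r"^stfb->iface= (0x[0-9a-f]+)")


def check_trace(text):
    """Replay the trace; return (line_no, problem, buffer_ptr) for each stale iface use."""
    live = {}      # buffer pointer -> drawable that created it (still alive)
    bound = None   # drawable from the most recent "Bind context ... pdp" line
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        if m := CREATE.match(line):
            live[m.group(2)] = m.group(1)
        elif m := DESTROY.match(line):
            live.pop(m.group(2), None)
        elif m := BIND.match(line):
            bound = m.group(1)
        elif m := IFACE.match(line):
            buf = m.group(1)
            if buf not in live:
                # The buffer was destroyed earlier in the trace: read-after-free.
                findings.append((no, "use-after-destroy", buf))
            elif live[buf] != bound:
                # Alive, but owned by a drawable other than the one just bound.
                findings.append((no, "iface not owned by bound drawable", buf))
    return findings


if __name__ == "__main__":
    for no, problem, buf in check_trace(SAMPLE_TRACE):
        print(f"line {no}: {problem}: stfb->iface= {buf}")
```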