[Mesa-dev] [PATCH] st/dri: Fix dangling pointer to a destroyed dri_drawable

Marek Olšák maraeo at gmail.com
Mon Apr 23 08:33:34 UTC 2018 

Pushed, thanks!

Marek

On Fri, Apr 20, 2018 at 6:29 AM, Johan Klokkhammer Helsing <
johan.helsing at qt.io> wrote:

> If an EGLSurface is created, made current and destroyed, and then a second
> EGLSurface is created. Then the second malloc in driCreateNewDrawable may
> return the same pointer address the first surface's drawable had.
> Consequently, when dri_make_current later tries to determine if it should
> update the texture_stamp it compares the surface's drawable pointer against
> the drawable in the last call to dri_make_current and assumes it's the same
> surface (which it isn't).
>
> When texture_stamp is left unset, then dri_st_framebuffer_validate thinks
> it has already called update_drawable_info for that drawable, leaving it
> unvalidated and this is when bad things starts to happen. In my case it
> manifested itself by the width and height of the surface being unset.
>
> This is fixed this by setting the pointer to NULL before freeing the
> surface.
>
> Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=106126
> Signed-off-by: Johan Klokkhammer Helsing <johan.helsing at qt.io>
> ---
>  src/gallium/state_trackers/dri/dri_drawable.c | 4 ++++
>  1 file changed, 4 insertions(+)
>
> diff --git a/src/gallium/state_trackers/dri/dri_drawable.c
> b/src/gallium/state_trackers/dri/dri_drawable.c
> index e5a7537e47..02328acd98 100644
> --- a/src/gallium/state_trackers/dri/dri_drawable.c
> +++ b/src/gallium/state_trackers/dri/dri_drawable.c
> @@ -185,6 +185,7 @@ fail:
>  void
>  dri_destroy_buffer(__DRIdrawable * dPriv)
>  {
> +   struct dri_context *ctx = dri_context(dPriv->driContextPriv);
>     struct dri_drawable *drawable = dri_drawable(dPriv);
>     struct dri_screen *screen = drawable->screen;
>     struct st_api *stapi = screen->st_api;
> @@ -202,6 +203,9 @@ dri_destroy_buffer(__DRIdrawable * dPriv)
>     /* Notify the st manager that this drawable is no longer valid */
>     stapi->destroy_drawable(stapi, &drawable->base);
>
> +   if (ctx && ctx->dPriv == dPriv)
> +      ctx->dPriv = NULL;
> +
>     FREE(drawable);
>  }
>
> --
> 2.17.0
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.freedesktop.org/archives/mesa-dev/attachments/20180423/c6d19696/attachment.html>

More information about the mesa-dev mailing list