[Mesa-stable] [PATCH v2 4/4] dri/common: clear the loaderPrivate pointer in driDestroyDrawable

Nicolai Hähnle nhaehnle at gmail.com
Thu Feb 2 17:19:28 UTC 2017


From: Nicolai Hähnle <nicolai.haehnle at amd.com>

The GLX specification says about glXDestroyPixmap:

    "The storage for the GLX pixmap will be freed when it is not current
     to any client."

We're not really following this language to the letter: some of the storage
is freed immediately (in particular, the dri3_drawable, which contains both
GLXDRIdrawable and loader_dri3_drawable). So we NULL out the pointers to
that freed storage; the previous patches added the corresponding NULL-pointer
checks.

This fixes memory corruption in piglit
./bin/glx-visuals-depth/stencil -pixmap -auto

Cc: 17.0 <mesa-stable at lists.freedesktop.org>
Reviewed-by: Marek Olšák <marek.olsak at amd.com>
---
 src/mesa/drivers/dri/common/dri_util.c | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/src/mesa/drivers/dri/common/dri_util.c b/src/mesa/drivers/dri/common/dri_util.c
index f92eee9..d18c458 100644
--- a/src/mesa/drivers/dri/common/dri_util.c
+++ b/src/mesa/drivers/dri/common/dri_util.c
@@ -638,20 +638,22 @@ static void dri_put_drawable(__DRIdrawable *pdp)
     }
 }
 
 static __DRIdrawable *
 driCreateNewDrawable(__DRIscreen *screen,
                      const __DRIconfig *config,
                      void *data)
 {
     __DRIdrawable *pdraw;
 
+    assert(data != NULL);
+
     pdraw = malloc(sizeof *pdraw);
     if (!pdraw)
 	return NULL;
 
     pdraw->loaderPrivate = data;
 
     pdraw->driScreenPriv = screen;
     pdraw->driContextPriv = NULL;
     pdraw->refcount = 0;
     pdraw->lastStamp = 0;
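Review bot: The added `assert(data != NULL);` in driCreateNewDrawable is compiled out when NDEBUG is defined, so a release build would still accept a NULL `data` and store it in `pdraw->loaderPrivate`. Because this series makes NULL mean "the loader-side storage has been freed", such a drawable would look destroyed from its first use. If a loader can reach this entry point with NULL, a runtime guard before the malloc, `if (!data) return NULL;`, would hold in all builds. Otherwise a short comment such as `/* NULL loaderPrivate is reserved to mark a destroyed loader drawable, see driDestroyDrawable */` would explain why the assert is there. The function body continues past the end of this hunk.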
@@ -667,20 +669,30 @@ driCreateNewDrawable(__DRIscreen *screen,
     }
 
     pdraw->dri2.stamp = pdraw->lastStamp + 1;
 
     return pdraw;
 }
 
 static void
 driDestroyDrawable(__DRIdrawable *pdp)
 {
+    /*
+     * The loader's data structures are going away, even if pdp itself stays
+     * around for the time being because it is currently bound. This happens
+     * when a currently bound GLX pixmap is destroyed.
+     *
+     * Clear out the pointer back into the loader's data structures to avoid
+     * accessing an outdated pointer.
+     */
+    pdp->loaderPrivate = NULL;
+
     dri_put_drawable(pdp);
 }
 
 static __DRIbuffer *
 dri2AllocateBuffer(__DRIscreen *screen,
 		   unsigned int attachment, unsigned int format,
 		   int width, int height)
 {
     return screen->driver->AllocateBuffer(screen, attachment, format,
                                           width, height);
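Review bot: The new `pdp->loaderPrivate = NULL;` in driDestroyDrawable dereferences `pdp` before `dri_put_drawable(pdp)` runs, so any NULL handling inside dri_put_drawable no longer protects this entry point. The body of dri_put_drawable is outside the hunks, but the nested closing brace at the top of the first hunk suggests it wraps its work in a guard; if that guard is a NULL check, `if (pdp) pdp->loaderPrivate = NULL;` keeps the previous tolerance. Separately, the clear only prevents use of the freed loader storage if every reader of `loaderPrivate` tests for NULL; those checks are in the earlier patches of the series and cannot be confirmed from this file.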
-- 
2.9.3


