xf86-video-intel: src/sna/sna_accel.c

Chris Wilson ickle at kemper.freedesktop.org
Mon Nov 5 14:35:42 PST 2012


 src/sna/sna_accel.c |    3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

New commits:
commit 28bda6707d979bca29dbea04e932819de204d920
Author: Chris Wilson <chris at chris-wilson.co.uk>
Date:   Mon Nov 5 22:30:29 2012 +0000

    sna: Prevent use-after-free during partial move-to-gpu
    
    As we reuse the input parameter 'box' to hold the array of boxes that
    need to be migrated, we need to be careful that we do not later confuse
    it with the original input parameter. Otherwise,
    
    ==1315== Invalid read of size 2
    ==1315==    at 0x928B091: box_inplace (sna.h:506)
    ==1315==    by 0x9292278: sna_pixmap_move_area_to_gpu (sna_accel.c:2554)
    ==1315==    by 0x9292C14: sna_drawable_use_bo (sna_accel.c:2774)
    ==1315==    by 0x9356C01: gen7_composite_set_target (gen7_render.c:2448)
    ==1315==    by 0x9357AA2: gen7_render_composite (gen7_render.c:2800)
    ==1315==    by 0x92DB12E: glyphs_to_dst (sna_glyphs.c:552)
    ==1315==    by 0x92DEA8D: sna_glyphs (sna_glyphs.c:1664)
    ==1315==    by 0x4F920E: damageGlyphs (in /tmp/Xorg)
    ==1315==    by 0x4F2FF6: ProcRenderCompositeGlyphs (in /tmp/Xorg)
    ==1315==    by 0x437260: Dispatch (in /tmp/Xorg)
    ==1315==    by 0x426466: main (in /tmp/Xorg)
    ==1315==  Address 0xd637054 is 20 bytes inside a block of size 208,464 free'd
    ==1315==    at 0x4C2A2FC: free (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
    ==1315==    by 0x92CCFCD: __sna_damage_destroy (sna_damage.c:1469)
    ==1315==    by 0x928AD74: sna_damage_destroy (sna_damage.h:284)
    ==1315==    by 0x9291CB2: sna_pixmap_move_area_to_gpu (sna_accel.c:2470)
    ==1315==    by 0x9292C14: sna_drawable_use_bo (sna_accel.c:2774)
    ==1315==    by 0x9356C01: gen7_composite_set_target (gen7_render.c:2448)
    ==1315==    by 0x9357AA2: gen7_render_composite (gen7_render.c:2800)
    ==1315==    by 0x92DB12E: glyphs_to_dst (sna_glyphs.c:552)
    ==1315==    by 0x92DEA8D: sna_glyphs (sna_glyphs.c:1664)
    ==1315==    by 0x4F920E: damageGlyphs (in /tmp/Xorg)
    ==1315==    by 0x4F2FF6: ProcRenderCompositeGlyphs (in /tmp/Xorg)
    ==1315==    by 0x437260: Dispatch (in /tmp/Xorg)
    
    Reported-by: Matti Ruohonen <kiesus at gmail.com>
    Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=56591
    Signed-off-by: Chris Wilson <chris at chris-wilson.co.uk>

diff --git a/src/sna/sna_accel.c b/src/sna/sna_accel.c
index 447d31a..040a14d 100644
--- a/src/sna/sna_accel.c
+++ b/src/sna/sna_accel.c
@@ -2551,7 +2551,8 @@ done:
 	if (flags & MOVE_WRITE) {
 		priv->clear = false;
 		priv->cpu = false;
-		if (priv->cpu_damage == NULL && box_inplace(pixmap, box)) {
+		if (priv->cpu_damage == NULL &&
+		    box_inplace(pixmap, &r.extents)) {
 			DBG(("%s: large operation on undamaged, promoting to full GPU\n",
 			     __FUNCTION__));
 			sna_damage_all(&priv->gpu_damage,
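
Review bot: the replacement call `box_inplace(pixmap, &r.extents)` under `done:` stops reading through the stale pointer, but `box` itself stays in scope here and, per the commit message and the free recorded at sna_accel.c:2470 in the trace, may still point into storage released by `sna_damage_destroy`. The next use of `box` after this label would bring the same invalid read back. Consider keeping the input parameter untouched (for example by declaring it `const`) and holding the migration array in a separate local, so the compiler rejects the reuse. Also worth confirming in the commit message or a comment that `r.extents` is initialised from the original input box on every path that jumps to `done:`, since none of those paths are visible in this hunk.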

