[PATCH 3/3] glx: Fix crash when a client exits without deleting GL contexts

Jon TURNEY jon.turney at dronecode.org.uk
Fri Apr 18 04:17:06 PDT 2014


With the previous patches applied, we now have a crash due to a use-after-free when
a client exits without deleting all its GL contexts

On client exit, CloseDownClient first calls glxClientCallback() with
ClientStateGone, which calls __glXFreeContext() directly.

Subsequently CloseDownClient() frees all the client's resources, which leads to
ContextGone() being called for a context resource where the context has already
been freed.

Fix this by modifying glxClientCallback() to free the context resource.

Also make __glXFreeContext() static, as calling it directly leads to this
problem, instead the context resource should be released.

With the previous patches applied, this can be demonstrated with e.g. glxinfo,
which doesn't delete its context before exit.

Signed-off-by: Jon TURNEY <jon.turney at dronecode.org.uk>
---
 glx/glxext.c | 5 +++--
 glx/glxext.h | 1 -
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/glx/glxext.c b/glx/glxext.c
index 8c837b0..4794621 100644
--- a/glx/glxext.c
+++ b/glx/glxext.c
@@ -72,6 +72,7 @@ static DevPrivateKeyRec glxClientPrivateKeyRec;
 ** Forward declarations.
 */
 static int __glXDispatch(ClientPtr);
+static GLboolean __glXFreeContext(__GLXcontext * cx);
 
 /*
 ** Called when the extension is reset.
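Review bot: is this forward declaration still needed once the direct call in glxClientCallback() is replaced in the later hunk? If the only remaining caller of __glXFreeContext() in this file is the resource delete function defined above it, the declaration is required; otherwise it can be dropped along with the direct call.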
@@ -194,7 +195,7 @@ __glXRemoveFromContextList(__GLXcontext * cx)
 /*
 ** Free a context.
 */
-GLboolean
+static GLboolean
 __glXFreeContext(__GLXcontext * cx)
 {
     if (cx->idExists || cx->currentClient)
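Review bot: the guard `if (cx->idExists || cx->currentClient)` means __glXFreeContext() declines to free a context whose XID is still registered or which is still current, so once the function is static the only valid path to it is through resource deletion. A one-line comment above the function stating that it is reached only from the resource delete callback would document the invariant the commit message describes and stop the next reader from reintroducing a direct call.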
@@ -298,7 +299,7 @@ glxClientCallback(CallbackListPtr *list, void *closure, void *data)
             if (c->currentClient == pClient) {
                 c->loseCurrent(c);
                 c->currentClient = NULL;
-                __glXFreeContext(c);
+                FreeResourceByType(c, __glXContextRes, FALSE);
             }
         }
 
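Review bot: FreeResourceByType() takes the resource XID as its first argument, but this call passes `c`, the `__GLXcontext *` itself, which is a pointer-to-integer mismatch and will not find the context's resource. Pass the XID the context was registered under instead (presumably `c->id`). With skipFree FALSE the resource delete callback runs and performs the actual free, which is what the commit message intends; the preceding `c->loseCurrent(c); c->currentClient = NULL;` must stay ahead of it because __glXFreeContext() returns early while currentClient is set.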
diff --git a/glx/glxext.h b/glx/glxext.h
index 3f2dee6..cde0e15 100644
--- a/glx/glxext.h
+++ b/glx/glxext.h
@@ -51,7 +51,6 @@
 #define GLX_RGBA_UNSIGNED_FLOAT_TYPE_EXT   0x20B1
 #endif
 
-extern GLboolean __glXFreeContext(__GLXcontext * glxc);
 extern void __glXFlushContextCache(void);
 
 extern Bool __glXAddContext(__GLXcontext * cx);
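Review bot: removing the extern declaration is the right way to enforce the new rule, but please check that no other glx/*.c file still calls __glXFreeContext() directly; with the declaration gone and the definition now static, such a call becomes an implicit declaration at compile time and an unresolved symbol at link time.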
-- 
1.8.5.5