[PATCH] glamor: Call glamor_pixmap_destroy_fbo from glamor_set_pixmap_private

Michel Dänzer michel at daenzer.net
Tue Dec 23 19:05:33 PST 2014


Fixing Debian bug report address.

On 24.12.2014 11:46, Michel Dänzer wrote:
> From: Michel Dänzer <michel.daenzer at amd.com>
> 
> Calling glamor_purge_fbo directly was incorrect for large pixmaps.
> 
> Fixes use-after free with large pixmaps:
> 
> ==2029== Invalid write of size 8
> ==2029==    at 0x85F93AD: __xorg_list_del (list.h:184)
> ==2029==    by 0x85F93AD: xorg_list_del (list.h:204)
> ==2029==    by 0x85F93AD: glamor_fbo_expire (glamor_fbo.c:280)
> ==2029==    by 0x85F95CA: glamor_pixmap_fbo_cache_put (glamor_fbo.c:159)
> ==2029==    by 0x85D7AB5: glamor_destroy_textured_pixmap (glamor.c:228)
> ==2029==    by 0xC1BDDC4: radeon_glamor_destroy_pixmap (radeon_glamor.c:272)
> ==2029==    by 0x519D00: damageDestroyPixmap (damage.c:1473)
> ==2029==    by 0x4DD307: XvDestroyPixmap (xvmain.c:370)
> ==2029==    by 0x4DB975: ShmDestroyPixmap (shm.c:258)
> ==2029==    by 0x5098F6: FreePicture (picture.c:1425)
> ==2029==    by 0x85E678E: glamor_composite_clipped_region (glamor_render.c:1558)
> ==2029==    by 0x85F763A: glamor_composite_largepixmap_region (glamor_largepixmap.c:1347)
> ==2029==    by 0x85E7964: _glamor_composite (glamor_render.c:1679)
> ==2029==    by 0x85E7A38: glamor_composite (glamor_render.c:1758)
> ==2029==  Address 0x1141d3c0 is 0 bytes inside a block of size 64 free'd
> ==2029==    at 0x4C29E90: free (vg_replace_malloc.c:473)
> ==2029==    by 0x85D7167: glamor_set_pixmap_private (glamor.c:570)
> ==2029==    by 0xC1BDDC4: radeon_glamor_destroy_pixmap (radeon_glamor.c:272)
> ==2029==    by 0x519D00: damageDestroyPixmap (damage.c:1473)
> ==2029==    by 0x4DD307: XvDestroyPixmap (xvmain.c:370)
> ==2029==    by 0x4DB975: ShmDestroyPixmap (shm.c:258)
> ==2029==    by 0x45B246: doFreeResource (resource.c:875)
> ==2029==    by 0x45BD5E: FreeResource (resource.c:905)
> ==2029==    by 0x43444B: ProcFreePixmap (dispatch.c:1422)
> ==2029==    by 0x43856E: Dispatch (dispatch.c:432)
> ==2029==    by 0x43C96F: dix_main (main.c:298)
> ==2029==    by 0x6CFAB44: (below main) (libc-start.c:287)
> 
> Signed-off-by: Michel Dänzer <michel.daenzer at amd.com>
> ---
> 
> This fixes https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=773709 for me,
> but it might depend on some previous patches for backporting to the 1.16
> branch. Or maybe the first hunk can just be dropped for that.
> 
>  glamor/glamor.c | 7 +------
>  1 file changed, 1 insertion(+), 6 deletions(-)
> 
> diff --git a/glamor/glamor.c b/glamor/glamor.c
> index e6e8647..78e8278 100644
> --- a/glamor/glamor.c
> +++ b/glamor/glamor.c
> @@ -225,7 +225,6 @@ glamor_destroy_textured_pixmap(PixmapPtr pixmap)
>  #if GLAMOR_HAS_GBM
>              glamor_egl_destroy_pixmap_image(pixmap);
>  #endif
> -            glamor_pixmap_destroy_fbo(pixmap_priv);
>              glamor_set_pixmap_private(pixmap, NULL);
>          }
>      }
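Review bot: dropping the glamor_pixmap_destroy_fbo(pixmap_priv) call here only works together with the third hunk, which moves that teardown into glamor_set_pixmap_private(pixmap, NULL); on its own this hunk would leave the textured pixmap's fbo undestroyed. Conversely, if this hunk is dropped for the 1.16 backport as the cover note suggests, the fbo is torn down twice on this path (once here, once inside glamor_set_pixmap_private), which is only safe if glamor_pixmap_destroy_fbo tolerates a private whose fbo has already been released. Worth stating in the commit message which of the two combinations is intended, or keeping the two hunks together when backporting.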
> @@ -554,7 +553,6 @@ _X_EXPORT void
>  glamor_set_pixmap_private(PixmapPtr pixmap, glamor_pixmap_private *priv)
>  {
>      glamor_pixmap_private *old_priv;
> -    glamor_pixmap_fbo *fbo;
>  
>      old_priv = dixGetPrivate(&pixmap->devPrivates, &glamor_pixmap_private_key);
>  
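Review bot: removing the now-unused `glamor_pixmap_fbo *fbo;` local belongs with the third hunk rather than being separable from it; leaving it in would trigger an unused-variable warning once the detach/purge pair below is gone, so if the backport keeps only part of this patch, this hunk has to travel with the glamor_set_pixmap_private change.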
> @@ -565,10 +563,7 @@ glamor_set_pixmap_private(PixmapPtr pixmap, glamor_pixmap_private *priv)
>          if (old_priv == NULL)
>              return;
>  
> -        if (old_priv->base.fbo) {
> -            fbo = glamor_pixmap_detach_fbo(old_priv);
> -            glamor_purge_fbo(fbo);
> -        }
> +        glamor_pixmap_destroy_fbo(old_priv);
>          free(old_priv);
>      }
>  
> 


-- 
Earthling Michel Dänzer               |               http://www.amd.com
Libre software enthusiast             |             Mesa and X developer