xserver: Branch 'master' - 2 commits

Keith Packard keithp at kemper.freedesktop.org
Thu Dec 25 13:03:39 PST 2014 

 glamor/glamor.c      |    7 +------
 glamor/glamor_fbo.c  |    2 +-
 glamor/glamor_priv.h |    1 -
 3 files changed, 2 insertions(+), 8 deletions(-)

New commits:
commit 11b85ab2fc944c0645df43180a6c7e2d6a06483a
Author: Michel Dänzer <michel.daenzer at amd.com>
Date:   Wed Dec 24 11:46:46 2014 +0900

    glamor: Make glamor_purge_fbo static
    
    Only called from glamor_fbo.c now.
    
    Signed-off-by: Michel Dänzer <michel.daenzer at amd.com>
    Reviewed-by: Keith Packard <keithp at keithp.com>
    Signed-off-by: Keith Packard <keithp at keithp.com>

diff --git a/glamor/glamor_fbo.c b/glamor/glamor_fbo.c
index d2aabb2..8d73e47 100644
--- a/glamor/glamor_fbo.c
+++ b/glamor/glamor_fbo.c
@@ -126,7 +126,7 @@ glamor_pixmap_fbo_cache_get(glamor_screen_private *glamor_priv,
 #endif
 }
 
-void
+static void
 glamor_purge_fbo(glamor_pixmap_fbo *fbo)
 {
     glamor_make_current(fbo->glamor_priv);
diff --git a/glamor/glamor_priv.h b/glamor/glamor_priv.h
index ffd327e..f699497 100644
--- a/glamor/glamor_priv.h
+++ b/glamor/glamor_priv.h
@@ -653,7 +653,6 @@ glamor_pixmap_fbo *glamor_create_fbo(glamor_screen_private *glamor_priv, int w,
                                      int h, GLenum format, int flag);
 void glamor_destroy_fbo(glamor_pixmap_fbo *fbo);
 void glamor_pixmap_destroy_fbo(glamor_pixmap_private *priv);
-void glamor_purge_fbo(glamor_pixmap_fbo *fbo);
 
 void glamor_init_pixmap_fbo(ScreenPtr screen);
 void glamor_fini_pixmap_fbo(ScreenPtr screen);
commit 8323d2e90150bb86a12d00a16269c69a24efc896
Author: Michel Dänzer <michel.daenzer at amd.com>
Date:   Wed Dec 24 11:46:18 2014 +0900

    glamor: Call glamor_pixmap_destroy_fbo from glamor_set_pixmap_private
    
    Calling glamor_purge_fbo directly was incorrect for large pixmaps.
    
    Fixes use-after free with large pixmaps:
    
    ==2029== Invalid write of size 8                                                                                                                                      ~
    ==2029==    at 0x85F93AD: __xorg_list_del (list.h:184)
    ==2029==    by 0x85F93AD: xorg_list_del (list.h:204)
    ==2029==    by 0x85F93AD: glamor_fbo_expire (glamor_fbo.c:280)
    ==2029==    by 0x85F95CA: glamor_pixmap_fbo_cache_put (glamor_fbo.c:159)
    ==2029==    by 0x85D7AB5: glamor_destroy_textured_pixmap (glamor.c:228)
    ==2029==    by 0xC1BDDC4: radeon_glamor_destroy_pixmap (radeon_glamor.c:272)
    ==2029==    by 0x519D00: damageDestroyPixmap (damage.c:1473)
    ==2029==    by 0x4DD307: XvDestroyPixmap (xvmain.c:370)
    ==2029==    by 0x4DB975: ShmDestroyPixmap (shm.c:258)
    ==2029==    by 0x5098F6: FreePicture (picture.c:1425)
    ==2029==    by 0x85E678E: glamor_composite_clipped_region (glamor_render.c:1558)
    ==2029==    by 0x85F763A: glamor_composite_largepixmap_region (glamor_largepixmap.c:1347)
    ==2029==    by 0x85E7964: _glamor_composite (glamor_render.c:1679)
    ==2029==    by 0x85E7A38: glamor_composite (glamor_render.c:1758)
    ==2029==  Address 0x1141d3c0 is 0 bytes inside a block of size 64 free'd
    ==2029==    at 0x4C29E90: free (vg_replace_malloc.c:473)
    ==2029==    by 0x85D7167: glamor_set_pixmap_private (glamor.c:570)
    ==2029==    by 0xC1BDDC4: radeon_glamor_destroy_pixmap (radeon_glamor.c:272)
    ==2029==    by 0x519D00: damageDestroyPixmap (damage.c:1473)
    ==2029==    by 0x4DD307: XvDestroyPixmap (xvmain.c:370)
    ==2029==    by 0x4DB975: ShmDestroyPixmap (shm.c:258)
    ==2029==    by 0x45B246: doFreeResource (resource.c:875)
    ==2029==    by 0x45BD5E: FreeResource (resource.c:905)
    ==2029==    by 0x43444B: ProcFreePixmap (dispatch.c:1422)
    ==2029==    by 0x43856E: Dispatch (dispatch.c:432)
    ==2029==    by 0x43C96F: dix_main (main.c:298)
    ==2029==    by 0x6CFAB44: (below main) (libc-start.c:287)
    
    Signed-off-by: Michel Dänzer <michel.daenzer at amd.com>
    Reviewed-by: Keith Packard <keithp at keithp.com>
    Signed-off-by: Keith Packard <keithp at keithp.com>

diff --git a/glamor/glamor.c b/glamor/glamor.c
index e6e8647..78e8278 100644
--- a/glamor/glamor.c
+++ b/glamor/glamor.c
@@ -225,7 +225,6 @@ glamor_destroy_textured_pixmap(PixmapPtr pixmap)
 #if GLAMOR_HAS_GBM
             glamor_egl_destroy_pixmap_image(pixmap);
 #endif
-            glamor_pixmap_destroy_fbo(pixmap_priv);
             glamor_set_pixmap_private(pixmap, NULL);
         }
     }
@@ -554,7 +553,6 @@ _X_EXPORT void
 glamor_set_pixmap_private(PixmapPtr pixmap, glamor_pixmap_private *priv)
 {
     glamor_pixmap_private *old_priv;
-    glamor_pixmap_fbo *fbo;
 
     old_priv = dixGetPrivate(&pixmap->devPrivates, &glamor_pixmap_private_key);
 
@@ -565,10 +563,7 @@ glamor_set_pixmap_private(PixmapPtr pixmap, glamor_pixmap_private *priv)
         if (old_priv == NULL)
             return;
 
-        if (old_priv->base.fbo) {
-            fbo = glamor_pixmap_detach_fbo(old_priv);
-            glamor_purge_fbo(fbo);
-        }
+        glamor_pixmap_destroy_fbo(old_priv);
         free(old_priv);
     }

More information about the xorg-commit mailing list