xserver: Branch 'master'

Adam Jackson ajax at kemper.freedesktop.org
Thu Feb 16 19:24:26 UTC 2017


 dix/pixmap.c |   15 ++++++++++++---
 1 file changed, 12 insertions(+), 3 deletions(-)

New commits:
commit a6566f9e4dbf9ea9568a14e22cb5d004e10dbd4d
Author: Michel Dänzer <michel.daenzer at amd.com>
Date:   Thu Feb 16 16:13:56 2017 +0900

    prime: Clear PixmapDirtyUpdateRec::damage when it's destroyed
    
    The root window, and by extension any damage records referencing it,
    may be destroyed before shared pixmaps referencing it, which resulted in
    use-after-free / double-free in PixmapStopDirtyTracking.
    
    Fixes: b5b292896f64 ("prime: Sync shared pixmap from root window instead of screen pixmap")
    Reviewed-by: Adam Jackson <ajax at redhat.com>
    Signed-off-by: Michel Dänzer <michel.daenzer at amd.com>

diff --git a/dix/pixmap.c b/dix/pixmap.c
index ef00830..b67a2e8 100644
--- a/dix/pixmap.c
+++ b/dix/pixmap.c
@@ -172,6 +172,14 @@ PixmapPtr PixmapShareToSlave(PixmapPtr pixmap, ScreenPtr slave)
     return spix;
 }
 
+static void
+PixmapDirtyDamageDestroy(DamagePtr damage, void *closure)
+{
+    PixmapDirtyUpdatePtr dirty = closure;
+
+    dirty->damage = NULL;
+}
+
 Bool
 PixmapStartDirtyTracking(PixmapPtr src,
                          PixmapPtr slave_dst,
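Review bot: The new `PixmapDirtyDamageDestroy` callback has no comment explaining why it exists, and the reason is a lifetime rule that is easy to break later. I would add above it: `/* Damage destroy hook: the damage record can be destroyed before the dirty-tracking entry (e.g. with the root window), so clear the entry's pointer to it. */`. The `damage` parameter is unused in the body; if the tree builds with unused-parameter warnings, mark it accordingly.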
@@ -195,10 +203,10 @@ PixmapStartDirtyTracking(PixmapPtr src,
     dirty_update->dst_x = dst_x;
     dirty_update->dst_y = dst_y;
     dirty_update->rotation = rotation;
-    dirty_update->damage = DamageCreate(NULL, NULL,
+    dirty_update->damage = DamageCreate(NULL, PixmapDirtyDamageDestroy,
                                         DamageReportNone,
                                         TRUE, src->drawable.pScreen,
-                                        src->drawable.pScreen);
+                                        dirty_update);
 
     if (rotation != RR_Rotate_0) {
         RRTransformCompute(x, y,
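Review bot: Passing `dirty_update` as the closure means the damage record now holds a raw pointer into the tracking entry, so the entry has to outlive the damage record. Any path that frees `dirty_update` without calling `DamageDestroy()` first would leave the callback writing `dirty->damage = NULL` into freed memory. That trades the old use-after-free for a new one. The only free visible in this diff is in PixmapStopDirtyTracking, which does destroy first. The rest of PixmapStartDirtyTracking, including any error path after this call, is outside the hunk and should be checked for the same ordering. A short comment at the call would record the rule: `/* closure: entry must not be freed before its damage is destroyed */`.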
@@ -247,7 +255,8 @@ PixmapStopDirtyTracking(PixmapPtr src, PixmapPtr slave_dst)
 
     xorg_list_for_each_entry_safe(ent, safe, &screen->pixmap_dirty_list, ent) {
         if (ent->src == src && ent->slave_dst == slave_dst) {
-            DamageDestroy(ent->damage);
+            if (ent->damage)
+                DamageDestroy(ent->damage);
             xorg_list_del(&ent->ent);
             free(ent);
         }
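Review bot: The `if (ent->damage)` guard covers only this one reader, but after this commit `damage` can become NULL on any entry still on `pixmap_dirty_list` once the root window's damage is destroyed. Any other code that dereferences an entry's `damage` is outside this diff and would need the same NULL check, or it turns the former double-free into a NULL dereference. It is also worth a comment here that `DamageDestroy()` must stay ahead of `free(ent)`, because the destroy callback writes through the entry: `/* DamageDestroy() invokes the destroy hook, which touches ent; keep it before free(ent) */`. The loop body continues outside the hunk.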

