[PATCH 7/9] dri2: Send events only to known clients

Pauli Nieminen ext-pauli.nieminen at nokia.com
Fri Feb 4 05:39:07 PST 2011 

On 04/02/11 13:34 +1100, ext Christopher James Halse Rogers wrote:
> On Thu, 2011-02-03 at 19:48 +0200, Pauli wrote:
> > From: Pauli Nieminen <ext-pauli.nieminen at nokia.com>
> > 
> > If client disconnects and new client gets same id DRI2 events may end to
> > wrong client. DRI2 reference list can be checked to see if the client
> > still owns the DRI2Drawable.
> > 
> > Signed-off-by: Pauli Nieminen <ext-pauli.nieminen at nokia.com>
> > ---
> >  hw/xfree86/dri2/dri2.c |   25 +++++++++++++++++--------
> >  1 files changed, 17 insertions(+), 8 deletions(-)
> > 
> > diff --git a/hw/xfree86/dri2/dri2.c b/hw/xfree86/dri2/dri2.c
> > index b50206e..12c1f72 100644
> > --- a/hw/xfree86/dri2/dri2.c
> > +++ b/hw/xfree86/dri2/dri2.c
> > @@ -255,7 +255,8 @@ DRI2LookupClientDrawableRef(DRI2DrawablePtr pPriv, ClientPtr client, XID id)
> >      DRI2DrawableRefPtr ref;
> >  
> >      list_for_each_entry(ref, &pPriv->reference_list, link) {
> > -	if (CLIENT_ID(ref->dri2_id) == client->index && ref->id == id)
> > +	if (CLIENT_ID(ref->dri2_id) == client->index &&
> 
> If the client has gone then this isn't this a potential use-after-free?
> 


Good catch. I have to fix that one.

> > +		(id == 0 || ref->id == id))
> >  	    return ref;
> >      }
> >      return NULL;
> > @@ -739,21 +740,24 @@ void
> >  DRI2WaitMSCComplete(ClientPtr client, DRI2DrawablePtr pPriv, int frame,
> >  		    unsigned int tv_sec, unsigned int tv_usec)
> >  {
> > +    DRI2DrawableRefPtr ref = DRI2LookupClientDrawableRef(pPriv, client, 0);
> > +    ClientPtr blockedClient = pPriv->blockedClient;
> > +
> > +    pPriv->blockedClient = NULL;
> > +    pPriv->blockedOnMsc = FALSE;
> >      pPriv->refcnt--;
> >  
> > -    if (pPriv->refcnt == 0) {
> > -	DRI2DrawableGone(pPriv, 0);
> > +    if (ref == NULL) {
> > +	if (pPriv->refcnt == 0)
> > +	    DRI2DrawableGone(pPriv, 0);
> >  	return;
> >      }
> >  
> >      ProcDRI2WaitMSCReply(client, ((CARD64)tv_sec * 1000000) + tv_usec,
> >  			 frame, pPriv->swap_count);
> >  
> > -    if (pPriv->blockedClient)
> > -	AttendClient(pPriv->blockedClient);
> > -
> > -    pPriv->blockedClient = NULL;
> > -    pPriv->blockedOnMsc = FALSE;
> > +    if (blockedClient)
> > +	AttendClient(blockedClient);
> >  }
> >  
> >  static void
> > @@ -806,6 +810,7 @@ DRI2SwapComplete(ClientPtr client, DRI2DrawablePtr pPriv, int frame,
> >  		   DRI2SwapEventPtr swap_complete, void *swap_data)
> >  {
> >      DRI2SwapCompleteDataPtr pSwapData = swap_data;
> > +    DRI2DrawableRefPtr ref = DRI2LookupClientDrawableRef(pPriv, client, 0);
> >      DrawablePtr     pDraw = pPriv->drawable;
> >      CARD64          ust = 0;
> >  
> > @@ -813,6 +818,9 @@ DRI2SwapComplete(ClientPtr client, DRI2DrawablePtr pPriv, int frame,
> >      pPriv->swap_count++;
> >      pPriv->refcnt--;
> >  
> > +    if (ref == NULL)
> > +	goto out;
> > +
> >      if (pDraw) {
> >  	BoxRec          box;
> >  	RegionRec       region;
> > @@ -836,6 +844,7 @@ DRI2SwapComplete(ClientPtr client, DRI2DrawablePtr pPriv, int frame,
> >  
> >      DRI2WakeClient(client, pPriv, frame, tv_sec, tv_usec);
> >  
> > +out:
> >      free_swap_complete_data(pPriv, pSwapData);
> >  
> >      if (pPriv->refcnt == 0)
> 
>

More information about the xorg-devel mailing list