|
 |
315c3e |
From 23c55ec32973e0a75d723e3f37769dd711c9c59c Mon Sep 17 00:00:00 2001
|
|
|
315c3e |
From: =?UTF-8?q?Michel=20D=C3=A4nzer?= <mdaenzer@redhat.com>
|
|
|
315c3e |
Date: Wed, 22 Jul 2020 18:20:14 +0200
|
|
|
315c3e |
Subject: [PATCH xserver] xwayland: Hold a pixmap reference in struct
|
|
|
315c3e |
xwl_present_event
|
|
|
315c3e |
MIME-Version: 1.0
|
|
|
315c3e |
Content-Type: text/plain; charset=UTF-8
|
|
|
315c3e |
Content-Transfer-Encoding: 8bit
|
|
|
315c3e |
|
|
|
315c3e |
In the log of the commit below, I claimed this wasn't necessary on the
|
|
|
315c3e |
1.20 branch, but this turned out to be wrong: It meant that
|
|
|
315c3e |
event->buffer could already be destroyed in xwl_present_free_event,
|
|
|
315c3e |
resulting in use-after-free and likely a crash.
|
|
|
315c3e |
|
|
|
315c3e |
Fixes: 22c0808ac88f "xwayland: Free all remaining events in
|
|
|
315c3e |
xwl_present_cleanup"
|
|
|
315c3e |
Signed-off-by: Michel Dänzer <mdaenzer@redhat.com>
|
|
|
315c3e |
---
|
|
|
315c3e |
hw/xwayland/xwayland-present.c | 17 +++++++++++++----
|
|
|
315c3e |
hw/xwayland/xwayland.h | 2 +-
|
|
|
315c3e |
2 files changed, 14 insertions(+), 5 deletions(-)
|
|
|
315c3e |
|
|
|
315c3e |
diff --git a/hw/xwayland/xwayland-present.c b/hw/xwayland/xwayland-present.c
|
|
|
315c3e |
index 2cec63f59..f003170a9 100644
|
|
|
315c3e |
--- a/hw/xwayland/xwayland-present.c
|
|
|
315c3e |
+++ b/hw/xwayland/xwayland-present.c
|
|
|
315c3e |
@@ -117,8 +117,16 @@ xwl_present_free_event(struct xwl_present_event *event)
|
|
|
315c3e |
if (!event)
|
|
|
315c3e |
return;
|
|
|
315c3e |
|
|
|
315c3e |
- if (event->buffer)
|
|
|
315c3e |
- wl_buffer_set_user_data(event->buffer, NULL);
|
|
|
315c3e |
+ if (event->pixmap) {
|
|
|
315c3e |
+ if (!event->buffer_released) {
|
|
|
315c3e |
+ struct wl_buffer *buffer =
|
|
|
315c3e |
+ xwl_glamor_pixmap_get_wl_buffer(event->pixmap, NULL);
|
|
|
315c3e |
+
|
|
|
315c3e |
+ wl_buffer_set_user_data(buffer, NULL);
|
|
|
315c3e |
+ }
|
|
|
315c3e |
+
|
|
|
315c3e |
+ dixDestroyPixmap(event->pixmap, event->pixmap->drawable.id);
|
|
|
315c3e |
+ }
|
|
|
315c3e |
|
|
|
315c3e |
xorg_list_del(&event->list);
|
|
|
315c3e |
free(event);
|
|
|
315c3e |
@@ -348,7 +356,7 @@ xwl_present_queue_vblank(WindowPtr present_window,
|
|
|
315c3e |
return BadAlloc;
|
|
|
315c3e |
|
|
|
315c3e |
event->event_id = event_id;
|
|
|
315c3e |
- event->buffer = NULL;
|
|
|
315c3e |
+ event->pixmap = NULL;
|
|
|
315c3e |
event->xwl_present_window = xwl_present_window;
|
|
|
315c3e |
event->target_msc = msc;
|
|
|
315c3e |
|
|
|
315c3e |
@@ -453,11 +461,12 @@ xwl_present_flip(WindowPtr present_window,
|
|
|
315c3e |
if (!event)
|
|
|
315c3e |
return FALSE;
|
|
|
315c3e |
|
|
|
315c3e |
+ pixmap->refcnt++;
|
|
|
315c3e |
buffer = xwl_glamor_pixmap_get_wl_buffer(pixmap, &buffer_created);
|
|
|
315c3e |
|
|
|
315c3e |
event->event_id = event_id;
|
|
|
315c3e |
event->xwl_present_window = xwl_present_window;
|
|
|
315c3e |
- event->buffer = buffer;
|
|
|
315c3e |
+ event->pixmap = pixmap;
|
|
|
315c3e |
event->target_msc = target_msc;
|
|
|
315c3e |
event->pending = TRUE;
|
|
|
315c3e |
event->abort = FALSE;
|
|
|
315c3e |
diff --git a/hw/xwayland/xwayland.h b/hw/xwayland/xwayland.h
|
|
|
315c3e |
index bc5836ec4..b9495b313 100644
|
|
|
315c3e |
--- a/hw/xwayland/xwayland.h
|
|
|
315c3e |
+++ b/hw/xwayland/xwayland.h
|
|
|
315c3e |
@@ -215,7 +215,7 @@ struct xwl_present_event {
|
|
|
315c3e |
Bool buffer_released;
|
|
|
315c3e |
|
|
|
315c3e |
struct xwl_present_window *xwl_present_window;
|
|
|
315c3e |
- struct wl_buffer *buffer;
|
|
|
315c3e |
+ PixmapPtr pixmap;
|
|
|
315c3e |
|
|
|
315c3e |
struct xorg_list list;
|
|
|
315c3e |
};
|
|
|
315c3e |
--
|
|
|
315c3e |
2.26.2
|
|
|
315c3e |
|