85 lines
2.7 KiB
Diff
85 lines
2.7 KiB
Diff
|
From 23c55ec32973e0a75d723e3f37769dd711c9c59c Mon Sep 17 00:00:00 2001
|
||
|
From: =?UTF-8?q?Michel=20D=C3=A4nzer?= <mdaenzer@redhat.com>
|
||
|
Date: Wed, 22 Jul 2020 18:20:14 +0200
|
||
|
Subject: [PATCH xserver] xwayland: Hold a pixmap reference in struct
|
||
|
xwl_present_event
|
||
|
MIME-Version: 1.0
|
||
|
Content-Type: text/plain; charset=UTF-8
|
||
|
Content-Transfer-Encoding: 8bit
|
||
|
|
||
|
In the log of the commit below, I claimed this wasn't necessary on the
|
||
|
1.20 branch, but this turned out to be wrong: It meant that
|
||
|
event->buffer could already be destroyed in xwl_present_free_event,
|
||
|
resulting in use-after-free and likely a crash.
|
||
|
|
||
|
Fixes: 22c0808ac88f "xwayland: Free all remaining events in
|
||
|
xwl_present_cleanup"
|
||
|
Signed-off-by: Michel Dänzer <mdaenzer@redhat.com>
|
||
|
---
|
||
|
hw/xwayland/xwayland-present.c | 17 +++++++++++++----
|
||
|
hw/xwayland/xwayland.h | 2 +-
|
||
|
2 files changed, 14 insertions(+), 5 deletions(-)
|
||
|
|
||
|
diff --git a/hw/xwayland/xwayland-present.c b/hw/xwayland/xwayland-present.c
|
||
|
index 2cec63f59..f003170a9 100644
|
||
|
--- a/hw/xwayland/xwayland-present.c
|
||
|
+++ b/hw/xwayland/xwayland-present.c
|
||
|
@@ -117,8 +117,16 @@ xwl_present_free_event(struct xwl_present_event *event)
|
||
|
if (!event)
|
||
|
return;
|
||
|
|
||
|
- if (event->buffer)
|
||
|
- wl_buffer_set_user_data(event->buffer, NULL);
|
||
|
+ if (event->pixmap) {
|
||
|
+ if (!event->buffer_released) {
|
||
|
+ struct wl_buffer *buffer =
|
||
|
+ xwl_glamor_pixmap_get_wl_buffer(event->pixmap, NULL);
|
||
|
+
|
||
|
+ wl_buffer_set_user_data(buffer, NULL);
|
||
|
+ }
|
||
|
+
|
||
|
+ dixDestroyPixmap(event->pixmap, event->pixmap->drawable.id);
|
||
|
+ }
|
||
|
|
||
|
xorg_list_del(&event->list);
|
||
|
free(event);
|
||
|
@@ -348,7 +356,7 @@ xwl_present_queue_vblank(WindowPtr present_window,
|
||
|
return BadAlloc;
|
||
|
|
||
|
event->event_id = event_id;
|
||
|
- event->buffer = NULL;
|
||
|
+ event->pixmap = NULL;
|
||
|
event->xwl_present_window = xwl_present_window;
|
||
|
event->target_msc = msc;
|
||
|
|
||
|
@@ -453,11 +461,12 @@ xwl_present_flip(WindowPtr present_window,
|
||
|
if (!event)
|
||
|
return FALSE;
|
||
|
|
||
|
+ pixmap->refcnt++;
|
||
|
buffer = xwl_glamor_pixmap_get_wl_buffer(pixmap, &buffer_created);
|
||
|
|
||
|
event->event_id = event_id;
|
||
|
event->xwl_present_window = xwl_present_window;
|
||
|
- event->buffer = buffer;
|
||
|
+ event->pixmap = pixmap;
|
||
|
event->target_msc = target_msc;
|
||
|
event->pending = TRUE;
|
||
|
event->abort = FALSE;
|
||
|
diff --git a/hw/xwayland/xwayland.h b/hw/xwayland/xwayland.h
|
||
|
index bc5836ec4..b9495b313 100644
|
||
|
--- a/hw/xwayland/xwayland.h
|
||
|
+++ b/hw/xwayland/xwayland.h
|
||
|
@@ -215,7 +215,7 @@ struct xwl_present_event {
|
||
|
Bool buffer_released;
|
||
|
|
||
|
struct xwl_present_window *xwl_present_window;
|
||
|
- struct wl_buffer *buffer;
|
||
|
+ PixmapPtr pixmap;
|
||
|
|
||
|
struct xorg_list list;
|
||
|
};
|
||
|
--
|
||
|
2.26.2
|
||
|
|