render/gbm_allocator: fix gbm_device use-after-free

We need to destroy any gbm_bo we've created before gbm_device_destroy.

Closes: https://github.com/swaywm/wlroots/issues/2601
This commit is contained in:
Simon Ser 2021-01-15 11:26:35 +01:00
parent 9dd059376c
commit c73a8cde83
2 changed files with 29 additions and 5 deletions

View file

@ -8,7 +8,9 @@
struct wlr_gbm_buffer {
struct wlr_buffer base;
struct gbm_bo *gbm_bo;
struct wl_list link; // wlr_gbm_allocator.buffers
struct gbm_bo *gbm_bo; // NULL if the gbm_device has been destroyed
struct wlr_dmabuf_attributes dmabuf;
};
@ -17,6 +19,8 @@ struct wlr_gbm_allocator {
int fd;
struct gbm_device *gbm_device;
struct wl_list buffers; // wlr_gbm_buffer.link
};
/**

View file

@ -16,8 +16,10 @@ static struct wlr_gbm_buffer *get_gbm_buffer_from_buffer(
return (struct wlr_gbm_buffer *)buffer;
}
static struct wlr_gbm_buffer *create_buffer(struct gbm_device *gbm_device,
static struct wlr_gbm_buffer *create_buffer(struct wlr_gbm_allocator *alloc,
int width, int height, const struct wlr_drm_format *format) {
struct gbm_device *gbm_device = alloc->gbm_device;
struct gbm_bo *bo = NULL;
if (format->len > 0) {
bo = gbm_bo_create_with_modifiers(gbm_device, width, height,
@ -43,6 +45,7 @@ static struct wlr_gbm_buffer *create_buffer(struct gbm_device *gbm_device,
}
wlr_buffer_init(&buffer->base, &buffer_impl, width, height);
buffer->gbm_bo = bo;
wl_list_insert(&alloc->buffers, &buffer->link);
wlr_log(WLR_DEBUG, "Allocated %dx%d GBM buffer (format 0x%"PRIX32", "
"modifier 0x%"PRIX64")", buffer->base.width, buffer->base.height,
@ -55,7 +58,10 @@ static void buffer_destroy(struct wlr_buffer *wlr_buffer) {
struct wlr_gbm_buffer *buffer =
get_gbm_buffer_from_buffer(wlr_buffer);
wlr_dmabuf_attributes_finish(&buffer->dmabuf);
gbm_bo_destroy(buffer->gbm_bo);
if (buffer->gbm_bo != NULL) {
gbm_bo_destroy(buffer->gbm_bo);
}
wl_list_remove(&buffer->link);
free(buffer);
}
@ -63,6 +69,10 @@ static bool buffer_create_dmabuf(struct wlr_gbm_buffer *buffer) {
assert(buffer->dmabuf.n_planes == 0);
struct gbm_bo *bo = buffer->gbm_bo;
if (bo == NULL) {
return false;
}
struct wlr_dmabuf_attributes attribs = {0};
attribs.n_planes = gbm_bo_get_plane_count(bo);
@ -146,6 +156,7 @@ struct wlr_gbm_allocator *wlr_gbm_allocator_create(int fd) {
wlr_allocator_init(&alloc->base, &allocator_impl);
alloc->fd = fd;
wl_list_init(&alloc->buffers);
alloc->gbm_device = gbm_create_device(fd);
if (alloc->gbm_device == NULL) {
@ -162,6 +173,16 @@ struct wlr_gbm_allocator *wlr_gbm_allocator_create(int fd) {
static void allocator_destroy(struct wlr_allocator *wlr_alloc) {
struct wlr_gbm_allocator *alloc = get_gbm_alloc_from_alloc(wlr_alloc);
// The gbm_bo objects need to be destroyed before the gbm_device
struct wlr_gbm_buffer *buf, *buf_tmp;
wl_list_for_each_safe(buf, buf_tmp, &alloc->buffers, link) {
gbm_bo_destroy(buf->gbm_bo);
buf->gbm_bo = NULL;
wl_list_remove(&buf->link);
wl_list_init(&buf->link);
}
gbm_device_destroy(alloc->gbm_device);
close(alloc->fd);
free(alloc);
@ -171,8 +192,7 @@ static struct wlr_buffer *allocator_create_buffer(
struct wlr_allocator *wlr_alloc, int width, int height,
const struct wlr_drm_format *format) {
struct wlr_gbm_allocator *alloc = get_gbm_alloc_from_alloc(wlr_alloc);
struct wlr_gbm_buffer *buffer =
create_buffer(alloc->gbm_device, width, height, format);
struct wlr_gbm_buffer *buffer = create_buffer(alloc, width, height, format);
if (buffer == NULL) {
return NULL;
}