mirror of
https://gitlab.freedesktop.org/wlroots/wlroots.git
synced 2025-12-25 08:10:04 +01:00
Fixes use-after-free on exit of labwc running nested:
==50906== Invalid write of size 8
==50906== at 0x4A85403: wl_list_remove (wayland-util.c:57)
==50906== by 0x40BBAF9: destroy_wl_buffer (output.c:146)
==50906== by 0x40B9B4F: backend_destroy (backend.c:488)
==50906== by 0x409E96F: wlr_backend_destroy (backend.c:68)
==50906== by 0x40B78A6: multi_backend_destroy (backend.c:62)
==50906== by 0x409E96F: wlr_backend_destroy (backend.c:68)
==50906== by 0x4043DA0: server_finish (server.c:788)
==50906== by 0x403AA85: main (main.c:277)
==50906== Address 0xb4435e8 is 40 bytes inside a block of size 136 free'd
==50906== at 0x4A3E8EF: free (vg_replace_malloc.c:989)
==50906== by 0x409C954: buffer_destroy (shm.c:28)
==50906== by 0x40E96F4: buffer_consider_destroy (buffer.c:42)
==50906== by 0x40E9754: wlr_buffer_drop (buffer.c:52)
==50906== by 0x41498DA: slot_reset (swapchain.c:44)
==50906== by 0x4149933: wlr_swapchain_destroy (swapchain.c:53)
==50906== by 0x40CB1FA: wlr_output_finish (output.c:410)
==50906== by 0x40BE00B: output_destroy (output.c:957)
==50906== by 0x40CB2FC: wlr_output_destroy (output.c:436)
==50906== by 0x40B9AFC: backend_destroy (backend.c:481)
==50906== by 0x409E96F: wlr_backend_destroy (backend.c:68)
==50906== by 0x40B78A6: multi_backend_destroy (backend.c:62)
==50906== Block was alloc'd at
==50906== at 0x4A42C13: calloc (vg_replace_malloc.c:1675)
==50906== by 0x409CA84: allocator_create_buffer (shm.c:68)
==50906== by 0x409C7BA: wlr_allocator_create_buffer (allocator.c:186)
==50906== by 0x4149B80: wlr_swapchain_acquire (swapchain.c:102)
==50906== by 0x40C90DA: render_cursor_buffer (cursor.c:246)
==50906== by 0x40C93DC: output_cursor_attempt_hardware (cursor.c:303)
==50906== by 0x40C9A61: output_cursor_set_texture (cursor.c:420)
==50906== by 0x40C9738: wlr_output_cursor_set_buffer (cursor.c:352)
==50906== by 0x40F13A0: output_cursor_set_xcursor_image (wlr_cursor.c:507)
==50906== by 0x40F1B28: cursor_output_cursor_update (wlr_cursor.c:630)
==50906== by 0x40F1C2A: cursor_update_outputs (wlr_cursor.c:657)
==50906== by 0x40F1CF9: wlr_cursor_set_xcursor (wlr_cursor.c:674)
Fixes: 7963ba6a0d
("buffer: introduce wlr_buffer_finish()")
#undef _POSIX_C_SOURCE
#define _GNU_SOURCE // for memfd_create() and F_ADD_SEALS

#include <drm_fourcc.h>
#include <fcntl.h>
#include <linux/udmabuf.h>
#include <stdint.h>
#include <stdlib.h>
#include <sys/ioctl.h>
#include <sys/mman.h>
#include <unistd.h>

#include <wlr/interfaces/wlr_buffer.h>
#include <wlr/render/allocator.h>
#include <wlr/render/drm_format_set.h>
#include <wlr/util/log.h>

#include "render/allocator/udmabuf.h"
#include "render/pixel_format.h"
/*
 * wlr_buffer_impl.get_shm hook: hand back the shared-memory view of the
 * buffer.
 *
 * The attributes are copied by value, so the fd in *shm is the very same
 * descriptor the buffer holds (no dup() happens here). It stays owned by the
 * buffer and is closed in buffer_destroy(); callers must not close it.
 *
 * Always returns true.
 */
static bool buffer_get_shm(struct wlr_buffer *wlr_buffer,
		struct wlr_shm_attributes *shm) {
	struct wlr_udmabuf_buffer *udmabuf_buffer =
		wl_container_of(wlr_buffer, udmabuf_buffer, base);

	*shm = udmabuf_buffer->shm;
	return true;
}
/*
 * wlr_buffer_impl.get_dmabuf hook: hand back the DMA-BUF view of the buffer.
 *
 * The attributes are copied by value, so the plane fd in *dmabuf is the same
 * descriptor the buffer holds (no dup() happens here). The buffer keeps
 * ownership of it; see buffer_destroy() for where it is released.
 *
 * Always returns true.
 */
static bool buffer_get_dmabuf(struct wlr_buffer *wlr_buffer,
		struct wlr_dmabuf_attributes *dmabuf) {
	struct wlr_udmabuf_buffer *udmabuf_buffer =
		wl_container_of(wlr_buffer, udmabuf_buffer, base);

	*dmabuf = udmabuf_buffer->dmabuf;
	return true;
}
/*
 * wlr_buffer_impl.destroy hook: tear down a udmabuf-backed buffer.
 *
 * Order matters: the generic wlr_buffer state is finished first, and only
 * then are the descriptors released and the containing allocation freed.
 * Nothing may touch wlr_buffer after this returns, since it lives inside the
 * freed struct.
 */
static void buffer_destroy(struct wlr_buffer *wlr_buffer) {
	struct wlr_udmabuf_buffer *udmabuf_buffer =
		wl_container_of(wlr_buffer, udmabuf_buffer, base);

	// Finish the base object while the containing struct is still alive.
	wlr_buffer_finish(wlr_buffer);

	// NOTE(review): presumably this closes the DMA-BUF plane fd(s) stored in
	// the attributes; confirm against wlr_dmabuf_attributes_finish().
	wlr_dmabuf_attributes_finish(&udmabuf_buffer->dmabuf);

	// The memfd is a separate descriptor from the DMA-BUF fd and is closed
	// explicitly here.
	close(udmabuf_buffer->shm.fd);

	free(udmabuf_buffer);
}
/*
 * Buffer vtable for udmabuf-backed buffers. Both accessors are provided
 * because each buffer carries a memfd (shm) view and a DMA-BUF view of the
 * same allocation.
 */
static const struct wlr_buffer_impl buffer_impl = {
	.get_dmabuf = buffer_get_dmabuf,
	.get_shm = buffer_get_shm,
	.destroy = buffer_destroy,
};
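/**
 * Create a linear buffer whose pixels live in a sealed memfd that is also
 * exported as a DMA-BUF through the allocator's udmabuf device fd.
 *
 * width and height are validated, and the byte size is computed in size_t
 * with explicit overflow checks. The previous `int * int` multiplication
 * could overflow (undefined behaviour), and a wrapped size would produce a
 * memfd smaller than the width/height/stride advertised in the returned
 * attributes, which is an out-of-bounds access waiting to happen in whoever
 * maps the buffer.
 *
 * Returns the wlr_buffer base of the new buffer, or NULL on failure, in which
 * case every resource acquired so far has been released. On success the
 * buffer owns both the memfd (shm.fd) and the DMA-BUF fd (dmabuf.fd[0]).
 */
static struct wlr_buffer *allocator_create_buffer(
		struct wlr_allocator *wlr_allocator, int width, int height,
		const struct wlr_drm_format *format) {
	struct wlr_udmabuf_allocator *allocator = wl_container_of(wlr_allocator, allocator, base);

	const struct wlr_pixel_format_info *info =
		drm_get_pixel_format_info(format->format);
	if (info == NULL) {
		wlr_log(WLR_ERROR, "Unsupported pixel format 0x%"PRIX32, format->format);
		return NULL;
	}

	// Reject non-positive dimensions before they reach any size arithmetic.
	if (width <= 0 || height <= 0) {
		wlr_log(WLR_ERROR, "Invalid buffer size %dx%d", width, height);
		return NULL;
	}

	long page_size = sysconf(_SC_PAGE_SIZE);
	if (page_size <= 0) {
		// <= 0 rather than == -1: page_size is used as a modulus below.
		wlr_log_errno(WLR_ERROR, "Failed to query page size");
		return NULL;
	}

	// TODO: consider using a single file for multiple buffers
	int stride = pixel_format_info_min_stride(info, width); // TODO: align?
	if (stride <= 0) {
		// NOTE(review): the helper presumably signals failure with a
		// non-positive stride; confirm. Either way such a stride cannot
		// describe a usable buffer.
		wlr_log(WLR_ERROR, "Invalid stride %d for width %d", stride, width);
		return NULL;
	}

	// Compute stride * height in size_t, refusing to wrap.
	size_t row_bytes = (size_t)stride;
	size_t rows = (size_t)height;
	if (rows > SIZE_MAX / row_bytes) {
		wlr_log(WLR_ERROR, "Buffer size overflow for %dx%d", width, height);
		return NULL;
	}
	size_t size = row_bytes * rows;

	// udmabuf works on whole pages: round the size up to a page multiple.
	size_t page = (size_t)page_size;
	size_t remainder = size % page;
	if (remainder != 0) {
		size_t padding = page - remainder;
		if (size > SIZE_MAX - padding) {
			wlr_log(WLR_ERROR, "Buffer size overflow for %dx%d", width, height);
			return NULL;
		}
		size += padding;
	}

	struct wlr_udmabuf_buffer *buffer = calloc(1, sizeof(*buffer));
	if (buffer == NULL) {
		return NULL;
	}

	// MFD_CLOEXEC keeps the descriptor from leaking into exec'd children;
	// MFD_ALLOW_SEALING is required for the F_ADD_SEALS call below.
	int memfd = memfd_create("wlroots", MFD_CLOEXEC | MFD_ALLOW_SEALING);
	if (memfd < 0) {
		wlr_log_errno(WLR_ERROR, "memfd_create() failed");
		goto err_buffer;
	}

	if (ftruncate(memfd, size) < 0) {
		wlr_log_errno(WLR_ERROR, "ftruncate() failed");
		goto err_memfd;
	}

	// F_SEAL_SHRINK stops the file from being truncated underneath the
	// DMA-BUF export; F_SEAL_SEAL freezes the seal set so no further seals
	// can be added later by anyone holding the fd.
	if (fcntl(memfd, F_ADD_SEALS, F_SEAL_SEAL | F_SEAL_SHRINK) < 0) {
		wlr_log_errno(WLR_ERROR, "fcntl(F_ADD_SEALS) failed");
		goto err_memfd;
	}

	struct udmabuf_create udmabuf_create = {
		.memfd = memfd,
		.flags = UDMABUF_FLAGS_CLOEXEC,
		.offset = 0,
		.size = size,
	};
	int dmabuf_fd = ioctl(allocator->fd, UDMABUF_CREATE, &udmabuf_create);
	if (dmabuf_fd < 0) {
		wlr_log_errno(WLR_ERROR, "ioctl(UDMABUF_CREATE) failed");
		goto err_memfd;
	}

	// Initialise the base object only once nothing can fail any more, so the
	// error paths above free a plain zeroed allocation and never an
	// initialised wlr_buffer that skipped wlr_buffer_finish().
	wlr_buffer_init(&buffer->base, &buffer_impl, width, height);

	buffer->size = size;
	buffer->shm = (struct wlr_shm_attributes){
		.width = width,
		.height = height,
		.format = format->format,
		.offset = 0,
		.stride = stride,
		.fd = memfd,
	};
	buffer->dmabuf = (struct wlr_dmabuf_attributes){
		.width = width,
		.height = height,
		.format = format->format,
		.modifier = DRM_FORMAT_MOD_LINEAR,
		.n_planes = 1,
		.offset[0] = 0,
		.stride[0] = stride,
		.fd[0] = dmabuf_fd,
	};

	return &buffer->base;

err_memfd:
	close(memfd);
err_buffer:
	free(buffer);
	return NULL;
}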
/*
 * wlr_allocator_interface.destroy hook: close the udmabuf device descriptor
 * held by the allocator, then free the allocator itself.
 */
static void allocator_destroy(struct wlr_allocator *wlr_allocator) {
	struct wlr_udmabuf_allocator *udmabuf_allocator =
		wl_container_of(wlr_allocator, udmabuf_allocator, base);

	close(udmabuf_allocator->fd);
	free(udmabuf_allocator);
}
/* Allocator vtable wiring the udmabuf implementation into wlr_allocator. */
static const struct wlr_allocator_interface allocator_impl = {
	.create_buffer = allocator_create_buffer,
	.destroy = allocator_destroy,
};
/**
 * Create an allocator backed by the udmabuf device.
 *
 * Opens /dev/udmabuf read-write with O_CLOEXEC, so the device descriptor is
 * not inherited across exec, and advertises both the SHM and DMA-BUF buffer
 * capabilities.
 *
 * Returns the wlr_allocator base of the new allocator, or NULL if the device
 * cannot be opened or memory allocation fails. On success the allocator owns
 * the device descriptor and closes it in allocator_destroy().
 */
struct wlr_allocator *wlr_udmabuf_allocator_create(void) {
	int device_fd = open("/dev/udmabuf", O_RDWR | O_CLOEXEC);
	if (device_fd < 0) {
		wlr_log_errno(WLR_ERROR, "Failed to open /dev/udmabuf");
		return NULL;
	}

	struct wlr_udmabuf_allocator *udmabuf_allocator =
		calloc(1, sizeof(*udmabuf_allocator));
	if (udmabuf_allocator != NULL) {
		wlr_allocator_init(&udmabuf_allocator->base, &allocator_impl,
			WLR_BUFFER_CAP_SHM | WLR_BUFFER_CAP_DMABUF);
		udmabuf_allocator->fd = device_fd;
		return &udmabuf_allocator->base;
	}

	// Allocation failed: do not leak the device descriptor.
	close(device_fd);
	return NULL;
}