wlroots/render/allocator/shm.c
John Lindgren 16cb509a6e render/allocator: add missing wlr_buffer_finish() in destroy impls
Fixes use-after-free on exit of labwc running nested:

==50906== Invalid write of size 8
==50906==    at 0x4A85403: wl_list_remove (wayland-util.c:57)
==50906==    by 0x40BBAF9: destroy_wl_buffer (output.c:146)
==50906==    by 0x40B9B4F: backend_destroy (backend.c:488)
==50906==    by 0x409E96F: wlr_backend_destroy (backend.c:68)
==50906==    by 0x40B78A6: multi_backend_destroy (backend.c:62)
==50906==    by 0x409E96F: wlr_backend_destroy (backend.c:68)
==50906==    by 0x4043DA0: server_finish (server.c:788)
==50906==    by 0x403AA85: main (main.c:277)
==50906==  Address 0xb4435e8 is 40 bytes inside a block of size 136 free'd
==50906==    at 0x4A3E8EF: free (vg_replace_malloc.c:989)
==50906==    by 0x409C954: buffer_destroy (shm.c:28)
==50906==    by 0x40E96F4: buffer_consider_destroy (buffer.c:42)
==50906==    by 0x40E9754: wlr_buffer_drop (buffer.c:52)
==50906==    by 0x41498DA: slot_reset (swapchain.c:44)
==50906==    by 0x4149933: wlr_swapchain_destroy (swapchain.c:53)
==50906==    by 0x40CB1FA: wlr_output_finish (output.c:410)
==50906==    by 0x40BE00B: output_destroy (output.c:957)
==50906==    by 0x40CB2FC: wlr_output_destroy (output.c:436)
==50906==    by 0x40B9AFC: backend_destroy (backend.c:481)
==50906==    by 0x409E96F: wlr_backend_destroy (backend.c:68)
==50906==    by 0x40B78A6: multi_backend_destroy (backend.c:62)
==50906==  Block was alloc'd at
==50906==    at 0x4A42C13: calloc (vg_replace_malloc.c:1675)
==50906==    by 0x409CA84: allocator_create_buffer (shm.c:68)
==50906==    by 0x409C7BA: wlr_allocator_create_buffer (allocator.c:186)
==50906==    by 0x4149B80: wlr_swapchain_acquire (swapchain.c:102)
==50906==    by 0x40C90DA: render_cursor_buffer (cursor.c:246)
==50906==    by 0x40C93DC: output_cursor_attempt_hardware (cursor.c:303)
==50906==    by 0x40C9A61: output_cursor_set_texture (cursor.c:420)
==50906==    by 0x40C9738: wlr_output_cursor_set_buffer (cursor.c:352)
==50906==    by 0x40F13A0: output_cursor_set_xcursor_image (wlr_cursor.c:507)
==50906==    by 0x40F1B28: cursor_output_cursor_update (wlr_cursor.c:630)
==50906==    by 0x40F1C2A: cursor_update_outputs (wlr_cursor.c:657)
==50906==    by 0x40F1CF9: wlr_cursor_set_xcursor (wlr_cursor.c:674)

Fixes: 7963ba6a0d
("buffer: introduce wlr_buffer_finish()")
2025-12-20 15:02:08 -05:00


#include <assert.h>
#include <drm_fourcc.h>
#include <stdlib.h>
#include <sys/mman.h>
#include <unistd.h>
#include <wlr/interfaces/wlr_buffer.h>
#include <wlr/render/allocator.h>
#include <wlr/render/drm_format_set.h>
#include <wlr/util/log.h>
#include "render/pixel_format.h"
#include "render/allocator/shm.h"
#include "util/shm.h"
// Forward declaration: shm_buffer_from_buffer() compares against the address
// of this table before the table itself is defined further down the file.
static const struct wlr_buffer_impl buffer_impl;
/**
 * Recover the enclosing wlr_shm_buffer from its embedded wlr_buffer.
 *
 * The assert is the only type check: it verifies that the buffer's impl is
 * this file's buffer_impl before the container_of downcast. In a build with
 * NDEBUG the assert compiles away, so callers must only pass buffers that
 * were created by this allocator.
 */
static struct wlr_shm_buffer *shm_buffer_from_buffer(
		struct wlr_buffer *wlr_buffer) {
	assert(wlr_buffer->impl == &buffer_impl);

	struct wlr_shm_buffer *shm_buf = NULL;
	shm_buf = wl_container_of(wlr_buffer, shm_buf, base);
	return shm_buf;
}
/**
 * wlr_buffer_impl.destroy hook: tear down a shm buffer and release its memory.
 *
 * Ordering is load-bearing. wlr_buffer_finish() has to run while the struct
 * is still allocated; the commit that added the call reports that without it
 * a later wl_list_remove() wrote into the already-freed buffer
 * (use-after-free reported by Valgrind on compositor exit).
 */
static void buffer_destroy(struct wlr_buffer *wlr_buffer) {
	struct wlr_shm_buffer *shm_buf = shm_buffer_from_buffer(wlr_buffer);

	// Must come before free(): nothing may still reference the struct
	// once its memory is returned to the heap.
	wlr_buffer_finish(wlr_buffer);

	// Release in reverse order of acquisition: mapping, backing fd, struct.
	// Return values are not checked; there is no recovery path in a destructor.
	munmap(shm_buf->data, shm_buf->size);
	close(shm_buf->shm.fd);
	free(shm_buf);
}
/**
 * wlr_buffer_impl.get_shm hook: copy the buffer's shm attributes into *shm.
 *
 * This is a plain struct copy, so the file descriptor in the result is the
 * same descriptor the buffer holds (it is not duplicated here). The buffer
 * closes that descriptor in buffer_destroy(), so the copy must not be used
 * after the buffer is destroyed.
 *
 * Always returns true.
 */
static bool buffer_get_shm(struct wlr_buffer *wlr_buffer,
		struct wlr_shm_attributes *shm) {
	const struct wlr_shm_buffer *shm_buf = shm_buffer_from_buffer(wlr_buffer);

	*shm = shm_buf->shm;
	return true;
}
/**
 * wlr_buffer_impl.begin_data_ptr_access hook: expose the mapped pixels.
 *
 * Writes the mapping address, pixel format and stride through the output
 * pointers and always returns true. `flags` is not consulted: the mapping is
 * created read/write in allocator_create_buffer(), so the returned pointer is
 * writable whatever access mode the caller requested.
 */
static bool shm_buffer_begin_data_ptr_access(struct wlr_buffer *wlr_buffer,
		uint32_t flags, void **data, uint32_t *format, size_t *stride) {
	(void)flags; // access mode is not enforced for shm buffers

	const struct wlr_shm_buffer *shm_buf = shm_buffer_from_buffer(wlr_buffer);
	const struct wlr_shm_attributes *attribs = &shm_buf->shm;

	*data = shm_buf->data;
	*format = attribs->format;
	*stride = attribs->stride;
	return true;
}
/**
 * wlr_buffer_impl.end_data_ptr_access hook.
 *
 * Deliberately a no-op: begin_data_ptr_access() acquires nothing that would
 * have to be released here.
 */
static void shm_buffer_end_data_ptr_access(struct wlr_buffer *wlr_buffer) {
	(void)wlr_buffer;
}
// Buffer vtable for shm-backed buffers. Its address doubles as the type tag
// that shm_buffer_from_buffer() asserts on before downcasting.
static const struct wlr_buffer_impl buffer_impl = {
	.get_shm = buffer_get_shm,
	.begin_data_ptr_access = shm_buffer_begin_data_ptr_access,
	.end_data_ptr_access = shm_buffer_end_data_ptr_access,
	// Teardown: finishes the wlr_buffer before unmapping and freeing it.
	.destroy = buffer_destroy,
};
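/**
 * wlr_allocator_interface.create_buffer hook: allocate a shared-memory backed
 * buffer of width x height pixels in the given DRM format.
 *
 * width and height come from the caller and are validated here, because they
 * determine the size passed to allocate_shm_file() and mmap(): non-positive
 * dimensions, a non-positive stride, or a stride * height product that does
 * not fit in size_t are all rejected.
 *
 * @param wlr_allocator  the allocator (unused)
 * @param width          buffer width in pixels, must be > 0
 * @param height         buffer height in pixels, must be > 0
 * @param format         DRM format; only format->format is read
 * @return the embedded wlr_buffer on success (destroyed via
 *         buffer_impl.destroy), or NULL on any failure
 */
static struct wlr_buffer *allocator_create_buffer(
		struct wlr_allocator *wlr_allocator, int width, int height,
		const struct wlr_drm_format *format) {
	const struct wlr_pixel_format_info *info =
		drm_get_pixel_format_info(format->format);
	if (info == NULL) {
		wlr_log(WLR_ERROR, "Unsupported pixel format 0x%"PRIX32, format->format);
		return NULL;
	}

	if (width <= 0 || height <= 0) {
		wlr_log(WLR_ERROR, "Invalid buffer dimensions %dx%d", width, height);
		return NULL;
	}

	// TODO: consider using a single file for multiple buffers
	int stride = pixel_format_info_min_stride(info, width); // TODO: align?
	if (stride <= 0) {
		// NOTE(review): presumably the helper signals failure with a
		// non-positive value; either way such a stride is unusable.
		wlr_log(WLR_ERROR, "Invalid stride %d for width %d", stride, width);
		return NULL;
	}

	// Multiply in size_t rather than int: signed overflow is undefined
	// behaviour and a wrapped size would under-allocate the mapping.
	// Unsigned wrap is well defined, so the division detects it.
	size_t size = (size_t)stride * (size_t)height;
	if (size / (size_t)height != (size_t)stride) {
		wlr_log(WLR_ERROR, "Buffer size overflow (stride %d, height %d)",
			stride, height);
		return NULL;
	}

	struct wlr_shm_buffer *buffer = calloc(1, sizeof(*buffer));
	if (buffer == NULL) {
		return NULL;
	}

	buffer->size = size;
	buffer->shm.fd = allocate_shm_file(buffer->size);
	if (buffer->shm.fd < 0) {
		free(buffer);
		return NULL;
	}

	buffer->shm.format = format->format;
	buffer->shm.width = width;
	buffer->shm.height = height;
	buffer->shm.stride = stride;
	buffer->shm.offset = 0;

	buffer->data = mmap(NULL, buffer->size, PROT_READ | PROT_WRITE, MAP_SHARED,
		buffer->shm.fd, 0);
	if (buffer->data == MAP_FAILED) {
		wlr_log_errno(WLR_ERROR, "mmap failed");
		close(buffer->shm.fd);
		free(buffer);
		return NULL;
	}

	// Initialise the wlr_buffer last. None of the steps above read
	// buffer->base, and this way no failure path frees an initialised
	// wlr_buffer without wlr_buffer_finish().
	wlr_buffer_init(&buffer->base, &buffer_impl, width, height);

	return &buffer->base;
}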
/**
 * wlr_allocator_interface.destroy hook: release the allocator object.
 *
 * NOTE(review): free() receives the base pointer, while the allocation in
 * wlr_shm_allocator_create() is of the enclosing struct wlr_shm_allocator.
 * The two addresses match only if `base` is that struct's first member;
 * presumably it is, confirm in render/allocator/shm.h.
 */
static void allocator_destroy(struct wlr_allocator *wlr_allocator) {
	free(wlr_allocator);
}
// Allocator vtable installed by wlr_shm_allocator_create().
static const struct wlr_allocator_interface allocator_impl = {
	.create_buffer = allocator_create_buffer,
	.destroy = allocator_destroy,
};
/**
 * Create a shared-memory allocator.
 *
 * The allocator is initialised with the data-pointer and shm buffer
 * capabilities and the vtable in allocator_impl.
 *
 * @return the embedded wlr_allocator, or NULL if allocation fails. It is
 *         released through allocator_impl.destroy.
 */
struct wlr_allocator *wlr_shm_allocator_create(void) {
	struct wlr_shm_allocator *shm_alloc = calloc(1, sizeof(*shm_alloc));
	if (!shm_alloc) {
		return NULL;
	}

	struct wlr_allocator *base = &shm_alloc->base;
	wlr_allocator_init(base, &allocator_impl,
		WLR_BUFFER_CAP_DATA_PTR | WLR_BUFFER_CAP_SHM);

	wlr_log(WLR_DEBUG, "Created shm allocator");
	return base;
}