The old code could use gem name as key when inserting it to bo_handles
hash table while trying to remove it from hash table with bo_handle as
key in virgl_hw_res_destroy. This triggers use after free. Also, we
should only reuse resource from bo_handle hash when the handle type is
FD.
Signed-off-by: Lepton Wu <lep...@chromium.org>
---
src/gallium/winsys/virgl/drm/virgl_drm_winsys.c | 15 ++++++++-------
1 file changed, 8 insertions(+), 7 deletions(-)
diff --git a/src/gallium/winsys/virgl/drm/virgl_drm_winsys.c
b/src/gallium/winsys/virgl/drm/virgl_drm_winsys.c
index 120e8eda2cd..01811a0e997 100644
--- a/src/gallium/winsys/virgl/drm/virgl_drm_winsys.c
+++ b/src/gallium/winsys/virgl/drm/virgl_drm_winsys.c
@@ -424,13 +424,13 @@ virgl_drm_winsys_resource_create_handle(struct
virgl_winsys *qws,
res = NULL;
goto done;
}
- }
- res = util_hash_table_get(qdws->bo_handles, (void*)(uintptr_t)handle);
- if (res) {
- struct virgl_hw_res *r = NULL;
- virgl_drm_resource_reference(qdws, &r, res);
- goto done;
+ res = util_hash_table_get(qdws->bo_handles, (void*)(uintptr_t)handle);
+ if (res) {
+ struct virgl_hw_res *r = NULL;
+ virgl_drm_resource_reference(qdws, &r, res);
+ goto done;
+ }
}
res = CALLOC_STRUCT(virgl_hw_res);
@@ -469,7 +469,8 @@ virgl_drm_winsys_resource_create_handle(struct virgl_winsys
*qws,
res->num_cs_references = 0;
res->fence_fd = -1;
- util_hash_table_set(qdws->bo_handles, (void *)(uintptr_t)handle, res);
+ util_hash_table_set(qdws->bo_handles, (void *)(uintptr_t)res->bo_handle,
+ res);
done:
mtx_unlock(&qdws->bo_handles_mutex);
--
2.21.0.225.g810b269d1ac-goog
_______________________________________________
mesa-dev mailing list
mesa-dev@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/mesa-dev
