From 8323d2e90150bb86a12d00a16269c69a24efc896 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Michel=20D=C3=A4nzer?= Date: Wed, 24 Dec 2014 11:46:18 +0900 Subject: [PATCH] glamor: Call glamor_pixmap_destroy_fbo from glamor_set_pixmap_private MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Calling glamor_purge_fbo directly was incorrect for large pixmaps. Fixes use-after-free with large pixmaps: ==2029== Invalid write of size 8 ~ ==2029== at 0x85F93AD: __xorg_list_del (list.h:184) ==2029== by 0x85F93AD: xorg_list_del (list.h:204) ==2029== by 0x85F93AD: glamor_fbo_expire (glamor_fbo.c:280) ==2029== by 0x85F95CA: glamor_pixmap_fbo_cache_put (glamor_fbo.c:159) ==2029== by 0x85D7AB5: glamor_destroy_textured_pixmap (glamor.c:228) ==2029== by 0xC1BDDC4: radeon_glamor_destroy_pixmap (radeon_glamor.c:272) ==2029== by 0x519D00: damageDestroyPixmap (damage.c:1473) ==2029== by 0x4DD307: XvDestroyPixmap (xvmain.c:370) ==2029== by 0x4DB975: ShmDestroyPixmap (shm.c:258) ==2029== by 0x5098F6: FreePicture (picture.c:1425) ==2029== by 0x85E678E: glamor_composite_clipped_region (glamor_render.c:1558) ==2029== by 0x85F763A: glamor_composite_largepixmap_region (glamor_largepixmap.c:1347) ==2029== by 0x85E7964: _glamor_composite (glamor_render.c:1679) ==2029== by 0x85E7A38: glamor_composite (glamor_render.c:1758) ==2029== Address 0x1141d3c0 is 0 bytes inside a block of size 64 free'd ==2029== at 0x4C29E90: free (vg_replace_malloc.c:473) ==2029== by 0x85D7167: glamor_set_pixmap_private (glamor.c:570) ==2029== by 0xC1BDDC4: radeon_glamor_destroy_pixmap (radeon_glamor.c:272) ==2029== by 0x519D00: damageDestroyPixmap (damage.c:1473) ==2029== by 0x4DD307: XvDestroyPixmap (xvmain.c:370) ==2029== by 0x4DB975: ShmDestroyPixmap (shm.c:258) ==2029== by 0x45B246: doFreeResource (resource.c:875) ==2029== by 0x45BD5E: FreeResource (resource.c:905) ==2029== by 0x43444B: ProcFreePixmap (dispatch.c:1422) ==2029== by 0x43856E: Dispatch (dispatch.c:432) ==2029== by 0x43C96F: dix_main (main.c:298) ==2029== by 0x6CFAB44: (below main) 
(libc-start.c:287) Signed-off-by: Michel Dänzer Reviewed-by: Keith Packard Signed-off-by: Keith Packard
---
 glamor/glamor.c | 7 +------
 1 file changed, 1 insertion(+), 6 deletions(-)
diff --git a/glamor/glamor.c b/glamor/glamor.c
index e6e8647d5..78e827809 100644
--- a/glamor/glamor.c
+++ b/glamor/glamor.c
@@ -225,7 +225,6 @@ glamor_destroy_textured_pixmap(PixmapPtr pixmap)
 #if GLAMOR_HAS_GBM
 glamor_egl_destroy_pixmap_image(pixmap);
 #endif
- glamor_pixmap_destroy_fbo(pixmap_priv);
 glamor_set_pixmap_private(pixmap, NULL);
 }
 }
@@ -554,7 +553,6 @@ _X_EXPORT void
 glamor_set_pixmap_private(PixmapPtr pixmap, glamor_pixmap_private *priv)
 {
 glamor_pixmap_private *old_priv;
- glamor_pixmap_fbo *fbo;
 old_priv = dixGetPrivate(&pixmap->devPrivates, &glamor_pixmap_private_key);
@@ -565,10 +563,7 @@ glamor_set_pixmap_private(PixmapPtr pixmap, glamor_pixmap_private *priv)
 if (old_priv == NULL) return;
- if (old_priv->base.fbo) {
- fbo = glamor_pixmap_detach_fbo(old_priv);
- glamor_purge_fbo(fbo);
- }
+ glamor_pixmap_destroy_fbo(old_priv);
 free(old_priv);
 }
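Review bot: With the direct glamor_pixmap_destroy_fbo call removed, the fbo teardown in glamor_destroy_textured_pixmap now happens inside glamor_set_pixmap_private(pixmap, NULL), which nothing in this function makes visible, so the remaining call deserves a comment such as `/* Also destroys the fbo(s) of the private; do not destroy them here too */` so the direct call — and the double release the commit fixes — is not reintroduced by a later edit. The enclosing function starts outside the hunk, so whether pixmap_priv is still referenced after this point cannot be checked here.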
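Review bot: The replacement drops the `old_priv->base.fbo` guard, so glamor_pixmap_destroy_fbo is now reached for a private with no fbo attached; the pre-patch glamor_destroy_textured_pixmap in the first hunk already called it unconditionally, so it presumably tolerates that, but it is worth confirming for the large-pixmap case the commit message describes. The order of the new lines — release through the private first, then free(old_priv) — is what closes the use-after-free in the valgrind trace, and a comment above the call, `/* Must go through glamor_pixmap_destroy_fbo: purging base.fbo directly is wrong for large pixmaps */`, would record why the old detach/purge pair was insufficient. The rest of glamor_set_pixmap_private, including where the private pointer itself is reset, lies outside the hunk.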