diff options
| author | Jon TURNEY <jon.turney@dronecode.org.uk> | 2014-04-18 12:17:06 +0100 |
|---|---|---|
| committer | Jon TURNEY <jon.turney@dronecode.org.uk> | 2014-12-05 16:41:49 +0000 |
| commit | bc71081f0e3d8ce3aecf2cb168431dbc9fe6a87b (patch) | |
| tree | c1cbba20d8ba1b2405a8c3ddb8bb9dbfa30e7915 /glx | |
| parent | 5c606c0a89e74fa223a99864be11cc3be60a159b (diff) | |
glx: Fix crash when a client exits without deleting GL contexts
With the previous patches applied, we now have crash due to use-after-free when
a client exits without deleting all it's GL contexts
On client exit, CloseDownClient first calls glxClientCallback() with
ClientStateGone, which calls __glXFreeContext() directly.
Subsequently CloseDownClient() frees all the clients resources, which leads to
ContextGone() being called for a context resource where the context has already
been freed.
Fix this by modifiying glxClientCallback() to free the context resource.
Also make __glXFreeContext() static, as calling it directly leads to this
problem, instead the context resource should be released.
With the previous patches applied, this can be demonstrated with e.g. glxinfo,
which doesn't delete it's context before exit.
Signed-off-by: Jon TURNEY <jon.turney@dronecode.org.uk>
Reviewed-by: Adam Jackson <ajax@redhat.com>
Diffstat (limited to 'glx')
| -rw-r--r-- | glx/glxext.c | 5 | ||||
| -rw-r--r-- | glx/glxext.h | 1 |
2 files changed, 3 insertions, 3 deletions
diff --git a/glx/glxext.c b/glx/glxext.c index 978d27112..e41b881f2 100644 --- a/glx/glxext.c +++ b/glx/glxext.c @@ -66,6 +66,7 @@ static DevPrivateKeyRec glxClientPrivateKeyRec; ** Forward declarations. */ static int __glXDispatch(ClientPtr); +static GLboolean __glXFreeContext(__GLXcontext * cx); /* ** Called when the extension is reset. @@ -189,7 +190,7 @@ __glXRemoveFromContextList(__GLXcontext * cx) /* ** Free a context. */ -GLboolean +static GLboolean __glXFreeContext(__GLXcontext * cx) { if (cx->idExists || cx->currentClient) @@ -294,7 +295,7 @@ glxClientCallback(CallbackListPtr *list, void *closure, void *data) c->loseCurrent(c); lastGLContext = NULL; c->currentClient = NULL; - __glXFreeContext(c); + FreeResourceByType(c->id, __glXContextRes, FALSE); } } diff --git a/glx/glxext.h b/glx/glxext.h index 3f2dee696..cde0e1519 100644 --- a/glx/glxext.h +++ b/glx/glxext.h @@ -51,7 +51,6 @@ #define GLX_RGBA_UNSIGNED_FLOAT_TYPE_EXT 0x20B1 #endif -extern GLboolean __glXFreeContext(__GLXcontext * glxc); extern void __glXFlushContextCache(void); extern Bool __glXAddContext(__GLXcontext * cx); |