From patchwork Thu Sep 23 13:04:11 2010 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Kristian Hogsberg X-Patchwork-Id: 201932 Received: from gabe.freedesktop.org (gabe.freedesktop.org [131.252.210.177]) by demeter1.kernel.org (8.14.4/8.14.3) with ESMTP id o8ND5JlK007083 for ; Thu, 23 Sep 2010 13:05:56 GMT Received: from gabe.freedesktop.org (localhost [127.0.0.1]) by gabe.freedesktop.org (Postfix) with ESMTP id F41FF9F03E for ; Thu, 23 Sep 2010 06:05:18 -0700 (PDT) X-Original-To: intel-gfx@lists.freedesktop.org Delivered-To: intel-gfx@lists.freedesktop.org Received: from mga01.intel.com (mga01.intel.com [192.55.52.88]) by gabe.freedesktop.org (Postfix) with ESMTP id B51299E97E; Thu, 23 Sep 2010 06:05:09 -0700 (PDT) Received: from fmsmga001.fm.intel.com ([10.253.24.23]) by fmsmga101.fm.intel.com with ESMTP; 23 Sep 2010 06:05:09 -0700 X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="4.57,223,1283756400"; d="scan'208";a="840245092" Received: from unknown (HELO intel.com) ([10.255.14.49]) by fmsmga001.fm.intel.com with ESMTP; 23 Sep 2010 06:05:08 -0700 From: =?UTF-8?q?Kristian=20H=C3=B8gsberg?= To: Chris Wilson , Julien Cristau , xorg-devel@lists.freedesktop.org Date: Thu, 23 Sep 2010 09:04:11 -0400 Message-Id: <1285247051-2717-1-git-send-email-krh@bitplanet.net> X-Mailer: git-send-email 1.7.3 In-Reply-To: <1285246256-2306-1-git-send-email-krh@bitplanet.net> References: <1285246256-2306-1-git-send-email-krh@bitplanet.net> MIME-Version: 1.0 Cc: intel-gfx@lists.freedesktop.org Subject: [Intel-gfx] [PATCH v2] glx: Fix use after free in DrawableGone X-BeenThere: intel-gfx@lists.freedesktop.org X-Mailman-Version: 2.1.11 Precedence: list List-Id: Intel graphics driver community testing & development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: intel-gfx-bounces+patchwork-intel-gfx=patchwork.kernel.org@lists.freedesktop.org Errors-To: intel-gfx-bounces+patchwork-intel-gfx=patchwork.kernel.org@lists.freedesktop.org X-Greylist: IP, sender and recipient auto-whitelisted, not delayed by milter-greylist-4.2.3 (demeter1.kernel.org [140.211.167.41]); Thu, 23 Sep 2010 13:05:56 +0000 (UTC) X-MIME-Autoconverted: from base64 to 8bit by demeter1.kernel.org id o8ND5JlK007083 diff --git a/glx/glxext.c b/glx/glxext.c index e203156..f5ebe4f 100644 --- a/glx/glxext.c +++ b/glx/glxext.c @@ -124,7 +124,7 @@ static int glxBlockClients; */ static Bool DrawableGone(__GLXdrawable *glxPriv, XID xid) { - __GLXcontext *c; + __GLXcontext *c, *next; /* If this drawable was created using glx 1.3 drawable * constructors, we added it as a glx drawable resource under both @@ -137,7 +137,8 @@ static Bool DrawableGone(__GLXdrawable *glxPriv, XID xid) FreeResourceByType(glxPriv->drawId, __glXDrawableRes, TRUE); } - for (c = glxAllContexts; c; c = c->next) { + for (c = glxAllContexts; c; c = next) { + next = c->next; if (c->isCurrent && (c->drawPriv == glxPriv || c->readPriv == glxPriv)) { int i; @@ -160,15 +161,13 @@ static Bool DrawableGone(__GLXdrawable *glxPriv, XID xid) } } } - - if (!c->idExists) { - __glXFreeContext(c); - } } if (c->drawPriv == glxPriv) c->drawPriv = NULL; if (c->readPriv == glxPriv) c->readPriv = NULL; + if (!c->idExists && !c->isCurrent) + __glXFreeContext(c); } glxPriv->destroy(glxPriv);