summaryrefslogtreecommitdiffstats
path: root/src/etnaviv/drm
diff options
context:
space:
mode:
authorMarek Vasut <[email protected]>2019-06-02 01:07:28 +0200
committerLucas Stach <[email protected]>2019-08-14 10:35:48 +0200
commit23f5f126d5afc7224e0a67398acec7edb3c4941f (patch)
tree4f1b462d6209f254135ac796b6cb1680e3afcd4e /src/etnaviv/drm
parent1ea95e37cc53384193eb2420f3ae17faa163ed0c (diff)
etnaviv: Fix double-free in etna_bo_cache_free()
The following situation can happen in a multithreaded OpenGL application. A BO is submitted from etna_cmd_stream #1 with flags set for read. A BO is submitted from etna_cmd_stream #2 with flags set for write. This triggers a flush on stream #1 and clears the BO's current_stream pointer. If at this point, stream #2 attempts to queue BO again, which does happen, the BO will be added to the submit list twice. The Linux kernel driver correctly detects this and warns about it with "BO at index %u already on submit list" kernel message. However, when cleaning the BO cache in etna_bo_cache_free(), the BO which was submitted twice will also be free()d twice, this triggering a glibc double free detector. The fix is easy, even if the BO does not have current_stream set, iterate over current streams' list of BOs before adding the BO to it and verify that the BO is not yet there. Signed-off-by: Marek Vasut <[email protected]> Reviewed-by: Christian Gmeiner <[email protected]> Reviewed-by: Lucas Stach <[email protected]>
Diffstat (limited to 'src/etnaviv/drm')
-rw-r--r--src/etnaviv/drm/etnaviv_cmd_stream.c8
1 files changed, 3 insertions, 5 deletions
diff --git a/src/etnaviv/drm/etnaviv_cmd_stream.c b/src/etnaviv/drm/etnaviv_cmd_stream.c
index 41350295ef4..e591df297a3 100644
--- a/src/etnaviv/drm/etnaviv_cmd_stream.c
+++ b/src/etnaviv/drm/etnaviv_cmd_stream.c
@@ -150,11 +150,7 @@ static uint32_t bo2idx(struct etna_cmd_stream *stream, struct etna_bo *bo,
pthread_mutex_lock(&idx_lock);
- if (!bo->current_stream) {
- idx = append_bo(stream, bo);
- bo->current_stream = stream;
- bo->idx = idx;
- } else if (bo->current_stream == stream) {
+ if (bo->current_stream == stream) {
idx = bo->idx;
} else {
/* slow-path: */
@@ -165,6 +161,8 @@ static uint32_t bo2idx(struct etna_cmd_stream *stream, struct etna_bo *bo,
/* not found */
idx = append_bo(stream, bo);
}
+ bo->current_stream = stream;
+ bo->idx = idx;
}
pthread_mutex_unlock(&idx_lock);