From b56e8c5105c858452ca4eabf15b298fc06dfd3c8 Mon Sep 17 00:00:00 2001
From: Chris Wilson
Date: Sat, 1 Sep 2012 12:15:47 +0100
Subject: [PATCH] sna: Nullify gpu_bo after free in case final release is deferred in destroy

As we may defer the actual release of the pixmap until after completion of the last shm operation, we need to make sure in that case we mark the GPU bo as released to prevent a use-after-free.

Signed-off-by: Chris Wilson
---
 src/sna/sna_accel.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/src/sna/sna_accel.c b/src/sna/sna_accel.c
index 7dad94b3..7c598f10 100644
--- a/src/sna/sna_accel.c
+++ b/src/sna/sna_accel.c
@@ -1073,8 +1073,10 @@ static Bool sna_destroy_pixmap(PixmapPtr pixmap)
 sna = to_sna_from_pixmap(pixmap);
 /* Always release the gpu bo back to the lower levels of caching */
- if (priv->gpu_bo)
+ if (priv->gpu_bo) {
 kgem_bo_destroy(&sna->kgem, priv->gpu_bo);
+ priv->gpu_bo = NULL;
+ }
 if (priv->shm && kgem_bo_is_busy(priv->cpu_bo)) {
 sna_add_flush_pixmap(sna, priv, priv->cpu_bo);
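Review bot: The added `priv->gpu_bo = NULL;` carries no comment explaining why the pointer must be cleared, and the existing comment above the `if` only mentions caching. The commit message says priv can outlive this call when the shm release is deferred, so a line such as `/* priv may survive until the shm flush completes; do not leave a dangling bo pointer */` above the assignment would stop a later cleanup from removing it as redundant. The deferred branch starting at `if (priv->shm && kgem_bo_is_busy(priv->cpu_bo))` continues outside the hunk, so it is not visible whether the eventual final release reads other members of priv that were already freed; that path is worth checking for the same stale-pointer pattern.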