From 3d2f09bace0bb5d0ddd93c78b087f4c17a76a8ba Mon Sep 17 00:00:00 2001
From: Dudemanguy
Date: Mon, 19 Aug 2024 11:33:36 -0500
Subject: [PATCH] backend/drm: fix a use-after-free

The page_flip can be destroyed, but it is unconditionally accessed later on when setting present_flags. Fix this by simply setting the present_flags before the page_flip gets destroyed.
---
 backend/drm/drm.c | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/backend/drm/drm.c b/backend/drm/drm.c
index 90d24305..1ba8939a 100644
--- a/backend/drm/drm.c
+++ b/backend/drm/drm.c
@@ -2018,6 +2018,12 @@ static void handle_page_flip(int fd, unsigned seq,
 if (conn != NULL) {
 conn->pending_page_flip = NULL;
 }
+
+ uint32_t present_flags = WLR_OUTPUT_PRESENT_HW_CLOCK | WLR_OUTPUT_PRESENT_HW_COMPLETION;
+ if (!page_flip->async) {
+ present_flags |= WLR_OUTPUT_PRESENT_VSYNC;
+ }
+
 if (page_flip->connectors_len == 0) {
 drm_page_flip_destroy(page_flip);
 }
@@ -2048,10 +2054,6 @@ static void handle_page_flip(int fd, unsigned seq,
 drm_fb_move(&layer->current_fb, &layer->queued_fb);
 }
 
- uint32_t present_flags = WLR_OUTPUT_PRESENT_HW_CLOCK | WLR_OUTPUT_PRESENT_HW_COMPLETION;
- if (!page_flip->async) {
- present_flags |= WLR_OUTPUT_PRESENT_VSYNC;
- }
 /* Don't report ZERO_COPY in multi-gpu situations, because we had to copy
 * data between the GPUs, even if we were using the direct scanout
 * interface.
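Review bot: The added present_flags block now correctly precedes drm_page_flip_destroy(), but nothing in the first hunk records that ordering requirement, so a later refactor could move the read back below the destroy and reintroduce the use-after-free; a short comment above the new `uint32_t present_flags` line, `/* page_flip may be freed below: read everything needed from it first. */`, would pin the constraint. The hunk shows only the connectors_len == 0 destroy path, and handle_page_flip's body continues outside both hunks, so any other dereference of page_flip further down the function would need the same treatment and is worth confirming against the full function. The second hunk at -2048 is the matching removal of the old late read and needs no separate change.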