Module: Mesa Branch: main Commit: db5166718d89ba71f8d12fbdceffb05d7c5e9a03 URL: http://cgit.freedesktop.org/mesa/mesa/commit/?id=db5166718d89ba71f8d12fbdceffb05d7c5e9a03
Author: Boris Brezillon <boris.brezil...@collabora.com> Date: Wed Nov 29 21:02:49 2023 +0100 util/hash_table: Don't leak hash_key_u64 objects when the u64 hash table is destroyed Allocate a ralloc sub-context which takes the u64 hash table as a parent and attach a destructor to it so we can free the hash_key_u64 objects that were allocated by _mesa_hash_table_u64_insert(). The order of creation of this sub-context is crucial: it needs to happen after the _mesa_hash_table_create() call to guarantee that the destructor is called before ht->table and its children are freed, otherwise the _mesa_hash_table_u64_clear() call in the destructor leads to a use-after-free situation. Fixes: ff494361bee7 ("util: rzalloc and free hash_table_u64") Cc: stable Signed-off-by: Boris Brezillon <boris.brezil...@collabora.com> Reviewed-by: Yonggang Luo <luoyongg...@gmail.com> Part-of: <https://gitlab.freedesktop.org/mesa/mesa/-/merge_requests/26423> --- src/util/hash_table.c | 32 ++++++++++++++++++++++++++++++++ 1 file changed, 32 insertions(+) diff --git a/src/util/hash_table.c b/src/util/hash_table.c index 652c8980b92..a76ebbc039e 100644 --- a/src/util/hash_table.c +++ b/src/util/hash_table.c @@ -777,6 +777,13 @@ key_u64_equals(const void *a, const void *b) #define FREED_KEY_VALUE 0 +static void _mesa_hash_table_u64_delete_keys(void *data) +{ + struct hash_table_u64 *ht = ralloc_parent(data); + + _mesa_hash_table_u64_clear(ht); +} + struct hash_table_u64 * _mesa_hash_table_u64_create(void *mem_ctx) { 
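Review bot: `_mesa_hash_table_u64_delete_keys()` is added without a comment, and its contract is not obvious from the body: `data` is the ralloc sub-context rather than the table, and the callback is only safe while the parent `hash_table_u64` and its `ht->table` are still allocated. The ordering is explained at the creation site in the second hunk, but a reader of the destructor alone will not see it. I would add above the function something like `/* ralloc destructor for the sub-context created in _mesa_hash_table_u64_create(); data is that sub-context and its parent is the u64 table. Must run before ht->table is freed. */`. As a style point, the hunk header's context line suggests this file puts the return type on its own line, which `static void _mesa_hash_table_u64_delete_keys(void *data)` does not follow.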
@@ -793,6 +800,31 @@ _mesa_hash_table_u64_create(void *mem_ctx) } else { ht->table = _mesa_hash_table_create(ht, key_u64_hash, key_u64_equals); + + /* Allocate a ralloc sub-context which takes the u64 hash table + * as a parent and attach a destructor to it so we can free the + * hash_key_u64 objects that were allocated by + * _mesa_hash_table_u64_insert(). + * + * The order of creation of this sub-context is crucial: it needs + * to happen after the _mesa_hash_table_create() call to guarantee + * that the destructor is called before ht->table and its children + * are freed, otherwise the _mesa_hash_table_u64_clear() call in the + * destructor leads to a use-after-free situation. + */ + if (ht->table) { + void *dummy_ctx = ralloc_context(ht); + + /* If we can't allocate a sub-context, free the hash table + * immediately and return NULL to avoid future leaks. + */ + if (!dummy_ctx) { + ralloc_free(ht); + return NULL; + } + + ralloc_set_destructor(dummy_ctx, _mesa_hash_table_u64_delete_keys); + } } if (ht->table)
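Review bot: The two allocation failures in this block are handled differently: a NULL `dummy_ctx` frees `ht` and returns NULL, while a NULL `ht->table` only skips the new `if (ht->table)` block and falls through to the `if (ht->table)` test after it. The function continues outside the hunk, so the return value is not visible here, but if `ht` is still handed back without a table, a later lookup or insert would presumably dereference NULL. Treating both failures the same way would be simpler, with `if (!ht->table) { ralloc_free(ht); return NULL; }` placed before the sub-context is created. It would also help to add a test that inserts keys and then destroys the table under ASan or valgrind, since the free ordering this relies on lives in ralloc and is not checked here.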