If a compositor is rendering in one thread while dispatching wayland
events in another, a wl_shm_pool_resize() could change the memory
mappings it's rendering from and cause a crash.
Now we defer wl_shm_pool_resize() if the compositor has references on a
pool, and perform the actual resize when it drops those references.
Signed-off-by: Derek Foreman <der...@osg.samsung.com>
---
src/wayland-shm.c | 47 +++++++++++++++++++++++++++++++++++------------
1 file changed, 35 insertions(+), 12 deletions(-)
diff --git a/src/wayland-shm.c b/src/wayland-shm.c
index 6fbf34b..6351259 100644
--- a/src/wayland-shm.c
+++ b/src/wayland-shm.c
@@ -56,6 +56,7 @@ struct wl_shm_pool {
int external_refcount;
char *data;
int32_t size;
+ int32_t new_size;
};
struct wl_shm_buffer {
@@ -74,12 +75,35 @@ struct wl_shm_sigbus_data {
};
static void
+shm_pool_finish_resize(struct wl_shm_pool *pool)
+{
+ void *data;
+
+ if (pool->size == pool->new_size)
+ return;
+
+ data = mremap(pool->data, pool->size, pool->new_size, MREMAP_MAYMOVE);
+ if (data == MAP_FAILED) {
+ wl_resource_post_error(pool->resource,
+ WL_SHM_ERROR_INVALID_FD,
+ "failed mremap");
+ return;
+ }
+
+ pool->data = data;
+ pool->size = pool->new_size;
+}
+
+static void
shm_pool_unref(struct wl_shm_pool *pool, bool external)
{
- if (external)
+ if (external) {
pool->external_refcount--;
- else
+ if (pool->external_refcount == 0)
+ shm_pool_finish_resize(pool);
+ } else {
pool->internal_refcount--;
+ }
if (pool->internal_refcount + pool->external_refcount)
return;
@@ -202,7 +226,6 @@ shm_pool_resize(struct wl_client *client, struct
wl_resource *resource,
int32_t size)
{
struct wl_shm_pool *pool = wl_resource_get_user_data(resource);
- void *data;
if (size < pool->size) {
wl_resource_post_error(resource,
@@ -211,16 +234,15 @@ shm_pool_resize(struct wl_client *client, struct
wl_resource *resource,
return;
}
- data = mremap(pool->data, pool->size, size, MREMAP_MAYMOVE);
- if (data == MAP_FAILED) {
- wl_resource_post_error(resource,
- WL_SHM_ERROR_INVALID_FD,
- "failed mremap");
- return;
- }
+ pool->new_size = size;
- pool->data = data;
- pool->size = size;
+ /* If the compositor has taken references on this pool it
+ * may be caching pointers into it. In that case we
+ * defer the resize (which may move the entire mapping)
+ * until the compositor finishes dereferencing the pool.
+ */
+ if (pool->external_refcount == 0)
+ shm_pool_finish_resize(pool);
}
struct wl_shm_pool_interface shm_pool_interface = {
@@ -251,6 +273,7 @@ shm_create_pool(struct wl_client *client, struct
wl_resource *resource,
pool->internal_refcount = 1;
pool->external_refcount = 0;
pool->size = size;
+ pool->new_size = size;
pool->data = mmap(NULL, size,
PROT_READ | PROT_WRITE, MAP_SHARED, fd, 0);
if (pool->data == MAP_FAILED) {
--
2.7.0
_______________________________________________
wayland-devel mailing list
wayland-devel@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/wayland-devel
