fix cursorFB uaf and other stuf
ikalco committed Jul 15, 2024
1 parent 4e1d430 commit 1e6acce
Showing 2 changed files with 7 additions and 11 deletions.
4 changes: 3 additions & 1 deletion src/backend/Session.cpp
@@ -306,8 +306,10 @@ void Aquamarine::CSession::dispatchUdevEvents() {
dev_t deviceNum = udev_device_get_devnum(device);
SP<CSessionDevice> sessionDevice;
for (auto& sDev : sessionDevices) {
if (sDev->dev == deviceNum)
if (sDev->dev == deviceNum) {
sessionDevice = sDev;
break;
}
}

if (!sessionDevice) {
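Review bot: The added `break` changes which entry is selected if two items in `sessionDevices` carry the same `dev` value: the old loop kept the last match, the new one stops at the first. Whether device numbers are unique in that list is not visible in this hunk, so a short comment above the loop, for example `// dev numbers are unique per session device, so the first match is the only one`, would record the assumption. The loop variable is only read, so `for (const auto& sDev : sessionDevices) {` would state that as well. dispatchUdevEvents starts and ends outside the hunk.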
14 changes: 4 additions & 10 deletions src/backend/drm/DRM.cpp
@@ -796,7 +796,6 @@ void Aquamarine::CDRMBackend::onReady() {
// swapchain has to be created here because allocator is absent in connect if not ready
c->output->swapchain = CSwapchain::create(backend->primaryAllocator, self.lock());
c->output->swapchain->reconfigure(SSwapchainOptions{.length = 0, .scanout = true, .multigpu = !!primary}); // mark the swapchain for scanout
c->output->setCursor(nullptr, {});
c->output->needsFrame = true;

backend->events.newOutput.emit(SP<IOutput>(c->output));
@@ -1189,7 +1188,6 @@ void Aquamarine::SDRMConnector::connect(drmModeConnector* connector) {
return;

output->swapchain = CSwapchain::create(backend->backend->primaryAllocator, backend->self.lock());
output->setCursor(nullptr, {});
backend->backend->events.newOutput.emit(SP<IOutput>(output));
output->scheduleFrame(IOutput::AQ_SCHEDULE_NEW_CONNECTOR);
}
@@ -1404,12 +1402,12 @@ bool Aquamarine::CDRMOutput::commitState(bool onlyTest) {
else
data.cursorFB = connector->crtc->cursor->front;

if (data.cursorFB && data.cursorFB->buffer) {
if (data.cursorFB) {
// verify cursor format. This might be wrong on NVIDIA where linear buffers
// fail to be created from gbm
// TODO: add an API to detect this and request drm_dumb linear buffers. Or do something,
// idk
if (data.cursorFB->buffer->dmabuf().modifier == DRM_FORMAT_MOD_INVALID) {
if (data.cursorFB->dead || data.cursorFB->buffer->dmabuf().modifier == DRM_FORMAT_MOD_INVALID) {
TRACE(backend->backend->log(AQ_LOG_TRACE, "drm: Dropping invalid buffer for cursor plane"));
data.cursorFB = nullptr;
}
@@ -1448,13 +1446,9 @@ bool Aquamarine::CDRMOutput::setCursor(SP<IBuffer> buffer, const Vector2D& hotsp
return false;
}

if (!buffer) {
connector->crtc->pendingCursor.reset();
connector->crtc->cursor->front.reset();
connector->crtc->cursor->back.reset();
connector->crtc->cursor->last.reset();
if (!buffer)
setCursorVisible(false);
} else {
else {
SP<CDRMFB> fb;

if (backend->primary) {
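Review bot: In the commitState hunk the new condition calls `data.cursorFB->buffer->dmabuf()` after testing only `data.cursorFB->dead`, while the removed outer guard also tested `data.cursorFB->buffer`. That is safe only if `dead` is always set before the buffer goes away, which this hunk does not show. Keeping the explicit test costs nothing: `if (data.cursorFB->dead || !data.cursorFB->buffer || data.cursorFB->buffer->dmabuf().modifier == DRM_FORMAT_MOD_INVALID) {`. With that form a framebuffer that has lost its buffer is also dropped instead of being passed on to the commit. commitState begins and ends outside the hunk.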
