Virglrenderer sometimes tries to remove resources from the hash table twice. This will mess up the resource hash table and reference counts and therefore leads to qemu/virglrenderer crashes.

Reproducer:
(a) guest creates resource foo, id 42.
(b) guest creates an object bar referencing resource foo.
(c) guest unreferences resource foo.
    -> resource id 42 is removed from hash.
(d) guest creates a new resource baz, re-using id 42.
(e) guest destroys object bar.
    -> resource foo refcount goes down to zero.
    -> resource id 42 gets removed from hash the second time, but the id 42 entry points to resource baz, not foo, now. Oops.

Note that most linux kernel drivers will never ever re-use resource ids due to a bug in the virtio-gpu kms driver, in which case this bug doesn't cause any harm.

Root cause is that vrend_renderer_resource_destroy() may call vrend_resource_remove(), depending on the call chain. This is wrong. Only vrend_renderer_resource_unref(), which is called when the guest unreferences a resource, should remove the id from the hash table by calling vrend_resource_remove().

Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Reviewed-by: Gurchetan Singh <gurchetansingh@chromium.org>
parent: 6cbf3287cf
commit: f91a9dd357
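The ownership mistake described in the commit message is easy to model outside virglrenderer. The C program below is an added example, not code from virglrenderer or from this commit: it replaces the renderer's hash table with a direct-mapped array and uses hypothetical stand-ins (`resource_remove()`, `renderer_resource_unref()`, `resource_destroy_buggy()`, `resource_destroy_fixed()`) for `vrend_resource_remove()`, `vrend_renderer_resource_unref()` and `vrend_renderer_resource_destroy()`. It walks the five reproducer steps twice: once with the last-reference destroy path also removing the id from the table (the bug), and once with only the guest-unreference path touching the table (the fix), and reports whether id 42 still resolves to the newer resource `baz` afterwards.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define TABLE_SIZE 64

struct resource {
    int id;
    int refcount;
    const char *name;
};

/* resource-id -> resource table; a direct-mapped array stands in for the renderer's hash table (assumption) */
static struct resource *table[TABLE_SIZE];

static void resource_insert(struct resource *r) { table[r->id] = r; }
static void resource_remove(int id) { table[id] = NULL; }
static struct resource *resource_lookup(int id) { return table[id]; }

/* Guest creates a resource: one reference owned by the guest-visible id. */
static struct resource *resource_create(int id, const char *name)
{
    struct resource *r = calloc(1, sizeof *r);
    r->id = id;
    r->refcount = 1;
    r->name = name;
    resource_insert(r);
    return r;
}

/* "Before" behaviour: the last-reference drop also clears the table slot for r->id,
 * whether or not that slot still belongs to r. */
static void resource_destroy_buggy(struct resource *r)
{
    resource_remove(r->id); /* wrong: id may now map to a different resource */
    free(r);
}

/* "After" behaviour: freeing the object never touches the id table. */
static void resource_destroy_fixed(struct resource *r)
{
    free(r);
}

static void destroy(struct resource *r, int fixed)
{
    if (fixed)
        resource_destroy_fixed(r);
    else
        resource_destroy_buggy(r);
}

/* A renderer object takes a reference on a resource (step b). */
static void resource_ref(struct resource *r) { r->refcount++; }

/* A renderer object drops its reference (step e). */
static void object_unref_resource(struct resource *r, int fixed)
{
    if (--r->refcount == 0)
        destroy(r, fixed);
}

/* Guest unreferences an id (step c): the guest gives the id up, so this is the
 * only place that should remove the table entry. */
static void renderer_resource_unref(int id, int fixed)
{
    struct resource *r = resource_lookup(id);
    resource_remove(id);
    if (--r->refcount == 0)
        destroy(r, fixed);
}

/* Runs steps (a)-(e); returns 1 if id 42 still resolves to baz, 0 if the entry was wiped. */
int run_reproducer(int fixed)
{
    memset(table, 0, sizeof table);
    struct resource *foo = resource_create(42, "foo"); /* (a) */
    resource_ref(foo);                                 /* (b) object bar references foo */
    renderer_resource_unref(42, fixed);                /* (c) id 42 leaves the table */
    struct resource *baz = resource_create(42, "baz"); /* (d) id 42 re-used */
    object_unref_resource(foo, fixed);                 /* (e) bar destroyed, foo refcount -> 0 */
    int ok = resource_lookup(42) == baz;
    resource_remove(42);                               /* cleanup */
    free(baz);
    return ok;
}

int main(void)
{
    printf("buggy destroy: id 42 -> baz? %s\n", run_reproducer(0) ? "yes" : "no (entry wiped)");
    printf("fixed destroy: id 42 -> baz? %s\n", run_reproducer(1) ? "yes" : "no (entry wiped)");
    return 0;
}
```

With the buggy destroy, step (e) clears the slot that baz now occupies, so a later guest command naming id 42 fails its lookup even though the guest legitimately owns that id; with the fix, the slot is removed exactly once, in step (c), and the refcount alone decides when foo's memory goes away.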