Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
chore: cherry-pick cd98d7c0dae9 from chromium (#30253)
* chore: cherry-pick cd98d7c0dae9 from chromium * chore: update patches Co-authored-by: PatchUp <73610968+patchup[bot]@users.noreply.github.com>
- Loading branch information
1 parent
fe81b86
commit 53bd88d
Showing
2 changed files
with
51 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,50 @@ | ||
| From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 | ||
| From: Peng Huang <penghuang@chromium.org> | ||
| Date: Wed, 7 Jul 2021 20:50:53 +0000 | ||
| Subject: Fix UAF problem in SharedImageInterfaceInProcess | ||
|
|
||
| (cherry picked from commit 38b4905f8d877b27bc2d4ccd4cfc0f82b636deea) | ||
|
|
||
| Bug: 1216822 | ||
| Change-Id: I8ae1f7c406e1899e500ee7ddeaaf18230b1cbcb2 | ||
| Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2971144 | ||
| Commit-Queue: Peng Huang <penghuang@chromium.org> | ||
| Commit-Queue: Vasiliy Telezhnikov <vasilyt@chromium.org> | ||
| Auto-Submit: Peng Huang <penghuang@chromium.org> | ||
| Reviewed-by: Vasiliy Telezhnikov <vasilyt@chromium.org> | ||
| Cr-Original-Commit-Position: refs/heads/master@{#893931} | ||
| Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3011895 | ||
| Auto-Submit: Mason Freed <masonf@chromium.org> | ||
| Reviewed-by: Peng Huang <penghuang@chromium.org> | ||
| Cr-Commit-Position: refs/branch-heads/4515@{#1369} | ||
| Cr-Branched-From: 488fc70865ddaa05324ac00a54a6eb783b4bc41c-refs/heads/master@{#885287} | ||
|
|
||
| diff --git a/gpu/ipc/shared_image_interface_in_process.cc b/gpu/ipc/shared_image_interface_in_process.cc | ||
| index d6169e6b04b4ad4fd17b48507331dee059338610..e28ec015c8efce5d7af3c660d29f325869137b65 100644 | ||
| --- a/gpu/ipc/shared_image_interface_in_process.cc | ||
| +++ b/gpu/ipc/shared_image_interface_in_process.cc | ||
| @@ -93,6 +93,8 @@ void SharedImageInterfaceInProcess::DestroyOnGpu( | ||
| sync_point_client_state_->Destroy(); | ||
| sync_point_client_state_ = nullptr; | ||
| } | ||
| + | ||
| + context_state_ = nullptr; | ||
| completion->Signal(); | ||
| } | ||
|
|
||
| diff --git a/gpu/ipc/shared_image_interface_in_process.h b/gpu/ipc/shared_image_interface_in_process.h | ||
| index 7ce2bc3eb52083b2505fb6d648f192cb5c7247e2..23bc32c0b35145c1cf7a14e519f205c66d5e7f47 100644 | ||
| --- a/gpu/ipc/shared_image_interface_in_process.h | ||
| +++ b/gpu/ipc/shared_image_interface_in_process.h | ||
| @@ -237,10 +237,7 @@ class GL_IN_PROCESS_CONTEXT_EXPORT SharedImageInterfaceInProcess | ||
| // Accessed on GPU thread. | ||
| // TODO(weiliangc): Check whether can be removed when !UsesSync(). | ||
| MailboxManager* mailbox_manager_; | ||
| - // Used to check if context is lost at destruction time. | ||
| - // TODO(weiliangc): SharedImageInterface should become active observer of | ||
| - // whether context is lost. | ||
| - SharedContextState* context_state_; | ||
| + scoped_refptr<SharedContextState> context_state_; | ||
| // Created and only used by this SharedImageInterface. | ||
| SyncPointManager* sync_point_manager_; | ||
| scoped_refptr<SyncPointClientState> sync_point_client_state_; |