diff options
| author | Boris Brezillon <boris.brezillon@collabora.com> | 2023-11-29 21:02:49 +0100 |
|---|---|---|
| committer | Eric Engestrom <eric@engestrom.ch> | 2023-12-17 23:48:00 +0000 |
| commit | e839b0ae2e9b1d342779e723d22e6d4aa58a0da9 (patch) | |
| tree | 9897ac99e2605728ebd0e68cbbbb7c32e279afb9 /src/util | |
| parent | e2427f915cbab0f20cd6b145bb8b38b15277245d (diff) | |
| download | mesa-e839b0ae2e9b1d342779e723d22e6d4aa58a0da9.tar.gz mesa-e839b0ae2e9b1d342779e723d22e6d4aa58a0da9.tar.bz2 mesa-e839b0ae2e9b1d342779e723d22e6d4aa58a0da9.zip | |
util/hash_table: Don't leak hash_key_u64 objects when the u64 hash table is destroyed
Allocate a ralloc sub-context which takes the u64 hash table as a parent
and attach a destructor to it so we can free the hash_key_u64 objects
that were allocated by _mesa_hash_table_u64_insert().
The order of creation of this sub-context is crucial: it needs to happen
after the _mesa_hash_table_create() call to guarantee that the
destructor is called before ht->table and its children are freed,
otherwise the _mesa_hash_table_u64_clear() call in the destructor leads
to a use-after-free situation.
Fixes: ff494361bee7 ("util: rzalloc and free hash_table_u64")
Cc: stable
Signed-off-by: Boris Brezillon <boris.brezillon@collabora.com>
Reviewed-by: Yonggang Luo <luoyonggang@gmail.com>
Part-of: <https://gitlab.freedesktop.org/mesa/mesa/-/merge_requests/26423>
(cherry picked from commit db5166718d89ba71f8d12fbdceffb05d7c5e9a03)
Diffstat (limited to 'src/util')
| -rw-r--r-- | src/util/hash_table.c | 32 |
1 files changed, 32 insertions, 0 deletions
diff --git a/src/util/hash_table.c b/src/util/hash_table.c index 652c8980b92..a76ebbc039e 100644 --- a/src/util/hash_table.c +++ b/src/util/hash_table.c @@ -777,6 +777,13 @@ key_u64_equals(const void *a, const void *b) #define FREED_KEY_VALUE 0 +static void _mesa_hash_table_u64_delete_keys(void *data) +{ + struct hash_table_u64 *ht = ralloc_parent(data); + + _mesa_hash_table_u64_clear(ht); +} + struct hash_table_u64 * _mesa_hash_table_u64_create(void *mem_ctx) { @@ -793,6 +800,31 @@ _mesa_hash_table_u64_create(void *mem_ctx) } else { ht->table = _mesa_hash_table_create(ht, key_u64_hash, key_u64_equals); + + /* Allocate a ralloc sub-context which takes the u64 hash table + * as a parent and attach a destructor to it so we can free the + * hash_key_u64 objects that were allocated by + * _mesa_hash_table_u64_insert(). + * + * The order of creation of this sub-context is crucial: it needs + * to happen after the _mesa_hash_table_create() call to guarantee + * that the destructor is called before ht->table and its children + * are freed, otherwise the _mesa_hash_table_u64_clear() call in the + * destructor leads to a use-after-free situation. + */ + if (ht->table) { + void *dummy_ctx = ralloc_context(ht); + + /* If we can't allocate a sub-context, free the hash table + * immediately and return NULL to avoid future leaks. + */ + if (!dummy_ctx) { + ralloc_free(ht); + return NULL; + } + + ralloc_set_destructor(dummy_ctx, _mesa_hash_table_u64_delete_keys); + } } if (ht->table) |