author | Daniele Castagna <dcastagna@chromium.org> | 2020-12-14 23:03:31 +0000
---|---|---
committer | Michael Brüning <michael.bruning@qt.io> | 2021-01-15 15:38:46 +0000
commit | 13e84c6d06e60c5345f5c5d546b630384b807fdc (patch) |
tree | e9e4b996ff3c76691ea97e4793fc5e0aeda1f58d |
parent | dba42bf5b0d0feed6d072e047467e1c4e0df763c (diff) |
[Backport] Security bug 1152645
Manual backport of patch originally reviewed on
https://chromium-review.googlesource.com/c/chromium/src/+/2563077:
viz: Destroy |gpu_memory_buffer_factory_| on IOThread
|gpu_memory_buffer_factory_| weak pointers are checked on the
IOThread.
Weak pointers should be invalidated on the same thread that
checks them.
This CL moves the destruction of |gpu_memory_buffer_factory_|
to the IOThread to avoid possible use-after-free issues.
Bug: 1152645
Change-Id: I0d42814f0e435a3746728515da1f32d08a1252cf
Commit-Queue: Daniele Castagna <dcastagna@chromium.org>
Reviewed-by: Andres Calderon Jaramillo <andrescj@chromium.org>
Cr-Commit-Position: refs/heads/master@{#836827}
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
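The pattern the commit message describes, as an added example that is not Chromium or Qt code: ownership of the object is moved into a move-only task posted to the "IO thread", and the caller blocks until that task has run, so the object is destroyed on the thread that uses it and the wait pins the destruction order. The `IoThread`, `Task`/`BindOnce` and `Factory` types are simplified stand-ins for base::SingleThreadTaskRunner, base::OnceCallback and gpu::GpuMemoryBufferFactory, and std::promise/std::future stands in for base::WaitableEvent; the example also drives the path the patch leaves implicit, a rejected PostTask, to show where the object ends up being destroyed then.

```cpp
// Added example, not Chromium code. Models the destroy-on-the-IO-thread-and-wait
// pattern with standard-library stand-ins for the base:: types.
#include <cassert>
#include <condition_variable>
#include <cstdio>
#include <deque>
#include <future>
#include <memory>
#include <mutex>
#include <thread>

// Move-only task, standing in for base::OnceCallback.
struct Task { virtual ~Task() = default; virtual void Run() = 0; };
template <typename F> struct LambdaTask : Task {
  F f;
  explicit LambdaTask(F fn) : f(std::move(fn)) {}
  void Run() override { f(); }
};
template <typename F> std::unique_ptr<Task> BindOnce(F f) {
  return std::make_unique<LambdaTask<F>>(std::move(f));
}

// One thread draining a queue, standing in for base::SingleThreadTaskRunner.
class IoThread {
 public:
  IoThread() : thread_([this] { Loop(); }) {}
  ~IoThread() { Stop(); }
  std::thread::id id() const { return thread_.get_id(); }
  // Like PostTask: returns false once stopped. A rejected task is destroyed
  // right here, on the caller's thread, together with everything bound into it.
  bool PostTask(std::unique_ptr<Task> task) {
    std::lock_guard<std::mutex> lock(mu_);
    if (stopped_) return false;
    queue_.push_back(std::move(task));
    cv_.notify_one();
    return true;
  }
  void Stop() {
    { std::lock_guard<std::mutex> lock(mu_); if (stopped_) return; stopped_ = true; }
    cv_.notify_one();
    thread_.join();
  }
 private:
  void Loop() {
    for (;;) {
      std::unique_ptr<Task> task;
      {
        std::unique_lock<std::mutex> lock(mu_);
        cv_.wait(lock, [this] { return stopped_ || !queue_.empty(); });
        if (queue_.empty()) return;  // stopped and fully drained
        task = std::move(queue_.front());
        queue_.pop_front();
      }
      task->Run();
    }
  }
  std::mutex mu_;
  std::condition_variable cv_;
  std::deque<std::unique_ptr<Task>> queue_;
  bool stopped_ = false;
  std::thread thread_;  // declared last: the members above exist before Loop() starts
};

// Stand-in for GpuMemoryBufferFactory: records which thread ran its destructor.
struct Factory {
  std::thread::id* destroyed_on = nullptr;
  ~Factory() { if (destroyed_on) *destroyed_on = std::this_thread::get_id(); }
};

// Mirrors the patched destructor: ownership moves into the posted task and the
// caller waits until it has run. Returns true if the factory died on the IO
// thread. If the post is rejected, the task is dropped inside PostTask and the
// factory dies on this thread instead, the cross-thread destruction the patch
// set out to avoid.
bool DestroyOnIoThread(IoThread& io, std::unique_ptr<Factory> factory) {
  assert(std::this_thread::get_id() != io.id());  // post-then-wait to ourselves would deadlock
  std::thread::id destroyed_on;
  factory->destroyed_on = &destroyed_on;
  std::promise<void> done;
  std::future<void> wait = done.get_future();
  auto destroy = BindOnce([f = std::move(factory), &done]() mutable {
    f.reset();
    done.set_value();
  });
  if (io.PostTask(std::move(destroy))) {
    wait.get();  // nothing the factory still points at may be torn down before this returns
  }
  return destroyed_on == io.id();
}

// Live IO thread: destruction hops to it. Stopped IO thread: PostTask fails and
// the factory is destroyed on the caller's thread.
bool DestroyedOnIoThreadWhileRunning() {
  IoThread io;
  return DestroyOnIoThread(io, std::make_unique<Factory>());
}
bool DestroyedOnIoThreadAfterStop() {
  IoThread io;
  io.Stop();
  return DestroyOnIoThread(io, std::make_unique<Factory>());
}

int main() {
  std::printf("running: on IO thread = %d\n", DestroyedOnIoThreadWhileRunning());
  std::printf("stopped: on IO thread = %d\n", DestroyedOnIoThreadAfterStop());
}
```

The second case is the one to keep in mind when reading the patch: because the unique_ptr is moved into the callback before PostTask is called, a rejected post does not leave the object alive, it destroys it synchronously on the posting thread. That is safe for the destruction order but not for the thread-affinity property the change is about, so a real implementation should document or check that path rather than rely on it silently.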
-rw-r--r-- | chromium/components/viz/service/gl/gpu_service_impl.cc | 20 |
1 files changed, 20 insertions, 0 deletions
diff --git a/chromium/components/viz/service/gl/gpu_service_impl.cc b/chromium/components/viz/service/gl/gpu_service_impl.cc index 6f84ab4850e..1928bfcca91 100644 --- a/chromium/components/viz/service/gl/gpu_service_impl.cc +++ b/chromium/components/viz/service/gl/gpu_service_impl.cc @@ -207,6 +207,26 @@ GpuServiceImpl::~GpuServiceImpl() { media_gpu_channel_manager_.reset(); gpu_channel_manager_.reset(); + + // Destroy |gpu_memory_buffer_factory_| on the IO thread since its weakptrs + // are checked there. + { + base::WaitableEvent wait; + auto destroy_gmb_factory = base::BindOnce( + [](std::unique_ptr<gpu::GpuMemoryBufferFactory> gmb_factory, + base::WaitableEvent* wait) { + gmb_factory.reset(); + wait->Signal(); + }, + std::move(gpu_memory_buffer_factory_), base::Unretained(&wait)); + if (io_runner_->PostTask(FROM_HERE, std::move(destroy_gmb_factory))) { + // |gpu_memory_buffer_factory_| holds a raw pointer to + // |vulkan_context_provider_|. Waiting here enforces the correct order + // of destruction. + wait.Wait(); + } + } + owned_sync_point_manager_.reset(); // Signal this event before destroying the child process. That way all |
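Review bot: the false branch of `if (io_runner_->PostTask(FROM_HERE, std::move(destroy_gmb_factory)))` is undocumented, and its behaviour is not what the surrounding comments suggest: `gpu_memory_buffer_factory_` has already been moved into `destroy_gmb_factory`, so when PostTask returns false the callback is dropped inside PostTask and the factory is destroyed on the calling thread, which is the cross-thread destruction this change sets out to avoid (the skipped `wait.Wait()` is correct only because that drop happens synchronously, so the ordering with `vulkan_context_provider_` still holds). Add a comment stating that the fallback is a deliberate best effort during shutdown, or a DLOG on that path, so it is not read as unhandled. Two smaller checks on the same hunk: `wait.Wait()` blocks the thread running `~GpuServiceImpl`, so this relies on that thread being allowed to block on sync primitives, and post-then-wait would deadlock if the destructor ever ran on `io_runner_` itself; a `DCHECK(!io_runner_->BelongsToCurrentThread())` before the post makes both assumptions explicit. Finally, the comment "|gpu_memory_buffer_factory_| holds a raw pointer to |vulkan_context_provider_|" describes an ordering that is not visible in this hunk; naming where `vulkan_context_provider_` is reset would let a reader verify it.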