diff options
| author | Keith Packard <keithp@keithp.com> | 2013-11-03 13:12:40 -0800 |
|---|---|---|
| committer | Keith Packard <keithp@keithp.com> | 2013-11-11 15:16:07 -0800 |
| commit | 41da295eb50fa08eaacd0ecde99f43a716fcb41a (patch) | |
| tree | 27cffe15843774f40a4f3f494952c4a86a56151d /Xext | |
| parent | 719e880d7698d92f9b854b217ef9680aaa446f2e (diff) | |
Trap SIGBUS to handle truncated shared memory segments
If a client passes a section of memory via file descriptor and then
subsequently truncates that file, the underlying pages will be freed
and the addresses invalidated. Subsequent accesses to the page will
fail with a SIGBUS error.
Trap that SIGBUS, figure out which segment was causing the error and
then allocate new pages to fill in for that region. Mark the offending
shared segment as invalid and free the resource ID so that the client
will be able to tell when subsequently attempting to use the segment.
Signed-off-by: Keith Packard <keithp@keithp.com>
v2: Use MAP_FIXED to simplify the recovery logic (Mark Kettenis)
v3: Also catch errors in ShmCreateSegment
Conflicts:
include/dix-config.h.in
include/xorg-config.h.in
Diffstat (limited to 'Xext')
| -rw-r--r-- | Xext/shm.c | 37 | ||||
| -rw-r--r-- | Xext/shmint.h | 5 |
2 files changed, 40 insertions, 2 deletions
diff --git a/Xext/shm.c b/Xext/shm.c index 109a381a0..46ce521af 100644 --- a/Xext/shm.c +++ b/Xext/shm.c @@ -438,9 +438,11 @@ ShmDetachSegment(pointer value, /* must conform to DeleteType */ if (--shmdesc->refcnt) return TRUE; #if SHM_FD_PASSING - if (shmdesc->is_fd) + if (shmdesc->is_fd) { + if (shmdesc->busfault) + busfault_unregister(shmdesc->busfault); munmap(shmdesc->addr, shmdesc->size); - else + } else #endif shmdt(shmdesc->addr); for (prev = &Shmsegs; *prev != shmdesc; prev = &(*prev)->next); @@ -1099,6 +1101,19 @@ ProcShmCreatePixmap(ClientPtr client) } #ifdef SHM_FD_PASSING + +static void +ShmBusfaultNotify(void *context) +{ + ShmDescPtr shmdesc = context; + + ErrorF("shared memory 0x%x truncated by client\n", + (unsigned int) shmdesc->resource); + busfault_unregister(shmdesc->busfault); + shmdesc->busfault = NULL; + FreeResource (shmdesc->resource, RT_NONE); +} + static int ProcShmAttachFd(ClientPtr client) { @@ -1143,6 +1158,15 @@ ProcShmAttachFd(ClientPtr client) shmdesc->refcnt = 1; shmdesc->writable = !stuff->readOnly; shmdesc->size = statb.st_size; + shmdesc->resource = stuff->shmseg; + + shmdesc->busfault = busfault_register_mmap(shmdesc->addr, shmdesc->size, ShmBusfaultNotify, shmdesc); + if (!shmdesc->busfault) { + munmap(shmdesc->addr, shmdesc->size); + free(shmdesc); + return BadAlloc; + } + shmdesc->next = Shmsegs; Shmsegs = shmdesc; @@ -1198,6 +1222,15 @@ ProcShmCreateSegment(ClientPtr client) shmdesc->refcnt = 1; shmdesc->writable = !stuff->readOnly; shmdesc->size = stuff->size; + + shmdesc->busfault = busfault_register_mmap(shmdesc->addr, shmdesc->size, ShmBusfaultNotify, shmdesc); + if (!shmdesc->busfault) { + close(fd); + munmap(shmdesc->addr, shmdesc->size); + free(shmdesc); + return BadAlloc; + } + shmdesc->next = Shmsegs; Shmsegs = shmdesc; diff --git a/Xext/shmint.h b/Xext/shmint.h index 7b3ea9bab..21d6cc4ee 100644 --- a/Xext/shmint.h +++ b/Xext/shmint.h @@ -62,6 +62,10 @@ typedef struct _ShmFuncs { #define SHM_FD_PASSING 1 #endif +#ifdef SHM_FD_PASSING +#include "busfault.h" +#endif + typedef struct _ShmDesc { struct _ShmDesc *next; int shmid; @@ -71,6 +75,7 @@ typedef struct _ShmDesc { unsigned long size; #ifdef SHM_FD_PASSING Bool is_fd; + struct busfault *busfault; XID resource; #endif } ShmDescRec, *ShmDescPtr; |