BadAccess errors in ShmAttach due to thread races with XNextRequest() usage in cairo-xlib-surface-shm.c (#49) · Issues · cairo / cairo

BadAccess errors in ShmAttach due to thread races with XNextRequest() usage in cairo-xlib-surface-shm.c

Submitted by Karl Tomlinson

Assigned to Chris Wilson @ickle

Description

_cairo_xlib_display_fini_shm sets pool->attached to XNextRequest() assuming the approaching XShmAttach() will be the next request. https://cgit.freedesktop.org/cairo/tree/src/cairo-xlib-surface-shm.c?id=3f1a6f7225e31057a8af9313f051a1d311df0c69#n602

This assumption can be invalid when another request is performed on another thread before the XShmAttach() reads |request| from the display.

An |attached| sequence number that is too old means that _cairo_xlib_shm_pool_cleanup() can call _cairo_xlib_display_shm_pool_destroy() and so shmdt() before the server processes the ShmAttach request, resulting in BadAccess errors.

Similarly _cairo_xlib_shm_surface_mark_active() is called and uses XNextRequest() before the corresponding request, leading to similar races affecting _cairo_xlib_shm_surface_flush() and get_compositor() and _cairo_xlib_shm_info_cleanup(). I assume _cairo_xlib_shm_surface_get_obdata() has similar issues.

Version: 1.12.16

## Submitted by Karl Tomlinson  
Assigned to **Chris Wilson `@ickle`**

**[Link to original bug (#98883)](https://bugs.freedesktop.org/show_bug.cgi?id=98883)**  
## Description
_cairo_xlib_display_fini_shm sets pool->attached to XNextRequest() assuming
the approaching XShmAttach() will be the next request.
https://cgit.freedesktop.org/cairo/tree/src/cairo-xlib-surface-shm.c?id=3f1a6f7225e31057a8af9313f051a1d311df0c69#n602

This assumption can be invalid when another request is performed on another
thread before the XShmAttach() reads |request| from the display.

An |attached| sequence number that is too old means that 
_cairo_xlib_shm_pool_cleanup() can call _cairo_xlib_display_shm_pool_destroy()
and so shmdt() before the server processes the ShmAttach request, resulting in
BadAccess errors.

Similarly _cairo_xlib_shm_surface_mark_active() is called and uses
XNextRequest() before the corresponding request, leading to similar races
affecting _cairo_xlib_shm_surface_flush() and get_compositor() and
_cairo_xlib_shm_info_cleanup().  I assume _cairo_xlib_shm_surface_get_obdata()
has similar issues.

Version: 1.12.16