aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authoremersion <contact@emersion.fr>2018-09-28 10:00:40 +0200
committeremersion <contact@emersion.fr>2018-09-28 10:00:40 +0200
commit79dd9ba15170f7054523fc37e10ea564661d648e (patch)
tree1292835a18abaa6230c048afbfaf8d907d135693
parent19f3804548a37582f65cb4279545564dad0ec0d1 (diff)
backend/drm: don't free connector immediately
When a pageflip is pending, we'll get a DRM event for the connector in the future. We don't want to free the connector immediately otherwise we'll use-after-free in the pageflip handler. This commit adds a new state, "DISAPPEARED". This asks the pageflip handler to destroy the output after it's done pageflipping.
-rw-r--r--backend/drm/drm.c19
-rw-r--r--include/backend/drm/drm.h4
2 files changed, 18 insertions, 5 deletions
diff --git a/backend/drm/drm.c b/backend/drm/drm.c
index 8e7c421d..110c2229 100644
--- a/backend/drm/drm.c
+++ b/backend/drm/drm.c
@@ -709,6 +709,7 @@ static bool drm_connector_move_cursor(struct wlr_output *output,
static void drm_connector_destroy(struct wlr_output *output) {
struct wlr_drm_connector *conn = get_drm_connector_from_output(output);
drm_connector_cleanup(conn);
+ drmModeFreeCrtc(conn->old_crtc);
wl_event_source_remove(conn->retry_pageflip);
wl_list_remove(&conn->link);
free(conn);
@@ -1088,10 +1089,11 @@ void scan_drm_connectors(struct wlr_drm_backend *drm) {
wlr_log(WLR_INFO, "'%s' disappeared", conn->output.name);
drm_connector_cleanup(conn);
- drmModeFreeCrtc(conn->old_crtc);
- wl_event_source_remove(conn->retry_pageflip);
- wl_list_remove(&conn->link);
- free(conn);
+ if (conn->pageflip_pending) {
+ conn->state = WLR_DRM_CONN_DISAPPEARED;
+ } else {
+ wlr_output_destroy(&conn->output);
+ }
}
bool changed_outputs[wl_list_length(&drm->outputs)];
@@ -1133,6 +1135,12 @@ static void page_flip_handler(int fd, unsigned seq,
get_drm_backend_from_backend(conn->output.backend);
conn->pageflip_pending = false;
+
+ if (conn->state == WLR_DRM_CONN_DISAPPEARED) {
+ wlr_output_destroy(&conn->output);
+ return;
+ }
+
if (conn->state != WLR_DRM_CONN_CONNECTED || conn->crtc == NULL) {
return;
}
@@ -1193,7 +1201,6 @@ void restore_drm_outputs(struct wlr_drm_backend *drm) {
drmModeSetCrtc(drm->fd, crtc->crtc_id, crtc->buffer_id, crtc->x, crtc->y,
&conn->id, 1, &crtc->mode);
- drmModeFreeCrtc(crtc);
}
}
@@ -1248,6 +1255,8 @@ static void drm_connector_cleanup(struct wlr_drm_connector *conn) {
break;
case WLR_DRM_CONN_DISCONNECTED:
break;
+ case WLR_DRM_CONN_DISAPPEARED:
+ return; // don't change state
}
conn->state = WLR_DRM_CONN_DISCONNECTED;
diff --git a/include/backend/drm/drm.h b/include/backend/drm/drm.h
index ac23cd9a..3b01b64f 100644
--- a/include/backend/drm/drm.h
+++ b/include/backend/drm/drm.h
@@ -104,10 +104,14 @@ struct wlr_drm_backend {
};
enum wlr_drm_connector_state {
+ // Connector is available but no output is plugged in
WLR_DRM_CONN_DISCONNECTED,
+ // An output just has been plugged in and is waiting for a modeset
WLR_DRM_CONN_NEEDS_MODESET,
WLR_DRM_CONN_CLEANUP,
WLR_DRM_CONN_CONNECTED,
+ // Connector disappeared, waiting for being destroyed on next page-flip
+ WLR_DRM_CONN_DISAPPEARED,
};
struct wlr_drm_mode {