aboutsummaryrefslogtreecommitdiff
path: root/backend/drm
diff options
context:
space:
mode:
authorSimon Ser <contact@emersion.fr>2019-11-30 11:57:37 +0100
committerDrew DeVault <sir@cmpwn.com>2019-12-01 10:26:12 -0500
commit8681e4ab8a2d4c95abd34abf0e0eed3351d11bf0 (patch)
tree46527fccc3240682871543f55f72d80110dcacc6 /backend/drm
parent16f22940d93f38a579ee1f5c5a24d33cecbbe514 (diff)
backend/drm, backend/libinput: listen to session destroy
This fixes a heap-use-after-free when the session is destroyed before the backend during wl_display_destroy: ==1085==ERROR: AddressSanitizer: heap-use-after-free on address 0x614000000180 at pc 0x7f88e3590c2d bp 0x7ffdc4e33f90 sp 0x7ffdc4e33f80 READ of size 8 at 0x614000000180 thread T0 #0 0x7f88e3590c2c in find_device ../subprojects/wlroots/backend/session/session.c:192 #1 0x7f88e3590e85 in wlr_session_close_file ../subprojects/wlroots/backend/session/session.c:204 #2 0x7f88e357b80c in libinput_close_restricted ../subprojects/wlroots/backend/libinput/backend.c:24 #3 0x7f88e21af274 (/lib64/libinput.so.10+0x28274) #4 0x7f88e21aff1d (/lib64/libinput.so.10+0x28f1d) #5 0x7f88e219ddac (/lib64/libinput.so.10+0x16dac) #6 0x7f88e21b415d in libinput_unref (/lib64/libinput.so.10+0x2d15d) #7 0x7f88e357c9d6 in backend_destroy ../subprojects/wlroots/backend/libinput/backend.c:130 #8 0x7f88e3545a09 in wlr_backend_destroy ../subprojects/wlroots/backend/backend.c:50 #9 0x7f88e358981a in multi_backend_destroy ../subprojects/wlroots/backend/multi/backend.c:54 #10 0x7f88e358a059 in handle_display_destroy ../subprojects/wlroots/backend/multi/backend.c:107 #11 0x7f88e314acde (/lib64/libwayland-server.so.0+0x8cde) #12 0x7f88e314b466 in wl_display_destroy (/lib64/libwayland-server.so.0+0x9466) #13 0x559fefb52385 in main ../main.c:67 #14 0x7f88e2639152 in __libc_start_main (/lib64/libc.so.6+0x27152) #15 0x559fefb4297d in _start (/home/simon/src/glider/build/glider+0x2297d) 0x614000000180 is located 320 bytes inside of 416-byte region [0x614000000040,0x6140000001e0) freed by thread T0 here: #0 0x7f88e3d0a6b0 in __interceptor_free /build/gcc/src/gcc/libsanitizer/asan/asan_malloc_linux.cc:122 #1 0x7f88e35b51fb in logind_session_destroy ../subprojects/wlroots/backend/session/logind.c:270 #2 0x7f88e35905a4 in wlr_session_destroy ../subprojects/wlroots/backend/session/session.c:156 #3 0x7f88e358f440 in handle_display_destroy ../subprojects/wlroots/backend/session/session.c:65 #4 0x7f88e314acde (/lib64/libwayland-server.so.0+0x8cde) previously allocated by thread T0 here: #0 0x7f88e3d0acd8 in __interceptor_calloc /build/gcc/src/gcc/libsanitizer/asan/asan_malloc_linux.cc:153 #1 0x7f88e35b911c in logind_session_create ../subprojects/wlroots/backend/session/logind.c:746 #2 0x7f88e358f6b4 in wlr_session_create ../subprojects/wlroots/backend/session/session.c:91 #3 0x559fefb51ea6 in main ../main.c:20 #4 0x7f88e2639152 in __libc_start_main (/lib64/libc.so.6+0x27152)
Diffstat (limited to 'backend/drm')
-rw-r--r--backend/drm/backend.c10
1 files changed, 10 insertions, 0 deletions
diff --git a/backend/drm/backend.c b/backend/drm/backend.c
index 541e720f..8a10a51e 100644
--- a/backend/drm/backend.c
+++ b/backend/drm/backend.c
@@ -44,6 +44,7 @@ static void backend_destroy(struct wlr_backend *backend) {
wlr_signal_emit_safe(&backend->events.destroy, backend);
wl_list_remove(&drm->display_destroy.link);
+ wl_list_remove(&drm->session_destroy.link);
wl_list_remove(&drm->session_signal.link);
wl_list_remove(&drm->drm_invalidated.link);
@@ -135,6 +136,12 @@ static void drm_invalidated(struct wl_listener *listener, void *data) {
scan_drm_connectors(drm);
}
+static void handle_session_destroy(struct wl_listener *listener, void *data) {
+ struct wlr_drm_backend *drm =
+ wl_container_of(listener, drm, session_destroy);
+ backend_destroy(&drm->backend);
+}
+
static void handle_display_destroy(struct wl_listener *listener, void *data) {
struct wlr_drm_backend *drm =
wl_container_of(listener, drm, display_destroy);
@@ -197,6 +204,9 @@ struct wlr_backend *wlr_drm_backend_create(struct wl_display *display,
goto error_event;
}
+ drm->session_destroy.notify = handle_session_destroy;
+ wl_signal_add(&session->events.destroy, &drm->session_destroy);
+
drm->display_destroy.notify = handle_display_destroy;
wl_display_add_destroy_listener(display, &drm->display_destroy);