aboutsummaryrefslogtreecommitdiff
path: root/backend
diff options
context:
space:
mode:
authoremersion <contact@emersion.fr>2018-01-30 19:45:57 +0100
committeremersion <contact@emersion.fr>2018-01-30 19:45:57 +0100
commitbabdd6ccf757f18ef15b50d9f16c55031a7c1944 (patch)
tree4e1d065ea0b710c44d362b07cc941cd290d5ac46 /backend
parent704130cc1164604c5b805adf186999269e14c5a5 (diff)
backend: fix use-after-free when destroying backends
The backend destroy signal is emitted before the output_remove signal is. When the destroy signal is emitted listeners remove their output_remove listener, so the output_remove signal is never received and listeners have an invalid output pointer. The correct way to solve this would be to remove the output_remove signal completely and use the wlr_output.events.destroy signal instead. This isn't yet possible because wl_signal_emit is unsafe and listeners cannot be removed in listeners.
Diffstat (limited to 'backend')
-rw-r--r--backend/backend.c1
-rw-r--r--backend/drm/backend.c2
-rw-r--r--backend/headless/backend.c2
-rw-r--r--backend/headless/output.c2
-rw-r--r--backend/libinput/backend.c8
-rw-r--r--backend/multi/backend.c5
-rw-r--r--backend/wayland/backend.c8
-rw-r--r--backend/wayland/output.c9
-rw-r--r--backend/x11/backend.c2
9 files changed, 26 insertions, 13 deletions
diff --git a/backend/backend.c b/backend/backend.c
index a71cf6b8..98b94c5c 100644
--- a/backend/backend.c
+++ b/backend/backend.c
@@ -37,7 +37,6 @@ void wlr_backend_destroy(struct wlr_backend *backend) {
return;
}
- wl_signal_emit(&backend->events.destroy, backend);
if (backend->impl && backend->impl->destroy) {
backend->impl->destroy(backend);
} else {
diff --git a/backend/drm/backend.c b/backend/drm/backend.c
index de69dad5..dc6757a5 100644
--- a/backend/drm/backend.c
+++ b/backend/drm/backend.c
@@ -34,6 +34,8 @@ static void wlr_drm_backend_destroy(struct wlr_backend *backend) {
wlr_output_destroy(&conn->output);
}
+ wl_signal_emit(&backend->events.destroy, backend);
+
wl_list_remove(&drm->display_destroy.link);
wl_list_remove(&drm->session_signal.link);
wl_list_remove(&drm->drm_invalidated.link);
diff --git a/backend/headless/backend.c b/backend/headless/backend.c
index 61409d41..0bf5ec28 100644
--- a/backend/headless/backend.c
+++ b/backend/headless/backend.c
@@ -51,6 +51,8 @@ static void backend_destroy(struct wlr_backend *wlr_backend) {
wlr_input_device_destroy(&input_device->wlr_input_device);
}
+ wl_signal_emit(&wlr_backend->events.destroy, backend);
+
wlr_egl_finish(&backend->egl);
free(backend);
}
diff --git a/backend/headless/output.c b/backend/headless/output.c
index 46f9d212..aac7cc20 100644
--- a/backend/headless/output.c
+++ b/backend/headless/output.c
@@ -62,8 +62,6 @@ static bool output_swap_buffers(struct wlr_output *wlr_output) {
static void output_destroy(struct wlr_output *wlr_output) {
struct wlr_headless_output *output =
(struct wlr_headless_output *)wlr_output;
- wl_signal_emit(&output->backend->backend.events.output_remove,
- &output->wlr_output);
wl_list_remove(&output->link);
diff --git a/backend/libinput/backend.c b/backend/libinput/backend.c
index c9352051..86477947 100644
--- a/backend/libinput/backend.c
+++ b/backend/libinput/backend.c
@@ -95,12 +95,12 @@ static bool wlr_libinput_backend_start(struct wlr_backend *_backend) {
return true;
}
-static void wlr_libinput_backend_destroy(struct wlr_backend *_backend) {
- if (!_backend) {
+static void wlr_libinput_backend_destroy(struct wlr_backend *wlr_backend) {
+ if (!wlr_backend) {
return;
}
struct wlr_libinput_backend *backend =
- (struct wlr_libinput_backend *)_backend;
+ (struct wlr_libinput_backend *)wlr_backend;
for (size_t i = 0; i < backend->wlr_device_lists.length; i++) {
struct wl_list *wlr_devices = backend->wlr_device_lists.items[i];
@@ -112,6 +112,8 @@ static void wlr_libinput_backend_destroy(struct wlr_backend *_backend) {
free(wlr_devices);
}
+ wl_signal_emit(&wlr_backend->events.destroy, wlr_backend);
+
wl_list_remove(&backend->display_destroy.link);
wl_list_remove(&backend->session_signal.link);
diff --git a/backend/multi/backend.c b/backend/multi/backend.c
index 1e574475..78f5c63b 100644
--- a/backend/multi/backend.c
+++ b/backend/multi/backend.c
@@ -42,11 +42,16 @@ static void subbackend_state_destroy(struct subbackend_state *sub) {
static void multi_backend_destroy(struct wlr_backend *wlr_backend) {
struct wlr_multi_backend *backend = (struct wlr_multi_backend *)wlr_backend;
+
wl_list_remove(&backend->display_destroy.link);
+
struct subbackend_state *sub, *next;
wl_list_for_each_safe(sub, next, &backend->backends, link) {
wlr_backend_destroy(sub->backend);
}
+
+ // Destroy this backend only after removing all sub-backends
+ wl_signal_emit(&wlr_backend->events.destroy, backend);
free(backend);
}
diff --git a/backend/wayland/backend.c b/backend/wayland/backend.c
index eca79350..458c9dd0 100644
--- a/backend/wayland/backend.c
+++ b/backend/wayland/backend.c
@@ -64,9 +64,9 @@ static bool wlr_wl_backend_start(struct wlr_backend *_backend) {
return true;
}
-static void wlr_wl_backend_destroy(struct wlr_backend *_backend) {
- struct wlr_wl_backend *backend = (struct wlr_wl_backend *)_backend;
- if (!_backend) {
+static void wlr_wl_backend_destroy(struct wlr_backend *wlr_backend) {
+ struct wlr_wl_backend *backend = (struct wlr_wl_backend *)wlr_backend;
+ if (backend == NULL) {
return;
}
@@ -80,6 +80,8 @@ static void wlr_wl_backend_destroy(struct wlr_backend *_backend) {
wlr_input_device_destroy(input_device);
}
+ wl_signal_emit(&wlr_backend->events.destroy, wlr_backend);
+
wl_list_remove(&backend->local_display_destroy.link);
free(backend->seat_name);
diff --git a/backend/wayland/output.c b/backend/wayland/output.c
index 4a8fb0bf..a9140ff7 100644
--- a/backend/wayland/output.c
+++ b/backend/wayland/output.c
@@ -161,11 +161,12 @@ static bool wlr_wl_output_set_cursor(struct wlr_output *_output,
return true;
}
-static void wlr_wl_output_destroy(struct wlr_output *_output) {
+static void wlr_wl_output_destroy(struct wlr_output *wlr_output) {
struct wlr_wl_backend_output *output =
- (struct wlr_wl_backend_output *)_output;
- wl_signal_emit(&output->backend->backend.events.output_remove,
- &output->wlr_output);
+ (struct wlr_wl_backend_output *)wlr_output;
+ if (output == NULL) {
+ return;
+ }
wl_list_remove(&output->link);
diff --git a/backend/x11/backend.c b/backend/x11/backend.c
index 3bad8d61..44e29be1 100644
--- a/backend/x11/backend.c
+++ b/backend/x11/backend.c
@@ -259,6 +259,8 @@ static void wlr_x11_backend_destroy(struct wlr_backend *backend) {
xkb_state_unref(x11->keyboard_dev.keyboard->xkb_state);
}
+ wl_signal_emit(&backend->events.destroy, backend);
+
wl_list_remove(&x11->display_destroy.link);
wl_event_source_remove(x11->frame_timer);