From babdd6ccf757f18ef15b50d9f16c55031a7c1944 Mon Sep 17 00:00:00 2001 From: emersion Date: Tue, 30 Jan 2018 19:45:57 +0100 Subject: backend: fix use-after-free when destroying backends The backend destroy signal is emitted before the output_remove signal is. When the destroy signal is emitted listeners remove their output_remove listener, so the output_remove signal is never received and listeners have an invalid output pointer. The correct way to solve this would be to remove the output_remove signal completely and use the wlr_output.events.destroy signal instead. This isn't yet possible because wl_signal_emit is unsafe and listeners cannot be removed in listeners. --- backend/libinput/backend.c | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) (limited to 'backend/libinput/backend.c') diff --git a/backend/libinput/backend.c b/backend/libinput/backend.c index c9352051..86477947 100644 --- a/backend/libinput/backend.c +++ b/backend/libinput/backend.c @@ -95,12 +95,12 @@ static bool wlr_libinput_backend_start(struct wlr_backend *_backend) { return true; } -static void wlr_libinput_backend_destroy(struct wlr_backend *_backend) { - if (!_backend) { +static void wlr_libinput_backend_destroy(struct wlr_backend *wlr_backend) { + if (!wlr_backend) { return; } struct wlr_libinput_backend *backend = - (struct wlr_libinput_backend *)_backend; + (struct wlr_libinput_backend *)wlr_backend; for (size_t i = 0; i < backend->wlr_device_lists.length; i++) { struct wl_list *wlr_devices = backend->wlr_device_lists.items[i]; @@ -112,6 +112,8 @@ static void wlr_libinput_backend_destroy(struct wlr_backend *_backend) { free(wlr_devices); } + wl_signal_emit(&wlr_backend->events.destroy, wlr_backend); + wl_list_remove(&backend->display_destroy.link); wl_list_remove(&backend->session_signal.link); -- cgit v1.2.3