From e035f2b9c42b39e3eff37d0fe98bfa6422877d7a Mon Sep 17 00:00:00 2001 From: Simon Ser Date: Thu, 8 Jul 2021 13:39:33 +0200 Subject: Fix invalid uses of wl_array_for_each [1] and [2] have introduced new wl_array usage in wlroots, but contains a mistake: wl_array_for_each iterates over pointers to the wl_array entries, not over entries themselves. Fix all wl_array_for_each call sites. Name the variables "ptr" to avoid confusion. Found via ASan: ==148752==ERROR: AddressSanitizer: attempting free on address which was not malloc()-ed: 0x602000214111 in thread T0 #0 0x7f6ff2235f19 in __interceptor_free /build/gcc/src/gcc/libsanitizer/asan/asan_malloc_linux.cpp:127 #1 0x7f6ff1c04004 in wlr_tablet_destroy ../subprojects/wlroots/types/wlr_tablet_tool.c:24 #2 0x7f6ff1b8463c in wlr_input_device_destroy ../subprojects/wlroots/types/wlr_input_device.c:51 #3 0x7f6ff1ab9941 in backend_destroy ../subprojects/wlroots/backend/wayland/backend.c:306 #4 0x7f6ff1a68323 in wlr_backend_destroy ../subprojects/wlroots/backend/backend.c:57 #5 0x7f6ff1ab36b4 in multi_backend_destroy ../subprojects/wlroots/backend/multi/backend.c:57 #6 0x7f6ff1ab417c in handle_display_destroy ../subprojects/wlroots/backend/multi/backend.c:124 #7 0x7f6ff106184e in wl_display_destroy (/usr/lib/libwayland-server.so.0+0x884e) #8 0x55cd1a77c9e5 in server_fini ../sway/server.c:218 #9 0x55cd1a77893f in main ../sway/main.c:400 #10 0x7f6ff04bdb24 in __libc_start_main (/usr/lib/libc.so.6+0x27b24) #11 0x55cd1a73a7ad in _start (/home/simon/src/sway/build/sway/sway+0x33a7ad) 0x602000214111 is located 1 bytes inside of 16-byte region [0x602000214110,0x602000214120) freed by thread T0 here: #0 0x7f6ff2235f19 in __interceptor_free /build/gcc/src/gcc/libsanitizer/asan/asan_malloc_linux.cpp:127 #1 0x7f6ff1c04004 in wlr_tablet_destroy ../subprojects/wlroots/types/wlr_tablet_tool.c:24 #2 0x7f6ff1b8463c in wlr_input_device_destroy ../subprojects/wlroots/types/wlr_input_device.c:51 #3 0x7f6ff1ab9941 in backend_destroy ../subprojects/wlroots/backend/wayland/backend.c:306 #4 0x7f6ff1a68323 in wlr_backend_destroy ../subprojects/wlroots/backend/backend.c:57 #5 0x7f6ff1ab36b4 in multi_backend_destroy ../subprojects/wlroots/backend/multi/backend.c:57 #6 0x7f6ff1ab417c in handle_display_destroy ../subprojects/wlroots/backend/multi/backend.c:124 #7 0x7f6ff106184e in wl_display_destroy (/usr/lib/libwayland-server.so.0+0x884e) previously allocated by thread T0 here: #0 0x7f6ff2236279 in __interceptor_malloc /build/gcc/src/gcc/libsanitizer/asan/asan_malloc_linux.cpp:145 #1 0x7f6ff1066d03 in wl_array_add (/usr/lib/libwayland-server.so.0+0xdd03) [1]: https://github.com/swaywm/wlroots/pull/3002 [2]: https://github.com/swaywm/wlroots/pull/3004 --- backend/libinput/backend.c | 8 ++++---- backend/libinput/events.c | 5 +++-- backend/libinput/tablet_tool.c | 11 ++++++----- 3 files changed, 13 insertions(+), 11 deletions(-) (limited to 'backend/libinput') diff --git a/backend/libinput/backend.c b/backend/libinput/backend.c index a9595df2..c7bde4a9 100644 --- a/backend/libinput/backend.c +++ b/backend/libinput/backend.c @@ -141,13 +141,13 @@ static void backend_destroy(struct wlr_backend *wlr_backend) { struct wlr_libinput_backend *backend = get_libinput_backend_from_backend(wlr_backend); - struct wl_list *wlr_devices; - wl_array_for_each(wlr_devices, &backend->wlr_device_lists) { + struct wl_list **wlr_devices_ptr; + wl_array_for_each(wlr_devices_ptr, &backend->wlr_device_lists) { struct wlr_input_device *wlr_dev, *next; - wl_list_for_each_safe(wlr_dev, next, wlr_devices, link) { + wl_list_for_each_safe(wlr_dev, next, *wlr_devices_ptr, link) { wlr_input_device_destroy(wlr_dev); } - free(wlr_devices); + free(*wlr_devices_ptr); } wlr_backend_finish(wlr_backend); diff --git a/backend/libinput/events.c b/backend/libinput/events.c index 1fc8cc09..f149b2f1 100644 --- a/backend/libinput/events.c +++ b/backend/libinput/events.c @@ -220,8 +220,9 @@ static void handle_device_removed(struct wlr_libinput_backend *backend, wlr_input_device_destroy(dev); } size_t i = 0; - struct wl_list *iter; - wl_array_for_each(iter, &backend->wlr_device_lists) { + struct wl_list **ptr; + wl_array_for_each(ptr, &backend->wlr_device_lists) { + struct wl_list *iter = *ptr; if (iter == wlr_devices) { array_remove_at(&backend->wlr_device_lists, i * sizeof(struct wl_list *), sizeof(struct wl_list *)); diff --git a/backend/libinput/tablet_tool.c b/backend/libinput/tablet_tool.c index 8b143e7f..b0427e5f 100644 --- a/backend/libinput/tablet_tool.c +++ b/backend/libinput/tablet_tool.c @@ -48,8 +48,9 @@ static void destroy_tablet(struct wlr_tablet *wlr_tablet) { struct wlr_libinput_tablet *tablet = wl_container_of(wlr_tablet, tablet, wlr_tablet); - struct wlr_libinput_tablet_tool *tool; - wl_array_for_each(tool, &tablet->tools) { + struct wlr_libinput_tablet_tool **tool_ptr; + wl_array_for_each(tool_ptr, &tablet->tools) { + struct wlr_libinput_tablet_tool *tool = *tool_ptr; if (--tool->pad_refs == 0) { destroy_tool(tool); } @@ -151,9 +152,9 @@ static void ensure_tool_reference(struct wlr_libinput_tablet_tool *tool, struct wlr_libinput_tablet *tablet = wl_container_of(wlr_dev, tablet, wlr_tablet); - struct wlr_libinput_tablet_tool *iter; - wl_array_for_each(iter, &tablet->tools) { - if (iter == tool) { // We already have a ref + struct wlr_libinput_tablet_tool **tool_ptr; + wl_array_for_each(tool_ptr, &tablet->tools) { + if (*tool_ptr == tool) { // We already have a ref // XXX: We *could* optimize the tool to the front of // the list here, since we will probably get the next // couple of events from the same tool. -- cgit v1.2.3