From 79dd9ba15170f7054523fc37e10ea564661d648e Mon Sep 17 00:00:00 2001
From: emersion <contact@emersion.fr>
Date: Fri, 28 Sep 2018 10:00:40 +0200
Subject: [PATCH] backend/drm: don't free connector immediately

When a pageflip is pending, we'll get a DRM event for the connector
in the future. We don't want to free the connector immediately
otherwise we'll use-after-free in the pageflip handler.

This commit adds a new state, "DISAPPEARED". This asks the pageflip
handler to destroy the output after it's done pageflipping.
---
 backend/drm/drm.c         | 19 ++++++++++++++-----
 include/backend/drm/drm.h |  4 ++++
 2 files changed, 18 insertions(+), 5 deletions(-)

diff --git a/backend/drm/drm.c b/backend/drm/drm.c
index 8e7c421d..110c2229 100644
--- a/backend/drm/drm.c
+++ b/backend/drm/drm.c
@@ -709,6 +709,7 @@ static bool drm_connector_move_cursor(struct wlr_output *output,
 static void drm_connector_destroy(struct wlr_output *output) {
 	struct wlr_drm_connector *conn = get_drm_connector_from_output(output);
 	drm_connector_cleanup(conn);
+	drmModeFreeCrtc(conn->old_crtc);
 	wl_event_source_remove(conn->retry_pageflip);
 	wl_list_remove(&conn->link);
 	free(conn);
@@ -1088,10 +1089,11 @@ void scan_drm_connectors(struct wlr_drm_backend *drm) {
 		wlr_log(WLR_INFO, "'%s' disappeared", conn->output.name);
 		drm_connector_cleanup(conn);
 
-		drmModeFreeCrtc(conn->old_crtc);
-		wl_event_source_remove(conn->retry_pageflip);
-		wl_list_remove(&conn->link);
-		free(conn);
+		if (conn->pageflip_pending) {
+			conn->state = WLR_DRM_CONN_DISAPPEARED;
+		} else {
+			wlr_output_destroy(&conn->output);
+		}
 	}
 
 	bool changed_outputs[wl_list_length(&drm->outputs)];
@@ -1133,6 +1135,12 @@ static void page_flip_handler(int fd, unsigned seq,
 		get_drm_backend_from_backend(conn->output.backend);
 
 	conn->pageflip_pending = false;
+
+	if (conn->state == WLR_DRM_CONN_DISAPPEARED) {
+		wlr_output_destroy(&conn->output);
+		return;
+	}
+
 	if (conn->state != WLR_DRM_CONN_CONNECTED || conn->crtc == NULL) {
 		return;
 	}
@@ -1193,7 +1201,6 @@ void restore_drm_outputs(struct wlr_drm_backend *drm) {
 
 		drmModeSetCrtc(drm->fd, crtc->crtc_id, crtc->buffer_id, crtc->x, crtc->y,
 			&conn->id, 1, &crtc->mode);
-		drmModeFreeCrtc(crtc);
 	}
 }
 
@@ -1248,6 +1255,8 @@ static void drm_connector_cleanup(struct wlr_drm_connector *conn) {
 		break;
 	case WLR_DRM_CONN_DISCONNECTED:
 		break;
+	case WLR_DRM_CONN_DISAPPEARED:
+		return; // don't change state
 	}
 
 	conn->state = WLR_DRM_CONN_DISCONNECTED;
diff --git a/include/backend/drm/drm.h b/include/backend/drm/drm.h
index ac23cd9a..3b01b64f 100644
--- a/include/backend/drm/drm.h
+++ b/include/backend/drm/drm.h
@@ -104,10 +104,14 @@ struct wlr_drm_backend {
 };
 
 enum wlr_drm_connector_state {
+	// Connector is available but no output is plugged in
 	WLR_DRM_CONN_DISCONNECTED,
+	// An output just has been plugged in and is waiting for a modeset
 	WLR_DRM_CONN_NEEDS_MODESET,
 	WLR_DRM_CONN_CLEANUP,
 	WLR_DRM_CONN_CONNECTED,
+	// Connector disappeared, waiting for being destroyed on next page-flip
+	WLR_DRM_CONN_DISAPPEARED,
 };
 
 struct wlr_drm_mode {