backend: fix use-after-free when destroying backends

The backend destroy signal is emitted before the output_remove
signal is. When the destroy signal is emitted listeners remove
their output_remove listener, so the output_remove signal is never
received and listeners have an invalid output pointer.

The correct way to solve this would be to remove the output_remove
signal completely and use the wlr_output.events.destroy signal
instead. This isn't yet possible because wl_signal_emit is unsafe
and listeners cannot be removed in listeners.
emersion 2018-01-30 19:45:57 +01:00
parent 704130cc11
commit babdd6ccf7
No known key found for this signature in database
GPG key ID: 0FDE7BE0E88F5E48
10 changed files with 27 additions and 13 deletions


@ -37,7 +37,6 @@ void wlr_backend_destroy(struct wlr_backend *backend) {
return; return;
} }
wl_signal_emit(&backend->events.destroy, backend);
if (backend->impl && backend->impl->destroy) { if (backend->impl && backend->impl->destroy) {
backend->impl->destroy(backend); backend->impl->destroy(backend);
} else { } else {
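Review bot: With the emit removed from wlr_backend_destroy, a backend that has no `impl->destroy` callback appears to go through the `else` branch without `events.destroy` ever firing, so its listeners would keep a pointer to a backend that is gone. The body of that branch is outside the hunk, so this is inferred; if it frees the backend, it should emit first, e.g. `wl_signal_emit(&backend->events.destroy, backend);` ahead of the free. The new contract, that every `destroy` implementation emits `events.destroy` itself after destroying its outputs, also deserves a comment on the `destroy` callback declaration. A new backend that forgets it silently reintroduces the dangling-pointer case.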


@ -34,6 +34,8 @@ static void wlr_drm_backend_destroy(struct wlr_backend *backend) {
wlr_output_destroy(&conn->output); wlr_output_destroy(&conn->output);
} }
wl_signal_emit(&backend->events.destroy, backend);
wl_list_remove(&drm->display_destroy.link); wl_list_remove(&drm->display_destroy.link);
wl_list_remove(&drm->session_signal.link); wl_list_remove(&drm->session_signal.link);
wl_list_remove(&drm->drm_invalidated.link); wl_list_remove(&drm->drm_invalidated.link);
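Review bot: The position of the added `wl_signal_emit` carries the whole fix, yet nothing in the code says so; moving it above the `wlr_output_destroy` call during a later cleanup would bring the use-after-free back. A comment like the one added in the multi backend would pin the ordering, e.g. `// Emit destroy only after all outputs are destroyed, so output_remove listeners are still attached`. The same applies to the emits added in the libinput, Wayland and X11 backend destroy functions. Destroy listeners also now observe a backend whose outputs and devices are already gone, which is worth stating wherever the destroy signal is documented.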


@ -51,6 +51,8 @@ static void backend_destroy(struct wlr_backend *wlr_backend) {
wlr_input_device_destroy(&input_device->wlr_input_device); wlr_input_device_destroy(&input_device->wlr_input_device);
} }
wl_signal_emit(&wlr_backend->events.destroy, backend);
wlr_egl_finish(&backend->egl); wlr_egl_finish(&backend->egl);
free(backend); free(backend);
} }
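Review bot: The added emit passes `backend` as the signal data, while the signal belongs to `wlr_backend` and the DRM, libinput, Wayland and X11 hunks all pass the `struct wlr_backend *`. The declaration of `backend` is outside the hunk, but it looks like the headless-specific struct, and the two pointer values only coincide while the base `wlr_backend` is that struct's first member. Passing the base pointer keeps listeners independent of that layout: `wl_signal_emit(&wlr_backend->events.destroy, wlr_backend);`. The multi backend's new emit has the same mismatch.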


@ -62,8 +62,6 @@ static bool output_swap_buffers(struct wlr_output *wlr_output) {
static void output_destroy(struct wlr_output *wlr_output) { static void output_destroy(struct wlr_output *wlr_output) {
struct wlr_headless_output *output = struct wlr_headless_output *output =
(struct wlr_headless_output *)wlr_output; (struct wlr_headless_output *)wlr_output;
wl_signal_emit(&output->backend->backend.events.output_remove,
&output->wlr_output);
wl_list_remove(&output->link); wl_list_remove(&output->link);


@ -95,12 +95,12 @@ static bool wlr_libinput_backend_start(struct wlr_backend *_backend) {
return true; return true;
} }
static void wlr_libinput_backend_destroy(struct wlr_backend *_backend) { static void wlr_libinput_backend_destroy(struct wlr_backend *wlr_backend) {
if (!_backend) { if (!wlr_backend) {
return; return;
} }
struct wlr_libinput_backend *backend = struct wlr_libinput_backend *backend =
(struct wlr_libinput_backend *)_backend; (struct wlr_libinput_backend *)wlr_backend;
for (size_t i = 0; i < backend->wlr_device_lists.length; i++) { for (size_t i = 0; i < backend->wlr_device_lists.length; i++) {
struct wl_list *wlr_devices = backend->wlr_device_lists.items[i]; struct wl_list *wlr_devices = backend->wlr_device_lists.items[i];
@ -112,6 +112,8 @@ static void wlr_libinput_backend_destroy(struct wlr_backend *_backend) {
free(wlr_devices); free(wlr_devices);
} }
wl_signal_emit(&wlr_backend->events.destroy, wlr_backend);
wl_list_remove(&backend->display_destroy.link); wl_list_remove(&backend->display_destroy.link);
wl_list_remove(&backend->session_signal.link); wl_list_remove(&backend->session_signal.link);


@ -42,11 +42,16 @@ static void subbackend_state_destroy(struct subbackend_state *sub) {
static void multi_backend_destroy(struct wlr_backend *wlr_backend) { static void multi_backend_destroy(struct wlr_backend *wlr_backend) {
struct wlr_multi_backend *backend = (struct wlr_multi_backend *)wlr_backend; struct wlr_multi_backend *backend = (struct wlr_multi_backend *)wlr_backend;
wl_list_remove(&backend->display_destroy.link); wl_list_remove(&backend->display_destroy.link);
struct subbackend_state *sub, *next; struct subbackend_state *sub, *next;
wl_list_for_each_safe(sub, next, &backend->backends, link) { wl_list_for_each_safe(sub, next, &backend->backends, link) {
wlr_backend_destroy(sub->backend); wlr_backend_destroy(sub->backend);
} }
// Destroy this backend only after removing all sub-backends
wl_signal_emit(&wlr_backend->events.destroy, backend);
free(backend); free(backend);
} }


@ -64,9 +64,9 @@ static bool wlr_wl_backend_start(struct wlr_backend *_backend) {
return true; return true;
} }
static void wlr_wl_backend_destroy(struct wlr_backend *_backend) { static void wlr_wl_backend_destroy(struct wlr_backend *wlr_backend) {
struct wlr_wl_backend *backend = (struct wlr_wl_backend *)_backend; struct wlr_wl_backend *backend = (struct wlr_wl_backend *)wlr_backend;
if (!_backend) { if (backend == NULL) {
return; return;
} }
@ -80,6 +80,8 @@ static void wlr_wl_backend_destroy(struct wlr_backend *_backend) {
wlr_input_device_destroy(input_device); wlr_input_device_destroy(input_device);
} }
wl_signal_emit(&wlr_backend->events.destroy, wlr_backend);
wl_list_remove(&backend->local_display_destroy.link); wl_list_remove(&backend->local_display_destroy.link);
free(backend->seat_name); free(backend->seat_name);


@ -161,11 +161,12 @@ static bool wlr_wl_output_set_cursor(struct wlr_output *_output,
return true; return true;
} }
static void wlr_wl_output_destroy(struct wlr_output *_output) { static void wlr_wl_output_destroy(struct wlr_output *wlr_output) {
struct wlr_wl_backend_output *output = struct wlr_wl_backend_output *output =
(struct wlr_wl_backend_output *)_output; (struct wlr_wl_backend_output *)wlr_output;
wl_signal_emit(&output->backend->backend.events.output_remove, if (output == NULL) {
&output->wlr_output); return;
}
wl_list_remove(&output->link); wl_list_remove(&output->link);


@ -259,6 +259,8 @@ static void wlr_x11_backend_destroy(struct wlr_backend *backend) {
xkb_state_unref(x11->keyboard_dev.keyboard->xkb_state); xkb_state_unref(x11->keyboard_dev.keyboard->xkb_state);
} }
wl_signal_emit(&backend->events.destroy, backend);
wl_list_remove(&x11->display_destroy.link); wl_list_remove(&x11->display_destroy.link);
wl_event_source_remove(x11->frame_timer); wl_event_source_remove(x11->frame_timer);


@ -286,6 +286,7 @@ void wlr_output_destroy(struct wlr_output *output) {
wlr_output_destroy_global(output); wlr_output_destroy_global(output);
wlr_output_set_fullscreen_surface(output, NULL); wlr_output_set_fullscreen_surface(output, NULL);
wl_signal_emit(&output->backend->events.output_remove, output);
wl_signal_emit(&output->events.destroy, output); wl_signal_emit(&output->events.destroy, output);
struct wlr_output_mode *mode, *tmp_mode; struct wlr_output_mode *mode, *tmp_mode;
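Review bot: The added emit dereferences `output->backend`, so `wlr_output_destroy` now requires the owning backend to still be allocated whenever an output is destroyed. The backend hunks in this commit keep that order, with outputs destroyed before the backend's own emit and free, but an output destroyed after its backend has been freed would read freed memory at this line. Stating the invariant where it is relied on would help, e.g. `// output->backend must still be alive: backends destroy their outputs before freeing themselves`. The function body continues outside the hunk.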