wlroots-hyprland/backend/drm/backend.c
Simon Ser 8681e4ab8a backend/drm, backend/libinput: listen to session destroy
This fixes a heap-use-after-free when the session is destroyed before
the backend during wl_display_destroy:

    ==1085==ERROR: AddressSanitizer: heap-use-after-free on address 0x614000000180 at pc 0x7f88e3590c2d bp 0x7ffdc4e33f90 sp 0x7ffdc4e33f80
    READ of size 8 at 0x614000000180 thread T0
        #0 0x7f88e3590c2c in find_device ../subprojects/wlroots/backend/session/session.c:192
        #1 0x7f88e3590e85 in wlr_session_close_file ../subprojects/wlroots/backend/session/session.c:204
        #2 0x7f88e357b80c in libinput_close_restricted ../subprojects/wlroots/backend/libinput/backend.c:24
        #3 0x7f88e21af274  (/lib64/libinput.so.10+0x28274)
        #4 0x7f88e21aff1d  (/lib64/libinput.so.10+0x28f1d)
        #5 0x7f88e219ddac  (/lib64/libinput.so.10+0x16dac)
        #6 0x7f88e21b415d in libinput_unref (/lib64/libinput.so.10+0x2d15d)
        #7 0x7f88e357c9d6 in backend_destroy ../subprojects/wlroots/backend/libinput/backend.c:130
        #8 0x7f88e3545a09 in wlr_backend_destroy ../subprojects/wlroots/backend/backend.c:50
        #9 0x7f88e358981a in multi_backend_destroy ../subprojects/wlroots/backend/multi/backend.c:54
        #10 0x7f88e358a059 in handle_display_destroy ../subprojects/wlroots/backend/multi/backend.c:107
        #11 0x7f88e314acde  (/lib64/libwayland-server.so.0+0x8cde)
        #12 0x7f88e314b466 in wl_display_destroy (/lib64/libwayland-server.so.0+0x9466)
        #13 0x559fefb52385 in main ../main.c:67
        #14 0x7f88e2639152 in __libc_start_main (/lib64/libc.so.6+0x27152)
        #15 0x559fefb4297d in _start (/home/simon/src/glider/build/glider+0x2297d)

    0x614000000180 is located 320 bytes inside of 416-byte region [0x614000000040,0x6140000001e0)
    freed by thread T0 here:
        #0 0x7f88e3d0a6b0 in __interceptor_free /build/gcc/src/gcc/libsanitizer/asan/asan_malloc_linux.cc:122
        #1 0x7f88e35b51fb in logind_session_destroy ../subprojects/wlroots/backend/session/logind.c:270
        #2 0x7f88e35905a4 in wlr_session_destroy ../subprojects/wlroots/backend/session/session.c:156
        #3 0x7f88e358f440 in handle_display_destroy ../subprojects/wlroots/backend/session/session.c:65
        #4 0x7f88e314acde  (/lib64/libwayland-server.so.0+0x8cde)

    previously allocated by thread T0 here:
        #0 0x7f88e3d0acd8 in __interceptor_calloc /build/gcc/src/gcc/libsanitizer/asan/asan_malloc_linux.cc:153
        #1 0x7f88e35b911c in logind_session_create ../subprojects/wlroots/backend/session/logind.c:746
        #2 0x7f88e358f6b4 in wlr_session_create ../subprojects/wlroots/backend/session/session.c:91
        #3 0x559fefb51ea6 in main ../main.c:20
        #4 0x7f88e2639152 in __libc_start_main (/lib64/libc.so.6+0x27152)
2019-12-01 10:26:12 -05:00

222 lines
6.2 KiB
C

#include <assert.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <wayland-server-core.h>
#include <wlr/backend/interface.h>
#include <wlr/backend/session.h>
#include <wlr/interfaces/wlr_output.h>
#include <wlr/render/egl.h>
#include <wlr/types/wlr_list.h>
#include <wlr/util/log.h>
#include <xf86drm.h>
#include "backend/drm/drm.h"
#include "util/signal.h"
struct wlr_drm_backend *get_drm_backend_from_backend(
struct wlr_backend *wlr_backend) {
assert(wlr_backend_is_drm(wlr_backend));
return (struct wlr_drm_backend *)wlr_backend;
}
static bool backend_start(struct wlr_backend *backend) {
struct wlr_drm_backend *drm = get_drm_backend_from_backend(backend);
scan_drm_connectors(drm);
return true;
}
static void backend_destroy(struct wlr_backend *backend) {
if (!backend) {
return;
}
struct wlr_drm_backend *drm = get_drm_backend_from_backend(backend);
restore_drm_outputs(drm);
struct wlr_drm_connector *conn, *next;
wl_list_for_each_safe(conn, next, &drm->outputs, link) {
wlr_output_destroy(&conn->output);
}
wlr_signal_emit_safe(&backend->events.destroy, backend);
wl_list_remove(&drm->display_destroy.link);
wl_list_remove(&drm->session_destroy.link);
wl_list_remove(&drm->session_signal.link);
wl_list_remove(&drm->drm_invalidated.link);
finish_drm_resources(drm);
finish_drm_renderer(&drm->renderer);
wlr_session_close_file(drm->session, drm->fd);
wl_event_source_remove(drm->drm_event);
free(drm);
}
static struct wlr_renderer *backend_get_renderer(
struct wlr_backend *backend) {
struct wlr_drm_backend *drm = get_drm_backend_from_backend(backend);
if (drm->parent) {
return drm->parent->renderer.wlr_rend;
} else {
return drm->renderer.wlr_rend;
}
}
static clockid_t backend_get_presentation_clock(struct wlr_backend *backend) {
struct wlr_drm_backend *drm = get_drm_backend_from_backend(backend);
return drm->clock;
}
static struct wlr_backend_impl backend_impl = {
.start = backend_start,
.destroy = backend_destroy,
.get_renderer = backend_get_renderer,
.get_presentation_clock = backend_get_presentation_clock,
};
bool wlr_backend_is_drm(struct wlr_backend *b) {
return b->impl == &backend_impl;
}
static void session_signal(struct wl_listener *listener, void *data) {
struct wlr_drm_backend *drm =
wl_container_of(listener, drm, session_signal);
struct wlr_session *session = data;
if (session->active) {
wlr_log(WLR_INFO, "DRM fd resumed");
scan_drm_connectors(drm);
struct wlr_drm_connector *conn;
wl_list_for_each(conn, &drm->outputs, link){
if (conn->output.enabled) {
drm_connector_set_mode(&conn->output,
conn->output.current_mode);
} else {
enable_drm_connector(&conn->output, false);
}
if (!conn->crtc) {
continue;
}
struct wlr_drm_plane *plane = conn->crtc->cursor;
drm->iface->crtc_set_cursor(drm, conn->crtc,
(plane && plane->cursor_enabled) ? plane->surf.back : NULL);
drm->iface->crtc_move_cursor(drm, conn->crtc, conn->cursor_x,
conn->cursor_y);
if (conn->crtc->gamma_table != NULL) {
size_t size = conn->crtc->gamma_table_size;
uint16_t *r = conn->crtc->gamma_table;
uint16_t *g = conn->crtc->gamma_table + size;
uint16_t *b = conn->crtc->gamma_table + 2 * size;
drm->iface->crtc_set_gamma(drm, conn->crtc, size, r, g, b);
} else {
set_drm_connector_gamma(&conn->output, 0, NULL, NULL, NULL);
}
}
} else {
wlr_log(WLR_INFO, "DRM fd paused");
}
}
static void drm_invalidated(struct wl_listener *listener, void *data) {
struct wlr_drm_backend *drm =
wl_container_of(listener, drm, drm_invalidated);
char *name = drmGetDeviceNameFromFd2(drm->fd);
wlr_log(WLR_DEBUG, "%s invalidated", name);
free(name);
scan_drm_connectors(drm);
}
static void handle_session_destroy(struct wl_listener *listener, void *data) {
struct wlr_drm_backend *drm =
wl_container_of(listener, drm, session_destroy);
backend_destroy(&drm->backend);
}
static void handle_display_destroy(struct wl_listener *listener, void *data) {
struct wlr_drm_backend *drm =
wl_container_of(listener, drm, display_destroy);
backend_destroy(&drm->backend);
}
struct wlr_backend *wlr_drm_backend_create(struct wl_display *display,
struct wlr_session *session, int gpu_fd, struct wlr_backend *parent,
wlr_renderer_create_func_t create_renderer_func) {
assert(display && session && gpu_fd >= 0);
assert(!parent || wlr_backend_is_drm(parent));
char *name = drmGetDeviceNameFromFd2(gpu_fd);
drmVersion *version = drmGetVersion(gpu_fd);
wlr_log(WLR_INFO, "Initializing DRM backend for %s (%s)", name, version->name);
free(name);
drmFreeVersion(version);
struct wlr_drm_backend *drm = calloc(1, sizeof(struct wlr_drm_backend));
if (!drm) {
wlr_log_errno(WLR_ERROR, "Allocation failed");
return NULL;
}
wlr_backend_init(&drm->backend, &backend_impl);
drm->session = session;
wl_list_init(&drm->outputs);
drm->fd = gpu_fd;
if (parent != NULL) {
drm->parent = get_drm_backend_from_backend(parent);
}
drm->drm_invalidated.notify = drm_invalidated;
wlr_session_signal_add(session, gpu_fd, &drm->drm_invalidated);
drm->display = display;
struct wl_event_loop *event_loop = wl_display_get_event_loop(display);
drm->drm_event = wl_event_loop_add_fd(event_loop, drm->fd,
WL_EVENT_READABLE, handle_drm_event, NULL);
if (!drm->drm_event) {
wlr_log(WLR_ERROR, "Failed to create DRM event source");
goto error_fd;
}
drm->session_signal.notify = session_signal;
wl_signal_add(&session->session_signal, &drm->session_signal);
if (!check_drm_features(drm)) {
goto error_event;
}
if (!init_drm_resources(drm)) {
goto error_event;
}
if (!init_drm_renderer(drm, &drm->renderer, create_renderer_func)) {
wlr_log(WLR_ERROR, "Failed to initialize renderer");
goto error_event;
}
drm->session_destroy.notify = handle_session_destroy;
wl_signal_add(&session->events.destroy, &drm->session_destroy);
drm->display_destroy.notify = handle_display_destroy;
wl_display_add_destroy_listener(display, &drm->display_destroy);
return &drm->backend;
error_event:
wl_list_remove(&drm->session_signal.link);
wl_event_source_remove(drm->drm_event);
error_fd:
wlr_session_close_file(drm->session, drm->fd);
free(drm);
return NULL;
}