backend/drm, backend/libinput: listen to session destroy
This fixes a heap-use-after-free when the session is destroyed before
the backend during wl_display_destroy:

    ==1085==ERROR: AddressSanitizer: heap-use-after-free on address 0x614000000180 at pc 0x7f88e3590c2d bp 0x7ffdc4e33f90 sp 0x7ffdc4e33f80
    READ of size 8 at 0x614000000180 thread T0
        #0 0x7f88e3590c2c in find_device ../subprojects/wlroots/backend/session/session.c:192
        #1 0x7f88e3590e85 in wlr_session_close_file ../subprojects/wlroots/backend/session/session.c:204
        #2 0x7f88e357b80c in libinput_close_restricted ../subprojects/wlroots/backend/libinput/backend.c:24
        #3 0x7f88e21af274  (/lib64/libinput.so.10+0x28274)
        #4 0x7f88e21aff1d  (/lib64/libinput.so.10+0x28f1d)
        #5 0x7f88e219ddac  (/lib64/libinput.so.10+0x16dac)
        #6 0x7f88e21b415d in libinput_unref (/lib64/libinput.so.10+0x2d15d)
        #7 0x7f88e357c9d6 in backend_destroy ../subprojects/wlroots/backend/libinput/backend.c:130
        #8 0x7f88e3545a09 in wlr_backend_destroy ../subprojects/wlroots/backend/backend.c:50
        #9 0x7f88e358981a in multi_backend_destroy ../subprojects/wlroots/backend/multi/backend.c:54
        #10 0x7f88e358a059 in handle_display_destroy ../subprojects/wlroots/backend/multi/backend.c:107
        #11 0x7f88e314acde  (/lib64/libwayland-server.so.0+0x8cde)
        #12 0x7f88e314b466 in wl_display_destroy (/lib64/libwayland-server.so.0+0x9466)
        #13 0x559fefb52385 in main ../main.c:67
        #14 0x7f88e2639152 in __libc_start_main (/lib64/libc.so.6+0x27152)
        #15 0x559fefb4297d in _start (/home/simon/src/glider/build/glider+0x2297d)

    0x614000000180 is located 320 bytes inside of 416-byte region [0x614000000040,0x6140000001e0)
    freed by thread T0 here:
        #0 0x7f88e3d0a6b0 in __interceptor_free /build/gcc/src/gcc/libsanitizer/asan/asan_malloc_linux.cc:122
        #1 0x7f88e35b51fb in logind_session_destroy ../subprojects/wlroots/backend/session/logind.c:270
        #2 0x7f88e35905a4 in wlr_session_destroy ../subprojects/wlroots/backend/session/session.c:156
        #3 0x7f88e358f440 in handle_display_destroy ../subprojects/wlroots/backend/session/session.c:65
        #4 0x7f88e314acde  (/lib64/libwayland-server.so.0+0x8cde)

    previously allocated by thread T0 here:
        #0 0x7f88e3d0acd8 in __interceptor_calloc /build/gcc/src/gcc/libsanitizer/asan/asan_malloc_linux.cc:153
        #1 0x7f88e35b911c in logind_session_create ../subprojects/wlroots/backend/session/logind.c:746
        #2 0x7f88e358f6b4 in wlr_session_create ../subprojects/wlroots/backend/session/session.c:91
        #3 0x559fefb51ea6 in main ../main.c:20
        #4 0x7f88e2639152 in __libc_start_main (/lib64/libc.so.6+0x27152)
emersion authored and aiqs4 committed Dec 19, 2019
1 parent 231abac commit 3d5f77b
Showing 4 changed files with 22 additions and 0 deletions.
10 changes: 10 additions & 0 deletions backend/drm/backend.c
@@ -44,6 +44,7 @@ static void backend_destroy(struct wlr_backend *backend) {
wlr_signal_emit_safe(&backend->events.destroy, backend);

wl_list_remove(&drm->display_destroy.link);
wl_list_remove(&drm->session_destroy.link);
wl_list_remove(&drm->session_signal.link);
wl_list_remove(&drm->drm_invalidated.link);

@@ -135,6 +136,12 @@ static void drm_invalidated(struct wl_listener *listener, void *data) {
scan_drm_connectors(drm);
}

static void handle_session_destroy(struct wl_listener *listener, void *data) {
struct wlr_drm_backend *drm =
wl_container_of(listener, drm, session_destroy);
backend_destroy(&drm->backend);
}

static void handle_display_destroy(struct wl_listener *listener, void *data) {
struct wlr_drm_backend *drm =
wl_container_of(listener, drm, display_destroy);
@@ -197,6 +204,9 @@ struct wlr_backend *wlr_drm_backend_create(struct wl_display *display,
goto error_event;
}

drm->session_destroy.notify = handle_session_destroy;
wl_signal_add(&session->events.destroy, &drm->session_destroy);

drm->display_destroy.notify = handle_display_destroy;
wl_display_add_destroy_listener(display, &drm->display_destroy);

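Review bot: `handle_session_destroy` in backend/drm/backend.c has no comment saying that destroying the session now also destroys the backend, which changes the lifetime seen by anyone holding the `struct wlr_backend *`. A caller that destroys the session itself and later calls `wlr_backend_destroy` on the same pointer would presumably touch freed memory; the rest of `backend_destroy` and the public headers are outside this page, so this should be confirmed. I would add above the handler `/* The session is going away: destroy the backend now, while session state is still valid. The backend pointer is dangling afterwards. */`. The same comment applies to the identical handler added in backend/libinput/backend.c.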
10 changes: 10 additions & 0 deletions backend/libinput/backend.c
@@ -121,6 +121,7 @@ static void backend_destroy(struct wlr_backend *wlr_backend) {
wlr_signal_emit_safe(&wlr_backend->events.destroy, wlr_backend);

wl_list_remove(&backend->display_destroy.link);
wl_list_remove(&backend->session_destroy.link);
wl_list_remove(&backend->session_signal.link);

wlr_list_finish(&backend->wlr_device_lists);
@@ -156,6 +157,12 @@ static void session_signal(struct wl_listener *listener, void *data) {
}
}

static void handle_session_destroy(struct wl_listener *listener, void *data) {
struct wlr_libinput_backend *backend =
wl_container_of(listener, backend, session_destroy);
backend_destroy(&backend->backend);
}

static void handle_display_destroy(struct wl_listener *listener, void *data) {
struct wlr_libinput_backend *backend =
wl_container_of(listener, backend, display_destroy);
@@ -183,6 +190,9 @@ struct wlr_backend *wlr_libinput_backend_create(struct wl_display *display,
backend->session_signal.notify = session_signal;
wl_signal_add(&session->session_signal, &backend->session_signal);

backend->session_destroy.notify = handle_session_destroy;
wl_signal_add(&session->events.destroy, &backend->session_destroy);

backend->display_destroy.notify = handle_display_destroy;
wl_display_add_destroy_listener(display, &backend->display_destroy);

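Review bot: `handle_session_destroy` only prevents the use-after-free if `session->events.destroy` is emitted before the session itself is freed, because `backend_destroy` still reaches `wlr_session_close_file` through `libinput_unref`, as the trace in the commit message shows. The emission site in `wlr_session_destroy` is not on this page, so that ordering should be confirmed and recorded next to the handler, e.g. `/* Must run before the session is freed: libinput_unref() closes device fds through the session. */`. Both backends also unlink their listener from that same signal while it is being emitted, so the emitter needs a removal-tolerant iteration such as the `wlr_signal_emit_safe` that `backend_destroy` already uses for its own destroy event.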
1 change: 1 addition & 0 deletions include/backend/drm/drm.h
@@ -82,6 +82,7 @@ struct wlr_drm_backend {
struct wl_event_source *drm_event;

struct wl_listener display_destroy;
struct wl_listener session_destroy;
struct wl_listener session_signal;
struct wl_listener drm_invalidated;

1 change: 1 addition & 0 deletions include/backend/libinput.h
@@ -19,6 +19,7 @@ struct wlr_libinput_backend {
struct wl_event_source *input_event;

struct wl_listener display_destroy;
struct wl_listener session_destroy;
struct wl_listener session_signal;

struct wlr_list wlr_device_lists; // list of struct wl_list