[PATCH] Allow driver to call DeleteInputDeviceRequest during UnInit
Simon Thum
simon.thum at gmx.de
Wed Jan 13 11:47:29 PST 2010
Oldřich Jedlička wrote:
> When an input driver (like xf86-input-wacom) removes its devices
> during a call to UnInit, the CloseDownDevices() cannot handle it. The
> "next" variable can become a pointer to freed memory.
>
> The patch fixes the problem by introducing a pointer to the value
> holding the reference to the driver that is currently being freed.
I see the problem, but I don't see why prev is not prone to pointing
into the void. What if DIDR ends up freeing *prev's storage? Not that
it's likely but I also don't see what might rule it out.
>
> Signed-off-by: Oldřich Jedlička <oldium.pro at seznam.cz>
> ---
> dix/devices.c | 18 +++++++++++++-----
> 1 files changed, 13 insertions(+), 5 deletions(-)
>
> diff --git a/dix/devices.c b/dix/devices.c
> index 245a95b..e4bd908 100644
> --- a/dix/devices.c
> +++ b/dix/devices.c
> @@ -884,7 +884,7 @@ CloseDevice(DeviceIntPtr dev)
> void
> CloseDownDevices(void)
> {
> - DeviceIntPtr dev, next;
> + DeviceIntPtr dev, *prev;
>
> /* Float all SDs before closing them. Note that at this point resources
> * (e.g. cursors) have been freed already, so we can't just call
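Review bot: The name `prev` in `DeviceIntPtr dev, *prev;` reads as "the previous device", but the loops in the next hunk use it as the address of the link that currently points at `dev` (`&inputInfo.devices` or `&dev->next`). A one-line comment at the declaration saying so, or a name such as `link`, would make the invariant the loops depend on visible to the next reader.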
> @@ -897,15 +897,23 @@ CloseDownDevices(void)
> dev->u.master = NULL;
> }
>
> - for (dev = inputInfo.devices; dev; dev = next)
> + for (prev = &inputInfo.devices, dev = *prev; dev; dev = *prev)
> {
> - next = dev->next;
> DeleteInputDeviceRequest(dev);
> + if (*prev == dev)
> + {
> + /* Device not freed, move to the next one */
> + prev = &dev->next;
> + }
> }
> - for (dev = inputInfo.off_devices; dev; dev = next)
> + for (prev = &inputInfo.off_devices, dev = *prev; dev; dev = *prev)
> {
> - next = dev->next;
> DeleteInputDeviceRequest(dev);
> + if (*prev == dev)
> + {
> + /* Device not freed, move to the next one */
> + prev = &dev->next;
> + }
> }
>
> CloseDevice(inputInfo.pointer);
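Review bot: The `if (*prev == dev)` test in both loops is only valid while the storage `prev` points into is still alive. After a device has been skipped, `prev` is `&dev->next` inside that skipped device, so if a later DeleteInputDeviceRequest() call frees it (the driver removing its own devices during UnInit, as the commit message describes), the next `dev = *prev` reads freed memory. Either state in a comment why a skipped device cannot be freed by a later call, or restart from the list head (`&inputInfo.devices`, `&inputInfo.off_devices`) after each call and track the devices to skip without holding a pointer into them. The two loop bodies are also identical and could share one helper that takes the address of the list head.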