[PATCH joystick] Fix crashes on unplug due to double-free with ABI < 12.
Peter Hutterer
peter.hutterer at who-t.net
Tue Mar 22 16:27:46 PDT 2011
On Tue, Mar 22, 2011 at 10:40:52AM +0200, Timo Aaltonen wrote:
> From: Timo Aaltonen <timo.aaltonen at canonical.com>
>
> With ABI 12 and newer the server removes devices
> hotplugged through the driver. And pInfo->private is shared
> between the keyboard device and actual one, so these combined
> mean there's a double-free which would result in a server crash
> on unplug.
>
> https://bugs.freedesktop.org/show_bug.cgi?id=35391
>
> Signed-off-by: Timo Aaltonen <timo.aaltonen at canonical.com>
> ---
> src/jstk.c | 2 ++
> 1 files changed, 2 insertions(+), 0 deletions(-)
>
> diff --git a/src/jstk.c b/src/jstk.c
> index 9796a46..8fa97c0 100644
> --- a/src/jstk.c
> +++ b/src/jstk.c
> @@ -622,6 +622,7 @@ jstkCoreUnInit(InputDriverPtr drv,
> {
> JoystickDevPtr device = (JoystickDevPtr) pInfo->private;
>
> +#if GET_ABI_MAJOR(ABI_XINPUT_VERSION) < 12
> if (device->keyboard_device != NULL)
> {
> xf86DisableDevice(device->keyboard_device->dev, TRUE);
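Review bot: the `#if GET_ABI_MAJOR(ABI_XINPUT_VERSION) < 12` opened here carries no comment explaining why the whole keyboard-device block, and not only the `free(device)` further down, is compiled out on ABI 12 and newer; the rationale lives only in the commit message. Add a one-line comment above the `#if` (the server removes driver-hotplugged devices itself on ABI >= 12) and confirm that on the new ABI skipping `xf86DisableDevice(device->keyboard_device->dev, TRUE)` is intended, since after this change nothing in this function disables the keyboard device any more.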
> @@ -629,6 +630,7 @@ jstkCoreUnInit(InputDriverPtr drv,
> }
>
> free (device);
> +#endif
Out of interest: did you test this on ABI 11? If pInfo->private is shared,
the xf86DisableDevice() would call free(device) for the same block of
memory we then call free() on again. My guess is that it should be in an
else block, but I haven't tested it either.
Cheers,
Peter
> pInfo->private = NULL;
> xf86DeleteInput(pInfo, 0);
> }
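Review bot: on ABI < 12 the `#endif` still leaves `xf86DisableDevice(device->keyboard_device->dev, TRUE)` and `free(device)` running back to back on the one block both records share through `pInfo->private`, so if disabling the keyboard device releases that block (the sharing the commit message describes), the old ABI keeps the double free this patch sets out to remove. Move `free(device)` into an `else` branch of the `device->keyboard_device != NULL` test, or track ownership with a flag or refcount so that only the last of the two records frees the block. Note also that `pInfo->private = NULL` clears only this record's pointer; the other record sharing the block still points at freed memory once this returns, and a later call into this function for it would dereference `device->keyboard_device` through that stale pointer, since `device` is never checked for NULL at the top.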
> --
> 1.7.4.1
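The thread above turns on one driver-private block being reachable from two InputInfo records, so whichever teardown runs second frees it again. The following is an added example, not xf86-input-joystick or X server code, showing one ownership discipline that avoids the double free regardless of which record is unplugged first: a reference count on the shared block, and a teardown that is safe to re-enter. All names (`InputInfo`, `JoystickDev`, `jstk_uninit`, `demo_unplug`) are hypothetical stand-ins and the device-removal call is simulated, not the server's API.

```c
/* Added example: a toy model of one driver-private block shared by two
 * InputInfo records (the joystick and the keyboard device the driver
 * hotplugs). Names are hypothetical; this is not the driver's code. */
#include <stdio.h>
#include <stdlib.h>

typedef struct JoystickDev JoystickDev;

typedef struct InputInfo {
    const char  *name;
    JoystickDev *private;            /* shared between both records */
} InputInfo;

struct JoystickDev {
    InputInfo *keyboard_device;      /* NULL once the keyboard record is gone */
    int        refs;                 /* records still pointing at this block */
};

/* Demo bookkeeping so a caller can see how often the block was released. */
static int g_block_frees = 0;

/* Drop one reference; free the block only when the last owner lets go. */
static void jstk_private_unref(JoystickDev *dev)
{
    if (dev == NULL)
        return;
    if (--dev->refs == 0) {
        g_block_frees++;
        free(dev);
    }
}

/* Teardown for either record. Re-entrant: if removing the keyboard record
 * calls back into this function, the refcount, not the caller, decides
 * when the block dies, and a record already detached is a no-op. */
static void jstk_uninit(InputInfo *pInfo)
{
    JoystickDev *dev = pInfo->private;
    if (dev == NULL)
        return;                      /* already torn down */
    pInfo->private = NULL;           /* detach this record first */

    if (dev->keyboard_device == pInfo) {
        dev->keyboard_device = NULL; /* the joystick no longer refers to us */
    } else if (dev->keyboard_device != NULL) {
        /* Stand-in for xf86DisableDevice(): removing the keyboard record
         * re-enters this function for that record. */
        InputInfo *kbd = dev->keyboard_device;
        dev->keyboard_device = NULL;
        jstk_uninit(kbd);
    }
    jstk_private_unref(dev);
}

/* Build two records sharing one block, tear them down in the requested
 * order, and return 1 if the block was freed exactly once and both records
 * ended up detached (0 otherwise). Input is constructed for the demo. */
int demo_unplug(int unplug_keyboard_first)
{
    InputInfo joystick = { "joystick", NULL };
    InputInfo keyboard = { "joystick-keys", NULL };
    JoystickDev *dev = calloc(1, sizeof *dev);
    if (dev == NULL)
        return 0;
    dev->refs = 2;
    dev->keyboard_device = &keyboard;
    joystick.private = dev;
    keyboard.private = dev;
    g_block_frees = 0;

    if (unplug_keyboard_first) {
        jstk_uninit(&keyboard);
        jstk_uninit(&joystick);
    } else {
        jstk_uninit(&joystick);
        jstk_uninit(&keyboard);      /* second call is a no-op */
    }
    return g_block_frees == 1 && joystick.private == NULL
                              && keyboard.private == NULL;
}

int main(void)
{
    printf("joystick first: %s\n", demo_unplug(0) ? "ok" : "BAD");
    printf("keyboard first: %s\n", demo_unplug(1) ? "ok" : "BAD");
    return 0;
}
```

The point of the refcount is that neither record needs to know which ABI the server speaks or whether the other record has already gone: each one detaches itself and drops its reference, and the block is released exactly once. An `else` branch around `free(device)` alone would still leave the other record holding a dangling `private` pointer.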