[PATCH xf86-input-libinput] Fix crash when using threaded input and the first device goes away
Emil Velikov
emil.l.velikov at gmail.com
Mon Oct 10 09:10:27 UTC 2016
Hi Hans,
On Wednesday, 5 October 2016, Hans de Goede <hdegoede at redhat.com> wrote:
> When the xserver uses threaded input, it keeps a pointer to the InputInfo
> passed into xf86AddEnabledDevice and calls pointer->read_input on events.
>
> But when the first enabled device goes away the pInfo we've passed into
> xf86AddEnabledDevice gets freed and eventually pInfo->read_input gets
> overwritten (or pInfo points to unmapped memory) leading to a segfault.
>
> This commit fixes this by replacing the pInfo passed into
> xf86AddEnabledDevice with a pointer to a global InputInfo stored inside
> the driver_context struct.
>
> Signed-off-by: Hans de Goede <hdegoede at redhat.com <javascript:;>>
> ---
> src/xf86libinput.c | 22 ++++++++++++++++------
> 1 file changed, 16 insertions(+), 6 deletions(-)
>
> diff --git a/src/xf86libinput.c b/src/xf86libinput.c
> index 21f87f5..485e212 100644
> --- a/src/xf86libinput.c
> +++ b/src/xf86libinput.c
> @@ -86,6 +86,7 @@
>
> struct xf86libinput_driver {
> struct libinput *libinput;
> + struct _InputInfoRec InputInfo;
> int device_enabled_count;
> };
>
> @@ -582,7 +583,17 @@ xf86libinput_on(DeviceIntPtr dev)
>
> if (driver_context.device_enabled_count == 0) {
> #if HAVE_THREADED_INPUT
> - xf86AddEnabledDevice(pInfo);
> + /*
> + * The xserver keeps a pointer to the InputInfo passed into
> + * xf86AddEnabledDevice and calls pointer->read_input on
> + * events. Thus we cannot simply pass in our current pInfo
> + * as that will be deleted when the current input device
> gets
> + * unplugged. Instead pass in a pointer to a global
> + * InputInfo inside the driver_context.
> + */
> + driver_context.InputInfo.fd = pInfo->fd;
Reading the above comment makes me wonder about the lifetime of the fd. I
take it that we're not leaking it atm ?
> + driver_context.InputInfo.read_input = pInfo->read_input;
> + xf86AddEnabledDevice(&driver_context.InputInfo);
> #else
> /* Can't use xf86AddEnabledDevice on an epollfd */
> AddEnabledDevice(pInfo->fd);
Can we use the same storage for the !HAVE_THREADED_INPUT code paths ?
> @@ -606,7 +617,7 @@ xf86libinput_off(DeviceIntPtr dev)
>
> if (--driver_context.device_enabled_count == 0) {
> #if HAVE_THREADED_INPUT
> - xf86RemoveEnabledDevice(pInfo);
> + xf86RemoveEnabledDevice(&driver_context.InputInfo);
> #else
> RemoveEnabledDevice(pInfo->fd);
> #endif
> @@ -1923,7 +1934,7 @@ out:
> }
>
> static void
> -xf86libinput_read_input(InputInfoPtr pInfo)
> +xf86libinput_read_input(InputInfoPtr do_not_use)
Worth just dropping the argument and fixing the caller(s)?
Emil
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.x.org/archives/xorg-devel/attachments/20161010/7633af00/attachment.html>
More information about the xorg-devel
mailing list