[PATCH weston v2] desktop-shell: drop shell_client from the head of the surface list on destroy

Ryo Munakata ryomnktml at gmail.com
Thu Aug 6 08:50:19 PDT 2015


On Fri, 29 May 2015 10:46:44 -0500
Derek Foreman <derekf at osg.samsung.com> wrote:

Hi all.

I sent an almost same patch to ML recently, which means this problem hasn't been fixed.

So now:
Reviewed-by: Ryo Munakata <ryomnktml at gmail.com>

This patch has been forgotten for a long time.
Please push it unless anyone has issues with it.

> This prevents a use after free when the surfaces are automatically cleaned
> up later, as shell_client's freed node was still in the surface list.
> 
> Signed-off-by: Derek Foreman <derekf at osg.samsung.com>
> ---
>  desktop-shell/shell.c | 7 +++++++
>  1 file changed, 7 insertions(+)
> 
> diff --git a/desktop-shell/shell.c b/desktop-shell/shell.c
> index fe620cb..66e47a3 100644
> --- a/desktop-shell/shell.c
> +++ b/desktop-shell/shell.c
> @@ -5822,6 +5822,13 @@ handle_shell_client_destroy(struct wl_listener *listener, void *data)
>  
>  	if (sc->ping_timer)
>  		wl_event_source_remove(sc->ping_timer);
> +
> +	/* Since we're about to free shell_client, we remove it from the
> +	 * head of the surface list so we don't use that freed list node
> +	 * during surface clean up later on.
> +	 */
> +	wl_list_remove(&sc->surface_list);
> +
>  	free(sc);
>  }
>  
> -- 
> 2.1.4
> 
> _______________________________________________
> wayland-devel mailing list
> wayland-devel at lists.freedesktop.org
> http://lists.freedesktop.org/mailman/listinfo/wayland-devel


-- 
Ryo Munakata <ryomnktml at gmail.com>


More information about the wayland-devel mailing list