[pulseaudio-discuss] [PATCH] module: Fix unsafe iteration
David Henningsson
david.henningsson at canonical.com
Fri Dec 5 06:14:27 PST 2014
It looks like this could cause a problem in case somebody (ab)uses the
API like:
pa_module_unload_request(m, true);
pa_module_unload(c, m, true);
...later on, the deferred event triggers, and modules_pending_unload now
has dangling pointers.
I'm not sure this is ever encountered in the current code base, but now
we're no longer resilient to this type of (ab)use.
On 2014-12-05 14:56, Tanu Kaskinen wrote:
> This fixes an issue when requesting module unload for
> module-bluetooth-discover. When unloading the module, it also unloads
> module-bluez4-discover and/or module-bluez5-discover, and that
> invalidated the state variable that was used for iterating through the
> modules idxset.
>
> The pa_module.unload_requested flag could now otherwise be removed,
> but it's still being (ab)used in the bluetooth modules.
> ---
> src/pulsecore/core.c | 5 +++++
> src/pulsecore/core.h | 1 +
> src/pulsecore/module.c | 7 +++----
> 3 files changed, 9 insertions(+), 4 deletions(-)
>
> diff --git a/src/pulsecore/core.c b/src/pulsecore/core.c
> index e461963..258ee2a 100644
> --- a/src/pulsecore/core.c
> +++ b/src/pulsecore/core.c
> @@ -116,6 +116,8 @@ pa_core* pa_core_new(pa_mainloop_api *m, bool shared, size_t shm_size) {
> c->deferred_volume_safety_margin_usec = 8000;
> c->deferred_volume_extra_delay_usec = 0;
>
> + c->modules_pending_unload = pa_hashmap_new(NULL, NULL);
> +
> c->module_defer_unload_event = NULL;
> c->scache_auto_unload_event = NULL;
>
> @@ -204,6 +206,9 @@ static void core_free(pa_object *o) {
> pa_assert(pa_hashmap_isempty(c->shared));
> pa_hashmap_free(c->shared);
>
> + pa_assert(pa_hashmap_isempty(c->modules_pending_unload));
> + pa_hashmap_free(c->modules_pending_unload);
> +
> pa_subscription_free_all(c);
>
> if (c->exit_event)
> diff --git a/src/pulsecore/core.h b/src/pulsecore/core.h
> index 1f9df73..b0d1211 100644
> --- a/src/pulsecore/core.h
> +++ b/src/pulsecore/core.h
> @@ -164,6 +164,7 @@ struct pa_core {
> int deferred_volume_extra_delay_usec;
>
> pa_defer_event *module_defer_unload_event;
> + pa_hashmap *modules_pending_unload; /* pa_module -> pa_module (hashmap-as-a-set) */
>
> pa_defer_event *subscription_defer_event;
> PA_LLIST_HEAD(pa_subscription, subscriptions);
> diff --git a/src/pulsecore/module.c b/src/pulsecore/module.c
> index bee8a20..ce87f84 100644
> --- a/src/pulsecore/module.c
> +++ b/src/pulsecore/module.c
> @@ -303,16 +303,14 @@ void pa_module_unload_all(pa_core *c) {
> }
>
> static void defer_cb(pa_mainloop_api*api, pa_defer_event *e, void *userdata) {
> - void *state = NULL;
> pa_core *c = PA_CORE(userdata);
> pa_module *m;
>
> pa_core_assert_ref(c);
> api->defer_enable(e, 0);
>
> - while ((m = pa_idxset_iterate(c->modules, &state, NULL)))
> - if (m->unload_requested)
> - pa_module_unload(c, m, true);
> + while ((m = pa_hashmap_steal_first(c->modules_pending_unload)))
> + pa_module_unload(c, m, true);
> }
>
> void pa_module_unload_request(pa_module *m, bool force) {
> @@ -322,6 +320,7 @@ void pa_module_unload_request(pa_module *m, bool force) {
> return;
>
> m->unload_requested = true;
> + pa_hashmap_put(m->core->modules_pending_unload, m, m);
>
> if (!m->core->module_defer_unload_event)
> m->core->module_defer_unload_event = m->core->mainloop->defer_new(m->core->mainloop, defer_cb, m->core);
>
--
David Henningsson, Canonical Ltd.
https://launchpad.net/~diwic
More information about the pulseaudio-discuss
mailing list