[pulseaudio-discuss] [PATCH 1/2] echo-cancel: ignore remaining canceller messages after the module has been unloaded
Tanu Kaskinen
tanuk at iki.fi
Thu Nov 9 12:12:33 UTC 2017
Not ignoring the messages caused crashing due to accessing the userdata
after it had been freed.
BugLink: https://bugs.freedesktop.org/show_bug.cgi?id=103528
---
src/modules/echo-cancel/module-echo-cancel.c | 19 +++++++++++++++++++
1 file changed, 19 insertions(+)
diff --git a/src/modules/echo-cancel/module-echo-cancel.c b/src/modules/echo-cancel/module-echo-cancel.c
index b28d60a60..ee3725abd 100644
--- a/src/modules/echo-cancel/module-echo-cancel.c
+++ b/src/modules/echo-cancel/module-echo-cancel.c
@@ -184,6 +184,7 @@ struct userdata;
struct pa_echo_canceller_msg {
pa_msgobject parent;
+ bool dead;
struct userdata *userdata;
};
@@ -1553,6 +1554,20 @@ static int canceller_process_msg_cb(pa_msgobject *o, int code, void *userdata, i
pa_assert(o);
msg = PA_ECHO_CANCELLER_MSG(o);
+
+ /* When the module is unloaded, there may still remain queued messages for
+ * the canceller. Messages are sent to the main thread using the master
+ * source's asyncmsgq, and that message queue isn't (and can't be, at least
+ * with the current asyncmsgq API) cleared from the canceller messages when
+ * module-echo-cancel is unloaded.
+ *
+ * The userdata may already have been freed at this point, but the
+ * asyncmsgq holds a reference to the pa_echo_canceller_msg object, which
+ * contains a flag to indicate that all remaining messages have to be
+ * ignored. */
+ if (msg->dead)
+ return 0;
+
u = msg->userdata;
switch (code) {
@@ -2149,6 +2164,9 @@ void pa__done(pa_module*m) {
if (u->ec->done)
u->ec->done(u->ec);
+ if (u->ec->msg)
+ u->ec->msg->dead = true;
+
pa_xfree(u->ec);
}
@@ -2327,6 +2345,7 @@ int main(int argc, char* argv[]) {
}
u.ec->done(u.ec);
+ u.ec->msg->dead = true;
out:
if (u.captured_file)
--
2.14.2
More information about the pulseaudio-discuss
mailing list