[PATCH weston] desktop-shell: destroy shell client surfaces in handle_shell_client_destroy
Derek Foreman
derekf at osg.samsung.com
Fri May 29 07:49:52 PDT 2015
On 29/05/15 04:02 AM, Pekka Paalanen wrote:
> On Tue, 26 May 2015 14:24:37 -0500
> Derek Foreman <derekf at osg.samsung.com> wrote:
>
>> This prevents a use after free when the surfaces are automatically cleaned
>> up later, as shell_client's entry was still in the surface list.
>>
>> Signed-off-by: Derek Foreman <derekf at osg.samsung.com>
>> ---
>>
>> I'm not really well versed in this, so would appreciate extra critical
>> review here, as this trivial patch may be trivially wrong. :)
>>
>> This stops a use after free (as detected by valgrind) when closing, for
>> example, weston-terminal.
>>
>> desktop-shell/shell.c | 5 +++++
>> 1 file changed, 5 insertions(+)
>>
>> diff --git a/desktop-shell/shell.c b/desktop-shell/shell.c
>> index fe620cb..b1bba44 100644
>> --- a/desktop-shell/shell.c
>> +++ b/desktop-shell/shell.c
>> @@ -5817,11 +5817,16 @@ launch_desktop_shell_process(void *data)
>> static void
>> handle_shell_client_destroy(struct wl_listener *listener, void *data)
>> {
>> + struct wl_resource *shsurf_resource, *next;
>> struct shell_client *sc =
>> container_of(listener, struct shell_client, destroy_listener);
>>
>> if (sc->ping_timer)
>> wl_event_source_remove(sc->ping_timer);
>> +
>> + wl_resource_for_each_safe(shsurf_resource, next, &sc->surface_list)
>> + wl_resource_destroy(shsurf_resource);
>> +
>> free(sc);
>> }
>>
>
> Yeah, you cannot go calling wl_resource_destroy() unless the protocol
> specification explicitly states that the protocol object gets destroyed.
>
> However, this is a client destroy handler, which means no requests from
> this client will ever be processed anymore. In that sense this is safe.
> Client destroy handlers get called before the client resources are
> destroyed, that's why this works.
>
> I think this patch is a hack, and may hide actual bugs. Such
> use-after-free problems imply that something is not tracking object
> lifetimes properly. There is a good chance client tear-down is not the
> only case where the bug is hit. Therefore it would be much better to
> fix the object tracking to deal with arbitrary wl_resource destruction
> order, even if the protocol spec says a particular destruction order is
> illegal for a client to do.
>
> That's why: NAK.
Fair enough - how about if I just drop the shell client out of the
linked list at this point instead? I originally wrote it that way but
it felt like a leak. :/
Then the rest of the clean up will proceed normally and nothing will try
to frob the freed linked list node from struct shell_client.
The reason the destruction order matters here is that the surfaces are
all in a linked list with the shell client at the head of it. I'm not
really sure it's an indication of wide scale object lifetime mismanagement?
More information about the wayland-devel
mailing list