[PATCH] server: Fix crash when accessing client which is already freed

Hyunkook Khang hyunkook.khang at lge.com
Wed Sep 21 07:08:41 UTC 2016


While processing pending data, the client could be destroyed in the middle of
the process (e.g. by invoking wl_display_flush_clients()).
In this case, the client will be freed, but we are still processing the data
of the client, so it could cause a crash.

To avoid this, instead of destroying the client directly,
just set the error here and destroy the client where it needs to be.

Signed-off-by: Hyunkook Khang <hyunkook.khang at lge.com>
---
 src/wayland-server.c |    8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/src/wayland-server.c b/src/wayland-server.c
index 9d7d9c1..89d0bac 100644
--- a/src/wayland-server.c
+++ b/src/wayland-server.c
@@ -1103,10 +1103,16 @@ wl_display_terminate(struct wl_display *display)
 WL_EXPORT void
 wl_display_run(struct wl_display *display)
 {
+	struct wl_client *client, *next;
+
 	display->run = 1;
 
 	while (display->run) {
 		wl_display_flush_clients(display);
+		wl_list_for_each_safe(client, next, &display->client_list, link) {
+			if (client->error)
+				wl_client_destroy(client);
+		}
 		wl_event_loop_dispatch(display->loop, -1);
 	}
 }
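Review bot: The deferred destroy sweep added inside the while loop of wl_display_run() is the only place where a client with client->error set is actually destroyed, so any caller that invokes wl_display_flush_clients() without going through wl_display_run() will mark clients and never free them. Consider moving the wl_list_for_each_safe() sweep into a helper that every flush path reaches, or documenting that callers of wl_display_flush_clients() must now perform the destroy themselves. Note also that the sweep runs only once per loop iteration, before wl_event_loop_dispatch(display->loop, -1), so a client marked during dispatch stays in display->client_list until dispatch returns; code that walks the list in that window should check client->error before using the client.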
@@ -1124,7 +1130,7 @@ wl_display_flush_clients(struct wl_display *display)
 						  WL_EVENT_WRITABLE |
 						  WL_EVENT_READABLE);
 		} else if (ret < 0) {
-			wl_client_destroy(client);
+			client->error = 1;
 		}
 	}
 }
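Review bot: In the ret < 0 branch, client->error = 1 discards the failure value and reuses a field whose other readers are not shown in this patch, so it is unclear whether setting it here changes behaviour elsewhere. The diffstat shows no struct change, so the field already exists with some meaning; please state in the commit message or a comment what a non-zero client->error is expected to trigger, and consider storing the real error code rather than the constant 1. Since the client now stays in the list after a failed flush, a later wl_display_flush_clients() call will attempt to flush it again; skipping clients that already have client->error set at the top of the loop would avoid repeated writes to a dead connection.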
-- 
1.7.9.5
