[PATCH v2] xf86: take next pointer before calling handler

Aaron Plattner aplattner at nvidia.com
Thu Dec 6 15:46:12 PST 2012 

Seems fine.

Reviewed-by: Aaron Plattner <aplattner at nvidia.com>

--
Aaron

On 12/04/2012 02:21 AM, Maarten Lankhorst wrote:
> Stopping acpid before Xorg with valgrind --free-fill=df results in this crash backtrace:
>
> ==2670== Invalid read of size 8
> ==2670==    at 0x1B9CB0: xf86Wakeup (xf86Events.c:276)
> ==2670==    by 0x1687B2: WakeupHandler (dixutils.c:423)
> ==2670==    by 0x334793: WaitForSomething (WaitFor.c:224)
> ==2670==    by 0x159E4B: Dispatch (dispatch.c:357)
> ==2670==    by 0x14AA78: main (main.c:295)
> ==2670==  Address 0x783aa90 is 32 bytes inside a block of size 40 free'd
> ==2670==    at 0x4C2A739: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
> ==2670==    by 0x1BA8CA: removeInputHandler (xf86Events.c:645)
> ==2670==    by 0x1BA96D: xf86RemoveGeneralHandler (xf86Events.c:681)
> ==2670==    by 0x1F106C: lnxCloseACPI (lnx_acpi.c:174)
> ==2670==    by 0x1F0CC7: lnxACPIGetEventFromOs (lnx_acpi.c:68)
> ==2670==    by 0x1CCF49: xf86HandlePMEvents (xf86PM.c:208)
> ==2670==    by 0x1B9CAB: xf86Wakeup (xf86Events.c:279)
> ==2670==    by 0x1687B2: WakeupHandler (dixutils.c:423)
> ==2670==    by 0x334793: WaitForSomething (WaitFor.c:224)
> ==2670==    by 0x159E4B: Dispatch (dispatch.c:357)
> ==2670==    by 0x14AA78: main (main.c:295)
> ==2670==
> ==2670== Invalid read of size 4
> ==2670==    at 0x1B9C29: xf86Wakeup (xf86Events.c:277)
> ==2670==    by 0x1687B2: WakeupHandler (dixutils.c:423)
> ==2670==    by 0x334793: WaitForSomething (WaitFor.c:224)
> ==2670==    by 0x159E4B: Dispatch (dispatch.c:357)
> ==2670==    by 0x14AA78: main (main.c:295)
> ==2670==  Address 0xdfdfdfdfdfdfdff7 is not stack'd, malloc'd or (recently) free'd
> ==2670==
> (EE)==2670==
> ==2670== Process terminating with default action of signal 11 (SIGSEGV): dumping core
>
> Taking a pointer to ih->next before calling the event handler fixes this.
>
> Signed-off-by: Maarten Lankhorst <maarten.lankhorst at canonical.com>
>
> Changes since v1:
> - Use nt_list_for_each_entry_safe, as suggested by Aaron Plattner
>
> ---
> diff --git a/hw/xfree86/common/xf86Events.c b/hw/xfree86/common/xf86Events.c
> index 41ffabd..6082bee 100644
> --- a/hw/xfree86/common/xf86Events.c
> +++ b/hw/xfree86/common/xf86Events.c
> @@ -270,10 +270,10 @@ xf86Wakeup(pointer blockData, int err, pointer pReadmask)
>   	}
>       }
>
> -    if (err >= 0) { /* we don't want the handlers called if select() */
> -	IHPtr ih;   /* returned with an error condition, do we?      */
> -	
> -	for (ih = InputHandlers; ih; ih = ih->next) {
> +    if (err >= 0) {       /* we don't want the handlers called if select() */
> +        IHPtr ih, ih_tmp; /* returned with an error condition, do we?      */
> +
> +        nt_list_for_each_entry_safe(ih, ih_tmp, InputHandlers, next) {
>   	    if (ih->enabled && ih->fd >= 0 && ih->ihproc &&
>   		(FD_ISSET(ih->fd, ((fd_set *)pReadmask)) != 0)) {
>   		ih->ihproc(ih->fd, ih->data);
>
>

More information about the xorg-devel mailing list