From 5c5f0272d9fa9bdcb3a2ef33fff1525ad8fa265c Mon Sep 17 00:00:00 2001 From: "Miguel A. Vico" Date: Wed, 25 Sep 2019 11:28:13 -0700 Subject: [PATCH] compositor: Do not trigger invalid destructors when hotunplugging When hotunplugging a display, the compositor will tear the top-level wet_output object down, freeing its memory. However, destruction of the backend output might be delayed in certain situations (e.g. destroying DRM output while in the middle of a page flip). When the backend output is finally destroyed, it will trigger a destruction callback previously added by the compositor, which point to data belonging to the top-level wet_output object. In order to avoid access to invalid data when the backend output is destroyed after the top-level wet_output object, remove the destruction callback from the corresponding list before freeing the object. Signed-off-by: Miguel A Vico Moya --- compositor/main.c | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) diff --git a/compositor/main.c b/compositor/main.c index 13ca00f3..6a0c9e55 100644 --- a/compositor/main.c +++ b/compositor/main.c @@ -1859,8 +1859,16 @@ wet_output_from_weston_output(struct weston_output *base) static void wet_output_destroy(struct wet_output *output) { - if (output->output) - weston_output_destroy(output->output); + if (output->output) { + /* output->output destruction may be deferred in some cases (see + * drm_output_destroy()), so we need to forcibly trigger the + * destruction callback now, or otherwise would later access + * data that we are about to free + */ + struct weston_output *save = output->output; + wet_output_handle_destroy(&output->output_destroy_listener, save); + weston_output_destroy(save); + } wl_list_remove(&output->link); free(output);