Oldřich Jedlička wrote: > When an input driver (like xf86-input-wacom) removes it's devices > during a call to UnInit, the CloseDownDevices() cannot handle it. The > "next" variable can become a pointer to freed memory. > > The patch fixes the problem by introducing a pointer to the value > holding the reference to the driver that is currently being freed. I see the problem, but I don't see why prev is not prone to pointing into the void. What if DIDR ends up freeing *prev's storage? Not that it's likely but I also don't see what might rule it out.
> > Signed-off-by: Oldřich Jedlička <[email protected]> > --- > dix/devices.c | 18 +++++++++++++----- > 1 files changed, 13 insertions(+), 5 deletions(-) > > diff --git a/dix/devices.c b/dix/devices.c > index 245a95b..e4bd908 100644 > --- a/dix/devices.c > +++ b/dix/devices.c > @@ -884,7 +884,7 @@ CloseDevice(DeviceIntPtr dev) > void > CloseDownDevices(void) > { > - DeviceIntPtr dev, next; > + DeviceIntPtr dev, *prev; > > /* Float all SDs before closing them. Note that at this point resources > * (e.g. cursors) have been freed already, so we can't just call > @@ -897,15 +897,23 @@ CloseDownDevices(void) > dev->u.master = NULL; > } > > - for (dev = inputInfo.devices; dev; dev = next) > + for (prev = &inputInfo.devices, dev = *prev; dev; dev = *prev) > { > - next = dev->next; > DeleteInputDeviceRequest(dev); > + if (*prev == dev) > + { > + /* Device not freed, move to the next one */ > + prev = &dev->next; > + } > } > - for (dev = inputInfo.off_devices; dev; dev = next) > + for (prev = &inputInfo.off_devices, dev = *prev; dev; dev = *prev) > { > - next = dev->next; > DeleteInputDeviceRequest(dev); > + if (*prev == dev) > + { > + /* Device not freed, move to the next one */ > + prev = &dev->next; > + } > } > > CloseDevice(inputInfo.pointer); _______________________________________________ xorg-devel mailing list [email protected] http://lists.x.org/mailman/listinfo/xorg-devel
