meta-pipewire/recipes-multimedia/pipewire/pipewire/0002-Revert-loop-remove-destroy-list.patch

   1 From 16f63a3c8fa227625bade5a9edea22354b347d18 Mon Sep 17 00:00:00 2001
   2 From: =?UTF-8?q?Barnab=C3=A1s=20P=C5=91cze?= <pobrn@protonmail.com>
   3 Date: Fri, 18 Feb 2022 18:36:36 +0100
   4 Subject: [PATCH] Revert "loop: remove destroy list"
   5
   6 This reverts commit c474846c42967c44db069a23b76a29da6f496f33.
   7 In addition, `s->loop` is also checked before dispatching a source.
   8
   9 The destroy list is needed in the presence of threads. The
  10 issue is that a source may be destroyed between `epoll_wait()`
  11 returning and thread loop lock being acquired. If this
  12 source is active, then a use-after-free will be triggered
  13 when the thread loop acquires the lock and starts dispatching
  14 the sources.
  15
  16   thread 1                       thread 2
  17  ----------                     ----------
  18                                 loop_iterate
  19                                   spa_loop_control_hook_before
  20                                     // release lock
  21
  22  pw_thread_loop_lock
  23
  24                                   spa_system_pollfd_wait
  25                                     // assume it returns with source A
  26
  27  pw_loop_destroy_source(..., A)
  28   // frees storage of A
  29
  30  pw_thread_loop_unlock
  31                                   spa_loop_control_hook_after
  32                                     // acquire the lock
  33
  34                                   for (...) {
  35                                     struct spa_source *s = ep[i].data;
  36                                     s->rmask = ep[i].events;
  37                                       // use-after-free if `s` refers to
  38                                       // the previously freed `A`
  39
  40 Fixes #2147
  41
  42 Upstream-Status: Backport [https://gitlab.freedesktop.org/pipewire/pipewire/-/commit/16f63a3c]
  43 Signed-off-by: Scott Murray <scott.murray@konsulko.com>
  44
  45 ---
  46  spa/plugins/support/loop.c | 19 +++++++++++++++++--
  47  1 file changed, 17 insertions(+), 2 deletions(-)
  48
  49 diff --git a/spa/plugins/support/loop.c b/spa/plugins/support/loop.c
  50 index 0588ce770..04739eb2a 100644
  51 --- a/spa/plugins/support/loop.c
  52 +++ b/spa/plugins/support/loop.c
  53 @@ -75,6 +75,7 @@ struct impl {
  54          struct spa_system *system;
  55
  56         struct spa_list source_list;
  57 +       struct spa_list destroy_list;
  58         struct spa_hook_list hooks_list;
  59
  60         int poll_fd;
  61 @@ -325,6 +326,14 @@ static void loop_leave(void *object)
  62                 impl->thread = 0;
  63  }
  64
  65 +static inline void process_destroy(struct impl *impl)
  66 +{
  67 +       struct source_impl *source, *tmp;
  68 +       spa_list_for_each_safe(source, tmp, &impl->destroy_list, link)
  69 +               free(source);
  70 +       spa_list_init(&impl->destroy_list);
  71 +}
  72 +
  73  static int loop_iterate(void *object, int timeout)
  74  {
  75         struct impl *impl = object;
  76 @@ -354,11 +363,14 @@ static int loop_iterate(void *object, int timeout)
  77         }
  78         for (i = 0; i < nfds; i++) {
  79                 struct spa_source *s = ep[i].data;
  80 -               if (SPA_LIKELY(s && s->rmask)) {
  81 +               if (SPA_LIKELY(s && s->rmask && s->loop)) {
  82                         s->priv = NULL;
  83                         s->func(s);
  84                 }
  85         }
  86 +       if (SPA_UNLIKELY(!spa_list_is_empty(&impl->destroy_list)))
  87 +               process_destroy(impl);
  88 +
  89         return nfds;
  90  }
  91
  92 @@ -712,7 +724,7 @@ static void loop_destroy_source(void *object, struct spa_source *source)
  93                 spa_system_close(impl->impl->system, source->fd);
  94                 source->fd = -1;
  95         }
  96 -       free(source);
  97 +       spa_list_insert(&impl->impl->destroy_list, &impl->link);
  98  }
  99
 100  static const struct spa_loop_methods impl_loop = {
 101 @@ -783,6 +795,8 @@ static int impl_clear(struct spa_handle *handle)
 102         spa_list_consume(source, &impl->source_list, link)
 103                 loop_destroy_source(impl, &source->source);
 104
 105 +       process_destroy(impl);
 106 +
 107         spa_system_close(impl->system, impl->ack_fd);
 108         spa_system_close(impl->system, impl->poll_fd);
 109
 110 @@ -844,6 +858,7 @@ impl_init(const struct spa_handle_factory *factory,
 111         impl->poll_fd = res;
 112
 113         spa_list_init(&impl->source_list);
 114 +       spa_list_init(&impl->destroy_list);
 115         spa_hook_list_init(&impl->hooks_list);
 116
 117         impl->buffer_data = SPA_PTR_ALIGN(impl->buffer_mem, MAX_ALIGN, uint8_t);
 118 --
 119 2.35.1
 120