author | Olivier Fourdan <ofourdan@redhat.com> | 2020-10-26 18:34:05 +0100 |
---|---|---|
committer | Carlos Garnacho <carlosg@gnome.org> | 2020-10-26 18:19:31 +0000 |
commit | 8711d8d5914df8e19a907105d9fa7139221f21b4 (patch) | |
tree | 8eba0fa5c5a4268c10edf48eac12029f3ea8ff9b /src | |
parent | b1700c3f7b59e75d82ae4dea98c55c8c44e26f3a (diff) | |
backend: Keep a refcount on backend's current_device
Otherwise we might run into a use-after-free and crash on (virtual)
device removal:
Invalid read of size 8
at clutter_input_device_get_device_type (clutter-input-device.c:811)
by update_last_device (meta-backend.c:1282)
by g_main_dispatch (gmain.c:3325)
by g_main_context_dispatch (gmain.c:4016)
by g_main_context_iterate.constprop.0 (gmain.c:4092)
by g_main_loop_run (gmain.c:4290)
by meta_run_main_loop (main.c:708)
by meta_run (main.c:723)
by main (main.c:550)
Address is 32 bytes inside a block of size 504 free'd
at free (vg_replace_malloc.c:538)
by g_type_free_instance (gtype.c:1939)
by clutter_event_free (clutter-event.c:1420)
by _clutter_stage_process_queued_events (clutter-stage.c:830)
by handle_frame_clock_before_frame (clutter-stage-view.c:1064)
by clutter_frame_clock_dispatch (clutter-frame-clock.c:405)
by frame_clock_source_dispatch (clutter-frame-clock.c:456)
by g_main_dispatch (gmain.c:3325)
by g_main_context_dispatch (gmain.c:4016)
by g_main_context_iterate.constprop.0 (gmain.c:4092)
by g_main_loop_run (gmain.c:4290)
by meta_run_main_loop (main.c:708)
by meta_run (main.c:723)
Block was alloc'd at
at malloc (vg_replace_malloc.c:307)
by g_malloc (gmem.c:106)
by g_slice_alloc (gslice.c:1025)
by g_slice_alloc0 (gslice.c:1051)
by g_type_create_instance (gtype.c:1839)
by g_object_new_internal (gobject.c:1939)
by g_object_new_valist (gobject.c:2264)
by g_object_new (gobject.c:1782)
by meta_input_device_native_new_virtual (meta-input-device-native.c:1365)
by meta_virtual_input_device_native_constructed (meta-virtual-input-device-native.c:705)
by g_object_new_internal (gobject.c:1979)
by g_object_new_valist (gobject.c:2264)
Suggested-by: Carlos Garnacho <carlosg@gnome.org>
https://gitlab.gnome.org/GNOME/mutter/-/merge_requests/1529
Diffstat (limited to 'src')
-rw-r--r-- | src/backends/meta-backend.c | 5 |
1 files changed, 3 insertions, 2 deletions
diff --git a/src/backends/meta-backend.c b/src/backends/meta-backend.c
index ac8cee418..d8e691f3b 100644
--- a/src/backends/meta-backend.c
+++ b/src/backends/meta-backend.c
@@ -199,6 +199,7 @@ meta_backend_finalize (GObject *object)
 g_list_free_full (priv->gpus, g_object_unref);
+ g_clear_object (&priv->current_device);
 g_clear_object (&priv->monitor_manager);
 g_clear_object (&priv->orientation_manager);
 g_clear_object (&priv->input_settings);
@@ -412,7 +413,7 @@ on_device_removed (ClutterSeat *seat,
 gboolean has_touchscreen, has_pointing_device;
 ClutterInputDeviceType device_type;
- priv->current_device = NULL;
+ g_clear_object (&priv->current_device);
 g_clear_handle_id (&priv->device_update_idle_id, g_source_remove);
 device_type = clutter_input_device_get_device_type (device);
@@ -1297,7 +1298,7 @@ meta_backend_update_last_device (MetaBackend *backend,
 clutter_input_device_get_device_mode (device) == CLUTTER_INPUT_MODE_LOGICAL)
 return;
- priv->current_device = device;
+ g_set_object (&priv->current_device, device);
 if (priv->device_update_idle_id == 0)
 {
|
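Review bot: The added `g_clear_object (&priv->current_device);` in meta_backend_finalize drops the device reference, but the visible lines do not show the pending idle source being cancelled. If `priv->device_update_idle_id` can still be non-zero at this point, the idle callback from the commit's trace (update_last_device) could run against a finalized backend, which is the same class of use-after-free this commit fixes. Unless it is already handled elsewhere, add `g_clear_handle_id (&priv->device_update_idle_id, g_source_remove);` beside the new line, as on_device_removed does. The function body starts and continues outside the hunk, so this may already be present.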
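Review bot: With `g_set_object (&priv->current_device, device);` in meta_backend_update_last_device, `priv->current_device` changes from a borrowed pointer to an owned reference, and nothing in the hunk records that ownership. A short comment at the assignment, such as `/* Owned reference; released in on_device_removed() and meta_backend_finalize() */`, would stop a later plain assignment from leaking the reference or reintroducing the dangling pointer. The same comment belongs on the field declaration, which is outside this diff. The enclosing function starts and ends outside the hunk.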