When an input driver (like xf86-input-wacom) removes its devices during a call to UnInit, the CloseDownDevices() cannot handle it. The "next" variable can become a pointer to freed memory.
The patch fixes the problem by introducing a pointer to the value holding the reference to the driver that is currently being freed. Signed-off-by: Oldřich Jedlička <[email protected]> --- dix/devices.c | 18 +++++++++++++----- 1 files changed, 13 insertions(+), 5 deletions(-) diff --git a/dix/devices.c b/dix/devices.c index 245a95b..e4bd908 100644 --- a/dix/devices.c +++ b/dix/devices.c @@ -884,7 +884,7 @@ CloseDevice(DeviceIntPtr dev) void CloseDownDevices(void) { - DeviceIntPtr dev, next; + DeviceIntPtr dev, *prev; /* Float all SDs before closing them. Note that at this point resources * (e.g. cursors) have been freed already, so we can't just call @@ -897,15 +897,23 @@ CloseDownDevices(void) dev->u.master = NULL; } - for (dev = inputInfo.devices; dev; dev = next) + for (prev = &inputInfo.devices, dev = *prev; dev; dev = *prev) { - next = dev->next; DeleteInputDeviceRequest(dev); + if (*prev == dev) + { + /* Device not freed, move to the next one */ + prev = &dev->next; + } } - for (dev = inputInfo.off_devices; dev; dev = next) + for (prev = &inputInfo.off_devices, dev = *prev; dev; dev = *prev) { - next = dev->next; DeleteInputDeviceRequest(dev); + if (*prev == dev) + { + /* Device not freed, move to the next one */ + prev = &dev->next; + } } CloseDevice(inputInfo.pointer); -- 1.6.6 _______________________________________________ xorg-devel mailing list [email protected] http://lists.x.org/mailman/listinfo/xorg-devel
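Review bot: In the second hunk, `prev = &dev->next;` makes `prev` point into a device that stayed on the list, so the loop is only safe if a later `DeleteInputDeviceRequest(dev)` never removes that earlier, kept device. If a driver's UnInit can remove a device positioned before the current one, `*prev` is read from freed memory, which is the same class of problem the old `next` variable had. Please either document in the comment above the loop that removals are assumed to affect only the current device and those after it, or restart from the list head whenever `*prev != dev` after the call. The `if (*prev == dev)` test also relies on removal always unlinking the device from the list being walked, which deserves a sentence in the "Device not freed" comment. Finally, the bodies of the `inputInfo.devices` and `inputInfo.off_devices` loops are now identical; a small static helper taking the list head as a `DeviceIntPtr *` would keep the two from drifting apart.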
