2023-02-08 18:12:00 +01:00
|
|
|
/* Spa */
|
|
|
|
|
/* SPDX-FileCopyrightText: Copyright © 2018 Wim Taymans */
|
|
|
|
|
/* SPDX-License-Identifier: MIT */
|
2017-06-14 16:10:07 +02:00
|
|
|
|
|
|
|
|
#include <unistd.h>
|
|
|
|
|
#include <errno.h>
|
|
|
|
|
#include <sys/types.h>
|
|
|
|
|
#include <signal.h>
|
|
|
|
|
#include <stdlib.h>
|
|
|
|
|
#include <stdio.h>
|
|
|
|
|
#include <pthread.h>
|
|
|
|
|
|
2017-11-10 13:36:14 +01:00
|
|
|
#include <spa/support/loop.h>
|
2019-06-04 17:07:34 +02:00
|
|
|
#include <spa/support/system.h>
|
2017-11-10 13:36:14 +01:00
|
|
|
#include <spa/support/log.h>
|
|
|
|
|
#include <spa/support/plugin.h>
|
|
|
|
|
#include <spa/utils/list.h>
|
2019-06-21 13:31:34 +02:00
|
|
|
#include <spa/utils/names.h>
|
2019-02-20 17:51:05 +01:00
|
|
|
#include <spa/utils/result.h>
|
2018-08-23 17:47:57 +02:00
|
|
|
#include <spa/utils/type.h>
|
2017-11-10 13:36:14 +01:00
|
|
|
#include <spa/utils/ringbuffer.h>
|
2021-05-18 11:36:13 +10:00
|
|
|
#include <spa/utils/string.h>
|
2017-06-14 16:10:07 +02:00
|
|
|
|
2021-09-27 15:31:35 +10:00
|
|
|
static struct spa_log_topic log_topic = SPA_LOG_TOPIC(0, "spa.loop");
|
|
|
|
|
#undef SPA_LOG_TOPIC_DEFAULT
|
|
|
|
|
#define SPA_LOG_TOPIC_DEFAULT &log_topic
|
2017-06-14 16:10:07 +02:00
|
|
|
|
2022-01-03 11:14:15 +01:00
|
|
|
#define MAX_ALIGN 8
|
|
|
|
|
#define ITEM_ALIGN 8
|
|
|
|
|
#define DATAS_SIZE (4096*8)
|
2022-02-08 10:09:06 +01:00
|
|
|
#define MAX_EP 32
|
2017-06-14 16:10:07 +02:00
|
|
|
|
|
|
|
|
/** \cond */
|
|
|
|
|
|
|
|
|
|
struct invoke_item {
|
|
|
|
|
size_t item_size;
|
|
|
|
|
spa_invoke_func_t func;
|
|
|
|
|
uint32_t seq;
|
|
|
|
|
void *data;
|
2017-11-20 15:26:44 +01:00
|
|
|
size_t size;
|
2017-06-26 10:41:19 +02:00
|
|
|
bool block;
|
2017-06-14 16:10:07 +02:00
|
|
|
void *user_data;
|
2017-06-26 10:41:19 +02:00
|
|
|
int res;
|
2017-06-14 16:10:07 +02:00
|
|
|
};
|
|
|
|
|
|
2019-06-19 18:15:04 +02:00
|
|
|
static int loop_signal_event(void *object, struct spa_source *source);
|
2017-06-26 10:41:19 +02:00
|
|
|
|
2017-06-14 16:10:07 +02:00
|
|
|
struct impl {
|
|
|
|
|
struct spa_handle handle;
|
|
|
|
|
struct spa_loop loop;
|
|
|
|
|
struct spa_loop_control control;
|
|
|
|
|
struct spa_loop_utils utils;
|
|
|
|
|
|
|
|
|
|
struct spa_log *log;
|
2019-06-04 17:07:34 +02:00
|
|
|
struct spa_system *system;
|
2017-06-14 16:10:07 +02:00
|
|
|
|
|
|
|
|
struct spa_list source_list;
|
2022-02-18 18:36:36 +01:00
|
|
|
struct spa_list destroy_list;
|
2017-08-08 16:56:29 +02:00
|
|
|
struct spa_hook_list hooks_list;
|
2017-06-14 16:10:07 +02:00
|
|
|
|
2019-06-06 15:21:40 +02:00
|
|
|
int poll_fd;
|
2017-06-14 16:10:07 +02:00
|
|
|
pthread_t thread;
|
2022-02-08 10:58:36 +01:00
|
|
|
int enter_count;
|
2017-06-14 16:10:07 +02:00
|
|
|
|
2017-06-26 10:41:19 +02:00
|
|
|
struct spa_source *wakeup;
|
|
|
|
|
int ack_fd;
|
2017-06-14 16:10:07 +02:00
|
|
|
|
|
|
|
|
struct spa_ringbuffer buffer;
|
2020-12-21 20:46:13 +01:00
|
|
|
uint8_t *buffer_data;
|
2022-01-03 11:14:15 +01:00
|
|
|
uint8_t buffer_mem[DATAS_SIZE + MAX_ALIGN];
|
2020-09-17 11:45:25 +02:00
|
|
|
|
2022-12-07 21:18:16 +01:00
|
|
|
uint32_t flush_count;
|
2022-02-19 11:44:04 +01:00
|
|
|
unsigned int polling:1;
|
2017-06-14 16:10:07 +02:00
|
|
|
};
|
|
|
|
|
|
|
|
|
|
struct source_impl {
|
|
|
|
|
struct spa_source source;
|
|
|
|
|
|
|
|
|
|
struct impl *impl;
|
|
|
|
|
struct spa_list link;
|
|
|
|
|
|
|
|
|
|
union {
|
|
|
|
|
spa_source_io_func_t io;
|
|
|
|
|
spa_source_idle_func_t idle;
|
|
|
|
|
spa_source_event_func_t event;
|
|
|
|
|
spa_source_timer_func_t timer;
|
|
|
|
|
spa_source_signal_func_t signal;
|
|
|
|
|
} func;
|
2022-02-19 15:12:31 +01:00
|
|
|
|
2020-04-14 18:05:45 +02:00
|
|
|
struct spa_source *fallback;
|
2022-02-19 15:12:31 +01:00
|
|
|
|
|
|
|
|
bool close;
|
|
|
|
|
bool enabled;
|
2017-06-14 16:10:07 +02:00
|
|
|
};
|
|
|
|
|
/** \endcond */
|
|
|
|
|
|
2019-05-20 16:11:23 +02:00
|
|
|
static int loop_add_source(void *object, struct spa_source *source)
|
2017-06-14 16:10:07 +02:00
|
|
|
{
|
2019-05-20 16:11:23 +02:00
|
|
|
struct impl *impl = object;
|
2019-05-23 15:11:49 +02:00
|
|
|
source->loop = &impl->loop;
|
2022-02-08 17:21:10 +01:00
|
|
|
source->priv = NULL;
|
2022-02-19 09:40:27 +01:00
|
|
|
source->rmask = 0;
|
2019-06-06 15:21:40 +02:00
|
|
|
return spa_system_pollfd_add(impl->system, impl->poll_fd, source->fd, source->mask, source);
|
2017-06-14 16:10:07 +02:00
|
|
|
}
|
|
|
|
|
|
2019-05-20 16:11:23 +02:00
|
|
|
static int loop_update_source(void *object, struct spa_source *source)
|
2017-06-14 16:10:07 +02:00
|
|
|
{
|
2019-05-20 16:11:23 +02:00
|
|
|
struct impl *impl = object;
|
2022-02-19 14:12:44 +01:00
|
|
|
|
|
|
|
|
spa_assert(source->loop == &impl->loop);
|
|
|
|
|
|
2019-06-06 15:21:40 +02:00
|
|
|
return spa_system_pollfd_mod(impl->system, impl->poll_fd, source->fd, source->mask, source);
|
2017-06-14 16:10:07 +02:00
|
|
|
}
|
|
|
|
|
|
spa: support: loop: fix use-after-free when loop is reentered
The core of the issue is the following: what happens if an
active source is destroyed before it could be dispatched?
For loop-managed sources (`struct source_impl`) this was addressed
by storing all destroyed sources in a list, and only freeing them
after dispatching has been finished. (0eb73f0f06a2e40362990080007db295141f6f1f)
This approach works for both strictly single-threaded
and `pw_thread_loop` loops assuming the loop is not
reentered.
However, if the loop is reentered, there can still be issues.
Assume that in one iteration sources A and B are active,
and returned from the system call, and source B is destroyed
before the loop starts dispatching. Consider what happens when
"A" is dispatched first, and it reenters the loop with timeout 0.
Imagine there are no new events, so `loop_iterate()` will immediately
return, but it will first destroy everything in the destroy list
(this is done at the end of `loop_iterate()`).
And herein lies the problem. In the previous iteration,
there exists a `spa_poll_event` object which points to source "B",
but that has just been destroyed at the end of the recursive
iteration. This will trigger a use-after-free once the previous
iteration inspects it.
Fix that by processing the destroy list right after first
processing the returned `spa_poll_event` objects, and
"detach" the source from the loop and its iterations
in `process_destroy()` before the source is destroyed.
See #2114 #2147
2022-02-19 13:31:01 +01:00
|
|
|
static void detach_source(struct spa_source *source)
|
2017-06-14 16:10:07 +02:00
|
|
|
{
|
2022-02-08 17:21:10 +01:00
|
|
|
struct spa_poll_event *e;
|
2022-02-19 14:12:44 +01:00
|
|
|
|
spa: support: loop: fix use-after-free when loop is reentered
The core of the issue is the following: what happens if an
active source is destroyed before it could be dispatched?
For loop-managed sources (`struct source_impl`) this was addressed
by storing all destroyed sources in a list, and only freeing them
after dispatching has been finished. (0eb73f0f06a2e40362990080007db295141f6f1f)
This approach works for both strictly single-threaded
and `pw_thread_loop` loops assuming the loop is not
reentered.
However, if the loop is reentered, there can still be issues.
Assume that in one iteration sources A and B are active,
and returned from the system call, and source B is destroyed
before the loop starts dispatching. Consider what happens when
"A" is dispatched first, and it reenters the loop with timeout 0.
Imagine there are no new events, so `loop_iterate()` will immediately
return, but it will first destroy everything in the destroy list
(this is done at the end of `loop_iterate()`).
And herein lies the problem. In the previous iteration,
there exists a `spa_poll_event` object which points to source "B",
but that has just been destroyed at the end of the recursive
iteration. This will trigger a use-after-free once the previous
iteration inspects it.
Fix that by processing the destroy list right after first
processing the returned `spa_poll_event` objects, and
"detach" the source from the loop and its iterations
in `process_destroy()` before the source is destroyed.
See #2114 #2147
2022-02-19 13:31:01 +01:00
|
|
|
source->loop = NULL;
|
|
|
|
|
source->rmask = 0;
|
2022-02-19 14:12:44 +01:00
|
|
|
|
2022-02-08 17:21:10 +01:00
|
|
|
if ((e = source->priv)) {
|
|
|
|
|
/* active in an iteration of the loop, remove it from there */
|
|
|
|
|
e->data = NULL;
|
|
|
|
|
source->priv = NULL;
|
2022-02-08 10:09:06 +01:00
|
|
|
}
|
spa: support: loop: fix use-after-free when loop is reentered
The core of the issue is the following: what happens if an
active source is destroyed before it could be dispatched?
For loop-managed sources (`struct source_impl`) this was addressed
by storing all destroyed sources in a list, and only freeing them
after dispatching has been finished. (0eb73f0f06a2e40362990080007db295141f6f1f)
This approach works for both strictly single-threaded
and `pw_thread_loop` loops assuming the loop is not
reentered.
However, if the loop is reentered, there can still be issues.
Assume that in one iteration sources A and B are active,
and returned from the system call, and source B is destroyed
before the loop starts dispatching. Consider what happens when
"A" is dispatched first, and it reenters the loop with timeout 0.
Imagine there are no new events, so `loop_iterate()` will immediately
return, but it will first destroy everything in the destroy list
(this is done at the end of `loop_iterate()`).
And herein lies the problem. In the previous iteration,
there exists a `spa_poll_event` object which points to source "B",
but that has just been destroyed at the end of the recursive
iteration. This will trigger a use-after-free once the previous
iteration inspects it.
Fix that by processing the destroy list right after first
processing the returned `spa_poll_event` objects, and
"detach" the source from the loop and its iterations
in `process_destroy()` before the source is destroyed.
See #2114 #2147
2022-02-19 13:31:01 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static int remove_from_poll(struct impl *impl, struct spa_source *source)
|
|
|
|
|
{
|
|
|
|
|
spa_assert(source->loop == &impl->loop);
|
|
|
|
|
|
2019-06-06 15:21:40 +02:00
|
|
|
return spa_system_pollfd_del(impl->system, impl->poll_fd, source->fd);
|
2017-06-14 16:10:07 +02:00
|
|
|
}
|
|
|
|
|
|
spa: support: loop: fix use-after-free when loop is reentered
The core of the issue is the following: what happens if an
active source is destroyed before it could be dispatched?
For loop-managed sources (`struct source_impl`) this was addressed
by storing all destroyed sources in a list, and only freeing them
after dispatching has been finished. (0eb73f0f06a2e40362990080007db295141f6f1f)
This approach works for both strictly single-threaded
and `pw_thread_loop` loops assuming the loop is not
reentered.
However, if the loop is reentered, there can still be issues.
Assume that in one iteration sources A and B are active,
and returned from the system call, and source B is destroyed
before the loop starts dispatching. Consider what happens when
"A" is dispatched first, and it reenters the loop with timeout 0.
Imagine there are no new events, so `loop_iterate()` will immediately
return, but it will first destroy everything in the destroy list
(this is done at the end of `loop_iterate()`).
And herein lies the problem. In the previous iteration,
there exists a `spa_poll_event` object which points to source "B",
but that has just been destroyed at the end of the recursive
iteration. This will trigger a use-after-free once the previous
iteration inspects it.
Fix that by processing the destroy list right after first
processing the returned `spa_poll_event` objects, and
"detach" the source from the loop and its iterations
in `process_destroy()` before the source is destroyed.
See #2114 #2147
2022-02-19 13:31:01 +01:00
|
|
|
static int loop_remove_source(void *object, struct spa_source *source)
|
|
|
|
|
{
|
2022-03-04 16:53:26 +01:00
|
|
|
struct impl *impl = object;
|
|
|
|
|
spa_assert(!impl->polling);
|
|
|
|
|
|
|
|
|
|
int res = remove_from_poll(impl, source);
|
spa: support: loop: fix use-after-free when loop is reentered
The core of the issue is the following: what happens if an
active source is destroyed before it could be dispatched?
For loop-managed sources (`struct source_impl`) this was addressed
by storing all destroyed sources in a list, and only freeing them
after dispatching has been finished. (0eb73f0f06a2e40362990080007db295141f6f1f)
This approach works for both strictly single-threaded
and `pw_thread_loop` loops assuming the loop is not
reentered.
However, if the loop is reentered, there can still be issues.
Assume that in one iteration sources A and B are active,
and returned from the system call, and source B is destroyed
before the loop starts dispatching. Consider what happens when
"A" is dispatched first, and it reenters the loop with timeout 0.
Imagine there are no new events, so `loop_iterate()` will immediately
return, but it will first destroy everything in the destroy list
(this is done at the end of `loop_iterate()`).
And herein lies the problem. In the previous iteration,
there exists a `spa_poll_event` object which points to source "B",
but that has just been destroyed at the end of the recursive
iteration. This will trigger a use-after-free once the previous
iteration inspects it.
Fix that by processing the destroy list right after first
processing the returned `spa_poll_event` objects, and
"detach" the source from the loop and its iterations
in `process_destroy()` before the source is destroyed.
See #2114 #2147
2022-02-19 13:31:01 +01:00
|
|
|
detach_source(source);
|
|
|
|
|
|
|
|
|
|
return res;
|
|
|
|
|
}
|
|
|
|
|
|
2020-11-13 16:50:23 +01:00
|
|
|
static void flush_items(struct impl *impl)
|
2019-08-16 15:04:27 +02:00
|
|
|
{
|
2022-12-07 21:18:16 +01:00
|
|
|
uint32_t index, flush_count;
|
2022-12-08 08:01:40 +01:00
|
|
|
int32_t avail;
|
2019-08-16 15:04:27 +02:00
|
|
|
int res;
|
|
|
|
|
|
2022-12-07 21:18:16 +01:00
|
|
|
flush_count = ++impl->flush_count;
|
2022-12-08 08:01:40 +01:00
|
|
|
avail = spa_ringbuffer_get_read_index(&impl->buffer, &index);
|
|
|
|
|
while (avail > 0) {
|
2019-08-16 15:04:27 +02:00
|
|
|
struct invoke_item *item;
|
|
|
|
|
bool block;
|
2022-12-07 21:18:16 +01:00
|
|
|
spa_invoke_func_t func;
|
2019-08-16 15:04:27 +02:00
|
|
|
|
2021-05-06 13:41:44 +10:00
|
|
|
item = SPA_PTROFF(impl->buffer_data, index & (DATAS_SIZE - 1), struct invoke_item);
|
2019-08-16 15:04:27 +02:00
|
|
|
block = item->block;
|
2022-12-07 21:18:16 +01:00
|
|
|
func = item->func;
|
2019-08-16 15:04:27 +02:00
|
|
|
|
2022-03-28 16:25:00 +02:00
|
|
|
spa_log_trace_fp(impl->log, "%p: flush item %p", impl, item);
|
2022-12-07 21:18:16 +01:00
|
|
|
/* first we remove the function from the item so that recursive
|
|
|
|
|
* calls don't call the callback again. We can't update the
|
|
|
|
|
* read index before we call the function because then the item
|
|
|
|
|
* might get overwritten. */
|
|
|
|
|
item->func = NULL;
|
|
|
|
|
if (func)
|
|
|
|
|
item->res = func(&impl->loop, true, item->seq, item->data,
|
|
|
|
|
item->size, item->user_data);
|
|
|
|
|
|
|
|
|
|
/* if this function did a recursive invoke, it now flushed the
|
|
|
|
|
* ringbuffer and we can exit */
|
|
|
|
|
if (flush_count != impl->flush_count)
|
|
|
|
|
break;
|
|
|
|
|
|
2022-12-08 08:01:40 +01:00
|
|
|
index += item->item_size;
|
|
|
|
|
avail -= item->item_size;
|
|
|
|
|
spa_ringbuffer_read_update(&impl->buffer, index);
|
2019-08-16 15:04:27 +02:00
|
|
|
|
2020-11-13 16:50:23 +01:00
|
|
|
if (block) {
|
2019-08-16 15:04:27 +02:00
|
|
|
if ((res = spa_system_eventfd_write(impl->system, impl->ack_fd, 1)) < 0)
|
2022-11-08 15:45:55 +01:00
|
|
|
spa_log_warn(impl->log, "%p: failed to write event fd:%d: %s",
|
|
|
|
|
impl, impl->ack_fd, spa_strerror(res));
|
2019-08-16 15:04:27 +02:00
|
|
|
}
|
|
|
|
|
}
|
2021-07-26 11:39:48 +02:00
|
|
|
}
|
|
|
|
|
|
2022-12-08 08:01:40 +01:00
|
|
|
static int
|
|
|
|
|
loop_invoke_inthread(struct impl *impl,
|
|
|
|
|
spa_invoke_func_t func,
|
|
|
|
|
uint32_t seq,
|
|
|
|
|
const void *data,
|
|
|
|
|
size_t size,
|
|
|
|
|
bool block,
|
|
|
|
|
void *user_data)
|
|
|
|
|
{
|
|
|
|
|
/* we should probably have a second ringbuffer for the in-thread pending
|
|
|
|
|
* callbacks. A recursive callback when flushing will insert itself
|
|
|
|
|
* before this one. */
|
|
|
|
|
flush_items(impl);
|
|
|
|
|
return func ? func(&impl->loop, true, seq, data, size, user_data) : 0;
|
|
|
|
|
}
|
|
|
|
|
|
2017-06-14 16:10:07 +02:00
|
|
|
static int
|
2019-05-20 16:11:23 +02:00
|
|
|
loop_invoke(void *object,
|
2017-06-26 10:41:19 +02:00
|
|
|
spa_invoke_func_t func,
|
|
|
|
|
uint32_t seq,
|
2017-07-25 19:52:31 +02:00
|
|
|
const void *data,
|
2017-11-20 15:26:44 +01:00
|
|
|
size_t size,
|
2017-06-26 10:41:19 +02:00
|
|
|
bool block,
|
|
|
|
|
void *user_data)
|
2017-06-14 16:10:07 +02:00
|
|
|
{
|
2019-05-20 16:11:23 +02:00
|
|
|
struct impl *impl = object;
|
2017-06-14 16:10:07 +02:00
|
|
|
struct invoke_item *item;
|
|
|
|
|
int res;
|
2020-11-16 15:16:20 +01:00
|
|
|
int32_t filled;
|
|
|
|
|
uint32_t avail, idx, offset, l0;
|
2017-06-14 16:10:07 +02:00
|
|
|
|
2022-12-08 08:01:40 +01:00
|
|
|
/* the ringbuffer can only be written to from one thread, if we are
|
|
|
|
|
* in the same thread as the loop, don't write into the ringbuffer
|
|
|
|
|
* but try to emit the calback right away after flushing what we have */
|
|
|
|
|
if (impl->thread == 0 || pthread_equal(impl->thread, pthread_self()))
|
|
|
|
|
return loop_invoke_inthread(impl, func, seq, data, size, block, user_data);
|
|
|
|
|
|
2020-11-16 15:16:20 +01:00
|
|
|
filled = spa_ringbuffer_get_write_index(&impl->buffer, &idx);
|
|
|
|
|
if (filled < 0 || filled > DATAS_SIZE) {
|
2021-09-27 15:31:35 +10:00
|
|
|
spa_log_warn(impl->log, "%p: queue xrun %d", impl, filled);
|
2020-11-16 15:16:20 +01:00
|
|
|
return -EPIPE;
|
|
|
|
|
}
|
|
|
|
|
avail = DATAS_SIZE - filled;
|
|
|
|
|
if (avail < sizeof(struct invoke_item)) {
|
2021-09-27 15:31:35 +10:00
|
|
|
spa_log_warn(impl->log, "%p: queue full %d", impl, avail);
|
2020-11-16 15:16:20 +01:00
|
|
|
return -EPIPE;
|
|
|
|
|
}
|
|
|
|
|
offset = idx & (DATAS_SIZE - 1);
|
2017-06-14 16:10:07 +02:00
|
|
|
|
2021-07-19 09:53:23 +02:00
|
|
|
/* l0 is remaining size in ringbuffer, this should always be larger than
|
|
|
|
|
* invoke_item, see below */
|
2020-11-16 15:16:20 +01:00
|
|
|
l0 = DATAS_SIZE - offset;
|
|
|
|
|
|
2021-05-06 13:41:44 +10:00
|
|
|
item = SPA_PTROFF(impl->buffer_data, offset, struct invoke_item);
|
2020-11-16 15:16:20 +01:00
|
|
|
item->func = func;
|
|
|
|
|
item->seq = seq;
|
|
|
|
|
item->size = size;
|
2021-07-26 11:39:48 +02:00
|
|
|
item->block = block;
|
2020-11-16 15:16:20 +01:00
|
|
|
item->user_data = user_data;
|
2022-12-07 21:18:16 +01:00
|
|
|
item->res = 0;
|
2022-01-03 11:14:15 +01:00
|
|
|
item->item_size = SPA_ROUND_UP_N(sizeof(struct invoke_item) + size, ITEM_ALIGN);
|
2020-11-16 15:16:20 +01:00
|
|
|
|
2022-03-28 16:25:00 +02:00
|
|
|
spa_log_trace_fp(impl->log, "%p: add item %p filled:%d", impl, item, filled);
|
2020-11-16 15:16:20 +01:00
|
|
|
|
2021-07-19 10:12:15 +02:00
|
|
|
if (l0 >= item->item_size) {
|
2021-07-19 09:53:23 +02:00
|
|
|
/* item + size fit in current ringbuffer idx */
|
2021-05-06 13:41:44 +10:00
|
|
|
item->data = SPA_PTROFF(item, sizeof(struct invoke_item), void);
|
2021-07-19 09:53:23 +02:00
|
|
|
if (l0 < sizeof(struct invoke_item) + item->item_size) {
|
|
|
|
|
/* not enough space for next invoke_item, fill up till the end
|
|
|
|
|
* so that the next item will be at the start */
|
2020-11-16 15:16:20 +01:00
|
|
|
item->item_size = l0;
|
2021-07-19 09:53:23 +02:00
|
|
|
}
|
2020-11-16 15:16:20 +01:00
|
|
|
} else {
|
2021-07-19 09:53:23 +02:00
|
|
|
/* item does not fit, place the invoke_item at idx and start the
|
|
|
|
|
* data at the start of the ringbuffer */
|
2020-11-16 15:16:20 +01:00
|
|
|
item->data = impl->buffer_data;
|
2022-01-03 11:14:15 +01:00
|
|
|
item->item_size = SPA_ROUND_UP_N(l0 + size, ITEM_ALIGN);
|
2020-11-16 15:16:20 +01:00
|
|
|
}
|
2021-07-19 09:53:23 +02:00
|
|
|
if (avail < item->item_size) {
|
2021-09-27 15:31:35 +10:00
|
|
|
spa_log_warn(impl->log, "%p: queue full %d, need %zd", impl, avail,
|
2021-07-19 09:53:23 +02:00
|
|
|
item->item_size);
|
|
|
|
|
return -EPIPE;
|
|
|
|
|
}
|
2020-12-21 20:46:13 +01:00
|
|
|
if (data && size > 0)
|
|
|
|
|
memcpy(item->data, data, size);
|
2017-06-14 16:10:07 +02:00
|
|
|
|
2020-11-16 15:16:20 +01:00
|
|
|
spa_ringbuffer_write_update(&impl->buffer, idx + item->item_size);
|
2017-06-14 16:10:07 +02:00
|
|
|
|
2021-07-26 11:39:48 +02:00
|
|
|
loop_signal_event(impl, impl->wakeup);
|
2017-06-14 16:10:07 +02:00
|
|
|
|
2021-07-26 11:39:48 +02:00
|
|
|
if (block) {
|
2020-11-16 15:16:20 +01:00
|
|
|
uint64_t count = 1;
|
2018-04-19 22:01:18 +02:00
|
|
|
|
2020-11-16 15:16:20 +01:00
|
|
|
spa_loop_control_hook_before(&impl->hooks_list);
|
2018-04-19 22:01:18 +02:00
|
|
|
|
2020-11-16 15:16:20 +01:00
|
|
|
if ((res = spa_system_eventfd_read(impl->system, impl->ack_fd, &count)) < 0)
|
2022-11-08 15:45:55 +01:00
|
|
|
spa_log_warn(impl->log, "%p: failed to read event fd:%d: %s",
|
|
|
|
|
impl, impl->ack_fd, spa_strerror(res));
|
2017-11-14 15:44:48 +01:00
|
|
|
|
2020-11-16 15:16:20 +01:00
|
|
|
spa_loop_control_hook_after(&impl->hooks_list);
|
2018-04-19 22:01:18 +02:00
|
|
|
|
2020-11-16 15:16:20 +01:00
|
|
|
res = item->res;
|
|
|
|
|
}
|
|
|
|
|
else {
|
|
|
|
|
if (seq != SPA_ID_INVALID)
|
|
|
|
|
res = SPA_RESULT_RETURN_ASYNC(seq);
|
|
|
|
|
else
|
|
|
|
|
res = 0;
|
2017-06-14 16:10:07 +02:00
|
|
|
}
|
|
|
|
|
return res;
|
|
|
|
|
}
|
|
|
|
|
|
2017-08-11 19:16:30 +02:00
|
|
|
static void wakeup_func(void *data, uint64_t count)
|
2017-06-14 16:10:07 +02:00
|
|
|
{
|
|
|
|
|
struct impl *impl = data;
|
2020-11-13 16:50:23 +01:00
|
|
|
flush_items(impl);
|
2017-06-14 16:10:07 +02:00
|
|
|
}
|
|
|
|
|
|
2019-05-20 16:11:23 +02:00
|
|
|
static int loop_get_fd(void *object)
|
2017-06-14 16:10:07 +02:00
|
|
|
{
|
2019-05-20 16:11:23 +02:00
|
|
|
struct impl *impl = object;
|
2019-06-06 15:21:40 +02:00
|
|
|
return impl->poll_fd;
|
2017-06-14 16:10:07 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static void
|
2019-05-20 16:11:23 +02:00
|
|
|
loop_add_hook(void *object,
|
|
|
|
|
struct spa_hook *hook,
|
|
|
|
|
const struct spa_loop_control_hooks *hooks,
|
|
|
|
|
void *data)
|
2017-06-14 16:10:07 +02:00
|
|
|
{
|
2019-05-20 16:11:23 +02:00
|
|
|
struct impl *impl = object;
|
2023-05-06 00:24:05 +02:00
|
|
|
spa_return_if_fail(SPA_CALLBACK_CHECK(hooks, before, 0));
|
|
|
|
|
spa_return_if_fail(SPA_CALLBACK_CHECK(hooks, after, 0));
|
2017-08-08 16:56:29 +02:00
|
|
|
spa_hook_list_append(&impl->hooks_list, hook, hooks, data);
|
2017-06-14 16:10:07 +02:00
|
|
|
}
|
|
|
|
|
|
2019-05-20 16:11:23 +02:00
|
|
|
static void loop_enter(void *object)
|
2017-06-14 16:10:07 +02:00
|
|
|
{
|
2019-05-20 16:11:23 +02:00
|
|
|
struct impl *impl = object;
|
2022-02-08 10:58:36 +01:00
|
|
|
pthread_t thread_id = pthread_self();
|
|
|
|
|
|
|
|
|
|
if (impl->enter_count == 0) {
|
|
|
|
|
spa_return_if_fail(impl->thread == 0);
|
|
|
|
|
impl->thread = thread_id;
|
|
|
|
|
impl->enter_count = 1;
|
|
|
|
|
} else {
|
|
|
|
|
spa_return_if_fail(impl->enter_count > 0);
|
2023-04-04 12:43:25 +02:00
|
|
|
spa_return_if_fail(pthread_equal(impl->thread, thread_id));
|
2022-02-08 10:58:36 +01:00
|
|
|
impl->enter_count++;
|
|
|
|
|
}
|
2023-05-05 17:41:13 +02:00
|
|
|
spa_log_trace_fp(impl->log, "%p: enter %p", impl, (void *) impl->thread);
|
2017-06-14 16:10:07 +02:00
|
|
|
}
|
|
|
|
|
|
2019-05-20 16:11:23 +02:00
|
|
|
static void loop_leave(void *object)
|
2017-06-14 16:10:07 +02:00
|
|
|
{
|
2019-05-20 16:11:23 +02:00
|
|
|
struct impl *impl = object;
|
2022-02-08 10:58:36 +01:00
|
|
|
pthread_t thread_id = pthread_self();
|
|
|
|
|
|
|
|
|
|
spa_return_if_fail(impl->enter_count > 0);
|
2023-04-04 12:43:25 +02:00
|
|
|
spa_return_if_fail(pthread_equal(impl->thread, thread_id));
|
2022-02-08 10:58:36 +01:00
|
|
|
|
2023-05-05 17:41:13 +02:00
|
|
|
spa_log_trace_fp(impl->log, "%p: leave %p", impl, (void *) impl->thread);
|
2022-02-08 10:58:36 +01:00
|
|
|
|
2022-03-07 10:27:22 +01:00
|
|
|
if (--impl->enter_count == 0) {
|
2022-02-08 10:58:36 +01:00
|
|
|
impl->thread = 0;
|
2022-08-09 20:38:06 +02:00
|
|
|
flush_items(impl);
|
2022-03-07 10:27:22 +01:00
|
|
|
impl->polling = false;
|
|
|
|
|
}
|
2017-06-14 16:10:07 +02:00
|
|
|
}
|
|
|
|
|
|
2023-03-31 18:40:57 +02:00
|
|
|
static int loop_check(void *object)
|
|
|
|
|
{
|
|
|
|
|
struct impl *impl = object;
|
|
|
|
|
pthread_t thread_id = pthread_self();
|
|
|
|
|
return (impl->thread == 0 || pthread_equal(impl->thread, thread_id)) ? 1 : 0;
|
|
|
|
|
}
|
|
|
|
|
|
spa: support: loop: fix use-after-free when loop is reentered
The core of the issue is the following: what happens if an
active source is destroyed before it could be dispatched?
For loop-managed sources (`struct source_impl`) this was addressed
by storing all destroyed sources in a list, and only freeing them
after dispatching has been finished. (0eb73f0f06a2e40362990080007db295141f6f1f)
This approach works for both strictly single-threaded
and `pw_thread_loop` loops assuming the loop is not
reentered.
However, if the loop is reentered, there can still be issues.
Assume that in one iteration sources A and B are active,
and returned from the system call, and source B is destroyed
before the loop starts dispatching. Consider what happens when
"A" is dispatched first, and it reenters the loop with timeout 0.
Imagine there are no new events, so `loop_iterate()` will immediately
return, but it will first destroy everything in the destroy list
(this is done at the end of `loop_iterate()`).
And herein lies the problem. In the previous iteration,
there exists a `spa_poll_event` object which points to source "B",
but that has just been destroyed at the end of the recursive
iteration. This will trigger a use-after-free once the previous
iteration inspects it.
Fix that by processing the destroy list right after first
processing the returned `spa_poll_event` objects, and
"detach" the source from the loop and its iterations
in `process_destroy()` before the source is destroyed.
See #2114 #2147
2022-02-19 13:31:01 +01:00
|
|
|
static inline void free_source(struct source_impl *s)
|
|
|
|
|
{
|
|
|
|
|
detach_source(&s->source);
|
|
|
|
|
free(s);
|
|
|
|
|
}
|
|
|
|
|
|
2022-02-18 18:36:36 +01:00
|
|
|
static inline void process_destroy(struct impl *impl)
|
|
|
|
|
{
|
|
|
|
|
struct source_impl *source, *tmp;
|
spa: support: loop: fix use-after-free when loop is reentered
The core of the issue is the following: what happens if an
active source is destroyed before it could be dispatched?
For loop-managed sources (`struct source_impl`) this was addressed
by storing all destroyed sources in a list, and only freeing them
after dispatching has been finished. (0eb73f0f06a2e40362990080007db295141f6f1f)
This approach works for both strictly single-threaded
and `pw_thread_loop` loops assuming the loop is not
reentered.
However, if the loop is reentered, there can still be issues.
Assume that in one iteration sources A and B are active,
and returned from the system call, and source B is destroyed
before the loop starts dispatching. Consider what happens when
"A" is dispatched first, and it reenters the loop with timeout 0.
Imagine there are no new events, so `loop_iterate()` will immediately
return, but it will first destroy everything in the destroy list
(this is done at the end of `loop_iterate()`).
And herein lies the problem. In the previous iteration,
there exists a `spa_poll_event` object which points to source "B",
but that has just been destroyed at the end of the recursive
iteration. This will trigger a use-after-free once the previous
iteration inspects it.
Fix that by processing the destroy list right after first
processing the returned `spa_poll_event` objects, and
"detach" the source from the loop and its iterations
in `process_destroy()` before the source is destroyed.
See #2114 #2147
2022-02-19 13:31:01 +01:00
|
|
|
|
2022-02-18 18:36:36 +01:00
|
|
|
spa_list_for_each_safe(source, tmp, &impl->destroy_list, link)
|
spa: support: loop: fix use-after-free when loop is reentered
The core of the issue is the following: what happens if an
active source is destroyed before it could be dispatched?
For loop-managed sources (`struct source_impl`) this was addressed
by storing all destroyed sources in a list, and only freeing them
after dispatching has been finished. (0eb73f0f06a2e40362990080007db295141f6f1f)
This approach works for both strictly single-threaded
and `pw_thread_loop` loops assuming the loop is not
reentered.
However, if the loop is reentered, there can still be issues.
Assume that in one iteration sources A and B are active,
and returned from the system call, and source B is destroyed
before the loop starts dispatching. Consider what happens when
"A" is dispatched first, and it reenters the loop with timeout 0.
Imagine there are no new events, so `loop_iterate()` will immediately
return, but it will first destroy everything in the destroy list
(this is done at the end of `loop_iterate()`).
And herein lies the problem. In the previous iteration,
there exists a `spa_poll_event` object which points to source "B",
but that has just been destroyed at the end of the recursive
iteration. This will trigger a use-after-free once the previous
iteration inspects it.
Fix that by processing the destroy list right after first
processing the returned `spa_poll_event` objects, and
"detach" the source from the loop and its iterations
in `process_destroy()` before the source is destroyed.
See #2114 #2147
2022-02-19 13:31:01 +01:00
|
|
|
free_source(source);
|
|
|
|
|
|
2022-02-18 18:36:36 +01:00
|
|
|
spa_list_init(&impl->destroy_list);
|
|
|
|
|
}
|
|
|
|
|
|
2022-06-01 16:36:56 +02:00
|
|
|
struct cancellation_handler_data {
|
|
|
|
|
struct spa_poll_event *ep;
|
|
|
|
|
int ep_count;
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
static void cancellation_handler(void *closure)
|
|
|
|
|
{
|
|
|
|
|
const struct cancellation_handler_data *data = closure;
|
|
|
|
|
|
|
|
|
|
for (int i = 0; i < data->ep_count; i++) {
|
|
|
|
|
struct spa_source *s = data->ep[i].data;
|
|
|
|
|
if (SPA_LIKELY(s)) {
|
|
|
|
|
s->rmask = 0;
|
|
|
|
|
s->priv = NULL;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2023-05-05 17:41:37 +02:00
|
|
|
static int loop_iterate_cancel(void *object, int timeout)
|
2017-06-14 16:10:07 +02:00
|
|
|
{
|
2019-05-20 16:11:23 +02:00
|
|
|
struct impl *impl = object;
|
2022-02-08 17:21:10 +01:00
|
|
|
struct spa_poll_event ep[MAX_EP], *e;
|
2019-06-20 17:31:29 +02:00
|
|
|
int i, nfds;
|
2017-06-14 16:10:07 +02:00
|
|
|
|
2022-02-19 11:44:04 +01:00
|
|
|
impl->polling = true;
|
2020-09-16 13:20:19 +02:00
|
|
|
spa_loop_control_hook_before(&impl->hooks_list);
|
2017-06-14 16:10:07 +02:00
|
|
|
|
2022-02-21 17:28:43 +01:00
|
|
|
nfds = spa_system_pollfd_wait(impl->system, impl->poll_fd, ep, SPA_N_ELEMENTS(ep), timeout);
|
2017-06-14 16:10:07 +02:00
|
|
|
|
2020-09-16 13:20:19 +02:00
|
|
|
spa_loop_control_hook_after(&impl->hooks_list);
|
2022-02-19 11:44:04 +01:00
|
|
|
impl->polling = false;
|
2017-06-14 16:10:07 +02:00
|
|
|
|
2022-06-01 16:36:56 +02:00
|
|
|
struct cancellation_handler_data cdata = { ep, nfds };
|
|
|
|
|
pthread_cleanup_push(cancellation_handler, &cdata);
|
|
|
|
|
|
2017-06-14 16:10:07 +02:00
|
|
|
/* first we set all the rmasks, then call the callbacks. The reason is that
|
|
|
|
|
* some callback might also want to look at other sources it manages and
|
|
|
|
|
* can then reset the rmask to suppress the callback */
|
|
|
|
|
for (i = 0; i < nfds; i++) {
|
2019-06-06 15:21:40 +02:00
|
|
|
struct spa_source *s = ep[i].data;
|
2022-03-06 14:56:29 +01:00
|
|
|
|
|
|
|
|
spa_assert(s->loop == &impl->loop);
|
|
|
|
|
|
2022-02-08 17:21:10 +01:00
|
|
|
s->rmask = ep[i].events;
|
|
|
|
|
/* already active in another iteration of the loop,
|
|
|
|
|
* remove it from that iteration */
|
|
|
|
|
if (SPA_UNLIKELY(e = s->priv))
|
|
|
|
|
e->data = NULL;
|
|
|
|
|
s->priv = &ep[i];
|
2017-06-14 16:10:07 +02:00
|
|
|
}
|
spa: support: loop: fix use-after-free when loop is reentered
The core of the issue is the following: what happens if an
active source is destroyed before it could be dispatched?
For loop-managed sources (`struct source_impl`) this was addressed
by storing all destroyed sources in a list, and only freeing them
after dispatching has been finished. (0eb73f0f06a2e40362990080007db295141f6f1f)
This approach works for both strictly single-threaded
and `pw_thread_loop` loops assuming the loop is not
reentered.
However, if the loop is reentered, there can still be issues.
Assume that in one iteration sources A and B are active,
and returned from the system call, and source B is destroyed
before the loop starts dispatching. Consider what happens when
"A" is dispatched first, and it reenters the loop with timeout 0.
Imagine there are no new events, so `loop_iterate()` will immediately
return, but it will first destroy everything in the destroy list
(this is done at the end of `loop_iterate()`).
And herein lies the problem. In the previous iteration,
there exists a `spa_poll_event` object which points to source "B",
but that has just been destroyed at the end of the recursive
iteration. This will trigger a use-after-free once the previous
iteration inspects it.
Fix that by processing the destroy list right after first
processing the returned `spa_poll_event` objects, and
"detach" the source from the loop and its iterations
in `process_destroy()` before the source is destroyed.
See #2114 #2147
2022-02-19 13:31:01 +01:00
|
|
|
|
|
|
|
|
if (SPA_UNLIKELY(!spa_list_is_empty(&impl->destroy_list)))
|
|
|
|
|
process_destroy(impl);
|
|
|
|
|
|
2017-06-14 16:10:07 +02:00
|
|
|
for (i = 0; i < nfds; i++) {
|
2019-06-06 15:21:40 +02:00
|
|
|
struct spa_source *s = ep[i].data;
|
spa: support: loop: fix use-after-free when loop is reentered
The core of the issue is the following: what happens if an
active source is destroyed before it could be dispatched?
For loop-managed sources (`struct source_impl`) this was addressed
by storing all destroyed sources in a list, and only freeing them
after dispatching has been finished. (0eb73f0f06a2e40362990080007db295141f6f1f)
This approach works for both strictly single-threaded
and `pw_thread_loop` loops assuming the loop is not
reentered.
However, if the loop is reentered, there can still be issues.
Assume that in one iteration sources A and B are active,
and returned from the system call, and source B is destroyed
before the loop starts dispatching. Consider what happens when
"A" is dispatched first, and it reenters the loop with timeout 0.
Imagine there are no new events, so `loop_iterate()` will immediately
return, but it will first destroy everything in the destroy list
(this is done at the end of `loop_iterate()`).
And herein lies the problem. In the previous iteration,
there exists a `spa_poll_event` object which points to source "B",
but that has just been destroyed at the end of the recursive
iteration. This will trigger a use-after-free once the previous
iteration inspects it.
Fix that by processing the destroy list right after first
processing the returned `spa_poll_event` objects, and
"detach" the source from the loop and its iterations
in `process_destroy()` before the source is destroyed.
See #2114 #2147
2022-02-19 13:31:01 +01:00
|
|
|
if (SPA_LIKELY(s && s->rmask))
|
2017-06-14 16:10:07 +02:00
|
|
|
s->func(s);
|
2022-02-19 09:42:49 +01:00
|
|
|
}
|
spa: support: loop: fix use-after-free when loop is reentered
The core of the issue is the following: what happens if an
active source is destroyed before it could be dispatched?
For loop-managed sources (`struct source_impl`) this was addressed
by storing all destroyed sources in a list, and only freeing them
after dispatching has been finished. (0eb73f0f06a2e40362990080007db295141f6f1f)
This approach works for both strictly single-threaded
and `pw_thread_loop` loops assuming the loop is not
reentered.
However, if the loop is reentered, there can still be issues.
Assume that in one iteration sources A and B are active,
and returned from the system call, and source B is destroyed
before the loop starts dispatching. Consider what happens when
"A" is dispatched first, and it reenters the loop with timeout 0.
Imagine there are no new events, so `loop_iterate()` will immediately
return, but it will first destroy everything in the destroy list
(this is done at the end of `loop_iterate()`).
And herein lies the problem. In the previous iteration,
there exists a `spa_poll_event` object which points to source "B",
but that has just been destroyed at the end of the recursive
iteration. This will trigger a use-after-free once the previous
iteration inspects it.
Fix that by processing the destroy list right after first
processing the returned `spa_poll_event` objects, and
"detach" the source from the loop and its iterations
in `process_destroy()` before the source is destroyed.
See #2114 #2147
2022-02-19 13:31:01 +01:00
|
|
|
|
2022-06-01 16:36:56 +02:00
|
|
|
pthread_cleanup_pop(true);
|
2022-02-18 18:36:36 +01:00
|
|
|
|
2018-06-01 11:16:53 +02:00
|
|
|
return nfds;
|
2017-06-14 16:10:07 +02:00
|
|
|
}
|
|
|
|
|
|
2023-05-05 17:41:37 +02:00
|
|
|
static int loop_iterate(void *object, int timeout)
|
|
|
|
|
{
|
|
|
|
|
struct impl *impl = object;
|
|
|
|
|
struct spa_poll_event ep[MAX_EP], *e;
|
|
|
|
|
int i, nfds;
|
|
|
|
|
|
|
|
|
|
impl->polling = true;
|
|
|
|
|
spa_loop_control_hook_before(&impl->hooks_list);
|
|
|
|
|
|
|
|
|
|
nfds = spa_system_pollfd_wait(impl->system, impl->poll_fd, ep, SPA_N_ELEMENTS(ep), timeout);
|
|
|
|
|
|
|
|
|
|
spa_loop_control_hook_after(&impl->hooks_list);
|
|
|
|
|
impl->polling = false;
|
|
|
|
|
|
|
|
|
|
/* first we set all the rmasks, then call the callbacks. The reason is that
|
|
|
|
|
* some callback might also want to look at other sources it manages and
|
|
|
|
|
* can then reset the rmask to suppress the callback */
|
|
|
|
|
for (i = 0; i < nfds; i++) {
|
|
|
|
|
struct spa_source *s = ep[i].data;
|
|
|
|
|
|
|
|
|
|
s->rmask = ep[i].events;
|
|
|
|
|
/* already active in another iteration of the loop,
|
|
|
|
|
* remove it from that iteration */
|
|
|
|
|
if (SPA_UNLIKELY(e = s->priv))
|
|
|
|
|
e->data = NULL;
|
|
|
|
|
s->priv = &ep[i];
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (SPA_UNLIKELY(!spa_list_is_empty(&impl->destroy_list)))
|
|
|
|
|
process_destroy(impl);
|
|
|
|
|
|
2023-05-05 18:36:08 +02:00
|
|
|
for (i = 0; i < nfds; i++) {
|
|
|
|
|
struct spa_source *s = ep[i].data;
|
|
|
|
|
if (SPA_LIKELY(s && s->rmask))
|
|
|
|
|
s->func(s);
|
|
|
|
|
}
|
2023-05-05 17:41:37 +02:00
|
|
|
for (i = 0; i < nfds; i++) {
|
|
|
|
|
struct spa_source *s = ep[i].data;
|
|
|
|
|
if (SPA_LIKELY(s)) {
|
|
|
|
|
s->rmask = 0;
|
|
|
|
|
s->priv = NULL;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
return nfds;
|
|
|
|
|
}
|
|
|
|
|
|
2017-06-14 16:10:07 +02:00
|
|
|
static void source_io_func(struct spa_source *source)
|
|
|
|
|
{
|
2022-02-21 16:24:34 +01:00
|
|
|
struct source_impl *s = SPA_CONTAINER_OF(source, struct source_impl, source);
|
|
|
|
|
spa_log_trace_fp(s->impl->log, "%p: io %08x", s, source->rmask);
|
|
|
|
|
s->func.io(source->data, source->fd, source->rmask);
|
2017-06-14 16:10:07 +02:00
|
|
|
}
|
|
|
|
|
|
2019-05-20 16:11:23 +02:00
|
|
|
static struct spa_source *loop_add_io(void *object,
|
2017-06-14 16:10:07 +02:00
|
|
|
int fd,
|
2019-06-06 15:21:40 +02:00
|
|
|
uint32_t mask,
|
2017-06-14 16:10:07 +02:00
|
|
|
bool close, spa_source_io_func_t func, void *data)
|
|
|
|
|
{
|
2019-05-20 16:11:23 +02:00
|
|
|
struct impl *impl = object;
|
2017-06-14 16:10:07 +02:00
|
|
|
struct source_impl *source;
|
2019-06-20 17:31:29 +02:00
|
|
|
int res;
|
2017-06-14 16:10:07 +02:00
|
|
|
|
|
|
|
|
source = calloc(1, sizeof(struct source_impl));
|
|
|
|
|
if (source == NULL)
|
2019-06-20 17:31:29 +02:00
|
|
|
goto error_exit;
|
2017-06-14 16:10:07 +02:00
|
|
|
|
|
|
|
|
source->source.func = source_io_func;
|
|
|
|
|
source->source.data = data;
|
|
|
|
|
source->source.fd = fd;
|
|
|
|
|
source->source.mask = mask;
|
|
|
|
|
source->impl = impl;
|
|
|
|
|
source->close = close;
|
|
|
|
|
source->func.io = func;
|
|
|
|
|
|
2020-04-14 18:05:45 +02:00
|
|
|
if ((res = loop_add_source(impl, &source->source)) < 0) {
|
|
|
|
|
if (res != -EPERM)
|
|
|
|
|
goto error_exit_free;
|
|
|
|
|
|
|
|
|
|
/* file fds (stdin/stdout/...) give EPERM in epoll. Those fds always
|
|
|
|
|
* return from epoll with the mask set, so we can handle this with
|
|
|
|
|
* an idle source */
|
|
|
|
|
source->source.rmask = mask;
|
|
|
|
|
source->fallback = spa_loop_utils_add_idle(&impl->utils,
|
|
|
|
|
mask & (SPA_IO_IN | SPA_IO_OUT) ? true : false,
|
|
|
|
|
(spa_source_idle_func_t) source_io_func, source);
|
2021-09-27 15:31:35 +10:00
|
|
|
spa_log_trace(impl->log, "%p: adding fallback %p", impl,
|
2020-04-14 18:05:45 +02:00
|
|
|
source->fallback);
|
|
|
|
|
}
|
2017-06-14 16:10:07 +02:00
|
|
|
|
|
|
|
|
spa_list_insert(&impl->source_list, &source->link);
|
|
|
|
|
|
2019-06-20 17:31:29 +02:00
|
|
|
return &source->source;
|
|
|
|
|
|
|
|
|
|
error_exit_free:
|
|
|
|
|
free(source);
|
|
|
|
|
errno = -res;
|
|
|
|
|
error_exit:
|
|
|
|
|
return NULL;
|
2017-06-14 16:10:07 +02:00
|
|
|
}
|
|
|
|
|
|
2019-06-06 15:21:40 +02:00
|
|
|
static int loop_update_io(void *object, struct spa_source *source, uint32_t mask)
|
2017-06-14 16:10:07 +02:00
|
|
|
{
|
2020-04-14 18:05:45 +02:00
|
|
|
struct impl *impl = object;
|
|
|
|
|
struct source_impl *s = SPA_CONTAINER_OF(source, struct source_impl, source);
|
|
|
|
|
int res;
|
2022-02-19 19:38:08 +01:00
|
|
|
|
2022-02-19 14:12:44 +01:00
|
|
|
spa_assert(s->impl == object);
|
2022-02-19 19:17:42 +01:00
|
|
|
spa_assert(source->func == source_io_func);
|
2022-02-19 14:12:44 +01:00
|
|
|
|
2022-02-19 19:38:08 +01:00
|
|
|
spa_log_trace(impl->log, "%p: update %08x -> %08x", s, source->mask, mask);
|
2017-06-14 16:10:07 +02:00
|
|
|
source->mask = mask;
|
2022-02-19 19:38:08 +01:00
|
|
|
|
2020-04-14 18:05:45 +02:00
|
|
|
if (s->fallback)
|
|
|
|
|
res = spa_loop_utils_enable_idle(&impl->utils, s->fallback,
|
|
|
|
|
mask & (SPA_IO_IN | SPA_IO_OUT) ? true : false);
|
|
|
|
|
else
|
|
|
|
|
res = loop_update_source(object, source);
|
|
|
|
|
return res;
|
2017-06-14 16:10:07 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static void source_idle_func(struct spa_source *source)
|
|
|
|
|
{
|
2022-02-21 16:24:34 +01:00
|
|
|
struct source_impl *s = SPA_CONTAINER_OF(source, struct source_impl, source);
|
|
|
|
|
s->func.idle(source->data);
|
2017-06-14 16:10:07 +02:00
|
|
|
}
|
|
|
|
|
|
2019-06-19 18:15:04 +02:00
|
|
|
static int loop_enable_idle(void *object, struct spa_source *source, bool enabled)
|
2019-05-23 15:11:49 +02:00
|
|
|
{
|
2022-02-21 16:24:34 +01:00
|
|
|
struct source_impl *s = SPA_CONTAINER_OF(source, struct source_impl, source);
|
2019-06-19 18:15:04 +02:00
|
|
|
int res = 0;
|
2019-05-23 15:11:49 +02:00
|
|
|
|
2022-02-19 14:12:44 +01:00
|
|
|
spa_assert(s->impl == object);
|
2022-02-19 19:17:42 +01:00
|
|
|
spa_assert(source->func == source_idle_func);
|
2022-02-19 14:12:44 +01:00
|
|
|
|
2022-02-21 16:24:34 +01:00
|
|
|
if (enabled && !s->enabled) {
|
|
|
|
|
if ((res = spa_system_eventfd_write(s->impl->system, source->fd, 1)) < 0)
|
2022-11-08 15:45:55 +01:00
|
|
|
spa_log_warn(s->impl->log, "%p: failed to write idle fd:%d: %s",
|
2019-06-04 17:07:34 +02:00
|
|
|
source, source->fd, spa_strerror(res));
|
2022-02-21 16:24:34 +01:00
|
|
|
} else if (!enabled && s->enabled) {
|
2019-06-04 17:07:34 +02:00
|
|
|
uint64_t count;
|
2022-02-21 16:24:34 +01:00
|
|
|
if ((res = spa_system_eventfd_read(s->impl->system, source->fd, &count)) < 0)
|
2022-11-08 15:45:55 +01:00
|
|
|
spa_log_warn(s->impl->log, "%p: failed to read idle fd:%d: %s",
|
2019-06-04 17:07:34 +02:00
|
|
|
source, source->fd, spa_strerror(res));
|
2019-05-23 15:11:49 +02:00
|
|
|
}
|
2022-02-21 16:24:34 +01:00
|
|
|
s->enabled = enabled;
|
2019-06-19 18:15:04 +02:00
|
|
|
return res;
|
2019-05-23 15:11:49 +02:00
|
|
|
}
|
2020-04-14 18:05:45 +02:00
|
|
|
|
2019-05-20 16:11:23 +02:00
|
|
|
static struct spa_source *loop_add_idle(void *object,
|
2017-06-14 16:10:07 +02:00
|
|
|
bool enabled, spa_source_idle_func_t func, void *data)
|
|
|
|
|
{
|
2019-05-20 16:11:23 +02:00
|
|
|
struct impl *impl = object;
|
2017-06-14 16:10:07 +02:00
|
|
|
struct source_impl *source;
|
2019-06-20 17:31:29 +02:00
|
|
|
int res;
|
2017-06-14 16:10:07 +02:00
|
|
|
|
|
|
|
|
source = calloc(1, sizeof(struct source_impl));
|
|
|
|
|
if (source == NULL)
|
2019-06-20 17:31:29 +02:00
|
|
|
goto error_exit;
|
|
|
|
|
|
|
|
|
|
if ((res = spa_system_eventfd_create(impl->system, SPA_FD_CLOEXEC | SPA_FD_NONBLOCK)) < 0)
|
|
|
|
|
goto error_exit_free;
|
2017-06-14 16:10:07 +02:00
|
|
|
|
|
|
|
|
source->source.func = source_idle_func;
|
|
|
|
|
source->source.data = data;
|
2019-06-20 17:31:29 +02:00
|
|
|
source->source.fd = res;
|
2017-06-14 16:10:07 +02:00
|
|
|
source->impl = impl;
|
|
|
|
|
source->close = true;
|
|
|
|
|
source->source.mask = SPA_IO_IN;
|
|
|
|
|
source->func.idle = func;
|
|
|
|
|
|
2019-06-20 17:31:29 +02:00
|
|
|
if ((res = loop_add_source(impl, &source->source)) < 0)
|
|
|
|
|
goto error_exit_close;
|
2017-06-14 16:10:07 +02:00
|
|
|
|
|
|
|
|
spa_list_insert(&impl->source_list, &source->link);
|
|
|
|
|
|
|
|
|
|
if (enabled)
|
2019-05-23 15:11:49 +02:00
|
|
|
loop_enable_idle(impl, &source->source, true);
|
2017-06-14 16:10:07 +02:00
|
|
|
|
2019-06-20 17:31:29 +02:00
|
|
|
return &source->source;
|
2019-06-07 10:11:23 +02:00
|
|
|
|
2019-06-20 17:31:29 +02:00
|
|
|
error_exit_close:
|
|
|
|
|
spa_system_close(impl->system, source->source.fd);
|
|
|
|
|
error_exit_free:
|
2019-06-07 10:11:23 +02:00
|
|
|
free(source);
|
2019-06-20 17:31:29 +02:00
|
|
|
errno = -res;
|
|
|
|
|
error_exit:
|
|
|
|
|
return NULL;
|
2017-06-14 16:10:07 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static void source_event_func(struct spa_source *source)
|
|
|
|
|
{
|
2022-02-21 16:24:34 +01:00
|
|
|
struct source_impl *s = SPA_CONTAINER_OF(source, struct source_impl, source);
|
2021-03-27 19:23:34 +01:00
|
|
|
uint64_t count = 0;
|
2019-06-04 17:07:34 +02:00
|
|
|
int res;
|
2017-06-14 16:10:07 +02:00
|
|
|
|
2022-12-01 19:52:23 +01:00
|
|
|
if ((res = spa_system_eventfd_read(s->impl->system, source->fd, &count)) < 0) {
|
|
|
|
|
if (res != -EAGAIN)
|
|
|
|
|
spa_log_warn(s->impl->log, "%p: failed to read event fd:%d: %s",
|
|
|
|
|
source, source->fd, spa_strerror(res));
|
|
|
|
|
return;
|
|
|
|
|
}
|
2022-02-21 16:24:34 +01:00
|
|
|
s->func.event(source->data, count);
|
2017-06-14 16:10:07 +02:00
|
|
|
}
|
|
|
|
|
|
2019-05-20 16:11:23 +02:00
|
|
|
static struct spa_source *loop_add_event(void *object,
|
2017-06-14 16:10:07 +02:00
|
|
|
spa_source_event_func_t func, void *data)
|
|
|
|
|
{
|
2019-05-20 16:11:23 +02:00
|
|
|
struct impl *impl = object;
|
2017-06-14 16:10:07 +02:00
|
|
|
struct source_impl *source;
|
2019-06-20 17:31:29 +02:00
|
|
|
int res;
|
2017-06-14 16:10:07 +02:00
|
|
|
|
|
|
|
|
source = calloc(1, sizeof(struct source_impl));
|
|
|
|
|
if (source == NULL)
|
2019-06-20 17:31:29 +02:00
|
|
|
goto error_exit;
|
|
|
|
|
|
|
|
|
|
if ((res = spa_system_eventfd_create(impl->system, SPA_FD_CLOEXEC | SPA_FD_NONBLOCK)) < 0)
|
|
|
|
|
goto error_exit_free;
|
2017-06-14 16:10:07 +02:00
|
|
|
|
|
|
|
|
source->source.func = source_event_func;
|
|
|
|
|
source->source.data = data;
|
2019-06-20 17:31:29 +02:00
|
|
|
source->source.fd = res;
|
2017-06-14 16:10:07 +02:00
|
|
|
source->source.mask = SPA_IO_IN;
|
|
|
|
|
source->impl = impl;
|
|
|
|
|
source->close = true;
|
|
|
|
|
source->func.event = func;
|
|
|
|
|
|
2019-06-20 17:31:29 +02:00
|
|
|
if ((res = loop_add_source(impl, &source->source)) < 0)
|
|
|
|
|
goto error_exit_close;
|
2017-06-14 16:10:07 +02:00
|
|
|
|
|
|
|
|
spa_list_insert(&impl->source_list, &source->link);
|
|
|
|
|
|
2019-06-20 17:31:29 +02:00
|
|
|
return &source->source;
|
2019-06-07 10:11:23 +02:00
|
|
|
|
2019-06-20 17:31:29 +02:00
|
|
|
error_exit_close:
|
|
|
|
|
spa_system_close(impl->system, source->source.fd);
|
|
|
|
|
error_exit_free:
|
2019-06-07 10:11:23 +02:00
|
|
|
free(source);
|
2019-06-20 17:31:29 +02:00
|
|
|
errno = -res;
|
|
|
|
|
error_exit:
|
|
|
|
|
return NULL;
|
2017-06-14 16:10:07 +02:00
|
|
|
}
|
|
|
|
|
|
2019-06-19 18:15:04 +02:00
|
|
|
static int loop_signal_event(void *object, struct spa_source *source)
|
2017-06-14 16:10:07 +02:00
|
|
|
{
|
2022-02-21 16:24:34 +01:00
|
|
|
struct source_impl *s = SPA_CONTAINER_OF(source, struct source_impl, source);
|
2019-06-04 17:07:34 +02:00
|
|
|
int res;
|
2017-06-14 16:10:07 +02:00
|
|
|
|
2022-02-19 14:12:44 +01:00
|
|
|
spa_assert(s->impl == object);
|
2022-02-19 19:17:42 +01:00
|
|
|
spa_assert(source->func == source_event_func);
|
2022-02-19 14:12:44 +01:00
|
|
|
|
2022-02-21 16:24:34 +01:00
|
|
|
if (SPA_UNLIKELY((res = spa_system_eventfd_write(s->impl->system, source->fd, 1)) < 0))
|
2022-11-08 15:45:55 +01:00
|
|
|
spa_log_warn(s->impl->log, "%p: failed to write event fd:%d: %s",
|
2019-06-04 17:07:34 +02:00
|
|
|
source, source->fd, spa_strerror(res));
|
2019-06-19 18:15:04 +02:00
|
|
|
return res;
|
2017-06-14 16:10:07 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static void source_timer_func(struct spa_source *source)
|
|
|
|
|
{
|
2022-02-21 16:24:34 +01:00
|
|
|
struct source_impl *s = SPA_CONTAINER_OF(source, struct source_impl, source);
|
2021-03-27 19:23:34 +01:00
|
|
|
uint64_t expirations = 0;
|
2019-06-04 17:07:34 +02:00
|
|
|
int res;
|
2017-06-14 16:10:07 +02:00
|
|
|
|
2022-02-21 16:24:34 +01:00
|
|
|
if (SPA_UNLIKELY((res = spa_system_timerfd_read(s->impl->system,
|
2022-12-01 19:52:23 +01:00
|
|
|
source->fd, &expirations)) < 0)) {
|
|
|
|
|
if (res != -EAGAIN)
|
|
|
|
|
spa_log_warn(s->impl->log, "%p: failed to read timer fd:%d: %s",
|
|
|
|
|
source, source->fd, spa_strerror(res));
|
|
|
|
|
return;
|
|
|
|
|
}
|
2022-02-21 16:24:34 +01:00
|
|
|
s->func.timer(source->data, expirations);
|
2017-06-14 16:10:07 +02:00
|
|
|
}
|
|
|
|
|
|
2019-05-20 16:11:23 +02:00
|
|
|
static struct spa_source *loop_add_timer(void *object,
|
2017-06-14 16:10:07 +02:00
|
|
|
spa_source_timer_func_t func, void *data)
|
|
|
|
|
{
|
2019-05-20 16:11:23 +02:00
|
|
|
struct impl *impl = object;
|
2017-06-14 16:10:07 +02:00
|
|
|
struct source_impl *source;
|
2019-06-20 17:31:29 +02:00
|
|
|
int res;
|
2017-06-14 16:10:07 +02:00
|
|
|
|
|
|
|
|
source = calloc(1, sizeof(struct source_impl));
|
|
|
|
|
if (source == NULL)
|
2019-06-20 17:31:29 +02:00
|
|
|
goto error_exit;
|
|
|
|
|
|
|
|
|
|
if ((res = spa_system_timerfd_create(impl->system, CLOCK_MONOTONIC,
|
|
|
|
|
SPA_FD_CLOEXEC | SPA_FD_NONBLOCK)) < 0)
|
|
|
|
|
goto error_exit_free;
|
2017-06-14 16:10:07 +02:00
|
|
|
|
|
|
|
|
source->source.func = source_timer_func;
|
|
|
|
|
source->source.data = data;
|
2019-06-20 17:31:29 +02:00
|
|
|
source->source.fd = res;
|
2017-06-14 16:10:07 +02:00
|
|
|
source->source.mask = SPA_IO_IN;
|
|
|
|
|
source->impl = impl;
|
|
|
|
|
source->close = true;
|
|
|
|
|
source->func.timer = func;
|
|
|
|
|
|
2019-06-20 17:31:29 +02:00
|
|
|
if ((res = loop_add_source(impl, &source->source)) < 0)
|
|
|
|
|
goto error_exit_close;
|
2017-06-14 16:10:07 +02:00
|
|
|
|
|
|
|
|
spa_list_insert(&impl->source_list, &source->link);
|
|
|
|
|
|
2019-06-20 17:31:29 +02:00
|
|
|
return &source->source;
|
2019-06-07 10:11:23 +02:00
|
|
|
|
2019-06-20 17:31:29 +02:00
|
|
|
error_exit_close:
|
|
|
|
|
spa_system_close(impl->system, source->source.fd);
|
|
|
|
|
error_exit_free:
|
2019-06-07 10:11:23 +02:00
|
|
|
free(source);
|
2019-06-20 17:31:29 +02:00
|
|
|
errno = -res;
|
|
|
|
|
error_exit:
|
|
|
|
|
return NULL;
|
2017-06-14 16:10:07 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static int
|
2019-05-20 16:11:23 +02:00
|
|
|
loop_update_timer(void *object, struct spa_source *source,
|
2017-06-14 16:10:07 +02:00
|
|
|
struct timespec *value, struct timespec *interval, bool absolute)
|
|
|
|
|
{
|
2022-02-19 14:12:44 +01:00
|
|
|
struct source_impl *s = SPA_CONTAINER_OF(source, struct source_impl, source);
|
2017-06-14 16:10:07 +02:00
|
|
|
struct itimerspec its;
|
2019-06-20 17:31:29 +02:00
|
|
|
int flags = 0, res;
|
2017-06-14 16:10:07 +02:00
|
|
|
|
2022-02-19 14:12:44 +01:00
|
|
|
spa_assert(s->impl == object);
|
2022-02-19 19:17:42 +01:00
|
|
|
spa_assert(source->func == source_timer_func);
|
2022-02-19 14:12:44 +01:00
|
|
|
|
2017-06-14 16:10:07 +02:00
|
|
|
spa_zero(its);
|
2020-03-16 12:52:28 +01:00
|
|
|
if (SPA_LIKELY(value)) {
|
2017-06-14 16:10:07 +02:00
|
|
|
its.it_value = *value;
|
|
|
|
|
} else if (interval) {
|
|
|
|
|
its.it_value = *interval;
|
|
|
|
|
absolute = true;
|
|
|
|
|
}
|
2020-03-16 12:52:28 +01:00
|
|
|
if (SPA_UNLIKELY(interval))
|
2017-06-14 16:10:07 +02:00
|
|
|
its.it_interval = *interval;
|
2020-03-16 12:52:28 +01:00
|
|
|
if (SPA_LIKELY(absolute))
|
2019-06-04 17:07:34 +02:00
|
|
|
flags |= SPA_FD_TIMER_ABSTIME;
|
2017-06-14 16:10:07 +02:00
|
|
|
|
2022-02-19 14:12:44 +01:00
|
|
|
if (SPA_UNLIKELY((res = spa_system_timerfd_settime(s->impl->system, source->fd, flags, &its, NULL)) < 0))
|
2019-06-20 17:31:29 +02:00
|
|
|
return res;
|
2017-06-14 16:10:07 +02:00
|
|
|
|
2017-11-13 09:41:41 +01:00
|
|
|
return 0;
|
2017-06-14 16:10:07 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static void source_signal_func(struct spa_source *source)
|
|
|
|
|
{
|
2022-02-21 16:24:34 +01:00
|
|
|
struct source_impl *s = SPA_CONTAINER_OF(source, struct source_impl, source);
|
2021-03-27 19:23:34 +01:00
|
|
|
int res, signal_number = 0;
|
2017-06-14 16:10:07 +02:00
|
|
|
|
2022-12-01 19:52:23 +01:00
|
|
|
if ((res = spa_system_signalfd_read(s->impl->system, source->fd, &signal_number)) < 0) {
|
|
|
|
|
if (res != -EAGAIN)
|
|
|
|
|
spa_log_warn(s->impl->log, "%p: failed to read signal fd:%d: %s",
|
|
|
|
|
source, source->fd, spa_strerror(res));
|
|
|
|
|
return;
|
|
|
|
|
}
|
2022-02-21 16:24:34 +01:00
|
|
|
s->func.signal(source->data, signal_number);
|
2017-06-14 16:10:07 +02:00
|
|
|
}
|
|
|
|
|
|
2019-05-20 16:11:23 +02:00
|
|
|
static struct spa_source *loop_add_signal(void *object,
|
2017-06-14 16:10:07 +02:00
|
|
|
int signal_number,
|
|
|
|
|
spa_source_signal_func_t func, void *data)
|
|
|
|
|
{
|
2019-05-20 16:11:23 +02:00
|
|
|
struct impl *impl = object;
|
2017-06-14 16:10:07 +02:00
|
|
|
struct source_impl *source;
|
2019-06-20 17:31:29 +02:00
|
|
|
int res;
|
2017-06-14 16:10:07 +02:00
|
|
|
|
|
|
|
|
source = calloc(1, sizeof(struct source_impl));
|
|
|
|
|
if (source == NULL)
|
2019-06-20 17:31:29 +02:00
|
|
|
goto error_exit;
|
|
|
|
|
|
|
|
|
|
if ((res = spa_system_signalfd_create(impl->system,
|
|
|
|
|
signal_number, SPA_FD_CLOEXEC | SPA_FD_NONBLOCK)) < 0)
|
|
|
|
|
goto error_exit_free;
|
2017-06-14 16:10:07 +02:00
|
|
|
|
|
|
|
|
source->source.func = source_signal_func;
|
|
|
|
|
source->source.data = data;
|
2019-06-20 17:31:29 +02:00
|
|
|
source->source.fd = res;
|
2017-06-14 16:10:07 +02:00
|
|
|
source->source.mask = SPA_IO_IN;
|
|
|
|
|
source->impl = impl;
|
|
|
|
|
source->close = true;
|
|
|
|
|
source->func.signal = func;
|
|
|
|
|
|
2019-06-20 17:31:29 +02:00
|
|
|
if ((res = loop_add_source(impl, &source->source)) < 0)
|
|
|
|
|
goto error_exit_close;
|
2017-06-14 16:10:07 +02:00
|
|
|
|
|
|
|
|
spa_list_insert(&impl->source_list, &source->link);
|
|
|
|
|
|
2019-06-20 17:31:29 +02:00
|
|
|
return &source->source;
|
2019-06-07 10:11:23 +02:00
|
|
|
|
2019-06-20 17:31:29 +02:00
|
|
|
error_exit_close:
|
|
|
|
|
spa_system_close(impl->system, source->source.fd);
|
|
|
|
|
error_exit_free:
|
2019-06-07 10:11:23 +02:00
|
|
|
free(source);
|
2019-06-20 17:31:29 +02:00
|
|
|
errno = -res;
|
|
|
|
|
error_exit:
|
|
|
|
|
return NULL;
|
2017-06-14 16:10:07 +02:00
|
|
|
}
|
|
|
|
|
|
2019-05-20 16:11:23 +02:00
|
|
|
static void loop_destroy_source(void *object, struct spa_source *source)
|
2017-06-14 16:10:07 +02:00
|
|
|
{
|
2022-02-21 16:24:34 +01:00
|
|
|
struct source_impl *s = SPA_CONTAINER_OF(source, struct source_impl, source);
|
2017-06-14 16:10:07 +02:00
|
|
|
|
2022-02-19 14:12:44 +01:00
|
|
|
spa_assert(s->impl == object);
|
|
|
|
|
|
2022-02-21 16:24:34 +01:00
|
|
|
spa_log_trace(s->impl->log, "%p ", s);
|
2020-04-14 18:05:45 +02:00
|
|
|
|
2022-02-21 16:24:34 +01:00
|
|
|
spa_list_remove(&s->link);
|
2017-06-14 16:10:07 +02:00
|
|
|
|
2022-02-21 16:24:34 +01:00
|
|
|
if (s->fallback)
|
|
|
|
|
loop_destroy_source(s->impl, s->fallback);
|
spa: support: loop: fix use-after-free when loop is reentered
The core of the issue is the following: what happens if an
active source is destroyed before it could be dispatched?
For loop-managed sources (`struct source_impl`) this was addressed
by storing all destroyed sources in a list, and only freeing them
after dispatching has been finished. (0eb73f0f06a2e40362990080007db295141f6f1f)
This approach works for both strictly single-threaded
and `pw_thread_loop` loops assuming the loop is not
reentered.
However, if the loop is reentered, there can still be issues.
Assume that in one iteration sources A and B are active,
and returned from the system call, and source B is destroyed
before the loop starts dispatching. Consider what happens when
"A" is dispatched first, and it reenters the loop with timeout 0.
Imagine there are no new events, so `loop_iterate()` will immediately
return, but it will first destroy everything in the destroy list
(this is done at the end of `loop_iterate()`).
And herein lies the problem. In the previous iteration,
there exists a `spa_poll_event` object which points to source "B",
but that has just been destroyed at the end of the recursive
iteration. This will trigger a use-after-free once the previous
iteration inspects it.
Fix that by processing the destroy list right after first
processing the returned `spa_poll_event` objects, and
"detach" the source from the loop and its iterations
in `process_destroy()` before the source is destroyed.
See #2114 #2147
2022-02-19 13:31:01 +01:00
|
|
|
else
|
|
|
|
|
remove_from_poll(s->impl, source);
|
2017-06-14 16:10:07 +02:00
|
|
|
|
2022-02-21 16:24:34 +01:00
|
|
|
if (source->fd != -1 && s->close) {
|
|
|
|
|
spa_system_close(s->impl->system, source->fd);
|
2017-08-08 16:56:29 +02:00
|
|
|
source->fd = -1;
|
|
|
|
|
}
|
spa: support: loop: fix use-after-free when loop is reentered
The core of the issue is the following: what happens if an
active source is destroyed before it could be dispatched?
For loop-managed sources (`struct source_impl`) this was addressed
by storing all destroyed sources in a list, and only freeing them
after dispatching has been finished. (0eb73f0f06a2e40362990080007db295141f6f1f)
This approach works for both strictly single-threaded
and `pw_thread_loop` loops assuming the loop is not
reentered.
However, if the loop is reentered, there can still be issues.
Assume that in one iteration sources A and B are active,
and returned from the system call, and source B is destroyed
before the loop starts dispatching. Consider what happens when
"A" is dispatched first, and it reenters the loop with timeout 0.
Imagine there are no new events, so `loop_iterate()` will immediately
return, but it will first destroy everything in the destroy list
(this is done at the end of `loop_iterate()`).
And herein lies the problem. In the previous iteration,
there exists a `spa_poll_event` object which points to source "B",
but that has just been destroyed at the end of the recursive
iteration. This will trigger a use-after-free once the previous
iteration inspects it.
Fix that by processing the destroy list right after first
processing the returned `spa_poll_event` objects, and
"detach" the source from the loop and its iterations
in `process_destroy()` before the source is destroyed.
See #2114 #2147
2022-02-19 13:31:01 +01:00
|
|
|
|
|
|
|
|
if (!s->impl->polling)
|
|
|
|
|
free_source(s);
|
|
|
|
|
else
|
|
|
|
|
spa_list_insert(&s->impl->destroy_list, &s->link);
|
2017-06-14 16:10:07 +02:00
|
|
|
}
|
|
|
|
|
|
2019-05-20 16:11:23 +02:00
|
|
|
static const struct spa_loop_methods impl_loop = {
|
|
|
|
|
SPA_VERSION_LOOP_METHODS,
|
|
|
|
|
.add_source = loop_add_source,
|
|
|
|
|
.update_source = loop_update_source,
|
|
|
|
|
.remove_source = loop_remove_source,
|
|
|
|
|
.invoke = loop_invoke,
|
2017-06-14 16:10:07 +02:00
|
|
|
};
|
|
|
|
|
|
2023-05-05 17:41:37 +02:00
|
|
|
static const struct spa_loop_control_methods impl_loop_control_cancel = {
|
|
|
|
|
SPA_VERSION_LOOP_CONTROL_METHODS,
|
|
|
|
|
.get_fd = loop_get_fd,
|
|
|
|
|
.add_hook = loop_add_hook,
|
|
|
|
|
.enter = loop_enter,
|
|
|
|
|
.leave = loop_leave,
|
|
|
|
|
.iterate = loop_iterate_cancel,
|
|
|
|
|
.check = loop_check,
|
|
|
|
|
};
|
|
|
|
|
|
2019-05-20 16:11:23 +02:00
|
|
|
static const struct spa_loop_control_methods impl_loop_control = {
|
|
|
|
|
SPA_VERSION_LOOP_CONTROL_METHODS,
|
|
|
|
|
.get_fd = loop_get_fd,
|
|
|
|
|
.add_hook = loop_add_hook,
|
|
|
|
|
.enter = loop_enter,
|
|
|
|
|
.leave = loop_leave,
|
|
|
|
|
.iterate = loop_iterate,
|
2023-03-31 18:40:57 +02:00
|
|
|
.check = loop_check,
|
2017-06-14 16:10:07 +02:00
|
|
|
};
|
|
|
|
|
|
2019-05-20 16:11:23 +02:00
|
|
|
static const struct spa_loop_utils_methods impl_loop_utils = {
|
|
|
|
|
SPA_VERSION_LOOP_UTILS_METHODS,
|
|
|
|
|
.add_io = loop_add_io,
|
|
|
|
|
.update_io = loop_update_io,
|
|
|
|
|
.add_idle = loop_add_idle,
|
|
|
|
|
.enable_idle = loop_enable_idle,
|
|
|
|
|
.add_event = loop_add_event,
|
|
|
|
|
.signal_event = loop_signal_event,
|
|
|
|
|
.add_timer = loop_add_timer,
|
|
|
|
|
.update_timer = loop_update_timer,
|
|
|
|
|
.add_signal = loop_add_signal,
|
|
|
|
|
.destroy_source = loop_destroy_source,
|
2017-06-14 16:10:07 +02:00
|
|
|
};
|
|
|
|
|
|
2019-12-19 13:15:10 +01:00
|
|
|
static int impl_get_interface(struct spa_handle *handle, const char *type, void **interface)
|
2017-06-14 16:10:07 +02:00
|
|
|
{
|
|
|
|
|
struct impl *impl;
|
|
|
|
|
|
2017-11-13 09:41:41 +01:00
|
|
|
spa_return_val_if_fail(handle != NULL, -EINVAL);
|
|
|
|
|
spa_return_val_if_fail(interface != NULL, -EINVAL);
|
2017-06-14 16:10:07 +02:00
|
|
|
|
|
|
|
|
impl = (struct impl *) handle;
|
|
|
|
|
|
2021-05-18 11:36:13 +10:00
|
|
|
if (spa_streq(type, SPA_TYPE_INTERFACE_Loop))
|
2017-06-14 16:10:07 +02:00
|
|
|
*interface = &impl->loop;
|
2021-05-18 11:36:13 +10:00
|
|
|
else if (spa_streq(type, SPA_TYPE_INTERFACE_LoopControl))
|
2017-06-14 16:10:07 +02:00
|
|
|
*interface = &impl->control;
|
2021-05-18 11:36:13 +10:00
|
|
|
else if (spa_streq(type, SPA_TYPE_INTERFACE_LoopUtils))
|
2017-06-14 16:10:07 +02:00
|
|
|
*interface = &impl->utils;
|
2019-12-19 13:15:10 +01:00
|
|
|
else
|
2017-11-13 09:41:41 +01:00
|
|
|
return -ENOENT;
|
2019-12-19 13:15:10 +01:00
|
|
|
|
2017-11-13 09:41:41 +01:00
|
|
|
return 0;
|
2017-06-14 16:10:07 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static int impl_clear(struct spa_handle *handle)
|
|
|
|
|
{
|
|
|
|
|
struct impl *impl;
|
2018-09-25 13:05:13 +02:00
|
|
|
struct source_impl *source;
|
2017-06-14 16:10:07 +02:00
|
|
|
|
2017-11-13 09:41:41 +01:00
|
|
|
spa_return_val_if_fail(handle != NULL, -EINVAL);
|
2017-06-14 16:10:07 +02:00
|
|
|
|
|
|
|
|
impl = (struct impl *) handle;
|
|
|
|
|
|
2022-11-08 15:45:55 +01:00
|
|
|
if (impl->enter_count != 0 || impl->polling)
|
|
|
|
|
spa_log_warn(impl->log, "%p: loop is entered %d times polling:%d",
|
|
|
|
|
impl, impl->enter_count, impl->polling);
|
2022-03-05 22:00:18 +01:00
|
|
|
|
2018-09-25 13:05:13 +02:00
|
|
|
spa_list_consume(source, &impl->source_list, link)
|
2019-05-20 16:11:23 +02:00
|
|
|
loop_destroy_source(impl, &source->source);
|
2017-06-14 16:10:07 +02:00
|
|
|
|
2019-06-04 17:07:34 +02:00
|
|
|
spa_system_close(impl->system, impl->ack_fd);
|
2019-06-06 15:21:40 +02:00
|
|
|
spa_system_close(impl->system, impl->poll_fd);
|
2017-06-14 16:10:07 +02:00
|
|
|
|
2017-11-13 09:41:41 +01:00
|
|
|
return 0;
|
2017-06-14 16:10:07 +02:00
|
|
|
}
|
|
|
|
|
|
2018-04-09 10:06:17 +02:00
|
|
|
static size_t
|
|
|
|
|
impl_get_size(const struct spa_handle_factory *factory,
|
|
|
|
|
const struct spa_dict *params)
|
|
|
|
|
{
|
|
|
|
|
return sizeof(struct impl);
|
|
|
|
|
}
|
|
|
|
|
|
2017-06-14 16:10:07 +02:00
|
|
|
static int
|
|
|
|
|
impl_init(const struct spa_handle_factory *factory,
|
|
|
|
|
struct spa_handle *handle,
|
|
|
|
|
const struct spa_dict *info,
|
|
|
|
|
const struct spa_support *support,
|
|
|
|
|
uint32_t n_support)
|
|
|
|
|
{
|
|
|
|
|
struct impl *impl;
|
2023-05-05 17:41:37 +02:00
|
|
|
const char *str;
|
2019-06-18 10:47:12 -04:00
|
|
|
int res;
|
2017-06-14 16:10:07 +02:00
|
|
|
|
2017-11-13 09:41:41 +01:00
|
|
|
spa_return_val_if_fail(factory != NULL, -EINVAL);
|
|
|
|
|
spa_return_val_if_fail(handle != NULL, -EINVAL);
|
2017-06-14 16:10:07 +02:00
|
|
|
|
|
|
|
|
handle->get_interface = impl_get_interface;
|
|
|
|
|
handle->clear = impl_clear;
|
|
|
|
|
|
|
|
|
|
impl = (struct impl *) handle;
|
2019-05-20 16:11:23 +02:00
|
|
|
impl->loop.iface = SPA_INTERFACE_INIT(
|
|
|
|
|
SPA_TYPE_INTERFACE_Loop,
|
|
|
|
|
SPA_VERSION_LOOP,
|
|
|
|
|
&impl_loop, impl);
|
|
|
|
|
impl->control.iface = SPA_INTERFACE_INIT(
|
|
|
|
|
SPA_TYPE_INTERFACE_LoopControl,
|
|
|
|
|
SPA_VERSION_LOOP_CONTROL,
|
|
|
|
|
&impl_loop_control, impl);
|
|
|
|
|
impl->utils.iface = SPA_INTERFACE_INIT(
|
|
|
|
|
SPA_TYPE_INTERFACE_LoopUtils,
|
|
|
|
|
SPA_VERSION_LOOP_UTILS,
|
|
|
|
|
&impl_loop_utils, impl);
|
2017-06-14 16:10:07 +02:00
|
|
|
|
2023-05-05 17:41:37 +02:00
|
|
|
if (info) {
|
|
|
|
|
if ((str = spa_dict_lookup(info, "loop.cancel")) != NULL &&
|
|
|
|
|
spa_atob(str))
|
|
|
|
|
impl->control.iface.cb.funcs = &impl_loop_control_cancel;
|
|
|
|
|
}
|
|
|
|
|
|
2019-12-19 13:15:10 +01:00
|
|
|
impl->log = spa_support_find(support, n_support, SPA_TYPE_INTERFACE_Log);
|
2021-09-27 15:31:35 +10:00
|
|
|
spa_log_topic_init(impl->log, &log_topic);
|
2019-12-19 13:15:10 +01:00
|
|
|
impl->system = spa_support_find(support, n_support, SPA_TYPE_INTERFACE_System);
|
|
|
|
|
|
2019-06-06 15:21:40 +02:00
|
|
|
if (impl->system == NULL) {
|
2021-09-27 15:31:35 +10:00
|
|
|
spa_log_error(impl->log, "%p: a System is needed", impl);
|
2019-06-18 10:47:12 -04:00
|
|
|
res = -EINVAL;
|
2019-06-20 17:31:29 +02:00
|
|
|
goto error_exit;
|
2019-06-06 15:21:40 +02:00
|
|
|
}
|
2017-06-14 16:10:07 +02:00
|
|
|
|
2019-06-20 17:31:29 +02:00
|
|
|
if ((res = spa_system_pollfd_create(impl->system, SPA_FD_CLOEXEC)) < 0) {
|
2021-09-27 15:31:35 +10:00
|
|
|
spa_log_error(impl->log, "%p: can't create pollfd: %s",
|
2019-06-20 17:31:29 +02:00
|
|
|
impl, spa_strerror(res));
|
|
|
|
|
goto error_exit;
|
2019-06-18 10:47:12 -04:00
|
|
|
}
|
2019-06-20 17:31:29 +02:00
|
|
|
impl->poll_fd = res;
|
2017-06-14 16:10:07 +02:00
|
|
|
|
|
|
|
|
spa_list_init(&impl->source_list);
|
2022-02-18 18:36:36 +01:00
|
|
|
spa_list_init(&impl->destroy_list);
|
2017-08-08 16:56:29 +02:00
|
|
|
spa_hook_list_init(&impl->hooks_list);
|
2017-06-14 16:10:07 +02:00
|
|
|
|
2022-01-03 11:14:15 +01:00
|
|
|
impl->buffer_data = SPA_PTR_ALIGN(impl->buffer_mem, MAX_ALIGN, uint8_t);
|
2017-11-15 17:25:36 +01:00
|
|
|
spa_ringbuffer_init(&impl->buffer);
|
2017-06-14 16:10:07 +02:00
|
|
|
|
2019-05-23 15:11:49 +02:00
|
|
|
impl->wakeup = loop_add_event(impl, wakeup_func, impl);
|
2019-06-18 10:47:12 -04:00
|
|
|
if (impl->wakeup == NULL) {
|
|
|
|
|
res = -errno;
|
2021-09-27 15:31:35 +10:00
|
|
|
spa_log_error(impl->log, "%p: can't create wakeup event: %m", impl);
|
2019-06-20 17:31:29 +02:00
|
|
|
goto error_exit_free_poll;
|
2019-06-18 10:47:12 -04:00
|
|
|
}
|
2019-06-20 17:31:29 +02:00
|
|
|
if ((res = spa_system_eventfd_create(impl->system,
|
|
|
|
|
SPA_FD_EVENT_SEMAPHORE | SPA_FD_CLOEXEC)) < 0) {
|
2021-09-27 15:31:35 +10:00
|
|
|
spa_log_error(impl->log, "%p: can't create ack event: %s",
|
2019-06-20 17:31:29 +02:00
|
|
|
impl, spa_strerror(res));
|
|
|
|
|
goto error_exit_free_wakeup;
|
2019-06-18 10:47:12 -04:00
|
|
|
}
|
2019-06-20 17:31:29 +02:00
|
|
|
impl->ack_fd = res;
|
|
|
|
|
|
2021-09-27 15:31:35 +10:00
|
|
|
spa_log_debug(impl->log, "%p: initialized", impl);
|
2017-06-14 16:10:07 +02:00
|
|
|
|
2017-11-13 09:41:41 +01:00
|
|
|
return 0;
|
2019-06-18 10:47:12 -04:00
|
|
|
|
2019-06-20 17:31:29 +02:00
|
|
|
error_exit_free_wakeup:
|
2019-06-18 10:47:12 -04:00
|
|
|
loop_destroy_source(impl, impl->wakeup);
|
2019-06-20 17:31:29 +02:00
|
|
|
error_exit_free_poll:
|
2019-06-18 10:47:12 -04:00
|
|
|
spa_system_close(impl->system, impl->poll_fd);
|
2019-06-20 17:31:29 +02:00
|
|
|
error_exit:
|
2019-06-18 10:47:12 -04:00
|
|
|
return res;
|
2017-06-14 16:10:07 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static const struct spa_interface_info impl_interfaces[] = {
|
2018-08-27 15:03:11 +02:00
|
|
|
{SPA_TYPE_INTERFACE_Loop,},
|
|
|
|
|
{SPA_TYPE_INTERFACE_LoopControl,},
|
|
|
|
|
{SPA_TYPE_INTERFACE_LoopUtils,},
|
2017-06-14 16:10:07 +02:00
|
|
|
};
|
|
|
|
|
|
|
|
|
|
static int
|
|
|
|
|
impl_enum_interface_info(const struct spa_handle_factory *factory,
|
|
|
|
|
const struct spa_interface_info **info,
|
2017-11-13 09:41:41 +01:00
|
|
|
uint32_t *index)
|
2017-06-14 16:10:07 +02:00
|
|
|
{
|
2017-11-13 09:41:41 +01:00
|
|
|
spa_return_val_if_fail(factory != NULL, -EINVAL);
|
|
|
|
|
spa_return_val_if_fail(info != NULL, -EINVAL);
|
|
|
|
|
spa_return_val_if_fail(index != NULL, -EINVAL);
|
2017-06-14 16:10:07 +02:00
|
|
|
|
2017-11-13 09:41:41 +01:00
|
|
|
if (*index >= SPA_N_ELEMENTS(impl_interfaces))
|
|
|
|
|
return 0;
|
2017-06-14 16:10:07 +02:00
|
|
|
|
2017-11-13 09:41:41 +01:00
|
|
|
*info = &impl_interfaces[(*index)++];
|
|
|
|
|
return 1;
|
2017-06-14 16:10:07 +02:00
|
|
|
}
|
|
|
|
|
|
2019-02-06 11:38:12 +01:00
|
|
|
const struct spa_handle_factory spa_support_loop_factory = {
|
2017-06-14 18:32:39 +02:00
|
|
|
SPA_VERSION_HANDLE_FACTORY,
|
2019-06-21 13:31:34 +02:00
|
|
|
SPA_NAME_SUPPORT_LOOP,
|
2017-06-14 16:10:07 +02:00
|
|
|
NULL,
|
2018-04-09 10:06:17 +02:00
|
|
|
impl_get_size,
|
2017-06-14 16:10:07 +02:00
|
|
|
impl_init,
|
2017-06-14 18:32:39 +02:00
|
|
|
impl_enum_interface_info
|
2017-06-14 16:10:07 +02:00
|
|
|
};
|
