mirrors/pipewire
1
0
Fork 0
mirror of https://gitlab.freedesktop.org/pipewire/pipewire.git synced 2025-11-01 22:58:50 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions

media-session: fix sm_object ownership

Browse source 
sm_object may be owned by either (i) monitors, created via
sm_media_session_create/export*, or (ii) registry, via
registry_global+bind_object.  However, registry adds the objects to its
globals list when their proxy appears, even if it does not own them.

Only owner should call sm_object_destroy which unrefs obj->handle,
because the sm_object structure is stored inside the handle's user_data
and becomes invalid afterward.

The sm_object_destroy call removes the object from the registry globals
map, so if monitor calls first, there is no problem. However, sometimes
the registry wins the race.

Previously, registry did sm_object_destroy regardless of whether it owns
the object or not, possibly causing the monitor's sm_object_destroy to
refer to freed memory. This could cause segfaults, e.g.

    CARD=XX:XX:XX:XX:XX:XX
    bluetootctl connect $CARD
    while true; do pactl set-card-profile bluez_card.$CARD a2dp-sink; pactl set-card-profile bluez_card.$CARD off; done

leads to a race between bluez5_remove_node and registry_global_remove,
and problems appear when the latter wins.  (As usual, if it doesn't
segfault, a heisenbug appears instead.)

Fix this by keeping track who owns the objects, and having registry
destroy the objects only if it owns them. Otherwise, it just removes
them from its lists.

Also call pw_proxy_unref unconditionally in sm_object_destroy, so its
asserts catch refcounting errors (although now there shouldn't be any).

***

Another problem is conflict between bound_proxy and register_global,
which generates duplicate objects with the same id.  We resolve this by
keeping the object not owned by the registry and discarding the other
one.

This fixes a memory leak, and possible consistency problems in session
modules (due to session_create events for different objects with same
id; now there will be paired session_remove ones in between).
This commit is contained in:
Pauli Virtanen 2021-02-13 15:35:36 +02:00 committed by Wim Taymans
parent 0dee15d0f6
commit 791a38f3fa
2 changed files with 50 additions and 13 deletions
Download patch file Download diff file Expand all files Collapse all files

2
src/examples/media-session/media-session.h
View file

@ -83,6 +83,8 @@ struct sm_object {
struct spa_callbacks methods;
struct spa_list data;
unsigned int owned_by_registry:1;
};
int sm_object_add_listener(struct sm_object *obj, struct spa_hook *listener,