From 468e3669aac28da5c643ad4e789fedb41a7934ef Mon Sep 17 00:00:00 2001
From: Georg Chini <georg@chini.tk>
Date: Mon, 19 Apr 2021 08:19:50 +0200
Subject: [PATCH] loopback: Fix crash bug

The loopback message may be called after the sink input is already destroyed which causes
a crash. Also memory is leaked because the message object is not correctly freed.

This patch fixes the problems by adding a "dead" flag to the message structure and freeing
the message object on exit.

Part-of: <https://gitlab.freedesktop.org/pulseaudio/pulseaudio/-/merge_requests/541>
---
 src/modules/module-loopback.c | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/src/modules/module-loopback.c b/src/modules/module-loopback.c
index 4f8ceec46..3f6cda2be 100644
--- a/src/modules/module-loopback.c
+++ b/src/modules/module-loopback.c
@@ -152,6 +152,7 @@ struct userdata {
 struct loopback_msg {
     pa_msgobject parent;
     struct userdata *userdata;
+    bool dead;
 };
 
 PA_DEFINE_PRIVATE_CLASS(loopback_msg, pa_msgobject);
@@ -206,6 +207,9 @@ static void teardown(struct userdata *u) {
     u->adjust_time = 0;
     enable_adjust_timer(u, false);
 
+    if (u->msg)
+        u->msg->dead = true;
+
     /* Handling the asyncmsgq between the source output and the sink input
      * requires some care. When the source output is unlinked, nothing needs
      * to be done for the asyncmsgq, because the source output is the sending
@@ -1227,6 +1231,12 @@ static int loopback_process_msg_cb(pa_msgobject *o, int code, void *userdata, in
     pa_assert_ctl_context();
 
     msg = LOOPBACK_MSG(o);
+
+    /* If messages are processed after a module unload request, they
+     * must be ignored. */
+    if (msg->dead)
+        return 0;
+
     pa_assert_se(u = msg->userdata);
 
     switch (code) {
@@ -1613,6 +1623,7 @@ int pa__init(pa_module *m) {
     u->msg = pa_msgobject_new(loopback_msg);
     u->msg->parent.process_msg = loopback_process_msg_cb;
     u->msg->userdata = u;
+    u->msg->dead = false;
 
     /* The output thread is not yet running, set effective_source_latency directly */
     update_effective_source_latency(u, u->source_output->source, NULL);
@@ -1656,5 +1667,8 @@ void pa__done(pa_module*m) {
     if (u->asyncmsgq)
         pa_asyncmsgq_unref(u->asyncmsgq);
 
+    if (u->msg)
+        loopback_msg_unref(u->msg);
+
     pa_xfree(u);
 }