1 |
commit: 3f09ddaa0cb5529f43f290d663ab2267d67b2a6c |
2 |
Author: Sam James <sam <AT> gentoo <DOT> org> |
3 |
AuthorDate: Mon Feb 21 03:27:05 2022 +0000 |
4 |
Commit: Sam James <sam <AT> gentoo <DOT> org> |
5 |
CommitDate: Mon Feb 21 03:30:19 2022 +0000 |
6 |
URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=3f09ddaa |
7 |
|
8 |
media-video/pipewire: backport 2 crash fixes |
9 |
|
10 |
- backport mpd crash fix |
11 |
- backport "fast volume change" fix |
12 |
|
13 |
Signed-off-by: Sam James <sam <AT> gentoo.org> |
14 |
|
15 |
...7-pulse-server-pending-sample-reply-crash.patch | 101 +++++++++++ |
16 |
....3.47-revert-loop-remove-destroy-list-mpd.patch | 187 +++++++++++++++++++++ |
17 |
...ire-0.3.47.ebuild => pipewire-0.3.47-r1.ebuild} | 3 + |
18 |
3 files changed, 291 insertions(+) |
19 |
|
20 |
diff --git a/media-video/pipewire/files/pipewire-0.3.47-pulse-server-pending-sample-reply-crash.patch b/media-video/pipewire/files/pipewire-0.3.47-pulse-server-pending-sample-reply-crash.patch |
21 |
new file mode 100644 |
22 |
index 000000000000..d4f74a5abcc5 |
23 |
--- /dev/null |
24 |
+++ b/media-video/pipewire/files/pipewire-0.3.47-pulse-server-pending-sample-reply-crash.patch |
25 |
@@ -0,0 +1,101 @@ |
26 |
+https://gitlab.freedesktop.org/pipewire/pipewire/-/commit/d7793501fd012de37fcc8bf09003c60bc4624341.patch |
27 |
+ |
28 |
+From d7793501fd012de37fcc8bf09003c60bc4624341 Mon Sep 17 00:00:00 2001 |
29 |
+From: Wim Taymans <wtaymans@××××××.com> |
30 |
+Date: Sun, 20 Feb 2022 21:34:53 +0100 |
31 |
+Subject: [PATCH] pulse-server: free pending sample reply |
32 |
+ |
33 |
+If the sample finished playing before we finished the roundtrip to |
34 |
+get the sink_index, it will be destroyed. When the roundtrip completes, |
35 |
+it will try to use invalid memoryy and crash. |
36 |
+ |
37 |
+Make sure we destroy all pending replies before destroying the sample |
38 |
+to avoid this problem. |
39 |
+ |
40 |
+Fixes #2151 |
41 |
+--- |
42 |
+ src/modules/module-protocol-pulse/operation.c | 10 ++++++++++ |
43 |
+ src/modules/module-protocol-pulse/operation.h | 1 + |
44 |
+ src/modules/module-protocol-pulse/pending-sample.c | 5 +++++ |
45 |
+ src/modules/module-protocol-pulse/pulse-server.c | 4 ++++ |
46 |
+ 4 files changed, 20 insertions(+) |
47 |
+ |
48 |
+diff --git a/src/modules/module-protocol-pulse/operation.c b/src/modules/module-protocol-pulse/operation.c |
49 |
+index e0e67b374..b1e0eb08d 100644 |
50 |
+--- a/src/modules/module-protocol-pulse/operation.c |
51 |
++++ b/src/modules/module-protocol-pulse/operation.c |
52 |
+@@ -66,6 +66,16 @@ void operation_free(struct operation *o) |
53 |
+ free(o); |
54 |
+ } |
55 |
+ |
56 |
++struct operation *operation_find(struct client *client, uint32_t tag) |
57 |
++{ |
58 |
++ struct operation *o; |
59 |
++ spa_list_for_each(o, &client->operations, link) { |
60 |
++ if (o->tag == tag) |
61 |
++ return o; |
62 |
++ } |
63 |
++ return NULL; |
64 |
++} |
65 |
++ |
66 |
+ void operation_complete(struct operation *o) |
67 |
+ { |
68 |
+ struct client *client = o->client; |
69 |
+diff --git a/src/modules/module-protocol-pulse/operation.h b/src/modules/module-protocol-pulse/operation.h |
70 |
+index d282ee5e5..1fa07cc7b 100644 |
71 |
+--- a/src/modules/module-protocol-pulse/operation.h |
72 |
++++ b/src/modules/module-protocol-pulse/operation.h |
73 |
+@@ -43,6 +43,7 @@ int operation_new(struct client *client, uint32_t tag); |
74 |
+ int operation_new_cb(struct client *client, uint32_t tag, |
75 |
+ void (*callback) (void *data, struct client *client, uint32_t tag), |
76 |
+ void *data); |
77 |
++struct operation *operation_find(struct client *client, uint32_t tag); |
78 |
+ void operation_free(struct operation *o); |
79 |
+ void operation_complete(struct operation *o); |
80 |
+ |
81 |
+diff --git a/src/modules/module-protocol-pulse/pending-sample.c b/src/modules/module-protocol-pulse/pending-sample.c |
82 |
+index 6e5d04fbb..399fc3b54 100644 |
83 |
+--- a/src/modules/module-protocol-pulse/pending-sample.c |
84 |
++++ b/src/modules/module-protocol-pulse/pending-sample.c |
85 |
+@@ -29,6 +29,7 @@ |
86 |
+ #include "client.h" |
87 |
+ #include "internal.h" |
88 |
+ #include "log.h" |
89 |
++#include "operation.h" |
90 |
+ #include "pending-sample.h" |
91 |
+ #include "sample-play.h" |
92 |
+ |
93 |
+@@ -36,10 +37,14 @@ void pending_sample_free(struct pending_sample *ps) |
94 |
+ { |
95 |
+ struct client * const client = ps->client; |
96 |
+ struct impl * const impl = client->impl; |
97 |
++ struct operation *o; |
98 |
+ |
99 |
+ spa_list_remove(&ps->link); |
100 |
+ spa_hook_remove(&ps->listener); |
101 |
+ pw_work_queue_cancel(impl->work_queue, ps, SPA_ID_INVALID); |
102 |
+ |
103 |
++ if ((o = operation_find(client, ps->tag)) != NULL) |
104 |
++ operation_free(o); |
105 |
++ |
106 |
+ sample_play_destroy(ps->play); |
107 |
+ } |
108 |
+diff --git a/src/modules/module-protocol-pulse/pulse-server.c b/src/modules/module-protocol-pulse/pulse-server.c |
109 |
+index 182c3db99..c035840d1 100644 |
110 |
+--- a/src/modules/module-protocol-pulse/pulse-server.c |
111 |
++++ b/src/modules/module-protocol-pulse/pulse-server.c |
112 |
+@@ -2353,6 +2353,10 @@ static void on_sample_done(void *obj, void *data, int res, uint32_t id) |
113 |
+ { |
114 |
+ struct pending_sample *ps = obj; |
115 |
+ struct client *client = ps->client; |
116 |
++ struct operation *o; |
117 |
++ |
118 |
++ if ((o = operation_find(client, ps->tag)) != NULL) |
119 |
++ operation_complete(o); |
120 |
+ |
121 |
+ pending_sample_free(ps); |
122 |
+ client_unref(client); |
123 |
+-- |
124 |
+GitLab |
125 |
+ |
126 |
+ |
127 |
|
128 |
diff --git a/media-video/pipewire/files/pipewire-0.3.47-revert-loop-remove-destroy-list-mpd.patch b/media-video/pipewire/files/pipewire-0.3.47-revert-loop-remove-destroy-list-mpd.patch |
129 |
new file mode 100644 |
130 |
index 000000000000..0e27d65fdb3a |
131 |
--- /dev/null |
132 |
+++ b/media-video/pipewire/files/pipewire-0.3.47-revert-loop-remove-destroy-list-mpd.patch |
133 |
@@ -0,0 +1,187 @@ |
134 |
+Fixes mpd crash. |
135 |
+ |
136 |
+https://gitlab.freedesktop.org/pipewire/pipewire/-/commit/16f63a3c8fa227625bade5a9edea22354b347d18.patch |
137 |
+https://gitlab.freedesktop.org/pipewire/pipewire/-/commit/d1f7e96f821089224ddcacf8e8f506f99c54eb5c.patch |
138 |
+ |
139 |
+From 16f63a3c8fa227625bade5a9edea22354b347d18 Mon Sep 17 00:00:00 2001 |
140 |
+From: =?UTF-8?q?Barnab=C3=A1s=20P=C5=91cze?= <pobrn@××××××××××.com> |
141 |
+Date: Fri, 18 Feb 2022 18:36:36 +0100 |
142 |
+Subject: [PATCH] Revert "loop: remove destroy list" |
143 |
+ |
144 |
+This reverts commit c474846c42967c44db069a23b76a29da6f496f33. |
145 |
+In addition, `s->loop` is also checked before dispatching a source. |
146 |
+ |
147 |
+The destroy list is needed in the presence of threads. The |
148 |
+issue is that a source may be destroyed between `epoll_wait()` |
149 |
+returning and thread loop lock being acquired. If this |
150 |
+source is active, then a use-after-free will be triggered |
151 |
+when the thread loop acquires the lock and starts dispatching |
152 |
+the sources. |
153 |
+ |
154 |
+ thread 1 thread 2 |
155 |
+ ---------- ---------- |
156 |
+ loop_iterate |
157 |
+ spa_loop_control_hook_before |
158 |
+ // release lock |
159 |
+ |
160 |
+ pw_thread_loop_lock |
161 |
+ |
162 |
+ spa_system_pollfd_wait |
163 |
+ // assume it returns with source A |
164 |
+ |
165 |
+ pw_loop_destroy_source(..., A) |
166 |
+ // frees storage of A |
167 |
+ |
168 |
+ pw_thread_loop_unlock |
169 |
+ spa_loop_control_hook_after |
170 |
+ // acquire the lock |
171 |
+ |
172 |
+ for (...) { |
173 |
+ struct spa_source *s = ep[i].data; |
174 |
+ s->rmask = ep[i].events; |
175 |
+ // use-after-free if `s` refers to |
176 |
+ // the previously freed `A` |
177 |
+ |
178 |
+Fixes #2147 |
179 |
+--- |
180 |
+ spa/plugins/support/loop.c | 19 +++++++++++++++++-- |
181 |
+ 1 file changed, 17 insertions(+), 2 deletions(-) |
182 |
+ |
183 |
+diff --git a/spa/plugins/support/loop.c b/spa/plugins/support/loop.c |
184 |
+index 0588ce770..04739eb2a 100644 |
185 |
+--- a/spa/plugins/support/loop.c |
186 |
++++ b/spa/plugins/support/loop.c |
187 |
+@@ -75,6 +75,7 @@ struct impl { |
188 |
+ struct spa_system *system; |
189 |
+ |
190 |
+ struct spa_list source_list; |
191 |
++ struct spa_list destroy_list; |
192 |
+ struct spa_hook_list hooks_list; |
193 |
+ |
194 |
+ int poll_fd; |
195 |
+@@ -325,6 +326,14 @@ static void loop_leave(void *object) |
196 |
+ impl->thread = 0; |
197 |
+ } |
198 |
+ |
199 |
++static inline void process_destroy(struct impl *impl) |
200 |
++{ |
201 |
++ struct source_impl *source, *tmp; |
202 |
++ spa_list_for_each_safe(source, tmp, &impl->destroy_list, link) |
203 |
++ free(source); |
204 |
++ spa_list_init(&impl->destroy_list); |
205 |
++} |
206 |
++ |
207 |
+ static int loop_iterate(void *object, int timeout) |
208 |
+ { |
209 |
+ struct impl *impl = object; |
210 |
+@@ -354,11 +363,14 @@ static int loop_iterate(void *object, int timeout) |
211 |
+ } |
212 |
+ for (i = 0; i < nfds; i++) { |
213 |
+ struct spa_source *s = ep[i].data; |
214 |
+- if (SPA_LIKELY(s && s->rmask)) { |
215 |
++ if (SPA_LIKELY(s && s->rmask && s->loop)) { |
216 |
+ s->priv = NULL; |
217 |
+ s->func(s); |
218 |
+ } |
219 |
+ } |
220 |
++ if (SPA_UNLIKELY(!spa_list_is_empty(&impl->destroy_list))) |
221 |
++ process_destroy(impl); |
222 |
++ |
223 |
+ return nfds; |
224 |
+ } |
225 |
+ |
226 |
+@@ -712,7 +724,7 @@ static void loop_destroy_source(void *object, struct spa_source *source) |
227 |
+ spa_system_close(impl->impl->system, source->fd); |
228 |
+ source->fd = -1; |
229 |
+ } |
230 |
+- free(source); |
231 |
++ spa_list_insert(&impl->impl->destroy_list, &impl->link); |
232 |
+ } |
233 |
+ |
234 |
+ static const struct spa_loop_methods impl_loop = { |
235 |
+@@ -783,6 +795,8 @@ static int impl_clear(struct spa_handle *handle) |
236 |
+ spa_list_consume(source, &impl->source_list, link) |
237 |
+ loop_destroy_source(impl, &source->source); |
238 |
+ |
239 |
++ process_destroy(impl); |
240 |
++ |
241 |
+ spa_system_close(impl->system, impl->ack_fd); |
242 |
+ spa_system_close(impl->system, impl->poll_fd); |
243 |
+ |
244 |
+@@ -844,6 +858,7 @@ impl_init(const struct spa_handle_factory *factory, |
245 |
+ impl->poll_fd = res; |
246 |
+ |
247 |
+ spa_list_init(&impl->source_list); |
248 |
++ spa_list_init(&impl->destroy_list); |
249 |
+ spa_hook_list_init(&impl->hooks_list); |
250 |
+ |
251 |
+ impl->buffer_data = SPA_PTR_ALIGN(impl->buffer_mem, MAX_ALIGN, uint8_t); |
252 |
+-- |
253 |
+GitLab |
254 |
+ |
255 |
+ |
256 |
+From d1f7e96f821089224ddcacf8e8f506f99c54eb5c Mon Sep 17 00:00:00 2001 |
257 |
+From: =?UTF-8?q?Barnab=C3=A1s=20P=C5=91cze?= <pobrn@××××××××××.com> |
258 |
+Date: Fri, 18 Feb 2022 19:27:13 +0100 |
259 |
+Subject: [PATCH] test: loop: add test for destroying source of thread loop |
260 |
+ |
261 |
+Add test which tries to destroy an active source precisely |
262 |
+after the loop has returned from polling but has not yet |
263 |
+acquired the thread loop lock. |
264 |
+--- |
265 |
+ test/test-loop.c | 34 ++++++++++++++++++++++++++++++++++ |
266 |
+ 1 file changed, 34 insertions(+) |
267 |
+ |
268 |
+diff --git a/test/test-loop.c b/test/test-loop.c |
269 |
+index 98b2add09..81f7a117c 100644 |
270 |
+--- a/test/test-loop.c |
271 |
++++ b/test/test-loop.c |
272 |
+@@ -227,11 +227,45 @@ PWTEST(pwtest_loop_recurse2) |
273 |
+ return PWTEST_PASS; |
274 |
+ } |
275 |
+ |
276 |
++PWTEST(thread_loop_destroy_between_poll_and_lock) |
277 |
++{ |
278 |
++ pw_init(NULL, NULL); |
279 |
++ |
280 |
++ struct pw_thread_loop *thread_loop = pw_thread_loop_new("uaf", NULL); |
281 |
++ pwtest_ptr_notnull(thread_loop); |
282 |
++ |
283 |
++ struct pw_loop *loop = pw_thread_loop_get_loop(thread_loop); |
284 |
++ pwtest_ptr_notnull(loop); |
285 |
++ |
286 |
++ int evfd = eventfd(0, 0); |
287 |
++ pwtest_errno_ok(evfd); |
288 |
++ |
289 |
++ struct spa_source *source = pw_loop_add_io(loop, evfd, SPA_IO_IN, true, NULL, NULL); |
290 |
++ pwtest_ptr_notnull(source); |
291 |
++ |
292 |
++ pw_thread_loop_start(thread_loop); |
293 |
++ |
294 |
++ pw_thread_loop_lock(thread_loop); |
295 |
++ { |
296 |
++ write(evfd, &(uint64_t){1}, sizeof(uint64_t)); |
297 |
++ sleep(1); |
298 |
++ pw_loop_destroy_source(loop, source); |
299 |
++ } |
300 |
++ pw_thread_loop_unlock(thread_loop); |
301 |
++ |
302 |
++ pw_thread_loop_destroy(thread_loop); |
303 |
++ |
304 |
++ pw_deinit(); |
305 |
++ |
306 |
++ return PWTEST_PASS; |
307 |
++} |
308 |
++ |
309 |
+ PWTEST_SUITE(support) |
310 |
+ { |
311 |
+ pwtest_add(pwtest_loop_destroy2, PWTEST_NOARG); |
312 |
+ pwtest_add(pwtest_loop_recurse1, PWTEST_NOARG); |
313 |
+ pwtest_add(pwtest_loop_recurse2, PWTEST_NOARG); |
314 |
++ pwtest_add(thread_loop_destroy_between_poll_and_lock, PWTEST_NOARG); |
315 |
+ |
316 |
+ return PWTEST_PASS; |
317 |
+ } |
318 |
+-- |
319 |
+GitLab |
320 |
+ |
321 |
|
322 |
diff --git a/media-video/pipewire/pipewire-0.3.47.ebuild b/media-video/pipewire/pipewire-0.3.47-r1.ebuild |
323 |
similarity index 98% |
324 |
rename from media-video/pipewire/pipewire-0.3.47.ebuild |
325 |
rename to media-video/pipewire/pipewire-0.3.47-r1.ebuild |
326 |
index 1539b089dfa2..25c024b05e01 100644 |
327 |
--- a/media-video/pipewire/pipewire-0.3.47.ebuild |
328 |
+++ b/media-video/pipewire/pipewire-0.3.47-r1.ebuild |
329 |
@@ -123,6 +123,9 @@ DOCS=( {README,INSTALL}.md NEWS ) |
330 |
|
331 |
PATCHES=( |
332 |
"${FILESDIR}"/${PN}-0.3.25-enable-failed-mlock-warning.patch |
333 |
+ |
334 |
+ "${FILESDIR}"/${P}-revert-loop-remove-destroy-list-mpd.patch |
335 |
+ "${FILESDIR}"/${P}-pulse-server-pending-sample-reply-crash.patch |
336 |
) |
337 |
|
338 |
# limitsdfile related code taken from =sys-auth/realtime-base-0.1 |