From 08b22c7faf97217ea4d497eec6624fc3dd916d9b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Old=C5=99ich=20Jedli=C4=8Dka?= <oldium.pro@seznam.cz>
Date: Sun, 17 Jan 2010 17:59:03 +0100
Subject: [PATCH] Allow driver to call DeleteInputDeviceRequest during UnInit
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

When the input driver (like xf86-input-wacom) removes it's devices
during a call to UnInit, the CloseDownDevices() cannot handle it. The
"next" variable can become a pointer to freed memory.

The patch introduces order-independent device freeing mechanism by
remembering the already freed device ids. The devices can reorder any
time during freeing. No device will be double-freed - if the removing
failed for any reason; some implementations of DeleteInputDeviceRequest
don't free the devices already.

Signed-off-by: Oldřich Jedlička <oldium.pro@seznam.cz>
Reviewed-by: Simon Thum <simon.thum@gmx.de>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
---
 dix/devices.c | 44 +++++++++++++++++++++++++++++++++-----------
 1 file changed, 33 insertions(+), 11 deletions(-)

diff --git a/dix/devices.c b/dix/devices.c
index 92b95ed69..b002150d0 100644
--- a/dix/devices.c
+++ b/dix/devices.c
@@ -876,6 +876,36 @@ CloseDevice(DeviceIntPtr dev)
     xfree(dev);
 }
 
+/**
+ * Shut down all devices of one list and free all resources.
+ */
+static
+void
+CloseDeviceList(DeviceIntPtr *listHead)
+{
+    /* Used to mark devices that we tried to free */
+    Bool freedIds[MAXDEVICES];
+    DeviceIntPtr dev;
+    int i;
+
+    if (listHead == NULL)
+        return;
+
+    for (i = 0; i < MAXDEVICES; i++)
+        freedIds[i] = FALSE;
+
+    dev = *listHead;
+    while (dev != NULL)
+    {
+        freedIds[dev->id] = TRUE;
+        DeleteInputDeviceRequest(dev);
+
+        dev = *listHead;
+        while (dev != NULL && freedIds[dev->id])
+            dev = dev->next;
+    }
+}
+
 /**
  * Shut down all devices, free all resources, etc.
  * Only useful if you're shutting down the server!
@@ -883,7 +913,7 @@ CloseDevice(DeviceIntPtr dev)
 void
 CloseDownDevices(void)
 {
-    DeviceIntPtr dev, next;
+    DeviceIntPtr dev;
 
     /* Float all SDs before closing them. Note that at this point resources
      * (e.g. cursors) have been freed already, so we can't just call
@@ -896,16 +926,8 @@ CloseDownDevices(void)
             dev->u.master = NULL;
     }
 
-    for (dev = inputInfo.devices; dev; dev = next)
-    {
-	next = dev->next;
-        DeleteInputDeviceRequest(dev);
-    }
-    for (dev = inputInfo.off_devices; dev; dev = next)
-    {
-	next = dev->next;
-        DeleteInputDeviceRequest(dev);
-    }
+    CloseDeviceList(&inputInfo.devices);
+    CloseDeviceList(&inputInfo.off_devices);
 
     CloseDevice(inputInfo.pointer);
     CloseDevice(inputInfo.keyboard);