e_devicemgr: Prevent accessing user_data's member variable after wl_resource_destroy

This patch fixes the following segfault on E20.
Since wl_resource_destroy() triggers freeing the user_data, do not access user_data
after calling wl_resource_destory().

1  (anonymous namespace)::sigSegvHandler (sig=11, info=0xfff0fe10, ucontext=0xfff0fe90) at /usr/src/debug/glibc-2.30-3.14.arm/gwp_asan/segv_handler_posix.cpp:195
2  <signal handler called> ()
3  _e_devicemgr_wl_device_cb_seat_destroy (l=0xf54cb01c, data=<optimized out>) at /usr/src/debug/enlightenment-0.20.0-tz9_34.0.2.arm/src/bin/server/e_devicemgr_wl.c:113
4  wl_priv_signal_final_emit (signal=signal@entry=0x29258f8, data=data@entry=0x29258c8) at /usr/src/debug/wayland-1.22.0-0.arm/builddir/../src/wayland-server.c:2714
5  remove_and_destroy_resource (element=0x29258c8, data=<optimized out>, flags=0) at /usr/src/debug/wayland-1.22.0-0.arm/builddir/../src/wayland-server.c:940
6  for_each_helper (func=func@entry=0xf6e63b31 <remove_and_destroy_resource>, data=data@entry=0x0, entries=<optimized out>, entries=<optimized out>) at /usr/src/debug/wayland-1.22.0-0.arm/builddir/../src/wayland-util.c:444
7  wl_map_for_each (map=map@entry=0x2cb8a28, func=0xf6e63b31 <remove_and_destroy_resource>, data=data@entry=0x0) at /usr/src/debug/wayland-1.22.0-0.arm/builddir/../src/wayland-util.c:458
8  wl_client_destroy (client=0x2cb8a10) at /usr/src/debug/wayland-1.22.0-0.arm/builddir/../src/wayland-server.c:1181

Change-Id: I7ed7230827d494c6fa7487e17074d5d429657557

diff --git a/src/bin/server/e_devicemgr_wl.c b/src/bin/server/e_devicemgr_wl.c
index 4e361f2fce0b196a150d5838397120526177c5bf..00c2340a0e95128301e60429c9ed5ae7165d296a 100644 (file)
--- a/src/bin/server/e_devicemgr_wl.c
+++ b/src/bin/server/e_devicemgr_wl.c
@@ -94,12 +94,15 @@ _e_devicemgr_wl_device_cb_seat_destroy(struct wl_listener *l, void *data)
 {
    struct wl_resource *seat_resource = (struct wl_resource *)data;
    E_Tizen_Devicemgr_User_Data *device_user_data;
+   struct wl_resource *temp = NULL;
 
    DMDBG("Listener(%p) called: seat_resource: %p destroyed", l, seat_resource);
 
    device_user_data = container_of(l, E_Tizen_Devicemgr_User_Data,
                       seat_destroy_listener);
-   if (!device_user_data) return;
+
+   if (seat_resource != device_user_data->seat_res) return;
+   device_user_data->seat_res = NULL;
 
    if (device_user_data->seat_destroy_listener.notify)
      {
@@ -109,11 +112,10 @@ _e_devicemgr_wl_device_cb_seat_destroy(struct wl_listener *l, void *data)
    if (device_user_data->resource)
      {
         DMDBG("Destroy device resource. (res: %u)", wl_resource_get_id(device_user_data->resource));
-        wl_resource_destroy(device_user_data->resource);
+        temp = device_user_data->resource;
         device_user_data->resource = NULL;
+        wl_resource_destroy(temp);
      }
-
-   device_user_data->seat_res = NULL;
 }
 
 static void
@@ -121,12 +123,15 @@ _e_devicemgr_wl_device_cb_manager_destroy(struct wl_listener *l, void *data)
 {
    struct wl_resource *mgr_resource = (struct wl_resource *)data;
    E_Tizen_Devicemgr_User_Data *device_user_data;
+   struct wl_resource *temp = NULL;
 
    DMDBG("Listener(%p) called: mgr_resource: %p destroyed", l, mgr_resource);
 
    device_user_data = container_of(l, E_Tizen_Devicemgr_User_Data,
                       manager_destroy_listener);
-   if (!device_user_data) return;
+
+   if (mgr_resource != device_user_data->mgr_res) return;
+   device_user_data->mgr_res = NULL;
 
    if (device_user_data->manager_destroy_listener.notify)
      {
@@ -136,11 +141,10 @@ _e_devicemgr_wl_device_cb_manager_destroy(struct wl_listener *l, void *data)
    if (device_user_data->resource)
      {
         DMDBG("Destroy device resource. (res: %u)", wl_resource_get_id(device_user_data->resource));
-        wl_resource_destroy(device_user_data->resource);
+        temp = device_user_data->resource;
         device_user_data->resource = NULL;
+        wl_resource_destroy(temp);
      }
-
-   device_user_data->mgr_res = NULL;
 }
 
 static void