From b0918b1058a704675fc2590ee9ff3bef6324f734 Mon Sep 17 00:00:00 2001
From: Dominique Martinet <asmadeus@codewreck.org>
Date: Wed, 4 Jul 2018 14:45:35 +0900
Subject: [PATCH] ipc-server: add display destroy listener and remove
 ipc_terminate

wl_event_source_remove() is illegal after display has been destroyed,
so just destroy everything when we still can.

==20392==ERROR: AddressSanitizer: heap-use-after-free on address 0x607000001240 at pc 0x00000048e86e bp 0x7ffe4b557e00 sp 0x7ffe4b557df0
READ of size 8 at 0x607000001240 thread T0
    #0 0x48e86d in wl_list_insert ../common/list.c:149
    #1 0x7fdf673d4d7d in wl_event_source_remove src/event-loop.c:487
    #2 0x41b742 in ipc_terminate ../sway/ipc-server.c:94
    #3 0x40b1ad in main ../sway/main.c:440
    #4 0x7fdf6664c18a in __libc_start_main ../csu/libc-start.c:308
    #5 0x409359 in _start (/opt/wayland/bin/sway+0x409359)

0x607000001240 is located 48 bytes inside of 72-byte region [0x607000001210,0x607000001258)
freed by thread T0 here:
    #0 0x7fdf692c4880 in __interceptor_free (/lib64/libasan.so.5+0xee880)
    #1 0x7fdf673d371a in wl_display_destroy src/wayland-server.c:1097

previously allocated by thread T0 here:
    #0 0x7fdf692c4c48 in malloc (/lib64/libasan.so.5+0xeec48)
    #1 0x7fdf673d4d9e in wl_event_loop_create src/event-loop.c:522
    #2 0x40acb2 in main ../sway/main.c:363
    #3 0x7fdf6664c18a in __libc_start_main ../csu/libc-start.c:308
---
 include/sway/ipc-server.h |  2 --
 sway/ipc-server.c         | 34 ++++++++++++++++++++--------------
 sway/main.c               |  2 --
 3 files changed, 20 insertions(+), 18 deletions(-)

diff --git a/include/sway/ipc-server.h b/include/sway/ipc-server.h
index dd16a175e..026b55541 100644
--- a/include/sway/ipc-server.h
+++ b/include/sway/ipc-server.h
@@ -9,8 +9,6 @@ struct sway_server;
 
 void ipc_init(struct sway_server *server);
 
-void ipc_terminate(void);
-
 struct sockaddr_un *ipc_user_sockaddr(void);
 
 void ipc_event_workspace(struct sway_container *old,
diff --git a/sway/ipc-server.c b/sway/ipc-server.c
index 3e510c2e1..abc2d7cba 100644
--- a/sway/ipc-server.c
+++ b/sway/ipc-server.c
@@ -31,6 +31,7 @@ static int ipc_socket = -1;
 static struct wl_event_source *ipc_event_source =  NULL;
 static struct sockaddr_un *ipc_sockaddr = NULL;
 static list_t *ipc_client_list = NULL;
+static struct wl_listener ipc_display_destroy;
 
 static const char ipc_magic[] = {'i', '3', '-', 'i', 'p', 'c'};
 
@@ -56,6 +57,22 @@ void ipc_client_disconnect(struct ipc_client *client);
 void ipc_client_handle_command(struct ipc_client *client);
 bool ipc_send_reply(struct ipc_client *client, const char *payload, uint32_t payload_length);
 
+static void handle_display_destroy(struct wl_listener *listener, void *data) {
+	if (ipc_event_source) {
+		wl_event_source_remove(ipc_event_source);
+	}
+	close(ipc_socket);
+	unlink(ipc_sockaddr->sun_path);
+
+	list_free(ipc_client_list);
+
+	if (ipc_sockaddr) {
+		free(ipc_sockaddr);
+	}
+
+	wl_list_remove(&ipc_display_destroy.link);
+}
+
 void ipc_init(struct sway_server *server) {
 	ipc_socket = socket(AF_UNIX, SOCK_STREAM | SOCK_NONBLOCK | SOCK_CLOEXEC, 0);
 	if (ipc_socket == -1) {
@@ -85,24 +102,13 @@ void ipc_init(struct sway_server *server) {
 
 	ipc_client_list = create_list();
 
+	ipc_display_destroy.notify = handle_display_destroy;
+	wl_display_add_destroy_listener(server->wl_display, &ipc_display_destroy);
+
 	ipc_event_source = wl_event_loop_add_fd(server->wl_event_loop, ipc_socket,
 			WL_EVENT_READABLE, ipc_handle_connection, server);
 }
 
-void ipc_terminate(void) {
-	if (ipc_event_source) {
-		wl_event_source_remove(ipc_event_source);
-	}
-	close(ipc_socket);
-	unlink(ipc_sockaddr->sun_path);
-
-	list_free(ipc_client_list);
-
-	if (ipc_sockaddr) {
-		free(ipc_sockaddr);
-	}
-}
-
 struct sockaddr_un *ipc_user_sockaddr(void) {
 	struct sockaddr_un *ipc_sockaddr = malloc(sizeof(struct sockaddr_un));
 	if (ipc_sockaddr == NULL) {
diff --git a/sway/main.c b/sway/main.c
index 8b0b8612e..96e41bbcb 100644
--- a/sway/main.c
+++ b/sway/main.c
@@ -437,8 +437,6 @@ int main(int argc, char **argv) {
 
 	server_fini(&server);
 
-	ipc_terminate();
-
 	if (config) {
 		free_config(config);
 	}