This fixes a case where pa__done() is called while AVAHI_MESSAGE_PUBLISH_ALL is waiting for processing. The pa_asyncmsgq_wait_for(AVAHI_MESSAGE_SHUTDOWN_COMPLETE) call will process all pending messages, and processing AVAHI_MESSAGE_PUBLISH_ALL causes publish_all_services(), and that in turn accesses u->services, which has been already freed at this point. If we are shutting down, we shouldn't react to any of the messages that the Avahi thread is sending to the main thread. BugLink: https://bugs.freedesktop.org/show_bug.cgi?id=76184 --- src/modules/module-zeroconf-publish.c | 15 ++++++++++----- 1 file changed, 10 insertions(+), 5 deletions(-) diff --git a/src/modules/module-zeroconf-publish.c b/src/modules/module-zeroconf-publish.c index 35277c2..db92850 100644 --- a/src/modules/module-zeroconf-publish.c +++ b/src/modules/module-zeroconf-publish.c @@ -141,6 +141,8 @@ struct userdata { pa_hook_slot *sink_new_slot, *source_new_slot, *sink_unlink_slot, *source_unlink_slot, *sink_changed_slot, *source_changed_slot; pa_native_protocol *native; + + bool shutting_down; }; /* Runs in PA mainloop context */ @@ -638,6 +640,11 @@ static void unpublish_all_services(struct userdata *u, bool rem) { static int avahi_process_msg(pa_msgobject *o, int code, void *data, int64_t offset, pa_memchunk *chunk) { struct userdata *u = (struct userdata *) data; + pa_assert(u); + + if (u->shutting_down) + return 0; + switch (code) { case AVAHI_MESSAGE_PUBLISH_ALL: publish_all_services(u); @@ -647,10 +654,6 @@ static int avahi_process_msg(pa_msgobject *o, int code, void *data, int64_t offs pa_module_unload(u->core, u->module, true); break; - case AVAHI_MESSAGE_SHUTDOWN_COMPLETE: - /* pa__done() is waiting for this */ - break; - default: pa_assert_not_reached(); } @@ -797,7 +800,7 @@ static void client_free(pa_mainloop_api *api PA_GCC_UNUSED, void *userdata) { if (u->avahi_poll) pa_avahi_poll_free(u->avahi_poll); - pa_asyncmsgq_post(u->thread_mq.outq, PA_MSGOBJECT(u->msg), AVAHI_MESSAGE_SHUTDOWN_COMPLETE, NULL, 0, NULL, NULL); + pa_asyncmsgq_post(u->thread_mq.outq, PA_MSGOBJECT(u->msg), AVAHI_MESSAGE_SHUTDOWN_COMPLETE, u, 0, NULL, NULL); } void pa__done(pa_module*m) { @@ -807,6 +810,8 @@ void pa__done(pa_module*m) { if (!(u = m->userdata)) return; + u->shutting_down = true; + pa_threaded_mainloop_lock(u->mainloop); pa_mainloop_api_once(u->api, client_free, u); pa_threaded_mainloop_unlock(u->mainloop); -- 1.8.3.1