From 102764b683df8932404c2a8f98061120a51b32b0 Mon Sep 17 00:00:00 2001
From: Michel Dänzer
Date: Mon, 14 Mar 2022 17:02:02 +0100
Subject: [PATCH] xwayland: Clear timer_armed in xwl_present_unrealize_window

Without this, xwl_present_reset_timer would call xwl_present_timer_callback if the timer was originally armed over a second ago. xwl_present_timer_callback would call xwl_present_msc_bump, which could end up hooking up the window to xwl_window->frame_callback_list again. This would lead to use-after-free in xwl_present_cleanup:

Invalid write of size 8
   at 0x42B65C: __xorg_list_del (list.h:183)
   by 0x42B693: xorg_list_del (list.h:204)
   by 0x42C041: xwl_present_cleanup (xwayland-present.c:354)
   by 0x423669: xwl_destroy_window (xwayland-window.c:770)
   by 0x4FDDC5: compDestroyWindow (compwindow.c:620)
   by 0x5233FB: damageDestroyWindow (damage.c:1590)
   by 0x501C5F: DbeDestroyWindow (dbe.c:1326)
   by 0x4EF35B: FreeWindowResources (window.c:1018)
   by 0x4EF687: DeleteWindow (window.c:1086)
   by 0x4E24B3: doFreeResource (resource.c:885)
   by 0x4E2ED7: FreeClientResources (resource.c:1151)
   by 0x4ACBA4: CloseDownClient (dispatch.c:3546)
 Address 0x12f44980 is 144 bytes inside a block of size 160 free'd
   at 0x48470E4: free (vg_replace_malloc.c:872)
   by 0x423115: xwl_unrealize_window (xwayland-window.c:621)
   by 0x4FCDD8: compUnrealizeWindow (compwindow.c:292)
   by 0x4F3F5C: UnrealizeTree (window.c:2805)
   by 0x4F424B: UnmapWindow (window.c:2863)
   by 0x4EF58C: DeleteWindow (window.c:1075)
   by 0x4E24B3: doFreeResource (resource.c:885)
   by 0x4E2ED7: FreeClientResources (resource.c:1151)
   by 0x4ACBA4: CloseDownClient (dispatch.c:3546)
   by 0x5E27EE: ClientReady (connection.c:599)
   by 0x5E6CB7: ospoll_wait (ospoll.c:657)
   by 0x5DE6CD: WaitForSomething (WaitFor.c:208)
 Block was alloc'd at
   at 0x4849464: calloc (vg_replace_malloc.c:1328)
   by 0x4229CE: ensure_surface_for_window (xwayland-window.c:439)
   by 0x4231E8: xwl_window_set_window_pixmap (xwayland-window.c:647)
   by 0x5232D6: damageSetWindowPixmap (damage.c:1565)
   by 0x4FC7BC: compSetPixmapVisitWindow
(compwindow.c:129) by 0x4EDB3F: TraverseTree (window.c:441) by 0x4FC851: compSetPixmap (compwindow.c:151) by 0x4F8C1A: compAllocPixmap (compalloc.c:616) by 0x4FC938: compCheckRedirect (compwindow.c:174) by 0x4FCD1D: compRealizeWindow (compwindow.c:274) by 0x4F36EC: RealizeTree (window.c:2606) by 0x4F39F5: MapWindow (window.c:2683) Fixes: 288ec0e046c4 ("xwayland/present: Run fallback timer callback after more than a second") Tested-by: Olivier Fourdan Reviewed-by: Olivier Fourdan --- hw/xwayland/xwayland-present.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/hw/xwayland/xwayland-present.c b/hw/xwayland/xwayland-present.c index ed497832c..d727f8419 100644 --- a/hw/xwayland/xwayland-present.c +++ b/hw/xwayland/xwayland-present.c @@ -942,6 +942,9 @@ xwl_present_unrealize_window(struct xwl_present_window *xwl_present_window) * the frame timer interval. */ xorg_list_del(&xwl_present_window->frame_callback_list); + + /* Make sure the timer callback doesn't get called */ + xwl_present_window->timer_armed = 0; xwl_present_reset_timer(xwl_present_window); }
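Review bot: The new comment above `xwl_present_window->timer_armed = 0;` should say why the callback must not run here, since the correctness of the fix depends on ordering that is not obvious from the hunk alone: `xwl_present_timer_callback` goes through `xwl_present_msc_bump`, which can re-link the window into `xwl_window->frame_callback_list` right after the `xorg_list_del(&xwl_present_window->frame_callback_list)` two lines above, and the later `xorg_list_del` in `xwl_present_cleanup` then writes into the freed `xwl_window` (the valgrind trace in the commit message). Something like `/* Clear timer_armed before xwl_present_reset_timer, which would otherwise fire the callback and re-add us to frame_callback_list after the list_del above */` would let a future reader keep the assignment in front of the `xwl_present_reset_timer(xwl_present_window);` call. Also worth confirming in the description that, with `timer_armed` cleared, `xwl_present_reset_timer` still tears down the underlying timer rather than only skipping the callback, since the window is being unrealized here and nothing else in this hunk cancels it.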