From 5e91587302e85fd6f0e8d5ffbe30182e18c6913f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Michel=20D=C3=A4nzer?= Date: Tue, 17 Mar 2020 11:45:22 +0100 Subject: [PATCH] xwayland: Delete all frame_callback_list nodes in xwl_unrealize_window We were only calling xwl_present_unrealize_window for the toplevel window, but the list can contain entries from child windows as well, in which case we were leaving dangling pointers to freed memory. Closes: https://gitlab.freedesktop.org/xorg/xserver/issues/1000 Fixes: c5067feaeea1 "xwayland: Use single frame callback for Present flips and normal updates" Reviewed-by: Olivier Fourdan Tested-by: Olivier Fourdan --- hw/xwayland/xwayland-present.c | 8 +------- hw/xwayland/xwayland-present.h | 2 +- hw/xwayland/xwayland-window.c | 11 +++++++++-- 3 files changed, 11 insertions(+), 10 deletions(-) diff --git a/hw/xwayland/xwayland-present.c b/hw/xwayland/xwayland-present.c index 09fa66a6a..d8ba7b1b3 100644 --- a/hw/xwayland/xwayland-present.c +++ b/hw/xwayland/xwayland-present.c @@ -524,14 +524,8 @@ xwl_present_flips_stop(WindowPtr window) } void -xwl_present_unrealize_window(WindowPtr window) +xwl_present_unrealize_window(struct xwl_present_window *xwl_present_window) { - struct xwl_present_window *xwl_present_window = xwl_present_window_priv(window); - - if (!xwl_present_window || - xorg_list_is_empty(&xwl_present_window->frame_callback_list)) - return; - /* The pending frame callback may never be called, so drop it and shorten * the frame timer interval. */ diff --git a/hw/xwayland/xwayland-present.h b/hw/xwayland/xwayland-present.h index e16357824..d29430205 100644 --- a/hw/xwayland/xwayland-present.h +++ b/hw/xwayland/xwayland-present.h 
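Review bot: The rewritten xwl_present_unrealize_window() drops both the NULL check and the empty-list check, so it now unconditionally trusts that its argument is a live node of some xwl_window's frame_callback_list; that precondition has moved to the caller but is not stated anywhere in the hunk. Since the body continues outside the hunk and presumably dereferences the struct and unlinks it, a one-line contract comment above the definition would keep the next caller from passing an arbitrary present-private, e.g. `/* Precondition: xwl_present_window is non-NULL and currently linked on an xwl_window's frame_callback_list; callers iterate that list rather than passing a WindowPtr. */`. The name still says "_window" although the parameter is no longer a WindowPtr, which is worth a short note in the same comment if a rename is not wanted.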
@@ -67,7 +67,7 @@ struct xwl_present_event { void xwl_present_frame_callback(struct xwl_present_window *xwl_present_window); Bool xwl_present_init(ScreenPtr screen); void xwl_present_cleanup(WindowPtr window); -void xwl_present_unrealize_window(WindowPtr window); +void xwl_present_unrealize_window(struct xwl_present_window *xwl_present_window); #endif /* GLAMOR_HAS_GBM */ diff --git a/hw/xwayland/xwayland-window.c b/hw/xwayland/xwayland-window.c index 09c854134..7c5cfb015 100644 --- a/hw/xwayland/xwayland-window.c +++ b/hw/xwayland/xwayland-window.c @@ -607,8 +607,15 @@ xwl_unrealize_window(WindowPtr window) wl_callback_destroy(xwl_window->frame_callback); #ifdef GLAMOR_HAS_GBM - if (xwl_screen->present) - xwl_present_unrealize_window(window); + if (xwl_screen->present) { + struct xwl_present_window *xwl_present_window, *tmp; + + xorg_list_for_each_entry_safe(xwl_present_window, tmp, + &xwl_window->frame_callback_list, + frame_callback_list) { + xwl_present_unrealize_window(xwl_present_window); + } + } #endif free(xwl_window);
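Review bot: The new loop in xwl_unrealize_window() relies on xwl_present_unrealize_window() unlinking each entry from xwl_window->frame_callback_list before `free(xwl_window)` a few lines later; any node left linked would keep list pointers into the freed struct, which is the same dangling-pointer class this commit fixes for child windows. The unlink happens in the callee, outside this hunk, so it cannot be confirmed here; making the invariant explicit right before the free, e.g. `assert(xorg_list_is_empty(&xwl_window->frame_callback_list));` (if assert is acceptable in this file) would turn a regression into a loud failure instead of a silent use-after-free. Note also that xorg_list_for_each_entry_safe only tolerates removal of the current entry, not of the saved `tmp` neighbour; if the callee can ever drop other list nodes (for instance by running a frame-callback completion), a `while (!xorg_list_is_empty(&xwl_window->frame_callback_list))` loop over xorg_list_first_entry() would be the safer shape. xwl_unrealize_window() itself starts before the hunk.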