From 9617de733becb04f547191570978dcbc449bb11e Mon Sep 17 00:00:00 2001
From: Olivier Fourdan
Date: Tue, 10 Oct 2023 17:37:37 +0200
Subject: [PATCH] xwayland: Cancel the EI disconnect timer when freed

Xwayland maintains a connection to EI up for 10 minutes after an X11 client has vanished, to avoid going through the connection phase every time a short-lived X11 client comes and goes.

However, if the EI client gets freed (through some other event, e.g. the user decides to terminate the EI session), Xwayland would still keep the callback alive and end up trying to free an already freed EI client:

  Invalid read of size 4
     at 0x4C5E6F9: object_unref (util-object.h:89)
     by 0x4C5E6F9: ei_unref (libei.c:77)
     by 0x429525: free_ei (xwayland-xtest.c:224)
     by 0x429A6E: disconnect_timer_cb (xwayland-xtest.c:404)
     by 0x5E63FF: DoTimer (WaitFor.c:276)
     by 0x5E6463: DoTimers (WaitFor.c:290)
     by 0x5E6164: check_timers (WaitFor.c:133)
     by 0x5E61E9: WaitForSomething (WaitFor.c:195)
     by 0x4AD50E: Dispatch (dispatch.c:487)
     by 0x4BBA0B: dix_main (main.c:272)
     by 0x43615D: main (stubmain.c:34)
   Address 0x15cc6ee8 is 8 bytes inside a block of size 240 free'd
     at 0x48452AC: free (vg_replace_malloc.c:974)
     by 0x4C5E729: object_destroy (util-object.h:73)
     by 0x4C5E729: object_unref (util-object.h:91)
     by 0x4C5E729: ei_unref (libei.c:77)
     by 0x429525: free_ei (xwayland-xtest.c:224)
     by 0x42A946: xwl_handle_ei_event (xwayland-xtest.c:804)
     by 0x5EA977: HandleNotifyFd (connection.c:809)
     by 0x5EE8E3: ospoll_wait (ospoll.c:657)
     by 0x5E624D: WaitForSomething (WaitFor.c:208)
     by 0x4AD50E: Dispatch (dispatch.c:487)
     by 0x4BBA0B: dix_main (main.c:272)
     by 0x43615D: main (stubmain.c:34)
   Block was alloc'd at
     at 0x484782C: calloc (vg_replace_malloc.c:1554)
     by 0x4C5E777: ei_create (libei.c:73)
     by 0x4C5E777: ei_create_context (libei.c:97)
     by 0x42994B: setup_ei (xwayland-xtest.c:366)
     by 0x42A383: xwayland_xtest_send_events (xwayland-xtest.c:658)
     by 0x54ED4C: ProcXTestFakeInput (xtest.c:441)
     by 0x54EE56: ProcXTestDispatch (xtest.c:475)
     by 0x4AD6E6: Dispatch (dispatch.c:546)
     by 0x4BBA0B: dix_main (main.c:272)
     by 0x43615D: main (stubmain.c:34)

To avoid that issue, make sure to cancel the timer as soon as an EI client is freed.

Signed-off-by: Olivier Fourdan
Reviewed-by: Peter Hutterer
See-also: https://bugzilla.redhat.com/2243076
---
 hw/xwayland/xwayland-xtest.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/hw/xwayland/xwayland-xtest.c b/hw/xwayland/xwayland-xtest.c
index 69686daab..b5eef57e6 100644
--- a/hw/xwayland/xwayland-xtest.c
+++ b/hw/xwayland/xwayland-xtest.c
@@ -200,6 +200,7 @@ free_ei(struct xwl_ei_client *xwl_ei_client) struct xwl_abs_device *abs, *tmp; ClientPtr client = xwl_ei_client->client; + TimerCancel(xwl_ei_client->disconnect_timer); xorg_list_del(&xwl_ei_client->link); debug_ei("Removing EI fd=%d\n", xwl_ei_client->ei_fd);
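Review bot: the added `TimerCancel(xwl_ei_client->disconnect_timer);` at the top of free_ei() cancels the timer but neither clears the field nor releases the timer, and the two callers visible in the trace reach free_ei() in different states: disconnect_timer_cb() cancels the timer from inside its own callback, and xwl_handle_ei_event() may free a client whose timer was never armed, so the one-liner is correct only if TimerCancel() tolerates both a currently-firing timer and a NULL pointer; worth confirming in the commit message or a comment. If the timer is not re-armed after free_ei(), TimerFree() would release the OsTimerRec as well as cancelling it, rather than leaving it allocated with a dangling reference to the freed client. A short comment stating that the cancel must precede the free (the use-after-free described above) would help the next reader understand why this line sits before xorg_list_del().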
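The bug class the commit message describes (an object freed while a timer still holds a pointer to it, so the timer callback later runs on freed memory) can be modelled in a few dozen lines. The following is an added example, not Xwayland or X server code: it uses a hypothetical fixed-size timer registry in place of the X server's OsTimer list, a hypothetical `struct ei_client` in place of `xwl_ei_client`, and a `stale_timer_refs()` check that a maintainer could use as a debug assertion in free paths. The scenario functions reproduce both paths from the trace: the client freed by an unrelated event before its deadline, and the timer itself freeing the client.

```c
/* Added example (not Xwayland code): a minimal model of the lifetime bug fixed by
 * the patch above. An object arms a one-shot "disconnect" timer; if the object is
 * freed by some other path first, the timer must be cancelled, or the callback later
 * dereferences freed memory. All names here are hypothetical stand-ins. */
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>

#define MAX_TIMERS 8

struct ei_client;                              /* stand-in for xwl_ei_client */
typedef void (*timer_cb)(struct ei_client *);

/* Tiny timer registry standing in for the X server's OsTimer list. */
struct timer {
    bool active;
    unsigned long expires;                     /* milliseconds, constructed clock */
    timer_cb cb;
    struct ei_client *arg;
};

static struct timer timers[MAX_TIMERS];
static int callbacks_run;                      /* how many timer callbacks fired */

struct ei_client {
    int fd;
    struct timer *disconnect_timer;            /* owned handle, NULL when not armed */
    int *freed_flag;                           /* test hook: set when this object is freed */
};

static struct timer *timer_set(unsigned long expires, timer_cb cb, struct ei_client *arg)
{
    for (int i = 0; i < MAX_TIMERS; i++) {
        if (!timers[i].active) {
            timers[i] = (struct timer){ .active = true, .expires = expires, .cb = cb, .arg = arg };
            return &timers[i];
        }
    }
    return NULL;
}

/* Tolerates NULL so callers need not know whether the timer was ever armed. */
static void timer_cancel(struct timer *t)
{
    if (t)
        t->active = false;
}

/* Debug invariant: number of live timers that still point at this client.
 * Must be 0 by the time the memory is released. */
static int stale_timer_refs(const struct ei_client *c)
{
    int n = 0;
    for (int i = 0; i < MAX_TIMERS; i++)
        if (timers[i].active && timers[i].arg == c)
            n++;
    return n;
}

/* Fire every due timer. One-shot: mark inactive before calling back. */
static int run_timers(unsigned long now)
{
    int fired = 0;
    for (int i = 0; i < MAX_TIMERS; i++) {
        if (timers[i].active && timers[i].expires <= now) {
            timers[i].active = false;
            timers[i].cb(timers[i].arg);
            fired++;
        }
    }
    return fired;
}

static void free_ei(struct ei_client *c)
{
    timer_cancel(c->disconnect_timer);         /* the fix: drop the timer before the memory goes away */
    c->disconnect_timer = NULL;
    if (stale_timer_refs(c) != 0)              /* would indicate the invariant is broken */
        abort();
    if (c->freed_flag)
        *c->freed_flag = 1;
    free(c);
}

static void disconnect_timer_cb(struct ei_client *c)
{
    callbacks_run++;
    free_ei(c);                                /* same shape as the trace: the timer path frees the client */
}

static struct ei_client *new_client(int *freed_flag)
{
    memset(timers, 0, sizeof timers);
    callbacks_run = 0;
    struct ei_client *c = calloc(1, sizeof *c);
    c->fd = 42;                                /* constructed value */
    c->freed_flag = freed_flag;
    c->disconnect_timer = timer_set(600000, disconnect_timer_cb, c);   /* 10 minutes */
    return c;
}

/* Client freed by an unrelated event, then the clock passes the deadline.
 * Returns the number of callbacks that ran; the correct answer is 0. */
static int scenario_free_before_timer(void)
{
    int freed = 0;
    struct ei_client *c = new_client(&freed);
    free_ei(c);                                /* the "other event" path */
    run_timers(600001);                        /* must not touch c */
    return freed ? callbacks_run : -1;
}

/* No competing free: the timer expires and frees the client exactly once. */
static int scenario_timer_fires(void)
{
    int freed = 0;
    new_client(&freed);
    run_timers(599999);                        /* not yet due */
    run_timers(600000);                        /* due: callback frees the client */
    run_timers(700000);                        /* one-shot: nothing left to fire */
    return freed ? callbacks_run : -1;
}
```

Run either scenario under a memory checker to see the difference the cancel makes: with the `timer_cancel` line removed from `free_ei`, the first scenario reads freed memory exactly as the valgrind report above shows, while with it in place both scenarios complete cleanly.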