xwayland: Cancel the EI disconnect timer when freed

Xwayland maintains a connection to EI up for 10 minutes after an X11
client has vanished, to avoid going through the connection phase every
time a short-lived X11 client comes and goes.

However, if the EI client gets freed (through some other event, e.g. the
user decides to terminate the EI session), Xwayland would still keep the
callback alive and end up trying to free an already freed EI client:

 Invalid read of size 4
    at 0x4C5E6F9: object_unref (util-object.h:89)
    by 0x4C5E6F9: ei_unref (libei.c:77)
    by 0x429525: free_ei (xwayland-xtest.c:224)
    by 0x429A6E: disconnect_timer_cb (xwayland-xtest.c:404)
    by 0x5E63FF: DoTimer (WaitFor.c:276)
    by 0x5E6463: DoTimers (WaitFor.c:290)
    by 0x5E6164: check_timers (WaitFor.c:133)
    by 0x5E61E9: WaitForSomething (WaitFor.c:195)
    by 0x4AD50E: Dispatch (dispatch.c:487)
    by 0x4BBA0B: dix_main (main.c:272)
    by 0x43615D: main (stubmain.c:34)
  Address 0x15cc6ee8 is 8 bytes inside a block of size 240 free'd
    at 0x48452AC: free (vg_replace_malloc.c:974)
    by 0x4C5E729: object_destroy (util-object.h:73)
    by 0x4C5E729: object_unref (util-object.h:91)
    by 0x4C5E729: ei_unref (libei.c:77)
    by 0x429525: free_ei (xwayland-xtest.c:224)
    by 0x42A946: xwl_handle_ei_event (xwayland-xtest.c:804)
    by 0x5EA977: HandleNotifyFd (connection.c:809)
    by 0x5EE8E3: ospoll_wait (ospoll.c:657)
    by 0x5E624D: WaitForSomething (WaitFor.c:208)
    by 0x4AD50E: Dispatch (dispatch.c:487)
    by 0x4BBA0B: dix_main (main.c:272)
    by 0x43615D: main (stubmain.c:34)
  Block was alloc'd at
    at 0x484782C: calloc (vg_replace_malloc.c:1554)
    by 0x4C5E777: ei_create (libei.c:73)
    by 0x4C5E777: ei_create_context (libei.c:97)
    by 0x42994B: setup_ei (xwayland-xtest.c:366)
    by 0x42A383: xwayland_xtest_send_events (xwayland-xtest.c:658)
    by 0x54ED4C: ProcXTestFakeInput (xtest.c:441)
    by 0x54EE56: ProcXTestDispatch (xtest.c:475)
    by 0x4AD6E6: Dispatch (dispatch.c:546)
    by 0x4BBA0B: dix_main (main.c:272)
    by 0x43615D: main (stubmain.c:34)

To avoid that issue, make sure to cancel the timer as soon as an EI
client is freed.

Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
See-also: https://bugzilla.redhat.com/2243076
Olivier Fourdan 2023-10-10 17:37:37 +02:00
parent 0076671e24
commit 9617de733b

@ -200,6 +200,7 @@ free_ei(struct xwl_ei_client *xwl_ei_client)
struct xwl_abs_device *abs, *tmp; struct xwl_abs_device *abs, *tmp;
ClientPtr client = xwl_ei_client->client; ClientPtr client = xwl_ei_client->client;
TimerCancel(xwl_ei_client->disconnect_timer);
xorg_list_del(&xwl_ei_client->link); xorg_list_del(&xwl_ei_client->link);
debug_ei("Removing EI fd=%d\n", xwl_ei_client->ei_fd); debug_ei("Removing EI fd=%d\n", xwl_ei_client->ei_fd);
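
Review bot: The added TimerCancel(xwl_ei_client->disconnect_timer) at the top of free_ei() only unschedules the timer; nothing in the visible lines releases the timer object or clears the pointer. Please confirm the timer is freed further down in free_ei(), or add that, so a cancelled timer does not outlive the client struct as a leak. Separately, the first stack in the commit message shows free_ei() being reached from disconnect_timer_cb(), so after this change the cancel also runs on the timer whose callback is currently executing; a one-line comment above the call saying that both paths (timer expiry and xwl_handle_ei_event) go through here, and that cancelling from inside the callback is intended, would make the lifetime rule explicit for the next reader.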