From a5e863963e3d8cef2cf84f7c65832adb78040798 Mon Sep 17 00:00:00 2001
From: Olivier Fourdan
Date: Tue, 2 Jul 2024 18:54:10 +0200
Subject: [PATCH] xwayland: Force disposal of windows buffers for root on destroy
With explicit buffer synchronization in use, the window buffers use a file descriptor for event notification to keep the buffer alive for synchronization purpose. When running rootful, the root window (which is visible) is destroyed directly from the resource manager on server reset, and the window buffer's eventfd will trigger after the window is destroyed, leading to a use after free and a crash of the xserver. To avoid the issue, check whether the window being destroyed is the root window in rootless mode, and make sure to force the disposal of the window buffers in that case.
Signed-off-by: Olivier Fourdan
Closes: https://gitlab.freedesktop.org/xorg/xserver/-/issues/1699
Part-of:
---
 hw/xwayland/xwayland-window.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/hw/xwayland/xwayland-window.c b/hw/xwayland/xwayland-window.c
index 2c5d68bd4..6fe0db891 100644
--- a/hw/xwayland/xwayland-window.c
+++ b/hw/xwayland/xwayland-window.c
@@ -1649,6 +1649,7 @@ xwl_window_dispose(struct xwl_window *xwl_window)
 struct xwl_screen *xwl_screen = xwl_window->xwl_screen;
 struct xwl_seat *xwl_seat;
 WindowPtr window = xwl_window->toplevel;
+ ScreenPtr screen = xwl_screen->screen;
 compUnredirectWindow(serverClient, window, CompositeRedirectManual);
@@ -1691,7 +1692,9 @@ xwl_window_dispose(struct xwl_window *xwl_window)
 xorg_list_del(&xwl_window->link_damage);
 xorg_list_del(&xwl_window->link_window);
- xwl_window_buffers_dispose(xwl_window, FALSE);
+ /* Special case for the root window in rootful mode */
+ xwl_window_buffers_dispose(xwl_window,
+ (!xwl_screen->rootless && window == screen->root));
 if (xwl_window->window_buffers_timer)
 TimerFree(xwl_window->window_buffers_timer);
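Review bot: The comment added above the `xwl_window_buffers_dispose()` call in the second hunk names the special case but not the lifetime hazard behind it, so a later cleanup could drop the force flag and bring back the use-after-free. I would spell it out, e.g. `/* Rootful: the root window is destroyed straight from the resource manager on server reset; force disposal so no buffer eventfd fires after xwl_window is freed */`. The condition tests `!xwl_screen->rootless`, which is rootful and agrees with the code comment, so the comment is the text to trust here. Whether a non-root window can reach this call with a buffer still waiting on its eventfd is not visible in these hunks; the non-forced path presumably leaves such buffers alive, so that is worth confirming. The body of `xwl_window_dispose()` starts before the first hunk and continues past the second.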