xserver/hw/xwayland
Michel Dänzer 102764b683 xwayland: Clear timer_armed in xwl_present_unrealize_window
Without this, xwl_present_reset_timer would call
xwl_present_timer_callback if the timer was originally armed over a
second ago. xwl_present_timer_callback would call xwl_present_msc_bump,
which could end up hooking up the window to
xwl_window->frame_callback_list again. This would lead to use-after-free
in xwl_present_cleanup:

  Invalid write of size 8
    at 0x42B65C: __xorg_list_del (list.h:183)
    by 0x42B693: xorg_list_del (list.h:204)
    by 0x42C041: xwl_present_cleanup (xwayland-present.c:354)
    by 0x423669: xwl_destroy_window (xwayland-window.c:770)
    by 0x4FDDC5: compDestroyWindow (compwindow.c:620)
    by 0x5233FB: damageDestroyWindow (damage.c:1590)
    by 0x501C5F: DbeDestroyWindow (dbe.c:1326)
    by 0x4EF35B: FreeWindowResources (window.c:1018)
    by 0x4EF687: DeleteWindow (window.c:1086)
    by 0x4E24B3: doFreeResource (resource.c:885)
    by 0x4E2ED7: FreeClientResources (resource.c:1151)
    by 0x4ACBA4: CloseDownClient (dispatch.c:3546)
  Address 0x12f44980 is 144 bytes inside a block of size 160 free'd
    at 0x48470E4: free (vg_replace_malloc.c:872)
    by 0x423115: xwl_unrealize_window (xwayland-window.c:621)
    by 0x4FCDD8: compUnrealizeWindow (compwindow.c:292)
    by 0x4F3F5C: UnrealizeTree (window.c:2805)
    by 0x4F424B: UnmapWindow (window.c:2863)
    by 0x4EF58C: DeleteWindow (window.c:1075)
    by 0x4E24B3: doFreeResource (resource.c:885)
    by 0x4E2ED7: FreeClientResources (resource.c:1151)
    by 0x4ACBA4: CloseDownClient (dispatch.c:3546)
    by 0x5E27EE: ClientReady (connection.c:599)
    by 0x5E6CB7: ospoll_wait (ospoll.c:657)
    by 0x5DE6CD: WaitForSomething (WaitFor.c:208)
  Block was alloc'd at
    at 0x4849464: calloc (vg_replace_malloc.c:1328)
    by 0x4229CE: ensure_surface_for_window (xwayland-window.c:439)
    by 0x4231E8: xwl_window_set_window_pixmap (xwayland-window.c:647)
    by 0x5232D6: damageSetWindowPixmap (damage.c:1565)
    by 0x4FC7BC: compSetPixmapVisitWindow (compwindow.c:129)
    by 0x4EDB3F: TraverseTree (window.c:441)
    by 0x4FC851: compSetPixmap (compwindow.c:151)
    by 0x4F8C1A: compAllocPixmap (compalloc.c:616)
    by 0x4FC938: compCheckRedirect (compwindow.c:174)
    by 0x4FCD1D: compRealizeWindow (compwindow.c:274)
    by 0x4F36EC: RealizeTree (window.c:2606)
    by 0x4F39F5: MapWindow (window.c:2683)

Fixes: 288ec0e046 ("xwayland/present: Run fallback timer callback after more than a second")
Tested-by: Olivier Fourdan <ofourdan@redhat.com>
Reviewed-by: Olivier Fourdan <ofourdan@redhat.com>
2022-03-15 08:59:19 +00:00
man Remove autotools support 2021-10-27 13:15:40 +03:00
.gitignore xwayland: Add wp_viewport wayland extension support 2019-10-12 12:19:14 +02:00
drm.xml wayland: Sync drm.xml with Mesa 2017-07-05 10:13:04 -04:00
meson.build Xwayland: implement drm-lease-v1 2021-12-07 10:02:29 +00:00
xwayland-cursor.c xwayland: Fix cursor color 2022-02-11 10:33:10 +01:00
xwayland-cursor.h xwayland: Add xwl_cursor_clear_frame_cb() 2021-10-25 12:05:42 +00:00
xwayland-cvt.c xwayland: Use libxcvt 2021-08-06 11:29:29 +00:00
xwayland-cvt.h xwayland: Move Xwayland CVT declaration 2019-12-20 16:19:01 +01:00
xwayland-drm-lease.c Xwayland: implement drm-lease-v1 2021-12-07 10:02:29 +00:00
xwayland-drm-lease.h Xwayland: implement drm-lease-v1 2021-12-07 10:02:29 +00:00
xwayland-glamor-eglstream.c xwayland/glamor: Change errors to verbose messages 2021-12-01 15:13:11 +01:00
xwayland-glamor-gbm.c xwayland/glamor: Change errors to verbose messages 2021-12-01 15:13:11 +01:00
xwayland-glamor-xv.c xwayland: Cleanup and remove `xwayland.h` 2019-12-20 16:19:01 +01:00
xwayland-glamor.c xwayland/eglstream: Prefer EGLstream if available 2021-12-02 08:13:49 +00:00
xwayland-glamor.h xwayland/glamor: Add return status to post_damage 2021-05-11 14:08:58 +02:00
xwayland-glx.c xwayland/glx: Flip order of sRGB & non-sRGB fbconfigs 2022-01-14 18:16:01 +01:00
xwayland-glx.h xwayland: Move Xwayland GLX declaration 2019-12-20 16:19:01 +01:00
xwayland-input.c xwayland: Fix a race condition when setting up input devices 2021-12-04 15:55:21 +00:00
xwayland-input.h xwayland: Implement support for touchpad gestures 2021-12-04 15:55:21 +00:00
xwayland-output.c Xwayland: implement drm-lease-v1 2021-12-07 10:02:29 +00:00
xwayland-output.h Xwayland: implement drm-lease-v1 2021-12-07 10:02:29 +00:00
xwayland-pixmap.c xwayland: Rename xwl_pixmap_cb → xwl_buffer_release_cb 2020-07-07 13:47:11 +00:00
xwayland-pixmap.h xwayland: Rename xwl_pixmap_cb → xwl_buffer_release_cb 2020-07-07 13:47:11 +00:00
xwayland-present.c xwayland: Clear timer_armed in xwl_present_unrealize_window 2022-03-15 08:59:19 +00:00
xwayland-present.h xwayland/present: Run fallback timer callback after more than a second 2021-12-24 19:06:47 +01:00
xwayland-screen.c Fix spelling of Xwayland 2021-12-17 16:22:07 +00:00
xwayland-screen.h Xwayland: implement drm-lease-v1 2021-12-07 10:02:29 +00:00
xwayland-shm.c xwayland/shm: Avoid integer overflow on large pixmaps 2021-10-05 10:00:02 +00:00
xwayland-shm.h xwayland: Move SHM declarations to their own header 2019-12-20 16:19:01 +01:00
xwayland-types.h Xwayland: implement drm-lease-v1 2021-12-07 10:02:29 +00:00
xwayland-vidmode.c xwayland: Initialise values in xwlVidModeGetGamma() 2020-07-03 10:56:43 +00:00
xwayland-vidmode.h xwayland: Move Xwayland vidmode declaration 2019-12-20 16:19:01 +01:00
xwayland-window-buffers.c xwayland: Hold window buffer until released 2020-12-10 13:49:42 +01:00
xwayland-window-buffers.h xwayland: Cleanup and remove `xwayland.h` 2019-12-20 16:19:01 +01:00
xwayland-window.c xwayland/present: Fix use-after-free in xwl_unrealize_window() 2022-03-15 08:59:19 +00:00
xwayland-window.h xwayland: port rooted xwayland from wl_shell to xdg-shell protocol 2020-02-28 16:23:58 +00:00
xwayland.c xwayland: Raise the FD limit to the max 2022-01-18 11:10:11 +01:00
xwayland.pc.in xwayland: add -noTouchPointerEmulation 2021-09-06 21:19:46 +00:00