xserver: Branch 'master'

Tue Sep 22 19:30:56 UTC 2020

hw/xwayland/xwayland-glamor-eglstream.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

New commits:
commit a5f439dcd21b4fda093cb382bb1a758b434a1444
Author: Olivier Fourdan <ofourdan at redhat.com>
Date:   Mon Sep 14 15:39:10 2020 +0200

    xwayland: Remove pending stream reference when freeing
    
    The EGLStream backend keeps a queue of pending streams for each Xwayland
    window.
    
    However, when this pending queue is freed, the corresponding private
    data may not be cleared (typically if the pixmap for this window has
    changed before the compositor finished attaching the consumer for the
    window's pixmap's original eglstream), leading to a use-after-free and a
    crash when trying to use that data as the window pixmap.
    
    Make sure to clear the private data when the pending stream is freed.
    
    Closes: https://gitlab.freedesktop.org/xorg/xserver/-/issues/1055
    Signed-off-by: Olivier Fourdan <ofourdan at redhat.com>
    Tested-by: Karol Szuster <karolsz9898 at gmail.com>
    Reviewed-by: Adam Jackson <ajax at redhat.com>

diff --git a/hw/xwayland/xwayland-glamor-eglstream.c b/hw/xwayland/xwayland-glamor-eglstream.c
index ee7f95b56..2821f9a58 100644
--- a/hw/xwayland/xwayland-glamor-eglstream.c
+++ b/hw/xwayland/xwayland-glamor-eglstream.c
@@ -437,8 +437,8 @@ xwl_eglstream_consumer_ready_callback(void *data,
     DebugF("eglstream: win %d completes eglstream for pixmap %p, congrats!\n",
            pending->window->drawable.id, pending->pixmap);
 
-    xwl_eglstream_window_set_pending(pending->window, NULL);
 out:
+    xwl_eglstream_window_set_pending(pending->window, NULL);
     xorg_list_del(&pending->link);
     free(pending);
 }
