xserver: Branch 'xwayland-21.1' - 3 commits

GitLab Mirror gitlab-mirror at kemper.freedesktop.org
Tue Mar 15 10:14:57 UTC 2022


 hw/xwayland/xwayland-present.c |    3 +++
 hw/xwayland/xwayland-window.c  |   39 ++++++++++++++++++++++++---------------
 2 files changed, 27 insertions(+), 15 deletions(-)

New commits:
commit 987a34b623b5125ba878828e63da4c01570af96c
Author: Michel Dänzer <mdaenzer at redhat.com>
Date:   Mon Mar 14 17:02:02 2022 +0100

    xwayland: Clear timer_armed in xwl_present_unrealize_window
    
    Without this, xwl_present_reset_timer would call
    xwl_present_timer_callback if the timer was originally armed over a
    second ago. xwl_present_timer_callback would call xwl_present_msc_bump,
    which could end up hooking up the window to
    xwl_window->frame_callback_list again. This would lead to use-after-free
    in xwl_present_cleanup:
    
      Invalid write of size 8
        at 0x42B65C: __xorg_list_del (list.h:183)
        by 0x42B693: xorg_list_del (list.h:204)
        by 0x42C041: xwl_present_cleanup (xwayland-present.c:354)
        by 0x423669: xwl_destroy_window (xwayland-window.c:770)
        by 0x4FDDC5: compDestroyWindow (compwindow.c:620)
        by 0x5233FB: damageDestroyWindow (damage.c:1590)
        by 0x501C5F: DbeDestroyWindow (dbe.c:1326)
        by 0x4EF35B: FreeWindowResources (window.c:1018)
        by 0x4EF687: DeleteWindow (window.c:1086)
        by 0x4E24B3: doFreeResource (resource.c:885)
        by 0x4E2ED7: FreeClientResources (resource.c:1151)
        by 0x4ACBA4: CloseDownClient (dispatch.c:3546)
      Address 0x12f44980 is 144 bytes inside a block of size 160 free'd
        at 0x48470E4: free (vg_replace_malloc.c:872)
        by 0x423115: xwl_unrealize_window (xwayland-window.c:621)
        by 0x4FCDD8: compUnrealizeWindow (compwindow.c:292)
        by 0x4F3F5C: UnrealizeTree (window.c:2805)
        by 0x4F424B: UnmapWindow (window.c:2863)
        by 0x4EF58C: DeleteWindow (window.c:1075)
        by 0x4E24B3: doFreeResource (resource.c:885)
        by 0x4E2ED7: FreeClientResources (resource.c:1151)
        by 0x4ACBA4: CloseDownClient (dispatch.c:3546)
        by 0x5E27EE: ClientReady (connection.c:599)
        by 0x5E6CB7: ospoll_wait (ospoll.c:657)
        by 0x5DE6CD: WaitForSomething (WaitFor.c:208)
      Block was alloc'd at
        at 0x4849464: calloc (vg_replace_malloc.c:1328)
        by 0x4229CE: ensure_surface_for_window (xwayland-window.c:439)
        by 0x4231E8: xwl_window_set_window_pixmap (xwayland-window.c:647)
        by 0x5232D6: damageSetWindowPixmap (damage.c:1565)
        by 0x4FC7BC: compSetPixmapVisitWindow (compwindow.c:129)
        by 0x4EDB3F: TraverseTree (window.c:441)
        by 0x4FC851: compSetPixmap (compwindow.c:151)
        by 0x4F8C1A: compAllocPixmap (compalloc.c:616)
        by 0x4FC938: compCheckRedirect (compwindow.c:174)
        by 0x4FCD1D: compRealizeWindow (compwindow.c:274)
        by 0x4F36EC: RealizeTree (window.c:2606)
        by 0x4F39F5: MapWindow (window.c:2683)
    
    Fixes: 288ec0e046c4 ("xwayland/present: Run fallback timer callback after more than a second")
    Tested-by: Olivier Fourdan <ofourdan at redhat.com>
    Reviewed-by: Olivier Fourdan <ofourdan at redhat.com>
    (cherry picked from commit 102764b683df8932404c2a8f98061120a51b32b0)

diff --git a/hw/xwayland/xwayland-present.c b/hw/xwayland/xwayland-present.c
index 958035c6c..1a99228a1 100644
--- a/hw/xwayland/xwayland-present.c
+++ b/hw/xwayland/xwayland-present.c
@@ -543,6 +543,9 @@ xwl_present_unrealize_window(struct xwl_present_window *xwl_present_window)
      * the frame timer interval.
      */
     xorg_list_del(&xwl_present_window->frame_callback_list);
+
+    /* Make sure the timer callback doesn't get called */
+    xwl_present_window->timer_armed = 0;
     xwl_present_reset_timer(xwl_present_window);
 }
 
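Review bot: the new comment at the `timer_armed = 0` line understates what it protects against. The trace in the commit message shows xwl_present_reset_timer() short-circuiting into xwl_present_timer_callback() when timer_armed is more than a second old, and xwl_present_msc_bump() then re-linking a window whose frame_callback_list was just unlinked on the line above. Suggest the comment say so, e.g. `/* Clear timer_armed so xwl_present_reset_timer() doesn't run the fallback callback, which would re-add this window to frame_callback_list */`, so a later refactor of xwl_present_reset_timer() does not quietly reintroduce the use-after-free. Also worth confirming that xwl_present_reset_timer() still frees the timer when no events are pending: clearing the flag alone does not cancel an already-set TimerSet, it only skips the fallback path.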
commit fdbfda85c7c76e6aa60b9907fb7a9887ee07b8b8
Author: Olivier Fourdan <ofourdan at redhat.com>
Date:   Fri Mar 11 12:03:06 2022 +0100

    xwayland/present: Fix use-after-free in xwl_unrealize_window()
    
    When a window is unrealized, Xwayland would destroy the Wayland surface
    prior to unrealizing the present window.
    
    xwl_present_flip() will then do a wl_surface_commit() of that surface,
    hence causing a use-after-free:
    
     Invalid read of size 8
        at 0x49F7FD4: wl_proxy_marshal_array_flags (wayland-client.c:852)
        by 0x49F823A: wl_proxy_marshal_flags (wayland-client.c:784)
        by 0x42B877: wl_surface_commit (wayland-client-protocol.h:3914)
        by 0x42CAA7: xwl_present_flip (xwayland-present.c:717)
        by 0x42CD0E: xwl_present_execute (xwayland-present.c:783)
        by 0x42C26D: xwl_present_msc_bump (xwayland-present.c:416)
        by 0x42C2D1: xwl_present_timer_callback (xwayland-present.c:433)
        by 0x42BAC4: xwl_present_reset_timer (xwayland-present.c:149)
        by 0x42D1F8: xwl_present_unrealize_window (xwayland-present.c:945)
        by 0x4230E2: xwl_unrealize_window (xwayland-window.c:616)
        by 0x4FCDD8: compUnrealizeWindow (compwindow.c:292)
        by 0x4F3F5C: UnrealizeTree (window.c:2805)
      Address 0x1390b8d8 is 24 bytes inside a block of size 80 free'd
        at 0x48470E4: free (vg_replace_malloc.c:872)
        by 0x49F8029: wl_proxy_destroy_caller_locks (wayland-client.c:523)
        by 0x49F8029: wl_proxy_marshal_array_flags (wayland-client.c:861)
        by 0x49F823A: wl_proxy_marshal_flags (wayland-client.c:784)
        by 0x421984: wl_surface_destroy (wayland-client-protocol.h:3672)
        by 0x423052: xwl_unrealize_window (xwayland-window.c:599)
        by 0x4FCDD8: compUnrealizeWindow (compwindow.c:292)
        by 0x4F3F5C: UnrealizeTree (window.c:2805)
        by 0x4F424B: UnmapWindow (window.c:2863)
        by 0x4EF58C: DeleteWindow (window.c:1075)
        by 0x4E24B3: doFreeResource (resource.c:885)
        by 0x4E2ED7: FreeClientResources (resource.c:1151)
        by 0x4ACBA4: CloseDownClient (dispatch.c:3546)
      Block was alloc'd at
        at 0x4849464: calloc (vg_replace_malloc.c:1328)
        by 0x49F7F29: zalloc (wayland-private.h:233)
        by 0x49F7F29: proxy_create (wayland-client.c:422)
        by 0x49F7F29: create_outgoing_proxy (wayland-client.c:664)
        by 0x49F7F29: wl_proxy_marshal_array_flags (wayland-client.c:831)
        by 0x49F823A: wl_proxy_marshal_flags (wayland-client.c:784)
        by 0x4218CA: wl_compositor_create_surface (wayland-client-protocol.h:1291)
        by 0x422A0D: ensure_surface_for_window (xwayland-window.c:445)
        by 0x4231E8: xwl_window_set_window_pixmap (xwayland-window.c:647)
        by 0x5232D6: damageSetWindowPixmap (damage.c:1565)
        by 0x4FC7BC: compSetPixmapVisitWindow (compwindow.c:129)
        by 0x4EDB3F: TraverseTree (window.c:441)
        by 0x4FC851: compSetPixmap (compwindow.c:151)
        by 0x4F8C1A: compAllocPixmap (compalloc.c:616)
        by 0x4FC938: compCheckRedirect (compwindow.c:174)
    
    To avoid that, call xwl_present_unrealize_window() before destroying the
    Wayland surface.
    
    Signed-off-by: Olivier Fourdan <ofourdan at redhat.com>
    Reviewed-by: Michel Dänzer <mdaenzer at redhat.com>
    (cherry picked from commit 42113ab2894251376b2beab7e68f2705f5ce1084)

diff --git a/hw/xwayland/xwayland-window.c b/hw/xwayland/xwayland-window.c
index 152b4d0a6..92bcae326 100644
--- a/hw/xwayland/xwayland-window.c
+++ b/hw/xwayland/xwayland-window.c
@@ -605,16 +605,6 @@ xwl_unrealize_window(WindowPtr window)
     if (xwl_window_has_viewport_enabled(xwl_window))
         xwl_window_disable_viewport(xwl_window);
 
-    wl_surface_destroy(xwl_window->surface);
-    xorg_list_del(&xwl_window->link_damage);
-    xorg_list_del(&xwl_window->link_window);
-    unregister_damage(window);
-
-    xwl_window_buffers_dispose(xwl_window);
-
-    if (xwl_window->frame_callback)
-        wl_callback_destroy(xwl_window->frame_callback);
-
 #ifdef GLAMOR_HAS_GBM
     if (xwl_screen->present) {
         struct xwl_present_window *xwl_present_window, *tmp;
@@ -627,6 +617,16 @@ xwl_unrealize_window(WindowPtr window)
     }
 #endif
 
+    wl_surface_destroy(xwl_window->surface);
+    xorg_list_del(&xwl_window->link_damage);
+    xorg_list_del(&xwl_window->link_window);
+    unregister_damage(window);
+
+    xwl_window_buffers_dispose(xwl_window);
+
+    if (xwl_window->frame_callback)
+        wl_callback_destroy(xwl_window->frame_callback);
+
     free(xwl_window);
     dixSetPrivate(&window->devPrivates, &xwl_window_private_key, NULL);
 
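Review bot: the ordering dependency is invisible at the call site. Nothing at the re-added `wl_surface_destroy(xwl_window->surface);` line says that xwl_present_unrealize_window() above may still commit this surface (the xwl_present_flip() path in the trace), so a future cleanup could move the destroy back up and reintroduce the bug. Suggest a short comment ahead of the block, e.g. `/* The present cleanup above may still commit the surface, destroy it only afterwards */`. Note that the present loop sits under #ifdef GLAMOR_HAS_GBM, so the reordering only changes behaviour in GBM builds, which is fine.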
commit 00530769f7a968447b75e8375a503a6f6fcc1e7e
Author: Olivier Fourdan <ofourdan at redhat.com>
Date:   Mon Feb 21 10:20:09 2022 +0100

    Xwayland: Do not map the COW by default when rootless
    
    The composite overlay window (COW) can be queried from any X11 client,
    not just the X11 compositing manager.
    
    If a client tries to get the composite overlay window, the Xserver will
    map the window and block all pointer events (the window being mapped and
    on top of the stack).
    
    To avoid that issue, unset the "mapped" state of the composite overlay
    window once realized when Xwayland is running rootless.
    
    Note: All Xservers are actually affected by this issue, but with most
    regular X servers, the compositing manager will take care of dealing
    with the composite overlay window, and an X11 client using
    GetOverlayWindow() won't break pointer events for all X11 clients.
    Wayland compositors however usually run Xwayland rootless and have no
    use for the COW.
    
    v2: Avoid registering damage for the COW (Michel)
    v3: Remove the "mapped" test to avoid calling register_damage() if the
        COW is not mapped (Michel)
    
    Closes: https://gitlab.freedesktop.org/xorg/xserver/-/issues/1314
    Signed-off-by: Olivier Fourdan <ofourdan at redhat.com>
    Reviewed-by: Michel Dänzer <mdaenzer at redhat.com>
    (cherry picked from commit 47d33174646a6397284f3483f9102608f5508454)

diff --git a/hw/xwayland/xwayland-window.c b/hw/xwayland/xwayland-window.c
index 00f161eda..152b4d0a6 100644
--- a/hw/xwayland/xwayland-window.c
+++ b/hw/xwayland/xwayland-window.c
@@ -522,6 +522,7 @@ Bool
 xwl_realize_window(WindowPtr window)
 {
     ScreenPtr screen = window->drawable.pScreen;
+    CompScreenPtr comp_screen = GetCompScreen(screen);
     struct xwl_screen *xwl_screen;
     Bool ret;
 
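Review bot: GetCompScreen(screen) is now evaluated for every realized window, including the rooted case where comp_screen is never used. Consider doing the lookup inside the `if (xwl_screen->rootless)` branch next to its only use; that keeps the cost out of the common path and stops the declaration from reading as a general-purpose variable of xwl_realize_window().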
@@ -535,12 +536,20 @@ xwl_realize_window(WindowPtr window)
     if (!ret)
         return FALSE;
 
-    if (xwl_screen->rootless && !window->parent) {
-        BoxRec box = { 0, 0, xwl_screen->width, xwl_screen->height };
+    if (xwl_screen->rootless) {
+        /* We do not want the COW to be mapped when rootless in Xwayland */
+        if (window == comp_screen->pOverlayWin) {
+            window->mapped = FALSE;
+            return TRUE;
+        }
 
-        RegionReset(&window->winSize, &box);
-        RegionNull(&window->clipList);
-        RegionNull(&window->borderClip);
+        if (!window->parent) {
+            BoxRec box = { 0, 0, xwl_screen->width, xwl_screen->height };
+
+            RegionReset(&window->winSize, &box);
+            RegionNull(&window->clipList);
+            RegionNull(&window->borderClip);
+        }
     }
 
     if (xwl_screen->rootless ?
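Review bot: `window == comp_screen->pOverlayWin` dereferences comp_screen without a NULL check. GetCompScreen() is a devPrivates lookup owned by the Composite extension, so if that private is unset (Composite disabled) this crashes on the first realized window when rootless; suggest `if (comp_screen && window == comp_screen->pOverlayWin)`. Separately, the early `return TRUE` after `window->mapped = FALSE` skips the rest of xwl_realize_window(), which the commit message (v3) says is intended so register_damage() is not called for the COW; a one-line comment at the return stating that would help readers who expect the function to fall through to the rootless setup below.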
