[PATCH xserver] xwayland: remove dirty window unconditionally on unrealize

Olivier Fourdan ofourdan at redhat.com
Wed Jan 24 16:45:37 UTC 2018


This is a rare occurrence of a crash in Xwayland for which I don't have
the reproducing steps, just a core file.

The backtrace looks as follows:

  #0  raise () from /usr/lib64/libc.so.6
  #1  abort () from /usr/lib64/libc.so.6
  #2  OsAbort () at utils.c:1361
  #3  AbortServer () at log.c:877
  #4  FatalError () at log.c:1015
  #5  OsSigHandler () at osinit.c:154
  #6  <signal handler called>
  #7  xwl_glamor_pixmap_get_wl_buffer () at xwayland-glamor.c:162
  #8  xwl_screen_post_damage () at xwayland.c:514
  #9  block_handler () at xwayland.c:665
  #10 BlockHandler () at dixutils.c:388
  #11 WaitForSomething () at WaitFor.c:219
  #12 Dispatch () at dispatch.c:422
  #13 dix_main () at main.c:287

The crash is caused by dereferencing “xwl_pixmap->buffer” in
xwl_glamor_pixmap_get_wl_buffer() because “xwl_pixmap” is NULL.

Reason for this is because the corresponding pixmap is from the root
window and xwayland is rootless by default.

This can happen if the window was mapped, redirected, damaged and
unredirected immediately, before the damage is processed by Xwayland.

Make sure to remove the dirty window from the damage list on unrealize
to prevent this from happening.

Credit goes to Adam Jackson <ajax at nwnk.net> and Daniel Stone
<daniel at fooishbar.org> for finding the root cause of the issue.

Signed-off-by: Olivier Fourdan <ofourdan at redhat.com>
---
 hw/xwayland/xwayland.c | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/hw/xwayland/xwayland.c b/hw/xwayland/xwayland.c
index ab7cee545..88d31f80b 100644
--- a/hw/xwayland/xwayland.c
+++ b/hw/xwayland/xwayland.c
@@ -587,8 +587,7 @@ xwl_unrealize_window(WindowPtr window)
     }
 
     wl_surface_destroy(xwl_window->surface);
-    if (RegionNotEmpty(DamageRegion(xwl_window->damage)))
-        xorg_list_del(&xwl_window->link_damage);
+    xorg_list_del(&xwl_window->link_damage);
     DamageUnregister(xwl_window->damage);
     DamageDestroy(xwl_window->damage);
     if (xwl_window->frame_callback)
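
Review bot: the now-unconditional xorg_list_del(&xwl_window->link_damage) relies on link_damage being a valid list node for every window that reaches xwl_unrealize_window(), including windows that were never queued for damage, and nothing in this hunk shows that. Please confirm the node is initialized with xorg_list_init() when the xwl_window is set up, and say so in the commit message. A one-line comment above the call explaining why the RegionNotEmpty() guard was dropped (per the commit message, the window can still be on the damage list when the region check would skip the removal) would keep the guard from being reintroduced later.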
-- 
2.14.3


