xserver: Branch 'master'

GitLab Mirror gitlab-mirror at kemper.freedesktop.org
Wed Oct 11 12:26:08 UTC 2023


 hw/xwayland/xwayland-xtest.c |    1 +
 1 file changed, 1 insertion(+)

New commits:
commit 9617de733becb04f547191570978dcbc449bb11e
Author: Olivier Fourdan <ofourdan at redhat.com>
Date:   Tue Oct 10 17:37:37 2023 +0200

    xwayland: Cancel the EI disconnect timer when freed
    
    Xwayland maintains a connection to EI up for 10 minutes after an X11
    client has vanished, to avoid going through the connection phase every
    time a short-lived X11 client comes and goes.
    
    However, if the EI client gets freed (through some other event, e.g. the
    user decides to terminate the EI session), Xwayland would still keep the
    callback alive and end up trying to free an already freed EI client:
    
     Invalid read of size 4
        at 0x4C5E6F9: object_unref (util-object.h:89)
        by 0x4C5E6F9: ei_unref (libei.c:77)
        by 0x429525: free_ei (xwayland-xtest.c:224)
        by 0x429A6E: disconnect_timer_cb (xwayland-xtest.c:404)
        by 0x5E63FF: DoTimer (WaitFor.c:276)
        by 0x5E6463: DoTimers (WaitFor.c:290)
        by 0x5E6164: check_timers (WaitFor.c:133)
        by 0x5E61E9: WaitForSomething (WaitFor.c:195)
        by 0x4AD50E: Dispatch (dispatch.c:487)
        by 0x4BBA0B: dix_main (main.c:272)
        by 0x43615D: main (stubmain.c:34)
      Address 0x15cc6ee8 is 8 bytes inside a block of size 240 free'd
        at 0x48452AC: free (vg_replace_malloc.c:974)
        by 0x4C5E729: object_destroy (util-object.h:73)
        by 0x4C5E729: object_unref (util-object.h:91)
        by 0x4C5E729: ei_unref (libei.c:77)
        by 0x429525: free_ei (xwayland-xtest.c:224)
        by 0x42A946: xwl_handle_ei_event (xwayland-xtest.c:804)
        by 0x5EA977: HandleNotifyFd (connection.c:809)
        by 0x5EE8E3: ospoll_wait (ospoll.c:657)
        by 0x5E624D: WaitForSomething (WaitFor.c:208)
        by 0x4AD50E: Dispatch (dispatch.c:487)
        by 0x4BBA0B: dix_main (main.c:272)
        by 0x43615D: main (stubmain.c:34)
      Block was alloc'd at
        at 0x484782C: calloc (vg_replace_malloc.c:1554)
        by 0x4C5E777: ei_create (libei.c:73)
        by 0x4C5E777: ei_create_context (libei.c:97)
        by 0x42994B: setup_ei (xwayland-xtest.c:366)
        by 0x42A383: xwayland_xtest_send_events (xwayland-xtest.c:658)
        by 0x54ED4C: ProcXTestFakeInput (xtest.c:441)
        by 0x54EE56: ProcXTestDispatch (xtest.c:475)
        by 0x4AD6E6: Dispatch (dispatch.c:546)
        by 0x4BBA0B: dix_main (main.c:272)
        by 0x43615D: main (stubmain.c:34)
    
    To avoid that issue, make sure to cancel the timer as soon as an EI
    client is freed.
    
    Signed-off-by: Olivier Fourdan <ofourdan at redhat.com>
    Reviewed-by: Peter Hutterer <peter.hutterer at who-t.net>
    See-also: https://bugzilla.redhat.com/2243076

diff --git a/hw/xwayland/xwayland-xtest.c b/hw/xwayland/xwayland-xtest.c
index 69686daab..b5eef57e6 100644
--- a/hw/xwayland/xwayland-xtest.c
+++ b/hw/xwayland/xwayland-xtest.c
@@ -200,6 +200,7 @@ free_ei(struct xwl_ei_client *xwl_ei_client)
     struct xwl_abs_device *abs, *tmp;
     ClientPtr client = xwl_ei_client->client;
 
+    TimerCancel(xwl_ei_client->disconnect_timer);
     xorg_list_del(&xwl_ei_client->link);
 
     debug_ei("Removing EI fd=%d\n", xwl_ei_client->ei_fd);
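
Review bot: the added `TimerCancel(xwl_ei_client->disconnect_timer);` at the top of free_ei() stops the callback from firing, but it does not release the timer, and nothing in the visible lines frees or clears `disconnect_timer` afterwards. If the rest of free_ei() does not free it, `TimerFree()` (which cancels and then frees) would avoid leaving one timer allocated per EI client. The Valgrind trace in the commit message also shows free_ei() being reached from disconnect_timer_cb() itself, so please confirm that cancelling the timer from inside its own callback is safe. A one-line comment above the call saying that the pending timer would otherwise run against a freed xwl_ei_client would help the next reader.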

