aboutsummaryrefslogtreecommitdiff
AgeCommit message (Collapse)Author
2018-06-25Merge pull request #1084 from martinetd/use-after-freeTony Crisci
use-after-free fixes (xdg_shell popups, primary selection source, xwm parents)
2018-06-25xdg_shell: destroy children popups with parent surfaceDominique Martinet
popups have a link in parent's surface->popups list and needs to be freed before: ==6902==ERROR: AddressSanitizer: heap-use-after-free on address 0x6120001a0300 at pc 0x7fc1447acb50 bp 0x7fffd396e680 sp 0x7fffd396e670 WRITE of size 8 at 0x6120001a0300 thread T0 #0 0x7fc1447acb4f in wl_list_remove ../util/signal.c:55 #1 0x7fc14477d206 in destroy_xdg_popup_v6 ../types/xdg_shell_v6/wlr_xdg_popup_v6.c:162 #2 0x7fc1447816e0 in destroy_xdg_surface_v6 ../types/xdg_shell_v6/wlr_xdg_surface_v6.c:108 #3 0x7fc144a1c025 in destroy_resource src/wayland-server.c:688 #4 0x7fc144a1c091 in wl_resource_destroy src/wayland-server.c:705 #5 0x7fc14477fd6f in xdg_client_v6_handle_resource_destroy ../types/xdg_shell_v6/wlr_xdg_shell_v6.c:72 #6 0x7fc144a1c025 in destroy_resource src/wayland-server.c:688 #7 0x7fc144a20851 (/lib64/libwayland-server.so.0+0xc851) #8 0x7fc144a20d92 (/lib64/libwayland-server.so.0+0xcd92) #9 0x7fc144a1c140 in wl_client_destroy src/wayland-server.c:847 #10 0x7fc144a1c21c in destroy_client_with_error src/wayland-server.c:307 #11 0x7fc144a1c21c in wl_client_connection_data src/wayland-server.c:330 #12 0x7fc144a1df01 in wl_event_loop_dispatch src/event-loop.c:641 #13 0x7fc144a1c601 in wl_display_run src/wayland-server.c:1260 #14 0x40a2f4 in main ../sway/main.c:433 #15 0x7fc143ef718a in __libc_start_main ../csu/libc-start.c:308 #16 0x40b749 in _start (/opt/wayland/bin/sway+0x40b749) 0x6120001a0300 is located 64 bytes inside of 264-byte region [0x6120001a02c0,0x6120001a03c8) freed by thread T0 here: #0 0x7fc14690d880 in __interceptor_free (/lib64/libasan.so.5+0xee880) #1 0x7fc1447acce8 in wlr_signal_emit_safe ../util/signal.c:29 #2 0x7fc1447a3cac in surface_handle_resource_destroy ../types/wlr_surface.c:576 #3 0x7fc144a1c025 in destroy_resource src/wayland-server.c:688 previously allocated by thread T0 here: #0 0x7fc14690de50 in calloc (/lib64/libasan.so.5+0xeee50) #1 0x7fc144781d38 in create_xdg_surface_v6 ../types/xdg_shell_v6/wlr_xdg_surface_v6.c:415 #2 0x7fc14147503d in ffi_call_unix64 (/lib64/libffi.so.6+0x603d) Alternative would be to have popups listen to the parent's surface destroy event and remove themselves from the list at this point OR on their own destroy, whichever happens first, but that seems more complicated for little benefit.
2018-06-25xwm: fix use-after-free involving parents/childrenDominique Martinet
Happens when e.g. closing gimp. ==24039==ERROR: AddressSanitizer: heap-use-after-free on address 0x6150001a7a78 at pc 0x7f09b09f1bb2 bp 0x7ffcf0237bf0 sp 0x7ffcf0237be0 WRITE of size 8 at 0x6150001a7a78 thread T0 #0 0x7f09b09f1bb1 in wl_list_remove ../util/signal.c:55 #1 0x7f09b094cf03 in xwayland_surface_destroy ../xwayland/xwm.c:295 #2 0x7f09b0950245 in xwm_handle_destroy_notify ../xwayland/xwm.c:717 #3 0x7f09b095304a in x11_event_handler ../xwayland/xwm.c:1149 #4 0x7f09b0c68f01 in wl_event_loop_dispatch src/event-loop.c:641 #5 0x7f09b0c67601 in wl_display_run src/wayland-server.c:1260 #6 0x40a2f4 in main ../sway/main.c:433 #7 0x7f09b011018a in __libc_start_main (/lib64/libc.so.6+0x2318a) #8 0x40b749 in _start (/opt/wayland/bin/sway+0x40b749) 0x6150001a7a78 is located 120 bytes inside of 496-byte region [0x6150001a7a00,0x6150001a7bf0) freed by thread T0 here: #0 0x7f09b2b58880 in __interceptor_free (/lib64/libasan.so.5+0xee880) #1 0x7f09b094d1a1 in xwayland_surface_destroy ../xwayland/xwm.c:315 #2 0x7f09b0950245 in xwm_handle_destroy_notify ../xwayland/xwm.c:717 #3 0x7f09b095304a in x11_event_handler ../xwayland/xwm.c:1149 #4 0x7f09b0c68f01 in wl_event_loop_dispatch src/event-loop.c:641 #5 0x7f09b0c67601 in wl_display_run src/wayland-server.c:1260 #6 0x40a2f4 in main ../sway/main.c:433 #7 0x7f09b011018a in __libc_start_main (/lib64/libc.so.6+0x2318a) #8 0x40b749 in _start (/opt/wayland/bin/sway+0x40b749) previously allocated by thread T0 here: #0 0x7f09b2b58e50 in calloc (/lib64/libasan.so.5+0xeee50) #1 0x7f09b094b585 in xwayland_surface_create ../xwayland/xwm.c:119 #2 0x7f09b0950151 in xwm_handle_create_notify ../xwayland/xwm.c:706 #3 0x7f09b0953032 in x11_event_handler ../xwayland/xwm.c:1146 #4 0x7f09b0c68f01 in wl_event_loop_dispatch src/event-loop.c:641 #5 0x7f09b0c67601 in wl_display_run src/wayland-server.c:1260 #6 0x40a2f4 in main ../sway/main.c:433 #7 0x7f09b011018a in __libc_start_main (/lib64/libc.so.6+0x2318a) #8 0x40b749 in _start (/opt/wayland/bin/sway+0x40b749)
2018-06-25wlr_primary_selection: fix use-after-free when cancelling sourceDominique Martinet
seat->primary_election_source_destroy points to the source that just got freed by the cancel. ==7843==ERROR: AddressSanitizer: heap-use-after-free on address 0x60b0004269b0 at pc 0x7fb95bf4ccd0 bp 0x7ffd75013940 s p 0x7ffd75013930 WRITE of size 8 at 0x60b0004269b0 thread T0 #0 0x7fb95bf4cccf in wl_list_remove ../util/signal.c:55 #1 0x7fb95bf3f4c6 in wlr_seat_set_primary_selection ../types/wlr_primary_selection.c:238 #2 0x7fb95becb1a7 in xwm_handle_selection_event ../xwayland/selection/selection.c:124 #3 0x7fb95bed2e5d in x11_event_handler ../xwayland/xwm.c:1139 #4 0x7fb95c1bdf01 in wl_event_loop_dispatch src/event-loop.c:641 #5 0x7fb95c1bc601 in wl_display_run src/wayland-server.c:1260 #6 0x40a2f4 in main ../sway/main.c:433 #7 0x7fb95b69718a in __libc_start_main (/lib64/libc.so.6+0x2318a) #8 0x40b749 in _start (/opt/wayland/bin/sway+0x40b749) 0x60b0004269b0 is located 64 bytes inside of 112-byte region [0x60b000426970,0x60b0004269e0) freed by thread T0 here: #0 0x7fb95e0ad880 in __interceptor_free (/lib64/libasan.so.5+0xee880) #1 0x7fb95bf3f49e in wlr_seat_set_primary_selection ../types/wlr_primary_selection.c:236 #2 0x7fb95becb1a7 in xwm_handle_selection_event ../xwayland/selection/selection.c:124 #3 0x7fb95bed2e5d in x11_event_handler ../xwayland/xwm.c:1139 #4 0x7fb95c1bdf01 in wl_event_loop_dispatch src/event-loop.c:641 previously allocated by thread T0 here: #0 0x7fb95e0ade50 in calloc (/lib64/libasan.so.5+0xeee50) #1 0x7fb95bec7ad6 in xwm_selection_get_targets ../xwayland/selection/incoming.c:355 #2 0x7fb95bec7ad6 in xwm_handle_selection_notify ../xwayland/selection/incoming.c:402 #3 0x7fb95becb1a7 in xwm_handle_selection_event ../xwayland/selection/selection.c:124 #4 0x7fb95bed2e5d in x11_event_handler ../xwayland/xwm.c:1139 #5 0x7fb95c1bdf01 in wl_event_loop_dispatch src/event-loop.c:641 SUMMARY: AddressSanitizer: heap-use-after-free ../util/signal.c:55 in wl_list_remove Shadow bytes around the buggy address: 0x0c168007cce0: fd fd fd fa fa fa fa fa fa fa fa fa fd fd fd fd 0x0c168007ccf0: fd fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa 0x0c168007cd00: fa fa fd fd fd fd fd fd fd fd fd fd fd fd fd fa 0x0c168007cd10: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd 0x0c168007cd20: fd fd fd fd fd fa fa fa fa fa fa fa fa fa fd fd =>0x0c168007cd30: fd fd fd fd fd fd[fd]fd fd fd fd fd fa fa fa fa 0x0c168007cd40: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fd 0x0c168007cd50: fd fa fa fa fa fa fa fa fa fa fd fd fd fd fd fd 0x0c168007cd60: fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa fa 0x0c168007cd70: fd fd fd fd fd fd fd fd fd fd fd fd fd fa fa fa 0x0c168007cd80: fa fa fa fa fa fa fd fd fd fd fd fd fd fd fd fd
2018-06-24Merge pull request #1086 from acrisci/input-inhibit-emit-safeDrew DeVault
input-inhibit: use wlr_signal_emit_safe
2018-06-24input-inhibit: use wlr_signal_emit_safeTony Crisci
2018-06-24Merge pull request #1085 from acrisci/xdg-popup-grab-fixesDrew DeVault
xdg-shell: end pointer and keyboard grab at the same time
2018-06-24xdg-shell: end pointer and keyboard grab at the same timeTony Crisci
2018-06-24Merge pull request #1054 from swaywm/cancel-grab-on-focus-changeTony Crisci
rootston: Cancel existing keyboard grab when changing focus
2018-06-24use seat function to end grabTony Crisci
2018-06-24Merge branch 'master' into cancel-grab-on-focus-changeTony Crisci
2018-06-22Merge pull request #992 from emersion/screencontentDrew DeVault
Implement wlr_export_dmabuf_unstable_v1 protocol
2018-06-20Merge pull request #1075 from emersion/fix-xdg-toplevel-compareDrew DeVault
xdg-shell{,-v6}: fix compare_xdg_surface_toplevel_state
2018-06-20Merge pull request #1072 from emersion/surface-remove-matricesemersion
surface: remove matrices
2018-06-20xdg-shell{,-v6}: fix compare_xdg_surface_toplevel_stateemersion
2018-06-21Merge pull request #1073 from tobiasblass/fix_recvmsg_endless_loopScott Anderson
FIX: Suprocess loops endlessly when the control socket closes.
2018-06-20Merge pull request #1071 from emersion/remove-wlr-frame-callbackDrew DeVault
surface: remove wlr_frame_callback
2018-06-20surface: remove matricesemersion
These were unused.
2018-06-20FIX: Suprocess loops endlessly when the control socket closes.Tobias Blass
recvmsg(3) returns 0 if the connection partner has shut down its socket. The communicate function considered 0 a successful message, though, and keeps calling recvmsg(3) again and again.
2018-06-20surface: remove wlr_frame_callbackemersion
This removes the need to allocate a structure for frame callbacks. wl_resource_get_link is used instead.
2018-06-17Merge pull request #1067 from emersion/fix-surface-double-releaseemersion
surface: fix double wl_buffer.release events
2018-06-17Fix exampleRostislav Pehlivanov
2018-06-17Merge branch 'master' into screencontentemersion
2018-06-17export-dmabuf: update protocolemersion
2018-06-17Update example and protocolRostislav Pehlivanov
2018-06-17surface: fix double wl_buffer.release eventsemersion
Prior to this commit, we re-uploaded the buffer even if a new one wasn't attached. After uploading, we send wl_buffer.release. So, this sequence of requests resulted in a double release: surface.attach(buffer, 0, 0) surface.commit() <- buffer.release() surface.commit() <- buffer.release()
2018-06-16Merge pull request #1062 from emersion/wlr-buffer-comebackDrew DeVault
Add back wlr_buffer
2018-06-16buffer: fix wlr_texture leak on failed allocemersion
2018-06-16Merge pull request #1066 from ammen99/masteremersion
layer-shell: check if the surface is mapped in layer_surface_destroy()
2018-06-16layer-shell: check whether the surface is mapped in layer_surface_destroy()Ilia Bozhinov
If the layer surface has been closed by the compositor, using layer_surface_close(), then the unmap event is emitted. However, when the layer surface is later destroyed by the client, the compositor used to get a second unmap, which is fixed with this commit.
2018-06-14Merge pull request #1063 from ascent12/multi-seatDrew DeVault
Multiseat fixes
2018-06-14buffer: don't destroy DMA-BUF textures with wl_bufferemersion
After some discussions on #wayland, it seems that as soon as you hold a reference to a DMA-BUF (via EGLImage for instance), the underlying memory won't get free'd. The client is allowed to re-use the DMA-BUF and upload something else to it though.
2018-06-14Check for seat0 properlyScott Anderson
2018-06-14Multiseat fixesScott Anderson
2018-06-14Merge branch 'remove-surface-texture' into wlr-buffer-comebackemersion
2018-06-14Add back wlr_bufferemersion
This reverts commit d27eeaa14c9a35c709f09de862aa6d4f0ef9ff83.
2018-06-13Revert "Merge pull request #1050 from emersion/wlr-buffer"Drew DeVault
This reverts commit 5e4af4862e7247528eda0891c11daa1d86786c86, reversing changes made to 9a1f0e2d5fe56870f3bd7d12113742766e89f4e6.
2018-06-13surface: remove wlr_surface.textureemersion
The texture is managed by the surface's wlr_buffer now. In particular, the buffer can destroy the texture early if it becomes invalid.
2018-06-13Merge pull request #1047 from NotKit/gles2fixemersion
Fix GLES2 renderer to use glGetUniformLocations locations
2018-06-13Merge pull request #1050 from emersion/wlr-bufferDrew DeVault
Introduce wlr_buffer
2018-06-13gles2 renderer: introduce struct wlr_gles2_tex_shaderNeKit
2018-06-11buffer: make wlr_buffer_ref return the bufferemersion
2018-06-10rootston: Cancel existing keyboard grab when changing focusGenki Sky
It's possible that a non-default keyboard grab exists when we are trying to change focus. For example, say there is an XDG popup when we click on a different window. This popup's keyboard grab will swallow any keyboard_notify_enter(), meaning the newly-clicked window won't receive keyboard input. So, we cancel any existing grabs in roots_seat_set_focus(). Before this fix, a window would have been set as active but not receive keyboard entry. Fixes #233. Signed-off-by: Genki Sky <sky@genki.is>
2018-06-09Merge pull request #1052 from VincentVanlaer/egl-damage-khrDrew DeVault
Split eglSwapBuffersWithDamage feature detection
2018-06-09Rename egl.exts to match the extension namesVincent Vanlaer
2018-06-09Merge branch 'master' into wlr-bufferemersion
2018-06-09Split eglSwapBuffersWithDamage feature detectionVincent Vanlaer
Detecting whether eglSwapBuffersWithDamageEXT or eglSwapBuffersWithDamageKHR is used should be based on the extension string, not only on the availability of the function.
2018-06-09Merge pull request #1051 from RedSoxFan/fix-atti-assertemersion
Fix atti assert in wlr_egl_init
2018-06-08Fix atti assert in wlr_egl_initBrian Ashworth
2018-06-08Merge branch 'surface-fix-buffer-release'Drew DeVault