From de955a0f63e17e259b7966bf7c32d605f96d52cc Mon Sep 17 00:00:00 2001 From: Dominique Martinet Date: Sat, 30 Dec 2017 17:16:00 +0100 Subject: [PATCH 1/5] xdg_popup_grab: add listener on seat destroy --- include/wlr/types/wlr_xdg_shell.h | 1 + include/wlr/types/wlr_xdg_shell_v6.h | 1 + types/wlr_xdg_shell.c | 21 +++++++++++++++++++++ types/wlr_xdg_shell_v6.c | 21 +++++++++++++++++++++ 4 files changed, 44 insertions(+) diff --git a/include/wlr/types/wlr_xdg_shell.h b/include/wlr/types/wlr_xdg_shell.h index ad0a626f..a5fa093b 100644 --- a/include/wlr/types/wlr_xdg_shell.h +++ b/include/wlr/types/wlr_xdg_shell.h @@ -53,6 +53,7 @@ struct wlr_xdg_popup_grab { struct wlr_seat *seat; struct wl_list popups; struct wl_list link; // wlr_xdg_shell::popup_grabs + struct wl_listener seat_destroy; }; enum wlr_xdg_surface_role { diff --git a/include/wlr/types/wlr_xdg_shell_v6.h b/include/wlr/types/wlr_xdg_shell_v6.h index d8503d28..a1bdac1b 100644 --- a/include/wlr/types/wlr_xdg_shell_v6.h +++ b/include/wlr/types/wlr_xdg_shell_v6.h @@ -53,6 +53,7 @@ struct wlr_xdg_popup_grab_v6 { struct wlr_seat *seat; struct wl_list popups; struct wl_list link; // wlr_xdg_shell_v6::popup_grabs + struct wl_listener seat_destroy; }; enum wlr_xdg_surface_v6_role { diff --git a/types/wlr_xdg_shell.c b/types/wlr_xdg_shell.c index 5b02088d..f01d81a5 100644 --- a/types/wlr_xdg_shell.c +++ b/types/wlr_xdg_shell.c @@ -131,6 +131,24 @@ static const struct wlr_keyboard_grab_interface xdg_keyboard_grab_impl = { .cancel = xdg_keyboard_grab_cancel, }; +static void xdg_surface_destroy(struct wlr_xdg_surface *surface); + +static void wlr_xdg_popup_grab_handle_seat_destroy( + struct wl_listener *listener, void *data) { + struct wlr_xdg_popup_grab *xdg_grab = + wl_container_of(listener, xdg_grab, seat_destroy); + + wl_list_remove(&xdg_grab->seat_destroy.link); + + struct wlr_xdg_popup *popup, *next; + wl_list_for_each_safe(popup, next, &xdg_grab->popups, grab_link) { + xdg_surface_destroy(popup->base); + } + + wl_list_remove(&xdg_grab->link); + free(xdg_grab); +} + static struct wlr_xdg_popup_grab *xdg_shell_popup_grab_from_seat( struct wlr_xdg_shell *shell, struct wlr_seat *seat) { struct wlr_xdg_popup_grab *xdg_grab; @@ -155,6 +173,9 @@ static struct wlr_xdg_popup_grab *xdg_shell_popup_grab_from_seat( wl_list_insert(&shell->popup_grabs, &xdg_grab->link); xdg_grab->seat = seat; + xdg_grab->seat_destroy.notify = wlr_xdg_popup_grab_handle_seat_destroy; + wl_signal_add(&seat->events.destroy, &xdg_grab->seat_destroy); + return xdg_grab; } diff --git a/types/wlr_xdg_shell_v6.c b/types/wlr_xdg_shell_v6.c index a0c74e6f..2aaa607b 100644 --- a/types/wlr_xdg_shell_v6.c +++ b/types/wlr_xdg_shell_v6.c @@ -131,6 +131,24 @@ static const struct wlr_keyboard_grab_interface xdg_keyboard_grab_impl = { .cancel = xdg_keyboard_grab_cancel, }; +static void xdg_surface_destroy(struct wlr_xdg_surface_v6 *surface); + +static void wlr_xdg_popup_grab_handle_seat_destroy( + struct wl_listener *listener, void *data) { + struct wlr_xdg_popup_grab_v6 *xdg_grab = + wl_container_of(listener, xdg_grab, seat_destroy); + + wl_list_remove(&xdg_grab->seat_destroy.link); + + struct wlr_xdg_popup_v6 *popup, *next; + wl_list_for_each_safe(popup, next, &xdg_grab->popups, grab_link) { + xdg_surface_destroy(popup->base); + } + + wl_list_remove(&xdg_grab->link); + free(xdg_grab); +} + static struct wlr_xdg_popup_grab_v6 *xdg_shell_popup_grab_from_seat( struct wlr_xdg_shell_v6 *shell, struct wlr_seat *seat) { struct wlr_xdg_popup_grab_v6 *xdg_grab; @@ -155,6 +173,9 @@ static struct wlr_xdg_popup_grab_v6 *xdg_shell_popup_grab_from_seat( wl_list_insert(&shell->popup_grabs, &xdg_grab->link); xdg_grab->seat = seat; + xdg_grab->seat_destroy.notify = wlr_xdg_popup_grab_handle_seat_destroy; + wl_signal_add(&seat->events.destroy, &xdg_grab->seat_destroy); + return xdg_grab; } From d9a3c6694281fae6f720f91230e8ec27df8fd82b Mon Sep 17 00:00:00 2001 From: Dominique Martinet Date: Sat, 17 Mar 2018 17:04:51 +0100 Subject: [PATCH 2/5] rootston/output: fix leak in damage_from_surface --- rootston/output.c | 1 + 1 file changed, 1 insertion(+) diff --git a/rootston/output.c b/rootston/output.c index 4146e3e2..22c0d7ed 100644 --- a/rootston/output.c +++ b/rootston/output.c @@ -680,6 +680,7 @@ static void damage_from_surface(struct wlr_surface *surface, } pixman_region32_translate(&damage, box.x, box.y); wlr_output_damage_add(output->damage, &damage); + pixman_region32_fini(&damage); } else { pixman_box32_t *extents = pixman_region32_extents(&surface->current->surface_damage); From b0c2bbebd1c4c50173a01175d049842b79ee7e1b Mon Sep 17 00:00:00 2001 From: Dominique Martinet Date: Sat, 17 Mar 2018 17:06:03 +0100 Subject: [PATCH 3/5] x11 backend: fix various leaks - xcb_query_pointer_reply return value needs to be freed - call XCloseDisplay - remove wl event_source --- backend/x11/backend.c | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/backend/x11/backend.c b/backend/x11/backend.c index cb29e518..dd2c0a6e 100644 --- a/backend/x11/backend.c +++ b/backend/x11/backend.c @@ -143,6 +143,7 @@ static bool handle_x11_event(struct wlr_x11_backend *x11, xcb_generic_event_t *e }; wlr_signal_emit_safe(&x11->pointer.events.motion_absolute, &abs); + free(pointer); break; } case XCB_CLIENT_MESSAGE: { @@ -317,12 +318,20 @@ static void wlr_x11_backend_destroy(struct wlr_backend *backend) { wlr_signal_emit_safe(&backend->events.destroy, backend); + if (x11->event_source) { + wl_event_source_remove(x11->event_source); + } wl_list_remove(&x11->display_destroy.link); wl_event_source_remove(x11->frame_timer); wlr_egl_finish(&x11->egl); - xcb_disconnect(x11->xcb_conn); + if (x11->xcb_conn) { + xcb_disconnect(x11->xcb_conn); + } + if (x11->xlib_conn) { + XCloseDisplay(x11->xlib_conn); + } free(x11); } From d5e14ab2470032a5f8152c685415724a4734b492 Mon Sep 17 00:00:00 2001 From: Dominique Martinet Date: Sat, 17 Mar 2018 17:11:43 +0100 Subject: [PATCH 4/5] wayland backend: fix use-after free on output destroy ==12021==ERROR: AddressSanitizer: heap-use-after-free on address 0x617000015698 at pc 0x7f1a9abe1c09 bp 0x7ffe9068f6b0 sp 0x7ffe9068f6a0 WRITE of size 4 at 0x617000015698 thread T0 #0 0x7f1a9abe1c08 in pointer_handle_leave ../backend/wayland/wl_seat.c:40 #1 0x7f1a96ae7d1d in ffi_call_unix64 (/lib64/libffi.so.6+0x5d1d) #2 0x7f1a96ae768e in ffi_call (/lib64/libffi.so.6+0x568e) #3 0x7f1a988e0d8a (/lib64/libwayland-client.so.0+0x8d8a) #4 0x7f1a988dd927 (/lib64/libwayland-client.so.0+0x5927) #5 0x7f1a988debe3 in wl_display_dispatch_queue_pending (/lib64/libwayland-client.so.0+0x6be3) #6 0x7f1a9abdd6d6 in dispatch_events ../backend/wayland/backend.c:28 #7 0x7f1a9a968c11 in wl_event_loop_dispatch (/lib64/libwayland-server.so.0+0x9c11) #8 0x7f1a9a967449 in wl_display_run (/lib64/libwayland-server.so.0+0x8449) #9 0x418dff in main ../rootston/main.c:81 #10 0x7f1a99b5ef29 in __libc_start_main (/lib64/libc.so.6+0x20f29) #11 0x4057c9 in _start (/home/shared/wayland/wlroots/build/rootston/rootston+0x4057c9) 0x617000015698 is located 664 bytes inside of 696-byte region [0x617000015400,0x6170000156b8) freed by thread T0 here: #0 0x7f1a9af754b8 in __interceptor_free (/lib64/libasan.so.4+0xde4b8) #1 0x7f1a9abe01ee in wlr_wl_output_destroy ../backend/wayland/output.c:194 #2 0x7f1a9ac12918 in wlr_output_destroy ../types/wlr_output.c:299 #3 0x7f1a9abe061b in xdg_toplevel_handle_close ../backend/wayland/output.c:255 #4 0x7f1a96ae7d1d in ffi_call_unix64 (/lib64/libffi.so.6+0x5d1d) #5 0x7f1a96ae768e in ffi_call (/lib64/libffi.so.6+0x568e) #6 0x7f1a988e0d8a (/lib64/libwayland-client.so.0+0x8d8a) #7 0x7f1a988dd927 (/lib64/libwayland-client.so.0+0x5927) #8 0x7f1a988debe3 in wl_display_dispatch_queue_pending (/lib64/libwayland-client.so.0+0x6be3) #9 0x7f1a9abdd6d6 in dispatch_events ../backend/wayland/backend.c:28 #10 0x7f1a9a968c11 in wl_event_loop_dispatch (/lib64/libwayland-server.so.0+0x9c11) #11 0x7f1a9a967449 in wl_display_run (/lib64/libwayland-server.so.0+0x8449) #12 0x418dff in main ../rootston/main.c:81 #13 0x7f1a99b5ef29 in __libc_start_main (/lib64/libc.so.6+0x20f29) #14 0x4057c9 in _start (/home/shared/wayland/wlroots/build/rootston/rootston+0x4057c9) previously allocated by thread T0 here: #0 0x7f1a9af75a38 in __interceptor_calloc (/lib64/libasan.so.4+0xdea38) #1 0x7f1a9abe0703 in wlr_wl_output_create ../backend/wayland/output.c:272 #2 0x7f1a9abdd8eb in wlr_wl_backend_start ../backend/wayland/backend.c:55 #3 0x7f1a9abbeb49 in wlr_backend_start ../backend/backend.c:28 #4 0x7f1a9abd8ce1 in multi_backend_start ../backend/multi/backend.c:24 #5 0x7f1a9abbeb49 in wlr_backend_start ../backend/backend.c:28 #6 0x418c32 in main ../rootston/main.c:58 #7 0x7f1a99b5ef29 in __libc_start_main (/lib64/libc.so.6+0x20f29) #8 0x4057c9 in _start (/home/shared/wayland/wlroots/build/rootston/rootston+0x4057c9) --- backend/wayland/wl_seat.c | 17 ++++++++++++++++- include/backend/wayland.h | 1 + 2 files changed, 17 insertions(+), 1 deletion(-) diff --git a/backend/wayland/wl_seat.c b/backend/wayland/wl_seat.c index 841e693d..6ca59130 100644 --- a/backend/wayland/wl_seat.c +++ b/backend/wayland/wl_seat.c @@ -26,6 +26,11 @@ static void pointer_handle_enter(void *data, struct wl_pointer *wl_pointer, // GNOME sends a pointer enter when the surface is being destroyed return; } + if (wlr_wl_pointer->current_output) { + wl_list_remove(&wlr_wl_pointer->output_destroy_listener.link); + } + wl_signal_add(&output->wlr_output.events.destroy, + &wlr_wl_pointer->output_destroy_listener); wlr_wl_pointer->current_output = output; output->enter_serial = serial; wlr_wl_output_update_cursor(output); @@ -49,7 +54,7 @@ static void pointer_handle_motion(void *data, struct wl_pointer *wl_pointer, struct wlr_wl_pointer *wlr_wl_pointer = (struct wlr_wl_pointer *)dev->pointer; if (!wlr_wl_pointer->current_output) { - wlr_log(L_ERROR, "pointer motion event without current output"); + wlr_log(L_DEBUG, "pointer motion event without current output"); return; } @@ -231,6 +236,14 @@ static struct wlr_input_device *allocate_device(struct wlr_wl_backend *backend, return wlr_device; } +static void wlr_wl_pointer_handle_output_destroy(struct wl_listener *listener, + void *data) { + struct wlr_wl_pointer *wlr_wl_pointer = + wl_container_of(listener, wlr_wl_pointer, output_destroy_listener); + wlr_wl_pointer->current_output = NULL; + wl_list_remove(&wlr_wl_pointer->output_destroy_listener.link); +} + static void seat_handle_capabilities(void *data, struct wl_seat *wl_seat, enum wl_seat_capability caps) { struct wlr_wl_backend *backend = data; @@ -243,6 +256,8 @@ static void seat_handle_capabilities(void *data, struct wl_seat *wl_seat, wlr_log(L_ERROR, "Unable to allocate wlr_wl_pointer"); return; } + wlr_wl_pointer->output_destroy_listener.notify = + wlr_wl_pointer_handle_output_destroy; struct wlr_input_device *wlr_device; if (!(wlr_device = allocate_device(backend, WLR_INPUT_DEVICE_POINTER))) { diff --git a/include/backend/wayland.h b/include/backend/wayland.h index b68208af..00b6ae89 100644 --- a/include/backend/wayland.h +++ b/include/backend/wayland.h @@ -71,6 +71,7 @@ struct wlr_wl_pointer { struct wlr_pointer wlr_pointer; enum wlr_axis_source axis_source; struct wlr_wl_backend_output *current_output; + struct wl_listener output_destroy_listener; }; void wlr_wl_registry_poll(struct wlr_wl_backend *backend); From e86cd4dc33e495c2e5cacd319ba75984ea19a868 Mon Sep 17 00:00:00 2001 From: Dominique Martinet Date: Thu, 22 Mar 2018 19:57:11 +0100 Subject: [PATCH 5/5] wlr_pointer: fix potential null deref if pointer is null here we'd access pointer->events... anyway --- types/wlr_pointer.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/types/wlr_pointer.c b/types/wlr_pointer.c index bc9efd8c..9d5dc08c 100644 --- a/types/wlr_pointer.c +++ b/types/wlr_pointer.c @@ -14,7 +14,10 @@ void wlr_pointer_init(struct wlr_pointer *pointer, } void wlr_pointer_destroy(struct wlr_pointer *pointer) { - if (pointer && pointer->impl && pointer->impl->destroy) { + if (!pointer) { + return; + } + if (pointer->impl && pointer->impl->destroy) { pointer->impl->destroy(pointer); } else { wl_list_remove(&pointer->events.motion.listener_list);