Commit Graph

936 Commits

Author SHA1 Message Date
Dominique Martinet 48e8da851d wlr_seat destroy: fix use-after-free when destroying clients
wl_resource_for_each_safe isn't safe to use here because it accesses
the list's head memory one last time at the end of the loop. Work
around this by breaking out early.

==19880==ERROR: AddressSanitizer: heap-use-after-free on address 0x60d0000e6368 at pc 0x7fab68619de2 bp 0x7ffd5c91cee0 sp 0x7ffd5c91ced0
READ of size 8 at 0x60d0000e6368 thread T0
    #0 0x7fab68619de1 in wlr_seat_destroy ../types/seat/wlr_seat.c:179
    #1 0x7fab68619fb9 in handle_display_destroy ../types/seat/wlr_seat.c:196
    #2 0x7fab688e4f8f in wl_priv_signal_emit src/wayland-server.c:2024
    #3 0x7fab688e56ca in wl_display_destroy src/wayland-server.c:1092
    #4 0x40c11e in server_fini ../sway/server.c:138
    #5 0x40b1a8 in main ../sway/main.c:438
    #6 0x7fab67b5e18a in __libc_start_main ../csu/libc-start.c:308
    #7 0x409359 in _start (/opt/wayland/bin/sway+0x409359)

0x60d0000e6368 is located 24 bytes inside of 144-byte region [0x60d0000e6350,0x60d0000e63e0)
freed by thread T0 here:
    #0 0x7fab6a7d6880 in __interceptor_free (/lib64/libasan.so.5+0xee880)
    #1 0x7fab68619805 in seat_client_handle_resource_destroy ../types/seat/wlr_seat.c:97
    #2 0x7fab688e5025 in destroy_resource src/wayland-server.c:688

previously allocated by thread T0 here:
    #0 0x7fab6a7d6e50 in calloc (/lib64/libasan.so.5+0xeee50)
    #1 0x7fab686198df in seat_handle_bind ../types/seat/wlr_seat.c:127
    #2 0x7fab6530503d in ffi_call_unix64 (/lib64/libffi.so.6+0x603d)
2018-07-04 14:50:14 +09:00
Ilia Bozhinov 00ccf5c3ae properly check if the point is inside the surface in wlr_surface_point_accepts_input 2018-07-03 10:29:02 +03:00
Drew DeVault 27cab67b96
Merge pull request #1105 from RyanDwyer/xdg-surface-for-each-popup
Introduce wlr_xdg_surface_for_each_popup
2018-07-01 06:39:06 -07:00
Ryan Dwyer 86f401e827 Introduce wlr_xdg_surface_for_each_popup
It is common to want to iterate an xdg-surface's popups separately from
the toplevel and subsurfaces. For example, popups are typically rendered
on top of most other surfaces.

wlr_xdg_surface_for_each_surface continues to iterate both surfaces and
popups to maintain backwards compatibility.
2018-07-01 23:24:39 +10:00
Dominique Martinet 9ddc2f39d0 wlr_seat destroy: fix use-after-free after primary selection source cancel
the primary_selection_source_destroy list points to memory freed by
that cancel callback, so remove from list before freeing
2018-07-01 21:04:43 +09:00
emersion dbb01cbcd0
screencopy: listen to buffer destroy 2018-06-30 22:18:04 +01:00
emersion 9aaa9ba477
screencopy: make frame resource inert after copy 2018-06-30 22:18:04 +01:00
emersion c421700f3d
screncopy: update protocol 2018-06-30 22:18:04 +01:00
emersion bf7560b7cd
screencopy: add capture_output_region support 2018-06-30 22:18:04 +01:00
emersion 2b9cbaddf3
screencopy: add support for frame flags 2018-06-30 22:18:03 +01:00
emersion bd8be19b79
screencopy: add presentation timestamp 2018-06-30 22:18:03 +01:00
emersion 73755ad348
screencopy-v1: add basic implementation 2018-06-30 22:17:59 +01:00
Dominique Martinet c263f7ca29 s/wlr_subsurface_from_surface/wlr_subsurface_from_wlr_surface/
This was the only x_from_wlr_surface function that lacked the wlr_ prefix,
let's have an API as uniform as possible.
2018-06-30 21:21:13 +09:00
Dominique Martinet 1fef1f88b2 export dmabuf manager_handle_capture_output: fix leak on error
Found through static analysis
2018-06-30 11:47:25 +09:00
Dominique Martinet b3313b7f39 wlr_output: fix scope for 'now'
'when' points to now that was defined in the if, so compiler could reuse
that memory area by the time 'when' is called

Found through static analysis.
2018-06-30 11:38:21 +09:00
Dominique Martinet efef54ccf5 wlr_keyboard: fix mmap leak + logic on close for keymap_fd
mmap leak found through static analysis
2018-06-30 11:38:21 +09:00
emersion ec7d4a0971
Merge pull request #1092 from martinetd/idle_inhibit
Idle inhibit cleanup
2018-06-28 14:33:07 +01:00
Dominique Martinet 93a75769f0 wlr_idle_inhibit_v1: cleanup destroy handlers
- Rename handlers to <type>_handle_resource_destroy and
<type>_handle_destroy to be coherent
 - Make sure we never destroy wl_resources when we shouldn't

Updates #999
2018-06-28 22:04:28 +09:00
Dominique Martinet a3e2a77734 xdg_popup: fix call to to handle_grab for inert popup 2018-06-28 20:28:15 +09:00
Dominique Martinet 970687a01c xdg_shell popup: fix potential segv in handle_destroy
surface could be NULL there if the popup had been made
inert before
2018-06-28 13:54:35 +09:00
Dominique Martinet d0b902b962 wlr_idle: add helper to enable/disable all timers
There was no way to tell wlr_idle to stop processing input events
and rearm timers all the time, such an API is required to have
some form of idle inhibitor.
2018-06-27 22:47:05 +09:00
Dominique Martinet ffd37b664f xdg_shell: destroy children popups with parent surface
popups have a link in parent's surface->popups list and needs
to be freed before:

==6902==ERROR: AddressSanitizer: heap-use-after-free on address 0x6120001a0300 at pc 0x7fc1447acb50 bp 0x7fffd396e680 sp 0x7fffd396e670
WRITE of size 8 at 0x6120001a0300 thread T0
    #0 0x7fc1447acb4f in wl_list_remove ../util/signal.c:55
    #1 0x7fc14477d206 in destroy_xdg_popup_v6 ../types/xdg_shell_v6/wlr_xdg_popup_v6.c:162
    #2 0x7fc1447816e0 in destroy_xdg_surface_v6 ../types/xdg_shell_v6/wlr_xdg_surface_v6.c:108
    #3 0x7fc144a1c025 in destroy_resource src/wayland-server.c:688
    #4 0x7fc144a1c091 in wl_resource_destroy src/wayland-server.c:705
    #5 0x7fc14477fd6f in xdg_client_v6_handle_resource_destroy ../types/xdg_shell_v6/wlr_xdg_shell_v6.c:72
    #6 0x7fc144a1c025 in destroy_resource src/wayland-server.c:688
    #7 0x7fc144a20851  (/lib64/libwayland-server.so.0+0xc851)
    #8 0x7fc144a20d92  (/lib64/libwayland-server.so.0+0xcd92)
    #9 0x7fc144a1c140 in wl_client_destroy src/wayland-server.c:847
    #10 0x7fc144a1c21c in destroy_client_with_error src/wayland-server.c:307
    #11 0x7fc144a1c21c in wl_client_connection_data src/wayland-server.c:330
    #12 0x7fc144a1df01 in wl_event_loop_dispatch src/event-loop.c:641
    #13 0x7fc144a1c601 in wl_display_run src/wayland-server.c:1260
    #14 0x40a2f4 in main ../sway/main.c:433
    #15 0x7fc143ef718a in __libc_start_main ../csu/libc-start.c:308
    #16 0x40b749 in _start (/opt/wayland/bin/sway+0x40b749)

0x6120001a0300 is located 64 bytes inside of 264-byte region [0x6120001a02c0,0x6120001a03c8)
freed by thread T0 here:
    #0 0x7fc14690d880 in __interceptor_free (/lib64/libasan.so.5+0xee880)
    #1 0x7fc1447acce8 in wlr_signal_emit_safe ../util/signal.c:29
    #2 0x7fc1447a3cac in surface_handle_resource_destroy ../types/wlr_surface.c:576
    #3 0x7fc144a1c025 in destroy_resource src/wayland-server.c:688

previously allocated by thread T0 here:
    #0 0x7fc14690de50 in calloc (/lib64/libasan.so.5+0xeee50)
    #1 0x7fc144781d38 in create_xdg_surface_v6 ../types/xdg_shell_v6/wlr_xdg_surface_v6.c:415
    #2 0x7fc14147503d in ffi_call_unix64 (/lib64/libffi.so.6+0x603d)

Alternative would be to have popups listen to the parent's surface
destroy event and remove themselves from the list at this point OR on
their own destroy, whichever happens first, but that seems more
complicated for little benefit.
2018-06-25 17:54:25 +09:00
Dominique Martinet 954969698a wlr_primary_selection: fix use-after-free when cancelling source
seat->primary_election_source_destroy points to the source that just got
freed by the cancel.

==7843==ERROR: AddressSanitizer: heap-use-after-free on address 0x60b0004269b0 at pc 0x7fb95bf4ccd0 bp 0x7ffd75013940 s
p 0x7ffd75013930
WRITE of size 8 at 0x60b0004269b0 thread T0
    #0 0x7fb95bf4cccf in wl_list_remove ../util/signal.c:55
    #1 0x7fb95bf3f4c6 in wlr_seat_set_primary_selection ../types/wlr_primary_selection.c:238
    #2 0x7fb95becb1a7 in xwm_handle_selection_event ../xwayland/selection/selection.c:124
    #3 0x7fb95bed2e5d in x11_event_handler ../xwayland/xwm.c:1139
    #4 0x7fb95c1bdf01 in wl_event_loop_dispatch src/event-loop.c:641
    #5 0x7fb95c1bc601 in wl_display_run src/wayland-server.c:1260
    #6 0x40a2f4 in main ../sway/main.c:433
    #7 0x7fb95b69718a in __libc_start_main (/lib64/libc.so.6+0x2318a)
    #8 0x40b749 in _start (/opt/wayland/bin/sway+0x40b749)

0x60b0004269b0 is located 64 bytes inside of 112-byte region [0x60b000426970,0x60b0004269e0)
freed by thread T0 here:
    #0 0x7fb95e0ad880 in __interceptor_free (/lib64/libasan.so.5+0xee880)
    #1 0x7fb95bf3f49e in wlr_seat_set_primary_selection ../types/wlr_primary_selection.c:236
    #2 0x7fb95becb1a7 in xwm_handle_selection_event ../xwayland/selection/selection.c:124
    #3 0x7fb95bed2e5d in x11_event_handler ../xwayland/xwm.c:1139
    #4 0x7fb95c1bdf01 in wl_event_loop_dispatch src/event-loop.c:641

previously allocated by thread T0 here:
    #0 0x7fb95e0ade50 in calloc (/lib64/libasan.so.5+0xeee50)
    #1 0x7fb95bec7ad6 in xwm_selection_get_targets ../xwayland/selection/incoming.c:355
    #2 0x7fb95bec7ad6 in xwm_handle_selection_notify ../xwayland/selection/incoming.c:402
    #3 0x7fb95becb1a7 in xwm_handle_selection_event ../xwayland/selection/selection.c:124
    #4 0x7fb95bed2e5d in x11_event_handler ../xwayland/xwm.c:1139
    #5 0x7fb95c1bdf01 in wl_event_loop_dispatch src/event-loop.c:641

SUMMARY: AddressSanitizer: heap-use-after-free ../util/signal.c:55 in wl_list_remove
Shadow bytes around the buggy address:
  0x0c168007cce0: fd fd fd fa fa fa fa fa fa fa fa fa fd fd fd fd
  0x0c168007ccf0: fd fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa
  0x0c168007cd00: fa fa fd fd fd fd fd fd fd fd fd fd fd fd fd fa
  0x0c168007cd10: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
  0x0c168007cd20: fd fd fd fd fd fa fa fa fa fa fa fa fa fa fd fd
=>0x0c168007cd30: fd fd fd fd fd fd[fd]fd fd fd fd fd fa fa fa fa
  0x0c168007cd40: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c168007cd50: fd fa fa fa fa fa fa fa fa fa fd fd fd fd fd fd
  0x0c168007cd60: fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa fa
  0x0c168007cd70: fd fd fd fd fd fd fd fd fd fd fd fd fd fa fa fa
  0x0c168007cd80: fa fa fa fa fa fa fd fd fd fd fd fd fd fd fd fd
2018-06-25 17:28:44 +09:00
Tony Crisci a2ff144429 input-inhibit: use wlr_signal_emit_safe 2018-06-24 19:33:15 -04:00
Tony Crisci 006edc9dcb xdg-shell: end pointer and keyboard grab at the same time 2018-06-24 18:50:04 -04:00
Drew DeVault e459fe0ec7
Merge pull request #992 from emersion/screencontent
Implement wlr_export_dmabuf_unstable_v1 protocol
2018-06-22 05:37:07 -07:00
Drew DeVault 47c7674a68
Merge pull request #1075 from emersion/fix-xdg-toplevel-compare
xdg-shell{,-v6}: fix compare_xdg_surface_toplevel_state
2018-06-20 18:54:01 -07:00
emersion a59774f364
xdg-shell{,-v6}: fix compare_xdg_surface_toplevel_state 2018-06-20 21:25:01 +01:00
emersion a6c0e25d36
surface: remove wlr_frame_callback
This removes the need to allocate a structure for frame callbacks.
wl_resource_get_link is used instead.
2018-06-20 20:00:23 +01:00
emersion 57548b557a
Merge branch 'master' into screencontent 2018-06-17 14:49:18 +01:00
emersion bd0c1b7949
export-dmabuf: update protocol 2018-06-17 14:19:45 +01:00
emersion 843621714f
surface: fix double wl_buffer.release events
Prior to this commit, we re-uploaded the buffer even if a new one
wasn't attached. After uploading, we send wl_buffer.release. So,
this sequence of requests resulted in a double release:

    surface.attach(buffer, 0, 0)
    surface.commit()
    <- buffer.release()
    surface.commit()
    <- buffer.release()
2018-06-17 12:49:34 +01:00
Drew DeVault fb118ac996
Merge pull request #1062 from emersion/wlr-buffer-comeback
Add back wlr_buffer
2018-06-16 13:43:14 -07:00
emersion 225aa815b0
buffer: fix wlr_texture leak on failed alloc 2018-06-16 19:01:13 +01:00
Ilia Bozhinov 23707f6504 layer-shell: check whether the surface is mapped in layer_surface_destroy()
If the layer surface has been closed by the compositor, using
layer_surface_close(), then the unmap event is emitted. However, when
the layer surface is later destroyed by the client, the compositor used
to get a second unmap, which is fixed with this commit.
2018-06-16 17:29:53 +03:00
emersion da114d5013
buffer: don't destroy DMA-BUF textures with wl_buffer
After some discussions on #wayland, it seems that as soon as you
hold a reference to a DMA-BUF (via EGLImage for instance), the
underlying memory won't get free'd. The client is allowed to
re-use the DMA-BUF and upload something else to it though.
2018-06-14 10:15:14 +01:00
Drew DeVault d27eeaa14c Revert "Merge pull request #1050 from emersion/wlr-buffer"
This reverts commit 5e4af4862e, reversing
changes made to 9a1f0e2d5f.
2018-06-13 19:57:42 -04:00
emersion 0378d143d9
surface: remove wlr_surface.texture
The texture is managed by the surface's wlr_buffer now. In
particular, the buffer can destroy the texture early if it becomes
invalid.
2018-06-13 19:38:10 +01:00
emersion 38d415dd20
buffer: make wlr_buffer_ref return the buffer 2018-06-11 08:13:35 +01:00
emersion e4933ab445
Introduce wlr_buffer 2018-06-08 20:06:13 +01:00
emersion 6f895081e1
Merge pull request #1043 from acrisci/drag-icon-unmap
drag-icon map and unmap fixes
2018-06-07 11:18:58 +01:00
emersion 211463ba87
Merge pull request #1045 from ammen99/master
xdg-shells: add a set_parent signal to toplevel surfaces
2018-06-06 21:38:32 +01:00
Tony Crisci 1a07bf95ae
Merge pull request #1044 from emersion/fix-box-intersection
box: fix wlr_box_intersection
2018-06-06 11:59:40 -04:00
Ilia Bozhinov a989104a6b xdg-shells: add a set_parent signal to toplevel surfaces 2018-06-06 17:08:06 +03:00
emersion ed89a24328
box: fix wlr_box_intersection 2018-06-06 08:47:04 +01:00
Tony Crisci 7c888a39c6 update drag position at the right times 2018-06-05 23:45:03 -04:00
Tony Crisci 319ebdf476 add back map event 2018-06-05 22:50:29 -04:00
Tony Crisci 1c75d4e54a rename drag-icon map to unmap 2018-06-05 18:17:42 -04:00
Dominique Martinet c6821f3dd3 wlr_surface: insert subsurfaces in revert order
sibling surfaces were drawn in incorrect order (e.g. latest below).
This attempts to fix that by reverting the order of the list.
2018-06-05 21:02:42 +09:00
Tony Crisci 7206997e95 fix wlr_box_intersection and closest_point 2018-06-04 18:56:57 -04:00