Commit Graph

3840 Commits

Author SHA1 Message Date
Tony Crisci e51829ff7c
Merge pull request #1084 from martinetd/use-after-free
use-after-free fixes (xdg_shell popups, primary selection source, xwm parents)
2018-06-25 11:03:07 -04:00
Dominique Martinet ffd37b664f xdg_shell: destroy children popups with parent surface
popups have a link in parent's surface->popups list and needs
to be freed before:

==6902==ERROR: AddressSanitizer: heap-use-after-free on address 0x6120001a0300 at pc 0x7fc1447acb50 bp 0x7fffd396e680 sp 0x7fffd396e670
WRITE of size 8 at 0x6120001a0300 thread T0
    #0 0x7fc1447acb4f in wl_list_remove ../util/signal.c:55
    #1 0x7fc14477d206 in destroy_xdg_popup_v6 ../types/xdg_shell_v6/wlr_xdg_popup_v6.c:162
    #2 0x7fc1447816e0 in destroy_xdg_surface_v6 ../types/xdg_shell_v6/wlr_xdg_surface_v6.c:108
    #3 0x7fc144a1c025 in destroy_resource src/wayland-server.c:688
    #4 0x7fc144a1c091 in wl_resource_destroy src/wayland-server.c:705
    #5 0x7fc14477fd6f in xdg_client_v6_handle_resource_destroy ../types/xdg_shell_v6/wlr_xdg_shell_v6.c:72
    #6 0x7fc144a1c025 in destroy_resource src/wayland-server.c:688
    #7 0x7fc144a20851  (/lib64/libwayland-server.so.0+0xc851)
    #8 0x7fc144a20d92  (/lib64/libwayland-server.so.0+0xcd92)
    #9 0x7fc144a1c140 in wl_client_destroy src/wayland-server.c:847
    #10 0x7fc144a1c21c in destroy_client_with_error src/wayland-server.c:307
    #11 0x7fc144a1c21c in wl_client_connection_data src/wayland-server.c:330
    #12 0x7fc144a1df01 in wl_event_loop_dispatch src/event-loop.c:641
    #13 0x7fc144a1c601 in wl_display_run src/wayland-server.c:1260
    #14 0x40a2f4 in main ../sway/main.c:433
    #15 0x7fc143ef718a in __libc_start_main ../csu/libc-start.c:308
    #16 0x40b749 in _start (/opt/wayland/bin/sway+0x40b749)

0x6120001a0300 is located 64 bytes inside of 264-byte region [0x6120001a02c0,0x6120001a03c8)
freed by thread T0 here:
    #0 0x7fc14690d880 in __interceptor_free (/lib64/libasan.so.5+0xee880)
    #1 0x7fc1447acce8 in wlr_signal_emit_safe ../util/signal.c:29
    #2 0x7fc1447a3cac in surface_handle_resource_destroy ../types/wlr_surface.c:576
    #3 0x7fc144a1c025 in destroy_resource src/wayland-server.c:688

previously allocated by thread T0 here:
    #0 0x7fc14690de50 in calloc (/lib64/libasan.so.5+0xeee50)
    #1 0x7fc144781d38 in create_xdg_surface_v6 ../types/xdg_shell_v6/wlr_xdg_surface_v6.c:415
    #2 0x7fc14147503d in ffi_call_unix64 (/lib64/libffi.so.6+0x603d)

Alternative would be to have popups listen to the parent's surface
destroy event and remove themselves from the list at this point OR on
their own destroy, whichever happens first, but that seems more
complicated for little benefit.
2018-06-25 17:54:25 +09:00
Dominique Martinet 4a1c9a1925 xwm: fix use-after-free involving parents/children
Happens when e.g. closing gimp.

==24039==ERROR: AddressSanitizer: heap-use-after-free on address 0x6150001a7a78 at pc 0x7f09b09f1bb2 bp 0x7ffcf0237bf0 sp 0x7ffcf0237be0
WRITE of size 8 at 0x6150001a7a78 thread T0
    #0 0x7f09b09f1bb1 in wl_list_remove ../util/signal.c:55
    #1 0x7f09b094cf03 in xwayland_surface_destroy ../xwayland/xwm.c:295
    #2 0x7f09b0950245 in xwm_handle_destroy_notify ../xwayland/xwm.c:717
    #3 0x7f09b095304a in x11_event_handler ../xwayland/xwm.c:1149
    #4 0x7f09b0c68f01 in wl_event_loop_dispatch src/event-loop.c:641
    #5 0x7f09b0c67601 in wl_display_run src/wayland-server.c:1260
    #6 0x40a2f4 in main ../sway/main.c:433
    #7 0x7f09b011018a in __libc_start_main (/lib64/libc.so.6+0x2318a)
    #8 0x40b749 in _start (/opt/wayland/bin/sway+0x40b749)

0x6150001a7a78 is located 120 bytes inside of 496-byte region [0x6150001a7a00,0x6150001a7bf0)
freed by thread T0 here:
    #0 0x7f09b2b58880 in __interceptor_free (/lib64/libasan.so.5+0xee880)
    #1 0x7f09b094d1a1 in xwayland_surface_destroy ../xwayland/xwm.c:315
    #2 0x7f09b0950245 in xwm_handle_destroy_notify ../xwayland/xwm.c:717
    #3 0x7f09b095304a in x11_event_handler ../xwayland/xwm.c:1149
    #4 0x7f09b0c68f01 in wl_event_loop_dispatch src/event-loop.c:641
    #5 0x7f09b0c67601 in wl_display_run src/wayland-server.c:1260
    #6 0x40a2f4 in main ../sway/main.c:433
    #7 0x7f09b011018a in __libc_start_main (/lib64/libc.so.6+0x2318a)
    #8 0x40b749 in _start (/opt/wayland/bin/sway+0x40b749)

previously allocated by thread T0 here:
    #0 0x7f09b2b58e50 in calloc (/lib64/libasan.so.5+0xeee50)
    #1 0x7f09b094b585 in xwayland_surface_create ../xwayland/xwm.c:119
    #2 0x7f09b0950151 in xwm_handle_create_notify ../xwayland/xwm.c:706
    #3 0x7f09b0953032 in x11_event_handler ../xwayland/xwm.c:1146
    #4 0x7f09b0c68f01 in wl_event_loop_dispatch src/event-loop.c:641
    #5 0x7f09b0c67601 in wl_display_run src/wayland-server.c:1260
    #6 0x40a2f4 in main ../sway/main.c:433
    #7 0x7f09b011018a in __libc_start_main (/lib64/libc.so.6+0x2318a)
    #8 0x40b749 in _start (/opt/wayland/bin/sway+0x40b749)
2018-06-25 17:28:44 +09:00
Dominique Martinet 954969698a wlr_primary_selection: fix use-after-free when cancelling source
seat->primary_election_source_destroy points to the source that just got
freed by the cancel.

==7843==ERROR: AddressSanitizer: heap-use-after-free on address 0x60b0004269b0 at pc 0x7fb95bf4ccd0 bp 0x7ffd75013940 s
p 0x7ffd75013930
WRITE of size 8 at 0x60b0004269b0 thread T0
    #0 0x7fb95bf4cccf in wl_list_remove ../util/signal.c:55
    #1 0x7fb95bf3f4c6 in wlr_seat_set_primary_selection ../types/wlr_primary_selection.c:238
    #2 0x7fb95becb1a7 in xwm_handle_selection_event ../xwayland/selection/selection.c:124
    #3 0x7fb95bed2e5d in x11_event_handler ../xwayland/xwm.c:1139
    #4 0x7fb95c1bdf01 in wl_event_loop_dispatch src/event-loop.c:641
    #5 0x7fb95c1bc601 in wl_display_run src/wayland-server.c:1260
    #6 0x40a2f4 in main ../sway/main.c:433
    #7 0x7fb95b69718a in __libc_start_main (/lib64/libc.so.6+0x2318a)
    #8 0x40b749 in _start (/opt/wayland/bin/sway+0x40b749)

0x60b0004269b0 is located 64 bytes inside of 112-byte region [0x60b000426970,0x60b0004269e0)
freed by thread T0 here:
    #0 0x7fb95e0ad880 in __interceptor_free (/lib64/libasan.so.5+0xee880)
    #1 0x7fb95bf3f49e in wlr_seat_set_primary_selection ../types/wlr_primary_selection.c:236
    #2 0x7fb95becb1a7 in xwm_handle_selection_event ../xwayland/selection/selection.c:124
    #3 0x7fb95bed2e5d in x11_event_handler ../xwayland/xwm.c:1139
    #4 0x7fb95c1bdf01 in wl_event_loop_dispatch src/event-loop.c:641

previously allocated by thread T0 here:
    #0 0x7fb95e0ade50 in calloc (/lib64/libasan.so.5+0xeee50)
    #1 0x7fb95bec7ad6 in xwm_selection_get_targets ../xwayland/selection/incoming.c:355
    #2 0x7fb95bec7ad6 in xwm_handle_selection_notify ../xwayland/selection/incoming.c:402
    #3 0x7fb95becb1a7 in xwm_handle_selection_event ../xwayland/selection/selection.c:124
    #4 0x7fb95bed2e5d in x11_event_handler ../xwayland/xwm.c:1139
    #5 0x7fb95c1bdf01 in wl_event_loop_dispatch src/event-loop.c:641

SUMMARY: AddressSanitizer: heap-use-after-free ../util/signal.c:55 in wl_list_remove
Shadow bytes around the buggy address:
  0x0c168007cce0: fd fd fd fa fa fa fa fa fa fa fa fa fd fd fd fd
  0x0c168007ccf0: fd fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa
  0x0c168007cd00: fa fa fd fd fd fd fd fd fd fd fd fd fd fd fd fa
  0x0c168007cd10: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
  0x0c168007cd20: fd fd fd fd fd fa fa fa fa fa fa fa fa fa fd fd
=>0x0c168007cd30: fd fd fd fd fd fd[fd]fd fd fd fd fd fa fa fa fa
  0x0c168007cd40: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c168007cd50: fd fa fa fa fa fa fa fa fa fa fd fd fd fd fd fd
  0x0c168007cd60: fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa fa
  0x0c168007cd70: fd fd fd fd fd fd fd fd fd fd fd fd fd fa fa fa
  0x0c168007cd80: fa fa fa fa fa fa fd fd fd fd fd fd fd fd fd fd
2018-06-25 17:28:44 +09:00
Rostislav Pehlivanov 5707653e85 examples/dmabuf-capture: move encoding to a separate thread
Drop new frames if too slow. Speeds up encoding significantly, even with vaapi.
2018-06-25 06:41:59 +01:00
Drew DeVault 253a88f030
Merge pull request #1086 from acrisci/input-inhibit-emit-safe
input-inhibit: use wlr_signal_emit_safe
2018-06-24 16:44:53 -07:00
Tony Crisci a2ff144429 input-inhibit: use wlr_signal_emit_safe 2018-06-24 19:33:15 -04:00
Drew DeVault 4c6d80606d
Merge pull request #1085 from acrisci/xdg-popup-grab-fixes
xdg-shell: end pointer and keyboard grab at the same time
2018-06-24 16:07:01 -07:00
Tony Crisci 006edc9dcb xdg-shell: end pointer and keyboard grab at the same time 2018-06-24 18:50:04 -04:00
Tony Crisci 0fa784de0e
Merge pull request #1054 from swaywm/cancel-grab-on-focus-change
rootston: Cancel existing keyboard grab when changing focus
2018-06-24 18:38:52 -04:00
Tony Crisci 356e466d5a use seat function to end grab 2018-06-24 18:18:30 -04:00
Tony Crisci e8c0996b93 Merge branch 'master' into cancel-grab-on-focus-change 2018-06-24 18:16:42 -04:00
Drew DeVault e459fe0ec7
Merge pull request #992 from emersion/screencontent
Implement wlr_export_dmabuf_unstable_v1 protocol
2018-06-22 05:37:07 -07:00
Drew DeVault 47c7674a68
Merge pull request #1075 from emersion/fix-xdg-toplevel-compare
xdg-shell{,-v6}: fix compare_xdg_surface_toplevel_state
2018-06-20 18:54:01 -07:00
emersion 0e3b35c87e
Merge pull request #1072 from emersion/surface-remove-matrices
surface: remove matrices
2018-06-20 21:29:17 +01:00
emersion a59774f364
xdg-shell{,-v6}: fix compare_xdg_surface_toplevel_state 2018-06-20 21:25:01 +01:00
Scott Anderson df876a7cf8
Merge pull request #1073 from tobiasblass/fix_recvmsg_endless_loop
FIX: Suprocess loops endlessly when the control socket closes.
2018-06-21 08:18:37 +12:00
Drew DeVault 637479ce05
Merge pull request #1071 from emersion/remove-wlr-frame-callback
surface: remove wlr_frame_callback
2018-06-20 13:04:26 -07:00
emersion 831b7297a4
surface: remove matrices
These were unused.
2018-06-20 21:01:35 +01:00
Tobias Blass 482fc48c74 FIX: Suprocess loops endlessly when the control socket closes.
recvmsg(3) returns 0 if the connection partner has shut down its socket.
The communicate function considered 0 a successful message, though, and
keeps calling recvmsg(3) again and again.
2018-06-20 22:00:45 +02:00
emersion a6c0e25d36
surface: remove wlr_frame_callback
This removes the need to allocate a structure for frame callbacks.
wl_resource_get_link is used instead.
2018-06-20 20:00:23 +01:00
emersion cc89906ddf
Merge pull request #1067 from emersion/fix-surface-double-release
surface: fix double wl_buffer.release events
2018-06-17 18:24:34 +01:00
Rostislav Pehlivanov ed7d5b0f53 Fix example 2018-06-17 15:19:17 +01:00
emersion 57548b557a
Merge branch 'master' into screencontent 2018-06-17 14:49:18 +01:00
emersion bd0c1b7949
export-dmabuf: update protocol 2018-06-17 14:19:45 +01:00
Rostislav Pehlivanov 9eddcbc376 Update example and protocol 2018-06-17 14:06:52 +01:00
emersion 843621714f
surface: fix double wl_buffer.release events
Prior to this commit, we re-uploaded the buffer even if a new one
wasn't attached. After uploading, we send wl_buffer.release. So,
this sequence of requests resulted in a double release:

    surface.attach(buffer, 0, 0)
    surface.commit()
    <- buffer.release()
    surface.commit()
    <- buffer.release()
2018-06-17 12:49:34 +01:00
Drew DeVault fb118ac996
Merge pull request #1062 from emersion/wlr-buffer-comeback
Add back wlr_buffer
2018-06-16 13:43:14 -07:00
emersion 225aa815b0
buffer: fix wlr_texture leak on failed alloc 2018-06-16 19:01:13 +01:00
emersion ac0f9acb06
Merge pull request #1066 from ammen99/master
layer-shell: check if the surface is mapped in layer_surface_destroy()
2018-06-16 15:44:01 +01:00
Ilia Bozhinov 23707f6504 layer-shell: check whether the surface is mapped in layer_surface_destroy()
If the layer surface has been closed by the compositor, using
layer_surface_close(), then the unmap event is emitted. However, when
the layer surface is later destroyed by the client, the compositor used
to get a second unmap, which is fixed with this commit.
2018-06-16 17:29:53 +03:00
Drew DeVault 8e33deb0be
Merge pull request #1063 from ascent12/multi-seat
Multiseat fixes
2018-06-14 10:37:06 -07:00
emersion da114d5013
buffer: don't destroy DMA-BUF textures with wl_buffer
After some discussions on #wayland, it seems that as soon as you
hold a reference to a DMA-BUF (via EGLImage for instance), the
underlying memory won't get free'd. The client is allowed to
re-use the DMA-BUF and upload something else to it though.
2018-06-14 10:15:14 +01:00
Scott Anderson 964e0a50be Check for seat0 properly 2018-06-14 21:02:32 +12:00
Scott Anderson 47985d2dc5 Multiseat fixes 2018-06-14 20:46:16 +12:00
emersion 73f924b5ec
Merge branch 'remove-surface-texture' into wlr-buffer-comeback 2018-06-14 08:56:49 +01:00
emersion 3a2ef75d3a
Add back wlr_buffer
This reverts commit d27eeaa14c.
2018-06-14 08:51:38 +01:00
Drew DeVault d27eeaa14c Revert "Merge pull request #1050 from emersion/wlr-buffer"
This reverts commit 5e4af4862e, reversing
changes made to 9a1f0e2d5f.
2018-06-13 19:57:42 -04:00
emersion 0378d143d9
surface: remove wlr_surface.texture
The texture is managed by the surface's wlr_buffer now. In
particular, the buffer can destroy the texture early if it becomes
invalid.
2018-06-13 19:38:10 +01:00
emersion d643361c48
Merge pull request #1047 from NotKit/gles2fix
Fix GLES2 renderer to use glGetUniformLocations locations
2018-06-13 15:37:16 +01:00
Drew DeVault 5e4af4862e
Merge pull request #1050 from emersion/wlr-buffer
Introduce wlr_buffer
2018-06-13 05:40:23 -07:00
NeKit 6f29db1044 gles2 renderer: introduce struct wlr_gles2_tex_shader 2018-06-13 13:43:01 +03:00
emersion 38d415dd20
buffer: make wlr_buffer_ref return the buffer 2018-06-11 08:13:35 +01:00
Genki Sky 28d718c0dd rootston: Cancel existing keyboard grab when changing focus
It's possible that a non-default keyboard grab exists when we are trying
to change focus. For example, say there is an XDG popup when we click on
a different window. This popup's keyboard grab will swallow any
keyboard_notify_enter(), meaning the newly-clicked window won't receive
keyboard input.

So, we cancel any existing grabs in roots_seat_set_focus(). Before this
fix, a window would have been set as active but not receive keyboard
entry.

Fixes #233.

Signed-off-by: Genki Sky <sky@genki.is>
2018-06-10 21:47:49 -04:00
Drew DeVault 9a1f0e2d5f
Merge pull request #1052 from VincentVanlaer/egl-damage-khr
Split eglSwapBuffersWithDamage feature detection
2018-06-09 10:19:40 -07:00
Vincent Vanlaer f1a62a3200 Rename egl.exts to match the extension names 2018-06-09 19:11:51 +02:00
emersion 9ea5b1a85e
Merge branch 'master' into wlr-buffer 2018-06-09 17:54:47 +01:00
Vincent Vanlaer 5ec6d8230d Split eglSwapBuffersWithDamage feature detection
Detecting whether eglSwapBuffersWithDamageEXT or
eglSwapBuffersWithDamageKHR is used should be based on the extension
string, not only on the availability of the function.
2018-06-09 11:39:14 +02:00
emersion 9179b438a5
Merge pull request #1051 from RedSoxFan/fix-atti-assert
Fix atti assert in wlr_egl_init
2018-06-09 08:06:24 +01:00
Brian Ashworth 18bbe2d897 Fix atti assert in wlr_egl_init 2018-06-08 20:25:36 -04:00