1. 16 Jul, 2020 1 commit
    • Lyude Paul's avatar
      xwayland: Store xwl_tablet_pad in its own private key · ba0e789b
      Lyude Paul authored
      
      
      When a slave device causes the master virtual pointer device to change
      device types, the device's private data pointer
      (device->public.devicePrivate) is also changed to match the type of the
      slave device. This can be a problem though, as tablet pad devices will
      set the device's private data pointer to their own xwl_tablet_pad
      struct. This can cause us to dereference the pointer as the wrong type,
      and result in a segfault:
      
      Thread 1 "Xwayland" received signal SIGSEGV, Segmentation fault.
      wl_proxy_marshal (proxy=0x51, opcode=opcode@entry=0) at src/wayland-client.c:792
      792             va_start(ap, opcode);
      (gdb) bt
      0  wl_proxy_marshal (proxy=0x51, opcode=opcode@entry=0) at
        src/wayland-client.c:792
      1  0x00005610b27b6c55 in wl_pointer_set_cursor (hotspot_y=0,
        hotspot_x=0, surface=0x0, serial=<optimized out>, wl_pointer=<optimized
        out>) at /usr/include/wayland-client-protocol.h:4610
      2  xwl_seat_set_cursor (xwl_seat=xwl_seat@entry=0x5610b46d5d10) at
        xwayland-cursor.c:137
      3  0x00005610b27b6ecd in xwl_set_cursor (device=<optimized out>,
        screen=<optimized out>, cursor=<optimized out>, x=<optimized out>,
        y=<optimized out>) at xwayland-cursor.c:249
      4  0x00005610b2800b46 in miPointerUpdateSprite (pDev=0x5610b4501a30) at
        mipointer.c:468
      5  miPointerUpdateSprite (pDev=0x5610b4501a30) at mipointer.c:410
      6  0x00005610b2800e56 in miPointerDisplayCursor (pCursor=0x5610b4b35740,
        pScreen=0x5610b3d54410, pDev=0x5610b4501a30) at mipointer.c:206
      7  miPointerDisplayCursor (pDev=0x5610b4501a30, pScreen=0x5610b3d54410,
        pCursor=0x5610b4b35740) at mipointer.c:194
      8  0x00005610b27ed62b in CursorDisplayCursor (pDev=<optimized out>,
        pScreen=0x5610b3d54410, pCursor=0x5610b4b35740) at cursor.c:168
      9  0x00005610b28773ee in AnimCurDisplayCursor (pDev=0x5610b4501a30,
        pScreen=0x5610b3d54410, pCursor=0x5610b4b35740) at animcur.c:197
      10 0x00005610b28eb4ca in ChangeToCursor (pDev=0x5610b4501a30,
        cursor=0x5610b4b35740) at events.c:938
      11 0x00005610b28ec99f in WindowHasNewCursor
        (pWin=pWin@entry=0x5610b4b2e0c0) at events.c:3362
      12 0x00005610b291102d in ChangeWindowAttributes (pWin=0x5610b4b2e0c0,
        vmask=<optimized out>, vlist=vlist@entry=0x5610b4c41dcc,
        client=client@entry=0x5610b4b2c900) at window.c:1561
      13 0x00005610b28db8e3 in ProcChangeWindowAttributes (client=0x5610b4b2c900)
        at dispatch.c:746
      14 0x00005610b28e1e5b in Dispatch () at dispatch.c:497
      15 0x00005610b28e5f34 in dix_main (argc=16, argv=0x7ffc7a601b68,
        envp=<optimized out>) at main.c:276
      16 0x00007f8828cde042 in __libc_start_main (main=0x5610b27ae930 <main>,
        argc=16, argv=0x7ffc7a601b68, init=<optimized out>, fini=<optimized
        out>, rtld_fini=<optimized out>, stack_end=0x7ffc7a601b58) at
        ../csu/libc-start.c:308
      17 0x00005610b27ae96e in _start () at cursor.c:1064
      
      Simple reproducer in gnome-shell: open up an Xwayland window, press some
      tablet buttons, lock and unlock the screen. Repeat if it doesn't crash
      the first time.
      
      So, let's fix this by registering our own device-specific private key
      for storing a backpointer to xwl_tablet_pad, so that all input devices
      have their private data pointers set to their respective xwl_seat.
      Reviewed-by: Peter Hutterer's avatarPeter Hutterer <peter.hutterer@who-t.net>
      Signed-off-by: Lyude Paul's avatarLyude Paul <lyude@redhat.com>
      ba0e789b
  2. 05 Jul, 2020 1 commit
  3. 02 Jul, 2020 1 commit
  4. 20 May, 2020 1 commit
  5. 12 May, 2020 4 commits
  6. 27 Apr, 2020 1 commit
    • Olivier Fourdan's avatar
      xwayland: Fix infinite loop at startup · 785e5906
      Olivier Fourdan authored
      
      
      Mutter recently added headless tests, and when running those tests the
      Wayland compositor runs for a very short time.
      
      Xwayland is spawned by the Wayland compositor and upon startup will
      query the various Wayland protocol supported by the compositor.
      
      To do so, it will do a roundtrip to the Wayland server waiting for
      events it expects.
      
      If the Wayland compositor terminates before Xwayland has got the replies
      it expects, it will loop indefinitely calling `wl_display_roundtrip()`
      continuously.
      
      To avoid that issue, add a new `xwl_screen_roundtrip()` that checks for
      the returned value from `wl_display_roundtrip()` and fails if it is
      negative.
      Signed-off-by: default avatarOlivier Fourdan <ofourdan@redhat.com>
      Reviewed-by: Roman Gilg's avatarRoman Gilg <subdiff@gmail.com>
      Reviewed-by: Jonas Ådahl's avatarJonas Ådahl <jadahl@gmail.com>
      785e5906
  7. 20 Dec, 2019 5 commits
  8. 12 Oct, 2019 1 commit
    • Hans de Goede's avatar
      xwayland: Add support for randr-resolution change emulation using viewport · d99b9ff0
      Hans de Goede authored
      
      
      Add support for per client randr-resolution change emulation using viewport,
      for apps which want to change the resolution when going fullscreen.
      
      Partly based on earlier work on this by Robert Mader <robert.mader@posteo.de>
      
      Note SDL2 and SFML do not restore randr resolution when going from
      fullscreen -> windowed, I believe this is caused by us still reporting the
      desktop resolution when they query the resolution.  This is not a problem
      because when windowed the toplevel window size includes the window-decorations
      so it never matches the emulated resolution.
      
      One exception would be the window being resizable in Windowed mode and the
      user resizing the window so that including decorations it matches the
      emulated resolution *and* the window being at pos 0x0. But this is an
      extreme corner case. Still I will submit patches upstream to SDL2
      and SFML to always restore the desktop resolution under Xwayland,
      disabling resolution emulation all together when going windowed.
      Reviewed-by: default avatarOlivier Fourdan <ofourdan@redhat.com>
      Acked-by: Michel Dänzer's avatarMichel Dänzer <mdaenzer@redhat.com>
      Signed-off-by: default avatarHans de Goede <hdegoede@redhat.com>
      d99b9ff0
  9. 20 May, 2019 1 commit
    • Olivier Fourdan's avatar
      xwayland: Avoid a crash on pointer enter with a grab · 0a074463
      Olivier Fourdan authored
      
      
      On pointer enter notification, Xwayland checks for an existing pointer
      warp with a `NULL` sprite.
      
      In turn, `xwl_pointer_warp_emulator_maybe_lock()` checks for an existing
      grab and the destination window using `XYToWindow()` which does not
      check for the actual sprite not being `NULL`.
      
      So, in some cases, when the pointer enters the surface and there is an
      existing X11 grab which is not an ownerEvents grab, Xwayland would crash
      trying to dereference the `NULL` sprite pointer:
      
        #0  __GI_raise ()
        #1  __GI_abort () at abort.c:79
        #2  OsAbort () at utils.c:1351
        #3  AbortServer () at log.c:879
        #4  FatalError () at log.c:1017
        #5  OsSigHandler () at osinit.c:156
        #6  OsSigHandler () at osinit.c:110
        #7  <signal handler called>
        #8  XYToWindow (pSprite=0x0, x=0, y=0) at events.c:2880
        #9  xwl_pointer_warp_emulator_maybe_lock () at xwayland-input.c:2673
        #10 pointer_handle_enter () at xwayland-input.c:434
      
      Avoid the crash by simply checking for the sprite being not `NULL` in
      `xwl_pointer_warp_emulator_maybe_lock()`
      Signed-off-by: default avatarOlivier Fourdan <ofourdan@redhat.com>
      Bugzilla: https://bugzilla.redhat.com/1708119
      0a074463
  10. 28 Sep, 2018 1 commit
  11. 26 Sep, 2018 1 commit
  12. 30 Aug, 2018 1 commit
    • Scott Anderson's avatar
      xwayland: use wayland axis_discrete event · cd285922
      Scott Anderson authored
      
      
      This prevents multiple scroll events happening for wayland compositors
      which send axis values other than 10. For example, libinput will
      typically return 15 for each scroll wheel step, and if a wayland
      compositor sends those to xwayland without normalising them, 2 scroll
      wheel steps will end up as 3 xorg scroll events. By listening for the
      discrete_axis event, this will now correctly send only 2 xorg scroll
      events.
      
      The wayland protocol gurantees that there will always be an axis event
      following an axis_discrete event. However, it does not gurantee that
      other events (including other axis_discrete+axis pairs) will not happen
      in between them. So we must keep a list of outstanding axis_discrete
      events.
      Signed-off-by: Scott Anderson's avatarScott Anderson <scott@anderso.nz>
      Reviewed-by: Peter Hutterer's avatarPeter Hutterer <peter.hutterer@who-t.net>
      Signed-off-by: Peter Hutterer's avatarPeter Hutterer <peter.hutterer@who-t.net>
      cd285922
  13. 17 Jun, 2018 1 commit
  14. 18 Apr, 2018 1 commit
    • Olivier Fourdan's avatar
      xwayland: avoid using freed xwl_window on unrealize · 8b8f9007
      Olivier Fourdan authored
      xwl_unrealize_window() would use freed xwl_window which can lead to
      various memory corruption and crashes, as reported by valgrind:
      
       Invalid read of size 8
          at 0x42C802: xwl_present_cleanup (xwayland-present.c:84)
          by 0x42BA67: xwl_unrealize_window (xwayland.c:601)
          by 0x541EE9: compUnrealizeWindow (compwindow.c:285)
          by 0x57E1FA: UnrealizeTree (window.c:2816)
          by 0x581189: UnmapWindow (window.c:2874)
          by 0x54EB26: ProcUnmapWindow (dispatch.c:879)
          by 0x554B7D: Dispatch (dispatch.c:479)
          by 0x558BE5: dix_main (main.c:276)
          by 0x7C4B1BA: (below main) (libc-start.c:308)
        Address 0xf520f60 is 96 bytes inside a block of size 184 free'd
          at 0x4C2EDAC: free (vg_replace_malloc.c:530)
          by 0x42B9FB: xwl_unrealize_window (xwayland.c:624)
          by 0x541EE9: compUnrealizeWindow (compwindow.c:285)
          by 0x57E1FA: UnrealizeTree (window.c:2816)
          by 0x581189: UnmapWindow (window.c:2874)
          by 0x54EB26: ProcUnmapWindow (dispatch.c:879)
          by 0x554B7D: Dispatch (dispatch.c:479)
          by 0x558BE5: dix_main (main.c:276)
          by 0x7C4B1BA: (below main) (libc-start.c:308)
        Block was alloc'd at
          at 0x4C2FB06: calloc (vg_replace_malloc.c:711)
          by 0x42B307: xwl_realize_window (xwayland.c:488)
          by 0x541E59: compRealizeWindow (compwindow.c:268)
          by 0x57DA40: RealizeTree (window.c:2617)
          by 0x580B28: MapWindow (window.c:2694)
          by 0x54EA2A: ProcMapWindow (dispatch.c:845)
          by 0x554B7D: Dispatch (dispatch.c:479)
          by 0x558BE5: dix_main (main.c:276)
          by 0x7C4B1BA: (below main) (libc-start.c:308)
      
      This is because UnrealizeTree() traverses the tree from top to bottom,
      which invalidates the assumption that if the Window doesn't feature an
      xwl_window on its own, it's the xwl_window of its first ancestor with
      one.
      
      This reverts commit 82df2ce3
      
      Reviewed-by: Adam Jackson's avatarAdam Jackson <ajax@redhat.com>
      Signed-off-by: default avatarOlivier Fourdan <ofourdan@redhat.com>
      8b8f9007
  15. 25 Jan, 2018 1 commit
  16. 19 Dec, 2017 1 commit
  17. 06 Dec, 2017 1 commit
  18. 13 Sep, 2017 1 commit
    • Roman Gilg's avatar
      xwayland: Avoid repeatedly looping through window ancestor chain · 82df2ce3
      Roman Gilg authored
      
      
      Calling xwl_window_from_window means looping through the window ancestor
      chain whenever it is called on a child window or on an automatically
      redirected window.
      
      Since these properties and the potential ancestor's xwl_window are constant
      between window realization and unrealization, we can omit the looping by
      always putting the respective xwl_window in the Window's private field on
      its realization. If the Window doesn't feature an xwl_window on its own,
      it's the xwl_window of its first ancestor with one.
      Signed-off-by: Roman Gilg's avatarRoman Gilg <subdiff@gmail.com>
      Reviewed-by: Pekka Paalanen's avatarPekka Paalanen <pekka.paalanen@collabora.co.uk>
      82df2ce3
  19. 05 Sep, 2017 1 commit
    • Olivier Fourdan's avatar
      xwayland: Fix a segfault with pointer locking · cdd0352b
      Olivier Fourdan authored
      Xwayland would crash in some circumstances while trying to issue a
      pointer locking when the cursor is hidden when there is no seat focus
      window set.
      
      The crash signature looks like:
      
       #0  zwp_pointer_constraints_v1_lock_pointer ()
       #1  xwl_pointer_warp_emulator_lock () at xwayland-input.c:2584
       #2  xwl_seat_maybe_lock_on_hidden_cursor () at xwayland-input.c:2756
       #3  xwl_seat_maybe_lock_on_hidden_cursor () at xwayland-input.c:2765
       #4  xwl_seat_cursor_visibility_changed () at xwayland-input.c:2768
       #5  xwl_set_cursor () at xwayland-cursor.c:245
       #6  miPointerUpdateSprite () at mipointer.c:468
       #7  miPointerDisplayCursor () at mipointer.c:206
       #8  CursorDisplayCursor () at cursor.c:150
       #9  AnimCurDisplayCursor () at animcur.c:220
       #10 ChangeToCursor () at events.c:936
       #11 ActivatePointerGrab () at events.c:1542
       #12 GrabDevice () at events.c:5120
       #13 ProcGrabPointer () at events.c:4908
       #14 Dispatch () at dispatch.c:478
       #15 dix_main () at main.c:276
      
      xwl_pointer_warp_emulator_lock() tries to use the surface from the
      xwl_seat->focus_window leading to a NULL pointer dereference when that
      value is NULL.
      
      Check that xwl_seat->focus_window is not NULL earlier in the stack in
      xwl_seat_maybe_lock_on_hidden_cursor() and return early if not the case
      to avoid the crash.
      
      Fixes: https://bugs.freedesktop.org/show_bug.cgi?id=102474
      
      Signed-off-by: default avatarOlivier Fourdan <ofourdan@redhat.com>
      Acked-by: Peter Hutterer's avatarPeter Hutterer <peter.hutterer@who-t.net>
      Signed-off-by: Peter Hutterer's avatarPeter Hutterer <peter.hutterer@who-t.net>
      cdd0352b
  20. 04 Sep, 2017 1 commit
  21. 01 Aug, 2017 1 commit
  22. 12 Jun, 2017 2 commits
  23. 07 Jun, 2017 1 commit
    • Carlos Garnacho's avatar
      xwayland: Lock the pointer if it is confined and has no cursor · ca17f3e9
      Carlos Garnacho authored
      
      
      In the typical pattern in games of "hide cursor, grab with a confineTo,
      warp constantly the pointer to the middle of the window" the last warping
      step is actually rather optional. Some games may choose to just set up a
      grab with confineTo argument, and trust that they'll get correct relative
      X/Y axis values despite the hidden cursor hitting the confinement window
      edge.
      
      To cater for these cases, lock the pointer whenever there is a pointer
      confinement and the cursor is hidden. This ensures the pointer position
      is in sync with the compositor's when it's next shown again, and more
      importantly resorts to the relative pointer for event delivery.
      Signed-off-by: Carlos Garnacho's avatarCarlos Garnacho <carlosg@gnome.org>
      Reviewed-by: Peter Hutterer's avatarPeter Hutterer <peter.hutterer@who-t.net>
      Signed-off-by: Peter Hutterer's avatarPeter Hutterer <peter.hutterer@who-t.net>
      ca17f3e9
  24. 04 May, 2017 1 commit
    • Lyude Paul's avatar
      xwayland: Unconditionally initialize lists in init_tablet_manager_seat() · a06bb730
      Lyude Paul authored
      
      
      In the event that xwayland gets launched on a wayland compositor that
      doesn't yet have support for wp_tablet_manager, we end up skipping the
      initialization of the lists. This is wrong, because regardless of
      whether or not a tablet is present we still attempt to traverse these
      lists later in xwl_set_cursor(), expecting that if the lists are empty
      from no tablet manager that we simply won't execute any loop iterations.
      
      (EE)
      (EE) Backtrace:
      (EE) 0: Xwayland (OsSigHandler+0x3b) [0x4982f9]
      (EE) 1: /lib64/libpthread.so.0 (__restore_rt+0x0) [0x7f73722545bf]
      (EE) 2: Xwayland (xwl_set_cursor+0x9f) [0x429974]
      (EE) 3: Xwayland (miPointerUpdateSprite+0x261) [0x4fe1ca]
      (EE) 4: Xwayland (mieqProcessInputEvents+0x239) [0x4f8d33]
      (EE) 5: Xwayland (ProcessInputEvents+0x9) [0x4282f0]
      (EE) 6: Xwayland (Dispatch+0x42) [0x43e2d4]
      (EE) 7: Xwayland (dix_main+0x5c9) [0x44c6dc]
      (EE) 8: Xwayland (main+0x28) [0x61c523]
      (EE) 9: /lib64/libc.so.6 (__libc_start_main+0xf1) [0x7f7371e9d401]
      (EE) 10: Xwayland (_start+0x2a) [0x4208fa]
      (EE) 11: ? (?+0x2a) [0x2a]
      (EE)
      (EE) Segmentation fault at address 0x28
      (EE)
      Fatal server error:
      (EE) Caught signal 11 (Segmentation fault). Server aborting
      (EE)
      
      Reproduced when trying to run upstream xwayland under fedora 25's weston
      package.
      Signed-off-by: Lyude Paul's avatarLyude <lyude@redhat.com>
      Reviewed-by: Peter Hutterer's avatarPeter Hutterer <peter.hutterer@who-t.net>
      Signed-off-by: Peter Hutterer's avatarPeter Hutterer <peter.hutterer@who-t.net>
      a06bb730
  25. 28 Apr, 2017 8 commits