1. 30 Sep, 2020 6 commits
  2. 25 Sep, 2020 1 commit
  3. 08 Sep, 2020 3 commits
  4. 25 Aug, 2020 5 commits
  5. 18 Aug, 2020 13 commits
  6. 12 Aug, 2020 1 commit
  7. 22 Jul, 2020 1 commit
    • Michel Dänzer's avatar
      xwayland: Hold a pixmap reference in struct xwl_present_event · 23c55ec3
      Michel Dänzer authored
      In the log of the commit below, I claimed this wasn't necessary on the
      1.20 branch, but this turned out to be wrong: It meant that
      event->buffer could already be destroyed in xwl_present_free_event,
      resulting in use-after-free and likely a crash.
      Fixes: 22c0808a "xwayland: Free all remaining events in
  8. 21 Jul, 2020 2 commits
  9. 20 Jul, 2020 8 commits
    • Lyude Paul's avatar
      xwayland: Store xwl_tablet_pad in its own private key · ccbcf083
      Lyude Paul authored
      When a slave device causes the master virtual pointer device to change
      device types, the device's private data pointer
      (device->public.devicePrivate) is also changed to match the type of the
      slave device. This can be a problem though, as tablet pad devices will
      set the device's private data pointer to their own xwl_tablet_pad
      struct. This can cause us to dereference the pointer as the wrong type,
      and result in a segfault:
      Thread 1 "Xwayland" received signal SIGSEGV, Segmentation fault.
      wl_proxy_marshal (proxy=0x51, opcode=opcode@entry=0) at src/wayland-client.c:792
      792             va_start(ap, opcode);
      (gdb) bt
      0  wl_proxy_marshal (proxy=0x51, opcode=opcode@entry=0) at
      1  0x00005610b27b6c55 in wl_pointer_set_cursor (hotspot_y=0,
        hotspot_x=0, surface=0x0, serial=<optimized out>, wl_pointer=<optimized
        out>) at /usr/include/wayland-client-protocol.h:4610
      2  xwl_seat_set_cursor (xwl_seat=xwl_seat@entry=0x5610b46d5d10) at
      3  0x00005610b27b6ecd in xwl_set_cursor (device=<optimized out>,
        screen=<optimized out>, cursor=<optimized out>, x=<optimized out>,
        y=<optimized out>) at xwayland-cursor.c:249
      4  0x00005610b2800b46 in miPointerUpdateSprite (pDev=0x5610b4501a30) at
      5  miPointerUpdateSprite (pDev=0x5610b4501a30) at mipointer.c:410
      6  0x00005610b2800e56 in miPointerDisplayCursor (pCursor=0x5610b4b35740,
        pScreen=0x5610b3d54410, pDev=0x5610b4501a30) at mipointer.c:206
      7  miPointerDisplayCursor (pDev=0x5610b4501a30, pScreen=0x5610b3d54410,
        pCursor=0x5610b4b35740) at mipointer.c:194
      8  0x00005610b27ed62b in CursorDisplayCursor (pDev=<optimized out>,
        pScreen=0x5610b3d54410, pCursor=0x5610b4b35740) at cursor.c:168
      9  0x00005610b28773ee in AnimCurDisplayCursor (pDev=0x5610b4501a30,
        pScreen=0x5610b3d54410, pCursor=0x5610b4b35740) at animcur.c:197
      10 0x00005610b28eb4ca in ChangeToCursor (pDev=0x5610b4501a30,
        cursor=0x5610b4b35740) at events.c:938
      11 0x00005610b28ec99f in WindowHasNewCursor
        (pWin=pWin@entry=0x5610b4b2e0c0) at events.c:3362
      12 0x00005610b291102d in ChangeWindowAttributes (pWin=0x5610b4b2e0c0,
        vmask=<optimized out>, vlist=vlist@entry=0x5610b4c41dcc,
        client=client@entry=0x5610b4b2c900) at window.c:1561
      13 0x00005610b28db8e3 in ProcChangeWindowAttributes (client=0x5610b4b2c900)
        at dispatch.c:746
      14 0x00005610b28e1e5b in Dispatch () at dispatch.c:497
      15 0x00005610b28e5f34 in dix_main (argc=16, argv=0x7ffc7a601b68,
        envp=<optimized out>) at main.c:276
      16 0x00007f8828cde042 in __libc_start_main (main=0x5610b27ae930 <main>,
        argc=16, argv=0x7ffc7a601b68, init=<optimized out>, fini=<optimized
        out>, rtld_fini=<optimized out>, stack_end=0x7ffc7a601b58) at
      17 0x00005610b27ae96e in _start () at cursor.c:1064
      Simple reproducer in gnome-shell: open up an Xwayland window, press some
      tablet buttons, lock and unlock the screen. Repeat if it doesn't crash
      the first time.
      So, let's fix this by registering our own device-specific private key
      for storing a backpointer to xwl_tablet_pad, so that all input devices
      have their private data pointers set to their respective xwl_seat.
      Reviewed-by: Peter Hutterer's avatarPeter Hutterer <peter.hutterer@who-t.net>
      Signed-off-by: Lyude Paul's avatarLyude Paul <lyude@redhat.com>
      (cherry picked from commit ba0e789b)
    • SimonPilkington's avatar
      xwayland: Initialise values in xwlVidModeGetGamma() · cc361355
      SimonPilkington authored
      ProcVidModeGetGamma() relies on GetGamma() to initialise values if it
      returns TRUE. Without this, we're sending uninitialised values to
      Fixes: #1040
      (cherry picked from commit 6748a409)
    • Sjoerd Simons's avatar
      xwayland: Fix crashes when there is no pointer · 533cc6ca
      Sjoerd Simons authored
      When running with a weston session without a pointer device (thus with
      the wl_seat not having a pointer) xwayland pointer warping and pointer
      confining should simply be ignored to avoid crashes.
      Signed-off-by: default avatarSjoerd Simons <sjoerd@collabora.com>
      (cherry picked from commit d35f6833)
    • Olivier Fourdan's avatar
      xwayland: Clear private on device removal · 3aa31823
      Olivier Fourdan authored
      Xwayland uses the device private to point to the `xwl_seat`.
      Device may be removed at any time, including on suspend.
      On resume, if the DIX code ends up calling a function that requires the
      `xwl_seat` such as `xwl_set_cursor()` we may end up pointing at random
      Make sure the clear the device private data on removal so that we don't
      try to use it and crash later.
      Signed-off-by: default avatarOlivier Fourdan <ofourdan@redhat.com>
      Reviewed-by: Peter Hutterer's avatarPeter Hutterer <peter.hutterer@who-t.net>
      (cherry picked from commit 4195e803)
    • Michel Dänzer's avatar
      xwayland: Free all remaining events in xwl_present_cleanup · 22c0808a
      Michel Dänzer authored
      At the end of xwl_present_cleanup, these events aren't reachable
      anymore, so if we don't free them first, they're leaked.
      (cherry picked from commit 64565ea344fef0171497952ef75f019cb420fe3b)
      * Simpler backport, no need to keep a reference to the pixmap on the
        1.20 branch.
    • Michel Dänzer's avatar
      xwayland: Always use xwl_present_free_event for freeing Present events · 37779d7f
      Michel Dänzer authored
      Minor cleanup, and will make the next change simpler. No functional
      change intended.
      Reviewed-by: default avatarDave Airlie <airlied@redhat.com>
      (cherry picked from commit 1beffba6)
    • Michel Dänzer's avatar
      present/wnmd: Free flip_queue entries in present_wnmd_clear_window_flip · ba52e5eb
      Michel Dänzer authored
      When present_wnmd_clear_window_flip is done, present_destroy_window
      frees struct present_window_priv, and the events in the flip queue
      become unreachable. So if we don't free them first, they're leaked.
      Also drop the call to present_wnmd_set_abort_flip, which just sets a
      flag in struct present_window_priv and thus can't have any observable
      effect after present_destroy_window.
      Closes: #1042Reviewed-by: default avatarDave Airlie <airlied@redhat.com>
      (cherry picked from commit 1bdedc8d)
    • Michel Dänzer's avatar
      present/wnmd: Keep pixmap pointer in present_wnmd_clear_window_flip · b3310ed5
      Michel Dänzer authored
      The comment was incorrect: Any reference held by the window (see
      present_wnmd_execute) is in addition to the one in struct present_vblank
      (see present_vblank_create). So if we don't drop the latter, the pixmap
      will be leaked.
      Reviewed-by: default avatarDave Airlie <airlied@redhat.com>
      (cherry picked from commit bc9dd1c7)