1. 30 Mar, 2022 1 commit
  2. 24 Mar, 2022 1 commit
    • xwayland: Always hook up frame_callback_list in xwl_present_queue_vblank · 1a7e4e72
      Michel Dänzer authored and Olivier Fourdan committed
      Even if there's no pending frame callback yet.
      
      Without this, if there was no pending frame callback yet in
      xwl_present_queue_vblank, xwl_present_msc_bump would only get called
      from xwl_present_timer_callback, resulting in the MSC ticking at ~58
      Hertz.
      
      Doing this requires some adjustments elsewhere:
      
      1. xwl_present_reset_timer needs to check for a pending frame callback
         as well.
      2. xwl_window_create_frame_callback needs to call
         xwl_present_reset_timer for all child windows hooked up to
         frame_callback_list, to make sure the timer length takes the pending
         frame callback into account.
      3. xwl_present_flip needs to hook up the window to frame_callback_list
         before calling xwl_window_create_frame_callback, for 2. to work.
      
      Closes: #1309
      Fixes: 9b31358c ("xwayland: Use frame callbacks for Present vblank events")
      Reviewed-by: Olivier Fourdan <ofourdan@redhat.com>
      (cherry ...
  3. 15 Mar, 2022 3 commits
    • xwayland: Clear timer_armed in xwl_present_unrealize_window · 88ed88e8
      Michel Dänzer authored and Olivier Fourdan committed
      Without this, xwl_present_reset_timer would call
      xwl_present_timer_callback if the timer was originally armed over a
      second ago. xwl_present_timer_callback would call xwl_present_msc_bump,
      which could end up hooking up the window to
      xwl_window->frame_callback_list again. This would lead to use-after-free
      in xwl_present_cleanup:
      
        Invalid write of size 8
          at 0x42B65C: __xorg_list_del (list.h:183)
          by 0x42B693: xorg_list_del (list.h:204)
          by 0x42C041: xwl_present_cleanup (xwayland-present.c:354)
          by 0x423669: xwl_destroy_window (xwayland-window.c:770)
          by 0x4FDDC5: compDestroyWindow (compwindow.c:620)
          by 0x5233FB: damageDestroyWindow (damage.c:1590)
          by 0x501C5F: DbeDestroyWindow (dbe.c:1326)
          by 0x4EF35B: FreeWindowResources (window.c:1018)
          by 0x4EF687: DeleteWindow (window.c:1086)
          by 0x4E24B3: doFreeResource (resource.c:885)
          by 0x4E2ED7: FreeClientResources (resource.c:1151)
          by 0x4ACBA4: CloseDownClient (dispatch.c:3546)
        Address 0x12f44980 is 144 bytes inside a block of size 160 free'd
          at 0x48470E4: free (vg_replace_malloc.c:872)
          by 0x423115: xwl_unrealize_window (xwayland-window.c:621)
          by 0x4FCDD8: compUnrealizeWindow (compwindow.c:292)
          by 0x4F3F5C: UnrealizeTree (window.c:2805)
          by 0x4F424B: UnmapWindow (window.c:2863)
          by 0x4EF58C: DeleteWindow (window.c:1075)
          by 0x4E24B3: doFreeResource (resource.c:885)
          by 0x4E2ED7: FreeClientResources (resource.c:1151)
          by 0x4ACBA4: CloseDownClient (dispatch.c:3546)
          by 0x5E27EE: ClientReady (connection.c:599)
          by 0x5E6CB7: ospoll_wait (ospoll.c:657)
          by 0x5DE6CD: WaitForSomething (WaitFor.c:208)
        Block was alloc'd at
          at 0x4849464: calloc (vg_replace_malloc.c:1328)
          by 0x4229CE: ensure_surface_for_window (xwayland-window.c:439)
          by 0x4231E8: xwl_window_set_window_pixmap (xwayland-window.c:647)
          by 0x5232D6: damageSetWindowPixmap (damage.c:1565)
          by 0x4FC7BC: compSetPixmapVisitWindow (compwindow.c:129)
          by 0x4EDB3F: TraverseTree (window.c:441)
          by 0x4FC851: compSetPixmap (compwindow.c:151)
          by 0x4F8C1A: compAllocPixmap (compalloc.c:616)
          by 0x4FC938: compCheckRedirect (compwindow.c:174)
          by 0x4FCD1D: compRealizeWindow (compwindow.c:274)
          by 0x4F36EC: RealizeTree (window.c:2606)
          by 0x4F39F5: MapWindow (window.c:2683)
      
      Fixes: 288ec0e0 ("xwayland/present: Run fallback timer callback after more than a second")
      Tested-by: Olivier Fourdan <ofourdan@redhat.com>
      Reviewed-by: Olivier Fourdan <ofourdan@redhat.com>
      (cherry picked from commit 102764b6)
    • xwayland/present: Fix use-after-free in xwl_unrealize_window() · c5b89441
      Olivier Fourdan authored and Olivier Fourdan committed
      When a window is unrealized, Xwayland would destroy the Wayland surface
      prior to unrealizing the present window.
      
      xwl_present_flip() will then do a wl_surface_commit() of that surface,
      hence causing a use-after-free:
      
       Invalid read of size 8
          at 0x49F7FD4: wl_proxy_marshal_array_flags (wayland-client.c:852)
          by 0x49F823A: wl_proxy_marshal_flags (wayland-client.c:784)
          by 0x42B877: wl_surface_commit (wayland-client-protocol.h:3914)
          by 0x42CAA7: xwl_present_flip (xwayland-present.c:717)
          by 0x42CD0E: xwl_present_execute (xwayland-present.c:783)
          by 0x42C26D: xwl_present_msc_bump (xwayland-present.c:416)
          by 0x42C2D1: xwl_present_timer_callback (xwayland-present.c:433)
          by 0x42BAC4: xwl_present_reset_timer (xwayland-present.c:149)
          by 0x42D1F8: xwl_present_unrealize_window (xwayland-present.c:945)
          by 0x4230E2: xwl_unrealize_window (xwayland-window.c:616)
          by 0x4FCDD8: compUnrealizeWindow (compwindow.c:292)
          by 0x4F3F5C: UnrealizeTree (window.c:2805)
        Address 0x1390b8d8 is 24 bytes inside a block of size 80 free'd
          at 0x48470E4: free (vg_replace_malloc.c:872)
          by 0x49F8029: wl_proxy_destroy_caller_locks (wayland-client.c:523)
          by 0x49F8029: wl_proxy_marshal_array_flags (wayland-client.c:861)
          by 0x49F823A: wl_proxy_marshal_flags (wayland-client.c:784)
          by 0x421984: wl_surface_destroy (wayland-client-protocol.h:3672)
          by 0x423052: xwl_unrealize_window (xwayland-window.c:599)
          by 0x4FCDD8: compUnrealizeWindow (compwindow.c:292)
          by 0x4F3F5C: UnrealizeTree (window.c:2805)
          by 0x4F424B: UnmapWindow (window.c:2863)
          by 0x4EF58C: DeleteWindow (window.c:1075)
          by 0x4E24B3: doFreeResource (resource.c:885)
          by 0x4E2ED7: FreeClientResources (resource.c:1151)
          by 0x4ACBA4: CloseDownClient (dispatch.c:3546)
        Block was alloc'd at
          at 0x4849464: calloc (vg_replace_malloc.c:1328)
          by 0x49F7F29: zalloc (wayland-private.h:233)
          by 0x49F7F29: proxy_create (wayland-client.c:422)
          by 0x49F7F29: create_outgoing_proxy (wayland-client.c:664)
          by 0x49F7F29: wl_proxy_marshal_array_flags (wayland-client.c:831)
          by 0x49F823A: wl_proxy_marshal_flags (wayland-client.c:784)
          by 0x4218CA: wl_compositor_create_surface (wayland-client-protocol.h:1291)
          by 0x422A0D: ensure_surface_for_window (xwayland-window.c:445)
          by 0x4231E8: xwl_window_set_window_pixmap (xwayland-window.c:647)
          by 0x5232D6: damageSetWindowPixmap (damage.c:1565)
          by 0x4FC7BC: compSetPixmapVisitWindow (compwindow.c:129)
          by 0x4EDB3F: TraverseTree (window.c:441)
          by 0x4FC851: compSetPixmap (compwindow.c:151)
          by 0x4F8C1A: compAllocPixmap (compalloc.c:616)
          by 0x4FC938: compCheckRedirect (compwindow.c:174)
      
      To avoid that, call xwl_present_unrealize_window() before destroying the
      Wayland surface.
      Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
      Reviewed-by: Michel Dänzer <mdaenzer@redhat.com>
      (cherry picked from commit 42113ab2)
    • Xwayland: Do not map the COW by default when rootless · b211df90
      Olivier Fourdan authored and Olivier Fourdan committed
      The composite overlay window (COW) can be queried from any X11 client,
      not just the X11 compositing manager.
      
      If a client tries to get the composite overlay window, the Xserver will
      map the window and block all pointer events (the window being mapped and
      on top of the stack).
      
      To avoid that issue, unset the "mapped" state of the composite overlay
      window once realized when Xwayland is running rootless.
      
      Note: All Xservers are actually affected by this issue, but with most
      regular X servers, the compositing manager will take care of dealing
      with the composite overlay window, and an X11 client using
      GetOverlayWindow() won't break pointer events for all X11 clients.
      Wayland compositors however usually run Xwayland rootless and have no
      use for the COW.
      
      v2: Avoid registering damage for the COW (Michel)
      v3: Remove the "mapped" test to avoid calling register_damage() if the
          COW is not mapped (Michel)
      
      Closes: #1314
      
      Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
      Reviewed-by: Michel Dänzer <mdaenzer@redhat.com>
      (cherry picked from commit 47d33174)
  4. 16 Feb, 2022 1 commit
  5. 11 Feb, 2022 1 commit
  6. 02 Feb, 2022 1 commit
  7. 28 Jan, 2022 1 commit
    • render: Fix build with gcc 12 · 1d98f8b7
      Olivier Fourdan authored
      The xserver fails to compile with the latest gcc 12:
      
       render/picture.c: In function ‘CreateSolidPicture’:
       render/picture.c:874:26: error: array subscript ‘union _SourcePict[0]’ is partly outside array bounds of ‘unsigned char[16]’ [-Werror=array-bounds]
        874 |     pPicture->pSourcePict->type = SourcePictTypeSolidFill;
            |                          ^~
       render/picture.c:868:45: note: object of size 16 allocated by ‘malloc’
        868 |     pPicture->pSourcePict = (SourcePictPtr) malloc(sizeof(PictSolidFill));
            |                                             ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~
       render/picture.c: In function ‘CreateLinearGradientPicture’:
       render/picture.c:906:26: error: array subscript ‘union _SourcePict[0]’ is partly outside array bounds of ‘unsigned char[32]’ [-Werror=array-bounds]
        906 |     pPicture->pSourcePict->linear.type = SourcePictTypeLinear;
            |                          ^~
       render/picture.c:899:45: note: object of size 3...
  8. 19 Jan, 2022 1 commit
  9. 18 Jan, 2022 13 commits
  10. 14 Jan, 2022 1 commit
  11. 24 Dec, 2021 1 commit
  12. 20 Dec, 2021 2 commits
  13. 19 Dec, 2021 3 commits
  14. 17 Dec, 2021 1 commit
  15. 16 Dec, 2021 1 commit
  16. 14 Dec, 2021 5 commits
  17. 10 Dec, 2021 1 commit
  18. 08 Dec, 2021 1 commit
  19. 07 Dec, 2021 1 commit