Skip to content

xwayland: Cancel the EI disconnect timer or free

Olivier Fourdan requested to merge ofourdan/xserver:xwayland-xtest-cancel-ei-timer into master

Xwayland maintains a connection to EI up for 10 minutes after an X11 client has vanished, to avoid going through the connection phase every time a short lived X11 client comes and goes.

However, if the EI client gets freed (through some other event, e.g. the user decides to terminate the EI session), Xwayland would still keep the callback alive and end up trying to free an already freed EI client:

 Invalid read of size 4
    at 0x4C5E6F9: object_unref (util-object.h:89)
    by 0x4C5E6F9: ei_unref (libei.c:77)
    by 0x429525: free_ei (xwayland-xtest.c:224)
    by 0x429A6E: disconnect_timer_cb (xwayland-xtest.c:404)
    by 0x5E63FF: DoTimer (WaitFor.c:276)
    by 0x5E6463: DoTimers (WaitFor.c:290)
    by 0x5E6164: check_timers (WaitFor.c:133)
    by 0x5E61E9: WaitForSomething (WaitFor.c:195)
    by 0x4AD50E: Dispatch (dispatch.c:487)
    by 0x4BBA0B: dix_main (main.c:272)
    by 0x43615D: main (stubmain.c:34)
  Address 0x15cc6ee8 is 8 bytes inside a block of size 240 free'd
    at 0x48452AC: free (vg_replace_malloc.c:974)
    by 0x4C5E729: object_destroy (util-object.h:73)
    by 0x4C5E729: object_unref (util-object.h:91)
    by 0x4C5E729: ei_unref (libei.c:77)
    by 0x429525: free_ei (xwayland-xtest.c:224)
    by 0x42A946: xwl_handle_ei_event (xwayland-xtest.c:804)
    by 0x5EA977: HandleNotifyFd (connection.c:809)
    by 0x5EE8E3: ospoll_wait (ospoll.c:657)
    by 0x5E624D: WaitForSomething (WaitFor.c:208)
    by 0x4AD50E: Dispatch (dispatch.c:487)
    by 0x4BBA0B: dix_main (main.c:272)
    by 0x43615D: main (stubmain.c:34)
  Block was alloc'd at
    at 0x484782C: calloc (vg_replace_malloc.c:1554)
    by 0x4C5E777: ei_create (libei.c:73)
    by 0x4C5E777: ei_create_context (libei.c:97)
    by 0x42994B: setup_ei (xwayland-xtest.c:366)
    by 0x42A383: xwayland_xtest_send_events (xwayland-xtest.c:658)
    by 0x54ED4C: ProcXTestFakeInput (xtest.c:441)
    by 0x54EE56: ProcXTestDispatch (xtest.c:475)
    by 0x4AD6E6: Dispatch (dispatch.c:546)
    by 0x4BBA0B: dix_main (main.c:272)
    by 0x43615D: main (stubmain.c:34)

To avoid that issue, make sure to cancel the timer as soon as a EI client is freed.

Signed-off-by: Olivier Fourdan ofourdan@redhat.com See-also: https://bugzilla.redhat.com/2243076

Edited by Olivier Fourdan

Merge request reports