fdo-mirrors/wlroots
1
0
Fork 0
mirror of https://gitlab.freedesktop.org/wlroots/wlroots.git synced 2026-01-12 08:00:23 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions
wlroots/render/allocator
History
John Lindgren 16cb509a6e render/allocator: add missing wlr_buffer_finish() in destroy impls 
Fixes use-after-free on exit of labwc running nested:

==50906== Invalid write of size 8
==50906==    at 0x4A85403: wl_list_remove (wayland-util.c:57)
==50906==    by 0x40BBAF9: destroy_wl_buffer (output.c:146)
==50906==    by 0x40B9B4F: backend_destroy (backend.c:488)
==50906==    by 0x409E96F: wlr_backend_destroy (backend.c:68)
==50906==    by 0x40B78A6: multi_backend_destroy (backend.c:62)
==50906==    by 0x409E96F: wlr_backend_destroy (backend.c:68)
==50906==    by 0x4043DA0: server_finish (server.c:788)
==50906==    by 0x403AA85: main (main.c:277)
==50906==  Address 0xb4435e8 is 40 bytes inside a block of size 136 free'd
==50906==    at 0x4A3E8EF: free (vg_replace_malloc.c:989)
==50906==    by 0x409C954: buffer_destroy (shm.c:28)
==50906==    by 0x40E96F4: buffer_consider_destroy (buffer.c:42)
==50906==    by 0x40E9754: wlr_buffer_drop (buffer.c:52)
==50906==    by 0x41498DA: slot_reset (swapchain.c:44)
==50906==    by 0x4149933: wlr_swapchain_destroy (swapchain.c:53)
==50906==    by 0x40CB1FA: wlr_output_finish (output.c:410)
==50906==    by 0x40BE00B: output_destroy (output.c:957)
==50906==    by 0x40CB2FC: wlr_output_destroy (output.c:436)
==50906==    by 0x40B9AFC: backend_destroy (backend.c:481)
==50906==    by 0x409E96F: wlr_backend_destroy (backend.c:68)
==50906==    by 0x40B78A6: multi_backend_destroy (backend.c:62)
==50906==  Block was alloc'd at
==50906==    at 0x4A42C13: calloc (vg_replace_malloc.c:1675)
==50906==    by 0x409CA84: allocator_create_buffer (shm.c:68)
==50906==    by 0x409C7BA: wlr_allocator_create_buffer (allocator.c:186)
==50906==    by 0x4149B80: wlr_swapchain_acquire (swapchain.c:102)
==50906==    by 0x40C90DA: render_cursor_buffer (cursor.c:246)
==50906==    by 0x40C93DC: output_cursor_attempt_hardware (cursor.c:303)
==50906==    by 0x40C9A61: output_cursor_set_texture (cursor.c:420)
==50906==    by 0x40C9738: wlr_output_cursor_set_buffer (cursor.c:352)
==50906==    by 0x40F13A0: output_cursor_set_xcursor_image (wlr_cursor.c:507)
==50906==    by 0x40F1B28: cursor_output_cursor_update (wlr_cursor.c:630)
==50906==    by 0x40F1C2A: cursor_update_outputs (wlr_cursor.c:657)
==50906==    by 0x40F1CF9: wlr_cursor_set_xcursor (wlr_cursor.c:674)

Fixes: 7963ba6a0d
("buffer: introduce wlr_buffer_finish()")
2025-12-20 15:02:08 -05:00
..
allocator.c Assert (almost all) signals have no attached listeners on destroy 2025-01-15 19:53:11 +03:00
drm_dumb.c buffer: introduce wlr_buffer_finish() 2025-01-08 16:06:12 +00:00
gbm.c render/allocator/gbm: insert buffer after export gbm bo 2025-08-25 14:05:13 +08:00
meson.build render/allocator/gbm: require GBM 21.1 2025-06-16 07:43:01 +00:00
shm.c render/allocator: add missing wlr_buffer_finish() in destroy impls 2025-12-20 15:02:08 -05:00
udmabuf.c render/allocator: add missing wlr_buffer_finish() in destroy impls 2025-12-20 15:02:08 -05:00