From 002d7d375465e292a4dbd213a8db1766bc7bdf7a Mon Sep 17 00:00:00 2001 From: Olivier Fourdan Date: Tue, 2 Jul 2024 18:54:10 +0200 Subject: [PATCH] xwayland: Force disposal of windows buffers for root on destroy With explicit buffer synchronization in use, the window buffers use a file descriptor for event notification to keep the buffer alive for synchronization purpose. When running rootful, the root window (which is visible) is destroyed directly from the resource manager on server reset, and the window buffer's eventfd will trigger after the window is destroyed, leading to a use after free and a crash of the xserver. To avoid the issue, check whether the window being destroyed is the root window in rootless mode, and make sure to force the disposal of the window buffers in that case. Signed-off-by: Olivier Fourdan Closes: https://gitlab.freedesktop.org/xorg/xserver/-/issues/1699 Part-of: (cherry picked from commit a5e863963e3d8cef2cf84f7c65832adb78040798)
---
 hw/xwayland/xwayland-window.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/hw/xwayland/xwayland-window.c b/hw/xwayland/xwayland-window.c
index f9e0a81cc..1261ceaed 100644
--- a/hw/xwayland/xwayland-window.c
+++ b/hw/xwayland/xwayland-window.c
@@ -1647,6 +1647,7 @@ xwl_window_dispose(struct xwl_window *xwl_window)
 struct xwl_screen *xwl_screen = xwl_window->xwl_screen;
 struct xwl_seat *xwl_seat;
 WindowPtr window = xwl_window->toplevel;
+ ScreenPtr screen = xwl_screen->screen;
 compUnredirectWindow(serverClient, window, CompositeRedirectManual);
@@ -1689,7 +1690,9 @@ xwl_window_dispose(struct xwl_window *xwl_window)
 xorg_list_del(&xwl_window->link_damage);
 xorg_list_del(&xwl_window->link_window);
- xwl_window_buffers_dispose(xwl_window, FALSE);
+ /* Special case for the root window in rootful mode */
+ xwl_window_buffers_dispose(xwl_window,
+ (!xwl_screen->rootless && window == screen->root));
 if (xwl_window->window_buffers_timer)
 TimerFree(xwl_window->window_buffers_timer);
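Review bot: The comment added above the `xwl_window_buffers_dispose()` call in the second hunk says which case is special but not why, and this argument is the only thing standing between a pending buffer eventfd and freed window memory. I would record the lifetime reason so a later cleanup does not revert it to `FALSE`, e.g. `/* Rootful root window is freed by the resource manager on server reset; force disposal so a pending buffer eventfd cannot fire after the window is gone */`. The force path is taken only for `!xwl_screen->rootless && window == screen->root`. What the flag does inside `xwl_window_buffers_dispose()` is not visible here, so it is worth confirming that no other caller of `xwl_window_dispose()` can free an `xwl_window` while one of its buffers still has an eventfd armed. `xwl_window_dispose()` starts and ends outside both hunks.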