diff options
| author |  Rouven Czerwinski <rouven@czerwinskis.de> | 2020-04-05 13:37:34 +0200 |
|---|---|---|
| committer |  Simon Ser <contact@emersion.fr> | 2020-04-10 10:20:21 +0200 |
| commit | ac0637708f0adcf9bd754783634b9cdf5acf5a55 (patch) | |
| tree | 8aa1a61de3137fb0b1faa97bc772f21d06fe8f37 | |
| parent | Don't add disabled outputs back to output layout (diff) | |
| download | sway-ac0637708f0adcf9bd754783634b9cdf5acf5a55.tar.gz sway-ac0637708f0adcf9bd754783634b9cdf5acf5a55.tar.zst sway-ac0637708f0adcf9bd754783634b9cdf5acf5a55.zip | |
output: remove damage listeners in damage destroy
Instead of removing the destroy listeners in the output destroy, remove
them in the damage destroy handler. Fixes the following use after free:
==646625==ERROR: AddressSanitizer: heap-use-after-free on address 0x61200017cab8 at pc 0x0000004f8f29 bp 0x7ffdf465ad30 sp 0x7ffdf465ad20
WRITE of size 8 at 0x61200017cab8 thread T0
#0 0x4f8f28 in wl_list_remove ../common/list.c:181
#1 0x43dd24 in handle_destroy ../sway/desktop/output.c:790
(`wl_list_remove(&output->damage_destroy.link);` here, 214e3030e1dce master branch)
#2 0x7f0e573a1c93 in wlr_signal_emit_safe ../util/signal.c:29
#3 0x7f0e57390954 in wlr_output_destroy ../types/wlr_output.c:365
#4 0x7f0e5735e37f in backend_destroy ../backend/x11/backend.c:128
#5 0x7f0e57348147 in wlr_backend_destroy ../backend/backend.c:47
#6 0x7f0e57356f75 in multi_backend_destroy ../backend/multi/backend.c:54
#7 0x7f0e5735710e in handle_display_destroy ../backend/multi/backend.c:107
#8 0x7f0e573f23e4 in wl_display_destroy (/lib64/libwayland-server.so.0+0x93e4)
#9 0x42f0b2 in server_fini ../sway/server.c:177
#10 0x42dd01 in main ../sway/main.c:414
#11 0x7f0e570f7041 in __libc_start_main (/lib64/libc.so.6+0x27041)
#12 0x40e3bd in _start (/opt/wayland/bin/sway+0x40e3bd)
0x61200017cab8 is located 120 bytes inside of 320-byte region [0x61200017ca40,0x61200017cb80)
freed by thread T0 here:
#0 0x7f0e57aa9357 in __interceptor_free (/lib64/libasan.so.6+0xb0357)
#1 0x7f0e5738b877 in wlr_output_damage_destroy ../types/wlr_output_damage.c:143
#2 0x7f0e5738b2b9 in output_handle_destroy ../types/wlr_output_damage.c:13
#3 0x7f0e573a1c93 in wlr_signal_emit_safe ../util/signal.c:29
#4 0x7f0e57390954 in wlr_output_destroy ../types/wlr_output.c:365
#5 0x7f0e5735e37f in backend_destroy ../backend/x11/backend.c:128
#6 0x7f0e57348147 in wlr_backend_destroy ../backend/backend.c:47
#7 0x7f0e57356f75 in multi_backend_destroy ../backend/multi/backend.c:54
#8 0x7f0e5735710e in handle_display_destroy ../backend/multi/backend.c:107
#9 0x7f0e573f23e4 in wl_display_destroy (/lib64/libwayland-server.so.0+0x93e4)
previously allocated by thread T0 here:
#0 0x7f0e57aa9887 in __interceptor_calloc (/lib64/libasan.so.6+0xb0887)
#1 0x7f0e5738b532 in wlr_output_damage_create ../types/wlr_output_damage.c:91
#2 0x43e4a7 in handle_new_output ../sway/desktop/output.c:875
#3 0x7f0e573a1c93 in wlr_signal_emit_safe ../util/signal.c:29
#4 0x7f0e57357261 in new_output_reemit ../backend/multi/backend.c:143
#5 0x7f0e573a1c93 in wlr_signal_emit_safe ../util/signal.c:29
#6 0x7f0e5736030a in wlr_x11_output_create ../backend/x11/output.c:253
#7 0x7f0e5735e309 in backend_start ../backend/x11/backend.c:113
#8 0x7f0e573480fb in wlr_backend_start ../backend/backend.c:36
#9 0x7f0e57356e61 in multi_backend_start ../backend/multi/backend.c:31
#10 0x7f0e573480fb in wlr_backend_start ../backend/backend.c:36
#11 0x42f4ba in server_start ../sway/server.c:205
#12 0x42dbd7 in main ../sway/main.c:394
#13 0x7f0e570f7041 in __libc_start_main (/lib64/libc.so.6+0x27041)
Fixes #5158
| -rw-r--r-- | sway/desktop/output.c | 6 |
1 files changed, 4 insertions, 2 deletions
diff --git a/sway/desktop/output.c b/sway/desktop/output.c index 03868b73..367be2d0 100644 --- a/sway/desktop/output.c +++ b/sway/desktop/output.c | |||
| @@ -742,6 +742,10 @@ static void damage_handle_destroy(struct wl_listener *listener, void *data) { | |||
| 742 | return; | 742 | return; |
| 743 | } | 743 | } |
| 744 | output_disable(output); | 744 | output_disable(output); |
| 745 | |||
| 746 | wl_list_remove(&output->damage_destroy.link); | ||
| 747 | wl_list_remove(&output->damage_frame.link); | ||
| 748 | |||
| 745 | transaction_commit_dirty(); | 749 | transaction_commit_dirty(); |
| 746 | } | 750 | } |
| 747 | 751 | ||
| @@ -785,8 +789,6 @@ static void handle_destroy(struct wl_listener *listener, void *data) { | |||
| 785 | wl_list_remove(&output->transform.link); | 789 | wl_list_remove(&output->transform.link); |
| 786 | wl_list_remove(&output->scale.link); | 790 | wl_list_remove(&output->scale.link); |
| 787 | wl_list_remove(&output->present.link); | 791 | wl_list_remove(&output->present.link); |
| 788 | wl_list_remove(&output->damage_destroy.link); | ||
| 789 | wl_list_remove(&output->damage_frame.link); | ||
| 790 | 792 | ||
| 791 | transaction_commit_dirty(); | 793 | transaction_commit_dirty(); |
| 792 | 794 | ||