output: remove damage listeners in damage destroy #5181
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Emantor
force-pushed
the
fix/after_free_output
branch
from
1d44ceb
to
6a5a070
Compare
|
Code LGTM |
Instead of removing the destroy listeners in the output destroy, remove
them in the damage destroy handler. Fixes the following use after free:
==646625==ERROR: AddressSanitizer: heap-use-after-free on address 0x61200017cab8 at pc 0x0000004f8f29 bp 0x7ffdf465ad30 sp 0x7ffdf465ad20
WRITE of size 8 at 0x61200017cab8 thread T0
#0 0x4f8f28 in wl_list_remove ../common/list.c:181
swaywm#1 0x43dd24 in handle_destroy ../sway/desktop/output.c:790
(`wl_list_remove(&output->damage_destroy.link);` here, 214e3030e1dce master branch)
swaywm#2 0x7f0e573a1c93 in wlr_signal_emit_safe ../util/signal.c:29
swaywm#3 0x7f0e57390954 in wlr_output_destroy ../types/wlr_output.c:365
swaywm#4 0x7f0e5735e37f in backend_destroy ../backend/x11/backend.c:128
swaywm#5 0x7f0e57348147 in wlr_backend_destroy ../backend/backend.c:47
swaywm#6 0x7f0e57356f75 in multi_backend_destroy ../backend/multi/backend.c:54
swaywm#7 0x7f0e5735710e in handle_display_destroy ../backend/multi/backend.c:107
swaywm#8 0x7f0e573f23e4 in wl_display_destroy (/lib64/libwayland-server.so.0+0x93e4)
swaywm#9 0x42f0b2 in server_fini ../sway/server.c:177
swaywm#10 0x42dd01 in main ../sway/main.c:414
swaywm#11 0x7f0e570f7041 in __libc_start_main (/lib64/libc.so.6+0x27041)
swaywm#12 0x40e3bd in _start (/opt/wayland/bin/sway+0x40e3bd)
0x61200017cab8 is located 120 bytes inside of 320-byte region [0x61200017ca40,0x61200017cb80)
freed by thread T0 here:
#0 0x7f0e57aa9357 in __interceptor_free (/lib64/libasan.so.6+0xb0357)
swaywm#1 0x7f0e5738b877 in wlr_output_damage_destroy ../types/wlr_output_damage.c:143
swaywm#2 0x7f0e5738b2b9 in output_handle_destroy ../types/wlr_output_damage.c:13
swaywm#3 0x7f0e573a1c93 in wlr_signal_emit_safe ../util/signal.c:29
swaywm#4 0x7f0e57390954 in wlr_output_destroy ../types/wlr_output.c:365
swaywm#5 0x7f0e5735e37f in backend_destroy ../backend/x11/backend.c:128
swaywm#6 0x7f0e57348147 in wlr_backend_destroy ../backend/backend.c:47
swaywm#7 0x7f0e57356f75 in multi_backend_destroy ../backend/multi/backend.c:54
swaywm#8 0x7f0e5735710e in handle_display_destroy ../backend/multi/backend.c:107
swaywm#9 0x7f0e573f23e4 in wl_display_destroy (/lib64/libwayland-server.so.0+0x93e4)
previously allocated by thread T0 here:
#0 0x7f0e57aa9887 in __interceptor_calloc (/lib64/libasan.so.6+0xb0887)
swaywm#1 0x7f0e5738b532 in wlr_output_damage_create ../types/wlr_output_damage.c:91
swaywm#2 0x43e4a7 in handle_new_output ../sway/desktop/output.c:875
swaywm#3 0x7f0e573a1c93 in wlr_signal_emit_safe ../util/signal.c:29
swaywm#4 0x7f0e57357261 in new_output_reemit ../backend/multi/backend.c:143
swaywm#5 0x7f0e573a1c93 in wlr_signal_emit_safe ../util/signal.c:29
swaywm#6 0x7f0e5736030a in wlr_x11_output_create ../backend/x11/output.c:253
swaywm#7 0x7f0e5735e309 in backend_start ../backend/x11/backend.c:113
swaywm#8 0x7f0e573480fb in wlr_backend_start ../backend/backend.c:36
swaywm#9 0x7f0e57356e61 in multi_backend_start ../backend/multi/backend.c:31
swaywm#10 0x7f0e573480fb in wlr_backend_start ../backend/backend.c:36
swaywm#11 0x42f4ba in server_start ../sway/server.c:205
swaywm#12 0x42dbd7 in main ../sway/main.c:394
swaywm#13 0x7f0e570f7041 in __libc_start_main (/lib64/libc.so.6+0x27041)
Fixes swaywm#5158
Emantor
force-pushed
the
fix/after_free_output
branch
from
6a5a070
to
a308599
Compare
|
Tested after fixing my test setup on NixOS. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Instead of removing the destroy listeners in the output destroy, remove
them in the damage destroy handler. Fixes the following use after free:
Fixes #5158
Draft because I can't currently test. Could you give this a try @martinetd?