surface_commit_destroy() reads a field of
struct wlr_linux_drm_syncobj_surface_v1, but that struct may already have
been freed by the time it runs:
==1103==ERROR: AddressSanitizer: heap-use-after-free on address 0x7cdef7a6e288 at pc 0x7feefaac335a bp 0x7ffc4de8f570 sp 0x7ffc4de8f560
READ of size 8 at 0x7cdef7a6e288 thread T0
#0 0x7feefaac3359 in surface_commit_destroy ../subprojects/wlroots/types/wlr_linux_drm_syncobj_v1.c:195
#1 0x7feefaac34cd in surface_commit_handle_surface_destroy ../subprojects/wlroots/types/wlr_linux_drm_syncobj_v1.c:211
#2 0x7feefbd194cf in wl_signal_emit_mutable (/usr/lib/libwayland-server.so.0+0x84cf) (BuildId: b9664217748f523995e3f855fa197cf8e59942d1)
#3 0x7feefaa52b22 in surface_handle_resource_destroy ../subprojects/wlroots/types/wlr_compositor.c:730
#4 0x7feefbd1bb9f (/usr/lib/libwayland-server.so.0+0xab9f) (BuildId: b9664217748f523995e3f855fa197cf8e59942d1)
#5 0x7feefaa46a18 in surface_handle_destroy ../subprojects/wlroots/types/wlr_compositor.c:65
#6 0x7feef89afac5 (/usr/lib/libffi.so.8+0x7ac5) (BuildId: d5e3b0d8921923f35438adefa9f864745abc5e90)
#7 0x7feef89ac76a (/usr/lib/libffi.so.8+0x476a) (BuildId: d5e3b0d8921923f35438adefa9f864745abc5e90)
#8 0x7feef89af06d in ffi_call (/usr/lib/libffi.so.8+0x706d) (BuildId: d5e3b0d8921923f35438adefa9f864745abc5e90)
#9 0x7feefbd17531 (/usr/lib/libwayland-server.so.0+0x6531) (BuildId: b9664217748f523995e3f855fa197cf8e59942d1)
#10 0x7feefbd1cd2f (/usr/lib/libwayland-server.so.0+0xbd2f) (BuildId: b9664217748f523995e3f855fa197cf8e59942d1)
#11 0x7feefbd1b181 in wl_event_loop_dispatch (/usr/lib/libwayland-server.so.0+0xa181) (BuildId: b9664217748f523995e3f855fa197cf8e59942d1)
#12 0x7feefbd1d296 in wl_display_run (/usr/lib/libwayland-server.so.0+0xc296) (BuildId: b9664217748f523995e3f855fa197cf8e59942d1)
#13 0x555bf0a55a40 in server_run ../sway/server.c:615
#14 0x555bf0a4a654 in main ../sway/main.c:376
#15 0x7feef9227674 (/usr/lib/libc.so.6+0x27674) (BuildId: 4fe011c94a88e8aeb6f2201b9eb369f42b4a1e9e)
#16 0x7feef9227728 in __libc_start_main (/usr/lib/libc.so.6+0x27728) (BuildId: 4fe011c94a88e8aeb6f2201b9eb369f42b4a1e9e)
#17 0x555bf0a03f54 in _start (/home/leo/code/stuff/sway/build/sway/sway+0x390f54) (BuildId: e3d4e653af1aa0885f0426c403e16fc87c086d33)
0x7cdef7a6e288 is located 8 bytes inside of 176-byte region [0x7cdef7a6e280,0x7cdef7a6e330)
freed by thread T0 here:
#0 0x7feefb71f79d in free /usr/src/debug/gcc/gcc/libsanitizer/asan/asan_malloc_linux.cpp:51
#1 0x7feefaac29f1 in surface_destroy ../subprojects/wlroots/types/wlr_linux_drm_syncobj_v1.c:84
#2 0x7feefaac2e47 in surface_handle_resource_destroy ../subprojects/wlroots/types/wlr_linux_drm_syncobj_v1.c:143
#3 0x7feefbd1bb9f (/usr/lib/libwayland-server.so.0+0xab9f) (BuildId: b9664217748f523995e3f855fa197cf8e59942d1)
#4 0x7feefaac2a12 in surface_handle_destroy ../subprojects/wlroots/types/wlr_linux_drm_syncobj_v1.c:89
#5 0x7feef89afac5 (/usr/lib/libffi.so.8+0x7ac5) (BuildId: d5e3b0d8921923f35438adefa9f864745abc5e90)
previously allocated by thread T0 here:
#0 0x7feefb7205dd in calloc /usr/src/debug/gcc/gcc/libsanitizer/asan/asan_malloc_linux.cpp:74
#1 0x7feefaac4abd in manager_handle_get_surface ../subprojects/wlroots/types/wlr_linux_drm_syncobj_v1.c:313
#2 0x7feef89afac5 (/usr/lib/libffi.so.8+0x7ac5) (BuildId: d5e3b0d8921923f35438adefa9f864745abc5e90)
Fix this by storing the struct wlr_surface in the field.
Closes: https://github.com/swaywm/sway/issues/8917