https://bugs.kde.org/show_bug.cgi?id=520057

            Bug ID: 520057
           Summary: kwin_wayland crashes in Output::modeSize() on monitor
                    input switch — use-after-free in m_state.currentMode
    Classification: Plasma
           Product: kwin
Version First Reported In: git-stable-Plasma/5.27
          Platform: Kubuntu
                OS: Linux
            Status: REPORTED
          Severity: crash
          Priority: NOR
         Component: core
          Assignee: [email protected]
          Reporter: [email protected]
  Target Milestone: ---

Switching a physical monitor's input source away from and back to this machine
causes kwin_wayland to crash with SIGSEGV. Reproduces reliably on every input
switch with any Wayland window open. Does not require a VM to be running.

System:
- kwin 5.27.11 (kwin-wayland 4:5.27.11-0ubuntu3, Ubuntu 24.04)
- Plasma 5.27.12
- Qt 5.15.13
- Kernel 6.8.0-111-generic
- GPU: Intel UHD 770 (ADL-S GT1), Mesa 25.2.8, driver i915
- Single monitor, single GPU

Regression: did not occur on kernel 6.8.0-110. Only started after upgrading
to 6.8.0-111 on 2026-05-01.

Root cause: m_state.currentMode is a dangling pointer after the monitor
disconnect event frees the OutputMode object. A pending QTimer then fires
to send an XdgToplevelWindow configure event, calls Output::modeSize(),
passes the null guard (pointer is non-null but freed), and dereferences
garbage memory at output.cpp:194.

Stack trace:
  #0  KWin::OutputMode::size (this=0x300716572) at output.cpp:50
  #1  KWin::Output::modeSize at output.cpp:194
      return m_state.currentMode ? m_state.currentMode->size() : QSize();
  #2  KWin::Output::pixelSize at output.cpp:199
  #3  KWin::Output::fractionalGeometry at output.cpp:179
  #4  KWin::Workspace::clientArea (PlacementArea) at workspace.cpp:2469
  #5  KWin::Workspace::clientArea at workspace.cpp:2492
  #6  KWin::XdgToplevelWindow::sendRoleConfigure at xdgshellwindow.cpp:841
  #7  KWin::XdgSurfaceWindow::sendConfigure at xdgshellwindow.cpp:131
  #8  QTimer::timeout
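
Added illustration, not part of the report and not KWin code: a simplified C++
model of the sequence described above, in which the output observes its current
mode through a std::weak_ptr so the guard in modeSize() reflects whether the
mode object is still alive. Size, Mode, Output and configureAfter() are
hypothetical stand-ins, and the mode dimensions are constructed sample values.

```cpp
#include <functional>
#include <memory>

// Hypothetical stand-ins for the types named in the report (not KWin code).
struct Size { int w = 0; int h = 0; };

class Mode {
public:
    explicit Mode(Size s) : m_size(s) {}
    Size size() const { return m_size; }
private:
    Size m_size;
};

class Output {
public:
    void setCurrentMode(const std::shared_ptr<Mode> &mode) { m_currentMode = mode; }

    // A raw-pointer guard ("ptr ? ptr->size() : Size()") only tests for null;
    // a freed object still has a non-null address. lock() instead returns an
    // empty pointer once the mode has been destroyed, so the fallback is taken.
    Size modeSize() const {
        if (auto mode = m_currentMode.lock())
            return mode->size();
        return Size{};
    }
private:
    std::weak_ptr<Mode> m_currentMode; // observes; the owner lives elsewhere
};

// Replays the reported ordering: a configure callback is queued, the mode is
// optionally freed by a disconnect, then the callback runs.
Size configureAfter(bool disconnectFirst) {
    Output output;
    auto mode = std::make_shared<Mode>(Size{2560, 1440}); // constructed sample
    output.setCurrentMode(mode);
    std::function<Size()> pendingConfigure = [&output] { return output.modeSize(); };
    if (disconnectFirst)
        mode.reset(); // disconnect: the only owner drops the mode
    return pendingConfigure(); // the deferred timer callback fires afterwards
}

int main() {
    Size live = configureAfter(false);
    Size gone = configureAfter(true);
    return (live.w == 2560 && live.h == 1440 && gone.w == 0 && gone.h == 0) ? 0 : 1;
}
```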
