Re: When starting Evolution /usr/lib/gdm3/gdm-x-session[2309]: (II) modeset information is printed to syslog

[Chris]

On Wed, 2018-09-05 at 15:16 -0400, Adam Jackson wrote:
> On Sat, 2018-09-01 at 10:24 -0500, Chris wrote:
> 
> > When starting Evolution this is output to syslog and periodically
> > after it's running:
> > 
> > https://pastebin.com/zndBukUG
> 
> Evolution, or something it provokes, is asking the server for the
> list
> of available video modes. It's doing so with XRRGetScreenResources(),
> apparently, which prompts the X server to go re-check every available
> output to see if anything has changed. This is silly, it should be
> using XRRGetScreenResourcesCurrent() and relying on hotplug events to
> trigger re-polling. Now, maybe the X server shouldn't print the modes
> in the log when that happens, but maybe the client shouldn't be ten
> years behind the times in its API usage.
> 
> In other words, I think this is a gnome bug.
> 
> - ajax
> 

Thanks Adam, I have filed a bug report here -
https://bugs.launchpad.net/ubuntu/+source/xorg-server/+bug/1788739
and here
https://bugs.freedesktop.org/show_bug.cgi?id=107841

Since the output refers to /usr/lib/gdm3/gdm-x-session I'm going to
file a bug report on Gnome Bugzilla under gdm and see how that goes.

Chris

-- 
Chris
KeyID 0xE372A7DA98E6705C
31.11972; -97.90167 (Elev. 1092 ft)
15:16:34 up 5 days, 4:34, 2 users, load average: 0.71, 1.05, 1.08
Description:Ubuntu 18.04.1 LTS, kernel 4.15.0-33-generic

signature.asc
Description: This is a digitally signed message part
___
xorg@lists.x.org: X.Org support
Archives: http://lists.freedesktop.org/archives/xorg
Info: https://lists.x.org/mailman/listinfo/xorg
Your subscription address: %(user_address)s

Re: When starting Evolution /usr/lib/gdm3/gdm-x-session[2309]: (II) modeset information is printed to syslog

[Adam Jackson]

On Sat, 2018-09-01 at 10:24 -0500, Chris wrote:

> When starting Evolution this is output to syslog and periodically after it's 
> running:
> 
> https://pastebin.com/zndBukUG

Evolution, or something it provokes, is asking the server for the list
of available video modes. It's doing so with XRRGetScreenResources(),
apparently, which prompts the X server to go re-check every available
output to see if anything has changed. This is silly, it should be
using XRRGetScreenResourcesCurrent() and relying on hotplug events to
trigger re-polling. Now, maybe the X server shouldn't print the modes
in the log when that happens, but maybe the client shouldn't be ten
years behind the times in its API usage.

In other words, I think this is a gnome bug.

- ajax
___
xorg@lists.x.org: X.Org support
Archives: http://lists.freedesktop.org/archives/xorg
Info: https://lists.x.org/mailman/listinfo/xorg
Your subscription address: %(user_address)s

Re: Smooth gdm -> GNOME3 session transition broken with 1.20 modesetting driver

[Daniel Stone]

Hi Hans,

On Wed, 5 Sep 2018 at 19:23, Hans de Goede  wrote:
> Under Fedora 29 (xserver-1.20) the transition from GDM to
> the GNOME3 session is no longer smooth, it seems that the
> screen is cleared to black when the Xserver starts instead
> of inheriting the framebuffer contents from GDM as before.
>
> Changing the DDX driver from modesetting to intel fixes this,
> I think this may be caused by the new atomic support in the
> modesetting driver.

It's caused by support for modifiers: this allows Mesa to use a
multi-planar framebuffer (auxiliary compression plane), which the new
X server can't then read back from because drmModeGetFB only supports
a single plane. I've written up the patches to do that[0], but last
time I tried to respin the current mainline was broken and didn't
actually boot. I've actually just picked that up this week and am
planning to send a new series out tomorrow.

[0]: https://lists.freedesktop.org/archives/xorg-devel/2018-March/056363.html

Cheers,
Daniel
___
xorg-devel@lists.x.org: X.Org development
Archives: http://lists.x.org/archives/xorg-devel
Info: https://lists.x.org/mailman/listinfo/xorg-devel

Smooth gdm -> GNOME3 session transition broken with 1.20 modesetting driver

[Hans de Goede]

Hi All,

Under Fedora 29 (xserver-1.20) the transition from GDM to
the GNOME3 session is no longer smooth, it seems that the
screen is cleared to black when the Xserver starts instead
of inheriting the framebuffer contents from GDM as before.

Changing the DDX driver from modesetting to intel fixes this,
I think this may be caused by the new atomic support in the
modesetting driver.

Note if you try to reproduce this on Fedora 29 recent
gdm versions also have some issues (*) which cause the
transition to be non smooth it is best to downgrade
gdm to 3.28.x (from koji) and then try with the intel
ddx vs the modesetting ddx to clearly see the difference.

Regards,

Hans



*) These are mostly fixed, but not entirely yet, see:
https://gitlab.gnome.org/GNOME/gdm/merge_requests/45
___
xorg-devel@lists.x.org: X.Org development
Archives: http://lists.x.org/archives/xorg-devel
Info: https://lists.x.org/mailman/listinfo/xorg-devel

Re: WebKit failing to find GLXFBConfig, confusion around fbconfigs + swrast

[Emil Velikov]

Hi Daniel,

On 27 August 2018 at 09:07, Daniel Drake  wrote:

> Questions:
>
> 1. What should webkit be doing in event of it not being to find a
> GLXFBConfig that corresponds to the X visual of it's window?
>
>
Attempt another config that user(webkit) knows how to work with?

> 2. Why is swrast coming into the picture? Is swrast being used for rendering?
>

You're using the modesetting DDX, so the 2D acceleration comes from
glamor/OpenGL.
When the driver name cannot be retrieved, glamor will use ... well no
driver - aka swrast.

Possible solutions/workarounds:
 - try the intel ddx - not everyone is using it, it sees development
yet no releases :-\
 - audit the codepaths if one cannot get the driver name otherwise

> 4. Why is there still a list of PCI IDs in the X server?
>
Nobody had the time/interest to fix that up. I did fold the 5 (IIRC)
different codepaths in Mesa down to 1.
ETIME and EWORK kind of got in the way of fixing up the X server.

I guess it could go up my priority list, if employer (Collabora) suggests it ;-)

HTH
Emil
___
xorg-devel@lists.x.org: X.Org development
Archives: http://lists.x.org/archives/xorg-devel
Info: https://lists.x.org/mailman/listinfo/xorg-devel

[Bug 107838] kernel mode setting detects unsupported screen resolutions

[bugzilla-daemon]

https://bugs.freedesktop.org/show_bug.cgi?id=107838

Michel Dänzer  changed:

   What|Removed |Added

   Assignee|xorg-driver-ati@lists.x.org |xorg-t...@lists.x.org
  Component|Driver/AMDgpu   |Driver/modesetting

--- Comment #1 from Michel Dänzer  ---
This is the doing of the Xorg modesetting driver, nothing to do with the
kernel.

-- 
You are receiving this mail because:
You are the assignee for the bug.___
xorg-driver-ati mailing list
xorg-driver-ati@lists.x.org
https://lists.x.org/mailman/listinfo/xorg-driver-ati

[PATCH xserver] glx: check for indirect context in CreateContextAttribsARB()

[Olivier Fourdan]

Commit 99f0365b "Add a command line argument for disabling indirect GLX"
added a test to check if indirect context are enabled in
`DoCreateContext()` but `__glXDisp_CreateContextAttribsARB()` doesn't
use `DoCreateContext()` and doesn't check if indirect context is
enabled.

As a result, clients can still manage to create indirect contexts using
`glXCreateContextAttribsARB()` even if indirect contexts are disabled,
which can possibly crash Xservers such as Xwayland or Xephyr when the
context is destroyed.

To avoid the issue, check for `enableIndirectGLX` in
`__glXDisp_CreateContextAttribsARB()` as well.

Fixes: 99f0365b "Add a command line argument for disabling indirect GLX"
Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=107508
Signed-off-by: Olivier Fourdan 
---
 glx/createcontext.c | 12 
 1 file changed, 12 insertions(+)

diff --git a/glx/createcontext.c b/glx/createcontext.c
index 7d09c3a1c..24b02ddfb 100644
--- a/glx/createcontext.c
+++ b/glx/createcontext.c
@@ -28,6 +28,7 @@
 #include "glxserver.h"
 #include "glxext.h"
 #include "indirect_dispatch.h"
+#include "opaque.h"
 
 #define ALL_VALID_FLAGS \
 (GLX_CONTEXT_DEBUG_BIT_ARB | GLX_CONTEXT_FORWARD_COMPATIBLE_BIT_ARB \
@@ -320,6 +321,17 @@ __glXDisp_CreateContextAttribsARB(__GLXclientState * cl, 
GLbyte * pc)
 err = BadAlloc;
 }
 else {
+/* Only allow creating indirect GLX contexts if allowed by
+ * server command line.  Indirect GLX is of limited use (since
+ * it's only GL 1.4), it's slower than direct contexts, and
+ * it's a massive attack surface for buffer overflow type
+ * errors.
+ */
+if (!enableIndirectGLX) {
+client->errorValue = req->isDirect;
+return BadValue;
+}
+
 ctx = glxScreen->createContext(glxScreen, config, shareCtx,
req->numAttribs, (uint32_t *) attribs,
);
-- 
2.17.1

___
xorg-devel@lists.x.org: X.Org development
Archives: http://lists.x.org/archives/xorg-devel
Info: https://lists.x.org/mailman/listinfo/xorg-devel

[Bug 107838] New: kernel mode setting detects unsupported screen resolutions

[bugzilla-daemon]

https://bugs.freedesktop.org/show_bug.cgi?id=107838

Bug ID: 107838
   Summary: kernel mode setting detects unsupported screen
resolutions
   Product: xorg
   Version: unspecified
  Hardware: Other
OS: All
Status: NEW
  Severity: normal
  Priority: medium
 Component: Driver/AMDgpu
  Assignee: xorg-driver-ati@lists.x.org
  Reporter: germano.massu...@gmail.com
QA Contact: xorg-t...@lists.x.org

Kernel mode setting seems to detect resolutions not supported by the screen, so
you may be stuck in out of range screen error while using certain applications.
Later I tested the installation of xorg-x11-drv-amdgpu Fedora package, and
indeed the problem disappeared

Note: in both tests the machine has been started with grub command line
argument amdgpu.dc=0 due bugreport
https://bugs.freedesktop.org/show_bug.cgi?id=107465


Kernel 4.17.19-200.fc28.x86_64
# lspci -k | grep -iA 3 vga
01:00.0 VGA compatible controller: Advanced Micro Devices, Inc. [AMD/ATI]
Ellesmere [Radeon RX 470/480/570/570X/580/580X] (rev c7)
Subsystem: XFX Pine Group Inc. Radeon RX 480
Kernel driver in use: amdgpu
Kernel modules: amdgpu

Screen ViewSonic VX2268wm

$ xrandr
Screen 0: minimum 320 x 200, current 1680 x 1050, maximum 16384 x 16384
DP-1 disconnected (normal left inverted right x axis y axis)
DP-2 disconnected (normal left inverted right x axis y axis)
DP-3 disconnected (normal left inverted right x axis y axis)
HDMI-1 disconnected (normal left inverted right x axis y axis)
DVI-D-1 connected primary 1680x1050+0+0 (normal left inverted right x axis y
axis) 474mm x 296mm
   1680x1050 59.95 + 120.00*  110.00   100.0059.88  
   1600x1200 85.0075.0070.0065.0060.00  
   1400x1050 74.7659.9859.95  
   1600x900  59.9959.9459.9559.82  
   1280x1024 85.0275.0260.02  
   1440x900  59.90  
   1400x900  59.9659.88  
   1280x960  85.0060.00  
   1440x810  60.0059.97  
   1368x768  59.8859.85  
   1280x800  59.9959.9759.8159.91  
   1152x864  75.00  
   1280x720  60.0059.9959.8659.74  
   1024x768  85.0075.0560.0485.0075.0370.0760.00  
   1024x768i 86.96  
   960x720   85.0075.0060.00  
   928x696   75.0060.05  
   896x672   75.0560.01  
   1024x576  59.9559.9659.9059.82  
   960x600   59.9360.00  
   832x624   74.55  
   960x540   59.9659.9959.6359.82  
   800x600   85.0075.0070.0065.0060.0085.1472.19   
75.0060.3256.25  
   840x525   60.0159.88  
   864x486   59.9259.57  
   700x525   74.7659.98  
   800x450   59.9559.82  
   640x512   85.0275.0260.02  
   700x450   59.9659.88  
   640x480   85.0960.0085.0175.0072.8175.0066.67   
60.0059.94  
   720x405   59.5158.99  
   720x400   85.0470.08  
   684x384   59.8859.85  
   640x400   59.8859.9885.0870.01  
   576x432   75.00  
   640x360   59.8659.8359.8459.32  
   640x350   85.08  
   512x384   85.0075.0370.0760.00  
   512x384i  87.06  
   512x288   60.0059.92  
   416x312   74.66  
   480x270   59.6359.82  
   400x300   85.2772.1975.1260.3256.34  
   432x243   59.9259.57  
   320x240   85.1872.8175.0060.05  
   360x202   59.5159.13  
   360x200   85.04  
   320x200   85.27  
   320x180   59.8459.32  
   320x175   85.27  



$ xrandr output with package xorg-x11-drv-amdgpu installed
Screen 0: minimum 320 x 200, current 1680 x 1050, maximum 16384 x 16384
DisplayPort-0 disconnected (normal left inverted right x axis y axis)
DisplayPort-1 disconnected (normal left inverted right x axis y axis)
DisplayPort-2 disconnected (normal left inverted right x axis y axis)
HDMI-A-0 disconnected (normal left inverted right x axis y axis)
DVI-D-0 connected primary 1680x1050+0+0 (normal left inverted right x axis y
axis) 474mm x 296mm
   1680x1050 59.95 + 120.00*  110.00   100.00  
   1600x1200 60.00  
   1400x1050 59.95  
   1280x1024 75.0260.02  
   1440x900  59.90  
   1280x960  60.00  
   1152x864  75.00  
   1024x768  75.0370.0760.00  
   832x624   74.55  
   800x600   72.1975.0060.3256.25  
   640x480   75.0072.8166.6760.0059.94  
   720x400   70.08  
   640x400   70.01

-- 
You are receiving this mail because:
You are the assignee for the bug.___
xorg-driver-ati mailing list
xorg-driver-ati@lists.x.org
https://lists.x.org/mailman/listinfo/xorg-driver-ati

Re: [PATCH v2] present: fix freed pointer access

[Olivier Fourdan]

Hi,

On Tue, Sep 4, 2018 at 6:28 PM Lionel Landwerlin
 wrote:
>
> Oh well...
> I'm sure you'll be able to fix it faster than me :)
>
> -
> Lionel
>
> On 04/09/2018 16:27, Roman Gilg wrote:
>
> Ok, I just got a failing assert in xwl_present_flips_stop with the patch when 
> opening a context menu in Steam. Seems the xwl_present_flips_stop call is 
> coming in too late now after the presenting window has already been changed.
>
[...]

If I read bug 107314 correctly, the crash occurs after the window has
been destroyed, so what about that other patch:

https://patchwork.freedesktop.org/patch/247271/

** plus ** this patch below (just copied for testing purpose), does it
fix th your crash?

From 676597fcd6ee907f4d3f165dd0b5de746f7c8131 Mon Sep 17 00:00:00 2001
From: Olivier Fourdan 
Date: Wed, 5 Sep 2018 13:08:03 +0200
Subject: [PATCH xserver] xwayland: ignore sync callback if window is destroyed

If the window is destroyed, there is no need to send the vblank notify
event.

This should avoid a crash in present_vblank_notify()

Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=107314
Signed-off-by: Olivier Fourdan 
---
 hw/xwayland/xwayland-present.c | 4 
 1 file changed, 4 insertions(+)

diff --git a/hw/xwayland/xwayland-present.c b/hw/xwayland/xwayland-present.c
index 316e04443..b1751c846 100644
--- a/hw/xwayland/xwayland-present.c
+++ b/hw/xwayland/xwayland-present.c
@@ -276,6 +276,10 @@ xwl_present_sync_callback(void *data,

 event->pending = FALSE;

+/* Is the window destroyed already ? */
+if (!xwl_present_window)
+return;
+
 if (event->abort) {
 /* Event might have been aborted */
 if (event->buffer_released)
-- 
2.17.1
___
xorg-devel@lists.x.org: X.Org development
Archives: http://lists.x.org/archives/xorg-devel
Info: https://lists.x.org/mailman/listinfo/xorg-devel

Re: [PATCH xserver v3] xwayland: Remove xwl_present_window from privates on cleanup

[Lionel Landwerlin]

On 05/09/2018 11:44, Olivier Fourdan wrote:

Hi,

On Wed, Sep 5, 2018 at 12:05 PM Lionel Landwerlin
 wrote:

On 05/09/2018 09:49, Olivier Fourdan wrote:

[...]
This is because `xwl_present_cleanup()` frees the memory but does not
remove it from the window's privates, and `xwl_present_abort_vblank()`
will still find it and hence try to access that freed memory...

Remove `xwl_present_window` from window's privates on cleanup so that no
other function can find and reuse that data once it's freed.

Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1616269


We also have this fdo bug :
https://bugs.freedesktop.org/show_bug.cgi?id=107314

Yeap, I know about this bug and the patch you sent, but the backtrace
is different, it doesn't occur on DestroyWindow(), so I doubt this is
the same (unless you tried my fix and it fixes your issue as well...)

Cheers,
Olivier
___



Oops indeed.


___
xorg-devel@lists.x.org: X.Org development
Archives: http://lists.x.org/archives/xorg-devel
Info: https://lists.x.org/mailman/listinfo/xorg-devel

Re: [PATCH xserver v3] xwayland: Remove xwl_present_window from privates on cleanup

[Olivier Fourdan]

Hi,

On Wed, Sep 5, 2018 at 12:05 PM Lionel Landwerlin
 wrote:
>
> On 05/09/2018 09:49, Olivier Fourdan wrote:
> > [...]
> > This is because `xwl_present_cleanup()` frees the memory but does not
> > remove it from the window's privates, and `xwl_present_abort_vblank()`
> > will still find it and hence try to access that freed memory...
> >
> > Remove `xwl_present_window` from window's privates on cleanup so that no
> > other function can find and reuse that data once it's freed.
> >
> > Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1616269
>
>
> We also have this fdo bug :
> https://bugs.freedesktop.org/show_bug.cgi?id=107314

Yeap, I know about this bug and the patch you sent, but the backtrace
is different, it doesn't occur on DestroyWindow(), so I doubt this is
the same (unless you tried my fix and it fixes your issue as well...)

Cheers,
Olivier
___
xorg-devel@lists.x.org: X.Org development
Archives: http://lists.x.org/archives/xorg-devel
Info: https://lists.x.org/mailman/listinfo/xorg-devel

Re: [PATCH xserver v3] xwayland: Remove xwl_present_window from privates on cleanup

[Lionel Landwerlin]

On 05/09/2018 09:49, Olivier Fourdan wrote:

Xwayland's `xwl_destroy_window()` invokes `xwl_present_cleanup()`
before the common `DestroyWindow()`.

But then `DestroyWindow()` calls `present_destroy_window()` which will
possibly end up in `xwl_present_abort_vblank()` which will try to access
data that was previously freed by `xwl_present_cleanup()`:

   Invalid read of size 8
  at 0x434184: xwl_present_abort_vblank (xwayland-present.c:378)
  by 0x53785B: present_wnmd_abort_vblank (present_wnmd.c:651)
  by 0x53695A: present_free_window_vblank (present_screen.c:87)
  by 0x53695A: present_destroy_window (present_screen.c:152)
  by 0x42A90D: xwl_destroy_window (xwayland.c:653)
  by 0x584298: compDestroyWindow (compwindow.c:613)
  by 0x53CEE3: damageDestroyWindow (damage.c:1570)
  by 0x4F1BB8: DbeDestroyWindow (dbe.c:1326)
  by 0x46F7F6: FreeWindowResources (window.c:1031)
  by 0x472847: DeleteWindow (window.c:1099)
  by 0x46B54C: doFreeResource (resource.c:880)
  by 0x46C706: FreeClientResources (resource.c:1146)
  by 0x446ADE: CloseDownClient (dispatch.c:3473)
Address 0x182abde0 is 80 bytes inside a block of size 112 free'd
  at 0x4C2FDAC: free (vg_replace_malloc.c:530)
  by 0x42A937: xwl_destroy_window (xwayland.c:647)
  by 0x584298: compDestroyWindow (compwindow.c:613)
  by 0x53CEE3: damageDestroyWindow (damage.c:1570)
  by 0x4F1BB8: DbeDestroyWindow (dbe.c:1326)
  by 0x46F7F6: FreeWindowResources (window.c:1031)
  by 0x472847: DeleteWindow (window.c:1099)
  by 0x46B54C: doFreeResource (resource.c:880)
  by 0x46C706: FreeClientResources (resource.c:1146)
  by 0x446ADE: CloseDownClient (dispatch.c:3473)
  by 0x446DA5: ProcKillClient (dispatch.c:3279)
  by 0x4476AF: Dispatch (dispatch.c:479)
Block was alloc'd at
  at 0x4C30B06: calloc (vg_replace_malloc.c:711)
  by 0x433F46: xwl_present_window_get_priv (xwayland-present.c:54)
  by 0x434228: xwl_present_get_crtc (xwayland-present.c:302)
  by 0x539728: proc_present_query_capabilities (present_request.c:227)
  by 0x4476AF: Dispatch (dispatch.c:479)
  by 0x44B5B5: dix_main (main.c:276)
  by 0x75F611A: (below main) (libc-start.c:308)

This is because `xwl_present_cleanup()` frees the memory but does not
remove it from the window's privates, and `xwl_present_abort_vblank()`
will still find it and hence try to access that freed memory...

Remove `xwl_present_window` from window's privates on cleanup so that no
other function can find and reuse that data once it's freed.

Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1616269



We also have this fdo bug : 
https://bugs.freedesktop.org/show_bug.cgi?id=107314




Signed-off-by: Olivier Fourdan 
---
  v2: Remove leftovers from broken initial patch...
  v3: Rephrase non-sensical explanation of the fix

  hw/xwayland/xwayland-present.c | 5 +
  1 file changed, 5 insertions(+)

diff --git a/hw/xwayland/xwayland-present.c b/hw/xwayland/xwayland-present.c
index 81e0eb9ce..316e04443 100644
--- a/hw/xwayland/xwayland-present.c
+++ b/hw/xwayland/xwayland-present.c
@@ -147,6 +147,11 @@ xwl_present_cleanup(WindowPtr window)
  /* Clear timer */
  xwl_present_free_timer(xwl_present_window);
  
+/* Remove from privates so we don't try to access it later */

+dixSetPrivate(>devPrivates,
+  _present_window_private_key,
+  NULL);
+
  free(xwl_present_window);
  }
  



___
xorg-devel@lists.x.org: X.Org development
Archives: http://lists.x.org/archives/xorg-devel
Info: https://lists.x.org/mailman/listinfo/xorg-devel

[PATCH xserver v3] xwayland: Remove xwl_present_window from privates on cleanup

[Olivier Fourdan]

Xwayland's `xwl_destroy_window()` invokes `xwl_present_cleanup()`
before the common `DestroyWindow()`.

But then `DestroyWindow()` calls `present_destroy_window()` which will
possibly end up in `xwl_present_abort_vblank()` which will try to access
data that was previously freed by `xwl_present_cleanup()`:

  Invalid read of size 8
 at 0x434184: xwl_present_abort_vblank (xwayland-present.c:378)
 by 0x53785B: present_wnmd_abort_vblank (present_wnmd.c:651)
 by 0x53695A: present_free_window_vblank (present_screen.c:87)
 by 0x53695A: present_destroy_window (present_screen.c:152)
 by 0x42A90D: xwl_destroy_window (xwayland.c:653)
 by 0x584298: compDestroyWindow (compwindow.c:613)
 by 0x53CEE3: damageDestroyWindow (damage.c:1570)
 by 0x4F1BB8: DbeDestroyWindow (dbe.c:1326)
 by 0x46F7F6: FreeWindowResources (window.c:1031)
 by 0x472847: DeleteWindow (window.c:1099)
 by 0x46B54C: doFreeResource (resource.c:880)
 by 0x46C706: FreeClientResources (resource.c:1146)
 by 0x446ADE: CloseDownClient (dispatch.c:3473)
   Address 0x182abde0 is 80 bytes inside a block of size 112 free'd
 at 0x4C2FDAC: free (vg_replace_malloc.c:530)
 by 0x42A937: xwl_destroy_window (xwayland.c:647)
 by 0x584298: compDestroyWindow (compwindow.c:613)
 by 0x53CEE3: damageDestroyWindow (damage.c:1570)
 by 0x4F1BB8: DbeDestroyWindow (dbe.c:1326)
 by 0x46F7F6: FreeWindowResources (window.c:1031)
 by 0x472847: DeleteWindow (window.c:1099)
 by 0x46B54C: doFreeResource (resource.c:880)
 by 0x46C706: FreeClientResources (resource.c:1146)
 by 0x446ADE: CloseDownClient (dispatch.c:3473)
 by 0x446DA5: ProcKillClient (dispatch.c:3279)
 by 0x4476AF: Dispatch (dispatch.c:479)
   Block was alloc'd at
 at 0x4C30B06: calloc (vg_replace_malloc.c:711)
 by 0x433F46: xwl_present_window_get_priv (xwayland-present.c:54)
 by 0x434228: xwl_present_get_crtc (xwayland-present.c:302)
 by 0x539728: proc_present_query_capabilities (present_request.c:227)
 by 0x4476AF: Dispatch (dispatch.c:479)
 by 0x44B5B5: dix_main (main.c:276)
 by 0x75F611A: (below main) (libc-start.c:308)

This is because `xwl_present_cleanup()` frees the memory but does not
remove it from the window's privates, and `xwl_present_abort_vblank()`
will still find it and hence try to access that freed memory...

Remove `xwl_present_window` from window's privates on cleanup so that no
other function can find and reuse that data once it's freed.

Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1616269
Signed-off-by: Olivier Fourdan 
---
 v2: Remove leftovers from broken initial patch...
 v3: Rephrase non-sensical explanation of the fix

 hw/xwayland/xwayland-present.c | 5 +
 1 file changed, 5 insertions(+)

diff --git a/hw/xwayland/xwayland-present.c b/hw/xwayland/xwayland-present.c
index 81e0eb9ce..316e04443 100644
--- a/hw/xwayland/xwayland-present.c
+++ b/hw/xwayland/xwayland-present.c
@@ -147,6 +147,11 @@ xwl_present_cleanup(WindowPtr window)
 /* Clear timer */
 xwl_present_free_timer(xwl_present_window);
 
+/* Remove from privates so we don't try to access it later */
+dixSetPrivate(>devPrivates,
+  _present_window_private_key,
+  NULL);
+
 free(xwl_present_window);
 }
 
-- 
2.17.1

___
xorg-devel@lists.x.org: X.Org development
Archives: http://lists.x.org/archives/xorg-devel
Info: https://lists.x.org/mailman/listinfo/xorg-devel

Re: [PATCH xserver v2] xwayland: Remove xwl_present_window from privates on cleanup

[Michel Dänzer]

On 2018-09-05 10:35 a.m., Olivier Fourdan wrote:
> Xwayland's `xwl_destroy_window()` invokes `xwl_present_cleanup()`
> before the common `DestroyWindow()`.
> 
> But then `DestroyWindow()` calls `present_destroy_window()` which will
> possibly end up in `xwl_present_abort_vblank()` which will try to access
> data that was previously freed by `xwl_present_cleanup()`:
> 
>   Invalid read of size 8
>  at 0x434184: xwl_present_abort_vblank (xwayland-present.c:378)
>  by 0x53785B: present_wnmd_abort_vblank (present_wnmd.c:651)
>  by 0x53695A: present_free_window_vblank (present_screen.c:87)
>  by 0x53695A: present_destroy_window (present_screen.c:152)
>  by 0x42A90D: xwl_destroy_window (xwayland.c:653)
>  by 0x584298: compDestroyWindow (compwindow.c:613)
>  by 0x53CEE3: damageDestroyWindow (damage.c:1570)
>  by 0x4F1BB8: DbeDestroyWindow (dbe.c:1326)
>  by 0x46F7F6: FreeWindowResources (window.c:1031)
>  by 0x472847: DeleteWindow (window.c:1099)
>  by 0x46B54C: doFreeResource (resource.c:880)
>  by 0x46C706: FreeClientResources (resource.c:1146)
>  by 0x446ADE: CloseDownClient (dispatch.c:3473)
>Address 0x182abde0 is 80 bytes inside a block of size 112 free'd
>  at 0x4C2FDAC: free (vg_replace_malloc.c:530)
>  by 0x42A937: xwl_destroy_window (xwayland.c:647)
>  by 0x584298: compDestroyWindow (compwindow.c:613)
>  by 0x53CEE3: damageDestroyWindow (damage.c:1570)
>  by 0x4F1BB8: DbeDestroyWindow (dbe.c:1326)
>  by 0x46F7F6: FreeWindowResources (window.c:1031)
>  by 0x472847: DeleteWindow (window.c:1099)
>  by 0x46B54C: doFreeResource (resource.c:880)
>  by 0x46C706: FreeClientResources (resource.c:1146)
>  by 0x446ADE: CloseDownClient (dispatch.c:3473)
>  by 0x446DA5: ProcKillClient (dispatch.c:3279)
>  by 0x4476AF: Dispatch (dispatch.c:479)
>Block was alloc'd at
>  at 0x4C30B06: calloc (vg_replace_malloc.c:711)
>  by 0x433F46: xwl_present_window_get_priv (xwayland-present.c:54)
>  by 0x434228: xwl_present_get_crtc (xwayland-present.c:302)
>  by 0x539728: proc_present_query_capabilities (present_request.c:227)
>  by 0x4476AF: Dispatch (dispatch.c:479)
>  by 0x44B5B5: dix_main (main.c:276)
>  by 0x75F611A: (below main) (libc-start.c:308)
> 
> This is because `xwl_present_cleanup()` frees the memory but does not
> remove it from the window's privates, and `xwl_present_abort_vblank()`
> will still find it and hence try to access that freed memory...
> 
> Clear `xwl_present_cleanup()` after `DestroyWindow()` so that
> `xwl_present_abort_vblank()` can still access valid memory before it's
> freed.

This last paragraph doesn't seem to match the rest of the patch.


-- 
Earthling Michel Dänzer   |   http://www.amd.com
Libre software enthusiast | Mesa and X developer
___
xorg-devel@lists.x.org: X.Org development
Archives: http://lists.x.org/archives/xorg-devel
Info: https://lists.x.org/mailman/listinfo/xorg-devel

[PATCH xserver v2] xwayland: Remove xwl_present_window from privates on cleanup

[Olivier Fourdan]

Xwayland's `xwl_destroy_window()` invokes `xwl_present_cleanup()`
before the common `DestroyWindow()`.

But then `DestroyWindow()` calls `present_destroy_window()` which will
possibly end up in `xwl_present_abort_vblank()` which will try to access
data that was previously freed by `xwl_present_cleanup()`:

  Invalid read of size 8
 at 0x434184: xwl_present_abort_vblank (xwayland-present.c:378)
 by 0x53785B: present_wnmd_abort_vblank (present_wnmd.c:651)
 by 0x53695A: present_free_window_vblank (present_screen.c:87)
 by 0x53695A: present_destroy_window (present_screen.c:152)
 by 0x42A90D: xwl_destroy_window (xwayland.c:653)
 by 0x584298: compDestroyWindow (compwindow.c:613)
 by 0x53CEE3: damageDestroyWindow (damage.c:1570)
 by 0x4F1BB8: DbeDestroyWindow (dbe.c:1326)
 by 0x46F7F6: FreeWindowResources (window.c:1031)
 by 0x472847: DeleteWindow (window.c:1099)
 by 0x46B54C: doFreeResource (resource.c:880)
 by 0x46C706: FreeClientResources (resource.c:1146)
 by 0x446ADE: CloseDownClient (dispatch.c:3473)
   Address 0x182abde0 is 80 bytes inside a block of size 112 free'd
 at 0x4C2FDAC: free (vg_replace_malloc.c:530)
 by 0x42A937: xwl_destroy_window (xwayland.c:647)
 by 0x584298: compDestroyWindow (compwindow.c:613)
 by 0x53CEE3: damageDestroyWindow (damage.c:1570)
 by 0x4F1BB8: DbeDestroyWindow (dbe.c:1326)
 by 0x46F7F6: FreeWindowResources (window.c:1031)
 by 0x472847: DeleteWindow (window.c:1099)
 by 0x46B54C: doFreeResource (resource.c:880)
 by 0x46C706: FreeClientResources (resource.c:1146)
 by 0x446ADE: CloseDownClient (dispatch.c:3473)
 by 0x446DA5: ProcKillClient (dispatch.c:3279)
 by 0x4476AF: Dispatch (dispatch.c:479)
   Block was alloc'd at
 at 0x4C30B06: calloc (vg_replace_malloc.c:711)
 by 0x433F46: xwl_present_window_get_priv (xwayland-present.c:54)
 by 0x434228: xwl_present_get_crtc (xwayland-present.c:302)
 by 0x539728: proc_present_query_capabilities (present_request.c:227)
 by 0x4476AF: Dispatch (dispatch.c:479)
 by 0x44B5B5: dix_main (main.c:276)
 by 0x75F611A: (below main) (libc-start.c:308)

This is because `xwl_present_cleanup()` frees the memory but does not
remove it from the window's privates, and `xwl_present_abort_vblank()`
will still find it and hence try to access that freed memory...

Clear `xwl_present_cleanup()` after `DestroyWindow()` so that
`xwl_present_abort_vblank()` can still access valid memory before it's
freed.

Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1616269
Signed-off-by: Olivier Fourdan 
---
 v2: Remove leftovers from broken initial patch...

 hw/xwayland/xwayland-present.c | 5 +
 1 file changed, 5 insertions(+)

diff --git a/hw/xwayland/xwayland-present.c b/hw/xwayland/xwayland-present.c
index 81e0eb9ce..316e04443 100644
--- a/hw/xwayland/xwayland-present.c
+++ b/hw/xwayland/xwayland-present.c
@@ -147,6 +147,11 @@ xwl_present_cleanup(WindowPtr window)
 /* Clear timer */
 xwl_present_free_timer(xwl_present_window);
 
+/* Remove from privates so we don't try to access it later */
+dixSetPrivate(>devPrivates,
+  _present_window_private_key,
+  NULL);
+
 free(xwl_present_window);
 }
 
-- 
2.17.1

___
xorg-devel@lists.x.org: X.Org development
Archives: http://lists.x.org/archives/xorg-devel
Info: https://lists.x.org/mailman/listinfo/xorg-devel

[PATCH xserver] xwayland: Remove xwl_present_window from privates on cleanup

[Olivier Fourdan]

Xwayland's `xwl_destroy_window()` invokes `xwl_present_cleanup()`
before the common `DestroyWindow()`.

But then `DestroyWindow()` calls `present_destroy_window()` which will
possibly end up in `xwl_present_abort_vblank()` which will try to access
data that was previously freed by `xwl_present_cleanup()`:

  Invalid read of size 8
 at 0x434184: xwl_present_abort_vblank (xwayland-present.c:378)
 by 0x53785B: present_wnmd_abort_vblank (present_wnmd.c:651)
 by 0x53695A: present_free_window_vblank (present_screen.c:87)
 by 0x53695A: present_destroy_window (present_screen.c:152)
 by 0x42A90D: xwl_destroy_window (xwayland.c:653)
 by 0x584298: compDestroyWindow (compwindow.c:613)
 by 0x53CEE3: damageDestroyWindow (damage.c:1570)
 by 0x4F1BB8: DbeDestroyWindow (dbe.c:1326)
 by 0x46F7F6: FreeWindowResources (window.c:1031)
 by 0x472847: DeleteWindow (window.c:1099)
 by 0x46B54C: doFreeResource (resource.c:880)
 by 0x46C706: FreeClientResources (resource.c:1146)
 by 0x446ADE: CloseDownClient (dispatch.c:3473)
   Address 0x182abde0 is 80 bytes inside a block of size 112 free'd
 at 0x4C2FDAC: free (vg_replace_malloc.c:530)
 by 0x42A937: xwl_destroy_window (xwayland.c:647)
 by 0x584298: compDestroyWindow (compwindow.c:613)
 by 0x53CEE3: damageDestroyWindow (damage.c:1570)
 by 0x4F1BB8: DbeDestroyWindow (dbe.c:1326)
 by 0x46F7F6: FreeWindowResources (window.c:1031)
 by 0x472847: DeleteWindow (window.c:1099)
 by 0x46B54C: doFreeResource (resource.c:880)
 by 0x46C706: FreeClientResources (resource.c:1146)
 by 0x446ADE: CloseDownClient (dispatch.c:3473)
 by 0x446DA5: ProcKillClient (dispatch.c:3279)
 by 0x4476AF: Dispatch (dispatch.c:479)
   Block was alloc'd at
 at 0x4C30B06: calloc (vg_replace_malloc.c:711)
 by 0x433F46: xwl_present_window_get_priv (xwayland-present.c:54)
 by 0x434228: xwl_present_get_crtc (xwayland-present.c:302)
 by 0x539728: proc_present_query_capabilities (present_request.c:227)
 by 0x4476AF: Dispatch (dispatch.c:479)
 by 0x44B5B5: dix_main (main.c:276)
 by 0x75F611A: (below main) (libc-start.c:308)

This is because `xwl_present_cleanup()` frees the memory but does not
remove it from the window's privates, and `xwl_present_abort_vblank()`
will still find it and hence try to access that freed memory...

Clear `xwl_present_cleanup()` after `DestroyWindow()` so that
`xwl_present_abort_vblank()` can still access valid memory before it's
freed.

Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1616269
Signed-off-by: Olivier Fourdan 
---
 hw/xwayland/xwayland-present.c |  5 +
 hw/xwayland/xwayland.c | 10 +-
 2 files changed, 10 insertions(+), 5 deletions(-)

diff --git a/hw/xwayland/xwayland-present.c b/hw/xwayland/xwayland-present.c
index 81e0eb9ce..316e04443 100644
--- a/hw/xwayland/xwayland-present.c
+++ b/hw/xwayland/xwayland-present.c
@@ -147,6 +147,11 @@ xwl_present_cleanup(WindowPtr window)
 /* Clear timer */
 xwl_present_free_timer(xwl_present_window);
 
+/* Remove from privates so we don't try to access it later */
+dixSetPrivate(>devPrivates,
+  _present_window_private_key,
+  NULL);
+
 free(xwl_present_window);
 }
 
diff --git a/hw/xwayland/xwayland.c b/hw/xwayland/xwayland.c
index 96b4db18c..63d69fb3a 100644
--- a/hw/xwayland/xwayland.c
+++ b/hw/xwayland/xwayland.c
@@ -642,11 +642,6 @@ xwl_destroy_window(WindowPtr window)
 struct xwl_screen *xwl_screen = xwl_screen_get(screen);
 Bool ret;
 
-#ifdef GLAMOR_HAS_GBM
-if (xwl_screen->present)
-xwl_present_cleanup(window);
-#endif
-
 screen->DestroyWindow = xwl_screen->DestroyWindow;
 
 if (screen->DestroyWindow)
@@ -657,6 +652,11 @@ xwl_destroy_window(WindowPtr window)
 xwl_screen->DestroyWindow = screen->DestroyWindow;
 screen->DestroyWindow = xwl_destroy_window;
 
+#ifdef GLAMOR_HAS_GBM
+if (xwl_screen->present)
+xwl_present_cleanup(window);
+#endif
+
 return ret;
 }
 
-- 
2.17.1

___
xorg-devel@lists.x.org: X.Org development
Archives: http://lists.x.org/archives/xorg-devel
Info: https://lists.x.org/mailman/listinfo/xorg-devel

Re: [PATCH xserver] xwayland: Clean-up present after destroying common bits

[Olivier Fourdan]

On Wed, Sep 5, 2018 at 9:48 AM Olivier Fourdan  wrote:
>
> Right now, `xwl_destroy_window()` invokes `xwl_present_cleanup()` before
> the common `DestroyWindow()`.
>
> But `DestroyWindow()` calls in `present_destroy_window()` which will
> then end up in `xwl_present_abort_vblank()` which will try to access
> data that was previously freed by `xwl_present_cleanup()`:
>
>   Invalid read of size 8
>  at 0x434184: xwl_present_abort_vblank (xwayland-present.c:378)
>  by 0x53785B: present_wnmd_abort_vblank (present_wnmd.c:651)
>  by 0x53695A: present_free_window_vblank (present_screen.c:87)
>  by 0x53695A: present_destroy_window (present_screen.c:152)
>  by 0x42A90D: xwl_destroy_window (xwayland.c:653)
>  by 0x584298: compDestroyWindow (compwindow.c:613)
>  by 0x53CEE3: damageDestroyWindow (damage.c:1570)
>  by 0x4F1BB8: DbeDestroyWindow (dbe.c:1326)
>  by 0x46F7F6: FreeWindowResources (window.c:1031)
>  by 0x472847: DeleteWindow (window.c:1099)
>  by 0x46B54C: doFreeResource (resource.c:880)
>  by 0x46C706: FreeClientResources (resource.c:1146)
>  by 0x446ADE: CloseDownClient (dispatch.c:3473)
>Address 0x182abde0 is 80 bytes inside a block of size 112 free'd
>  at 0x4C2FDAC: free (vg_replace_malloc.c:530)
>  by 0x42A937: xwl_destroy_window (xwayland.c:647)
>  by 0x584298: compDestroyWindow (compwindow.c:613)
>  by 0x53CEE3: damageDestroyWindow (damage.c:1570)
>  by 0x4F1BB8: DbeDestroyWindow (dbe.c:1326)
>  by 0x46F7F6: FreeWindowResources (window.c:1031)
>  by 0x472847: DeleteWindow (window.c:1099)
>  by 0x46B54C: doFreeResource (resource.c:880)
>  by 0x46C706: FreeClientResources (resource.c:1146)
>  by 0x446ADE: CloseDownClient (dispatch.c:3473)
>  by 0x446DA5: ProcKillClient (dispatch.c:3279)
>  by 0x4476AF: Dispatch (dispatch.c:479)
>Block was alloc'd at
>  at 0x4C30B06: calloc (vg_replace_malloc.c:711)
>  by 0x433F46: xwl_present_window_get_priv (xwayland-present.c:54)
>  by 0x434228: xwl_present_get_crtc (xwayland-present.c:302)
>  by 0x539728: proc_present_query_capabilities (present_request.c:227)
>  by 0x4476AF: Dispatch (dispatch.c:479)
>  by 0x44B5B5: dix_main (main.c:276)
>  by 0x75F611A: (below main) (libc-start.c:308)
>
> Move `xwl_present_cleanup()` after `DestroyWindow()` so that
> `xwl_present_abort_vblank()` can still access valid memory before it's
> freed.
>
> Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1616269
> Signed-off-by: Olivier Fourdan 
> ---
>  hw/xwayland/xwayland.c | 10 +-
>  1 file changed, 5 insertions(+), 5 deletions(-)
>
> diff --git a/hw/xwayland/xwayland.c b/hw/xwayland/xwayland.c
> index 96b4db18c..63d69fb3a 100644
> --- a/hw/xwayland/xwayland.c
> +++ b/hw/xwayland/xwayland.c
> @@ -642,11 +642,6 @@ xwl_destroy_window(WindowPtr window)
>  struct xwl_screen *xwl_screen = xwl_screen_get(screen);
>  Bool ret;
>
> -#ifdef GLAMOR_HAS_GBM
> -if (xwl_screen->present)
> -xwl_present_cleanup(window);
> -#endif
> -
>  screen->DestroyWindow = xwl_screen->DestroyWindow;
>
>  if (screen->DestroyWindow)
> @@ -657,6 +652,11 @@ xwl_destroy_window(WindowPtr window)
>  xwl_screen->DestroyWindow = screen->DestroyWindow;
>  screen->DestroyWindow = xwl_destroy_window;
>
> +#ifdef GLAMOR_HAS_GBM
> +if (xwl_screen->present)
> +xwl_present_cleanup(window);
> +#endif
> +
>  return ret;
>  }
>
> --
> 2.17.1
>

Sorry, not enough coffee, I take that back, obviously the crash won't
occur because `xwl_present_cleanup()` will fail to match the window
once the resources have been freed so we return early in
`xwl_present_cleanup()`...

Will try again.

Cheers,
Olivier
___
xorg-devel@lists.x.org: X.Org development
Archives: http://lists.x.org/archives/xorg-devel
Info: https://lists.x.org/mailman/listinfo/xorg-devel

Re: [PATCH xserver] glamor: Add support for exporting depth 16 pixmaps.

[Michel Dänzer]

On 2018-09-05 6:00 a.m., Eric Anholt wrote:
> With a patch to mesa to expose rgb565 pbuffers even on a server with
> only depth 24 and 32 visuals, fixes
> dEQP-EGL.functional.render.single_context.gles2.rgb565_pbuffer.  Those
> pbuffers (or at least something renderable with 565) are required by
> the current CTS for GLES3, and having the server support DRI3 on those
> pixmaps means that we can avoid having a different path for EGL
> pbuffers compared to pixmaps.
> 
> Signed-off-by: Eric Anholt 
> ---
>  glamor/glamor_egl.c | 22 ++
>  1 file changed, 14 insertions(+), 8 deletions(-)
> 
> diff --git a/glamor/glamor_egl.c b/glamor/glamor_egl.c
> index b33d8ef1598e..df278b1a1a02 100644
> --- a/glamor/glamor_egl.c
> +++ b/glamor/glamor_egl.c
> @@ -280,18 +280,24 @@ glamor_make_pixmap_exportable(PixmapPtr pixmap, Bool 
> modifiers_ok)
>  (modifiers_ok || !pixmap_priv->used_modifiers))
>  return TRUE;
>  
> -if (pixmap->drawable.bitsPerPixel != 32) {
> +switch (pixmap->drawable.depth) {
> +case 30:
> +format = GBM_FORMAT_ARGB2101010;
> +break;
> +case 32:
> +case 24:
> +format = GBM_FORMAT_ARGB;
> +break;
> +case 16:
> +format = GBM_FORMAT_RGB565;
> +break;
> +default:
>  xf86DrvMsg(scrn->scrnIndex, X_ERROR,
> -   "Failed to make %dbpp pixmap exportable\n",
> -   pixmap->drawable.bitsPerPixel);
> +   "Failed to make %d depth, %dbpp pixmap exportable\n",
> +   pixmap->drawable.depth, pixmap->drawable.bitsPerPixel);
>  return FALSE;
>  }
>  
> -if (pixmap->drawable.depth == 30)
> - format = GBM_FORMAT_ARGB2101010;
> -else
> -format = GBM_FORMAT_ARGB;
> -
>  #ifdef GBM_BO_WITH_MODIFIERS
>  if (modifiers_ok && glamor_egl->dmabuf_capable) {
>  uint32_t num_modifiers;
>
Reviewed-by: Michel Dänzer 


-- 
Earthling Michel Dänzer   |   http://www.amd.com
Libre software enthusiast | Mesa and X developer
___
xorg-devel@lists.x.org: X.Org development
Archives: http://lists.x.org/archives/xorg-devel
Info: https://lists.x.org/mailman/listinfo/xorg-devel

[PATCH xserver] xwayland: Clean-up present after destroying common bits

[Olivier Fourdan]

Right now, `xwl_destroy_window()` invokes `xwl_present_cleanup()` before
the common `DestroyWindow()`.

But `DestroyWindow()` calls in `present_destroy_window()` which will
then end up in `xwl_present_abort_vblank()` which will try to access
data that was previously freed by `xwl_present_cleanup()`:

  Invalid read of size 8
 at 0x434184: xwl_present_abort_vblank (xwayland-present.c:378)
 by 0x53785B: present_wnmd_abort_vblank (present_wnmd.c:651)
 by 0x53695A: present_free_window_vblank (present_screen.c:87)
 by 0x53695A: present_destroy_window (present_screen.c:152)
 by 0x42A90D: xwl_destroy_window (xwayland.c:653)
 by 0x584298: compDestroyWindow (compwindow.c:613)
 by 0x53CEE3: damageDestroyWindow (damage.c:1570)
 by 0x4F1BB8: DbeDestroyWindow (dbe.c:1326)
 by 0x46F7F6: FreeWindowResources (window.c:1031)
 by 0x472847: DeleteWindow (window.c:1099)
 by 0x46B54C: doFreeResource (resource.c:880)
 by 0x46C706: FreeClientResources (resource.c:1146)
 by 0x446ADE: CloseDownClient (dispatch.c:3473)
   Address 0x182abde0 is 80 bytes inside a block of size 112 free'd
 at 0x4C2FDAC: free (vg_replace_malloc.c:530)
 by 0x42A937: xwl_destroy_window (xwayland.c:647)
 by 0x584298: compDestroyWindow (compwindow.c:613)
 by 0x53CEE3: damageDestroyWindow (damage.c:1570)
 by 0x4F1BB8: DbeDestroyWindow (dbe.c:1326)
 by 0x46F7F6: FreeWindowResources (window.c:1031)
 by 0x472847: DeleteWindow (window.c:1099)
 by 0x46B54C: doFreeResource (resource.c:880)
 by 0x46C706: FreeClientResources (resource.c:1146)
 by 0x446ADE: CloseDownClient (dispatch.c:3473)
 by 0x446DA5: ProcKillClient (dispatch.c:3279)
 by 0x4476AF: Dispatch (dispatch.c:479)
   Block was alloc'd at
 at 0x4C30B06: calloc (vg_replace_malloc.c:711)
 by 0x433F46: xwl_present_window_get_priv (xwayland-present.c:54)
 by 0x434228: xwl_present_get_crtc (xwayland-present.c:302)
 by 0x539728: proc_present_query_capabilities (present_request.c:227)
 by 0x4476AF: Dispatch (dispatch.c:479)
 by 0x44B5B5: dix_main (main.c:276)
 by 0x75F611A: (below main) (libc-start.c:308)

Move `xwl_present_cleanup()` after `DestroyWindow()` so that
`xwl_present_abort_vblank()` can still access valid memory before it's
freed.

Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1616269
Signed-off-by: Olivier Fourdan 
---
 hw/xwayland/xwayland.c | 10 +-
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/hw/xwayland/xwayland.c b/hw/xwayland/xwayland.c
index 96b4db18c..63d69fb3a 100644
--- a/hw/xwayland/xwayland.c
+++ b/hw/xwayland/xwayland.c
@@ -642,11 +642,6 @@ xwl_destroy_window(WindowPtr window)
 struct xwl_screen *xwl_screen = xwl_screen_get(screen);
 Bool ret;
 
-#ifdef GLAMOR_HAS_GBM
-if (xwl_screen->present)
-xwl_present_cleanup(window);
-#endif
-
 screen->DestroyWindow = xwl_screen->DestroyWindow;
 
 if (screen->DestroyWindow)
@@ -657,6 +652,11 @@ xwl_destroy_window(WindowPtr window)
 xwl_screen->DestroyWindow = screen->DestroyWindow;
 screen->DestroyWindow = xwl_destroy_window;
 
+#ifdef GLAMOR_HAS_GBM
+if (xwl_screen->present)
+xwl_present_cleanup(window);
+#endif
+
 return ret;
 }
 
-- 
2.17.1

___
xorg-devel@lists.x.org: X.Org development
Archives: http://lists.x.org/archives/xorg-devel
Info: https://lists.x.org/mailman/listinfo/xorg-devel