From 5e8b9a3a563047e3998d45e761f7a50e4b0f6cb3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Michel=20D=C3=A4nzer?=
Date: Wed, 24 Oct 2018 11:23:05 +0200
Subject: [PATCH] xwayland: Use xwl_present_reset_timer in xwl_present_timer_callback

Apart from simplifying the code, this should also prevent a condition (which might only be possible with the following fix) reported in https://gitlab.freedesktop.org/wayland/weston/issues/115#note_52467:

1. xwl_present_timer_callback indirectly calls xwl_present_reset_timer -> xwl_present_free_timer
2. xwl_present_timer_callback then returns a non-0 value, so DoTimer calls TimerSet with the old xwl_present_window->frame_timer pointer which was freed in step 1
=> use after free

Calling xwl_present_reset_timer explicitly passes NULL to TimerSet if step 1 freed xwl_present_window->frame_timer, and it will allocate a new one.
---
 hw/xwayland/xwayland-present.c | 13 ++-----------
 1 file changed, 2 insertions(+), 11 deletions(-)

diff --git a/hw/xwayland/xwayland-present.c b/hw/xwayland/xwayland-present.c
index a1470751a..7c626d742 100644
--- a/hw/xwayland/xwayland-present.c
+++ b/hw/xwayland/xwayland-present.c
@@ -216,24 +216,15 @@ xwl_present_timer_callback(OsTimerPtr timer,
                            void *arg)
 {
     struct xwl_present_window *xwl_present_window = arg;
-    WindowPtr present_window = xwl_present_window->window;
-    struct xwl_window *xwl_window = xwl_window_from_window(present_window);
 
     xwl_present_window->frame_timer_firing = TRUE;
     xwl_present_window->msc++;
     xwl_present_window->ust = GetTimeInMicros();
 
     xwl_present_events_notify(xwl_present_window);
+    xwl_present_reset_timer(xwl_present_window);
 
-    if (xwl_present_has_events(xwl_present_window)) {
-        /* Still events, restart timer */
-        return xwl_present_is_flipping(present_window, xwl_window) ? TIMER_LEN_FLIP :
-                                                                     TIMER_LEN_COPY;
-    } else {
-        /* No more events, do not restart timer and delete it instead */
-        xwl_present_free_timer(xwl_present_window);
-        return 0;
-    }
+    return 0;
 }
 
 static void
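Review bot: The unconditional `return 0;` now added at the end of xwl_present_timer_callback carries no comment, yet it is the load-bearing half of the use-after-free fix described in the commit message: a non-zero return would make DoTimer call TimerSet on `xwl_present_window->frame_timer`, which xwl_present_reset_timer may have freed and reallocated one line earlier. A reader who later "restores" the interval return would silently reintroduce the bug, so I would document the invariant right there, e.g. `/* xwl_present_reset_timer re-armed or freed the timer; return 0 so DoTimer does not TimerSet a stale frame_timer pointer. */`. The same applies to the `frame_timer_firing = TRUE` flag, which is presumably consulted by xwl_present_reset_timer but cleared somewhere outside this hunk — worth a one-line comment naming where, if that is the case. The function's signature starts before the hunk.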