| Summary: | weston_release_seat() does not release correctly the seat | ||
|---|---|---|---|
| Product: | Wayland | Reporter: | Hardening <rdp.effort> |
| Component: | weston | Assignee: | Wayland bug list <wayland-bugs> |
| Status: | VERIFIED FIXED | QA Contact: | |
| Severity: | major | ||
| Priority: | medium | ||
| Version: | unspecified | ||
| Hardware: | All | ||
| OS: | Linux (All) | ||
| Attachments: | valgrind backtrace during the second connexion; This backtrace also occurs sometime. | | |
Created attachment 81167 [details]
This backtrace also occurs sometime.
So the problem is that we've not told the client that that seat is no longer available as a global - and then it tries to use it but the compositor crashes in bind_seat because the memory has been freed.

Rob, that's exactly what it is. I even came across this old comment when I did the input refactoring:
/* The global object is destroyed at wl_display_destroy() time. */
which obviously doesn't work and almost fixed it back then. Oh well, thanks for tracking it down. I've committed the following - give it a try and see if it works. Closing this bug for now, but please re-open if it's still broken.
commit aaadc774a7a0cdb4b377d37608e554f470c67d57
Author: Kristian Høgsberg <krh@bitplanet.net>
Date: Mon Jul 8 16:20:31 2013 -0400
input: Remove wl_seat global when a seat is destroyed
The input code was relying on compositor destruction to clean up the
global, but that doesn't work when the global comes and goes dynamically.
https://bugs.freedesktop.org/show_bug.cgi?id=65913
Acked, the patch resolves my case. Thanks, marking this VERIFIED.
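The lifetime problem discussed in this thread, as an added example that is not part of the bug report or of weston's code: a constructed model in which freeing a seat without withdrawing its advertised global leaves an entry a client can still bind, next to the corrected release order. The `registry`, `global_create`, `global_is_bindable` and `seat_release_*` names are hypothetical and are not the libwayland API.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_GLOBALS 8
/* Constructed model, not libwayland: the globals advertised to clients. */
struct global { int in_use; void *data; };
struct registry { struct global slots[MAX_GLOBALS]; };
struct seat { struct registry *reg; int global_name; };

/* Advertise an object; returns its numeric name, or -1 if the table is full. */
static int global_create(struct registry *r, void *data) {
    for (int i = 0; i < MAX_GLOBALS; i++)
        if (!r->slots[i].in_use) {
            r->slots[i].in_use = 1;
            r->slots[i].data = data;
            return i;
        }
    return -1;
}

/* Non-zero: a client bind on this name would run the handler on slot data. */
static int global_is_bindable(const struct registry *r, int name) {
    return name >= 0 && name < MAX_GLOBALS && r->slots[name].in_use;
}

/* Before the fix: the seat is freed but its global stays advertised. */
static void seat_release_stale(struct seat *s) { free(s); }

/* After the fix: withdraw the global, then free the memory it pointed to. */
static void seat_release_fixed(struct seat *s) {
    memset(&s->reg->slots[s->global_name], 0, sizeof(struct global));
    free(s);
}

/* Connect then disconnect; 1 means a dangling global is still bindable. */
static int stale_global_after(void (*release)(struct seat *)) {
    struct registry reg;
    struct seat *s = malloc(sizeof *s);
    if (!s) return -1;
    memset(&reg, 0, sizeof reg);
    s->reg = &reg;
    int name = s->global_name = global_create(&reg, s);
    release(s);
    return global_is_bindable(&reg, name); /* reads the flag only, never data */
}

int main(void) {
    printf("stale release: %d, fixed release: %d\n",
           stale_global_after(seat_release_stale),
           stale_global_after(seat_release_fixed));
    return 0;
}
```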
Created attachment 81041 [details]
valgrind backtrace during the second connexion

The test case is the following: use the RDP compositor. Connect, that creates a seat. Close the RDP window (weston_release_seat() is called during peer finalization). Reconnect and you have the attached backtrace, it looks like the seat has not been released correctly.