| Summary: | weston/wayland: Invalid read/write with rdp-backend.so | ||
|---|---|---|---|
| Product: | Wayland | Reporter: | Mariusz Ceier <mceier+freedesktop> |
| Component: | weston | Assignee: | Wayland bug list <wayland-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | |
| Severity: | normal | ||
| Priority: | medium | CC: | rdp.effort |
| Version: | unspecified | ||
| Hardware: | x86-64 (AMD64) | ||
| OS: | All | ||
| Whiteboard: | |||
| i915 platform: | i915 features: | ||
| Attachments: |
valgrind log after connecting 6 rdesktop clients to weston
Easy to reproduce with 2 consecutive rdesktops |
||
Does the tree you're testing with contain the following fix: commit aaadc774a7a0cdb4b377d37608e554f470c67d57 Author: Kristian Høgsberg <krh@bitplanet.net> Date: Mon Jul 8 16:20:31 2013 -0400 input: Remove wl_seat global when a seat is destroyed The input code was relying on compositor destruction to clean up the global, but that doesn't work when the global comes and goes dynamically. https://bugs.freedesktop.org/show_bug.cgi?id=65913 ? nope, it doesn't. I use git master and 'git show aadc774a7a0cdb4b377d37608e554f470c67d57 -- ' returns: fatal: bad revision 'aadc774a7a0cdb4b377d37608e554f470c67d57' in both wayland and weston. Sorry, my mistake - I didn't copy whole commit id. Yes I have this commit in weston. rdp_client_activity function in weston/src/compositor-rdp.c frees rdp peer context and rdp peer, which in turn release weston structures e.g. wl_seat
the problem is these structures can still be in use e.g. in registry_bind in wayland-server.c which calls bind_seat with zeroed or often garbage wl_seat.
it's easily reproduceable (at least for me, running under X) with rdesktop :
./weston -Brdp-backend.so
for x in `seq 0 100`; do rdesktop -b -4 127.0.0.1 & done ; killall rdesktop
below is example of contents of wl_seat structure passed to bind_seat:
{base_resource_list = {prev = 0x0, next = 0x0}, global = 0x0, pointer = 0x0, keyboard = 0x0, touch = 0x0, output = 0x0,
destroy_signal = {listener_list = {prev = 0x0, next = 0x0}}, compositor = 0x0, link = {prev = 0x31, next = 0x74ef80},
modifier_state = (unknown: 8153568), saved_kbd_focus = 0x75ef7f, saved_kbd_focus_listener = {link = {prev = 0x74ef80, next = 0x0},
notify = 0x6a1}, drag_resource_list = {prev = 0x0, next = 0x6599d0}, selection_serial = 0, selection_data_source = 0x0,
selection_data_source_listener = {link = {prev = 0x0, next = 0x0}, notify = 0x0}, selection_signal = {listener_list = {prev = 0x0,
next = 0x0}}, num_tp = 0, led_update = 0x0, xkb_info = {keymap = 0x0, keymap_fd = 0, keymap_size = 0, keymap_area = 0x0,
shift_mod = 0, caps_mod = 0, ctrl_mod = 0, alt_mod = 0, mod2_mod = 0, mod3_mod = 0, super_mod = 6658800, mod5_mod = 0,
num_led = 0, caps_led = 0, scroll_led = 0}, xkb_state = {state = 0x0, leds = (unknown: 0)}, input_method = 0x0,
seat_name = 0x65b4a0 "\220>i"}
base_resource_list has NULL in prev and next, which should never happen, unless we're just after calloc/memset or when we removed head of the list (wl_list_remove(&seat->base_resource_list) somewhere).
Hardening, do you have any thoughts on this issue? I think it is a duplicate of #81041, the backtrace is almost the same. I didn't manage to reproduce it here but i've found other bugs when trying. With KRH we had marked it resolved/confirmed as i couldn't reproduce it, we probably should be reopen it. (In reply to comment #6) > I think it is a duplicate of #81041, the backtrace is almost the same. I Sorry it is bug #65913 > didn't manage to reproduce it here but i've found other bugs when trying. > > With KRH we had marked it resolved/confirmed as i couldn't reproduce it, we > probably should be reopen it. Looking carefully at this backtrace, at line 727 (first harmfull notice) my impression is that a client (most probably weston-keyboard) tries to bind a seat that has been released on the server side. Created attachment 83337 [details]
Easy to reproduce with 2 consecutive rdesktops
The backtrace "Easy to reproduce with 2 consecutive rdesktops" is really easy to trigger. * in weston.ini disable modules, give a bad path for weston-keyboard * Connect / disconnect a first rdesktop * Connect / disconnect again rdesktop and you got it I've just sent a patch to the ML to release the keyboard and the pointer before releasing the seat. Assuming this was fixed by the patch. |
Use of freedesktop.org services, including Bugzilla, is subject to our Code of Conduct. How we collect and use information is described in our Privacy Policy.
Created attachment 82342 [details] valgrind log after connecting 6 rdesktop clients to weston When using weston with rdp-backend, clients other than xfreerdp cause crash. To reproduce this bug: 0. compile weston with rdp-backend (--enable-rdp-compositor) 1. run ./weston -Brdp-backend.so 2. try connecting to weston with rdesktop few times (about 6 or 7) or with Vista RDP client 2 times. I have attached valgrind log, which shows that wayland does some invalid reads and writes in some functions.