gnome-shell/mutter crash with Xwayland keyboard grabs on O-R windows (e.g. X11 gtk menus)
If Xwayland grabs are enabled, a grab on an override-redirect (O-R) window can cause mutter/gnome-shell to crash.
Steps to reproduce:

- Enable Xwayland active grabs in mutter (disabled by default):
  Set /org/gnome/mutter/wayland/xwayland-allow-grabs to True
  Set /org/gnome/mutter/wayland/xwayland-grab-access-rules to ['*']
- Compile the attached program xwayland-grab-issue.c and run it with the X11 backend:
  $ gcc xwayland-grab-issue.c -o xwayland-grab-issue -Wall $(pkg-config gtk+-3.0 --cflags --libs)
  $ GDK_BACKEND=x11 ./xwayland-grab-issue
- Click in the window to open the menu, click again outside the menu to dismiss it, then press a key: gnome-shell/mutter will crash.
Core was generated by `/usr/bin/gnome-shell'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0 0x00007fece8b8b74c in notify_modifiers (keyboard=0x7fecbc00e950) at wayland/meta-wayland-keyboard.c:400
400 keyboard->grab->interface->modifiers (keyboard->grab,
(gdb) bt
#0 0x00007fece8b8b74c in notify_modifiers (keyboard=0x7fecbc00e950) at wayland/meta-wayland-keyboard.c:400
#1 0x00007fece8b8c745 in meta_wayland_keyboard_update (keyboard=0x7fecbc00e950, event=0x564bbb7f3ad0) at wayland/meta-wayland-keyboard.c:783
#2 0x00007fece8b41a4b in meta_display_handle_event (event=0x564bbb7f3ad0, display=0x564bb8c66660) at core/events.c:210
#3 0x00007fece8b41a4b in event_callback (event=0x564bbb7f3ad0, data=0x564bb8c66660) at core/events.c:423
#4 0x00007fece9305bd5 in _clutter_event_process_filters (event=event@entry=0x564bbb7f3ad0) at clutter-event.c:1913
#5 0x00007fece9319f9e in emit_keyboard_event (event=0x564bbb7f3ad0, device=0x564bb88141f0) at clutter-main.c:2068
#6 0x00007fece92c94b9 in clutter_input_device_evdev_process_kbd_a11y_event (event=0x564bbb7f3ad0, device=0x564bb88141f0, emit_event_func=0x7fece9319f80 <emit_keyboard_event>) at evdev/clutter-input-device-evdev.c:1191
#7 0x00007fece931a7ce in process_key_event (device=0x564bb88141f0, event=0x564bbb7f3ad0) at clutter-main.c:2100
#8 0x00007fece931a7ce in _clutter_process_event_details (context=0x564bb8966ee0, event=0x564bbb7f3ad0, stage=0x564bb8a98d00)
at clutter-main.c:2194
#9 0x00007fece931a7ce in _clutter_process_event (event=event@entry=0x564bbb7f3ad0) at clutter-main.c:2563
#10 0x00007fece9331448 in _clutter_stage_process_queued_events (stage=0x564bb8a98d00) at clutter-stage.c:1026
#11 0x00007fece931c8d9 in master_clock_process_events (master_clock=0x7fecbc008040, stages=0x564bc24a7940 = {...})
at clutter-master-clock-default.c:364
#12 0x00007fece931c8d9 in clutter_clock_dispatch (source=<optimized out>, callback=<optimized out>, user_data=<optimized out>)
at clutter-master-clock-default.c:561
#13 0x00007fecea6638ad in g_main_context_dispatch () at /lib64/libglib-2.0.so.0
#14 0x00007fecea663c78 in g_main_context_iterate.isra () at /lib64/libglib-2.0.so.0
#15 0x00007fecea663fa2 in g_main_loop_run () at /lib64/libglib-2.0.so.0
#16 0x00007fece8b48fc0 in meta_run () at core/main.c:664
#17 0x0000564bb73634d8 in main (argc=<optimized out>, argv=<optimized out>) at ../src/main.c:525
(gdb) p *keyboard->grab
$1 = {interface = 0x0, keyboard = 0x0}
The reason is that the Xwayland grab wasn't cleaned up in meta_xwayland_keyboard_grab_end(), as the function bails out early because active_grab->surface is NULL.
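As an added illustration of the failure mode above (this is not mutter's code and not the attached reproducer, but a simplified, hypothetical C model that mirrors the names in the backtrace), the following program plays through the sequence: an Xwayland grab is started on the O-R menu window, the window goes away so the grab's surface becomes NULL, the grab-end function bails out early without restoring the keyboard's default grab, the grab object is cleared (the {interface = 0x0, keyboard = 0x0} gdb showed), and then a key event reaches notify_modifiers. The "fixed" variant releases the keyboard grab before the early return. Struct layouts, the default-grab fallback and who clears the grab object are assumptions of the model, not facts from this report.

```c
/* Added example: minimal model of the keyboard-grab lifecycle behind this
 * crash. Names follow the backtrace, but the structs and the default-grab
 * fallback are assumptions, not mutter's real code. */
#include <stddef.h>
#include <string.h>

struct wl_keyboard;
struct keyboard_grab;

struct keyboard_grab_interface {
  void (*key)(struct keyboard_grab *grab, int keycode);
  void (*modifiers)(struct keyboard_grab *grab, unsigned mods);
};

struct keyboard_grab {
  const struct keyboard_grab_interface *interface;
  struct wl_keyboard *keyboard;
};

struct wl_keyboard {
  struct keyboard_grab default_grab;  /* assumed: fallback grab that is always valid */
  struct keyboard_grab *grab;         /* currently active grab */
  unsigned last_mods;                 /* what the last modifiers notification carried */
};

/* Assumed layout of the Xwayland-side grab: the generic grab plus the X11
 * surface it was started for; surface becomes NULL once the O-R window is gone. */
struct xwayland_keyboard_grab {
  struct keyboard_grab grab;
  void *surface;
};

static void noop_key(struct keyboard_grab *grab, int keycode) { (void)grab; (void)keycode; }
static void default_modifiers(struct keyboard_grab *grab, unsigned mods)
{ grab->keyboard->last_mods = mods; }
static void xwl_modifiers(struct keyboard_grab *grab, unsigned mods)
{ grab->keyboard->last_mods = mods | 0x1000; }   /* marker: "forwarded to the X client" */

static const struct keyboard_grab_interface default_interface = { noop_key, default_modifiers };
static const struct keyboard_grab_interface xwl_interface = { noop_key, xwl_modifiers };

void keyboard_init(struct wl_keyboard *kb)
{
  memset(kb, 0, sizeof *kb);
  kb->default_grab.interface = &default_interface;
  kb->default_grab.keyboard = kb;
  kb->grab = &kb->default_grab;
}

void keyboard_start_grab(struct wl_keyboard *kb, struct keyboard_grab *grab)
{ grab->keyboard = kb; kb->grab = grab; }

void keyboard_end_grab(struct wl_keyboard *kb)
{ kb->grab = &kb->default_grab; }

/* Frame #0 of the backtrace, modelled: it trusts keyboard->grab to point at a
 * live grab with a non-NULL interface. Returns -1 where mutter would SIGSEGV. */
int notify_modifiers(struct wl_keyboard *kb, unsigned mods)
{
  if (kb->grab == NULL || kb->grab->interface == NULL)
    return -1;
  kb->grab->interface->modifiers(kb->grab, mods);
  return 0;
}

/* Buggy grab end: the early bail on a NULL surface skips the keyboard grab
 * release, so keyboard->grab keeps pointing at the Xwayland grab object. */
void xwl_grab_end_buggy(struct wl_keyboard *kb, struct xwayland_keyboard_grab *xg)
{
  if (xg->surface == NULL)
    return;
  keyboard_end_grab(kb);
}

/* Fixed grab end: always release the keyboard grab first; only the
 * surface-specific cleanup depends on the surface still existing. */
void xwl_grab_end_fixed(struct wl_keyboard *kb, struct xwayland_keyboard_grab *xg)
{
  if (kb->grab == &xg->grab)
    keyboard_end_grab(kb);
  if (xg->surface == NULL)
    return;
  /* surface-specific cleanup would follow here */
}

/* Replay the reported sequence. Returns 0 if the key event is delivered to a
 * valid grab, -1 for the dangling-grab dereference (the crash). */
int run_scenario(int use_fix)
{
  struct wl_keyboard kb;
  struct xwayland_keyboard_grab xg;
  keyboard_init(&kb);
  xg.grab.interface = &xwl_interface;
  xg.surface = &xg;                        /* any non-NULL value: menu window alive */
  keyboard_start_grab(&kb, &xg.grab);      /* X11 menu grabs the keyboard */
  xg.surface = NULL;                       /* menu dismissed: O-R window destroyed */
  if (use_fix) xwl_grab_end_fixed(&kb, &xg); else xwl_grab_end_buggy(&kb, &xg);
  memset(&xg.grab, 0, sizeof xg.grab);     /* assumed: grab object cleared, as gdb showed */
  return notify_modifiers(&kb, 0x4);       /* the key press after dismissing the menu */
}
```

With the buggy end, keyboard->grab still points at the zeroed Xwayland grab when the key press arrives, which is exactly the `interface = 0x0` dereference in frame #0; the fixed end restores the default grab regardless of whether the surface survived, so the early return only skips surface cleanup.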