Skip to content

Fix a couple of startup notification / xdg_activation crashes

Jonas Ådahl requested to merge jadahl/mutter:wip/startup-notification-fixes into main

Quoting the two commits fixing the crashes:

wayland/activation: Remove token from hash table on timeout

When an activation times out, we'll be signalled two signals on the
startup sequence object: "timeout", and "complete".

Normally, the "complete" signal is emitted when a startup sequence is
completed succesfully by it being used for activation, and in this case,
the xdg_activation implementation should remove the sequence from the
startup notification machinery.

However, in the timeout case, we should not remove it, as the startup
notification machinery itself will deal with this. If we would, we'd end
up with use-after-free issues, as the sequence would be finalized when
removed the first time.

To avoid this, just clean up the Wayland side in the "timeout" signal
handler, leaving the "complete" signal handler early out if it was
already handled by it.

This avoids crashes like:

  0) g_type_check_instance (type_instance=type_instance@entry=0xdd6740)
  1) g_signal_handlers_disconnect_matched (instance=0xdd6740, ...)
  2) meta_startup_notification_remove_sequence (sn=0x4cc890,
                                                seq=0xdd6740) at
       ../src/core/startup-notification.c:544
  3) startup_sequence_timeout (data=0x4cc890, ...) at
       ../src/core/startup-notification.c:504
  4) g_timeout_dispatch (...) at ../glib/gmain.c:4933

and

wayland/activation: Don't grab if no serial or surface was provided

A client can create a token without any seat, serial, or surface. In
this case, we'd still try to grab, which would run into some unforseen
code paths, potentially resulting in the following crash:

  0) meta_wayland_tablet_seat_device_added (tablet_seat=0x55dff4271c90,
                                            device=0x7f87b80655b0) at
       ../src/wayland/meta-wayland-tablet-seat.c:200
  1) meta_wayland_tablet_seat_new (seat=0x0, manager=0x55dff3ec7b40) at
       ../src/wayland/meta-wayland-tablet-seat.c:283
  2) meta_wayland_tablet_manager_ensure_seat (manager=manager@entry=0x55dff3ec7b40,
                                              seat=seat@entry=0x0) at
       ../src/wayland/meta-wayland-tablet-manager.c:239
  3) meta_wayland_tablet_manager_ensure_seat (seat=0x0, manager=0x55dff3ec7b40) at
       ../src/wayland/meta-wayland-touch.c:595
  4) meta_wayland_seat_get_grab_info (seat=0x0, surface=0x55dff43ff5b0,
                                      serial=0, require_pressed=0, x=0x0, y=0x0) at
       ../src/wayland/meta-wayland-seat.c:479
  5) activation_activate (...) at
       ../src/wayland/meta-wayland-activation.c:261

Fix this by not trying to grab if not enough parameters was passed when
creating the token. Also add a test case that reproduces the above
crash.

Reported at https://bugzilla.redhat.com/show_bug.cgi?id=2020933

Merge request reports