SceneNodeData: fix fromSurface() use after free

We must clean up the user data of the wlr_surface for layer surfaces and
lock surfaces as fromSurface() may be called (e.g. by the idle inhibit
implementation) after the scene node has been destroyed but before the
wlr_surface is destroyed.
Isaac Freund 2024-06-13 12:36:00 +02:00
parent e2f3cd8252
commit 28a14c6794
No known key found for this signature in database
GPG Key ID: 86DED400DDFD7A11
2 changed files with 6 additions and 1 deletions


@ -55,7 +55,6 @@ pub fn create(wlr_layer_surface: *wlr.LayerSurfaceV1) error{OutOfMemory}!void {
.scene_layer_surface = try layer_tree.createSceneLayerSurfaceV1(wlr_layer_surface), .scene_layer_surface = try layer_tree.createSceneLayerSurfaceV1(wlr_layer_surface),
.popup_tree = try output.layers.popups.createSceneTree(), .popup_tree = try output.layers.popups.createSceneTree(),
}; };
wlr_layer_surface.data = @intFromPtr(layer_surface);
try SceneNodeData.attach(&layer_surface.scene_layer_surface.tree.node, .{ .layer_surface = layer_surface }); try SceneNodeData.attach(&layer_surface.scene_layer_surface.tree.node, .{ .layer_surface = layer_surface });
try SceneNodeData.attach(&layer_surface.popup_tree.node, .{ .layer_surface = layer_surface }); try SceneNodeData.attach(&layer_surface.popup_tree.node, .{ .layer_surface = layer_surface });
@ -93,6 +92,9 @@ fn handleDestroy(listener: *wl.Listener(*wlr.LayerSurfaceV1), _: *wlr.LayerSurfa
layer_surface.popup_tree.node.destroy(); layer_surface.popup_tree.node.destroy();
// The wlr_surface may outlive the wlr_layer_surface so we must clean up the user data.
layer_surface.wlr_layer_surface.surface.data = 0;
util.gpa.destroy(layer_surface); util.gpa.destroy(layer_surface);
} }
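Review bot: In handleDestroy the added `layer_surface.wlr_layer_surface.surface.data = 0;` runs after `layer_surface.popup_tree.node.destroy();`, so the wlr_surface keeps its old user data while the scene nodes are torn down. If any listener fired during node destruction can reach SceneNodeData.fromSurface() (not visible here), it would still read the stale value; resetting the field before the destroy calls would close that window. The body of handleDestroy starts outside the hunk, so the earlier teardown order needs the same check. The LockSurface destroy() hunk has the same shape. Assuming fromSurface() treats 0 as "no node", the comment could state that invariant, e.g. `// Reset before freeing: fromSurface() must see 0, never a pointer to a destroyed node.`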


@ -85,6 +85,9 @@ pub fn destroy(lock_surface: *LockSurface) void {
lock_surface.map.link.remove(); lock_surface.map.link.remove();
lock_surface.surface_destroy.link.remove(); lock_surface.surface_destroy.link.remove();
// The wlr_surface may outlive the wlr_lock_surface so we must clean up the user data.
lock_surface.wlr_lock_surface.surface.data = 0;
util.gpa.destroy(lock_surface); util.gpa.destroy(lock_surface);
} }