From 5ad870f505f8592b26c14a28aa2987cbe0552cd8 Mon Sep 17 00:00:00 2001
From: Michael Olbrich
Date: Wed, 15 Feb 2023 16:28:11 +0100
Subject: [PATCH] libweston: clear parent_view when the parent view is destroyed

When a view is destroyed then the views of subsurfaces remain until the view
list is rebuilt for the next repaint. During that time view->parent_view
contains an invalid pointer and weston will crash when it tries to access the
view.

This happens for a surface with subsurfaces with views on two different
outputs with the ivi-shell: When the surface is destroyed then the destroy
handler of the ivi-shell (shell_handle_surface_destroy()) may be called
first. It will (indirectly) destroy the view of the main surface with
weston_view_destroy(). Next the surface destroy handler of the subsurfaces
(subsurface_handle_parent_destroy()) is called. It will unmap the first view
of the subsurface. Here weston_surface_assign_output() is called which tries
to find the output of the second view and accesses the now invalid
view->parent_view in the process.

There are probably other ways to trigger similar crashes.

To avoid this, clear view->parent_view when the parent view is destroyed.

Fixes 0669d4de4f22 ("libweston: Skip views without a layer assignment in output_mask calculations")

Signed-off-by: Michael Olbrich
(cherry picked from commit 39796f88e6ed4a33a42c74b743e999294b3e4651)
---
 libweston/compositor.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/libweston/compositor.c b/libweston/compositor.c
index 6cfcba25..428e4b5e 100644
--- a/libweston/compositor.c
+++ b/libweston/compositor.c
@@ -1827,6 +1827,7 @@ transform_parent_handle_parent_destroy(struct wl_listener *listener,
 			     geometry.parent_destroy_listener);
 
 	weston_view_set_transform_parent(view, NULL);
+	view->parent_view = NULL;
 }
 
 WL_EXPORT void
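Review bot: the added line clears view->parent_view from a listener that fires for a different relationship, and the hunk does not show that the two always coincide. transform_parent_handle_parent_destroy runs when the view's transform parent is destroyed (it is reached through geometry.parent_destroy_listener and its existing body only calls weston_view_set_transform_parent(view, NULL)), while parent_view is a separate field; a view whose parent_view is set but whose transform parent is another view, or none, keeps the dangling pointer after this change. Either add a comment next to the new line stating that parent_view and the transform parent are the same view for every caller that sets parent_view, so the assumption is visible to the next reader of a function whose name says nothing about parent_view, or clear parent_view from the parent view's own teardown (weston_view_destroy, named in the commit message, walking the views that point at it) so the invalidation does not depend on the transform-parent link being present.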
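The crash path the commit message describes, a child view holding a raw back-pointer to a parent view that is destroyed first, as an added stand-alone C model. This is not libweston code: the struct view, the listener/signal pair, container_of, view_set_parent, view_destroy, view_effective_output and the -2 sentinel are all invented here to mirror the pattern, with a destroyed flag standing in for freed memory so the "before" case is observable without real undefined behaviour. parent_destroy_unfixed plays the role of the listener before the patch (only the transform link is dropped) and parent_destroy_fixed adds the one line the patch adds.

```c
/*
 * Added example, not libweston code: a minimal model of a destroy-signal
 * listener that does or does not clear a raw back-pointer. All names are
 * invented for this illustration; "destroyed" models freed memory.
 */
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Same idiom as wl_container_of: recover the struct from an embedded member. */
#define container_of(ptr, type, member) \
	((type *)((char *)(ptr) - offsetof(type, member)))

struct listener;
typedef void (*notify_func_t)(struct listener *l, void *data);

struct listener {
	notify_func_t notify;
	struct listener *next;
};

struct signal {
	struct listener *head;
};

static void signal_add(struct signal *s, struct listener *l)
{
	l->next = s->head;
	s->head = l;
}

static void signal_emit(struct signal *s, void *data)
{
	struct listener *l = s->head;
	while (l) {
		struct listener *next = l->next; /* a listener may unlink itself */
		l->notify(l, data);
		l = next;
	}
}

struct view {
	struct view *parent_view;      /* raw back-pointer, like view->parent_view */
	struct view *transform_parent; /* stand-in for the geometry parent link */
	struct listener parent_destroy_listener;
	struct signal destroy_signal;
	int output;                    /* stand-in for an output id */
	bool destroyed;                /* set by view_destroy instead of freeing */
};

/* Pre-patch behaviour: drop the transform link only; parent_view now dangles. */
static void parent_destroy_unfixed(struct listener *l, void *data)
{
	struct view *view = container_of(l, struct view, parent_destroy_listener);
	(void)data;
	view->transform_parent = NULL;
}

/* Pre-patch behaviour plus the one line the patch adds. */
static void parent_destroy_fixed(struct listener *l, void *data)
{
	struct view *view = container_of(l, struct view, parent_destroy_listener);
	(void)data;
	view->transform_parent = NULL;
	view->parent_view = NULL;
}

static void view_init(struct view *v, int output)
{
	memset(v, 0, sizeof(*v));
	v->output = output;
}

/* Link child to parent and subscribe to the parent's destroy signal. */
static void view_set_parent(struct view *child, struct view *parent,
			    notify_func_t on_parent_destroy)
{
	child->parent_view = parent;
	child->transform_parent = parent;
	child->parent_destroy_listener.notify = on_parent_destroy;
	signal_add(&parent->destroy_signal, &child->parent_destroy_listener);
}

/* Models the destroy: notify listeners, then the memory is gone. */
static void view_destroy(struct view *v)
{
	signal_emit(&v->destroy_signal, v);
	v->destroyed = true;
	v->output = -1;
}

/*
 * Models the lookup on the crash path: a child view follows parent_view to
 * find an output. Returns -2 when it is about to read destroyed memory,
 * which is the use-after-free in the real compositor.
 */
static int view_effective_output(const struct view *v)
{
	if (v->parent_view == NULL)
		return v->output;
	if (v->parent_view->destroyed)
		return -2;
	return v->parent_view->output;
}

/* The commit's ordering: parent view destroyed before the child view is touched. */
static int scenario(bool with_fix)
{
	struct view parent, child;

	view_init(&parent, 1);
	view_init(&child, 2);
	view_set_parent(&child, &parent,
			with_fix ? parent_destroy_fixed : parent_destroy_unfixed);
	view_destroy(&parent);
	return view_effective_output(&child);
}
```

scenario(false) reaches the stale pointer and reports -2; scenario(true) finds parent_view already cleared and falls back to the child's own output, 2. Building the real thing with AddressSanitizer turns the -2 branch into a reported heap-use-after-free, which is the check worth running on the ivi-shell sequence in the commit message.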