From b259485975078087fe6bde2b9e1eccf4ae14120c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Michel=20D=C3=A4nzer?=
Date: Tue, 17 Mar 2020 11:45:22 +0100
Subject: [PATCH xserver] xwayland: Delete all frame_callback_list nodes in xwl_unrealize_window

We were only calling xwl_present_unrealize_window for the toplevel window, but the list can contain entries from child windows as well, in which case we were leaving dangling pointers to freed memory.

Closes: https://gitlab.freedesktop.org/xorg/xserver/issues/1000
Fixes: c5067feaeea1 "xwayland: Use single frame callback for Present flips and normal updates"
Reviewed-by: Olivier Fourdan
Tested-by: Olivier Fourdan
(cherry picked from commit 5e91587302e85fd6f0e8d5ffbe30182e18c6913f)
---
 hw/xwayland/xwayland-present.c | 8 +-------
 hw/xwayland/xwayland.c | 11 +++++++++--
 hw/xwayland/xwayland.h | 2 +-
 3 files changed, 11 insertions(+), 10 deletions(-)

diff --git a/hw/xwayland/xwayland-present.c b/hw/xwayland/xwayland-present.c
index c7c077aaa..5ba7dce08 100644
--- a/hw/xwayland/xwayland-present.c
+++ b/hw/xwayland/xwayland-present.c
@@ -524,14 +524,8 @@ xwl_present_flips_stop(WindowPtr window)
 }
 void
-xwl_present_unrealize_window(WindowPtr window)
+xwl_present_unrealize_window(struct xwl_present_window *xwl_present_window)
 {
- struct xwl_present_window *xwl_present_window = xwl_present_window_priv(window);
-
- if (!xwl_present_window ||
- xorg_list_is_empty(&xwl_present_window->frame_callback_list))
- return;
-
 /* The pending frame callback may never be called, so drop it and shorten
 * the frame timer interval.
 */
diff --git a/hw/xwayland/xwayland.c b/hw/xwayland/xwayland.c
index 5fefa5923..ed9f2e3c2 100644
--- a/hw/xwayland/xwayland.c
+++ b/hw/xwayland/xwayland.c
@@ -700,8 +700,15 @@ xwl_unrealize_window(WindowPtr window)
 wl_callback_destroy(xwl_window->frame_callback);
 #ifdef GLAMOR_HAS_GBM
- if (xwl_screen->present)
- xwl_present_unrealize_window(window);
+ if (xwl_screen->present) {
+ struct xwl_present_window *xwl_present_window, *tmp;
+
+ xorg_list_for_each_entry_safe(xwl_present_window, tmp,
+ &xwl_window->frame_callback_list,
+ frame_callback_list) {
+ xwl_present_unrealize_window(xwl_present_window);
+ }
+ }
 #endif
 free(xwl_window);
diff --git a/hw/xwayland/xwayland.h b/hw/xwayland/xwayland.h
index a12ec257b..daa719209 100644
--- a/hw/xwayland/xwayland.h
+++ b/hw/xwayland/xwayland.h
@@ -456,7 +456,7 @@ void xwl_glamor_egl_make_current(struct xwl_screen *xwl_screen);
 void xwl_present_frame_callback(struct xwl_present_window *xwl_present_window);
 Bool xwl_present_init(ScreenPtr screen);
 void xwl_present_cleanup(WindowPtr window);
-void xwl_present_unrealize_window(WindowPtr window);
+void xwl_present_unrealize_window(struct xwl_present_window *xwl_present_window);
 #endif /* GLAMOR_HAS_GBM */
 #ifdef XV
-- 
2.25.1
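Review bot: Nothing in the new loop in xwl_unrealize_window states or checks that `xwl_window->frame_callback_list` is empty by the time `free(xwl_window)` runs, and that invariant is the whole fix: the list head lives inside `xwl_window`, so any node left linked points into freed memory. The loop relies on xwl_present_unrealize_window unlinking the node it is given, which presumably happens in the part of that function below the xwayland-present.c hunk, and that is also why the `_safe` iterator is needed. I would add a comment above the loop such as `/* Unlink every present window, children included, before xwl_window and its list head are freed. */` and, if the tree's conventions allow it, `assert(xorg_list_is_empty(&xwl_window->frame_callback_list));` right after the loop. Since the same commit drops the NULL and empty-list guard from xwl_present_unrealize_window, its comment should also say that the argument must be non-NULL and currently linked on a frame_callback_list. Both function bodies continue outside the visible hunks.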