Commit Graph

8213 Commits

Author SHA1 Message Date
Marius Vlad
8a610ffe41 compositor/text-backend: Avoid a potential UAF
The text_input_manager might be destroyed upon a compositor shutdown, so
verify if it's still set-up before attemping to use it to avoid a UAF.

Signed-off-by: Marius Vlad <marius.vlad@collabora.com>
2022-07-27 14:15:11 +03:00
Jonas Ådahl
5ffa1962a5 compositor: Add support for wl_surface.offset()
This allows for setting a buffer offset without having to make it part
of the wl_surface.attach request. This is useful for e.g. setting a DND
surface icon hotspot offset when using Vulkan; or doing the same with
EGL without having to use wl_egl_window_resize().

Signed-off-by: Jonas Ådahl <jadahl@gmail.com>
2022-07-26 17:43:01 +00:00
Derek Foreman
4564a40cb0 rdp: Move peer list from output to backend
In the future we'll have multiple output support, which makes storing
the peer list on an output rather tricky.

Signed-off-by: Derek Foreman <derek.foreman@collabora.com>
2022-07-26 17:34:20 +00:00
Michael Olbrich
27d2a4cfab libweston: don't reset the plane for views from other outputs
The paint_node_z_order_list contains all views, not just the ones visible on the
current output. So all views are moved to the primary plane when one output
does not support planes.

This will be relevant with multiple backends: When an output without plane
support is rendered then the views of all other outputs are removed from
the current planes and the corresponding outputs will be repainted
unnecessarily.

So only reset the plane if the view is actually on the current output.

Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
2022-07-26 17:28:15 +00:00
Derek Foreman
2badd284a5 compositor: Load xwayland module first
This is so the systemd-notify module, if used, will notify readiness after
we're ready to accept X connections, instead of before.

Signed-off-by: Derek Foreman <derek.foreman@collabora.com>
2022-07-26 17:20:09 +00:00
Derek Foreman
0972c6b2da compositor: Remove deprecated xwayland loading method
This is awkward and long deprecated, and makes us load xwayland after all
the other modules so we know if we have to load it or not. Let's remove it.

We do still need to prevent loading the module the wrong way, though.

Signed-off-by: Derek Foreman <derek.foreman@collabora.com>
2022-07-26 17:20:09 +00:00
Marius Vlad
78ccc99d0a libweston: Remove runtime render switching
It is only enabled by a debug key binding, currently not tested at all,
and is seems it doesn't really work, so let's remove it. This also
removes it from the man page.

Signed-off-by: Marius Vlad <marius.vlad@collabora.com>
2022-07-26 13:40:43 +00:00
Marius Vlad
6744a6278e clients/window: Bump xdg-shell version to latest
It seems we've missed an update from 3 to 4 (bounds events). With it,
this updates to version 5 which sends the capabilities event. Stubs, as
we're not using them.

Signed-off-by: Marius Vlad <marius.vlad@collabora.com>
2022-07-26 16:17:43 +03:00
Daniel Stone
a8048c5c1c libweston: Properly namespace solid_buffer_values
It's exported by libweston, so shouldn't leak unprefixed types.

Signed-off-by: Daniel Stone <daniels@collabora.com>
2022-07-26 11:52:24 +01:00
Joshua Watt
a09f02d43a libweston: Compute output protection when head is attached
A head may have its output protection set before it is attached to an
output. Recompute the output protection whenever a head is attached to
make sure it correctly set in output.

Signed-off-by: Joshua Watt <JPEWhacker@gmail.com>
2022-07-26 13:03:23 +03:00
Daniel Stone
b047f989a5 xdg-shell: Implement xdg-shell v5 capabilities event
This skips over xdg-shell v4, which can be implemented with no changes
as it's just another optional event.

v5 adds a capabilities event, which we send to inform clients of the
window manager's capabilities.

Signed-off-by: Daniel Stone <daniels@collabora.com>
2022-07-26 12:09:04 +03:00
Daniel Stone
1541c44777 libweston-desktop: Add shell capability queries
Allow other components to query which window-management operations are
supported by the shell.

Signed-off-by: Daniel Stone <daniels@collabora.com>
2022-07-26 12:09:04 +03:00
Daniel Stone
28caa08be6 Implement wp_single_pixel_buffer_v1 protocol
This protocol allows clients to create single-pixel RGBA buffers. Now
that we have proper support for these buffers internally within Weston,
we can expose them to clients.

This bumps the build container version, as we now depend on
wayland-protocols v1.26.

Signed-off-by: Daniel Stone <daniels@collabora.com>
2022-07-26 10:26:55 +03:00
Daniel Stone
0dcd000b3a build: Separate unstable and version for wayland-protocols
We want to support staging protocols which have a version too, so don't
assume that anything versioned is unstable.

Signed-off-by: Daniel Stone <daniels@collabora.com>
2022-07-26 10:26:55 +03:00
Pekka Paalanen
9358706743 README: establish no-malloc-failures policy
There are many reasons why trying to handle malloc() returning NULL by
any other way than calling abort() is not beneficial:

- Usually malloc() does not return NULL, thanks to memory overcommit.
  Instead, the program gets SIGSEGV signal when it tries to access the
  memory.

- Trying to handle NULL will create failure paths that are impractical
  to test. There is no way to be sure the compositor still works once
  such path is actually taken.

- Those failure path will clutter the code, increasing maintenance and
  development burden.

- Sometimes there just isn't a good way to handle the failure.

For more discussion, see the issue link below.

Closes: https://gitlab.freedesktop.org/wayland/weston/-/issues/631

Signed-off-by: Pekka Paalanen <pekka.paalanen@collabora.com>
2022-07-20 13:07:22 +03:00
Pekka Paalanen
fc26c749df shared/xalloc.h: do not rely on zalloc()
The definition of zalloc is trivial, so let's just have it here instead
of loading libweston/zalloc.h.

Now xalloc.h does not depend on any libweston header, which makes me
feel slightly better. It's more clean.

Who knows, maybe one day libweston/zalloc.h will be removed.

Signed-off-by: Pekka Paalanen <pekka.paalanen@collabora.com>
2022-07-20 12:47:11 +03:00
Pekka Paalanen
c95feefbc0 clients/simple-touch: use xzalloc() for buffer
This file relied on shared/xalloc.h to include <libweston/zalloc.h>.
That would be a problem if xalloc.h stopped doing that.

Just use xzalloc().

Signed-off-by: Pekka Paalanen <pekka.paalanen@collabora.com>
2022-07-20 12:45:04 +03:00
Pekka Paalanen
9229a45116 shared: rewrite fail_on_null() as abort_oom_if_null()
Recently I learnt that fprintf() is not async-signal-safe. Maybe it also
attempts to allocate memory sometimes. Hence, using it when we
presumably are out of memory is wishful thinking.

Therefore replace that with async-signal-safe code. If you have to check
pointers from traditional signal handlers, now you could do that too!

While doing this, we also lose the string formatting for line number. I
would argue that printing file and line number is not that useful, if
the system really is out of memory. If not out of memory, a core dump
would give us much more detailed information about what went wrong.

clients/window.c had some calls to fail_on_null() and these are simply
replaced. They were used for checking that creating new wl_proxy by
issuing a protocol request worked, and IIRC that only fails on
out-of-memory, so the same rationale applies here.

Signed-off-by: Pekka Paalanen <pekka.paalanen@collabora.com>
2022-07-20 12:44:12 +03:00
Pekka Paalanen
cbbf0e59a5 ivi-shell: replace MEM_ALLOC() with mostly xcalloc()
Drop the even more home-grown alloc wrapper and use the xalloc.h
wrappers directly.

xcalloc() is added and used, because calloc() will detect integer
overflows in the size multiplication, while doing a simple
multiplication in the caller is subject to overflows which may result in
allocating not what was expected, subjecting to out-of-bounds access.

All MEM_ALLOC() calls that had a meaningful multiplication in them were
converted to xcalloc(), the rest to xzalloc().

Signed-off-by: Pekka Paalanen <pekka.paalanen@collabora.com>
2022-07-20 12:12:22 +03:00
Pekka Paalanen
27cf50462b README: drop note about a cairo build option
That build option has been long gone. cairo-image is the only flavor used
nowadays.

Signed-off-by: Pekka Paalanen <pekka.paalanen@collabora.com>
2022-07-20 11:47:16 +03:00
Derek Foreman
c79e1126b6 xwayland: give Xwayland its own session
If we leave xwayland in weston's process group, it can receive
signals from the controlling TTY intended for weston.

The easiest way to see this is to launch weston under gdb, start an
X client, and hit ctrl-c in the gdb session. The Xwayland server
will also catch the SIGINT, and the X client will be disconnected.

Instead, let's call setsid() when launching Xwayland, like we do
for launched clients.

Suggested-by: Hideyuki Nagase <hideyukn@microsoft.com>
Signed-off-by: Derek Foreman <derek.foreman@collabora.com>
2022-07-19 14:19:57 +00:00
Daniel Stone
53f895b476 wet_process: Do not weston_log() after fork()
[common equivalent of 77cf8cb006 in Xwayland from Pekka Paalanen; its
 commit message follows]

Between fork() and exec() in the child process it is only safe to use
async-signal-safe functions. weston_log() definitely is not one, it
allocates memory and does whatnot.

weston_log() is also inappropriate for other reasons: the child process
has its own stream buffers and flight-recorder. No-one looks into the
child process' flight recorder, so messages would be lost there. The
logging machinery might also attempt to write into debug streams,
meaning both parent and child could be writing simultaneously.

It seems that the best we can do is to pre-bake an error message and
only write() it out if exec() fails. There is no mention that even
strerror_r() might be safe to call, so we don't.

Signed-off-by: Daniel Stone <daniels@collabora.com>
2022-07-19 14:12:37 +00:00
Daniel Stone
9ab97ebd72 wet_process: Use custom_env when forking clients
Use the custom_env framework we added for Xwayland when forking to
execute clients. This avoids calling the unsafe getenv in between fork
and exec.

Signed-off-by: Daniel Stone <daniels@collabora.com>
2022-07-19 14:12:37 +00:00
Daniel Stone
8aa4571240 wet_process: Inline child_client_exec()
It was only a small function, and inlining it will allow us to make it
more safe without having to duplicate a ton of stuff.

Signed-off-by: Daniel Stone <daniels@collabora.com>
2022-07-19 14:12:37 +00:00
Daniel Stone
c0a76716c1 wet_process: Use fdstr when executing clients
This doesn't actually stop us from calling setenv() in between fork()
and exec() when starting clients, but gets us closer to Xwayland's safe
implementation by reusing one of the helpers it added.

Signed-off-by: Daniel Stone <daniels@collabora.com>
2022-07-19 14:12:37 +00:00
Daniel Stone
a3175727cb wet_process: Rearrange fork() if tree to case statement
Matches the safe Xwayland implementation more closely and makes it
easier to reuse it.

Signed-off-by: Daniel Stone <daniels@collabora.com>
2022-07-19 14:12:37 +00:00
Daniel Stone
8b238905d7 xwayland: Use os_socketpair_cloexec()
We already have a helper for this; use it.

Signed-off-by: Daniel Stone <daniels@collabora.com>
2022-07-19 14:12:37 +00:00
Daniel Stone
5dbe001661 xwayland: Use custom-env arg handling
Use the arg handling added in the previous commit so that the
environment is completely encapsulated inside the custom env.

Signed-off-by: Daniel Stone <daniels@collabora.com>
2022-07-19 14:12:37 +00:00
Daniel Stone
965d90cbaa desktop-shell: Use custom_env to launch panel clients
Rather than open-coding our own implementation of parsing a string to
construct an envp and an argp, just use custom_env's implementation.

Signed-off-by: Daniel Stone <daniels@collabora.com>
2022-07-19 14:12:37 +00:00
Daniel Stone
2cdb473690 custom-env: Add helper to parse combined env/arg strings
Users like desktop-shell want to parse a provided string containing a
combination of environment and arg, e.g.: ENV=stuff /path/to/thing --good

Add support to custom-env for parsing this, with tests, so we can delete
the custom implementation inside desktop-shell.

Signed-off-by: Daniel Stone <daniels@collabora.com>
2022-07-19 14:12:37 +00:00
Daniel Stone
e568a025e1 custom-env: Add support for argument array
execve() takes the same form for arguments as environment: an array of
constant pointers to mutable strings, terminated by a NULL.

To make it easier for users who want to build up their own argument
strings to pass to execve, add support for argument arrays to custom_env.

Signed-off-by: Daniel Stone <daniels@collabora.com>
2022-07-19 14:12:37 +00:00
Daniel Stone
2a9cae17d8 custom-env: Add tests for environment handling
Test the basic stuff: initialising from a known environment, setting a
new variable, overwriting a previous variable, and getting the resulting
array to pass to execve.

Signed-off-by: Daniel Stone <daniels@collabora.com>
2022-07-19 14:12:37 +00:00
Daniel Stone
fafe5f0fc2 custom-env: Prepare for handling args as well as environment
Rename the bits handling environment variables (currently, all of it),
so we have room to handle args as well.

No functional changes.

Signed-off-by: Daniel Stone <daniels@collabora.com>
2022-07-19 14:12:37 +00:00
Daniel Stone
3af823b69b process-util: Assert we don't finalize twice
Make sure that we only try to finalize once.

Signed-off-by: Daniel Stone <daniels@collabora.com>
2022-07-19 14:12:37 +00:00
Daniel Stone
b685e075cd process-util: Move Xwayland fork helpers to shared
We'll want to reuse these inside desktop-shell as well as the Weston
frontend.

Signed-off-by: Daniel Stone <daniels@collabora.com>
2022-07-19 14:12:37 +00:00
Marius Vlad
7fd22ae44d libweston/compositor: Check whether flushing is allowed
This patch acts as bandaid in the core compositor to avoid the renderer
doing a flush after the buffer has been released. Flushing after release
can happen due to problems in the internal damage tracking, is violating
the protocol, and causes visible glitches.

A more proper fix would be to handle compositor side damage correctly.

Suggested-by: Pekka Paalanen <pekka.paalanen@collabora.com>
Acked-by: Daniel Stone <daniel.stone@collabora.com>
Signed-off-by: Marius Vlad <marius.vlad@collabora.com>
2022-07-15 12:55:30 +03:00
Marius Vlad
50f98b1006 backend-drm/state-propose: Amend an older comment
Since b38b735e20, 'backend-drm: Remove Pixman conditional
for keep_buffer' the Pixman renderer keeps its own reference to buffers
when attached to surfaces, rather than flipping keep_buffer variable for
the surface. Problem is that when switching from the Pixman render to
the GL would not work and could result in a crash upon first repaint.

Signed-off-by: Marius Vlad <marius.vlad@collabora.com>
2022-07-15 12:54:05 +03:00
Pekka Paalanen
764c2aff8f xwayland: do not check execve() return value
Simplifies the code a bit.

Signed-off-by: Pekka Paalanen <pekka.paalanen@collabora.com>
2022-07-12 08:30:22 +00:00
Pekka Paalanen
1bd92dac01 xwayland: do not use setenv() after fork()
Between fork() and exec() in the child process it is only safe to use
async-signal-safe functions. Painfully, setenv() is not listed as such.

Therefore we must craft our own custom environment, and we get no help
from libc with that.

Signed-off-by: Pekka Paalanen <pekka.paalanen@collabora.com>
2022-07-12 08:30:22 +00:00
Pekka Paalanen
d1b01ffb9a xwayland: use execv()
Constructing argv before-hand is a little easier to look at, but this is
mostly just anticipating more changes to how Weston spawns processes in
general.

Signed-off-by: Pekka Paalanen <pekka.paalanen@collabora.com>
2022-07-12 08:30:22 +00:00
Pekka Paalanen
a3d7199bea xwayland: use pipe2()
We are already using pipe2() in many places, even in libweston, so let's
simplify the code here as well - not to mention avoid a theoretical
race.

Signed-off-by: Pekka Paalanen <pekka.paalanen@collabora.com>
2022-07-12 08:30:22 +00:00
Pekka Paalanen
4c0bdbfde9 xwayland: do not snprintf() after fork()
Between fork() and exec() in the child process it is only safe to use
async-signal-safe functions. Surprisingly, snprintf() is not such
function. See e.g. https://stackoverflow.com/a/6771799 and how snprintf
is not listed in signal-safety(7) manual.

Therefore we must prepare the fd argument strings before fork(). That is
only possible if we also do not dup() fd in the child process. Hence we
remove the close-on-exec flag instead in the child process which has
copies of the parent's file descriptors. Fortunately fcntl() is safe.

struct fdstr is helping to reduce code clutter a bit.

Additionally, if fork() fails, we now clean up the fds we created.

Signed-off-by: Pekka Paalanen <pekka.paalanen@collabora.com>
2022-07-12 08:30:22 +00:00
Pekka Paalanen
99b2b958f9 shared: introduce os_fd_clear_cloexec()
This function will be used between fork() and exec() to remove the
close-on-exec flag. The first user will be compositor/xwayland.c.

Signed-off-by: Pekka Paalanen <pekka.paalanen@collabora.com>
2022-07-12 08:30:22 +00:00
Pekka Paalanen
0260b8a0b5 shared: fcntl uses int, not long
fcntl(2) manual says the return type is int, and that F_SETFD takes an
int. So use int.

Noticed by code inspection.

Signed-off-by: Pekka Paalanen <pekka.paalanen@collabora.com>
2022-07-12 08:30:22 +00:00
Pekka Paalanen
77cf8cb006 xwayland: do not weston_log() after fork()
Between fork() and exec() in the child process it is only safe to use
async-signal-safe functions. weston_log() definitely is not one, it
allocates memory and does whatnot.

weston_log() is also inappropriate for other reasons: the child process
has its own stream buffers and flight-recorder. No-one looks into the
child process' flight recorder, so messages would be lost there. The
logging machinery might also attempt to write into debug streams,
meaning both parent and child could be writing simultaneously.

It seems that the best we can do is to pre-bake an error message and
only write() it out if exec() fails. There is no mention that even
strerror_r() might be safe to call, so we don't.

Signed-off-by: Pekka Paalanen <pekka.paalanen@collabora.com>
2022-07-12 08:30:22 +00:00
Pekka Paalanen
71b40fc76b xwayland: move config reading up
Doing any kind of memory allocation calls between fork() and exec() in
the child process is prone to deadlocks and explosions. In general, only
async-signal-safe functions are safe there.

Move the config access to the parent process before fork() to avoid
problems.

See also:
https://gitlab.freedesktop.org/wayland/weston/-/merge_requests/941#note_1457053

Signed-off-by: Pekka Paalanen <pekka.paalanen@collabora.com>
2022-07-12 08:30:22 +00:00
Pekka Paalanen
e88a622434 Revert "xwayland: Don't dup() displayfd pipe"
This reverts commit 4aa885d4af.

Turns out the problem was not about dupping fds at all, but calling
non-async-signal-safe functions like strdup() between fork() and exec()
in the child process.

For more discussion, see:
https://gitlab.freedesktop.org/wayland/weston/-/merge_requests/941#note_1457053

Signed-off-by: Pekka Paalanen <pekka.paalanen@collabora.com>
2022-07-12 08:30:22 +00:00
Pekka Paalanen
ff94ba33cd compositor: fix shutdown when xwayland failed to start
This patch fixes the following:

AddressSanitizer:DEADLYSIGNAL
=================================================================
==528956==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000008 (pc 0x7fbc5d66bdd7 bp 0x7ffd465573c0 sp 0x7ffd46557398 T0)
==528956==The signal is caused by a WRITE memory access.
==528956==Hint: address points to the zero page.
    #0 0x7fbc5d66bdd7 in wl_list_remove ../../git/wayland/src/wayland-util.c:56
    #1 0x7fbc5cb8869e in wxw_compositor_destroy ../../git/weston/compositor/xwayland.c:357
    #2 0x7fbc5baf3ca6 in weston_signal_emit_mutable ../../git/weston/shared/signal.c:62
    #3 0x7fbc5ba4d6f9 in weston_compositor_destroy ../../git/weston/libweston/compositor.c:8639
    #4 0x7fbc5cb7a5f2 in wet_main ../../git/weston/compositor/main.c:3772
    #5 0x55bd13de2179 in main ../../git/weston/compositor/executable.c:33
    #6 0x7fbc5be61d09 in __libc_start_main ../csu/libc-start.c:308
    #7 0x55bd13de2099 in _start (/home/pq/local/bin/weston+0x1099)

The problem is triggered by configuring a bad path to Xwayland in
weston.ini, which causes exec() to fail. The fork() succeeded though,
which means the weston_process was already on the watch list, and the
watch can be handled, making sigchl_handler() leave the link
uninitialized.

Making sure the link remains removable fixes this.

Fixes: 18897253d4

Signed-off-by: Pekka Paalanen <pekka.paalanen@collabora.com>
2022-07-08 11:56:04 +03:00
Pekka Paalanen
00641368e2 compositor: deprecate cms-static and cms-colord plugins
While developing the new color management, keeping these old plugins
working would require extra work. Let's deprecate these to see if anyone
cares about them, pending removal after the Weston 11.0.0 release.

CI will keep building these in the "Full build" configuration only. Doc
and no-GL builds are no different for these plugins, so there these are
no longer built.

See https://gitlab.freedesktop.org/wayland/weston/-/issues/634

Signed-off-by: Pekka Paalanen <pekka.paalanen@collabora.com>
2022-07-06 10:38:44 +00:00
Daniel Stone
18897253d4 xwayland: Add compositor destroy listener to free allocation
Otherwise we just leak this into the void. Not good.

Signed-off-by: Daniel Stone <daniels@collabora.com>
2022-07-05 13:25:37 +01:00