wayland/transaction: Don't free queue node on tear down

The GQueue node for transactions is inlined in the transaction struct,
meaning we should never let the GQueue API free the node itself, as that
actually frees the transaction itself.

We did this during tear down if there were left-over transactions,
meaning we ended up with use-after-free issues after having popped
transactions from the queue.

Fix this by just popping the link itself, which won't attempt to free
it. It is effectively freed when freeing the transaction itself so we
won't leak any memory.

Fixes: 56260e3e0726c970c572a339e18b1f6ebed3069c
Part-of: <https://gitlab.gnome.org/GNOME/mutter/-/merge_requests/2805>
Jonas Ådahl 2023-01-25 12:45:36 +01:00 committed by Marge Bot
parent 0e6395d932
commit 8abdbbdf24

@ -593,12 +593,18 @@ void
meta_wayland_transaction_finalize (MetaWaylandCompositor *compositor)
{
GQueue *transactions;
MetaWaylandTransaction *transaction;
GList *node;
transactions = meta_wayland_compositor_get_committed_transactions (compositor);
while ((transaction = g_queue_pop_head (transactions)))
meta_wayland_transaction_free (transaction);
while ((node = g_queue_pop_head_link (transactions)))
{
MetaWaylandTransaction *transaction = node->data;
g_assert (node == &transaction->node);
meta_wayland_transaction_free (transaction);
}
}
void
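Review bot: the reason the loop must use g_queue_pop_head_link rather than g_queue_pop_head (the GList node lives inside MetaWaylandTransaction, so the node free that g_queue_pop_head performs after unlinking is what freed the transaction and caused the use-after-free) is stated only in the commit message; add a one-line comment above the `while ((node = g_queue_pop_head_link (transactions)))` loop, e.g. `/* node is embedded in the transaction; never let GQueue free it */`, so the next reader does not "simplify" it back. Also note that `g_assert (node == &transaction->node);` is compiled out under G_DISABLE_ASSERT, so the comment, not the assert, is what documents the embedded-node invariant in release builds.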