[mutter] wayland: Disconnect signals when Wayland compositor object is finalized



commit 39fd32c362dcc0e277f5794d0534aee224343ebd
Author: Michel Dänzer <mdaenzer redhat com>
Date:   Sat Jul 23 16:37:15 2022 +0200

    wayland: Disconnect signals when Wayland compositor object is finalized
    
    Fixes potential use-after-free during mutter shutdown, e.g.:
    
    ==993876== Invalid read of size 8
    ==993876==    at 0x4A4FCA3: meta_wayland_presentation_time_ensure_feedbacks (meta-wayland-presentation-time.c:373)
    ==993876==    by 0x4A3F07F: on_presented (meta-wayland.c:282)
    ==993876==    by 0x661B7E9: ??? (in /usr/lib/x86_64-linux-gnu/libffi.so.8.1.0)
    ==993876==    by 0x661A922: ??? (in /usr/lib/x86_64-linux-gnu/libffi.so.8.1.0)
    ==993876==    by 0x4DFF4BC: g_cclosure_marshal_generic_va (gclosure.c:1648)
    ==993876==    by 0x4DFE948: _g_closure_invoke_va (gclosure.c:893)
    ==993876==    by 0x4E17498: g_signal_emit_valist (gsignal.c:3406)
    ==993876==    by 0x4E176BE: g_signal_emit (gsignal.c:3553)
    ==993876==    by 0x51D9DB5: clutter_stage_view_notify_presented (clutter-stage-view.c:1226)
    ==993876==    by 0x499ACD2: frame_cb (meta-stage-view.c:83)
    ==993876==    by 0x499ACD2: frame_cb (meta-stage-view.c:43)
    ==993876==    by 0x50CAA41: notify_event (cogl-onscreen.c:175)
    ==993876==    by 0x50CAA41: _cogl_onscreen_notify_complete (cogl-onscreen.c:545)
    ==993876==    by 0x4A877F5: meta_onscreen_native_notify_frame_complete (meta-onscreen-native.c:211)
    ==993876==  Address 0x24b7be58 is 296 bytes inside a block of size 344 free'd
    ==993876==    at 0x484217B: free (vg_replace_malloc.c:872)
    ==993876==    by 0x4E1F88B: g_type_free_instance (gtype.c:2001)
    ==993876==    by 0x49C793C: meta_context_dispose (meta-context.c:675)
    ==993876==    by 0x4E037E0: g_object_unref (gobject.c:3636)
    ==993876==    by 0x4E037E0: g_object_unref (gobject.c:3553)
    ==993876==    by 0x10F145: glib_autoptr_clear_GObject (gobject-autocleanups.h:27)
    ==993876==    by 0x10F145: glib_autoptr_clear_MetaContext (meta-context.h:32)
    ==993876==    by 0x10F145: glib_autoptr_cleanup_MetaContext (meta-context.h:32)
    ==993876==    by 0x10F145: main (mutter.c:126)
    ==993876==  Block was alloc'd at
    ==993876==    at 0x483F7B5: malloc (vg_replace_malloc.c:381)
    ==993876==    by 0x4B21178: g_malloc (gmem.c:125)
    ==993876==    by 0x4B395C0: g_slice_alloc (gslice.c:1072)
    ==993876==    by 0x4B39C29: g_slice_alloc0 (gslice.c:1098)
    ==993876==    by 0x4E1F544: g_type_create_instance (gtype.c:1901)
    ==993876==    by 0x4E03DFC: g_object_new_internal (gobject.c:2011)
    ==993876==    by 0x4E0538C: g_object_new_with_properties (gobject.c:2181)
    ==993876==    by 0x4E05D40: g_object_new (gobject.c:1821)
    ==993876==    by 0x4A3F864: meta_wayland_compositor_new (meta-wayland.c:585)
    ==993876==    by 0x49C7FA7: meta_context_start (meta-context.c:412)
    ==993876==    by 0x10F065: main (mutter.c:148)
    
    Fixes: 2ce3a050f02c ("wayland: Wire up presentation-time machinery")
    Fixes: 8cff3b84f726 ("wayland/compositor: Process frame callbacks on 'after-update'")
    Part-of: <https://gitlab.gnome.org/GNOME/mutter/-/merge_requests/2527>

 src/wayland/meta-wayland.c | 5 +++++
 1 file changed, 5 insertions(+)
---
diff --git a/src/wayland/meta-wayland.c b/src/wayland/meta-wayland.c
index 677300d907..dd4628c441 100644
--- a/src/wayland/meta-wayland.c
+++ b/src/wayland/meta-wayland.c
@@ -445,6 +445,11 @@ static void
 meta_wayland_compositor_finalize (GObject *object)
 {
   MetaWaylandCompositor *compositor = META_WAYLAND_COMPOSITOR (object);
+  MetaBackend *backend = meta_context_get_backend (compositor->context);
+  ClutterActor *stage = meta_backend_get_stage (backend);
+
+  g_signal_handlers_disconnect_by_func (stage, on_after_update, compositor);
+  g_signal_handlers_disconnect_by_func (stage, on_presented, compositor);
 
   g_clear_object (&compositor->dma_buf_manager);
 
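Review bot: the two new `g_signal_handlers_disconnect_by_func` calls in `meta_wayland_compositor_finalize` assume that `meta_context_get_backend (compositor->context)` and `meta_backend_get_stage (backend)` still return live objects when the compositor is finalized, and nothing in the hunk checks that. The valgrind trace shows the compositor being released from `meta_context_dispose`, so the backend and stage are evidently still alive at that point today, but finalize is the last step of the object's life and the hunk has no guard if the teardown order in `meta_context_dispose` ever changes: with a NULL `stage` both disconnect calls would only trip a `g_return_if_fail` critical (harmless for the use-after-free, since a destroyed stage no longer emits, but noisy at every shutdown). An `if (stage)` guard would cover that, or the disconnects could move into a dispose vfunc, which is where GObject convention puts the breaking of links to other objects and where handlers connected with `compositor` as user data are normally undone. The placement ahead of `g_clear_object (&compositor->dma_buf_manager)` is right either way: the handlers must be gone before finalize starts releasing state that `on_presented` and `on_after_update` read through `compositor`.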