[RESOLVED] Tint2 rare crash - systray (patched)

News & Development Bug reports
65

Hi @Rhuks

I am curious about a font Voltaire you use. I cannot find it in the repo.

yay voltaire

Volumettf part does not work for me. The wheel up/down does partly work (stange behavior).
When I change it with my part it works. I tested with Ubuntu font.

execp_command = volumettf
execp_font = Voltaire 12.5
My volumettf part

#-------------------------------------

Executor 5

execp = new
execp_name = TTFVOL
execp_command = volumettf
execp_interval = 1
execp_has_icon = 0
execp_cache_icon = 0
execp_continuous = 0
execp_markup = 1
execp_monitor = primary
execp_tooltip = L: simple M: mbmusic W: Volume up/down
execp_lclick_command = mb-music ipc
execp_rclick_command = amixer -D pulse set Master toggle
execp_mclick_command =
execp_uwheel_command = amixer -D pulse set Master 5%+
execp_dwheel_command = amixer -D pulse set Master 5%-
execp_font = Ubuntu 20
execp_font_color = #E9484F 100
execp_padding = 6 0
execp_background_id = 13
execp_centered = 1
execp_icon_w = 35
execp_icon_h = 34

I would suggest.

  • Use a default tint2rc of mabox
  • Use meld and change parts step by step — till things go weird

I did’t check the complete tint2rc file.
The volumettf part and the scripts @napcok mentioned are interesting to look at.

66

Hello!
Sorry for the delay in replying. I was looking for where I get the “inspiration” for that tint2 config.
It was taken from here: Tint2-Collections/PolyTint2/PolyTint2.tint2rc at master · fikriomar16/Tint2-Collections · GitHub (or was it from here?: tint2-theme-collections/minima/minima.tint2rc at master · addy-dclxvi/tint2-theme-collections · GitHub)

I changed the position and colors (back then I was in love with Nordic palette), trying to keep its structure. I do not comment/remove those lines calling those scripts. the only executors I enabled there were MB L/R menus, MB volume and the calendar on clock L-click.

It worked for me seamessly at least for 2 years. A not to old capture: https://forum.maboxlinux.org/uploads/default/original/2X/7/726e210df71d803c8420f5cd73457093bb34b831.jpeg

67

Hi, @muzqs
Regarding the script: in my old ~/.config/tint2/scripts:

-rwxr-xr-x 1 rhuks rhuks 2128 ene 26  2023 audacious.sh
-rwxr-xr-x 1 rhuks rhuks  830 ene 26  2023 desktop
-rwxr-xr-x 1 rhuks rhuks 1116 may  8 05:03 volumettf
-rw-r--r-- 1 rhuks rhuks 1116 nov 13  2025 volumettf-update

uhm… are “volumettf*” the MB tint2 volume scripts, right?

the font: it is an old font (the .zip date is from 2021) I do not remember from where I downloaded it, probably from Font Squirrel or similar.

68

Volumettf-update does not excist in mabox. It looks like just a file in a folder, I dont suspect that file.

Iam sorry, I lost track of the latest status of your tint2 to give any suggestions.

Recapitule: When you use one of the default mabox tint2rc’s tint2 is fine?

1 Like
69

@muzqs
My current tint2 panel in mabox2-top, delivered with my last MB installation. It works perfectly:

  • icons in systray (blueman-applet, nm-applet, xfce4-power-manager, clipit), all of them set through .config/autostart;
  • localsend systray icon does not crash tint2.
  • MB-volume icon works seamlessly (Mwheel, clicks)
  • No stalled processes, nominal CPU temp and % usage.
  • Life is good.
2 Likes
70

Hi @muzqs, can you consider initiating a merge request to upstream Arch? I can confirm that this problem affects standard Arch, and that the package you’ve prepared for Mabox resolves it. Thanks in advance.

71

Hi @korikori and welcome to the forum :slight_smile:

I see that you have created a bug report on the Arch Linux GitLab.

Unfortunately, you sent them a link to a non‑working patch :frowning:
The correct patch is below:
systray-iterator-uaf.patch

From: zackattackz
Subject: [PATCH] systray: fix iterator UAF in on_change_systray

Patch adapted for original tint2 (o9000/tint2) by danieln@maboxlinux.org

on_change_systray() iterates systray.list_icons and calls reparent_icon()
for each icon not yet reparented. If the XEMBED handshake fails,
reparent_icon() calls remove_icon(), which g_slist_remove()s and g_free()s
the current node. The loop then advances via l = l->next on the freed node,
and the next iteration dereferences l->data on garbage memory (SIGSEGV).

Trigger: any tray client that requests dock then destroys its window before
the embed completes — e.g. Steam's transient 200x200 loader icon, Electron
apps (Vesktop/Discord) that tear down their GdkWindow mid-embed.

Fix: capture l->next at the top of the loop body, before any call that
might free the current node. remove_icon() only frees the current node, so
the pre-captured next pointer stays valid.

This is the same iterator-invalidation pattern fixed in uevent_handler() by
the glib2.76 patch (issue #4). That fix addressed one occurrence; this is
the missed sibling in systraybar.c.

Tested with a reproducer that queues N_SYSTEM_TRAY_REQUEST_DOCK events then
destroys the windows before on_change_systray can reparent them:
unpatched → SIGSEGV within a few rounds; patched → all rounds survive.
---
 src/systray/systraybar.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/src/systray/systraybar.c b/src/systray/systraybar.c
index 2a9fafe..5eb5c6f 100644
--- a/src/systray/systraybar.c
+++ b/src/systray/systraybar.c
@@ -292,9 +292,10 @@ void on_change_systray(void *obj)
     }
 
     TrayWindow *traywin;
-    GSList *l;
+    GSList *l, *next;
     int i;
-    for (i = 1, l = systray.list_icons; l; i++, l = l->next) {
+    for (i = 1, l = systray.list_icons; l; i++, l = next) {
+        next = l->next;
         traywin = (TrayWindow *)l->data;
 
         traywin->y = posy;

I tried to create an account on the Arch GitLab, but unfortunately I wasn’t able to complete the registration.

Can you send them the correct patch — the one included in this post?
In Mabox we’ve been using the patched tint2 for over two weeks now — and it has been 100% confirmed that it fixes the issue.
The problem occurred when launching programs such as Steam, Lutris, LocalSend, Remote Desktop Manager (and probably many others). Now everything works as it should.

It would be good if tint2 were patched in Arch and remained in the official repository.

Update:
All files (PKGBUILD + patches) used to build tint2 in Mabox are available:

repo.maboxlinux.org/contrib/tint2/

2 Likes
72

Quick update on the systray crash fix.

I reached out to @korbel.jak, maintainer of tint2-patched-git on AUR, to ask whether his package includes the iterator UAF fix for on_change_systray().

His reply: yes, it does — but implemented differently. His version restarts iteration from the beginning when a deletion occurs. He noted our fix (capturing l->next before any potential free) is more efficient, since it just continues forward without restarting.

So the good news: tint2-patched-git users are protected from the Steam/Electron SIGSEGV. The approach in the Mabox patched branch is technically the cleaner solution.

Not sure what the next step is from here — submitting the patch upstream to o9000/tint2 would be the logical move.

Snap from AUR…

korbel.jak commented on 2026-05-26 05:03 (UTC)

@musdus

Yes, it does, but differently.

The issue here is that the original code deleted from the list it iterated on at the same time.

Now the iteration stops on deletion and goes from the beginning when that happens. Your fix is more efficient.

musdus commented on 2026-05-25 23:30 (UTC)

Hi @korbel.jak

Does this package include the systray iterator UAF fix? It addresses a SIGSEGV in on_change_systray() triggered by Steam, Electron apps (Vesktop/Discord) and similar tray clients that destroy their window before the XEMBED handshake completes.

From: zackattackz
Subject: [PATCH] systray: fix iterator UAF in on_change_systray

Patch adapted for original tint2 (o9000/tint2) by danieln@maboxlinux.org

on_change_systray() iterates systray.list_icons and calls reparent_icon()
for each icon not yet reparented. If the XEMBED handshake fails,
reparent_icon() calls remove_icon(), which g_slist_remove()s and g_free()s
the current node. The loop then advances via l = l->next on the freed node,
and the next iteration dereferences l->data on garbage memory (SIGSEGV).

Trigger: any tray client that requests dock then destroys its window before
the embed completes — e.g. Steam's transient 200x200 loader icon, Electron
apps (Vesktop/Discord) that tear down their GdkWindow mid-embed.

Fix: capture l->next at the top of the loop body, before any call that
might free the current node. remove_icon() only frees the current node, so
the pre-captured next pointer stays valid.

This is the same iterator-invalidation pattern fixed in uevent_handler() by
the glib2.76 patch (issue #4). That fix addressed one occurrence; this is
the missed sibling in systraybar.c.

Tested with a reproducer that queues N_SYSTEM_TRAY_REQUEST_DOCK events then
destroys the windows before on_change_systray can reparent them:
unpatched → SIGSEGV within a few rounds; patched → all rounds survive.
---
 src/systray/systraybar.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/src/systray/systraybar.c b/src/systray/systraybar.c
index 2a9fafe..5eb5c6f 100644
--- a/src/systray/systraybar.c
+++ b/src/systray/systraybar.c
@@ -292,9 +292,10 @@ void on_change_systray(void *obj)
     }

     TrayWindow *traywin;
-    GSList *l;
+    GSList *l, *next;
     int i;
-    for (i = 1, l = systray.list_icons; l; i++, l = l->next) {
+    for (i = 1, l = systray.list_icons; l; i++, l = next) {
+        next = l->next;
         traywin = (TrayWindow *)l->data;

         traywin->y = posy;