Null pointer deref in FlushAllOutput with 1.19-rc1 ?

Olivier Fourdan ofourdan at redhat.com
Fri Oct 21 11:52:52 UTC 2016


Hi,

> Multiple Fedora 25 users running 1.19-rc1 are reporting a backtrace
> related to an InitFonts -> SendErrorToClient -> FlushAllOutput
> call chain.
> 
> Since there is no trivial reproducer this is somewhat hard to debug,
> hence this mail. Anyone have a clue / hint ?  See:
> 
> https://bugzilla.redhat.com/show_bug.cgi?id=1382444

Actually, I think we cannot really trust the symbols from Xorg's own generated backtrace; however, looking at the addresses, the sequence makes more sense:

  FlushAllOutput() in /usr/src/debug/xorg-server-20160929/os/io.c:612
  Dispatch() in /usr/src/debug/xorg-server-20160929/dix/dispatch.c:3491
  dix_main() in /usr/src/debug/xorg-server-20160929/dix/main.c:296

with /usr/src/debug/xorg-server-20160929/os/io.c:612 

 612     xorg_list_for_each_entry_safe(client, tmp, &output_pending_clients, output_pending) {
 613         if (client->clientGone)
 614             continue;
 615         if (!client_is_ready(client)) {
 616             oc = (OsCommPtr) client->osPrivate;
 617             (void) FlushClient(client, oc, (char *) NULL, 0);
 618         } else
 619             NewOutputPending = TRUE;
 620     }

So it could be that output_pending_clients list got corrupted somehow.

Not sure I can go much further than that with so little data, but if that rings a bell with someone else...

Cheers,
Olivier
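The list corruption suspected above can be made concrete. What follows is an added example, not code from the xorg-server tree and not posted by anyone in this thread: a small intrusive doubly linked ring modelled on xorg_list (its shape is assumed from memory of include/list.h), a FlushAllOutput-style loop over it, and a checker that walks the ring before iterating. The names xlist_*, Client, flush_client, flush_all_output and demo_* are invented for the example. The corrupted case simulates a client whose storage has been torn down (zeroed, as a freed and reused block might be) while its node is still linked into the pending list, which is one way the loop at io.c:612 can end up dereferencing a near-null pointer.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Intrusive doubly linked ring in the style of xorg_list (assumption: same
 * shape as xorg-server's include/list.h; written from memory for this
 * example, not copied from the project). An empty list points at itself. */
struct xlist {
    struct xlist *next, *prev;
};

#define xlist_entry(ptr, type, member) \
    ((type *)((char *)(ptr) - offsetof(type, member)))

/* "Safe" iteration caches the next link in tmp before the body runs, so the
 * body may unlink the *current* entry. It does not tolerate the body
 * unlinking or freeing any other entry, and a NULL link anywhere in the
 * ring becomes a read near address 0 when tmp is turned back into an entry. */
#define xlist_for_each_entry_safe(pos, tmp, head, member)                     \
    for (pos = xlist_entry((head)->next, __typeof__(*pos), member),           \
         tmp = xlist_entry(pos->member.next, __typeof__(*pos), member);       \
         &pos->member != (head);                                              \
         pos = tmp, tmp = xlist_entry(pos->member.next, __typeof__(*pos), member))

static void xlist_init(struct xlist *l) { l->next = l->prev = l; }

static void xlist_add_tail(struct xlist *e, struct xlist *head)
{
    e->next = head;
    e->prev = head->prev;
    head->prev->next = e;
    head->prev = e;
}

static void xlist_del(struct xlist *e)
{
    e->prev->next = e->next;
    e->next->prev = e->prev;
    xlist_init(e); /* re-initialise so a second del is harmless, as xorg_list_del does */
}

/* Walk the ring from head. Returns 0 when every link is non-NULL, every
 * next->prev points back to its predecessor, and the walk returns to head
 * within max_nodes steps; otherwise the 1-based position of the first bad
 * link, or -1 if the walk never returns to head. */
static int xlist_check(const struct xlist *head, int max_nodes)
{
    const struct xlist *n = head;
    for (int i = 1; i <= max_nodes + 1; i++) {
        const struct xlist *next = n->next;
        if (next == NULL || next->prev != n)
            return i;
        if (next == head)
            return 0;
        n = next;
    }
    return -1;
}

/* Stand-in for ClientRec with only the fields the loop touches (invented). */
typedef struct {
    int index;
    int clientGone;
    struct xlist output_pending;
} Client;

/* Stand-in for FlushClient: pretend everything was written and drop the
 * client from the pending list. Unlinking the current entry is what the
 * _safe variant of the iterator exists for. */
static int flush_client(Client *c)
{
    xlist_del(&c->output_pending);
    return 1;
}

/* Same shape as the FlushAllOutput loop quoted above; returns clients flushed. */
static int flush_all_output(struct xlist *pending)
{
    Client *client, *tmp;
    int flushed = 0;
    xlist_for_each_entry_safe(client, tmp, pending, output_pending) {
        if (client->clientGone)
            continue;
        flushed += flush_client(client);
    }
    return flushed;
}

static void build(struct xlist *head, Client *c, int n)
{
    xlist_init(head);
    for (int i = 0; i < n; i++) {
        c[i].index = i;
        c[i].clientGone = 0;
        xlist_add_tail(&c[i].output_pending, head);
    }
}

/* Well-formed list of three clients, one marked gone: checker passes, two flushed. */
static int demo_valid(void)
{
    struct xlist head;
    Client c[3];
    build(&head, c, 3);
    c[1].clientGone = 1;
    if (xlist_check(&head, 3) != 0)
        return -1;
    return flush_all_output(&head);
}

/* Client 1 is torn down while still linked. The checker reports link 2;
 * running flush_all_output here instead would read client->output_pending.next
 * through a zeroed node and fault near address 0, so we do not iterate. */
static int demo_corrupted(void)
{
    struct xlist head;
    Client c[3];
    build(&head, c, 3);
    memset(&c[1], 0, sizeof c[1]); /* constructed corruption, not a real xorg code path */
    return xlist_check(&head, 3);
}

int main(void)
{
    printf("valid list: flushed %d clients\n", demo_valid());
    printf("corrupted list: first bad link at position %d\n", demo_corrupted());
    return 0;
}
```

The checker costs one extra pass over the list, so it is a debugging aid to run from an assert or a debugger breakpoint before the loop, not something to leave in a hot path. It only catches links that are NULL or do not point back; a node that was freed and reused by an allocation of the same shape would still look consistent, which is why "no trivial reproducer" is the expected situation with this class of bug.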

