Null pointer deref in FlushAllOutput with 1.19-rc1 ?
Olivier Fourdan
ofourdan at redhat.com
Fri Oct 21 11:52:52 UTC 2016
Hi,
> Multiple Fedora 25 users running 1.19-rc1 are reporting a backtrace
> related to an InitFonts -> SendErrorToClient -> FlushAllOutput
> call chain.
>
> Since there is no trivial reproducer this is somewhat hard to debug,
> hence this mail. Anyone have a clue / hint ? See:
>
> https://bugzilla.redhat.com/show_bug.cgi?id=1382444
Actually, I think we cannot really trust the symbols from Xorg's own generated backtrace, however, looking at the addresses, the sequence makes some more sense:
FlushAllOutput() in /usr/src/debug/xorg-server-20160929/os/io.c:612
Dispatch() in /usr/src/debug/xorg-server-20160929/dix/dispatch.c:3491
dix_main() in /usr/src/debug/xorg-server-20160929/dix/main.c:296
with /usr/src/debug/xorg-server-20160929/os/io.c:612
612     xorg_list_for_each_entry_safe(client, tmp, &output_pending_clients, output_pending) {
613         if (client->clientGone)
614             continue;
615         if (!client_is_ready(client)) {
616             oc = (OsCommPtr) client->osPrivate;
617             (void) FlushClient(client, oc, (char *) NULL, 0);
618         } else
619             NewOutputPending = TRUE;
620     }
So it could be that output_pending_clients list got corrupted somehow.
Not sure I can go much further than that with so little data, but if that rings a bell with someone else...
Cheers,
Olivier
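As an added illustration (not xorg-server code and not part of the thread), the snippet below rebuilds the shape of the loop above on a minimal intrusive list modelled on xorg_list's API, and adds a bounded link-consistency check of the kind one would run on output_pending_clients before the walk when corruption is suspected. All names (xlist, xlist_check, drop_gone_clients, struct client) are assumptions for the example.

```c
/* Added example (not xorg-server code): a minimal intrusive list in the style of
 * xorg_list, plus an integrity check to run when corruption of a list such as
 * output_pending_clients is suspected. All names here are assumptions. */
#include <stddef.h>
#include <stdio.h>
struct xlist { struct xlist *next, *prev; };
static void xlist_init(struct xlist *h) { h->next = h->prev = h; }
static void xlist_add(struct xlist *n, struct xlist *h) {   /* insert right after h */
    n->next = h->next; n->prev = h; h->next->prev = n; h->next = n;
}
static void xlist_del(struct xlist *n) {   /* unlink and self-link, like xorg_list_del */
    n->prev->next = n->next; n->next->prev = n->prev; n->next = n->prev = n;
}
#define xlist_entry(p, type, member) ((type *)((char *)(p) - offsetof(type, member)))
/* "_safe" walk: the next entry is cached, so the body may unlink the current one */
#define xlist_for_each_entry_safe(pos, tmp, head, member)                        \
    for (pos = xlist_entry((head)->next, __typeof__(*pos), member),              \
         tmp = xlist_entry(pos->member.next, __typeof__(*pos), member);          \
         &pos->member != (head);                                                 \
         pos = tmp, tmp = xlist_entry(pos->member.next, __typeof__(*pos), member))
/* Verify every node's forward and backward links agree, and bound the walk so a
 * corrupted next pointer cannot spin forever. Returns the node count, or -1. */
static long xlist_check(const struct xlist *head, long max_nodes) {
    long n = 0;
    for (const struct xlist *p = head->next; p != head; p = p->next) {
        if (p == NULL || p->next == NULL || p->prev == NULL ||
            p->next->prev != p || p->prev->next != p || ++n > max_nodes)
            return -1;
    }
    return n;
}
struct client { int id; int gone; struct xlist pending; };
/* Same shape as the FlushAllOutput loop: walk the pending list and unlink
 * clients already marked gone instead of touching their state. */
static long drop_gone_clients(struct xlist *head) {
    struct client *c, *tmp;
    long dropped = 0;
    xlist_for_each_entry_safe(c, tmp, head, pending)
        if (c->gone) { xlist_del(&c->pending); dropped++; }
    return dropped;
}
int main(void) {   /* constructed three-client list; client 2 is already gone */
    struct xlist head; struct client a = {1, 0}, b = {2, 1}, c = {3, 0};
    xlist_init(&head); xlist_add(&a.pending, &head); xlist_add(&b.pending, &head); xlist_add(&c.pending, &head);
    printf("intact: %ld nodes\n", xlist_check(&head, 16));            /* 3 */
    printf("dropped: %ld\n", drop_gone_clients(&head));                /* 1 */
    a.pending.prev = &b.pending;   /* constructed corruption: a stale back-link */
    printf("after corruption: %ld\n", xlist_check(&head, 16));        /* -1 */
    return 0;
}
```

The check only catches broken next/prev agreement and runaway walks; a node whose memory was freed but left linked in the list is not distinguishable this way, which is why a debug build with an allocator that poisons freed memory is the usual next step.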