Null pointer deref in FlushAllOutput with 1.19-rc1 ?
Olivier Fourdan
ofourdan at redhat.com
Thu Oct 27 07:09:37 UTC 2016
Hi
> > Multiple Fedora 25 users running 1.19-rc1 are reporting a backtrace
> > related to an InitFonts -> SendErrorToClient -> FlushAllOutput
> > call chain.
> >
> > Since there is no trivial reproducer this is somewhat hard to debug,
> > hence this mail. Anyone have a clue / hint ? See:
> >
> > https://bugzilla.redhat.com/show_bug.cgi?id=1382444
>
> Actually, I think we cannot really trust the symbols from Xorg's own
> generated backtrace, however, looking at the addresses, the sequence makes
> some more sense:
>
> FlushAllOutput() in /usr/src/debug/xorg-server-20160929/os/io.c:612
> Dispatch() in /usr/src/debug/xorg-server-20160929/dix/dispatch.c:3491
> dix_main() in /usr/src/debug/xorg-server-20160929/dix/main.c:296
>
> with /usr/src/debug/xorg-server-20160929/os/io.c:612
>
> 612     xorg_list_for_each_entry_safe(client, tmp, &output_pending_clients,
>                                       output_pending) {
> 613         if (client->clientGone)
> 614             continue;
> 615         if (!client_is_ready(client)) {
> 616             oc = (OsCommPtr) client->osPrivate;
> 617             (void) FlushClient(client, oc, (char *) NULL, 0);
> 618         } else
> 619             NewOutputPending = TRUE;
> 620     }
>
> So it could be that output_pending_clients list got corrupted somehow.
>
> Not sure I can go much further than that with so little data, but if that
> rings a bell with someone else...
Some more reports, all pointing to FlushAllOutput() with different backtraces, e.g.:
#6 FlushClient at io.c:938
#7 WriteToClient at io.c:768
#8 WriteEventsToClient at events.c:6000
#9 present_send_complete_notify at present_event.c:172
#10 present_vblank_notify at present.c:213
#11 present_execute at present.c:771
#12 present_pixmap at present.c:963
#13 present_notify_msc at present.c:1014
#14 proc_present_notify_msc at present_request.c:174
#15 Dispatch at dispatch.c:469
or
#6 FlushClient at io.c:938
#7 WriteToClient at io.c:768
#8 ProcGetScreenSaver at dispatch.c:3163
#9 Dispatch at dispatch.c:469
#10 dix_main at main.c:287
with

792 int
793 FlushClient(ClientPtr who, OsCommPtr oc, const void *__extraBuf, int extraCount)
794 {
...
936
937     if (oco->size > BUFWATERMARK) {
938         free(oco->buf);    <== here
939         free(oco);
940     }
941     else {
942         oco->next = FreeOutputs;
943         FreeOutputs = oco;
944     }
The most important change I see affecting this code is the "Switch server to poll" series; I am not sure how this can be related, though.
Also, I don't see any change between xorg-server-20160929 and current git master, so chances are this is still affecting current git code.
Cheers,
Olivier
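The FlushAllOutput() loop quoted above walks output_pending_clients with the _safe variant, which only protects against unlinking the current entry, not against a ring whose links are already inconsistent. As an added example that is not from this thread or the xorg-server tree, the following C program models that list with its own minimal intrusive ring, adds the integrity check a debug build could run before such a walk, and shows a guarded queueing helper refusing the repeated add that would otherwise rewire the ring (all names, the scenarios and the list sizes are constructed for this example).

```c
#include <stdbool.h>
/* Minimal intrusive ring in the style of xorg-server's include/list.h;
 * all names are this example's own, not the server's. */
struct xlist { struct xlist *next, *prev; };
static void xlist_init(struct xlist *l) { l->next = l->prev = l; }
static void xlist_add(struct xlist *e, struct xlist *head) {
    e->next = head->next; e->prev = head; head->next->prev = e; head->next = e;
}
static void xlist_del(struct xlist *e) {
    e->prev->next = e->next; e->next->prev = e->prev; xlist_init(e);
}
/* Integrity check to run before a walk such as FlushAllOutput's: every link
 * must be mutually consistent (e->next->prev == e && e->prev->next == e) and
 * the ring must close within max_steps. Returns the entry count, or -1. */
static int xlist_check(const struct xlist *head, int max_steps) {
    const struct xlist *e = head;
    int n = 0;
    do {
        if (!e->next || !e->prev || e->next->prev != e || e->prev->next != e)
            return -1;                  /* stale or rewired link */
        e = e->next;
        if (++n > max_steps) return -1; /* never returned to head */
    } while (e != head);
    return n - 1;                       /* head itself is not an entry */
}
/* Stand-in for ClientRec with its output_pending link. */
struct client { struct xlist output_pending; };
static struct xlist output_pending_clients;
/* Guarded queueing: a linked entry is never added a second time, since a
 * repeated add rewires its neighbours and leaves the ring inconsistent. */
static bool output_pending_mark(struct client *c) {
    if (c->output_pending.next != &c->output_pending) return false;
    xlist_add(&c->output_pending, &output_pending_clients);
    return true;
}
/* Constructed scenarios over three pending clients (client 0 added first, so
 * it sits at the tail): 0 plain list; 1 client 1 unlinked with xlist_del;
 * 2 client 0 re-added via the guarded helper; 3 client 0 re-added via raw add. */
static int demo(int scenario) {
    static struct client c[3];
    xlist_init(&output_pending_clients);
    for (int i = 0; i < 3; i++) {
        xlist_init(&c[i].output_pending);
        output_pending_mark(&c[i]);
    }
    if (scenario == 1) xlist_del(&c[1].output_pending);
    if (scenario == 2) output_pending_mark(&c[0]);
    if (scenario == 3) xlist_add(&c[0].output_pending, &output_pending_clients);
    return xlist_check(&output_pending_clients, 16);
}
```

Scenario 3 is the case the check exists for: the walk would still start, but the tail entry's next pointer no longer leads back to the head, and the check reports it before anything is dereferenced or freed.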