Null pointer deref in FlushAllOutput with 1.19-rc1 ?

Olivier Fourdan ofourdan at redhat.com
Thu Oct 27 07:09:37 UTC 2016


Hi

> > Multiple Fedora 25 users running 1.19-rc1 are reporting a backtrace
> > related to an InitFonts -> SendErrorToClient -> FlushAllOutput
> > call chain.
> > 
> > Since there is no trivial reproducer this is somewhat hard to debug,
> > hence this mail. Anyone have a clue / hint? See:
> > 
> > https://bugzilla.redhat.com/show_bug.cgi?id=1382444
> 
> Actually, I think we cannot really trust the symbols from Xorg's own
> generated backtrace, however, looking at the addresses, the sequence makes
> some more sense:
> 
>   FlushAllOutput() in /usr/src/debug/xorg-server-20160929/os/io.c:612
>   Dispatch() in /usr/src/debug/xorg-server-20160929/dix/dispatch.c:3491
>   dix_main() in /usr/src/debug/xorg-server-20160929/dix/main.c:296
> 
> with /usr/src/debug/xorg-server-20160929/os/io.c:612
> 
>  612     xorg_list_for_each_entry_safe(client, tmp, &output_pending_clients, output_pending) {
>  613         if (client->clientGone)
>  614             continue;
>  615         if (!client_is_ready(client)) {
>  616             oc = (OsCommPtr) client->osPrivate;
>  617             (void) FlushClient(client, oc, (char *) NULL, 0);
>  618         } else
>  619             NewOutputPending = TRUE;
>  620     }
> 
> So it could be that output_pending_clients list got corrupted somehow.
> 
> Not sure I can go much further than that with so little data, but if that
> rings a bell with someone else...

Some more reports all pointing to FlushAllOutput() with different backtraces, e.g.:

 #6 FlushClient at io.c:938
 #7 WriteToClient at io.c:768
 #8 WriteEventsToClient at events.c:6000
 #9 present_send_complete_notify at present_event.c:172
 #10 present_vblank_notify at present.c:213
 #11 present_execute at present.c:771
 #12 present_pixmap at present.c:963
 #13 present_notify_msc at present.c:1014
 #14 proc_present_notify_msc at present_request.c:174
 #15 Dispatch at dispatch.c:469

or 

 #6 FlushClient at io.c:938
 #7 WriteToClient at io.c:768
 #8 ProcGetScreenSaver at dispatch.c:3163
 #9 Dispatch at dispatch.c:469
 #10 dix_main at main.c:287

with 

 792 int
 793 FlushClient(ClientPtr who, OsCommPtr oc, const void *__extraBuf, int extraCount)
 794 {
 ...

 936 
 937     if (oco->size > BUFWATERMARK) {
 938         free(oco->buf);  <== here
 939         free(oco);
 940     }
 941     else {
 942         oco->next = FreeOutputs;
 943         FreeOutputs = oco;
 944     }

The most important change I see affecting this code is the "Switch server to poll" series; I am not sure how this can be related, though.

Also, I don't see any change between xorg-server-20160929 and current git master, so chances are this is still affecting current git code.

Cheers,
Olivier
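As an added illustration (not code from this thread or from the X server), here is a simplified re-implementation of the intrusive-list walk that FlushAllOutput() does over output_pending_clients: the `_safe` form caches the next pointer before running the body, so it tolerates unlinking the entry currently being visited, but not a body (or a callback it triggers) that unlinks the entry it has already cached, which is one way a walk of that list could run onto a stale node.

```c
#include <stddef.h>

/* Minimal intrusive circular list in the style of xorg's list.h
 * (a re-implementation for this example, not the server's own code). */
struct node { struct node *next, *prev; };

static void list_init(struct node *h) { h->next = h; h->prev = h; }

static void list_add_tail(struct node *h, struct node *n)
{
    n->next = h; n->prev = h->prev; h->prev->next = n; h->prev = n;
}

/* Like xorg_list_del(): unlink, then point the node at itself. */
static void list_del(struct node *n)
{
    n->prev->next = n->next; n->next->prev = n->prev; list_init(n);
}

struct client { int id; struct node pending; };
#define WALK_LIMIT 32   /* bail out instead of spinning on a stale entry */

/* Walks `head` the way xorg_list_for_each_entry_safe() does: the next
 * pointer is cached before the body runs. While visiting `at`, the body
 * unlinks `victim` (NULL = unlink nothing), standing in for a callback that
 * tears down some other client. Returns the number of entries visited, or
 * -1 if the walk never returns to `head` (it ran onto an unlinked node). */
static int walk_safe(struct node *head, struct client *at, struct client *victim)
{
    int visited = 0;
    struct node *cur = head->next, *tmp = cur->next;
    while (cur != head) {
        struct client *c = (struct client *)((char *)cur - offsetof(struct client, pending));
        if (++visited > WALK_LIMIT) return -1;
        if (c == at && victim) list_del(&victim->pending);
        cur = tmp; tmp = cur->next;   /* advance from the cached pointer */
    }
    return visited;
}

/* Three-client list (constructed sample); at_idx/victim_idx say which client
 * is being visited when which one gets unlinked (-1 = none). */
int demo(int at_idx, int victim_idx)
{
    struct node head;
    struct client cl[3];
    list_init(&head);
    for (int i = 0; i < 3; i++) { cl[i].id = i; list_add_tail(&head, &cl[i].pending); }
    return walk_safe(&head, at_idx < 0 ? NULL : &cl[at_idx],
                     victim_idx < 0 ? NULL : &cl[victim_idx]);
}
```

Unlinking the current entry (demo(0, 0)) still visits all three clients, whereas unlinking the cached next entry (demo(0, 1)) leaves the walk stuck on a node that now points at itself, which is the kind of corruption the quoted loop cannot detect on its own.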