os: Don't crash in AttendClient if the client is gone
If a client is in the process of being closed down, then its client->osPrivate
pointer will be set to NULL by CloseDownConnection. This can cause a crash if
freeing the client's resources results in a call to AttendClient. For example,
if the client has a pending sync fence:
Thread 1 "X" received signal SIGSEGV, Segmentation fault.
AttendClient (client=0x5571c4aed9a0) at ../os/connection.c:942
(gdb) bt
#0 AttendClient (client=0x5571c4aed9a0) at ../os/connection.c:942
#1 0x00005571c3dbb865 in SyncAwaitTriggerFired (pTrigger=<optimized out>) at ../Xext/sync.c:694
#2 0x00005571c3dd5749 in miSyncDestroyFence (pFence=0x5571c5063980) at ../miext/sync/misync.c:120
#3 0x00005571c3dbbc69 in FreeFence (obj=<optimized out>, id=<optimized out>) at ../Xext/sync.c:1909
#4 0x00005571c3d7a01d in doFreeResource (res=0x5571c506e3d0, skip=skip@entry=0) at ../dix/resource.c:880
#5 0x00005571c3d7b1dc in FreeClientResources (client=0x5571c4aed9a0) at ../dix/resource.c:1146
#6 FreeClientResources (client=0x5571c4aed9a0) at ../dix/resource.c:1109
#7 0x00005571c3d5525f in CloseDownClient (client=0x5571c4aed9a0) at ../dix/dispatch.c:3473
#8 0x00005571c3d55eeb in Dispatch () at ../dix/dispatch.c:492
#9 0x00005571c3d59e96 in dix_main (argc=3, argv=0x7ffe7854bc28, envp=<optimized out>) at ../dix/main.c:276
#10 0x00007fea4837cb6b in __libc_start_main (main=0x5571c3d1d060 <main>, argc=3, argv=0x7ffe7854bc28, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7ffe7854bc18) at ../csu/libc-start.c:308
#11 0x00005571c3d1d09a in _start () at ../Xext/sync.c:2378
(gdb) print client->osPrivate
$1 = (void *) 0x0
Since the client is about to be freed, its ignore count doesn't matter and
AttendClient can simply be a no-op. Check for client->clientGone in AttendClient
and remove similar checks from two callers that had them.
Signed-off-by: Aaron Plattner <aplattner@nvidia.com>
(cherry picked from commit 4308f5d3d1
)
This commit is contained in:
parent
68cfee97bc
commit
2edadf26f1
|
@ -125,8 +125,7 @@ ClientSleepUntil(ClientPtr client,
|
|||
static void
|
||||
ClientAwaken(ClientPtr client, void *closure)
|
||||
{
|
||||
if (!client->clientGone)
|
||||
AttendClient(client);
|
||||
AttendClient(client);
|
||||
}
|
||||
|
||||
static int
|
||||
|
|
|
@ -662,14 +662,7 @@ ClientWakeup(ClientPtr client)
|
|||
if (q->client == client) {
|
||||
*prev = q->next;
|
||||
free(q);
|
||||
if (client->clientGone)
|
||||
/* Oops -- new zombie cleanup code ensures this only
|
||||
* happens from inside CloseDownClient; don't want to
|
||||
* recurse here...
|
||||
*/
|
||||
/* CloseDownClient(client) */ ;
|
||||
else
|
||||
AttendClient(client);
|
||||
AttendClient(client);
|
||||
break;
|
||||
}
|
||||
prev = &q->next;
|
||||
|
|
|
@ -935,6 +935,14 @@ AttendClient(ClientPtr client)
|
|||
{
|
||||
OsCommPtr oc = (OsCommPtr) client->osPrivate;
|
||||
|
||||
if (client->clientGone) {
|
||||
/*
|
||||
* client is gone, so any pending requests will be dropped and its
|
||||
* ignore count doesn't matter.
|
||||
*/
|
||||
return;
|
||||
}
|
||||
|
||||
client->ignoreCount--;
|
||||
if (client->ignoreCount)
|
||||
return;
|
||||
|
|
|
@ -2362,9 +2362,9 @@ RecordDisableContext(RecordContextPtr pContext)
|
|||
if (!pContext->pRecordingClient->clientGone) {
|
||||
RecordAProtocolElement(pContext, NULL, XRecordEndOfData, NULL, 0, 0, 0);
|
||||
RecordFlushReplyBuffer(pContext, NULL, 0, NULL, 0);
|
||||
/* Re-enable request processing on this connection. */
|
||||
AttendClient(pContext->pRecordingClient);
|
||||
}
|
||||
/* Re-enable request processing on this connection. */
|
||||
AttendClient(pContext->pRecordingClient);
|
||||
|
||||
for (pRCAP = pContext->pListOfRCAP; pRCAP; pRCAP = pRCAP->pNextRCAP) {
|
||||
RecordUninstallHooks(pRCAP, 0);
|
||||
|
|
Loading…
Reference in New Issue