If RemoveBlockAndWakeupHandlers is called within a BlockHandler or WakeupHandler for a handler other than the one it's being called from, X marks the other handler as deleted but never checks whether handlers are deleted before calling them. This is unfortunately common due to config/udev, which will remove input devices from its own handler - and those input device drivers may well have handlers of their own that need to be removed. The end result is the removed handler gets called, with data that's been freed, and the X server segfaults underneath WakeupHandler or BlockHandler due to a bad pointer dereference.
Created attachment 47973: [PATCH] dix: avoid calling deleted block and wakeup handlers
commit 2ee85d954c8f3a6affbd9b1b745594ff12e8b670
Author: Scott James Remnant <scott@netsplit.com>
Date:   Tue Jun 14 16:36:07 2011 -0700

    dix: avoid calling deleted block and wakeup handlers

    BlockHandler and WakeupHandlers may be removed within a different
    BlockHandler or WakeupHandler, especially since config/udev uses these
    and removes devices. Calling the deleted handlers and passing potentially
    freed data can result in the X server segfaulting after device removal,
    or events that result in device removal such as undocking or
    suspend/resume.

    Signed-off-by: Scott James Remnant <scott@netsplit.com>
    Reviewed-by: Daniel Stone <daniel@fooishbar.org>
    Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
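The failure mode in the report and the fix in the commit above come down to one pattern: a handler list that is walked while one of its own entries removes another. The added example below is not the X server's code; it is a self-contained model of that pattern, with hypothetical names (AddHandler, RemoveHandler, RunHandlers, Compact), showing the tombstone-and-defer approach: removal during a walk only marks the entry, the walker skips marked entries (the `deleted` check the commit adds), and the array is compacted once the walk is over. The constructed scenario registers a udev-like handler that removes and frees a device handler's data, which is exactly the case that previously dereferenced freed memory.

```c
#include <assert.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical handler registry modelled on the situation in the bug report
 * (not the X server's dix code): entries removed during a walk are tombstoned
 * and compacted only after the walk finishes. */

typedef void (*HandlerProc)(void *data);

typedef struct {
    HandlerProc proc;
    void *data;
    int deleted;   /* tombstone: set when removed while a walk is in progress */
} Handler;

#define MAX_HANDLERS 16
static Handler handlers[MAX_HANDLERS];
static int numHandlers = 0;
static int inHandler = 0;       /* nonzero while RunHandlers is walking the list */
static int handlerDeleted = 0;  /* a tombstone exists; compact after the walk */

int AddHandler(HandlerProc proc, void *data)
{
    if (numHandlers >= MAX_HANDLERS)
        return 0;
    handlers[numHandlers].proc = proc;
    handlers[numHandlers].data = data;
    handlers[numHandlers].deleted = 0;
    numHandlers++;
    return 1;
}

void RemoveHandler(HandlerProc proc, void *data)
{
    for (int i = 0; i < numHandlers; i++) {
        if (handlers[i].proc == proc && handlers[i].data == data) {
            if (inHandler) {
                /* Shifting the array under a walk in progress would make the
                 * walker skip or re-run entries; mark it instead. */
                handlers[i].deleted = 1;
                handlerDeleted = 1;
            } else {
                memmove(&handlers[i], &handlers[i + 1],
                        (size_t)(numHandlers - i - 1) * sizeof(Handler));
                numHandlers--;
            }
            return;
        }
    }
}

/* Drop tombstoned entries; only called when no walk is in progress. */
static void Compact(void)
{
    int j = 0;
    for (int i = 0; i < numHandlers; i++)
        if (!handlers[i].deleted)
            handlers[j++] = handlers[i];
    numHandlers = j;
    handlerDeleted = 0;
}

/* The `deleted` check is the point of the fix: a handler removed by an
 * earlier handler in the same walk must never be called with its freed data. */
void RunHandlers(void)
{
    inHandler++;
    for (int i = 0; i < numHandlers; i++)
        if (!handlers[i].deleted)
            handlers[i].proc(handlers[i].data);
    inHandler--;
    if (!inHandler && handlerDeleted)
        Compact();
}

/* Constructed scenario: a device whose handler and data are torn down by a
 * preceding udev-like handler during the same walk. */
typedef struct { int calls; } Device;

static Device *victim;
static int victimCalls;   /* must remain 0: the device handler is never run */

static void DeviceHandler(void *data)
{
    Device *d = data;
    victimCalls++;
    d->calls++;           /* would be a use-after-free if reached post-removal */
}

static void UdevHandler(void *data)
{
    (void)data;
    if (victim) {
        RemoveHandler(DeviceHandler, victim);   /* inHandler: tombstoned */
        free(victim);
        victim = NULL;
    }
}

/* Returns 1 when the removed handler was skipped and the list compacted. */
int Scenario(void)
{
    numHandlers = 0;
    victimCalls = 0;
    victim = calloc(1, sizeof(Device));
    AddHandler(UdevHandler, NULL);      /* walks first and removes the device */
    AddHandler(DeviceHandler, victim);  /* registered by the device driver */
    RunHandlers();
    return victimCalls == 0 && numHandlers == 1 && !handlerDeleted;
}
```

Running the scenario with the `deleted` check removed from RunHandlers reproduces the bug class: DeviceHandler runs against memory UdevHandler has already freed. The deferred compaction also keeps the loop index valid, which an in-place memmove during the walk would not.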