The 'Dispatch' function accesses a freed client structure if a client
happens to kill itself in a request. For example, I have a test client
that is used to check that it handles the XIO error correctly. The XIO
error is generated by requesting the client to kill itself with
XKillClient.

We don't have to care about LBX specific functionality anymore because
LBX support has been removed from the server.

Signed-off-by: Rami Ylimäki <rami.ylim...@vincit.fi>
Reviewed-by: Erkki Seppälä <erkki.sepp...@vincit.fi>
Reviewed-by: Jamey Sharp <ja...@minilop.net>
---
Just an older patch that is already reviewed but was never picked.

 dix/dispatch.c |   24 ++++++++++--------------
 1 files changed, 10 insertions(+), 14 deletions(-)

diff --git a/dix/dispatch.c b/dix/dispatch.c
index 44c2433..fced038 100644
--- a/dix/dispatch.c
+++ b/dix/dispatch.c
@@ -3278,21 +3278,17 @@ ProcKillClient(ClientPtr client)
     }
 
     rc = dixLookupClient(&killclient, stuff->id, client, DixDestroyAccess);
-    if (rc == Success) {
-       CloseDownClient(killclient);
-       /* if an LBX proxy gets killed, isItTimeToYield will be set */
-       if (isItTimeToYield || (client == killclient))
-       {
-           /* force yield and return Success, so that Dispatch()
-            * doesn't try to touch client
-            */
-           isItTimeToYield = TRUE;
-           return Success;
-       }
-       return Success;
+    if (rc == Success)
+    {
+        if (client == killclient)
+        {
+            MarkClientException(client);
+            isItTimeToYield = TRUE;
+        }
+        else
+            CloseDownClient(killclient);
     }
-    else
-       return rc;
+    return rc;
 }
 
 int
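
Review bot: The `client == killclient` branch drops the old comment that explained the forced yield and now has no comment saying why the self-kill is deferred instead of calling CloseDownClient() directly. A short comment there, noting that the client is only marked with MarkClientException() and that isItTimeToYield is set so the caller can close it after the request has returned, would keep the use-after-free rationale next to the code. The hunk does not show where the marked client is actually closed, so it is worth stating in that comment or in the commit message which path in Dispatch() does it. The braceless `else` paired with a braced `if` is also easy to misread; bracing both arms would be safer.
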
-- 
1.7.4.1

_______________________________________________
xorg-devel@lists.x.org: X.Org development
Archives: http://lists.x.org/archives/xorg-devel
Info: http://lists.x.org/mailman/listinfo/xorg-devel
