
NULL deref in meta_x11_display_logical_monitor_to_xinerama_index #817

@t34-dev

Description

Summary

Muffin 6.6.3 segfaults in meta_x11_display_logical_monitor_to_xinerama_index when the method is invoked via D-Bus/GJS after DPMS display wake on a dual-monitor X11 NVIDIA setup. Crash is 100% reproducible and has occurred 6 times over 5 days, all with identical top frame.

Environment

  • Linux Mint 22.3 (Zena), kernel 6.17.0-19-generic
  • Cinnamon 6.6.7 (X11 session)
  • Muffin 6.6.3
  • cjs 115.1
  • GPU: NVIDIA GeForce RTX 3090 Ti, proprietary driver 580.126.09
  • Monitors: 2× 2560×1440 (HDMI-0 + DP-0, Xinerama)
  • No third-party applets/desklets/extensions (user dirs empty)
  • Enabled applets are all stock @cinnamon.org

Crash signature

All 6 crashes share an identical top frame:

#0  meta_x11_display_logical_monitor_to_xinerama_index (libmuffin.so.0 + 0xa720e)
#1  ffi_call                                           (libffi.so.8)
#4  Gjs::Function::invoke                              (libcjs.so.0)
#30 Gjs::Closure::marshal                              (libcjs.so.0)
#31 g_closure_invoke                                   (libgobject-2.0.so.0)
#35 g_signal_emit                                      (libgobject-2.0.so.0)
#36 gjs_dbus_implementation_method_call                (libcjs.so.0)
#41 g_main_loop_run                                    (libglib-2.0.so.0)
#42 meta_run                                           (libmuffin.so.0 + 0xb5aef)
#43 main                                               (cinnamon + 0x2b0c)

Kernel log:

cinnamon[2208]: segfault at 0 ip 0x…4274520e sp 0x…541660f0 error 4
  in libmuffin.so.0.0.0[a720e,…426e0000+f8000]

error 4 + fault addr 0 ⇒ user-mode read of a NULL pointer during an instruction sequence in meta_x11_display_logical_monitor_to_xinerama_index. Disassembly around the faulting IP (from dmesg):

Code: 8b 7c 24 48 89 de e8 e1 9b fa ff 48 8b 18 48 85 db 74 43
      49 8b 7d 18 e8 50 6d 03 00 8b 35 1e 78 0f 00 48 89 df
      e8 a2 39 fa ff <8b> 00 48 83 c4 08 …

The mov (%rax),%eax at the fault site (<8b> 00) suggests the function dereferences a pointer returned by the preceding call on a logical-monitor lookup without checking for NULL.

Trigger

Crash consistently fires shortly after a DPMS wake (monitor was blanked by sleep-display-ac=1800; no full system suspend involved). At wake time a notification is emitted by another process on D-Bus — in the most recent case the Solaar / BlueZ notification "MX Master 3S — Connection established, 65%". The notification pipeline calls into Muffin via GJS to resolve the target monitor; the lookup returns NULL and Muffin dereferences it.

Once Cinnamon dies, cinnamon-session relaunches into fallback mode ("Cinnamon прервал свою работу некорректно / Вы сейчас работаете в аварийном режиме").

Reproduction

  1. Dual-monitor X11 session, NVIDIA proprietary driver.
  2. Let display blank via DPMS (sleep-display-ac).
  3. Wake display by mouse movement (Bluetooth mouse that fires a reconnect notification helps reproduce).
  4. Cinnamon segfaults; session is dropped into fallback mode.

Frequency

6 crashes from 2026-04-16 to 2026-04-21 per coredumpctl list:

Thu 2026-04-16 17:49:25 MSK  PID 2139   SIGSEGV  /usr/bin/cinnamon
Thu 2026-04-16 20:24:15 MSK  PID 2159   SIGSEGV  /usr/bin/cinnamon
Fri 2026-04-17 15:43:36 MSK  PID 2108   SIGSEGV  /usr/bin/cinnamon
Fri 2026-04-17 16:52:20 MSK  PID 13141  SIGSEGV  /usr/bin/cinnamon
Fri 2026-04-17 19:32:12 MSK  PID 22130  SIGSEGV  /usr/bin/cinnamon
Tue 2026-04-21 15:23:48 MSK  PID 2208   SIGSEGV  /usr/bin/cinnamon

All have the identical top frame meta_x11_display_logical_monitor_to_xinerama_index.

Suspected cause

Race between X11 RandR / DPMS monitor state (temporarily no active logical monitor during wake under NVIDIA) and D-Bus calls that arrive during that window. Muffin's meta_x11_display_logical_monitor_to_xinerama_index appears to not handle a NULL logical-monitor result, returning or dereferencing a NULL pointer.

Suggested fix

Add a NULL check on the logical-monitor result in meta_x11_display_logical_monitor_to_xinerama_index and return a sentinel (e.g. -1) instead of dereferencing. That would at least prevent the WM from dying on a routine lookup during the DPMS-wake window.

Workarounds tested

  • Disabling sleep-display-ac (DPMS never engages) removes the trigger window.
  • Ctrl+Alt+Esc (cinnamon-killer-daemon) can recover the session without going through the fallback dialog.

Happy to provide the full core dump (25 MiB, zstd) or additional traces on request.
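The "Kernel log" section above reads `segfault at 0 ... error 4` as a user-mode read of a NULL pointer. The following Python helper, added here as an example and not part of the issue or of Muffin, does that decoding mechanically: it parses the x86-64 kernel's `segfault at A ip I sp S error E in lib[off,base+size]` line format, decodes the page-fault error bits, extracts the file offset of the faulting instruction, and keeps only faults in the zero page. The sample lines are constructed with made-up addresses (the report elides its own); the file-offset field is the number that the `libmuffin.so.0 + 0xa720e` stack frame also shows.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample lines in the x86-64 kernel's segfault format (the report elides its own
# addresses); "in lib[off,base+size]" gives ip's file offset, the mapping base and its length.
SAMPLE_DMESG = [
    "cinnamon[2208]: segfault at 0 ip 00007f1a4274520e sp 00007ffc541660f0 "
    "error 4 in libmuffin.so.0.0.0[a720e,7f1a426e0000+f8000]",
    "demo[4242]: segfault at 7f0000001234 ip 00005555aaaa1000 sp 00007ffd00000000 "
    "error 6 in libdemo.so[1000,5555aaaa0000+20000]",
]
SEGFAULT_RE = re.compile(
    r"(?P<comm>\S+)\[\d+\]: segfault at (?P<addr>[0-9a-f]+) ip (?P<ip>[0-9a-f]+) "
    r"sp [0-9a-f]+ error (?P<err>\d+)"
    r"(?: in (?P<mod>[^\[\s]+)\[(?P<off>[0-9a-f]+),[0-9a-f]+\+[0-9a-f]+\])?"
)
# x86 page-fault error code bits (arch/x86/include/asm/trap_pf.h); "error 4" is PF_USER alone.
PF_PROT, PF_WRITE, PF_USER, PF_INSTR = 1, 2, 4, 16

@dataclass
class Segfault:
    comm: str
    addr: int
    ip: int
    err: int
    module: Optional[str]
    file_offset: Optional[int]  # offset of ip inside the mapped file; None when unmapped

    def access(self) -> str:
        """Decode the error code: error 4 -> 'user-mode read, not-present page'."""
        mode = "user-mode" if self.err & PF_USER else "kernel-mode"
        kind = "fetch" if self.err & PF_INSTR else "write" if self.err & PF_WRITE else "read"
        page = "protection violation" if self.err & PF_PROT else "not-present page"
        return f"{mode} {kind}, {page}"

    def is_null_deref(self) -> bool:
        # The lowest page is never mapped in user space: a fault there is NULL (+ small offset).
        return self.addr < 4096

def parse_segfault(line: str) -> Optional[Segfault]:
    m = SEGFAULT_RE.search(line)
    if not m:
        return None
    return Segfault(m["comm"], int(m["addr"], 16), int(m["ip"], 16), int(m["err"]),
                    m["mod"], int(m["off"], 16) if m["off"] else None)

def triage(lines):
    # Keep only NULL dereferences as (comm, module, file offset, decoded access).
    found = [parse_segfault(line) for line in lines]
    return [(s.comm, s.module, s.file_offset, s.access()) for s in found if s and s.is_null_deref()]
```

Feeding real `dmesg` or `journalctl -k` output through `triage` groups recurring crashes by module and file offset, which is enough to confirm that repeated dumps share one faulting instruction before pulling a full core.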
