I have a usb-keyboard attached to my desktop machine, and noticed that removing the keyboard dongle (keyboard itself is wireless) and reattaching it causes a double free error.

Software versions:
x11-libs/libdrm-2.4.16
media-libs/mesa-7.7_rc2 USE="nptl xcb -debug -gallium -motif -pic"
x11-base/xorg-server-1.7.3.901 USE="hal ipv6 nptl sdl xorg -debug -dmx -kdrive -minimal -tslib"
x11-drivers/xf86-video-intel-2.9.1
x11-drivers/xf86-input-evdev-2.3.1
Linux sol 2.6.32 #49 SMP

Although it doesn't seem to be the right place to report it, I just followed the trace:

[snip]
Program received signal SIGABRT, Aborted.
0x00007fb2ca3241b5 in *__GI_raise (sig=<value optimized out>) at ../nptl/sysdeps/unix/sysv/linux/raise.c:64
64 ../nptl/sysdeps/unix/sysv/linux/raise.c: No such file or directory.
in ../nptl/sysdeps/unix/sysv/linux/raise.c
(gdb) bt
#0 0x00007fb2ca3241b5 in *__GI_raise (sig=<value optimized out>) at ../nptl/sysdeps/unix/sysv/linux/raise.c:64
#1 0x00007fb2ca3255e0 in *__GI_abort () at abort.c:92
#2 0x00007fb2ca35ee77 in __libc_message (do_abort=<value optimized out>, fmt=<value optimized out>) at ../sysdeps/unix/sysv/linux/libc_fatal.c:186
#3 0x00007fb2ca364406 in malloc_printerr (action=3, str=0x7fb2ca412bf0 "double free or corruption (!prev)", ptr=<value optimized out>) at malloc.c:6264
#4 0x00007fb2ca3691ac in *__GI___libc_free (mem=<value optimized out>) at malloc.c:3738
#5 0x00007fb2c8916231 in drm_intel_gem_bo_unreference_final (bo=0x2a23d10, time=410) at intel_bufmgr_gem.c:790
#6 0x00007fb2c89161fb in drm_intel_gem_bo_unreference_locked_timed (bo=0x2a23dc0, time=410) at intel_bufmgr_gem.c:825
#7 drm_intel_gem_bo_unreference_final (bo=0x2a23dc0, time=410) at intel_bufmgr_gem.c:778
#8 0x00007fb2c89161fb in drm_intel_gem_bo_unreference_locked_timed (bo=0x2b603f0, time=410) at intel_bufmgr_gem.c:825
#9 drm_intel_gem_bo_unreference_final (bo=0x2b603f0, time=410) at intel_bufmgr_gem.c:778
#10 0x00007fb2c891644e in drm_intel_gem_bo_unreference (bo=0x2b603f0) at intel_bufmgr_gem.c:841
#11 0x00007fb2c8b33fdf in intel_batch_flush (pScrn=0xd491b0, flushed=<value optimized out>) at i830_batchbuffer.c:212
#12 0x00007fb2c8b3fcc8 in I830BlockHandler (i=<value optimized out>, blockData=<value optimized out>, pTimeout=0x7fff617fe768, pReadmask=0x7b9ee0) at i830_driver.c:2190
#13 0x00000000004b8982 in AnimCurScreenBlockHandler (screenNum=<value optimized out>, blockData=<value optimized out>, pTimeout=<value optimized out>, pReadmask=<value optimized out>) at animcur.c:211
#14 0x0000000000490cd4 in compBlockHandler (i=0, blockData=0x0, pTimeout=0x7fff617fe768, pReadmask=<value optimized out>) at compinit.c:166
#15 0x000000000043f515 in BlockHandler (pTimeout=0x7fff617fe768, pReadmask=0x7b9ee0) at dixutils.c:379
#16 0x000000000045cfdc in WaitForSomething (pClientsReady=<value optimized out>) at WaitFor.c:216
#17 0x000000000042c7b9 in Dispatch () at dispatch.c:381
#18 0x000000000042197a in main (argc=9, argv=0x7b91c8, envp=<value optimized out>) at main.c:285
[/snip]
Created attachment 32071: Xorg.0.log

Relevant Xorg.log lines:

[snip]
X.Org X Server 1.7.3.901 (1.7.4 RC 1)
Release Date: 2009-12-11
X Protocol Version 11, Revision 0
Build Operating System: Linux 2.6.32-rc6 x86_64
Current Operating System: Linux sol 2.6.32 #49 SMP Mon Dec 14 20:11:21 EET 2009 x86_64
Kernel command line: root=/dev/sda3 i915.modeset=1
Build Date: 14 December 2009 06:20:58PM
Current version of pixman: 0.17.2
....skipped...
....here I removed the dongle...
(II) config/hal: removing device Logitech USB Receiver
(II) Logitech USB Receiver: Close
(II) UnloadModule: "evdev"
(II) config/hal: removing device Logitech USB Receiver
(II) Logitech USB Receiver: Close
(II) UnloadModule: "evdev"
...Reattached the dongle...
(II) config/hal: Adding input device Logitech USB Receiver
(**) Logitech USB Receiver: always reports core events
(**) Logitech USB Receiver: Device: "/dev/input/event10"
(II) Logitech USB Receiver: Found keys
(II) Logitech USB Receiver: Configuring as keyboard
(II) XINPUT: Adding extended input device "Logitech USB Receiver" (type: KEYBOARD)
(**) Option "xkb_rules" "evdev"
(**) Option "xkb_model" "evdev"
(**) Option "xkb_layout" "us"
(II) config/hal: Adding input device Logitech USB Receiver
(**) Logitech USB Receiver: always reports core events
(**) Logitech USB Receiver: Device: "/dev/input/event11"
(II) Logitech USB Receiver: Found 12 mouse buttons
(II) Logitech USB Receiver: Found scroll wheel(s)
(II) Logitech USB Receiver: Found relative axes
(II) Logitech USB Receiver: Found x and y relative axes
(II) Logitech USB Receiver: Found absolute axes
(II) Logitech USB Receiver: Found keys
(II) Logitech USB Receiver: Configuring as mouse
(II) Logitech USB Receiver: Configuring as keyboard
(**) Logitech USB Receiver: YAxisMapping: buttons 4 and 5
(**) Logitech USB Receiver: EmulateWheelButton: 4, EmulateWheelInertia: 10, EmulateWheelTimeout: 200
(II) XINPUT: Adding extended input device "Logitech USB Receiver" (type: KEYBOARD)
(**) Option "xkb_rules" "evdev"
(**) Option "xkb_model" "evdev"
(**) Option "xkb_layout" "us"
(**) Logitech USB Receiver: (accel) keeping acceleration scheme 1
(**) Logitech USB Receiver: (accel) acceleration profile 0
(II) Logitech USB Receiver: initialized for relative axes.
(WW) Logitech USB Receiver: ignoring absolute axes.
...CRASH...
[/snip]
Created attachment 32072: full-backtrace.txt
if -debug actually turns off debug code, please remove that so that the assertions we've put in the code to catch things actually work.
I actually couldn't reproduce the bug with USE="debug", although while testing I got this backtrace, that looks a bit better:

(gdb) bt full
#0 0x00007f96e189cbf8 in _int_free (av=0x7f96e1b7de60, p=0x21472c0) at malloc.c:4954
        size = 272
        nextchunk = 0x21473d0
        nextsize = 528
        prevsize = <value optimized out>
        bck = 0x0
        fwd = 0x0
        errstr = <value optimized out>
        __func__ = "_int_free"
#1 0x00007f96e18a01ac in *__GI___libc_free (mem=<value optimized out>) at malloc.c:3738
        ar_ptr = 0x7f96e1b7de60
        p = 0x23fd000
#2 0x00000000004e2d16 in SrvXkbFreeServerMap (xkb=0x2168320, what=0, freeMap=37736448) at XKBMAlloc.c:871
No locals.
#3 0x00000000004e4f54 in SrvXkbFreeKeyboard (xkb=0x2168320, which=<value optimized out>, freeAll=1) at XKBAlloc.c:318
No locals.
#4 0x00000000004e7be2 in XkbFreeInfo (xkbi=0x2168250) at xkbInit.c:679
No locals.
#5 0x000000000044a4d9 in FreeDeviceClass (type=<value optimized out>, class=0x0) at devices.c:671
No locals.
#6 0x000000000044a629 in FreeAllDeviceClasses (classes=0x237a7a0) at devices.c:801
No locals.
#7 0x000000000044a73b in CloseDevice (dev=0x237a600) at devices.c:849
        screen = 0x81e250
        j = <value optimized out>
#8 0x000000000044b743 in RemoveDevice (dev=0x237a600, sendevent=1 '\001') at devices.c:996
        prev = <value optimized out>
        tmp = <value optimized out>
        next = 0x0
        ret = <value optimized out>
        screen = <value optimized out>
        deviceid = 7
        initialized = 1
        flags = {0, 0, 0, 0, 0, 0, 0, 8, 0 <repeats 32 times>}
#9 0x0000000000466332 in DeleteInputDeviceRequest (pDev=0x237a600) at xf86Xinput.c:671
        pInfo = 0x232e890
        drv = 0x213d4a0
        idev = 0x237d910
        it = <value optimized out>
        isMaster = 0
---Type <return> to continue, or q <return> to quit---
#10 0x000000000044f495 in remove_device (dev=0x237a600) at hal.c:72
No locals.
#11 0x000000000044f52b in device_removed (ctx=<value optimized out>, udi=<value optimized out>) at hal.c:90
        dev = 0x237a600
        next = 0x0
        value = 0x23068d0 "hal:/org/freedesktop/Hal/devices/usb_device_46d_c50c_noserial_if1_logicaldev_input"
#12 0x00007f96e29b337d in filter_func (connection=0x2138060, message=0x213abd0, user_data=<value optimized out>) at libhal.c:1067
        udi = 0x2198854 "/org/freedesktop/Hal/devices/usb_device_46d_c50c_noserial_if1_logicaldev_input"
        object_path = 0x237bfd8 "/org/freedesktop/Hal/Manager"
        error = {name = 0x0, message = 0x0, dummy1 = 1, dummy2 = 0, dummy3 = 1, dummy4 = 0, dummy5 = 0, padding1 = 0x7f96e360e38b}
        ctx = 0x213b310
#13 0x00007f96e3607d92 in dbus_connection_dispatch (connection=0x2138060) at /home/tmp/portage/sys-apps/dbus-1.3.0-r1/work/dbus-1.3.0/dbus/dbus-connection.c:4558
        filter = <value optimized out>
        next = 0x0
        message = 0x213abd0
        link = <value optimized out>
        filter_list_copy = 0x2137630
        message_link = 0x2137618
        result = <value optimized out>
        status = <value optimized out>
        __FUNCTION__ = "dbus_connection_dispatch"
#14 0x00007f96e3608049 in _dbus_connection_read_write_dispatch (connection=0x2138060, timeout_milliseconds=0, dispatch=1) at /home/tmp/portage/sys-apps/dbus-1.3.0-r1/work/dbus-1.3.0/dbus/dbus-connection.c:3583
        dstatus = DBUS_DISPATCH_DATA_REMAINS
        progress_possible = <value optimized out>
#15 0x000000000044f186 in wakeup_handler (data=0x7af860, err=<value optimized out>, read_mask=0x23fd000) at dbus-core.c:57
No locals.
#16 0x000000000043f789 in WakeupHandler (result=-1, pReadmask=0x7ba020) at dixutils.c:413
        i = 1
#17 0x000000000045d1bc in WaitForSomething (pClientsReady=<value optimized out>) at WaitFor.c:232
        i = 37736448
        waittime = {tv_sec = 9, tv_usec = 710935}
        wt = 0x7fff1547a1c0
        timeout = <value optimized out>
        clientsReadable = {fds_bits = {0 <repeats 16 times>}}
        clientsWritable = {fds_bits = {33558160, 0, 37409008, 0, 37279924, 4343799, 32, 140286005773458, 48, 33558160, 140733193404416, 4562754, 8512080, 33558160, 140733550404012, 140733550403984}}
        selecterr = 4
        nready = <value optimized out>
---Type <return> to continue, or q <return> to quit---
        devicesReadable = {fds_bits = {0 <repeats 16 times>}}
        now = <value optimized out>
        someReady = 0
#18 0x000000000042c7b9 in Dispatch () at dispatch.c:381
        result = <value optimized out>
        client = 0x2000e90
        nready = -1
        start_tick = 700
#19 0x000000000042197a in main (argc=9, argv=0x7b9308, envp=<value optimized out>) at main.c:285
        i = 1
        alwaysCheckForInput = {0, 1}
And relevant Xorg.log

[snip]
Backtrace:
0: /usr/bin/X (xorg_backtrace+0x28) [0x460a54]
1: /usr/bin/X (0x400000+0x62496) [0x462496]
2: /lib/libpthread.so.0 (0x7f96e278c000+0xf000) [0x7f96e279b000]
3: /lib/libc.so.6 (0x7f96e1829000+0x73bf8) [0x7f96e189cbf8]
4: /lib/libc.so.6 (cfree+0x6c) [0x7f96e18a01ac]
5: /usr/bin/X (SrvXkbFreeServerMap+0x110) [0x4e2d16]
6: /usr/bin/X (SrvXkbFreeKeyboard+0x15f) [0x4e4f54]
7: /usr/bin/X (XkbFreeInfo+0xde) [0x4e7be2]
8: /usr/bin/X (0x400000+0x4a4d9) [0x44a4d9]
9: /usr/bin/X (0x400000+0x4a629) [0x44a629]
10: /usr/bin/X (0x400000+0x4a73b) [0x44a73b]
11: /usr/bin/X (RemoveDevice+0x156) [0x44b743]
12: /usr/bin/X (DeleteInputDeviceRequest+0x3f) [0x466332]
13: /usr/bin/X (0x400000+0x4f495) [0x44f495]
14: /usr/bin/X (0x400000+0x4f52b) [0x44f52b]
15: /usr/lib/libhal.so.1 (0x7f96e29a8000+0xb37d) [0x7f96e29b337d]
16: /usr/lib/libdbus-1.so.3 (dbus_connection_dispatch+0x302) [0x7f96e3607d92]
17: /usr/lib/libdbus-1.so.3 (0x7f96e35ff000+0x9049) [0x7f96e3608049]
18: /usr/bin/X (0x400000+0x4f186) [0x44f186]
19: /usr/bin/X (WakeupHandler+0x3e) [0x43f789]
20: /usr/bin/X (WaitForSomething+0x1ce) [0x45d1bc]
21: /usr/bin/X (0x400000+0x2c7b9) [0x42c7b9]
22: /usr/bin/X (0x400000+0x2197a) [0x42197a]
23: /lib/libc.so.6 (__libc_start_main+0xfd) [0x7f96e1847bbd]
24: /usr/bin/X (0x400000+0x21549) [0x421549]
Segmentation fault at address 0x18
[/snip]
that certainly makes more sense. reassigning to the server.
https://bugzilla.redhat.com/show_bug.cgi?id=540584 was just linked to this bug.
Please see the patch on the xorg list for a fix. Testing appreciated. http://lists.freedesktop.org/archives/xorg-devel/2010-January/004908.html
This patch seems to have fixed this issue :) Thanks :D
running with the patch 12 hours so far and have been unable to crash Xorg.
Junji Yamashita confirms in http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=566147 that the patch fixes his crashes with his bluetooth keyboard.
*** Bug 24487 has been marked as a duplicate of this bug. ***
Looks like this patch fixes it. I've been testing it for a couple days without a crash.
Fixed with commit 48f7298657f91843db36566b8d66d6c4c18dbd4c. Thanks to all of you for testing.