Bug 26836 - Memory read error in KMS VT switching
Summary: Memory read error in KMS VT switching
Status: RESOLVED INVALID
Alias: None
Product: xorg
Classification: Unclassified
Component: Driver/Radeon
Version: git
Hardware: x86 (IA32) Linux (All)
Importance: medium normal
Assignee: xf86-video-ati maintainers
QA Contact: Xorg Project Team
 
Reported: 2010-03-02 06:16 UTC by Pauli
Modified: 2018-06-12 19:09 UTC

Description Pauli 2010-03-02 06:16:08 UTC
==25379== Invalid read of size 1
==25379==    at 0x4024CF2: strncpy (mc_replace_strmem.c:329)
==25379==    by 0x516F589: drmmode_set_mode_major (string3.h:122)
==25379==    by 0x5171561: drmmode_set_desired_modes (drmmode_display.c:1274)
==25379==    by 0x516CF47: RADEONEnterVT_KMS (radeon_kms.c:852)
==25379==    by 0x80D93C0: xf86XVEnterVT (xf86xv.c:1228)
==25379==    by 0x80CC653: CMapEnterVT (xf86cmap.c:455)
==25379==    by 0x4C417F3: glxDRIEnterVT (glxdri2.c:520)
==25379==    by 0x80C1BC4: xf86Wakeup (xf86Events.c:634)
==25379==    by 0x8091671: WakeupHandler (dixutils.c:418)
==25379==    by 0x81317F9: WaitForSomething (WaitFor.c:231)
==25379==    by 0x808CEE7: Dispatch (dispatch.c:386)
==25379==    by 0x8072514: main (main.c:397)
==25379==  Address 0x4cd71c8 is not stack'd, malloc'd or (recently) free'd
==25379==
^C ddxSigGiveUp: Closing log


I had a fast look at the code. mode->name looks like it is pointing to an incorrect memory address. Is EnterVT called a long time after X has freed the mode objects?

Valgrind should note that there used to be something at this address even if there were quite a lot of frees and mallocs in between. (This time I used the default, which is 10M.)
Comment 1 Pauli 2010-03-02 06:28:37 UTC
OK. It was real VT switches that caused the read error. And I could capture the free trace too now.

==26198== Invalid read of size 1
==26198==    at 0x4024CF2: strncpy (mc_replace_strmem.c:329)
==26198==    by 0x516F589: drmmode_set_mode_major (string3.h:122)
==26198==    by 0x5171561: drmmode_set_desired_modes (drmmode_display.c:1274)
==26198==    by 0x516CF47: RADEONEnterVT_KMS (radeon_kms.c:852)
==26198==    by 0x80D93C0: xf86XVEnterVT (xf86xv.c:1228)
==26198==    by 0x80CC653: CMapEnterVT (xf86cmap.c:455)
==26198==    by 0x4C417F3: glxDRIEnterVT (glxdri2.c:520)
==26198==    by 0x80C1BC4: xf86Wakeup (xf86Events.c:634)
==26198==    by 0x8091671: WakeupHandler (dixutils.c:418)
==26198==    by 0x81317F9: WaitForSomething (WaitFor.c:231)
==26198==    by 0x808CEE7: Dispatch (dispatch.c:386)
==26198==    by 0x8072514: main (main.c:397)
==26198==  Address 0x4cd71c8 is 0 bytes inside a block of size 9 free'd
==26198==    at 0x4023836: free (vg_replace_malloc.c:325)
==26198==    by 0x8137A70: Xfree (utils.c:1165)
==26198==    by 0x80D28F7: xf86DeleteMode (xf86Mode.c:1795)
==26198==    by 0x80EF6F3: xf86ProbeOutputModes (xf86Crtc.c:1526)
==26198==    by 0x80F759F: xf86RandR12GetInfo12 (xf86RandR12.c:1482)
==26198==    by 0x8164A10: RRGetInfo (rrinfo.c:204)
==26198==    by 0x81695A3: rrGetScreenResources (rrscreen.c:343)
==26198==    by 0x8160D24: ProcRRDispatch (randr.c:483)
==26198==    by 0x808D1AE: Dispatch (dispatch.c:456)
==26198==    by 0x8072514: main (main.c:397)
==26198==
==26198== Invalid read of size 1
==26198==    at 0x4024D08: strncpy (mc_replace_strmem.c:329)
==26198==    by 0x516F589: drmmode_set_mode_major (string3.h:122)
==26198==    by 0x5171561: drmmode_set_desired_modes (drmmode_display.c:1274)
==26198==    by 0x516CF47: RADEONEnterVT_KMS (radeon_kms.c:852)
==26198==    by 0x80D93C0: xf86XVEnterVT (xf86xv.c:1228)
==26198==    by 0x80CC653: CMapEnterVT (xf86cmap.c:455)
==26198==    by 0x4C417F3: glxDRIEnterVT (glxdri2.c:520)
==26198==    by 0x80C1BC4: xf86Wakeup (xf86Events.c:634)
==26198==    by 0x8091671: WakeupHandler (dixutils.c:418)
==26198==    by 0x81317F9: WaitForSomething (WaitFor.c:231)
==26198==    by 0x808CEE7: Dispatch (dispatch.c:386)
==26198==    by 0x8072514: main (main.c:397)
==26198==  Address 0x4cd71c9 is 1 bytes inside a block of size 9 free'd
==26198==    at 0x4023836: free (vg_replace_malloc.c:325)
==26198==    by 0x8137A70: Xfree (utils.c:1165)
==26198==    by 0x80D28F7: xf86DeleteMode (xf86Mode.c:1795)
==26198==    by 0x80EF6F3: xf86ProbeOutputModes (xf86Crtc.c:1526)
==26198==    by 0x80F759F: xf86RandR12GetInfo12 (xf86RandR12.c:1482)
==26198==    by 0x8164A10: RRGetInfo (rrinfo.c:204)
==26198==    by 0x81695A3: rrGetScreenResources (rrscreen.c:343)
==26198==    by 0x8160D24: ProcRRDispatch (randr.c:483)
==26198==    by 0x808D1AE: Dispatch (dispatch.c:456)
==26198==    by 0x8072514: main (main.c:397)
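
A minimal model of the lifetime pattern the two stacks in Comment 1 show (a 9-byte name block freed on one path, then read through strncpy on another), as an added example that is not code from the X server or the radeon driver. `struct mode` and every function name here are hypothetical, and the page does not say how the driver came to hold the stale pointer.

```c
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for a display mode; not the X server's struct. */
struct mode { char *name; int hdisplay, vdisplay; };

static char *dup_str(const char *s)          /* portable strdup */
{
    size_t n = strlen(s) + 1;
    char *p = malloc(n);
    return p ? memcpy(p, s, n) : NULL;
}

/* Allocate a mode as a probe would; the name is a separate heap block. */
struct mode *mode_new(const char *name, int w, int h)
{
    struct mode *m = malloc(sizeof *m);
    if (m && !(m->name = dup_str(name))) { free(m); m = NULL; }
    if (m) { m->hdisplay = w; m->vdisplay = h; }
    return m;
}

/* Free path: releases the name block, then the mode itself. */
void mode_delete(struct mode *m) { if (m) { free(m->name); free(m); } }

/* Risky: struct assignment aliases src->name, so dst->name dangles
 * as soon as mode_delete(src) runs. */
void mode_copy_shallow(struct mode *dst, const struct mode *src) { *dst = *src; }

/* Hardened: dst gets its own name block, which the caller must free. */
int mode_copy_deep(struct mode *dst, const struct mode *src)
{
    char *n = dup_str(src->name);
    if (!n) return -1;
    *dst = *src;
    dst->name = n;
    return 0;
}

/* Read path: bounded copy of the name into a fixed 32-byte field. */
void mode_name_out(char out[32], const struct mode *m)
{
    strncpy(out, m->name, 31);
    out[31] = '\0';
}
```

Calling `mode_name_out` on a shallow copy after `mode_delete` of the source is the read Memcheck would flag; the deep copy stays valid because it owns its name block.
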
Comment 2 Adam Jackson 2018-06-12 19:09:43 UTC
Mass closure: This bug has been untouched for more than six years, and is not obviously still valid. Please reopen this bug or file a new report if you continue to experience issues with current releases.

