Bug 105761 - Segmentation fault in AnimCurCancelTimer with multiseat when removing/adding input devices on second seat
Status: RESOLVED FIXED
Alias: None
Product: xorg
Classification: Unclassified
Component: Server/Input/Core
Version: unspecified
Hardware: x86-64 (AMD64) Linux (All)
Importance: medium normal
Assignee: Xorg Project Team
QA Contact: Xorg Project Team
Reported: 2018-03-27 09:22 UTC by Christiaan
Modified: 2018-06-12 16:09 UTC

Description Christiaan 2018-03-27 09:22:07 UTC
In a multiseat environment with two Xorg servers running with the latest Red Hat xorg-x11-server-Xorg-1.19.3-11.el7_4.2.x86_64.rpm, Xorg crashes with a segmentation fault.

Change Log:
2018-02-21 Adam Jackson <ajax@redhat.com> - 1.19.3-11.2
    - Fix fetching animated cursor images with the XFIXES extension

We have no segmentation fault with older redhat xorg-x11-server-Xorg releases.

/usr/bin/X +iglx -ac -br -audit 0 -isolateDevice PCI:1:0:0 :0 -layout seat0 -seat seat0 -auth /var/run/lightdm/root/:0 -listen tcp vt1 -novtswitch
/usr/bin/X +iglx -ac -br -audit 0 -isolateDevice PCI:3:0:0 -sharevts :1 -layout seat1 -seat seat1 -auth /var/run/lightdm/root/:1 -listen tcp

# xinput
⎡ Virtual core pointer                          id=2    [master pointer  (3)]
⎜   ↳ Virtual core XTEST pointer                id=4    [slave  pointer  (2)]
⎜   ↳ Mouse5                                    id=6    [slave  pointer  (2)]
⎜   ↳ Keyboard2                                 id=7    [slave  pointer  (2)]
⎜   ↳ EloTouchSystems,Inc Elo TouchSystems 2216 AccuTouch® USB Touchmonitor Interface   id=8    [slave  pointer  (2)]
⎜   ↳ EloTouchSystems,Inc Elo TouchSystems 2216 AccuTouch® USB Touchmonitor Interface   id=9    [slave  pointer  (2)]
⎜   ↳ EloTouchSystems,Inc Elo TouchSystems 2216 AccuTouch® USB Touchmonitor Interface   id=10   [slave  pointer  (2)]
⎣ Virtual core keyboard                         id=3    [master keyboard (2)]
    ↳ Virtual core XTEST keyboard               id=5    [slave  keyboard (3)]


# echo '3-4' | tee /sys/bus/usb/drivers/usb/unbind

# xinput
⎡ Virtual core pointer                          id=2    [master pointer  (3)]
⎜   ↳ Virtual core XTEST pointer                id=4    [slave  pointer  (2)]
⎜   ↳ Mouse5                                    id=6    [slave  pointer  (2)]
⎜   ↳ Keyboard2                                 id=7    [slave  pointer  (2)]
⎣ Virtual core keyboard                         id=3    [master keyboard (2)]
    ↳ Virtual core XTEST keyboard               id=5    [slave  keyboard (3)]

# echo '3-4' | tee /sys/bus/usb/drivers/usb/bind


Program received signal SIGSEGV, Segmentation fault.
0x000055cc1cb47b24 in AnimCurCancelTimer (pDev=<optimized out>)
    at animcur.c:159
159         CursorPtr cur = pDev->spriteInfo->sprite->current;
#0  0x000055cc1cb47b24 in AnimCurCancelTimer (pDev=<optimized out>)
    at animcur.c:159
        cur = <optimized out>
#1  0x000055cc1cb480fd in AnimCurDisplayCursor (pDev=0x55cc1f177ce0,
    pScreen=0x55cc1e971380, pCursor=0x0) at animcur.c:196
        ret = 1
#2  0x000055cc1ca652cb in RemoveDevice (dev=dev@entry=0x55cc1f177ce0,
    sendevent=sendevent@entry=1 '\001') at devices.c:1159
        prev = <optimized out>
        tmp = <optimized out>
        next = <optimized out>
        ret = 8
        screen = 0x55cc1e971380
        deviceid = 11
        initialized = 1
        flags = {0 <repeats 40 times>}
#3  0x000055cc1cabb3b2 in DeleteInputDeviceRequest (pDev=0x55cc1f177ce0)
    at xf86Xinput.c:1111
        pInfo = 0x0
        drv = 0x0
        isMaster = 484936056
#4  0x000055cc1ca604ac in CloseDeviceList (
    listHead=listHead@entry=0x55cc1ce6f830 <inputInfo+16>) at devices.c:1041
        freedIds = {0 <repeats 11 times>, 1, 0 <repeats 28 times>}
        dev = <optimized out>
#5  0x000055cc1ca6102a in CloseDownDevices () at devices.c:1071
        dev = 0x0
#6  0x000055cc1ca7030c in dix_main (argc=16, argv=0x7fff4ac55678,
    envp=<optimized out>) at main.c:317
        i = <optimized out>
        alwaysCheckForInput = {0, 1}
#7  0x00007fa065c22c05 in __libc_start_main () from /lib64/libc.so.6
No symbol table info available.
#8  0x000055cc1ca5a39e in _start ()
No symbol table info available.
(EE)
(EE) Backtrace:
(EE) 0: /usr/bin/Xorg (xorg_backtrace+0x55) [0x55cc1cbc6485]
(EE) 1: /usr/bin/Xorg (0x55cc1ca18000+0x1b2199) [0x55cc1cbca199]
(EE) 2: /lib64/libpthread.so.0 (0x7fa065fc4000+0xf5e0) [0x7fa065fd35e0]
(EE) 3: /usr/bin/Xorg (0x55cc1ca18000+0x12fb24) [0x55cc1cb47b24]
(EE) 4: /usr/bin/Xorg (0x55cc1ca18000+0x1300fd) [0x55cc1cb480fd]
(EE) 5: /usr/bin/Xorg (RemoveDevice+0x25b) [0x55cc1ca652cb]
(EE) 6: /usr/bin/Xorg (DeleteInputDeviceRequest+0x92) [0x55cc1cabb3b2]
(EE) 7: /usr/bin/Xorg (0x55cc1ca18000+0x484ac) [0x55cc1ca604ac]
(EE) 8: /usr/bin/Xorg (0x55cc1ca18000+0x4902a) [0x55cc1ca6102a]
(EE) 9: /usr/bin/Xorg (0x55cc1ca18000+0x5830c) [0x55cc1ca7030c]
(EE) 10: /lib64/libc.so.6 (__libc_start_main+0xf5) [0x7fa065c22c05]
(EE) 11: /usr/bin/Xorg (0x55cc1ca18000+0x4239e) [0x55cc1ca5a39e]
(EE)
(EE) Segmentation fault at address 0x0
(EE)
Fatal server error:
(EE) Caught signal 11 (Segmentation fault). Server aborting
(EE)
(EE)
Please consult the The X.Org Foundation support
         at http://wiki.x.org
 for help.
(EE) Please also check the log file at "/var/log/Xorg.1.log" for additional information.
(EE)
(EE) Server terminated with error (1). Closing log file.
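
An added triage example, not part of the original report: the server's own "(EE) Backtrace" leaves most Xorg frames unsymbolized as (base+offset), so this parser recovers the per-module offsets that can be resolved against debuginfo and checks each frame's arithmetic. The sample lines are copied from the log above; the function names and the reading of the first hex number as the module's load base are assumptions of this example.

```python
import re

# Sample input: four lines copied from the "(EE) Backtrace" in the report above.
SAMPLE_LOG = """\
(EE) 2: /lib64/libpthread.so.0 (0x7fa065fc4000+0xf5e0) [0x7fa065fd35e0]
(EE) 3: /usr/bin/Xorg (0x55cc1ca18000+0x12fb24) [0x55cc1cb47b24]
(EE) 5: /usr/bin/Xorg (RemoveDevice+0x25b) [0x55cc1ca652cb]
(EE) Segmentation fault at address 0x0
"""

# "(EE) N: module (base-or-symbol+0xoff) [0xabsolute]"
FRAME_RE = re.compile(
    r"^\(EE\) (?P<idx>\d+): (?P<module>\S+) "
    r"\((?P<where>[^+()]+)\+(?P<off>0x[0-9a-f]+)\) \[(?P<addr>0x[0-9a-f]+)\]$"
)


def parse_frames(log_text):
    """Return one dict per backtrace frame; non-frame lines are skipped."""
    frames = []
    for line in log_text.splitlines():
        m = FRAME_RE.match(line.strip())
        if not m:
            continue
        where, off, addr = m["where"], int(m["off"], 16), int(m["addr"], 16)
        frame = {"index": int(m["idx"]), "module": m["module"], "addr": addr,
                 "symbol": None, "module_offset": None}
        if where.startswith("0x"):
            # Unsymbolized frame: assumed to be (load base + offset).
            # Reject the line if that does not add up to the bracketed address.
            if int(where, 16) + off != addr:
                raise ValueError(f"inconsistent frame: {line}")
            frame["module_offset"] = off
        else:
            # Frame the server could name itself, e.g. RemoveDevice+0x25b.
            frame["symbol"] = f"{where}+{off:#x}"
        frames.append(frame)
    return frames


def addr2line_args(frames, module):
    """Offsets of unsymbolized frames in `module`, as hex strings for addr2line."""
    return [f"{f['module_offset']:#x}" for f in frames
            if f["module"] == module and f["module_offset"] is not None]
```

Frame 3 resolves to the same absolute address, 0x55cc1cb47b24, that gdb reports for frame #0 in AnimCurCancelTimer.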

Comment 1 Christiaan 2018-03-28 07:39:41 UTC
The USB unbind, bind doesn't always produce a segmentation fault.
The following command sequence always produces the segmentation fault:

# export DISPLAY=:1.0
# xinput create-master touch1

Comment 2 Christiaan 2018-03-28 08:37:25 UTC
Same problem on computers with a single graphics card.
Tested this on two computers.
In the debugger, the segmentation fault occurs with "xinput create-master". Without the debugger, the segmentation fault occurs with "xinput remove-master".

# export DISPLAY=:0
# xinput
⎡ Virtual core pointer                          id=2    [master pointer  (3)]
⎜   ↳ Virtual core XTEST pointer                id=4    [slave  pointer  (2)]
⎜   ↳ Logitech Optical USB Mouse                id=7    [slave  pointer  (2)]
⎣ Virtual core keyboard                         id=3    [master keyboard (2)]
    ↳ Virtual core XTEST keyboard               id=5    [slave  keyboard (3)]
    ↳ HID 046a:0011                             id=6    [slave  keyboard (3)]
# xinput create-master touch1
# xinput               
⎡ Virtual core pointer                          id=2    [master pointer  (3)]
⎜   ↳ Virtual core XTEST pointer                id=4    [slave  pointer  (2)]
⎜   ↳ Logitech Optical USB Mouse                id=7    [slave  pointer  (2)]
⎣ Virtual core keyboard                         id=3    [master keyboard (2)]
    ↳ Virtual core XTEST keyboard               id=5    [slave  keyboard (3)]
    ↳ HID 046a:0011                             id=6    [slave  keyboard (3)]
⎡ touch1 pointer                                id=8    [master pointer  (9)]
⎜   ↳ touch1 XTEST pointer                      id=10   [slave  pointer  (8)]
⎣ touch1 keyboard                               id=9    [master keyboard (8)]
    ↳ touch1 XTEST keyboard                     id=11   [slave  keyboard (9)]
# xinput remove-master "touch1 pointer"
XIO:  fatal IO error 11 (Resource temporarily unavailable) on X server ":0.0"
      after 18 requests (18 known processed) with 0 events remaining.

Comment 3 Adam Jackson 2018-06-12 16:09:00 UTC
commit 9d5af632fde0373babfa32e66a59cfbf26ed7e5d
Author: Adam Jackson <ajax@redhat.com>
Date:   Mon Apr 23 15:21:14 2018 -0400

    animcur: Fix crash when removing a master device
    
    Reproducer:
    
    $ Xvfb -ac -noreset :1 &
    $ DISPLAY=:1 xinput create-master touch1
    $ DISPLAY=:1 xinput remove-master "touch1 pointer"
    
    Bugzilla: https://bugs.freedesktop.org/105761
    Signed-off-by: Adam Jackson <ajax@redhat.com>
    Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>

