Bug 103722

Summary: segfault in xf86EdidMonitorSet if first mode of current monitor is deemed to be a duplicate
Product: xorg
Reporter: John Lumby <johnlumby>
Component: Server/General
Assignee: Xorg Project Team <xorg-team>
Status: RESOLVED FIXED
QA Contact: Xorg Project Team <xorg-team>
Severity: critical
Priority: medium
Version: git
Hardware: x86-64 (AMD64)
OS: Linux (All)

Description John Lumby 2017-11-13 16:16:36 UTC
Segfault such as the following if the first mode belonging to the current monitor is pruned by xf86PruneDuplicateModes(Monitor->Modes):

[  2857.667] (II) NOUVEAU(0): EDID vendor "LEN", prod id 16562
[  2857.667] (II) NOUVEAU(0): Printing DDC gathered Modelines:
[  2857.667] (II) NOUVEAU(0): Modeline "1920x1080"x0.0  139.00  1920 1980 2028 2050  1080 1090 1100 1130 -hsync -vsync (67.8 kHz eP)
[  2857.667] (II) NOUVEAU(0): Modeline "1920x1080"x0.0  115.83  1920 1980 2028 2050  1080 1090 1100 1130 -hsync -vsync (56.5 kHz e)
[  2857.667] (EE) 
[  2857.667] (EE) Backtrace:
[  2857.667] (EE) 0: X (xorg_backtrace+0x41) [0x46dd81]
[  2857.667] (EE) 1: X (0x400000+0x73a59) [0x473a59]
[  2857.667] (EE) 2: /lib/x86_64-linux-gnu/libpthread.so.0 (0x7ff8d619f000+0x11070) [0x7ff8d61b0070]
[  2857.667] (EE) 3: X (xf86EdidMonitorSet+0x273) [0x4c2db3]
[  2857.667] (EE) 4: X (xf86SetDDCproperties+0x34) [0x4d13c4]
[  2857.667] (EE) 5: X (xf86OutputSetEDID+0x22b) [0x4bc2bb]
[  2857.667] (EE) 6: /mnt/bluebild/xorg_170918-173356/xorg-build/lib/xorg/modules/drivers/nouveau_drv.so (0x7ff8d29fa000+0x286bc) [0x7ff8d2a226bc]
[  2857.667] (EE) 7: X (xf86ProbeOutputModes+0x1cd) [0x4bc4cd]
[  2857.668] (EE) 8: X (0x400000+0xc51e7) [0x4c51e7]
[  2857.668] (EE) 9: X (RRGetInfo+0xdb) [0x5007db]
[  2857.668] (EE) 10: X (0x400000+0x92e0c) [0x492e0c]
[  2857.668] (EE) 11: /mnt/bluebild/xorg_170918-173356/xorg-build/lib/xorg/modules/extensions/libglx.so (0x7ff8d4ead000+0x2d15f) [0x7ff8d4eda15f]
[  2857.668] (EE) 12: X (xf86VTEnter+0x80) [0x48b800]
[  2857.668] (EE) 13: X (xf86Wakeup+0x43) [0x48ba13]
[  2857.668] (EE) 14: X (WakeupHandler+0xda) [0x44209a]
[  2857.668] (EE) 15: X (WaitForSomething+0x1ce) [0x4778ae]
[  2857.668] (EE) 16: X (0x400000+0x3d3a1) [0x43d3a1]
[  2857.668] (EE) 17: X (0x400000+0x41558) [0x441558]
[  2857.668] (EE) 18: /lib/x86_64-linux-gnu/libc.so.6 (__libc_start_main+0xf0) [0x7ff8d5e222a0]
[  2857.668] (EE) 19: X (_start+0x2a) [0x42c04a]
[  2857.668] (EE) 
[  2857.668] (EE) Segmentation fault at address 0x139

Cause: the following code follows the forward chain of modes but starts from the one which has just been freed.

Simple fix: change the line
xf86PruneDuplicateModes(Monitor->Modes);
to

Monitor->Modes = xf86PruneDuplicateModes(Monitor->Modes);
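To make the bug class concrete, here is an added example (not xserver code) that models a pruner with the same contract as xf86PruneDuplicateModes: it may free the head node and hands the new head back as its return value, so a caller that keeps walking from its old pointer reads freed memory. The Mode struct, the keep-the-preferred-copy policy and the sample timings are assumptions constructed for this example; the caller at the end shows the assignment the fix introduces.

```c
#include <stdlib.h>

/* Constructed stand-in for DisplayModeRec: only the fields needed here (assumption). */
typedef struct Mode {
    int clock, hdisplay, vdisplay;  /* pixel clock (kHz) and active area */
    int preferred;                  /* nonzero if EDID flagged this timing */
    struct Mode *next;
} Mode;
/* Unlink and free 'victim'; the (possibly new) head is returned. */
static Mode *delete_mode(Mode *head, Mode *victim) {
    if (head == victim) head = victim->next;
    else { Mode *p = head; while (p->next != victim) p = p->next; p->next = victim->next; }
    free(victim);
    return head;
}
/* Drop duplicate timings, keeping the preferred copy (assumed policy). As with
 * xf86PruneDuplicateModes the new head is the RETURN VALUE: a caller that keeps
 * its old pointer after the first node is freed walks freed memory. */
Mode *prune_duplicate_modes(Mode *head) {
    Mode *m, *n;
top:
    for (m = head; m; m = m->next)
        for (n = m->next; n; n = n->next)
            if (m->clock == n->clock && m->hdisplay == n->hdisplay &&
                m->vdisplay == n->vdisplay) {
                head = delete_mode(head, (n->preferred && !m->preferred) ? m : n);
                goto top;  /* list changed under us: restart the scan */
            }
    return head;
}
/* Constructed sample: the head is a non-preferred duplicate of node two, so the
 * pruner frees the head, which is the situation that crashed xf86EdidMonitorSet. */
Mode *build_sample_list(void) {
    static const Mode spec[] = {{139000, 1920, 1080, 0}, {139000, 1920, 1080, 1},
                                {115830, 1920, 1080, 0}};
    Mode *head = NULL, **tail = &head;
    for (size_t i = 0; i < sizeof spec / sizeof spec[0]; i++) {
        *tail = malloc(sizeof **tail); **tail = spec[i]; tail = &(*tail)->next;
    }
    return head;
}

/* Fixed caller, as the commit does for Monitor->Modes: store the returned head
 * before walking the list (the bug was a bare call that discarded it). */
Mode *pruned_sample(void) {
    Mode *list = build_sample_list();
    list = prune_duplicate_modes(list);
    return list;
}
int list_length(const Mode *m) { int n = 0; while (m) { n++; m = m->next; } return n; }
```

Building with -fsanitize=address and walking from the stale head instead of the returned one reports the heap-use-after-free directly, which is a cheaper way to catch this class of mistake than a VT-switch crash.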
Comment 1 Michel Dänzer 2017-11-13 16:22:04 UTC
Do you want to send a patch to the xorg-devel mailing list for review?
Comment 2 Jeff Smith 2018-01-27 16:14:39 UTC
Original patch sent by John Lumby:
https://patchwork.freedesktop.org/series/33848/

I remade it here, following patch submission guidelines:
https://patchwork.freedesktop.org/series/37224/
Comment 3 Adam Jackson 2018-01-29 19:39:31 UTC
commit 9b7b8720ebc8028b14796a66d0a21b002682a83c (HEAD -> master, origin/master, origin/HEAD)
Author: Jeff Smith <whydoubt@gmail.com>
Date:   Sat Jan 27 00:14:02 2018 -0600

    edid: use value returned from pruning duplicate modes
    
    xf86PruneDuplicateModes is passed a linked list of modes, and after
    pruning the duplicate nodes, the new head of the list is returned.  If
    the first element is removed, the head of the list will change and the
    returned value needs to be assigned.
    
    Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=103722
    Thanks: John Lumby <johnlumby@hotmail.com>
    Signed-off-by: Jeff Smith <whydoubt@gmail.com>
    Reviewed-by: Adam Jackson <ajax@redhat.com>
