Bug 25640

Summary: Reattaching USB keyboard causes double free
Product: xorg
Component: Server/General
Version: git
Hardware: Other
OS: All
Status: RESOLVED FIXED
Severity: critical
Priority: medium
Reporter: Priit Laes (irc: plaes) <plaes>
Assignee: Xorg Project Team <xorg-team>
QA Contact: Xorg Project Team <xorg-team>
CC: brice.goglin, cmsj, mattst88, peter.hutterer

Attachments:
Xorg.0.log (flags: none)
full-backtrace.txt (flags: none)

Description Priit Laes (irc: plaes) 2009-12-14 10:50:44 UTC
I have a USB keyboard attached to my desktop machine, and noticed that removing the keyboard dongle (the keyboard itself is wireless) and reattaching it causes a double free error.

Software versions:
x11-libs/libdrm-2.4.16
media-libs/mesa-7.7_rc2  USE="nptl xcb -debug -gallium -motif -pic" 
x11-base/xorg-server-1.7.3.901  USE="hal ipv6 nptl sdl xorg -debug -dmx -kdrive -minimal -tslib"
x11-drivers/xf86-video-intel-2.9.1
x11-drivers/xf86-input-evdev-2.3.1
Linux sol 2.6.32 #49 SMP

Although this doesn't seem to be the right place to report it, I just followed the trace:
[snip]
Program received signal SIGABRT, Aborted.
0x00007fb2ca3241b5 in *__GI_raise (sig=<value optimized out>) at ../nptl/sysdeps/unix/sysv/linux/raise.c:64
64	../nptl/sysdeps/unix/sysv/linux/raise.c: No such file or directory.
	in ../nptl/sysdeps/unix/sysv/linux/raise.c
(gdb) bt
#0  0x00007fb2ca3241b5 in *__GI_raise (sig=<value optimized out>) at ../nptl/sysdeps/unix/sysv/linux/raise.c:64
#1  0x00007fb2ca3255e0 in *__GI_abort () at abort.c:92
#2  0x00007fb2ca35ee77 in __libc_message (do_abort=<value optimized out>, fmt=<value optimized out>) at ../sysdeps/unix/sysv/linux/libc_fatal.c:186
#3  0x00007fb2ca364406 in malloc_printerr (action=3, str=0x7fb2ca412bf0 "double free or corruption (!prev)", ptr=<value optimized out>)
    at malloc.c:6264
#4  0x00007fb2ca3691ac in *__GI___libc_free (mem=<value optimized out>) at malloc.c:3738
#5  0x00007fb2c8916231 in drm_intel_gem_bo_unreference_final (bo=0x2a23d10, time=410) at intel_bufmgr_gem.c:790
#6  0x00007fb2c89161fb in drm_intel_gem_bo_unreference_locked_timed (bo=0x2a23dc0, time=410) at intel_bufmgr_gem.c:825
#7  drm_intel_gem_bo_unreference_final (bo=0x2a23dc0, time=410) at intel_bufmgr_gem.c:778
#8  0x00007fb2c89161fb in drm_intel_gem_bo_unreference_locked_timed (bo=0x2b603f0, time=410) at intel_bufmgr_gem.c:825
#9  drm_intel_gem_bo_unreference_final (bo=0x2b603f0, time=410) at intel_bufmgr_gem.c:778
#10 0x00007fb2c891644e in drm_intel_gem_bo_unreference (bo=0x2b603f0) at intel_bufmgr_gem.c:841
#11 0x00007fb2c8b33fdf in intel_batch_flush (pScrn=0xd491b0, flushed=<value optimized out>) at i830_batchbuffer.c:212
#12 0x00007fb2c8b3fcc8 in I830BlockHandler (i=<value optimized out>, blockData=<value optimized out>, pTimeout=0x7fff617fe768, pReadmask=0x7b9ee0)
    at i830_driver.c:2190
#13 0x00000000004b8982 in AnimCurScreenBlockHandler (screenNum=<value optimized out>, blockData=<value optimized out>, 
    pTimeout=<value optimized out>, pReadmask=<value optimized out>) at animcur.c:211
#14 0x0000000000490cd4 in compBlockHandler (i=0, blockData=0x0, pTimeout=0x7fff617fe768, pReadmask=<value optimized out>) at compinit.c:166
#15 0x000000000043f515 in BlockHandler (pTimeout=0x7fff617fe768, pReadmask=0x7b9ee0) at dixutils.c:379
#16 0x000000000045cfdc in WaitForSomething (pClientsReady=<value optimized out>) at WaitFor.c:216
#17 0x000000000042c7b9 in Dispatch () at dispatch.c:381
#18 0x000000000042197a in main (argc=9, argv=0x7b91c8, envp=<value optimized out>) at main.c:285
[/snip]
Comment 1 Priit Laes (irc: plaes) 2009-12-14 10:54:52 UTC
Created attachment 32071
Xorg.0.log

Relevant Xorg.log lines:

[snip]
X.Org X Server 1.7.3.901 (1.7.4 RC 1)
Release Date: 2009-12-11
X Protocol Version 11, Revision 0
Build Operating System: Linux 2.6.32-rc6 x86_64 
Current Operating System: Linux sol 2.6.32 #49 SMP Mon Dec 14 20:11:21 EET 2009 x86_64
Kernel command line: root=/dev/sda3 i915.modeset=1
Build Date: 14 December 2009  06:20:58PM

Current version of pixman: 0.17.2
....skipped...
....here I removed the dongle...
(II) config/hal: removing device Logitech USB Receiver
(II) Logitech USB Receiver: Close
(II) UnloadModule: "evdev"
(II) config/hal: removing device Logitech USB Receiver
(II) Logitech USB Receiver: Close
(II) UnloadModule: "evdev"
...Reattached the dongle...
(II) config/hal: Adding input device Logitech USB Receiver
(**) Logitech USB Receiver: always reports core events
(**) Logitech USB Receiver: Device: "/dev/input/event10"
(II) Logitech USB Receiver: Found keys
(II) Logitech USB Receiver: Configuring as keyboard
(II) XINPUT: Adding extended input device "Logitech USB Receiver" (type: KEYBOARD)
(**) Option "xkb_rules" "evdev"
(**) Option "xkb_model" "evdev"
(**) Option "xkb_layout" "us"
(II) config/hal: Adding input device Logitech USB Receiver
(**) Logitech USB Receiver: always reports core events
(**) Logitech USB Receiver: Device: "/dev/input/event11"
(II) Logitech USB Receiver: Found 12 mouse buttons
(II) Logitech USB Receiver: Found scroll wheel(s)
(II) Logitech USB Receiver: Found relative axes
(II) Logitech USB Receiver: Found x and y relative axes
(II) Logitech USB Receiver: Found absolute axes
(II) Logitech USB Receiver: Found keys
(II) Logitech USB Receiver: Configuring as mouse
(II) Logitech USB Receiver: Configuring as keyboard
(**) Logitech USB Receiver: YAxisMapping: buttons 4 and 5
(**) Logitech USB Receiver: EmulateWheelButton: 4, EmulateWheelInertia: 10, EmulateWheelTimeout: 200
(II) XINPUT: Adding extended input device "Logitech USB Receiver" (type: KEYBOARD)
(**) Option "xkb_rules" "evdev"
(**) Option "xkb_model" "evdev"
(**) Option "xkb_layout" "us"
(**) Logitech USB Receiver: (accel) keeping acceleration scheme 1
(**) Logitech USB Receiver: (accel) acceleration profile 0
(II) Logitech USB Receiver: initialized for relative axes.
(WW) Logitech USB Receiver: ignoring absolute axes.
...CRASH...
[/snip]
Comment 2 Priit Laes (irc: plaes) 2009-12-14 10:57:07 UTC
Created attachment 32072
full-backtrace.txt
Comment 3 Eric Anholt 2009-12-16 12:30:36 UTC
If -debug actually turns off debug code, please remove that so that the assertions we've put in the code to catch things actually work.
Comment 4 Priit Laes (irc: plaes) 2009-12-18 04:48:59 UTC
I actually couldn't reproduce the bug with USE="debug", although while testing I got this backtrace, which looks a bit better:
(gdb) bt full
#0  0x00007f96e189cbf8 in _int_free (av=0x7f96e1b7de60, p=0x21472c0) at malloc.c:4954
        size = 272
        nextchunk = 0x21473d0
        nextsize = 528
        prevsize = <value optimized out>
        bck = 0x0
        fwd = 0x0
        errstr = <value optimized out>
        __func__ = "_int_free"
#1  0x00007f96e18a01ac in *__GI___libc_free (mem=<value optimized out>) at malloc.c:3738
        ar_ptr = 0x7f96e1b7de60
        p = 0x23fd000
#2  0x00000000004e2d16 in SrvXkbFreeServerMap (xkb=0x2168320, what=0, freeMap=37736448) at XKBMAlloc.c:871
No locals.
#3  0x00000000004e4f54 in SrvXkbFreeKeyboard (xkb=0x2168320, which=<value optimized out>, freeAll=1) at XKBAlloc.c:318
No locals.
#4  0x00000000004e7be2 in XkbFreeInfo (xkbi=0x2168250) at xkbInit.c:679
No locals.
#5  0x000000000044a4d9 in FreeDeviceClass (type=<value optimized out>, class=0x0) at devices.c:671
No locals.
#6  0x000000000044a629 in FreeAllDeviceClasses (classes=0x237a7a0) at devices.c:801
No locals.
#7  0x000000000044a73b in CloseDevice (dev=0x237a600) at devices.c:849
        screen = 0x81e250
        j = <value optimized out>
#8  0x000000000044b743 in RemoveDevice (dev=0x237a600, sendevent=1 '\001') at devices.c:996
        prev = <value optimized out>
        tmp = <value optimized out>
        next = 0x0
        ret = <value optimized out>
        screen = <value optimized out>
        deviceid = 7
        initialized = 1
        flags = {0, 0, 0, 0, 0, 0, 0, 8, 0 <repeats 32 times>}
#9  0x0000000000466332 in DeleteInputDeviceRequest (pDev=0x237a600) at xf86Xinput.c:671
        pInfo = 0x232e890
        drv = 0x213d4a0
        idev = 0x237d910
        it = <value optimized out>
        isMaster = 0
#10 0x000000000044f495 in remove_device (dev=0x237a600) at hal.c:72
No locals.
#11 0x000000000044f52b in device_removed (ctx=<value optimized out>, udi=<value optimized out>) at hal.c:90
        dev = 0x237a600
        next = 0x0
        value = 0x23068d0 "hal:/org/freedesktop/Hal/devices/usb_device_46d_c50c_noserial_if1_logicaldev_input"
#12 0x00007f96e29b337d in filter_func (connection=0x2138060, message=0x213abd0, user_data=<value optimized out>) at libhal.c:1067
        udi = 0x2198854 "/org/freedesktop/Hal/devices/usb_device_46d_c50c_noserial_if1_logicaldev_input"
        object_path = 0x237bfd8 "/org/freedesktop/Hal/Manager"
        error = {name = 0x0, message = 0x0, dummy1 = 1, dummy2 = 0, dummy3 = 1, dummy4 = 0, dummy5 = 0, padding1 = 0x7f96e360e38b}
        ctx = 0x213b310
#13 0x00007f96e3607d92 in dbus_connection_dispatch (connection=0x2138060)
    at /home/tmp/portage/sys-apps/dbus-1.3.0-r1/work/dbus-1.3.0/dbus/dbus-connection.c:4558
        filter = <value optimized out>
        next = 0x0
        message = 0x213abd0
        link = <value optimized out>
        filter_list_copy = 0x2137630
        message_link = 0x2137618
        result = <value optimized out>
        status = <value optimized out>
        __FUNCTION__ = "dbus_connection_dispatch"
#14 0x00007f96e3608049 in _dbus_connection_read_write_dispatch (connection=0x2138060, timeout_milliseconds=0, dispatch=1)
    at /home/tmp/portage/sys-apps/dbus-1.3.0-r1/work/dbus-1.3.0/dbus/dbus-connection.c:3583
        dstatus = DBUS_DISPATCH_DATA_REMAINS
        progress_possible = <value optimized out>
#15 0x000000000044f186 in wakeup_handler (data=0x7af860, err=<value optimized out>, read_mask=0x23fd000) at dbus-core.c:57
No locals.
#16 0x000000000043f789 in WakeupHandler (result=-1, pReadmask=0x7ba020) at dixutils.c:413
        i = 1
#17 0x000000000045d1bc in WaitForSomething (pClientsReady=<value optimized out>) at WaitFor.c:232
        i = 37736448
        waittime = {tv_sec = 9, tv_usec = 710935}
        wt = 0x7fff1547a1c0
        timeout = <value optimized out>
        clientsReadable = {fds_bits = {0 <repeats 16 times>}}
        clientsWritable = {fds_bits = {33558160, 0, 37409008, 0, 37279924, 4343799, 32, 140286005773458, 48, 33558160, 140733193404416, 4562754, 8512080, 
            33558160, 140733550404012, 140733550403984}}
        selecterr = 4
        nready = <value optimized out>
        devicesReadable = {fds_bits = {0 <repeats 16 times>}}
        now = <value optimized out>
        someReady = 0
#18 0x000000000042c7b9 in Dispatch () at dispatch.c:381
        result = <value optimized out>
        client = 0x2000e90
        nready = -1
        start_tick = 700
#19 0x000000000042197a in main (argc=9, argv=0x7b9308, envp=<value optimized out>) at main.c:285
        i = 1
        alwaysCheckForInput = {0, 1}
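The backtrace above shows the crash path (RemoveDevice -> CloseDevice -> FreeAllDeviceClasses -> FreeDeviceClass -> XkbFreeInfo -> free), and the Xorg.0.log in comment 1 shows the same receiver being removed twice. As an added illustration, not code from xorg-server or from anyone in this thread, the block below shows the generic defensive pattern for that class of bug: the owner's pointer slot is cleared when the map is released and device teardown is idempotent, so a repeated close cannot reach free() on the same block twice. All names here (device_t, xkb_map_t, xkb_map_new, xkb_free_info, device_close, remove_twice) are hypothetical stand-ins and say nothing about how the actual fix was written.

```c
/* Added illustration (hypothetical names, not xorg-server code): releasing a
 * per-device map exactly once even when the close routine runs twice. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef struct {
    char *keymap;      /* heap buffer standing in for the XKB server map */
} xkb_map_t;

typedef struct {
    int id;
    xkb_map_t *xkb;    /* owned by the device; NULL once released */
    int closed;        /* set after the first successful close */
} device_t;

/* Counts how many times the map was actually handed to free(). */
static int real_frees = 0;

static xkb_map_t *xkb_map_new(const char *layout) {
    xkb_map_t *m = calloc(1, sizeof *m);
    size_t n = strlen(layout) + 1;
    if (!m) return NULL;
    m->keymap = malloc(n);
    if (!m->keymap) { free(m); return NULL; }
    memcpy(m->keymap, layout, n);
    return m;
}

/* Takes the OWNER'S SLOT, not a copy of the pointer: after freeing, the slot
 * is cleared, so a second call through the same slot is a harmless no-op
 * rather than the "double free or corruption" abort glibc reported above. */
static void xkb_free_info(xkb_map_t **slot) {
    if (!slot || !*slot) return;
    free((*slot)->keymap);
    free(*slot);
    *slot = NULL;
    real_frees++;
}

/* Idempotent teardown: both guards (closed flag and cleared slot) are kept on
 * purpose so that either one alone still prevents a repeated free. */
static void device_close(device_t *dev) {
    if (!dev || dev->closed) return;
    xkb_free_info(&dev->xkb);
    dev->closed = 1;
}

/* Simulates the log above: the same device removed twice in a row.
 * Returns the number of real frees performed; the safe value is 1. */
static int remove_twice(void) {
    device_t dev = { .id = 7, .xkb = xkb_map_new("us"), .closed = 0 };
    real_frees = 0;
    device_close(&dev);   /* first "removing device": map is released */
    device_close(&dev);   /* second "removing device": nothing left to free */
    return real_frees;
}

int main(void) {
    int n = remove_twice();
    printf("real frees across two close calls: %d\n", n);
    return n == 1 ? 0 : 1;
}
```

Under a debugging allocator such as AddressSanitizer the unsafe shape (a free routine that receives a bare pointer and leaves the owner's field dangling) is reported at the second free with both stacks, which is the quickest way to confirm a report like this one before reading the teardown code.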
Comment 5 Priit Laes (irc: plaes) 2009-12-18 04:52:12 UTC
And the relevant Xorg.log:
[snip]
Backtrace:
0: /usr/bin/X (xorg_backtrace+0x28) [0x460a54]
1: /usr/bin/X (0x400000+0x62496) [0x462496]
2: /lib/libpthread.so.0 (0x7f96e278c000+0xf000) [0x7f96e279b000]
3: /lib/libc.so.6 (0x7f96e1829000+0x73bf8) [0x7f96e189cbf8]
4: /lib/libc.so.6 (cfree+0x6c) [0x7f96e18a01ac]
5: /usr/bin/X (SrvXkbFreeServerMap+0x110) [0x4e2d16]
6: /usr/bin/X (SrvXkbFreeKeyboard+0x15f) [0x4e4f54]
7: /usr/bin/X (XkbFreeInfo+0xde) [0x4e7be2]
8: /usr/bin/X (0x400000+0x4a4d9) [0x44a4d9]
9: /usr/bin/X (0x400000+0x4a629) [0x44a629]
10: /usr/bin/X (0x400000+0x4a73b) [0x44a73b]
11: /usr/bin/X (RemoveDevice+0x156) [0x44b743]
12: /usr/bin/X (DeleteInputDeviceRequest+0x3f) [0x466332]
13: /usr/bin/X (0x400000+0x4f495) [0x44f495]
14: /usr/bin/X (0x400000+0x4f52b) [0x44f52b]
15: /usr/lib/libhal.so.1 (0x7f96e29a8000+0xb37d) [0x7f96e29b337d]
16: /usr/lib/libdbus-1.so.3 (dbus_connection_dispatch+0x302) [0x7f96e3607d92]
17: /usr/lib/libdbus-1.so.3 (0x7f96e35ff000+0x9049) [0x7f96e3608049]
18: /usr/bin/X (0x400000+0x4f186) [0x44f186]
19: /usr/bin/X (WakeupHandler+0x3e) [0x43f789]
20: /usr/bin/X (WaitForSomething+0x1ce) [0x45d1bc]
21: /usr/bin/X (0x400000+0x2c7b9) [0x42c7b9]
22: /usr/bin/X (0x400000+0x2197a) [0x42197a]
23: /lib/libc.so.6 (__libc_start_main+0xfd) [0x7f96e1847bbd]
24: /usr/bin/X (0x400000+0x21549) [0x421549]
Segmentation fault at address 0x18
[/snip]

Comment 6 Eric Anholt 2009-12-29 09:51:03 UTC
That certainly makes more sense. Reassigning to the server.
Comment 7 Carlos Romero 2010-01-12 21:23:41 UTC
https://bugzilla.redhat.com/show_bug.cgi?id=540584 was just linked to this bug.
Comment 8 Peter Hutterer 2010-01-12 21:36:57 UTC
Please see the patch on the xorg list for a fix. Testing appreciated.

http://lists.freedesktop.org/archives/xorg-devel/2010-January/004908.html
Comment 9 Priit Laes (irc: plaes) 2010-01-13 06:42:04 UTC
This patch seems to have fixed this issue :)

Thanks :D
Comment 10 Carlos Romero 2010-01-13 09:54:35 UTC
Running with the patch for 12 hours so far and have been unable to crash Xorg.
Comment 11 Brice Goglin 2010-01-30 06:29:13 UTC
Junji Yamashita confirms in http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=566147 that the patch fixes his crashes with his Bluetooth keyboard.
Comment 12 Matt Turner 2010-02-12 13:35:19 UTC
*** Bug 24487 has been marked as a duplicate of this bug. ***
Comment 13 Matt Turner 2010-02-12 13:35:54 UTC
Looks like this patch fixes it. I've been testing it for a couple days without a crash.
Comment 14 Peter Hutterer 2010-02-15 17:36:01 UTC
Fixed with commit 48f7298657f91843db36566b8d66d6c4c18dbd4c. Thanks to all of you for testing.