Bug 27573

Summary: segfault in DGAProcessPointerEvent using qemu-kvm
Product: xorg Reporter: Julien Cristau <jcristau>
Component: Server/Input/CoreAssignee: Peter Hutterer <peter.hutterer>
Status: RESOLVED FIXED QA Contact: Xorg Project Team <xorg-team>
Severity: normal    
Priority: medium CC: ben, peter.hutterer
Version: git   
Hardware: Other   
OS: All   
Whiteboard:
i915 platform: i915 features:
Attachments:
Description Flags
xorg.conf
none
xorg log
none
0001-xfree86-dga-needs-to-the-master-keyboard-state-27573.patch
none
0001-xfree86-dga-needs-to-use-the-master-keyboard-state-2.patch
none
0001-xfree86-dga-needs-to-use-the-master-keyboard-state-2.patch none

Description Julien Cristau 2010-04-10 01:43:01 UTC 
Created attachment 34861 [details]
xorg.conf

This bug was originally reported by Ben Hutchings at http://bugs.debian.org/576393

He writes:

I've been exercising graphics in qemu-kvm a bit more and have seen the
host's X server crash a couple of times.  I expect I can reproduce it
again if you want me to gather more information.

The backtrace from Xorg.0.log.old is:

Backtrace:
0: /usr/bin/X (xorg_backtrace+0x3b) [0x80ad72b]
1: /usr/bin/X (0x8048000+0x5a8a5) [0x80a28a5]
2: (vdso) (__kernel_rt_sigreturn+0x0) [0xf7770410]
3: /usr/bin/X (mieqProcessDeviceEvent+0xb9) [0x809fd29]
4: /usr/bin/X (mieqProcessInputEvents+0x6c) [0x809feac]
5: /usr/bin/X (ProcessInputEvents+0x17) [0x80b1437]
6: /usr/bin/X (0x8048000+0x2be40) [0x8073e40]
7: /usr/bin/X (0x8048000+0x1e93a) [0x806693a]
8: /lib/i686/cmov/libc.so.6 (__libc_start_main+0xe5) [0xf74a3b55]
9: /usr/bin/X (0x8048000+0x1e521) [0x8066521]
Segmentation fault at address 0x64

Fatal server error:
Caught signal 11 (Segmentation fault). Server aborting

Here's a backtrace and local variables for each frame.

(gdb) bt
#0  0x080b4eec in DGAProcessPointerEvent (pScreen=<value optimized out>, 
    event=0xa336400, mouse=0xa332418)
    at ../../../../hw/xfree86/common/xf86DGA.c:1097
#1  0x0809fd29 in mieqProcessDeviceEvent (dev=0xa332418, event=0xa336400, 
    screen=0x8b15368) at ../../mi/mieq.c:404
#2  0x0809feac in mieqProcessInputEvents () at ../../mi/mieq.c:471
#3  0x080b1437 in ProcessInputEvents ()
    at ../../../../hw/xfree86/common/xf86Events.c:165
#4  0x08074040 in Dispatch () at ../../dix/dispatch.c:407
#5  0x0806693a in main (argc=9, argv=0xffc31114, envp=0xffc3113c)
    at ../../dix/main.c:285
(gdb) info locals
butc = 0xa3328a0
ev = {header = 255 '\377', type = ET_Motion, length = 408, time = 0,
  deviceid = 0, sourceid = 0, detail = {button = 0, key = 0}, root_x = 0,
  root_x_frac = 0, root_y = 0, root_y_frac = 0,
  buttons = '\000' <repeats 31 times>, valuators = {mask = "\000\000\000\000",
    mode = "\000\000\000\000", data = {0 <repeats 36 times>}, data_frac = {
      0 <repeats 36 times>}}, mods = {base = 0, latched = 0, locked = 0,
    effective = 0}, group = {base = 0 '\000', latched = 0 '\000',
    locked = 0 '\000', effective = 0 '\000'}, root = 0, corestate = 0,
  key_repeat = 0}
(gdb) up
#1  0x0809fd29 in mieqProcessDeviceEvent (dev=0xa332418, event=0xa336400, 
    screen=0x8b15368) at ../../mi/mieq.c:404
404     ../../mi/mieq.c: No such file or directory.
        in ../../mi/mieq.c
(gdb) info locals
screenNum = <value optimized out>
handler = 0x80b5050 <DGAHandleEvent>
master = <value optimized out>
mevent = {any = {header = 192 '\300', type = 0, length = 0, time = 0},
  device_event = {header = 192 '\300', type = 0, length = 0, time = 0,
    deviceid = -3995384, sourceid = -3995540, detail = {button = 4290971752,
      key = 4290971752}, root_x = 36423, root_x_frac = 1.06619174e-33,
    root_y = 10100, root_y_frac = 1.06620166e-33,
    buttons = "\340\021\v\b4'\261\b\001\000\000\000\310&\261\b\000|E\n\000\000\000\000\210\326=\367\000\000\000", valuators = {
      mask = "\001\216r", <incomplete sequence \367>, mode = "|E\n|\003",
      data = {1024, 0 <repeats 33 times>, 145827636, 167522360}, data_frac = {
        135587579, 32, 32, -144928780, -3993944, -143223808, 29, 99, 0, 43,
        43, -144928780, 32, -3993944, -3993980, 32, 1, -3993800, 32, 0, 0,
        -143223760, 35, 2110102, -3993980, 43, -3994604, 0, 0, -147770984,
        172098632, 172099432, -3995160, -147910644, 172098632, 172099432}},
    mods = {base = 330, latched = 18, locked = 1, effective = 4290972176},
    group = {base = 0 '\000', latched = 0 '\000', locked = 0 '\000',
      effective = 0 '\000'}, root = 4151408674, corestate = 171500120,
    key_repeat = 1}, changed_event = {header = 192 '\300', type = 0,
    length = 0, time = 0, deviceid = -3995384, flags = -3995540,
    masterid = -3995544, sourceid = -143487417, buttons = {
      num_buttons = 145827528, names = {145827700, 145827636, 134943200,

        145827636, 1, 145827528, 172325888, 0, 4148024968, 0, 4151479809,
        172325888, 892, 1024, 0 <repeats 33 times>, 145827636, 167522360,
        135587579, 32, 32, 4150038516, 4290973352, 4151743488, 29, 99, 0, 43,
        43, 4150038516, 32, 4290973352, 4290973316, 32, 1, 4290973496, 32, 0,
        0, 4151743536, 35, 2110102, 4290973316, 43, 4290972692, 0, 0,
        4147196312, 172098632, 172099432, 4290972136, 4147056652, 172098632,
        172099432, 330, 18, 1, 4290972176, 0, 4151408674, 171500120, 1,
        171569982, 0, 4290973196, 4290972176, 4147031323, 136180172, 4,
        4290972176, 4290973224, 0, 7845976, 2160918528, 330, 18, 1,
        4290972176, 4294902655, 4294902048, 4294967295, 136004405, 16, 0, 43,
        0, 0, 0, 0, 0, 0, 2147483648, 49167, 0, 1073709056, 0, 3355443200,
        16387, 0, 0, 0, 2356019200, 49166, 0, 3222178926, 288, 18875263, 0,
        136004405, 0, 0, 0, 8064, 65535, 0, 0, 0, 0, 0, 0, 7845976,
        2160918528, 0, 2147483648, 4294902655, 4294902048, 4294967295,
        136004405, 16, 0, 43, 0, 0, 0, 0, 0, 0, 2147483648, 49167, 0,
        1073709056, 0, 3355443200, 16387, 0, 0, 0, 2356019200, 49166, 0,
        3222178926, 288, 18875263, 0, 136004405, 0, 0, 0, 8064, 65535, 0, 0,
        0, 0, 0, 0, 0, 0, 0, 2147483648, 49167, 0, 0, 2147483648, 16383, 0, 0,
        3355443200, 16387, 0, 0, 0, 0, 0, 0, 2356019200, 49166, 0, 0,
        2356019200, 49166, 0...}}, num_valuators = 0, valuators = {{min = 0,
        max = 0, resolution = 135579312, mode = 0 '\000', name = 0}, {
        min = 136265120, max = 0, resolution = 0, mode = 0 '\000', name = 0}, {
        min = 0, max = 0, resolution = 0, mode = 0 '\000', name = 0}, {
        min = 0, max = 0, resolution = 0, mode = 0 '\000', name = 0}, {
        min = 0, max = 0, resolution = 0, mode = 0 '\000', name = 0}, {
        min = 0, max = 0, resolution = 0, mode = 0 '\000', name = 0}, {
        min = 0, max = 0, resolution = 0, mode = 0 '\000', name = 0}, {
        min = 0, max = 0, resolution = 0, mode = 0 '\000', name = 0}, {
        min = 0, max = 136180172, resolution = 0, mode = 240 '\360',
        name = 4290973000}, {min = 0, max = 4290972976,
        resolution = 4149291337, mode = 204 '\314', name = 134919401}, {
        min = 0, max = 4290972976, resolution = 0, mode = 0 '\000', name = 0},
      {min = 20000, max = 0, resolution = 20000, mode = 153 '\231',
        name = 136180172}, {min = 4290973624, max = 134876191, resolution = 1,
        mode = 160 '\240', name = 0}, {min = 0, max = 4290973588,
        resolution = 4149174493, mode = 134 '\206', name = 4147530204}, {
        min = 136180172, max = 166689704, resolution = 4290973080,
        mode = 113 'q', name = 32}, {min = 1, max = 4290973460,
        resolution = 0, mode = 7 '\a', name = 0}, {min = 0, max = 0,
        resolution = 0, mode = 0 '\000', name = 0} <repeats 12 times>, {
        min = 0, max = 0, resolution = 0, mode = 221 '\335', name = 32}, {
        min = 136180172, max = 32, resolution = 171135424, mode = 200 '\310',
        name = 135140110}, {min = 32, max = 4290973496, resolution = 1,
        mode = 71 'G', name = 4290973400}, {min = 136180172, max = 4290973416,
        resolution = 171140088, mode = 192 '\300', name = 4290973496}, {
        min = 1, max = 134784785, resolution = 169790576, mode = 8 '\b',
        name = 4150038516}, {min = 4150043584, max = 1800,
        resolution = 4290973480, mode = 221 '\335', name = 1800}, {min = 1800,
        max = 171666976, resolution = 1792, mode = 0 '\000',
        name = 171140088}, {min = 1800, max = 4149178635,
        resolution = 136180172, mode = 0 '\000', name = 136242656}}, keys = {

      min_keycode = -3993784, max_keycode = 134919875}}, dga_event = {
    header = 192 '\300', type = 0, length = 0, time = 0, subtype = -3995384,
    detail = -3995540, dx = -3995544, dy = -143487417, screen = 145827528,
    state = 10100}, raw_event = {header = 192 '\300', type = 0, length = 0,
    time = 0, deviceid = -3995384, sourceid = -3995540, detail = {
      button = 4290971752, key = 4290971752}, valuators = {
      mask = "G\216r\367", <incomplete sequence \310>, data = {145827700,
        145827636, 134943200, 145827636, 1, 145827528, 172325888, 0,
        -146942328, 0, -143487487, 172325888, 892, 1024,
        0 <repeats 22 times>}, data_frac = {0 <repeats 11 times>, 145827636,
        167522360, 135587579, 32, 32, -144928780, -3993944, -143223808, 29,
        99, 0, 43, 43, -144928780, 32, -3993944, -3993980, 32, 1, -3993800,
        32, 0, 0, -143223760, 35}, data_raw = {2110102, -3993980, 43,
        -3994604, 0, 0, -147770984, 172098632, 172099432, -3995160,
        -147910644, 172098632, 172099432, 330, 18, 1, -3995120, 0, -143558622,
        171500120, 1, 171569982, 0, -3994100, -3995120, -147935973, 136180172,
        4, -3995120, -3994072, 0, 7845976, -2134048768, 330, 18, 1},
      data_raw_frac = {-3995120, -64641, -65248, -1, 136004405, 16, 0, 43, 0,
        0, 0, 0, 0, 0, -2147483648, 49167, 0, 1073709056, 0, -939524096,
        16387, 0, 0, 0, -1938948096, 49166, 0, -1072788370, 288, 18875263, 0,
        136004405, 0, 0, 0, 8064}}}}
(gdb) up
#2  0x0809feac in mieqProcessInputEvents () at ../../mi/mieq.c:471
471     in ../../mi/mieq.c
(gdb) info locals
e = <value optimized out>
evlen = <value optimized out>
screen = 0x8b15368
event = 0xa336400
dev = 0xa332418
(gdb) up
#3  0x080b1437 in ProcessInputEvents ()
    at ../../../../hw/xfree86/common/xf86Events.c:165
165     ../../../../hw/xfree86/common/xf86Events.c: No such file or directory.
        in ../../../../hw/xfree86/common/xf86Events.c
(gdb) info locals
x = 136180172
y = 134914603
(gdb) up
#4  0x08074040 in Dispatch () at ../../dix/dispatch.c:407
407     ../../dix/dispatch.c: No such file or directory.
        in ../../dix/dispatch.c
(gdb) info locals
result = <value optimized out>
client = 0xa375870
nready = 0
start_tick = 1340
(gdb) up
#5  0x0806693a in main (argc=9, argv=0xffc31114, envp=0xffc3113c)
    at ../../dix/main.c:285
285     ../../dix/main.c: No such file or directory.
        in ../../dix/main.c
(gdb) info locals
i = <value optimized out>
alwaysCheckForInput = {0, 1}
Comment 1 Julien Cristau 2010-04-10 01:44:21 UTC 
Created attachment 34862 [details]
xorg log
Comment 2 Peter Hutterer 2010-04-12 18:51:51 UTC 
Created attachment 34946 [details] [review]
0001-xfree86-dga-needs-to-the-master-keyboard-state-27573.patch

i think this one should fix it, but I'd like to get your Tested-by to make sure.
Comment 3 Ben Hutchings 2010-04-18 17:33:17 UTC 
(In reply to comment #2)
> Created an attachment (id=34946) [details]
> 0001-xfree86-dga-needs-to-the-master-keyboard-state-27573.patch
> 
> i think this one should fix it, but I'd like to get your Tested-by to make
> sure.

Sadly not.

I dug a little further with gdb this time:

(gdb) bt
#0  0x080bdd3e in DGAProcessPointerEvent (pScreen=<value optimized out>, 
    event=0x9dbe178, mouse=0x9dba5c8)
    at ../../../../hw/xfree86/common/xf86DGA.c:1097
#1  0x080dbb69 in mieqProcessDeviceEvent (dev=0x9dba5c8, event=0x9dbe178, 
    screen=0x859d518) at ../../mi/mieq.c:404
#2  0x080dbcec in mieqProcessInputEvents () at ../../mi/mieq.c:471
#3  0x080b2347 in ProcessInputEvents ()
    at ../../../../hw/xfree86/common/xf86Events.c:165
#4  0x08082ff0 in Dispatch () at ../../dix/dispatch.c:371
#5  0x0806697a in main (argc=9, argv=0xff90af24, envp=0xff90af4c)
    at ../../dix/main.c:285
(gdb) print mouse
$3 = (DeviceIntPtr) 0x9dba5c8
(gdb) print *mouse->spriteInfo
$4 = {sprite = 0x9dbd140, spriteOwner = 0, paired = 0x9dba5c8}
(gdb) print *mouse
$6 = {public = {devicePrivate = 0x9dba428, 
    processInputProc = 0x8121a90 <ProcessKeyboardEvent>, 
    realInputProc = 0x8121a90 <ProcessKeyboardEvent>, 
    enqueueInputProc = 0x8094c00 <EnqueueEvent>, on = 1}, next = 0x9dcd210, 
  startup = 1, deviceProc = 0xf7214d10, inited = 1, enabled = 1, 
  coreEvents = 0, deviceGrab = {grabTime = {months = 0, 
      milliseconds = 121913608}, fromPassiveGrab = 0, implicitGrab = 0, 
    activeGrab = {next = 0x0, resource = 0, device = 0x0, window = 0x0, 
      ownerEvents = 0, keyboardMode = 0, pointerMode = 0, 
      grabtype = GRABTYPE_CORE, type = 0 '\000', modifiersDetail = {exact = 0, 
        pMask = 0x0}, modifierDevice = 0x0, detail = {exact = 0, pMask = 0x0}, 
      confineTo = 0x0, cursor = 0x0, eventMask = 0, deviceMask = 0, xi2mask = {
        "\000\000" <repeats 42 times>}}, grab = 0x0, activatingKey = 0 '\000', 
    ActivateGrab = 0x8094890 <ActivateKeyboardGrab>, 
    DeactivateGrab = 0x80945b0 <DeactivateKeyboardGrab>, sync = {frozen = 0, 
      state = 0, other = 0x0, event = 0x0}}, type = 3, xinput_type = 95, 
  name = 0x9dba8a8 "touchpad", id = 6, key = 0x0, valuator = 0x9dbafa8, 
  button = 0x9dbaa50, focus = 0x0, proximity = 0x0, absolute = 0x0, 
  kbdfeed = 0x0, ptrfeed = 0x9dbc048, intfeed = 0x0, stringfeed = 0x0, 
  bell = 0x0, leds = 0x0, xkb_interest = 0x0, config_info = 0x0, 
  devPrivates = 0x9dbbc30, nPrivates = 0, 
  unwrapProc = 0x8122960 <xkbUnwrapProc>, spriteInfo = 0x9dba870, u = {
    master = 0x0, lastSlave = 0x0}, last = {valuators = {901, 209, 
      0 <repeats 34 times>}, remainder = {-0.0765800476, -0.0139235258, 
      0 <repeats 34 times>}, numValuators = 2, slave = 0x0}, properties = {
    properties = 0x9dbd060, handlers = 0x9dbd098}}

Note that:

mouse->name == "touchpad"
mouse->type == 3 == SLAVE
mouse->u.master == NULL
mouse->spriteInfo->paired == mouse
mouse->key == NULL
Comment 4 Peter Hutterer 2010-04-20 20:32:28 UTC 
(In reply to comment #3)
> Note that:
> 
> mouse->name == "touchpad"
> mouse->type == 3 == SLAVE
> mouse->u.master == NULL
> mouse->spriteInfo->paired == mouse
> mouse->key == NULL

bloody hell, the device is floating. I didn't think of that - thanks. patch coming up.
Comment 5 Peter Hutterer 2010-04-20 20:32:48 UTC 
Created attachment 35193 [details] [review]
0001-xfree86-dga-needs-to-use-the-master-keyboard-state-2.patch
Comment 6 Peter Hutterer 2010-04-21 01:31:38 UTC 
Created attachment 35198 [details] [review]
0001-xfree86-dga-needs-to-use-the-master-keyboard-state-2.patch

sorry, uncommitted changes (an & missing) made the last patch fail to compile. Fixed now.
Comment 7 Ben Hutchings 2010-05-01 12:39:16 UTC 
(In reply to comment #6)
> Created an attachment (id=35198) [details]
> 0001-xfree86-dga-needs-to-use-the-master-keyboard-state-2.patch
> 
> sorry, uncommitted changes (an & missing) made the last patch fail to compile.
> Fixed now.

That seems to fix the bug, thanks.
Comment 8 Julien Cristau 2010-05-11 09:36:52 UTC 
commit 10de9e8ee37265a35ceeceb2007d711da70d4f2d
Author: Peter Hutterer <peter.hutterer@who-t.net>
Date:   Fri Apr 16 16:35:22 2010 +1000

    xfree86: dga needs to use the master keyboard state (#27573)
    
    GetPairedDevice() may not always return the keyboard, resulting in a
    null-pointer dereference when accessing the XKB state.
    For floating devices, the GetMaster() returns the device itself.
    
    X.Org Bug 27573 <http://bugs.freedesktop.org/show_bug.cgi?id=27573>
    
    Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
    Reviewed-by: Daniel Stone <daniel@fooishbar.org>
    Tested-by: Ben Hutchings <ben@decadent.org.uk>

closing, the fix is on master.

Use of freedesktop.org services, including Bugzilla, is subject to our Code of Conduct. How we collect and use information is described in our Privacy Policy.