Bug 91098

Summary: vmwgfx null ptr dereference at vmw_screen_ioctl.c:76 due to ioctl failure
Product: Mesa
Reporter: freedesktop
Component: Drivers/Gallium/vmwgfx
Assignee: mesa-dev
Status: RESOLVED WONTFIX
QA Contact: mesa-dev
Severity: normal
Priority: medium
Version: 10.6
Hardware: Other
OS: All

Description freedesktop 2015-06-24 20:23:36 UTC
I'm experiencing occasional crashes of gnome-shell (3.16) due to failed ioctls requested by Mesa's vmware DRI backend.

Any pointers on where I should take the apparent root issue would be appreciated - I have no idea whether Mesa or the kernel driver is at fault for the ioctl failing in the first place.

Kernel logs (v4.0.5) report an ioctl failure:

[15949.294396] [drm:vmw_generic_ioctl [vmwgfx]] *ERROR* Dropped master trying to access ioctl that requires authentication.
[15949.294400] [drm] IOCTL ERROR Command 65, Error -13.
[15949.296209] [drm:vmw_generic_ioctl [vmwgfx]] *ERROR* Dropped master trying to access ioctl that requires authentication.
[15949.296214] [drm] IOCTL ERROR Command 65, Error -13.
[15949.296468] [drm:vmw_generic_ioctl [vmwgfx]] *ERROR* Dropped master trying to access ioctl that requires authentication.
[15949.296470] [drm] IOCTL ERROR Command 87, Error -13.
[15949.296478] gnome-shell[337]: segfault at 20 ip 00007ff502cb4680 sp 00007ffeaeea96e8 error 4 in vmwgfx_dri.so[7ff50293f000+506000]

Followed by a crash of gnome-shell, due to an apparent null pointer dereference:

Core was generated by `gnome-shell --mode=gdm --wayland --display-server'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0  vmw_region_size (region=0x0) at vmw_screen_ioctl.c:76
76	   return region->size;
(gdb) bt
#0  vmw_region_size (region=0x0) at vmw_screen_ioctl.c:76
#1  0x00007ff502cb65cc in vmw_svga_winsys_surface_create (sws=0x145aaa0, flags=(SVGA3D_SURFACE_HINT_TEXTURE | SVGA3D_SURFACE_HINT_RENDERTARGET), format=SVGA3D_A8R8G8B8, usage=0, size=..., numFaces=1, 
    numMipLevels=1) at vmw_screen_svga.c:222
#2  0x00007ff502cc0d46 in svga_screen_surface_create (svgascreen=svgascreen@entry=0x145b9c0, key=key@entry=0x1cc8c90) at svga_screen_cache.c:449
#3  0x00007ff502cbf810 in svga_texture_create (screen=0x145b9c0, template=0x7ffeaeea9840) at svga_resource_texture.c:729
#4  0x00007ff502b0797b in st_texture_create (st=st@entry=0x1536270, target=<optimized out>, format=format@entry=PIPE_FORMAT_B8G8R8A8_UNORM, last_level=last_level@entry=0, width0=width0@entry=16, 
    height0=height0@entry=16, depth0=1, layers=1, nr_samples=0, bind=10) at state_tracker/st_texture.c:97
#5  0x00007ff502ada27d in guess_and_alloc_texture (st=st@entry=0x1536270, stObj=stObj@entry=0x268bc00, stImage=stImage@entry=0x16b5060) at state_tracker/st_cb_texture.c:464
#6  0x00007ff502ada3a5 in st_AllocTextureImageBuffer (ctx=0x150c200, texImage=0x16b5060) at state_tracker/st_cb_texture.c:517
#7  0x00007ff502adcb9c in st_TexImage (ctx=0x150c200, dims=2, texImage=0x16b5060, format=6408, type=5121, pixels=0x1f3bc80, unpack=0x15273f8) at state_tracker/st_cb_texture.c:875
#8  0x00007ff502a72e00 in teximage (ctx=0x150c200, compressed=compressed@entry=0 '\000', dims=dims@entry=2, target=3553, level=<optimized out>, internalFormat=<optimized out>, width=16, height=16, depth=1, 
    border=0, format=6408, type=5121, imageSize=0, pixels=0x1f3bc80) at main/teximage.c:3364
#9  0x00007ff502a740e0 in _mesa_TexImage2D (target=<optimized out>, level=<optimized out>, internalFormat=<optimized out>, width=<optimized out>, height=<optimized out>, border=<optimized out>, 
    format=6408, type=5121, pixels=0x1f3bc80) at main/teximage.c:3403
#10 0x00007ff513f093a3 in ?? () from /usr/lib/libcogl.so.20
#11 0x00007ff513efed94 in ?? () from /usr/lib/libcogl.so.20
#12 0x00007ff513f3008b in cogl_texture_allocate () from /usr/lib/libcogl.so.20
#13 0x00007ff513f31880 in cogl_texture_2d_new_from_data () from /usr/lib/libcogl.so.20
#14 0x00007ff5191a6b98 in pixbuf_to_cogl_texture (pixbuf=pixbuf@entry=0x2779de0) at st/st-texture-cache.c:473
#15 0x00007ff5191a6bf1 in finish_texture_load (data=data@entry=0x2568a50, pixbuf=pixbuf@entry=0x2779de0) at st/st-texture-cache.c:518
#16 0x00007ff5191a6daa in on_symbolic_icon_loaded (source=0x15f20f0, result=<optimized out>, user_data=0x2568a50) at st/st-texture-cache.c:553
#17 0x00007ff516fcc1f3 in ?? () from /usr/lib/libgio-2.0.so.0
#18 0x00007ff516fcc229 in ?? () from /usr/lib/libgio-2.0.so.0
#19 0x00007ff51682490d in g_main_context_dispatch () from /usr/lib/libglib-2.0.so.0
#20 0x00007ff516824ce0 in ?? () from /usr/lib/libglib-2.0.so.0
#21 0x00007ff516825002 in g_main_loop_run () from /usr/lib/libglib-2.0.so.0
#22 0x00007ff518183326 in meta_run () from /usr/lib/libmutter.so.0
#23 0x000000000040208d in main (argc=1, argv=0x7ffeaeeaa028) at main.c:463
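The backtrace above shows the failure chain in miniature: the kernel rejects a buffer-allocation ioctl with -13 (EACCES) because the caller has dropped DRM master, the userspace wrapper hands back a NULL region, and the caller passes it straight to vmw_region_size, which dereferences it. The following C program is an added illustration of that chain and of the check that prevents the crash; it is not Mesa's code, and the names fake_alloc_ioctl, region_create, region_size, surface_size_unchecked and surface_size_checked, along with the handle and size values, are constructed for this example.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model of a winsys "region": a kernel-backed buffer object
 * handed back by the driver's buffer-allocation ioctl. */
struct region {
    uint32_t handle;
    size_t size;
};

/* Stand-in for the kernel ioctl (hypothetical, not a real vmwgfx call).
 * Returns 0 on success or a negative errno. 'authenticated' models whether
 * the caller still holds DRM master or a valid authentication; a dropped
 * master gets -EACCES, which is the "Error -13" in the dmesg output above. */
static int fake_alloc_ioctl(int authenticated, size_t size, uint32_t *out_handle)
{
    if (!authenticated)
        return -EACCES;
    if (size == 0)
        return -EINVAL;
    *out_handle = 0x2a;   /* constructed handle value */
    return 0;
}

/* Userspace wrapper: NULL on failure, with errno set from the ioctl result. */
static struct region *region_create(int authenticated, size_t size)
{
    uint32_t handle;
    int ret = fake_alloc_ioctl(authenticated, size, &handle);
    if (ret < 0) {
        errno = -ret;
        return NULL;
    }
    struct region *r = calloc(1, sizeof *r);
    if (!r)
        return NULL;          /* errno is already ENOMEM from calloc */
    r->handle = handle;
    r->size = size;
    return r;
}

/* Equivalent of the crash site: dereferences its argument unconditionally. */
static size_t region_size(const struct region *r)
{
    return r->size;
}

/* Unchecked caller, mirroring the pattern in the backtrace. With
 * authenticated == 0 it dereferences NULL and faults reading a small offset
 * from address 0, the shape of the "segfault at 20" line above. */
static size_t surface_size_unchecked(int authenticated, size_t size)
{
    struct region *r = region_create(authenticated, size);
    size_t n = region_size(r);   /* r may be NULL here */
    free(r);
    return n;
}

/* Hardened caller: a NULL region is an allocation failure to be reported,
 * not a pointer to use. Returns the region size (>= 0) on success or a
 * negative errno on failure, so the error reaches the caller. */
static long surface_size_checked(int authenticated, size_t size)
{
    struct region *r = region_create(authenticated, size);
    if (!r) {
        int err = errno;
        fprintf(stderr, "region_create(%zu) failed: %s\n", size, strerror(err));
        return -err;
    }
    long n = (long)region_size(r);
    free(r);
    return n;
}

int main(void)
{
    /* Healthy path: both callers agree. */
    printf("unchecked, authenticated: %zu\n", surface_size_unchecked(1, 4096));
    printf("checked,   authenticated: %ld\n", surface_size_checked(1, 4096));
    /* Dropped-master path: only the checked caller survives it. */
    printf("checked, dropped master:  %ld\n", surface_size_checked(0, 4096));
    return 0;
}
```

The design point is that the ioctl failure is not a bug in itself (the kernel is enforcing its authentication rule); the defect is in the caller that assumes the wrapper cannot fail. Propagating the negative errno lets the surface-creation path fail cleanly and lets the application log why, which is also what makes the dropped-master condition visible instead of surfacing only as a segfault.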
Comment 1 Thomas Hellström 2015-06-24 21:03:27 UTC
Hi.

Thanks for the bug report.

I think the root problem is gnome-shell(gdm) dropping its master privileges and then trying to render.

The reason this is not allowed in the vmwgfx driver is the following scenario:
1) A user switches away the X server VT and gets a console terminal.
2) User launches a DRM-aware malicious app that becomes master and authenticates itself.
3) The user switches back to the X server.
4) The malicious app can now open exported buffer objects at will and access or manipulate user private data. This is correctly blocked in the vmwgfx driver.

So this is AFAICT a gnome-shell (gdm mode) bug. It shouldn't render when it drops its master privileges, so the gnome bugzilla would be good to start with. We'll follow up.
Comment 2 Brian Paul 2018-09-15 03:13:49 UTC
There's been no follow-up from the original poster. Closing. Re-open if it's still an issue for you.
