Bug 14426 - SIGSEGV in NVAccelUploadIFC
Status: RESOLVED FIXED
Product: xorg
Classification: Unclassified
Component: Driver/nouveau
Version: 7.3 (2007.09)
Hardware: x86-64 (AMD64) Linux (All)
Importance: medium normal
Assignee: Nouveau Project
QA Contact: Xorg Project Team
Reported: 2008-02-08 10:39 UTC by Jaime Velasco Juan
Modified: 2008-03-06 15:20 UTC
Attachments
xorg.log (not the same run as the above backtrace) (91.77 KB, text/plain)
2008-02-08 10:39 UTC, Jaime Velasco Juan
Xorg.log with DMA_TRACE and DMA_DEBUG enabled (186.57 KB, text/plain)
2008-02-09 09:03 UTC, Jaime Velasco Juan
Do not access beyond source pixmap in NVAccelUploadIFC (1.62 KB, patch)
2008-02-16 07:10 UTC, Jaime Velasco Juan

Description Jaime Velasco Juan 2008-02-08 10:39:39 UTC
Created attachment 14218
xorg.log (not the same run as the above backtrace)

I can reliably cause SIGSEGV in the Xserver following these steps:
1 - launch Xephyr with gdmflexyserver -n
2 - log in to GNOME

The server crashes before GNOME has finished loading (the nested GNOME).
In fact, using Xephyr with other clients also makes the server crash, but
it takes more time.

Backtrace: (I hope it's right, I got symbols' names with addr2line)

0: /usr/bin/X(xf86SigHandler+0x6a) [0x47568a]
1: /lib/libc.so.6 [0x2aac59730090]
2: /lib/libc.so.6(memcpy+0x63) [0x2aac5977acf3]
3: /usr/lib/xorg/modules/drivers//nouveau_drv.so [0x2aac5b4b8b6a]
  nouveau_dma_outp
  /home/jaime/src/nouveau/xf86-video-nouveau/src/nouveau_dma.h:86
4: /usr/lib/xorg/modules/drivers//nouveau_drv.so [0x2aac5b4b8afa]
  NVAccelUploadIFC
  /home/jaime/src/nouveau/xf86-video-nouveau/src/nv_exa.c:529
5: /usr/lib/xorg/modules/drivers//nouveau_drv.so [0x2aac5b4b85c3]
  NVUploadToScreen
  /home/jaime/src/nouveau/xf86-video-nouveau/src/nv_exa.c:633
6: /usr/lib/xorg/modules//libexa.so [0x2aac5d4c87d0]
  exaPutImage
7: /usr/bin/X [0x524ea4]
8: /usr/bin/X [0x4fa1c2]
9: /usr/bin/X [0x4fb2e0]
10: /usr/bin/X [0x4fbf7c]
11: /usr/bin/X(Dispatch+0x2e0) [0x44e3b0]
12: /usr/bin/X(main+0x47d) [0x436b8d]
13: /lib/libc.so.6(__libc_start_main+0xf4) [0x2aac5971c1c4]
14: /usr/bin/X(FontFileCompleteXLFD+0x279) [0x435ec9]

My card is a GeForce Go 7300.
Comment 1 Jaime Velasco Juan 2008-02-08 10:51:41 UTC
Sorry, I selected the wrong component
Comment 2 Jaime Velasco Juan 2008-02-09 09:03:17 UTC
Created attachment 14237
Xorg.log with DMA_TRACE and DMA_DEBUG enabled

I enabled NOUVEAU_DMA_DEBUG and NOUVEAU_DMA_TRACE.

The bug triggers when the input needs padding. The code reads the padding bytes from the input data, but after the last line of the input there is no valid data and the driver gets a SIGSEGV. If I force the driver to skip the last line it doesn't crash (but I get some corruption).
Comment 3 Jaime Velasco Juan 2008-02-16 07:10:16 UTC
Created attachment 14356
Do not access beyond source pixmap in NVAccelUploadIFC

This patch fixes the issue for me
Comment 4 Danny 2008-02-27 02:04:54 UTC
I can confirm this. Would be nice to see it fixed in git as well?

danny
Comment 5 Stephane Marchesin 2008-03-06 15:20:50 UTC
Thanks for the patch! Tested and pushed.
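
The failure mode described in Comment 2, as an added C illustration (not the nouveau driver's code and not the attached patch): a row-by-row upload that takes padding bytes from the source reads past the end of the buffer on the last row, while the bounded form copies only real data and zero-fills the padding. The 32-bit padding unit and all function names here are assumptions made for the example.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Assumed padding unit: each uploaded row is rounded up to whole 32-bit words. */
static size_t padded_len(size_t row_bytes) { return (row_bytes + 3) & ~(size_t)3; }

/* Unsafe pattern, analysed rather than executed: copying padded_len() bytes per
 * row takes the padding from whatever follows the row in the source. Returns how
 * many bytes past the end of the source the copy of the last row would read. */
size_t overread_bytes(size_t row_bytes, size_t src_pitch, size_t rows)
{
    size_t src_size = (rows - 1) * src_pitch + row_bytes;
    size_t last_end = (rows - 1) * src_pitch + padded_len(row_bytes);
    return last_end > src_size ? last_end - src_size : 0;
}

/* Bounded form: copy only the real row bytes, then zero-fill the padding. */
int upload_rows_bounded(uint8_t *dst, size_t dst_size, const uint8_t *src,
                        size_t src_size, size_t row_bytes, size_t src_pitch,
                        size_t rows)
{
    size_t out = padded_len(row_bytes);
    if (rows == 0 || row_bytes == 0 || row_bytes > SIZE_MAX - 3 ||
        src_pitch < row_bytes)
        return -1;
    if (rows > SIZE_MAX / out || rows - 1 > (SIZE_MAX - row_bytes) / src_pitch)
        return -1;                              /* size arithmetic would wrap */
    if (src_size < (rows - 1) * src_pitch + row_bytes || dst_size < rows * out)
        return -1;                              /* caller's buffers too small */
    for (size_t y = 0; y < rows; y++) {
        memcpy(dst + y * out, src + y * src_pitch, row_bytes);
        memset(dst + y * out + row_bytes, 0, out - row_bytes);
    }
    return 0;
}

/* Constructed sample: 3 rows of 5 bytes, tightly packed in exactly 15 bytes.
 * Returns 1 when the last row holds 5 data bytes followed by zero padding. */
int demo(void)
{
    uint8_t *src = malloc(15), dst[24];
    if (!src) return -1;
    memset(src, 0xAB, 15);
    memset(dst, 0xFF, sizeof dst);
    int rc = upload_rows_bounded(dst, sizeof dst, src, 15, 5, 5, 3);
    free(src);
    return rc == 0 && dst[20] == 0xAB && dst[21] == 0 && dst[23] == 0;
}
int main(void) { return demo() == 1 && overread_bytes(5, 5, 3) == 3 ? 0 : 1; }
```

Building this with AddressSanitizer and replacing the bounded copy with a `padded_len()`-sized `memcpy` from the source reports the over-read on the last row of the 15-byte buffer.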

