Bug 18451 - Xorg server 1.5.2 SEGV during XFixesGetCursorImage()
Status: NEW
Product: xorg
Classification: Unclassified
Component: Server/General
Version: unspecified
Hardware: x86 (IA32) Linux (All)
Importance: medium normal
Assigned To: Xorg Project Team
Depends on:
Blocks:
Reported: 2008-11-08 17:56 UTC by Karl Runge
Modified: 2010-08-10 10:16 UTC (History)


Attachments
Xorg.0.log output and xorg.conf (55.40 KB, text/plain), 2008-11-08 17:56 UTC, Karl Runge
Scope callback data for use by callback. (7.65 KB, patch), 2010-08-10 01:39 UTC, Chris Wilson

Description Karl Runge 2008-11-08 17:56:12 UTC
Created attachment 20159: Xorg.0.log output and xorg.conf

I have a test machine running ubuntu 8.10 that is running this version
of the X server:

  X.Org X Server 1.5.2
  Release Date: 10 October 2008
  X Protocol Version 11, Revision 0
  Build Operating System: Linux 2.6.24-19-server i686 Ubuntu
  Current Operating System: Linux fred-desktop 2.6.27-7-generic #1 SMP Tue Nov 4 19:33:20 UTC 2008 i686
  Build Date: 24 October 2008  08:00:16AM
  xorg-server 2:1.5.2-2ubuntu3 (buildd@rothera.buildd)

The x11vnc (http://www.karlrunge.com/x11vnc) VNC server uses
XFixesGetCursorImage() to retrieve the current cursor's pixels.

Normally this is working fine with X.Org X Server 1.5.2.  However, at
a critical point when GDM is starting the user's X session, this crash
occurs nearly always:

  Backtrace:
  0: /usr/X11R6/bin/X(xf86SigHandler+0x79) [0x80c3009]
  1: [0xb7f89400]
  2: /usr/X11R6/bin/X [0x8158279]
  3: /usr/X11R6/bin/X(CallCallbacks+0x4e) [0x80909ae]
  4: /usr/X11R6/bin/X(XaceHook+0x7e) [0x815702e]
  5: /usr/X11R6/bin/X(ProcXFixesGetCursorImageAndName+0x8b) [0x8147e9b]
  6: /usr/X11R6/bin/X [0x814639c]
  7: /usr/X11R6/bin/X(Dispatch+0x34f) [0x808c89f]
  8: /usr/X11R6/bin/X(main+0x47d) [0x8071d1d]
  9: /lib/tls/i686/cmov/libc.so.6(__libc_start_main+0xe5) [0xb7b93685]
  10: /usr/X11R6/bin/X [0x8071101]
  Saw signal 11.  Server aborting.
  (II) Macintosh mouse button emulation: Close
  (II) UnloadModule: "evdev"
  (II) ImPS/2 Generic Wheel Mouse: Close
  (II) UnloadModule: "evdev"
  (II) AT Translated Set 2 keyboard: Close
  (II) UnloadModule: "evdev"
  (II) AIGLX: Suspending AIGLX clients for VT switch
  (II) CHROME(0): VIALeaveVT
  (II) CHROME(0): [drm] Cleaning up DMA ring-buffer.
  (II) CHROME(0): ViaCursorStore
  (II) CHROME(0): VIARestore
  (II) CHROME(0): ViaDisablePrimaryFIFO

Some others are reporting this problem:

  http://ubuntuforums.org/showthread.php?t=965695
  http://ubuntuforums.org/showthread.php?t=968044

The way this mode works is that x11vnc exports via VNC the X server
when it is showing the GDM greeter login.  The user connects via VNC and
then logs in via his username and password.  GDM then starts the user's
X session.

Normally at this point GDM will kill all clients (via XKillClient(3));
however, one uses the GDM 'KillInitClients=false' setting to prevent this.

Previously this worked fine and the user would not be disconnected after
he logs in.  Now, however, the X server actually crashes right after he
logs in.

It is not clear to me what could be making the X server vulnerable at
this point, when GDM starts the user's X session...

Karl Runge
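As an added example (not part of the bug report and not X.Org or x11vnc code), here is a small Python parser for the Xorg backtrace format quoted above. A log-monitoring job could run it over Xorg.0.log to detect this particular crash signature: a SIGSEGV whose stack passes through CallCallbacks, XaceHook and ProcXFixesGetCursorImageAndName. The sample lines are copied from the description above and embedded as a constructed string; the signature tuple and function names are my own choices.

```python
import re

# Constructed sample input: the backtrace quoted in the bug description,
# with one ordinary log line before and after it.
SAMPLE_LOG = """\
(II) AIGLX: Loaded and initialized /usr/lib/dri/swrast_dri.so
Backtrace:
0: /usr/X11R6/bin/X(xf86SigHandler+0x79) [0x80c3009]
1: [0xb7f89400]
2: /usr/X11R6/bin/X [0x8158279]
3: /usr/X11R6/bin/X(CallCallbacks+0x4e) [0x80909ae]
4: /usr/X11R6/bin/X(XaceHook+0x7e) [0x815702e]
5: /usr/X11R6/bin/X(ProcXFixesGetCursorImageAndName+0x8b) [0x8147e9b]
6: /usr/X11R6/bin/X [0x814639c]
7: /usr/X11R6/bin/X(Dispatch+0x34f) [0x808c89f]
8: /usr/X11R6/bin/X(main+0x47d) [0x8071d1d]
9: /lib/tls/i686/cmov/libc.so.6(__libc_start_main+0xe5) [0xb7b93685]
10: /usr/X11R6/bin/X [0x8071101]
Saw signal 11.  Server aborting.
(II) Macintosh mouse button emulation: Close
"""

# One frame: "<n>: <module>(<symbol>+<offset>) [<addr>]".  The module and the
# parenthesised symbol+offset are each optional (see frames 1 and 2 above).
FRAME_RE = re.compile(
    r"^(?P<idx>\d+): "
    r"(?:(?P<module>\S+?)(?:\((?P<symbol>[^+)]+)\+(?P<offset>0x[0-9a-fA-F]+)\))?)?"
    r"\s*\[(?P<addr>0x[0-9a-fA-F]+)\]$"
)
SIGNAL_RE = re.compile(r"^Saw signal (\d+)\.")

# Innermost-to-outermost symbols that identify this report's crash path
# (assumed signature, chosen from the backtrace in the report).
XFIXES_CURSOR_SIGNATURE = ("CallCallbacks", "XaceHook",
                           "ProcXFixesGetCursorImageAndName")


def parse_backtrace(log_text):
    """Parse the first 'Backtrace:' block in log_text.

    Returns (frames, signal): frames is a list of dicts with keys idx, module,
    symbol, offset and addr (missing parts are None, numbers are ints); signal
    is the number from the 'Saw signal N.' line that ends the block, or None.
    """
    frames, signal, in_backtrace = [], None, False
    for raw in log_text.splitlines():
        line = raw.strip()
        if not in_backtrace:
            in_backtrace = (line == "Backtrace:")
            continue
        m = FRAME_RE.match(line)
        if m:
            frames.append({
                "idx": int(m.group("idx")),
                "module": m.group("module"),
                "symbol": m.group("symbol"),
                "offset": int(m.group("offset"), 16) if m.group("offset") else None,
                "addr": int(m.group("addr"), 16),
            })
            continue
        sig = SIGNAL_RE.match(line)
        if sig:
            signal = int(sig.group(1))
        break  # the first non-frame line ends the backtrace block
    return frames, signal


def matches_signature(frames, signal, signature=XFIXES_CURSOR_SIGNATURE,
                      sig_number=11):
    """True when the crash is signal sig_number and the signature's symbols
    occur in the backtrace as a subsequence, innermost frame first."""
    if signal != sig_number:
        return False
    remaining = iter(signature)
    target = next(remaining, None)
    for frame in frames:  # Xorg lists the innermost frame first
        if target is not None and frame["symbol"] == target:
            target = next(remaining, None)
            if target is None:
                return True
    return False


def scan_log(log_text):
    """Summarise the first crash found in an Xorg log."""
    frames, signal = parse_backtrace(log_text)
    return {"signal": signal, "frames": len(frames),
            "xfixes_cursor_crash": matches_signature(frames, signal)}


if __name__ == "__main__":
    print(scan_log(SAMPLE_LOG))
```

The parser stops at the first line after the block that is neither a frame nor the signal line, so the surrounding driver messages are ignored; a real deployment would feed it the tail of Xorg.0.log after each server restart.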
Comment 1 Michalr 2009-07-27 03:56:52 UTC
I am experiencing the crash with version 1.6.0 (also with x11vnc when the session is starting):

X.Org X Server 1.6.0
Release Date: 2009-2-25
X Protocol Version 11, Revision 0
Build Operating System: Linux 2.6.24-23-server i686 Ubuntu
Current Operating System: Linux mic 2.6.28-14-generic #46-Ubuntu SMP Wed Jul 8 07:21:34 UTC 2009 i686
Build Date: 09 April 2009 02:10:02AM
xorg-server 2:1.6.0-0ubuntu14 (buildd@rothera.buildd)
.....
.....
Backtrace:
0: /usr/X11R6/bin/X(xorg_backtrace+0x3b) [0x813518b]
1: /usr/X11R6/bin/X(xf86SigHandler+0x55) [0x80c7be5]
2: [0xb7fe0400]
3: /usr/X11R6/bin/X [0x8161a55]
4: /usr/X11R6/bin/X(CallCallbacks+0x4e) [0x80916be]
5: /usr/X11R6/bin/X(XaceHook+0x7e) [0x815ff5e]
6: /usr/X11R6/bin/X(ProcXFixesGetCursorImageAndName+0x8b) [0x814cb3b]
7: /usr/X11R6/bin/X [0x814af7c]
8: /usr/X11R6/bin/X(Dispatch+0x33f) [0x808d57f]
9: /usr/X11R6/bin/X(main+0x3bd) [0x80722ed]
10: /lib/tls/i686/cmov/libc.so.6(__libc_start_main+0xe5) [0xb7ba7775]
11: /usr/X11R6/bin/X [0x80717a1]
Saw signal 11.  Server aborting.

Please let me know if I can provide more info.
Comment 2 Karl Q 2009-08-16 21:52:00 UTC
I too am having this problem.

http://ubuntuforums.org/showthread.php?p=7798663
Comment 3 Karl Runge 2010-08-09 21:10:15 UTC
I still see this bug in: X.Org X Server 1.7.7 Release Date: 2010-05-04

I saw this testing with the Mandriva 2010.1 live CD. XFixesGetCursorImage() induces the X server crash; as in my original bug report, x11vnc was used.  Note that KDM (not GDM) is used this time (Mandriva live CD).


Is this bug ever going to be addressed???


Searching on ProcXFixesGetCursorImageAndName, I found this bug report:

      https://bugs.launchpad.net/ubuntu/+source/xorg-server/+bug/526919

that induces the same X server SEGV but does not use x11vnc.
Comment 4 Chris Wilson 2010-08-10 01:39:39 UTC
Created attachment 37760 (patch): Scope callback data for use by callback.
Comment 5 Karl Runge 2010-08-10 10:16:56 UTC
Thank you very much Chris.

So, if I understand things correctly, the patch you included in your post will at some point be applied to http://cgit.freedesktop.org/xorg/xserver/tree/Xext/xace.c and ultimately make it into an Xorg release?

I don't see your changes in http://cgit.freedesktop.org/xorg/xserver/tree/Xext/xace.c so I assume that means no Xorg release has them.  Am I correct about that, or have I missed something?

Karl