Bug 18451 - Xorg server 1.5.2 SEGV during XFixesGetCursorImage()
Status: NEW
Alias: None
Product: xorg
Classification: Unclassified
Component: Server/General
Version: git
Hardware: All All
Importance: highest normal
Assignee: Xorg Project Team
QA Contact: Xorg Project Team
 
Reported: 2008-11-08 17:56 UTC by Karl Runge
Modified: 2017-12-06 16:08 UTC



Attachments
Xorg.0.log output and xorg.conf (55.40 KB, text/plain)
2008-11-08 17:56 UTC, Karl Runge
Scope callback data for use by callback. (7.65 KB, patch)
2010-08-10 01:39 UTC, Chris Wilson

Description Karl Runge 2008-11-08 17:56:12 UTC
Created attachment 20159
Xorg.0.log output and xorg.conf

I have a test machine running ubuntu 8.10 that is running this version
of the X server:

  X.Org X Server 1.5.2
  Release Date: 10 October 2008
  X Protocol Version 11, Revision 0
  Build Operating System: Linux 2.6.24-19-server i686 Ubuntu
  Current Operating System: Linux fred-desktop 2.6.27-7-generic #1 SMP Tue Nov 4 19:33:20 UTC 2008 i686
  Build Date: 24 October 2008  08:00:16AM
  xorg-server 2:1.5.2-2ubuntu3 (buildd@rothera.buildd)

The x11vnc (http://www.karlrunge.com/x11vnc) VNC server uses
XFixesGetCursorImage() to retrieve the current cursor's pixels.

Normally this is working fine with X.Org X Server 1.5.2.  However, at
a critical point when GDM is starting the user's X session, this crash
occurs nearly always:

  Backtrace:
  0: /usr/X11R6/bin/X(xf86SigHandler+0x79) [0x80c3009]
  1: [0xb7f89400]
  2: /usr/X11R6/bin/X [0x8158279]
  3: /usr/X11R6/bin/X(CallCallbacks+0x4e) [0x80909ae]
  4: /usr/X11R6/bin/X(XaceHook+0x7e) [0x815702e]
  5: /usr/X11R6/bin/X(ProcXFixesGetCursorImageAndName+0x8b) [0x8147e9b]
  6: /usr/X11R6/bin/X [0x814639c]
  7: /usr/X11R6/bin/X(Dispatch+0x34f) [0x808c89f]
  8: /usr/X11R6/bin/X(main+0x47d) [0x8071d1d]
  9: /lib/tls/i686/cmov/libc.so.6(__libc_start_main+0xe5) [0xb7b93685]
  10: /usr/X11R6/bin/X [0x8071101]
  Saw signal 11.  Server aborting.
  (II) Macintosh mouse button emulation: Close
  (II) UnloadModule: "evdev"
  (II) ImPS/2 Generic Wheel Mouse: Close
  (II) UnloadModule: "evdev"
  (II) AT Translated Set 2 keyboard: Close
  (II) UnloadModule: "evdev"
  (II) AIGLX: Suspending AIGLX clients for VT switch
  (II) CHROME(0): VIALeaveVT
  (II) CHROME(0): [drm] Cleaning up DMA ring-buffer.
  (II) CHROME(0): ViaCursorStore
  (II) CHROME(0): VIARestore
  (II) CHROME(0): ViaDisablePrimaryFIFO

Some others are reporting this problem:

  http://ubuntuforums.org/showthread.php?t=965695
  http://ubuntuforums.org/showthread.php?t=968044

The way this mode works is that x11vnc exports via VNC the X server
when it is showing the GDM greeter login.  The user connects via VNC and
then logs in via his username and password.  GDM then starts the user's
X session.

Normally at this point GDM will kill all clients (via XKillClient(3));
however, one uses the GDM 'KillInitClients=false' setting to prevent this.

Previously this worked fine and the user would not be disconnected after
he logs in.  Now, however, the X server actually crashes right after he
logs in.

It is not clear to me what could be making the X server vulnerable at
this point, when GDM starts the user's X session...

Karl Runge
Comment 1 Michalr 2009-07-27 03:56:52 UTC
I am experiencing the crash with version 1.6.0 (also with x11vnc when session is starting):

X.Org X Server 1.6.0
Release Date: 2009-2-25
X Protocol Version 11, Revision 0
Build Operating System: Linux 2.6.24-23-server i686 Ubuntu
Current Operating System: Linux mic 2.6.28-14-generic #46-Ubuntu SMP Wed Jul 8 07:21:34 UTC 2009 i686
Build Date: 09 April 2009 02:10:02AM
xorg-server 2:1.6.0-0ubuntu14 (buildd@rothera.buildd)
.....
.....
Backtrace:
0: /usr/X11R6/bin/X(xorg_backtrace+0x3b) [0x813518b]
1: /usr/X11R6/bin/X(xf86SigHandler+0x55) [0x80c7be5]
2: [0xb7fe0400]
3: /usr/X11R6/bin/X [0x8161a55]
4: /usr/X11R6/bin/X(CallCallbacks+0x4e) [0x80916be]
5: /usr/X11R6/bin/X(XaceHook+0x7e) [0x815ff5e]
6: /usr/X11R6/bin/X(ProcXFixesGetCursorImageAndName+0x8b) [0x814cb3b]
7: /usr/X11R6/bin/X [0x814af7c]
8: /usr/X11R6/bin/X(Dispatch+0x33f) [0x808d57f]
9: /usr/X11R6/bin/X(main+0x3bd) [0x80722ed]
10: /lib/tls/i686/cmov/libc.so.6(__libc_start_main+0xe5) [0xb7ba7775]
11: /usr/X11R6/bin/X [0x80717a1]
Saw signal 11.  Server aborting.

Please let me know if I can provide more info.
Comment 2 Karl Q 2009-08-16 21:52:00 UTC
I too am having this problem.

http://ubuntuforums.org/showthread.php?p=7798663
Comment 3 Karl Runge 2010-08-09 21:10:15 UTC
I still see this bug in: X.Org X Server 1.7.7 Release Date: 2010-05-04

I saw this testing with the mandriva 2010.1 live CD. XFixesGetCursorImage() induces the X server crash; as in my original bug report, x11vnc was used.  Note that KDM (not GDM) is used this time (mandriva live CD).


Is this bug ever going to be addressed???


Searching on ProcXFixesGetCursorImageAndName, I found this bug report:

      https://bugs.launchpad.net/ubuntu/+source/xorg-server/+bug/526919

that induces the same X server SEGV but does not use x11vnc.
Comment 4 Chris Wilson 2010-08-10 01:39:39 UTC
Created attachment 37760 (patch)
Scope callback data for use by callback.
Comment 5 Karl Runge 2010-08-10 10:16:56 UTC
Thank you very much Chris.

So, if I understand things correctly, the patch you included in your post will at some point be applied to http://cgit.freedesktop.org/xorg/xserver/tree/Xext/xace.c and ultimately make it into an Xorg release?

I don't see your changes in http://cgit.freedesktop.org/xorg/xserver/tree/Xext/xace.c so I assume that means no Xorg release has them.  Am I correct about that, or have I missed something?

Karl
Comment 6 Alan Hourihane 2017-12-06 16:07:35 UTC
No, the fix that Chris added doesn't fix this issue.

Please see RedHat's bugzilla database.

https://bugzilla.redhat.com/show_bug.cgi?id=1357694

which has a valid fix to bump the refcount on used cursors.
Comment 7 Alan Hourihane 2017-12-06 16:08:39 UTC
Actually, Chris's fix might fix this error, but there's another crash, as reported in the RedHat database.
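The backtraces in this bug show the server running a XaceHook callback chain from inside ProcXFixesGetCursorImageAndName, and the RedHat bug linked above describes the working fix as bumping the reference count on cursors that are in use. The following is an added illustration, not code from the X server, from Chris's attachment or from the RedHat patch: a minimal refcounted cursor plus a hook chain, showing why a request handler must take its own reference before running callbacks that may replace (and so free) the object it is about to read. Every name here (Cursor, hook_swap_cursor, get_cursor_image, run_scenario) and the scenario itself are hypothetical.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical refcounted cursor; not the xserver's CursorRec. */
typedef struct Cursor {
    int refcnt;
    unsigned char pixels[4];   /* stand-in for the cursor image */
} Cursor;

static int freed_cursors = 0;          /* bookkeeping so the outcome can be checked */
static Cursor *current_cursor = NULL;  /* the display's cursor (one reference held) */

static Cursor *cursor_new(unsigned char fill) {
    Cursor *c = calloc(1, sizeof *c);
    if (!c) abort();
    c->refcnt = 1;
    memset(c->pixels, fill, sizeof c->pixels);
    return c;
}

static void cursor_ref(Cursor *c) { c->refcnt++; }

static void cursor_unref(Cursor *c) {
    if (--c->refcnt == 0) {
        freed_cursors++;
        free(c);
    }
}

/* Replace the display's cursor; the old one loses the display's reference. */
static void set_current_cursor(Cursor *c) {
    Cursor *old = current_cursor;
    if (c) cursor_ref(c);
    current_cursor = c;
    if (old) cursor_unref(old);
}

/* Hook chain modelled loosely on a XaceHook-style access check. */
typedef void (*hook_fn)(Cursor *subject);
#define MAX_HOOKS 4
static hook_fn hooks[MAX_HOOKS];
static int nhooks = 0;

static void add_hook(hook_fn fn) { if (nhooks < MAX_HOOKS) hooks[nhooks++] = fn; }

static void call_hooks(Cursor *subject) {
    for (int i = 0; i < nhooks; i++) hooks[i](subject);
}

/* Constructed hook with a side effect: it swaps the display cursor, which is
 * exactly the kind of thing that can happen while a request is in flight. */
static void hook_swap_cursor(Cursor *subject) {
    (void)subject;
    Cursor *fresh = cursor_new(0xBB);
    set_current_cursor(fresh);   /* old cursor drops to the request's reference only */
    cursor_unref(fresh);         /* the display now owns the replacement */
}

/* The request handler: copies the cursor image into out and returns the sum
 * of the bytes copied. It holds its own reference across the hook chain, so
 * the cursor cannot be freed underneath the memcpy even if a hook replaces it. */
static int get_cursor_image(unsigned char out[4]) {
    Cursor *c = current_cursor;
    int sum = 0;
    if (!c) return -1;
    cursor_ref(c);               /* the guard: keep c alive for this request */
    call_hooks(c);
    for (int i = 0; i < 4; i++) { out[i] = c->pixels[i]; sum += out[i]; }
    cursor_unref(c);             /* may free c here; c is not touched afterwards */
    return sum;
}

/* Scenario: a 0xAA cursor is current, a hook swaps it mid-request. Returns the
 * pixel sum read by the request; *freed_after_request receives how many
 * cursors had been freed by the time the request finished. */
static int run_scenario(int *freed_after_request) {
    unsigned char px[4];
    nhooks = 0;
    freed_cursors = 0;
    set_current_cursor(NULL);

    Cursor *c0 = cursor_new(0xAA);
    set_current_cursor(c0);
    cursor_unref(c0);            /* the display holds the only reference now */
    add_hook(hook_swap_cursor);

    int sum = get_cursor_image(px);
    *freed_after_request = freed_cursors;   /* old cursor freed once, after use */

    set_current_cursor(NULL);    /* release the replacement too */
    return sum;
}

int main(void) {
    int freed = 0;
    int sum = run_scenario(&freed);
    printf("pixel sum %d (all 0xAA), cursors freed during request: %d\n", sum, freed);
    return 0;
}
```

Without the cursor_ref/cursor_unref pair in get_cursor_image, hook_swap_cursor's set_current_cursor would drop the last reference and the later pixel copy would read freed memory, which is the class of failure a SEGV inside CallCallbacks points at; the reference held by the request is what the "bump the refcount on used cursors" fix supplies.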

