I have a usb-keyboard attached to my desktop machine, and noticed that removing the keyboard dongle (keyboard itself is wireless) and reattaching it causes a double free error.

Software versions:
x11-libs/libdrm-2.4.16
media-libs/mesa-7.7_rc2 USE="nptl xcb -debug -gallium -motif -pic"
x11-base/xorg-server-1.7.3.901 USE="hal ipv6 nptl sdl xorg -debug -dmx -kdrive -minimal -tslib"
x11-drivers/xf86-video-intel-2.9.1
x11-drivers/xf86-input-evdev-2.3.1
Linux sol 2.6.32 #49 SMP

Although it doesn't seem to be the right place to report it, I just followed the trace:

[snip]
Program received signal SIGABRT, Aborted.
0x00007fb2ca3241b5 in *__GI_raise (sig=<value optimized out>) at ../nptl/sysdeps/unix/sysv/linux/raise.c:64
64 ../nptl/sysdeps/unix/sysv/linux/raise.c: No such file or directory.
in ../nptl/sysdeps/unix/sysv/linux/raise.c
(gdb) bt
#0 0x00007fb2ca3241b5 in *__GI_raise (sig=<value optimized out>) at ../nptl/sysdeps/unix/sysv/linux/raise.c:64
#1 0x00007fb2ca3255e0 in *__GI_abort () at abort.c:92
#2 0x00007fb2ca35ee77 in __libc_message (do_abort=<value optimized out>, fmt=<value optimized out>) at ../sysdeps/unix/sysv/linux/libc_fatal.c:186
#3 0x00007fb2ca364406 in malloc_printerr (action=3, str=0x7fb2ca412bf0 "double free or corruption (!prev)", ptr=<value optimized out>) at malloc.c:6264
#4 0x00007fb2ca3691ac in *__GI___libc_free (mem=<value optimized out>) at malloc.c:3738
#5 0x00007fb2c8916231 in drm_intel_gem_bo_unreference_final (bo=0x2a23d10, time=410) at intel_bufmgr_gem.c:790
#6 0x00007fb2c89161fb in drm_intel_gem_bo_unreference_locked_timed (bo=0x2a23dc0, time=410) at intel_bufmgr_gem.c:825
#7 drm_intel_gem_bo_unreference_final (bo=0x2a23dc0, time=410) at intel_bufmgr_gem.c:778
#8 0x00007fb2c89161fb in drm_intel_gem_bo_unreference_locked_timed (bo=0x2b603f0, time=410) at intel_bufmgr_gem.c:825
#9 drm_intel_gem_bo_unreference_final (bo=0x2b603f0, time=410) at intel_bufmgr_gem.c:778
#10 0x00007fb2c891644e in drm_intel_gem_bo_unreference (bo=0x2b603f0) at intel_bufmgr_gem.c:841
#11 0x00007fb2c8b33fdf in intel_batch_flush (pScrn=0xd491b0, flushed=<value optimized out>) at i830_batchbuffer.c:212
#12 0x00007fb2c8b3fcc8 in I830BlockHandler (i=<value optimized out>, blockData=<value optimized out>, pTimeout=0x7fff617fe768, pReadmask=0x7b9ee0) at i830_driver.c:2190
#13 0x00000000004b8982 in AnimCurScreenBlockHandler (screenNum=<value optimized out>, blockData=<value optimized out>, pTimeout=<value optimized out>, pReadmask=<value optimized out>) at animcur.c:211
#14 0x0000000000490cd4 in compBlockHandler (i=0, blockData=0x0, pTimeout=0x7fff617fe768, pReadmask=<value optimized out>) at compinit.c:166
#15 0x000000000043f515 in BlockHandler (pTimeout=0x7fff617fe768, pReadmask=0x7b9ee0) at dixutils.c:379
#16 0x000000000045cfdc in WaitForSomething (pClientsReady=<value optimized out>) at WaitFor.c:216
#17 0x000000000042c7b9 in Dispatch () at dispatch.c:381
#18 0x000000000042197a in main (argc=9, argv=0x7b91c8, envp=<value optimized out>) at main.c:285
[/snip]
Created attachment 32071 Xorg.0.log

Relevant Xorg.log lines:

[snip]
X.Org X Server 1.7.3.901 (1.7.4 RC 1)
Release Date: 2009-12-11
X Protocol Version 11, Revision 0
Build Operating System: Linux 2.6.32-rc6 x86_64
Current Operating System: Linux sol 2.6.32 #49 SMP Mon Dec 14 20:11:21 EET 2009 x86_64
Kernel command line: root=/dev/sda3 i915.modeset=1
Build Date: 14 December 2009 06:20:58PM
Current version of pixman: 0.17.2
....skipped...
....here I removed the dongle...
(II) config/hal: removing device Logitech USB Receiver
(II) Logitech USB Receiver: Close
(II) UnloadModule: "evdev"
(II) config/hal: removing device Logitech USB Receiver
(II) Logitech USB Receiver: Close
(II) UnloadModule: "evdev"
...Reattached the dongle...
(II) config/hal: Adding input device Logitech USB Receiver
(**) Logitech USB Receiver: always reports core events
(**) Logitech USB Receiver: Device: "/dev/input/event10"
(II) Logitech USB Receiver: Found keys
(II) Logitech USB Receiver: Configuring as keyboard
(II) XINPUT: Adding extended input device "Logitech USB Receiver" (type: KEYBOARD)
(**) Option "xkb_rules" "evdev"
(**) Option "xkb_model" "evdev"
(**) Option "xkb_layout" "us"
(II) config/hal: Adding input device Logitech USB Receiver
(**) Logitech USB Receiver: always reports core events
(**) Logitech USB Receiver: Device: "/dev/input/event11"
(II) Logitech USB Receiver: Found 12 mouse buttons
(II) Logitech USB Receiver: Found scroll wheel(s)
(II) Logitech USB Receiver: Found relative axes
(II) Logitech USB Receiver: Found x and y relative axes
(II) Logitech USB Receiver: Found absolute axes
(II) Logitech USB Receiver: Found keys
(II) Logitech USB Receiver: Configuring as mouse
(II) Logitech USB Receiver: Configuring as keyboard
(**) Logitech USB Receiver: YAxisMapping: buttons 4 and 5
(**) Logitech USB Receiver: EmulateWheelButton: 4, EmulateWheelInertia: 10, EmulateWheelTimeout: 200
(II) XINPUT: Adding extended input device "Logitech USB Receiver" (type: KEYBOARD)
(**) Option "xkb_rules" "evdev"
(**) Option "xkb_model" "evdev"
(**) Option "xkb_layout" "us"
(**) Logitech USB Receiver: (accel) keeping acceleration scheme 1
(**) Logitech USB Receiver: (accel) acceleration profile 0
(II) Logitech USB Receiver: initialized for relative axes.
(WW) Logitech USB Receiver: ignoring absolute axes.
...CRASH...
[/snip]
Created attachment 32072 full-backtrace.txt
If -debug actually turns off debug code, please remove that so that the assertions we've put in the code to catch things actually work.
I actually couldn't reproduce the bug with USE="debug", although while testing I got this backtrace, that looks a bit better:

(gdb) bt full
#0 0x00007f96e189cbf8 in _int_free (av=0x7f96e1b7de60, p=0x21472c0) at malloc.c:4954
        size = 272
        nextchunk = 0x21473d0
        nextsize = 528
        prevsize = <value optimized out>
        bck = 0x0
        fwd = 0x0
        errstr = <value optimized out>
        __func__ = "_int_free"
#1 0x00007f96e18a01ac in *__GI___libc_free (mem=<value optimized out>) at malloc.c:3738
        ar_ptr = 0x7f96e1b7de60
        p = 0x23fd000
#2 0x00000000004e2d16 in SrvXkbFreeServerMap (xkb=0x2168320, what=0, freeMap=37736448) at XKBMAlloc.c:871
No locals.
#3 0x00000000004e4f54 in SrvXkbFreeKeyboard (xkb=0x2168320, which=<value optimized out>, freeAll=1) at XKBAlloc.c:318
No locals.
#4 0x00000000004e7be2 in XkbFreeInfo (xkbi=0x2168250) at xkbInit.c:679
No locals.
#5 0x000000000044a4d9 in FreeDeviceClass (type=<value optimized out>, class=0x0) at devices.c:671
No locals.
#6 0x000000000044a629 in FreeAllDeviceClasses (classes=0x237a7a0) at devices.c:801
No locals.
#7 0x000000000044a73b in CloseDevice (dev=0x237a600) at devices.c:849
        screen = 0x81e250
        j = <value optimized out>
#8 0x000000000044b743 in RemoveDevice (dev=0x237a600, sendevent=1 '\001') at devices.c:996
        prev = <value optimized out>
        tmp = <value optimized out>
        next = 0x0
        ret = <value optimized out>
        screen = <value optimized out>
        deviceid = 7
        initialized = 1
        flags = {0, 0, 0, 0, 0, 0, 0, 8, 0 <repeats 32 times>}
#9 0x0000000000466332 in DeleteInputDeviceRequest (pDev=0x237a600) at xf86Xinput.c:671
        pInfo = 0x232e890
        drv = 0x213d4a0
        idev = 0x237d910
        it = <value optimized out>
        isMaster = 0
---Type <return> to continue, or q <return> to quit---
#10 0x000000000044f495 in remove_device (dev=0x237a600) at hal.c:72
No locals.
#11 0x000000000044f52b in device_removed (ctx=<value optimized out>, udi=<value optimized out>) at hal.c:90
        dev = 0x237a600
        next = 0x0
        value = 0x23068d0 "hal:/org/freedesktop/Hal/devices/usb_device_46d_c50c_noserial_if1_logicaldev_input"
#12 0x00007f96e29b337d in filter_func (connection=0x2138060, message=0x213abd0, user_data=<value optimized out>) at libhal.c:1067
        udi = 0x2198854 "/org/freedesktop/Hal/devices/usb_device_46d_c50c_noserial_if1_logicaldev_input"
        object_path = 0x237bfd8 "/org/freedesktop/Hal/Manager"
        error = {name = 0x0, message = 0x0, dummy1 = 1, dummy2 = 0, dummy3 = 1, dummy4 = 0, dummy5 = 0, padding1 = 0x7f96e360e38b}
        ctx = 0x213b310
#13 0x00007f96e3607d92 in dbus_connection_dispatch (connection=0x2138060) at /home/tmp/portage/sys-apps/dbus-1.3.0-r1/work/dbus-1.3.0/dbus/dbus-connection.c:4558
        filter = <value optimized out>
        next = 0x0
        message = 0x213abd0
        link = <value optimized out>
        filter_list_copy = 0x2137630
        message_link = 0x2137618
        result = <value optimized out>
        status = <value optimized out>
        __FUNCTION__ = "dbus_connection_dispatch"
#14 0x00007f96e3608049 in _dbus_connection_read_write_dispatch (connection=0x2138060, timeout_milliseconds=0, dispatch=1) at /home/tmp/portage/sys-apps/dbus-1.3.0-r1/work/dbus-1.3.0/dbus/dbus-connection.c:3583
        dstatus = DBUS_DISPATCH_DATA_REMAINS
        progress_possible = <value optimized out>
#15 0x000000000044f186 in wakeup_handler (data=0x7af860, err=<value optimized out>, read_mask=0x23fd000) at dbus-core.c:57
No locals.
#16 0x000000000043f789 in WakeupHandler (result=-1, pReadmask=0x7ba020) at dixutils.c:413
        i = 1
#17 0x000000000045d1bc in WaitForSomething (pClientsReady=<value optimized out>) at WaitFor.c:232
        i = 37736448
        waittime = {tv_sec = 9, tv_usec = 710935}
        wt = 0x7fff1547a1c0
        timeout = <value optimized out>
        clientsReadable = {fds_bits = {0 <repeats 16 times>}}
        clientsWritable = {fds_bits = {33558160, 0, 37409008, 0, 37279924, 4343799, 32, 140286005773458, 48, 33558160, 140733193404416, 4562754, 8512080, 33558160, 140733550404012, 140733550403984}}
        selecterr = 4
        nready = <value optimized out>
---Type <return> to continue, or q <return> to quit---
        devicesReadable = {fds_bits = {0 <repeats 16 times>}}
        now = <value optimized out>
        someReady = 0
#18 0x000000000042c7b9 in Dispatch () at dispatch.c:381
        result = <value optimized out>
        client = 0x2000e90
        nready = -1
        start_tick = 700
#19 0x000000000042197a in main (argc=9, argv=0x7b9308, envp=<value optimized out>) at main.c:285
        i = 1
        alwaysCheckForInput = {0, 1}
And relevant Xorg.log

[snip]
Backtrace:
0: /usr/bin/X (xorg_backtrace+0x28) [0x460a54]
1: /usr/bin/X (0x400000+0x62496) [0x462496]
2: /lib/libpthread.so.0 (0x7f96e278c000+0xf000) [0x7f96e279b000]
3: /lib/libc.so.6 (0x7f96e1829000+0x73bf8) [0x7f96e189cbf8]
4: /lib/libc.so.6 (cfree+0x6c) [0x7f96e18a01ac]
5: /usr/bin/X (SrvXkbFreeServerMap+0x110) [0x4e2d16]
6: /usr/bin/X (SrvXkbFreeKeyboard+0x15f) [0x4e4f54]
7: /usr/bin/X (XkbFreeInfo+0xde) [0x4e7be2]
8: /usr/bin/X (0x400000+0x4a4d9) [0x44a4d9]
9: /usr/bin/X (0x400000+0x4a629) [0x44a629]
10: /usr/bin/X (0x400000+0x4a73b) [0x44a73b]
11: /usr/bin/X (RemoveDevice+0x156) [0x44b743]
12: /usr/bin/X (DeleteInputDeviceRequest+0x3f) [0x466332]
13: /usr/bin/X (0x400000+0x4f495) [0x44f495]
14: /usr/bin/X (0x400000+0x4f52b) [0x44f52b]
15: /usr/lib/libhal.so.1 (0x7f96e29a8000+0xb37d) [0x7f96e29b337d]
16: /usr/lib/libdbus-1.so.3 (dbus_connection_dispatch+0x302) [0x7f96e3607d92]
17: /usr/lib/libdbus-1.so.3 (0x7f96e35ff000+0x9049) [0x7f96e3608049]
18: /usr/bin/X (0x400000+0x4f186) [0x44f186]
19: /usr/bin/X (WakeupHandler+0x3e) [0x43f789]
20: /usr/bin/X (WaitForSomething+0x1ce) [0x45d1bc]
21: /usr/bin/X (0x400000+0x2c7b9) [0x42c7b9]
22: /usr/bin/X (0x400000+0x2197a) [0x42197a]
23: /lib/libc.so.6 (__libc_start_main+0xfd) [0x7f96e1847bbd]
24: /usr/bin/X (0x400000+0x21549) [0x421549]
Segmentation fault at address 0x18
[/snip]
That certainly makes more sense. Reassigning to the server.
https://bugzilla.redhat.com/show_bug.cgi?id=540584 was just linked to this bug.
Please see the patch on the xorg list for a fix. Testing appreciated. http://lists.freedesktop.org/archives/xorg-devel/2010-January/004908.html
This patch seems to have fixed this issue :) Thanks :D
Running with the patch 12 hours so far and have been unable to crash Xorg.
Junji Yamashita confirms in http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=566147 that the patch fixes his crashes with his Bluetooth keyboard.
*** Bug 24487 has been marked as a duplicate of this bug. ***
Looks like this patch fixes it. I've been testing it for a couple days without a crash.
Fixed with commit 48f7298657f91843db36566b8d66d6c4c18dbd4c. Thanks to all of you for testing.