Created attachment 95229 [details] [review]
Fix SIGSEGV for height = 0 and width = 0 in libdrm memory alloc

The intel driver causes a crash in libdrm while trying to allocate a framebuffer with height == 0 and width == 0. Circumvent this situation by returning NULL.

Backtrace is:

#0 0x00007f4e567a034b in drm_intel_gem_bo_free (bo=0x477c840) at intel_bufmgr_gem.c:936
#1 0x00007f4e567a20a4 in drm_intel_gem_bo_alloc_internal (bufmgr=0x2921e20, name=0x7f4e56ac3946 "front buffer", size=0, flags=<optimized out>, tiling_mode=1, stride=0) at intel_bufmgr_gem.c:734
#2 0x00007f4e56a9e262 in intel_allocate_framebuffer (scrn=scrn@entry=0x2912eb0, width=width@entry=0, height=height@entry=0, cpp=<optimized out>, out_pitch=out_pitch@entry=0x7ffff44ae9d0, out_tiling=out_tiling@entry=0x7ffff44ae9cc) at intel_memory.c:240
#3 0x00007f4e56a99f55 in intel_xf86crtc_resize (scrn=0x2912eb0, width=0, height=0) at intel_display.c:1551
#4 0x00000000004cccf9 in xf86RandR12ScreenSetSize (pScreen=0x293a900, width=0, height=0, mmWidth=0, mmHeight=0) at xf86RandR12.c:699
#5 0x000000000050c3a4 in rrCheckPixmapBounding (h=0, w=0, y=0, x=0, rr_crtc=0x2930430, pScreen=0x293a900) at rrcrtc.c:510
#6 RRCrtcSet (crtc=0x2930430, mode=0x0, x=0, y=0, rotation=rotation@entry=1, numOutputs=numOutputs@entry=0, outputs=outputs@entry=0x0) at rrcrtc.c:554
#7 0x000000000050d566 in ProcRRSetCrtcConfig (client=0x48721b0) at rrcrtc.c:1167
#8 0x000000000043a327 in Dispatch () at dispatch.c:432
#9 0x00000000004288da in main (argc=12, argv=0x7ffff44aeeb8, envp=<optimized out>) at main.c:298

See also bug report https://bugzilla.redhat.com/show_bug.cgi?id=1056299
Nope the patch doesn't fix the bug, it can be triggered other ways as well.
Assigning to Chris for the "wontfix->sna" resolution.
Any news on this? I still run into this bug! Chris, do you have a better solution to fix this bug? I can only trigger this bug one way, i.e. I attach an external monitor to my laptop and try to log into gnome, and then the Xorg server crashes due to this bug.
The issue is quite an obvious set of bugs inside libdrm...
Created attachment 108797 [details] fix crash in drm_intel_gem_bo_free
Also take a look at the locking...
Locking looks okay, doesn't it?! drm_intel_gem_bo_set_tiling_internal() and drm_intel_bo_gem_set_in_aperture_size() are sometimes called with the lock held, sometimes not... I'm not sure what bufmgr_gem->lock protects; it's a bit unclear from the code.
Hmm, in the free path on error during create, I thought we access a list that requires locking. But actually, since we are never added to the lists at that point, the deletion is a no-op, and locking is not required. For completeness, do both list initialisations together and send to dri-devel@lists.freedesktop.org and cc "Damien Lespiau <damien.lespiau@intel.com>" with a Reviewed-by: Chris Wilson <chris@chris-wilson.co.uk>
Pushed the libdrm patch.

commit 4f44ecc6beeaac5064871d41dcc4693b8e313859
Author: Thomas Meyer <thomas@m3y3r.de>
Date:   Fri Nov 7 19:43:04 2014 +0100

    intel: Fix SIGSEGV in libdrm for height = 0 and width = 0

    drm_intel_gem_bo_free() crashes because the list bo_gem->vma_list is
    not yet initialised, but the error path tries to free it.

    See also https://bugs.freedesktop.org/show_bug.cgi?id=75844

    Reviewed-by: Chris Wilson <chris@chris-wilson.co.uk>
    Signed-off-by: Thomas Meyer <thomas@m3y3r.de>
    Signed-off-by: Damien Lespiau <damien.lespiau@intel.com>
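The ordering defect described in the commit message, as an added C example that is not libdrm's code: a constructed stand-in for bo_gem with its two embedded list heads, and the allocation order before and after the fix. Instead of dereferencing a zeroed, never-initialised list head (the SIGSEGV in drm_intel_gem_bo_free), the unlink reports it, so the buggy path returns ALLOC_CRASH while the fixed path's deletion from a self-linked head is a harmless no-op.

```c
#include <stddef.h>
#include <stdlib.h>

/* Minimal intrusive doubly-linked list, in the spirit of libdrm's list heads
 * (constructed for this example). A freshly initialised head points at itself. */
struct list_head { struct list_head *prev, *next; };

static void list_init(struct list_head *h) { h->prev = h->next = h; }

/* Unlink e. On a self-linked head this is a no-op; on a zeroed head that was
 * never initialised, the real code would dereference NULL, so report it. */
static int list_del_checked(struct list_head *e) {
    if (e->prev == NULL || e->next == NULL)
        return -1;
    e->next->prev = e->prev;
    e->prev->next = e->next;
    list_init(e);
    return 0;
}

struct bo_gem {               /* stand-in for libdrm's bo_gem (hypothetical layout) */
    size_t size;
    struct list_head name_list;
    struct list_head vma_list;
};

enum { ALLOC_OK = 0, ALLOC_EINVAL = -1, ALLOC_CRASH = -2 };

/* Mirrors the free path: unlink from both lists, then release the object.
 * Returns -1 if either unlink would have touched an uninitialised head. */
static int bo_free(struct bo_gem *bo) {
    int rc = list_del_checked(&bo->vma_list);
    if (rc == 0) rc = list_del_checked(&bo->name_list);
    free(bo);
    return rc;
}

/* Buggy ordering: the size check bails out through bo_free() before the list
 * heads exist, exactly the width == 0 && height == 0 case in the backtrace. */
static int bo_alloc_buggy(size_t size, struct bo_gem **out) {
    struct bo_gem *bo = calloc(1, sizeof(*bo));   /* zeroed: list pointers NULL */
    if (!bo) return ALLOC_EINVAL;
    bo->size = size;
    if (size == 0) return bo_free(bo) == 0 ? ALLOC_EINVAL : ALLOC_CRASH;
    list_init(&bo->name_list);
    list_init(&bo->vma_list);
    *out = bo;
    return ALLOC_OK;
}

/* Fixed ordering: both list initialisations done together, before any error exit. */
static int bo_alloc_fixed(size_t size, struct bo_gem **out) {
    struct bo_gem *bo = calloc(1, sizeof(*bo));
    if (!bo) return ALLOC_EINVAL;
    list_init(&bo->name_list);
    list_init(&bo->vma_list);
    bo->size = size;
    if (size == 0) return bo_free(bo) == 0 ? ALLOC_EINVAL : ALLOC_CRASH;
    *out = bo;
    return ALLOC_OK;
}
```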