Bug 99102 - drop drm master on xserver teardown to avoid crash on VT switch
Status: RESOLVED MOVED
Alias: None
Product: xorg
Classification: Unclassified
Component: Driver/qxl
Version: unspecified
Hardware: Other All
Importance: medium major
Assignee: Søren Sandmann Pedersen
 
Reported: 2016-12-15 16:49 UTC by Oliver Henshaw
Modified: 2018-08-10 21:57 UTC (History)

Attachments
Patch to drop drm master in xf86-video-qxl:qxl_close_screen_kms() (1.63 KB, patch)
2016-12-15 17:22 UTC, Oliver Henshaw

Description Oliver Henshaw 2016-12-15 16:49:03 UTC
With the sddm display manager and the qxl driver, logging out of an x11 session can kill the x11 session of a user who logged in earlier. This can't be reproduced on common real hardware (and all signs point to a problem with the xorg qxl driver); it can't be reproduced with gdm afaik, presumably because gdm systems use logind to mediate VT/drm-master access rather than the xserver accessing it directly.

Steps to reproduce:
1. Boot to sddm (which is on vt1)
2. Log in as user1 (which is on vt1)
3. Switch to new session (which is on vt2); login as user2
4. Log out of user2

Results:
User2 logs out, and after a few seconds I'm taken to a newly spawned sddm login screen on VT1 (on kde I briefly see a white dialog from ksmserver saying "Could not start ksmserver: check your installation"). Switching vt works and loginctl shows that the user1 session is in state 'closing'. The tail of Xorg.0.log.old shows:

[   502.491] (WW) qxl(0): drmSetMaster failed: Invalid argument
[   502.491] (EE) qxl(0): failed to set mode: Permission denied(EE) 
Fatal server error:
[   502.491] (EE) EnterVT failed for screen 0
[   502.491] (EE) 
[   502.491] (EE) 
Please consult the Fedora Project support 
	 at http://wiki.x.org
 for help. 
[   502.491] (EE) Please also check the log file at "/var/log/Xorg.0.log" for additional information.
[   502.491] (EE) 
[   502.492] (WW) qxl(0): drmDropMaster failed: Invalid argument
[   502.521] (EE) Server terminated with error (1). Closing log file.


Expected results:

user2 logs out and the system switches to user1's session on VT1.

Installed packages:
xorg-x11-server-Xorg-1.18.4-4.fc24.x86_64
libdrm-2.4.71-2.fc24.x86_64
kernel-4.8.6-201.fc24.x86_64 (this is an old test VM)
xorg-x11-drv-qxl-0.1.4-7.fc24.x86_64
Comment 1 Oliver Henshaw 2016-12-15 17:07:39 UTC
Here's an edited perf trace from when user2 logs out

where the ioctls are:
VT_GETMODE=0x5601, VT_SETMODE=0x5602, VT_RELDISP=0x5605, VT_ACTIVATE=0x5606, VT_WAITACTIVE=0x5607
DRM_SET_MASTER=0x641e, DRM_DROP_MASTER=0x641e

and Xorg 7059 has user2 on VT2; Xorg 6116 has user1 on vt1.

Xorg  7059 [000] 12661.555050: syscalls:sys_enter_ioctl: fd: 0x00000014, cmd: 0x00005601, arg: 0x7ffd0c3c9530
                   f8b67 __GI___ioctl+0xffff01e36dbd6007 (/usr/lib64/libc-2.23.so)
                   9c4b1 xf86CloseConsole+0xffffffffff8000f1 (/usr/libexec/Xorg)
                   7b895 ddxGiveUp+0xffffffffff800085 (/usr/libexec/Xorg)
                   3b099 dix_main+0xffffffffff800699 (/usr/libexec/Xorg)
                   20731 __libc_start_main+0xffff01e36dbd60f1 (/usr/lib64/libc-2.23.so)
                   24d59 _start+0xffffffffff800029 (/usr/libexec/Xorg)

Xorg  7059 [000] 12661.555062: syscalls:sys_enter_ioctl: fd: 0x00000014, cmd: 0x00005602, arg: 0x7ffd0c3c9530
                   f8b67 __GI___ioctl+0xffff01e36dbd6007 (/usr/lib64/libc-2.23.so)
                   9c4e9 xf86CloseConsole+0xffffffffff800129 (/usr/libexec/Xorg)
                   7b895 ddxGiveUp+0xffffffffff800085 (/usr/libexec/Xorg)
                   3b099 dix_main+0xffffffffff800699 (/usr/libexec/Xorg)
                   20731 __libc_start_main+0xffff01e36dbd60f1 (/usr/lib64/libc-2.23.so)
                   24d59 _start+0xffffffffff800029 (/usr/libexec/Xorg)

Xorg  7059 [000] 12661.555067: syscalls:sys_enter_ioctl: fd: 0x00000014, cmd: 0x00005606, arg: 0x00000001
                   f8b67 __GI___ioctl+0xffff01e36dbd6007 (/usr/lib64/libc-2.23.so)
                   9bab9 switch_to+0xffffffffff800039 (/usr/libexec/Xorg)
                   9c513 xf86CloseConsole+0xffffffffff800153 (/usr/libexec/Xorg)
                   7b895 ddxGiveUp+0xffffffffff800085 (/usr/libexec/Xorg)
                   3b099 dix_main+0xffffffffff800699 (/usr/libexec/Xorg)
                   20731 __libc_start_main+0xffff01e36dbd60f1 (/usr/lib64/libc-2.23.so)
                   24d59 _start+0xffffffffff800029 (/usr/libexec/Xorg)

Xorg  7059 [000] 12661.555072: syscalls:sys_enter_ioctl: fd: 0x00000014, cmd: 0x00005607, arg: 0x00000001
                   f8b67 __GI___ioctl+0xffff01e36dbd6007 (/usr/lib64/libc-2.23.so)
                   9bae5 switch_to+0xffffffffff800065 (/usr/libexec/Xorg)
                   9c513 xf86CloseConsole+0xffffffffff800153 (/usr/libexec/Xorg)
                   7b895 ddxGiveUp+0xffffffffff800085 (/usr/libexec/Xorg)
                   3b099 dix_main+0xffffffffff800699 (/usr/libexec/Xorg)
                   20731 __libc_start_main+0xffff01e36dbd60f1 (/usr/lib64/libc-2.23.so)
                   24d59 _start+0xffffffffff800029 (/usr/libexec/Xorg)

Xorg  6116 [000] 12661.628144: syscalls:sys_enter_ioctl: fd: 0x00000011, cmd: 0x00005605, arg: 0x00000002
                   f8b67 __GI___ioctl+0xffff014f98aa0007 (/usr/lib64/libc-2.23.so)
                   9b1b5 xf86VTSwitchTo+0xffffffffff800025 (/usr/libexec/Xorg)
                   798dd xf86VTEnter+0xffffffffff80000d (/usr/libexec/Xorg)
                   3b94d WakeupHandler+0xffffffffff80006d (/usr/libexec/Xorg)
                  197fb9 WaitForSomething+0xffffffffff8001e9 (/usr/libexec/Xorg)
                   36bde Dispatch+0xffffffffff80008e (/usr/libexec/Xorg)
                   3add3 dix_main+0xffffffffff8003d3 (/usr/libexec/Xorg)
                   20731 __libc_start_main+0xffff014f98aa00f1 (/usr/lib64/libc-2.23.so)
                   24d59 _start+0xffffffffff800029 (/usr/libexec/Xorg)

Xorg  6116 [000] 12661.628169: syscalls:sys_enter_ioctl: fd: 0x00000015, cmd: 0x0000641e, arg: 0x00000000
                   f8b67 __GI___ioctl+0xffff014f98aa0007 (/usr/lib64/libc-2.23.so)
                    42b8 drmIoctl+0xffff014f962e6028 (/usr/lib64/libdrm.so.2.4.0)
                   12888 qxl_enter_vt_kms+0xffff014fa2efc028 (/usr/lib64/xorg/modules/drivers/qxl_drv.so)
                   b6d7d xf86RandR12EnterVT+0xffffffffff80007d (/usr/libexec/Xorg)
                   79940 xf86VTEnter+0xffffffffff800070 (/usr/libexec/Xorg)
                   3b94d WakeupHandler+0xffffffffff80006d (/usr/libexec/Xorg)
                  197fb9 WaitForSomething+0xffffffffff8001e9 (/usr/libexec/Xorg)
                   36bde Dispatch+0xffffffffff80008e (/usr/libexec/Xorg)
                   3add3 dix_main+0xffffffffff8003d3 (/usr/libexec/Xorg)
                   20731 __libc_start_main+0xffff014f98aa00f1 (/usr/lib64/libc-2.23.so)
                   24d59 _start+0xffffffffff800029 (/usr/libexec/Xorg)

Xorg  6116 [000] 12661.628415: syscalls:sys_enter_ioctl: fd: 0x00000015, cmd: 0x0000641f, arg: 0x00000000
                   f8b67 __GI___ioctl+0xffff014f98aa0007 (/usr/lib64/libc-2.23.so)
                    42b8 drmIoctl+0xffff014f962e6028 (/usr/lib64/libdrm.so.2.4.0)
                   12902 qxl_leave_vt_kms+0xffff014fa2efc032 (/usr/lib64/xorg/modules/drivers/qxl_drv.so)
                   7b91f AbortDDX+0xffffffffff80007f (/usr/libexec/Xorg)
                  1a79f2 AbortServer+0xffffffffff800022 (/usr/libexec/Xorg)
                  1a87fd [unknown] (/usr/libexec/Xorg)
                   79ad6 [unknown] (/usr/libexec/Xorg)
                   3b94d WakeupHandler+0xffffffffff80006d (/usr/libexec/Xorg)
                  197fb9 WaitForSomething+0xffffffffff8001e9 (/usr/libexec/Xorg)
                   36bde Dispatch+0xffffffffff80008e (/usr/libexec/Xorg)
                   3add3 dix_main+0xffffffffff8003d3 (/usr/libexec/Xorg)
                   20731 __libc_start_main+0xffff014f98aa00f1 (/usr/lib64/libc-2.23.so)
                   24d59 _start+0xffffffffff800029 (/usr/libexec/Xorg)

Xorg  7059 [000] 12661.645642: probe:drm_master_destroy: (ffffffffc02ef030)
                      a1 drm_master_destroy+0x7fa22071 ([drm])
                    470c drm_release+0x7fa222bc ([drm])
                  45297f __fput+0xb42000df (/usr/lib/debug/lib/modules/4.8.6-201.fc24.x86_64/vmlinux)
                  452ace ____fput+0xb420000e (/usr/lib/debug/lib/modules/4.8.6-201.fc24.x86_64/vmlinux)
                  2bf070 task_work_run+0xb4200080 (/usr/lib/debug/lib/modules/4.8.6-201.fc24.x86_64/vmlinux)
                  2a4c51 do_exit+0xb42002d1 (/usr/lib/debug/lib/modules/4.8.6-201.fc24.x86_64/vmlinux)
                  2a5517 do_group_exit+0xb4200047 (/usr/lib/debug/lib/modules/4.8.6-201.fc24.x86_64/vmlinux)
                  2a5594 [unknown] (/usr/lib/debug/lib/modules/4.8.6-201.fc24.x86_64/vmlinux)
                  203c57 do_syscall_64+0xb4200067 (/usr/lib/debug/lib/modules/4.8.6-201.fc24.x86_64/vmlinux)
                  a02621 return_from_SYSCALL_64+0xb4200000 (/usr/lib/debug/lib/modules/4.8.6-201.fc24.x86_64/vmlinux)


So in hw/xfree86/os-support/linux/lnx_init.c:xf86CloseConsole(void) there's the stanza:
    if (xf86Info.autoVTSwitch) {
        /*
         * Perform a switch back to the active VT when we were started
         */
        if (activeVT >= 0) {
            switch_to(activeVT, "xf86CloseConsole");
            activeVT = -1;
        }
    }

But when the xserver on this "active VT when we were started", i.e. vt1, tries to claim the drm master with drmSetMaster it fails and so EnterVT fails and aborts the xserver. The xserver on vt2 only gives up the drm master when it exits and the kernel cleans up the drm master fd.
Comment 2 Oliver Henshaw 2016-12-15 17:22:46 UTC
Created attachment 128488
Patch to drop drm master in xf86-video-qxl:qxl_close_screen_kms()

Here's a patch that solves the issue for me. I'm not entirely sure it's robust enough to include as-is, please read the commit message for details.

With this applied, logging out of user2 returns to user1's session, as expected.

Now perf shows:

Xorg  1733 [000]  1171.499890: syscalls:sys_enter_ioctl: fd: 0x00000016, cmd: 0x0000641f, arg: 0x00000000
	           f8b67 __GI___ioctl+0xffff006ae4570007 (/usr/lib64/libc-2.23.so)
	            42b8 drmIoctl+0xffff006ae1db6028 (/usr/lib64/libdrm.so.2.4.0)
	           11891 qxl_close_screen_kms+0xffff006aee9ca041 (/usr/lib64/xorg/modules/drivers/qxl_drv.so)
	           c8f78 CursorCloseScreen+0xffffffffff800088 (/usr/libexec/Xorg)
	          118a34 AnimCurCloseScreen+0xffffffffff8000a4 (/usr/libexec/Xorg)
	          11a782 present_close_screen+0xffffffffff800042 (/usr/libexec/Xorg)
	           3aef1 dix_main+0xffffffffff8004f1 (/usr/libexec/Xorg)
	           20731 __libc_start_main+0xffff006ae45700f1 (/usr/lib64/libc-2.23.so)
	           24d59 _start+0xffffffffff800029 (/usr/libexec/Xorg)

Xorg  1733 [000]  1171.535989: syscalls:sys_enter_ioctl: fd: 0x00000014, cmd: 0x00005601, arg: 0x7ffd903c30a0
	           f8b67 __GI___ioctl+0xffff006ae4570007 (/usr/lib64/libc-2.23.so)
	           9c4b1 xf86CloseConsole+0xffffffffff8000f1 (/usr/libexec/Xorg)
	           7b895 ddxGiveUp+0xffffffffff800085 (/usr/libexec/Xorg)
	           3b099 dix_main+0xffffffffff800699 (/usr/libexec/Xorg)
	           20731 __libc_start_main+0xffff006ae45700f1 (/usr/lib64/libc-2.23.so)
	           24d59 _start+0xffffffffff800029 (/usr/libexec/Xorg)

Xorg  1733 [000]  1171.558736: syscalls:sys_enter_ioctl: fd: 0x00000014, cmd: 0x00005602, arg: 0x7ffd903c30a0
	           f8b67 __GI___ioctl+0xffff006ae4570007 (/usr/lib64/libc-2.23.so)
	           9c4e9 xf86CloseConsole+0xffffffffff800129 (/usr/libexec/Xorg)
	           7b895 ddxGiveUp+0xffffffffff800085 (/usr/libexec/Xorg)
	           3b099 dix_main+0xffffffffff800699 (/usr/libexec/Xorg)
	           20731 __libc_start_main+0xffff006ae45700f1 (/usr/lib64/libc-2.23.so)
	           24d59 _start+0xffffffffff800029 (/usr/libexec/Xorg)

Xorg  1733 [000]  1171.558752: syscalls:sys_enter_ioctl: fd: 0x00000014, cmd: 0x00005606, arg: 0x00000001
	           f8b67 __GI___ioctl+0xffff006ae4570007 (/usr/lib64/libc-2.23.so)
	           9bab9 switch_to+0xffffffffff800039 (/usr/libexec/Xorg)
	           9c513 xf86CloseConsole+0xffffffffff800153 (/usr/libexec/Xorg)
	           7b895 ddxGiveUp+0xffffffffff800085 (/usr/libexec/Xorg)
	           3b099 dix_main+0xffffffffff800699 (/usr/libexec/Xorg)
	           20731 __libc_start_main+0xffff006ae45700f1 (/usr/lib64/libc-2.23.so)
	           24d59 _start+0xffffffffff800029 (/usr/libexec/Xorg)

Xorg  1733 [000]  1171.558759: syscalls:sys_enter_ioctl: fd: 0x00000014, cmd: 0x00005607, arg: 0x00000001
	           f8b67 __GI___ioctl+0xffff006ae4570007 (/usr/lib64/libc-2.23.so)
	           9bae5 switch_to+0xffffffffff800065 (/usr/libexec/Xorg)
	           9c513 xf86CloseConsole+0xffffffffff800153 (/usr/libexec/Xorg)
	           7b895 ddxGiveUp+0xffffffffff800085 (/usr/libexec/Xorg)
	           3b099 dix_main+0xffffffffff800699 (/usr/libexec/Xorg)
	           20731 __libc_start_main+0xffff006ae45700f1 (/usr/lib64/libc-2.23.so)
	           24d59 _start+0xffffffffff800029 (/usr/libexec/Xorg)

Xorg   893 [000]  1171.642151: syscalls:sys_enter_ioctl: fd: 0x00000013, cmd: 0x00005605, arg: 0x00000002
	           f8b67 __GI___ioctl+0xffff008788f86007 (/usr/lib64/libc-2.23.so)
	           9b1b5 xf86VTSwitchTo+0xffffffffff800025 (/usr/libexec/Xorg)
	           798dd xf86VTEnter+0xffffffffff80000d (/usr/libexec/Xorg)
	           3b94d WakeupHandler+0xffffffffff80006d (/usr/libexec/Xorg)
	          197fb9 WaitForSomething+0xffffffffff8001e9 (/usr/libexec/Xorg)
	           36bde Dispatch+0xffffffffff80008e (/usr/libexec/Xorg)
	           3add3 dix_main+0xffffffffff8003d3 (/usr/libexec/Xorg)
	           20731 __libc_start_main+0xffff008788f860f1 (/usr/lib64/libc-2.23.so)
	           24d59 _start+0xffffffffff800029 (/usr/libexec/Xorg)

Xorg   893 [000]  1171.642179: syscalls:sys_enter_ioctl: fd: 0x00000015, cmd: 0x0000641e, arg: 0x00000000
	           f8b67 __GI___ioctl+0xffff008788f86007 (/usr/lib64/libc-2.23.so)
	            42b8 drmIoctl+0xffff0087867cc028 (/usr/lib64/libdrm.so.2.4.0)
	           12728 qxl_enter_vt_kms+0xffff0087933e0028 (/usr/lib64/xorg/modules/drivers/qxl_drv.so)
	           b6d7d xf86RandR12EnterVT+0xffffffffff80007d (/usr/libexec/Xorg)
	           79940 xf86VTEnter+0xffffffffff800070 (/usr/libexec/Xorg)
	           3b94d WakeupHandler+0xffffffffff80006d (/usr/libexec/Xorg)
	          197fb9 WaitForSomething+0xffffffffff8001e9 (/usr/libexec/Xorg)
	           36bde Dispatch+0xffffffffff80008e (/usr/libexec/Xorg)
	           3add3 dix_main+0xffffffffff8003d3 (/usr/libexec/Xorg)
	           20731 __libc_start_main+0xffff008788f860f1 (/usr/lib64/libc-2.23.so)
	           24d59 _start+0xffffffffff800029 (/usr/libexec/Xorg)

Xorg  1733 [000]  1171.660932: probe:drm_master_destroy: (ffffffffc0234030)
	              a1 drm_master_destroy+0x7fb98071 ([drm])
	            470c drm_release+0x7fb982bc ([drm])
	          45297f __fput+0xf82000df ([kernel.kallsyms])
	          452ace ____fput+0xf820000e ([kernel.kallsyms])
	          2bf070 task_work_run+0xf8200080 ([kernel.kallsyms])
	          2a4c51 do_exit+0xf82002d1 ([kernel.kallsyms])
	          2a5517 do_group_exit+0xf8200047 ([kernel.kallsyms])
	          2a5594 [unknown] ([kernel.kallsyms])
	          203c57 do_syscall_64+0xf8200067 ([kernel.kallsyms])
	          a02621 return_from_SYSCALL_64+0xf8200000 ([kernel.kallsyms])
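
The ordering that the two traces above differ on can be checked mechanically. This is an added example, not part of the original report or the attached patch: it decodes the ioctl numbers in the perf event lines and reports any Xorg PID that calls VT_ACTIVATE without first issuing DRM_DROP_MASTER. The request values are taken from <linux/vt.h> and <drm/drm.h> (DRM_DROP_MASTER is 0x641f, the value seen under qxl_leave_vt_kms), and it assumes every server in the trace holds DRM master directly rather than through logind.

```python
import re

# Request numbers: VT_* from <linux/vt.h>; DRM_* are _IO('d', nr) from <drm/drm.h>.
IOCTLS = {
    0x5601: "VT_GETMODE", 0x5602: "VT_SETMODE", 0x5605: "VT_RELDISP",
    0x5606: "VT_ACTIVATE", 0x5607: "VT_WAITACTIVE",
    0x641E: "DRM_SET_MASTER", 0x641F: "DRM_DROP_MASTER",
}
EVENT = re.compile(r"^Xorg\s+(?P<pid>\d+)\s+\[\d+\]\s+(?P<ts>[\d.]+):\s+"
                   r"syscalls:sys_enter_ioctl:.*?cmd: 0x(?P<cmd>[0-9a-f]+)")

# Event header lines copied from the two perf traces in this report (stack frames omitted).
BEFORE_PATCH = """\
Xorg  7059 [000] 12661.555067: syscalls:sys_enter_ioctl: fd: 0x00000014, cmd: 0x00005606, arg: 0x00000001
Xorg  7059 [000] 12661.555072: syscalls:sys_enter_ioctl: fd: 0x00000014, cmd: 0x00005607, arg: 0x00000001
Xorg  6116 [000] 12661.628144: syscalls:sys_enter_ioctl: fd: 0x00000011, cmd: 0x00005605, arg: 0x00000002
Xorg  6116 [000] 12661.628169: syscalls:sys_enter_ioctl: fd: 0x00000015, cmd: 0x0000641e, arg: 0x00000000
Xorg  6116 [000] 12661.628415: syscalls:sys_enter_ioctl: fd: 0x00000015, cmd: 0x0000641f, arg: 0x00000000
"""
AFTER_PATCH = """\
Xorg  1733 [000]  1171.499890: syscalls:sys_enter_ioctl: fd: 0x00000016, cmd: 0x0000641f, arg: 0x00000000
Xorg  1733 [000]  1171.558752: syscalls:sys_enter_ioctl: fd: 0x00000014, cmd: 0x00005606, arg: 0x00000001
Xorg  1733 [000]  1171.558759: syscalls:sys_enter_ioctl: fd: 0x00000014, cmd: 0x00005607, arg: 0x00000001
Xorg   893 [000]  1171.642151: syscalls:sys_enter_ioctl: fd: 0x00000013, cmd: 0x00005605, arg: 0x00000002
Xorg   893 [000]  1171.642179: syscalls:sys_enter_ioctl: fd: 0x00000015, cmd: 0x0000641e, arg: 0x00000000
"""

def parse(trace):
    """Yield (timestamp, pid, ioctl_name) for each ioctl event header line."""
    for line in trace.splitlines():
        m = EVENT.match(line)
        if m:
            cmd = int(m["cmd"], 16)
            yield float(m["ts"]), int(m["pid"]), IOCTLS.get(cmd, hex(cmd))

def handoff_violations(trace):
    """Return PIDs that issue VT_ACTIVATE with no earlier DRM_DROP_MASTER."""
    dropped, bad = set(), []
    for _, pid, name in sorted(parse(trace)):
        if name == "DRM_DROP_MASTER":
            dropped.add(pid)        # this server has released master
        elif name == "DRM_SET_MASTER":
            dropped.discard(pid)    # this server tried to take master again
        elif name == "VT_ACTIVATE" and pid not in dropped:
            bad.append(pid)         # switching away while still master (assumed held)
    return bad
```

`handoff_violations(BEFORE_PATCH)` flags PID 7059, the exiting server on VT2, while `handoff_violations(AFTER_PATCH)` returns an empty list because PID 1733 drops master before activating VT1.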
Comment 3 Hans de Goede 2016-12-15 17:57:49 UTC
Patch looks good to me, I see that you've already taken server-managed-fds into account, which is great.
Comment 4 Adam Williamson 2017-04-07 00:24:21 UTC
Ping? Does anyone know what we need to do to get some movement on this?
Comment 5 GitLab Migration User 2018-08-10 21:57:53 UTC
-- GitLab Migration Automatic Message --

This bug has been migrated to freedesktop.org's GitLab instance and has been closed from further activity.

You can subscribe and participate further through the new bug through this link to our GitLab instance: https://gitlab.freedesktop.org/xorg/driver/xf86-video-qxl/issues/4.

