X crash on KDM logout (still - yes, really)

Bug #651294 reported by Scott Kitterman
This bug affects 28 people
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| Release Notes for Ubuntu | Fix Released | High | Unassigned | |
| xorg-server (Ubuntu) | Fix Released | High | Chris Halse Rogers | |
| Maverick | Invalid | High | Unassigned | |

Bug Description

PROPOSED RELEASE NOTE:

On some Kubuntu systems, the display server crashes on logout instead of returning to the KDE Display Manager (KDM) login display. For systems with this problem, the problem can be avoided by changing the method KDM uses to interact with the display server. Edit /etc/kde4/kdm/kdmrc and uncomment the line "#TerminateServer=true" by changing it to "TerminateServer=true" and restart KDM (reboot the system or sudo restart kdm).

Binary package hint: xserver-xorg-video-intel

This system still crashes reliably on logout.

ProblemType: Bug
DistroRelease: Ubuntu 10.10
Package: xserver-xorg-video-intel 2:2.12.0-1ubuntu5
ProcVersionSignature: Ubuntu 2.6.35-22.33-generic 2.6.35.4
Uname: Linux 2.6.35-22-generic i686
NonfreeKernelModules: wl
Architecture: i386
DRM.card0.LVDS.1:
 status: connected
 enabled: enabled
 dpms: On
 modes: 1024x600
DRM.card0.VGA.1:
 status: disconnected
 enabled: disabled
 dpms: On
 modes:
 edid-base64:
Date: Wed Sep 29 12:48:45 2010
DkmsStatus:
 bcmwl, 5.60.48.36+bdcom, 2.6.35-20-generic, i686: installed
 bcmwl, 5.60.48.36+bdcom, 2.6.35-22-generic, i686: installed
EcryptfsInUse: Yes
GdmLog: Error: command ['kdesudo', '--', 'cat', '/var/log/gdm/:0.log'] failed with exit code 1: cat: /var/log/gdm/:0.log: No such file or directory
GdmLog1: Error: command ['kdesudo', '--', 'cat', '/var/log/gdm/:0.log.1'] failed with exit code 1: cat: /var/log/gdm/:0.log.1: No such file or directory
GdmLog2: Error: command ['kdesudo', '--', 'cat', '/var/log/gdm/:0.log.2'] failed with exit code 1: cat: /var/log/gdm/:0.log.2: No such file or directory
InstallationMedia: Kubuntu 10.10 "Maverick Meerkat" - Alpha i386 (20100909)
MachineType: Dell Inc. Inspiron 1011
ProcCmdLine: BOOT_IMAGE=/boot/vmlinuz-2.6.35-22-generic root=UUID=3db0186f-9810-41ed-8ba1-715fb956e23e ro quiet splash
ProcEnviron:
 LANGUAGE=
 LANG=en_US.UTF-8
 SHELL=/bin/bash
SourcePackage: xserver-xorg-video-intel
dmi.bios.date: 03/20/2009
dmi.bios.vendor: Dell Inc.
dmi.bios.version: A00
dmi.board.name: CN0Y53
dmi.board.vendor: Dell Inc.
dmi.board.version: A00
dmi.chassis.type: 8
dmi.chassis.vendor: Dell Inc.
dmi.chassis.version: A00
dmi.modalias: dmi:bvnDellInc.:bvrA00:bd03/20/2009:svnDellInc.:pnInspiron1011:pvrA00:rvnDellInc.:rnCN0Y53:rvrA00:cvnDellInc.:ct8:cvrA00:
dmi.product.name: Inspiron 1011
dmi.product.version: A00
dmi.sys.vendor: Dell Inc.
glxinfo: Error: [Errno 2] No such file or directory
peripherals: Error: [Errno 2] No such file or directory
system:
 distro: Ubuntu
 codename: maverick
 architecture: i686
 kernel: 2.6.35-22-generic

Revision history for this message
Scott Kitterman (kitterman) wrote :
Revision history for this message
Scott Kitterman (kitterman) wrote :
Revision history for this message
Scott Kitterman (kitterman) wrote :

Also crashed in a live session on the same box (Dell Mini 10v), so it's not a local configuration issue.

tags: added: iso-testing
Bryce Harrington (bryce)
tags: added: kubuntu
Revision history for this message
Scott Kitterman (kitterman) wrote :

Marking confirmed based on replicating on multiple systems.

Changed in xserver-xorg-video-intel (Ubuntu):
importance: Undecided → High
status: New → Confirmed
Revision history for this message
Scott Kitterman (kitterman) wrote :

Proposed release note added.

description: updated
Changed in ubuntu-release-notes:
importance: Undecided → High
status: New → Fix Committed
Revision history for this message
Scott Kitterman (kitterman) wrote :

Added to draft release notes.

Changed in ubuntu-release-notes:
status: Fix Committed → Fix Released
Revision history for this message
Sven Roederer (sven-roederer) wrote :

I have the same problem here with an "ATI Technologies Inc Radeon R350 [Radeon 9800 Pro]" using the "xserver-xorg-video-radeon" driver.

Revision history for this message
Scott Kitterman (kitterman) wrote : Re: [Bug 651294] Re: X crash on KDM logout (still - yes, really)

Does the workaround (changing kdmrc) solve it for you?

Revision history for this message
Sven Roederer (sven-roederer) wrote :

Yes, the "TerminateServer" solves it.

Revision history for this message
Chris Halse Rogers (raof) wrote :

Ok. I'm moving this to xorg-server, since it seems that other drivers also fail to clean up properly.

I'll look at making the server not crash on regenerate when the driver fails to clean up all the relevant resources.

affects: xserver-xorg-video-intel (Ubuntu) → xorg-server (Ubuntu)
Revision history for this message
Piotr Kęplicz (keplicz) wrote :

Same problem here with ATI Technologies Inc M64-S [Mobility Radeon X2300], backtrace in kdm.log identical as in comment #2. Also solved by "TerminateServer=true".

Revision history for this message
Chris Halse Rogers (raof) wrote :

This seems to be a somewhat more general problem than just logging out from KDE; see bug #660152, which I suspect is a duplicate of this.

Now the fun begins.

What appears to be happening is that FreeClientResources is being called on the server pseudo-client, which is perfectly reasonable. However, at some point the resource list stored in clientTable[0].resources has become corrupted, and one or more of the __GLXdrawables stored in there ends up with garbage values. When FreeClientResources hits this resource, DrawableGone from glx/glxext.c is called on the corrupted __GLXdrawable and explodes somewhere, either with a bogus pDraw or calling an invalid ->destroy().

I've traced through the resource code, and these __GLXdrawables are perfectly valid when they're getting added to the resource list. Furthermore, nothing from the resource code seems to be fiddling with them; it looks like some unrelated code is *sometimes* scribbling over *some of* the values in memory.

Revision history for this message
Scott Kitterman (kitterman) wrote :

The logout problem happens every time for me. It's not intermittent.

Revision history for this message
Chris Halse Rogers (raof) wrote :

On further inspection, I think that to trigger this crash I need to have at least one window open when logging out.

I've got a bit further with gdb watches; it looks like the drawable is getting freed with DoDestroyDrawable from GLX but not removed from the serverClient's resource list, so when later in the shutdown process FreeClientResources is called it runs into the garbage of a free'd drawable.

Revision history for this message
Albert Damen (albrt) wrote :

I have been trying to debug this and think I found the problem:
- The crash is caused when an already freed drawable is used (drawable contents are invalid)
- The crashing resource always has xid=0. If I prevent DrawableGone calls when xid=0, the crash does not happen. XID=0 seems strange, as the minimum xid should be SERVER_MINID (=32). Also, walking through clientTable[0]->resources[0] shows we have multiple resources with xid=0, which seems strange as well (i.e. calling FreeResource(0, x) may well remove the wrong resource).
- The resources with xid=0 are added via DoCreateGLXDrawable, where pDraw->id is used to add the resource. pDraw->id is 0 in these calls.
- The pDraw with xid=0 should be the X pixmap backing the GLX pixmap. This pixmap is created via ProcCompositeNameWindowPixmap. This function indeed creates pixmaps with drawable.id=0.

The glxdrawable should be registered with the glxdrawableid and the drawableid of the backing X pixmap, as stated in the comment in DoCreateGLXDrawable. In DoCreateGLXDrawable this would be easy, but drawableGone does not get this pixmap's drawableid as a parameter. Therefore in my opinion this could only work if the pixmap's drawableid is properly set, so I changed ProcCompositeNameWindowPixmap to set the pixmap's drawableid to stuff->pixmap (like ProcCreatePixmap would do). With that change I no longer get resources with xid=0 and KDM does not crash anymore when I log out.

So far all seems to work fine, but I am not sure if setting the drawable id like this is safe.

The attachment contains gdb traces with and without my change (X built without optimization to get access to all symbols).

Revision history for this message
molecule-eye (niburu1) wrote :

The proposed workaround (or fix) worked for me. Others might like to know, however, that the TerminateServer=true command should be slotted under the category [X-*-Core], as my file did not have the line uncommented or commented in it.

Revision history for this message
Tom Chiverton (bugs-launchpad-net-falkensweb) wrote :

This worked fine in 10.04, but was broken on upgrade to 10.10. I'm using the Kubuntu PPA, with Intel hardware (i915).

As per #16 I had to add the line in the correct section, there wasn't one to uncomment.

Revision history for this message
Sven Roederer (sven-roederer) wrote :

Hi,

I could prevent kdm from crashing by installing "xfce4" and setting the alternatives
- x-session-manager to /usr/bin/startkde
- x-window-manager to /usr/bin/kwin

It does not make sense but it's working. I got to it as my NFS server wasn't up and I could only log in to "failsafe" mode. And here KDM did not crash on logout. After installing "xfce4" (x-session-manager and window-manager were set to the xfce alternatives) logout also worked. And restoring the managers to the KDE alternatives did not break the logout function.

Revision history for this message
Ofir Klinger (klinger-ofir) wrote :

I experience this too on 2 laptops, one Lenovo 3000 N100 and the other a Dell Vostro 3300.
Both have a clean install of Kubuntu 10.10.

Comment #16 worked for me.

I remember that this issue has been in Kubuntu for a long time, and I ask myself: why does no one fix it when the solution is just to add a single line to a file?

Revision history for this message
Scott Kitterman (kitterman) wrote :

This is a different X bug that happens to have the same workaround.

Revision history for this message
Albert Damen (albrt) wrote :

A patch was posted by Chris Wilson today on the dri-devel mailing list that fixes this crash for me:

    glx: Refcnt the GLXDrawable to avoid use after free with multiple FreeResource

    Although there may be more than one resource handles pointing to the
    Drawable, we only want to destroy it once and only reference the
    resource which may have just been deleted on the first instance.

    v2: Apply fixes and combine with another bug fix from Michel Dänzer,
        https://bugs.freedesktop.org/show_bug.cgi?id=28181

see http://lists.freedesktop.org/archives/dri-devel/2010-December/006137.html
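
The failure mode discussed in this thread (one drawable reachable through more than one resource handle) in a simplified, stand-alone model; this is an added example, not xorg-server code and not the patch itself. The struct and function names and the XID values are constructed for illustration: each handle holds a reference, so the delete callback destroys the object once no matter how many handles are freed.

```c
#include <stdlib.h>

/* Simplified XID -> object resource table; names are illustrative only. */
typedef struct { int refcnt; int *destroyed; } Drawable;
typedef struct { unsigned id; Drawable *obj; } Resource;

static Resource table[8]; /* at most 8 handles in this model */
static int n_res;

/* Every table entry that points at the drawable holds one reference. */
static void add_resource(unsigned id, Drawable *d) {
    table[n_res++] = (Resource){ id, d };
    d->refcnt++;
}

/* Delete callback, run once per entry. Without the count, the first call
 * would free the object and the next would operate on freed memory. */
static void drawable_gone(Drawable *d) {
    if (--d->refcnt > 0)
        return;                        /* another handle still points here */
    (*d->destroyed)++;
    free(d);
}

/* Drop one handle by id, as a single FreeResource call would. */
static void free_resource(unsigned id) {
    for (int i = 0; i < n_res; i++)
        if (table[i].id == id) {
            Drawable *d = table[i].obj;
            table[i] = table[--n_res];  /* unlink before the callback */
            drawable_gone(d);
            return;
        }
}

/* Register one drawable under `handles` ids, free one, tear down the rest. */
int destroy_count_for(int handles) {
    int destroyed = 0;
    Drawable *d = calloc(1, sizeof *d);
    if (!d || handles < 1 || handles > 8) { free(d); return -1; }
    d->destroyed = &destroyed;
    for (int i = 0; i < handles; i++)
        add_resource(0x200000u + (unsigned)i, d);   /* constructed ids */
    free_resource(0x200000u);
    while (n_res > 0)                  /* client teardown */
        drawable_gone(table[--n_res].obj);
    return destroyed;                  /* number of times it was destroyed */
}

int main(void) { return destroy_count_for(2) == 1 ? 0 : 1; }
```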

Revision history for this message
Chris Halse Rogers (raof) wrote : Re: [Ubuntu-x-swat] [Bug 651294] Re: X crash on KDM logout (still - yes, really)

On Fri, 2010-12-10 at 20:36 +0000, Albert Damen wrote:
> A patch was posted by Chris Wilson today on the dri-devel mailing list
> that fixes this crash for me:
>
> glx: Refcnt the GLXDrawable to avoid use after free with multiple FreeResource
>
> Although there may be more than one resource handles pointing to the
> Drawable, we only want to destroy it once and only reference the
> resource which may have just been deleted on the first instance.
>
> v2: Apply fixes and combine with another bug fix from Michel Dänzer,
> https://bugs.freedesktop.org/show_bug.cgi?id=28181
>

Excellent. I'd seen that patch, and was going to ask for testing on
this bug. It's pleasantly small and self-contained.

I'm on holiday for the next couple of days, but if no one else picks
this up before then I'll prepare an SRU.

Revision history for this message
Chris Halse Rogers (raof) wrote :

I've applied the patch from xorg-devel (and another glx use-after-free commit it depends upon) and uploaded some testing packages to my PPA here: https://edge.launchpad.net/~raof/+archive/aubergine .

Because X is core infrastructure, GLX resource tracking is complex, and we've been bitten by it before, I'd like to wait before the patch gets committed upstream and we've had a little preliminary testing before sending it to maverick-proposed.

It's particularly important to check for memory leak issues; that's what we ran into last time.

Revision history for this message
Scott Kitterman (kitterman) wrote :

Your test packages do appear, based on a small number of logouts, to solve the problem. We'll run it here and keep an eye on performance and such. This is on the same system that suffers from Bug #660152, so we'll see if it helps there too.

Changed in xorg-server (Ubuntu):
assignee: nobody → Chris Halse Rogers (raof)
Changed in xorg-server (Ubuntu Maverick):
status: New → Confirmed
importance: Undecided → High
milestone: none → maverick-updates
Bryce Harrington (bryce)
Changed in xorg-server (Ubuntu):
status: Confirmed → In Progress
Revision history for this message
Sergii (serbats) wrote :

Hi, I have the same bug on an Acer eMachines E642 notebook. It has an ATI Mobility Radeon HD 4250 video card. This bug disappeared when I installed the new driver "ATI/AMD proprietary FGLRX graphics driver" via "jockey-kde". It seems this is a problem with the graphics driver.

Revision history for this message
Albert Damen (albrt) wrote :

I noticed the refcount patch was applied in natty and can confirm logging out has been working fine in natty for the past couple of weeks.

xorg-server (2:1.9.99.902-2ubuntu1) natty; urgency=low
...
  * 215_glx_drawable_refcounting.diff:
    - Refcount GLXDrawables to avoid use-after-free crashes. Patch from
      xorg-devel mailing list. Prevents segfault on logout and server
      regenerate, and possibly other times. (LP: #711422)

Revision history for this message
Bryce Harrington (bryce) wrote :

Thanks for the confirmation of the fix.

Changed in xorg-server (Ubuntu):
status: In Progress → Fix Released
Revision history for this message
Amr Ibrahim (amribrahim1987) wrote :

This bug still exists in Oneiric.

Revision history for this message
Lucazade (lucazade) wrote :

This bug is still present in Precise.. are we going to replace KDM with Lightdm?

Revision history for this message
Paul White (paulw2u) wrote :

Confirming this bug still present in Oneiric and Precise

tags: added: oneiric precise
Revision history for this message
Scott Kitterman (kitterman) wrote :

You should file a new bug against xorg-server if you're having a problem with similar symptoms.

tags: added: rls-mgr-p-tracking
tags: removed: precise rls-mgr-p-tracking
Revision history for this message
JC Hulce (soaringsky) wrote :

This bug affects Ubuntu 10.10, Maverick Meerkat. Maverick has reached end-of-life and is no longer supported, so I am closing the bugtask for Maverick. Please upgrade to a newer version of Ubuntu.
More information here: https://lists.ubuntu.com/archives/ubuntu-announce/2012-April/000158.html

Changed in xorg-server (Ubuntu Maverick):
status: Confirmed → Invalid
Revision history for this message
Mauro (mauromol) wrote :

For the record, this bug also affects Debian Wheezy 7.5.0 on an Intel NUC D34010WYKH. The workaround of "TerminateServer=true" works there, too. Please note that "TerminateServer=true" must be added to the [X-*-Core] section, if not present.
