X crashes due to freed memory read in damageDestroyPixmap() from sna_early_close_screen() from xf86CrtcCloseScreen()

Bug #1224296 reported by Daniel van Vugt
This bug affects 6 people

Affects: xorg-server (Ubuntu)
Status: Won't Fix
Importance: Critical
Assigned to: Unassigned
Milestone: none

Bug Description

XMir: DDX memory use after being freed from libmirclient. It looks like bug 1221616 might be the root cause, though, so see that first.

==32480== Invalid read of size 8
==32480== at 0x234D84: damageDestroyPixmap (damage.c:1544)
==32480== by 0xA1C6A3B: sna_early_close_screen (sna_driver.c:762)
==32480== by 0x1CE476: xf86CrtcCloseScreen (xf86Crtc.c:732)
==32480== by 0x1EB64D: CursorCloseScreen (cursor.c:193)
==32480== by 0x2324B5: AnimCurCloseScreen (animcur.c:106)
==32480== by 0x14C636: main (main.c:351)
==32480== Address 0xb98d190 is 16 bytes inside a block of size 296 free'd
==32480== at 0x4C2BADC: operator delete(void*) (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==32480== by 0x8A03F07: __gnu_cxx::new_allocator<std::_Sp_counted_ptr_inplace<MirBufferPackage, std::allocator<MirBufferPackage>, (__gnu_cxx::_Lock_policy)2> >::deallocate(std::_Sp_counted_ptr_inplace<MirBufferPackage, std::allocator<MirBufferPackage>, (__gnu_cxx::_Lock_policy)2>*, unsigned long) (new_allocator.h:110)
==32480== by 0x8A03CB0: std::allocator_traits<std::allocator<std::_Sp_counted_ptr_inplace<MirBufferPackage, std::allocator<MirBufferPackage>, (__gnu_cxx::_Lock_policy)2> > >::deallocate(std::allocator<std::_Sp_counted_ptr_inplace<MirBufferPackage, std::allocator<MirBufferPackage>, (__gnu_cxx::_Lock_policy)2> >&, std::_Sp_counted_ptr_inplace<MirBufferPackage, std::allocator<MirBufferPackage>, (__gnu_cxx::_Lock_policy)2>*, unsigned long) (alloc_traits.h:377)
==32480== by 0x8A046A5: std::_Sp_counted_ptr_inplace<MirBufferPackage, std::allocator<MirBufferPackage>, (__gnu_cxx::_Lock_policy)2>::_M_destroy() (shared_ptr_base.h:417)
==32480== by 0x89E1091: std::_Sp_counted_base<(__gnu_cxx::_Lock_policy)2>::_M_release() (shared_ptr_base.h:161)
==32480== by 0x89E0EC0: std::__shared_count<(__gnu_cxx::_Lock_policy)2>::~__shared_count() (shared_ptr_base.h:553)
==32480== by 0x89E6711: std::__shared_ptr<MirBufferPackage, (__gnu_cxx::_Lock_policy)2>::~__shared_ptr() (shared_ptr_base.h:810)
==32480== by 0x89E6751: std::shared_ptr<MirBufferPackage>::~shared_ptr() (shared_ptr.h:93)
==32480== by 0x8A00490: MirSurface::process_incoming_buffer() (mir_surface.cpp:179)
==32480== by 0x8A00661: MirSurface::new_buffer(void (*)(MirSurface*, void*), void*) (mir_surface.cpp:215)
==32480== by 0x8A04A12: google::protobuf::internal::MethodClosure2<MirSurface, void (*)(MirSurface*, void*), void*>::Run() (common.h:969)
==32480== by 0x8A1E81A: mir::client::rpc::MirSocketRpcChannel::receive_file_descriptors(google::protobuf::Message*, google::protobuf::Closure*) (mir_socket_rpc_channel.cpp:171)
==32480==
==32480== Invalid read of size 4
==32480== at 0x234E03: damageDestroyPixmap (damage.c:1548)
==32480== by 0xA1C6A3B: sna_early_close_screen (sna_driver.c:762)
==32480== by 0x1CE476: xf86CrtcCloseScreen (xf86Crtc.c:732)
==32480== by 0x1EB64D: CursorCloseScreen (cursor.c:193)
==32480== by 0x2324B5: AnimCurCloseScreen (animcur.c:106)
==32480== by 0x14C636: main (main.c:351)
==32480== Address 0xb98d1a8 is 40 bytes inside a block of size 296 free'd
==32480== at 0x4C2BADC: operator delete(void*) (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==32480== by 0x8A03F07: __gnu_cxx::new_allocator<std::_Sp_counted_ptr_inplace<MirBufferPackage, std::allocator<MirBufferPackage>, (__gnu_cxx::_Lock_policy)2> >::deallocate(std::_Sp_counted_ptr_inplace<MirBufferPackage, std::allocator<MirBufferPackage>, (__gnu_cxx::_Lock_policy)2>*, unsigned long) (new_allocator.h:110)
==32480== by 0x8A03CB0: std::allocator_traits<std::allocator<std::_Sp_counted_ptr_inplace<MirBufferPackage, std::allocator<MirBufferPackage>, (__gnu_cxx::_Lock_policy)2> > >::deallocate(std::allocator<std::_Sp_counted_ptr_inplace<MirBufferPackage, std::allocator<MirBufferPackage>, (__gnu_cxx::_Lock_policy)2> >&, std::_Sp_counted_ptr_inplace<MirBufferPackage, std::allocator<MirBufferPackage>, (__gnu_cxx::_Lock_policy)2>*, unsigned long) (alloc_traits.h:377)
==32480== by 0x8A046A5: std::_Sp_counted_ptr_inplace<MirBufferPackage, std::allocator<MirBufferPackage>, (__gnu_cxx::_Lock_policy)2>::_M_destroy() (shared_ptr_base.h:417)
==32480== by 0x89E1091: std::_Sp_counted_base<(__gnu_cxx::_Lock_policy)2>::_M_release() (shared_ptr_base.h:161)
==32480== by 0x89E0EC0: std::__shared_count<(__gnu_cxx::_Lock_policy)2>::~__shared_count() (shared_ptr_base.h:553)
==32480== by 0x89E6711: std::__shared_ptr<MirBufferPackage, (__gnu_cxx::_Lock_policy)2>::~__shared_ptr() (shared_ptr_base.h:810)
==32480== by 0x89E6751: std::shared_ptr<MirBufferPackage>::~shared_ptr() (shared_ptr.h:93)
==32480== by 0x8A00490: MirSurface::process_incoming_buffer() (mir_surface.cpp:179)
==32480== by 0x8A00661: MirSurface::new_buffer(void (*)(MirSurface*, void*), void*) (mir_surface.cpp:215)
==32480== by 0x8A04A12: google::protobuf::internal::MethodClosure2<MirSurface, void (*)(MirSurface*, void*), void*>::Run() (common.h:969)
==32480== by 0x8A1E81A: mir::client::rpc::MirSocketRpcChannel::receive_file_descriptors(google::protobuf::Message*, google::protobuf::Closure*) (mir_socket_rpc_channel.cpp:171)

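The two valgrind reports above have the same shape: the block was released by the shared_ptr<MirBufferPackage> destructor inside MirSurface::process_incoming_buffer() when a new buffer arrived, and the DDX later read it from damageDestroyPixmap() at screen close. The following is an added example, not code from this report, from Mir or from the SNA/xorg DDX; BufferPackage, Surface, PixmapRaw and PixmapShared are constructed names, and the tracking set only exists so the dangling pointer can be detected without the undefined dereference that valgrind catches in the real trace. It shows the ownership pattern behind this class of use-after-free (a consumer caching a non-owning pointer into a shared_ptr-managed object that the producer replaces) next to the form that keeps the block alive for every user. It makes no claim about how the actual XMir bug was or should be fixed; the reporter notes bug 1221616 as the likely root cause.

```cpp
#include <cstdio>
#include <memory>
#include <set>

// Constructed stand-in for MirBufferPackage: the fields are hypothetical and
// only give the consumer something to read at teardown.
struct BufferPackage {
    int fd;
    int stride;
};

// Bookkeeping so the example can *detect* a dangling pointer without
// dereferencing freed memory (that dereference is what valgrind flagged).
// Addresses are removed on allocation and added on free, so reuse of a
// previously freed address is handled correctly.
static std::set<const BufferPackage*> g_freed;

static std::shared_ptr<BufferPackage> make_package(int fd, int stride) {
    BufferPackage* p = new BufferPackage{fd, stride};
    g_freed.erase(p);  // a reused address is live again
    return std::shared_ptr<BufferPackage>(p, [](BufferPackage* q) {
        g_freed.insert(q);
        delete q;
    });
}

static bool is_live(const BufferPackage* p) {
    return p != nullptr && g_freed.count(p) == 0;
}

// Producer side, modelled on MirSurface::process_incoming_buffer(): each
// incoming buffer replaces the current package, and the shared_ptr
// destructor frees the previous one unless someone else still owns it.
struct Surface {
    std::shared_ptr<BufferPackage> current;
    void new_buffer(int fd, int stride) { current = make_package(fd, stride); }
};

// Bug pattern: the DDX-side object caches a raw pointer into the package and
// uses it later (here: at "close screen"), after the surface has moved on.
struct PixmapRaw {
    const BufferPackage* pkg = nullptr;
    void attach(const Surface& s) { pkg = s.current.get(); }
    // False when close would read freed memory; a real damageDestroyPixmap()
    // would simply dereference it and crash (or silently read garbage).
    bool close_is_safe() const { return is_live(pkg); }
};

// Hardened form: share ownership so the package outlives every user of it.
struct PixmapShared {
    std::shared_ptr<const BufferPackage> pkg;
    void attach(const Surface& s) { pkg = s.current; }
    bool close_is_safe() const { return is_live(pkg.get()); }
    int stride() const { return pkg->stride; }
};

// Scenario from the trace: attach, a new buffer arrives, then teardown.
bool raw_pointer_dangles() {
    Surface s;
    s.new_buffer(3, 1024);
    PixmapRaw pm;
    pm.attach(s);
    s.new_buffer(4, 2048);  // old package freed here; pm.pkg now dangles
    return !pm.close_is_safe();
}

bool shared_owner_survives() {
    Surface s;
    s.new_buffer(3, 1024);
    PixmapShared pm;
    pm.attach(s);
    s.new_buffer(4, 2048);  // old package kept alive by pm
    return pm.close_is_safe() && pm.stride() == 1024;
}

int main() {
    std::printf("raw pointer dangles after new buffer: %s\n",
                raw_pointer_dangles() ? "yes" : "no");
    std::printf("shared owner survives new buffer:     %s\n",
                shared_owner_survives() ? "yes" : "no");
    return 0;
}
```

If you replace the tracking set with a plain dereference in PixmapRaw::close_is_safe() and run the binary under `valgrind --tool=memcheck`, the report has the same "Invalid read ... inside a block of size N free'd" structure as the one above, with the free attributed to the shared_ptr release path. The fix direction shown (an owning reference held by the consumer, or copying the data out of the package at attach time) is the general remedy for this pattern; which one applies to the real DDX depends on the root cause the reporter points to.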
description: updated
summary: - XMir: DDX memory use after being freed from libmirclient
+ Freed memory read in damageDestroyPixmap() from sna_early_close_screen()
+ from xf86CrtcCloseScreen()
tags: added: make-xmir-default
Daniel van Vugt (vanvugt) wrote : Re: Freed memory read in damageDestroyPixmap() from sna_early_close_screen() from xf86CrtcCloseScreen()

Actually, this looks like it might be a side-effect of bug 1221616

Changed in xmir:
assignee: nobody → Chris Halse Rogers (raof)
summary: - Freed memory read in damageDestroyPixmap() from sna_early_close_screen()
- from xf86CrtcCloseScreen()
+ X crashes due to freed memory read in damageDestroyPixmap() from
+ sna_early_close_screen() from xf86CrtcCloseScreen()
Changed in xorg-server (Ubuntu):
importance: Undecided → Critical
Changed in xmir:
status: New → Confirmed
Changed in xorg-server (Ubuntu):
status: New → Confirmed
description: updated
no longer affects: xmir
tags: added: xmir
Daniel van Vugt (vanvugt) wrote :

XMir 1.0 (the old Xorg extension) is now deprecated and is not being maintained or fixed. It is replaced by the new 'Xmir' binary (package 'xmir') introduced in Ubuntu 15.10 wily.

Changed in xorg-server (Ubuntu):
status: Confirmed → Won't Fix