[PATCH xserver] randr: fix RRCrtcDetachScanoutPixmap crash on server exit
Peter Wu
peter at lekensteyn.nl
Tue Aug 14 00:16:11 UTC 2018
The following crash was observed with xserver 1.20.1 on exiting xserver
after enabling a PRIME output source with the Intel driver:

Old value = (WindowPtr) 0x612000159dc0
New value = (WindowPtr) 0x0 // pWin->drawable.pScreen->root = NULL;
DeleteWindow (value=0x612000159dc0, wid=<optimized out>) at dix/window.c:1112
1112 dixFreeObjectWithPrivates(pWin, PRIVATE_WINDOW);
(gdb) bt
#0 DeleteWindow (value=0x612000159dc0, wid=<optimized out>) at dix/window.c:1112
#1 0x0000557e7842535b in doFreeResource (res=0x60300000ebf0, skip=<optimized out>) at dix/resource.c:880
#2 0x0000557e784289ed in FreeClientResources (client=0x60e000000040) at dix/resource.c:1146
#3 0x0000557e78428c46 in FreeAllResources () at dix/resource.c:1161
#4 0x0000557e783c25d8 in dix_main (argc=<optimized out>, argv=<optimized out>, envp=<optimized out>) at dix/main.c:292
...

Thread 1 "Xorg" received signal SIGSEGV, Segmentation fault.
0x0000557e7841138c in PixmapStopDirtyTracking (src=0x0, slave_dst=0x61100002ea80) at dix/pixmap.c:251
251 ScreenPtr screen = src->pScreen;
(gdb) bt
#0 0x0000558e598a938c in PixmapStopDirtyTracking (src=0x0, slave_dst=0x611000038d00) at ../xserver/dix/pixmap.c:251
#1 0x0000558e5990ccd5 in RRCrtcDetachScanoutPixmap (crtc=0x617000004680) at ../xserver/randr/rrcrtc.c:413
#2 0x0000558e5990d001 in RRCrtcDestroyResource (value=0x617000004680, pid=<optimized out>) at ../xserver/randr/rrcrtc.c:900
#3 0x0000558e598bd35b in doFreeResource (res=0x60300000a2a0, skip=<optimized out>) at ../xserver/dix/resource.c:880
#4 0x0000558e598c09ed in FreeClientResources (client=0x60e000000040) at ../xserver/dix/resource.c:1146
#5 0x0000558e598c0c46 in FreeAllResources () at ../xserver/dix/resource.c:1161
#6 0x0000558e5985a5d8 in dix_main (argc=<optimized out>, argv=<optimized out>, envp=<optimized out>) at ../xserver/dix/main.c:292

For some reason, the Window resource ends up being freed before a pixmap
when using the intel driver. It does not occur with modesetting (there
RRCrtcDestroyResource is called before deleting the root window).

Before "Make PixmapDirtyUpdateRec::src a DrawablePtr" the "src" argument
was "master->GetScreenPixmap(master)". After that commit, it becomes the
root window drawable which can be NULL as shown above.

Signed-off-by: Peter Wu <peter at lekensteyn.nl>
---
randr/rrcrtc.c | 26 ++++++++++++++------------
1 file changed, 14 insertions(+), 12 deletions(-)
diff --git a/randr/rrcrtc.c b/randr/rrcrtc.c
index 5d9026266..d5dc235b7 100644
--- a/randr/rrcrtc.c
+++ b/randr/rrcrtc.c
@@ -398,20 +398,22 @@ RRCrtcDetachScanoutPixmap(RRCrtcPtr crtc)
ScreenPtr master = crtc->pScreen->current_master;
DrawablePtr mrootdraw = &master->root->drawable;
- if (crtc->scanout_pixmap_back) {
- pScrPriv->rrDisableSharedPixmapFlipping(crtc);
+ if (mrootdraw) {
+ if (crtc->scanout_pixmap_back) {
+ pScrPriv->rrDisableSharedPixmapFlipping(crtc);
- master->StopFlippingPixmapTracking(mrootdraw,
- crtc->scanout_pixmap,
- crtc->scanout_pixmap_back);
+ master->StopFlippingPixmapTracking(mrootdraw,
+ crtc->scanout_pixmap,
+ crtc->scanout_pixmap_back);
- rrDestroySharedPixmap(crtc, crtc->scanout_pixmap_back);
- crtc->scanout_pixmap_back = NULL;
- }
- else {
- pScrPriv->rrCrtcSetScanoutPixmap(crtc, NULL);
- master->StopPixmapTracking(mrootdraw,
- crtc->scanout_pixmap);
+ rrDestroySharedPixmap(crtc, crtc->scanout_pixmap_back);
+ crtc->scanout_pixmap_back = NULL;
+ }
+ else {
+ pScrPriv->rrCrtcSetScanoutPixmap(crtc, NULL);
+ master->StopPixmapTracking(mrootdraw,
+ crtc->scanout_pixmap);
+ }
}
rrDestroySharedPixmap(crtc, crtc->scanout_pixmap);
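Review bot: the new "if (mrootdraw)" guard tests a pointer computed as "&master->root->drawable" two lines earlier, so it can only be NULL when master->root is NULL and drawable sits at offset 0 of the window struct. Testing master->root directly, and deriving mrootdraw only after that check, would not depend on struct layout or on taking the address of a member through a NULL pointer. The guard also now skips rrDisableSharedPixmapFlipping(crtc), rrDestroySharedPixmap(crtc, crtc->scanout_pixmap_back) together with the "crtc->scanout_pixmap_back = NULL" reset, and rrCrtcSetScanoutPixmap(crtc, NULL), none of which take mrootdraw as an argument. Consider guarding only the master->StopFlippingPixmapTracking and master->StopPixmapTracking calls, so the back pixmap is still released and the scanout pixmap is still unset when the root window is already gone.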
--
2.18.0