[Bug 33036] New: Null ptr deref in radeon_r300_winsys_buffer_from_handle()

bugzilla-daemon at freedesktop.org bugzilla-daemon at freedesktop.org
Wed Jan 12 10:02:34 PST 2011 

https://bugs.freedesktop.org/show_bug.cgi?id=33036

           Summary: Null ptr deref in
                    radeon_r300_winsys_buffer_from_handle()
           Product: xorg
           Version: 7.5
          Platform: x86 (IA32)
        OS/Version: Linux (All)
            Status: NEW
          Severity: major
          Priority: medium
         Component: Driver/Radeon
        AssignedTo: xorg-driver-ati at lists.x.org
        ReportedBy: bryce at canonical.com
         QAContact: xorg-team at lists.x.org


Forwarding this bug from Ubuntu reporter David Barth:
http://bugs.launchpad.net/ubuntu/+source/xserver-xorg-video-ati/+bug/691653

[Problem]
Compiz periodically crashes in the radeon mesa driver code when using alt-tab. 
The backtrace shows the crash occurring in this routine:

#0 0x00fc230b in radeon_r300_winsys_buffer_from_handle () from
/usr/lib/dri/r300_dri.so

This seems to be because radeon_drm_bufmgr_create_buffer_from_handle() can
return a null buffer sometimes, but this is not being checked before
dereferencing.

It appears this bug is seen by RedHat as well:
https://bugzilla.redhat.com/show_bug.cgi?id=660143

[Original Description]
While alt-tabbing with compiz (latest version,
1:0.9.2.1+glibmainloop3-0ubuntu4), i got this crasher.

I've noticed crashers like this for a while since i switched over to natty, but
most of the time i was getting traces that were mostly "stack smashers"
according to smspillaz.

Withi this one, i think i've put the finger on a more probable cause for the
crasher. See stacktrace at http://pastebin.ubuntu.com/544957/ an excerpt of
which being: 


b#0  0x00fc230b in radeon_r300_winsys_buffer_from_handle () from
/usr/lib/dri/r300_dri.so
(gdb) bt
#0  0x00fc230b in radeon_r300_winsys_buffer_from_handle () from
/usr/lib/dri/r300_dri.so
#1  0x00fd272f in r300_texture_from_handle () from /usr/lib/dri/r300_dri.so
#2  0x00fdd2b4 in r300_resource_from_handle () from /usr/lib/dri/r300_dri.so
#3  0x00fc0958 in dri2_allocate_textures () from /usr/lib/dri/r300_dri.so
#4  0x00fc1797 in dri_st_framebuffer_validate () from /usr/lib/dri/r300_dri.so
#5  0x00fc1916 in dri_set_tex_buffer2 () from /usr/lib/dri/r300_dri.so
#6  0x008fc019 in dri2_bind_tex_image () from /usr/lib/mesa/libGL.so.1
#7  0x008d3cb6 in __glXBindTexImageEXT () from /usr/lib/mesa/libGL.so.1
#8  0x006c8a8a in TfpTexture::bindPixmapToTexture(unsigned long, int, int, int)
() from /usr/lib/compiz/libopengl.so
#9  0x006c5b3e in boost::detail::function::function_invoker4<GLTexture::List
(*)(unsigned long, int, int, int), GLTexture::List, unsigned long, int, int,
int>::invoke(boost::detail::function::function_buffer&, unsigned long, int,
int, int) () from /usr/lib/compiz/libopengl.so
#10 0x006c850a in GLTexture::bindPixmapToTexture(unsigned long, int, int, int)
() from /usr/lib/compiz/libopengl.so
#11 0x00c88743 in DecorTexture::DecorTexture(unsigned long) () from
/usr/lib/compiz/libdecor.so
...

dbarth at thinkpad:~$ apt-cache policy libgl1-mesa-dri
libgl1-mesa-dri:
  Installed: 7.9+repack-1ubuntu3
  Candidate: 7.9+repack-1ubuntu3
  Version table:
 *** 7.9+repack-1ubuntu3 0
        500 http://archive.ubuntu.com/ubuntu/ natty/main i386 Packages
        100 /var/lib/dpkg/status

To reproduce: alt-tab, and sometimes that will crash

mipmap was enabled, though i've had identical crashers when it was disabled as
well.
--- 
Architecture: i386
CompizPlugins: No value set for
`/apps/compiz-1/general/allscreens/options/active_plugins'
CompositorRunning: compiz
DRM.card0.LVDS.1:
 status: connected
 enabled: enabled
 dpms: On
 modes: 1400x1050 1400x1050 1280x1024 1280x1024 1280x960 1280x854 1280x800
1280x720 1152x768 1024x768 1024x768 800x600 800x600 848x480 720x480 640x480
640x480
 edid-base64:
AP///////wAwriJAAAAAAAAPAQOAHBV46q9AlVZKjyUgUFQhCACBgAEBAQEBAQEBAQEBAQEBMCp4IFEaEEAwcBMAHdYQAAAZJSN4IFEaEEAwcBMAHdYQAAAZAAAADwCQQzKQQygPAQAJ5QAAAAAA/gBIVDE0UDEyLTEwMAogAD8=
DRM.card0.VGA.1:
 status: disconnected
 enabled: disabled
 dpms: On
 modes: 
 edid-base64:
DistUpgraded: Yes, recently upgraded Log time: 2010-11-25 10:04:35.555639
DistroCodename: natty
DistroRelease: Ubuntu 11.04
DistroVariant: ubuntu
GraphicsCard:   Subsystem: Lenovo ThinkPad T60p [17aa:2007]
MachineType: LENOVO 200783U
Package: mesa (not installed)
PackageArchitecture: all
PccardctlIdent:
 Socket 0:
   no product info available
PccardctlStatus:
 Socket 0:
   no card
PciDisplay: 01:00.0 VGA compatible controller [0300]: ATI Technologies Inc
M56GL [Mobility FireGL V5200] [1002:71c4] (prog-if 00 [VGA controller])
ProcEnviron:
 LANGUAGE=en_US.UTF-8:en
 PATH=(custom, user)
 LANG=en_US.UTF-8
 LC_MESSAGES=en_AG.utf8ProcKernelCmdLine:
BOOT_IMAGE=/boot/vmlinuz-2.6.37-11-generic
root=UUID=d71a3bd3-9679-4649-b4ac-ce425d0e5bed ro vt.handoff=7 quiet splash
bootchart=disable
ProcKernelCmdLine_: BOOT_IMAGE=/boot/vmlinuz-2.6.37-11-generic
root=UUID=d71a3bd3-9679-4649-b4ac-ce425d0e5bed ro vt.handoff=7 quiet splash
bootchart=disable
ProcVersionSignature: Ubuntu 2.6.37-11.25-generic 2.6.37-rc7
ProcVersionSignature_: Ubuntu 2.6.37-11.25-generic 2.6.37-rc7
RelatedPackageVersions:
 xserver-xorg 1:7.5+6ubuntu6
 libgl1-mesa-glx 7.9+repack-1ubuntu3
 libdrm2 2.4.22-2ubuntu1
 xserver-xorg-video-intel 2:2.13.901-2ubuntu2
 xserver-xorg-video-ati 1:6.13.2-1ubuntu2
Renderer: Hardware acceleration
Tags: natty running-unity natty running-unity natty ubuntu
Uname: Linux 2.6.37-11-generic i686
UnitySupportTest:

UserGroups: adm admin cdrom dialout lpadmin plugdev sambashare
XorgConf: Error: [Errno 2] No such file or directory: '/etc/X11/xorg.conf'
dmi.bios.date: 09/12/2008
dmi.bios.vendor: LENOVO
dmi.bios.version: 79ETE3WW (2.23 )
dmi.board.name: 200783U
dmi.board.vendor: LENOVO
dmi.board.version: Not Available
dmi.chassis.asset.tag: No Asset Information
dmi.chassis.type: 10
dmi.chassis.vendor: LENOVO
dmi.chassis.version: Not Available
dmi.modalias:
dmi:bvnLENOVO:bvr79ETE3WW(2.23):bd09/12/2008:svnLENOVO:pn200783U:pvrThinkPadT60p:rvnLENOVO:rn200783U:rvrNotAvailable:cvnLENOVO:ct10:cvrNotAvailable:
dmi.product.name: 200783U
dmi.product.version: ThinkPad T60p
dmi.sys.vendor: LENOVO
system: distro = Ubuntu, architecture = i686, kernel = 2.6.37-11-generic
version.libdrm2: libdrm2 2.4.22-2ubuntu1
version.libgl1-mesa-glx: libgl1-mesa-glx 7.9+repack-1ubuntu3
version.xserver-xorg: xserver-xorg 1:7.5+6ubuntu6
version.xserver-xorg-video-ati: xserver-xorg-video-ati 1:6.13.2-1ubuntu2
version.xserver-xorg-video-intel: xserver-xorg-video-intel 2:2.13.901-2ubuntu2
version.xserver-xorg-video-nouveau: xserver-xorg-video-nouveau
1:0.0.16+git20100805+b96170a-0ubuntu1

-- 
Configure bugmail: https://bugs.freedesktop.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.

More information about the xorg-driver-ati mailing list