[xserver] randr: fix RRCrtcDetachScanoutPixmap crash on server exit

Submitted by Peter Wu on Aug. 14, 2018, 12:16 a.m.

Details

Message ID 20180814001611.27083-1-peter@lekensteyn.nl
State New
Series "randr: fix RRCrtcDetachScanoutPixmap crash on server exit"

Commit Message

Peter Wu Aug. 14, 2018, 12:16 a.m.
The following crash was observed with xserver 1.20.1 on exiting xserver
after enabling a PRIME output source with the Intel driver:

    Old value = (WindowPtr) 0x612000159dc0
    New value = (WindowPtr) 0x0 // pWin->drawable.pScreen->root = NULL;
    DeleteWindow (value=0x612000159dc0, wid=<optimized out>) at dix/window.c:1112
    1112        dixFreeObjectWithPrivates(pWin, PRIVATE_WINDOW);
    (gdb) bt
    #0  DeleteWindow (value=0x612000159dc0, wid=<optimized out>) at dix/window.c:1112
    #1  0x0000557e7842535b in doFreeResource (res=0x60300000ebf0, skip=<optimized out>) at dix/resource.c:880
    #2  0x0000557e784289ed in FreeClientResources (client=0x60e000000040) at dix/resource.c:1146
    #3  0x0000557e78428c46 in FreeAllResources () at dix/resource.c:1161
    #4  0x0000557e783c25d8 in dix_main (argc=<optimized out>, argv=<optimized out>, envp=<optimized out>) at dix/main.c:292
    ...

    Thread 1 "Xorg" received signal SIGSEGV, Segmentation fault.
    0x0000557e7841138c in PixmapStopDirtyTracking (src=0x0, slave_dst=0x61100002ea80) at dix/pixmap.c:251
    251         ScreenPtr screen = src->pScreen;
    (gdb) bt
    #0  0x0000558e598a938c in PixmapStopDirtyTracking (src=0x0, slave_dst=0x611000038d00) at ../xserver/dix/pixmap.c:251
    #1  0x0000558e5990ccd5 in RRCrtcDetachScanoutPixmap (crtc=0x617000004680) at ../xserver/randr/rrcrtc.c:413
    #2  0x0000558e5990d001 in RRCrtcDestroyResource (value=0x617000004680, pid=<optimized out>) at ../xserver/randr/rrcrtc.c:900
    #3  0x0000558e598bd35b in doFreeResource (res=0x60300000a2a0, skip=<optimized out>) at ../xserver/dix/resource.c:880
    #4  0x0000558e598c09ed in FreeClientResources (client=0x60e000000040) at ../xserver/dix/resource.c:1146
    #5  0x0000558e598c0c46 in FreeAllResources () at ../xserver/dix/resource.c:1161
    #6  0x0000558e5985a5d8 in dix_main (argc=<optimized out>, argv=<optimized out>, envp=<optimized out>) at ../xserver/dix/main.c:292

For some reason, the Window resource ends up being freed before a pixmap
when using the intel driver. It does not occur with modesetting (there
RRCrtcDestroyResource is called before deleting the root window).

Before "Make PixmapDirtyUpdateRec::src a DrawablePtr" the "src" argument
was "master->GetScreenPixmap(master)". After that commit, it becomes the
root window drawable which can be NULL as shown above.

Signed-off-by: Peter Wu <peter@lekensteyn.nl>
---
 randr/rrcrtc.c | 26 ++++++++++++++------------
 1 file changed, 14 insertions(+), 12 deletions(-)

diff --git a/randr/rrcrtc.c b/randr/rrcrtc.c
index 5d9026266..d5dc235b7 100644
--- a/randr/rrcrtc.c
+++ b/randr/rrcrtc.c
@@ -398,20 +398,22 @@  RRCrtcDetachScanoutPixmap(RRCrtcPtr crtc)
         ScreenPtr master = crtc->pScreen->current_master;
         DrawablePtr mrootdraw = &master->root->drawable;
 
-        if (crtc->scanout_pixmap_back) {
-            pScrPriv->rrDisableSharedPixmapFlipping(crtc);
+        if (mrootdraw) {
+            if (crtc->scanout_pixmap_back) {
+                pScrPriv->rrDisableSharedPixmapFlipping(crtc);
 
-            master->StopFlippingPixmapTracking(mrootdraw,
-                                               crtc->scanout_pixmap,
-                                               crtc->scanout_pixmap_back);
+                master->StopFlippingPixmapTracking(mrootdraw,
+                                                   crtc->scanout_pixmap,
+                                                   crtc->scanout_pixmap_back);
 
-            rrDestroySharedPixmap(crtc, crtc->scanout_pixmap_back);
-            crtc->scanout_pixmap_back = NULL;
-        }
-        else {
-            pScrPriv->rrCrtcSetScanoutPixmap(crtc, NULL);
-            master->StopPixmapTracking(mrootdraw,
-                                       crtc->scanout_pixmap);
+                rrDestroySharedPixmap(crtc, crtc->scanout_pixmap_back);
+                crtc->scanout_pixmap_back = NULL;
+            }
+            else {
+                pScrPriv->rrCrtcSetScanoutPixmap(crtc, NULL);
+                master->StopPixmapTracking(mrootdraw,
+                                           crtc->scanout_pixmap);
+            }
         }
 
         rrDestroySharedPixmap(crtc, crtc->scanout_pixmap);
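
Review bot: the new `if (mrootdraw)` guard tests a pointer that the line above it computes as `&master->root->drawable`, so it is NULL only when `master->root` is NULL and `drawable` sits at offset 0 of the window structure (which the `src=0x0` in the backtrace implies). Taking a member's address through a NULL `root` is also undefined behaviour, so a compiler is allowed to drop the test. Check `master->root` directly and derive `mrootdraw` only inside the guarded branch. Separately, the guard now also skips `rrDisableSharedPixmapFlipping(crtc)`, `rrDestroySharedPixmap(crtc, crtc->scanout_pixmap_back)` together with the `crtc->scanout_pixmap_back = NULL` reset, and `rrCrtcSetScanoutPixmap(crtc, NULL)`, none of which take `mrootdraw`. When the root window is already gone the back pixmap is never destroyed on this path, so consider limiting the guard to the `StopFlippingPixmapTracking` and `StopPixmapTracking` calls, and add a comment explaining why the root window can be NULL here.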