Date:	Wed, 21 Apr 2010 23:40:52 +0100
From:	Nix <nix@...eri.org.uk>
To:	xorg-ati <xorg-driver-ati@...ts.x.org>,
	Linux-Kernel-Mailing-List <linux-kernel@...r.kernel.org>
Cc:	xorg@...ts.freedesktop.org
Subject: Radeon KMS bug(?) after Linux kernel 2.6.32 causes a crash of X server 1.8.0+ on termination

On 18 Apr 2010, nix@...eri.org.uk said:

> So far, every time I've quit X 1.8.0 (1.8-stable tip of tree), it's
> coredumped and left my console unusable until I restart. (I'm using the
> tip of the xf86-video-ati tree, and KMS, both of which worked fine with
> 1.7.5. Obviously I've recompiled all the drivers I'm using, or X
> wouldn't work at all...)
>
> The backtrace differs depending on whether auditing is enabled or not.
>
> With auditing on, we are hit with a segfault here:
>
> #0  0x00007f7e06148985 in _xstat () from /lib/libc.so.6
> #1  0x00007f7e061198d0 in __tzfile_read () from /lib/libc.so.6
> #2  0x00007f7e06118c8a in tzset_internal () from /lib/libc.so.6
> #3  0x00007f7e06118df9 in __tz_convert () from /lib/libc.so.6
> #4  0x00007f7e06117439 in ctime () from /lib/libc.so.6
> #5  0x00000000004533c8 in AuditPrefix ()
> #6  0x0000000000453956 in VAuditF ()
> #7  0x0000000000453add in AuditF ()
> #8  0x000000000043e5c6 in CloseDownClient ()
> #9  0x0000000000443af8 in Dispatch ()
> #10 0x0000000000420dc5 in main ()
>
> With it off, I see this instead:
>
> Program received signal SIGTERM, Terminated.
> 0x000000000042904c in FreeClientResources ()
> (gdb) bt
> #0  0x000000000042904c in FreeClientResources ()
> #1  0x000000000043e4c2 in CloseDownClient ()
> #2  0x0000000000443af8 in Dispatch ()
> #3  0x0000000000420dc5 in main ()
>
> which might look like normal termination, except that
> FreeClientResources() of course does not contain an exit(), and the
> console is still unusable.
>
> I suspect a double-free() somewhere, and/or heap corruption.

Nope. This bug only appears with KMS enabled; it does not appear in
2.6.32.10 (when termination happens normally, with only

[   71.267834] Unpin not necessary for ffff88033d66dc00 !

in the kernel log) but does appear with current tip; seen with 2.6.34rc3
and later (i.e. as soon as I upgraded the X server).

So this is either a KMS bug corrupting something in userspace, or a bug
in the X server triggered by the presence of KMS and some feature only
available in 2.6.33+. It's nearly midnight here so I'm going to leave it
at that tonight. I'll do a bisection of the kernel tomorrow, and perhaps
a bisection of the X server, to see where it started crashing between
1.7.5 and 1.8.0.