Segfault in swap_drm_surface_buffers #1868

emersion · 2019-10-22T10:36:12Z

Happens when docking with more outputs than CRTCs.

#0  0x0000000000000000 in  ()
#1  0x00007feb60838863 in swap_drm_surface_buffers (surf=surf@entry=0x55598a395958, damage=damage@entry=0x0) at ../subprojects/wlroots/backend/drm/renderer.c:154
#2  0x00007feb60838904 in get_drm_surface_front (surf=0x55598a395958) at ../subprojects/wlroots/backend/drm/renderer.c:168
        renderer = 0x55598a65a4c0
#3  0x00007feb60834b24 in drm_connector_start_renderer (conn=0x55598a6afa40) at ../subprojects/wlroots/backend/drm/drm.c:513
        drm = 0x55598a36eea0
        crtc = 0x55598a3855f8
        plane = 0x55598a395950
        bo = <optimized out>
        fb_id = <optimized out>
        mode = <optimized out>
#4  0x00007feb60836198 in drm_connector_start_renderer (conn=0x55598a6afa40) at ../subprojects/wlroots/backend/drm/drm.c:600
        conn = 0x55598a6afa40
        drm = <optimized out>
#5  0x00007feb60836198 in drm_connector_set_mode (output=0x55598a6afa40, mode=0x55598aad1190) at ../subprojects/wlroots/backend/drm/drm.c:609
        conn = 0x55598a6afa40
        drm = <optimized out>
#6  0x000055598880ed1b in set_mode (refresh_rate=<optimized out>, height=<optimized out>, width=1680, output=0x55598a6afa40) at ../sway/config/output.c:229
        mhz = <optimized out>
        mode = <optimized out>
        best = <optimized out>
        wlr_output = 0x55598a6afa40
        modeset_success = <optimized out>
        output_box = <optimized out>
#7  0x000055598880ed1b in apply_output_config (oc=oc@entry=0x55598aad0bf0, output=output@entry=0x55598ac360f0) at ../sway/config/output.c:266
        wlr_output = 0x55598a6afa40
        modeset_success = <optimized out>
        output_box = <optimized out>
#8  0x000055598882d5cc in output_enable (output=output@entry=0x55598ac360f0, oc=0x55598aad0bf0) at ../sway/tree/output.c:118
        __PRETTY_FUNCTION__ = "output_enable"
        wlr_output = 0x55598a6afa40
        len = 4
        ws = <optimized out>
#9  0x00005559887fcdea in handle_new_output (listener=0x55598884fe60 <server+64>, data=0x55598a6afa40) at ../sway/desktop/output.c:808
        server = 0x55598884fe20 <server>
        wlr_output = 0x55598a6afa40
        output = 0x55598ac360f0
        oc = <optimized out>
#10 0x00007feb608759ec in wlr_signal_emit_safe (signal=<optimized out>, data=0x55598a6afa40) at ../subprojects/wlroots/util/signal.c:29
        pos = 0x55598884fe60 <server+64>
        l = 0x55598884fe60 <server+64>
        cursor = {link = {prev = 0x55598884fe60 <server+64>, next = 0x7ffef5a7f6e0}, notify = 0x7feb60875960 <handle_noop>}
        end = {link = {prev = 0x7ffef5a7f6c0, next = 0x55598a37e1d8}, notify = 0x7feb60875960 <handle_noop>}
#11 0x00007feb608759ec in wlr_signal_emit_safe (signal=signal@entry=0x55598a36eec8, data=data@entry=0x55598a6afa40) at ../subprojects/wlroots/util/signal.c:29
        pos = 0x55598a65c098
        l = 0x55598a65c098
        cursor = {link = {prev = 0x55598a65c098, next = 0x7ffef5a7f750}, notify = 0x7feb60875960 <handle_noop>}
        end = {link = {prev = 0x7ffef5a7f730, next = 0x55598a36eec8}, notify = 0x7feb60875960 <handle_noop>}
#12 0x00007feb608374fb in scan_drm_connectors (drm=<optimized out>) at ../subprojects/wlroots/backend/drm/drm.c:1367
        conn = 0x55598a6afa40
        i = 0
        res = <optimized out>
        seen_len = 8
        seen = 0x7ffef5a7f7f0
        new_outputs_len = <optimized out>
--Type <RET> for more, q to quit, c to continue without paging--
        new_outputs = 0x7ffef5a7f7a0
        conn = <optimized out>
        tmp_conn = <optimized out>
        index = <optimized out>
#13 0x00007feb608759ec in wlr_signal_emit_safe (signal=<optimized out>, data=data@entry=0x55598a37e240) at ../subprojects/wlroots/util/signal.c:29
        pos = 0x55598a36ef48
        l = 0x55598a36ef48
        cursor = {link = {prev = 0x55598a36ef48, next = 0x7ffef5a7f900}, notify = 0x7feb60875960 <handle_noop>}
        end = {link = {prev = 0x7ffef5a7f8e0, next = 0x55598a3845d0}, notify = 0x7feb60875960 <handle_noop>}
#14 0x00007feb6083eb37 in udev_event (fd=<optimized out>, mask=<optimized out>, data=0x55598a37e240) at ../subprojects/wlroots/backend/session/session.c:52
        session = 0x55598a37e240
        udev_dev = 0x55598aa855b0
        action = <optimized out>
        devnum = <optimized out>
        dev = <optimized out>
#15 0x00007feb602287f2 in wl_event_loop_dispatch () at /lib64/libwayland-server.so.0
#16 0x00007feb6022739c in wl_display_run () at /lib64/libwayland-server.so.0
#17 0x00005559887ee5db in main (argc=1, argv=0x7ffef5a7fcd8) at ../sway/main.c:402
        verbose = 0
        debug = 0
        validate = 0
        allow_unsupported_gpu = 0
        long_options = 
            {{name = 0x5559888344eb "help", has_arg = 0, flag = 0x0, val = 104}, {name = 0x555988837415 "config", has_arg = 1, flag = 0x0, val = 99}, {name = 0x5559888344f0 "validate", has_arg = 0, flag = 0x0, val = 67}, {name = 0x5559888344f9 "debug", has_arg = 0, flag = 0x0, val = 100}, {name = 0x55598883444f "version", has_arg = 0, flag = 0x0, val = 118}, {name = 0x5559888335ef "verbose", has_arg = 0, flag = 0x0, val = 86}, {name = 0x5559888344ff "get-socketpath", has_arg = 0, flag = 0x0, val = 112}, {name = 0x55598883450e "unsupported-gpu", has_arg = 0, flag = 0x0, val = 117}, {name = 0x55598883451e "my-next-gpu-wont-be-nvidia", has_arg = 0, flag = 0x0, val = 117}, {name = 0x0, has_arg = 0, flag = 0x0, val = 0}}
        config_path = 0x0
        usage = 0x555988834850 "Usage: sway [options] [command]\n\n  -h, --help", ' ' <repeats 13 times>, "Show help message and quit.\n  -c, --config <config>  Specify a config file.\n  -C, --validate         Check the validity of the config file, th"...
        c = <optimized out>

The text was updated successfully, but these errors were encountered:

When surf->gbm was previously set, we destroy it without setting it to NULL. Later on, we only create the GBM surface if surf->gbm is NULL. This result in a use-after-free when we start using surf->gbm. Closes: swaywm#1868 Closes: swaywm#1874 Closes: swaywm/sway#4785 Closes: swaywm/sway#4717 Closes: swaywm/sway#4730 Fixes: 2bdd1d0 ("backend/drm: use modifiers for our GBM buffers")

When surf->gbm was previously set, we destroy it without setting it to NULL. Later on, we only create the GBM surface if surf->gbm is NULL. This result in a use-after-free when we start using surf->gbm. Closes: #1868 Closes: #1874 Closes: swaywm/sway#4785 Closes: swaywm/sway#4717 Closes: swaywm/sway#4730 Fixes: 2bdd1d0 ("backend/drm: use modifiers for our GBM buffers")

When surf->gbm was previously set, we destroy it without setting it to NULL. Later on, we only create the GBM surface if surf->gbm is NULL. This result in a use-after-free when we start using surf->gbm. Closes: swaywm#1868 Closes: swaywm#1874 Closes: swaywm/sway#4785 Closes: swaywm/sway#4717 Closes: swaywm/sway#4730 Fixes: 2bdd1d0 ("backend/drm: use modifiers for our GBM buffers")

emersion added bug backend/drm labels Oct 22, 2019

emersion mentioned this issue Dec 5, 2019

backend/drm: fix segfault in init_drm_surface #1944

Merged

ddevault closed this as completed in #1944 Dec 5, 2019

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Segfault in swap_drm_surface_buffers #1868

Segfault in swap_drm_surface_buffers #1868

emersion commented Oct 22, 2019

Segfault in swap_drm_surface_buffers #1868

Segfault in swap_drm_surface_buffers #1868

Comments

emersion commented Oct 22, 2019