Segfault in `drm_connector_set_mode` #1874

KenMacD · 2019-10-25T16:58:33Z

When switching from another virtual console back I get the following segfault:

#0  0x00007fd3e6920c49 in drm_connector_set_mode (output=output@entry=0x55a34d3b7d00, wlr_mode=0x0)
    at ../backend/drm/drm.c:652
        conn = 0x55a34d3b7d00
        drm = <optimized out>
        mode = <optimized out>
#1  0x00007fd3e691ec70 in session_signal (listener=0x55a34d1ed7c0, data=<optimized out>) at ../backend/drm/backend.c:96
        plane = <optimized out>
        conn = 0x55a34d3b7d00
        drm = 0x55a34d1ed730
        session = <optimized out>
#2  0x00007fd3e696264e in wlr_signal_emit_safe (signal=signal@entry=0x55a34d1d6408, data=data@entry=0x55a34d1d6400)
    at ../util/signal.c:29
        pos = 0x55a34d1ed7c0
        l = 0x55a34d1ed7c0
        cursor = {link = {prev = 0x55a34d1ed7c0, next = 0x7fffa160d550}, notify = 0x7fd3e69625c0 <handle_noop>}
        end = {link = {prev = 0x7fffa160d530, next = 0x55a34d1d6408}, notify = 0x7fd3e69625c0 <handle_noop>}
#3  0x00007fd3e692f081 in resume_device (msg=<optimized out>, userdata=0x55a34d1d6400, ret_error=<optimized out>)
    at ../backend/session/logind.c:323
        dev = 0x55a34d1dd380
        session = 0x55a34d1d6400
        ret = <optimized out>
        fd = 30
        major = 226
        minor = 0
#4  0x00007fd3e5d9d642 in  () at /usr/lib/libsystemd.so.0
#5  0x00007fd3e5d9d184 in  () at /usr/lib/libsystemd.so.0
#6  0x00007fd3e5d9d15d in  () at /usr/lib/libsystemd.so.0
#7  0x00007fd3e5d9d184 in  () at /usr/lib/libsystemd.so.0
#8  0x00007fd3e5d9d15d in  () at /usr/lib/libsystemd.so.0
#9  0x00007fd3e5d9d184 in  () at /usr/lib/libsystemd.so.0
#10 0x00007fd3e5d9d15d in  () at /usr/lib/libsystemd.so.0
#11 0x00007fd3e5d9d184 in  () at /usr/lib/libsystemd.so.0
#12 0x00007fd3e5d9d15d in  () at /usr/lib/libsystemd.so.0
#13 0x00007fd3e5d9d184 in  () at /usr/lib/libsystemd.so.0
#14 0x00007fd3e5d9d2da in  () at /usr/lib/libsystemd.so.0
#15 0x00007fd3e5d9d4de in  () at /usr/lib/libsystemd.so.0
#16 0x00007fd3e5dccb88 in  () at /usr/lib/libsystemd.so.0
#17 0x00007fd3e5dd5de3 in  () at /usr/lib/libsystemd.so.0
#18 0x00007fd3e692ece3 in dbus_event (fd=<optimized out>, mask=<optimized out>, data=0x55a34d1d49d0)
    at ../backend/session/logind.c:487
        bus = 0x55a34d1d49d0
#19 0x00007fd3e69a67f2 in wl_event_loop_dispatch () at /usr/lib/libwayland-server.so.0
#20 0x00007fd3e69a539c in wl_display_run () at /usr/lib/libwayland-server.so.0
#21 0x000055a34bd83583 in main (argc=2, argv=0x7fffa160e2a8) at ../sway/sway/main.c:402
        verbose = 0
        debug = 1
        validate = 0
        allow_unsupported_gpu = 0
        long_options =
            {{name = 0x55a34bdcb4db "help", has_arg = 0, flag = 0x0, val = 104}, {name = 0x55a34bdce415 "config", has_arg = 1,flag = 0x0, val = 99}, {name = 0x55a34bdcb4e0 "validate", has_arg = 0, flag = 0x0, val = 67}, {name = 0x55a34bdcb4e9 "debug", has_arg = 0, flag = 0x0, val = 100}, {name = 0x55a34bdcb43f "version", has_arg = 0, flag = 0x0, val = 118}, {name = 0x55a34bdca5df "verbose", has_arg = 0, flag = 0x0, val = 86}, {name = 0x55a34bdcb4ef "get-socketpath", has_arg = 0, flag = 0x0, val = 112}, {name = 0x55a34bdcb4fe "unsupported-gpu", has_arg = 0, flag = 0x0, val = 117}, {name = 0x55a34bdcb50e "my-next-gpu-wont-be-nvidia", has_arg = 0, flag = 0x0, val = 117}, {name = 0x0, has_arg = 0, flag = 0x0, val = 0}}
        config_path = 0x0
        usage = 0x55a34bdcb840 "Usage: sway [options] [command]\n\n  -h, --help", ' ' <repeats 13 times>, "Show help message and quit.\n  -c, --config <config>  Specify a config file.\n  -C, --validate         Check the validity of the config file, th"...
        c = <optimized out>

with the following logs:

2019-10-25 13:39:18 - [backend/drm/backend.c:90] DRM fd resumed
2019-10-25 13:39:18 - [backend/drm/drm.c:1217] Scanning DRM connectors
2019-10-25 13:39:19 - [backend/drm/drm.c:1050] Reallocating CRTCs
2019-10-25 13:39:19 - [backend/drm/drm.c:1061] State before reallocation:
2019-10-25 13:39:19 - [backend/drm/drm.c:1067]   'eDP-1' crtc=0 state=3 desired_enabled=1
2019-10-25 13:39:19 - [backend/drm/drm.c:1067]   'DP-1' crtc=-1 state=0 desired_enabled=0
2019-10-25 13:39:19 - [backend/drm/drm.c:1067]   'HDMI-A-1' crtc=-1 state=0 desired_enabled=0
2019-10-25 13:39:19 - [backend/drm/drm.c:1067]   'DP-2' crtc=-1 state=0 desired_enabled=0
2019-10-25 13:39:19 - [backend/drm/drm.c:1067]   'DP-3' crtc=1 state=3 desired_enabled=1
2019-10-25 13:39:19 - [backend/drm/drm.c:1067]   'DP-4' crtc=2 state=1 desired_enabled=1
2019-10-25 13:39:19 - [backend/drm/drm.c:1067]   'DP-5' crtc=-1 state=0 desired_enabled=0
2019-10-25 13:39:19 - [backend/drm/drm.c:1119] State after reallocation:
2019-10-25 13:39:19 - [backend/drm/drm.c:1126]   'eDP-1' crtc=0 state=3 desired_enabled=1
2019-10-25 13:39:19 - [backend/drm/drm.c:1126]   'DP-1' crtc=-1 state=0 desired_enabled=0
2019-10-25 13:39:19 - [backend/drm/drm.c:1126]   'HDMI-A-1' crtc=-1 state=0 desired_enabled=0
2019-10-25 13:39:19 - [backend/drm/drm.c:1126]   'DP-2' crtc=-1 state=0 desired_enabled=0
2019-10-25 13:39:19 - [backend/drm/drm.c:1126]   'DP-3' crtc=1 state=3 desired_enabled=1
2019-10-25 13:39:19 - [backend/drm/drm.c:1126]   'DP-4' crtc=2 state=1 desired_enabled=1
2019-10-25 13:39:19 - [backend/drm/drm.c:1126]   'DP-5' crtc=-1 state=0 desired_enabled=0
2019-10-25 13:39:19 - [backend/drm/drm.c:652] Modesetting 'eDP-1' with '1920x1080@60012 mHz'
2019-10-25 13:39:19 - [backend/drm/drm.c:548] Initializing renderer on connector 'eDP-1'
2019-10-25 13:39:19 - [backend/drm/atomic.c:56] eDP-1: Atomic commit failed (modeset): Invalid argument
2019-10-25 13:39:19 - [backend/drm/drm.c:567] Page-flip failed with primary FB modifiers enabled, retrying without modifiers
2019-10-25 13:39:19 - [backend/drm/drm.c:652] Modesetting 'DP-3' with '2560x1440@59951 mHz'
2019-10-25 13:39:19 - [backend/drm/drm.c:548] Initializing renderer on connector 'DP-3'
2019-10-25 13:39:19 - [backend/drm/atomic.c:56] DP-3: Atomic commit failed (modeset): Invalid argument
2019-10-25 13:39:19 - [backend/drm/drm.c:567] Page-flip failed with primary FB modifiers enabled, retrying without modifiers
[298 13:39:19.477937] [glfw error 65544]: Wayland: fatal display error: Broken pipe
[298 13:39:19.477978] [glfw error 65544]: Wayland: fatal display error: Broken pipe
[298 13:39:19.477992] [298 13:39:19.477999] No render frame received in 0.250000 seconds, re-requesting at: 216.028388
No render frame received in 0.250000 seconds, re-requesting at: 253.880846
[2019-10-25 13:39:19.478] [error] Workspaces: Unable to receive IPC header
[2019-10-25 13:39:19.478] [error] Workspaces: Unable to receive IPC header
[2019-10-25 13:39:19.478] [error] Workspaces: Unable to receive IPC header
[2019-10-25 13:39:19.478] [error] Workspaces: Unable to receive IPC header
[2019-10-25 13:39:19.478] [error] Workspaces: Unable to receive IPC header
[2019-10-25 13:39:19.478] [error] Workspaces: Unable to receive IPC header
[2019-10-25 13:39:19.478] [error] Workspaces: Unable to receive IPC header
[2019-10-25 13:39:19.478] [error] Workspaces: Unable to receive IPC header
[2019-10-25 13:39:19.478] [error] Workspaces: Unable to receive IPC header
[2019-10-25 13:39:19.478] [error] Workspaces: Unable to receive IPC header
[2019-10-25 13:39:19.478] [error] Workspaces: Unable to receive IPC header
[2019-10-25 13:39:19.478] [error] Workspaces: Unable to receive IPC header
[2019-10-25 13:39:19.478] [error] Workspaces: Unable to receive IPC header
[2019-10-25 13:39:19.478] [error] Workspaces: Unable to receive IPC header
[2019-10-25 13:39:19.478] [error] Workspaces: Unable to receive IPC header
...
Gdk-Message: 13:39:19.479: Error reading events from display: Broken pipe
(EE) failed to read Wayland events: Broken pipe
[298 13:39:19.480451] No render frame received in 0.250000 seconds, re-requesting at: 842.350226
[298 13:39:19.480485] [glfw error 65544]: Wayland: fatal display error: Broken pipe
[298 13:39:19.480567] [glfw error 65544]: Wayland: fatal display error: Broken pipe
[298 13:39:19.480587] No render frame received in 0.250000 seconds, re-requesting at: 562.474622

The text was updated successfully, but these errors were encountered:

emersion · 2019-10-27T09:52:23Z

Can you compile manually to disable optimizations?

Compiling with ASan (meson build/ -Db_sanitize=address) may help too.

KenMacD · 2019-10-28T02:54:21Z

Sure!

#8  0x00007fb065a0098f in drm_connector_set_mode (output=0x61800000ac80, wlr_mode=0x0) at ../backend/drm/drm.c:653
        conn = 0x61800000ac80
        drm = 0x613000004800
        mode = 0x62300005f900
#9  0x00007fb0659facdf in session_signal (listener=0x613000004890, data=0x614000000040) at ../backend/drm/backend.c:96
        plane = 0x611000002fc0
        conn = 0x61800000ac80
        drm = 0x613000004800
        session = 0x614000000040
#10 0x00007fb065ad89af in wlr_signal_emit_safe (signal=0x614000000048, data=0x614000000040) at ../util/signal.c:29
        pos = 0x613000004890
        l = 0x613000004890
        cursor = {link = {prev = 0x613000004890, next = 0x7ffcb97b4490}, notify = 0x7fb065ad8768 <handle_noop>}
        end = {link = {prev = 0x7ffcb97b4450, next = 0x614000000048}, notify = 0x7fb065ad8768 <handle_noop>}
#11 0x00007fb065a32ee7 in resume_device (msg=0x61800004e880, userdata=0x614000000040, ret_error=0x7ffcb97b4630) at ../backend/session/logind.c:323
        dev = 0x604000001910
        session = 0x614000000040
        ret = 1
        fd = 30
        major = 226
        minor = 0
#12 0x00007fb064c12642 in  () at /usr/lib/libsystemd.so.0
#13 0x00007fb064c12184 in  () at /usr/lib/libsystemd.so.0
#14 0x00007fb064c1215d in  () at /usr/lib/libsystemd.so.0
#15 0x00007fb064c12184 in  () at /usr/lib/libsystemd.so.0
#16 0x00007fb064c1215d in  () at /usr/lib/libsystemd.so.0
#17 0x00007fb064c12184 in  () at /usr/lib/libsystemd.so.0
#18 0x00007fb064c1215d in  () at /usr/lib/libsystemd.so.0
#19 0x00007fb064c12184 in  () at /usr/lib/libsystemd.so.0
#20 0x00007fb064c1215d in  () at /usr/lib/libsystemd.so.0
#21 0x00007fb064c12184 in  () at /usr/lib/libsystemd.so.0
#22 0x00007fb064c122da in  () at /usr/lib/libsystemd.so.0
#23 0x00007fb064c124de in  () at /usr/lib/libsystemd.so.0
#24 0x00007fb064c41b88 in  () at /usr/lib/libsystemd.so.0
#25 0x00007fb064c4ade3 in  () at /usr/lib/libsystemd.so.0
#26 0x00007fb065a33e7a in dbus_event (fd=4, mask=1, data=0x61c000000080) at ../backend/session/logind.c:485
        bus = 0x61c000000080
#27 0x00007fb065b8b7f2 in wl_event_loop_dispatch () at /usr/lib/libwayland-server.so.0
#28 0x00007fb065b8a39c in wl_display_run () at /usr/lib/libwayland-server.so.0
#29 0x0000563f6cc49583 in main (argc=1, argv=0x7ffcb97b52f8) at ../sway/sway/main.c:402
        verbose = 0
        debug = 0
        validate = 0
        allow_unsupported_gpu = 0
        long_options =
            {{name = 0x563f6cc914db "help", has_arg = 0, flag = 0x0, val = 104}, {name = 0x563f6cc94415 "config", has_arg = 1, flag = 0x0, val = 99}, {name = 0x563f6cc914e0 "validate", has_arg = 0, flag = 0x0, val = 67}, {name = 0x563f6cc914e9 "debug", has_arg = 0, flag = 0x0, val = 100}, {name = 0x563f6cc9143f "version", has_arg = 0, flag = 0x0, val = 118}, {name = 0x563f6cc905df "verbose", has_arg = 0, flag = 0x0, val = 86}, {name = 0x563f6cc914ef "get-socketpath", has_arg = 0, flag = 0x0, val = 112}, {name = 0x563f6cc914fe "unsupported-gpu", has_arg = 0, flag = 0x0, val = 117}, {name = 0x563f6cc9150e "my-next-gpu-wont-be-nvidia", has_arg = 0, flag = 0x0, val = 117}, {name = 0x0, has_arg = 0, flag = 0x0, val = 0}}
        config_path = 0x0
        usage = 0x563f6cc91840 "Usage: sway [options] [command]\n\n  -h, --help", ' ' <repeats 13 times>, "Show help message and quit.\n  -c, --config <config>  Specify a config file.\n  -C,--validate         Check the validity of the config file, th"...
        c = <optimized out>

When surf->gbm was previously set, we destroy it without setting it to NULL. Later on, we only create the GBM surface if surf->gbm is NULL. This result in a use-after-free when we start using surf->gbm. Closes: swaywm#1868 Closes: swaywm#1874 Closes: swaywm/sway#4785 Closes: swaywm/sway#4717 Closes: swaywm/sway#4730 Fixes: 2bdd1d0 ("backend/drm: use modifiers for our GBM buffers")

When surf->gbm was previously set, we destroy it without setting it to NULL. Later on, we only create the GBM surface if surf->gbm is NULL. This result in a use-after-free when we start using surf->gbm. Closes: #1868 Closes: #1874 Closes: swaywm/sway#4785 Closes: swaywm/sway#4717 Closes: swaywm/sway#4730 Fixes: 2bdd1d0 ("backend/drm: use modifiers for our GBM buffers")

KenMacD · 2019-12-10T16:49:32Z

@emersion & @ddevault this issue does not seem to be fixed. It still occurs if I switch between terminal 2 and back.

KenMacD · 2019-12-17T17:56:28Z

@emersion I'm sure it's not the correct solution, but adding a wlr_output_update_enabled(&conn->output, false) to https://github.com/swaywm/wlroots/blob/master/backend/drm/drm.c#L660 at least fixes the crash on my machine.

When I start sway with this I still have the second external monitor turn on and display essentially garbage (the last terminal output), but then switching back and forth between virtual terminals stops sending output to the second external monitor (the way it probably should be).

I'm thinking there's an issue with properly cleaning up this input when there's a failure in drm_connector_init_renderer (and probably also a bug causing that to fail, but even if it does it should be cleaned up).

When surf->gbm was previously set, we destroy it without setting it to NULL. Later on, we only create the GBM surface if surf->gbm is NULL. This result in a use-after-free when we start using surf->gbm. Closes: swaywm#1868 Closes: swaywm#1874 Closes: swaywm/sway#4785 Closes: swaywm/sway#4717 Closes: swaywm/sway#4730 Fixes: 2bdd1d0 ("backend/drm: use modifiers for our GBM buffers")

This fixes a segfault in drm_connector_set_mode (mode = NULL). This happens because we set wlr_output.enabled to true if the connector is attached to the CRTC. When the user disables an output in the wlroots-based compositor, switches to another VT (enabling the output), then switches back, wlroots sets wlr_output.enabled to true but wlr_output.current_mode is NULL. We should consider not reading properties from KMS after a TTY switch, disabling all connectors. However this may result in flickering (outputs being disabled then re-enabled). Closes: swaywm#1874

emersion · 2019-12-29T10:00:55Z

Can you try #1971?

This fixes a segfault in drm_connector_set_mode (mode = NULL). This happens because we set wlr_output.enabled to true if the connector is attached to the CRTC. When the user disables an output in the wlroots-based compositor, switches to another VT (enabling the output), then switches back, wlroots sets wlr_output.enabled to true but wlr_output.current_mode is NULL. We should consider not reading properties from KMS after a TTY switch, disabling all connectors. However this may result in flickering (outputs being disabled then re-enabled). Closes: #1874

KenMacD · 2019-12-31T15:43:02Z

@emersion I can confirm that the segfault issue is fixed. This still an issue with the second monitor not starting correctly, and a difference in what that monitor shows depending if it's plugged in to start with or after starting sway, but no crashes either way. Thank you!

When surf->gbm was previously set, we destroy it without setting it to NULL. Later on, we only create the GBM surface if surf->gbm is NULL. This result in a use-after-free when we start using surf->gbm. Closes: swaywm#1868 Closes: swaywm#1874 Closes: swaywm/sway#4785 Closes: swaywm/sway#4717 Closes: swaywm/sway#4730 Fixes: 2bdd1d0 ("backend/drm: use modifiers for our GBM buffers")

This fixes a segfault in drm_connector_set_mode (mode = NULL). This happens because we set wlr_output.enabled to true if the connector is attached to the CRTC. When the user disables an output in the wlroots-based compositor, switches to another VT (enabling the output), then switches back, wlroots sets wlr_output.enabled to true but wlr_output.current_mode is NULL. We should consider not reading properties from KMS after a TTY switch, disabling all connectors. However this may result in flickering (outputs being disabled then re-enabled). Closes: swaywm#1874

emersion added the backend/drm label Oct 26, 2019

emersion mentioned this issue Dec 5, 2019

backend/drm: fix segfault in init_drm_surface #1944

Merged

ddevault closed this as completed in #1944 Dec 5, 2019

emersion reopened this Dec 10, 2019

emersion mentioned this issue Dec 29, 2019

backend/drm: don't modeset with a NULL mode after TTY switch #1971

Merged

ddevault closed this as completed in #1971 Dec 30, 2019

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Segfault in `drm_connector_set_mode` #1874

Segfault in `drm_connector_set_mode` #1874

KenMacD commented Oct 25, 2019

emersion commented Oct 27, 2019

KenMacD commented Oct 28, 2019

KenMacD commented Dec 10, 2019

KenMacD commented Dec 17, 2019

emersion commented Dec 29, 2019

KenMacD commented Dec 31, 2019

Segfault in drm_connector_set_mode #1874

Segfault in drm_connector_set_mode #1874

Comments

KenMacD commented Oct 25, 2019

emersion commented Oct 27, 2019

KenMacD commented Oct 28, 2019

KenMacD commented Dec 10, 2019

KenMacD commented Dec 17, 2019

emersion commented Dec 29, 2019

KenMacD commented Dec 31, 2019

Segfault in `drm_connector_set_mode` #1874

Segfault in `drm_connector_set_mode` #1874