After upgrade April 5th Xserver crashes when launching Java #1
Comments
komar007 pushed a commit to komar007/xserver that referenced this issue Jul 19, 2024

Direct leak of 1080 byte(s) in 3 object(s) allocated from:
    #0 0x7f00a4ed8cc7 in calloc (/lib64/libasan.so.8+0xd8cc7) (BuildId: 6f17f87dc4c1aa9f9dde7c4856604c3a25ba4872)
    #1 0x59f740 in InitGestureClassDeviceStruct ../dix/devices.c:1692
    #2 0x418a0b in xwl_pointer_proc_pointer_gestures ../hw/xwayland/xwayland-input.c:325
    #3 0x598e5c in ActivateDevice ../dix/devices.c:578
    #4 0x420207 in init_pointer_gestures_device ../hw/xwayland/xwayland-input.c:1677
    #5 0x420bf1 in seat_handle_capabilities ../hw/xwayland/xwayland-input.c:1801
    #6 0x7f00a4145055 in ffi_call_unix64 (/lib64/libffi.so.8+0x9055) (BuildId: 308041eea4a8d89d9265d3c24b7261dfbe44a61e)

Acked-by: Olivier Fourdan <[email protected]>
komar007 pushed a commit to komar007/xserver that referenced this issue Jul 19, 2024

Direct leak of 960 byte(s) in 6 object(s) allocated from:
    #0 0x7f00a4ed8cc7 in calloc (/lib64/libasan.so.8+0xd8cc7) (BuildId: 6f17f87dc4c1aa9f9dde7c4856604c3a25ba4872)
    #1 0x994944 in _XkbNextFreeFilter ../xkb/xkbActions.c:1142
    #2 0x9971b3 in SrvXkbLatchModifiers ../xkb/xkbActions.c:1452
    #3 0x41dec7 in keyboard_handle_modifiers ../hw/xwayland/xwayland-input.c:1211
    #4 0x7f00a4145055 in ffi_call_unix64 (/lib64/libffi.so.8+0x9055) (BuildId: 308041eea4a8d89d9265d3c24b7261dfbe44a61e)

Acked-by: Olivier Fourdan <[email protected]>
komar007 pushed a commit to komar007/xserver that referenced this issue Jul 19, 2024

ProcRenderAddGlyphs() adds the glyph to the glyphset using AddGlyph() and then frees it using FreeGlyph() to decrease the reference count, after AddGlyph() has increased it.

AddGlyph() however may choose to reuse an existing glyph if it's already in the glyphSet, and free the glyph that was given, in which case the caller function, ProcRenderAddGlyphs() will call FreeGlyph() on an already freed glyph, as reported by ASan:

READ of size 4 thread T0
    #0 in FreeGlyph xserver/render/glyph.c:252
    #1 in ProcRenderAddGlyphs xserver/render/render.c:1174
    #2 in Dispatch xserver/dix/dispatch.c:546
    #3 in dix_main xserver/dix/main.c:271
    #4 in main xserver/dix/stubmain.c:34
    #5 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
    #6 in __libc_start_main_impl ../csu/libc-start.c:360
    #7 (/usr/bin/Xwayland+0x44fe4)
Address is located 0 bytes inside of 64-byte region
freed by thread T0 here:
    #0 in __interceptor_free libsanitizer/asan/asan_malloc_linux.cpp:52
    #1 in _dixFreeObjectWithPrivates xserver/dix/privates.c:538
    #2 in AddGlyph xserver/render/glyph.c:295
    #3 in ProcRenderAddGlyphs xserver/render/render.c:1173
    #4 in Dispatch xserver/dix/dispatch.c:546
    #5 in dix_main xserver/dix/main.c:271
    #6 in main xserver/dix/stubmain.c:34
    #7 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
previously allocated by thread T0 here:
    #0 in __interceptor_malloc libsanitizer/asan/asan_malloc_linux.cpp:69
    #1 in AllocateGlyph xserver/render/glyph.c:355
    #2 in ProcRenderAddGlyphs xserver/render/render.c:1085
    #3 in Dispatch xserver/dix/dispatch.c:546
    #4 in dix_main xserver/dix/main.c:271
    #5 in main xserver/dix/stubmain.c:34
    #6 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
SUMMARY: AddressSanitizer: heap-use-after-free xserver/render/glyph.c:252 in FreeGlyph

To avoid that, make sure not to free the given glyph in AddGlyph().

v2: Simplify the test using the boolean returned from AddGlyph() (Michel)
v3: Simplify even more by not freeing the glyph in AddGlyph() (Peter)

Fixes: bdca6c3 - render: fix refcounting of glyphs during ProcRenderAddGlyphs
Closes: https://gitlab.freedesktop.org/xorg/xserver/-/issues/1659
Signed-off-by: Olivier Fourdan <[email protected]>
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1476>
komar007 pushed a commit to komar007/xserver that referenced this issue Jul 19, 2024

This fixes access to freed heap memory via dev->master. E.g. when running BarrierNotify.ReceivesNotifyEvents/7 test from xorg-integration-tests:

==24736==ERROR: AddressSanitizer: heap-use-after-free on address 0x619000065020 at pc 0x55c450e2b9cf bp 0x7fffc532fd20 sp 0x7fffc532fd10
READ of size 4 at 0x619000065020 thread T0
    #0 0x55c450e2b9ce in GetMaster ../../../dix/devices.c:2722
    #1 0x55c450e9d035 in IsFloating ../../../dix/events.c:346
    #2 0x55c4513209c6 in GetDeviceUse ../../../Xi/xiquerydevice.c:525
    ../../../Xi/xichangehierarchy.c:95
    #4 0x55c450e3455c in RemoveDevice ../../../dix/devices.c:1204
    ../../../hw/xfree86/common/xf86Xinput.c:1142
    #6 0x55c450e17b04 in CloseDeviceList ../../../dix/devices.c:1038
    #7 0x55c450e1de85 in CloseDownDevices ../../../dix/devices.c:1068
    #8 0x55c450e837ef in dix_main ../../../dix/main.c:302
    #9 0x55c4517a8d93 in main ../../../dix/stubmain.c:34
    (/lib/x86_64-linux-gnu/libc.so.6+0x28564)
    #11 0x55c450d0113d in _start (/usr/lib/xorg/Xorg+0x117713d)

0x619000065020 is located 160 bytes inside of 912-byte region [0x619000064f80,0x619000065310)
freed by thread T0 here:
    (/usr/lib/x86_64-linux-gnu/libasan.so.5+0x10d7cf)
    #1 0x55c450e19f1c in CloseDevice ../../../dix/devices.c:1014
    #2 0x55c450e343a4 in RemoveDevice ../../../dix/devices.c:1186
    ../../../hw/xfree86/common/xf86Xinput.c:1142
    #4 0x55c450e17b04 in CloseDeviceList ../../../dix/devices.c:1038
    #5 0x55c450e1de85 in CloseDownDevices ../../../dix/devices.c:1068
    #6 0x55c450e837ef in dix_main ../../../dix/main.c:302
    #7 0x55c4517a8d93 in main ../../../dix/stubmain.c:34
    (/lib/x86_64-linux-gnu/libc.so.6+0x28564)

previously allocated by thread T0 here:
    (/usr/lib/x86_64-linux-gnu/libasan.so.5+0x10ddc6)
    #1 0x55c450e1c57b in AddInputDevice ../../../dix/devices.c:259
    #2 0x55c450e34840 in AllocDevicePair ../../../dix/devices.c:2755
    #3 0x55c45130318f in add_master ../../../Xi/xichangehierarchy.c:152
    ../../../Xi/xichangehierarchy.c:465
    #5 0x55c4512cb9f5 in ProcIDispatch ../../../Xi/extinit.c:390
    #6 0x55c450e6a92b in Dispatch ../../../dix/dispatch.c:551
    #7 0x55c450e834b7 in dix_main ../../../dix/main.c:272
    #8 0x55c4517a8d93 in main ../../../dix/stubmain.c:34
    (/lib/x86_64-linux-gnu/libc.so.6+0x28564)

The problem is caused by dev->master not being reset when disabling the device, which then causes a dangling pointer when the master device itself is being deleted when exiting the whole server.

Note that RecalculateMasterButtons() requires dev->master to be still valid, so we can reset it only at the end of the function.

Signed-off-by: Povilas Kanapickas <[email protected]>
(cherry picked from commit 1801fe0)
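The ordering constraint in the commit message above, shown as an added example that is not xserver code: the master pointer is cleared only after the recalculation that still needs it. The type `device_t`, the functions and the button counts are hypothetical stand-ins, and a `live` flag replaces real heap frees so the stale read is counted rather than executed.

```c
#include <stdio.h>

/* Simplified model, not xserver code. "live" stands in for heap state so
 * a read through a dangling pointer is counted instead of executed. */
typedef struct device {
    int live, buttons;
    struct device *master;          /* NULL when the device is floating */
} device_t;

static int stale_reads;             /* what ASan would flag */

/* Stand-in for RecalculateMasterButtons(): needs a valid dev->master. */
static void recalc_master_buttons(device_t *dev) {
    if (dev->master && dev->master->live)
        dev->master->buttons -= dev->buttons;
}

static void disable_device(device_t *dev, int reset_master) {
    recalc_master_buttons(dev);     /* must see the old master */
    if (reset_master)
        dev->master = NULL;         /* the fix: reset as the last step */
}

/* Any later query about the device follows dev->master. */
static int is_floating(const device_t *dev) {
    if (dev->master && !dev->master->live) { stale_reads++; return 0; }
    return dev->master == NULL;
}

/* Server exit as the commit message describes it: the device is disabled,
 * its master is deleted, then the device itself is removed and queried. */
static int shutdown_sequence(int reset_master, int *master_buttons) {
    device_t master = { .live = 1, .buttons = 3 };   /* constructed values */
    device_t slave  = { .live = 1, .buttons = 3, .master = &master };
    stale_reads = 0;
    disable_device(&slave, reset_master);
    *master_buttons = master.buttons;   /* recalculation did run */
    master.live = 0;                    /* master device freed */
    (void)is_floating(&slave);          /* query during removal */
    return stale_reads;
}

int main(void) {
    int b;
    printf("no reset: %d stale reads\n", shutdown_sequence(0, &b));
    printf("reset:    %d stale reads\n", shutdown_sequence(1, &b));
    return 0;
}
```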
komar007 pushed a commit to komar007/xserver that referenced this issue Jul 19, 2024

ProcRenderAddGlyphs() adds the glyph to the glyphset using AddGlyph() and then frees it using FreeGlyph() to decrease the reference count, after AddGlyph() has increased it.

AddGlyph() however may choose to reuse an existing glyph if it's already in the glyphSet, and free the glyph that was given, in which case the caller function, ProcRenderAddGlyphs() will call FreeGlyph() on an already freed glyph, as reported by ASan:

READ of size 4 thread T0
    #0 in FreeGlyph xserver/render/glyph.c:252
    #1 in ProcRenderAddGlyphs xserver/render/render.c:1174
    #2 in Dispatch xserver/dix/dispatch.c:546
    #3 in dix_main xserver/dix/main.c:271
    #4 in main xserver/dix/stubmain.c:34
    #5 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
    #6 in __libc_start_main_impl ../csu/libc-start.c:360
    #7 (/usr/bin/Xwayland+0x44fe4)
Address is located 0 bytes inside of 64-byte region
freed by thread T0 here:
    #0 in __interceptor_free libsanitizer/asan/asan_malloc_linux.cpp:52
    #1 in _dixFreeObjectWithPrivates xserver/dix/privates.c:538
    #2 in AddGlyph xserver/render/glyph.c:295
    #3 in ProcRenderAddGlyphs xserver/render/render.c:1173
    #4 in Dispatch xserver/dix/dispatch.c:546
    #5 in dix_main xserver/dix/main.c:271
    #6 in main xserver/dix/stubmain.c:34
    #7 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
previously allocated by thread T0 here:
    #0 in __interceptor_malloc libsanitizer/asan/asan_malloc_linux.cpp:69
    #1 in AllocateGlyph xserver/render/glyph.c:355
    #2 in ProcRenderAddGlyphs xserver/render/render.c:1085
    #3 in Dispatch xserver/dix/dispatch.c:546
    #4 in dix_main xserver/dix/main.c:271
    #5 in main xserver/dix/stubmain.c:34
    #6 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
SUMMARY: AddressSanitizer: heap-use-after-free xserver/render/glyph.c:252 in FreeGlyph

To avoid that, make sure not to free the given glyph in AddGlyph().

v2: Simplify the test using the boolean returned from AddGlyph() (Michel)
v3: Simplify even more by not freeing the glyph in AddGlyph() (Peter)

Fixes: bdca6c3 - render: fix refcounting of glyphs during ProcRenderAddGlyphs
Closes: https://gitlab.freedesktop.org/xorg/xserver/-/issues/1659
Signed-off-by: Olivier Fourdan <[email protected]>
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1476>
(cherry picked from commit 337d8d4)
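The reference-counting mistake described in the two glyph commit messages above, as an added example that is not xserver code: a callee that frees the caller's object when it reuses an existing one, next to the variant that leaves the release to the caller. The names `glyph_t`, `add_glyph`, `free_glyph` and the hash value are hypothetical, and a fixed pool with a `live` flag replaces the heap so the stale access is counted rather than executed.

```c
#include <stdio.h>
#include <string.h>

/* Simplified model, not xserver code: a fixed pool with a "live" flag
 * stands in for the heap, so a stale access is counted, not executed. */
typedef struct { int live; int refcnt; unsigned hash; } glyph_t;
static glyph_t pool[8], *set_slot[4];   /* heap stand-in; set: id -> glyph */
static int used, stale_accesses;        /* stale_accesses: what ASan flags */

static glyph_t *alloc_glyph(unsigned hash) {
    glyph_t *g = &pool[used++];
    *g = (glyph_t){ .live = 1, .refcnt = 1, .hash = hash };
    return g;                           /* caller owns one reference */
}

/* Drop one reference; release the storage when the count reaches zero. */
static void free_glyph(glyph_t *g) {
    if (!g->live) { stale_accesses++; return; }   /* use after free */
    if (--g->refcnt == 0) g->live = 0;
}

/* free_given = 1 models the behaviour the commit message describes. */
static void add_glyph(glyph_t *g, int id, int free_given) {
    for (int i = 0; i < 4; i++)
        if (set_slot[i] && set_slot[i]->hash == g->hash) {
            if (free_given) g->live = 0;   /* callee frees caller's glyph */
            g = set_slot[i];               /* reuse the existing glyph */
            break;
        }
    g->refcnt++;                           /* reference held by the set */
    set_slot[id] = g;
}

/* Caller pattern: allocate, add, then drop the caller's own reference. */
static int upload_same_glyph_twice(int free_given) {
    memset(pool, 0, sizeof pool);
    memset(set_slot, 0, sizeof set_slot);
    used = stale_accesses = 0;
    for (int id = 0; id < 2; id++) {
        glyph_t *g = alloc_glyph(0xabcd);  /* constructed hash value */
        add_glyph(g, id, free_given);
        free_glyph(g);                     /* stale if callee freed g */
    }
    return stale_accesses;
}

int main(void) {
    printf("old=%d fixed=%d\n", upload_same_glyph_twice(1), upload_same_glyph_twice(0));
    return 0;
}
```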
After upgrading XServer Java application crashes Xserver, need to re-login
Linux Mint Xfce4, Jammy
Kernel: 5.15.0-101-generic x86_64 bits: 64 compiler: gcc v: 11.4.0 Desktop: Xfce 4.18.1
tk: Gtk 3.24.33 info: xfce4-panel wm: xfwm 4.18.0 vt: 7 dm: LightDM 1.30.0
Distro: Linux Mint 21.3 Virginia base: Ubuntu 22.04 jammy
Investigated with Internet searches and made changes to system and software
The Xserver upgrade of April 5th 2024
    2024-04-05 09:19:49 upgrade xserver-common:all 2:21.1.4-2ubuntu1.7~22.04.8 2:21.1.4-2ubuntu1.7~22.04.9
    2024-04-05 09:19:50 upgrade xserver-xephyr:amd64 2:21.1.4-2ubuntu1.7~22.04.8 2:21.1.4-2ubuntu1.7~22.04.9
    2024-04-05 09:19:50 upgrade xserver-xorg-legacy:amd64 2:21.1.4-2ubuntu1.7~22.04.8 2:21.1.4-2ubuntu1.7~22.04.9
    2024-04-05 09:19:50 upgrade xserver-xorg-core:amd64 2:21.1.4-2ubuntu1.7~22.04.8 2:21.1.4-2ubuntu1.7~22.04.9
Rolled back all updates/upgrades since crash with Synaptic, Force version, and found that issue is now gone
(Using Nvidia 535 on GTK 1060, this module wasn't changed. Guess drivers like ATI and Radeon don't matter)
The error will be somewhere in
By the way: can't subscribe to Xorg mailing list due to Recaptcha issues, tried 2 browsers.
Hope anyone picks up this "Message in a bottle"
Cheers