[Mesa-dev] [Bug 91098] vmwgfx null ptr dereference at vmw_screen_ioctl.c:76 due to ioctl failure

bugzilla-daemon at freedesktop.org bugzilla-daemon at freedesktop.org
Wed Jun 24 13:23:36 PDT 2015 

https://bugs.freedesktop.org/show_bug.cgi?id=91098

            Bug ID: 91098
           Summary: vmwgfx null ptr dereference at vmw_screen_ioctl.c:76
                    due to ioctl failure
           Product: Mesa
           Version: 10.6
          Hardware: Other
                OS: All
            Status: NEW
          Severity: normal
          Priority: medium
         Component: Other
          Assignee: mesa-dev at lists.freedesktop.org
          Reporter: freedesktop at pargon.nl
        QA Contact: mesa-dev at lists.freedesktop.org

I'm experiencing occasional crashes of gnome-shell (3.16) due to failed ioctls
requested by Mesa's vmware DRI backend.

Any pointers on where I should take the apparent root issue would be
appreciated - I have no idea whether Mesa or the kernel driver is at fault for
the ioctl failing in the first place.

Kernel logs (v4.0.5) report an ioctl failure:

[15949.294396] [drm:vmw_generic_ioctl [vmwgfx]] *ERROR* Dropped master trying
to access ioctl that requires authentication.
[15949.294400] [drm] IOCTL ERROR Command 65, Error -13.
[15949.296209] [drm:vmw_generic_ioctl [vmwgfx]] *ERROR* Dropped master trying
to access ioctl that requires authentication.
[15949.296214] [drm] IOCTL ERROR Command 65, Error -13.
[15949.296468] [drm:vmw_generic_ioctl [vmwgfx]] *ERROR* Dropped master trying
to access ioctl that requires authentication.
[15949.296470] [drm] IOCTL ERROR Command 87, Error -13.
[15949.296478] gnome-shell[337]: segfault at 20 ip 00007ff502cb4680 sp
00007ffeaeea96e8 error 4 in vmwgfx_dri.so[7ff50293f000+506000]

Followed by a crash of gnome-shell, due to an apparent null pointer
dereference:

Core was generated by `gnome-shell --mode=gdm --wayland --display-server'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0  vmw_region_size (region=0x0) at vmw_screen_ioctl.c:76
76       return region->size;
(gdb) bt
#0  vmw_region_size (region=0x0) at vmw_screen_ioctl.c:76
#1  0x00007ff502cb65cc in vmw_svga_winsys_surface_create (sws=0x145aaa0,
flags=(SVGA3D_SURFACE_HINT_TEXTURE | SVGA3D_SURFACE_HINT_RENDERTARGET),
format=SVGA3D_A8R8G8B8, usage=0, size=..., numFaces=1, 
    numMipLevels=1) at vmw_screen_svga.c:222
#2  0x00007ff502cc0d46 in svga_screen_surface_create
(svgascreen=svgascreen at entry=0x145b9c0, key=key at entry=0x1cc8c90) at
svga_screen_cache.c:449
#3  0x00007ff502cbf810 in svga_texture_create (screen=0x145b9c0,
template=0x7ffeaeea9840) at svga_resource_texture.c:729
#4  0x00007ff502b0797b in st_texture_create (st=st at entry=0x1536270,
target=<optimized out>, format=format at entry=PIPE_FORMAT_B8G8R8A8_UNORM,
last_level=last_level at entry=0, width0=width0 at entry=16, 
    height0=height0 at entry=16, depth0=1, layers=1, nr_samples=0, bind=10) at
state_tracker/st_texture.c:97
#5  0x00007ff502ada27d in guess_and_alloc_texture (st=st at entry=0x1536270,
stObj=stObj at entry=0x268bc00, stImage=stImage at entry=0x16b5060) at
state_tracker/st_cb_texture.c:464
#6  0x00007ff502ada3a5 in st_AllocTextureImageBuffer (ctx=0x150c200,
texImage=0x16b5060) at state_tracker/st_cb_texture.c:517
#7  0x00007ff502adcb9c in st_TexImage (ctx=0x150c200, dims=2,
texImage=0x16b5060, format=6408, type=5121, pixels=0x1f3bc80, unpack=0x15273f8)
at state_tracker/st_cb_texture.c:875
#8  0x00007ff502a72e00 in teximage (ctx=0x150c200,
compressed=compressed at entry=0 '\000', dims=dims at entry=2, target=3553,
level=<optimized out>, internalFormat=<optimized out>, width=16, height=16,
depth=1, 
    border=0, format=6408, type=5121, imageSize=0, pixels=0x1f3bc80) at
main/teximage.c:3364
#9  0x00007ff502a740e0 in _mesa_TexImage2D (target=<optimized out>,
level=<optimized out>, internalFormat=<optimized out>, width=<optimized out>,
height=<optimized out>, border=<optimized out>, 
    format=6408, type=5121, pixels=0x1f3bc80) at main/teximage.c:3403
#10 0x00007ff513f093a3 in ?? () from /usr/lib/libcogl.so.20
#11 0x00007ff513efed94 in ?? () from /usr/lib/libcogl.so.20
#12 0x00007ff513f3008b in cogl_texture_allocate () from /usr/lib/libcogl.so.20
#13 0x00007ff513f31880 in cogl_texture_2d_new_from_data () from
/usr/lib/libcogl.so.20
#14 0x00007ff5191a6b98 in pixbuf_to_cogl_texture
(pixbuf=pixbuf at entry=0x2779de0) at st/st-texture-cache.c:473
#15 0x00007ff5191a6bf1 in finish_texture_load (data=data at entry=0x2568a50,
pixbuf=pixbuf at entry=0x2779de0) at st/st-texture-cache.c:518
#16 0x00007ff5191a6daa in on_symbolic_icon_loaded (source=0x15f20f0,
result=<optimized out>, user_data=0x2568a50) at st/st-texture-cache.c:553
#17 0x00007ff516fcc1f3 in ?? () from /usr/lib/libgio-2.0.so.0
#18 0x00007ff516fcc229 in ?? () from /usr/lib/libgio-2.0.so.0
#19 0x00007ff51682490d in g_main_context_dispatch () from
/usr/lib/libglib-2.0.so.0
#20 0x00007ff516824ce0 in ?? () from /usr/lib/libglib-2.0.so.0
#21 0x00007ff516825002 in g_main_loop_run () from /usr/lib/libglib-2.0.so.0
#22 0x00007ff518183326 in meta_run () from /usr/lib/libmutter.so.0
#23 0x000000000040208d in main (argc=1, argv=0x7ffeaeeaa028) at main.c:463

-- 
You are receiving this mail because:
You are the QA Contact for the bug.
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.freedesktop.org/archives/mesa-dev/attachments/20150624/817c43fa/attachment.html>

More information about the mesa-dev mailing list