Date:      Thu, 23 Aug 2001 17:35:13 +0800 (+0800)
From:      Michael Robinson <robinson@netrinsics.com>
To:        FreeBSD-gnats-submit@freebsd.org
Cc:        fixes@xfree86.org
Subject:   ports/29982: XFree86 4.x contains race condition in mouse device
Message-ID:  <200108230935.f7N9ZDs03504@netrinsics.com>


>Number:         29982
>Category:       ports
>Synopsis:       XFree86 4.x contains race condition in mouse device
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    freebsd-ports
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Thu Aug 23 02:40:00 PDT 2001
>Closed-Date:
>Last-Modified:
>Originator:     Michael Robinson
>Release:        FreeBSD 5.0-CURRENT i386
>Organization:
>Environment:
System: FreeBSD elephant.netrinsics.com 5.0-CURRENT FreeBSD 5.0-CURRENT #19: Sat Jul 7 17:29:50 +0800 2001 root@elephant.netrinsics.com:/usr/src/sys/compile/5000e-5x i386
>Description:
The XFree86 mouse driver currently allocates and deallocates timers in 
MousePostEvent, which is called from the SIGIO handlers.  Because 
TimerFree and TimerSet call the malloc library, this creates a race 
condition in which the X server can crash with a "malloc/free: recursive call"
if a mouse event arrives while the server is in the malloc library code in
another part of the server.

The timer in question is used to handle the "Emulate3Buttons" timeout.
It is not necessary to free and reallocate this timer, as TimerSet contains
code to reuse timers.

This patch removes the calls to FreeTimer, as well as (unnecessary)
error-handling code for the (harmless) spurious timer events that occur when
the timers aren't freed in MousePostEvent.

This patch fixes a problem I had where the X server would intermittently 
crash during mouse motion concurrent with heavy paging activity.  I have
tested it for several days with no ill effects, and strongly recommend 
committing it to the XFree86-4 port until such time as it can be incorporated
into the main XFree86 distribution.

>How-To-Repeat:
Infrequent crash with Emulate3Buttons enabled, with mouse button events 
concurrent with heavy paging.
>Fix:

--- programs/Xserver/hw/xfree86/input/mouse/mouse.c.orig	Sat Aug 18 22:47:30 2001
+++ programs/Xserver/hw/xfree86/input/mouse/mouse.c	Thu Aug 23 17:13:44 2001
@@ -1837,8 +1837,6 @@
     if ((id = stateTab[pMse->emulateState][4][0]) != 0) {
         xf86PostButtonEvent(pInfo->dev, 0, abs(id), (id >= 0), 0, 0);
         pMse->emulateState = stateTab[pMse->emulateState][4][2];
-    } else {
-        ErrorF("Got unexpected buttonTimer in state %d\n", pMse->emulateState);
     }
 
     xf86UnblockSIGIO (sigstate);
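Review bot: With the `else` branch removed in this hunk, a `buttonTimer` call that finds `stateTab[pMse->emulateState][4][0] == 0` is now dropped silently, and nothing in the code says that this has become an expected case. Add a short comment at the `if` stating that stale timers are left armed on purpose and can fire after the state has moved on, so the check is not later mistaken for dead code or the `ErrorF` reinstated. If the diagnostic is still wanted while debugging, keeping it behind a debug conditional would be preferable to deleting it outright.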
@@ -1892,11 +1890,6 @@
             if (stateTab[pMse->emulateState][4][0] != 0) {
                 timer = TimerSet(timer, 0, pMse->emulate3Timeout, buttonTimer,
 			     pInfo);
-            } else {
-                if (timer) {
-                    TimerFree(timer);
-                    timer = NULL;
-                }
             }
         }
 
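Review bot: The `TimerSet(timer, 0, pMse->emulate3Timeout, buttonTimer, pInfo)` call that remains in this hunk is still on the SIGIO path, and the description says TimerSet calls into malloc as well. The removed `if (timer)` test shows that `timer` can be NULL, so the first call here, before any timer exists to reuse, may still allocate from the handler. Consider creating the timer once outside the signal path (for example at device initialisation) so this call only ever re-arms an existing timer, and add a comment that the timer is deliberately left armed when `stateTab[pMse->emulateState][4][0]` is 0.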

>Release-Note:
>Audit-Trail:
>Unformatted:
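
The failure mode described in the report, as an added C example that is not part of the original message or of XFree86: a signal handler enters an allocator that the interrupted code is already inside. `Timer`, `guarded_alloc`, `timer_set` and `run_scenario` are hypothetical stand-ins, SIGUSR1 stands in for SIGIO, and the example goes beyond the patch by preallocating the timer so the handler never reaches the allocator.

```c
#include <signal.h>
#include <stdlib.h>

/* Hypothetical stand-ins for the server's timer API; not XFree86 code. */
typedef struct { int armed; unsigned timeout_ms; } Timer;

static volatile sig_atomic_t in_alloc;   /* nonzero while the allocator is running */
static volatile sig_atomic_t recursive;  /* allocator entries made while in_alloc was set */
static Timer *timer;                     /* the single reusable emulation timer */

/* Allocator with a reentrancy check, modelling "malloc/free: recursive call". */
static void *guarded_alloc(size_t n)
{
    void *p;
    if (in_alloc) { recursive++; return NULL; }
    in_alloc = 1;
    p = calloc(1, n);
    in_alloc = 0;
    return p;
}

/* Reuses t when it exists; only a NULL t reaches the allocator. */
static Timer *timer_set(Timer *t, unsigned ms)
{
    if (t == NULL && (t = guarded_alloc(sizeof *t)) == NULL)
        return NULL;
    t->armed = 1;
    t->timeout_ms = ms;
    return t;
}

/* Signal handler standing in for the SIGIO mouse-event path. */
static void on_event(int sig) { (void)sig; timer = timer_set(timer, 50); }

/* Delivers one event while the main code is inside the allocator.
   Returns how many recursive allocator entries were detected. */
static int run_scenario(int preallocate)
{
    recursive = 0;
    free(timer);
    timer = preallocate ? timer_set(NULL, 0) : NULL;  /* allocated outside the handler */
    signal(SIGUSR1, on_event);
    in_alloc = 1;        /* main code is mid-allocation ... */
    raise(SIGUSR1);      /* ... when the event arrives */
    in_alloc = 0;
    return (int)recursive;
}

int main(void) { return !(run_scenario(0) == 1 && run_scenario(1) == 0); }
```

With no preallocated timer the handler re-enters the allocator once; with the timer created beforehand the handler only re-arms it and the count stays at zero.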
