From owner-freebsd-ports Thu Aug 23 2:40:11 2001 Delivered-To: freebsd-ports@hub.freebsd.org Received: from freefall.freebsd.org (freefall.freebsd.org [216.136.204.21]) by hub.freebsd.org (Postfix) with ESMTP id 8CE5937B40B for ; Thu, 23 Aug 2001 02:40:01 -0700 (PDT) (envelope-from gnats@FreeBSD.org) Received: (from gnats@localhost) by freefall.freebsd.org (8.11.4/8.11.4) id f7N9e1U27809; Thu, 23 Aug 2001 02:40:01 -0700 (PDT) (envelope-from gnats) Received: from neptune.he.net (neptune.he.net [216.218.166.2]) by hub.freebsd.org (Postfix) with ESMTP id 3DBFC37B40C for ; Thu, 23 Aug 2001 02:34:47 -0700 (PDT) (envelope-from robinson@netrinsics.com) Received: from netrinsics.com ([210.52.150.12] (may be forged)) by neptune.he.net (8.8.6/8.8.2) with ESMTP id CAA27309; Thu, 23 Aug 2001 02:34:40 -0700 Received: (from robinson@localhost) by netrinsics.com (8.11.2/8.11.1) id f7N9ZDs03504; Thu, 23 Aug 2001 17:35:13 +0800 (+0800) (envelope-from robinson) Message-Id: <200108230935.f7N9ZDs03504@netrinsics.com> Date: Thu, 23 Aug 2001 17:35:13 +0800 (+0800) From: Michael Robinson Reply-To: robinson@netrinsics.com To: FreeBSD-gnats-submit@freebsd.org Cc: fixes@xfree86.org X-Send-Pr-Version: 3.113 Subject: ports/29982: XFree86 4.x contains race condition in mouse device Sender: owner-freebsd-ports@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org >Number: 29982 >Category: ports >Synopsis: XFree86 4.x contains race condition in mouse device >Confidential: no >Severity: non-critical >Priority: medium >Responsible: freebsd-ports >State: open >Quarter: >Keywords: >Date-Required: >Class: sw-bug >Submitter-Id: current-users >Arrival-Date: Thu Aug 23 02:40:00 PDT 2001 >Closed-Date: >Last-Modified: >Originator: Michael Robinson >Release: FreeBSD 5.0-CURRENT i386 >Organization: >Environment: System: FreeBSD elephant.netrinsics.com 5.0-CURRENT FreeBSD 5.0-CURRENT #19: Sat Jul 7 17:29:50 +0800 2001 root@elephant.netrinsics.com:/usr/src/sys/compile/5000e-5x i386 >Description: The XFree86 mouse driver currently allocates and deallocates timers in MousePostEvent, which is called from the SIGIO handlers. Because TimerFree and TimerSet call the malloc library, this creates a race condition in which the X server can crash with a "malloc/free: recursive call" if a mouse event arrives while the server is in the malloc library code in another part of the server. The timer in question is used to handle the "Emulate3Buttons" timeout. It is not necessary to free and reallocate this timer, as TimerSet contains code to reuse timers. This patch removes the calls to FreeTimer, as well as (unnecessary) error-handling code for the (harmless) spurious timer events that occur when the timers aren't freed in MousePostEvent. This patch fixes a problem I had where the X server would intermittently crash during mouse motion concurrent with heavy paging activity. I have tested it for several days with no ill effects, and strongly recommend committing it to the XFree86-4 port until such time as it can be incorporated into the main XFree86 distribution. >How-To-Repeat: Infrequent crash with Emulate3Buttons enabled, with mouse button events concurrent with heavy paging. >Fix: --- programs/Xserver/hw/xfree86/input/mouse/mouse.c.orig Sat Aug 18 22:47:30 2001 +++ programs/Xserver/hw/xfree86/input/mouse/mouse.c Thu Aug 23 17:13:44 2001 @@ -1837,8 +1837,6 @@ if ((id = stateTab[pMse->emulateState][4][0]) != 0) { xf86PostButtonEvent(pInfo->dev, 0, abs(id), (id >= 0), 0, 0); pMse->emulateState = stateTab[pMse->emulateState][4][2]; - } else { - ErrorF("Got unexpected buttonTimer in state %d\n", pMse->emulateState); } xf86UnblockSIGIO (sigstate); @@ -1892,11 +1890,6 @@ if (stateTab[pMse->emulateState][4][0] != 0) { timer = TimerSet(timer, 0, pMse->emulate3Timeout, buttonTimer, pInfo); - } else { - if (timer) { - TimerFree(timer); - timer = NULL; - } } } >Release-Note: >Audit-Trail: >Unformatted: To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-ports" in the body of the message