[Mesa-dev] [Bug 91098] vmwgfx null ptr dereference at vmw_screen_ioctl.c:76 due to ioctl failure

2018-09-14 Thread bugzilla-daemon
https://bugs.freedesktop.org/show_bug.cgi?id=91098

Brian Paul  changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Resolution|---                         |WONTFIX
             Status|NEW                         |RESOLVED

--- Comment #2 from Brian Paul  ---
There's been no follow-up from the original poster.  Closing.  Re-open if it's
still an issue for you.

-- 
You are receiving this mail because:
You are the QA Contact for the bug.
You are the assignee for the bug.
___
mesa-dev mailing list
mesa-dev@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/mesa-dev


[Mesa-dev] [Bug 91098] vmwgfx null ptr dereference at vmw_screen_ioctl.c:76 due to ioctl failure

2018-09-14 Thread bugzilla-daemon
https://bugs.freedesktop.org/show_bug.cgi?id=91098

Timothy Arceri  changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
          Component|Other                       |Drivers/Gallium/vmwgfx



[Mesa-dev] [Bug 91098] vmwgfx null ptr dereference at vmw_screen_ioctl.c:76 due to ioctl failure

2015-06-24 Thread bugzilla-daemon
https://bugs.freedesktop.org/show_bug.cgi?id=91098

--- Comment #1 from Thomas Hellström thellst...@vmware.com ---
Hi.

Thanks for the bug report.

I think the root problem is gnome-shell(gdm) dropping its master privileges and
then trying to render.

The reason this is not allowed in the vmwgfx driver is the following scenario:
1) A user switches away the X server VT and gets a console terminal.
2) User launches a DRM-aware malicious app that becomes master and
authenticates itself.
3) The user switches back the X server
4) The malicious app can now open exported buffer objects at will and access or
manipulate user private data. This is correctly blocked in the vmwgfx driver.

So this is AFAICT a gnome-shell (gdm mode) bug. It shouldn't render when it
drops its master privileges, so the gnome bugzilla would be good to start with.
We'll follow up.



[Mesa-dev] [Bug 91098] vmwgfx null ptr dereference at vmw_screen_ioctl.c:76 due to ioctl failure

2015-06-24 Thread bugzilla-daemon
https://bugs.freedesktop.org/show_bug.cgi?id=91098

Bug ID: 91098
   Summary: vmwgfx null ptr dereference at vmw_screen_ioctl.c:76
due to ioctl failure
   Product: Mesa
   Version: 10.6
  Hardware: Other
OS: All
Status: NEW
  Severity: normal
  Priority: medium
 Component: Other
  Assignee: mesa-dev@lists.freedesktop.org
  Reporter: freedesk...@pargon.nl
QA Contact: mesa-dev@lists.freedesktop.org

I'm experiencing occasional crashes of gnome-shell (3.16) due to failed ioctls
requested by Mesa's vmware DRI backend.

Any pointers on where I should take the apparent root issue would be
appreciated - I have no idea whether Mesa or the kernel driver is at fault for
the ioctl failing in the first place.

Kernel logs (v4.0.5) report an ioctl failure:

[15949.294396] [drm:vmw_generic_ioctl [vmwgfx]] *ERROR* Dropped master trying
to access ioctl that requires authentication.
[15949.294400] [drm] IOCTL ERROR Command 65, Error -13.
[15949.296209] [drm:vmw_generic_ioctl [vmwgfx]] *ERROR* Dropped master trying
to access ioctl that requires authentication.
[15949.296214] [drm] IOCTL ERROR Command 65, Error -13.
[15949.296468] [drm:vmw_generic_ioctl [vmwgfx]] *ERROR* Dropped master trying
to access ioctl that requires authentication.
[15949.296470] [drm] IOCTL ERROR Command 87, Error -13.
[15949.296478] gnome-shell[337]: segfault at 20 ip 7ff502cb4680 sp
7ffeaeea96e8 error 4 in vmwgfx_dri.so[7ff50293f000+506000]

Followed by a crash of gnome-shell, due to an apparent null pointer
dereference:

Core was generated by `gnome-shell --mode=gdm --wayland --display-server'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0  vmw_region_size (region=0x0) at vmw_screen_ioctl.c:76
76   return region->size;
(gdb) bt
#0  vmw_region_size (region=0x0) at vmw_screen_ioctl.c:76
#1  0x7ff502cb65cc in vmw_svga_winsys_surface_create (sws=0x145aaa0,
flags=(SVGA3D_SURFACE_HINT_TEXTURE | SVGA3D_SURFACE_HINT_RENDERTARGET),
format=SVGA3D_A8R8G8B8, usage=0, size=..., numFaces=1, 
numMipLevels=1) at vmw_screen_svga.c:222
#2  0x7ff502cc0d46 in svga_screen_surface_create
(svgascreen=svgascreen@entry=0x145b9c0, key=key@entry=0x1cc8c90) at
svga_screen_cache.c:449
#3  0x7ff502cbf810 in svga_texture_create (screen=0x145b9c0,
template=0x7ffeaeea9840) at svga_resource_texture.c:729
#4  0x7ff502b0797b in st_texture_create (st=st@entry=0x1536270,
target=<optimized out>, format=format@entry=PIPE_FORMAT_B8G8R8A8_UNORM,
last_level=last_level@entry=0, width0=width0@entry=16, 
height0=height0@entry=16, depth0=1, layers=1, nr_samples=0, bind=10) at
state_tracker/st_texture.c:97
#5  0x7ff502ada27d in guess_and_alloc_texture (st=st@entry=0x1536270,
stObj=stObj@entry=0x268bc00, stImage=stImage@entry=0x16b5060) at
state_tracker/st_cb_texture.c:464
#6  0x7ff502ada3a5 in st_AllocTextureImageBuffer (ctx=0x150c200,
texImage=0x16b5060) at state_tracker/st_cb_texture.c:517
#7  0x7ff502adcb9c in st_TexImage (ctx=0x150c200, dims=2,
texImage=0x16b5060, format=6408, type=5121, pixels=0x1f3bc80, unpack=0x15273f8)
at state_tracker/st_cb_texture.c:875
#8  0x7ff502a72e00 in teximage (ctx=0x150c200,
compressed=compressed@entry=0 '\000', dims=dims@entry=2, target=3553,
level=<optimized out>, internalFormat=<optimized out>, width=16, height=16,
depth=1, 
border=0, format=6408, type=5121, imageSize=0, pixels=0x1f3bc80) at
main/teximage.c:3364
#9  0x7ff502a740e0 in _mesa_TexImage2D (target=<optimized out>,
level=<optimized out>, internalFormat=<optimized out>, width=<optimized out>,
height=<optimized out>, border=<optimized out>, 
format=6408, type=5121, pixels=0x1f3bc80) at main/teximage.c:3403
#10 0x7ff513f093a3 in ?? () from /usr/lib/libcogl.so.20
#11 0x7ff513efed94 in ?? () from /usr/lib/libcogl.so.20
#12 0x7ff513f3008b in cogl_texture_allocate () from /usr/lib/libcogl.so.20
#13 0x7ff513f31880 in cogl_texture_2d_new_from_data () from
/usr/lib/libcogl.so.20
#14 0x7ff5191a6b98 in pixbuf_to_cogl_texture
(pixbuf=pixbuf@entry=0x2779de0) at st/st-texture-cache.c:473
#15 0x7ff5191a6bf1 in finish_texture_load (data=data@entry=0x2568a50,
pixbuf=pixbuf@entry=0x2779de0) at st/st-texture-cache.c:518
#16 0x7ff5191a6daa in on_symbolic_icon_loaded (source=0x15f20f0,
result=<optimized out>, user_data=0x2568a50) at st/st-texture-cache.c:553
#17 0x7ff516fcc1f3 in ?? () from /usr/lib/libgio-2.0.so.0
#18 0x7ff516fcc229 in ?? () from /usr/lib/libgio-2.0.so.0
#19 0x7ff51682490d in g_main_context_dispatch () from
/usr/lib/libglib-2.0.so.0
#20 0x7ff516824ce0 in ?? () from /usr/lib/libglib-2.0.so.0
#21 0x7ff516825002 in g_main_loop_run () from /usr/lib/libglib-2.0.so.0
#22 0x7ff518183326 in meta_run () from /usr/lib/libmutter.so.0
#23 0x0040208d in main (argc=1, argv=0x7ffeaeeaa028) at main.c:463

-- 
You are receiving this mail because:
You are the QA
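
The failure path in the report above (an ioctl refused with error -13, a NULL region, then a dereference in the size accessor), modelled as an added example that is not Mesa or vmwgfx source. All names (`sim_alloc_ioctl`, `region_create`, `surface_create_checked`) and the struct are hypothetical stand-ins; the point is the caller-side check that turns the refused ioctl into a reported error instead of a crash.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical stand-in for a driver buffer region (not Mesa's struct). */
struct region { uint32_t size; };

/* Simulated allocation ioctl: a client that has dropped DRM master is
 * refused with -EACCES, the "Error -13" seen in the kernel log. */
static int sim_alloc_ioctl(int is_master, uint32_t size, struct region *out)
{
    if (!is_master)
        return -EACCES;
    out->size = size;
    return 0;
}

/* Returns NULL on failure and stores the negative errno in *err. */
static struct region *region_create(int is_master, uint32_t size, int *err)
{
    struct region *r = malloc(sizeof *r);
    if (r == NULL) { *err = -ENOMEM; return NULL; }
    *err = sim_alloc_ioctl(is_master, size, r);
    if (*err != 0) { free(r); return NULL; }
    return r;
}

/* Same shape as frame #0 of the backtrace: no NULL check of its own. */
static uint32_t region_size(const struct region *r) { return r->size; }

/* Hardened caller: test the result before it reaches region_size(). */
static int surface_create_checked(int is_master, uint32_t want, uint32_t *got)
{
    int err = 0;
    struct region *r = region_create(is_master, want, &err);
    if (r == NULL)
        return err;          /* propagate the failure instead of crashing */
    *got = region_size(r);
    free(r);
    return 0;
}

int main(void)
{
    uint32_t got = 0;
    printf("master:  rc=%d\n", surface_create_checked(1, 4096, &got));
    printf("dropped: rc=%d\n", surface_create_checked(0, 4096, &got));
    return 0;
}
```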