Bug 499877

Summary: xfs code not 64bit safe and crashes with multiple clients
Product: Red Hat Enterprise Linux 4
Reporter: Olivier Fourdan <ofourdan>
Component: xorg-x11-xfs
Assignee: Adam Jackson <ajax>
Status: CLOSED WONTFIX
QA Contact: desktop-bugs <desktop-bugs>
Severity: medium
Priority: medium
Version: 4.7
CC: jwilleford, kem
Target Milestone: rc
Keywords: Patch, Triaged
Target Release: ---
Hardware: x86_64
OS: Linux
Doc Type: Bug Fix
Clone Of:
: 652633
Last Closed: 2012-04-17 19:23:13 UTC
Attachments: Proposed patch (flags: none)

Description Olivier Fourdan 2009-05-08 17:34:16 UTC
Created attachment 343134: Proposed patch

Description of problem:

The code in Xorg xfs is not 64-bit safe and crashes on 64-bit platforms if client-limit is set to a greater value.

Version-Release number of selected component (if applicable):

Any xfs version (including current upstream)

How reproducible:

100% reproducible

Steps to Reproduce:
1. Install and configure xfs on an x86_64 machine
2. Change the default value of client-limit to 100 in /etc/X11/fs/config

   client-limit = 100
   # no-listen = tcp

3. Stress the server with Xvfb (for example)

  while $(/bin/true); do for i in $(seq 1 50); do Xvfb -fp tcp/localhost:7100 :$i & done; sleep 10; for i in $(seq 1 50); do xlsfonts -display :$i & done;sleep 10; killall Xvfb; done

Actual results:

The xfs server will die within seconds with a segfault.

Expected results:

The xfs server handles the load.

Additional info:

The crash occurs in WaitForSomething()

    if (XFD_ANYSET(&clientsReadable)) {
        ClientPtr   client;
        int         conn;

        if (current_time)       /* may not have been set */
            current_time = GetTimeInMillis();
        for (i = 0; i < howmany(XFD_SETSIZE, NFDBITS); i++) {
            while (clientsReadable.fds_bits[i]) {
                curclient = ffs(clientsReadable.fds_bits[i]) - 1;
                conn = ConnectionTranslation[curclient + (i << 5)];
                clientsReadable.fds_bits[i] &= ~(((fd_mask)1L) << curclient);
                client = clients[conn];
                if (!client)
                    continue;
                pClientsReady[nready++] = conn;
                client->last_request_time = current_time;
                client->clientGone = CLIENT_ALIVE;
            }
        }
    }

For two reasons:

1. fds_bits is a long on 64bit, so need to use ffsl() instead of ffs()
2. curclient + (i << 5) is not 64bit safe

Proposed patch attached. 

Note:

1. This is a follow-up to bug #464619 (there was more than one bug in xfs)
2. I already discussed the issue and the patch with krh on IRC.
3. This bug seems to be present in el5 also, Fedora and current git upstream.
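
An added illustration of the two defects listed in the description above (it is not the attached patch and not xfs code): the same ready-set is walked once with the 32-bit assumptions from the quoted loop and once with a full-word scan scaled by the real word width. It models a 64-bit fd_mask with uint64_t words and uses the compiler builtins __builtin_ffs/__builtin_ffsll in place of ffs()/ffsl(); ready_indexes, set_fd, WORDS, WORD_BITS and the sample descriptors are constructed for this example.

```c
#include <stdint.h>
#include <stdio.h>

#define WORDS      2    /* constructed set size: fds 0..127 */
#define WORD_BITS  64   /* NFDBITS when fd_mask is a 64-bit long */

/* Walk a ready-set the way the quoted loop does and write the computed
 * fd indexes to out[]. safe=0 keeps the 32-bit assumptions (int-sized
 * ffs, i << 5); safe=1 scans the full word and scales by WORD_BITS.
 * Returns the number of indexes written. */
static int ready_indexes(const uint64_t *set, int safe, int *out)
{
    int n = 0;
    for (int i = 0; i < WORDS; i++) {
        uint64_t w = set[i];
        while (w) {
            /* ffs() takes an int: the upper 32 bits of the word are dropped */
            int bit = safe ? __builtin_ffsll((long long)w) - 1
                           : __builtin_ffs((int)(uint32_t)w) - 1;
            out[n++] = safe ? bit + i * WORD_BITS : bit + (i << 5);
            if (bit < 0)
                break;  /* the quoted loop would shift by -1 here, undefined in C */
            w &= ~((uint64_t)1 << bit);
        }
    }
    return n;
}

/* Mark descriptor fd as ready in a set made of 64-bit words. */
static void set_fd(uint64_t *set, int fd)
{
    set[fd / WORD_BITS] |= (uint64_t)1 << (fd % WORD_BITS);
}

int main(void)
{
    uint64_t set[WORDS] = { 0, 0 };
    int fds[] = { 5, 40, 70, 100 };   /* constructed sample descriptors */
    int out[WORDS * WORD_BITS];
    for (size_t k = 0; k < sizeof fds / sizeof fds[0]; k++)
        set_fd(set, fds[k]);
    for (int safe = 0; safe <= 1; safe++) {
        int n = ready_indexes(set, safe, out);
        printf("%s:", safe ? "64-bit safe" : "as quoted  ");
        for (int k = 0; k < n; k++)
            printf(" %d", out[k]);
        printf("\n");
    }
    return 0;
}
```

With the 32-bit assumptions, any descriptor whose bit lies in the upper half of a word yields a bit position of -1, and descriptors in the second word are offset by 32 instead of 64, so the lookup index into ConnectionTranslation is wrong or negative.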

Comment 4 RHEL Program Management 2010-10-22 18:55:58 UTC
This request was evaluated by Red Hat Product Management for
inclusion in the current release of Red Hat Enterprise Linux.
Because the affected component is not scheduled to be updated in the
current release, Red Hat is unfortunately unable to address this
request at this time. Red Hat invites you to ask your support
representative to propose this request, if appropriate and relevant,
in the next release of Red Hat Enterprise Linux.

Comment 5 Adam Jackson 2012-04-17 19:23:13 UTC
No further non-security updates are planned for xorg-x11 in RHEL4.  If this issue is not addressed in RHEL5 or newer, please update the affected product version and reopen this bug.