Bug 499877 - xfs code not 64bit safe and crashes with multiple clients
xfs code not 64bit safe and crashes with multiple clients
Status: CLOSED WONTFIX
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: xorg-x11-xfs (Show other bugs)
4.7
x86_64 Linux
medium Severity medium
: rc
: ---
Assigned To: Adam Jackson
desktop-bugs@redhat.com
: Patch, Triaged
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2009-05-08 13:34 EDT by Olivier Fourdan
Modified: 2013-03-03 21:48 EST (History)
2 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
: 652633 (view as bug list)
Environment:
Last Closed: 2012-04-17 15:23:13 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
Proposed patch (2.46 KB, patch)
2009-05-08 13:34 EDT, Olivier Fourdan
no flags Details | Diff

  None (edit)
Description Olivier Fourdan 2009-05-08 13:34:16 EDT
Created attachment 343134 [details]
Proposed patch

Description of problem:

The code in Xorg xfs is not 64bit safe and crashed on 64bits platforms if client-limit is set to a greater value.

Version-Release number of selected component (if applicable):

Any xfs version (including current upstream)

How reproducible:

100% reproducible

Steps to Reproduce:
1. install and configure xfs on a x86_64 machine
2. Change the default value of client-limit to 100 in /etc/X11/fs/config

   client-limit = 100
   # no-listen = tcp

2. Stress the server with Xvfb (for example)

  while $(/bin/true); do for i in $(seq 1 50); do Xvfb -fp tcp/localhost:7100 :$i & done; sleep 10; for i in $(seq 1 50); do xlsfonts -display :$i & done;sleep 10; killall Xvfb; done

Actual results:

The xfs server will die withing seconds with a segfault.

Expected results:

The xfs server handle the load.

Additional info:

The crash occurs in WaitforSomething()

193     if (XFD_ANYSET(&clientsReadable)) {
194         ClientPtr   client;
195         int         conn;
196
197         if (current_time)       /* may not have been set */
198             current_time = GetTimeInMillis();
199         for (i = 0; i < howmany(XFD_SETSIZE, NFDBITS); i++) {
200             while (clientsReadable.fds_bits[i]) {
201                 curclient = ffs(clientsReadable.fds_bits[i]) - 1;
202                 conn = ConnectionTranslation[curclient + (i << 5)];
203                 clientsReadable.fds_bits[i] &= ~(((fd_mask)1L) << curclient);
204                 client = clients[conn];
205                 if (!client)
206                     continue;
207                 pClientsReady[nready++] = conn;
208                 client->last_request_time = current_time;
209                 client->clientGone = CLIENT_ALIVE;
210             }
211         }
212     }

For two reasons:

1. fds_bits is a long on 64bit, so need to use ffsl() instead of ffs()
2. curclient + (i << 5) is not 64bit safe

Proposed patch attached. 

Note:

1. This is follow up of bug #464619 (there was more than one bug in xfs)
2. I already discussed the issue and the patch with krh on irc.
3. This bug seems to be present in el5 also, Fedora and current git upstream.
Comment 4 RHEL Product and Program Management 2010-10-22 14:55:58 EDT
This request was evaluated by Red Hat Product Management for
inclusion in the current release of Red Hat Enterprise Linux.
Because the affected component is not scheduled to be updated in the
current release, Red Hat is unfortunately unable to address this
request at this time. Red Hat invites you to ask your support
representative to propose this request, if appropriate and relevant,
in the next release of Red Hat Enterprise Linux.
Comment 5 Adam Jackson 2012-04-17 15:23:13 EDT
No further non-security updates are planned for xorg-x11 in RHEL4.  If this issue is not addressed in RHEL5 or newer, please update the affected product version and reopen this bug.

Note You need to log in before you can comment on or make changes to this bug.