Bug 499877 - xfs code not 64bit safe and crashes with multiple clients
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: xorg-x11-xfs
Version: 4.7
Hardware: x86_64
OS: Linux
Priority: medium
Severity: medium
Target Milestone: rc
Assignee: Adam Jackson
QA Contact: desktop-bugs@redhat.com
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2009-05-08 17:34 UTC by Olivier Fourdan
Modified: 2018-10-27 13:52 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
: 652633 (view as bug list)
Environment:
Last Closed: 2012-04-17 19:23:13 UTC
Target Upstream Version:
Embargoed:


Attachments
Proposed patch (2.46 KB, patch)
2009-05-08 17:34 UTC, Olivier Fourdan

Description Olivier Fourdan 2009-05-08 17:34:16 UTC
Created attachment 343134
Proposed patch

Description of problem:

The code in Xorg xfs is not 64-bit safe and crashes on 64-bit platforms if client-limit is set to a greater value.

Version-Release number of selected component (if applicable):

Any xfs version (including current upstream)

How reproducible:

100% reproducible

Steps to Reproduce:
1. Install and configure xfs on an x86_64 machine
2. Change the default value of client-limit to 100 in /etc/X11/fs/config

   client-limit = 100
   # no-listen = tcp

3. Stress the server with Xvfb (for example)

  while $(/bin/true); do for i in $(seq 1 50); do Xvfb -fp tcp/localhost:7100 :$i & done; sleep 10; for i in $(seq 1 50); do xlsfonts -display :$i & done;sleep 10; killall Xvfb; done

Actual results:

The xfs server will die within seconds with a segfault.

Expected results:

The xfs server handles the load.

Additional info:

The crash occurs in WaitForSomething()

    if (XFD_ANYSET(&clientsReadable)) {
        ClientPtr   client;
        int         conn;

        if (current_time)       /* may not have been set */
            current_time = GetTimeInMillis();
        for (i = 0; i < howmany(XFD_SETSIZE, NFDBITS); i++) {
            while (clientsReadable.fds_bits[i]) {
                curclient = ffs(clientsReadable.fds_bits[i]) - 1;
                conn = ConnectionTranslation[curclient + (i << 5)];
                clientsReadable.fds_bits[i] &= ~(((fd_mask)1L) << curclient);
                client = clients[conn];
                if (!client)
                    continue;
                pClientsReady[nready++] = conn;
                client->last_request_time = current_time;
                client->clientGone = CLIENT_ALIVE;
            }
        }
    }

For two reasons:

1. fds_bits is a long on 64bit, so need to use ffsl() instead of ffs()
2. curclient + (i << 5) is not 64bit safe

Proposed patch attached. 

Note:

1. This is a follow-up to bug #464619 (there was more than one bug in xfs)
2. I already discussed the issue and the patch with krh on irc.
3. This bug seems to be present in el5 also, Fedora and current git upstream.
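
Added example (not part of the report and not the attached patch): the index arithmetic from the listing above next to a word-width-independent form, applied to three constructed descriptors so the two failure modes named in the report show up as numbers. The names word_t, NWORDS, index_as_listed, index_portable and lookup are hypothetical; the printed differences assume an LP64 platform where long is 64 bits, and ffsl() as provided by glibc.

```c
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE 1          /* glibc: make ffsl() visible */
#endif
#include <limits.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>

typedef unsigned long word_t;      /* stand-in for fd_mask (long on x86_64) */
#define WORD_BITS ((int)(sizeof(word_t) * CHAR_BIT))
#define NWORDS 4                   /* constructed set size: 256 fds on LP64 */

/* Index arithmetic as in the listing. It only computes the value that
 * would subscript ConnectionTranslation[]; nothing is dereferenced. */
int index_as_listed(word_t word, int i)
{
    int curclient = ffs((int)word) - 1;   /* int-wide: upper bits are dropped */
    return curclient + (i << 5);          /* hard-codes 32 bits per word */
}

/* Word-wide search, scaled by the real word size. */
int index_portable(word_t word, int i)
{
    int curclient = ffsl((long)word) - 1;
    return curclient + i * WORD_BITS;
}

/* Mark one fd readable in an empty set and map it back to an index. */
int lookup(int fd, int (*index_fn)(word_t, int))
{
    word_t set[NWORDS] = {0};
    set[fd / WORD_BITS] |= (word_t)1 << (fd % WORD_BITS);
    for (int i = 0; i < NWORDS; i++)
        if (set[i])
            return index_fn(set[i], i);
    return INT_MIN;                       /* not reached for a valid fd */
}

int main(void)
{
    const int fds[] = {5, 40, 70};        /* constructed sample descriptors */
    for (int k = 0; k < 3; k++)
        printf("fd %2d  as listed -> %3d   portable -> %3d\n", fds[k],
               lookup(fds[k], index_as_listed), lookup(fds[k], index_portable));
    return 0;
}
```

On LP64, fd 40 comes back as -1 from the listed arithmetic (an out-of-bounds subscript, and a shift count of -1 in the following mask update), and fd 70 comes back as 38, which is another connection's slot.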

Comment 4 RHEL Program Management 2010-10-22 18:55:58 UTC
This request was evaluated by Red Hat Product Management for
inclusion in the current release of Red Hat Enterprise Linux.
Because the affected component is not scheduled to be updated in the
current release, Red Hat is unfortunately unable to address this
request at this time. Red Hat invites you to ask your support
representative to propose this request, if appropriate and relevant,
in the next release of Red Hat Enterprise Linux.

Comment 5 Adam Jackson 2012-04-17 19:23:13 UTC
No further non-security updates are planned for xorg-x11 in RHEL4.  If this issue is not addressed in RHEL5 or newer, please update the affected product version and reopen this bug.