Description of problem:
When I use Firefox 3.6 (downloaded from www.mozilla.com/firefox/) on RHEL5.4 and visit some sites (for example, this one: http://www.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/5.5.b1/html/Technical_Notes/Known_Issues-kexec-tools.html), the whole X server crashes. This is the error log in Xorg.0.log:

------------
Backtrace:
0: /usr/bin/Xorg(xf86SigHandler+0x81) [0x80d1bb1]
1: [0xb3b420]
2: /usr/lib/xorg/modules/libfb.so(fbCompositeSrc_8888x8888mmx+0x162) [0x343212]
3: /usr/lib/xorg/modules/libfb.so(fbComposite+0x57b) [0x3334fb]
4: /usr/lib/xorg/modules/libxaa.so(XAAComposite+0x1db) [0xe98eeb]
5: /usr/lib/xorg/modules/drivers/intel_drv.so(i830_xaa_composite+0x148) [0x6ad5f8]
6: /usr/bin/Xorg [0x816aa46]
7: /usr/bin/Xorg [0x81673b6]
8: /usr/bin/Xorg(CompositePicture+0x153) [0x8154503]
9: /usr/bin/Xorg [0x815a34f]
10: /usr/bin/Xorg [0x81576c5]
11: /usr/bin/Xorg(Dispatch+0x19a) [0x80894fa]
12: /usr/bin/Xorg(main+0x485) [0x8070755]
13: /lib/libc.so.6(__libc_start_main+0xdc) [0x125e9c]
14: /usr/bin/Xorg(FontFileCompleteXLFD+0x1fd) [0x806fa51]

Fatal server error:
Caught signal 11.  Server aborting

(II) AIGLX: Suspending AIGLX clients for VT switch
(II) intel(0): xf86UnbindGARTMemory: unbind key 0
(II) intel(0): xf86UnbindGARTMemory: unbind key 1
(II) intel(0): xf86UnbindGARTMemory: unbind key 2
(II) intel(0): xf86UnbindGARTMemory: unbind key 3
(II) intel(0): xf86UnbindGARTMemory: unbind key 4
------------

I have updated all related packages to the latest version, but the problem still happens and is reproducible.

Version-Release number of selected component (if applicable):
xorg-x11-server-Xorg-1.1.1-48.67.el5_4.1

How reproducible:
Always.

Steps to Reproduce:
1. Start Firefox 3.6
2. Go to http://www.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/5.5.b1/html/Technical_Notes/Known_Issues-kexec-tools.html
3. X crashes and restarts

Actual results:
X crashes and restarts

Expected results:
X shouldn't crash.
Scary, this bug affected me today. I can reproduce this bug with the URL specified. This obviously has security implications, and seems like it could be a remote root vulnerability.

(gdb) bt
#0  0x00839410 in __kernel_vsyscall ()
#1  0x00c1fdf0 in raise () from /lib/libc.so.6
#2  0x00c21701 in abort () from /lib/libc.so.6
#3  0x080a2e85 in ddxGiveUp () at xf86Init.c:1261
#4  0x081bbe93 in AbortServer () at log.c:408
#5  0x081bc426 in FatalError (f=0x81cd800 "Caught signal %d.  Server aborting\n") at log.c:554
#6  0x080d1c20 in xf86SigHandler (signo=11) at xf86Events.c:1484
#7  <signal handler called>
#8  fbCompositeSrc_8888x8888mmx (op=3 '\003', pSrc=0x8e76278, pMask=0x0, pDst=0x8e3ec40, xSrc=0, ySrc=2607, xMask=0, yMask=0, xDst=710, yDst=2420, width=500, height=52057) at fbmmx.c:1312
#9  0x001874fb in fbComposite (op=3 '\003', pSrc=0x8e76278, pMask=0x0, pDst=0x8e3ec40, xSrc=0, ySrc=1767, xMask=0, yMask=0, xDst=710, yDst=0, width=500, height=1016) at fbpict.c:1299
#10 0x0032ceeb in XAAComposite (op=3 '\003', pSrc=0x8e76278, pMask=0x0, pDst=0x8e3ec40, xSrc=0, ySrc=-153, xMask=0, yMask=0, xDst=710, yDst=0, width=500, height=1016) at xaaPict.c:536
#11 0x005285f8 in i830_xaa_composite (op=3 '\003', pSrc=0x8e76278, pMask=0x0, pDst=0x8e3ec40, xSrc=0, ySrc=-153, xMask=0, yMask=0, xDst=710, yDst=0, width=500, height=1016) at i830_xaa.c:873
#12 0x0816aa46 in cwComposite (op=3 '\003', pSrcPicture=0x8e76278, pMskPicture=0x0, pDstPicture=0x8e3ec40, xSrc=0, ySrc=-153, xMsk=0, yMsk=0, xDst=710, yDst=0, width=500, height=1016) at cw_render.c:275
#13 0x081673b6 in damageComposite (op=3 '\003', pSrc=0x8e76278, pMask=0x0, pDst=0x8e3ec40, xSrc=0, ySrc=-153, xMask=0, yMask=0, xDst=710, yDst=0, width=500, height=1016) at damage.c:541
#14 0x08154503 in CompositePicture (op=3 '\003', pSrc=0x8e76278, pMask=0x0, pDst=0x8e3ec40, xSrc=0, ySrc=-153, xMask=0, yMask=0, xDst=710, yDst=0, width=500, height=1016) at picture.c:1789
#15 0x0815a34f in ProcRenderComposite (client=0x8e05e18) at render.c:758
#16 0x081576c5 in ProcRenderDispatch (client=0x1e00) at render.c:2005
#17 0x080894fa in Dispatch () at dispatch.c:459
#18 0x08070755 in main (argc=10, argv=0xbf9ad824, envp=Cannot access memory at address 0x1e08 ) at main.c:447

(gdb) frame 8
#8  fbCompositeSrc_8888x8888mmx (op=3 '\003', pSrc=0x8e76278, pMask=0x0, pDst=0x8e3ec40, xSrc=0, ySrc=2607, xMask=0, yMask=0, xDst=710, yDst=2420, width=500, height=52057) at fbmmx.c:1312
1312            __m64 vs = *(__m64 *)(src + 0);
(gdb) x/i $pc
0x197273 <fbCompositeSrc_8888x8888mmx+451>:     movq   (%eax),%mm4
(gdb) p/x $eax
$1 = 0xaf169000

(Question: is ySrc=-153 in frame 14 expected?)

Temporary workaround (at the expense of losing xrender):

Section "Extensions"
    Option "RENDER" "disable"
EndSection

in /etc/X11/xorg.conf.

00:02.0 VGA compatible controller: Intel Corporation Mobile 4 Series Chipset Integrated Graphics Controller (rev 07)
00:02.1 Display controller: Intel Corporation Mobile 4 Series Chipset Integrated Graphics Controller (rev 07)

$ rpm -qf /usr/lib/xorg/modules/drivers/intel_drv.so
xorg-x11-drv-i810-1.6.5-9.25.el5
Tavis, thanks for the heads-up.
Similar report - bug #498500.
bug #495733 also looks similar
The fix proposed in https://bugzilla.redhat.com/show_bug.cgi?id=495733#c15 (i.e. attachment https://bugzilla.redhat.com/attachment.cgi?id=403292) should fix this bug as well (at least it does in my tests).
Patch works here as well. Olivier, thanks. That must have been tough to spot, very cool.
*** This bug has been marked as a duplicate of bug 495733 ***