From robinson@netrinsics.com  Thu Aug 23 02:34:47 2001
Return-Path: <robinson@netrinsics.com>
Received: from neptune.he.net (neptune.he.net [216.218.166.2])
	by hub.freebsd.org (Postfix) with ESMTP id 3DBFC37B40C
	for <FreeBSD-gnats-submit@freebsd.org>; Thu, 23 Aug 2001 02:34:47 -0700 (PDT)
	(envelope-from robinson@netrinsics.com)
Received: from netrinsics.com ([210.52.150.12] (may be forged)) by neptune.he.net (8.8.6/8.8.2) with ESMTP id CAA27309; Thu, 23 Aug 2001 02:34:40 -0700
Received: (from robinson@localhost)
	by netrinsics.com (8.11.2/8.11.1) id f7N9ZDs03504;
	Thu, 23 Aug 2001 17:35:13 +0800 (+0800)
	(envelope-from robinson)
Message-Id: <200108230935.f7N9ZDs03504@netrinsics.com>
Date: Thu, 23 Aug 2001 17:35:13 +0800 (+0800)
From: Michael Robinson <robinson@netrinsics.com>
Reply-To: robinson@netrinsics.com
To: FreeBSD-gnats-submit@freebsd.org
Cc: fixes@xfree86.org
Subject: XFree86 4.x contains race condition in mouse device
X-Send-Pr-Version: 3.113
X-GNATS-Notify:

>Number:         29982
>Category:       ports
>Synopsis:       XFree86 4.x contains race condition in mouse device
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    jmz
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Thu Aug 23 02:40:00 PDT 2001
>Closed-Date:    Thu Aug 23 15:37:23 PDT 2001
>Last-Modified:  Thu Aug 23 15:37:57 PDT 2001
>Originator:     Michael Robinson
>Release:        FreeBSD 5.0-CURRENT i386
>Organization:
>Environment:
System: FreeBSD elephant.netrinsics.com 5.0-CURRENT FreeBSD 5.0-CURRENT #19: Sat Jul 7 17:29:50 +0800 2001 root@elephant.netrinsics.com:/usr/src/sys/compile/5000e-5x i386
>Description:
The XFree86 mouse driver currently allocates and deallocates timers in 
MousePostEvent, which is called from the SIGIO handlers.  Because 
TimerFree and TimerSet call the malloc library, this creates a race 
condition in which the X server can crash with a "malloc/free: recursive call"
if a mouse event arrives while the server is in the malloc library code in
another part of the server.

The timer in question is used to handle the "Emulate3Buttons" timeout.
It is not necessary to free and reallocate this timer, as TimerSet contains
code to reuse timers.

This patch removes the calls to TimerFree, as well as the (unnecessary)
error-handling code for the (harmless) spurious timer events that occur when
the timers aren't freed in MousePostEvent.

This patch fixes a problem I had where the X server would intermittently 
crash during mouse motion concurrent with heavy paging activity.  I have
tested it for several days with no ill effects, and strongly recommend 
committing it to the XFree86-4 port until such time as it can be incorporated
into the main XFree86 distribution.
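
The free-and-reallocate pattern described above, beside the reuse that TimerSet already supports, as an added illustration in C; this is not XFree86 code, and the Timer struct, the counting allocation wrapper and the in_malloc flag are constructed stand-ins for the server's OsTimer and the C library's malloc:

```c
#include <signal.h>
#include <stdlib.h>

/* Stand-in for the X server's OsTimer: a one-shot timer with a deadline. */
typedef struct { unsigned long expires; int armed; } Timer;
static volatile sig_atomic_t in_malloc; /* main-line server code is inside malloc */
static int alloc_calls;                 /* allocator calls made by the timer path */

/* Allocation wrapper: counts calls and models the "recursive call" failure. */
static Timer *timer_alloc(void) {
    alloc_calls++;
    if (in_malloc) return NULL;         /* the real malloc would abort the server here */
    return calloc(1, sizeof(Timer));
}
/* Like TimerSet: reuse the timer passed in, allocate only when it is NULL. */
static Timer *timer_set(Timer *t, unsigned long now, unsigned long delay) {
    if (t == NULL) t = timer_alloc();
    if (t == NULL) return NULL;
    t->expires = now + delay;
    t->armed = 1;
    return t;
}
/* Pre-patch MousePostEvent logic: free the timer when the state table has no
   pending action, so the next arming must allocate again from the SIGIO path. */
Timer *post_event_freeing(Timer *t, int pending, unsigned long now) {
    if (pending) return timer_set(t, now, 50);
    free(t);
    return NULL;
}

/* Patched logic: keep the timer so TimerSet reuses it; a stale callback that
   later fires in a state with no action is simply ignored. */
Timer *post_event_reusing(Timer *t, int pending, unsigned long now) {
    if (pending) return timer_set(t, now, 50);
    if (t) t->armed = 0;
    return t;
}
/* Deliver two button events (no action, then one needing the Emulate3Buttons
   timeout) while the server is inside malloc; return allocator calls made there. */
int run_scenario(Timer *(*post_event)(Timer *, int, unsigned long)) {
    in_malloc = 0; alloc_calls = 0;
    Timer *t = timer_set(NULL, 0, 50);  /* allocated at init time, outside any handler */
    in_malloc = 1;                      /* server main loop is now inside malloc */
    t = post_event(t, 0, 10);
    t = post_event(t, 1, 20);
    in_malloc = 0;
    free(t);
    return alloc_calls - 1;             /* minus the one init-time allocation */
}
```

With the freeing variant the second event re-enters the allocator from the signal path (the crash the report describes); with the reusing variant the signal path never allocates once the timer exists.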

>How-To-Repeat:
Infrequent crash with Emulate3Buttons enabled, with mouse button events 
concurrent with heavy paging.
>Fix:

--- programs/Xserver/hw/xfree86/input/mouse/mouse.c.orig	Sat Aug 18 22:47:30 2001
+++ programs/Xserver/hw/xfree86/input/mouse/mouse.c	Thu Aug 23 17:13:44 2001
@@ -1837,8 +1837,6 @@
     if ((id = stateTab[pMse->emulateState][4][0]) != 0) {
         xf86PostButtonEvent(pInfo->dev, 0, abs(id), (id >= 0), 0, 0);
         pMse->emulateState = stateTab[pMse->emulateState][4][2];
-    } else {
-        ErrorF("Got unexpected buttonTimer in state %d\n", pMse->emulateState);
     }
 
     xf86UnblockSIGIO (sigstate);
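Review bot: with the else branch gone, a buttonTimer callback that fires in a state whose stateTab[...][4][0] entry is 0 is now silently ignored, which is the intent since the timer is no longer freed, but nothing at this site tells a later reader that such firings are expected; a one-line comment on the `if`, e.g. `/* timer may fire after its state has moved on; harmless now that it is never freed */`, would keep the ErrorF from being reintroduced as a "missing diagnostic" fix.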
@@ -1892,11 +1890,6 @@
             if (stateTab[pMse->emulateState][4][0] != 0) {
                 timer = TimerSet(timer, 0, pMse->emulate3Timeout, buttonTimer,
 			     pInfo);
-            } else {
-                if (timer) {
-                    TimerFree(timer);
-                    timer = NULL;
-                }
             }
         }
 
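Review bot: the remaining `timer = TimerSet(timer, 0, pMse->emulate3Timeout, buttonTimer, pInfo);` in the `if` branch is still reached from MousePostEvent under SIGIO, and the description itself says TimerSet calls into malloc when it has no timer to reuse, so the first arming after the driver starts (timer == NULL) still allocates from signal context; allocating the timer once on the device init/on path and passing it here so TimerSet only ever reuses it would close that window completely. Separately, this was the only TimerFree in the posted diff, so the device-close path should be checked to cancel the timer before pInfo goes away, since the callback receives pInfo as its argument.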

>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-ports->jmz 
Responsible-Changed-By: petef 
Responsible-Changed-When: Thu Aug 23 06:35:05 PDT 2001 
Responsible-Changed-Why:  
Over to maintainer. 

http://www.FreeBSD.org/cgi/query-pr.cgi?pr=29982 
State-Changed-From-To: open->closed 
State-Changed-By: jmz 
State-Changed-When: Thu Aug 23 15:37:23 PDT 2001 
State-Changed-Why:  
Patch committed. 

http://www.FreeBSD.org/cgi/query-pr.cgi?pr=29982 
>Unformatted:
