[PATCH] x11-servers/xorg-server coredumps on exit

[Robert Noland]

On Sat, 2009-02-21 at 22:53 +1100, Peter Jeremy wrote:
> >Submitter-Id:	current-users
> >Originator:	Peter Jeremy
> >Organization:	n/a
> >Confidential:	no 
> >Synopsis:	[PATCH] x11-servers/xorg-server coredumps on exit
> >Severity:	serious
> >Priority:	medium
> >Category:	ports
> >Class:		sw-bug
> >Release:	FreeBSD 8.0-CURRENT amd64
> >Environment:
> System: FreeBSD server.vk2pj.dyndns.org 8.0-CURRENT FreeBSD 8.0-CURRENT #5: Sun Feb 15 21:09:05 EST 2009 root at server.vk2pj.dyndns.org:/var/obj/usr/src/sys/server amd64
> 
> dri-7.3,2
> freetype2-2.3.7
> libXau-1.0.4
> libXdmcp-1.0.2_1
> libXfont-1.3.4,1
> libdrm-2.4.4
> libfontenc-1.0.4
> libpciaccess-0.10.5_4
> pixman-0.14.0
> xf86-input-keyboard-1.3.2
> xf86-input-mouse-1.4.0_3
> xf86-video-ati-6.10.0 or xf86-video-ati-6.10.99.0
> xf86-video-radeonhd-1.2.4_1
> xf86-video-vesa-2.1.0
> xorg-server-1.5.3_5,1
> 
> ATI Radeon HD 2400 PRO (GV-RX24P256HE_F2):
> (--) PCI:*(0 at 1:0:0) ATI Technologies Inc RV610 video device [Radeon HD 2400 PRO] rev 0, Mem @ 0xd0000000/268435456, 0xfdee0000/65536, I/O @ 0x0000de00/256, BIOS @ 0x????????/65536
> 
> >Description:
> 	Xorg with ati or radeonhd driver core-dumps on exit due to
> 	use-after-free error (caused by freeing the root window
> 	structure too early) if MALLOC_OPTIONS=J.
> 
> 	Backtrace of failure is:
> #9  <signal handler called>
> #10 DeliverPropertyEvent (pWin=0x5a5a5a5a5a5a5a5a, value=0x7fffffffe990) at rrproperty.c:34
> #11 0x000000000042f0a3 in TraverseTree (pWin=0x802911000, func=0x511780 <DeliverPropertyEvent>, data=0x7fffffffe990) at window.c:225
> #12 0x000000000051173a in RRDeleteAllOutputProperties (output=0x8029ff1c0) at rrproperty.c:80
> #13 0x0000000000510131 in RROutputDestroyResource (value=Variable "value" is not available.) at rroutput.c:410
> #14 0x000000000042e6d2 in FreeClientResources (client=0x801821140) at resource.c:807
> #15 0x000000000042e7af in FreeAllResources () at resource.c:824
> #16 0x000000000042c423 in main (argc=4, argv=0x7fffffffeb58, envp=Variable "envp" is not available.
> 
> 	Backtrace from offending free() call is:
> (gdb) where
> #0  0x000000080162a4a0 in free () from /lib/libc.so.7
> #1  0x0000000000434391 in DeleteWindow (value=0x802911000, wid=129) at window.c:938
> #2  0x000000000042e6d2 in FreeClientResources (client=0x801821140) at resource.c:807
> #3  0x000000000042e7af in FreeAllResources () at resource.c:824
> #4  0x000000000042c423 in main (argc=1, argv=0x7fffffffeb38, envp=Variable "envp" is not available.
> ) at main.c:453
> (gdb) p *WindowTable 
> $23 = 0x802911000
> 
> >How-To-Repeat:
> 	Enable malloc(3) debugging (default in -current) and start and
> 	stop X normally.
> 
> >Fix:
> 	The following patch prevents the root window structure being
> 	freed.  I suspect it is a hack but it works for me.
> --- dix/window.c~	2008-11-06 03:52:17.000000000 +1100
> +++ dix/window.c	2009-02-21 12:49:41.157078842 +1100
> @@ -935,7 +935,11 @@
>  	    pWin->prevSib->nextSib = pWin->nextSib;
>      }
>      dixFreePrivates(pWin->devPrivates);
> -    xfree(pWin);
> +    if (!pParent) {
> +	pWin->devPrivates = NULL;
> +    } else {
> +	xfree(pWin);
> +    }
>      return Success;
>  }

Cool, this looks like it is still applicable to git master, so I've
forwarded this upstream to a couple of folks that are more familiar with
that code.  Should get word back fairly soon.

robert.

> _______________________________________________
> freebsd-x11 at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-x11
> To unsubscribe, send any mail to "freebsd-x11-unsubscribe at freebsd.org"
-- 
Robert Noland <rnoland at FreeBSD.org>
FreeBSD
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 196 bytes
Desc: This is a digitally signed message part
Url : http://lists.freebsd.org/pipermail/freebsd-x11/attachments/20090221/f3ebde30/attachment.pgp