From owner-freebsd-x11@FreeBSD.ORG Sat Feb 21 22:58:44 2009 Return-Path: Delivered-To: x11@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id EEB6D10656D7 for ; Sat, 21 Feb 2009 22:58:44 +0000 (UTC) (envelope-from rnoland@FreeBSD.org) Received: from gizmo.2hip.net (gizmo.2hip.net [64.74.207.195]) by mx1.freebsd.org (Postfix) with ESMTP id A06A98FC35 for ; Sat, 21 Feb 2009 22:58:44 +0000 (UTC) (envelope-from rnoland@FreeBSD.org) Received: from [192.168.1.2] (adsl-157-36-144.bna.bellsouth.net [70.157.36.144]) (authenticated bits=0) by gizmo.2hip.net (8.14.3/8.14.3) with ESMTP id n1LMvHTV083380 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Sat, 21 Feb 2009 17:57:18 -0500 (EST) (envelope-from rnoland@FreeBSD.org) From: Robert Noland To: Peter Jeremy In-Reply-To: <200902211153.n1LBrt7F048954@server.vk2pj.dyndns.org> References: <200902211153.n1LBrt7F048954@server.vk2pj.dyndns.org> Content-Type: multipart/signed; micalg="pgp-sha1"; protocol="application/pgp-signature"; boundary="=-S7dark3p80UfExdlfdEs" Organization: FreeBSD Date: Sat, 21 Feb 2009 16:58:32 -0600 Message-Id: <1235257112.1278.4.camel@widget.2hip.net> Mime-Version: 1.0 X-Mailer: Evolution 2.24.4 FreeBSD GNOME Team Port X-Spam-Status: No, score=-2.3 required=5.0 tests=AWL,BAYES_00,RCVD_IN_PBL, RDNS_DYNAMIC autolearn=no version=3.2.5 X-Spam-Checker-Version: SpamAssassin 3.2.5 (2008-06-10) on gizmo.2hip.net Cc: FreeBSD-gnats-submit@freebsd.org, x11@freebsd.org Subject: Re: [PATCH] x11-servers/xorg-server coredumps on exit X-BeenThere: freebsd-x11@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: X11 on FreeBSD -- maintaining and support List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 21 Feb 2009 22:58:48 -0000 --=-S7dark3p80UfExdlfdEs Content-Type: text/plain Content-Transfer-Encoding: quoted-printable On Sat, 2009-02-21 at 22:53 +1100, Peter Jeremy wrote: > >Submitter-Id: current-users > >Originator: Peter Jeremy > >Organization: n/a > >Confidential: no=20 > >Synopsis: [PATCH] x11-servers/xorg-server coredumps on exit > >Severity: serious > >Priority: medium > >Category: ports > >Class: sw-bug > >Release: FreeBSD 8.0-CURRENT amd64 > >Environment: > System: FreeBSD server.vk2pj.dyndns.org 8.0-CURRENT FreeBSD 8.0-CURRENT #= 5: Sun Feb 15 21:09:05 EST 2009 root@server.vk2pj.dyndns.org:/var/obj/usr/s= rc/sys/server amd64 >=20 > dri-7.3,2 > freetype2-2.3.7 > libXau-1.0.4 > libXdmcp-1.0.2_1 > libXfont-1.3.4,1 > libdrm-2.4.4 > libfontenc-1.0.4 > libpciaccess-0.10.5_4 > pixman-0.14.0 > xf86-input-keyboard-1.3.2 > xf86-input-mouse-1.4.0_3 > xf86-video-ati-6.10.0 or xf86-video-ati-6.10.99.0 > xf86-video-radeonhd-1.2.4_1 > xf86-video-vesa-2.1.0 > xorg-server-1.5.3_5,1 >=20 > ATI Radeon HD 2400 PRO (GV-RX24P256HE_F2): > (--) PCI:*(0@1:0:0) ATI Technologies Inc RV610 video device [Radeon HD 24= 00 PRO] rev 0, Mem @ 0xd0000000/268435456, 0xfdee0000/65536, I/O @ 0x0000de= 00/256, BIOS @ 0x????????/65536 >=20 > >Description: > Xorg with ati or radeonhd driver core-dumps on exit due to > use-after-free error (caused by freeing the root window > structure too early) if MALLOC_OPTIONS=3DJ. >=20 > Backtrace of failure is: > #9 > #10 DeliverPropertyEvent (pWin=3D0x5a5a5a5a5a5a5a5a, value=3D0x7fffffffe9= 90) at rrproperty.c:34 > #11 0x000000000042f0a3 in TraverseTree (pWin=3D0x802911000, func=3D0x5117= 80 , data=3D0x7fffffffe990) at window.c:225 > #12 0x000000000051173a in RRDeleteAllOutputProperties (output=3D0x8029ff1= c0) at rrproperty.c:80 > #13 0x0000000000510131 in RROutputDestroyResource (value=3DVariable "valu= e" is not available.) at rroutput.c:410 > #14 0x000000000042e6d2 in FreeClientResources (client=3D0x801821140) at r= esource.c:807 > #15 0x000000000042e7af in FreeAllResources () at resource.c:824 > #16 0x000000000042c423 in main (argc=3D4, argv=3D0x7fffffffeb58, envp=3DV= ariable "envp" is not available. >=20 > Backtrace from offending free() call is: > (gdb) where > #0 0x000000080162a4a0 in free () from /lib/libc.so.7 > #1 0x0000000000434391 in DeleteWindow (value=3D0x802911000, wid=3D129) a= t window.c:938 > #2 0x000000000042e6d2 in FreeClientResources (client=3D0x801821140) at r= esource.c:807 > #3 0x000000000042e7af in FreeAllResources () at resource.c:824 > #4 0x000000000042c423 in main (argc=3D1, argv=3D0x7fffffffeb38, envp=3DV= ariable "envp" is not available. > ) at main.c:453 > (gdb) p *WindowTable=20 > $23 =3D 0x802911000 >=20 > >How-To-Repeat: > Enable malloc(3) debugging (default in -current) and start and > stop X normally. >=20 > >Fix: > The following patch prevents the root window structure being > freed. I suspect it is a hack but it works for me. > --- dix/window.c~ 2008-11-06 03:52:17.000000000 +1100 > +++ dix/window.c 2009-02-21 12:49:41.157078842 +1100 > @@ -935,7 +935,11 @@ > pWin->prevSib->nextSib =3D pWin->nextSib; > } > dixFreePrivates(pWin->devPrivates); > - xfree(pWin); > + if (!pParent) { > + pWin->devPrivates =3D NULL; > + } else { > + xfree(pWin); > + } > return Success; > } Cool, this looks like it is still applicable to git master, so I've forwarded this upstream to a couple of folks that are more familiar with that code. Should get word back fairly soon. robert. > _______________________________________________ > freebsd-x11@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-x11 > To unsubscribe, send any mail to "freebsd-x11-unsubscribe@freebsd.org" --=20 Robert Noland FreeBSD --=-S7dark3p80UfExdlfdEs Content-Type: application/pgp-signature; name="signature.asc" Content-Description: This is a digitally signed message part -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.10 (FreeBSD) iEYEABECAAYFAkmghxgACgkQM4TrQ4qfROPu2gCffUtOjKxEYLXxeIlhWlwfwpfr X80An1WjkTU2FdKXzm3ik3XdzQW+Ma03 =P+1n -----END PGP SIGNATURE----- --=-S7dark3p80UfExdlfdEs--