Date: Sat, 21 Feb 2009 22:53:55 +1100 (EST)
From: Peter Jeremy <peterjeremy@optushome.com.au>
To: FreeBSD-gnats-submit@FreeBSD.org
Cc: x11@FreeBSD.org
Subject: ports/131930: [PATCH] x11-servers/xorg-server coredumps on exit
Message-ID: <200902211153.n1LBrt7F048954@server.vk2pj.dyndns.org>
Resent-Message-ID: <200902211200.n1LC06ax032527@freefall.freebsd.org>
>Number: 131930
>Category: ports
>Synopsis: [PATCH] x11-servers/xorg-server coredumps on exit
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: freebsd-ports-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Sat Feb 21 12:00:06 UTC 2009
>Closed-Date:
>Last-Modified:
>Originator: Peter Jeremy
>Release: FreeBSD 8.0-CURRENT amd64
>Organization:
n/a
>Environment:
System: FreeBSD server.vk2pj.dyndns.org 8.0-CURRENT FreeBSD 8.0-CURRENT #5: Sun Feb 15 21:09:05 EST 2009 root@server.vk2pj.dyndns.org:/var/obj/usr/src/sys/server amd64

dri-7.3,2
freetype2-2.3.7
libXau-1.0.4
libXdmcp-1.0.2_1
libXfont-1.3.4,1
libdrm-2.4.4
libfontenc-1.0.4
libpciaccess-0.10.5_4
pixman-0.14.0
xf86-input-keyboard-1.3.2
xf86-input-mouse-1.4.0_3
xf86-video-ati-6.10.0 or xf86-video-ati-6.10.99.0
xf86-video-radeonhd-1.2.4_1
xf86-video-vesa-2.1.0
xorg-server-1.5.3_5,1

ATI Radeon HD 2400 PRO (GV-RX24P256HE_F2):
(--) PCI:*(0@1:0:0) ATI Technologies Inc RV610 video device [Radeon HD 2400 PRO] rev 0, Mem @ 0xd0000000/268435456, 0xfdee0000/65536, I/O @ 0x0000de00/256, BIOS @ 0x????????/65536
>Description:
Xorg with ati or radeonhd driver core-dumps on exit due to use-after-free error (caused by freeing the root window structure too early) if MALLOC_OPTIONS=J.

Backtrace of failure is:
#9 <signal handler called>
#10 DeliverPropertyEvent (pWin=0x5a5a5a5a5a5a5a5a, value=0x7fffffffe990) at rrproperty.c:34
#11 0x000000000042f0a3 in TraverseTree (pWin=0x802911000, func=0x511780 <DeliverPropertyEvent>, data=0x7fffffffe990) at window.c:225
#12 0x000000000051173a in RRDeleteAllOutputProperties (output=0x8029ff1c0) at rrproperty.c:80
#13 0x0000000000510131 in RROutputDestroyResource (value=Variable "value" is not available.)
at rroutput.c:410 #14 0x000000000042e6d2 in FreeClientResources (client=0x801821140) at resource.c:807 #15 0x000000000042e7af in FreeAllResources () at resource.c:824 #16 0x000000000042c423 in main (argc=4, argv=0x7fffffffeb58, envp=Variable "envp" is not available. Backtrace from offending free() call is: (gdb) where #0 0x000000080162a4a0 in free () from /lib/libc.so.7 #1 0x0000000000434391 in DeleteWindow (value=0x802911000, wid=129) at window.c:938 #2 0x000000000042e6d2 in FreeClientResources (client=0x801821140) at resource.c:807 #3 0x000000000042e7af in FreeAllResources () at resource.c:824 #4 0x000000000042c423 in main (argc=1, argv=0x7fffffffeb38, envp=Variable "envp" is not available. ) at main.c:453 (gdb) p *WindowTable $23 = 0x802911000 >How-To-Repeat: Enable malloc(3) debugging (default in -current) and start and stop X normally. >Fix: The following patch prevents the root window structure being freed. I suspect it is a hack but it works for me. --- dix/window.c~ 2008-11-06 03:52:17.000000000 +1100 +++ dix/window.c 2009-02-21 12:49:41.157078842 +1100 @@ -935,7 +935,11 @@ pWin->prevSib->nextSib = pWin->nextSib; } dixFreePrivates(pWin->devPrivates); - xfree(pWin); + if (!pParent) { + pWin->devPrivates = NULL; + } else { + xfree(pWin); + } return Success; } >Release-Note: >Audit-Trail: >Unformatted:
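Review bot: the new !pParent branch in DeleteWindow never releases pWin, and nothing in the hunk shows where the root window is freed afterwards, so the root window structure stays allocated with its devPrivates already freed and set to NULL. The backtraces in the report show RROutputDestroyResource reaching TraverseTree on the same pointer (0x802911000) that DeleteWindow had already passed to free(), both from FreeClientResources at resource.c:807, so the underlying defect is the teardown order; keeping the allocation alive stops the crash but TraverseTree still walks a root window whose privates are gone. Consider either destroying the RandR output resources before the root window is deleted, or deferring the free of the root window until FreeAllResources has finished and freeing it there, so the memory is still released. If the branch stays as written, it needs a comment stating that a NULL pParent identifies the root window, why it must outlive this call, and which code owns the final free.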