From owner-freebsd-x11@FreeBSD.ORG Sat Feb 21 16:53:10 2009
Date: Sat, 21 Feb 2009 22:53:55 +1100 (EST)
Message-Id: <200902211153.n1LBrt7F048954@server.vk2pj.dyndns.org>
To: FreeBSD-gnats-submit@freebsd.org
From: Peter Jeremy
Cc: x11@freebsd.org
Subject: [PATCH] x11-servers/xorg-server coredumps on exit

>Submitter-Id: current-users
>Originator: Peter Jeremy
>Organization: n/a
>Confidential: no
>Synopsis: [PATCH] x11-servers/xorg-server coredumps on exit
>Severity: serious
>Priority: medium
>Category: ports
>Class: sw-bug
>Release: FreeBSD 8.0-CURRENT amd64
>Environment:
System: FreeBSD server.vk2pj.dyndns.org 8.0-CURRENT FreeBSD 8.0-CURRENT #5: Sun Feb 15 21:09:05 EST 2009 root@server.vk2pj.dyndns.org:/var/obj/usr/src/sys/server amd64

dri-7.3,2
freetype2-2.3.7
libXau-1.0.4
libXdmcp-1.0.2_1
libXfont-1.3.4,1
libdrm-2.4.4
libfontenc-1.0.4
libpciaccess-0.10.5_4
pixman-0.14.0
xf86-input-keyboard-1.3.2
xf86-input-mouse-1.4.0_3
xf86-video-ati-6.10.0 or xf86-video-ati-6.10.99.0
xf86-video-radeonhd-1.2.4_1
xf86-video-vesa-2.1.0
xorg-server-1.5.3_5,1

ATI Radeon HD 2400 PRO (GV-RX24P256HE_F2):
(--) PCI:*(0@1:0:0) ATI Technologies Inc RV610 video device [Radeon HD 2400 PRO] rev 0, Mem @ 0xd0000000/268435456, 0xfdee0000/65536, I/O @ 0x0000de00/256, BIOS @ 0x????????/65536
>Description:
Xorg with ati or radeonhd driver core-dumps on exit due to use-after-free error (caused by freeing the root window structure too early) if MALLOC_OPTIONS=J.

Backtrace of failure is:
#9
#10 DeliverPropertyEvent (pWin=0x5a5a5a5a5a5a5a5a, value=0x7fffffffe990) at rrproperty.c:34
#11 0x000000000042f0a3 in TraverseTree (pWin=0x802911000, func=0x511780 , data=0x7fffffffe990) at window.c:225
#12 0x000000000051173a in RRDeleteAllOutputProperties (output=0x8029ff1c0) at rrproperty.c:80
#13 0x0000000000510131 in RROutputDestroyResource (value=Variable "value" is not available.)
at rroutput.c:410
#14 0x000000000042e6d2 in FreeClientResources (client=0x801821140) at resource.c:807
#15 0x000000000042e7af in FreeAllResources () at resource.c:824
#16 0x000000000042c423 in main (argc=4, argv=0x7fffffffeb58, envp=Variable "envp" is not available.

Backtrace from offending free() call is:
(gdb) where
#0 0x000000080162a4a0 in free () from /lib/libc.so.7
#1 0x0000000000434391 in DeleteWindow (value=0x802911000, wid=129) at window.c:938
#2 0x000000000042e6d2 in FreeClientResources (client=0x801821140) at resource.c:807
#3 0x000000000042e7af in FreeAllResources () at resource.c:824
#4 0x000000000042c423 in main (argc=1, argv=0x7fffffffeb38, envp=Variable "envp" is not available.
) at main.c:453
(gdb) p *WindowTable
$23 = 0x802911000
>How-To-Repeat:
Enable malloc(3) debugging (default in -current) and start and stop X normally.
>Fix:
The following patch prevents the root window structure being freed. I suspect it is a hack but it works for me.

--- dix/window.c~ 2008-11-06 03:52:17.000000000 +1100 +++ dix/window.c 2009-02-21 12:49:41.157078842 +1100 @@ -935,7 +935,11 @@ pWin->prevSib->nextSib = pWin->nextSib; } dixFreePrivates(pWin->devPrivates); - xfree(pWin); + if (!pParent) { + pWin->devPrivates = NULL; + } else { + xfree(pWin); + } return Success; }
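
Review bot: In the new `if (!pParent)` branch the root window is never passed to xfree(), and nothing in the hunk frees it later, so the allocation is leaked on every path through here. The structure is also left reachable in a half-destroyed state: dixFreePrivates(pWin->devPrivates) has already run and only devPrivates is set to NULL, yet the TraverseTree call from RRDeleteAllOutputProperties shown in the failure backtrace will still start from it. Consider fixing the teardown order instead, so that the resources which walk the window tree are released before the root window, or clear the WindowTable entry when the root is freed so the walk cannot start from a stale pointer. If the branch stays, it needs a comment explaining why the root is deliberately kept, and since `pParent` is not defined in the visible context, please confirm it is captured before pWin is unlinked.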