Date: Sat, 21 Feb 2009 16:58:32 -0600
From: Robert Noland <rnoland@FreeBSD.org>
To: Peter Jeremy <peterjeremy@optushome.com.au>
Cc: FreeBSD-gnats-submit@freebsd.org, x11@freebsd.org
Subject: Re: [PATCH] x11-servers/xorg-server coredumps on exit
Message-ID: <1235257112.1278.4.camel@widget.2hip.net>
In-Reply-To: <200902211153.n1LBrt7F048954@server.vk2pj.dyndns.org>
References: <200902211153.n1LBrt7F048954@server.vk2pj.dyndns.org>
On Sat, 2009-02-21 at 22:53 +1100, Peter Jeremy wrote:
> >Submitter-Id: current-users
> >Originator: Peter Jeremy
> >Organization: n/a
> >Confidential: no
> >Synopsis: [PATCH] x11-servers/xorg-server coredumps on exit
> >Severity: serious
> >Priority: medium
> >Category: ports
> >Class: sw-bug
> >Release: FreeBSD 8.0-CURRENT amd64
> >Environment:
> System: FreeBSD server.vk2pj.dyndns.org 8.0-CURRENT FreeBSD 8.0-CURRENT #5: Sun Feb 15 21:09:05 EST 2009 root@server.vk2pj.dyndns.org:/var/obj/usr/src/sys/server amd64
>
> dri-7.3,2
> freetype2-2.3.7
> libXau-1.0.4
> libXdmcp-1.0.2_1
> libXfont-1.3.4,1
> libdrm-2.4.4
> libfontenc-1.0.4
> libpciaccess-0.10.5_4
> pixman-0.14.0
> xf86-input-keyboard-1.3.2
> xf86-input-mouse-1.4.0_3
> xf86-video-ati-6.10.0 or xf86-video-ati-6.10.99.0
> xf86-video-radeonhd-1.2.4_1
> xf86-video-vesa-2.1.0
> xorg-server-1.5.3_5,1
>
> ATI Radeon HD 2400 PRO (GV-RX24P256HE_F2):
> (--) PCI:*(0@1:0:0) ATI Technologies Inc RV610 video device [Radeon HD 2400 PRO] rev 0, Mem @ 0xd0000000/268435456, 0xfdee0000/65536, I/O @ 0x0000de00/256, BIOS @ 0x????????/65536
>
> >Description:
> Xorg with ati or radeonhd driver core-dumps on exit due to
> use-after-free error (caused by freeing the root window
> structure too early) if MALLOC_OPTIONS=J.
>
> Backtrace of failure is:
> #9 <signal handler called>
> #10 DeliverPropertyEvent (pWin=0x5a5a5a5a5a5a5a5a, value=0x7fffffffe990) at rrproperty.c:34
> #11 0x000000000042f0a3 in TraverseTree (pWin=0x802911000, func=0x511780 <DeliverPropertyEvent>, data=0x7fffffffe990) at window.c:225
> #12 0x000000000051173a in RRDeleteAllOutputProperties (output=0x8029ff1c0) at rrproperty.c:80
> #13 0x0000000000510131 in RROutputDestroyResource (value=Variable "value" is not available.) at rroutput.c:410
> #14 0x000000000042e6d2 in FreeClientResources (client=0x801821140) at resource.c:807
> #15 0x000000000042e7af in FreeAllResources () at resource.c:824
> #16 0x000000000042c423 in main (argc=4, argv=0x7fffffffeb58, envp=Variable "envp" is not available.
>
> Backtrace from offending free() call is:
> (gdb) where
> #0 0x000000080162a4a0 in free () from /lib/libc.so.7
> #1 0x0000000000434391 in DeleteWindow (value=0x802911000, wid=129) at window.c:938
> #2 0x000000000042e6d2 in FreeClientResources (client=0x801821140) at resource.c:807
> #3 0x000000000042e7af in FreeAllResources () at resource.c:824
> #4 0x000000000042c423 in main (argc=1, argv=0x7fffffffeb38, envp=Variable "envp" is not available.
> ) at main.c:453
> (gdb) p *WindowTable
> $23 = 0x802911000
>
> >How-To-Repeat:
> Enable malloc(3) debugging (default in -current) and start and
> stop X normally.
>
> >Fix:
> The following patch prevents the root window structure being
> freed. I suspect it is a hack but it works for me.
> --- dix/window.c~ 2008-11-06 03:52:17.000000000 +1100 > +++ dix/window.c 2009-02-21 12:49:41.157078842 +1100 
> @@ -935,7 +935,11 @@ > pWin->prevSib->nextSib =3D pWin->nextSib; > } > dixFreePrivates(pWin->devPrivates); > - xfree(pWin); > + if (!pParent) { > + pWin->devPrivates =3D NULL; > + } else { > + xfree(pWin); > + } > return Success; > }

Cool, this looks like it is still applicable to git master, so I've
forwarded this upstream to a couple of folks that are more familiar with
that code. Should get word back fairly soon.

robert.

--
Robert Noland <rnoland@FreeBSD.org>
FreeBSD
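Review bot: in the `if (!pParent)` branch the root window is no longer freed at all, and the hunk neither says who releases it later nor carries a comment on why a parentless window is special. By that point `dixFreePrivates(pWin->devPrivates)` has already run, so the structure that survives is half torn down, and any later walk that reaches it (the backtrace gets there through TraverseTree from RROutputDestroyResource) finds a window whose `devPrivates` is NULL. I would rather see the stale reference handled directly, either by releasing the RandR output resources before the root window goes away or by clearing the table entry that still holds the pointer (`*WindowTable` in the gdb session equals the address passed to free()), and at minimum a comment on the new branch stating where the root window is eventually released. `pParent` is also not defined in the visible context, so please confirm it is still valid after the sibling unlinking just above.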
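An added example, not part of the original message and not X.Org code: a constructed C model of the teardown order in the report, showing why the crashing frame carries pWin=0x5a5a5a5a5a5a5a5a when freed memory is junk-filled. The `Win` struct, `window_table`, and the quarantine-style `junk_free` (which poisons but keeps the block allocated so the demo stays well defined) are assumptions made for the illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model, not X.Org code. The root window stays reachable
 * through a global table, as *WindowTable does in the gdb session. */
typedef struct Win { struct Win *firstChild, *nextSib; } Win;
static Win *window_table[1];

/* Stand-in for free() under MALLOC_OPTIONS=J: poison with 0x5a. The
 * block is kept allocated (quarantined) so reading it back is defined. */
static void junk_free(void *p, size_t n) { memset(p, 0x5a, n); }
/* True when p is the all-0x5a pattern seen as pWin in frame #10. */
static int is_junk_ptr(const void *p) {
    uintptr_t junk;
    memset(&junk, 0x5a, sizeof junk);
    return (uintptr_t)p == junk;
}

/* Walk the children as a tree traversal would, but check each pointer
 * before following it. Returns 1 at the point the real server crashed. */
static int traverse_hits_junk(const Win *root) {
    for (const Win *w = root->firstChild; w != NULL; w = w->nextSib)
        if (is_junk_ptr(w)) return 1;
    return 0;
}

/* outputs_first = 0: windows deleted, then the output resource walks
 * the tree (reported order). outputs_first = 1: the walk happens first. */
static int teardown(int outputs_first) {
    Win *root = calloc(1, sizeof *root), *child = calloc(1, sizeof *child);
    int hit = 0;
    if (!root || !child) abort();
    root->firstChild = child;
    window_table[0] = root;
    if (outputs_first) hit = traverse_hits_junk(window_table[0]);
    junk_free(child, sizeof *child);              /* DeleteWindow stand-in */
    junk_free(root, sizeof *root);
    if (!outputs_first) hit = traverse_hits_junk(window_table[0]); /* stale */
    window_table[0] = NULL;
    free(child); free(root);                      /* leave quarantine */
    return hit;
}

int main(void) {
    printf("windows first: %d, outputs first: %d\n", teardown(0), teardown(1));
    return 0;
}
```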