Date: Fri, 20 Feb 2009 21:06:55 +1100 From: Peter Jeremy <peterjeremy@optushome.com.au> To: Robert Noland <rnoland@freebsd.org> Cc: freebsd-x11 <freebsd-x11@freebsd.org> Subject: Re: [CFT] xf86-video-ati-6.10.99.0 Message-ID: <20090220100655.GA56539@server.vk2pj.dyndns.org> In-Reply-To: <20090216190037.GA41111@server.vk2pj.dyndns.org> References: <1234248221.1524.31.camel@ferret.2hip.net> <20090216190037.GA41111@server.vk2pj.dyndns.org>
next in thread | previous in thread | raw e-mail | index | archive | help
[-- Attachment #1 --] On 2009-Feb-17 06:00:37 +1100, Peter Jeremy <peter@server.vk2pj.dyndns.org> wrote: >On 2009-Feb-10 01:43:41 -0500, Robert Noland <rnoland@freebsd.org> wrote: >>This patch is for the 6.11.0rc version of the ati driver driver. >> >>http://people.freebsd.org/~rnoland/xf86-video-ati-6.10.99.0.patch > >Summary: Still broken: Exiting Xserver core-dumps and doesn't restore >VTY video (though keyboard is restored). I rebuilt the Xserver related ports with debugging enabled and it turns out that this is a bug in xorg-server-1.5.3 rather than xf86-video-ati. The backtrace is: (gdb) where ... #9 <signal handler called> #10 DeliverPropertyEvent (pWin=0x5a5a5a5a5a5a5a5a, value=0x7fffffffe990) at rrproperty.c:34 #11 0x000000000042f0a3 in TraverseTree (pWin=0x802911000, func=0x511780 <DeliverPropertyEvent>, data=0x7fffffffe990) at window.c:225 #12 0x000000000051173a in RRDeleteAllOutputProperties (output=0x8029ff1c0) at rrproperty.c:80 #13 0x0000000000510131 in RROutputDestroyResource (value=Variable "value" is not available.) at rroutput.c:410 #14 0x000000000042e6d2 in FreeClientResources (client=0x801821140) at resource.c:807 #15 0x000000000042e7af in FreeAllResources () at resource.c:824 #16 0x000000000042c423 in main (argc=4, argv=0x7fffffffeb58, envp=Variable "envp" is not available. This fairly clearly shows DeliverPropertyEvent() is being called with a garbage window pointer - specifically it's a use-after-free bug: The root window _Window is being freed too early. I'm still digging through the code to work out where/why. -- Peter Jeremy [-- Attachment #2 --] -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.10 (FreeBSD) iEYEARECAAYFAkmegL8ACgkQ/opHv/APuIcZ7gCfaTYYAQOg3o5OEVC0O5hQqPUt RYYAoLL6KP45zyW4wBwcebY/aCHIPlr4 =KtF5 -----END PGP SIGNATURE-----
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20090220100655.GA56539>