Date:      Sat, 21 Feb 2009 16:58:32 -0600
From:      Robert Noland <rnoland@FreeBSD.org>
To:        Peter Jeremy <peterjeremy@optushome.com.au>
Cc:        FreeBSD-gnats-submit@freebsd.org, x11@freebsd.org
Subject:   Re: [PATCH] x11-servers/xorg-server coredumps on exit
Message-ID:  <1235257112.1278.4.camel@widget.2hip.net>
In-Reply-To: <200902211153.n1LBrt7F048954@server.vk2pj.dyndns.org>
References:  <200902211153.n1LBrt7F048954@server.vk2pj.dyndns.org>

On Sat, 2009-02-21 at 22:53 +1100, Peter Jeremy wrote:
> >Submitter-Id:	current-users
> >Originator:	Peter Jeremy
> >Organization:	n/a
> >Confidential:	no
> >Synopsis:	[PATCH] x11-servers/xorg-server coredumps on exit
> >Severity:	serious
> >Priority:	medium
> >Category:	ports
> >Class:		sw-bug
> >Release:	FreeBSD 8.0-CURRENT amd64
> >Environment:
> System: FreeBSD server.vk2pj.dyndns.org 8.0-CURRENT FreeBSD 8.0-CURRENT #5: Sun Feb 15 21:09:05 EST 2009 root@server.vk2pj.dyndns.org:/var/obj/usr/src/sys/server amd64
>
> dri-7.3,2
> freetype2-2.3.7
> libXau-1.0.4
> libXdmcp-1.0.2_1
> libXfont-1.3.4,1
> libdrm-2.4.4
> libfontenc-1.0.4
> libpciaccess-0.10.5_4
> pixman-0.14.0
> xf86-input-keyboard-1.3.2
> xf86-input-mouse-1.4.0_3
> xf86-video-ati-6.10.0 or xf86-video-ati-6.10.99.0
> xf86-video-radeonhd-1.2.4_1
> xf86-video-vesa-2.1.0
> xorg-server-1.5.3_5,1
>
> ATI Radeon HD 2400 PRO (GV-RX24P256HE_F2):
> (--) PCI:*(0@1:0:0) ATI Technologies Inc RV610 video device [Radeon HD 2400 PRO] rev 0, Mem @ 0xd0000000/268435456, 0xfdee0000/65536, I/O @ 0x0000de00/256, BIOS @ 0x????????/65536
>
> >Description:
> 	Xorg with ati or radeonhd driver core-dumps on exit due to
> 	use-after-free error (caused by freeing the root window
> 	structure too early) if MALLOC_OPTIONS=J.
>
> 	Backtrace of failure is:
> #9  <signal handler called>
> #10 DeliverPropertyEvent (pWin=0x5a5a5a5a5a5a5a5a, value=0x7fffffffe990) at rrproperty.c:34
> #11 0x000000000042f0a3 in TraverseTree (pWin=0x802911000, func=0x511780 <DeliverPropertyEvent>, data=0x7fffffffe990) at window.c:225
> #12 0x000000000051173a in RRDeleteAllOutputProperties (output=0x8029ff1c0) at rrproperty.c:80
> #13 0x0000000000510131 in RROutputDestroyResource (value=Variable "value" is not available.) at rroutput.c:410
> #14 0x000000000042e6d2 in FreeClientResources (client=0x801821140) at resource.c:807
> #15 0x000000000042e7af in FreeAllResources () at resource.c:824
> #16 0x000000000042c423 in main (argc=4, argv=0x7fffffffeb58, envp=Variable "envp" is not available.
>
> 	Backtrace from offending free() call is:
> (gdb) where
> #0  0x000000080162a4a0 in free () from /lib/libc.so.7
> #1  0x0000000000434391 in DeleteWindow (value=0x802911000, wid=129) at window.c:938
> #2  0x000000000042e6d2 in FreeClientResources (client=0x801821140) at resource.c:807
> #3  0x000000000042e7af in FreeAllResources () at resource.c:824
> #4  0x000000000042c423 in main (argc=1, argv=0x7fffffffeb38, envp=Variable "envp" is not available.
> ) at main.c:453
> (gdb) p *WindowTable
> $23 = 0x802911000
>
> >How-To-Repeat:
> 	Enable malloc(3) debugging (default in -current) and start and
> 	stop X normally.
>
> >Fix:
> 	The following patch prevents the root window structure being
> 	freed.  I suspect it is a hack but it works for me.
> --- dix/window.c~	2008-11-06 03:52:17.000000000 +1100
> +++ dix/window.c	2009-02-21 12:49:41.157078842 +1100
> @@ -935,7 +935,11 @@
>  	    pWin->prevSib->nextSib =3D pWin->nextSib;
>      }
>      dixFreePrivates(pWin->devPrivates);
> -    xfree(pWin);
> +    if (!pParent) {
> +	pWin->devPrivates =3D NULL;
> +    } else {
> +	xfree(pWin);
> +    }
>      return Success;
>  }
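
Review bot: the new `!pParent` branch never frees pWin and carries no comment saying who owns the root window afterwards, so the root record stays allocated with its devPrivates already released by the dixFreePrivates() call just above, while the WindowTable entry shown in the report (0x802911000) keeps pointing at it. That stops the crash in the first backtrace, where TraverseTree() is entered from RROutputDestroyResource() after DeleteWindow() has run, but it works by keeping a half-torn-down window alive rather than by fixing the order of teardown. Please add a comment on the `if (!pParent)` line explaining why the root is kept and where it is eventually released, and consider instead clearing the WindowTable entry when the root is deleted, or making sure the RandR output resources are destroyed before the root window. The added lines also mix tab indentation with the four-space indentation of the surrounding context.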

Cool, this looks like it is still applicable to git master, so I've
forwarded this upstream to a couple of folks that are more familiar with
that code.  Should get word back fairly soon.

robert.

--
Robert Noland <rnoland@FreeBSD.org>
FreeBSD
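
Why frame #10 of the first backtrace shows pWin=0x5a5a5a5a5a5a5a5a, as an added example that is not part of the original message or of the X server source: with MALLOC_OPTIONS=J, free() fills released memory with 0x5a bytes, so a tree walk that starts from a stale root pointer reads junk as its child pointer. The `Win` struct, `root_table` and all function names are hypothetical stand-ins, the arena is constructed so the stale read stays well-defined, and clearing the table entry is an assumed mitigation for illustration, not the fix proposed in the thread.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for the server's window record (not the real WindowRec). */
typedef struct Win { struct Win *parent, *firstChild, *nextSib; } Win;

#define JUNK 0x5a            /* byte the malloc "J" option writes into freed memory */
static Win arena[4];         /* constructed pool: storage stays valid after "free" */
static Win *root_table[1];   /* plays the role of WindowTable[] */

static Win *win_alloc(Win *parent) {
    static unsigned next;
    Win *w = &arena[next++ % 4];
    memset(w, 0, sizeof *w);
    w->parent = parent;
    return w;
}

/* Junk-filling "free": marks the record dead without releasing the storage. */
static void win_free_junk(Win *w) { memset(w, JUNK, sizeof *w); }

/* Teardown as reported: the root is freed but root_table[0] still points at it. */
static void delete_window_reported(Win *w) { win_free_junk(w); }

/* Assumed mitigation: drop the table reference before freeing the root. */
static void delete_window_cleared(Win *w) {
    if (!w->parent) root_table[0] = NULL;
    win_free_junk(w);
}

/* The child pointer a later tree walk from the table would pick up. */
static uintptr_t first_child_seen_by_walk(void) {
    uintptr_t v = 0;
    if (root_table[0]) memcpy(&v, &root_table[0]->firstChild, sizeof v);
    return v;
}

/* Create a root, tear it down with the given routine, then walk from the table. */
static uintptr_t run(void (*del)(Win *)) {
    root_table[0] = win_alloc(NULL);
    del(root_table[0]);
    return first_child_seen_by_walk();
}

int main(void) {
    printf("reported teardown: child = %#lx\n", (unsigned long)run(delete_window_reported));
    printf("table cleared:     child = %#lx\n", (unsigned long)run(delete_window_cleared));
    return 0;
}
```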
