[PATCH] x11-servers/xorg-server coredumps on exit
Peter Jeremy
peterjeremy at optushome.com.au
Sat Feb 21 08:53:10 PST 2009
>Submitter-Id: current-users
>Originator: Peter Jeremy
>Organization: n/a
>Confidential: no
>Synopsis: [PATCH] x11-servers/xorg-server coredumps on exit
>Severity: serious
>Priority: medium
>Category: ports
>Class: sw-bug
>Release: FreeBSD 8.0-CURRENT amd64
>Environment:
System: FreeBSD server.vk2pj.dyndns.org 8.0-CURRENT FreeBSD 8.0-CURRENT #5: Sun Feb 15 21:09:05 EST 2009 root at server.vk2pj.dyndns.org:/var/obj/usr/src/sys/server amd64
dri-7.3,2
freetype2-2.3.7
libXau-1.0.4
libXdmcp-1.0.2_1
libXfont-1.3.4,1
libdrm-2.4.4
libfontenc-1.0.4
libpciaccess-0.10.5_4
pixman-0.14.0
xf86-input-keyboard-1.3.2
xf86-input-mouse-1.4.0_3
xf86-video-ati-6.10.0 or xf86-video-ati-6.10.99.0
xf86-video-radeonhd-1.2.4_1
xf86-video-vesa-2.1.0
xorg-server-1.5.3_5,1
ATI Radeon HD 2400 PRO (GV-RX24P256HE_F2):
(--) PCI:*(0 at 1:0:0) ATI Technologies Inc RV610 video device [Radeon HD 2400 PRO] rev 0, Mem @ 0xd0000000/268435456, 0xfdee0000/65536, I/O @ 0x0000de00/256, BIOS @ 0x????????/65536
>Description:
Xorg with ati or radeonhd driver core-dumps on exit due to
use-after-free error (caused by freeing the root window
structure too early) if MALLOC_OPTIONS=J.
Backtrace of failure is:
#9 <signal handler called>
#10 DeliverPropertyEvent (pWin=0x5a5a5a5a5a5a5a5a, value=0x7fffffffe990) at rrproperty.c:34
#11 0x000000000042f0a3 in TraverseTree (pWin=0x802911000, func=0x511780 <DeliverPropertyEvent>, data=0x7fffffffe990) at window.c:225
#12 0x000000000051173a in RRDeleteAllOutputProperties (output=0x8029ff1c0) at rrproperty.c:80
#13 0x0000000000510131 in RROutputDestroyResource (value=Variable "value" is not available.) at rroutput.c:410
#14 0x000000000042e6d2 in FreeClientResources (client=0x801821140) at resource.c:807
#15 0x000000000042e7af in FreeAllResources () at resource.c:824
#16 0x000000000042c423 in main (argc=4, argv=0x7fffffffeb58, envp=Variable "envp" is not available.
Backtrace from offending free() call is:
(gdb) where
#0 0x000000080162a4a0 in free () from /lib/libc.so.7
#1 0x0000000000434391 in DeleteWindow (value=0x802911000, wid=129) at window.c:938
#2 0x000000000042e6d2 in FreeClientResources (client=0x801821140) at resource.c:807
#3 0x000000000042e7af in FreeAllResources () at resource.c:824
#4 0x000000000042c423 in main (argc=1, argv=0x7fffffffeb38, envp=Variable "envp" is not available.
) at main.c:453
(gdb) p *WindowTable
$23 = 0x802911000
>How-To-Repeat:
Enable malloc(3) debugging (default in -current) and start and
stop X normally.
>Fix:
The following patch prevents the root window structure being
freed. I suspect it is a hack but it works for me.
--- dix/window.c~ 2008-11-06 03:52:17.000000000 +1100
+++ dix/window.c 2009-02-21 12:49:41.157078842 +1100
@@ -935,7 +935,11 @@
pWin->prevSib->nextSib = pWin->nextSib;
}
dixFreePrivates(pWin->devPrivates);
- xfree(pWin);
+ if (!pParent) {
+ pWin->devPrivates = NULL;
+ } else {
+ xfree(pWin);
+ }
return Success;
}
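Review bot: the new "if (!pParent)" branch never frees pWin, so the root window structure is leaked each time DeleteWindow runs on a root, while dixFreePrivates(pWin->devPrivates) has already run on it. The structure that stays reachable through WindowTable is therefore partly torn down when the later RRDeleteAllOutputProperties -> TraverseTree walk from the first backtrace visits it. This avoids the read of freed memory but leaves the teardown ordering that caused it in place. A fix that stops the RandR output cleanup from walking the window tree once the root is gone, or that releases the root window only after the remaining resources are freed, would remove the dangling reference instead of keeping its target alive. If the workaround stays, add a comment above "if (!pParent)" stating that the root is deliberately kept because later resource destructors still dereference it, and say where it is eventually released.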