Bug 22045

Summary: free memory deref in damage on server exit
Product: xorg
Reporter: Matthieu Herrb <matthieu.herrb>
Component: Driver/other
Assignee: Xorg Project Team <xorg-team>
Status: RESOLVED FIXED
QA Contact: Xorg Project Team <xorg-team>
Severity: major
Priority: high
Version: 7.4 (2008.09)
Hardware: All
OS: OpenBSD
Bug Blocks: 16399

Description Matthieu Herrb 2009-06-02 16:47:43 UTC
On OpenBSD, with the malloc flag set to put 0xdf in every freed memory chunk, Xserver 1.6 aborts on the exit path because of a freed-memory access in shadow.

Backtrace: 

Program received signal SIGBUS, Bus error.
0x001e5bc0 in damageRemoveDamage (pPrev=0xdfdfdfdf, pDamage=0x2b2fd380)
    at damage.c:1697
1697        while (*pPrev)
(gdb) p pPrev
$1 = (DamagePtr *) 0xdfdfdfdf
(gdb) bt
#0  0x001e5bc0 in damageRemoveDamage (pPrev=0xdfdfdfdf, pDamage=0x2b2fd380)
    at damage.c:1697
#1  0x001e67f8 in DamageUnregister (pDrawable=0x2dc86640, pDamage=0x2b2fd380)
    at damage.c:2001
#2  0x28ee8988 in shadowRemove (pScreen=0x26f57400, pPixmap=0x2dc86640)
    at shadow.c:219
#3  0x28ee84c0 in shadowCloseScreen (i=0, pScreen=0x26f57400) at shadow.c:103
#4  0x0012f024 in miDCCloseScreen (index=0, pScreen=0x26f57400)
    at midispcur.c:175
#5  0x00140380 in miPointerCloseScreen (index=0, pScreen=0x26f57400)
    at mipointer.c:161
#6  0x0014a0b8 in miSpriteCloseScreen (i=0, pScreen=0x26f57400)
    at misprite.c:320
#7  0x000bd418 in CMapCloseScreen (i=0, pScreen=0x26f57400) at xf86cmap.c:230
#8  0x275ca1b4 in WsfbCloseScreen ()
   from /usr/X11R6/lib/modules/drivers/wsfb_drv.so
#9  0x000b80dc in VidModeClose (i=0, pScreen=0x26f57400) at xf86VidMode.c:116
#10 0x00187220 in CursorCloseScreen (index=0, pScreen=0x26f57400)
    at cursor.c:186
#11 0x001db614 in AnimCurCloseScreen (index=0, pScreen=0x26f57400)
    at animcur.c:136
#12 0x0017d9f8 in compCloseScreen (index=0, pScreen=0x26f57400)
    at compinit.c:84
#13 0x22113c74 in glxCloseScreen (index=0, pScreen=0x26f57400)
    at glxscreens.c:217
#14 0x0002a244 in main (argc=3, argv=0xbfffc120, envp=0xbfffc130) at main.c:429
(gdb)
Comment 1 Daniel Stone 2009-08-31 17:28:02 UTC
Looks like -wsfb is missing a shadowRemove() in CloseScreen; this will cause a leak on regen anyway.
Comment 2 Matthieu Herrb 2009-09-13 13:26:42 UTC
That was it. 
Fixed in commit 872c691cbad253e4670a98349395b650677269cd
Thanks.
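The teardown order Comment 1 diagnoses, as a constructed C model that is not Xorg or wsfb code: the driver's CloseScreen frees the screen pixmap, the wrapped chain then reaches shadowCloseScreen(), and shadowRemove() picks up the damage list head from the poisoned chunk, which is the 0xdfdfdfdf pPrev in the backtrace. Names follow the backtrace; the 0xdf fill, the devPrivate field, the static "heap" and the fixedDriver switch are assumptions of the model.

```c
/* Constructed model of the CloseScreen teardown order behind this bug (added
 * example, not Xorg or wsfb code; names follow the backtrace). Static storage
 * stands in for the heap so the stale read stays defined in C, and freePixmap()
 * mimics the OpenBSD malloc flag by filling the freed chunk with 0xdf. */
#include <stdint.h>
#include <string.h>

typedef struct { int id; } DamageRec, *DamagePtr;
typedef struct { DamagePtr pDamage; } DamagePixPriv;      /* per-pixmap damage list head */
typedef struct { DamagePixPriv *devPrivate; } PixmapRec, *PixmapPtr;
static PixmapRec pixmapStore;
static DamagePixPriv privStore;

static PixmapPtr createPixmap(void) {
    memset(&privStore, 0, sizeof privStore);
    pixmapStore.devPrivate = &privStore;
    return &pixmapStore;
}
static void freePixmap(PixmapPtr p) { memset(p, 0xdf, sizeof *p); }

typedef struct {
    PixmapPtr pPixmap;   /* screen pixmap the driver owns */
    DamageRec damage;    /* record shadowAdd() registered on that pixmap */
    DamagePtr pDamage;   /* shadow layer's handle; NULL once removed */
    int poisonedDeref;   /* set where damageRemoveDamage() would deref 0xdfdfdfdf */
} ScreenRec;

/* shadowRemove() -> DamageUnregister() -> damageRemoveDamage(pPrev, pDamage) */
static void shadowRemove(ScreenRec *s) {
    if (!s->pDamage) return;
    DamagePtr *pPrev = &s->pPixmap->devPrivate->pDamage;  /* getDrawableDamageRef() */
    uintptr_t poison;
    memset(&poison, 0xdf, sizeof poison);
    if ((uintptr_t)pPrev == poison) { s->poisonedDeref = 1; return; }  /* the SIGBUS site */
    *pPrev = NULL;
    s->pDamage = NULL;
}
static void shadowCloseScreen(ScreenRec *s) { shadowRemove(s); }

/* Driver CloseScreen (frame 8): frees its pixmap, then calls the wrapped
 * CloseScreen chain that reaches shadowCloseScreen() (frame 3). */
static void wsfbCloseScreen(ScreenRec *s, int fixedDriver) {
    if (fixedDriver) shadowRemove(s);  /* Comment 1's fix: unregister while the pixmap is live */
    freePixmap(s->pPixmap);
    shadowCloseScreen(s);
}
/* Returns 1 if teardown read poisoned memory, 0 if it was clean. */
int runCloseScreen(int fixedDriver) {
    ScreenRec s = { createPixmap(), { 1 }, NULL, 0 };
    s.pDamage = &s.damage;
    s.pPixmap->devPrivate->pDamage = s.pDamage;  /* shadowAdd(): DamageRegister() */
    wsfbCloseScreen(&s, fixedDriver);
    return s.poisonedDeref;
}
```

With fixedDriver set, the second shadowRemove() reached through shadowCloseScreen() is a no-op, which is also why the fix closes the regen leak Comment 1 mentions.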
