Disassembling dixFreePrivates in gdb shows the crash is happening in:
if (items[i].size) xfree(privates[i].value);
Also, Kubuntu resets/regenerates the Xserver on log-out, where Gnome starts a new server on log-out.
The regeneration bit in the git commit below matches Scott's findings in comment #3.
Therefore in my opinion this patch from xserver git looks quite promising to fix this bug:
commit 4151a13c80f3afa43f88afcf19a7aeb16dace93a
Author: Francisco Jerez <email address hidden>
Date: Mon Oct 5 02:39:03 2009 +0200
dix: Fix a double free in dixFreePrivates.
It can be reproduced when the server is regenerated and for some
reason the private keys are reassigned in a different order: a
manually allocated private may get an index formerly used by a
preallocated private. In that case it will first be manually freed and
then again by dixFreePrivates, as items[i].size was never zeroed
out. Do it in dixResetPrivates.
Signed-off-by: Francisco Jerez <email address hidden>
Acked-by: Eamon Walsh <email address hidden>
Signed-off-by: Keith Packard <email address hidden>
diff --git a/dix/privates.c b/dix/privates.c
index 3a2deb8..e3e7274 100644
--- a/dix/privates.c
+++ b/dix/privates.c
@@ -303,6 +303,7 @@ dixResetPrivates(void)
/* reset private descriptors */
for (i = 1; i < nextPriv; i++) { *items[i].key = 0;
+ items[i].size = 0; DeleteCallbackList(&items[i].initfuncs); DeleteCallbackList(&items[i].deletefuncs);
}
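Review bot: the added `items[i].size = 0;` is the whole fix, yet nothing in the loop says why it matters; a one-line comment next to it would help, e.g. "a nonzero size makes dixFreePrivates free privates[i].value, so a size left over from a previous generation turns an already manually freed private into a double free". It is also worth confirming that the loop deliberately starts at `i = 1` and leaves index 0 un-reset, since the same stale-size reasoning would apply there if index 0 can ever be sized.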
Can anyone test if this patch against xorg-server solves the crash? (I cannot reproduce the crash myself)
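As an added illustration (not code from this bug report or from xorg-server), the C model below replays the scenario the commit message describes. The table names items[], privates[], nextPriv and the two functions dixFreePrivates/dixResetPrivates are taken from the patch; the counting allocator, the helper names and the fixed sizes are assumptions made for the example. The point of the instrumented allocator is that the double free is detected and counted instead of corrupting the real heap.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed, simplified model of the two tables in dix/privates.c.
 * items[i].size != 0 means the privates code owns (and frees) the storage. */
#define MAX_PRIV 8
#define MAX_TRACKED 16

typedef struct { int size; } PrivItem;
typedef struct { void *value; } PrivateRec;

static PrivItem items[MAX_PRIV];
static PrivateRec privates[MAX_PRIV];
static int nextPriv;

/* Instrumented heap (assumption, not xserver code): each free is counted per
 * allocation and memory goes back to the real heap only once, so a second
 * free is reported rather than executed. */
typedef struct { void *p; int frees; } Tracked;
static Tracked tracked[MAX_TRACKED];
static int ntracked;

static void *tracked_alloc(size_t n)
{
    void *p = calloc(1, n);
    tracked[ntracked].p = p;
    tracked[ntracked].frees = 0;
    ntracked++;
    return p;
}

static void tracked_free(void *p)
{
    int i;
    for (i = 0; i < ntracked; i++) {
        if (tracked[i].p == p) {
            if (tracked[i].frees++ == 0)
                free(p);
            return;
        }
    }
}

/* Number of allocations that were freed more than once. */
static int double_frees(void)
{
    int i, n = 0;
    for (i = 0; i < ntracked; i++)
        if (tracked[i].frees > 1)
            n++;
    return n;
}

/* Handing out an index does not touch items[i].size, so a size from a
 * previous generation survives unless the reset clears it. */
static int new_private_index(void)
{
    return nextPriv++;
}

/* Preallocated private: sized by the privates code, which owns the storage. */
static int alloc_preallocated(int size)
{
    int i = new_private_index();
    items[i].size = size;
    privates[i].value = tracked_alloc((size_t) size);
    return i;
}

/* Manually allocated private: the caller supplies and later frees the value. */
static int set_manual(void *value)
{
    int i = new_private_index();
    privates[i].value = value;
    return i;
}

/* Mirrors the line the gdb disassembly points at: only sized privates are freed. */
static void dixFreePrivates(void)
{
    int i;
    for (i = 1; i < nextPriv; i++)
        if (items[i].size)
            tracked_free(privates[i].value);
}

/* Server regeneration; 'patched' applies the commit's "items[i].size = 0;". */
static void dixResetPrivates(int patched)
{
    int i;
    for (i = 1; i < nextPriv; i++)
        if (patched)
            items[i].size = 0;
    nextPriv = 1;
}

/* Replays the commit message's scenario; returns the number of allocations
 * freed twice: 1 without the patch, 0 with it. */
static int simulate_regeneration(int patched)
{
    void *manual;
    memset(items, 0, sizeof items);
    memset(privates, 0, sizeof privates);
    memset(tracked, 0, sizeof tracked);
    ntracked = 0;
    nextPriv = 1;

    /* Generation 1: index 1 is a preallocated private. */
    alloc_preallocated(16);
    dixFreePrivates();
    dixResetPrivates(patched);

    /* Generation 2: keys are assigned in a different order and index 1 now
     * belongs to a manually allocated private that its owner frees itself. */
    manual = tracked_alloc(32);
    set_manual(manual);
    tracked_free(manual);   /* the manual free; the stale pointer stays in the table */
    dixFreePrivates();      /* frees index 1 again if the old size is still there */
    return double_frees();
}

int main(void)
{
    printf("double frees without patch: %d\n", simulate_regeneration(0));
    printf("double frees with patch:    %d\n", simulate_regeneration(1));
    return 0;
}
```

Running it prints one double free for the unpatched reset and none for the patched one, which is exactly the difference the single added line in dixResetPrivates makes.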