
xserver crash - segfault when running some program that uses X11 and GLX

Open branc116 opened this issue 1 month ago • 3 comments

Select the version

Git master branch

Describe your issue

I have a minimal example. I compile and run it and then xserver crashes.

minimal.c

Steps to reproduce

cc -g -o minimal minimal.c -lX11 -lGL && ./minimal

What did you expect?

xserver should not crash. My application should crash.

Additional Information

I ran gdb attached to Xorg with this script:

# Log everything to gdb.txt.
set logging enabled on

# Break where the GLX drawable private is allocated; from the caller's frame
# set a second breakpoint that dumps the private and its destroy callback
# each time that caller is reached, then drop the allocation breakpoint.
b egl_create_glx_drawable
commands
  up
  b
  commands
    p pGlxDraw->destroy
    p *pGlxDraw
    p pGlxDraw
    bt
    c
  end
  delete breakpoint 1
  c
end

# On the first DrawableGone call, stop one line in and place a software
# watchpoint on glxPriv->destroy so every write to it is logged with a
# backtrace; then drop the DrawableGone breakpoint itself.
b DrawableGone
commands
  b +1
  commands
    set can-use-hw-watchpoints 0
    watch -l glxPriv->destroy
    commands
      bt
      c
    end
    bt
    continue
  end
  delete breakpoint 2
  c
end

c

Output is in the attachments (7.5k lines).

gdb.txt

I have also tested with xorg-xserver and that one also crashes...

branc116 · Nov 26 '25 17:11

For additional context AddressSanitizer log:

=================================================================
==21219==ERROR: AddressSanitizer: heap-use-after-free on address 0x7c6ff645d104 at pc 0x7bfff3d3750b bp 0x7fffffffc770 sp 0x7fffffffc760
READ of size 4 at 0x7c6ff645d104 thread T0
    #0 0x7bfff3d3750a in DrawableGone ../glx/glxext.c:100
    #1 0x555555792028 in doFreeResource ../dix/resource.c:896
    #2 0x555555793c4d in FreeClientResources ../dix/resource.c:1154
    #3 0x5555556f144d in CloseDownClient ../dix/dispatch.c:3677
    #4 0x555555ae2e61 in ClientReady ../os/connection.c:564
    #5 0x555555aefbba in ospoll_wait ../os/ospoll.c:663
    #6 0x555555ad68b9 in WaitForSomething ../os/WaitFor.c:207
    #7 0x5555556ccba4 in Dispatch ../dix/dispatch.c:496
    #8 0x5555557067fb in dix_main ../dix/main.c:284
    #9 0x555555cc4164 in main ../dix/stubmain.c:34
    #10 0x7ffff74783fa  (/usr/lib64/libc.so.6+0x273fa)
    #11 0x7ffff74784aa in __libc_start_main (/usr/lib64/libc.so.6+0x274aa)
    #12 0x555555611994 in _start (/tmp/x11libre/bin/Xorg+0xbd994)

0x7c6ff645d104 is located 52 bytes inside of 80-byte region [0x7c6ff645d0d0,0x7c6ff645d120)
freed by thread T0 here:
    #0 0x7ffff7921f6b in free /usr/src/debug/sys-devel/gcc-15.2.0/gcc-15.2.0/libsanitizer/asan/asan_malloc_linux.cpp:51
    #1 0x7bfff3d14a4b in egl_drawable_destroy ../glamor/glamor_glx_provider.c:87
    #2 0x7bfff3d37972 in DrawableGone ../glx/glxext.c:131
    #3 0x555555792028 in doFreeResource ../dix/resource.c:896
    #4 0x555555793c4d in FreeClientResources ../dix/resource.c:1154
    #5 0x5555556f144d in CloseDownClient ../dix/dispatch.c:3677
    #6 0x555555ae2e61 in ClientReady ../os/connection.c:564
    #7 0x555555aefbba in ospoll_wait ../os/ospoll.c:663
    #8 0x555555ad68b9 in WaitForSomething ../os/WaitFor.c:207
    #9 0x5555556ccba4 in Dispatch ../dix/dispatch.c:496
    #10 0x5555557067fb in dix_main ../dix/main.c:284
    #11 0x555555cc4164 in main ../dix/stubmain.c:34
    #12 0x7ffff74783fa  (/usr/lib64/libc.so.6+0x273fa)
    #13 0x7fffffffde0b  ([stack]+0x29e0b)
    #14 0x69622f657262696b  (<unknown module>)

previously allocated by thread T0 here:
    #0 0x7ffff7922d7b in calloc /usr/src/debug/sys-devel/gcc-15.2.0/gcc-15.2.0/libsanitizer/asan/asan_malloc_linux.cpp:74
    #1 0x7bfff3d14b2f in egl_create_glx_drawable ../glamor/glamor_glx_provider.c:119
    #2 0x7bfff3d2c7b1 in DoCreateGLXDrawable ../glx/glxcmds.c:1147
    #3 0x7bfff3d30131 in __glXDisp_CreateWindow ../glx/glxcmds.c:1556
    #4 0x7bfff3d3a2aa in __glXDispatch ../glx/glxext.c:716
    #5 0x7bfff3d38656 in xorgGlxHandleRequest ../glx/glxext.c:329
    #6 0x555555b30fde in GlxForwardRequest ../glx/vndext.c:258
    #7 0x555555b2ce6e in dispatch_CreateWindow ../glx/vnd_dispatch_stubs.c:354
    #8 0x555555b300d4 in GlxDispatchRequest ../glx/vndcmds.c:473
    #9 0x5555556cd213 in Dispatch ../dix/dispatch.c:565
    #10 0x5555557067fb in dix_main ../dix/main.c:284
    #11 0x555555cc4164 in main ../dix/stubmain.c:34
    #12 0x7ffff74783fa  (/usr/lib64/libc.so.6+0x273fa)
    #13 0x7fffffffde0b  ([stack]+0x29e0b)
    #14 0x69622f657262696b  (<unknown module>)

SUMMARY: AddressSanitizer: heap-use-after-free ../glx/glxext.c:100 in DrawableGone
==21219==ABORTING
[Thread 0x7ffff72dadc0 (LWP 21219) exited]
[Thread 0x7bffde2926c0 (LWP 21242) exited]
[New process 21219]
[Inferior 1 (process 21219) exited with code 01]
(gdb)

cepelinas9000 · Nov 26 '25 23:11
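The report above places the free and the stale read in the same teardown routine: egl_drawable_destroy frees the private from DrawableGone at glxext.c:131, and DrawableGone then reads it at glxext.c:100. The following C model is an added example, not the xserver's code, with hypothetical types; it reproduces that ordering deterministically by poisoning the object with 0xfd (ASan's "freed heap region" shadow value) instead of calling free(), and shows the hardened ordering beside the buggy one.

```c
#include <stdlib.h>
#include <string.h>

#define POISON_BYTE 0xfd          /* ASan's "freed heap region" shadow value */
#define POISON_WORD 0xfdfdfdfdu   /* what a 4-byte read of poisoned memory yields */

typedef struct GlxPriv GlxPriv;   /* hypothetical stand-in for the GLX drawable private */
struct GlxPriv {
    unsigned refcnt;              /* field the teardown path reads */
    void   (*destroy)(GlxPriv *); /* provider-supplied destroy callback */
};

/* Stand-in for the provider's destroy (egl_drawable_destroy in the report):
 * instead of free(), poison the object and park it so a later read by the
 * caller is observable rather than undefined behaviour. */
static GlxPriv *g_parked;
static void provider_destroy(GlxPriv *p) {
    memset(p, POISON_BYTE, sizeof *p);
    g_parked = p;
}

/* Buggy teardown order: run the destroy callback, then read the private. */
unsigned drawable_gone_buggy(GlxPriv *p) {
    p->destroy(p);
    return p->refcnt;             /* read of memory the provider already released */
}

/* Hardened order: copy out what is needed, then hand the object to the
 * provider and never touch it again. */
unsigned drawable_gone_fixed(GlxPriv *p) {
    unsigned remaining = p->refcnt;
    void (*destroy)(GlxPriv *) = p->destroy;
    destroy(p);                   /* p is dead from here on */
    return remaining;
}

/* Allocate a private with the given refcount, run one teardown routine on it,
 * release the parked memory for real, and return the value teardown read. */
unsigned run_teardown(unsigned (*teardown)(GlxPriv *), unsigned refcnt) {
    GlxPriv *p = calloc(1, sizeof *p);
    if (!p) abort();
    p->refcnt = refcnt;
    p->destroy = provider_destroy;
    unsigned seen = teardown(p);
    free(g_parked);
    g_parked = NULL;
    return seen;
}

/* Nonzero when a value read by teardown came from poisoned (freed) memory. */
int read_from_freed_memory(unsigned v) { return v == POISON_WORD; }
```

Under ASan the buggy routine reports heap-use-after-free on the `p->refcnt` read; with the poisoning allocator it returns 0xfdfdfdfd, the pattern visible in the report's shadow bytes.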

Wow... that's impressive...

Xlibre running as unprivileged user... compiled minimal as unprivileged user, ran it and it took out X, and all my keyboards and mice too. Had to ssh in to be sure it wasn't hung. Likely a side effect of using xf86-input-keyboard and xf86-input-mouse.

I could yank and install the keyboards and mice (USB), and mdevd said all was well, but all were still dead. Guess I should have checked if the xf86-* was still running before rebooting...

Edit: ok, this time more forensics...

After the crash, keyboards and mice are locked up. Screen is vt7 showing the text from launching X. Nothing is running: X has terminated, and the vt it was running from is running mingetty. fuser reports nobody is using /dev/dri/* or /dev/input/*. xf86-input-* are not running. I can run chvt from ssh, but the screen does not change. Guess I should have checked if I could open /dev/tty* or /dev/console. fuser said nothing had them open, not even s6 (PID 1).

smj-cc · Nov 27 '25 06:11

That's more or less what I got with gdb.

branc116 · Nov 27 '25 12:11