[PATCH] mi: don't process events from disabled devices (#77884)

Maarten Lankhorst maarten.lankhorst at canonical.com
Tue May 20 01:38:41 PDT 2014


Hey,

On 20-05-14 06:32, Peter Hutterer wrote:
> Once a device is disabled, it doesn't have a sprite pointer anymore. If an
> event is still in the queue and processed after DisableDevice finished, a
> dereference causes a crash. Example backtrace (crash forced by injecting an
> event at the right time):
>
> (EE) 0: /opt/xorg/bin/Xorg (OsSigHandler+0x3c) [0x48d334]
> (EE) 1: /lib64/libpthread.so.0 (__restore_rt+0x0) [0x37fcc0f74f]
> (EE) 2: /opt/xorg/bin/Xorg (mieqMoveToNewScreen+0x38) [0x609240]
> (EE) 3: /opt/xorg/bin/Xorg (mieqProcessDeviceEvent+0xd4) [0x609389]
> (EE) 4: /opt/xorg/bin/Xorg (mieqProcessInputEvents+0x206) [0x609720]
> (EE) 5: /opt/xorg/bin/Xorg (ProcessInputEvents+0xd) [0x4aeb58]
> (EE) 6: /opt/xorg/bin/Xorg (xf86VTSwitch+0x1a6) [0x4af457]
> (EE) 7: /opt/xorg/bin/Xorg (xf86Wakeup+0x2bf) [0x4af0a7]
> (EE) 8: /opt/xorg/bin/Xorg (WakeupHandler+0x83) [0x4445cb]
> (EE) 9: /opt/xorg/bin/Xorg (WaitForSomething+0x3fe) [0x491bf6]
> (EE) 10: /opt/xorg/bin/Xorg (Dispatch+0x97) [0x435748]
> (EE) 11: /opt/xorg/bin/Xorg (dix_main+0x61d) [0x4438a9]
> (EE) 12: /opt/xorg/bin/Xorg (main+0x28) [0x49ba28]
> (EE) 13: /lib64/libc.so.6 (__libc_start_main+0xf5) [0x37fc821d65]
> (EE) 14: /opt/xorg/bin/Xorg (_start+0x29) [0x425e69]
> (EE) 15: ? (?+0x29) [0x29]
>
> xf86VTSwitch() calls ProcessInputEvents() before disabling a device, and
> DisableDevice() calls mieqProcessInputEvents() again when flushing touches and
> button events. Between that and disabling the device (which causes new events
> to be refused) there is a window where events may be triggered and enqueued.
> On the next call to PIE that event is processed on a now defunct device,
> causing the crash.
>
> The simplest fix to this is to discard events from disabled devices. We flush
> the queue often enough before disabling that when we get here, we really don't
> care about the events from this device.
>
> X.Org Bug 77884 <http://bugs.freedesktop.org/show_bug.cgi?id=77884>
>
This breaks tests/input on xorg-server 1.15.1.

(gdb) run
Starting program: /home/mlankhorst/nfs/xorg/xorg-server/build-main/test/input
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Testing double to FP1616/FP3232 conversions
(EE) BUG: triggered 'if (dev == ((void *)0))'
(EE) BUG: ../../dix/devices.c:1344 in InitValuatorClassDeviceStruct()
(EE)
(EE) Backtrace:
(EE) 0: /home/mlankhorst/nfs/xorg/xorg-server/build-main/test/input (InitValuatorClassDeviceStruct+0x1f4) [0x555555585a74]
(EE) 1: /home/mlankhorst/nfs/xorg/xorg-server/build-main/test/input (dix_init_valuators+0x40) [0x555555581c40]
(EE) 2: /home/mlankhorst/nfs/xorg/xorg-server/build-main/test/input (main+0x98f) [0x55555557ddcf]
(EE) 3: /lib/x86_64-linux-gnu/libc.so.6 (__libc_start_main+0xf5) [0x7ffff5920ec5]
(EE) 4: /home/mlankhorst/nfs/xorg/xorg-server/build-main/test/input (_start+0x29) [0x55555557f234]
(EE) 5: ? (?+0x29) [0x29]
(EE)
(EE) BUG: triggered 'if (axnum >= dev->valuator->numAxes)'
(EE) BUG: ../../Xi/exevents.c:2115 in SetScrollValuator()
(EE)
(EE) Backtrace:
(EE) 0: /home/mlankhorst/nfs/xorg/xorg-server/build-main/test/input (SetScrollValuator+0x76) [0x555555641ae6]
(EE) 1: /home/mlankhorst/nfs/xorg/xorg-server/build-main/test/input (dix_init_valuators+0x166) [0x555555581d66]
(EE) 2: /home/mlankhorst/nfs/xorg/xorg-server/build-main/test/input (main+0x98f) [0x55555557ddcf]
(EE) 3: /lib/x86_64-linux-gnu/libc.so.6 (__libc_start_main+0xf5) [0x7ffff5920ec5]
(EE) 4: /home/mlankhorst/nfs/xorg/xorg-server/build-main/test/input (_start+0x29) [0x55555557f234]
(EE) 5: ? (?+0x29) [0x29]
(EE)
[dix] EventToCore: Not implemented yet
[dix] EventToCore: Not implemented yet
[dix] EventToCore: Not implemented yet
(EE) BUG: triggered 'if (dev == ((void *)0))'
(EE) BUG: ../../dix/devices.c:1344 in InitValuatorClassDeviceStruct()
(EE)
(EE) Backtrace:
(EE) 0: /home/mlankhorst/nfs/xorg/xorg-server/build-main/test/input (InitValuatorClassDeviceStruct+0x1f4) [0x555555585a74]
(EE) 1: /home/mlankhorst/nfs/xorg/xorg-server/build-main/test/input (dix_valuator_mode+0x42) [0x5555555838e2]
(EE) 2: /home/mlankhorst/nfs/xorg/xorg-server/build-main/test/input (main+0xc05) [0x55555557e045]
(EE) 3: /lib/x86_64-linux-gnu/libc.so.6 (__libc_start_main+0xf5) [0x7ffff5920ec5]
(EE) 4: /home/mlankhorst/nfs/xorg/xorg-server/build-main/test/input (_start+0x29) [0x55555557f234]
(EE) 5: ? (?+0x29) [0x29]
(EE)
Testing bits_to_bytes()
Testing bytes_to_int32()
Testing pad_to_int32()
Testing padding_for_int32()
Unlinking from front.
Testing input_option list interface

Program received signal SIGSEGV, Segmentation fault.
mieqProcessDeviceEvent (dev=dev@entry=0x0, event=event@entry=0x555555983840 <event>, screen=screen@entry=0x0) at ../../mi/mieq.c:519
519         if (!dev->enabled)
(gdb) print dev


~Maarten
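
Added example, not part of this thread and not X server code: a minimal model of the race described in the quoted commit message (an event queued just before the device is disabled) with a form of the discard check that also tolerates the dev == NULL call seen in the gdb session. All type and function names here are hypothetical, and the NULL-tolerant guard is an assumption about how such a check can be written, not the fix the project applied.

```c
#include <stdbool.h>
#include <stddef.h>

/* Hypothetical, simplified stand-ins; not the X server's own types. */
typedef struct { int screen; } Sprite;
typedef struct { bool enabled; Sprite *sprite; } Device;
typedef struct { Device *dev; int payload; } Event;
#define QUEUE_MAX 8
typedef struct { Event ev[QUEUE_MAX]; size_t n; } Queue;

static bool enqueue(Queue *q, Device *dev, int payload) {
    if (q->n == QUEUE_MAX) return false;
    q->ev[q->n++] = (Event){ dev, payload };
    return true;
}

/* Disabling drops the sprite; events already queued still point at dev. */
static void disable_device(Device *dev) {
    dev->enabled = false;
    dev->sprite = NULL;
}

/* Returns 1 if the event was processed, 0 if it was discarded. */
static int process_event(Device *dev, const Event *e, int *last_screen) {
    (void)e;
    if (dev && !dev->enabled)   /* NULL-safe: callers may pass dev == NULL */
        return 0;               /* stale event from a disabled device */
    if (dev)
        *last_screen = dev->sprite->screen;  /* would crash on sprite == NULL */
    return 1;
}

static int drain(Queue *q, int *last_screen) {
    int processed = 0;
    for (size_t i = 0; i < q->n; i++)
        processed += process_event(q->ev[i].dev, &q->ev[i], last_screen);
    q->n = 0;
    return processed;
}

int main(void) {
    Sprite s = { 3 };
    Device d = { true, &s };
    Queue q = { .n = 0 };
    int screen = -1;
    enqueue(&q, &d, 1);      /* event lands in the window before disabling */
    disable_device(&d);
    return drain(&q, &screen);   /* 0: the stale event was discarded */
}
```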


