Bug 100921 - Attempt to modify device proximity field for non-proximity input device causes segmentation fault using Wacom tablet
Summary: Attempt to modify device proximity field for non-proximity input device cause...
Alias: None
Product: xorg
Classification: Unclassified
Component: Lib/Xi (show other bugs)
Version: unspecified
Hardware: x86-64 (AMD64) Linux (All)
: medium normal
Assignee: Xorg Project Team
QA Contact: Xorg Project Team
Depends on:
Reported: 2017-05-04 04:13 UTC by Steve Holland
Modified: 2018-08-10 20:15 UTC (History)
0 users

See Also:
i915 platform:
i915 features:


Description Steve Holland 2017-05-04 04:13:11 UTC
Observed on xorg-1.19.3-1 (Fedora 25): 

Symptom: Occasional Xorg server crashes when using a Wacom tablet (Built into Lenovo Thinkpad S1 Yoga in my case). It seems to be a random issue that occurs roughly every hour of tablet use. 

(Might be a dup of  Bug #99556 -- but that report doesn't have enough detail to confirm) 

I have been able to obtain a core dump and gdb backtrace:

(gdb) where
#0  __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:58
#1  0x00007f6ec04b851a in __GI_abort () at abort.c:89
#2  0x00000000005a16be in OsAbort () at utils.c:1355
#3  0x00000000005a7243 in AbortServer () at log.c:877
#4  0x00000000005a802d in FatalError (f=f@entry=0x5d57d0 "Caught signal %d (%s). Server aborting\n") at log.c:1015
#5  0x000000000059e95e in OsSigHandler (signo=11, sip=<optimized out>, unused=<optimized out>) at osinit.c:154
#6  <signal handler called>
#7  UpdateDeviceState (device=0x20fb4b0, event=0x7fff96551190) at exevents.c:931
#8  0x0000000000528ce0 in ProcessDeviceEvent (ev=ev@entry=0x7fff96551190, device=device@entry=0x20fb4b0) at exevents.c:1709
#9  0x000000000052948b in ProcessOtherEvent (ev=0x7fff96551190, device=0x20fb4b0) at exevents.c:1873
#10 0x000000000054e0d2 in ProcessPointerEvent (ev=0x7fff96551190, mouse=0x20fb4b0) at xkbAccessX.c:756
#11 0x000000000057d612 in mieqProcessDeviceEvent (dev=0x22fd630, event=0x7fff96551df0, screen=0x1eb8cb0) at mieq.c:496
#12 0x000000000057d749 in mieqProcessInputEvents () at mieq.c:551
#13 0x0000000000479289 in ProcessInputEvents () at xf86Events.c:165
#14 0x0000000000436e16 in Dispatch () at dispatch.c:418
#15 0x000000000043b078 in dix_main (argc=15, argv=0x7fff96552c08, envp=<optimized out>) at main.c:287
#16 0x00007f6ec04a1401 in __libc_start_main (main=0x424d20 <main>, argc=15, argv=0x7fff96552c08, init=<optimized out>, fini=<optimized out>, 
    rtld_fini=<optimized out>, stack_end=0x7fff96552bf8) at ../csu/libc-start.c:289
#17 0x0000000000424d5a in _start ()

The coredump occurs in exevents.c:UpdateDeviceState():
930:    else if (event->type == ET_ProximityOut)
931:        device->proximity->in_proximity = FALSE;
device->proximity is NULL hence attempting to set its in_proximity member causes a segmentation violation. 

How did device->proximity turn out to be NULL for a ProximityOut event? 

Let's go up a few levels and look at mieq.c:mieqProcessDeviceEvent():

490:        /* process slave first, then master */
491:        dev->public.processInputProc(event, dev);
493:        /* Check for the SD's master in case the device got detached
494:         * during event processing */
495:        if (master && !IsFloating(dev))
496:            master->public.processInputProc(&mevent, master);

dev->proximity is a valid pointer, but master->proximity is NULL
So it is processed OK on line 491 but the processInputProc() call on line 496 provides an ET_ProximityOut event with a device where proximity is NULL. And after a few layers this turns into the call to UpdateDeviceState() above, which attempts to set the in_proximity field unconditionally. 

Possible Fix: Perhaps check for device->proximity being NULL in UpdateDeviceState()?
Comment 1 GitLab Migration User 2018-08-10 20:15:14 UTC
-- GitLab Migration Automatic Message --

This bug has been migrated to freedesktop.org's GitLab instance and has been closed from further activity.

You can subscribe and participate further through the new bug through this link to our GitLab instance: https://gitlab.freedesktop.org/xorg/lib/libxi/issues/9.

Use of freedesktop.org services, including Bugzilla, is subject to our Code of Conduct. How we collect and use information is described in our Privacy Policy.