Created attachment 20290 [details] [review] xkbhandlebell-segfault.patch Forwarding this bug from a Ubuntu reporter: https://bugs.edge.launchpad.net/ubuntu/+source/xorg-server/+bug/231484 [Problem] Xorg crashes in XkbHandleBell() when DEL key pressed, in various applications. [Discussion] The attached patch addresses the symptom but maybe not the root cause. The kbd pointer is defined, but perhaps kbd->key is not, which could explain the fault. The obvious question being why that would be null in the first place? Perhaps xkbEvents.c could use additional NULL pointer checks before this one. [Backtrace] #0 XkbHandleBell (force=0 '\0', eventOnly=0 '\0', kbd=0x8273490, percent=50 '2', pCtrl=0x8273cc8, class=0 '\0', name=0, pWin=0x0, pClient=0x8262fd8) at ../../xkb/xkbEvents.c:404 bn = {type = 111 'o', xkbType = 8 '\b', sequenceNumber = 280, time = 504481, deviceID = 0 '\0', bellClass = 0 '\0', bellID = 0 '\0', percent = 50 '2', pitch = 400, duration = 100, name = 0, window = 0, eventOnly = 0 '\0', pad1 = 58 ':', pad2 = 2167, pad3 = 4120} initialized = <value optimized out> xkbi = <value optimized out> interest = <value optimized out> id = <value optimized out> pitch = <value optimized out> duration = <value optimized out> time = <value optimized out> winID = <value optimized out> #1 0x0808386c in ProcBell (client=0x8262fd8) at ../../dix/devices.c:1859 keybd = (DeviceIntPtr) 0x8273490 base = <value optimized out> newpercent = 0 #2 0x0815076e in XaceCatchDispatchProc (client=0x8262fd8) at ../../Xext/xace.c:281 major = 104 #3 0x0808d8df in Dispatch () at ../../dix/dispatch.c:502 result = <value optimized out> client = (ClientPtr) 0x8262fd8 nready = 0 start_tick = 2680 #4 0x0807471b in main (argc=3, argv=0xbfeb0fd4, envp=Cannot access memory at address 0x8 ) at ../../dix/main.c:452 i = 1 error = 136163204 xauthfile = <value optimized out> alwaysCheckForInput = {0, 1} [Original Report] I get crashes of the Xorg server if I press the "Del" key. This happened three times recently and seems to be repeatable. The system is an up-to-date Kubuntu 8.04. The dmesg says: [ 754.699253] Xorg[5444]: segfault at 000001a4 eip 0818fa3a esp bfa98800 error 4 [ 866.241862] Xorg[9589]: segfault at 000001a4 eip 0818fa3a esp bfd02030 error 4 [ 1039.389615] Xorg[10174]: segfault at 000001a4 eip 0818fa3a esp bfd978d0 error 4 The first two crashes happened with a Java program while saving a file. I placed the cursor in the middle of the default filename and pressed the "Del" key. As here were no more characters to delete left, Xorg crashed. The third crash happened with Seamonkey while editing the Ubuntu bug report search query. Note: Special on my system is, that I have a Wacom Bamboo connected. My xorg.conf will follow.
On Thu, Nov 13, 2008 at 04:52:15PM -0800, bugzilla-daemon@freedesktop.org wrote: > Note: Special on my system is, that I have a Wacom Bamboo connected. my gut feeling is that that's the root cause here because I've seen similar issues here. Need to wait until my tablet arrives before I can debug that.
On Thu, Nov 13, 2008 at 05:49:50PM -0800, bugzilla-daemon@freedesktop.org wrote: > --- Comment #1 from Peter Hutterer <peter.hutterer@who-t.net> 2008-11-13 17:49:49 PST --- > On Thu, Nov 13, 2008 at 04:52:15PM -0800, bugzilla-daemon@freedesktop.org > wrote: > > Note: Special on my system is, that I have a Wacom Bamboo connected. > > my gut feeling is that that's the root cause here because I've seen similar > issues here. Need to wait until my tablet arrives before I can debug that. http://linuxwacom.cvs.sourceforge.net/viewvc/linuxwacom/linuxwacom-dev/src/xdrv/xf86Wacom.c?revision=1.47&view=markup grep for 'long-standing misunderstanding': Wacom will always define a keyboard feedback class, but not necessarily a key class. XkbHandleBell expects a key class to exist as well as a keyboard feedback class, so if we have a Wacom tablet with no keys, a bell will cause the server to explode. I guess strengthening the test to (!dev->kbdfeed || !dev->key) should solve this.
On Fri, Nov 14, 2008 at 01:28:33PM +1100, Daniel Stone wrote: > grep for 'long-standing misunderstanding': Wacom will always define a > keyboard feedback class, but not necessarily a key class. XkbHandleBell > expects a key class to exist as well as a keyboard feedback class, so if > we have a Wacom tablet with no keys, a bell will cause the server to > explode. I guess strengthening the test to (!dev->kbdfeed || !dev->key) > should solve this. (Tangentially, not sure why it defines feedback classes, as it doesn't do anything with keyboard feedback, bells, or LED feedback. Oh well.)
AFAICT, fixed with commit 95fc59a199f99bf167fbb09297a9bb0e33e31869 Author: Peter Hutterer <peter.hutterer@redhat.com> AuthorDate: Fri Nov 28 14:55:15 2008 +1000 xkb: Extra sanity checks to prevent dev->key == NULL dereferencing.
Use of freedesktop.org services, including Bugzilla, is subject to our Code of Conduct. How we collect and use information is described in our Privacy Policy.