Bug 88715 - Type A multitouch device causes crash when sending too many contacts
Status: RESOLVED FIXED
Alias: None
Product: xorg
Classification: Unclassified
Component: Input/evdev
Version: unspecified
Hardware: Other All
Importance: medium normal
Assignee: Peter Hutterer
QA Contact: Xorg Project Team
Reported: 2015-01-22 17:19 UTC by provisorisch
Modified: 2015-01-23 02:06 UTC

Attachments
code causing a crash via uinput (3.29 KB, text/plain)
2015-01-22 17:19 UTC, provisorisch
fix (788 bytes, patch)
2015-01-22 17:24 UTC, provisorisch
check for incoming MT slot indices (1.13 KB, patch)
2015-01-23 01:53 UTC, provisorisch

Description provisorisch 2015-01-22 17:19:43 UTC
Created attachment 112673
code causing a crash via uinput

I attached some C code simulating a type A multitouch device via uinput that eventually causes a crash when processing touch events.

e.g.


Program received signal SIGSEGV, Segmentation fault.
valuator_mask_set_double (mask=0x0, valuator=valuator@entry=0, data=4095) at inpututils.c:512
512	    mask->last_bit = max(valuator, mask->last_bit);
Continuing.

Program received signal SIGABRT, Aborted.
0x00007f22c2bd9a97 in raise () from /usr/lib/libc.so.6
#0  0x00007f22c2bd9a97 in raise () from /usr/lib/libc.so.6
#1  0x00007f22c2bdae6a in abort () from /usr/lib/libc.so.6
#2  0x000000000059aabe in OsAbort () at utils.c:1361
#3  0x000000000047869c in ddxGiveUp (error=error@entry=EXIT_ERR_ABORT) at xf86Init.c:1088
#4  0x0000000000478756 in AbortDDX (error=error@entry=EXIT_ERR_ABORT) at xf86Init.c:1132
#5  0x00000000005a0522 in AbortServer () at log.c:783
#6  0x00000000005a138d in FatalError (f=f@entry=0x5ca368 "Caught signal %d (%s). Server aborting\n") at log.c:924
#7  0x000000000059840c in OsSigHandler (signo=11, sip=<optimized out>, unused=<optimized out>) at osinit.c:147
#8  <signal handler called>
#9  valuator_mask_set_double (mask=0x0, valuator=valuator@entry=0, data=1.3852388523433896e-309) at inpututils.c:512
#10 0x000000000045274d in valuator_mask_set (mask=<optimized out>, valuator=valuator@entry=0, data=<optimized out>) at inpututils.c:523
#11 0x00007f22bb57a4ca in EvdevProcessTouchEvent (ev=<optimized out>, ev=<optimized out>, pInfo=0x2) at evdev.c:778
#12 EvdevProcessAbsoluteMotionEvent (ev=0x7fff7e84ae80, pInfo=0x2) at evdev.c:812
#13 EvdevProcessEvent (pInfo=pInfo@entry=0x25c0770, ev=ev@entry=0x7fff7e84ae80) at evdev.c:1017
#14 0x00007f22bb57a5d2 in EvdevHandleMTDevEvent (pInfo=pInfo@entry=0x25c0770, ev=ev@entry=0x7fff7e84aec0) at evdev.c:1065
#15 0x00007f22bb57a657 in EvdevReadInput (pInfo=0x25c0770) at evdev.c:1090
#16 0x0000000000475a78 in xf86SigioReadInput (fd=<optimized out>, closure=0x25c0770) at xf86Events.c:304
#17 0x00000000004a0707 in xf86SIGIO (sig=<optimized out>) at ./../shared/sigio.c:110
#18 <signal handler called>
#19 0x00007f22c2c87173 in __select_nocancel () from /usr/lib/libc.so.6
#20 0x0000000000591604 in WaitForSomething (pClientsReady=pClientsReady@entry=0x24c0280) at WaitFor.c:226
#21 0x0000000000437621 in Dispatch () at dispatch.c:361
#22 0x000000000043b9a6 in dix_main (argc=7, argv=0x7fff7e84b8a8, envp=<optimized out>) at main.c:296
#23 0x00007f22c2bc6040 in __libc_start_main () from /usr/lib/libc.so.6
#24 0x0000000000425dce in _start ()

Comment 1 provisorisch 2015-01-22 17:24:31 UTC
Created attachment 112674
fix

Checking the incoming slot number seems to fix the problem for me (see attached patch).

Comment 2 Peter Hutterer 2015-01-23 00:18:34 UTC
Whoopsy. Can you please reattach this as a signed-off, git-formatted patch? I'll push it ASAP then, thanks.

Comment 3 provisorisch 2015-01-23 01:53:46 UTC
Created attachment 112694
check for incoming MT slot indices

Sure - here it is.

Comment 4 Peter Hutterer 2015-01-23 02:06:36 UTC
   b370ccd..abc4a8b  master -> master


thanks!
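
Added example, not the attached patch or the driver's own code: a minimal C model of the slot index check described in comment 1, for a device that reports more contacts than the driver has slots. The names (`mt_dev`, `process_touch`, `feed_frame`, `NUM_SLOTS`) and the simplified mask structure are assumptions made for illustration.

```c
#include <string.h>

#define NUM_SLOTS 4  /* constructed: touch slots the driver allocated */
#define NUM_AXES  2  /* x and y */

/* Simplified stand-in for a valuator mask; not the X server's structure. */
struct mask { int last_bit; double val[NUM_AXES]; };
struct mt_dev { struct mask slot_vals[NUM_SLOTS]; int dropped; };

void mt_dev_init(struct mt_dev *d) { memset(d, 0, sizeof(*d)); }

/* Return the mask for a slot, or NULL when the index is outside the table. */
static struct mask *slot_mask(struct mt_dev *d, int slot)
{
    if (slot < 0 || slot >= NUM_SLOTS)
        return NULL;
    return &d->slot_vals[slot];
}

/* Store one axis value for a contact: 0 if stored, -1 if the event is dropped. */
int process_touch(struct mt_dev *d, int slot, int axis, double value)
{
    struct mask *m = slot_mask(d, slot);
    if (m == NULL || axis < 0 || axis >= NUM_AXES) {
        d->dropped++;  /* ignore the event rather than write through a bad mask */
        return -1;
    }
    m->val[axis] = value;
    if (axis > m->last_bit)
        m->last_bit = axis;
    return 0;
}

/* One frame of `contacts` contacts numbered from 0, with no NUM_SLOTS limit. */
int feed_frame(struct mt_dev *d, int contacts)
{
    int stored = 0;
    for (int slot = 0; slot < contacts; slot++)
        if (process_touch(d, slot, 0, 4095.0) == 0)
            stored++;
    return stored;
}

int main(void)
{
    struct mt_dev d;
    mt_dev_init(&d);
    return feed_frame(&d, 10) == NUM_SLOTS && d.dropped == 6 ? 0 : 1;
}
```

Counting dropped events rather than silently discarding them gives a signal that a device is reporting contacts beyond the table size.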

