Xorg crashes after connect bluetooth keyboard

Bug #930936 reported by Dmitry on 2012-02-12
This bug affects 1 person
Affects (status, importance and assignee where shown):
  * X.Org X server: status Unknown, importance High
  * xorg-server (Ubuntu): importance High, Unassigned
  * Lucid: importance High, Unassigned
  * Oneiric: importance High, Unassigned
  * Precise: importance High, Unassigned

Bug Description

SRU Criteria
============
[Impact]
The X server may crash after connecting a bluetooth keyboard.

[Development Fix]
The Q series is not open for development yet.

[Stable Fix]
Please see the attached patch midispcur.c.patch.

[Test Case]
Connect a bluetooth keyboard and use it for five minutes. Check if X server has crashed.

[Regression Potential]
Low. The patch merely short circuits code that may dereference a NULL pointer. It is possible that this causes a further issue, but such an issue is likely to be at worst just as bad as without this fix.

Original Bug Report
===================
X crashes after connecting a bluetooth keyboard.
With a bluetooth mouse everything is OK; the crash occurs only when I connect the keyboard.

After connecting, the keyboard works and I can use it. The failure occurs between 30 seconds and 5 minutes after connecting. It does not depend on whether I'm typing on the keyboard or not.

The same error occurs on Ubuntu Lucid.

ProblemType: Bug
DistroRelease: Ubuntu 11.10
Package: xserver-xorg 1:7.6+7ubuntu7.1
ProcVersionSignature: Ubuntu 3.0.0-15.26-generic 3.0.13
Uname: Linux 3.0.0-15-generic i686
NonfreeKernelModules: nvidia
ApportVersion: 1.23-0ubuntu4
Architecture: i386
Date: Sun Feb 12 16:08:39 2012
InstallationMedia: Ubuntu 11.10 "Oneiric" - Build i386 LIVE Binary 20120208-10:12
ProcEnviron:
 PATH=(custom, no user)
 LANG=en_US.UTF-8
 SHELL=/bin/bash
SourcePackage: xorg
UpgradeStatus: No upgrade log present (probably fresh install)


Hello,

on armv4t (neo freerunner) we're using xorg from git master and the 1.7 branch. There is a reproducible segfault in miPointerUpdateSprite()

Not sure where exactly, because first it occurred in miDCRestoreUnderCursor(), so I commented this function out and tested again and it occurred in miDCSaveUnderCursor(), so I commented this one too and it occurred in miDCPutUpCursor().

With all miPointerUpdateSprite() calls commented out it works good (just the cursor background isn't redrawn).

Another workaround is to run Xorg with -nocursor.

The easiest way to reproduce this is to run a terminal (vala-terminal) and an on-screen keyboard (illume-keyboard) and type very quickly. Maybe it's because every key-press is highlighted with the key drawn slightly above the keyboard, so we're redrawing the same part of the screen twice (for cursor-left redraw and key up&down - maybe some concurrency).

Maybe the problem lives in DDX driver for SMedia Glamo graphics http://git.openmoko.org/?p=xf86-video-glamo.git;a=summary

    Program received signal SIGSEGV, Segmentation fault.
    [Switching to Thread 0x4001edc0 (LWP 1701)]
    0x0013c9b4 in miDCRestoreUnderCursor ()
    Current language: auto; currently asm
    (gdb) back
    #0 0x0013c9b4 in miDCRestoreUnderCursor ()
    #1 0x00160780 in miSpriteRemoveCursor ()
    #2 0x00160934 in miSpriteSetCursor ()
    #3 0x00160a40 in miSpriteMoveCursor ()
    #4 0x00056ad4 in miPointerUpdateSprite ()
    #5 0x0009da28 in ProcXTestFakeInput ()
    #6 0x0004fc58 in Dispatch ()
    #7 0x000216a8 in main ()

    /* now I commented miDCRestoreUnderCursor out from Xorg */

    Program received signal SIGSEGV, Segmentation fault.
    [Switching to Thread 0x4001edc0 (LWP 2175)]
    0x0013c8e4 in miDCSaveUnderCursor ()
    Current language: auto; currently asm
    (gdb) back
    #0 0x0013c8e4 in miDCSaveUnderCursor ()
    #1 0x001602d4 in miSpriteSaveUnderCursor ()
    #2 0x0016078c in miSpriteSetCursor ()
    #3 0x001608e0 in miSpriteMoveCursor ()
    #4 0x00056ad4 in miPointerUpdateSprite ()
    #5 0x0009da28 in ProcXTestFakeInput ()
    #6 0x0004fc58 in Dispatch ()
    #7 0x000216a8 in main ()

    /* now I commented miDCSaveUnderCursor out from Xorg */

    Program received signal SIGSEGV, Segmentation fault.
    [Switching to Thread 0x4001edc0 (LWP 2306)]
    0x0013d500 in miDCPutUpCursor ()
    Current language: auto; currently asm
    (gdb) back
    #0 0x0013d500 in miDCPutUpCursor ()
    #1 0x0015ffc8 in miSpriteRestoreCursor ()
    #2 0x00160734 in miSpriteMoveCursor ()
    #3 0x00056ad4 in miPointerUpdateSprite ()
    #4 0x0009da20 in ProcXTestFakeInput ()
    #5 0x0004fc58 in Dispatch ()
    #6 0x000216a8 in main ()

    /* It works ok when I removed every miPointerUpdateSprite call, or when Xorg is executed with -nocursor */
    ...


Created attachment 29880
backtrace - better format

Dmitry (pfzim) wrote :
Dmitry (pfzim) on 2012-02-15
description: updated
Dmitry (pfzim) on 2012-02-15
summary: - X crashes after connect bluetooth keyboard
+ Xorg crashes after connect bluetooth keyboard
Dmitry (pfzim) wrote :

The attachment "midispcur.c.patch" of this bug report has been identified as being a patch. The ubuntu-reviewers team has been subscribed to the bug report so that they can review the patch. In the event that this is in fact not a patch you can resolve this situation by removing the tag 'patch' from the bug report and editing the attachment so that it is not flagged as a patch. Additionally, if you are a member of the ubuntu-reviewers team please also unsubscribe the team from this bug report.

[This is an automated message performed by a Launchpad user owned by Brian Murray. Please contact him regarding any issues with the action taken in this bug report.]

tags: added: patch
Bryce Harrington (bryce) on 2012-03-28
tags: added: precise
Bryce Harrington (bryce) on 2012-03-28
Changed in xorg-server (Ubuntu Precise):
status: New → Fix Committed
Changed in xorg-server (Ubuntu Oneiric):
status: New → Triaged
Changed in xorg-server (Ubuntu Lucid):
status: New → Triaged
importance: Undecided → High
Changed in xorg-server (Ubuntu Precise):
importance: Undecided → High
Changed in xorg-server (Ubuntu Oneiric):
importance: Undecided → High
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package xorg-server - 2:1.11.4-0ubuntu8

---------------
xorg-server (2:1.11.4-0ubuntu8) precise; urgency=low

  [ Chase Douglas ]
  * Fix crash at startup due to input option abi break (LP: #931397)
    - Revert two commits from upstream 1.12 input stack

  [ Bryce Harrington ]
  * debian/patches/227_null_ptr_midispcur.patch:
    - Check for NULL pointer before dereferencing pointer from
      miGetDCDevice. Fixes crash after connecting a bluetooth keyboard.
      (LP: #930936)

  [ Chase Douglas ]
  * Fix mouse warping and clipping (LP: #948938)
    - Add temporary patch 503_fix_mouse_warp.patch
  * Implement passive touch ungrab (LP: #968726)
    - Add temporary patch 503_implement_passive_touch_ungrab.patch
  * Bump lintian standards to 3.9.3
 -- Chase Douglas <email address hidden> Thu, 29 Mar 2012 18:09:19 -0700

Changed in xorg-server (Ubuntu Precise):
status: Fix Committed → Fix Released
Dmitry (pfzim) wrote :

Thank you for releasing the fix, but how about Ubuntu Oneiric? I use XBMCbuntu, which is based on Ubuntu Oneiric. :-/

Chase Douglas (chasedouglas) wrote :
Changed in xorg-server (Ubuntu Precise):
status: Fix Released → Fix Committed
description: updated
Bryce Harrington (bryce) on 2012-05-18
Changed in xorg-server (Ubuntu Oneiric):
status: Triaged → Fix Committed
Clint Byrum (clint-fewbar) wrote :

Hello Xorg devs!

It would appear that this fix was already released for precise, as of 2:1.11.4-0ubuntu10.1 the message shows:

  [ Bryce Harrington ]
  * Enable 227_null_ptr_midispcur.patch to apply

That version was included in Quantal, so this is all Fix Released for precise and quantal. Just wanted to clarify that before accepting into oneiric-proposed.

Changed in xorg-server (Ubuntu Precise):
status: Fix Committed → Fix Released
Changed in xorg-server (Ubuntu):
status: Fix Committed → Fix Released
tags: added: verification-needed

Hello Dmitry, or anyone else affected,

Accepted xorg-server into oneiric-proposed. The package will build now and be available in a few hours. Please test and give feedback here. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Thank you in advance!

Bryce Harrington (bryce) wrote :

Given this has been in -proposed for several months now without apparent incident, can we push it out?

Steve Langasek (vorlon) wrote :

Do we know that anyone is using the oneiric-proposed X server at all?

Silence is not a very confidence-inspiring metric.

Dmitry (pfzim) wrote :

Continue crashing

Bryce Harrington (bryce) wrote :

@Dmitry, "continue crashing" - do you have Xorg from oneiric-proposed installed? Post your /var/log/Xorg.0.log.old from after a crash.

The fix for this bug has been awaiting testing feedback in the -proposed repository for oneiric for more than 90 days. Please test this fix and update the bug appropriately with the results. In the event that the fix for this bug is still not verified 15 days from now, the package will be removed from the -proposed repository.

tags: added: removal-candidate
Dmitry (pfzim) wrote :

You are crazy!
Look at the patch. It adds only:
if (!pBuffer)
       return FALSE;

I don't know how to install -proposed, it's too difficult.

Dmitry (pfzim) wrote :

Yesterday I installed xserver from oneiric-proposed. I don't know whether I did this correctly or not, but the bluetooth keyboard works without crashing xserver.

tags: added: verification-done
removed: verification-needed
tags: removed: removal-candidate

The verification of this Stable Release Update has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package xorg-server - 2:1.10.4-1ubuntu4.3

---------------
xorg-server (2:1.10.4-1ubuntu4.3) oneiric-proposed; urgency=low

  * debian/patches/227_null_ptr_midispcur.patch:
    - Check for NULL pointer before dereferencing pointer from
      miGetDCDevice. Fixes crash after connecting a bluetooth keyboard.
      (LP: #930936)
 -- Bryce Harrington <email address hidden> Thu, 17 May 2012 19:20:08 -0700

Changed in xorg-server (Ubuntu Oneiric):
status: Fix Committed → Fix Released
todaioan (alan-ar06) on 2012-12-03
Changed in xorg-server (Ubuntu Lucid):
status: Triaged → Fix Committed
Adolfo Jayme (fitojb) on 2013-01-07
Changed in xorg-server (Ubuntu Lucid):
status: Fix Committed → Triaged

Created attachment 74395
227_null_ptr_midispcur.patch

The stacktrace looks very similar to the one in this downstream Ubuntu bug:
https://bugs.launchpad.net/xorg-server/+bug/930936

The patch we added to Ubuntu for that bug is attached. It was confirmed to fix the issue by that user, but would be helpful if others could test it as well.

Changed in xorg-server:
importance: Unknown → High
status: Unknown → Confirmed

(In reply to comment #3)
> The patch we added to Ubuntu for that bug is attached. It was confirmed to
> fix the issue by that user, but would be helpful if others could test it as
> well.

It doesn't fix the issue, it merely papers over the crash. It would be useful to find a reproducible test case for the upstream git server. What versions do you see this one on? Launchpad suggests 1.10 and 1.11, both of which are out of date by now.
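
The guard discussed in this thread, modelled as an added example that is not part of the original comments or of the xorg-server patch: a lookup that can return NULL, the unguarded dereference beside the guarded form, and a counter so the skipped call stays observable while the root cause is open. The types `Device` and `CursorBuffer` and all function names are hypothetical; only the `if (!pBuffer)` check mirrors the lines quoted above, and why the real lookup returns NULL is not established on this page.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical stand-ins for illustration; not the X server's real types. */
typedef struct { int saved_x, saved_y; } CursorBuffer;
typedef struct { const char *name; CursorBuffer *buffer; } Device;

static unsigned long guard_hit_count; /* times the NULL guard fired */

/* Model of a per-device lookup that may return NULL. */
static CursorBuffer *get_buffer(const Device *dev) { return dev ? dev->buffer : NULL; }

/* "Before": dereferences the lookup result unconditionally, so a device
 * without a buffer faults here. Shown for contrast; never called below. */
bool save_under_unguarded(const Device *dev, int x, int y)
{
    CursorBuffer *pBuffer = get_buffer(dev);
    pBuffer->saved_x = x;
    pBuffer->saved_y = y;
    return true;
}

/* "After": the check quoted in the thread, plus a counter and a log line
 * so the condition is still reported instead of silently hidden. */
bool save_under_guarded(const Device *dev, int x, int y)
{
    CursorBuffer *pBuffer = get_buffer(dev);
    if (!pBuffer) {
        guard_hit_count++;
        fprintf(stderr, "save_under: no buffer for %s\n", dev ? dev->name : "(none)");
        return false;
    }
    pBuffer->saved_x = x;
    pBuffer->saved_y = y;
    return true;
}

unsigned long guard_hits(void) { return guard_hit_count; }

int main(void)
{
    CursorBuffer buf = {0, 0};
    Device pointer = {"pointer", &buf}, keyboard = {"keyboard", NULL}; /* constructed */
    bool a = save_under_guarded(&pointer, 3, 4);  /* buffer present */
    bool b = save_under_guarded(&keyboard, 3, 4); /* guard fires */
    printf("pointer=%d keyboard=%d guard_hits=%lu\n", a, b, guard_hits());
    return 0;
}
```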

Rolf Leggewie (r0lf) wrote :

lucid has seen the end of its life and is no longer receiving any updates. Marking the lucid task for this ticket as "Won't Fix".

Changed in xorg-server (Ubuntu Lucid):
status: Triaged → Won't Fix

-- GitLab Migration Automatic Message --

This bug has been migrated to freedesktop.org's GitLab instance and has been closed from further activity.

You can subscribe and participate further through the new bug through this link to our GitLab instance: https://gitlab.freedesktop.org/xorg/xserver/issues/383.

Changed in xorg-server:
status: Confirmed → Unknown