Xorg crashed with SIGABRT in libinput_device_config_tap_get_finger_count()

Bug #1655752 reported by TJ on 2017-01-11
14
This bug affects 1 person
Affects Status Importance Assigned to Milestone
X.Org X server
Unknown
Unknown
xorg-server (Debian)
New
Unknown
xserver-xorg-input-libinput (Ubuntu)
Medium
Unassigned
Xenial
Undecided
Unassigned
Yakkety
Undecided
Unassigned

Bug Description

Using Xubuntu 16.04, including light-locker, whenever the screen has been locked the X server will SIGABRT crash as soon as the user has entered their credentials. This happens 100% of the time.

The only related information I can find is a Debian bug report:

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=838462

I ran the crash report through gdb and it seems there is a null pointer dereference attempt for the 'device' without checking the pointer is valid.

        signo = 11
#6 <signal handler called>
No locals.
#7 libinput_device_config_tap_get_finger_count (device=0x0) at libinput.c:3075
No locals.
#8 0x00007fcb5c100953 in xf86libinput_parse_tap_option (device=0x0, pInfo=0x5616b20d54e0)
    at ../../src/xf86libinput.c:1686
        tap = <optimised out>
#9 xf86libinput_parse_options (device=0x0, driver_data=0x5616b23406a0, pInfo=0x5616b20d54e0)
    at ../../src/xf86libinput.c:2134
        options = 0x5616b2340700
#10 xf86libinput_pre_init (drv=<optimised out>, pInfo=0x5616b20d54e0, flags=<optimised out>)
    at ../../src/xf86libinput.c:2465
        driver_data = 0x5616b23406a0
        shared_device = <optimised out>
        libinput = <optimised out>
        device = 0x0
        path = <optimised out>
#11 0x00005616b0d0f998 in xf86NewInputDevice (pInfo=0x5616b20d54e0, pdev=pdev@entry=0x7ffce92a7c60,
    enable=<optimised out>) at ../../../../hw/xfree86/common/xf86Xinput.c:900
        drv = 0x5616b1c9a840
        dev = 0x0
        paused = 0
        rval = <optimised out>
        path = 0x5616b2092fb0 "libinput"
#12 0x00005616b0d1091e in NewInputDeviceRequest (options=<optimised out>, attrs=0x5616b23a4ad0,
    pdev=pdev@entry=0x7ffce92a7c60) at ../../../../hw/xfree86/common/xf86Xinput.c:1049
        pInfo = <optimised out>
        option = <optimised out>
        rval = <optimised out>
        is_auto = <optimised out>
#13 0x00007fcb5c0ff5e7 in xf86libinput_hotplug_device (hotplug=0x5616b23482c0)
    at ../../src/xf86libinput.c:2224
        dev = 0x5616b10c8a40 <LastSelectMask>
#14 0x00007fcb5c0ff82c in xf86libinput_hotplug_device_cb (client=<optimised out>, closure=<optimised out>)
    at ../../src/xf86libinput.c:2241
        hotplug = <optimised out>
#15 0x00005616b0cc5c71 in ProcessWorkQueue () at ../../dix/dixutils.c:526
        q = 0x5616b23a4960
        p = 0x5616b10c15d8 <workQueue>
#16 0x00005616b0e1c6dd in WaitForSomething (pClientsReady=pClientsReady@entry=0x5616b208caf0)
    at ../../os/WaitFor.c:176
        i = <optimised out>
        waittime = {tv_sec = 0, tv_usec = 32}
        wt = 0x0
        timeout = <optimised out>
        clientsReadable = {fds_bits = {0 <repeats 16 times>}}
        clientsWritable = {fds_bits = {0 <repeats 16 times>}}
        selecterr = <optimised out>
        nready = 0
        devicesReadable = {fds_bits = {0 <repeats 16 times>}}
        now = <optimised out>
        someReady = 0

ProblemType: Crash
DistroRelease: Ubuntu 16.04
Package: xserver-xorg-core 2:1.18.4-0ubuntu0.2
Uname: Linux 4.9.0-040900rc5-lowlatency x86_64
ApportVersion: 2.20.1-0ubuntu2.4
Architecture: amd64
CrashCounter: 1
Date: Wed Jan 11 18:06:23 2017
ExecutablePath: /usr/lib/xorg/Xorg
ExecutableTimestamp: 1478124781
ProcCmdline: /usr/lib/xorg/Xorg -core :0 -seat seat0 -auth /var/run/lightdm/root/:0 -nolisten tcp vt7 -novtswitch
ProcCwd: /
ProcEnviron:

Signal: 6
SourcePackage: xorg-server
StacktraceTop:
 libinput_device_config_tap_get_finger_count (device=0x0) at libinput.c:3075
 xf86libinput_parse_tap_option (device=0x0, pInfo=0x5616b20d54e0) at ../../src/xf86libinput.c:1686
 xf86libinput_parse_options (device=0x0, driver_data=0x5616b23406a0, pInfo=0x5616b20d54e0) at ../../src/xf86libinput.c:2134
 xf86libinput_pre_init (drv=<optimised out>, pInfo=0x5616b20d54e0, flags=<optimised out>) at ../../src/xf86libinput.c:2465
 xf86NewInputDevice (pInfo=0x5616b20d54e0, pdev=pdev@entry=0x7ffce92a7c60, enable=<optimised out>) at ../../../../hw/xfree86/common/xf86Xinput.c:900
Title: Xorg crashed with SIGABRT in libinput_device_config_tap_get_finger_count()
UpgradeStatus: No upgrade log present (probably fresh install)
UserGroups:

TJ (tj) wrote :
information type: Private → Public

StacktraceTop:
 libinput_device_config_tap_get_finger_count () from /tmp/apport_sandbox_E5oWhM/usr/lib/x86_64-linux-gnu/libinput.so.10
 xf86libinput_pre_init () from /tmp/apport_sandbox_E5oWhM/usr/lib/xorg/modules/input/libinput_drv.so
 xf86NewInputDevice ()
 xf86libinput_hotplug_device () from /tmp/apport_sandbox_E5oWhM/usr/lib/xorg/modules/input/libinput_drv.so
 xf86libinput_hotplug_device_cb () from /tmp/apport_sandbox_E5oWhM/usr/lib/xorg/modules/input/libinput_drv.so

Changed in xorg-server (Ubuntu):
importance: Undecided → Medium
tags: removed: need-amd64-retrace
TJ (tj) wrote :

The NULL device bubbles up from

xserver-xorg-input-libinput-0.18.0/src/xf86libinput.c::xf86libinput_pre_init()

where it does

    is_subdevice = xf86libinput_is_subdevice(pInfo);
    if (!is_subdevice) {
       ...
    } else {
        InputInfoPtr parent;
        struct xf86libinput *parent_driver_data;

        parent = xf86libinput_get_parent(pInfo);
        if (!parent) {
            xf86IDrvMsg(pInfo, X_ERROR, "Failed to find parent device\n");
            goto fail;
        }
        xf86IDrvMsg(pInfo, X_INFO, "is a virtual subdevice\n");

        parent_driver_data = parent->private;
        shared_device = xf86libinput_shared_ref(parent_driver_data->shared_device);
        device = shared_device->device;
    }

At this point the parent device's private->shared_device->device node should provide a non-NULL pointer for the device.

Changed in xorg-server (Debian):
status: Unknown → New
TJ (tj) wrote :

The log file shows the input device(s) being removed upon system idle and the attempt to re-attach it failing.

TJ (tj) on 2017-01-15
no longer affects: xorg-server
Timo Aaltonen (tjaalton) on 2017-01-17
affects: xorg-server (Ubuntu) → xserver-xorg-input-libinput (Ubuntu)
TJ (tj) wrote :

I've backported the upstream fix to the Debian/Ubuntu package; Timo, are you able to update the Ubuntu packages for 16.04 + and also apply it to Debian package (I'll try to recall how to send the debdiff via email into the Debian bug tracker).

Changed in xserver-xorg-input-libinput (Ubuntu):
status: New → In Progress
assignee: nobody → TJ (tj)

The attachment "Debdiff containing backported upstream fix" seems to be a debdiff. The ubuntu-sponsors team has been subscribed to the bug report so that they can review and hopefully sponsor the debdiff. If the attachment isn't a patch, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are member of the ~ubuntu-sponsors, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issue please contact him.]

tags: added: patch
Timo Aaltonen (tjaalton) wrote :

debian and zesty already has 0.23 which fixed this

Changed in xserver-xorg-input-libinput (Ubuntu):
status: In Progress → Fix Released
TJ (tj) on 2017-01-20
Changed in xserver-xorg-input-libinput (Ubuntu):
assignee: TJ (tj) → nobody
Robie Basak (racb) wrote :

It looks like your backport also pulled in upstream commit 116cddba69b37246db564c1ddf772c0144c589f0. Was this intentional?

Hello TJ, or anyone else affected,

Accepted xserver-xorg-input-libinput into xenial-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/xserver-xorg-input-libinput/0.18.0-1ubuntu0.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed.Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Changed in xserver-xorg-input-libinput (Ubuntu Xenial):
status: New → Fix Committed
tags: added: verification-needed
Changed in xserver-xorg-input-libinput (Ubuntu Yakkety):
status: New → Fix Committed
Adam Conrad (adconrad) wrote :

Hello TJ, or anyone else affected,

Accepted xserver-xorg-input-libinput into yakkety-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/xserver-xorg-input-libinput/0.19.0-1ubuntu0.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed.Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Timo Aaltonen (tjaalton) wrote :

TJ: this is still unverified

TJ (tj) wrote :

@Robie: "It looks like your backport also pulled in upstream commit 116cddba69b37246db564c1ddf772c0144c589f0. Was this intentional?"

No, from what I can see the backported commit 72bac84df9ce72f2baf730655ecc23f1692d1e64 removes and re-applies that specific change too.

@Timo: My local package version is higher than that in -proposed so it hadn't been applied locally. I'll report back after the next logout/reboot cycle.

TJ (tj) on 2017-02-21
tags: added: verification-done-xenial
Robie Basak (racb) wrote :

@TJ

Please could you explain what you tested and what the results were? Please also confirm the package version of the package you tested.

Changed in xserver-xorg-input-libinput (Ubuntu Xenial):
status: Fix Committed → Incomplete
Changed in xserver-xorg-input-libinput (Ubuntu Yakkety):
status: Fix Committed → Incomplete
Download full text (4.9 KiB)

I'm getting this same crash on ElementaryOS Loki (based on Ubuntu 16.04) with light-locker 1.7.0-2ubuntu1 and xserver-xorg-input-libinput 0.18.0-1. It is on a Dell m3800 with dual Intel/nVidia graphics setup with bumblebee and nouveau. I'm pretty sure it happens when I put the laptop to sleep with the external mouse plugged in, then I wake up the laptop without that mouse plugged in. I happens right after I log into the lock screen.

[ 8894.710] (II) config/udev: removing device Yubico Yubikey NEO OTP+CCID
[ 8894.721] (II) UnloadModule: "libinput"
[ 8924.009] (II) config/udev: removing device Microsoft Comfort Mouse 3000
[ 8924.009] (II) UnloadModule: "libinput"
[ 8924.009] (II) config/udev: removing device Microsoft Comfort Mouse 3000
[ 8924.024] (II) UnloadModule: "libinput"
[ 8942.192] (II) AIGLX: Suspending AIGLX clients for VT switch
[ 8944.824] (II) config/udev: Adding input device Microsoft Comfort Mouse 3000 (/dev/input/mouse0)
[ 8944.824] (II) No input driver specified, ignoring this device.
[ 8944.824] (II) This device may have been added with another device file.
[ 8944.881] (II) config/udev: Adding input device Microsoft Comfort Mouse 3000 (/dev/input/event6)
[ 8944.881] (**) Microsoft Comfort Mouse 3000: Applying InputClass "evdev pointer catchall"
[ 8944.881] (**) Microsoft Comfort Mouse 3000: Applying InputClass "evdev keyboard catchall"
[ 8944.881] (**) Microsoft Comfort Mouse 3000: Applying InputClass "libinput pointer catchall"
[ 8944.881] (**) Microsoft Comfort Mouse 3000: Applying InputClass "libinput keyboard catchall"
[ 8944.881] (II) Using input driver 'libinput' for 'Microsoft Comfort Mouse 3000'
[ 8944.881] (**) Microsoft Comfort Mouse 3000: always reports core events
[ 8944.881] (**) Option "Device" "/dev/input/event6"
[ 8944.881] (**) Option "_source" "server/udev"
[ 8944.882] (II) input device 'Microsoft Comfort Mouse 3000', /dev/input/event6 is tagged by udev as: Keyboard Mouse
[ 8944.882] (II) input device 'Microsoft Comfort Mouse 3000', /dev/input/event6 is a pointer caps
[ 8944.882] (II) input device 'Microsoft Comfort Mouse 3000', /dev/input/event6 is a keyboard
[ 8944.896] (II) libinput: Microsoft Comfort Mouse 3000: needs a virtual subdevice
[ 8944.896] (**) Option "config_info" "udev:/sys/devices/pci0000:00/0000:00:14.0/usb3/3-3/3-3.3/3-3.3:1.0/0003:045E:077B.0004/input/input19/event6"
[ 8944.896] (II) XINPUT: Adding extended input device "Microsoft Comfort Mouse 3000" (type: MOUSE, id 11)
[ 8944.896] (**) Option "AccelerationScheme" "none"
[ 8944.896] (**) Microsoft Comfort Mouse 3000: (accel) selected scheme none/0
[ 8944.896] (**) Microsoft Comfort Mouse 3000: (accel) acceleration factor: 2.000
[ 8944.896] (**) Microsoft Comfort Mouse 3000: (accel) acceleration threshold: 4
[ 8944.896] (**) Microsoft Comfort Mouse 3000: Applying InputClass "evdev pointer catchall"
[ 8944.896] (**) Microsoft Comfort Mouse 3000: Applying InputClass "evdev keyboard catchall"
[ 8944.896] (**) Microsoft Comfort Mouse 3000: Applying InputClass "libinput pointer catchall"
[ 8944.896] (**) Microsoft Comfort Mouse 3000: Applying InputClass "libinput keyboard catchall"
[ 8944.896] (II) Using i...

Read more...

tags: removed: verification-done-xenial

As part of a recent change in the Stable Release Update verification policy we would like to inform that for a bug to be considered verified for a given release a verification-done-$RELEASE tag needs to be added to the bug where $RELEASE is the name of the series the package that was tested (e.g. verification-done-xenial). Please note that the global 'verification-done' tag can no longer be used for this purpose.

Thank you!

Timo Aaltonen (tjaalton) wrote :

TJ: ping? this is still unverified..

I now know how to reproduce this everytime:

* put my laptop to sleep/suspend
* wake it up
* before doing anything, plug in my USB mouse

If I plug in the USB mouse any time between wake up and logging into
lightdm, I get this crash. Every time without fail.

Timo Aaltonen (tjaalton) wrote :

great. now enable proposed and test the update

Ok, so I downgraded from 0.19.0-1 which I had manually installed from
yakkety, and installed 0.18.0-1ubuntu0.1 from xenial-proposed. I tried
one clear test so far, and it did not crash. It also seemed to log in
from wake up quite a bit faster. It would usually hang for a while
after I entered my password.

Thanks so much! If I encounter the problem again, I'll report back.

Timo Aaltonen:
> great. now enable proposed and test the update
>

Timo Aaltonen (tjaalton) wrote :

thanks a lot for testing!

Changed in xserver-xorg-input-libinput (Ubuntu Xenial):
status: Incomplete → Fix Committed
tags: added: verification-done-xenial
removed: verification-needed

I've been through the suspend cycle a few more times, still no crashes!

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package xserver-xorg-input-libinput - 0.18.0-1ubuntu0.1

---------------
xserver-xorg-input-libinput (0.18.0-1ubuntu0.1) xenial; urgency=medium

  * fix-fdo-97117.diff: If the parent libinput_device is unavailable,
    create a new one. (LP: #1655752)

 -- Timo Aaltonen <email address hidden> Thu, 19 Jan 2017 20:33:43 +0200

Changed in xserver-xorg-input-libinput (Ubuntu Xenial):
status: Fix Committed → Fix Released

The verification of the Stable Release Update for xserver-xorg-input-libinput has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.