Bug 1410582 - vmmouse_detect enters a SIGSEGV loop on physical systems
Summary: vmmouse_detect enters a SIGSEGV loop on physical systems
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: xorg-x11-drv-vmmouse
Version: 7.4
Hardware: Unspecified
OS: Unspecified
unspecified
high
Target Milestone: rc
Assignee: Peter Hutterer
QA Contact: Desktop QE
URL:
Whiteboard:
Depends On: 1401645
Blocks:
Reported: 2017-01-05 19:46 UTC by Kyle Walker
Modified: 2020-05-14 15:31 UTC

Fixed In Version: xorg-x11-drv-vmmouse-13.1.0-1.el7
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2017-08-01 12:18:23 UTC
Target Upstream Version:
Embargoed:


Attachments
Corrected patch to include the config.h header file. (571 bytes, patch)
2017-01-06 17:04 UTC, Kyle Walker


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2017:1905 0 normal SHIPPED_LIVE Xorg X11 server and drivers bug fix and enhancement update 2017-08-01 16:03:51 UTC

Description Kyle Walker 2017-01-05 19:46:31 UTC
Description of problem:
 The vmmouse_detect utility enters a SIGSEGV loop on physical systems with the package installed. An strace of the process shows the following:

	7104  12:12:42.823562 readlink("/sys/devices/virtual/input/input13/event13", 0x7fff1231e650, 1024) = -1 EINVAL (Invalid argument) <0.000009>
	7104  12:12:42.823582 stat("/sys/devices/virtual/input/input13/event13/uevent", {st_dev=makedev(0, 17), st_ino=33266, st_mode=S_IFREG|0644, st_nlink=1, st_uid=0, st_gid=0, st_blksize=4096, st_blocks=0, st_size=4
	7104  12:12:42.823627 lstat("/sys/devices/virtual/input/input13/event13/name", 0x7fff1231d5d0) = -1 ENOENT (No such file or directory) <0.000009>
	7104  12:12:42.823680 readlink("/sys/devices/virtual/input/mice", 0x7fff1231e650, 1024) = -1 EINVAL (Invalid argument) <0.000022>
	7104  12:12:42.823714 stat("/sys/devices/virtual/input/mice/uevent", {st_dev=makedev(0, 17), st_ino=20861, st_mode=S_IFREG|0644, st_nlink=1, st_uid=0, st_gid=0, st_blksize=4096, st_blocks=0, st_size=4096, st_ati
	7104  12:12:42.823743 lstat("/sys/devices/virtual/input/mice/name", 0x7fff1231d5d0) = -1 ENOENT (No such file or directory) <0.000010>
	7104  12:12:42.823784 rt_sigaction(SIGSEGV, {0x400c30, [SEGV], SA_RESTORER|SA_RESTART, 0x7f4286aa9250}, {SIG_DFL, [], 0}, 8) = 0 <0.000018>
	7104  12:12:42.823831 iopl(0x3)         = -1 EPERM (Operation not permitted) <0.000006>
	7104  12:12:42.823851 --- SIGSEGV {si_signo=SIGSEGV, si_code=SI_KERNEL, si_addr=0} ---
	7104  12:12:42.823865 rt_sigreturn()    = 1447909480 <0.000006>


The above continues on repeatedly:

	7104  12:15:06.525764 --- SIGSEGV {si_signo=SIGSEGV, si_code=SI_KERNEL, si_addr=0} ---
	7104  12:15:06.525777 rt_sigreturn()    = 1447909480 <0.000007>
	7104  12:15:06.525797 --- SIGSEGV {si_signo=SIGSEGV, si_code=SI_KERNEL, si_addr=0} ---
	7104  12:15:06.525828 rt_sigreturn()    = 1447909480 <0.000006>
	7104  12:15:06.525867 --- SIGINT {si_signo=SIGINT, si_code=SI_KERNEL, si_value={int=603113048, ptr=0x7f4f23f2c658}} ---
	7104  12:15:06.526032 +++ killed by SIGINT +++


Version-Release number of selected component (if applicable):
 xorg-x11-drv-vmmouse-13.0.0-12.el7

How reproducible:
 Easily

Steps to Reproduce:
1. Install the latest version of xorg-x11-drv-vmmouse
2. Issue a "strace /usr/bin/vmmouse_detect"
3. Observe the operation

Actual results:
 The process endlessly encounters a SIGSEGV

Expected results:
 Exit with 0 or 1

Additional info:
 If uncorrected, the issue above causes the boot process to stall for an exceptional amount of time, before systemd issues a SIGKILL to vmmouse_detect.

Comment 1 Kyle Walker 2017-01-05 19:50:48 UTC
Looking at the end binary, it looks like the segvCB() signal handler is compiled out to a NOP.

	(gdb) disassemble segvCB
	Dump of assembler code for function segvCB:
	   0x0000000000400c30 <+0>:     repz retq 
	End of assembler dump.


It looks like the macro below is not defined at compile time:

	void
	segvCB(int sig)
	{
	#if defined HAVE_XORG_SERVER_1_1_0
	   exit(1);
	#endif
	}


I'm attaching a patch to move the macro to the signal handler registration. That way, if the macro is not defined, the end result would be a death by SIGSEGV, instead of the endless loop.

- Kyle Walker
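
Added illustration of the behaviour analysed in Comment 1 (not code from the bug report or from the vmmouse sources): a SIGSEGV handler that returns restarts the faulting instruction, so an empty handler loops, while an exiting handler or no handler terminates. Assumptions: Linux, a NULL write stands in for the real faulting access, and `run_probe`, the mode names and `REENTRY_LIMIT` are hypothetical.

```c
#define _POSIX_C_SOURCE 200809L
#include <signal.h>
#include <stdio.h>
#include <sys/wait.h>
#include <unistd.h>

#define REENTRY_LIMIT 1000  /* constructed bound so the demo terminates */
enum mode { NO_HANDLER, EMPTY_HANDLER, EXITING_HANDLER };
static volatile sig_atomic_t faults;

/* Models segvCB() with exit(1) compiled out: returning from the handler
 * restarts the faulting instruction, so the same SIGSEGV is raised again. */
static void empty_cb(int sig)
{
    (void)sig;
    if (++faults >= REENTRY_LIMIT)
        _exit(2);           /* demo only: report the loop instead of spinning */
}

/* Models segvCB() with exit(1) compiled in. */
static void exiting_cb(int sig) { (void)sig; _exit(1); }

/* Runs one faulting probe in a child process. Returns the child's exit
 * status, or 128 + signal number if a signal terminated it. */
int run_probe(enum mode m)
{
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        struct sigaction sa;
        sa.sa_flags = 0;
        sigemptyset(&sa.sa_mask);
        sa.sa_handler = m == EMPTY_HANDLER ? empty_cb
                      : m == EXITING_HANDLER ? exiting_cb : SIG_DFL;
        sigaction(SIGSEGV, &sa, NULL);
        volatile int *volatile p = NULL;
        *p = 1;             /* stand-in for the access that faults after iopl() fails */
        _exit(0);           /* reached only if the access does not fault */
    }
    int st = 0;
    if (waitpid(pid, &st, 0) < 0) return -1;
    return WIFSIGNALED(st) ? 128 + WTERMSIG(st) : WEXITSTATUS(st);
}

int main(void)
{
    printf("no handler: %d, empty: %d, exiting: %d\n", run_probe(NO_HANDLER),
           run_probe(EMPTY_HANDLER), run_probe(EXITING_HANDLER));
}
```

Without the constructed bound, the empty-handler case never exits on its own, which is the repeated SIGSEGV / rt_sigreturn pattern in the strace.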

Comment 3 Kyle Walker 2017-01-05 21:32:23 UTC
Marking Regression, as the issue is not present in:

    xorg-x11-drv-vmmouse-13.0.0-11.el7

$ gdb ./usr/bin/vmmouse_detect
(gdb) disassemble segvCB
Dump of assembler code for function segvCB:
   0x0000000000400670 <+0>:     sub    $0x8,%rsp
   0x0000000000400674 <+4>:     mov    $0x1,%edi
   0x0000000000400679 <+9>:     callq  0x400530 <exit@plt>
End of assembler dump.

- Kyle Walker

Comment 6 Kyle Walker 2017-01-06 16:41:32 UTC
Redacted the previous patch.

The source of the failure is that in the latest update the following patch was backported:

    Subject: [PATCH vmmouse] Back off if we detect a vmmouse kernel driver v3

    If a vmmouse kernel driver is active, vmmouse input is handled by the Xorg
    evdev driver and not by the vmmouse driver, so make sure the vmmouse_detect
    utility doesn't detect a vmmouse if a kernel driver is active.

    v2: Change the vmmouse kernel device name, fix comment.
    v3: Fix up libudev error handling.


In that patch, the following is present:

	diff --git a/tools/vmmouse_detect.c b/tools/vmmouse_detect.c
	index cfb92e1..6402b16 100644
	--- a/tools/vmmouse_detect.c
	+++ b/tools/vmmouse_detect.c
	@@ -30,9 +30,7 @@
	 #include <signal.h>
	 #include "vmmouse_client.h"

	-#ifdef HAVE_CONFIG_H
	-#include "config.h"
	-#endif
	+extern int vmmouse_uses_kernel_driver(void);

	 void
	 segvCB(int sig)
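
Review bot: The three removed lines at the top of this hunk (`#ifdef HAVE_CONFIG_H`, `#include "config.h"`, `#endif`) need to stay, because segvCB() directly below guards its exit(1) with `#if defined HAVE_XORG_SERVER_1_1_0`, and with the include gone that guard evaluates false and the handler body is empty. Add `extern int vmmouse_uses_kernel_driver(void);` after the include block rather than in place of it, and consider moving that declaration into a shared header so the prototype cannot drift from its definition.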


The above erroneously removes the "ifdef HAVE_CONFIG_H" include statement. When the above is reverted, the previous behaviour is present. Soon to append a corrected patch for the above.

- Kyle Walker

Comment 7 Kyle Walker 2017-01-06 17:04:23 UTC
Created attachment 1238054
Corrected patch to include the config.h header file.

Attaching patch to correct the missing config.h header file. Test build running below:

build (rhel-7.3-z-test, /rpms/xorg-x11-drv-vmmouse:6b363d659e84289bc5f75e4529c4b112c34bda54) | Task Info | Brew
https://brewweb.engineering.redhat.com/brew/taskinfo?taskID=12315189

Testing results:

	xorg-x11-drv-vmmouse-13.0.0-12.el7_3.bz1410582.x86_64.rpm

	$ rpm2cpio xorg-x11-drv-vmmouse-13.0.0-12.el7_3.bz1410582.x86_64.rpm | cpio -idmv
	./usr/bin/vmmouse_detect
	./usr/lib/udev/rules.d/69-xorg-vmmouse.rules
	./usr/lib64/xorg/modules/input/vmmouse_drv.so
	./usr/share/X11/xorg.conf.d/50-vmmouse.conf
	./usr/share/man/man1/vmmouse_detect.1.gz
	./usr/share/man/man4/vmmouse.4.gz
	69 blocks

	$ ./usr/bin/vmmouse_detect 
	$ echo $?
	1

With the binary function disassembly:

	$ gdb ./usr/bin/vmmouse_detect
	<snip>
	(gdb) disassem segvCB
	Dump of assembler code for function segvCB:
	   0x0000000000400c80 <+0>:	sub    $0x8,%rsp
	   0x0000000000400c84 <+4>:	mov    $0x1,%edi
	   0x0000000000400c89 <+9>:	callq  0x400b40 <exit@plt>
	End of assembler dump.

- Kyle Walker

Comment 8 Adam Jackson 2017-02-02 17:53:39 UTC
Rebased driver appears to have the right code in place.

Comment 11 errata-xmlrpc 2017-08-01 12:18:23 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:1905

