531884 – Crashes when fiddling with input devices

Bug 531884 - Crashes when fiddling with input devices

Summary: Crashes when fiddling with input devices

Keywords:
Status:	CLOSED CANTFIX
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	xorg-x11-server
Sub Component:
Version:	rawhide
Hardware:	All
OS:	Linux
Priority:	low
Severity:	medium
Target Milestone:	---
Assignee:	Peter Hutterer
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2009-10-29 18:19 UTC by Bastien Nocera
Modified:	2018-04-11 12:29 UTC (History)
CC List:	5 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:	2009-11-08 23:21:57 UTC
Type:	---
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Description Bastien Nocera 2009-10-29 18:19:02 UTC

hal-0.5.13-9.fc12.x86_64
xorg-x11-server-Xorg-1.7.0-1.fc12.x86_64
xorg-x11-drv-evdev-2.3.0-1.fc12.x86_64

double-free error from libc

#0  0x000000349bc33575 in raise (sig=<value optimized out>) at ../nptl/sysdeps/unix/sysv/linux/raise.c:64
#1  0x000000349bc34d55 in abort () at abort.c:92
#2  0x000000349bc70393 in __libc_message (do_abort=<value optimized out>, fmt=<value optimized out>) at ../sysdeps/unix/sysv/linux/libc_fatal.c:186
#3  0x000000349bc75dc6 in malloc_printerr (action=3, str=0x349bd3fc1e "free(): invalid pointer", ptr=<value optimized out>) at malloc.c:6264
#4  0x00000000004e2553 in XIDeleteAllDeviceProperties (device=0x17c0860) at xiproperty.c:622
#5  0x00000000004257b4 in CloseDevice (dev=0x17c0860) at devices.c:833
#6  0x00000000004268a5 in RemoveDevice (dev=0x17c0860, sendevent=1 '\001') at devices.c:993
#7  0x0000000000479114 in DeleteInputDeviceRequest (pDev=0x17c0860) at xf86Xinput.c:671
#8  0x0000000000455c30 in remove_device (dev=0x17c0860) at hal.c:72
#9  0x0000000000455ccf in device_removed (ctx=<value optimized out>, udi=<value optimized out>) at hal.c:90
#10 0x00000034aac0bb68 in filter_func (connection=0x14f8ab0, message=0x191dc10, user_data=0x14fac90) at libhal.c:1067
#11 0x00000034a14109d6 in dbus_connection_dispatch (connection=0x14f8ab0) at dbus-connection.c:4444
#12 0x00000034a1410bff in _dbus_connection_read_write_dispatch (connection=0x14f8ab0, timeout_milliseconds=0, dispatch=1) at dbus-connection.c:3469
#13 0x00000000004558db in wakeup_handler (data=0x7d23c0, err=<value optimized out>, read_mask=<value optimized out>) at dbus-core.c:57
#14 0x00000000004318eb in WakeupHandler (result=-1, pReadmask=0x7dc6a0) at dixutils.c:413
#15 0x000000000045bd77 in WaitForSomething (pClientsReady=<value optimized out>) at WaitFor.c:232
#16 0x000000000042c322 in Dispatch () at dispatch.c:381
#17 0x0000000000421c9a in main (argc=<value optimized out>, argv=<value optimized out>, envp=<value optimized out>) at main.c:285

(gdb) frame 4
#4  0x00000000004e2553 in XIDeleteAllDeviceProperties (device=0x17c0860) at xiproperty.c:622
622	        XIDestroyDeviceProperty(prop);
(gdb) list
617	
618	    for (prop = device->properties.properties; prop; prop = next)
619	    {
620	        next = prop->next;
621	        send_property_event(device, prop->propertyName, XIPropertyDeleted);
622	        XIDestroyDeviceProperty(prop);
623	    }
624	
625	    /* Now free all handlers */
626	    curr_handler = device->properties.handlers;
(gdb) p prop
$2 = (XIPropertyRec *) 0x5cd
(gdb) p device
$3 = (struct _DeviceIntRec *) 0x17c0860

Comment 1 Peter Hutterer 2009-11-04 03:54:09 UTC

What did you do to get this crash? just plug/unplug or something more?

Comment 2 Matěj Cepl 2009-11-05 17:19:56 UTC

Since this bugzilla report was filed, there have been several major updates in various components of the Xorg system, which may have resolved this issue. Users who have experienced this problem are encouraged to upgrade their system to the latest version of their packages (at least F12Beta, but even better if the very latest versions).

Please, if you experience this problem on the up-to-date system, let us now in the comment for this bug, or whether the upgraded system works for you.

If you won't be able to reply in one month, I will have to close this bug as INSUFFICIENT_DATA. Thank you.

[This is a bulk message for all open Fedora Rawhide Xorg-related bugs. I'm adding myself to the CC list for each bug, so I'll see any comments you make after this and do my best to make sure every issue gets proper attention.]

Comment 3 Bastien Nocera 2009-11-05 19:32:28 UTC

(In reply to comment #1)
> What did you do to get this crash? just plug/unplug or something more?  

That's what happens when hid2hci runs on a Logitech keyboard/mouse dongle. I think the problem is that the input device created in USB mode disappears pretty much straight away when switching to Bluetooth mode.

Comment 4 Peter Hutterer 2009-11-06 04:18:21 UTC

was this a once-off thing?
I just plugged+unplugged hardware and software emulation devices as fast as I could but didn't see anything like this. Is is consistently reproducible?

if so, can you get me the valgrind output from X for when this happens?

Comment 5 Bastien Nocera 2009-11-06 10:55:16 UTC

It was consistently reproduceable, unfortunately, the Logitech dongle "died", and doesn't load its own firmware anymore, meaning it just shows up as a Broadcom Bluetooth dongle as opposed to a Logitech USB HID proxy device.

Want to close this?

Comment 6 Peter Hutterer 2009-11-08 23:21:57 UTC

Closing as CANTFIX for now, please reopen when that occurs again. Still unable to reproduce it and the property screwup indicates some memory corruption somewhere.

Comment 7 Marko Macek 2009-12-28 08:59:45 UTC

opened new bug 550948

Note You need to log in before you can comment on or make changes to this bug.