Launchpad has imported 2 comments from the remote bug at https://bugs.freedesktop.org/show_bug.cgi?id=49439.
If you reply to an imported comment from within Launchpad, your comment will be sent to the remote bug automatically. Read more about Launchpad's inter-bugtracker facilities at https://help.launchpad.net/InterBugTracking.

------------------------------------------------------------------------
On 2012-05-03T17:32:20+00:00 Maarten Lankhorst wrote:

Created attachment 60979
Diff needed to trigger the problem in Ubuntu.

priv->num_slots can grow out of bounds if multitouch is enabled, resulting in memory corruption. A simple patch is attached that crashes when the problem is triggered.

On my laptop I seem to be able to reproduce it by simply running /usr/bin/Xorg in 1 window, making circles with 2 fingers on touchpad and then starting DISPLAY=:0 /etc/X11/Xsession in another.

Backtrace:
#0  0x00007ffff61cf445 in __GI_raise (sig=<optimized out>) at ../nptl/sysdeps/unix/sysv/linux/raise.c:64
#1  0x00007ffff61d2bab in __GI_abort () at abort.c:91
#2  0x00007ffff61c810e in __assert_fail_base (fmt=<optimized out>, assertion=0x7fffefdd4186 "priv->num_active_touches >= 0", file=0x7fffefdd4170 "../../src/synaptics.c", line=<optimized out>, function=<optimized out>) at assert.c:94
#3  0x00007ffff61c81b2 in __GI___assert_fail (assertion=0x7fffefdd4186 "priv->num_active_touches >= 0", file=0x7fffefdd4170 "../../src/synaptics.c", line=3021, function=0x7fffefdd4100 "UpdateTouchState") at assert.c:103
#4  0x00007fffefdc9e30 in UpdateTouchState (hw=<optimized out>, pInfo=<optimized out>) at ../../src/synaptics.c:3021
#5  0x00007fffefdcb033 in HandleTouches (hw=0x555555d5d3f0, pInfo=0x555555d35940) at ../../src/synaptics.c:3113
#6  HandleState (pInfo=<optimized out>, hw=<optimized out>, now=<optimized out>, from_timer=<optimized out>) at ../../src/synaptics.c:3306
#7  0x00007fffefdcd0b0 in ReadInput (pInfo=0x555555d35940) at ../../src/synaptics.c:1678
#8  0x00005555555df787 in xf86SigioReadInput (fd=<optimized out>, closure=0x555555d35940) at ../../../../hw/xfree86/common/xf86Events.c:298
#9  0x0000555555605757 in xf86SIGIO (sig=<optimized out>) at ../../../../../hw/xfree86/os-support/linux/../shared/sigio.c:111
#10 <signal handler called>
#11 SmartScheduleTimer (sig=14) at ../../os/utils.c:1158
#12 <signal handler called>
#13 __GI__dl_debug_state () at dl-debug.c:77
#14 0x00007ffff7ded908 in dl_open_worker (a=0x7fffffffdf70) at dl-open.c:294
#15 0x00007ffff7de9176 in _dl_catch_error (objname=0x7fffffffdfb8, errstring=0x7fffffffdfc0, mallocedp=0x7fffffffdfcf, operate=0x7ffff7ded700 <dl_open_worker>, args=0x7fffffffdf70) at dl-error.c:178
#16 0x00007ffff7ded31a in _dl_open (file=0x7fffffffe1c0 "libnss_compat.so.2", mode=-2147483647, caller_dlopen=0x7ffff629d21e, nsid=-2, argc=1, argv=<optimized out>, env=0x555555969370) at dl-open.c:639
#17 0x00007ffff62c7e02 in do_dlopen (ptr=0x7fffffffe170) at dl-libc.c:89
#18 0x00007ffff7de9176 in _dl_catch_error (objname=0x7fffffffe1a0, errstring=0x7fffffffe190, mallocedp=0x7fffffffe1af, operate=0x7ffff62c7dc0 <do_dlopen>, args=0x7fffffffe170) at dl-error.c:178
#19 0x00007ffff62c7ec4 in dlerror_run (args=0x7fffffffe170, operate=0x7ffff62c7dc0 <do_dlopen>) at dl-libc.c:48
#20 __GI___libc_dlopen_mode (name=<optimized out>, mode=<optimized out>) at dl-libc.c:165
#21 0x00007ffff629d21e in nss_load_library (ni=<optimized out>) at nsswitch.c:372
#22 0x00007ffff629dc7d in __GI___nss_lookup_function (ni=0x555555d79330, fct_name=0x7ffff63127aa "getpwnam_r") at nsswitch.c:474
#23 0x00007ffff629de8c in __GI___nss_lookup (ni=0x7fffffffe2d0, fct_name=0x7ffff63127aa "getpwnam_r", fct2_name=0x0, fctp=0x7fffffffe2e0) at nsswitch.c:202
#24 0x00007ffff62562c8 in __getpwnam_r (name=0x555555ce4990 "i", resbuf=0x7ffff6552320, buffer=0x555555b35870 "X\374T\366\377\177", buflen=1024, result=0x7fffffffe330) at ../nss/getXXbyYY_r.c:203
#25 0x00007ffff6255b74 in getpwnam (name=0x555555ce4990 "i") at ../nss/getXXbyYY.c:117
#26 0x00005555556db375 in siLocalCredGetId (addr=0x555555c7a272 "i", len=1, lcPriv=0x555555952790, id=0x7fffffffe3cc) at ../../os/access.c:1980
#27 0x00005555556db3d1 in siLocalCredCheckAddr (addrString=<optimized out>, length=<optimized out>, typePriv=<optimized out>) at ../../os/access.c:2055
#28 0x00005555556db11c in siCheckAddr (addrString=<optimized out>, length=11) at ../../os/access.c:1686
#29 0x00005555556dc4af in AddHost (client=0x555555ce4c60, family=5, length=11, pAddr=0x555555c7a268) at ../../os/access.c:1249
#30 0x00005555555a2881 in Dispatch () at ../../dix/dispatch.c:439
#31 0x00005555555917aa in main (argc=1, argv=<optimized out>, envp=<optimized out>) at ../../dix/main.c:287

Reply at: https://bugs.launchpad.net/xserver-xorg-input-synaptics/+bug/941953/comments/6

------------------------------------------------------------------------
On 2012-05-03T17:46:11+00:00 Maarten Lankhorst wrote:

Backtrace was with synaptics 1.6.0

Reply at: https://bugs.launchpad.net/xserver-xorg-input-synaptics/+bug/941953/comments/7

** Changed in: xserver-xorg-input-synaptics
   Status: Unknown => In Progress

** Changed in: xserver-xorg-input-synaptics
   Importance: Unknown => High

--
You received this bug notification because you are a member of Ubuntu-X, which is subscribed to xserver-xorg-input-synaptics in Ubuntu.
https://bugs.launchpad.net/bugs/941953

Title:
  Xorg crashed with SIGSEGV in WriteToClient() with buf = 0x100000000 from ProcXIGetProperty()

Mailing list: https://launchpad.net/~ubuntu-x-swat

