On Thu, Mar 16, 2017 at 11:00:38AM +0100, Martin Pieuchot wrote:
> On 16/03/17(Thu) 10:22, Theo Buehler wrote:
> > On Thu, Mar 16, 2017 at 09:09:49AM +0100, Martin Pieuchot wrote:
> > > On 15/03/17(Wed) 11:55, Theo Buehler wrote:
> > > > >Synopsis:	two finger gesture leads to mouse pointer freeze
> > > > >Category:	kernel, amd64, usb
> > > > >Environment:
> > > > 	System      : OpenBSD 6.1
> > > > 	Details     : OpenBSD 6.1-beta (GENERIC.MP) #20: Wed Mar 15 01:49:05 MDT 2017
> > > > 			 [email protected]:/usr/src/sys/arch/amd64/compile/GENERIC.MP
> > > > 
> > > > 	Architecture: OpenBSD.amd64
> > > > 	Machine     : amd64
> > > > >Description:
> > > > 	Whenever I touch the touchpad of my MacBook Pro with two fingers
> > > > 	simultaneously, the mouse pointer freezes and remains unusable
> > > > 	until I restart X.  The output of xinput --test /dev/wsmouse1
> > > > 	stops as soon as two fingers touch the pad.
> > > > 
> > > > >How-To-Repeat:
> > > > 	Start an X session, touch the touchpad with two fingers
> > > > 	simultaneously.
> > > > >Fix:
> > > > 	Reverting usbdi.c to r1.85 fixes the problem.
> > > 
> > > Does that mean r1.86 introduced the regression?  Do you know which
> > > commit exactly it is?
> > 
> > Yes, r1.85 is good, r1.86 is bad.
> 
> Does enabling UBCMTP_DEBUG give you more info?  Which error do you get?
> 
> I'm guessing the driver is working *because* of a use after free.
A two-finger tap gives this message, both with r1.85 and with r1.89:

/bsd: ubcmtp0: ubcmtp_tp_intr with status 0xd

That is to say, USBD_IOERROR.  The only real difference I can see is this:

With r1.89, I can generate this message only once: the mouse pointer freezes
permanently and all subsequent two-finger taps don't generate any message
anymore.  As you can see below, I still get interrupts from pressing and
releasing the button.

With r1.85, a two-finger tap generates this message, the mouse pointer
freezes for 1-2 seconds, and neither finger movement nor tapping results in
any output, but button presses still do.  After the freeze, things work again
as before.

Here's all I get with usbdi.c r1.89 and UBCMTP_DEBUG enabled:

Mar 16 12:27:08 miraculix /bsd: ubcmtp0: button iface at 0x84, max size 4
Mar 16 12:27:08 miraculix /bsd: ubcmtp0: trackpad data iface at 0x81, max size 474
Mar 16 12:27:08 miraculix /bsd: ubcmtp0: in ubcmtp_ioctl with cmd 0x40045720
Mar 16 12:27:08 miraculix /bsd: ubcmtp0: button iface at 0x84, max size 4
Mar 16 12:27:08 miraculix /bsd: ubcmtp0: trackpad data iface at 0x81, max size 474
Mar 16 12:27:08 miraculix /bsd: ubcmtp0: in ubcmtp_ioctl with cmd 0x40045720
Mar 16 12:27:08 miraculix /bsd: ubcmtp0: button iface at 0x84, max size 4
Mar 16 12:27:08 miraculix /bsd: ubcmtp0: trackpad data iface at 0x81, max size 474
Mar 16 12:27:08 miraculix /bsd: ubcmtp0: in ubcmtp_ioctl with cmd 0x41205725
Mar 16 12:27:08 miraculix /bsd: ubcmtp0: in ubcmtp_ioctl with cmd 0x40045720
Mar 16 12:27:08 miraculix /bsd: ubcmtp0: in ubcmtp_ioctl with cmd 0x40045720
Mar 16 12:27:08 miraculix /bsd: ubcmtp0: button iface at 0x84, max size 4
Mar 16 12:27:08 miraculix /bsd: ubcmtp0: trackpad data iface at 0x81, max size 474
Mar 16 12:27:08 miraculix /bsd: ubcmtp0: in ubcmtp_ioctl with cmd 0x80045726
Mar 16 12:27:08 miraculix /bsd: ubcmtp0: changing mode to native
Mar 16 12:27:08 miraculix /bsd: ubcmtp0: in ubcmtp_ioctl with cmd 0x80047410
Mar 16 12:27:08 miraculix /bsd: ubcmtp0: in ubcmtp_ioctl with cmd 0x40045720
Mar 16 12:27:45 miraculix /bsd: ubcmtp0: button interrupt (2, 1, 0, 0)
Mar 16 12:27:45 miraculix /bsd: ubcmtp0: button interrupt (2, 0, 0, 0)
Mar 16 12:27:51 miraculix /bsd: ubcmtp0: ubcmtp_tp_intr with status 0xd
Mar 16 12:28:21 miraculix /bsd: ubcmtp0: button interrupt (2, 1, 0, 0)
Mar 16 12:28:21 miraculix /bsd: ubcmtp0: button interrupt (2, 0, 0, 0)
Mar 16 12:28:24 miraculix /bsd: ubcmtp0: button interrupt (2, 1, 0, 0)
Mar 16 12:28:25 miraculix /bsd: ubcmtp0: button interrupt (2, 0, 0, 0)
Mar 16 12:28:27 miraculix /bsd: ubcmtp0: button interrupt (2, 1, 0, 0)
Mar 16 12:28:27 miraculix /bsd: ubcmtp0: button interrupt (2, 0, 0, 0)
Mar 16 12:28:43 miraculix /bsd: ubcmtp0: button interrupt (2, 1, 0, 0)
Mar 16 12:28:43 miraculix /bsd: ubcmtp0: button interrupt (2, 0, 0, 0)

and with usbdi.c r1.85 and UBCMTP_DEBUG enabled:

Mar 16 12:17:56 miraculix /bsd: ubcmtp0: button iface at 0x84, max size 4
Mar 16 12:17:56 miraculix /bsd: ubcmtp0: trackpad data iface at 0x81, max size 474
Mar 16 12:17:56 miraculix /bsd: ubcmtp0: in ubcmtp_ioctl with cmd 0x40045720
Mar 16 12:17:56 miraculix /bsd: ubcmtp0: button iface at 0x84, max size 4
Mar 16 12:17:56 miraculix /bsd: ubcmtp0: trackpad data iface at 0x81, max size 474
Mar 16 12:17:56 miraculix /bsd: ubcmtp0: in ubcmtp_ioctl with cmd 0x40045720
Mar 16 12:17:56 miraculix /bsd: ubcmtp0: button iface at 0x84, max size 4
Mar 16 12:17:56 miraculix /bsd: ubcmtp0: trackpad data iface at 0x81, max size 474
Mar 16 12:17:56 miraculix /bsd: ubcmtp0: in ubcmtp_ioctl with cmd 0x41205725
Mar 16 12:17:56 miraculix /bsd: ubcmtp0: in ubcmtp_ioctl with cmd 0x40045720
Mar 16 12:17:56 miraculix /bsd: ubcmtp0: in ubcmtp_ioctl with cmd 0x40045720
Mar 16 12:17:56 miraculix /bsd: ubcmtp0: button iface at 0x84, max size 4
Mar 16 12:17:56 miraculix /bsd: ubcmtp0: trackpad data iface at 0x81, max size 474
Mar 16 12:17:56 miraculix /bsd: ubcmtp0: in ubcmtp_ioctl with cmd 0x80045726
Mar 16 12:17:56 miraculix /bsd: ubcmtp0: changing mode to native
Mar 16 12:17:56 miraculix /bsd: ubcmtp0: in ubcmtp_ioctl with cmd 0x80047410
Mar 16 12:17:56 miraculix /bsd: ubcmtp0: in ubcmtp_ioctl with cmd 0x40045720
Mar 16 12:18:21 miraculix /bsd: ubcmtp0: ubcmtp_tp_intr with status 0xd
Mar 16 12:18:24 miraculix /bsd: ubcmtp0: ubcmtp_tp_intr with status 0xd
Mar 16 12:18:25 miraculix /bsd: ubcmtp0: button interrupt (2, 1, 0, 0)
Mar 16 12:18:26 miraculix /bsd: ubcmtp0: button interrupt (2, 0, 0, 0)
Mar 16 12:18:27 miraculix /bsd: ubcmtp0: button interrupt (2, 1, 0, 0)
Mar 16 12:18:27 miraculix /bsd: ubcmtp0: button interrupt (2, 0, 0, 0)
Mar 16 12:18:31 miraculix /bsd: ubcmtp0: ubcmtp_tp_intr with status 0xd
Mar 16 12:18:53 miraculix last message repeated 3 times
Mar 16 12:18:54 miraculix /bsd: ubcmtp0: button interrupt (2, 1, 0, 0)
Mar 16 12:18:55 miraculix /bsd: ubcmtp0: button interrupt (2, 0, 0, 0)
Mar 16 12:18:59 miraculix /bsd: ubcmtp0: ubcmtp_tp_intr with status 0xd
Mar 16 12:19:02 miraculix /bsd: ubcmtp0: button interrupt (2, 1, 0, 0)
Mar 16 12:19:02 miraculix /bsd: ubcmtp0: button interrupt (2, 0, 0, 0)
Mar 16 12:19:04 miraculix /bsd: ubcmtp0: button interrupt (2, 1, 0, 0)
Mar 16 12:19:04 miraculix /bsd: ubcmtp0: button interrupt (2, 0, 0, 0)
Mar 16 12:19:06 miraculix /bsd: ubcmtp0: button interrupt (2, 1, 0, 0)
Mar 16 12:19:06 miraculix /bsd: ubcmtp0: button interrupt (2, 0, 0, 0)
Mar 16 12:19:08 miraculix /bsd: ubcmtp0: ubcmtp_tp_intr with status 0xd
Mar 16 12:19:14 miraculix /bsd: ubcmtp0: ubcmtp_tp_intr with status 0xd
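The two behaviours above (one IOERROR and the trackpad is dead until X reopens it, versus a short freeze and then recovery) come down to whether anything queues a new interrupt transfer after a completion with a non-normal status. The following is an added, stand-alone C mock written for this page; it is not ubcmtp.c, not the usbdi.c r1.86 change, and does not claim to model the use after free Martin suspects. It models a USB interrupt pipe's re-queue policy with a constructed event stream. The status values are chosen to mirror sys/dev/usb/usbdi.h: only USBD_IOERROR = 0xd is confirmed by the thread, USBD_CANCELLED and USBD_STALLED are assumed, and the REOPEN marker stands in for userland closing and reopening the wsmouse device.

```c
/*
 * Added illustration, not OpenBSD driver code: a mock of the re-queue policy
 * of a USB interrupt pipe. One transient USBD_IOERROR either costs a single
 * report or freezes the pointer until the pipe is reopened. Only
 * USBD_IOERROR = 0xd is confirmed by the thread; the other values are assumed
 * to match sys/dev/usb/usbdi.h. Nothing here models what r1.86 changed.
 */
#include <stdio.h>
#include <string.h>

typedef enum {
	USBD_NORMAL_COMPLETION = 0,
	USBD_CANCELLED = 6,		/* assumed: pipe is being closed */
	USBD_IOERROR = 13,		/* 0xd, as logged by ubcmtp_tp_intr */
	USBD_STALLED = 17		/* assumed: endpoint halted */
} usbd_status;

#define REOPEN (-1)	/* stream marker: wsmouse closed and reopened (X restart) */

enum requeue_policy { REQUEUE_ON_ERROR, STOP_ON_ERROR };

struct mock_tp {
	int xfer_queued;	/* 1 while an interrupt transfer is outstanding */
	int stall_clears;	/* stand-in for usbd_clear_endpoint_stall_async() */
	int reports;		/* reports handed to wsmouse */
	int dropped;		/* device events with no transfer to complete into */
};

static void queue_xfer(struct mock_tp *sc) { sc->xfer_queued = 1; }

/* Completion-callback stand-in for ubcmtp_tp_intr(). */
static void
tp_intr(struct mock_tp *sc, usbd_status status, enum requeue_policy pol)
{
	sc->xfer_queued = 0;		/* the outstanding transfer just finished */
	if (status == USBD_CANCELLED)	/* pipe closing: never requeue */
		return;
	if (status == USBD_STALLED) {	/* clear the halt, then requeue */
		sc->stall_clears++;
		queue_xfer(sc);
		return;
	}
	if (status != USBD_NORMAL_COMPLETION) {	/* USBD_IOERROR and friends */
		if (pol == REQUEUE_ON_ERROR)
			queue_xfer(sc);
		return;			/* this report is lost either way */
	}
	sc->reports++;
	queue_xfer(sc);
}

/*
 * Feed a constructed event stream (statuses, or REOPEN) through the mock.
 * Returns reports delivered; if dropped is non-NULL it receives the number
 * of events that arrived while nothing was queued, i.e. the frozen pointer.
 */
static int
run_sequence(const int *seq, int n, enum requeue_policy pol, int *dropped)
{
	struct mock_tp sc;
	int i;

	memset(&sc, 0, sizeof sc);
	queue_xfer(&sc);		/* usbd_open_pipe_intr() queues the first one */
	for (i = 0; i < n; i++) {
		if (seq[i] == REOPEN) {
			queue_xfer(&sc);
			continue;
		}
		if (!sc.xfer_queued) {
			sc.dropped++;	/* device had data, driver never sees it */
			continue;
		}
		tp_intr(&sc, (usbd_status)seq[i], pol);
	}
	if (dropped != NULL)
		*dropped = sc.dropped;
	return sc.reports;
}

static int
dropped_for(const int *seq, int n, enum requeue_policy pol)
{
	int d;
	(void)run_sequence(seq, n, pol, &d);
	return d;
}

/* Constructed streams: touches around a two-finger tap the device answers
 * with an I/O error; the second one also contains an X restart. */
static const int demo_tap[] = {
	USBD_NORMAL_COMPLETION, USBD_NORMAL_COMPLETION, USBD_IOERROR,
	USBD_NORMAL_COMPLETION, USBD_NORMAL_COMPLETION, USBD_NORMAL_COMPLETION
};
static const int demo_restart[] = {
	USBD_NORMAL_COMPLETION, USBD_IOERROR, USBD_NORMAL_COMPLETION, REOPEN,
	USBD_NORMAL_COMPLETION, USBD_NORMAL_COMPLETION
};

int
main(void)
{
	printf("requeue: %d reports, %d dropped\n",
	    run_sequence(demo_tap, 6, REQUEUE_ON_ERROR, NULL),
	    dropped_for(demo_tap, 6, REQUEUE_ON_ERROR));	/* 5, 0 */
	printf("stop:    %d reports, %d dropped\n",
	    run_sequence(demo_tap, 6, STOP_ON_ERROR, NULL),
	    dropped_for(demo_tap, 6, STOP_ON_ERROR));		/* 2, 3 */
	printf("stop+restart: %d reports, %d dropped\n",
	    run_sequence(demo_restart, 6, STOP_ON_ERROR, NULL),
	    dropped_for(demo_restart, 6, STOP_ON_ERROR));	/* 3, 1 */
	return 0;
}
```

Under STOP_ON_ERROR every touch after the first IOERROR is counted as dropped until REOPEN queues a fresh transfer, which is the r1.89 symptom (no further ubcmtp_tp_intr lines, button interrupts unaffected because they use a separate pipe); under REQUEUE_ON_ERROR only the erroring report is lost, which is the r1.85 symptom. When triaging a similar report, the first check is therefore whether any transfer is still outstanding on the pipe after the error, before looking at the device.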
