Re: usbdi.c regression: mouse pointer freeze on two finger gesture

Thu, 16 Mar 2017 22:43:27 -0700 

On Thu, Mar 16, 2017 at 12:42:12PM +0100, Theo Buehler wrote:
> On Thu, Mar 16, 2017 at 11:00:38AM +0100, Martin Pieuchot wrote:
> > On 16/03/17(Thu) 10:22, Theo Buehler wrote:
> > > On Thu, Mar 16, 2017 at 09:09:49AM +0100, Martin Pieuchot wrote:
> > > > On 15/03/17(Wed) 11:55, Theo Buehler wrote:
> > > > > >Synopsis:    two finger gesture leads to mouse pointer freeze
> > > > > >Category:    kernel, amd64, usb
> > > > > >Environment:
> > > > >       System      : OpenBSD 6.1
> > > > >       Details     : OpenBSD 6.1-beta (GENERIC.MP) #20: Wed Mar 15 
> > > > > 01:49:05 MDT 2017
> > > > >                        
> > > > > [email protected]:/usr/src/sys/arch/amd64/compile/GENERIC.MP
> > > > > 
> > > > >       Architecture: OpenBSD.amd64
> > > > >       Machine     : amd64
> > > > > >Description:
> > > > >       Wenever I touch the touchpad of my MacBook pro with two fingers
> > > > >       simultaneously, the mouse pointer freezes and remains unusable
> > > > >       until I restart X. The output of xinput --test /dev/wsmouse1 
> > > > >       stops as soon as two fingers touch the pad.
> > > > >       
> > > > > >How-To-Repeat:
> > > > >       Start an X session, touch touchpad with two fingers 
> > > > > simultaneously.
> > > > > >Fix:
> > > > >       Reverting usbdi.c to r1.85 fixes the problem.
> > > > 
> > > > Does that mean r1.86 introduced the regression?  Do you know which
> > > > commit exactly it is ?
> > > 
> > > Yes, r1.85 is good r1.86 is bad.
> > 
> > Does enabling UBCMTP_DEBUG gives you more info?  Which error do you get?
> > 
> > I'm guessing the driver is working *because* of a use after free.
> 
> A two-finger tap gives this message, both with r1.85 and with r1.89:
> 
> /bsd: ubcmtp0: ubcmtp_tp_intr with status 0xd
> 
> That is to say, USBD_IOERROR.

I don't know if this helps at all or if it just confirms what you
already know: I inserted a db_stack_dump() conditionally on USBD_IOERROR
in ubcmtp_tp_intr() and set usbdebug = 6 (diff below).

With r1.89, I see the following two lines after a two finger tap:

Mar 17 06:18:20 miraculix /bsd: usb_freemem: large free
Mar 17 06:18:20 miraculix /bsd: usb_transfer_complete: repeat=0 new head=0x0

These aren't present with r1.85.

With usbdi.c r1.85, a two finger tap produces a variation of this:

Mar 17 06:09:57 miraculix /bsd: usb_transfer_complete: pipe=0xffff8000006eb200 
xfer=0xffffff000587db58 status=0 actlen=54
Mar 17 06:09:57 miraculix /bsd: usb_transfer_complete: repeat=1 new 
head=0xffffff000587db58
Mar 17 06:09:57 miraculix /bsd: usb_transfer_complete: pipe=0xffff8000006eb200 
xfer=0xffffff000587db58 status=0 actlen=54
Mar 17 06:09:57 miraculix /bsd: usb_transfer_complete: repeat=1 new 
head=0xffffff000587db58
Mar 17 06:09:58 miraculix /bsd: usb_transfer_complete: pipe=0xffff8000006eb200 
xfer=0xffffff000587db58 status=13 actlen=474
Mar 17 06:09:58 miraculix /bsd: usb_transfer_complete: repeat=1 new 
head=0xffffff000587db58
Mar 17 06:09:58 miraculix /bsd: Starting stack trace...
Mar 17 06:09:58 miraculix /bsd: ubcmtp_tp_intr() at ubcmtp_tp_intr+0x1e2
Mar 17 06:09:58 miraculix /bsd: usb_transfer_complete() at 
usb_transfer_complete+0x141
Mar 17 06:09:58 miraculix /bsd: uhci_softintr() at uhci_softintr+0x3f
Mar 17 06:09:58 miraculix /bsd: softintr_dispatch() at softintr_dispatch+0x8b
Mar 17 06:09:58 miraculix /bsd: Xsoftnet() at Xsoftnet+0x1f
Mar 17 06:09:58 miraculix /bsd: --- interrupt ---
Mar 17 06:09:58 miraculix /bsd: end trace frame: 0x0, count: 252
Mar 17 06:09:58 miraculix /bsd: 0x8:
Mar 17 06:09:58 miraculix /bsd: End of stack trace.
Mar 17 06:09:58 miraculix /bsd: usb_transfer_complete: pipe=0xffff8000006eb200 
xfer=0xffffff000587db58 status=0 actlen=18
Mar 17 06:09:58 miraculix /bsd: usb_transfer_complete: repeat=1 new 
head=0xffffff000587db58
Mar 17 06:09:58 miraculix /bsd: usb_transfer_complete: pipe=0xffff8000006eb200 
xfer=0xffffff000587db58 status=0 actlen=82
Mar 17 06:09:58 miraculix /bsd: usb_transfer_complete: repeat=1 new 
head=0xffffff000587db58
Mar 17 06:10:08 miraculix /bsd: usb_transfer_complete: pipe=0xffff8000006eb200 
xfer=0xffffff000587db58 status=0 actlen=438
Mar 17 06:10:08 miraculix /bsd: usb_transfer_complete: repeat=1 new 
head=0xffffff000587db58

and with usbdi.c r1.89:

Mar 17 06:18:19 miraculix /bsd: usb_transfer_complete: repeat=1 new 
head=0xffffff000587db58
Mar 17 06:18:20 miraculix /bsd: usb_transfer_complete: pipe=0xffff8000006db200 
xfer=0xffffff000587db58 status=13 actlen=474
Mar 17 06:18:20 miraculix /bsd: usb_transfer_complete: repeat=1 new 
head=0xffffff000587db58
Mar 17 06:18:20 miraculix /bsd: Starting stack trace...
Mar 17 06:18:20 miraculix /bsd: ubcmtp_tp_intr() at ubcmtp_tp_intr+0x1e2
Mar 17 06:18:20 miraculix /bsd: usb_transfer_complete() at 
usb_transfer_complete+0x157
Mar 17 06:18:20 miraculix /bsd: uhci_softintr() at uhci_softintr+0x3f
Mar 17 06:18:20 miraculix /bsd: softintr_dispatch() at softintr_dispatch+0x8b
Mar 17 06:18:20 miraculix /bsd: Xsoftnet() at Xsoftnet+0x1f
Mar 17 06:18:20 miraculix /bsd: --- interrupt ---
Mar 17 06:18:20 miraculix /bsd: end trace frame: 0x0, count: 252
Mar 17 06:18:20 miraculix /bsd: 0x8:
Mar 17 06:18:20 miraculix /bsd: End of stack trace.
Mar 17 06:18:20 miraculix /bsd: usb_transfer_complete: pipe=0xffff8000006db200 
xfer=0xffffff000587db58 status=0 actlen=18
Mar 17 06:18:20 miraculix /bsd: usb_freemem: large free
Mar 17 06:18:20 miraculix /bsd: usb_transfer_complete: repeat=0 new head=0x0
Mar 17 06:18:20 miraculix /bsd: usbd_start_next: pipe=0xffff8000006db200, 
xfer=0x0
Mar 17 06:18:59 miraculix /bsd: usb_transfer_complete: pipe=0xffff8000006db100 
xfer=0xffffff000587da50 status=0 actlen=4
Mar 17 06:18:59 miraculix /bsd: usb_transfer_complete: repeat=1 new 
head=0xffffff000587da50

Index: ubcmtp.c
===================================================================
RCS file: /var/cvs/src/sys/dev/usb/ubcmtp.c,v
retrieving revision 1.13
diff -u -p -r1.13 ubcmtp.c
--- ubcmtp.c    15 Mar 2017 21:43:45 -0000      1.13
+++ ubcmtp.c    17 Mar 2017 03:24:51 -0000
@@ -61,6 +61,9 @@
 #define DPRINTF(x...)
 #endif
 
+#ifdef DDB
+#include <ddb/db_output.h>
+#endif
 /* magic to switch device from HID (default) mode into raw */
 #define UBCMTP_WELLSPRING_MODE_RAW     0x01
 #define UBCMTP_WELLSPRING_MODE_HID     0x08
@@ -804,6 +807,8 @@ ubcmtp_tp_intr(struct usbd_xfer *xfer, v
                DPRINTF("%s: %s with status 0x%x\n", sc->sc_dev.dv_xname,
                    __func__, status);
 
+               if (status == USBD_IOERROR)
+                       db_stack_dump();
                if (status == USBD_NOT_STARTED || status == USBD_CANCELLED)
                        return;
                if (status == USBD_STALLED)
Index: usb.c
===================================================================
RCS file: /var/cvs/src/sys/dev/usb/usb.c,v
retrieving revision 1.111
diff -u -p -r1.111 usb.c
--- usb.c       18 May 2016 18:28:58 -0000      1.111
+++ usb.c       17 Mar 2017 04:52:48 -0000
@@ -67,7 +67,7 @@
 #ifdef USB_DEBUG
 #define DPRINTF(x)     do { if (usbdebug) printf x; } while (0)
 #define DPRINTFN(n,x)  do { if (usbdebug>(n)) printf x; } while (0)
-int    usbdebug = 0;
+int    usbdebug = 6;
 #if defined(UHCI_DEBUG) && NUHCI > 0
 extern int     uhcidebug;
 #endif
Index: usb.h
===================================================================
RCS file: /var/cvs/src/sys/dev/usb/usb.h,v
retrieving revision 1.57
diff -u -p -r1.57 usb.h
--- usb.h       19 Jun 2016 22:13:07 -0000      1.57
+++ usb.h       17 Mar 2017 04:55:01 -0000
@@ -32,7 +32,7 @@
  * POSSIBILITY OF SUCH DAMAGE.
  */
 
-
+#define USB_DEBUG
 #ifndef _USB_H_
 #define _USB_H_

Reply via email to