Skip site navigation (1)Skip section navigation (2) 
Date:      Sun, 4 Feb 2018 23:01:48 +0000 (UTC)
From:      Vladimir Kondratyev <wulf@FreeBSD.org>
To:        src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject:   svn commit: r328864 - head/sys/dev/atkbdc
Message-ID:  <201802042301.w14N1mj9011855@repo.freebsd.org>
next in thread | raw e-mail | index | archive | help 
Author: wulf
Date: Sun Feb  4 23:01:48 2018
New Revision: 328864
URL: https://svnweb.freebsd.org/changeset/base/328864

Log:
  psm(4): Fix panic occuring soon after PS/2 packet has been rejected by
  synaptics or elantech sanity checker.
  
  After packet has been rejected contents of packet buffer is not cleared
  with setting of inputbytes counter to 0. So when this packet buffer is
  filled again being an element of circular queue, new data appends to old
  data rather than overwrites it. This leads to packet buffer overflow
  after 10 rounds.
  
  Fix it with setting of packet's inputbytes counter to 0 after rejection.
  
  While here add extra logging of rejected packets.
  
  PR:		222667 (for reference)
  Reported by:	Neel Chauhan <neel@neelc.org>
  Tested by:	Neel Chauhan <neel@neelc.org>
  MFC after:	1 week

Modified:
  head/sys/dev/atkbdc/psm.c

Modified: head/sys/dev/atkbdc/psm.c
==============================================================================
--- head/sys/dev/atkbdc/psm.c	Sun Feb  4 20:33:47 2018	(r328863)
+++ head/sys/dev/atkbdc/psm.c	Sun Feb  4 23:01:48 2018	(r328864)
@@ -4935,13 +4935,19 @@ psmsoftintr(void *arg)
 			break;
 
 		case MOUSE_MODEL_SYNAPTICS:
-			if (proc_synaptics(sc, pb, &ms, &x, &y, &z) != 0)
+			if (proc_synaptics(sc, pb, &ms, &x, &y, &z) != 0) {
+				VLOG(3, (LOG_DEBUG, "synaptics: "
+				    "packet rejected\n"));
 				goto next;
+			}
 			break;
 
 		case MOUSE_MODEL_ELANTECH:
-			if (proc_elantech(sc, pb, &ms, &x, &y, &z) != 0)
+			if (proc_elantech(sc, pb, &ms, &x, &y, &z) != 0) {
+				VLOG(3, (LOG_DEBUG, "elantech: "
+				    "packet rejected\n"));
 				goto next;
+			}
 			break;
 
 		case MOUSE_MODEL_TRACKPOINT:
@@ -5037,9 +5043,9 @@ next_native:
 		    sizeof(sc->queue.buf);
 		sc->queue.count += pb->inputbytes;
 	}
-	pb->inputbytes = 0;
 
 next:
+	pb->inputbytes = 0;
 	if (++sc->pqueue_start >= PSM_PACKETQUEUE)
 		sc->pqueue_start = 0;
 	} while (sc->pqueue_start != sc->pqueue_end);

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201802042301.w14N1mj9011855>