Author: wulf
Date: Sun Feb 4 23:01:48 2018
New Revision: 328864
URL: https://svnweb.freebsd.org/changeset/base/328864
Log:
psm(4): Fix panic occuring soon after PS/2 packet has been rejected by
synaptics or elantech sanity checker.
After packet has been rejected contents of packet buffer is not cleared
with setting of inputbytes counter to 0. So when this packet buffer is
filled again being an element of circular queue, new data appends to old
data rather than overwrites it. This leads to packet buffer overflow
after 10 rounds.
Fix it with setting of packet's inputbytes counter to 0 after rejection.
While here add extra logging of rejected packets.
PR: 222667 (for reference)
Reported by: Neel Chauhan <n...@neelc.org>
Tested by: Neel Chauhan <n...@neelc.org>
MFC after: 1 week
Modified:
head/sys/dev/atkbdc/psm.c
Modified: head/sys/dev/atkbdc/psm.c
==============================================================================
--- head/sys/dev/atkbdc/psm.c Sun Feb 4 20:33:47 2018 (r328863)
+++ head/sys/dev/atkbdc/psm.c Sun Feb 4 23:01:48 2018 (r328864)
@@ -4935,13 +4935,19 @@ psmsoftintr(void *arg)
break;
case MOUSE_MODEL_SYNAPTICS:
- if (proc_synaptics(sc, pb, &ms, &x, &y, &z) != 0)
+ if (proc_synaptics(sc, pb, &ms, &x, &y, &z) != 0) {
+ VLOG(3, (LOG_DEBUG, "synaptics: "
+ "packet rejected\n"));
goto next;
+ }
break;
case MOUSE_MODEL_ELANTECH:
- if (proc_elantech(sc, pb, &ms, &x, &y, &z) != 0)
+ if (proc_elantech(sc, pb, &ms, &x, &y, &z) != 0) {
+ VLOG(3, (LOG_DEBUG, "elantech: "
+ "packet rejected\n"));
goto next;
+ }
break;
case MOUSE_MODEL_TRACKPOINT:
@@ -5037,9 +5043,9 @@ next_native:
sizeof(sc->queue.buf);
sc->queue.count += pb->inputbytes;
}
- pb->inputbytes = 0;
next:
+ pb->inputbytes = 0;
if (++sc->pqueue_start >= PSM_PACKETQUEUE)
sc->pqueue_start = 0;
} while (sc->pqueue_start != sc->pqueue_end);
_______________________________________________
svn-src-all@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/svn-src-all
To unsubscribe, send any mail to "svn-src-all-unsubscr...@freebsd.org"
