Source-Changes-HG archive


[src/trunk]: src/sys/dev/wscons PR/32794: Paul Shupak: Panic in wsmouse code.



details:   https://anonhg.NetBSD.org/src/rev/5f0b945f6638
branches:  trunk
changeset: 588165:5f0b945f6638
user:      christos <christos%NetBSD.org@localhost>
date:      Fri Feb 10 17:33:01 2006 +0000

description:
PR/32794: Paul Shupak: Panic in wsmouse code.
Checking the number of events after you've trashed the stack is not very
useful. Instead, break out of the loop if we ran out, printing a message.
Also don't try to inject 0 events; reset our state instead. Maybe having
0 events should be a diagnostic printf at this point? Anyway it is not
nice having the kernel die because the mouse code got confused. Finally,
explain why the array of events is sized funny.

diffstat:

 sys/dev/wscons/wsmouse.c |  16 ++++++++++------
 1 files changed, 10 insertions(+), 6 deletions(-)

diffs (51 lines):

diff -r 9b70ea734d38 -r 5f0b945f6638 sys/dev/wscons/wsmouse.c
--- a/sys/dev/wscons/wsmouse.c  Fri Feb 10 16:01:45 2006 +0000
+++ b/sys/dev/wscons/wsmouse.c  Fri Feb 10 17:33:01 2006 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: wsmouse.c,v 1.40 2006/02/07 09:13:02 jmmv Exp $ */
+/* $NetBSD: wsmouse.c,v 1.41 2006/02/10 17:33:01 christos Exp $ */
 
 /*-
  * Copyright (c) 2006 The NetBSD Foundation, Inc.
@@ -111,7 +111,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: wsmouse.c,v 1.40 2006/02/07 09:13:02 jmmv Exp $");
+__KERNEL_RCSID(0, "$NetBSD: wsmouse.c,v 1.41 2006/02/10 17:33:01 christos Exp $");
 
 #include "wsmouse.h"
 #include "wsdisplay.h"
@@ -346,6 +346,7 @@
        struct wsmouse_softc *sc = (struct wsmouse_softc *)wsmousedev;
        struct wseventvar *evar;
        int mb, ub, d, nevents;
+       /* one for each dimension (4) + a bit for each button */
        struct wscons_event events[4 + sizeof(d) * 8];
 
         /*
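Review bot: the added comment above `struct wscons_event events[4 + sizeof(d) * 8];` says "a bit for each button", but the array holds one event per button, that is one per bit of `d`; wording it as "one event per dimension (4) plus one per bit of d" would match the expression. The literal `4` and `8` are also worth naming, so that the overflow check added later in this function can refer to the same limit instead of recomputing it.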
@@ -463,6 +464,12 @@
                btnno = ffs(d) - 1;
                KASSERT(btnno >= 0);
 
+               if (nevents >= events / sizeof(events[0])) {
+                       printf("%s: Event queue full (button status mb=0x%x"
+                           " ub=0x%x\n", sc->sc_dev.dv_xname, mb, ub);
+                       break;
+               }
+
                events[nevents].type =
                    (mb & d) ? WSCONS_EVENT_MOUSE_DOWN : WSCONS_EVENT_MOUSE_UP;
                events[nevents].value = btnno;
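Review bot: the new bounds check divides the array itself rather than its size: in `nevents >= events / sizeof(events[0])` the left operand of `/` is a pointer, which C does not allow, so the condition should read `nevents >= sizeof(events) / sizeof(events[0])`. `nevents` is an `int` and the right-hand side is a `size_t`, so the comparison is done unsigned; that is harmless while `nevents` cannot be negative, but a cast would make the intent explicit. The message text also opens a parenthesis before "button status" and never closes it before the `\n`.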
@@ -483,10 +490,7 @@
                }
        }
 
-       KASSERT(nevents > 0 &&
-           nevents <= sizeof(events) / sizeof(struct wscons_event));
-
-       if (wsevent_inject(evar, events, nevents) == 0) {
+       if (nevents == 0 || wsevent_inject(evar, events, nevents) == 0) {
                /* All events were correctly injected into the queue.
                 * Synchronize the mouse's status with what the user
                 * has received. */
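Review bot: with `nevents == 0 ||` in front, a call that produced no events takes the same branch as a successful `wsevent_inject()`, under a comment that says all events were correctly injected; the commit message itself asks whether zero events should be reported, and a diagnostic printf here would keep that case visible now that the KASSERT is gone. The same branch is also reached after the loop above has hit its new `break`, so it is worth confirming that the state synchronisation that follows does not treat the button changes that did not fit in `events` as delivered.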


