Message-ID: <20100921004145.GA5648@amos.infernal>
Date:	Tue, 21 Sep 2010 02:41:46 +0200
From:	Andreas Bombe <aeb@...ian.org>
To:	Jiri Kosina <jkosina@...e.cz>
Cc:	Alan Stern <stern@...land.harvard.edu>, Mat <jackdachef@...il.com>,
	Guillaume Chazarain <guichaz@...il.com>,
	linux-kernel@...r.kernel.org, Greg Kroah-Hartman <gregkh@...e.de>,
	Oliver Neukum <oliver@...kum.org>, Alan Ott <alan@...nal11.us>,
	linux-usb@...r.kernel.org, linux-input@...r.kernel.org,
	Alex Riesen <raa.lkml@...il.com>,
	Phil Turmel <philip@...mel.org>
Subject: Re: [BUG, Regression, bisected] USB mouse causes bug on 1st
 insert, ignored on 2nd insert, lsusb stuck at usbdev_open

On Tue, Sep 21, 2010 at 12:48:25AM +0200, Jiri Kosina wrote:
> On Mon, 20 Sep 2010, Alan Stern wrote:
> > I have no idea what's really happening.  Can you figure it out?
> 
> I am trying, but on my testing systems everything is behaving correctly, 
> so it's a bit more difficult. Ideas welcome.

It appears it so far only happened to those who have one of the fancier
Logitech mice. Those also have some extra communications channels AFAICS
(storing and retrieving settings for the G500, battery information for
the wireless mice). That might trigger something here. I am appending
the lsusb output at the end FWIW.

I have compiled it with your extra debug output and also confirmed that
the pointer hiddev is null:

        /*
         * no need for locking because the USB major number
         * is shared which usbcore guards against disconnect
         */
        if (list->hiddev->exist) {
    1406:       48 8b 93 18 c0 00 00    mov    0xc018(%rbx),%rdx
    140d:       b8 ed ff ff ff          mov    $0xffffffed,%eax
    1412:       83 3a 00                cmpl   $0x0,(%rdx)
    1415:       0f 84 bb 00 00 00       je     14d6 <hiddev_open+0x170>

The RIP in the Oops is at offset 1412 here. Relevant dmesg output:

[    1.668245] usb 2-2.3: new full speed USB device using ehci_hcd and address 4
[    1.763862] usb 2-2.3: New USB device found, idVendor=046d, idProduct=c068
[    1.763898] usb 2-2.3: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[    1.763937] usb 2-2.3: Product: G500
[    1.763970] usb 2-2.3: Manufacturer: Logitech
...
[    1.771981] usbcore: registered new interface driver hiddev
[    1.772246] HID debug: usbhid_probe() -- set intfdata(ffff88012baa3800, ffff88012b9f8000)
[    1.772347] HID debug: usbhid_probe() -- set intfdata(ffff88012c01ec00, ffff88012b9f8000)
[    1.774298] HID debug: hid_connect() -- hid: ffff88012b9f8000
[    1.774434] input: Logitech G500 as /devices/pci0000:00/0000:00:1d.7/usb2/2-2/2-2.3/2-2.3:1.0/input/input1
[    1.774885] generic-usb 0003:046D:C068.0001: input,hidraw0: USB HID v1.11 Mouse [Logitech G500] on usb-0000:00:1d.7-2.3/input0
[    1.774942] HID debug: usbhid_probe() -- set intfdata(ffff88012c01dc00, ffff88012b848000)
[    1.779008] HID debug: hid_connect() -- hid: ffff88012b848000
[    1.779192] input: Logitech G500 as /devices/pci0000:00/0000:00:1d.7/usb2/2-2/2-2.3/2-2.3:1.1/input/input2
[    1.779353] HID debug: hiddev_connect() -- hid: ffff88012b848000, hiddev: ffff88012ac59600, intf: ffff88012c01dc00
[    1.779634] HID debug: hid_connect() -- after hiddev_connect(), hid: ffff88012b848000, hiddev: ffff88012ac59600
[    1.779724] generic-usb 0003:046D:C068.0002: input,hiddev0,hidraw1: USB HID v1.11 Keyboard [Logitech G500] on usb-0000:00:1d.7-2.3/input1
[    1.779783] usbcore: registered new interface driver usbhid
[    1.779813] usbhid: USB HID core driver

...

[   28.047248] HID debug: hiddev_open(): hid: ffff88012b9f8000, hiddev: (null), intf: ffff88012c01ec00
[   28.050469] BUG: unable to handle kernel NULL pointer dereference at (null)
[   28.053596] IP: [<ffffffffa0042f72>] hiddev_open+0xac/0x19e [usbhid]
[   28.054362] PGD 12c188067 PUD 12b68b067 PMD 0 
[   28.054362] Oops: 0000 [#1] SMP 
[   28.054362] last sysfs file: /sys/module/acpi/parameters/acpica_version
[   28.054362] CPU 1 
[   28.054362] Modules linked in: sco bnep rfcomm l2cap bluetooth rfkill binfmt_misc kvm_intel kvm uinput fuse xfs exportfs sha256_generic twofish_generic twofish_x86_64 twofish_common cbc coretemp loop dm_crypt snd_hda_codec_atihdmi snd_hda_codec_realtek snd_emu10k1_synth snd_emux_synth snd_seq_virmidi snd_seq_midi_emul snd_emu10k1 snd_hda_intel radeon snd_hda_codec ttm drm_kms_helper drm snd_ac97_codec snd_pcm_oss snd_mixer_oss ac97_bus snd_util_mem joydev snd_hwdep snd_seq_midi i2c_algo_bit snd_rawmidi wacom snd_seq_midi_event i2c_i801 snd_pcm pcspkr snd_seq snd_timer emu10k1_gp gameport snd_page_alloc snd_seq_device button asus_atk0110 evdev shpchp snd pci_hotplug soundcore intel_agp tpm_tis tpm processor tpm_bios ext4 mbcache jbd2 crc16 dm_mod sg sr_mod sd_mod cdrom crc_t10dif usbhid hid uhci_hcd ahci libahci libata ehci_hcd firewire_ohci scsi_mod firewire_core crc_itu_t usbcore atl1e thermal thermal_sys nls_base [last unloaded: scsi_wait_scan]
[   28.054362] 
[   28.054362] Pid: 2098, comm: hald-probe-hidd Not tainted 2.6.36-rc4-00215-gb3fe624 #24 P5Q/P5Q
[   28.054362] RIP: 0010:[<ffffffffa0042f72>]  [<ffffffffa0042f72>] hiddev_open+0xac/0x19e [usbhid]
[   28.054362] RSP: 0018:ffff88012dfe5c28  EFLAGS: 00010296
[   28.054362] RAX: 00000000ffffffed RBX: ffff88012df50000 RCX: 0000000000000034
[   28.054362] RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000246
[   28.054362] RBP: ffff88012dfe5c68 R08: 000000000000e4a7 R09: 0000000000000000
[   28.054362] R10: 0000000000000000 R11: ffffffff8163d278 R12: 0000000000000000
[   28.054362] R13: ffff88012b8bcdc0 R14: ffff88012b9f8000 R15: ffff88012c01ec00
[   28.054362] FS:  00007fed1de45700(0000) GS:ffff880002280000(0000) knlGS:0000000000000000
[   28.054362] CS:  0010 DS: 0000 ES: 0000 CR0: 000000008005003b
[   28.054362] CR2: 0000000000000000 CR3: 000000012af00000 CR4: 00000000000406e0
[   28.054362] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[   28.054362] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
[   28.054362] Process hald-probe-hidd (pid: 2098, threadinfo ffff88012dfe4000, task ffff88012b7d0000)
[   28.054362] Stack:
[   28.054362]  0000000000000000 0000000000000000 ffff88012dfe5c68 ffffffffa0063d50
[   28.054362] <0> ffff88012b8bcdc0 ffff88012a8f7330 00000000ffffffed 0000000000000000
[   28.054362] <0> ffff88012dfe5c98 ffffffffa005c0a7 ffff88012a8f7330 ffff88012b8bcdc0
[   28.054362] Call Trace:
[   28.054362]  [<ffffffffa005c0a7>] usb_open+0x63/0xc4 [usbcore]
[   28.054362]  [<ffffffff81105532>] chrdev_open+0x134/0x155
[   28.054362]  [<ffffffff811053fe>] ? chrdev_open+0x0/0x155
[   28.054362]  [<ffffffff81100d31>] __dentry_open+0x164/0x299
[   28.054362]  [<ffffffff811858f3>] ? devcgroup_inode_permission+0xf9/0x13b
[   28.054362]  [<ffffffff81100f2b>] nameidata_to_filp+0x3a/0x4b
[   28.054362]  [<ffffffff8110c244>] do_last+0x3d6/0x51d
[   28.054362]  [<ffffffff8110dd6e>] do_filp_open+0x203/0x599
[   28.054362]  [<ffffffff813397e3>] ? _raw_spin_unlock+0x26/0x2a
[   28.054362]  [<ffffffff81117080>] ? alloc_fd+0x111/0x123
[   28.054362]  [<ffffffff81100af4>] do_sys_open+0x5b/0xf7
[   28.054362]  [<ffffffff81338f49>] ? trace_hardirqs_on_thunk+0x3a/0x3f
[   28.054362]  [<ffffffff81100bb9>] sys_open+0x1b/0x1d
[   28.054362]  [<ffffffff81009a82>] system_call_fastpath+0x16/0x1b
[   28.054362] Code: 00 4c 89 e2 31 c0 49 89 9d f8 00 00 00 4c 89 f9 4c 89 f6 48 c7 c7 d3 5a 04 a0 e8 de 3b 2f e1 48 8b 93 18 c0 00 00 b8 ed ff ff ff <83> 3a 00 0f 84 bb 00 00 00 8b 42 04 8d 48 01 85 c0 89 4a 04 75 
[   28.054362] RIP  [<ffffffffa0042f72>] hiddev_open+0xac/0x19e [usbhid]
[   28.054362]  RSP <ffff88012dfe5c28>
[   28.054362] CR2: 0000000000000000
[   28.246052] ---[ end trace 2a9b1643521f14fd ]---


And finally, the lsusb output for my mouse:

Bus 002 Device 004: ID 046d:c068 Logitech, Inc. G500 Laser Mouse
Device Descriptor:
  bLength                18
  bDescriptorType         1
  bcdUSB               2.00
  bDeviceClass            0 (Defined at Interface level)
  bDeviceSubClass         0 
  bDeviceProtocol         0 
  bMaxPacketSize0         8
  idVendor           0x046d Logitech, Inc.
  idProduct          0xc068 G500 Laser Mouse
  bcdDevice           58.02
  iManufacturer           1 Logitech
  iProduct                2 G500
...
  bNumConfigurations      1
  Configuration Descriptor:
    bLength                 9
    bDescriptorType         2
    wTotalLength           59
    bNumInterfaces          2
    bConfigurationValue     1
    iConfiguration          4 U58.02_B0018
    bmAttributes         0xa0
      (Bus Powered)
      Remote Wakeup
    MaxPower               98mA
    Interface Descriptor:
      bLength                 9
      bDescriptorType         4
      bInterfaceNumber        0
      bAlternateSetting       0
      bNumEndpoints           1
      bInterfaceClass         3 Human Interface Device
      bInterfaceSubClass      1 Boot Interface Subclass
      bInterfaceProtocol      2 Mouse
      iInterface              0 
        HID Device Descriptor:
          bLength                 9
          bDescriptorType        33
          bcdHID               1.11
          bCountryCode            0 Not supported
          bNumDescriptors         1
          bDescriptorType        34 Report
          wDescriptorLength      67
         Report Descriptors: 
           ** UNAVAILABLE **
      Endpoint Descriptor:
        bLength                 7
        bDescriptorType         5
        bEndpointAddress     0x81  EP 1 IN
        bmAttributes            3
          Transfer Type            Interrupt
          Synch Type               None
          Usage Type               Data
        wMaxPacketSize     0x0008  1x 8 bytes
        bInterval               1
    Interface Descriptor:
      bLength                 9
      bDescriptorType         4
      bInterfaceNumber        1
      bAlternateSetting       0
      bNumEndpoints           1
      bInterfaceClass         3 Human Interface Device
      bInterfaceSubClass      0 No Subclass
      bInterfaceProtocol      0 None
      iInterface              0 
        HID Device Descriptor:
          bLength                 9
          bDescriptorType        33
          bcdHID               1.11
          bCountryCode            0 Not supported
          bNumDescriptors         1
          bDescriptorType        34 Report
          wDescriptorLength     122
         Report Descriptors: 
           ** UNAVAILABLE **
      Endpoint Descriptor:
        bLength                 7
        bDescriptorType         5
        bEndpointAddress     0x82  EP 2 IN
        bmAttributes            3
          Transfer Type            Interrupt
          Synch Type               None
          Usage Type               Data
        wMaxPacketSize     0x0014  1x 20 bytes
        bInterval               1
Device Status:     0x0000
  (Bus Powered)
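The mapping above from the Oops (RIP at hiddev_open+0xac, RDX = 0, CR2 = 0) to the objdump line at offset 1412 was done by hand. The following is an added helper for that triage step; it is not code from this mail or from the kernel tree, and its function names (locate_fault, parse_code_line, parse_regs, parse_objdump) are my own. It takes the Oops lines and the objdump snippet quoted above as constructed sample input, finds the objdump line whose bytes sit at the <..> marker of the Code: line (checking that the bytes before the marker also line up, so a stale objdump is caught), derives the function's start offset in the object file from the symbol+offset, and checks that the base register of the faulting memory operand explains CR2.

```python
"""Oops-to-objdump triage helper (added example; not code from the mail or
the kernel tree).  It automates what the report above does by hand: find the
objdump line RIP points at, and confirm that the register used as the memory
operand there explains the CR2 value."""
import re

# Sample input: the relevant Oops and objdump lines copied from the report
# above, embedded here so the helper runs offline.
OOPS = """\
[   28.050469] BUG: unable to handle kernel NULL pointer dereference at (null)
[   28.053596] IP: [<ffffffffa0042f72>] hiddev_open+0xac/0x19e [usbhid]
[   28.054362] RAX: 00000000ffffffed RBX: ffff88012df50000 RCX: 0000000000000034
[   28.054362] RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000246
[   28.054362] CR2: 0000000000000000 CR3: 000000012af00000 CR4: 00000000000406e0
[   28.054362] Code: 00 4c 89 e2 31 c0 49 89 9d f8 00 00 00 4c 89 f9 4c 89 f6 48 c7 c7 d3 5a 04 a0 e8 de 3b 2f e1 48 8b 93 18 c0 00 00 b8 ed ff ff ff <83> 3a 00 0f 84 bb 00 00 00 8b 42 04 8d 48 01 85 c0 89 4a 04 75
"""

OBJDUMP = """\
    1406:       48 8b 93 18 c0 00 00    mov    0xc018(%rbx),%rdx
    140d:       b8 ed ff ff ff          mov    $0xffffffed,%eax
    1412:       83 3a 00                cmpl   $0x0,(%rdx)
    1415:       0f 84 bb 00 00 00       je     14d6 <hiddev_open+0x170>
"""

MASK64 = 0xFFFFFFFFFFFFFFFF
REG_ALIAS = {"r8": "R08", "r9": "R09"}  # objdump says %r8, the Oops says R08


def parse_ip(oops):
    """Return (rip, symbol, offset_in_symbol, symbol_size) from the IP: line."""
    m = re.search(r"IP: \[<([0-9a-f]+)>\]\s+(\w+)\+0x([0-9a-f]+)/0x([0-9a-f]+)", oops)
    if not m:
        raise ValueError("no IP: line in Oops")
    return int(m.group(1), 16), m.group(2), int(m.group(3), 16), int(m.group(4), 16)


def parse_code_line(oops):
    """Split the Code: bytes at the <..> marker the kernel puts on the byte at RIP.
    Returns (bytes_before_rip, bytes_from_rip_onwards)."""
    m = re.search(r"Code: (.*)$", oops, re.M)
    if not m:
        raise ValueError("no Code: line in Oops")
    before, after = bytearray(), bytearray()
    at_rip = False
    for tok in m.group(1).split():
        if tok.startswith("<"):
            at_rip = True
        (after if at_rip else before).append(int(tok.strip("<>"), 16))
    return bytes(before), bytes(after)


def parse_regs(oops):
    """Map register names as the Oops spells them (RAX.., R08.., CR2) to values."""
    pairs = re.findall(r"\b(R[A-Z0-9]{2}|CR\d):\s+([0-9a-f]{16})\b", oops)
    return {name: int(val, 16) for name, val in pairs}


def parse_objdump(text):
    """Parse `objdump -d` lines into (offset, raw_bytes, mnemonic, operands)."""
    out = []
    for line in text.splitlines():
        m = re.match(r"\s*([0-9a-f]+):\s+((?:[0-9a-f]{2} )+)\s*(\S+)\s*(.*)$", line)
        if m:
            out.append((int(m.group(1), 16), bytes.fromhex(m.group(2)),
                        m.group(3), m.group(4).strip()))
    return out


def locate_fault(oops, objdump):
    """Find the objdump instruction at RIP and explain the fault address."""
    rip, sym, off, size = parse_ip(oops)
    before, after = parse_code_line(oops)
    regs = parse_regs(oops)
    insns = parse_objdump(objdump)
    hit = None
    for i, (addr, raw, mnem, ops) in enumerate(insns):
        # The instruction at RIP must start at the <..> marker, and the listed
        # instructions before it must end exactly there; a mismatch usually
        # means the objdump is from a different build than the Oops.
        prefix = b"".join(r for _, r, _, _ in insns[:i])
        tail = prefix[-len(before):] if before else b""
        if after.startswith(raw) and before.endswith(tail):
            hit = (addr, raw, mnem, ops)
            break
    if hit is None:
        raise ValueError("Code: bytes do not match this objdump (wrong build?)")
    addr, raw, mnem, ops = hit
    result = {"rip": rip, "symbol": sym, "offset": off, "symbol_size": size,
              "objdump_addr": addr, "func_start": addr - off,
              "insn": f"{mnem} {ops}", "bytes": raw}
    # A single disp(%base) memory operand: the base register (plus displacement)
    # is the address the CPU tried to touch, which the page fault puts in CR2.
    m = re.search(r"(-?0x[0-9a-f]+)?\(%(\w+)\)", ops)
    if m:
        base = REG_ALIAS.get(m.group(2), m.group(2).upper())
        disp = int(m.group(1), 16) if m.group(1) else 0
        fault = (regs[base] + disp) & MASK64
        result.update(base_reg=base, base_value=regs[base], fault_addr=fault,
                      cr2=regs.get("CR2"), matches_cr2=(fault == regs.get("CR2")))
    return result


if __name__ == "__main__":
    r = locate_fault(OOPS, OBJDUMP)
    print(f"{r['symbol']}+0x{r['offset']:x} is objdump offset 0x{r['objdump_addr']:x}: {r['insn']}")
    print(f"{r['symbol']} starts at objdump offset 0x{r['func_start']:x}")
    if "base_reg" in r:
        print(f"operand base {r['base_reg']} = 0x{r['base_value']:x}, "
              f"fault address 0x{r['fault_addr']:x}, matches CR2: {r['matches_cr2']}")
```

On the input above this resolves hiddev_open+0xac to offset 0x1412 (`cmpl $0x0,(%rdx)`), puts the start of hiddev_open at offset 0x1366 in the module's .text, and reports RDX = 0 as the operand base, so the fault address is 0, matching CR2; that is the read of hiddev->exist through a NULL hiddev that the mail describes. The same approach works on any x86-64 Oops as long as the objdump comes from the exact module build that crashed; the prefix check is what tells you when it does not.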