lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-Id: <201108030120.21059.s.L-H@gmx.de>
Date:	Wed, 3 Aug 2011 01:20:18 +0200
From:	"Stefan Lippers-Hollmann" <s.L-H@....de>
To:	Larry Finger <Larry.Finger@...inger.net>
Cc:	linux-wireless@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: Re: [PATCH] rtl8192cu: add USB ID for Belkin n300 Micro USB wireless adapter

Hi

On Wednesday 03 August 2011, Stefan Lippers-Hollmann wrote:
> On Wednesday 03 August 2011, Larry Finger wrote:
> > On 08/02/2011 03:43 PM, Stefan Lippers-Hollmann wrote:
> > > On Tuesday 02 August 2011, Stefan Lippers-Hollmann wrote:
> > > [1]	http://aptosid.com/index.php?name=PNphpBB2&file=viewtopic&t=1550&start=0
> > > [2]	http://pastebin.com/ppZJ0GmU
[...]
> - no Oops if his USB ID is compiled into the module, that only happens
>   if he tries to inject it into an unpatched kernel with:
>   echo -n "050d 2103">  /sys/bus/usb/drivers/rtl8192cu/new_id
>   (and I'm reluctant to raise this as potential issue completely, due
>   to the tainted kernel condition on his system).

I can reproduce the reported Oops by injecting a (wrong) USB ID into 
rtl8192cu myself on an untainted system. For reproducing the Oops, I 
inject an unknown (wrong, the device I'm abusing for this test is a 
Netgear WG111T, Atheros AR5523 based - no linux driver exists for this 
device and no module claims its device IDs 0x1385 0x4251) USB ID 
through sysfs facilities into rtl8192cu; all tests with kernel 
3.0 + current -stable queue:

# cat /proc/sys/kernel/tainted
0
# modprobe rtl8192cu
# echo -n "1385 4251" > /sys/bus/usb/drivers/rtl8192cu/new_id
[hotplug device]
# dmesg
[...]
[   86.420998] usbcore: registered new interface driver rtl8192cu
[  110.778029] usb 1-7: new high speed USB device number 5 using ehci_hcd
[  110.893824] usb 1-7: New USB device found, idVendor=1385, idProduct=4251
[  110.893830] usb 1-7: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[  110.893836] usb 1-7: Product: WG111T
[  110.893841] usb 1-7: Manufacturer: Atheros Communications Inc
[  110.893845] usb 1-7: SerialNumber: 1.0
[  110.894760] BUG: unable to handle kernel NULL pointer dereference at 0000000000000018
[  110.894903] IP: [<ffffffffa0604747>] rtl_usb_probe+0x19b/0x74d [rtlwifi]
[  110.895012] PGD 0 
[  110.895012] Oops: 0000 [#1] PREEMPT SMP 
[  110.895012] CPU 0 
[  110.895012] Modules linked in: rtl8192cu rtl8192c_common rtlwifi mac80211 cfg80211 rfkill cpufreq_stats cpufreq_ondemand cpufreq_powersave cpufreq_conservative ppdev lp cpufreq_performance af_packet fuse nls_utf8 ntfs powernow_k8 freq_table mperf tda18218 af9013 ir_lirc_codec lirc_dev ir_sony_decoder ir_jvc_decoder ir_rc6_decoder ir_rc5_decoder ir_nec_decoder dvb_usb_af9015 dvb_usb dvb_core rc_core edac_core snd_intel8x0 snd_ac97_codec ac97_bus snd_pcm snd_seq snd_timer snd_seq_device radeon parport_pc ttm drm_kms_helper drm i2c_algo_bit k8temp pcspkr evdev psmouse edac_mce_amd serio_raw power_supply parport snd i2c_nforce2 i2c_core button soundcore processor snd_page_alloc ext4 mbcache jbd2 crc16 dm_mod btrfs zlib_deflate crc32c libcrc32c sg sr_mod sd_mod cdrom crc_t10dif ata_generic usbhid hid floppy thermal fan firewire_ohci pata_acpi firewire_core crc_itu_t pata_amd sata_nv e1000 libata ohci_hcd forcedeth scsi_mod ehci_hcd usbcore ssb mmc_core pcmcia pcmcia_core [last unloaded: scsi_wait_scan]
[  110.895012] 
[  110.895012] Pid: 577, comm: khubd Not tainted 3.0-0.slh.6-aptosid-amd64 #1 MICRO-STAR INTERNATIONAL CO., LTD MS-7185/MS-7185
[  110.895012] RIP: 0010:[<ffffffffa0604747>]  [<ffffffffa0604747>] rtl_usb_probe+0x19b/0x74d [rtlwifi]
[  110.895012] RSP: 0018:ffff88011da77a60  EFLAGS: 00010246
[  110.895012] RAX: 0000000000000000 RBX: ffff88011fc09ca0 RCX: 0000000000000000
[  110.895012] RDX: ffffffffa0608618 RSI: ffffffffa0607819 RDI: ffff88011fc08520
[  110.895012] RBP: ffff88011f0a7088 R08: 000000000000ffff R09: 000000000000ffff
[  110.895012] R10: 0000000000000000 R11: 000000000000fffb R12: ffff88011d5a6c30
[  110.895012] R13: ffff88011fd54090 R14: ffff88011fc08520 R15: ffff88011fc09ca0
[  110.895012] FS:  00007f6e9e1d37a0(0000) GS:ffff880127c00000(0000) knlGS:0000000000000000
[  110.895012] CS:  0010 DS: 0000 ES: 0000 CR0: 000000008005003b
[  110.895012] CR2: 0000000000000018 CR3: 000000011fe0f000 CR4: 00000000000006f0
[  110.895012] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[  110.895012] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
[  110.895012] Process khubd (pid: 577, threadinfo ffff88011da76000, task ffff88011dc5b700)
[  110.895012] Stack:
[  110.895012]  0000000000000246 ffffffff8129f3d2 ffff88011fd54090 ffff88011f0a7000
[  110.895012]  ffff88011f0a7088 ffff88011d5a6c30 ffff88011f0a7000 ffffffffa0639528
[  110.895012]  ffff88011fd54090 ffff88011d5a6c00 0000000000000000 ffffffffa0051f05
[  110.895012] Call Trace:
[  110.895012]  [<ffffffff8129f3d2>] ? __pm_runtime_set_status+0x132/0x1e0
[  110.895012]  [<ffffffffa0051f05>] ? usb_probe_interface+0xe5/0x1e0 [usbcore]
[  110.895012]  [<ffffffff8129657f>] ? driver_probe_device+0x6f/0x190
[  110.895012]  [<ffffffff81296740>] ? __driver_attach+0xa0/0xa0
[  110.895012]  [<ffffffff812952d3>] ? bus_for_each_drv+0x53/0x80
[  110.895012]  [<ffffffff812964cf>] ? device_attach+0x9f/0xc0
[  110.895012]  [<ffffffff81295c7d>] ? bus_probe_device+0x2d/0x50
[  110.895012]  [<ffffffff81293f8d>] ? device_add+0x5ad/0x670
[  110.895012]  [<ffffffff812927b2>] ? dev_set_name+0x42/0x50
[  110.895012]  [<ffffffffa0050577>] ? usb_set_configuration+0x5d7/0x6d0 [usbcore]
[  110.895012]  [<ffffffffa005904b>] ? generic_probe+0x3b/0xa0 [usbcore]
[  110.895012]  [<ffffffff8129657f>] ? driver_probe_device+0x6f/0x190
[  110.895012]  [<ffffffff81296740>] ? __driver_attach+0xa0/0xa0
[  110.895012]  [<ffffffff812952d3>] ? bus_for_each_drv+0x53/0x80
[  110.895012]  [<ffffffff812964cf>] ? device_attach+0x9f/0xc0
[  110.895012]  [<ffffffff81295c7d>] ? bus_probe_device+0x2d/0x50
[  110.895012]  [<ffffffff81293f8d>] ? device_add+0x5ad/0x670
[  110.895012]  [<ffffffffa0048cd2>] ? usb_new_device+0x122/0x1b0 [usbcore]
[  110.895012]  [<ffffffffa0049cb0>] ? hub_thread+0x7c0/0x1310 [usbcore]
[  110.895012]  [<ffffffff813c8ed7>] ? schedule+0x2b7/0x860
[  110.895012]  [<ffffffff81044616>] ? try_to_wake_up+0x1b6/0x270
[  110.895012]  [<ffffffff8106a020>] ? abort_exclusive_wait+0xb0/0xb0
[  110.895012]  [<ffffffffa00494f0>] ? usb_remote_wakeup+0x40/0x40 [usbcore]
[  110.895012]  [<ffffffff8106985e>] ? kthread+0x7e/0x90
[  110.895012]  [<ffffffff813cd1a4>] ? kernel_thread_helper+0x4/0x10
[  110.895012]  [<ffffffff810697e0>] ? kthread_worker_fn+0x180/0x180
[  110.895012]  [<ffffffff813cd1a0>] ? gs_change+0x13/0x13
[  110.895012] Code: 29 60 a0 48 c7 83 60 06 00 00 70 29 60 a0 48 c7 83 68 06 00 00 50 29 60 a0 48 c7 83 70 06 00 00 f0 2b 60 a0 49 8b 87 38 27 00 00 
[  110.895012]  8b 40 18 ff 50 10 49 8b 87 38 27 00 00 4c 89 f7 48 8b 40 18 
[  110.895012] RIP  [<ffffffffa0604747>] rtl_usb_probe+0x19b/0x74d [rtlwifi]
[  110.895012]  RSP <ffff88011da77a60>
[  110.895012] CR2: 0000000000000018
[  110.944291] ---[ end trace aa8fb4280a86af53 ]---
# cat /proc/sys/kernel/tainted
128

The same procedure (after rebooting) doesn't result in an Oops with 
other modules, although they can't initialize this 'unknown' device 
either, using rt2500usb as example:
# cat /proc/sys/kernel/tainted
0
# modprobe rt2500usb
# echo -n "1385 4251" > /sys/bus/usb/drivers/rt2500usb/new_id
[hotplug device]
# dmesg
[...]
[  112.676033] usb 1-7: new high speed USB device number 5 using ehci_hcd
[  112.791945] usb 1-7: New USB device found, idVendor=1385, idProduct=4251
[  112.791951] usb 1-7: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[  112.791957] usb 1-7: Product: WG111T
[  112.791961] usb 1-7: Manufacturer: Atheros Communications Inc
[  112.791965] usb 1-7: SerialNumber: 1.0
[  112.895037] usb 1-7: reset high speed USB device number 5 using ehci_hcd
[  113.108950] phy0 -> rt2x00usb_vendor_request: Error - Vendor Request 0x09 failed for offset 0x0000 with error -32.
[  113.208947] phy0 -> rt2x00usb_vendor_request: Error - Vendor Request 0x07 failed for offset 0x04d0 with error -32.
[  113.308946] phy0 -> rt2x00usb_vendor_request: Error - Vendor Request 0x06 failed for offset 0x04ce with error -32.
[  113.408950] phy0 -> rt2x00usb_vendor_request: Error - Vendor Request 0x07 failed for offset 0x04d0 with error -32.
[  113.508946] phy0 -> rt2x00usb_vendor_request: Error - Vendor Request 0x07 failed for offset 0x04ce with error -32.
[  113.608450] phy0 -> rt2x00usb_vendor_request: Error - Vendor Request 0x07 failed for offset 0x0400 with error -32.
[  113.608457] phy0 -> rt2500usb_init_eeprom: Error - Invalid RT chipset detected.
[  113.608463] phy0 -> rt2x00lib_probe_dev: Error - Failed to allocate device.
[everything fine, as expected no issues - the wrong device just can't 
 get initialized]
# cat /proc/sys/kernel/tainted
0
# reboot

So at least the reported Oops is not specific to 050d:2103, but happens
for any USB ID injected at runtime through sysfs and therefore appears
to be a general issue with rtl8192cu.

Regards
	Stefan Lippers-Hollmann
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ