
#255 kernel driver may crash if sysfs accessed during disconnect

Status: closed-works-for-me
Owner: None
Project: input-wacom
Updated: 2016-06-03
Created: 2014-09-12
Private: No

The wacom kernel driver has the potential to crash if a sysfs node is accessed while the device is in the middle of being disconnected. Although the driver is careful to destroy the sysfs nodes before tearing down internal structures, it seems that open file descriptors are left valid and may be used to command the driver mid-teardown.

In my particular case, I see a segfault occurring inside wacom_led_select_store on a fraction of disconnects, likely due to gnome-control-center (the only application I'm aware of on my system which would be attempting to control the LEDs).
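The race described in the report, as an added example that is not code from the input-wacom driver or from anyone in this thread: a userspace C model in which a process keeps the sysfs attribute file open across the disconnect and writes to it afterwards. (The oops pasted later in the thread fits that picture: mutex_lock was entered with RDI = 0xf8 and faulted at address 0xf8, i.e. a NULL driver-private pointer plus a field offset.) The model borrows the kernel's kernfs "active reference" scheme rather than anything from the driver itself: a store handler holds an active reference while it runs, removing the attribute deactivates the node and waits for in-flight handlers, and only then is the private data cleared and freed, so a late write on the still-open fd is answered with -ENODEV. All names (attr_node, usb_intf, led0_select_store, wacom_probe, wacom_disconnect, USB_INTF_INIT) are stand-ins invented for this model, and masking the written value to a LED index 0..3 is the model's choice.

```c
/* Added example, not the wacom driver's code: a userspace model of a sysfs
 * store handler racing with device disconnect.  Link with -pthread. */
#include <errno.h>
#include <pthread.h>
#include <stdatomic.h>
#include <stdbool.h>
#include <stdlib.h>

struct attr_node {                 /* kernfs-node stand-in for status_led0_select */
    pthread_mutex_t lock; pthread_cond_t drained;
    int active;                    /* store handlers currently inside the driver */
    bool deactivated;              /* set by attr_remove(); later stores get -ENODEV */
};
struct wacom { pthread_mutex_t lock; unsigned int led_select[2]; };    /* driver private data */
struct usb_intf { struct attr_node led_attr; struct wacom *drvdata; }; /* drvdata NULL once unplugged */
#define USB_INTF_INIT { { PTHREAD_MUTEX_INITIALIZER, PTHREAD_COND_INITIALIZER, 0, true }, NULL }

static bool attr_get_active(struct attr_node *n)
{
    pthread_mutex_lock(&n->lock);
    bool ok = !n->deactivated;
    if (ok) n->active++;
    pthread_mutex_unlock(&n->lock);
    return ok;
}
static void attr_put_active(struct attr_node *n)
{
    pthread_mutex_lock(&n->lock);
    if (--n->active == 0) pthread_cond_broadcast(&n->drained);
    pthread_mutex_unlock(&n->lock);
}
static void attr_remove(struct attr_node *n)   /* deactivate, then wait for in-flight stores */
{
    pthread_mutex_lock(&n->lock);
    n->deactivated = true;
    while (n->active > 0) pthread_cond_wait(&n->drained, &n->lock);
    pthread_mutex_unlock(&n->lock);
}

/* Model of the led0_select store: returns count, or -ENODEV once the device is gone. */
long led0_select_store(struct usb_intf *intf, const char *buf, size_t count)
{
    if (!attr_get_active(&intf->led_attr))
        return -ENODEV;                       /* fd still open, device already unplugged */
    struct wacom *wacom = intf->drvdata;      /* stays valid while we hold the active ref */
    pthread_mutex_lock(&wacom->lock);
    wacom->led_select[0] = strtoul(buf, NULL, 10) & 3;   /* LED index 0..3 (model's choice) */
    pthread_mutex_unlock(&wacom->lock);
    attr_put_active(&intf->led_attr);
    return (long)count;
}

void wacom_probe(struct usb_intf *intf)
{
    struct wacom *wacom = calloc(1, sizeof *wacom);
    if (!wacom) abort();
    pthread_mutex_init(&wacom->lock, NULL);
    intf->drvdata = wacom;                    /* private data is ready before ... */
    pthread_mutex_lock(&intf->led_attr.lock);
    intf->led_attr.deactivated = false;       /* ... the attribute accepts writes */
    pthread_mutex_unlock(&intf->led_attr.lock);
}
void wacom_disconnect(struct usb_intf *intf)
{
    struct wacom *wacom = intf->drvdata;
    attr_remove(&intf->led_attr);             /* quiesce sysfs first ... */
    intf->drvdata = NULL;                     /* ... then tear down what store() dereferences */
    pthread_mutex_destroy(&wacom->lock);
    free(wacom);
}

/* The reporter's scenario: write, unplug with the fd still open, write again. */
long write_after_disconnect(void)
{
    struct usb_intf intf = USB_INTF_INIT;
    wacom_probe(&intf);
    long first = led0_select_store(&intf, "2", 1);   /* 1: accepted */
    wacom_disconnect(&intf);                         /* our handle on intf stays valid */
    long second = led0_select_store(&intf, "2", 1);  /* -ENODEV, not a NULL dereference */
    return first == 1 ? second : -1;
}

/* Stress: one thread writes nonstop while the device is unplugged and replugged
 * `cycles` times; returns how many writes were neither accepted nor refused (0). */
struct writer_arg { struct usb_intf *intf; atomic_bool stop; long bad; };
static void *writer(void *p)
{
    for (struct writer_arg *a = p; !atomic_load(&a->stop); ) {
        long r = led0_select_store(a->intf, "1", 1);
        if (r != 1 && r != -ENODEV) a->bad++;
    }
    return NULL;
}
long run_unplug_race(int cycles)
{
    struct usb_intf intf = USB_INTF_INIT;
    struct writer_arg a = { .intf = &intf, .bad = 0 };
    pthread_t t;
    atomic_init(&a.stop, false);
    wacom_probe(&intf);
    if (pthread_create(&t, NULL, writer, &a) != 0) return -1;
    while (cycles-- > 0) { wacom_disconnect(&intf); wacom_probe(&intf); }
    atomic_store(&a.stop, true);
    pthread_join(t, NULL);
    wacom_disconnect(&intf);
    return a.bad;
}
```

Build with cc -pthread; write_after_disconnect() returns -ENODEV and run_unplug_race(1000) returns 0 bad writes. The ordering inside wacom_disconnect is the whole point of the model: swap the two first lines so drvdata is cleared before attr_remove and a writer that slips in between dereferences NULL, which is the shape of the mutex_lock fault in the posted oops.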

Discussion

  • Jason Gerecke

    Jason Gerecke - 2014-10-07
    • status: new --> pending
     
  • Jason Gerecke

    Jason Gerecke - 2016-01-14

    Sample crash from Ubuntu 14.04 with the 3.13.0-74-generic ("linux-generic-lts-trusty") kernel. Triggered by using modprobe to repeatedly load and unload the wacom kernel module. Last 3 probe/disconnect events included for context.

    [ 1758.805568] input: Wacom Intuos5 touch M Pen as /devices/pci0000:00/0000:00:06.0/usb2/2-2/2-2:1.0/input/input369
    [ 1758.811045] input: Wacom Intuos5 touch M Finger as /devices/pci0000:00/0000:00:06.0/usb2/2-2/2-2:1.1/input/input370
    [ 1758.815929] usbcore: registered new interface driver wacom
    [ 1759.526584] usbcore: deregistering interface driver wacom
    [ 1761.407734] input: Wacom Intuos5 touch M Pen as /devices/pci0000:00/0000:00:06.0/usb2/2-2/2-2:1.0/input/input371
    [ 1761.412178] input: Wacom Intuos5 touch M Finger as /devices/pci0000:00/0000:00:06.0/usb2/2-2/2-2:1.1/input/input372
    [ 1761.412348] usbcore: registered new interface driver wacom
    [ 1763.090528] usbcore: deregistering interface driver wacom
    [ 1763.747642] input: Wacom Intuos5 touch M Pen as /devices/pci0000:00/0000:00:06.0/usb2/2-2/2-2:1.0/input/input373
    [ 1763.752149] input: Wacom Intuos5 touch M Finger as /devices/pci0000:00/0000:00:06.0/usb2/2-2/2-2:1.1/input/input374
    [ 1763.752308] usbcore: registered new interface driver wacom
    [ 1763.860343] usbcore: deregistering interface driver wacom
    [ 1763.941393] BUG: unable to handle kernel NULL pointer dereference at 00000000000000f8
    [ 1763.941410] IP: [<ffffffff8172b392>] mutex_lock+0x12/0x2f
    [ 1763.941420] PGD 91cb067 PUD 91ca067 PMD 0 
    [ 1763.941425] Oops: 0002 [#1] SMP 
    [ 1763.941430] Modules linked in: wacom(-) nls_utf8 isofs snd_intel8x0 snd_ac97_codec ac97_bus snd_pcm snd_page_alloc joydev snd_seq_midi snd_seq_midi_event hid_generic snd_rawmidi crct10dif_pclmul snd_seq crc32_pclmul snd_seq_device snd_timer snd rfcomm bnep aesni_intel usbhid bluetooth aes_x86_64 hid lrw gf128mul glue_helper ablk_helper cryptd soundcore serio_raw video i2c_piix4 mac_hid parport_pc ppdev lp parport psmouse pata_acpi ahci libahci e1000 [last unloaded: wacom]
    [ 1763.941462] CPU: 1 PID: 8520 Comm: usd-wacom-led-h Not tainted 3.13.0-74-generic #118-Ubuntu
    [ 1763.941467] Hardware name: innotek GmbH VirtualBox/VirtualBox, BIOS VirtualBox 12/01/2006
    [ 1763.941470] task: ffff880028970000 ti: ffff88002221e000 task.ti: ffff88002221e000
    [ 1763.941473] RIP: 0010:[<ffffffff8172b392>]  [<ffffffff8172b392>] mutex_lock+0x12/0x2f
    [ 1763.941477] RSP: 0018:ffff88002221fe50  EFLAGS: 00010246
    [ 1763.941480] RAX: 0000000000000000 RBX: 00000000000000f8 RCX: 0000000000000000
    [ 1763.941483] RDX: 0000000000000000 RSI: 000000000000000a RDI: 00000000000000f8
    [ 1763.941486] RBP: ffff88002221fe58 R08: 0000000000000000 R09: 0000000000000001
    [ 1763.941489] R10: 000000000000000a R11: f000000000000000 R12: 00000000000000f8
    [ 1763.941492] R13: 0000000000000001 R14: 0000000000000000 R15: ffff88003acfda18
    [ 1763.941495] FS:  00007f7a224d0740(0000) GS:ffff88003fd00000(0000) knlGS:0000000000000000
    [ 1763.941517] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
    [ 1763.941520] CR2: 00000000000000f8 CR3: 00000000143b2000 CR4: 00000000000006e0
    [ 1763.941526] Stack:
    [ 1763.941529]  0000000000000000 ffff88002221fe90 ffffffffa025632f 000000000212fca0
    [ 1763.941533]  0000000000000001 ffff88002221ff50 ffff880028b3d070 ffff880028b3d060
    [ 1763.941537]  ffff88002221fea0 ffffffffa0256380 ffff88002221feb0 ffffffff814950c8
    [ 1763.941541] Call Trace:
    [ 1763.941553]  [<ffffffffa025632f>] wacom_led_select_store+0x5f/0xa0 [wacom]
    [ 1763.941559]  [<ffffffffa0256380>] wacom_led0_select_store+0x10/0x20 [wacom]
    [ 1763.941569]  [<ffffffff814950c8>] dev_attr_store+0x18/0x30
    [ 1763.941576]  [<ffffffff81235088>] sysfs_write_file+0x128/0x1c0
    [ 1763.941585]  [<ffffffff811be514>] vfs_write+0xb4/0x1f0
    [ 1763.941591]  [<ffffffff811bd8c8>] ? do_sys_open+0x1b8/0x280
    [ 1763.941597]  [<ffffffff811bef49>] SyS_write+0x49/0xa0
    [ 1763.941604]  [<ffffffff8173575d>] system_call_fastpath+0x1a/0x1f
    [ 1763.941607] Code: 15 5b 98 ff e9 40 ff ff ff b8 01 00 00 00 e9 8c fe ff ff 66 0f 1f 44 00 00 66 66 66 66 90 55 48 89 e5 53 48 89 fb e8 ae df ff ff <f0> ff 0b 79 08 48 89 df e8 31 fe ff ff 65 48 8b 04 25 40 b8 00 
    [ 1763.941632] RIP  [<ffffffff8172b392>] mutex_lock+0x12/0x2f
    [ 1763.941636]  RSP <ffff88002221fe50>
    [ 1763.941638] CR2: 00000000000000f8
    [ 1763.941643] ---[ end trace 3f12ac48cc3f5cf1 ]---
    [ 1763.951046] traps: unity-settings-[7794] trap int3 ip:7f8eeea66c13 sp:7ffd7f39f6c0 error:0
    [ 1764.576793] compiz[8014]: segfault at 0 ip           (null) sp 00007ffd8ef20f48 error 14 in compiz[400000+3000]
    
     

    Related

    Bugs: #1

  • Ping Cheng

    Ping Cheng - 2016-05-31

    The LED related issue was fixed in 3.17 by the introduction of led_initialized in Benjamin's "put a flag when the led are initialized" patch.

    "compiz[8014]: segfault at 0 ip...." is still an issue, which is caused by g-s-d. A bug has been filed at https://bugzilla.gnome.org/show_bug.cgi?id=765996

     

    Last edit: Jason Gerecke 2016-06-03
  • Jason Gerecke

    Jason Gerecke - 2016-06-03
    • status: pending --> closed-works-for-me
    • Project: --> input-wacom