
#17 Check pointer handling of the Xbox controller device driver

Status: open
Owner: nobody
Labels: None
Priority: 6
Updated: 2007-10-31
Created: 2007-10-30
Creator: Markus Elfring
Private: No

I have tried out the Xbox input device driver for Linux v0.1.7. I get unpleasant results.
http://xbox-linux.cvs.sourceforge.net/xbox-linux/kernel-2.6/drivers/usb/input/xpad.c?revision=1.34&view=markup

What is really wrong in the following situation?

Excerpt from the boot log (dmesg):
"Linux version 2.6.23.1-default (root@Sonne) (gcc version 4.2.1 (SUSE Linux)) #4 SMP PREEMPT Tue Oct 23 20:41:32 CEST 2007
...
input: Microsoft Xbox 360 Controller as
/devices/pci0000:00/0000:00:0b.0/usb2/2-2/2-2:1.0/input/input3
input: Microsoft Xbox 360 Controller as
/devices/pci0000:00/0000:00:0b.0/usb2/2-2/2-2:1.1/input/input4
input: Microsoft Xbox 360 Controller as
/devices/pci0000:00/0000:00:0b.0/usb2/2-2/2-2:1.2/input/input5
Unable to handle kernel NULL pointer dereference at 0000000000000006 RIP:
[<ffffffff880f8ae9>] :xpad:xpad_probe+0x378/0x4a3
PGD 7d005067 PUD 7d004067 PMD 0
Oops: 0000 [1] PREEMPT SMP
CPU 0
Modules linked in: rtc_core soundcore xpad rtc_lib snd_page_alloc floppy
sg linear ohci_hcd ehci_hcd usbcore edd dm_mod ext3 mbcache jbd fan
sata_sil24 sata_nv pata_amd libata thermal processor
Pid: 1410, comm: modprobe Not tainted 2.6.23.1-default #4
RIP: 0010:[<ffffffff880f8ae9>] [<ffffffff880f8ae9>]
:xpad:xpad_probe+0x378/0x4a3
RSP: 0018:ffff81007d8f1cd8 EFLAGS: 00010216
RAX: 0000000000000000 RBX: ffff81007c661da8 RCX: ffff81007cfb1080
RDX: 0000000000000200 RSI: ffff81007c661c00 RDI: 000000000000000e
RBP: ffff81007c035000 R08: 0000000000000017 R09: ffff81007c661dba
R10: 0000000000000041 R11: ffffc20000aceeb0 R12: ffff81007c661d80
R13: ffff81007c944800 R14: 0000000000000006 R15: ffff810037df5800
FS: 00002ad16eb0c6f0(0000) GS:ffffffff8050d000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b
CR2: 0000000000000006 CR3: 000000007d002000 CR4: 00000000000006e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
Process modprobe (pid: 1410, threadinfo ffff81007d8f0000, task
ffff810037e220c0)
Stack: 000000000000001b ffffffff802d159e ffff81007c420fa8 ffffffff880a0e5d
ffffffff880fa910 ffff810037df5800 ffffffff880fa740 ffffffff880fa7a8
ffffffff880fa7a8 ffffc20000aceeb0 000000000000001b ffffffff880a1b46
Call Trace:
[<ffffffff802d159e>] sysfs_create_link+0x10b/0x165
[<ffffffff880a0e5d>] :usbcore:usb_match_one_id+0x26/0x82
[<ffffffff880a1b46>] :usbcore:usb_probe_interface+0x89/0xb8
[<ffffffff8036f667>] driver_probe_device+0xd3/0x150
[<ffffffff8036f786>] __driver_attach+0x0/0x93
[<ffffffff8036f7e0>] __driver_attach+0x5a/0x93
[<ffffffff8036eae1>] bus_for_each_dev+0x43/0x6e
[<ffffffff8036ee09>] bus_add_driver+0x7d/0x19b
[<ffffffff8022c17c>] default_wake_function+0x0/0xe
[<ffffffff880a164d>] :usbcore:usb_register_driver+0x85/0xe8
[<ffffffff880c901b>] :xpad:usb_xpad_init+0x1b/0x3a
[<ffffffff80250a25>] sys_init_module+0x1695/0x1782
[<ffffffff8020bf9e>] system_call+0x7e/0x83

Code: 0f b6 78 06 0f b6 40 02 c7 46 08 00 00 00 00 c7 46 04 01 00
RIP [<ffffffff880f8ae9>] :xpad:xpad_probe+0x378/0x4a3
RSP <ffff81007d8f1cd8>
CR2: 0000000000000006
..."

Another try from the command line:
Sonne:~ # modprobe --verbose xpad
insmod /lib/modules/2.6.23.1-default/kernel/drivers/input/joystick/xpad.ko
Killed

I get a little improvement despite the reported crash: the green LED around the big "X" button is not blinking any more. ;-)

How can this null pointer issue be fixed?

Discussion

  • Markus Elfring
    2007-10-31

    • priority: 5 --> 6
     
  • Markus Elfring
    2007-10-31

    Logged In: YES
    user_id=572001
    Originator: YES

    I have tried the following command.
    Sonne:~ # modprobe -v xpad debug=1
    insmod /lib/modules/2.6.23.1-default/kernel/drivers/input/joystick/xpad.ko debug=1
    Killed

    Some error output is generated in the file "/var/log/messages".
    Oct 31 11:40:51 Sonne kernel: input: Microsoft Xbox 360 Controller as /devices/pci0000:00/0000:00:0b.0/usb1/1-2/1-2:1.0/input/input6
    Oct 31 11:40:51 Sonne kernel: input: Microsoft Xbox 360 Controller as /devices/pci0000:00/0000:00:0b.0/usb1/1-2/1-2:1.1/input/input7
    Oct 31 11:40:51 Sonne kernel: input: Microsoft Xbox 360 Controller as /devices/pci0000:00/0000:00:0b.0/usb1/1-2/1-2:1.2/input/input8
    Oct 31 11:40:51 Sonne kernel: Unable to handle kernel NULL pointer dereference at 0000000000000006 RIP:
    Oct 31 11:40:51 Sonne kernel: [<ffffffff88a06ae9>] :xpad:xpad_probe+0x378/0x4a3
    Oct 31 11:40:51 Sonne kernel: PGD 614c7067 PUD 38ede067 PMD 0
    Oct 31 11:40:51 Sonne kernel: Oops: 0000 [1] PREEMPT SMP
    Oct 31 11:40:51 Sonne kernel: CPU 0
    Oct 31 11:40:51 Sonne kernel: Modules linked in: xpad xt_tcpudp xt_pkttype ipt_LOG xt_limit af_packet snd_pcm_oss snd_mixer_oss snd_seq_midi snd_seq_midi_event snd_seq ipt_REJECT xt_state iptable_mangle iptable_nat nf_nat iptable_filter nf_conntrack_ipv4 nf_conntrack ip_tables x_tables ipv6 cpufreq_conservative cpufreq_userspace cpufreq_powersave powernow_k8 binfmt_misc quota_v2 fuse loop tda827x saa7134_dvb video_buf_dvb dvb_core tda1004x firmware_class tuner saa7134 nvidia(P) video_buf compat_ioctl32 ir_kbd_i2c snd_intel8x0 ir_common snd_ac97_codec videodev v4l2_common snd_mpu401 snd_mpu401_uart ac97_bus snd_pcm ohci1394 v4l1_compat ieee1394 snd_rawmidi snd_timer button sky2 snd_seq_device snd forcedeth rtc_cmos sr_mod rtc_core cdrom rtc_lib ns558 snd_page_alloc gameport i2c_nforce2 floppy soundcore i2c_core sg linear ehci_hcd ohci_hcd usbcore edd dm_mod ext3 mbcache jbd fan sata_sil24 sata_nv pata_amd libata thermal processor
    Oct 31 11:40:51 Sonne kernel: Pid: 4788, comm: modprobe Tainted: P 2.6.23.1-default #1
    Oct 31 11:40:51 Sonne kernel: RIP: 0010:[<ffffffff88a06ae9>] [<ffffffff88a06ae9>] :xpad:xpad_probe+0x378/0x4a3
    Oct 31 11:40:51 Sonne kernel: RSP: 0000:ffff81004cff9cd8 EFLAGS: 00010216
    Oct 31 11:40:51 Sonne kernel: RAX: 0000000000000000 RBX: ffff810056283da8 RCX: ffff81007cc9b080
    Oct 31 11:40:51 Sonne kernel: RDX: 0000000000000200 RSI: ffff810056283cc0 RDI: 000000000000000e
    Oct 31 11:40:51 Sonne kernel: RBP: ffff81004c6e2000 R08: 0000000000000017 R09: ffff810056283dba
    Oct 31 11:40:51 Sonne kernel: R10: 0000000000000041 R11: ffffc200021edeb0 R12: ffff810056283d80
    Oct 31 11:40:51 Sonne kernel: R13: ffff810037e77000 R14: 0000000000000006 R15: ffff810037dc2c00
    Oct 31 11:40:51 Sonne kernel: FS: 00002ba4c010d6f0(0000) GS:ffffffff8050d000(0000) knlGS:00000000f7e30ab0
    Oct 31 11:40:51 Sonne kernel: CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b
    Oct 31 11:40:51 Sonne kernel: CR2: 0000000000000006 CR3: 000000003cffa000 CR4: 00000000000006e0
    Oct 31 11:40:51 Sonne kernel: DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
    Oct 31 11:40:51 Sonne kernel: DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
    Oct 31 11:40:51 Sonne kernel: Process modprobe (pid: 4788, threadinfo ffff81004cff8000, task ffff81004604c810)
    Oct 31 11:40:51 Sonne kernel: Stack: 000000000000001b ffffffff802d159e ffff810037de4e48 ffffffff880a0e5d
    Oct 31 11:40:51 Sonne kernel: ffffffff88a08910 ffff810037dc2c00 ffffffff88a08740 ffffffff88a087a8
    Oct 31 11:40:51 Sonne kernel: ffffffff88a087a8 ffffc200021edeb0 000000000000001b ffffffff880a1b46
    Oct 31 11:40:51 Sonne kernel: Call Trace:
    Oct 31 11:40:51 Sonne kernel: [<ffffffff802d159e>] sysfs_create_link+0x10b/0x165
    Oct 31 11:40:51 Sonne kernel: [<ffffffff880a0e5d>] :usbcore:usb_match_one_id+0x26/0x82
    Oct 31 11:40:51 Sonne kernel: [<ffffffff880a1b46>] :usbcore:usb_probe_interface+0x89/0xb8
    Oct 31 11:40:51 Sonne kernel: [<ffffffff8036f667>] driver_probe_device+0xd3/0x150
    Oct 31 11:40:51 Sonne kernel: [<ffffffff8036f786>] __driver_attach+0x0/0x93
    Oct 31 11:40:51 Sonne kernel: [<ffffffff8036f7e0>] __driver_attach+0x5a/0x93
    Oct 31 11:40:51 Sonne kernel: [<ffffffff8036eae1>] bus_for_each_dev+0x43/0x6e
    Oct 31 11:40:51 Sonne kernel: [<ffffffff8036ee09>] bus_add_driver+0x7d/0x19b
    Oct 31 11:40:51 Sonne kernel: [<ffffffff880a164d>] :usbcore:usb_register_driver+0x85/0xe8
    Oct 31 11:40:51 Sonne kernel: [<ffffffff88a0a01b>] :xpad:usb_xpad_init+0x1b/0x3a
    Oct 31 11:40:51 Sonne kernel: [<ffffffff80250a25>] sys_init_module+0x1695/0x1782
    Oct 31 11:40:51 Sonne kernel: [<ffffffff802605af>] audit_syscall_entry+0x141/0x174
    Oct 31 11:40:51 Sonne kernel: [<ffffffff8020c11c>] tracesys+0xdc/0xe1
    Oct 31 11:40:51 Sonne kernel:
    Oct 31 11:40:51 Sonne kernel:
    Oct 31 11:40:51 Sonne kernel: Code: 0f b6 78 06 0f b6 40 02 c7 46 08 00 00 00 00 c7 46 04 01 00
    Oct 31 11:40:51 Sonne kernel: RIP [<ffffffff88a06ae9>] :xpad:xpad_probe+0x378/0x4a3
    Oct 31 11:40:51 Sonne kernel: RSP <ffff81004cff9cd8>
    Oct 31 11:40:51 Sonne kernel: CR2: 0000000000000006

    Which instructions in the source file are affected?

     
  • Markus Elfring
    2007-11-08

    Logged In: YES
    user_id=572001
    Originator: YES

    Can the following information help to find the error?

    Sonne:~ # modprobe xpad
    Killed
    Sonne:~ # dmesg|ksymoops
    ksymoops 2.4.11 on x86_64 2.6.23.1-default.
    [...]
    CPU 0: aperture @ 9660000000 size 32 MB
    CPU 0/0 -> Node 0
    CPU 1/1 -> Node 0
    ehci_hcd 0000:00:0b.1: debug port 1
    lo: Disabled Privacy Extensions
    Unable to handle kernel NULL pointer dereference at 0000000000000006 RIP:
    [<ffffffff88a06ae9>] :xpad:xpad_probe+0x378/0x4a3
    Oops: 0000 [1] PREEMPT SMP
    CPU 0
    Pid: 7688, comm: modprobe Tainted: P 2.6.23.1-default #1
    RIP: 0010:[<ffffffff88a06ae9>] [<ffffffff88a06ae9>] :xpad:xpad_probe+0x378/0x4a3
    Using defaults from ksymoops -t elf64-x86-64 -a i386:x86-64
    RSP: 0000:ffff810026ca3cd8 EFLAGS: 00010216
    RAX: 0000000000000000 RBX: ffff81003c2670a8 RCX: ffff81007cd3e080
    RDX: 0000000000000200 RSI: ffff81003c267c80 RDI: 000000000000000e
    RBP: ffff81005dbc2000 R08: 0000000000000017 R09: ffff81003c2670ba
    R10: 0000000000000041 R11: ffffc200021f1eb0 R12: ffff81003c267080
    R13: ffff810037f9d800 R14: 0000000000000006 R15: ffff810037da8800
    FS: 00002b0a594b36f0(0000) GS:ffffffff8050d000(0000) knlGS:00000000f7d8cad0
    CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b
    CR2: 0000000000000006 CR3: 000000004cd95000 CR4: 00000000000006e0
    Stack: 000000000000001b ffffffff802d159e ffff81007d1a96b8 ffffffff880a0e5d
    ffffffff88a08910 ffff810037da8800 ffffffff88a08740 ffffffff88a087a8
    ffffffff88a087a8 ffffc200021f1eb0 000000000000001b ffffffff880a1b46
    Call Trace:
    [<ffffffff802d159e>] sysfs_create_link+0x10b/0x165
    [<ffffffff880a0e5d>] :usbcore:usb_match_one_id+0x26/0x82
    [<ffffffff880a1b46>] :usbcore:usb_probe_interface+0x89/0xb8
    [<ffffffff8036f667>] driver_probe_device+0xd3/0x150
    [<ffffffff8036f786>] __driver_attach+0x0/0x93
    [<ffffffff8036f7e0>] __driver_attach+0x5a/0x93
    [<ffffffff8036eae1>] bus_for_each_dev+0x43/0x6e
    [<ffffffff8036ee09>] bus_add_driver+0x7d/0x19b
    [<ffffffff880a164d>] :usbcore:usb_register_driver+0x85/0xe8
    [<ffffffff88a0a01b>] :xpad:usb_xpad_init+0x1b/0x3a
    [<ffffffff80250a25>] sys_init_module+0x1695/0x1782
    [<ffffffff802605af>] audit_syscall_entry+0x141/0x174
    [<ffffffff8020c11c>] tracesys+0xdc/0xe1
    Code: 0f b6 78 06 0f b6 40 02 c7 46 08 00 00 00 00 c7 46 04 01 00

    >>RIP; ffffffff88a06ae9 <_end+8411701/7f00ac18> <=====

    >>RBX; ffff81003c2670a8 <phys_startup_64+ffff81003c0670a8/ffffffff80000000>
    >>RCX; ffff81007cd3e080 <phys_startup_64+ffff81007cb3e080/ffffffff80000000>
    >>RSI; ffff81003c267c80 <phys_startup_64+ffff81003c067c80/ffffffff80000000>
    >>RBP; ffff81005dbc2000 <phys_startup_64+ffff81005d9c2000/ffffffff80000000>
    >>R09; ffff81003c2670ba <phys_startup_64+ffff81003c0670ba/ffffffff80000000>
    >>R11; ffffc200021f1eb0 <phys_startup_64+ffffc20001ff1eb0/ffffffff80000000>
    >>R12; ffff81003c267080 <phys_startup_64+ffff81003c067080/ffffffff80000000>
    >>R13; ffff810037f9d800 <phys_startup_64+ffff810037d9d800/ffffffff80000000>
    >>R15; ffff810037da8800 <phys_startup_64+ffff810037ba8800/ffffffff80000000>

    Trace; ffffffff802d159e <sysfs_create_link+10b/165>
    Trace; ffffffff880a0e5d <_end+7aaba75/7f00ac18>
    Trace; ffffffff880a1b46 <_end+7aac75e/7f00ac18>
    Trace; ffffffff8036f667 <driver_probe_device+d3/150>
    Trace; ffffffff8036f786 <__driver_attach+0/93>
    Trace; ffffffff8036f7e0 <__driver_attach+5a/93>
    Trace; ffffffff8036eae1 <bus_for_each_dev+43/6e>
    Trace; ffffffff8036ee09 <bus_add_driver+7d/19b>
    Trace; ffffffff880a164d <_end+7aac265/7f00ac18>
    Trace; ffffffff88a0a01b <_end+8414c33/7f00ac18>
    Trace; ffffffff80250a25 <sys_init_module+1695/1782>
    Trace; ffffffff802605af <audit_syscall_entry+141/174>
    Trace; ffffffff8020c11c <tracesys+dc/e1>

    Code; ffffffff88a06ae9 <_end+8411701/7f00ac18>
    0000000000000000 <_RIP>:
    Code; ffffffff88a06ae9 <_end+8411701/7f00ac18> <=====
    0: 0f b6 78 06 movzbl 0x6(%rax),%edi <=====
    Code; ffffffff88a06aed <_end+8411705/7f00ac18>
    4: 0f b6 40 02 movzbl 0x2(%rax),%eax
    Code; ffffffff88a06af1 <_end+8411709/7f00ac18>
    8: c7 46 08 00 00 00 00 movl $0x0,0x8(%rsi)
    Code; ffffffff88a06af8 <_end+8411710/7f00ac18>
    f: c7 46 04 01 00 00 00 movl $0x1,0x4(%rsi)

    CR2: 0000000000000006

    I see some reactions for my device "Microsoft Xbox 360 Controller (/dev/input/js0)" in the KDE Control Center despite the crash.

     
  • Peter Sandin
    2008-02-03

    Logged In: YES
    user_id=1999185
    Originator: NO

    I was having the same problem. I've managed to "fix" it so that the null pointer dereference no longer crashes the module, but I'm not sure about the correctness of my solution in the grand scheme of how things should be handled. I added a check between the comment on line 555 of xpad.c and its corresponding code.

    if (&intf->cur_altsetting->endpoint[0].desc == 0)
        goto fail2;

    Like I said, this prevents the module from crashing, but I'm not familiar enough with how USB probing should be handled to know if this is the correct behavior.
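The following is an added worked example, not code from xpad.c or from anyone in this thread. It ties the ksymoops output above (RAX = 0, faulting instruction `movzbl 0x6(%rax)`, CR2 = 0x6) to a struct field, and shows why the check Peter posted stops the crash and what a more explicit check looks like. The structs are reduced local stand-ins for the kernel's `usb_endpoint_descriptor`, `usb_host_endpoint`, `usb_host_interface` and `usb_interface`; their field order follows the USB 2.0 descriptor layout and the kernel headers, but the `usb_interface_mock` name, the `probe_first_endpoint` function and the assumption that the driver wants an interrupt IN endpoint as `endpoint[0]` are this example's own.

```c
/* Added example: models the descriptor layout behind the xpad oops and a
 * defensive probe-time check. Not the xpad project's code. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <errno.h>

/* First 7 bytes of a USB 2.0 endpoint descriptor; the kernel's
 * usb_endpoint_descriptor is packed, so wMaxPacketSize sits at offset 4
 * and bInterval at offset 6. */
struct ep_desc {
    uint8_t  bLength;
    uint8_t  bDescriptorType;
    uint8_t  bEndpointAddress;   /* offset 2: address and direction bit */
    uint8_t  bmAttributes;       /* offset 3: low two bits = transfer type */
    uint16_t wMaxPacketSize;     /* offset 4 */
    uint8_t  bInterval;          /* offset 6: the byte the oops loads */
} __attribute__((packed));

/* Stand-in for usb_host_endpoint: the descriptor is its FIRST member, so
 * &endpoint[0].desc is the same address as endpoint itself. */
struct host_endpoint {
    struct ep_desc desc;
    int            extra_state;  /* placeholder for the remaining kernel fields */
};

/* Stand-in for usb_host_interface: an interface with bNumEndpoints == 0
 * carries a NULL endpoint array. */
struct host_interface {
    uint8_t               bNumEndpoints;
    struct host_endpoint *endpoint;
};

/* Hypothetical reduced usb_interface: only cur_altsetting is modelled. */
struct usb_interface_mock {
    struct host_interface *cur_altsetting;
};

/* Maps an offset from the register dump to the descriptor field at that
 * offset, e.g. 6 -> "bInterval". */
const char *field_at_offset(size_t off)
{
    if (off == offsetof(struct ep_desc, bEndpointAddress)) return "bEndpointAddress";
    if (off == offsetof(struct ep_desc, wMaxPacketSize))   return "wMaxPacketSize";
    if (off == offsetof(struct ep_desc, bInterval))        return "bInterval";
    return "unknown";
}

/* Offset of desc inside host_endpoint: 0, which is why comparing
 * &endpoint[0].desc against 0 behaves like comparing endpoint against NULL. */
size_t desc_offset_in_host_endpoint(void)
{
    return offsetof(struct host_endpoint, desc);
}

/* Reproduces the address arithmetic of the crash without dereferencing or
 * indexing a NULL pointer: base NULL + element 0 + desc offset + bInterval
 * offset = 0x6, the CR2 value in the oops. */
uintptr_t fault_address_for_null_endpoint(void)
{
    struct host_interface alt = { .bNumEndpoints = 0, .endpoint = NULL };
    return (uintptr_t)(void *)alt.endpoint
         + 0 * sizeof(struct host_endpoint)
         + offsetof(struct host_endpoint, desc)
         + offsetof(struct ep_desc, bInterval);
}

/* Defensive lookup of the first endpoint. Returns 0 and sets *out on success,
 * -ENODEV if the altsetting has no endpoints, -EINVAL if endpoint[0] is not
 * the interrupt IN endpoint this example assumes the driver reads from. */
int probe_first_endpoint(const struct usb_interface_mock *intf,
                         const struct ep_desc **out)
{
    const struct host_interface *alt = intf->cur_altsetting;
    if (!alt || alt->bNumEndpoints == 0 || !alt->endpoint)
        return -ENODEV;
    const struct ep_desc *ep = &alt->endpoint[0].desc;
    if ((ep->bmAttributes & 0x03) != 0x03 || !(ep->bEndpointAddress & 0x80))
        return -EINVAL;
    *out = ep;
    return 0;
}

int main(void)
{
    printf("CR2 0x6 -> field %s (descriptor offset %zu)\n",
           field_at_offset(6), offsetof(struct ep_desc, bInterval));
    printf("fault address with NULL endpoint array: 0x%lx\n",
           (unsigned long)fault_address_for_null_endpoint());
    struct host_interface alt = { .bNumEndpoints = 0, .endpoint = NULL };
    struct usb_interface_mock intf = { &alt };
    const struct ep_desc *ep = NULL;
    printf("probe on endpoint-less interface: %d\n", probe_first_endpoint(&intf, &ep));
    return 0;
}
```

The decoding goes: RAX is the descriptor pointer, it is 0, and the faulting load reads offset 6 of it, which is `bInterval`; the preceding `movzbl 0x2(%rax)` reads `bEndpointAddress`. The posted check works because `desc` is the first member of the endpoint structure, so the address it compares is the endpoint array pointer itself; checking `bNumEndpoints` says the same thing without relying on that layout detail.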