Re: List corruption in hidraw_release in 3.11-rc4

[Peter Wu <lekensteyn@gmail.com>]

On Wednesday 07 August 2013 03:01:26 Jiri Kosina wrote:
> On Tue, 6 Aug 2013, Peter Wu wrote:
> > While debugging upowerd (with Logitech Unifying receiver via hidraw),
> > I came across this list corruption warning.
> 
> Peter,
> 
> does the patch below fix the problem you are seeing?
That one is already in 3.11-rc4 as far as I can see. Also, that code can 
probably simplified by moving the mutex_unlock after the out label, removing 
the need to duplicate the mutex_unlock.

Remember what I said about "no Oopses"? Well, it turned out that several 
memory structures were damaged which causes a general protection fault in 
sock_alloc_inode and other places.

I managed to create a program that can reproduce this bug 100% in a QEMU 
virtual machine with a Logitech USB receiver passed to it.

qemu-system-x86_64 -enable-kvm -m 1G -usb -usbdevice host:046d:c52b
(pass -kernel, -initrd, -append as needed)

Copy hidraw-test to initrd, boot QEMU and run `hidraw-test`. Result: instant
(= +/- 2 seconds) crash.

I have applied Manoj's patch[1] on top of 3.11-rc4 which seem to fix the issue. 
One observation is that the new device is named /dev/hidraw1 instead of 
/dev/hidraw0. Example:

f(){ hidraw-test /dev/hidraw$1 usb1;}
# needed for 3.11-rc4
f 1; f 1 # crash
# needed for 3.11-rc4 + patch
f 1; f 2 # ok

Regards,
Peter

 [1]: http://lkml.org/lkml/2013/7/22/248
--
/* cc hidraw-test.c -o hidraw-test
 * hidraw-test /dev/hidraw0 usb1; hidraw-test /dev/hidraw0 usb1;
 */
#include <unistd.h>
#include <fcntl.h>
#include <stdio.h>
#include <errno.h>
#include <string.h>
#include <stdlib.h>

int open_and_write(const char *path, const char *data) {
	int sfd, r;

	sfd = open(path, O_WRONLY);
	if (sfd < 0) {
		perror(path);
		return 1;
	}

	r = write(sfd, data, strlen(data));
	if (r < 0) {
		fprintf(stderr, "write(%s, %s): %s\n",
			path, data, strerror(errno));
		return 1;
	}
	close(sfd);
	return 0;
}

int dork(const char *hiddev, const char *name) {
	int fd;
	char c;

	fd = open(hiddev, O_RDWR | O_NONBLOCK);
	if (fd < 0) {
		perror("open");
		return 1;
	}

	if (open_and_write("/sys/bus/usb/drivers/usb/unbind", name))
		return 1;

	// does not make a difference
	//sleep(1);

	if (open_and_write("/sys/bus/usb/drivers/usb/bind", name))
		return 1;

	// allow devices to get discovered
	sleep(1);

	printf("read() = %zi\n", read(fd, &c, 1)); perror("read");
	close(fd);
	return 0;
}

int main(int argc, char **argv) {
	if (argc < 3) {
		fprintf(stderr, "Usage: %s /dev/hidrawN usbN\n", *argv);
		return 1;
	}

	system("modprobe -v usbhid");
	system("modprobe -v hid-logitech-dj");

	dork(argv[1], argv[2]);

	return 0;
}