Pairing wiimote leads to kernel null pointer dereference in hid_wiimote

Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
linux (Ubuntu) | Fix Released | Medium | Luis Henriques |
Precise | Fix Released | Undecided | Luis Henriques |
Quantal | Fix Released | Medium | Luis Henriques |

Bug Description
Relevant dmesg lines:
[ 55.782981] wiimote 0005:057E:
[ 55.783047] input: Nintendo Wii Remote Accelerometer as /devices/
[ 55.783187] input: Nintendo Wii Remote IR as /devices/
[ 55.783276] input: Nintendo Wii Remote as /devices/
[ 55.783390] BUG: unable to handle kernel NULL pointer dereference at 0000000000000040
[ 55.783431] IP: [<ffffffff811ee
[ 55.783463] PGD 3a5106067 PUD 3a5108067 PMD 0
[ 55.783485] Oops: 0000 [#1] SMP
[ 55.783502] CPU 0
[ 55.783510] Modules linked in: hid_wiimote(+) ff_memless hidp pci_stub vboxpci(O) vboxnetadp(O) vboxnetflt(O) vboxdrv(O) kvm_intel kvm dm_crypt snd_hda_codec_hdmi snd_hda_codec_idt deflate zlib_deflate ctr twofish_generic twofish_x86_64_3way twofish_x86_64 twofish_common camellia serpent blowfish_generic blowfish_x86_64 blowfish_common cast5 des_generic xcbc rmd160 sha512_generic crypto_null rfcomm af_key parport_pc bnep ppdev nfsd binfmt_misc nfs lockd fscache auth_rpcgss nfs_acl sunrpc btusb bluetooth uvcvideo videodev v4l2_compat_ioctl32 hid_logitech_dj joydev hp_wmi sparse_keymap snd_hda_intel snd_hda_codec snd_hwdep snd_pcm snd_seq_midi snd_rawmidi arc4 snd_seq_midi_event snd_seq snd_timer snd_seq_device ath9k snd mac80211 psmouse ath9k_common ath9k_hw ath serio_raw cfg80211 jmb38x_ms memstick soundcore snd_page_alloc mei(C) hp_accel lis3lv02d input_polldev mac_hid coretemp lp parport uas usb_storage usbhid hid wmi r8169 i915 radeon sdhci_pci sdhci video ttm drm_kms_helper drm i2c_algo_bit [last unloaded: ipmi_msghandler]
[ 55.783981]
[ 55.783990] Pid: 3180, comm: modprobe Tainted: G C O 3.2.0-30-generic #48-Ubuntu Hewlett-Packard HP ProBook 4530s/167C
[ 55.784038] RIP: 0010:[<
[ 55.784077] RSP: 0018:ffff8803a5
[ 55.784098] RAX: 0000000000000000 RBX: ffffffff81a4d9cc RCX: 0000000000000001
[ 55.784127] RDX: ffffffff81a4d9cc RSI: ffff8803e650b8b0 RDI: 0000000000000010
[ 55.784155] RBP: ffff8803a5103cb8 R08: 0000000000000000 R09: ffffffff8130e3d5
[ 55.784183] R10: fffffffffffffd67 R11: 0000000000000000 R12: 0000000000000000
[ 55.784211] R13: ffff8803a4b00000 R14: ffff8803e650b8b0 R15: 0000000000000001
[ 55.784240] FS: 00007f960dee070
[ 55.784273] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 55.784296] CR2: 0000000000000040 CR3: 00000003a4811000 CR4: 00000000000406f0
[ 55.784324] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 55.784352] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
[ 55.784381] Process modprobe (pid: 3180, threadinfo ffff8803a5102000, task ffff8803a49a4500)
[ 55.784414] Stack:
[ 55.784423] 0000000000000282 ffffffff81c96ca0 ffff8803a5103ca8 ffffffff8104dea3
[ 55.784457] ffff8803a5103ca8 0000000000000000 ffff8803a5b1c800 ffff8803e650a000
[ 55.784489] 0000000000000000 ffff8803a4b00000 ffff8803a4b00040 ffff8803e650b8a0
[ 55.784522] Call Trace:
[ 55.784538] [<ffffffff8104d
[ 55.784560] [<ffffffff811ee
[ 55.784586] [<ffffffff814dc
[ 55.784612] [<ffffffffa07dc
[ 55.784647] [<ffffffffa021b
[ 55.784674] [<ffffffff811ee
[ 55.784699] [<ffffffff813f5
[ 55.784722] [<ffffffff813f5
[ 55.784747] [<ffffffff813f5
[ 55.784770] [<ffffffff813f5
[ 55.784795] [<ffffffff813f5
[ 55.786524] [<ffffffff813f4
[ 55.788358] [<ffffffff813f5
[ 55.790670] [<ffffffff813f5
[ 55.792984] [<ffffffffa0071
[ 55.794886] [<ffffffff813f6
[ 55.796586] [<ffffffffa0071
[ 55.798276] [<ffffffffa021c
[ 55.799946] [<ffffffffa0071
[ 55.802199] [<ffffffff81002
[ 55.804301] [<ffffffff810a8
[ 55.805965] [<ffffffff81662
[ 55.807622] Code: 89 6d e8 4c 89 75 f0 4c 89 7d f8 66 66 66 66 90 48 85 d2 49 89 f6 48 89 d3 41 89 cf 0f 84 bf 01 00 00 48 85 ff 0f 84 74 01 00 00 <4c> 8b 6f 30 b8 f2 ff ff ff 4d 85 ed 0f 84 ba 00 00 00 48 c7 c7
[ 55.809464] RIP [<ffffffff811ee
[ 55.811298] RSP <ffff8803a5103c58>
[ 55.813514] CR2: 0000000000000040
[ 56.045155] ---[ end trace b1ebc7f8b069843a ]---
I can reproduce this consistently by pressing 1+2 on the wiimote and connecting to the device from gnome-bluetooth (I'm assuming I paired correctly, however I can't tell due to this being the problem in the first place).
ProblemType: Bug
DistroRelease: Ubuntu 12.04
Package: linux-image-
ProcVersionSign
Uname: Linux 3.2.0-30-generic x86_64
AlsaVersion: Advanced Linux Sound Architecture Driver Version 1.0.24.
ApportVersion: 2.0.1-0ubuntu12
Architecture: amd64
ArecordDevices:
**** List of CAPTURE Hardware Devices ****
card 0: PCH [HDA Intel PCH], device 0: STAC92xx Analog [STAC92xx Analog]
Subdevices: 1/1
Subdevice #0: subdevice #0
AudioDevicesInUse:
USER PID ACCESS COMMAND
/dev/snd/
/dev/snd/pcmC0D0p: mcuelenaere 2724 F...m pulseaudio
Card0.Amixer.info:
Card hw:0 'PCH'/'HDA Intel PCH at 0xd4a00000 irq 51'
Mixer name : 'Intel CougarPoint HDMI'
Components : 'HDA:111d76d1,
Controls : 23
Simple ctrls : 11
Date: Mon Sep 10 13:48:46 2012
EcryptfsInUse: Yes
InstallationMedia: Ubuntu 11.10 "Oneiric Ocelot" - Release amd64 (20111012)
MachineType: Hewlett-Packard HP ProBook 4530s
ProcEnviron:
TERM=xterm
PATH=(custom, user)
LANG=nl_BE.utf8
SHELL=/bin/bash
ProcFB:
0 radeondrmfb
1 inteldrmfb
ProcKernelCmdLine: BOOT_IMAGE=
RelatedPackageV
linux-
linux-
linux-firmware 1.79.1
SourcePackage: linux
StagingDrivers: mei
UpgradeStatus: Upgraded to precise on 2012-04-27 (135 days ago)
dmi.bios.date: 03/09/2012
dmi.bios.vendor: Hewlett-Packard
dmi.bios.version: 68SRR Ver. F.23
dmi.board.name: 167C
dmi.board.vendor: Hewlett-Packard
dmi.board.version: KBC Version 22.21
dmi.chassis.
dmi.chassis.type: 10
dmi.chassis.vendor: Hewlett-Packard
dmi.modalias: dmi:bvnHewlett-
dmi.product.name: HP ProBook 4530s
dmi.product.
dmi.sys.vendor: Hewlett-Packard
Changed in linux (Ubuntu):
status: New → Confirmed
tags: added: kernel-fixed-upstream-v3.4
Changed in linux (Ubuntu):
importance: Undecided → Medium
tags: added: needs-upstream-testing
tags: removed: needs-upstream-testing
tags: added: needs-bisect
Changed in linux (Ubuntu):
status: Confirmed → In Progress
assignee: nobody → Luis Henriques (henrix)
Changed in linux (Ubuntu Precise):
assignee: nobody → Luis Henriques (henrix)
status: New → Fix Committed
Changed in linux (Ubuntu Quantal):
status: In Progress → Fix Released
This might be the fix: http://git.kernel.org/?p=linux/kernel/git/torvalds/linux.git;a=commitdiff;h=217c8b2b1978aa4a02ce040a99c59ed3b6418fe5