Kernel oops - unable to handle kernel NULL pointer dereference; EIP is at input_event+0x23/0x70

Bug #1244505 reported by James Henstridge on 2013-10-25
8
This bug affects 1 person
Affects Status Importance Assigned to Milestone
linux (Ubuntu)
High
Luis Henriques

Bug Description

SRU Justification:

There is a bug in Ubuntu Saucy that prevents the usage of the IR remote with the appleir device driver (bug reporter was using a Mac Mini). It causes a kernel NULL pointer dereference on the first button press on the remote.

Impact:

The system locks up on the first button press on the remote, and prints an Oops message.

Fix:

This issue has been reported upstream[1] and a fix is already queued for mainline in Jiri Kosina HID git tree [2] with SHA1:

 3d18bd41a82fac69c82e1725c7beea25b17a0190 HID: appleir: force input to be set

[1] https://lkml.org/lkml/2013/10/29/355
[2] git://git.kernel.org/pub/scm/linux/kernel/git/jikos/hid.git

Testcase:

As described in the bug report, simply using pressing the button on the remote reproduces the bug.

=========================================================================================

After upgrading to Ubuntu Saucy (32 bit), I am able to reliably reproduce a crash by pressing any button on the IR remote of a Mac Mini.

The system is running XBMC and using LIRC to handle the remote. The system locks up on the first button press on the remote, and prints an Oops message if I switch to a virtual terminal first. The same happens if I exit XBMC and shut down lircd first. If I boot to the 3.8.0 kernel from Raring, the problem does not occur.

The dmesg output also shows non fatal intel_pipe_config_compare warnings that appear to be identical to bug 1211976, but I'm not sure if they are related.

$ uname -a
Linux tim-Macmini 3.11.0-12-generic #19-Ubuntu SMP Wed Oct 9 16:12:00 UTC 2013 i686 i686 i686 GNU/Linux

$ cat /proc/version_signature
Ubuntu 3.11.0-12.19-generic 3.11.3

The oops doesn't seem to be written to the log, so I've attached a photo for reference. I've also included the dmesg log from right before I triggered the oops.

CVE References

James Henstridge (jamesh) wrote :
tags: added: kernel-oops
James Henstridge (jamesh) wrote :
James Henstridge (jamesh) wrote :

This change was made by a bot.

Changed in linux (Ubuntu):
status: New → Confirmed
Joseph Salisbury (jsalisbury) wrote :

Would it be possible for you to test the latest upstream kernel? Refer to https://wiki.ubuntu.com/KernelMainlineBuilds . Please test the latest v3.12 kernel[0].

If this bug is fixed in the mainline kernel, please add the following tag 'kernel-fixed-upstream'.

If the mainline kernel does not fix this bug, please add the tag: 'kernel-bug-exists-upstream'.

If you are unable to test the mainline kernel, for example it will not boot, please add the tag: 'kernel-unable-to-test-upstream'.
Once testing of the upstream kernel is complete, please mark this bug as "Confirmed".

Thanks in advance.

[0] http://kernel.ubuntu.com/~kernel-ppa/mainline/v3.12-rc6-saucy/

Changed in linux (Ubuntu):
importance: Undecided → High
status: Confirmed → Incomplete
tags: added: needs-bisect saucy
James Henstridge (jamesh) wrote :

I've tried the 3.12-rc6-saucy kernel, and was able to reproduce the bug. On the first IR command from the remote, I get the same NULL pointer dereference in input_event with the next few call frames in the hid_appleir module.

tags: added: kernel-bug-exists-upstream
Changed in linux (Ubuntu):
status: Incomplete → Confirmed
James Henstridge (jamesh) wrote :

So, it looks like one big difference is that the hid-appleir driver didn't exist in the 3.8 kernel, and presumably LIRC was programming the chip directly before.

So I guess either (a) the driver is broken, or (b) LIRC is still trying to program the chip directly, and manages to confuse hid-appleir.

I guess I'll see if I can disable the driver and see what happens.

James Henstridge (jamesh) wrote :

I tried out a test kernel from henrix at http://people.canonical.com/~henrix/lp1244505/v1/ which also exhibited an oops. The stack trace was a bit longer with the top of the oops scrolling off the screen, but it still contained the appleir_raw_event and key_down frames.

I also tried disabling LIRC and booting with the stock Saucy kernel, where I wasn't able to reproduce the crash via the remote. I then tried blacklisting the hid-appleir driver and having lircd start. This time, lircd complained about not being able to open /dev/usb/hiddev0. Presumably some other driver bound the device to provide raw HID access in the Raring kernel.

Luis Henriques (henrix) wrote :

I've reported this issue upstream (https://lkml.org/lkml/2013/10/29/355), and Benjamin Tissoires has provided a patch for testing.

I've uploaded a test kernel here:

http://people.canonical.com/~henrix/lp1244505/v2/

It is a 3.11.0-12.19 kernel with the patch provided by Benjamin. James: could you please give it a try? Thanks.

James Henstridge (jamesh) wrote :

I've given the new kernel a try, and was no longer able to reproduce the crash.

The hid-appleir driver seems to be correctly generating keypress events, and LIRC still seems to be able to access the raw hiddev device. This gives me double input in XBMC, but that is clearly a problem with my local configuration rather than a kernel problem.

Luis Henriques (henrix) on 2013-11-21
Changed in linux (Ubuntu):
assignee: nobody → Luis Henriques (henrix)
status: Confirmed → In Progress
description: updated
Brad Figg (brad-figg) wrote :

This bug is awaiting verification that the kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-saucy' to 'verification-done-saucy'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

tags: added: verification-needed-saucy
Launchpad Janitor (janitor) wrote :
Download full text (13.3 KiB)

This bug was fixed in the package linux - 3.11.0-15.23

---------------
linux (3.11.0-15.23) saucy; urgency=low

  [Brad Figg]

  * Release Tracking Bug
    - LP: #1259259

  [ Tim Gardner ]

  * [Config] Build-in ohci-pci
    - LP: #1244176

linux (3.11.0-15.22) saucy; urgency=low

  [Brad Figg]

  * Release Tracking Bug
    - LP: #1257092

  [ Andy Whitcroft ]

  * [Config] CONFIG_DEBUG_BUGVERBOSE=y
    - LP: #1252353

  [ Benjamin Tissoires ]

  * SAUCE: (no-up) HID: appleir: force input to be set
    - LP: #1244505

  [ John Johansen ]

  * SAUCE: (no-up) apparmor: Fix tasks not subject to, reloaded policy
    - LP: #1236455

  [ Kamal Mostafa ]

  * SAUCE: (no-up) drm/i915: i915.disable_pch_pwm overrides PCH_PWM_ENABLE
    quirk
    - LP: #1163720

  [ Manoj Iyer ]

  * SAUCE: Enable earlyprintk via the PL011.
    - LP: #1248233

  [ Paolo Pisati ]

  * [Config] armhf: RTC_DRV_PL031=y
    - LP: #1252242
  * [Config] armhf: CPU_FREQ=y && ARM_HIGHBANK_CPUFREQ=y
    - LP: #1249397

  [ Rob Herring ]

  * [Config] armhf: PSTORE_RAM=y and PSTORE_CONSOLE=y
    - LP: #1248492
  * SAUCE: net: calxedaxgmac: add mac address learning
    - LP: #1248233

  [ Tim Gardner ]

  * [Debian] Re-sign modules after debug objcopy
    - LP: #1253155

  [ Upstream Kernel Changes ]

  * Revert "rt2x00pci: Use PCI MSIs whenever possible"
    - LP: #1257037
  * Revert "epoll: use freezable blocking call"
    - LP: #1257037
  * Revert "select: use freezable blocking call"
    - LP: #1257037
  * Revert "ima: policy for RAMFS"
    - LP: #1257037
  * ARM: tlb: don't perform inner-shareable invalidation for local TLB ops
    - LP: #1239800
  * ARM: 7855/1: Add check for Cortex-A15 errata 798181 ECO
    - LP: #1239800
  * mfd: rtsx: Modify rts5249_optimize_phy
    - LP: #1255297
  * usb: musb: start musb on the udc side, too
    - LP: #1257037
  * usb-storage: add quirk for mandatory READ_CAPACITY_16
    - LP: #1257037
  * USB: support new huawei devices in option.c
    - LP: #1257037
  * USB: quirks.c: add one device that cannot deal with suspension
    - LP: #1257037
  * USB: quirks: add touchscreen that is dazzeled by remote wakeup
    - LP: #1257037
  * USB: serial: ftdi_sio: add id for Z3X Box device
    - LP: #1257037
  * xhci: Don't enable/disable RWE on bus suspend/resume.
    - LP: #1257037
  * cifs: Fix inability to write files >2GB to SMB2/3 shares
    - LP: #1257037
  * x86: Update UV3 hub revision ID
    - LP: #1257037
  * cpufreq: s3c64xx: Rename index to driver_data
    - LP: #1257037
  * cpufreq / intel_pstate: Fix max_perf_pct on resume
    - LP: #1257037
  * bcache: Fixed incorrect order of arguments to bio_alloc_bioset()
    - LP: #1257037
  * HID: wiimote: add LEGO-wiimote VID
    - LP: #1257037
  * cgroup: fix to break the while loop in cgroup_attach_task() correctly
    - LP: #1257037
  * mac80211: correctly close cancelled scans
    - LP: #1257037
  * mac80211: drop spoofed packets in ad-hoc mode
    - LP: #1257037
  * mac80211: use sta_info_get_bss() for nl80211 tx and client probing
    - LP: #1257037
  * mac80211: update sta->last_rx on acked tx frames
    - LP: #1257037
  * mac80211: fix crash if bitrate calculation goes wrong
    - LP: #1257...

Changed in linux (Ubuntu):
status: In Progress → Fix Released
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers