Sony Dualshock 4 usb dongle crashes the whole system

Bug #1935846 reported by xcom
This bug affects 1 person

Affects          Status        Importance  Assigned to  Milestone
linux (Ubuntu)   Fix Released  Undecided   Unassigned
  Focal          Fix Released  Medium      Alex Hung
  Groovy         Won't Fix     Undecided   Unassigned

Bug Description

[Impact]

Connecting a Sony Dualshock 4 controller through its USB dongle while Steam
is running can crash the whole system. hid-sony's calibration read receives
the reply to a feature report that Steam requested, parses it as calibration
data, and later divides by zero in dualshock4_parse_report. More details are
in the patch description.

[Fix]

Check whether the feature report received is the one that was requested and
retry up to 3 times if it is not.

[Test Case]

Tested by the bug reporter of LP:1935846. No more crashes after applying
this patch.

[Where problems could occur]

None. The patch checks whether the data is valid and retries up to 3 times
before returning -EILSEQ if it still fails.

== Original description ==

The hid-sony driver has custom DS4 connect/disconnect logic for the
DS4 dongle, which is a USB dongle acting as a proxy to Bluetooth
connected DS4.

The connect/disconnect logic works fine generally, however not in
conjunction with Steam. Steam implements its own DS4 driver using
hidraw. Both hid-sony and Steam are issuing their own HID requests
and are racing each other during DS4 dongle connect/disconnect
resulting in a kernel crash in hid-sony.

The problem is that upon a DS4 connect to the dongle, hid-sony kicks
off 'ds4_get_calibration_data' from within its dongle hotplug code.
The calibration code issues raw HID feature report for reportID 0x02.
When Steam is running, it issues a feature report for reportID 0x12
typically just prior to hid-sony requesting feature reportID 0x02.
The result is that 'ds4_get_calibration_data' receives the data Steam
requested as that's the HID report returning first. Currently this
results in it processing invalid data, which ultimately results in a
divide by zero upon a future 'dualshock4_parse_report'.

The solution for now is to check within 'ds4_get_calibration_data'
whether we received data for the feature report we issued and, if not,
retry.

Please consider to add this patch to Ubuntu LTS kernels.

Commit:
https://github.com/torvalds/linux/commit/f5dc93b7875bcb8be77baa792cc9432aaf65365b
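The race and the workaround described above, as an added example in C that is not the hid-sony driver's code: it models the hid_hw_raw_request() exchange in user space so the failure can be seen without a kernel. The report IDs (0x02 requested by hid-sony, 0x12 requested by Steam), the retry count of 3 and the -EILSEQ result come from the description; the report layout (gyro pitch range as little-endian int16 at bytes 7..10 of report 0x02), the +/-8192 constructed values, the constructed stand-in for Steam's 0x12 reply, and the simulated dongle are assumptions for illustration only.

```c
#include <errno.h>
#include <stdint.h>
#include <string.h>

/* Added model of the race; not hid-sony code.  Report layout (int16 LE gyro
 * pitch range at bytes 7..10 of report 0x02) and the dongle are assumptions. */
#define DS4_REPORT_0x02_SIZE 37
#define DS4_CALIB_RETRIES    3

/* Constructed reply to Steam's report 0x12 request: read as a 0x02 report,
 * every calibration field in it is zero. */
static const uint8_t steam_0x12_reply[DS4_REPORT_0x02_SIZE] = { 0x12 };

/* Constructed genuine 0x02 reply: gyro pitch range +8192 / -8192 (LE). */
static void build_valid_0x02(uint8_t *buf)
{
    memset(buf, 0, DS4_REPORT_0x02_SIZE);
    buf[0] = 0x02;
    buf[7] = 0x00; buf[8]  = 0x20;
    buf[9] = 0x00; buf[10] = 0xe0;
}

/* Simulated dongle and hid_hw_raw_request() stand-in: while replies to Steam's
 * request are still ahead of ours, GET_REPORT hands one back whatever ID we asked for. */
struct sim_dongle { int stale; };

static int sim_raw_request(struct sim_dongle *d, uint8_t id, uint8_t *buf, size_t len)
{
    if (len < DS4_REPORT_0x02_SIZE || id != 0x02)
        return -EINVAL;                        /* only report 0x02 is modelled */
    if (d->stale > 0) {
        d->stale--;
        memcpy(buf, steam_0x12_reply, DS4_REPORT_0x02_SIZE);
    } else {
        build_valid_0x02(buf);
    }
    return DS4_REPORT_0x02_SIZE;
}

struct ds4_calibration { int pitch_plus, pitch_minus; };
static int16_t le16(const uint8_t *p) { return (int16_t)(p[0] | (p[1] << 8)); }

static void parse_0x02(const uint8_t *buf, struct ds4_calibration *c)
{
    c->pitch_plus  = le16(buf + 7);
    c->pitch_minus = le16(buf + 9);
}

/* Divisor later applied to raw gyro samples; 0 here is the crash in the bug. */
static int gyro_pitch_denom(const struct ds4_calibration *c)
{
    return c->pitch_plus - c->pitch_minus;
}

/* Pre-fix: trust whatever came back. */
static int get_calibration_unchecked(struct sim_dongle *d, struct ds4_calibration *c)
{
    uint8_t buf[DS4_REPORT_0x02_SIZE];
    int ret = sim_raw_request(d, 0x02, buf, sizeof buf);
    if (ret < 0) return ret;
    parse_0x02(buf, c);
    return 0;
}

/* Post-fix: accept only a reply carrying the requested ID, retry up to
 * DS4_CALIB_RETRIES times, then fail with -EILSEQ rather than use junk. */
static int get_calibration_checked(struct sim_dongle *d, struct ds4_calibration *c, int *attempts)
{
    uint8_t buf[DS4_REPORT_0x02_SIZE];
    int tries = 0, ret;
    do {
        ret = sim_raw_request(d, 0x02, buf, sizeof buf);
        tries++;
        if (ret < 0)
            break;
        if (buf[0] == 0x02) {
            parse_0x02(buf, c);
            ret = 0;
            break;
        }
        ret = -EILSEQ;
    } while (tries < DS4_CALIB_RETRIES);
    if (attempts)
        *attempts = tries;
    return ret;
}

/* One dongle hotplug with `stale` Steam replies ahead of ours.  Returns the read's
 * result; *denom is the divisor the driver would go on to use, *attempts the tries. */
static int run_hotplug(int stale, int checked, int *attempts, int *denom)
{
    struct sim_dongle d = { .stale = stale };
    struct ds4_calibration c = { 0 };
    int ret = checked ? get_calibration_checked(&d, &c, attempts)
                      : get_calibration_unchecked(&d, &c);
    if (denom)
        *denom = gyro_pitch_denom(&c);
    return ret;
}

static int hotplug_ret(int stale, int checked) { return run_hotplug(stale, checked, NULL, NULL); }
static int hotplug_denom(int stale, int checked) { int den = 0; run_hotplug(stale, checked, NULL, &den); return den; }
static int hotplug_attempts(int stale) { int tries = 0; run_hotplug(stale, 1, &tries, NULL); return tries; }
```

With one stale reply, the unchecked read succeeds but leaves a zero divisor (the kernel crash); the checked read needs two attempts and gets the real range of 16384. With three stale replies in a row the checked read returns -EILSEQ, and the caller must then not use the calibration struct at all, which is the one thing the ID check does not enforce by itself.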


Revision history for this message
Alex Hung (alexhung) wrote :

I assume you were referring to LTS kernel 5.4 used in Ubuntu 20.04.

I compiled a kernel with the proposed commit at the link below. Let me know whether it fixes your problem and I will submit an SRU to kernel 5.4 if it does.

https://people.canonical.com/~alexhung/LP1935846/

Revision history for this message
Dimitri John Ledkov (xnox) wrote :

I would have thought that this patch upstream would have been suitable for stable series.

It seems like the bug that the patch fixes is not annotated correctly, hence it was not picked for stable updates yet.

I wonder if we should try to submit to linux-stable for v5.4 v5.8 series.

Revision history for this message
xcom (xcom) wrote :

Thank you Alex!
Your kernel seems to be crash free. It fixes the problem for me.

Uname -a
ry2600 ~ % uname -a
Linux x-ry2600 5.4.0-77-generic #86 SMP Mon Jul 12 19:43:42 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux

Alex Hung (alexhung)
description: updated
Tim Gardner (timg-tpi)
Changed in linux (Ubuntu Focal):
status: New → In Progress
Changed in linux (Ubuntu Groovy):
status: New → Won't Fix
Changed in linux (Ubuntu):
status: New → Fix Released
Revision history for this message
xcom (xcom) wrote :

Hello All!

Please also apply the patch for the 5.8.0-63-generic series.

Revision history for this message
Alex Hung (alexhung) wrote :

Hi xcom,

Ubuntu 20.10 (kernel 5.8) reached its EOL (https://ubuntu.com/about/release-cycle#ubuntu-kernel-release-cycle); as a result, the SRU patch was not merged into 5.8 (https://lists.ubuntu.com/archives/kernel-team/2021-July/122465.html).

I built a test kernel 5.8 with the patch. It is available for testing @ https://people.canonical.com/~alexhung/LP1935846/5.8/

Revision history for this message
xcom (xcom) wrote :

Hello Alex!

Thanks! Your kernel package works fine with my DS4 controller.

Alex Hung (alexhung)
Changed in linux (Ubuntu Focal):
assignee: nobody → Alex Hung (alexhung)
assignee: Alex Hung (alexhung) → nobody
Changed in linux (Ubuntu):
assignee: nobody → Alex Hung (alexhung)
assignee: Alex Hung (alexhung) → nobody
Changed in linux (Ubuntu Focal):
assignee: nobody → Alex Hung (alexhung)
Stefan Bader (smb)
Changed in linux (Ubuntu Focal):
importance: Undecided → Medium
Changed in linux (Ubuntu Focal):
status: In Progress → Fix Committed
Revision history for this message
Ubuntu Kernel Bot (ubuntu-kernel-bot) wrote :

This bug is awaiting verification that the kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-focal' to 'verification-done-focal'. If the problem still exists, change the tag 'verification-needed-focal' to 'verification-failed-focal'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

tags: added: verification-needed-focal
Alex Hung (alexhung)
tags: added: verification-done-focal
removed: verification-needed-focal
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux - 5.4.0-84.94

---------------
linux (5.4.0-84.94) focal; urgency=medium

  * focal/linux: 5.4.0-84.94 -proposed tracker (LP: #1941767)

  * Server boot failure after adding checks for ACPI IRQ override (LP: #1941657)
    - Revert "ACPI: resources: Add checks for ACPI IRQ override"

linux (5.4.0-83.93) focal; urgency=medium

  * focal/linux: 5.4.0-83.93 -proposed tracker (LP: #1940159)

  * fails to launch linux L2 guests on AMD (LP: #1940134) // CVE-2021-3653
    - KVM: nSVM: avoid picking up unsupported bits from L2 in int_ctl
      (CVE-2021-3653)

  * fails to launch linux L2 guests on AMD (LP: #1940134)
    - SAUCE: Revert "UBUNTU: SAUCE: KVM: nSVM: avoid picking up unsupported bits
      from L2 in int_ctl"

linux (5.4.0-82.92) focal; urgency=medium

  * focal/linux: 5.4.0-82.92 -proposed tracker (LP: #1939799)

  * Packaging resync (LP: #1786013)
    - debian/dkms-versions -- update from kernel-versions (main/2021.08.16)

  * CVE-2021-3656
    - SAUCE: KVM: nSVM: always intercept VMLOAD/VMSAVE when nested

  * CVE-2021-3653
    - SAUCE: KVM: nSVM: avoid picking up unsupported bits from L2 in int_ctl

  * [regression] USB device is not detected during boot (LP: #1939638)
    - SAUCE: Revert "usb: core: reduce power-on-good delay time of root hub"

  * dev_forward_skb: do not scrub skb mark within the same name space
    (LP: #1935040)
    - dev_forward_skb: do not scrub skb mark within the same name space

  * XPS 9510 (TGL) Screen Brightness could not be changed (LP: #1933566)
    - SAUCE: drm/i915: Force DPCD backlight mode for Dell XPS 9510(TGL)

  * Acer Aspire 5 sound driver issues (LP: #1930188)
    - ALSA: hda/realtek: headphone and mic don't work on an Acer laptop

  * Sony Dualshock 4 usb dongle crashes the whole system (LP: #1935846)
    - HID: sony: Workaround for DS4 dongle hotplug kernel crash.

  * [21.10 FEAT] KVM: Provide a secure guest indication (LP: #1933173)
    - s390/uv: add prot virt guest/host indication files
    - s390/uv: fix prot virt host indication compilation

  * Skip rtcpie test in kselftests/timers if the default RTC device does not
    exist (LP: #1937991)
    - selftests: timers: rtcpie: skip test if default RTC device does not exist

  * Focal update: v5.4.133 upstream stable release (LP: #1938713)
    - drm/mxsfb: Don't select DRM_KMS_FB_HELPER
    - drm/zte: Don't select DRM_KMS_FB_HELPER
    - drm/amd/amdgpu/sriov disable all ip hw status by default
    - drm/vc4: fix argument ordering in vc4_crtc_get_margins()
    - net: pch_gbe: Use proper accessors to BE data in pch_ptp_match()
    - drm/amd/display: fix use_max_lb flag for 420 pixel formats
    - hugetlb: clear huge pte during flush function on mips platform
    - atm: iphase: fix possible use-after-free in ia_module_exit()
    - mISDN: fix possible use-after-free in HFC_cleanup()
    - atm: nicstar: Fix possible use-after-free in nicstar_cleanup()
    - net: Treat __napi_schedule_irqoff() as __napi_schedule() on PREEMPT_RT
    - drm/mediatek: Fix PM reference leak in mtk_crtc_ddp_hw_init()
    - reiserfs: add check for invalid 1st journal block
    - drm/virtio: Fix double free on probe failure
    - dr...

Changed in linux (Ubuntu Focal):
status: Fix Committed → Fix Released