On Wed, 18 Aug 2010 10:16:24 +0200 (CEST) Jiri Kosina <jkosina@xxxxxxx> wrote: > On Tue, 17 Aug 2010, Stephen Hemminger wrote: > > > Running last-week kernel, saw this in the log every time I flip my KVM switch. > > > > > > Aug 17 14:29:10 nehalam kernel: [ 7523.675554] input: Belkin Corporation Flip CC as /devices/pci0000:00/0000:00:1d.7/usb2/2-1/2-1.1/2-1.1:1.0/input/input27 > > Aug 17 14:29:10 nehalam kernel: [ 7523.675701] belkin 0003:050D:3201.0019: input,hiddev0,hidraw4: USB HID v1.10 Device [Belkin Corporation Flip CC] on usb-0000:00:1d.7-1.1/input0 > > Aug 17 14:29:10 nehalam kernel: [ 7523.723485] usb 2-1.4: USB disconnect, address 20 > > Aug 17 14:29:11 nehalam kernel: [ 7524.235309] usb 2-1.3: USB disconnect, address 21 > > Aug 17 14:42:46 nehalam kernel: [ 8338.552566] usb 2-1.1: USB disconnect, address 22 > > Aug 17 14:42:46 nehalam kernel: [ 8338.552614] ------------[ cut here ]------------ > > Aug 17 14:42:46 nehalam kernel: [ 8338.552620] WARNING: at lib/kobject.c:595 kobject_put+0x50/0x60() > > Aug 17 14:42:46 nehalam kernel: [ 8338.552623] Hardware name: System Product Name > > Aug 17 14:42:46 nehalam kernel: [ 8338.552625] kobject: '(null)' (ffff88017177d898): is not initialized, yet kobject_put() is being called. > > Aug 17 14:42:46 nehalam kernel: [ 8338.552628] Modules linked in: hid_belkin sha1_generic arc4 ppp_mppe ppp_async crc_ccitt autofs4 binfmt_misc ipt_MASQUERADE iptable_nat nf_nat nf_conntrack_ipv4 nf_defrag_ipv4 xt_state nf_conntrack ipt_REJECT xt_tcpudp iptable_filter ip_tables x_tables bridge stp llc kvm_intel kvm radeon ttm drm_kms_helper drm i2c_algo_bit snd_hda_codec_analog ipv6 snd_hda_intel snd_hda_codec snd_hwdep snd_pcm_oss snd_mixer_oss snd_pcm snd_seq_dummy snd_seq_oss snd_seq_midi snd_rawmidi snd_seq_midi_event snd_seq snd_timer snd_seq_device asus_atk0110 snd psmouse serio_raw soundcore snd_page_alloc usbhid mvsas libsas scsi_transport_sas floppy sky2 e1000e > > Aug 17 14:42:46 nehalam kernel: [ 8338.552678] Pid: 69, comm: khubd Tainted: G W 2.6.35+ #35 > > Aug 17 14:42:46 nehalam kernel: [ 8338.552680] Call Trace: > > Aug 17 14:42:46 nehalam kernel: [ 8338.552687] [<ffffffff8104821a>] warn_slowpath_common+0x7a/0xb0 > > Aug 17 14:42:46 nehalam kernel: [ 8338.552693] [<ffffffff810482f1>] warn_slowpath_fmt+0x41/0x50 > > Aug 17 14:42:46 nehalam kernel: [ 8338.552697] [<ffffffff81249db0>] kobject_put+0x50/0x60 > > Aug 17 14:42:46 nehalam kernel: [ 8338.552701] [<ffffffff812f3592>] put_device+0x12/0x20 > > Aug 17 14:42:46 nehalam kernel: [ 8338.552706] [<ffffffff813b95b3>] hid_destroy_device+0x43/0x50 > > Aug 17 14:42:46 nehalam kernel: [ 8338.552713] [<ffffffffa0044a06>] usbhid_disconnect+0x26/0x50 [usbhid] > > Aug 17 14:42:46 nehalam kernel: [ 8338.552719] [<ffffffff81378a35>] usb_unbind_interface+0x55/0x1a0 > > Aug 17 14:42:46 nehalam kernel: [ 8338.552725] [<ffffffff812f73d0>] __device_release_driver+0x70/0xe0 > > Aug 17 14:42:46 nehalam kernel: [ 8338.552730] [<ffffffff812f7538>] device_release_driver+0x28/0x40 > > Aug 17 14:42:46 nehalam kernel: [ 8338.552734] [<ffffffff812f64e9>] bus_remove_device+0xa9/0xe0 > > Aug 17 14:42:46 nehalam kernel: [ 8338.552737] [<ffffffff812f41e7>] device_del+0x127/0x1d0 > > Aug 17 14:42:46 nehalam kernel: [ 8338.552742] [<ffffffff813753c7>] usb_disable_device+0xa7/0x130 > > Aug 17 14:42:46 nehalam kernel: [ 8338.552745] [<ffffffff8136e941>] usb_disconnect+0x91/0x130 > > Aug 17 14:42:46 nehalam kernel: [ 8338.552749] [<ffffffff8136ffdc>] hub_thread+0x48c/0x1220 > > Aug 17 14:42:46 nehalam kernel: [ 8338.552754] [<ffffffff81040651>] ? dequeue_entity+0x1a1/0x1e0 > > Aug 17 14:42:46 nehalam kernel: [ 8338.552759] [<ffffffff810661f0>] ? autoremove_wake_function+0x0/0x40 > > Aug 17 14:42:46 nehalam kernel: [ 8338.552763] [<ffffffff8136fb50>] ? hub_thread+0x0/0x1220 > > Aug 17 14:42:46 nehalam kernel: [ 8338.552766] [<ffffffff81065cfe>] kthread+0x8e/0xa0 > > Aug 17 14:42:46 nehalam kernel: [ 8338.552771] [<ffffffff81003454>] kernel_thread_helper+0x4/0x10 > > Aug 17 14:42:46 nehalam kernel: [ 8338.552775] [<ffffffff81065c70>] ? kthread+0x0/0xa0 > > Aug 17 14:42:46 nehalam kernel: [ 8338.552778] [<ffffffff81003450>] ? kernel_thread_helper+0x0/0x10 > > Aug 17 14:42:46 nehalam kernel: [ 8338.552781] ---[ end trace 2721da84d6efea62 ]--- > > Hi Stephen, > > I have the patch below queued in my tree, and I am planning to push it to > Linus soon. It will almost certainly fix your issue, but I'll appreciate > if you can confirm that. Thanks. > > commit 9c9e54a8df0be48aa359744f412377cc55c3b7d2 > Author: Jiri Kosina <jkosina@xxxxxxx> > Date: Fri Aug 13 12:19:45 2010 +0200 > > HID: hiddev: fix memory corruption due to invalid intfdata > > Commit bd25f4dd6972755579d0 ("HID: hiddev: use usb_find_interface, > get rid of BKL") introduced using of private intfdata in hiddev for > purpose of storing hiddev pointer. > > This is a problem, because intf pointer is already being set to struct > hid_device pointer by HID core. This obviously lead to memory corruptions > at device disconnect time, such as > > WARNING: at lib/kobject.c:595 kobject_put+0x37/0x4b() > kobject: '(null)' (ffff88011e9cd898): is not initialized, yet kobject_put() is being called. > > Convert hiddev into accessing hiddev through struct hid_device which is > in intfdata already. > > Reported-and-tested-by: Markus Trippelsdorf <markus@xxxxxxxxxxxxxxx> > Reported-and-tested-by: Heinz Diehl <htd@xxxxxxxxxx> > Reported-and-tested-by: Alan Ott <alan@xxxxxxxxxxx> > Signed-off-by: Jiri Kosina <jkosina@xxxxxxx> > > diff --git a/drivers/hid/usbhid/hiddev.c b/drivers/hid/usbhid/hiddev.c > index f285017..0a29c51 100644 > --- a/drivers/hid/usbhid/hiddev.c > +++ b/drivers/hid/usbhid/hiddev.c > @@ -266,13 +266,15 @@ static int hiddev_open(struct inode *inode, struct file *file) > { > struct hiddev_list *list; > struct usb_interface *intf; > + struct hid_device *hid; > struct hiddev *hiddev; > int res; > > intf = usb_find_interface(&hiddev_driver, iminor(inode)); > if (!intf) > return -ENODEV; > - hiddev = usb_get_intfdata(intf); > + hid = usb_get_intfdata(intf); > + hiddev = hid->hiddev; > > if (!(list = kzalloc(sizeof(struct hiddev_list), GFP_KERNEL))) > return -ENOMEM; > @@ -890,7 +892,6 @@ int hiddev_connect(struct hid_device *hid, unsigned int force) > hid->hiddev = hiddev; > hiddev->hid = hid; > hiddev->exist = 1; > - usb_set_intfdata(usbhid->intf, usbhid); > retval = usb_register_dev(usbhid->intf, &hiddev_class); > if (retval) { > err_hid("Not able to get a minor for this device."); > I don't see any more errors when using the patch. Reported-and-tested-by: Stephen Hemminger <shemminger@xxxxxxxxxx> -- To unsubscribe from this list: send the line "unsubscribe linux-usb" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html