Re: Fwd: Potential data race in psmouse_interrupt
On Wed, Jul 22, 2015 at 03:14:42PM +0200, Andrey Konovalov wrote:
> Hi!
>
> We are working on a dynamic data race detector for Linux kernel called
> KernelThreadSanitizer (ktsan) (https://github.com/google/ktsan/wiki).
>
> Here is a report we got while running ktsan (upstream revision
> 21bdb584af8cca7c6df3c44cba268be050a234eb).
>
> ==
> ThreadSanitizer: data-race in psmouse_interrupt
>
> Write of size 1 by thread T1 (K1):
> [] psmouse_interrupt+0xd2/0x690
> drivers/input/mouse/psmouse-base.c:337
> [] serio_interrupt+0x66/0xb0
> drivers/input/serio/serio.c:1008
> [] i8042_interrupt+0x240/0x4d0
> drivers/input/serio/i8042.c:541
> [] handle_irq_event_percpu+0x62/0x2a0
> kernel/irq/handle.c:143
> [] handle_irq_event+0xa2/0xf0 kernel/irq/handle.c:192
> [] handle_edge_irq+0x104/0x380 kernel/irq/chip.c:608
> [< inlined>] handle_irq+0xf6/0x220 generic_handle_irq_desc
> include/linux/irqdesc.h:146
> [] handle_irq+0xf6/0x220 arch/x86/kernel/irq_64.c:81
> [] do_IRQ+0x5e/0x110 arch/x86/kernel/irq.c:223
> [] ret_from_intr+0x0/0x1f arch/x86/entry/entry_64.S:601
> [< inlined>] irq_exit+0x98/0xa0 invoke_softirq kernel/softirq.c:350
> [] irq_exit+0x98/0xa0 kernel/softirq.c:391
> [< inlined>] smp_apic_timer_interrupt+0x63/0x80 exiting_irq
> ./arch/x86/include/asm/apic.h:655
> [] smp_apic_timer_interrupt+0x63/0x80
> arch/x86/kernel/apic/apic.c:915
> [] apic_timer_interrupt+0x6b/0x70
> arch/x86/entry/entry_64.S:782
> [] kvasprintf+0x5d/0x90 lib/kasprintf.c:24
> [] kasprintf+0x4e/0x70 lib/kasprintf.c:40
> [< inlined>] module_add_driver+0x8f/0x180 make_driver_name
> drivers/base/module.c:18
> [] module_add_driver+0x8f/0x180 drivers/base/module.c:63
> [] bus_add_driver+0x204/0x340 drivers/base/bus.c:713
> [] driver_register+0xdb/0x190 drivers/base/driver.c:168
> [] __hid_register_driver+0xb6/0x100
> drivers/hid/hid-core.c:2677
> [] apple_driver_init+0x24/0x31 drivers/hid/hid-apple.c:574
> [] do_one_initcall+0xb9/0x220 init/main.c:798
> [< inlined>] kernel_init_freeable+0x2ca/0x397
> do_initcall_level init/main.c:863
> [< inlined>] kernel_init_freeable+0x2ca/0x397 do_initcalls
> init/main.c:871
> [< inlined>] kernel_init_freeable+0x2ca/0x397 do_basic_setup
> init/main.c:890
> [] kernel_init_freeable+0x2ca/0x397 init/main.c:1013
> [] kernel_init+0x16/0x140 init/main.c:941
> [] ret_from_fork+0x3f/0x70 arch/x86/entry/entry_64.S:526
> DBG: cpu = 88053fd9fe68
> DBG: cpu id = 3
>
> Previous read of size 1 by thread T509 (K506):
> [< inlined>] cypress_send_ext_cmd+0x193/0x500
> cypress_ps2_read_cmd_status drivers/input/mouse/cypress_ps2.c:123
> [] cypress_send_ext_cmd+0x193/0x500
> drivers/input/mouse/cypress_ps2.c:192
> [] cypress_detect+0x2a/0xb0
> drivers/input/mouse/cypress_ps2.c:208
> [] psmouse_extensions+0x1f6/0x4e0
> drivers/input/mouse/psmouse-base.c:849 (discriminator 1)
> [] psmouse_switch_protocol+0x2ad/0x330
> drivers/input/mouse/psmouse-base.c:1467
> [] psmouse_connect+0x2e6/0x450
> drivers/input/mouse/psmouse-base.c:1554 (discriminator 4)
> [< inlined>] serio_driver_probe+0x57/0x80
> serio_connect_driver drivers/input/serio/serio.c:65
> [] serio_driver_probe+0x57/0x80
> drivers/input/serio/serio.c:796
> [< inlined>] driver_probe_device+0x1da/0x460 really_probe
> drivers/base/dd.c:308
> [] driver_probe_device+0x1da/0x460 drivers/base/dd.c:414
> [] __driver_attach+0xc4/0xd0 drivers/base/dd.c:612
> [] bus_for_each_dev+0x93/0xe0 drivers/base/bus.c:314
> [] driver_attach+0x33/0x50 drivers/base/dd.c:631
> [< inlined>] serio_handle_event+0x2d3/0x3b0
> serio_attach_driver drivers/input/serio/serio.c:826
> [] serio_handle_event+0x2d3/0x3b0
> drivers/input/serio/serio.c:245
> [] process_one_work+0x2a9/0x6d0 kernel/workqueue.c:2036
> [] worker_thread+0xbf/0x710 kernel/workqueue.c:2170
> [] kthread+0x15c/0x180 kernel/kthread.c:207
> [] ret_from_fork+0x3f/0x70 arch/x86/entry/entry_64.S:526
> DBG: cpu = 0
>
> DBG: addr: 88019d703909
> DBG: first offset: 1, second offset: 1
> DBG: T1 clock: {T1: 17075020, T509: 142163}
> DBG: T509 clock: {T509: 142167}
> ==
>
> It seems that accessing 'psmouse->pktcnt' in
> 'psmouse->packet[psmouse->pktcnt++] = data' in 'psmouse_interrupt()'
> is racing with 'wait_event_timeout(ps2dev->wait, (psmouse->pktcnt >=
> pktsize), msecs_to_jiffies(CYTP_CMD_TIMEOUT))' in
> 'cypress_ps2_read_cmd_status()'.
> If that's the case, it's possible that 'psmouse->pktcnt' is
> incremented, but no data is written yet, so '(psmouse->pktcnt >=
> pktsize)' will evaluate to true and the following 'memcpy' will access
> invalid data.
>
> Could you confirm if this is a real data race?
Yes, looks like real positive.
Thanks.
--
Dmitry
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to
Fwd: Potential data race in psmouse_interrupt
Hi!
We are working on a dynamic data race detector for Linux kernel called
KernelThreadSanitizer (ktsan) (https://github.com/google/ktsan/wiki).
Here is a report we got while running ktsan (upstream revision
21bdb584af8cca7c6df3c44cba268be050a234eb).
==
ThreadSanitizer: data-race in psmouse_interrupt
Write of size 1 by thread T1 (K1):
[] psmouse_interrupt+0xd2/0x690
drivers/input/mouse/psmouse-base.c:337
[] serio_interrupt+0x66/0xb0 drivers/input/serio/serio.c:1008
[] i8042_interrupt+0x240/0x4d0
drivers/input/serio/i8042.c:541
[] handle_irq_event_percpu+0x62/0x2a0 kernel/irq/handle.c:143
[] handle_irq_event+0xa2/0xf0 kernel/irq/handle.c:192
[] handle_edge_irq+0x104/0x380 kernel/irq/chip.c:608
[< inlined>] handle_irq+0xf6/0x220 generic_handle_irq_desc
include/linux/irqdesc.h:146
[] handle_irq+0xf6/0x220 arch/x86/kernel/irq_64.c:81
[] do_IRQ+0x5e/0x110 arch/x86/kernel/irq.c:223
[] ret_from_intr+0x0/0x1f arch/x86/entry/entry_64.S:601
[< inlined>] irq_exit+0x98/0xa0 invoke_softirq kernel/softirq.c:350
[] irq_exit+0x98/0xa0 kernel/softirq.c:391
[< inlined>] smp_apic_timer_interrupt+0x63/0x80 exiting_irq
./arch/x86/include/asm/apic.h:655
[] smp_apic_timer_interrupt+0x63/0x80
arch/x86/kernel/apic/apic.c:915
[] apic_timer_interrupt+0x6b/0x70
arch/x86/entry/entry_64.S:782
[] kvasprintf+0x5d/0x90 lib/kasprintf.c:24
[] kasprintf+0x4e/0x70 lib/kasprintf.c:40
[< inlined>] module_add_driver+0x8f/0x180 make_driver_name
drivers/base/module.c:18
[] module_add_driver+0x8f/0x180 drivers/base/module.c:63
[] bus_add_driver+0x204/0x340 drivers/base/bus.c:713
[] driver_register+0xdb/0x190 drivers/base/driver.c:168
[] __hid_register_driver+0xb6/0x100
drivers/hid/hid-core.c:2677
[] apple_driver_init+0x24/0x31 drivers/hid/hid-apple.c:574
[] do_one_initcall+0xb9/0x220 init/main.c:798
[< inlined>] kernel_init_freeable+0x2ca/0x397
do_initcall_level init/main.c:863
[< inlined>] kernel_init_freeable+0x2ca/0x397 do_initcalls
init/main.c:871
[< inlined>] kernel_init_freeable+0x2ca/0x397 do_basic_setup
init/main.c:890
[] kernel_init_freeable+0x2ca/0x397 init/main.c:1013
[] kernel_init+0x16/0x140 init/main.c:941
[] ret_from_fork+0x3f/0x70 arch/x86/entry/entry_64.S:526
DBG: cpu = 88053fd9fe68
DBG: cpu id = 3
Previous read of size 1 by thread T509 (K506):
[< inlined>] cypress_send_ext_cmd+0x193/0x500
cypress_ps2_read_cmd_status drivers/input/mouse/cypress_ps2.c:123
[] cypress_send_ext_cmd+0x193/0x500
drivers/input/mouse/cypress_ps2.c:192
[] cypress_detect+0x2a/0xb0
drivers/input/mouse/cypress_ps2.c:208
[] psmouse_extensions+0x1f6/0x4e0
drivers/input/mouse/psmouse-base.c:849 (discriminator 1)
[] psmouse_switch_protocol+0x2ad/0x330
drivers/input/mouse/psmouse-base.c:1467
[] psmouse_connect+0x2e6/0x450
drivers/input/mouse/psmouse-base.c:1554 (discriminator 4)
[< inlined>] serio_driver_probe+0x57/0x80
serio_connect_driver drivers/input/serio/serio.c:65
[] serio_driver_probe+0x57/0x80
drivers/input/serio/serio.c:796
[< inlined>] driver_probe_device+0x1da/0x460 really_probe
drivers/base/dd.c:308
[] driver_probe_device+0x1da/0x460 drivers/base/dd.c:414
[] __driver_attach+0xc4/0xd0 drivers/base/dd.c:612
[] bus_for_each_dev+0x93/0xe0 drivers/base/bus.c:314
[] driver_attach+0x33/0x50 drivers/base/dd.c:631
[< inlined>] serio_handle_event+0x2d3/0x3b0
serio_attach_driver drivers/input/serio/serio.c:826
[] serio_handle_event+0x2d3/0x3b0
drivers/input/serio/serio.c:245
[] process_one_work+0x2a9/0x6d0 kernel/workqueue.c:2036
[] worker_thread+0xbf/0x710 kernel/workqueue.c:2170
[] kthread+0x15c/0x180 kernel/kthread.c:207
[] ret_from_fork+0x3f/0x70 arch/x86/entry/entry_64.S:526
DBG: cpu = 0
DBG: addr: 88019d703909
DBG: first offset: 1, second offset: 1
DBG: T1 clock: {T1: 17075020, T509: 142163}
DBG: T509 clock: {T509: 142167}
==
It seems that accessing 'psmouse->pktcnt' in
'psmouse->packet[psmouse->pktcnt++] = data' in 'psmouse_interrupt()'
is racing with 'wait_event_timeout(ps2dev->wait, (psmouse->pktcnt >=
pktsize), msecs_to_jiffies(CYTP_CMD_TIMEOUT))' in
'cypress_ps2_read_cmd_status()'.
If that's the case, it's possible that 'psmouse->pktcnt' is
incremented, but no data is written yet, so '(psmouse->pktcnt >=
pktsize)' will evaluate to true and the following 'memcpy' will access
invalid data.
Could you confirm if this is a real data race?
Thanks in advance!
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majord...@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
Re: Fwd: Potential data race in psmouse_interrupt
On Wed, Jul 22, 2015 at 03:14:42PM +0200, Andrey Konovalov wrote:
Hi!
We are working on a dynamic data race detector for Linux kernel called
KernelThreadSanitizer (ktsan) (https://github.com/google/ktsan/wiki).
Here is a report we got while running ktsan (upstream revision
21bdb584af8cca7c6df3c44cba268be050a234eb).
==
ThreadSanitizer: data-race in psmouse_interrupt
Write of size 1 by thread T1 (K1):
[819d5272] psmouse_interrupt+0xd2/0x690
drivers/input/mouse/psmouse-base.c:337
[819bcd16] serio_interrupt+0x66/0xb0
drivers/input/serio/serio.c:1008
[819be5f0] i8042_interrupt+0x240/0x4d0
drivers/input/serio/i8042.c:541
[810f03b2] handle_irq_event_percpu+0x62/0x2a0
kernel/irq/handle.c:143
[810f0692] handle_irq_event+0xa2/0xf0 kernel/irq/handle.c:192
[810f5414] handle_edge_irq+0x104/0x380 kernel/irq/chip.c:608
[ inlined] handle_irq+0xf6/0x220 generic_handle_irq_desc
include/linux/irqdesc.h:146
[81009f86] handle_irq+0xf6/0x220 arch/x86/kernel/irq_64.c:81
[810093ce] do_IRQ+0x5e/0x110 arch/x86/kernel/irq.c:223
[81e726ab] ret_from_intr+0x0/0x1f arch/x86/entry/entry_64.S:601
[ inlined] irq_exit+0x98/0xa0 invoke_softirq kernel/softirq.c:350
[8108edd8] irq_exit+0x98/0xa0 kernel/softirq.c:391
[ inlined] smp_apic_timer_interrupt+0x63/0x80 exiting_irq
./arch/x86/include/asm/apic.h:655
[8105c503] smp_apic_timer_interrupt+0x63/0x80
arch/x86/kernel/apic/apic.c:915
[81e7299b] apic_timer_interrupt+0x6b/0x70
arch/x86/entry/entry_64.S:782
[8153223d] kvasprintf+0x5d/0x90 lib/kasprintf.c:24
[815322be] kasprintf+0x4e/0x70 lib/kasprintf.c:40
[ inlined] module_add_driver+0x8f/0x180 make_driver_name
drivers/base/module.c:18
[8183059f] module_add_driver+0x8f/0x180 drivers/base/module.c:63
[81812c94] bus_add_driver+0x204/0x340 drivers/base/bus.c:713
[81814e2b] driver_register+0xdb/0x190 drivers/base/driver.c:168
[81a5ed16] __hid_register_driver+0xb6/0x100
drivers/hid/hid-core.c:2677
[825ab67d] apple_driver_init+0x24/0x31 drivers/hid/hid-apple.c:574
[81000339] do_one_initcall+0xb9/0x220 init/main.c:798
[ inlined] kernel_init_freeable+0x2ca/0x397
do_initcall_level init/main.c:863
[ inlined] kernel_init_freeable+0x2ca/0x397 do_initcalls
init/main.c:871
[ inlined] kernel_init_freeable+0x2ca/0x397 do_basic_setup
init/main.c:890
[8253d919] kernel_init_freeable+0x2ca/0x397 init/main.c:1013
[81e5ad66] kernel_init+0x16/0x140 init/main.c:941
[81e71f5f] ret_from_fork+0x3f/0x70 arch/x86/entry/entry_64.S:526
DBG: cpu = 88053fd9fe68
DBG: cpu id = 3
Previous read of size 1 by thread T509 (K506):
[ inlined] cypress_send_ext_cmd+0x193/0x500
cypress_ps2_read_cmd_status drivers/input/mouse/cypress_ps2.c:123
[819e6b23] cypress_send_ext_cmd+0x193/0x500
drivers/input/mouse/cypress_ps2.c:192
[819e6f5a] cypress_detect+0x2a/0xb0
drivers/input/mouse/cypress_ps2.c:208
[819d5e66] psmouse_extensions+0x1f6/0x4e0
drivers/input/mouse/psmouse-base.c:849 (discriminator 1)
[819d63fd] psmouse_switch_protocol+0x2ad/0x330
drivers/input/mouse/psmouse-base.c:1467
[819d7426] psmouse_connect+0x2e6/0x450
drivers/input/mouse/psmouse-base.c:1554 (discriminator 4)
[ inlined] serio_driver_probe+0x57/0x80
serio_connect_driver drivers/input/serio/serio.c:65
[819bcf77] serio_driver_probe+0x57/0x80
drivers/input/serio/serio.c:796
[ inlined] driver_probe_device+0x1da/0x460 really_probe
drivers/base/dd.c:308
[81813b1a] driver_probe_device+0x1da/0x460 drivers/base/dd.c:414
[81813e64] __driver_attach+0xc4/0xd0 drivers/base/dd.c:612
[81810933] bus_for_each_dev+0x93/0xe0 drivers/base/bus.c:314
[81813353] driver_attach+0x33/0x50 drivers/base/dd.c:631
[ inlined] serio_handle_event+0x2d3/0x3b0
serio_attach_driver drivers/input/serio/serio.c:826
[819bd8e3] serio_handle_event+0x2d3/0x3b0
drivers/input/serio/serio.c:245
[810adcf9] process_one_work+0x2a9/0x6d0 kernel/workqueue.c:2036
[810aeddf] worker_thread+0xbf/0x710 kernel/workqueue.c:2170
[810b700c] kthread+0x15c/0x180 kernel/kthread.c:207
[81e71f5f] ret_from_fork+0x3f/0x70 arch/x86/entry/entry_64.S:526
DBG: cpu = 0
DBG: addr: 88019d703909
DBG: first offset: 1, second offset: 1
DBG: T1 clock: {T1: 17075020, T509: 142163}
DBG: T509 clock: {T509: 142167}
==
It seems that accessing 'psmouse-pktcnt' in
'psmouse-packet[psmouse-pktcnt++] = data' in 'psmouse_interrupt()'
is racing with 'wait_event_timeout(ps2dev-wait, (psmouse-pktcnt =
pktsize),
Fwd: Potential data race in psmouse_interrupt
Hi!
We are working on a dynamic data race detector for Linux kernel called
KernelThreadSanitizer (ktsan) (https://github.com/google/ktsan/wiki).
Here is a report we got while running ktsan (upstream revision
21bdb584af8cca7c6df3c44cba268be050a234eb).
==
ThreadSanitizer: data-race in psmouse_interrupt
Write of size 1 by thread T1 (K1):
[819d5272] psmouse_interrupt+0xd2/0x690
drivers/input/mouse/psmouse-base.c:337
[819bcd16] serio_interrupt+0x66/0xb0 drivers/input/serio/serio.c:1008
[819be5f0] i8042_interrupt+0x240/0x4d0
drivers/input/serio/i8042.c:541
[810f03b2] handle_irq_event_percpu+0x62/0x2a0 kernel/irq/handle.c:143
[810f0692] handle_irq_event+0xa2/0xf0 kernel/irq/handle.c:192
[810f5414] handle_edge_irq+0x104/0x380 kernel/irq/chip.c:608
[ inlined] handle_irq+0xf6/0x220 generic_handle_irq_desc
include/linux/irqdesc.h:146
[81009f86] handle_irq+0xf6/0x220 arch/x86/kernel/irq_64.c:81
[810093ce] do_IRQ+0x5e/0x110 arch/x86/kernel/irq.c:223
[81e726ab] ret_from_intr+0x0/0x1f arch/x86/entry/entry_64.S:601
[ inlined] irq_exit+0x98/0xa0 invoke_softirq kernel/softirq.c:350
[8108edd8] irq_exit+0x98/0xa0 kernel/softirq.c:391
[ inlined] smp_apic_timer_interrupt+0x63/0x80 exiting_irq
./arch/x86/include/asm/apic.h:655
[8105c503] smp_apic_timer_interrupt+0x63/0x80
arch/x86/kernel/apic/apic.c:915
[81e7299b] apic_timer_interrupt+0x6b/0x70
arch/x86/entry/entry_64.S:782
[8153223d] kvasprintf+0x5d/0x90 lib/kasprintf.c:24
[815322be] kasprintf+0x4e/0x70 lib/kasprintf.c:40
[ inlined] module_add_driver+0x8f/0x180 make_driver_name
drivers/base/module.c:18
[8183059f] module_add_driver+0x8f/0x180 drivers/base/module.c:63
[81812c94] bus_add_driver+0x204/0x340 drivers/base/bus.c:713
[81814e2b] driver_register+0xdb/0x190 drivers/base/driver.c:168
[81a5ed16] __hid_register_driver+0xb6/0x100
drivers/hid/hid-core.c:2677
[825ab67d] apple_driver_init+0x24/0x31 drivers/hid/hid-apple.c:574
[81000339] do_one_initcall+0xb9/0x220 init/main.c:798
[ inlined] kernel_init_freeable+0x2ca/0x397
do_initcall_level init/main.c:863
[ inlined] kernel_init_freeable+0x2ca/0x397 do_initcalls
init/main.c:871
[ inlined] kernel_init_freeable+0x2ca/0x397 do_basic_setup
init/main.c:890
[8253d919] kernel_init_freeable+0x2ca/0x397 init/main.c:1013
[81e5ad66] kernel_init+0x16/0x140 init/main.c:941
[81e71f5f] ret_from_fork+0x3f/0x70 arch/x86/entry/entry_64.S:526
DBG: cpu = 88053fd9fe68
DBG: cpu id = 3
Previous read of size 1 by thread T509 (K506):
[ inlined] cypress_send_ext_cmd+0x193/0x500
cypress_ps2_read_cmd_status drivers/input/mouse/cypress_ps2.c:123
[819e6b23] cypress_send_ext_cmd+0x193/0x500
drivers/input/mouse/cypress_ps2.c:192
[819e6f5a] cypress_detect+0x2a/0xb0
drivers/input/mouse/cypress_ps2.c:208
[819d5e66] psmouse_extensions+0x1f6/0x4e0
drivers/input/mouse/psmouse-base.c:849 (discriminator 1)
[819d63fd] psmouse_switch_protocol+0x2ad/0x330
drivers/input/mouse/psmouse-base.c:1467
[819d7426] psmouse_connect+0x2e6/0x450
drivers/input/mouse/psmouse-base.c:1554 (discriminator 4)
[ inlined] serio_driver_probe+0x57/0x80
serio_connect_driver drivers/input/serio/serio.c:65
[819bcf77] serio_driver_probe+0x57/0x80
drivers/input/serio/serio.c:796
[ inlined] driver_probe_device+0x1da/0x460 really_probe
drivers/base/dd.c:308
[81813b1a] driver_probe_device+0x1da/0x460 drivers/base/dd.c:414
[81813e64] __driver_attach+0xc4/0xd0 drivers/base/dd.c:612
[81810933] bus_for_each_dev+0x93/0xe0 drivers/base/bus.c:314
[81813353] driver_attach+0x33/0x50 drivers/base/dd.c:631
[ inlined] serio_handle_event+0x2d3/0x3b0
serio_attach_driver drivers/input/serio/serio.c:826
[819bd8e3] serio_handle_event+0x2d3/0x3b0
drivers/input/serio/serio.c:245
[810adcf9] process_one_work+0x2a9/0x6d0 kernel/workqueue.c:2036
[810aeddf] worker_thread+0xbf/0x710 kernel/workqueue.c:2170
[810b700c] kthread+0x15c/0x180 kernel/kthread.c:207
[81e71f5f] ret_from_fork+0x3f/0x70 arch/x86/entry/entry_64.S:526
DBG: cpu = 0
DBG: addr: 88019d703909
DBG: first offset: 1, second offset: 1
DBG: T1 clock: {T1: 17075020, T509: 142163}
DBG: T509 clock: {T509: 142167}
==
It seems that accessing 'psmouse-pktcnt' in
'psmouse-packet[psmouse-pktcnt++] = data' in 'psmouse_interrupt()'
is racing with 'wait_event_timeout(ps2dev-wait, (psmouse-pktcnt =
pktsize), msecs_to_jiffies(CYTP_CMD_TIMEOUT))' in
'cypress_ps2_read_cmd_status()'.
If that's the case, it's possible that 'psmouse-pktcnt' is
incremented, but no data is written yet, so '(psmouse-pktcnt =
