Synaptics RMI4 - accessing /dev/v4l-touch0 breaks everything
From: Mantas MikulÄnas
Date: Fri Feb 22 2019 - 01:07:48 EST
Hello,
I have a laptop with a Synaptics touchpad via RMI4/i2c-hid. I noticed
that it is also exposed as a "/dev/v4l-touch0" device
(/sys/devices/rmi4-00/rmi4-00.fn54/video4linux/v4l-touch0).
Because it has "v4l" in its name, I was stupid enough to run the `mpv`
video player on it. Now I have a dmesg full of errors, and don't have a
touchpad anymore (until rebooting).
Of course, I didn't really expect it to do anything useful, but somewhat
more concerning is that I got this kind of kernel messages instead:
"BUG: unable to handle kernel NULL pointer dereference"
"kernel tried to execute NX-protected page - exploit attempt? (uid: 0)"
"BUG: unable to handle kernel paging request"
"Fixing recursive fault but reboot is needed"
The full dmesg output generated by `mpv /dev/v4l-touch0` is:
---
[ 36.018308] BUG: unable to handle kernel NULL pointer dereference at
0000000000000000
[ 36.018313] PGD 0 P4D 0
[ 36.018316] Oops: 0010 [#1] PREEMPT SMP PTI
[ 36.018318] CPU: 2 PID: 509 Comm: irq/51-i2c_hid Not tainted
4.20.11-arch1-1-ARCH #1
[ 36.018319] Hardware name: Dell Inc. Inspiron 5547/06X5CY, BIOS A10
08/25/2016
[ 36.018321] RIP: 0010: (null)
[ 36.018324] Code: Bad RIP value.
[ 36.018325] RSP: 0000:ffffb9bd414dfe28 EFLAGS: 00010286
[ 36.018327] RAX: 0000000000000000 RBX: ffffffff86421e00 RCX:
0000000000000000
[ 36.018328] RDX: 0000000000000000 RSI: 0000000000000000 RDI:
0000000000000000
[ 36.018329] RBP: 0000000000000000 R08: ffff9a8d56802238 R09:
ffff9a8d56802260
[ 36.018330] R10: 0000000000000000 R11: ffffffff864507a8 R12:
ffff9a8d56d17c00
[ 36.018331] R13: ffff9a8d56d17ce4 R14: ffff9a8d51f69ee4 R15:
ffff9a8d43edbc80
[ 36.018332] FS: 0000000000000000(0000) GS:ffff9a8d57080000(0000)
knlGS:0000000000000000
[ 36.018333] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 36.018334] CR2: ffffffffffffffd6 CR3: 0000000205bb8004 CR4:
00000000001606e0
[ 36.018335] Call Trace:
[ 36.018340] ? handle_nested_irq+0xb3/0x110
[ 36.018347] ? rmi_process_interrupt_requests+0x7d/0x110 [rmi_core]
[ 36.018349] ? rmi_irq_fn+0x5f/0xe0 [rmi_core]
[ 36.018351] ? irq_forced_thread_fn+0x70/0x70
[ 36.018353] ? irq_thread_fn+0x1f/0x60
[ 36.018354] ? irq_thread+0xe7/0x160
[ 36.018355] ? wake_threads_waitq+0x30/0x30
[ 36.018357] ? irq_thread_dtor+0x80/0x80
[ 36.018359] ? kthread+0x112/0x130
[ 36.018361] ? kthread_park+0x80/0x80
[ 36.018364] ? ret_from_fork+0x1f/0x40
[ 36.018367] Modules linked in: fuse rfcomm nft_reject_inet
nf_reject_ipv4 nf_reject_ipv6 nft_reject nft_ct bnep btusb btrtl btbcm
btintel bluetooth rtsx_usb_ms nf_tables_set ecdh_generic nf_tables
joydev mousedev amdgpu arc4 hid_rmi rmi_core videobuf2_vmalloc
videobuf2_memops videobuf2_v4l2 videobuf2_common videodev
intel_spi_platform intel_spi spi_nor iTCO_wdt mtd iTCO_vendor_support
wmi_bmof dell_wmi iwlmvm sparse_keymap media mac80211
snd_hda_codec_realtek snd_hda_codec_hdmi snd_hda_codec_generic
dell_laptop intel_rapl snd_hda_intel dell_smbios x86_pkg_temp_thermal
intel_powerclamp iwlwifi coretemp snd_hda_codec dell_wmi_descriptor
kvm_intel dcdbas dell_smm_hwmon snd_hda_core intel_cstate input_leds
snd_hwdep intel_uncore snd_pcm chash amd_iommu_v2 psmouse
intel_rapl_perf cfg80211 pcspkr gpu_sched ttm snd_timer r8169 mei_me
realtek snd mei soundcore lpc_ich i2c_i801 wmi battery ac gpio_lynxpoint
i2c_hid dell_rbtn evdev rfkill mac_hid pcc_cpufreq tcp_lp cdc_acm pl2303
[ 36.018393] nf_conntrack_netlink nfnetlink nf_conntrack
nf_defrag_ipv6 nf_defrag_ipv4 libcrc32c rndis_host cdc_ether
ax88179_178a asix usbnet mii libphy tun sit tunnel4 ip_tunnel 8021q garp
mrp stp llc cifs ccm dns_resolver fscache nls_utf8 nls_iso8859_1
nls_cp437 vfat fat udf crc_itu_t isofs mspro_block ms_block memstick
mmc_block ums_cypress sr_mod cdrom uas usb_storage loop msr sg
crypto_user ip_tables x_tables ext4 crc32c_generic crc16 mbcache jbd2
fscrypto algif_skcipher af_alg rtsx_usb_sdmmc mmc_core rtsx_usb
hid_generic usbhid hid dm_crypt dm_mod sd_mod crct10dif_pclmul
crc32_pclmul crc32c_intel ghash_clmulni_intel serio_raw atkbd libps2
ahci libahci libata aesni_intel ehci_pci xhci_pci aes_x86_64 crypto_simd
cryptd glue_helper scsi_mod xhci_hcd ehci_hcd i8042 serio i915 kvmgt
vfio_mdev mdev vfio_iommu_type1 vfio kvm irqbypass intel_gtt
i2c_algo_bit drm_kms_helper syscopyarea sysfillrect sysimgblt
fb_sys_fops drm agpgart
[ 36.018433] CR2: 0000000000000000
[ 36.018435] ---[ end trace 5fe08f697d858ed0 ]---
[ 36.018436] RIP: 0010: (null)
[ 36.018438] Code: Bad RIP value.
[ 36.018439] RSP: 0000:ffffb9bd414dfe28 EFLAGS: 00010286
[ 36.018441] RAX: 0000000000000000 RBX: ffffffff86421e00 RCX:
0000000000000000
[ 36.018442] RDX: 0000000000000000 RSI: 0000000000000000 RDI:
0000000000000000
[ 36.018443] RBP: 0000000000000000 R08: ffff9a8d56802238 R09:
ffff9a8d56802260
[ 36.018444] R10: 0000000000000000 R11: ffffffff864507a8 R12:
ffff9a8d56d17c00
[ 36.018445] R13: ffff9a8d56d17ce4 R14: ffff9a8d51f69ee4 R15:
ffff9a8d43edbc80
[ 36.018446] FS: 0000000000000000(0000) GS:ffff9a8d57080000(0000)
knlGS:0000000000000000
[ 36.018447] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 36.018448] CR2: ffffffffffffffd6 CR3: 0000000205bb8004 CR4:
00000000001606e0
[ 36.018455] kernel tried to execute NX-protected page - exploit
attempt? (uid: 0)
[ 36.018456] BUG: unable to handle kernel paging request at
ffff9a8d43edbc01
[ 36.018457] PGD 22d801067 P4D 22d801067 PUD 22d805067 PMD 243f2d063
PTE 8000000243edb063
[ 36.018459] Oops: 0011 [#2] PREEMPT SMP PTI
[ 36.018461] CPU: 2 PID: 509 Comm: irq/51-i2c_hid Tainted: G D
4.20.11-arch1-1-ARCH #1
[ 36.018462] Hardware name: Dell Inc. Inspiron 5547/06X5CY, BIOS A10
08/25/2016
[ 36.018464] RIP: 0010:0xffff9a8d43edbc01
[ 36.018465] Code: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 <00> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 36.018466] RSP: 0000:ffffb9bd414dfea0 EFLAGS: 00010282
[ 36.018467] RAX: ffffb9bd414dfec8 RBX: ffff9a8d43edc400 RCX:
0000000000000000
[ 36.018468] RDX: ffff9a8d43edbc01 RSI: 0000000000000000 RDI:
ffffb9bd414dfec8
[ 36.018469] RBP: 0000000000000000 R08: 0000000000000000 R09:
0000000000000000
[ 36.018470] R10: ffffe28c8912ec00 R11: ffffffff86a50fcd R12:
ffff9a8d43edbc80
[ 36.018471] R13: ffffffff86a49f10 R14: 0000000000000000 R15:
ffff9a8d43edc434
[ 36.018472] FS: 0000000000000000(0000) GS:ffff9a8d57080000(0000)
knlGS:0000000000000000
[ 36.018473] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 36.018474] CR2: ffff9a8d43edbc01 CR3: 0000000205bb8004 CR4:
00000000001606e0
[ 36.018475] Call Trace:
[ 36.018477] ? task_work_run+0x8f/0xb0
[ 36.018481] ? do_exit+0x3a3/0xb60
[ 36.018483] ? irq_thread_dtor+0x80/0x80
[ 36.018485] ? kthread+0x112/0x130
[ 36.018488] ? rewind_stack_do_exit+0x17/0x20
[ 36.018490] Modules linked in: fuse rfcomm nft_reject_inet
nf_reject_ipv4 nf_reject_ipv6 nft_reject nft_ct bnep btusb btrtl btbcm
btintel bluetooth rtsx_usb_ms nf_tables_set ecdh_generic nf_tables
joydev mousedev amdgpu arc4 hid_rmi rmi_core videobuf2_vmalloc
videobuf2_memops videobuf2_v4l2 videobuf2_common videodev
intel_spi_platform intel_spi spi_nor iTCO_wdt mtd iTCO_vendor_support
wmi_bmof dell_wmi iwlmvm sparse_keymap media mac80211
snd_hda_codec_realtek snd_hda_codec_hdmi snd_hda_codec_generic
dell_laptop intel_rapl snd_hda_intel dell_smbios x86_pkg_temp_thermal
intel_powerclamp iwlwifi coretemp snd_hda_codec dell_wmi_descriptor
kvm_intel dcdbas dell_smm_hwmon snd_hda_core intel_cstate input_leds
snd_hwdep intel_uncore snd_pcm chash amd_iommu_v2 psmouse
intel_rapl_perf cfg80211 pcspkr gpu_sched ttm snd_timer r8169 mei_me
realtek snd mei soundcore lpc_ich i2c_i801 wmi battery ac gpio_lynxpoint
i2c_hid dell_rbtn evdev rfkill mac_hid pcc_cpufreq tcp_lp cdc_acm pl2303
[ 36.018508] nf_conntrack_netlink nfnetlink nf_conntrack
nf_defrag_ipv6 nf_defrag_ipv4 libcrc32c rndis_host cdc_ether
ax88179_178a asix usbnet mii libphy tun sit tunnel4 ip_tunnel 8021q garp
mrp stp llc cifs ccm dns_resolver fscache nls_utf8 nls_iso8859_1
nls_cp437 vfat fat udf crc_itu_t isofs mspro_block ms_block memstick
mmc_block ums_cypress sr_mod cdrom uas usb_storage loop msr sg
crypto_user ip_tables x_tables ext4 crc32c_generic crc16 mbcache jbd2
fscrypto algif_skcipher af_alg rtsx_usb_sdmmc mmc_core rtsx_usb
hid_generic usbhid hid dm_crypt dm_mod sd_mod crct10dif_pclmul
crc32_pclmul crc32c_intel ghash_clmulni_intel serio_raw atkbd libps2
ahci libahci libata aesni_intel ehci_pci xhci_pci aes_x86_64 crypto_simd
cryptd glue_helper scsi_mod xhci_hcd ehci_hcd i8042 serio i915 kvmgt
vfio_mdev mdev vfio_iommu_type1 vfio kvm irqbypass intel_gtt
i2c_algo_bit drm_kms_helper syscopyarea sysfillrect sysimgblt
fb_sys_fops drm agpgart
[ 36.018530] CR2: ffff9a8d43edbc01
[ 36.018531] ---[ end trace 5fe08f697d858ed1 ]---
[ 36.018532] RIP: 0010: (null)
[ 36.018534] Code: Bad RIP value.
[ 36.018535] RSP: 0000:ffffb9bd414dfe28 EFLAGS: 00010286
[ 36.018536] RAX: 0000000000000000 RBX: ffffffff86421e00 RCX:
0000000000000000
[ 36.018537] RDX: 0000000000000000 RSI: 0000000000000000 RDI:
0000000000000000
[ 36.018538] RBP: 0000000000000000 R08: ffff9a8d56802238 R09:
ffff9a8d56802260
[ 36.018539] R10: 0000000000000000 R11: ffffffff864507a8 R12:
ffff9a8d56d17c00
[ 36.018540] R13: ffff9a8d56d17ce4 R14: ffff9a8d51f69ee4 R15:
ffff9a8d43edbc80
[ 36.018541] FS: 0000000000000000(0000) GS:ffff9a8d57080000(0000)
knlGS:0000000000000000
[ 36.018542] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 36.018543] CR2: ffffffffffffffd6 CR3: 0000000205bb8004 CR4:
00000000001606e0
[ 36.018544] Fixing recursive fault but reboot is needed!
[ 37.015459] rmi4_f54 rmi4-00.fn54: Timed out
[ 37.042105] hid-rmi 0018:06CB:2934.0003: rmi_hid_read_block: timeout
elapsed
[ 38.058792] i2c_designware INT33C3:00: controller timed out
[ 38.085205] i2c_designware INT33C3:00: timeout in disabling adapter
[ 38.085216] i2c_hid i2c-DLL063E:00: failed to set a report to device.
[ 38.085221] hid-rmi 0018:06CB:2934.0003: failed to write hid report
(-110)
[ 38.085224] hid-rmi 0018:06CB:2934.0003: failed to write request
output report (-110)
[ 38.085229] rmi4_f54 rmi4-00.fn54: rmi_f54_work: read [722 bytes]
returned -110
---
--
Mantas MikulÄnas <grawity@xxxxxxxxx>