Message-ID: <524648a9-3fb9-1423-aa1a-376289fafc5d@gmail.com>
Date:   Fri, 22 Feb 2019 08:07:38 +0200
From:   Mantas Mikulėnas <grawity@...il.com>
To:     linux-input@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: Synaptics RMI4 - accessing /dev/v4l-touch0 breaks everything

Hello,

I have a laptop with a Synaptics touchpad via RMI4/i2c-hid. I noticed
that it is also exposed as a "/dev/v4l-touch0" device
(/sys/devices/rmi4-00/rmi4-00.fn54/video4linux/v4l-touch0).

Because it has "v4l" in its name, I was stupid enough to run the `mpv`
video player on it. Now I have a dmesg full of errors, and don't have a
touchpad anymore (until rebooting).

Of course, I didn't really expect it to do anything useful, but somewhat
more concerning is that I got these kinds of kernel messages instead:

"BUG: unable to handle kernel NULL pointer dereference"
"kernel tried to execute NX-protected page - exploit attempt? (uid: 0)"
"BUG: unable to handle kernel paging request"
"Fixing recursive fault but reboot is needed"

The full dmesg output generated by `mpv /dev/v4l-touch0` is:

---
[   36.018308] BUG: unable to handle kernel NULL pointer dereference at
0000000000000000
[   36.018313] PGD 0 P4D 0
[   36.018316] Oops: 0010 [#1] PREEMPT SMP PTI
[   36.018318] CPU: 2 PID: 509 Comm: irq/51-i2c_hid Not tainted
4.20.11-arch1-1-ARCH #1
[   36.018319] Hardware name: Dell Inc. Inspiron 5547/06X5CY, BIOS A10
08/25/2016
[   36.018321] RIP: 0010:          (null)
[   36.018324] Code: Bad RIP value.
[   36.018325] RSP: 0000:ffffb9bd414dfe28 EFLAGS: 00010286
[   36.018327] RAX: 0000000000000000 RBX: ffffffff86421e00 RCX:
0000000000000000
[   36.018328] RDX: 0000000000000000 RSI: 0000000000000000 RDI:
0000000000000000
[   36.018329] RBP: 0000000000000000 R08: ffff9a8d56802238 R09:
ffff9a8d56802260
[   36.018330] R10: 0000000000000000 R11: ffffffff864507a8 R12:
ffff9a8d56d17c00
[   36.018331] R13: ffff9a8d56d17ce4 R14: ffff9a8d51f69ee4 R15:
ffff9a8d43edbc80
[   36.018332] FS:  0000000000000000(0000) GS:ffff9a8d57080000(0000)
knlGS:0000000000000000
[   36.018333] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   36.018334] CR2: ffffffffffffffd6 CR3: 0000000205bb8004 CR4:
00000000001606e0
[   36.018335] Call Trace:
[   36.018340]  ? handle_nested_irq+0xb3/0x110
[   36.018347]  ? rmi_process_interrupt_requests+0x7d/0x110 [rmi_core]
[   36.018349]  ? rmi_irq_fn+0x5f/0xe0 [rmi_core]
[   36.018351]  ? irq_forced_thread_fn+0x70/0x70
[   36.018353]  ? irq_thread_fn+0x1f/0x60
[   36.018354]  ? irq_thread+0xe7/0x160
[   36.018355]  ? wake_threads_waitq+0x30/0x30
[   36.018357]  ? irq_thread_dtor+0x80/0x80
[   36.018359]  ? kthread+0x112/0x130
[   36.018361]  ? kthread_park+0x80/0x80
[   36.018364]  ? ret_from_fork+0x1f/0x40
[   36.018367] Modules linked in: fuse rfcomm nft_reject_inet
nf_reject_ipv4 nf_reject_ipv6 nft_reject nft_ct bnep btusb btrtl btbcm
btintel bluetooth rtsx_usb_ms nf_tables_set ecdh_generic nf_tables
joydev mousedev amdgpu arc4 hid_rmi rmi_core videobuf2_vmalloc
videobuf2_memops videobuf2_v4l2 videobuf2_common videodev
intel_spi_platform intel_spi spi_nor iTCO_wdt mtd iTCO_vendor_support
wmi_bmof dell_wmi iwlmvm sparse_keymap media mac80211
snd_hda_codec_realtek snd_hda_codec_hdmi snd_hda_codec_generic
dell_laptop intel_rapl snd_hda_intel dell_smbios x86_pkg_temp_thermal
intel_powerclamp iwlwifi coretemp snd_hda_codec dell_wmi_descriptor
kvm_intel dcdbas dell_smm_hwmon snd_hda_core intel_cstate input_leds
snd_hwdep intel_uncore snd_pcm chash amd_iommu_v2 psmouse
intel_rapl_perf cfg80211 pcspkr gpu_sched ttm snd_timer r8169 mei_me
realtek snd mei soundcore lpc_ich i2c_i801 wmi battery ac gpio_lynxpoint
i2c_hid dell_rbtn evdev rfkill mac_hid pcc_cpufreq tcp_lp cdc_acm pl2303
[   36.018393]  nf_conntrack_netlink nfnetlink nf_conntrack
nf_defrag_ipv6 nf_defrag_ipv4 libcrc32c rndis_host cdc_ether
ax88179_178a asix usbnet mii libphy tun sit tunnel4 ip_tunnel 8021q garp
mrp stp llc cifs ccm dns_resolver fscache nls_utf8 nls_iso8859_1
nls_cp437 vfat fat udf crc_itu_t isofs mspro_block ms_block memstick
mmc_block ums_cypress sr_mod cdrom uas usb_storage loop msr sg
crypto_user ip_tables x_tables ext4 crc32c_generic crc16 mbcache jbd2
fscrypto algif_skcipher af_alg rtsx_usb_sdmmc mmc_core rtsx_usb
hid_generic usbhid hid dm_crypt dm_mod sd_mod crct10dif_pclmul
crc32_pclmul crc32c_intel ghash_clmulni_intel serio_raw atkbd libps2
ahci libahci libata aesni_intel ehci_pci xhci_pci aes_x86_64 crypto_simd
cryptd glue_helper scsi_mod xhci_hcd ehci_hcd i8042 serio i915 kvmgt
vfio_mdev mdev vfio_iommu_type1 vfio kvm irqbypass intel_gtt
i2c_algo_bit drm_kms_helper syscopyarea sysfillrect sysimgblt
fb_sys_fops drm agpgart
[   36.018433] CR2: 0000000000000000
[   36.018435] ---[ end trace 5fe08f697d858ed0 ]---
[   36.018436] RIP: 0010:          (null)
[   36.018438] Code: Bad RIP value.
[   36.018439] RSP: 0000:ffffb9bd414dfe28 EFLAGS: 00010286
[   36.018441] RAX: 0000000000000000 RBX: ffffffff86421e00 RCX:
0000000000000000
[   36.018442] RDX: 0000000000000000 RSI: 0000000000000000 RDI:
0000000000000000
[   36.018443] RBP: 0000000000000000 R08: ffff9a8d56802238 R09:
ffff9a8d56802260
[   36.018444] R10: 0000000000000000 R11: ffffffff864507a8 R12:
ffff9a8d56d17c00
[   36.018445] R13: ffff9a8d56d17ce4 R14: ffff9a8d51f69ee4 R15:
ffff9a8d43edbc80
[   36.018446] FS:  0000000000000000(0000) GS:ffff9a8d57080000(0000)
knlGS:0000000000000000
[   36.018447] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   36.018448] CR2: ffffffffffffffd6 CR3: 0000000205bb8004 CR4:
00000000001606e0
[   36.018455] kernel tried to execute NX-protected page - exploit
attempt? (uid: 0)
[   36.018456] BUG: unable to handle kernel paging request at
ffff9a8d43edbc01
[   36.018457] PGD 22d801067 P4D 22d801067 PUD 22d805067 PMD 243f2d063
PTE 8000000243edb063
[   36.018459] Oops: 0011 [#2] PREEMPT SMP PTI
[   36.018461] CPU: 2 PID: 509 Comm: irq/51-i2c_hid Tainted: G      D
        4.20.11-arch1-1-ARCH #1
[   36.018462] Hardware name: Dell Inc. Inspiron 5547/06X5CY, BIOS A10
08/25/2016
[   36.018464] RIP: 0010:0xffff9a8d43edbc01
[   36.018465] Code: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 <00> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   36.018466] RSP: 0000:ffffb9bd414dfea0 EFLAGS: 00010282
[   36.018467] RAX: ffffb9bd414dfec8 RBX: ffff9a8d43edc400 RCX:
0000000000000000
[   36.018468] RDX: ffff9a8d43edbc01 RSI: 0000000000000000 RDI:
ffffb9bd414dfec8
[   36.018469] RBP: 0000000000000000 R08: 0000000000000000 R09:
0000000000000000
[   36.018470] R10: ffffe28c8912ec00 R11: ffffffff86a50fcd R12:
ffff9a8d43edbc80
[   36.018471] R13: ffffffff86a49f10 R14: 0000000000000000 R15:
ffff9a8d43edc434
[   36.018472] FS:  0000000000000000(0000) GS:ffff9a8d57080000(0000)
knlGS:0000000000000000
[   36.018473] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   36.018474] CR2: ffff9a8d43edbc01 CR3: 0000000205bb8004 CR4:
00000000001606e0
[   36.018475] Call Trace:
[   36.018477]  ? task_work_run+0x8f/0xb0
[   36.018481]  ? do_exit+0x3a3/0xb60
[   36.018483]  ? irq_thread_dtor+0x80/0x80
[   36.018485]  ? kthread+0x112/0x130
[   36.018488]  ? rewind_stack_do_exit+0x17/0x20
[   36.018490] Modules linked in: fuse rfcomm nft_reject_inet
nf_reject_ipv4 nf_reject_ipv6 nft_reject nft_ct bnep btusb btrtl btbcm
btintel bluetooth rtsx_usb_ms nf_tables_set ecdh_generic nf_tables
joydev mousedev amdgpu arc4 hid_rmi rmi_core videobuf2_vmalloc
videobuf2_memops videobuf2_v4l2 videobuf2_common videodev
intel_spi_platform intel_spi spi_nor iTCO_wdt mtd iTCO_vendor_support
wmi_bmof dell_wmi iwlmvm sparse_keymap media mac80211
snd_hda_codec_realtek snd_hda_codec_hdmi snd_hda_codec_generic
dell_laptop intel_rapl snd_hda_intel dell_smbios x86_pkg_temp_thermal
intel_powerclamp iwlwifi coretemp snd_hda_codec dell_wmi_descriptor
kvm_intel dcdbas dell_smm_hwmon snd_hda_core intel_cstate input_leds
snd_hwdep intel_uncore snd_pcm chash amd_iommu_v2 psmouse
intel_rapl_perf cfg80211 pcspkr gpu_sched ttm snd_timer r8169 mei_me
realtek snd mei soundcore lpc_ich i2c_i801 wmi battery ac gpio_lynxpoint
i2c_hid dell_rbtn evdev rfkill mac_hid pcc_cpufreq tcp_lp cdc_acm pl2303
[   36.018508]  nf_conntrack_netlink nfnetlink nf_conntrack
nf_defrag_ipv6 nf_defrag_ipv4 libcrc32c rndis_host cdc_ether
ax88179_178a asix usbnet mii libphy tun sit tunnel4 ip_tunnel 8021q garp
mrp stp llc cifs ccm dns_resolver fscache nls_utf8 nls_iso8859_1
nls_cp437 vfat fat udf crc_itu_t isofs mspro_block ms_block memstick
mmc_block ums_cypress sr_mod cdrom uas usb_storage loop msr sg
crypto_user ip_tables x_tables ext4 crc32c_generic crc16 mbcache jbd2
fscrypto algif_skcipher af_alg rtsx_usb_sdmmc mmc_core rtsx_usb
hid_generic usbhid hid dm_crypt dm_mod sd_mod crct10dif_pclmul
crc32_pclmul crc32c_intel ghash_clmulni_intel serio_raw atkbd libps2
ahci libahci libata aesni_intel ehci_pci xhci_pci aes_x86_64 crypto_simd
cryptd glue_helper scsi_mod xhci_hcd ehci_hcd i8042 serio i915 kvmgt
vfio_mdev mdev vfio_iommu_type1 vfio kvm irqbypass intel_gtt
i2c_algo_bit drm_kms_helper syscopyarea sysfillrect sysimgblt
fb_sys_fops drm agpgart
[   36.018530] CR2: ffff9a8d43edbc01
[   36.018531] ---[ end trace 5fe08f697d858ed1 ]---
[   36.018532] RIP: 0010:          (null)
[   36.018534] Code: Bad RIP value.
[   36.018535] RSP: 0000:ffffb9bd414dfe28 EFLAGS: 00010286
[   36.018536] RAX: 0000000000000000 RBX: ffffffff86421e00 RCX:
0000000000000000
[   36.018537] RDX: 0000000000000000 RSI: 0000000000000000 RDI:
0000000000000000
[   36.018538] RBP: 0000000000000000 R08: ffff9a8d56802238 R09:
ffff9a8d56802260
[   36.018539] R10: 0000000000000000 R11: ffffffff864507a8 R12:
ffff9a8d56d17c00
[   36.018540] R13: ffff9a8d56d17ce4 R14: ffff9a8d51f69ee4 R15:
ffff9a8d43edbc80
[   36.018541] FS:  0000000000000000(0000) GS:ffff9a8d57080000(0000)
knlGS:0000000000000000
[   36.018542] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   36.018543] CR2: ffffffffffffffd6 CR3: 0000000205bb8004 CR4:
00000000001606e0
[   36.018544] Fixing recursive fault but reboot is needed!
[   37.015459] rmi4_f54 rmi4-00.fn54: Timed out
[   37.042105] hid-rmi 0018:06CB:2934.0003: rmi_hid_read_block: timeout
elapsed
[   38.058792] i2c_designware INT33C3:00: controller timed out
[   38.085205] i2c_designware INT33C3:00: timeout in disabling adapter
[   38.085216] i2c_hid i2c-DLL063E:00: failed to set a report to device.
[   38.085221] hid-rmi 0018:06CB:2934.0003: failed to write hid report
(-110)
[   38.085224] hid-rmi 0018:06CB:2934.0003: failed to write request
output report (-110)
[   38.085229] rmi4_f54 rmi4-00.fn54: rmi_f54_work: read [722 bytes]
returned -110
---



-- 
Mantas Mikulėnas <grawity@...il.com>
