Bug 196119

Summary: null pointer dereference when the removable keyboard detached at rmi bus, on Thinkpad X1 tablet
Product: Drivers Reporter: Robin Lee (robinlee.sysu)
Component: Input DevicesAssignee: drivers_input-devices
Status: RESOLVED CODE_FIX    
Severity: normal CC: benjamin.tissoires, dmitry.torokhov
Priority: P1    
Hardware: All   
OS: Linux   
Kernel Version: 4.12-rc5 Subsystem:
Regression: No Bisected commit-id:
Attachments: lsusb -vvv output on Thinkpad X1 Tablet

Description Robin Lee 2017-06-19 08:53:19 UTC 
Description of problem:
null pointer dereference when the removable keyboard detached.
And if the keyboard is attached a again. It will not be usable.

The device is ThinkPad X1 tablet 20GGA00L00.

I am responsive to provide further information.

I am on Fedora 26 with kernel-4.12.0-0.rc5.git2.1.fc27.x86_64. And kernel-4.11.5-300.fc26.x86_64 also comes with the name issue.

journal output:
Jun 19 11:33:42 cheese-X1tablet kernel: usb 1-7: USB disconnect, device number 2
Jun 19 11:33:42 cheese-X1tablet kernel: BUG: unable to handle kernel NULL pointer dereference at           (null)
Jun 19 11:33:42 cheese-X1tablet kernel: IP: device_del+0x17/0x360
Jun 19 11:33:42 cheese-X1tablet kernel: PGD 0 
Jun 19 11:33:42 cheese-X1tablet kernel: P4D 0 
Jun 19 11:33:42 cheese-X1tablet kernel: 
Jun 19 11:33:42 cheese-X1tablet kernel: Oops: 0000 [#1] SMP
Jun 19 11:33:42 cheese-X1tablet kernel: Modules linked in: fuse ccm xt_CHECKSUM ipt_MASQUERADE nf_nat_masquerade_ipv4 tun nf_conntrack_netbios_ns nf_conntrack_broadcast xt_CT ip6t_rpfilter ip6t_REJECT nf_reject_ipv6 xt_conntrack ip_set nfnetlink ebtable_nat ebtable_broute bridge stp llc ip6table_nat nf_conntrack_ipv6 nf_defrag_ipv6 nf_nat_ipv6 ip6table_mangle ip6table_raw ip6table_security iptable_nat nf_conntrack_ipv4 nf_defrag_ipv4 nf_nat_ipv4 nf_nat nf_conntrack libcrc32c iptable_mangle iptable_raw iptable_security ebtable_filter ebtables ip6table_filter ip6_tables bnep vfat fat wacom iTCO_wdt iTCO_vendor_support mei_wdt spi_pxa2xx_platform intel_rapl x86_pkg_temp_thermal i2c_designware_platform intel_powerclamp i2c_designware_core coretemp snd_soc_skl kvm_intel snd_soc_skl_ipc snd_soc_sst_ipc snd_soc_sst_dsp snd_hda_ext_core
Jun 19 11:33:42 cheese-X1tablet kernel:  arc4 snd_soc_sst_match snd_soc_core kvm snd_hda_codec_hdmi snd_hda_codec_realtek snd_hda_codec_generic snd_compress iwlmvm snd_pcm_dmaengine ac97_bus snd_hda_intel snd_hda_codec mac80211 irqbypass snd_hda_core crct10dif_pclmul crc32_pclmul snd_hwdep snd_seq ghash_clmulni_intel intel_cstate snd_seq_device intel_uncore snd_pcm intel_rapl_perf iwlwifi cfg80211 rtsx_pci_ms snd_timer i2c_i801 memstick btusb btrtl btbcm btintel joydev bluetooth mei_me mei ecdh_generic 8250_pci shpchp hid_sensor_als hid_sensor_accel_3d hid_sensor_magn_3d hid_sensor_gyro_3d hid_sensor_trigger hid_sensor_iio_common industrialio_triggered_buffer kfifo_buf industrialio idma64 processor_thermal_device thinkpad_acpi intel_lpss_pci intel_soc_dts_iosf wmi snd soc_button_array soundcore int3403_thermal rfkill intel_vbtn
Jun 19 11:33:42 cheese-X1tablet kernel:  pinctrl_sunrisepoint pinctrl_intel intel_lpss_acpi int3400_thermal intel_hid int3402_thermal acpi_thermal_rel intel_lpss sparse_keymap int340x_thermal_zone tpm_tis tpm_tis_core tpm nfsd auth_rpcgss nfs_acl lockd grace sunrpc mmc_block hid_sensor_hub intel_ishtp_hid i915 rtsx_pci_sdmmc mmc_core crc32c_intel i2c_algo_bit drm_kms_helper serio_raw drm rtsx_pci intel_ish_ipc intel_ishtp i2c_hid video hid_rmi rmi_core
Jun 19 11:33:42 cheese-X1tablet kernel: CPU: 2 PID: 43 Comm: kworker/2:1 Not tainted 4.12.0-0.rc5.git2.1.fc27.x86_64 #1
Jun 19 11:33:42 cheese-X1tablet kernel: Hardware name: LENOVO 20GGA00L00/20GGA00L00, BIOS N1LET37W (1.19 ) 05/19/2016
Jun 19 11:33:42 cheese-X1tablet kernel: Workqueue: usb_hub_wq hub_event
Jun 19 11:33:42 cheese-X1tablet kernel: task: ffff9ef59667b2c0 task.stack: ffffbd7d40df4000
Jun 19 11:33:42 cheese-X1tablet kernel: RIP: 0010:device_del+0x17/0x360
Jun 19 11:33:42 cheese-X1tablet kernel: RSP: 0018:ffffbd7d40df7a00 EFLAGS: 00010286
Jun 19 11:33:42 cheese-X1tablet kernel: RAX: ffffffffb6e5b300 RBX: 0000000000000000 RCX: 0000000000000000
Jun 19 11:33:42 cheese-X1tablet kernel: RDX: 0000001fffffffc0 RSI: ffff9ef59667c068 RDI: 0000000000000000
Jun 19 11:33:42 cheese-X1tablet kernel: RBP: ffffbd7d40df7a38 R08: 0000000000000001 R09: 0000000000000000
Jun 19 11:33:42 cheese-X1tablet kernel: R10: 0000000000000000 R11: 0000000000000000 R12: ffff9ef590bcc000
Jun 19 11:33:42 cheese-X1tablet kernel: R13: 0000000000000000 R14: ffff9ef590bcd8e8 R15: ffff9ef590bcd948
Jun 19 11:33:42 cheese-X1tablet kernel: FS:  0000000000000000(0000) GS:ffff9ef598a00000(0000) knlGS:0000000000000000
Jun 19 11:33:42 cheese-X1tablet kernel: CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
Jun 19 11:33:42 cheese-X1tablet kernel: CR2: 0000000000000000 CR3: 0000000025e11000 CR4: 00000000003406e0
Jun 19 11:33:42 cheese-X1tablet kernel: DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
Jun 19 11:33:42 cheese-X1tablet kernel: DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Jun 19 11:33:42 cheese-X1tablet kernel: Call Trace:
Jun 19 11:33:42 cheese-X1tablet kernel:  ? trace_hardirqs_on_caller+0xf4/0x190
Jun 19 11:33:42 cheese-X1tablet kernel:  rmi_unregister_transport_device+0x16/0x30 [rmi_core]
Jun 19 11:33:42 cheese-X1tablet kernel:  rmi_remove+0x36/0x60 [hid_rmi]
Jun 19 11:33:42 cheese-X1tablet kernel:  hid_device_remove+0x68/0xd0
Jun 19 11:33:42 cheese-X1tablet kernel:  device_release_driver_internal+0x160/0x210
Jun 19 11:33:42 cheese-X1tablet kernel:  device_release_driver+0x12/0x20
Jun 19 11:33:42 cheese-X1tablet kernel:  bus_remove_device+0x11b/0x190
Jun 19 11:33:42 cheese-X1tablet kernel:  device_del+0x1e7/0x360
Jun 19 11:33:42 cheese-X1tablet kernel:  hid_destroy_device+0x27/0x60
Jun 19 11:33:42 cheese-X1tablet kernel:  usbhid_disconnect+0x49/0x70
Jun 19 11:33:42 cheese-X1tablet kernel:  usb_unbind_interface+0x75/0x290
Jun 19 11:33:42 cheese-X1tablet kernel:  device_release_driver_internal+0x160/0x210
Jun 19 11:33:42 cheese-X1tablet kernel:  device_release_driver+0x12/0x20
Jun 19 11:33:42 cheese-X1tablet kernel:  bus_remove_device+0x11b/0x190
Jun 19 11:33:42 cheese-X1tablet kernel:  device_del+0x1e7/0x360
Jun 19 11:33:42 cheese-X1tablet kernel:  usb_disable_device+0x9f/0x270
Jun 19 11:33:42 cheese-X1tablet kernel:  usb_disconnect+0xc8/0x2b0
Jun 19 11:33:42 cheese-X1tablet kernel:  hub_event+0x598/0x15e0
Jun 19 11:33:42 cheese-X1tablet kernel:  process_one_work+0x253/0x6a0
Jun 19 11:33:42 cheese-X1tablet kernel:  worker_thread+0x4d/0x3b0
Jun 19 11:33:42 cheese-X1tablet kernel:  kthread+0x133/0x150
Jun 19 11:33:42 cheese-X1tablet kernel:  ? process_one_work+0x6a0/0x6a0
Jun 19 11:33:42 cheese-X1tablet kernel:  ? kthread_create_on_node+0x70/0x70
Jun 19 11:33:42 cheese-X1tablet kernel:  ret_from_fork+0x2a/0x40
Jun 19 11:33:42 cheese-X1tablet kernel: Code: 00 00 00 00 00 41 5c 41 5d 5d c3 66 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 55 48 89 e5 41 56 41 55 41 54 53 48 89 fb 48 83 ec 18 <4c> 8b 2f 65 48 8b 04 25 28 00 00 00 48 89 45 d8 31 c0 48 8b 87 
Jun 19 11:33:42 cheese-X1tablet kernel: RIP: device_del+0x17/0x360 RSP: ffffbd7d40df7a00
Jun 19 11:33:42 cheese-X1tablet kernel: CR2: 0000000000000000
Jun 19 11:33:42 cheese-X1tablet kernel: ---[ end trace a6f1a7b4d9a49be5 ]---
Jun 19 11:33:42 cheese-X1tablet kernel: BUG: sleeping function called from invalid context at ./include/linux/percpu-rwsem.h:33
Jun 19 11:33:42 cheese-X1tablet kernel: in_atomic(): 0, irqs_disabled(): 1, pid: 43, name: kworker/2:1
Jun 19 11:33:42 cheese-X1tablet kernel: INFO: lockdep is turned off.
Jun 19 11:33:42 cheese-X1tablet kernel: irq event stamp: 980444
Jun 19 11:33:42 cheese-X1tablet kernel: hardirqs last  enabled at (980443): [<ffffffffb60cee10>] flush_work+0x2b0/0x320
Jun 19 11:33:42 cheese-X1tablet kernel: hardirqs last disabled at (980444): [<ffffffffb698488c>] error_entry+0x7c/0xd0
Jun 19 11:33:42 cheese-X1tablet kernel: softirqs last  enabled at (980426): [<ffffffffb6988012>] __do_softirq+0x382/0x4ed
Jun 19 11:33:42 cheese-X1tablet kernel: softirqs last disabled at (980411): [<ffffffffb60b8faf>] irq_exit+0x10f/0x120
Jun 19 11:33:42 cheese-X1tablet kernel: CPU: 2 PID: 43 Comm: kworker/2:1 Tainted: G      D         4.12.0-0.rc5.git2.1.fc27.x86_64 #1
Jun 19 11:33:42 cheese-X1tablet kernel: Hardware name: LENOVO 20GGA00L00/20GGA00L00, BIOS N1LET37W (1.19 ) 05/19/2016
Jun 19 11:33:42 cheese-X1tablet kernel: Workqueue: usb_hub_wq hub_event
Jun 19 11:33:42 cheese-X1tablet kernel: Call Trace:
Jun 19 11:33:42 cheese-X1tablet kernel:  dump_stack+0x8e/0xcd
Jun 19 11:33:42 cheese-X1tablet kernel:  ___might_sleep+0x144/0x260
Jun 19 11:33:42 cheese-X1tablet kernel:  __might_sleep+0x4a/0x80
Jun 19 11:33:42 cheese-X1tablet kernel:  exit_signals+0x33/0x240
Jun 19 11:33:42 cheese-X1tablet kernel:  do_exit+0xb4/0xd30
Jun 19 11:33:42 cheese-X1tablet kernel:  ? kthread+0x133/0x150
Jun 19 11:33:42 cheese-X1tablet kernel:  rewind_stack_do_exit+0x17/0x20
Jun 19 11:33:42 cheese-X1tablet kernel: intel-vbtn INT33D6:00: unknown event index 0xcc
Jun 19 11:33:42 cheese-X1tablet kernel: intel-vbtn INT33D6:00: unknown event index 0xcb
Jun 19 11:33:43 cheese-X1tablet kernel: thinkpad_acpi: unhandled HKEY event 0x4013
Jun 19 11:33:43 cheese-X1tablet kernel: thinkpad_acpi: please report the conditions when this event happened to ibm-acpi-devel@lists.sourceforge.net
Jun 19 11:33:43 cheese-X1tablet kernel: int3403 thermal INT3403:01: Unsupported event [0x91]
Jun 19 11:33:43 cheese-X1tablet kernel: int3403 thermal INT3403:00: Unsupported event [0x91]
Jun 19 11:33:43 cheese-X1tablet kernel: intel-vbtn INT33D6:00: unknown event index 0xcc
Jun 19 11:33:43 cheese-X1tablet kernel: intel-vbtn INT33D6:00: unknown event index 0xcb
Comment 1 Robin Lee 2017-06-20 02:08:18 UTC 
Created attachment 257077 [details]
lsusb -vvv output on Thinkpad X1 Tablet
Comment 2 Robin Lee 2017-11-26 06:00:17 UTC 
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=ef14a4bf0910d06c7e202552914028d4956809cb
This commit in current master fixed this issue. And the commit can be applied to 4.13 branch cleanly.