Bug 219002 - Kernel panic due to NULL pointer dereference in synaptics_process_byte
Summary: Kernel panic due to NULL pointer dereference in synaptics_process_byte
Status: NEW
Alias: None
Product: Drivers
Classification: Unclassified
Component: Input Devices
Hardware: All Linux
Importance: P3 normal
Assignee: drivers_input-devices
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2024-07-01 18:54 UTC by Julian
Modified: 2025-02-15 09:33 UTC
3 users

See Also:
Kernel Version: 6.9.6
Subsystem:
Regression: No
Bisected commit-id:


Attachments
dmesg output of the panic (115.17 KB, text/plain)
2024-07-01 18:54 UTC, Julian
check if priv is NULL (694 bytes, patch)
2024-07-02 14:41 UTC, Ben O
New crash log, after applying the patch (114.83 KB, text/plain)
2024-07-04 13:33 UTC, Julian

Description Julian 2024-07-01 18:54:04 UTC
Created attachment 306520 [details]
dmesg output of the panic

Hi,

For a long time my Lenovo X1 Yoga Gen 2 (20JE) running Arch Linux has sometimes crashed with a kernel panic when waking up from suspend to disk. Today I was finally able to grab a log of the panic (see attachment), and it showed the cause to be a NULL pointer dereference inside synaptics_process_byte. I'm willing to help further debug this issue, as it's quite annoying, but sadly I can't reproduce it consistently.

Best regards

Julian
Comment 1 Ben O 2024-07-02 14:22:52 UTC
diff --git a/drivers/input/mouse/synaptics.c b/drivers/input/mouse/synaptics.c
index 7a303a9d6bf7..3dafbf384d15 100644
--- a/drivers/input/mouse/synaptics.c
+++ b/drivers/input/mouse/synaptics.c
@@ -1211,6 +1211,11 @@ static psmouse_ret_t synaptics_process_byte(struct psmouse *psmouse)
 {
        struct synaptics_data *priv = psmouse->private;

+       if (!priv) {
+               printk(KERN_ERR "synaptics_process_byte: priv is NULL");
+               return PSMOUSE_BAD_DATA;
+       }
+
        if (psmouse->pktcnt >= 6) { /* Full packet received */
                if (unlikely(priv->pkt_type == SYN_NEWABS))
                        priv->pkt_type = synaptics_detect_pkt_type(psmouse);

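Review bot: The added printk is missing a trailing "\n" and bypasses the driver's own logging helper; since this path runs from ps2_interrupt for every received byte, use psmouse_err(psmouse, "priv is NULL\n") (or a ratelimited printk) so the message carries the device name and cannot flood the log while the condition persists. The check itself only establishes that psmouse->private is non-NULL on entry: a dereference through some other pointer later in synaptics_process_byte, or psmouse itself being NULL, is not covered, so a crash with this patch applied does not rule out the function as the culprit; the oops RIP offset should be mapped back to the exact dereference before choosing a fix. Returning PSMOUSE_BAD_DATA also masks rather than explains why private would be NULL while the interrupt handler is still active, which, given the reporter sees this on resume, points at the ordering between device re-initialisation and the IRQ path as the thing to investigate.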
Apply the patch above, try reproducing and send the dmesg output again; this should at least stop the kernel from panicking.
Comment 2 Ben O 2024-07-02 14:41:59 UTC
Created attachment 306523 [details]
check if priv is NULL
Comment 3 Julian 2024-07-04 13:33:07 UTC
Applied your patch, but still got a crash. So psmouse is actually the NULL pointer, I guess?
Comment 4 Julian 2024-07-04 13:33:45 UTC
Created attachment 306530 [details]
New crash log, after applying the patch
Comment 5 Martin 2024-10-13 20:04:07 UTC
I suffer from the same problem after changing my keyboard in my ThinkPad T460p.
Sadly, when I try to compile the 6.11.3 kernel with the patch, I get

```
ld: vmlinux.o: in function `x64_sys_call':
/buildpath/src/linux-6.11.3/./arch/x86/include/generated/asm/syscalls_64.h:464:(.text+0x6b8e): undefined reference to `__x64_sys_process_ksm_enable'
ld: /buildpath/src/linux-6.11.3/./arch/x86/include/generated/asm/syscalls_64.h:466:(.text+0x7178): undefined reference to `__x64_sys_process_ksm_status'
ld: /buildpath/src/linux-6.11.3/./arch/x86/include/generated/asm/syscalls_64.h:465:(.text+0x7355): undefined reference to `__x64_sys_process_ksm_disable'
ld: vmlinux.o: in function `ia32_sys_call':
/buildpath/src/linux-6.11.3/./arch/x86/include/generated/asm/syscalls_32.h:466:(.text+0x9ab3): undefined reference to `__ia32_sys_process_ksm_status'
ld: /buildpath/src/linux-6.11.3/./arch/x86/include/generated/asm/syscalls_32.h:464:(.text+0x9de4): undefined reference to `__ia32_sys_process_ksm_enable'
ld: /buildpath/src/linux-6.11.3/./arch/x86/include/generated/asm/syscalls_32.h:465:(.text+0xa03c): undefined reference to `__ia32_sys_process_ksm_disable'
ld: vmlinux.o: in function `x32_sys_call':
/buildpath/src/linux-6.11.3/./arch/x86/include/generated/asm/syscalls_x32.h:466:(.text+0xab0f): undefined reference to `__x64_sys_process_ksm_status'
ld: /buildpath/src/linux-6.11.3/./arch/x86/include/generated/asm/syscalls_x32.h:465:(.text+0xb452): undefined reference to `__x64_sys_process_ksm_disable'
ld: /buildpath/src/linux-6.11.3/./arch/x86/include/generated/asm/syscalls_x32.h:464:(.text+0xb49d): undefined reference to `__x64_sys_process_ksm_enable'
ld: vmlinux.o:(.rodata+0x3018): undefined reference to `__x64_sys_process_ksm_enable'
ld: vmlinux.o:(.rodata+0x3020): undefined reference to `__x64_sys_process_ksm_disable'
ld: vmlinux.o:(.rodata+0x3028): undefined reference to `__x64_sys_process_ksm_status'
make[2]: *** [scripts/Makefile.vmlinux:34: vmlinux] Fehler 1
make[1]: *** [/buildpath/src/linux-6.11.3/Makefile:1157: vmlinux] Fehler 2
make: *** [Makefile:224: __sub-make] Fehler 2
```
Comment 6 beaaegicfqmq6rytaqlagsydlqeheddv 2025-02-08 18:17:26 UTC
Hi,

I have had the same issue for ages on a Lenovo X1 Carbon 4th gen:

> BUG: kernel NULL pointer dereference, address: 0000000000000108
> #PF: supervisor read access in kernel mode
> #PF: error_code(0x0000) - not-present page
> PGD 0 P4D 0 
> Oops: Oops: 0000 [#1] PREEMPT SMP PTI
> CPU: 0 UID: 1000 PID: 8015 Comm: Renderer Kdump: loaded Tainted: G     U     
>        6.12.10-200.fc41.x86_64 #1
> Tainted: [U]=USER
> Hardware name: LENOVO 20FB0043GE/20FB0043GE, BIOS N1FET82W (1.56 ) 12/06/2022
> RIP: 0010:synaptics_process_byte+0x59c/0xe30
> Code: ff 48 8b 6d 48 48 85 ed 0f 84 be fe ff ff 48 89 ef e8 58 d8 ff ff 0f b6
> b3 e9 00 00 00 31 d2 48 89 ef 49 89 c4 48 85 c0 74 0d <83> b8 18 01 00 00 04
> 0f 84 48 07 00 00 e8 22 8f fe ff e9 8b fe ff
> RSP: 0000:ffffb0c34ac7bd80 EFLAGS: 00010086
> RAX: fffffffffffffff0 RBX: ffff89af81704e00 RCX: 000000010165e3c5
> RDX: 0000000000000000 RSI: 0000000000000018 RDI: ffff89af81e8b000
> RBP: ffff89af81e8b000 R08: 0000000000000084 R09: 00000000000000c4
> R10: 0000000000000000 R11: 0000000000000000 R12: fffffffffffffff0
> R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
> FS:  00007fb195d946c0(0000) GS:ffff89b2b1400000(0000) knlGS:0000000000000000
> CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> CR2: 0000000000000108 CR3: 00000001738d0001 CR4: 00000000003726f0
> Call Trace:
>  <TASK>
>  ? __die_body.cold+0x19/0x27
>  ? page_fault_oops+0x15a/0x2f0
>  ? idr_alloc+0x3a/0x70
>  ? exc_page_fault+0x7e/0x180
>  ? asm_exc_page_fault+0x26/0x30
>  ? synaptics_process_byte+0x59c/0xe30
>  ? pm_wakeup_dev_event+0x2d/0x60
>  psmouse_handle_byte+0x12/0x60
>  ps2_interrupt+0x9a/0x1a0
>  serio_interrupt+0x47/0x90
>  i8042_interrupt+0x12c/0x290
>  __handle_irq_event_percpu+0x47/0x190
>  handle_irq_event+0x38/0x80
>  handle_edge_irq+0x8b/0x230
>  __common_interrupt+0x49/0xd0
>  common_interrupt+0x42/0xa0
>  asm_common_interrupt+0x26/0x40
> RIP: 0033:0x7fb1b10fc9ed
> Code: 04 25 28 00 00 00 48 89 45 c8 31 c0 48 8d 45 10 c7 45 b0 10 00 00 00 48
> 89 45 b8 48 8d 45 d0 48 89 45 c0 b8 10 00 00 00 0f 05 <89> c2 3d 00 f0 ff ff
> 77 1a 48 8b 45 c8 64 48 2b 04 25 28 00 00 00
> RSP: 002b:00007fb195d92280 EFLAGS: 00000246
> RAX: 0000000000000000 RBX: 0000000000000030 RCX: 00007fb1b10fc9ed
> RDX: 00007fb195d922e0 RSI: 00000000c00864bf RDI: 0000000000000030
> RBP: 00007fb195d922d0 R08: 0000000000000019 R09: 00007fb1b0f009c0
> R10: 0000501110f40398 R11: 0000000000000246 R12: 00000000c00864bf
> R13: 00007fb195d922e0 R14: 00007fb16d1a0b18 R15: 00007fb195f84138
>  </TASK>

fwiw I have collected some vmcores.
Comment 7 beaaegicfqmq6rytaqlagsydlqeheddv 2025-02-15 09:33:34 UTC
Hi,

I recently updated to 6.14.0-rc2 as I've seen some changes done in the synaptics driver, and haven't had any crashes yet.
