* NULL pointer dereference in i2c-hid
@ 2014-12-10 17:04 ` Gabriele Mazzotta
  0 siblings, 0 replies; 34+ messages in thread
From: Gabriele Mazzotta @ 2014-12-10 17:04 UTC (permalink / raw)
  To: linux-input
  Cc: linux-kernel, mika.westerberg, benjamin.tissoires, aduggan, jkosina

Hi,

my laptop uses a touchpad that needs hid-rmi along with i2c-hid to work.
i2c-hid and hid-rmi can be loaded and unloaded independently from each
other, however since 34f439e4afcd ("HID: i2c-hid: add runtime PM support")
if I unload hid-rmi and after it I also unload i2c-hid, I get a NULL
pointer dereference.

I have already reported this problem in the Bugzilla [1], but since that
report is about something else, I'm reporting this separately.

Here is the dmesg:

[   79.691459] BUG: unable to handle kernel NULL pointer dereference at           (null)
[   79.691532] IP: [<ffffffffa05bc049>] __i2c_hid_command+0x49/0x310 [i2c_hid]
[   79.691591] PGD 0 
[   79.691611] Oops: 0002 [#1] SMP 
[   79.691641] Modules linked in: ctr ccm binfmt_misc rfcomm bnep vboxpci(O) vboxnetadp(O) vboxnetflt(O) vboxdrv(O) i2c_hid(-) nfsd auth_rpcgss oid_registry nfs_acl nfs lockd grace fscache sunrpc ecb btusb uvcvideo bluetooth videobuf2_vmalloc joydev videobuf2_memops videobuf2_core hid_multitouch v4l2_common videodev usbhid media hid dell_wmi sparse_keymap arc4 nls_utf8 nls_cp437 iTCO_wdt iTCO_vendor_support intel_rapl x86_pkg_temp_thermal intel_powerclamp coretemp kvm_intel kvm crct10dif_pclmul crc32_pclmul crc32c_intel ghash_clmulni_intel iwlmvm dell_laptop dcdbas aesni_intel mac80211 aes_x86_64 glue_helper snd_hda_codec_realtek lrw gf128mul snd_hda_codec_generic ablk_helper cryptd snd_hda_codec_hdmi iwlwifi psmouse cfg80211 serio_raw sg rfkill lpc_ich mfd_core ehci_pci i2c_i801 ehci_hcd thermal wmi
[   79.692330]  battery sdhci_acpi sdhci mmc_core intel_rst snd_hda_intel snd_hda_controller snd_hda_codec snd_hwdep snd_pcm i2c_designware_platform xhci_pci i2c_designware_core xhci_hcd snd_timer usbcore snd mei_me soundcore ac evdev usb_common mei shpchp processor fuse parport_pc ppdev lp parport [last unloaded: hid_rmi]
[   79.692602] CPU: 0 PID: 2898 Comm: rmmod Tainted: G           O   3.18.0+ #1
[   79.692655] Hardware name: Dell Inc. XPS13 9333/0GFTRT, BIOS A04 03/19/2014
[   79.692705] task: ffff8801eae4a340 ti: ffff8800b4608000 task.ti: ffff8800b4608000
[   79.692758] RIP: 0010:[<ffffffffa05bc049>]  [<ffffffffa05bc049>] __i2c_hid_command+0x49/0x310 [i2c_hid]
[   79.692830] RSP: 0018:ffff8800b460bce8  EFLAGS: 00010206
[   79.692868] RAX: ffffffffa05be720 RBX: ffff880212cb2f80 RCX: 0000000000000000
[   79.692919] RDX: 0000000000000000 RSI: 0000000000000022 RDI: 0000000000000011
[   79.692968] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
[   79.693018] R10: ffff880216400000 R11: 0000000000000000 R12: 0000000000000004
[   79.693067] R13: 0000000000000000 R14: ffff880214c08400 R15: 0000000000000000
[   79.693119] FS:  00007fd597c22700(0000) GS:ffff88021f200000(0000) knlGS:0000000000000000
[   79.693175] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   79.693216] CR2: 0000000000000000 CR3: 00000000b46b5000 CR4: 00000000001407f0
[   79.693266] Stack:
[   79.693283]  ffff880215b79800 ffff880214c92b00 ffff880214c084ce ffff880212d68920
[   79.693344]  0000000000000004 ffffffff810424e1 0000000000000096 ffffffff81042855
[   79.693405]  0000000000000292 ffff8800cfe77600 0000000000000096 ffff880214c08400
[   79.693467] Call Trace:
[   79.693494]  [<ffffffff810424e1>] ? __unmask_ioapic+0x21/0x30
[   79.693537]  [<ffffffff81042855>] ? unmask_ioapic+0x25/0x40
[   79.693581]  [<ffffffffa05bc35b>] ? i2c_hid_set_power+0x4b/0xa0 [i2c_hid]
[   79.693632]  [<ffffffffa05bc3cf>] ? i2c_hid_runtime_resume+0x1f/0x30 [i2c_hid]
[   79.693689]  [<ffffffff814c08fb>] ? __rpm_callback+0x2b/0x70
[   79.693733]  [<ffffffff814c0961>] ? rpm_callback+0x21/0x90
[   79.693776]  [<ffffffff814c0dec>] ? rpm_resume+0x41c/0x600
[   79.693820]  [<ffffffff814c1e1c>] ? __pm_runtime_resume+0x4c/0x80
[   79.693868]  [<ffffffff814b8588>] ? __device_release_driver+0x28/0x100
[   79.693917]  [<ffffffff814b8d90>] ? driver_detach+0xa0/0xb0
[   79.693959]  [<ffffffff814b82cc>] ? bus_remove_driver+0x4c/0xb0
[   79.694006]  [<ffffffff810d1cfd>] ? SyS_delete_module+0x11d/0x1d0
[   79.694054]  [<ffffffff8165f107>] ? int_signal+0x12/0x17
[   79.694095]  [<ffffffff8165ee69>] ? system_call_fastpath+0x12/0x17
[   79.694139] Code: 9f c0 00 00 00 44 8b 66 08 44 0f b6 6e 0c 8b 3e 48 8b 6b 40 48 81 fe 70 e7 5b a0 0f 84 51 02 00 00 89 fe 83 c7 01 0f b6 74 33 10 <40> 88 75 00 0f b6 74 3b 10 40 88 75 01 41 83 fc 02 7e 0f 0f b6 
[   79.694422] RIP  [<ffffffffa05bc049>] __i2c_hid_command+0x49/0x310 [i2c_hid]
[   79.694478]  RSP <ffff8800b460bce8>
[   79.694503] CR2: 0000000000000000
[   79.712214] ---[ end trace e97e4d6468e56036 ]---


Regards,
Gabriele

[1] https://bugzilla.kernel.org/show_bug.cgi?id=81141

* Re: NULL pointer dereference in i2c-hid
  2014-12-10 17:04 ` Gabriele Mazzotta
@ 2014-12-11  8:58 ` Mika Westerberg
  2014-12-11 14:03   ` Mika Westerberg
  -1 siblings, 1 reply; 34+ messages in thread
From: Mika Westerberg @ 2014-12-11  8:58 UTC (permalink / raw)
  To: Gabriele Mazzotta
  Cc: linux-input, linux-kernel, benjamin.tissoires, aduggan, jkosina

On Wed, Dec 10, 2014 at 06:04:51PM +0100, Gabriele Mazzotta wrote:
> my laptop uses a touchpad that needs hid-rmi along with i2c-hid to work.
> i2c-hid and hid-rmi can be loaded and unloaded independently from each
> other, however since 34f439e4afcd ("HID: i2c-hid: add runtime PM support")
> if I unload hid-rmi and after it I also unload i2c-hid, I get a NULL
> pointer dereference.

I'll look into this.

I can reproduce this easily with i2c-hid + hid-multitouch following your
directions.


* Re: NULL pointer dereference in i2c-hid
  2014-12-11  8:58 ` Mika Westerberg
@ 2014-12-11 14:03   ` Mika Westerberg
  2014-12-11 18:16     ` Gabriele Mazzotta
  0 siblings, 1 reply; 34+ messages in thread
From: Mika Westerberg @ 2014-12-11 14:03 UTC (permalink / raw)
  To: Gabriele Mazzotta
  Cc: linux-input, linux-kernel, benjamin.tissoires, aduggan, jkosina

On Thu, Dec 11, 2014 at 10:58:01AM +0200, Mika Westerberg wrote:
> On Wed, Dec 10, 2014 at 06:04:51PM +0100, Gabriele Mazzotta wrote:
> > my laptop uses a touchpad that needs hid-rmi along with i2c-hid to work.
> > i2c-hid and hid-rmi can be loaded and unloaded independently from each
> > other, however since 34f439e4afcd ("HID: i2c-hid: add runtime PM support")
> > if I unload hid-rmi and after it I also unload i2c-hid, I get a NULL
> > pointer dereference.
> 
> I'll look into this.
> 
> I can reproduce this easily with i2c-hid + hid-multitouch following your
> directions.

Can you try the below patch? 

I think we shouldn't free buffers yet in ->stop() because we need the
command buffer sending power commands to the device. Also it seems that
->start() re-allocates buffers anyway if maximum size increases.

It shouldn't even leak memory as we release buffers at ->remove()
anyway.

diff --git a/drivers/hid/i2c-hid/i2c-hid.c b/drivers/hid/i2c-hid/i2c-hid.c
index 62cec01937ea..68a8c938feea 100644
--- a/drivers/hid/i2c-hid/i2c-hid.c
+++ b/drivers/hid/i2c-hid/i2c-hid.c
@@ -705,12 +705,7 @@ static int i2c_hid_start(struct hid_device *hid)
 
 static void i2c_hid_stop(struct hid_device *hid)
 {
-	struct i2c_client *client = hid->driver_data;
-	struct i2c_hid *ihid = i2c_get_clientdata(client);
-
 	hid->claimed = 0;
-
-	i2c_hid_free_buffers(ihid);
 }
 
 static int i2c_hid_open(struct hid_device *hid)
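Review bot: With i2c_hid_free_buffers() gone from i2c_hid_stop(), the buffers now stay allocated until ->remove(), so the hunk should carry a short comment in i2c_hid_stop() saying why they are deliberately kept: the call trace in the report shows __i2c_hid_command() reached from i2c_hid_runtime_resume() via __device_release_driver(), i.e. after ->stop() has already run, and without that comment a later cleanup could reintroduce the free. It would also help to confirm in the same change that ->remove() calls i2c_hid_free_buffers() on every path and that the ->start() reallocation path mentioned in the description releases the old buffers before allocating larger ones, since the "shouldn't even leak memory" argument relies on both.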

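To make the ordering in Mika's explanation concrete, here is an added C model of the buffer lifecycle, constructed for this thread and not the kernel's i2c-hid code: struct i2c_hid_model, hid_command(), hid_stop_before_fix(), hid_stop_after_fix() and unload_sequence() are stand-ins with assumed names, and a -EFAULT return replaces the oops so the sequence can be exercised in user space.

```c
/* Constructed model of the i2c-hid buffer lifecycle behind the oops in this
 * thread; the struct, callbacks and unload_sequence() are simplified
 * stand-ins, not the driver's code. */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct i2c_hid_model {
	unsigned char *cmdbuf;   /* command buffer used by the command path */
	unsigned char *argsbuf;  /* argument buffer, same lifetime */
	size_t bufsize;
	int claimed;
	int power_cmds_sent;
};

static int alloc_buffers(struct i2c_hid_model *ihid, size_t size)
{
	ihid->cmdbuf = calloc(1, size);
	ihid->argsbuf = calloc(1, size);
	if (!ihid->cmdbuf || !ihid->argsbuf) {
		free(ihid->cmdbuf);
		free(ihid->argsbuf);
		ihid->cmdbuf = ihid->argsbuf = NULL;
		return -ENOMEM;
	}
	ihid->bufsize = size;
	return 0;
}

/* Like i2c_hid_free_buffers(): release the buffers and NULL the pointers. */
static void free_buffers(struct i2c_hid_model *ihid)
{
	free(ihid->cmdbuf);
	free(ihid->argsbuf);
	ihid->cmdbuf = ihid->argsbuf = NULL;
	ihid->bufsize = 0;
}

/* Stand-in for __i2c_hid_command(): writes a power command into cmdbuf.
 * The kernel dereferences cmdbuf unconditionally, which is the NULL pointer
 * dereference in the report; this model returns -EFAULT instead of
 * crashing so the sequence can be checked from a test. */
static int hid_command(struct i2c_hid_model *ihid, unsigned char power_state)
{
	if (!ihid->cmdbuf || ihid->bufsize < 2)
		return -EFAULT;
	ihid->cmdbuf[0] = 0x08;        /* constructed opcode, not the spec encoding */
	ihid->cmdbuf[1] = power_state; /* 0 = on, 1 = sleep */
	ihid->power_cmds_sent++;
	return 0;
}

/* i2c_hid_runtime_resume() -> i2c_hid_set_power(): power the device on. */
static int runtime_resume(struct i2c_hid_model *ihid)
{
	return hid_command(ihid, 0);
}

/* ->start(): (re)allocates the buffers when a larger report size is needed. */
static int hid_start(struct i2c_hid_model *ihid, size_t max_report)
{
	if (max_report > ihid->bufsize) {
		free_buffers(ihid);
		return alloc_buffers(ihid, max_report);
	}
	return 0;
}

/* ->stop() before the patch in this thread: frees the buffers. */
static void hid_stop_before_fix(struct i2c_hid_model *ihid)
{
	ihid->claimed = 0;
	free_buffers(ihid);
}

/* ->stop() after the patch: the buffers outlive the HID driver binding. */
static void hid_stop_after_fix(struct i2c_hid_model *ihid)
{
	ihid->claimed = 0;
}

/* Order taken from the call trace: ->stop() runs when hid-rmi is unloaded;
 * unloading i2c-hid then enters __device_release_driver(), which resumes the
 * runtime-suspended device (runtime_resume -> set_power -> command) before
 * ->remove() finally releases the buffers. Returns the resume-time command
 * result: 0 with the fixed ->stop(), -EFAULT with the old one. */
static int unload_sequence(void (*stop)(struct i2c_hid_model *))
{
	struct i2c_hid_model ihid;
	int ret;

	memset(&ihid, 0, sizeof(ihid));
	if (hid_start(&ihid, 32))     /* probe-time allocation */
		return -ENOMEM;
	ihid.claimed = 1;
	stop(&ihid);                  /* rmmod hid-rmi */
	ret = runtime_resume(&ihid);  /* rmmod i2c-hid: device is resumed first */
	free_buffers(&ihid);          /* ->remove(): buffers released either way */
	return ret;
}

int main(void)
{
	printf("stop() frees buffers: resume returns %d\n",
	       unload_sequence(hid_stop_before_fix));
	printf("stop() keeps buffers: resume returns %d\n",
	       unload_sequence(hid_stop_after_fix));
	return 0;
}
```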

* Re: NULL pointer dereference in i2c-hid
  2014-12-11 14:03   ` Mika Westerberg
@ 2014-12-11 18:16     ` Gabriele Mazzotta
  2014-12-11 18:40         ` Andrew Duggan
  2014-12-11 18:41       ` Benjamin Tissoires
  0 siblings, 2 replies; 34+ messages in thread
From: Gabriele Mazzotta @ 2014-12-11 18:16 UTC (permalink / raw)
  To: Mika Westerberg
  Cc: linux-input, linux-kernel, benjamin.tissoires, aduggan, jkosina

On Thursday 11 December 2014 16:03:07 Mika Westerberg wrote:
> On Thu, Dec 11, 2014 at 10:58:01AM +0200, Mika Westerberg wrote:
> > On Wed, Dec 10, 2014 at 06:04:51PM +0100, Gabriele Mazzotta wrote:
> > > my laptop uses a touchpad that needs hid-rmi along with i2c-hid to work.
> > > i2c-hid and hid-rmi can be loaded and unloaded independently from each
> > > other, however since 34f439e4afcd ("HID: i2c-hid: add runtime PM support")
> > > if I unload hid-rmi and after it I also unload i2c-hid, I get a NULL
> > > pointer dereference.
> > 
> > I'll look into this.
> > 
> > I can reproduce this easily with i2c-hid + hid-multitouch following your
> > directions.
> 
> Can you try the below patch? 
> 
> I think we shouldn't free buffers yet in ->stop() because we need the
> command buffer sending power commands to the device. Also it seems that
> ->start() re-allocates buffers anyway if maximum size increases.
> 
> It shouldn't even leak memory as we release buffers at ->remove()
> anyway.
> 
> diff --git a/drivers/hid/i2c-hid/i2c-hid.c b/drivers/hid/i2c-hid/i2c-hid.c
> index 62cec01937ea..68a8c938feea 100644
> --- a/drivers/hid/i2c-hid/i2c-hid.c
> +++ b/drivers/hid/i2c-hid/i2c-hid.c
> @@ -705,12 +705,7 @@ static int i2c_hid_start(struct hid_device *hid)
>  
>  static void i2c_hid_stop(struct hid_device *hid)
>  {
> -	struct i2c_client *client = hid->driver_data;
> -	struct i2c_hid *ihid = i2c_get_clientdata(client);
> -
>  	hid->claimed = 0;
> -
> -	i2c_hid_free_buffers(ihid);
>  }
>  
>  static int i2c_hid_open(struct hid_device *hid)

Yes, it works, thanks.

This change seems to also prevent a kernel oops when I unload either
i2c-hid or i2c-designware-platform while the touchpad is in use,
something that is likely to happen because of the other bug I reported.

Speaking of it, does any of you have any suggestion on how to debug it?


* Re: NULL pointer dereference in i2c-hid
  2014-12-11 18:16     ` Gabriele Mazzotta
@ 2014-12-11 18:40         ` Andrew Duggan
  2014-12-11 18:41       ` Benjamin Tissoires
  1 sibling, 0 replies; 34+ messages in thread
From: Andrew Duggan @ 2014-12-11 18:40 UTC (permalink / raw)
  To: Gabriele Mazzotta, Mika Westerberg
  Cc: linux-input, linux-kernel, benjamin.tissoires, jkosina

On 12/11/2014 10:16 AM, Gabriele Mazzotta wrote:
> On Thursday 11 December 2014 16:03:07 Mika Westerberg wrote:
>> On Thu, Dec 11, 2014 at 10:58:01AM +0200, Mika Westerberg wrote:
>>> On Wed, Dec 10, 2014 at 06:04:51PM +0100, Gabriele Mazzotta wrote:
>>>> my laptop uses a touchpad that needs hid-rmi along with i2c-hid to work.
>>>> i2c-hid and hid-rmi can be loaded and unloaded independently from each
>>>> other, however since 34f439e4afcd ("HID: i2c-hid: add runtime PM support")
>>>> if I unload hid-rmi and after it I also unload i2c-hid, I get a NULL
>>>> pointer dereference.
>>> I'll look into this.
>>>
>>> I can reproduce this easily with i2c-hid + hid-multitouch following your
>>> directions.
>> Can you try the below patch?
>>
>> I think we shouldn't free buffers yet in ->stop() because we need the
>> command buffer sending power commands to the device. Also it seems that
>> ->start() re-allocates buffers anyway if maximum size increases.
>>
>> It shouldn't even leak memory as we release buffers at ->remove()
>> anyway.
>>
>> diff --git a/drivers/hid/i2c-hid/i2c-hid.c b/drivers/hid/i2c-hid/i2c-hid.c
>> index 62cec01937ea..68a8c938feea 100644
>> --- a/drivers/hid/i2c-hid/i2c-hid.c
>> +++ b/drivers/hid/i2c-hid/i2c-hid.c
>> @@ -705,12 +705,7 @@ static int i2c_hid_start(struct hid_device *hid)
>>   
>>   static void i2c_hid_stop(struct hid_device *hid)
>>   {
>> -	struct i2c_client *client = hid->driver_data;
>> -	struct i2c_hid *ihid = i2c_get_clientdata(client);
>> -
>>   	hid->claimed = 0;
>> -
>> -	i2c_hid_free_buffers(ihid);
>>   }
>>   
>>   static int i2c_hid_open(struct hid_device *hid)
> Yes, it works, thanks.
>
> This change seems to also prevent a kernel oops when I unload either
> i2c-hid or i2c-designware-platform while the touchpad is in use,
> something that is likely to happen because of the other bug I reported.
>
> Speaking of it, does any of you have any suggestion on how to debug it?
I was able to reproduce the initial issue by unloading hid-rmi and 
i2c-hid while holding my fingers on the touchpad. Mika's patch fixes it 
for me.

For the original bug, you can modprobe i2c-hid debug=1 and we can see 
what data the touchpad is reporting. That might help narrow down if 
it's noise which the touchpad thinks are fingers or if there is a 
problem with the I2C lines causing spurious interrupts.

Andrew

* Re: NULL pointer dereference in i2c-hid
  2014-12-11 18:16     ` Gabriele Mazzotta
  2014-12-11 18:40         ` Andrew Duggan
@ 2014-12-11 18:41       ` Benjamin Tissoires
  2014-12-11 19:25         ` Gabriele Mazzotta
  1 sibling, 1 reply; 34+ messages in thread
From: Benjamin Tissoires @ 2014-12-11 18:41 UTC (permalink / raw)
  To: Gabriele Mazzotta
  Cc: Mika Westerberg, linux-input, linux-kernel, Benjamin Tissoires,
	Andrew Duggan, Jiri Kosina

On Thu, Dec 11, 2014 at 1:16 PM, Gabriele Mazzotta
<gabriele.mzt@gmail.com> wrote:
> On Thursday 11 December 2014 16:03:07 Mika Westerberg wrote:
>> On Thu, Dec 11, 2014 at 10:58:01AM +0200, Mika Westerberg wrote:
>> > On Wed, Dec 10, 2014 at 06:04:51PM +0100, Gabriele Mazzotta wrote:
>> > > my laptop uses a touchpad that needs hid-rmi along with i2c-hid to work.
>> > > i2c-hid and hid-rmi can be loaded and unloaded independently from each
>> > > other, however since 34f439e4afcd ("HID: i2c-hid: add runtime PM support")
>> > > if I unload hid-rmi and after it I also unload i2c-hid, I get a NULL
>> > > pointer dereference.
>> >
>> > I'll look into this.
>> >
>> > I can reproduce this easily with i2c-hid + hid-multitouch following your
>> > directions.
>>
>> Can you try the below patch?
>>
>> I think we shouldn't free buffers yet in ->stop() because we need the
>> command buffer sending power commands to the device. Also it seems that
>> ->start() re-allocates buffers anyway if maximum size increases.
>>
>> It shouldn't even leak memory as we release buffers at ->remove()
>> anyway.
>>
>> diff --git a/drivers/hid/i2c-hid/i2c-hid.c b/drivers/hid/i2c-hid/i2c-hid.c
>> index 62cec01937ea..68a8c938feea 100644
>> --- a/drivers/hid/i2c-hid/i2c-hid.c
>> +++ b/drivers/hid/i2c-hid/i2c-hid.c
>> @@ -705,12 +705,7 @@ static int i2c_hid_start(struct hid_device *hid)
>>
>>  static void i2c_hid_stop(struct hid_device *hid)
>>  {
>> -     struct i2c_client *client = hid->driver_data;
>> -     struct i2c_hid *ihid = i2c_get_clientdata(client);
>> -
>>       hid->claimed = 0;
>> -
>> -     i2c_hid_free_buffers(ihid);
>>  }
>>
>>  static int i2c_hid_open(struct hid_device *hid)

Mika,

you can add my Rev-by when submitting this patch to the mailing list.


>
> Yes, it works, thanks.
>
> This change seems to also prevent a kernel oops when I unload either
> i2c-hid or i2c-designware-platform while the touchpad is in use,
> something that is likely to happen because of the other bug I reported.
>
> Speaking of it, does any of you have any suggestion on how to debug it?

Hehe, I coincidentally just replied to your bug with one patch to try
(that was proposed by the intel folks back in May[1]).
The powertop problem is IMO really worrying because the purpose of
i2c_hid was to reduce power consumption :)

Anyway, thanks for the quick test.

Cheers,
Benjamin

[1] https://patchwork.kernel.org/patch/4133771/


* Re: NULL pointer dereference in i2c-hid
  2014-12-11 18:40         ` Andrew Duggan
@ 2014-12-11 19:11         ` Gabriele Mazzotta
  2014-12-11 19:21             ` Andrew Duggan
  -1 siblings, 1 reply; 34+ messages in thread
From: Gabriele Mazzotta @ 2014-12-11 19:11 UTC (permalink / raw)
  To: Andrew Duggan
  Cc: Mika Westerberg, linux-input, linux-kernel, benjamin.tissoires, jkosina

On Thursday 11 December 2014 10:40:05 Andrew Duggan wrote:
> On 12/11/2014 10:16 AM, Gabriele Mazzotta wrote:
> > On Thursday 11 December 2014 16:03:07 Mika Westerberg wrote:
> >> On Thu, Dec 11, 2014 at 10:58:01AM +0200, Mika Westerberg wrote:
> >>> On Wed, Dec 10, 2014 at 06:04:51PM +0100, Gabriele Mazzotta wrote:
> >>>> my laptop uses a touchpad that needs hid-rmi along with i2c-hid to work.
> >>>> i2c-hid and hid-rmi can be loaded and unloaded independently from each
> >>>> other, however since 34f439e4afcd ("HID: i2c-hid: add runtime PM support")
> >>>> if I unload hid-rmi and after it I also unload i2c-hid, I get a NULL
> >>>> pointer dereference.
> >>> I'll look into this.
> >>>
> >>> I can reproduce this easily with i2c-hid + hid-multitouch following your
> >>> directions.
> >> Can you try the below patch?
> >>
> >> I think we shouldn't free buffers yet in ->stop() because we need the
> >> command buffer sending power commands to the device. Also it seems that
> >> ->start() re-allocates buffers anyway if maximum size increases.
> >>
> >> It shouldn't even leak memory as we release buffers at ->remove()
> >> anyway.
> >>
> >> diff --git a/drivers/hid/i2c-hid/i2c-hid.c b/drivers/hid/i2c-hid/i2c-hid.c
> >> index 62cec01937ea..68a8c938feea 100644
> >> --- a/drivers/hid/i2c-hid/i2c-hid.c
> >> +++ b/drivers/hid/i2c-hid/i2c-hid.c
> >> @@ -705,12 +705,7 @@ static int i2c_hid_start(struct hid_device *hid)
> >>   
> >>   static void i2c_hid_stop(struct hid_device *hid)
> >>   {
> >> -	struct i2c_client *client = hid->driver_data;
> >> -	struct i2c_hid *ihid = i2c_get_clientdata(client);
> >> -
> >>   	hid->claimed = 0;
> >> -
> >> -	i2c_hid_free_buffers(ihid);
> >>   }
> >>   
> >>   static int i2c_hid_open(struct hid_device *hid)
> > Yes, it works, thanks.
> >
> > This change seems to also prevent a kernel oops when I unload either
> > i2c-hid or i2c-designware-platform while the touchpad is in use,
> > something that is likely to happen because of the other bug I reported.
> >
> > Speaking of it, does any of you have any suggestion on how to debug it?
> I was able to reproduce the initial issue by unloading hid-rmi and 
> i2c-hid while holding my fingers on the touchpad. Mika's patch fixes it 
> for me.
> 
> For the original bug, you can modprobe i2c-hid debug=1 and we can see 
> what data the touchpad is reporting. That might help narrow down if 
> it's noise which the touchpad thinks are fingers or if there is a 
> problem with the I2C lines causing spurious interrupts.
> 
> Andrew

I've already tried to do that and here is what I got:

When I release the finger, the last message is repeated 81 times.
If the byte containing information about the width of the finger
becomes equal to either c0 or 0c at least once, the last message is
repeated indefinitely and changes as soon as I start using the touchpad.
The only way to stop it is to unload and reload i2c-hid.


* Re: NULL pointer dereference in i2c-hid
  2014-12-11 19:11         ` Gabriele Mazzotta
@ 2014-12-11 19:21             ` Andrew Duggan
  0 siblings, 0 replies; 34+ messages in thread
From: Andrew Duggan @ 2014-12-11 19:21 UTC (permalink / raw)
  To: Gabriele Mazzotta
  Cc: Mika Westerberg, linux-input, linux-kernel, benjamin.tissoires, jkosina

On 12/11/2014 11:11 AM, Gabriele Mazzotta wrote:
> On Thursday 11 December 2014 10:40:05 Andrew Duggan wrote:
>> On 12/11/2014 10:16 AM, Gabriele Mazzotta wrote:
>>> On Thursday 11 December 2014 16:03:07 Mika Westerberg wrote:
>>>> On Thu, Dec 11, 2014 at 10:58:01AM +0200, Mika Westerberg wrote:
>>>>> On Wed, Dec 10, 2014 at 06:04:51PM +0100, Gabriele Mazzotta wrote:
>>>>>> my laptop uses a touchpad that needs hid-rmi along with i2c-hid to work.
>>>>>> i2c-hid and hid-rmi can be loaded and unloaded independently from each
>>>>>> other, however since 34f439e4afcd ("HID: i2c-hid: add runtime PM support")
>>>>>> if I unload hid-rmi and after it I also unload i2c-hid, I get a NULL
>>>>>> pointer dereference.
>>>>> I'll look into this.
>>>>>
>>>>> I can reproduce this easily with i2c-hid + hid-multitouch following your
>>>>> directions.
>>>> Can you try the below patch?
>>>>
>>>> I think we shouldn't free buffers yet in ->stop() because we need the
>>>> command buffer sending power commands to the device. Also it seems that
>>>> ->start() re-allocates buffers anyway if maximum size increases.
>>>>
>>>> It shouldn't even leak memory as we release buffers at ->remove()
>>>> anyway.
>>>>
>>>> diff --git a/drivers/hid/i2c-hid/i2c-hid.c b/drivers/hid/i2c-hid/i2c-hid.c
>>>> index 62cec01937ea..68a8c938feea 100644
>>>> --- a/drivers/hid/i2c-hid/i2c-hid.c
>>>> +++ b/drivers/hid/i2c-hid/i2c-hid.c
>>>> @@ -705,12 +705,7 @@ static int i2c_hid_start(struct hid_device *hid)
>>>>    
>>>>    static void i2c_hid_stop(struct hid_device *hid)
>>>>    {
>>>> -	struct i2c_client *client = hid->driver_data;
>>>> -	struct i2c_hid *ihid = i2c_get_clientdata(client);
>>>> -
>>>>    	hid->claimed = 0;
>>>> -
>>>> -	i2c_hid_free_buffers(ihid);
>>>>    }
>>>>    
>>>>    static int i2c_hid_open(struct hid_device *hid)
>>> Yes, it works, thanks.
>>>
>>> This change seems to also prevent a kernel oops when I unload either
>>> i2c-hid or i2c-designware-platform while the touchpad is in use,
>>> something that is likely to happen because of the other bug I reported.
>>>
>>> Speaking of it, does any of you have any suggestion on how to debug it?
>> I was able to reproduce the initial issue by unloading hid-rmi and
>> i2c-hid while holding my fingers on the touchpad. Mika's patch fixes it
>> for me.
>>
>> For the original bug, you can modprobe i2c-hid debug=1 and we can see
>> what data the touchpad is reporting. That might help narrow down if
>> it's noise which the touchpad thinks are fingers or if there is a
>> problem with the I2C lines causing spurious interrupts.
>>
>> Andrew
> I've already tried to do that and here is what I got:
>
> When I release the finger, the last message is repeated 81 times.
> If the byte containing information about the width of the finger
> becomes equal to either c0 or 0c at least once, the last message is
> repeated indefinitely and changes as soon as I start using the touchpad.
> The only way to stop it is to unload and reload i2c-hid.
The reports before log throttling kicks in would still be useful. For 
instance c0 is outside of the range of finger width which we report so 
something is wrong there. But, the touchpad should stop interrupting 
once the finger is lifted. The fact that subsequent reads are reporting 
the same data does sound like a problem with I2C getting confused and 
continuously interrupting and reading the old finger data. I am also 
curious about the value of the byte after the report id.

Andrew

^ permalink raw reply	[flat|nested] 34+ messages in thread

* Re: NULL pointer dereference in i2c-hid
@ 2014-12-11 19:21             ` Andrew Duggan
  0 siblings, 0 replies; 34+ messages in thread
From: Andrew Duggan @ 2014-12-11 19:21 UTC (permalink / raw)
  To: Gabriele Mazzotta
  Cc: Mika Westerberg, linux-input, linux-kernel, benjamin.tissoires, jkosina

On 12/11/2014 11:11 AM, Gabriele Mazzotta wrote:
> On Thursday 11 December 2014 10:40:05 Andrew Duggan wrote:
>> On 12/11/2014 10:16 AM, Gabriele Mazzotta wrote:
>>> On Thursday 11 December 2014 16:03:07 Mika Westerberg wrote:
>>>> On Thu, Dec 11, 2014 at 10:58:01AM +0200, Mika Westerberg wrote:
>>>>> On Wed, Dec 10, 2014 at 06:04:51PM +0100, Gabriele Mazzotta wrote:
>>>>>> my laptop uses a touchpad that needs hid-rmi along with i2c-hid to work.
>>>>>> i2c-hid and hid-rmi can be loaded and unloaded independelty from each
>>>>>> other, however since 34f439e4afcd ("HID: i2c-hid: add runtime PM support")
>>>>>> if I unload hid-rmi and after it I also unload i2c-hid, I get a NULL
>>>>>> pointer dereference.
>>>>> I'll look into this.
>>>>>
>>>>> I can reproduce this easily with i2c-hid + hid-multitouch following your
>>>>> directions.
>>>> Can you try the below patch?
>>>>
>>>> I think we shouldn't free buffers yet in ->stop() because we need the
>>>> command buffer sending power commands to the device. Also it seems that
>>>> ->start() re-allocates buffers anyway if maximum size increases.
>>>>
>>>> It shouldn't even leak memory as we release buffers at ->remove()
>>>> anyway.
>>>>
>>>> diff --git a/drivers/hid/i2c-hid/i2c-hid.c b/drivers/hid/i2c-hid/i2c-hid.c
>>>> index 62cec01937ea..68a8c938feea 100644
>>>> --- a/drivers/hid/i2c-hid/i2c-hid.c
>>>> +++ b/drivers/hid/i2c-hid/i2c-hid.c
>>>> @@ -705,12 +705,7 @@ static int i2c_hid_start(struct hid_device *hid)
>>>>    
>>>>    static void i2c_hid_stop(struct hid_device *hid)
>>>>    {
>>>> -	struct i2c_client *client = hid->driver_data;
>>>> -	struct i2c_hid *ihid = i2c_get_clientdata(client);
>>>> -
>>>>    	hid->claimed = 0;
>>>> -
>>>> -	i2c_hid_free_buffers(ihid);
>>>>    }
>>>>    
>>>>    static int i2c_hid_open(struct hid_device *hid)
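Review bot: the reason it is safe to stop freeing here is stated only in the mail body (the command buffer is still needed for the power commands sent after ->stop(), ->start() re-allocates when the maximum report size grows, and ->remove() releases the buffers), so it belongs in the commit message, together with a Fixes: tag for 34f439e4afcd ("HID: i2c-hid: add runtime PM support"), the commit the reporter traced the oops to. A one-line comment in i2c_hid_stop() saying the buffers are intentionally kept until ->remove() would also keep the free from being re-added later. The hunk header (-705,12 +705,7) matches the five removed lines, and removing both locals together with the i2c_hid_free_buffers() call leaves nothing unused in the function.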
>>> Yes, it works, thanks.
>>>
>>> This change seems to also prevent kernel ooops when I unload either
>>> i2c-hid or i2c-designware-platform while the touchpad is in use,
>>> thing that is likely to happen because of the other bug I reported.
>>>
>>> Speaking of it, does any of you have any suggestion on how to debug it?
>> I was able to reproduce the initial issue by unloading hid-rmi and
>> i2c-hid while holding my fingers on the touchpad. Mika's patch fixes it
>> for me.
>>
>> For the original bug, you can modprobe i2c-hid debug=1 and we can see
>> what data the touchpad is reporting. That might help narrowing down if
>> it's noise which the touchpad thinks are fingers or if there is a
>> problem with the I2C lines causing spurious interrupts.
>>
>> Andrew
> I've already tried to do that and here what I got:
>
> When I release the finger, the last message is repeated 81 times.
> If the byte containing informations about the width of the finger
> becomes equal to either c0 or 0c at least once, the last message is
> repeated indefinitely and changes as soon as I start using the touchpad.
> The only way to stop it is to unload and reload i2c-hid.
The reports before log throttling kicks in would still be useful. For 
instance c0 is outside of the range of finger width which we report so 
something is wrong there. But, the touchpad should stop interrupting 
once the finger is lifted. The fact that subsequent reads are reporting 
the same data does sound like a problem with I2C getting confused and 
continuously interrupting and reading the old finger data. I am also 
curious about the value of the byte after the report id.

Andrew

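Mika's reasoning in the message above (keep the buffers through ->stop() because the runtime-PM power commands still need the command buffer; ->start() re-allocates only when the maximum report size grows; ->remove() frees) can be replayed in a small user-space model. The following C program is an added example, not i2c-hid code or anything from this thread: the `model_*` names and the buffer sizes 32 and 64 are invented for it, and where the kernel oopses on the NULL command buffer the model returns -EFAULT (14) so that the sequence can run to the end.

```c
/* Added example: user-space model of the i2c-hid buffer lifecycle that the
 * patch above changes. Not kernel code; the model_* names are invented. */
#include <stdlib.h>
#include <string.h>

#define MODEL_ENOMEM 12
#define MODEL_EFAULT 14

static int live_allocations;        /* leak detector for the model */

struct model_ihid {
    unsigned char *cmdbuf;          /* command buffer: power commands are built here */
    unsigned char *inbuf;           /* input report buffer */
    size_t bufsize;
};

static int model_alloc_buffers(struct model_ihid *ihid, size_t size)
{
    ihid->cmdbuf = malloc(size);
    ihid->inbuf = malloc(size);
    if (!ihid->cmdbuf || !ihid->inbuf) {
        free(ihid->cmdbuf);
        free(ihid->inbuf);
        ihid->cmdbuf = ihid->inbuf = NULL;
        return -MODEL_ENOMEM;
    }
    live_allocations += 2;
    ihid->bufsize = size;
    return 0;
}

static void model_free_buffers(struct model_ihid *ihid)
{
    live_allocations -= (ihid->cmdbuf != NULL) + (ihid->inbuf != NULL);
    free(ihid->cmdbuf);
    free(ihid->inbuf);
    ihid->cmdbuf = ihid->inbuf = NULL;
    ihid->bufsize = 0;
}

/* ->probe(): buffers live for the whole device lifetime. */
static int model_probe(struct model_ihid *ihid, size_t size)
{
    memset(ihid, 0, sizeof(*ihid));
    return model_alloc_buffers(ihid, size);
}

/* ->start(): a HID driver (hid-rmi, hid-multitouch) binds; the buffers only
 * grow when that driver's largest report needs more room. */
static int model_start(struct model_ihid *ihid, size_t max_report)
{
    if (max_report <= ihid->bufsize)
        return 0;
    model_free_buffers(ihid);
    return model_alloc_buffers(ihid, max_report);
}

/* ->stop(): the HID driver unbinds. free_in_stop=1 is the pre-patch
 * behaviour, free_in_stop=0 the patched one (buffers kept until remove). */
static void model_stop(struct model_ihid *ihid, int free_in_stop)
{
    if (free_in_stop)
        model_free_buffers(ihid);
}

/* Power command as sent by the runtime-PM path. The real driver writes
 * through the command buffer unconditionally and oopses when it is NULL;
 * the model reports -EFAULT instead so the sequence can finish. */
static int model_set_power(struct model_ihid *ihid, unsigned char state)
{
    if (!ihid->cmdbuf)
        return -MODEL_EFAULT;
    ihid->cmdbuf[0] = state;
    return 0;
}

static void model_remove(struct model_ihid *ihid)
{
    model_free_buffers(ihid);
}

/* Replays the reporter's sequence: probe, bind a HID driver, unbind it
 * (->stop), then unload i2c-hid, whose PM path sends a power command before
 * ->remove(). Returns the power command's result: 0 or -EFAULT. */
int run_unload_sequence(int free_in_stop)
{
    struct model_ihid ihid;
    int ret;

    if (model_probe(&ihid, 32) < 0)
        return -MODEL_ENOMEM;
    if (model_start(&ihid, 64) < 0) {       /* larger reports: buffers grow */
        model_remove(&ihid);
        return -MODEL_ENOMEM;
    }
    model_stop(&ihid, free_in_stop);
    ret = model_set_power(&ihid, 1);        /* cmdbuf is already NULL here pre-patch */
    model_remove(&ihid);
    return ret;
}

/* Buffers still allocated after the sequence; 0 means ->remove() freed
 * everything, i.e. keeping the buffers through ->stop() does not leak. */
int leaked_buffers_after(int free_in_stop)
{
    live_allocations = 0;
    run_unload_sequence(free_in_stop);
    return live_allocations;
}
```

`run_unload_sequence(1)` is the pre-patch policy and fails at the power command; `run_unload_sequence(0)` is the patched policy and succeeds, and `leaked_buffers_after()` is 0 for both, which is the "no leak" part of the argument: ownership of the buffers follows probe/remove, not the HID driver's start/stop.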

* Re: NULL pointer dereference in i2c-hid
  2014-12-11 18:41       ` Benjamin Tissoires
@ 2014-12-11 19:25         ` Gabriele Mazzotta
  0 siblings, 0 replies; 34+ messages in thread
From: Gabriele Mazzotta @ 2014-12-11 19:25 UTC (permalink / raw)
  To: Benjamin Tissoires
  Cc: Mika Westerberg, linux-input, linux-kernel, Benjamin Tissoires,
	Andrew Duggan, Jiri Kosina

On Thursday 11 December 2014 13:41:57 Benjamin Tissoires wrote:
> On Thu, Dec 11, 2014 at 1:16 PM, Gabriele Mazzotta
> <gabriele.mzt@gmail.com> wrote:
> > On Thursday 11 December 2014 16:03:07 Mika Westerberg wrote:
> >> On Thu, Dec 11, 2014 at 10:58:01AM +0200, Mika Westerberg wrote:
> >> > On Wed, Dec 10, 2014 at 06:04:51PM +0100, Gabriele Mazzotta wrote:
> >> > > my laptop uses a touchpad that needs hid-rmi along with i2c-hid to work.
> >> > > i2c-hid and hid-rmi can be loaded and unloaded independelty from each
> >> > > other, however since 34f439e4afcd ("HID: i2c-hid: add runtime PM support")
> >> > > if I unload hid-rmi and after it I also unload i2c-hid, I get a NULL
> >> > > pointer dereference.
> >> >
> >> > I'll look into this.
> >> >
> >> > I can reproduce this easily with i2c-hid + hid-multitouch following your
> >> > directions.
> >>
> >> Can you try the below patch?
> >>
> >> I think we shouldn't free buffers yet in ->stop() because we need the
> >> command buffer sending power commands to the device. Also it seems that
> >> ->start() re-allocates buffers anyway if maximum size increases.
> >>
> >> It shouldn't even leak memory as we release buffers at ->remove()
> >> anyway.
> >>
> >> diff --git a/drivers/hid/i2c-hid/i2c-hid.c b/drivers/hid/i2c-hid/i2c-hid.c
> >> index 62cec01937ea..68a8c938feea 100644
> >> --- a/drivers/hid/i2c-hid/i2c-hid.c
> >> +++ b/drivers/hid/i2c-hid/i2c-hid.c
> >> @@ -705,12 +705,7 @@ static int i2c_hid_start(struct hid_device *hid)
> >>
> >>  static void i2c_hid_stop(struct hid_device *hid)
> >>  {
> >> -     struct i2c_client *client = hid->driver_data;
> >> -     struct i2c_hid *ihid = i2c_get_clientdata(client);
> >> -
> >>       hid->claimed = 0;
> >> -
> >> -     i2c_hid_free_buffers(ihid);
> >>  }
> >>
> >>  static int i2c_hid_open(struct hid_device *hid)
> 
> Mika,
> 
> you can add my Rev-by when submitting this patch to the mailing list.
> 
> 
> >
> > Yes, it works, thanks.
> >
> > This change seems to also prevent kernel ooops when I unload either
> > i2c-hid or i2c-designware-platform while the touchpad is in use,
> > thing that is likely to happen because of the other bug I reported.
> >
> > Speaking of it, does any of you have any suggestion on how to debug it?
> 
> Hehe, I coincidentally just replied to your bug with one patch to try
> (that was proposed by the intel folks back in May[1]).
> The powertop problem is IMO really worrying because the purpose of
> i2c_hid was to reduce power consumption :)
> 
> Anyway, thanks for the quick test.
> 
> Cheers,
> Benjamin
> 
> [1] https://patchwork.kernel.org/patch/4133771/

Thanks for the reply.

It is sad that using the touchpad as a PS/2 device gives me better
battery life. What makes me use hid-rmi is that the touchpad works
definitely better with it (the touchpad is more reactive, the min/max range
is correct and palm detection takes into account the width of the fingers).
The only other advantage of using the touchpad as a PS/2 device (maybe a
disadvantage for someone else) is that the keyboard illumination is
automatically turned on when the touchpad is in use. For some reason
it doesn't happen with hid-rmi, but that's really not a problem.

Anyway, I tried the patch and unfortunately it makes no difference.

Gabriele


* Re: NULL pointer dereference in i2c-hid
  2014-12-11 19:21             ` Andrew Duggan
  (?)
@ 2014-12-11 19:40             ` Gabriele Mazzotta
  2014-12-11 20:46                 ` Andrew Duggan
  -1 siblings, 1 reply; 34+ messages in thread
From: Gabriele Mazzotta @ 2014-12-11 19:40 UTC (permalink / raw)
  To: Andrew Duggan
  Cc: Mika Westerberg, linux-input, linux-kernel, benjamin.tissoires, jkosina

On Thursday 11 December 2014 11:21:43 Andrew Duggan wrote:
> On 12/11/2014 11:11 AM, Gabriele Mazzotta wrote:
> > On Thursday 11 December 2014 10:40:05 Andrew Duggan wrote:
> >> On 12/11/2014 10:16 AM, Gabriele Mazzotta wrote:
> >>> On Thursday 11 December 2014 16:03:07 Mika Westerberg wrote:
> >>>> On Thu, Dec 11, 2014 at 10:58:01AM +0200, Mika Westerberg wrote:
> >>>>> On Wed, Dec 10, 2014 at 06:04:51PM +0100, Gabriele Mazzotta wrote:
> >>>>>> my laptop uses a touchpad that needs hid-rmi along with i2c-hid to work.
> >>>>>> i2c-hid and hid-rmi can be loaded and unloaded independelty from each
> >>>>>> other, however since 34f439e4afcd ("HID: i2c-hid: add runtime PM support")
> >>>>>> if I unload hid-rmi and after it I also unload i2c-hid, I get a NULL
> >>>>>> pointer dereference.
> >>>>> I'll look into this.
> >>>>>
> >>>>> I can reproduce this easily with i2c-hid + hid-multitouch following your
> >>>>> directions.
> >>>> Can you try the below patch?
> >>>>
> >>>> I think we shouldn't free buffers yet in ->stop() because we need the
> >>>> command buffer sending power commands to the device. Also it seems that
> >>>> ->start() re-allocates buffers anyway if maximum size increases.
> >>>>
> >>>> It shouldn't even leak memory as we release buffers at ->remove()
> >>>> anyway.
> >>>>
> >>>> diff --git a/drivers/hid/i2c-hid/i2c-hid.c b/drivers/hid/i2c-hid/i2c-hid.c
> >>>> index 62cec01937ea..68a8c938feea 100644
> >>>> --- a/drivers/hid/i2c-hid/i2c-hid.c
> >>>> +++ b/drivers/hid/i2c-hid/i2c-hid.c
> >>>> @@ -705,12 +705,7 @@ static int i2c_hid_start(struct hid_device *hid)
> >>>>    
> >>>>    static void i2c_hid_stop(struct hid_device *hid)
> >>>>    {
> >>>> -	struct i2c_client *client = hid->driver_data;
> >>>> -	struct i2c_hid *ihid = i2c_get_clientdata(client);
> >>>> -
> >>>>    	hid->claimed = 0;
> >>>> -
> >>>> -	i2c_hid_free_buffers(ihid);
> >>>>    }
> >>>>    
> >>>>    static int i2c_hid_open(struct hid_device *hid)
> >>> Yes, it works, thanks.
> >>>
> >>> This change seems to also prevent kernel ooops when I unload either
> >>> i2c-hid or i2c-designware-platform while the touchpad is in use,
> >>> thing that is likely to happen because of the other bug I reported.
> >>>
> >>> Speaking of it, does any of you have any suggestion on how to debug it?
> >> I was able to reproduce the initial issue by unloading hid-rmi and
> >> i2c-hid while holding my fingers on the touchpad. Mika's patch fixes it
> >> for me.
> >>
> >> For the original bug, you can modprobe i2c-hid debug=1 and we can see
> >> what data the touchpad is reporting. That might help narrowing down if
> >> it's noise which the touchpad thinks are fingers or if there is a
> >> problem with the I2C lines causing spurious interrupts.
> >>
> >> Andrew
> > I've already tried to do that and here what I got:
> >
> > When I release the finger, the last message is repeated 81 times.
> > If the byte containing informations about the width of the finger
> > becomes equal to either c0 or 0c at least once, the last message is
> > repeated indefinitely and changes as soon as I start using the touchpad.
> > The only way to stop it is to unload and reload i2c-hid.
> The reports before log throttling kicks in would still be useful. For 
> instance c0 is outside of the range of finger width which we report so 
> something is wrong there. But, the touchpad should stop interrupting 
> once the finger is lifted. The fact that subsequent reads are reporting 
> the same data does sound like a problem with I2C getting confused and 
> continuously interrupting and reading the old finger data. I am also 
> curious about the value of the byte after the report id.
> 
> Andrew

If I'm not wrong, c0 means that the width is 12 on the y axis, while 0c means
that the width is 12 on the x axis.

I have to correct myself. The important thing is that the byte is either
cx or xc, where x is anything below c.

Another correction. Sometimes unloading i2c-hid is not enough; I have to
first disable the touchpad with xinput and then unload i2c-hid. If I
don't do it, the messages start reappearing as soon as I reload i2c-hid.

I did several tests in the past months and I'm quite sure that the bug
happens only past xc/cy.

Here are a few lines from right before the bug. The last line is repeated indefinitely:

[ 1983.527097] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 67 5b 61 0a 5f 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 1983.537211] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 67 5b 63 0a 60 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 1983.547329] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 67 5b 64 0a 60 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 1983.557486] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 67 5b 66 0a 60 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 1983.567663] i2c_hid i2c-DLL060A:00: input: 20 00 0c 0c 01 00 67 5b 68 0a 60 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 1983.577719] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 67 5b 6a 0a 61 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 1983.587852] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 67 5b 6b 0a 61 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 1983.598001] i2c_hid i2c-DLL060A:00: input: 20 00 0c 0c 01 00 67 5b 6e 0a 62 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 1983.608215] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 68 5b 61 0a 62 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 1983.618288] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 68 5b 64 0b 63 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 1983.628493] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 68 5b 67 0b 63 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 1983.638552] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 68 5b 69 0b 64 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 1983.648663] i2c_hid i2c-DLL060A:00: input: 20 00 0c 0c 01 00 68 5b 6c 0b 64 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 1983.658789] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 68 5b 6f 0b 64 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 1983.668923] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 69 5b 61 0b 65 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 1983.678819] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 69 5b 64 0b 65 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 1983.689230] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 69 5b 66 0b 65 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 1983.699435] i2c_hid i2c-DLL060A:00: input: 20 00 0c 0c 01 00 69 5b 68 0b 65 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 1983.709502] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 69 5b 6a 0b 66 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 1983.719574] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 69 5b 6c 0b 66 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 1983.729713] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 69 5b 6e 0b 66 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 1983.739863] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 6a 5b 60 0b 66 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 1983.750001] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 6a 5b 62 0b 66 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 1983.760150] i2c_hid i2c-DLL060A:00: input: 20 00 0c 0c 01 00 6a 5b 64 0b 67 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 1983.770291] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 6a 5b 66 0b 67 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 1983.780445] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 6a 5b 68 0b 67 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 1983.790490] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 6a 5b 5a 0b 68 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 1983.800667] i2c_hid i2c-DLL060A:00: input: 20 00 0c 0c 01 00 6a 5b 4e 0c 69 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 1983.810691] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 6b 5b 31 0c 69 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 1983.820963] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 6b 5b 24 0c 6a 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 1983.831071] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 6b 5b 17 0c 6a 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 1983.841178] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 6b 5b 09 0c 6a 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 1983.851325] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 6b 5b 0b 0c 6b 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 1983.861435] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 6b 5b 0d 0c 6b 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 1983.871566] i2c_hid i2c-DLL060A:00: input: 20 00 0c 0c 01 00 6b 5b 0f 0c 6b 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 1983.881735] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 6c 5b 01 0c 6b 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 1983.891975] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 6c 5b 03 0c 6b 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 1983.902073] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 6c 5b 05 0c 6c 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 1983.912155] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 6c 5b 07 0c 6b 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 1983.922224] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 6c 5b 09 0c 6c 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 1983.932364] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 6c 5b 0b 0c 6c 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 1983.942480] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 6c 5b 0d 0c 6c 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 1983.952612] i2c_hid i2c-DLL060A:00: input: 20 00 0c 0c 01 00 6c 5b 0f 0c 6c 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 1983.962774] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 6d 5a f1 0d 6d 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 1983.972932] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 6d 5a f3 0d 6e 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 1983.982872] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 6d 5a f6 0d 6f 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 1983.993194] i2c_hid i2c-DLL060A:00: input: 20 00 0c 0c 01 00 6d 5a f9 0d 6f 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 1984.003295] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 6d 5a fc 0d 6f 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 1984.013511] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 6d 5a ff 0d 70 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 1984.023590] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 6e 5a f2 0d 70 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 1984.033747] i2c_hid i2c-DLL060A:00: input: 20 00 0c 0c 01 00 6e 5a f5 0e 71 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 1984.043850] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 6e 5a f8 0e 71 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 1984.053873] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 6e 5a fb 0e 71 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 1984.064077] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 6e 5a fe 0e 72 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 1984.074207] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 6f 5a f1 0e 72 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 1984.084425] i2c_hid i2c-DLL060A:00: input: 20 00 0c 0c 01 00 6f 5a f3 0e 72 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 1984.094533] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 6f 5a f6 0e 73 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 1984.104629] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 6f 5a f8 0e 73 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 1984.114742] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 6f 5a fa 0e 73 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 1984.124890] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 6f 5a fc 0e 73 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 1984.135006] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 6f 5a fe 0e 73 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 1984.145149] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 70 5a f0 0e 73 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 1984.155317] i2c_hid i2c-DLL060A:00: input: 20 00 0c 0c 01 00 70 5a e2 0e 73 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 1984.165380] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 70 5a d4 0d 74 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 1984.175532] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 70 5a d6 0d 74 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 1984.185409] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 70 5a d8 0d 75 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 1984.195761] i2c_hid i2c-DLL060A:00: input: 20 00 0c 0c 01 00 70 5a db 0d 75 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 1984.205909] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 70 5a dd 0d 75 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 1984.216034] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 71 5a d0 0e 76 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 1984.226198] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 71 5a d3 0e 77 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 1984.236301] i2c_hid i2c-DLL060A:00: input: 20 00 0c 0c 01 00 71 5a d6 0e 77 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 1984.246520] i2c_hid i2c-DLL060A:00: input: 20 00 0c 0c 01 00 71 5a cb 0f 79 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 1984.256573] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 72 5a b1 0e 78 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 1984.266697] i2c_hid i2c-DLL060A:00: input: 20 00 0c 0c 01 00 72 5a a7 0e 77 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 1984.276823] i2c_hid i2c-DLL060A:00: input: 20 00 0c 0c 01 00 72 5a 6d 0d 72 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 1984.286921] i2c_hid i2c-DLL060A:00: input: 20 00 0c 0c 01 00 73 59 96 0a 5a 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 1984.296888] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 00 00 73 59 96 00 00 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 1984.306825] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 00 00 73 59 96 00 00 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 1984.316980] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 00 00 73 59 96 00 00 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00

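To check the reporter's observation mechanically rather than by eye, here is an added C example (not part of i2c-hid and not posted in this thread) that parses these debug=1 lines and summarises a capture. It assumes the layout the thread implies: bytes 0-1 are the little-endian length prefix i2c-hid puts in front of each input report, byte 2 is the report id, and byte 3, the byte after the report id, is the width byte with the x width in the low nibble and the y width in the high nibble (0c = 12 on x, c0 = 12 on y). It flags reports whose width nibble is 0xc, checks that the length prefix agrees with the number of bytes actually dumped (a disagreement would point at the transfer rather than the touchpad), and measures the run of identical reports the capture ends with, which is the stuck-interrupt symptom. The struct and function names are invented; the sample lines are copied from the capture above, plus one constructed non-report line to show that it is skipped.

```c
/* Added example, not i2c-hid code: parses "debug=1" input lines like the
 * ones above. Field names are invented; the layout (length prefix, report
 * id, then the width byte) is the one the thread describes. */
#include <ctype.h>
#include <stdlib.h>
#include <string.h>

#define MAX_REPORT 64

struct i2chid_report {
    unsigned len;                   /* little-endian length prefix, bytes 0-1 */
    unsigned report_id;             /* byte 2 */
    unsigned width_x, width_y;      /* low/high nibble of byte 3 */
    unsigned nraw;                  /* bytes actually present on the line */
    unsigned char raw[MAX_REPORT];
};

struct capture_summary {
    int reports;                    /* lines that parsed as input reports */
    int width_c_hits;               /* x or y width nibble equal to 0xc */
    int len_mismatches;             /* length prefix != bytes on the line */
    int trailing_repeats;           /* length of the final run of identical reports */
};

/* Parses one dmesg line; returns the report byte count, or -1 if the line
 * is not an i2c-hid input dump. */
int parse_i2chid_line(const char *line, struct i2chid_report *r)
{
    const char *p = strstr(line, "input:");

    if (!p)
        return -1;
    p += strlen("input:");
    memset(r, 0, sizeof(*r));
    for (;;) {
        while (*p == ' ')
            p++;
        if (!isxdigit((unsigned char)p[0]) || !isxdigit((unsigned char)p[1]))
            break;
        if (r->nraw >= MAX_REPORT)
            return -1;
        char hex[3] = { p[0], p[1], '\0' };
        r->raw[r->nraw++] = (unsigned char)strtoul(hex, NULL, 16);
        p += 2;
    }
    if (r->nraw < 4)
        return -1;
    r->len = r->raw[0] | (r->raw[1] << 8);
    r->report_id = r->raw[2];
    r->width_x = r->raw[3] & 0x0f;
    r->width_y = r->raw[3] >> 4;
    return (int)r->nraw;
}

/* Checks a capture for the 0xc width nibble the reporter ties to the bug,
 * for length prefixes that disagree with the bytes read, and for how many
 * identical reports it ends with (the "repeated indefinitely" symptom). */
void analyze_capture(const char *const *lines, int n, struct capture_summary *s)
{
    struct i2chid_report cur, prev;
    int have_prev = 0;

    memset(s, 0, sizeof(*s));
    memset(&prev, 0, sizeof(prev));
    for (int i = 0; i < n; i++) {
        if (parse_i2chid_line(lines[i], &cur) < 0)
            continue;                               /* not a report dump */
        s->reports++;
        if (cur.width_x == 0xc || cur.width_y == 0xc)
            s->width_c_hits++;
        if (cur.len != cur.nraw)
            s->len_mismatches++;
        if (have_prev && cur.nraw == prev.nraw &&
            memcmp(cur.raw, prev.raw, cur.nraw) == 0)
            s->trailing_repeats++;
        else
            s->trailing_repeats = 1;
        prev = cur;
        have_prev = 1;
    }
}

/* Sample: six lines copied from the capture above plus one constructed
 * non-report line, embedded so the example runs offline. */
static const char *const SAMPLE_LINES[] = {
    "[ 1983.527097] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 67 5b 61 0a 5f 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00",
    "[ 1983.567663] i2c_hid i2c-DLL060A:00: input: 20 00 0c 0c 01 00 67 5b 68 0a 60 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00",
    "[ 1984.286921] i2c_hid i2c-DLL060A:00: input: 20 00 0c 0c 01 00 73 59 96 0a 5a 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00",
    "[ 1984.290000] i2c_hid i2c-DLL060A:00: (constructed line, not a report dump)",
    "[ 1984.296888] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 00 00 73 59 96 00 00 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00",
    "[ 1984.306825] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 00 00 73 59 96 00 00 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00",
    "[ 1984.316980] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 00 00 73 59 96 00 00 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00",
};
#define SAMPLE_COUNT ((int)(sizeof(SAMPLE_LINES) / sizeof(SAMPLE_LINES[0])))

const struct capture_summary *analyze_sample(void)
{
    static struct capture_summary s;

    analyze_capture(SAMPLE_LINES, SAMPLE_COUNT, &s);
    return &s;
}

/* Width byte (byte 3) of sample line idx, or -1 if it is not a report. */
int sample_width_byte(int idx)
{
    struct i2chid_report r;

    if (idx < 0 || idx >= SAMPLE_COUNT ||
        parse_i2chid_line(SAMPLE_LINES[idx], &r) < 0)
        return -1;
    return r.raw[3];
}
```

On the sample, every report carries the 0x20 length prefix that matches the 32 bytes dumped, two reports have the 0xc x-width nibble, and the capture ends with a run of three identical reports (the ones with x/y zeroed after the finger was lifted); on a full capture the trailing run length is the number to compare against the "repeated 81 times" case.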

* Re: NULL pointer dereference in i2c-hid
  2014-12-11 19:40             ` Gabriele Mazzotta
@ 2014-12-11 20:46                 ` Andrew Duggan
  0 siblings, 0 replies; 34+ messages in thread
From: Andrew Duggan @ 2014-12-11 20:46 UTC (permalink / raw)
  To: Gabriele Mazzotta
  Cc: Mika Westerberg, linux-input, linux-kernel, benjamin.tissoires, jkosina

On 12/11/2014 11:40 AM, Gabriele Mazzotta wrote:
> On Thursday 11 December 2014 11:21:43 Andrew Duggan wrote:
>> On 12/11/2014 11:11 AM, Gabriele Mazzotta wrote:
>>> On Thursday 11 December 2014 10:40:05 Andrew Duggan wrote:
>>>> On 12/11/2014 10:16 AM, Gabriele Mazzotta wrote:
>>>>> On Thursday 11 December 2014 16:03:07 Mika Westerberg wrote:
>>>>>> On Thu, Dec 11, 2014 at 10:58:01AM +0200, Mika Westerberg wrote:
>>>>>>> On Wed, Dec 10, 2014 at 06:04:51PM +0100, Gabriele Mazzotta wrote:
>>>>>>>> my laptop uses a touchpad that needs hid-rmi along with i2c-hid to work.
>>>>>>>> i2c-hid and hid-rmi can be loaded and unloaded independelty from each
>>>>>>>> other, however since 34f439e4afcd ("HID: i2c-hid: add runtime PM support")
>>>>>>>> if I unload hid-rmi and after it I also unload i2c-hid, I get a NULL
>>>>>>>> pointer dereference.
>>>>>>> I'll look into this.
>>>>>>>
>>>>>>> I can reproduce this easily with i2c-hid + hid-multitouch following your
>>>>>>> directions.
>>>>>> Can you try the below patch?
>>>>>>
>>>>>> I think we shouldn't free buffers yet in ->stop() because we need the
>>>>>> command buffer sending power commands to the device. Also it seems that
>>>>>> ->start() re-allocates buffers anyway if maximum size increases.
>>>>>>
>>>>>> It shouldn't even leak memory as we release buffers at ->remove()
>>>>>> anyway.
>>>>>>
>>>>>> diff --git a/drivers/hid/i2c-hid/i2c-hid.c b/drivers/hid/i2c-hid/i2c-hid.c
>>>>>> index 62cec01937ea..68a8c938feea 100644
>>>>>> --- a/drivers/hid/i2c-hid/i2c-hid.c
>>>>>> +++ b/drivers/hid/i2c-hid/i2c-hid.c
>>>>>> @@ -705,12 +705,7 @@ static int i2c_hid_start(struct hid_device *hid)
>>>>>>     
>>>>>>     static void i2c_hid_stop(struct hid_device *hid)
>>>>>>     {
>>>>>> -	struct i2c_client *client = hid->driver_data;
>>>>>> -	struct i2c_hid *ihid = i2c_get_clientdata(client);
>>>>>> -
>>>>>>     	hid->claimed = 0;
>>>>>> -
>>>>>> -	i2c_hid_free_buffers(ihid);
>>>>>>     }
>>>>>>     
>>>>>>     static int i2c_hid_open(struct hid_device *hid)
>>>>> Yes, it works, thanks.
>>>>>
>>>>> This change seems to also prevent kernel ooops when I unload either
>>>>> i2c-hid or i2c-designware-platform while the touchpad is in use,
>>>>> thing that is likely to happen because of the other bug I reported.
>>>>>
>>>>> Speaking of it, does any of you have any suggestion on how to debug it?
>>>> I was able to reproduce the initial issue by unloading hid-rmi and
>>>> i2c-hid while holding my fingers on the touchpad. Mika's patch fixes it
>>>> for me.
>>>>
>>>> For the original bug, you can modprobe i2c-hid debug=1 and we can see
>>>> what data the touchpad is reporting. That might help narrowing down if
>>>> it's noise which the touchpad thinks are fingers or if there is a
>>>> problem with the I2C lines causing spurious interrupts.
>>>>
>>>> Andrew
>>> I've already tried to do that and here what I got:
>>>
>>> When I release the finger, the last message is repeated 81 times.
>>> If the byte containing informations about the width of the finger
>>> becomes equal to either c0 or 0c at least once, the last message is
>>> repeated indefinitely and changes as soon as I start using the touchpad.
>>> The only way to stop it is to unload and reload i2c-hid.
>> The reports before log throttling kicks in would still be useful. For
>> instance c0 is outside of the range of finger width which we report so
>> something is wrong there. But, the touchpad should stop interrupting
>> once the finger is lifted. The fact that subsequent reads are reporting
>> the same data does sound like a problem with I2C getting confused and
>> continuously interrupting and reading the old finger data. I am also
>> curious about the value of the byte after the report id.
>>
>> Andrew
> If I'm not wrong c0 means that the width is 12 on y axis, while 0c means
> that the width is 12 on the x axis.

You are correct! I forgot width was 4 bits for X and Y in the same byte. 
That makes more sense.

>
> I have to correct myself. The important thing is that the byte is either
> cx or xc, where x is anything below c.
>
> Another correction. Sometimes unloading i2c-hid is not enough, I have to
> first disable the touchpad with xinput and then unload i2c-hid. If I
> don't do it, the messages starts reappearing as soon as I reload i2c-hid.
>
> I did several tests in the past months and I'm quite sure that the bug
> happens only past xc/cy.

This may be coincidental. It is not obvious to me why a certain width 
value would cause the symptoms described.

>
> Here few lines right before the bug. The last line is repeated indefinitely:
>
> [ 1983.527097] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 67 5b 61 0a 5f 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> [ 1983.537211] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 67 5b 63 0a 60 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> [ 1983.547329] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 67 5b 64 0a 60 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> [ 1983.557486] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 67 5b 66 0a 60 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> [ 1983.567663] i2c_hid i2c-DLL060A:00: input: 20 00 0c 0c 01 00 67 5b 68 0a 60 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> [ 1983.577719] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 67 5b 6a 0a 61 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> [ 1983.587852] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 67 5b 6b 0a 61 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> [ 1983.598001] i2c_hid i2c-DLL060A:00: input: 20 00 0c 0c 01 00 67 5b 6e 0a 62 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> [ 1983.608215] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 68 5b 61 0a 62 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> [ 1983.618288] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 68 5b 64 0b 63 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> [ 1983.628493] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 68 5b 67 0b 63 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> [ 1983.638552] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 68 5b 69 0b 64 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> [ 1983.648663] i2c_hid i2c-DLL060A:00: input: 20 00 0c 0c 01 00 68 5b 6c 0b 64 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> [ 1983.658789] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 68 5b 6f 0b 64 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> [ 1983.668923] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 69 5b 61 0b 65 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> [ 1983.678819] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 69 5b 64 0b 65 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> [ 1983.689230] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 69 5b 66 0b 65 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> [ 1983.699435] i2c_hid i2c-DLL060A:00: input: 20 00 0c 0c 01 00 69 5b 68 0b 65 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> [ 1983.709502] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 69 5b 6a 0b 66 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> [ 1983.719574] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 69 5b 6c 0b 66 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> [ 1983.729713] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 69 5b 6e 0b 66 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> [ 1983.739863] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 6a 5b 60 0b 66 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> [ 1983.750001] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 6a 5b 62 0b 66 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> [ 1983.760150] i2c_hid i2c-DLL060A:00: input: 20 00 0c 0c 01 00 6a 5b 64 0b 67 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> [ 1983.770291] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 6a 5b 66 0b 67 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> [ 1983.780445] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 6a 5b 68 0b 67 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> [ 1983.790490] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 6a 5b 5a 0b 68 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> [ 1983.800667] i2c_hid i2c-DLL060A:00: input: 20 00 0c 0c 01 00 6a 5b 4e 0c 69 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> [ 1983.810691] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 6b 5b 31 0c 69 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> [ 1983.820963] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 6b 5b 24 0c 6a 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> [ 1983.831071] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 6b 5b 17 0c 6a 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> [ 1983.841178] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 6b 5b 09 0c 6a 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> [ 1983.851325] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 6b 5b 0b 0c 6b 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> [ 1983.861435] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 6b 5b 0d 0c 6b 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> [ 1983.871566] i2c_hid i2c-DLL060A:00: input: 20 00 0c 0c 01 00 6b 5b 0f 0c 6b 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> [ 1983.881735] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 6c 5b 01 0c 6b 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> [ 1983.891975] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 6c 5b 03 0c 6b 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> [ 1983.902073] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 6c 5b 05 0c 6c 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> [ 1983.912155] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 6c 5b 07 0c 6b 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> [ 1983.922224] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 6c 5b 09 0c 6c 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> [ 1983.932364] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 6c 5b 0b 0c 6c 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> [ 1983.942480] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 6c 5b 0d 0c 6c 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> [ 1983.952612] i2c_hid i2c-DLL060A:00: input: 20 00 0c 0c 01 00 6c 5b 0f 0c 6c 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> [ 1983.962774] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 6d 5a f1 0d 6d 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> [ 1983.972932] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 6d 5a f3 0d 6e 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> [ 1983.982872] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 6d 5a f6 0d 6f 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> [ 1983.993194] i2c_hid i2c-DLL060A:00: input: 20 00 0c 0c 01 00 6d 5a f9 0d 6f 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> [ 1984.003295] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 6d 5a fc 0d 6f 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> [ 1984.013511] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 6d 5a ff 0d 70 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> [ 1984.023590] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 6e 5a f2 0d 70 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> [ 1984.033747] i2c_hid i2c-DLL060A:00: input: 20 00 0c 0c 01 00 6e 5a f5 0e 71 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> [ 1984.043850] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 6e 5a f8 0e 71 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> [ 1984.053873] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 6e 5a fb 0e 71 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> [ 1984.064077] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 6e 5a fe 0e 72 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> [ 1984.074207] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 6f 5a f1 0e 72 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> [ 1984.084425] i2c_hid i2c-DLL060A:00: input: 20 00 0c 0c 01 00 6f 5a f3 0e 72 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> [ 1984.094533] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 6f 5a f6 0e 73 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> [ 1984.104629] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 6f 5a f8 0e 73 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> [ 1984.114742] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 6f 5a fa 0e 73 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> [ 1984.124890] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 6f 5a fc 0e 73 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> [ 1984.135006] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 6f 5a fe 0e 73 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> [ 1984.145149] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 70 5a f0 0e 73 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> [ 1984.155317] i2c_hid i2c-DLL060A:00: input: 20 00 0c 0c 01 00 70 5a e2 0e 73 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> [ 1984.165380] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 70 5a d4 0d 74 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> [ 1984.175532] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 70 5a d6 0d 74 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> [ 1984.185409] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 70 5a d8 0d 75 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> [ 1984.195761] i2c_hid i2c-DLL060A:00: input: 20 00 0c 0c 01 00 70 5a db 0d 75 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> [ 1984.205909] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 70 5a dd 0d 75 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> [ 1984.216034] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 71 5a d0 0e 76 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> [ 1984.226198] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 71 5a d3 0e 77 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> [ 1984.236301] i2c_hid i2c-DLL060A:00: input: 20 00 0c 0c 01 00 71 5a d6 0e 77 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> [ 1984.246520] i2c_hid i2c-DLL060A:00: input: 20 00 0c 0c 01 00 71 5a cb 0f 79 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> [ 1984.256573] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 72 5a b1 0e 78 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> [ 1984.266697] i2c_hid i2c-DLL060A:00: input: 20 00 0c 0c 01 00 72 5a a7 0e 77 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> [ 1984.276823] i2c_hid i2c-DLL060A:00: input: 20 00 0c 0c 01 00 72 5a 6d 0d 72 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> [ 1984.286921] i2c_hid i2c-DLL060A:00: input: 20 00 0c 0c 01 00 73 59 96 0a 5a 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> [ 1984.296888] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 00 00 73 59 96 00 00 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> [ 1984.306825] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 00 00 73 59 96 00 00 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> [ 1984.316980] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 00 00 73 59 96 00 00 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
The last report which repeats indicates that no fingers are present. 
But, the click button is generating the interrupt and it is reporting 
that it is in the down position. Could the click button be getting stuck 
down? That would also explain why the data in the report is not 
changing. Could you be bumping the touchpad with your palm which is 
causing the click button to get stuck in the down position? That might 
also explain the large width value. Our max width is 15, so 12 would 
typically indicate a contact larger than a normal finger contact. That 
would explain the width of 12 showing up when this happens.

Andrew

^ permalink raw reply	[flat|nested] 34+ messages in thread
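The reading Andrew gives above (the width nibbles, the "no fingers" state, the same bytes coming back over and over) can be checked mechanically against the dump. The decoder below is an added example written for this page, not code from the thread or from the kernel. It assumes the RMI4 F11 absolute-data layout that hid-rmi decodes (two finger-state bytes for a 5-finger sensor, then x_msb, y_msb, y/x low nibbles, wy/wx and z per finger); the thread itself only states that the width byte carries 4-bit X and Y widths with a maximum of 15, so everything else in the layout is an assumption, and the interrupt-status byte after the report id is left undecoded. The sample lines are copied from the dump in this thread, with the final no-finger report repeated three times to stand in for the run that goes on indefinitely.

```python
"""Decode i2c-hid "input:" debug lines from an RMI4 touchpad driven by hid-rmi.

Added example for this thread, not kernel code.  Assumed layout:
  bytes 0-1  i2c-hid length prefix, little-endian, counts itself (0x0020 = 32)
  byte  2    HID report id (0x0c throughout the dump)
  byte  3    RMI interrupt status, kept opaque here
  bytes 4-5  F11 finger state, 2 bits per finger, 5 fingers -> 2 bytes
  then 5 bytes per finger: x_msb, y_msb, (y_lsb << 4 | x_lsb), (wy << 4 | wx), z
Only the width nibbles and "max width is 15" are stated in the thread.
"""
import re
from dataclasses import dataclass, field
from typing import List, Tuple

LINE_RE = re.compile(r"input:\s+((?:[0-9a-f]{2}\s*)+)$")
MAX_FINGERS = 5      # assumption: 5-finger F11 sensor, fits the 27-byte payload
WIDTH_MAX = 15       # stated in the thread
WIDTH_SUSPECT = 12   # width the reporter sees just before the reports get stuck


@dataclass
class Finger:
    slot: int
    state: int   # 2-bit F11 finger state; non-zero means a contact is reported
    x: int
    y: int
    wx: int
    wy: int
    z: int


@dataclass
class Report:
    report_id: int
    irq_status: int
    fingers: List[Finger] = field(default_factory=list)
    raw: bytes = b""


def parse_line(line: str) -> Report:
    """Parse one dmesg line; raises ValueError on a malformed dump."""
    m = LINE_RE.search(line.strip())
    if not m:
        raise ValueError("not an i2c_hid input line")
    raw = bytes.fromhex(m.group(1))
    declared = int.from_bytes(raw[0:2], "little")
    if declared != len(raw):   # the prefix must match what the driver printed
        raise ValueError(f"length prefix {declared} != {len(raw)} bytes dumped")
    state_bytes = (MAX_FINGERS + 3) // 4
    if len(raw) < 4 + state_bytes + 5 * MAX_FINGERS:
        raise ValueError("report too short for the assumed F11 layout")
    rep = Report(report_id=raw[2], irq_status=raw[3], raw=raw)
    states = raw[4:4 + state_bytes]
    for slot in range(MAX_FINGERS):
        st = (states[slot // 4] >> (2 * (slot % 4))) & 0x3
        if st == 0:
            continue          # empty slot: its 5 bytes are stale and must be ignored
        d = raw[4 + state_bytes + 5 * slot:][:5]
        rep.fingers.append(Finger(slot, st,
                                  x=(d[0] << 4) | (d[2] & 0x0F),
                                  y=(d[1] << 4) | (d[2] >> 4),
                                  wx=d[3] & 0x0F, wy=d[3] >> 4, z=d[4]))
    return rep


def suspect_widths(rep: Report) -> List[Tuple[int, int, int]]:
    """(slot, wx, wy) for contacts at or above the width the thread ties to the bug."""
    return [(f.slot, f.wx, f.wy) for f in rep.fingers
            if max(f.wx, f.wy) >= WIDTH_SUSPECT]


def find_repeat_runs(lines: List[str], min_repeats: int = 3) -> List[Tuple[int, int, int]]:
    """Runs of byte-identical consecutive reports: (first index, length, fingers in it).

    A long run with zero fingers is the signature described in the thread: the
    device keeps interrupting and the driver keeps reading the same stale report."""
    runs, prev, start, count = [], None, 0, 0
    for i, line in enumerate(lines):
        rep = parse_line(line)
        if prev is not None and rep.raw == prev.raw:
            count += 1
            continue
        if prev is not None and count >= min_repeats:
            runs.append((start, count, len(prev.fingers)))
        prev, start, count = rep, i, 1
    if prev is not None and count >= min_repeats:
        runs.append((start, count, len(prev.fingers)))
    return runs


# Sample lines copied from the dump in this thread; the last one is repeated three
# times here to stand in for the run that the reporter says goes on indefinitely.
SAMPLE_LINES = [
    "[ 1983.527097] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 67 5b 61 0a 5f 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00",
    "[ 1983.800667] i2c_hid i2c-DLL060A:00: input: 20 00 0c 0c 01 00 6a 5b 4e 0c 69 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00",
    "[ 1984.286921] i2c_hid i2c-DLL060A:00: input: 20 00 0c 0c 01 00 73 59 96 0a 5a 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00",
    "[ 1984.296888] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 00 00 73 59 96 00 00 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00",
    "[ 1984.306825] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 00 00 73 59 96 00 00 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00",
    "[ 1984.316980] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 00 00 73 59 96 00 00 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00",
]

if __name__ == "__main__":
    for i, line in enumerate(SAMPLE_LINES):
        rep = parse_line(line)
        fingers = ", ".join(f"slot{f.slot} x={f.x} y={f.y} w={f.wx}x{f.wy} z={f.z}"
                            for f in rep.fingers) or "no fingers"
        print(f"{i}: id=0x{rep.report_id:02x} irq=0x{rep.irq_status:02x} {fingers}"
              f" suspect={suspect_widths(rep)}")
    print("repeat runs (start, length, fingers):", find_repeat_runs(SAMPLE_LINES))
```

Run it over a full `dmesg` capture taken with `modprobe i2c-hid debug=1` rather than the six lines embedded here; a run reported with zero fingers is the stuck case Andrew describes, and the length check at the top is worth keeping because a prefix that disagrees with the bytes actually read is the first thing to rule out when a driver is reading stale data.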

* Re: NULL pointer dereference in i2c-hid
  2014-12-11 20:46                 ` Andrew Duggan
  (?)
@ 2014-12-11 21:17                 ` Gabriele Mazzotta
  2014-12-11 21:34                     ` Andrew Duggan
  -1 siblings, 1 reply; 34+ messages in thread
From: Gabriele Mazzotta @ 2014-12-11 21:17 UTC (permalink / raw)
  To: Andrew Duggan
  Cc: Mika Westerberg, linux-input, linux-kernel, benjamin.tissoires, jkosina

On Thursday 11 December 2014 12:46:53 Andrew Duggan wrote:
> On 12/11/2014 11:40 AM, Gabriele Mazzotta wrote:
> > On Thursday 11 December 2014 11:21:43 Andrew Duggan wrote:
> >> On 12/11/2014 11:11 AM, Gabriele Mazzotta wrote:
> >>> On Thursday 11 December 2014 10:40:05 Andrew Duggan wrote:
> >>>> On 12/11/2014 10:16 AM, Gabriele Mazzotta wrote:
> >>>>> On Thursday 11 December 2014 16:03:07 Mika Westerberg wrote:
> >>>>>> On Thu, Dec 11, 2014 at 10:58:01AM +0200, Mika Westerberg wrote:
> >>>>>>> On Wed, Dec 10, 2014 at 06:04:51PM +0100, Gabriele Mazzotta wrote:
> >>>>>>>> my laptop uses a touchpad that needs hid-rmi along with i2c-hid to work.
> >>>>>>>> i2c-hid and hid-rmi can be loaded and unloaded independently from each
> >>>>>>>> other, however since 34f439e4afcd ("HID: i2c-hid: add runtime PM support")
> >>>>>>>> if I unload hid-rmi and after it I also unload i2c-hid, I get a NULL
> >>>>>>>> pointer dereference.
> >>>>>>> I'll look into this.
> >>>>>>>
> >>>>>>> I can reproduce this easily with i2c-hid + hid-multitouch following your
> >>>>>>> directions.
> >>>>>> Can you try the below patch?
> >>>>>>
> >>>>>> I think we shouldn't free buffers yet in ->stop() because we need the
> >>>>>> command buffer sending power commands to the device. Also it seems that
> >>>>>> ->start() re-allocates buffers anyway if maximum size increases.
> >>>>>>
> >>>>>> It shouldn't even leak memory as we release buffers at ->remove()
> >>>>>> anyway.
> >>>>>>
> >>>>>> diff --git a/drivers/hid/i2c-hid/i2c-hid.c b/drivers/hid/i2c-hid/i2c-hid.c
> >>>>>> index 62cec01937ea..68a8c938feea 100644
> >>>>>> --- a/drivers/hid/i2c-hid/i2c-hid.c
> >>>>>> +++ b/drivers/hid/i2c-hid/i2c-hid.c
> >>>>>> @@ -705,12 +705,7 @@ static int i2c_hid_start(struct hid_device *hid)
> >>>>>>     
> >>>>>>     static void i2c_hid_stop(struct hid_device *hid)
> >>>>>>     {
> >>>>>> -	struct i2c_client *client = hid->driver_data;
> >>>>>> -	struct i2c_hid *ihid = i2c_get_clientdata(client);
> >>>>>> -
> >>>>>>     	hid->claimed = 0;
> >>>>>> -
> >>>>>> -	i2c_hid_free_buffers(ihid);
> >>>>>>     }
> >>>>>>     
> >>>>>>     static int i2c_hid_open(struct hid_device *hid)
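Review bot: i2c_hid_stop() now keeps the buffers allocated on purpose, but nothing in the hunk records why; add a short comment above `hid->claimed = 0;` (for instance `/* Buffers are freed in ->remove(); the command buffer is still needed for the power commands sent after ->stop() */`) so that a later cleanup does not reintroduce the free and the NULL dereference with it. It is also worth stating in the changelog that ->start() frees the old buffers before growing them, since the cover text only says it re-allocates; if it does not, repeated stop/start cycles with a growing bufsize would leak.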
> >>>>> Yes, it works, thanks.
> >>>>>
> >>>>> This change seems to also prevent kernel oops when I unload either
> >>>>> i2c-hid or i2c-designware-platform while the touchpad is in use,
> >>>>> something that is likely to happen because of the other bug I reported.
> >>>>>
> >>>>> Speaking of it, does any of you have any suggestion on how to debug it?
> >>>> I was able to reproduce the initial issue by unloading hid-rmi and
> >>>> i2c-hid while holding my fingers on the touchpad. Mika's patch fixes it
> >>>> for me.
> >>>>
> >>>> For the original bug, you can modprobe i2c-hid debug=1 and we can see
> >>>> what data the touchpad is reporting. That might help narrowing down if
> >>>> it's noise which the touchpad thinks are fingers or if there is a
> >>>> problem with the I2C lines causing spurious interrupts.
> >>>>
> >>>> Andrew
> >>> I've already tried to do that and here is what I got:
> >>>
> >>> When I release the finger, the last message is repeated 81 times.
> >>> If the byte containing information about the width of the finger
> >>> becomes equal to either c0 or 0c at least once, the last message is
> >>> repeated indefinitely and changes as soon as I start using the touchpad.
> >>> The only way to stop it is to unload and reload i2c-hid.
> >> The reports before log throttling kicks in would still be useful. For
> >> instance c0 is outside of the range of finger width which we report so
> >> something is wrong there. But, the touchpad should stop interrupting
> >> once the finger is lifted. The fact that subsequent reads are reporting
> >> the same data does sound like a problem with I2C getting confused and
> >> continuously interrupting and reading the old finger data. I am also
> >> curious about the value of the byte after the report id.
> >>
> >> Andrew
> > If I'm not wrong c0 means that the width is 12 on y axis, while 0c means
> > that the width is 12 on the x axis.
> 
> You are correct! I forgot width was 4 bits for X and Y in the same byte. 
> That makes more sense.
> 
> >
> > I have to correct myself. The important thing is that the byte is either
> > cx or xc, where x is anything below c.
> >
> > Another correction. Sometimes unloading i2c-hid is not enough, I have to
> > first disable the touchpad with xinput and then unload i2c-hid. If I
> > don't do it, the messages start reappearing as soon as I reload i2c-hid.
> >
> > I did several tests in the past months and I'm quite sure that the bug
> > happens only past xc/cy.
> 
> This may be coincidental. It is not obvious to me why a certain width 
> value would cause the symptoms described.

Yes, I don't deny it. This is just a constant I found in my tests.

> >
> > Here are a few lines right before the bug. The last line is repeated indefinitely:
> >
> > [ 1983.527097] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 67 5b 61 0a 5f 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> > [ 1983.537211] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 67 5b 63 0a 60 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> > [ 1983.547329] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 67 5b 64 0a 60 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> > [ 1983.557486] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 67 5b 66 0a 60 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> > [ 1983.567663] i2c_hid i2c-DLL060A:00: input: 20 00 0c 0c 01 00 67 5b 68 0a 60 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> > [ 1983.577719] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 67 5b 6a 0a 61 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> > [ 1983.587852] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 67 5b 6b 0a 61 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> > [ 1983.598001] i2c_hid i2c-DLL060A:00: input: 20 00 0c 0c 01 00 67 5b 6e 0a 62 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> > [ 1983.608215] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 68 5b 61 0a 62 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> > [ 1983.618288] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 68 5b 64 0b 63 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> > [ 1983.628493] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 68 5b 67 0b 63 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> > [ 1983.638552] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 68 5b 69 0b 64 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> > [ 1983.648663] i2c_hid i2c-DLL060A:00: input: 20 00 0c 0c 01 00 68 5b 6c 0b 64 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> > [ 1983.658789] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 68 5b 6f 0b 64 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> > [ 1983.668923] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 69 5b 61 0b 65 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> > [ 1983.678819] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 69 5b 64 0b 65 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> > [ 1983.689230] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 69 5b 66 0b 65 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> > [ 1983.699435] i2c_hid i2c-DLL060A:00: input: 20 00 0c 0c 01 00 69 5b 68 0b 65 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> > [ 1983.709502] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 69 5b 6a 0b 66 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> > [ 1983.719574] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 69 5b 6c 0b 66 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> > [ 1983.729713] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 69 5b 6e 0b 66 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> > [ 1983.739863] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 6a 5b 60 0b 66 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> > [ 1983.750001] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 6a 5b 62 0b 66 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> > [ 1983.760150] i2c_hid i2c-DLL060A:00: input: 20 00 0c 0c 01 00 6a 5b 64 0b 67 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> > [ 1983.770291] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 6a 5b 66 0b 67 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> > [ 1983.780445] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 6a 5b 68 0b 67 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> > [ 1983.790490] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 6a 5b 5a 0b 68 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> > [ 1983.800667] i2c_hid i2c-DLL060A:00: input: 20 00 0c 0c 01 00 6a 5b 4e 0c 69 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> > [ 1983.810691] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 6b 5b 31 0c 69 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> > [ 1983.820963] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 6b 5b 24 0c 6a 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> > [ 1983.831071] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 6b 5b 17 0c 6a 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> > [ 1983.841178] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 6b 5b 09 0c 6a 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> > [ 1983.851325] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 6b 5b 0b 0c 6b 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> > [ 1983.861435] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 6b 5b 0d 0c 6b 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> > [ 1983.871566] i2c_hid i2c-DLL060A:00: input: 20 00 0c 0c 01 00 6b 5b 0f 0c 6b 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> > [ 1983.881735] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 6c 5b 01 0c 6b 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> > [ 1983.891975] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 6c 5b 03 0c 6b 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> > [ 1983.902073] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 6c 5b 05 0c 6c 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> > [ 1983.912155] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 6c 5b 07 0c 6b 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> > [ 1983.922224] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 6c 5b 09 0c 6c 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> > [ 1983.932364] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 6c 5b 0b 0c 6c 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> > [ 1983.942480] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 6c 5b 0d 0c 6c 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> > [ 1983.952612] i2c_hid i2c-DLL060A:00: input: 20 00 0c 0c 01 00 6c 5b 0f 0c 6c 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> > [ 1983.962774] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 6d 5a f1 0d 6d 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> > [ 1983.972932] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 6d 5a f3 0d 6e 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> > [ 1983.982872] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 6d 5a f6 0d 6f 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> > [ 1983.993194] i2c_hid i2c-DLL060A:00: input: 20 00 0c 0c 01 00 6d 5a f9 0d 6f 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> > [ 1984.003295] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 6d 5a fc 0d 6f 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> > [ 1984.013511] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 6d 5a ff 0d 70 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> > [ 1984.023590] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 6e 5a f2 0d 70 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> > [ 1984.033747] i2c_hid i2c-DLL060A:00: input: 20 00 0c 0c 01 00 6e 5a f5 0e 71 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> > [ 1984.043850] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 6e 5a f8 0e 71 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> > [ 1984.053873] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 6e 5a fb 0e 71 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> > [ 1984.064077] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 6e 5a fe 0e 72 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> > [ 1984.074207] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 6f 5a f1 0e 72 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> > [ 1984.084425] i2c_hid i2c-DLL060A:00: input: 20 00 0c 0c 01 00 6f 5a f3 0e 72 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> > [ 1984.094533] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 6f 5a f6 0e 73 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> > [ 1984.104629] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 6f 5a f8 0e 73 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> > [ 1984.114742] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 6f 5a fa 0e 73 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> > [ 1984.124890] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 6f 5a fc 0e 73 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> > [ 1984.135006] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 6f 5a fe 0e 73 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> > [ 1984.145149] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 70 5a f0 0e 73 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> > [ 1984.155317] i2c_hid i2c-DLL060A:00: input: 20 00 0c 0c 01 00 70 5a e2 0e 73 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> > [ 1984.165380] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 70 5a d4 0d 74 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> > [ 1984.175532] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 70 5a d6 0d 74 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> > [ 1984.185409] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 70 5a d8 0d 75 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> > [ 1984.195761] i2c_hid i2c-DLL060A:00: input: 20 00 0c 0c 01 00 70 5a db 0d 75 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> > [ 1984.205909] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 70 5a dd 0d 75 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> > [ 1984.216034] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 71 5a d0 0e 76 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> > [ 1984.226198] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 71 5a d3 0e 77 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> > [ 1984.236301] i2c_hid i2c-DLL060A:00: input: 20 00 0c 0c 01 00 71 5a d6 0e 77 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> > [ 1984.246520] i2c_hid i2c-DLL060A:00: input: 20 00 0c 0c 01 00 71 5a cb 0f 79 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> > [ 1984.256573] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 72 5a b1 0e 78 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> > [ 1984.266697] i2c_hid i2c-DLL060A:00: input: 20 00 0c 0c 01 00 72 5a a7 0e 77 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> > [ 1984.276823] i2c_hid i2c-DLL060A:00: input: 20 00 0c 0c 01 00 72 5a 6d 0d 72 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> > [ 1984.286921] i2c_hid i2c-DLL060A:00: input: 20 00 0c 0c 01 00 73 59 96 0a 5a 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> > [ 1984.296888] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 00 00 73 59 96 00 00 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> > [ 1984.306825] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 00 00 73 59 96 00 00 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> > [ 1984.316980] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 00 00 73 59 96 00 00 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> The last report which repeats indicates that no fingers are present. 
> But, the click button is generating the interrupt and it is reporting 
> that it is in the down position. Could the click button be getting stuck 
> down? That would also explain why the data in the report is not 
> changing. Could you be bumping the touchpad with your palm which is 
> causing the click button to get stuck in the down position? That might 
> also explain the large width value. Our max width is 15, so 12 would 
> typically indicate a contact larger than a normal finger contact. That
> would explain the width of 12 showing up when this happens.

Yes, that's not a normal finger touch and the reported width seems
quite accurate to me. There are no clicks involved, laying the side of
my thumb gently on the top part of the clickpad (from where even voluntary
clicks are hard to obtain) is enough to trigger the bug. If a click is
reported, then something is really wrong.

> Andrew


^ permalink raw reply	[flat|nested] 34+ messages in thread

* Re: NULL pointer dereference in i2c-hid
  2014-12-11 21:17                 ` Gabriele Mazzotta
@ 2014-12-11 21:34                     ` Andrew Duggan
  0 siblings, 0 replies; 34+ messages in thread
From: Andrew Duggan @ 2014-12-11 21:34 UTC (permalink / raw)
  To: Gabriele Mazzotta
  Cc: Mika Westerberg, linux-input, linux-kernel, benjamin.tissoires, jkosina

On 12/11/2014 01:17 PM, Gabriele Mazzotta wrote:
> On Thursday 11 December 2014 12:46:53 Andrew Duggan wrote:
>> On 12/11/2014 11:40 AM, Gabriele Mazzotta wrote:
>>> On Thursday 11 December 2014 11:21:43 Andrew Duggan wrote:
>>>> On 12/11/2014 11:11 AM, Gabriele Mazzotta wrote:
>>>>> On Thursday 11 December 2014 10:40:05 Andrew Duggan wrote:
>>>>>> On 12/11/2014 10:16 AM, Gabriele Mazzotta wrote:
>>>>>>> On Thursday 11 December 2014 16:03:07 Mika Westerberg wrote:
>>>>>>>> On Thu, Dec 11, 2014 at 10:58:01AM +0200, Mika Westerberg wrote:
>>>>>>>>> On Wed, Dec 10, 2014 at 06:04:51PM +0100, Gabriele Mazzotta wrote:
>>>>>>>>>> my laptop uses a touchpad that needs hid-rmi along with i2c-hid to work.
>>>>>>>>>> i2c-hid and hid-rmi can be loaded and unloaded independently from each
>>>>>>>>>> other, however since 34f439e4afcd ("HID: i2c-hid: add runtime PM support")
>>>>>>>>>> if I unload hid-rmi and after it I also unload i2c-hid, I get a NULL
>>>>>>>>>> pointer dereference.
>>>>>>>>> I'll look into this.
>>>>>>>>>
>>>>>>>>> I can reproduce this easily with i2c-hid + hid-multitouch following your
>>>>>>>>> directions.
>>>>>>>> Can you try the below patch?
>>>>>>>>
>>>>>>>> I think we shouldn't free buffers yet in ->stop() because we need the
>>>>>>>> command buffer sending power commands to the device. Also it seems that
>>>>>>>> ->start() re-allocates buffers anyway if maximum size increases.
>>>>>>>>
>>>>>>>> It shouldn't even leak memory as we release buffers at ->remove()
>>>>>>>> anyway.
>>>>>>>>
>>>>>>>> diff --git a/drivers/hid/i2c-hid/i2c-hid.c b/drivers/hid/i2c-hid/i2c-hid.c
>>>>>>>> index 62cec01937ea..68a8c938feea 100644
>>>>>>>> --- a/drivers/hid/i2c-hid/i2c-hid.c
>>>>>>>> +++ b/drivers/hid/i2c-hid/i2c-hid.c
>>>>>>>> @@ -705,12 +705,7 @@ static int i2c_hid_start(struct hid_device *hid)
>>>>>>>>      
>>>>>>>>      static void i2c_hid_stop(struct hid_device *hid)
>>>>>>>>      {
>>>>>>>> -	struct i2c_client *client = hid->driver_data;
>>>>>>>> -	struct i2c_hid *ihid = i2c_get_clientdata(client);
>>>>>>>> -
>>>>>>>>      	hid->claimed = 0;
>>>>>>>> -
>>>>>>>> -	i2c_hid_free_buffers(ihid);
>>>>>>>>      }
>>>>>>>>      
>>>>>>>>      static int i2c_hid_open(struct hid_device *hid)
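Review bot: with the `i2c_hid_free_buffers(ihid)` call dropped from `i2c_hid_stop()`, the buffers now outlive ->stop(), so the reallocation path in `i2c_hid_start()` that the description says runs when the maximum report size grows must free the existing set before allocating a new one, otherwise every stop/start cycle that grows the size leaks the previous buffers; that path and the unconditional free in `i2c_hid_remove()` are outside this hunk, so both are worth confirming before the change goes in.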
>>>>>>> Yes, it works, thanks.
>>>>>>>
>>>>>>> This change seems to also prevent kernel oops when I unload either
>>>>>>> i2c-hid or i2c-designware-platform while the touchpad is in use,
>>>>>>> which is likely to happen because of the other bug I reported.
>>>>>>>
>>>>>>> Speaking of it, does any of you have any suggestion on how to debug it?
>>>>>> I was able to reproduce the initial issue by unloading hid-rmi and
>>>>>> i2c-hid while holding my fingers on the touchpad. Mika's patch fixes it
>>>>>> for me.
>>>>>>
>>>>>> For the original bug, you can modprobe i2c-hid debug=1 and we can see
>>>>>> what data the touchpad is reporting. That might help narrowing down if
>>>>>> it's noise which the touchpad thinks are fingers or if there is a
>>>>>> problem with the I2C lines causing spurious interrupts.
>>>>>>
>>>>>> Andrew
>>>>> I've already tried to do that and here is what I got:
>>>>>
>>>>> When I release the finger, the last message is repeated 81 times.
>>>>> If the byte containing information about the width of the finger
>>>>> becomes equal to either c0 or 0c at least once, the last message is
>>>>> repeated indefinitely and changes as soon as I start using the touchpad.
>>>>> The only way to stop it is to unload and reload i2c-hid.
>>>> The reports before log throttling kicks in would still be useful. For
>>>> instance c0 is outside of the range of finger width which we report so
>>>> something is wrong there. But, the touchpad should stop interrupting
>>>> once the finger is lifted. The fact that subsequent reads are reporting
>>>> the same data does sound like a problem with I2C getting confused and
>>>> continuously interrupting and reading the old finger data. I am also
>>>> curious about the value of the byte after the report id.
>>>>
>>>> Andrew
>>> If I'm not wrong c0 means that the width is 12 on y axis, while 0c means
>>> that the width is 12 on the x axis.
>> You are correct! I forgot width was 4 bits for X and Y in the same byte.
>> That makes more sense.
>>
>>> I have to correct myself. The important thing is that the byte is either
>>> cx or xc, where x is anything below c.
>>>
>>> Another correction. Sometimes unloading i2c-hid is not enough, I have to
>>> first disable the touchpad with xinput and then unload i2c-hid. If I
>>> don't do it, the messages start reappearing as soon as I reload i2c-hid.
>>>
>>> I did several tests in the past months and I'm quite sure that the bug
>>> happens only past xc/cy.
>> This may be coincidental. It is not obvious to me why a certain width
>> value would cause the symptoms described.
> Yes, I don't deny it. This is just a constant I found in my tests.
>
>>> Here are a few lines right before the bug. The last line is repeated indefinitely:
>>>
>>> [ 1983.527097] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 67 5b 61 0a 5f 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>> [ 1983.537211] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 67 5b 63 0a 60 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>> [ 1983.547329] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 67 5b 64 0a 60 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>> [ 1983.557486] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 67 5b 66 0a 60 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>> [ 1983.567663] i2c_hid i2c-DLL060A:00: input: 20 00 0c 0c 01 00 67 5b 68 0a 60 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>> [ 1983.577719] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 67 5b 6a 0a 61 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>> [ 1983.587852] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 67 5b 6b 0a 61 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>> [ 1983.598001] i2c_hid i2c-DLL060A:00: input: 20 00 0c 0c 01 00 67 5b 6e 0a 62 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>> [ 1983.608215] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 68 5b 61 0a 62 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>> [ 1983.618288] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 68 5b 64 0b 63 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>> [ 1983.628493] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 68 5b 67 0b 63 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>> [ 1983.638552] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 68 5b 69 0b 64 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>> [ 1983.648663] i2c_hid i2c-DLL060A:00: input: 20 00 0c 0c 01 00 68 5b 6c 0b 64 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>> [ 1983.658789] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 68 5b 6f 0b 64 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>> [ 1983.668923] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 69 5b 61 0b 65 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>> [ 1983.678819] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 69 5b 64 0b 65 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>> [ 1983.689230] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 69 5b 66 0b 65 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>> [ 1983.699435] i2c_hid i2c-DLL060A:00: input: 20 00 0c 0c 01 00 69 5b 68 0b 65 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>> [ 1983.709502] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 69 5b 6a 0b 66 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>> [ 1983.719574] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 69 5b 6c 0b 66 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>> [ 1983.729713] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 69 5b 6e 0b 66 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>> [ 1983.739863] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 6a 5b 60 0b 66 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>> [ 1983.750001] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 6a 5b 62 0b 66 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>> [ 1983.760150] i2c_hid i2c-DLL060A:00: input: 20 00 0c 0c 01 00 6a 5b 64 0b 67 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>> [ 1983.770291] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 6a 5b 66 0b 67 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>> [ 1983.780445] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 6a 5b 68 0b 67 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>> [ 1983.790490] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 6a 5b 5a 0b 68 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>> [ 1983.800667] i2c_hid i2c-DLL060A:00: input: 20 00 0c 0c 01 00 6a 5b 4e 0c 69 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>> [ 1983.810691] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 6b 5b 31 0c 69 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>> [ 1983.820963] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 6b 5b 24 0c 6a 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>> [ 1983.831071] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 6b 5b 17 0c 6a 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>> [ 1983.841178] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 6b 5b 09 0c 6a 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>> [ 1983.851325] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 6b 5b 0b 0c 6b 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>> [ 1983.861435] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 6b 5b 0d 0c 6b 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>> [ 1983.871566] i2c_hid i2c-DLL060A:00: input: 20 00 0c 0c 01 00 6b 5b 0f 0c 6b 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>> [ 1983.881735] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 6c 5b 01 0c 6b 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>> [ 1983.891975] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 6c 5b 03 0c 6b 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>> [ 1983.902073] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 6c 5b 05 0c 6c 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>> [ 1983.912155] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 6c 5b 07 0c 6b 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>> [ 1983.922224] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 6c 5b 09 0c 6c 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>> [ 1983.932364] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 6c 5b 0b 0c 6c 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>> [ 1983.942480] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 6c 5b 0d 0c 6c 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>> [ 1983.952612] i2c_hid i2c-DLL060A:00: input: 20 00 0c 0c 01 00 6c 5b 0f 0c 6c 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>> [ 1983.962774] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 6d 5a f1 0d 6d 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>> [ 1983.972932] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 6d 5a f3 0d 6e 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>> [ 1983.982872] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 6d 5a f6 0d 6f 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>> [ 1983.993194] i2c_hid i2c-DLL060A:00: input: 20 00 0c 0c 01 00 6d 5a f9 0d 6f 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>> [ 1984.003295] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 6d 5a fc 0d 6f 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>> [ 1984.013511] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 6d 5a ff 0d 70 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>> [ 1984.023590] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 6e 5a f2 0d 70 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>> [ 1984.033747] i2c_hid i2c-DLL060A:00: input: 20 00 0c 0c 01 00 6e 5a f5 0e 71 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>> [ 1984.043850] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 6e 5a f8 0e 71 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>> [ 1984.053873] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 6e 5a fb 0e 71 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>> [ 1984.064077] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 6e 5a fe 0e 72 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>> [ 1984.074207] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 6f 5a f1 0e 72 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>> [ 1984.084425] i2c_hid i2c-DLL060A:00: input: 20 00 0c 0c 01 00 6f 5a f3 0e 72 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>> [ 1984.094533] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 6f 5a f6 0e 73 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>> [ 1984.104629] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 6f 5a f8 0e 73 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>> [ 1984.114742] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 6f 5a fa 0e 73 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>> [ 1984.124890] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 6f 5a fc 0e 73 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>> [ 1984.135006] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 6f 5a fe 0e 73 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>> [ 1984.145149] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 70 5a f0 0e 73 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>> [ 1984.155317] i2c_hid i2c-DLL060A:00: input: 20 00 0c 0c 01 00 70 5a e2 0e 73 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>> [ 1984.165380] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 70 5a d4 0d 74 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>> [ 1984.175532] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 70 5a d6 0d 74 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>> [ 1984.185409] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 70 5a d8 0d 75 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>> [ 1984.195761] i2c_hid i2c-DLL060A:00: input: 20 00 0c 0c 01 00 70 5a db 0d 75 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>> [ 1984.205909] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 70 5a dd 0d 75 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>> [ 1984.216034] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 71 5a d0 0e 76 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>> [ 1984.226198] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 71 5a d3 0e 77 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>> [ 1984.236301] i2c_hid i2c-DLL060A:00: input: 20 00 0c 0c 01 00 71 5a d6 0e 77 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>> [ 1984.246520] i2c_hid i2c-DLL060A:00: input: 20 00 0c 0c 01 00 71 5a cb 0f 79 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>> [ 1984.256573] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 72 5a b1 0e 78 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>> [ 1984.266697] i2c_hid i2c-DLL060A:00: input: 20 00 0c 0c 01 00 72 5a a7 0e 77 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>> [ 1984.276823] i2c_hid i2c-DLL060A:00: input: 20 00 0c 0c 01 00 72 5a 6d 0d 72 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>> [ 1984.286921] i2c_hid i2c-DLL060A:00: input: 20 00 0c 0c 01 00 73 59 96 0a 5a 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>> [ 1984.296888] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 00 00 73 59 96 00 00 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>> [ 1984.306825] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 00 00 73 59 96 00 00 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>> [ 1984.316980] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 00 00 73 59 96 00 00 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>> The last report which repeats indicates that no fingers are present.
>> But, the click button is generating the interrupt and it is reporting
>> that it is in the down position. Could the click button be getting stuck
>> down? That would also explain why the data in the report is not
>> changing. Could you be bumping the touchpad with your palm which is
>> causing the click button to get stuck in the down position? That might
>> also explain the large width value. Our max width is 15, so 12 would
>> typically indicate a contact larger than a normal finger contact. That
>> would explain the width of 12 showing up when this happens.
> Yes, that's not a normal finger touch and the reported width seems
> quite accurate to me. There are no clicks involved, laying the side of
> my thumb gently on the top part of the clickpad (from where even voluntary
> clicks are hard to obtain) is enough to trigger the bug. If a click is
> reported, then something is really wrong.

Do the reports look the same? With the repeated reports starting with 
"20 00 0c 04"?

>> Andrew


^ permalink raw reply	[flat|nested] 34+ messages in thread
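The capture quoted in the message above is what i2c-hid prints with debug=1; as an added example (not code from the thread or from the kernel), here is a small Python decoder for those lines that flags the two things the thread looks at: a width byte with a nibble at 12, and the same report being read back over and over after the finger is lifted. It assumes the layout the thread implies but does not spell out: a 2-byte little-endian length prefix that counts itself, the report id (0c) right after it, then the width byte with X in the low nibble and Y in the high nibble; the sample lines are copied from the quoted capture plus one constructed non-report line.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# One line of i2c-hid `debug=1` output, as quoted in the thread:
# "[ 1984.296888] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 ..."
LINE_RE = re.compile(
    r"^\[\s*(?P<ts>\d+\.\d+)\]\s+i2c_hid\s+(?P<dev>\S+):\s+input:\s+"
    r"(?P<hex>[0-9a-fA-F]{2}(?:\s+[0-9a-fA-F]{2})*)\s*$"
)


@dataclass(frozen=True)
class Report:
    ts: float        # kernel timestamp from the log line
    device: str      # e.g. i2c-DLL060A:00
    length: int      # 2-byte little-endian length prefix (assumed layout)
    report_id: int   # byte after the prefix; 0x0c in the thread's captures
    width_x: int     # low nibble of the next byte, the thread's "width byte"
    width_y: int     # high nibble of that byte
    payload: bytes   # every byte after the length prefix

    @property
    def length_ok(self) -> bool:
        """The prefix counts itself, so it must equal the total byte count."""
        return self.length == len(self.payload) + 2


def parse_line(line: str) -> Optional[Report]:
    """Decode one log line; None for lines that are not input reports."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    raw = bytes.fromhex("".join(m["hex"].split()))
    if len(raw) < 4:
        return None  # too short to carry length, report id and width byte
    width = raw[3]
    return Report(
        ts=float(m["ts"]),
        device=m["dev"],
        length=raw[0] | (raw[1] << 8),
        report_id=raw[2],
        width_x=width & 0x0F,
        width_y=width >> 4,
        payload=raw[2:],
    )


def find_stuck_runs(reports: List[Report],
                    min_repeats: int = 3) -> List[Tuple[float, int, str]]:
    """(first_ts, count, payload_hex) for each run of consecutive reports
    with byte-identical payloads at least `min_repeats` long. A long run
    after the finger is lifted is the symptom the thread describes: the
    line keeps interrupting and the same stale data is read back."""
    runs: List[Tuple[float, int, str]] = []
    i = 0
    while i < len(reports):
        j = i
        while j + 1 < len(reports) and reports[j + 1].payload == reports[i].payload:
            j += 1
        count = j - i + 1
        if count >= min_repeats:
            runs.append((reports[i].ts, count, reports[i].payload.hex()))
        i = j + 1
    return runs


def has_wide_contact(report: Report, threshold: int = 12) -> bool:
    """True when either width nibble reaches `threshold` (12 is the value
    the thread associates with the fault; the reported maximum is 15)."""
    return report.width_x >= threshold or report.width_y >= threshold


# Sample input: four reports copied from the capture quoted in the thread
# (two with the width byte at 0c, then the report that repeats after the
# finger is lifted) plus one constructed non-report line.
SAMPLE_LOG = """\
[ 1984.266697] i2c_hid i2c-DLL060A:00: input: 20 00 0c 0c 01 00 72 5a a7 0e 77 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 1984.286921] i2c_hid i2c-DLL060A:00: input: 20 00 0c 0c 01 00 73 59 96 0a 5a 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 1984.296888] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 00 00 73 59 96 00 00 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 1984.306825] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 00 00 73 59 96 00 00 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 1984.316980] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 00 00 73 59 96 00 00 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 1984.320000] i2c_hid i2c-DLL060A:00: constructed line that is not an input report
"""


def analyse(text: str, min_repeats: int = 3) -> Dict[str, object]:
    """Summarise a debug capture: reports parsed, length mismatches, wide
    contacts, and where identical reports start repeating."""
    reports = [r for r in map(parse_line, text.splitlines()) if r is not None]
    return {
        "reports": len(reports),
        "bad_length": [r.ts for r in reports if not r.length_ok],
        "wide_contacts": [r.ts for r in reports if has_wide_contact(r)],
        "stuck_runs": find_stuck_runs(reports, min_repeats),
    }


if __name__ == "__main__":
    for key, value in analyse(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```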

* Re: NULL pointer dereference in i2c-hid
@ 2014-12-11 21:34                     ` Andrew Duggan
  0 siblings, 0 replies; 34+ messages in thread
From: Andrew Duggan @ 2014-12-11 21:34 UTC (permalink / raw)
  To: Gabriele Mazzotta
  Cc: Mika Westerberg, linux-input, linux-kernel, benjamin.tissoires, jkosina

On 12/11/2014 01:17 PM, Gabriele Mazzotta wrote:
> On Thursday 11 December 2014 12:46:53 Andrew Duggan wrote:
>> On 12/11/2014 11:40 AM, Gabriele Mazzotta wrote:
>>> On Thursday 11 December 2014 11:21:43 Andrew Duggan wrote:
>>>> On 12/11/2014 11:11 AM, Gabriele Mazzotta wrote:
>>>>> On Thursday 11 December 2014 10:40:05 Andrew Duggan wrote:
>>>>>> On 12/11/2014 10:16 AM, Gabriele Mazzotta wrote:
>>>>>>> On Thursday 11 December 2014 16:03:07 Mika Westerberg wrote:
>>>>>>>> On Thu, Dec 11, 2014 at 10:58:01AM +0200, Mika Westerberg wrote:
>>>>>>>>> On Wed, Dec 10, 2014 at 06:04:51PM +0100, Gabriele Mazzotta wrote:
>>>>>>>>>> my laptop uses a touchpad that needs hid-rmi along with i2c-hid to work.
>>>>>>>>>> i2c-hid and hid-rmi can be loaded and unloaded independelty from each
>>>>>>>>>> other, however since 34f439e4afcd ("HID: i2c-hid: add runtime PM support")
>>>>>>>>>> if I unload hid-rmi and after it I also unload i2c-hid, I get a NULL
>>>>>>>>>> pointer dereference.
>>>>>>>>> I'll look into this.
>>>>>>>>>
>>>>>>>>> I can reproduce this easily with i2c-hid + hid-multitouch following your
>>>>>>>>> directions.
>>>>>>>> Can you try the below patch?
>>>>>>>>
>>>>>>>> I think we shouldn't free buffers yet in ->stop() because we need the
>>>>>>>> command buffer sending power commands to the device. Also it seems that
>>>>>>>> ->start() re-allocates buffers anyway if maximum size increases.
>>>>>>>>
>>>>>>>> It shouldn't even leak memory as we release buffers at ->remove()
>>>>>>>> anyway.
>>>>>>>>
>>>>>>>> diff --git a/drivers/hid/i2c-hid/i2c-hid.c b/drivers/hid/i2c-hid/i2c-hid.c
>>>>>>>> index 62cec01937ea..68a8c938feea 100644
>>>>>>>> --- a/drivers/hid/i2c-hid/i2c-hid.c
>>>>>>>> +++ b/drivers/hid/i2c-hid/i2c-hid.c
>>>>>>>> @@ -705,12 +705,7 @@ static int i2c_hid_start(struct hid_device *hid)
>>>>>>>>      
>>>>>>>>      static void i2c_hid_stop(struct hid_device *hid)
>>>>>>>>      {
>>>>>>>> -	struct i2c_client *client = hid->driver_data;
>>>>>>>> -	struct i2c_hid *ihid = i2c_get_clientdata(client);
>>>>>>>> -
>>>>>>>>      	hid->claimed = 0;
>>>>>>>> -
>>>>>>>> -	i2c_hid_free_buffers(ihid);
>>>>>>>>      }
>>>>>>>>      
>>>>>>>>      static int i2c_hid_open(struct hid_device *hid)
>>>>>>> Yes, it works, thanks.
>>>>>>>
>>>>>>> This change seems to also prevent kernel ooops when I unload either
>>>>>>> i2c-hid or i2c-designware-platform while the touchpad is in use,
>>>>>>> thing that is likely to happen because of the other bug I reported.
>>>>>>>
>>>>>>> Speaking of it, does any of you have any suggestion on how to debug it?
>>>>>> I was able to reproduce the initial issue by unloading hid-rmi and
>>>>>> i2c-hid while holding my fingers on the touchpad. Mika's patch fixes it
>>>>>> for me.
>>>>>>
>>>>>> For the original bug, you can modprobe i2c-hid debug=1 and we can see
>>>>>> what data the touchpad is reporting. That might help narrowing down if
>>>>>> it's noise which the touchpad thinks are fingers or if there is a
>>>>>> problem with the I2C lines causing spurious interrupts.
>>>>>>
>>>>>> Andrew
>>>>> I've already tried to do that and here what I got:
>>>>>
>>>>> When I release the finger, the last message is repeated 81 times.
>>>>> If the byte containing informations about the width of the finger
>>>>> becomes equal to either c0 or 0c at least once, the last message is
>>>>> repeated indefinitely and changes as soon as I start using the touchpad.
>>>>> The only way to stop it is to unload and reload i2c-hid.
>>>> The reports before log throttling kicks in would still be useful. For
>>>> instance c0 is outside of the range of finger width which we report so
>>>> something is wrong there. But, the touchpad should stop interrupting
>>>> once the finger is lifted. The fact that subsequent reads are reporting
>>>> the same data does sound like a problem with I2C getting confused and
>>>> continuously interrupting and reading the old finger data. I am also
>>>> curious about the value of the byte after the report id.
>>>>
>>>> Andrew
>>> If I'm not wrong c0 means that the width is 12 on the y axis, while 0c means
>>> that the width is 12 on the x axis.
>> You are correct! I forgot width was 4 bits for X and Y in the same byte.
>> That makes more sense.
>>
>>> I have to correct myself. The important thing is that the byte is either
>>> cx or xc, where x is anything below c.
>>>
>>> Another correction. Sometimes unloading i2c-hid is not enough; I have to
>>> first disable the touchpad with xinput and then unload i2c-hid. If I
>>> don't do it, the messages start reappearing as soon as I reload i2c-hid.
>>>
>>> I did several tests in the past months and I'm quite sure that the bug
>>> happens only past xc/cy.
>> This may be coincidental. It is not obvious to me why a certain width
>> value would cause the symptoms described.
> Yes, I don't deny it. This is just a constant I found in my tests.
>
>>> Here are a few lines right before the bug. The last line is repeated indefinitely:
>>>
>>> [ 1983.527097] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 67 5b 61 0a 5f 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>> [ 1983.537211] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 67 5b 63 0a 60 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>> [ 1983.547329] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 67 5b 64 0a 60 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>> [ 1983.557486] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 67 5b 66 0a 60 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>> [ 1983.567663] i2c_hid i2c-DLL060A:00: input: 20 00 0c 0c 01 00 67 5b 68 0a 60 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>> [ 1983.577719] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 67 5b 6a 0a 61 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>> [ 1983.587852] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 67 5b 6b 0a 61 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>> [ 1983.598001] i2c_hid i2c-DLL060A:00: input: 20 00 0c 0c 01 00 67 5b 6e 0a 62 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>> [ 1983.608215] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 68 5b 61 0a 62 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>> [ 1983.618288] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 68 5b 64 0b 63 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>> [ 1983.628493] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 68 5b 67 0b 63 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>> [ 1983.638552] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 68 5b 69 0b 64 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>> [ 1983.648663] i2c_hid i2c-DLL060A:00: input: 20 00 0c 0c 01 00 68 5b 6c 0b 64 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>> [ 1983.658789] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 68 5b 6f 0b 64 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>> [ 1983.668923] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 69 5b 61 0b 65 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>> [ 1983.678819] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 69 5b 64 0b 65 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>> [ 1983.689230] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 69 5b 66 0b 65 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>> [ 1983.699435] i2c_hid i2c-DLL060A:00: input: 20 00 0c 0c 01 00 69 5b 68 0b 65 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>> [ 1983.709502] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 69 5b 6a 0b 66 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>> [ 1983.719574] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 69 5b 6c 0b 66 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>> [ 1983.729713] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 69 5b 6e 0b 66 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>> [ 1983.739863] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 6a 5b 60 0b 66 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>> [ 1983.750001] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 6a 5b 62 0b 66 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>> [ 1983.760150] i2c_hid i2c-DLL060A:00: input: 20 00 0c 0c 01 00 6a 5b 64 0b 67 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>> [ 1983.770291] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 6a 5b 66 0b 67 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>> [ 1983.780445] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 6a 5b 68 0b 67 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>> [ 1983.790490] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 6a 5b 5a 0b 68 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>> [ 1983.800667] i2c_hid i2c-DLL060A:00: input: 20 00 0c 0c 01 00 6a 5b 4e 0c 69 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>> [ 1983.810691] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 6b 5b 31 0c 69 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>> [ 1983.820963] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 6b 5b 24 0c 6a 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>> [ 1983.831071] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 6b 5b 17 0c 6a 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>> [ 1983.841178] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 6b 5b 09 0c 6a 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>> [ 1983.851325] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 6b 5b 0b 0c 6b 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>> [ 1983.861435] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 6b 5b 0d 0c 6b 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>> [ 1983.871566] i2c_hid i2c-DLL060A:00: input: 20 00 0c 0c 01 00 6b 5b 0f 0c 6b 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>> [ 1983.881735] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 6c 5b 01 0c 6b 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>> [ 1983.891975] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 6c 5b 03 0c 6b 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>> [ 1983.902073] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 6c 5b 05 0c 6c 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>> [ 1983.912155] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 6c 5b 07 0c 6b 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>> [ 1983.922224] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 6c 5b 09 0c 6c 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>> [ 1983.932364] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 6c 5b 0b 0c 6c 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>> [ 1983.942480] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 6c 5b 0d 0c 6c 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>> [ 1983.952612] i2c_hid i2c-DLL060A:00: input: 20 00 0c 0c 01 00 6c 5b 0f 0c 6c 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>> [ 1983.962774] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 6d 5a f1 0d 6d 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>> [ 1983.972932] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 6d 5a f3 0d 6e 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>> [ 1983.982872] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 6d 5a f6 0d 6f 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>> [ 1983.993194] i2c_hid i2c-DLL060A:00: input: 20 00 0c 0c 01 00 6d 5a f9 0d 6f 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>> [ 1984.003295] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 6d 5a fc 0d 6f 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>> [ 1984.013511] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 6d 5a ff 0d 70 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>> [ 1984.023590] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 6e 5a f2 0d 70 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>> [ 1984.033747] i2c_hid i2c-DLL060A:00: input: 20 00 0c 0c 01 00 6e 5a f5 0e 71 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>> [ 1984.043850] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 6e 5a f8 0e 71 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>> [ 1984.053873] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 6e 5a fb 0e 71 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>> [ 1984.064077] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 6e 5a fe 0e 72 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>> [ 1984.074207] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 6f 5a f1 0e 72 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>> [ 1984.084425] i2c_hid i2c-DLL060A:00: input: 20 00 0c 0c 01 00 6f 5a f3 0e 72 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>> [ 1984.094533] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 6f 5a f6 0e 73 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>> [ 1984.104629] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 6f 5a f8 0e 73 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>> [ 1984.114742] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 6f 5a fa 0e 73 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>> [ 1984.124890] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 6f 5a fc 0e 73 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>> [ 1984.135006] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 6f 5a fe 0e 73 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>> [ 1984.145149] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 70 5a f0 0e 73 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>> [ 1984.155317] i2c_hid i2c-DLL060A:00: input: 20 00 0c 0c 01 00 70 5a e2 0e 73 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>> [ 1984.165380] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 70 5a d4 0d 74 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>> [ 1984.175532] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 70 5a d6 0d 74 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>> [ 1984.185409] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 70 5a d8 0d 75 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>> [ 1984.195761] i2c_hid i2c-DLL060A:00: input: 20 00 0c 0c 01 00 70 5a db 0d 75 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>> [ 1984.205909] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 70 5a dd 0d 75 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>> [ 1984.216034] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 71 5a d0 0e 76 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>> [ 1984.226198] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 71 5a d3 0e 77 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>> [ 1984.236301] i2c_hid i2c-DLL060A:00: input: 20 00 0c 0c 01 00 71 5a d6 0e 77 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>> [ 1984.246520] i2c_hid i2c-DLL060A:00: input: 20 00 0c 0c 01 00 71 5a cb 0f 79 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>> [ 1984.256573] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 72 5a b1 0e 78 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>> [ 1984.266697] i2c_hid i2c-DLL060A:00: input: 20 00 0c 0c 01 00 72 5a a7 0e 77 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>> [ 1984.276823] i2c_hid i2c-DLL060A:00: input: 20 00 0c 0c 01 00 72 5a 6d 0d 72 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>> [ 1984.286921] i2c_hid i2c-DLL060A:00: input: 20 00 0c 0c 01 00 73 59 96 0a 5a 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>> [ 1984.296888] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 00 00 73 59 96 00 00 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>> [ 1984.306825] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 00 00 73 59 96 00 00 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>> [ 1984.316980] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 00 00 73 59 96 00 00 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>> The last report which repeats indicates that no fingers are present.
>> But, the click button is generating the interrupt and it is reporting
>> that it is in the down position. Could the click button be getting stuck
>> down? That would also explain why the data in the report is not
>> changing. Could you be bumping the touchpad with your palm which is
>> causing the click button to get stuck in the down position? That might
>> also explain the large width value. Our max width is 15, so 12 would
>> typically indicate a contact larger than a normal finger contact. That
>> would explain the width of 12 showing up when this happens.
> Yes, that's not a normal finger touch and the reported width seems
> quite accurate to me. There are no clicks involved; laying the side of
> my thumb gently on the top part of the clickpad (from where even voluntary
> clicks are hard to obtain) is enough to trigger the bug. If a click is
> reported, then something is really wrong.

Do the reports look the same? With the repeated reports starting with 
"20 00 0c 04"?

>> Andrew



* Re: NULL pointer dereference in i2c-hid
  2014-12-11 21:34                     ` Andrew Duggan
@ 2014-12-11 21:57                     ` Gabriele Mazzotta
  2014-12-12  0:26                         ` Andrew Duggan
  -1 siblings, 1 reply; 34+ messages in thread
From: Gabriele Mazzotta @ 2014-12-11 21:57 UTC (permalink / raw)
  To: Andrew Duggan
  Cc: Mika Westerberg, linux-input, linux-kernel, benjamin.tissoires, jkosina

On Thursday 11 December 2014 13:34:02 Andrew Duggan wrote:
> On 12/11/2014 01:17 PM, Gabriele Mazzotta wrote:
> > On Thursday 11 December 2014 12:46:53 Andrew Duggan wrote:
> >> On 12/11/2014 11:40 AM, Gabriele Mazzotta wrote:
> >>> On Thursday 11 December 2014 11:21:43 Andrew Duggan wrote:
> >>>> On 12/11/2014 11:11 AM, Gabriele Mazzotta wrote:
> >>>>> On Thursday 11 December 2014 10:40:05 Andrew Duggan wrote:
> >>>>>> On 12/11/2014 10:16 AM, Gabriele Mazzotta wrote:
> >>>>>>> On Thursday 11 December 2014 16:03:07 Mika Westerberg wrote:
> >>>>>>>> On Thu, Dec 11, 2014 at 10:58:01AM +0200, Mika Westerberg wrote:
> >>>>>>>>> On Wed, Dec 10, 2014 at 06:04:51PM +0100, Gabriele Mazzotta wrote:
> >>>>>>>>>> my laptop uses a touchpad that needs hid-rmi along with i2c-hid to work.
> >>>>>>>>>> i2c-hid and hid-rmi can be loaded and unloaded independently from each
> >>>>>>>>>> other, however since 34f439e4afcd ("HID: i2c-hid: add runtime PM support")
> >>>>>>>>>> if I unload hid-rmi and after it I also unload i2c-hid, I get a NULL
> >>>>>>>>>> pointer dereference.
> >>>>>>>>> I'll look into this.
> >>>>>>>>>
> >>>>>>>>> I can reproduce this easily with i2c-hid + hid-multitouch following your
> >>>>>>>>> directions.
> >>>>>>>> Can you try the below patch?
> >>>>>>>>
> >>>>>>>> I think we shouldn't free buffers yet in ->stop() because we need the
> >>>>>>>> command buffer sending power commands to the device. Also it seems that
> >>>>>>>> ->start() re-allocates buffers anyway if maximum size increases.
> >>>>>>>>
> >>>>>>>> It shouldn't even leak memory as we release buffers at ->remove()
> >>>>>>>> anyway.
> >>>>>>>>
> >>>>>>>> diff --git a/drivers/hid/i2c-hid/i2c-hid.c b/drivers/hid/i2c-hid/i2c-hid.c
> >>>>>>>> index 62cec01937ea..68a8c938feea 100644
> >>>>>>>> --- a/drivers/hid/i2c-hid/i2c-hid.c
> >>>>>>>> +++ b/drivers/hid/i2c-hid/i2c-hid.c
> >>>>>>>> @@ -705,12 +705,7 @@ static int i2c_hid_start(struct hid_device *hid)
> >>>>>>>>      
> >>>>>>>>      static void i2c_hid_stop(struct hid_device *hid)
> >>>>>>>>      {
> >>>>>>>> -	struct i2c_client *client = hid->driver_data;
> >>>>>>>> -	struct i2c_hid *ihid = i2c_get_clientdata(client);
> >>>>>>>> -
> >>>>>>>>      	hid->claimed = 0;
> >>>>>>>> -
> >>>>>>>> -	i2c_hid_free_buffers(ihid);
> >>>>>>>>      }
> >>>>>>>>      
> >>>>>>>>      static int i2c_hid_open(struct hid_device *hid)
> >>>>>>> Yes, it works, thanks.
> >>>>>>>
> >>>>>>> This change seems to also prevent a kernel oops when I unload either
> >>>>>>> i2c-hid or i2c-designware-platform while the touchpad is in use,
> >>>>>>> something that is likely to happen because of the other bug I reported.
> >>>>>>>
> >>>>>>> Speaking of it, does any of you have any suggestion on how to debug it?
> >>>>>> I was able to reproduce the initial issue by unloading hid-rmi and
> >>>>>> i2c-hid while holding my fingers on the touchpad. Mika's patch fixes it
> >>>>>> for me.
> >>>>>>
> >>>>>> For the original bug, you can modprobe i2c-hid debug=1 and we can see
> >>>>>> what data the touchpad is reporting. That might help narrowing down if
> >>>>>> it's noise which the touchpad thinks are fingers or if there is a
> >>>>>> problem with the I2C lines causing spurious interrupts.
> >>>>>>
> >>>>>> Andrew
> >>>>> I've already tried to do that and here is what I got:
> >>>>>
> >>>>> When I release the finger, the last message is repeated 81 times.
> >>>>> If the byte containing information about the width of the finger
> >>>>> becomes equal to either c0 or 0c at least once, the last message is
> >>>>> repeated indefinitely and changes as soon as I start using the touchpad.
> >>>>> The only way to stop it is to unload and reload i2c-hid.
> >>>> The reports before log throttling kicks in would still be useful. For
> >>>> instance c0 is outside of the range of finger width which we report so
> >>>> something is wrong there. But, the touchpad should stop interrupting
> >>>> once the finger is lifted. The fact that subsequent reads are reporting
> >>>> the same data does sound like a problem with I2C getting confused and
> >>>> continuously interrupting and reading the old finger data. I am also
> >>>> curious about the value of the byte after the report id.
> >>>>
> >>>> Andrew
> >>> If I'm not wrong c0 means that the width is 12 on the y axis, while 0c means
> >>> that the width is 12 on the x axis.
> >> You are correct! I forgot width was 4 bits for X and Y in the same byte.
> >> That makes more sense.
> >>
> >>> I have to correct myself. The important thing is that the byte is either
> >>> cx or xc, where x is anything below c.
> >>>
> >>> Another correction. Sometimes unloading i2c-hid is not enough; I have to
> >>> first disable the touchpad with xinput and then unload i2c-hid. If I
> >>> don't do it, the messages start reappearing as soon as I reload i2c-hid.
> >>>
> >>> I did several tests in the past months and I'm quite sure that the bug
> >>> happens only past xc/cy.
> >> This may be coincidental. It is not obvious to me why a certain width
> >> value would cause the symptoms described.
> > Yes, I don't deny it. This is just a constant I found in my tests.
> >
> >>> Here are a few lines right before the bug. The last line is repeated indefinitely:
> >>>
> >>> [ 1983.527097] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 67 5b 61 0a 5f 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> >>> [ 1983.537211] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 67 5b 63 0a 60 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> >>> [ 1983.547329] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 67 5b 64 0a 60 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> >>> [ 1983.557486] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 67 5b 66 0a 60 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> >>> [ 1983.567663] i2c_hid i2c-DLL060A:00: input: 20 00 0c 0c 01 00 67 5b 68 0a 60 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> >>> [ 1983.577719] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 67 5b 6a 0a 61 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> >>> [ 1983.587852] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 67 5b 6b 0a 61 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> >>> [ 1983.598001] i2c_hid i2c-DLL060A:00: input: 20 00 0c 0c 01 00 67 5b 6e 0a 62 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> >>> [ 1983.608215] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 68 5b 61 0a 62 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> >>> [ 1983.618288] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 68 5b 64 0b 63 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> >>> [ 1983.628493] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 68 5b 67 0b 63 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> >>> [ 1983.638552] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 68 5b 69 0b 64 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> >>> [ 1983.648663] i2c_hid i2c-DLL060A:00: input: 20 00 0c 0c 01 00 68 5b 6c 0b 64 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> >>> [ 1983.658789] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 68 5b 6f 0b 64 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> >>> [ 1983.668923] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 69 5b 61 0b 65 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> >>> [ 1983.678819] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 69 5b 64 0b 65 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> >>> [ 1983.689230] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 69 5b 66 0b 65 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> >>> [ 1983.699435] i2c_hid i2c-DLL060A:00: input: 20 00 0c 0c 01 00 69 5b 68 0b 65 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> >>> [ 1983.709502] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 69 5b 6a 0b 66 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> >>> [ 1983.719574] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 69 5b 6c 0b 66 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> >>> [ 1983.729713] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 69 5b 6e 0b 66 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> >>> [ 1983.739863] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 6a 5b 60 0b 66 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> >>> [ 1983.750001] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 6a 5b 62 0b 66 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> >>> [ 1983.760150] i2c_hid i2c-DLL060A:00: input: 20 00 0c 0c 01 00 6a 5b 64 0b 67 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> >>> [ 1983.770291] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 6a 5b 66 0b 67 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> >>> [ 1983.780445] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 6a 5b 68 0b 67 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> >>> [ 1983.790490] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 6a 5b 5a 0b 68 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> >>> [ 1983.800667] i2c_hid i2c-DLL060A:00: input: 20 00 0c 0c 01 00 6a 5b 4e 0c 69 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> >>> [ 1983.810691] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 6b 5b 31 0c 69 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> >>> [ 1983.820963] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 6b 5b 24 0c 6a 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> >>> [ 1983.831071] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 6b 5b 17 0c 6a 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> >>> [ 1983.841178] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 6b 5b 09 0c 6a 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> >>> [ 1983.851325] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 6b 5b 0b 0c 6b 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> >>> [ 1983.861435] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 6b 5b 0d 0c 6b 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> >>> [ 1983.871566] i2c_hid i2c-DLL060A:00: input: 20 00 0c 0c 01 00 6b 5b 0f 0c 6b 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> >>> [ 1983.881735] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 6c 5b 01 0c 6b 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> >>> [ 1983.891975] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 6c 5b 03 0c 6b 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> >>> [ 1983.902073] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 6c 5b 05 0c 6c 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> >>> [ 1983.912155] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 6c 5b 07 0c 6b 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> >>> [ 1983.922224] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 6c 5b 09 0c 6c 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> >>> [ 1983.932364] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 6c 5b 0b 0c 6c 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> >>> [ 1983.942480] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 6c 5b 0d 0c 6c 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> >>> [ 1983.952612] i2c_hid i2c-DLL060A:00: input: 20 00 0c 0c 01 00 6c 5b 0f 0c 6c 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> >>> [ 1983.962774] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 6d 5a f1 0d 6d 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> >>> [ 1983.972932] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 6d 5a f3 0d 6e 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> >>> [ 1983.982872] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 6d 5a f6 0d 6f 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> >>> [ 1983.993194] i2c_hid i2c-DLL060A:00: input: 20 00 0c 0c 01 00 6d 5a f9 0d 6f 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> >>> [ 1984.003295] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 6d 5a fc 0d 6f 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> >>> [ 1984.013511] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 6d 5a ff 0d 70 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> >>> [ 1984.023590] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 6e 5a f2 0d 70 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> >>> [ 1984.033747] i2c_hid i2c-DLL060A:00: input: 20 00 0c 0c 01 00 6e 5a f5 0e 71 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> >>> [ 1984.043850] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 6e 5a f8 0e 71 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> >>> [ 1984.053873] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 6e 5a fb 0e 71 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> >>> [ 1984.064077] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 6e 5a fe 0e 72 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> >>> [ 1984.074207] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 6f 5a f1 0e 72 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> >>> [ 1984.084425] i2c_hid i2c-DLL060A:00: input: 20 00 0c 0c 01 00 6f 5a f3 0e 72 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> >>> [ 1984.094533] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 6f 5a f6 0e 73 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> >>> [ 1984.104629] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 6f 5a f8 0e 73 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> >>> [ 1984.114742] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 6f 5a fa 0e 73 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> >>> [ 1984.124890] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 6f 5a fc 0e 73 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> >>> [ 1984.135006] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 6f 5a fe 0e 73 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> >>> [ 1984.145149] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 70 5a f0 0e 73 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> >>> [ 1984.155317] i2c_hid i2c-DLL060A:00: input: 20 00 0c 0c 01 00 70 5a e2 0e 73 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> >>> [ 1984.165380] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 70 5a d4 0d 74 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> >>> [ 1984.175532] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 70 5a d6 0d 74 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> >>> [ 1984.185409] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 70 5a d8 0d 75 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> >>> [ 1984.195761] i2c_hid i2c-DLL060A:00: input: 20 00 0c 0c 01 00 70 5a db 0d 75 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> >>> [ 1984.205909] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 70 5a dd 0d 75 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> >>> [ 1984.216034] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 71 5a d0 0e 76 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> >>> [ 1984.226198] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 71 5a d3 0e 77 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> >>> [ 1984.236301] i2c_hid i2c-DLL060A:00: input: 20 00 0c 0c 01 00 71 5a d6 0e 77 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> >>> [ 1984.246520] i2c_hid i2c-DLL060A:00: input: 20 00 0c 0c 01 00 71 5a cb 0f 79 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> >>> [ 1984.256573] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 72 5a b1 0e 78 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> >>> [ 1984.266697] i2c_hid i2c-DLL060A:00: input: 20 00 0c 0c 01 00 72 5a a7 0e 77 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> >>> [ 1984.276823] i2c_hid i2c-DLL060A:00: input: 20 00 0c 0c 01 00 72 5a 6d 0d 72 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> >>> [ 1984.286921] i2c_hid i2c-DLL060A:00: input: 20 00 0c 0c 01 00 73 59 96 0a 5a 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> >>> [ 1984.296888] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 00 00 73 59 96 00 00 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> >>> [ 1984.306825] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 00 00 73 59 96 00 00 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> >>> [ 1984.316980] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 00 00 73 59 96 00 00 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> >> The last report which repeats indicates that no fingers are present.
> >> But, the click button is generating the interrupt and it is reporting
> >> that it is in the down position. Could the click button be getting stuck
> >> down? That would also explain why the data in the report is not
> >> changing. Could you be bumping the touchpad with your palm which is
> >> causing the click button to get stuck in the down position? That might
> >> also explain the large width value. Our max width is 15, so 12 would
> >> typically indicate a contact larger than a normal finger contact. That
> >> would explain the width of 12 showing up when this happens.
> > Yes, that's not a normal finger touch and the reported width seems
> > quite accurate to me. There are no clicks involved, laying the side of
> > my thumb gently on the top part of the clickpad (from where even voluntary
> > clicks are hard to obtain) is enough to trigger the bug. If a click is
> > reported, then something is really wrong.
> 
> Do the reports look the same? With the repeated reports starting with 
> "20 00 0c 04"?

I'm not sure I understood exactly what you want to know, so this might
not answer your questions.

All the repeated messages look like this:

20 00 0c 04 00 00 27 57 fa 00 00 07 8a 0c 00 00 7e 87 eb 00 00 aa 8f 37 00 00 61 4d f1 00 00 00

The values equal to zero are always equal to zero when there are no
fingers on the touchpad. The non-zero values are equal to the last
valid value recorded and don't change when the fingers are released.

To get the above line I touched the touchpad with 5 fingers so that
all the bytes (except the last one which is different from zero on
click release) were used.

> >> Andrew
> 


^ permalink raw reply	[flat|nested] 34+ messages in thread

* Re: NULL pointer dereference in i2c-hid
  2014-12-11 21:57                     ` Gabriele Mazzotta
@ 2014-12-12  0:26                         ` Andrew Duggan
  0 siblings, 0 replies; 34+ messages in thread
From: Andrew Duggan @ 2014-12-12  0:26 UTC (permalink / raw)
  To: Gabriele Mazzotta
  Cc: Mika Westerberg, linux-input, linux-kernel, benjamin.tissoires, jkosina

On 12/11/2014 01:57 PM, Gabriele Mazzotta wrote:
> On Thursday 11 December 2014 13:34:02 Andrew Duggan wrote:
>> On 12/11/2014 01:17 PM, Gabriele Mazzotta wrote:
>>> On Thursday 11 December 2014 12:46:53 Andrew Duggan wrote:
>>>> On 12/11/2014 11:40 AM, Gabriele Mazzotta wrote:
>>>>> On Thursday 11 December 2014 11:21:43 Andrew Duggan wrote:
>>>>>> On 12/11/2014 11:11 AM, Gabriele Mazzotta wrote:
>>>>>>> On Thursday 11 December 2014 10:40:05 Andrew Duggan wrote:
>>>>>>>> On 12/11/2014 10:16 AM, Gabriele Mazzotta wrote:
>>>>>>>>> On Thursday 11 December 2014 16:03:07 Mika Westerberg wrote:
>>>>>>>>>> On Thu, Dec 11, 2014 at 10:58:01AM +0200, Mika Westerberg wrote:
>>>>>>>>>>> On Wed, Dec 10, 2014 at 06:04:51PM +0100, Gabriele Mazzotta wrote:
>>>>>>>>>>>> my laptop uses a touchpad that needs hid-rmi along with i2c-hid to work.
>>>>>>>>>>>> i2c-hid and hid-rmi can be loaded and unloaded independently from each
>>>>>>>>>>>> other, however since 34f439e4afcd ("HID: i2c-hid: add runtime PM support")
>>>>>>>>>>>> if I unload hid-rmi and after it I also unload i2c-hid, I get a NULL
>>>>>>>>>>>> pointer dereference.
>>>>>>>>>>> I'll look into this.
>>>>>>>>>>>
>>>>>>>>>>> I can reproduce this easily with i2c-hid + hid-multitouch following your
>>>>>>>>>>> directions.
>>>>>>>>>> Can you try the below patch?
>>>>>>>>>>
>>>>>>>>>> I think we shouldn't free buffers yet in ->stop() because we need the
>>>>>>>>>> command buffer sending power commands to the device. Also it seems that
>>>>>>>>>> ->start() re-allocates buffers anyway if maximum size increases.
>>>>>>>>>>
>>>>>>>>>> It shouldn't even leak memory as we release buffers at ->remove()
>>>>>>>>>> anyway.
>>>>>>>>>>
>>>>>>>>>> diff --git a/drivers/hid/i2c-hid/i2c-hid.c b/drivers/hid/i2c-hid/i2c-hid.c
>>>>>>>>>> index 62cec01937ea..68a8c938feea 100644
>>>>>>>>>> --- a/drivers/hid/i2c-hid/i2c-hid.c
>>>>>>>>>> +++ b/drivers/hid/i2c-hid/i2c-hid.c
>>>>>>>>>> @@ -705,12 +705,7 @@ static int i2c_hid_start(struct hid_device *hid)
>>>>>>>>>>       
>>>>>>>>>>       static void i2c_hid_stop(struct hid_device *hid)
>>>>>>>>>>       {
>>>>>>>>>> -	struct i2c_client *client = hid->driver_data;
>>>>>>>>>> -	struct i2c_hid *ihid = i2c_get_clientdata(client);
>>>>>>>>>> -
>>>>>>>>>>       	hid->claimed = 0;
>>>>>>>>>> -
>>>>>>>>>> -	i2c_hid_free_buffers(ihid);
>>>>>>>>>>       }
>>>>>>>>>>       
>>>>>>>>>>       static int i2c_hid_open(struct hid_device *hid)
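Review bot: with i2c_hid_free_buffers() gone from i2c_hid_stop(), the buffers now live until ->remove(), so the ->start() reallocation this relies on ("re-allocates buffers anyway if maximum size increases") must free the old set before allocating a larger one, otherwise every stop/start cycle that grows the report size leaks the previous buffers; please confirm that path does so, or make the free explicit there. The reason the command buffer has to outlive ->stop() (the power command sent through it after hid-rmi or hid-multitouch unbinds) belongs in the commit message, and the patch as posted carries no Signed-off-by.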
>>>>>>>>> Yes, it works, thanks.
>>>>>>>>>
>>>>>>>>> This change seems to also prevent a kernel oops when I unload either
>>>>>>>>> i2c-hid or i2c-designware-platform while the touchpad is in use,
>>>>>>>>> something that is likely to happen because of the other bug I reported.
>>>>>>>>>
>>>>>>>>> Speaking of it, does any of you have any suggestion on how to debug it?
>>>>>>>> I was able to reproduce the initial issue by unloading hid-rmi and
>>>>>>>> i2c-hid while holding my fingers on the touchpad. Mika's patch fixes it
>>>>>>>> for me.
>>>>>>>>
>>>>>>>> For the original bug, you can modprobe i2c-hid debug=1 and we can see
>>>>>>>> what data the touchpad is reporting. That might help narrowing down if
>>>>>>>> it's noise which the touchpad thinks are fingers or if there is a
>>>>>>>> problem with the I2C lines causing spurious interrupts.
>>>>>>>>
>>>>>>>> Andrew
>>>>>>> I've already tried to do that and here is what I got:
>>>>>>>
>>>>>>> When I release the finger, the last message is repeated 81 times.
>>>>>>> If the byte containing information about the width of the finger
>>>>>>> becomes equal to either c0 or 0c at least once, the last message is
>>>>>>> repeated indefinitely and changes as soon as I start using the touchpad.
>>>>>>> The only way to stop it is to unload and reload i2c-hid.
>>>>>> The reports before log throttling kicks in would still be useful. For
>>>>>> instance c0 is outside of the range of finger width which we report so
>>>>>> something is wrong there. But, the touchpad should stop interrupting
>>>>>> once the finger is lifted. The fact that subsequent reads are reporting
>>>>>> the same data does sound like a problem with I2C getting confused and
>>>>>> continuously interrupting and reading the old finger data. I am also
>>>>>> curious about the value of the byte after the report id.
>>>>>>
>>>>>> Andrew
>>>>> If I'm not wrong c0 means that the width is 12 on y axis, while 0c means
>>>>> that the width is 12 on the x axis.
>>>> You are correct! I forgot width was 4 bits for X and Y in the same byte.
>>>> That makes more sense.
>>>>
>>>>> I have to correct myself. The important thing is that the byte is either
>>>>> cx or xc, where x is anything below c.
>>>>>
>>>>> Another correction. Sometimes unloading i2c-hid is not enough, I have to
>>>>> first disable the touchpad with xinput and then unload i2c-hid. If I
>>>>> don't do it, the messages start reappearing as soon as I reload i2c-hid.
>>>>>
>>>>> I did several tests in the past months and I'm quite sure that the bug
>>>>> happens only past xc/cy.
>>>> This may be coincidental. It is not obvious to me why a certain width
>>>> value would cause the symptoms described.
>>> Yes, I don't deny it. This is just a constant I found in my tests.
>>>
>>>>> Here are a few lines right before the bug. The last line is repeated indefinitely:
>>>>>
>>>>> [ 1983.527097] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 67 5b 61 0a 5f 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>>>> [ 1983.537211] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 67 5b 63 0a 60 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>>>> [ 1983.547329] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 67 5b 64 0a 60 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>>>> [ 1983.557486] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 67 5b 66 0a 60 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>>>> [ 1983.567663] i2c_hid i2c-DLL060A:00: input: 20 00 0c 0c 01 00 67 5b 68 0a 60 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>>>> [ 1983.577719] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 67 5b 6a 0a 61 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>>>> [ 1983.587852] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 67 5b 6b 0a 61 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>>>> [ 1983.598001] i2c_hid i2c-DLL060A:00: input: 20 00 0c 0c 01 00 67 5b 6e 0a 62 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>>>> [ 1983.608215] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 68 5b 61 0a 62 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>>>> [ 1983.618288] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 68 5b 64 0b 63 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>>>> [ 1983.628493] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 68 5b 67 0b 63 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>>>> [ 1983.638552] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 68 5b 69 0b 64 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>>>> [ 1983.648663] i2c_hid i2c-DLL060A:00: input: 20 00 0c 0c 01 00 68 5b 6c 0b 64 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>>>> [ 1983.658789] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 68 5b 6f 0b 64 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>>>> [ 1983.668923] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 69 5b 61 0b 65 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>>>> [ 1983.678819] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 69 5b 64 0b 65 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>>>> [ 1983.689230] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 69 5b 66 0b 65 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>>>> [ 1983.699435] i2c_hid i2c-DLL060A:00: input: 20 00 0c 0c 01 00 69 5b 68 0b 65 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>>>> [ 1983.709502] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 69 5b 6a 0b 66 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>>>> [ 1983.719574] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 69 5b 6c 0b 66 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>>>> [ 1983.729713] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 69 5b 6e 0b 66 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>>>> [ 1983.739863] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 6a 5b 60 0b 66 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>>>> [ 1983.750001] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 6a 5b 62 0b 66 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>>>> [ 1983.760150] i2c_hid i2c-DLL060A:00: input: 20 00 0c 0c 01 00 6a 5b 64 0b 67 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>>>> [ 1983.770291] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 6a 5b 66 0b 67 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>>>> [ 1983.780445] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 6a 5b 68 0b 67 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>>>> [ 1983.790490] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 6a 5b 5a 0b 68 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>>>> [ 1983.800667] i2c_hid i2c-DLL060A:00: input: 20 00 0c 0c 01 00 6a 5b 4e 0c 69 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>>>> [ 1983.810691] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 6b 5b 31 0c 69 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>>>> [ 1983.820963] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 6b 5b 24 0c 6a 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>>>> [ 1983.831071] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 6b 5b 17 0c 6a 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>>>> [ 1983.841178] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 6b 5b 09 0c 6a 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>>>> [ 1983.851325] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 6b 5b 0b 0c 6b 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>>>> [ 1983.861435] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 6b 5b 0d 0c 6b 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>>>> [ 1983.871566] i2c_hid i2c-DLL060A:00: input: 20 00 0c 0c 01 00 6b 5b 0f 0c 6b 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>>>> [ 1983.881735] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 6c 5b 01 0c 6b 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>>>> [ 1983.891975] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 6c 5b 03 0c 6b 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>>>> [ 1983.902073] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 6c 5b 05 0c 6c 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>>>> [ 1983.912155] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 6c 5b 07 0c 6b 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>>>> [ 1983.922224] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 6c 5b 09 0c 6c 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>>>> [ 1983.932364] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 6c 5b 0b 0c 6c 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>>>> [ 1983.942480] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 6c 5b 0d 0c 6c 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>>>> [ 1983.952612] i2c_hid i2c-DLL060A:00: input: 20 00 0c 0c 01 00 6c 5b 0f 0c 6c 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>>>> [ 1983.962774] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 6d 5a f1 0d 6d 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>>>> [ 1983.972932] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 6d 5a f3 0d 6e 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>>>> [ 1983.982872] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 6d 5a f6 0d 6f 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>>>> [ 1983.993194] i2c_hid i2c-DLL060A:00: input: 20 00 0c 0c 01 00 6d 5a f9 0d 6f 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>>>> [ 1984.003295] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 6d 5a fc 0d 6f 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>>>> [ 1984.013511] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 6d 5a ff 0d 70 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>>>> [ 1984.023590] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 6e 5a f2 0d 70 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>>>> [ 1984.033747] i2c_hid i2c-DLL060A:00: input: 20 00 0c 0c 01 00 6e 5a f5 0e 71 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>>>> [ 1984.043850] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 6e 5a f8 0e 71 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>>>> [ 1984.053873] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 6e 5a fb 0e 71 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>>>> [ 1984.064077] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 6e 5a fe 0e 72 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>>>> [ 1984.074207] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 6f 5a f1 0e 72 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>>>> [ 1984.084425] i2c_hid i2c-DLL060A:00: input: 20 00 0c 0c 01 00 6f 5a f3 0e 72 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>>>> [ 1984.094533] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 6f 5a f6 0e 73 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>>>> [ 1984.104629] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 6f 5a f8 0e 73 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>>>> [ 1984.114742] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 6f 5a fa 0e 73 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>>>> [ 1984.124890] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 6f 5a fc 0e 73 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>>>> [ 1984.135006] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 6f 5a fe 0e 73 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>>>> [ 1984.145149] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 70 5a f0 0e 73 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>>>> [ 1984.155317] i2c_hid i2c-DLL060A:00: input: 20 00 0c 0c 01 00 70 5a e2 0e 73 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>>>> [ 1984.165380] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 70 5a d4 0d 74 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>>>> [ 1984.175532] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 70 5a d6 0d 74 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>>>> [ 1984.185409] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 70 5a d8 0d 75 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>>>> [ 1984.195761] i2c_hid i2c-DLL060A:00: input: 20 00 0c 0c 01 00 70 5a db 0d 75 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>>>> [ 1984.205909] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 70 5a dd 0d 75 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>>>> [ 1984.216034] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 71 5a d0 0e 76 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>>>> [ 1984.226198] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 71 5a d3 0e 77 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>>>> [ 1984.236301] i2c_hid i2c-DLL060A:00: input: 20 00 0c 0c 01 00 71 5a d6 0e 77 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>>>> [ 1984.246520] i2c_hid i2c-DLL060A:00: input: 20 00 0c 0c 01 00 71 5a cb 0f 79 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>>>> [ 1984.256573] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 72 5a b1 0e 78 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>>>> [ 1984.266697] i2c_hid i2c-DLL060A:00: input: 20 00 0c 0c 01 00 72 5a a7 0e 77 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>>>> [ 1984.276823] i2c_hid i2c-DLL060A:00: input: 20 00 0c 0c 01 00 72 5a 6d 0d 72 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>>>> [ 1984.286921] i2c_hid i2c-DLL060A:00: input: 20 00 0c 0c 01 00 73 59 96 0a 5a 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>>>> [ 1984.296888] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 00 00 73 59 96 00 00 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>>>> [ 1984.306825] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 00 00 73 59 96 00 00 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>>>> [ 1984.316980] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 00 00 73 59 96 00 00 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>>> The last report which repeats indicates that no fingers are present.
>>>> But, the click button is generating the interrupt and it is reporting
>>>> that it is in the down position. Could the click button be getting stuck
>>>> down? That would also explain why the data in the report is not
>>>> changing. Could you be bumping the touchpad with your palm which is
>>>> causing the click button to get stuck in the down position? That might
>>>> also explain the large width value. Our max width is 15, so 12 would
>>>> typically indicate a contact larger than a normal finger contact. That
>>>> would explain the width of 12 showing up when this happens.
>>> Yes, that's not a normal finger touch and the reported width seems
>>> quite accurate to me. There are no clicks involved, laying the side of
>>> my thumb gently on the top part of the clickpad (from where even voluntary
>>> clicks are hard to obtain) is enough to trigger the bug. If a click is
>>> reported, then something is really wrong.
>> Do the reports look the same? With the repeated reports starting with
>> "20 00 0c 04"?
> I'm not sure I understood exactly what you want to know, so this might
> not answer your questions.
>
> All the repeated messages look like this:
>
> 20 00 0c 04 00 00 27 57 fa 00 00 07 8a 0c 00 00 7e 87 eb 00 00 aa 8f 37 00 00 61 4d f1 00 00 00
>
> The values equal to zero are always equal to zero when there are no
> fingers on the touchpad. The non-zero values are equal to the last
> valid value recorded and don't change when the fingers are released.
>
> To get the above line I touched the touchpad with 5 fingers so that
> all the bytes (except the last one which is different from zero on
> click release) were used.

Yes, that was the information I was looking for. But, this must not be 
my day since it turns out I misremembered what 0x4 stood for and this is 
unrelated to the click button. You can ignore everything I said about 
the click button =)

The report you have above is actually a finger lift report which 
indicates that all of the fingers left the touchpad. I checked the 
firmware configuration for this touchpad and it will repeat the lift 
report probably about 40 times. This is the expected behavior. However, 
you reported earlier that the message had been repeated 81 times? That 
seems a bit high and it would not explain why it gets repeated indefinitely.

You can try disabling the repeating finger lift reports and see if that 
helps. To do that you need to download a utility at:
https://github.com/aduggan/rmi4utils

After building it run:
$ sudo ./rmihidtool -r 0x45 1 /dev/hidraw0
This should print out 0x78 assuming the register address is what I 
expect. If not I can send further instructions on how to figure that out.

To disable the repeating lift report run:
$ sudo ./rmihidtool -w 0x45 0x38 /dev/hidraw0

After you do that there should only be one finger lift report.

Also, if you can get the firmware id from your touchpad that would also 
be useful.

$ sudo ./rmihidtool -f /dev/hidraw0

>>>> Andrew


^ permalink raw reply	[flat|nested] 34+ messages in thread
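The report dumps traded in this exchange decode cleanly once the finger-state bytes and the per-finger width nibble are laid out, and the "repeated N times" question is a count over consecutive byte-identical no-finger reports. The C program below is an added example, not code from this thread, from the kernel tree or from rmi4utils. It assumes the payload layout the hid-rmi driver uses for F11 touch data (two finger-state bytes with two bits per finger, then five bytes per finger: X msb, Y msb, X/Y lsb nibbles, width nibbles with X in the low nibble, Z), which the messages above only partly spell out; the byte after the report ID is carried but not interpreted, since its meaning is left open in the thread. The four sample lines are copied from the dump quoted in this message.

```c
/* Added example (not from the thread, the kernel tree or rmi4utils): decode the
 * i2c-hid "input:" dumps quoted above and count repeats of an identical lift
 * report. Layout assumed from hid-rmi's F11 handling: 2 finger-state bytes
 * (2 bits per finger), then 5 bytes per finger. */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#define MAX_FINGERS  5
#define REPORT_BYTES 32                          /* 0x0020 length prefix in the dumps */
#define F11_OFFSET   ((MAX_FINGERS >> 2) + 1)    /* finger-state bytes before finger data */

struct finger { int state, x, y, wx, wy, z; };
struct rmi_report {
    uint8_t report_id, byte1;    /* 0x0c, then the 0x04/0x0c byte the thread leaves open */
    struct finger f[MAX_FINGERS];
    int fingers_down;
};

/* "xx xx xx ..." text after "input:" -> bytes; returns how many were parsed. */
static int parse_hex_dump(const char *text, uint8_t *out, int max)
{
    int n = 0; char *end;
    for (; n < max; text = end) {
        long v = strtol(text, &end, 16);
        if (end == text)
            break;
        out[n++] = (uint8_t)v;
    }
    return n;
}

static int decode_report(const uint8_t *buf, int n, struct rmi_report *r)
{
    const uint8_t *d = buf + 4;  /* past length prefix, report id and byte1 */
    if (n < REPORT_BYTES || (buf[0] | buf[1] << 8) != n)
        return -1;               /* the prefix counts itself and must match */
    r->report_id = buf[2];
    r->byte1 = buf[3];
    r->fingers_down = 0;
    for (int i = 0; i < MAX_FINGERS; i++) {
        const uint8_t *t = d + F11_OFFSET + i * 5;
        struct finger *f = &r->f[i];
        f->state = (d[i >> 2] >> ((i & 3) << 1)) & 0x03;
        f->x  = (t[0] << 4) | (t[2] & 0x0f);   /* 12-bit X: msb byte + low nibble */
        f->y  = (t[1] << 4) | (t[2] >> 4);     /* 12-bit Y: msb byte + high nibble */
        f->wx = t[3] & 0x0f;                   /* 0x0c -> width 12 on X */
        f->wy = t[3] >> 4;                     /* 0xc0 -> width 12 on Y */
        f->z  = t[4];
        r->fingers_down += (f->state == 1);
    }
    return 0;
}

/* Decode one dmesg line into r (raw receives the bytes); -1 if not a 32-byte dump. */
int decode_line(const char *line, struct rmi_report *r, uint8_t raw[REPORT_BYTES + 1])
{
    const char *hex = strstr(line, "input:");
    return decode_report(raw, hex ? parse_hex_dump(hex + 6, raw, REPORT_BYTES + 1) : 0, r);
}

/* One field ("state", "x", "y", "wx", "wy", "z") of one finger; -1 on error. */
int line_finger_field(const char *line, int finger, const char *field)
{
    struct rmi_report r;
    uint8_t raw[REPORT_BYTES + 1];
    if (finger < 0 || finger >= MAX_FINGERS || decode_line(line, &r, raw) < 0)
        return -1;
    const struct finger *f = &r.f[finger];
    return !strcmp(field, "state") ? f->state : !strcmp(field, "x") ? f->x :
           !strcmp(field, "y") ? f->y : !strcmp(field, "wx") ? f->wx :
           !strcmp(field, "wy") ? f->wy : !strcmp(field, "z") ? f->z : -1;
}

/* Longest run of byte-identical reports with no finger down (the "lift report
 * repeated N times" symptom). Lines that do not decode are skipped. */
int longest_lift_run(const char *const *lines, int count)
{
    uint8_t prev[REPORT_BYTES] = {0}, cur[REPORT_BYTES + 1];
    int run = 0, best = 0;
    for (int i = 0; i < count; i++) {
        struct rmi_report r;
        if (decode_line(lines[i], &r, cur) < 0)
            continue;
        if (r.fingers_down == 0 && !memcmp(prev, cur, REPORT_BYTES))
            run++;
        else
            run = (r.fingers_down == 0);
        if (run > best)
            best = run;
        memcpy(prev, cur, REPORT_BYTES);
    }
    return best;
}

/* Four lines copied from the dump quoted above: one finger down with width
 * byte 0x0c, then the lift report three times over. */
const char *const sample_lines[] = {
    "[ 1983.810691] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 6b 5b 31 0c 69 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00",
    "[ 1984.296888] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 00 00 73 59 96 00 00 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00",
    "[ 1984.306825] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 00 00 73 59 96 00 00 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00",
    "[ 1984.316980] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 00 00 73 59 96 00 00 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00",
};
const int sample_count = 4;
```

Link this into a small main() that reads dmesg lines captured after modprobe i2c-hid debug=1 (the main is not shown). On the sample, finger 0 of the first line decodes to wx = 12, wy = 0, which is the "0c means width 12 on the x axis" reading above, and the lift reports keep the stale coordinates (x = 0x736) with state, width and Z at zero, which matches the description of the repeated message. longest_lift_run() returns 3 here; run over a full capture it gives the figure to set against the roughly 40 repeats Andrew expects from the firmware configuration, and a run that keeps growing on an idle pad is the symptom reported in this thread. A finger-down report always resets the run, so a lift report that directly follows one starts a new count rather than extending the old one.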

>>>>> [ 1984.003295] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 6d 5a fc 0d 6f 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>>>> [ 1984.013511] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 6d 5a ff 0d 70 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>>>> [ 1984.023590] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 6e 5a f2 0d 70 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>>>> [ 1984.033747] i2c_hid i2c-DLL060A:00: input: 20 00 0c 0c 01 00 6e 5a f5 0e 71 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>>>> [ 1984.043850] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 6e 5a f8 0e 71 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>>>> [ 1984.053873] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 6e 5a fb 0e 71 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>>>> [ 1984.064077] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 6e 5a fe 0e 72 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>>>> [ 1984.074207] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 6f 5a f1 0e 72 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>>>> [ 1984.084425] i2c_hid i2c-DLL060A:00: input: 20 00 0c 0c 01 00 6f 5a f3 0e 72 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>>>> [ 1984.094533] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 6f 5a f6 0e 73 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>>>> [ 1984.104629] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 6f 5a f8 0e 73 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>>>> [ 1984.114742] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 6f 5a fa 0e 73 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>>>> [ 1984.124890] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 6f 5a fc 0e 73 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>>>> [ 1984.135006] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 6f 5a fe 0e 73 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>>>> [ 1984.145149] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 70 5a f0 0e 73 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>>>> [ 1984.155317] i2c_hid i2c-DLL060A:00: input: 20 00 0c 0c 01 00 70 5a e2 0e 73 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>>>> [ 1984.165380] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 70 5a d4 0d 74 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>>>> [ 1984.175532] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 70 5a d6 0d 74 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>>>> [ 1984.185409] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 70 5a d8 0d 75 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>>>> [ 1984.195761] i2c_hid i2c-DLL060A:00: input: 20 00 0c 0c 01 00 70 5a db 0d 75 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>>>> [ 1984.205909] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 70 5a dd 0d 75 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>>>> [ 1984.216034] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 71 5a d0 0e 76 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>>>> [ 1984.226198] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 71 5a d3 0e 77 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>>>> [ 1984.236301] i2c_hid i2c-DLL060A:00: input: 20 00 0c 0c 01 00 71 5a d6 0e 77 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>>>> [ 1984.246520] i2c_hid i2c-DLL060A:00: input: 20 00 0c 0c 01 00 71 5a cb 0f 79 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>>>> [ 1984.256573] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 72 5a b1 0e 78 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>>>> [ 1984.266697] i2c_hid i2c-DLL060A:00: input: 20 00 0c 0c 01 00 72 5a a7 0e 77 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>>>> [ 1984.276823] i2c_hid i2c-DLL060A:00: input: 20 00 0c 0c 01 00 72 5a 6d 0d 72 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>>>> [ 1984.286921] i2c_hid i2c-DLL060A:00: input: 20 00 0c 0c 01 00 73 59 96 0a 5a 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>>>> [ 1984.296888] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 00 00 73 59 96 00 00 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>>>> [ 1984.306825] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 00 00 73 59 96 00 00 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>>>> [ 1984.316980] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 00 00 73 59 96 00 00 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>>> The last report which repeats indicates that no fingers are present.
>>>> But, the click button is generating the interrupt and it is reporting
>>>> that it is in the down position. Could the click button be getting stuck
>>>> down? That would also explain why the data in the report is not
>>>> changing. Could you be bumping the touchpad with your palm which is
>>>> causing the click button to get stuck in the down position? That might
>>>> also explain the large width value. Our max width is 15, so 12 would
>>>> typically indicate a contact larger than a normal finger contact. That
>>>> would explain the width of 12 showing up when this happens.
>>> Yes, that's not a normal finger touch and the reported width seems
>>> quite accurate to me. There are no clicks involved, laying the side of
>>> my thumb gently on the top part of the clickpad (from where even voluntary
>>> clicks are hard to obtain) is enough to trigger the bug. If a click is
>>> reported, then something is really wrong.
>> Do the reports look the same? With the repeated reports starting with
>> "20 00 0c 04"?
> I'm not sure I understood exactly what you want to know, so this might
> not answer your questions.
>
> All the repeated messages look like this:
>
> 20 00 0c 04 00 00 27 57 fa 00 00 07 8a 0c 00 00 7e 87 eb 00 00 aa 8f 37 00 00 61 4d f1 00 00 00
>
> The values equal to zero are always equal to zero when there are no
> fingers on the touchpad. The non-zero values are equal to the last
> valid value recorded and don't change when the fingers are released.
>
> To get the above line I touched the touchpad with 5 fingers so that
> all the bytes (except the last one which is different from zero on
> click release) were used.

Yes, that was the information I was looking for. But, this must not be 
my day since it turns out I misremembered what 0x4 stood for and this is 
unrelated to the click button. You can ignore everything I said about 
the click button =)

The report you have above is actually a finger lift report which 
indicates that all of the fingers left the touchpad. I checked the 
firmware configuration for this touchpad and it will repeat the lift 
report probably about 40 times. This is the expected behavior. However, 
you reported earlier that the message had been repeated 81 times? That 
seems a bit high and it would not explain why it gets repeated indefinitely.

You can try disabling the repeating finger lift reports and see if that 
helps. To do that you need to download a utility at:
https://github.com/aduggan/rmi4utils

After building it run:
$ sudo ./rmihidtool -r 0x45 1 /dev/hidraw0
This should print out 0x78 assuming the register address is what I 
expect. If not I can send further instructions on how to figure that out.

To disable the repeating lift report run:
$ sudo ./rmihidtool -w 0x45 0x38 /dev/hidraw0

After you do that there should only be one finger lift report.

Also, if you can get the firmware id from your touchpad that would also 
be useful.

$ sudo ./rmihidtool -f /dev/hidraw0

>>>> Andrew
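
An added example for the log discussion above (it is not code from this thread, from i2c-hid or from hid-rmi): a Python script that parses the `input:` debug lines that `modprobe i2c-hid debug=1` produces and flags any run of byte-identical consecutive reports longer than the roughly 40 lift-report repeats Andrew describes, which is the "repeated indefinitely" condition Gabriele reports. It relies on the i2c-hid convention that an input report starts with a little-endian 16-bit length (0x0020 = 32 bytes in the log); the threshold of 40, the report id 0x0c and the sample byte patterns are taken from the thread, the sample dmesg lines themselves are constructed, and the function names (`parse_line`, `find_repeated_runs`, `split_width`, `sample_log`) are mine. It goes a little beyond the thread in that it checks every report id, not only the lift report, and validates the declared length against the bytes actually printed.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Debug line as printed by i2c-hid with debug=1: "[ts] i2c_hid <dev>: input: <hex>".
INPUT_RE = re.compile(
    r"\[\s*(?P<ts>\d+\.\d+)\]\s+i2c_hid\s+(?P<dev>\S+):\s+input:\s+"
    r"(?P<hex>(?:[0-9a-f]{2}\s?)+)$"
)

# Per the thread, this touchpad's firmware repeats the finger-lift report about
# 40 times; a run of identical reports longer than that is treated as abnormal.
EXPECTED_LIFT_REPEATS = 40


@dataclass
class Report:
    ts: float
    dev: str
    raw: bytes

    @property
    def declared_len(self) -> int:
        # i2c-hid input reports begin with a little-endian 16-bit length covering
        # the whole buffer, length field included (0x0020 = 32 bytes in the log).
        return int.from_bytes(self.raw[:2], "little")

    @property
    def report_id(self) -> int:
        return self.raw[2]

    @property
    def payload(self) -> bytes:
        return self.raw[3:]


def parse_line(line: str) -> Optional[Report]:
    """Return a Report for an i2c-hid debug line, None for any other line."""
    m = INPUT_RE.search(line.strip())
    if not m:
        return None
    raw = bytes.fromhex(m.group("hex").replace(" ", ""))
    return Report(float(m.group("ts")), m.group("dev"), raw)


def split_width(width_byte: int) -> Tuple[int, int]:
    """Unpack the 4-bit X and Y widths the thread says share one byte
    (0x0c -> X width 12, 0xc0 -> Y width 12); returns (x_width, y_width)."""
    return width_byte & 0x0F, (width_byte >> 4) & 0x0F


def find_repeated_runs(lines, max_repeats: int = EXPECTED_LIFT_REPEATS):
    """Return ([(report, run_length), ...], [malformed lines]) where each run
    is a sequence of consecutive byte-identical reports longer than max_repeats.
    Lines whose declared length disagrees with the bytes printed are malformed."""
    runs, malformed = [], []
    current, count = None, 0
    for line in lines:
        rep = parse_line(line)
        if rep is None:
            continue
        if len(rep.raw) < 3 or rep.declared_len != len(rep.raw):
            malformed.append(line)
            continue
        if current is not None and rep.raw == current.raw:
            count += 1
            continue
        if current is not None and count > max_repeats:
            runs.append((current, count))
        current, count = rep, 1
    if current is not None and count > max_repeats:
        runs.append((current, count))
    return runs, malformed


# Constructed sample reports using the byte patterns from the thread's log:
# one moving-finger report, then the 32-byte finger-lift report.
MOVING = "20 00 0c 0c 01 00 73 59 96 0a 5a 03 09 40 00 00 90 86 1d" + " 00" * 13
LIFT = "20 00 0c 04 00 00 73 59 96 00 00 03 09 40 00 00 90 86 1d" + " 00" * 13


def sample_log(lift_repeats: int) -> List[str]:
    """Constructed dmesg excerpt: MOVING once, then LIFT repeated 10 ms apart."""
    lines = [f"[ 1984.286921] i2c_hid i2c-DLL060A:00: input: {MOVING}"]
    for i in range(lift_repeats):
        lines.append(f"[ {1984.296888 + i * 0.010:.6f}] i2c_hid i2c-DLL060A:00: input: {LIFT}")
    return lines


if __name__ == "__main__":
    runs, malformed = find_repeated_runs(sample_log(81))
    for rep, n in runs:
        print(f"report id 0x{rep.report_id:02x} on {rep.dev} repeated {n} times "
              f"(firmware expectation: {EXPECTED_LIFT_REPEATS}) from {rep.ts:.6f}")
        # Reading the byte after the report id (0x04/0x0c in the thread's log)
        # as the packed width byte is an assumption the thread does not confirm.
        print("width nibbles (x, y) of byte after report id:", split_width(rep.payload[0]))
```

Feed it the raw dmesg text (quote markers such as `>>>>> ` in front of a line do no harm, since the pattern is searched, not anchored). The `split_width` helper only encodes the nibble layout the two agreed on; which payload byte carries the width is not settled in the thread, so the `__main__` block's use of the byte after the report id is marked as an assumption.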



* Re: NULL pointer dereference in i2c-hid
  2014-12-12  0:26                         ` Andrew Duggan
  (?)
@ 2014-12-12  8:12                         ` Gabriele Mazzotta
  2014-12-12 19:12                             ` Andrew Duggan
  -1 siblings, 1 reply; 34+ messages in thread
From: Gabriele Mazzotta @ 2014-12-12  8:12 UTC (permalink / raw)
  To: Andrew Duggan
  Cc: Mika Westerberg, linux-input, linux-kernel, benjamin.tissoires, jkosina

On Thursday 11 December 2014 16:26:00 Andrew Duggan wrote:
> On 12/11/2014 01:57 PM, Gabriele Mazzotta wrote:
> > On Thursday 11 December 2014 13:34:02 Andrew Duggan wrote:
> >> On 12/11/2014 01:17 PM, Gabriele Mazzotta wrote:
> >>> On Thursday 11 December 2014 12:46:53 Andrew Duggan wrote:
> >>>> On 12/11/2014 11:40 AM, Gabriele Mazzotta wrote:
> >>>>> On Thursday 11 December 2014 11:21:43 Andrew Duggan wrote:
> >>>>>> On 12/11/2014 11:11 AM, Gabriele Mazzotta wrote:
> >>>>>>> On Thursday 11 December 2014 10:40:05 Andrew Duggan wrote:
> >>>>>>>> On 12/11/2014 10:16 AM, Gabriele Mazzotta wrote:
> >>>>>>>>> On Thursday 11 December 2014 16:03:07 Mika Westerberg wrote:
> >>>>>>>>>> On Thu, Dec 11, 2014 at 10:58:01AM +0200, Mika Westerberg wrote:
> >>>>>>>>>>> On Wed, Dec 10, 2014 at 06:04:51PM +0100, Gabriele Mazzotta wrote:
> >>>>>>>>>>>> my laptop uses a touchpad that needs hid-rmi along with i2c-hid to work.
> >>>>>>>>>>>> i2c-hid and hid-rmi can be loaded and unloaded independently from each
> >>>>>>>>>>>> other, however since 34f439e4afcd ("HID: i2c-hid: add runtime PM support")
> >>>>>>>>>>>> if I unload hid-rmi and after it I also unload i2c-hid, I get a NULL
> >>>>>>>>>>>> pointer dereference.
> >>>>>>>>>>> I'll look into this.
> >>>>>>>>>>>
> >>>>>>>>>>> I can reproduce this easily with i2c-hid + hid-multitouch following your
> >>>>>>>>>>> directions.
> >>>>>>>>>> Can you try the below patch?
> >>>>>>>>>>
> >>>>>>>>>> I think we shouldn't free buffers yet in ->stop() because we need the
> >>>>>>>>>> command buffer sending power commands to the device. Also it seems that
> >>>>>>>>>> ->start() re-allocates buffers anyway if maximum size increases.
> >>>>>>>>>>
> >>>>>>>>>> It shouldn't even leak memory as we release buffers at ->remove()
> >>>>>>>>>> anyway.
> >>>>>>>>>>
> >>>>>>>>>> diff --git a/drivers/hid/i2c-hid/i2c-hid.c b/drivers/hid/i2c-hid/i2c-hid.c
> >>>>>>>>>> index 62cec01937ea..68a8c938feea 100644
> >>>>>>>>>> --- a/drivers/hid/i2c-hid/i2c-hid.c
> >>>>>>>>>> +++ b/drivers/hid/i2c-hid/i2c-hid.c
> >>>>>>>>>> @@ -705,12 +705,7 @@ static int i2c_hid_start(struct hid_device *hid)
> >>>>>>>>>>       
> >>>>>>>>>>       static void i2c_hid_stop(struct hid_device *hid)
> >>>>>>>>>>       {
> >>>>>>>>>> -	struct i2c_client *client = hid->driver_data;
> >>>>>>>>>> -	struct i2c_hid *ihid = i2c_get_clientdata(client);
> >>>>>>>>>> -
> >>>>>>>>>>       	hid->claimed = 0;
> >>>>>>>>>> -
> >>>>>>>>>> -	i2c_hid_free_buffers(ihid);
> >>>>>>>>>>       }
> >>>>>>>>>>       
> >>>>>>>>>>       static int i2c_hid_open(struct hid_device *hid)
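Review bot: the `i2c_hid_stop()` hunk drops the `i2c_hid_free_buffers(ihid)` call but leaves nothing in the function saying why, so a later reader sees a stop callback that only does `hid->claimed = 0;` and may well put the free back. Suggest a one-line comment above `hid->claimed = 0;` stating that the buffers are kept on purpose because the runtime PM power commands still need the command buffer after ->stop(), and that ->remove() is where they are released, which is exactly the reasoning given in the message but will not be visible in the source. The header `@@ -705,12 +705,7 @@` agrees with the five removed lines (two declarations, two blank lines, the free call), and with `client` and `ihid` gone there are no unused-variable leftovers.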
> >>>>>>>>> Yes, it works, thanks.
> >>>>>>>>>
> >>>>>>>>> This change seems to also prevent kernel oops when I unload either
> >>>>>>>>> i2c-hid or i2c-designware-platform while the touchpad is in use,
> >>>>>>>>> something that is likely to happen because of the other bug I reported.
> >>>>>>>>>
> >>>>>>>>> Speaking of it, does any of you have any suggestion on how to debug it?
> >>>>>>>> I was able to reproduce the initial issue by unloading hid-rmi and
> >>>>>>>> i2c-hid while holding my fingers on the touchpad. Mika's patch fixes it
> >>>>>>>> for me.
> >>>>>>>>
> >>>>>>>> For the original bug, you can modprobe i2c-hid debug=1 and we can see
> >>>>>>>> what data the touchpad is reporting. That might help narrowing down if
> >>>>>>>> it's noise which the touchpad thinks are fingers or if there is a
> >>>>>>>> problem with the I2C lines causing spurious interrupts.
> >>>>>>>>
> >>>>>>>> Andrew
> >>>>>>> I've already tried to do that and here is what I got:
> >>>>>>>
> >>>>>>> When I release the finger, the last message is repeated 81 times.
> >>>>>>> If the byte containing information about the width of the finger
> >>>>>>> becomes equal to either c0 or 0c at least once, the last message is
> >>>>>>> repeated indefinitely and changes as soon as I start using the touchpad.
> >>>>>>> The only way to stop it is to unload and reload i2c-hid.
> >>>>>> The reports before log throttling kicks in would still be useful. For
> >>>>>> instance c0 is outside of the range of finger width which we report so
> >>>>>> something is wrong there. But, the touchpad should stop interrupting
> >>>>>> once the finger is lifted. The fact that subsequent reads are reporting
> >>>>>> the same data does sound like a problem with I2C getting confused and
> >>>>>> continuously interrupting and reading the old finger data. I am also
> >>>>>> curious about the value of the byte after the report id.
> >>>>>>
> >>>>>> Andrew
> >>>>> If I'm not wrong c0 means that the width is 12 on y axis, while 0c means
> >>>>> that the width is 12 on the x axis.
> >>>> You are correct! I forgot width was 4 bits for X and Y in the same byte.
> >>>> That makes more sense.
> >>>>
> >>>>> I have to correct myself. The important thing is that the byte is either
> >>>>> cx or xc, where x is anything below c.
> >>>>>
> >>>>> Another correction. Sometimes unloading i2c-hid is not enough, I have to
> >>>>> first disable the touchpad with xinput and then unload i2c-hid. If I
> >>>>> don't do it, the messages start reappearing as soon as I reload i2c-hid.
> >>>>>
> >>>>> I did several tests in the past months and I'm quite sure that the bug
> >>>>> happens only past xc/cy.
> >>>> This may be coincidental. It is not obvious to me why a certain width
> >>>> value would cause the symptoms described.
> >>> Yes, I don't deny it. This is just a constant I found in my tests.
> >>>
> >>>>> Here are a few lines right before the bug. The last line is repeated indefinitely:
> >>>>>
> >>>>> [ 1983.527097] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 67 5b 61 0a 5f 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> >>>>> [ 1983.537211] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 67 5b 63 0a 60 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> >>>>> [ 1983.547329] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 67 5b 64 0a 60 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> >>>>> [ 1983.557486] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 67 5b 66 0a 60 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> >>>>> [ 1983.567663] i2c_hid i2c-DLL060A:00: input: 20 00 0c 0c 01 00 67 5b 68 0a 60 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> >>>>> [ 1983.577719] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 67 5b 6a 0a 61 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> >>>>> [ 1983.587852] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 67 5b 6b 0a 61 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> >>>>> [ 1983.598001] i2c_hid i2c-DLL060A:00: input: 20 00 0c 0c 01 00 67 5b 6e 0a 62 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> >>>>> [ 1983.608215] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 68 5b 61 0a 62 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> >>>>> [ 1983.618288] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 68 5b 64 0b 63 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> >>>>> [ 1983.628493] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 68 5b 67 0b 63 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> >>>>> [ 1983.638552] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 68 5b 69 0b 64 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> >>>>> [ 1983.648663] i2c_hid i2c-DLL060A:00: input: 20 00 0c 0c 01 00 68 5b 6c 0b 64 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> >>>>> [ 1983.658789] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 68 5b 6f 0b 64 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> >>>>> [ 1983.668923] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 69 5b 61 0b 65 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> >>>>> [ 1983.678819] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 69 5b 64 0b 65 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> >>>>> [ 1983.689230] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 69 5b 66 0b 65 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> >>>>> [ 1983.699435] i2c_hid i2c-DLL060A:00: input: 20 00 0c 0c 01 00 69 5b 68 0b 65 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> >>>>> [ 1983.709502] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 69 5b 6a 0b 66 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> >>>>> [ 1983.719574] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 69 5b 6c 0b 66 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> >>>>> [ 1983.729713] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 69 5b 6e 0b 66 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> >>>>> [ 1983.739863] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 6a 5b 60 0b 66 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> >>>>> [ 1983.750001] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 6a 5b 62 0b 66 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> >>>>> [ 1983.760150] i2c_hid i2c-DLL060A:00: input: 20 00 0c 0c 01 00 6a 5b 64 0b 67 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> >>>>> [ 1983.770291] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 6a 5b 66 0b 67 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> >>>>> [ 1983.780445] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 6a 5b 68 0b 67 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> >>>>> [ 1983.790490] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 6a 5b 5a 0b 68 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> >>>>> [ 1983.800667] i2c_hid i2c-DLL060A:00: input: 20 00 0c 0c 01 00 6a 5b 4e 0c 69 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> >>>>> [ 1983.810691] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 6b 5b 31 0c 69 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> >>>>> [ 1983.820963] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 6b 5b 24 0c 6a 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> >>>>> [ 1983.831071] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 6b 5b 17 0c 6a 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> >>>>> [ 1983.841178] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 6b 5b 09 0c 6a 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> >>>>> [ 1983.851325] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 6b 5b 0b 0c 6b 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> >>>>> [ 1983.861435] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 6b 5b 0d 0c 6b 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> >>>>> [ 1983.871566] i2c_hid i2c-DLL060A:00: input: 20 00 0c 0c 01 00 6b 5b 0f 0c 6b 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> >>>>> [ 1983.881735] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 6c 5b 01 0c 6b 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> >>>>> [ 1983.891975] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 6c 5b 03 0c 6b 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> >>>>> [ 1983.902073] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 6c 5b 05 0c 6c 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> >>>>> [ 1983.912155] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 6c 5b 07 0c 6b 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> >>>>> [ 1983.922224] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 6c 5b 09 0c 6c 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> >>>>> [ 1983.932364] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 6c 5b 0b 0c 6c 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> >>>>> [ 1983.942480] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 6c 5b 0d 0c 6c 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> >>>>> [ 1983.952612] i2c_hid i2c-DLL060A:00: input: 20 00 0c 0c 01 00 6c 5b 0f 0c 6c 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> >>>>> [ 1983.962774] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 6d 5a f1 0d 6d 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> >>>>> [ 1983.972932] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 6d 5a f3 0d 6e 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> >>>>> [ 1983.982872] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 6d 5a f6 0d 6f 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> >>>>> [ 1983.993194] i2c_hid i2c-DLL060A:00: input: 20 00 0c 0c 01 00 6d 5a f9 0d 6f 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> >>>>> [ 1984.003295] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 6d 5a fc 0d 6f 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> >>>>> [ 1984.013511] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 6d 5a ff 0d 70 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> >>>>> [ 1984.023590] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 6e 5a f2 0d 70 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> >>>>> [ 1984.033747] i2c_hid i2c-DLL060A:00: input: 20 00 0c 0c 01 00 6e 5a f5 0e 71 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> >>>>> [ 1984.043850] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 6e 5a f8 0e 71 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> >>>>> [ 1984.053873] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 6e 5a fb 0e 71 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> >>>>> [ 1984.064077] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 6e 5a fe 0e 72 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> >>>>> [ 1984.074207] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 6f 5a f1 0e 72 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> >>>>> [ 1984.084425] i2c_hid i2c-DLL060A:00: input: 20 00 0c 0c 01 00 6f 5a f3 0e 72 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> >>>>> [ 1984.094533] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 6f 5a f6 0e 73 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> >>>>> [ 1984.104629] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 6f 5a f8 0e 73 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> >>>>> [ 1984.114742] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 6f 5a fa 0e 73 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> >>>>> [ 1984.124890] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 6f 5a fc 0e 73 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> >>>>> [ 1984.135006] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 6f 5a fe 0e 73 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> >>>>> [ 1984.145149] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 70 5a f0 0e 73 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> >>>>> [ 1984.155317] i2c_hid i2c-DLL060A:00: input: 20 00 0c 0c 01 00 70 5a e2 0e 73 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> >>>>> [ 1984.165380] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 70 5a d4 0d 74 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> >>>>> [ 1984.175532] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 70 5a d6 0d 74 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> >>>>> [ 1984.185409] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 70 5a d8 0d 75 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> >>>>> [ 1984.195761] i2c_hid i2c-DLL060A:00: input: 20 00 0c 0c 01 00 70 5a db 0d 75 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> >>>>> [ 1984.205909] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 70 5a dd 0d 75 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> >>>>> [ 1984.216034] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 71 5a d0 0e 76 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> >>>>> [ 1984.226198] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 71 5a d3 0e 77 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> >>>>> [ 1984.236301] i2c_hid i2c-DLL060A:00: input: 20 00 0c 0c 01 00 71 5a d6 0e 77 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> >>>>> [ 1984.246520] i2c_hid i2c-DLL060A:00: input: 20 00 0c 0c 01 00 71 5a cb 0f 79 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> >>>>> [ 1984.256573] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 72 5a b1 0e 78 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> >>>>> [ 1984.266697] i2c_hid i2c-DLL060A:00: input: 20 00 0c 0c 01 00 72 5a a7 0e 77 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> >>>>> [ 1984.276823] i2c_hid i2c-DLL060A:00: input: 20 00 0c 0c 01 00 72 5a 6d 0d 72 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> >>>>> [ 1984.286921] i2c_hid i2c-DLL060A:00: input: 20 00 0c 0c 01 00 73 59 96 0a 5a 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> >>>>> [ 1984.296888] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 00 00 73 59 96 00 00 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> >>>>> [ 1984.306825] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 00 00 73 59 96 00 00 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> >>>>> [ 1984.316980] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 00 00 73 59 96 00 00 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> >>>> The last report which repeats indicates that no fingers are present.
> >>>> But, the click button is generating the interrupt and it is reporting
> >>>> that it is in the down position. Could the click button be getting stuck
> >>>> down? That would also explain why the data in the report is not
> >>>> changing. Could you be bumping the touchpad with your palm which is
> >>>> causing the click button to get stuck in the down position? That might
> >>>> also explain the large width value. Our max width is 15, so 12 would
> >>>> typically indicate a contact larger than a normal finger contact. That
> >>>> would explain the width of 12 showing up when this happens.
> >>> Yes, that's not a normal finger touch and the reported width seems
> >>> quite accurate to me. There are no clicks involved, laying the side of
> >>> my thumb gently on the top part of the clickpad (from where even voluntary
> >>> clicks are hard to obtain) is enough to trigger the bug. If a click is
> >>> reported, then something is really wrong.
> >> Do the reports look the same? With the repeated reports starting with
> >> "20 00 0c 04"?
> > I'm not sure I understood exactly what you want to know, so this might
> > not answer your questions.
> >
> > All the repeated messages look like this:
> >
> > 20 00 0c 04 00 00 27 57 fa 00 00 07 8a 0c 00 00 7e 87 eb 00 00 aa 8f 37 00 00 61 4d f1 00 00 00
> >
> > The values equal to zero are always equal to zero when there are no
> > fingers on the touchpad. The non-zero values are equal to the last
> > valid value recorded and don't change when the fingers are released.
> >
> > To get the above line I touched the touchpad with 5 fingers so that
> > all the bytes (except the last one which is different from zero on
> > click release) were used.
> 
> Yes, that was the information I was looking for. But, this must not be 
> my day since it turns out I misremembered what 0x4 stood for and this is 
> unrelated to the click button. You can ignore everything I said about 
> the click button =)
> 
> The report you have above is actually a finger lift report which 
> indicates that all of the fingers left the touchpad. I checked the 
> firmware configuration for this touchpad and it will repeat the lift 
> report probably about 40 times. This is the expected behavior. However, 
> you reported earlier that the message had been repeated 81 times? That 
> seems a bit high and it would not explain why it gets repeated indefinitely.
> 
> You can try disabling the repeating finger lift reports and see if that 
> helps. To do that you need to download a utility at:
> https://github.com/aduggan/rmi4utils
> 
> After building it run:
> $ sudo ./rmihidtool -r 0x45 1 /dev/hidraw0
> This should print out 0x78 assuming the register address is what I 
> expect. If not I can send further instructions on how to figure that out.
> 
> To disable the repeating lift report run:
> $ sudo ./rmihidtool -w 0x45 0x38 /dev/hidraw0
> 
> After you do that there should only be one finger lift report.

Yes, this disables the repeating lift report, but the bug is still there.

> Also, if you can get the firmware id from your touchpad that would also 
> be useful.
> 
> $ sudo ./rmihidtool -f /dev/hidraw0

firmware id: 1522295


* Re: NULL pointer dereference in i2c-hid
  2014-12-12  8:12                         ` Gabriele Mazzotta
@ 2014-12-12 19:12                             ` Andrew Duggan
  0 siblings, 0 replies; 34+ messages in thread
From: Andrew Duggan @ 2014-12-12 19:12 UTC (permalink / raw)
  To: Gabriele Mazzotta
  Cc: Mika Westerberg, linux-input, linux-kernel, benjamin.tissoires, jkosina

On 12/12/2014 12:12 AM, Gabriele Mazzotta wrote:
> On Thursday 11 December 2014 16:26:00 Andrew Duggan wrote:
>> On 12/11/2014 01:57 PM, Gabriele Mazzotta wrote:
>>> On Thursday 11 December 2014 13:34:02 Andrew Duggan wrote:
>>>> On 12/11/2014 01:17 PM, Gabriele Mazzotta wrote:
>>>>> On Thursday 11 December 2014 12:46:53 Andrew Duggan wrote:
>>>>>> On 12/11/2014 11:40 AM, Gabriele Mazzotta wrote:
>>>>>>> On Thursday 11 December 2014 11:21:43 Andrew Duggan wrote:
>>>>>>>> On 12/11/2014 11:11 AM, Gabriele Mazzotta wrote:
>>>>>>>>> On Thursday 11 December 2014 10:40:05 Andrew Duggan wrote:
>>>>>>>>>> On 12/11/2014 10:16 AM, Gabriele Mazzotta wrote:
>>>>>>>>>>> On Thursday 11 December 2014 16:03:07 Mika Westerberg wrote:
>>>>>>>>>>>> On Thu, Dec 11, 2014 at 10:58:01AM +0200, Mika Westerberg wrote:
>>>>>>>>>>>>> On Wed, Dec 10, 2014 at 06:04:51PM +0100, Gabriele Mazzotta wrote:
>>>>>>>>>>>>>> my laptop uses a touchpad that needs hid-rmi along with i2c-hid to work.
>>>>>>>>>>>>>> i2c-hid and hid-rmi can be loaded and unloaded independently from each
>>>>>>>>>>>>>> other, however since 34f439e4afcd ("HID: i2c-hid: add runtime PM support")
>>>>>>>>>>>>>> if I unload hid-rmi and after it I also unload i2c-hid, I get a NULL
>>>>>>>>>>>>>> pointer dereference.
>>>>>>>>>>>>> I'll look into this.
>>>>>>>>>>>>>
>>>>>>>>>>>>> I can reproduce this easily with i2c-hid + hid-multitouch following your
>>>>>>>>>>>>> directions.
>>>>>>>>>>>> Can you try the below patch?
>>>>>>>>>>>>
>>>>>>>>>>>> I think we shouldn't free buffers yet in ->stop() because we need the
>>>>>>>>>>>> command buffer sending power commands to the device. Also it seems that
>>>>>>>>>>>> ->start() re-allocates buffers anyway if maximum size increases.
>>>>>>>>>>>>
>>>>>>>>>>>> It shouldn't even leak memory as we release buffers at ->remove()
>>>>>>>>>>>> anyway.
>>>>>>>>>>>>
>>>>>>>>>>>> diff --git a/drivers/hid/i2c-hid/i2c-hid.c b/drivers/hid/i2c-hid/i2c-hid.c
>>>>>>>>>>>> index 62cec01937ea..68a8c938feea 100644
>>>>>>>>>>>> --- a/drivers/hid/i2c-hid/i2c-hid.c
>>>>>>>>>>>> +++ b/drivers/hid/i2c-hid/i2c-hid.c
>>>>>>>>>>>> @@ -705,12 +705,7 @@ static int i2c_hid_start(struct hid_device *hid)
>>>>>>>>>>>>        
>>>>>>>>>>>>        static void i2c_hid_stop(struct hid_device *hid)
>>>>>>>>>>>>        {
>>>>>>>>>>>> -	struct i2c_client *client = hid->driver_data;
>>>>>>>>>>>> -	struct i2c_hid *ihid = i2c_get_clientdata(client);
>>>>>>>>>>>> -
>>>>>>>>>>>>        	hid->claimed = 0;
>>>>>>>>>>>> -
>>>>>>>>>>>> -	i2c_hid_free_buffers(ihid);
>>>>>>>>>>>>        }
>>>>>>>>>>>>        
>>>>>>>>>>>>        static int i2c_hid_open(struct hid_device *hid)
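Review bot: with the two locals and the i2c_hid_free_buffers() call gone, i2c_hid_stop() is reduced to `hid->claimed = 0;` and nothing at the call site records why the buffers have to outlive ->stop(); a one-line comment there (the command buffer is still needed for the power commands sent from the runtime PM callbacks, and the buffers are released in ->remove()) would keep a later cleanup from reintroducing the free. The cover text relies on ->start() re-allocating when the maximum report size grows; it is worth confirming in i2c_hid_start() that the previous buffers are released before the larger ones are allocated, since after this change ->stop() no longer frees them and repeated stop/start cycles with a growing size would otherwise leak the earlier allocation.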
>>>>>>>>>>> Yes, it works, thanks.
>>>>>>>>>>>
>>>>>>>>>>> This change seems to also prevent kernel oops when I unload either
>>>>>>>>>>> i2c-hid or i2c-designware-platform while the touchpad is in use,
>>>>>>>>>>> which is likely to happen because of the other bug I reported.
>>>>>>>>>>>
>>>>>>>>>>> Speaking of it, does any of you have any suggestion on how to debug it?
>>>>>>>>>> I was able to reproduce the initial issue by unloading hid-rmi and
>>>>>>>>>> i2c-hid while holding my fingers on the touchpad. Mika's patch fixes it
>>>>>>>>>> for me.
>>>>>>>>>>
>>>>>>>>>> For the original bug, you can modprobe i2c-hid debug=1 and we can see
>>>>>>>>>> what data the touchpad is reporting. That might help narrow down if
>>>>>>>>>> it's noise which the touchpad thinks are fingers or if there is a
>>>>>>>>>> problem with the I2C lines causing spurious interrupts.
>>>>>>>>>>
>>>>>>>>>> Andrew
>>>>>>>>> I've already tried to do that and here is what I got:
>>>>>>>>>
>>>>>>>>> When I release the finger, the last message is repeated 81 times.
>>>>>>>>> If the byte containing information about the width of the finger
>>>>>>>>> becomes equal to either c0 or 0c at least once, the last message is
>>>>>>>>> repeated indefinitely and changes as soon as I start using the touchpad.
>>>>>>>>> The only way to stop it is to unload and reload i2c-hid.
>>>>>>>> The reports before log throttling kicks in would still be useful. For
>>>>>>>> instance c0 is outside of the range of finger width which we report so
>>>>>>>> something is wrong there. But, the touchpad should stop interrupting
>>>>>>>> once the finger is lifted. The fact that subsequent reads are reporting
>>>>>>>> the same data does sound like a problem with I2C getting confused and
>>>>>>>> continuously interrupting and reading the old finger data. I am also
>>>>>>>> curious about the value of the byte after the report id.
>>>>>>>>
>>>>>>>> Andrew
>>>>>>> If I'm not wrong c0 means that the width is 12 on y axis, while 0c means
>>>>>>> that the width is 12 on the x axis.
>>>>>> You are correct! I forgot width was 4 bits for X and Y in the same byte.
>>>>>> That makes more sense.
>>>>>>
>>>>>>> I have to correct myself. The important thing is that the byte is either
>>>>>>> cx or xc, where x is anything below c.
>>>>>>>
>>>>>>> Another correction. Sometimes unloading i2c-hid is not enough, I have to
>>>>>>> first disable the touchpad with xinput and then unload i2c-hid. If I
>>>>>>> don't do it, the messages start reappearing as soon as I reload i2c-hid.
>>>>>>>
>>>>>>> I did several tests in the past months and I'm quite sure that the bug
>>>>>>> happens only past xc/cy.
>>>>>> This may be coincidental. It is not obvious to me why a certain width
>>>>>> value would cause the symptoms described.
>>>>> Yes, I don't deny it. This is just a constant I found in my tests.
>>>>>
>>>>>>> Here are a few lines right before the bug. The last line is repeated indefinitely:
>>>>>>>
>>>>>>> [ 1983.527097] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 67 5b 61 0a 5f 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>>>>>> [ 1983.537211] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 67 5b 63 0a 60 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>>>>>> [ 1983.547329] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 67 5b 64 0a 60 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>>>>>> [ 1983.557486] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 67 5b 66 0a 60 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>>>>>> [ 1983.567663] i2c_hid i2c-DLL060A:00: input: 20 00 0c 0c 01 00 67 5b 68 0a 60 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>>>>>> [ 1983.577719] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 67 5b 6a 0a 61 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>>>>>> [ 1983.587852] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 67 5b 6b 0a 61 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>>>>>> [ 1983.598001] i2c_hid i2c-DLL060A:00: input: 20 00 0c 0c 01 00 67 5b 6e 0a 62 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>>>>>> [ 1983.608215] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 68 5b 61 0a 62 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>>>>>> [ 1983.618288] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 68 5b 64 0b 63 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>>>>>> [ 1983.628493] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 68 5b 67 0b 63 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>>>>>> [ 1983.638552] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 68 5b 69 0b 64 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>>>>>> [ 1983.648663] i2c_hid i2c-DLL060A:00: input: 20 00 0c 0c 01 00 68 5b 6c 0b 64 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>>>>>> [ 1983.658789] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 68 5b 6f 0b 64 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>>>>>> [ 1983.668923] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 69 5b 61 0b 65 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>>>>>> [ 1983.678819] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 69 5b 64 0b 65 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>>>>>> [ 1983.689230] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 69 5b 66 0b 65 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>>>>>> [ 1983.699435] i2c_hid i2c-DLL060A:00: input: 20 00 0c 0c 01 00 69 5b 68 0b 65 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>>>>>> [ 1983.709502] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 69 5b 6a 0b 66 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>>>>>> [ 1983.719574] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 69 5b 6c 0b 66 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>>>>>> [ 1983.729713] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 69 5b 6e 0b 66 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>>>>>> [ 1983.739863] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 6a 5b 60 0b 66 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>>>>>> [ 1983.750001] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 6a 5b 62 0b 66 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>>>>>> [ 1983.760150] i2c_hid i2c-DLL060A:00: input: 20 00 0c 0c 01 00 6a 5b 64 0b 67 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>>>>>> [ 1983.770291] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 6a 5b 66 0b 67 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>>>>>> [ 1983.780445] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 6a 5b 68 0b 67 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>>>>>> [ 1983.790490] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 6a 5b 5a 0b 68 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>>>>>> [ 1983.800667] i2c_hid i2c-DLL060A:00: input: 20 00 0c 0c 01 00 6a 5b 4e 0c 69 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>>>>>> [ 1983.810691] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 6b 5b 31 0c 69 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>>>>>> [ 1983.820963] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 6b 5b 24 0c 6a 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>>>>>> [ 1983.831071] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 6b 5b 17 0c 6a 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>>>>>> [ 1983.841178] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 6b 5b 09 0c 6a 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>>>>>> [ 1983.851325] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 6b 5b 0b 0c 6b 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>>>>>> [ 1983.861435] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 6b 5b 0d 0c 6b 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>>>>>> [ 1983.871566] i2c_hid i2c-DLL060A:00: input: 20 00 0c 0c 01 00 6b 5b 0f 0c 6b 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>>>>>> [ 1983.881735] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 6c 5b 01 0c 6b 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>>>>>> [ 1983.891975] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 6c 5b 03 0c 6b 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>>>>>> [ 1983.902073] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 6c 5b 05 0c 6c 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>>>>>> [ 1983.912155] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 6c 5b 07 0c 6b 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>>>>>> [ 1983.922224] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 6c 5b 09 0c 6c 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>>>>>> [ 1983.932364] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 6c 5b 0b 0c 6c 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>>>>>> [ 1983.942480] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 6c 5b 0d 0c 6c 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>>>>>> [ 1983.952612] i2c_hid i2c-DLL060A:00: input: 20 00 0c 0c 01 00 6c 5b 0f 0c 6c 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>>>>>> [ 1983.962774] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 6d 5a f1 0d 6d 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>>>>>> [ 1983.972932] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 6d 5a f3 0d 6e 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>>>>>> [ 1983.982872] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 6d 5a f6 0d 6f 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>>>>>> [ 1983.993194] i2c_hid i2c-DLL060A:00: input: 20 00 0c 0c 01 00 6d 5a f9 0d 6f 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>>>>>> [ 1984.003295] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 6d 5a fc 0d 6f 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>>>>>> [ 1984.013511] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 6d 5a ff 0d 70 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>>>>>> [ 1984.023590] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 6e 5a f2 0d 70 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>>>>>> [ 1984.033747] i2c_hid i2c-DLL060A:00: input: 20 00 0c 0c 01 00 6e 5a f5 0e 71 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>>>>>> [ 1984.043850] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 6e 5a f8 0e 71 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>>>>>> [ 1984.053873] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 6e 5a fb 0e 71 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>>>>>> [ 1984.064077] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 6e 5a fe 0e 72 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>>>>>> [ 1984.074207] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 6f 5a f1 0e 72 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>>>>>> [ 1984.084425] i2c_hid i2c-DLL060A:00: input: 20 00 0c 0c 01 00 6f 5a f3 0e 72 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>>>>>> [ 1984.094533] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 6f 5a f6 0e 73 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>>>>>> [ 1984.104629] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 6f 5a f8 0e 73 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>>>>>> [ 1984.114742] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 6f 5a fa 0e 73 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>>>>>> [ 1984.124890] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 6f 5a fc 0e 73 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>>>>>> [ 1984.135006] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 6f 5a fe 0e 73 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>>>>>> [ 1984.145149] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 70 5a f0 0e 73 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>>>>>> [ 1984.155317] i2c_hid i2c-DLL060A:00: input: 20 00 0c 0c 01 00 70 5a e2 0e 73 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>>>>>> [ 1984.165380] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 70 5a d4 0d 74 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>>>>>> [ 1984.175532] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 70 5a d6 0d 74 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>>>>>> [ 1984.185409] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 70 5a d8 0d 75 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>>>>>> [ 1984.195761] i2c_hid i2c-DLL060A:00: input: 20 00 0c 0c 01 00 70 5a db 0d 75 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>>>>>> [ 1984.205909] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 70 5a dd 0d 75 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>>>>>> [ 1984.216034] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 71 5a d0 0e 76 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>>>>>> [ 1984.226198] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 71 5a d3 0e 77 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>>>>>> [ 1984.236301] i2c_hid i2c-DLL060A:00: input: 20 00 0c 0c 01 00 71 5a d6 0e 77 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>>>>>> [ 1984.246520] i2c_hid i2c-DLL060A:00: input: 20 00 0c 0c 01 00 71 5a cb 0f 79 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>>>>>> [ 1984.256573] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 72 5a b1 0e 78 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>>>>>> [ 1984.266697] i2c_hid i2c-DLL060A:00: input: 20 00 0c 0c 01 00 72 5a a7 0e 77 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>>>>>> [ 1984.276823] i2c_hid i2c-DLL060A:00: input: 20 00 0c 0c 01 00 72 5a 6d 0d 72 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>>>>>> [ 1984.286921] i2c_hid i2c-DLL060A:00: input: 20 00 0c 0c 01 00 73 59 96 0a 5a 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>>>>>> [ 1984.296888] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 00 00 73 59 96 00 00 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>>>>>> [ 1984.306825] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 00 00 73 59 96 00 00 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>>>>>> [ 1984.316980] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 00 00 73 59 96 00 00 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>>>>> The last report which repeats indicates that no fingers are present.
>>>>>> But, the click button is generating the interrupt and it is reporting
>>>>>> that it is in the down position. Could the click button be getting stuck
>>>>>> down? That would also explain why the data in the report is not
>>>>>> changing. Could you be bumping the touchpad with your palm which is
>>>>>> causing the click button to get stuck in the down position? That might
>>>>>> also explain the large width value. Our max width is 15, so 12 would
>>>>>> typically indicate a contact larger than a normal finger contact. That
>>>>>> would explain the width of 12 showing up when this happens.
>>>>> Yes, that's not a normal finger touch and the reported width seems
>>>>> quite accurate to me. There are no clicks involved, laying the side of
>>>>> my thumb gently on the top part of the clickpad (from where even voluntary
>>>>> clicks are hard to obtain) is enough to trigger the bug. If a click is
>>>>> reported, then something is really wrong.
>>>> Do the reports look the same? With the repeated reports starting with
>>>> "20 00 0c 04"?
>>> I'm not sure I understood exactly what you want to know, so this might
>>> not answer your questions.
>>>
>>> All the repeated messages look like this:
>>>
>>> 20 00 0c 04 00 00 27 57 fa 00 00 07 8a 0c 00 00 7e 87 eb 00 00 aa 8f 37 00 00 61 4d f1 00 00 00
>>>
>>> The values equal to zero are always equal to zero when there are no
>>> fingers on the touchpad. The non-zero values are equal to the last
>>> valid value recorded and don't change when the fingers are released.
>>>
>>> To get the above line I touched the touchpad with 5 fingers so that
>>> all the bytes (except the last one which is different from zero on
>>> click release) were used.
>> Yes, that was the information I was looking for. But, this must not be
>> my day since it turns out I misremembered what 0x4 stood for and this is
>> unrelated to the click button. You can ignore everything I said about
>> the click button =)
>>
>> The report you have above is actually a finger lift report which
>> indicates that all of the fingers left the touchpad. I checked the
>> firmware configuration for this touchpad and it will repeat the lift
>> report probably about 40 times. This is the expected behavior. However,
>> you reported earlier that the message had been repeated 81 times? That
>> seems a bit high and it would not explain why it gets repeated indefinitely.
>>
>> You can try disabling the repeating finger lift reports and see if that
>> helps. To do that you need to download a utility at:
>> https://github.com/aduggan/rmi4utils
>>
>> After building it run:
>> $ sudo ./rmihidtool -r 0x45 1 /dev/hidraw0
>> This should print out 0x78 assuming the register address is what I
>> expect. If not I can send further instructions on how to figure that out.
>>
>> To disable the repeating lift report run:
>> $ sudo ./rmihidtool -w 0x45 0x38 /dev/hidraw0
>>
>> After you do that there should only be one finger lift report.
> Yes, this disables the repeating lift report, but the bug is still there.

Ok, I would have been surprised if this fixed it. But, at least it helps 
to narrow down the cause.

>
>> Also, if you can get the firmware id from your touchpad that would also
>> be useful.
>>
>> $ sudo ./rmihidtool -f /dev/hidraw0
> firmware id: 1522295
Thanks, I will see if I can get any additional information on this.

Andrew

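The buffer lifecycle behind the oops that Mika's patch addresses, as an added example in C that is not code from the thread or from drivers/hid/i2c-hid/i2c-hid.c: a toy driver whose ->stop() frees the command buffer while the runtime-PM power command still goes through it, next to the fixed variant that keeps the buffers until ->remove(). The toy_* names, the buffer sizes and the NULL check in the power path are assumptions of this example; the real driver had no such check, which is why it oopsed instead of returning an error.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>
#include <errno.h>

/* Toy model of the i2c-hid buffer lifecycle (an assumption of this example,
 * not the driver's real data structures). */
struct toy_hid {
	uint8_t *cmdbuf;        /* command buffer used for power commands */
	uint8_t *inbuf;         /* input report buffer */
	size_t bufsize;
	int claimed;
	int power_cmds_sent;
};

static int toy_alloc_buffers(struct toy_hid *h, size_t size)
{
	uint8_t *cmd = calloc(size, 1);
	uint8_t *in = calloc(size, 1);

	if (!cmd || !in) {
		free(cmd);
		free(in);
		return -ENOMEM;
	}
	/* release the old buffers before installing the larger ones */
	free(h->cmdbuf);
	free(h->inbuf);
	h->cmdbuf = cmd;
	h->inbuf = in;
	h->bufsize = size;
	return 0;
}

static void toy_free_buffers(struct toy_hid *h)
{
	free(h->cmdbuf);
	free(h->inbuf);
	h->cmdbuf = NULL;
	h->inbuf = NULL;
	h->bufsize = 0;
}

/* Power command as issued from the runtime PM callbacks. The NULL check is
 * this example's addition: the real driver wrote through the pointer
 * unconditionally, which is the NULL dereference in __i2c_hid_command. */
static int toy_set_power(struct toy_hid *h, uint8_t state)
{
	if (!h->cmdbuf)
		return -ENODEV;
	h->cmdbuf[0] = state;
	h->power_cmds_sent++;
	return 0;
}

/* ->start(): grow the buffers if the HID core needs larger reports */
static int toy_start(struct toy_hid *h, size_t max_report)
{
	if (max_report > h->bufsize)
		return toy_alloc_buffers(h, max_report);
	return 0;
}

/* ->stop() before the patch: dropped the claim and freed the buffers */
static void toy_stop_buggy(struct toy_hid *h)
{
	h->claimed = 0;
	toy_free_buffers(h);
}

/* ->stop() after the patch: only drops the claim; buffers live until remove */
static void toy_stop_fixed(struct toy_hid *h)
{
	h->claimed = 0;
}

/* Sequence from the bug report: probe allocates, the HID driver starts and
 * is then unloaded (stop), and runtime PM sends a power command while
 * i2c-hid itself is still bound. Returns the power command's result. */
static int run_scenario(void (*stop)(struct toy_hid *))
{
	struct toy_hid h;
	int ret;

	memset(&h, 0, sizeof(h));
	if (toy_alloc_buffers(&h, 32))
		return -ENOMEM;
	if (toy_start(&h, 64)) {
		toy_free_buffers(&h);
		return -ENOMEM;
	}
	h.claimed = 1;
	stop(&h);
	ret = toy_set_power(&h, 1);
	toy_free_buffers(&h);  /* ->remove() releases whatever is left */
	return ret;
}

int main(void)
{
	printf("stop() frees buffers: set_power returns %d\n", run_scenario(toy_stop_buggy));
	printf("stop() keeps buffers: set_power returns %d\n", run_scenario(toy_stop_fixed));
	return 0;
}
```

With the buggy stop the power command finds no buffer (here an error, in the kernel an oops); with the patched stop the buffers are still there and are released once, in the remove path, so nothing leaks either.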
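The `i2c_hid ... input:` lines quoted above are what `modprobe i2c-hid debug=1` prints. As an added example (not part of the driver or of rmi4utils), here is a small C parser for them that validates the two-byte little-endian length prefix of the i2c-hid input frame (the length counts itself), extracts the report id that follows it, splits a width byte into its X (low nibble) and Y (high nibble) widths as the thread describes, and measures the longest run of identical consecutive reports, which is the symptom Gabriele reports. The sample lines are constructed from the ones quoted in the thread; MAX_REPORT and the function names are this example's own, and since the thread does not say at which offset the width byte sits, decode_width() takes the byte as an argument.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>

#define MAX_REPORT 64   /* assumption: largest frame this example accepts */

struct report {
	size_t len;
	uint8_t data[MAX_REPORT];
};

/* Parse one dmesg line. Returns the number of bytes, or -1 if the line is
 * not an input line or its length prefix disagrees with the bytes printed. */
static int parse_input_line(const char *line, struct report *r)
{
	const char *p = strstr(line, "input:");
	size_t n = 0, declared;

	if (!p)
		return -1;
	p += strlen("input:");
	while (n < MAX_REPORT) {
		char *end;
		long v;

		while (*p == ' ')
			p++;
		if (*p == '\0' || *p == '\n')
			break;
		v = strtol(p, &end, 16);
		if (end == p || v < 0 || v > 255)
			return -1;
		r->data[n++] = (uint8_t)v;
		p = end;
	}
	if (n < 3)
		return -1;
	declared = r->data[0] | (r->data[1] << 8);   /* i2c-hid length prefix */
	if (declared != n)
		return -1;
	r->len = n;
	return (int)n;
}

static uint8_t report_id(const struct report *r)
{
	return r->data[2];   /* first byte after the length prefix */
}

/* Width byte: low nibble is the X width, high nibble the Y width (per thread). */
static void decode_width(uint8_t b, unsigned *x, unsigned *y)
{
	*x = b & 0x0f;
	*y = b >> 4;
}

/* The "cx or xc" condition Gabriele observed: either width equals 12. */
static int width_hits_12(uint8_t b)
{
	return (b & 0x0f) == 0x0c || (b >> 4) == 0x0c;
}

/* Longest run of identical consecutive reports. The firmware is said to
 * repeat the finger-lift report about 40 times, so a run far beyond that,
 * or one that never ends, is the stuck-interrupt symptom in the thread. */
static size_t longest_identical_run(const struct report *r, size_t count)
{
	size_t best = 0, run = 0, i;

	for (i = 0; i < count; i++) {
		if (i > 0 && r[i].len == r[i - 1].len &&
		    memcmp(r[i].data, r[i - 1].data, r[i].len) == 0)
			run++;
		else
			run = 1;
		if (run > best)
			best = run;
	}
	return best;
}

/* Constructed sample: copies of lines quoted in the thread plus one
 * unrelated debug line, to show the parser skipping it. */
static const char *sample_lines[] = {
	"[ 1984.276823] i2c_hid i2c-DLL060A:00: input: 20 00 0c 0c 01 00 72 5a 6d 0d 72 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00",
	"[ 1984.286921] i2c_hid i2c-DLL060A:00: input: 20 00 0c 0c 01 00 73 59 96 0a 5a 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00",
	"[ 1984.296888] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 00 00 73 59 96 00 00 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00",
	"[ 1984.306825] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 00 00 73 59 96 00 00 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00",
	"[ 1984.316980] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 00 00 73 59 96 00 00 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00",
	"[ 1984.320000] i2c_hid i2c-DLL060A:00: some other debug line",
};

/* Parse the sample into out[]; returns the number of reports, *bad counts
 * lines that were skipped. */
static size_t analyze_sample(struct report *out, size_t max, size_t *bad)
{
	size_t n = 0, i;

	*bad = 0;
	for (i = 0; i < sizeof(sample_lines) / sizeof(sample_lines[0]) && n < max; i++) {
		if (parse_input_line(sample_lines[i], &out[n]) < 0)
			(*bad)++;
		else
			n++;
	}
	return n;
}

int main(void)
{
	struct report r[8];
	size_t bad, n = analyze_sample(r, 8, &bad);

	printf("%zu reports parsed, %zu lines skipped, report id 0x%02x, longest identical run %zu\n",
	       n, bad, n ? report_id(&r[0]) : 0, longest_identical_run(r, n));
	return 0;
}
```

Feeding a full debug log through the same functions (one line at a time instead of the embedded sample) gives the run length that Andrew asked about: about 40 repeats is what the firmware configuration is said to produce, 81 or an unbounded run is not.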

* Re: NULL pointer dereference in i2c-hid
@ 2014-12-12 19:12                             ` Andrew Duggan
  0 siblings, 0 replies; 34+ messages in thread
From: Andrew Duggan @ 2014-12-12 19:12 UTC (permalink / raw)
  To: Gabriele Mazzotta
  Cc: Mika Westerberg, linux-input, linux-kernel, benjamin.tissoires, jkosina

On 12/12/2014 12:12 AM, Gabriele Mazzotta wrote:
> On Thursday 11 December 2014 16:26:00 Andrew Duggan wrote:
>> On 12/11/2014 01:57 PM, Gabriele Mazzotta wrote:
>>> On Thursday 11 December 2014 13:34:02 Andrew Duggan wrote:
>>>> On 12/11/2014 01:17 PM, Gabriele Mazzotta wrote:
>>>>> On Thursday 11 December 2014 12:46:53 Andrew Duggan wrote:
>>>>>> On 12/11/2014 11:40 AM, Gabriele Mazzotta wrote:
>>>>>>> On Thursday 11 December 2014 11:21:43 Andrew Duggan wrote:
>>>>>>>> On 12/11/2014 11:11 AM, Gabriele Mazzotta wrote:
>>>>>>>>> On Thursday 11 December 2014 10:40:05 Andrew Duggan wrote:
>>>>>>>>>> On 12/11/2014 10:16 AM, Gabriele Mazzotta wrote:
>>>>>>>>>>> On Thursday 11 December 2014 16:03:07 Mika Westerberg wrote:
>>>>>>>>>>>> On Thu, Dec 11, 2014 at 10:58:01AM +0200, Mika Westerberg wrote:
>>>>>>>>>>>>> On Wed, Dec 10, 2014 at 06:04:51PM +0100, Gabriele Mazzotta wrote:
>>>>>>>>>>>>>> my laptop uses a touchpad that needs hid-rmi along with i2c-hid to work.
>>>>>>>>>>>>>> i2c-hid and hid-rmi can be loaded and unloaded independently from each
>>>>>>>>>>>>>> other, however since 34f439e4afcd ("HID: i2c-hid: add runtime PM support")
>>>>>>>>>>>>>> if I unload hid-rmi and after it I also unload i2c-hid, I get a NULL
>>>>>>>>>>>>>> pointer dereference.
>>>>>>>>>>>>> I'll look into this.
>>>>>>>>>>>>>
>>>>>>>>>>>>> I can reproduce this easily with i2c-hid + hid-multitouch following your
>>>>>>>>>>>>> directions.
>>>>>>>>>>>> Can you try the below patch?
>>>>>>>>>>>>
>>>>>>>>>>>> I think we shouldn't free buffers yet in ->stop() because we need the
>>>>>>>>>>>> command buffer sending power commands to the device. Also it seems that
>>>>>>>>>>>> ->start() re-allocates buffers anyway if maximum size increases.
>>>>>>>>>>>>
>>>>>>>>>>>> It shouldn't even leak memory as we release buffers at ->remove()
>>>>>>>>>>>> anyway.
>>>>>>>>>>>>
>>>>>>>>>>>> diff --git a/drivers/hid/i2c-hid/i2c-hid.c b/drivers/hid/i2c-hid/i2c-hid.c
>>>>>>>>>>>> index 62cec01937ea..68a8c938feea 100644
>>>>>>>>>>>> --- a/drivers/hid/i2c-hid/i2c-hid.c
>>>>>>>>>>>> +++ b/drivers/hid/i2c-hid/i2c-hid.c
>>>>>>>>>>>> @@ -705,12 +705,7 @@ static int i2c_hid_start(struct hid_device *hid)
>>>>>>>>>>>>        
>>>>>>>>>>>>        static void i2c_hid_stop(struct hid_device *hid)
>>>>>>>>>>>>        {
>>>>>>>>>>>> -	struct i2c_client *client = hid->driver_data;
>>>>>>>>>>>> -	struct i2c_hid *ihid = i2c_get_clientdata(client);
>>>>>>>>>>>> -
>>>>>>>>>>>>        	hid->claimed = 0;
>>>>>>>>>>>> -
>>>>>>>>>>>> -	i2c_hid_free_buffers(ihid);
>>>>>>>>>>>>        }
>>>>>>>>>>>>        
>>>>>>>>>>>>        static int i2c_hid_open(struct hid_device *hid)
>>>>>>>>>>> Yes, it works, thanks.
>>>>>>>>>>>
>>>>>>>>>>> This change seems to also prevent kernel oops when I unload either
>>>>>>>>>>> i2c-hid or i2c-designware-platform while the touchpad is in use,
>>>>>>>>>>> which is likely to happen because of the other bug I reported.
>>>>>>>>>>>
>>>>>>>>>>> Speaking of it, does any of you have any suggestion on how to debug it?
>>>>>>>>>> I was able to reproduce the initial issue by unloading hid-rmi and
>>>>>>>>>> i2c-hid while holding my fingers on the touchpad. Mika's patch fixes it
>>>>>>>>>> for me.
>>>>>>>>>>
>>>>>>>>>> For the original bug, you can modprobe i2c-hid debug=1 and we can see
>>>>>>>>>> what data the touchpad is reporting. That might help narrow down if
>>>>>>>>>> it's noise which the touchpad thinks are fingers or if there is a
>>>>>>>>>> problem with the I2C lines causing spurious interrupts.
>>>>>>>>>>
>>>>>>>>>> Andrew
>>>>>>>>> I've already tried to do that and here is what I got:
>>>>>>>>>
>>>>>>>>> When I release the finger, the last message is repeated 81 times.
>>>>>>>>> If the byte containing information about the width of the finger
>>>>>>>>> becomes equal to either c0 or 0c at least once, the last message is
>>>>>>>>> repeated indefinitely and changes as soon as I start using the touchpad.
>>>>>>>>> The only way to stop it is to unload and reload i2c-hid.
>>>>>>>> The reports before log throttling kicks in would still be useful. For
>>>>>>>> instance c0 is outside of the range of finger width which we report so
>>>>>>>> something is wrong there. But, the touchpad should stop interrupting
>>>>>>>> once the finger is lifted. The fact that subsequent reads are reporting
>>>>>>>> the same data does sound like a problem with I2C getting confused and
>>>>>>>> continuously interrupting and reading the old finger data. I am also
>>>>>>>> curious about the value of the byte after the report id.
>>>>>>>>
>>>>>>>> Andrew
>>>>>>> If I'm not wrong c0 means that the width is 12 on y axis, while 0c means
>>>>>>> that the width is 12 on the x axis.
>>>>>> You are correct! I forgot width was 4 bits for X and Y in the same byte.
>>>>>> That makes more sense.
>>>>>>
>>>>>>> I have to correct myself. The important thing is that the byte is either
>>>>>>> cx or xc, where x is anything below c.
>>>>>>>
>>>>>>> Another correction. Sometimes unloading i2c-hid is not enough, I have to
>>>>>>> first disable the touchpad with xinput and then unload i2c-hid. If I
>>>>>>> don't do it, the messages start reappearing as soon as I reload i2c-hid.
>>>>>>>
>>>>>>> I did several tests in the past months and I'm quite sure that the bug
>>>>>>> happens only past xc/cy.
>>>>>> This may be coincidental. It is not obvious to me why a certain width
>>>>>> value would cause the symptoms described.
>>>>> Yes, I don't deny it. This is just a constant I found in my tests.
>>>>>
>>>>>>> Here are a few lines right before the bug. The last line is repeated indefinitely:
>>>>>>>
>>>>>>> [ 1983.527097] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 67 5b 61 0a 5f 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>>>>>> [ 1983.537211] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 67 5b 63 0a 60 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>>>>>> [ 1983.547329] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 67 5b 64 0a 60 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>>>>>> [ 1983.557486] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 67 5b 66 0a 60 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>>>>>> [ 1983.567663] i2c_hid i2c-DLL060A:00: input: 20 00 0c 0c 01 00 67 5b 68 0a 60 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>>>>>> [ 1983.577719] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 67 5b 6a 0a 61 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>>>>>> [ 1983.587852] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 67 5b 6b 0a 61 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>>>>>> [ 1983.598001] i2c_hid i2c-DLL060A:00: input: 20 00 0c 0c 01 00 67 5b 6e 0a 62 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>>>>>> [ 1983.608215] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 68 5b 61 0a 62 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>>>>>> [ 1983.618288] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 68 5b 64 0b 63 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>>>>>> [ 1983.628493] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 68 5b 67 0b 63 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>>>>>> [ 1983.638552] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 68 5b 69 0b 64 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>>>>>> [ 1983.648663] i2c_hid i2c-DLL060A:00: input: 20 00 0c 0c 01 00 68 5b 6c 0b 64 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>>>>>> [ 1983.658789] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 68 5b 6f 0b 64 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>>>>>> [ 1983.668923] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 69 5b 61 0b 65 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>>>>>> [ 1983.678819] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 69 5b 64 0b 65 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>>>>>> [ 1983.689230] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 69 5b 66 0b 65 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>>>>>> [ 1983.699435] i2c_hid i2c-DLL060A:00: input: 20 00 0c 0c 01 00 69 5b 68 0b 65 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>>>>>> [ 1983.709502] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 69 5b 6a 0b 66 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>>>>>> [ 1983.719574] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 69 5b 6c 0b 66 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>>>>>> [ 1983.729713] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 69 5b 6e 0b 66 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>>>>>> [ 1983.739863] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 6a 5b 60 0b 66 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>>>>>> [ 1983.750001] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 6a 5b 62 0b 66 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>>>>>> [ 1983.760150] i2c_hid i2c-DLL060A:00: input: 20 00 0c 0c 01 00 6a 5b 64 0b 67 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>>>>>> [ 1983.770291] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 6a 5b 66 0b 67 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>>>>>> [ 1983.780445] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 6a 5b 68 0b 67 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>>>>>> [ 1983.790490] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 6a 5b 5a 0b 68 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>>>>>> [ 1983.800667] i2c_hid i2c-DLL060A:00: input: 20 00 0c 0c 01 00 6a 5b 4e 0c 69 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>>>>>> [ 1983.810691] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 6b 5b 31 0c 69 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>>>>>> [ 1983.820963] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 6b 5b 24 0c 6a 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>>>>>> [ 1983.831071] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 6b 5b 17 0c 6a 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>>>>>> [ 1983.841178] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 6b 5b 09 0c 6a 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>>>>>> [ 1983.851325] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 6b 5b 0b 0c 6b 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>>>>>> [ 1983.861435] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 6b 5b 0d 0c 6b 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>>>>>> [ 1983.871566] i2c_hid i2c-DLL060A:00: input: 20 00 0c 0c 01 00 6b 5b 0f 0c 6b 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>>>>>> [ 1983.881735] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 6c 5b 01 0c 6b 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>>>>>> [ 1983.891975] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 6c 5b 03 0c 6b 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>>>>>> [ 1983.902073] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 6c 5b 05 0c 6c 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>>>>>> [ 1983.912155] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 6c 5b 07 0c 6b 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>>>>>> [ 1983.922224] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 6c 5b 09 0c 6c 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>>>>>> [ 1983.932364] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 6c 5b 0b 0c 6c 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>>>>>> [ 1983.942480] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 6c 5b 0d 0c 6c 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>>>>>> [ 1983.952612] i2c_hid i2c-DLL060A:00: input: 20 00 0c 0c 01 00 6c 5b 0f 0c 6c 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>>>>>> [ 1983.962774] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 6d 5a f1 0d 6d 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>>>>>> [ 1983.972932] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 6d 5a f3 0d 6e 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>>>>>> [ 1983.982872] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 6d 5a f6 0d 6f 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>>>>>> [ 1983.993194] i2c_hid i2c-DLL060A:00: input: 20 00 0c 0c 01 00 6d 5a f9 0d 6f 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>>>>>> [ 1984.003295] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 6d 5a fc 0d 6f 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>>>>>> [ 1984.013511] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 6d 5a ff 0d 70 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>>>>>> [ 1984.023590] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 6e 5a f2 0d 70 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>>>>>> [ 1984.033747] i2c_hid i2c-DLL060A:00: input: 20 00 0c 0c 01 00 6e 5a f5 0e 71 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>>>>>> [ 1984.043850] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 6e 5a f8 0e 71 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>>>>>> [ 1984.053873] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 6e 5a fb 0e 71 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>>>>>> [ 1984.064077] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 6e 5a fe 0e 72 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>>>>>> [ 1984.074207] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 6f 5a f1 0e 72 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>>>>>> [ 1984.084425] i2c_hid i2c-DLL060A:00: input: 20 00 0c 0c 01 00 6f 5a f3 0e 72 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>>>>>> [ 1984.094533] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 6f 5a f6 0e 73 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>>>>>> [ 1984.104629] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 6f 5a f8 0e 73 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>>>>>> [ 1984.114742] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 6f 5a fa 0e 73 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>>>>>> [ 1984.124890] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 6f 5a fc 0e 73 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>>>>>> [ 1984.135006] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 6f 5a fe 0e 73 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>>>>>> [ 1984.145149] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 70 5a f0 0e 73 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>>>>>> [ 1984.155317] i2c_hid i2c-DLL060A:00: input: 20 00 0c 0c 01 00 70 5a e2 0e 73 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>>>>>> [ 1984.165380] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 70 5a d4 0d 74 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>>>>>> [ 1984.175532] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 70 5a d6 0d 74 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>>>>>> [ 1984.185409] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 70 5a d8 0d 75 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>>>>>> [ 1984.195761] i2c_hid i2c-DLL060A:00: input: 20 00 0c 0c 01 00 70 5a db 0d 75 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>>>>>> [ 1984.205909] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 70 5a dd 0d 75 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>>>>>> [ 1984.216034] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 71 5a d0 0e 76 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>>>>>> [ 1984.226198] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 71 5a d3 0e 77 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>>>>>> [ 1984.236301] i2c_hid i2c-DLL060A:00: input: 20 00 0c 0c 01 00 71 5a d6 0e 77 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>>>>>> [ 1984.246520] i2c_hid i2c-DLL060A:00: input: 20 00 0c 0c 01 00 71 5a cb 0f 79 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>>>>>> [ 1984.256573] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 72 5a b1 0e 78 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>>>>>> [ 1984.266697] i2c_hid i2c-DLL060A:00: input: 20 00 0c 0c 01 00 72 5a a7 0e 77 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>>>>>> [ 1984.276823] i2c_hid i2c-DLL060A:00: input: 20 00 0c 0c 01 00 72 5a 6d 0d 72 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>>>>>> [ 1984.286921] i2c_hid i2c-DLL060A:00: input: 20 00 0c 0c 01 00 73 59 96 0a 5a 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>>>>>> [ 1984.296888] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 00 00 73 59 96 00 00 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>>>>>> [ 1984.306825] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 00 00 73 59 96 00 00 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>>>>>> [ 1984.316980] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 00 00 73 59 96 00 00 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
>>>>>> The last report which repeats indicates that no fingers are present.
>>>>>> But, the click button is generating the interrupt and it is reporting
>>>>>> that it is in the down position. Could the click button be getting stuck
>>>>>> down? That would also explain why the data in the report is not
>>>>>> changing. Could you be bumping the touchpad with your palm which is
>>>>>> causing the click button to get stuck in the down position? That might
>>>>>> also explain the large width value. Our max width is 15, so 12 would
>>>>>> typically indicate a contact larger than a normal finger contact. That
>>>>>> would explain the width of 12 showing up when this happens.
>>>>> Yes, that's not a normal finger touch and the reported width seems
>>>>> quite accurate to me. There are no clicks involved, laying the side of
>>>>> my thumb gently on the top part of the clickpad (from where even voluntary
>>>>> clicks are hard to obtain) is enough to trigger the bug. If a click is
>>>>> reported, then something is really wrong.
>>>> Do the reports look the same? With the repeated reports starting with
>>>> "20 00 0c 04"?
>>> I'm not sure I understood exactly what you want to know, so this might
>>> not answer your questions.
>>>
>>> All the repeated messages look like this:
>>>
>>> 20 00 0c 04 00 00 27 57 fa 00 00 07 8a 0c 00 00 7e 87 eb 00 00 aa 8f 37 00 00 61 4d f1 00 00 00
>>>
>>> The values equal to zero are always equal to zero when there are no
>>> fingers on the touchpad. The non-zero values are equal to the last
>>> valid value recorded and don't change when the fingers are released.
>>>
>>> To get the above line I touched the touchpad with 5 fingers so that
>>> all the bytes (except the last one which is different from zero on
>>> click release) were used.
>> Yes, that was the information I was looking for. But, this must not be
>> my day since it turns out I misremembered what 0x4 stood for and this is
>> unrelated to the click button. You can ignore everything I said about
>> the click button =)
>>
>> The report you have above is actually a finger lift report which
>> indicates that all of the fingers left the touchpad. I checked the
>> firmware configuration for this touchpad and it will repeat the lift
>> report probably about 40 times. This is the expected behavior. However,
>> you reported earlier that the message had been repeated 81 times? That
>> seems a bit high and it would not explain why it gets repeated indefinitely.
>>
>> You can try disabling the repeating finger lift reports and see if that
>> helps. To do that you need to download a utility at:
>> https://github.com/aduggan/rmi4utils
>>
>> After building it run:
>> $ sudo ./rmihidtool -r 0x45 1 /dev/hidraw0
>> This should print out 0x78 assuming the register address is what I
>> expect. If not I can send further instructions on how to figure that out.
>>
>> To disable the repeating lift report run:
>> $ sudo ./rmihidtool -w 0x45 0x38 /dev/hidraw0
>>
>> After you do that there should only be one finger lift report.
> Yes, this disables the repeating lift report, but the bug is still there.

Ok, I would have been surprised if this fixed it. But, at least it helps 
to narrow down the cause.

>
>> Also, if you can get the firmware id from your touchpad that would also
>> be useful.
>>
>> $ sudo ./rmihidtool -f /dev/hidraw0
> firmware id: 1522295
Thanks, I will see if I can get any additional information on this.

Andrew

^ permalink raw reply	[flat|nested] 34+ messages in thread
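Decoding the report bytes the thread argues over (the width nibbles, the "byte after the report id", the repeated finger lift report), as an added example that is not code from the thread, hid-rmi or rmi4utils. The field layout in the docstring is an assumption drawn from how the participants read the bytes; the sample lines are copied from the dmesg excerpts quoted above.

```python
"""Decode the i2c-hid debug output quoted in this thread.

Added example (not code from the thread, hid-rmi or rmi4utils). The layout
below is an assumption based on how the participants read the bytes:

  bytes 0-1  little-endian length of the whole report (0x0020 = 32 bytes)
  byte  2    HID report id (0x0c)
  byte  3    RMI interrupt status ("the byte after the report id")
  bytes 4-5  finger state, 2 bits per finger, 0 = finger absent
  bytes 6+   5 bytes per finger: x_lsb, y_lsb, (y_msb<<4 | x_msb),
             (wy<<4 | wx), z
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional, Tuple

MAX_FINGERS = 5
FINGER_BYTES = 5
LINE_RE = re.compile(r"input: ((?:[0-9a-f]{2}\s?)+)\s*$")


@dataclass(frozen=True)
class Finger:
    state: int   # 0 = absent, non-zero = present
    x: int
    y: int
    wx: int      # low nibble of the width byte (width on the x axis)
    wy: int      # high nibble of the width byte (width on the y axis)
    z: int


@dataclass(frozen=True)
class Report:
    report_id: int
    irq_status: int
    fingers: Tuple[Finger, ...]

    @property
    def no_fingers(self) -> bool:
        """True for a finger lift report: every finger state is zero."""
        return all(f.state == 0 for f in self.fingers)


def parse_report(line: str) -> Optional[Report]:
    """Decode one 'i2c_hid ...: input: 20 00 0c ...' dmesg line."""
    m = LINE_RE.search(line)
    if not m:
        return None
    data = bytes.fromhex(m.group(1).replace(" ", ""))
    length = data[0] | (data[1] << 8)
    if length != len(data):
        raise ValueError(f"length field {length} != {len(data)} bytes")
    state = data[4] | (data[5] << 8)
    fingers = []
    for i in range(MAX_FINGERS):
        off = 6 + FINGER_BYTES * i
        f = data[off:off + FINGER_BYTES]
        fingers.append(Finger(
            state=(state >> (2 * i)) & 0x3,
            x=f[0] | ((f[2] & 0x0F) << 8),
            y=f[1] | ((f[2] & 0xF0) << 4),
            wx=f[3] & 0x0F,
            wy=(f[3] >> 4) & 0x0F,
            z=f[4],
        ))
    return Report(data[2], data[3], tuple(fingers))


def longest_lift_run(reports: List[Report]) -> Tuple[int, int]:
    """(start index, length) of the longest run of identical lift reports.

    The firmware is said to repeat the lift report a bounded number of
    times; a run far above that, or one that never ends, is the symptom
    discussed in the thread.
    """
    best_start, best_len, i, n = 0, 0, 0, len(reports)
    while i < n:
        if not reports[i].no_fingers:
            i += 1
            continue
        j = i
        while j < n and reports[j] == reports[i]:
            j += 1
        if j - i > best_len:
            best_start, best_len = i, j - i
        i = j
    return best_start, best_len


def wide_contacts(reports: List[Report], threshold: int = 12) -> List[int]:
    """Indices of reports with a present finger whose wx or wy >= threshold."""
    return [i for i, r in enumerate(reports)
            if any(f.state and max(f.wx, f.wy) >= threshold for f in r.fingers)]


def irq_status_counts(reports: List[Report]) -> Counter:
    """How often each interrupt status byte value appears."""
    return Counter(r.irq_status for r in reports)


# Lines copied from the dmesg excerpts quoted in this thread.
SAMPLE_LOG = """\
[ 1983.527097] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 67 5b 61 0a 5f 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 1983.800667] i2c_hid i2c-DLL060A:00: input: 20 00 0c 0c 01 00 6a 5b 4e 0c 69 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 1984.296888] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 00 00 73 59 96 00 00 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 1984.306825] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 00 00 73 59 96 00 00 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 1984.316980] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 00 00 73 59 96 00 00 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
"""


def analyse(log: str) -> dict:
    reports = [r for r in map(parse_report, log.splitlines()) if r]
    return {"reports": reports,
            "lift_run": longest_lift_run(reports),
            "wide": wide_contacts(reports),
            "irq": irq_status_counts(reports)}


if __name__ == "__main__":
    res = analyse(SAMPLE_LOG)
    for i, r in enumerate(res["reports"]):
        print(i, f"irq=0x{r.irq_status:02x}", [f for f in r.fingers if f.state])
    print("longest identical lift run:", res["lift_run"])
    print("reports with width >= 12:", res["wide"])
    print("irq status counts:", dict(res["irq"]))
```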

* Re: NULL pointer dereference in i2c-hid
  2014-12-12 19:12                             ` Andrew Duggan
  (?)
@ 2014-12-24 23:53                             ` Gabriele Mazzotta
  2015-01-08 23:58                                 ` Andrew Duggan
  -1 siblings, 1 reply; 34+ messages in thread
From: Gabriele Mazzotta @ 2014-12-24 23:53 UTC (permalink / raw)
  To: Andrew Duggan
  Cc: Mika Westerberg, linux-input, linux-kernel, benjamin.tissoires, jkosina

On Friday 12 December 2014 11:12:50 Andrew Duggan wrote:
> On 12/12/2014 12:12 AM, Gabriele Mazzotta wrote:
> > On Thursday 11 December 2014 16:26:00 Andrew Duggan wrote:
> >> On 12/11/2014 01:57 PM, Gabriele Mazzotta wrote:
> >>> On Thursday 11 December 2014 13:34:02 Andrew Duggan wrote:
> >>>> On 12/11/2014 01:17 PM, Gabriele Mazzotta wrote:
> >>>>> On Thursday 11 December 2014 12:46:53 Andrew Duggan wrote:
> >>>>>> On 12/11/2014 11:40 AM, Gabriele Mazzotta wrote:
> >>>>>>> On Thursday 11 December 2014 11:21:43 Andrew Duggan wrote:
> >>>>>>>> On 12/11/2014 11:11 AM, Gabriele Mazzotta wrote:
> >>>>>>>>> On Thursday 11 December 2014 10:40:05 Andrew Duggan wrote:
> >>>>>>>>>> On 12/11/2014 10:16 AM, Gabriele Mazzotta wrote:
> >>>>>>>>>>> On Thursday 11 December 2014 16:03:07 Mika Westerberg wrote:
> >>>>>>>>>>>> On Thu, Dec 11, 2014 at 10:58:01AM +0200, Mika Westerberg wrote:
> >>>>>>>>>>>>> On Wed, Dec 10, 2014 at 06:04:51PM +0100, Gabriele Mazzotta wrote:
> >>>>>>>>>>>>>> my laptop uses a touchpad that needs hid-rmi along with i2c-hid to work.
> >>>>>>>>>>>>>> i2c-hid and hid-rmi can be loaded and unloaded independently from each
> >>>>>>>>>>>>>> other, however since 34f439e4afcd ("HID: i2c-hid: add runtime PM support")
> >>>>>>>>>>>>>> if I unload hid-rmi and after it I also unload i2c-hid, I get a NULL
> >>>>>>>>>>>>>> pointer dereference.
> >>>>>>>>>>>>> I'll look into this.
> >>>>>>>>>>>>>
> >>>>>>>>>>>>> I can reproduce this easily with i2c-hid + hid-multitouch following your
> >>>>>>>>>>>>> directions.
> >>>>>>>>>>>> Can you try the below patch?
> >>>>>>>>>>>>
> >>>>>>>>>>>> I think we shouldn't free buffers yet in ->stop() because we need the
> >>>>>>>>>>>> command buffer sending power commands to the device. Also it seems that
> >>>>>>>>>>>> ->start() re-allocates buffers anyway if maximum size increases.
> >>>>>>>>>>>>
> >>>>>>>>>>>> It shouldn't even leak memory as we release buffers at ->remove()
> >>>>>>>>>>>> anyway.
> >>>>>>>>>>>>
> >>>>>>>>>>>> diff --git a/drivers/hid/i2c-hid/i2c-hid.c b/drivers/hid/i2c-hid/i2c-hid.c
> >>>>>>>>>>>> index 62cec01937ea..68a8c938feea 100644
> >>>>>>>>>>>> --- a/drivers/hid/i2c-hid/i2c-hid.c
> >>>>>>>>>>>> +++ b/drivers/hid/i2c-hid/i2c-hid.c
> >>>>>>>>>>>> @@ -705,12 +705,7 @@ static int i2c_hid_start(struct hid_device *hid)
> >>>>>>>>>>>>        
> >>>>>>>>>>>>        static void i2c_hid_stop(struct hid_device *hid)
> >>>>>>>>>>>>        {
> >>>>>>>>>>>> -	struct i2c_client *client = hid->driver_data;
> >>>>>>>>>>>> -	struct i2c_hid *ihid = i2c_get_clientdata(client);
> >>>>>>>>>>>> -
> >>>>>>>>>>>>        	hid->claimed = 0;
> >>>>>>>>>>>> -
> >>>>>>>>>>>> -	i2c_hid_free_buffers(ihid);
> >>>>>>>>>>>>        }
> >>>>>>>>>>>>        
> >>>>>>>>>>>>        static int i2c_hid_open(struct hid_device *hid)
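Review bot: Dropping i2c_hid_free_buffers() from i2c_hid_stop() makes the ->start()/->stop() pair asymmetric (buffers allocated in ->start() now live until ->remove()), which is the intended fix here, but when this is submitted the commit message should say so explicitly, state that the runtime PM power commands sent after ->stop() still need the command buffer, and carry a Fixes: 34f439e4afcd ("HID: i2c-hid: add runtime PM support") tag, since that commit is what exposed the NULL pointer dereference in __i2c_hid_command() reported at the top of this thread. Removing the two locals (client, ihid) along with the call is correct, as nothing else in i2c_hid_stop() uses them.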
> >>>>>>>>>>> Yes, it works, thanks.
> >>>>>>>>>>>
> >>>>>>>>>>> This change seems to also prevent kernel oops when I unload either
> >>>>>>>>>>> i2c-hid or i2c-designware-platform while the touchpad is in use,
> >>>>>>>>>>> something that is likely to happen because of the other bug I reported.
> >>>>>>>>>>>
> >>>>>>>>>>> Speaking of it, does any of you have any suggestion on how to debug it?
> >>>>>>>>>> I was able to reproduce the initial issue by unloading hid-rmi and
> >>>>>>>>>> i2c-hid while holding my fingers on the touchpad. Mika's patch fixes it
> >>>>>>>>>> for me.
> >>>>>>>>>>
> >>>>>>>>>> For the original bug, you can modprobe i2c-hid debug=1 and we can see
> >>>>>>>>>> what data the touchpad is reporting. That might help narrowing down if
> >>>>>>>>>> it's noise which the touchpad thinks are fingers or if there is a
> >>>>>>>>>> problem with the I2C lines causing spurious interrupts.
> >>>>>>>>>>
> >>>>>>>>>> Andrew
> >>>>>>>>> I've already tried to do that and here is what I got:
> >>>>>>>>>
> >>>>>>>>> When I release the finger, the last message is repeated 81 times.
> >>>>>>>>> If the byte containing information about the width of the finger
> >>>>>>>>> becomes equal to either c0 or 0c at least once, the last message is
> >>>>>>>>> repeated indefinitely and changes as soon as I start using the touchpad.
> >>>>>>>>> The only way to stop it is to unload and reload i2c-hid.
> >>>>>>>> The reports before log throttling kicks in would still be useful. For
> >>>>>>>> instance c0 is outside of the range of finger width which we report so
> >>>>>>>> something is wrong there. But, the touchpad should stop interrupting
> >>>>>>>> once the finger is lifted. The fact that subsequent reads are reporting
> >>>>>>>> the same data does sound like a problem with I2C getting confused and
> >>>>>>>> continuously interrupting and reading the old finger data. I am also
> >>>>>>>> curious about the value of the byte after the report id.
> >>>>>>>>
> >>>>>>>> Andrew
> >>>>>>> If I'm not wrong c0 means that the width is 12 on y axis, while 0c means
> >>>>>>> that the width is 12 on the x axis.
> >>>>>> You are correct! I forgot width was 4 bits for X and Y in the same byte.
> >>>>>> That makes more sense.
> >>>>>>
> >>>>>>> I have to correct myself. The important thing is that the byte is either
> >>>>>>> cx or xc, where x is anything below c.
> >>>>>>>
> >>>>>>> Another correction. Sometimes unloading i2c-hid is not enough, I have to
> >>>>>>> first disable the touchpad with xinput and then unload i2c-hid. If I
> >>>>>>> don't do it, the messages start reappearing as soon as I reload i2c-hid.
> >>>>>>>
> >>>>>>> I did several tests in the past months and I'm quite sure that the bug
> >>>>>>> happens only past xc/cy.
> >>>>>> This may be coincidental. It is not obvious to me why a certain width
> >>>>>> value would cause the symptoms described.
> >>>>> Yes, I don't deny it. This is just a constant I found in my tests.
> >>>>>
> >>>>>>> Here are a few lines right before the bug. The last line is repeated indefinitely:
> >>>>>>>
> >>>>>>> [ 1983.527097] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 67 5b 61 0a 5f 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> >>>>>>> [ 1983.537211] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 67 5b 63 0a 60 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> >>>>>>> [ 1983.547329] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 67 5b 64 0a 60 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> >>>>>>> [ 1983.557486] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 67 5b 66 0a 60 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> >>>>>>> [ 1983.567663] i2c_hid i2c-DLL060A:00: input: 20 00 0c 0c 01 00 67 5b 68 0a 60 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> >>>>>>> [ 1983.577719] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 67 5b 6a 0a 61 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> >>>>>>> [ 1983.587852] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 67 5b 6b 0a 61 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> >>>>>>> [ 1983.598001] i2c_hid i2c-DLL060A:00: input: 20 00 0c 0c 01 00 67 5b 6e 0a 62 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> >>>>>>> [ 1983.608215] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 68 5b 61 0a 62 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> >>>>>>> [ 1983.618288] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 68 5b 64 0b 63 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> >>>>>>> [ 1983.628493] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 68 5b 67 0b 63 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> >>>>>>> [ 1983.638552] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 68 5b 69 0b 64 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> >>>>>>> [ 1983.648663] i2c_hid i2c-DLL060A:00: input: 20 00 0c 0c 01 00 68 5b 6c 0b 64 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> >>>>>>> [ 1983.658789] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 68 5b 6f 0b 64 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> >>>>>>> [ 1983.668923] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 69 5b 61 0b 65 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> >>>>>>> [ 1983.678819] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 69 5b 64 0b 65 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> >>>>>>> [ 1983.689230] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 69 5b 66 0b 65 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> >>>>>>> [ 1983.699435] i2c_hid i2c-DLL060A:00: input: 20 00 0c 0c 01 00 69 5b 68 0b 65 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> >>>>>>> [ 1983.709502] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 69 5b 6a 0b 66 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> >>>>>>> [ 1983.719574] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 69 5b 6c 0b 66 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> >>>>>>> [ 1983.729713] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 69 5b 6e 0b 66 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> >>>>>>> [ 1983.739863] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 6a 5b 60 0b 66 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> >>>>>>> [ 1983.750001] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 6a 5b 62 0b 66 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> >>>>>>> [ 1983.760150] i2c_hid i2c-DLL060A:00: input: 20 00 0c 0c 01 00 6a 5b 64 0b 67 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> >>>>>>> [ 1983.770291] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 6a 5b 66 0b 67 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> >>>>>>> [ 1983.780445] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 6a 5b 68 0b 67 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> >>>>>>> [ 1983.790490] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 6a 5b 5a 0b 68 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> >>>>>>> [ 1983.800667] i2c_hid i2c-DLL060A:00: input: 20 00 0c 0c 01 00 6a 5b 4e 0c 69 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> >>>>>>> [ 1983.810691] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 6b 5b 31 0c 69 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> >>>>>>> [ 1983.820963] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 6b 5b 24 0c 6a 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> >>>>>>> [ 1983.831071] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 6b 5b 17 0c 6a 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> >>>>>>> [ 1983.841178] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 6b 5b 09 0c 6a 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> >>>>>>> [ 1983.851325] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 6b 5b 0b 0c 6b 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> >>>>>>> [ 1983.861435] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 6b 5b 0d 0c 6b 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> >>>>>>> [ 1983.871566] i2c_hid i2c-DLL060A:00: input: 20 00 0c 0c 01 00 6b 5b 0f 0c 6b 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> >>>>>>> [ 1983.881735] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 6c 5b 01 0c 6b 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> >>>>>>> [ 1983.891975] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 6c 5b 03 0c 6b 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> >>>>>>> [ 1983.902073] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 6c 5b 05 0c 6c 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> >>>>>>> [ 1983.912155] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 6c 5b 07 0c 6b 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> >>>>>>> [ 1983.922224] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 6c 5b 09 0c 6c 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> >>>>>>> [ 1983.932364] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 6c 5b 0b 0c 6c 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> >>>>>>> [ 1983.942480] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 6c 5b 0d 0c 6c 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> >>>>>>> [ 1983.952612] i2c_hid i2c-DLL060A:00: input: 20 00 0c 0c 01 00 6c 5b 0f 0c 6c 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> >>>>>>> [ 1983.962774] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 6d 5a f1 0d 6d 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> >>>>>>> [ 1983.972932] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 6d 5a f3 0d 6e 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> >>>>>>> [ 1983.982872] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 6d 5a f6 0d 6f 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> >>>>>>> [ 1983.993194] i2c_hid i2c-DLL060A:00: input: 20 00 0c 0c 01 00 6d 5a f9 0d 6f 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> >>>>>>> [ 1984.003295] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 6d 5a fc 0d 6f 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> >>>>>>> [ 1984.013511] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 6d 5a ff 0d 70 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> >>>>>>> [ 1984.023590] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 6e 5a f2 0d 70 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> >>>>>>> [ 1984.033747] i2c_hid i2c-DLL060A:00: input: 20 00 0c 0c 01 00 6e 5a f5 0e 71 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> >>>>>>> [ 1984.043850] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 6e 5a f8 0e 71 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> >>>>>>> [ 1984.053873] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 6e 5a fb 0e 71 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> >>>>>>> [ 1984.064077] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 6e 5a fe 0e 72 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> >>>>>>> [ 1984.074207] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 6f 5a f1 0e 72 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> >>>>>>> [ 1984.084425] i2c_hid i2c-DLL060A:00: input: 20 00 0c 0c 01 00 6f 5a f3 0e 72 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> >>>>>>> [ 1984.094533] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 6f 5a f6 0e 73 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> >>>>>>> [ 1984.104629] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 6f 5a f8 0e 73 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> >>>>>>> [ 1984.114742] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 6f 5a fa 0e 73 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> >>>>>>> [ 1984.124890] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 6f 5a fc 0e 73 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> >>>>>>> [ 1984.135006] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 6f 5a fe 0e 73 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> >>>>>>> [ 1984.145149] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 70 5a f0 0e 73 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> >>>>>>> [ 1984.155317] i2c_hid i2c-DLL060A:00: input: 20 00 0c 0c 01 00 70 5a e2 0e 73 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> >>>>>>> [ 1984.165380] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 70 5a d4 0d 74 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> >>>>>>> [ 1984.175532] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 70 5a d6 0d 74 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> >>>>>>> [ 1984.185409] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 70 5a d8 0d 75 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> >>>>>>> [ 1984.195761] i2c_hid i2c-DLL060A:00: input: 20 00 0c 0c 01 00 70 5a db 0d 75 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> >>>>>>> [ 1984.205909] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 70 5a dd 0d 75 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> >>>>>>> [ 1984.216034] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 71 5a d0 0e 76 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> >>>>>>> [ 1984.226198] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 71 5a d3 0e 77 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> >>>>>>> [ 1984.236301] i2c_hid i2c-DLL060A:00: input: 20 00 0c 0c 01 00 71 5a d6 0e 77 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> >>>>>>> [ 1984.246520] i2c_hid i2c-DLL060A:00: input: 20 00 0c 0c 01 00 71 5a cb 0f 79 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> >>>>>>> [ 1984.256573] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 01 00 72 5a b1 0e 78 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> >>>>>>> [ 1984.266697] i2c_hid i2c-DLL060A:00: input: 20 00 0c 0c 01 00 72 5a a7 0e 77 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> >>>>>>> [ 1984.276823] i2c_hid i2c-DLL060A:00: input: 20 00 0c 0c 01 00 72 5a 6d 0d 72 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> >>>>>>> [ 1984.286921] i2c_hid i2c-DLL060A:00: input: 20 00 0c 0c 01 00 73 59 96 0a 5a 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> >>>>>>> [ 1984.296888] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 00 00 73 59 96 00 00 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> >>>>>>> [ 1984.306825] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 00 00 73 59 96 00 00 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> >>>>>>> [ 1984.316980] i2c_hid i2c-DLL060A:00: input: 20 00 0c 04 00 00 73 59 96 00 00 03 09 40 00 00 90 86 1d 00 00 00 00 00 00 00 00 00 00 00 00 00
> >>>>>> The last report which repeats indicates that no fingers are present.
> >>>>>> But, the click button is generating the interrupt and it is reporting
> >>>>>> that it is in the down position. Could the click button be getting stuck
> >>>>>> down? That would also explain why the data in the report is not
> >>>>>> changing. Could you be bumping the touchpad with your palm which is
> >>>>>> causing the click button to get stuck in the down position? That might
> >>>>>> also explain the large width value. Our max width is 15, so 12 would
> >>>>>> typically indicate a contact larger than a normal finger contact. That
> >>>>>> would explain the width of 12 showing up when this happens.
> >>>>> Yes, that's not a normal finger touch and the reported width seems
> >>>>> quite accurate to me. There are no clicks involved, laying the side of
> >>>>> my thumb gently on the top part of the clickpad (from where even voluntary
> >>>>> clicks are hard to obtain) is enough to trigger the bug. If a click is
> >>>>> reported, then something is really wrong.
> >>>> Do the reports look the same? With the repeated reports starting with
> >>>> "20 00 0c 04"?
> >>> I'm not sure I understood exactly what you want to know, so this might
> >>> not answer your questions.
> >>>
> >>> All the repeated messages look like this:
> >>>
> >>> 20 00 0c 04 00 00 27 57 fa 00 00 07 8a 0c 00 00 7e 87 eb 00 00 aa 8f 37 00 00 61 4d f1 00 00 00
> >>>
> >>> The values equal to zero are always equal to zero when there are no
> >>> fingers on the touchpad. The non-zero values are equal to the last
> >>> valid value recorded and don't change when the fingers are released.
> >>>
> >>> To get the above line I touched the touchpad with 5 fingers so that
> >>> all the bytes (except the last one which is different from zero on
> >>> click release) were used.
> >> Yes, that was the information I was looking for. But, this must not be
> >> my day since it turns out I misremembered what 0x4 stood for and this is
> >> unrelated to the click button. You can ignore everything I said about
> >> the click button =)
> >>
> >> The report you have above is actually a finger lift report which
> >> indicates that all of the fingers left the touchpad. I checked the
> >> firmware configuration for this touchpad and it will repeat the lift
> >> report probably about 40 times. This is the expected behavior. However,
> >> you reported earlier that the message had been repeated 81 times? That
> >> seems a bit high and it would not explain why it gets repeated indefinitely.
> >>
> >> You can try disabling the repeating finger lift reports and see if that
> >> helps. To do that you need to download a utility at:
> >> https://github.com/aduggan/rmi4utils
> >>
> >> After building it run:
> >> $ sudo ./rmihidtool -r 0x45 1 /dev/hidraw0
> >> This should print out 0x78 assuming the register address is what I
> >> expect. If not I can send further instructions on how to figure that out.
> >>
> >> To disable the repeating lift report run:
> >> $ sudo ./rmihidtool -w 0x45 0x38 /dev/hidraw0
> >>
> >> After you do that there should only be one finger lift report.
> > Yes, this disables the repeating lift report, but the bug is still there.
> 
> Ok, I would have been surprised if this fixed it. But, at least it helps 
> to narrow down the cause.
> 
> >
> >> Also, if you can get the firmware id from your touchpad that would also
> >> be useful.
> >>
> >> $ sudo ./rmihidtool -f /dev/hidraw0
> > firmware id: 1522295
> Thanks, I will see if I can get any additional information on this.
> 
> Andrew

Hi,

I think I found the source of the problem.

$ ./rmihidtool /dev/hidraw1 -r 0x50 1
0x01  #PalmDetect Interrupt Enable, right?
$ ./rmihidtool /dev/hidraw1 -w 0x50 0  #Disable PalmDetect Interrupt

It makes more sense now that widths greater than 12 trigger the bug.

Gabriele



* Re: NULL pointer dereference in i2c-hid
  2014-12-24 23:53                             ` Gabriele Mazzotta
@ 2015-01-08 23:58                                 ` Andrew Duggan
  0 siblings, 0 replies; 34+ messages in thread
From: Andrew Duggan @ 2015-01-08 23:58 UTC (permalink / raw)
  To: Gabriele Mazzotta
  Cc: Mika Westerberg, linux-input, linux-kernel, benjamin.tissoires, jkosina

On 12/24/2014 03:53 PM, Gabriele Mazzotta wrote:
[...snip...]
>>>> Also, if you can get the firmware id from your touchpad that would also
>>>> be useful.
>>>>
>>>> $ sudo ./rmihidtool -f /dev/hidraw0
>>> firmware id: 1522295
>> Thanks, I will see if I can get any additional information on this.
>>
>> Andrew
> Hi,
>
> I think I found the source of the problem.
>
> $ ./rmihidtool /dev/hidraw1 -r 0x50 1
> 0x01  #PalmDetect Interrupt Enable, right?
Yes, 0x50 does appear to be the address of the palm detect interrupt 
enable register.
> $ ./rmihidtool /dev/hidraw1 -w 0x50 0  #Disable PalmDetect Interrupt
>
> It makes more sense now that widths greater than 12 trigger the bug.
That is weird behavior and I haven't seen anything like that before. I 
will file a bug to see if firmware has any idea why this is happening.
>
> Gabriele
>
Andrew


* Re: NULL pointer dereference in i2c-hid
  2015-01-08 23:58                                 ` Andrew Duggan
@ 2015-01-09  8:04                                 ` Gabriele Mazzotta
  2015-01-10  0:29                                     ` Andrew Duggan
  -1 siblings, 1 reply; 34+ messages in thread
From: Gabriele Mazzotta @ 2015-01-09  8:04 UTC (permalink / raw)
  To: Andrew Duggan
  Cc: Mika Westerberg, linux-input, linux-kernel, benjamin.tissoires, jkosina

On Thursday 08 January 2015 15:58:54 Andrew Duggan wrote:
> On 12/24/2014 03:53 PM, Gabriele Mazzotta wrote:
> [...snip...]
> >>>> Also, if you can get the firmware id from your touchpad that would also
> >>>> be useful.
> >>>>
> >>>> $ sudo ./rmihidtool -f /dev/hidraw0
> >>> firmware id: 1522295
> >> Thanks, I will see if I can get any additional information on this.
> >>
> >> Andrew
> > Hi,
> >
> > I think I found the source of the problem.
> >
> > $ ./rmihidtool /dev/hidraw1 -r 0x50 1
> > 0x01  #PalmDetect Interrupt Enable, right?
> Yes, 0x50 does appear to be the address of the palm detect interrupt 
> enable register.
> > $ ./rmihidtool /dev/hidraw1 -w 0x50 0  #Disable PalmDetect Interrupt
> >
> > It makes more sense now that widths greater than 12 trigger the bug.
> That is weird behavior and I haven't seen anything like that before. I 
> will file a bug to see if firmware has any idea why this is happening.

According to the RMI4 specification, gesture interrupts are cleared
only once specific flag registers, F11_2D_Data8 and F11_2D_Data9, are
read. So I tried to read those registers and found that the following
command stops the events:

$ rmihidtool /dev/hidraw1 -r 0x24 1  # I was looking for F11_2D_Data8

I'm not sure I got the right address as reading any register close to
0x24 (such as 0x25, 0x26) has the same effect. I would have expected
this to happen only reading one specific register.

I also honestly don't know why palms are detected when the width is at
least 12, PalmDetectThreshold is 0 and so the palm detection should
be inhibited.

> >
> > Gabriele
> >
> Andrew



* Re: NULL pointer dereference in i2c-hid
  2015-01-09  8:04                                 ` Gabriele Mazzotta
@ 2015-01-10  0:29                                     ` Andrew Duggan
  0 siblings, 0 replies; 34+ messages in thread
From: Andrew Duggan @ 2015-01-10  0:29 UTC (permalink / raw)
  To: Gabriele Mazzotta
  Cc: Mika Westerberg, linux-input, linux-kernel, benjamin.tissoires, jkosina

On 01/09/2015 12:04 AM, Gabriele Mazzotta wrote:
> On Thursday 08 January 2015 15:58:54 Andrew Duggan wrote:
>> On 12/24/2014 03:53 PM, Gabriele Mazzotta wrote:
>> [...snip...]
>>>>>> Also, if you can get the firmware id from your touchpad that would also
>>>>>> be useful.
>>>>>>
>>>>>> $ sudo ./rmihidtool -f /dev/hidraw0
>>>>> firmware id: 1522295
>>>> Thanks, I will see if I can get any additional information on this.
>>>>
>>>> Andrew
>>> Hi,
>>>
>>> I think I found the source of the problem.
>>>
>>> $ ./rmihidtool /dev/hidraw1 -r 0x50 1
>>> 0x01  #PalmDetect Interrupt Enable, right?
>> Yes, 0x50 does appear to be the address of the palm detect interrupt
>> enable register.
>>> $ ./rmihidtool /dev/hidraw1 -w 0x50 0  #Disable PalmDetect Interrupt
>>>
>>> It makes more sense now that widths greater than 12 trigger the bug.
>> That is weird behavior and I haven't seen anything like that before. I
>> will file a bug to see if firmware has any idea why this is happening.
> According to the RMI4 specification, gesture interrupts are cleared
> only once specific flag registers, F11_2D_Data8 and F11_2D_Data9, are
> read. So I tried to read those registers and found that the following
> command stops the events:

It is unusual to see firmware gestures enabled for HID/I2C touchpads. In 
fact none of the touchpads I have have that functionality enabled, which 
is why I haven't been able to test. On HID touchpads there is a layer in 
the firmware which reads the RMI registers and packs them into the HID 
attention report. My guess is that the HID layer is not reading 
F11_2D_Data8 or 9 causing it to assert indefinitely. Since this isn't a 
common firmware configuration that is probably why this hasn't been 
observed before.

> $ rmihidtool /dev/hidraw1 -r 0x24 1  # I was looking for F11_2D_Data8
>
> I'm not sure I got the right address as reading any register close to
> 0x24 (such as 0x25, 0x26) has the same effect. I would have expected
> this to happen only reading one specific register.

With this firmware, F11_2D_Data8 should be at 0x3A. It's 2 bytes for 
finger state + 5 bytes per finger * 5 fingers for abs data  + 2 bytes 
per finger * 5 fingers for rel data. I'm not sure why reading 0x24 would 
stop the reports though.

>
> I also honestly don't know why palms are detected when the width is at
> least 12, PalmDetectThreshold is 0 and so the palm detection should
> be inhibited.
>

This seems to be set in the firmware config. It looks like 
PalmDetectThreshold is only used when the reporting mode is 001. The 
default reporting mode looks like it is 000.

>>> Gabriele
>>>
>> Andrew
Thanks for providing all of this detail.

Andrew


* Re: NULL pointer dereference in i2c-hid
  2015-01-10  0:29                                     ` Andrew Duggan
@ 2015-01-10  1:18                                     ` Gabriele Mazzotta
  -1 siblings, 0 replies; 34+ messages in thread
From: Gabriele Mazzotta @ 2015-01-10  1:18 UTC (permalink / raw)
  To: Andrew Duggan
  Cc: Mika Westerberg, linux-input, linux-kernel, benjamin.tissoires, jkosina

On Friday 09 January 2015 16:29:04 Andrew Duggan wrote:
> On 01/09/2015 12:04 AM, Gabriele Mazzotta wrote:
> > On Thursday 08 January 2015 15:58:54 Andrew Duggan wrote:
> >> On 12/24/2014 03:53 PM, Gabriele Mazzotta wrote:
> >> [...snip...]
> >>>>>> Also, if you can get the firmware id from your touchpad that would also
> >>>>>> be useful.
> >>>>>>
> >>>>>> $ sudo ./rmihidtool -f /dev/hidraw0
> >>>>> firmware id: 1522295
> >>>> Thanks, I will see if I can get any additional information on this.
> >>>>
> >>>> Andrew
> >>> Hi,
> >>>
> >>> I think I found the source of the problem.
> >>>
> >>> $ ./rmihidtool /dev/hidraw1 -r 0x50 1
> >>> 0x01  #PalmDetect Interrupt Enable, right?
> >> Yes, 0x50 does appear to be the address of the palm detect interrupt
> >> enable register.
> >>> $ ./rmihidtool /dev/hidraw1 -w 0x50 0  #Disable PalmDetect Interrupt
> >>>
> >>> It makes more sense now that widths greater than 12 trigger the bug.
> >> That is weird behavior and I haven't seen anything like that before. I
> >> will file a bug to see if firmware has any idea why this is happening.
> > According to the RMI4 specification, gesture interrupts are cleared
> > only once specific flag registers, F11_2D_Data8 and F11_2D_Data9, are
> > read. So I tried to read those registers and found that the following
> > command stops the events:
> 
> It is unusual to see firmware gestures enabled for HID/I2C touchpads. In 
> fact none of the touchpads I have have that functionality enabled, which 
> is why I haven't been able to test. On HID touchpads there is a layer in 
> the firmware which reads the RMI registers and packs them into the HID 
> attention report. My guess is that the HID layer is not reading 
> F11_2D_Data8 or 9 causing it to assert indefinitely. Since this isn't a 
> common firmware configuration that is probably why this hasn't been 
> observed before.
> 
> > $ rmihidtool /dev/hidraw1 -r 0x24 1  # I was looking for F11_2D_Data8
> >
> > I'm not sure I got the right address as reading any register close to
> > 0x24 (such as 0x25, 0x26) has the same effect. I would have expected
> > this to happen only reading one specific register.
> 
> With this firmware, F11_2D_Data8 should be at 0x3A. It's 2 bytes for 
> finger state + 5 bytes per finger * 5 fingers for abs data  + 2 bytes 
> per finger * 5 fingers for rel data. I'm not sure why reading 0x24 would 
> stop the reports though.

Yes, this seems to be the right one; I can see the things I was
expecting to see. That's why I kind of knew that 0x24 wasn't right,
but I was surprised to see the problem disappear by reading that
register, so I didn't bother to do the math. Thanks for doing it for me.

Anyway, I can see PalmDetect set to 1 in register 0x3B and the
interrupts stop as soon as I read it.

> >
> > I also honestly don't know why palms are detected when the width is at
> > least 12, PalmDetectThreshold is 0 and so the palm detection should
> > be inhibited.
> >
> 
> This seems to be set in the firmware config. It looks like 
> PalmDetectThreshold is only used when the reporting mode is 001. The 
> default reporting mode looks like it is 000.

For some reason, mode 001 is not working. I tried it some time ago as an
attempt to reduce the power consumption, but as soon as I switched to it,
the touchpad stopped working as intended. In that mode, nothing happens
until I click, and when I do that, I can see something going on while
I move the finger. But this has nothing to do with the problem discussed
here. The interesting thing is that whichever mode I set, as soon
as the width of the finger reaches 12, everything starts working as
if the reporting mode was 000. This means that as long as the palm
detect interrupt is enabled, palms are detected regardless of the mode.

Gabriele


* Re: NULL pointer dereference in i2c-hid
  2015-01-10  0:29                                     ` Andrew Duggan
@ 2015-02-22 21:37                                     ` Gabriele Mazzotta
  2015-02-24  0:30                                         ` Andrew Duggan
  -1 siblings, 1 reply; 34+ messages in thread
From: Gabriele Mazzotta @ 2015-02-22 21:37 UTC (permalink / raw)
  To: Andrew Duggan
  Cc: Mika Westerberg, linux-input, linux-kernel, benjamin.tissoires, jkosina

On Friday 09 January 2015 16:29:04 Andrew Duggan wrote:
> On 01/09/2015 12:04 AM, Gabriele Mazzotta wrote:
> > On Thursday 08 January 2015 15:58:54 Andrew Duggan wrote:
> >> On 12/24/2014 03:53 PM, Gabriele Mazzotta wrote:
> >> [...snip...]
> >>>>>> Also, if you can get the firmware id from your touchpad that would also
> >>>>>> be useful.
> >>>>>>
> >>>>>> $ sudo ./rmihidtool -f /dev/hidraw0
> >>>>> firmware id: 1522295
> >>>> Thanks, I will see if I can get any additional information on this.
> >>>>
> >>>> Andrew
> >>> Hi,
> >>>
> >>> I think I found the source of the problem.
> >>>
> >>> $ ./rmihidtool /dev/hidraw1 -r 0x50 1
> >>> 0x01  #PalmDetect Interrupt Enable, right?
> >> Yes, 0x50 does appear to be the address of the palm detect interrupt
> >> enable register.
> >>> $ ./rmihidtool /dev/hidraw1 -w 0x50 0  #Disable PalmDetect Interrupt
> >>>
> >>> It makes more sense now that widths greater than 12 trigger the bug.
> >> That is weird behavior and I haven't seen anything like that before. I
> >> will file a bug to see if firmware has any idea why this is happening.
> > According to the RMI4 specification, gesture interrupts are cleared
> > only once specific flag registers, F11_2D_Data8 and F11_2D_Data9, are
> > read. So I tried to read those registers and found that the following
> > command stops the events:
> 
> It is unusual to see firmware gestures enabled for HID/I2C touchpads. In 
> fact none of the touchpads I have have that functionality enabled, which 
> is why I haven't been able to test. On HID touchpads there is a layer in 
> the firmware which reads the RMI registers and packs them into the HID 
> attention report. My guess is that the HID layer is not reading 
> F11_2D_Data8 or 9 causing it to assert indefinitely. Since this isn't a 
> common firmware configuration that is probably why this hasn't been 
> observed before.
> 
> > $ rmihidtool /dev/hidraw1 -r 0x24 1  # I was looking for F11_2D_Data8
> >
> > I'm not sure I got the right address as reading any register close to
> > 0x24 (such as 0x25, 0x26) has the same effect. I would have expected
> > this to happen only reading one specific register.
> 
> With this firmware, F11_2D_Data8 should be at 0x3A. It's 2 bytes for 
> finger state + 5 bytes per finger * 5 fingers for abs data  + 2 bytes 
> per finger * 5 fingers for rel data. I'm not sure why reading 0x24 would 
> stop the reports though.
> 
> >
> > I also honestly don't know why palms are detected when the width is at
> > least 12, PalmDetectThreshold is 0 and so the palm detection should
> > be inhibited.
> >
> 
> This seems to be set in the firmware config. It looks like 
> PalmDetectThreshold is only used when the reporting mode is 001. The 
> default reporting mode looks like it is 000.

Hi Andrew,

is there any plan on implementing a function to write registers? This
would allow me to easily disable the PalmDetect Interrupt when the driver
is loaded without relying on external tools. Reading F11_2D_Data8
continuously seems unnecessary.

Not totally related. Is there any use for the dribble interrupts? I'm
wondering if they could be disabled by default. In my case these
interrupts go on for about a second, making the I2C host controller
generate a lot of interrupts. A quick tap, for example, makes INT33C3
generate more than 5000 interrupts when dribbling is enabled and less
than 200 interrupts when disabled. The difference is not really
insignificant, so if they have no real use, I'd disable them by default
in order to save some power.

Regards,
Gabriele


* Re: NULL pointer dereference in i2c-hid
  2015-02-22 21:37                                     ` Gabriele Mazzotta
@ 2015-02-24  0:30                                         ` Andrew Duggan
  0 siblings, 0 replies; 34+ messages in thread
From: Andrew Duggan @ 2015-02-24  0:30 UTC (permalink / raw)
  To: Gabriele Mazzotta
  Cc: Mika Westerberg, linux-input, linux-kernel, benjamin.tissoires, jkosina

On 02/22/2015 01:37 PM, Gabriele Mazzotta wrote:
> On Friday 09 January 2015 16:29:04 Andrew Duggan wrote:
>> On 01/09/2015 12:04 AM, Gabriele Mazzotta wrote:
>>> On Thursday 08 January 2015 15:58:54 Andrew Duggan wrote:
>>>> On 12/24/2014 03:53 PM, Gabriele Mazzotta wrote:
>>>> [...snip...]
>>>>>>>> Also, if you can get the firmware id from your touchpad that would also
>>>>>>>> be useful.
>>>>>>>>
>>>>>>>> $ sudo ./rmihidtool -f /dev/hidraw0
>>>>>>> firmware id: 1522295
>>>>>> Thanks, I will see if I can get any additional information on this.
>>>>>>
>>>>>> Andrew
>>>>> Hi,
>>>>>
>>>>> I think I found the source of the problem.
>>>>>
>>>>> $ ./rmihidtool /dev/hidraw1 -r 0x50 1
>>>>> 0x01  #PalmDetect Interrupt Enable, right?
>>>> Yes, 0x50 does appear to be the address of the palm detect interrupt
>>>> enable register.
>>>>> $ ./rmihidtool /dev/hidraw1 -w 0x50 0  #Disable PalmDetect Interrupt
>>>>>
>>>>> It makes more sense now that widths greater than 12 trigger the bug.
>>>> That is weird behavior and I haven't seen anything like that before. I
>>>> will file a bug to see if firmware has any idea why this is happening.
>>> According to the RMI4 specification, gesture interrupts are cleared
>>> only once specific flag registers, F11_2D_Data8 and F11_2D_Data9, are
>>> read. So I tried to read those registers and found that the following
>>> command stops the events:
>> It is unusual to see firmware gestures enabled for HID/I2C touchpads. In
>> fact none of the touchpads I have have that functionality enabled, which
>> is why I haven't been able to test. On HID touchpads there is a layer in
>> the firmware which reads the RMI registers and packs them into the HID
>> attention report. My guess is that the HID layer is not reading
>> F11_2D_Data8 or 9 causing it to assert indefinitely. Since this isn't a
>> common firmware configuration that is probably why this hasn't been
>> observed before.
>>
>>> $ rmihidtool /dev/hidraw1 -r 0x24 1  # I was looking for F11_2D_Data8
>>>
>>> I'm not sure I got the right address as reading any register close to
>>> 0x24 (such as 0x25, 0x26) has the same effect. I would have expected
>>> this to happen only reading one specific register.
>> With this firmware, F11_2D_Data8 should be at 0x3A. It's 2 bytes for
>> finger state + 5 bytes per finger * 5 fingers for abs data  + 2 bytes
>> per finger * 5 fingers for rel data. I'm not sure why reading 0x24 would
>> stop the reports though.
>>
>>> I also honestly don't know why palms are detected when the width is at
>>> least 12, PalmDetectThreshold is 0 and so the palm detection should
>>> be inhibited.
>>>
>> This seems to be set in the firmware config. It looks like
>> PalmDetectThreshold is only used when the reporting mode is 001. The
>> default reporting mode looks like it is 000.
> Hi Andrew,
>
> is there any plan on implementing a function to write registers? This
> would allow me to easily disable the PalmDetect Interrupt when the driver
> is loaded without relying on external tools. Reading F11_2D_Data8
> continuously seems unnecessary.

Writes are not that complicated. We just haven't had a need to do them 
in the driver yet which is why there isn't a write function implemented 
already. After thinking about this again I think you are right and 
disabling the palm detect interrupt in the driver makes sense. It's easy 
enough to see if the firmware has palm detect enabled and simply disable it.

>
> Not totally related. Is there any use for the dribble interrupts? I'm
> wondering if they could be disabled by default. In my case these
> interrupts go on for about a second, making the I2C host controller
> generate a lot of interrupts. A quick tap, for example, makes INT33C3
> generate more than 5000 interrupts when dribbling is enabled and less
> than 200 interrupts when disabled. The difference is not really
> insignificant, so if they have no real use, I'd disable them by default
> in order to save some power.

Good point, I believe on Linux the input subsystem is filtering out all 
of the duplicate reports and they aren't going to userspace, which does 
make them pointless on Linux.

Both of these changes are pretty straightforward, especially once a 
write function is implemented, so I think I can have some patches ready 
at some point this week.

Andrew
> Regards,
> Gabriele



Thread overview: 34+ messages
2014-12-10 17:04 NULL pointer dereference in i2c-hid Gabriele Mazzotta
2014-12-10 17:04 ` Gabriele Mazzotta
2014-12-11  8:58 ` Mika Westerberg
2014-12-11 14:03   ` Mika Westerberg
2014-12-11 18:16     ` Gabriele Mazzotta
2014-12-11 18:40       ` Andrew Duggan
2014-12-11 18:40         ` Andrew Duggan
2014-12-11 19:11         ` Gabriele Mazzotta
2014-12-11 19:21           ` Andrew Duggan
2014-12-11 19:21             ` Andrew Duggan
2014-12-11 19:40             ` Gabriele Mazzotta
2014-12-11 20:46               ` Andrew Duggan
2014-12-11 20:46                 ` Andrew Duggan
2014-12-11 21:17                 ` Gabriele Mazzotta
2014-12-11 21:34                   ` Andrew Duggan
2014-12-11 21:34                     ` Andrew Duggan
2014-12-11 21:57                     ` Gabriele Mazzotta
2014-12-12  0:26                       ` Andrew Duggan
2014-12-12  0:26                         ` Andrew Duggan
2014-12-12  8:12                         ` Gabriele Mazzotta
2014-12-12 19:12                           ` Andrew Duggan
2014-12-12 19:12                             ` Andrew Duggan
2014-12-24 23:53                             ` Gabriele Mazzotta
2015-01-08 23:58                               ` Andrew Duggan
2015-01-08 23:58                                 ` Andrew Duggan
2015-01-09  8:04                                 ` Gabriele Mazzotta
2015-01-10  0:29                                   ` Andrew Duggan
2015-01-10  0:29                                     ` Andrew Duggan
2015-01-10  1:18                                     ` Gabriele Mazzotta
2015-02-22 21:37                                     ` Gabriele Mazzotta
2015-02-24  0:30                                       ` Andrew Duggan
2015-02-24  0:30                                         ` Andrew Duggan
2014-12-11 18:41       ` Benjamin Tissoires
2014-12-11 19:25         ` Gabriele Mazzotta
