[Bug 221666] New: Regression in 7.1: Kernel Oops in hidinput_setup_battery (hid_microsoft) causing uhid deadlock when pairing Xbox controller

[bugzilla-daemon@kernel.org]

https://bugzilla.kernel.org/show_bug.cgi?id=221666

            Bug ID: 221666
           Summary: Regression in 7.1: Kernel Oops in
                    hidinput_setup_battery (hid_microsoft) causing uhid
                    deadlock when pairing Xbox controller
           Product: Drivers
           Version: 2.5
          Hardware: All
                OS: Linux
            Status: NEW
          Severity: blocking
          Priority: P3
         Component: Bluetooth
          Assignee: linux-bluetooth@vger.kernel.org
          Reporter: intellq@gmail.com
        Regression: No

OS: Arch Linux / EndeavourOS
Kernel (Failing): 7.1.0 (TKG and mainline equivalent)
Kernel (Working): 7.0.12 (Arch stable and TKG)
Device: Gulikit KingKong 2 Pro (paired in XInput/Xbox One mode)

Pairing the controller in Xbox One mode via Bluetooth on kernel 7.1 triggers an
immediate Kernel Oops (Page Fault) inside hidinput_setup_battery called by the
hid_microsoft driver.

This initial crash leaves the HID subsystem in a locked state. Consequently,
the bluetoothd daemon enters an Uninterruptible Sleep (D state) deadlock inside
uhid_dev_destroy when attempting to clean up. The Bluetooth service becomes
completely unresponsive, fails to terminate on SIGKILL, and causes the system
to hang indefinitely during shutdown/reboot (watchdog did not stop).

Booting into kernel 7.0.12 completely resolves the issue, and the controller
pairs and reports battery normally. The issue only happens in XInput/Xbox mode
(which uses hid_microsoft). D-Input or Switch mode works fine on 7.1.

Steps to Reproduce:

- Boot kernel 7.1.
- Put the controller in XInput/Xbox mode.
- Attempt to pair via Bluetooth (BlueZ).
- Observe the dmesg Oops and subsequent bluetoothd deadlock.

Kernel Oops Log (The Root Cause):

BUG: unable to handle page fault for address: ffffffffffffffe4
#PF: supervisor read access in kernel mode
#PF: error_code(0x0000) - not-present page
Oops: Oops: 0000 [#1] SMP NOPTI
CPU: 19 UID: 0 PID: 912691 Comm: (udev-worker)
RIP: 0010:hidinput_setup_battery+0x88/0x3a0
Call Trace:
 <TASK>
 hidinput_configure_usage+0x62e/0x3290
 hidinput_connect+0x6fd/0xb50
 hid_connect+0x147/0x760
 hid_hw_start+0x3c/0x60
 ms_probe+0x80/0x190 [hid_microsoft]
 hid_device_probe+0x1a1/0x250
 really_probe+0x1bc/0x4b0
 __driver_probe_device+0xa1/0x140
 driver_probe_device+0x1e/0x110
 __device_attach_driver+0xc1/0x150
 bus_for_each_drv+0x12a/0x180
 __device_attach+0xd3/0x1c0
 device_reprobe+0x5a/0xa0
 bus_for_each_dev+0x117/0x160
 __hid_bus_driver_added+0x32/0x40
 bus_for_each_drv+0x12a/0x180
 __hid_register_driver+0x73/0x80
 do_one_initcall+0x135/0x330
 do_init_module+0x62/0x330
 __se_sys_finit_module+0x270/0x3e0
 do_syscall_64+0x12c/0x3b0
 entry_SYSCALL_64_after_hwframe+0x76/0x7e
 </TASK>

Secondary Consequence (bluetoothd deadlock):
Because of the worker crash above, bluetoothd gets stuck in D state
permanently:

[<0>] device_del+0x3a/0x3c0
[<0>] hid_destroy_device+0x27/0x90
[<0>] uhid_dev_destroy+0x48/0x70 [uhid]
[<0>] uhid_char_write+0x28f/0x440 [uhid]
[<0>] vfs_writev+0x2c8/0x410
[<0>] do_writev+0x76/0x110
[<0>] do_syscall_64+0x12c/0x3b0
[<0>] entry_SYSCALL_64_after_hwframe+0x76/0x7e

-- 
You may reply to this email to add a comment.

You are receiving this mail because:
You are the assignee for the bug.