From: Rong Zhang <i@rong.moe>
To: Benjamin Tissoires <bentiss@kernel.org>
Cc: bugzilla-daemon@kernel.org, Jiri Kosina <jikos@kernel.org>,
linux-input@vger.kernel.org, linux-kernel@vger.kernel.org,
Borislav Petkov <bp@alien8.de>
Subject: Re: [Bug 220083] New: [REGRESSION, BISECTED] x86 ASM changes make dispatch_hid_bpf_output_report access not-present page
Date: Wed, 07 May 2025 19:03:11 +0800 [thread overview]
Message-ID: <6b4fe1ae87c717c70708e7a3f5bd6d9c8c7bfcd5.camel@rong.moe> (raw)
In-Reply-To: <umqaxyqrrvle34haa3n3iohs5akos652ytbs5sef32xmc7gaz7@edyihsd4yokq>
[-- Attachment #1: Type: text/plain, Size: 41521 bytes --]
Hi Benjamin,
On Tue, 2025-05-06 at 17:35 +0200, Benjamin Tissoires wrote:
> Hi Boris,
>
> On May 06 2025, Borislav Petkov wrote:
> > Switching to mail.
> >
> > Hi Benjamin,
> >
> > take a look at the below pls.
> >
> > The RIP points to:
> >
> > 22: 48 c1 e6 04 shl $0x4,%rsi
> > 26: 48 03 77 08 add 0x8(%rdi),%rsi
> > 2a:* 65 48 ff 46 08 incq %gs:0x8(%rsi) <-- trapping instruction
> > 2f: c3 ret
> >
> > which really is a %gs-based access and the reporter has bisected this to
> >
> > 9d7de2aa8b41 ("x86/percpu/64: Use relative percpu offsets")
> >
> > which looks related.
> >
> > My silly guess would be some bpf program does per-cpu accesses but it doesn't
> > know about this change so it tramples over registers. I mean, my fix would be
> > to disable BPF but you young kids love to play with that...
>
> Heh. Well, I would like to know if any HID-BPF program is loaded first.
> These can be seen by running `sudo tree /sys/fs/bpf/hid/`.
Nothing is there.
$ sudo tree /sys/fs/bpf/hid/
/sys/fs/bpf/hid/ [error opening dir]
0 directories, 0 files
$ sudo tree /sys/fs/bpf/
/sys/fs/bpf/
0 directories, 0 files
> `sudo bpftool prog` is another option in case udev-hid-bpf is not used.
$ sudo bpftool prog
21: lsm name restrict_filesystems tag aae89fa01fe7ee91 gpl
loaded_at 2025-05-07T10:23:09+0800 uid 0
xlated 560B jited 305B memlock 4096B map_ids 11
btf_id 104
22: cgroup_device name sd_devices tag 40ddf486530245f5 gpl
loaded_at 2025-05-07T10:23:10+0800 uid 0
xlated 504B jited 318B memlock 4096B
23: cgroup_skb name sd_fw_egress tag 6deef7357e7b4530 gpl
loaded_at 2025-05-07T10:23:10+0800 uid 0
xlated 64B jited 63B memlock 4096B
24: cgroup_skb name sd_fw_ingress tag 6deef7357e7b4530 gpl
loaded_at 2025-05-07T10:23:10+0800 uid 0
xlated 64B jited 63B memlock 4096B
25: cgroup_device name sd_devices tag be31ae23198a0378 gpl
loaded_at 2025-05-07T10:23:10+0800 uid 0
xlated 464B jited 297B memlock 4096B
26: cgroup_skb name sd_fw_egress tag 6deef7357e7b4530 gpl
loaded_at 2025-05-07T10:23:10+0800 uid 0
xlated 64B jited 63B memlock 4096B
27: cgroup_skb name sd_fw_ingress tag 6deef7357e7b4530 gpl
loaded_at 2025-05-07T10:23:10+0800 uid 0
xlated 64B jited 63B memlock 4096B
28: cgroup_device name sd_devices tag ee0e253c78993a24 gpl
loaded_at 2025-05-07T10:23:10+0800 uid 0
xlated 416B jited 267B memlock 4096B
29: cgroup_skb name sd_fw_egress tag 6deef7357e7b4530 gpl
loaded_at 2025-05-07T10:23:10+0800 uid 0
xlated 64B jited 63B memlock 4096B
30: cgroup_skb name sd_fw_ingress tag 6deef7357e7b4530 gpl
loaded_at 2025-05-07T10:23:10+0800 uid 0
xlated 64B jited 63B memlock 4096B
31: cgroup_device name sd_devices tag ee0e253c78993a24 gpl
loaded_at 2025-05-07T10:23:12+0800 uid 0
xlated 416B jited 267B memlock 4096B
32: cgroup_device name sd_devices tag ee0e253c78993a24 gpl
loaded_at 2025-05-07T10:23:12+0800 uid 0
xlated 416B jited 267B memlock 4096B
33: cgroup_device name sd_devices tag b37200ab714f0e17 gpl
loaded_at 2025-05-07T10:23:12+0800 uid 0
xlated 184B jited 110B memlock 4096B
34: cgroup_device name sd_devices tag 738e6ebf4499a83a gpl
loaded_at 2025-05-07T10:23:12+0800 uid 0
xlated 792B jited 489B memlock 4096B
35: cgroup_skb name sd_fw_egress tag 6deef7357e7b4530 gpl
loaded_at 2025-05-07T10:23:12+0800 uid 0
xlated 64B jited 63B memlock 4096B
36: cgroup_skb name sd_fw_ingress tag 6deef7357e7b4530 gpl
loaded_at 2025-05-07T10:23:12+0800 uid 0
xlated 64B jited 63B memlock 4096B
37: cgroup_skb name sd_fw_egress tag 6deef7357e7b4530 gpl
loaded_at 2025-05-07T10:23:12+0800 uid 0
xlated 64B jited 63B memlock 4096B
38: cgroup_skb name sd_fw_ingress tag 6deef7357e7b4530 gpl
loaded_at 2025-05-07T10:23:12+0800 uid 0
xlated 64B jited 63B memlock 4096B
39: cgroup_device name sd_devices tag ee0e253c78993a24 gpl
loaded_at 2025-05-07T10:23:12+0800 uid 0
xlated 416B jited 267B memlock 4096B
41: cgroup_skb name sd_fw_egress tag 6deef7357e7b4530 gpl
loaded_at 2025-05-07T10:23:12+0800 uid 0
xlated 64B jited 63B memlock 4096B
42: cgroup_skb name sd_fw_ingress tag 6deef7357e7b4530 gpl
loaded_at 2025-05-07T10:23:12+0800 uid 0
xlated 64B jited 63B memlock 4096B
43: cgroup_device name sd_devices tag be31ae23198a0378 gpl
loaded_at 2025-05-07T10:23:13+0800 uid 0
xlated 464B jited 297B memlock 4096B
44: cgroup_device name sd_devices tag be31ae23198a0378 gpl
loaded_at 2025-05-07T10:23:13+0800 uid 0
xlated 464B jited 297B memlock 4096B
45: cgroup_skb name sd_fw_egress tag 6deef7357e7b4530 gpl
loaded_at 2025-05-07T10:23:13+0800 uid 0
xlated 64B jited 63B memlock 4096B
46: cgroup_skb name sd_fw_ingress tag 6deef7357e7b4530 gpl
loaded_at 2025-05-07T10:23:13+0800 uid 0
xlated 64B jited 63B memlock 4096B
50: cgroup_skb name sd_fw_egress tag 6deef7357e7b4530 gpl
loaded_at 2025-05-07T10:23:14+0800 uid 0
xlated 64B jited 63B memlock 4096B
51: cgroup_skb name sd_fw_ingress tag 6deef7357e7b4530 gpl
loaded_at 2025-05-07T10:23:14+0800 uid 0
xlated 64B jited 63B memlock 4096B
Though I am not familiar with systemd's BPF programs, given that they
are lsm/cgroup-related, I guess they don't aim to handle raw HID
requests.
> If there is no hid-bpf program loaded, then it seems the code path in
> drivers/hid/bpf/hid_bpf_dispatch.c:133 is:
>
> ```
> idx = srcu_read_lock(&hdev->bpf.srcu);
> list_for_each_entry_srcu(e, &hdev->bpf.prog_list, list,
> srcu_read_lock_held(&hdev->bpf.srcu)) {
> // nothing happens here because the list is empty
> }
> ret = 0;
>
> out:
> srcu_read_unlock(&hdev->bpf.srcu, idx);
> ```
>
> So we are just in srcu_read_lock()/srcu_read_unlock() which is unlikely
> to fail...
In case you need it, I decoded a stacktrace (I've upgraded to 6.15-rc5
BTW):
[14591.438053] usb 7-1.4.4: USB disconnect, device number 7
[14591.541666] BUG: unable to handle page fault for address: ffff8efd88e65018
[14591.541674] #PF: supervisor write access in kernel mode
[14591.541676] #PF: error_code(0x0002) - not-present page
[14591.541677] PGD 220801067 P4D 220801067 PUD 0
[14591.541681] Oops: Oops: 0002 [#1] SMP NOPTI
[14591.541684] CPU: 0 UID: 0 PID: 56816 Comm: kworker/0:2 Not tainted 6.15.0-rc5 #1 PREEMPT(lazy) 0538d36f9cfa2dbc3c98efb2730490d8b2399dc4
[14591.541687] Hardware name: LENOVO 21Q4/LNVNB161216, BIOS PXCN24WW 03/11/2025
[14591.541689] Workqueue: events hidinput_led_worker
[14591.541693] RIP: 0010:__srcu_read_unlock (kernel/rcu/srcutree.c:768 (discriminator 1))
[14591.541697] Code: c3 cc cc cc cc 66 66 2e 0f 1f 84 00 00 00 00 00 f3 0f 1e fa 0f 1f 44 00 00 f0 83 44 24 fc 00 48 63 f6 48 c1 e6 04 48 03 77 08 <65> 48 ff 46 08 c3 cc cc cc cc 66 66 2e 0f 1f 84 00 00 00 00 00 90
All code
========
0: c3 ret
1: cc int3
2: cc int3
3: cc int3
4: cc int3
5: 66 66 2e 0f 1f 84 00 data16 cs nopw 0x0(%rax,%rax,1)
c: 00 00 00 00
10: f3 0f 1e fa endbr64
14: 0f 1f 44 00 00 nopl 0x0(%rax,%rax,1)
19: f0 83 44 24 fc 00 lock addl $0x0,-0x4(%rsp)
1f: 48 63 f6 movslq %esi,%rsi
22: 48 c1 e6 04 shl $0x4,%rsi
26: 48 03 77 08 add 0x8(%rdi),%rsi
2a:* 65 48 ff 46 08 incq %gs:0x8(%rsi) <-- trapping instruction
2f: c3 ret
30: cc int3
31: cc int3
32: cc int3
33: cc int3
34: 66 66 2e 0f 1f 84 00 data16 cs nopw 0x0(%rax,%rax,1)
3b: 00 00 00 00
3f: 90 nop
Code starting with the faulting instruction
===========================================
0: 65 48 ff 46 08 incq %gs:0x8(%rsi)
5: c3 ret
6: cc int3
7: cc int3
8: cc int3
9: cc int3
a: 66 66 2e 0f 1f 84 00 data16 cs nopw 0x0(%rax,%rax,1)
11: 00 00 00 00
15: 90 nop
[14591.541698] RSP: 0018:ffffd0c6094f7d88 EFLAGS: 00010202
[14591.541700] RAX: 0000000000000000 RBX: ffff8ef67492be08 RCX: 0000000000000000
[14591.541701] RDX: 0000000000000002 RSI: 0000000000000010 RDI: ffff8ef67492be38
[14591.541702] RBP: ffffd0c6094f7df8 R08: 0000000000000000 R09: 00000000fffffffd
[14591.541703] R10: 0000000000000001 R11: 00000000ffffffff R12: 0000000000000000
[14591.541703] R13: ffff8ef70d8143d0 R14: 0000000000000001 R15: 0000000000000000
[14591.541704] FS: 0000000000000000(0000) GS:ffff8efd88e65000(0000) knlGS:0000000000000000
[14591.541705] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[14591.541706] CR2: ffff8efd88e65018 CR3: 00000001d0184000 CR4: 0000000000f50ef0
[14591.541707] PKRU: 55555554
[14591.541708] Call Trace:
[14591.541710] <TASK>
[14591.541711] dispatch_hid_bpf_output_report (drivers/hid/bpf/hid_bpf_dispatch.c:148)
[14591.541716] hid_hw_output_report (drivers/hid/hid-core.c:2500 drivers/hid/hid-core.c:2520)
[14591.541717] hidinput_led_worker (drivers/hid/hid-input.c:1838)
[14591.541719] process_one_work (kernel/workqueue.c:3238)
[14591.541721] worker_thread (kernel/workqueue.c:3313 (discriminator 2) kernel/workqueue.c:3400 (discriminator 2))
[14591.541723] ? rescuer_thread (kernel/workqueue.c:3346)
[14591.541724] kthread (kernel/kthread.c:464)
[14591.541727] ? kthreads_online_cpu (kernel/kthread.c:413)
[14591.541729] ret_from_fork (arch/x86/kernel/process.c:153)
[14591.541731] ? kthreads_online_cpu (kernel/kthread.c:413)
[14591.541733] ret_from_fork_asm (arch/x86/entry/entry_64.S:255)
[14591.541737] </TASK>
[14591.541738] Modules linked in: mmc_block rpmb_core udp_diag tcp_diag inet_diag xt_mark ccm snd_hrtimer snd_seq_dummy snd_seq_midi snd_seq_oss snd_seq_midi_event snd_rawmidi snd_seq snd_seq_device xt_CHECKSUM xt_MASQUERADE xt_conntrack ipt_REJECT nf_reject_ipv4 xt_tcpudp nft_compat nft_chain_nat nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 tun bridge stp llc nf_tables qrtr uhid rfcomm cmac algif_hash algif_skcipher af_alg overlay bnep sunrpc vfat fat btusb uvcvideo btrtl videobuf2_vmalloc btintel uvc videobuf2_memops btbcm videobuf2_v4l2 btmtk videobuf2_common bluetooth videodev mc intel_rapl_msr amd_atl intel_rapl_common snd_acp_legacy_mach snd_acp_mach snd_soc_nau8821 snd_acp3x_rn snd_acp70 snd_acp_i2s snd_acp_pdm snd_soc_dmic snd_acp_pcm snd_sof_amd_acp70 snd_sof_amd_acp63 snd_sof_amd_vangogh snd_sof_amd_rembrandt snd_sof_amd_renoir snd_sof_amd_acp snd_sof_pci snd_sof_xtensa_dsp snd_sof snd_sof_utils snd_pci_ps snd_soc_acpi_amd_match snd_hda_codec_realtek snd_amd_sdw_acpi soundwire_amd snd_hda_codec_generic
[14591.541775] soundwire_generic_allocation snd_hda_scodec_component soundwire_bus snd_soc_sdca snd_hda_codec_hdmi snd_soc_core mt7925e snd_hda_intel snd_compress mt7925_common ac97_bus snd_intel_dspcfg kvm_amd mt792x_lib snd_pcm_dmaengine snd_intel_sdw_acpi snd_rpl_pci_acp6x mt76_connac_lib snd_hda_codec snd_acp_pci kvm mt76 snd_amd_acpi_mach snd_hda_core snd_acp_legacy_common irqbypass think_lmi snd_pci_acp6x snd_hwdep rapl snd_ctl_led pcspkr mac80211 snd_pcm_oss firmware_attributes_class lenovo_wmi_hotkey_utilities snd_mixer_oss snd_pci_acp5x libarc4 snd_pcm wmi_bmof snd_rn_pci_acp3x spd5118 snd_timer snd_acp_config cfg80211 snd snd_soc_acpi hid_sensor_als soundcore amdxdna amd_pmf hid_sensor_trigger snd_pci_acp3x k10temp rfkill industrialio_triggered_buffer amdtee kfifo_buf joydev hid_sensor_iio_common ccp industrialio mousedev platform_profile amd_pmc mac_hid sch_fq_codel uinput i2c_dev parport_pc ppdev lp parport nvme_fabrics nfnetlink ip_tables x_tables hid_logitech_hidpp hid_logitech_dj usbhid dm_crypt
[14591.541811] encrypted_keys trusted asn1_encoder tee dm_mod raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx raid1 raid0 linear md_mod igc ptp pps_core r8153_ecm r8152 cdc_ether usbnet mii amdgpu i2c_algo_bit drm_ttm_helper ttm drm_panel_backlight_quirks polyval_clmulni polyval_generic drm_exec drm_suballoc_helper ghash_clmulni_intel amdxcp sha512_ssse3 drm_buddy sdhci_pci sha256_ssse3 sp5100_tco r8169 nvme sdhci_uhs2 gpu_sched sha1_ssse3 serio_raw hid_sensor_custom sdhci nvme_core realtek aesni_intel ucsi_acpi atkbd drm_display_helper cqhci libps2 crypto_simd typec_ucsi hid_multitouch i2c_piix4 nvme_keyring mdio_devres hid_sensor_hub hid_generic thunderbolt vivaldi_fmap cryptd typec cec libphy mmc_core amd_sfh video i8042 nvme_auth i2c_smbus roles i2c_hid_acpi serio wmi i2c_hid
[14591.541846] CR2: ffff8efd88e65018
[14591.541848] ---[ end trace 0000000000000000 ]---
[14591.733025] pstore: backend (efi_pstore) writing error (-28)
[14591.733031] RIP: 0010:__srcu_read_unlock (kernel/rcu/srcutree.c:768 (discriminator 1))
[14591.733037] Code: c3 cc cc cc cc 66 66 2e 0f 1f 84 00 00 00 00 00 f3 0f 1e fa 0f 1f 44 00 00 f0 83 44 24 fc 00 48 63 f6 48 c1 e6 04 48 03 77 08 <65> 48 ff 46 08 c3 cc cc cc cc 66 66 2e 0f 1f 84 00 00 00 00 00 90
All code
========
0: c3 ret
1: cc int3
2: cc int3
3: cc int3
4: cc int3
5: 66 66 2e 0f 1f 84 00 data16 cs nopw 0x0(%rax,%rax,1)
c: 00 00 00 00
10: f3 0f 1e fa endbr64
14: 0f 1f 44 00 00 nopl 0x0(%rax,%rax,1)
19: f0 83 44 24 fc 00 lock addl $0x0,-0x4(%rsp)
1f: 48 63 f6 movslq %esi,%rsi
22: 48 c1 e6 04 shl $0x4,%rsi
26: 48 03 77 08 add 0x8(%rdi),%rsi
2a:* 65 48 ff 46 08 incq %gs:0x8(%rsi) <-- trapping instruction
2f: c3 ret
30: cc int3
31: cc int3
32: cc int3
33: cc int3
34: 66 66 2e 0f 1f 84 00 data16 cs nopw 0x0(%rax,%rax,1)
3b: 00 00 00 00
3f: 90 nop
Code starting with the faulting instruction
===========================================
0: 65 48 ff 46 08 incq %gs:0x8(%rsi)
5: c3 ret
6: cc int3
7: cc int3
8: cc int3
9: cc int3
a: 66 66 2e 0f 1f 84 00 data16 cs nopw 0x0(%rax,%rax,1)
11: 00 00 00 00
15: 90 nop
[14591.733039] RSP: 0018:ffffd0c6094f7d88 EFLAGS: 00010202
[14591.733041] RAX: 0000000000000000 RBX: ffff8ef67492be08 RCX: 0000000000000000
[14591.733043] RDX: 0000000000000002 RSI: 0000000000000010 RDI: ffff8ef67492be38
[14591.733043] RBP: ffffd0c6094f7df8 R08: 0000000000000000 R09: 00000000fffffffd
[14591.733044] R10: 0000000000000001 R11: 00000000ffffffff R12: 0000000000000000
[14591.733045] R13: ffff8ef70d8143d0 R14: 0000000000000001 R15: 0000000000000000
[14591.733046] FS: 0000000000000000(0000) GS:ffff8efd88e65000(0000) knlGS:0000000000000000
[14591.733047] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[14591.733047] CR2: ffff8efd88e65018 CR3: 00000001d0184000 CR4: 0000000000f50ef0
[14591.733048] PKRU: 55555554
[14591.733049] note: kworker/0:2[56816] exited with irqs disabled
> However, the fact that this happens in an unplug event makes me think
> that there may be a race here at play.
>
> Another option is that I completely missed the use of srcu, but it was
> working fine previously, so I have no ideas :)
Yes, this is weird.
I also tried uinput and some other HID devices (randomly borrowed from
my friends). They all worked fine.
I have a Logitech Bolt receiver, too. Will find and try it out.
> Anyway, we need to wait for the reporter to tell us if there were any
> HID-BPF program first because this will likely give us a hint on where
> the issue is.
In another clean boot, I triggered the bug and dumped the hdev struct
at fentry (fexit will never hit because of the PF) via bpftrace.
#!/usr/bin/env bpftrace
f:dispatch_hid_bpf_output_report
{
$US = (uint64) 1000000; $ts = nsecs / 1000;
printf(
"[%lld.%06lld - %s(%d)@CPU#%u]: %s:\n",
$ts / $US, $ts % $US, comm, pid, cpu, probe
);
print(*args);
print(kstack);
printf("*hdev:\n"); print(*args.hdev);
}
See attachments for its output (warning: contains an extremely long
line) and the decoded dmesg while tracing.
In another clean boot (again), I played around retsnoop to capture the
Last Branch Records (type: any_return, ind_call) from
dispatch_hid_bpf_output_report. This time I didn't trigger the issue,
or else nothing would be captured due to the PF as mentioned above.
Instead, I pressed Caps Lock on a keyboard under the same receiver
several times to trigger hidinput_led_worker. I always got:
[#15] kprobe_multi_link_handler+0x5d (kernel/trace/bpf_trace.c:2843) -> fprobe_entry+0xe6 (kernel/trace/fprobe.c:321)
. __fprobe_handler (kernel/trace/fprobe.c:224)
[#14] fprobe_entry+0x21c (kernel/trace/fprobe.c:336) -> function_graph_enter_regs+0x15d (kernel/trace/fgraph.c:676)
[#13] function_graph_enter_regs+0x1cd (kernel/trace/fgraph.c:718) -> ftrace_graph_func+0x3c (arch/x86/kernel/ftrace.c:659)
[#12] ftrace_graph_func+0x4c (arch/x86/kernel/ftrace.c:661) -> ftrace_trampoline+0x83
[#11] ftrace_trampoline+0xc2 -> dispatch_hid_bpf_output_report+0x9 (drivers/hid/bpf/hid_bpf_dispatch.c:120)
[#10] __srcu_read_lock+0x20 (kernel/rcu/srcutree.c:757) -> dispatch_hid_bpf_output_report+0x73 (drivers/hid/bpf/hid_bpf_dispatch.c:133)
. srcu_read_lock (include/linux/srcu.h:252)
[#09] __srcu_read_unlock+0x1f (kernel/rcu/srcutree.c:769) -> dispatch_hid_bpf_output_report+0xc5 (drivers/hid/bpf/hid_bpf_dispatch.c:148)
[#08] dispatch_hid_bpf_output_report+0xe6 (drivers/hid/bpf/hid_bpf_dispatch.c:148) -> return_to_handler+0x0 (arch/x86/kernel/ftrace_64.S:358)
! 6us [0] dispatch_hid_bpf_output_report
Thus, there is indeed no BPF program being called.
Feel free to ask for more experiments :)
> Cheers,
> Benjamin
Thanks,
Rong
> >
> > :-)
> >
> > Thx.
> >
> > On Sat, May 03, 2025 at 06:40:41PM +0000, bugzilla-daemon@kernel.org wrote:
> > > https://bugzilla.kernel.org/show_bug.cgi?id=220083
> > >
> > > Bug ID: 220083
> > > Summary: [REGRESSION, BISECTED] x86 ASM changes make
> > > dispatch_hid_bpf_output_report access not-present page
> > > Product: Platform Specific/Hardware
> > > Version: 2.5
> > > Hardware: All
> > > OS: Linux
> > > Status: NEW
> > > Severity: high
> > > Priority: P3
> > > Component: x86-64
> > > Assignee: platform_x86_64@kernel-bugs.osdl.org
> > > Reporter: i@rong.moe
> > > Regression: No
> > >
> > > After upgrading from 6.14.x to 6.15-rc3, not-present page PF occurs each time I
> > > unplug any of my Logitech Unifying receivers.
> > >
> > > Upgrading to 6.15-rc4 did not fix the issue.
> > >
> > > dmesg:
> > > ```
> > > [ 48.726588] usb 7-1.4: USB disconnect, device number 7
> > > [ 48.856531] BUG: unable to handle page fault for address: ffff8a510ee72018
> > > [ 48.856543] #PF: supervisor write access in kernel mode
> > > [ 48.856547] #PF: error_code(0x0002) - not-present page
> > > [ 48.856550] PGD 365c01067 P4D 365c01067 PUD 0
> > > [ 48.856558] Oops: Oops: 0002 [#1] SMP NOPTI
> > > [ 48.856566] CPU: 0 UID: 0 PID: 7237 Comm: kworker/0:3 Tainted: G U
> > > 6.15.0-rc4 #1 PREEMPT(lazy) b3a8ad1950c71c15317e5ea614db6e274ecb0913
> > > [ 48.856574] Tainted: [U]=USER
> > > [ 48.856577] Hardware name: LENOVO 21Q4/LNVNB161216, BIOS PXCN24WW 03/11/2025
> > > [ 48.856579] Workqueue: events hidinput_led_worker
> > > [ 48.856589] RIP: 0010:__srcu_read_unlock+0x1a/0x30
> > > [ 48.856595] Code: c3 cc cc cc cc 66 66 2e 0f 1f 84 00 00 00 00 00 f3 0f 1e
> > > fa 0f 1f 44 00 00 f0 83 44 24 fc 00 48 63 f6 48 c1 e6 04 48 03 77 08 <65> 48 ff
> > > 46 08 c3 cc cc cc cc 66 66 2e 0f 1f 84 00 00 00 00 00 90
> > > [ 48.856598] RSP: 0018:ffffd037cc29fd88 EFLAGS: 00010202
> > > [ 48.856602] RAX: 0000000000000000 RBX: ffff8a4c6b16fe08 RCX:
> > > 0000000000000000
> > > [ 48.856604] RDX: 0000000000000002 RSI: 0000000000000010 RDI:
> > > ffff8a4c6b16fe38
> > > [ 48.856606] RBP: ffffd037cc29fdf8 R08: 0000000000000000 R09:
> > > 00000000fffffffd
> > > [ 48.856607] R10: 0000000000000001 R11: 00000000ffffffff R12:
> > > 0000000000000000
> > > [ 48.856609] R13: ffff8a4ac182dbc0 R14: 0000000000000001 R15:
> > > 0000000000000000
> > > [ 48.856611] FS: 0000000000000000(0000) GS:ffff8a510ee72000(0000)
> > > knlGS:0000000000000000
> > > [ 48.856613] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> > > [ 48.856614] CR2: ffff8a510ee72018 CR3: 0000000364c24000 CR4:
> > > 0000000000f50ef0
> > > [ 48.856617] PKRU: 55555554
> > > [ 48.856618] Call Trace:
> > > [ 48.856621] <TASK>
> > > [ 48.856623] dispatch_hid_bpf_output_report+0xc5/0x100
> > > [ 48.856631] hid_hw_output_report+0x46/0x90
> > > [ 48.856635] hidinput_led_worker+0xa9/0xe0
> > > [ 48.856640] process_one_work+0x18f/0x350
> > > [ 48.856646] worker_thread+0x2d3/0x400
> > > [ 48.856650] ? rescuer_thread+0x550/0x550
> > > [ 48.856654] kthread+0xf9/0x240
> > > [ 48.856657] ? kthreads_online_cpu+0x120/0x120
> > > [ 48.856661] ret_from_fork+0x31/0x50
> > > [ 48.856665] ? kthreads_online_cpu+0x120/0x120
> > > [ 48.856668] ret_from_fork_asm+0x11/0x20
> > > [ 48.856674] </TASK>
> > > [ 48.856675] Modules linked in: xt_mark tcp_diag inet_diag snd_hrtimer
> > > snd_seq_dummy snd_seq_midi snd_seq_oss snd_seq_midi_event snd_seq uhid rfcomm
> > > cmac algif_hash algif_skcipher af_alg xt_CHECKSUM xt_MASQUERADE xt_conntrack
> > > ipt_REJECT nf_reject_ipv4 xt_tcpudp nft_compat nft_chain_nat nf_nat
> > > nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 tun snd_usb_audio snd_usbmidi_lib
> > > snd_ump snd_rawmidi snd_seq_device bridge stp llc nf_tables qrtr bnep overlay
> > > sunrpc vfat fat uvcvideo videobuf2_vmalloc uvc videobuf2_memops videobuf2_v4l2
> > > videobuf2_common btusb videodev btrtl btintel mc btbcm btmtk bluetooth amd_atl
> > > intel_rapl_msr intel_rapl_common snd_acp_legacy_mach snd_acp_mach
> > > snd_soc_nau8821 snd_acp3x_rn snd_acp70 snd_acp_i2s snd_acp_pdm snd_soc_dmic
> > > snd_acp_pcm snd_sof_amd_acp70 snd_sof_amd_acp63 snd_sof_amd_vangogh
> > > snd_sof_amd_rembrandt snd_sof_amd_renoir snd_sof_amd_acp snd_sof_pci
> > > snd_sof_xtensa_dsp snd_sof snd_sof_utils snd_pci_ps snd_soc_acpi_amd_match
> > > snd_amd_sdw_acpi soundwire_amd snd_hda_codec_realtek
> > > [ 48.856732] soundwire_generic_allocation soundwire_bus
> > > snd_hda_codec_generic snd_soc_sdca snd_hda_scodec_component snd_hda_codec_hdmi
> > > snd_soc_core mt7925e snd_compress mt7925_common snd_hda_intel ac97_bus
> > > mt792x_lib snd_intel_dspcfg snd_pcm_dmaengine mt76_connac_lib
> > > snd_intel_sdw_acpi snd_rpl_pci_acp6x kvm_amd mt76 snd_hda_codec snd_acp_pci
> > > think_lmi snd_amd_acpi_mach kvm snd_hda_core snd_acp_legacy_common
> > > snd_pci_acp6x snd_hwdep mac80211 snd_pcm_oss snd_mixer_oss irqbypass
> > > snd_pci_acp5x snd_ctl_led snd_pcm libarc4 rapl pcspkr firmware_attributes_class
> > > snd_timer lenovo_wmi_hotkey_utilities snd_rn_pci_acp3x wmi_bmof cfg80211
> > > snd_acp_config snd snd_soc_acpi k10temp hid_sensor_als spd5118 amdxdna amd_pmf
> > > snd_pci_acp3x rfkill soundcore hid_sensor_trigger industrialio_triggered_buffer
> > > amdtee kfifo_buf joydev hid_sensor_iio_common ccp industrialio amd_pmc
> > > platform_profile mousedev mac_hid sch_fq_codel uinput i2c_dev parport_pc ppdev
> > > lp parport nvme_fabrics nfnetlink ip_tables x_tables dm_crypt encrypted_keys
> > > trusted
> > > [ 48.856786] asn1_encoder tee dm_mod raid10 raid456 async_raid6_recov
> > > async_memcpy async_pq async_xor async_tx raid1 raid0 linear md_mod igc ptp
> > > pps_core uas usb_storage hid_logitech_hidpp r8153_ecm cdc_ether usbnet
> > > hid_logitech_dj r8152 mii usbhid amdgpu i2c_algo_bit drm_ttm_helper ttm
> > > drm_panel_backlight_quirks polyval_clmulni polyval_generic drm_exec
> > > ghash_clmulni_intel drm_suballoc_helper amdxcp sha512_ssse3 sdhci_pci drm_buddy
> > > sha256_ssse3 thunderbolt hid_sensor_custom r8169 sha1_ssse3 serio_raw
> > > sp5100_tco sdhci_uhs2 gpu_sched nvme sdhci hid_multitouch realtek
> > > hid_sensor_hub aesni_intel atkbd ucsi_acpi drm_display_helper hid_generic
> > > nvme_core cqhci crypto_simd mdio_devres libps2 video typec_ucsi i2c_piix4
> > > vivaldi_fmap cryptd nvme_keyring typec libphy mmc_core i2c_smbus i8042 cec
> > > i2c_hid_acpi amd_sfh nvme_auth roles wmi serio i2c_hid
> > > [ 48.856843] CR2: ffff8a510ee72018
> > > [ 48.856846] ---[ end trace 0000000000000000 ]---
> > > [ 50.304586] RIP: 0010:__srcu_read_unlock+0x1a/0x30
> > > [ 50.304601] Code: c3 cc cc cc cc 66 66 2e 0f 1f 84 00 00 00 00 00 f3 0f 1e
> > > fa 0f 1f 44 00 00 f0 83 44 24 fc 00 48 63 f6 48 c1 e6 04 48 03 77 08 <65> 48 ff
> > > 46 08 c3 cc cc cc cc 66 66 2e 0f 1f 84 00 00 00 00 00 90
> > > [ 50.304603] RSP: 0018:ffffd037cc29fd88 EFLAGS: 00010202
> > > [ 50.304606] RAX: 0000000000000000 RBX: ffff8a4c6b16fe08 RCX:
> > > 0000000000000000
> > > [ 50.304607] RDX: 0000000000000002 RSI: 0000000000000010 RDI:
> > > ffff8a4c6b16fe38
> > > [ 50.304608] RBP: ffffd037cc29fdf8 R08: 0000000000000000 R09:
> > > 00000000fffffffd
> > > [ 50.304609] R10: 0000000000000001 R11: 00000000ffffffff R12:
> > > 0000000000000000
> > > [ 50.304610] R13: ffff8a4ac182dbc0 R14: 0000000000000001 R15:
> > > 0000000000000000
> > > [ 50.304611] FS: 0000000000000000(0000) GS:ffff8a510ee72000(0000)
> > > knlGS:0000000000000000
> > > [ 50.304612] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> > > [ 50.304613] CR2: ffff8a510ee72018 CR3: 0000000121904000 CR4:
> > > 0000000000f50ef0
> > > [ 50.304615] PKRU: 55555554
> > > [ 50.304616] note: kworker/0:3[7237] exited with irqs disabled
> > > ```
> > >
> > > Bisect log:
> > >
> > > ```
> > > # good: [38fec10eb60d687e30c8c6b5420d86e8149f7557] Linux 6.14
> > > git bisect good 38fec10eb60d687e30c8c6b5420d86e8149f7557
> > > # bad: [9c32cda43eb78f78c73aee4aa344b777714e259b] Linux 6.15-rc3
> > > git bisect bad 9c32cda43eb78f78c73aee4aa344b777714e259b
> > > # bad: [4a4b30ea80d8cb5e8c4c62bb86201f4ea0d9b030] Merge tag
> > > 'bcachefs-2025-03-24' of git://evilpiepirate.org/bcachefs
> > > git bisect bad 4a4b30ea80d8cb5e8c4c62bb86201f4ea0d9b030
> > > # bad: [1e1ba8d23dae91e6a9cfeb1236b02749e8a49ab3] Merge tag
> > > 'timers-clocksource-2025-03-26' of
> > > git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip
> > > git bisect bad 1e1ba8d23dae91e6a9cfeb1236b02749e8a49ab3
> > > # skip: [21e0ff5b10ec1b61fda435d42db4ba80d0cdfded] Merge tag 'acpi-6.15-rc1' of
> > > git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm
> > > git bisect skip 21e0ff5b10ec1b61fda435d42db4ba80d0cdfded
> > > # good: [47c4f9b1722fd883c9745d7877cb212e41dd2715] Tidy up ASoC control get and
> > > put handlers
> > > git bisect good 47c4f9b1722fd883c9745d7877cb212e41dd2715
> > > # bad: [2899aa3973efa3b0a7005cb7fb60475ea0c3b8a0] Merge tag
> > > 'x86_cache_for_v6.15' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip
> > > git bisect bad 2899aa3973efa3b0a7005cb7fb60475ea0c3b8a0
> > > # good: [5a658afd468b0fb55bf5f45c9788ee8dc87ba463] Merge tag
> > > 'objtool-core-2025-03-22' of
> > > git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip
> > > git bisect good 5a658afd468b0fb55bf5f45c9788ee8dc87ba463
> > > # bad: [a49a879f0ac19ed0a562e220019741857b261551] Merge tag
> > > 'x86-cleanups-2025-03-22' of
> > > git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip
> > > git bisect bad a49a879f0ac19ed0a562e220019741857b261551
> > > # bad: [9a93e29f16bbba90a63faad0abbc6dea3b2f0c63] x86/syscall: Move
> > > sys_ni_syscall()
> > > git bisect bad 9a93e29f16bbba90a63faad0abbc6dea3b2f0c63
> > > # bad: [cfdaa618defc5ebe1ee6aa5bd40a7ccedffca6de] Merge branch 'x86/cpu' into
> > > x86/asm, to pick up dependent commits
> > > git bisect bad cfdaa618defc5ebe1ee6aa5bd40a7ccedffca6de
> > > # good: [c4a8b7116b9927f7b00bd68140e285662a03068e] perf/x86/intel: Use cache
> > > cpu-type for hybrid PMU selection
> > > git bisect good c4a8b7116b9927f7b00bd68140e285662a03068e
> > > # good: [4f2a0b765c9731d2fa94e209ee9ae0e96b280f17] <linux/sizes.h>: Cover all
> > > possible x86 CPU cache sizes
> > > git bisect good 4f2a0b765c9731d2fa94e209ee9ae0e96b280f17
> > > # bad: [95b0916118106054e1f3d5d7f8628ef3dc0b3c02] percpu: Remove
> > > PER_CPU_FIRST_SECTION
> > > git bisect bad 95b0916118106054e1f3d5d7f8628ef3dc0b3c02
> > > # skip: [78c4374ef8b842c6abf195d6f963853c7ec464d2] x86/module: Deal with GOT
> > > based stack cookie load on Clang < 17
> > > git bisect skip 78c4374ef8b842c6abf195d6f963853c7ec464d2
> > > # bad: [b5c4f95351a097a635c1a7fc8d9efa18308491b5] x86/percpu/64: Remove
> > > fixed_percpu_data
> > > git bisect bad b5c4f95351a097a635c1a7fc8d9efa18308491b5
> > > # skip: [cb7927fda002ca49ae62e2782c1692acc7b80c67] x86/relocs: Handle
> > > R_X86_64_REX_GOTPCRELX relocations
> > > git bisect skip cb7927fda002ca49ae62e2782c1692acc7b80c67
> > > # skip: [80d47defddc000271502057ebd7efa4fd6481542] x86/stackprotector/64:
> > > Convert to normal per-CPU variable
> > > git bisect skip 80d47defddc000271502057ebd7efa4fd6481542
> > > # skip: [f58b63857ae38b4484185b799a2759274b930c92] x86/pvh: Use
> > > fixed_percpu_data for early boot GSBASE
> > > git bisect skip f58b63857ae38b4484185b799a2759274b930c92
> > > # good: [0ee2689b9374d6fd5f43b703713a532278654749] x86/stackprotector: Remove
> > > stack protector test scripts
> > > git bisect good 0ee2689b9374d6fd5f43b703713a532278654749
> > > # bad: [9d7de2aa8b41407bc96d89a80dc1fd637d389d42] x86/percpu/64: Use relative
> > > percpu offsets
> > > git bisect bad 9d7de2aa8b41407bc96d89a80dc1fd637d389d42
> > > # good: [a9a76b38aaf577887103e3ebb41d70e6aa5a4b19] x86/boot: Disable stack
> > > protector for early boot code
> > > git bisect good a9a76b38aaf577887103e3ebb41d70e6aa5a4b19
> > > # only skipped commits left to test
> > > # possible first bad commit: [9d7de2aa8b41407bc96d89a80dc1fd637d389d42]
> > > x86/percpu/64: Use relative percpu offsets
> > > # possible first bad commit: [80d47defddc000271502057ebd7efa4fd6481542]
> > > x86/stackprotector/64: Convert to normal per-CPU variable
> > > # possible first bad commit: [78c4374ef8b842c6abf195d6f963853c7ec464d2]
> > > x86/module: Deal with GOT based stack cookie load on Clang < 17
> > > # possible first bad commit: [cb7927fda002ca49ae62e2782c1692acc7b80c67]
> > > x86/relocs: Handle R_X86_64_REX_GOTPCRELX relocations
> > > # possible first bad commit: [f58b63857ae38b4484185b799a2759274b930c92]
> > > x86/pvh: Use fixed_percpu_data for early boot GSBASE
> > > ```
> > >
> > > There is a typo in commit f58b63857ae3 ("x86/pvh: Use fixed_percpu_data for
> > > early boot GSBASE"), resulting in compilation failure.
> > > With the patch below, I bisected again:
> > >
> > > ```
> > > diff --git a/arch/x86/platform/pvh/head.S b/arch/x86/platform/pvh/head.S
> > > index 723f181b222a..f1a8392a4835 100644
> > > --- a/arch/x86/platform/pvh/head.S
> > > +++ b/arch/x86/platform/pvh/head.S
> > > @@ -180,7 +180,7 @@ SYM_CODE_START(pvh_start_xen)
> > > */
> > > movl $MSR_GS_BASE,%ecx
> > > leaq INIT_PER_CPU_VAR(fixed_percpu_data)(%rip), %rdx
> > > - movq %edx, %eax
> > > + movl %edx, %eax
> > > shrq $32, %rdx
> > > wrmsr
> > > ```
> > >
> > > New bisect log:
> > >
> > > ```
> > > [...]
> > > # good: [a9a76b38aaf577887103e3ebb41d70e6aa5a4b19] x86/boot: Disable stack
> > > protector for early boot code
> > > git bisect good a9a76b38aaf577887103e3ebb41d70e6aa5a4b19
> > > # good: [78c4374ef8b842c6abf195d6f963853c7ec464d2] x86/module: Deal with GOT
> > > based stack cookie load on Clang < 17
> > > git bisect good 78c4374ef8b842c6abf195d6f963853c7ec464d2
> > > # good: [80d47defddc000271502057ebd7efa4fd6481542] x86/stackprotector/64:
> > > Convert to normal per-CPU variable
> > > git bisect good 80d47defddc000271502057ebd7efa4fd6481542
> > > # first bad commit: [9d7de2aa8b41407bc96d89a80dc1fd637d389d42] x86/percpu/64:
> > > Use relative percpu offsets
> > > ```
> > >
> > > The bad commit 9d7de2aa8b41 ("x86/percpu/64: Use relative percpu offsets")
> > > first appeared in v6.15-rc1.
> > >
> > > Got dmesg below by building and booting the bad commit, then unplugging the
> > > receiver:
> > >
> > > ```
> > > [ 560.223095] BUG: unable to handle page fault for address: ffff9acf2b889008
> > > [ 560.223174] #PF: supervisor write access in kernel mode
> > > [ 560.223299] #PF: error_code(0x0002) - not-present page
> > > [ 560.223332] PGD 43e401067 P4D 43e401067 PUD 0
> > > [ 560.223353] Oops: Oops: 0002 [#1] PREEMPT SMP NOPTI
> > > [ 560.223359] CPU: 0 UID: 0 PID: 8212 Comm: kworker/0:3 Tainted: G U
> > > 6.14.0-rc3+ #1 ab962f3b7921227b62db2503d8ec7411fa694628
> > > [ 560.223364] Tainted: [U]=USER
> > > [ 560.223369] Hardware name: LENOVO 21Q4/LNVNB161216, BIOS PXCN24WW 03/11/2025
> > > [ 560.223378] Workqueue: events hidinput_led_worker
> > > [ 560.223382] RIP: 0010:__srcu_read_lock+0x14/0x30
> > > [ 560.223387] Code: 0f 0b eb bc 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 84 00 00
> > > 00 00 00 f3 0f 1e fa 0f 1f 44 00 00 8b 07 48 8b 57 08 83 e0 01 89 c1 <65> 48 ff
> > > 04 ca f0 83 44 24 fc 00 c3 cc cc cc cc 66 66 2e 0f 1f 84
> > > [ 560.223392] RSP: 0018:ffffb7df8d24fd88 EFLAGS: 00010202
> > > [ 560.223396] RAX: 0000000000000001 RBX: ffff9ac82f80de08 RCX:
> > > 0000000000000001
> > > [ 560.223401] RDX: 0000000000000000 RSI: ffff9ac8fd276f40 RDI:
> > > ffff9ac82f80de38
> > > [ 560.223407] RBP: ffffb7df8d24fdf8 R08: 0000000000000000 R09:
> > > 00000000fffffffd
> > > [ 560.223412] R10: 0000000000000001 R11: 00000000ffffffff R12:
> > > 0000000000000000
> > > [ 560.223417] R13: ffff9ac8fd276f40 R14: 000000000000000e R15:
> > > 0000000000000000
> > > [ 560.223421] FS: 0000000000000000(0000) GS:ffff9acf2b889000(0000)
> > > knlGS:0000000000000000
> > > [ 560.223426] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> > > [ 560.223430] CR2: ffff9acf2b889008 CR3: 00000001e1c40000 CR4:
> > > 0000000000f50ef0
> > > [ 560.223434] PKRU: 55555554
> > > [ 560.223439] Call Trace:
> > > [ 560.223444] <TASK>
> > > [ 560.223449] ? __die_body.cold+0x19/0x29
> > > [ 560.223453] ? page_fault_oops+0x15a/0x2e0
> > > [ 560.223458] ? search_bpf_extables+0x5f/0x80
> > > [ 560.223462] ? exc_page_fault+0x1a3/0x1b0
> > > [ 560.223466] ? asm_exc_page_fault+0x26/0x30
> > > [ 560.223471] ? __srcu_read_lock+0x14/0x30
> > > [ 560.223475] ? psi_task_switch+0xb7/0x200
> > > [ 560.223480] dispatch_hid_bpf_output_report+0x73/0x100
> > > [ 560.223485] hid_hw_output_report+0x46/0x90
> > > [ 560.223490] hidinput_led_worker+0xa9/0xe0
> > > [ 560.223494] process_one_work+0x17b/0x330
> > > [ 560.223498] worker_thread+0x2ce/0x3f0
> > > [ 560.223503] ? rescuer_thread+0x530/0x530
> > > [ 560.223507] kthread+0xeb/0x230
> > > [ 560.223512] ? kthreads_online_cpu+0x120/0x120
> > > [ 560.223516] ret_from_fork+0x31/0x50
> > > [ 560.223522] ? kthreads_online_cpu+0x120/0x120
> > > [ 560.223528] ret_from_fork_asm+0x11/0x20
> > > [ 560.223532] </TASK>
> > > [ 560.223538] Modules linked in: tcp_diag inet_diag xt_mark snd_hrtimer
> > > snd_seq_dummy snd_seq_midi snd_seq_oss snd_seq_midi_event snd_seq uhid rfcomm
> > > cmac algif_hash algif_skcipher af_alg xt_CHECKSUM xt_MASQUERADE xt_conntrack
> > > ipt_REJECT nf_reject_ipv4 xt_tcpudp nft_compat nft_chain_nat nf_nat
> > > nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 tun bridge stp llc nf_tables
> > > snd_usb_audio snd_usbmidi_lib snd_ump snd_rawmidi snd_seq_device qrtr bnep
> > > overlay sunrpc vfat fat uvcvideo videobuf2_vmalloc uvc videobuf2_memops btusb
> > > videobuf2_v4l2 btrtl videobuf2_common btintel btbcm videodev btmtk mc bluetooth
> > > snd_acp_legacy_mach snd_acp_mach snd_soc_nau8821 snd_acp3x_rn snd_acp70
> > > snd_acp_i2s snd_acp_pdm snd_soc_dmic snd_acp_pcm snd_sof_amd_acp70
> > > snd_sof_amd_acp63 snd_sof_amd_vangogh snd_sof_amd_rembrandt snd_sof_amd_renoir
> > > snd_sof_amd_acp intel_rapl_msr amd_atl snd_sof_pci intel_rapl_common
> > > snd_sof_xtensa_dsp snd_sof snd_sof_utils snd_pci_ps snd_soc_acpi_amd_match
> > > snd_amd_sdw_acpi soundwire_amd soundwire_generic_allocation snd_ctl_led
> > > [ 560.223612] soundwire_bus snd_soc_sdca snd_hda_codec_realtek
> > > snd_hda_codec_generic snd_soc_core mt7925e snd_hda_scodec_component
> > > mt7925_common snd_compress mt792x_lib snd_hda_codec_hdmi ac97_bus snd_hda_intel
> > > mt76_connac_lib snd_pcm_dmaengine snd_intel_dspcfg mt76 snd_rpl_pci_acp6x
> > > snd_intel_sdw_acpi snd_hda_codec kvm_amd snd_acp_pci think_lmi snd_hda_core
> > > snd_acp_legacy_common mac80211 kvm snd_pci_acp6x snd_hwdep snd_pcm_oss
> > > snd_mixer_oss snd_pci_acp5x libarc4 amd_pmf rapl pcspkr
> > > firmware_attributes_class wmi_bmof hid_sensor_als amdtee snd_pcm
> > > hid_sensor_trigger snd_rn_pci_acp3x cfg80211 industrialio_triggered_buffer
> > > snd_timer joydev snd_acp_config kfifo_buf spd5118 snd snd_soc_acpi
> > > hid_sensor_iio_common ccp soundcore snd_pci_acp3x rfkill platform_profile
> > > amdxdna k10temp industrialio amd_pmc mousedev mac_hid sch_fq_codel uinput
> > > i2c_dev parport_pc ppdev lp parport nvme_fabrics nvme_keyring nfnetlink
> > > ip_tables x_tables dm_crypt encrypted_keys trusted asn1_encoder tee dm_mod
> > > raid10 raid456 async_raid6_recov
> > > [ 560.223631] async_memcpy async_pq async_xor async_tx raid1 raid0 linear
> > > md_mod igc ptp pps_core uas usb_storage hid_logitech_hidpp r8153_ecm cdc_ether
> > > usbnet hid_logitech_dj r8152 mii usbhid amdgpu i2c_algo_bit drm_ttm_helper ttm
> > > drm_panel_backlight_quirks polyval_clmulni drm_exec polyval_generic
> > > ghash_clmulni_intel drm_suballoc_helper sha512_ssse3 amdxcp hid_sensor_custom
> > > serio_raw sha256_ssse3 drm_buddy sdhci_pci ucsi_acpi atkbd nvme hid_multitouch
> > > r8169 sha1_ssse3 sp5100_tco hid_sensor_hub typec_ucsi libps2 gpu_sched
> > > sdhci_uhs2 vivaldi_fmap aesni_intel nvme_core sdhci hid_generic realtek typec
> > > drm_display_helper video i8042 crypto_simd i2c_piix4 mdio_devres cqhci cryptd
> > > thunderbolt mmc_core libphy cec amd_sfh nvme_auth roles i2c_smbus serio
> > > i2c_hid_acpi wmi i2c_hid
> > > [ 560.223646] CR2: ffff9acf2b889008
> > > [ 560.223650] ---[ end trace 0000000000000000 ]---
> > > [ 560.223655] RIP: 0010:__srcu_read_lock+0x14/0x30
> > > [ 560.223660] Code: 0f 0b eb bc 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 84 00 00
> > > 00 00 00 f3 0f 1e fa 0f 1f 44 00 00 8b 07 48 8b 57 08 83 e0 01 89 c1 <65> 48 ff
> > > 04 ca f0 83 44 24 fc 00 c3 cc cc cc cc 66 66 2e 0f 1f 84
> > > [ 560.223664] RSP: 0018:ffffb7df8d24fd88 EFLAGS: 00010202
> > > [ 560.223670] RAX: 0000000000000001 RBX: ffff9ac82f80de08 RCX:
> > > 0000000000000001
> > > [ 560.223674] RDX: 0000000000000000 RSI: ffff9ac8fd276f40 RDI:
> > > ffff9ac82f80de38
> > > [ 560.223679] RBP: ffffb7df8d24fdf8 R08: 0000000000000000 R09:
> > > 00000000fffffffd
> > > [ 560.223683] R10: 0000000000000001 R11: 00000000ffffffff R12:
> > > 0000000000000000
> > > [ 560.223687] R13: ffff9ac8fd276f40 R14: 000000000000000e R15:
> > > 0000000000000000
> > > [ 560.223692] FS: 0000000000000000(0000) GS:ffff9acf2b889000(0000)
> > > knlGS:0000000000000000
> > > [ 560.223696] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> > > [ 560.223700] CR2: ffff9acf2b889008 CR3: 00000001e1c40000 CR4:
> > > 0000000000f50ef0
> > > [ 560.223704] PKRU: 55555554
> > > [ 560.223709] note: kworker/0:3[8212] exited with irqs disabled
> > > ```
> > >
> > > --
> > > You may reply to this email to add a comment.
> > >
> > > You are receiving this mail because:
> > > You are watching the assignee of the bug.
> >
> > --
> > Regards/Gruss,
> > Boris.
> >
> > https://people.kernel.org/tglx/notes-about-netiquette
[-- Attachment #2: 6.15-rc5_per-cpu-pf_bpftrace --]
[-- Type: text/plain, Size: 10792 bytes --]
[456.988134 - kworker/0:2(11111)@CPU#0]: fentry:vmlinux:dispatch_hid_bpf_output_report:
{ .hdev = 0xffff8be5b4e50000, .buf = 0xffff8be8c2b79710, .size = 2, .source = 0, .from_bpf = 0 }
bpf_prog_fa011a645bdd3530_fentry_vmlinux_dispatch_hid_bpf_output_report_1+1117
bpf_prog_fa011a645bdd3530_fentry_vmlinux_dispatch_hid_bpf_output_report_1+1117
bpf_trampoline_6442533195+98
dispatch_hid_bpf_output_report+9
hid_hw_output_report+70
hidinput_led_worker+169
process_one_work+399
worker_thread+723
kthread+249
ret_from_fork+49
ret_from_fork_asm+17
*hdev:
{ .dev_rdesc = 0xffff8be581986e00, .bpf_rdesc = 0xffff8be581986e00, .rdesc = 0xffff8be586c03400, .dev_rsize = 234, .bpf_rsize = 234, .rsize = 234, .collection_size = 16, .collection = 0xffff8be586c02400, .maxcollection = 6, .maxapplication = 5, .bus = 3, .group = 258, .vendor = 1133, .product = 16514, .version = 273, .type = 0, .country = 0, .report_enum = [{ .numbered = 1, .report_list = { .next = 0xffff8be5aa8a9000, .prev = 0xffff8be5b4e44000 }, .report_id_hash = [0x0,0xffff8be5aa8a9000,0xffff8be5aa8ad000,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0xffff8be5aa8ac000,0xffff8be5aa8aa000,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0xffff8be5801de000,0xffff8be5b4e44000,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0] },{ .numbered = 1, .report_list = { .next = 0xffff8be5aa8ae000, .prev = 0xffff8be5b4e45000 }, .report_id_hash = [0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0xffff8be5aa8ae000,0x0,0xffff8be5aa8a8000,0xffff8be5aa8af000,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0xffff8be5b4e40000,0xffff8be5b4e45000,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0] },{ .numbered = 0, .report_list = { .next = 0xffff8be5b4e51088, .prev = 0xffff8be5b4e51088 }, .report_id_hash = [0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0] }], .led_work = { .data = , .entry = { .next = 0xffff8be5b4e518a0, .prev = 0xffff8be5b4e518a0 }, .func = 0xffffffff89ad5ed0 }, .driver_input_lock = { .lock = { .raw_lock = { .val = , .locked = 0, .pending = 0, .locked_pending = 0, .tail = 0 } }, .count = 0, .wait_list = { .next = 0xffff8be5b4e518c0, .prev = 0xffff8be5b4e518c0 } }, .dev = { .kobj = { .name = 0xffff8be5b4c25040, .entry = { .next = 0xffff8be5a9c478d8, .prev = 0xffff8be589505418 }, .parent = 0xffff8be5b4e2b8d0, .kset = 0xffff8be5802c1180, .ktype = 0xffffffff89fb79c0, .sd = 0xffff8be5a7318c38, .kref = { .refcount = { .refs = } }, .state_initialized = 7, .state_in_sysfs = 7, .state_add_uevent_sent = 7, .state_remove_uevent_sent = 7, .uevent_suppress = 7 }, .parent = 0xffff8be5b4e2b8d0, .p = 0xffff8be581987900, .init_name = 0x0, .type = 0x0, .bus = 0xffffffff8a01d8c0, .driver = 0xffffffffc0944128, .platform_data = 0x0, .driver_data = 0xffff8be58ade1028, .mutex = { .owner = , .wait_lock = { .raw_lock = { .val = , .locked = 0, .pending = 0, .locked_pending = 0, .tail = 0 } }, .osq = { .tail = }, .wait_list = { .next = 0xffff8be5b4e51960, .prev = 0xffff8be5b4e51960 } }, .links = { .suppliers = { .next = 0xffff8be5b4e51970, .prev = 0xffff8be5b4e51970 }, .consumers = { .next = 0xffff8be5b4e51980, .prev = 0xffff8be5b4e51980 }, .defer_sync = { .next = 0xffff8be5b4e51990, .prev = 0xffff8be5b4e51990 }, .status = 3 }, .power = { .power_state = { .event = 0 }, .can_wakeup = 6, .async_suspend = 6, .in_dpm_list = 6, .is_prepared = 6, .is_suspended = 6, .is_noirq_suspended = 6, .is_late_suspended = 6, .no_pm = 6, .early_init = 1, .direct_complete = 1, .driver_flags = 0, .lock = { .rlock = { .raw_lock = { .val = , .locked = 0, .pending = 0, .locked_pending = 0, .tail = 0 } } }, .entry = { .next = 0xffff8be5a9c479b8, .prev = 0xffff8be5895054f8 }, .completion = { .done = 4294967295, .wait = { .lock = { .raw_lock = { .val = , .locked = 0, .pending = 0, .locked_pending = 0, .tail = 0 } }, .task_list = { .next = 0xffff8be5b4e519d8, .prev = 0xffff8be5b4e519d8 } } }, .wakeup = 0x0, .wakeup_path = 4, .syscore = 4, .no_pm_callbacks = 4, .work_in_progress = 4, .smart_suspend = 4, .must_resume = 4, .may_skip_resume = 4, .suspend_timer = { .node = { .node = { .__rb_parent_color = 18446616417431525880, .rb_right = 0x0, .rb_left = 0x0 }, .expires = 0 }, ._softexpires = 0, .function = 0xffffffff89980d10, .base = 0xffff8bec5f620d40, .state = 0, .is_rel = 0, .is_soft = 0, .is_hard = 0 }, .timer_expires = 0, .work = { .data = , .entry = { .next = 0xffff8be5b4e51a48, .prev = 0xffff8be5b4e51a48 }, .func = 0xffffffff89981260 }, .wait_queue = { .lock = { .rlock = { .raw_lock = { .val = , .locked = 0, .pending = 0, .locked_pending = 0, .tail = 0 } } }, .head = { .next = 0xffff8be5b4e51a68, .prev = 0xffff8be5b4e51a68 } }, .wakeirq = 0x0, .usage_count = , .child_count = , .disable_depth = 129, .idle_notification = 129, .request_pending = 129, .deferred_resume = 129, .needs_force_resume = 129, .runtime_auto = 129, .ignore_children = 0, .no_callbacks = 0, .irq_safe = 0, .use_autosuspend = 0, .timer_autosuspends = 0, .memalloc_noio = 0, .links_count = 0, .request = 0, .runtime_status = 2, .last_status = 4294967295, .runtime_error = 0, .autosuspend_delay = 0, .last_busy = 0, .active_time = 0, .suspended_time = 0, .accounting_timestamp = 0, .subsys_data = 0x0, .set_latency_tolerance = 0x0, .qos = 0x0 }, .pm_domain = 0x0, .em_pd = 0x0, .pins = 0x0, .msi = { .domain = 0x0, .data = 0x0 }, .dma_ops = 0x0, .dma_mask = 0x0, .coherent_dma_mask = 0, .bus_dma_limit = 0, .dma_range_map = 0x0, .dma_parms = 0x0, .dma_pools = { .next = 0xffff8be5b4e51b38, .prev = 0xffff8be5b4e51b38 }, .cma_area = 0x0, .dma_io_tlb_mem = 0xffffffff8ba5ff20, .archdata = { }, .of_node = 0x0, .fwnode = 0x0, .numa_node = -1, .devt = 0, .id = 0, .devres_lock = { .rlock = { .raw_lock = { .val = , .locked = 0, .pending = 0, .locked_pending = 0, .tail = 0 } } }, .devres_head = { .next = 0xffff8be5a7206c00, .prev = 0xffff8be67757d580 }, .class = 0x0, .groups = 0x0, .release = 0xffffffff89ad49d0, .iommu_group = 0x0, .iommu = 0x0, .physical_location = 0x0, .removable = 0, .offline_disabled = 16, .offline = 16, .of_node_reused = 16, .state_synced = 16, .can_match = 16, .dma_skip_sync = 16, .dma_iommu = 16 }, .driver = 0xffffffffc0944080, .devres_group_id = 0xffff8be5a7206c00, .ll_driver = 0xffffffffc090d720, .ll_open_lock = { .owner = , .wait_lock = { .raw_lock = { .val = , .locked = 0, .pending = 0, .locked_pending = 0, .tail = 0 } }, .osq = { .tail = }, .wait_list = { .next = 0xffff8be5b4e51be8, .prev = 0xffff8be5b4e51be8 } }, .ll_open_count = 1, .battery = 0x0, .battery_capacity = 0, .battery_min = 0, .battery_max = 0, .battery_report_type = 0, .battery_report_id = 0, .battery_charge_status = 0, .battery_status = 0, .battery_avoid_query = 0, .battery_ratelimit_time = 0, .status = 3, .claimed = 5, .quirks = 0, .initial_quirks = 0, .io_started = 0, .inputs = { .next = 0xffff8be5b4e51c48, .prev = 0xffff8be5b4e51c48 }, .hiddev = 0x0, .hidraw = 0xffff8be5a7206300, .name = Logitech MX Master 3, .phys = usb-0000:67:00.4-1.4.5/input2:1, .uniq = 0d-b7-de-cf, .driver_data = 0xffff8be5b4c25780, .ff_init = 0x0, .hiddev_connect = 0x0, .hiddev_disconnect = 0x0, .hiddev_hid_event = 0x0, .hiddev_report_event = 0x0, .debug = 1, .debug_dir = 0xffff8be593a93800, .debug_rdesc = 0xffff8be593a920c0, .debug_events = 0xffff8be593a92480, .debug_list = { .next = 0xffff8be5b4e51db8, .prev = 0xffff8be5b4e51db8 }, .debug_list_lock = { .rlock = { .raw_lock = { .val = , .locked = 0, .pending = 0, .locked_pending = 0, .tail = 0 } } }, .debug_wait = { .lock = { .rlock = { .raw_lock = { .val = , .locked = 0, .pending = 0, .locked_pending = 0, .tail = 0 } } }, .head = { .next = 0xffff8be5b4e51dd8, .prev = 0xffff8be5b4e51dd8 } }, .ref = { .refcount = { .refs = } }, .id = 8, .bpf = { .device_data = 0x0, .allocated_data = 0, .destroyed = 1, .rdesc_ops = 0x0, .prog_list = { .next = 0xffff8be5b4e51e08, .prev = 0xffff8be5b4e51e08 }, .prog_list_lock = { .owner = , .wait_lock = { .raw_lock = { .val = , .locked = 0, .pending = 0, .locked_pending = 0, .tail = 0 } }, .osq = { .tail = }, .wait_list = { .next = 0xffff8be5b4e51e28, .prev = 0xffff8be5b4e51e28 } }, .srcu = { .srcu_ctrp = 0x61896b5b0290, .sda = 0x0, .dep_map = { }, .srcu_sup = 0x0 } } }
[-- Attachment #3: 6.15-rc5_per-cpu-pf_bptrace_dmesg_decoded --]
[-- Type: text/plain, Size: 9374 bytes --]
[ 456.762911] usb 7-1.4.5: USB disconnect, device number 7
[ 456.893345] BUG: unable to handle page fault for address: ffff8becd3c65018
[ 456.893355] #PF: supervisor write access in kernel mode
[ 456.893358] #PF: error_code(0x0002) - not-present page
[ 456.893360] PGD 45ce01067 P4D 45ce01067 PUD 0
[ 456.893366] Oops: Oops: 0002 [#1] SMP NOPTI
[ 456.893370] CPU: 0 UID: 0 PID: 11111 Comm: kworker/0:2 Not tainted 6.15.0-rc5 #1 PREEMPT(lazy) 0538d36f9cfa2dbc3c98efb2730490d8b2399dc4
[ 456.893376] Hardware name: LENOVO 21Q4/LNVNB161216, BIOS PXCN24WW 03/11/2025
[ 456.893378] Workqueue: events hidinput_led_worker
[ 456.893385] RIP: 0010:__srcu_read_unlock (kernel/rcu/srcutree.c:768 (discriminator 1))
[ 456.893391] Code: c3 cc cc cc cc 66 66 2e 0f 1f 84 00 00 00 00 00 f3 0f 1e fa 0f 1f 44 00 00 f0 83 44 24 fc 00 48 63 f6 48 c1 e6 04 48 03 77 08 <65> 48 ff 46 08 c3 cc cc cc cc 66 66 2e 0f 1f 84 00 00 00 00 00 90
All code
========
0: c3 ret
1: cc int3
2: cc int3
3: cc int3
4: cc int3
5: 66 66 2e 0f 1f 84 00 data16 cs nopw 0x0(%rax,%rax,1)
c: 00 00 00 00
10: f3 0f 1e fa endbr64
14: 0f 1f 44 00 00 nopl 0x0(%rax,%rax,1)
19: f0 83 44 24 fc 00 lock addl $0x0,-0x4(%rsp)
1f: 48 63 f6 movslq %esi,%rsi
22: 48 c1 e6 04 shl $0x4,%rsi
26: 48 03 77 08 add 0x8(%rdi),%rsi
2a:* 65 48 ff 46 08 incq %gs:0x8(%rsi) <-- trapping instruction
2f: c3 ret
30: cc int3
31: cc int3
32: cc int3
33: cc int3
34: 66 66 2e 0f 1f 84 00 data16 cs nopw 0x0(%rax,%rax,1)
3b: 00 00 00 00
3f: 90 nop
Code starting with the faulting instruction
===========================================
0: 65 48 ff 46 08 incq %gs:0x8(%rsi)
5: c3 ret
6: cc int3
7: cc int3
8: cc int3
9: cc int3
a: 66 66 2e 0f 1f 84 00 data16 cs nopw 0x0(%rax,%rax,1)
11: 00 00 00 00
15: 90 nop
[ 456.893393] RSP: 0018:ffffcd7648a47d18 EFLAGS: 00010202
[ 456.893396] RAX: 0000000000000000 RBX: ffff8be5b4e51e08 RCX: 0000000000000000
[ 456.893397] RDX: 0000000000000002 RSI: 0000000000000010 RDI: ffff8be5b4e51e38
[ 456.893399] RBP: ffffcd7648a47d90 R08: 0000000000000000 R09: ffffed763ec31c38
[ 456.893400] R10: 0000000000000000 R11: 00000000000028e6 R12: 0000000000000000
[ 456.893401] R13: ffff8be8c2b79710 R14: 0000000000000001 R15: 0000000000000000
[ 456.893402] FS: 0000000000000000(0000) GS:ffff8becd3c65000(0000) knlGS:0000000000000000
[ 456.893405] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 456.893406] CR2: ffff8becd3c65018 CR3: 000000057c08e000 CR4: 0000000000f50ef0
[ 456.893408] PKRU: 55555554
[ 456.893410] Call Trace:
[ 456.893411] <TASK>
[ 456.893413] dispatch_hid_bpf_output_report (drivers/hid/bpf/hid_bpf_dispatch.c:148)
[ 456.893419] bpf_trampoline_6442533195+0x91/0x137
[ 456.893422] dispatch_hid_bpf_output_report (drivers/hid/bpf/hid_bpf_dispatch.c:120)
[ 456.893426] hid_hw_output_report (drivers/hid/hid-core.c:2500 drivers/hid/hid-core.c:2520)
[ 456.893428] hidinput_led_worker (drivers/hid/hid-input.c:1838)
[ 456.893430] process_one_work (kernel/workqueue.c:3238)
[ 456.893433] worker_thread (kernel/workqueue.c:3313 (discriminator 2) kernel/workqueue.c:3400 (discriminator 2))
[ 456.893435] ? rescuer_thread (kernel/workqueue.c:3346)
[ 456.893437] kthread (kernel/kthread.c:464)
[ 456.893441] ? kthreads_online_cpu (kernel/kthread.c:413)
[ 456.893445] ret_from_fork (arch/x86/kernel/process.c:153)
[ 456.893449] ? kthreads_online_cpu (kernel/kthread.c:413)
[ 456.893452] ret_from_fork_asm (arch/x86/entry/entry_64.S:255)
[ 456.893458] </TASK>
[ 456.893459] Modules linked in: xt_mark tcp_diag inet_diag uhid rfcomm cmac algif_hash algif_skcipher af_alg snd_hrtimer snd_seq_dummy snd_seq_midi snd_seq_oss snd_seq_midi_event snd_rawmidi snd_seq snd_seq_device xt_CHECKSUM xt_MASQUERADE xt_conntrack ipt_REJECT nf_reject_ipv4 xt_tcpudp nft_compat nft_chain_nat nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 tun bridge stp llc nf_tables qrtr overlay bnep sunrpc vfat fat uvcvideo videobuf2_vmalloc uvc videobuf2_memops btusb videobuf2_v4l2 btrtl videobuf2_common btintel btbcm videodev btmtk mc bluetooth snd_acp_legacy_mach snd_acp_mach snd_soc_nau8821 snd_acp3x_rn snd_acp70 snd_acp_i2s snd_acp_pdm snd_soc_dmic snd_acp_pcm amd_atl intel_rapl_msr snd_sof_amd_acp70 snd_sof_amd_acp63 intel_rapl_common snd_sof_amd_vangogh snd_sof_amd_rembrandt snd_sof_amd_renoir snd_sof_amd_acp snd_sof_pci snd_sof_xtensa_dsp snd_sof snd_sof_utils snd_pci_ps snd_soc_acpi_amd_match snd_amd_sdw_acpi snd_hda_codec_realtek soundwire_amd snd_hda_codec_generic soundwire_generic_allocation
[ 456.893512] soundwire_bus snd_hda_scodec_component snd_soc_sdca snd_hda_codec_hdmi snd_soc_core snd_hda_intel snd_compress kvm_amd mt7925e ac97_bus snd_intel_dspcfg mt7925_common snd_pcm_dmaengine snd_intel_sdw_acpi mt792x_lib snd_rpl_pci_acp6x snd_hda_codec snd_acp_pci kvm mt76_connac_lib snd_amd_acpi_mach snd_hda_core mt76 think_lmi snd_acp_legacy_common snd_hwdep irqbypass snd_pci_acp6x snd_ctl_led rapl mac80211 snd_pcm_oss firmware_attributes_class lenovo_wmi_hotkey_utilities snd_mixer_oss snd_pci_acp5x libarc4 snd_pcm wmi_bmof pcspkr snd_rn_pci_acp3x snd_timer snd_acp_config amd_pmf cfg80211 snd_soc_acpi spd5118 snd amdtee soundcore snd_pci_acp3x amdxdna k10temp hid_sensor_als rfkill hid_sensor_trigger ccp industrialio_triggered_buffer kfifo_buf joydev hid_sensor_iio_common platform_profile industrialio mousedev amd_pmc mac_hid sch_fq_codel uinput i2c_dev parport_pc ppdev lp parport nvme_fabrics nfnetlink ip_tables x_tables hid_logitech_hidpp hid_logitech_dj usbhid dm_crypt encrypted_keys trusted asn1_encoder
[ 456.893563] tee dm_mod raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx raid1 raid0 linear md_mod igc ptp pps_core r8153_ecm r8152 cdc_ether usbnet mii amdgpu i2c_algo_bit drm_ttm_helper ttm drm_panel_backlight_quirks polyval_clmulni drm_exec polyval_generic drm_suballoc_helper serio_raw amdxcp ghash_clmulni_intel drm_buddy hid_sensor_custom nvme sha512_ssse3 ucsi_acpi atkbd sdhci_pci gpu_sched sp5100_tco sha256_ssse3 libps2 typec_ucsi sdhci_uhs2 hid_multitouch hid_sensor_hub r8169 nvme_core sha1_ssse3 vivaldi_fmap sdhci hid_generic drm_display_helper realtek aesni_intel typec video nvme_keyring i8042 cqhci i2c_piix4 crypto_simd mdio_devres cryptd thunderbolt amd_sfh cec libphy mmc_core roles i2c_smbus nvme_auth i2c_hid_acpi serio wmi i2c_hid
[ 456.893612] CR2: ffff8becd3c65018
[ 456.893615] ---[ end trace 0000000000000000 ]---
[ 457.048135] pstore: backend (efi_pstore) writing error (-28)
[ 457.048142] RIP: 0010:__srcu_read_unlock (kernel/rcu/srcutree.c:768 (discriminator 1))
[ 457.048147] Code: c3 cc cc cc cc 66 66 2e 0f 1f 84 00 00 00 00 00 f3 0f 1e fa 0f 1f 44 00 00 f0 83 44 24 fc 00 48 63 f6 48 c1 e6 04 48 03 77 08 <65> 48 ff 46 08 c3 cc cc cc cc 66 66 2e 0f 1f 84 00 00 00 00 00 90
All code
========
0: c3 ret
1: cc int3
2: cc int3
3: cc int3
4: cc int3
5: 66 66 2e 0f 1f 84 00 data16 cs nopw 0x0(%rax,%rax,1)
c: 00 00 00 00
10: f3 0f 1e fa endbr64
14: 0f 1f 44 00 00 nopl 0x0(%rax,%rax,1)
19: f0 83 44 24 fc 00 lock addl $0x0,-0x4(%rsp)
1f: 48 63 f6 movslq %esi,%rsi
22: 48 c1 e6 04 shl $0x4,%rsi
26: 48 03 77 08 add 0x8(%rdi),%rsi
2a:* 65 48 ff 46 08 incq %gs:0x8(%rsi) <-- trapping instruction
2f: c3 ret
30: cc int3
31: cc int3
32: cc int3
33: cc int3
34: 66 66 2e 0f 1f 84 00 data16 cs nopw 0x0(%rax,%rax,1)
3b: 00 00 00 00
3f: 90 nop
Code starting with the faulting instruction
===========================================
0: 65 48 ff 46 08 incq %gs:0x8(%rsi)
5: c3 ret
6: cc int3
7: cc int3
8: cc int3
9: cc int3
a: 66 66 2e 0f 1f 84 00 data16 cs nopw 0x0(%rax,%rax,1)
11: 00 00 00 00
15: 90 nop
[ 457.048149] RSP: 0018:ffffcd7648a47d18 EFLAGS: 00010202
[ 457.048152] RAX: 0000000000000000 RBX: ffff8be5b4e51e08 RCX: 0000000000000000
[ 457.048153] RDX: 0000000000000002 RSI: 0000000000000010 RDI: ffff8be5b4e51e38
[ 457.048154] RBP: ffffcd7648a47d90 R08: 0000000000000000 R09: ffffed763ec31c38
[ 457.048155] R10: 0000000000000000 R11: 00000000000028e6 R12: 0000000000000000
[ 457.048155] R13: ffff8be8c2b79710 R14: 0000000000000001 R15: 0000000000000000
[ 457.048156] FS: 0000000000000000(0000) GS:ffff8becd3c65000(0000) knlGS:0000000000000000
[ 457.048157] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 457.048158] CR2: ffff8becd3c65018 CR3: 000000057c08e000 CR4: 0000000000f50ef0
[ 457.048159] PKRU: 55555554
[ 457.048160] note: kworker/0:2[11111] exited with irqs disabled
next prev parent reply other threads:[~2025-05-07 11:04 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <bug-220083-6385@https.bugzilla.kernel.org/>
2025-05-06 14:55 ` [Bug 220083] New: [REGRESSION, BISECTED] x86 ASM changes make dispatch_hid_bpf_output_report access not-present page Borislav Petkov
2025-05-06 15:35 ` Benjamin Tissoires
2025-05-07 11:03 ` Rong Zhang [this message]
2025-05-07 17:33 ` Rong Zhang
2025-05-07 22:14 ` Brian Gerst
2025-05-08 12:17 ` Rong Zhang
2025-05-12 14:43 ` Benjamin Tissoires
2025-05-12 15:24 ` [PATCH] HID: bpf: abort dispatch if device destroyed Rong Zhang
2025-05-12 19:17 ` Petr Tesařík
2025-05-13 14:01 ` Benjamin Tissoires
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=6b4fe1ae87c717c70708e7a3f5bd6d9c8c7bfcd5.camel@rong.moe \
--to=i@rong.moe \
--cc=bentiss@kernel.org \
--cc=bp@alien8.de \
--cc=bugzilla-daemon@kernel.org \
--cc=jikos@kernel.org \
--cc=linux-input@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).