[1.] One line summary:
Kernel Oops in hidinput_hid_event during rapid typing on Apple Aluminum 
Bluetooth Keyboard

[2.] Full description of the problem/report:

System experiences a kernel NULL pointer dereference (Oops) when typing
rapidly on an Apple Aluminum Bluetooth Keyboard (Aluminium Wireless 
Keyboard,
model A1314). The crash occurs in hidinput_hid_event+0x321 and causes 
complete
system lockup requiring hard reboot.

The keyboard is connected via Bluetooth through a Broadcom BCM20702A0 
dongle
(USB ID 0a5c:21e8). The hid-apple driver is properly loaded and bound 
to the
keyboard. The crash is reproducible during fast typing, particularly 
when
multiple keys are pressed in quick succession.

Steps to reproduce:
1. Pair Apple Aluminum Keyboard with system via Bluetooth Broadcom 
dongle
2. Verify hid-apple driver is bound (confirmed via 
/sys/bus/hid/devices/*/driver)
3. Type quickly and continuously on the keyboard
4. Within 30-60 seconds of rapid typing, kernel crashes with Oops
5. Bluetooth subsystem becomes unresponsive, requires hard power cycle

Note: The crash occurs even when the generic HID driver is forced; the
issue persists with both hid-generic and hid-apple.

[3.] Keywords:
HID, apple, keyboard, bluetooth, Oops, NULL pointer, hidinput_hid_event

[4.] Kernel version:
7.1.0-rc2-custom #1 SMP PREEMPT_DYNAMIC Tue May 5 09:34:05 CEST 2026

[5.] Most recent kernel version which did NOT have the bug:
Unknown — this is a custom kernel based on 7.1.0-rc2. The issue may 
be present
in mainline as well.

[6.] Output of Oops message with symbolic information resolved:

12146 │ [14299.726587] BUG: unable to handle page fault for address: 
ffffffffffffffe4
12147 │ [14299.726604] #PF: supervisor read access in kernel mode
12148 │ [14299.726610] #PF: error_code(0x0000) - not-present page
12149 │ [14299.726616] PGD 232825067 P4D 232825067 PUD 232827067 PMD 0
12150 │ [14299.726630] Oops: Oops: 0000 [#1] SMP NOPTI
12151 │ [14299.726642] CPU: 3 UID: 0 PID: 722 Comm: bluetoothd 
Tainted: G S          E       7.1.0-rc2-custom #1 PREEMPT(full)
12152 │ [14299.726655] Tainted: [S]=CPU_OUT_OF_SPEC, 
[E]=UNSIGNED_MODULE
12153 │ [14299.726659] Hardware name: BESSTAR (HK) LIMITED 
U500-H/VB9, BIOS 0.010 04/07/2020
12154 │ [14299.726665] RIP: 0010:hidinput_hid_event+0x321/0x910 [hid]
12155 │ [14299.726685] Code: 00 41 8b 57 30 48 8d 68 c8 48 39 c7 75 
1c e9 17 fe ff ff 66 0f 1f 44 00 00 48 8b 45 38 48 8d 68 c8 48 39 c7 0f 
84 0
      │ 0 fe ff ff <3b> 55 1c 75 ea 48 85 ed 0f 84 f2 fd ff ff 8b 03 
3d 44 00 85 00 0f
12156 │ [14299.726693] RSP: 0018:ffffd392026c7ae0 EFLAGS: 00010286
12157 │ [14299.726701] RAX: 0000000000000000 RBX: ffff8a7a9a783da4 
RCX: 0000000000000000
12158 │ [14299.726707] RDX: 0000000000000090 RSI: 0000000000000016 
RDI: ffff8a7a9bccdc18
12159 │ [14299.726712] RBP: ffffffffffffffc8 R08: 0000000000000000 
R09: ffff8a7a95e1c800
12160 │ [14299.726718] R10: 0000000000000014 R11: ffff8a7a9a783238 
R12: ffff8a7a9bccc000
12161 │ [14299.726723] R13: ffff8a7a9a783da4 R14: 0000000000000000 
R15: ffff8a7a95d2f000
12162 │ [14299.726729] FS:  00007fe112863540(0000) 
GS:ffff8a7e2799c000(0000) knlGS:0000000000000000
12163 │ [14299.726736] CS:  0010 DS: 0000 ES: 0000 CR0: 
0000000080050033
12164 │ [14299.726742] CR2: ffffffffffffffe4 CR3: 00000001157e6006 
CR4: 00000000003726f0
12165 │ [14299.726748] Call Trace:
12166 │ [14299.726755]  <TASK>
12167 │ [14299.726760]  ? __wake_up+0x44/0x60
12168 │ [14299.726779]  hid_process_event+0x119/0x130 [hid]
12169 │ [14299.726794]  hid_report_raw_event+0x315/0x4b0 [hid]
12170 │ [14299.726810]  __hid_input_report.constprop.0+0xfe/0x190 
[hid]
12171 │ [14299.726824]  uhid_char_write+0x41b/0x550 [uhid]
12172 │ [14299.726833]  ? rw_verify_area+0x54/0x180
12173 │ [14299.726842]  vfs_writev+0x26c/0x3d0
12174 │ [14299.726856]  ? ksys_read+0xbe/0xe0
12175 │ [14299.726867]  ? do_writev+0xeb/0x110
12176 │ [14299.726875]  do_writev+0xeb/0x110
12177 │ [14299.726885]  do_syscall_64+0xea/0x15e0
12178 │ [14299.726899]  ? __x64_sys_ppoll+0xf3/0x160
12179 │ [14299.726910]  ? switch_fpu_return+0x50/0xe0
12180 │ [14299.726920]  ? do_syscall_64+0x290/0x15e0
12181 │ [14299.726930]  ? ksys_read+0x6b/0xe0
12182 │ [14299.726940]  ? do_syscall_64+0xea/0x15e0
12183 │ [14299.726949]  ? do_syscall_64+0xea/0x15e0
12184 │ [14299.726957]  ? do_syscall_64+0x9f/0x15e0
12185 │ [14299.726965]  ? __irq_exit_rcu+0x4c/0xf0
12186 │ [14299.726974]  entry_SYSCALL_64_after_hwframe+0x76/0x7e
12187 │ [14299.726982] RIP: 0033:0x7fe11299e197
12188 │ [14299.726990] Code: 48 89 fa 4c 89 df e8 98 af 00 00 8b 93 
08 03 00 00 59 5e 48 83 f8 fc 74 1a 5b c3 0f 1f 84 00 00 00 00 00 48 8b 
44 2
      │ 4 10 0f 05 <5b> c3 0f 1f 80 00 00 00 00 83 e2 39 83 fa 08 75 
de e8 23 ff ff ff
12189 │ [14299.726996] RSP: 002b:00007ffd64b38710 EFLAGS: 00000202 
ORIG_RAX: 0000000000000014
12190 │ [14299.727005] RAX: ffffffffffffffda RBX: 00007fe112863540 
RCX: 00007fe11299e197
12191 │ [14299.727010] RDX: 0000000000000001 RSI: 00007ffd64b38780 
RDI: 0000000000000012
12192 │ [14299.727015] RBP: 0000000000000001 R08: 0000000000000000 
R09: 0000000000000000
12193 │ [14299.727019] R10: 0000000000000000 R11: 0000000000000202 
R12: 0000000000000012
12194 │ [14299.727024] R13: 00005623af2376b0 R14: 0000000000000000 
R15: 00005623af269f70
12195 │ [14299.727033]  </TASK>
12196 │ [14299.727037] Modules linked in: ccm(E) nls_utf8(E) cifs(E) 
nls_ucs2_utils(E) cifs_md4(E) dns_resolver(E) netfs(E) rfcomm(E) 
snd_seq_du
      │ mmy(E) snd_hrtimer(E) input_leds(E) hid_apple(E) 
hid_generic(E) algif_hash(E) algif_skcipher(E) af_alg(E) ovpn(E) 
ip6_udp_tunnel(E) udp_
      │ tunnel(E) nls_iso8859_1(E) nls_cp437(E) vfat(E) fat(E) 
intel_rapl_msr(E) intel_rapl_common(E) x86_pkg_temp_thermal(E) 
intel_powerclamp(E
      │ ) coretemp(E) kvm_intel(E) iwlmvm(E) rtsx_usb_ms(E) kvm(E) 
at24(E) rtsx_usb_sdmmc(E) memstick(E) iTCO_wdt(E) spi_intel_platform(E) 
spi_i
      │ ntel(E) mac80211(E) intel_pmc_bxt(E) irqbypass(E) mei_pxp(E) 
mei_hdcp(E) rapl(E) libarc4(E) intel_cstate(E) intel_uncore(E) evdev(E) 
pcs
      │ pkr(E) mac_hid(E) snd_usb_audio(E) iwlwifi(E) snd_ctl_led(E) 
snd_hda_codec_alc269(E) snd_usbmidi_lib(E) i2c_i801(E) snd_rawmidi(E) 
btusb
      │ (E) snd_hda_codec_realtek_lib(E) snd_hda_codec_intelhdmi(E) 
snd_hda_scodec_component(E) btbcm(E) i2c_smbus(E) 
snd_hda_codec_generic(E) r
      │ tsx_usb(E) mc(E) snd_hda_codec_hdmi(E) btmtk(E) i2c_mux(E) 
btrtl(E) snd_hda_intel(E)
12197 │ [14299.727186]  btintel(E) r8169(E) cfg80211(E) 
intel_pmc_core(E) i2c_designware_platform(E) snd_hda_codec(E) 
pmt_telemetry(E) realtek(E
      │ ) i2c_designware_core(E) phy_package(E) pmt_discovery(E) 
snd_hda_core(E) snd_intel_dspcfg(E) ccp(E) pmt_class(E) 
intel_pmc_ssram_telemet
      │ ry(E) snd_intel_sdw_acpi(E) snd_hwdep(E) intel_vsec(E) 
rng_core(E) mei_me(E) acpi_pad(E) ac(E) tiny_power_button(E) lpc_ich(E) 
mei(E) sn
      │ d_pcm(E) dm_raid(E) raid456(E) md_mod(E) async_raid6_recov(E) 
async_memcpy(E) async_pq(E) async_xor(E) async_tx(E) snd_seq(E) 
snd_seq_de
      │ vice(E) snd_timer(E) snd(E) soundcore(E) vhost_vsock(E) 
vmw_vsock_virtio_transport_common(E) vsock(E) vhost_net(E) vhost(E) 
vhost_iotlb(
      │ E) tap(E) hci_vhci(E) bluetooth(E) rfkill(E) ecdh_generic(E) 
ecc(E) crc16(E) vfio_iommu_type1(E) vfio(E) iommufd(E) uhid(E) hid(E) 
uinpu
      │ t(E) userio(E) ppp_generic(E) slhc(E) tun(E) loop(E) nvram(E) 
cuse(E) fuse(E) i915(E) intel_gtt(E) drm_buddy(E) sd_mod(E) ttm(E) 
agpgart
      │ (E) i2c_algo_bit(E) drm_display_helper(E) ahci(E) cec(E) 
xhci_pci(E) rc_core(E)
12198 │ [14299.727346]  ehci_pci(E) libahci(E) xhci_hcd(E) 
drm_client_lib(E) ehci_hcd(E) libata(E) aesni_intel(E) 
drm_kms_helper(E) video(E) gf1
      │ 28mul(E) usbcore(E) scsi_mod(E) aead(E) wmi(E) scsi_common(E) 
drm(E) usb_common(E) sdhci_acpi(E) sdhci(E) dw_dmac(E) mmc_core(E) 
dw_dmac
      │ _core(E) pinctrl_lynxpoint(E) button(E) dm_mirror(E) 
dm_region_hash(E) dm_log(E) dm_mod(E) btrfs(E) libblake2b(E) 
raid6_pq(E) xor(E)
12199 │ [14299.727414] Unloaded tainted modules: acpi_cpufreq(E):1 
fjes(E):2
12200 │ [14299.727431] CR2: ffffffffffffffe4
12201 │ [14299.727437] ---[ end trace 0000000000000000 ]---
12202 │ [14299.727443] RIP: 0010:hidinput_hid_event+0x321/0x910 [hid]
12203 │ [14299.727458] Code: 00 41 8b 57 30 48 8d 68 c8 48 39 c7 75 
1c e9 17 fe ff ff 66 0f 1f 44 00 00 48 8b 45 38 48 8d 68 c8 48 39 c7 0f 
84 0
      │ 0 fe ff ff <3b> 55 1c 75 ea 48 85 ed 0f 84 f2 fd ff ff 8b 03 
3d 44 00 85 00 0f
12204 │ [14299.727464] RSP: 0018:ffffd392026c7ae0 EFLAGS: 00010286
12205 │ [14299.727471] RAX: 0000000000000000 RBX: ffff8a7a9a783da4 
RCX: 0000000000000000
12206 │ [14299.727476] RDX: 0000000000000090 RSI: 0000000000000016 
RDI: ffff8a7a9bccdc18
12207 │ [14299.727481] RBP: ffffffffffffffc8 R08: 0000000000000000 
R09: ffff8a7a95e1c800
12208 │ [14299.727485] R10: 0000000000000014 R11: ffff8a7a9a783238 
R12: ffff8a7a9bccc000
12209 │ [14299.727490] R13: ffff8a7a9a783da4 R14: 0000000000000000 
R15: ffff8a7a95d2f000
12210 │ [14299.727495] FS:  00007fe112863540(0000) 
GS:ffff8a7e2799c000(0000) knlGS:0000000000000000
12211 │ [14299.727501] CS:  0010 DS: 0000 ES: 0000 CR0: 
0000000080050033
12212 │ [14299.727506] CR2: ffffffffffffffe4 CR3: 00000001157e6006 
CR4: 00000000003726f0
12213 │ [14299.727512] note: bluetoothd[722] exited with irqs disabled
12214 │

[7.] Small shell script or example program which triggers the problem:
No script needed — rapid typing on the keyboard for 30-60 seconds 
triggers
the crash. No special application required.

[8.] Environment

[8.1.] Software:
Distribution: Void Linux
Kernel: 7.1.0-rc2-custom (self-built)
Driver: hid-apple (bound to keyboard), btusb (Bluetooth)

[8.2.] Processor information:processor

cpu: 0
vendor_id	: GenuineIntel
cpu family	: 6
model		: 61
model name	: Intel(R) Core(TM) i3-5005U CPU @ 2.00GHz
stepping	: 4
microcode	: 0x24
cpu MHz		: 1696.096
cache size	: 3072 KB
physical id	: 0
siblings	: 4
core id		: 0
cpu cores	: 2
apicid		: 0
initial apicid	: 0
fpu		: yes
fpu_exception	: yes
cpuid level	: 20
wp		: yes
flags		: fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov 
pat pse36 clflush dts acpi mmx fxsr sse sse2 ss ht tm pbe syscall nx 
pdpe1gb rdtscp lm constant_tsc arch_perfmon pebs bts rep_good nopl 
xtopology nonstop_tsc cpuid aperfmperf pni pclmulqdq dtes64 monitor 
ds_cpl vmx est tm2 ssse3 sdbg fma cx16 xtpr pdcm pcid sse4_1 sse4_2 
x2apic movbe popcnt aes xsave avx f16c rdrand lahf_lm abm 3dnowprefetch 
cpuid_fault epb tpr_shadow flexpriority ept vpid ept_ad fsgsbase 
tsc_adjust bmi1 avx2 smep bmi2 erms invpcid rdseed adx smap intel_pt 
xsaveopt dtherm arat pln pts vnmi
vmx flags	: vnmi preemption_timer invvpid ept_x_only ept_ad ept_1gb 
flexpriority tsc_offset vtpr mtf vapic ept vpid unrestricted_guest ple 
ept_violation_ve
bugs		: cpu_meltdown spectre_v1 spectre_v2 spec_store_bypass l1tf mds 
swapgs itlb_multihit srbds spectre_v2_user old_microcode vmscape
bogomips	: 3990.76
clflush size	: 64
cache_alignment	: 64
address sizes	: 39 bits physical, 48 bits virtual
power management:
CPU:



Hardware: BESSTAR (HK) LIMITED U500-H/VB9, BIOS 0.010 04/07/2020

[8.3.] Module information:
hid-apple, hid-generic, btusb, bluetooth, hid

[8.4.] USB information:
Bus 002 Device 002: ID 0a5c:21e8 Broadcom Corp. BCM20702A0 Bluetooth 4.0
Bus 002 Device 005: ID 8087:0a2a Intel Corp. Bluetooth wireless 
interface (disabled) the bug occurs when this controler is used as well.

[8.5.] Bluetooth controller information:
Controller 5C:F3:70:A2:F8:56 (public) — Broadcom dongle
Keyboard MAC: 10:94:BB:AE:04:64

[9.] Other notes:

Additional observations:
- The crash occurs more frequently during RAPID typing. Normal-speed 
typing (30-40 WPM)
  does not seem to trigger the crash as much.
- The mouse (Bluetooth Mouse 4.0) does not cause crashes even during 
rapid
  movement.
- The internal Intel Bluetooth adapter is disabled via udev rule; only 
the
  Broadcom dongle is active.
- The hid-apple driver is confirmed to be bound to the keyboard:
  /sys/bus/hid/devices/0005:004C:026C.0007/driver -> 
../../../../../bus/hid/drivers/apple

Potential related issues:
- This Oops appears similar to historical HID bugs where feature reports
  without hidinput pointers cause NULL dereferences[citation:1]
- The crash address ffffffffffffffe4 suggests an offset from NULL (0 - 
0x1c)

Workarounds attempted (none fully successful):
1. Switching between hid-apple and hid-generic drivers
2. Disabling KernelExperimental = true in /etc/bluetooth/main.conf
3. Using different Bluetooth adapter (Broadcom vs internal Intel)

[X.] Other notes:
I am willing to test patches and provide additional debugging 
information.
The crash is fairly reproducible on demand within 10-20 minutes of 
testing.

Regards,

Michel Barthelemy

Attached: Full .config and useful data dumps