From: "Marek Marczykowski-Górecki" <marmarek@invisiblethingslab.com>
To: Mario Limonciello <mario.limonciello@amd.com>,
	Yazen Ghannam <yazen.ghannam@amd.com>
Cc: "maintainer:X86 ARCHITECTURE (32-BIT AND 64-BIT)"
	<x86@kernel.org>,
	"open list:AMD NODE DRIVER" <linux-kernel@vger.kernel.org>,
	regressions@lists.linux.dev
Subject: kernel NULL pointer dereference in quirk_clear_strap_no_soft_reset_dev2_f0 -> amd_smn_read
Date: Tue, 13 Jan 2026 02:01:34 +0100	[thread overview]
Message-ID: <aWWZb3eRfQdB4OsI@mail-itl> (raw)


Hi,

I've got a report that kernel 6.17.9 crashes when running a Xen HVM domU
with an AMD Raphael/Granite Ridge USB controller passed through.
It worked correctly in 6.12.59. Between those versions, I don't see any
relevant change to the quirk_clear_strap_no_soft_reset_dev2_f0() function,
but the AMD node driver did get some changes, so my guess is one of them
is to blame. I know the good-bad range is huge, but there aren't that
many changes to the AMD node driver in this range.

It's running on Qubes OS 4.3, which uses Xen 4.19, and does PCI
passthrough of USB controllers to a dedicated VM (HVM).

The full crash message is:

    [    0.302571] pci 0000:00:08.0: quirk_usb_early_handoff+0x0/0x180 took 16590 usecs
    [    0.303172] BUG: kernel NULL pointer dereference, address: 0000000000000000
    [    0.303189] #PF: supervisor read access in kernel mode
    [    0.303202] #PF: error_code(0x0000) - not-present page
    [    0.303216] PGD 0 P4D 0 
    [    0.303225] Oops: Oops: 0000 [#1] SMP NOPTI
    [    0.303236] CPU: 0 UID: 0 PID: 1 Comm: swapper/0 Not tainted 6.17.9-1.qubes.fc41.x86_64 #1 PREEMPT(full) 
    [    0.303258] Hardware name: Xen HVM domU, BIOS 4.19.3 08/26/2025
    [    0.303273] RIP: 0010:__amd_smn_rw+0x30/0x100
    [    0.303288] Code: 05 bd 44 b8 01 66 0f af 05 2d 44 b8 01 41 57 41 56 41 55 41 54 55 53 66 39 c2 0f 83 c0 00 00 00 48 8b 05 c3 61 d7 02 0f b7 d2 <4c> 8b 34 d0 4d 85 f6 0f 84 a9 00 00 00 80 3d a4 61 d7 02 00 0f 84
    [    0.303327] RSP: 0018:ffffcdd30001fd68 EFLAGS: 00010297
    [    0.303341] RAX: 0000000000000000 RBX: ffffcdd30001fdb4 RCX: 0000000010136008
    [    0.303359] RDX: 0000000000000000 RSI: 0000000000000064 RDI: 0000000000000060
    [    0.303377] RBP: ffffffffa684bb80 R08: ffffcdd30001fdb4 R09: 0000000000000000
    [    0.303395] R10: ffffffffa7567420 R11: 0000000000000020 R12: ffff8dd081dff000
    [    0.303413] R13: ffffffffa736ab60 R14: 00000000055ee14a R15: ffff8dd081dff000
    [    0.303434] FS:  0000000000000000(0000) GS:ffff8dd0e87c1000(0000) knlGS:0000000000000000
    [    0.303452] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
    [    0.303468] CR2: 0000000000000000 CR3: 000000000c62c000 CR4: 0000000000750ef0
    [    0.303487] PKRU: 55555554
    [    0.303495] Call Trace:
    [    0.303504]  <TASK>
    [    0.303513]  ? __pfx_quirk_clear_strap_no_soft_reset_dev2_f0+0x10/0x10
    [    0.304112]  amd_smn_read+0x27/0x50
    [    0.304112]  quirk_clear_strap_no_soft_reset_dev2_f0+0x37/0x80
    [    0.304112]  pci_fixup_device+0xf6/0x1b0
    [    0.304112]  pci_apply_final_quirks+0xe9/0x280
    [    0.304112]  ? __pfx_pci_apply_final_quirks+0x10/0x10
    [    0.304112]  do_one_initcall+0x57/0x310
    [    0.304112]  do_initcalls+0x1ef/0x240
    [    0.304112]  kernel_init_freeable+0x187/0x210
    [    0.304112]  ? __pfx_kernel_init+0x10/0x10
    [    0.304112]  kernel_init+0x1a/0x140
    [    0.304112]  ret_from_fork+0xf2/0x110
    [    0.304112]  ? __pfx_kernel_init+0x10/0x10
    [    0.304112]  ret_from_fork_asm+0x1a/0x30
    [    0.304112]  </TASK>
    [    0.304112] Modules linked in:
    [    0.304112] CR2: 0000000000000000
    [    0.304112] ---[ end trace 0000000000000000 ]---
    [    0.304112] RIP: 0010:__amd_smn_rw+0x30/0x100
    [    0.304112] Code: 05 bd 44 b8 01 66 0f af 05 2d 44 b8 01 41 57 41 56 41 55 41 54 55 53 66 39 c2 0f 83 c0 00 00 00 48 8b 05 c3 61 d7 02 0f b7 d2 <4c> 8b 34 d0 4d 85 f6 0f 84 a9 00 00 00 80 3d a4 61 d7 02 00 0f 84
    [    0.304112] RSP: 0018:ffffcdd30001fd68 EFLAGS: 00010297
    [    0.304112] RAX: 0000000000000000 RBX: ffffcdd30001fdb4 RCX: 0000000010136008
    [    0.304112] RDX: 0000000000000000 RSI: 0000000000000064 RDI: 0000000000000060
    [    0.304112] RBP: ffffffffa684bb80 R08: ffffcdd30001fdb4 R09: 0000000000000000
    [    0.304112] R10: ffffffffa7567420 R11: 0000000000000020 R12: ffff8dd081dff000
    [    0.304112] R13: ffffffffa736ab60 R14: 00000000055ee14a R15: ffff8dd081dff000
    [    0.304112] FS:  0000000000000000(0000) GS:ffff8dd0e87c1000(0000) knlGS:0000000000000000
    [    0.304112] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
    [    0.304112] CR2: 0000000000000000 CR3: 000000000c62c000 CR4: 0000000000750ef0
    [    0.304112] PKRU: 55555554
    [    0.304112] Kernel panic - not syncing: Fatal exception

The device, as seen from within the VM:

    00:09.0 USB controller [0c03]: Advanced Micro Devices, Inc. [AMD] Raphael/Granite Ridge USB 2.0 xHCI [1022:15b8] (prog-if 30 [XHCI])
        Subsystem: ASUSTeK Computer Inc. Device [1043:8877]
        Physical Slot: 9
        Flags: bus master, fast devsel, latency 0, IRQ 21
        Memory at f2200000 (64-bit, non-prefetchable) [size=1M]
        Capabilities: [48] Vendor Specific Information: Len=08 <?>
        Capabilities: [50] Power Management version 3
        Capabilities: [64] Express Endpoint, IntMsgNum 0
        Capabilities: [a0] MSI: Enable- Count=1/1 Maskable- 64bit+
        Capabilities: [c0] MSI-X: Enable+ Count=8 Masked-
        Kernel driver in use: xhci_hcd
        Kernel modules: xhci_pci
    00: 22 10 b8 15 07 04 10 00 00 30 03 0c 10 00 00 00
    10: 04 00 20 f2 00 00 00 00 00 00 00 00 00 00 00 00
    20: 00 00 00 00 00 00 00 00 00 00 00 00 43 10 77 88
    30: 00 00 00 00 48 00 00 00 00 00 00 00 2e 01 00 00
    40: 00 00 00 00 00 00 00 00 09 50 08 00 43 10 77 88
    50: 01 64 03 00 08 00 00 00 00 00 00 00 00 00 00 00
    60: 31 60 00 00 10 a0 02 00 a1 8f 00 00 30 29 00 00
    70: 04 0d 40 00 00 00 04 11 00 00 00 00 00 00 00 00
    80: 00 00 00 00 00 00 00 00 1f 00 01 00 00 00 00 00
    90: 1e 00 80 01 04 00 1f 00 00 00 00 00 00 00 00 00
    a0: 05 c0 80 00 00 00 00 00 00 00 00 00 00 00 00 00
    b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    c0: 11 00 07 80 00 e0 0f 00 00 f0 0f 00 00 00 00 00
    d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Any ideas?

Original report at (with full kernel log etc): https://forum.qubes-os.org/t/yet-another-usb-keyboard-thread/38355/8

#regzbot introduced: v6.12.59..v6.17.9

-- 
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab

