Lo! Just booted 6.9 for the first time and noticed the Bluetooth code
causes an Oops (see below) during boot that did not happen with 6.8 and
earlier. This is on Fedora 40 with a vanilla kernel on a Lenovo Thinkpad
T14s Gen1 AMD.
Do I need to bisect this? Or is this known already? Or does anyone by
chance have an idea what might cause this? Or is there some other way to get
down to the problem?
Ciao, Thorsten
[Full dmesg: https://www.leemhuis.info/files/misc/dmesg-6.9-btprob]
[ 19.903869] Bluetooth: hci0: Found device firmware: intel/ibt-20-1-3.sfi
[ 19.903908] Bluetooth: hci0: Boot Address: 0x24800
[ 19.903913] Bluetooth: hci0: Firmware Version: 255-255.255
[ 19.906245] usb 6-4: USB disconnect, device number 3
[ 19.906364] usb 2-2: Found UVC 1.50 device Integrated Camera (04f2:b6cb)
[ 19.906583] Bluetooth: hci0: FW download error recovery failed (-19)
[ 19.906649] Bluetooth: hci0: sending frame failed (-19)
[ 19.906666] BUG: kernel NULL pointer dereference, address: 0000000000000070
[ 19.906672] #PF: supervisor read access in kernel mode
[ 19.906677] #PF: error_code(0x0000) - not-present page
[ 19.906681] PGD 0 P4D 0
[ 19.906688] Oops: 0000 [#1] PREEMPT SMP NOPTI
[ 19.906701] Hardware name: LENOVO 20UH001HGE/20UH001HGE, BIOS R1CET77W(1.46 ) 10/26/2023
[ 19.906706] Workqueue: hci0 hci_power_on [bluetooth]
[ 19.906775] RIP: 0010:btintel_read_debug_features (/usr/src/debug/[...]/drivers/bluetooth/btintel.c:1306) btintel
[ 19.906789] Code: 00 00 00 48 89 6c 24 08 48 89 f5 48 8d 4c 24 07 be a6 fc 00 00 c6 44 24 07 01 e8 30 46 2a 00 48 89 c3 48 3d 00 f0 ff ff 77 49 <83> 78 70 13 75 67 48 8b 80 d0 00 00 00 be 02 00 00 00 48 89 df 48
All code
========
0: 00 00 add %al,(%rax)
2: 00 48 89 add %cl,-0x77(%rax)
5: 6c insb (%dx),%es:(%rdi)
6: 24 08 and $0x8,%al
8: 48 89 f5 mov %rsi,%rbp
b: 48 8d 4c 24 07 lea 0x7(%rsp),%rcx
10: be a6 fc 00 00 mov $0xfca6,%esi
15: c6 44 24 07 01 movb $0x1,0x7(%rsp)
1a: e8 30 46 2a 00 call 0x2a464f
1f: 48 89 c3 mov %rax,%rbx
22: 48 3d 00 f0 ff ff cmp $0xfffffffffffff000,%rax
28: 77 49 ja 0x73
2a:* 83 78 70 13 cmpl $0x13,0x70(%rax) <-- trapping instruction
2e: 75 67 jne 0x97
30: 48 8b 80 d0 00 00 00 mov 0xd0(%rax),%rax
37: be 02 00 00 00 mov $0x2,%esi
3c: 48 89 df mov %rbx,%rdi
3f: 48 rex.W
Code starting with the faulting instruction
===========================================
0: 83 78 70 13 cmpl $0x13,0x70(%rax)
4: 75 67 jne 0x6d
6: 48 8b 80 d0 00 00 00 mov 0xd0(%rax),%rax
d: be 02 00 00 00 mov $0x2,%esi
12: 48 89 df mov %rbx,%rdi
15: 48 rex.W
[ 19.906795] RSP: 0018:ffffb2bd80797cc0 EFLAGS: 00010207
[ 19.906801] RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffff903285506ab0
[ 19.906806] RDX: 0000000000000000 RSI: 0000000000000202 RDI: ffff903285506aa8
[ 19.906810] RBP: ffffb2bd80797cf0 R08: ffff903285506ab0 R09: 0000000000000000
[ 19.906814] R10: 000000000000000a R11: 0000000000000000 R12: ffff903285506000
[ 19.906818] R13: ffffb2bd80797d3e R14: ffff9032855066c8 R15: 0000000000000000
[ 19.906823] FS: 0000000000000000(0000) GS:ffff90357fb00000(0000) knlGS:0000000000000000
[ 19.906828] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 19.906832] CR2: 0000000000000070 CR3: 0000000104fb4000 CR4: 0000000000350ef0
[ 19.906837] Call Trace:
[ 19.906842] <TASK>
[ 19.906846] ? __die_body.cold (/usr/src/debug/[...]/arch/x86/kernel/dumpstack.c:478 (discriminator 1) /usr/src/debug/[...]/arch/x86/kernel/dumpstack.c:465 (discriminator 1) /usr/src/debug/[...]/arch/x86/kernel/dumpstack.c:420 (discriminator 1))
[ 19.906856] ? page_fault_oops (/usr/src/debug/[...]/arch/x86/mm/fault.c:709 (discriminator 1))
[ 19.906869] ? exc_page_fault (/usr/src/debug/[...]/./arch/x86/include/asm/paravirt.h:693 /usr/src/debug/[...]/arch/x86/mm/fault.c:1513 /usr/src/debug/[...]/arch/x86/mm/fault.c:1563)
[ 19.906877] ? asm_exc_page_fault (/usr/src/debug/[...]/./arch/x86/include/asm/idtentry.h:623)
[ 19.906889] ? btintel_read_debug_features (/usr/src/debug/[...]/drivers/bluetooth/btintel.c:1306) btintel
[ 19.906903] btintel_register_devcoredump_support.isra.0 (/usr/src/debug/[...]/drivers/bluetooth/btintel.c:1531) btintel
[ 19.906917] btintel_setup_combined (/usr/src/debug/[...]/drivers/bluetooth/btintel.c:2993) btintel
[ 19.906928] ? rpm_check_suspend_allowed (/usr/src/debug/[...]/drivers/base/power/runtime.c:277 (discriminator 1))
[ 19.906943] hci_dev_open_sync (/usr/src/debug/[...]/net/bluetooth/hci_sync.c:4820 /usr/src/debug/[...]/net/bluetooth/hci_sync.c:4888 /usr/src/debug/[...]/net/bluetooth/hci_sync.c:4988) bluetooth
[ 19.907012] ? ttwu_queue_wakelist (/usr/src/debug/[...]/kernel/sched/core.c:4036)
[ 19.907022] hci_dev_do_open (/usr/src/debug/[...]/net/bluetooth/hci_core.c:485) bluetooth
[ 19.907078] hci_power_on (/usr/src/debug/[...]/net/bluetooth/hci_core.c:1016) bluetooth
[ 19.907135] process_one_work (/usr/src/debug/[...]/./arch/x86/include/asm/jump_label.h:27 /usr/src/debug/[...]/./include/linux/jump_label.h:207 /usr/src/debug/[...]/./include/trace/events/workqueue.h:108 /usr/src/debug/[...]/kernel/workqueue.c:3259)
[ 19.907144] worker_thread (/usr/src/debug/[...]/kernel/workqueue.c:3329 (discriminator 2) /usr/src/debug/[...]/kernel/workqueue.c:3416 (discriminator 2))
[ 19.907152] ? __pfx_worker_thread (/usr/src/debug/[...]/kernel/workqueue.c:3362)
[ 19.907157] kthread (/usr/src/debug/[...]/kernel/kthread.c:388)
[ 19.907164] ? __pfx_kthread (/usr/src/debug/[...]/kernel/kthread.c:341)
[ 19.907171] ret_from_fork (/usr/src/debug/[...]/arch/x86/kernel/process.c:153)
[ 19.907180] ? __pfx_kthread (/usr/src/debug/[...]/kernel/kthread.c:341)
[ 19.907186] ret_from_fork_asm (/usr/src/debug/[...]/arch/x86/entry/entry_64.S:256)
[ 19.907199] </TASK>
[ 19.907203] Modules linked in: amd_atl ac97_bus snd_intel_dspcfg snd_pcm_dmaengine intel_rapl_common snd_intel_sdw_acpi snd_rpl_pci_acp6x snd_acp_pci snd_hda_codec uvcvideo(+) edac_mce_amd uvc snd_hda_core snd_acp_legacy_common snd_pci_acp6x snd_hwdep kvm_amd videobuf2_vmalloc btusb videobuf2_memops snd_seq tps6598x videobuf2_v4l2 btrtl kvm videobuf2_common btintel btbcm snd_seq_device videodev ledtrig_audio btmtk iwlwifi snd_pci_acp5x vfat think_lmi(+) firmware_attributes_class rapl bluetooth mc pcspkr snd_pcm acpi_cpufreq fat wmi_bmof cfg80211 snd_rn_pci_acp3x snd_acp_config thinkpad_acpi snd_soc_acpi k10temp snd_timer platform_profile ipmi_devintf snd_pci_acp3x i2c_piix4 snd rfkill ipmi_msghandler soundcore serial_multi_instantiate i2c_scmi amd_pmc joydev loop dm_multipath nfnetlink zram dm_crypt r8152 uas mii usb_storage amdgpu crct10dif_pclmul crc32_pclmul crc32c_intel amdxcp polyval_clmulni i2c_algo_bit rtsx_pci_sdmmc drm_ttm_helper polyval_generic ttm ghash_clmulni_intel drm_exec mmc_core nvme sha512_ssse3
[ 19.907365] gpu_sched drm_suballoc_helper sha256_ssse3 drm_buddy sha1_ssse3 drm_display_helper nvme_core ucsi_acpi nvme_auth ccp typec_ucsi rtsx_pci cec r8169 sp5100_tco typec realtek video wmi serio_raw hid_microsoft ff_memless scsi_dh_rdac scsi_dh_emc scsi_dh_alua ip6_tables ip_tables pkcs8_key_parser fuse
[ 19.907429] CR2: 0000000000000070
[ 19.907435] ---[ end trace 0000000000000000 ]---
[ 19.907439] RIP: 0010:btintel_read_debug_features (/usr/src/debug/[...]/drivers/bluetooth/btintel.c:1306) btintel
[ 19.907452] Code: 00 00 00 48 89 6c 24 08 48 89 f5 48 8d 4c 24 07 be a6 fc 00 00 c6 44 24 07 01 e8 30 46 2a 00 48 89 c3 48 3d 00 f0 ff ff 77 49 <83> 78 70 13 75 67 48 8b 80 d0 00 00 00 be 02 00 00 00 48 89 df 48
All code
========
0: 00 00 add %al,(%rax)
2: 00 48 89 add %cl,-0x77(%rax)
5: 6c insb (%dx),%es:(%rdi)
6: 24 08 and $0x8,%al
8: 48 89 f5 mov %rsi,%rbp
b: 48 8d 4c 24 07 lea 0x7(%rsp),%rcx
10: be a6 fc 00 00 mov $0xfca6,%esi
15: c6 44 24 07 01 movb $0x1,0x7(%rsp)
1a: e8 30 46 2a 00 call 0x2a464f
1f: 48 89 c3 mov %rax,%rbx
22: 48 3d 00 f0 ff ff cmp $0xfffffffffffff000,%rax
28: 77 49 ja 0x73
2a:* 83 78 70 13 cmpl $0x13,0x70(%rax) <-- trapping instruction
2e: 75 67 jne 0x97
30: 48 8b 80 d0 00 00 00 mov 0xd0(%rax),%rax
37: be 02 00 00 00 mov $0x2,%esi
3c: 48 89 df mov %rbx,%rdi
3f: 48 rex.W
Code starting with the faulting instruction
===========================================
0: 83 78 70 13 cmpl $0x13,0x70(%rax)
4: 75 67 jne 0x6d
6: 48 8b 80 d0 00 00 00 mov 0xd0(%rax),%rax
d: be 02 00 00 00 mov $0x2,%esi
12: 48 89 df mov %rbx,%rdi
15: 48 rex.W
[ 19.907457] RSP: 0018:ffffb2bd80797cc0 EFLAGS: 00010207
[ 19.907463] RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffff903285506ab0
[ 19.907468] RDX: 0000000000000000 RSI: 0000000000000202 RDI: ffff903285506aa8
[ 19.907473] RBP: ffffb2bd80797cf0 R08: ffff903285506ab0 R09: 0000000000000000
[ 19.907477] R10: 000000000000000a R11: 0000000000000000 R12: ffff903285506000
[ 19.907481] R13: ffffb2bd80797d3e R14: ffff9032855066c8 R15: 0000000000000000
[ 19.907486] FS: 0000000000000000(0000) GS:ffff90357fb00000(0000) knlGS:0000000000000000
[ 19.907491] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 19.907496] CR2: 0000000000000070 CR3: 0000000104fb4000 CR4: 0000000000350ef0
[ 19.907501] note: kworker/u51:0[158] exited with irqs disabled
[ 19.911758] usbcore: registered new interface driver uvcvideo
[ 19.921626] intel_rapl_common: Found RAPL domain package
[ 19.921637] intel_rapl_common: Found RAPL domain core
--
#regzbot introduced v6.8..v6.9-rc1
#regzbot title bluetooth: oops during init in btintel_read_debug_features
#regzbot ignore-activity
Hi Thorsten,
On Tue, Mar 26, 2024 at 4:44 AM Thorsten Leemhuis <[email protected]> wrote:
>
> Lo! Just booted 6.9 for the first time and noticed the Bluetooth code
> causes an Oops (see below) during boot that did not happen with 6.8 and
> earlier. This is on Fedora 40 with a vanilla kernel on a Lenovo Thinkpad
> T14s Gen1 AMD.
>
> Do I need to bisect this? Or is this known already? Or does anyone by
> chance have an idea what might cause this? Or is there some other way to get
> down to the problem?
>
> Ciao, Thorsten
>
> [Full dmesg: https://www.leemhuis.info/files/misc/dmesg-6.9-btprob]
>
> [ 19.903869] Bluetooth: hci0: Found device firmware: intel/ibt-20-1-3.sfi
> [ 19.903908] Bluetooth: hci0: Boot Address: 0x24800
> [ 19.903913] Bluetooth: hci0: Firmware Version: 255-255.255
> [ 19.906245] usb 6-4: USB disconnect, device number 3
> [ 19.906364] usb 2-2: Found UVC 1.50 device Integrated Camera (04f2:b6cb)
> [ 19.906583] Bluetooth: hci0: FW download error recovery failed (-19)
> [ 19.906649] Bluetooth: hci0: sending frame failed (-19)
> [ 19.906666] BUG: kernel NULL pointer dereference, address: 0000000000000070
> [ 19.906672] #PF: supervisor read access in kernel mode
> [ 19.906677] #PF: error_code(0x0000) - not-present page
> [ 19.906681] PGD 0 P4D 0
> [ 19.906688] Oops: 0000 [#1] PREEMPT SMP NOPTI
> [ 19.906701] Hardware name: LENOVO 20UH001HGE/20UH001HGE, BIOS R1CET77W(1.46 ) 10/26/2023
> [ 19.906706] Workqueue: hci0 hci_power_on [bluetooth]
> [ 19.906775] RIP: 0010:btintel_read_debug_features (/usr/src/debug/[...]/drivers/bluetooth/btintel.c:1306) btintel
Seems like the following could be the reason:
https://patchwork.kernel.org/project/bluetooth/patch/[email protected]/
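The decoded oops above shows the shape of the failure: the `cmp $0xfffffffffffff000,%rax; ja` pair is the kernel's IS_ERR() test, RAX is 0 at the trap, and the next instruction reads `0x70(%rax)`, so a NULL return passed the error check and was dereferenced. The following user-space model is an added example (not kernel code, not the patch linked above) of that check pattern; `struct model_skb`, `cmd_sync()` and `read_features()` are hypothetical stand-ins whose only realistic detail is the 0x70 offset and the 0x13 length from the register dump.

```c
/* Added example: user-space model of the IS_ERR()-only guard seen in the
 * decoded oops. ERR_PTR-encoded returns are caught; a plain NULL is not.
 * struct model_skb and the helpers below are hypothetical, not sk_buff. */
#include <errno.h>
#include <stddef.h>
#include <stdint.h>

#define MAX_ERRNO   4095
#define NULL_DEREF  1        /* sentinel: the real code would oops here */

/* Hypothetical reply buffer; only the field offset (0x70) matches the oops. */
struct model_skb { char pad[0x70]; unsigned int len; };

static inline void *ERR_PTR(long err)        { return (void *)err; }
static inline long  PTR_ERR(const void *p)   { return (long)p; }
/* Same predicate the compiler emitted as cmp $-4096,%rax; ja: p >= -4095 */
static inline int IS_ERR(const void *p)
{ return (uintptr_t)p >= (uintptr_t)-MAX_ERRNO; }
static inline int IS_ERR_OR_NULL(const void *p) { return !p || IS_ERR(p); }

static struct model_skb reply = { .len = 0x13 };

/* Hypothetical command helper: a hardware error comes back as ERR_PTR, but
 * one path (transport gone, like the -19/ENODEV in the log) returns NULL. */
static void *cmd_sync(int transport_state)
{
    if (transport_state == 1) return ERR_PTR(-EIO);
    if (transport_state == 2) return NULL;
    return &reply;
}

/* Caller modelled on the faulting sequence: issue command, check result,
 * read skb->len at +0x70 (the cmpl $0x13,0x70(%rax) in the oops).
 * hardened=0: only IS_ERR() guards the read (the pattern that trapped).
 * hardened=1: NULL is also rejected and reported as -ENODEV. */
int read_features(int transport_state, int hardened, unsigned int *len)
{
    struct model_skb *skb = cmd_sync(transport_state);

    if (hardened ? IS_ERR_OR_NULL(skb) : IS_ERR(skb))
        return skb ? (int)PTR_ERR(skb) : -ENODEV;
    if (!skb)
        return NULL_DEREF;   /* stand-in for dereferencing skb->len at 0x70 */
    *len = skb->len;
    return 0;
}
```

With hardened=0 the NULL case returns the sentinel instead of crashing, which is the only difference between this model and the trap in the log.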