[Bug 221696] New: btmtk: regression in 6.6.142: NULL pointer dereference in btmtk_usb_hci_wmt_sync during resume from S4

[bugzilla-daemon@kernel.org]

https://bugzilla.kernel.org/show_bug.cgi?id=221696

            Bug ID: 221696
           Summary: btmtk: regression in 6.6.142: NULL pointer dereference
                    in btmtk_usb_hci_wmt_sync during resume from S4
           Product: Drivers
           Version: 2.5
    Kernel Version: 6.6.142
          Hardware: All
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: P3
         Component: Bluetooth
          Assignee: linux-bluetooth@vger.kernel.org
          Reporter: kernel@mattwhitlock.name
        Regression: Yes

I have a problem that appeared in the 6.6.y series recently, I believe in or
around f0457842215438786e2e205ad06a4fbb8ab63cd0, although I haven't bisected.
The problem did not exist in 6.6.140 but does exist in 6.6.142 and 6.6.143.

The problem — during resume from hibernation (platform S4) I see this NULL
pointer dereference in the kernel log:

BUG: kernel NULL pointer dereference, address: 0000000000000219
#PF: supervisor read access in kernel mode
#PF: error_code(0x0000) - not-present page
PGD 0 P4D 0
Oops: 0000 [#1] SMP
CPU: 7 PID: 214 Comm: kworker/u33:0 Not tainted 6.6.143-gentoo #1
Hardware name: Framework Laptop 16 (AMD Ryzen 7040 Series)/FRANMZCP09, BIOS
04.03 12/22/2025
Workqueue: hci0 hci_power_on
RIP: 0010:__pm_runtime_resume+0x15/0x80
Code: 55 fe ff ff 83 e0 02 45 31 e4 e9 45 fd ff ff 66 0f 1f 44 00 00 f3 0f 1e
fa 41 54 55 53 48 89 fb 48 83 ec…
RSP: 0018:ffffc90004a37c18 EFLAGS: 00010246
RAX: ffff88810bdcd4f8 RBX: 0000000000000050 RCX: 0000000000000000
RDX: 0000000000000035 RSI: 0000000000000004 RDI: 0000000000000050
RBP: 0000000000000035 R08: ffff888fdfde6bd0 R09: ffff888101338a40
R10: 0000000000000001 R11: 0000000000000040 R12: ffff888101338a40
R13: ffffc90004a37cc0 R14: 000000000000003a R15: ffffc90004a37cb4
FS:  0000000000000000(0000) GS:ffff888fdfdc0000(0000) knlGS:0000000000000000
GS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000219 CR3: 0000000003e11000 CR4: 0000000000750ee0
PKRU: 55555554
Call Trace:
 <TASK>
 usb_autopm_get_interface+0x1a/0x50
 btmtk_usb_hci_wmt_sync+0xb8/0x480
 ? btmtk_usb_wmt_recv+0x240/0x240
 btmtk_setup_firmware_79xx+0x1a4/0x360
 btusb_mtk_setup+0x45b/0x690
 hci_dev_open_sync+0xdd/0xa40
 ? try_to_wake_up+0x235/0x510
 hci_power_on+0x69/0x2b0
 ? lock_timer_base+0x6a/0x90
 process_one_work+0x154/0x2f0
 ? process_one_work+0x2f0/0x2f0
 worker_thread+0x18b/0x310
 kthread+0xe0/0x110
 ? kthread_complete_and_exit+0x30/0x30
 ret_from_fork+0x2c/0x40
 ? kthread_complete_and_exit+0x30/0x30
 ret_from_frok_asm+0x11/0x20
 </TASK>
CR2: 0000000000000219
---[ end trace 0000000000000000 ]---

The BUG dump appears while the system is waiting for me to enter my LUKS
passphrase — i.e., *before* the initramfs writes the swap device major:minor to
/sys/power/resume to initiate resume from hibernation.

I am still running kernel 6.6.140 in my current session. In other words, a
6.6.143 kernel is booting to resume a suspended session that is running a
6.6.140 kernel.

-- 
You may reply to this email to add a comment.

You are receiving this mail because:
You are the assignee for the bug.