* btmtk: regression in 6.6.142: NULL pointer dereference in btmtk_usb_hci_wmt_sync during resume from S4
@ 2026-07-03  6:34 Thorsten Leemhuis
  2026-07-04  2:05 ` Sasha Levin
  0 siblings, 1 reply; 2+ messages in thread
From: Thorsten Leemhuis @ 2026-07-03  6:34 UTC (permalink / raw)
  To: Chris Lu, Sean Wang
  Cc: Linux kernel regressions list, linux-mediatek, linux-kernel,
	linux-bluetooth, stable@vger.kernel.org

Hi Chris & Sean! I noticed a report about a regression with btmtk that
happens in 6.6.y series. This strictly speaking is the domain of the
stable team, but maybe you want to take a look nevertheless:

https://bugzilla.kernel.org/show_bug.cgi?id=221696

To quote:
"""
I have a problem that appeared in the 6.6.y series recently, I believe
in or around f0457842215438786e2e205ad06a4fbb8ab63cd0, although I
haven't bisected. The problem did not exist in 6.6.140 but does exist in
6.6.142 and 6.6.143.

The problem — during resume from hibernation (platform S4) I see this
NULL pointer dereference in the kernel log:

BUG: kernel NULL pointer dereference, address: 0000000000000219
#PF: supervisor read access in kernel mode
#PF: error_code(0x0000) - not-present page
PGD 0 P4D 0
Oops: 0000 [#1] SMP
CPU: 7 PID: 214 Comm: kworker/u33:0 Not tainted 6.6.143-gentoo #1
Hardware name: Framework Laptop 16 (AMD Ryzen 7040 Series)/FRANMZCP09,
BIOS 04.03 12/22/2025
Workqueue: hci0 hci_power_on
RIP: 0010:__pm_runtime_resume+0x15/0x80
Code: 55 fe ff ff 83 e0 02 45 31 e4 e9 45 fd ff ff 66 0f 1f 44 00 00 f3
0f 1e fa 41 54 55 53 48 89 fb 48 83 ec…
RSP: 0018:ffffc90004a37c18 EFLAGS: 00010246
RAX: ffff88810bdcd4f8 RBX: 0000000000000050 RCX: 0000000000000000
RDX: 0000000000000035 RSI: 0000000000000004 RDI: 0000000000000050
RBP: 0000000000000035 R08: ffff888fdfde6bd0 R09: ffff888101338a40
R10: 0000000000000001 R11: 0000000000000040 R12: ffff888101338a40
R13: ffffc90004a37cc0 R14: 000000000000003a R15: ffffc90004a37cb4
FS:  0000000000000000(0000) GS:ffff888fdfdc0000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000219 CR3: 0000000003e11000 CR4: 0000000000750ee0
PKRU: 55555554
Call Trace:
 <TASK>
 usb_autopm_get_interface+0x1a/0x50
 btmtk_usb_hci_wmt_sync+0xb8/0x480
 ? btmtk_usb_wmt_recv+0x240/0x240
 btmtk_setup_firmware_79xx+0x1a4/0x360
 btusb_mtk_setup+0x45b/0x690
 hci_dev_open_sync+0xdd/0xa40
 ? try_to_wake_up+0x235/0x510
 hci_power_on+0x69/0x2b0
 ? lock_timer_base+0x6a/0x90
 process_one_work+0x154/0x2f0
 ? process_one_work+0x2f0/0x2f0
 worker_thread+0x18b/0x310
 kthread+0xe0/0x110
 ? kthread_complete_and_exit+0x30/0x30
 ret_from_fork+0x2c/0x40
 ? kthread_complete_and_exit+0x30/0x30
 ret_from_fork_asm+0x11/0x20
 </TASK>
CR2: 0000000000000219
---[ end trace 0000000000000000 ]---

The BUG dump appears while the system is waiting for me to enter my LUKS
passphrase — i.e., *before* the initramfs writes the swap device
major:minor to /sys/power/resume to initiate resume from hibernation.

I am still running kernel 6.6.140 in my current session. In other words,
a 6.6.143 kernel is booting to resume a suspended session that is
running a 6.6.140 kernel.
"""

This does not happen in mainline -- apparently it is fixed by
"Bluetooth: btmtk: move btusb_mtk_[setup, shutdown] to btmtk.c"

Ciao, Thorsten

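The oops quoted in the report above, run through a small triage parser. This is an added example, not code from the thread or from the kernel tree. It extracts the faulting address, the RIP symbol, the reliable call-trace frames (the `?` entries are stale stack words, not real callers) and the general-purpose registers, then classifies the fault: an address inside the first page means a NULL or near-NULL base pointer plus a struct-field offset was dereferenced, which is what a fault at 0x219 with a 0x50 in RDI looks like. The sample input is the page's own oops with the truncated Code: line and a few register lines dropped; the driver prefixes `btmtk_` and `btusb_` are an assumption about which symbols belong to the driver under investigation.

```python
import re

# Constructed from the oops in the quoted bug report; the truncated "Code:" line
# and a few register lines are omitted for brevity.
SAMPLE_OOPS = """\
BUG: kernel NULL pointer dereference, address: 0000000000000219
CPU: 7 PID: 214 Comm: kworker/u33:0 Not tainted 6.6.143-gentoo #1
Workqueue: hci0 hci_power_on
RIP: 0010:__pm_runtime_resume+0x15/0x80
RSP: 0018:ffffc90004a37c18 EFLAGS: 00010246
RAX: ffff88810bdcd4f8 RBX: 0000000000000050 RCX: 0000000000000000
RDX: 0000000000000035 RSI: 0000000000000004 RDI: 0000000000000050
CR2: 0000000000000219 CR3: 0000000003e11000 CR4: 0000000000750ee0
Call Trace:
 <TASK>
 usb_autopm_get_interface+0x1a/0x50
 btmtk_usb_hci_wmt_sync+0xb8/0x480
 ? btmtk_usb_wmt_recv+0x240/0x240
 btmtk_setup_firmware_79xx+0x1a4/0x360
 btusb_mtk_setup+0x45b/0x690
 hci_dev_open_sync+0xdd/0xa40
 ? try_to_wake_up+0x235/0x510
 hci_power_on+0x69/0x2b0
 ? lock_timer_base+0x6a/0x90
 process_one_work+0x154/0x2f0
 ? process_one_work+0x2f0/0x2f0
 worker_thread+0x18b/0x310
 kthread+0xe0/0x110
 ? kthread_complete_and_exit+0x30/0x30
 ret_from_fork+0x2c/0x40
 ? kthread_complete_and_exit+0x30/0x30
 ret_from_fork_asm+0x11/0x20
 </TASK>
---[ end trace 0000000000000000 ]---
"""

PAGE_SIZE = 0x1000
FAULT_RE = re.compile(r"NULL pointer dereference, address: ([0-9a-f]+)")
RIP_RE = re.compile(r"^RIP: [0-9a-f]{4}:(\S+)")
# " sym+0xoff/0xsize", optionally prefixed by "? " (unreliable stack entry)
FRAME_RE = re.compile(r"^\s*(\?\s+)?([A-Za-z_][\w.]*)\+0x[0-9a-f]+/0x[0-9a-f]+$")
# 64-bit GPR dumps: "RAX: <16 hex>", "R08: <16 hex>", ...
REG_RE = re.compile(r"\b(R[A-Z][A-Z]|R\d\d): ([0-9a-f]{16})\b")


def parse_oops(text):
    """Return fault address, RIP symbol, reliable/unreliable frames and GPRs."""
    info = {"fault_addr": None, "rip": None, "frames": [], "unreliable": [], "regs": {}}
    in_trace = False
    for line in text.splitlines():
        m = FAULT_RE.search(line)
        if m:
            info["fault_addr"] = int(m.group(1), 16)
            continue
        m = RIP_RE.match(line)
        if m:
            info["rip"] = m.group(1)
            continue
        for reg, val in REG_RE.findall(line):
            info["regs"][reg] = int(val, 16)
        if line.startswith("Call Trace:"):
            in_trace = True
        elif in_trace:
            m = FRAME_RE.match(line)
            if m:
                bucket = info["unreliable"] if m.group(1) else info["frames"]
                bucket.append(m.group(2))
            elif line.strip() == "</TASK>":
                in_trace = False
    return info


def classify(info):
    """('near-null', addr) when the fault lies in the first page, else ('wild', addr)."""
    addr = info["fault_addr"]
    if addr is None:
        return ("unknown", None)
    if addr < PAGE_SIZE:
        # A base pointer of NULL (or a small garbage value) plus a struct-field
        # offset lands in the unmapped zero page; the offset hints at the field.
        return ("near-null", addr)
    return ("wild", addr)


def driver_frames(info, prefixes=("btmtk_", "btusb_")):
    """Reliable frames belonging to the driver under suspicion (prefixes assumed)."""
    return [f for f in info["frames"] if f.startswith(prefixes)]


def summarize(text):
    """One-line triage summary: fault kind, address, RIP symbol, first driver frame."""
    info = parse_oops(text)
    kind, addr = classify(info)
    drv = driver_frames(info)
    return (f"fault {kind} at {addr or 0:#x} in {info['rip']}; "
            f"first driver frame: {drv[0] if drv else 'none'}; "
            f"RDI={info['regs'].get('RDI', 0):#x}")


if __name__ == "__main__":
    print(summarize(SAMPLE_OOPS))
```

The first reliable driver frame (`btmtk_usb_hci_wmt_sync`) is where triage starts: the crash itself is inside core PM code, but the pointer it was handed came from the driver, which matches the thread's conclusion that a missing backport in the btmtk/btusb chain is the cause.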

* Re: btmtk: regression in 6.6.142: NULL pointer dereference in btmtk_usb_hci_wmt_sync during resume from S4
  2026-07-03  6:34 btmtk: regression in 6.6.142: NULL pointer dereference in btmtk_usb_hci_wmt_sync during resume from S4 Thorsten Leemhuis
@ 2026-07-04  2:05 ` Sasha Levin
  0 siblings, 0 replies; 2+ messages in thread
From: Sasha Levin @ 2026-07-04  2:05 UTC (permalink / raw)
  To: Chris Lu, Sean Wang
  Cc: Sasha Levin, Linux kernel regressions list, linux-mediatek,
	linux-kernel, linux-bluetooth, stable, Thorsten Leemhuis

On Thu, Jul 03, 2026 at 08:34:04AM +0200, Thorsten Leemhuis wrote:
> Hi Chris & Sean! I noticed a report about a regression with btmtk that
> happens in 6.6.y series. This strictly speaking is the domain of the
> stable team, but maybe you want to take a look nevertheless:
>
> https://bugzilla.kernel.org/show_bug.cgi?id=221696

Thanks for the report!

I've queued the missing part of the upstream chain for 6.6.y: 5c5e8c52e3caf
plus its follow-up fixes 67dba2c28fe0af ("Bluetooth: btmtk: Fix failed to send
func ctrl for MediaTek devices."), 099799fa9b76c5 ("Bluetooth: btmtk: Fix
wait_on_bit_timeout interruption during shutdown"), and f0c83a23fcbb42
("Bluetooth: btmtk: Fix btmtk.c undefined reference build error").

-- 
Thanks,
Sasha

