6.8.2-rc1 review

[PATCH 6.8 308/715] Bluetooth: hci_core: Cancel request on command timeout

Posted by Sasha Levin 1 year, 8 months ago

From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>

[ Upstream commit 63298d6e752fc0ec7f5093860af8bc9f047b30c8 ]

If command has timed out call __hci_cmd_sync_cancel to notify the
hci_req since it will inevitably cause a timeout.

This also rework the code around __hci_cmd_sync_cancel since it was
wrongly assuming it needs to cancel timer as well, but sometimes the
timers have not been started or in fact they already had timed out in
which case they don't need to be cancel yet again.

Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Stable-dep-of: 2615fd9a7c25 ("Bluetooth: hci_sync: Fix overwriting request callback")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 include/net/bluetooth/hci_sync.h |  2 +-
 net/bluetooth/hci_core.c         | 84 ++++++++++++++++++++++----------
 net/bluetooth/hci_request.c      |  2 +-
 net/bluetooth/hci_sync.c         | 20 ++++----
 net/bluetooth/mgmt.c             |  2 +-
 5 files changed, 71 insertions(+), 39 deletions(-)

diff --git a/include/net/bluetooth/hci_sync.h b/include/net/bluetooth/hci_sync.h
index 6efbc2152146b..e2582c2425449 100644
--- a/include/net/bluetooth/hci_sync.h
+++ b/include/net/bluetooth/hci_sync.h
@@ -42,7 +42,7 @@ int __hci_cmd_sync_status_sk(struct hci_dev *hdev, u16 opcode, u32 plen,
 void hci_cmd_sync_init(struct hci_dev *hdev);
 void hci_cmd_sync_clear(struct hci_dev *hdev);
 void hci_cmd_sync_cancel(struct hci_dev *hdev, int err);
-void __hci_cmd_sync_cancel(struct hci_dev *hdev, int err);
+void hci_cmd_sync_cancel_sync(struct hci_dev *hdev, int err);
 
 int hci_cmd_sync_submit(struct hci_dev *hdev, hci_cmd_sync_work_func_t func,
 			void *data, hci_cmd_sync_work_destroy_t destroy);
diff --git a/net/bluetooth/hci_core.c b/net/bluetooth/hci_core.c
index 2821a42cefdc6..539305b9a0e27 100644
--- a/net/bluetooth/hci_core.c
+++ b/net/bluetooth/hci_core.c
@@ -1492,10 +1492,11 @@ static void hci_cmd_timeout(struct work_struct *work)
 					    cmd_timer.work);
 
 	if (hdev->sent_cmd) {
-		struct hci_command_hdr *sent = (void *) hdev->sent_cmd->data;
-		u16 opcode = __le16_to_cpu(sent->opcode);
+		u16 opcode = hci_skb_opcode(hdev->sent_cmd);
 
 		bt_dev_err(hdev, "command 0x%4.4x tx timeout", opcode);
+
+		hci_cmd_sync_cancel_sync(hdev, ETIMEDOUT);
 	} else {
 		bt_dev_err(hdev, "command tx timeout");
 	}
@@ -2826,6 +2827,23 @@ int hci_unregister_suspend_notifier(struct hci_dev *hdev)
 	return ret;
 }
 
+/* Cancel ongoing command synchronously:
+ *
+ * - Cancel command timer
+ * - Reset command counter
+ * - Cancel command request
+ */
+static void hci_cancel_cmd_sync(struct hci_dev *hdev, int err)
+{
+	bt_dev_dbg(hdev, "err 0x%2.2x", err);
+
+	cancel_delayed_work_sync(&hdev->cmd_timer);
+	cancel_delayed_work_sync(&hdev->ncmd_timer);
+	atomic_set(&hdev->cmd_cnt, 1);
+
+	hci_cmd_sync_cancel_sync(hdev, -err);
+}
+
 /* Suspend HCI device */
 int hci_suspend_dev(struct hci_dev *hdev)
 {
@@ -2843,7 +2861,7 @@ int hci_suspend_dev(struct hci_dev *hdev)
 		return 0;
 
 	/* Cancel potentially blocking sync operation before suspend */
-	__hci_cmd_sync_cancel(hdev, -EHOSTDOWN);
+	hci_cancel_cmd_sync(hdev, -EHOSTDOWN);
 
 	hci_req_sync_lock(hdev);
 	ret = hci_suspend_sync(hdev);
@@ -4128,6 +4146,33 @@ static void hci_rx_work(struct work_struct *work)
 	}
 }
 
+static void hci_send_cmd_sync(struct hci_dev *hdev, struct sk_buff *skb)
+{
+	int err;
+
+	bt_dev_dbg(hdev, "skb %p", skb);
+
+	kfree_skb(hdev->sent_cmd);
+
+	hdev->sent_cmd = skb_clone(skb, GFP_KERNEL);
+	if (!hdev->sent_cmd) {
+		skb_queue_head(&hdev->cmd_q, skb);
+		queue_work(hdev->workqueue, &hdev->cmd_work);
+		return;
+	}
+
+	err = hci_send_frame(hdev, skb);
+	if (err < 0) {
+		hci_cmd_sync_cancel_sync(hdev, err);
+		return;
+	}
+
+	if (hci_req_status_pend(hdev))
+		hci_dev_set_flag(hdev, HCI_CMD_PENDING);
+
+	atomic_dec(&hdev->cmd_cnt);
+}
+
 static void hci_cmd_work(struct work_struct *work)
 {
 	struct hci_dev *hdev = container_of(work, struct hci_dev, cmd_work);
@@ -4142,30 +4187,15 @@ static void hci_cmd_work(struct work_struct *work)
 		if (!skb)
 			return;
 
-		kfree_skb(hdev->sent_cmd);
-
-		hdev->sent_cmd = skb_clone(skb, GFP_KERNEL);
-		if (hdev->sent_cmd) {
-			int res;
-			if (hci_req_status_pend(hdev))
-				hci_dev_set_flag(hdev, HCI_CMD_PENDING);
-			atomic_dec(&hdev->cmd_cnt);
+		hci_send_cmd_sync(hdev, skb);
 
-			res = hci_send_frame(hdev, skb);
-			if (res < 0)
-				__hci_cmd_sync_cancel(hdev, -res);
-
-			rcu_read_lock();
-			if (test_bit(HCI_RESET, &hdev->flags) ||
-			    hci_dev_test_flag(hdev, HCI_CMD_DRAIN_WORKQUEUE))
-				cancel_delayed_work(&hdev->cmd_timer);
-			else
-				queue_delayed_work(hdev->workqueue, &hdev->cmd_timer,
-						   HCI_CMD_TIMEOUT);
-			rcu_read_unlock();
-		} else {
-			skb_queue_head(&hdev->cmd_q, skb);
-			queue_work(hdev->workqueue, &hdev->cmd_work);
-		}
+		rcu_read_lock();
+		if (test_bit(HCI_RESET, &hdev->flags) ||
+		    hci_dev_test_flag(hdev, HCI_CMD_DRAIN_WORKQUEUE))
+			cancel_delayed_work(&hdev->cmd_timer);
+		else
+			queue_delayed_work(hdev->workqueue, &hdev->cmd_timer,
+					   HCI_CMD_TIMEOUT);
+		rcu_read_unlock();
 	}
 }
diff --git a/net/bluetooth/hci_request.c b/net/bluetooth/hci_request.c
index 6e023b0104b03..00e02138003ec 100644
--- a/net/bluetooth/hci_request.c
+++ b/net/bluetooth/hci_request.c
@@ -895,7 +895,7 @@ void hci_request_setup(struct hci_dev *hdev)
 
 void hci_request_cancel_all(struct hci_dev *hdev)
 {
-	__hci_cmd_sync_cancel(hdev, ENODEV);
+	hci_cmd_sync_cancel_sync(hdev, ENODEV);
 
 	cancel_interleave_scan(hdev);
 }
diff --git a/net/bluetooth/hci_sync.c b/net/bluetooth/hci_sync.c
index 5716345a26dfb..5236fe72a8553 100644
--- a/net/bluetooth/hci_sync.c
+++ b/net/bluetooth/hci_sync.c
@@ -584,7 +584,7 @@ void hci_cmd_sync_clear(struct hci_dev *hdev)
 	mutex_unlock(&hdev->cmd_sync_work_lock);
 }
 
-void __hci_cmd_sync_cancel(struct hci_dev *hdev, int err)
+void hci_cmd_sync_cancel(struct hci_dev *hdev, int err)
 {
 	bt_dev_dbg(hdev, "err 0x%2.2x", err);
 
@@ -592,15 +592,17 @@ void __hci_cmd_sync_cancel(struct hci_dev *hdev, int err)
 		hdev->req_result = err;
 		hdev->req_status = HCI_REQ_CANCELED;
 
-		cancel_delayed_work_sync(&hdev->cmd_timer);
-		cancel_delayed_work_sync(&hdev->ncmd_timer);
-		atomic_set(&hdev->cmd_cnt, 1);
-
-		wake_up_interruptible(&hdev->req_wait_q);
+		queue_work(hdev->workqueue, &hdev->cmd_sync_cancel_work);
 	}
 }
+EXPORT_SYMBOL(hci_cmd_sync_cancel);
 
-void hci_cmd_sync_cancel(struct hci_dev *hdev, int err)
+/* Cancel ongoing command request synchronously:
+ *
+ * - Set result and mark status to HCI_REQ_CANCELED
+ * - Wakeup command sync thread
+ */
+void hci_cmd_sync_cancel_sync(struct hci_dev *hdev, int err)
 {
 	bt_dev_dbg(hdev, "err 0x%2.2x", err);
 
@@ -608,10 +610,10 @@ void hci_cmd_sync_cancel(struct hci_dev *hdev, int err)
 		hdev->req_result = err;
 		hdev->req_status = HCI_REQ_CANCELED;
 
-		queue_work(hdev->workqueue, &hdev->cmd_sync_cancel_work);
+		wake_up_interruptible(&hdev->req_wait_q);
 	}
 }
-EXPORT_SYMBOL(hci_cmd_sync_cancel);
+EXPORT_SYMBOL(hci_cmd_sync_cancel_sync);
 
 /* Submit HCI command to be run in as cmd_sync_work:
  *
diff --git a/net/bluetooth/mgmt.c b/net/bluetooth/mgmt.c
index 7490092ccb2de..cc8efdc4ad431 100644
--- a/net/bluetooth/mgmt.c
+++ b/net/bluetooth/mgmt.c
@@ -1404,7 +1404,7 @@ static int set_powered(struct sock *sk, struct hci_dev *hdev, void *data,
 
 	/* Cancel potentially blocking sync operation before power off */
 	if (cp->val == 0x00) {
-		__hci_cmd_sync_cancel(hdev, -EHOSTDOWN);
+		hci_cmd_sync_cancel_sync(hdev, -EHOSTDOWN);
 		err = hci_cmd_sync_queue(hdev, set_powered_sync, cmd,
 					 mgmt_set_powered_complete);
 	} else {
-- 
2.43.0

Bluetooth broken for some people with 6.8.2 [Was: [PATCH 6.8 308/715] Bluetooth: hci_core: Cancel request on command timeout]

Posted by Linux regression tracking (Thorsten Leemhuis) 1 year, 8 months ago

On 24.03.24 23:28, Sasha Levin wrote:
> From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
> 
> [ Upstream commit 63298d6e752fc0ec7f5093860af8bc9f047b30c8 ]
> 
> If command has timed out call __hci_cmd_sync_cancel to notify the
> hci_req since it will inevitably cause a timeout.
> 
> This also rework the code around __hci_cmd_sync_cancel since it was
> wrongly assuming it needs to cancel timer as well, but sometimes the
> timers have not been started or in fact they already had timed out in
> which case they don't need to be cancel yet again.
> 
> Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
> Stable-dep-of: 2615fd9a7c25 ("Bluetooth: hci_sync: Fix overwriting request callback")
> Signed-off-by: Sasha Levin <sashal@kernel.org>

Hey stable team, I wonder if it might be wise to pick up 1c3366abdbe884
("Bluetooth: hci_sync: Fix not checking error on
hci_cmd_sync_cancel_sync") from next
(https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git/commit/?id=1c3366abdbe884)
for the next releases of all series that a few days ago received
63298d6e752fc0 ("Bluetooth: hci_core: Cancel request on command timeout").

The latter patch sadly on quite a few systems causes a Oops due to a
NULL pointer dereference and breaks Bluetooth. This was reported for
mainline here (yes, coincidentally it was reported by yours truly):
https://lore.kernel.org/all/08275279-7462-4f4a-a0ee-8aa015f829bc@leemhuis.info/

Now that the patch landed in 6.8.2 it seems to happen there as well
(guess in 6.7 and others, too), as can be seen from this bug report
where multiple people already joined:
https://bugzilla.kernel.org/show_bug.cgi?id=218651

The fix mentioned above is on the way to Linus, but due to unlucky
timing missed this weeks network pull, hence will likely only reach
mainline next Thursday. But the fix afaics has a stable commit id, so
might be worth picking up soon for the stable releases to fix the
regression quickly.

Ciao, Thorsten

Re: Bluetooth broken for some people with 6.8.2 [Was: [PATCH 6.8 308/715] Bluetooth: hci_core: Cancel request on command timeout]

Posted by Greg KH 1 year, 8 months ago

On Sat, Mar 30, 2024 at 03:59:22PM +0100, Linux regression tracking (Thorsten Leemhuis) wrote:
> On 24.03.24 23:28, Sasha Levin wrote:
> > From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
> > 
> > [ Upstream commit 63298d6e752fc0ec7f5093860af8bc9f047b30c8 ]
> > 
> > If command has timed out call __hci_cmd_sync_cancel to notify the
> > hci_req since it will inevitably cause a timeout.
> > 
> > This also rework the code around __hci_cmd_sync_cancel since it was
> > wrongly assuming it needs to cancel timer as well, but sometimes the
> > timers have not been started or in fact they already had timed out in
> > which case they don't need to be cancel yet again.
> > 
> > Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
> > Stable-dep-of: 2615fd9a7c25 ("Bluetooth: hci_sync: Fix overwriting request callback")
> > Signed-off-by: Sasha Levin <sashal@kernel.org>
> 
> Hey stable team, I wonder if it might be wise to pick up 1c3366abdbe884
> ("Bluetooth: hci_sync: Fix not checking error on
> hci_cmd_sync_cancel_sync") from next
> (https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git/commit/?id=1c3366abdbe884)
> for the next releases of all series that a few days ago received
> 63298d6e752fc0 ("Bluetooth: hci_core: Cancel request on command timeout").
> 
> The latter patch sadly on quite a few systems causes a Oops due to a
> NULL pointer dereference and breaks Bluetooth. This was reported for
> mainline here (yes, coincidentally it was reported by yours truly):
> https://lore.kernel.org/all/08275279-7462-4f4a-a0ee-8aa015f829bc@leemhuis.info/
> 
> Now that the patch landed in 6.8.2 it seems to happen there as well
> (guess in 6.7 and others, too), as can be seen from this bug report
> where multiple people already joined:
> https://bugzilla.kernel.org/show_bug.cgi?id=218651
> 
> The fix mentioned above is on the way to Linus, but due to unlucky
> timing missed this weeks network pull, hence will likely only reach
> mainline next Thursday. But the fix afaics has a stable commit id, so
> might be worth picking up soon for the stable releases to fix the
> regression quickly.

Now queued up, thanks for letting us know.

greg k-h

Re: Bluetooth broken for some people with 6.8.2 [Was: [PATCH 6.8 308/715] Bluetooth: hci_core: Cancel request on command timeout]

Posted by Linux regression tracking (Thorsten Leemhuis) 1 year, 8 months ago

On 30.03.24 17:23, Greg KH wrote:
> On Sat, Mar 30, 2024 at 03:59:22PM +0100, Linux regression tracking (Thorsten Leemhuis) wrote:
>> On 24.03.24 23:28, Sasha Levin wrote:
>>> From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
>>>
>>> [ Upstream commit 63298d6e752fc0ec7f5093860af8bc9f047b30c8 ]
>>>
>>> If command has timed out call __hci_cmd_sync_cancel to notify the
>>> hci_req since it will inevitably cause a timeout.
> [...]
>>> Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
>>> Stable-dep-of: 2615fd9a7c25 ("Bluetooth: hci_sync: Fix overwriting request callback")
>>> Signed-off-by: Sasha Levin <sashal@kernel.org>
>>
>> Hey stable team, I wonder if it might be wise to pick up 1c3366abdbe884
>> ("Bluetooth: hci_sync: Fix not checking error on hci_cmd_sync_cancel_sync") from next
>> (https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git/commit/?id=1c3366abdbe884)
>> for the next releases of all series that a few days ago received
>> 63298d6e752fc0 ("Bluetooth: hci_core: Cancel request on command timeout").
>>
>> The latter patch sadly on quite a few systems causes a Oops due to a
>> NULL pointer dereference and breaks Bluetooth. This was reported for
>> mainline here (yes, coincidentally it was reported by yours truly):
>> https://lore.kernel.org/all/08275279-7462-4f4a-a0ee-8aa015f829bc@leemhuis.info/
>>
>> Now that the patch landed in 6.8.2 it seems to happen there as well
>> (guess in 6.7 and others, too), as can be seen from this bug report
>> where multiple people already joined:
>> https://bugzilla.kernel.org/show_bug.cgi?id=218651
> [...]
> Now queued up, thanks for letting us know.

FWIW, at least one user reported additional BT problems in bugzilla that
might or might not be related to the backports. But I write for a
different reason:

Luiz replied in bugzilla
(https://bugzilla.kernel.org/show_bug.cgi?id=218651#c20) and you might
want to know about it:

"'"
Hmm, was the original change [63298d6e752fc0 ("Bluetooth: hci_core:
Cancel request on command timeout")] backported to stable kernels, afaik
I didn't mark it to Cc stable: [...]

I wonder why it got selected to be backported, in any case I don't think
it is a good idea to attempt to do backporting without having at least a
Fixes tag to begin with otherwise we risk having problems like this
widespread to people not really running the latest where this sort of
problem is sort of expected during the early rc phase, so instead of
having these 2 patches backported we could just remove the above from
the stable trees.
"'"

Luiz: Sasha and Greg can speak for themselves, but the "Stable-dep-of:
2615fd9a7c25 ("Bluetooth: hci_sync: Fix overwriting request callback")"
tag above is a strong indicator why 63298d6e752fc0 was backported.

Ciao, Thorsten (who now hopes the developers sort this out without him
as accidentally man-in-the-middle)

Re: Bluetooth broken for some people with 6.8.2 [Was: [PATCH 6.8 308/715] Bluetooth: hci_core: Cancel request on command timeout]

Posted by Philippe Strauss 1 year, 8 months ago

I'm a good linux sysadmin with basics C abilities and no prior kernel 
dev experience having subscribed to the lkml yesterday to report two 
oopses which may be related:

--

6.8.2

Mar 30 17:27:26 PulseG2 NetworkManager[963]: <info> [1711816046.7303] 
device (wlp3s0): state change: unmanaged -> unavailable (reason 
'managed', sys-iface-state: 'external')
Mar 30 17:27:26 PulseG2 kernel: Bluetooth: hci0: command 0xfc05 tx timeout
Mar 30 17:27:26 PulseG2 kernel: Bluetooth: hci0: Reading Intel version 
command failed (-110)
Mar 30 17:27:27 PulseG2 kernel: iwlwifi 0000:03:00.0: Registered PHC 
clock: iwlwifi-PTP, with index: 0
Mar 30 17:27:27 PulseG2 kernel: BUG: kernel NULL pointer dereference, 
address: 0000000000000027
Mar 30 17:27:27 PulseG2 kernel: #PF: supervisor read access in kernel mode
Mar 30 17:27:27 PulseG2 kernel: #PF: error_code(0x0000) - not-present page
Mar 30 17:27:27 PulseG2 kernel: PGD 0 P4D 0
Mar 30 17:27:27 PulseG2 kernel: Oops: 0000 [#1] PREEMPT SMP PTI
Mar 30 17:27:27 PulseG2 kernel: CPU: 15 PID: 963 Comm: NetworkManager 
Not tainted 6.8.2 #1
Mar 30 17:27:27 PulseG2 kernel: Hardware name: TUXEDO TUXEDO Pulse 15 
Gen2/PF5LUXG, BIOS N.1.06A12 03/15/2023
Mar 30 17:27:27 PulseG2 kernel: RIP: 
0010:iwl_mvm_vif_dbgfs_add_link+0x88/0xd0 [iwlmvm]
Mar 30 17:27:27 PulseG2 kernel: Code: f3 48 ab 4d 85 f6 74 35 48 89 f3 
4c 89 f1 48 c7 c2 26 34 31 c2 4c 89 ef be 64 00 00 00 e8 70 83 1d ef 49 
8b b4 24 c8 1c 00 00 <49> 8b 7e 28 4c 89 ea e8 fc 61 8c ee 48 89 83 >
Mar 30 17:27:27 PulseG2 kernel: RSP: 0018:ffffad53c7557510 EFLAGS: 00010246
Mar 30 17:27:27 PulseG2 kernel: RAX: 0000000000000018 RBX: 
ffff930126395b98 RCX: 0000000000000000
Mar 30 17:27:27 PulseG2 kernel: RDX: 0000000000000000 RSI: 
ffffffffffffffff RDI: 0000000000000000
Mar 30 17:27:27 PulseG2 kernel: RBP: ffffad53c75575a0 R08: 
0000000000000000 R09: 0000000000000000
Mar 30 17:27:27 PulseG2 kernel: R10: 0000000000000000 R11: 
0000000000000000 R12: ffff92feb9291fc8
Mar 30 17:27:27 PulseG2 kernel: R13: ffffad53c7557514 R14: 
ffffffffffffffff R15: ffff930126395b98
Mar 30 17:27:27 PulseG2 kernel: FS:  00007d4436d44500(0000) 
GS:ffff9301ee980000(0000) knlGS:0000000000000000
Mar 30 17:27:27 PulseG2 kernel: CS:  0010 DS: 0000 ES: 0000 CR0: 
0000000080050033
Mar 30 17:27:27 PulseG2 kernel: CR2: 0000000000000027 CR3: 
0000000105df2000 CR4: 0000000000350ef0
Mar 30 17:27:27 PulseG2 kernel: Call Trace:
Mar 30 17:27:27 PulseG2 kernel:  <TASK>
Mar 30 17:27:27 PulseG2 kernel:  ? show_regs+0x71/0x90
Mar 30 17:27:27 PulseG2 kernel:  ? __die+0x28/0x80
Mar 30 17:27:27 PulseG2 kernel:  ? page_fault_oops+0x176/0x500
Mar 30 17:27:27 PulseG2 kernel:  ? dentry_name+0x180/0x370
Mar 30 17:27:27 PulseG2 kernel:  ? srso_return_thunk+0x5/0x5f
Mar 30 17:27:27 PulseG2 kernel:  ? iwl_trans_txq_send_hcmd+0x389/0x460 
[iwlwifi]
Mar 30 17:27:27 PulseG2 kernel:  ? do_user_addr_fault+0x2f2/0x6c0
Mar 30 17:27:27 PulseG2 kernel:  ? exc_page_fault+0x87/0x1b0
Mar 30 17:27:27 PulseG2 kernel:  ? asm_exc_page_fault+0x2b/0x30
Mar 30 17:27:27 PulseG2 kernel:  ? iwl_mvm_vif_dbgfs_add_link+0x88/0xd0 
[iwlmvm]
Mar 30 17:27:27 PulseG2 kernel: 
iwl_mvm_mld_mac_add_interface+0x2f1/0x3b0 [iwlmvm]
Mar 30 17:27:27 PulseG2 kernel:  drv_add_interface+0x58/0x280 [mac80211]
Mar 30 17:27:27 PulseG2 kernel:  ieee80211_do_open+0x515/0x7d0 [mac80211]
Mar 30 17:27:27 PulseG2 kernel:  ? srso_return_thunk+0x5/0x5f
Mar 30 17:27:27 PulseG2 kernel:  ieee80211_open+0x6d/0xa0 [mac80211]
Mar 30 17:27:27 PulseG2 kernel:  __dev_open+0xfa/0x1b0
Mar 30 17:27:27 PulseG2 kernel:  __dev_change_flags+0x1ec/0x270
Mar 30 17:27:27 PulseG2 kernel:  dev_change_flags+0x2b/0x80
Mar 30 17:27:27 PulseG2 kernel:  do_setlink+0x3a8/0x12c0
Mar 30 17:27:27 PulseG2 kernel:  ? srso_return_thunk+0x5/0x5f
Mar 30 17:27:27 PulseG2 kernel:  ? srso_return_thunk+0x5/0x5f
Mar 30 17:27:27 PulseG2 kernel:  ? srso_return_thunk+0x5/0x5f
Mar 30 17:27:27 PulseG2 kernel:  ? __nla_validate_parse+0x5b/0xe40
Mar 30 17:27:27 PulseG2 kernel:  ? srso_return_thunk+0x5/0x5f
Mar 30 17:27:27 PulseG2 kernel:  ? get_partial_node.part.0+0x19d/0x2e0
Mar 30 17:27:27 PulseG2 kernel:  __rtnl_newlink+0x717/0xb60
Mar 30 17:27:27 PulseG2 kernel:  ? rtnl_newlink+0x62/0xb0
Mar 30 17:27:27 PulseG2 kernel:  rtnl_newlink+0x7b/0xb0
Mar 30 17:27:27 PulseG2 kernel:  rtnetlink_rcv_msg+0x174/0x430
Mar 30 17:27:27 PulseG2 kernel:  ? srso_return_thunk+0x5/0x5f
Mar 30 17:27:27 PulseG2 kernel:  ? kmem_cache_alloc_lru+0x372/0x420
Mar 30 17:27:27 PulseG2 kernel:  ? __alloc_skb+0x178/0x1c0
Mar 30 17:27:27 PulseG2 kernel:  ? __alloc_skb+0x178/0x1c0
Mar 30 17:27:27 PulseG2 kernel:  ? __pfx_rtnetlink_rcv_msg+0x10/0x10
Mar 30 17:27:27 PulseG2 kernel:  netlink_rcv_skb+0x61/0x110
Mar 30 17:27:27 PulseG2 kernel:  rtnetlink_rcv+0x19/0x30
Mar 30 17:27:27 PulseG2 kernel:  netlink_unicast+0x248/0x380
Mar 30 17:27:27 PulseG2 kernel:  netlink_sendmsg+0x218/0x470
Mar 30 17:27:27 PulseG2 kernel:  __sock_sendmsg+0xae/0xb0
Mar 30 17:27:27 PulseG2 kernel:  ____sys_sendmsg+0x25f/0x300
Mar 30 17:27:27 PulseG2 kernel:  ? srso_return_thunk+0x5/0x5f
Mar 30 17:27:27 PulseG2 kernel:  ? copy_msghdr_from_user+0x80/0xd0
Mar 30 17:27:27 PulseG2 kernel:  ___sys_sendmsg+0x96/0xe0
Mar 30 17:27:27 PulseG2 kernel:  __sys_sendmsg+0x81/0xe0
Mar 30 17:27:27 PulseG2 kernel:  __x64_sys_sendmsg+0x21/0x30
Mar 30 17:27:27 PulseG2 kernel:  do_syscall_64+0x7b/0x140
Mar 30 17:27:27 PulseG2 kernel:  ? do_syscall_64+0x87/0x140
Mar 30 17:27:27 PulseG2 kernel:  ? srso_return_thunk+0x5/0x5f
Mar 30 17:27:27 PulseG2 kernel:  ? do_syscall_64+0x87/0x140
Mar 30 17:27:27 PulseG2 kernel: entry_SYSCALL_64_after_hwframe+0x6e/0x76
Mar 30 17:27:27 PulseG2 kernel: RIP: 0033:0x7d4437a9fb9d
Mar 30 17:27:27 PulseG2 kernel: Code: 28 89 54 24 1c 48 89 74 24 10 89 
7c 24 08 e8 4a 9f f7 ff 8b 54 24 1c 48 8b 74 24 10 41 89 c0 8b 7c 24 08 
b8 2e 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 33 44 89 c7 48 89 44 24 >
Mar 30 17:27:27 PulseG2 kernel: RSP: 002b:00007ffcc6e0d7a0 EFLAGS: 
00000293 ORIG_RAX: 000000000000002e
Mar 30 17:27:27 PulseG2 kernel: RAX: ffffffffffffffda RBX: 
0000634f86cfcca0 RCX: 00007d4437a9fb9d
Mar 30 17:27:27 PulseG2 kernel: RDX: 0000000000000000 RSI: 
00007ffcc6e0d7f0 RDI: 000000000000000d
Mar 30 17:27:27 PulseG2 kernel: RBP: 00007ffcc6e0d7f0 R08: 
0000000000000000 R09: 0000000000000000
Mar 30 17:27:27 PulseG2 kernel: R10: 0000000000000000 R11: 
0000000000000293 R12: 000000000000000e
Mar 30 17:27:27 PulseG2 kernel: R13: 0000634f86d69590 R14: 
0000000000000000 R15: 0000000000000000
Mar 30 17:27:27 PulseG2 kernel:  </TASK>
Mar 30 17:27:27 PulseG2 kernel: Modules linked in: qrtr bnep 
intel_rapl_msr intel_rapl_common joydev nls_iso8859_1 edac_mce_amd 
nls_cp437 iwlmvm snd_hda_codec_realtek vfat snd_hda_codec_generic fat 
snd_hda_codec>
Mar 30 17:27:27 PulseG2 kernel:  i2c_piix4 realtek drm wmi aesni_intel 
crypto_simd cryptd
Mar 30 17:27:27 PulseG2 kernel: CR2: 0000000000000027
Mar 30 17:27:27 PulseG2 kernel: ---[ end trace 0000000000000000 ]---
Mar 30 17:27:27 PulseG2 kernel: RIP: 
0010:iwl_mvm_vif_dbgfs_add_link+0x88/0xd0 [iwlmvm]
Mar 30 17:27:27 PulseG2 kernel: Code: f3 48 ab 4d 85 f6 74 35 48 89 f3 
4c 89 f1 48 c7 c2 26 34 31 c2 4c 89 ef be 64 00 00 00 e8 70 83 1d ef 49 
8b b4 24 c8 1c 00 00 <49> 8b 7e 28 4c 89 ea e8 fc 61 8c ee 48 89 83 >
Mar 30 17:27:27 PulseG2 kernel: RSP: 0018:ffffad53c7557510 EFLAGS: 00010246
Mar 30 17:27:27 PulseG2 kernel: RAX: 0000000000000018 RBX: 
ffff930126395b98 RCX: 0000000000000000
Mar 30 17:27:27 PulseG2 kernel: RDX: 0000000000000000 RSI: 
ffffffffffffffff RDI: 0000000000000000
Mar 30 17:27:27 PulseG2 kernel: RBP: ffffad53c75575a0 R08: 
0000000000000000 R09: 0000000000000000
Mar 30 17:27:27 PulseG2 kernel: R10: 0000000000000000 R11: 
0000000000000000 R12: ffff92feb9291fc8
Mar 30 17:27:27 PulseG2 kernel: R13: ffffad53c7557514 R14: 
ffffffffffffffff R15: ffff930126395b98
Mar 30 17:27:27 PulseG2 kernel: FS:  00007d4436d44500(0000) 
GS:ffff9301ee980000(0000) knlGS:0000000000000000
Mar 30 17:27:27 PulseG2 kernel: CS:  0010 DS: 0000 ES: 0000 CR0: 
0000000080050033
Mar 30 17:27:27 PulseG2 kernel: CR2: 0000000000000027 CR3: 
0000000105df2000 CR4: 0000000000350ef0
Mar 30 17:27:27 PulseG2 kernel: note: NetworkManager[963] exited with 
irqs disabled

--

6.6.22
                                 Bluetooth: hci0: Found device firmware: 
intel/ibt-20-1-3.sfi
...
Mar 29 17:04:59 PulseG2 kernel: Bluetooth: hci0: FW download error 
recovery failed (-19)
Mar 29 17:04:59 PulseG2 kernel: Bluetooth: hci0: sending frame failed (-19)
Mar 29 17:04:59 PulseG2 kernel: BUG: kernel NULL pointer dereference, 
address: 0000000000000068
Mar 29 17:04:59 PulseG2 kernel: #PF: supervisor read access in kernel mode
Mar 29 17:04:59 PulseG2 kernel: #PF: error_code(0x0000) - not-present page
Mar 29 17:04:59 PulseG2 kernel: PGD 0 P4D 0
Mar 29 17:04:59 PulseG2 kernel: Oops: 0000 [#1] PREEMPT SMP PTI
Mar 29 17:04:59 PulseG2 kernel: CPU: 0 PID: 160 Comm: kworker/u35:0 Not 
tainted 6.6.23 #5
Mar 29 17:04:59 PulseG2 kernel: Hardware name: TUXEDO TUXEDO Pulse 15 
Gen2/PF5LUXG, BIOS N.1.06A12 03/15/2023
Mar 29 17:04:59 PulseG2 kernel: Workqueue: hci0 hci_power_on [bluetooth]
Mar 29 17:04:59 PulseG2 kernel: RIP: 
0010:btintel_read_debug_features+0x4f/0x100 [btintel]
Mar 29 17:04:59 PulseG2 kernel: Code: 00 00 53 48 83 ec 10 65 48 8b 04 
25 28 00 00 00 48 89 45 e0 31 c0 c6 45 df 01 e8 8c cb b4 ff 48 89 c3 48 
3d 00 f0 ff ff 77 56 <83> 78 68 13 75 73 48 8b 80 c0 00 00 00 be 02 >
Mar 29 17:04:59 PulseG2 kernel: RSP: 0018:ffffc900016a7c78 EFLAGS: 00010207
Mar 29 17:04:59 PulseG2 kernel: RAX: 0000000000000000 RBX: 
0000000000000000 RCX: 0000000000000000
Mar 29 17:04:59 PulseG2 kernel: RDX: 0000000000000000 RSI: 
0000000000000000 RDI: 0000000000000000
Mar 29 17:04:59 PulseG2 kernel: RBP: ffffc900016a7ca0 R08: 
0000000000000000 R09: 0000000000000000
Mar 29 17:04:59 PulseG2 kernel: R10: 0000000000000000 R11: 
0000000000000000 R12: ffffc900016a7cb0
Mar 29 17:04:59 PulseG2 kernel: R13: ffff88820e73c000 R14: 
ffff888122cf8400 R15: ffff88820e73c6d0
Mar 29 17:04:59 PulseG2 kernel: FS:  0000000000000000(0000) 
GS:ffff8887ee200000(0000) knlGS:0000000000000000
Mar 29 17:04:59 PulseG2 kernel: CS:  0010 DS: 0000 ES: 0000 CR0: 
0000000080050033
Mar 29 17:04:59 PulseG2 kernel: CR2: 0000000000000068 CR3: 
0000000780c24000 CR4: 0000000000350ef0
Mar 29 17:04:59 PulseG2 kernel: Call Trace:
Mar 29 17:04:59 PulseG2 kernel:  <TASK>
Mar 29 17:04:59 PulseG2 kernel:  ? show_regs+0x71/0x90
Mar 29 17:04:59 PulseG2 kernel:  ? __die+0x28/0x80
Mar 29 17:04:59 PulseG2 kernel:  ? page_fault_oops+0x176/0x500
Mar 29 17:04:59 PulseG2 kernel:  ? do_user_addr_fault+0x2fb/0x6a0
Mar 29 17:04:59 PulseG2 kernel:  ? exc_page_fault+0x87/0x1b0
Mar 29 17:04:59 PulseG2 kernel:  ? asm_exc_page_fault+0x2b/0x30
Mar 29 17:04:59 PulseG2 kernel:  ? 
btintel_read_debug_features+0x4f/0x100 [btintel]
Mar 29 17:04:59 PulseG2 kernel:  ? 
btintel_read_debug_features+0x44/0x100 [btintel]
Mar 29 17:04:59 PulseG2 kernel: 
btintel_register_devcoredump_support.isra.0+0x3e/0xd0 [btintel]
Mar 29 17:04:59 PulseG2 kernel: btintel_setup_combined+0x2b3/0x780 [btintel]
Mar 29 17:04:59 PulseG2 kernel:  hci_dev_open_sync+0x10b/0xcb0 [bluetooth]
Mar 29 17:04:59 PulseG2 kernel:  ? srso_return_thunk+0x5/0x10
Mar 29 17:04:59 PulseG2 kernel:  ? try_to_wake_up+0x2e2/0x6f0
Mar 29 17:04:59 PulseG2 kernel:  hci_dev_do_open+0x28/0x70 [bluetooth]
Mar 29 17:04:59 PulseG2 kernel:  hci_power_on+0x54/0x220 [bluetooth]
Mar 29 17:04:59 PulseG2 kernel:  process_one_work+0x182/0x370
Mar 29 17:04:59 PulseG2 kernel:  worker_thread+0x299/0x3e0
Mar 29 17:04:59 PulseG2 kernel:  ? __pfx_worker_thread+0x10/0x10
Mar 29 17:04:59 PulseG2 kernel:  kthread+0xf6/0x130
Mar 29 17:04:59 PulseG2 kernel:  ? __pfx_kthread+0x10/0x10
Mar 29 17:04:59 PulseG2 kernel:  ret_from_fork+0x4b/0x70
Mar 29 17:04:59 PulseG2 kernel:  ? __pfx_kthread+0x10/0x10
Mar 29 17:04:59 PulseG2 kernel:  ret_from_fork_asm+0x1b/0x30
Mar 29 17:04:59 PulseG2 kernel:  </TASK>
Mar 29 17:04:59 PulseG2 kernel: Modules linked in: snd_hda_codec_generic 
uvcvideo(+) amd64_edac(-) nls_iso8859_1 edac_mce_amd ledtrig_audio btusb 
uvc snd_hda_codec_hdmi mac80211 nls_cp437 videobuf2_vmalloc btrtl>
Mar 29 17:04:59 PulseG2 kernel:  drm wmi
Mar 29 17:04:59 PulseG2 kernel: CR2: 0000000000000068
Mar 29 17:04:59 PulseG2 kernel: ---[ end trace 0000000000000000 ]---
Mar 29 17:04:59 PulseG2 kernel: RIP: 
0010:btintel_read_debug_features+0x4f/0x100 [btintel]
Mar 29 17:04:59 PulseG2 kernel: Code: 00 00 53 48 83 ec 10 65 48 8b 04 
25 28 00 00 00 48 89 45 e0 31 c0 c6 45 df 01 e8 8c cb b4 ff 48 89 c3 48 
3d 00 f0 ff ff 77 56 <83> 78 68 13 75 73 48 8b 80 c0 00 00 00 be 02 >
Mar 29 17:04:59 PulseG2 kernel: RSP: 0018:ffffc900016a7c78 EFLAGS: 00010207
Mar 29 17:04:59 PulseG2 kernel: RAX: 0000000000000000 RBX: 
0000000000000000 RCX: 0000000000000000
Mar 29 17:04:59 PulseG2 kernel: RDX: 0000000000000000 RSI: 
0000000000000000 RDI: 0000000000000000
Mar 29 17:04:59 PulseG2 kernel: RBP: ffffc900016a7ca0 R08: 
0000000000000000 R09: 0000000000000000
Mar 29 17:04:59 PulseG2 kernel: R10: 0000000000000000 R11: 
0000000000000000 R12: ffffc900016a7cb0
Mar 29 17:04:59 PulseG2 kernel: R13: ffff88820e73c000 R14: 
ffff888122cf8400 R15: ffff88820e73c6d0
Mar 29 17:04:59 PulseG2 kernel: FS:  0000000000000000(0000) 
GS:ffff8887ee200000(0000) knlGS:0000000000000000
Mar 29 17:04:59 PulseG2 kernel: CS:  0010 DS: 0000 ES: 0000 CR0: 
0000000080050033
Mar 29 17:04:59 PulseG2 kernel: CR2: 0000000000000068 CR3: 
0000000780c24000 CR4: 0000000000350ef0
Mar 29 17:04:59 PulseG2 kernel: note: kworker/u35:0[160] exited with 
irqs disabled
...
(reboot in between)
Mar 29 21:17:26 PulseG2 kernel: Bluetooth: hci0: Reading Intel version 
command failed (-110)
Mar 29 21:17:26 PulseG2 kernel: Bluetooth: hci0: command 0xfc05 tx timeout

(.pylocal) catseye@PulseG2:~$ lspci

00:00.0 Host bridge: Advanced Micro Devices, Inc. [AMD] Renoir/Cezanne 
Root Complex
00:00.2 IOMMU: Advanced Micro Devices, Inc. [AMD] Renoir/Cezanne IOMMU
00:01.0 Host bridge: Advanced Micro Devices, Inc. [AMD] Renoir PCIe 
Dummy Host Bridge
00:01.2 PCI bridge: Advanced Micro Devices, Inc. [AMD] Renoir/Cezanne 
PCIe GPP Bridge
00:02.0 Host bridge: Advanced Micro Devices, Inc. [AMD] Renoir PCIe 
Dummy Host Bridge
00:02.1 PCI bridge: Advanced Micro Devices, Inc. [AMD] Renoir/Cezanne 
PCIe GPP Bridge
00:02.2 PCI bridge: Advanced Micro Devices, Inc. [AMD] Renoir/Cezanne 
PCIe GPP Bridge
00:02.4 PCI bridge: Advanced Micro Devices, Inc. [AMD] Renoir/Cezanne 
PCIe GPP Bridge
00:08.0 Host bridge: Advanced Micro Devices, Inc. [AMD] Renoir PCIe 
Dummy Host Bridge
00:08.1 PCI bridge: Advanced Micro Devices, Inc. [AMD] Renoir Internal 
PCIe GPP Bridge to Bus
00:14.0 SMBus: Advanced Micro Devices, Inc. [AMD] FCH SMBus Controller 
(rev 51)
00:14.3 ISA bridge: Advanced Micro Devices, Inc. [AMD] FCH LPC Bridge 
(rev 51)
00:18.0 Host bridge: Advanced Micro Devices, Inc. [AMD] Renoir Device 
24: Function 0
00:18.1 Host bridge: Advanced Micro Devices, Inc. [AMD] Renoir Device 
24: Function 1
00:18.2 Host bridge: Advanced Micro Devices, Inc. [AMD] Renoir Device 
24: Function 2
00:18.3 Host bridge: Advanced Micro Devices, Inc. [AMD] Renoir Device 
24: Function 3
00:18.4 Host bridge: Advanced Micro Devices, Inc. [AMD] Renoir Device 
24: Function 4
00:18.5 Host bridge: Advanced Micro Devices, Inc. [AMD] Renoir Device 
24: Function 5
00:18.6 Host bridge: Advanced Micro Devices, Inc. [AMD] Renoir Device 
24: Function 6
00:18.7 Host bridge: Advanced Micro Devices, Inc. [AMD] Renoir Device 
24: Function 7
01:00.0 Ethernet controller: Realtek Semiconductor Co., Ltd. 
RTL8111/8168/8211/8411 PCI Express Gigabit Ethernet Controller (rev 15)
02:00.0 Non-Volatile memory controller: Samsung Electronics Co Ltd NVMe 
SSD Controller 980 (DRAM-less)
03:00.0 Network controller: Intel Corporation Wi-Fi 6 AX200 (rev 1a)
05:00.0 VGA compatible controller: Advanced Micro Devices, Inc. 
[AMD/ATI] Lucienne (rev c1)
05:00.1 Audio device: Advanced Micro Devices, Inc. [AMD/ATI] Renoir 
Radeon High Definition Audio Controller
05:00.2 Encryption controller: Advanced Micro Devices, Inc. [AMD] Family 
17h (Models 10h-1fh) Platform Security Processor
05:00.3 USB controller: Advanced Micro Devices, Inc. [AMD] 
Renoir/Cezanne USB 3.1
05:00.4 USB controller: Advanced Micro Devices, Inc. [AMD] 
Renoir/Cezanne USB 3.1
05:00.5 Multimedia controller: Advanced Micro Devices, Inc. [AMD] 
ACP/ACP3X/ACP6x Audio Coprocessor (rev 01)
05:00.6 Audio device: Advanced Micro Devices, Inc. [AMD] Family 17h/19h 
HD Audio Controller
(.pylocal) catseye@PulseG2:~$ lsusb
Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 001 Device 002: ID 04f2:b71a Chicony Electronics Co., Ltd Integrated 
IR Camera
Bus 001 Device 003: ID 05e3:0608 Genesys Logic, Inc. Hub
Bus 001 Device 004: ID 046d:c077 Logitech, Inc. Mouse
Bus 001 Device 005: ID 8087:0029 Intel Corp. AX200 Bluetooth
Bus 002 Device 001: ID 1d6b:0003 Linux Foundation 3.0 root hub
Bus 003 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 004 Device 001: ID 1d6b:0003 Linux Foundation 3.0 root hub

Not a single oops up to 6.6.20 (included), haven't tried 6.6.21, and 
started with 6.6.22, while 6.6.23 seems stable for now, 6.7.11 also 
trigger oops around BT.

The configuration is my own, derived from debian, but heavily modified 
(trimmed down) and hardened using KSPP recommendations.

I have spare time, let me know if I can be of any testing help.

Regards.

Philippe, Lausanne, switzerland.


On 3/30/24 5:23 PM, Greg KH wrote:
> On Sat, Mar 30, 2024 at 03:59:22PM +0100, Linux regression tracking (Thorsten Leemhuis) wrote:
>> On 24.03.24 23:28, Sasha Levin wrote:
>>> From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
>>>
>>> [ Upstream commit 63298d6e752fc0ec7f5093860af8bc9f047b30c8 ]
>>>
>>> If command has timed out call __hci_cmd_sync_cancel to notify the
>>> hci_req since it will inevitably cause a timeout.
>>>
>>> This also rework the code around __hci_cmd_sync_cancel since it was
>>> wrongly assuming it needs to cancel timer as well, but sometimes the
>>> timers have not been started or in fact they already had timed out in
>>> which case they don't need to be cancel yet again.
>>>
>>> Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
>>> Stable-dep-of: 2615fd9a7c25 ("Bluetooth: hci_sync: Fix overwriting request callback")
>>> Signed-off-by: Sasha Levin <sashal@kernel.org>
>> Hey stable team, I wonder if it might be wise to pick up 1c3366abdbe884
>> ("Bluetooth: hci_sync: Fix not checking error on
>> hci_cmd_sync_cancel_sync") from next
>> (https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git/commit/?id=1c3366abdbe884)
>> for the next releases of all series that a few days ago received
>> 63298d6e752fc0 ("Bluetooth: hci_core: Cancel request on command timeout").
>>
>> The latter patch sadly on quite a few systems causes a Oops due to a
>> NULL pointer dereference and breaks Bluetooth. This was reported for
>> mainline here (yes, coincidentally it was reported by yours truly):
>> https://lore.kernel.org/all/08275279-7462-4f4a-a0ee-8aa015f829bc@leemhuis.info/
>>
>> Now that the patch landed in 6.8.2 it seems to happen there as well
>> (guess in 6.7 and others, too), as can be seen from this bug report
>> where multiple people already joined:
>> https://bugzilla.kernel.org/show_bug.cgi?id=218651
>>
>> The fix mentioned above is on the way to Linus, but due to unlucky
>> timing missed this weeks network pull, hence will likely only reach
>> mainline next Thursday. But the fix afaics has a stable commit id, so
>> might be worth picking up soon for the stable releases to fix the
>> regression quickly.
> Now queued up, thanks for letting us know.
>
> greg k-h
>

Re: Bluetooth broken for some people with 6.8.2 [Was: [PATCH 6.8 308/715] Bluetooth: hci_core: Cancel request on command timeout]

Posted by Philippe Strauss 1 year, 8 months ago

Oh it's in the debugging code, my problem, I've reconfigured my kernel 
without debugging in iwlwifi and btusb/btintel and can now use 6.8.2 as 
my laptop kernel.

On 3/30/24 6:22 PM, Philippe Strauss wrote:
> I'm a good linux sysadmin with basics C abilities and no prior kernel 
> dev experience having subscribed to the lkml yesterday to report two 
> oopses which may be related:
>
> -- 
>
> 6.8.2
>
> Mar 30 17:27:26 PulseG2 NetworkManager[963]: <info> [1711816046.7303] 
> device (wlp3s0): state change: unmanaged -> unavailable (reason 
> 'managed', sys-iface-state: 'external')
> Mar 30 17:27:26 PulseG2 kernel: Bluetooth: hci0: command 0xfc05 tx 
> timeout
> Mar 30 17:27:26 PulseG2 kernel: Bluetooth: hci0: Reading Intel version 
> command failed (-110)
> Mar 30 17:27:27 PulseG2 kernel: iwlwifi 0000:03:00.0: Registered PHC 
> clock: iwlwifi-PTP, with index: 0
> Mar 30 17:27:27 PulseG2 kernel: BUG: kernel NULL pointer dereference, 
> address: 0000000000000027
> Mar 30 17:27:27 PulseG2 kernel: #PF: supervisor read access in kernel 
> mode
> Mar 30 17:27:27 PulseG2 kernel: #PF: error_code(0x0000) - not-present 
> page
> Mar 30 17:27:27 PulseG2 kernel: PGD 0 P4D 0
> Mar 30 17:27:27 PulseG2 kernel: Oops: 0000 [#1] PREEMPT SMP PTI
> Mar 30 17:27:27 PulseG2 kernel: CPU: 15 PID: 963 Comm: NetworkManager 
> Not tainted 6.8.2 #1
> Mar 30 17:27:27 PulseG2 kernel: Hardware name: TUXEDO TUXEDO Pulse 15 
> Gen2/PF5LUXG, BIOS N.1.06A12 03/15/2023
> Mar 30 17:27:27 PulseG2 kernel: RIP: 
> 0010:iwl_mvm_vif_dbgfs_add_link+0x88/0xd0 [iwlmvm]
> Mar 30 17:27:27 PulseG2 kernel: Code: f3 48 ab 4d 85 f6 74 35 48 89 f3 
> 4c 89 f1 48 c7 c2 26 34 31 c2 4c 89 ef be 64 00 00 00 e8 70 83 1d ef 
> 49 8b b4 24 c8 1c 00 00 <49> 8b 7e 28 4c 89 ea e8 fc 61 8c ee 48 89 83 >
> Mar 30 17:27:27 PulseG2 kernel: RSP: 0018:ffffad53c7557510 EFLAGS: 
> 00010246
> Mar 30 17:27:27 PulseG2 kernel: RAX: 0000000000000018 RBX: 
> ffff930126395b98 RCX: 0000000000000000
> Mar 30 17:27:27 PulseG2 kernel: RDX: 0000000000000000 RSI: 
> ffffffffffffffff RDI: 0000000000000000
> Mar 30 17:27:27 PulseG2 kernel: RBP: ffffad53c75575a0 R08: 
> 0000000000000000 R09: 0000000000000000
> Mar 30 17:27:27 PulseG2 kernel: R10: 0000000000000000 R11: 
> 0000000000000000 R12: ffff92feb9291fc8
> Mar 30 17:27:27 PulseG2 kernel: R13: ffffad53c7557514 R14: 
> ffffffffffffffff R15: ffff930126395b98
> Mar 30 17:27:27 PulseG2 kernel: FS:  00007d4436d44500(0000) 
> GS:ffff9301ee980000(0000) knlGS:0000000000000000
> Mar 30 17:27:27 PulseG2 kernel: CS:  0010 DS: 0000 ES: 0000 CR0: 
> 0000000080050033
> Mar 30 17:27:27 PulseG2 kernel: CR2: 0000000000000027 CR3: 
> 0000000105df2000 CR4: 0000000000350ef0
> Mar 30 17:27:27 PulseG2 kernel: Call Trace:
> Mar 30 17:27:27 PulseG2 kernel:  <TASK>
> Mar 30 17:27:27 PulseG2 kernel:  ? show_regs+0x71/0x90
> Mar 30 17:27:27 PulseG2 kernel:  ? __die+0x28/0x80
> Mar 30 17:27:27 PulseG2 kernel:  ? page_fault_oops+0x176/0x500
> Mar 30 17:27:27 PulseG2 kernel:  ? dentry_name+0x180/0x370
> Mar 30 17:27:27 PulseG2 kernel:  ? srso_return_thunk+0x5/0x5f
> Mar 30 17:27:27 PulseG2 kernel:  ? iwl_trans_txq_send_hcmd+0x389/0x460 
> [iwlwifi]
> Mar 30 17:27:27 PulseG2 kernel:  ? do_user_addr_fault+0x2f2/0x6c0
> Mar 30 17:27:27 PulseG2 kernel:  ? exc_page_fault+0x87/0x1b0
> Mar 30 17:27:27 PulseG2 kernel:  ? asm_exc_page_fault+0x2b/0x30
> Mar 30 17:27:27 PulseG2 kernel:  ? 
> iwl_mvm_vif_dbgfs_add_link+0x88/0xd0 [iwlmvm]
> Mar 30 17:27:27 PulseG2 kernel: 
> iwl_mvm_mld_mac_add_interface+0x2f1/0x3b0 [iwlmvm]
> Mar 30 17:27:27 PulseG2 kernel:  drv_add_interface+0x58/0x280 [mac80211]
> Mar 30 17:27:27 PulseG2 kernel:  ieee80211_do_open+0x515/0x7d0 [mac80211]
> Mar 30 17:27:27 PulseG2 kernel:  ? srso_return_thunk+0x5/0x5f
> Mar 30 17:27:27 PulseG2 kernel:  ieee80211_open+0x6d/0xa0 [mac80211]
> Mar 30 17:27:27 PulseG2 kernel:  __dev_open+0xfa/0x1b0
> Mar 30 17:27:27 PulseG2 kernel:  __dev_change_flags+0x1ec/0x270
> Mar 30 17:27:27 PulseG2 kernel:  dev_change_flags+0x2b/0x80
> Mar 30 17:27:27 PulseG2 kernel:  do_setlink+0x3a8/0x12c0
> Mar 30 17:27:27 PulseG2 kernel:  ? srso_return_thunk+0x5/0x5f
> Mar 30 17:27:27 PulseG2 kernel:  ? srso_return_thunk+0x5/0x5f
> Mar 30 17:27:27 PulseG2 kernel:  ? srso_return_thunk+0x5/0x5f
> Mar 30 17:27:27 PulseG2 kernel:  ? __nla_validate_parse+0x5b/0xe40
> Mar 30 17:27:27 PulseG2 kernel:  ? srso_return_thunk+0x5/0x5f
> Mar 30 17:27:27 PulseG2 kernel:  ? get_partial_node.part.0+0x19d/0x2e0
> Mar 30 17:27:27 PulseG2 kernel:  __rtnl_newlink+0x717/0xb60
> Mar 30 17:27:27 PulseG2 kernel:  ? rtnl_newlink+0x62/0xb0
> Mar 30 17:27:27 PulseG2 kernel:  rtnl_newlink+0x7b/0xb0
> Mar 30 17:27:27 PulseG2 kernel:  rtnetlink_rcv_msg+0x174/0x430
> Mar 30 17:27:27 PulseG2 kernel:  ? srso_return_thunk+0x5/0x5f
> Mar 30 17:27:27 PulseG2 kernel:  ? kmem_cache_alloc_lru+0x372/0x420
> Mar 30 17:27:27 PulseG2 kernel:  ? __alloc_skb+0x178/0x1c0
> Mar 30 17:27:27 PulseG2 kernel:  ? __alloc_skb+0x178/0x1c0
> Mar 30 17:27:27 PulseG2 kernel:  ? __pfx_rtnetlink_rcv_msg+0x10/0x10
> Mar 30 17:27:27 PulseG2 kernel:  netlink_rcv_skb+0x61/0x110
> Mar 30 17:27:27 PulseG2 kernel:  rtnetlink_rcv+0x19/0x30
> Mar 30 17:27:27 PulseG2 kernel:  netlink_unicast+0x248/0x380
> Mar 30 17:27:27 PulseG2 kernel:  netlink_sendmsg+0x218/0x470
> Mar 30 17:27:27 PulseG2 kernel:  __sock_sendmsg+0xae/0xb0
> Mar 30 17:27:27 PulseG2 kernel:  ____sys_sendmsg+0x25f/0x300
> Mar 30 17:27:27 PulseG2 kernel:  ? srso_return_thunk+0x5/0x5f
> Mar 30 17:27:27 PulseG2 kernel:  ? copy_msghdr_from_user+0x80/0xd0
> Mar 30 17:27:27 PulseG2 kernel:  ___sys_sendmsg+0x96/0xe0
> Mar 30 17:27:27 PulseG2 kernel:  __sys_sendmsg+0x81/0xe0
> Mar 30 17:27:27 PulseG2 kernel:  __x64_sys_sendmsg+0x21/0x30
> Mar 30 17:27:27 PulseG2 kernel:  do_syscall_64+0x7b/0x140
> Mar 30 17:27:27 PulseG2 kernel:  ? do_syscall_64+0x87/0x140
> Mar 30 17:27:27 PulseG2 kernel:  ? srso_return_thunk+0x5/0x5f
> Mar 30 17:27:27 PulseG2 kernel:  ? do_syscall_64+0x87/0x140
> Mar 30 17:27:27 PulseG2 kernel: entry_SYSCALL_64_after_hwframe+0x6e/0x76
> Mar 30 17:27:27 PulseG2 kernel: RIP: 0033:0x7d4437a9fb9d
> Mar 30 17:27:27 PulseG2 kernel: Code: 28 89 54 24 1c 48 89 74 24 10 89 
> 7c 24 08 e8 4a 9f f7 ff 8b 54 24 1c 48 8b 74 24 10 41 89 c0 8b 7c 24 
> 08 b8 2e 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 33 44 89 c7 48 89 44 24 >
> Mar 30 17:27:27 PulseG2 kernel: RSP: 002b:00007ffcc6e0d7a0 EFLAGS: 
> 00000293 ORIG_RAX: 000000000000002e
> Mar 30 17:27:27 PulseG2 kernel: RAX: ffffffffffffffda RBX: 
> 0000634f86cfcca0 RCX: 00007d4437a9fb9d
> Mar 30 17:27:27 PulseG2 kernel: RDX: 0000000000000000 RSI: 
> 00007ffcc6e0d7f0 RDI: 000000000000000d
> Mar 30 17:27:27 PulseG2 kernel: RBP: 00007ffcc6e0d7f0 R08: 
> 0000000000000000 R09: 0000000000000000
> Mar 30 17:27:27 PulseG2 kernel: R10: 0000000000000000 R11: 
> 0000000000000293 R12: 000000000000000e
> Mar 30 17:27:27 PulseG2 kernel: R13: 0000634f86d69590 R14: 
> 0000000000000000 R15: 0000000000000000
> Mar 30 17:27:27 PulseG2 kernel:  </TASK>
> Mar 30 17:27:27 PulseG2 kernel: Modules linked in: qrtr bnep 
> intel_rapl_msr intel_rapl_common joydev nls_iso8859_1 edac_mce_amd 
> nls_cp437 iwlmvm snd_hda_codec_realtek vfat snd_hda_codec_generic fat 
> snd_hda_codec>
> Mar 30 17:27:27 PulseG2 kernel:  i2c_piix4 realtek drm wmi aesni_intel 
> crypto_simd cryptd
> Mar 30 17:27:27 PulseG2 kernel: CR2: 0000000000000027
> Mar 30 17:27:27 PulseG2 kernel: ---[ end trace 0000000000000000 ]---
> Mar 30 17:27:27 PulseG2 kernel: RIP: 
> 0010:iwl_mvm_vif_dbgfs_add_link+0x88/0xd0 [iwlmvm]
> Mar 30 17:27:27 PulseG2 kernel: Code: f3 48 ab 4d 85 f6 74 35 48 89 f3 
> 4c 89 f1 48 c7 c2 26 34 31 c2 4c 89 ef be 64 00 00 00 e8 70 83 1d ef 
> 49 8b b4 24 c8 1c 00 00 <49> 8b 7e 28 4c 89 ea e8 fc 61 8c ee 48 89 83 >
> Mar 30 17:27:27 PulseG2 kernel: RSP: 0018:ffffad53c7557510 EFLAGS: 
> 00010246
> Mar 30 17:27:27 PulseG2 kernel: RAX: 0000000000000018 RBX: 
> ffff930126395b98 RCX: 0000000000000000
> Mar 30 17:27:27 PulseG2 kernel: RDX: 0000000000000000 RSI: 
> ffffffffffffffff RDI: 0000000000000000
> Mar 30 17:27:27 PulseG2 kernel: RBP: ffffad53c75575a0 R08: 
> 0000000000000000 R09: 0000000000000000
> Mar 30 17:27:27 PulseG2 kernel: R10: 0000000000000000 R11: 
> 0000000000000000 R12: ffff92feb9291fc8
> Mar 30 17:27:27 PulseG2 kernel: R13: ffffad53c7557514 R14: 
> ffffffffffffffff R15: ffff930126395b98
> Mar 30 17:27:27 PulseG2 kernel: FS:  00007d4436d44500(0000) 
> GS:ffff9301ee980000(0000) knlGS:0000000000000000
> Mar 30 17:27:27 PulseG2 kernel: CS:  0010 DS: 0000 ES: 0000 CR0: 
> 0000000080050033
> Mar 30 17:27:27 PulseG2 kernel: CR2: 0000000000000027 CR3: 
> 0000000105df2000 CR4: 0000000000350ef0
> Mar 30 17:27:27 PulseG2 kernel: note: NetworkManager[963] exited with 
> irqs disabled
>
> -- 
>
> 6.6.22
>                                 Bluetooth: hci0: Found device 
> firmware: intel/ibt-20-1-3.sfi
> ..
> Mar 29 17:04:59 PulseG2 kernel: Bluetooth: hci0: FW download error 
> recovery failed (-19)
> Mar 29 17:04:59 PulseG2 kernel: Bluetooth: hci0: sending frame failed 
> (-19)
> Mar 29 17:04:59 PulseG2 kernel: BUG: kernel NULL pointer dereference, 
> address: 0000000000000068
> Mar 29 17:04:59 PulseG2 kernel: #PF: supervisor read access in kernel 
> mode
> Mar 29 17:04:59 PulseG2 kernel: #PF: error_code(0x0000) - not-present 
> page
> Mar 29 17:04:59 PulseG2 kernel: PGD 0 P4D 0
> Mar 29 17:04:59 PulseG2 kernel: Oops: 0000 [#1] PREEMPT SMP PTI
> Mar 29 17:04:59 PulseG2 kernel: CPU: 0 PID: 160 Comm: kworker/u35:0 
> Not tainted 6.6.23 #5
> Mar 29 17:04:59 PulseG2 kernel: Hardware name: TUXEDO TUXEDO Pulse 15 
> Gen2/PF5LUXG, BIOS N.1.06A12 03/15/2023
> Mar 29 17:04:59 PulseG2 kernel: Workqueue: hci0 hci_power_on [bluetooth]
> Mar 29 17:04:59 PulseG2 kernel: RIP: 
> 0010:btintel_read_debug_features+0x4f/0x100 [btintel]
> Mar 29 17:04:59 PulseG2 kernel: Code: 00 00 53 48 83 ec 10 65 48 8b 04 
> 25 28 00 00 00 48 89 45 e0 31 c0 c6 45 df 01 e8 8c cb b4 ff 48 89 c3 
> 48 3d 00 f0 ff ff 77 56 <83> 78 68 13 75 73 48 8b 80 c0 00 00 00 be 02 >
> Mar 29 17:04:59 PulseG2 kernel: RSP: 0018:ffffc900016a7c78 EFLAGS: 
> 00010207
> Mar 29 17:04:59 PulseG2 kernel: RAX: 0000000000000000 RBX: 
> 0000000000000000 RCX: 0000000000000000
> Mar 29 17:04:59 PulseG2 kernel: RDX: 0000000000000000 RSI: 
> 0000000000000000 RDI: 0000000000000000
> Mar 29 17:04:59 PulseG2 kernel: RBP: ffffc900016a7ca0 R08: 
> 0000000000000000 R09: 0000000000000000
> Mar 29 17:04:59 PulseG2 kernel: R10: 0000000000000000 R11: 
> 0000000000000000 R12: ffffc900016a7cb0
> Mar 29 17:04:59 PulseG2 kernel: R13: ffff88820e73c000 R14: 
> ffff888122cf8400 R15: ffff88820e73c6d0
> Mar 29 17:04:59 PulseG2 kernel: FS:  0000000000000000(0000) 
> GS:ffff8887ee200000(0000) knlGS:0000000000000000
> Mar 29 17:04:59 PulseG2 kernel: CS:  0010 DS: 0000 ES: 0000 CR0: 
> 0000000080050033
> Mar 29 17:04:59 PulseG2 kernel: CR2: 0000000000000068 CR3: 
> 0000000780c24000 CR4: 0000000000350ef0
> Mar 29 17:04:59 PulseG2 kernel: Call Trace:
> Mar 29 17:04:59 PulseG2 kernel:  <TASK>
> Mar 29 17:04:59 PulseG2 kernel:  ? show_regs+0x71/0x90
> Mar 29 17:04:59 PulseG2 kernel:  ? __die+0x28/0x80
> Mar 29 17:04:59 PulseG2 kernel:  ? page_fault_oops+0x176/0x500
> Mar 29 17:04:59 PulseG2 kernel:  ? do_user_addr_fault+0x2fb/0x6a0
> Mar 29 17:04:59 PulseG2 kernel:  ? exc_page_fault+0x87/0x1b0
> Mar 29 17:04:59 PulseG2 kernel:  ? asm_exc_page_fault+0x2b/0x30
> Mar 29 17:04:59 PulseG2 kernel:  ? 
> btintel_read_debug_features+0x4f/0x100 [btintel]
> Mar 29 17:04:59 PulseG2 kernel:  ? 
> btintel_read_debug_features+0x44/0x100 [btintel]
> Mar 29 17:04:59 PulseG2 kernel: 
> btintel_register_devcoredump_support.isra.0+0x3e/0xd0 [btintel]
> Mar 29 17:04:59 PulseG2 kernel: btintel_setup_combined+0x2b3/0x780 
> [btintel]
> Mar 29 17:04:59 PulseG2 kernel:  hci_dev_open_sync+0x10b/0xcb0 
> [bluetooth]
> Mar 29 17:04:59 PulseG2 kernel:  ? srso_return_thunk+0x5/0x10
> Mar 29 17:04:59 PulseG2 kernel:  ? try_to_wake_up+0x2e2/0x6f0
> Mar 29 17:04:59 PulseG2 kernel:  hci_dev_do_open+0x28/0x70 [bluetooth]
> Mar 29 17:04:59 PulseG2 kernel:  hci_power_on+0x54/0x220 [bluetooth]
> Mar 29 17:04:59 PulseG2 kernel:  process_one_work+0x182/0x370
> Mar 29 17:04:59 PulseG2 kernel:  worker_thread+0x299/0x3e0
> Mar 29 17:04:59 PulseG2 kernel:  ? __pfx_worker_thread+0x10/0x10
> Mar 29 17:04:59 PulseG2 kernel:  kthread+0xf6/0x130
> Mar 29 17:04:59 PulseG2 kernel:  ? __pfx_kthread+0x10/0x10
> Mar 29 17:04:59 PulseG2 kernel:  ret_from_fork+0x4b/0x70
> Mar 29 17:04:59 PulseG2 kernel:  ? __pfx_kthread+0x10/0x10
> Mar 29 17:04:59 PulseG2 kernel:  ret_from_fork_asm+0x1b/0x30
> Mar 29 17:04:59 PulseG2 kernel:  </TASK>
> Mar 29 17:04:59 PulseG2 kernel: Modules linked in: 
> snd_hda_codec_generic uvcvideo(+) amd64_edac(-) nls_iso8859_1 
> edac_mce_amd ledtrig_audio btusb uvc snd_hda_codec_hdmi mac80211 
> nls_cp437 videobuf2_vmalloc btrtl>
> Mar 29 17:04:59 PulseG2 kernel:  drm wmi
> Mar 29 17:04:59 PulseG2 kernel: CR2: 0000000000000068
> Mar 29 17:04:59 PulseG2 kernel: ---[ end trace 0000000000000000 ]---
> Mar 29 17:04:59 PulseG2 kernel: RIP: 
> 0010:btintel_read_debug_features+0x4f/0x100 [btintel]
> Mar 29 17:04:59 PulseG2 kernel: Code: 00 00 53 48 83 ec 10 65 48 8b 04 
> 25 28 00 00 00 48 89 45 e0 31 c0 c6 45 df 01 e8 8c cb b4 ff 48 89 c3 
> 48 3d 00 f0 ff ff 77 56 <83> 78 68 13 75 73 48 8b 80 c0 00 00 00 be 02 >
> Mar 29 17:04:59 PulseG2 kernel: RSP: 0018:ffffc900016a7c78 EFLAGS: 
> 00010207
> Mar 29 17:04:59 PulseG2 kernel: RAX: 0000000000000000 RBX: 
> 0000000000000000 RCX: 0000000000000000
> Mar 29 17:04:59 PulseG2 kernel: RDX: 0000000000000000 RSI: 
> 0000000000000000 RDI: 0000000000000000
> Mar 29 17:04:59 PulseG2 kernel: RBP: ffffc900016a7ca0 R08: 
> 0000000000000000 R09: 0000000000000000
> Mar 29 17:04:59 PulseG2 kernel: R10: 0000000000000000 R11: 
> 0000000000000000 R12: ffffc900016a7cb0
> Mar 29 17:04:59 PulseG2 kernel: R13: ffff88820e73c000 R14: 
> ffff888122cf8400 R15: ffff88820e73c6d0
> Mar 29 17:04:59 PulseG2 kernel: FS:  0000000000000000(0000) 
> GS:ffff8887ee200000(0000) knlGS:0000000000000000
> Mar 29 17:04:59 PulseG2 kernel: CS:  0010 DS: 0000 ES: 0000 CR0: 
> 0000000080050033
> Mar 29 17:04:59 PulseG2 kernel: CR2: 0000000000000068 CR3: 
> 0000000780c24000 CR4: 0000000000350ef0
> Mar 29 17:04:59 PulseG2 kernel: note: kworker/u35:0[160] exited with 
> irqs disabled
> ..
> (reboot in between)
> Mar 29 21:17:26 PulseG2 kernel: Bluetooth: hci0: Reading Intel version 
> command failed (-110)
> Mar 29 21:17:26 PulseG2 kernel: Bluetooth: hci0: command 0xfc05 tx 
> timeout
>
> (.pylocal) catseye@PulseG2:~$ lspci
>
> 00:00.0 Host bridge: Advanced Micro Devices, Inc. [AMD] Renoir/Cezanne 
> Root Complex
> 00:00.2 IOMMU: Advanced Micro Devices, Inc. [AMD] Renoir/Cezanne IOMMU
> 00:01.0 Host bridge: Advanced Micro Devices, Inc. [AMD] Renoir PCIe 
> Dummy Host Bridge
> 00:01.2 PCI bridge: Advanced Micro Devices, Inc. [AMD] Renoir/Cezanne 
> PCIe GPP Bridge
> 00:02.0 Host bridge: Advanced Micro Devices, Inc. [AMD] Renoir PCIe 
> Dummy Host Bridge
> 00:02.1 PCI bridge: Advanced Micro Devices, Inc. [AMD] Renoir/Cezanne 
> PCIe GPP Bridge
> 00:02.2 PCI bridge: Advanced Micro Devices, Inc. [AMD] Renoir/Cezanne 
> PCIe GPP Bridge
> 00:02.4 PCI bridge: Advanced Micro Devices, Inc. [AMD] Renoir/Cezanne 
> PCIe GPP Bridge
> 00:08.0 Host bridge: Advanced Micro Devices, Inc. [AMD] Renoir PCIe 
> Dummy Host Bridge
> 00:08.1 PCI bridge: Advanced Micro Devices, Inc. [AMD] Renoir Internal 
> PCIe GPP Bridge to Bus
> 00:14.0 SMBus: Advanced Micro Devices, Inc. [AMD] FCH SMBus Controller 
> (rev 51)
> 00:14.3 ISA bridge: Advanced Micro Devices, Inc. [AMD] FCH LPC Bridge 
> (rev 51)
> 00:18.0 Host bridge: Advanced Micro Devices, Inc. [AMD] Renoir Device 
> 24: Function 0
> 00:18.1 Host bridge: Advanced Micro Devices, Inc. [AMD] Renoir Device 
> 24: Function 1
> 00:18.2 Host bridge: Advanced Micro Devices, Inc. [AMD] Renoir Device 
> 24: Function 2
> 00:18.3 Host bridge: Advanced Micro Devices, Inc. [AMD] Renoir Device 
> 24: Function 3
> 00:18.4 Host bridge: Advanced Micro Devices, Inc. [AMD] Renoir Device 
> 24: Function 4
> 00:18.5 Host bridge: Advanced Micro Devices, Inc. [AMD] Renoir Device 
> 24: Function 5
> 00:18.6 Host bridge: Advanced Micro Devices, Inc. [AMD] Renoir Device 
> 24: Function 6
> 00:18.7 Host bridge: Advanced Micro Devices, Inc. [AMD] Renoir Device 
> 24: Function 7
> 01:00.0 Ethernet controller: Realtek Semiconductor Co., Ltd. 
> RTL8111/8168/8211/8411 PCI Express Gigabit Ethernet Controller (rev 15)
> 02:00.0 Non-Volatile memory controller: Samsung Electronics Co Ltd 
> NVMe SSD Controller 980 (DRAM-less)
> 03:00.0 Network controller: Intel Corporation Wi-Fi 6 AX200 (rev 1a)
> 05:00.0 VGA compatible controller: Advanced Micro Devices, Inc. 
> [AMD/ATI] Lucienne (rev c1)
> 05:00.1 Audio device: Advanced Micro Devices, Inc. [AMD/ATI] Renoir 
> Radeon High Definition Audio Controller
> 05:00.2 Encryption controller: Advanced Micro Devices, Inc. [AMD] 
> Family 17h (Models 10h-1fh) Platform Security Processor
> 05:00.3 USB controller: Advanced Micro Devices, Inc. [AMD] 
> Renoir/Cezanne USB 3.1
> 05:00.4 USB controller: Advanced Micro Devices, Inc. [AMD] 
> Renoir/Cezanne USB 3.1
> 05:00.5 Multimedia controller: Advanced Micro Devices, Inc. [AMD] 
> ACP/ACP3X/ACP6x Audio Coprocessor (rev 01)
> 05:00.6 Audio device: Advanced Micro Devices, Inc. [AMD] Family 
> 17h/19h HD Audio Controller
> (.pylocal) catseye@PulseG2:~$ lsusb
> Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
> Bus 001 Device 002: ID 04f2:b71a Chicony Electronics Co., Ltd 
> Integrated IR Camera
> Bus 001 Device 003: ID 05e3:0608 Genesys Logic, Inc. Hub
> Bus 001 Device 004: ID 046d:c077 Logitech, Inc. Mouse
> Bus 001 Device 005: ID 8087:0029 Intel Corp. AX200 Bluetooth
> Bus 002 Device 001: ID 1d6b:0003 Linux Foundation 3.0 root hub
> Bus 003 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
> Bus 004 Device 001: ID 1d6b:0003 Linux Foundation 3.0 root hub
>
> Not a single oops up to 6.6.20 (included), haven't tried 6.6.21, and 
> started with 6.6.22, while 6.6.23 seems stable for now, 6.7.11 also 
> trigger oops around BT.
>
> The configuration is my own, derived from debian, but heavily modified 
> (trimmed down) and hardened using KSPP recommendations.
>
> I have spare time, let me know if I can be of any testing help.
>
> Regards.
>
> Philippe, Lausanne, switzerland.
>
>
> On 3/30/24 5:23 PM, Greg KH wrote:
>> On Sat, Mar 30, 2024 at 03:59:22PM +0100, Linux regression tracking 
>> (Thorsten Leemhuis) wrote:
>>> On 24.03.24 23:28, Sasha Levin wrote:
>>>> From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
>>>>
>>>> [ Upstream commit 63298d6e752fc0ec7f5093860af8bc9f047b30c8 ]
>>>>
>>>> If command has timed out call __hci_cmd_sync_cancel to notify the
>>>> hci_req since it will inevitably cause a timeout.
>>>>
>>>> This also rework the code around __hci_cmd_sync_cancel since it was
>>>> wrongly assuming it needs to cancel timer as well, but sometimes the
>>>> timers have not been started or in fact they already had timed out in
>>>> which case they don't need to be cancel yet again.
>>>>
>>>> Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
>>>> Stable-dep-of: 2615fd9a7c25 ("Bluetooth: hci_sync: Fix overwriting 
>>>> request callback")
>>>> Signed-off-by: Sasha Levin <sashal@kernel.org>
>>> Hey stable team, I wonder if it might be wise to pick up 1c3366abdbe884
>>> ("Bluetooth: hci_sync: Fix not checking error on
>>> hci_cmd_sync_cancel_sync") from next
>>> (https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git/commit/?id=1c3366abdbe884) 
>>>
>>> for the next releases of all series that a few days ago received
>>> 63298d6e752fc0 ("Bluetooth: hci_core: Cancel request on command 
>>> timeout").
>>>
>>> The latter patch sadly on quite a few systems causes a Oops due to a
>>> NULL pointer dereference and breaks Bluetooth. This was reported for
>>> mainline here (yes, coincidentally it was reported by yours truly):
>>> https://lore.kernel.org/all/08275279-7462-4f4a-a0ee-8aa015f829bc@leemhuis.info/ 
>>>
>>>
>>> Now that the patch landed in 6.8.2 it seems to happen there as well
>>> (guess in 6.7 and others, too), as can be seen from this bug report
>>> where multiple people already joined:
>>> https://bugzilla.kernel.org/show_bug.cgi?id=218651
>>>
>>> The fix mentioned above is on the way to Linus, but due to unlucky
>>> timing missed this weeks network pull, hence will likely only reach
>>> mainline next Thursday. But the fix afaics has a stable commit id, so
>>> might be worth picking up soon for the stable releases to fix the
>>> regression quickly.
>> Now queued up, thanks for letting us know.
>>
>> greg k-h
>>
>