Re: Kernel Null Pointer Dereference on Fedora with thinkpad_acpi
From: Kurt Borja
Date: Sun Mar 30 2025 - 02:47:30 EST
On Sun Mar 30, 2025 at 3:28 AM -03, Damian Tometzki wrote:
> On Sun, Mar 30, 2025 at 8:01 AM Kurt Borja <kuurtb@xxxxxxxxx> wrote:
>>
>> Hi Damian,
>>
>> On Sun Mar 30, 2025 at 2:19 AM -03, Damian Tometzki wrote:
>> > Hi together,
>> >
>> > I encountered a kernel crash on a Lenovo ThinkPad (BIOS N32ET95W 1.71)
>> > running Fedora with kernel 6.15 (merge window) 7f2ff7b62617. The issue
>> > is a NULL pointer dereference during initialization of the
>> > thinkpad_acpi module. The crash occurs in kobject_get() while handling
>> > RFKill device registration (tpacpi_new_rfkill → rfkill_register →
>> > device_add).
>> > With kernel 6.14 the system boots fine.
>> >
>> > Let me know if further logs or debugging info are needed. Below the short dump
>> >
>> > Mar 29 17:43:16.173712 fedora kernel: thinkpad_acpi: Disabling
>> > thinkpad-acpi brightness events by default...
>> > Mar 29 17:43:16.175636 fedora kernel: ACPI: bus type thunderbolt registered
>> > Mar 29 17:43:16.179626 fedora kernel: BUG: kernel NULL pointer
>> > dereference, address: 000000000000004c
>> > Mar 29 17:43:16.179689 fedora kernel: #PF: supervisor read access in kernel mode
>> > Mar 29 17:43:16.180235 fedora kernel: #PF: error_code(0x0000) - not-present page
>> > Mar 29 17:43:16.180290 fedora kernel: PGD 0 P4D 0
>> > Mar 29 17:43:16.180325 fedora kernel: Oops: Oops: 0000 [#1] SMP NOPTI
>> > Mar 29 17:43:16.180340 fedora kernel: CPU: 6 UID: 0 PID: 1015 Comm:
>> > (udev-worker) Not tainted 6.14.0 #355 PREEMPT(lazy)
>> > Mar 29 17:43:16.180449 fedora kernel: Hardware name: LENOVO
>> > 20XWCTO1WW/20XWCTO1WW, BIOS N32ET95W (1.71 ) 10/24/2024
>> > Mar 29 17:43:16.180469 fedora kernel: RIP: 0010:kobject_get+0xd/0x70
>> > Mar 29 17:43:16.180491 fedora kernel: Code: 66 66 2e 0f 1f 84 00 00 00
>> > 00 00 66 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e
>> > fa 53 48 89 fb 48 85 ff 74 1f <f6> 47 3c 01 74 22 48 8d 7b 38 b8 01
>> > 00>
>> > Mar 29 17:43:16.180506 fedora kernel: RSP: 0018:ffffd3d200b5f750
>> > EFLAGS: 00010202
>> > Mar 29 17:43:16.180523 fedora kernel: RAX: ffff8ebbc10fac00 RBX:
>> > 0000000000000010 RCX: 0000000000000000
>> > Mar 29 17:43:16.180534 fedora kernel: RDX: 0000000000000000 RSI:
>> > ffffffff9aebafa0 RDI: 0000000000000010
>> > Mar 29 17:43:16.180547 fedora kernel: RBP: ffff8ebbd49f4b88 R08:
>> > 0000000000000100 R09: 0000000000000000
>> > Mar 29 17:43:16.180559 fedora kernel: R10: ffffd3d200b5f760 R11:
>> > 0000000000000008 R12: 0000000000000010
>> > Mar 29 17:43:16.180573 fedora kernel: R13: ffff8ebbc8b12388 R14:
>> > ffffffffc14a7500 R15: 0000000000000000
>> > Mar 29 17:43:16.180587 fedora kernel: FS: 00007f1aa7c15040(0000)
>> > GS:ffff8ebf72546000(0000) knlGS:0000000000000000
>> > Mar 29 17:43:16.180606 fedora kernel: CS: 0010 DS: 0000 ES: 0000 CR0:
>> > 0000000080050033
>> > Mar 29 17:43:16.180630 fedora kernel: CR2: 000000000000004c CR3:
>> > 0000000113948001 CR4: 0000000000f70ef0
>> > Mar 29 17:43:16.180642 fedora kernel: PKRU: 55555554
>> > Mar 29 17:43:16.180654 fedora kernel: Call Trace:
>> > Mar 29 17:43:16.180664 fedora kernel: <TASK>
>> > Mar 29 17:43:16.180676 fedora kernel: ? show_trace_log_lvl+0x1d2/0x2f0
>> > Mar 29 17:43:16.180688 fedora kernel: ? show_trace_log_lvl+0x1d2/0x2f0
>> > Mar 29 17:43:16.180704 fedora kernel: ? show_trace_log_lvl+0x1d2/0x2f0
>> > Mar 29 17:43:16.180712 fedora kernel: ? device_add+0x8f/0x6e0
>> > Mar 29 17:43:16.180724 fedora kernel: ? __die_body.cold+0x8/0x12
>> > Mar 29 17:43:16.180739 fedora kernel: ? page_fault_oops+0x146/0x180
>> > Mar 29 17:43:16.180748 fedora kernel: ? exc_page_fault+0x7e/0x1a0
>> > Mar 29 17:43:16.180758 fedora kernel: ? asm_exc_page_fault+0x26/0x30
>> > Mar 29 17:43:16.180769 fedora kernel: ? __pfx_klist_children_get+0x10/0x10
>> > Mar 29 17:43:16.180781 fedora kernel: ? kobject_get+0xd/0x70
>> > Mar 29 17:43:16.180792 fedora kernel: device_add+0x8f/0x6e0
>> > Mar 29 17:43:16.180804 fedora kernel: rfkill_register+0xbc/0x2c0 [rfkill]
>> > Mar 29 17:43:16.180813 fedora kernel: tpacpi_new_rfkill+0x185/0x230
>> > [thinkpad_acpi]
>> > Mar 29 17:43:16.180826 fedora kernel: ibm_init+0x66/0x2a0 [thinkpad_acpi]
>> > Mar 29 17:43:16.180840 fedora kernel:
>> > tpacpi_pdriver_probe+0x160/0x250 [thinkpad_acpi]
>> > Mar 29 17:43:16.180852 fedora kernel: platform_probe+0x41/0xa0
>> > Mar 29 17:43:16.180887 fedora kernel: really_probe+0xdb/0x340
>> > Mar 29 17:43:16.180900 fedora kernel: ? pm_runtime_barrier+0x55/0x90
>> > Mar 29 17:43:16.180912 fedora kernel: ? __pfx___driver_attach+0x10/0x10
>> > Mar 29 17:43:16.180920 fedora kernel: __driver_probe_device+0x78/0x140
>> > Mar 29 17:43:16.180932 fedora kernel: driver_probe_device+0x1f/0xa0
>> > Mar 29 17:43:16.180942 fedora kernel: __driver_attach+0xb8/0x1d0
>> > Mar 29 17:43:16.180954 fedora kernel: bus_for_each_dev+0x82/0xd0
>> > Mar 29 17:43:16.180966 fedora kernel: bus_add_driver+0x12f/0x210
>> > Mar 29 17:43:16.180976 fedora kernel: driver_register+0x72/0xd0
>> > Mar 29 17:43:16.180988 fedora kernel: __platform_driver_probe+0x45/0x90
>> > Mar 29 17:43:16.180999 fedora kernel: __platform_create_bundle+0xe7/0x100
>> > Mar 29 17:43:16.181011 fedora kernel: ?
>> > __pfx_tpacpi_pdriver_probe+0x10/0x10 [thinkpad_acpi]
>> > Mar 29 17:43:16.181025 fedora kernel: ?
>> > __pfx_thinkpad_acpi_module_init+0x10/0x10 [thinkpad_acpi]
>> > Mar 29 17:43:16.181035 fedora kernel:
>> > thinkpad_acpi_module_init+0x37e/0x430 [thinkpad_acpi]
>> > Mar 29 17:43:16.181045 fedora kernel: do_one_initcall+0x58/0x300
>> > Mar 29 17:43:16.181053 fedora kernel: do_init_module+0x82/0x240
>> > Mar 29 17:43:16.181065 fedora kernel: init_module_from_file+0x8b/0xe0
>> > Mar 29 17:43:16.181073 fedora kernel: idempotent_init_module+0x113/0x310
>> > Mar 29 17:43:16.181083 fedora kernel: __x64_sys_finit_module+0x67/0xc0
>> > Mar 29 17:43:16.181093 fedora kernel: do_syscall_64+0x7f/0x170
>> > Mar 29 17:43:16.181103 fedora kernel: ? syscall_exit_to_user_mode+0x1d5/0x210
>> > Mar 29 17:43:16.181112 fedora kernel: ? do_syscall_64+0x8c/0x170
>> > Mar 29 17:43:16.181124 fedora kernel: ?
>> > syscall_exit_to_user_mode_prepare+0x14a/0x180
>> > Mar 29 17:43:16.181135 fedora kernel: ? syscall_exit_to_user_mode+0x10/0x210
>> > Mar 29 17:43:16.181144 fedora kernel: ? do_syscall_64+0x8c/0x170
>> > Mar 29 17:43:16.181152 fedora kernel: ?
>> > syscall_exit_to_user_mode_prepare+0x14a/0x180
>> > Mar 29 17:43:16.181163 fedora kernel: ? syscall_exit_to_user_mode+0x10/0x210
>> > Mar 29 17:43:16.181173 fedora kernel: ? do_syscall_64+0x8c/0x170
>> > Mar 29 17:43:16.181182 fedora kernel: ? seq_read_iter+0x20e/0x480
>> > Mar 29 17:43:16.181198 fedora kernel: ? vfs_read+0x29b/0x370
>> > Mar 29 17:43:16.181217 fedora kernel: ? __seccomp_filter+0x41/0x4e0
>> > Mar 29 17:43:16.181233 fedora kernel: ?
>> > syscall_exit_to_user_mode_prepare+0x14a/0x180
>> > Mar 29 17:43:16.181250 fedora kernel: ? syscall_exit_to_user_mode+0x10/0x210
>> > Mar 29 17:43:16.181264 fedora kernel: ? do_syscall_64+0x8c/0x170
>> > Mar 29 17:43:16.181280 fedora kernel: ? do_syscall_64+0x8c/0x170
>> > Mar 29 17:43:16.181292 fedora kernel: ?
>> > syscall_exit_to_user_mode_prepare+0x14a/0x180
>> > Mar 29 17:43:16.181316 fedora kernel: ? syscall_exit_to_user_mode+0x10/0x210
>> > Mar 29 17:43:16.181331 fedora kernel: ? clear_bhb_loop+0x35/0x90
>> > Mar 29 17:43:16.181341 fedora kernel: ? clear_bhb_loop+0x35/0x90
>> > Mar 29 17:43:16.181351 fedora kernel: ? clear_bhb_loop+0x35/0x90
>> > Mar 29 17:43:16.181360 fedora kernel: entry_SYSCALL_64_after_hwframe+0x76/0x7e
>> > Mar 29 17:43:16.181372 fedora kernel: RIP: 0033:0x7f1aa84c5a8d
>> > Mar 29 17:43:16.181381 fedora kernel: Code: ff c3 66 2e 0f 1f 84 00 00
>> > 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2
>> > 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d
>> > 4b>
>> > Mar 29 17:43:16.181392 fedora kernel: RSP: 002b:00007ffe5ca79bc8
>> > EFLAGS: 00000246 ORIG_RAX: 0000000000000139
>> > Mar 29 17:43:16.181406 fedora kernel: RAX: ffffffffffffffda RBX:
>> > 00005610a8c7deb0 RCX: 00007f1aa84c5a8d
>> > Mar 29 17:43:16.181419 fedora kernel: RDX: 0000000000000000 RSI:
>> > 00007f1aa7b88965 RDI: 0000000000000032
>> > Mar 29 17:43:16.181431 fedora kernel: RBP: 00007ffe5ca79c80 R08:
>> > 0000000000000000 R09: 00007ffe5ca79c30
>> > Mar 29 17:43:16.181441 fedora kernel: R10: 0000000000000000 R11:
>> > 0000000000000246 R12: 0000000000020000
>> > Mar 29 17:43:16.181448 fedora kernel: R13: 00005610a8c7f880 R14:
>> > 00007f1aa7b88965 R15: 0000000000000000
>> > Mar 29 17:43:16.181458 fedora kernel: </TASK>
>> > Mar 29 17:43:16.181472 fedora kernel: Modules linked in: cfg80211(+)
>> > thunderbolt(+) thinkpad_acpi(+) igen6_edac intel_soc_dts_iosf
>> > platform_profile snd soundcore int3403_thermal int340x_thermal_zone
>> > soc_button_>
>> > Mar 29 17:43:16.181784 fedora kernel: CR2: 000000000000004c
>> > Mar 29 17:43:16.181806 fedora kernel: ---[ end trace 0000000000000000 ]---
>> >
>> > Best regards
>> > Damian
>>
>> Hmmm - I have a feeling about this one.
>>
>> Can you apply and test the attached proposed patch? If you do, please
>> verify whether the problem persists and whether the driver still has all
>> the features that were present before the regression.
>>
>> If everything goes nicely, feel free to add a Tested-by: tag for when I
>> submit this.
>>
>> --
>> ~ Kurt
>
> Hi Kurt,
>
> many thanks for the fast response.
> With this patch my system boots again, but I have another dump in dmesg
Oh, makes sense. It's the same problem but it was hidden because of the
previous one.
The attached patch should fix it.
--
~ Kurt
From 4cd53867580d85128ef81bd076e423faf4069076 Mon Sep 17 00:00:00 2001
From: Kurt Borja <kuurtb@xxxxxxxxx>
Date: Sun, 30 Mar 2025 02:53:26 -0300
Subject: [PATCH] platform/x86: thinkpad_acpi: Fix rfkill null pointer deref
Signed-off-by: Kurt Borja <kuurtb@xxxxxxxxx>
---
drivers/platform/x86/thinkpad_acpi.c | 24 ++++++++++++++++--------
1 file changed, 16 insertions(+), 8 deletions(-)
diff --git a/drivers/platform/x86/thinkpad_acpi.c b/drivers/platform/x86/thinkpad_acpi.c
index 0384cf311878..a17efb68664c 100644
--- a/drivers/platform/x86/thinkpad_acpi.c
+++ b/drivers/platform/x86/thinkpad_acpi.c
@@ -367,6 +367,7 @@ static struct {
u32 beep_needs_two_args:1;
u32 mixer_no_level_control:1;
u32 battery_force_primary:1;
+ u32 platform_drv_registered:1;
u32 hotkey_poll_active:1;
u32 has_adaptive_kbd:1;
u32 kbd_lang:1;
@@ -11820,10 +11821,10 @@ static void thinkpad_acpi_module_exit(void)
platform_device_unregister(tpacpi_sensors_pdev);
}
- if (tpacpi_pdev) {
+ if (tp_features.platform_drv_registered)
platform_driver_unregister(&tpacpi_pdriver);
+ if (tpacpi_pdev)
platform_device_unregister(tpacpi_pdev);
- }
if (proc_dir)
remove_proc_entry(TPACPI_PROC_DIR, acpi_root_dir);
@@ -11893,9 +11894,8 @@ static int __init tpacpi_pdriver_probe(struct platform_device *pdev)
static int __init tpacpi_hwmon_pdriver_probe(struct platform_device *pdev)
{
- tpacpi_hwmon = devm_hwmon_device_register_with_groups(
- &tpacpi_sensors_pdev->dev, TPACPI_NAME, NULL, tpacpi_hwmon_groups);
-
+ tpacpi_hwmon = devm_hwmon_device_register_with_groups(&pdev->dev, TPACPI_NAME,
+ NULL, tpacpi_hwmon_groups);
if (IS_ERR(tpacpi_hwmon))
pr_err("unable to register hwmon device\n");
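Review bot: The switch to `&pdev->dev` in `tpacpi_hwmon_pdriver_probe` has no comment saying why the global must not be used here, and the reason is not obvious from the line itself. The last hunk shows `tpacpi_sensors_pdev` being assigned from the return value of `platform_create_bundle()`, the same call that is handed this probe, so the global is presumably still NULL while the probe runs. I would add above the call `/* Use pdev: tpacpi_sensors_pdev is not assigned until platform_create_bundle() returns */`. The probe's error handling continues past the end of the hunk, so whether the `IS_ERR` branch propagates the error cannot be checked from here.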
@@ -11965,16 +11965,24 @@ static int __init thinkpad_acpi_module_init(void)
tp_features.quirks = dmi_id->driver_data;
/* Device initialization */
- tpacpi_pdev = platform_create_bundle(&tpacpi_pdriver, tpacpi_pdriver_probe,
- NULL, 0, NULL, 0);
+ tpacpi_pdev = platform_device_register_simple(TPACPI_DRVR_NAME, PLATFORM_DEVID_NONE,
+ NULL, 0);
if (IS_ERR(tpacpi_pdev)) {
ret = PTR_ERR(tpacpi_pdev);
tpacpi_pdev = NULL;
- pr_err("unable to register platform device/driver bundle\n");
+ pr_err("unable to register platform device\n");
thinkpad_acpi_module_exit();
return ret;
}
+ ret = platform_driver_probe(&tpacpi_pdriver, tpacpi_pdriver_probe);
+ if (ret) {
+ pr_err("unable to register main platform driver\n");
+ thinkpad_acpi_module_exit();
+ return ret;
+ }
+ tp_features.platform_drv_registered = 1;
+
tpacpi_sensors_pdev = platform_create_bundle(&tpacpi_hwmon_pdriver,
tpacpi_hwmon_pdriver_probe,
NULL, 0, NULL, 0);
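Review bot: The new two-step registration depends on `tpacpi_pdev` being assigned before `platform_driver_probe()` runs the probe, and nothing in the code states that invariant. The reported oops faults in `kobject_get()` under `tpacpi_new_rfkill` → `rfkill_register` → `device_add`, which is consistent with subdriver init reading a still-NULL `tpacpi_pdev`, so a later cleanup back to a bundle helper could reintroduce the crash without any compiler warning. I would add above the probe call `/* tpacpi_pdev must be valid here: subdriver init run from the probe uses &tpacpi_pdev->dev */`. The hwmon bundle at the end of the hunk keeps the assign-after-probe shape, so anything reached from `tpacpi_hwmon_pdriver_probe` has to keep using its `pdev` argument rather than the global. `thinkpad_acpi_module_init` starts and ends outside the hunk.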
--
2.49.0