Bug 2389625

Summary: [abrt] bmc150_accel_buffer_postenable: BUG: kernel NULL pointer dereference, address: 0000000000000001 [bmc150_accel_core]
Product: [Fedora] Fedora Reporter: goldentiger24
Component: kernelAssignee: Kernel Maintainer List <kernel-maint>
Status: NEW --- QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 42CC: acaringi, adscvr, airlied, goldentiger24, hdegoede, highwaystar.ru, howl.nsp, hpa, josef, kernel-maint, linville, masami256, mchehab, ptalbert, steved, suraj.ghimire7
Target Milestone: ---   
Target Release: ---   
Hardware: x86_64   
OS: Unspecified   
URL: https://retrace.fedoraproject.org/faf/reports/bthash/efde6e2de1362169a27f1fe3f765e9fa9bddaaa
Whiteboard: abrt_hash:93248e3f4c1d5519988030a767eabf4fb428bafe;VARIANT_ID=kde;
Fixed In Version: Doc Type: ---
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description goldentiger24 2025-08-20 01:41:06 UTC 
Description of problem:
Problem happened after normal system updates. The computer booted extremely slowly to the login prompt and booted unusually after that (no KDE splash screen and just a frozen Fedora screen until the desktop eventually loaded).

Problem was resolved by stopping, disabling, and masking the iio-sensor-proxy.service. This was verified by the computer booting quickly again and by looking at dmesg (which showed a kernel specific bug before this fix and did not show that bug after this fix).

The laptop this happened on has a touchscreen and the screen can fold backwards to make it like a tablet. As such, the laptop may have some sort of sensor that iio-sensor-proxy.service is now not getting along with.

Additional info:
reporter:       libreport-2.17.15
BUG: kernel NULL pointer dereference, address: 0000000000000001
#PF: supervisor read access in kernel mode
#PF: error_code(0x0000) - not-present page
PGD 0 P4D 0 
Oops: Oops: 0000 [#1] SMP PTI
CPU: 0 UID: 0 PID: 1039 Comm: iio-sensor-prox Not tainted 6.15.9-201.fc42.x86_64 #1 PREEMPT(lazy) 
Hardware name: LENOVO 20HSS00Q00/20HSS00Q00, BIOS R0LET22W (1.07 ) 05/11/2017
RIP: 0010:bmc150_accel_set_interrupt+0x73/0x140 [bmc150_accel_core]
Code: 84 83 00 00 00 b8 01 00 00 00 f0 0f c1 06 83 c0 01 83 f8 01 7f 5f 49 8b 3c 24 be 01 00 00 00 e8 93 fa ff ff 89 c5 85 c0 75 4d <0f> b6 53 01 0f b6 33 45 31 c9 45 31 c0 49 8b 3c 24 6a 00 89 d1 e8
RSP: 0018:ffffcc27406dfc90 EFLAGS: 00010246
RAX: 0000000000000000 RBX: 0000000000000000 RCX: 00000000ffffff01
RDX: ffffffff96583025 RSI: 0000000000000202 RDI: ffff88e4c02a4104
RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: fffff54104037e80 R12: ffff88e4cda49570
R13: ffff88e4cda49330 R14: ffff88e4c02a4020 R15: ffff88e4cda49000
FS:  00007fbf1dba0940(0000) GS:ffff88e63e670000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000001 CR3: 000000010e572005 CR4: 00000000003726f0
Call Trace:
 <TASK>
 bmc150_accel_buffer_postenable+0x5e/0xa0 [bmc150_accel_core]
 iio_enable_buffers+0x172/0x2c0 [industrialio]
 __iio_update_buffers+0x237/0x2e0 [industrialio]
 enable_store+0x81/0xe0 [industrialio]
 kernfs_fop_write_iter+0x135/0x1f0
 vfs_write+0x28b/0x470
 ksys_write+0x73/0xe0
 do_syscall_64+0x7b/0x160
 ? ksys_write+0xa8/0xe0
 ? syscall_exit_to_user_mode+0x10/0x210
 ? do_syscall_64+0x87/0x160
 ? syscall_exit_to_user_mode+0x10/0x210
 ? do_syscall_64+0x87/0x160
 ? exc_page_fault+0x7e/0x1a0
 entry_SYSCALL_64_after_hwframe+0x76/0x7e
RIP: 0033:0x7fbf1df36642
Code: 08 0f 85 81 42 ff ff 49 89 fb 48 89 f0 48 89 d7 48 89 ce 4c 89 c2 4d 89 ca 4c 8b 44 24 08 4c 8b 4c 24 10 4c 89 5c 24 08 0f 05 <c3> 66 2e 0f 1f 84 00 00 00 00 00 66 2e 0f 1f 84 00 00 00 00 00 66
RSP: 002b:00007ffc83469198 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
RAX: ffffffffffffffda RBX: 0000000000000001 RCX: 00007fbf1df36642
RDX: 0000000000000001 RSI: 00007ffc83469370 RDI: 0000000000000009
RBP: 00007ffc834691d0 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000001
R13: 00007ffc83469370 R14: 000055e555be8fd0 R15: 0000000000000002
 </TASK>
Modules linked in: bnep snd_sof_pci_intel_skl snd_sof_intel_hda_generic soundwire_intel snd_sof_intel_hda_sdw_bpt snd_sof_intel_hda_common snd_soc_hdac_hda snd_sof_intel_hda_mlink snd_sof_intel_hda soundwire_cadence snd_sof_pci snd_sof_xtensa_dsp snd_sof snd_sof_utils snd_soc_acpi_intel_match snd_soc_acpi_intel_sdca_quirks soundwire_generic_allocation snd_soc_acpi intel_rapl_msr crc8 soundwire_bus intel_rapl_common snd_soc_sdca intel_uncore_frequency snd_soc_avs intel_uncore_frequency_common intel_pmc_core_pltdrv intel_pmc_core snd_soc_hda_codec pmt_telemetry snd_hda_ext_core pmt_class iwlmvm intel_vsec snd_soc_core snd_hda_codec_hdmi intel_tcc_cooling x86_pkg_temp_thermal intel_powerclamp coretemp snd_compress kvm_intel snd_hda_codec_realtek ac97_bus mac80211 snd_hda_codec_generic snd_hda_scodec_component btusb kvm snd_pcm_dmaengine libarc4 snd_hda_intel btrtl btintel mei_hdcp mei_pxp uvcvideo irqbypass btbcm snd_intel_dspcfg iTCO_wdt uvc ee1004 btmtk videobuf2_vmalloc intel_pmc_bxt snd_intel_sdw_acpi
 videobuf2_memops iTCO_vendor_support snd_hda_codec videobuf2_v4l2 iwlwifi bluetooth videobuf2_common snd_hda_core videodev rapl snd_hwdep intel_cstate snd_seq intel_uncore bmi323_i2c mc snd_ctl_led bmi323_core intel_wmi_thunderbolt wmi_bmof snd_seq_device pcspkr mei_me think_lmi cfg80211 i2c_i801 snd_pcm i2c_smbus firmware_attributes_class vfat fat mei snd_timer intel_xhci_usb_role_switch bmc150_accel_i2c thinkpad_acpi bmc150_accel_core industrialio_triggered_buffer idma64 intel_pch_thermal kfifo_buf sparse_keymap industrialio platform_profile rfkill snd soundcore acpi_pad joydev loop zram lz4hc_compress lz4_compress i915 i2c_algo_bit drm_buddy ttm drm_display_helper r8169 polyval_clmulni wacom polyval_generic ghash_clmulni_intel sha512_ssse3 sha256_ssse3 sha1_ssse3 realtek cec i2c_hid_acpi i2c_hid video pinctrl_sunrisepoint wmi serio_raw sunrpc iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi fuse i2c_dev nfnetlink
CR2: 0000000000000001
Comment 1 David SantamarĂ­a Rogado 2025-09-03 01:27:23 UTC 
Lenovo ideapad D330-10IGM is also affected and this patch seems to be the solution https://lore.kernel.org/lkml/20250613124648.14141-1-marek.vasut+bmc150@mailbox.org/
Comment 2 birger 2025-10-28 22:01:35 UTC 
Description of problem:
during boot

Version-Release number of selected component:
kernel-core-6.17.4-200.fc42

Additional info:
reporter:       libreport-2.17.15
kernel:         6.17.4-200.fc42.x86_64
crash_function: __pm_runtime_resume
reason:         BUG: kernel NULL pointer dereference, address: 0000000000000001
type:           Kerneloops
cmdline:        BOOT_IMAGE=(hd0,gpt2)/vmlinuz-6.17.4-200.fc42.x86_64 root=UUID=e28b0d3b-f18d-4645-b862-d5818849748c ro rootflags=subvol=root resume=UUID=06497cc5-de51-4001-a561-4515b611434e rhgb quiet crashkernel=1G-4G:192M,4G-64G:256M,64G-:512M
package:        kernel-core-6.17.4-200.fc42
runlevel:       unknown
comment:        during boot

Truncated backtrace:
#1 [TASK] ? __pm_runtime_resume
#2 [TASK] bmc150_accel_buffer_postenable in bmc150_accel_core
#3 [TASK] iio_enable_buffers in industrialio
#4 [TASK] __iio_update_buffers in industrialio
#5 [TASK] enable_store in industrialio
#6 [TASK] kernfs_fop_write_iter
#7 [TASK] vfs_write
#8 [TASK] ksys_write
#9 [TASK] do_syscall_64
#10 [TASK] ? kmem_cache_free
#11 [TASK] ? __x64_sys_close
#12 [TASK] ? __x64_sys_close
#13 [TASK] ? do_syscall_64
#14 [TASK] ? arch_exit_to_user_mode_prepare
#15 [TASK] ? irqentry_exit_to_user_mode
#16 [TASK] entry_SYSCALL_64_after_hwframe
Comment 3 Vitalii Tomin 2025-11-06 15:09:17 UTC 
I have same issue on Linux fedora 6.17.7-300.fc43.x86_64 #1 SMP PREEMPT_DYNAMIC Sun Nov  2 15:30:09 UTC 2025 x86_64 GNU/Linux

Also same on Live Fedora KDE 43, but tried Fedora KDE 42 and here it works fine.


Here is log from 6.17.7-300.fc43:

[Thu Nov  6 22:36:44 2025] BUG: kernel NULL pointer dereference, address: 0000000000000001
[Thu Nov  6 22:36:44 2025] #PF: supervisor read access in kernel mode
[Thu Nov  6 22:36:44 2025] #PF: error_code(0x0000) - not-present page
[Thu Nov  6 22:36:44 2025] PGD 0 P4D 0 
[Thu Nov  6 22:36:44 2025] Oops: Oops: 0000 [#1] SMP NOPTI
[Thu Nov  6 22:36:44 2025] CPU: 1 UID: 0 PID: 727 Comm: iio-sensor-prox Tainted: G        W           6.17.7-300.fc43.x86_64 #1 PREEMPT(lazy) 
[Thu Nov  6 22:36:44 2025] Tainted: [W]=WARN
[Thu Nov  6 22:36:44 2025] Hardware name: ShenZhen ZhiWei Technology Co.,Ltd NA08H/Zwide Inc., BIOS 5.27 09/11/2025
[Thu Nov  6 22:36:44 2025] RIP: 0010:bmc150_accel_set_interrupt+0x73/0x140 [bmc150_accel_core]
[Thu Nov  6 22:36:44 2025] Code: 84 83 00 00 00 b8 01 00 00 00 f0 0f c1 06 83 c0 01 83 f8 01 7f 5f 49 8b 3c 24 be 01 00 00 00 e8 83 fa ff ff 89 c5 85 c0 75 4d <0f> b6 53 01 0f b6 33 45 31 c9 45 31 c0 49 8b 3c 24 6a 00 89 d1 e8
[Thu Nov  6 22:36:44 2025] RSP: 0018:ffffd0bf0249bb58 EFLAGS: 00010246
[Thu Nov  6 22:36:44 2025] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 00000000ffffff01
[Thu Nov  6 22:36:44 2025] RDX: ffffffffa19cd465 RSI: 0000000000000202 RDI: ffff8d10c3387904
[Thu Nov  6 22:36:44 2025] RBP: 0000000000000000 R08: 0000000000000000 R09: ffff8d10c72e7800
[Thu Nov  6 22:36:44 2025] R10: 0000000000000000 R11: fffff0f5041263c0 R12: ffff8d10c19da578
[Thu Nov  6 22:36:44 2025] R13: ffff8d10c19da338 R14: ffff8d10c3387820 R15: ffff8d10c19da000
[Thu Nov  6 22:36:44 2025] FS:  00007f5de518f980(0000) GS:ffff8d148b8c4000(0000) knlGS:0000000000000000
[Thu Nov  6 22:36:44 2025] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[Thu Nov  6 22:36:44 2025] CR2: 0000000000000001 CR3: 0000000109d33001 CR4: 0000000000f72ef0
[Thu Nov  6 22:36:44 2025] PKRU: 55555554
[Thu Nov  6 22:36:44 2025] Call Trace:
[Thu Nov  6 22:36:44 2025]  <TASK>
[Thu Nov  6 22:36:44 2025]  ? __pm_runtime_resume+0x5f/0x90
[Thu Nov  6 22:36:44 2025]  bmc150_accel_buffer_postenable+0x5e/0xa0 [bmc150_accel_core]
[Thu Nov  6 22:36:44 2025]  iio_enable_buffers+0x172/0x2c0 [industrialio]
[Thu Nov  6 22:36:44 2025]  __iio_update_buffers+0x237/0x2e0 [industrialio]
[Thu Nov  6 22:36:44 2025]  enable_store+0x81/0xe0 [industrialio]
[Thu Nov  6 22:36:44 2025]  kernfs_fop_write_iter+0x14a/0x200
[Thu Nov  6 22:36:44 2025]  vfs_write+0x25a/0x480
[Thu Nov  6 22:36:44 2025]  ksys_write+0x73/0xf0
[Thu Nov  6 22:36:44 2025]  do_syscall_64+0x7e/0x250
[Thu Nov  6 22:36:44 2025]  ? do_sys_openat2+0xa2/0xe0
[Thu Nov  6 22:36:44 2025]  ? __x64_sys_openat+0x61/0xa0
[Thu Nov  6 22:36:44 2025]  ? do_syscall_64+0xb6/0x250
[Thu Nov  6 22:36:44 2025]  ? __x64_sys_openat+0x61/0xa0
[Thu Nov  6 22:36:44 2025]  ? do_syscall_64+0xb6/0x250
[Thu Nov  6 22:36:44 2025]  ? __x64_sys_close+0x3d/0x80
[Thu Nov  6 22:36:44 2025]  ? do_syscall_64+0xb6/0x250
[Thu Nov  6 22:36:44 2025]  ? irqentry_exit_to_user_mode+0x2c/0x1c0
[Thu Nov  6 22:36:44 2025]  entry_SYSCALL_64_after_hwframe+0x76/0x7e
[Thu Nov  6 22:36:44 2025] RIP: 0033:0x7f5de5531982
[Thu Nov  6 22:36:44 2025] Code: 08 0f 85 21 42 ff ff 49 89 fb 48 89 f0 48 89 d7 48 89 ce 4c 89 c2 4d 89 ca 4c 8b 44 24 08 4c 8b 4c 24 10 4c 89 5c 24 08 0f 05 <c3> 66 2e 0f 1f 84 00 00 00 00 00 66 2e 0f 1f 84 00 00 00 00 00 66
[Thu Nov  6 22:36:44 2025] RSP: 002b:00007ffc4668e6a8 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
[Thu Nov  6 22:36:44 2025] RAX: ffffffffffffffda RBX: 000056444a53a5b0 RCX: 00007f5de5531982
[Thu Nov  6 22:36:44 2025] RDX: 0000000000000001 RSI: 00007ffc4668e870 RDI: 0000000000000009
[Thu Nov  6 22:36:44 2025] RBP: 00007ffc4668e6d0 R08: 0000000000000000 R09: 0000000000000000
[Thu Nov  6 22:36:44 2025] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000001
[Thu Nov  6 22:36:44 2025] R13: 0000000000000001 R14: 00007ffc4668e870 R15: 0000000000000002
[Thu Nov  6 22:36:44 2025]  </TASK>
[Thu Nov  6 22:36:44 2025] Modules linked in: sunrpc snd_hda_codec_intelhdmi snd_hda_codec_alc269 snd_hda_scodec_component snd_hda_codec_realtek_lib snd_hda_codec_generic snd_hda_intel bnep snd_sof_pci_intel_tgl snd_sof_pci_intel_cnl snd_sof_intel_hda_generic soundwire_intel snd_sof_intel_hda_sdw_bpt snd_sof_intel_hda_common snd_soc_hdac_hda snd_sof_intel_hda_mlink snd_sof_intel_hda snd_hda_codec_hdmi soundwire_cadence snd_sof_pci snd_sof_xtensa_dsp snd_sof snd_sof_utils snd_soc_acpi_intel_match intel_rapl_msr intel_rapl_common snd_soc_acpi_intel_sdca_quirks soundwire_generic_allocation snd_soc_acpi crc8 soundwire_bus x86_pkg_temp_thermal intel_powerclamp coretemp snd_soc_sdca iTCO_wdt kvm_intel spi_nor intel_pmc_bxt mtd mei_hdcp iTCO_vendor_support mei_pxp joydev snd_soc_avs kvm snd_soc_hda_codec snd_hda_ext_core snd_hda_codec iwlmvm snd_hda_core irqbypass rapl snd_intel_dspcfg snd_usb_audio(+) snd_intel_sdw_acpi mac80211 snd_usbmidi_lib intel_cstate snd_soc_core snd_hwdep snd_ump snd_rawmidi snd_compress ac97_bus snd_pcm_dmaengine
[Thu Nov  6 22:36:44 2025]  libarc4 intel_uncore wmi_bmof snd_seq snd_seq_device pcspkr uvcvideo snd_pcm spi_intel_pci uvc videobuf2_vmalloc videobuf2_memops i2c_i801 iwlwifi videobuf2_v4l2 bmi323_i2c bmi323_core spi_intel i2c_smbus snd_timer vfat videobuf2_common snd fat videodev soundcore cfg80211 mei_me mc mei idma64 bmc150_accel_i2c igen6_edac bmc150_accel_core industrialio_triggered_buffer kfifo_buf industrialio goodix_ts intel_pmc_core pmt_telemetry pmt_discovery soc_button_array pmt_class intel_hid intel_pmc_ssram_telemetry acpi_tad sparse_keymap acpi_pad btusb btrtl btintel btbcm btmtk bluetooth rfkill loop nfnetlink zram lz4hc_compress lz4_compress xe drm_ttm_helper drm_suballoc_helper gpu_sched drm_gpuvm drm_exec i915 nvme sdhci_pci sdhci_uhs2 polyval_clmulni ghash_clmulni_intel sdhci i2c_algo_bit intel_ish_ipc nvme_core drm_buddy cqhci ttm nvme_keyring mmc_core nvme_auth spi_pxa2xx_platform drm_display_helper intel_ishtp dw_dmac intel_vsec spi_pxa2xx_core cec video intel_oc_wdt wmi pinctrl_alderlake serio_raw fuse i2c_dev

[Thu Nov  6 22:36:44 2025] CR2: 0000000000000001
[Thu Nov  6 22:36:44 2025] ---[ end trace 0000000000000000 ]---
[Thu Nov  6 22:36:44 2025] RIP: 0010:bmc150_accel_set_interrupt+0x73/0x140 [bmc150_accel_core]
[Thu Nov  6 22:36:44 2025] Code: 84 83 00 00 00 b8 01 00 00 00 f0 0f c1 06 83 c0 01 83 f8 01 7f 5f 49 8b 3c 24 be 01 00 00 00 e8 83 fa ff ff 89 c5 85 c0 75 4d <0f> b6 53 01 0f b6 33 45 31 c9 45 31 c0 49 8b 3c 24 6a 00 89 d1 e8
[Thu Nov  6 22:36:44 2025] RSP: 0018:ffffd0bf0249bb58 EFLAGS: 00010246
[Thu Nov  6 22:36:44 2025] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 00000000ffffff01
[Thu Nov  6 22:36:44 2025] RDX: ffffffffa19cd465 RSI: 0000000000000202 RDI: ffff8d10c3387904
[Thu Nov  6 22:36:44 2025] RBP: 0000000000000000 R08: 0000000000000000 R09: ffff8d10c72e7800
[Thu Nov  6 22:36:44 2025] R10: 0000000000000000 R11: fffff0f5041263c0 R12: ffff8d10c19da578
[Thu Nov  6 22:36:44 2025] R13: ffff8d10c19da338 R14: ffff8d10c3387820 R15: ffff8d10c19da000
[Thu Nov  6 22:36:44 2025] FS:  00007f5de518f980(0000) GS:ffff8d148b8c4000(0000) knlGS:0000000000000000
[Thu Nov  6 22:36:44 2025] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
Comment 4 Vitalii Tomin 2025-11-09 16:34:25 UTC 
I have edited and rebuilt drivers/iio/accel/bmc150-accel-core.c

static int bmc150_accel_set_interrupt(struct bmc150_accel_data *data, int i,
                                      bool state)


ret = bmc150_accel_set_power_state(data, state);
if (ret < 0)
       return ret;
+if(!info)
+       return 0;

/* map the interrupt to the appropriate pins */


After such edit module loads fine and accelerometer works. The root of issue is unclear, bmc150-accel-core.c shows few changes since fedora 42, maybe iio-sensor-proxy changed in way it request interrupt when info structure is empty.