Public bug reported:
Hello,
I am experiencing a kernel-level bug with the btusb driver on my Lenovo
ThinkPad E14 Gen 7 running the linux-image-6.14.0-1014-oem kernel on
Ubuntu 24.04.
Symptoms:
1. Bluetooth Cannot Be Turned Off: Attempting to toggle Bluetooth off
from the system settings fails. The icon disappears for a moment, but
the hci0 device immediately resets and powers back on.
2. Cannot Connect Devices: All Bluetooth connection attempts to audio
devices (e.g., Sony WH-CH520) fail instantly.
Initial Log Evidence:
My dmesg log showed the following error when trying to toggle Bluetooth off,
indicating a driver timeout and a forced USB reset:
[14133.682922] Bluetooth: hci0: command 0x0c1a tx timeout
[14133.682948] Bluetooth: hci0: Initiating acpi reset method
[14133.683042] Bluetooth: hci0: Opcode 0x0c1a failed: -110
[14133.683066] Bluetooth: hci0: Error when powering off device on rfkill (-110)
[14133.786281] usb 3-10: USB disconnect, device number 6
[14144.332753] usb 3-10: new full-speed USB device number 7 using xhci_hcd
[14144.463755] Bluetooth: hci0: Device revision is 0
[14144.470583] Bluetooth: hci0: Found device firmware: intel/ibt-0040-0041.sfi
The bluetoothd log showed Connection refused (111) and Too many levels
of symbolic links (40), likely due to the unstable driver corrupting the
service's state.
Kernel Oops (Crash Confirmation):
The problem is confirmed to be in the btusb driver's power management. The
enable_autosuspend parameter was set to Y by default.
Attempting to reload the driver with sudo modprobe -r btusb && sudo modprobe
btusb caused a full kernel Oops (NULL pointer dereference) in btusb_suspend,
proving the suspend/power-down code path is buggy.
Full Kernel Oops Log:
[21010.728685] refcount_t: addition on 0; use-after-free.
[21010.728705] WARNING: CPU: 10 PID: 10438 at lib/refcount.c:25
refcount_warn_saturate+0x12e/0x150
[21010.728971] CPU: 10 UID: 0 PID: 10438 Comm: kworker/10:1 Not tainted
6.14.0-1014-oem #14-Ubuntu
[21010.728980] Workqueue: pm pm_runtime_work
[21010.728992] RIP: 0010:refcount_warn_saturate+0x12e/0x150
[21010.729031] Call Trace:
[21010.729034] <TASK>
[21010.729040] usb_get_urb.part.0+0x4d/0x60
[21010.729050] usb_kill_anchored_urbs+0x3a/0x110
[21010.729060] btusb_suspend+0xad/0x200 [btusb]
[21010.729068] usb_suspend_both+0xa6/0x320
[21010.729089] usb_runtime_suspend+0x2f/0x80
[21010.729095] __rpm_callback+0x4d/0x170
[21010.729116] rpm_callback+0x64/0x70
[21010.729126] rpm_suspend+0xe4/0x5f0
[21010.729141] pm_runtime_work+0xc6/0xe0
[21010.729148] process_one_work+0x178/0x3d0
[21010.729156] worker_thread+0x2de/0x410
[21010.729168] kthread+0xfb/0x230
[21010.729177] ret_from_fork+0x44/0x70
[21010.729186] ret_from_fork_asm+0x1a/0x30
[21010.729195] </TASK>
[21010.729198] ---[ end trace 0000000000000000 ]---
[21010.729238] ------------[ cut here ]------------
[21010.729242] kobject: '(null)' (00000000e2d98778): is not initialized, yet
kobject_get() is being called.
[21010.729271] WARNING: CPU: 10 PID: 10438 at lib/kobject.c:640
kobject_get+0x51/0x80
[21010.729638] RIP: 0010:kobject_get+0x51/0x80
[21010.729682] Call Trace:
[21010.729684] <TASK>
[21010.729686] get_device+0x13/0x30
[21010.729692] usb_get_dev+0x1e/0x30
[21010.729698] usb_hcd_unlink_urb+0x68/0xf0
[21010.729704] usb_kill_urb.part.0+0x2e/0xd0
[21010.729720] usb_kill_anchored_urbs+0x5d/0x110
[21010.729728] btusb_suspend+0xad/0x200 [btusb]
[21010.729737] usb_suspend_both+0xa6/0x320
...
[21010.729857] </TASK>
[21010.729859] ---[ end trace 0000000000000000 ]---
[21010.729867] BUG: kernel NULL pointer dereference, address: 0000000000000000
[21010.729875] #PF: supervisor read access in kernel mode
[21010.729880] #PF: error_code(0x0000) - not-present page
[21010.729890] Oops: 0000 [#1] PREEMPT SMP NOPTI
[21010.729915] RIP: 0010:unlink1+0x86/0x160
[21010.729964] <TASK>
[21010.729967] usb_hcd_unlink_urb+0x8a/0xf0
[21010.729974] usb_kill_urb.part.0+0x2e/0xd0
[21010.729988] usb_kill_anchored_urbs+0x5d/0x110
[21010.729997] btusb_suspend+0xad/0x200 [btusb]
[21010.730005] usb_suspend_both+0xa6/0x320
[21010.730026] usb_runtime_suspend+0x2f/0x80
[21010.730032] __rpm_callback+0x4d/0x170
[21010.730055] rpm_callback+0x64/0x70
[21010.730068] rpm_suspend+0xe4/0x5f0
[21010.730083] pm_runtime_work+0xc6/0xe0
[21010.730090] process_one_work+0x178/0x3d0
[21010.730098] worker_thread+0x2de/0x410
[21010.730119] kthread+0xfb/0x230
[21010.730128] ret_from_fork+0x44/0x70
[21010.730135] ret_from_fork_asm+0x1a/0x30
[21010.730145] </TASK>
[21012.150905] note: kworker/10:1[10438] exited with preempt_count 1
Successful Workaround:
I was able to completely fix all symptoms by disabling btusb
autosuspend.
1. Created the file /etc/modprobe.d/btusb-autosuspend.conf
2. Added the line: options btusb enable_autosuspend=0
3. After rebooting, cat /sys/module/btusb/parameters/enable_autosuspend
correctly shows N.
This stabilizes the driver. As a final step, the corrupted bluez cache
had to be cleared to restore connectivity: sudo rm -rf
/var/lib/bluetooth/*
After these two fixes (disabling autosuspend and clearing the cache),
the system is now 100% stable. Bluetooth can be toggled, and devices
connect perfectly.
This appears to be a bug in the btusb driver's suspend/resume logic for
this specific hardware and kernel.
ProblemType: Bug
DistroRelease: Ubuntu 24.04
Package: linux-image-6.14.0-1014-oem 6.14.0-1014.14
ProcVersionSignature: Ubuntu 6.14.0-1014.14-oem 6.14.11
Uname: Linux 6.14.0-1014-oem x86_64
ApportVersion: 2.28.1-0ubuntu3.8
Architecture: amd64
AudioDevicesInUse:
USER PID ACCESS COMMAND
/dev/snd/controlC0: kostiantyn-makarenko 2282 F.... pipewire
kostiantyn-makarenko 2285 F.... wireplumber
/dev/snd/seq: kostiantyn-makarenko 2282 F.... pipewire
CRDA: N/A
CasperMD5CheckResult: pass
CurrentDesktop: ubuntu:GNOME
Date: Wed Oct 22 21:04:53 2025
InstallationDate: Installed on 2025-08-08 (75 days ago)
InstallationMedia: Ubuntu 24.04.3 LTS "Noble Numbat" - Release amd64
(20250805.1)
MachineType: LENOVO 21T9CTO1WW
ProcEnviron:
LANG=en_US.UTF-8
PATH=(custom, no user)
SHELL=/bin/bash
TERM=xterm-256color
XDG_RUNTIME_DIR=<set>
ProcFB: 0 i915drmfb
ProcKernelCmdLine: BOOT_IMAGE=/boot/vmlinuz-6.14.0-1014-oem
root=UUID=bf0e73c2-ecc6-492d-91a0-4fa326ab0ce9 ro quiet splash vt.handoff=7
RelatedPackageVersions:
linux-restricted-modules-6.14.0-1014-oem N/A
linux-backports-modules-6.14.0-1014-oem N/A
linux-firmware 20240318.git3b128b60-0ubuntu2.19
SourcePackage: linux-oem-6.14
UpgradeStatus: No upgrade log present (probably fresh install)
dmi.bios.date: 05/09/2025
dmi.bios.release: 1.5
dmi.bios.vendor: LENOVO
dmi.bios.version: R2YET16W(1.05)
dmi.board.asset.tag: Not Available
dmi.board.name: 21T9CTO1WW
dmi.board.vendor: LENOVO
dmi.board.version: SDK0T76463 WIN
dmi.chassis.asset.tag: No Asset Tag
dmi.chassis.type: 10
dmi.chassis.vendor: LENOVO
dmi.chassis.version: None
dmi.ec.firmware.release: 1.5
dmi.modalias:
dmi:bvnLENOVO:bvrR2YET16W(1.05):bd05/09/2025:br1.5:efr1.5:svnLENOVO:pn21T9CTO1WW:pvrThinkPadE14Gen7:rvnLENOVO:rn21T9CTO1WW:rvrSDK0T76463WIN:cvnLENOVO:ct10:cvrNone:skuLENOVO_MT_21T9_BU_Think_FM_ThinkPadE14Gen7:
dmi.product.family: ThinkPad E14 Gen 7
dmi.product.name: 21T9CTO1WW
dmi.product.sku: LENOVO_MT_21T9_BU_Think_FM_ThinkPad E14 Gen 7
dmi.product.version: ThinkPad E14 Gen 7
dmi.sys.vendor: LENOVO
** Affects: linux-oem-6.14 (Ubuntu)
Importance: Undecided
Status: New
** Tags: amd64 apport-bug noble wayland-session
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2129612
Title:
Kernel Oops in btusb driver on Lenovo ThinkPad E14 Gen 7
(6.14.0-1014-oem) - related to enable_autosuspend
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux-oem-6.14/+bug/2129612/+subscriptions
--
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
