Kernel oops on wl.ko load on intel IBT-enabled platforms
Description:
As soon as the system loads wl.ko, it triggers a kernel oops that makes the system near-unresponsive because it kills systemd. This is circumventable by setting ibt=off in kernel cmdline, after which the card functions more-or-less normally, and happens because the blob was compiled without security mitigations in 2015 and has remained like that ever since.
Trace of both oops and warn-thunk immediately before that (both inside the blob code):
[ 5.668063] ------------[ cut here ]------------
[ 5.668066] Unpatched return thunk in use. This should not happen!
[ 5.668068] WARNING: CPU: 8 PID: 499 at arch/x86/kernel/cpu/bugs.c:3070 __warn_thunk+0x2a/0x40
[ 5.668072] Modules linked in: wl(POE+) snd_usbmidi_lib snd_hda_codec uvcvideo(+) snd_ump snd_hda_core videobuf2_vmalloc btusb kvm snd_rawmidi btrtl uvc snd_seq_device snd_hwdep r8169 btintel videobuf2_memops iTCO_wdt btbcm snd_pcm videobuf2_v4l2 btmtk realtek intel_pmc_bxt rapl mei_hdcp ee1004 iTCO_vendor_support mei_pxp videobuf2_common snd_timer intel_cstate mdio_devres cfg80211 bluetooth i2c_i801 videodev spi_nor snd mei_me i2c_smbus intel_uncore pcspkr wmi_bmof mxm_wmi libphy mtd mc rfkill i2c_mux soundcore mei serial_multi_instantiate intel_pmc_core intel_vsec mousedev pmt_telemetry joydev pinctrl_alderlake pmt_class acpi_pad acpi_tad mac_hid pkcs8_key_parser i2c_dev crypto_user loop nfnetlink ip_tables x_tables ext4 crc32c_generic mbcache jbd2 xe hid_generic drm_gpuvm usbhid dm_mod amdgpu i915 crct10dif_pclmul crc32_pclmul amdxcp crc32c_intel drm_ttm_helper polyval_clmulni drm_exec polyval_generic ghash_clmulni_intel gpu_sched intel_gtt sha512_ssse3 i2c_algo_bit drm_suballoc_helper sha256_ssse3 ttm sha1_ssse3
[ 5.668109] drm_panel_backlight_quirks nvme aesni_intel drm_buddy gf128mul nvme_core drm_display_helper crypto_simd spi_intel_pci cryptd spi_intel cec crc16 nvme_auth video wmi
[ 5.668116] CPU: 8 UID: 0 PID: 499 Comm: (udev-worker) Tainted: P OE 6.13.7-arch1-1 #1 c1fb750cdab658a6e7961595e6231210fa8606e4
[ 5.668119] Tainted: [P]=PROPRIETARY_MODULE, [O]=OOT_MODULE, [E]=UNSIGNED_MODULE
[ 5.668119] Hardware name: Micro-Star International Co., Ltd. MS-7D45/PRO B660M-G DDR4 (MS-7D45), BIOS 1.80 06/29/2022
[ 5.668120] RIP: 0010:__warn_thunk+0x2a/0x40
[ 5.668122] Code: 66 0f 1f 00 0f 1f 44 00 00 80 3d f8 a4 37 02 00 74 05 c3 cc cc cc cc 48 c7 c7 b8 35 70 b1 c6 05 e3 a4 37 02 01 e8 f6 41 06 00 <0f> 0b c3 cc cc cc cc 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00
[ 5.668123] RSP: 0018:ffffad6c81f3b8f8 EFLAGS: 00010286
[ 5.668125] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000027
[ 5.668125] RDX: ffff97fb2f6218c8 RSI: 0000000000000001 RDI: ffff97fb2f6218c0
[ 5.668126] RBP: ffffad6c81f3b948 R08: 0000000000000000 R09: ffffad6c81f3b778
[ 5.668127] R10: ffffffffb20b5448 R11: 0000000000000003 R12: ffffffffc2f52aa5
[ 5.668127] R13: ffffad6c81f3b990 R14: ffff97f7dbe52840 R15: ffff97f7c2b39820
[ 5.668128] FS: 000077a988ad7880(0000) GS:ffff97fb2f600000(0000) knlGS:0000000000000000
[ 5.668129] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 5.668130] CR2: 00005baeda5ab4e0 CR3: 000000011b52a000 CR4: 0000000000f50ef0
[ 5.668131] PKRU: 55555554
[ 5.668132] Call Trace:
[ 5.668133] <TASK>
[ 5.668134] ? __warn_thunk+0x2a/0x40
[ 5.668135] ? __warn.cold+0x93/0xf6
[ 5.668136] ? __warn_thunk+0x2a/0x40
[ 5.668138] ? report_bug+0xff/0x140
[ 5.668141] ? console_unlock+0x9d/0x140
[ 5.668143] ? handle_bug+0x58/0x90
[ 5.668145] ? exc_invalid_op+0x17/0x70
[ 5.668147] ? asm_exc_invalid_op+0x1a/0x20
[ 5.668149] ? __warn_thunk+0x2a/0x40
[ 5.668150] ? __warn_thunk+0x2a/0x40
[ 5.668151] warn_thunk_thunk+0x1a/0x30
[ 5.668153] getvar+0x20/0x70 [wl b060ae6aa408f05e8c02fdb693dcce492ceef5fc]
[ 5.668178] ? orc_header+0x17b0/0x17b0 [wl b060ae6aa408f05e8c02fdb693dcce492ceef5fc]
[ 5.668196] wl_module_init+0x17/0xa0 [wl b060ae6aa408f05e8c02fdb693dcce492ceef5fc]
[ 5.668209] ? do_one_initcall+0x58/0x310
[ 5.668212] ? do_init_module+0x60/0x230
[ 5.668214] ? init_module_from_file+0x89/0xe0
[ 5.668216] ? idempotent_init_module+0x115/0x310
[ 5.668218] ? __x64_sys_finit_module+0x65/0xc0
[ 5.668220] ? do_syscall_64+0x82/0x190
[ 5.668221] ? do_syscall_64+0x8e/0x190
[ 5.668222] ? switch_fpu_return+0x4e/0xd0
[ 5.668224] ? arch_exit_to_user_mode_prepare.isra.0+0x79/0x90
[ 5.668226] ? syscall_exit_to_user_mode+0x37/0x1c0
[ 5.668228] ? do_syscall_64+0x8e/0x190
[ 5.668229] ? vfs_statx+0x79/0xe0
[ 5.668232] ? strncpy_from_user+0x24/0x100
[ 5.668235] ? vfs_fstatat+0x75/0xa0
[ 5.668236] ? __do_sys_newfstatat+0x3c/0x80
[ 5.668238] ? syscall_exit_to_user_mode+0x37/0x1c0
[ 5.668239] ? do_syscall_64+0x8e/0x190
[ 5.668240] ? arch_exit_to_user_mode_prepare.isra.0+0x79/0x90
[ 5.668242] ? syscall_exit_to_user_mode+0x37/0x1c0
[ 5.668243] ? do_syscall_64+0x8e/0x190
[ 5.668244] ? do_sys_openat2+0x9c/0xe0
[ 5.668245] ? switch_fpu_return+0x4e/0xd0
[ 5.668247] ? arch_exit_to_user_mode_prepare.isra.0+0x79/0x90
[ 5.668248] ? sched_clock+0x10/0x30
[ 5.668250] ? sched_clock_cpu+0xf/0x1d0
[ 5.668252] ? irqtime_account_irq+0x3e/0xc0
[ 5.668254] ? __irq_exit_rcu+0x4c/0xe0
[ 5.668256] ? entry_SYSCALL_64_after_hwframe+0x76/0x7e
[ 5.668258] </TASK>
[ 5.668258] ---[ end trace 0000000000000000 ]---
[ 5.668285] usbcore: registered new interface driver uvcvideo
[ 5.668293] wl 0000:07:00.0: enabling device (0000 -> 0002)
[ 5.684332] Missing ENDBR: otp_read_bit+0x8ce/0x106c [wl]
[ 5.684708] ------------[ cut here ]------------
[ 5.684709] kernel BUG at arch/x86/kernel/cet.c:132!
[ 5.684947] Oops: invalid opcode: 0000 [#1] PREEMPT SMP NOPTI
[ 5.685168] CPU: 9 UID: 0 PID: 499 Comm: (udev-worker) Tainted: P W OE 6.13.7-arch1-1 #1 c1fb750cdab658a6e7961595e6231210fa8606e4
[ 5.685393] Tainted: [P]=PROPRIETARY_MODULE, [W]=WARN, [O]=OOT_MODULE, [E]=UNSIGNED_MODULE
[ 5.685611] Hardware name: Micro-Star International Co., Ltd. MS-7D45/PRO B660M-G DDR4 (MS-7D45), BIOS 1.80 06/29/2022
[ 5.685830] RIP: 0010:exc_control_protection+0x29f/0x2b0
[ 5.686046] Code: d8 b9 09 00 00 00 48 8b 93 80 00 00 00 be 80 00 00 00 48 c7 c7 27 e7 7b b1 e8 0d 7c 24 ff 80 a3 8a 00 00 00 fb e9 38 fe ff ff <0f> 0b 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 90 90 90 90 90
[ 5.686276] RSP: 0000:ffffad6c81f3b328 EFLAGS: 00010002
[ 5.686499] RAX: 000000000000002d RBX: ffffad6c81f3b358 RCX: 0000000000000000
[ 5.686714] RDX: 0000000000000000 RSI: ffff97fb2f6a18c0 RDI: ffff97fb2f6a18c0
[ 5.686928] RBP: 0000000000000000 R08: 0000000000000000 R09: ffffad6c81f3b1b8
[ 5.687141] R10: ffffffffb20b5448 R11: 0000000000000003 R12: 0000000000000003
[ 5.687354] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[ 5.687569] FS: 000077a988ad7880(0000) GS:ffff97fb2f680000(0000) knlGS:0000000000000000
[ 5.687785] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 5.687998] CR2: 000077a987c32ed6 CR3: 000000011b52a000 CR4: 0000000000f50ef0
[ 5.688213] PKRU: 55555554
[ 5.688425] Call Trace:
[ 5.688636] <TASK>
[ 5.688845] ? __die_body.cold+0x19/0x27
[ 5.689058] ? die+0x2e/0x50
[ 5.689270] ? do_trap+0xca/0x110
[ 5.689482] ? do_error_trap+0x6a/0x90
[ 5.689695] ? exc_control_protection+0x29f/0x2b0
[ 5.689910] ? exc_invalid_op+0x50/0x70
[ 5.690124] ? exc_control_protection+0x29f/0x2b0
[ 5.690340] ? asm_exc_invalid_op+0x1a/0x20
[ 5.690558] ? exc_control_protection+0x29f/0x2b0
[ 5.690775] ? exc_control_protection+0x25b/0x2b0
[ 5.690992] asm_exc_control_protection+0x26/0x30
[ 5.691210] RIP: 0010:otp_read_bit+0x8ce/0x106c [wl]
[ 5.691449] Code: f0 41 5e c9 c3 48 81 c3 a4 00 00 00 48 89 df e8 4c df 17 00 25 ff ff f0 ff 48 89 de 0d 00 00 0c 00 89 c7 e8 a8 df 17 00 eb ae <55> 48 89 e5 41 57 41 56 41 55 41 54 49 89 fc 53 48 83 ec 08 8b 47
[ 5.691687] RSP: 0000:ffffad6c81f3b408 EFLAGS: 00010202
[ 5.691921] RAX: ffffffffc2aaa900 RBX: ffff97f7d4718800 RCX: 0000000000000070
[ 5.692155] RDX: 0000000000000cfc RSI: 0000000000000206 RDI: ffff97f7d4718800
[ 5.692389] RBP: ffffad6c81f3b430 R08: ffffad6c81f3b4be R09: 0000000000000007
[ 5.692627] R10: 0000000000000007 R11: ffffffffb0cb80d0 R12: ffff97f7dad2c001
[ 5.692865] R13: 0000000000000010 R14: ffffad6c81f3b4be R15: 0000000000000000
[ 5.693104] ? __pfx_pci_conf1_write+0x10/0x10
[ 5.693345] ? otp_init+0xa5/0xc3 [wl b060ae6aa408f05e8c02fdb693dcce492ceef5fc]
[ 5.693606] otp_read_word+0x51/0x9d [wl b060ae6aa408f05e8c02fdb693dcce492ceef5fc]
[ 5.693869] ? si_set_sromctl+0x50/0x5b [wl b060ae6aa408f05e8c02fdb693dcce492ceef5fc]
[ 5.694141] wlc_phy_attach_acphy+0x164d/0x182d [wl b060ae6aa408f05e8c02fdb693dcce492ceef5fc]
[ 5.694433] wlc_phy_attach+0x818/0xfc2 [wl b060ae6aa408f05e8c02fdb693dcce492ceef5fc]
[ 5.694728] wlc_bmac_attach+0x8ee/0x1215 [wl b060ae6aa408f05e8c02fdb693dcce492ceef5fc]
[ 5.695017] ? warn_thunk_thunk+0x1a/0x30
[ 5.695271] ? wlc_scan_attach+0x161/0x1b9 [wl b060ae6aa408f05e8c02fdb693dcce492ceef5fc]
[ 5.695571] wlc_attach+0x283/0x1a93 [wl b060ae6aa408f05e8c02fdb693dcce492ceef5fc]
[ 5.695861] ? iomem_map_sanity_check+0xd5/0x100
[ 5.696124] ? wl_pci_probe+0x2a9/0xf50 [wl b060ae6aa408f05e8c02fdb693dcce492ceef5fc]
[ 5.696406] wl_pci_probe+0x32a/0xf50 [wl b060ae6aa408f05e8c02fdb693dcce492ceef5fc]
[ 5.696692] ? local_pci_probe+0x42/0x90
[ 5.696960] ? pci_device_probe+0xdd/0x270
[ 5.697228] ? really_probe+0xdb/0x340
[ 5.697494] ? pm_runtime_barrier+0x54/0x90
[ 5.697763] ? __pfx___driver_attach+0x10/0x10
[ 5.698031] ? __driver_probe_device+0x78/0x110
[ 5.698298] ? driver_probe_device+0x1f/0xa0
[ 5.698567] ? __driver_attach+0xba/0x1c0
[ 5.698833] ? bus_for_each_dev+0x8c/0xe0
[ 5.699100] ? bus_add_driver+0x112/0x1f0
[ 5.699366] ? driver_register+0x72/0xd0
[ 5.699634] ? orc_header+0x17b0/0x17b0 [wl b060ae6aa408f05e8c02fdb693dcce492ceef5fc]
[ 5.699919] ? do_one_initcall+0x58/0x310
[ 5.700190] ? do_init_module+0x60/0x230
[ 5.700460] ? init_module_from_file+0x89/0xe0
[ 5.700733] ? idempotent_init_module+0x115/0x310
[ 5.701003] ? __x64_sys_finit_module+0x65/0xc0
[ 5.701271] ? do_syscall_64+0x82/0x190
[ 5.701534] ? do_syscall_64+0x8e/0x190
[ 5.701788] ? switch_fpu_return+0x4e/0xd0
[ 5.702038] ? arch_exit_to_user_mode_prepare.isra.0+0x79/0x90
[ 5.702287] ? syscall_exit_to_user_mode+0x37/0x1c0
[ 5.702526] ? do_syscall_64+0x8e/0x190
[ 5.702755] ? vfs_statx+0x79/0xe0
[ 5.702983] ? strncpy_from_user+0x24/0x100
[ 5.703210] ? vfs_fstatat+0x75/0xa0
[ 5.703436] ? __do_sys_newfstatat+0x3c/0x80
[ 5.703663] ? syscall_exit_to_user_mode+0x37/0x1c0
[ 5.703889] ? do_syscall_64+0x8e/0x190
[ 5.704112] ? arch_exit_to_user_mode_prepare.isra.0+0x79/0x90
[ 5.704337] ? syscall_exit_to_user_mode+0x37/0x1c0
[ 5.704560] ? do_syscall_64+0x8e/0x190
[ 5.704780] ? do_sys_openat2+0x9c/0xe0
[ 5.705000] ? switch_fpu_return+0x4e/0xd0
[ 5.705221] ? arch_exit_to_user_mode_prepare.isra.0+0x79/0x90
[ 5.705445] ? sched_clock+0x10/0x30
[ 5.705671] ? sched_clock_cpu+0xf/0x1d0
[ 5.705895] ? irqtime_account_irq+0x3e/0xc0
[ 5.706121] ? __irq_exit_rcu+0x4c/0xe0
[ 5.706345] ? entry_SYSCALL_64_after_hwframe+0x76/0x7e
[ 5.706573] </TASK>
[ 5.706796] Modules linked in: snd_hda_intel(+) snd_usb_audio(+) kvm_intel(+) snd_intel_dspcfg snd_intel_sdw_acpi wl(POE+) snd_usbmidi_lib snd_hda_codec uvcvideo snd_ump snd_hda_core videobuf2_vmalloc btusb kvm snd_rawmidi btrtl uvc snd_seq_device snd_hwdep r8169 btintel videobuf2_memops iTCO_wdt btbcm snd_pcm videobuf2_v4l2 btmtk realtek intel_pmc_bxt rapl mei_hdcp ee1004 iTCO_vendor_support mei_pxp videobuf2_common snd_timer intel_cstate mdio_devres cfg80211 bluetooth i2c_i801 videodev spi_nor snd mei_me i2c_smbus intel_uncore pcspkr wmi_bmof mxm_wmi libphy mtd mc rfkill i2c_mux soundcore mei serial_multi_instantiate intel_pmc_core intel_vsec mousedev pmt_telemetry joydev pinctrl_alderlake pmt_class acpi_pad acpi_tad mac_hid pkcs8_key_parser i2c_dev crypto_user loop nfnetlink ip_tables x_tables ext4 crc32c_generic mbcache jbd2 xe hid_generic drm_gpuvm usbhid dm_mod amdgpu i915 crct10dif_pclmul crc32_pclmul amdxcp crc32c_intel drm_ttm_helper polyval_clmulni drm_exec polyval_generic ghash_clmulni_intel gpu_sched
[ 5.706833] intel_gtt sha512_ssse3 i2c_algo_bit drm_suballoc_helper sha256_ssse3 ttm sha1_ssse3 drm_panel_backlight_quirks nvme aesni_intel drm_buddy gf128mul nvme_core drm_display_helper crypto_simd spi_intel_pci cryptd spi_intel cec crc16 nvme_auth video wmi
[ 5.708750] ---[ end trace 0000000000000000 ]---
[ 5.709040] RIP: 0010:exc_control_protection+0x29f/0x2b0
[ 5.709332] Code: d8 b9 09 00 00 00 48 8b 93 80 00 00 00 be 80 00 00 00 48 c7 c7 27 e7 7b b1 e8 0d 7c 24 ff 80 a3 8a 00 00 00 fb e9 38 fe ff ff <0f> 0b 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 90 90 90 90 90
[ 5.709643] RSP: 0000:ffffad6c81f3b328 EFLAGS: 00010002
[ 5.709952] RAX: 000000000000002d RBX: ffffad6c81f3b358 RCX: 0000000000000000
[ 5.710263] RDX: 0000000000000000 RSI: ffff97fb2f6a18c0 RDI: ffff97fb2f6a18c0
[ 5.710575] RBP: 0000000000000000 R08: 0000000000000000 R09: ffffad6c81f3b1b8
[ 5.710884] R10: ffffffffb20b5448 R11: 0000000000000003 R12: 0000000000000003
[ 5.711191] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[ 5.711495] FS: 000077a988ad7880(0000) GS:ffff97fb2f680000(0000) knlGS:0000000000000000
[ 5.711800] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 5.712102] CR2: 000077a987c32ed6 CR3: 000000011b52a000 CR4: 0000000000f50ef0
[ 5.712405] PKRU: 55555554
Additional info:
- package version: broadcom-wl 6.30.223.271-609 (but presumably affects older broadcom-wl versions as well)
- kernel version: 6.13.7-arch1-1 #1 (closed) SMP PREEMPT_DYNAMIC Thu, 13 Mar 2025 18:12:00 +0000 x86_64 GNU/Linux
- kernel config: config.gz
Steps to reproduce:
- Load broadcom-wl on 12th+ gen intel CPU with BCM4360 installed and ibt=on
- observe dmesg output
possible solutions:
Since we have no control over the .o_shipped blob, we can't recompile it to the security standards of the modern kernel. So the options are pretty limited:
- Check in postinstall script whether IBT is enabled (/proc/config.gz) and working(/proc/cpuinfo), and if so, warn user.
- straight up fail to install if IBT is detected as enabled/working
- add information into the Arch wiki and make no changes to the package.