Skip to content

Kernel oops on wl.ko load on intel IBT-enabled platforms

Description:

As soon as the system loads wl.ko, it triggers a kernel oops that makes the system near-unresponsive because it kills systemd. This is circumventable by setting ibt=off in kernel cmdline, after which the card functions more-or-less normally, and happens because the blob was compiled without security mitigations in 2015 and has remained like that ever since.

Trace of both oops and warn-thunk immediately before that (both inside the blob code):

[    5.668063] ------------[ cut here ]------------
[    5.668066] Unpatched return thunk in use. This should not happen!
[    5.668068] WARNING: CPU: 8 PID: 499 at arch/x86/kernel/cpu/bugs.c:3070 __warn_thunk+0x2a/0x40
[    5.668072] Modules linked in: wl(POE+) snd_usbmidi_lib snd_hda_codec uvcvideo(+) snd_ump snd_hda_core videobuf2_vmalloc btusb kvm snd_rawmidi btrtl uvc snd_seq_device snd_hwdep r8169 btintel videobuf2_memops iTCO_wdt btbcm snd_pcm videobuf2_v4l2 btmtk realtek intel_pmc_bxt rapl mei_hdcp ee1004 iTCO_vendor_support mei_pxp videobuf2_common snd_timer intel_cstate mdio_devres cfg80211 bluetooth i2c_i801 videodev spi_nor snd mei_me i2c_smbus intel_uncore pcspkr wmi_bmof mxm_wmi libphy mtd mc rfkill i2c_mux soundcore mei serial_multi_instantiate intel_pmc_core intel_vsec mousedev pmt_telemetry joydev pinctrl_alderlake pmt_class acpi_pad acpi_tad mac_hid pkcs8_key_parser i2c_dev crypto_user loop nfnetlink ip_tables x_tables ext4 crc32c_generic mbcache jbd2 xe hid_generic drm_gpuvm usbhid dm_mod amdgpu i915 crct10dif_pclmul crc32_pclmul amdxcp crc32c_intel drm_ttm_helper polyval_clmulni drm_exec polyval_generic ghash_clmulni_intel gpu_sched intel_gtt sha512_ssse3 i2c_algo_bit drm_suballoc_helper sha256_ssse3 ttm sha1_ssse3
[    5.668109]  drm_panel_backlight_quirks nvme aesni_intel drm_buddy gf128mul nvme_core drm_display_helper crypto_simd spi_intel_pci cryptd spi_intel cec crc16 nvme_auth video wmi
[    5.668116] CPU: 8 UID: 0 PID: 499 Comm: (udev-worker) Tainted: P           OE      6.13.7-arch1-1 #1 c1fb750cdab658a6e7961595e6231210fa8606e4
[    5.668119] Tainted: [P]=PROPRIETARY_MODULE, [O]=OOT_MODULE, [E]=UNSIGNED_MODULE
[    5.668119] Hardware name: Micro-Star International Co., Ltd. MS-7D45/PRO B660M-G DDR4 (MS-7D45), BIOS 1.80 06/29/2022
[    5.668120] RIP: 0010:__warn_thunk+0x2a/0x40
[    5.668122] Code: 66 0f 1f 00 0f 1f 44 00 00 80 3d f8 a4 37 02 00 74 05 c3 cc cc cc cc 48 c7 c7 b8 35 70 b1 c6 05 e3 a4 37 02 01 e8 f6 41 06 00 <0f> 0b c3 cc cc cc cc 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00
[    5.668123] RSP: 0018:ffffad6c81f3b8f8 EFLAGS: 00010286
[    5.668125] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000027
[    5.668125] RDX: ffff97fb2f6218c8 RSI: 0000000000000001 RDI: ffff97fb2f6218c0
[    5.668126] RBP: ffffad6c81f3b948 R08: 0000000000000000 R09: ffffad6c81f3b778
[    5.668127] R10: ffffffffb20b5448 R11: 0000000000000003 R12: ffffffffc2f52aa5
[    5.668127] R13: ffffad6c81f3b990 R14: ffff97f7dbe52840 R15: ffff97f7c2b39820
[    5.668128] FS:  000077a988ad7880(0000) GS:ffff97fb2f600000(0000) knlGS:0000000000000000
[    5.668129] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[    5.668130] CR2: 00005baeda5ab4e0 CR3: 000000011b52a000 CR4: 0000000000f50ef0
[    5.668131] PKRU: 55555554
[    5.668132] Call Trace:
[    5.668133]  <TASK>
[    5.668134]  ? __warn_thunk+0x2a/0x40
[    5.668135]  ? __warn.cold+0x93/0xf6
[    5.668136]  ? __warn_thunk+0x2a/0x40
[    5.668138]  ? report_bug+0xff/0x140
[    5.668141]  ? console_unlock+0x9d/0x140
[    5.668143]  ? handle_bug+0x58/0x90
[    5.668145]  ? exc_invalid_op+0x17/0x70
[    5.668147]  ? asm_exc_invalid_op+0x1a/0x20
[    5.668149]  ? __warn_thunk+0x2a/0x40
[    5.668150]  ? __warn_thunk+0x2a/0x40
[    5.668151]  warn_thunk_thunk+0x1a/0x30
[    5.668153]  getvar+0x20/0x70 [wl b060ae6aa408f05e8c02fdb693dcce492ceef5fc]
[    5.668178]  ? orc_header+0x17b0/0x17b0 [wl b060ae6aa408f05e8c02fdb693dcce492ceef5fc]
[    5.668196]  wl_module_init+0x17/0xa0 [wl b060ae6aa408f05e8c02fdb693dcce492ceef5fc]
[    5.668209]  ? do_one_initcall+0x58/0x310
[    5.668212]  ? do_init_module+0x60/0x230
[    5.668214]  ? init_module_from_file+0x89/0xe0
[    5.668216]  ? idempotent_init_module+0x115/0x310
[    5.668218]  ? __x64_sys_finit_module+0x65/0xc0
[    5.668220]  ? do_syscall_64+0x82/0x190
[    5.668221]  ? do_syscall_64+0x8e/0x190
[    5.668222]  ? switch_fpu_return+0x4e/0xd0
[    5.668224]  ? arch_exit_to_user_mode_prepare.isra.0+0x79/0x90
[    5.668226]  ? syscall_exit_to_user_mode+0x37/0x1c0
[    5.668228]  ? do_syscall_64+0x8e/0x190
[    5.668229]  ? vfs_statx+0x79/0xe0
[    5.668232]  ? strncpy_from_user+0x24/0x100
[    5.668235]  ? vfs_fstatat+0x75/0xa0
[    5.668236]  ? __do_sys_newfstatat+0x3c/0x80
[    5.668238]  ? syscall_exit_to_user_mode+0x37/0x1c0
[    5.668239]  ? do_syscall_64+0x8e/0x190
[    5.668240]  ? arch_exit_to_user_mode_prepare.isra.0+0x79/0x90
[    5.668242]  ? syscall_exit_to_user_mode+0x37/0x1c0
[    5.668243]  ? do_syscall_64+0x8e/0x190
[    5.668244]  ? do_sys_openat2+0x9c/0xe0
[    5.668245]  ? switch_fpu_return+0x4e/0xd0
[    5.668247]  ? arch_exit_to_user_mode_prepare.isra.0+0x79/0x90
[    5.668248]  ? sched_clock+0x10/0x30
[    5.668250]  ? sched_clock_cpu+0xf/0x1d0
[    5.668252]  ? irqtime_account_irq+0x3e/0xc0
[    5.668254]  ? __irq_exit_rcu+0x4c/0xe0
[    5.668256]  ? entry_SYSCALL_64_after_hwframe+0x76/0x7e
[    5.668258]  </TASK>
[    5.668258] ---[ end trace 0000000000000000 ]---
[    5.668285] usbcore: registered new interface driver uvcvideo
[    5.668293] wl 0000:07:00.0: enabling device (0000 -> 0002)
[    5.684332] Missing ENDBR: otp_read_bit+0x8ce/0x106c [wl]
[    5.684708] ------------[ cut here ]------------
[    5.684709] kernel BUG at arch/x86/kernel/cet.c:132!
[    5.684947] Oops: invalid opcode: 0000 [#1] PREEMPT SMP NOPTI
[    5.685168] CPU: 9 UID: 0 PID: 499 Comm: (udev-worker) Tainted: P        W  OE      6.13.7-arch1-1 #1 c1fb750cdab658a6e7961595e6231210fa8606e4
[    5.685393] Tainted: [P]=PROPRIETARY_MODULE, [W]=WARN, [O]=OOT_MODULE, [E]=UNSIGNED_MODULE
[    5.685611] Hardware name: Micro-Star International Co., Ltd. MS-7D45/PRO B660M-G DDR4 (MS-7D45), BIOS 1.80 06/29/2022
[    5.685830] RIP: 0010:exc_control_protection+0x29f/0x2b0
[    5.686046] Code: d8 b9 09 00 00 00 48 8b 93 80 00 00 00 be 80 00 00 00 48 c7 c7 27 e7 7b b1 e8 0d 7c 24 ff 80 a3 8a 00 00 00 fb e9 38 fe ff ff <0f> 0b 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 90 90 90 90 90
[    5.686276] RSP: 0000:ffffad6c81f3b328 EFLAGS: 00010002
[    5.686499] RAX: 000000000000002d RBX: ffffad6c81f3b358 RCX: 0000000000000000
[    5.686714] RDX: 0000000000000000 RSI: ffff97fb2f6a18c0 RDI: ffff97fb2f6a18c0
[    5.686928] RBP: 0000000000000000 R08: 0000000000000000 R09: ffffad6c81f3b1b8
[    5.687141] R10: ffffffffb20b5448 R11: 0000000000000003 R12: 0000000000000003
[    5.687354] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[    5.687569] FS:  000077a988ad7880(0000) GS:ffff97fb2f680000(0000) knlGS:0000000000000000
[    5.687785] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[    5.687998] CR2: 000077a987c32ed6 CR3: 000000011b52a000 CR4: 0000000000f50ef0
[    5.688213] PKRU: 55555554
[    5.688425] Call Trace:
[    5.688636]  <TASK>
[    5.688845]  ? __die_body.cold+0x19/0x27
[    5.689058]  ? die+0x2e/0x50
[    5.689270]  ? do_trap+0xca/0x110
[    5.689482]  ? do_error_trap+0x6a/0x90
[    5.689695]  ? exc_control_protection+0x29f/0x2b0
[    5.689910]  ? exc_invalid_op+0x50/0x70
[    5.690124]  ? exc_control_protection+0x29f/0x2b0
[    5.690340]  ? asm_exc_invalid_op+0x1a/0x20
[    5.690558]  ? exc_control_protection+0x29f/0x2b0
[    5.690775]  ? exc_control_protection+0x25b/0x2b0
[    5.690992]  asm_exc_control_protection+0x26/0x30
[    5.691210] RIP: 0010:otp_read_bit+0x8ce/0x106c [wl]
[    5.691449] Code: f0 41 5e c9 c3 48 81 c3 a4 00 00 00 48 89 df e8 4c df 17 00 25 ff ff f0 ff 48 89 de 0d 00 00 0c 00 89 c7 e8 a8 df 17 00 eb ae <55> 48 89 e5 41 57 41 56 41 55 41 54 49 89 fc 53 48 83 ec 08 8b 47
[    5.691687] RSP: 0000:ffffad6c81f3b408 EFLAGS: 00010202
[    5.691921] RAX: ffffffffc2aaa900 RBX: ffff97f7d4718800 RCX: 0000000000000070
[    5.692155] RDX: 0000000000000cfc RSI: 0000000000000206 RDI: ffff97f7d4718800
[    5.692389] RBP: ffffad6c81f3b430 R08: ffffad6c81f3b4be R09: 0000000000000007
[    5.692627] R10: 0000000000000007 R11: ffffffffb0cb80d0 R12: ffff97f7dad2c001
[    5.692865] R13: 0000000000000010 R14: ffffad6c81f3b4be R15: 0000000000000000
[    5.693104]  ? __pfx_pci_conf1_write+0x10/0x10
[    5.693345]  ? otp_init+0xa5/0xc3 [wl b060ae6aa408f05e8c02fdb693dcce492ceef5fc]
[    5.693606]  otp_read_word+0x51/0x9d [wl b060ae6aa408f05e8c02fdb693dcce492ceef5fc]
[    5.693869]  ? si_set_sromctl+0x50/0x5b [wl b060ae6aa408f05e8c02fdb693dcce492ceef5fc]
[    5.694141]  wlc_phy_attach_acphy+0x164d/0x182d [wl b060ae6aa408f05e8c02fdb693dcce492ceef5fc]
[    5.694433]  wlc_phy_attach+0x818/0xfc2 [wl b060ae6aa408f05e8c02fdb693dcce492ceef5fc]
[    5.694728]  wlc_bmac_attach+0x8ee/0x1215 [wl b060ae6aa408f05e8c02fdb693dcce492ceef5fc]
[    5.695017]  ? warn_thunk_thunk+0x1a/0x30
[    5.695271]  ? wlc_scan_attach+0x161/0x1b9 [wl b060ae6aa408f05e8c02fdb693dcce492ceef5fc]
[    5.695571]  wlc_attach+0x283/0x1a93 [wl b060ae6aa408f05e8c02fdb693dcce492ceef5fc]
[    5.695861]  ? iomem_map_sanity_check+0xd5/0x100
[    5.696124]  ? wl_pci_probe+0x2a9/0xf50 [wl b060ae6aa408f05e8c02fdb693dcce492ceef5fc]
[    5.696406]  wl_pci_probe+0x32a/0xf50 [wl b060ae6aa408f05e8c02fdb693dcce492ceef5fc]
[    5.696692]  ? local_pci_probe+0x42/0x90
[    5.696960]  ? pci_device_probe+0xdd/0x270
[    5.697228]  ? really_probe+0xdb/0x340
[    5.697494]  ? pm_runtime_barrier+0x54/0x90
[    5.697763]  ? __pfx___driver_attach+0x10/0x10
[    5.698031]  ? __driver_probe_device+0x78/0x110
[    5.698298]  ? driver_probe_device+0x1f/0xa0
[    5.698567]  ? __driver_attach+0xba/0x1c0
[    5.698833]  ? bus_for_each_dev+0x8c/0xe0
[    5.699100]  ? bus_add_driver+0x112/0x1f0
[    5.699366]  ? driver_register+0x72/0xd0
[    5.699634]  ? orc_header+0x17b0/0x17b0 [wl b060ae6aa408f05e8c02fdb693dcce492ceef5fc]
[    5.699919]  ? do_one_initcall+0x58/0x310
[    5.700190]  ? do_init_module+0x60/0x230
[    5.700460]  ? init_module_from_file+0x89/0xe0
[    5.700733]  ? idempotent_init_module+0x115/0x310
[    5.701003]  ? __x64_sys_finit_module+0x65/0xc0
[    5.701271]  ? do_syscall_64+0x82/0x190
[    5.701534]  ? do_syscall_64+0x8e/0x190
[    5.701788]  ? switch_fpu_return+0x4e/0xd0
[    5.702038]  ? arch_exit_to_user_mode_prepare.isra.0+0x79/0x90
[    5.702287]  ? syscall_exit_to_user_mode+0x37/0x1c0
[    5.702526]  ? do_syscall_64+0x8e/0x190
[    5.702755]  ? vfs_statx+0x79/0xe0
[    5.702983]  ? strncpy_from_user+0x24/0x100
[    5.703210]  ? vfs_fstatat+0x75/0xa0
[    5.703436]  ? __do_sys_newfstatat+0x3c/0x80
[    5.703663]  ? syscall_exit_to_user_mode+0x37/0x1c0
[    5.703889]  ? do_syscall_64+0x8e/0x190
[    5.704112]  ? arch_exit_to_user_mode_prepare.isra.0+0x79/0x90
[    5.704337]  ? syscall_exit_to_user_mode+0x37/0x1c0
[    5.704560]  ? do_syscall_64+0x8e/0x190
[    5.704780]  ? do_sys_openat2+0x9c/0xe0
[    5.705000]  ? switch_fpu_return+0x4e/0xd0
[    5.705221]  ? arch_exit_to_user_mode_prepare.isra.0+0x79/0x90
[    5.705445]  ? sched_clock+0x10/0x30
[    5.705671]  ? sched_clock_cpu+0xf/0x1d0
[    5.705895]  ? irqtime_account_irq+0x3e/0xc0
[    5.706121]  ? __irq_exit_rcu+0x4c/0xe0
[    5.706345]  ? entry_SYSCALL_64_after_hwframe+0x76/0x7e
[    5.706573]  </TASK>
[    5.706796] Modules linked in: snd_hda_intel(+) snd_usb_audio(+) kvm_intel(+) snd_intel_dspcfg snd_intel_sdw_acpi wl(POE+) snd_usbmidi_lib snd_hda_codec uvcvideo snd_ump snd_hda_core videobuf2_vmalloc btusb kvm snd_rawmidi btrtl uvc snd_seq_device snd_hwdep r8169 btintel videobuf2_memops iTCO_wdt btbcm snd_pcm videobuf2_v4l2 btmtk realtek intel_pmc_bxt rapl mei_hdcp ee1004 iTCO_vendor_support mei_pxp videobuf2_common snd_timer intel_cstate mdio_devres cfg80211 bluetooth i2c_i801 videodev spi_nor snd mei_me i2c_smbus intel_uncore pcspkr wmi_bmof mxm_wmi libphy mtd mc rfkill i2c_mux soundcore mei serial_multi_instantiate intel_pmc_core intel_vsec mousedev pmt_telemetry joydev pinctrl_alderlake pmt_class acpi_pad acpi_tad mac_hid pkcs8_key_parser i2c_dev crypto_user loop nfnetlink ip_tables x_tables ext4 crc32c_generic mbcache jbd2 xe hid_generic drm_gpuvm usbhid dm_mod amdgpu i915 crct10dif_pclmul crc32_pclmul amdxcp crc32c_intel drm_ttm_helper polyval_clmulni drm_exec polyval_generic ghash_clmulni_intel gpu_sched
[    5.706833]  intel_gtt sha512_ssse3 i2c_algo_bit drm_suballoc_helper sha256_ssse3 ttm sha1_ssse3 drm_panel_backlight_quirks nvme aesni_intel drm_buddy gf128mul nvme_core drm_display_helper crypto_simd spi_intel_pci cryptd spi_intel cec crc16 nvme_auth video wmi
[    5.708750] ---[ end trace 0000000000000000 ]---
[    5.709040] RIP: 0010:exc_control_protection+0x29f/0x2b0
[    5.709332] Code: d8 b9 09 00 00 00 48 8b 93 80 00 00 00 be 80 00 00 00 48 c7 c7 27 e7 7b b1 e8 0d 7c 24 ff 80 a3 8a 00 00 00 fb e9 38 fe ff ff <0f> 0b 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 90 90 90 90 90
[    5.709643] RSP: 0000:ffffad6c81f3b328 EFLAGS: 00010002
[    5.709952] RAX: 000000000000002d RBX: ffffad6c81f3b358 RCX: 0000000000000000
[    5.710263] RDX: 0000000000000000 RSI: ffff97fb2f6a18c0 RDI: ffff97fb2f6a18c0
[    5.710575] RBP: 0000000000000000 R08: 0000000000000000 R09: ffffad6c81f3b1b8
[    5.710884] R10: ffffffffb20b5448 R11: 0000000000000003 R12: 0000000000000003
[    5.711191] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[    5.711495] FS:  000077a988ad7880(0000) GS:ffff97fb2f680000(0000) knlGS:0000000000000000
[    5.711800] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[    5.712102] CR2: 000077a987c32ed6 CR3: 000000011b52a000 CR4: 0000000000f50ef0
[    5.712405] PKRU: 55555554

Additional info:

  • package version: broadcom-wl 6.30.223.271-609 (but presumably affects older broadcom-wl versions as well)
  • kernel version: 6.13.7-arch1-1 #1 (closed) SMP PREEMPT_DYNAMIC Thu, 13 Mar 2025 18:12:00 +0000 x86_64 GNU/Linux
  • kernel config: config.gz

Steps to reproduce:

  1. Load broadcom-wl on 12th+ gen intel CPU with BCM4360 installed and ibt=on
  2. observe dmesg output

possible solutions:

Since we have no control over the .o_shipped blob, we can't recompile it to the security standards of the modern kernel. So the options are pretty limited:

  • Check in postinstall script whether IBT is enabled (/proc/config.gz) and working(/proc/cpuinfo), and if so, warn user.
  • straight up fail to install if IBT is detected as enabled/working
  • add information into the Arch wiki and make no changes to the package.
Edited by helga
To upload designs, you'll need to enable LFS and have an admin enable hashed storage. More information