A crash will happen when btattach controller ROME, and it is caused by dereferring nullptr hu->serdev, fixed by null check before access.
sudo btattach -B /dev/ttyUSB0 -P qca Bluetooth: hci1: QCA setup on UART is completed BUG: kernel NULL pointer dereference, address: 00000000000002f0 ...... Workqueue: hci1 hci_power_on [bluetooth] RIP: 0010:qca_setup+0x7c1/0xe30 [hci_uart] ...... Call Trace: <TASK> ? show_regs+0x72/0x90 ? __die+0x25/0x80 ? page_fault_oops+0x154/0x4c0 ? srso_alias_return_thunk+0x5/0xfbef5 ? kmem_cache_alloc+0x16b/0x310 ? do_user_addr_fault+0x330/0x6e0 ? srso_alias_return_thunk+0x5/0xfbef5 ? exc_page_fault+0x84/0x1b0 ? asm_exc_page_fault+0x27/0x30 ? qca_setup+0x7c1/0xe30 [hci_uart] hci_uart_setup+0x5c/0x1a0 [hci_uart] hci_dev_open_sync+0xee/0xca0 [bluetooth] hci_dev_do_open+0x2a/0x70 [bluetooth] hci_power_on+0x46/0x210 [bluetooth] process_one_work+0x17b/0x360 worker_thread+0x307/0x430 ? __pfx_worker_thread+0x10/0x10 kthread+0xf7/0x130 ? __pfx_kthread+0x10/0x10 ret_from_fork+0x46/0x70 ? __pfx_kthread+0x10/0x10 ret_from_fork_asm+0x1b/0x30 </TASK>
Fixes: 03b0093f7b31 ("Bluetooth: hci_qca: get wakeup status from serdev device handle") Cc: stable@vger.kernel.org Signed-off-by: Zijun Hu quic_zijuhu@quicinc.com Tested-by: Zijun Hu quic_zijuhu@quicinc.com --- drivers/bluetooth/hci_qca.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/bluetooth/hci_qca.c b/drivers/bluetooth/hci_qca.c index 94b8c406f0c0..6fcfc1f7bb12 100644 --- a/drivers/bluetooth/hci_qca.c +++ b/drivers/bluetooth/hci_qca.c @@ -1951,7 +1951,7 @@ static int qca_setup(struct hci_uart *hu) qca_debugfs_init(hdev); hu->hdev->hw_error = qca_hw_error; hu->hdev->cmd_timeout = qca_cmd_timeout; - if (device_can_wakeup(hu->serdev->ctrl->dev.parent)) + if (hu->serdev && device_can_wakeup(hu->serdev->ctrl->dev.parent)) hu->hdev->wakeup = qca_wakeup; } else if (ret == -ENOENT) { /* No patch/nvm-config found, run with original fw/config */
Dear Zijun,
Thank you for your patch.
Am 11.01.24 um 09:16 schrieb Zijun Hu:
A crash will happen when btattach controller ROME, and it is caused by
What does “btattach controller ROME” mean? Is ROME a platform? If so, should it be *on ROME* or similar?
dereferring nullptr hu->serdev, fixed by null check before access.
dereferring → dereferencing
sudo btattach -B /dev/ttyUSB0 -P qca Bluetooth: hci1: QCA setup on UART is completed BUG: kernel NULL pointer dereference, address: 00000000000002f0 ...... Workqueue: hci1 hci_power_on [bluetooth] RIP: 0010:qca_setup+0x7c1/0xe30 [hci_uart] ...... Call Trace:
<TASK> ? show_regs+0x72/0x90 ? __die+0x25/0x80 ? page_fault_oops+0x154/0x4c0 ? srso_alias_return_thunk+0x5/0xfbef5 ? kmem_cache_alloc+0x16b/0x310 ? do_user_addr_fault+0x330/0x6e0 ? srso_alias_return_thunk+0x5/0xfbef5 ? exc_page_fault+0x84/0x1b0 ? asm_exc_page_fault+0x27/0x30 ? qca_setup+0x7c1/0xe30 [hci_uart] hci_uart_setup+0x5c/0x1a0 [hci_uart] hci_dev_open_sync+0xee/0xca0 [bluetooth] hci_dev_do_open+0x2a/0x70 [bluetooth] hci_power_on+0x46/0x210 [bluetooth] process_one_work+0x17b/0x360 worker_thread+0x307/0x430 ? __pfx_worker_thread+0x10/0x10 kthread+0xf7/0x130 ? __pfx_kthread+0x10/0x10 ret_from_fork+0x46/0x70 ? __pfx_kthread+0x10/0x10 ret_from_fork_asm+0x1b/0x30 </TASK>
Fixes: 03b0093f7b31 ("Bluetooth: hci_qca: get wakeup status from serdev device handle") Cc: stable@vger.kernel.org Signed-off-by: Zijun Hu quic_zijuhu@quicinc.com Tested-by: Zijun Hu quic_zijuhu@quicinc.com
On what device?
drivers/bluetooth/hci_qca.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/bluetooth/hci_qca.c b/drivers/bluetooth/hci_qca.c index 94b8c406f0c0..6fcfc1f7bb12 100644 --- a/drivers/bluetooth/hci_qca.c +++ b/drivers/bluetooth/hci_qca.c @@ -1951,7 +1951,7 @@ static int qca_setup(struct hci_uart *hu) qca_debugfs_init(hdev); hu->hdev->hw_error = qca_hw_error; hu->hdev->cmd_timeout = qca_cmd_timeout;
if (device_can_wakeup(hu->serdev->ctrl->dev.parent))
if (hu->serdev && device_can_wakeup(hu->serdev->ctrl->dev.parent)) hu->hdev->wakeup = qca_wakeup;
Why is `hu->serdev` not set on the device?
} else if (ret == -ENOENT) { /* No patch/nvm-config found, run with original fw/config */
Kind regards,
Paul
On 1/11/2024 5:46 PM, Paul Menzel wrote:
Dear Zijun,
Thank you for your patch.
Am 11.01.24 um 09:16 schrieb Zijun Hu:
A crash will happen when btattach controller ROME, and it is caused by
What does “btattach controller ROME” mean? Is ROME a platform? If so, should it be *on ROME* or similar?
ROME is a type of BT controller name, and refer to QCA_ROME of below defination: drivers/bluetooth/btqca.h: enum qca_btsoc_type { QCA_INVALID = -1, QCA_AR3002, QCA_ROME, QCA_WCN3988, QCA_WCN3990, QCA_WCN3998, QCA_WCN3991, QCA_QCA2066, QCA_QCA6390, QCA_WCN6750, QCA_WCN6855, QCA_WCN7850, };
Connect a external ROME module to ubuntu machine by BT UART to USB cable, then run "sudo btattach -B /dev/ttyUSB0 -P qca" within ubuntu.
will optimize description.
dereferring nullptr hu->serdev, fixed by null check before access.
dereferring → dereferencing
will correct it.
sudo btattach -B /dev/ttyUSB0 -P qca Bluetooth: hci1: QCA setup on UART is completed BUG: kernel NULL pointer dereference, address: 00000000000002f0 ...... Workqueue: hci1 hci_power_on [bluetooth] RIP: 0010:qca_setup+0x7c1/0xe30 [hci_uart] ...... Call Trace: <TASK> ? show_regs+0x72/0x90 ? __die+0x25/0x80 ? page_fault_oops+0x154/0x4c0 ? srso_alias_return_thunk+0x5/0xfbef5 ? kmem_cache_alloc+0x16b/0x310 ? do_user_addr_fault+0x330/0x6e0 ? srso_alias_return_thunk+0x5/0xfbef5 ? exc_page_fault+0x84/0x1b0 ? asm_exc_page_fault+0x27/0x30 ? qca_setup+0x7c1/0xe30 [hci_uart] hci_uart_setup+0x5c/0x1a0 [hci_uart] hci_dev_open_sync+0xee/0xca0 [bluetooth] hci_dev_do_open+0x2a/0x70 [bluetooth] hci_power_on+0x46/0x210 [bluetooth] process_one_work+0x17b/0x360 worker_thread+0x307/0x430 ? __pfx_worker_thread+0x10/0x10 kthread+0xf7/0x130 ? __pfx_kthread+0x10/0x10 ret_from_fork+0x46/0x70 ? __pfx_kthread+0x10/0x10 ret_from_fork_asm+0x1b/0x30 </TASK>
Fixes: 03b0093f7b31 ("Bluetooth: hci_qca: get wakeup status from serdev device handle") Cc: stable@vger.kernel.org Signed-off-by: Zijun Hu quic_zijuhu@quicinc.com Tested-by: Zijun Hu quic_zijuhu@quicinc.com
On what device?
this crash will happens on any generic linux machine, for example,
lsb_release -a No LSB modules are available. Distributor ID: Ubuntu Description: Ubuntu 22.04.3 LTS Release: 22.04 Codename: jammy
drivers/bluetooth/hci_qca.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/bluetooth/hci_qca.c b/drivers/bluetooth/hci_qca.c index 94b8c406f0c0..6fcfc1f7bb12 100644 --- a/drivers/bluetooth/hci_qca.c +++ b/drivers/bluetooth/hci_qca.c @@ -1951,7 +1951,7 @@ static int qca_setup(struct hci_uart *hu) qca_debugfs_init(hdev); hu->hdev->hw_error = qca_hw_error; hu->hdev->cmd_timeout = qca_cmd_timeout; - if (device_can_wakeup(hu->serdev->ctrl->dev.parent)) + if (hu->serdev && device_can_wakeup(hu->serdev->ctrl->dev.parent)) hu->hdev->wakeup = qca_wakeup;
Why is `hu->serdev` not set on the device?
actually, hu->serdev ONLY exists for BT controller which is embedded within machine's board, and it will be probed by serdev driver and also don't have available device node for user to btattach. also don't need to btattach.
for external BT module, it is tty instead of serdev. so hu->serdev is nullptr.
} else if (ret == -ENOENT) { /* No patch/nvm-config found, run with original fw/config */
Kind regards,
Paul
On 1/11/2024 5:46 PM, Paul Menzel wrote:
Dear Zijun,
Thank you for your patch.
Am 11.01.24 um 09:16 schrieb Zijun Hu:
A crash will happen when btattach controller ROME, and it is caused by
What does “btattach controller ROME” mean? Is ROME a platform? If so, should it be *on ROME* or similar?
it means that use tool btattach to attach BT controller QCA_ROME, ROME is a controller name. namely QCA_ROME as defined below, have optimized description and sent v2 patch. drivers/bluetooth/btqca.h: enum qca_btsoc_type { QCA_INVALID = -1, QCA_AR3002, QCA_ROME, QCA_WCN3988, QCA_WCN3990, QCA_WCN3998, QCA_WCN3991, QCA_QCA2066, QCA_QCA6390, QCA_WCN6750, QCA_WCN6855, QCA_WCN7850, };
dereferring nullptr hu->serdev, fixed by null check before access.
dereferring → dereferencing
have corrected as your advise
sudo btattach -B /dev/ttyUSB0 -P qca Bluetooth: hci1: QCA setup on UART is completed BUG: kernel NULL pointer dereference, address: 00000000000002f0 ...... Workqueue: hci1 hci_power_on [bluetooth] RIP: 0010:qca_setup+0x7c1/0xe30 [hci_uart] ...... Call Trace: <TASK> ? show_regs+0x72/0x90 ? __die+0x25/0x80 ? page_fault_oops+0x154/0x4c0 ? srso_alias_return_thunk+0x5/0xfbef5 ? kmem_cache_alloc+0x16b/0x310 ? do_user_addr_fault+0x330/0x6e0 ? srso_alias_return_thunk+0x5/0xfbef5 ? exc_page_fault+0x84/0x1b0 ? asm_exc_page_fault+0x27/0x30 ? qca_setup+0x7c1/0xe30 [hci_uart] hci_uart_setup+0x5c/0x1a0 [hci_uart] hci_dev_open_sync+0xee/0xca0 [bluetooth] hci_dev_do_open+0x2a/0x70 [bluetooth] hci_power_on+0x46/0x210 [bluetooth] process_one_work+0x17b/0x360 worker_thread+0x307/0x430 ? __pfx_worker_thread+0x10/0x10 kthread+0xf7/0x130 ? __pfx_kthread+0x10/0x10 ret_from_fork+0x46/0x70 ? __pfx_kthread+0x10/0x10 ret_from_fork_asm+0x1b/0x30 </TASK>
Fixes: 03b0093f7b31 ("Bluetooth: hci_qca: get wakeup status from serdev device handle") Cc: stable@vger.kernel.org Signed-off-by: Zijun Hu quic_zijuhu@quicinc.com Tested-by: Zijun Hu quic_zijuhu@quicinc.com
On what device?
it will happens on any machine with linux OS, such as lsb_release -a No LSB modules are available. Distributor ID: Ubuntu Description: Ubuntu 22.04.3 LTS Release: 22.04 Codename: jammy
drivers/bluetooth/hci_qca.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/bluetooth/hci_qca.c b/drivers/bluetooth/hci_qca.c index 94b8c406f0c0..6fcfc1f7bb12 100644 --- a/drivers/bluetooth/hci_qca.c +++ b/drivers/bluetooth/hci_qca.c @@ -1951,7 +1951,7 @@ static int qca_setup(struct hci_uart *hu) qca_debugfs_init(hdev); hu->hdev->hw_error = qca_hw_error; hu->hdev->cmd_timeout = qca_cmd_timeout; - if (device_can_wakeup(hu->serdev->ctrl->dev.parent)) + if (hu->serdev && device_can_wakeup(hu->serdev->ctrl->dev.parent)) hu->hdev->wakeup = qca_wakeup;
Why is `hu->serdev` not set on the device?
For ALL QCA BT controller which are attached by tool btattach. hu->serdev is nullptr since it is not probed by serdev driver. and it is a tty device.
as you saw, the following code also do nullptr check for hu->serdev, since protocol setup function are used by both Serdev and Non-serdev, thanks
if (hu->serdev) { serdev_device_close(hu->serdev); }
} else if (ret == -ENOENT) { /* No patch/nvm-config found, run with original fw/config */
Kind regards,
Paul
A crash will happen when use tool btattach to attach a BT controller QCA_ROME, and it is caused by dereferencing nullptr hu->serdev, fixed by null check before access.
sudo btattach -B /dev/ttyUSB0 -P qca Bluetooth: hci1: QCA setup on UART is completed BUG: kernel NULL pointer dereference, address: 00000000000002f0 ...... Workqueue: hci1 hci_power_on [bluetooth] RIP: 0010:qca_setup+0x7c1/0xe30 [hci_uart] ...... Call Trace: <TASK> ? show_regs+0x72/0x90 ? __die+0x25/0x80 ? page_fault_oops+0x154/0x4c0 ? srso_alias_return_thunk+0x5/0xfbef5 ? kmem_cache_alloc+0x16b/0x310 ? do_user_addr_fault+0x330/0x6e0 ? srso_alias_return_thunk+0x5/0xfbef5 ? exc_page_fault+0x84/0x1b0 ? asm_exc_page_fault+0x27/0x30 ? qca_setup+0x7c1/0xe30 [hci_uart] hci_uart_setup+0x5c/0x1a0 [hci_uart] hci_dev_open_sync+0xee/0xca0 [bluetooth] hci_dev_do_open+0x2a/0x70 [bluetooth] hci_power_on+0x46/0x210 [bluetooth] process_one_work+0x17b/0x360 worker_thread+0x307/0x430 ? __pfx_worker_thread+0x10/0x10 kthread+0xf7/0x130 ? __pfx_kthread+0x10/0x10 ret_from_fork+0x46/0x70 ? __pfx_kthread+0x10/0x10 ret_from_fork_asm+0x1b/0x30 </TASK>
Fixes: 03b0093f7b31 ("Bluetooth: hci_qca: get wakeup status from serdev device handle") Cc: stable@vger.kernel.org Signed-off-by: Zijun Hu quic_zijuhu@quicinc.com Tested-by: Zijun Hu quic_zijuhu@quicinc.com --- Changes since v1: - Correct tile and commit message based on Paul's suggestions
drivers/bluetooth/hci_qca.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/bluetooth/hci_qca.c b/drivers/bluetooth/hci_qca.c index 94b8c406f0c0..6fcfc1f7bb12 100644 --- a/drivers/bluetooth/hci_qca.c +++ b/drivers/bluetooth/hci_qca.c @@ -1951,7 +1951,7 @@ static int qca_setup(struct hci_uart *hu) qca_debugfs_init(hdev); hu->hdev->hw_error = qca_hw_error; hu->hdev->cmd_timeout = qca_cmd_timeout; - if (device_can_wakeup(hu->serdev->ctrl->dev.parent)) + if (hu->serdev && device_can_wakeup(hu->serdev->ctrl->dev.parent)) hu->hdev->wakeup = qca_wakeup; } else if (ret == -ENOENT) { /* No patch/nvm-config found, run with original fw/config */
A crash will happen when use tool btattach to attach a BT controller QCA_ROME, and it is caused by dereferencing nullptr hu->serdev, fixed by null check before access.
sudo btattach -B /dev/ttyUSB0 -P qca Bluetooth: hci1: QCA setup on UART is completed BUG: kernel NULL pointer dereference, address: 00000000000002f0 ...... Workqueue: hci1 hci_power_on [bluetooth] RIP: 0010:qca_setup+0x7c1/0xe30 [hci_uart] ...... Call Trace: <TASK> ? show_regs+0x72/0x90 ? __die+0x25/0x80 ? page_fault_oops+0x154/0x4c0 ? srso_alias_return_thunk+0x5/0xfbef5 ? kmem_cache_alloc+0x16b/0x310 ? do_user_addr_fault+0x330/0x6e0 ? srso_alias_return_thunk+0x5/0xfbef5 ? exc_page_fault+0x84/0x1b0 ? asm_exc_page_fault+0x27/0x30 ? qca_setup+0x7c1/0xe30 [hci_uart] hci_uart_setup+0x5c/0x1a0 [hci_uart] hci_dev_open_sync+0xee/0xca0 [bluetooth] hci_dev_do_open+0x2a/0x70 [bluetooth] hci_power_on+0x46/0x210 [bluetooth] process_one_work+0x17b/0x360 worker_thread+0x307/0x430 ? __pfx_worker_thread+0x10/0x10 kthread+0xf7/0x130 ? __pfx_kthread+0x10/0x10 ret_from_fork+0x46/0x70 ? __pfx_kthread+0x10/0x10 ret_from_fork_asm+0x1b/0x30 </TASK>
Fixes: 03b0093f7b31 ("Bluetooth: hci_qca: get wakeup status from serdev device handle") Cc: stable@vger.kernel.org Signed-off-by: Zijun Hu quic_zijuhu@quicinc.com Tested-by: Zijun Hu quic_zijuhu@quicinc.com --- drivers/bluetooth/hci_qca.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/bluetooth/hci_qca.c b/drivers/bluetooth/hci_qca.c index 92fa20f5ac7d..fdaf83d817af 100644 --- a/drivers/bluetooth/hci_qca.c +++ b/drivers/bluetooth/hci_qca.c @@ -1955,7 +1955,7 @@ static int qca_setup(struct hci_uart *hu) qca_debugfs_init(hdev); hu->hdev->hw_error = qca_hw_error; hu->hdev->cmd_timeout = qca_cmd_timeout; - if (device_can_wakeup(hu->serdev->ctrl->dev.parent)) + if (hu->serdev && device_can_wakeup(hu->serdev->ctrl->dev.parent)) hu->hdev->wakeup = qca_wakeup; } else if (ret == -ENOENT) { /* No patch/nvm-config found, run with original fw/config */
linux-stable-mirror@lists.linaro.org