Hi

I have hit this issue again, still the same kernel and everything. The call stack appears to be the same. But now there is a warning before the oops:

  Bluetooth: hci0: SCO packet for unknown connection handle 257

I am wondering if this could be relevant.


On Sunday, 9 July 2023 at 15:57, Barnabás Pőcze wrote:
> Hi
>
>
> while using a bluetooth headset with pipewire, I have run into the issue
> in the subject multiple times already.
>
> BUG: kernel NULL pointer dereference, address: 00000000000006a8
> #PF: supervisor read access in kernel mode
> #PF: error_code(0x0000) - not-present page
> PGD 0 P4D 0
> Oops: 0000 [#1] PREEMPT SMP PTI
> CPU: 6 PID: 3472 Comm: pipewire-media- Tainted: P OE 6.4.2-3-MANJARO #1 b8b1fec9d2ca7e610dcda537ef3912d54df433f4
> Hardware name: SchenkerTechnologiesGmbH XMG FUSION 15 (XFU15L19)/LAPQC71A, BIOS QCCFL357.0120.2020.0813.1334 08/13/2020
> RIP: 0010:hci_send_sco+0x17/0xb0 [bluetooth]
> Code: f7 eb cf 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 66 0f 1f 00 0f 1f 44 00 00 41 56 49 89 fe 41 55 41 54 55 53 48 89 f3 <4c> 8b af a8 06 00 00 66 90 48 89 df be 03 00 00 00 45 0f b7 66 32
> RSP: 0018:ffffbdb60454fd38 EFLAGS: 00010216
> RAX: 0000000000000001 RBX: ffff964f52e2f200 RCX: 0000000000000000
> RDX: 0000000000000001 RSI: ffff964f52e2f200 RDI: 0000000000000000
> RBP: ffff96538383f800 R08: ffffbdb60454fbd0 R09: 0000000000000000
> R10: ffff9652bf1a8c80 R11: 0000000000000000 R12: ffff964f512a7680
> R13: ffffbdb60454fdf8 R14: 0000000000000000 R15: ffffbdb60454fde8
> FS:  00007f139fdff6c0(0000) GS:ffff965ebdb80000(0000) knlGS:0000000000000000
> CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> CR2: 00000000000006a8 CR3: 0000000113a0e004 CR4: 00000000003706e0
> Call Trace:
>  <TASK>
>  ? __die+0x23/0x70
>  ? page_fault_oops+0x171/0x4e0
>  ? exc_page_fault+0x7f/0x180
>  ? asm_exc_page_fault+0x26/0x30
>  ? hci_send_sco+0x17/0xb0 [bluetooth 5eeccc5bad4c2f4e85d0f6a24ae9715b47202498]
>  sco_sock_sendmsg+0x235/0x2e0 [bluetooth 5eeccc5bad4c2f4e85d0f6a24ae9715b47202498]
>  sock_sendmsg+0x93/0xa0
>  ? sockfd_lookup_light+0x12/0x70
>  __sys_sendto+0x120/0x170
>  __x64_sys_sendto+0x24/0x30
>  do_syscall_64+0x5d/0x90
>  ? exc_page_fault+0x7f/0x180
>  entry_SYSCALL_64_after_hwframe+0x72/0xdc
> RIP: 0033:0x7f13a4b22dfc
> Code: 89 4c 24 1c e8 f5 69 f7 ff 44 8b 54 24 1c 8b 3c 24 45 31 c9 89 c5 48 8b 54 24 10 48 8b 74 24 08 45 31 c0 b8 2c 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 34 89 ef 48 89 04 24 e8 41 6a f7 ff 48 8b 04
> RSP: 002b:00007f139fdfd690 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
> RAX: ffffffffffffffda RBX: 000000000000003c RCX: 00007f13a4b22dfc
> RDX: 000000000000003c RSI: 000061500029bb00 RDI: 0000000000000041
> RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
> R10: 0000000000004040 R11: 0000000000000246 R12: 000061500029bb00
> R13: 0000617000012d80 R14: 00000fe273d83b20 R15: 000000000000003c
>  </TASK>
> Modules linked in: uinput nvidia_uvm(POE) rfcomm snd_seq_dummy snd_hrtimer snd_seq snd_seq_device nvidia_drm(POE) nvidia_modeset(POE) nvidia(POE) hid_ite8291r3(OE) qc71_laptop(OE) ccm cmac algif_hash algif_skcipher af_alg bnep snd_sof_pci_intel_cnl snd_sof_intel_hda_common soundwire_intel soundwire_cadence snd_sof_intel_hda_mlink snd_sof_intel_hda snd_sof_pci snd_sof_xtensa_dsp snd_sof snd_sof_utils snd_soc_hdac_hda snd_hda_ext_core snd_soc_acpi_intel_match snd_soc_acpi soundwire_generic_allocation soundwire_bus ucsi_ccg snd_soc_core typec_ucsi snd_compress typec ac97_bus roles snd_pcm_dmaengine btusb uvcvideo videobuf2_vmalloc btrtl uvc videobuf2_memops btbcm videobuf2_v4l2 btintel videodev btmtk videobuf2_common mc bluetooth ecdh_generic intel_rapl_msr intel_rapl_common intel_tcc_cooling x86_pkg_temp_thermal intel_powerclamp coretemp snd_hda_codec_hdmi kvm_intel iwlmvm snd_hda_codec_realtek kvm snd_hda_codec_generic irqbypass joydev mac80211
>  crct10dif_pclmul vfat crc32_pclmul mousedev snd_hda_intel polyval_clmulni fat polyval_generic libarc4 snd_intel_dspcfg gf128mul snd_intel_sdw_acpi ghash_clmulni_intel sha512_ssse3 snd_hda_codec aesni_intel iwlwifi crypto_simd snd_hda_core cryptd iTCO_wdt 8250_dw asus_wmi snd_hwdep hid_multitouch rapl ledtrig_audio intel_pmc_bxt mei_pxp mei_hdcp ee1004 iTCO_vendor_support intel_cstate snd_pcm spi_nor sparse_keymap cfg80211 intel_uncore platform_profile snd_timer intel_wmi_thunderbolt wmi_bmof mei_me intel_lpss_pci r8168(OE) mtd pcspkr snd thunderbolt mei intel_lpss i2c_i801 i2c_hid_acpi rfkill i2c_nvidia_gpu intel_pch_thermal soundcore i2c_smbus idma64 i2c_hid acpi_pad acpi_tad mac_hid dm_multipath vboxnetflt(OE) vboxnetadp(OE) vboxdrv(OE) crypto_user acpi_call(OE) fuse loop dm_mod bpf_preload ip_tables x_tables ext4 crc32c_generic crc16 mbcache jbd2 uas usbhid usb_storage i915 serio_raw atkbd i2c_algo_bit drm_buddy libps2 intel_gtt vivaldi_fmap nvme drm_display_helper mxm_wmi nvme_core crc32c_intel spi_intel_pci cec xhci_pci spi_intel nvme_common ttm
>  xhci_pci_renesas i8042 serio video wmi
> CR2: 00000000000006a8
> ---[ end trace 0000000000000000 ]---
> RIP: 0010:hci_send_sco+0x17/0xb0 [bluetooth]
> Code: f7 eb cf 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 66 0f 1f 00 0f 1f 44 00 00 41 56 49 89 fe 41 55 41 54 55 53 48 89 f3 <4c> 8b af a8 06 00 00 66 90 48 89 df be 03 00 00 00 45 0f b7 66 32
> RSP: 0018:ffffbdb60454fd38 EFLAGS: 00010216
> RAX: 0000000000000001 RBX: ffff964f52e2f200 RCX: 0000000000000000
> RDX: 0000000000000001 RSI: ffff964f52e2f200 RDI: 0000000000000000
> RBP: ffff96538383f800 R08: ffffbdb60454fbd0 R09: 0000000000000000
> R10: ffff9652bf1a8c80 R11: 0000000000000000 R12: ffff964f512a7680
> R13: ffffbdb60454fdf8 R14: 0000000000000000 R15: ffffbdb60454fde8
> FS:  00007f139fdff6c0(0000) GS:ffff965ebdb80000(0000) knlGS:0000000000000000
> CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> CR2: 00000000000006a8 CR3: 0000000113a0e004 CR4: 00000000003706e0
> note: pipewire-media-[3472] exited with irqs disabled
>
> Here is the disassembly:
>
> 0000000000009fd0 <hci_send_sco>:
>     9fd0:  f3 0f 1e fa             endbr64
>     9fd4:  e8 00 00 00 00          call   9fd9 <hci_send_sco+0x9>
>             9fd5: R_X86_64_PLT32   __fentry__-0x4
>     9fd9:  41 56                   push   r14
>     9fdb:  49 89 fe                mov    r14,rdi
>     9fde:  41 55                   push   r13
>     9fe0:  41 54                   push   r12
>     9fe2:  55                      push   rbp
>     9fe3:  53                      push   rbx
>     9fe4:  48 89 f3                mov    rbx,rsi
>     9fe7:  4c 8b af a8 06 00 00    mov    r13,QWORD PTR [rdi+0x6a8]
>     9fee:  66 90                   xchg   ax,ax
>     9ff0:  48 89 df                mov    rdi,rbx
>     9ff3:  be 03 00 00 00          mov    esi,0x3
>     9ff8:  45 0f b7 66 32          movzx  r12d,WORD PTR [r14+0x32]
>     9ffd:  8b 6b 70                mov    ebp,DWORD PTR [rbx+0x70]
>     a000:  e8 00 00 00 00          call   a005 <hci_send_sco+0x35>
>             a001: R_X86_64_PLT32   skb_push-0x4
>
> The offending instruction appears to be the mov at 0x9fe7. Based on the source code:
>
> void hci_send_sco(struct hci_conn *conn, struct sk_buff *skb)
> {
>         struct hci_dev *hdev = conn->hdev;
>         struct hci_sco_hdr hdr;
>
>         BT_DBG("%s len %d", hdev->name, skb->len);
>
>         hdr.handle = cpu_to_le16(conn->handle);
>         hdr.dlen   = skb->len;
>
>         skb_push(skb, HCI_SCO_HDR_SIZE);
>
> The offending part appears to be `conn->hdev`. It looks like `conn` is NULL.
>
> I have spent some time looking at the code and it looks like `__sco_sock_close()` is the only
> place where `conn->hcon` is set to NULL, but that also sets `sk_state` to `BT_DISCONN`, so I
> don't quite see how `sco_sock_sendmsg()` can then go ahead and call `sco_send_frame()` because
> of the following check:
>
>         if (sk->sk_state == BT_CONNECTED)
>                 err = sco_send_frame(sk, skb);
>         else
>                 err = -ENOTCONN;
>
> It is entirely possible that I am missing some part of the logic, so I may be completely wrong.
> In any case, thank you for your help in advance.
>
>
> Regards,
> Barnabás Pőcze
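The reasoning in the quoted report (faulting address 0x6a8 == displacement of the `mov r13,QWORD PTR [rdi+0x6a8]` at hci_send_sco+0x17, with RDI == 0, hence `conn` is NULL and 0x6a8 is the offset of `hdev` inside `struct hci_conn`) can be checked mechanically from the oops text alone. The following is an added example written for this page; it is not code from the report, from the kernel tree, or from any of the thread's participants. The `Code:` bytes, the register values, CR2 and the #PF error code are copied from the oops above; the function names and the deliberately tiny x86-64 decoder (only REX-prefixed `mov r64, [base+disp]` / `mov [base+disp], r64` without SIB) are this example's own constructions, chosen because that form is the one this oops faults on.

```python
"""Decode the faulting instruction of an x86-64 kernel oops and test the
"NULL base pointer, field at offset disp" hypothesis.

Added example, not code from the original report or from the kernel. The
"Code:" bytes, register values, CR2 and #PF error code below are copied
from the oops quoted in this thread; all names and the decoder itself are
this example's own constructions (assumptions for illustration). Only
    mov r64, [base + disp]   /   mov [base + disp], r64
with a REX prefix and no SIB byte is decoded; anything else raises.
"""
import re

REGISTERS = ("rax", "rcx", "rdx", "rbx", "rsp", "rbp", "rsi", "rdi",
             "r8", "r9", "r10", "r11", "r12", "r13", "r14", "r15")

# Copied from the report. The byte inside <...> is the first byte of the
# instruction that faulted; the bytes before it are leading context.
CODE_LINE = ("Code: f7 eb cf 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 "
             "66 0f 1f 00 0f 1f 44 00 00 41 56 49 89 fe 41 55 41 54 55 53 "
             "48 89 f3 <4c> 8b af a8 06 00 00 66 90 48 89 df be 03 00 00 00 "
             "45 0f b7 66 32")
OOPS_REGS = {"rdi": 0x0000000000000000, "rsi": 0xffff964f52e2f200,
             "rbx": 0xffff964f52e2f200, "r14": 0x0000000000000000}
OOPS_CR2 = 0x00000000000006a8
OOPS_PF_ERROR_CODE = 0x0000      # "#PF: error_code(0x0000)" in the report


def split_code_line(line):
    """Return (context_bytes, faulting_bytes) from an oops 'Code:' line."""
    body = line.split("Code:", 1)[1]
    m = re.search(r"<([0-9a-f]{2})>", body)
    if m is None:
        raise ValueError("no <xx> marker in Code: line")
    before = bytes.fromhex(body[:m.start()].replace(" ", ""))
    after = bytes.fromhex(body[m.end():].replace(" ", ""))
    return before, bytes([int(m.group(1), 16)]) + after


def decode_mov(code):
    """Decode a REX-prefixed 'mov r64, [base+disp]' or 'mov [base+disp], r64'.

    Returns {"op": "load"|"store", "reg", "base", "disp", "length"}.
    """
    rex = code[0]
    if rex & 0xF0 != 0x40:
        raise ValueError("expected a REX prefix")
    opcode = code[1]
    if opcode not in (0x8B, 0x89):
        raise ValueError("opcode %#x is not a mov r/m64 form" % opcode)
    modrm = code[2]
    mod, reg, rm = modrm >> 6, (modrm >> 3) & 7, modrm & 7
    if mod == 0b11:
        raise ValueError("register-direct mov does not touch memory")
    if rm == 0b100 or (mod == 0b00 and rm == 0b101):
        raise ValueError("SIB and RIP-relative forms are not handled")
    reg |= (rex & 0x04) << 1          # REX.R extends the reg field
    rm |= (rex & 0x01) << 3           # REX.B extends the base register
    if mod == 0b00:
        disp, length = 0, 3
    elif mod == 0b01:
        disp, length = int.from_bytes(code[3:4], "little", signed=True), 4
    else:
        disp, length = int.from_bytes(code[3:7], "little", signed=True), 7
    return {"op": "load" if opcode == 0x8B else "store",
            "reg": REGISTERS[reg], "base": REGISTERS[rm],
            "disp": disp, "length": length}


def explain_fault(code_line, regs, cr2, pf_error_code):
    """Cross-check the decoded instruction against the register dump and CR2.

    If base + disp equals CR2 and base == 0, the fault is a NULL-pointer
    dereference and disp is the offset of the accessed field in the struct
    the pointer was supposed to point at.
    """
    _, fault = split_code_line(code_line)
    insn = decode_mov(fault)
    base_val = regs[insn["base"]]
    ea = (base_val + insn["disp"]) & 0xFFFFFFFFFFFFFFFF
    hw_says_write = bool(pf_error_code & 0x2)   # bit 1 of the #PF error code
    if insn["op"] == "load":
        text = "mov %s, [%s%+#x]" % (insn["reg"], insn["base"], insn["disp"])
    else:
        text = "mov [%s%+#x], %s" % (insn["base"], insn["disp"], insn["reg"])
    return {
        "insn": text,
        "effective_address": ea,
        "matches_cr2": ea == cr2,
        "access_consistent": hw_says_write == (insn["op"] == "store"),
        "null_base": base_val == 0,
        "field_offset": insn["disp"] if base_val == 0 else None,
    }


if __name__ == "__main__":
    result = explain_fault(CODE_LINE, OOPS_REGS, OOPS_CR2, OOPS_PF_ERROR_CODE)
    for key, value in result.items():
        if isinstance(value, int) and not isinstance(value, bool):
            value = hex(value)
        print("%-18s %s" % (key, value))
```

Run against the values from the report, this prints `mov r13, [rdi+0x6a8]`, an effective address of 0x6a8 that matches CR2, a read access consistent with the `supervisor read` / `error_code(0x0000)` lines, and a NULL base with field offset 0x6a8. The disassembly in the report supports the same conclusion from a second register: `mov r14,rdi` at 0x9fdb copies the first argument, and R14 is also 0 in the dump. The offset itself is specific to this kernel build's `struct hci_conn` layout; to confirm which field sits at 0x6a8 on your own build, run `pahole -C hci_conn` against a `bluetooth.ko` built with debug info rather than relying on the source excerpt.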