Re: kernel NULL pointer dereference in hci_send_sco()

Hi,

On Tue, 2023-07-11 at 19:48 +0000, Barnabás Pőcze wrote:
> Hi
> 
> 
> I have hit this issue again, still the same kernel and everything.
> The call stack appears to be the same.
> 
> But now there is a warning before the oops:
> 
>   Bluetooth: hci0: SCO packet for unknown connection handle 257
> 
> I am wondering if this could be relevant.

Those generally should be harmless, as the hci_conn may be destroyed
earlier than when controller stops sending SCO packets for it.

It's not clear those should be printed as errors; the same goes for the
"corrupted SCO packet" messages, which are also printed when the
hci_conn has already been destroyed. You get lots of that spam during
normal SCO operation.

For this crash, maybe you can try applying the following patches:

https://lore.kernel.org/linux-bluetooth/490b5c6a0e13047fd1bea42d3184b46623adc359.1689003801.git.pav@xxxxxx/

https://lore.kernel.org/linux-bluetooth/20230711131353.40500-1-code@xxxxxxxx/

Basically the ISO sockets had similar crashes before, which are now
fixed and SCO seems to need similar fixes.

> 
> 
> On Sunday, 9 July 2023 at 15:57, Barnabás Pőcze wrote:
> 
> > Hi
> > 
> > 
> > while using a bluetooth headset with pipewire, I have run into the issue
> > in the subject multiple times already.
> > 
> > 	BUG: kernel NULL pointer dereference, address: 00000000000006a8
> > 	#PF: supervisor read access in kernel mode
> > 	#PF: error_code(0x0000) - not-present page
> > 	PGD 0 P4D 0
> > 	Oops: 0000 [#1] PREEMPT SMP PTI
> > 	CPU: 6 PID: 3472 Comm: pipewire-media- Tainted: P           OE      6.4.2-3-MANJARO #1 b8b1fec9d2ca7e610dcda537ef3912d54df433f4
> > 	Hardware name: SchenkerTechnologiesGmbH XMG FUSION 15 (XFU15L19)/LAPQC71A, BIOS QCCFL357.0120.2020.0813.1334 08/13/2020
> > 	RIP: 0010:hci_send_sco+0x17/0xb0 [bluetooth]
> > 	Code: f7 eb cf 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 66 0f 1f 00 0f 1f 44 00 00 41 56 49 89 fe 41 55 41 54 55 53 48 89 f3 <4c> 8b af a8 06 00 00 66 90 48 89 df be 03 00 00 00 45 0f b7 66 32
> > 	RSP: 0018:ffffbdb60454fd38 EFLAGS: 00010216
> > 	RAX: 0000000000000001 RBX: ffff964f52e2f200 RCX: 0000000000000000
> > 	RDX: 0000000000000001 RSI: ffff964f52e2f200 RDI: 0000000000000000
> > 	RBP: ffff96538383f800 R08: ffffbdb60454fbd0 R09: 0000000000000000
> > 	R10: ffff9652bf1a8c80 R11: 0000000000000000 R12: ffff964f512a7680
> > 	R13: ffffbdb60454fdf8 R14: 0000000000000000 R15: ffffbdb60454fde8
> > 	FS:  00007f139fdff6c0(0000) GS:ffff965ebdb80000(0000) knlGS:0000000000000000
> > 	CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> > 	CR2: 00000000000006a8 CR3: 0000000113a0e004 CR4: 00000000003706e0
> > 	Call Trace:
> > 	<TASK>
> > 	? __die+0x23/0x70
> > 	? page_fault_oops+0x171/0x4e0
> > 	? exc_page_fault+0x7f/0x180
> > 	? asm_exc_page_fault+0x26/0x30
> > 	? hci_send_sco+0x17/0xb0 [bluetooth 5eeccc5bad4c2f4e85d0f6a24ae9715b47202498]
> > 	sco_sock_sendmsg+0x235/0x2e0 [bluetooth 5eeccc5bad4c2f4e85d0f6a24ae9715b47202498]
> > 	sock_sendmsg+0x93/0xa0
> > 	? sockfd_lookup_light+0x12/0x70
> > 	__sys_sendto+0x120/0x170
> > 	__x64_sys_sendto+0x24/0x30
> > 	do_syscall_64+0x5d/0x90
> > 	? exc_page_fault+0x7f/0x180
> > 	entry_SYSCALL_64_after_hwframe+0x72/0xdc
> > 	RIP: 0033:0x7f13a4b22dfc
> > 	Code: 89 4c 24 1c e8 f5 69 f7 ff 44 8b 54 24 1c 8b 3c 24 45 31 c9 89 c5 48 8b 54 24 10 48 8b 74 24 08 45 31 c0 b8 2c 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 34 89 ef 48 89 04 24 e8 41 6a f7 ff 48 8b 04
> > 	RSP: 002b:00007f139fdfd690 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
> > 	RAX: ffffffffffffffda RBX: 000000000000003c RCX: 00007f13a4b22dfc
> > 	RDX: 000000000000003c RSI: 000061500029bb00 RDI: 0000000000000041
> > 	RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
> > 	R10: 0000000000004040 R11: 0000000000000246 R12: 000061500029bb00
> > 	R13: 0000617000012d80 R14: 00000fe273d83b20 R15: 000000000000003c
> > 	</TASK>
> > 	Modules linked in: uinput nvidia_uvm(POE) rfcomm snd_seq_dummy snd_hrtimer snd_seq snd_seq_device nvidia_drm(POE) nvidia_modeset(POE) nvidia(POE) hid_ite8291r3(OE) qc71_laptop(OE) ccm cmac algif_hash algif_skcipher af_alg bnep snd_sof_pci_intel_cnl snd_sof_intel_hda_common soundwire_intel soundwire_cadence snd_sof_intel_hda_mlink snd_sof_intel_hda snd_sof_pci snd_sof_xtensa_dsp snd_sof snd_sof_utils snd_soc_hdac_hda snd_hda_ext_core snd_soc_acpi_intel_match snd_soc_acpi soundwire_generic_allocation soundwire_bus ucsi_ccg snd_soc_core typec_ucsi snd_compress typec ac97_bus roles snd_pcm_dmaengine btusb uvcvideo videobuf2_vmalloc btrtl uvc videobuf2_memops btbcm videobuf2_v4l2 btintel videodev btmtk videobuf2_common mc bluetooth ecdh_generic intel_rapl_msr intel_rapl_common intel_tcc_cooling x86_pkg_temp_thermal intel_powerclamp coretemp snd_hda_codec_hdmi kvm_intel iwlmvm snd_hda_codec_realtek kvm snd_hda_codec_generic irqbypass joydev mac80211 crct10dif_pclmul vfat crc32_pclmul mousedev snd_hda_intel
> > 	polyval_clmulni fat polyval_generic libarc4 snd_intel_dspcfg gf128mul snd_intel_sdw_acpi ghash_clmulni_intel sha512_ssse3 snd_hda_codec aesni_intel iwlwifi crypto_simd snd_hda_core cryptd iTCO_wdt 8250_dw asus_wmi snd_hwdep hid_multitouch rapl ledtrig_audio intel_pmc_bxt mei_pxp mei_hdcp ee1004 iTCO_vendor_support intel_cstate snd_pcm spi_nor sparse_keymap cfg80211 intel_uncore platform_profile snd_timer intel_wmi_thunderbolt wmi_bmof mei_me intel_lpss_pci r8168(OE) mtd pcspkr snd thunderbolt mei intel_lpss i2c_i801 i2c_hid_acpi rfkill i2c_nvidia_gpu intel_pch_thermal soundcore i2c_smbus idma64 i2c_hid acpi_pad acpi_tad mac_hid dm_multipath vboxnetflt(OE) vboxnetadp(OE) vboxdrv(OE) crypto_user acpi_call(OE) fuse loop dm_mod bpf_preload ip_tables x_tables ext4 crc32c_generic crc16 mbcache jbd2 uas usbhid usb_storage i915 serio_raw atkbd i2c_algo_bit drm_buddy libps2 intel_gtt vivaldi_fmap nvme drm_display_helper mxm_wmi nvme_core crc32c_intel spi_intel_pci cec xhci_pci spi_intel nvme_common ttm
> > 	xhci_pci_renesas i8042 serio video wmi
> > 	CR2: 00000000000006a8
> > 	---[ end trace 0000000000000000 ]---
> > 	RIP: 0010:hci_send_sco+0x17/0xb0 [bluetooth]
> > 	Code: f7 eb cf 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 66 0f 1f 00 0f 1f 44 00 00 41 56 49 89 fe 41 55 41 54 55 53 48 89 f3 <4c> 8b af a8 06 00 00 66 90 48 89 df be 03 00 00 00 45 0f b7 66 32
> > 	RSP: 0018:ffffbdb60454fd38 EFLAGS: 00010216
> > 	RAX: 0000000000000001 RBX: ffff964f52e2f200 RCX: 0000000000000000
> > 	RDX: 0000000000000001 RSI: ffff964f52e2f200 RDI: 0000000000000000
> > 	RBP: ffff96538383f800 R08: ffffbdb60454fbd0 R09: 0000000000000000
> > 	R10: ffff9652bf1a8c80 R11: 0000000000000000 R12: ffff964f512a7680
> > 	R13: ffffbdb60454fdf8 R14: 0000000000000000 R15: ffffbdb60454fde8
> > 	FS:  00007f139fdff6c0(0000) GS:ffff965ebdb80000(0000) knlGS:0000000000000000
> > 	CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> > 	CR2: 00000000000006a8 CR3: 0000000113a0e004 CR4: 00000000003706e0
> > 	note: pipewire-media-[3472] exited with irqs disabled
> > 
> > Here is the disassembly:
> > 
> > 	0000000000009fd0 <hci_send_sco>:
> > 	9fd0:       f3 0f 1e fa             endbr64
> > 	9fd4:       e8 00 00 00 00          call   9fd9 <hci_send_sco+0x9>
> > 				9fd5: R_X86_64_PLT32    __fentry__-0x4
> > 	9fd9:       41 56                   push   r14
> > 	9fdb:       49 89 fe                mov    r14,rdi
> > 	9fde:       41 55                   push   r13
> > 	9fe0:       41 54                   push   r12
> > 	9fe2:       55                      push   rbp
> > 	9fe3:       53                      push   rbx
> > 	9fe4:       48 89 f3                mov    rbx,rsi
> > 	9fe7:       4c 8b af a8 06 00 00    mov    r13,QWORD PTR [rdi+0x6a8]
> > 	9fee:       66 90                   xchg   ax,ax
> > 	9ff0:       48 89 df                mov    rdi,rbx
> > 	9ff3:       be 03 00 00 00          mov    esi,0x3
> > 	9ff8:       45 0f b7 66 32          movzx  r12d,WORD PTR [r14+0x32]
> > 	9ffd:       8b 6b 70                mov    ebp,DWORD PTR [rbx+0x70]
> > 	a000:       e8 00 00 00 00          call   a005 <hci_send_sco+0x35>
> > 				a001: R_X86_64_PLT32    skb_push-0x4
> > 
> > The offending instruction appears to be the mov at 0x9fe7. Based on the source code:
> > 
> > 	void hci_send_sco(struct hci_conn *conn, struct sk_buff *skb)
> > 	{
> > 		struct hci_dev *hdev = conn->hdev;
> > 		struct hci_sco_hdr hdr;
> > 
> > 		BT_DBG("%s len %d", hdev->name, skb->len);
> > 
> > 		hdr.handle = cpu_to_le16(conn->handle);
> > 		hdr.dlen   = skb->len;
> > 
> > 		skb_push(skb, HCI_SCO_HDR_SIZE);
> > 
> > The offending part appears to be `conn->hdev`. It looks like `conn` is NULL.
> > 
> > I have spent some time looking at the code and it looks like `__sco_sock_close()` is the only
> > place where `conn->hconn` is set to NULL, but that also sets `sk_state` to `BT_DISCONN`, so I
> > don't quite see how `sco_sock_sendmsg()` can then go ahead and call `sco_send_frame()` because
> > of the following check:
> > 
> > 	if (sk->sk_state == BT_CONNECTED)
> > 		err = sco_send_frame(sk, skb);
> > 	else
> > 		err = -ENOTCONN;
> > 
> > It is entirely possible that I am missing some part of the logic, so I may be completely wrong.
> > In any case, thank you for your help in advance.
> > 
> > 
> > Regards,
> > Barnabás Pőcze

-- 
Pauli Virtanen
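The question in the quoted report is how a NULL `conn` can reach hci_send_sco() when sco_sock_sendmsg() only calls sco_send_frame() for a socket in BT_CONNECTED. One way that class of crash happens is when the state check and the later use of the conn pointer are not covered by the same hold of the socket lock, so a close that clears the pointer can land in between. The following single-threaded C model is an added example written for this page; it is not kernel code and not the content of the linked patches, and whether this is the actual mechanism behind the reported oops is for those patches to settle. The structures, the `lock_sock_model()`/`release_sock_model()` helpers, the `window` callback that stands in for the interleaving, and the `NULL_DEREF` return value standing in for the fault are all assumptions of the model.

```c
#include <assert.h>
#include <errno.h>
#include <stddef.h>
#include <stdio.h>

/* Simplified stand-ins for the kernel types discussed in the thread (assumed). */
enum { BT_CONNECTED = 1, BT_DISCONN = 9 };
#define NULL_DEREF (-1000)  /* stands in for the oops a real NULL dereference causes */

struct hci_dev  { const char *name; };
struct hci_conn { struct hci_dev *hdev; unsigned short handle; };
struct sco_sock {
    int lock_held;          /* models lock_sock()/release_sock() in one thread */
    int sk_state;
    struct hci_conn *conn;  /* sco_pi(sk)->conn in the kernel */
};

static void lock_sock_model(struct sco_sock *sk)    { assert(!sk->lock_held); sk->lock_held = 1; }
static void release_sock_model(struct sco_sock *sk) { assert(sk->lock_held);  sk->lock_held = 0; }

/* Close path in the order the report describes: conn is cleared and the
 * state moves to BT_DISCONN, both while holding the socket lock. */
void sco_close_model(struct sco_sock *sk)
{
    lock_sock_model(sk);
    sk->conn = NULL;
    sk->sk_state = BT_DISCONN;
    release_sock_model(sk);
}

/* Stand-in for hci_send_sco(): its first action is reading conn->hdev. */
static int hci_send_sco_model(struct hci_conn *conn)
{
    if (conn == NULL)
        return NULL_DEREF;  /* the real function would fault here on conn->hdev */
    return (int)conn->handle;  /* "sent": the handle that goes into the SCO header */
}

/* Racy shape: state is checked under the lock, but conn is used after the
 * lock was dropped. 'window' models a close landing in that gap. */
int sendmsg_racy(struct sco_sock *sk, void (*window)(struct sco_sock *))
{
    lock_sock_model(sk);
    int state = sk->sk_state;
    release_sock_model(sk);

    if (state != BT_CONNECTED)
        return -ENOTCONN;

    if (window)
        window(sk);                        /* close runs here */

    return hci_send_sco_model(sk->conn);   /* conn may be NULL by now */
}

/* Hardened shape: the close can only run before the lock is taken, and the
 * state check, the NULL check and the use all happen under one hold. */
int sendmsg_locked(struct sco_sock *sk, void (*window)(struct sco_sock *))
{
    int ret;

    if (window)
        window(sk);                        /* close runs before we take the lock */

    lock_sock_model(sk);
    if (sk->sk_state != BT_CONNECTED || sk->conn == NULL)
        ret = -ENOTCONN;
    else
        ret = hci_send_sco_model(sk->conn);
    release_sock_model(sk);
    return ret;
}

/* Builds a connected socket bound to a dummy controller and connection. */
void sco_sock_init_model(struct sco_sock *sk, struct hci_conn *conn)
{
    sk->lock_held = 0;
    sk->sk_state = BT_CONNECTED;
    sk->conn = conn;
}

int main(void)
{
    struct hci_dev hdev = { "hci0" };          /* constructed sample controller */
    struct hci_conn conn = { &hdev, 257 };     /* constructed sample connection */
    struct sco_sock sk;

    sco_sock_init_model(&sk, &conn);
    printf("racy,   close in window: %d\n", sendmsg_racy(&sk, sco_close_model));
    sco_sock_init_model(&sk, &conn);
    printf("locked, close in window: %d\n", sendmsg_locked(&sk, sco_close_model));
    return 0;
}
```

The racy variant returns the `NULL_DEREF` sentinel when a close is interleaved, which is the point at which the real function would read `conn->hdev` at offset 0x6a8 from a NULL pointer, matching the CR2 value in the oops. The locked variant returns -ENOTCONN instead, because the state and the pointer are re-checked under the same lock hold that protects their use.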
