Bluetooth: hci0: SCO packet for unknown connection handle 257 (Kernel panic)

Hey all,

I hope I've got the right list for this.

I ran into a bizarre problem a couple of days ago, where my laptop kernel panicked after I was in a voice call on Signal Desktop, using my Sony WH-1000XM5 Bluetooth headphones.

I'm using EndeavourOS, my kernel is:
Linux kvasir 6.8.2-arch2-1 #1 SMP PREEMPT_DYNAMIC Thu, 28 Mar 2024 17:06:35 +0000 x86_64 GNU/Linux

My laptop:
Razer Blade 17 (2022) - has Intel AX211 WiFi/Bluetooth.

hci0 details:
[   15.915176] Bluetooth: hci0: Device revision is 0
[   15.915179] Bluetooth: hci0: Secure boot is enabled
[   15.915180] Bluetooth: hci0: OTP lock is enabled
[   15.915181] Bluetooth: hci0: API lock is enabled
[   15.915181] Bluetooth: hci0: Debug lock is disabled
[   15.915182] Bluetooth: hci0: Minimum firmware build 1 week 10 2014
[   15.915183] Bluetooth: hci0: Bootloader timestamp 2019.40 buildtype 1 build 38
[   15.915242] Bluetooth: hci0: DSM reset method type: 0x00
[   15.918180] Bluetooth: hci0: Found device firmware: intel/ibt-0040-0041.sfi
[   15.918197] Bluetooth: hci0: Boot Address: 0x100800
[   15.918199] Bluetooth: hci0: Firmware Version: 60-48.23
[   17.366978] Bluetooth: hci0: Waiting for firmware download to complete
[   17.367360] Bluetooth: hci0: Firmware loaded in 1415209 usecs
[   17.367554] Bluetooth: hci0: Waiting for device to boot
[   17.383254] Bluetooth: hci0: Malformed MSFT vendor event: 0x02
[   17.383319] Bluetooth: hci0: Device booted in 15524 usecs
[   17.383983] Bluetooth: hci0: Found Intel DDC parameters: intel/ibt-0040-0041.ddc
[   17.386302] Bluetooth: hci0: Applying Intel DDC parameters completed
[   17.389362] Bluetooth: hci0: Firmware timestamp 2023.48 buildtype 1 build 75324
[   17.389381] Bluetooth: hci0: Firmware SHA1: 0x23bac558

Signal kept jumping between the hands-free mode of my headphones and the HQ audio mode pretty rapidly, so I switched off my headphones to continue the call on mobile. As soon as I got a message/call in Signal, I presume it tried to play the notification sound through my headphones (which weren't connected anymore), and the kernel panic happened.
It seems like Signal tried to use an old handle to my headphones, and that caused the Bluetooth kernel driver to crash, judging from the timing of the journalctl messages?
It sounds to me like a use-after-free bug, but I don't really know enough about kernel driver development to try and narrow it down.

Here is a snippet of journalctl from the moment it kernel panicked:
Apr 09 16:28:04 kvasir kernel: Bluetooth: hci0: SCO packet for unknown connection handle 257
Apr 09 16:28:04 kvasir kernel: BUG: unable to handle page fault for address: 000000000000e84d
Apr 09 16:28:04 kvasir kernel: #PF: supervisor read access in kernel mode
Apr 09 16:28:04 kvasir kernel: #PF: error_code(0x0000) - not-present page
Apr 09 16:28:04 kvasir kernel: PGD 0 P4D 0
Apr 09 16:28:04 kvasir kernel: Oops: 0000 [#1] PREEMPT SMP NOPTI
Apr 09 16:28:04 kvasir kernel: CPU: 8 PID: 1489 Comm: systemd Tainted: P           OE      6.8.2-arch2-1 #1 a430fb92f7ba43092b62bbe6bac995458d3d442d
Apr 09 16:28:04 kvasir kernel: Hardware name: Razer Blade 17 (2022) - RZ09-0423/DI780, BIOS 1.09 01/10/2023
Apr 09 16:28:04 kvasir kernel: RIP: 0010:rb_first+0xf/0x30
Apr 09 16:28:04 kvasir kernel: Code: 10 c3 cc cc cc cc 0f 1f 44 00 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa 48 8b 07 48 85 c0 74 14 48 89 c2 <48> 8b 40 10 48 85 c0 75 f4 48 89 d0 c3 cc cc cc cc 31 d2 eb f4 66
Apr 09 16:28:04 kvasir kernel: RSP: 0018:ffffa0aec556bd18 EFLAGS: 00010202
Apr 09 16:28:04 kvasir kernel: RAX: 000000000000e83d RBX: ffff930c5911a200 RCX: 0000000001000078
Apr 09 16:28:04 kvasir kernel: RDX: 000000000000e83d RSI: 0000000000000000 RDI: ffff930c6570fdf8
Apr 09 16:28:04 kvasir kernel: RBP: ffff930c5911a700 R08: ffff930c4694cbd0 R09: 0000000001000078
Apr 09 16:28:04 kvasir kernel: R10: 0000000001000078 R11: ffffa0aec556bd18 R12: 0000000000000000
Apr 09 16:28:04 kvasir kernel: R13: ffff930c6570fdf8 R14: 0000000000000002 R15: 0000000000000000
Apr 09 16:28:04 kvasir kernel: FS:  00007f781c810880(0000) GS:ffff9313e2800000(0000) knlGS:0000000000000000
Apr 09 16:28:04 kvasir kernel: CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
Apr 09 16:28:04 kvasir kernel: CR2: 000000000000e84d CR3: 0000000113108000 CR4: 0000000000f50ef0
Apr 09 16:28:04 kvasir kernel: PKRU: 55555554
Apr 09 16:28:04 kvasir kernel: Call Trace:
Apr 09 16:28:04 kvasir kernel:  <TASK>
Apr 09 16:28:04 kvasir kernel:  ? __die+0x23/0x70
Apr 09 16:28:04 kvasir kernel:  ? page_fault_oops+0x171/0x4e0
Apr 09 16:28:04 kvasir kernel:  ? exc_page_fault+0x7f/0x180
Apr 09 16:28:04 kvasir kernel:  ? asm_exc_page_fault+0x26/0x30
Apr 09 16:28:04 kvasir kernel:  ? rb_first+0xf/0x30
Apr 09 16:28:04 kvasir kernel:  simple_xattrs_free+0x29/0x90
Apr 09 16:28:04 kvasir kernel:  kernfs_put.part.0+0x60/0x150
Apr 09 16:28:04 kvasir kernel:  evict+0xd4/0x1e0
Apr 09 16:28:04 kvasir kernel:  __dentry_kill+0x6e/0x170
Apr 09 16:28:04 kvasir kernel:  shrink_dentry_list+0x6b/0xe0
Apr 09 16:28:04 kvasir kernel:  shrink_dcache_parent+0xd2/0x140
Apr 09 16:28:04 kvasir kernel:  vfs_rmdir+0xb0/0x200
Apr 09 16:28:04 kvasir kernel:  do_rmdir+0x1a9/0x1c0
Apr 09 16:28:04 kvasir kernel:  __x64_sys_rmdir+0x42/0x70
Apr 09 16:28:04 kvasir kernel:  do_syscall_64+0x86/0x170
Apr 09 16:28:04 kvasir kernel:  ? do_syscall_64+0x96/0x170
Apr 09 16:28:04 kvasir kernel:  ? syscall_exit_to_user_mode+0x80/0x230
Apr 09 16:28:04 kvasir kernel:  ? do_syscall_64+0x96/0x170
Apr 09 16:28:04 kvasir kernel:  ? do_syscall_64+0x96/0x170
Apr 09 16:28:04 kvasir kernel:  ? do_syscall_64+0x96/0x170
Apr 09 16:28:04 kvasir kernel:  entry_SYSCALL_64_after_hwframe+0x6e/0x76
Apr 09 16:28:04 kvasir kernel: RIP: 0033:0x7f781c31977b
Apr 09 16:28:04 kvasir kernel: Code: f0 ff ff 73 01 c3 48 8b 0d b2 c5 0d 00 f7 d8 64 89 01 48 83 c8 ff c3 0f 1f 84 00 00 00 00 00 f3 0f 1e fa b8 54 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 05 c3 0f 1f 40 00 48 8b 15 81 c5 0d 00 f7 d8
Apr 09 16:28:04 kvasir kernel: RSP: 002b:00007fff45ca3498 EFLAGS: 00000246 ORIG_RAX: 0000000000000054
Apr 09 16:28:04 kvasir kernel: RAX: ffffffffffffffda RBX: 0000619355419610 RCX: 00007f781c31977b
Apr 09 16:28:04 kvasir kernel: RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000619355401a30
Apr 09 16:28:04 kvasir kernel: RBP: 00007fff45ca34f0 R08: 00007f781c4aa90a R09: 0000000000000007
Apr 09 16:28:04 kvasir kernel: R10: 000061935540a7e0 R11: 0000000000000246 R12: 0000000000000001
Apr 09 16:28:04 kvasir kernel: R13: 0000000000000000 R14: 0000619355401a30 R15: 0000000000000000
Apr 09 16:28:04 kvasir kernel:  </TASK>
Apr 09 16:28:04 kvasir kernel: Modules linked in: uinput snd_seq_dummy snd_hrtimer snd_seq snd_seq_device rfcomm snd_ctl_led ledtrig_audio uhid cmac snd_soc_skl_hda_dsp algif_hash snd_soc_hdac_hdmi snd_soc_intel_hda_dsp_common snd_>
Apr 09 16:28:04 kvasir kernel:  nf_tables snd_intel_dspcfg kvm_intel libcrc32c snd_intel_sdw_acpi i915 mac80211 uvcvideo btusb snd_hda_codec videobuf2_vmalloc kvm btrtl uvc videobuf2_memops libarc4 snd_hda_core btintel processor_th>
Apr 09 16:28:04 kvasir kernel:  int3403_thermal int3400_thermal intel_hid pmt_telemetry int340x_thermal_zone acpi_thermal_rel sparse_keymap pmt_class acpi_tad acpi_pad mac_hid fuse loop nfnetlink ip_tables x_tables ext4 crc32c_gene>
Apr 09 16:28:04 kvasir kernel: CR2: 000000000000e84d
Apr 09 16:28:04 kvasir kernel: ---[ end trace 0000000000000000 ]---
Apr 09 16:28:04 kvasir kernel: RIP: 0010:rb_first+0xf/0x30
Apr 09 16:28:04 kvasir kernel: Code: 10 c3 cc cc cc cc 0f 1f 44 00 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa 48 8b 07 48 85 c0 74 14 48 89 c2 <48> 8b 40 10 48 85 c0 75 f4 48 89 d0 c3 cc cc cc cc 31 d2 eb f4 66
Apr 09 16:28:04 kvasir kernel: RSP: 0018:ffffa0aec556bd18 EFLAGS: 00010202
Apr 09 16:28:04 kvasir kernel: RAX: 000000000000e83d RBX: ffff930c5911a200 RCX: 0000000001000078
Apr 09 16:28:04 kvasir kernel: RDX: 000000000000e83d RSI: 0000000000000000 RDI: ffff930c6570fdf8
Apr 09 16:28:04 kvasir kernel: RBP: ffff930c5911a700 R08: ffff930c4694cbd0 R09: 0000000001000078
Apr 09 16:28:04 kvasir kernel: R10: 0000000001000078 R11: ffffa0aec556bd18 R12: 0000000000000000
Apr 09 16:28:04 kvasir kernel: R13: ffff930c6570fdf8 R14: 0000000000000002 R15: 0000000000000000
Apr 09 16:28:04 kvasir kernel: FS:  00007f781c810880(0000) GS:ffff9313e2800000(0000) knlGS:0000000000000000
Apr 09 16:28:04 kvasir kernel: CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
Apr 09 16:28:04 kvasir kernel: CR2: 000000000000e84d CR3: 0000000113108000 CR4: 0000000000f50ef0
Apr 09 16:28:04 kvasir kernel: PKRU: 55555554
Apr 09 16:28:04 kvasir kernel: note: systemd[1489] exited with irqs disabled
Apr 09 16:28:04 kvasir systemd[1]: user@1000.service: Main process exited, code=killed, status=9/KILL
Apr 09 16:28:04 kvasir systemd[1]: user@1000.service: Killing process 2051 (xdg-permission-) with signal SIGKILL.
Apr 09 16:28:04 kvasir (sd-pam)[1491]: pam_unix(systemd-user:session): session closed for user <snip>
Apr 09 16:28:04 kvasir kernel: traps: ThreadPoolSingl[54126] trap int3 ip:60260199ba4a sp:79c68adfe6a0 error:0 in signal-desktop[6025fdd77000+816d000]
Apr 09 16:28:04 kvasir systemd[1]: user@1000.service: Killing process 1508 (dbus-broker-lau) with signal SIGKILL.

Any help would be greatly appreciated.

Let me know if I can provide any more information to help narrow this down; it's a weird bug.

Thanks,
Ryan.
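An added triage helper, not part of Ryan's mail or of the kernel tree: it splits an oops's Call Trace into the frames the unwinder reports as reliable and those it marks with `?`, and checks whether any frame belongs to a subsystem given by name prefix (the Bluetooth prefixes used below are my assumption). The sample input is a constructed, shortened copy of the journalctl lines above.

```python
import re

# Constructed sample: a shortened copy of the oops lines quoted in the mail.
OOPS = """\
Apr 09 16:28:04 kvasir kernel: Bluetooth: hci0: SCO packet for unknown connection handle 257
Apr 09 16:28:04 kvasir kernel: BUG: unable to handle page fault for address: 000000000000e84d
Apr 09 16:28:04 kvasir kernel: RIP: 0010:rb_first+0xf/0x30
Apr 09 16:28:04 kvasir kernel: Call Trace:
Apr 09 16:28:04 kvasir kernel:  <TASK>
Apr 09 16:28:04 kvasir kernel:  ? __die+0x23/0x70
Apr 09 16:28:04 kvasir kernel:  ? rb_first+0xf/0x30
Apr 09 16:28:04 kvasir kernel:  simple_xattrs_free+0x29/0x90
Apr 09 16:28:04 kvasir kernel:  kernfs_put.part.0+0x60/0x150
Apr 09 16:28:04 kvasir kernel:  vfs_rmdir+0xb0/0x200
Apr 09 16:28:04 kvasir kernel:  entry_SYSCALL_64_after_hwframe+0x6e/0x76
Apr 09 16:28:04 kvasir kernel:  </TASK>
"""

# A stack frame line: optional '?' (unwinder is unsure), symbol+offset/size.
FRAME_RE = re.compile(r"kernel:\s+(\?\s+)?([A-Za-z_][\w.]*)\+0x[0-9a-f]+/0x[0-9a-f]+\s*$")
# The kernel-mode RIP line names the function that actually faulted.
RIP_RE = re.compile(r"kernel: RIP: [0-9a-f]{4}:([A-Za-z_][\w.]*)\+0x")

def parse_oops(text):
    """Return the faulting function, the reliable frames (innermost first)
    and the frames the unwinder flagged with '?'."""
    rip, reliable, guessed, in_trace = None, [], [], False
    for line in text.splitlines():
        m = RIP_RE.search(line)
        if m and rip is None:
            rip = m.group(1)
        if "Call Trace:" in line:
            in_trace = True
            continue
        if not in_trace:
            continue
        if "</TASK>" in line:
            break
        m = FRAME_RE.search(line)
        if m:
            (guessed if m.group(1) else reliable).append(m.group(2))
    return {"rip": rip, "reliable": reliable, "guessed": guessed}

# Assumed prefix list for Bluetooth core/driver symbols; adjust for other subsystems.
BT_PREFIXES = ("hci_", "sco_", "bt_", "l2cap_", "btusb", "btintel")

def frames_in_subsystem(frames, prefixes=BT_PREFIXES):
    """Frames whose symbol name starts with one of the given prefixes."""
    return [f for f in frames if f.startswith(prefixes)]
```

Running `parse_oops(OOPS)` separates the reliable rmdir path from the `?` frames, and `frames_in_subsystem` on either list tells you whether any named subsystem appears in the trace at all.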
