| Message ID | 1704960978-5437-1-git-send-email-quic_zijuhu@quicinc.com (mailing list archive) |
|---|---|
| State | New, archived |
| Headers | show |
| Series | [v1] Bluetooth: qca: Fix crash when btattach controller ROME | expand |
| Context | Check | Description |
|---|---|---|
| tedd_an/pre-ci_am | success | Success |
| tedd_an/CheckPatch | success | CheckPatch PASS |
| tedd_an/GitLint | success | Gitlint PASS |
| tedd_an/SubjectPrefix | success | Gitlint PASS |
| tedd_an/BuildKernel | success | BuildKernel PASS |
| tedd_an/CheckAllWarning | success | CheckAllWarning PASS |
| tedd_an/CheckSparse | success | CheckSparse PASS |
| tedd_an/CheckSmatch | success | CheckSparse PASS |
| tedd_an/BuildKernel32 | success | BuildKernel32 PASS |
| tedd_an/TestRunnerSetup | success | TestRunnerSetup PASS |
| tedd_an/TestRunner_l2cap-tester | success | TestRunner PASS |
| tedd_an/TestRunner_iso-tester | success | TestRunner PASS |
| tedd_an/TestRunner_bnep-tester | success | TestRunner PASS |
| tedd_an/TestRunner_mgmt-tester | success | TestRunner PASS |
| tedd_an/TestRunner_rfcomm-tester | success | TestRunner PASS |
| tedd_an/TestRunner_sco-tester | success | TestRunner PASS |
| tedd_an/TestRunner_ioctl-tester | success | TestRunner PASS |
| tedd_an/TestRunner_mesh-tester | success | TestRunner PASS |
| tedd_an/TestRunner_smp-tester | success | TestRunner PASS |
| tedd_an/TestRunner_userchan-tester | success | TestRunner PASS |
| tedd_an/IncrementalBuild | success | Incremental Build PASS |
This is automated email and please do not reply to this email! Dear submitter, Thank you for submitting the patches to the linux bluetooth mailing list. This is a CI test results with your patch series: PW Link:https://patchwork.kernel.org/project/bluetooth/list/?series=815958 ---Test result--- Test Summary: CheckPatch PASS 0.60 seconds GitLint PASS 0.30 seconds SubjectPrefix PASS 0.12 seconds BuildKernel PASS 28.60 seconds CheckAllWarning PASS 30.69 seconds CheckSparse PASS 36.51 seconds CheckSmatch PASS 101.21 seconds BuildKernel32 PASS 27.98 seconds TestRunnerSetup PASS 437.67 seconds TestRunner_l2cap-tester PASS 23.08 seconds TestRunner_iso-tester PASS 44.91 seconds TestRunner_bnep-tester PASS 7.51 seconds TestRunner_mgmt-tester PASS 165.10 seconds TestRunner_rfcomm-tester PASS 11.03 seconds TestRunner_sco-tester PASS 14.68 seconds TestRunner_ioctl-tester PASS 12.23 seconds TestRunner_mesh-tester PASS 8.85 seconds TestRunner_smp-tester PASS 9.85 seconds TestRunner_userchan-tester PASS 7.33 seconds IncrementalBuild PASS 26.42 seconds --- Regards, Linux Bluetooth
Dear Zijun, Thank you for your patch. Am 11.01.24 um 09:16 schrieb Zijun Hu: > A crash will happen when btattach controller ROME, and it is caused by What does “btattach controller ROME” mean? Is ROME a platform? If so, should it be *on ROME* or similar? > dereferring nullptr hu->serdev, fixed by null check before access. dereferring → dereferencing > > sudo btattach -B /dev/ttyUSB0 -P qca > Bluetooth: hci1: QCA setup on UART is completed > BUG: kernel NULL pointer dereference, address: 00000000000002f0 > ...... > Workqueue: hci1 hci_power_on [bluetooth] > RIP: 0010:qca_setup+0x7c1/0xe30 [hci_uart] > ...... > Call Trace: > <TASK> > ? show_regs+0x72/0x90 > ? __die+0x25/0x80 > ? page_fault_oops+0x154/0x4c0 > ? srso_alias_return_thunk+0x5/0xfbef5 > ? kmem_cache_alloc+0x16b/0x310 > ? do_user_addr_fault+0x330/0x6e0 > ? srso_alias_return_thunk+0x5/0xfbef5 > ? exc_page_fault+0x84/0x1b0 > ? asm_exc_page_fault+0x27/0x30 > ? qca_setup+0x7c1/0xe30 [hci_uart] > hci_uart_setup+0x5c/0x1a0 [hci_uart] > hci_dev_open_sync+0xee/0xca0 [bluetooth] > hci_dev_do_open+0x2a/0x70 [bluetooth] > hci_power_on+0x46/0x210 [bluetooth] > process_one_work+0x17b/0x360 > worker_thread+0x307/0x430 > ? __pfx_worker_thread+0x10/0x10 > kthread+0xf7/0x130 > ? __pfx_kthread+0x10/0x10 > ret_from_fork+0x46/0x70 > ? __pfx_kthread+0x10/0x10 > ret_from_fork_asm+0x1b/0x30 > </TASK> > > Fixes: 03b0093f7b31 ("Bluetooth: hci_qca: get wakeup status from serdev device handle") > Cc: <stable@vger.kernel.org> > Signed-off-by: Zijun Hu <quic_zijuhu@quicinc.com> > Tested-by: Zijun Hu <quic_zijuhu@quicinc.com> On what device? > --- > drivers/bluetooth/hci_qca.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/drivers/bluetooth/hci_qca.c b/drivers/bluetooth/hci_qca.c > index 94b8c406f0c0..6fcfc1f7bb12 100644 > --- a/drivers/bluetooth/hci_qca.c > +++ b/drivers/bluetooth/hci_qca.c > @@ -1951,7 +1951,7 @@ static int qca_setup(struct hci_uart *hu) > qca_debugfs_init(hdev); > hu->hdev->hw_error = qca_hw_error; > hu->hdev->cmd_timeout = qca_cmd_timeout; > - if (device_can_wakeup(hu->serdev->ctrl->dev.parent)) > + if (hu->serdev && device_can_wakeup(hu->serdev->ctrl->dev.parent)) > hu->hdev->wakeup = qca_wakeup; Why is `hu->serdev` not set on the device? > } else if (ret == -ENOENT) { > /* No patch/nvm-config found, run with original fw/config */ Kind regards, Paul
On 1/11/2024 5:46 PM, Paul Menzel wrote: > Dear Zijun, > > > Thank you for your patch. > > Am 11.01.24 um 09:16 schrieb Zijun Hu: >> A crash will happen when btattach controller ROME, and it is caused by > > What does “btattach controller ROME” mean? Is ROME a platform? If so, should it be *on ROME* or similar? > ROME is a type of BT controller name, and refer to QCA_ROME of below defination: drivers/bluetooth/btqca.h: enum qca_btsoc_type { QCA_INVALID = -1, QCA_AR3002, QCA_ROME, QCA_WCN3988, QCA_WCN3990, QCA_WCN3998, QCA_WCN3991, QCA_QCA2066, QCA_QCA6390, QCA_WCN6750, QCA_WCN6855, QCA_WCN7850, }; Connect a external ROME module to ubuntu machine by BT UART to USB cable, then run "sudo btattach -B /dev/ttyUSB0 -P qca" within ubuntu. will optimize description. >> dereferring nullptr hu->serdev, fixed by null check before access. > > dereferring → dereferencing > will correct it. >> >> sudo btattach -B /dev/ttyUSB0 -P qca >> Bluetooth: hci1: QCA setup on UART is completed >> BUG: kernel NULL pointer dereference, address: 00000000000002f0 >> ...... >> Workqueue: hci1 hci_power_on [bluetooth] >> RIP: 0010:qca_setup+0x7c1/0xe30 [hci_uart] >> ...... >> Call Trace: >> <TASK> >> ? show_regs+0x72/0x90 >> ? __die+0x25/0x80 >> ? page_fault_oops+0x154/0x4c0 >> ? srso_alias_return_thunk+0x5/0xfbef5 >> ? kmem_cache_alloc+0x16b/0x310 >> ? do_user_addr_fault+0x330/0x6e0 >> ? srso_alias_return_thunk+0x5/0xfbef5 >> ? exc_page_fault+0x84/0x1b0 >> ? asm_exc_page_fault+0x27/0x30 >> ? qca_setup+0x7c1/0xe30 [hci_uart] >> hci_uart_setup+0x5c/0x1a0 [hci_uart] >> hci_dev_open_sync+0xee/0xca0 [bluetooth] >> hci_dev_do_open+0x2a/0x70 [bluetooth] >> hci_power_on+0x46/0x210 [bluetooth] >> process_one_work+0x17b/0x360 >> worker_thread+0x307/0x430 >> ? __pfx_worker_thread+0x10/0x10 >> kthread+0xf7/0x130 >> ? __pfx_kthread+0x10/0x10 >> ret_from_fork+0x46/0x70 >> ? __pfx_kthread+0x10/0x10 >> ret_from_fork_asm+0x1b/0x30 >> </TASK> >> >> Fixes: 03b0093f7b31 ("Bluetooth: hci_qca: get wakeup status from serdev device handle") >> Cc: <stable@vger.kernel.org> >> Signed-off-by: Zijun Hu <quic_zijuhu@quicinc.com> >> Tested-by: Zijun Hu <quic_zijuhu@quicinc.com> > > On what device? > this crash will happens on any generic linux machine, for example, lsb_release -a No LSB modules are available. Distributor ID: Ubuntu Description: Ubuntu 22.04.3 LTS Release: 22.04 Codename: jammy >> --- >> drivers/bluetooth/hci_qca.c | 2 +- >> 1 file changed, 1 insertion(+), 1 deletion(-) >> >> diff --git a/drivers/bluetooth/hci_qca.c b/drivers/bluetooth/hci_qca.c >> index 94b8c406f0c0..6fcfc1f7bb12 100644 >> --- a/drivers/bluetooth/hci_qca.c >> +++ b/drivers/bluetooth/hci_qca.c >> @@ -1951,7 +1951,7 @@ static int qca_setup(struct hci_uart *hu) >> qca_debugfs_init(hdev); >> hu->hdev->hw_error = qca_hw_error; >> hu->hdev->cmd_timeout = qca_cmd_timeout; >> - if (device_can_wakeup(hu->serdev->ctrl->dev.parent)) >> + if (hu->serdev && device_can_wakeup(hu->serdev->ctrl->dev.parent)) >> hu->hdev->wakeup = qca_wakeup; > > Why is `hu->serdev` not set on the device? > actually, hu->serdev ONLY exists for BT controller which is embedded within machine's board, and it will be probed by serdev driver and also don't have available device node for user to btattach. also don't need to btattach. for external BT module, it is tty instead of serdev. so hu->serdev is nullptr. >> } else if (ret == -ENOENT) { >> /* No patch/nvm-config found, run with original fw/config */ > > > Kind regards, > > Paul
On 1/11/2024 5:46 PM, Paul Menzel wrote: > Dear Zijun, > > > Thank you for your patch. > > Am 11.01.24 um 09:16 schrieb Zijun Hu: >> A crash will happen when btattach controller ROME, and it is caused by > > What does “btattach controller ROME” mean? Is ROME a platform? If so, should it be *on ROME* or similar? > it means that use tool btattach to attach BT controller QCA_ROME, ROME is a controller name. namely QCA_ROME as defined below, have optimized description and sent v2 patch. drivers/bluetooth/btqca.h: enum qca_btsoc_type { QCA_INVALID = -1, QCA_AR3002, QCA_ROME, QCA_WCN3988, QCA_WCN3990, QCA_WCN3998, QCA_WCN3991, QCA_QCA2066, QCA_QCA6390, QCA_WCN6750, QCA_WCN6855, QCA_WCN7850, }; >> dereferring nullptr hu->serdev, fixed by null check before access. > > dereferring → dereferencing > >> have corrected as your advise >> sudo btattach -B /dev/ttyUSB0 -P qca >> Bluetooth: hci1: QCA setup on UART is completed >> BUG: kernel NULL pointer dereference, address: 00000000000002f0 >> ...... >> Workqueue: hci1 hci_power_on [bluetooth] >> RIP: 0010:qca_setup+0x7c1/0xe30 [hci_uart] >> ...... >> Call Trace: >> <TASK> >> ? show_regs+0x72/0x90 >> ? __die+0x25/0x80 >> ? page_fault_oops+0x154/0x4c0 >> ? srso_alias_return_thunk+0x5/0xfbef5 >> ? kmem_cache_alloc+0x16b/0x310 >> ? do_user_addr_fault+0x330/0x6e0 >> ? srso_alias_return_thunk+0x5/0xfbef5 >> ? exc_page_fault+0x84/0x1b0 >> ? asm_exc_page_fault+0x27/0x30 >> ? qca_setup+0x7c1/0xe30 [hci_uart] >> hci_uart_setup+0x5c/0x1a0 [hci_uart] >> hci_dev_open_sync+0xee/0xca0 [bluetooth] >> hci_dev_do_open+0x2a/0x70 [bluetooth] >> hci_power_on+0x46/0x210 [bluetooth] >> process_one_work+0x17b/0x360 >> worker_thread+0x307/0x430 >> ? __pfx_worker_thread+0x10/0x10 >> kthread+0xf7/0x130 >> ? __pfx_kthread+0x10/0x10 >> ret_from_fork+0x46/0x70 >> ? __pfx_kthread+0x10/0x10 >> ret_from_fork_asm+0x1b/0x30 >> </TASK> >> >> Fixes: 03b0093f7b31 ("Bluetooth: hci_qca: get wakeup status from serdev device handle") >> Cc: <stable@vger.kernel.org> >> Signed-off-by: Zijun Hu <quic_zijuhu@quicinc.com> >> Tested-by: Zijun Hu <quic_zijuhu@quicinc.com> > > On what device? > it will happens on any machine with linux OS, such as lsb_release -a No LSB modules are available. Distributor ID: Ubuntu Description: Ubuntu 22.04.3 LTS Release: 22.04 Codename: jammy >> --- >> drivers/bluetooth/hci_qca.c | 2 +- >> 1 file changed, 1 insertion(+), 1 deletion(-) >> >> diff --git a/drivers/bluetooth/hci_qca.c b/drivers/bluetooth/hci_qca.c >> index 94b8c406f0c0..6fcfc1f7bb12 100644 >> --- a/drivers/bluetooth/hci_qca.c >> +++ b/drivers/bluetooth/hci_qca.c >> @@ -1951,7 +1951,7 @@ static int qca_setup(struct hci_uart *hu) >> qca_debugfs_init(hdev); >> hu->hdev->hw_error = qca_hw_error; >> hu->hdev->cmd_timeout = qca_cmd_timeout; >> - if (device_can_wakeup(hu->serdev->ctrl->dev.parent)) >> + if (hu->serdev && device_can_wakeup(hu->serdev->ctrl->dev.parent)) >> hu->hdev->wakeup = qca_wakeup; > > Why is `hu->serdev` not set on the device? For ALL QCA BT controller which are attached by tool btattach. hu->serdev is nullptr since it is not probed by serdev driver. and it is a tty device. as you saw, the following code also do nullptr check for hu->serdev, since protocol setup function are used by both Serdev and Non-serdev, thanks if (hu->serdev) { serdev_device_close(hu->serdev); } > >> } else if (ret == -ENOENT) { >> /* No patch/nvm-config found, run with original fw/config */ > > > Kind regards, > > Paul
diff --git a/drivers/bluetooth/hci_qca.c b/drivers/bluetooth/hci_qca.c index 94b8c406f0c0..6fcfc1f7bb12 100644 --- a/drivers/bluetooth/hci_qca.c +++ b/drivers/bluetooth/hci_qca.c @@ -1951,7 +1951,7 @@ static int qca_setup(struct hci_uart *hu) qca_debugfs_init(hdev); hu->hdev->hw_error = qca_hw_error; hu->hdev->cmd_timeout = qca_cmd_timeout; - if (device_can_wakeup(hu->serdev->ctrl->dev.parent)) + if (hu->serdev && device_can_wakeup(hu->serdev->ctrl->dev.parent)) hu->hdev->wakeup = qca_wakeup; } else if (ret == -ENOENT) { /* No patch/nvm-config found, run with original fw/config */
A crash will happen when btattach controller ROME, and it is caused by dereferring nullptr hu->serdev, fixed by null check before access. sudo btattach -B /dev/ttyUSB0 -P qca Bluetooth: hci1: QCA setup on UART is completed BUG: kernel NULL pointer dereference, address: 00000000000002f0 ...... Workqueue: hci1 hci_power_on [bluetooth] RIP: 0010:qca_setup+0x7c1/0xe30 [hci_uart] ...... Call Trace: <TASK> ? show_regs+0x72/0x90 ? __die+0x25/0x80 ? page_fault_oops+0x154/0x4c0 ? srso_alias_return_thunk+0x5/0xfbef5 ? kmem_cache_alloc+0x16b/0x310 ? do_user_addr_fault+0x330/0x6e0 ? srso_alias_return_thunk+0x5/0xfbef5 ? exc_page_fault+0x84/0x1b0 ? asm_exc_page_fault+0x27/0x30 ? qca_setup+0x7c1/0xe30 [hci_uart] hci_uart_setup+0x5c/0x1a0 [hci_uart] hci_dev_open_sync+0xee/0xca0 [bluetooth] hci_dev_do_open+0x2a/0x70 [bluetooth] hci_power_on+0x46/0x210 [bluetooth] process_one_work+0x17b/0x360 worker_thread+0x307/0x430 ? __pfx_worker_thread+0x10/0x10 kthread+0xf7/0x130 ? __pfx_kthread+0x10/0x10 ret_from_fork+0x46/0x70 ? __pfx_kthread+0x10/0x10 ret_from_fork_asm+0x1b/0x30 </TASK> Fixes: 03b0093f7b31 ("Bluetooth: hci_qca: get wakeup status from serdev device handle") Cc: <stable@vger.kernel.org> Signed-off-by: Zijun Hu <quic_zijuhu@quicinc.com> Tested-by: Zijun Hu <quic_zijuhu@quicinc.com> --- drivers/bluetooth/hci_qca.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)