From: Ahmad Fatoum
Subject: Re: [BUG] BLE device unpairing triggers kernel panic
To: Luiz Augusto von Dentz
Cc: linux-bluetooth@vger.kernel.org, Marcel Holtmann, Pengutronix Kernel Team, regressions@lists.linux.dev
Date: Mon, 16 May 2022 18:37:58 +0200
Message-ID: <8d5c4724-d511-39b1-21d7-116c91cada45@pengutronix.de>
X-Mailing-List: linux-bluetooth@vger.kernel.org

Hello Luiz,

On 14.05.22 01:52, Luiz Augusto von Dentz wrote:
> On Fri, May 13, 2022 at 1:14 PM Luiz Augusto von Dentz
> wrote:

Thanks for the quick reply.

>> Hi Ahmad,
>>
>> On Fri, May 13, 2022 at 7:10 AM Ahmad Fatoum wrote:
>>>
>>> Hello,
>>>
>>> On Linux v5.18-rc5, I can reliably crash the kernel on the second (un)pairing
>>> with a customer's BLE device. I have bisected the issue and found two commits:
>>>
>>> - Commit 6cd29ec6ae5e ("Bluetooth: hci_sync: Wait for proper events when
>>> connecting LE") causes previously working pairing to time out, presumably
>>> because it keeps waiting for the wrong event.
>>
>> Can you describe in more detail what the second pairing is? Are you
>> pairing 2 devices concurrently? I recall someone from nxp having a
>> similar problem; at least the traces look pretty similar. The problem
>> seems to be that the expected event doesn't match the event the controller
>> sends, in this case hci_le_enh_conn_complete_evt, so hci_event processes
>> it and frees the hci_conn instead of first running the callback.

It's the same device. I set the host to pairable, then have the device pair
with the host. Then I unpair on the device and redo the same operation again.
The first one works. The second one fails, triggering the crash.

> Looks like my memory failed me on this one: the sync callback is run
> last, so we shouldn't clean up the hci_conn at that point. Perhaps
> something like the following should fix the crash:
>
> diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c
> index 0270e597c285..c1634af670b8 100644
> --- a/net/bluetooth/hci_event.c
> +++ b/net/bluetooth/hci_event.c
> @@ -5632,10 +5632,8 @@ static void le_conn_complete_evt(struct hci_dev
> *hdev, u8 status,
> status = HCI_ERROR_INVALID_PARAMETERS;
> }
>
> - if (status) {
> - hci_conn_failed(conn, status);
> + if (status)
> goto unlock;
> - }

Yes, this fixes the crash for me. Can you send a patch to that effect?
Feel free to add:

Tested-by: Ahmad Fatoum

> if (conn->dst_type == ADDR_LE_DEV_PUBLIC)
> addr_type = BDADDR_LE_PUBLIC;
>
>>> - Commit a56a1138cbd8 ("Bluetooth: hci_sync: Fix not using conn_timeout")
>>> fixes, despite the title, what event is waited on. The first pairing works now,
>>> but the second pairing times out and crashes the kernel:
>>>
>>> [ 84.191684] Bluetooth: hci0: Opcode 0x200d failed: -110
>>> [ 84.230478] Bluetooth: hci0: request failed to create LE connection: err -110
>>> [ 84.237690] Unable to handle kernel read from unreadable memory at virtual address 0000000000000ca8
>
> That said, the error -110 means -ETIMEDOUT.

Yes, this issue still remains. I feel better about my revert knowing that the
crash is fixed, but I'd like this regression fixed upstream as well. I'll try
to collect some more information and report back.

Cheers,
Ahmad

-- 
Pengutronix e.K.                           |                             |
Steuerwalder Str. 21                       | http://www.pengutronix.de/  |
31137 Hildesheim, Germany                  | Phone: +49-5121-206917-0    |
Amtsgericht Hildesheim, HRA 2686           | Fax:   +49-5121-206917-5555 |
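Review bot: Dropping hci_conn_failed(conn, status) from the status path means le_conn_complete_evt() now only jumps to unlock on a failed or rejected event (including the HCI_ERROR_INVALID_PARAMETERS case visible in the hunk context), so nothing in this function marks the conn as failed or releases it any more. The cover text's justification is that the hci_sync completion callback runs last and does that teardown, but the hunk itself does not show where that happens, so the commit message should say explicitly that failure handling for this event now lives in the sync callback and should confirm that an LE connection completing with an error while no hci_sync request is waiting still gets torn down rather than staying in the connecting state. Also, the mailer has wrapped the hunk header (`*hdev, u8 status,` landed on its own line) and the indentation is lost, so this quoted diff will not apply as-is; it needs to go out as a proper patch.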
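The two failure modes discussed in this thread, the -110 timeout from waiting on one LE event while the controller sends another, and the crash when the event handler frees the hci_conn before the hci_sync callback runs, as an added C model. This is constructed example code, not kernel code and not from the thread: struct conn, struct sync_req, conn_failed(), le_conn_complete_evt() and hci_sync_connect() are simplified stand-ins for the kernel's structures and functions, the subevent codes are the LE Meta Event codes from the Core spec, HCI_ERROR_INVALID_PARAMETERS is the value from the kernel's hci.h, and a `freed` flag stands in for kfree() so the use-after-free can be observed instead of faulting. The cleanup_in_handler flag switches between the behaviour before and after the quoted diff.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>

/* LE Meta Event subevent codes (Bluetooth Core spec) and the HCI error
 * status that appears in the hunk context. */
#define HCI_EV_LE_CONN_COMPLETE       0x01
#define HCI_EV_LE_ENH_CONN_COMPLETE   0x0a
#define HCI_ERROR_INVALID_PARAMETERS  0x12

enum conn_state { CONN_CONNECTING, CONN_CONNECTED, CONN_FAILED };

/* Hypothetical stand-in for struct hci_conn; not the kernel's layout. */
struct conn {
    int refcnt;
    enum conn_state state;
    bool freed;   /* refcnt hit 0; stands in for kfree() so a use-after-free
                   * shows up as a flag instead of an oops */
};

/* One pending hci_sync request waiting for one specific event. In this
 * model (assumption) it holds a raw pointer to the conn, not a reference. */
struct sync_req {
    unsigned char expected_event;
    bool completed;
};

static void conn_put(struct conn *c)
{
    if (!c->freed && --c->refcnt == 0)
        c->freed = true;
}

/* Model of hci_conn_failed(): tear down a connection that never came up.
 * Touching an already released conn is the modelled kernel crash
 * ("kernel read from unreadable memory"); report -EFAULT instead. */
static int conn_failed(struct conn *c)
{
    if (c->freed)
        return -EFAULT;
    c->state = CONN_FAILED;
    conn_put(c);
    return 0;
}

/* Model of le_conn_complete_evt(). 'status' is the controller's status
 * byte or HCI_ERROR_INVALID_PARAMETERS from the handler's own validation.
 * cleanup_in_handler=true: behaviour before the quoted diff (hci_conn_failed
 * called from the handler); false: behaviour after it. */
static void le_conn_complete_evt(struct conn *c, struct sync_req *req,
                                 unsigned char event, unsigned char status,
                                 bool cleanup_in_handler)
{
    if (event == req->expected_event)
        req->completed = true;        /* wakes the hci_sync waiter */
    if (status) {
        if (cleanup_in_handler)
            conn_failed(c);           /* frees c while the waiter still has it */
        return;
    }
    c->state = CONN_CONNECTED;
}

/* Whole flow: request issued, controller answers with one event, then the
 * hci_sync completion callback runs last and handles any failure.
 * Returns 0, -ETIMEDOUT (-110 on Linux), -EIO, or -EFAULT (modelled crash). */
static int hci_sync_connect(struct conn *c, unsigned char expected,
                            unsigned char actual, unsigned char status,
                            bool cleanup_in_handler)
{
    struct sync_req req = { .expected_event = expected, .completed = false };
    int err;

    c->refcnt = 1;                    /* held by the connection list */
    c->state = CONN_CONNECTING;
    c->freed = false;

    le_conn_complete_evt(c, &req, actual, status, cleanup_in_handler);

    if (!req.completed)
        err = -ETIMEDOUT;             /* waited for an event that never came */
    else
        err = status ? -EIO : 0;      /* status-to-errno mapping simplified */

    if (err) {                        /* sync callback: always runs last */
        int ret = conn_failed(c);
        if (ret)
            return ret;
    }
    return err;
}

/* Scenario helpers on a shared conn so the outcome can be inspected. */
static struct conn g_conn;

static int scenario(unsigned char expected, unsigned char actual,
                    unsigned char status, bool cleanup_in_handler)
{
    return hci_sync_connect(&g_conn, expected, actual, status, cleanup_in_handler);
}
static bool scenario_conn_freed(void) { return g_conn.freed; }
static enum conn_state scenario_conn_state(void) { return g_conn.state; }

int main(void)
{
    printf("match, ok:           %d\n", scenario(HCI_EV_LE_CONN_COMPLETE, HCI_EV_LE_CONN_COMPLETE, 0, true));
    printf("mismatch, pre-fix:   %d\n", scenario(HCI_EV_LE_CONN_COMPLETE, HCI_EV_LE_ENH_CONN_COMPLETE, HCI_ERROR_INVALID_PARAMETERS, true));
    printf("mismatch, post-fix:  %d\n", scenario(HCI_EV_LE_CONN_COMPLETE, HCI_EV_LE_ENH_CONN_COMPLETE, HCI_ERROR_INVALID_PARAMETERS, false));
    return 0;
}
```

With the waiter expecting LE_CONN_COMPLETE and the controller delivering LE_ENH_CONN_COMPLETE, the model returns -ETIMEDOUT both before and after the change, which matches Ahmad's observation that the timeout remains; what the change removes is the second teardown of a conn the handler already released, which is the -EFAULT case here and the oops in the real log.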