Date: Thu, 11 Jan 2024 10:46:34 +0100
X-Mailing-List: linux-bluetooth@vger.kernel.org
User-Agent: Mozilla Thunderbird
Subject: Re: [PATCH v1] Bluetooth: qca: Fix crash when btattach controller ROME
To: Zijun Hu
Cc: luiz.dentz@gmail.com, marcel@holtmann.org, jiangzp@google.com, linux-bluetooth@vger.kernel.org, stable@vger.kernel.org
References: <1704960978-5437-1-git-send-email-quic_zijuhu@quicinc.com>
From: Paul Menzel
In-Reply-To: <1704960978-5437-1-git-send-email-quic_zijuhu@quicinc.com>

Dear Zijun,

Thank you for your patch.

On 11.01.24 at 09:16, Zijun Hu wrote:
> A crash will happen when btattach controller ROME, and it is caused by

What does “btattach controller ROME” mean? Is ROME a platform? If so, should it be *on ROME* or similar?

> dereferring nullptr hu->serdev, fixed by null check before access.

dereferring → dereferencing

>
> sudo btattach -B /dev/ttyUSB0 -P qca
> Bluetooth: hci1: QCA setup on UART is completed
> BUG: kernel NULL pointer dereference, address: 00000000000002f0
> ......
> Workqueue: hci1 hci_power_on [bluetooth]
> RIP: 0010:qca_setup+0x7c1/0xe30 [hci_uart]
> ......
> Call Trace:
>
> ? show_regs+0x72/0x90
> ? __die+0x25/0x80
> ? page_fault_oops+0x154/0x4c0
> ? srso_alias_return_thunk+0x5/0xfbef5
> ? kmem_cache_alloc+0x16b/0x310
> ? do_user_addr_fault+0x330/0x6e0
> ? srso_alias_return_thunk+0x5/0xfbef5
> ? exc_page_fault+0x84/0x1b0
> ? asm_exc_page_fault+0x27/0x30
> ? qca_setup+0x7c1/0xe30 [hci_uart]
> hci_uart_setup+0x5c/0x1a0 [hci_uart]
> hci_dev_open_sync+0xee/0xca0 [bluetooth]
> hci_dev_do_open+0x2a/0x70 [bluetooth]
> hci_power_on+0x46/0x210 [bluetooth]
> process_one_work+0x17b/0x360
> worker_thread+0x307/0x430
> ? __pfx_worker_thread+0x10/0x10
> kthread+0xf7/0x130
> ? __pfx_kthread+0x10/0x10
> ret_from_fork+0x46/0x70
> ? __pfx_kthread+0x10/0x10
> ret_from_fork_asm+0x1b/0x30
>
>
> Fixes: 03b0093f7b31 ("Bluetooth: hci_qca: get wakeup status from serdev device handle")
> Cc:
> Signed-off-by: Zijun Hu
> Tested-by: Zijun Hu

On what device?

> ---
> drivers/bluetooth/hci_qca.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/drivers/bluetooth/hci_qca.c b/drivers/bluetooth/hci_qca.c
> index 94b8c406f0c0..6fcfc1f7bb12 100644
> --- a/drivers/bluetooth/hci_qca.c
> +++ b/drivers/bluetooth/hci_qca.c
> @@ -1951,7 +1951,7 @@ static int qca_setup(struct hci_uart *hu) > qca_debugfs_init(hdev); > hu->hdev->hw_error = qca_hw_error; > hu->hdev->cmd_timeout = qca_cmd_timeout; > - if (device_can_wakeup(hu->serdev->ctrl->dev.parent)) > + if (hu->serdev && device_can_wakeup(hu->serdev->ctrl->dev.parent)) > hu->hdev->wakeup = qca_wakeup; Why is `hu->serdev` not set on the device? > } else if (ret == -ENOENT) { > /* No patch/nvm-config found, run with original fw/config */ Kind regards, Paul
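Review bot: the added guard `if (hu->serdev && device_can_wakeup(hu->serdev->ctrl->dev.parent))` protects only this one dereference, and the commit message does not say why `hu->serdev` is NULL in the first place; it should state that a controller attached with btattach comes in through the HCI line discipline and therefore has no serdev device, so reviewers can check whether any other `hu->serdev` access reachable from qca_setup() in that path needs the same check rather than another NULL-pointer oops later. It would also help to note in the message that leaving `hu->hdev->wakeup` unset for line-discipline controllers is the intended behaviour (no wakeup source exists) and not a silent loss of functionality.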