2024-01-11 08:16:44

by Zijun Hu

Subject: [PATCH v1] Bluetooth: qca: Fix crash when btattach controller ROME

A crash will happen when btattach controller ROME, and it is caused by
dereferring nullptr hu->serdev, fixed by null check before access.

sudo btattach -B /dev/ttyUSB0 -P qca
Bluetooth: hci1: QCA setup on UART is completed
BUG: kernel NULL pointer dereference, address: 00000000000002f0
......
Workqueue: hci1 hci_power_on [bluetooth]
RIP: 0010:qca_setup+0x7c1/0xe30 [hci_uart]
......
Call Trace:
<TASK>
? show_regs+0x72/0x90
? __die+0x25/0x80
? page_fault_oops+0x154/0x4c0
? srso_alias_return_thunk+0x5/0xfbef5
? kmem_cache_alloc+0x16b/0x310
? do_user_addr_fault+0x330/0x6e0
? srso_alias_return_thunk+0x5/0xfbef5
? exc_page_fault+0x84/0x1b0
? asm_exc_page_fault+0x27/0x30
? qca_setup+0x7c1/0xe30 [hci_uart]
hci_uart_setup+0x5c/0x1a0 [hci_uart]
hci_dev_open_sync+0xee/0xca0 [bluetooth]
hci_dev_do_open+0x2a/0x70 [bluetooth]
hci_power_on+0x46/0x210 [bluetooth]
process_one_work+0x17b/0x360
worker_thread+0x307/0x430
? __pfx_worker_thread+0x10/0x10
kthread+0xf7/0x130
? __pfx_kthread+0x10/0x10
ret_from_fork+0x46/0x70
? __pfx_kthread+0x10/0x10
ret_from_fork_asm+0x1b/0x30
</TASK>

Fixes: 03b0093f7b31 ("Bluetooth: hci_qca: get wakeup status from serdev device handle")
Cc: <[email protected]>
Signed-off-by: Zijun Hu <[email protected]>
Tested-by: Zijun Hu <[email protected]>
---
drivers/bluetooth/hci_qca.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/bluetooth/hci_qca.c b/drivers/bluetooth/hci_qca.c
index 94b8c406f0c0..6fcfc1f7bb12 100644
--- a/drivers/bluetooth/hci_qca.c
+++ b/drivers/bluetooth/hci_qca.c
@@ -1951,7 +1951,7 @@ static int qca_setup(struct hci_uart *hu)
qca_debugfs_init(hdev);
hu->hdev->hw_error = qca_hw_error;
hu->hdev->cmd_timeout = qca_cmd_timeout;
- if (device_can_wakeup(hu->serdev->ctrl->dev.parent))
+ if (hu->serdev && device_can_wakeup(hu->serdev->ctrl->dev.parent))
hu->hdev->wakeup = qca_wakeup;
} else if (ret == -ENOENT) {
/* No patch/nvm-config found, run with original fw/config */
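Review bot: the guard is correct for the btattach path, but the hunk leaves no hint of why hu->serdev can be NULL here; a reader of qca_setup() only learns from the thread that a controller attached with btattach is a tty line discipline and is never probed by the serdev driver, so hu->serdev is populated only on the serdev path. Suggest a one-line comment above the check, e.g. `/* hu->serdev is NULL when the controller is attached via btattach (tty) */`, plus the same explanation in the commit message, so that the wakeup hook being skipped on the tty path is documented as intended rather than looking like a half-fix. Also worth confirming that no other unguarded hu->serdev use from 03b0093f7b31 remains in this function, since a stable backport would want all of them in one patch.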
--
2.7.4



2024-01-11 09:03:35

by bluez.test.bot

Subject: RE: [v1] Bluetooth: qca: Fix crash when btattach controller ROME

This is an automated email; please do not reply to it!

Dear submitter,

Thank you for submitting the patches to the Linux Bluetooth mailing list.
These are the CI test results for your patch series:
PW Link: https://patchwork.kernel.org/project/bluetooth/list/?series=815958

---Test result---

Test Summary:
CheckPatch PASS 0.60 seconds
GitLint PASS 0.30 seconds
SubjectPrefix PASS 0.12 seconds
BuildKernel PASS 28.60 seconds
CheckAllWarning PASS 30.69 seconds
CheckSparse PASS 36.51 seconds
CheckSmatch PASS 101.21 seconds
BuildKernel32 PASS 27.98 seconds
TestRunnerSetup PASS 437.67 seconds
TestRunner_l2cap-tester PASS 23.08 seconds
TestRunner_iso-tester PASS 44.91 seconds
TestRunner_bnep-tester PASS 7.51 seconds
TestRunner_mgmt-tester PASS 165.10 seconds
TestRunner_rfcomm-tester PASS 11.03 seconds
TestRunner_sco-tester PASS 14.68 seconds
TestRunner_ioctl-tester PASS 12.23 seconds
TestRunner_mesh-tester PASS 8.85 seconds
TestRunner_smp-tester PASS 9.85 seconds
TestRunner_userchan-tester PASS 7.33 seconds
IncrementalBuild PASS 26.42 seconds



---
Regards,
Linux Bluetooth

2024-01-11 09:47:39

by Paul Menzel

Subject: Re: [PATCH v1] Bluetooth: qca: Fix crash when btattach controller ROME

Dear Zijun,


Thank you for your patch.

Am 11.01.24 um 09:16 schrieb Zijun Hu:
> A crash will happen when btattach controller ROME, and it is caused by

What does “btattach controller ROME” mean? Is ROME a platform? If so,
should it be *on ROME* or similar?

> dereferring nullptr hu->serdev, fixed by null check before access.

dereferring → dereferencing

>
> sudo btattach -B /dev/ttyUSB0 -P qca
> Bluetooth: hci1: QCA setup on UART is completed
> BUG: kernel NULL pointer dereference, address: 00000000000002f0
> ......
> Workqueue: hci1 hci_power_on [bluetooth]
> RIP: 0010:qca_setup+0x7c1/0xe30 [hci_uart]
> ......
> Call Trace:
> <TASK>
> ? show_regs+0x72/0x90
> ? __die+0x25/0x80
> ? page_fault_oops+0x154/0x4c0
> ? srso_alias_return_thunk+0x5/0xfbef5
> ? kmem_cache_alloc+0x16b/0x310
> ? do_user_addr_fault+0x330/0x6e0
> ? srso_alias_return_thunk+0x5/0xfbef5
> ? exc_page_fault+0x84/0x1b0
> ? asm_exc_page_fault+0x27/0x30
> ? qca_setup+0x7c1/0xe30 [hci_uart]
> hci_uart_setup+0x5c/0x1a0 [hci_uart]
> hci_dev_open_sync+0xee/0xca0 [bluetooth]
> hci_dev_do_open+0x2a/0x70 [bluetooth]
> hci_power_on+0x46/0x210 [bluetooth]
> process_one_work+0x17b/0x360
> worker_thread+0x307/0x430
> ? __pfx_worker_thread+0x10/0x10
> kthread+0xf7/0x130
> ? __pfx_kthread+0x10/0x10
> ret_from_fork+0x46/0x70
> ? __pfx_kthread+0x10/0x10
> ret_from_fork_asm+0x1b/0x30
> </TASK>
>
> Fixes: 03b0093f7b31 ("Bluetooth: hci_qca: get wakeup status from serdev device handle")
> Cc: <[email protected]>
> Signed-off-by: Zijun Hu <[email protected]>
> Tested-by: Zijun Hu <[email protected]>

On what device?

> ---
> drivers/bluetooth/hci_qca.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/drivers/bluetooth/hci_qca.c b/drivers/bluetooth/hci_qca.c
> index 94b8c406f0c0..6fcfc1f7bb12 100644
> --- a/drivers/bluetooth/hci_qca.c
> +++ b/drivers/bluetooth/hci_qca.c
> @@ -1951,7 +1951,7 @@ static int qca_setup(struct hci_uart *hu)
> qca_debugfs_init(hdev);
> hu->hdev->hw_error = qca_hw_error;
> hu->hdev->cmd_timeout = qca_cmd_timeout;
> - if (device_can_wakeup(hu->serdev->ctrl->dev.parent))
> + if (hu->serdev && device_can_wakeup(hu->serdev->ctrl->dev.parent))
> hu->hdev->wakeup = qca_wakeup;

Why is `hu->serdev` not set on the device?

> } else if (ret == -ENOENT) {
> /* No patch/nvm-config found, run with original fw/config */


Kind regards,

Paul

2024-01-11 10:14:55

by Zijun Hu

Subject: Re: [PATCH v1] Bluetooth: qca: Fix crash when btattach controller ROME

On 1/11/2024 5:46 PM, Paul Menzel wrote:
> Dear Zijun,
>
>
> Thank you for your patch.
>
> Am 11.01.24 um 09:16 schrieb Zijun Hu:
>> A crash will happen when btattach controller ROME, and it is caused by
>
> What does “btattach controller ROME” mean? Is ROME a platform? If so, should it be *on ROME* or similar?
>
ROME is a BT controller name; refer to QCA_ROME in the definition below:
drivers/bluetooth/btqca.h:
enum qca_btsoc_type {
QCA_INVALID = -1,
QCA_AR3002,
QCA_ROME,
QCA_WCN3988,
QCA_WCN3990,
QCA_WCN3998,
QCA_WCN3991,
QCA_QCA2066,
QCA_QCA6390,
QCA_WCN6750,
QCA_WCN6855,
QCA_WCN7850,
};

Connect an external ROME module to an Ubuntu machine with a BT UART-to-USB cable, then run
"sudo btattach -B /dev/ttyUSB0 -P qca" on Ubuntu.

I will improve the description.

>> dereferring nullptr hu->serdev, fixed by null check before access.
>
> dereferring → dereferencing
>
I will correct it.
>>
>> sudo btattach -B /dev/ttyUSB0 -P qca
>> Bluetooth: hci1: QCA setup on UART is completed
>> BUG: kernel NULL pointer dereference, address: 00000000000002f0
>> ......
>> Workqueue: hci1 hci_power_on [bluetooth]
>> RIP: 0010:qca_setup+0x7c1/0xe30 [hci_uart]
>> ......
>> Call Trace:
>>   <TASK>
>>   ? show_regs+0x72/0x90
>>   ? __die+0x25/0x80
>>   ? page_fault_oops+0x154/0x4c0
>>   ? srso_alias_return_thunk+0x5/0xfbef5
>>   ? kmem_cache_alloc+0x16b/0x310
>>   ? do_user_addr_fault+0x330/0x6e0
>>   ? srso_alias_return_thunk+0x5/0xfbef5
>>   ? exc_page_fault+0x84/0x1b0
>>   ? asm_exc_page_fault+0x27/0x30
>>   ? qca_setup+0x7c1/0xe30 [hci_uart]
>>   hci_uart_setup+0x5c/0x1a0 [hci_uart]
>>   hci_dev_open_sync+0xee/0xca0 [bluetooth]
>>   hci_dev_do_open+0x2a/0x70 [bluetooth]
>>   hci_power_on+0x46/0x210 [bluetooth]
>>   process_one_work+0x17b/0x360
>>   worker_thread+0x307/0x430
>>   ? __pfx_worker_thread+0x10/0x10
>>   kthread+0xf7/0x130
>>   ? __pfx_kthread+0x10/0x10
>>   ret_from_fork+0x46/0x70
>>   ? __pfx_kthread+0x10/0x10
>>   ret_from_fork_asm+0x1b/0x30
>>   </TASK>
>>
>> Fixes: 03b0093f7b31 ("Bluetooth: hci_qca: get wakeup status from serdev device handle")
>> Cc: <[email protected]>
>> Signed-off-by: Zijun Hu <[email protected]>
>> Tested-by: Zijun Hu <[email protected]>
>
> On what device?
>
This crash will happen on any generic Linux machine, for example:

lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 22.04.3 LTS
Release: 22.04
Codename: jammy

>> ---
>>   drivers/bluetooth/hci_qca.c | 2 +-
>>   1 file changed, 1 insertion(+), 1 deletion(-)
>>
>> diff --git a/drivers/bluetooth/hci_qca.c b/drivers/bluetooth/hci_qca.c
>> index 94b8c406f0c0..6fcfc1f7bb12 100644
>> --- a/drivers/bluetooth/hci_qca.c
>> +++ b/drivers/bluetooth/hci_qca.c
>> @@ -1951,7 +1951,7 @@ static int qca_setup(struct hci_uart *hu)
>>           qca_debugfs_init(hdev);
>>           hu->hdev->hw_error = qca_hw_error;
>>           hu->hdev->cmd_timeout = qca_cmd_timeout;
>> -        if (device_can_wakeup(hu->serdev->ctrl->dev.parent))
>> +        if (hu->serdev && device_can_wakeup(hu->serdev->ctrl->dev.parent))
>>               hu->hdev->wakeup = qca_wakeup;
>
> Why is `hu->serdev` not set on the device?
>
Actually, hu->serdev ONLY exists for a BT controller which is embedded on the machine's board;
it is probed by the serdev driver, has no device node available for the user to btattach,
and also does not need btattach.

For an external BT module, it is a tty instead of serdev, so hu->serdev is nullptr.


>>       } else if (ret == -ENOENT) {
>>           /* No patch/nvm-config found, run with original fw/config */
>
>
> Kind regards,
>
> Paul


2024-01-11 10:53:37

by Zijun Hu

Subject: [PATCH v2] Bluetooth: qca: Fix crash when btattach BT controller QCA_ROME

A crash will happen when using the tool btattach to attach a BT controller
QCA_ROME; it is caused by dereferencing nullptr hu->serdev and is fixed
by a null check before access.

sudo btattach -B /dev/ttyUSB0 -P qca
Bluetooth: hci1: QCA setup on UART is completed
BUG: kernel NULL pointer dereference, address: 00000000000002f0
......
Workqueue: hci1 hci_power_on [bluetooth]
RIP: 0010:qca_setup+0x7c1/0xe30 [hci_uart]
......
Call Trace:
<TASK>
? show_regs+0x72/0x90
? __die+0x25/0x80
? page_fault_oops+0x154/0x4c0
? srso_alias_return_thunk+0x5/0xfbef5
? kmem_cache_alloc+0x16b/0x310
? do_user_addr_fault+0x330/0x6e0
? srso_alias_return_thunk+0x5/0xfbef5
? exc_page_fault+0x84/0x1b0
? asm_exc_page_fault+0x27/0x30
? qca_setup+0x7c1/0xe30 [hci_uart]
hci_uart_setup+0x5c/0x1a0 [hci_uart]
hci_dev_open_sync+0xee/0xca0 [bluetooth]
hci_dev_do_open+0x2a/0x70 [bluetooth]
hci_power_on+0x46/0x210 [bluetooth]
process_one_work+0x17b/0x360
worker_thread+0x307/0x430
? __pfx_worker_thread+0x10/0x10
kthread+0xf7/0x130
? __pfx_kthread+0x10/0x10
ret_from_fork+0x46/0x70
? __pfx_kthread+0x10/0x10
ret_from_fork_asm+0x1b/0x30
</TASK>

Fixes: 03b0093f7b31 ("Bluetooth: hci_qca: get wakeup status from serdev device handle")
Cc: <[email protected]>
Signed-off-by: Zijun Hu <[email protected]>
Tested-by: Zijun Hu <[email protected]>
---
Changes since v1:
- Correct title and commit message based on Paul's suggestions

drivers/bluetooth/hci_qca.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/bluetooth/hci_qca.c b/drivers/bluetooth/hci_qca.c
index 94b8c406f0c0..6fcfc1f7bb12 100644
--- a/drivers/bluetooth/hci_qca.c
+++ b/drivers/bluetooth/hci_qca.c
@@ -1951,7 +1951,7 @@ static int qca_setup(struct hci_uart *hu)
qca_debugfs_init(hdev);
hu->hdev->hw_error = qca_hw_error;
hu->hdev->cmd_timeout = qca_cmd_timeout;
- if (device_can_wakeup(hu->serdev->ctrl->dev.parent))
+ if (hu->serdev && device_can_wakeup(hu->serdev->ctrl->dev.parent))
hu->hdev->wakeup = qca_wakeup;
} else if (ret == -ENOENT) {
/* No patch/nvm-config found, run with original fw/config */
--
2.7.4


2024-01-11 11:33:31

by bluez.test.bot

Subject: RE: [v2] Bluetooth: qca: Fix crash when btattach BT controller QCA_ROME

This is an automated email; please do not reply to it!

Dear submitter,

Thank you for submitting the patches to the Linux Bluetooth mailing list.
These are the CI test results for your patch series:
PW Link: https://patchwork.kernel.org/project/bluetooth/list/?series=816109

---Test result---

Test Summary:
CheckPatch PASS 0.63 seconds
GitLint PASS 0.32 seconds
SubjectPrefix PASS 0.12 seconds
BuildKernel PASS 28.32 seconds
CheckAllWarning PASS 31.56 seconds
CheckSparse PASS 37.70 seconds
CheckSmatch PASS 101.51 seconds
BuildKernel32 PASS 27.64 seconds
TestRunnerSetup PASS 443.35 seconds
TestRunner_l2cap-tester PASS 23.28 seconds
TestRunner_iso-tester PASS 43.29 seconds
TestRunner_bnep-tester PASS 7.00 seconds
TestRunner_mgmt-tester PASS 170.47 seconds
TestRunner_rfcomm-tester PASS 11.76 seconds
TestRunner_sco-tester PASS 14.61 seconds
TestRunner_ioctl-tester PASS 12.39 seconds
TestRunner_mesh-tester PASS 9.02 seconds
TestRunner_smp-tester PASS 9.86 seconds
TestRunner_userchan-tester PASS 7.31 seconds
IncrementalBuild PASS 26.99 seconds



---
Regards,
Linux Bluetooth

2024-01-12 05:15:14

by Zijun Hu

Subject: Re: [PATCH v1] Bluetooth: qca: Fix crash when btattach controller ROME

On 1/11/2024 5:46 PM, Paul Menzel wrote:
> Dear Zijun,
>
>
> Thank you for your patch.
>
> Am 11.01.24 um 09:16 schrieb Zijun Hu:
>> A crash will happen when btattach controller ROME, and it is caused by
>
> What does “btattach controller ROME” mean? Is ROME a platform? If so, should it be *on ROME* or similar?
>
It means using the tool btattach to attach the BT controller QCA_ROME; ROME is a controller name, namely QCA_ROME
as defined below. I have improved the description and sent a v2 patch.
drivers/bluetooth/btqca.h:
enum qca_btsoc_type {
QCA_INVALID = -1,
QCA_AR3002,
QCA_ROME,
QCA_WCN3988,
QCA_WCN3990,
QCA_WCN3998,
QCA_WCN3991,
QCA_QCA2066,
QCA_QCA6390,
QCA_WCN6750,
QCA_WCN6855,
QCA_WCN7850,
};


>> dereferring nullptr hu->serdev, fixed by null check before access.
>
> dereferring → dereferencing
>
>>
I have corrected it as you advised.
>> sudo btattach -B /dev/ttyUSB0 -P qca
>> Bluetooth: hci1: QCA setup on UART is completed
>> BUG: kernel NULL pointer dereference, address: 00000000000002f0
>> ......
>> Workqueue: hci1 hci_power_on [bluetooth]
>> RIP: 0010:qca_setup+0x7c1/0xe30 [hci_uart]
>> ......
>> Call Trace:
>>   <TASK>
>>   ? show_regs+0x72/0x90
>>   ? __die+0x25/0x80
>>   ? page_fault_oops+0x154/0x4c0
>>   ? srso_alias_return_thunk+0x5/0xfbef5
>>   ? kmem_cache_alloc+0x16b/0x310
>>   ? do_user_addr_fault+0x330/0x6e0
>>   ? srso_alias_return_thunk+0x5/0xfbef5
>>   ? exc_page_fault+0x84/0x1b0
>>   ? asm_exc_page_fault+0x27/0x30
>>   ? qca_setup+0x7c1/0xe30 [hci_uart]
>>   hci_uart_setup+0x5c/0x1a0 [hci_uart]
>>   hci_dev_open_sync+0xee/0xca0 [bluetooth]
>>   hci_dev_do_open+0x2a/0x70 [bluetooth]
>>   hci_power_on+0x46/0x210 [bluetooth]
>>   process_one_work+0x17b/0x360
>>   worker_thread+0x307/0x430
>>   ? __pfx_worker_thread+0x10/0x10
>>   kthread+0xf7/0x130
>>   ? __pfx_kthread+0x10/0x10
>>   ret_from_fork+0x46/0x70
>>   ? __pfx_kthread+0x10/0x10
>>   ret_from_fork_asm+0x1b/0x30
>>   </TASK>
>>
>> Fixes: 03b0093f7b31 ("Bluetooth: hci_qca: get wakeup status from serdev device handle")
>> Cc: <[email protected]>
>> Signed-off-by: Zijun Hu <[email protected]>
>> Tested-by: Zijun Hu <[email protected]>
>
> On what device?
>
It will happen on any machine with a Linux OS, such as:
lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 22.04.3 LTS
Release: 22.04
Codename: jammy
>> ---
>>   drivers/bluetooth/hci_qca.c | 2 +-
>>   1 file changed, 1 insertion(+), 1 deletion(-)
>>
>> diff --git a/drivers/bluetooth/hci_qca.c b/drivers/bluetooth/hci_qca.c
>> index 94b8c406f0c0..6fcfc1f7bb12 100644
>> --- a/drivers/bluetooth/hci_qca.c
>> +++ b/drivers/bluetooth/hci_qca.c
>> @@ -1951,7 +1951,7 @@ static int qca_setup(struct hci_uart *hu)
>>           qca_debugfs_init(hdev);
>>           hu->hdev->hw_error = qca_hw_error;
>>           hu->hdev->cmd_timeout = qca_cmd_timeout;
>> -        if (device_can_wakeup(hu->serdev->ctrl->dev.parent))
>> +        if (hu->serdev && device_can_wakeup(hu->serdev->ctrl->dev.parent))
>>               hu->hdev->wakeup = qca_wakeup;
>
> Why is `hu->serdev` not set on the device?
For ALL QCA BT controllers which are attached by the tool btattach, hu->serdev is nullptr since
it is not probed by the serdev driver, and it is a tty device.

As you saw, the following code also does a nullptr check for hu->serdev, since the protocol setup functions
are used by both serdev and non-serdev; thanks.

if (hu->serdev) {
serdev_device_close(hu->serdev);
}

>
>>       } else if (ret == -ENOENT) {
>>           /* No patch/nvm-config found, run with original fw/config */
>
>
> Kind regards,
>
> Paul


2024-03-20 05:28:44

by Zijun Hu

Subject: [PATCH v3] Bluetooth: qca: Fix crash when use tool btattach for QCA_ROME

A crash will happen when using the tool btattach for a BT controller
with soc_type QCA_ROME; it is caused by dereferencing nullptr
hu->serdev and is fixed by a null check before access.

sudo btattach -B /dev/ttyUSB0 -P qca
Bluetooth: hci1: QCA setup on UART is completed
BUG: kernel NULL pointer dereference, address: 00000000000002f0
......
Workqueue: hci1 hci_power_on [bluetooth]
RIP: 0010:qca_setup+0x7c1/0xe30 [hci_uart]
......
Call Trace:
<TASK>
? show_regs+0x72/0x90
? __die+0x25/0x80
? page_fault_oops+0x154/0x4c0
? srso_alias_return_thunk+0x5/0xfbef5
? kmem_cache_alloc+0x16b/0x310
? do_user_addr_fault+0x330/0x6e0
? srso_alias_return_thunk+0x5/0xfbef5
? exc_page_fault+0x84/0x1b0
? asm_exc_page_fault+0x27/0x30
? qca_setup+0x7c1/0xe30 [hci_uart]
hci_uart_setup+0x5c/0x1a0 [hci_uart]
hci_dev_open_sync+0xee/0xca0 [bluetooth]
hci_dev_do_open+0x2a/0x70 [bluetooth]
hci_power_on+0x46/0x210 [bluetooth]
process_one_work+0x17b/0x360
worker_thread+0x307/0x430
? __pfx_worker_thread+0x10/0x10
kthread+0xf7/0x130
? __pfx_kthread+0x10/0x10
ret_from_fork+0x46/0x70
? __pfx_kthread+0x10/0x10
ret_from_fork_asm+0x1b/0x30
</TASK>

Fixes: 03b0093f7b31 ("Bluetooth: hci_qca: get wakeup status from serdev device handle")
Signed-off-by: Zijun Hu <[email protected]>
Tested-by: Zijun Hu <[email protected]>
---
Changes since v2:
- Correct title and commit message
Changes since v1:
- Correct title and commit message based on Paul's suggestions

drivers/bluetooth/hci_qca.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/bluetooth/hci_qca.c b/drivers/bluetooth/hci_qca.c
index 8a60ad7acd70..24d45c5c47ad 100644
--- a/drivers/bluetooth/hci_qca.c
+++ b/drivers/bluetooth/hci_qca.c
@@ -1961,7 +1961,7 @@ static int qca_setup(struct hci_uart *hu)
qca_debugfs_init(hdev);
hu->hdev->hw_error = qca_hw_error;
hu->hdev->cmd_timeout = qca_cmd_timeout;
- if (device_can_wakeup(hu->serdev->ctrl->dev.parent))
+ if (hu->serdev && device_can_wakeup(hu->serdev->ctrl->dev.parent))
hu->hdev->wakeup = qca_wakeup;
} else if (ret == -ENOENT) {
/* No patch/nvm-config found, run with original fw/config */
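Review bot: the trailer block of this version no longer carries the `Cc: <[email protected]>` line that v1 and v2 had, although the Fixes: tag is unchanged and the hunk is still the one-line NULL check that stable would want; if the drop was unintentional it should be restored. The hunk itself is identical to v2, only the @@ header moved from -1951 to -1961 with the rebase, so the earlier review comment about documenting why hu->serdev is NULL on the btattach path still applies here.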
--
2.7.4


2024-03-20 05:57:16

by bluez.test.bot

Subject: RE: [v3] Bluetooth: qca: Fix crash when use tool btattach for QCA_ROME

This is an automated email; please do not reply to it!

Dear submitter,

Thank you for submitting the patches to the Linux Bluetooth mailing list.
These are the CI test results for your patch series:
PW Link: https://patchwork.kernel.org/project/bluetooth/list/?series=836616

---Test result---

Test Summary:
CheckPatch PASS 0.49 seconds
GitLint PASS 0.20 seconds
SubjectPrefix PASS 0.06 seconds
BuildKernel PASS 28.36 seconds
CheckAllWarning PASS 31.58 seconds
CheckSparse PASS 36.95 seconds
CheckSmatch PASS 100.70 seconds
BuildKernel32 PASS 28.57 seconds
TestRunnerSetup PASS 527.24 seconds
TestRunner_l2cap-tester PASS 20.46 seconds
TestRunner_iso-tester PASS 32.89 seconds
TestRunner_bnep-tester PASS 4.78 seconds
TestRunner_mgmt-tester PASS 117.13 seconds
TestRunner_rfcomm-tester PASS 7.24 seconds
TestRunner_sco-tester PASS 15.00 seconds
TestRunner_ioctl-tester PASS 7.67 seconds
TestRunner_mesh-tester PASS 5.86 seconds
TestRunner_smp-tester PASS 6.77 seconds
TestRunner_userchan-tester PASS 4.92 seconds
IncrementalBuild PASS 27.03 seconds



---
Regards,
Linux Bluetooth

2024-04-22 14:48:55

by Zijun Hu

Subject: [PATCH v2 RESEND] Bluetooth: qca: Fix crash when btattach BT controller QCA_ROME

A crash will happen when using the tool btattach to attach a BT controller
QCA_ROME; it is caused by dereferencing nullptr hu->serdev and is fixed
by a null check before access.

sudo btattach -B /dev/ttyUSB0 -P qca
Bluetooth: hci1: QCA setup on UART is completed
BUG: kernel NULL pointer dereference, address: 00000000000002f0
......
Workqueue: hci1 hci_power_on [bluetooth]
RIP: 0010:qca_setup+0x7c1/0xe30 [hci_uart]
......
Call Trace:
<TASK>
? show_regs+0x72/0x90
? __die+0x25/0x80
? page_fault_oops+0x154/0x4c0
? srso_alias_return_thunk+0x5/0xfbef5
? kmem_cache_alloc+0x16b/0x310
? do_user_addr_fault+0x330/0x6e0
? srso_alias_return_thunk+0x5/0xfbef5
? exc_page_fault+0x84/0x1b0
? asm_exc_page_fault+0x27/0x30
? qca_setup+0x7c1/0xe30 [hci_uart]
hci_uart_setup+0x5c/0x1a0 [hci_uart]
hci_dev_open_sync+0xee/0xca0 [bluetooth]
hci_dev_do_open+0x2a/0x70 [bluetooth]
hci_power_on+0x46/0x210 [bluetooth]
process_one_work+0x17b/0x360
worker_thread+0x307/0x430
? __pfx_worker_thread+0x10/0x10
kthread+0xf7/0x130
? __pfx_kthread+0x10/0x10
ret_from_fork+0x46/0x70
? __pfx_kthread+0x10/0x10
ret_from_fork_asm+0x1b/0x30
</TASK>

Fixes: 03b0093f7b31 ("Bluetooth: hci_qca: get wakeup status from serdev device handle")
Cc: <[email protected]>
Signed-off-by: Zijun Hu <[email protected]>
Tested-by: Zijun Hu <[email protected]>
---
drivers/bluetooth/hci_qca.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/bluetooth/hci_qca.c b/drivers/bluetooth/hci_qca.c
index 92fa20f5ac7d..fdaf83d817af 100644
--- a/drivers/bluetooth/hci_qca.c
+++ b/drivers/bluetooth/hci_qca.c
@@ -1955,7 +1955,7 @@ static int qca_setup(struct hci_uart *hu)
qca_debugfs_init(hdev);
hu->hdev->hw_error = qca_hw_error;
hu->hdev->cmd_timeout = qca_cmd_timeout;
- if (device_can_wakeup(hu->serdev->ctrl->dev.parent))
+ if (hu->serdev && device_can_wakeup(hu->serdev->ctrl->dev.parent))
hu->hdev->wakeup = qca_wakeup;
} else if (ret == -ENOENT) {
/* No patch/nvm-config found, run with original fw/config */
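Review bot: this resend is byte-for-byte the v2 hunk (only the index line and the @@ offset moved with the rebase onto 92fa20f5ac7d), so the logic needs no re-review; the CI report for it shows CheckSmatch crashing with a segmentation fault while building net/bluetooth/hci_core.o, drivers/bluetooth/bcm203x.o and drivers/bluetooth/bpa10x.o, and four LL Privacy cases failing in mgmt-tester, none of which involve drivers/bluetooth/hci_qca.c or the wakeup hook this line touches, so they appear unrelated to the change; a short note in the resend saying so, or a re-run, would save the maintainer that check.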
--
2.7.4


2024-04-22 15:34:33

by bluez.test.bot

Subject: RE: [v2,RESEND] Bluetooth: qca: Fix crash when btattach BT controller QCA_ROME

This is an automated email; please do not reply to it!

Dear submitter,

Thank you for submitting the patches to the Linux Bluetooth mailing list.
These are the CI test results for your patch series:
PW Link: https://patchwork.kernel.org/project/bluetooth/list/?series=846699

---Test result---

Test Summary:
CheckPatch PASS 0.61 seconds
GitLint PASS 0.27 seconds
SubjectPrefix PASS 0.09 seconds
BuildKernel PASS 31.88 seconds
CheckAllWarning PASS 35.51 seconds
CheckSparse PASS 40.67 seconds
CheckSmatch FAIL 38.18 seconds
BuildKernel32 PASS 31.05 seconds
TestRunnerSetup PASS 551.98 seconds
TestRunner_l2cap-tester PASS 21.08 seconds
TestRunner_iso-tester PASS 34.75 seconds
TestRunner_bnep-tester PASS 4.90 seconds
TestRunner_mgmt-tester FAIL 117.39 seconds
TestRunner_rfcomm-tester PASS 7.68 seconds
TestRunner_sco-tester PASS 15.28 seconds
TestRunner_ioctl-tester PASS 8.34 seconds
TestRunner_mesh-tester PASS 6.12 seconds
TestRunner_smp-tester PASS 7.12 seconds
TestRunner_userchan-tester PASS 5.02 seconds
IncrementalBuild PASS 30.33 seconds

Details
##############################
Test: CheckSmatch - FAIL
Desc: Run smatch tool with source
Output:

Segmentation fault (core dumped)
make[4]: *** [scripts/Makefile.build:244: net/bluetooth/hci_core.o] Error 139
make[4]: *** Deleting file 'net/bluetooth/hci_core.o'
make[3]: *** [scripts/Makefile.build:485: net/bluetooth] Error 2
make[2]: *** [scripts/Makefile.build:485: net] Error 2
make[2]: *** Waiting for unfinished jobs....
Segmentation fault (core dumped)
make[4]: *** [scripts/Makefile.build:244: drivers/bluetooth/bcm203x.o] Error 139
make[4]: *** Deleting file 'drivers/bluetooth/bcm203x.o'
make[4]: *** Waiting for unfinished jobs....
Segmentation fault (core dumped)
make[4]: *** [scripts/Makefile.build:244: drivers/bluetooth/bpa10x.o] Error 139
make[4]: *** Deleting file 'drivers/bluetooth/bpa10x.o'
make[3]: *** [scripts/Makefile.build:485: drivers/bluetooth] Error 2
make[2]: *** [scripts/Makefile.build:485: drivers] Error 2
make[1]: *** [/github/workspace/src/src/Makefile:1919: .] Error 2
make: *** [Makefile:240: __sub-make] Error 2
##############################
Test: TestRunner_mgmt-tester - FAIL
Desc: Run mgmt-tester with test-runner
Output:
Total: 492, Passed: 486 (98.8%), Failed: 4, Not Run: 2

Failed Test Cases
LL Privacy - Add Device 4 (2 Devices to AL) Failed 0.162 seconds
LL Privacy - Add Device 6 (RL is full) Failed 0.194 seconds
LL Privacy - Add Device 7 (AL is full) Failed 0.198 seconds
LL Privacy - Remove Device 4 (Disable Adv) Timed out 2.210 seconds


---
Regards,
Linux Bluetooth