Kernel Oops happened in hci_send_acl() in Linux

1 vote
0 answers
18 views
I am working on an embedded Linux system (kernel 5.10.150) that has a Bluetooth+WiFi module. During WiFi+BT testing, I found a kernel oops as follows:
[  101.717826] CPU 0 Unable to handle kernel paging request at virtual address 000002d4, epc == 805be290, ra == 805be560
[  101.717838] Oops[#1]:
[  101.717851] CPU: 0 PID: 1763 Comm: bttest Not tainted 5.10.150 #4
[  101.717858] $ 0   : 00000000 00000001 00000010 a8be6d21
[  101.717894] $ 4   : a8be6d21 00000001 81015fa0 005f5000
[  101.717919] $ 8   : 00000000 00000000 05355555 00000000
[  101.717943] $12   : ffffffff 00000000 ffffffea 00000000
[  101.717969] $16   : 8166f000 00000000 8224dd80 00000000
[  101.717995] $20   : 00000000 00000019 81c2f308 81e11020
[  101.718023] $24   : 00000000 8001190c
[  101.718043] $28   : 8224c000 8224dc88 82134380 805be560
[  101.718061] Hi    : 02f5db53
[  101.718066] Lo    : 24a9f11c
[  101.718084] epc   : 805be290 hci_send_acl+0xa0/0x43c
[  101.718093] ra    : 805be560 hci_send_acl+0x370/0x43c
[  101.718098] Status: 34001c03 KERNEL EXL IE
[  101.718115] Cause : 00800008 (ExcCode 02)
[  101.718119] BadVA : 000002d4
[  101.718124] PrId  : 00132000 (MiPs)
[  101.718129] Modules linked in:
[  101.718142] Process bttest (pid: 1763, threadinfo=58765d16, task=15407a97, tls=6f9fd920)
[  101.718147] Stack : 8224ddf0 8166f3c8 00000001 8224dae0 80820000 805e2944 82189c00 00000019
[  101.718175]         8224dd80 8224dd78 00000000 00000019 81c2f308 821f1900 81e11020 805e7b48
[  101.718203]         8224dd08 82189c00 00000019 81d8b0f0 8224dd80 a8be6d21 80bfcc00 81c9d400
[  101.718229]         80990000 805b5298 80990000 81c9d400 a8be6d21 00000001 00000000 6f9f5d28
[  101.718256]         00000000 a8be6d21 82189e04 00000000 8224dd78 00000019 82189c00 00000001
[  101.718281]         ...
[  101.718292] Call Trace:
[  101.718301] [] hci_send_acl+0xa0/0x43c
[  101.718315] [] l2cap_chan_send+0x1f4/0xf34
[  101.718325] [] l2cap_sock_sendmsg+0xac/0x11c
[  101.718333] [] sock_write_iter+0xc8/0x14c
[  101.718344] [] do_iter_readv_writev+0x1c8/0x1ec
[  101.718351] [] do_iter_write+0xb0/0x1f8
[  101.718358] [] vfs_writev+0x80/0x280
[  101.718365] [] do_writev+0x78/0x134
[  101.718375] [] syscall_common+0x34/0x58
[  101.718382]
[  101.718387] Code: 2c441000  148000a5  3c048090  2e821000  144000c8  3c048090  02203825  03c03025
[  101.718422]
[  101.718538] ---[ end trace 87e7cd85f44c4db0 ]---
I think there is likely a use-after-free in the kernel BT code, and I found the following links describing oopses similar to this one. https://bugzilla.kernel.org/show_bug.cgi?id=216686 -- I did find the fix for that bug. And https://groups.google.com/g/syzkaller-bugs/c/SH1vfz5mhtA/m/_nzs-IpaAwAJ -- it seems to use a different kernel version, and I am not sure whether the fix has been backported to kernel 5.10. I don't know much about BT, and I don't know how to get the fixes from this link. Is there an official website for bluetooth-next where I can find the complete commits that fix the issue? So how can I fix this oops in my system?
Asked by wangt13 (631 rep)
Dec 5, 2024, 09:21 AM
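A triage helper, added here as an example and not code from the post or from the kernel tree: it parses the MIPS oops fields quoted above, applies the usual heuristic that a BadVA inside the first page is a NULL pointer plus a struct-field offset rather than a stale heap address, and builds the `scripts/faddr2line` invocation that maps `hci_send_acl+0xa0/0x43c` to a source line (the vmlinux path is an assumption and must match the running build).

```python
import re

# Sample input: a trimmed copy of the oops from the question (constructed subset).
SAMPLE_OOPS = """\
[  101.717826] CPU 0 Unable to handle kernel paging request at virtual address 000002d4, epc == 805be290, ra == 805be560
[  101.717851] CPU: 0 PID: 1763 Comm: bttest Not tainted 5.10.150 #4
[  101.718084] epc   : 805be290 hci_send_acl+0xa0/0x43c
[  101.718119] BadVA : 000002d4
[  101.718292] Call Trace:
[  101.718301] [] hci_send_acl+0xa0/0x43c
[  101.718315] [] l2cap_chan_send+0x1f4/0xf34
[  101.718325] [] l2cap_sock_sendmsg+0xac/0x11c
[  101.718538] ---[ end trace 87e7cd85f44c4db0 ]---
"""

TS_RE = re.compile(r"^\[\s*[\d.]+\]\s*")                             # printk timestamp prefix
SYM_RE = re.compile(r"[A-Za-z_][\w.]*\+0x[0-9a-f]+/0x[0-9a-f]+")  # sym+off/size

def parse_oops(text):
    """Extract the fields needed for triage from a MIPS kernel oops."""
    info = {"call_trace": []}
    in_trace = False
    for ln in (TS_RE.sub("", raw) for raw in text.splitlines()):
        if m := re.match(r"CPU: \d+ PID: (\d+) Comm: (\S+) .*?(\d+\.\d+\.\d+)", ln):
            info["pid"], info["comm"], info["kernel"] = int(m[1]), m[2], m[3]
        elif m := re.match(r"BadVA\s*:\s*([0-9a-f]+)", ln):
            info["bad_va"] = int(m[1], 16)
        elif m := re.match(r"epc\s*:\s*[0-9a-f]+\s+(\S+)", ln):
            info["epc_sym"] = m[1]            # e.g. hci_send_acl+0xa0/0x43c
        elif ln.startswith("Call Trace:"):
            in_trace = True
        elif in_trace:
            m = SYM_RE.search(ln)
            if m is None:
                break                         # first non-frame line ends the trace
            info["call_trace"].append(m[0])
    return info

def classify_bad_va(bad_va, page_size=4096):
    """Usual triage heuristic: a faulting address inside the first page is a NULL
    pointer plus a struct-field offset, not a stale heap pointer."""
    if bad_va < page_size:
        return "likely NULL-pointer dereference (field offset 0x%x)" % bad_va
    return "non-NULL fault address; investigate pointer lifetime"

def faddr2line_cmd(sym, vmlinux="vmlinux"):
    """Build the kernel tree's scripts/faddr2line call that resolves sym+off/size
    to a source line; vmlinux (assumed path) must match the running kernel build."""
    return f"scripts/faddr2line {vmlinux} {sym}"
```

Run the resulting command inside the 5.10.150 source tree used to build the image; the reported line is where to start comparing against the upstream fix.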