Bug 2208202

Summary: [abrt] sco_sock_sendmsg: BUG: kernel NULL pointer dereference, address: 0000000000000688 [bluetooth]
Product: [Fedora] Fedora Reporter: Paolo Antinori <pantinor>
Component: kernelAssignee: Kernel Maintainer List <kernel-maint>
Status: NEW --- QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 38CC: acaringi, adscvr, airlied, alciregi, bskeggs, hdegoede, hpa, jarodwilson, josef, kernel-maint, lgoncalv, linville, masami256, mchehab, pantinor, ptalbert, steved
Target Milestone: ---   
Target Release: ---   
Hardware: x86_64   
OS: Unspecified   
URL: https://retrace.fedoraproject.org/faf/reports/bthash/2526f25d5d203c03338ff9afa012d47fc6eb0a3
Whiteboard: abrt_hash:4c90ae6a66cf0219b12f6680dbe9ad388f3aa848;VARIANT_ID=workstation;
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Attachments:
Description Flags
File: dmesg none

Description Paolo Antinori 2023-05-18 08:54:14 UTC 
Description of problem:
I'm fighting with bluetoothd problems. Since some time the deamon freezes and it even hangs at shutdown, giving me as the only option tht of perform a hard shutdown.

Additional info:
reporter:       libreport-2.17.10
BUG: kernel NULL pointer dereference, address: 0000000000000688
#PF: supervisor read access in kernel mode
#PF: error_code(0x0000) - not-present page
PGD 0 P4D 0 
Oops: 0000 [#1] PREEMPT SMP NOPTI
CPU: 4 PID: 2400 Comm: wireplumber Not tainted 6.2.15-300.fc38.x86_64 #1
Hardware name: LENOVO 20XXS3HC0G/20XXS3HC0G, BIOS N32ET83W (1.59 ) 02/09/2023
RIP: 0010:hci_send_sco+0x13/0xb0 [bluetooth]
Code: e3 eb cf 0f 1f 40 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 0f 1f 44 00 00 41 56 49 89 fe 41 55 41 54 55 53 48 89 f3 <4c> 8b af 88 06 00 00 66 90 48 89 df be 03 00 00 00 45 0f b7 66 32
RSP: 0018:ffffb11582247c78 EFLAGS: 00010216
RAX: 0000000000000001 RBX: ffff9e383926db00 RCX: 0000000000000000
RDX: 0000000000000001 RSI: ffff9e383926db00 RDI: 0000000000000000
RBP: ffff9e38131d0c00 R08: ffffb11582247b08 R09: 0000000000000000
R10: 0000000000000038 R11: 0000000000000000 R12: ffff9e37c3f77080
R13: ffffb11582247d30 R14: 0000000000000000 R15: ffffb11582247d20
FS:  00007f49c125d6c0(0000) GS:ffff9e3ebf700000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000688 CR3: 00000001a5ffe005 CR4: 0000000000770ee0
PKRU: 55555554
Call Trace:
 <TASK>
 sco_sock_sendmsg+0x231/0x2e0 [bluetooth]
 sock_sendmsg+0x5c/0x70
 __sys_sendto+0x11c/0x170
 __x64_sys_sendto+0x20/0x30
 do_syscall_64+0x59/0x90
 ? vfs_read+0x239/0x310
 ? ksys_read+0xd4/0xf0
 ? syscall_exit_to_user_mode+0x17/0x40
 ? do_syscall_64+0x68/0x90
 entry_SYSCALL_64_after_hwframe+0x72/0xdc
RIP: 0033:0x7f49cf13184a
Code: e0 89 7d e8 89 4d d4 e8 54 42 f7 ff 44 8b 55 d4 48 8b 55 d8 45 31 c9 89 c3 48 8b 75 e0 8b 7d e8 45 31 c0 b8 2c 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 36 89 df 48 89 45 e8 e8 a3 42 f7 ff 48 8b 45
RSP: 002b:00007f49c125c900 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f49cf13184a
RDX: 000000000000003c RSI: 0000557ed6edfe6c RDI: 0000000000000038
RBP: 00007f49c125c930 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000004040 R11: 0000000000000246 R12: 000000000000003c
R13: 0000557ed6edfe6c R14: 0000557ed6ef8fa0 R15: 0000000000000060
 </TASK>
Modules linked in: uinput rfcomm snd_seq_dummy snd_hrtimer nf_conntrack_netbios_ns nf_conntrack_broadcast nft_fib_inet nft_fib_ipv4 nft_fib_ipv6 nft_fib nft_reject_inet nf_reject_ipv4 nf_reject_ipv6 nft_reject nft_ct nft_chain_nat nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 ip_set nf_tables nfnetlink qrtr bnep sunrpc snd_ctl_led snd_soc_skl_hda_dsp snd_soc_intel_hda_dsp_common snd_soc_hdac_hdmi snd_sof_probes binfmt_misc vfat fat snd_hda_codec_hdmi snd_hda_codec_realtek snd_hda_codec_generic snd_soc_dmic snd_sof_pci_intel_tgl snd_sof_intel_hda_common soundwire_intel soundwire_generic_allocation soundwire_cadence snd_sof_intel_hda snd_sof_pci snd_sof_xtensa_dsp snd_sof snd_sof_utils snd_soc_hdac_hda iwlmvm snd_hda_ext_core intel_tcc_cooling snd_soc_acpi_intel_match iTCO_wdt snd_soc_acpi intel_pmc_bxt x86_pkg_temp_thermal mei_hdcp mei_pxp intel_powerclamp mei_wdt iTCO_vendor_support intel_rapl_msr soundwire_bus mac80211 coretemp pmt_telemetry pmt_class snd_soc_core
 kvm_intel snd_compress ac97_bus snd_pcm_dmaengine libarc4 uvcvideo kvm snd_hda_intel snd_intel_dspcfg snd_intel_sdw_acpi snd_hda_codec videobuf2_vmalloc btusb snd_hda_core irqbypass videobuf2_memops iwlwifi videobuf2_v4l2 rapl snd_hwdep btrtl btbcm processor_thermal_device_pci_legacy intel_cstate processor_thermal_device btintel snd_seq videobuf2_common processor_thermal_rfim snd_seq_device btmtk processor_thermal_mbox intel_uncore videodev snd_pcm pcspkr cfg80211 think_lmi mc firmware_attributes_class thinkpad_acpi bluetooth processor_thermal_rapl wmi_bmof i2c_i801 mei_me thunderbolt ledtrig_audio idma64 snd_timer platform_profile mei intel_rapl_common snd i2c_smbus rfkill intel_vsec igen6_edac intel_soc_dts_iosf soundcore int3403_thermal soc_button_array int340x_thermal_zone intel_hid sparse_keymap int3400_thermal acpi_thermal_rel acpi_tad acpi_pad joydev loop zram dm_crypt hid_logitech_hidpp i915 drm_buddy hid_logitech_dj crct10dif_pclmul drm_display_helper crc32_pclmul
 nvme crc32c_intel polyval_clmulni ucsi_acpi hid_multitouch polyval_generic ghash_clmulni_intel nvme_core cec typec_ucsi sha512_ssse3 typec i2c_hid_acpi ttm nvme_common i2c_hid video pinctrl_tigerlake wmi serio_raw ip6_tables ip_tables fuse
CR2: 0000000000000688
Comment 1 Paolo Antinori 2023-05-18 08:54:19 UTC 
Created attachment 1965382 [details]
File: dmesg
Comment 2 Kate Hsuan 2023-05-19 11:25:24 UTC 
Hi,

Thank you for reporting the issue.
This issue was caused by an uncompleted sync command when powering off the device.
Some of the sync commands take a long time to finish their tasks. So, those commands should be canceled before powering off the device to prevent the NULL pointer access.

I've applied the upstream patch to the F38 kernel and made a scratch build for you to test.

Once the build task is done, you could download the rpm package through the following URL:
https://koji.fedoraproject.org/koji/taskinfo?taskID=101329198

If it works for you, I'll submit those patches to the Fedora kernel. :)
Comment 3 Paolo Antinori 2023-05-26 10:03:06 UTC 
Description of problem:
audio stopped working. it's somehow related to bluetooth. and the bluetooth deamon stops and halts the shutdown, having an unbound graceperiod

Version-Release number of selected component:
kernel-core-6.2.15-300.fc38

Additional info:
reporter:       libreport-2.17.10
kernel:         6.2.15-300.fc38.x86_64
crash_function: sco_sock_sendmsg
reason:         BUG: kernel NULL pointer dereference, address: 0000000000000688 [bluetooth]
type:           Kerneloops
cmdline:        BOOT_IMAGE=(hd0,gpt2)/vmlinuz-6.2.15-300.fc38.x86_64 root=UUID=e5a64610-0f60-4ed6-95c0-be750705362e ro rootflags=subvol=root rd.luks.uuid=luks-5e01c370-74a9-441e-bb48-8e9690fd830b rhgb quiet
package:        kernel-core-6.2.15-300.fc38
runlevel:       N 5
comment:        audio stopped working. it's somehow related to bluetooth. and the bluetooth deamon stops and halts the shutdown, having an unbound graceperiod

Truncated backtrace:
#1 [TASK] sco_sock_sendmsg in bluetooth
#2 [TASK] sock_sendmsg
#3 [TASK] __sys_sendto
#4 [TASK] __x64_sys_sendto
#5 [TASK] do_syscall_64
#6 [TASK] ? __do_softirq
#7 [TASK] ? __irq_exit_rcu
#8 [TASK] entry_SYSCALL_64_after_hwframe
Comment 4 Paolo Antinori 2023-05-29 12:25:31 UTC 
Description of problem:
something related to bluetooth daemon that halted

Version-Release number of selected component:
kernel-core-6.2.15-300.fc38

Additional info:
reporter:       libreport-2.17.10
kernel:         6.2.15-300.fc38.x86_64
crash_function: sco_sock_sendmsg
reason:         BUG: kernel NULL pointer dereference, address: 0000000000000688 [bluetooth]
type:           Kerneloops
cmdline:        BOOT_IMAGE=(hd0,gpt2)/vmlinuz-6.2.15-300.fc38.x86_64 root=UUID=e5a64610-0f60-4ed6-95c0-be750705362e ro rootflags=subvol=root rd.luks.uuid=luks-5e01c370-74a9-441e-bb48-8e9690fd830b rhgb quiet
package:        kernel-core-6.2.15-300.fc38
runlevel:       N 5
comment:        something related to bluetooth daemon that halted

Truncated backtrace:
#1 [TASK] sco_sock_sendmsg in bluetooth
#2 [TASK] sock_sendmsg
#3 [TASK] __sys_sendto
#4 [TASK] __x64_sys_sendto
#5 [TASK] do_syscall_64
#6 [TASK] ? switch_fpu_return
#7 [TASK] ? exit_to_user_mode_prepare
#8 [TASK] ? syscall_exit_to_user_mode
#9 [TASK] ? do_syscall_64
#10 [TASK] ? do_syscall_64
#11 [TASK] ? exc_page_fault
#12 [TASK] entry_SYSCALL_64_after_hwframe
Comment 5 Kilian 2023-06-30 11:50:04 UTC 
Description of problem:
I *suspect* that this has something to do with bluetooth. The laptop crashed now 2x, each time I was trying to get a bluetooth device connected. 

So far I have not been able to reproduce reliably.

Version-Release number of selected component:
kernel-core-6.3.8-200.fc38

Additional info:
reporter:       libreport-2.17.10
cmdline:        BOOT_IMAGE=(hd0,gpt2)/vmlinuz-6.3.8-200.fc38.x86_64 root=/dev/mapper/fedora_localhost--live-root ro resume=/dev/mapper/fedora_localhost--live-swap rd.lvm.lv=fedora_localhost-live/root rd.lvm.lv=fedora_localhost-live/swap rhgb quiet
crash_function: __die
kernel:         6.3.8-200.fc38.x86_64
package:        kernel-core-6.3.8-200.fc38
type:           Kerneloops
reason:         BUG: kernel NULL pointer dereference, address: 00000000000006a8
runlevel:       N 5

Truncated backtrace:
#1 [TASK] ? __die
#2 [TASK] ? page_fault_oops
#3 [TASK] ? exc_page_fault
#4 [TASK] ? asm_exc_page_fault
#5 [TASK] ? hci_send_sco in bluetooth
#6 [TASK] sco_sock_sendmsg in bluetooth
#7 [TASK] sock_sendmsg
#8 [TASK] ? sockfd_lookup_light
#9 [TASK] __sys_sendto
#10 [TASK] __x64_sys_sendto
#11 [TASK] do_syscall_64
#12 [TASK] ? handle_mm_fault
#13 [TASK] ? do_user_addr_fault
#14 [TASK] ? exc_page_fault
#15 [TASK] entry_SYSCALL_64_after_hwframe
Comment 6 mejia 2023-07-31 19:27:45 UTC 
Description of problem:
al reiniciar el equipo luego de una actualizacion se provoco el error

Version-Release number of selected component:
kernel-core-6.3.12-200.fc38

Additional info:
reporter:       libreport-2.17.11
runlevel:       N 5
kernel:         6.3.12-200.fc38.x86_64
type:           Kerneloops
package:        kernel-core-6.3.12-200.fc38
reason:         BUG: kernel NULL pointer dereference, address: 00000000000006a8
cmdline:        BOOT_IMAGE=(hd0,gpt5)/boot/vmlinuz-6.3.12-200.fc38.x86_64 root=UUID=07f333bb-2ec6-4bab-8b72-c8722192b1b5 ro resume=UUID=715299b5-c3cc-460f-b16b-d2c24ec53805 rhgb quiet
comment:        al reiniciar el equipo luego de una actualizacion se provoco el error
crash_function: __die

Truncated backtrace:
#1 [TASK] ? __die
#2 [TASK] ? page_fault_oops
#3 [TASK] ? exc_page_fault
#4 [TASK] ? asm_exc_page_fault
#5 [TASK] ? hci_send_sco in bluetooth
#6 [TASK] sco_sock_sendmsg in bluetooth
#7 [TASK] sock_sendmsg
#8 [TASK] ? sockfd_lookup_light
#9 [TASK] __sys_sendto
#10 [TASK] __x64_sys_sendto
#11 [TASK] do_syscall_64
#12 [TASK] ? do_syscall_64
#13 [TASK] ? exc_page_fault
#14 [TASK] entry_SYSCALL_64_after_hwframe