From: bugzilla-daemon@bugzilla.kernel.org
To: linux-bluetooth@vger.kernel.org
Subject: [Bug 213203] New: KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007] when ASUS USB-BT500 bluetooth dongle is connected
Date: Mon, 24 May 2021 19:40:35 +0000
Message-ID: <bug-213203-62941@https.bugzilla.kernel.org/>
https://bugzilla.kernel.org/show_bug.cgi?id=213203
Bug ID: 213203
Summary: KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007] when ASUS USB-BT500 bluetooth dongle is connected
Product: Drivers
Version: 2.5
Kernel Version: 5.13-rc3
Hardware: All
OS: Linux
Tree: Mainline
Status: NEW
Severity: normal
Priority: P1
Component: Bluetooth
Assignee: linux-bluetooth@vger.kernel.org
Reporter: erhard_f@mailbox.org
Regression: No
Created attachment 296971
--> https://bugzilla.kernel.org/attachment.cgi?id=296971&action=edit
kernel dmesg (5.13-rc3, AMD A10 PRO-7800B)
Getting this at shutdown with my ASUS USB-BT500 bluetooth dongle connected:
[...]
general protection fault, probably for non-canonical address
0xdffffc0000000000: 0000 [#1] SMP KASAN NOPTI
KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
CPU: 2 PID: 110 Comm: kworker/u9:0 Not tainted 5.13.0-rc3-bdver3 #4
Hardware name: To Be Filled By O.E.M. To Be Filled By O.E.M./FM2A88M Pro3+,
BIOS P2.60 01/11/2016
Workqueue: hci0 hci_power_off [bluetooth]
RIP: 0010:smp_del_chan+0x35/0x12f [bluetooth]
Code: c1 ea 03 48 c1 e0 2a 55 48 89 fd 80 3c 02 00 74 05 e8 70 df 43 d2 4c 8b
65 00 b8 ff ff 37 00 48 c1 e0 2a 4c 89 e2 48 c1 ea 03 <80> 3c 02 00 74 08 4c 89
e7 e8 4e df 43 d2 4d 8b 24 24 b8 ff ff 37
RSP: 0018:ffff88811896fca0 EFLAGS: 00010256
RAX: dffffc0000000000 RBX: ffff88811fb6a000 RCX: 1ffff1102312df86
RDX: 0000000000000000 RSI: 0000000000000008 RDI: ffff88816e770800
RBP: ffff88816e770800 R08: ffffed1023f6d403 R09: ffff88811fb6a017
R10: 0000000000000001 R11: ffffffff94fabad1 R12: 0000000000000000
R13: ffff88811fb6a0a8 R14: dffffc0000000000 R15: ffff88811fb6b758
FS: 0000000000000000(0000) GS:ffff888377f00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f6acdb50000 CR3: 000000012f1fc000 CR4: 00000000000506e0
Call Trace:
smp_unregister+0x42/0x83 [bluetooth]
hci_dev_do_close+0x455/0x7b1 [bluetooth]
? hci_inquiry+0x58f/0x58f [bluetooth]
? rcu_read_lock_sched_held+0x73/0xc8
process_one_work+0x625/0x99f
? rcu_read_unlock+0x59/0x59
? cancel_delayed_work+0xe9/0xe9
? __raw_spin_lock_init+0xf0/0xf0
worker_thread+0x47a/0x597
? __kthread_parkme+0x6f/0xc3
kthread+0x2b6/0x2c5
? drain_workqueue+0x268/0x268
? kthread_unpark+0x82/0x82
ret_from_fork+0x22/0x30
Modules linked in: rfcomm cmac bnep dm_crypt nhpoly1305_sse2 nhpoly1305
chacha_generic chacha_x86_64 libchacha adiantum libpoly1305 algif_skcipher
dm_mod input_leds joydev btusb btrtl btbcm hid_generic btintel bluetooth
jitterentropy_rng usbhid hid drbg ansi_cprng ecdh_generic ecc rfkill raid456
async_raid6_recov async_memcpy async_pq async_xor async_tx md_mod evdev amdgpu
edac_mce_amd crc32_generic crc32_pclmul ohci_pci f2fs lz4hc_compress
lz4_compress lz4_decompress aesni_intel libaes crypto_simd cryptd k10temp
fam15h_power i2c_piix4 ext4 snd_hda_codec_realtek crc16 snd_hda_codec_generic
mbcache ledtrig_audio drm_ttm_helper led_class jbd2 ttm snd_hda_codec_hdmi
mfd_core snd_hda_intel gpu_sched i2c_algo_bit snd_intel_dspcfg xhci_pci
snd_hda_codec drm_kms_helper ohci_hcd ehci_pci snd_hwdep cfbfillrect ehci_hcd
syscopyarea cfbimgblt sysfillrect snd_hda_core xhci_hcd sysimgblt acpi_cpufreq
fb_sys_fops cfbcopyarea snd_pcm snd_timer fb usbcore font video snd usb_common
fbdev
soundcore button processor zram zsmalloc nct6775 hwmon_vid hwmon nfsd
auth_rpcgss lockd drm grace drm_panel_orientation_quirks fuse backlight
configfs sunrpc efivarfs
---[ end trace ef1888241aeb31e2 ]---
RIP: 0010:smp_del_chan+0x35/0x12f [bluetooth]
Code: c1 ea 03 48 c1 e0 2a 55 48 89 fd 80 3c 02 00 74 05 e8 70 df 43 d2 4c 8b
65 00 b8 ff ff 37 00 48 c1 e0 2a 4c 89 e2 48 c1 ea 03 <80> 3c 02 00 74 08 4c 89
e7 e8 4e df 43 d2 4d 8b 24 24 b8 ff ff 37
RSP: 0018:ffff88811896fca0 EFLAGS: 00010256
RAX: dffffc0000000000 RBX: ffff88811fb6a000 RCX: 1ffff1102312df86
RDX: 0000000000000000 RSI: 0000000000000008 RDI: ffff88816e770800
RBP: ffff88816e770800 R08: ffffed1023f6d403 R09: ffff88811fb6a017
R10: 0000000000000001 R11: ffffffff94fabad1 R12: 0000000000000000
R13: ffff88811fb6a0a8 R14: dffffc0000000000 R15: ffff88811fb6b758
FS: 0000000000000000(0000) GS:ffff888377f00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f6acdb50000 CR3: 000000012f1fc000 CR4: 00000000000506e0
[...]
# inxi -bZ
System: Host: yea Kernel: 5.13.0-rc3-bdver3 x86_64 bits: 64 Console: tty 1
Distro: Gentoo Base System release 2.7
Machine: Type: Desktop Mobo: ASRock model: FM2A88M Pro3+ serial: N/A UEFI:
American Megatrends v: P2.60 date: 01/11/2016
CPU: Info: Quad Core AMD A10 PRO-7800B R7 12 Compute Cores 4C+8G [MCP]
speed: 1897 MHz min/max: 1400/3500 MHz
Graphics: Device-1: Advanced Micro Devices [AMD/ATI] Kaveri [Radeon R7
Graphics] driver: amdgpu v: kernel
Display: server: X.org 1.20.11 driver: amdgpu,ati unloaded:
fbdev,modesetting tty: 211x54
Message: Advanced graphics data unavailable in console for root.
Network: Device-1: Realtek RTL8111/8168/8411 PCI Express Gigabit Ethernet
driver: r8169
# lsusb -s 007:002 -v
Bus 007 Device 002: ID 0b05:190e ASUSTek Computer, Inc. ASUS USB-BT500
Device Descriptor:
bLength 18
bDescriptorType 1
bcdUSB 1.10
bDeviceClass 224 Wireless
bDeviceSubClass 1 Radio Frequency
bDeviceProtocol 1 Bluetooth
bMaxPacketSize0 64
idVendor 0x0b05 ASUSTek Computer, Inc.
idProduct 0x190e
bcdDevice 2.00
iManufacturer 1 Realtek
iProduct 2 ASUS USB-BT500
iSerial 3 00E04C239987
bNumConfigurations 1
Configuration Descriptor:
bLength 9
bDescriptorType 2
wTotalLength 0x00b1
bNumInterfaces 2
bConfigurationValue 1
iConfiguration 0
bmAttributes 0xe0
Self Powered
Remote Wakeup
MaxPower 500mA
Interface Descriptor:
bLength 9
bDescriptorType 4
bInterfaceNumber 0
bAlternateSetting 0
bNumEndpoints 3
bInterfaceClass 224 Wireless
bInterfaceSubClass 1 Radio Frequency
bInterfaceProtocol 1 Bluetooth
iInterface 4 Bluetooth Radio
Endpoint Descriptor:
bLength 7
bDescriptorType 5
bEndpointAddress 0x81 EP 1 IN
bmAttributes 3
Transfer Type Interrupt
Synch Type None
Usage Type Data
wMaxPacketSize 0x0010 1x 16 bytes
bInterval 1
Endpoint Descriptor:
bLength 7
bDescriptorType 5
bEndpointAddress 0x02 EP 2 OUT
bmAttributes 2
Transfer Type Bulk
Synch Type None
Usage Type Data
wMaxPacketSize 0x0040 1x 64 bytes
bInterval 0
Endpoint Descriptor:
bLength 7
bDescriptorType 5
bEndpointAddress 0x82 EP 2 IN
bmAttributes 2
Transfer Type Bulk
Synch Type None
Usage Type Data
wMaxPacketSize 0x0040 1x 64 bytes
bInterval 0
Interface Descriptor:
bLength 9
bDescriptorType 4
bInterfaceNumber 1
bAlternateSetting 0
bNumEndpoints 2
bInterfaceClass 224 Wireless
bInterfaceSubClass 1 Radio Frequency
bInterfaceProtocol 1 Bluetooth
iInterface 4 Bluetooth Radio
Endpoint Descriptor:
bLength 7
bDescriptorType 5
bEndpointAddress 0x03 EP 3 OUT
bmAttributes 1
Transfer Type Isochronous
Synch Type None
Usage Type Data
wMaxPacketSize 0x0000 1x 0 bytes
bInterval 1
Endpoint Descriptor:
bLength 7
bDescriptorType 5
bEndpointAddress 0x83 EP 3 IN
bmAttributes 1
Transfer Type Isochronous
Synch Type None
Usage Type Data
wMaxPacketSize 0x0000 1x 0 bytes
bInterval 1
Interface Descriptor:
bLength 9
bDescriptorType 4
bInterfaceNumber 1
bAlternateSetting 1
bNumEndpoints 2
bInterfaceClass 224 Wireless
bInterfaceSubClass 1 Radio Frequency
bInterfaceProtocol 1 Bluetooth
iInterface 4 Bluetooth Radio
Endpoint Descriptor:
bLength 7
bDescriptorType 5
bEndpointAddress 0x03 EP 3 OUT
bmAttributes 1
Transfer Type Isochronous
Synch Type None
Usage Type Data
wMaxPacketSize 0x0009 1x 9 bytes
bInterval 1
Endpoint Descriptor:
bLength 7
bDescriptorType 5
bEndpointAddress 0x83 EP 3 IN
bmAttributes 1
Transfer Type Isochronous
Synch Type None
Usage Type Data
wMaxPacketSize 0x0009 1x 9 bytes
bInterval 1
Interface Descriptor:
bLength 9
bDescriptorType 4
bInterfaceNumber 1
bAlternateSetting 2
bNumEndpoints 2
bInterfaceClass 224 Wireless
bInterfaceSubClass 1 Radio Frequency
bInterfaceProtocol 1 Bluetooth
iInterface 4 Bluetooth Radio
Endpoint Descriptor:
bLength 7
bDescriptorType 5
bEndpointAddress 0x03 EP 3 OUT
bmAttributes 1
Transfer Type Isochronous
Synch Type None
Usage Type Data
wMaxPacketSize 0x0011 1x 17 bytes
bInterval 1
Endpoint Descriptor:
bLength 7
bDescriptorType 5
bEndpointAddress 0x83 EP 3 IN
bmAttributes 1
Transfer Type Isochronous
Synch Type None
Usage Type Data
wMaxPacketSize 0x0011 1x 17 bytes
bInterval 1
Interface Descriptor:
bLength 9
bDescriptorType 4
bInterfaceNumber 1
bAlternateSetting 3
bNumEndpoints 2
bInterfaceClass 224 Wireless
bInterfaceSubClass 1 Radio Frequency
bInterfaceProtocol 1 Bluetooth
iInterface 4 Bluetooth Radio
Endpoint Descriptor:
bLength 7
bDescriptorType 5
bEndpointAddress 0x03 EP 3 OUT
bmAttributes 1
Transfer Type Isochronous
Synch Type None
Usage Type Data
wMaxPacketSize 0x0019 1x 25 bytes
bInterval 1
Endpoint Descriptor:
bLength 7
bDescriptorType 5
bEndpointAddress 0x83 EP 3 IN
bmAttributes 1
Transfer Type Isochronous
Synch Type None
Usage Type Data
wMaxPacketSize 0x0019 1x 25 bytes
bInterval 1
Interface Descriptor:
bLength 9
bDescriptorType 4
bInterfaceNumber 1
bAlternateSetting 4
bNumEndpoints 2
bInterfaceClass 224 Wireless
bInterfaceSubClass 1 Radio Frequency
bInterfaceProtocol 1 Bluetooth
iInterface 4 Bluetooth Radio
Endpoint Descriptor:
bLength 7
bDescriptorType 5
bEndpointAddress 0x03 EP 3 OUT
bmAttributes 1
Transfer Type Isochronous
Synch Type None
Usage Type Data
wMaxPacketSize 0x0021 1x 33 bytes
bInterval 1
Endpoint Descriptor:
bLength 7
bDescriptorType 5
bEndpointAddress 0x83 EP 3 IN
bmAttributes 1
Transfer Type Isochronous
Synch Type None
Usage Type Data
wMaxPacketSize 0x0021 1x 33 bytes
bInterval 1
Interface Descriptor:
bLength 9
bDescriptorType 4
bInterfaceNumber 1
bAlternateSetting 5
bNumEndpoints 2
bInterfaceClass 224 Wireless
bInterfaceSubClass 1 Radio Frequency
bInterfaceProtocol 1 Bluetooth
iInterface 4 Bluetooth Radio
Endpoint Descriptor:
bLength 7
bDescriptorType 5
bEndpointAddress 0x03 EP 3 OUT
bmAttributes 1
Transfer Type Isochronous
Synch Type None
Usage Type Data
wMaxPacketSize 0x0031 1x 49 bytes
bInterval 1
Endpoint Descriptor:
bLength 7
bDescriptorType 5
bEndpointAddress 0x83 EP 3 IN
bmAttributes 1
Transfer Type Isochronous
Synch Type None
Usage Type Data
wMaxPacketSize 0x0031 1x 49 bytes
bInterval 1
can't get debug descriptor: Resource temporarily unavailable
Device Status: 0x0001
Self Powered