linux-mediatek.lists.infradead.org archive mirror
* Request to backport fixes for crash in hci_unregister_dev() to 6.12.y
@ 2024-12-30 10:51 Fedor Pchelkin
  2024-12-30 14:17 ` Greg Kroah-Hartman
  0 siblings, 1 reply; 2+ messages in thread
From: Fedor Pchelkin @ 2024-12-30 10:51 UTC
  To: Greg Kroah-Hartman, stable
  Cc: Chris Lu, Luiz Augusto von Dentz, linux-mediatek

On 6.12 there is a kernel crash during the release of btusb Mediatek
device.

list_del corruption, ffff8aae1f024000->next is LIST_POISON1 (dead000000000100)
------------[ cut here ]------------
kernel BUG at lib/list_debug.c:56!
Oops: invalid opcode: 0000 [#1] PREEMPT SMP NOPTI
CPU: 3 UID: 0 PID: 3770 Comm: qemu-system-x86 Tainted: G        W          6.12.5-200.fc41.x86_64 #1
Tainted: [W]=WARN
Hardware name: ASUS System Product Name/PRIME X670E-PRO WIFI, BIOS 3035 09/05/2024
RIP: 0010:__list_del_entry_valid_or_report.cold+0x5c/0x6f
Call Trace:
<TASK>
hci_unregister_dev+0x46/0x1f0 [bluetooth]
btusb_disconnect+0x67/0x170 [btusb]
usb_unbind_interface+0x95/0x2d0
device_release_driver_internal+0x19c/0x200
proc_ioctl+0x1be/0x230
usbdev_ioctl+0x6bd/0x1430
__x64_sys_ioctl+0x91/0xd0
do_syscall_64+0x82/0x160
entry_SYSCALL_64_after_hwframe+0x76/0x7e

Note: Taint is due to the amdgpu warnings, totally unrelated to the
issue.

The bug has been fixed "silently" in upstream with the following series
of 4 commits [1]:

ad0c6f603bb0 ("Bluetooth: btusb: mediatek: move Bluetooth power off command position")
cea1805f165c ("Bluetooth: btusb: mediatek: add callback function in btusb_disconnect")
489304e67087 ("Bluetooth: btusb: mediatek: add intf release flow when usb disconnect")
defc33b5541e ("Bluetooth: btusb: mediatek: change the conditions for ISO interface")

These commits can be cleanly cherry-picked to 6.12.y and I may confirm
they fix the problem.

FWIW, the offending commit is ceac1cb0259d ("Bluetooth: btusb: mediatek:
add ISO data transmission functions") and it is present in 6.11.y and
6.12.y.

6.11.y is EOL, so please apply the patches to 6.12.y.

[1]: https://lore.kernel.org/linux-bluetooth/20240923084705.14123-1-chris.lu@mediatek.com/

--
Thanks,
Fedor
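
The first line of the oops above comes from the kernel's list debugging check: `list_del()` overwrites a removed node's `next` pointer with `LIST_POISON1`, so finding that value on entry means the node had already been taken off a list once. A simplified userspace model of that check, added here as an illustration (not kernel code and not from the thread; `list_del_checked`, `dev_list` and `hdev` are hypothetical names, and the poison constants assume x86_64):

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Poison values as seen on x86_64: 0xdead000000000000 + 0x100 / 0x122. */
#define LIST_POISON1 ((struct list_head *)(uintptr_t)0xdead000000000100ULL)
#define LIST_POISON2 ((struct list_head *)(uintptr_t)0xdead000000000122ULL)
struct list_head { struct list_head *next, *prev; };

static void list_init(struct list_head *h) { h->next = h->prev = h; }
static void list_add(struct list_head *n, struct list_head *head)
{
    n->next = head->next; n->prev = head;
    head->next->prev = n; head->next = n;
}

/* Model of the debug check: compares against poison, never dereferences it. */
static bool list_del_entry_valid(const struct list_head *e)
{
    if (e->next == LIST_POISON1) {
        fprintf(stderr, "list_del corruption, %p->next is LIST_POISON1\n", (const void *)e);
        return false;
    }
    if (e->prev == LIST_POISON2 || e->prev->next != e || e->next->prev != e)
        return false;
    return true;
}

/* Returns 0 on success, -1 where the kernel would stop with BUG(). */
static int list_del_checked(struct list_head *e)
{
    if (!list_del_entry_valid(e))
        return -1;
    e->next->prev = e->prev;
    e->prev->next = e->next;
    e->next = LIST_POISON1;   /* mark the node as being on no list */
    e->prev = LIST_POISON2;
    return 0;
}

int main(void)
{
    struct list_head dev_list, hdev;   /* hypothetical names */
    list_init(&dev_list);
    list_add(&hdev, &dev_list);
    printf("first delete:  %d\n", list_del_checked(&hdev));
    printf("second delete: %d\n", list_del_checked(&hdev));
    return 0;
}
```

The second call is refused before any pointer is written, which is why the crash surfaces as a `BUG` in `lib/list_debug.c` rather than as silent list corruption.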



* Re: Request to backport fixes for crash in hci_unregister_dev() to 6.12.y
  2024-12-30 10:51 Request to backport fixes for crash in hci_unregister_dev() to 6.12.y Fedor Pchelkin
@ 2024-12-30 14:17 ` Greg Kroah-Hartman
  0 siblings, 0 replies; 2+ messages in thread
From: Greg Kroah-Hartman @ 2024-12-30 14:17 UTC
  To: Fedor Pchelkin; +Cc: stable, Chris Lu, Luiz Augusto von Dentz, linux-mediatek

On Mon, Dec 30, 2024 at 01:51:58PM +0300, Fedor Pchelkin wrote:
> On 6.12 there is a kernel crash during the release of btusb Mediatek
> device.
> 
> list_del corruption, ffff8aae1f024000->next is LIST_POISON1 (dead000000000100)
> ------------[ cut here ]------------
> kernel BUG at lib/list_debug.c:56!
> Oops: invalid opcode: 0000 [#1] PREEMPT SMP NOPTI
> CPU: 3 UID: 0 PID: 3770 Comm: qemu-system-x86 Tainted: G        W          6.12.5-200.fc41.x86_64 #1
> Tainted: [W]=WARN
> Hardware name: ASUS System Product Name/PRIME X670E-PRO WIFI, BIOS 3035 09/05/2024
> RIP: 0010:__list_del_entry_valid_or_report.cold+0x5c/0x6f
> Call Trace:
> <TASK>
> hci_unregister_dev+0x46/0x1f0 [bluetooth]
> btusb_disconnect+0x67/0x170 [btusb]
> usb_unbind_interface+0x95/0x2d0
> device_release_driver_internal+0x19c/0x200
> proc_ioctl+0x1be/0x230
> usbdev_ioctl+0x6bd/0x1430
> __x64_sys_ioctl+0x91/0xd0
> do_syscall_64+0x82/0x160
> entry_SYSCALL_64_after_hwframe+0x76/0x7e
> 
> Note: Taint is due to the amdgpu warnings, totally unrelated to the
> issue.
> 
> The bug has been fixed "silently" in upstream with the following series
> of 4 commits [1]:
> 
> ad0c6f603bb0 ("Bluetooth: btusb: mediatek: move Bluetooth power off command position")
> cea1805f165c ("Bluetooth: btusb: mediatek: add callback function in btusb_disconnect")
> 489304e67087 ("Bluetooth: btusb: mediatek: add intf release flow when usb disconnect")
> defc33b5541e ("Bluetooth: btusb: mediatek: change the conditions for ISO interface")
> 
> These commits can be cleanly cherry-picked to 6.12.y and I may confirm
> they fix the problem.
> 
> FWIW, the offending commit is ceac1cb0259d ("Bluetooth: btusb: mediatek:
> add ISO data transmission functions") and it is present in 6.11.y and
> 6.12.y.
> 
> 6.11.y is EOL, so please apply the patches to 6.12.y.

All now queued up, thanks.

greg k-h

