From: Yang Li <yang.li@amlogic.com>
kernel panic: Unable to handle kernel read from unreadable memory at virtual address 00000000000003d8
Call trace:
iso_sock_disconn+0x110/0x1c8
__iso_sock_close+0x50/0x164
iso_sock_release+0x48/0xf0
__sock_release+0x40/0xb4
sock_close+0x18/0x28
__fput+0xd8/0x28c
__fput_sync+0x50/0x5c
__arm64_sys_close+0x38/0x7c
invoke_syscall+0x48/0x118
el0_svc_common.constprop.0+0x40/0xe0
do_el0_svc_compat+0x1c/0x34
el0_svc_compat+0x30/0x88
el0t_32_sync_handler+0x90/0x140
el0t_32_sync+0x198/0x19c
Signed-off-by: Yang Li <yang.li@amlogic.com>
---
net/bluetooth/iso.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/net/bluetooth/iso.c b/net/bluetooth/iso.c
index 74ec7d125c88..89c7700ceb81 100644
--- a/net/bluetooth/iso.c
+++ b/net/bluetooth/iso.c
@@ -838,14 +838,14 @@ static void __iso_sock_close(struct sock *sk)
case BT_CONNECT:
case BT_CONNECTED:
case BT_CONFIG:
- if (iso_pi(sk)->conn->hcon)
+ if (iso_pi(sk)->conn && iso_pi(sk)->conn->hcon)
iso_sock_disconn(sk);
else
iso_chan_del(sk, ECONNRESET);
break;
case BT_CONNECT2:
- if (iso_pi(sk)->conn->hcon &&
+ if (iso_pi(sk)->conn && iso_pi(sk)->conn->hcon &&
(test_bit(HCI_CONN_PA_SYNC, &iso_pi(sk)->conn->hcon->flags) ||
test_bit(HCI_CONN_PA_SYNC_FAILED, &iso_pi(sk)->conn->hcon->flags)))
iso_sock_disconn(sk);
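Review bot: the two added `iso_pi(sk)->conn &&` guards (in the BT_CONNECT/BT_CONNECTED/BT_CONFIG arm and the BT_CONNECT2 arm) stop the reported fault but nothing here says how `iso_pi(sk)->conn` can be NULL while the socket is still in one of these states, and the commit message does not say either; please add that paragraph, because a NULL test at close time cannot tell a reference that was deliberately cleared apart from a socket that was never told its connection went away. Luiz's reply in this thread names the actual cause (BIG Sync Lost handling assuming PA Sync is lost too and calling hci_conn_del without a prior hci_disconn_cfm, so the socket layer is not informed before deletion); if that fix lands these checks are defensive only, and the commit message should say so. The two arms also diverge when `conn` is NULL: the first falls to `iso_chan_del(sk, ECONNRESET)` through its `else`, whereas this hunk shows no fallback after `iso_sock_disconn(sk);` in the BT_CONNECT2 arm, so a socket in that state with no conn would be neither disconnected nor torn down here; confirm that is intended or add the same `else`.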
---
base-commit: 2747d929617743ecba08eeeb310283b4be681383
change-id: 20251105-kernel_panic-73adc703480d
Best regards,
--
Yang Li <yang.li@amlogic.com>
Dear Yang,

Thank you for your patch.

On 05.11.25 at 10:02, Yang Li via B4 Relay wrote:
> From: Yang Li <yang.li@amlogic.com>
>
> kernel panic: Unable to handle kernel read from unreadable
> memory at virtual address 00000000000003d8

No line break needed in pasted logs.

>
> Call trace:
> iso_sock_disconn+0x110/0x1c8
> __iso_sock_close+0x50/0x164
> iso_sock_release+0x48/0xf0
> __sock_release+0x40/0xb4
> sock_close+0x18/0x28
> __fput+0xd8/0x28c
> __fput_sync+0x50/0x5c
> __arm64_sys_close+0x38/0x7c
> invoke_syscall+0x48/0x118
> el0_svc_common.constprop.0+0x40/0xe0
> do_el0_svc_compat+0x1c/0x34
> el0_svc_compat+0x30/0x88
> el0t_32_sync_handler+0x90/0x140
> el0t_32_sync+0x198/0x19c

Please add a paragraph about this problem, and how `iso_pi(sk)->conn`
can be NULL.

> Signed-off-by: Yang Li <yang.li@amlogic.com>
> ---
> net/bluetooth/iso.c | 4 ++--
> 1 file changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/net/bluetooth/iso.c b/net/bluetooth/iso.c
> index 74ec7d125c88..89c7700ceb81 100644
> --- a/net/bluetooth/iso.c
> +++ b/net/bluetooth/iso.c
> @@ -838,14 +838,14 @@ static void __iso_sock_close(struct sock *sk)
> case BT_CONNECT:
> case BT_CONNECTED:
> case BT_CONFIG:
> - if (iso_pi(sk)->conn->hcon)
> + if (iso_pi(sk)->conn && iso_pi(sk)->conn->hcon)
> iso_sock_disconn(sk);
> else
> iso_chan_del(sk, ECONNRESET);
> break;
>
> case BT_CONNECT2:
> - if (iso_pi(sk)->conn->hcon &&
> + if (iso_pi(sk)->conn && iso_pi(sk)->conn->hcon &&
> (test_bit(HCI_CONN_PA_SYNC, &iso_pi(sk)->conn->hcon->flags) ||
> test_bit(HCI_CONN_PA_SYNC_FAILED, &iso_pi(sk)->conn->hcon->flags)))
> iso_sock_disconn(sk);

This diff looks fine.


Kind regards,

Paul
Hi Paul,

> [ EXTERNAL EMAIL ]
>
> Dear Yang,
>
>
> Thank you for your patch.
>
> On 05.11.25 at 10:02, Yang Li via B4 Relay wrote:
>> From: Yang Li <yang.li@amlogic.com>
>>
>> kernel panic: Unable to handle kernel read from unreadable
>> memory at virtual address 00000000000003d8
>
> No line break needed in pasted logs.
>
>>
>> Call trace:
>> iso_sock_disconn+0x110/0x1c8
>> __iso_sock_close+0x50/0x164
>> iso_sock_release+0x48/0xf0
>> __sock_release+0x40/0xb4
>> sock_close+0x18/0x28
>> __fput+0xd8/0x28c
>> __fput_sync+0x50/0x5c
>> __arm64_sys_close+0x38/0x7c
>> invoke_syscall+0x48/0x118
>> el0_svc_common.constprop.0+0x40/0xe0
>> do_el0_svc_compat+0x1c/0x34
>> el0_svc_compat+0x30/0x88
>> el0t_32_sync_handler+0x90/0x140
>> el0t_32_sync+0x198/0x19c
>
> Please add a paragraph about this problem, and how `iso_pi(sk)->conn`
> can be NULL.

I will update it.

Thanks!

>
>> Signed-off-by: Yang Li <yang.li@amlogic.com>
>> ---
>> net/bluetooth/iso.c | 4 ++--
>> 1 file changed, 2 insertions(+), 2 deletions(-)
>>
>> diff --git a/net/bluetooth/iso.c b/net/bluetooth/iso.c
>> index 74ec7d125c88..89c7700ceb81 100644
>> --- a/net/bluetooth/iso.c
>> +++ b/net/bluetooth/iso.c
>> @@ -838,14 +838,14 @@ static void __iso_sock_close(struct sock *sk)
>> case BT_CONNECT:
>> case BT_CONNECTED:
>> case BT_CONFIG:
>> - if (iso_pi(sk)->conn->hcon)
>> + if (iso_pi(sk)->conn && iso_pi(sk)->conn->hcon)
>> iso_sock_disconn(sk);
>> else
>> iso_chan_del(sk, ECONNRESET);
>> break;
>>
>> case BT_CONNECT2:
>> - if (iso_pi(sk)->conn->hcon &&
>> + if (iso_pi(sk)->conn && iso_pi(sk)->conn->hcon &&
>> (test_bit(HCI_CONN_PA_SYNC,
>> &iso_pi(sk)->conn->hcon->flags) ||
>> test_bit(HCI_CONN_PA_SYNC_FAILED,
>> &iso_pi(sk)->conn->hcon->flags)))
>> iso_sock_disconn(sk);
>
> This diff looks fine.
>
>
> Kind regards,
>
> Paul
Hi Yang,

On Wed, Nov 5, 2025 at 9:21 PM Yang Li <yang.li@amlogic.com> wrote:
>
> Hi Paul,
>
> > [ EXTERNAL EMAIL ]
> >
> > Dear Yang,
> >
> >
> > Thank you for your patch.
> >
> > On 05.11.25 at 10:02, Yang Li via B4 Relay wrote:
> >> From: Yang Li <yang.li@amlogic.com>
> >>
> >> kernel panic: Unable to handle kernel read from unreadable
> >> memory at virtual address 00000000000003d8
> >
> > No line break needed in pasted logs.
> >
> >>
> >> Call trace:
> >> iso_sock_disconn+0x110/0x1c8
> >> __iso_sock_close+0x50/0x164
> >> iso_sock_release+0x48/0xf0
> >> __sock_release+0x40/0xb4
> >> sock_close+0x18/0x28
> >> __fput+0xd8/0x28c
> >> __fput_sync+0x50/0x5c
> >> __arm64_sys_close+0x38/0x7c
> >> invoke_syscall+0x48/0x118
> >> el0_svc_common.constprop.0+0x40/0xe0
> >> do_el0_svc_compat+0x1c/0x34
> >> el0_svc_compat+0x30/0x88
> >> el0t_32_sync_handler+0x90/0x140
> >> el0t_32_sync+0x198/0x19c
> >
> > Please add a paragraph about this problem, and how `iso_pi(sk)->conn`
> > can be NULL.
>
>
> I will update it.
>
> Thanks!
>
> >
> >> Signed-off-by: Yang Li <yang.li@amlogic.com>
> >> ---
> >> net/bluetooth/iso.c | 4 ++--
> >> 1 file changed, 2 insertions(+), 2 deletions(-)
> >>
> >> diff --git a/net/bluetooth/iso.c b/net/bluetooth/iso.c
> >> index 74ec7d125c88..89c7700ceb81 100644
> >> --- a/net/bluetooth/iso.c
> >> +++ b/net/bluetooth/iso.c
> >> @@ -838,14 +838,14 @@ static void __iso_sock_close(struct sock *sk)
> >> case BT_CONNECT:
> >> case BT_CONNECTED:
> >> case BT_CONFIG:
> >> - if (iso_pi(sk)->conn->hcon)
> >> + if (iso_pi(sk)->conn && iso_pi(sk)->conn->hcon)
> >> iso_sock_disconn(sk);
> >> else
> >> iso_chan_del(sk, ECONNRESET);
> >> break;
> >>
> >> case BT_CONNECT2:
> >> - if (iso_pi(sk)->conn->hcon &&
> >> + if (iso_pi(sk)->conn && iso_pi(sk)->conn->hcon &&
> >> (test_bit(HCI_CONN_PA_SYNC,
> >> &iso_pi(sk)->conn->hcon->flags) ||
> >> test_bit(HCI_CONN_PA_SYNC_FAILED,
> >> &iso_pi(sk)->conn->hcon->flags)))
> >> iso_sock_disconn(sk);

Hold on, since the bug is actually in the handling of BIG Sync Lost: it has been assuming that it also means PA Sync is lost as well, when that is informed by its own event, PA Sync Lost:

https://patchwork.kernel.org/project/bluetooth/patch/20251106230943.877242-2-luiz.dentz@gmail.com/

Also note that I've changed the handling so it no longer calls hci_conn_del without first calling hci_disconn_cfm, since the latter actually informs the socket layers about the imminent deletion so the socket can go ahead and clean up properly.

> > This diff looks fine.
> >
> >
> > Kind regards,
> >
> > Paul

--
Luiz Augusto von Dentz
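A simplified model of the teardown ordering Luiz describes, added here as an example; it is not code from the kernel, from this patch, or from the follow-up series. All names (hw_conn, upper_sock, lower_conn_del, upper_disconn_cfm, close_unchecked, close_checked, run_scenario) are hypothetical stand-ins for the hci_conn / ISO socket pair, and the alive flag is bookkeeping that lets the model report a would-be use-after-free instead of actually reading freed memory.

```c
/*
 * Added example, not kernel code. Two layers: a lower layer that owns
 * connection objects (hcon analogue) and an upper socket that holds a raw
 * pointer to one (iso_pinfo->conn analogue). The question the thread raises
 * is what the socket's close path sees depending on whether the lower layer
 * notified the socket before deleting the object.
 */
#include <stdbool.h>
#include <stddef.h>

struct hw_conn {             /* lower-layer connection object (hcon analogue) */
    int  handle;
    bool alive;              /* models "memory still allocated"; false == freed */
};

struct upper_sock {          /* socket private state (iso_pinfo analogue) */
    struct hw_conn *conn;    /* reference into the lower layer; may go stale */
    bool connected;
};

enum close_result {
    CLOSE_DISCONN,           /* clean: live conn, send a disconnect */
    CLOSE_CHAN_DEL,          /* clean: no conn, just tear the socket down */
    CLOSE_NULL_DEREF,        /* would have faulted on a NULL conn */
    CLOSE_UAF,               /* would have read a freed conn */
};

/* disconn_cfm analogue: the lower layer warns the socket before deletion,
 * so the socket drops its reference while the object is still valid. */
static void upper_disconn_cfm(struct upper_sock *sk, const struct hw_conn *hc)
{
    if (sk->conn == hc) {
        sk->conn = NULL;
        sk->connected = false;
    }
}

/* conn_del analogue. notify == false models hci_conn_del being called
 * without a preceding hci_disconn_cfm: the socket keeps a dangling pointer. */
static void lower_conn_del(struct hw_conn *hc, struct upper_sock *sk, bool notify)
{
    if (notify)
        upper_disconn_cfm(sk, hc);
    hc->alive = false;       /* stands in for kfree() */
}

/* Pre-patch close path: reads through sk->conn without checking it.
 * The alive flag is an oracle for what the real code would have done. */
static enum close_result close_unchecked(struct upper_sock *sk)
{
    if (sk->conn == NULL)
        return CLOSE_NULL_DEREF;   /* sk->conn->hcon would fault here */
    if (!sk->conn->alive)
        return CLOSE_UAF;
    return CLOSE_DISCONN;
}

/* Patched close path: the NULL check from the diff. It cannot tell a
 * dangling pointer from a live one; only notify-before-delete can. */
static enum close_result close_checked(struct upper_sock *sk)
{
    if (sk->conn == NULL)
        return CLOSE_CHAN_DEL;
    if (!sk->conn->alive)
        return CLOSE_UAF;
    return CLOSE_DISCONN;
}

/* Optionally tear down the lower layer first (with or without notification),
 * then run the user's close() through the pre-patch or patched close path. */
static enum close_result run_scenario(bool lower_deleted, bool notify_before_delete,
                                      bool patched)
{
    struct hw_conn hc = { .handle = 1, .alive = true };
    struct upper_sock sk = { .conn = &hc, .connected = true };

    if (lower_deleted)
        lower_conn_del(&hc, &sk, notify_before_delete);
    return patched ? close_checked(&sk) : close_unchecked(&sk);
}
```

run_scenario(true, false, true) is the case the NULL check alone cannot save: the object was deleted without disconn_cfm, so the socket's pointer is dangling rather than NULL and the patched close path walks into freed memory. run_scenario(true, true, false) is the opposite half of the problem: the socket was notified and cleared its pointer, but a close path that never tests for NULL faults anyway. Only the combination, notify before delete on the producer side plus the NULL check on the consumer side, ends in CLOSE_CHAN_DEL.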