lwfinger / rtl8723du


Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000 #27

Closed dsx724 closed 2 years ago

dsx724 commented 2 years ago

On 5.19, get a null pointer exception as soon as the dongle is plugged in.

```
[ 128.837664] usb 1-2: new high-speed USB device number 5 using xhci-hcd
[ 128.987546] usb 1-2: New USB device found, idVendor=0bda, idProduct=d723, bcdDevice= 2.00
[ 128.987727] usb 1-2: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[ 128.987821] usb 1-2: Product: 802.11n WLAN Adapter
[ 128.987894] usb 1-2: Manufacturer: Realtek
[ 128.987965] usb 1-2: SerialNumber: 00e04c000001
[ 129.007297] Bluetooth: hci0: RTL: examining hci_ver=08 hci_rev=000d lmp_ver=08 lmp_subver=8723
[ 129.008329] Bluetooth: hci0: RTL: rom_version status=0 version=2
[ 129.008358] Bluetooth: hci0: RTL: loading rtl_bt/rtl8723d_fw.bin
[ 129.014607] Bluetooth: hci0: RTL: loading rtl_bt/rtl8723d_config.bin
[ 129.015038] Bluetooth: hci0: RTL: cfg_sz 10, total sz 33266
[ 129.094945] 8723du: loading out-of-tree module taints kernel.
[ 129.279387] Bluetooth: hci0: RTL: fw version 0x828a96f1
[ 129.367781] usbcore: registered new interface driver rtl8723du
[ 130.259888] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000
[ 130.263195] Mem abort info:
[ 130.265984]   ESR = 0x0000000096000004
[ 130.269866]   EC = 0x25: DABT (current EL), IL = 32 bits
[ 130.275153]   SET = 0, FnV = 0
[ 130.278328]   EA = 0, S1PTW = 0
[ 130.280888]   FSC = 0x04: level 0 translation fault
[ 130.285776] Data abort info:
[ 130.288588]   ISV = 0, ISS = 0x00000004
[ 130.292953]   CM = 0, WnR = 0
[ 130.295596] user pgtable: 4k pages, 48-bit VAs, pgdp=000000005b796000
[ 130.303655] [0000000000000000] pgd=0000000000000000, p4d=0000000000000000
[ 130.308754] Internal error: Oops: 96000004 [#1] PREEMPT SMP
[ 130.313923] Modules linked in: 8723du(O) 8021q garp mrp stp llc cfg80211 cbc des_generic libdes ecb rfcomm iptable_nat algif_skcipher md4 algif_hash nf_nat nf_conntrack af_alg bnep nf_defrag_ipv6 nf_defrag_ipv4 iptable_mangle bpfilter iptable_filter btusb btrtl btbcm btintel btmtk bluetooth ecdh_generic ecc rfkill meson_vdec(C) videobuf2_dma_contig v4l2_mem2mem videobuf2_memops snd_soc_hdmi_codec videobuf2_v4l2 videobuf2_common videodev snd_soc_meson_gx_sound_card snd_soc_meson_t9015 snd_soc_meson_aiu ao_cec meson_rng meson_ir snd_soc_simple_amplifier snd_soc_meson_codec_glue snd_soc_meson_card_utils amlogic_gxl_crypto rng_core crypto_engine snd_soc_core mc snd_compress snd_pcm_dmaengine snd_pcm_oss snd_mixer_oss snd_pcm meson_gxbb_wdt nvmem_meson_efuse snd_timer sch_fq_codel dm_multipath dm_mod scsi_dh_rdac scsi_dh_emc scsi_dh_alua pkcs8_key_parser ipmi_devintf ipmi_msghandler fuse ip_tables x_tables ipv6 crc_ccitt btrfs blake2b_generic raid10 raid456 async_raid6_recov async_memcpy
[ 130.314155]  async_pq async_xor async_tx xor xor_neon raid6_pq libcrc32c raid1 raid0 md_mod hid_lenovo dw_hdmi_i2s_audio meson_gxl dwmac_generic meson_drm meson_dw_hdmi crct10dif_ce drm_cma_helper dwmac_meson8b stmmac_platform stmmac dw_hdmi lima drm_display_helper gpu_sched drm_shmem_helper pcs_xpcs meson_canvas cec rc_core display_connector drm_kms_helper drm
[ 130.432081] CPU: 0 PID: 608 Comm: iwd Tainted: G         C O      5.19.5-02955-g068aa9070f39 #1
[ 130.440703] Hardware name: libre-computer aml-s905x-cc/aml-s905x-cc, BIOS 2022.07+ 07/01/2022
[ 130.449156] pstate: 20000005 (nzCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
[ 130.456055] pc : pi_memcmp+0xd8/0x110
[ 130.459850] lr : cfg80211_rtw_scan+0x2ac/0x7e4 [8723du]
[ 130.465028] sp : ffff800009bbb5c0
[ 130.468303] x29: ffff800009bbb5c0 x28: 000000000000000c x27: ffff4afc5195a368
[ 130.475375] x26: ffff4afc43230048 x25: 000000000000000d x24: ffff4afc6e620a00
[ 130.482447] x23: 0000000000000000 x22: 0000000000000000 x21: 0000000000000000
[ 130.489520] x20: ffff800009ced000 x19: ffff4afc6e620a00 x18: 0000000000000000
[ 130.496592] x17: 0000000000000000 x16: ffffc27877b254c0 x15: 0000aaab02603ad0
[ 130.503665] x14: 0000000000000000 x13: ffffc27825b8c1b0 x12: 0000000000000000
[ 130.510737] x11: ffff4afc43243000 x10: ffffc27878296ec8 x9 : 0000000000000000
[ 130.517810] x8 : ffff4afc6e620a62 x7 : ffffffffffffffff x6 : 0000000800000a7f
[ 130.524882] x5 : ffff4afc5620d3a0 x4 : 0000000000000000 x3 : ffff4afc56202aa0
[ 130.531955] x2 : 0000000000000003 x1 : ffffc27825ce2600 x0 : 0000000000000000
[ 130.539028] Call trace:
[ 130.541443]  pi_memcmp+0xd8/0x110
[ 130.544893]  cfg80211_scan+0x110/0x150 [cfg80211]
[ 130.549552]  nl80211_trigger_scan+0x3f8/0x66c [cfg80211]
[ 130.554813]  genl_family_rcv_msg_doit+0xc8/0x150
[ 130.559383]  genl_rcv_msg+0xe4/0x1e0
[ 130.562919]  netlink_rcv_skb+0x5c/0x130
[ 130.566714]  genl_rcv+0x38/0x50
[ 130.569819]  netlink_unicast+0x2a8/0x300
[ 130.573700]  netlink_sendmsg+0x1c0/0x410
[ 130.577581]  sock_sendmsg+0x54/0x60
[ 130.581031]  sys_sendto+0x118/0x14c
[ 130.584654]  arm64_sys_sendto+0x2c/0x40
[ 130.588621]  invoke_syscall+0x48/0x114
[ 130.592330]  el0_svc_common.constprop.0+0xd4/0xfc
[ 130.596988]  do_el0_svc+0x30/0xc0
[ 130.600266]  el0_svc+0x34/0xb0
[ 130.603284]  el0t_64_sync_handler+0xbc/0x140
[ 130.607510]  el0t_64_sync+0x18c/0x190
[ 130.611138] Code: d65f03c0 d503201f b1001042 540000c3 (b8404403)
[ 130.617174] ---[ end trace 0000000000000000 ]---
```

dsx724 commented 2 years ago

I tested with a different dongle but same RTL8723DU chipset:

```
[ 63.953610] usb 1-1.3: new high-speed USB device number 4 using xhci-hcd
[ 64.055461] usb 1-1.3: New USB device found, idVendor=0bda, idProduct=d723, bcdDevice= 2.00
[ 64.055644] usb 1-1.3: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[ 64.055738] usb 1-1.3: Product: 802.11n WLAN Adapter
[ 64.055811] usb 1-1.3: Manufacturer: Realtek
[ 64.055882] usb 1-1.3: SerialNumber: 00e04c000001
[ 64.235421] Bluetooth: hci0: RTL: examining hci_ver=08 hci_rev=000d lmp_ver=08 lmp_subver=8723
[ 64.235675] usbcore: registered new interface driver btusb
[ 64.236234] Bluetooth: hci0: RTL: rom_version status=0 version=2
[ 64.236263] Bluetooth: hci0: RTL: loading rtl_bt/rtl8723d_fw.bin
[ 64.241421] 8723du: loading out-of-tree module taints kernel.
[ 64.246562] Bluetooth: hci0: RTL: loading rtl_bt/rtl8723d_config.bin
[ 64.246920] Bluetooth: hci0: RTL: cfg_sz 10, total sz 33266
[ 64.483472] usbcore: registered new interface driver rtl8723du
[ 64.510279] Bluetooth: hci0: RTL: fw version 0x828a96f1
[ 64.854837] Bluetooth: BNEP (Ethernet Emulation) ver 1.3
[ 64.854863] Bluetooth: BNEP filters: protocol multicast
[ 64.854881] Bluetooth: BNEP socket layer initialized
[ 64.882220] Bluetooth: RFCOMM TTY layer initialized
[ 64.882251] Bluetooth: RFCOMM socket layer initialized
[ 64.882279] Bluetooth: RFCOMM ver 1.11
[ 65.217626] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000
[ 65.220800] Mem abort info:
[ 65.223601]   ESR = 0x0000000096000004
[ 65.227737]   EC = 0x25: DABT (current EL), IL = 32 bits
[ 65.232580]   SET = 0, FnV = 0
[ 65.235679]   EA = 0, S1PTW = 0
[ 65.238706]   FSC = 0x04: level 0 translation fault
[ 65.243619] Data abort info:
[ 65.246344]   ISV = 0, ISS = 0x00000004
[ 65.250229]   CM = 0, WnR = 0
[ 65.253021] user pgtable: 4k pages, 48-bit VAs, pgdp=0000000003752000
[ 65.269410] [0000000000000000] pgd=0000000000000000, p4d=0000000000000000
[ 65.270585] Internal error: Oops: 96000004 [#1] PREEMPT SMP
[ 65.276103] Modules linked in: rfcomm bnep 8723du(O) btusb btrtl btbcm btintel btmtk 8021q garp mrp stp llc cfg80211 cbc des_generic libdes ecb algif_skcipher iptable_nat nf_nat nf_conntrack md4 algif_hash nf_defrag_ipv6 af_alg nf_defrag_ipv4 bluetooth ecdh_generic ecc rfkill iptable_mangle bpfilter iptable_filter meson_vdec(C) videobuf2_dma_contig v4l2_mem2mem videobuf2_memops videobuf2_v4l2 meson_ir meson_gxbb_wdt videobuf2_common snd_soc_hdmi_codec meson_rng ao_cec snd_soc_meson_aiu rng_core snd_soc_meson_gx_sound_card videodev snd_soc_meson_codec_glue snd_soc_meson_t9015 snd_soc_meson_card_utils snd_soc_simple_amplifier snd_pcm_oss snd_soc_core mc amlogic_gxl_crypto crypto_engine snd_mixer_oss snd_compress snd_pcm_dmaengine snd_pcm nvmem_meson_efuse snd_timer sch_fq_codel dm_multipath dm_mod scsi_dh_rdac scsi_dh_emc scsi_dh_alua pkcs8_key_parser ipmi_devintf ipmi_msghandler fuse ip_tables x_tables ipv6 crc_ccitt btrfs blake2b_generic raid10 raid456 async_raid6_recov async_memcpy
[ 65.276334]  async_pq async_xor async_tx xor xor_neon raid6_pq libcrc32c raid1 raid0 md_mod hid_lenovo dw_hdmi_i2s_audio meson_gxl dwmac_generic meson_drm lima crct10dif_ce drm_cma_helper gpu_sched meson_dw_hdmi dw_hdmi drm_display_helper cec rc_core drm_shmem_helper meson_canvas dwmac_meson8b stmmac_platform stmmac pcs_xpcs display_connector drm_kms_helper drm
[ 65.394266] CPU: 3 PID: 593 Comm: iwd Tainted: G         C O      5.19.5-02955-g068aa9070f39 #1
[ 65.402889] Hardware name: libre-computer aml-s905x-cc/aml-s905x-cc, BIOS 2022.07+ 07/01/2022
[ 65.411342] pstate: 20000005 (nzCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
[ 65.418241] pc : pi_memcmp+0xd8/0x110
[ 65.422036] lr : cfg80211_rtw_scan+0x2ac/0x7e4 [8723du]
[ 65.427213] sp : ffff800008a5b5c0
[ 65.430487] x29: ffff800008a5b5c0 x28: 000000000000000c x27: ffff71c004f55368
[ 65.437561] x26: ffff71c004f57048 x25: 000000000000000d x24: ffff71c0151f0600
[ 65.444633] x23: 0000000000000000 x22: 0000000000000000 x21: 0000000000000000
[ 65.451706] x20: ffff800009cf3000 x19: ffff71c0151f0600 x18: 0000000000000000
[ 65.458778] x17: 0000000000000000 x16: 0000000000000000 x15: 0000aaaaf3d67a10
[ 65.465851] x14: 0000000000000000 x13: ffffbef65c7021b0 x12: 0000000000000000
[ 65.472923] x11: ffff71c014d04000 x10: ffffbef65e466ec8 x9 : 0000000000000000
[ 65.479995] x8 : ffff71c0151f0662 x7 : ffffffffffffffff x6 : 0000000800000a7f
[ 65.487068] x5 : ffff71c004a733a0 x4 : 0000000000000000 x3 : ffff71c0035b3aa0
[ 65.494140] x2 : 0000000000000003 x1 : ffffbef65c895600 x0 : 0000000000000000
[ 65.501214] Call trace:
[ 65.503630]  pi_memcmp+0xd8/0x110
[ 65.507080]  cfg80211_scan+0x110/0x150 [cfg80211]
[ 65.511738]  nl80211_trigger_scan+0x3f8/0x66c [cfg80211]
[ 65.516999]  genl_family_rcv_msg_doit+0xc8/0x150
[ 65.521570]  genl_rcv_msg+0xe4/0x1e0
[ 65.525104]  netlink_rcv_skb+0x5c/0x130
[ 65.528900]  genl_rcv+0x38/0x50
[ 65.532005]  netlink_unicast+0x2a8/0x300
[ 65.535886]  netlink_sendmsg+0x1c0/0x410
[ 65.539767]  sock_sendmsg+0x54/0x60
[ 65.543217]  sys_sendto+0x118/0x14c
[ 65.546840]  arm64_sys_sendto+0x2c/0x40
[ 65.550807]  invoke_syscall+0x48/0x114
[ 65.554517]  el0_svc_common.constprop.0+0xd4/0xfc
[ 65.559173]  do_el0_svc+0x30/0xc0
[ 65.562451]  el0_svc+0x34/0xb0
[ 65.565471]  el0t_64_sync_handler+0xbc/0x140
[ 65.569696]  el0t_64_sync+0x18c/0x190
[ 65.573325] Code: d65f03c0 d503201f b1001042 540000c3 (b8404403)
[ 65.579360] ---[ end trace 0000000000000000 ]---
```

lwfinger commented 2 years ago

On my system, the code at cfg80211_rtw_scan+0x2ac is as follows:

```
finger@localhost:~/rtl8723du> gdb 8723du.ko
(gdb) l *cfg80211_rtw_scan+0x2ac
0x6eb3a is in cfg80211_rtw_scan (/home/finger/rtl8723du/os_dep/ioctl_cfg80211.c:2220).
2215	        }
2216	        rtw_p2p_set_state(pwdinfo, P2P_STATE_LISTEN);
2217
2218	        if (request->n_channels == 3 &&
2219	            request->channels[0]->hw_value == 1 &&
2220	            request->channels[1]->hw_value == 6 &&
2221	            request->channels[2]->hw_value == 11
2222	        )
2223	            social_channel = 1;
2224	    }
(gdb) quit
```

Does this match your code?
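As an added illustration (not code from the driver or from either commenter), the block below mirrors the condition in the gdb listing above with simplified, constructed stand-in structs and puts a pointer-validated variant beside it, so the fault mode is visible on a host without the hardware. The struct names, `social_channel_checked` and the sample requests are my own; whether a NULL `channels[]` entry is in fact what happened on the reporter's system is not established in this thread.

```c
#include <stddef.h>
#include <stdio.h>
/* Constructed stand-ins for the cfg80211 objects the gdb listing touches. */
struct channel {
    int hw_value;                /* channel number, 1..14 on 2.4 GHz */
};

struct scan_request {
    int n_channels;
    struct channel **channels;   /* array of channel pointers */
};

/* Mirrors the condition quoted at ioctl_cfg80211.c:2218-2223: each
 * channels[i] is dereferenced with no check, so a NULL entry reads
 * address 0, which is what the oops above reports. */
int social_channel_unchecked(const struct scan_request *request)
{
    return request->n_channels == 3 &&
           request->channels[0]->hw_value == 1 &&
           request->channels[1]->hw_value == 6 &&
           request->channels[2]->hw_value == 11;
}

/* Guarded variant: validate every pointer before reading hw_value.
 * Returns 1 for a social-channel scan, 0 otherwise, -1 if malformed. */
int social_channel_checked(const struct scan_request *request)
{
    if (!request || !request->channels || request->n_channels < 0)
        return -1;
    if (request->n_channels != 3)
        return 0;
    for (int i = 0; i < 3; i++)
        if (!request->channels[i])
            return -1;
    return request->channels[0]->hw_value == 1 &&
           request->channels[1]->hw_value == 6 &&
           request->channels[2]->hw_value == 11;
}

int main(void)
{
    struct channel c1 = {1}, c6 = {6}, c11 = {11};
    struct channel *good[3] = {&c1, &c6, &c11};
    struct channel *bad[3] = {&c1, NULL, &c11};   /* constructed: NULL entry */
    struct scan_request ok = {3, good}, broken = {3, bad};
    printf("good request: %d\n", social_channel_checked(&ok));        /* 1 */
    printf("broken request: %d\n", social_channel_checked(&broken));  /* -1 */
    return 0;
}
```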

dsx724 commented 2 years ago

If I disable iwd and use connman, this driver works without issue. As this is not a mac80211 driver, that probably explains it?

I took the code from master.

lwfinger commented 2 years ago

Yes, it uses cfg80211, but not mac80211. It does work with NetworkManager (what I use), thus it should be OK with connman, and probably with wicked. If iwd depends on mac80211, it should have errored long before it generated a NULL pointer dereference.

dsx724 commented 2 years ago

That's the curious part. I had iwd running from another dongle. I rebooted and plugged this in and iwd caused the NPE. I didn't think a non-mac80211 dongle would have anything to do with iwd.