Hi all, we’re seeing a reproducible BLE scan crash on VOXL2 / Starling 2 with SDK v1.8.06 when BLE 5 extended advertising is present.
QRB5165 code path: https://gitlab.com/voxl-public/system-image-build/qrb5165-kernel/-/blob/v1.8.06/net/bluetooth/hci_event.c#L5385
From device captures (see dmesg segments describe below, I don't forum privileges to post the logs), we’re seeing LE Extended Advertising Report (0x0d) events with Num reports up to 6, followed by a kernel NULL deref in the Bluetooth RX path (hci0 hci_rx_work -> process_adv_report -> hci_bdaddr_list_lookup).
This looks consistent with the extended-adv bounds-check issue in hci_le_ext_adv_report_evt() that upstream now guards here:
https://github.com/torvalds/linux/blob/master/net/bluetooth/hci_event.c
Key lines from dmesg:
- Unable to handle kernel NULL pointer dereference at virtual address 0000000000000010
- Workqueue: hci0 hci_rx_work
- pc : hci_bdaddr_list_lookup+0x24/0x60
- lr : process_adv_report+0x154/0x408
- call trace includes hci_le_meta_evt and hci_event_packet
- Bluetooth: Unknown advertising packet type: 0x100
- Bluetooth: Unknown advertising packet type: 0x4cff
Have you seen this on QRB5165 / VOXL2 before, and is there already a downstream fix or recommended workaround / SDK version for BLE 5 extended advertising? I pulled in the guards from the latest kernel, testing today.
Related post:
https://forum.modalai.com/topic/5181/bluetooth-integration-on-the-voxl2