Bluetooth driver crashes on IOS 18.2.1 (22C161)

I have been trying to investigate some of the kernel crashes I have noticed in my iOS crash logs. Some of these are in device driver software for the peripheral interfaces.

Given that the driver code executes with kernel privileges, these kinds of crashes leave the device vulnerable to remote code injection, with no user interaction required in some cases.

-------------------------------------
Translated Report (Full Report Below)
-------------------------------------

Incident Identifier: 76EC8391-9A48-44D9-8FFB-AF1CE5553209
CrashReporter Key:   9aa09fbaf03597169a066ac3afb13bb7f0f7e4d5
Hardware Model:      iPhone17,1
Process:             bluetoothd [96]
Path:                /usr/sbin/bluetoothd
Identifier:          bluetoothd
Version:             ???
Code Type:           ARM-64 (Native)
Role:                Unspecified
Parent Process:      launchd [1]
Coalition:           com.apple.bluetoothd [131]

Date/Time:           2025-01-17 08:09:58.6074 -0500
Launch Time:         2025-01-11 19:56:26.6427 -0500
OS Version:          iPhone OS 18.2.1 (22C161)
Release Type:        User
Baseband Version:    1.21.05
Report Version:      104

Exception Type:  EXC_BAD_ACCESS (SIGKILL)
Exception Subtype: KERN_INVALID_ADDRESS at 0x003d800000182159 -> 0x0000000000182159 (possible pointer authentication failure)
Exception Codes: 0x0000000000000001, 0x003d800000182159
VM Region Info: 0x182159 is not in any region.  Bytes before following region: 4366065319
      REGION TYPE                 START - END      [ VSIZE] PRT/MAX SHRMOD  REGION DETAIL
      UNUSED SPACE AT START
--->  
      __TEXT                   104550000-104ee4000 [ 9808K] r-x/r-x SM=COW  /usr/sbin/bluetoothd
Termination Reason: PAC_EXCEPTION 1 

Triggered by Thread:  9

Thread 0 name:   Dispatch queue: com.apple.main-thread
Thread 0:
0   libsystem_kernel.dylib        	       0x1eb406788 mach_msg2_trap + 8
1   libsystem_kernel.dylib        	       0x1eb409e98 mach_msg2_internal + 80
2   libsystem_kernel.dylib        	       0x1eb409db0 mach_msg_overwrite + 424
3   libsystem_kernel.dylib        	       0x1eb409bfc mach_msg + 24
4   CoreFoundation                	       0x199e1e7f4 __CFRunLoopServiceMachPort + 160
5   CoreFoundation                	       0x199e1dea0 __CFRunLoopRun + 1212
6   CoreFoundation                	       0x199e70274 CFRunLoopRunSpecific + 588
7   CoreFoundation                	       0x199e83814 CFRunLoopRun + 64
8   bluetoothd                    	       0x1045d12b0 0x104550000 + 529072
9   dyld                          	       0x1c0044de8 start + 2724

Thread 1 name:  StackLoop
Thread 1:
0   libsystem_kernel.dylib        	       0x1eb40c090 __psynch_cvwait + 8
1   libsystem_pthread.dylib       	       0x224a17fc4 _pthread_cond_wait + 1248
2   bluetoothd                    	       0x10455b43c 0x104550000 + 46140
3   libsystem_pthread.dylib       	       0x224a157d0 _pthread_start + 136
4   libsystem_pthread.dylib       	       0x224a15480 thread_start + 8

Thread 2 name:  hci_rx
Thread 2:
0   libsystem_kernel.dylib        	       0x1eb40d4cc kevent + 8
1   bluetoothd                    	       0x10457322c 0x104550000 + 143916
2   libsystem_pthread.dylib       	       0x224a157d0 _pthread_start + 136
3   libsystem_pthread.dylib       	       0x224a15480 thread_start + 8

Thread 3 name:  acl_rx
Thread 3:
0   libsystem_kernel.dylib        	       0x1eb40d4cc kevent + 8
1   bluetoothd                    	       0x10457322c 0x104550000 + 143916
2   libsystem_pthread.dylib       	       0x224a157d0 _pthread_start + 136
3   libsystem_pthread.dylib       	       0x224a15480 thread_start + 8

Thread 4 name:  sco_rx
Thread 4:
0   libsystem_kernel.dylib        	       0x1eb40d4cc kevent + 8
1   bluetoothd                    	       0x104573100 0x104550000 + 143616
2   libsystem_pthread.dylib       	       0x224a157d0 _pthread_start + 136
3   libsystem_pthread.dylib       	       0x224a15480 thread_start + 8

Thread 5 name:  TxLoop
Thread 5:
0   libsystem_kernel.dylib        	       0x1eb40c090 __psynch_cvwait + 8
1   libsystem_pthread.dylib       	       0x224a17f98 _pthread_cond_wait + 1204
2   bluetoothd                    	       0x1046535f8 0x104550000 + 1062392
3   bluetoothd                    	       0x104745874 0x104550000 + 2054260
4   libsystem_pthread.dylib       	       0x224a157d0 _pthread_start + 136
5   libsystem_pthread.dylib       	       0x224a15480 thread_start + 8

Thread 6 name:  AudioSkywalkPipeReadLoop
Thread 6:
0   libsystem_kernel.dylib        	       0x1eb40d4cc kevent + 8
1   bluetoothd                    	       0x104a59f3c 0x104550000 + 5283644
2   libsystem_pthread.dylib       	       0x224a157d0 _pthread_start + 136
3   libsystem_pthread.dylib       	       0x224a15480 thread_start + 8

Thread 7:
0   libsystem_pthread.dylib       	       0x224a1546c start_wqthread + 0

Thread 8 name:   Dispatch queue: com.apple.bluetooth.root
Thread 8:
0   bluetoothd                    	       0x10479d230 0x104550000 + 2413104
1   bluetoothd                    	       0x104a4a148 0x104550000 + 5218632
2   bluetoothd                    	       0x104a3974c 0x104550000 + 5150540
3   bluetoothd                    	       0x104a31cb0 0x104550000 + 5119152
4   bluetoothd                    	       0x104a31a14 0x104550000 + 5118484
5   bluetoothd                    	       0x104a09ab0 0x104550000 + 4954800
6   libdispatch.dylib             	       0x1a1b5a248 _dispatch_call_block_and_release + 32
7   libdispatch.dylib             	       0x1a1b5bfa8 _dispatch_client_callout + 20
8   libdispatch.dylib             	       0x1a1b635cc _dispatch_lane_serial_drain + 768
9   libdispatch.dylib             	       0x1a1b64158 _dispatch_lane_invoke + 432
10  libdispatch.dylib             	       0x1a1b6f38c _dispatch_root_queue_drain_deferred_wlh + 288
11  libdispatch.dylib             	       0x1a1b6ebd8 _dispatch_workloop_worker_thread + 540
12  libsystem_pthread.dylib       	       0x224a17680 _pthread_wqthread + 288
13  libsystem_pthread.dylib       	       0x224a15474 start_wqthread + 8

Thread 9 name:   Dispatch queue: com.apple.bluetooth.coreBluetooth
Thread 9 Crashed:
0   bluetoothd                    	       0x104581618 0x104550000 + 202264
1   bluetoothd                    	       0x1045815ac 0x104550000 + 202156
2   bluetoothd                    	       0x104a4d470 0x104550000 + 5231728
3   bluetoothd                    	       0x104bdb670 0x104550000 + 6862448
4   bluetoothd                    	       0x104bdc038 0x104550000 + 6864952
5   bluetoothd                    	       0x104bdfbc4 0x104550000 + 6880196
6   bluetoothd                    	       0x104bf21b4 0x104550000 + 6955444
7   libdispatch.dylib             	       0x1a1b5a248 _dispatch_call_block_and_release + 32
8   libdispatch.dylib             	       0x1a1b5bfa8 _dispatch_client_callout + 20
9   libdispatch.dylib             	       0x1a1b635cc _dispatch_lane_serial_drain + 768
10  libdispatch.dylib             	       0x1a1b64158 _dispatch_lane_invoke + 432
11  libdispatch.dylib             	       0x1a1b6f38c _dispatch_root_queue_drain_deferred_wlh + 288
12  libdispatch.dylib             	       0x1a1b6ebd8 _dispatch_workloop_worker_thread + 540
13  libsystem_pthread.dylib       	       0x224a17680 _pthread_wqthread + 288
14  libsystem_pthread.dylib       	       0x224a15474 start_wqthread + 8

Thread 10 name:   Dispatch queue: com.apple.locationd-76
Thread 10:
0   libsystem_kernel.dylib        	       0x1eb4064e4 kevent_id + 8
1   libdispatch.dylib             	       0x1a1b7eb40 _dispatch_kq_poll + 228
2   libdispatch.dylib             	       0x1a1b7f54c _dispatch_event_loop_wait_for_ownership + 436
3   libdispatch.dylib             	       0x1a1b6bacc __DISPATCH_WAIT_FOR_QUEUE__ + 340
4   libdispatch.dylib             	       0x1a1b6b694 _dispatch_sync_f_slow + 148
5   bluetoothd                    	       0x104569840 0x104550000 + 104512
6   bluetoothd                    	       0x104ae2570 0x104550000 + 5842288
7   bluetoothd                    	       0x1045663d8 0x104550000 + 91096
8   bluetoothd                    	       0x104566078 0x104550000 + 90232
9   libxpc.dylib                  	       0x224a70b10 _xpc_connection_call_event_handler + 144
10  libxpc.dylib                  	       0x224a7268c _xpc_connection_mach_event + 1140
11  libdispatch.dylib             	       0x1a1b5c068 _dispatch_client_callout4 + 20
12  libdispatch.dylib             	       0x1a1b78424 _dispatch_mach_msg_invoke + 464
13  libdispatch.dylib             	       0x1a1b6342c _dispatch_lane_serial_drain + 352
14  libdispatch.dylib             	       0x1a1b79178 _dispatch_mach_invoke + 456
15  libdispatch.dylib             	       0x1a1b6342c _dispatch_lane_serial_drain + 352
16  libdispatch.dylib             	       0x1a1b64158 _dispatch_lane_invoke + 432
17  libdispatch.dylib             	       0x1a1b655c0 _dispatch_workloop_invoke + 1744
18  libdispatch.dylib             	       0x1a1b6f38c _dispatch_root_queue_drain_deferred_wlh + 288
19  libdispatch.dylib             	       0x1a1b6ebd8 _dispatch_workloop_worker_thread + 540
20  libsystem_pthread.dylib       	       0x224a17680 _pthread_wqthread + 288
21  libsystem_pthread.dylib       	       0x224a15474 start_wqthread + 8

Thread 11:
0   libsystem_pthread.dylib       	       0x224a1546c start_wqthread + 0

Thread 12 name:  AudioSession - RootQueue
Thread 12:
0   libsystem_kernel.dylib        	       0x1eb40671c semaphore_timedwait_trap + 8
1   libdispatch.dylib             	       0x1a1b5c5c0 _dispatch_sema4_timedwait + 64
2   libdispatch.dylib             	       0x1a1b5cbc0 _dispatch_semaphore_wait_slow + 76
3   libdispatch.dylib             	       0x1a1b6dc94 _dispatch_worker_thread + 324
4   libsystem_pthread.dylib       	       0x224a157d0 _pthread_start + 136
5   libsystem_pthread.dylib       	       0x224a15480 thread_start + 8

Thread 13 name:   Dispatch queue: com.apple.bluetooth.ClassicScan
Thread 13:
0   libsystem_kernel.dylib        	       0x1eb40c2b0 __semwait_signal + 8
1   libsystem_c.dylib             	       0x1a1bb65cc nanosleep + 220
2   libsystem_c.dylib             	       0x1a1bb64e4 usleep + 68
3   bluetoothd                    	       0x104a3fc44 0x104550000 + 5176388
4   bluetoothd                    	       0x104a003f4 0x104550000 + 4916212
5   libdispatch.dylib             	       0x1a1b5bfa8 _dispatch_client_callout + 20
6   libdispatch.dylib             	       0x1a1b635cc _dispatch_lane_serial_drain + 768
7   libdispatch.dylib             	       0x1a1b64158 _dispatch_lane_invoke + 432
8   libdispatch.dylib             	       0x1a1b6f38c _dispatch_root_queue_drain_deferred_wlh + 288
9   libdispatch.dylib             	       0x1a1b6ebd8 _dispatch_workloop_worker_thread + 540
10  libsystem_pthread.dylib       	       0x224a17680 _pthread_wqthread + 288
11  libsystem_pthread.dylib       	       0x224a15474 start_wqthread + 8

Thread 14 name:   Dispatch queue: CBDaemon
Thread 14:
0   libsystem_kernel.dylib        	       0x1eb40cb78 __psynch_mutexwait + 8
1   libsystem_pthread.dylib       	       0x224a188a0 _pthread_mutex_firstfit_lock_wait + 84
2   libsystem_pthread.dylib       	       0x224a18250 _pthread_mutex_firstfit_lock_slow + 220
3   bluetoothd                    	       0x10458af74 0x104550000 + 241524
4   bluetoothd                    	       0x10458af48 0x104550000 + 241480
5   bluetoothd                    	       0x10458aef0 0x104550000 + 241392
6   bluetoothd                    	       0x10459038c 0x104550000 + 263052
7   bluetoothd                    	       0x1045af878 0x104550000 + 391288
8   bluetoothd                    	       0x1045af29c 0x104550000 + 389788
9   libdispatch.dylib             	       0x1a1b5a248 _dispatch_call_block_and_release + 32
10  libdispatch.dylib             	       0x1a1b5bfa8 _dispatch_client_callout + 20
11  libdispatch.dylib             	       0x1a1b635cc _dispatch_lane_serial_drain + 768
12  libdispatch.dylib             	       0x1a1b64158 _dispatch_lane_invoke + 432
13  libdispatch.dylib             	       0x1a1b6f38c _dispatch_root_queue_drain_deferred_wlh + 288
14  libdispatch.dylib             	       0x1a1b6ebd8 _dispatch_workloop_worker_thread + 540
15  libsystem_pthread.dylib       	       0x224a17680 _pthread_wqthread + 288
16  libsystem_pthread.dylib       	       0x224a15474 start_wqthread + 8


Thread 9 crashed with ARM Thread State (64-bit):
    x0: 0x00000001053b0cd8   x1: 0x003d800000182142   x2: 0x000000016b935c90   x3: 0x0000000000000000
    x4: 0x0000000a10c7aaa4   x5: 0x0000000a1019c4f4   x6: 0x0000000000000044   x7: 0x00618000006bb171
    x8: 0x0000000000000080   x9: 0x00000000ffffff80  x10: 0x0000000a1019c4e0  x11: 0x0000000000000024
   x12: 0x0000000000000000  x13: 0x0000000000000000  x14: 0x0000000000000000  x15: 0x0000000000000000
   x16: 0x665f800224969650  x17: 0x0000000104ee55c8  x18: 0x0000000000000000  x19: 0x000000016b935c90
   x20: 0x0000000a10c5dd60  x21: 0x00000001053b0cd8  x22: 0x00000001053b0cd0  x23: 0x003d800000182122
   x24: 0x00000001053b0cd0  x25: 0x000000016b935c28  x26: 0x0000000000000400  x27: 0x0000000a10cb3058
   x28: 0x0000000a10fb9540   fp: 0x000000016b935b80   lr: 0x627a8001045815ac
    sp: 0x000000016b935b70   pc: 0x0000000104581618 cpsr: 0x20000000
   far: 0x003d800000182159  esr: 0x92000004 (Data Abort) byte read Translation fault

Binary Images:
       0x104550000 -        0x104ee3fff bluetoothd arm64e  <55d75cb2d5c832f581ff9392d1e7ef28> /usr/sbin/bluetoothd
       0x1051d8000 -        0x1051dbfff FastpathLib arm64e  <50caf55faa7637dbaec22557871a3167> /System/Library/Extensions/AppleSPU.kext/PlugIns/FastpathLib.plugin/FastpathLib
       0x10520c000 -        0x105217fff libobjc-trampolines.dylib arm64e   /private/preboot/Cryptexes/OS/usr/lib/libobjc-trampolines.dylib
       0x1eb405000 -        0x1eb43efe3 libsystem_kernel.dylib arm64e   /usr/lib/system/libsystem_kernel.dylib
       0x199da8000 -        0x19a2ebfff CoreFoundation arm64e  <6a60be13e6573beca9acba239ae29862> /System/Library/Frameworks/CoreFoundation.framework/CoreFoundation
       0x1c0015000 -        0x1c009813f dyld arm64e  <4eb7459fe23738ce82403f3e2e1ce5ab> /usr/lib/dyld
               0x0 - 0xffffffffffffffff ??? unknown-arch  <00000000000000000000000000000000> ???
       0x1a1b9e000 -        0x1a1c1dffb libsystem_c.dylib arm64e  <8d425c7257c93e54a1e1e243cbdfc446> /usr/lib/system/libsystem_c.dylib
       0x224a14000 -        0x224a20ff3 libsystem_pthread.dylib arm64e   /usr/lib/system/libsystem_pthread.dylib
       0x1a1b58000 -        0x1a1b9dfff libdispatch.dylib arm64e  <8ce3afb96d8434468fd4e5f798d98403> /usr/lib/system/libdispatch.dylib
       0x224a5f000 -        0x224aa6fff libxpc.dylib arm64e   /usr/lib/system/libxpc.dylib

EOF

-----------
Full Report
-----------

If Apple can provide the symbol table for the iOS 18.2.1 Bluetooth driver and source code, I can gladly help investigate this further.
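A small triage helper, added here as an example (it is not code from this thread or from Apple), that reads the register dump and Binary Images lines quoted from the report above, strips the PAC signature bits from far and lr (assuming a 39-bit user-space virtual address width, which is an assumption of this example), and computes the unslid bluetoothd offsets that symbolication needs. It shows that the faulting address 0x182159 lies in no mapped image, while the stripped lr lands inside bluetoothd at exactly the offset the backtrace reports for frame 1.

```python
import re

# Excerpt quoted from the crash report in this thread (values are the page's own).
REPORT = """\
Exception Subtype: KERN_INVALID_ADDRESS at 0x003d800000182159 -> 0x0000000000182159
Thread 9 Crashed:
0   bluetoothd    0x104581618 0x104550000 + 202264
1   bluetoothd    0x1045815ac 0x104550000 + 202156
   x28: 0x0000000a10fb9540   fp: 0x000000016b935b80   lr: 0x627a8001045815ac
    sp: 0x000000016b935b70   pc: 0x0000000104581618 cpsr: 0x20000000
   far: 0x003d800000182159  esr: 0x92000004 (Data Abort) byte read Translation fault
Binary Images:
       0x104550000 -        0x104ee3fff bluetoothd arm64e  <55d75cb2d5c832f581ff9392d1e7ef28> /usr/sbin/bluetoothd
"""

VA_BITS = 39  # assumption: user-space VA width on this device; PAC bits sit above it


def strip_pac(ptr: int) -> int:
    """Keep only the virtual-address bits; everything above is the PAC signature."""
    return ptr & ((1 << VA_BITS) - 1)


def parse_regs(report: str) -> dict:
    """Collect 'name: 0x...' pairs from the ARM thread state dump."""
    return {k: int(v, 16) for k, v in re.findall(r"\b(\w+): (0x[0-9a-f]+)", report)}


def parse_images(report: str) -> dict:
    """Map each Binary Images entry to its (start, end) load range."""
    pat = r"^\s*(0x[0-9a-f]+) -\s+(0x[0-9a-f]+) (\S+) "
    return {m[2]: (int(m[0], 16), int(m[1], 16)) for m in re.findall(pat, report, re.M)}


def image_for(addr: int, images: dict):
    """Name of the image containing addr, or None if it is unmapped."""
    return next((n for n, (lo, hi) in images.items() if lo <= addr <= hi), None)


def triage(report: str) -> dict:
    regs, images = parse_regs(report), parse_images(report)
    far, lr = strip_pac(regs["far"]), strip_pac(regs["lr"])
    base = images["bluetoothd"][0]  # ASLR slide base: subtract to get symbol-file offsets
    return {
        "fault_addr": far,
        "fault_image": image_for(far, images),  # None here: the read hit unmapped memory
        "lr_plain": lr,
        "lr_image": image_for(lr, images),      # the stripped return address is valid code
        "lr_offset": lr - base,                 # matches the "+ 202156" in frame 1
        "pc_offset": regs["pc"] - base,         # matches the "+ 202264" in frame 0
    }
```

The unmapped fault address together with a correctly signed lr points at a bad data pointer dereference in bluetoothd (a user-space daemon per the Path line), not at a corrupted return address.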

Our engineering teams need to investigate this issue, as this might indicate an issue with iOS 18.2.1.

We'd greatly appreciate it if you could open a bug report, including crash logs and sample code or models that reproduce the issue.

Bug Reporting: How and Why? has tips on creating a successful bug report.

If you are able to reproduce the issue at will, it would be very helpful if you could please go to https://developer.apple.com/bug-reporting/profiles-and-logs/ and follow the instructions for Bluetooth for iOS to install a logging profile on your device. Then reproduce the issue, follow the instructions at the above link to create a sysdiagnose, and attach that to the Feedback report as well.
