
2.6.12 crash when using bluetooth



Hi,

There is a bug in kernel 2.6.12 that is triggered when doing fast consecutive calls to connect() over bluetooth sockets from a re-spawned program (which may lead to some scheduling issues). I wrote this to the kernel list, but it possibly got ignored (because it referred to a distribution kernel, I didn't put it right, or because 2.6.13 was already the new "stable" one).

2.6.13 doesn't have this bug, but has enough new (and subtle) ones to not want to use it (which aren't fixed in 2.6.14-rc3 yet).


I'm using the 686 kernel from Debian unstable.

The bluetooth phone that I do the channel scanning on is a Motorola MPx220. What's "special" about it is that it has channels 1, 2, 3 and 7 always connectable, but 1, 2, 3 aren't always the same ones (it runs Windows, what could you expect of it?), and the phone doesn't support "browse" either, that's why I need the scanning.


Any ideas?


Here's the Oops message (although all I currently get are kernel
panics, which I can't intercept, but they go around the same lines), bash script and C code.


------- cut (Oops) -------

Unable to handle kernel NULL pointer dereference at virtual address 00000008
printing eip:
c0244a15
*pde = 00000000
Oops: 0000 [#1]
PREEMPT
Modules linked in: rfcomm l2cap videodev hci_usb bluetooth ipt_state iptable_filter \ ip_nat_irc ip_nat_ftp iptable_nat ip_tables ip_conntrack_irc ip_conntrack_ftp \ ip_conntrack snd_via82xx gameport snd_ac97_codec snd_pcm_oss snd_mixer_oss snd_pcm \ snd_timer snd_page_alloc snd_mpu401_uart snd_rawmidi snd_seq_device snd soundcore \ ipaq usbserial nfsd exportfs lockd sunrpc af_packet capability commoncap ipv6 floppy \ pcspkr i2c_viapro i2c_core pci_hotplug via_agp agpgart ehci_hcd uhci_hcd usbcore \ sata_via libata scsi_mod via_rhine e100 mii tsdev mousedev evdev psmouse ide_cd cdrom \ genrtc ext3 jbd mbcache ide_disk ide_generic via82cxxx trm290 triflex slc90e66 \ sis5513 siimage serverworks sc1200 rz1000 piix pdc202xx_old opti621 ns87415 hpt366 \ hpt34x generic cy82c693 cs5530 cs5520 cmd64x atiixp amd74xx alim15x3 aec62xx \
               pdc202xx_new ide_core unix
CPU:    0
EIP:    0060:[sock_sendmsg+197/256]    Not tainted VLI
EFLAGS: 00010246   (2.6.12-pluto-2-default-1-686)
EIP is at sock_sendmsg+0xc5/0x100
eax: 00000000   ebx: 00000000   ecx: d5ef1020   edx: d4338000
esi: 00000004   edi: d4339ea4   ebp: d4339ddc   esp: d4339d7c
ds: 007b   es: 007b   ss: 0068
Process obex_test (pid: 16708, threadinfo=d4338000 task=d5ef1020)
Stack: d4339dc0 c02b4329 d83b7020 c03a7f50 0000005e d4339dac d83b7020 00000004 00000000 000000e8 00000000 d4339ea4 d5ef1020 d5ef1148 ffffffff d5ef1020 00000001 d4339dd0 c02b461f d83b7020 d4339de4 d4339df4 c011666a d83b7020
Call Trace:
[schedule+921/1600] schedule+0x399/0x640
[preempt_schedule+79/112] preempt_schedule+0x4f/0x70
[try_to_wake_up+186/224] try_to_wake_up+0xba/0xe0
[buffered_rmqueue+224/544] buffered_rmqueue+0xe0/0x220
[autoremove_wake_function+0/96] autoremove_wake_function+0x0/0x60
[recalc_task_prio+136/336] recalc_task_prio+0x88/0x150
[kernel_sendmsg+70/96] kernel_sendmsg+0x46/0x60
[pg0+546565158/1069741056] rfcomm_send_frame+0x56/0x70 [rfcomm]
[pg0+546565550/1069741056] rfcomm_send_disc+0x6e/0x80 [rfcomm]
[pg0+546563509/1069741056] __rfcomm_dlc_close+0xc5/0x100 [rfcomm]
[pg0+546563603/1069741056] rfcomm_dlc_close+0x23/0x40 [rfcomm]
[pg0+546575278/1069741056] __rfcomm_sock_close+0x3e/0x60 [rfcomm]
[pg0+546578672/1069741056] rfcomm_sock_shutdown+0x50/0x80 [rfcomm]
[local_bh_enable+51/144] local_bh_enable+0x33/0x90
[pg0+546578761/1069741056] rfcomm_sock_release+0x29/0x80 [rfcomm]
[sock_release+153/240] sock_release+0x99/0xf0
[sock_close+52/80] sock_close+0x34/0x50
[__fput+314/336] __fput+0x13a/0x150
[filp_close+89/144] filp_close+0x59/0x90
[sys_close+107/160] sys_close+0x6b/0xa0
[syscall_call+7/11] syscall_call+0x7/0xb
Code: 00 8d 84 24 c0 00 00 00 89 84 24 c0 00 00 00 89 84 24 c4 00 00 00 8d 44 24 10 \ 89 84 24 d4 00 00 00 31 c0 89 44 24 28 89 74 24 1c <8b> 43 08 89 74 24 0c 89 7c 24 08 \
89 5c 24 04 89 2c 24 ff 50 38

------- cut (Oops) -------


bash script:

------- cut (Phone_Scan_Channels.sh) -------
#!/bin/bash

MAC="$1" # obtained from 'hcitool scan' or 'hcitool inq'

# Probe RFCOMM channels 1..10 on the phone; print the ones that accept a connection.
for ((i=1;i<=10;i++)); do
   if ./TestChannel "$MAC" "$i" &>/dev/null; then
           echo "$i"
   fi
done
------- cut (Phone_Scan_Channels.sh) -------


C program (TestChannel called in above script):

------- cut (TestChannel.c) -------
// Compiles with: gcc -o TestChannel TestChannel.c -lbluetooth
#include <errno.h>
#include <string.h>   /* strerror, memset */

#include <netinet/in.h>
#include <arpa/inet.h>
#include <sys/socket.h>

#include <bluetooth/bluetooth.h>
#include <bluetooth/rfcomm.h>
#include <bluetooth/hci.h>
#include <bluetooth/hci_lib.h>

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/ioctl.h>

int main(int argc, char* argv[])
{
   bdaddr_t m_bdaddrDongle;

   if(argc != 3)
   {
       printf("%s <mac_address> <channel>\n\n", argv[0]);
       return 1;
   }

   /* Open the first local HCI device and read its name and address. */
   int dev_id = 0;
   struct hci_dev_info m_DevInfo;
   int dd = hci_open_dev(dev_id);
   if (dd < 0)
   {
       printf("Error opening bluetooth device\n");
       return 1;
   }

   m_DevInfo.dev_id = dev_id;
   if (ioctl(dd, HCIGETDEVINFO, (void*) &m_DevInfo))
   {
       printf("Error reading bluetooth device info\n");
       hci_close_dev(dd);
       return 1;
   }
   char addr[18];
   ba2str(&m_DevInfo.bdaddr, addr);
   printf("Attached to BT adapter: %s\t%s\n", m_DevInfo.name, addr);
   hci_close_dev(dd);

   bacpy(&m_bdaddrDongle, &m_DevInfo.bdaddr);

   struct sockaddr_rc laddr, raddr;
   memset(&laddr, 0, sizeof(laddr));
   memset(&raddr, 0, sizeof(raddr));

   /* Local adapter address (prepared but never bound; the kernel picks the adapter). */
   laddr.rc_family = AF_BLUETOOTH;
   bacpy(&laddr.rc_bdaddr, &m_bdaddrDongle);
   laddr.rc_channel = 0;

   printf("Mac address: %s\n", argv[1]);

   /* Remote phone address and the RFCOMM channel to probe. */
   raddr.rc_family = AF_BLUETOOTH;
   str2ba(argv[1], &raddr.rc_bdaddr);
   raddr.rc_channel = atoi(argv[2]);

   printf("Channel:  %d\n", raddr.rc_channel);

   int m_CommHandle;

   if ((m_CommHandle = socket(AF_BLUETOOTH, SOCK_STREAM, BTPROTO_RFCOMM)) < 0)
   {
       printf("Can't create RFCOMM socket\n");
       return 1;
   }

   /* Retry while the adapter is busy (EBUSY); any other error ends the probe. */
   int r, e = 0;
   errno = 0;
   while ((r = connect(m_CommHandle, (struct sockaddr *)&raddr, sizeof(raddr))) == -1)
   {
       e = errno;
       if (e != EBUSY)
           break;
       errno = e = 0;
       usleep(500000);
   }
   printf("r=%d; errno=%d; result=%s\n", r, e, strerror(e));

   /* Release the socket explicitly rather than leaving it to process exit. */
   close(m_CommHandle);

   return r != 0;
}
------- cut (TestChannel.c) -------
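Triage of the Oops above, as an added example that is not part of the original post: it parses the register dump, the Call Trace and the `Code:` bytes, decodes the marked instruction (`8b 43 08` is `mov 0x8(%ebx),%eax`) and checks that base register plus displacement reproduces the reported fault address, which is how you confirm a NULL pointer dereferenced at a struct offset rather than a wild pointer. The `OOPS` text is a constructed excerpt of the one quoted in the post; the helper names are mine.

```python
import re
# Constructed excerpt of the Oops quoted in the post above (2.6.12, i386, rfcomm).
OOPS = """\
Unable to handle kernel NULL pointer dereference at virtual address 00000008
EIP is at sock_sendmsg+0xc5/0x100
eax: 00000000   ebx: 00000000   ecx: d5ef1020   edx: d4338000
esi: 00000004   edi: d4339ea4   ebp: d4339ddc   esp: d4339d7c
Call Trace:
[kernel_sendmsg+70/96] kernel_sendmsg+0x46/0x60
[pg0+546565158/1069741056] rfcomm_send_frame+0x56/0x70 [rfcomm]
[sock_close+52/80] sock_close+0x34/0x50
[sys_close+107/160] sys_close+0x6b/0xa0
Code: 31 c0 89 44 24 28 89 74 24 1c <8b> 43 08 89 74 24 0c 89 7c 24 08
"""
REG_RE = re.compile(r'\b(e[abcd]x|e[sd]i|e[bs]p): ([0-9a-f]{8})')
FRAME_RE = re.compile(r'^\[[^\]]*\] (\w+)\+0x([0-9a-f]+)/0x([0-9a-f]+)(?: \[(\w+)\])?', re.M)
REGS32 = ['eax', 'ecx', 'edx', 'ebx', 'esp', 'ebp', 'esi', 'edi']  # x86 ModRM numbering

def fault_address(oops):
    return int(re.search(r'at virtual address ([0-9a-f]{8})', oops).group(1), 16)

def registers(oops):
    return {name: int(val, 16) for name, val in REG_RE.findall(oops)}

def faulting_bytes(oops, n=3):
    """Opcode bytes from the '<xx>' marker on: the instruction that faulted."""
    toks = re.search(r'^Code:(.*)$', oops, re.M).group(1).split()
    idx = next(i for i, t in enumerate(toks) if t.startswith('<'))
    return bytes(int(t.strip('<>'), 16) for t in toks[idx:idx + n])

def call_trace(oops):
    """Frames as (function, offset, size, module); core-kernel frames get 'vmlinux'."""
    return [(f, int(o, 16), int(s, 16), m or 'vmlinux') for f, o, s, m in FRAME_RE.findall(oops)]

def decode_mov_load(code):
    """Decode 'mov disp8(base),reg' (opcode 8b, mod=01, no SIB) into (reg, base, disp)."""
    if len(code) < 3 or code[0] != 0x8b or code[1] >> 6 != 1 or code[1] & 7 == 4:
        return None
    disp = code[2] - 0x100 if code[2] & 0x80 else code[2]
    return REGS32[(code[1] >> 3) & 7], REGS32[code[1] & 7], disp

def explain_fault(oops):
    """(base register, displacement, does base+disp equal the reported fault address?)"""
    decoded = decode_mov_load(faulting_bytes(oops))
    if decoded is None:
        return None
    _, base, disp = decoded
    return base, disp, (registers(oops)[base] + disp) & 0xffffffff == fault_address(oops)
```

For this Oops `explain_fault` reports `('ebx', 8, True)`: ebx is 0, so the load in sock_sendmsg read field offset 8 of a NULL structure pointer, consistent with the "NULL pointer dereference at virtual address 00000008" header.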


