2.6.26rc9+git bluetooth/rfcomm oops

2.6.26rc9+git bluetooth/rfcomm oops

[Soeren Sonnenburg]

Hi,

this oops happened after a couple of s2ram cycles so it might be very
well crap. However I somehow triggered it by /etc/init.d/bluetooth
stop/start's which also call hid2hci maybe even a connection was about
to be established at that time. As I remember having seen a problem like
this before I thought I report it (even though I have a madwifi tainted
kernel).

[drm] Num pipes: 1
kobject_add_internal failed for rfcomm0 with -EEXIST, don't try to register things with the same name in the same directory.
Pid: 22041, comm: rfcomm Tainted: P          2.6.26-rc9-sonne #39
 [<c026be97>] kobject_add_internal+0xf7/0x1a0
 [<c0273123>] ? kvasprintf+0x43/0x60
 [<c026bfcb>] kobject_add_varg+0x3b/0x70
 [<c026c05c>] kobject_add+0x2c/0x60
 [<c02efb0f>] device_add+0x8f/0x490
 [<c0270990>] ? vsnprintf+0x3a0/0x740
 [<c02eff22>] device_register+0x12/0x20
 [<c02effdb>] device_create_vargs+0xab/0xc0
 [<c02f0019>] device_create+0x29/0x30
 [<c02d954d>] tty_register_device+0xcd/0x100
 [<f8ba84d3>] rfcomm_dev_ioctl+0x5f3/0x840 [rfcomm]
 [<f8ba673c>] rfcomm_sock_ioctl+0x2c/0x50 [rfcomm]
 [<c0375db0>] sock_ioctl+0x60/0x230
 [<c0375d50>] ? sock_ioctl+0x0/0x230
 [<c0192468>] vfs_ioctl+0x28/0x90
 [<c019252e>] do_vfs_ioctl+0x5e/0x2c0
 [<c01927c9>] sys_ioctl+0x39/0x70
 [<c01032d1>] sysenter_past_esp+0x6a/0x91
 =======================

Soeren

Re: 2.6.26rc9+git bluetooth/rfcomm oops

[Vegard Nossum]

[-- Attachment #1: Type: text/plain, Size: 2196 bytes --]

On Sun, Jul 13, 2008 at 12:32 PM, Soeren Sonnenburg <kernel@nn7.de> wrote:
> Hi,
>
> this oops happened after a couple of s2ram cycles so it might be very
> well crap. However I somehow triggered it by /etc/init.d/bluetooth
> stop/start's which also call hid2hci maybe even a connection was about
> to be established at that time. As I remember having seen a problem like
> this before I thought I report it (even though I have a madwifi tainted
> kernel).
>
> [drm] Num pipes: 1
> kobject_add_internal failed for rfcomm0 with -EEXIST, don't try to register things with the same name in the same directory.

Hi,

Thanks for the report.

I was able to reproduce your Oops:

kobject_add_internal failed for rfcomm0 with -EEXIST, don't try to
register things with the same name in the same directory.
Pid: 2534, comm: a.out Not tainted 2.6.26-rc9-00132-g9df2fe9 #24
 [<c0210161>] kobject_add_internal+0x108/0x13e
 [<c0210478>] kobject_add+0x4a/0x4e
 [<c026e258>] device_add+0x62/0x446
 [<c020feb9>] kobject_init+0x32/0x53
 [<c026e6c4>] device_create_vargs+0x78/0x99
 [<c026e707>] device_create+0x22/0x26
 [<c02521be>] tty_register_device+0x97/0xa2
 [<c0110000>] __cpu_disable+0x10b/0x130
 [<c03721c8>] sk_prot_alloc+0x1c/0x61
 [<c03ea86e>] rfcomm_dev_ioctl+0x213/0x582
 [<c03e9342>] rfcomm_sock_ioctl+0x1e/0x2d
 [<c03715c5>] sock_ioctl+0x152/0x175
 [<c0371473>] sock_ioctl+0x0/0x175
 [<c0166538>] vfs_ioctl+0x1c/0x5d
 [<c01667b6>] do_vfs_ioctl+0x23d/0x254
 [<c037119d>] sys_socketcall+0x51/0x181
 [<c01667f9>] sys_ioctl+0x2c/0x43
 [<c0103569>] sysenter_past_esp+0x6a/0x91
 =======================

This is because the device may be unregistered even though a reference
to it is held. When we try to register it again, the kobject layer
burps because the tty parts have not been unregistered yet. (This only
happens when the device is finally destroyed, i.e. no references.)

I don't know how to fix this, but I've attached a reproducer and added
a couple of Ccs.


Vegard

-- 
"The animistic metaphor of the bug that maliciously sneaked in while
the programmer was not looking is intellectually dishonest as it
disguises that the error is the programmer's own creation."
	-- E. W. Dijkstra, EWD1036

[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #2: rfcomm.c --]
[-- Type: text/x-csrc; name=rfcomm.c, Size: 2182 bytes --]

#include <sys/ioctl.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <sys/wait.h>

#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define RFCOMMCREATEDEV		_IOW('R', 200, int)
#define RFCOMMRELEASEDEV	_IOW('R', 201, int)
#define BTPROTO_RFCOMM  3

typedef uint8_t u8;
typedef uint32_t u32;
typedef int16_t s16;
typedef uint8_t __u8;

/* BD Address */
typedef struct {
	__u8 b[6];
} __attribute__((packed)) bdaddr_t;

struct rfcomm_dev_req {
	s16      dev_id;
	u32      flags;
	bdaddr_t src;
	bdaddr_t dst;
	u8       channel;
};

void rfcomm(int request, int dev_id)
{
	int fd = socket(PF_BLUETOOTH, SOCK_STREAM, BTPROTO_RFCOMM);
	if (fd == -1) {
		fprintf(stderr, "socket: error: %s\n", strerror(errno));
		exit(EXIT_FAILURE);
	}

	struct rfcomm_dev_req req;
	memset(&req, 0, sizeof(req));
	req.dev_id = dev_id;
	req.channel = 1;

	if (ioctl(fd, request, &req) == -1) {
		fprintf(stderr, "ioctl: error: %s\n", strerror(errno));
		exit(EXIT_FAILURE);
	}

	while (close(fd) == -1 && errno == EINTR);
}

int
main(int argc, char *argv[])
{
	pid_t child;

	child = fork();
	if (child == -1) {
		fprintf(stderr, "fork: error: %s\n", strerror(errno));
		exit(EXIT_FAILURE);
	}

	if (child == 0) {
		printf("Creating\n");
		rfcomm(RFCOMMCREATEDEV, 0);

		printf("Opening /dev/rfcomm0...\n");

		int fd = open("/dev/rfcomm0", O_RDWR | O_NOCTTY);
		if (fd == -1) {
			fprintf(stderr, "open: error: %s\n", strerror(errno));
			rfcomm(RFCOMMRELEASEDEV, 0);
			exit(EXIT_FAILURE);
		}

		exit(EXIT_SUCCESS);
	}

	sleep(1);

	/* This will delete the device, but since we still hold a reference
	 * to it in "fd", the tty won't be unregistered yet... */
	printf("Releasing\n");
	rfcomm(RFCOMMRELEASEDEV, 0);

	/* And now we try to register the same tty device... */
	printf("Recreating\n");
	rfcomm(RFCOMMCREATEDEV, 0);

	/* Cleanup */
	printf("Releasing\n");
	rfcomm(RFCOMMRELEASEDEV, 0);

	while (1) {
		int status;

		if (wait(&status) == -1) {
			if (errno == ECHILD)
				break;

			fprintf(stderr, "wait: error: %s\n", strerror(errno));
			exit(EXIT_FAILURE);
		}
	}

	return EXIT_SUCCESS;
}