Re: kernel panic happens when disconnecting Bluetooth headset

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Marcel Holtmann <marcel@holtmann.org>
To: Andrei Emeltchenko <andrei.emeltchenko.news@gmail.com>
Cc: Nick Pelly <npelly@google.com>, Lan Zhu <zhu.lan.cn@gmail.com>,
	linux-bluetooth@vger.kernel.org
Subject: Re: kernel panic happens when disconnecting Bluetooth headset
Date: Fri, 18 Dec 2009 13:59:15 -0800	[thread overview]
Message-ID: <1261173555.4041.91.camel@localhost.localdomain> (raw)
In-Reply-To: <508e92ca0912180620l3550bdb7w1211094681cbc87b@mail.gmail.com>

Hi Andrei,

> Processing a RFCOMM UA frame when the socket is closed and we were not
> the
> RFCOMM initiator would cause rfcomm_session_put() to be called twice
> during
> rfcomm_process_rx(). This would cause a kernel panic in
> rfcomm_session_close.
> 
> This could be easily reproduced during disconnect with devices such as
> Motorola H270 that send RFCOMM UA followed quickly by L2CAP disconnect
> request.
> This hcidump for this looks like:
> 
> 2009-09-21 17:22:37.788895 < ACL data: handle 1 flags 0x02 dlen 8
>    L2CAP(d): cid 0x0041 len 4 [psm 3]
>      RFCOMM(s): DISC: cr 0 dlci 20 pf 1 ilen 0 fcs 0x7d
> 2009-09-21 17:22:37.906204 > HCI Event: Number of Completed Packets
> (0x13)
> plen 5
>    handle 1 packets 1
> 2009-09-21 17:22:37.933090 > ACL data: handle 1 flags 0x02 dlen 8
>    L2CAP(d): cid 0x0040 len 4 [psm 3]
>      RFCOMM(s): UA: cr 0 dlci 20 pf 1 ilen 0 fcs 0x57
> 2009-09-21 17:22:38.636764 < ACL data: handle 1 flags 0x02 dlen 8
>    L2CAP(d): cid 0x0041 len 4 [psm 3]
>      RFCOMM(s): DISC: cr 0 dlci 0 pf 1 ilen 0 fcs 0x9c
> 2009-09-21 17:22:38.744125 > HCI Event: Number of Completed Packets
> (0x13)
> plen 5
>    handle 1 packets 1
> 2009-09-21 17:22:38.763687 > ACL data: handle 1 flags 0x02 dlen 8
>    L2CAP(d): cid 0x0040 len 4 [psm 3]
>      RFCOMM(s): UA: cr 0 dlci 0 pf 1 ilen 0 fcs 0xb6
> 2009-09-21 17:22:38.783554 > ACL data: handle 1 flags 0x02 dlen 12
>    L2CAP(s): Disconn req: dcid 0x0040 scid 0x0041
> 
> Avoid calling rfcomm_session_put() twice by skipping this call
> in rfcomm_recv_ua() if the socket is closed.
> 
> Picked from:
> http://android.git.kernel.org/?p=kernel/common.git;a=commit;h=1048e007842da2d6440679e1ca80f45438a6369d
> 
> Signed-off-by: Nick Pelly <npelly@google.com>
> Signed-off-by: Andrei Emeltchenko <andrei.emeltchenko@nokia.com>
> ---
>  net/bluetooth/rfcomm/core.c |    3 ++-
>  1 files changed, 2 insertions(+), 1 deletions(-)
> 
> diff --git a/net/bluetooth/rfcomm/core.c b/net/bluetooth/rfcomm/core.c
> index 0313e88..56ffcb8 100644
> --- a/net/bluetooth/rfcomm/core.c
> +++ b/net/bluetooth/rfcomm/core.c
> @@ -1148,7 +1148,8 @@ static int rfcomm_recv_ua(struct rfcomm_session
> *s, u8 dlci)
>                         break;
>  
>                 case BT_DISCONN:
> -                       rfcomm_session_put(s);
> +                       if (s->sock->sk->sk_state != BT_CLOSED)
> +                               rfcomm_session_put(s);
>                         break;
>                 }
>         } 

I am not a big fan of conditionally decreasing reference counts. I do
think it would be better to fix this by holding an extra pair of
reference counts or actually fixing the imbalance. What about the other
patches I proposed?

Regards

Marcel

next prev parent reply	other threads:[~2009-12-18 21:59 UTC|newest]

Thread overview: 22+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2009-09-11  7:53 kernel panic happens when disconnecting Bluetooth headset Lan Zhu
2009-09-11  8:23 ` Marcel Holtmann
2009-09-11 15:28   ` Lan Zhu
2009-09-11 16:45     ` Marcel Holtmann
2009-09-14  9:10       ` Lan Zhu
2009-09-17  1:21         ` Nick Pelly
2009-09-17  2:17           ` Marcel Holtmann
2009-09-18  8:06             ` Andrei Emeltchenko
2009-09-18 15:24               ` Marcel Holtmann
2009-09-22  0:52         ` Nick Pelly
2009-09-22  1:29           ` Nick Pelly
2009-09-22 20:18             ` Nick Pelly
2009-09-23  7:22               ` Dave Young
2009-12-18 14:20               ` Andrei Emeltchenko
2009-12-18 21:59                 ` Marcel Holtmann [this message]
2009-12-18 22:30                   ` Nick Pelly
2009-12-18 23:02                     ` Marcel Holtmann
2009-12-22 16:20                       ` Andrei Emeltchenko
2010-02-03  2:11                         ` Nick Pelly
2010-02-03 20:21                         ` Marcel Holtmann
2010-02-04  0:19                           ` Nick Pelly
2009-12-30 14:22                       ` Luiz Pena

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=1261173555.4041.91.camel@localhost.localdomain \
    --to=marcel@holtmann.org \
    --cc=andrei.emeltchenko.news@gmail.com \
    --cc=linux-bluetooth@vger.kernel.org \
    --cc=npelly@google.com \
    --cc=zhu.lan.cn@gmail.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.