From: Marcel Holtmann <marcel@holtmann.org>
To: Nick Pelly <npelly@google.com>
Cc: Andrei Emeltchenko <andrei.emeltchenko.news@gmail.com>,
Lan Zhu <zhu.lan.cn@gmail.com>,
linux-bluetooth@vger.kernel.org
Subject: Re: kernel panic happens when disconnecting Bluetooth headset
Date: Fri, 18 Dec 2009 15:02:27 -0800 [thread overview]
Message-ID: <1261177347.4041.103.camel@localhost.localdomain> (raw)
In-Reply-To: <35c90d960912181430t4bf36fb9gbc6ae71eeaf16602@mail.gmail.com>
Hi Nick,
> >> Processing a RFCOMM UA frame when the socket is closed and we were not
> >> the
> >> RFCOMM initiator would cause rfcomm_session_put() to be called twice
> >> during
> >> rfcomm_process_rx(). This would cause a kernel panic in
> >> rfcomm_session_close.
> >>
> >> This could be easily reproduced during disconnect with devices such as
> >> Motorola H270 that send RFCOMM UA followed quickly by L2CAP disconnect
> >> request.
> >> This hcidump for this looks like:
> >>
> >> 2009-09-21 17:22:37.788895 < ACL data: handle 1 flags 0x02 dlen 8
> >> L2CAP(d): cid 0x0041 len 4 [psm 3]
> >> RFCOMM(s): DISC: cr 0 dlci 20 pf 1 ilen 0 fcs 0x7d
> >> 2009-09-21 17:22:37.906204 > HCI Event: Number of Completed Packets
> >> (0x13)
> >> plen 5
> >> handle 1 packets 1
> >> 2009-09-21 17:22:37.933090 > ACL data: handle 1 flags 0x02 dlen 8
> >> L2CAP(d): cid 0x0040 len 4 [psm 3]
> >> RFCOMM(s): UA: cr 0 dlci 20 pf 1 ilen 0 fcs 0x57
> >> 2009-09-21 17:22:38.636764 < ACL data: handle 1 flags 0x02 dlen 8
> >> L2CAP(d): cid 0x0041 len 4 [psm 3]
> >> RFCOMM(s): DISC: cr 0 dlci 0 pf 1 ilen 0 fcs 0x9c
> >> 2009-09-21 17:22:38.744125 > HCI Event: Number of Completed Packets
> >> (0x13)
> >> plen 5
> >> handle 1 packets 1
> >> 2009-09-21 17:22:38.763687 > ACL data: handle 1 flags 0x02 dlen 8
> >> L2CAP(d): cid 0x0040 len 4 [psm 3]
> >> RFCOMM(s): UA: cr 0 dlci 0 pf 1 ilen 0 fcs 0xb6
> >> 2009-09-21 17:22:38.783554 > ACL data: handle 1 flags 0x02 dlen 12
> >> L2CAP(s): Disconn req: dcid 0x0040 scid 0x0041
> >>
> >> Avoid calling rfcomm_session_put() twice by skipping this call
> >> in rfcomm_recv_ua() if the socket is closed.
> >>
> >> Picked from:
> >> http://android.git.kernel.org/?p=kernel/common.git;a=commit;h=1048e007842da2d6440679e1ca80f45438a6369d
> >>
> >> Signed-off-by: Nick Pelly <npelly@google.com>
> >> Signed-off-by: Andrei Emeltchenko <andrei.emeltchenko@nokia.com>
> >> ---
> >> net/bluetooth/rfcomm/core.c | 3 ++-
> >> 1 files changed, 2 insertions(+), 1 deletions(-)
> >>
> >> diff --git a/net/bluetooth/rfcomm/core.c b/net/bluetooth/rfcomm/core.c
> >> index 0313e88..56ffcb8 100644
> >> --- a/net/bluetooth/rfcomm/core.c
> >> +++ b/net/bluetooth/rfcomm/core.c
> >> @@ -1148,7 +1148,8 @@ static int rfcomm_recv_ua(struct rfcomm_session
> >> *s, u8 dlci)
> >> break;
> >>
> >> case BT_DISCONN:
> >> - rfcomm_session_put(s);
> >> + if (s->sock->sk->sk_state != BT_CLOSED)
> >> + rfcomm_session_put(s);
> >> break;
> >> }
> >> }
> >
> > I am not a big fan of conditionally decreasing reference counts. I do
> > think it would be better to fix this by holding an extra pair of
> > reference counts or actually fixing the imbalance. What about the other
> > patches I proposed?
>
> Your proposed patch was to add an extra hold() / put() reference count
> around the offending put(). I did test this patch, and found it does
> not fix the underlying imbalance, it just moves the kernel panic
> somewhere else.
>
> As best I can tell, my patch does address the underlying imbalance. It
> is in production on Android phones and seems to work well. As best I
> can tell, there is not a cleaner solution that does not involve
> significant refactoring of rfcomm refcounting.
the RFCOMM reference counting is something nasty and it does need to be
re-written. One thing that needs to happen that we stop using the L2CAP
sockets directly. We have to put a proper L2CAP in-kernel specific API
in between that ensures we are not mixing things. That is the one issues
that we always had in this area.
Before applying this patch, I like to have additionally a comment in
front of this conditional put call that explains a little bit the
problem area here. The long explanation with logs etc. should be in the
commit message. I have to make sure that we fully understand what is
going on here and why we did it.
Regards
Marcel
next prev parent reply other threads:[~2009-12-18 23:02 UTC|newest]
Thread overview: 22+ messages / expand[flat|nested] mbox.gz Atom feed top
2009-09-11 7:53 kernel panic happens when disconnecting Bluetooth headset Lan Zhu
2009-09-11 8:23 ` Marcel Holtmann
2009-09-11 15:28 ` Lan Zhu
2009-09-11 16:45 ` Marcel Holtmann
2009-09-14 9:10 ` Lan Zhu
2009-09-17 1:21 ` Nick Pelly
2009-09-17 2:17 ` Marcel Holtmann
2009-09-18 8:06 ` Andrei Emeltchenko
2009-09-18 15:24 ` Marcel Holtmann
2009-09-22 0:52 ` Nick Pelly
2009-09-22 1:29 ` Nick Pelly
2009-09-22 20:18 ` Nick Pelly
2009-09-23 7:22 ` Dave Young
2009-12-18 14:20 ` Andrei Emeltchenko
2009-12-18 21:59 ` Marcel Holtmann
2009-12-18 22:30 ` Nick Pelly
2009-12-18 23:02 ` Marcel Holtmann [this message]
2009-12-22 16:20 ` Andrei Emeltchenko
2010-02-03 2:11 ` Nick Pelly
2010-02-03 20:21 ` Marcel Holtmann
2010-02-04 0:19 ` Nick Pelly
2009-12-30 14:22 ` Luiz Pena
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1261177347.4041.103.camel@localhost.localdomain \
--to=marcel@holtmann.org \
--cc=andrei.emeltchenko.news@gmail.com \
--cc=linux-bluetooth@vger.kernel.org \
--cc=npelly@google.com \
--cc=zhu.lan.cn@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.