Re: [PATCH 1/2 v2] Bluetooth: Fix system crash caused by del_timer()

All of lore.kernel.org
 help / color / mirror / Atom feed

From: "Gustavo F. Padovan" <padovan@profusion.mobi>
To: haijun liu <liuhaijun.er@gmail.com>
Cc: Haijun Liu <haijun.liu@atheros.com>, linux-bluetooth@vger.kernel.org
Subject: Re: [PATCH 1/2 v2] Bluetooth: Fix system crash caused by del_timer()
Date: Wed, 3 Nov 2010 13:56:45 -0400	[thread overview]
Message-ID: <20101103175645.GA17561@vigoh> (raw)
In-Reply-To: <AANLkTi=Q3g2UTiHV1i2gBa=POY0jS6GbBWAD1ddOaETx@mail.gmail.com>

Hi Haijun,

* haijun liu <liuhaijun.er@gmail.com> [2010-11-01 09:22:14 +0800]:

> Hi Gustavo,
> 
> >> >> >> During test session with another vendor's bt stack, found that in
> >> >> >> l2cap_chan_del() using del_timer() caused l2cap_monitor_timeout()
> >> >> >> be called after the sock was freed, so it raised a system crash.
> >> >> >> So I just replaced del_timer() with del_timer_sync() to solve it.
> >> >> >
> >> >> > NAK on this. If you read the del_timer_sync() documentation you can
> >> >> > see that you can't call del_timer_sync() on interrupt context. The
> >> >> > possible solution here is to check in the beginning of
> >> >> > l2cap_monitor_timeout() if your sock is still valid.
> >> >> >
> >> >>
> >> >> You are right, I only considered close() interface, so missed the interrupt
> >> >> context.
> >> >>
> >> >> It's very difficult to check sock valid or not in timeout procedure, since it's
> >> >> an interrupt context, and only can get context from parameter pre-stored,
> >> >> except global variables.
> >> >
> >> > I think you can check for sk == null there.
> >> >
> >>
> >> It's a pre-stored parameter, it will not change by itself.
> >
> > I looked a bit into this and a good solution seems to be to hold a
> > reference to the sock when we call a mod_timer() and then put the
> > reference when we call del_timer() and the timer is inactive or when
> > l2cap_monitor_timeout(). Look net/sctp/ for examples.
> >
> 
> Same situation still is there, in this case, l2cap_monitor_timeout()
> how to know the reference has been released by del_timer()?
> 
> If we refer to net/sctp, use timer_pending() to detect it, unless we can
> ensure del_timer() always be called in interrupt context and same
> level compare to timer interrupt, otherwise it's not an atomic operation
> for this case.

No, the socket lock take care of that, so there will be no race
condition here. One related thing that we should fix is a locking
problem in l2cap_monitor_timeout() and l2cap_retrans_timeout() already
reported by Mat Martineau. (I just can't find his e-mail about that).
So I think you should go ahead and this problem using ref counting and
then we can also fix the problem reported by Mat.

-- 
Gustavo F. Padovan
ProFUSION embedded systems - http://profusion.mobi

next prev parent reply	other threads:[~2010-11-03 17:56 UTC|newest]

Thread overview: 16+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2010-10-22  2:26 [PATCH 1/2 v2] Bluetooth: Fix system crash caused by del_timer() Haijun Liu
2010-10-22  2:26 ` [PATCH 2/2 v2] Bluetooth: Fix system crash bug of no send queue protect Haijun Liu
2010-10-22 17:34   ` Gustavo F. Padovan
2010-10-25  2:15     ` haijun liu
2010-10-25 11:09       ` Gustavo F. Padovan
2010-10-26 11:50         ` haijun liu
2010-10-22 17:18 ` [PATCH 1/2 v2] Bluetooth: Fix system crash caused by del_timer() Gustavo F. Padovan
2010-10-25  1:35   ` haijun liu
2010-10-25  2:21     ` haijun liu
2010-10-25 11:01     ` Gustavo F. Padovan
2010-10-26  1:32       ` haijun liu
     [not found]         ` <AANLkTin+dNkjySQBvCSLK9f5aRF9445UqjhXaNvKWSz_@mail.gmail.com>
2010-10-26  7:35           ` haijun liu
2010-10-28  8:49         ` Gustavo F. Padovan
2010-11-01  1:22           ` haijun liu
2010-11-03 17:56             ` Gustavo F. Padovan [this message]
2010-11-03 21:12               ` Mat Martineau

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20101103175645.GA17561@vigoh \
    --to=padovan@profusion.mobi \
    --cc=haijun.liu@atheros.com \
    --cc=linux-bluetooth@vger.kernel.org \
    --cc=liuhaijun.er@gmail.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.