[Bluez-devel] Re: Linux 2.4.27rc3 and Bluetooth

[Marcel Holtmann <marcel@holtmann.org>]

[-- Attachment #1: Type: text/plain, Size: 1220 bytes --]

Hi John,

> I finally burned some time, studied the code, and created a
> working patch for bt3c_cs.c (patch attached).  It adds a test
> in bt3c_release to check whether the DEV_CONFIG_PENDING bit of
> link->state is clear before a call to bt3c_close.  If the
> DEV_CONFIG_PENDING bit is not clear, bt3c_open has failed,
> and never succeeded in a call to hci_register_dev and friends.
> 
> When loading the firmware fails, the unpatched code ignores the
> failure of bt3c_open, goes ahead with bt3c_close, and invokes 
> hci_unregister_dev and friends (despite the fact that
> hci_register_dev was never called), thus provoking a kernel panic
> with the NULL pointer dereference. (aiee!)

you are right. That is the problem. I fixed it in a different way.
Please try out the attached patch and report if it also works.

> I suspect the 2.6 kernel may have the same problem by casual
> inspection, but I have neither confirmed the existence of a problem
> through testing of the 2.6 kernel, nor carefully traced that code
> of Linux 2.6 for possible key differences.

No. The 2.6 kernel is not affected, because the hdev is a pointer in
that kernel series and we have the NULL pointer check in place.

Regards

Marcel


[-- Attachment #2: patch --]
[-- Type: text/plain, Size: 1688 bytes --]

===== drivers/bluetooth/dtl1_cs.c 1.2 vs edited =====
--- 1.2/drivers/bluetooth/dtl1_cs.c	2002-08-03 13:53:56 +02:00
+++ edited/drivers/bluetooth/dtl1_cs.c	2004-07-24 22:30:33 +02:00
@@ -535,6 +535,9 @@
 	unsigned int iobase = info->link.io.BasePort1;
 	struct hci_dev *hdev = &(info->hdev);
 
+	if (info->link.state & DEV_CONFIG_PENDING)
+		return -ENODEV;
+
 	dtl1_hci_close(hdev);
 
 	spin_lock_irqsave(&(info->lock), flags);
===== drivers/bluetooth/bluecard_cs.c 1.1 vs edited =====
--- 1.1/drivers/bluetooth/bluecard_cs.c	2002-08-03 13:54:07 +02:00
+++ edited/drivers/bluetooth/bluecard_cs.c	2004-07-24 22:30:53 +02:00
@@ -803,6 +803,9 @@
 	unsigned int iobase = info->link.io.BasePort1;
 	struct hci_dev *hdev = &(info->hdev);
 
+	if (info->link.state & DEV_CONFIG_PENDING)
+		return -ENODEV;
+
 	bluecard_hci_close(hdev);
 
 	clear_bit(CARD_READY, &(info->hw_state));
===== drivers/bluetooth/bt3c_cs.c 1.2 vs edited =====
--- 1.2/drivers/bluetooth/bt3c_cs.c	2004-04-16 14:05:25 +02:00
+++ edited/drivers/bluetooth/bt3c_cs.c	2004-07-24 22:31:11 +02:00
@@ -643,6 +643,9 @@
 {
 	struct hci_dev *hdev = &(info->hdev);
 
+	if (info->link.state & DEV_CONFIG_PENDING)
+		return -ENODEV;
+
 	bt3c_hci_close(hdev);
 
 	if (hci_unregister_dev(hdev) < 0)
===== drivers/bluetooth/btuart_cs.c 1.1 vs edited =====
--- 1.1/drivers/bluetooth/btuart_cs.c	2002-10-20 21:42:54 +02:00
+++ edited/drivers/bluetooth/btuart_cs.c	2004-07-24 22:30:46 +02:00
@@ -556,6 +556,9 @@
 	unsigned int iobase = info->link.io.BasePort1;
 	struct hci_dev *hdev = &(info->hdev);
 
+	if (info->link.state & DEV_CONFIG_PENDING)
+		return -ENODEV;
+
 	btuart_hci_close(hdev);
 
 	spin_lock_irqsave(&(info->lock), flags);