* [Bluez-devel] RFCOMM related oops
@ 2005-03-28 20:55 Victor Shcherbatyuk
From: Victor Shcherbatyuk @ 2005-03-28 20:55 UTC (permalink / raw)
To: bluez-devel; +Cc: victor.shcherbatyuk
[-- Attachment #1: Type: TEXT/PLAIN, Size: 1077 bytes --]
Hi Marcel,
Some more problems...
The following holds for Motorola V3 (RAZR) and Nokia 6310i (I hope I'm not
mistaken), and probably some more phones I've never seen ;)
The sequence leading to the oops (oops.txt):
Open the RFCOMM channel exposed as the HF channel. Try to open the RFCOMM channel
exposed as the DUN channel three times (the first two fail, and finally attempt
three succeeds). Close the RFCOMM channel for DUN. Close the RFCOMM channel for HF ->
oops.
It looks like those phones allow only one RFCOMM channel to be open. But
strange things happen if you try to connect when there is
already an RFCOMM connection open on another channel (hence the story with the
three attempts).
What I see from the log (motov3.bin):
on attempt 2 the BlueZ stack sends DISC on DLCI 0 (for a reason I don't know)
while there are still active RFCOMM connections (the HF channel, DLCI 14 in
the log). So when I try to close HF it oopses...
I have it reproducible on two platforms (ARM and i386):
2.6.11.4 + 2.6.11-mh2 (i386)
Please see the logs attached.
Thanks in advance.
Kind regards,
Victor Shcherbatyuk.
--
[-- Attachment #2: Type: TEXT/plain, Size: 1821 bytes --]
Unable to handle kernel NULL pointer dereference at virtual address 0000000e
printing eip:
c037e03d
*pde = 00000000
Oops: 0000 [#1]
PREEMPT
Modules linked in: ndiswrapper
CPU: 0
EIP: 0060:[<c037e03d>] Tainted: P VLI
EFLAGS: 00010246 (2.6.11.4)
EIP is at sock_sendmsg+0xdd/0x150
eax: 00000000 ebx: 00000006 ecx: df4dd560 edx: deabc000
esi: 00000004 edi: deabdeb4 ebp: deabddec esp: deabdd8c
ds: 007b es: 007b ss: 0068
Process bluetalk (pid: 2686, threadinfo=deabc000 task=df4dd560)
Stack: 7fffffff dfce2804 7fffffff c0406a09 00000001 df103480 00000001 00000004
00000006 c15e0030 00000000 deabdeb4 00000286 00000292 deabc000 dfce27c0
dfce2804 c03fd77d 00000000 df4dd560 c0113fe0 00000000 00000000 00000007
Call Trace:
[<c0406a09>] schedule_timeout+0xa9/0xb0
[<c03fd77d>] rfcomm_sock_data_wait+0xdd/0xf0
[<c0113fe0>] default_wake_function+0x0/0x20
[<c0268996>] scrup+0x86/0x100
[<c012c710>] autoremove_wake_function+0x0/0x60
[<c037e3e8>] sock_aio_read+0x108/0x120
[<c037e0f6>] kernel_sendmsg+0x46/0x60
[<c03fa584>] rfcomm_send_frame+0x54/0x60
[<c01565e9>] do_sync_read+0xc9/0x110
[<c03fa6ec>] rfcomm_send_disc+0x6c/0x70
[<c03f9fe0>] __rfcomm_dlc_close+0xe0/0x100
[<c03fa023>] rfcomm_dlc_close+0x23/0x40
[<c03fce23>] __rfcomm_sock_close+0x43/0x60
[<c03fdc4c>] rfcomm_sock_shutdown+0x4c/0x80
[<c03fdca3>] rfcomm_sock_release+0x23/0x70
[<c037df09>] sock_release+0x99/0xf0
[<c037ea61>] sock_close+0x31/0x50
[<c015786e>] __fput+0x11e/0x160
[<c0156a7e>] sys_read+0x7e/0x80
[<c0103119>] sysenter_past_esp+0x52/0x75
Code: 00 8d 84 24 c0 00 00 00 89 84 24 c0 00 00 00 89 84 24 c4 00 00 00 8d 44 24 10 89 84 24 d4 00 00 00 31 c0 89 44 24 28 89 74 24 1c <8b> 43 08 89 74 24 0c 89 7c 24 08 89 5c 24 04 89 2c 24 ff 50 38
[-- Attachment #3: Type: APPLICATION/octet-stream, Size: 2549 bytes --]
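The failure Victor reads out of the log is a multiplexer-level one: a DISC on DLCI 0 closes the whole RFCOMM session, so any DLC still open on it (DLCI 14 here, which is server channel 7, since an RFCOMM DLCI is the server channel shifted left one bit plus the direction bit) is left referring to a session that is gone. The attached oops fits that reading: the faulting bytes `8b 43 08` are `mov 0x8(%ebx),%eax` with ebx = 6, which is the reported fault address 0xe, i.e. sock_sendmsg was handed a junk socket pointer while sending the DISC for the remaining DLC. The program below is an added example, not code from this thread or from BlueZ: a minimal RFCOMM frame parser (address, control, length, FCS as laid out in the RFCOMM specification; the FCS is the reflected CRC-8 over x^8+x^2+x+1) plus a multiplexer state tracker that flags a DISC on DLCI 0 while data DLCIs are still open. It is the check a practitioner would want to run over the RFCOMM payloads extracted from an hcidump capture like motov3.bin. Assumptions: the frame bytes are constructed here rather than taken from the attached dump, the DLCI 14 / DLCI 2 sequence is modelled on the report, and UIH frames are assumed to carry no credit byte.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Control field values with the P/F bit (0x10) cleared; DLCIs are 6 bits. */
enum { RFCOMM_SABM = 0x2f, RFCOMM_UA = 0x63, RFCOMM_DM = 0x0f, RFCOMM_DISC = 0x43,
       RFCOMM_UIH = 0xef, RFCOMM_PF = 0x10, MAX_DLCI = 64 };
/* dlci: server channel is dlci >> 1, direction bit is dlci & 1. ctrl has P/F cleared. */
struct rfcomm_frame { uint8_t dlci, ctrl; uint16_t len; int fcs_ok; };

/* FCS: reflected CRC-8 over x^8+x^2+x+1 (0xe0), init 0xff, result 0xff - crc. It covers
 * addr+ctrl+len for SABM/UA/DM/DISC (hlen 3) and only addr+ctrl for UIH (hlen 2). */
static uint8_t rfcomm_fcs(const uint8_t *hdr, size_t hlen)
{
    uint8_t crc = 0xff;
    for (size_t i = 0; i < hlen; i++) {
        crc ^= hdr[i];
        for (int b = 0; b < 8; b++)
            crc = (crc & 1) ? (uint8_t)((crc >> 1) ^ 0xe0) : (uint8_t)(crc >> 1);
    }
    return (uint8_t)(0xff - crc);
}

/* Build a zero-length control frame (SABM/UA/DM/DISC) with C/R set. Returns 4. */
static size_t rfcomm_build_ctrl(uint8_t *out, uint8_t dlci, uint8_t ctrl)
{
    out[0] = (uint8_t)((dlci << 2) | 0x02 | 0x01);   /* DLCI, C/R=1, EA=1 */
    out[1] = ctrl | RFCOMM_PF;
    out[2] = 0x01;                                    /* length 0, EA=1 */
    out[3] = rfcomm_fcs(out, 3);
    return 4;
}

/* Parse one frame from buf[0..n). Returns bytes consumed, 0 if truncated or malformed. */
static size_t rfcomm_parse(const uint8_t *buf, size_t n, struct rfcomm_frame *f)
{
    size_t hlen = 3;
    if (n < 4 || !(buf[0] & 0x01)) return 0;   /* addr+ctrl+len+fcs minimum; EA must be set */
    f->dlci = buf[0] >> 2;
    f->ctrl = buf[1] & (uint8_t)~RFCOMM_PF;
    if (!(buf[2] & 0x01)) {                    /* EA=0: two-byte length field */
        if (n < 5) return 0;
        hlen = 4;
    }
    f->len = hlen == 3 ? buf[2] >> 1 : (uint16_t)((buf[2] >> 1) | ((uint16_t)buf[3] << 7));
    if (hlen + f->len + 1 > n) return 0;
    f->fcs_ok = rfcomm_fcs(buf, f->ctrl == RFCOMM_UIH ? 2 : 3) == buf[hlen + f->len];
    return hlen + f->len + 1;
}

/* pending: SABM seen, no UA yet. open: UA answered the SABM. stray_disc0: DISCs on DLCI 0
 * seen while data DLCIs were still open, which is what the report describes. */
struct mux_state { uint8_t pending[MAX_DLCI], open[MAX_DLCI]; int stray_disc0; };

/* Apply one frame to the multiplexer model; returns 1 if it was a stray DISC on DLCI 0. */
static int mux_track(struct mux_state *m, const struct rfcomm_frame *f)
{
    int stray = 0;
    switch (f->ctrl) {
    case RFCOMM_SABM: m->pending[f->dlci] = 1; break;
    case RFCOMM_DM:   m->pending[f->dlci] = 0; break;     /* peer refused the DLC */
    case RFCOMM_UA:   if (m->pending[f->dlci]) m->pending[f->dlci] = 0, m->open[f->dlci] = 1;
                      break;
    case RFCOMM_DISC:
        if (f->dlci != 0) { m->open[f->dlci] = m->pending[f->dlci] = 0; break; }
        for (int d = 1; d < MAX_DLCI; d++) stray |= m->open[d];   /* any data DLC still up? */
        m->stray_disc0 += stray;
        memset(m->open, 0, sizeof(m->open));                /* DLCI 0 down takes every DLC */
        memset(m->pending, 0, sizeof(m->pending));
        break;
    }
    return stray;
}

/* Encode (dlci, ctrl) pairs as frames, scan them back to back and return the number of
 * stray DISCs on DLCI 0, or -1 if a frame fails to parse or carries a bad FCS. */
static int run_sequence(const uint8_t (*seq)[2], size_t count)
{
    uint8_t buf[4 * 16]; size_t n = 0, used;
    struct mux_state m; struct rfcomm_frame f;
    if (count > 16) return -1;
    memset(&m, 0, sizeof(m));
    for (size_t i = 0; i < count; i++)
        n += rfcomm_build_ctrl(buf + n, seq[i][0], seq[i][1]);
    for (size_t off = 0; off < n; off += used) {
        if ((used = rfcomm_parse(buf + off, n - off, &f)) == 0 || !f.fcs_ok) return -1;
        mux_track(&m, &f);
    }
    return m.stray_disc0;
}

/* Constructed sequences, not bytes from motov3.bin. stray_seq mirrors the report (mux up, DLC
 * for channel 7 = DLCI 14 up, SABM for channel 1 = DLCI 2 refused with DM, DISC on DLCI 0);
 * clean_seq closes DLCI 14 before the multiplexer goes down. */
static const uint8_t stray_seq[][2] = { {0, RFCOMM_SABM}, {0, RFCOMM_UA}, {14, RFCOMM_SABM},
    {14, RFCOMM_UA}, {2, RFCOMM_SABM}, {2, RFCOMM_DM}, {0, RFCOMM_DISC}, {0, RFCOMM_UA} };
static const uint8_t clean_seq[][2] = { {0, RFCOMM_SABM}, {0, RFCOMM_UA}, {14, RFCOMM_SABM},
    {14, RFCOMM_UA}, {14, RFCOMM_DISC}, {14, RFCOMM_UA}, {0, RFCOMM_DISC}, {0, RFCOMM_UA} };

int main(void)
{
    printf("report-like: %d stray DISC on DLCI 0, clean teardown: %d\n",
           run_sequence(stray_seq, 8), run_sequence(clean_seq, 8));
    return 0;
}
```

run_sequence(stray_seq, 8) returns 1 and run_sequence(clean_seq, 8) returns 0. A result of -1 means a frame did not parse or failed its FCS, which is the thing to check first on a real capture: a slice taken one byte off from the L2CAP payload boundary will fail the FCS long before the state tracker says anything useful.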
* Re: [Bluez-devel] RFCOMM related oops
From: Marcel Holtmann @ 2005-03-28 21:37 UTC (permalink / raw)
To: BlueZ Mailing List; +Cc: victor.shcherbatyuk
Hi Victor,
> Some more problems...
>
> The following holds for Motorola V3 (RAZR) and Nokia 6310i (I hope I'm not
> mistaken), and probably some more phones I've never seen ;)
>
> The sequence leading to the oops (oops.txt):
> Open the RFCOMM channel exposed as the HF channel. Try to open the RFCOMM channel
> exposed as the DUN channel three times (the first two fail, and finally attempt
> three succeeds). Close the RFCOMM channel for DUN. Close the RFCOMM channel for HF ->
> oops.
>
> It looks like those phones allow only one RFCOMM channel to be open. But
> strange things happen if you try to connect when there is
> already an RFCOMM connection open on another channel (hence the story with the
> three attempts).
>
> What I see from the log (motov3.bin):
> on attempt 2 the BlueZ stack sends DISC on DLCI 0 (for a reason I don't know)
> while there are still active RFCOMM connections (the HF channel, DLCI 14 in
> the log). So when I try to close HF it oopses...
>
> I have it reproducible on two platforms (ARM and i386):
> 2.6.11.4 + 2.6.11-mh2 (i386)
I hope this is not because of my fix for the reference counting problem
you found. Check if this still happens with a vanilla 2.6.11 kernel.
If it still happens, try to reproduce it without the ndiswrapper. This
taints your kernel and I am not willing to fix buggy Windows drivers.
The next thing is to try it without PREEMPT enabled.
Regards
Marcel
Bluez-devel mailing list
Bluez-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/bluez-devel
* RE: [Bluez-devel] RFCOMM related oops
@ 2005-04-06 9:20 Victor Shcherbatyuk
From: Victor Shcherbatyuk @ 2005-04-06 9:20 UTC (permalink / raw)
To: bluez-devel; +Cc: victor
[-- Attachment #1: Type: text/plain, Size: 680 bytes --]
Hi Marcel,
The attached program is oopsing on the _patched_ kernel. Hope this
helps.
Kind regards,
Victor.
P.S. I used channels 1 and 12 for 6310.
-----Original Message-----
From: Marcel Holtmann [mailto:marcel@holtmann.org]
Sent: Tuesday, April 05, 2005 16:14 PM
To: Victor Shcherbatyuk
Subject: RE: [Bluez-devel] RFCOMM related oops
Hi Victor,
> Sorry, I should be more clear ... I tried 2.6.11.1 w/o the patch and
> with it; the patch is what makes it oops.
actually I need a small test program, so that I can reproduce it with my
Nokia 6310 at home. This will help me a lot to finally fix that issue.
Regards
Marcel
[-- Attachment #2: tryoops.c --]
[-- Type: application/octet-stream, Size: 2153 bytes --]
#include <stdio.h>
#include <stdlib.h>     /* atoi, exit */
#include <string.h>     /* memset, strerror */
#include <errno.h>
#include <unistd.h>
#include <fcntl.h>
#include <sys/socket.h>
#include <bluetooth/bluetooth.h>
#include <bluetooth/hci.h>
#include <bluetooth/hci_lib.h>
#include <bluetooth/rfcomm.h>

#define NTRIES 5

/* Open an RFCOMM client socket to the phone at the given bdaddr string on
 * server channel chan. Returns the connected socket, or -1 on failure. */
int btopen(const char *addr, int chan)
{
    struct sockaddr_rc remote_addr, local_addr;
    bdaddr_t bdaddr;
    int s;

    str2ba(addr, &bdaddr);

    if ((s = socket(PF_BLUETOOTH, SOCK_STREAM, BTPROTO_RFCOMM)) < 0) {
        printf("Can't create socket. %s (%d)\n", strerror(errno), errno);
        return -1;
    }

    /* bind to any local adapter */
    memset(&local_addr, 0, sizeof(local_addr));
    local_addr.rc_family = AF_BLUETOOTH;
    bacpy(&local_addr.rc_bdaddr, BDADDR_ANY);
    if (bind(s, (struct sockaddr *)&local_addr, sizeof(local_addr)) < 0) {
        printf("Can't bind socket. %s (%d)\n", strerror(errno), errno);
        close(s);
        return -1;
    }

    /* connect to the remote server channel */
    memset(&remote_addr, 0, sizeof(remote_addr));
    remote_addr.rc_family = AF_BLUETOOTH;
    bacpy(&remote_addr.rc_bdaddr, &bdaddr);
    remote_addr.rc_channel = chan;
    if (connect(s, (struct sockaddr *)&remote_addr, sizeof(remote_addr)) < 0) {
        printf("Can't connect on channel %d. %s (%d)\n", chan, strerror(errno), errno);
        close(s);
        return -1;
    }
    return s;
}

int main(int argc, char **argv)
{
    int fd1, fd2;
    int ntries = NTRIES;

    if (argc < 4) {
        printf("Use: tryoops <address> <channel_1> <channel_2>\n");
        exit(1);
    }

    /* open the first channel */
    printf("opening %s on a channel %d...\n", argv[1], atoi(argv[2]));
    if ((fd1 = btopen(argv[1], atoi(argv[2]))) < 0) {
        printf("cannot open the channel!\n");
        exit(1);
    } else
        printf("opened.\n");

    /* try to open the second channel; if the patch is applied it should
     * fail for the first 2 times and then succeed */
    printf("opening %s on a channel %d...\n", argv[1], atoi(argv[3]));
    while ((fd2 = btopen(argv[1], atoi(argv[3]))) < 0 && --ntries)
        printf("attempt %d failed.\n", NTRIES - ntries);
    if (!ntries) {
        printf("kernel not patched?\n");
        close(fd1);
        exit(1);
    } else
        printf("opened.\n");

    printf("closing channel %d\n", atoi(argv[3]));
    close(fd2);

    /* this one should oops */
    printf("closing channel %d\n", atoi(argv[2]));
    close(fd1);
    return 0;
}