Hi,

I recently discovered a very consistent BUG inside the serial HCI driver that implements the BlueCore BCSP protocol. I am running the BlueZ 2.18 protocol stack (compiled with gcc version 3.3.2) on the embedded ARM-based CerfBoard target platform from Intrinsync on the linux-2.6.7-cerfb1 kernel. I am using the ttyS3 serial interface at 115200 baud as the HCI interface to the BlueCore module, attached to the BlueZ upper layer stack via:

  $ hciattach ttyS3 bcsp 115200

I successfully created a PAN-profile bluetooth access point (with ethernet bridging to the local LAN for Internet access) and tested it with the XDA|| pocket PC. Generally all basic functionality seems to be OK, i.e. the BNEP interface gets created successfully and access to the LAN is working fine.

The problem is triggered when I try to increase the traffic via the HCI bcsp link. Any application on my PocketPC that increases the network traffic via the BNEP interface (ftp, sip, web browsing... etc.) eventually causes the kernel to Oops at an attempt to dereference a NULL pointer. I analysed the Oops trace and localised the offending code to be inside the bcsp_complete_rx_pkt() function. Next I added the following debugging code (marked as "ajc:...") in hci_bcsp.c:

>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
static int cnt = 0; //ajc: DBG

static inline void bcsp_complete_rx_pkt(struct hci_uart *hu)
{
	struct bcsp_struct *bcsp = hu->priv;
	int pass_up;
	unsigned char **ptr_dbg = &(bcsp->rx_skb->data); //ajc: DBG

	if (bcsp->rx_skb->data[0] & 0x80) {	/* reliable pkt */
		...
		/* If needed, transmit an ack pkt */
		hci_uart_tx_wakeup(hu);

		//ajc: DBG start
		++cnt;
		if (!bcsp->rx_skb)	//ajc: detect NULL pointer
		{
			printk("ajc: !! NULL pointer: 0x%p->(0x%p != 0x%p) cnt=%d\n",
			       bcsp->rx_skb, &(bcsp->rx_skb->data), ptr_dbg, cnt);
			printk("ajc: Next instruction will crush the kernel\n");
		}
		//ajc: DBG end
	}

	bcsp->rxack = (bcsp->rx_skb->data[0] >> 3) & 0x07;
	...
}
<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<

The final result is that the code line:

  bcsp->rxack = (bcsp->rx_skb->data[0] >> 3) & 0x07;

fails because the "bcsp->rx_skb" pointer occasionally gets reset to NULL. The full Oops trace from my target platform is included (see Oops.txt).

Unfortunately the complexity of the code, and my limited linux programming experience, stopped me from making any further progress in solving this problem. Therefore I would deeply appreciate any comments (or solutions) to help resolve the problem described above.

Thanks in advance for your co-operation.

Best regards,
Adam
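As an added illustration (not code from the post or from the BlueZ hci_bcsp.c driver), the following user-space C model reproduces the ordering the debug output points at: the header byte is read from rx_skb, the transmit path is woken, and then rx_skb is dereferenced again. The model assumes, purely for demonstration, that the wakeup path can clear rx_skb synchronously; whether that is what really happens in the driver is exactly what the report leaves open. The hardened variant snapshots the header byte while the pointer is known valid, so nothing after the callback touches the shared pointer.

```c
#include <stdio.h>
#include <stddef.h>

/* Stand-ins for the driver state (constructed, not the real structs). */
struct fake_skb { unsigned char data[4]; };
struct fake_bcsp {
    struct fake_skb *rx_skb;  /* packet being completed; shared with tx path */
    int rxack;
    int txack_req;
};

/* Hypothetical stand-in for hci_uart_tx_wakeup(): in this model the tx path
 * may hand the buffer off and clear rx_skb before returning. */
static void tx_wakeup(struct fake_bcsp *bcsp, int resets_rx_skb)
{
    bcsp->txack_req = 0;
    if (resets_rx_skb)
        bcsp->rx_skb = NULL;
}

/* Same ordering as the reported driver: wake tx, then dereference rx_skb.
 * Returns -1 where the kernel would Oops on the NULL pointer. */
static int complete_rx_pkt_reported(struct fake_bcsp *bcsp, int resets_rx_skb)
{
    if (bcsp->rx_skb->data[0] & 0x80) {   /* reliable pkt: an ack is needed */
        bcsp->txack_req = 1;
        tx_wakeup(bcsp, resets_rx_skb);
    }
    if (!bcsp->rx_skb)                    /* the case the "ajc:" printk catches */
        return -1;
    bcsp->rxack = (bcsp->rx_skb->data[0] >> 3) & 0x07;
    return bcsp->rxack;
}

/* Hardened ordering: read everything needed from the packet header before
 * calling into the tx path, so the pointer is not used after the callback. */
static int complete_rx_pkt_hardened(struct fake_bcsp *bcsp, int resets_rx_skb)
{
    unsigned char hdr = bcsp->rx_skb->data[0];
    if (hdr & 0x80) {
        bcsp->txack_req = 1;
        tx_wakeup(bcsp, resets_rx_skb);
    }
    bcsp->rxack = (hdr >> 3) & 0x07;
    return bcsp->rxack;
}

/* Run one scenario on a fresh packet whose first header byte is hdr. */
int run_scenario(unsigned char hdr, int hardened, int resets_rx_skb)
{
    struct fake_skb skb = {{hdr, 0, 0, 0}};
    struct fake_bcsp bcsp = {&skb, 0, 0};
    return hardened ? complete_rx_pkt_hardened(&bcsp, resets_rx_skb)
                    : complete_rx_pkt_reported(&bcsp, resets_rx_skb);
}

int main(void)
{
    /* 0xA8: reliable bit set, ack field (bits 3..5) = 5 */
    printf("reported, pointer cleared : %d\n", run_scenario(0xA8, 0, 1));
    printf("hardened, pointer cleared : %d\n", run_scenario(0xA8, 1, 1));
    return 0;
}
```

Reordering only removes the dereference after the callback; it does not explain why rx_skb is cleared, which still has to be traced in the driver itself.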