Re: [Bluez-devel] A bug in the bluetooth stack?

[Marcel Holtmann <marcel@holtmann.org>]

Hi,

> I was helped by: Omar. He gave to me his phone because I had to send him a song 
> via Obex Push (OBEX OBJECT PUSH PROTOCOL). Many Nokia phones like this, will 
> forbid you make more than just one connection. If you try to connect more than 
> once simultaneously the bluetooth stack will bring down some layers of the 
> kernel!
> 
> To reproduce this bug follow the following steps: I here use obexftp but may be 
> any application might reproduce the problem as yuo can see with rfcomm...
> 1 - Connect to the phone sending a relatively big file:
> obexftp -b xx:xx:xx:xx:xx:xx -p location/nomefile.ext
> 
> And while the phone is receiving the file, in another session type:
> rfcomm -i hci1 connect /dev/rfcomm0 xx:xx:xx:xx:xx:xx 1
> 
> And you will see the following happen:
> 
> Dec 27 16:43:05 atlantide hcid[1022]: link_key_request (sba=00:0B:0D:62:55:00, dba=00:0E:6D:BE:54:9B)
> Dec 27 16:45:43 atlantide kernel: add_conn: Failed to register connection device
> Dec 27 16:46:03 atlantide kernel: BUG: unable to handle kernel NULL pointer dereference at virtual address 0000000c
> Dec 27 16:46:03 atlantide kernel:  printing eip:
> Dec 27 16:46:03 atlantide kernel: c02440dd
> Dec 27 16:46:03 atlantide kernel: *pde = 00000000
> Dec 27 16:46:03 atlantide kernel: Oops: 0000 [#1]
> Dec 27 16:46:03 atlantide kernel: PREEMPT 
> Dec 27 16:46:03 atlantide kernel: Modules linked in: rfcomm l2cap processor af_packet reiserfs hci_usb bluetooth usbhid w83781d hwmon_vid hwmon i2c_isa i2c_i801 i2c_core snd_emu10k1 snd_rawmidi snd_seq_device snd_util_mem snd_hwdep uhci_hcd snd_intel8x0 snd_ac97_codec snd_ac97_bus snd_pcm snd_timer snd soundcore snd_page_alloc iTCO_wdt b44 mii ehci_hcd ohci_hcd usbcore atkbd libps2 rtc pcspkr
> Dec 27 16:46:03 atlantide kernel: CPU:    0
> Dec 27 16:46:03 atlantide kernel: EIP:    0060:[<c02440dd>]    Not tainted VLI
> Dec 27 16:46:03 atlantide kernel: EFLAGS: 00010282   (2.6.19.1 #1)
> Dec 27 16:46:03 atlantide kernel: EIP is at klist_del+0x6/0x45
> Dec 27 16:46:03 atlantide kernel: eax: 00000000   ebx: cee63aa8   ecx: cee63a7c   edx: c1920748
> Dec 27 16:46:03 atlantide kernel: esi: cee63ab8   edi: cee63a78   ebp: f7e8b94c   esp: c1949f4c
> Dec 27 16:46:03 atlantide kernel: ds: 007b   es: 007b   ss: 0068
> Dec 27 16:46:03 atlantide kernel: Process events/0 (pid: 3, ti=c1948000 task=c192d030 task.ti=c1948000)
> Dec 27 16:46:03 atlantide kernel: Stack: cee63aa8 c1920740 c01e0e68 00000286 c1920740 cee63a78 cee63a00 c012073a 
> Dec 27 16:46:03 atlantide kernel:        00000000 0000a57f 08074116 f89b62e8 c1920750 c1920740 c1920748 00000000 
> Dec 27 16:46:03 atlantide kernel:        c0120c36 00000001 00000000 c192da50 00010000 00000000 00000000 c192d030 
> Dec 27 16:46:03 atlantide kernel: Call Trace:
> Dec 27 16:46:03 atlantide kernel:  [<c01e0e68>] device_del+0x15/0x169
> Dec 27 16:46:03 atlantide kernel:  [<c012073a>] run_workqueue+0x8a/0xe6
> Dec 27 16:46:03 atlantide kernel:  [<f89b62e8>] del_conn+0x0/0xa [bluetooth]
> Dec 27 16:46:03 atlantide kernel:  [<c0120c36>] worker_thread+0xe8/0x11a
> Dec 27 16:46:03 atlantide kernel:  [<c01108ea>] default_wake_function+0x0/0xc
> Dec 27 16:46:03 atlantide kernel:  [<c0120b4e>] worker_thread+0x0/0x11a
> Dec 27 16:46:03 atlantide kernel:  [<c0123083>] kthread+0xad/0xda
> Dec 27 16:46:03 atlantide kernel:  [<c0122fd6>] kthread+0x0/0xda
> Dec 27 16:46:03 atlantide kernel:  [<c01033cf>] kernel_thread_helper+0x7/0x10
> Dec 27 16:46:04 atlantide kernel:  =======================
> Dec 27 16:46:04 atlantide kernel: Code: 04 89 42 04 89 10 c7 43 f8 00 01 10 00 c7 41 04 00 02 20 00 8d 43 04 e8 57 ce ec ff c7 43 f4 00 00 00 00 5b c3 56 53 89 c6 8b 00 <8b> 58 0c 89 e0 25 00 e0 ff ff ff 40 14 89 f0 e8 a9 ff ff ff 85 
> Dec 27 16:46:04 atlantide kernel: EIP: [<c02440dd>] klist_del+0x6/0x45 SS:ESP 0068:c1949f4c
> 
> The key to reproduce this bug is to attempt to connect to the same device 
> which allows only one connection with two different hci interfaces!

I can reproduce this issue with a 2.6.20-rc3 kernel running on my G5:

add_conn: Failed to register connection device
Unable to handle kernel paging request for data at address 0x00000020
Faulting instruction address: 0xc0000000002877d8
Oops: Kernel access of bad area, sig: 11 [#1]
SMP NR_CPUS=4 
Modules linked in: hci_usb binfmt_misc rfcomm hidp l2cap bluetooth ipv6 cpufreq_stats usbhid hid fuse ide_cd cdrom snd_aoa_codec_onyx snd_aoa_fabric_layout snd_aoa snd_aoa_i2sbus snd_aoa_soundbus snd_pcm snd_page_alloc snd_timer bcm43xx snd ieee80211softmac ieee80211 ohci_hcd ieee80211_crypt ehci_hcd evdev ide_core soundcore tg3 firmware_class ata_generic pmac_zilog serial_core usbcore
NIP: C0000000002877D8 LR: C0000000001B7380 CTR: C0000000001B7344
REGS: c00000003ff07940 TRAP: 0300   Not tainted  (2.6.20-rc3)
MSR: 9000000000009032 <EE,ME,IR,DR>  CR: 28000028  XER: 000FFFFF
DAR: 0000000000000020, DSISR: 0000000040000000
TASK = c0000000018cc040[17] 'events/3' THREAD: c00000003ff04000 CPU: 3
GPR00: C0000000001B7380 C00000003FF07BC0 C0000000003D1F50 0000000000000000 
GPR04: 0000000000000001 0000000000000001 0000000028000022 0000000000F12E00 
GPR08: C00000003FF07EB0 0000000000000001 C000000001981FB0 C0000000001B7344 
GPR12: D000000000402360 C00000000034BC80 0000000000000000 C0000000002C6F78 
GPR16: 4000000001400000 C0000000002C5A98 0000000000000000 0000000000000000 
GPR20: C00000000033BCA8 000000000173BCA8 C00000000033BF18 000000000173BF18 
GPR24: 0000000000241AC0 0000000000000000 C00000003FF04000 C000000001981F80 
GPR28: C00000003823FD10 0000000000000000 C000000000386668 C00000003823FCE8 
NIP [C0000000002877D8] .klist_del+0x24/0xb4
LR [C0000000001B7380] .device_del+0x3c/0x278
Call Trace:
[C00000003FF07BC0] [C0000000018CC040] 0xc0000000018cc040 (unreliable)
[C00000003FF07C50] [C0000000001B7380] .device_del+0x3c/0x278
[C00000003FF07CE0] [D000000000400820] .del_conn+0x14/0x28 [bluetooth]
[C00000003FF07D60] [C000000000058560] .run_workqueue+0xec/0x1d4
[C00000003FF07E00] [C000000000059198] .worker_thread+0x15c/0x1b4
[C00000003FF07EE0] [C00000000005DE88] .kthread+0x11c/0x16c
[C00000003FF07F90] [C0000000000210EC] .kernel_thread+0x4c/0x68
Instruction dump:
eba1ffe8 7c0803a6 4e800020 7c0802a6 fb81ffe0 fba1ffe8 fbe1fff8 7c7c1b78 
f8010010 f821ff71 eba30000 7fa3eb78 <ebfd0020> 4800386d 60000000 7f83e378 

The problem is that the add_conn call fails for some strange reasons. I
have no idea why, because it actually shouldn't. Even if it fails, it
shouldn't kill the kernel on del_conn.

Regards

Marcel



-------------------------------------------------------------------------
Take Surveys. Earn Cash. Influence the Future of IT
Join SourceForge.net's Techsay panel and you'll get the chance to share your
opinions on IT & business topics through brief surveys - and earn cash
http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV
_______________________________________________
Bluez-devel mailing list
Bluez-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/bluez-devel