From: David Fries <david@fries.net>
To: Liang Bao <tim.bao@gmail.com>,
Andrei Warkentin <andreiw@motorola.com>,
linux-bluetooth@vger.kernel.org, linux-kernel@vger.kernel.org,
Feng Tang <feng.tang@intel.com>
Subject: Re: [PATCH] work around for l2cap NULL dereference in l2cap_conn_start
Date: Sun, 27 Feb 2011 23:03:40 -0600 [thread overview]
Message-ID: <20110228050340.GC22204@spacedout.fries.net> (raw)
In-Reply-To: <20110227191545.GB2166@joana>
On Sun, Feb 27, 2011 at 04:15:45PM -0300, Gustavo F. Padovan wrote:
> I pushed the following patch to bluetooth-2.6 tree. It should fix the problem
> by avoiding connections to be accepted before a L2CAP info response comes:
Is
git://git.kernel.org/pub/scm/linux/kernel/git/padovan/bluetooth-2.6.git
the bluetooth-2.6 tree you mentioned? I don't see your patch there.
As a side note, the inline patch in your e-mail has the tabs replaced by
spaces, once I changed them, it applied cleanly.
I first reverted to the base N900 kernel-power-2.6.28 46 (none of my
changes or debugging), it crashed as expected. I then applied your
patch 743400e0, and it still crashed. I added back the
l2cap_conn_start parent check and some debugging in af_bluetooth.c
dmesg debug output and patches follow.
I haven't at all looked into the bluetooth protocol, but what connect
sequence difference does it make if I power on the bluetooth headset
and press play on the headset before it automatically pairs with the
N900, vs power on bluetooth headset, wait for it to pair then press
play? I ask this partly because I'm curiouse, but mostly how I
trigger the bug. This is with pulse audio running, but no
applications playing audio or responding to a play event from the
headset.
[ 443.424560] bt_accept_dequeue, parent cd54ba00 newsock c81f0180, defer_setup && BT_CONNECT2
[ 443.427368] avoided crash in l2cap_conn_start sk c6d3f600 result 1 status 2
[ 443.518463] bt_accept_dequeue, parent cdee9c00 newsock c81f0000, BT_CONNECTED
[ 443.729736] bt_accept_dequeue, parent cd54be00 newsock c81f0000, BT_CONNECTED
[ 443.813537] bt_accept_dequeue, parent cd54b600 newsock c81f0180, defer_setup && BT_CONNECT2
>From 5bc80fafac43b6698e271f1246cb24e596bf2ef1 Mon Sep 17 00:00:00 2001
From: David Fries <david@fries.net>
Date: Sun, 6 Feb 2011 14:34:49 -0600
Subject: [PATCH 1/2] work around for l2cap NULL dereference in l2cap_conn_start print sk
---
net/bluetooth/l2cap.c | 11 ++++++++++-
1 files changed, 10 insertions(+), 1 deletions(-)
diff --git a/net/bluetooth/l2cap.c b/net/bluetooth/l2cap.c
index fda7741..ff05f51 100644
--- a/net/bluetooth/l2cap.c
+++ b/net/bluetooth/l2cap.c
@@ -400,7 +400,16 @@ static void l2cap_conn_start(struct l2cap_conn *conn)
struct sock *parent = bt_sk(sk)->parent;
rsp.result = cpu_to_le16(L2CAP_CR_PEND);
rsp.status = cpu_to_le16(L2CAP_CS_AUTHOR_PEND);
- parent->sk_data_ready(parent, 0);
+ if(!parent) {
+ printk(KERN_DEBUG "avoided "
+ "crash in %s sk %p "
+ "result %d status %d\n",
+ __func__, sk,
+ rsp.result, rsp.status);
+ } else {
+ parent->sk_data_ready(parent,
+ 0);
+ }
} else {
sk->sk_state = BT_CONFIG;
--
1.7.2.3
>From 42b9a6ef68a1cd0ef025b826afcfb0ef23342fe5 Mon Sep 17 00:00:00 2001
From: David Fries <david@fries.net>
Date: Sun, 27 Feb 2011 21:50:14 -0600
Subject: [PATCH 2/2] af_bluetooth.c debug
---
net/bluetooth/af_bluetooth.c | 12 ++++++++++++
1 files changed, 12 insertions(+), 0 deletions(-)
diff --git a/net/bluetooth/af_bluetooth.c b/net/bluetooth/af_bluetooth.c
index 8e910f1..57cd360 100644
--- a/net/bluetooth/af_bluetooth.c
+++ b/net/bluetooth/af_bluetooth.c
@@ -211,6 +211,18 @@ struct sock *bt_accept_dequeue(struct sock *parent, struct socket *newsock)
continue;
}
+ if (bt_sk(parent)->defer_setup && sk->sk_state == BT_CONNECT2)
+ printk("%s, parent %p newsock %p, "
+ "defer_setup && BT_CONNECT2\n", __func__,
+ parent, newsock);
+ if (sk->sk_state == BT_CONNECTED)
+ printk("%s, parent %p newsock %p, "
+ "BT_CONNECTED\n", __func__,
+ parent, newsock);
+ if (!newsock)
+ printk("%s, parent %p newsock %p, "
+ "!newsock\n", __func__,
+ parent, newsock);
if ((bt_sk(parent)->defer_setup && sk->sk_state == BT_CONNECT2)
|| sk->sk_state == BT_CONNECTED || !newsock) {
bt_accept_unlink(sk);
--
1.7.2.3
> commit 743400e01a33779f93b79c84a1b0d1a2d27338c8
> Author: Gustavo F. Padovan <padovan@profusion.mobi>
> Date: Sun Feb 27 16:05:07 2011 -0300
>
> Bluetooth: Don't accept l2cap connection before info_rsp
>
> When using defer_setup accepting a connection before receive the L2CAP
> Info Response for the connection lead us to a crash in l2cap_conn_start(.
>
> Reported-by: David Fries <david@fries.net>
> Reported-by: Liang Bao <tim.bao@gmail.com>
> Signed-off-by: Gustavo F. Padovan <padovan@profusion.mobi>
>
> diff --git a/net/bluetooth/af_bluetooth.c b/net/bluetooth/af_bluetooth.c
> index c4cf3f5..a8ca42b 100644
> --- a/net/bluetooth/af_bluetooth.c
> +++ b/net/bluetooth/af_bluetooth.c
> @@ -211,8 +211,8 @@ struct sock *bt_accept_dequeue(struct sock *parent, struct socket *newsock)
> continue;
> }
>
> - if (sk->sk_state == BT_CONNECTED || !newsock ||
> - bt_sk(parent)->defer_setup) {
> + if ((bt_sk(parent)->defer_setup && sk->sk_state == BT_CONNECT2)
> + || sk->sk_state == BT_CONNECTED || !newsock) {
> bt_accept_unlink(sk);
> if (newsock)
> sock_graft(sk, newsock);
>
>
> --
> Gustavo F. Padovan
> http://profusion.mobi
> --
> To unsubscribe from this list: send the line "unsubscribe linux-bluetooth" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at http://vger.kernel.org/majordomo-info.html
--
David Fries <david@fries.net>
http://fries.net/~david/ (PGP encryption key available)
next prev parent reply other threads:[~2011-02-28 5:03 UTC|newest]
Thread overview: 13+ messages / expand[flat|nested] mbox.gz Atom feed top
2011-02-11 3:53 [HACK PATCH] N900 l2cap connect crash, NULL parent David Fries
2011-02-14 14:56 ` Gustavo F. Padovan
2011-02-14 21:40 ` Andrei Warkentin
2011-02-21 4:36 ` [PATCH] work around for l2cap NULL dereference in l2cap_conn_start David Fries
2011-02-21 6:41 ` Liang Bao
2011-02-27 19:15 ` Gustavo F. Padovan
2011-02-28 5:03 ` David Fries [this message]
2011-02-28 17:30 ` Gustavo F. Padovan
2011-03-02 6:19 ` David Fries
2011-03-05 2:12 ` Gustavo F. Padovan
2011-03-22 2:30 ` David Fries
2011-03-24 15:37 ` Andrei Emeltchenko
2011-03-02 1:31 ` Andrei Warkentin
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20110228050340.GC22204@spacedout.fries.net \
--to=david@fries.net \
--cc=andreiw@motorola.com \
--cc=feng.tang@intel.com \
--cc=linux-bluetooth@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=tim.bao@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).