From: Nick Pelly <npelly@google.com>
To: Dave Young <hidave.darkstar@gmail.com>
Cc: Bluettooth Linux <linux-bluetooth@vger.kernel.org>
Subject: Re: Kernel panic in rfcomm_run - unbalanced refcount on rfcomm_session
Date: Sun, 21 Feb 2010 13:00:36 -0800
Message-ID: <35c90d961002211300s25507542y9b73724881be5540@mail.gmail.com>
In-Reply-To: <a8e1da1002200017t6e856c7cu1300ac5b3b3a43b@mail.gmail.com>
On Sat, Feb 20, 2010 at 12:17 AM, Dave Young <hidave.darkstar@gmail.com> wrote:
> On Thu, Feb 18, 2010 at 1:04 PM, Nick Pelly <npelly@google.com> wrote:
>> Since 2.6.32 we are seeing kernel panics like:
>>
>> [10651.110229] Unable to handle kernel paging request at virtual
>> address 6b6b6b6b
>> [10651.111968] Internal error: Oops: 5 [#1] PREEMPT
>> [10651.113952] CPU: 0 Tainted: G W (2.6.32-59979-gd0c97db #1)
>> [10651.114624] PC is at rfcomm_run+0xa04/0xdbc
>> <...>
>> [10651.406188] [<c031ad24>] (rfcomm_run+0xa04/0xdbc) from [<c006ce30>]
>> (kthread+0x78/0x80)
>> [10651.406585] [<c006ce30>] (kthread+0x78/0x80) from [<c002793c>]
>> (kernel_thread_exit+0x0/0x8)
>>
>> (rfcomm_run() is all inlined so there's not much of a stack trace)
>
> Could you make rfcomm_process_sessions to be not inlined, and get new
> kernel logs?
I'm not using a stock kernel, so I'm not sure how the kernel trace
will help, but the un-inlined stack that I decoded against my vmlinux
is:
>> This is a use-after-free on struct rfcomm_session s in the call chain
>> rfcomm_run() -> rfcomm_process_sessions() -> rfcomm_process_dlcs() ->
>> list_for_each_safe(p, n, &s->dlcs)
PS - 9e726b17422b is definitely not the root cause, we've now seen the
same crash with this patch reverted (but it is much harder to
reproduce with 9e726b17422b reverted).
Nick