Hi Andrei, > Yet another version of patches fixing kernel crash in RFCOMM / L2CAP. > *v4: taken Gustavo comments about timer HZ -> HZ/5 > > Do not delete l2cap channel and socket sk when sk is owned by user. > To delete l2cap channel standard timer is used. > > lock_sock and release_sock do not hold a normal spinlock directly but > instead hold the owner field. This means bh_lock_sock can still execute > even if the socket is "locked". More info can be found here: > http://www.linuxfoundation.org/collaborate/workgroups/networking/socketlocks > > When sending following sequence: > ... > No. Time Source Destination Protocol Info > 89 1.951202 RFCOMM Rcvd DISC DLCI=20 > 90 1.951324 RFCOMM Sent UA DLCI=20 > 91 1.959381 HCI_EVT Number of Completed Packets > 92 1.966461 RFCOMM Rcvd DISC DLCI=0 > 93 1.966492 L2CAP Rcvd Disconnect Request > 94 1.972595 L2CAP Sent Disconnect Response > > ... > > krfcommd kernel thread is preempted with l2cap tasklet which remove l2cap_conn > (L2CAP connection handler structure). Then rfcomm thread tries to send RFCOMM > UA which is reply to RFCOMM DISC and when de-referencing l2cap_conn crash > happens. so I assume you have tested this extensively with various RFCOMM corner cases like incoming RFCOMM. Since a lot of profiles require proper disconnects and we have to ensure that our reference counting is correct. Other then that it seems fine to me. Acked-by: Marcel Holtmann <marcel@xxxxxxxxxxxx> Regards Marcel -- To unsubscribe from this list: send the line "unsubscribe linux-bluetooth" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
