Hi,

I'm getting a lot of crashes when I disconnect SCO quickly after triggering connect from a remote device. They all happen when there is a race between the sco_sock_shutdown function, when it is called before a connection is fully established by sco_connect_cfm.

The remote device opens a connection. We create hci_conn, sco_conn and sock structures. This new socket is in deferred-accept state. When the first read occurs on our side (that is done by PulseAudio), it is accepted and a connect confirm message is sent. At this point it is possible to close this socket. PulseAudio calls shutdown. The SCO shutdown procedure starts to remove data and eventually struct sock sk is destroyed. hci_conn and sco_conn are still there as they can only be removed in disconnect_cfm, which did not happen. These structures are partially cleaned out. When the connection confirmation arrives, sco_conn_ready sees that sk in sco_conn is NULL and tries to create a new socket.

Please see the attached backtrace. It crashed while calling bacmp(...) in sco_get_sock_listen(&conn->hcon->src), called from sco_conn_ready, because __sco_sock_close already marked hcon in conn as NULL (sco_pi(sk)->conn->hcon = NULL).

sco_connect_cfm should not try to create a new socket that has just been removed, and a disconnect message should have been sent.

Kuba

Intel Deutschland GmbH
Registered Address: Am Campeon 10-12, 85579 Neubiberg, Germany
Tel: +49 89 99 8853-0, www.intel.de
Managing Directors: Christin Eisenschmid, Prof. Dr. Hermann Eul
Chairperson of the Supervisory Board: Tiffany Doon Silva
Registered Office: Munich
Commercial Register: Amtsgericht Muenchen HRB 186928
[ 4634.942441] bluetooth:hci_conn_request_evt:2319: hci0 bdaddr 78:1f:db:e3:55:ad type 0x2
[ 4634.951788] bluetooth:sco_connect_ind:1082: hdev hci0, bdaddr 78:1f:db:e3:55:ad
[ 4634.960286] bluetooth:hci_inquiry_cache_lookup:1071: cache e47c4948, 78:1f:db:e3:55:ad
[ 4634.969446] bluetooth:hci_conn_add:437: hci0 dst 78:1f:db:e3:55:ad
[ 4634.976573] bluetooth:hci_dev_hold:913: hci0 orig refcnt 9
[ 4634.982801] bluetooth:hci_conn_init_sysfs:80: conn e416a000
[ 4634.989298] bluetooth:sco_connect_cfm:1109: hcon e416a000 bdaddr 78:1f:db:e3:55:ad status 0
[ 4634.999061] bluetooth:sco_conn_add:125: hcon e416a000 conn e3f101c0
[ 4635.006328] bluetooth:sco_conn_ready:1023: conn e3f101c0
[ 4635.012560] bluetooth:sco_sock_init:448: sk e4aedc00
[ 4635.018151] bluetooth:hci_conn_hold:860: hcon e416a000 orig refcnt 0
[ 4635.025271] bluetooth:__sco_chan_add:187: conn e3f101c0
[ 4635.031125] bluetooth:bt_accept_enqueue:157: parent e4720400, sk e4aedc00
[ 4635.039289] bluetooth:sco_sock_accept:630: sk e4720400 timeo 0
[ 4635.046092] bluetooth:bt_accept_dequeue:182: parent e4720400
[ 4635.052501] bluetooth:bt_accept_unlink:168: sk e4aedc00 state 6
[ 4635.059240] bluetooth:sco_sock_accept:666: new socket e4aedc00
[ 4635.065879] bluetooth:sco_sock_getname:678: sock e3575040, sk e4aedc00
[ 4635.073695] bluetooth:sco_sock_getname:678: sock e3575040, sk e4aedc00
[ 4635.086828] bluetooth:sco_conn_defer_accept:726: conn e416a000
[ 4635.093430] bluetooth:hci_send_cmd:3382: hci0 opcode 0x0429 plen 21
[ 4635.100503] bluetooth:hci_prepare_cmd:99: skb len 24
[ 4635.106182] bluetooth:hci_cmd_work:4217: hci0 cmd_cnt 1 cmd queued 1
[ 4635.114352] bluetooth:hci_cmd_status_evt:3143: hci0 opcode 0x0429
[ 4635.121352] bluetooth:hci_req_cmd_complete:4103: opcode 0x0429 status 0x00
[ 4635.129251] bluetooth:hci_sent_cmd_data:3414: hci0 opcode 0x0429
[ 4635.129695] bluetooth:sco_sock_shutdown:974: sock e3575040, sk e4aedc00
[ 4635.129701] bluetooth:sco_sock_clear_timer:98: sock e4aedc00 state 7
[ 4635.129705] bluetooth:__sco_sock_close:406: sk e4aedc00 state 7 socket e3575040
[ 4635.129709] bluetooth:sco_sock_set_timer:92: sock e4aedc00 state 8 timeout 2000
[ 4635.129713] bluetooth:hci_conn_drop:868: hcon e416a000 orig refcnt 1
[ 4635.129744] bluetooth:sco_sock_release:999: sock e3575040, sk e4aedc00
[ 4635.129747] bluetooth:sco_sock_clear_timer:98: sock e4aedc00 state 8
[ 4635.129752] bluetooth:__sco_sock_close:406: sk e4aedc00 state 8 socket e3575040
[ 4635.129755] bluetooth:sco_chan_del:138: sk e4aedc00, conn e3f101c0, err 104
[ 4635.129761] bluetooth:sco_sock_kill:396: sk e4aedc00 state 9
[ 4635.129765] bluetooth:sco_sock_destruct:366: sk e4aedc00
[ 4635.217111] bluetooth:hci_sync_conn_complete_evt:3745: hci0 status 0x00
[ 4635.225058] bluetooth:hci_conn_add_sysfs:93: conn e416a000
[ 4635.231753] bluetooth:hci_dev_hold:913: hci0 orig refcnt 12
[ 4635.238208] bluetooth:sco_connect_cfm:1109: hcon e416a000 bdaddr 78:1f:db:e3:55:ad status 0
[ 4635.247842] bluetooth:sco_conn_ready:1023: conn e3f101c0
[ 4635.254073] BUG: unable to handle kernel NULL pointer dereference at 00000013
[ 4635.262058] IP: [<c11659f0>] memcmp+0xe/0x25
[ 4635.266835] *pdpt = 0000000024190001 *pde = 0000000000000000
[ 4635.273261] Oops: 0000 [#1] PREEMPT SMP
[ 4635.277652] Modules linked in: evdev ecb vfat fat libcomposite usb2380 isofs zlib_inflate rfcomm(O) udc_core bnep(O) btusb(O) btbcm(O) btintel(O) bluetooth(O) cdc_acm arc4 uinput hid_mule
[ 4635.321761] Pid: 363, comm: kworker/u:2H Tainted: G O 3.8.0-119.1-plk-adaptation-byt-ivi-brd #1
[ 4635.332642] EIP: 0060:[<c11659f0>] EFLAGS: 00010206 CPU: 0
[ 4635.338767] EIP is at memcmp+0xe/0x25
[ 4635.342852] EAX: e4720678 EBX: 00000000 ECX: 00000006 EDX: 00000013
[ 4635.349849] ESI: 00000000 EDI: fb85366c EBP: e40c7dc0 ESP: e40c7db4
[ 4635.356846] DS: 007b ES: 007b FS: 00d8 GS: 0000 SS: 0068
[ 4635.362873] CR0: 8005003b CR2: 00000013 CR3: 24191000 CR4: 001007f0
[ 4635.369869] DR0: 00000000 DR1: 00000000 DR2: 00000000 DR3: 00000000
[ 4635.376865] DR6: ffff0ff0 DR7: 00000400
[ 4635.381143] Process kworker/u:2H (pid: 363, ti=e40c6000 task=e40c5510 task.ti=e40c6000)
[ 4635.390080] Stack:
[ 4635.392319] e4720400 00000000 fb85366c e40c7df4 fb842285 e40c7de2 fb853200 00000013
[ 4635.401003] e3f101c4 e4720678 e3f101c0 e403be0a e40c7dfc e416a000 e403be0a fb85366c
[ 4635.409692] e40c7e1c fb820186 020f6c00 e47c49ac e47c4008 00000000 e416a000 e47c402c
[ 4635.418380] Call Trace:
[ 4635.421153] [<fb842285>] sco_connect_cfm+0xff/0x236 [bluetooth]
[ 4635.427893] [<fb820186>] hci_sync_conn_complete_evt.clone.101+0x227/0x268 [bluetooth]
[ 4635.436758] [<fb82370f>] hci_event_packet+0x1caa/0x21d3 [bluetooth]
[ 4635.443859] [<c106231f>] ? trace_hardirqs_on+0xb/0xd
[ 4635.449502] [<c1375b8a>] ? _raw_spin_unlock_irqrestore+0x42/0x59
[ 4635.456340] [<fb814b67>] hci_rx_work+0xb9/0x350 [bluetooth]
[ 4635.462663] [<c1039f1e>] ? process_one_work+0x17b/0x2e6
[ 4635.468596] [<c1039f77>] process_one_work+0x1d4/0x2e6
[ 4635.474333] [<c1039f1e>] ? process_one_work+0x17b/0x2e6
[ 4635.480294] [<fb814aae>] ? hci_cmd_work+0xda/0xda [bluetooth]
[ 4635.486810] [<c103a3fa>] worker_thread+0x171/0x20f
[ 4635.492257] [<c10456c5>] ? complete+0x34/0x3e
[ 4635.497219] [<c103ea06>] kthread+0x90/0x95
[ 4635.501888] [<c103a289>] ? manage_workers+0x1df/0x1df
[ 4635.507628] [<c1376537>] ret_from_kernel_thread+0x1b/0x28
[ 4635.513755] [<c103e976>] ? __init_kthread_worker+0x42/0x42
[ 4635.519975] Code: 74 0d 3c 79 74 04 3c 59 75 0c c6 02 01 eb 03 c6 02 00 31 c0 eb 05 b8 ea ff ff ff 5d c3 55 89 e5 57 56 53 31 db eb 0e 0f b6 34 18 <0f> b6 3c 1a 43 29 fe 75 07 49 85 c9 7f
[ 4635.541264] EIP: [<c11659f0>] memcmp+0xe/0x25 SS:ESP 0068:e40c7db4
[ 4635.548166] CR2: 0000000000000013
[ 4635.552177] ---[ end trace e05ce9b8ce6182f6 ]---
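To make the ordering in the report concrete, the following is an added C model of the race, written for this thread; it is not the kernel's net/bluetooth/sco.c and not a patch. Structure and function names follow the kernel's so the trace is easy to map, but every body is a simplified stand-in, the listening address is a constructed example value, and the `hcon == NULL` check in `model_conn_ready` is an assumed form of the guard the report argues for (refuse to create a socket on a torn-down connection), not the actual fix.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Six-byte Bluetooth device address, as in the kernel's bdaddr_t. */
typedef struct { unsigned char b[6]; } bdaddr_t;

struct hci_conn { bdaddr_t src; };
struct sock { struct sco_conn *conn; };

/* Stand-in for struct sco_conn: just the two pointers the race touches.
 * Per the report, __sco_sock_close NULLs hcon and sco_chan_del detaches sk,
 * while sco_conn itself lives on until disconnect_cfm. */
struct sco_conn {
    struct hci_conn *hcon;
    struct sock *sk;
};

/* Constructed address of the local listening socket (example value). */
static const bdaddr_t listen_src = { { 0x00, 0x11, 0x22, 0x33, 0x44, 0x55 } };

/* bacmp() is a memcmp over the address bytes. In the report the oops landed
 * here: hcon was NULL, so &hcon->src was a small bogus offset (CR2 = 0x13). */
static int bacmp(const bdaddr_t *a, const bdaddr_t *b)
{
    return memcmp(a->b, b->b, sizeof(a->b));
}

/* Stand-in for sco_get_sock_listen(): 1 if a listener exists for src. */
static int sco_get_sock_listen(const bdaddr_t *src)
{
    return bacmp(src, &listen_src) == 0;
}

/* Teardown that shutdown()/close() runs before the confirmation arrives.
 * Assumed behaviour, following the report: sk goes away, hcon is NULLed. */
static void model_sock_close(struct sco_conn *conn)
{
    free(conn->sk);
    conn->sk = NULL;
    conn->hcon = NULL;   /* sco_pi(sk)->conn->hcon = NULL in the report */
}

/* Model of sco_conn_ready(). Returns 0 when the connection is bound to a
 * socket (existing or newly created) and -1 when it was already torn down,
 * in which case the caller should disconnect instead of creating a fresh
 * socket. The hcon check is the guard this example assumes. */
static int model_conn_ready(struct sco_conn *conn)
{
    if (conn->sk)
        return 0;                    /* socket still attached: nothing to do */
    if (!conn->hcon)
        return -1;                   /* shutdown already ran: refuse */
    if (!sco_get_sock_listen(&conn->hcon->src))
        return -1;                   /* nobody listening on this address */
    conn->sk = calloc(1, sizeof(*conn->sk));
    if (!conn->sk)
        return -1;
    conn->sk->conn = conn;
    return 0;
}

/* Ordering from the trace: connect_cfm creates a socket, the local side
 * shuts it down, then sync_conn_complete triggers a second connect_cfm. */
int run_race_scenario(void)
{
    struct hci_conn hcon;
    struct sco_conn conn = { &hcon, NULL };
    memcpy(&hcon.src, &listen_src, sizeof(hcon.src));

    model_conn_ready(&conn);          /* first cfm: socket created */
    model_sock_close(&conn);          /* shutdown/release before completion */
    return model_conn_ready(&conn);   /* second cfm: guard returns -1 */
}

/* Same two confirmations without the shutdown in between. */
int run_normal_scenario(void)
{
    struct hci_conn hcon;
    struct sco_conn conn = { &hcon, NULL };
    int ret;
    memcpy(&hcon.src, &listen_src, sizeof(hcon.src));

    model_conn_ready(&conn);
    ret = model_conn_ready(&conn);    /* socket still attached: 0 */
    free(conn.sk);
    return ret;
}

int main(void)
{
    printf("race scenario:   %d (expect -1)\n", run_race_scenario());
    printf("normal scenario: %d (expect 0)\n", run_normal_scenario());
    return 0;
}
```

Without the `!conn->hcon` check, the second `model_conn_ready` call takes `&conn->hcon->src` through a NULL pointer, which is the same shape as the `memcmp` oops in the trace; with it, the confirmation for an already-closed socket is reported back to the caller so it can disconnect rather than re-create state.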