Re: [PATCH 1/5] Bluetooth: Fix crash on SCO disconnect

Hi Kuba,

> When disconnecting audio from the phone's side, it may happen that
> a thread handling the HCI message 'disconnection complete' gets preempted
> in 'sco_conn_del' before calling 'sco_sock_kill', still holding a pointer
> to struct sock sk. The interrupting thread, started in 'sco_sock_shutdown', will
> carry on releasing resources and will eventually release the struct sock.
> When execution goes back to the first thread, it will call sco_sock_kill using
> a now invalid pointer to the already destroyed socket.
> 
> The fix is to grab a reference to the socket and release it after calling
> 'sco_sock_kill'.
> 
> [  166.358213] BUG: unable to handle kernel paging request at 7541203a
> [  166.365228] IP: [<fb6e8bfb>] bt_sock_unlink+0x1a/0x38 [bluetooth]
> [  166.372068] *pdpt = 0000000024b19001 *pde = 0000000000000000
> [  166.378483] Oops: 0002 [#1] PREEMPT SMP
> [  166.382871] Modules linked in: evdev ecb rfcomm(O) libcomposite usb2380 udc_core bnep(O) btusb(O) btbcm(O) btintel(O) cdc_acm bluetooth(O) arc4 uinput hid_multitouch iwlmvm(O) usbhid hide
> [  166.424233] Pid: 338, comm: kworker/u:2H Tainted: G           O 3.8.0-115.1-plk-adaptation-byt-ivi-brd #1
> [  166.435112] EIP: 0060:[<fb6e8bfb>] EFLAGS: 00010206 CPU: 0
> [  166.441259] EIP is at bt_sock_unlink+0x1a/0x38 [bluetooth]
> [  166.447382] EAX: 632e6563 EBX: e4bfc600 ECX: e466d4d3 EDX: 7541203a
> [  166.454369] ESI: fb7278ac EDI: e4d52000 EBP: e4669e20 ESP: e4669e0c
> [  166.461366]  DS: 007b ES: 007b FS: 00d8 GS: 0000 SS: 0068
> [  166.467391] CR0: 8005003b CR2: 7541203a CR3: 24aba000 CR4: 001007f0
> [  166.474387] DR0: 00000000 DR1: 00000000 DR2: 00000000 DR3: 00000000
> [  166.481375] DR6: ffff0ff0 DR7: 00000400
> [  166.485654] Process kworker/u:2H (pid: 338, ti=e4668000 task=e466e030 task.ti=e4668000)
> [  166.494591] Stack:
> [  166.496830]  e4bfc600 e4bfc600 fb715c28 e4717ee0 e4d52000 e4669e3c fb715cf3 e4bfc634
> [  166.505518]  00000068 e4d52000 e4c32000 fb7277c0 e4669e6c fb6f2019 0000004a 00000216
> [  166.514205]  e4660101 e4c32008 02000001 00000013 e4d52000 e4c32000 e3dc9240 00000005
> [  166.522891] Call Trace:
> [  166.525654]  [<fb715c28>] ? sco_sock_kill+0x73/0x9a [bluetooth]
> [  166.532295]  [<fb715cf3>] ? sco_conn_del+0xa4/0xbf [bluetooth]
> [  166.538836]  [<fb6f2019>] ? hci_disconn_complete_evt.clone.55+0x1bd/0x205 [bluetooth]
> [  166.547609]  [<fb6f73d3>] ? hci_event_packet+0x297/0x223c [bluetooth]
> [  166.554805]  [<c10416da>] ? dequeue_task+0xaf/0xb7
> [  166.560154]  [<c1041095>] ? finish_task_switch+0x50/0x89
> [  166.566086]  [<c1349a2e>] ? __schedule+0x638/0x6b8
> [  166.571460]  [<fb6eb906>] ? hci_rx_work+0xb9/0x2b8 [bluetooth]
> [  166.577975]  [<c1035df9>] ? process_one_work+0x157/0x21b
> [  166.583933]  [<fb6eb84d>] ? hci_cmd_work+0xef/0xef [bluetooth]
> [  166.590448]  [<c1036217>] ? worker_thread+0x16e/0x20a
> [  166.596088]  [<c10360a9>] ? manage_workers+0x1cf/0x1cf
> [  166.601826]  [<c103a0ef>] ? kthread+0x8d/0x92
> [  166.606691]  [<c134adf7>] ? ret_from_kernel_thread+0x1b/0x28
> [  166.613010]  [<c103a062>] ? __init_kthread_worker+0x24/0x24
> [  166.619230] Code: 85 63 ff ff ff 31 db 8d 65 f4 89 d8 5b 5e 5f 5d c3 56 8d 70 04 53 89 f0 89 d3 e8 7e 17 c6 c5 8b 53 28 85 d2 74 1a 8b 43 24 85 c0 <89> 02 74 03 89 50 04 c7 43 28 00 00 00
> [  166.640501] EIP: [<fb6e8bfb>] bt_sock_unlink+0x1a/0x38 [bluetooth] SS:ESP 0068:e4669e0c
> [  166.649474] CR2: 000000007541203a
> [  166.653420] ---[ end trace 0181ff2c9e42d51e ]---
> [  166.658609] note: kworker/u:2H[338] exited with preempt_count 1
> 
> Signed-off-by: Kuba Pawlak <kubax.t.pawlak@xxxxxxxxx>
> ---
> net/bluetooth/sco.c | 2 ++
> 1 file changed, 2 insertions(+)

patch has been applied to bluetooth-next tree.

Regards

Marcel
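The race the commit message describes, modelled in user space as an added example (this is not the kernel's sco.c code): a reference-counted stand-in for struct sock, the preemption interleaving from the commit message, and the hold/put fix. sock_hold and sock_put here are simplified stand-ins for the kernel helpers of the same name, and the "freed" flag replaces actual memory release so the stale use is observable instead of a crash.

```c
#include <stdbool.h>
#include <stdlib.h>

/* Constructed stand-in for struct sock: one refcount plus markers. */
struct sock {
    int refcnt;
    bool freed;     /* set when the last reference is dropped */
    bool unlinked;  /* set by our sco_sock_kill stand-in */
};

static void sock_hold(struct sock *sk) { sk->refcnt++; }

/* Drop one reference; the object is "freed" when the last one goes. */
static void sock_put(struct sock *sk)
{
    if (--sk->refcnt == 0)
        sk->freed = true;   /* the real kernel returns the memory here */
}

/* Stand-in for sco_sock_kill: dereferences sk (bt_sock_unlink in the oops).
 * Returns false when sk was already released, i.e. the use-after-free. */
static bool sco_sock_kill(struct sock *sk)
{
    if (sk->freed)
        return false;
    sk->unlinked = true;
    return true;
}

/* Interleaving from the commit message: sco_conn_del loads sk, is preempted,
 * the sco_sock_shutdown path drops the socket's reference, then sco_conn_del
 * resumes and calls sco_sock_kill. With hold_ref the fix is applied. */
static bool run_interleaving(bool hold_ref)
{
    struct sock *sk = calloc(1, sizeof *sk);
    bool ok;

    sk->refcnt = 1;             /* reference owned by the shutdown path */
    if (hold_ref)
        sock_hold(sk);          /* fix: grab a reference before use */
    sock_put(sk);               /* preempting thread releases its reference */
    ok = sco_sock_kill(sk);     /* sco_conn_del resumes with its pointer */
    if (hold_ref)
        sock_put(sk);           /* fix: release after sco_sock_kill */
    ok = ok && sk->freed;       /* object still freed exactly once at the end */
    free(sk);
    return ok;
}
```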
