kernel-packages team mailing list archive

[Bug 1189998] Re: bluetooth disconnection corrupts memory and causes kernel panic

 

ekin wrote:
> This bug seems similar to bug 1165433. By the way, the patch referred
> to in comment #4 is still being reviewed and revised it seems. See
> for instance http://marc.info/?a=127476616600009&r=1&w=2

The fix being discussed on the Bluetooth mailing list has already been
merged to bluetooth-next (and wireless-next). The fix should find its
way to the mainline kernel (probably 3.12).

http://marc.info/?l=linux-bluetooth&m=137699050920055&w=2

https://git.kernel.org/cgit/linux/kernel/git/bluetooth/bluetooth-next.git/commit/?id=1f088c00f11cd5b09e215cf31010ed3854f62b9a

https://git.kernel.org/cgit/linux/kernel/git/bluetooth/bluetooth-next.git/commit/?id=befa7d049165e6d47859fb827ee5671354f30284

https://git.kernel.org/cgit/linux/kernel/git/bluetooth/bluetooth-next.git/commit/?id=33040aa77f9ba8f0e3120f2e15917a74aef7ee07

https://git.kernel.org/cgit/linux/kernel/git/bluetooth/bluetooth-next.git/commit/?id=e5e5db0dcfb07cf40cbec7e198443a8f67a844c2

https://git.kernel.org/cgit/linux/kernel/git/bluetooth/bluetooth-next.git/commit/?id=77f577d52aefb92c350f65c4228958415a05510f

https://git.kernel.org/cgit/linux/kernel/git/bluetooth/bluetooth-next.git/commit/?id=288f2fc4203559d225d84f1a0308198ad7a06c65

http://marc.info/?l=linux-bluetooth&m=137719621522631&w=2

https://git.kernel.org/cgit/linux/kernel/git/linville/wireless-next.git/commit/?id=69b307a48a5e10d5fd53dbbfae1c700da356bd5d

However, the patch series is apparently "too extensive to consider for
-stable" [1]. So another solution is required for stable kernels, though
no one seems to know what the right solution for stable kernels is [2].

[1] http://marc.info/?l=linux-bluetooth&m=137762583515880&w=2

[2] http://marc.info/?l=linux-bluetooth&m=137768948602122&w=2

https://bugs.launchpad.net/bugs/1189998

Title:
  bluetooth disconnection corrupts memory and causes kernel panic

Status in “linux” package in Ubuntu:
  Confirmed
Status in “linux” source package in Raring:
  Confirmed
Status in “linux” source package in Saucy:
  Confirmed

Bug description:
  This bug is present on kernels v3.8-rc1 and beyond and was exposed by commit ecbbfd44.
  To reproduce:

  1) Pair a bluetooth device that is capable of being easily powered down (a phone for example)
  2) Configure /etc/bluetooth/rfcomm.conf to connect to device. For example:
  rfcomm0 {
          bind no;
          device XX:XX:XX:XX:XX:XX;
          channel XX;
          comment "phone";
  }
  3) Type 'rfcomm connect 0'.
  4) On the device power down the bluetooth component or power down the device.
  5) Eventually the machine will crash; I've found that exec'ing another program will cause the crash easily.

  ProblemType: KernelCrash
  DistroRelease: Ubuntu 13.10
  Package: linux-image-3.9.0-4-generic
  ProcVersionSignature: Ubuntu 3.9.0-4.9-generic 3.9.4
  Uname: Linux 3.9.0-4-generic x86_64
  ApportVersion: 2.10.2-0ubuntu1
  Architecture: amd64
  AudioDevicesInUse:
   USER        PID ACCESS COMMAND
   /dev/snd/controlC0:  ubuntu     1537 F.... pulseaudio
  Date: Tue Jun 11 12:22:26 2013
  HibernationDevice: RESUME=UUID=8c8e9f7c-b216-4ead-a5da-8e267ab136ac
  InstallationDate: Installed on 2013-06-05 (5 days ago)
  InstallationMedia: Ubuntu 13.10 "Saucy Salamander" - Alpha amd64 (20130605)
  MachineType: LENOVO 42872WU
  MarkForUpload: True
  ProcFB: 0 inteldrmfb
  ProcKernelCmdLine: BOOT_IMAGE=/boot/vmlinuz-3.9.0-4-generic root=UUID=94d4ed1f-8182-4805-8d5b-6944f6f1c428 ro crashkernel=384M-2G:64M,2G-:128M debug ignore_loglevel
  PulseList:
   Error: command ['pacmd', 'list'] failed with exit code 1: Home directory not accessible: Permission denied
   No PulseAudio daemon running, or not running as session daemon.
  RelatedPackageVersions:
   linux-restricted-modules-3.9.0-4-generic N/A
   linux-backports-modules-3.9.0-4-generic  N/A
   linux-firmware                           1.109
  SourcePackage: linux
  UpgradeStatus: No upgrade log present (probably fresh install)
  dmi.bios.date: 11/01/2011
  dmi.bios.vendor: LENOVO
  dmi.bios.version: 8DET55WW (1.25 )
  dmi.board.asset.tag: Not Available
  dmi.board.name: 42872WU
  dmi.board.vendor: LENOVO
  dmi.board.version: Not Available
  dmi.chassis.asset.tag: No Asset Information
  dmi.chassis.type: 10
  dmi.chassis.vendor: LENOVO
  dmi.chassis.version: Not Available
  dmi.modalias: dmi:bvnLENOVO:bvr8DET55WW(1.25):bd11/01/2011:svnLENOVO:pn42872WU:pvrThinkPadX220:rvnLENOVO:rn42872WU:rvrNotAvailable:cvnLENOVO:ct10:cvrNotAvailable:
  dmi.product.name: 42872WU
  dmi.product.version: ThinkPad X220
  dmi.sys.vendor: LENOVO

  --

  The actual crash:
  [  507.050158] Bluetooth: TIOCGSERIAL is not supported
  [  513.902765] ------------[ cut here ]------------
  [  513.902781] WARNING: at /build/buildd/linux-3.9.0/kernel/workqueue.c:602 get_work_pool+0x81/0x90()
  [  513.902784] Hardware name: 42872WU
  [  513.902786] Modules linked in: intel_powerclamp coretemp kvm_intel kvm parport_pc(F) crc32_pclmul(F) ghash_clmulni_intel(F) ppdev(F) rfcomm aesni_intel(F) aes_x86_64(F) bnep xts(F) lrw(F) gf128mul(F) ablk_helper(F) cryptd(F) joydev(F) arc4(F) uvcvideo iwldvm snd_hda_codec_hdmi snd_hda_codec_conexant videobuf2_vmalloc videobuf2_memops videobuf2_core mac80211 snd_hda_intel thinkpad_acpi videodev snd_hda_codec nvram(F) snd_hwdep(F) snd_pcm(F) iwlwifi snd_page_alloc(F) snd_seq_midi(F) snd_seq_midi_event(F) snd_rawmidi(F) snd_seq(F) snd_seq_device(F) btusb snd_timer(F) psmouse(F) snd(F) bluetooth mei cfg80211 serio_raw(F) soundcore(F) microcode(F) tpm_tis lpc_ich mac_hid lp(F) parport(F) i915 i2c_algo_bit drm_kms_helper e1000e(F) ptp(F) pps_core(F) drm sdhci_pci sdhci ahci(F) libahci(F) wmi video(F)
  [  513.902871] Pid: 863, comm: modem-manager Tainted: GF            3.9.0-4-generic #9-Ubuntu
  [  513.902873] Call Trace:
  [  513.902883]  [<ffffffff810584c0>] warn_slowpath_common+0x70/0xa0
  [  513.902889]  [<ffffffff810585aa>] warn_slowpath_null+0x1a/0x20
  [  513.902894]  [<ffffffff810750f1>] get_work_pool+0x81/0x90
  [  513.902900]  [<ffffffff810780c4>] flush_work+0x24/0x160
  [  513.902909]  [<ffffffffa051330e>] ? rfcomm_dev_destruct+0x7e/0xb0 [rfcomm]
  [  513.902916]  [<ffffffff8117d0ed>] ? kfree+0xfd/0x130
  [  513.902922]  [<ffffffff81078274>] __cancel_work_timer+0x74/0xb0
  [  513.902928]  [<ffffffff810782c0>] cancel_work_sync+0x10/0x20
  [  513.902935]  [<ffffffff814196bd>] tty_ldisc_halt+0x1d/0x30
  [  513.902940]  [<ffffffff8141a437>] tty_ldisc_release+0x17/0x90
  [  513.902946]  [<ffffffff814131ed>] tty_release+0x46d/0x5c0
  [  513.902953]  [<ffffffff81195da1>] __fput+0xe1/0x230
  [  513.902958]  [<ffffffff81195fbe>] ____fput+0xe/0x10
  [  513.902964]  [<ffffffff810799d7>] task_work_run+0xa7/0xe0
  [  513.902970]  [<ffffffff81013d09>] do_notify_resume+0x69/0xa0
  [  513.902977]  [<ffffffff816db7da>] int_signal+0x12/0x17
  [  513.902980] ---[ end trace df6aa8116aaf35db ]---
  [  536.981969] BUG: unable to handle kernel paging request at 000000fffffffe00
  [  536.982013] IP: [<ffffffff8117f83b>] __kmalloc_node_track_caller+0xdb/0x1d0
  [  536.982050] PGD 0 
  [  536.982061] Oops: 0000 [#1] SMP 
  [  536.982079] Modules linked in: intel_powerclamp coretemp kvm_intel kvm parport_pc(F) crc32_pclmul(F) ghash_clmulni_intel(F) ppdev(F) rfcomm aesni_intel(F) aes_x86_64(F) bnep xts(F) lrw(F) gf128mul(F) ablk_helper(F) cryptd(F) joydev(F) arc4(F) uvcvideo iwldvm snd_hda_codec_hdmi snd_hda_codec_conexant videobuf2_vmalloc videobuf2_memops videobuf2_core mac80211 snd_hda_intel thinkpad_acpi videodev snd_hda_codec nvram(F) snd_hwdep(F) snd_pcm(F) iwlwifi snd_page_alloc(F) snd_seq_midi(F) snd_seq_midi_event(F) snd_rawmidi(F) snd_seq(F) snd_seq_device(F) btusb snd_timer(F) psmouse(F) snd(F) bluetooth mei cfg80211 serio_raw(F) soundcore(F) microcode(F) tpm_tis lpc_ich mac_hid lp(F) parport(F) i915 i2c_algo_bit drm_kms_helper e1000e(F) ptp(F) pps_core(F) drm sdhci_pci sdhci ahci(F) libahci(F) wmi video(F)
  [  536.982464] CPU 3 
  [  536.982476] Pid: 1586, comm: dbus-daemon Tainted: GF       W    3.9.0-4-generic #9-Ubuntu LENOVO 42872WU/42872WU
  [  536.982522] RIP: 0010:[<ffffffff8117f83b>]  [<ffffffff8117f83b>] __kmalloc_node_track_caller+0xdb/0x1d0
  [  536.982567] RSP: 0018:ffff8801167099d0  EFLAGS: 00010246
  [  536.982591] RAX: 0000000000000000 RBX: ffff8800d3ce3c00 RCX: 000000000000c011
  [  536.982623] RDX: 000000000000c010 RSI: 0000000000000000 RDI: 0000000000017080
  [  536.982657] RBP: ffff880116709a10 R08: ffff88011e2d7080 R09: ffff880119802a00
  [  536.982688] R10: ffff880119810400 R11: 0000000000000246 R12: 00000000000106d0
  [  536.982719] R13: 000000fffffffe00 R14: 0000000000000200 R15: 00000000ffffffff
  [  536.982751] FS:  00007fab0e008800(0000) GS:ffff88011e2c0000(0000) knlGS:0000000000000000
  [  536.982787] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
  [  536.982812] CR2: 000000fffffffe00 CR3: 0000000116606000 CR4: 00000000000407e0
  [  536.982844] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
  [  536.982875] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
  [  536.982907] Process dbus-daemon (pid: 1586, threadinfo ffff880116708000, task ffff880113de45f0)
  [  536.982945] Stack:
  [  536.982954]  0000000000000001 ffff880119802a00 ffffffff815be9ae ffff8800d3ce3c00
  [  536.982991]  ffff880116709a6f 00000000000004d0 0000000000000200 00000000ffffffff
  [  536.983026]  ffff880116709a50 ffffffff815be741 ffffffff815be97e ffff8800d3ce3c00
  [  536.983062] Call Trace:
  [  536.983078]  [<ffffffff815be9ae>] ? __alloc_skb+0x7e/0x2b0
  [  536.983105]  [<ffffffff815be741>] __kmalloc_reserve.isra.26+0x31/0x90
  [  536.983135]  [<ffffffff815be97e>] ? __alloc_skb+0x4e/0x2b0
  [  536.983162]  [<ffffffff815be9ae>] __alloc_skb+0x7e/0x2b0
  [  536.983188]  [<ffffffff815b9f56>] sock_alloc_send_pskb+0x1c6/0x340
  [  536.983218]  [<ffffffff815bf38c>] ? consume_skb+0x2c/0x80
  [  536.983244]  [<ffffffff816d2c2e>] ? _raw_spin_lock+0xe/0x20
  [  536.983270]  [<ffffffff815ba0e5>] sock_alloc_send_skb+0x15/0x20
  [  536.983300]  [<ffffffff8165f349>] unix_stream_sendmsg+0x269/0x460
  [  536.983328]  [<ffffffff815b511a>] sock_sendmsg+0xaa/0xe0
  [  536.983353]  [<ffffffff815b5259>] ? sock_recvmsg+0xb9/0xf0
  [  536.983380]  [<ffffffff81098429>] ? load_balance+0x109/0x7e0
  [  536.983408]  [<ffffffff815c2c06>] ? verify_iovec+0x56/0xd0
  [  536.983434]  [<ffffffff815b58de>] __sys_sendmsg+0x39e/0x3b0
  [  536.983461]  [<ffffffff811da07b>] ? ep_send_events_proc+0x15b/0x1a0
  [  536.983492]  [<ffffffff81043bd9>] ? default_spin_lock_flags+0x9/0x10
  [  536.983522]  [<ffffffff811da85d>] ? ep_scan_ready_list.isra.6+0x1ad/0x1b0
  [  536.983554]  [<ffffffff811da991>] ? ep_poll+0x111/0x340
  [  536.983578]  [<ffffffff815b7802>] sys_sendmsg+0x42/0x80
  [  536.984924]  [<ffffffff816db51d>] system_call_fastpath+0x1a/0x1f
  [  536.986258] Code: 49 63 41 18 66 66 66 66 90 4c 89 e8 48 83 c4 18 5b 41 5c 41 5d 41 5e 41 5f 5d c3 0f 1f 44 00 00 49 63 41 20 48 8d 4a 01 49 8b 39 <49> 8b 5c 05 00 4c 89 e8 65 48 0f c7 0f 0f 94 c0 84 c0 0f 84 65 
  [  536.989223] RIP  [<ffffffff8117f83b>] __kmalloc_node_track_caller+0xdb/0x1d0
  [  536.990667]  RSP <ffff8801167099d0>
  [  536.992062] CR2: 000000fffffffe00

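A triage sketch for kernel logs like the one in this report, added here as an example and not part of the original bug report or of any kernel tooling: it splits a log into WARNING/BUG reports, records which module owns each stack frame, and labels a later oops that follows an rfcomm report as a possible follow-on. The function names and the 60-second window are assumptions; the sample lines are abridged from the trace quoted in the bug description.

```python
import re

# Sample input: lines abridged from the trace quoted in the bug description.
SAMPLE = """\
[  513.902781] WARNING: at /build/buildd/linux-3.9.0/kernel/workqueue.c:602 get_work_pool+0x81/0x90()
[  513.902873] Call Trace:
[  513.902894]  [<ffffffff810750f1>] get_work_pool+0x81/0x90
[  513.902900]  [<ffffffff810780c4>] flush_work+0x24/0x160
[  513.902909]  [<ffffffffa051330e>] ? rfcomm_dev_destruct+0x7e/0xb0 [rfcomm]
[  513.902935]  [<ffffffff814196bd>] tty_ldisc_halt+0x1d/0x30
[  513.902980] ---[ end trace df6aa8116aaf35db ]---
[  536.981969] BUG: unable to handle kernel paging request at 000000fffffffe00
[  536.983062] Call Trace:
[  536.983105]  [<ffffffff815be741>] __kmalloc_reserve.isra.26+0x31/0x90
[  536.983300]  [<ffffffff8165f349>] unix_stream_sendmsg+0x269/0x460
"""

LINE = re.compile(r"^\s*\[\s*(\d+\.\d+)\] (.*)$")
HEAD = re.compile(r"^(WARNING|BUG):")
FRAME = re.compile(r"^\s*\[<[0-9a-f]+>\] (\? )?([\w.]+)\+0x[0-9a-f]+/0x[0-9a-f]+(?: \[(\w+)\])?")

def parse_reports(text):
    """Split a kernel log into WARNING/BUG reports with their stack frames."""
    reports = []
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        ts, msg = float(m.group(1)), m.group(2)
        head = HEAD.match(msg)
        if head:
            reports.append({"time": ts, "kind": head.group(1), "frames": []})
        elif reports and (f := FRAME.match(msg)):
            # (symbol, owning module or None for core kernel, False if marked '?')
            reports[-1]["frames"].append((f.group(2), f.group(3), f.group(1) is None))
    return reports

def triage(reports, module="rfcomm", window=60.0):
    """Label reports 'direct' (module on stack), 'follow-on' or 'unrelated'."""
    labels, last_direct = [], None
    for r in reports:
        if any(mod == module for _, mod, _ in r["frames"]):
            labels.append("direct")
            last_direct = r["time"]
        elif last_direct is not None and r["time"] - last_direct <= window:  # assumed heuristic
            labels.append("follow-on")
        else:
            labels.append("unrelated")
    return labels
```

A "follow-on" label only says the oops came shortly after a report with the module on its stack; it is a prompt to read the two traces together, not proof of a common cause.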