lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:	Mon, 14 Jan 2008 13:52:28 +0100
From:	Cornelia Huck <cornelia.huck@...ibm.com>
To:	"Dave Young" <hidave.darkstar@...il.com>
Cc:	"Gabor Gombas" <gombasg@...aki.hu>, "Tejun Heo" <htejun@...il.com>,
	"Al Viro" <viro@...iv.linux.org.uk>, linux-kernel@...r.kernel.org,
	bluez-devel@...ts.sf.net, kay.sievers@...y.org,
	"Greg KH" <greg@...ah.com>,
	"Marcel Holtmann" <marcel@...tmann.org>, davem@...emloft.net
Subject: Re: [Bluez-devel] Oops involving RFCOMM and sysfs

On Mon, 14 Jan 2008 15:05:19 +0800,
"Dave Young" <hidave.darkstar@...il.com> wrote:

> On Jan 12, 2008 7:09 AM, Gabor Gombas <gombasg@...aki.hu> wrote:
> > On Thu, Jan 10, 2008 at 09:11:17AM +0800, Dave Young wrote:
> >
> > > For bluetooth device_move, the only child device of hci_conn dev is
> > > the rfcomm tty_dev. How about the following patch, please verify :
> >
> > There is now no oops, instead the keyboard becomes almost completely
> > unresponsible when I switch off & on the phone. The mouse still works
> > (tested both with X and with the VGA console), but terminal input and VT
> > switching is dead. On the VGA console, even scrolling using Shift+PgUp
> > stops working.
> >
> > Alt+SysRq+w works, trace is below. Ctrl+Alt+Del also works, but then
> > init complains about hung processes and that it can not umount the file
> > systems and cannot stop the RAID arrays. Once it still rebooted though,
> > the second time it got hung after trying to umount the filesystems, and
> > I had to use Alt+SysRq+b.
> >
> > If I can choose then I prefer the Oops...
> >
> > Jan 11 23:46:35 twister kernel: SysRq : Emergency Sync
> > Jan 11 23:46:35 twister kernel: Emergency Sync complete
> > Jan 11 23:46:42 twister kernel: SysRq : Show Blocked State
> > Jan 11 23:46:42 twister kernel:   task                        PC stack   pid father
> > Jan 11 23:46:42 twister kernel: events/0      D ffffffff80487190     0     5      2
> > Jan 11 23:46:42 twister kernel:  ffff8100bf84fd40 0000000000000046 ffff8100ae7f2600 ffff8100bf84fd00
> > Jan 11 23:46:42 twister kernel:  ffff8100bf84a830 ffff8100bd872000 ffffffff80652ae0 0000000100000100
> > Jan 11 23:46:42 twister kernel:  0000000000000000 7fffffffffffffff 7fffffffffffffff 0000000000000002
> > Jan 11 23:46:42 twister kernel: Call Trace:
> > Jan 11 23:46:42 twister kernel:  [<ffffffff80473543>] schedule_timeout+0x1e/0xad
> > Jan 11 23:46:42 twister kernel:  [<ffffffff8028560d>] dput+0x26/0x103
> > Jan 11 23:46:42 twister kernel:  [<ffffffff802af3fd>] sysfs_move_dir+0x1ee/0x1fd
> > Jan 11 23:46:42 twister kernel:  [<ffffffff8047340b>] wait_for_common+0xc4/0x129
> > Jan 11 23:46:42 twister kernel:  [<ffffffff80224204>] default_wake_function+0x0/0xe
> > Jan 11 23:46:42 twister kernel:  [<ffffffff80471d72>] klist_del+0x15/0x2e
> > Jan 11 23:46:42 twister kernel:  [<ffffffff803698f3>] device_move+0x80/0x111
> > Jan 11 23:46:42 twister kernel:  [<ffffffff88146a27>] :bluetooth:hci_conn_move_child+0x0/0xf
> > Jan 11 23:46:42 twister kernel:  [<ffffffff88146a32>] :bluetooth:hci_conn_move_child+0xb/0xf
> > Jan 11 23:46:42 twister kernel:  [<ffffffff80369836>] device_for_each_child+0x22/0x4d

The problem here is that device_for_each_child() will elevate the
klist_node's refcount while the callback function calls device_move().
device_move() calls klist_remove() on the same node, which will do a
klist_del() and then wait for the refcount to drop to 0...

> > Jan 11 23:46:42 twister kernel:  [<ffffffff88146a05>] :bluetooth:del_conn+0x0/0x22
> > Jan 11 23:46:42 twister kernel:  [<ffffffff88146a1e>] :bluetooth:del_conn+0x19/0x22
> > Jan 11 23:46:42 twister kernel:  [<ffffffff8023696d>] run_workqueue+0x74/0xee
> > Jan 11 23:46:42 twister kernel:  [<ffffffff80236ff8>] worker_thread+0x0/0xe7
> > Jan 11 23:46:42 twister kernel:  [<ffffffff802370d2>] worker_thread+0xda/0xe7
> > Jan 11 23:46:42 twister kernel:  [<ffffffff80239b77>] autoremove_wake_function+0x0/0x2e
> > Jan 11 23:46:42 twister kernel:  [<ffffffff80236ff8>] worker_thread+0x0/0xe7
> > Jan 11 23:46:42 twister kernel:  [<ffffffff802399a0>] kthread+0x47/0x73
> > Jan 11 23:46:42 twister kernel:  [<ffffffff8020bdc8>] child_rip+0xa/0x12
> > Jan 11 23:46:42 twister kernel:  [<ffffffff80239959>] kthread+0x0/0x73
> > Jan 11 23:46:42 twister kernel:  [<ffffffff8020bdbe>] child_rip+0x0/0x12
> > Jan 11 23:46:42 twister kernel:
> > Jan 11 23:46:42 twister kernel: cat           D 7fffffffffffffff     0  3978   3965
> > Jan 11 23:46:42 twister kernel:  ffff81009e857ce8 0000000000000086 ffff8100ae7f2900 ffff81009e857ca8
> > Jan 11 23:46:42 twister kernel:  ffff8100bd872000 ffff8100bf9e7060 ffffffff80652ae0 00000001000000c0
> > Jan 11 23:46:42 twister kernel:  0000000000000000 7fffffffffffffff 7fffffffffffffff 0000000000000002
> > Jan 11 23:46:42 twister kernel: Call Trace:
> > Jan 11 23:46:42 twister kernel:  [<ffffffff80473543>] schedule_timeout+0x1e/0xad
> > Jan 11 23:46:42 twister kernel:  [<ffffffff80223ccc>] __dequeue_entity+0x1c/0x32
> > Jan 11 23:46:42 twister kernel:  [<ffffffff80223d05>] set_next_entity+0x23/0x73
> > Jan 11 23:46:42 twister kernel:  [<ffffffff8047340b>] wait_for_common+0xc4/0x129
> > Jan 11 23:46:42 twister kernel:  [<ffffffff80224204>] default_wake_function+0x0/0xe
> > Jan 11 23:46:42 twister kernel:  [<ffffffff80236b02>] flush_cpu_workqueue+0x50/0x58
> > Jan 11 23:46:42 twister kernel:  [<ffffffff80236c32>] wq_barrier_func+0x0/0x9
> > Jan 11 23:46:42 twister kernel:  [<ffffffff80236ecf>] flush_workqueue+0x9/0x12
> > Jan 11 23:46:42 twister kernel:  [<ffffffff803449f9>] release_dev+0x47c/0x5e2
> > Jan 11 23:46:42 twister kernel:  [<ffffffff8021b609>] do_page_fault+0x2ff/0x65a
> > Jan 11 23:46:42 twister kernel:  [<ffffffff80344b6b>] tty_release+0xc/0x10
> > Jan 11 23:46:42 twister kernel:  [<ffffffff80277013>] __fput+0xb1/0x16f
> > Jan 11 23:46:42 twister kernel:  [<ffffffff80274961>] filp_close+0x5d/0x65
> > Jan 11 23:46:42 twister kernel:  [<ffffffff80275ab3>] sys_close+0x73/0xa6
> > Jan 11 23:46:42 twister kernel:  [<ffffffff8020b5fc>] tracesys+0xdc/0xe1
> > Jan 11 23:46:42 twister kernel:
> >
> > If I'm not mistaken the "cat" above is the "cat /dev/zero >
> > /dev/rfcomm0" command.
> >
> 
> Any idea about this?
> 
> Add marcel and davem in cc-list.
 
As a band-aid, you could use device_find_child() and then device_move()
on the found child. Repeat until no children are left.
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ