lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-Id: <1167756714.30886.88.camel@violet>
Date:	Tue, 02 Jan 2007 17:51:54 +0100
From:	Marcel Holtmann <marcel@...tmann.org>
To:	BlueZ development <bluez-devel@...ts.sourceforge.net>
Cc:	kernel list <linux-kernel@...r.kernel.org>,
	Andrew Morton <akpm@...l.org>, gregkh@....ucw.cz,
	maxk@...lcomm.com, bluez-devel@...ts.sf.net
Subject: Re: [Bluez-devel] regression: bluetooth oopses because of multiple
	kobject_add()

Hi Pavel,

> On 2.6.20-rc2, I got:
> 
> This used to work before... certainly with 2.6.19.
> 
> Running this multiple times seems to trigger it:
> 
> #!/bin/bash
> #
> # Run tui on desktop machine, using t68i instead of a modem.
> #
> 
> hciconfig hci0 name billionton
> hciconfig hci0 up
> hcid
> rfcomm unbind 1
> # t68
>  rfcomm bind 1 00:80:37:??:??:??
> stty -echo < /dev/rfcomm1
> 
> cd ~pavel/misc/tui/microwindows-0.91/src
> ( while true; do ~pavel/sf/tui/input_sx1 | bin/phone; done ) &
> ./launcher.sh
> 
> 								Pavel
> 
> ....
> l2cap_recv_acldata: Unexpected continuation frame (len 0)
> l2cap_recv_acldata: Unexpected continuation frame (len 0)
> l2cap_recv_acldata: Unexpected continuation frame (len 0)
> l2cap_recv_acldata: Unexpected continuation frame (len 0)
> l2cap_recv_acldata: Unexpected continuation frame (len 0)
> l2cap_recv_acldata: Unexpected continuation frame (len 0)
> l2cap_recv_acldata: Unexpected continuation frame (len 0)
> l2cap_recv_acldata: Unexpected continuation frame (len 0)
> l2cap_recv_acldata: Unexpected continuation frame (len 0)
> kobject_add failed for rfcomm1 with -EEXIST, don't try to register things with the same name in the same directory.
>  [<c025121c>] kobject_add+0x1ac/0x1e0
>  [<c0328d40>] device_add+0xb0/0x500
>  [<c025156b>] kobject_init+0x2b/0x40
>  [<c0328510>] device_create_release+0x0/0x10
>  [<c0329229>] device_create+0x89/0xc0
>  [<c02d854b>] tty_register_device+0x5b/0xf0
>  [<c0612038>] _read_lock_bh+0x8/0x20
>  [<c05e4072>] hci_get_route+0x112/0x120
>  [<c05f04ed>] rfcomm_dev_ioctl+0x4cd/0x690
>  [<c05ee6b9>] rfcomm_sock_ioctl+0x29/0x50
>  [<c054409f>] sock_ioctl+0xaf/0x1d0
>  [<c0543ff0>] sock_ioctl+0x0/0x1d0
>  [<c017a23b>] do_ioctl+0x2b/0xa0
>  [<c017a30c>] vfs_ioctl+0x5c/0x2e0
>  [<c017a5cd>] sys_ioctl+0x3d/0x70
>  [<c010304c>] syscall_call+0x7/0xb
>  [<c0610033>] schedule+0x2c3/0x8f0
>  =======================

I have no idea why this one happens. You should check if the unbind
really succeeded.

> BUG: unable to handle kernel NULL pointer dereference at virtual address 0000003c
>  printing eip:
> c05ef978
> *pde = 00000000
> BUG: soft lockup detected on CPU#0!
>  [<c014d469>] softlockup_tick+0xa9/0xd0
>  [<c0131383>] update_process_times+0x33/0x80
>  [<c011ab7b>] smp_apic_timer_interrupt+0x6b/0x80
>  [<c0103aa4>] apic_timer_interrupt+0x28/0x30
>  [<c0255606>] delay_tsc+0x16/0x20
>  [<c0255646>] __delay+0x6/0x10
>  [<c011fbbb>] do_page_fault+0x35b/0x600
>  [<c011f860>] do_page_fault+0x0/0x600
>  [<c061237c>] error_code+0x7c/0x84
>  [<c02d007b>] read_fan+0x59/0x6f
>  [<c05ef978>] rfcomm_tty_chars_in_buffer+0x8/0x20
>  [<c02dcd64>] normal_poll+0xd4/0x140
>  [<c02dcc90>] normal_poll+0x0/0x140
>  [<c02d9f4b>] tty_poll+0x6b/0x90
>  [<c017b5c9>] do_select+0x219/0x4b0
>  [<c017ac00>] __pollwait+0x0/0x110
>  [<c0123c90>] default_wake_function+0x0/0x10
>  [<c0123c90>] default_wake_function+0x0/0x10
>  [<c0123c90>] default_wake_function+0x0/0x10
>  [<c018f0a0>] __find_get_block_slow+0xc0/0x140
>  [<c0169c39>] poison_obj+0x29/0x60
>  [<c016962e>] dbg_redzone1+0xe/0x20
>  [<c016a51e>] cache_alloc_debugcheck_after+0x3e/0x150
>  [<c016a364>] check_poison_obj+0x24/0x1a0
>  [<c019129f>] __find_get_block+0xcf/0x1c0
>  [<c0169c39>] poison_obj+0x29/0x60
>  [<c0169c39>] poison_obj+0x29/0x60
>  [<c016a220>] cache_free_debugcheck+0xb0/0x1d0
>  [<c01c0592>] journal_stop+0x162/0x1f0
>  [<c01c0592>] journal_stop+0x162/0x1f0
>  [<c01ba0e4>] __ext3_journal_stop+0x24/0x50
>  [<c01b29f1>] ext3_ordered_commit_write+0xa1/0xd0
>  [<c01b16a0>] ext3_journal_dirty_data+0x0/0x50
>  [<c015162b>] generic_file_buffered_write+0x39b/0x680
>  [<c01ba0e4>] __ext3_journal_stop+0x24/0x50
>  [<c018a824>] __mark_inode_dirty+0x34/0x1c0
>  [<c0152a43>] __generic_file_aio_write_nolock+0x283/0x590
>  [<c017ba26>] core_sys_select+0x1c6/0x2e0
>  [<c06112cf>] __mutex_lock_slowpath+0xef/0x230
>  [<c0152db2>] generic_file_aio_write+0x62/0xd0
>  [<c01b0570>] ext3_file_write+0x30/0xc0
>  [<c016ea77>] do_sync_write+0xc7/0x130
>  [<c015e392>] __handle_mm_fault+0x642/0x890
>  [<c013c680>] autoremove_wake_function+0x0/0x50
>  [<c02d82d5>] tty_ldisc_deref+0x15/0x70
>  [<c017bea1>] sys_select+0x51/0x1c0
>  [<c010304c>] syscall_call+0x7/0xb
>  =======================
> Oops: 0000 [#1]
> SMP 
> Modules linked in:
> CPU:    0
> EIP:    0060:[<c05ef978>]    Not tainted VLI
> EFLAGS: 00010246   (2.6.20-rc2 #384)
> EIP is at rfcomm_tty_chars_in_buffer+0x8/0x20
> eax: 00000000   ebx: db0e5704   ecx: 00000000   edx: f79858ac
> esi: 00000000   edi: f7599528   ebp: 00000000   esp: da73bb54
> ds: 007b   es: 007b   ss: 0068
> Process phone (pid: 3930, ti=da73a000 task=dc212a70 task.ti=da73a000)
> Stack: c02dcd64 00610a52 f7599528 db0e5704 c02dcc90 c02d9f4b 00000000 db0e5710 
>        00000010 f7599528 00000004 0000001c c017b5c9 00000000 da73bf9c da73bf54 
>        00000000 da73be60 da73be64 da73be68 da73be58 da73be5c da73be60 00000011 
> Call Trace:
>  [<c02dcd64>] normal_poll+0xd4/0x140
>  [<c02dcc90>] normal_poll+0x0/0x140
>  [<c02d9f4b>] tty_poll+0x6b/0x90
>  [<c017b5c9>] do_select+0x219/0x4b0
>  [<c017ac00>] __pollwait+0x0/0x110
>  [<c0123c90>] default_wake_function+0x0/0x10
>  [<c0123c90>] default_wake_function+0x0/0x10
>  [<c0123c90>] default_wake_function+0x0/0x10
>  [<c018f0a0>] __find_get_block_slow+0xc0/0x140
>  [<c0169c39>] poison_obj+0x29/0x60
>  [<c016962e>] dbg_redzone1+0xe/0x20
>  [<c016a51e>] cache_alloc_debugcheck_after+0x3e/0x150
>  [<c016a364>] check_poison_obj+0x24/0x1a0
>  [<c019129f>] __find_get_block+0xcf/0x1c0
>  [<c0169c39>] poison_obj+0x29/0x60
>  [<c0169c39>] poison_obj+0x29/0x60
>  [<c016a220>] cache_free_debugcheck+0xb0/0x1d0
>  [<c01c0592>] journal_stop+0x162/0x1f0
>  [<c01c0592>] journal_stop+0x162/0x1f0
>  [<c01ba0e4>] __ext3_journal_stop+0x24/0x50
>  [<c01b29f1>] ext3_ordered_commit_write+0xa1/0xd0
>  [<c01b16a0>] ext3_journal_dirty_data+0x0/0x50
>  [<c015162b>] generic_file_buffered_write+0x39b/0x680
>  [<c01ba0e4>] __ext3_journal_stop+0x24/0x50
>  [<c018a824>] __mark_inode_dirty+0x34/0x1c0
>  [<c0152a43>] __generic_file_aio_write_nolock+0x283/0x590
>  [<c017ba26>] core_sys_select+0x1c6/0x2e0
>  [<c06112cf>] __mutex_lock_slowpath+0xef/0x230
>  [<c0152db2>] generic_file_aio_write+0x62/0xd0
>  [<c01b0570>] ext3_file_write+0x30/0xc0
>  [<c016ea77>] do_sync_write+0xc7/0x130
>  [<c015e392>] __handle_mm_fault+0x642/0x890
>  [<c013c680>] autoremove_wake_function+0x0/0x50
>  [<c02d82d5>] tty_ldisc_deref+0x15/0x70
>  [<c017bea1>] sys_select+0x51/0x1c0
>  [<c010304c>] syscall_call+0x7/0xb
>  =======================
> Code: 8d 76 00 8b 80 60 01 00 00 8b 50 3c f0 0f ba 72 3c 00 19 c0 85 c0 75 01 c3 89 d0 e9 f3 cb ff ff 8d 76 00 8b 80 60 01 00 00 31 c9 <8b> 50 3c 8d 42 0c 39 42 0c 74 03 8b 4a 50 89 c8 c3 8d b4 26 00 
> EIP: [<c05ef978>] rfcomm_tty_chars_in_buffer+0x8/0x20 SS:ESP 0068:da73bb54

The attached patch is from my queue of pending fixes and should take
care of these oopses.

Regards

Marcel


View attachment "patch" of type "text/plain" (2405 bytes)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ