Subject: rfcomm oops in 2.5.74

Hi,

Calling socket(PF_BLUETOOTH, SOCK_RAW, BTPROTO_RFCOMM) on 2.5.74
segfaults and gives the below oops. module.h:297 is
BUG_ON(module_refcount(module) == 0) in __module_get(), which is called
from rfcomm_sock_alloc() via sk_set_owner().

kernel BUG at include/linux/module.h:297!
invalid operand: 0000 [#4]
CPU: 0
EIP: 0060:[<e0a48104>] Not tainted
EFLAGS: 00010246
EIP is at rfcomm_sock_alloc+0x107/0x121 [rfcomm]
eax: 00000000 ebx: d3e5ab00 ecx: da30c680 edx: d3e5ab00
esi: 000000d0 edi: 00000001 ebp: ffffff9f esp: d53c5ef8
ds: 007b es: 007b ss: 0068
Process rfcomm (pid: 10709, threadinfo=d53c4000 task=da2a2d80)
Stack: e0a4d880 00000003 00000008 000000d0 fffffff4 ffffffa3 e0a48168 da30c680
00000003 000000d0 00000003 e0a320e8 da30c680 00000003 0000001f da30c680
00000001 c021ddbf da30c680 00000003 00000000 00000001 d53c5f90 00000000
Call Trace:
[<e0a48168>] rfcomm_sock_create+0x4a/0x6a [rfcomm]
[<e0a320e8>] bt_sock_create+0x8e/0x10f [bluetooth]
[<c021ddbf>] sock_create+0xce/0x263
[<c021df7f>] sys_socket+0x2b/0x5b
[<c021eee0>] sys_socketcall+0x89/0x28c
[<c010911b>] syscall_call+0x7/0xb

Code: 0f 0b 29 01 09 b0 a4 e0 e9 52 ff ff ff 0f 0b cb 01 20 b0 a4

The relevant loaded modules are:

Module                  Size  Used by
rfcomm                 35484  0
l2cap                  22404  3 rfcomm
bluetooth              43108  7 rfcomm,l2cap

And the relevant config options are:

#
# Bluetooth support
#
CONFIG_BT=m
CONFIG_BT_L2CAP=m
CONFIG_BT_SCO=m
CONFIG_BT_RFCOMM=m
CONFIG_BT_RFCOMM_TTY=y
CONFIG_BT_BNEP=m
CONFIG_BT_BNEP_MC_FILTER=y
CONFIG_BT_BNEP_PROTO_FILTER=y

#
# Bluetooth device drivers
#
CONFIG_BT_HCIUSB=m
CONFIG_BT_USB_SCO=y
# CONFIG_BT_USB_ZERO_PACKET is not set
CONFIG_BT_HCIUART=m
CONFIG_BT_HCIUART_H4=y
CONFIG_BT_HCIUART_BCSP=y
# CONFIG_BT_HCIUART_BCSP_TXCRC is not set
CONFIG_BT_HCIDTL1=m
CONFIG_BT_HCIBT3C=m
CONFIG_BT_HCIBLUECARD=m
CONFIG_BT_HCIBTUART=m
CONFIG_BT_HCIVHCI=m

--
ilmari


2003-07-03 14:50:00

by Aurelien Minet

Subject: Re: [Bluez-devel] rfcomm oops in 2.5.74

Hi Dagfinn


> Calling socket(PF_BLUETOOTH, SOCK_RAW, BTPROTO_RFCOMM) on 2.5.74
> segfaults and gives the below oops. module.h:297 is
> BUG_ON(module_refcount(module) == 0) in __module_get(), which is called
> from rfcomm_sock_alloc() via sk_set_owner().

I don't know about 2.5.xx, but on 2.4.xx, in order to use the RFCOMM protocol
you must use a SOCK_STREAM and not a SOCK_RAW socket type.
(SOCK_RAW is for HCI; SOCK_SEQPACKET & SOCK_DGRAM for L2CAP.)
I think it must return an error instead of segfaulting; in that sense
it is a bug.


Regards

Aurelien

Subject: Re: [Bluez-devel] rfcomm oops in 2.5.74

Aurelien Minet <[email protected]> writes:

Hi Aurelien, and thanks for the quick response.

>> Calling socket(PF_BLUETOOTH, SOCK_RAW, BTPROTO_RFCOMM) on 2.5.74
>> segfaults and gives the below oops. module.h:297 is
>> BUG_ON(module_refcount(module) == 0) in __module_get(), which is called
>> from rfcomm_sock_alloc() via sk_set_owner().
>
> I don't know about 2.5.xx, but on 2.4.xx, in order to use the RFCOMM protocol
> you must use a SOCK_STREAM and not a SOCK_RAW socket type.
> (SOCK_RAW is for HCI; SOCK_SEQPACKET & SOCK_DGRAM for L2CAP.)
> I think it must return an error instead of segfaulting; in that sense
> it is a bug.

I noticed it when rfcomm(1) segfaulted and caused the oops on startup,
so I straced it. The strace output is:

[linking stuff snipped]
socket(0x1f /* PF_??? */, SOCK_RAW, 3 <unfinished ...>
+++ killed by SIGSEGV +++

According to <net/bluetooth/bluetooth.h> 0x1f is PF_BLUETOOTH and 3 is
BTPROTO_RFCOMM. Looking at the source, rfcomm(1) uses SOCK_RAW for the
RFCOMM control socket (for ioctls: RFCOMMGETDEVLIST, RFCOMMCREATEDEV,
RFCOMMRELEASEDEV, RFCOMMGETDEVINFO), and SOCK_STREAM for the data
sockets.

What is the correct way of doing these ioctls on 2.5 if not against a
SOCK_RAW socket?

--
ilmari
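
Added example, not code from the thread or from BlueZ: the user-space side of what is described above, opening the RFCOMM control socket the way rfcomm(1) does (socket(PF_BLUETOOTH, SOCK_RAW, BTPROTO_RFCOMM), the call that oopsed on 2.5.74) and issuing RFCOMMGETDEVLIST on it, with every failure path handled so the program reports cleanly instead of assuming the socket() or the ioctl succeeded. PF_BLUETOOTH = 0x1f and BTPROTO_RFCOMM = 3 are the values decoded in the message above; the ioctl number, the struct layouts and the helper names (devlist_req_size, rfcomm_control_open, rfcomm_list_devs, rfcomm_probe) are assumptions made here, not taken from the page.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/ioctl.h>
#include <sys/socket.h>
#include <unistd.h>

/* Constants and structs are redeclared locally so this builds without the
 * BlueZ headers. ASSUMPTION: they match <net/bluetooth/bluetooth.h> and
 * <net/bluetooth/rfcomm.h> of that era. PF_BLUETOOTH = 0x1f and
 * BTPROTO_RFCOMM = 3 are the values decoded in the thread; the ioctl
 * number and the struct layouts are not on the page. */
#ifndef PF_BLUETOOTH
#define PF_BLUETOOTH 31
#endif
#define BTPROTO_RFCOMM 3

typedef struct { uint8_t b[6]; } __attribute__((packed)) bt_bdaddr;

struct rfcomm_dev_info {
    int16_t   id;
    uint32_t  flags;
    uint16_t  state;
    bt_bdaddr src;
    bt_bdaddr dst;
    uint8_t   channel;
};

struct rfcomm_dev_list_req {
    uint16_t dev_num;                  /* in: capacity, out: entries filled */
    struct rfcomm_dev_info dev_info[]; /* dev_num entries follow            */
};

#define RFCOMMGETDEVLIST _IOR('R', 210, int)

/* Bytes needed for a RFCOMMGETDEVLIST request that can hold n entries. */
size_t devlist_req_size(unsigned n)
{
    return sizeof(struct rfcomm_dev_list_req)
         + (size_t)n * sizeof(struct rfcomm_dev_info);
}

/* Open the RFCOMM control socket exactly as rfcomm(1) does. On a working
 * kernel this either succeeds or fails with a clean errno (EAFNOSUPPORT or
 * EPROTONOSUPPORT when Bluetooth/rfcomm is absent). Returns fd or -errno. */
int rfcomm_control_open(void)
{
    int fd = socket(PF_BLUETOOTH, SOCK_RAW, BTPROTO_RFCOMM);
    return fd < 0 ? -errno : fd;
}

/* Issue RFCOMMGETDEVLIST on the control socket, copying at most max entries
 * into out. Returns the number of devices reported, or -errno. The request
 * is allocated at exactly the size for max entries, and the kernel-returned
 * count is clamped to that, so nothing is read past the buffer. */
int rfcomm_list_devs(int fd, struct rfcomm_dev_info *out, unsigned max)
{
    if (max > UINT16_MAX)          /* dev_num is a 16-bit field */
        return -EINVAL;
    struct rfcomm_dev_list_req *req = calloc(1, devlist_req_size(max));
    if (!req)
        return -ENOMEM;
    req->dev_num = (uint16_t)max;
    if (ioctl(fd, RFCOMMGETDEVLIST, req) < 0) {
        int err = errno;
        free(req);
        return -err;
    }
    unsigned n = req->dev_num;
    if (n > max)                   /* never trust the count over the buffer */
        n = max;
    if (out && n)
        memcpy(out, req->dev_info, n * sizeof(*out));
    free(req);
    return (int)n;
}

/* Open, list, close. Returns the device count or -errno; the caller never
 * sees a crash whatever the kernel answers. */
int rfcomm_probe(void)
{
    int fd = rfcomm_control_open();
    if (fd < 0)
        return fd;
    struct rfcomm_dev_info devs[8];
    int n = rfcomm_list_devs(fd, devs, 8);
    close(fd);
    return n;
}

int main(void)
{
    int r = rfcomm_probe();
    if (r >= 0) {
        printf("RFCOMM control socket OK, %d bound device(s)\n", r);
        return 0;
    }
    /* EAFNOSUPPORT/EPROTONOSUPPORT: no Bluetooth or no rfcomm module;
     * EPERM/EACCES: denied by sandbox or capabilities. All are the clean
     * errors a fixed kernel returns instead of the BUG_ON in the report. */
    fprintf(stderr, "RFCOMM control socket unavailable: %s\n", strerror(-r));
    return 1;
}
```

On a machine without Bluetooth the probe reports EAFNOSUPPORT or EPROTONOSUPPORT and exits 1; with the rfcomm module loaded it prints the number of devices RFCOMMGETDEVLIST returned, which is zero until something like rfcomm(1) has bound a TTY.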

Subject: Re: rfcomm oops in 2.5.74

[email protected] (Dagfinn Ilmari Mannsåker) writes:

> Calling socket(PF_BLUETOOTH, SOCK_RAW, BTPROTO_RFCOMM) on 2.5.74
> segfaults and gives the below oops. module.h:297 is
> BUG_ON(module_refcount(module) == 0) in __module_get(), which is called
> from rfcomm_sock_alloc() via sk_set_owner().

It turns out that net/bluetooth/rfcomm/sock.c (and
net/bluetooth/hci_sock.c) had been left out when net_proto_family gained
an owner field, here's a patch that fixes them both. Now I can transfer
pictures from my phone over OBEX Object Push again :)

--- net/bluetooth/rfcomm/sock.c~ 2003-07-02 22:50:14.000000000 +0200
+++ net/bluetooth/rfcomm/sock.c 2003-07-04 05:24:15.000000000 +0200
@@ -878,6 +878,7 @@

static struct net_proto_family rfcomm_sock_family_ops = {
.family = PF_BLUETOOTH,
+ .owner = THIS_MODULE,
.create = rfcomm_sock_create
};

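Review bot: the description should spell out why the missing .owner produces the BUG_ON quoted at the top of the thread (BUG_ON(module_refcount(module) == 0) in __module_get(), reached from rfcomm_sock_alloc() via sk_set_owner()): the owner field is what lets the socket layer hold a reference on the rfcomm module across the ->create call, and without it the module refcount is still zero when sk_set_owner() runs. That one sentence makes the hunk reviewable on its own instead of relying on the oops in the earlier mail. Minor: `.create = rfcomm_sock_create` has no trailing comma, while hci_sock_family_ops below uses one; adding it keeps the next field addition a one-line diff.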
--- net/bluetooth/hci_sock.c~ 2003-07-02 22:49:11.000000000 +0200
+++ net/bluetooth/hci_sock.c 2003-07-04 05:24:54.000000000 +0200
@@ -632,6 +632,7 @@

struct net_proto_family hci_sock_family_ops = {
.family = PF_BLUETOOTH,
+ .owner = THIS_MODULE,
.create = hci_sock_create,
};

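Review bot: the hci_sock.c hunk is not backed by the report. The oops, the strace and the reproducer all involve BTPROTO_RFCOMM only, and the description gives no evidence that HCI sockets fail the same way; Max's reply further down states that the HCI socket does not need an owner field. Either drop this hunk, or split it into its own patch with a justification (which HCI path hits __module_get() with a zero refcount) so the RFCOMM fix can be applied on its own.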

--
ilmari

2003-07-04 07:27:20

by Aurelien Minet

Subject: Re: [Bluez-devel] rfcomm oops in 2.5.74

Hi Dagfinn


> I noticed it when rfcomm(1) segfaulted and caused the oops on startup,
> so I straced it. The strace output is:
>
> [linking stuff snipped]
> socket(0x1f /* PF_??? */, SOCK_RAW, 3 <unfinished ...>
> +++ killed by SIGSEGV +++
>
> According to <net/bluetooth/bluetooth.h> 0x1f is PF_BLUETOOTH and 3 is
> BTPROTO_RFCOMM. Looking at the source, rfcomm(1) uses SOCK_RAW for the
> RFCOMM control socket (for ioctls: RFCOMMGETDEVLIST, RFCOMMCREATEDEV,
> RFCOMMRELEASEDEV, RFCOMMGETDEVINFO), and SOCK_STREAM for the data
> sockets.
>
> What is the correct way of doing these ioctls on 2.5 if not against a
> SOCK_RAW socket?
Yes, the use of ioctl needs a SOCK_RAW socket. But I am not aware of
ioctls with RFCOMM (just with HCI), and even less under 2.5.
But I saw in 2.4 that it is for the TTY RFCOMM module; I think it should
only be used in this module.
If it is while you are using TTY over Bluetooth, ask Marcel and Max on the
Bluez list; they can help you much more than me.

Sorry for the lack of help


Aurelien




2003-07-07 17:42:50

by Max Krasnyansky

Subject: Re: [Bluez-devel] Re: rfcomm oops in 2.5.74

At 09:04 PM 7/3/2003, Dagfinn Ilmari Mannsåker wrote:
>[email protected] (Dagfinn Ilmari Mannsåker) writes:
>
>> Calling socket(PF_BLUETOOTH, SOCK_RAW, BTPROTO_RFCOMM) on 2.5.74
>> segfaults and gives the below oops. module.h:297 is
>> BUG_ON(module_refcount(module) == 0) in __module_get(), which is called
>> from rfcomm_sock_alloc() via sk_set_owner().
>
>It turns out that net/bluetooth/rfcomm/sock.c (and
>net/bluetooth/hci_sock.c) had been left out when net_proto_family gained
>an owner field, here's a patch that fixes them both. Now I can transfer
>pictures from my phone over OBEX Object Push again :)
HCI socket doesn't need an owner field. But RFCOMM does; I'll fix that.

Thanks for the patch
Max