From: Kai-Heng Feng
Date: Wed, 4 Aug 2021 22:35:43 +0800
Subject: Re: [PATCH v2] Bluetooth: Shutdown controller after workqueues are flushed or cancelled
To: Hillf Danton
Cc: Marcel Holtmann, Johan Hedberg, Mattijs Korpershoek, Luiz Augusto von Dentz, "bluez mailin list (linux-bluetooth@vger.kernel.org)", Linux Netdev List, LKML

On Tue, Aug 3, 2021 at 3:47 PM Hillf Danton wrote:
>
> On Tue, 3 Aug 2021 14:45:07 +0800 Kai-Heng Feng wrote:
> >On Mon, Aug 2, 2021 at 11:05 AM Hillf Danton wrote:
> >>
> >> Given the skb_get in hci_req_sync_complete makes it safe to free skb on
> >> driver side, I doubt this patch is the correct fix as it is.
> >
> >Some workqueues are still active.
> >The shutdown() should be called at least after hci_request_cancel_all().
>
> What is muddy then is how active workqueues prevent skb_get from protecting
> kfree_skb. Can you spot what workqueue it is?

I managed to reproduce the issue with another kernel splat:
------------[ cut here ]------------
kernel BUG at mm/slub.c:321!
invalid opcode: 0000 [#1] SMP NOPTI
CPU: 2 PID: 2208 Comm: kworker/u9:3 Not tainted 5.14.0-rc4+ #16
Hardware name: HP HP ProBook 650 G8 Notebook PC/87ED, BIOS T74 Ver. 01.03.04 01/07/2021
Workqueue: hci0 discov_update [bluetooth]
RIP: 0010:__slab_free+0x20c/0x3a0
Code: 00 44 0f b6 54 24 1a 8b 74 24 14 44 0f b6 4c 24 1b 44 8b 44 24 1c 48 89 44 24 08 48 8b 54 24 20 48 8b 7c 24 28 e9 ad fe ff ff <0f> 0b 49 3b 54 24 28 0f 85 6b ff ff ff 49 89 5c 24 20 49 89 4c 24
RSP: 0018:ffffaa0e4164fc50 EFLAGS: 00010246
RAX: ffff9cc9a217e668 RBX: ffff9cc9a217e600 RCX: ffff9cc9a217e600
RDX: 000000008010000e RSI: ffffd09044885f80 RDI: ffff9cc980e96500
RBP: ffffaa0e4164fd00 R08: 0000000000000001 R09: ffffffff885b3a4e
R10: ffff9cc999aab800 R11: ffff9cc9a217e600 R12: ffffd09044885f80
R13: ffff9cc9a217e600 R14: ffff9cc980e96500 R15: ffff9cc9a217e600
FS: 0000000000000000(0000) GS:ffff9cca2b900000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007ffe164d5b98 CR3: 000000013f410002 CR4: 0000000000770ee0
PKRU: 55555554
Call Trace:
 ? psi_task_switch+0xc3/0x1e0
 ? __switch_to_asm+0x36/0x70
 ? skb_free_head+0x67/0x80
 kmem_cache_free+0x370/0x3d0
 ? kfree_skbmem+0x4e/0x90
 kfree_skbmem+0x4e/0x90
 kfree_skb+0x47/0xb0
 __hci_req_sync+0x134/0x2a0 [bluetooth]
 ? wait_woken+0x70/0x70
 discov_update+0x2ae/0x310 [bluetooth]
 process_one_work+0x21d/0x3c0
 worker_thread+0x53/0x420
 ? process_one_work+0x3c0/0x3c0
 kthread+0x127/0x150
 ? set_kthread_struct+0x50/0x50
 ret_from_fork+0x1f/0x30
Modules linked in: rfcomm cmac algif_hash algif_skcipher af_alg bnep nls_iso8859_1 snd_soc_skl_hda_dsp snd_soc_intel_hda_dsp_common snd_soc_hdac_hdmi snd_hda_codec_hdmi snd_hda_codec_realtek snd_hda_codec_generic snd_soc_dmic snd_sof_pci_intel_tgl snd_sof_intel_hda_common snd_soc_hdac_hda snd_sof_pci snd_sof snd_sof_xtensa_dsp snd_sof_intel_hda snd_hda_ext_core snd_soc_acpi_intel_match snd_soc_acpi ledtrig_audio snd_soc_core snd_hda_intel snd_intel_dspcfg snd_hda_codec snd_hwdep snd_hda_core snd_pcm snd_seq i915 snd_seq_device snd_timer hp_wmi intel_tcc_cooling x86_pkg_temp_thermal intel_powerclamp i2c_algo_bit coretemp joydev kvm_intel ttm mei_hdcp intel_rapl_msr platform_profile wmi_bmof kvm uvcvideo crct10dif_pclmul btusb videobuf2_vmalloc videobuf2_memops drm_kms_helper btrtl videobuf2_v4l2 crc32_pclmul btbcm ghash_clmulni_intel input_leds videobuf2_common btintel snd videodev syscopyarea sysfillrect sysimgblt aesni_intel mc serio_raw fb_sys_fops bluetooth crypto_simd cec cryptd intel_cstate ecdh_generic efi_pstore ecc rc_core hid_multitouch processor_thermal_device_pci_legacy mei_me intel_soc_dts_iosf processor_thermal_device mei soundcore processor_thermal_rfim ee1004 processor_thermal_mbox processor_thermal_rapl intel_pmt_telemetry intel_rapl_common intel_pmt_class ucsi_acpi typec_ucsi typec wmi soc_button_array int3403_thermal int340x_thermal_zone video int3400_thermal acpi_thermal_rel acpi_pad mac_hid intel_hid sparse_keymap sch_fq_codel msr parport_pc ppdev lp drm parport ip_tables x_tables autofs4 hid_generic nvme nvme_core intel_lpss_pci e1000e intel_lpss i2c_i801 idma64 i2c_smbus xhci_pci xhci_pci_renesas vmd intel_pmt i2c_hid_acpi i2c_hid hid pinctrl_tigerlake
---[ end trace c09445d4697039ed ]---

So hci_request_cancel_all() -> cancel_work_sync(&hdev->discov_update) and
can prevent the race from happening.

And the kernel splat is just one symptom of the issue, most of the time
it's just "Bluetooth: hci0: HCI reset during shutdown failed" in dmesg.

Kai-Heng
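
A triage sketch for the splat above, added here as an example and not part of the original message or of the kernel tree: it extracts the BUG site, the work item named on the "Workqueue:" line and the verified call chain, and counts the "HCI reset during shutdown failed" symptom. The function name triage, its field names and the trimmed sample are constructed for this example.

```python
import re

# Constructed sample: lines copied from the splat in the message above, trimmed
# to the fields read here, plus the dmesg symptom the message quotes.
SAMPLE = """\
Bluetooth: hci0: HCI reset during shutdown failed
kernel BUG at mm/slub.c:321!
Workqueue: hci0 discov_update [bluetooth]
RIP: 0010:__slab_free+0x20c/0x3a0
Call Trace:
 ? skb_free_head+0x67/0x80
 kmem_cache_free+0x370/0x3d0
 ? kfree_skbmem+0x4e/0x90
 kfree_skbmem+0x4e/0x90
 kfree_skb+0x47/0xb0
 __hci_req_sync+0x134/0x2a0 [bluetooth]
 ? wait_woken+0x70/0x70
 discov_update+0x2ae/0x310 [bluetooth]
 process_one_work+0x21d/0x3c0
Modules linked in: rfcomm cmac
"""

FRAME = re.compile(r"^\s*(\?\s+)?([\w.]+)\+0x[0-9a-f]+/0x[0-9a-f]+(?:\s+\[(\w+)\])?\s*$")

def triage(text):
    """Summarise one oops: BUG site, work item, and the verified call chain."""
    r = {"bug_at": None, "workqueue": None, "work_fn": None, "rip": None,
         "frames": [], "reset_failures": 0}
    in_trace = False
    for raw in text.splitlines():
        line = re.sub(r"^\[\s*\d+\.\d+\]\s?", "", raw)  # drop a dmesg timestamp
        if m := re.match(r"kernel BUG at (\S+?)!", line):
            r["bug_at"] = m.group(1)
        elif m := re.match(r"Workqueue: (\S+) (\S+)", line):
            r["workqueue"], r["work_fn"] = m.groups()
        elif m := re.match(r"RIP: \w+:([\w.]+)\+", line):
            r["rip"] = m.group(1)
        elif "HCI reset during shutdown failed" in line:
            r["reset_failures"] += 1
        elif line.startswith("Call Trace:"):
            in_trace = True
        elif in_trace:
            m = FRAME.match(line)
            if m is None:
                in_trace = False          # trace ended (e.g. "Modules linked in:")
            elif not m.group(1):          # '?' frames are unverified stack leftovers
                r["frames"].append((m.group(2), m.group(3)))
    # Innermost verified frame inside a loadable module: the code that issued the free.
    r["module_caller"] = next((f for f in r["frames"] if f[1]), None)
    r["in_work_item"] = r["work_fn"] in [f[0] for f in r["frames"]]
    return r
```

On the sample, the verified chain runs from kfree_skb in __hci_req_sync up through discov_update on the hci0 workqueue, the work item that cancel_work_sync(&hdev->discov_update) targets.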