2013-10-28 12:46:16

by Seung-Woo Kim

Subject: [BUG] Crash during disconnecting and removing bond from remote device

Dear list,

I used 3.10.14 with RFCOMM tty patches in 3.12-rc, and I tested
disconnecting and removing a bond from a remote device, and I got the
following crash.

[ 42.706670] Unable to handle kernel NULL pointer dereference at virtual address 00000010
[ 42.709197] pgd = c0004000
[ 42.714500] [00000010] *pgd=00000000
[ 42.715484] Internal error: Oops: 17 [#1] PREEMPT SMP ARM
[ 42.720820] Modules linked in:
[ 42.723879] CPU: 1 PID: 828 Comm: krfcommd Not tainted 3.10.14-gdca4b73 #340
[ 42.730892] task: df03ac00 ti: df178000 task.ti: df178000
[ 42.736328] PC is at l2cap_create_basic_pdu+0x30/0x1ac
[ 42.741406] LR is at l2cap_chan_send+0x100/0x1d8
[ 42.745997] pc : [<c05163b8>] lr : [<c051addc>] psr: 400f0013
[ 42.745997] sp : df179d40 ip : c082daa0 fp : 00000008
[ 42.757443] r10: 00000004 r9 : 0000065a r8 : 000003f5
[ 42.762652] r7 : 00000000 r6 : 00000000 r5 : df179e84 r4 : d782bc00
[ 42.769162] r3 : 00000000 r2 : 00000004 r1 : df179e84 r0 : 00000000
[ 42.775680] Flags: nZcv IRQs on FIQs on Mode SVC_32 ISA ARM Segment kernel
[ 42.782964] Control: 10c53c7d Table: 5f3f804a DAC: 00000015
[ 42.788693] Process krfcommd (pid: 828, stack limit = 0xdf178238)
[ 42.794770] Stack: (0xdf179d40 to 0xdf17a000)
[ 42.978647] [<c05163b8>] (l2cap_create_basic_pdu+0x30/0x1ac) from [<c051addc>] (l2cap_chan_send+0x100/0x1d8)
[ 42.988428] [<c051addc>] (l2cap_chan_send+0x100/0x1d8) from [<c051fb30>] (l2cap_sock_sendmsg+0x7c/0xd8)
[ 42.997807] [<c051fb30>] (l2cap_sock_sendmsg+0x7c/0xd8) from [<c044fffc>] (sock_sendmsg+0xac/0xcc)
[ 43.006736] [<c044fffc>] (sock_sendmsg+0xac/0xcc) from [<c04505cc>] (kernel_sendmsg+0x2c/0x34)
[ 43.015345] [<c04505cc>] (kernel_sendmsg+0x2c/0x34) from [<c0528f6c>] (rfcomm_send_frame+0x58/0x7c)
[ 43.024352] [<c0528f6c>] (rfcomm_send_frame+0x58/0x7c) from [<c05291e4>] (rfcomm_send_ua+0x98/0xbc)
[ 43.033382] [<c05291e4>] (rfcomm_send_ua+0x98/0xbc) from [<c052a4d8>] (rfcomm_recv_disc+0xac/0x100)
[ 43.042405] [<c052a4d8>] (rfcomm_recv_disc+0xac/0x100) from [<c052beb0>] (rfcomm_recv_frame+0x144/0x264)
[ 43.051866] [<c052beb0>] (rfcomm_recv_frame+0x144/0x264) from [<c052c044>] (rfcomm_process_rx+0x74/0xfc)
[ 43.061327] [<c052c044>] (rfcomm_process_rx+0x74/0xfc) from [<c052c124>] (rfcomm_process_sessions+0x58/0x160)
[ 43.071221] [<c052c124>] (rfcomm_process_sessions+0x58/0x160) from [<c052c294>] (rfcomm_run+0x68/0x110)
[ 43.080614] [<c052c294>] (rfcomm_run+0x68/0x110) from [<c0049d54>] (kthread+0xb8/0xbc)
[ 43.088528] [<c0049d54>] (kthread+0xb8/0xbc) from [<c000f168>] (ret_from_fork+0x14/0x2c)
[ 43.096574] Code: e3100004 e1a07003 e5946004 1a000057 (e5969010)
[ 43.110479] ---[ end trace b2b00f82e7216259 ]---

This happens because l2cap_chan_send() is called after l2cap_chan_del(),
and I can easily fix this with the following patch.

diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c
index 63fa111..11b5d09 100644
--- a/net/bluetooth/l2cap_core.c
+++ b/net/bluetooth/l2cap_core.c
@@ -2452,6 +2452,9 @@ int l2cap_chan_send(struct l2cap_chan *chan,
struct msghdr *msg, size_t len,
int err;
struct sk_buff_head seg_queue;

+ if (!chan->conn)
+ return -ENOTCONN;
+
/* Connectionless channel */
if (chan->chan_type == L2CAP_CHAN_CONN_LESS) {
skb = l2cap_create_connless_pdu(chan, msg, len, priority);
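Review bot: the added `if (!chan->conn) return -ENOTCONN;` at the top of l2cap_chan_send() only closes the window if every caller holds a lock that orders the test against l2cap_chan_del() clearing chan->conn; nothing in the hunk shows that, and the crashing path in the trace enters through l2cap_sock_sendmsg(), so the submission should state which lock (the socket lock on that path, or the channel lock) serializes the check against the deletion, otherwise the gap between the test and the dereference in l2cap_create_basic_pdu() remains. A one-line comment above the check saying that a NULL conn means the channel has already been deleted would also help the next reader, and the hunk still needs a commit message and Signed-off-by before it can be applied.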


Here is also the hcidump log of the operation for this issue.

$ hcidump -X
HCI sniffer - Bluetooth packet analyzer ver 2.4
device: hci0 snap_len: 1500 filter: 0xffffffff
> ACL data: handle 12 flags 0x02 dlen 8
L2CAP(d): cid 0x0041 len 4 [psm 0]
0000: 3b 53 01 e7 ;S..
< ACL data: handle 12 flags 0x00 dlen 8
L2CAP(d): cid 0x0041 len 4 [psm 0]
0000: 3b 73 01 cd ;s..
> ACL data: handle 12 flags 0x02 dlen 8
L2CAP(d): cid 0x0041 len 4 [psm 0]
0000: 03 53 01 fd .S..
< ACL data: handle 12 flags 0x00 dlen 8
L2CAP(d): cid 0x0041 len 4 [psm 0]
0000: 03 73 01 d7 .s..
< ACL data: handle 12 flags 0x00 dlen 12
L2CAP(s): Disconn req: dcid 0x0041 scid 0x0041
> ACL data: handle 12 flags 0x02 dlen 12
L2CAP(s): Disconn req: dcid 0x0041 scid 0x0041
< ACL data: handle 12 flags 0x00 dlen 12
L2CAP(s): Disconn rsp: dcid 0x0041 scid 0x0041
> HCI Event: Number of Completed Packets (0x13) plen 5
handle 12 packets 2
> ACL data: handle 12 flags 0x02 dlen 12
L2CAP(s): Disconn rsp: dcid 0x0041 scid 0x0041
> HCI Event: Number of Completed Packets (0x13) plen 5
handle 12 packets 2
> HCI Event: Disconn Complete (0x05) plen 4
status 0x00 handle 12 reason 0x13
Reason: Remote User Terminated Connection

Best Regards,
- Seung-Woo Kim <[email protected]>

--
Seung-Woo Kim
Samsung Software R&D Center
--
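The four RFCOMM frames in the hcidump above decoded and FCS-checked, as an added example that is not code from the report or from the kernel. It assumes the RFCOMM/GSM 07.10 FCS rule (CRC-8 over address, control and length, address and control only for UIH, reflected polynomial 0xE0, init 0xFF, FCS = 0xFF - crc) and single-byte length fields.

```python
"""Decoder for the RFCOMM frames in the hcidump above (added example, not
code from the report or the kernel).  FCS rule per RFCOMM / GSM 07.10:
CRC-8 over address, control and length (address and control only for UIH),
polynomial x^8 + x^2 + x + 1 in reflected form (0xE0), init 0xFF,
FCS = 0xFF - crc.  Single-byte (EA=1) length fields only."""

RFCOMM_POLY_REFLECTED = 0xE0
PF_BIT = 0x10  # poll/final bit in the control field

CONTROL_TYPES = {0x2F: "SABM", 0x63: "UA", 0x0F: "DM", 0x43: "DISC", 0xEF: "UIH"}


def _crc8(data: bytes) -> int:
    """Reflected CRC-8 with init 0xFF and no final XOR (the RFCOMM table CRC)."""
    crc = 0xFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ RFCOMM_POLY_REFLECTED if crc & 1 else crc >> 1
    return crc


def rfcomm_fcs(frame: bytes, frame_type: str) -> int:
    """Expected FCS: UIH covers address+control, all other types also the length."""
    covered = frame[:2] if frame_type == "UIH" else frame[:3]
    return 0xFF - _crc8(covered)


def decode_rfcomm(hexdump: str) -> dict:
    """Parse one hcidump -X payload line such as '3b 53 01 e7' into its fields."""
    frame = bytes.fromhex(hexdump)
    if len(frame) < 4:
        raise ValueError("need address, control, length and FCS")
    addr, ctrl, length = frame[0], frame[1], frame[2]
    if not (addr & 0x01) or not (length & 0x01):
        raise ValueError("extended address/length (EA=0) not handled here")
    frame_type = CONTROL_TYPES.get(ctrl & ~PF_BIT, "UNKNOWN")
    dlci = addr >> 2  # bit 2 = direction, bits 3..7 = server channel
    return {
        "dlci": dlci,
        "server_channel": dlci >> 1,
        "command": bool(addr & 0x02),  # C/R bit
        "type": frame_type,
        "poll_final": bool(ctrl & PF_BIT),
        "length": length >> 1,
        "fcs_ok": frame[-1] == rfcomm_fcs(frame, frame_type),
    }


# The four RFCOMM payloads from the report's hcidump, with its direction
# markers: '>' received from the remote device, '<' sent by the local host.
TRACE = [(">", "3b 53 01 e7"), ("<", "3b 73 01 cd"),
         (">", "03 53 01 fd"), ("<", "03 73 01 d7")]


def summarize(trace=TRACE) -> list:
    """(direction, frame type, DLCI, fcs_ok) per frame: the remote tears down
    the data DLCI and then the control channel (DLCI 0), each answered with UA."""
    rows = []
    for direction, hexdump in trace:
        f = decode_rfcomm(hexdump)
        rows.append((direction, f["type"], f["dlci"], f["fcs_ok"]))
    return rows
```

The UA sent in reply to the second DISC (on DLCI 0) is the rfcomm_send_ua() call in the backtrace, issued over an L2CAP channel that is being torn down.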



2013-11-06 07:43:40

by Johan Hedberg

Subject: Re: [PATCH] net: bluetooth: fix crash in l2cap_chan_send after l2cap_chan_del

Hi Seung-Woo Kim,

On Tue, Nov 05, 2013, Seung-Woo Kim wrote:
> Removing a bond and disconnecting from a specific remote device
> can cause l2cap_chan_send() to be called after l2cap_chan_del() is
> called. This causes the following crash.
>
> [ 1384.972086] Unable to handle kernel NULL pointer dereference at virtual address 00000008
> [ 1384.972090] pgd = c0004000
> [ 1384.972125] [00000008] *pgd=00000000
> [ 1384.972137] Internal error: Oops: 17 [#1] PREEMPT SMP ARM
> [ 1384.972144] Modules linked in:
> [ 1384.972156] CPU: 0 PID: 841 Comm: krfcommd Not tainted 3.10.14-gdf22a71-dirty #435
> [ 1384.972162] task: df29a100 ti: df178000 task.ti: df178000
> [ 1384.972182] PC is at l2cap_create_basic_pdu+0x30/0x1ac
> [ 1384.972191] LR is at l2cap_chan_send+0x100/0x1d4
> [ 1384.972198] pc : [<c051d250>] lr : [<c0521c78>] psr: 40000113
> [ 1384.972198] sp : df179d40 ip : c083a010 fp : 00000008
> [ 1384.972202] r10: 00000004 r9 : 0000065a r8 : 000003f5
> [ 1384.972206] r7 : 00000000 r6 : 00000000 r5 : df179e84 r4 : da557000
> [ 1384.972210] r3 : 00000000 r2 : 00000004 r1 : df179e84 r0 : 00000000
> [ 1384.972215] Flags: nZcv IRQs on FIQs on Mode SVC_32 ISA ARM Segment kernel
> [ 1384.972220] Control: 10c53c7d Table: 5c8b004a DAC: 00000015
> [ 1384.972224] Process krfcommd (pid: 841, stack limit = 0xdf178238)
> [ 1384.972229] Stack: (0xdf179d40 to 0xdf17a000)
> [ 1384.972411] [<c051d250>] (l2cap_create_basic_pdu+0x30/0x1ac) from [<c0521c78>] (l2cap_chan_send+0x100/0x1d4)
> [ 1384.972425] [<c0521c78>] (l2cap_chan_send+0x100/0x1d4) from [<c0526b7c>] (l2cap_sock_sendmsg+0xa8/0x104)
> [ 1384.972440] [<c0526b7c>] (l2cap_sock_sendmsg+0xa8/0x104) from [<c045481c>] (sock_sendmsg+0xac/0xcc)
> [ 1384.972453] [<c045481c>] (sock_sendmsg+0xac/0xcc) from [<c0454dec>] (kernel_sendmsg+0x2c/0x34)
> [ 1384.972469] [<c0454dec>] (kernel_sendmsg+0x2c/0x34) from [<c0530598>] (rfcomm_send_frame+0x58/0x7c)
> [ 1384.972481] [<c0530598>] (rfcomm_send_frame+0x58/0x7c) from [<c0530810>] (rfcomm_send_ua+0x98/0xbc)
> [ 1384.972494] [<c0530810>] (rfcomm_send_ua+0x98/0xbc) from [<c0531b04>] (rfcomm_recv_disc+0xac/0x100)
> [ 1384.972506] [<c0531b04>] (rfcomm_recv_disc+0xac/0x100) from [<c05334e0>] (rfcomm_recv_frame+0x144/0x264)
> [ 1384.972519] [<c05334e0>] (rfcomm_recv_frame+0x144/0x264) from [<c0533674>] (rfcomm_process_rx+0x74/0xfc)
> [ 1384.972531] [<c0533674>] (rfcomm_process_rx+0x74/0xfc) from [<c0533754>] (rfcomm_process_sessions+0x58/0x160)
> [ 1384.972543] [<c0533754>] (rfcomm_process_sessions+0x58/0x160) from [<c05338c4>] (rfcomm_run+0x68/0x110)
> [ 1384.972558] [<c05338c4>] (rfcomm_run+0x68/0x110) from [<c0049db4>] (kthread+0xb8/0xbc)
> [ 1384.972576] [<c0049db4>] (kthread+0xb8/0xbc) from [<c000f168>] (ret_from_fork+0x14/0x2c)
> [ 1384.972586] Code: e3100004 e1a07003 e5946000 1a000057 (e5969008)
> [ 1384.972614] ---[ end trace 6170b7ce00144e8c ]---
>
> Signed-off-by: Seung-Woo Kim <[email protected]>
> ---
> I can reproduce this crash with the bluetooth-next kernel merged onto my v3.10
> system. It usually happens when the device is in sleep state and the remote
> device disconnects and removes the bonding.
>
> This patch is based on bluetooth-next tree.
> ---
> net/bluetooth/l2cap_core.c | 3 +++
> 1 files changed, 3 insertions(+), 0 deletions(-)

The patch has been applied to bluetooth-next. Thanks.

I also fixed up the subject a bit to be consistent with the rest of the
commits for the Bluetooth subsystem.

Johan

2013-11-05 09:46:33

by Seung-Woo Kim

Subject: [PATCH] net: bluetooth: fix crash in l2cap_chan_send after l2cap_chan_del

Removing a bond and disconnecting from a specific remote device
can cause l2cap_chan_send() to be called after l2cap_chan_del() is
called. This causes the following crash.

[ 1384.972086] Unable to handle kernel NULL pointer dereference at virtual address 00000008
[ 1384.972090] pgd = c0004000
[ 1384.972125] [00000008] *pgd=00000000
[ 1384.972137] Internal error: Oops: 17 [#1] PREEMPT SMP ARM
[ 1384.972144] Modules linked in:
[ 1384.972156] CPU: 0 PID: 841 Comm: krfcommd Not tainted 3.10.14-gdf22a71-dirty #435
[ 1384.972162] task: df29a100 ti: df178000 task.ti: df178000
[ 1384.972182] PC is at l2cap_create_basic_pdu+0x30/0x1ac
[ 1384.972191] LR is at l2cap_chan_send+0x100/0x1d4
[ 1384.972198] pc : [<c051d250>] lr : [<c0521c78>] psr: 40000113
[ 1384.972198] sp : df179d40 ip : c083a010 fp : 00000008
[ 1384.972202] r10: 00000004 r9 : 0000065a r8 : 000003f5
[ 1384.972206] r7 : 00000000 r6 : 00000000 r5 : df179e84 r4 : da557000
[ 1384.972210] r3 : 00000000 r2 : 00000004 r1 : df179e84 r0 : 00000000
[ 1384.972215] Flags: nZcv IRQs on FIQs on Mode SVC_32 ISA ARM Segment kernel
[ 1384.972220] Control: 10c53c7d Table: 5c8b004a DAC: 00000015
[ 1384.972224] Process krfcommd (pid: 841, stack limit = 0xdf178238)
[ 1384.972229] Stack: (0xdf179d40 to 0xdf17a000)
[ 1384.972411] [<c051d250>] (l2cap_create_basic_pdu+0x30/0x1ac) from [<c0521c78>] (l2cap_chan_send+0x100/0x1d4)
[ 1384.972425] [<c0521c78>] (l2cap_chan_send+0x100/0x1d4) from [<c0526b7c>] (l2cap_sock_sendmsg+0xa8/0x104)
[ 1384.972440] [<c0526b7c>] (l2cap_sock_sendmsg+0xa8/0x104) from [<c045481c>] (sock_sendmsg+0xac/0xcc)
[ 1384.972453] [<c045481c>] (sock_sendmsg+0xac/0xcc) from [<c0454dec>] (kernel_sendmsg+0x2c/0x34)
[ 1384.972469] [<c0454dec>] (kernel_sendmsg+0x2c/0x34) from [<c0530598>] (rfcomm_send_frame+0x58/0x7c)
[ 1384.972481] [<c0530598>] (rfcomm_send_frame+0x58/0x7c) from [<c0530810>] (rfcomm_send_ua+0x98/0xbc)
[ 1384.972494] [<c0530810>] (rfcomm_send_ua+0x98/0xbc) from [<c0531b04>] (rfcomm_recv_disc+0xac/0x100)
[ 1384.972506] [<c0531b04>] (rfcomm_recv_disc+0xac/0x100) from [<c05334e0>] (rfcomm_recv_frame+0x144/0x264)
[ 1384.972519] [<c05334e0>] (rfcomm_recv_frame+0x144/0x264) from [<c0533674>] (rfcomm_process_rx+0x74/0xfc)
[ 1384.972531] [<c0533674>] (rfcomm_process_rx+0x74/0xfc) from [<c0533754>] (rfcomm_process_sessions+0x58/0x160)
[ 1384.972543] [<c0533754>] (rfcomm_process_sessions+0x58/0x160) from [<c05338c4>] (rfcomm_run+0x68/0x110)
[ 1384.972558] [<c05338c4>] (rfcomm_run+0x68/0x110) from [<c0049db4>] (kthread+0xb8/0xbc)
[ 1384.972576] [<c0049db4>] (kthread+0xb8/0xbc) from [<c000f168>] (ret_from_fork+0x14/0x2c)
[ 1384.972586] Code: e3100004 e1a07003 e5946000 1a000057 (e5969008)
[ 1384.972614] ---[ end trace 6170b7ce00144e8c ]---

Signed-off-by: Seung-Woo Kim <[email protected]>
---
I can reproduce this crash with the bluetooth-next kernel merged onto my v3.10
system. It usually happens when the device is in sleep state and the remote
device disconnects and removes the bonding.

This patch is based on bluetooth-next tree.
---
net/bluetooth/l2cap_core.c | 3 +++
1 files changed, 3 insertions(+), 0 deletions(-)

diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c
index 0cef677..4af3821 100644
--- a/net/bluetooth/l2cap_core.c
+++ b/net/bluetooth/l2cap_core.c
@@ -2439,6 +2439,9 @@ int l2cap_chan_send(struct l2cap_chan *chan, struct msghdr *msg, size_t len,
int err;
struct sk_buff_head seg_queue;

+ if (!chan->conn)
+ return -ENOTCONN;
+
/* Connectionless channel */
if (chan->chan_type == L2CAP_CHAN_CONN_LESS) {
skb = l2cap_create_connless_pdu(chan, msg, len, priority);
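Review bot: the commit message says the crash is l2cap_chan_send() running after l2cap_chan_del(), but not why RFCOMM still holds a usable socket for a channel that has already been deleted; the backtrace shows rfcomm_recv_disc() answering the remote DISC with rfcomm_send_ua() over l2cap_sock_sendmsg() on that socket. Returning -ENOTCONN stops the NULL dereference and is a reasonable first step, but the description should say that the underlying ordering problem (the RFCOMM session outliving its L2CAP channel) is left for a follow-up, and the check would read better with a short comment stating that chan->conn is NULL once l2cap_chan_del() has run, which is the property the test relies on.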
--
1.7.4.1

2013-11-05 07:29:00

by Seung-Woo Kim

Subject: RE: [BUG] Crash during disconnecting and removing bond from remote device

Hi Johan Hedberg,

Sorry for late response.

> -----Original Message-----
> From: Johan Hedberg [mailto:[email protected]]
> Sent: Friday, November 01, 2013 4:57 PM
> To: Seung-Woo Kim
> Cc: [email protected]; [email protected]
> Subject: Re: [BUG] Crash during disconnecting and removing bond from
> remote device
>
> Hi Seung-Woo Kim,
>
> On Mon, Oct 28, 2013, Seung-Woo Kim wrote:
> > I used 3.10.14 with RFCOMM tty patches in 3.12-rc, and I tested
> > disconnecting and removing a bond from a remote device, and I got the
> > following crash.
>
> This looks like a potentially valid issue, but you'd need to dress up the
> fix as a proper patch (i.e. git format-patch + git send-email). It'd also
> be good if you could confirm that the issue is reproducible with the
> latest bluetooth-next kernel.

I tried with the bluetooth-next kernel, and the issue I mentioned is not
there. But if you consider applying the patch, then I will post the
formatted patch. Please let me know if you want it.

Best Regards,
- Seung-Woo Kim

>
> Johan


2013-11-01 07:57:18

by Johan Hedberg

Subject: Re: [BUG] Crash during disconnecting and removing bond from remote device

Hi Seung-Woo Kim,

On Mon, Oct 28, 2013, Seung-Woo Kim wrote:
> I used 3.10.14 with RFCOMM tty patches in 3.12-rc, and I tested
> disconnecting and removing a bond from a remote device, and I got the
> following crash.

This looks like a potentially valid issue, but you'd need to dress up
the fix as a proper patch (i.e. git format-patch + git send-email). It'd
also be good if you could confirm that the issue is reproducible with
the latest bluetooth-next kernel.

Johan