2005-07-04 15:19:30

by Ville Tervo

Subject: rfcomm oops

Hi,

I found a reproducible way to make the rfcomm layer oops. I attached the oops
and some notes on how they were produced. I used several Nokia phones and an
IBM T40 laptop in these tests.


PPP Deflate Compression module registered
atkbd.c: Keyboard on isa0060/serio0 reports too many keys pressed.
Unable to handle kernel NULL pointer dereference at virtual address 00000047
printing eip:
c0294798
*pde = 00000000
Oops: 0000 [#1]
PREEMPT
Modules linked in: ppp_deflate zlib_deflate bsd_comp ppp_async
ppp_generic slhc af_packet hci_usb radeon drm rfcomm l2cap bluetooth
binfmt_misc pcmcia md5 ipv6 fan irtty_sir sir_dev irda crc_ccitt
parport_pc parport i2c_i801 i2c_core hw_random uhci_hcd intel_agp
agpgart ipw2100 firmware_class ieee80211 ieee80211_crypt e1000
yenta_socket rsrc_nonstatic pcmcia_core snd_intel8x0 snd_ac97_codec
snd_pcm_oss snd_mixer_oss snd_pcm snd_timer snd soundcore snd_page_alloc
ehci_hcd usbcore aes_i586 thermal processor ibm_acpi ac button battery
ide_cd cdrom genrtc unix
CPU: 0
EIP: 0060:[<c0294798>] Not tainted VLI
EFLAGS: 00010246 (2.6.12-rc5)
EIP is at sock_sendmsg+0xb8/0xe0
eax: 0000000f ebx: f67c601b ecx: c9668060 edx: f6d17e0c
esi: 00000004 edi: f6d17d40 ebp: f6d17dcc esp: f6d17ce0
ds: 007b es: 007b ss: 0068
Process rfcomm (pid: 8320, threadinfo=f6d16000 task=c9668060)
Stack: f6d17d40 f67c601b f6d17e0c 00000004 f6d17d08 c03553c0 f6d17d68 00000004
f67c601b f6d17d20 00000000 f6d17e0c d16154c0 a6119780 a6119780 00108eeb
f6d17d40 f6d17d48 c01147a8 c03fa0d0 00108eeb ce724510 00000046 00000000
Call Trace:
[<c01037cf>] show_stack+0x7f/0xa0
[<c0103976>] show_registers+0x156/0x1c0
[<c0103b8a>] die+0xea/0x180
[<c0113406>] do_page_fault+0x326/0x6a2
[<c01033df>] error_code+0x4f/0x54
[<c0294802>] kernel_sendmsg+0x42/0x50
[<f8d5ebef>] rfcomm_send_frame+0x4f/0x60 [rfcomm]
[<f8d5ed5a>] rfcomm_send_disc+0x6a/0x70 [rfcomm]
[<f8d5e5b7>] __rfcomm_dlc_close+0xc7/0xf0 [rfcomm]
[<f8d5e604>] rfcomm_dlc_close+0x24/0x40 [rfcomm]
[<f8d630c1>] rfcomm_tty_close+0x61/0xb0 [rfcomm]
[<c0238e7c>] release_dev+0x7bc/0x7d0
[<c0239376>] tty_release+0x16/0x30
[<c015ad0d>] __fput+0x13d/0x150
[<c01593e7>] filp_close+0x57/0x90
[<c0159492>] sys_close+0x72/0xb0
[<c01031c5>] syscall_call+0x7/0xb
Code: 3c ff ff ff 8b 45 0c 89 9d 34 ff ff ff 89 b5 30 ff ff ff 89 85 40 ff ff ff 8b 43 08 89 74 24 0c 89 54 24 08 89 5c 24 04 89 3c 24 <ff> 50 38 3d ef fd ff ff 74 0e 81 c4 e0 00 00 00 5b 5e 5f 5d c3


I connected to a Nokia 6630 with the commands "rfcomm connect 1 bdaddr 1" and
"rfcomm connect 2 bdaddr 15", which are the DUN and OBEX channels. Then I
started to disconnect and connect continuously using ctrl-c. After a while the
phone crashed, and after the phone rebooted the kernel oopsed when I hit
ctrl-c for the OBEX channel.

Second case

Bluetooth: RFCOMM socket layer initialized
Bluetooth: RFCOMM TTY layer initialized
Unable to handle kernel NULL pointer dereference at virtual address 00000038
printing eip:
c0294798
*pde = 00000000
Oops: 0000 [#1]
PREEMPT
Modules linked in: rfcomm l2cap binfmt_misc pcmcia md5 ipv6 fan
irtty_sir sir_dev irda crc_ccitt parport_pc parport i2c_i801 i2c_core
hw_random hci_usb bluetooth uhci_hcd intel_agp agpgart ipw2100
firmware_class ieee80211 ieee80211_crypt e1000 yenta_socket
rsrc_nonstatic pcmcia_core snd_intel8x0 snd_ac97_codec snd_pcm_oss
snd_mixer_oss snd_pcm snd_timer snd soundcore snd_page_alloc ehci_hcd
usbcore aes_i586 thermal processor ibm_acpi ac button battery ide_cd
cdrom genrtc unix
CPU: 0
EIP: 0060:[<c0294798>] Not tainted VLI
EFLAGS: 00010246 (2.6.12-rc5)
EIP is at sock_sendmsg+0xb8/0xe0
eax: 00000000 ebx: f75a4c40 ecx: f6da3ac0 edx: f6e1fe0c
esi: 00000004 edi: f6e1fd40 ebp: f6e1fdcc esp: f6e1fce0
ds: 007b es: 007b ss: 0068
Process rfcomm (pid: 3935, threadinfo=f6e1e000 task=f6da3ac0)
Stack: f6e1fd40 f75a4c40 f6e1fe0c 00000004 00000010 c03553c0 f6e1fd68 00000004
f75a4c40 f6e1fd20 00000000 f6e1fe0c f737f4c0 0d1a3a40 0d1a3a40 000f421c
f6e1fd40 f6e1fd48 c01147a8 c03fa548 000f421c f747c060 00000046 00000000
Call Trace:
[<c01037cf>] show_stack+0x7f/0xa0
[<c0103976>] show_registers+0x156/0x1c0
[<c0103b8a>] die+0xea/0x180
[<c0113406>] do_page_fault+0x326/0x6a2
[<c01033df>] error_code+0x4f/0x54
[<c0294802>] kernel_sendmsg+0x42/0x50
[<f8d6abef>] rfcomm_send_frame+0x4f/0x60 [rfcomm]
[<f8d6ad5a>] rfcomm_send_disc+0x6a/0x70 [rfcomm]
[<f8d6a5b7>] __rfcomm_dlc_close+0xc7/0xf0 [rfcomm]
[<f8d6a604>] rfcomm_dlc_close+0x24/0x40 [rfcomm]
[<f8d6f0c1>] rfcomm_tty_close+0x61/0xb0 [rfcomm]
[<c0238e7c>] release_dev+0x7bc/0x7d0
[<c0239376>] tty_release+0x16/0x30
[<c015ad0d>] __fput+0x13d/0x150
[<c01593e7>] filp_close+0x57/0x90
[<c0159492>] sys_close+0x72/0xb0
[<c01031c5>] syscall_call+0x7/0xb
Code: 3c ff ff ff 8b 45 0c 89 9d 34 ff ff ff 89 b5 30 ff ff ff 89 85 40 ff ff ff 8b 43 08 89 74 24 0c 89 54 24 08 89 5c 24 04 89 3c 24 <ff> 50 38 3d ef fd ff ff 74 0e 81 c4 e0 00 00 00 5b 5e 5f 5d c3

I connected to a Nokia 6630 with the commands "rfcomm connect 1 bdaddr 1" and
"rfcomm connect 2 bdaddr 15"; they are the DUN and OBEX channels. Then I
disconnected and reconnected the DUN channel about 20 times, and after that
disconnecting the OBEX channel triggered this oops. I also tested a Nokia 6680
and 9500 with the same results.

--
Ville
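Editor's note on reading the two dumps above. Both fault in sock_sendmsg at the same EIP and the same instruction, the byte marked <ff> in the Code: line: "ff 50 38" is "call *0x38(%eax)", and the "8b 43 08" just before it is "mov 0x8(%ebx),%eax". As I read the 2.6.12 i386 layouts, 8(%ebx) is sock->ops in struct socket and 0x38 is proto_ops->sendmsg, so the indirect call is the sock->ops->sendmsg(...) at the end of sock_sendmsg, %eax holds sock->ops, and the fault address should equal %eax + 0x38. It does in both reports: 0x0000000f + 0x38 = 0x00000047 and 0x00000000 + 0x38 = 0x00000038. In other words the struct socket the RFCOMM session is sending its DISC frame on (from rfcomm_send_disc in __rfcomm_dlc_close) no longer has a valid ops pointer at the time of the tty close, which fits Marcel's later comment about the DLCI 0 disconnect change. The script below is an added triage helper, not code from the thread or from BlueZ; it parses the register lines and the Code: bytes of an i386 oops, decodes the marked instruction when it is a plain "call *disp(%reg)", and checks that the base register plus displacement reproduces the reported fault address. The two inputs are the relevant lines copied from the reports above; the decoder only handles the base+disp ModRM form, which is all this case needs.

```python
import re

# ModRM r/m field -> 32-bit register, in Intel encoding order.
RM_REGS = ("eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi")

# Test inputs: the lines that matter, copied from the two oops reports in
# this thread (fault address, EIP symbol, registers and the Code: dump).
OOPS_DUN_OBEX_1 = """\
Unable to handle kernel NULL pointer dereference at virtual address 00000047
EIP is at sock_sendmsg+0xb8/0xe0
eax: 0000000f ebx: f67c601b ecx: c9668060 edx: f6d17e0c
esi: 00000004 edi: f6d17d40 ebp: f6d17dcc esp: f6d17ce0
Code: 3c ff ff ff 8b 45 0c 89 9d 34 ff ff ff 89 b5 30 ff ff ff 89 85 40
ff ff ff 8b 43 08 89 74 24 0c 89 54 24 08 89 5c 24 04 89 3c 24 <ff> 50
38 3d ef fd ff ff 74 0e 81 c4 e0 00 00 00 5b 5e 5f 5d c3
"""

OOPS_DUN_OBEX_2 = """\
Unable to handle kernel NULL pointer dereference at virtual address 00000038
EIP is at sock_sendmsg+0xb8/0xe0
eax: 00000000 ebx: f75a4c40 ecx: f6da3ac0 edx: f6e1fe0c
esi: 00000004 edi: f6e1fd40 ebp: f6e1fdcc esp: f6e1fce0
Code: 3c ff ff ff 8b 45 0c 89 9d 34 ff ff ff 89 b5 30 ff ff ff 89 85 40
ff ff ff 8b 43 08 89 74 24 0c 89 54 24 08 89 5c 24 04 89 3c 24 <ff> 50
38 3d ef fd ff ff 74 0e 81 c4 e0 00 00 00 5b 5e 5f 5d c3
"""


def parse_oops(text):
    """Extract fault address, EIP symbol, register values and Code: bytes."""
    fault = int(re.search(r"virtual address\s+([0-9a-f]{8})", text).group(1), 16)
    symbol = re.search(r"EIP is at (\S+)", text).group(1)
    regs = {name: int(val, 16)
            for name, val in re.findall(r"\b(e[abcd]x|e[sd]i|e[sb]p):\s*([0-9a-f]{8})", text)}
    # The Code: dump is one logical line that the mailer wrapped; rejoin it.
    code = text.split("Code:", 1)[1].split("\n\n", 1)[0].split()
    return {"fault": fault, "symbol": symbol, "regs": regs, "code": code}


def decode_faulting_insn(code):
    """Decode the byte marked <..> if it is `call *disp(%reg)` (opcode ff /2).

    Returns (base_register, displacement), or None for any other instruction.
    Only the plain base+disp ModRM form is handled; SIB and absolute forms
    are reported as None rather than guessed.
    """
    start = next(i for i, tok in enumerate(code) if tok.startswith("<"))
    b = [int(tok.strip("<>"), 16) for tok in code[start:]]
    if b[0] != 0xFF:
        return None
    mod, reg, rm = b[1] >> 6, (b[1] >> 3) & 7, b[1] & 7
    if reg != 2 or mod == 3 or rm == 4 or (mod == 0 and rm == 5):
        return None
    if mod == 0:
        disp = 0
    elif mod == 1:
        disp = b[2] - 0x100 if b[2] & 0x80 else b[2]      # sign-extended disp8
    else:
        disp = int.from_bytes(bytes(b[2:6]), "little", signed=True)
    return RM_REGS[rm], disp


def explain(text):
    """Check that the reported fault address is base register + displacement."""
    oops = parse_oops(text)
    decoded = decode_faulting_insn(oops["code"])
    if decoded is None:
        return None
    base_reg, disp = decoded
    base = oops["regs"][base_reg]
    computed = (base + disp) & 0xFFFFFFFF
    return {
        "symbol": oops["symbol"],
        "insn": "call *0x%x(%%%s)" % (disp, base_reg),
        "base_reg": base_reg,
        "base": base,
        "fault": oops["fault"],
        "consistent": computed == oops["fault"],
    }


if __name__ == "__main__":
    for name, text in (("first oops", OOPS_DUN_OBEX_1), ("second oops", OOPS_DUN_OBEX_2)):
        r = explain(text)
        print("%s: %s faulted on %s with %%%s=%08x, fault address %08x, consistent=%s"
              % (name, r["symbol"], r["insn"], r["base_reg"], r["base"],
                 r["fault"], r["consistent"]))
```

A base register of 0 with a small fault address is the ordinary NULL-pointer case (second report); a base of 0xf (first report) is not a NULL pointer at all but a small garbage value where a kernel pointer should be, which is the kind of thing to expect when the struct being dereferenced has already been freed or overwritten.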



2005-07-05 08:14:51

by Marcel Holtmann

Subject: [Bluez-devel] Re: rfcomm oops

Hi Ville,

> > > I found a reproducible way to make the rfcomm layer oops. I attached the oops
> > > and some notes on how they were produced. I used several Nokia phones and an
> > > IBM T40 laptop in these tests.
> >
> > if the attached patch makes it go away, then I know what it is. Actually
> > I introduced that problem when I tried to fix another bug with buggy
> > phones that can't disconnect their DLCI 0 even if they established it.
>
> Looks like this patch helps. I tested with i386 and arm.

this is what I expected. It is one step back, but it is better than
getting an oops every time.

Regards

Marcel




_______________________________________________
Bluez-devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/bluez-devel

2005-07-05 07:41:17

by Ville Tervo

Subject: Re: rfcomm oops

On Mon, 2005-07-04 at 17:29 +0200, ext Marcel Holtmann wrote:
> Hi Ville,
>
> > I found a reproducible way to make the rfcomm layer oops. I attached the oops
> > and some notes on how they were produced. I used several Nokia phones and an
> > IBM T40 laptop in these tests.
>
> if the attached patch makes it go away, then I know what it is. Actually
> I introduced that problem when I tried to fix another bug with buggy
> phones that can't disconnect their DLCI 0 even if they established it.
>

Looks like this patch helps. I tested with i386 and arm.

--
Ville

2005-07-04 15:37:05

by Wolfram Quester

Subject: Re: [Bluez-devel] rfcomm oops

Hi Ville,

On Mon, Jul 04, 2005 at 06:19:30PM +0300, Ville Tervo wrote:
> Hi,
>
> I found a reproducible way to make the rfcomm layer oops. I attached the oops
> and some notes on how they were produced. I used several Nokia phones and an
> IBM T40 laptop in these tests.
>
>
> PPP Deflate Compression module registered
> atkbd.c: Keyboard on isa0060/serio0 reports too many keys pressed.
> Unable to handle kernel NULL pointer dereference at virtual address 00000047
> printing eip:
> c0294798
> *pde = 00000000
> Oops: 0000 [#1]
> PREEMPT
What happens if you disable CONFIG_PREEMPT? At least on ppc this leads
to crashes quite often; I don't know how well it works on i386.

HTH,

Wolfi



2005-07-04 15:29:04

by Marcel Holtmann

Subject: [Bluez-devel] Re: rfcomm oops

Hi Ville,

> I found a reproducible way to make the rfcomm layer oops. I attached the oops
> and some notes on how they were produced. I used several Nokia phones and an
> IBM T40 laptop in these tests.

if the attached patch makes it go away, then I know what it is. Actually
I introduced that problem when I tried to fix another bug with buggy
phones that can't disconnect their DLCI 0 even if they established it.

Regards

Marcel


Attachments:
patch (484.00 B)