Re: 2.6.26rc9+git bluetooth/rfcomm oops

From: Vegard Nossum
Date: Sun Jul 13 2008 - 12:26:15 EST

Next message: Suresh Siddha: "Re: [PATCH] x86: let 32bit use apic_ops too"
Previous message: Cyrill Gorcunov: "Re: [RFC] lapic calibration results fix"
In reply to: Soeren Sonnenburg: "2.6.26rc9+git bluetooth/rfcomm oops"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Sun, Jul 13, 2008 at 12:32 PM, Soeren Sonnenburg <kernel@xxxxxx> wrote:
> Hi,
>
> this oops happened after a couple of s2ram cycles so it might be very
> well crap. However I somehow triggered it by /etc/init.d/bluetooth
> stop/start's which also call hid2hci maybe even a connection was about
> to be established at that time. As I remember having seen a problem like
> this before I thought I report it (even though I have a madwifi tainted
> kernel).
>
> [drm] Num pipes: 1
> kobject_add_internal failed for rfcomm0 with -EEXIST, don't try to register things with the same name in the same directory.

Hi,

Thanks for the report.

I was able to reproduce your Oops:

kobject_add_internal failed for rfcomm0 with -EEXIST, don't try to
register things with the same name in the same directory.
Pid: 2534, comm: a.out Not tainted 2.6.26-rc9-00132-g9df2fe9 #24
[<c0210161>] kobject_add_internal+0x108/0x13e
[<c0210478>] kobject_add+0x4a/0x4e
[<c026e258>] device_add+0x62/0x446
[<c020feb9>] kobject_init+0x32/0x53
[<c026e6c4>] device_create_vargs+0x78/0x99
[<c026e707>] device_create+0x22/0x26
[<c02521be>] tty_register_device+0x97/0xa2
[<c0110000>] __cpu_disable+0x10b/0x130
[<c03721c8>] sk_prot_alloc+0x1c/0x61
[<c03ea86e>] rfcomm_dev_ioctl+0x213/0x582
[<c03e9342>] rfcomm_sock_ioctl+0x1e/0x2d
[<c03715c5>] sock_ioctl+0x152/0x175
[<c0371473>] sock_ioctl+0x0/0x175
[<c0166538>] vfs_ioctl+0x1c/0x5d
[<c01667b6>] do_vfs_ioctl+0x23d/0x254
[<c037119d>] sys_socketcall+0x51/0x181
[<c01667f9>] sys_ioctl+0x2c/0x43
[<c0103569>] sysenter_past_esp+0x6a/0x91
=======================

This is because the device may be unregistered even though a reference
to it is held. When we try to register it again, the kobject layer
burps because the tty parts have not been unregistered yet. (This only
happens when the device is finally destroyed, i.e. no references.)

I don't know how to fix this, but I've attached a reproducer and added
a couple of Ccs.

Vegard

--
"The animistic metaphor of the bug that maliciously sneaked in while
the programmer was not looking is intellectually dishonest as it
disguises that the error is the programmer's own creation."
-- E. W. Dijkstra, EWD1036
#include <sys/ioctl.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <sys/wait.h>

#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define RFCOMMCREATEDEV _IOW('R', 200, int)
#define RFCOMMRELEASEDEV _IOW('R', 201, int)
#define BTPROTO_RFCOMM 3

typedef uint8_t u8;
typedef uint32_t u32;
typedef int16_t s16;
typedef uint8_t __u8;

/* BD Address */
typedef struct {
__u8 b[6];
} __attribute__((packed)) bdaddr_t;

struct rfcomm_dev_req {
s16 dev_id;
u32 flags;
bdaddr_t src;
bdaddr_t dst;
u8 channel;
};

void rfcomm(int request, int dev_id)
{
int fd = socket(PF_BLUETOOTH, SOCK_STREAM, BTPROTO_RFCOMM);
if (fd == -1) {
fprintf(stderr, "socket: error: %s\n", strerror(errno));
exit(EXIT_FAILURE);
}

struct rfcomm_dev_req req;
memset(&req, 0, sizeof(req));
req.dev_id = dev_id;
req.channel = 1;

if (ioctl(fd, request, &req) == -1) {
fprintf(stderr, "ioctl: error: %s\n", strerror(errno));
exit(EXIT_FAILURE);
}

while (close(fd) == -1 && errno == EINTR);
}

int
main(int argc, char *argv[])
{
pid_t child;

child = fork();
if (child == -1) {
fprintf(stderr, "fork: error: %s\n", strerror(errno));
exit(EXIT_FAILURE);
}

if (child == 0) {
printf("Creating\n");
rfcomm(RFCOMMCREATEDEV, 0);

printf("Opening /dev/rfcomm0...\n");

int fd = open("/dev/rfcomm0", O_RDWR | O_NOCTTY);
if (fd == -1) {
fprintf(stderr, "open: error: %s\n", strerror(errno));
rfcomm(RFCOMMRELEASEDEV, 0);
exit(EXIT_FAILURE);
}

exit(EXIT_SUCCESS);
}

sleep(1);

/* This will delete the device, but since we still hold a reference
* to it in "fd", the tty won't be unregistered yet... */
printf("Releasing\n");
rfcomm(RFCOMMRELEASEDEV, 0);

/* And now we try to register the same tty device... */
printf("Recreating\n");
rfcomm(RFCOMMCREATEDEV, 0);

/* Cleanup */
printf("Releasing\n");
rfcomm(RFCOMMRELEASEDEV, 0);

while (1) {
int status;

if (wait(&status) == -1) {
if (errno == ECHILD)
break;

fprintf(stderr, "wait: error: %s\n", strerror(errno));
exit(EXIT_FAILURE);
}
}

return EXIT_SUCCESS;
}

Next message: Suresh Siddha: "Re: [PATCH] x86: let 32bit use apic_ops too"
Previous message: Cyrill Gorcunov: "Re: [RFC] lapic calibration results fix"
In reply to: Soeren Sonnenburg: "2.6.26rc9+git bluetooth/rfcomm oops"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]