Bug 216274 - rfcomm oops
rfcomm oops
Status: CLOSED INSUFFICIENT_DATA
Product: Fedora
Classification: Fedora
Component: kernel (Show other bugs)
6
All Linux
medium Severity medium
: ---
: ---
Assigned To: Kernel Maintainer List
Brian Brock
:
Depends On:
Blocks: 427887
  Show dependency treegraph
 
Reported: 2006-11-18 10:41 EST by David Woodhouse
Modified: 2008-02-07 23:29 EST (History)
3 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2008-02-07 23:29:16 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
Patch to check for session pointer (378 bytes, patch)
2006-11-18 16:56 EST, Marcel Holtmann
no flags Details | Diff

  None (edit)
Description David Woodhouse 2006-11-18 10:41:41 EST
When I run gpsdrive configured to use a GPS received on /dev/rfcomm4 it causes
an oops:

Oops: Kernel access of bad area, sig: 11 [#1]

Modules linked in: arc4(U) ieee80211_crypt_wep(U) udf(U) drm(U) hidp(U)
hci_usb(U) rfcomm(U) l2cap(U) bluetooth(U) ipv6(U) nls_utf8(U) hfsplus(U)
dm_mirror(U) dm_mod(U) therm_adt746x(U) parport_pc(U) lp(U) parport(U)
snd_aoa_i2sbus(U) snd_powermac(U) snd_seq_dummy(U) snd_seq_oss(U)
snd_seq_midi_event(U) snd_seq(U) snd_seq_device(U) snd_pcm_oss(U)
snd_mixer_oss(U) snd_pcm(U) sungem(U) sungem_phy(U) snd_timer(U)
snd_page_alloc(U) snd(U) ide_cd(U) soundcore(U) snd_aoa_soundbus(U) ohci1394(U)
cdrom(U) bcm43xx(U) ieee1394(U) ieee80211softmac(U) ieee80211(U)
ieee80211_crypt(U) ext3(U) jbd(U) ehci_hcd(U) ohci_hcd(U) uhci_hcd(U)
NIP: F285A240 LR: F285E8E8 CTR: C0195D1C
REGS: eb2d9be0 TRAP: 0300   Not tainted  (2.6.18-1.2849.fc6)
MSR: 00009032 <EE,ME,IR,DR>  CR: 28004444  XER: 20000000
DAR: 00000018, DSISR: 40000000
TASK = eb4ead30[3616] 'gpsdrive' THREAD: eb2d8000
GPR00: F285E8E8 EB2D9C90 EB4EAD30 00000000 00000001 0000000E 00000003 0000000B 
GPR08: 00000003 00000000 00000000 F2860A58 EC9A5820 1007D1A0 10070000 10070000 
GPR16: 10070000 10070000 0EF67250 0EF671B8 0EF67320 00000000 00000001 7FD374D8 
GPR24: FFFFFFEF 802C7415 00000000 00000000 00002580 00000000 EB2D9D08 00000000 
NIP [F285A240] rfcomm_send_rpn+0x44/0xd4 [rfcomm]
LR [F285E8E8] rfcomm_tty_set_termios+0x1dc/0x1f0 [rfcomm]
Call Trace:
[EB2D9C90] [C002E3FC] try_to_wake_up+0x18c/0x1a4 (unreliable)
[EB2D9CD0] [F285E8E8] rfcomm_tty_set_termios+0x1dc/0x1f0 [rfcomm]
[EB2D9D00] [C019CE24] change_termios+0x278/0x2c8
[EB2D9D50] [C019D2C0] set_termios+0x284/0x2c0
[EB2D9DA0] [C019D8AC] n_tty_ioctl+0x5b0/0xc00
[EB2D9E00] [C0199AEC] tty_ioctl+0xea8/0xf44
[EB2D9ED0] [C00A433C] do_ioctl+0x6c/0x84
[EB2D9EE0] [C00A4734] vfs_ioctl+0x3e0/0x414
[EB2D9F10] [C00A47D0] sys_ioctl+0x68/0x98
[EB2D9F40] [C0011C0C] ret_from_syscall+0x0/0x38
--- Exception: c01 at 0xf551de4
    LR = 0x1003653c
Instruction dump:
5508177a 7d083b78 55291eb8 bf010020 3b00ffef 54a7163a 90010044 7d084b78 
60e70003 8b61004b 38a0000e 8b41004f <83a30018> a3210052 57bd083c 9b610011 

Further attempts to open /dev/rfcomm4 give -EIO. Will reboot and attempt to
strace gpsdrive when this happens -- it seems repeatable.
Comment 1 David Woodhouse 2006-11-18 10:50:26 EST
open("/dev/rfcomm4", O_RDWR|O_NOCTTY)   = 7
ioctl(7, TCGETS, {B115200 -opost -isig -icanon -echo ...}) = 0
ioctl(7, TCSETSW
Comment 2 Marcel Holtmann 2006-11-18 14:28:06 EST
I can't see the actual kernel version in the oops. What kernel is this, because
the latest Fedora Core 6 kernel might already fix this.
Comment 3 David Woodhouse 2006-11-18 16:43:30 EST
REGS: eb2d9be0 TRAP: 0300   Not tainted  (2.6.18-1.2849.fc6)


(gdb) list *rfcomm_send_rpn+0x44
0x240 is in rfcomm_send_rpn (net/bluetooth/rfcomm/core.c:842).
837                             " flwc_s 0x%x xon_c 0x%x xoff_c 0x%x p_mask 0x%x", 
838                     s, cr, dlci, bit_rate, data_bits, stop_bits, parity, 
839                     flow_ctrl_settings, xon_char, xoff_char, param_mask);
840
841             hdr = (void *) ptr; ptr += sizeof(*hdr);
842             hdr->addr = __addr(s->initiator, 0);
843             hdr->ctrl = __ctrl(RFCOMM_UIH, 0);
844             hdr->len  = __len8(sizeof(*mcc) + sizeof(*rpn));
845
846             mcc = (void *) ptr; ptr += sizeof(*mcc);


Looks like 's' is zero. The fault was at address 0x18. (Sorry, snipped that bit)

Unable to handle kernel paging request for data at address 0x00000018

Will reproduce with debugging enabled.
Comment 4 Marcel Holtmann 2006-11-18 16:56:39 EST
Created attachment 141568 [details]
Patch to check for session pointer
Comment 5 David Woodhouse 2006-11-18 16:57:59 EST
rfcomm_tty_open: tty ea723800 id 4
rfcomm_tty_open: dev c0d46f60 dst DF:12:10:F7:15:00 channel 1 opened 1
rfcomm_tty_ioctl: tty ea723800 cmd 0x402c7413
rfcomm_tty_ioctl: TCGETS is not supported
rfcomm_tty_ioctl: tty ea723800 cmd 0x802c7415
rfcomm_tty_chars_in_buffer: tty ea723800 dev c0d46f60
rfcomm_tty_wait_until_sent: tty ea723800 timeout 2147483647
rfcomm_tty_set_termios: tty ea723800 termios e5c37d08
rfcomm_tty_set_termios: Parity is OFF
rfcomm_tty_set_termios: XOFF custom
rfcomm_tty_set_termios: XON custom
rfcomm_send_rpn: 00000000 cr 1 dlci 2 bit_r 0x3 data_b 0x3 stop_b 0x0 parity 0x0
flwc_s 0x0 xon_c 0x0 xoff_c 0x0 p_mask 0x61
Unable to handle kernel paging request for data at address 0x00000018
Faulting instruction address: 0xf284f360
Oops: Kernel access of bad area, sig: 11 [#1]

Modules linked in: arc4(U) ieee80211_crypt_wep(U) udf(U) drm(U) hidp(U)
hci_usb(U) rfcomm(U) l2cap(U) bluetooth(U) ipv6(U) nls_utf8(U) hfsplus(U)
dm_mirror(U) dm_mod(U) therm_adt746x(U) parport_pc(U) lp(U) parport(U)
snd_aoa_i2sbus(U) snd_powermac(U) snd_seq_dummy(U) snd_seq_oss(U)
snd_seq_midi_event(U) snd_seq(U) snd_seq_device(U) snd_pcm_oss(U)
snd_mixer_oss(U) snd_pcm(U) snd_timer(U) snd_page_alloc(U) snd(U) soundcore(U)
ohci1394(U) snd_aoa_soundbus(U) ieee1394(U) ide_cd(U) bcm43xx(U) cdrom(U)
sungem(U) sungem_phy(U) ieee80211softmac(U) ieee80211(U) ieee80211_crypt(U)
ext3(U) jbd(U) ehci_hcd(U) ohci_hcd(U) uhci_hcd(U)
NIP: F284F360 LR: F284F358 CTR: 00000001
REGS: e5c37ba0 TRAP: 0300   Not tainted  (2.6.18-1.2849.fc6)
MSR: 00009032 <EE,ME,IR,DR>  CR: 28004422  XER: 00000000
DAR: 00000018, DSISR: 40000000
TASK = eb587930[3784] 'gpsdrive' THREAD: e5c36000
GPR00: F284F358 E5C37C50 EB587930 00000080 C02FD4D8 FFFFFFFF C03D0000 00000000 
GPR08: C03DFA4C F2850000 FFFFFFEF C03D0000 00000000 1007D1A0 10070000 10070000 
GPR16: 10070000 10070000 0EF67250 00000061 00000000 00000000 00000003 00000000 
GPR24: 00000000 00000002 00000001 00000000 00000003 00000000 E5C37D08 ECAE82A0 
NIP [F284F360] rfcomm_send_rpn+0x84/0x138 [rfcomm]
LR [F284F358] rfcomm_send_rpn+0x7c/0x138 [rfcomm]
Call Trace:
[E5C37C50] [F284F358] rfcomm_send_rpn+0x7c/0x138 [rfcomm] (unreliable)
[E5C37CC0] [F2854904] rfcomm_tty_set_termios+0x2d8/0x2ec [rfcomm]
[E5C37D00] [C019CE24] change_termios+0x278/0x2c8
[E5C37D50] [C019D2C0] set_termios+0x284/0x2c0
[E5C37DA0] [C019D8AC] n_tty_ioctl+0x5b0/0xc00
[E5C37E00] [C0199AEC] tty_ioctl+0xea8/0xf44
[E5C37ED0] [C00A433C] do_ioctl+0x6c/0x84
[E5C37EE0] [C00A4734] vfs_ioctl+0x3e0/0x414
[E5C37F10] [C00A47D0] sys_ioctl+0x68/0x98
[E5C37F40] [C0011C0C] ret_from_syscall+0x0/0x38
--- Exception: c01 at 0xf551de4
    LR = 0x1003653c
Instruction dump:
7ec8b378 92e1000c 7f89e378 7faaeb78 92a10010 38847db4 386383d8 92810014 
92610018 48006725 3d20f285 3940ffef <81780018> 39297904 579c07be 57bd177a 
 <6>rfcomm_tty_close: tty ea723800 dev c0d46f60 dlc cfc16540 opened 2
rfcomm_tty_close: tty ea723800 dev c0d46f60 dlc cfc16540 opened 1
Comment 6 Marcel Holtmann 2007-07-21 06:29:08 EDT
There have been a lot of RFCOMM fixes. Please re-test the latest Linus' kernel.
Comment 7 Jon Stanley 2008-01-07 20:55:55 EST
(This is a mass-update to all current FC6 kernel bugs in NEW state)

Hello,

I'm reviewing this bug list as part of the kernel bug triage project, an attempt
to isolate current bugs in the Fedora kernel.

http://fedoraproject.org/wiki/KernelBugTriage

I am CC'ing myself to this bug, however this version of Fedora is no longer
maintained.

Please attempt to reproduce this bug with a current version of Fedora (presently
Fedora 8). If the bug no longer exists, please close the bug or I'll do so in a
few days if there is no further information lodged.

Thanks for using Fedora!
Comment 8 Jon Stanley 2008-02-07 23:29:16 EST
Per the previous comment in this bug, I am closing it as INSUFFICIENT_DATA,
since no information has been lodged for over 30 days.

Please re-open this bug or file a new one if you can provide the requested data,
and thanks for filing the original report!

Note You need to log in before you can comment on or make changes to this bug.