Bug 231601 - Bluetooth HID use-after-free
Summary: Bluetooth HID use-after-free
Status: CLOSED DUPLICATE of bug 227893
Alias: None
Product: Fedora
Classification: Fedora
Component: kernel
Version: rawhide
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Kernel Maintainer List
QA Contact: Brian Brock
Depends On:
Blocks: FC7Blocker
Reported: 2007-03-09 13:14 UTC by David Woodhouse
Modified: 2007-11-30 22:11 UTC (History)

Clone Of:
Last Closed: 2007-03-09 22:16:07 UTC

Attachments

Description David Woodhouse 2007-03-09 13:14:08 UTC
When my Bluetooth mouse disconnects and reconnects (as it does from time to
time), I sometimes see this crash. I cannot reproduce this by turning the mouse
off and on.

PM: Removing info for bluetooth:acl000A94C07E17
Unable to handle kernel paging request for data at address 0x6b6b6b6b
Oops: Kernel access of bad area, sig: 11 [#1]

Modules linked in: radeon(U) drm(U) hidp(U) hci_usb(U) rfcomm(U) l2cap(U) bluetooth(U) arc4(U) ecb(U) blkcipher(U) ieee80211_crypt_wep(U) ipv6(U) nls_utf8(U) hfsplus(U) dm_mirror(U) dm_mod(U) therm_adt746x(U) parport_pc(U) lp(U) parport(U) snd_aoa_i2sbus(U) bcm43xx(U) ieee80211softmac(U) snd_powermac(U) snd_seq_dummy(U) ieee80211(U) snd_seq_oss(U) snd_seq_midi_event(U) snd_seq(U) snd_seq_device(U) ieee80211_crypt(U) sungem(U) snd_pcm_oss(U) snd_mixer_oss(U) sungem_phy(U) snd_pcm(U) snd_timer(U) snd_page_alloc(U) snd(U) soundcore(U) snd_aoa_soundbus(U) ide_cd(U) cdrom(U) fw_ohci(U) fw_core(U) ext3(U) jbd(U) mbcache(U) ehci_hcd(U) ohci_hcd(U) uhci_hcd(U)
NIP: C001890C LR: C012C760 CTR: C01CCEBC
REGS: ef65fdb0 TRAP: 0300   Not tainted  (2.6.20-1.2967.fc7)
MSR: 00009032 <EE,ME,IR,DR>  CR: 22000224  XER: 20000000
DAR: 6B6B6B6B, DSISR: 40000000
TASK = c0e0ecf0[2599] 'khidpd_00000000' THREAD: ef65e000
GPR00: 6B6B6B6B EF65FE60 C0E0ECF0 6B6B6B6B 6B6B6B6A C1C57D3C 0000001A ED22EECE 
GPR08: 000007AA 00000014 FFFFFFFF 00000005 00000000 2002160C 22204422 00000000 
GPR16: 00000000 7FE59006 00000003 C1C57D24 00000000 C1F03ED8 C037AEB8 ED22EE78 
GPR24: C0369F0C ED22EECE 0000001A 000007AA 00000001 C0F7E728 C0F7E728 000000D0 
NIP [C001890C] strlen+0x4/0x18
LR [C012C760] kobject_get_path+0x34/0xc4
Call Trace:
[EF65FE60] [C0092884] __kmalloc_track_caller+0x144/0x164 (unreliable)
[EF65FE80] [C01CCF04] class_uevent+0x48/0x1c0
[EF65FEC0] [C012CED8] kobject_uevent_env+0x278/0x490
[EF65FF10] [C01CC6A0] class_device_del+0x178/0x1a0
[EF65FF30] [C01CC6E0] class_device_unregister+0x18/0x30
[EF65FF50] [C021DD38] input_unregister_device+0x13c/0x178
[EF65FF70] [C023EF3C] hidinput_disconnect+0x2c/0x60
[EF65FF90] [F27B1B50] hidp_session+0x550/0x584 [hidp]
[EF65FFF0] [C0013F7C] kernel_thread+0x44/0x60
Instruction dump:
4082fff4 4e800020 38a3ffff 3884ffff 8c650001 2c830000 8c040001 7c601851 
4d860020 4182ffec 4e800020 3883ffff <8c040001> 2c000000 4082fff8 7c632050 
0xc01ccf04 is in class_uevent (drivers/base/class.c:388).
383                     return 0;
385             /* add device, backing this class device (deprecated) */
386             path = kobject_get_path(&dev->kobj, GFP_KERNEL);
388             add_uevent_var(envp, num_envp, cur_index, buffer, buffer_size,
389                            cur_len, "PHYSDEVPATH=%s", path);
390             kfree(path);
392             if (dev->bus)

Reverting commits f5ffd4620aba9e55656483ae1ef5c79ba81f5403 and
e1aaadd4d8162a2c33e41dd5a72234ea4d3b014f doesn't make a difference (except a
cosmetic one to the backtrace, of course).

I think this started happening in 2.6.19-1.2914, when we enabled
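The faulting address 0x6b6b6b6b in the oops above is the slab debug poison byte POISON_FREE (0x6b, from include/linux/poison.h) repeated across a 32-bit pointer: the HID input device's memory had already been freed when hidinput_disconnect() dereferenced it, which is what makes this a use-after-free rather than a random bad pointer. The following triage helper is an added example and not part of this bug report or of the kernel; it scans the register and fault-address fields of an oops for values that match the slab poison patterns and names the likely memory error. The function names and the tolerance for small offsets (so that GPR04 = 0x6B6B6B6A, a poisoned pointer after strlen's pointer arithmetic, is still flagged) are the example's own assumptions; the sample oops lines are excerpted from the report above.

```python
import re

# Slab poison bytes as defined in include/linux/poison.h (real kernel constants).
POISON_BYTES = {
    0x6b: "POISON_FREE: object already freed (use-after-free)",
    0x5a: "POISON_INUSE: object allocated but never initialised",
    0xa5: "POISON_END: read past the end of an object",
}

# Assumption of this example: a value within a few bytes of a repeated poison
# pattern is still treated as poison, since faulting code often adds a small
# offset (a struct member, a string index) to the stale pointer first.
POISON_SLACK = 16


def poison_kind(value, width=4):
    """Return the poison description for a `width`-byte register value, or None."""
    for byte, desc in POISON_BYTES.items():
        pattern = int.from_bytes(bytes([byte]) * width, "big")
        if abs(value - pattern) <= POISON_SLACK:
            return desc
    return None


def scan_oops(text):
    """Find oops fields whose value looks like slab poison.

    Handles the PowerPC layout shown in the report: 'DAR: xxxxxxxx', a
    'paging request for data at address 0x...' line, and 'GPRnn:' rows that
    list eight consecutive registers starting at nn.
    """
    findings = []
    for line in text.splitlines():
        gpr = re.match(r"\s*GPR(\d+):\s*(.*)", line)
        if gpr:
            base = int(gpr.group(1))
            for i, tok in enumerate(gpr.group(2).split()):
                desc = poison_kind(int(tok, 16))
                if desc:
                    findings.append(("GPR%02d" % (base + i), int(tok, 16), desc))
            continue
        for name, val in re.findall(r"\b(DAR|NIP|LR|CTR):\s*([0-9A-Fa-f]{8})", line):
            desc = poison_kind(int(val, 16))
            if desc:
                findings.append((name, int(val, 16), desc))
        addr = re.search(r"at address (0x[0-9A-Fa-f]+)", line)
        if addr:
            desc = poison_kind(int(addr.group(1), 16))
            if desc:
                findings.append(("fault-address", int(addr.group(1), 16), desc))
    return findings


def verdict(findings):
    """Summarise the findings as a one-line triage hint."""
    kinds = {desc.split(":")[0] for _, _, desc in findings}
    if "POISON_FREE" in kinds:
        return "use-after-free (freed slab object dereferenced)"
    if "POISON_INUSE" in kinds:
        return "uninitialised slab object"
    if "POISON_END" in kinds:
        return "slab object overrun"
    return "no slab poison pattern seen"


# Lines excerpted from the oops in this report.
SAMPLE_OOPS = """\
Unable to handle kernel paging request for data at address 0x6b6b6b6b
DAR: 6B6B6B6B, DSISR: 40000000
GPR00: 6B6B6B6B EF65FE60 C0E0ECF0 6B6B6B6B 6B6B6B6A C1C57D3C 0000001A ED22EECE
GPR08: 000007AA 00000014 FFFFFFFF 00000005 00000000 2002160C 22204422 00000000
"""

if __name__ == "__main__":
    hits = scan_oops(SAMPLE_OOPS)
    for name, value, desc in hits:
        print("%-14s 0x%08x  %s" % (name, value, desc))
    print("verdict:", verdict(hits))
```

Run against the excerpt it flags the fault address, DAR, GPR00, GPR03 and GPR04 as POISON_FREE; GPR04 is caught only because of the slack. A poison value in DAR or a pointer register is strong evidence of a use-after-free, but it only appears when the kernel was built with slab debugging enabled, which is why the same bug on a production kernel tends to show up as a seemingly random address instead.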

Comment 1 Pete Zaitcev 2007-03-09 19:15:21 UTC
This looks like a dup of bug 227893. I looked at it briefly, but the code is
somewhat involved.

Comment 2 David Woodhouse 2007-03-09 22:16:07 UTC

*** This bug has been marked as a duplicate of 227893 ***
