Bug 488115 - Bluetooth oops from hci_conn_del
Summary: Bluetooth oops from hci_conn_del
Keywords:
Status: CLOSED RAWHIDE
Alias: None
Product: Fedora
Classification: Fedora
Component: kernel
Version: rawhide
Hardware: x86_64
OS: Linux
Priority: low
Severity: medium
Target Milestone: ---
Assignee: Kernel Maintainer List
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Duplicates: 481678
Depends On:
Blocks:
 
Reported: 2009-03-02 18:58 UTC by Pete Zaitcev
Modified: 2009-03-28 19:32 UTC (History)
CC List: 5 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2009-03-06 01:46:59 UTC
Type: ---
Embargoed:


Attachments
The dmesg pre-captured before crash (37.48 KB, text/plain)
2009-03-02 18:58 UTC, Pete Zaitcev
The crash, over netconsole, same run as dmesg (9.50 KB, text/plain)
2009-03-02 18:59 UTC, Pete Zaitcev

Description Pete Zaitcev 2009-03-02 18:58:15 UTC
Created attachment 333774 [details]
The dmesg pre-captured before crash

Description of problem:

After pairing the earpiece, kernel oopses (GPF).

Version-Release number of selected component (if applicable):

2.6.29-0.148.rc6.fc11.x86_64

How reproducible:

100% (in the given configuration)

Steps to Reproduce:
1. Connect USB adapter
2. hcitool scan
3. hcitool cc MAC
4. Wait - it's not synchronous. Takes some idle time to happen.
5. Oops
  
Actual results:

Crash

Expected results:

No crash at least

Additional info:

Terminal trace:

[root@simbelmyne zaitcev]# hcitool dev
Devices:
        hci0    00:18:E7:36:30:3A
[root@simbelmyne zaitcev]# hcitool dev
Devices:
        hci0    00:18:E7:36:30:3A
[root@simbelmyne zaitcev]# hcitool scan
Scanning ...
        00:1A:0E:43:6D:5E       Motorola H350
[root@simbelmyne zaitcev]# hcitool cc 00:1A:0E:43:6D:5E
[root@simbelmyne zaitcev]# hcitool cc 00:1A:0E:43:6D:5E
[root@simbelmyne zaitcev]# 
 <--------------- crash at this point after some idle time

I've done hcitool cc twice here, but actually it happens with just
one too.

Comment 1 Pete Zaitcev 2009-03-02 18:59:19 UTC
Created attachment 333775 [details]
The crash, over netconsole, same run as dmesg

Comment 2 Chuck Ebbert 2009-03-02 22:45:26 UTC
   0:	49 8b 0c 24          	mov    (%r12),%rcx

r12 == 6b6b6b6b6b6b6b6b

Comment 3 Chuck Ebbert 2009-03-03 02:27:06 UTC
*** Bug 481678 has been marked as a duplicate of this bug. ***

Comment 4 Chuck Ebbert 2009-03-03 21:52:30 UTC
net/core/skbuff.c:1793:
        result = __skb_dequeue(list);

static inline struct sk_buff *__skb_dequeue(struct sk_buff_head *list)
{
        struct sk_buff *skb = skb_peek(list);
        if (skb)
                __skb_unlink(skb, list);
        return skb;
}

skb_peek() returns skb == 0x6b6b6b6b6b6b6b6b

static inline struct sk_buff *skb_peek(struct sk_buff_head *list_)
{
        struct sk_buff *list = ((struct sk_buff *)list_)->next;
        if (list == (struct sk_buff *)list_)
                list = NULL;
        return list;
}
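An added example (not code from this report or from the kernel tree) that models the list walk quoted in Comment 4 in userspace and shows why the r12 value from Comment 2, 6b6b6b6b6b6b6b6b, points at a use-after-free: 0x6b is the slab allocator's POISON_FREE fill byte (include/linux/poison.h), written over an object when it is freed with slab poisoning enabled, so a queue head whose next pointer is all 0x6b bytes was read from memory already returned to the allocator. The cut-down struct layouts, the looks_like_freed_slab helper and the memset standing in for a poisoned kfree() are constructed for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Cut-down model of the kernel's list layout (constructed for this example;
 * the real sk_buff carries many more fields). sk_buff_head must start with
 * next/prev so the kernel's "(struct sk_buff *)list" cast lines up. */
struct sk_buff {
    struct sk_buff *next;
    struct sk_buff *prev;
    int id;
};

struct sk_buff_head {
    struct sk_buff *next;
    struct sk_buff *prev;
    uint32_t qlen;
};

/* Byte the slab allocator writes over a freed object when poisoning is on.
 * A pointer made entirely of this byte was loaded from already-freed memory,
 * which is what r12 == 6b6b6b6b6b6b6b6b in the oops shows. */
#define POISON_FREE 0x6b

static void skb_queue_head_init(struct sk_buff_head *list)
{
    list->prev = list->next = (struct sk_buff *)list;
    list->qlen = 0;
}

static void __skb_queue_tail(struct sk_buff_head *list, struct sk_buff *newsk)
{
    struct sk_buff *prev = list->prev;
    newsk->next = (struct sk_buff *)list;
    newsk->prev = prev;
    prev->next = newsk;
    list->prev = newsk;
    list->qlen++;
}

/* Same logic as the kernel's skb_peek quoted in Comment 4. */
static struct sk_buff *skb_peek(struct sk_buff_head *list_)
{
    struct sk_buff *list = ((struct sk_buff *)list_)->next;
    if (list == (struct sk_buff *)list_)
        list = NULL;
    return list;
}

static void __skb_unlink(struct sk_buff *skb, struct sk_buff_head *list)
{
    struct sk_buff *next = skb->next, *prev = skb->prev;
    list->qlen--;
    next->prev = prev;
    prev->next = next;
    skb->next = skb->prev = NULL;
}

static struct sk_buff *__skb_dequeue(struct sk_buff_head *list)
{
    struct sk_buff *skb = skb_peek(list);
    if (skb)
        __skb_unlink(skb, list);
    return skb;
}

/* Returns 1 when every byte of the pointer value is POISON_FREE. */
int looks_like_freed_slab(const void *p)
{
    uintptr_t v = (uintptr_t)p;
    for (size_t i = 0; i < sizeof v; i++)
        if (((v >> (8 * i)) & 0xff) != POISON_FREE)
            return 0;
    return 1;
}

/* Normal path: two buffers queued, one dequeued. Returns first id * 10 + qlen. */
int healthy_dequeue(void)
{
    struct sk_buff_head q;
    struct sk_buff a = { .id = 1 }, b = { .id = 2 };
    skb_queue_head_init(&q);
    __skb_queue_tail(&q, &a);
    __skb_queue_tail(&q, &b);
    struct sk_buff *first = __skb_dequeue(&q);
    return first->id * 10 + (int)q.qlen;   /* 11 */
}

/* The report's failure mode: the object holding the queue head is freed and
 * poisoned, then peeked anyway. The memset stands in for kfree()+SLAB_POISON;
 * the buffer is only really freed afterwards so the read stays well-defined.
 * Returns 1 when skb_peek hands back a poison pointer, the value the oops
 * then tried to dereference. */
int simulate_use_after_free(void)
{
    struct sk_buff_head *q = malloc(sizeof *q);
    struct sk_buff skb = { .id = 1 };
    if (!q)
        return -1;
    skb_queue_head_init(q);
    __skb_queue_tail(q, &skb);
    memset(q, POISON_FREE, sizeof *q);       /* simulated poisoned free */
    int poisoned = looks_like_freed_slab(skb_peek(q));
    free(q);
    return poisoned;
}

int main(void)
{
    printf("healthy dequeue: %d\n", healthy_dequeue());
    printf("peek on freed queue head is poisoned: %d\n", simulate_use_after_free());
    return 0;
}
```

The check in looks_like_freed_slab is the same test a reader applies by eye to the register dump: a pointer of all 0x6b bytes is not a bad address the caller computed, it is the allocator's free-pattern, so the object containing the list head (here the connection's queue) was released before the dequeue ran.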

Comment 5 Chuck Ebbert 2009-03-03 22:53:28 UTC
reported upstream:
http://marc.info/?l=linux-netdev&m=123612024109003&w=2

Comment 6 Bastien Nocera 2009-03-04 18:49:36 UTC
Could this be related as well?
http://thread.gmane.org/gmane.linux.bluez.kernel/1549

Comment 7 Chuck Ebbert 2009-03-05 23:15:40 UTC
The bluetooth patches have been rebased in kernel 0.207, can you try this again?

Comment 8 Pete Zaitcev 2009-03-06 01:46:59 UTC
2.6.29-0.207.rc7.fc11 seems to work ok (I've not gotten the headset to
work, but there's no crash anymore). Rawhide is on .197, I pulled .207
from Koji to test. Closing.

Comment 9 James 2009-03-28 19:32:43 UTC
I've seen some lockups after finishing with Bluetooth on kernel-2.6.29-3.fc10.x86_64, have the patches made it into this kernel?

