rfcomm oops in 2.5.74

rfcomm oops in 2.5.74

[Dagfinn Ilmari Mannsåker]

Hi,

Calling socket(PF_BLUETOOTH, SOCK_RAW, BTPROTO_RFCOMM) on 2.5.74
segfaults and gives the below oops. module.h:297 is
BUG_ON(module_refcount(module) == 0) in __module_get(), which is called
from rfcomm_sock_alloc() via sk_set_owner().

kernel BUG at include/linux/module.h:297!
invalid operand: 0000 [#4]
CPU:    0
EIP:    0060:[<e0a48104>]    Not tainted
EFLAGS: 00010246
EIP is at rfcomm_sock_alloc+0x107/0x121 [rfcomm]
eax: 00000000   ebx: d3e5ab00   ecx: da30c680   edx: d3e5ab00
esi: 000000d0   edi: 00000001   ebp: ffffff9f   esp: d53c5ef8
ds: 007b   es: 007b   ss: 0068
Process rfcomm (pid: 10709, threadinfo=d53c4000 task=da2a2d80)
Stack: e0a4d880 00000003 00000008 000000d0 fffffff4 ffffffa3 e0a48168 da30c680 
       00000003 000000d0 00000003 e0a320e8 da30c680 00000003 0000001f da30c680 
       00000001 c021ddbf da30c680 00000003 00000000 00000001 d53c5f90 00000000 
Call Trace:
 [<e0a48168>] rfcomm_sock_create+0x4a/0x6a [rfcomm]
 [<e0a320e8>] bt_sock_create+0x8e/0x10f [bluetooth]
 [<c021ddbf>] sock_create+0xce/0x263
 [<c021df7f>] sys_socket+0x2b/0x5b
 [<c021eee0>] sys_socketcall+0x89/0x28c
 [<c010911b>] syscall_call+0x7/0xb

Code: 0f 0b 29 01 09 b0 a4 e0 e9 52 ff ff ff 0f 0b cb 01 20 b0 a4 

The relevant loaded modules are:

Module                  Size  Used by
rfcomm                 35484  0 
l2cap                  22404  3 rfcomm
bluetooth              43108  7 rfcomm,l2cap

And the relevant config options are:

#
# Bluetooth support
#
CONFIG_BT=m
CONFIG_BT_L2CAP=m
CONFIG_BT_SCO=m
CONFIG_BT_RFCOMM=m
CONFIG_BT_RFCOMM_TTY=y
CONFIG_BT_BNEP=m
CONFIG_BT_BNEP_MC_FILTER=y
CONFIG_BT_BNEP_PROTO_FILTER=y

#
# Bluetooth device drivers
#
CONFIG_BT_HCIUSB=m
CONFIG_BT_USB_SCO=y
# CONFIG_BT_USB_ZERO_PACKET is not set
CONFIG_BT_HCIUART=m
CONFIG_BT_HCIUART_H4=y
CONFIG_BT_HCIUART_BCSP=y
# CONFIG_BT_HCIUART_BCSP_TXCRC is not set
CONFIG_BT_HCIDTL1=m
CONFIG_BT_HCIBT3C=m
CONFIG_BT_HCIBLUECARD=m
CONFIG_BT_HCIBTUART=m
CONFIG_BT_HCIVHCI=m

-- 
ilmari

Re: [Bluez-devel] rfcomm oops in 2.5.74

[Aurelien Minet]

Hi Dagfinn


> Calling socket(PF_BLUETOOTH, SOCK_RAW, BTPROTO_RFCOMM) on 2.5.74
> segfaults and gives the below oops. module.h:297 is
> BUG_ON(module_refcount(module) == 0) in __module_get(), which is called
> from rfcomm_sock_alloc() via sk_set_owner().

I don't know for 2.5.xx  but for 2.4.xx in order to use RFCOMM protocol 
you must use a SOCK_STREAM and not SOCK_RAW socket type.
(SOCK_RAW is for HCI , SOCK_SEQPACKET & SOCK_DGRAM for L2cap)
I think it must return an error instead of making a segfault, in this 
way it is a bug.


Regards

Aurelien

Re: [Bluez-devel] rfcomm oops in 2.5.74

[Dagfinn Ilmari Mannsåker]

Aurelien Minet <a.minet@prim-time.fr> writes:

Hi Aurelien, and thanks for the quick response.

>> Calling socket(PF_BLUETOOTH, SOCK_RAW, BTPROTO_RFCOMM) on 2.5.74
>> segfaults and gives the below oops. module.h:297 is
>> BUG_ON(module_refcount(module) == 0) in __module_get(), which is called
>> from rfcomm_sock_alloc() via sk_set_owner().
>
> I don't know for 2.5.xx  but for 2.4.xx in order to use RFCOMM protocol
> you must use a SOCK_STREAM and not SOCK_RAW socket type.
> (SOCK_RAW is for HCI , SOCK_SEQPACKET & SOCK_DGRAM for L2cap)
> I think it must return an error instead of making a segfault, in this
> way it is a bug.

I noticed it when rfcomm(1) segfaulted and caused the oops on startup,
so I straced it. The strace output is:

  [linking stuff snipped]
  socket(0x1f /* PF_??? */, SOCK_RAW, 3 <unfinished ...>
  +++ killed by SIGSEGV +++

According to <net/bluetooth/bluetooth.h> 0x1f is PF_BLUETOOTH and 3 is
PTPROTO_RFCOMM. Looking at the source, rfcomm(1) uses SOCK_RAW for the
RFCOMM control socket (for ioctls: RFCOMMGETDEVLIST, RFCOMMCREATEDEV,
RFCOMMRELEASEDEV, RFCOMMGETDEVINFO), and SOCK_STREAM for the data
sockets.

What is the correct way of doing these ioctls on 2.5 if not against a
SOCK_RAW socket?

-- 
ilmari

Re: rfcomm oops in 2.5.74

[Dagfinn Ilmari Mannsåker]

ilmari@ilmari.org (Dagfinn Ilmari Mannsåker) writes:

> Calling socket(PF_BLUETOOTH, SOCK_RAW, BTPROTO_RFCOMM) on 2.5.74
> segfaults and gives the below oops. module.h:297 is
> BUG_ON(module_refcount(module) == 0) in __module_get(), which is called
> from rfcomm_sock_alloc() via sk_set_owner().

It turns out that net/bluetooth/rfcomm/sock.c (and
net/bluetooth/hci_sock.c) had been left out when net_proto_family gained
an owner field, here's a patch that fixes them both. Now I can transfer
pictures from my phone over OBEX Object Push again :)

--- net/bluetooth/rfcomm/sock.c~	2003-07-02 22:50:14.000000000 +0200
+++ net/bluetooth/rfcomm/sock.c	2003-07-04 05:24:15.000000000 +0200
@@ -878,6 +878,7 @@
 
 static struct net_proto_family rfcomm_sock_family_ops = {
 	.family		= PF_BLUETOOTH,
+	.owner		= THIS_MODULE,
 	.create		= rfcomm_sock_create
 };
 
--- net/bluetooth/hci_sock.c~	2003-07-02 22:49:11.000000000 +0200
+++ net/bluetooth/hci_sock.c	2003-07-04 05:24:54.000000000 +0200
@@ -632,6 +632,7 @@
 
 struct net_proto_family hci_sock_family_ops = {
 	.family = PF_BLUETOOTH,
+	.owner	= THIS_MODULE,
 	.create = hci_sock_create,
 };
 

-- 
ilmari

Re: [Bluez-devel] rfcomm oops in 2.5.74

[Aurelien Minet]

Hi Dagfinn


> I noticed it when rfcomm(1) segfaulted and caused the oops on startup,
> so I straced it. The strace output is:
> 
>   [linking stuff snipped]
>   socket(0x1f /* PF_??? */, SOCK_RAW, 3 <unfinished ...>
>   +++ killed by SIGSEGV +++
> 
> According to <net/bluetooth/bluetooth.h> 0x1f is PF_BLUETOOTH and 3 is
> PTPROTO_RFCOMM. Looking at the source, rfcomm(1) uses SOCK_RAW for the
> RFCOMM control socket (for ioctls: RFCOMMGETDEVLIST, RFCOMMCREATEDEV,
> RFCOMMRELEASEDEV, RFCOMMGETDEVINFO), and SOCK_STREAM for the data
> sockets.
> 
> What is the correct way of doing these ioctls on 2.5 if not against a
> SOCK_RAW socket?
Yes, the use of iotcl need SOCK_RAW socket. But I am not aware about 
iotcl with RFCOMM (just whit HCI) and even less under 2.5 .
But I saw in 2.4 that it is for the TTY RFCOMM module, I think it should 
only  be used in this module.
If it is while your are using TTY over bluetooth, ask Marcel and Max on 
Bluez List they can help you much more than me.

Sorry for the lack of help


Aurelien

Re: [Bluez-devel] Re: rfcomm oops in 2.5.74

[Max Krasnyansky]

At 09:04 PM 7/3/2003, Dagfinn Ilmari Mannsåker wrote:
>ilmari@ilmari.org (Dagfinn Ilmari Mannsåker) writes:
>
>> Calling socket(PF_BLUETOOTH, SOCK_RAW, BTPROTO_RFCOMM) on 2.5.74
>> segfaults and gives the below oops. module.h:297 is
>> BUG_ON(module_refcount(module) == 0) in __module_get(), which is called
>> from rfcomm_sock_alloc() via sk_set_owner().
>
>It turns out that net/bluetooth/rfcomm/sock.c (and
>net/bluetooth/hci_sock.c) had been left out when net_proto_family gained
>an owner field, here's a patch that fixes them both. Now I can transfer
>pictures from my phone over OBEX Object Push again :)
HCI socket doesn't need an owner field. But RFCOMM does I'll fix that.

Thanks for the patch
Max