1. 26 Oct, 2015 2 commits
  2. 25 Oct, 2015 4 commits
    • Kuba Pawlak's avatar
      Bluetooth: Fix locking issue during fast SCO reconnection. · 1da5537e
      Kuba Pawlak authored
      When SCO connection is requested and disconnected fast, there is a change
      that sco_sock_shutdown is going to preempt thread started in sco_connect_cfm.
      When this happens struct sock sk may be removed but a pointer to it is still
      held in sco_conn_ready, where embedded spinlock is used. If it is used, but
      struct sock has been removed, it will crash.
      
      Block connection object, which will prevent struct sock from being removed
      and give connection process chance to finish.
      
      BUG: spinlock bad magic on CPU#0, kworker/u:2H/319
       lock: 0xe3e99434, .magic: f3000000, .owner: (���/0, .owner_cpu: -203804160
      Pid: 319, comm: kworker/u:2H Tainted: G           O 3.8.0-115.1-plk-adaptation-byt-ivi-brd #1
      Call Trace:
       [<c1155659>] ? do_raw_spin_lock+0x19/0xe9
       [<fb75354f>] ? sco_connect_cfm+0x92/0x236 [bluetooth]
       [<fb731dbc>] ? hci_sync_conn_complete_evt.clone.101+0x18b/0x1cb [bluetooth]
       [<fb734ee7>] ? hci_event_packet+0x1acd/0x21a6 [bluetooth]
       [<c1041095>] ? finish_task_switch+0x50/0x89
       [<c1349a2e>] ? __schedule+0x638/0x6b8
       [<fb727918>] ? hci_rx_work+0xb9/0x2b8 [bluetooth]
       [<c103760a>] ? queue_delayed_work_on+0x21/0x2a
       [<c1035df9>] ? process_one_work+0x157/0x21b
       [<fb72785f>] ? hci_cmd_work+0xef/0xef [bluetooth]
       [<c1036217>] ? worker_thread+0x16e/0x20a
       [<c10360a9>] ? manage_workers+0x1cf/0x1cf
       [<c103a0ef>] ? kthread+0x8d/0x92
       [<c134adf7>] ? ret_from_kernel_thread+0x1b/0x28
       [<c103a062>] ? __init_kthread_worker+0x24/0x24
      BUG: unable to handle kernel NULL pointer dereference at   (null)
      IP: [<  (null)>]   (null)
      *pdpt = 00000000244e1001 *pde = 0000000000000000
      Oops: 0010 [#1] PREEMPT SMP
      Modules linked in: evdev ecb rfcomm(O) libcomposite usb2380 udc_core bnep(O) btusb(O) btbcm(O) cdc_acm btintel(O) bluetooth(O) arc4 uinput hid_multitouch usbhid hid iwlmvm(O)e
      Pid: 319, comm: kworker/u:2H Tainted: G           O 3.8.0-115.1-plk-adaptation-byt-ivi-brd #1
      EIP: 0060:[<00000000>] EFLAGS: 00010246 CPU: 0
      EIP is at 0x0
      EAX: e3e99400 EBX: e3e99400 ECX: 00000100 EDX: 00000000
      ESI: e3e99434 EDI: fb763ce0 EBP: e49b9e44 ESP: e49b9e14
       DS: 007b ES: 007b FS: 00d8 GS: 0000 SS: 0068
      CR0: 8005003b CR2: 00000000 CR3: 24444000 CR4: 001007f0
      DR0: 00000000 DR1: 00000000 DR2: 00000000 DR3: 00000000
      DR6: ffff0ff0 DR7: 00000400
      Process kworker/u:2H (pid: 319, ti=e49b8000 task=e4ab9030 task.ti=e49b8000)
      Stack:
       fb75355b 00000246 fb763900 22222222 22222222 22222222 e3f94460 e3ca7c0a
       e49b9e4c e3f34c00 e3ca7c0a fb763ce0 e49b9e6c fb731dbc 02000246 e4cec85c
       e4cec008 00000000 e3f34c00 e4cec000 e3c2ce00 0000002c e49b9ed0 fb734ee7
      Call Trace:
       [<fb75355b>] ? sco_connect_cfm+0x9e/0x236 [bluetooth]
       [<fb731dbc>] ? hci_sync_conn_complete_evt.clone.101+0x18b/0x1cb [bluetooth]
       [<fb734ee7>] ? hci_event_packet+0x1acd/0x21a6 [bluetooth]
       [<c1041095>] ? finish_task_switch+0x50/0x89
       [<c1349a2e>] ? __schedule+0x638/0x6b8
       [<fb727918>] ? hci_rx_work+0xb9/0x2b8 [bluetooth]
       [<c103760a>] ? queue_delayed_work_on+0x21/0x2a
       [<c1035df9>] ? process_one_work+0x157/0x21b
       [<fb72785f>] ? hci_cmd_work+0xef/0xef [bluetooth]
       [<c1036217>] ? worker_thread+0x16e/0x20a
       [<c10360a9>] ? manage_workers+0x1cf/0x1cf
       [<c103a0ef>] ? kthread+0x8d/0x92
       [<c134adf7>] ? ret_from_kernel_thread+0x1b/0x28
       [<c103a062>] ? __init_kthread_worker+0x24/0x24
      Code:  Bad EIP value.
      EIP: [<00000000>] 0x0 SS:ESP 0068:e49b9e14
      CR2: 0000000000000000
      ---[ end trace 942a6577c0abd725 ]---
      Signed-off-by: default avatarKuba Pawlak <kubax.t.pawlak@intel.com>
      Signed-off-by: default avatarMarcel Holtmann <marcel@holtmann.org>
      1da5537e
    • Kuba Pawlak's avatar
      Bluetooth: Fix locking issue on SCO disconnection · 435c5133
      Kuba Pawlak authored
      Thread handling SCO disconnection may get preempted in '__sco_sock_close'
      after dropping a reference to hci_conn but before marking this as NULL
      in associated struct sco_conn. When execution returs to this thread,
      this connection will possibly be released, resulting in kernel crash
      
      Lock connection before this point.
      
      BUG: unable to handle kernel NULL pointer dereference at   (null)
      IP: [<fb770ab9>] __sco_sock_close+0x194/0x1ff [bluetooth]
      *pdpt = 0000000023da6001 *pde = 0000000000000000
      Oops: 0002 [#1] PREEMPT SMP
      Modules linked in: evdev ecb rfcomm(O) libcomposite usb2380 udc_core bnep(O) btusb(O) btbcm(O) cdc_acm btintel(O) bluetooth(O) arc4 uinput hid_multitouch usbhid iwlmvm(O) hide
      Pid: 984, comm: bluetooth Tainted: G           O 3.8.0-115.1-plk-adaptation-byt-ivi-brd #1
      EIP: 0060:[<fb770ab9>] EFLAGS: 00010282 CPU: 2
      EIP is at __sco_sock_close+0x194/0x1ff [bluetooth]
      EAX: 00000000 EBX: e49d7600 ECX: ef1ec3c2 EDX: 000000c3
      ESI: e4c12000 EDI: 00000000 EBP: ef1edf5c ESP: ef1edf4c
       DS: 007b ES: 007b FS: 00d8 GS: 0033 SS: 0068
      CR0: 80050033 CR2: 00000000 CR3: 23da7000 CR4: 001007f0
      DR0: 00000000 DR1: 00000000 DR2: 00000000 DR3: 00000000
      DR6: ffff0ff0 DR7: 00000400
      Process bluetooth (pid: 984, ti=ef1ec000 task=e47f2550 task.ti=ef1ec000)
      Stack:
       e4c120d0 e49d7600 00000000 08421a40 ef1edf70 fb770b7a 00000002 e8a4cc80
       08421a40 ef1ec000 c12966b1 00000001 00000000 0000000b 084954c8 c1296b6c
       0000001b 00000002 0000001b 00000002 00000000 00000002 b2524880 00000046
      Call Trace:
       [<fb770b7a>] ? sco_sock_shutdown+0x56/0x95 [bluetooth]
       [<c12966b1>] ? sys_shutdown+0x37/0x53
       [<c1296b6c>] ? sys_socketcall+0x12e/0x1be
       [<c134ae7e>] ? sysenter_do_call+0x12/0x26
       [<c1340000>] ? ip_vs_control_net_cleanup+0x46/0xb1
      Code: e8 90 6b 8c c5 f6 05 72 5d 78 fb 04 74 17 8b 46 08 50 56 68 0a fd 77 fb 68 60 5d 78 fb e8 68 95 9e c5 83 c4 10 8b 83 fc 01 00 00 <c7> 00 00 00 00 00 eb 32 ba 68 00 00 0b
      EIP: [<fb770ab9>] __sco_sock_close+0x194/0x1ff [bluetooth] SS:ESP 0068:ef1edf4c
      CR2: 0000000000000000
      ---[ end trace 47fa2f55a9544e69 ]---
      Signed-off-by: default avatarKuba Pawlak <kubax.t.pawlak@intel.com>
      Signed-off-by: default avatarMarcel Holtmann <marcel@holtmann.org>
      435c5133
    • Kuba Pawlak's avatar
      Bluetooth: Fix crash on SCO disconnect · 75e34f5c
      Kuba Pawlak authored
      When disconnecting audio from the phone's side, it may happen, that
      a thread handling HCI message 'disconnection complete' will get preempted
      in 'sco_conn_del' before calling 'sco_sock_kill', still holding a pointer
      to struct sock sk. Interrupting thread started in 'sco_sock_shutdown' will
      carry on releasing resources and will eventually release struct sock.
      When execution goes back to first thread it will call sco_sock_kill using
      now invalid pointer to already destroyed socket.
      
      Fix is to grab a reference to the socket a release it after calling
      'sco_sock_kill'.
      
      [  166.358213] BUG: unable to handle kernel paging request at 7541203a
      [  166.365228] IP: [<fb6e8bfb>] bt_sock_unlink+0x1a/0x38 [bluetooth]
      [  166.372068] *pdpt = 0000000024b19001 *pde = 0000000000000000
      [  166.378483] Oops: 0002 [#1] PREEMPT SMP
      [  166.382871] Modules linked in: evdev ecb rfcomm(O) libcomposite usb2380 udc_core bnep(O) btusb(O) btbcm(O) btintel(O) cdc_acm bluetooth(O) arc4 uinput hid_multitouch iwlmvm(O) usbhid hide
      [  166.424233] Pid: 338, comm: kworker/u:2H Tainted: G           O 3.8.0-115.1-plk-adaptation-byt-ivi-brd #1
      [  166.435112] EIP: 0060:[<fb6e8bfb>] EFLAGS: 00010206 CPU: 0
      [  166.441259] EIP is at bt_sock_unlink+0x1a/0x38 [bluetooth]
      [  166.447382] EAX: 632e6563 EBX: e4bfc600 ECX: e466d4d3 EDX: 7541203a
      [  166.454369] ESI: fb7278ac EDI: e4d52000 EBP: e4669e20 ESP: e4669e0c
      [  166.461366]  DS: 007b ES: 007b FS: 00d8 GS: 0000 SS: 0068
      [  166.467391] CR0: 8005003b CR2: 7541203a CR3: 24aba000 CR4: 001007f0
      [  166.474387] DR0: 00000000 DR1: 00000000 DR2: 00000000 DR3: 00000000
      [  166.481375] DR6: ffff0ff0 DR7: 00000400
      [  166.485654] Process kworker/u:2H (pid: 338, ti=e4668000 task=e466e030 task.ti=e4668000)
      [  166.494591] Stack:
      [  166.496830]  e4bfc600 e4bfc600 fb715c28 e4717ee0 e4d52000 e4669e3c fb715cf3 e4bfc634
      [  166.505518]  00000068 e4d52000 e4c32000 fb7277c0 e4669e6c fb6f2019 0000004a 00000216
      [  166.514205]  e4660101 e4c32008 02000001 00000013 e4d52000 e4c32000 e3dc9240 00000005
      [  166.522891] Call Trace:
      [  166.525654]  [<fb715c28>] ? sco_sock_kill+0x73/0x9a [bluetooth]
      [  166.532295]  [<fb715cf3>] ? sco_conn_del+0xa4/0xbf [bluetooth]
      [  166.538836]  [<fb6f2019>] ? hci_disconn_complete_evt.clone.55+0x1bd/0x205 [bluetooth]
      [  166.547609]  [<fb6f73d3>] ? hci_event_packet+0x297/0x223c [bluetooth]
      [  166.554805]  [<c10416da>] ? dequeue_task+0xaf/0xb7
      [  166.560154]  [<c1041095>] ? finish_task_switch+0x50/0x89
      [  166.566086]  [<c1349a2e>] ? __schedule+0x638/0x6b8
      [  166.571460]  [<fb6eb906>] ? hci_rx_work+0xb9/0x2b8 [bluetooth]
      [  166.577975]  [<c1035df9>] ? process_one_work+0x157/0x21b
      [  166.583933]  [<fb6eb84d>] ? hci_cmd_work+0xef/0xef [bluetooth]
      [  166.590448]  [<c1036217>] ? worker_thread+0x16e/0x20a
      [  166.596088]  [<c10360a9>] ? manage_workers+0x1cf/0x1cf
      [  166.601826]  [<c103a0ef>] ? kthread+0x8d/0x92
      [  166.606691]  [<c134adf7>] ? ret_from_kernel_thread+0x1b/0x28
      [  166.613010]  [<c103a062>] ? __init_kthread_worker+0x24/0x24
      [  166.619230] Code: 85 63 ff ff ff 31 db 8d 65 f4 89 d8 5b 5e 5f 5d c3 56 8d 70 04 53 89 f0 89 d3 e8 7e 17 c6 c5 8b 53 28 85 d2 74 1a 8b 43 24 85 c0 <89> 02 74 03 89 50 04 c7 43 28 00 00 00
      [  166.640501] EIP: [<fb6e8bfb>] bt_sock_unlink+0x1a/0x38 [bluetooth] SS:ESP 0068:e4669e0c
      [  166.649474] CR2: 000000007541203a
      [  166.653420] ---[ end trace 0181ff2c9e42d51e ]---
      [  166.658609] note: kworker/u:2H[338] exited with preempt_count 1
      Signed-off-by: default avatarKuba Pawlak <kubax.t.pawlak@intel.com>
      Signed-off-by: default avatarMarcel Holtmann <marcel@holtmann.org>
      75e34f5c
    • Julia Lawall's avatar
      Bluetooth: btmrvl: add missing of_node_put · c0859e2f
      Julia Lawall authored
      for_each_compatible_node performs an of_node_get on each iteration, so
      a break out of the loop requires an of_node_put.
      
      A simplified version of the semantic patch that fixes this problem is as
      follows (http://coccinelle.lip6.fr):
      
      // <smpl>
      @@
      expression e;
      local idexpression n;
      @@
      
       for_each_compatible_node(n, ...) {
         ... when != of_node_put(n)
             when != e = n
      (
         return n;
      |
      +  of_node_put(n);
      ?  return ...;
      )
         ...
       }
      // </smpl>
      Signed-off-by: default avatarJulia Lawall <Julia.Lawall@lip6.fr>
      Signed-off-by: default avatarMarcel Holtmann <marcel@holtmann.org>
      c0859e2f
  3. 22 Oct, 2015 8 commits
    • Marcel Holtmann's avatar
      Bluetooth: Increase minor version of core module · 13972adc
      Marcel Holtmann authored
      With the addition of support for diagnostic feature, it makes sense to
      increase the minor version of the Bluetooth core module.
      
      The module version is not used anywhere, but it gives a nice extra
      hint for debugging purposes.
      Signed-off-by: default avatarMarcel Holtmann <marcel@holtmann.org>
      Signed-off-by: default avatarJohan Hedberg <johan.hedberg@intel.com>
      13972adc
    • Alexander Aring's avatar
      ieee802154: 6lowpan: fix memory leak · aeedebff
      Alexander Aring authored
      Looking at current situation of memory management in 6lowpan receive
      function I detected some invalid handling. After calling
      lowpan_invoke_rx_handlers we will do a kfree_skb and then NET_RX_DROP on
      error handling. We don't do this before, also on
      skb_share_check/skb_unshare which might manipulate the reference
      counters.
      
      After running some 'grep -r "dev_add_pack" net/' to look how others
      packet-layer receive callbacks works I detected that every subsystem do
      a kfree_skb, then NET_RX_DROP without calling skb functions which
      might manipulate the skb reference counters. This is the reason why we
      should do the same here like all others subsystems. I didn't find any
      documentation how the packet-layer receive callbacks handle NET_RX_DROP
      return values either.
      
      This patch will add a kfree_skb, then NET_RX_DROP handling for the
      "trivial checks", in case of skb_share_check/skb_unshare the kfree_skb
      call will be done inside these functions.
      Signed-off-by: default avatarAlexander Aring <alex.aring@gmail.com>
      Signed-off-by: default avatarMarcel Holtmann <marcel@holtmann.org>
      aeedebff
    • Johan Hedberg's avatar
      Bluetooth: Make hci_disconnect() behave correctly for all states · 88d07feb
      Johan Hedberg authored
      There are a few places that don't explicitly check the connection
      state before calling hci_disconnect(). To make this API do the right
      thing take advantage of the new hci_abort_conn() API and also make
      sure to only read the clock offset if we're really connected.
      Signed-off-by: default avatarJohan Hedberg <johan.hedberg@intel.com>
      Signed-off-by: default avatarMarcel Holtmann <marcel@holtmann.org>
      88d07feb
    • Johan Hedberg's avatar
      Bluetooth: Take advantage of connection abort helpers · 89e0ccc8
      Johan Hedberg authored
      Convert the various places mapping connection state to
      disconnect/cancel HCI command to use the new hci_abort_conn helper
      API.
      Signed-off-by: default avatarJohan Hedberg <johan.hedberg@intel.com>
      Signed-off-by: default avatarMarcel Holtmann <marcel@holtmann.org>
      89e0ccc8
    • Johan Hedberg's avatar
      Bluetooth: Introduce hci_req helper to abort a connection · dcc0f0d9
      Johan Hedberg authored
      There are several different places needing to make sure that a
      connection gets disconnected or canceled. The exact action needed
      depends on the connection state, so centralizing this logic can save
      quite a lot of code duplication.
      Signed-off-by: default avatarJohan Hedberg <johan.hedberg@intel.com>
      Signed-off-by: default avatarMarcel Holtmann <marcel@holtmann.org>
      dcc0f0d9
    • Dan Carpenter's avatar
      Bluetooth: hci_bcm: checking for ERR_PTR instead of NULL · a1857390
      Dan Carpenter authored
      bt_skb_alloc() returns NULL on error, it never returns an ERR_PTR.
      Signed-off-by: default avatarDan Carpenter <dan.carpenter@oracle.com>
      Signed-off-by: default avatarMarcel Holtmann <marcel@holtmann.org>
      a1857390
    • Johan Hedberg's avatar
      Bluetooth: Fix crash in SMP when unpairing · c81d555a
      Johan Hedberg authored
      When unpairing the keys stored in hci_dev are removed. If SMP is
      ongoing the SMP context will also have references to these keys, so
      removing them from the hci_dev lists will make the pointers invalid.
      This can result in the following type of crashes:
      
       BUG: unable to handle kernel paging request at 6b6b6b6b
       IP: [<c11f26be>] __list_del_entry+0x44/0x71
       *pde = 00000000
       Oops: 0000 [#1] PREEMPT SMP DEBUG_PAGEALLOC
       Modules linked in: hci_uart btqca btusb btintel btbcm btrtl hci_vhci rfcomm bluetooth_6lowpan bluetooth
       CPU: 0 PID: 723 Comm: kworker/u5:0 Not tainted 4.3.0-rc3+ #1379
       Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.8.1-20150318_183358- 04/01/2014
       Workqueue: hci0 hci_rx_work [bluetooth]
       task: f19da940 ti: f1a94000 task.ti: f1a94000
       EIP: 0060:[<c11f26be>] EFLAGS: 00010202 CPU: 0
       EIP is at __list_del_entry+0x44/0x71
       EAX: c0088d20 EBX: f30fcac0 ECX: 6b6b6b6b EDX: 6b6b6b6b
       ESI: f4b60000 EDI: c0088d20 EBP: f1a95d90 ESP: f1a95d8c
        DS: 007b ES: 007b FS: 00d8 GS: 0000 SS: 0068
       CR0: 8005003b CR2: 6b6b6b6b CR3: 319e5000 CR4: 00000690
       Stack:
        f30fcac0 f1a95db0 f82dc3e1 f1bfc000 00000000 c106524f f1bfc000 f30fd020
        f1a95dc0 f1a95dd0 f82dcbdb f1a95de0 f82dcbdb 00000067 f1bfc000 f30fd020
        f1a95de0 f1a95df0 f82d1126 00000067 f82d1126 00000006 f30fd020 f1bfc000
       Call Trace:
        [<f82dc3e1>] smp_chan_destroy+0x192/0x240 [bluetooth]
        [<c106524f>] ? trace_hardirqs_on_caller+0x14e/0x169
        [<f82dcbdb>] smp_teardown_cb+0x47/0x64 [bluetooth]
        [<f82dcbdb>] ? smp_teardown_cb+0x47/0x64 [bluetooth]
        [<f82d1126>] l2cap_chan_del+0x5d/0x14d [bluetooth]
        [<f82d1126>] ? l2cap_chan_del+0x5d/0x14d [bluetooth]
        [<f82d40ef>] l2cap_conn_del+0x109/0x17b [bluetooth]
        [<f82d40ef>] ? l2cap_conn_del+0x109/0x17b [bluetooth]
        [<f82c0205>] ? hci_event_packet+0x5b1/0x2092 [bluetooth]
        [<f82d41aa>] l2cap_disconn_cfm+0x49/0x50 [bluetooth]
        [<f82d41aa>] ? l2cap_disconn_cfm+0x49/0x50 [bluetooth]
        [<f82c0228>] hci_event_packet+0x5d4/0x2092 [bluetooth]
        [<c1332c16>] ? skb_release_data+0x6a/0x95
        [<f82ce5d4>] ? hci_send_to_monitor+0xe7/0xf4 [bluetooth]
        [<c1409708>] ? _raw_spin_unlock_irqrestore+0x44/0x57
        [<f82b3bb0>] hci_rx_work+0xf1/0x28b [bluetooth]
        [<f82b3bb0>] ? hci_rx_work+0xf1/0x28b [bluetooth]
        [<c10635a0>] ? __lock_is_held+0x2e/0x44
        [<c104772e>] process_one_work+0x232/0x432
        [<c1071ddc>] ? rcu_read_lock_sched_held+0x50/0x5a
        [<c104772e>] ? process_one_work+0x232/0x432
        [<c1047d48>] worker_thread+0x1b8/0x255
        [<c1047b90>] ? rescuer_thread+0x23c/0x23c
        [<c104bb71>] kthread+0x91/0x96
        [<c14096a7>] ? _raw_spin_unlock_irq+0x27/0x44
        [<c1409d61>] ret_from_kernel_thread+0x21/0x30
        [<c104bae0>] ? kthread_parkme+0x1e/0x1e
      
      To solve the issue, introduce a new smp_cancel_pairing() API that can
      be used to clean up the SMP state before touching the hci_dev lists.
      Signed-off-by: default avatarJohan Hedberg <johan.hedberg@intel.com>
      Signed-off-by: default avatarMarcel Holtmann <marcel@holtmann.org>
      c81d555a
    • Johan Hedberg's avatar
      Bluetooth: Disable auto-connection parameters when unpairing · fc64361a
      Johan Hedberg authored
      For connection parameters that are left around until a disconnection
      we should at least clear any auto-connection properties. This way a
      new Add Device call is required to re-set them after calling Unpair
      Device.
      Signed-off-by: default avatarJohan Hedberg <johan.hedberg@intel.com>
      Signed-off-by: default avatarMarcel Holtmann <marcel@holtmann.org>
      fc64361a
  4. 21 Oct, 2015 13 commits
  5. 20 Oct, 2015 13 commits