
[bluetooth-dev] Bug in the stack?



Hello,

As Juha Nikkanen tells in his message below, the Axis OpenBT stack (in
kernel mode) crashes when a client suddenly disconnects from it (the physical
link is cut off).
This crash does not occur every time, especially when we run the stack on a
slower computer.
I really wonder if anyone else has not had this problem.

Anyway, we have found a possible cause for this crash.

Our conclusion is that the stack crashes because the function
tty_hangup(upper_tty) is called twice, and both times the line of that
upper_tty is the same.
Thus, the second call causes the crash. (I have marked both calls in Juha's
message below.)

Here is a path for the first call of tty_hangup:

HCI-event 'disconnection complete' occurs ------> process_event()
---calls---> lp_disconnect_ind() ---calls---> rfcomm_disconnect_ind()
---calls---> bt_unregister_rfcomm() ---calls---> bt_hangupline()
---calls---> tty_hangup(upper_tty)

And here for the second call:

line discipline ? ---calls---> bt_tty_close() ---calls--->
tty_hangup(upper_tty)

In function bt_tty_close(), there is the following condition (parentheses
balanced here as in the source; the original mail dropped one):

if ((SESSIONSTATE(line) == BT_ACTIVE) ||
    (SESSIONSTATE(line) == BT_UPPERCONNECTED))

SESSIONSTATE(line) is a macro that handles a variable called
bt_ctrl.session[line].state
I think that condition is intended to prevent hanging up a tty twice.
Thus, SESSIONSTATE(line) should be neither BT_ACTIVE nor
BT_UPPERCONNECTED, because the tty_hangup() is already done.

So, it seems that the handling of the SESSIONSTATE(line)-variable fails
before bt_tty_close() is called.
That variable is handled in function bt_unregister_rfcomm(). In this
function, SESSIONSTATE(line) is changed either from BT_ACTIVE to
BT_UPPERCONNECTED or from BT_LOWERCONNECTED to BT_INACTIVE.

In this case, before bt_unregister_rfcomm() is called, the value of
SESSIONSTATE(line) is BT_ACTIVE. Thus the value is changed to
BT_UPPERCONNECTED in function bt_unregister_rfcomm().

Within bt_unregister_rfcomm(), after the value of SESSIONSTATE(line) is
handled, function bt_hangupline() is called. And bt_hangupline() then calls
tty_hangup(upper_tty). After bt_hangupline is called, the value of
SESSIONSTATE(line) should not be BT_UPPERCONNECTED anymore. But it is. And
that is why bt_tty_close() calls tty_hangup() again.

So, how to fix it? One possible way is just to add a line

	SESSIONSTATE(line)=BT_INACTIVE;

below the line

	bt_hangupline(line);

in function bt_unregister_rfcomm()

And then the stack behaves properly even when the client is disconnected by
cutting off the physical link.

On the other hand, I don't know how much this 'fix' breaks other things in the
stack.
At least the module usage count doesn't work properly after this fix (I don't
know if it worked before either).

Any comments are welcome.

br,

Jussi Utunen,
Elektrobit oy




Here is Juha's message:

Hi!

I have some problems when I operate the Axis OpenBT
stack with Linux 2.2.19. Module bt.o compiles OK
and loads OK. But under some circumstances the module
hangs up in a way that it does not function anymore.
This can happen when the client device moves out of
radio coverage or the client cycles power off.
I'd like to know if somebody has had similar
problems?

  Nikke
  juha.nikkanen@xxxxxxx.fi

Following is a shortened log:
....
May 22 15:18:16 foobar kernel: PPP Deflate Compression module registered 
May 22 15:18:16 foobar pppd[3025]: Cannot determine ethernet address for
proxy ARP
May 22 15:18:16 foobar pppd[3025]: local  IP address xxx.xxx.xxx.xxx
May 22 15:18:16 foobar pppd[3025]: remote IP address yyy.yyy.yyy.yyy
//
// Until this point, the connection has been
// successful. But then the client device
// suddenly cycles power off and the connection dies.
// This has also happened when the client moves
// out of radio coverage.
//
May 22 15:21:34 foobar pppd[3025]: Modem hangup
May 22 15:21:34 foobar pppd[3025]: Connection terminated.
May 22 15:21:34 foobar pppd[3025]: Connect time 3.4 minutes.
May 22 15:21:34 foobar pppd[3025]: Sent 912 bytes, received 510 bytes.
May 22 15:21:34 foobar kernel: BT SYS: process_event, DISCONNECTION_COMPLETE
Connection Timeout 
May 22 15:21:34 foobar kernel: BT SYS: lp_disconnect_ind : Connection handle
1 disconnected 
May 22 15:21:34 foobar kernel: BT SYS: closing l2cap con (64,65) 
May 22 15:21:34 foobar kernel: BT SYS: Baseband is down, reset this RFCOMM
session 
May 22 15:21:34 foobar kernel: BT (driver) bt_unregister_rfcomm : line 0 
May 22 15:21:34 foobar kernel: BT (driver) Upper tty still open... 
May 22 15:21:34 foobar kernel: BT (driver) bt_hangupline : hanging up line 0
<-------------------------here's the first call

May 22 15:21:34 foobar kernel: BT (driver) bt_disconnect_ind : RFCOMM dlci :
0 
May 22 15:21:34 foobar kernel: BT SYS: l2cap channel (64,65) [RFCOMM]
disconnected 
May 22 15:21:34 foobar kernel: BT (driver) bt_flush_buffer, ignored 
May 22 15:21:34 foobar kernel: BT (driver) bt_hangup on line 0 (nothing
done) pid 0 (swapper) 
May 22 15:21:34 foobar kernel: BT (driver) bt_close on line 0 
May 22 15:21:34 foobar kernel: BT (driver) Unregistering tty on line 0 
May 22 15:21:34 foobar kernel: BT (driver) bt_unregister_tty invalid pid 
May 22 15:21:34 foobar kernel:  
May 22 15:21:34 foobar kernel: HW module contains... 
May 22 15:21:34 foobar kernel: 10 ACL buffers at 800 bytes 
May 22 15:21:34 foobar kernel: 0 SCO buffers at 0 bytes 
May 22 15:21:34 foobar kernel:  
May 22 15:21:34 foobar pppd[3025]: Exit.
May 22 15:21:34 foobar btd: ppp child died, now restart!   
May 22 15:21:34 foobar btd: Opening dev /dev/ttyBT0 
May 22 15:21:34 foobar btd: Killing SDP server 
May 22 15:21:34 foobar btd: Shutting down bluetooth stack 
May 22 15:21:34 foobar btd: close_device
May 22 15:21:34 foobar btd: close_device
May 22 15:21:34 foobar kernel: BT (driver) bt_open on line 0 
May 22 15:21:34 foobar kernel: BT (driver) Registering tty on line 0 
May 22 15:21:34 foobar kernel: BT SYS: warning :bt_register_tty : line busy
! 
May 22 15:21:34 foobar kernel: BT (driver) bt_close on line 0 
May 22 15:21:34 foobar kernel: BT (driver) Unregistering tty on line 0 
May 22 15:21:34 foobar kernel: BT (driver) bt_unregister_tty invalid pid 
May 22 15:21:34 foobar kernel: BT SYS: Shutting down bluetooth stack 
May 22 15:21:34 foobar kernel: BT SYS: Shutting down RFCOMM 
May 22 15:21:34 foobar kernel: BT SYS: Shutting down SDP 
May 22 15:21:34 foobar kernel: BT SYS: Shutting down TCS 
May 22 15:21:34 foobar kernel: BT SYS: Shutting down L2CAP 
May 22 15:21:34 foobar kernel: BT SYS: Shutting down BTMEM 
May 22 15:21:34 foobar kernel: BT (driver) bt_close on line 7 
May 22 15:21:34 foobar kernel: BT (driver) Unregistering tty on line 7 
May 22 15:21:34 foobar kernel: BT (ldisc) bt_tty_ioctl cmd 0x540b 
May 22 15:21:34 foobar kernel: BT (ldisc) bt_tty_ioctl: forwarding ioctl
0x540b to n_tty line disc 
May 22 15:21:34 foobar kernel: BT (ldisc) Hanging up line 0
<---------------------------------- and here's the second call
//
// Next, something fatal happens and after that
// point bt module becomes unusable & unloadable
// (it may not unload with command 'rmmod',
// unloads only by rebooting).
//
May 22 15:21:34 foobar kernel: Unable to handle kernel NULL pointer
dereference at virtual address 00000000 
May 22 15:21:34 foobar kernel: current->tss.cr3 = 06027000, %%cr3 = 06027000

May 22 15:21:34 foobar kernel: *pde = 00000000 
May 22 15:21:34 foobar kernel: Oops: 0002 
May 22 15:21:34 foobar kernel: CPU:    0 
May 22 15:21:34 foobar kernel: EIP:    0010:[<4001b948>] 
May 22 15:21:34 foobar kernel: EFLAGS: 00010282 
May 22 15:21:34 foobar kernel: eax: 00000000   ebx: 00000000   ecx: 4001b948
edx: c5d4f974 
May 22 15:21:34 foobar kernel: esi: c0297220   edi: c2ccc100   ebp: 00000000
esp: c4281ef0 
May 22 15:21:34 foobar kernel: ds: 0018   es: 0018   ss: 0018 
May 22 15:21:34 foobar kernel: Process btd (pid: 2784, process nr: 98,
stackpage=c4281000) 
May 22 15:21:34 foobar kernel: Stack: c4046f70 c7d32310 c2f69090 bffff9b4
c2ccc000 c4046f70 c2ccc970 c2ccc968  
May 22 15:21:34 foobar kernel:        c2ccc000 00000000 00000000 00000001
00000000 0000540b c4046f70 00000000  
May 22 15:21:34 foobar kernel:        c2f69090 bffff9b4 c7d32380 c7d32310
c7d32380 c7d32310 c4046f70 0000540b  
May 22 15:21:34 foobar kernel: Call Trace: [tty_release+9/16] [__fput+31/72]
[fput+23/68] [filp_close+79/88] [sys_close+91/104] [system_call+52/56]
[_stext+43/285]  
May 22 15:21:34 foobar kernel: Code: 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00  
May 22 15:30:00 foobar kernel: PPP: ppp line discipline successfully
unregistered 
May 22 15:30:01 foobar kernel: hdc: ATAPI 40X CD-ROM drive, 120kB Cache 
May 22 15:37:38 foobar btd: Shutting down bluetooth stack 
May 22 15:37:49 foobar btd: Initiating signal handler 
May 22 15:37:49 foobar btd: Starting SDP server [sdp_server] 
May 22 15:37:49 foobar btd: sdp_server not found
May 22 15:37:49 foobar btd: Opening dev /dev/ttyS0 
May 22 15:37:49 foobar btd: Killing SDP server 
May 22 15:37:49 foobar btd: Shutting down bluetooth stack 
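As an added illustration (not OpenBT code), here is a small C model of the session-state transitions that Jussi's analysis above describes, with and without the proposed one-line fix. The hangup counter, the upper_open flag and simulate_link_loss() are assumptions made only to make the double tty_hangup() call visible; the state names and the order of calls follow the mail and the log.

```c
/* Model of the OpenBT session-state handling described in the mail (constructed
 * for illustration, not the driver's code). Real tty_hangup() on an already
 * torn-down line dereferenced NULL; here a second call is simply counted. */
#include <stdio.h>

enum bt_state { BT_INACTIVE, BT_LOWERCONNECTED, BT_UPPERCONNECTED, BT_ACTIVE };

struct session {
    enum bt_state state;   /* stands in for SESSIONSTATE(line) */
    int upper_open;        /* assumed: upper tty still open (log: "Upper tty still open...") */
    int hangups;           /* assumed: number of tty_hangup(upper_tty) calls */
};

static void tty_hangup(struct session *s) { s->hangups++; }

static void bt_hangupline(struct session *s) { if (s->upper_open) tty_hangup(s); }

/* Teardown triggered by the DISCONNECTION_COMPLETE event. fixed != 0 applies the
 * proposed change: SESSIONSTATE(line) = BT_INACTIVE right after bt_hangupline(). */
static void bt_unregister_rfcomm(struct session *s, int fixed)
{
    if (s->state == BT_ACTIVE)
        s->state = BT_UPPERCONNECTED;
    else if (s->state == BT_LOWERCONNECTED)
        s->state = BT_INACTIVE;
    bt_hangupline(s);
    if (fixed)
        s->state = BT_INACTIVE;
}

/* Line-discipline close: hangs up unless the state says it was already done. */
static void bt_tty_close(struct session *s)
{
    if ((s->state == BT_ACTIVE) || (s->state == BT_UPPERCONNECTED))
        tty_hangup(s);
    s->upper_open = 0;
}

/* Replays the log: active session, physical link lost, then btd closes the tty.
 * Returns how many times tty_hangup() ran; anything above 1 is the bug. */
int simulate_link_loss(int fixed)
{
    struct session s = { BT_ACTIVE, 1, 0 };
    bt_unregister_rfcomm(&s, fixed);
    bt_tty_close(&s);
    return s.hangups;
}

int main(void)
{
    printf("unfixed: %d hangup(s), fixed: %d hangup(s)\n",
           simulate_link_loss(0), simulate_link_loss(1));
    return 0;
}
```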