When disconnecting audio from the phone's side, it may happen that
a thread handling the HCI message 'disconnection complete' gets preempted
in 'sco_conn_del' before calling 'sco_sock_kill', while still holding a
pointer to struct sock sk. The interrupting thread, started in
'sco_sock_shutdown', will carry on releasing resources and will eventually
release the struct sock. When execution goes back to the first thread, it
will call sco_sock_kill using a now invalid pointer to the already
destroyed socket.

The fix is to grab a reference to the socket and release it after calling
'sco_sock_kill'.
[  166.358213] BUG: unable to handle kernel paging request at 7541203a
[  166.365228] IP: [<fb6e8bfb>] bt_sock_unlink+0x1a/0x38 [bluetooth]
[  166.372068] *pdpt = 0000000024b19001 *pde = 0000000000000000
[  166.378483] Oops: 0002 [#1] PREEMPT SMP
[  166.382871] Modules linked in: evdev ecb rfcomm(O) libcomposite usb2380 udc_core bnep(O) btusb(O) btbcm(O) btintel(O) cdc_acm bluetooth(O) arc4 uinput hid_multitouch iwlmvm(O) usbhid hide
[  166.424233] Pid: 338, comm: kworker/u:2H Tainted: G           O 3.8.0-115.1-plk-adaptation-byt-ivi-brd #1
[  166.435112] EIP: 0060:[<fb6e8bfb>] EFLAGS: 00010206 CPU: 0
[  166.441259] EIP is at bt_sock_unlink+0x1a/0x38 [bluetooth]
[  166.447382] EAX: 632e6563 EBX: e4bfc600 ECX: e466d4d3 EDX: 7541203a
[  166.454369] ESI: fb7278ac EDI: e4d52000 EBP: e4669e20 ESP: e4669e0c
[  166.461366]  DS: 007b ES: 007b FS: 00d8 GS: 0000 SS: 0068
[  166.467391] CR0: 8005003b CR2: 7541203a CR3: 24aba000 CR4: 001007f0
[  166.474387] DR0: 00000000 DR1: 00000000 DR2: 00000000 DR3: 00000000
[  166.481375] DR6: ffff0ff0 DR7: 00000400
[  166.485654] Process kworker/u:2H (pid: 338, ti=e4668000 task=e466e030 task.ti=e4668000)
[  166.494591] Stack:
[  166.496830]  e4bfc600 e4bfc600 fb715c28 e4717ee0 e4d52000 e4669e3c fb715cf3 e4bfc634
[  166.505518]  00000068 e4d52000 e4c32000 fb7277c0 e4669e6c fb6f2019 0000004a 00000216
[  166.514205]  e4660101 e4c32008 02000001 00000013 e4d52000 e4c32000 e3dc9240 00000005
[  166.522891] Call Trace:
[  166.525654]  [<fb715c28>] ? sco_sock_kill+0x73/0x9a [bluetooth]
[  166.532295]  [<fb715cf3>] ? sco_conn_del+0xa4/0xbf [bluetooth]
[  166.538836]  [<fb6f2019>] ? hci_disconn_complete_evt.clone.55+0x1bd/0x205 [bluetooth]
[  166.547609]  [<fb6f73d3>] ? hci_event_packet+0x297/0x223c [bluetooth]
[  166.554805]  [<c10416da>] ? dequeue_task+0xaf/0xb7
[  166.560154]  [<c1041095>] ? finish_task_switch+0x50/0x89
[  166.566086]  [<c1349a2e>] ? __schedule+0x638/0x6b8
[  166.571460]  [<fb6eb906>] ? hci_rx_work+0xb9/0x2b8 [bluetooth]
[  166.577975]  [<c1035df9>] ? process_one_work+0x157/0x21b
[  166.583933]  [<fb6eb84d>] ? hci_cmd_work+0xef/0xef [bluetooth]
[  166.590448]  [<c1036217>] ? worker_thread+0x16e/0x20a
[  166.596088]  [<c10360a9>] ? manage_workers+0x1cf/0x1cf
[  166.601826]  [<c103a0ef>] ? kthread+0x8d/0x92
[  166.606691]  [<c134adf7>] ? ret_from_kernel_thread+0x1b/0x28
[  166.613010]  [<c103a062>] ? __init_kthread_worker+0x24/0x24
[  166.619230] Code: 85 63 ff ff ff 31 db 8d 65 f4 89 d8 5b 5e 5f 5d c3 56 8d 70 04 53 89 f0 89 d3 e8 7e 17 c6 c5 8b 53 28 85 d2 74 1a 8b 43 24 85 c0 <89> 02 74 03 89 50 04 c7 43 28 00 00 00
[  166.640501] EIP: [<fb6e8bfb>] bt_sock_unlink+0x1a/0x38 [bluetooth] SS:ESP 0068:e4669e0c
[  166.649474] CR2: 000000007541203a
[  166.653420] ---[ end trace 0181ff2c9e42d51e ]---
[  166.658609] note: kworker/u:2H[338] exited with preempt_count 1
Signed-off-by: Kuba Pawlak <kubax.t.pawlak@intel.com>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
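The race described in the commit message, as an added user-space model
(example code, not the kernel's or the patch's own code). All names below
(model_sock, model_sock_hold/put, conn_del_path, shutdown_path, kill_path)
are hypothetical stand-ins for the kernel's struct sock, sock_hold/sock_put,
sco_conn_del, sco_sock_shutdown and sco_sock_kill. The preemption point is
made deterministic: the shutdown thread runs to completion in the window
between copying the socket pointer out of the connection and calling the kill
routine. To keep the use-after-free observable instead of undefined
behaviour, the model never hands memory back to the allocator; "freeing" only
clears an 'alive' flag that the kill routine checks.

```c
/*
 * Added example, not kernel code: a deterministic model of the
 * sco_conn_del / sco_sock_shutdown race and of the reference-count fix.
 * Every identifier here is hypothetical and stands in for a kernel one.
 */
#include <stdbool.h>
#include <stdio.h>

struct model_sock {
    int  refcnt;   /* stands in for sk->sk_refcnt */
    bool alive;    /* cleared when the last reference is dropped */
    int  state;    /* stands in for sk->sk_state */
};

static void model_sock_hold(struct model_sock *sk)
{
    sk->refcnt++;
}

static void model_sock_put(struct model_sock *sk)
{
    /* The real kernel would sk_free() here; the model only marks it dead. */
    if (--sk->refcnt == 0)
        sk->alive = false;
}

/* Stands in for sco_sock_kill(). Returns true if it touched a live object. */
static bool kill_path(struct model_sock *sk)
{
    if (!sk->alive)
        return false;          /* this is the use-after-free */
    sk->state = 0;             /* BT_CLOSED-style teardown */
    return true;
}

/* Stands in for the sco_sock_shutdown() thread: drops the socket's reference. */
static void shutdown_path(struct model_sock *sk)
{
    model_sock_put(sk);
}

/*
 * Stands in for sco_conn_del(). It copies the raw socket pointer, is
 * "preempted" by the shutdown thread, then calls the kill routine.
 * With take_ref == true it does what the fix describes: hold a reference
 * before the window and drop it only after the kill routine returns.
 */
static bool conn_del_path(struct model_sock *conn_sk, bool take_ref)
{
    struct model_sock *sk = conn_sk;   /* raw pointer taken from the connection */
    bool ok;

    if (take_ref)
        model_sock_hold(sk);

    shutdown_path(sk);                 /* simulated preemption point */

    ok = kill_path(sk);
    if (take_ref)
        model_sock_put(sk);            /* last reference: object freed here */
    return ok;
}

/* Fresh socket with one reference; true if the kill routine saw a live object. */
bool scenario_is_safe(bool take_ref)
{
    struct model_sock sk = { .refcnt = 1, .alive = true, .state = 1 };
    return conn_del_path(&sk, take_ref);
}

/* Same scenario; true if the socket is freed by the end (no leak either way). */
bool scenario_frees_socket(bool take_ref)
{
    struct model_sock sk = { .refcnt = 1, .alive = true, .state = 1 };
    conn_del_path(&sk, take_ref);
    return !sk.alive && sk.refcnt == 0;
}

int main(void)
{
    printf("without reference: %s\n",
           scenario_is_safe(false) ? "ok" : "use-after-free in kill path");
    printf("with reference:    %s\n",
           scenario_is_safe(true) ? "ok" : "use-after-free in kill path");
    return 0;
}
```

Run stand-alone, the unpatched ordering reports a use-after-free and the
patched ordering reports ok; in both cases the socket ends up freed, which is
the property that makes the hold/put pair a fix rather than a leak.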