Opened 16 years ago

Last modified 22 months ago

#2505 reopened bug

bluetooth_server provokes vm_page_fault in h2generic

Reported by: monni Owned by: oruizdorantes
Priority: normal Milestone: Unscheduled
Component: Network & Internet/Bluetooth Version: R1/pre-alpha1
Keywords: Cc: modeenf
Blocked By: Blocking:
Platform: All

Description

E-mailed this to Oliver earlier today and adding here to track progress ;)

How to reproduce: disconnect bluetooth dongle while bluetooth_server is running Experienced behavior: unhandled page fault in kernel space at 0xdeadbef3 Expected behavior: wait for new dongle to appear

Back trace: 

</boot/beos/system/add-ons/kernel/drivers/dev/bluetooth/h2generic>:device_close + 0x009d
<kernel>:devfs_close__FP9fs_volumeP8fs_vnodePv + 0x0035
<kernel>:file_close__FP15file_descriptor + 0x004c
<kernel>:put_fd + 0x006c
<kernel>:disconnect_mount_or_vnode_fds__FP8fs_mountP5vnode + 0x01e5
<kernel>:vfs_disconnect_vnode + 0x003d
<kernel>:devfs_unpublish_device + 0x0067
<kernel>:republish_driver__FP13legacy_driver + 0x0535
<kernel>:legacy_driver_rescan + 0x0075
<kernel>:devfs_rescan_driver + 0x0012
<usb>:RescanDrivers__5StackP11rescan_item + 0x001b
<usb>:ExploreThread__5StackPv + 0x0101

Change History (11)

comment:1 by monni, 16 years ago

Added few panics just to make sure h2generic manages to print out all relevant information and looks like the passed in cookie is from outer space...

it gives cookie = -559038737 which translates to 0xdeadbeef

comment:2 by monni, 16 years ago 

KERN: USB Hub 1: port 1 disabled 
KERN: BT fetch_device: (0x90ca30cc) 
KERN: usb_uhci: td (0x02473bc0) error: status: 0x214507ff; token: 0x01e08369; 
KERN: BT device_removed: device_removed(0x90ca30cc) 
KERN: usb_uhci: td (0x02473be0) error: status: 0x214507ff; token: 0x01e08369; 
KERN: BT kill_device: kill_device(0x90ca30cc) 
KERN: usb_uhci: td (0x02473c00) error: status: 0x214507ff; token: 0x01e08369; 
KERN: BT publish_devices: publish_devices() 
KERN: BT publish_devices: published 0 devices 
KERN: BT fetch_device: (0x90ca30cc) 
KERN: BT device_close: device_close(0x90ca30cc) 
KERN: BT device_close: device_close(0x90ca30cc) hdev = 0 
KERN: BT device_close: Stopping device 0 and cancelling queues... 
KERN: USB Stack: tried to get object with invalid usb_id 
KERN: BT device_close: Cancelled EVENTS on device 0 
KERN: USB Stack: tried to get object with invalid usb_id 
KERN: BT device_close: Cancelled ACL in on device 0 
KERN: USB Stack: tried to get object with invalid usb_id 
KERN: BT device_close: Cancelled ACL out on device 0 
KERN: BT device_free: device_free() called on bluetooth/h2generic 
KERN: BT uninit_driver: uninit_driver() 
KERN: BT kill_device: kill_device(0x90ca30cc)

Crash is caused by several calls to kill_device with same pointer... kill_device frees the pointer which sends the cookie to outer space.

http://dev.haiku-os.org/browser/haiku/trunk/src/add-ons/kernel/drivers/bluetooth/h2/h2generic/h2generic.c#L157

comment:3 by oruizdorantes, 16 years ago

Its a pleasure fix bugs when someone else has done all the tracking work :) Thanks a lot Monni, there is a TODO pointing this possible problem.

BTW you added more debug output, feel free to send me the patch.

comment:4 by monni, 16 years ago

Well... It's only half of the issue... Now we need to make it wait for the "new" dongle... I looked into it briefly but looks like something doesn't work correctly after reconnect as name of LocalDevice is dongle type and not "siam-0" as it is right after boot.

comment:5 by oruizdorantes, 16 years ago

Status: newassigned

Bluetooth_server is not yet monitoring devices(DeviceManager class is basically a stub). This is one of the reasons for example, so this feature will take longer.

comment:6 by oruizdorantes, 16 years ago

Resolution: fixed
Status: assignedclosed

Fixed at rev 26382

comment:7 by monni, 16 years ago

Resolution: fixed
Status: closedreopened

Hmmm... looks like this crash is regression to fix in hrev26382 

</boot/beos/system/add-ons/kernel/drivers/dev/bluetooth/h2generic>:event_complete + 0x0070
<uhci>:Finished__8TransferUlUl + 0x0027
<uhci>:FinishTransfers__4UHCI + 0x0441
<uhci>:FinishThread__4UHCIPv + 0x001f

comment:8 by monni, 16 years ago

syslog: 

KERN: [31mBT h2generic device_control[0m: ioctl() opcode 12999 size 17.
KERN: [31mBT h2generic device_control[0m: device launched 0
KERN: [38mBT  command_complete[0m: 21 19:04:0a:
KERN: [38mBT  assembly_rx[0m: count 6 0x00000000 0x80282400
KERN: [38mBT  assembly_rx[0m: Frame goes up!
KERN: [38mBT  post_packet_up[0m: HCI not present, Posting to userland
KERN: [38mBT  assembly_rx[0m: count 16 0x00000000 0x80282400
KERN: Last message repeated 15 times.
KERN: [38mBT  assembly_rx[0m: count 1 0x00000000 0x80282400
KERN: [38mBT  assembly_rx[0m: Frame goes up!
KERN: [38mBT  post_packet_up[0m: HCI not present, Posting to userland
KERN: [31mBT h2generic device_close[0m: device_close(0x90bdb198)
KERN: [31mBT h2generic device_close[0m: device_close(0x90bdb198) hdev =  0
KERN: [31mBT h2generic device_close[0m:  bluetooth/h2generic/0 not running¿?
KERN: [31mBT h2generic device_free[0m: device_free() called on bluetooth/h2generic 
KERN: [31mBT h2generic kill_device[0m: (0x90bdb198)
KERN: [31mBT h2generic device_open[0m: device_open()
KERN: [31mBT h2generic device_open[0m: Device not found in the open list!

comment:9 by luroh, 10 years ago

Milestone: R1Unscheduled

Moving Bluetooth related tickets out of R1 milestone.

comment:10 by modeenf, 4 years ago

Cc: modeenf added

comment:11 by waddlesplash, 22 months ago

Does this still happen?

Note: See TracTickets for help on using tickets.