zygo: net/bluetooth: avoid NULL pointer dereference, try 2

May 11 09:31:41 faye kernel: [39401.979822] conn f29e0fe0 len 48
May 11 09:31:41 faye kernel: [39401.979829] sk f3333a00 len 48
May 11 09:31:41 faye kernel: [39401.980289] sock ea8ae0c0, sk f3333a00
May 11 09:31:41 faye kernel: [39401.980303] sock f3333a00 state 1
May 11 09:31:41 faye kernel: [39401.980311] sk f3333a00 state 1 socket ea8ae0c0
May 11 09:31:41 faye kernel: [39401.980320] sock f3333a00 state 8 timeout 2000
May 11 09:31:41 faye kernel: [39401.980385] BUG: unable to handle kernel NULL pointer dereference at 00000008
May 11 09:31:41 faye kernel: [39401.981038] IP: [<f85b5582>] __sco_sock_close+0xc2/0x180 [bluetooth]
May 11 09:31:41 faye kernel: [39401.981038] *pde = 00000000
May 11 09:31:41 faye kernel: [39401.981038] Oops: 0002 [#1] SMP
May 11 09:31:41 faye kernel: [39401.981038] Modules linked in: nls_iso8859_1 nls_cp437 vfat fat ppp_async crc_ccitt ppp_generic slhc binfmt_misc hidp parport_pc ppdev lp parport rfcomm bnep nfsd lockd nfs_acl auth_rpcgss sunrpc tun fbcon tileblit font bitblit fbcon_rotate fbcon_cw fbcon_ud fbcon_ccw softcursor i915 drm_kms_helper drm cpufreq_userspace cpufreq_stats cpufreq_conservative cpufreq_powersave microcode dummy ipv6 af_packet fuse tcp_westwood coretemp uinput usbserial speedstep_lib acpi_cpufreq mperf ipt_MASQUERADE xt_mark xt_state xt_tcpudp iptable_nat nf_nat nf_conntrack_ipv4 nf_conntrack nf_defrag_ipv4 iptable_mangle ipt_LOG xt_limit iptable_filter ip_tables x_tables snd_hda_codec_realtek snd_hda_intel snd_hda_codec firmware_class snd_hwdep snd_pcm_oss snd_mixer_oss snd_pcm snd_seq_dummy snd_seq_oss snd_seq_midi snd_rawmidi snd_seq_midi_event arc4 snd_seq ath9k snd_timer mac80211 joydev ath9k_common snd_seq_device btusb ath9k_hw snd eeepc_wmi asus_wmi bluetooth uvcvideo iTCO_wdt sparse_keymap pci_h
May 11 09:31:41 faye kernel: otplug iTCO_vendor_support ath videodev evdev pcspkr psmouse media cfg80211 intelfb rtc_cmos serio_raw intel_agp intel_gtt soundcore i2c_i801 rfkill i2c_algo_bit i2c_core wmi ac snd_page_alloc battery video button processor ext4 jbd2 crc16 cryptd aes_i586 aes_generic xts gf128mul dm_crypt dm_mod raid1 md_mod nbd uas thermal thermal_sys hwmon uhci_hcd ehci_hcd atl1c [last unloaded: scsi_wait_scan]
May 11 09:31:41 faye kernel: [39401.981038]
May 11 09:31:41 faye kernel: [39401.981038] Pid: 4840, comm: bluetoothd Not tainted 3.2.16-zb5s+ #1 ASUSTeK Computer INC. MK90H/MK90H
May 11 09:31:41 faye kernel: [39401.981038] EIP: 0060:[<f85b5582>] EFLAGS: 00010282 CPU: 0
May 11 09:31:41 faye kernel: [39402.057589] EIP is at __sco_sock_close+0xc2/0x180 [bluetooth]
May 11 09:31:41 faye kernel: [39402.057589] EAX: f29e0fe0 EBX: f3333a00 ECX: 818ad578 EDX: 00000286
May 11 09:31:41 faye kernel: [39402.057589] ESI: 00000000 EDI: f38e9f88 EBP: f38e9f30 ESP: f38e9f14
May 11 09:31:41 faye kernel: [39402.057589]  DS: 007b ES: 007b FS: 00d8 GS: 00e0 SS: 0068
May 11 09:31:41 faye kernel: [39402.057589] Process bluetoothd (pid: 4840, ti=f38e8000 task=b78be2b0 task.ti=f38e8000)
May 11 09:31:41 faye kernel: [39402.057589] Stack:
May 11 09:31:41 faye kernel: [39402.057589]  f85be9e8 f85ba567 f3333a00 00000001 ea8ae0c0 f3333a00 00000000 f38e9f50
May 11 09:31:41 faye kernel: [39402.057589]  f85b56a7 f85be9d0 f85ba4d0 ea8ae0c0 f3333a00 ea8ae0c0 00000002 f38e9f68
May 11 09:31:41 faye kernel: [39402.057589]  81455332 00000000 00000000 0000000b 00000008 f38e9fac 81456804 00000022
May 11 09:31:41 faye kernel: [39402.057589] Call Trace:
May 11 09:31:41 faye kernel: [39402.057589]  [<f85b56a7>] sco_sock_shutdown+0x67/0xb0 [bluetooth]
May 11 09:31:41 faye kernel: [39402.057589]  [<81455332>] sys_shutdown+0x62/0x70
May 11 09:31:41 faye kernel: [39402.057589]  [<81456804>] sys_socketcall+0x154/0x2c0
May 11 09:31:41 faye kernel: [39402.057589]  [<8113aee5>] ? vfs_writev+0x45/0x60
May 11 09:31:41 faye kernel: [39402.057589]  [<8152d55f>] sysenter_do_call+0x12/0x2d
May 11 09:31:41 faye kernel: [39402.057589]  [<81520000>] ? init_idle+0x55/0x206
May 11 09:31:41 faye kernel: [39402.057589] Code: 00 08 83 c4 14 5b 5e 5d c3 8b 83 b8 01 00 00 85 c0 74 9e 89 d8 ba d0 07 00 00 c6 43 0e 08 e8 d6 fe ff ff 8b 83 b8 01 00 00 8b 30 <f0> ff 4e 08 0f 94 c0 84 c0 74 27 0f b6 46 19 3c 80 74 33 3c 01
May 11 09:31:41 faye kernel: [39402.057589] EIP: [<f85b5582>] __sco_sock_close+0xc2/0x180 [bluetooth] SS:ESP 0068:f38e9f14
May 11 09:31:41 faye kernel: [39402.057589] CR2: 0000000000000008
May 11 09:31:41 faye kernel: [39402.148568] conn f29e0fe0 len 48
May 11 09:31:41 faye kernel: [39402.148681] uvcvideo: Failed to resubmit video URB (-27).
May 11 09:31:41 faye kernel: [39402.148697] uvcvideo: Failed to resubmit video URB (-27).
May 11 09:31:41 faye kernel: [39402.148713] uvcvideo: Failed to resubmit video URB (-27).
May 11 09:31:41 faye kernel: [39402.148729] uvcvideo: Failed to resubmit video URB (-27).
May 11 09:31:41 faye kernel: [39402.148744] uvcvideo: Failed to resubmit video URB (-27).
May 11 09:31:41 faye kernel: [39402.172797] ---[ end trace 5fd7b8f96a0d27f1 ]---
May 11 09:31:41 faye kernel: [39402.172859] sk f3333a00 len 48
May 11 09:31:41 faye kernel: [39402.172875] conn f29e0fe0 len 48
May 11 09:31:41 faye kernel: [39402.172883] sk f3333a00 len 48
May 11 09:31:41 faye kernel: [39402.172892] conn f29e0fe0 len 48

diff --git a/include/net/bluetooth/bluetooth.h b/include/net/bluetooth/bluetooth.h
index e86af08293a8217153b48a98a4802015376185db..1003f68c69049ae67a7813e2f2606e69b1d7a0b1 100644 (file)
--- a/include/net/bluetooth/bluetooth.h
+++ b/include/net/bluetooth/bluetooth.h
@@ -93,7 +93,7 @@ enum {
        BT_CONNECT,
        BT_CONNECT2,
        BT_CONFIG,
-       BT_DISCONN,
+       BT_DISCONN, /* 8 */
        BT_CLOSED
 };
 

diff --git a/net/bluetooth/sco.c b/net/bluetooth/sco.c
index 2087d52ac6032d02fd106bee7ab35a9fe045ed59..5b4355c17d114f299f515a80a1c33d16748e0acd 100644 (file)
--- a/net/bluetooth/sco.c
+++ b/net/bluetooth/sco.c
@@ -382,6 +382,8 @@ static void __sco_sock_close(struct sock *sk)
 
        case BT_CONNECT:
        case BT_DISCONN:
+               BT_DBG("BT_DISCONN sco_pi(sk) %p", sco_pi(sk));
+               BT_DBG("BT_DISCONN sco_pi(sk)->conn %p", sco_pi(sk)->conn);
                sco_chan_del(sk, ECONNRESET);
                break;