Bug 231601 - Bluetooth HID use-after-free
Summary: Bluetooth HID use-after-free
Status: CLOSED DUPLICATE of bug 227893
Alias: None
Product: Fedora
Classification: Fedora
Component: kernel
Version: rawhide
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Kernel Maintainer List
QA Contact: Brian Brock
Depends On:
Blocks: FC7Blocker
Reported: 2007-03-09 13:14 UTC by David Woodhouse
Modified: 2007-11-30 22:11 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2007-03-09 22:16:07 UTC

Description David Woodhouse 2007-03-09 13:14:08 UTC
When my Bluetooth mouse disconnects and reconnects (as it does from time to
time), I sometimes see this crash. I cannot reproduce this by turning the mouse
off and on.

PM: Removing info for bluetooth:acl000A94C07E17
Unable to handle kernel paging request for data at address 0x6b6b6b6b
Oops: Kernel access of bad area, sig: 11 [#1]

Modules linked in: radeon(U) drm(U) hidp(U) hci_usb(U) rfcomm(U) l2cap(U) bluetooth(U) arc4(U) ecb(U) blkcipher(U) ieee80211_crypt_wep(U) ipv6(U) nls_utf8(U) hfsplus(U) dm_mirror(U) dm_mod(U) therm_adt746x(U) parport_pc(U) lp(U) parport(U) snd_aoa_i2sbus(U) bcm43xx(U) ieee80211softmac(U) snd_powermac(U) snd_seq_dummy(U) ieee80211(U) snd_seq_oss(U) snd_seq_midi_event(U) snd_seq(U) snd_seq_device(U) ieee80211_crypt(U) sungem(U) snd_pcm_oss(U) snd_mixer_oss(U) sungem_phy(U) snd_pcm(U) snd_timer(U) snd_page_alloc(U) snd(U) soundcore(U) snd_aoa_soundbus(U) ide_cd(U) cdrom(U) fw_ohci(U) fw_core(U) ext3(U) jbd(U) mbcache(U) ehci_hcd(U) ohci_hcd(U) uhci_hcd(U)
NIP: C001890C LR: C012C760 CTR: C01CCEBC
REGS: ef65fdb0 TRAP: 0300   Not tainted  (2.6.20-1.2967.fc7)
MSR: 00009032 <EE,ME,IR,DR>  CR: 22000224  XER: 20000000
DAR: 6B6B6B6B, DSISR: 40000000
TASK = c0e0ecf0[2599] 'khidpd_00000000' THREAD: ef65e000
GPR00: 6B6B6B6B EF65FE60 C0E0ECF0 6B6B6B6B 6B6B6B6A C1C57D3C 0000001A ED22EECE 
GPR08: 000007AA 00000014 FFFFFFFF 00000005 00000000 2002160C 22204422 00000000 
GPR16: 00000000 7FE59006 00000003 C1C57D24 00000000 C1F03ED8 C037AEB8 ED22EE78 
GPR24: C0369F0C ED22EECE 0000001A 000007AA 00000001 C0F7E728 C0F7E728 000000D0 
NIP [C001890C] strlen+0x4/0x18
LR [C012C760] kobject_get_path+0x34/0xc4
Call Trace:
[EF65FE60] [C0092884] __kmalloc_track_caller+0x144/0x164 (unreliable)
[EF65FE80] [C01CCF04] class_uevent+0x48/0x1c0
[EF65FEC0] [C012CED8] kobject_uevent_env+0x278/0x490
[EF65FF10] [C01CC6A0] class_device_del+0x178/0x1a0
[EF65FF30] [C01CC6E0] class_device_unregister+0x18/0x30
[EF65FF50] [C021DD38] input_unregister_device+0x13c/0x178
[EF65FF70] [C023EF3C] hidinput_disconnect+0x2c/0x60
[EF65FF90] [F27B1B50] hidp_session+0x550/0x584 [hidp]
[EF65FFF0] [C0013F7C] kernel_thread+0x44/0x60
Instruction dump:
4082fff4 4e800020 38a3ffff 3884ffff 8c650001 2c830000 8c040001 7c601851 
4d860020 4182ffec 4e800020 3883ffff <8c040001> 2c000000 4082fff8 7c632050 
0xc01ccf04 is in class_uevent (drivers/base/class.c:388).
383                     return 0;
385             /* add device, backing this class device (deprecated) */
386             path = kobject_get_path(&dev->kobj, GFP_KERNEL);
388             add_uevent_var(envp, num_envp, cur_index, buffer, buffer_size,
389                            cur_len, "PHYSDEVPATH=%s", path);
390             kfree(path);
392             if (dev->bus)

Reverting commits f5ffd4620aba9e55656483ae1ef5c79ba81f5403 and
e1aaadd4d8162a2c33e41dd5a72234ea4d3b014f doesn't make a difference (except a
cosmetic one to the backtrace, of course).

I think this started happening in 2.6.19-1.2914, when we enabled
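
Added triage helper for reading this kind of oops (example code, not part of the report or of the kernel): the faulting address 0x6b6b6b6b is the slab-debug POISON_FREE byte repeated, which is what marks the crash as a read of an already freed object. The parser pulls that address, the NIP symbol, the registers holding poison and the reliable call chain; it assumes the PowerPC oops layout shown here, and the sample lines are copied from the description.

```python
import re

# Slab-debug poison bytes from include/linux/poison.h.
POISON = {0x6b: "POISON_FREE: object was freed, this is a use-after-free",
          0x5a: "POISON_INUSE: object allocated but never initialised"}

# Sample input copied from the oops in the report above, trimmed to the
# lines the parser uses (PowerPC register and frame layout).
SAMPLE_OOPS = """\
Unable to handle kernel paging request for data at address 0x6b6b6b6b
GPR00: 6B6B6B6B EF65FE60 C0E0ECF0 6B6B6B6B 6B6B6B6A C1C57D3C 0000001A ED22EECE
NIP [C001890C] strlen+0x4/0x18
LR [C012C760] kobject_get_path+0x34/0xc4
Call Trace:
[EF65FE60] [C0092884] __kmalloc_track_caller+0x144/0x164 (unreliable)
[EF65FE80] [C01CCF04] class_uevent+0x48/0x1c0
[EF65FEC0] [C012CED8] kobject_uevent_env+0x278/0x490
[EF65FF10] [C01CC6A0] class_device_del+0x178/0x1a0
[EF65FF30] [C01CC6E0] class_device_unregister+0x18/0x30
[EF65FF50] [C021DD38] input_unregister_device+0x13c/0x178
[EF65FF70] [C023EF3C] hidinput_disconnect+0x2c/0x60
[EF65FF90] [F27B1B50] hidp_session+0x550/0x584 [hidp]
[EF65FFF0] [C0013F7C] kernel_thread+0x44/0x60
"""

def poison_kind(value, width=4, slack=0x100):
    """Describe `value` if it is, or lies within `slack` of, a word filled with a
    poison byte; the slack catches derived pointers such as strlen's r4 = r3 - 1."""
    for byte, desc in POISON.items():
        if abs(value - int.from_bytes(bytes([byte]) * width, "big")) <= slack:
            return desc
    return None

def triage(oops):
    """Extract the faulting address, NIP symbol, poisoned GPRs and reliable frames."""
    fault = re.search(r"address (0x[0-9a-fA-F]+)", oops)
    nip = re.search(r"^NIP \[[0-9A-Fa-f]+\] (\w+)\+", oops, re.M)
    regs = {}
    for base, vals in re.findall(r"^GPR(\d+):((?:[ \t]+[0-9A-Fa-f]{8})+)", oops, re.M):
        for i, v in enumerate(vals.split()):
            regs[f"r{int(base) + i}"] = int(v, 16)
    frames = re.findall(r"^\[[0-9A-Fa-f]+\] \[[0-9A-Fa-f]+\] (\w+)\+0x[0-9a-f]+/0x[0-9a-f]+"
                        r"(?: \[\w+\])?( \(unreliable\))?", oops, re.M)
    addr = int(fault.group(1), 16) if fault else None
    return {"fault_addr": addr,
            "verdict": poison_kind(addr) if addr is not None else None,
            "nip": nip.group(1) if nip else None,
            "poisoned_regs": [r for r, v in regs.items() if poison_kind(v)],
            "call_chain": [f for f, unreliable in frames if not unreliable]}
```

On the sample this reports r0, r3 and r4 as poisoned and a chain from class_uevent down to hidp_session, i.e. the kobject path was read after the device's memory had been freed.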

Comment 1 Pete Zaitcev 2007-03-09 19:15:21 UTC
This looks like a dup of bug 227893. I looked at it briefly, but the code is
somewhat involved.

Comment 2 David Woodhouse 2007-03-09 22:16:07 UTC

*** This bug has been marked as a duplicate of 227893 ***
