Kernel panic when a Motorola S305 Stereo headset requests connection

Just revisited my description, and there're some words missing

My system still has so the panic backtrace is not available , however I attached a picture taken by my mobile.

==>

My system still has rsyslogd problem(see the message rsyslogd was HUPed, type 'lightweight'. in kernel log) so the panic backtrace is not available , however I attached a picture taken by my mobile.

Is there any progress? I tested latest 2.6.33-rc9 from ubuntu, the
problem is still there. rsyslog still doesn't work so I took another
picture. Back trace is quite similar and if looking at the bluetooth
part, the call stack (at least those shown in the console) is the
same.

a correct to #3, it's 2.6.33-rc8

just fyi, and added a correction to #3, it's 2.6.33-rc8

---------- Forwarded message ----------
From: Liang Bao <email address hidden>
Date: 2010/3/1
Subject: Re: Kernel panic when handing Motorola S305 headset
To: <email address hidden>

I'd like to continue the previous thread on that Motorola S305 causes
kernel panic because I did find some clue here. Sorry for misleading
guess one month ago if any.

Recap the problem here so that you don't to read the first long post.
The pattern to reproduce the issue is:
1. Pair the S305 headset from the phone or the PC( I am using a Ubuntu)
2. Remove pairing on the phone or PC
3. Power off and then power on S305.
4. The S305 will try to connect and since link key removed on this
side it will try to pair. Input 0000.
5. Kernel panic happens. This can be observed on kernel version
2.6.29(on the Droid phone, yes, it's a modified version),
2.6.31-19-generic on a Ubuntu and a pretty latest 2.6.33-020633rc8
from Ubuntu official RC release.

The exact kernel crash point is
            if (l2cap_check_security(sk)) {
                 if (bt_sk(sk)->defer_setup) {
                     struct sock *parent = bt_sk(sk)->parent;
                     rsp.result = cpu_to_le16(L2CAP_CR_PEND);
                     rsp.status = cpu_to_le16(L2CAP_CS_AUTHOR_PEND);
>>>                   parent->sk_data_ready(parent, 0)
                 } else {

After tracing the issue for a couple of weeks, I find the difference
between a normal flow and the panic one. If the user space process
accepts the L2CAP connection request before L2CAP_INFO_RSP received,
the following calls will be carried out:

l2cap_sock_accept-> bt_accept_dequeue->bt_accept_unlink(in the branch
bt_sk(parent)->defer_setup)-> set bt_sk(sk)->parent = NULL. Later when
L2CAP_INFO_RSP arrives, the l2cap_conn_start() will try to call the
marked line above and de-referring NULL happen.

To fix this, shall we consider checking if a pending socket can be
accepted in bt_accept_dequeue() prior to a pending L2CAP_INFO_REQ
responded? For example,  adding a check to BT_CONNECT2 in
af_bluetooth.c.

215         if (sk->sk_state == BT_CONNECTED || !newsock ||
216                         ( bt_sk(parent)->defer_setup &&
(sk->sk_state != BT_CONNECT2))) {

Again, I am not sure if this will bring a side-effect. Please advise
the most appropriate way. Thanks.

p.s: I attached partial trace files for those who're interested to the traces.

Just recently, I was trying to get it to work on Ubuntu Netbook Remix. I experienced the same Kernel Panic as described in this bug report. I hope that the problem can be solved in time.

I wanted to share that this also affects the Android OS at least up through 2.1. I can confirm that S305 headset crashes my Motorola Droid about every other time.

I couldn't select Android or AOSP in "Also Affects Distribution" above, otherwise I would have tagged it.

I Have the same headset, motorola s305, in an acer desktop. I bought a "perfect choice" usb bluetoth and ubuntu 10.04 recognize inmediately. Then I power on the headset and the 2 elements pairse correctly. The soun quality is excelent and i have not problem.

This is reported against an old version of Ubuntu and many things has changed since then. Because of that we won't fix this issue however if this behavior repeats on a modern version please fill a bug report against it and we will take it from there.