Suspending while playing music via BlueTooth headset causes kernel panic
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
linux (Ubuntu) | | Medium | Colin Ian King | |
Hardy | | Medium | Unassigned | |
Intrepid | | Medium | Unassigned | |
Bug Description
SRU justification:
Impact: Performing a suspend while streaming audio to a bluetooth headset trips a kernel panic in the bluetooth USB driver very late in the suspend process (after console messages are turned off).
The panic occurs when hci_usb_
Fix: Put _urb on the killed list before calling usb_kill_urb() - this ensures that the _urb is on a list and hence won't cause a panic when removed using _urb_unlink().
Testcase: Doing a suspend with audio streaming to a bluetooth headset using Elisa causes a panic. With the patch suspend/resume works correctly.
Playing audio through a Bluetooth headset and then suspending the machine on Hardy, Intrepid and Jaunty causes a kernel panic. I've captured the location of the panic below in hci_usb_
00000750 <hci_usb_
750: 83 ec 14 sub $0x14,%esp
753: 89 5c 24 04 mov %ebx,0x4(%esp)
757: 89 c3 mov %eax,%ebx
759: 89 74 24 08 mov %esi,0x8(%esp)
75d: 89 6c 24 10 mov %ebp,0x10(%esp)
761: 8d 68 ec lea -0x14(%eax),%ebp
764: 89 7c 24 0c mov %edi,0xc(%esp)
768: 8b 78 64 mov 0x64(%eax),%edi
76b: 8b 07 mov (%edi),%eax
76d: 8d 77 68 lea 0x68(%edi),%esi
770: 89 04 24 mov %eax,(%esp)
773: 8b 45 0c mov 0xc(%ebp),%eax
776: f0 ff 0c 86 lock decl (%esi,%eax,4)
77a: c7 43 3c 00 00 00 00 movl $0x0,0x3c(%ebx)
781: 8b 45 10 mov 0x10(%ebp),%eax
784: e8 fc ff ff ff call 785 <hci_usb_
789: 8b 14 24 mov (%esp),%edx
78c: 8b 42 18 mov 0x18(%edx),%eax
78f: a8 04 test $0x4,%al
791: 0f 84 9d 00 00 00 je 834 <hci_usb_
797: 8b 4b 34 mov 0x34(%ebx),%ecx
79a: 85 c9 test %ecx,%ecx
79c: 0f 84 a6 00 00 00 je 848 <hci_usb_
7a2: 8b 04 24 mov (%esp),%eax
7a5: 83 80 74 02 00 00 01 addl $0x1,0x274(%eax)
7ac: 89 f0 mov %esi,%eax
7ae: e8 fc ff ff ff call 7af <hci_usb_
7b3: 8b 45 08 mov 0x8(%ebp),%eax
7b6: 85 c0 test %eax,%eax
7b8: 74 33 je 7ed <hci_usb_
7ba: 8d 58 08 lea 0x8(%eax),%ebx
7bd: 89 d8 mov %ebx,%eax
7bf: e8 fc ff ff ff call 7c0 <hci_usb_
7c4: 8b 55 04 mov 0x4(%ebp),%edx
7c7: 8b 4d 00 mov 0x0(%ebp),%ecx
7ca: 89 51 04 mov %edx,0x4(%ecx) <-- panic occurs here
The panic occurs when hci_usb_
It seems to me that the bug occurs because hci_usb_suspend() dequeues the _urb and then calls usb_kill_urb() - I believe it should put the _urb on the killed list first before killing the urb.
My testing confirms this fix works fine every time (and I've checked the _urb activity throughout the stack to verify that this is the root cause of the panic).
Attached - the patch
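The list-state problem described in the report, as an added example that is neither the driver's code nor the attached patch: a userspace model in which `model_urb`, `model_unlink`, `model_kill` and `run_suspend` are hypothetical stand-ins. It assumes that killing an entry runs a completion path that unlinks it, and it records a fault where the kernel would panic.

```c
#include <stdio.h>

/* Userspace model constructed for illustration; names are hypothetical. */
struct node { struct node *next, *prev; };
struct model_urb {
    struct node list;   /* first member, so a node pointer is the entry */
    int faulted;        /* set where the kernel would have oopsed */
};

static void queue_init(struct node *h) { h->next = h->prev = h; }
static void queue_tail(struct node *h, struct model_urb *u) {
    u->list.prev = h->prev; u->list.next = h;
    h->prev->next = &u->list; h->prev = &u->list;
}
/* Take the first entry off a queue and leave its link pointers dead. */
static struct model_urb *dequeue(struct node *h) {
    struct node *n = h->next;
    if (n == h) return NULL;
    n->prev->next = n->next; n->next->prev = n->prev;
    n->next = n->prev = NULL;
    return (struct model_urb *)n;
}
/* Stand-in for _urb_unlink(): list removal writes through next/prev, so
 * the model records a fault rather than following a dead pointer. */
static void model_unlink(struct model_urb *u) {
    if (!u->list.next || !u->list.prev) { u->faulted = 1; return; }
    u->list.next->prev = u->list.prev; u->list.prev->next = u->list.next;
    u->list.next = u->list.prev = NULL;
}
/* Stand-in for usb_kill_urb(): cancelling runs completion, which unlinks. */
static void model_kill(struct model_urb *u) { model_unlink(u); }

/* Suspend over three pending entries; returns how many would oops.
 * fixed != 0 parks each entry on the killed queue before killing it. */
int run_suspend(int fixed) {
    struct node pending, killed;
    struct model_urb urbs[3] = {{{NULL, NULL}, 0}}, *u;
    int i, faults = 0;
    queue_init(&pending); queue_init(&killed);
    for (i = 0; i < 3; i++) queue_tail(&pending, &urbs[i]);
    while ((u = dequeue(&pending)) != NULL) {
        if (fixed) queue_tail(&killed, u);  /* the ordering the fix adds */
        model_kill(u);
        faults += u->faulted;
    }
    return faults;
}

int main(void) {
    printf("unfixed: %d faults, fixed: %d\n", run_suspend(0), run_suspend(1));
    return 0;
}
```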
Colin Ian King (colin-king) wrote : | #1 |
description: | updated |
Changed in linux: | |
assignee: | nobody → colin-king |
importance: | Undecided → Medium |
status: | New → In Progress |
Stefan Bader (smb) wrote : | #2 |
Changed in linux: | |
importance: | Undecided → Medium |
status: | New → Fix Committed |
Stefan Bader (smb) wrote : | #3 |
Changed in linux: | |
importance: | Undecided → Medium |
status: | New → Fix Committed |
Steve Langasek (vorlon) wrote : | #5 |
Accepted into hardy-proposed; please test and give feedback here. Please see https:/
Martin Pitt (pitti) wrote : | #6 |
Accepted linux into intrepid-proposed; please test and give feedback here. Please see https:/
tags: | added: hw-specific |
Launchpad Janitor (janitor) wrote : | #7 |
This bug was fixed in the package linux - 2.6.24-24.53
---------------
linux (2.6.24-24.53) hardy-proposed; urgency=low
[Stefan Bader]
* Rebuild of 2.6.24-24.51 with 2.6.24-23.52 security patches applied.
linux (2.6.24-24.51) hardy-proposed; urgency=low
[Alessio Igor Bogani]
* rt: Updated PREEMPT_RT support to rt27
- LP: #324275
[Steve Beattie]
* fix apparmor memory leak on deleted file ops
- LP: #329489
[Upstream Kernel Changes]
* KVM: MMU: Add locking around kvm_mmu_
- LP: #335097, #333409
* serial: 8250: fix shared interrupts issues with SMP and RT kernels
- LP: #280821
* 8250.c: port.lock is irq-safe
- LP: #280821
* ACPI: Clear WAK_STS on resume
- LP: #251338
linux (2.6.24-24.50) hardy-proposed; urgency=low
[Alok Kataria]
* x86: add X86_FEATURE_
- LP: #319945
* x86: add a synthetic TSC_RELIABLE feature bit
- LP: #319945
* x86: vmware: look for DMI string in the product serial key
- LP: #319945
* x86: Hypervisor detection and get tsc_freq from hypervisor
- LP: #319945
* x86: Use the synthetic TSC_RELIABLE bit to workaround virtualization
anomalies.
- LP: #319945
* x86: Skip verification by the watchdog for TSC clocksource.
- LP: #319945
* x86: Mark TSC synchronized on VMware.
- LP: #319945
[Colin Ian King]
* SAUCE: Bluetooth USB: fix kernel panic during suspend while streaming
audio to bluetooth headset
- LP: #331106
[James Troup]
* XEN: Enable architecture specific get_unmapped_
- LP: #237724
[Stefan Bader]
* Xen: Fix FTBS after Vmware TSC updates.
- LP: #319945
[Upstream Kernel Changes]
* r8169: fix RxMissed register access
- LP: #324760
* r8169: Tx performance tweak helper
- LP: #326891
* r8169: use pci_find_capability for the PCI-E features
- LP: #326891
* r8169: add 8168/8101 registers description
- LP: #326891
* r8169: add hw start helpers for the 8168 and the 8101
- LP: #326891
* r8169: additional 8101 and 8102 support
- LP: #326891
* Fix memory corruption in console selection
- LP: #329007
linux (2.6.24-23.52) hardy-security; urgency=low
[Stefan Bader]
* rt: Fix FTBS caused by shm changes
- CVE-2009-0859
[Steve Beattie]
* fix apparmor memory leak on deleted file ops
- LP: #329489
[Upstream Kernel Changes]
* NFS: Remove the buggy lock-if-signalled case from do_setlk()
- CVE-2008-4307
* sctp: Avoid memory overflow while FWD-TSN chunk is received with bad
stream ID
- CVE-2009-0065
* net: 4 bytes kernel memory disclosure in SO_BSDCOMPAT gsopt try #2
- CVE-2009-0676
* sparc: Fix mremap address range validation.
- CVE-2008-6107
* copy_process: fix CLONE_PARENT && parent_exec_id interaction
- CVE-2009-0028
* security: introduce missing kfree
- CVE-2009-0031
* eCryptfs: check readlink result was not an error before using it
- CVE-2009-0269
* dell_rbu: use scnprintf() instead of less secure sprintf()
- CVE-2009-0322
* drivers/net/skfp: if !capable(
- CVE-2009-0675
* Ext4: Fix online res...
Changed in linux (Ubuntu Hardy): | |
status: | Fix Committed → Fix Released |
Launchpad Janitor (janitor) wrote : | #8 |
This bug was fixed in the package linux - 2.6.27-14.33
---------------
linux (2.6.27-14.33) intrepid-proposed; urgency=low
[Stefan Bader]
* Fix FTBS due to a mysteriously missing ABI directory.
linux (2.6.27-14.32) intrepid-proposed; urgency=low
[Stefan Bader]
* Rebuild of 2.6.27-14.30 with 2.6.27-11.31 security patches applied
linux (2.6.27-14.30) intrepid-proposed; urgency=low
[ Alexey Starikovskiy ]
* SAUCE: ACPI: EC: Limit workaround for ASUS notebooks even more
- LP: #288385
[ Huaxu Wan ]
* SAUCE: report rfkill changes event if interface is down
- LP: #193970
[ Scott James Remnant ]
* SAUCE: floppy: Provide a PnP device table in the module.
- LP: #255651
[ Steve Beattie ]
* fix apparmor memory leak on deleted file ops
- LP: #329489
[ Stefan Bader ]
* Revert "ACPI: Fix compiler warnings introduced by 32 to 64 bit acpi
conversions"
- LP: #337019
* Revert "ACPI: Change acpi_evaluate_
kernels"
- LP: #337019
[ Upstream Kernel Changes ]
* KVM: MMU: Add locking around kvm_mmu_
- LP: #335097, #333409
* ricoh_mmc: Handle newer models of Ricoh controllers
- LP: #311932
linux (2.6.27-13.29) intrepid-proposed; urgency=low
[ Colin Ian King ]
* SAUCE: Bluetooth USB: fix kernel panic during suspend while streaming
audio to bluetooth headset
- LP: #331106, #322082
[ Stefan Bader ]
* Revert "SAUCE: Work around ACPI corruption upon suspend on some Dell
machines." (replaced by stable update)
- LP: #330200
* Revert "SAUCE: Add back in lost commit for Apple BT Wireless Keyboard"
(replaced by stable update)
- LP: #330902
[ Upstream Kernel Changes ]
* Revert "vt: fix background color on line feed"
- LP: #330200
* ti_usb_3410_5052: support alternate firmware
- LP: #231276
* fuse: destroy bdi on umount
- LP: #324921
* fuse: fix missing fput on error
- LP: #324921
* fuse: fix NULL deref in fuse_file_alloc()
- LP: #324921
* inotify: clean up inotify_read and fix locking problems
- LP: #324921
* mac80211: decrement ref count to netdev after launching mesh discovery
- LP: #324921
* sysfs: fix problems with binary files
- LP: #324921
* x86, mm: fix pte_free()
- LP: #324921
* alpha: nautilus - fix compile failure with gcc-4.3
- LP: #324921
* it821x: Add ultra_mask quirk for Vortex86SX
- LP: #324921
* libata: pata_via: support VX855, future chips whose IDE controller use
0x0571
- LP: #324921
* rtl8187: Add termination packet to prevent stall
- LP: #324921
* serial_8250: support for Sealevel Systems Model 7803 COMM+8
- LP: #324921
* SUNRPC: Fix a memory leak in rpcb_getport_async
- LP: #324921
* SUNRPC: Fix autobind on cloned rpc clients
- LP: #324921
* USB: fix char-device disconnect handling
- LP: #324921
* USB: storage: add unusual devs entry
- LP: #324921
* USB: usbmon: Implement compat_ioctl
- LP: #324921
* ALSA: hda - add another MacBook Pro 4, 1 subsystem ID
- LP: #324921
* ALSA: hda - Add quirk for HP DV6700 laptop
- LP: #324921
* ALSA: ...
Changed in linux (Ubuntu Intrepid): | |
status: | Fix Committed → Fix Released |
http://kernel.ubuntu.com/git?p=ubuntu/ubuntu-hardy.git;a=commitdiff;h=00608e6f3fad994f332244e79750bd732ea2c1a1