Suspending while playing music via Bluetooth headset causes kernel panic

Bug #331106 reported by Colin Ian King
This bug affects 2 people
Affects                  Status        Importance  Assigned to      Milestone
linux (Ubuntu)           Fix Released  Medium      Colin Ian King
linux (Ubuntu Hardy)     Fix Released  Medium      Unassigned
linux (Ubuntu Intrepid)  Fix Released  Medium      Unassigned

Bug Description

SRU justification:

Impact: Performing a suspend while streaming audio to a bluetooth headset trips a kernel panic in the bluetooth USB driver very late in the suspend process (after console messages are turned off).
The panic occurs when hci_usb_tx_complete() calls _urb_unlink() on an _urb which has previously been removed from a list. This happens because hci_usb_suspend() dequeues the _urb and then calls usb_kill_urb(), which is the wrong way around.

Fix: Put _urb on the killed list before calling usb_kill_urb() - this ensures that the _urb is on a list and hence won't cause a panic when removed using _urb_unlink().

Testcase: Doing a suspend with audio streaming to a bluetooth headset using Elisa causes a panic. With the patch suspend/resume works correctly.

Playing audio through a Bluetooth headset and then suspending the machine on Hardy, Intrepid and Jaunty causes a kernel panic. I've captured the location of the panic below in hci_usb_tx_complete.

00000750 <hci_usb_tx_complete>:
     750: 83 ec 14 sub $0x14,%esp
     753: 89 5c 24 04 mov %ebx,0x4(%esp)
     757: 89 c3 mov %eax,%ebx
     759: 89 74 24 08 mov %esi,0x8(%esp)
     75d: 89 6c 24 10 mov %ebp,0x10(%esp)
     761: 8d 68 ec lea -0x14(%eax),%ebp
     764: 89 7c 24 0c mov %edi,0xc(%esp)
     768: 8b 78 64 mov 0x64(%eax),%edi
     76b: 8b 07 mov (%edi),%eax
     76d: 8d 77 68 lea 0x68(%edi),%esi
     770: 89 04 24 mov %eax,(%esp)
     773: 8b 45 0c mov 0xc(%ebp),%eax
     776: f0 ff 0c 86 lock decl (%esi,%eax,4)
     77a: c7 43 3c 00 00 00 00 movl $0x0,0x3c(%ebx)
     781: 8b 45 10 mov 0x10(%ebp),%eax
     784: e8 fc ff ff ff call 785 <hci_usb_tx_complete+0x35>
     789: 8b 14 24 mov (%esp),%edx
     78c: 8b 42 18 mov 0x18(%edx),%eax
     78f: a8 04 test $0x4,%al
     791: 0f 84 9d 00 00 00 je 834 <hci_usb_tx_complete+0xe4>
     797: 8b 4b 34 mov 0x34(%ebx),%ecx
     79a: 85 c9 test %ecx,%ecx
     79c: 0f 84 a6 00 00 00 je 848 <hci_usb_tx_complete+0xf8>
     7a2: 8b 04 24 mov (%esp),%eax
     7a5: 83 80 74 02 00 00 01 addl $0x1,0x274(%eax)
     7ac: 89 f0 mov %esi,%eax
     7ae: e8 fc ff ff ff call 7af <hci_usb_tx_complete+0x5f>
     7b3: 8b 45 08 mov 0x8(%ebp),%eax
     7b6: 85 c0 test %eax,%eax
     7b8: 74 33 je 7ed <hci_usb_tx_complete+0x9d>
     7ba: 8d 58 08 lea 0x8(%eax),%ebx
     7bd: 89 d8 mov %ebx,%eax
     7bf: e8 fc ff ff ff call 7c0 <hci_usb_tx_complete+0x70>
     7c4: 8b 55 04 mov 0x4(%ebp),%edx
     7c7: 8b 4d 00 mov 0x0(%ebp),%ecx
     7ca: 89 51 04 mov %edx,0x4(%ecx) <-- panic occurs here

The panic occurs when hci_usb_tx_complete() calls _urb_unlink() on an _urb which has previously been removed from a list - basically _urb->list.prev and _urb->list.next are invalid pointers at this point and this causes a panic on the _urb_unlink().

It seems to me that the bug occurs because hci_usb_suspend() dequeues the _urb and then calls usb_kill_urb() - I believe it should put the _urb on the killed list first before killing the urb.

My testing confirms this fix works fine every time (and I've checked the _urb activity throughout the stack to verify that this is the root cause of the panic).

Attached - the patch
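The ordering problem described in the report, as an added model written for this page (it is not the hci_usb driver's code): a minimal doubly-linked list that poisons an entry's pointers on delete, as the kernel's list_del() does, a dequeue that takes an _urb off its transmit queue, and a synchronous kill that runs the completion handler, which in turn unlinks the _urb. With the original order (dequeue, then kill) the unlink walks poisoned pointers at the same store the disassembly above marks; with the fix's order (dequeue, put on a killed list, then kill) the _urb has valid neighbours when the completion handler removes it. The struct layouts, the poison value, the function names and the assumption that the completion handler still tries to unlink an already-dequeued _urb are this model's, not the driver's.

```c
/* Added model of the hci_usb suspend ordering bug; not the driver's code.
 * Names, layouts and the poison value are this model's own assumptions. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Stand-in for the kernel's LIST_POISON1/2: an address list_del() writes
 * into a deleted entry so that a second delete faults instead of silently
 * corrupting memory. */
#define LIST_POISON ((struct list_head *)(uintptr_t)0xdead0000UL)

struct list_head { struct list_head *next, *prev; };

static void list_init(struct list_head *h) { h->next = h; h->prev = h; }

static void list_add(struct list_head *e, struct list_head *head)
{
    e->next = head->next;
    e->prev = head;
    head->next->prev = e;
    head->next = e;
}

static int list_empty(const struct list_head *h) { return h->next == h; }

/* Returns 0 on success, 1 when the entry was already deleted.  A real kernel
 * has no such check: it stores through the poisoned pointer and oopses. */
static int list_del(struct list_head *e)
{
    if (e->prev == LIST_POISON || e->next == LIST_POISON)
        return 1;
    e->next->prev = e->prev;   /* the store the report marks "panic occurs here" */
    e->prev->next = e->next;
    e->next = LIST_POISON;
    e->prev = LIST_POISON;
    return 0;
}

struct urb_queue { struct list_head head; };
struct _urb { struct list_head list; struct urb_queue *queue; };

/* Model of _urb_unlink(): remove the _urb from the queue it believes it is on. */
static int urb_unlink(struct _urb *u)
{
    int r;
    if (u->queue == NULL)
        return 0;
    r = list_del(&u->list);
    u->queue = NULL;
    return r;
}

/* Model of hci_usb_tx_complete(): a finished URB unlinks itself. */
static int tx_complete(struct _urb *u) { return urb_unlink(u); }

/* Model of usb_kill_urb(): completes the URB synchronously, so the completion
 * handler runs before this returns. */
static int kill_urb(struct _urb *u) { return tx_complete(u); }

/* Model of _urb_dequeue(): takes the first _urb off the queue.  It leaves
 * u->queue set, modelling the report's observation that the completion
 * handler still tries to unlink the dequeued _urb. */
static struct _urb *urb_dequeue(struct urb_queue *q)
{
    struct _urb *u;
    if (list_empty(&q->head))
        return NULL;
    u = (struct _urb *)((char *)q->head.next - offsetof(struct _urb, list));
    list_del(&u->list);
    return u;
}

#define NURBS 3  /* constructed sample: three in-flight transmit URBs */

static void fill_queue(struct urb_queue *q, struct _urb *urbs)
{
    list_init(&q->head);
    for (int i = 0; i < NURBS; i++) {
        urbs[i].queue = q;
        list_add(&urbs[i].list, &q->head);
    }
}

/* Original order: dequeue, then kill.  Returns 1 as soon as a completion
 * handler would have unlinked through poisoned pointers. */
int suspend_buggy(void)
{
    struct urb_queue q;
    struct _urb urbs[NURBS], *u;
    fill_queue(&q, urbs);
    while ((u = urb_dequeue(&q)) != NULL)
        if (kill_urb(u))
            return 1;
    return 0;
}

/* Fixed order: put the _urb on a killed list before killing it, so the
 * unlink in the completion handler has a valid list to remove it from.
 * Returns 0 when every URB was killed and unlinked cleanly. */
int suspend_fixed(void)
{
    struct urb_queue q, killed;
    struct _urb urbs[NURBS], *u;
    fill_queue(&q, urbs);
    list_init(&killed.head);
    while ((u = urb_dequeue(&q)) != NULL) {
        list_add(&u->list, &killed.head);
        u->queue = &killed;
        if (kill_urb(u))
            return 1;
    }
    return list_empty(&killed.head) ? 0 : 2;
}

int main(void)
{
    printf("dequeue, then kill:                  %s\n",
           suspend_buggy() ? "unlink of poisoned _urb (panic)" : "ok");
    printf("dequeue, relink on killed list, kill: %s\n",
           suspend_fixed() ? "failed" : "ok");
    return 0;
}
```

The model makes the invariant behind the fix explicit: anything that may still be unlinked by a completion handler must be on some list until that handler has run, so the ownership hand-off (queue to killed list) has to happen before, not after, the synchronous kill.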

Colin Ian King (colin-king) wrote :

Stefan Bader (smb)
description: updated
Changed in linux:
assignee: nobody → colin-king
importance: Undecided → Medium
status: New → In Progress

Stefan Bader (smb) wrote :
Changed in linux:
importance: Undecided → Medium
status: New → Fix Committed

Stefan Bader (smb) wrote :
Changed in linux:
importance: Undecided → Medium
status: New → Fix Committed

Stefan Bader (smb) wrote :
Changed in linux:
status: In Progress → Fix Released

Steve Langasek (vorlon) wrote :

Accepted into hardy-proposed; please test and give feedback here. Please see https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you in advance!

Martin Pitt (pitti) wrote :

Accepted linux into intrepid-proposed; please test and give feedback here. Please see https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you in advance!

Steve Beattie (sbeattie)
tags: added: hw-specific
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux - 2.6.24-24.53

---------------
linux (2.6.24-24.53) hardy-proposed; urgency=low

  [Stefan Bader]

  * Rebuild of 2.6.24-24.51 with 2.6.24-23.52 security patches applied.

linux (2.6.24-24.51) hardy-proposed; urgency=low

  [Alessio Igor Bogani]

  * rt: Updated PREEMPT_RT support to rt27
    - LP: #324275

  [Steve Beattie]

  * fix apparmor memory leak on deleted file ops
    - LP: #329489

  [Upstream Kernel Changes]

  * KVM: MMU: Add locking around kvm_mmu_slot_remove_write_access()
    - LP: #335097, #333409
  * serial: 8250: fix shared interrupts issues with SMP and RT kernels
    - LP: #280821
  * 8250.c: port.lock is irq-safe
    - LP: #280821
  * ACPI: Clear WAK_STS on resume
    - LP: #251338

linux (2.6.24-24.50) hardy-proposed; urgency=low

  [Alok Kataria]

  * x86: add X86_FEATURE_HYPERVISOR feature bit
    - LP: #319945
  * x86: add a synthetic TSC_RELIABLE feature bit
    - LP: #319945
  * x86: vmware: look for DMI string in the product serial key
    - LP: #319945
  * x86: Hypervisor detection and get tsc_freq from hypervisor
    - LP: #319945
  * x86: Use the synthetic TSC_RELIABLE bit to workaround virtualization
    anomalies.
    - LP: #319945
  * x86: Skip verification by the watchdog for TSC clocksource.
    - LP: #319945
  * x86: Mark TSC synchronized on VMware.
    - LP: #319945

  [Colin Ian King]

  * SAUCE: Bluetooth USB: fix kernel panic during suspend while streaming
    audio to bluetooth headset
    - LP: #331106

  [James Troup]

  * XEN: Enable architecture specific get_unmapped_area_topdown
    - LP: #237724

  [Stefan Bader]

  * Xen: Fix FTBS after Vmware TSC updates.
    - LP: #319945

  [Upstream Kernel Changes]

  * r8169: fix RxMissed register access
    - LP: #324760
  * r8169: Tx performance tweak helper
    - LP: #326891
  * r8169: use pci_find_capability for the PCI-E features
    - LP: #326891
  * r8169: add 8168/8101 registers description
    - LP: #326891
  * r8169: add hw start helpers for the 8168 and the 8101
    - LP: #326891
  * r8169: additional 8101 and 8102 support
    - LP: #326891
  * Fix memory corruption in console selection
    - LP: #329007

linux (2.6.24-23.52) hardy-security; urgency=low

  [Stefan Bader]

  * rt: Fix FTBS caused by shm changes
    - CVE-2009-0859

  [Steve Beattie]

  * fix apparmor memory leak on deleted file ops
    - LP: #329489

  [Upstream Kernel Changes]

  * NFS: Remove the buggy lock-if-signalled case from do_setlk()
    - CVE-2008-4307
  * sctp: Avoid memory overflow while FWD-TSN chunk is received with bad
    stream ID
    - CVE-2009-0065
  * net: 4 bytes kernel memory disclosure in SO_BSDCOMPAT gsopt try #2
    - CVE-2009-0676
  * sparc: Fix mremap address range validation.
    - CVE-2008-6107
  * copy_process: fix CLONE_PARENT && parent_exec_id interaction
    - CVE-2009-0028
  * security: introduce missing kfree
    - CVE-2009-0031
  * eCryptfs: check readlink result was not an error before using it
    - CVE-2009-0269
  * dell_rbu: use scnprintf() instead of less secure sprintf()
    - CVE-2009-0322
  * drivers/net/skfp: if !capable(CAP_NET_ADMIN): inverted logic
    - CVE-2009-0675
  * Ext4: Fix online res...


Changed in linux (Ubuntu Hardy):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux - 2.6.27-14.33

---------------
linux (2.6.27-14.33) intrepid-proposed; urgency=low

  [Stefan Bader]

  * Fix FTBS due to a mysteriously missing ABI directory.

linux (2.6.27-14.32) intrepid-proposed; urgency=low

  [Stefan Bader]

  * Rebuild of 2.6.27-14.30 with 2.6.27-11.31 security patches applied

linux (2.6.27-14.30) intrepid-proposed; urgency=low

  [ Alexey Starikovskiy ]

  * SAUCE: ACPI: EC: Limit workaround for ASUS notebooks even more
    - LP: #288385

  [ Huaxu Wan ]

  * SAUCE: report rfkill changes event if interface is down
    - LP: #193970

  [ Scott James Remnant ]

  * SAUCE: floppy: Provide a PnP device table in the module.
    - LP: #255651

  [ Steve Beattie ]

  * fix apparmor memory leak on deleted file ops
    - LP: #329489

  [ Stefan Bader ]

  * Revert "ACPI: Fix compiler warnings introduced by 32 to 64 bit acpi
    conversions"
    - LP: #337019
  * Revert "ACPI: Change acpi_evaluate_integer to support 64-bit on 32-bit
    kernels"
    - LP: #337019

  [ Upstream Kernel Changes ]

  * KVM: MMU: Add locking around kvm_mmu_slot_remove_write_access()
    - LP: #335097, #333409
  * ricoh_mmc: Handle newer models of Ricoh controllers
    - LP: #311932

linux (2.6.27-13.29) intrepid-proposed; urgency=low

  [ Colin Ian King ]

  * SAUCE: Bluetooth USB: fix kernel panic during suspend while streaming
    audio to bluetooth headset
    - LP: #331106, #322082

  [ Stefan Bader ]

  * Revert "SAUCE: Work around ACPI corruption upon suspend on some Dell
    machines." (replaced by stable update)
    - LP: #330200
  * Revert "SAUCE: Add back in lost commit for Apple BT Wireless Keyboard"
    (replaced by stable update)
    - LP: #330902

  [ Upstream Kernel Changes ]

  * Revert "vt: fix background color on line feed"
    - LP: #330200
  * ti_usb_3410_5052: support alternate firmware
    - LP: #231276
  * fuse: destroy bdi on umount
    - LP: #324921
  * fuse: fix missing fput on error
    - LP: #324921
  * fuse: fix NULL deref in fuse_file_alloc()
    - LP: #324921
  * inotify: clean up inotify_read and fix locking problems
    - LP: #324921
  * mac80211: decrement ref count to netdev after launching mesh discovery
    - LP: #324921
  * sysfs: fix problems with binary files
    - LP: #324921
  * x86, mm: fix pte_free()
    - LP: #324921
  * alpha: nautilus - fix compile failure with gcc-4.3
    - LP: #324921
  * it821x: Add ultra_mask quirk for Vortex86SX
    - LP: #324921
  * libata: pata_via: support VX855, future chips whose IDE controller use
    0x0571
    - LP: #324921
  * rtl8187: Add termination packet to prevent stall
    - LP: #324921
  * serial_8250: support for Sealevel Systems Model 7803 COMM+8
    - LP: #324921
  * SUNRPC: Fix a memory leak in rpcb_getport_async
    - LP: #324921
  * SUNRPC: Fix autobind on cloned rpc clients
    - LP: #324921
  * USB: fix char-device disconnect handling
    - LP: #324921
  * USB: storage: add unusual devs entry
    - LP: #324921
  * USB: usbmon: Implement compat_ioctl
    - LP: #324921
  * ALSA: hda - add another MacBook Pro 4, 1 subsystem ID
    - LP: #324921
  * ALSA: hda - Add quirk for HP DV6700 laptop
    - LP: #324921
  * ALSA: ...

Changed in linux (Ubuntu Intrepid):
status: Fix Committed → Fix Released