Suspending while playing music via BlueTooth headset causes kernel panic

Bug #331106 reported by Colin Ian King on 2009-02-18
This bug affects 2 people
Affects          Status  Importance  Assigned to      Milestone
linux (Ubuntu)           Medium      Colin Ian King
Hardy                    Medium      Unassigned
Intrepid                 Medium      Unassigned

Bug Description

SRU justification:

Impact: Performing a suspend while streaming audio to a bluetooth headset trips a kernel panic in the bluetooth USB driver very late in the suspend process (after console messages are turned off).
The panic occurs when hci_usb_tx_complete() calls _urb_unlink() on an _urb which has previously been removed from a list. This happens because hci_usb_suspend() dequeues the _urb and then calls usb_kill_urb(), which is the wrong way around.

Fix: Put _urb on the killed list before calling usb_kill_urb() - this ensures that the _urb is on a list and hence won't cause a panic when removed using _urb_unlink().

Testcase: Doing a suspend with audio streaming to a bluetooth headset using Elisa causes a panic. With the patch suspend/resume works correctly.

Playing audio through a Bluetooth headset and then suspending the machine on Hardy, Intrepid and Jaunty causes a kernel panic. I've captured the location of the panic below in hci_usb_tx_complete.

00000750 <hci_usb_tx_complete>:
     750: 83 ec 14 sub $0x14,%esp
     753: 89 5c 24 04 mov %ebx,0x4(%esp)
     757: 89 c3 mov %eax,%ebx
     759: 89 74 24 08 mov %esi,0x8(%esp)
     75d: 89 6c 24 10 mov %ebp,0x10(%esp)
     761: 8d 68 ec lea -0x14(%eax),%ebp
     764: 89 7c 24 0c mov %edi,0xc(%esp)
     768: 8b 78 64 mov 0x64(%eax),%edi
     76b: 8b 07 mov (%edi),%eax
     76d: 8d 77 68 lea 0x68(%edi),%esi
     770: 89 04 24 mov %eax,(%esp)
     773: 8b 45 0c mov 0xc(%ebp),%eax
     776: f0 ff 0c 86 lock decl (%esi,%eax,4)
     77a: c7 43 3c 00 00 00 00 movl $0x0,0x3c(%ebx)
     781: 8b 45 10 mov 0x10(%ebp),%eax
     784: e8 fc ff ff ff call 785 <hci_usb_tx_complete+0x35>
     789: 8b 14 24 mov (%esp),%edx
     78c: 8b 42 18 mov 0x18(%edx),%eax
     78f: a8 04 test $0x4,%al
     791: 0f 84 9d 00 00 00 je 834 <hci_usb_tx_complete+0xe4>
     797: 8b 4b 34 mov 0x34(%ebx),%ecx
     79a: 85 c9 test %ecx,%ecx
     79c: 0f 84 a6 00 00 00 je 848 <hci_usb_tx_complete+0xf8>
     7a2: 8b 04 24 mov (%esp),%eax
     7a5: 83 80 74 02 00 00 01 addl $0x1,0x274(%eax)
     7ac: 89 f0 mov %esi,%eax
     7ae: e8 fc ff ff ff call 7af <hci_usb_tx_complete+0x5f>
     7b3: 8b 45 08 mov 0x8(%ebp),%eax
     7b6: 85 c0 test %eax,%eax
     7b8: 74 33 je 7ed <hci_usb_tx_complete+0x9d>
     7ba: 8d 58 08 lea 0x8(%eax),%ebx
     7bd: 89 d8 mov %ebx,%eax
     7bf: e8 fc ff ff ff call 7c0 <hci_usb_tx_complete+0x70>
     7c4: 8b 55 04 mov 0x4(%ebp),%edx
     7c7: 8b 4d 00 mov 0x0(%ebp),%ecx
     7ca: 89 51 04 mov %edx,0x4(%ecx) <-- panic occurs here

The panic occurs when hci_usb_tx_complete() calls _urb_unlink() on an _urb which has previously been removed from a list - basically _urb->list.prev and _urb->list.next are invalid pointers at this point and this causes a panic on the _urb_unlink().

It seems to me that the bug occurs because hci_usb_suspend() dequeues the _urb and then calls usb_kill_urb() - I believe it should put the _urb on the killed list first before killing the urb.

My testing confirms this fix works fine every time (and I've checked the _urb activity throughout the stack to verify that this is the root cause of the panic).

Attached - the patch
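A user-space model of the ordering problem described above, added here as an illustration; it is not the driver's code or the attached patch. It assumes a minimal intrusive list that poisons a node's pointers after unlink (as the kernel's list_del does), a completion handler that always unlinks, and a kill routine that runs the completion synchronously, then contrasts the dequeue-then-kill order with the move-to-killed-list-then-kill order.

```c
/* Constructed model of the _urb ordering bug (not the hci_usb driver code).
 * A node that has already been unlinked carries poisoned next/prev pointers;
 * unlinking it again would dereference them, which in the kernel is the
 * write that faults in hci_usb_tx_complete(). Here list_del() reports the
 * hazard instead of crashing so the two orderings can be compared. */
#include <stdbool.h>
#include <stddef.h>

struct lnode { struct lnode *next, *prev; };
#define POISON1 ((struct lnode *)0x00100100)   /* mirrors LIST_POISON1 */
#define POISON2 ((struct lnode *)0x00200200)   /* mirrors LIST_POISON2 */

static void list_init(struct lnode *h) { h->next = h->prev = h; }
static void list_add(struct lnode *n, struct lnode *h) {
    n->next = h->next; n->prev = h; h->next->prev = n; h->next = n;
}
/* Returns false instead of dereferencing poison (the kernel would panic). */
static bool list_del(struct lnode *n) {
    if (n->next == POISON1 || n->prev == POISON2) return false;
    n->next->prev = n->prev; n->prev->next = n->next;
    n->next = POISON1; n->prev = POISON2;
    return true;
}

struct model_urb { struct lnode list; bool unlink_ok; };

/* Stand-in for hci_usb_tx_complete(): it unlinks the _urb unconditionally. */
static void tx_complete(struct model_urb *u) { u->unlink_ok = list_del(&u->list); }
/* Stand-in for usb_kill_urb(): the completion runs before it returns. */
static void kill_urb(struct model_urb *u) { tx_complete(u); }

/* Buggy order: dequeue, kill, then park on the killed list.
 * Returns whether the completion's unlink was safe (false here). */
bool suspend_buggy(void) {
    struct lnode pending, killed; struct model_urb u = {0};
    list_init(&pending); list_init(&killed); list_add(&u.list, &pending);
    list_del(&u.list);            /* node is now poisoned            */
    kill_urb(&u);                 /* completion unlinks poisoned node */
    list_add(&u.list, &killed);   /* too late to help                 */
    return u.unlink_ok;
}

/* Fixed order: move onto the killed list first, then kill (true here). */
bool suspend_fixed(void) {
    struct lnode pending, killed; struct model_urb u = {0};
    list_init(&pending); list_init(&killed); list_add(&u.list, &pending);
    list_del(&u.list); list_add(&u.list, &killed);   /* i.e. list_move */
    kill_urb(&u);                 /* unlink from killed list is clean  */
    return u.unlink_ok;
}
```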

Colin Ian King (colin-king) wrote :
Stefan Bader (smb) on 2009-02-18
description: updated
Changed in linux:
assignee: nobody → colin-king
importance: Undecided → Medium
status: New → In Progress
Stefan Bader (smb) wrote :
Changed in linux:
importance: Undecided → Medium
status: New → Fix Committed
Stefan Bader (smb) wrote :
Changed in linux:
importance: Undecided → Medium
status: New → Fix Committed
Stefan Bader (smb) wrote :
Changed in linux:
status: In Progress → Fix Released
Steve Langasek (vorlon) wrote :

Accepted into hardy-proposed; please test and give feedback here. Please see https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you in advance!

Martin Pitt (pitti) wrote :

Accepted linux into intrepid-proposed; please test and give feedback here. Please see https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you in advance!

Steve Beattie (sbeattie) on 2009-05-01
tags: added: hw-specific
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux - 2.6.24-24.53

---------------
linux (2.6.24-24.53) hardy-proposed; urgency=low

  [Stefan Bader]

  * Rebuild of 2.6.24-24.51 with 2.6.24-23.52 security patches applied.

linux (2.6.24-24.51) hardy-proposed; urgency=low

  [Alessio Igor Bogani]

  * rt: Updated PREEMPT_RT support to rt27
    - LP: #324275

  [Steve Beattie]

  * fix apparmor memory leak on deleted file ops
    - LP: #329489

  [Upstream Kernel Changes]

  * KVM: MMU: Add locking around kvm_mmu_slot_remove_write_access()
    - LP: #335097, #333409
  * serial: 8250: fix shared interrupts issues with SMP and RT kernels
    - LP: #280821
  * 8250.c: port.lock is irq-safe
    - LP: #280821
  * ACPI: Clear WAK_STS on resume
    - LP: #251338

linux (2.6.24-24.50) hardy-proposed; urgency=low

  [Alok Kataria]

  * x86: add X86_FEATURE_HYPERVISOR feature bit
    - LP: #319945
  * x86: add a synthetic TSC_RELIABLE feature bit
    - LP: #319945
  * x86: vmware: look for DMI string in the product serial key
    - LP: #319945
  * x86: Hypervisor detection and get tsc_freq from hypervisor
    - LP: #319945
  * x86: Use the synthetic TSC_RELIABLE bit to workaround virtualization
    anomalies.
    - LP: #319945
  * x86: Skip verification by the watchdog for TSC clocksource.
    - LP: #319945
  * x86: Mark TSC synchronized on VMware.
    - LP: #319945

  [Colin Ian King]

  * SAUCE: Bluetooth USB: fix kernel panic during suspend while streaming
    audio to bluetooth headset
    - LP: #331106

  [James Troup]

  * XEN: Enable architecture specific get_unmapped_area_topdown
    - LP: #237724

  [Stefan Bader]

  * Xen: Fix FTBS after Vmware TSC updates.
    - LP: #319945

  [Upstream Kernel Changes]

  * r8169: fix RxMissed register access
    - LP: #324760
  * r8169: Tx performance tweak helper
    - LP: #326891
  * r8169: use pci_find_capability for the PCI-E features
    - LP: #326891
  * r8169: add 8168/8101 registers description
    - LP: #326891
  * r8169: add hw start helpers for the 8168 and the 8101
    - LP: #326891
  * r8169: additional 8101 and 8102 support
    - LP: #326891
  * Fix memory corruption in console selection
    - LP: #329007

linux (2.6.24-23.52) hardy-security; urgency=low

  [Stefan Bader]
  * rt: Fix FTBS caused by shm changes
    - CVE-2009-0859

  [Steve Beattie]

  * fix apparmor memory leak on deleted file ops
    - LP: #329489

  [Upstream Kernel Changes]

  * NFS: Remove the buggy lock-if-signalled case from do_setlk()
    - CVE-2008-4307
  * sctp: Avoid memory overflow while FWD-TSN chunk is received with bad
    stream ID
    - CVE-2009-0065
  * net: 4 bytes kernel memory disclosure in SO_BSDCOMPAT gsopt try #2
    - CVE-2009-0676
  * sparc: Fix mremap address range validation.
    - CVE-2008-6107
  * copy_process: fix CLONE_PARENT && parent_exec_id interaction
    - CVE-2009-0028
  * security: introduce missing kfree
    - CVE-2009-0031
  * eCryptfs: check readlink result was not an error before using it
    - CVE-2009-0269
  * dell_rbu: use scnprintf() instead of less secure sprintf()
    - CVE-2009-0322
  * drivers/net/skfp: if !capable(CAP_NET_ADMIN): inverted logic
    - CVE-2009-0675
  * Ext4: Fix online res...

Changed in linux (Ubuntu Hardy):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux - 2.6.27-14.33

---------------
linux (2.6.27-14.33) intrepid-proposed; urgency=low

  [Stefan Bader]

  * Fix FTBS due to a mysteriously missing ABI directory.

linux (2.6.27-14.32) intrepid-proposed; urgency=low

  [Stefan Bader]

  * Rebuild of 2.6.27-14.30 with 2.6.27-11.31 security patches applied

linux (2.6.27-14.30) intrepid-proposed; urgency=low

  [ Alexey Starikovskiy ]

  * SAUCE: ACPI: EC: Limit workaround for ASUS notebooks even more
    - LP: #288385

  [ Huaxu Wan ]

  * SAUCE: report rfkill changes event if interface is down
    - LP: #193970

  [ Scott James Remnant ]

  * SAUCE: floppy: Provide a PnP device table in the module.
    - LP: #255651

  [ Steve Beattie ]

  * fix apparmor memory leak on deleted file ops
    - LP: #329489

  [ Stefan Bader ]

  * Revert "ACPI: Fix compiler warnings introduced by 32 to 64 bit acpi
    conversions"
    - LP: #337019
  * Revert "ACPI: Change acpi_evaluate_integer to support 64-bit on 32-bit
    kernels"
    - LP: #337019

  [ Upstream Kernel Changes ]

  * KVM: MMU: Add locking around kvm_mmu_slot_remove_write_access()
    - LP: #335097, #333409
  * ricoh_mmc: Handle newer models of Ricoh controllers
    - LP: #311932

linux (2.6.27-13.29) intrepid-proposed; urgency=low

  [ Colin Ian King ]

  * SAUCE: Bluetooth USB: fix kernel panic during suspend while streaming
    audio to bluetooth headset
    - LP: #331106, #322082

  [ Stefan Bader ]

  * Revert "SAUCE: Work around ACPI corruption upon suspend on some Dell
    machines." (replaced by stable update)
    - LP: #330200
  * Revert "SAUCE: Add back in lost commit for Apple BT Wireless Keyboard"
    (replaced by stable update)
    - LP: #330902

  [ Upstream Kernel Changes ]

  * Revert "vt: fix background color on line feed"
    - LP: #330200
  * ti_usb_3410_5052: support alternate firmware
    - LP: #231276
  * fuse: destroy bdi on umount
    - LP: #324921
  * fuse: fix missing fput on error
    - LP: #324921
  * fuse: fix NULL deref in fuse_file_alloc()
    - LP: #324921
  * inotify: clean up inotify_read and fix locking problems
    - LP: #324921
  * mac80211: decrement ref count to netdev after launching mesh discovery
    - LP: #324921
  * sysfs: fix problems with binary files
    - LP: #324921
  * x86, mm: fix pte_free()
    - LP: #324921
  * alpha: nautilus - fix compile failure with gcc-4.3
    - LP: #324921
  * it821x: Add ultra_mask quirk for Vortex86SX
    - LP: #324921
  * libata: pata_via: support VX855, future chips whose IDE controller use
    0x0571
    - LP: #324921
  * rtl8187: Add termination packet to prevent stall
    - LP: #324921
  * serial_8250: support for Sealevel Systems Model 7803 COMM+8
    - LP: #324921
  * SUNRPC: Fix a memory leak in rpcb_getport_async
    - LP: #324921
  * SUNRPC: Fix autobind on cloned rpc clients
    - LP: #324921
  * USB: fix char-device disconnect handling
    - LP: #324921
  * USB: storage: add unusual devs entry
    - LP: #324921
  * USB: usbmon: Implement compat_ioctl
    - LP: #324921
  * ALSA: hda - add another MacBook Pro 4, 1 subsystem ID
    - LP: #324921
  * ALSA: hda - Add quirk for HP DV6700 laptop
    - LP: #324921
  * ALSA: ...

Changed in linux (Ubuntu Intrepid):
status: Fix Committed → Fix Released