Bug 435136 - =sys-kernel/gentoo-sources-3.4.9 - 'rfkill block bluetooth' crashes kernel with "general protection fault" + ALSA
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: [OLD] Core system
Hardware: AMD64 Linux
Importance: Normal normal
Assignee: Gentoo Kernel Bug Wranglers and Kernel Maintainers
URL: https://bugzilla.redhat.com/show_bug....
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2012-09-15 17:04 UTC by sphakka
Modified: 2013-05-09 13:12 UTC
0 users

See Also:
Package list:
Runtime testing required: ---


Attachments
Kernel crash trace (rfkill.bug.ktrace,9.70 KB, text/plain)
2012-09-15 17:08 UTC, sphakka
Kernel-2.6.11 (gentoo sources) bug trace (kernel-2.6.11.rfkill-bug.trace,9.60 KB, text/plain)
2013-01-20 21:12 UTC, sphakka

Description sphakka 2012-09-15 17:04:38 UTC
Following advice on troubleshooting my BT headset here:

  <http://wiki.gentoo.org/wiki/Bluetooth_Headset>

I call

  $ rfkill block bluetooth

and see my system crashing with a "general protection fault". That has already been reported elsewhere, see f.i. <https://bugzilla.redhat.com/show_bug.cgi?id=839401>.

The crash happened at my second attempt to block the device, possibly with an established audio sink connection (KDE Bluedevil).

I'd like to retry but after a reboot my BT device disappeared -- now I understand what 'rfkill' really means ;-)

Details follow.

Reproducible: Sometimes

Steps to Reproduce:
1. Connect to a BT headset via Audio Sink (KDE bluedevil) -- connection establishes
2. call 'rfkill block bluetooth', possibly a couple of times
3. kernel crashes -- rebooted via Magic SysReq 'REISUB' sequence
Actual Results:  
Kernel crash 

Expected Results:  
BT device blocked

Portage 2.1.11.9 (default/linux/amd64/10.0/desktop/kde, gcc-4.5.4, glibc-2.15-r2, 3.4.9-gentoo x86_64)
=================================================================
System uname: Linux-3.4.9-gentoo-x86_64-AMD_Turion-tm-_64_X2-with-gentoo-2.1
Timestamp of tree: Wed, 12 Sep 2012 16:45:01 +0000
app-shells/bash:          4.2_p37
dev-java/java-config:     2.1.11-r3
dev-lang/python:          2.7.3-r2, 3.2.3
dev-util/cmake:           2.8.8-r3
dev-util/pkgconfig:       0.27.1
sys-apps/baselayout:      2.1-r1
sys-apps/openrc:          0.10.5
sys-apps/sandbox:         2.5
sys-devel/autoconf:       2.13::<unknown repository>, 2.68
sys-devel/automake:       1.9.6-r3, 1.10.3, 1.11.6
sys-devel/binutils:       2.22-r1
sys-devel/gcc:            4.5.4
sys-devel/gcc-config:     1.7.3
sys-devel/libtool:        2.4-r1
sys-devel/make:           3.82-r3
sys-kernel/linux-headers: 3.4-r2 (virtual/os-headers)
sys-libs/glibc:           2.15-r2
Repositories: gentoo enlightenment xmw g-ctan x-unsupported x-portage-aeskulap
ACCEPT_KEYWORDS="amd64"
ACCEPT_LICENSE="* -@EULA"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-march=native -O2 -pipe -fomit-frame-pointer"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/lib64/fax /usr/share/config /usr/share/gnupg/qualified.txt /usr/share/themes/oxygen-gtk/gtk-2.0 /var/spool/fax/etc"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/env.d/java/ /etc/fonts/fonts.conf /etc/gconf /etc/gentoo-release /etc/php/apache2-php5.3/ext-active/ /etc/php/apache2-php5.4/ext-active/ /etc/php/cgi-php5.3/ext-active/ /etc/php/cgi-php5.4/ext-active/ /etc/php/cli-php5.3/ext-active/ /etc/php/cli-php5.4/ext-active/ /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo /etc/texmf/language.dat.d /etc/texmf/language.def.d /etc/texmf/updmap.d /etc/texmf/web2c"
CXXFLAGS="-march=native -O2 -pipe -fomit-frame-pointer"
DISTDIR="/usr/portage/distfiles"
FCFLAGS="-O2 -pipe"
FEATURES="assume-digests binpkg-logs config-protect-if-modified distlocks ebuild-locks fixlafiles news parallel-fetch parse-eapi-ebuild-head protect-owned sandbox sfperms strict unknown-features-warn unmerge-logs unmerge-orphans userfetch"
FFLAGS="-O2 -pipe"
GENTOO_MIRRORS="http://mirror.switch.ch/ftp/mirror/gentoo/ ftp://mirror.switch.ch/mirror/gentoo/"
LANG="en_US.UTF-8"
LDFLAGS="-Wl,-O1 -Wl,--as-needed"
LINGUAS=""
MAKEOPTS="-j3"
PKGDIR="/usr/portage/packages"
PORTAGE_CONFIGROOT="/"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --stats --human-readable --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/var/lib/layman/enlightenment /var/lib/layman/xmw /var/portage/overlay/g-ctan /var/portage/overlay/unsupported /var/portage/overlay/portage-aeskulap"
SYNC="rsync://rsync.europe.gentoo.org/gentoo-portage"
USE="3dnow 3dnowext X a52 aac acpi alsa amd64 amr apng bash-completion berkdb bittorrent bluetooth branding bzip2 cairo calendar cdda cddb cdr cli consolekit cracklib crypt cups curl cvs cxx dbus declarative directfb djvu dts dvd dvdr ebook emacs embedded emboss enchant encode exif fam fbcon ffmpeg firefox flac fortran gdbm gif git gnutls gpm h323 http hunspell iconv ipv6 jabber jack jpeg kde kipi kontact kpathsea ladspa lame laptop latex lcms ldap libnotify libsamplerate lxde mad mmx mng modules mp3 mp4 mpeg mplayer mudflap multilib musepack mysql ncurses nls nptl nsplugin ntfs ntfsprogs ofx ogg opengl openmp openvg pam pango pcre pdf png policykit ppds pppd qt3support qt4 quicktime readline rtmp samba sdl seamonkey session spell sql sqlite sse sse2 ssh ssl startup-notification svg tcpd tiff tordns truetype udev udisks unicode upower usb v4l v4l2 video vlc vorbis wifi wxwidgets x264 xcb xetex xinerama xml xscreensaver xv xvid zlib" ALSA_CARDS="hda-intel usb-audio" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mmap_emul mulaw multi null plug rate route share shm softvol" APACHE2_MODULES="actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache cgi cgid dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias" CALLIGRA_FEATURES="kexi words flow plan sheets stage tables krita karbon braindump" CAMERAS="ptp2" COLLECTD_PLUGINS="df interface irq load memory rrdtool swap syslog" DRACUT_MODULES="crypt lvm" ELIBC="glibc" GPSD_PROTOCOLS="ashtech aivdm earthmate evermore fv18 garmin garmintxt gpsclock itrax mtk3301 nmea ntrip navcom oceanserver oldstyle oncore rtcm104v2 rtcm104v3 sirf superstar2 timing tsip 
tripmate tnt ubx" GRUB_PLATFORMS="pc" INPUT_DEVICES="keyboard mouse synaptics evdev" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LIBREOFFICE_EXTENSIONS="presenter-console presenter-minimizer" PHP_TARGETS="php5-3" PYTHON_TARGETS="python3_2 python2_7" RUBY_TARGETS="ruby18 ruby19" SANE_BACKENDS="epson2" USERLAND="GNU" VIDEO_CARDS="nouveau fbdev vga vesa" XTABLES_ADDONS="quota2 psd pknock lscan length2 ipv4options ipset ipp2p iface geoip fuzzy condition tee tarpit sysrq steal rawnat logmark ipmark dhcpmac delude chaos account"
Unset:  CPPFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LC_ALL, PORTAGE_BUNZIP2_COMMAND, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS, USE_PYTHON
Comment 1 sphakka 2012-09-15 17:08:19 UTC
Created attachment 323912 [details]
Kernel crash trace
Comment 2 Chí-Thanh Christopher Nguyễn gentoo-dev 2012-09-15 17:24:04 UTC
Does it happen on newer kernels (3.5 / 3.6_rc) too?
Comment 3 sphakka 2012-09-15 17:29:31 UTC
I managed to reproduce the bug.

Firstly, note that after the crash:
- a Magic SysRq REISUB wasn't enough to reboot since the keyboard started playing tricks -- for the curious ones, the 'm' key was non functional...
So I had to turn my laptop off and on again.
- my BT device got permanently blocked: I had to call
  $ rfkill unblock bluetooth
that looks weird...

Steps to reproduce:

0. make sure the BT device is unblocked (call rfkill unblock if needed);
1. connect to the BT device, f.i. to its 'audio sink' service;
2. call "$ rfkill block bluetooth".
Comment 4 sphakka 2012-09-15 17:34:52 UTC
According to RedHat's bug this also happens on kernel 3.5.0, but I can't confirm with gentoo-sources. I've only one box and prefer to stay stable as much as possible; will try newer kernels as soon as they get stable.
Comment 5 Tom Wijsman (TomWij) (RETIRED) gentoo-dev 2013-01-20 17:51:13 UTC
> I managed to reproduce the bug.

Which kernel version did you reproduce this on?

Does this still happen on a stable gentoo-sources-3.6.11 kernel and a development git-sources-3.8_rc3?
Comment 6 sphakka 2013-01-20 21:11:34 UTC
Thanks for reminding me. I tried with gentoo-sources-2.6.11 and the bug is still there: the system doesn't crash immediately, though it's unstable and SysRq is still needed to reboot :-(
Comment 7 sphakka 2013-01-20 21:12:26 UTC
Created attachment 336274 [details]
Kernel-2.6.11 (gentoo sources) bug trace
Comment 8 Tom Wijsman (TomWij) (RETIRED) gentoo-dev 2013-01-23 17:29:32 UTC
The other bug you linked is unrelated since it crashes in a different process with a different stack trace.

However, the most recent relevant comment I found that seems relevant is:

> commit 49dfbb9129c4edb318578de35cc45c555df37884
> Author: Jaganath Kanakkassery <jaganath.k@samsung.com>
> Date:   Thu Jul 19 12:54:04 2012 +0530
> 
>     Bluetooth: Fix socket not getting freed if l2cap channel create fails
>     
>     If l2cap_chan_create() fails then it will return from l2cap_sock_kill
>     since zapped flag of sk is reset.
>     
>     Signed-off-by: Jaganath Kanakkassery <jaganath.k@samsung.com>
>     Signed-off-by: Gustavo Padovan <gustavo.padovan@collabora.co.uk>

The sad story, however, is that this patch was introduced in 3.6-rc2; which means that this patch is present in 3.6.11 so it's not the solution. Upon closer inspection this patch was in l2cap_sock_alloc and not in l2cap_conn_del (second function on the stack trace).

This patch is however a good reference point, we know that it was bad at this time. So, let's see if they changed something to the function it crashed in; we can easily reveal this with `git diff 49dfbb9129c4edb318578de35cc45c555df37884..HEAD -- l2cap_sock.c`

>@@ -823,7 +845,7 @@ static void l2cap_sock_kill(struct sock *sk)
> 
>        /* Kill poor orphan */
> 
>-       l2cap_chan_destroy(l2cap_pi(sk)->chan);
>+       l2cap_chan_put(l2cap_pi(sk)->chan);
>        sock_set_flag(sk, SOCK_DEAD);
>        sock_put(sk);
> }
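
Review bot: at the changed call, l2cap_pi(sk)->chan keeps pointing at the channel after l2cap_chan_put() has dropped the socket's reference, so between that line and sock_put(sk) the socket holds a pointer it no longer owns. Since a put, unlike the old l2cap_chan_destroy(), may or may not free the channel depending on other holders, it would help to state in a comment which hold this put pairs with, and to consider clearing the pointer after the put. The /* Kill poor orphan */ comment also still reads as an unconditional destroy and could be reworded to match the reference-drop semantics.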

Ah, we see in the second trace that l2cap_sock_kill calls for l2cap_chan_destroy; however, this has since been changed to a new function l2cap_chan_put. We can now use git blame to figure out when this l2cap_chan_put function was added.

> 4af66c69 (Jaganath Kanakkassery 2012-07-13 18:17:55 +0530 848)

After expanding that commit with git log, we get:

> commit 4af66c691f4e5c2db9bb00793669a548e9db1974
> Author: Jaganath Kanakkassery <jaganath.k@samsung.com>
> Date:   Fri Jul 13 18:17:55 2012 +0530
> 
>     Bluetooth: Free the l2cap channel list only when refcount is zero
>     
>     Move the l2cap channel list chan->global_l under the refcnt
>     protection and free it based on the refcnt.
>     
>     Signed-off-by: Jaganath Kanakkassery <jaganath.k@samsung.com>
>     Signed-off-by: Syam Sidhardhan <s.syam@samsung.com>
>     Reviewed-by: Andrei Emeltchenko <andrei.emeltchenko@intel.com>
>     Signed-off-by: Gustavo Padovan <gustavo.padovan@collabora.co.uk>

This sounds way more like a fix to your actual problem; notice the "protection" keyword, which comes close to your "general protection fault". There's an odd thing though, this commit was applied in 3.6-rc2 as well. So, then why does it still show it like this?

>void l2cap_chan_put(struct l2cap_chan *c)
>{
>        BT_DBG("chan %p orig refcnt %d", c, atomic_read(&c->kref.refcount));
>
>        kref_put(&c->kref, l2cap_chan_destroy);
>}

Since this only contains one function call, there is a high chance the compiler optimizes this function away. So, bummer, this one did not fix it either.

So, I can only come to the conclusion that you should try a newer version like gentoo-sources-3.7.3 or git-sources-3.8_rc4 to see if something else that we can't catch right away fixes it, if it still appears on those then please report the bug upstream at http://bugzilla.kernel.org and leave a link to that bug here such that we can follow along.

Good luck!
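
A user-space model of what the commit message quoted in this comment describes (freeing the channel only when its refcount reaches zero), added here as an example; it is not kernel code and not part of the original comment. The struct, the chan_* helpers and the two-owner teardown order are constructed for illustration, and the model does not claim to reproduce the crash in this report.

```c
#include <stdio.h>

/* Constructed user-space model; the kernel uses struct kref and kref_put(). */
struct chan { int refcnt; int dead; int destroys; };

static void chan_destroy(struct chan *c) { c->dead = 1; c->destroys++; }
static void chan_hold(struct chan *c)    { c->refcnt++; }

/* Same shape as l2cap_chan_put(): destroy only when the last holder lets go. */
static void chan_put(struct chan *c)
{
    if (--c->refcnt == 0)
        chan_destroy(c);
}

/* What a remaining holder observes when it touches the channel. */
static int chan_use(const struct chan *c) { return c->dead ? -1 : 0; }

/*
 * Socket side releases first, then the connection side uses the channel and
 * releases it. use_put = 0: every owner destroys directly (assumed "before").
 * use_put = 1: every owner drops a reference. Returns the number of stale
 * uses seen by the connection side; *destroys gets the destroy count.
 */
static int teardown(int use_put, int *destroys)
{
    struct chan c = { .refcnt = 1, .dead = 0, .destroys = 0 }; /* socket ref */
    int stale = 0;

    chan_hold(&c);                        /* connection takes its own ref */
    if (use_put) chan_put(&c); else chan_destroy(&c);   /* socket killed */
    if (chan_use(&c) < 0)                 /* connection still walks it */
        stale++;
    if (use_put) chan_put(&c); else chan_destroy(&c);   /* connection gone */
    *destroys = c.destroys;
    return stale;
}

int main(void)
{
    int d, s;
    s = teardown(0, &d);
    printf("direct destroy: stale uses=%d destroys=%d\n", s, d);
    s = teardown(1, &d);
    printf("refcounted put: stale uses=%d destroys=%d\n", s, d);
    return 0;
}
```

In the model the channel lives on the stack and "destroy" only marks it dead, so the stale use and the double destroy are counted rather than executed as real memory errors.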
Comment 9 Tom Wijsman (TomWij) (RETIRED) gentoo-dev 2013-04-14 07:39:03 UTC
Please try the latest kernel, gentoo-sources-3.8.7 or git-sources-3.9_rc6.
Comment 10 sphakka 2013-05-09 10:00:55 UTC
Good news! The problem has gone with 3.7.10-gentoo-r1: rfkill works flawlessly even with processes using an active connection. For now I mark this WFM; I'll post more when the 3.8 branch becomes stable, unless someone can already confirm the fix.
Comment 11 Tom Wijsman (TomWij) (RETIRED) gentoo-dev 2013-05-09 13:12:06 UTC
Sounds good, thanks for testing and keeping us up-to-date; I'm going to mark this as FIXED as WORKSFORME means it works for maintainers and should work for users, if this does appear not FIXED with 3.8 or later you can always change back the bug to CONFIRMED. :)