[PANIC] 6.0BETA2 in l2ping flood
Maksim Yevmenkin
maksim.yevmenkin at gmail.com
Mon Aug 22 18:57:23 GMT 2005
Jonatan,
On 8/22/05, Maksim Yevmenkin <maksim.yevmenkin at gmail.com> wrote:
> Jonatan and Pawel,
>
> > +> This is a repeatable panic I get when l2ping flooding my tungsten.
> > +> Maksim?
> > +>
> > +> repeatable panic with bluetooth on SMP
> > +>
> > +> #> l2ping -fa MyTungsten -s 65531
>
> [...]
>
> > Fixed in HEAD, thanks for the report.
>
> first, let me thank you both for reporting the problem (Jonatan) and
> spending time looking into this (Pawel). i was able to reproduce the
> problem and have fix that i will commit after brief testing.
>
> the patch Pawel has committed to HEAD indeed fixes the panic (thanks
> Pawel!) however it somewhat hides bigger bug in the bluetooth l2cap
> code. the panic happens when l2cap connection descriptor is deleted
> with the l2cap command(s) pending in the queue. in this case when the
> last l2cap command is deleted (due to cleanup) and reference counter
> for the l2cap connection goes down to zero the auto disconnect timeout
> is incorrectly set.
could you please try the attached patch? this patch is against HEAD.
it should apply cleanly (for the most part) against 6.x and 5.x. there
will be some rejects in ng_l2cap_misc.c if you apply it against 5.x or
6.x. you could fix them by hand.
also, to build the l2control(8) utility you will need to install the ng_l2cap.h
header from /sys/netgraph/bluetooth/include into
/usr/include/netgraph/bluetooth/include. or you could just do "make
buildworld/installworld"
thanks,
max
-------------- next part --------------
? sys/dev/an/if_an.c.new
? sys/net/if_tap.c.altq
? usr.bin/bluetooth/rfcomm_sppd/log
? usr.sbin/bluetooth/bthidd/bthid_switch_keyboard
Index: sys/netgraph/bluetooth/include/ng_l2cap.h
===================================================================
RCS file: /home/ncvs/src/sys/netgraph/bluetooth/include/ng_l2cap.h,v
retrieving revision 1.3
diff -u -r1.3 ng_l2cap.h
--- sys/netgraph/bluetooth/include/ng_l2cap.h 7 Jan 2005 01:45:43 -0000 1.3
+++ sys/netgraph/bluetooth/include/ng_l2cap.h 22 Aug 2005 18:41:14 -0000
@@ -623,6 +623,7 @@
#define NG_L2CAP_CON_OUTGOING (1 << 2) /* outgoing connection */
#define NG_L2CAP_CON_LP_TIMO (1 << 3) /* LP timeout */
#define NG_L2CAP_CON_AUTO_DISCON_TIMO (1 << 4) /* auto discon. timeout */
+#define NG_L2CAP_CON_DYING (1 << 5) /* connection is dying */
typedef struct {
u_int8_t state; /* connection state */
Index: sys/netgraph/bluetooth/l2cap/ng_l2cap_cmds.c
===================================================================
RCS file: /home/ncvs/src/sys/netgraph/bluetooth/l2cap/ng_l2cap_cmds.c,v
retrieving revision 1.5
diff -u -r1.5 ng_l2cap_cmds.c
--- sys/netgraph/bluetooth/l2cap/ng_l2cap_cmds.c 7 Jan 2005 01:45:43 -0000 1.5
+++ sys/netgraph/bluetooth/l2cap/ng_l2cap_cmds.c 22 Aug 2005 18:41:14 -0000
@@ -226,6 +226,9 @@
"%s: %s - ACL connection failed, result=%d\n",
__func__, NG_NODE_NAME(l2cap->node), result);
+ /* Connection is dying */
+ con->flags |= NG_L2CAP_CON_DYING;
+
/* Clean command queue */
while (!TAILQ_EMPTY(&con->cmd_list)) {
cmd = TAILQ_FIRST(&con->cmd_list);
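Review bot: NG_L2CAP_CON_DYING is set only on this ACL-connection-failed path, as far as the patch shows, yet the ng_l2cap_misc.c hunks make ng_l2cap_con_unref depend on it and make ng_l2cap_free_con panic if a timer flag is still set. Any other caller that drains `con->cmd_list` on an open outgoing connection without setting the flag first would re-arm the auto-disconnect timer and then reach that panic. Whether such callers exist cannot be told from here, because the enclosing function starts and ends outside the hunk. Consider setting the flag inside ng_l2cap_free_con before its own queue cleanup, `con->flags |= NG_L2CAP_CON_DYING;`, so the invariant does not rely on every caller remembering it.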
Index: sys/netgraph/bluetooth/l2cap/ng_l2cap_misc.c
===================================================================
RCS file: /home/ncvs/src/sys/netgraph/bluetooth/l2cap/ng_l2cap_misc.c,v
retrieving revision 1.11
diff -u -r1.11 ng_l2cap_misc.c
--- sys/netgraph/bluetooth/l2cap/ng_l2cap_misc.c 21 Aug 2005 19:16:27 -0000 1.11
+++ sys/netgraph/bluetooth/l2cap/ng_l2cap_misc.c 22 Aug 2005 18:41:14 -0000
@@ -182,12 +182,14 @@
* 2) connection is in OPEN state
* 3) it is an outgoing connection
* 4) disconnect timeout > 0
+ * 5) connection is not dying
*/
if ((con->refcnt == 0) &&
(con->state == NG_L2CAP_CON_OPEN) &&
(con->flags & NG_L2CAP_CON_OUTGOING) &&
- (con->l2cap->discon_timo > 0))
+ (con->l2cap->discon_timo > 0) &&
+ ((con->flags & NG_L2CAP_CON_DYING) == 0))
ng_l2cap_discon_timeout(con);
} /* ng_l2cap_con_unref */
@@ -273,11 +275,14 @@
ng_l2cap_free_cmd(cmd);
}
+ if (con->flags & (NG_L2CAP_CON_AUTO_DISCON_TIMO|NG_L2CAP_CON_LP_TIMO))
+ panic(
+"%s: %s - timeout pending! state=%d, flags=%#x\n",
+ __func__, NG_NODE_NAME(con->l2cap->node),
+ con->state, con->flags);
+
LIST_REMOVE(con, next);
- if (con->flags & NG_L2CAP_CON_AUTO_DISCON_TIMO)
- ng_l2cap_discon_untimeout(con);
- if (con->flags & NG_L2CAP_CON_LP_TIMO)
- ng_l2cap_lp_untimeout(con);
+
bzero(con, sizeof(*con));
FREE(con, M_NETGRAPH_L2CAP);
} /* ng_l2cap_free_con */
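Review bot: The `panic()` added before `LIST_REMOVE` is unconditional, so a pending auto-disconnect or LP timer at free time now brings the whole kernel down where the removed lines simply cancelled it. This state machine is driven by link events (the report reproduced the bug with an l2ping flood), so any missed teardown path becomes a denial of service instead of a cleaned-up timer. I would assert with `KASSERT` for debug kernels and keep the two untimeout calls as the production fallback, so a stale timer can never fire on memory that `bzero`/`FREE` release just below. The format string also ends in `\n`, which a panic message does not need. The function begins outside this hunk.

```c
	/* ... unchanged: command queue cleanup ... */

	KASSERT((con->flags &
	    (NG_L2CAP_CON_AUTO_DISCON_TIMO|NG_L2CAP_CON_LP_TIMO)) == 0,
	    ("%s: %s - timeout pending! state=%d, flags=%#x",
	    __func__, NG_NODE_NAME(con->l2cap->node),
	    con->state, con->flags));

	/* Production fallback: never free a connection with a live timer */
	if (con->flags & NG_L2CAP_CON_AUTO_DISCON_TIMO)
		ng_l2cap_discon_untimeout(con);
	if (con->flags & NG_L2CAP_CON_LP_TIMO)
		ng_l2cap_lp_untimeout(con);

	LIST_REMOVE(con, next);
	/* ... unchanged: bzero and FREE ... */
```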
Index: usr.sbin/bluetooth/l2control/l2cap.c
===================================================================
RCS file: /home/ncvs/src/usr.sbin/bluetooth/l2control/l2cap.c,v
retrieving revision 1.3
diff -u -r1.3 l2cap.c
--- usr.sbin/bluetooth/l2control/l2cap.c 12 Oct 2003 22:04:23 -0000 1.3
+++ usr.sbin/bluetooth/l2control/l2cap.c 22 Aug 2005 18:41:14 -0000
@@ -159,7 +159,7 @@
fprintf(stdout,
"%-17.17s " \
"%6d " \
- "%c%c%c%c%c " \
+ "%c%c%c%c%c%c " \
"%7d " \
"%s\n",
bdaddrpr(&r.connections[n].remote),
@@ -167,6 +167,7 @@
((r.connections[n].flags & NG_L2CAP_CON_OUTGOING)? 'O' : 'I'),
((r.connections[n].flags & NG_L2CAP_CON_LP_TIMO)? 'L' : ' '),
((r.connections[n].flags & NG_L2CAP_CON_AUTO_DISCON_TIMO)? 'D' : ' '),
+ ((r.connections[n].flags & NG_L2CAP_CON_DYING)? '!' : ' '),
((r.connections[n].flags & NG_L2CAP_CON_TX)? 'T' : ' '),
((r.connections[n].flags & NG_L2CAP_CON_RX)? 'R' : ' '),
r.connections[n].pending,
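Review bot: The flag column grows from five to six characters here and in the format string of the preceding hunk, but neither hunk touches the table header that presumably precedes this fprintf, so the Pending and State columns would shift by one. That header line is outside both hunks and should be checked. The new `!` marker also deserves a line in the l2control(8) manual page next to the other flag letters. A short comment above the flag arguments listing the letters in print order, e.g. `/* flags: O/I, L, D, !, T, R */`, would help keep the format string and the argument list in step.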