Quel,

On Fri, 22 Feb 2008, Quel Qun wrote:
> $ addr2line -e vmlinux c012d51d
> /usr/src/linux-2.6.25-rc2-git5kk1/kernel/timer.c:770
>
> Crap, that is on the next list_for_each_entry in timer.c :(
>
> I tried to make a similar test loop as you did a few lines above:
Cool.

> I thought I got it on the next crash, but the system locked too
> fast, and the only thing I saw was:
>
> TTRACE timer f7b52858 fn f8e7c608 addr c012d776
> TTRACE fn l2cap_info_timeout
> TTRACE addr mod_timer
> BUG: unable to handle kernel paging request at 6b6b6b6b

That's what I wanted to see.

> I hope the tiny bit of trace can trigger some idea. At least l2cap
> has something to do with bluetooth. l2cap_info_timeout is line 360
> of net/bluetooth/l2cap.c, apparently only called from
> l2cap_conn_add, line 391: setup_timer(&conn->info_timer,
> l2cap_info_timeout, (unsigned long)conn);

Correct. And I don't see how it's guaranteed that the timer is deleted before l2cap_conn_del() is called which kfree's the l2cap_conn structure.

> After four hours and ten crashes today, it is the little I
> got. Kernel stuff is tough...

Yes, it is. The little information you got should be enough to solve this. Thanks for your patience and help !

Does the patch below fix your problem ?

Thanks,

	tglx

--- net/bluetooth/l2cap.c | 2 ++ 1 file changed, 2 insertions(+) Index: linux-2.6/net/bluetooth/l2cap.c =================================================================== --- linux-2.6.orig/net/bluetooth/l2cap.c +++ linux-2.6/net/bluetooth/l2cap.c @@ -417,6 +417,8 @@ static void l2cap_conn_del(struct hci_co l2cap_sock_kill(sk); } + del_timer(&conn->info_timer); + hcon->l2cap_data = NULL; kfree(conn); }
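
Review bot: the added del_timer(&conn->info_timer) just before kfree(conn) only removes a timer that is still pending; it does not wait for an l2cap_info_timeout handler that is already running on another CPU, and that handler receives conn as its argument, so it can still touch the structure after the kfree. Unless l2cap_conn_del() can be reached from the timer handler itself or is called holding a lock the handler takes, del_timer_sync(&conn->info_timer) would close that window. A one-line comment saying that info_timer is armed in l2cap_conn_add() and must be stopped before the free would also help the next reader.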
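
A userspace model of the failure diagnosed in this thread, added here as an illustration and not taken from the original mail or from kernel code: an object with an embedded, still-pending timer is freed and poisoned, and the next walk of the timer list meets the 0x6b poison pattern reported in the oops. The names `struct conn`, `pool`, `poison_free`, `walk_timers` and `scenario` are hypothetical, and the list and timer functions are simplified stand-ins for the kernel's.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define POISON_FREE 0x6b  /* byte the slab allocator writes over freed objects */
struct list_head { struct list_head *next, *prev; };
struct timer { struct list_head entry; int pending; };
struct conn { int id; struct timer info_timer; };  /* hypothetical stand-in for l2cap_conn */

static struct list_head pending_timers;  /* stand-in for the kernel's pending-timer list */
static struct conn pool[2];              /* static pool, so "freed" memory stays readable */

static void add_timer(struct timer *t) {
    t->entry.next = pending_timers.next;
    t->entry.prev = &pending_timers;
    pending_timers.next->prev = &t->entry;
    pending_timers.next = &t->entry;
    t->pending = 1;
}
static void del_timer(struct timer *t) {
    if (!t->pending) return;
    t->entry.prev->next = t->entry.next;
    t->entry.next->prev = t->entry.prev;
    t->pending = 0;
}
/* Model of kfree() with slab poisoning enabled. */
static void poison_free(struct conn *c) { memset(c, POISON_FREE, sizeof(*c)); }

/* Walk the list; return the poisoned link that would be followed next, or 0 if intact. */
static uintptr_t walk_timers(void) {
    uintptr_t poison;
    memset(&poison, POISON_FREE, sizeof(poison));  /* 0x6b6b6b6b on 32-bit */
    for (struct list_head *p = pending_timers.next; p != &pending_timers; p = p->next)
        if ((uintptr_t)p->next == poison) return poison;
    return 0;
}
/* delete_first = 1 applies the patch's ordering: del_timer() before the free. */
static uintptr_t scenario(int delete_first) {
    pending_timers.next = pending_timers.prev = &pending_timers;
    memset(pool, 0, sizeof(pool));
    add_timer(&pool[0].info_timer);
    add_timer(&pool[1].info_timer);
    if (delete_first) del_timer(&pool[1].info_timer);
    poison_free(&pool[1]);
    return walk_timers();
}
int main(void) {
    printf("freed with timer pending: %#lx\n", (unsigned long)scenario(0));
    printf("del_timer before free:    %#lx\n", (unsigned long)scenario(1));
    return 0;
}
```

The model is single-threaded, so it shows only the stale list entry, not a handler racing with the free on another CPU.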