Bug 196621

Summary:	bluez-5.46: unit/test-gatt segfaults when running tests
Product:	Drivers	Reporter:	Pacho Ramos (pachoramos1)
Component:	Bluetooth	Assignee:	linux-bluetooth (linux-bluetooth)
Status:	NEW ---
Severity:	normal	CC:	andyrtr, brian.gix, stefan.seyfried, zarniwhoop
Priority:	P1
Hardware:	All
OS:	Linux
Kernel Version:	4.12.4	Subsystem:
Regression:	No	Bisected commit-id:
Attachments:	test-suite.log

Description Pacho Ramos 2017-08-09 14:31:39 UTC

Created attachment 257859 [details]
test-suite.log

When running:
./configure && make && make check 

I get:
PASS: unit/test-lib
  CC       unit/test-gatt.o
  CCLD     unit/test-gatt
./test-driver: línea 107: 27563 Violación de segmento  (`core' generado) "$@" > $log_file 2>&1
FAIL: unit/test-gatt
  CC       unit/test-hog.o
  CC       profiles/input/hog-lib.o
  CC       profiles/scanparam/scpp.o
  CC       profiles/battery/bas.o
  CC       profiles/deviceinfo/dis.o
  CC       attrib/att.o
  CC       attrib/gatt.o
  CC       attrib/gattrib.o
  CCLD     unit/test-hog
PASS: unit/test-hog
  CC       unit/test-gattrib.o
  CCLD     unit/test-gattrib
PASS: unit/test-gattrib
make --no-print-directory all-am
============================================================================
Testsuite summary for bluez 5.46
============================================================================
# TOTAL: 25
# PASS:  24
# SKIP:  0
# XFAIL: 0
# FAIL:  1
# XPASS: 0
# ERROR: 0
============================================================================
See ./test-suite.log
============================================================================
make[3]: *** [Makefile:8485: test-suite.log] Error 1
make[2]: *** [Makefile:8593: check-TESTS] Error 2
make[1]: *** [Makefile:8977: check-am] Error 2
make: *** [Makefile:8979: check] Error 2

Comment 1 Pacho Ramos 2017-08-09 14:32:21 UTC

[New LWP 27563]
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib64/libthread_db.so.1".
Core was generated by `./unit/test-gatt'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0  0x0000000000441be5 in timeout_cb (user_data=0x21d2200) at src/shared/att.c:405
405		if (att->pending_req && att->pending_req->id == timeout->id) {

Thread 1 (Thread 0x7f96c6fe1700 (LWP 27563)):
#0  0x0000000000441be5 in timeout_cb (user_data=0x21d2200) at src/shared/att.c:405
        timeout = 0x21d2200
        att = 0x21d2740
        op = 0x0
#1  0x000000000044e42d in timeout_callback (user_data=<error reading variable: value has been optimized out>) at src/shared/timeout-glib.c:34
        data = <error reading variable data (value has been optimized out)>
#2  0x0000003f9e24afc3 in g_timeout_dispatch (source=0x21d0800, callback=<optimized out>, user_data=<optimized out>) at /var/tmp/portage/dev-libs/glib-2.50.3-r1/work/glib-2.50.3/glib/gmain.c:4674
        timeout_source = 0x21d0800
        again = <optimized out>
#3  0x0000003f9e24a52d in g_main_dispatch (context=0x21c4830) at /var/tmp/portage/dev-libs/glib-2.50.3-r1/work/glib-2.50.3/glib/gmain.c:3203
        dispatch = 0x3f9e24afb0 <g_timeout_dispatch>
        prev_source = 0x0
        was_in_call = 0
        user_data = 0x21d1420
        callback = 0x44e420 <timeout_callback>
        cb_funcs = <optimized out>
        cb_data = 0x21d2050
        need_destroy = <optimized out>
        source = 0x21d0800
        current = 0x21c4940
        i = 0
#4  g_main_context_dispatch (context=context@entry=0x21c4830) at /var/tmp/portage/dev-libs/glib-2.50.3-r1/work/glib-2.50.3/glib/gmain.c:3856
No locals.
#5  0x0000003f9e24a900 in g_main_context_iterate (context=0x21c4830, block=block@entry=1, dispatch=dispatch@entry=1, self=<optimized out>) at /var/tmp/portage/dev-libs/glib-2.50.3-r1/work/glib-2.50.3/glib/gmain.c:3929
        max_priority = 2147483647
        timeout = 29928
        some_ready = 1
        nfds = <optimized out>
        allocated_nfds = 4
        fds = 0x21eca80
#6  0x0000003f9e24ac22 in g_main_loop_run (loop=0x21c4a80) at /var/tmp/portage/dev-libs/glib-2.50.3-r1/work/glib-2.50.3/glib/gmain.c:4125
        __FUNCTION__ = "g_main_loop_run"
#7  0x0000000000441848 in tester_run () at src/shared/tester.c:830
No locals.
#8  0x000000000043e68b in main (argc=1, argv=0x7ffcc2215f78) at unit/test-gatt.c:4474
No locals.
From                To                  Syms Read   Shared Object Library
0x0000003f9e21acf0  0x0000003f9e292c29  Yes         /usr/lib64/libglib-2.0.so.0
0x0000003f9be1f7a0  0x0000003f9bf47c34  Yes (*)     /lib64/libc.so.6
0x0000003f9da01650  0x0000003f9da52b2d  Yes (*)     /lib64/libpcre.so.1
0x0000003f9c605a10  0x0000003f9c6124d1  Yes (*)     /lib64/libpthread.so.0
0x0000003f9ba00a10  0x0000003f9ba1c300  Yes (*)     /lib64/ld-linux-x86-64.so.2
(*): Shared library is missing debugging information.
$1 = 0x0
$2 = 0x0
rax            0xc	12
rbx            0x4545454545454545	4991471925827290437
rcx            0x0	0
rdx            0x21d1420	35460128
rsi            0x44e420	4514848
rdi            0x21d2200	35463680
rbp            0x21d2740	0x21d2740
rsp            0x7ffcc2209b40	0x7ffcc2209b40
r8             0x1	1
r9             0x3f9e512940	273239058752
r10            0x1	1
r11            0x246	582
r12            0x21c4830	35407920
r13            0x21c4940	35408192
r14            0x21d0800	35457024
r15            0x3f9e24afb0	273236144048
rip            0x441be5	0x441be5 <timeout_cb+21>
eflags         0x10202	[ IF RF ]
cs             0x33	51
ss             0x2b	43
ds             0x0	0
es             0x0	0
fs             0x0	0
gs             0x0	0
Dump of assembler code for function timeout_cb:
   0x0000000000441bd0 <+0>:	push   %rbp
   0x0000000000441bd1 <+1>:	push   %rbx
   0x0000000000441bd2 <+2>:	sub    $0x8,%rsp
   0x0000000000441bd6 <+6>:	mov    (%rdi),%rbp
   0x0000000000441bd9 <+9>:	mov    0x20(%rbp),%rbx
   0x0000000000441bdd <+13>:	test   %rbx,%rbx
   0x0000000000441be0 <+16>:	je     0x441be9 <timeout_cb+25>
   0x0000000000441be2 <+18>:	mov    0x8(%rdi),%eax
=> 0x0000000000441be5 <+21>:	cmp    %eax,(%rbx)
   0x0000000000441be7 <+23>:	je     0x441c08 <timeout_cb+56>
   0x0000000000441be9 <+25>:	mov    0x30(%rbp),%rbx
   0x0000000000441bed <+29>:	test   %rbx,%rbx
   0x0000000000441bf0 <+32>:	je     0x441bf9 <timeout_cb+41>
   0x0000000000441bf2 <+34>:	mov    0x8(%rdi),%eax
   0x0000000000441bf5 <+37>:	cmp    %eax,(%rbx)
   0x0000000000441bf7 <+39>:	je     0x441c70 <timeout_cb+160>
   0x0000000000441bf9 <+41>:	add    $0x8,%rsp
   0x0000000000441bfd <+45>:	xor    %eax,%eax
   0x0000000000441bff <+47>:	pop    %rbx
   0x0000000000441c00 <+48>:	pop    %rbp
   0x0000000000441c01 <+49>:	retq   
   0x0000000000441c02 <+50>:	nopw   0x0(%rax,%rax,1)
   0x0000000000441c08 <+56>:	movq   $0x0,0x20(%rbp)
   0x0000000000441c10 <+64>:	movzbl 0xc(%rbx),%ecx
   0x0000000000441c14 <+68>:	mov    0xa0(%rbp),%rsi
   0x0000000000441c1b <+75>:	lea    0x12baa(%rip),%rdx        # 0x4547cc
   0x0000000000441c22 <+82>:	mov    0x90(%rbp),%rdi
   0x0000000000441c29 <+89>:	xor    %eax,%eax
   0x0000000000441c2b <+91>:	callq  0x4405d0 <util_debug>
   0x0000000000441c30 <+96>:	mov    0x78(%rbp),%rax
   0x0000000000441c34 <+100>:	test   %rax,%rax
   0x0000000000441c37 <+103>:	je     0x441c48 <timeout_cb+120>
   0x0000000000441c39 <+105>:	movzbl 0xc(%rbx),%esi
   0x0000000000441c3d <+109>:	mov    0x88(%rbp),%rdx
   0x0000000000441c44 <+116>:	mov    (%rbx),%edi
   0x0000000000441c46 <+118>:	callq  *%rax
   0x0000000000441c48 <+120>:	mov    %rbx,%rdi
   0x0000000000441c4b <+123>:	movl   $0x0,0x4(%rbx)
   0x0000000000441c52 <+130>:	callq  0x441b20 <destroy_att_send_op>
   0x0000000000441c57 <+135>:	mov    0x8(%rbp),%rdi
   0x0000000000441c5b <+139>:	callq  0x44e3e0 <io_shutdown>
   0x0000000000441c60 <+144>:	add    $0x8,%rsp
   0x0000000000441c64 <+148>:	xor    %eax,%eax
   0x0000000000441c66 <+150>:	pop    %rbx
   0x0000000000441c67 <+151>:	pop    %rbp
   0x0000000000441c68 <+152>:	retq   
   0x0000000000441c69 <+153>:	nopl   0x0(%rax)
   0x0000000000441c70 <+160>:	movq   $0x0,0x30(%rbp)
   0x0000000000441c78 <+168>:	jmp    0x441c10 <timeout_cb+64>
End of assembler dump.

Comment 2 Pacho Ramos 2017-09-07 08:36:17 UTC

Any news? It would be nice to get this solved before next release if possible

Thanks

Comment 3 Pacho Ramos 2017-09-14 11:03:36 UTC

The same with 5.47

Comment 4 Ken Moffat 2017-09-15 04:02:21 UTC

I had the same - the cause is an inadequate kernel .config. If you add (modules will do) CONFIG_CRYPTO_USER_API_HASH and CONFIG_CRYPTO_USER_API_SKCIPHER (both near the bottom of the crypto menu) it should work.

Or, wearing my pedant's hat, "when I did that, it worked for me".

Comment 5 Stefan Seyfried 2017-12-13 19:10:03 UTC

This looks similar to what I have reported here: https://marc.info/?t=149578476300002&r=1&w=2

Comment 6 Pacho Ramos 2018-06-08 16:56:11 UTC

It seems that CONFIG_CRYPTO_USER_API_HASH is the only needed (at least with 5.50)

Comment 7 Pacho Ramos 2020-03-11 12:14:21 UTC

(In reply to Pacho Ramos from comment #6)
> It seems that CONFIG_CRYPTO_USER_API_HASH is the only needed (at least with
> 5.50)

is that really needed only for tests or for general USE? To know if I need to enforce that option for regular users or only for those wanting to run tests.

Thanks a lot for the info

Comment 8 Pacho Ramos 2020-03-11 12:18:56 UTC

Per
http://www.linuxfromscratch.org/blfs/view/svn/general/bluez.html

it seems only for tests :)

Comment 9 Pacho Ramos 2020-03-11 12:27:56 UTC

it would be interesting to list needed kernel options in README file I think

Thanks

Comment 10 Brian Gix 2020-03-11 16:32:18 UTC

The User space API's in the kernel are needed for Bluetooth Mesh daemon support, including at a minimum:

CONFIG_CRYPTO_USER
CONFIG_CRYPTO_USER_API
CONFIG_CRYPTO_USER_API_AEAD
CONFIG_CRYPTO_USER_API_HASH

CONFIG_CRYPTO_AES
CONFIG_CRYPTO_CCM
CONFIG_CRYPTO_AEAD
CONFIG_CRYPTO_CMAC

And there may be others.