Bug 195221 - bluez 5.44.1 crashes when connecting to A2DP device
Summary: bluez 5.44.1 crashes when connecting to A2DP device
Status: NEW
Alias: None
Product: Drivers
Classification: Unclassified
Component: Bluetooth
Hardware: All Linux
Importance: P1 high
Assignee: linux-bluetooth@vger.kernel.org
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2017-04-02 10:38 UTC by me
Modified: 2017-08-04 19:25 UTC

See Also:
Kernel Version: 4.10.6
Subsystem:
Regression: No
Bisected commit-id:


Attachments
Fix crashing when connecting ATT over BR/EDR (3.58 KB, patch)
2017-07-07 08:15 UTC, Luiz Von Dentz

Description me 2017-04-02 10:38:48 UTC
As stated in title. Pairing is fine, but as soon as I try to connect, bluetoothd goes down. Works fine after downgrading to 5.43.2.

Stacktrace:
#0 0x0000000000469d60 n/a (bluetoothd)
#1 0x00000000004472d3 n/a (bluetoothd)
#2 0x000000000047a31d n/a (bluetoothd)
#3 0x0000000000447405 n/a (bluetoothd)
#4 0x00007f8ac61cf45a g_main_context_dispatch (libglib-2.0.so.0)
#5 0x00007f8ac61cf810 n/a (libglib-2.0.so.0)
#6 0x00007f8ac61cfb32 g_main_loop_run (libglib-2.0.so.0)
#7 0x000000000040b6b2 n/a (bluetoothd)
#8 0x00007f8ac57a5511 __libc_start_main (libc.so.6)
#9 0x000000000040bf0a n/a (bluetoothd)

I'm using Arch Linux and reported the bug to their bug tracker; they told me to go upstream.
Comment 1 - 2017-04-03 07:37:30 UTC
See also the Arch Linux bug tracker:
- https://bugs.archlinux.org/task/53442
- https://bugs.archlinux.org/task/53424
Comment 2 Konstantin A. Lepikhov 2017-07-06 23:05:42 UTC
Still reproduces with latest GIT c896183:

[lakostis@lks ~]$ sudo gdb --args /usr/libexec/bluetooth/bluetoothd -n
[sudo] password for lakostis:
GNU gdb (GDB) 7.9-alt3 (ALT Linux)
Copyright (C) 2015 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-alt-linux".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
<http://www.gnu.org/software/gdb/documentation/>.
For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from /usr/libexec/bluetooth/bluetoothd...Reading symbols from
/usr/lib/debug/usr/libexec/bluetooth/bluetoothd.debug...done.
done.
(gdb) break browse_cb
Breakpoint 1 at 0x48eb54
(gdb) run
Starting program: /usr/libexec/bluetooth/bluetoothd -n
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib64/libthread_db.so.1".
bluetoothd[19262]: Bluetooth daemon 5.45
bluetoothd[19262]: Starting SDP server
bluetoothd[19262]: Bluetooth management interface 1.14 initialized
bluetoothd[19262]: No cache for F4:5F:69:01:3D:69

Breakpoint 1, 0x000000000048eb54 in browse_cb ()
(gdb) info locals
No symbol table info available.
(gdb) info frame
Stack level 0, frame at 0x7fffffffe840:
 rip = 0x48eb54 in browse_cb; saved rip = 0x461130
 called by frame at 0x7fffffffe8a0
 Arglist at 0x7fffffffe830, args:
 Locals at 0x7fffffffe830, Previous frame's sp is 0x7fffffffe840
 Saved registers:
  rbp at 0x7fffffffe830, rip at 0x7fffffffe838
(gdb) x 0x48eb54
0x48eb54 <browse_cb+4>: 0x48535441
(gdb) x/c 0x48eb54
0x48eb54 <browse_cb+4>: 65 'A'
(gdb) continue
Continuing.

Program received signal SIGSEGV, Segmentation fault.
0x000000000048eb8d in browse_cb ()
(gdb) x/c 0x48eb54
0x48eb54 <browse_cb+4>: 65 'A'
(gdb) bt
#0  0x000000000048eb8d in browse_cb ()
#1  0x0000000000461130 in search_completed_cb ()
#2  0x00000000004a6ee0 in sdp_process ()
#3  0x00000000004611e4 in search_process_cb ()
#4  0x00007f6875ce67ea in g_main_dispatch (context=0x71de80) at gmain.c:3234
#5  g_main_context_dispatch (context=context@entry=0x71de80) at gmain.c:3899
#6  0x00007f6875ce6b68 in g_main_context_iterate (context=0x71de80,
block=block@entry=1, dispatch=dispatch@entry=1, self=<optimized out>) at
gmain.c:3972
#7  0x00007f6875ce6e82 in g_main_loop_run (loop=0x71ddf0) at gmain.c:4168
#8  0x000000000044f198 in main ()
(gdb) x/c 0x000000000048eb8d
0x48eb8d <browse_cb+61>:        72 'H'
(gdb) quit
A debugging session is active.

bluetoothd[31069]: attrib/gattrib.c:g_attrib_unref() 0x73aae0: g_attrib_unref=0 
bluetoothd[31069]: src/device.c:connect_profiles()
/org/bluez/hci0/dev_F4_5F_69_01_3D_69 (all), client :1.868
bluetoothd[31069]: src/device.c:connect_profiles() Resolving services for
/org/bluez/hci0/dev_F4_5F_69_01_3D_69
bluetoothd[31069]: src/adapter.c:connected_callback() hci0 device
F4:5F:69:01:3D:69 connected eir_len 13
bluetoothd[31069]: src/gatt-database.c:connect_cb() New incoming BR/EDR ATT
connection
bluetoothd[31069]: attrib/gattrib.c:g_attrib_ref() 0x73d280: g_attrib_ref=1 
bluetoothd[31069]: src/device.c:load_gatt_db() Restoring F4:5F:69:01:3D:69 gatt
database from file
bluetoothd[31069]: No cache for F4:5F:69:01:3D:69
bluetoothd[31069]: src/gatt-client.c:btd_gatt_client_connected() Device
connected.
bluetoothd[31069]: src/device.c:gatt_debug() Primary service discovery failed.
ATT ECODE: 0x0a
bluetoothd[31069]: src/device.c:gatt_client_ready_cb() status: success, error:
0
bluetoothd[31069]: src/gatt-client.c:btd_gatt_client_ready() GATT client ready
bluetoothd[31069]: src/gatt-client.c:create_services() Exporting objects for
GATT services: F4:5F:69:01:3D:69
bluetoothd[31069]: src/device.c:device_svc_resolved()
/org/bluez/hci0/dev_F4_5F_69_01_3D_69 err 0
bluetoothd[31069]: src/device.c:connect_profiles()
/org/bluez/hci0/dev_F4_5F_69_01_3D_69 (all), client :1.868

Program received signal SIGSEGV, Segmentation fault.
0x000000000048eb8d in browse_cb ()
Comment 3 Luiz Von Dentz 2017-07-07 08:15:26 UTC
Created attachment 257395 [details]
Fix crashing when connecting ATT over BR/EDR

Please check if the attached patch fixes the problem.
Comment 4 me 2017-07-07 08:32:10 UTC
Patch does not resolve the problem for me
Comment 5 Luiz Von Dentz 2017-07-07 08:55:40 UTC
Logs, btw what device is this that connects over ATT?
Comment 6 me 2017-07-07 08:57:28 UTC
ATT is what Konstantin's device uses, mine does not, and probably that's why the patch did not solve my problem.
Comment 7 Konstantin A. Lepikhov 2017-07-07 10:22:19 UTC
(In reply to Luiz Von Dentz from comment #3)
> Created attachment 257395 [details]
> Fix crashing when connecting ATT over BR/EDR
> 
> Please check if the attached patch fixes the problem.

Thanks! With the attached patch I see no crashes during connection:

Jul  7 12:14:49 lks bluetoothd[22595]: No cache for F4:5F:69:01:3D:69
Jul  7 12:19:18 lks bluetoothd[22595]: Endpoint registered: sender=:1.1088 path=/MediaEndpoint/A2DPSource
Jul  7 12:19:18 lks bluetoothd[22595]: Endpoint registered: sender=:1.1088 path=/MediaEndpoint/A2DPSink
Jul  7 12:19:30 lks bluetoothd[22595]: Can't open input device: No such file or directory (2)
Jul  7 12:19:30 lks bluetoothd[22595]: AVRCP: failed to init uinput for F4:5F:69:01:3D:69
Jul  7 12:19:33 lks bluetoothd[22595]: /org/bluez/hci0/dev_F4_5F_69_01_3D_69/fd0: fd(28) ready
Comment 8 Konstantin A. Lepikhov 2017-07-07 22:36:54 UTC
Hmm, still crashing on pairing with another device:

bluetoothd[24105]: src/adapter.c:adapter_start() adapter /org/bluez/hci0 has been enabled
bluetoothd[24105]: src/adapter.c:add_whitelist_complete() 20:14:10:76:69:A6 added to kernel whitelist
bluetoothd[24105]: src/adapter.c:add_whitelist_complete() 11:11:11:28:F9:5E added to kernel whitelist
bluetoothd[24105]: src/adapter.c:add_whitelist_complete() D0:03:4B:DF:0A:AD added to kernel whitelist
bluetoothd[24105]: src/adapter.c:add_whitelist_complete() F4:5F:69:01:3D:69 added to kernel whitelist
bluetoothd[24105]: src/adapter.c:add_whitelist_complete() 00:1D:DF:4D:EB:E4 added to kernel whitelist
bluetoothd[24105]: src/adapter.c:load_link_keys_complete() link keys loaded for hci0
bluetoothd[24105]: src/adapter.c:get_connections_complete() Connection count: 0
bluetoothd[24105]: src/agent.c:agent_ref() 0x72ba90: ref=1
bluetoothd[24105]: src/agent.c:register_agent() agent :1.1201
bluetoothd[24105]: src/agent.c:agent_ref() 0x72a3a0: ref=1
bluetoothd[24105]: src/agent.c:register_agent() agent :1.1207
bluetoothd[24105]: src/device.c:connect_profiles() /org/bluez/hci0/dev_00_1D_DF_4D_EB_E4 (all), client :1.1207
bluetoothd[24105]: src/device.c:connect_profiles() Resolving services for /org/bluez/hci0/dev_00_1D_DF_4D_EB_E4
bluetoothd[24105]: src/adapter.c:connected_callback() hci0 device 00:1D:DF:4D:EB:E4 connected eir_len 26
bluetoothd[24105]: src/gatt-database.c:connect_cb() New incoming BR/EDR ATT connection
bluetoothd[24105]: attrib/gattrib.c:g_attrib_ref() 0x73b300: g_attrib_ref=1 
bluetoothd[24105]: src/device.c:load_gatt_db() Restoring 00:1D:DF:4D:EB:E4 gatt database from file
bluetoothd[24105]: No cache for 00:1D:DF:4D:EB:E4
bluetoothd[24105]: src/gatt-client.c:btd_gatt_client_connected() Device connected.
bluetoothd[24105]: src/device.c:gatt_debug() Primary service discovery failed. ATT ECODE: 0x0a
bluetoothd[24105]: src/device.c:gatt_client_ready_cb() status: success, error: 0
bluetoothd[24105]: src/gatt-client.c:btd_gatt_client_ready() GATT client ready
bluetoothd[24105]: src/gatt-client.c:create_services() Exporting objects for GATT services: 00:1D:DF:4D:EB:E4
bluetoothd[24105]: src/device.c:device_svc_resolved() /org/bluez/hci0/dev_00_1D_DF_4D_EB_E4 err 0
bluetoothd[24105]: src/device.c:connect_profiles() /org/bluez/hci0/dev_00_1D_DF_4D_EB_E4 (all), client :1.1207

Program received signal SIGSEGV, Segmentation fault.
0x0000000000493dc2 in ba2str ()
(gdb) bt
#0  0x0000000000493dc2 in ba2str ()
#1  0x000000000048e1f6 in ?? ()
#2  0x000000000048ec18 in ?? ()
#3  0x0000000000461130 in ?? ()
#4  0x00000000004a6f0f in ?? ()
#5  0x00000000004611e4 in ?? ()
#6  0x00007fad980337ea in g_main_dispatch (context=0x71de80) at gmain.c:3234
#7  g_main_context_dispatch (context=context@entry=0x71de80) at gmain.c:3899
#8  0x00007fad98033b68 in g_main_context_iterate (context=0x71de80, block=block@entry=1, dispatch=dispatch@entry=1, self=<optimized out>) at gmain.c:3972
#9  0x00007fad98033e82 in g_main_loop_run (loop=0x722990) at gmain.c:4168
#10 0x000000000044f198 in ?? ()
#11 0x00007fad973e7661 in __libc_start_main (main=0x44ee3d, argc=3, argv=0x7fffffffeba8, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffeb98) at ../csu/libc-start.c:295
#12 0x000000000040aeda in ?? ()
(gdb) where
#0  0x0000000000493dc2 in ba2str ()
#1  0x000000000048e1f6 in ?? ()
#2  0x000000000048ec18 in ?? ()
#3  0x0000000000461130 in ?? ()
#4  0x00000000004a6f0f in ?? ()
#5  0x00000000004611e4 in ?? ()
#6  0x00007fad980337ea in g_main_dispatch (context=0x71de80) at gmain.c:3234
#7  g_main_context_dispatch (context=context@entry=0x71de80) at gmain.c:3899
#8  0x00007fad98033b68 in g_main_context_iterate (context=0x71de80, block=block@entry=1, dispatch=dispatch@entry=1, self=<optimized out>) at gmain.c:3972
#9  0x00007fad98033e82 in g_main_loop_run (loop=0x722990) at gmain.c:4168
#10 0x000000000044f198 in ?? ()
#11 0x00007fad973e7661 in __libc_start_main (main=0x44ee3d, argc=3, argv=0x7fffffffeba8, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffeb98) at ../csu/libc-start.c:295
#12 0x000000000040aeda in ?? ()
(gdb) x 0x0000000000493dc2 in ba2str ()
A syntax error in expression, near `in ba2str ()'.
(gdb) x 0x0000000000493dc2
0x493dc2 <ba2str+20>:   0x0f00b60f
(gdb) x/s 0x0000000000493dc2
0x493dc2 <ba2str+20>:   "\017\266"
Comment 9 Luiz Von Dentz 2017-07-10 07:44:26 UTC
Strange, there doesn't seem to be anything suspicious in the logs, and crashing in ba2str is really weird since that is just converting the address to a string, and it doesn't seem we have freed either the adapter or the device address.

Is there any way to run bluetoothd with valgrind?
Comment 10 Konstantin A. Lepikhov 2017-07-11 06:56:37 UTC
(In reply to Luiz Von Dentz from comment #9)
> Strange, there does seems to be anything suspicious in the logs and crashing
> on ba2str is really weird since that is just converting the address to
> string and it doesn't seem we have freed either the adapter or the device
> address.
> 
> Is there any way to run bluetoothd with valgrind?

After many tries I can't reproduce this problem again, so maybe it was an old instance of bluetoothd running.
