Bug 215462 - bluetoothd segfaults in libdbus-1.so.3.19.13
Summary: bluetoothd segfaults in libdbus-1.so.3.19.13
Status: RESOLVED MOVED
Alias: None
Product: Drivers
Classification: Unclassified
Component: Bluetooth (show other bugs)
Hardware: All Linux
: P1 normal
Assignee: linux-bluetooth@vger.kernel.org
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2022-01-07 17:53 UTC by Paul Menzel
Modified: 2022-01-07 17:53 UTC (History)
0 users

See Also:
Kernel Version: 5.16-rc8
Subsystem:
Regression: No
Bisected commit-id:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Description Paul Menzel 2022-01-07 17:53:15 UTC 
Using Debian sid/unstable with Linux 5.16-rc8 from the suite *experimental*, *bluez* 5.62-2 and *libdbus-1-3* 1.12.20-3, connecting to a Google Nest over Bluetooth, bluetoothd crashed with a segmentation fault:

    [ 7793.540822] bluetoothd[7937]: segfault at 3 ip 00007f73196e3d28 sp 00007fffbd269280 error 4 in libdbus-1.so.3.19.13[7f73196be000+2f000]
    [ 7793.540835] Code: 08 4c 89 e9 44 89 e2 53 41 b9 6c 00 00 00 41 89 c0 48 89 ee bf 01 00 00 00 e8 e4 f9 ff ff 5a 59 e9 9f fe ff ff 0f 1f 44 00 00 <0f> b6 16 44 89 e6 e8 fd be fd ff 85 c0 0f 84 87 fe ff ff b8 01 00

```
(gdb) bt
#0  _dbus_marshal_write_basic (str=0x55992b2dc560, insert_at=213, type=type@entry=121, value=value@entry=0x3, byte_order=108, pos_after=pos_after@entry=0x7fffbd2693e0) at ../../../dbus/dbus-marshal-basic.c:814
#1  0x00007f73196cef9b in _dbus_type_writer_write_basic_no_typecode (value=0x3, type=121, writer=0x7fffbd2693c0) at ../../../dbus/dbus-marshal-recursive.c:1605
#2  _dbus_type_writer_write_basic_no_typecode (value=0x3, type=121, writer=0x7fffbd2693c0) at ../../../dbus/dbus-marshal-recursive.c:1600
#3  _dbus_type_writer_write_basic (writer=writer@entry=0x7fffbd2693c0, type=type@entry=121, value=value@entry=0x3) at ../../../dbus/dbus-marshal-recursive.c:2327
#4  0x00007f73196d36b8 in dbus_message_iter_append_basic (iter=iter@entry=0x7fffbd2693b0, type=type@entry=121, value=0x3) at ../../../dbus/dbus-message.c:2843
#5  0x0000559929aba78e in get_codec (property=<optimized out>, iter=0x7fffbd2693b0, data=<optimized out>) at profiles/audio/a2dp.c:1970
#6  0x0000559929b54f86 in append_property (iface=iface@entry=0x55992b2fbdd0, p=p@entry=0x559929bd6830 <sep_properties+48>, dict=dict@entry=0x7fffbd269430) at gdbus/object.c:498
#7  0x0000559929b55632 in append_properties (data=data@entry=0x55992b2fbdd0, iter=iter@entry=0x7fffbd2694b0) at gdbus/object.c:527
#8  0x0000559929b556bf in append_interface (data=0x55992b2fbdd0, user_data=0x7fffbd269590) at gdbus/object.c:542
#9  0x00007f7319778938 in g_slist_foreach (list=<optimized out>, func=func@entry=0x559929b55670 <append_interface>, user_data=user_data@entry=0x7fffbd269590) at ../../../glib/gslist.c:885
#10 0x0000559929b557c9 in emit_interfaces_added (data=0x55992b31f310) at gdbus/object.c:574
#11 process_changes (user_data=0x55992b31f310) at gdbus/object.c:996
#12 0x0000559929b56fb7 in g_dbus_flush (connection=0x55992b2d57d0) at gdbus/object.c:1494
#13 g_dbus_send_message (message=0x55992b2fbe10, connection=0x55992b2d57d0) at gdbus/object.c:1518
#14 g_dbus_send_message (connection=0x55992b2d57d0, message=0x55992b2fbe10) at gdbus/object.c:1498
#15 0x0000559929b39d87 in device_profile_connected (err=-5, profile=0x559929be0440 <a2dp_source_profile>, dev=0x55992b301360) at src/device.c:1802
#16 service_state_changed (service=<optimized out>, old_state=<optimized out>, new_state=<optimized out>, user_data=<optimized out>) at src/device.c:7002
#17 0x0000559929b2d072 in change_state (service=0x55992b306bd0, state=BTD_SERVICE_STATE_DISCONNECTED, err=<optimized out>) at src/service.c:98
#18 0x0000559929ab91ef in discovery_complete (session=<optimized out>, seps=<optimized out>, err=-5, user_data=0x55992b305b70) at profiles/audio/source.c:237
#19 0x0000559929abdd87 in finalize_discover (s=0x55992b301250) at profiles/audio/a2dp.c:403
#20 discover_cb (session=<optimized out>, seps=<optimized out>, err=<optimized out>, user_data=0x55992b301250) at profiles/audio/a2dp.c:2842
#21 0x0000559929ac0ba7 in finalize_discovery (session=0x55992b311700, err=0) at profiles/audio/avdtp.c:1087
#22 0x0000559929ac63e0 in avdtp_parse_resp (transaction=<optimized out>, size=16, buf=0x55992b311773, signal_id=<optimized out>, stream=0x0, session=0x55992b311700) at profiles/audio/avdtp.c:2957
#23 session_cb (data=0x55992b311700, cond=<optimized out>, chan=<optimized out>) at profiles/audio/avdtp.c:2284
#24 session_cb (chan=<optimized out>, cond=<optimized out>, data=0x55992b311700) at profiles/audio/avdtp.c:2208
#25 0x00007f7319758be4 in g_main_dispatch (context=0x55992b2d05b0) at ../../../glib/gmain.c:3381
#26 g_main_context_dispatch (context=0x55992b2d05b0) at ../../../glib/gmain.c:4099
#27 0x00007f7319758f88 in g_main_context_iterate (context=0x55992b2d05b0, block=block@entry=1, dispatch=dispatch@entry=1, self=<optimized out>) at ../../../glib/gmain.c:4175
#28 0x00007f7319759273 in g_main_loop_run (loop=0x55992b2d1790) at ../../../glib/gmain.c:4373
#29 0x0000559929b6ccd5 in mainloop_run () at src/shared/mainloop-glib.c:66
#30 0x0000559929b6d12c in mainloop_run_with_signal (func=func@entry=0x559929afe2c0 <signal_callback>, user_data=user_data@entry=0x0) at src/shared/mainloop-notify.c:188
#31 0x0000559929ab142d in main (argc=<optimized out>, argv=<optimized out>) at src/main.c:1210
```

It looks like it’s a problem in D-Bus, so I reported it to their issue tracker as *Segfault in `_dbus_marshal_write_basic`* [1].

[1]: https://gitlab.freedesktop.org/dbus/dbus/-/issues/372
Note You need to log in before you can comment on or make changes to this bug.