Bug 33623

Summary: bluetoothd segfaults when connecting/pairing to an A2DP headset
Product: Sisyphus
Reporter: Konstantin A Lepikhov (L.A. Kostis) <lakostis>
Component: bluez
Assignee: Valery Inozemtsev <shrek>
Status: CLOSED FIXED
QA Contact: qa-sisyphus
Severity: major
Priority: P3
CC: aris, shrek, zerg
Version: unstable
Keywords: relnote
Hardware: all   
OS: Linux   
URL: https://bugzilla.kernel.org/show_bug.cgi?id=195221

Description Konstantin A Lepikhov (L.A. Kostis) 2017-07-06 22:45:00 MSK
In short, the one-eyed child bluez is broken again in Sisyphus: any attempt to connect a device leads to a segfault of the bluetoothd daemon:

[lakostis@lks ~]$ sudo gdb --args /usr/libexec/bluetooth/bluetoothd
[sudo] password for lakostis:
GNU gdb (GDB) 7.9-alt3 (ALT Linux)
Copyright (C) 2015 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-alt-linux".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
<http://www.gnu.org/software/gdb/documentation/>.
For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from /usr/libexec/bluetooth/bluetoothd...Reading symbols from /usr/lib/debug/usr/libexec/bluetooth/bluetoothd.debug...done.
done.
(gdb) run
Starting program: /usr/libexec/bluetooth/bluetoothd 
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib64/libthread_db.so.1".

Program received signal SIGSEGV, Segmentation fault.
0x00000000004929ff in ba2str ()
(gdb) where
#0  0x00000000004929ff in ba2str ()
#1  0x000000000048ce62 in update_bredr_services ()
#2  0x000000000048d884 in browse_cb ()
#3  0x0000000000460f06 in search_completed_cb ()
#4  0x00000000004a5b4c in sdp_process ()
#5  0x0000000000460fba in search_process_cb ()
#6  0x00007f1f6a8257ea in g_main_dispatch (context=0x720810) at gmain.c:3234
#7  g_main_context_dispatch (context=context@entry=0x720810) at gmain.c:3899
#8  0x00007f1f6a825b68 in g_main_context_iterate (context=0x720810, block=block@entry=1, dispatch=dispatch@entry=1, self=<optimized out>) at gmain.c:3972
#9  0x00007f1f6a825e82 in g_main_loop_run (loop=0x71bdf0) at gmain.c:4168
#10 0x000000000044efd5 in main ()

Sometimes it crashes even earlier, around browse_cb.

Rolling back to 5.41 fixes the situation; nothing crashes anymore.
Comment 1 Konstantin A Lepikhov (L.A. Kostis) 2017-07-06 23:19:36 MSK
Checked with 5.45-alt1.1 from the aris repository; the behaviour is the same:

]$ sudo gdb --args /usr/libexec/bluetooth/bluetoothd 
GNU gdb (GDB) 7.9-alt3 (ALT Linux)
Copyright (C) 2015 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-alt-linux".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
<http://www.gnu.org/software/gdb/documentation/>.
For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from /usr/libexec/bluetooth/bluetoothd...Reading symbols from /usr/lib/debug/usr/libexec/bluetooth/bluetoothd.debug...done.
done.
(gdb) run
Starting program: /usr/libexec/bluetooth/bluetoothd 
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib64/libthread_db.so.1".

Program received signal SIGSEGV, Segmentation fault.
0x000000000048db15 in browse_cb ()
(gdb) bt
#0  0x000000000048db15 in browse_cb ()
#1  0x0000000000460f18 in search_completed_cb ()
#2  0x00000000004a5e55 in sdp_process ()
#3  0x0000000000460fcc in search_process_cb ()
#4  0x00007fd2800b57ea in g_main_dispatch (context=0x721810) at gmain.c:3234
#5  g_main_context_dispatch (context=context@entry=0x721810) at gmain.c:3899
#6  0x00007fd2800b5b68 in g_main_context_iterate (context=0x721810, block=block@entry=1, dispatch=dispatch@entry=1, self=<optimized out>) at gmain.c:3972
#7  0x00007fd2800b5e82 in g_main_loop_run (loop=0x71cdf0) at gmain.c:4168
#8  0x000000000044efe7 in main ()

$ rpm -qa|fgrep bluez
bluez-5.45-alt1.1.x86_64
libbluez-debuginfo-5.45-alt1.1.x86_64
libbluez-5.45-alt1.1.x86_64
bluez-debuginfo-5.45-alt1.1.x86_64
Comment 2 Konstantin A Lepikhov (L.A. Kostis) 2017-07-07 01:40:05 MSK
It reproduces the same way with the latest GIT as well:

[lakostis@lks ~]$ sudo gdb --args /usr/libexec/bluetooth/bluetoothd -n
[sudo] password for lakostis:
GNU gdb (GDB) 7.9-alt3 (ALT Linux)
Copyright (C) 2015 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-alt-linux".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
<http://www.gnu.org/software/gdb/documentation/>.
For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from /usr/libexec/bluetooth/bluetoothd...Reading symbols from /usr/lib/debug/usr/libexec/bluetooth/bluetoothd.debug...done.
done.
(gdb) break browse_cb
Breakpoint 1 at 0x48eb54
(gdb) run
Starting program: /usr/libexec/bluetooth/bluetoothd -n
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib64/libthread_db.so.1".
bluetoothd[19262]: Bluetooth daemon 5.45
bluetoothd[19262]: Starting SDP server
bluetoothd[19262]: Bluetooth management interface 1.14 initialized
bluetoothd[19262]: No cache for F4:5F:69:01:3D:69

Breakpoint 1, 0x000000000048eb54 in browse_cb ()
(gdb) info locals
No symbol table info available.
(gdb) info frame
Stack level 0, frame at 0x7fffffffe840:
 rip = 0x48eb54 in browse_cb; saved rip = 0x461130
 called by frame at 0x7fffffffe8a0
 Arglist at 0x7fffffffe830, args:
 Locals at 0x7fffffffe830, Previous frame's sp is 0x7fffffffe840
 Saved registers:
  rbp at 0x7fffffffe830, rip at 0x7fffffffe838
(gdb) x 0x48eb54
0x48eb54 <browse_cb+4>: 0x48535441
(gdb) x/c 0x48eb54
0x48eb54 <browse_cb+4>: 65 'A'
(gdb) continue
Continuing.

Program received signal SIGSEGV, Segmentation fault.
0x000000000048eb8d in browse_cb ()
(gdb) x/c 0x48eb54
0x48eb54 <browse_cb+4>: 65 'A'
(gdb) bt
#0  0x000000000048eb8d in browse_cb ()
#1  0x0000000000461130 in search_completed_cb ()
#2  0x00000000004a6ee0 in sdp_process ()
#3  0x00000000004611e4 in search_process_cb ()
#4  0x00007f6875ce67ea in g_main_dispatch (context=0x71de80) at gmain.c:3234
#5  g_main_context_dispatch (context=context@entry=0x71de80) at gmain.c:3899
#6  0x00007f6875ce6b68 in g_main_context_iterate (context=0x71de80, block=block@entry=1, dispatch=dispatch@entry=1, self=<optimized out>) at gmain.c:3972
#7  0x00007f6875ce6e82 in g_main_loop_run (loop=0x71ddf0) at gmain.c:4168
#8  0x000000000044f198 in main ()
(gdb) x/c 0x000000000048eb8d
0x48eb8d <browse_cb+61>:        72 'H'
(gdb) quit
A debugging session is active.

$ rpm -qa|fgrep bluez
bluez-debuginfo-5.46-alt0.c896183.x86_64
bluez-5.46-alt0.c896183.x86_64
libbluez-debuginfo-5.46-alt0.c896183.x86_64
libbluez-5.46-alt0.c896183.x86_64

bluetoothd[31069]: attrib/gattrib.c:g_attrib_unref() 0x73aae0: g_attrib_unref=0 
bluetoothd[31069]: src/device.c:connect_profiles() /org/bluez/hci0/dev_F4_5F_69_01_3D_69 (all), client :1.868
bluetoothd[31069]: src/device.c:connect_profiles() Resolving services for /org/bluez/hci0/dev_F4_5F_69_01_3D_69
bluetoothd[31069]: src/adapter.c:connected_callback() hci0 device F4:5F:69:01:3D:69 connected eir_len 13
bluetoothd[31069]: src/gatt-database.c:connect_cb() New incoming BR/EDR ATT connection
bluetoothd[31069]: attrib/gattrib.c:g_attrib_ref() 0x73d280: g_attrib_ref=1 
bluetoothd[31069]: src/device.c:load_gatt_db() Restoring F4:5F:69:01:3D:69 gatt database from file
bluetoothd[31069]: No cache for F4:5F:69:01:3D:69
bluetoothd[31069]: src/gatt-client.c:btd_gatt_client_connected() Device connected.
bluetoothd[31069]: src/device.c:gatt_debug() Primary service discovery failed. ATT ECODE: 0x0a
bluetoothd[31069]: src/device.c:gatt_client_ready_cb() status: success, error: 0
bluetoothd[31069]: src/gatt-client.c:btd_gatt_client_ready() GATT client ready
bluetoothd[31069]: src/gatt-client.c:create_services() Exporting objects for GATT services: F4:5F:69:01:3D:69
bluetoothd[31069]: src/device.c:device_svc_resolved() /org/bluez/hci0/dev_F4_5F_69_01_3D_69 err 0
bluetoothd[31069]: src/device.c:connect_profiles() /org/bluez/hci0/dev_F4_5F_69_01_3D_69 (all), client :1.868

Program received signal SIGSEGV, Segmentation fault.
0x000000000048eb8d in browse_cb ()
Comment 3 Konstantin A Lepikhov (L.A. Kostis) 2017-07-08 14:45:57 MSK
https://bugzilla.kernel.org/attachment.cgi?id=257395 - the bluez author has proposed a patch that fixes the crashes with one headset, but it still crashes with the second one.
Comment 4 Konstantin A Lepikhov (L.A. Kostis) 2017-08-24 22:56:03 MSK
(In reply to comment #3)
> https://bugzilla.kernel.org/attachment.cgi?id=257395 - the bluez author has proposed
> a patch that fixes the crashes with one headset, but it still crashes with
> the second one.

It no longer crashes. So the patch should be applied.
Comment 5 Konstantin A Lepikhov (L.A. Kostis) 2017-09-04 00:47:06 MSK
- Fixed in 5.46-alt1.