Arch Linux

Please read this before reporting a bug:

Do NOT report bugs when a package is just outdated, or it is in the AUR. Use the 'flag out of date' link on the package page, or the Mailing List.

REPEAT: Do NOT report bugs for outdated packages!

FS#68242 - [bluez] Segfault if `MultiProfile = multiple` since 5.55-1

Attached to Project: Arch Linux
Opened by Mehdi Abaakouk (sileht) - Tuesday, 13 October 2020, 21:00 GMT
Last edited by Andreas Radke (AndyRTR) - Monday, 08 February 2021, 10:45 GMT
Task Type Bug Report
Category Packages: Extra
Status Closed
Assigned To Andreas Radke (AndyRTR)
Architecture All
Severity Medium
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 0
Private No



Segfault if `MultiProfile = multiple` since 5.55-1.
It was working fine in 5.54-2

Additional info:
* package version(s) 5.55-1
* link to upstream bug report:

Steps to reproduce:

systemd bluetoothd service doesn't start with this error:

# journalctl -u bluetoohd -n 10
Oct 13 22:56:22 joe bluetoothd[267840]: Endpoint unregistered: sender=:1.2566 path=/MediaEndpoint/A2DPSink/sbc
Oct 13 22:56:22 joe bluetoothd[267840]: free(): double free detected in tcache 2
Oct 13 22:56:22 joe systemd[1]: bluetooth.service: Main process exited, code=dumped, status=6/ABRT
Oct 13 22:56:22 joe systemd[1]: bluetooth.service: Failed with result 'core-dump'.

Manually, it's not better:

# /usr/lib/bluetooth/bluetoothd
free(): double free detected in tcache 2
Aborted (core dumped)

So I recompiled the package with symbol and get the following backtrace:

(gdb) bt
#0 0x00007ffff7b9e615 in raise () from /usr/lib/
#1 0x00007ffff7b87862 in abort () from /usr/lib/
#2 0x00007ffff7be05e8 in __libc_message () from /usr/lib/
#3 0x00007ffff7be827a in malloc_printerr () from /usr/lib/
#4 0x00007ffff7be9d4c in _int_free () from /usr/lib/
#5 0x000055555558735e in media_endpoint_destroy (endpoint=0x5555556c4ce0) at profiles/audio/media.c:180
#6 0x0000555555587b63 in media_endpoint_create (adapter=adapter@entry=0x5555556c3480, sender=sender@entry=0x5555556be868 ":1.2566", path=0x5555556c7534 "/MediaEndpoint/A2DPSink/sbc",
uuid=0x5555556c7568 "0000110b-0000-1000-8000-00805f9b34fb", delay_reporting=0, codec=<optimized out>, capabilities=0x5555556c75bc "\377\377\002\065", size=4, err=0x7fffffffe340) at profiles/audio/media.c:823
#7 0x00005555555881e4 in register_endpoint (conn=<optimized out>, msg=0x5555556bd580, data=0x5555556c3480) at profiles/audio/media.c:926
#8 0x0000555555604519 in process_message (connection=0x5555556927f0, message=0x5555556bd580, method=0x555555676ba0 <media_methods>, iface_user_data=<optimized out>) at gdbus/object.c:259
#9 0x00007ffff7e357d6 in ?? () from /usr/lib/
#10 0x00007ffff7e253bd in dbus_connection_dispatch () from /usr/lib/
#11 0x0000555555600bb1 in message_dispatch (data=0x5555556927f0) at gdbus/mainloop.c:72
#12 0x00007ffff7eb5924 in g_main_context_dispatch () from /usr/lib/
#13 0x00007ffff7f09621 in ?? () from /usr/lib/
#14 0x00007ffff7eb4e73 in g_main_loop_run () from /usr/lib/
#15 0x0000555555619a06 in mainloop_run () at src/shared/mainloop-glib.c:79
#16 0x0000555555619e88 in mainloop_run_with_signal (func=<optimized out>, user_data=0x0) at src/shared/mainloop-notify.c:201
#17 0x0000555555574ac1 in main (argc=<optimized out>, argv=<optimized out>) at src/main.c:971
This task depends upon

Closed by  Andreas Radke (AndyRTR)
Monday, 08 February 2021, 10:45 GMT
Reason for closing:  Upstream
Additional comments about closing:  bluez-git has the fix available and will be included in the next release. see upstream report.