FS#68671 - [bluez] bluetoothd segfaults when pairing with a loudspeaker

Attached to Project: Arch Linux
Opened by Filip Krikava (fikovnik) - Thursday, 19 November 2020, 17:00 GMT
Last edited by Andreas Radke (AndyRTR) - Monday, 08 February 2021, 11:49 GMT
Task Type Bug Report
Category Packages: Extra
Status Closed
Assigned To Andreas Radke (AndyRTR)
Architecture x86_64
Severity Medium
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 0
Private No

Details

Hi,

I have a Raspberry Pi 3 set up as a loudspeaker:
```
[bluetoothctl]# info 00:1A:7D:DA:71:0F
Device 00:1A:7D:DA:71:0F (public)
Name: radio1
Alias: radio1
Class: 0x00040414
Icon: audio-card
Paired: yes
Trusted: no
Blocked: no
Connected: no
LegacyPairing: no
UUID: Audio Sink (0000110b-0000-1000-8000-00805f9b34fb)
UUID: A/V Remote Control Target (0000110c-0000-1000-8000-00805f9b34fb)
UUID: A/V Remote Control (0000110e-0000-1000-8000-00805f9b34fb)
UUID: PnP Information (00001200-0000-1000-8000-00805f9b34fb)
Modalias: usb:v1D6Bp0246d0532
RSSI: -69
```

I can connect to it using my Android phone and a Windows box.

When I try on Arch (5.9.4-arch1-1, bluez 5.55-1, pulseaudio 13.99.3-1, pulseaudio-modules-bt 1.4-3), bluetoothd crashes:

```
Nov 06 13:25:03 kathmandu pulseaudio[1934]: Found duplicated D-Bus path for sep endpoint /org/bluez/hci0/dev_00_1A_7D_DA_71_0F/sep1
Nov 06 13:25:03 kathmandu pulseaudio[1934]: Found duplicated D-Bus path for sep endpoint /org/bluez/hci0/dev_00_1A_7D_DA_71_0F/sep2
Nov 06 13:25:03 kathmandu pulseaudio[1934]: Found duplicated D-Bus path for sep endpoint /org/bluez/hci0/dev_00_1A_7D_DA_71_0F/sep3
Nov 06 13:25:03 kathmandu bluetoothd[11096]: profiles/audio/a2dp.c:register_remote_sep() Could not register remote sep /org/bluez/hci0/dev_00_1A_7D_DA_71_0F/sep2
Nov 06 13:25:03 kathmandu audit[11096]: ANOM_ABEND auid=4294967295 uid=0 gid=0 ses=4294967295 pid=11096 comm="bluetoothd" exe="/usr/lib/bluetooth/bluetoothd" sig=11 res=1
Nov 06 13:25:03 kathmandu bluetoothd[11096]: profiles/audio/a2dp.c:register_remote_sep() Could not register remote sep /org/bluez/hci0/dev_00_1A_7D_DA_71_0F/sep3
Nov 06 13:25:03 kathmandu kernel: bluetoothd[11096]: segfault at 3 ip 00005602dce85517 sp 00007fffefc38050 error 4 in bluetoothd[5602dce80000+a8000]
Nov 06 13:25:03 kathmandu kernel: Code: 48 8d 0d d7 35 0a 00 ba 04 00 00 00 4c 89 f7 44 0f b6 c0 be 01 00 00 00 31 c0 ff 15 db 58 10 00 48 8b 7d 10 67 e8 99 77 00 00 <44> 0f b6 6b 03 48 8b 7d 10 44 0f b6 f8 67 e8 66 77 00 00 48 83 ec
Nov 06 13:25:03 kathmandu kernel: audit: type=1701 audit(1604665503.844:244): auid=4294967295 uid=0 gid=0 ses=4294967295 pid=11096 comm="bluetoothd" exe="/usr/lib/bluetooth/bluetoothd" sig=11 res=1
Nov 06 13:25:03 kathmandu audit: BPF prog-id=42 op=LOAD
Nov 06 13:25:03 kathmandu audit: BPF prog-id=43 op=LOAD
Nov 06 13:25:03 kathmandu kernel: audit: type=1334 audit(1604665503.891:245): prog-id=42 op=LOAD
Nov 06 13:25:03 kathmandu kernel: audit: type=1334 audit(1604665503.891:246): prog-id=43 op=LOAD
Nov 06 13:25:03 kathmandu systemd[1]: Started Process Core Dump (PID 11445/UID 0).
Nov 06 13:25:03 kathmandu audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 msg='unit=systemd-coredump@6-11445-0 comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Nov 06 13:25:03 kathmandu kernel: audit: type=1130 audit(1604665503.894:247): pid=1 uid=0 auid=4294967295 ses=4294967295 msg='unit=systemd-coredump@6-11445-0 comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Nov 06 13:25:04 kathmandu systemd[1]: bluetooth.service: Main process exited, code=dumped, status=11/SEGV
Nov 06 13:25:04 kathmandu systemd[1]: bluetooth.service: Failed with result 'core-dump'.
Nov 06 13:25:04 kathmandu audit[1]: SERVICE_STOP pid=1 uid=0 auid=4294967295 ses=4294967295 msg='unit=bluetooth comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=failed'
Nov 06 13:25:04 kathmandu kernel: audit: type=1131 audit(1604665504.181:248): pid=1 uid=0 auid=4294967295 ses=4294967295 msg='unit=bluetooth comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=failed'
Nov 06 13:25:04 kathmandu systemd-coredump[11446]: [?] Process 11096 (bluetoothd) of user 0 dumped core.

Stack trace of thread 2526285:
#0 0x000055ac5132c517 store_remote_sep (bluetoothd + 0x25517)
#1 0x000055ac513baf6d queue_foreach (bluetoothd + 0xb3f6d)
#2 0x000055ac5132ce3e store_remote_seps (bluetoothd + 0x25e3e)
#3 0x000055ac5132fb13 discover_cb (bluetoothd + 0x28b13)
#4 0x000055ac51331d5e finalize_discovery (bluetoothd + 0x2ad5e)
#5 0x000055ac513373a9 avdtp_parse_resp (bluetoothd + 0x303a9)
#6 0x00007f55bd639914 g_main_context_dispatch (libglib-2.0.so.0 + 0x52914)
#7 0x00007f55bd68d7d1 n/a (libglib-2.0.so.0 + 0xa67d1)
#8 0x00007f55bd638e63 g_main_loop_run (libglib-2.0.so.0 + 0x51e63)
#9 0x000055ac513cca06 mainloop_run (bluetoothd + 0xc5a06)
#10 0x000055ac513cce88 mainloop_run_with_signal (bluetoothd + 0xc5e88)
#11 0x000055ac51327ac1 main (bluetoothd + 0x20ac1)
#12 0x00007f55bd30c152 __libc_start_main (libc.so.6 + 0x28152)
#13 0x000055ac5132877e _start (bluetoothd + 0x2177e)
Nov 06 13:25:04 kathmandu systemd[1]: systemd-coredump@6-11445-0.service: Succeeded.
Nov 06 13:25:04 kathmandu kernel: audit: type=1131 audit(1604665504.201:249): pid=1 uid=0 auid=4294967295 ses=4294967295 msg='unit=systemd-coredump@6-11445-0 comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Nov 06 13:25:04 kathmandu audit[1]: SERVICE_STOP pid=1 uid=0 auid=4294967295 ses=4294967295 msg='unit=systemd-coredump@6-11445-0 comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Nov 06 13:25:04 kathmandu audit: BPF prog-id=43 op=UNLOAD
Nov 06 13:25:04 kathmandu audit: BPF prog-id=42 op=UNLOAD
```

The problematic lines in `store_remote_sep` (`profiles/audio/a2dp.c`) are:

```
2657 	offset = sprintf(value, "%02hhx:%02hhx:%02hhx:",
2658 			avdtp_get_type(sep->sep), codec->media_codec_type,
2659 			avdtp_get_delay_reporting(sep->sep));
```

The `codec->media_codec_type` is `NULL`. When I add a simple null check and return early from the function, it starts to work.

Not sure if it is of any help, but connecting to other loudspeakers (Bose Mini 2 SoundLink) or BT headsets works fine.
Another thing: if I install and start ofono service, bluetoothd does not crash, but after connecting, it immediately disconnects.
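The pattern behind this report, shown as an added example that is neither the reporter's local patch nor bluez code: a daemon running as root formats a key from a codec capability that a remote device advertised, and dereferences the codec pointer without first checking that the capability is present. The structures below are simplified stand-ins for the AVDTP capability layout (an assumption of this example), and the sample capability bytes are constructed. In this model a missing capability puts `media_codec_type` at address 3, which coincides with the fault address in the kernel line above; whether that is the upstream root cause is not something the report itself establishes. The hardened form rejects an endpoint with no codec capability (or one too short to hold the codec header) instead of faulting, which is the defensive check a daemon exposed to unauthenticated peer data needs.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Stand-ins for the AVDTP capability structures (layout assumed for this
 * example, simplified): a service capability header whose payload, for the
 * media-codec category, is a media codec capability. */
struct avdtp_service_capability {
	uint8_t category;
	uint8_t length;
	uint8_t data[];
};

struct avdtp_media_codec_capability {
	uint8_t rfa0:4;
	uint8_t media_type:4;
	uint8_t media_codec_type;
	uint8_t data[];
};

/* A remote SEP as modelled here: endpoint type, delay-reporting flag and
 * the codec capability the remote device advertised, which may be absent. */
struct remote_sep {
	uint8_t type;
	bool delay_reporting;
	const struct avdtp_service_capability *codec_cap;
};

/* Shape of the crash: the codec pointer is derived from the capability and
 * dereferenced without checking that the capability exists. With codec_cap
 * NULL this would read media_codec_type from address 3 (data is at offset 2,
 * media_codec_type one byte further). Only ever called with a valid SEP here. */
int format_sep_unchecked(const struct remote_sep *sep, char *value, size_t len)
{
	const struct avdtp_media_codec_capability *codec =
		(const void *) sep->codec_cap->data;

	return snprintf(value, len, "%02hhx:%02hhx:%02hhx:",
			sep->type, codec->media_codec_type,
			(uint8_t) sep->delay_reporting);
}

/* Hardened form: refuse to store an endpoint that advertised no codec
 * capability, or one whose declared length cannot hold the codec header.
 * Returns the number of bytes formatted, or -1 when the SEP is rejected. */
int format_sep_checked(const struct remote_sep *sep, char *value, size_t len)
{
	const struct avdtp_service_capability *cap = sep->codec_cap;
	const struct avdtp_media_codec_capability *codec;

	if (cap == NULL || cap->length < sizeof(*codec))
		return -1;

	codec = (const void *) cap->data;
	return snprintf(value, len, "%02hhx:%02hhx:%02hhx:",
			sep->type, codec->media_codec_type,
			(uint8_t) sep->delay_reporting);
}

/* Constructed sample capability: category 7 (media codec), length 4,
 * media type 0 (audio), media codec type 0x02, two codec-specific bytes. */
static const uint8_t sample_codec_cap[] = { 0x07, 0x04, 0x00, 0x02, 0x00, 0x00 };

/* A sink endpoint (type 1) with delay reporting that advertised a codec. */
int demo_with_codec(char *out, size_t len)
{
	struct remote_sep sep = {
		.type = 1, .delay_reporting = true,
		.codec_cap = (const struct avdtp_service_capability *) sample_codec_cap,
	};
	return format_sep_checked(&sep, out, len);   /* 9, out = "01:02:01:" */
}

/* The same endpoint with no codec capability: rejected instead of faulting. */
int demo_without_codec(char *out, size_t len)
{
	struct remote_sep sep = { .type = 1, .delay_reporting = false, .codec_cap = NULL };
	return format_sep_checked(&sep, out, len);   /* -1 */
}

int main(void)
{
	char buf[32];
	int n = demo_with_codec(buf, sizeof buf);
	printf("with codec: %d bytes -> %s\n", n, buf);
	n = demo_without_codec(buf, sizeof buf);
	printf("without codec: %d (rejected)\n", n);
	return 0;
}
```

The caller of the hardened function should treat -1 as "skip this endpoint" rather than as a fatal error, so that one malformed or incomplete endpoint advertised by a peer does not take the whole daemon (and every other paired device's audio) down with it.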

This task depends upon

Closed by  Andreas Radke (AndyRTR)
Monday, 08 February 2021, 11:49 GMT
Reason for closing:  Fixed
Additional comments about closing:  5.55-2 - upstream patch applied
Comment by Andreas Radke (AndyRTR) - Friday, 20 November 2020, 06:37 GMT
Please report this upstream and leave the link here.
Comment by Filip Krikava (fikovnik) - Friday, 20 November 2020, 12:02 GMT
Could you please point me where I can submit the issue?
I asked yesterday at #bluez, but I have not received any answer.
Comment by niko (ik0n) - Friday, 20 November 2020, 13:14 GMT
Hi Filip,

you could try: https://github.com/bluez/bluez/issues.
Comment by Filip Krikava (fikovnik) - Friday, 20 November 2020, 13:26 GMT
I really don't know how I could have missed something that obvious?! Here is the issue: https://github.com/bluez/bluez/issues/57
Comment by Filip Krikava (fikovnik) - Monday, 04 January 2021, 22:08 GMT
The issue has been resolved upstream https://github.com/bluez/bluez/issues/57
Comment by loqs (loqs) - Monday, 04 January 2021, 22:22 GMT