
bluez SEGV in current master

Message ID 6704ebbea9d1bb64e54b45b1b3d6cd321b28971b.camel@infinera.com (mailing list archive)
State New, archived

Checks

Context Check Description
tedd_an/pre-ci_am success Success
tedd_an/CheckPatch warning WARNING:COMMIT_LOG_LONG_LINE: Possible unwrapped commit description (prefer a maximum 75 chars per line); 0 errors, 1 warnings, 18 lines checked (full output in the CI report below)
tedd_an/GitLint fail B1 Line exceeds max length (commit message lines 7, 9-16); B3 Line contains hard tab characters (commit message lines 21-27) (full output in the CI report below)
tedd_an/BuildEll success Build ELL PASS
tedd_an/BluezMake success Bluez Make PASS
tedd_an/MakeCheck success Bluez Make Check PASS
tedd_an/MakeDistcheck success Make Distcheck PASS
tedd_an/CheckValgrind success Check Valgrind PASS
tedd_an/CheckSmatch success CheckSparse PASS
tedd_an/bluezmakeextell success Make External ELL PASS
tedd_an/IncrementalBuild success Incremental Build PASS
tedd_an/ScanBuild success Scan Build PASS

Commit Message

Joakim Tjernlund June 14, 2023, 12:29 p.m. UTC
commit bap: Add broadcast source support, 3030883, in bluez.git

A co-worker sees this SEGV when connecting a headset:

Jun 13 13:38:15 systemd-coredump[3941]: Process 1897 (bluetoothd) of user 0 dumped core.
                                        Module bluetoothd without build-id.
                                        #0  0x0000556bea93277a a2dp_resume_complete (bluetoothd + 0x3e77a)
                                        #1  0x0000556bea9210a2 finalize_resume (bluetoothd + 0x2d0a2)
                                        #2  0x0000556bea92afaf avdtp_start_resp (bluetoothd + 0x36faf)
                                        #6  0x0000556bea9dcc85 mainloop_run (bluetoothd + 0xe8c85)
                                        #7  0x0000556bea9dd0dc mainloop_run_with_signal (bluetoothd + 0xe90dc)
                                        #8  0x0000556bea91a4ef main (bluetoothd + 0x264ef)
                                        #11 0x0000556bea91ace1 _start (bluetoothd + 0x26ce1)
Jun 13 13:38:15 systemd[1]: bluetooth.service: Main process exited, code=dumped, status=11/SEGV


Crash seems to be at:

342	static void a2dp_resume_complete(struct avdtp *session, int err,
343								void *user_data)
344	{
345		struct media_owner *owner = user_data;
346		struct media_request *req = owner->pending;
347		struct media_transport *transport = owner->transport;
348		struct a2dp_sep *sep = media_endpoint_get_sep(transport->endpoint);

A good start (but does NOT fix the problem) might be:


bluez-5.66 works fine though.

Headset: WH-1000XM3

  Jocke

Comments

bluez.test.bot@gmail.com June 14, 2023, 1:52 p.m. UTC | #1
This is an automated email; please do not reply to it!

Dear submitter,

Thank you for submitting the patches to the linux bluetooth mailing list.
These are the CI test results for your patch series:
PW Link:https://patchwork.kernel.org/project/bluetooth/list/?series=757099

---Test result---

Test Summary:
CheckPatch                    FAIL      1.02 seconds
GitLint                       FAIL      0.74 seconds
BuildEll                      PASS      27.26 seconds
BluezMake                     PASS      861.75 seconds
MakeCheck                     PASS      12.27 seconds
MakeDistcheck                 PASS      153.25 seconds
CheckValgrind                 PASS      250.95 seconds
CheckSmatch                   PASS      338.03 seconds
bluezmakeextell               PASS      101.49 seconds
IncrementalBuild              PASS      702.53 seconds
ScanBuild                     PASS      1039.34 seconds

Details
##############################
Test: CheckPatch - FAIL
Desc: Run checkpatch.pl script
Output:
bluez SEGV in current master
WARNING:COMMIT_LOG_LONG_LINE: Possible unwrapped commit description (prefer a maximum 75 chars per line)
#128: 
Jun 13 13:38:15 systemd-coredump[3941]: Process 1897 (bluetoothd) of user 0 dumped core.

/github/workspace/src/src/13279998.patch total: 0 errors, 1 warnings, 18 lines checked

NOTE: For some of the reported defects, checkpatch may be able to
      mechanically convert to the typical style using --fix or --fix-inplace.

/github/workspace/src/src/13279998.patch has style problems, please review.

NOTE: Ignored message types: COMMIT_MESSAGE COMPLEX_MACRO CONST_STRUCT FILE_PATH_CHANGES MISSING_SIGN_OFF PREFER_PACKED SPDX_LICENSE_TAG SPLIT_STRING SSCANF_TO_KSTRTO

NOTE: If any of the errors are false positives, please report
      them to the maintainer, see CHECKPATCH in MAINTAINERS.


##############################
Test: GitLint - FAIL
Desc: Run gitlint
Output:
bluez SEGV in current master

WARNING: I3 - ignore-body-lines: gitlint will be switching from using Python regex 'match' (match beginning) to 'search' (match anywhere) semantics. Please review your ignore-body-lines.regex option accordingly. To remove this warning, set general.regex-style-search=True. More details: https://jorisroovers.github.io/gitlint/configuration/#regex-style-search
7: B1 Line exceeds max length (88>80): "Jun 13 13:38:15 systemd-coredump[3941]: Process 1897 (bluetoothd) of user 0 dumped core."
9: B1 Line exceeds max length (106>80): "                                        #0  0x0000556bea93277a a2dp_resume_complete (bluetoothd + 0x3e77a)"
10: B1 Line exceeds max length (101>80): "                                        #1  0x0000556bea9210a2 finalize_resume (bluetoothd + 0x2d0a2)"
11: B1 Line exceeds max length (102>80): "                                        #2  0x0000556bea92afaf avdtp_start_resp (bluetoothd + 0x36faf)"
12: B1 Line exceeds max length (98>80): "                                        #6  0x0000556bea9dcc85 mainloop_run (bluetoothd + 0xe8c85)"
13: B1 Line exceeds max length (110>80): "                                        #7  0x0000556bea9dd0dc mainloop_run_with_signal (bluetoothd + 0xe90dc)"
14: B1 Line exceeds max length (90>80): "                                        #8  0x0000556bea91a4ef main (bluetoothd + 0x264ef)"
15: B1 Line exceeds max length (92>80): "                                        #11 0x0000556bea91ace1 _start (bluetoothd + 0x26ce1)"
16: B1 Line exceeds max length (95>80): "Jun 13 13:38:15 systemd[1]: bluetooth.service: Main process exited, code=dumped, status=11/SEGV"
21: B3 Line contains hard tab characters (\t): "342	static void a2dp_resume_complete(struct avdtp *session, int err,"
22: B3 Line contains hard tab characters (\t): "343								void *user_data)"
23: B3 Line contains hard tab characters (\t): "344	{"
24: B3 Line contains hard tab characters (\t): "345		struct media_owner *owner = user_data;"
25: B3 Line contains hard tab characters (\t): "346		struct media_request *req = owner->pending;"
26: B3 Line contains hard tab characters (\t): "347		struct media_transport *transport = owner->transport;"
27: B3 Line contains hard tab characters (\t): "348		struct a2dp_sep *sep = media_endpoint_get_sep(transport->endpoint);"


---
Regards,
Linux Bluetooth
Luiz Augusto von Dentz June 14, 2023, 4:25 p.m. UTC | #2
Hi Joakim,

On Wed, Jun 14, 2023 at 5:36 AM Joakim Tjernlund
<Joakim.Tjernlund@infinera.com> wrote:
>
> commit bap: Add broadcast source support, 3030883, in bluez.git
>
> A co-worker sees this SEGV when connecting a headset:
>
> Jun 13 13:38:15 systemd-coredump[3941]: Process 1897 (bluetoothd) of user 0 dumped core.
>                                         Module bluetoothd without build-id.
>                                         #0  0x0000556bea93277a a2dp_resume_complete (bluetoothd + 0x3e77a)
>                                         #1  0x0000556bea9210a2 finalize_resume (bluetoothd + 0x2d0a2)
>                                         #2  0x0000556bea92afaf avdtp_start_resp (bluetoothd + 0x36faf)
>                                         #6  0x0000556bea9dcc85 mainloop_run (bluetoothd + 0xe8c85)
>                                         #7  0x0000556bea9dd0dc mainloop_run_with_signal (bluetoothd + 0xe90dc)
>                                         #8  0x0000556bea91a4ef main (bluetoothd + 0x264ef)
>                                         #11 0x0000556bea91ace1 _start (bluetoothd + 0x26ce1)
> Jun 13 13:38:15 systemd[1]: bluetooth.service: Main process exited, code=dumped, status=11/SEGV
>
>
> Crash seems to be at:
>
> 342     static void a2dp_resume_complete(struct avdtp *session, int err,
> 343                                                             void *user_data)
> 344     {
> 345             struct media_owner *owner = user_data;
> 346             struct media_request *req = owner->pending;
> 347             struct media_transport *transport = owner->transport;
> 348             struct a2dp_sep *sep = media_endpoint_get_sep(transport->endpoint);
>
> A good start (but does NOT fix the problem) might be:
>
> --- bluez-9999/profiles/audio/transport.c.org   2023-06-13 18:38:14.542137531 +0200
> +++ bluez-9999/profiles/audio/transport.c       2023-06-13 18:48:32.542527882 +0200
> @@ -345,7 +345,7 @@
>         struct media_owner *owner = user_data;
>         struct media_request *req = owner->pending;
>         struct media_transport *transport = owner->transport;
> -       struct a2dp_sep *sep = media_endpoint_get_sep(transport->endpoint);
> +       struct a2dp_sep *sep;
>         struct avdtp_stream *stream;
>         int fd;
>         uint16_t imtu, omtu;
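Review bot: deferring the `media_endpoint_get_sep(transport->endpoint)` call out of the declaration only postpones the `transport` dereference; `req` is still read from `owner->pending` two lines above and is never checked anywhere in the patch, and the gdb output later in this thread shows `req = 0x0` with the fault at `req->id = 0`, so the same path still dereferences NULL. Test `owner->pending` and `owner->transport` together right after `owner` is taken from `user_data`, before either is used.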
> @@ -355,7 +355,10 @@
>
>         if (err)
>                 goto fail;
> +       if (!transport)
> +               goto fail;
>
> +       sep = media_endpoint_get_sep(transport->endpoint);
>         stream = a2dp_sep_get_stream(sep);
>         if (stream == NULL)
>                 goto fail;
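Review bot: `if (!transport) goto fail;` covers only the `sep` lookup, not the `req` reads, and whether the `fail:` path itself touches `req` or `transport` is not visible in the hunk and needs checking. More importantly, the report says the patch does not fix the crash and the owner's `transport` and `pending` are both NULL when the callback runs, so the resume completion is being delivered to an owner whose request has already been released; the release path should cancel or detach that pending completion rather than the callback tolerating a cleared owner. Style: a blank line between the two `goto fail;` blocks would match the surrounding code.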
>
> bluez-5.66 works fine though.
>
> Headset: WH-1000XM3
>
>   Jocke

Weird, I don't think much has changed for A2DP, but perhaps there are
some BAP-related changes affecting A2DP for some reason. Any chance to
bisect the patch that introduces this problem? Or is it not always
reproducible?
Joakim Tjernlund June 14, 2023, 4:32 p.m. UTC | #3
On Wed, 2023-06-14 at 09:25 -0700, Luiz Augusto von Dentz wrote:
> Hi Joakim,
> 
> On Wed, Jun 14, 2023 at 5:36 AM Joakim Tjernlund
> <Joakim.Tjernlund@infinera.com> wrote:
> > 
> > commit bap: Add broadcast source support, 3030883, in bluez.git
> > 
> > A co-worker sees this SEGV when connecting a headset:
> > 
> > Jun 13 13:38:15 systemd-coredump[3941]: Process 1897 (bluetoothd) of user 0 dumped core.
> >                                         Module bluetoothd without build-id.
> >                                         #0  0x0000556bea93277a a2dp_resume_complete (bluetoothd + 0x3e77a)
> >                                         #1  0x0000556bea9210a2 finalize_resume (bluetoothd + 0x2d0a2)
> >                                         #2  0x0000556bea92afaf avdtp_start_resp (bluetoothd + 0x36faf)
> >                                         #6  0x0000556bea9dcc85 mainloop_run (bluetoothd + 0xe8c85)
> >                                         #7  0x0000556bea9dd0dc mainloop_run_with_signal (bluetoothd + 0xe90dc)
> >                                         #8  0x0000556bea91a4ef main (bluetoothd + 0x264ef)
> >                                         #11 0x0000556bea91ace1 _start (bluetoothd + 0x26ce1)
> > Jun 13 13:38:15 systemd[1]: bluetooth.service: Main process exited, code=dumped, status=11/SEGV
> > 
> > 
> > Crash seems to be at:
> > 
> > 342     static void a2dp_resume_complete(struct avdtp *session, int err,
> > 343                                                             void *user_data)
> > 344     {
> > 345             struct media_owner *owner = user_data;
> > 346             struct media_request *req = owner->pending;
> > 347             struct media_transport *transport = owner->transport;
> > 348             struct a2dp_sep *sep = media_endpoint_get_sep(transport->endpoint);
> > 
> > A good start (but does NOT fix the problem) might be:
> > 
> > --- bluez-9999/profiles/audio/transport.c.org   2023-06-13 18:38:14.542137531 +0200
> > +++ bluez-9999/profiles/audio/transport.c       2023-06-13 18:48:32.542527882 +0200
> > @@ -345,7 +345,7 @@
> >         struct media_owner *owner = user_data;
> >         struct media_request *req = owner->pending;
> >         struct media_transport *transport = owner->transport;
> > -       struct a2dp_sep *sep = media_endpoint_get_sep(transport->endpoint);
> > +       struct a2dp_sep *sep;
> >         struct avdtp_stream *stream;
> >         int fd;
> >         uint16_t imtu, omtu;
> > @@ -355,7 +355,10 @@
> > 
> >         if (err)
> >                 goto fail;
> > +       if (!transport)
> > +               goto fail;
> > 
> > +       sep = media_endpoint_get_sep(transport->endpoint);
> >         stream = a2dp_sep_get_stream(sep);
> >         if (stream == NULL)
> >                 goto fail;
> > 
> > bluez-5.66 works fine though.
> > 
> > Headset: WH-1000XM3
> > 
> >   Jocke
> 
> Weird, I don't think much has changed for A2DP, but perhaps there are
> some BAP-related changes affecting A2DP for some reason. Any chance to
> bisect the patch that introduces this problem? Or is it not always
> reproducible?

It is reproducible, but on a remote laptop used for daily work, so it would disturb quite a lot.
Can I turn off BAP somehow to see if it is interfering?

Any chance it is related to https://github.com/bluez/bluez/issues/533?

 Jocke
Luiz Augusto von Dentz June 14, 2023, 4:53 p.m. UTC | #4
Hi Joakim,

On Wed, Jun 14, 2023 at 9:32 AM Joakim Tjernlund
<Joakim.Tjernlund@infinera.com> wrote:
>
> On Wed, 2023-06-14 at 09:25 -0700, Luiz Augusto von Dentz wrote:
> > Hi Joakim,
> >
> > On Wed, Jun 14, 2023 at 5:36 AM Joakim Tjernlund
> > <Joakim.Tjernlund@infinera.com> wrote:
> > >
> > > commit bap: Add broadcast source support, 3030883, in bluez.git
> > >
> > > A co-worker sees this SEGV when connecting a headset:
> > >
> > > Jun 13 13:38:15 systemd-coredump[3941]: Process 1897 (bluetoothd) of user 0 dumped core.
> > >                                         Module bluetoothd without build-id.
> > >                                         #0  0x0000556bea93277a a2dp_resume_complete (bluetoothd + 0x3e77a)
> > >                                         #1  0x0000556bea9210a2 finalize_resume (bluetoothd + 0x2d0a2)
> > >                                         #2  0x0000556bea92afaf avdtp_start_resp (bluetoothd + 0x36faf)
> > >                                         #6  0x0000556bea9dcc85 mainloop_run (bluetoothd + 0xe8c85)
> > >                                         #7  0x0000556bea9dd0dc mainloop_run_with_signal (bluetoothd + 0xe90dc)
> > >                                         #8  0x0000556bea91a4ef main (bluetoothd + 0x264ef)
> > >                                         #11 0x0000556bea91ace1 _start (bluetoothd + 0x26ce1)
> > > Jun 13 13:38:15 systemd[1]: bluetooth.service: Main process exited, code=dumped, status=11/SEGV
> > >
> > >
> > > Crash seems to be at:
> > >
> > > 342     static void a2dp_resume_complete(struct avdtp *session, int err,
> > > 343                                                             void *user_data)
> > > 344     {
> > > 345             struct media_owner *owner = user_data;
> > > 346             struct media_request *req = owner->pending;
> > > 347             struct media_transport *transport = owner->transport;
> > > 348             struct a2dp_sep *sep = media_endpoint_get_sep(transport->endpoint);
> > >
> > > A good start (but does NOT fix the problem) might be:
> > >
> > > --- bluez-9999/profiles/audio/transport.c.org   2023-06-13 18:38:14.542137531 +0200
> > > +++ bluez-9999/profiles/audio/transport.c       2023-06-13 18:48:32.542527882 +0200
> > > @@ -345,7 +345,7 @@
> > >         struct media_owner *owner = user_data;
> > >         struct media_request *req = owner->pending;
> > >         struct media_transport *transport = owner->transport;
> > > -       struct a2dp_sep *sep = media_endpoint_get_sep(transport->endpoint);
> > > +       struct a2dp_sep *sep;
> > >         struct avdtp_stream *stream;
> > >         int fd;
> > >         uint16_t imtu, omtu;
> > > @@ -355,7 +355,10 @@
> > >
> > >         if (err)
> > >                 goto fail;
> > > +       if (!transport)
> > > +               goto fail;
> > >
> > > +       sep = media_endpoint_get_sep(transport->endpoint);
> > >         stream = a2dp_sep_get_stream(sep);
> > >         if (stream == NULL)
> > >                 goto fail;
> > >
> > > bluez-5.66 works fine though.
> > >
> > > Headset: WH-1000XM3
> > >
> > >   Jocke
> >
> > Weird, I don't think much has changed for A2DP, but perhaps there are
> > some BAP-related changes affecting A2DP for some reason. Any chance to
> > bisect the patch that introduces this problem? Or is it not always
> > reproducible?
>
> It is reproducible, but on a remote laptop used for daily work, so it would disturb quite a lot.
> Can I turn off BAP somehow to see if it is interfering?
>
> Any chance it is related to https://github.com/bluez/bluez/issues/533?

Right, yeah, that is possible since it appears to be some unbalanced
reference count issue; that said, that was a very old version, not sure
if we haven't fixed that.

>  Jocke
Joakim Tjernlund June 14, 2023, 5 p.m. UTC | #5
On Wed, 2023-06-14 at 09:53 -0700, Luiz Augusto von Dentz wrote:
> Hi Joakim,
>
> On Wed, Jun 14, 2023 at 9:32 AM Joakim Tjernlund
> <Joakim.Tjernlund@infinera.com> wrote:
> >
> > On Wed, 2023-06-14 at 09:25 -0700, Luiz Augusto von Dentz wrote:
> > > Hi Joakim,
> > >
> > > On Wed, Jun 14, 2023 at 5:36 AM Joakim Tjernlund
> > > <Joakim.Tjernlund@infinera.com> wrote:
> > > >
> > > > commit bap: Add broadcast source support, 3030883, in bluez.git
> > > >
> > > > A co-worker sees this SEGV when connecting a headset:
> > > >
> > > > Jun 13 13:38:15 systemd-coredump[3941]: Process 1897 (bluetoothd) of user 0 dumped core.
> > > >                                         Module bluetoothd without build-id.
> > > >                                         #0  0x0000556bea93277a a2dp_resume_complete (bluetoothd + 0x3e77a)
> > > >                                         #1  0x0000556bea9210a2 finalize_resume (bluetoothd + 0x2d0a2)
> > > >                                         #2  0x0000556bea92afaf avdtp_start_resp (bluetoothd + 0x36faf)
> > > >                                         #6  0x0000556bea9dcc85 mainloop_run (bluetoothd + 0xe8c85)
> > > >                                         #7  0x0000556bea9dd0dc mainloop_run_with_signal (bluetoothd + 0xe90dc)
> > > >                                         #8  0x0000556bea91a4ef main (bluetoothd + 0x264ef)
> > > >                                         #11 0x0000556bea91ace1 _start (bluetoothd + 0x26ce1)
> > > > Jun 13 13:38:15 systemd[1]: bluetooth.service: Main process exited, code=dumped, status=11/SEGV
> > > >
> > > >
> > > > Crash seems to be at:
> > > >
> > > > 342     static void a2dp_resume_complete(struct avdtp *session, int err,
> > > > 343                                                             void *user_data)
> > > > 344     {
> > > > 345             struct media_owner *owner = user_data;
> > > > 346             struct media_request *req = owner->pending;
> > > > 347             struct media_transport *transport = owner->transport;
> > > > 348             struct a2dp_sep *sep = media_endpoint_get_sep(transport->endpoint);
> > > >
> > > > A good start (but does NOT fix the problem) might be:
> > > >
> > > > --- bluez-9999/profiles/audio/transport.c.org   2023-06-13 18:38:14.542137531 +0200
> > > > +++ bluez-9999/profiles/audio/transport.c       2023-06-13 18:48:32.542527882 +0200
> > > > @@ -345,7 +345,7 @@
> > > >         struct media_owner *owner = user_data;
> > > >         struct media_request *req = owner->pending;
> > > >         struct media_transport *transport = owner->transport;
> > > > -       struct a2dp_sep *sep = media_endpoint_get_sep(transport->endpoint);
> > > > +       struct a2dp_sep *sep;
> > > >         struct avdtp_stream *stream;
> > > >         int fd;
> > > >         uint16_t imtu, omtu;
> > > > @@ -355,7 +355,10 @@
> > > >
> > > >         if (err)
> > > >                 goto fail;
> > > > +       if (!transport)
> > > > +               goto fail;
> > > >
> > > > +       sep = media_endpoint_get_sep(transport->endpoint);
> > > >         stream = a2dp_sep_get_stream(sep);
> > > >         if (stream == NULL)
> > > >                 goto fail;
> > > >
> > > > bluez-5.66 works fine though.
> > > >
> > > > Headset: WH-1000XM3
> > > >
> > > >   Jocke
> > >
> > > Weird, I don't think much has changed for A2DP, but perhaps there are
> > > some BAP-related changes affecting A2DP for some reason. Any chance to
> > > bisect the patch that introduces this problem? Or is it not always
> > > reproducible?
> >
> > It is reproducible, but on a remote laptop used for daily work, so it would disturb quite a lot.
> > Can I turn off BAP somehow to see if it is interfering?
> >
> > Any chance it is related to https://github.com/bluez/bluez/issues/533?
>
> Right, yeah, that is possible since it appears to be some unbalanced
> reference count issue; that said, that was a very old version, not sure
> if we haven't fixed that.

It is not fixed in the unref code discussed in that issue on master.

    Jocke
Joakim Tjernlund June 27, 2023, 8:35 a.m. UTC | #6
On Wed, 2023-06-14 at 19:00 +0200, Joakim Tjernlund wrote:
> On Wed, 2023-06-14 at 09:53 -0700, Luiz Augusto von Dentz wrote:
> > Hi Joakim,
> >
> > On Wed, Jun 14, 2023 at 9:32 AM Joakim Tjernlund
> > <Joakim.Tjernlund@infinera.com> wrote:
> > >
> > > On Wed, 2023-06-14 at 09:25 -0700, Luiz Augusto von Dentz wrote:
> > > > Hi Joakim,
> > > >
> > > > On Wed, Jun 14, 2023 at 5:36 AM Joakim Tjernlund
> > > > <Joakim.Tjernlund@infinera.com> wrote:
> > > > >
> > > > > commit bap: Add broadcast source support, 3030883, in bluez.git
> > > > >
> > > > > A co-worker sees this SEGV when connecting a headset:
> > > > >
> > > > > Jun 13 13:38:15 systemd-coredump[3941]: Process 1897 (bluetoothd) of user 0 dumped core.
> > > > >                                         Module bluetoothd without build-id.
> > > > >                                         #0  0x0000556bea93277a a2dp_resume_complete (bluetoothd + 0x3e77a)
> > > > >                                         #1  0x0000556bea9210a2 finalize_resume (bluetoothd + 0x2d0a2)
> > > > >                                         #2  0x0000556bea92afaf avdtp_start_resp (bluetoothd + 0x36faf)
> > > > >                                         #6  0x0000556bea9dcc85 mainloop_run (bluetoothd + 0xe8c85)
> > > > >                                         #7  0x0000556bea9dd0dc mainloop_run_with_signal (bluetoothd + 0xe90dc)
> > > > >                                         #8  0x0000556bea91a4ef main (bluetoothd + 0x264ef)
> > > > >                                         #11 0x0000556bea91ace1 _start (bluetoothd + 0x26ce1)
> > > > > Jun 13 13:38:15 systemd[1]: bluetooth.service: Main process exited, code=dumped, status=11/SEGV
> > > > >
> > > > >
> > > > > Crash seems to be at:
> > > > >
> > > > > 342     static void a2dp_resume_complete(struct avdtp *session, int err,
> > > > > 343                                                             void *user_data)
> > > > > 344     {
> > > > > 345             struct media_owner *owner = user_data;
> > > > > 346             struct media_request *req = owner->pending;
> > > > > 347             struct media_transport *transport = owner->transport;
> > > > > 348             struct a2dp_sep *sep = media_endpoint_get_sep(transport->endpoint);
> > > > >
> > > > > A good start (but does NOT fix the problem) might be:
> > > > >
> > > > > --- bluez-9999/profiles/audio/transport.c.org   2023-06-13 18:38:14.542137531 +0200
> > > > > +++ bluez-9999/profiles/audio/transport.c       2023-06-13 18:48:32.542527882 +0200
> > > > > @@ -345,7 +345,7 @@
> > > > >         struct media_owner *owner = user_data;
> > > > >         struct media_request *req = owner->pending;
> > > > >         struct media_transport *transport = owner->transport;
> > > > > -       struct a2dp_sep *sep = media_endpoint_get_sep(transport->endpoint);
> > > > > +       struct a2dp_sep *sep;
> > > > >         struct avdtp_stream *stream;
> > > > >         int fd;
> > > > >         uint16_t imtu, omtu;
> > > > > @@ -355,7 +355,10 @@
> > > > >
> > > > >         if (err)
> > > > >                 goto fail;
> > > > > +       if (!transport)
> > > > > +               goto fail;
> > > > >
> > > > > +       sep = media_endpoint_get_sep(transport->endpoint);
> > > > >         stream = a2dp_sep_get_stream(sep);
> > > > >         if (stream == NULL)
> > > > >                 goto fail;
> > > > >
> > > > > bluez-5.66 works fine though.
> > > > >
> > > > > Headset: WH-1000XM3
> > > > >
> > > > >   Jocke
> > > >
> > > > Weird, I don't think much has changed for A2DP, but perhaps there are
> > > > some BAP-related changes affecting A2DP for some reason. Any chance to
> > > > bisect the patch that introduces this problem? Or is it not always
> > > > reproducible?
> > >
> > > It is reproducible, but on a remote laptop used for daily work, so it would disturb quite a lot.
> > > Can I turn off BAP somehow to see if it is interfering?
> > >
> > > Any chance it is related to https://github.com/bluez/bluez/issues/533?
> >
> > Right, yeah, that is possible since it appears to be some unbalanced
> > reference count issue; that said, that was a very old version, not sure
> > if we haven't fixed that.
>
> It is not fixed in the unref code discussed in that issue on master.
>
>     Jocke

Managed to get a bt:
Core was generated by `/usr/libexec/bluetooth/bluetoothd'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0  a2dp_resume_complete (session=0x55e437429c40, err=0, user_data=0x55e437456c90) at profiles/audio/transport.c:354

warning: Source file is more recent than executable.
354             req->id = 0;
(gdb) bt full
#0  a2dp_resume_complete (session=0x55e437429c40, err=0, user_data=0x55e437456c90) at profiles/audio/transport.c:354
        owner = 0x55e437456c90
        req = 0x0
        transport = 0x0
        sep = <optimized out>
        stream = <optimized out>
        fd = 0
        imtu = 0
        omtu = 0
        ret = <optimized out>
#1  0x000055e4367f30a2 in finalize_resume (data=0x55e43745fc90) at profiles/audio/a2dp.c:352
        cb = 0x55e437472f10
        s = 0x55e43745fc90
        l = 0x0
#2  0x000055e4367fcfaf in avdtp_start_resp (resp=0x55e437429cb3, size=0, stream=0x55e437455690, session=0x55e437429c40) at profiles/audio/avdtp.c:2868
        sep = 0x55e437411660
#3  avdtp_parse_resp (transaction=<optimized out>, size=0, buf=0x55e437429cb3, signal_id=<optimized out>, stream=0x55e437455690,
    session=0x55e437429c40) at profiles/audio/avdtp.c:2988
        next = 0x0
        get_all = 0x55e4368c19a8 ""
        next = <optimized out>
        get_all = <optimized out>
        __func__ = "avdtp_parse_resp"
        __btd_debug_desc = {file = 0x55e4368b3f97 "profiles/audio/avdtp.c", flags = 0}
        __btd_debug_desc = {file = 0x55e4368b3f97 "profiles/audio/avdtp.c", flags = 0}
        __btd_debug_desc = {file = 0x55e4368b3f97 "profiles/audio/avdtp.c", flags = 0}
        __btd_debug_desc = {file = 0x55e4368b3f97 "profiles/audio/avdtp.c", flags = 0}
        __btd_debug_desc = {file = 0x55e4368b3f97 "profiles/audio/avdtp.c", flags = 0}
        __btd_debug_desc = {file = 0x55e4368b3f97 "profiles/audio/avdtp.c", flags = 0}
        __btd_debug_desc = {file = 0x55e4368b3f97 "profiles/audio/avdtp.c", flags = 0}
        __btd_debug_desc = {file = 0x55e4368b3f97 "profiles/audio/avdtp.c", flags = 0}
        __btd_debug_desc = {file = 0x55e4368b3f97 "profiles/audio/avdtp.c", flags = 0}
        __btd_debug_desc = {file = 0x55e4368b3f97 "profiles/audio/avdtp.c", flags = 0}
        __btd_debug_desc = {file = 0x55e4368b3f97 "profiles/audio/avdtp.c", flags = 0}
#4  session_cb (chan=<optimized out>, cond=<optimized out>, data=0x55e437429c40) at profiles/audio/avdtp.c:2286
        session = 0x55e437429c40
        header = <optimized out>
--Type <RET> for more, q to quit, c to continue without paging--
        size = <optimized out>
        fd = <optimized out>
        __func__ = "session_cb"
#5  0x00007fb64c271acf in g_main_dispatch (context=0x55e43740c870) at /var/tmp/portage/dev-libs/glib-2.76.2/glib-2.76.2/glib/gmain.c:3460
        dispatch = 0x7fb64c2ca330 <g_io_unix_dispatch>
        prev_source = 0x0
        begin_time_nsec = 0
        was_in_call = 0
        user_data = 0x55e437429c40
        callback = 0x55e4367fae60 <session_cb>
        cb_funcs = <optimized out>
        cb_data = 0x55e437448570
        need_destroy = <optimized out>
        source = 0x55e437456e50
        current = 0x55e437416a00
        i = 0
        current = <optimized out>
        i = <optimized out>
        __func__ = "g_main_dispatch"
        source = <optimized out>
        _g_boolean_var_163 = <optimized out>
        was_in_call = <optimized out>
        user_data = <optimized out>
        callback = <optimized out>
        cb_funcs = <optimized out>
        cb_data = <optimized out>
        need_destroy = <optimized out>
        dispatch = <optimized out>
        prev_source = <optimized out>
        begin_time_nsec = <optimized out>
        _g_boolean_var_164 = <optimized out>
#6  g_main_context_dispatch (context=context@entry=0x55e43740c870) at /var/tmp/portage/dev-libs/glib-2.76.2/glib-2.76.2/glib/gmain.c:4200
No locals.
#7  0x00007fb64c271ea8 in g_main_context_iterate (context=0x55e43740c870, block=block@entry=1, dispatch=dispatch@entry=1, self=<optimized out>)
    at /var/tmp/portage/dev-libs/glib-2.76.2/glib-2.76.2/glib/gmain.c:4276
        max_priority = 2147483647
        timeout = 5952
--Type <RET> for more, q to quit, c to continue without paging--
        some_ready = 1
        nfds = <optimized out>
        allocated_nfds = 35
        fds = 0x55e437439090
        begin_time_nsec = 0
#8  0x00007fb64c27215f in g_main_loop_run (loop=0x55e43740c9e0) at /var/tmp/portage/dev-libs/glib-2.76.2/glib-2.76.2/glib/gmain.c:4479
        self = <optimized out>
        __func__ = "g_main_loop_run"
#9  0x000055e4368afb55 in mainloop_run () at src/shared/mainloop-glib.c:66
No locals.
#10 0x000055e4368affac in mainloop_run_with_signal (func=func@entry=0x55e43682f6a0 <signal_callback>, user_data=user_data@entry=0x0)
    at src/shared/mainloop-notify.c:188
        data = 0x55e437416820
        io = 0x55e437416840
        ret = <optimized out>
#11 0x000055e4367ec4ff in main (argc=<optimized out>, argv=<optimized out>) at src/main.c:1450
        context = <optimized out>
        err = 0x0
        sdp_mtu = 0
        sdp_flags = <optimized out>
        gdbus_flags = <optimized out>
        __func__ = "main"

So req is NULL and:
print *owner
$2 = {transport = 0x0, pending = 0x0, name = 0x55e437473f70 ":1.41", watch = 0}

print *session
$3 = {ref = 3, version = 259, lseps = 0x55e437425990, device = 0x55e4374313d0, state = AVDTP_SESSION_STATE_CONNECTED, io = 0x55e437458370,
  io_id = 380, seps = 0x55e4374559e0 = {0x55e437455a40, 0x55e43742bb80, 0x55e43742c1f0, 0x55e43745dad0, 0x55e43745e060}, streams = 0x55e43745db70 = {
    0x55e437455690}, req_queue = 0x0, prio_queue = 0x0, pending_open = 0x0, pending_open_io = 0x0, phy = 511, imtu = 672, omtu = 895, in = {
    active = 0, no_of_packets = 1, transaction = 3 '\003', message_type = 2 '\002', signal_id = 7 '\a',
    buf = "\004\005\334\b\030\b\f\b\b\b", '\000' <repeats 1013 times>, data_size = 0 '\000'},
  buf = 0x55e43742a0f0 "2\a\024", <incomplete sequence \334>, discover = 0x0, req = 0x55e437455b70, dc_timer = 0, dc_timeout = 1, stream_setup = 0}
Joakim Tjernlund June 27, 2023, 1:14 p.m. UTC | #7
On Tue, 2023-06-27 at 10:35 +0200, Joakim Tjernlund wrote:
> On Wed, 2023-06-14 at 19:00 +0200, Joakim Tjernlund wrote:
> > On Wed, 2023-06-14 at 09:53 -0700, Luiz Augusto von Dentz wrote:
> > > Hi Joakim,
> > >
> > > On Wed, Jun 14, 2023 at 9:32 AM Joakim Tjernlund
> > > <Joakim.Tjernlund@infinera.com> wrote:
> > > >
> > > > On Wed, 2023-06-14 at 09:25 -0700, Luiz Augusto von Dentz wrote:
> > > > > Hi Joakim,
> > > > >
> > > > > On Wed, Jun 14, 2023 at 5:36 AM Joakim Tjernlund
> > > > > <Joakim.Tjernlund@infinera.com> wrote:
> > > > > >
> > > > > > commit bap: Add broadcast source support, 3030883, in bluez.git
> > > > > >
> > > > > > A co-worker sees this SEGV when connecting a headset:
> > > > > >
> > > > > > Jun 13 13:38:15 systemd-coredump[3941]: Process 1897 (bluetoothd) of user 0 dumped core.
> > > > > >                                         Module bluetoothd without build-id.
> > > > > >                                         #0  0x0000556bea93277a a2dp_resume_complete (bluetoothd + 0x3e77a)
> > > > > >                                         #1  0x0000556bea9210a2 finalize_resume (bluetoothd + 0x2d0a2)
> > > > > >                                         #2  0x0000556bea92afaf avdtp_start_resp (bluetoothd + 0x36faf)
> > > > > >                                         #6  0x0000556bea9dcc85 mainloop_run (bluetoothd + 0xe8c85)
> > > > > >                                         #7  0x0000556bea9dd0dc mainloop_run_with_signal (bluetoothd + 0xe90dc)
> > > > > >                                         #8  0x0000556bea91a4ef main (bluetoothd + 0x264ef)
> > > > > >                                         #11 0x0000556bea91ace1 _start (bluetoothd + 0x26ce1)
> > > > > > Jun 13 13:38:15 systemd[1]: bluetooth.service: Main process exited, code=dumped, status=11/SEGV
> > > > > >
> > > > > >
> > > > > > Crash seems to be at:
> > > > > >
> > > > > > 342     static void a2dp_resume_complete(struct avdtp *session, int err,
> > > > > > 343                                                             void *user_data)
> > > > > > 344     {
> > > > > > 345             struct media_owner *owner = user_data;
> > > > > > 346             struct media_request *req = owner->pending;
> > > > > > 347             struct media_transport *transport = owner->transport;
> > > > > > 348             struct a2dp_sep *sep = media_endpoint_get_sep(transport->endpoint);
> > > > > >
> > > > > > A good start (but does NOT fix the problem) might be:
> > > > > >
> > > > > > --- bluez-9999/profiles/audio/transport.c.org   2023-06-13 18:38:14.542137531 +0200
> > > > > > +++ bluez-9999/profiles/audio/transport.c       2023-06-13 18:48:32.542527882 +0200
> > > > > > @@ -345,7 +345,7 @@
> > > > > >         struct media_owner *owner = user_data;
> > > > > >         struct media_request *req = owner->pending;
> > > > > >         struct media_transport *transport = owner->transport;
> > > > > > -       struct a2dp_sep *sep = media_endpoint_get_sep(transport->endpoint);
> > > > > > +       struct a2dp_sep *sep;
> > > > > >         struct avdtp_stream *stream;
> > > > > >         int fd;
> > > > > >         uint16_t imtu, omtu;
> > > > > > @@ -355,7 +355,10 @@
> > > > > >
> > > > > >         if (err)
> > > > > >                 goto fail;
> > > > > > +       if (!transport)
> > > > > > +               goto fail;
> > > > > >
> > > > > > +       sep = media_endpoint_get_sep(transport->endpoint);
> > > > > >         stream = a2dp_sep_get_stream(sep);
> > > > > >         if (stream == NULL)
> > > > > >                 goto fail;
> > > > > >
> > > > > > bluez-5.66 works fine though.
> > > > > >
> > > > > > Headset: WH-1000XM3
> > > > > >
> > > > > >   Jocke
> > > > >
> > > > > Weird, I don't think much has changed for A2DP, but perhaps there are
> > > > > some BAP-related changes affecting A2DP for some reason. Any chance to
> > > > > bisect the patch that introduces this problem? Or is it not always
> > > > > reproducible?
> > > >
> > > > It is reproducible but on a remote laptop used for daily work, so it would disturb quite a lot.
> > > > Can I turn off BAP somehow to see if it is interfering?
> > > >
> > > > Any chance it is related to https://github.com/bluez/bluez/issues/533?
> > >
> > > Right, yeah, that is possible since it appears to be some unbalanced
> > > reference count issue. That said, that was a very old version; not sure
> > > if we haven't fixed that.
> >
> > It is not fixed in the unref code discussed in that issue on master.
> >
> >     Jocke
>
> Managed to get a bt:
> Core was generated by `/usr/libexec/bluetooth/bluetoothd'.
> Program terminated with signal SIGSEGV, Segmentation fault.
> #0  a2dp_resume_complete (session=0x55e437429c40, err=0, user_data=0x55e437456c90) at profiles/audio/transport.c:354
>
> warning: Source file is more recent than executable.
> 354           req->id = 0;
> (gdb) bt full
> #0  a2dp_resume_complete (session=0x55e437429c40, err=0, user_data=0x55e437456c90) at profiles/audio/transport.c:354
>         owner = 0x55e437456c90
>         req = 0x0
>         transport = 0x0
>         sep = <optimized out>
>         stream = <optimized out>
>         fd = 0
>         imtu = 0
>         omtu = 0
>         ret = <optimized out>
> #1  0x000055e4367f30a2 in finalize_resume (data=0x55e43745fc90) at profiles/audio/a2dp.c:352
>         cb = 0x55e437472f10
>         s = 0x55e43745fc90
>         l = 0x0
> #2  0x000055e4367fcfaf in avdtp_start_resp (resp=0x55e437429cb3, size=0, stream=0x55e437455690, session=0x55e437429c40) at profiles/audio/avdtp.c:2868
>         sep = 0x55e437411660
> #3  avdtp_parse_resp (transaction=<optimized out>, size=0, buf=0x55e437429cb3, signal_id=<optimized out>, stream=0x55e437455690,
>     session=0x55e437429c40) at profiles/audio/avdtp.c:2988
>         next = 0x0
>         get_all = 0x55e4368c19a8 ""
>         next = <optimized out>
>         get_all = <optimized out>
>         __func__ = "avdtp_parse_resp"
>         __btd_debug_desc = {file = 0x55e4368b3f97 "profiles/audio/avdtp.c", flags = 0}
>         __btd_debug_desc = {file = 0x55e4368b3f97 "profiles/audio/avdtp.c", flags = 0}
>         __btd_debug_desc = {file = 0x55e4368b3f97 "profiles/audio/avdtp.c", flags = 0}
>         __btd_debug_desc = {file = 0x55e4368b3f97 "profiles/audio/avdtp.c", flags = 0}
>         __btd_debug_desc = {file = 0x55e4368b3f97 "profiles/audio/avdtp.c", flags = 0}
>         __btd_debug_desc = {file = 0x55e4368b3f97 "profiles/audio/avdtp.c", flags = 0}
>         __btd_debug_desc = {file = 0x55e4368b3f97 "profiles/audio/avdtp.c", flags = 0}
>         __btd_debug_desc = {file = 0x55e4368b3f97 "profiles/audio/avdtp.c", flags = 0}
>         __btd_debug_desc = {file = 0x55e4368b3f97 "profiles/audio/avdtp.c", flags = 0}
>         __btd_debug_desc = {file = 0x55e4368b3f97 "profiles/audio/avdtp.c", flags = 0}
>         __btd_debug_desc = {file = 0x55e4368b3f97 "profiles/audio/avdtp.c", flags = 0}
> #4  session_cb (chan=<optimized out>, cond=<optimized out>, data=0x55e437429c40) at profiles/audio/avdtp.c:2286
>         session = 0x55e437429c40
>         header = <optimized out>
> --Type <RET> for more, q to quit, c to continue without paging--
>         size = <optimized out>
>         fd = <optimized out>
>         __func__ = "session_cb"
> #5  0x00007fb64c271acf in g_main_dispatch (context=0x55e43740c870) at /var/tmp/portage/dev-libs/glib-2.76.2/glib-2.76.2/glib/gmain.c:3460
>         dispatch = 0x7fb64c2ca330 <g_io_unix_dispatch>
>         prev_source = 0x0
>         begin_time_nsec = 0
>         was_in_call = 0
>         user_data = 0x55e437429c40
>         callback = 0x55e4367fae60 <session_cb>
>         cb_funcs = <optimized out>
>         cb_data = 0x55e437448570
>         need_destroy = <optimized out>
>         source = 0x55e437456e50
>         current = 0x55e437416a00
>         i = 0
>         current = <optimized out>
>         i = <optimized out>
>         __func__ = "g_main_dispatch"
>         source = <optimized out>
>         _g_boolean_var_163 = <optimized out>
>         was_in_call = <optimized out>
>         user_data = <optimized out>
>         callback = <optimized out>
>         cb_funcs = <optimized out>
>         cb_data = <optimized out>
>         need_destroy = <optimized out>
>         dispatch = <optimized out>
>         prev_source = <optimized out>
>         begin_time_nsec = <optimized out>
>         _g_boolean_var_164 = <optimized out>
> #6  g_main_context_dispatch (context=context@entry=0x55e43740c870) at /var/tmp/portage/dev-libs/glib-2.76.2/glib-2.76.2/glib/gmain.c:4200
> No locals.
> #7  0x00007fb64c271ea8 in g_main_context_iterate (context=0x55e43740c870, block=block@entry=1, dispatch=dispatch@entry=1, self=<optimized out>)
>     at /var/tmp/portage/dev-libs/glib-2.76.2/glib-2.76.2/glib/gmain.c:4276
>         max_priority = 2147483647
>         timeout = 5952
> --Type <RET> for more, q to quit, c to continue without paging--
>         some_ready = 1
>         nfds = <optimized out>
>         allocated_nfds = 35
>         fds = 0x55e437439090
>         begin_time_nsec = 0
> #8  0x00007fb64c27215f in g_main_loop_run (loop=0x55e43740c9e0) at /var/tmp/portage/dev-libs/glib-2.76.2/glib-2.76.2/glib/gmain.c:4479
>         self = <optimized out>
>         __func__ = "g_main_loop_run"
> #9  0x000055e4368afb55 in mainloop_run () at src/shared/mainloop-glib.c:66
> No locals.
> #10 0x000055e4368affac in mainloop_run_with_signal (func=func@entry=0x55e43682f6a0 <signal_callback>, user_data=user_data@entry=0x0)
>     at src/shared/mainloop-notify.c:188
>         data = 0x55e437416820
>         io = 0x55e437416840
>         ret = <optimized out>
> #11 0x000055e4367ec4ff in main (argc=<optimized out>, argv=<optimized out>) at src/main.c:1450
>         context = <optimized out>
>         err = 0x0
>         sdp_mtu = 0
>         sdp_flags = <optimized out>
>         gdbus_flags = <optimized out>
>         __func__ = "main"
>
> So req is NULL and:
> print *owner
> $2 = {transport = 0x0, pending = 0x0, name = 0x55e437473f70 ":1.41", watch = 0}
>
> print *session
> $3 = {ref = 3, version = 259, lseps = 0x55e437425990, device = 0x55e4374313d0, state = AVDTP_SESSION_STATE_CONNECTED, io = 0x55e437458370,
>   io_id = 380, seps = 0x55e4374559e0 = {0x55e437455a40, 0x55e43742bb80, 0x55e43742c1f0, 0x55e43745dad0, 0x55e43745e060}, streams = 0x55e43745db70 = {
>     0x55e437455690}, req_queue = 0x0, prio_queue = 0x0, pending_open = 0x0, pending_open_io = 0x0, phy = 511, imtu = 672, omtu = 895, in = {
>     active = 0, no_of_packets = 1, transaction = 3 '\003', message_type = 2 '\002', signal_id = 7 '\a',
>     buf = "\004\005\334\b\030\b\f\b\b\b", '\000' <repeats 1013 times>, data_size = 0 '\000'},
>   buf = 0x55e43742a0f0 "2\a\024", <incomplete sequence \334>, discover = 0x0, req = 0x55e437455b70, dc_timer = 0, dc_timeout = 1, stream_setup = 0}
>

I forgot, I have these local patches too:
--- bluez-9999/profiles/audio/a2dp.c.org        2023-06-14 16:20:45.777263502 +0200
+++ bluez-9999/profiles/audio/a2dp.c    2023-06-14 16:21:52.650843681 +0200
@@ -231,10 +231,8 @@

        DBG("%p: ref=%d", setup, setup->ref);

-       if (setup->ref > 0)
-               return;
-
-       setup_free(setup);
+       if (setup->ref == 0)
+               setup_free(setup);
 }

 static struct a2dp_setup_cb *setup_cb_new(struct a2dp_setup *setup)
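Review bot: the rewritten condition changes what happens when setup->ref goes negative, which is exactly the unbalanced-unref case suspected in this thread: upstream's `if (setup->ref > 0) return;` falls through to setup_free() on any count <= 0, while `if (setup->ref == 0)` silently keeps the object alive on a negative count. That avoids a second free but hides the imbalance; since the DBG() line above already prints the count, a warning or assertion for `setup->ref < 0` would make the extra unref visible in the log instead of turning it into a leak.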
--- bluez-9999/profiles/audio/avdtp.c.org       2023-06-14 16:22:15.353699371 +0200
+++ bluez-9999/profiles/audio/avdtp.c   2023-06-14 16:24:05.250988808 +0200
@@ -1220,7 +1220,7 @@

        DBG("%p: ref=%d", session, session->ref);

-       if (session->ref > 0)
+       if (session->ref != 0)
                return;

        switch (session->state) {
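Review bot: same pattern as the a2dp.c hunk: `if (session->ref != 0) return;` turns a negative count into an early return, so after one unref too many the session is never torn down (the `switch (session->state)` below is skipped). That is safer than freeing twice, but a negative ref should be reported next to the DBG() rather than returned from quietly, otherwise the imbalance Luiz mentioned stays invisible.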
--- bluez-9999/profiles/audio/transport.c.org   2023-06-13 18:38:14.542137531 +0200
+++ bluez-9999/profiles/audio/transport.c       2023-06-13 18:39:22.110965184 +0200
@@ -345,7 +345,7 @@
        struct media_owner *owner = user_data;
        struct media_request *req = owner->pending;
        struct media_transport *transport = owner->transport;
-       struct a2dp_sep *sep = media_endpoint_get_sep(transport->endpoint);
+       struct a2dp_sep *sep;
        struct avdtp_stream *stream;
        int fd;
        uint16_t imtu, omtu;
@@ -356,6 +356,7 @@
        if (err)
                goto fail;

+       sep = media_endpoint_get_sep(transport->endpoint);
        stream = a2dp_sep_get_stream(sep);
        if (stream == NULL)
                goto fail;
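Review bot: this version of the transport.c change only moves the media_endpoint_get_sep() call below the `if (err)` test; transport is still dereferenced unconditionally, and the `req->id = 0;` at line 354 that the backtrace names as the faulting line lies before this hunk, so with req = 0x0 and transport = 0x0 (see `print *owner`) the crash is unchanged.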
Joakim Tjernlund June 29, 2023, 4:58 p.m. UTC | #8
Any clue/idea?
Just test if req or transport ptrs are NULL and return?

 Jocke

On Tue, 2023-06-27 at 15:14 +0200, Joakim Tjernlund wrote:
> On Tue, 2023-06-27 at 10:35 +0200, Joakim Tjernlund wrote:
> > On Wed, 2023-06-14 at 19:00 +0200, Joakim Tjernlund wrote:
> > > On Wed, 2023-06-14 at 09:53 -0700, Luiz Augusto von Dentz wrote:
> > > > Hi Joakim,
> > > >
> > > > On Wed, Jun 14, 2023 at 9:32 AM Joakim Tjernlund
> > > > <Joakim.Tjernlund@infinera.com> wrote:
> > > > >
> > > > > On Wed, 2023-06-14 at 09:25 -0700, Luiz Augusto von Dentz wrote:
> > > > > > Hi Joakim,
> > > > > >
> > > > > > On Wed, Jun 14, 2023 at 5:36 AM Joakim Tjernlund
> > > > > > <Joakim.Tjernlund@infinera.com> wrote:
> > > > > > >
> > > > > > > commit bap: Add broadcast source support, 3030883, in bluez.git
> > > > > > >
> > > > > > > A co-worker sees this SEGV when connecting a headset:
> > > > > > >
> > > > > > > Jun 13 13:38:15 systemd-coredump[3941]: Process 1897 (bluetoothd) of user 0 dumped core.
> > > > > > >                                         Module bluetoothd without build-id.
> > > > > > >                                         #0  0x0000556bea93277a a2dp_resume_complete (bluetoothd + 0x3e77a)
> > > > > > >                                         #1  0x0000556bea9210a2 finalize_resume (bluetoothd + 0x2d0a2)
> > > > > > >                                         #2  0x0000556bea92afaf avdtp_start_resp (bluetoothd + 0x36faf)
> > > > > > >                                         #6  0x0000556bea9dcc85 mainloop_run (bluetoothd + 0xe8c85)
> > > > > > >                                         #7  0x0000556bea9dd0dc mainloop_run_with_signal (bluetoothd + 0xe90dc)
> > > > > > >                                         #8  0x0000556bea91a4ef main (bluetoothd + 0x264ef)
> > > > > > >                                         #11 0x0000556bea91ace1 _start (bluetoothd + 0x26ce1)
> > > > > > > Jun 13 13:38:15 systemd[1]: bluetooth.service: Main process exited, code=dumped, status=11/SEGV
> > > > > > >
> > > > > > >
> > > > > > > Crash seems to be at:
> > > > > > >
> > > > > > > 342     static void a2dp_resume_complete(struct avdtp *session, int err,
> > > > > > > 343                                                             void *user_data)
> > > > > > > 344     {
> > > > > > > 345             struct media_owner *owner = user_data;
> > > > > > > 346             struct media_request *req = owner->pending;
> > > > > > > 347             struct media_transport *transport = owner->transport;
> > > > > > > 348             struct a2dp_sep *sep = media_endpoint_get_sep(transport->endpoint);
> > > > > > >
> > > > > > > A good start (but does NOT fix the problem) might be:
> > > > > > >
> > > > > > > --- bluez-9999/profiles/audio/transport.c.org   2023-06-13 18:38:14.542137531 +0200
> > > > > > > +++ bluez-9999/profiles/audio/transport.c       2023-06-13 18:48:32.542527882 +0200
> > > > > > > @@ -345,7 +345,7 @@
> > > > > > >         struct media_owner *owner = user_data;
> > > > > > >         struct media_request *req = owner->pending;
> > > > > > >         struct media_transport *transport = owner->transport;
> > > > > > > -       struct a2dp_sep *sep = media_endpoint_get_sep(transport->endpoint);
> > > > > > > +       struct a2dp_sep *sep;
> > > > > > >         struct avdtp_stream *stream;
> > > > > > >         int fd;
> > > > > > >         uint16_t imtu, omtu;
> > > > > > > @@ -355,7 +355,10 @@
> > > > > > >
> > > > > > >         if (err)
> > > > > > >                 goto fail;
> > > > > > > +       if (!transport)
> > > > > > > +               goto fail;
> > > > > > >
> > > > > > > +       sep = media_endpoint_get_sep(transport->endpoint);
> > > > > > >         stream = a2dp_sep_get_stream(sep);
> > > > > > >         if (stream == NULL)
> > > > > > >                 goto fail;
> > > > > > >
> > > > > > > bluez-5.66 works fine though.
> > > > > > >
> > > > > > > Headset: WH-1000XM3
> > > > > > >
> > > > > > >   Jocke
> > > > > >
> > > > > > Weird, I don't think much has changed for A2DP, but perhaps there are
> > > > > > some BAP-related changes affecting A2DP for some reason. Any chance to
> > > > > > bisect the patch that introduces this problem? Or is it not always
> > > > > > reproducible?
> > > > >
> > > > > It is reproducible but on a remote laptop used for daily work, so it would disturb quite a lot.
> > > > > Can I turn off BAP somehow to see if it is interfering?
> > > > >
> > > > > Any chance it is related to https://github.com/bluez/bluez/issues/533?
> > > >
> > > > Right, yeah, that is possible since it appears to be some unbalanced
> > > > reference count issue. That said, that was a very old version; not sure
> > > > if we haven't fixed that.
> > >
> > > It is not fixed in the unref code discussed in that issue on master.
> > >
> > >     Jocke
> >
> > Managed to get a bt:
> > Core was generated by `/usr/libexec/bluetooth/bluetoothd'.
> > Program terminated with signal SIGSEGV, Segmentation fault.
> > #0  a2dp_resume_complete (session=0x55e437429c40, err=0, user_data=0x55e437456c90) at profiles/audio/transport.c:354
> >
> > warning: Source file is more recent than executable.
> > 354         req->id = 0;
> > (gdb) bt full
> > #0  a2dp_resume_complete (session=0x55e437429c40, err=0, user_data=0x55e437456c90) at profiles/audio/transport.c:354
> >         owner = 0x55e437456c90
> >         req = 0x0
> >         transport = 0x0
> >         sep = <optimized out>
> >         stream = <optimized out>
> >         fd = 0
> >         imtu = 0
> >         omtu = 0
> >         ret = <optimized out>
> > #1  0x000055e4367f30a2 in finalize_resume (data=0x55e43745fc90) at profiles/audio/a2dp.c:352
> >         cb = 0x55e437472f10
> >         s = 0x55e43745fc90
> >         l = 0x0
> > #2  0x000055e4367fcfaf in avdtp_start_resp (resp=0x55e437429cb3, size=0, stream=0x55e437455690, session=0x55e437429c40) at profiles/audio/avdtp.c:2868
> >         sep = 0x55e437411660
> > #3  avdtp_parse_resp (transaction=<optimized out>, size=0, buf=0x55e437429cb3, signal_id=<optimized out>, stream=0x55e437455690,
> >     session=0x55e437429c40) at profiles/audio/avdtp.c:2988
> >         next = 0x0
> >         get_all = 0x55e4368c19a8 ""
> >         next = <optimized out>
> >         get_all = <optimized out>
> >         __func__ = "avdtp_parse_resp"
> >         __btd_debug_desc = {file = 0x55e4368b3f97 "profiles/audio/avdtp.c", flags = 0}
> >         __btd_debug_desc = {file = 0x55e4368b3f97 "profiles/audio/avdtp.c", flags = 0}
> >         __btd_debug_desc = {file = 0x55e4368b3f97 "profiles/audio/avdtp.c", flags = 0}
> >         __btd_debug_desc = {file = 0x55e4368b3f97 "profiles/audio/avdtp.c", flags = 0}
> >         __btd_debug_desc = {file = 0x55e4368b3f97 "profiles/audio/avdtp.c", flags = 0}
> >         __btd_debug_desc = {file = 0x55e4368b3f97 "profiles/audio/avdtp.c", flags = 0}
> >         __btd_debug_desc = {file = 0x55e4368b3f97 "profiles/audio/avdtp.c", flags = 0}
> >         __btd_debug_desc = {file = 0x55e4368b3f97 "profiles/audio/avdtp.c", flags = 0}
> >         __btd_debug_desc = {file = 0x55e4368b3f97 "profiles/audio/avdtp.c", flags = 0}
> >         __btd_debug_desc = {file = 0x55e4368b3f97 "profiles/audio/avdtp.c", flags = 0}
> >         __btd_debug_desc = {file = 0x55e4368b3f97 "profiles/audio/avdtp.c", flags = 0}
> > #4  session_cb (chan=<optimized out>, cond=<optimized out>, data=0x55e437429c40) at profiles/audio/avdtp.c:2286
> >         session = 0x55e437429c40
> >         header = <optimized out>
> > --Type <RET> for more, q to quit, c to continue without paging--
> >         size = <optimized out>
> >         fd = <optimized out>
> >         __func__ = "session_cb"
> > #5  0x00007fb64c271acf in g_main_dispatch (context=0x55e43740c870) at /var/tmp/portage/dev-libs/glib-2.76.2/glib-2.76.2/glib/gmain.c:3460
> >         dispatch = 0x7fb64c2ca330 <g_io_unix_dispatch>
> >         prev_source = 0x0
> >         begin_time_nsec = 0
> >         was_in_call = 0
> >         user_data = 0x55e437429c40
> >         callback = 0x55e4367fae60 <session_cb>
> >         cb_funcs = <optimized out>
> >         cb_data = 0x55e437448570
> >         need_destroy = <optimized out>
> >         source = 0x55e437456e50
> >         current = 0x55e437416a00
> >         i = 0
> >         current = <optimized out>
> >         i = <optimized out>
> >         __func__ = "g_main_dispatch"
> >         source = <optimized out>
> >         _g_boolean_var_163 = <optimized out>
> >         was_in_call = <optimized out>
> >         user_data = <optimized out>
> >         callback = <optimized out>
> >         cb_funcs = <optimized out>
> >         cb_data = <optimized out>
> >         need_destroy = <optimized out>
> >         dispatch = <optimized out>
> >         prev_source = <optimized out>
> >         begin_time_nsec = <optimized out>
> >         _g_boolean_var_164 = <optimized out>
> > #6  g_main_context_dispatch (context=context@entry=0x55e43740c870) at /var/tmp/portage/dev-libs/glib-2.76.2/glib-2.76.2/glib/gmain.c:4200
> > No locals.
> > #7  0x00007fb64c271ea8 in g_main_context_iterate (context=0x55e43740c870, block=block@entry=1, dispatch=dispatch@entry=1, self=<optimized out>)
> >     at /var/tmp/portage/dev-libs/glib-2.76.2/glib-2.76.2/glib/gmain.c:4276
> >         max_priority = 2147483647
> >         timeout = 5952
> > --Type <RET> for more, q to quit, c to continue without paging--
> >         some_ready = 1
> >         nfds = <optimized out>
> >         allocated_nfds = 35
> >         fds = 0x55e437439090
> >         begin_time_nsec = 0
> > #8  0x00007fb64c27215f in g_main_loop_run (loop=0x55e43740c9e0) at /var/tmp/portage/dev-libs/glib-2.76.2/glib-2.76.2/glib/gmain.c:4479
> >         self = <optimized out>
> >         __func__ = "g_main_loop_run"
> > #9  0x000055e4368afb55 in mainloop_run () at src/shared/mainloop-glib.c:66
> > No locals.
> > #10 0x000055e4368affac in mainloop_run_with_signal (func=func@entry=0x55e43682f6a0 <signal_callback>, user_data=user_data@entry=0x0)
> >     at src/shared/mainloop-notify.c:188
> >         data = 0x55e437416820
> >         io = 0x55e437416840
> >         ret = <optimized out>
> > #11 0x000055e4367ec4ff in main (argc=<optimized out>, argv=<optimized out>) at src/main.c:1450
> >         context = <optimized out>
> >         err = 0x0
> >         sdp_mtu = 0
> >         sdp_flags = <optimized out>
> >         gdbus_flags = <optimized out>
> >         __func__ = "main"
> >
> > So req is NULL and:
> > print *owner
> > $2 = {transport = 0x0, pending = 0x0, name = 0x55e437473f70 ":1.41", watch = 0}
> >
> > print *session
> > $3 = {ref = 3, version = 259, lseps = 0x55e437425990, device = 0x55e4374313d0, state = AVDTP_SESSION_STATE_CONNECTED, io = 0x55e437458370,
> >   io_id = 380, seps = 0x55e4374559e0 = {0x55e437455a40, 0x55e43742bb80, 0x55e43742c1f0, 0x55e43745dad0, 0x55e43745e060}, streams = 0x55e43745db70 = {
> >     0x55e437455690}, req_queue = 0x0, prio_queue = 0x0, pending_open = 0x0, pending_open_io = 0x0, phy = 511, imtu = 672, omtu = 895, in = {
> >     active = 0, no_of_packets = 1, transaction = 3 '\003', message_type = 2 '\002', signal_id = 7 '\a',
> >     buf = "\004\005\334\b\030\b\f\b\b\b", '\000' <repeats 1013 times>, data_size = 0 '\000'},
> >   buf = 0x55e43742a0f0 "2\a\024", <incomplete sequence \334>, discover = 0x0, req = 0x55e437455b70, dc_timer = 0, dc_timeout = 1, stream_setup = 0}
> >
>
> I forgot, I have these local patches too:
> --- bluez-9999/profiles/audio/a2dp.c.org      2023-06-14 16:20:45.777263502 +0200
> +++ bluez-9999/profiles/audio/a2dp.c  2023-06-14 16:21:52.650843681 +0200
> @@ -231,10 +231,8 @@
>
>       DBG("%p: ref=%d", setup, setup->ref);
>
> -     if (setup->ref > 0)
> -             return;
> -
> -     setup_free(setup);
> +     if (setup->ref == 0)
> +             setup_free(setup);
>  }
>
>  static struct a2dp_setup_cb *setup_cb_new(struct a2dp_setup *setup)
> --- bluez-9999/profiles/audio/avdtp.c.org     2023-06-14 16:22:15.353699371 +0200
> +++ bluez-9999/profiles/audio/avdtp.c 2023-06-14 16:24:05.250988808 +0200
> @@ -1220,7 +1220,7 @@
>
>       DBG("%p: ref=%d", session, session->ref);
>
> -     if (session->ref > 0)
> +     if (session->ref != 0)
>               return;
>
>       switch (session->state) {
> --- bluez-9999/profiles/audio/transport.c.org 2023-06-13 18:38:14.542137531 +0200
> +++ bluez-9999/profiles/audio/transport.c     2023-06-13 18:39:22.110965184 +0200
> @@ -345,7 +345,7 @@
>       struct media_owner *owner = user_data;
>       struct media_request *req = owner->pending;
>       struct media_transport *transport = owner->transport;
> -     struct a2dp_sep *sep = media_endpoint_get_sep(transport->endpoint);
> +     struct a2dp_sep *sep;
>       struct avdtp_stream *stream;
>       int fd;
>       uint16_t imtu, omtu;
> @@ -356,6 +356,7 @@
>       if (err)
>               goto fail;
>
> +     sep = media_endpoint_get_sep(transport->endpoint);
>       stream = a2dp_sep_get_stream(sep);
>       if (stream == NULL)
>               goto fail;
>
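As an added illustration (not code from the thread or from bluez), a constructed C model of the three code shapes discussed here: the posted transport.c patch, the "test both pointers and return" variant asked about in #8, and the unref policy change in the local a2dp.c/avdtp.c patches. All struct and function names below are hypothetical stand-ins for the real ones, and the owner state is the one shown by `print *owner`.

```c
/* Constructed model of the crash discussed in this thread; not bluez code.
 * media_owner, media_request, media_transport, the resume_*() functions and
 * the unref helpers are hypothetical stand-ins that return codes instead
 * of dereferencing NULL, so the code shapes can be compared without crashing. */
#include <stddef.h>

struct media_request   { int id; };
struct media_transport { int fd; };
struct media_owner {
    struct media_transport *transport;
    struct media_request *pending;
};

enum resume_result {
    RESUME_OK = 0,
    RESUME_FAILED,      /* took the fail path */
    RESUME_ORPHANED,    /* owner already detached, nothing to complete */
    RESUME_WOULD_CRASH  /* a NULL pointer would have been dereferenced */
};

typedef enum resume_result (*resume_fn)(struct media_owner *, int);

/* Shape of the posted patch: media_endpoint_get_sep() moves below a transport
 * check, but req->id = 0 (transport.c:354) still runs first, so the owner from
 * the backtrace (pending = 0x0) crashes as before; the fail path may now also
 * run with transport == NULL. */
static enum resume_result resume_patched(struct media_owner *owner, int err)
{
    struct media_request *req = owner->pending;
    struct media_transport *transport = owner->transport;
    if (!req)
        return RESUME_WOULD_CRASH;
    req->id = 0;
    return (err || !transport) ? RESUME_FAILED : RESUME_OK;
}

/* What #8 asks about: test both pointers before any dereference. This stops
 * the crash but only masks the real defect, an owner that was detached while
 * its completion callback was still registered. */
static enum resume_result resume_guarded(struct media_owner *owner, int err)
{
    struct media_request *req = owner->pending;
    struct media_transport *transport = owner->transport;
    if (!req || !transport)
        return RESUME_ORPHANED;
    req->id = 0;
    return err ? RESUME_FAILED : RESUME_OK;
}

/* Runs fn with a live owner, or with the owner state captured in the
 * backtrace (transport = 0x0, pending = 0x0) when detached is set. */
static enum resume_result complete(resume_fn fn, int detached, int err)
{
    struct media_request req = { .id = 7 };
    struct media_transport transport = { .fd = 3 };
    struct media_owner owner = { &transport, &req };
    if (detached)
        owner.transport = NULL, owner.pending = NULL;
    return fn(&owner, err);
}

/* Model of the unref change in the local a2dp.c/avdtp.c patches. */
struct counted { int ref; };
enum unref_policy { UNREF_GT_ZERO, UNREF_NE_ZERO, UNREF_WARN_NEGATIVE };
enum unref_result { UNREF_KEPT, UNREF_RELEASED, UNREF_IMBALANCE };

static enum unref_result unref(struct counted *c, enum unref_policy p)
{
    c->ref--;
    if (c->ref > 0)
        return UNREF_KEPT;
    switch (p) {
    case UNREF_GT_ZERO: /* upstream: ref <= 0 frees, so an extra unref frees again */
        return UNREF_RELEASED;
    case UNREF_NE_ZERO: /* local patch: only ref == 0 frees, ref < 0 is kept silently */
        return c->ref == 0 ? UNREF_RELEASED : UNREF_KEPT;
    default:            /* surface the imbalance (log/assert) instead of hiding it */
        return c->ref == 0 ? UNREF_RELEASED : UNREF_IMBALANCE;
    }
}

/* One unref too many on a singly referenced object: what the second,
 * unbalanced call does under each policy. */
static enum unref_result second_unref(enum unref_policy p)
{
    struct counted c = { .ref = 1 };
    unref(&c, p);
    return unref(&c, p);
}
```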
Patch

--- bluez-9999/profiles/audio/transport.c.org	2023-06-13 18:38:14.542137531 +0200
+++ bluez-9999/profiles/audio/transport.c	2023-06-13 18:48:32.542527882 +0200
@@ -345,7 +345,7 @@ 
 	struct media_owner *owner = user_data;
 	struct media_request *req = owner->pending;
 	struct media_transport *transport = owner->transport;
-	struct a2dp_sep *sep = media_endpoint_get_sep(transport->endpoint);
+	struct a2dp_sep *sep;
 	struct avdtp_stream *stream;
 	int fd;
 	uint16_t imtu, omtu;
@@ -355,7 +355,10 @@ 
 
 	if (err)
 		goto fail;
+	if (!transport)
+		goto fail;
 
+	sep = media_endpoint_get_sep(transport->endpoint);
 	stream = a2dp_sep_get_stream(sep);
 	if (stream == NULL)
 		goto fail;
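Review bot: the new `if (!transport) goto fail;` sits after `req->id = 0;` at line 354, the faulting line in the backtrace, so it cannot prevent the reported SIGSEGV (req = 0x0 there), which matches the author's "does NOT fix the problem". It also jumps to fail: with transport == NULL; the fail label is not in the hunk, so whatever it does with transport has to tolerate that. Since `print *owner` shows both transport and pending already cleared when finalize_resume() invoked this callback, the owner appears to have been released while its resume completion was still pending; a NULL test only masks that lifetime problem, and the fix belongs where the owner is released (cancel or unregister the pending callback there).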