
Null dereference in profiles/audio/avrcp.c

Message ID CA+6+gU=AEHhnEwVq=RyOKemRjZM_zHLmCZKkGO+aUKCaaQVOhA@mail.gmail.com (mailing list archive)
State New, archived

Commit Message

Thomas Eriksson Oct. 5, 2021, 8:53 a.m. UTC
Hi,

When trying to pair my "3M Peltor WS Alert XPI" headset with BlueZ I
get a null dereference in profiles/audio/avrcp.c.

The following small patch avoids the problem:




Below is the backtrace from GDB:

GNU gdb (Debian 10.1-2) 10.1.90.20210103-git
Copyright (C) 2021 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Type "show copying" and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<https://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
    <http://www.gnu.org/software/gdb/documentation/>.

For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from /usr/local/libexec/bluetooth/bluetoothd...
(gdb) run
Starting program: /usr/local/libexec/bluetooth/bluetoothd
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".



Program received signal SIGSEGV, Segmentation fault.
0x0000555555594f14 in avrcp_status_changed (pdu=0x5555556d1b36,
pdu=0x5555556d1b36, session=0x5555556a9800) at
profiles/audio/avrcp.c:3743
3743 struct media_player *mp = player->user_data;
(gdb)
(gdb)
(gdb) bt
#0  0x0000555555594f14 in avrcp_status_changed (pdu=0x5555556d1b36,
pdu=0x5555556d1b36, session=0x5555556a9800) at
profiles/audio/avrcp.c:3743
#1  avrcp_handle_event (conn=0x5555556c98e0, code=15 '\017',
subunit=<optimized out>, transaction=<optimized out>,
operands=0x5555556d1b36 "", operand_count=9, user_data=0x5555556a9800)
    at profiles/audio/avrcp.c:3884
#2  0x000055555558f3c7 in control_response (operand_count=9,
operands=0x5555556d1b36 "", avc=<optimized out>, avctp=<optimized
out>, control=<optimized out>) at profiles/audio/avctp.c:938
#3  session_cb (chan=<optimized out>, cond=<optimized out>,
data=<optimized out>) at profiles/audio/avctp.c:1107
#4  0x00007ffff7ebdc0f in g_main_context_dispatch () from
/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0
#5  0x00007ffff7ebdfb8 in ?? () from /usr/lib/x86_64-linux-gnu/libglib-2.0.so.0
#6  0x00007ffff7ebe2ab in g_main_loop_run () from
/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0
#7  0x0000555555617415 in mainloop_run () at src/shared/mainloop-glib.c:66
#8  0x00005555556177f2 in mainloop_run_with_signal
(func=func@entry=0x5555555af8d0 <signal_callback>,
user_data=user_data@entry=0x0) at src/shared/mainloop-notify.c:188
#9  0x0000555555577147 in main (argc=<optimized out>, argv=<optimized
out>) at src/main.c:1210


Best regards
/Thomas Eriksson

Comments

Luiz Augusto von Dentz Oct. 5, 2021, 6:37 p.m. UTC | #1
Hi Thomas,

On Tue, Oct 5, 2021 at 1:55 AM Thomas Eriksson
<thomas.eriksson@gmail.com> wrote:
>
> Hi,
>
> When trying to pair my "3M Peltor WS Alert XPI" headset with Bluez i
> get a null dereference in profiles/audio/avrcp.c.
>
> The following small patch avoids the problem:
>
> diff --git a/profiles/audio/avrcp.c b/profiles/audio/avrcp.c
> index 7c280203c..6064ab40b 100644
> --- a/profiles/audio/avrcp.c
> +++ b/profiles/audio/avrcp.c
> @@ -3740,10 +3740,13 @@ static void avrcp_status_changed(struct avrcp *session,
>                                                 struct avrcp_header *pdu)
>  {
>         struct avrcp_player *player = session->controller->player;
> -       struct media_player *mp = player->user_data;
> +       struct media_player *mp = NULL;
>         uint8_t value;
>         const char *curval, *strval;
>
> +       if (player == NULL)
> +               return;
> +       mp = player->user_data;
>         value = pdu->params[1];
>
>         curval = media_player_get_status(mp);
>

What version are you using? This should not be reproducible with:

commit cc235a8d528b36cad2cf9fe6517d54711613331a
Author: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Date:   Fri Apr 1 11:07:15 2016 +0300

    audio/avrcp: Fix registering to player events

    If controller does not have a player skip registering to events which
    requires a player.

diff --git a/profiles/audio/avrcp.c b/profiles/audio/avrcp.c
index 0c6279a20..37bc29137 100644
--- a/profiles/audio/avrcp.c
+++ b/profiles/audio/avrcp.c
@@ -3647,8 +3647,9 @@ static gboolean
avrcp_get_capabilities_resp(struct avctp *conn,
                case AVRCP_EVENT_ADDRESSED_PLAYER_CHANGED:
                case AVRCP_EVENT_UIDS_CHANGED:
                case AVRCP_EVENT_AVAILABLE_PLAYERS_CHANGED:
-                       /* These events above are controller specific */
-                       if (!session->controller)
+                       /* These events above requires a player */
+                       if (!session->controller ||
+                                               !session->controller->player)
                                break;
                case AVRCP_EVENT_VOLUME_CHANGED:
                        avrcp_register_notification(session, event);

>
> Below is the backtrace from GDB:
>
> GNU gdb (Debian 10.1-2) 10.1.90.20210103-git
> Copyright (C) 2021 Free Software Foundation, Inc.
> License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
> This is free software: you are free to change and redistribute it.
> There is NO WARRANTY, to the extent permitted by law.
> Type "show copying" and "show warranty" for details.
> This GDB was configured as "x86_64-linux-gnu".
> Type "show configuration" for configuration details.
> For bug reporting instructions, please see:
> <https://www.gnu.org/software/gdb/bugs/>.
> Find the GDB manual and other documentation resources online at:
>     <http://www.gnu.org/software/gdb/documentation/>.
>
> For help, type "help".
> Type "apropos word" to search for commands related to "word"...
> Reading symbols from /usr/local/libexec/bluetooth/bluetoothd...
> (gdb) run
> Starting program: /usr/local/libexec/bluetooth/bluetoothd
> [Thread debugging using libthread_db enabled]
> Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
>
>
>
> Program received signal SIGSEGV, Segmentation fault.
> 0x0000555555594f14 in avrcp_status_changed (pdu=0x5555556d1b36,
> pdu=0x5555556d1b36, session=0x5555556a9800) at
> profiles/audio/avrcp.c:3743
> 3743 struct media_player *mp = player->user_data;
> (gdb)
> (gdb)
> (gdb) bt
> #0  0x0000555555594f14 in avrcp_status_changed (pdu=0x5555556d1b36,
> pdu=0x5555556d1b36, session=0x5555556a9800) at
> profiles/audio/avrcp.c:3743
> #1  avrcp_handle_event (conn=0x5555556c98e0, code=15 '\017',
> subunit=<optimized out>, transaction=<optimized out>,
> operands=0x5555556d1b36 "", operand_count=9, user_data=0x5555556a9800)
>     at profiles/audio/avrcp.c:3884
> #2  0x000055555558f3c7 in control_response (operand_count=9,
> operands=0x5555556d1b36 "", avc=<optimized out>, avctp=<optimized
> out>, control=<optimized out>) at profiles/audio/avctp.c:938
> #3  session_cb (chan=<optimized out>, cond=<optimized out>,
> data=<optimized out>) at profiles/audio/avctp.c:1107
> #4  0x00007ffff7ebdc0f in g_main_context_dispatch () from
> /usr/lib/x86_64-linux-gnu/libglib-2.0.so.0
> #5  0x00007ffff7ebdfb8 in ?? () from /usr/lib/x86_64-linux-gnu/libglib-2.0.so.0
> #6  0x00007ffff7ebe2ab in g_main_loop_run () from
> /usr/lib/x86_64-linux-gnu/libglib-2.0.so.0
> #7  0x0000555555617415 in mainloop_run () at src/shared/mainloop-glib.c:66
> #8  0x00005555556177f2 in mainloop_run_with_signal
> (func=func@entry=0x5555555af8d0 <signal_callback>,
> user_data=user_data@entry=0x0) at src/shared/mainloop-notify.c:188
> #9  0x0000555555577147 in main (argc=<optimized out>, argv=<optimized
> out>) at src/main.c:1210
>
>
> Best regards
> /Thomas Eriksson
Thomas Eriksson Oct. 6, 2021, 6:38 a.m. UTC | #2
On Tue, 5 Oct 2021 at 20:37, Luiz Augusto von Dentz
<luiz.dentz@gmail.com> wrote:
>
> Hi Thomas,

Hi Luiz,

>
> On Tue, Oct 5, 2021 at 1:55 AM Thomas Eriksson
> <thomas.eriksson@gmail.com> wrote:
> >
> > Hi,
> >
> > When trying to pair my "3M Peltor WS Alert XPI" headset with Bluez i
> > get a null dereference in profiles/audio/avrcp.c.
> >
> > The following small patch avoids the problem:
> >
> > diff --git a/profiles/audio/avrcp.c b/profiles/audio/avrcp.c
> > index 7c280203c..6064ab40b 100644
> > --- a/profiles/audio/avrcp.c
> > +++ b/profiles/audio/avrcp.c
> > @@ -3740,10 +3740,13 @@ static void avrcp_status_changed(struct avrcp *session,
> >                                                 struct avrcp_header *pdu)
> >  {
> >         struct avrcp_player *player = session->controller->player;
> > -       struct media_player *mp = player->user_data;
> > +       struct media_player *mp = NULL;
> >         uint8_t value;
> >         const char *curval, *strval;
> >
> > +       if (player == NULL)
> > +               return;
> > +       mp = player->user_data;
> >         value = pdu->params[1];
> >
> >         curval = media_player_get_status(mp);
> >
>
> What version are you using? This should not be reproducible with:
>
> commit cc235a8d528b36cad2cf9fe6517d54711613331a
> Author: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
> Date:   Fri Apr 1 11:07:15 2016 +0300
>
>     audio/avrcp: Fix registering to player events
>
>     If controller does not have a player skip registering to events which
>     requires a player.
>
> diff --git a/profiles/audio/avrcp.c b/profiles/audio/avrcp.c
> index 0c6279a20..37bc29137 100644
> --- a/profiles/audio/avrcp.c
> +++ b/profiles/audio/avrcp.c
> @@ -3647,8 +3647,9 @@ static gboolean
> avrcp_get_capabilities_resp(struct avctp *conn,
>                 case AVRCP_EVENT_ADDRESSED_PLAYER_CHANGED:
>                 case AVRCP_EVENT_UIDS_CHANGED:
>                 case AVRCP_EVENT_AVAILABLE_PLAYERS_CHANGED:
> -                       /* These events above are controller specific */
> -                       if (!session->controller)
> +                       /* These events above requires a player */
> +                       if (!session->controller ||
> +                                               !session->controller->player)
>                                 break;
>                 case AVRCP_EVENT_VOLUME_CHANGED:
>                         avrcp_register_notification(session, event);
>

The crash was present yesterday on
bb12ef4a9f71550ba84033f565a27773d893d8bf (master).


> >
> > Below is the backtrace from GDB:
> >
> > GNU gdb (Debian 10.1-2) 10.1.90.20210103-git
> > Copyright (C) 2021 Free Software Foundation, Inc.
> > License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
> > This is free software: you are free to change and redistribute it.
> > There is NO WARRANTY, to the extent permitted by law.
> > Type "show copying" and "show warranty" for details.
> > This GDB was configured as "x86_64-linux-gnu".
> > Type "show configuration" for configuration details.
> > For bug reporting instructions, please see:
> > <https://www.gnu.org/software/gdb/bugs/>.
> > Find the GDB manual and other documentation resources online at:
> >     <http://www.gnu.org/software/gdb/documentation/>.
> >
> > For help, type "help".
> > Type "apropos word" to search for commands related to "word"...
> > Reading symbols from /usr/local/libexec/bluetooth/bluetoothd...
> > (gdb) run
> > Starting program: /usr/local/libexec/bluetooth/bluetoothd
> > [Thread debugging using libthread_db enabled]
> > Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
> >
> >
> >
> > Program received signal SIGSEGV, Segmentation fault.
> > 0x0000555555594f14 in avrcp_status_changed (pdu=0x5555556d1b36,
> > pdu=0x5555556d1b36, session=0x5555556a9800) at
> > profiles/audio/avrcp.c:3743
> > 3743 struct media_player *mp = player->user_data;
> > (gdb)
> > (gdb)
> > (gdb) bt
> > #0  0x0000555555594f14 in avrcp_status_changed (pdu=0x5555556d1b36,
> > pdu=0x5555556d1b36, session=0x5555556a9800) at
> > profiles/audio/avrcp.c:3743
> > #1  avrcp_handle_event (conn=0x5555556c98e0, code=15 '\017',
> > subunit=<optimized out>, transaction=<optimized out>,
> > operands=0x5555556d1b36 "", operand_count=9, user_data=0x5555556a9800)
> >     at profiles/audio/avrcp.c:3884
> > #2  0x000055555558f3c7 in control_response (operand_count=9,
> > operands=0x5555556d1b36 "", avc=<optimized out>, avctp=<optimized
> > out>, control=<optimized out>) at profiles/audio/avctp.c:938
> > #3  session_cb (chan=<optimized out>, cond=<optimized out>,
> > data=<optimized out>) at profiles/audio/avctp.c:1107
> > #4  0x00007ffff7ebdc0f in g_main_context_dispatch () from
> > /usr/lib/x86_64-linux-gnu/libglib-2.0.so.0
> > #5  0x00007ffff7ebdfb8 in ?? () from /usr/lib/x86_64-linux-gnu/libglib-2.0.so.0
> > #6  0x00007ffff7ebe2ab in g_main_loop_run () from
> > /usr/lib/x86_64-linux-gnu/libglib-2.0.so.0
> > #7  0x0000555555617415 in mainloop_run () at src/shared/mainloop-glib.c:66
> > #8  0x00005555556177f2 in mainloop_run_with_signal
> > (func=func@entry=0x5555555af8d0 <signal_callback>,
> > user_data=user_data@entry=0x0) at src/shared/mainloop-notify.c:188
> > #9  0x0000555555577147 in main (argc=<optimized out>, argv=<optimized
> > out>) at src/main.c:1210
> >
> >
> > Best regards
> > /Thomas Eriksson
>
>
>
> --
> Luiz Augusto von Dentz
Luiz Augusto von Dentz Oct. 6, 2021, 6:53 a.m. UTC | #3
Hi Thomas,

On Tue, Oct 5, 2021 at 11:38 PM Thomas Eriksson
<thomas.eriksson@gmail.com> wrote:
>
> On Tue, 5 Oct 2021 at 20:37, Luiz Augusto von Dentz
> <luiz.dentz@gmail.com> wrote:
> >
> > Hi Thomas,
>
> Hi Luiz,
>
> >
> > On Tue, Oct 5, 2021 at 1:55 AM Thomas Eriksson
> > <thomas.eriksson@gmail.com> wrote:
> > >
> > > Hi,
> > >
> > > When trying to pair my "3M Peltor WS Alert XPI" headset with Bluez i
> > > get a null dereference in profiles/audio/avrcp.c.
> > >
> > > The following small patch avoids the problem:
> > >
> > > diff --git a/profiles/audio/avrcp.c b/profiles/audio/avrcp.c
> > > index 7c280203c..6064ab40b 100644
> > > --- a/profiles/audio/avrcp.c
> > > +++ b/profiles/audio/avrcp.c
> > > @@ -3740,10 +3740,13 @@ static void avrcp_status_changed(struct avrcp *session,
> > >                                                 struct avrcp_header *pdu)
> > >  {
> > >         struct avrcp_player *player = session->controller->player;
> > > -       struct media_player *mp = player->user_data;
> > > +       struct media_player *mp = NULL;
> > >         uint8_t value;
> > >         const char *curval, *strval;
> > >
> > > +       if (player == NULL)
> > > +               return;
> > > +       mp = player->user_data;
> > >         value = pdu->params[1];
> > >
> > >         curval = media_player_get_status(mp);
> > >
> >
> > What version are you using? This should not be reproducible with:
> >
> > commit cc235a8d528b36cad2cf9fe6517d54711613331a
> > Author: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
> > Date:   Fri Apr 1 11:07:15 2016 +0300
> >
> >     audio/avrcp: Fix registering to player events
> >
> >     If controller does not have a player skip registering to events which
> >     requires a player.
> >
> > diff --git a/profiles/audio/avrcp.c b/profiles/audio/avrcp.c
> > index 0c6279a20..37bc29137 100644
> > --- a/profiles/audio/avrcp.c
> > +++ b/profiles/audio/avrcp.c
> > @@ -3647,8 +3647,9 @@ static gboolean
> > avrcp_get_capabilities_resp(struct avctp *conn,
> >                 case AVRCP_EVENT_ADDRESSED_PLAYER_CHANGED:
> >                 case AVRCP_EVENT_UIDS_CHANGED:
> >                 case AVRCP_EVENT_AVAILABLE_PLAYERS_CHANGED:
> > -                       /* These events above are controller specific */
> > -                       if (!session->controller)
> > +                       /* These events above requires a player */
> > +                       if (!session->controller ||
> > +                                               !session->controller->player)
> >                                 break;
> >                 case AVRCP_EVENT_VOLUME_CHANGED:
> >                         avrcp_register_notification(session, event);
> >
>
> The crash was present yesterday on
> bb12ef4a9f71550ba84033f565a27773d893d8bf (master).

Can you attach the HCI trace? I wonder whether the headset is sending a
notification without a registration.

>
> > >
> > > Below is the backtrace from GDB:
> > >
> > > GNU gdb (Debian 10.1-2) 10.1.90.20210103-git
> > > Copyright (C) 2021 Free Software Foundation, Inc.
> > > License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
> > > This is free software: you are free to change and redistribute it.
> > > There is NO WARRANTY, to the extent permitted by law.
> > > Type "show copying" and "show warranty" for details.
> > > This GDB was configured as "x86_64-linux-gnu".
> > > Type "show configuration" for configuration details.
> > > For bug reporting instructions, please see:
> > > <https://www.gnu.org/software/gdb/bugs/>.
> > > Find the GDB manual and other documentation resources online at:
> > >     <http://www.gnu.org/software/gdb/documentation/>.
> > >
> > > For help, type "help".
> > > Type "apropos word" to search for commands related to "word"...
> > > Reading symbols from /usr/local/libexec/bluetooth/bluetoothd...
> > > (gdb) run
> > > Starting program: /usr/local/libexec/bluetooth/bluetoothd
> > > [Thread debugging using libthread_db enabled]
> > > Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
> > >
> > >
> > >
> > > Program received signal SIGSEGV, Segmentation fault.
> > > 0x0000555555594f14 in avrcp_status_changed (pdu=0x5555556d1b36,
> > > pdu=0x5555556d1b36, session=0x5555556a9800) at
> > > profiles/audio/avrcp.c:3743
> > > 3743 struct media_player *mp = player->user_data;
> > > (gdb)
> > > (gdb)
> > > (gdb) bt
> > > #0  0x0000555555594f14 in avrcp_status_changed (pdu=0x5555556d1b36,
> > > pdu=0x5555556d1b36, session=0x5555556a9800) at
> > > profiles/audio/avrcp.c:3743
> > > #1  avrcp_handle_event (conn=0x5555556c98e0, code=15 '\017',
> > > subunit=<optimized out>, transaction=<optimized out>,
> > > operands=0x5555556d1b36 "", operand_count=9, user_data=0x5555556a9800)
> > >     at profiles/audio/avrcp.c:3884
> > > #2  0x000055555558f3c7 in control_response (operand_count=9,
> > > operands=0x5555556d1b36 "", avc=<optimized out>, avctp=<optimized
> > > out>, control=<optimized out>) at profiles/audio/avctp.c:938
> > > #3  session_cb (chan=<optimized out>, cond=<optimized out>,
> > > data=<optimized out>) at profiles/audio/avctp.c:1107
> > > #4  0x00007ffff7ebdc0f in g_main_context_dispatch () from
> > > /usr/lib/x86_64-linux-gnu/libglib-2.0.so.0
> > > #5  0x00007ffff7ebdfb8 in ?? () from /usr/lib/x86_64-linux-gnu/libglib-2.0.so.0
> > > #6  0x00007ffff7ebe2ab in g_main_loop_run () from
> > > /usr/lib/x86_64-linux-gnu/libglib-2.0.so.0
> > > #7  0x0000555555617415 in mainloop_run () at src/shared/mainloop-glib.c:66
> > > #8  0x00005555556177f2 in mainloop_run_with_signal
> > > (func=func@entry=0x5555555af8d0 <signal_callback>,
> > > user_data=user_data@entry=0x0) at src/shared/mainloop-notify.c:188
> > > #9  0x0000555555577147 in main (argc=<optimized out>, argv=<optimized
> > > out>) at src/main.c:1210
> > >
> > >
> > > Best regards
> > > /Thomas Eriksson
> >
> >
> >
> > --
> > Luiz Augusto von Dentz
Thomas Eriksson Oct. 6, 2021, 8:52 a.m. UTC | #4
On Wed, 6 Oct 2021 at 08:53, Luiz Augusto von Dentz
<luiz.dentz@gmail.com> wrote:
>
> Hi Thomas,
>
Hi Luiz,

> On Tue, Oct 5, 2021 at 11:38 PM Thomas Eriksson
> <thomas.eriksson@gmail.com> wrote:
> >
> > On Tue, 5 Oct 2021 at 20:37, Luiz Augusto von Dentz
> > <luiz.dentz@gmail.com> wrote:
> > >
> > > Hi Thomas,
> >
> > Hi Luiz,
> >
> > >
> > > On Tue, Oct 5, 2021 at 1:55 AM Thomas Eriksson
> > > <thomas.eriksson@gmail.com> wrote:
> > > >
> > > > Hi,
> > > >
> > > > When trying to pair my "3M Peltor WS Alert XPI" headset with Bluez i
> > > > get a null dereference in profiles/audio/avrcp.c.
> > > >
> > > > The following small patch avoids the problem:
> > > >
> > > > diff --git a/profiles/audio/avrcp.c b/profiles/audio/avrcp.c
> > > > index 7c280203c..6064ab40b 100644
> > > > --- a/profiles/audio/avrcp.c
> > > > +++ b/profiles/audio/avrcp.c
> > > > @@ -3740,10 +3740,13 @@ static void avrcp_status_changed(struct avrcp *session,
> > > >                                                 struct avrcp_header *pdu)
> > > >  {
> > > >         struct avrcp_player *player = session->controller->player;
> > > > -       struct media_player *mp = player->user_data;
> > > > +       struct media_player *mp = NULL;
> > > >         uint8_t value;
> > > >         const char *curval, *strval;
> > > >
> > > > +       if (player == NULL)
> > > > +               return;
> > > > +       mp = player->user_data;
> > > >         value = pdu->params[1];
> > > >
> > > >         curval = media_player_get_status(mp);
> > > >
> > >
> > > What version are you using? This should not be reproducible with:
> > >
> > > commit cc235a8d528b36cad2cf9fe6517d54711613331a
> > > Author: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
> > > Date:   Fri Apr 1 11:07:15 2016 +0300
> > >
> > >     audio/avrcp: Fix registering to player events
> > >
> > >     If controller does not have a player skip registering to events which
> > >     requires a player.
> > >
> > > diff --git a/profiles/audio/avrcp.c b/profiles/audio/avrcp.c
> > > index 0c6279a20..37bc29137 100644
> > > --- a/profiles/audio/avrcp.c
> > > +++ b/profiles/audio/avrcp.c
> > > @@ -3647,8 +3647,9 @@ static gboolean
> > > avrcp_get_capabilities_resp(struct avctp *conn,
> > >                 case AVRCP_EVENT_ADDRESSED_PLAYER_CHANGED:
> > >                 case AVRCP_EVENT_UIDS_CHANGED:
> > >                 case AVRCP_EVENT_AVAILABLE_PLAYERS_CHANGED:
> > > -                       /* These events above are controller specific */
> > > -                       if (!session->controller)
> > > +                       /* These events above requires a player */
> > > +                       if (!session->controller ||
> > > +                                               !session->controller->player)
> > >                                 break;
> > >                 case AVRCP_EVENT_VOLUME_CHANGED:
> > >                         avrcp_register_notification(session, event);
> > >
> >
> > The crash was present yesterday on
> > bb12ef4a9f71550ba84033f565a27773d893d8bf (master).
>
> Can you attach the HCI trace, I wonder if the headset is sending a
> notification without a registration then.

I've attached an HCI trace of the pairing process.

Best regards
/Thomas



>
> >
> > > >
> > > > Below is the backtrace from GDB:
> > > >
> > > > GNU gdb (Debian 10.1-2) 10.1.90.20210103-git
> > > > Copyright (C) 2021 Free Software Foundation, Inc.
> > > > License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
> > > > This is free software: you are free to change and redistribute it.
> > > > There is NO WARRANTY, to the extent permitted by law.
> > > > Type "show copying" and "show warranty" for details.
> > > > This GDB was configured as "x86_64-linux-gnu".
> > > > Type "show configuration" for configuration details.
> > > > For bug reporting instructions, please see:
> > > > <https://www.gnu.org/software/gdb/bugs/>.
> > > > Find the GDB manual and other documentation resources online at:
> > > >     <http://www.gnu.org/software/gdb/documentation/>.
> > > >
> > > > For help, type "help".
> > > > Type "apropos word" to search for commands related to "word"...
> > > > Reading symbols from /usr/local/libexec/bluetooth/bluetoothd...
> > > > (gdb) run
> > > > Starting program: /usr/local/libexec/bluetooth/bluetoothd
> > > > [Thread debugging using libthread_db enabled]
> > > > Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
> > > >
> > > >
> > > >
> > > > Program received signal SIGSEGV, Segmentation fault.
> > > > 0x0000555555594f14 in avrcp_status_changed (pdu=0x5555556d1b36,
> > > > pdu=0x5555556d1b36, session=0x5555556a9800) at
> > > > profiles/audio/avrcp.c:3743
> > > > 3743 struct media_player *mp = player->user_data;
> > > > (gdb)
> > > > (gdb)
> > > > (gdb) bt
> > > > #0  0x0000555555594f14 in avrcp_status_changed (pdu=0x5555556d1b36,
> > > > pdu=0x5555556d1b36, session=0x5555556a9800) at
> > > > profiles/audio/avrcp.c:3743
> > > > #1  avrcp_handle_event (conn=0x5555556c98e0, code=15 '\017',
> > > > subunit=<optimized out>, transaction=<optimized out>,
> > > > operands=0x5555556d1b36 "", operand_count=9, user_data=0x5555556a9800)
> > > >     at profiles/audio/avrcp.c:3884
> > > > #2  0x000055555558f3c7 in control_response (operand_count=9,
> > > > operands=0x5555556d1b36 "", avc=<optimized out>, avctp=<optimized
> > > > out>, control=<optimized out>) at profiles/audio/avctp.c:938
> > > > #3  session_cb (chan=<optimized out>, cond=<optimized out>,
> > > > data=<optimized out>) at profiles/audio/avctp.c:1107
> > > > #4  0x00007ffff7ebdc0f in g_main_context_dispatch () from
> > > > /usr/lib/x86_64-linux-gnu/libglib-2.0.so.0
> > > > #5  0x00007ffff7ebdfb8 in ?? () from /usr/lib/x86_64-linux-gnu/libglib-2.0.so.0
> > > > #6  0x00007ffff7ebe2ab in g_main_loop_run () from
> > > > /usr/lib/x86_64-linux-gnu/libglib-2.0.so.0
> > > > #7  0x0000555555617415 in mainloop_run () at src/shared/mainloop-glib.c:66
> > > > #8  0x00005555556177f2 in mainloop_run_with_signal
> > > > (func=func@entry=0x5555555af8d0 <signal_callback>,
> > > > user_data=user_data@entry=0x0) at src/shared/mainloop-notify.c:188
> > > > #9  0x0000555555577147 in main (argc=<optimized out>, argv=<optimized
> > > > out>) at src/main.c:1210
> > > >
> > > >
> > > > Best regards
> > > > /Thomas Eriksson
> > >
> > >
> > >
> > > --
> > > Luiz Augusto von Dentz
>
>
>
> --
> Luiz Augusto von Dentz

Patch

diff --git a/profiles/audio/avrcp.c b/profiles/audio/avrcp.c
index 7c280203c..6064ab40b 100644
--- a/profiles/audio/avrcp.c
+++ b/profiles/audio/avrcp.c
@@ -3740,10 +3740,13 @@  static void avrcp_status_changed(struct avrcp *session,
                                                struct avrcp_header *pdu)
 {
        struct avrcp_player *player = session->controller->player;
-       struct media_player *mp = player->user_data;
+       struct media_player *mp = NULL;
        uint8_t value;
        const char *curval, *strval;

+       if (player == NULL)
+               return;
+       mp = player->user_data;
        value = pdu->params[1];

        curval = media_player_get_status(mp);
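Review bot: The new `if (player == NULL)` guard comes one dereference too late: the initialiser two lines above it still evaluates `session->controller->player` unconditionally, so a session whose controller is NULL crashes before the check is reached, and the commit quoted in the thread (cc235a8d) already tests `!session->controller` in avrcp_get_capabilities_resp, so a NULL controller is evidently a possible state. Initialising through the controller check instead, `struct avrcp_player *player = session->controller ? session->controller->player : NULL;`, lets the added early return cover both cases without further changes. Because the event is peer-supplied and reaching this handler with no registered player means an unsolicited notification, the early return is worth a DBG() line rather than a silent drop so the anomaly shows up in the daemon's debug output. The remainder of avrcp_status_changed continues past the end of the hunk.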