Bug 1569813

Summary: bluez 5.49 bluetoothd coredump
Product: [Fedora] Fedora
Reporter: misha.pavlov
Component: bluez
Assignee: Don Zickus <dzickus>
Status: CLOSED DUPLICATE
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: high
Priority: unspecified
Version: 27
CC: bnocera, dwmw2, dzickus, misha.pavlov, spacewar, w.vollprecht
Target Milestone: ---
Target Release: ---
Hardware: x86_64
OS: Linux
Story Points: ---
Last Closed: 2018-04-20 10:05:52 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---

Description misha.pavlov 2018-04-20 02:21:55 UTC
Description of problem:
systemd[1]: bluetooth.service: Main process exited, code=dumped, status=11/SEGV
With a USB Bluetooth adapter
Bus 003 Device 078: ID 0461:4d75 Primax Electronics, Ltd Rocketfish RF-FLBTAD Bluetooth Adapter

Version-Release number of selected component (if applicable):
bluez-5.49-1.fc27.rpm
most likely as well in bluez-5.49-2.fc28.rpm

How reproducible:
every time I attempt to connect Bluetooth headphones

Steps to Reproduce:
1. start bluetooth service
2. attempt to connect headphones

Actual results:
Apr 19 20:16:50 haswell kernel: bluetoothd[5048]: segfault at 8 ip 00005629670b02d0 sp 00007ffea0f99368 error 4 in bluetoothd[56296704d000+f6000]

Expected results:
Apr 19 20:17:45 haswell bluetoothd[5313]: Bluetooth daemon 5.49
Apr 19 20:17:45 haswell systemd[1]: Started Bluetooth service.

Additional info:
Appears to be known and a patch is available
https://www.spinics.net/lists/linux-bluetooth/msg74984.html

I patched bluez-5.49-1.fc27.src.rpm with the below and can confirm the fix

# cat ../0001-btd_adv_manager_refresh.patch
From dc29fa5306991ce80e5479c44559119fca57d11d Mon Sep 17 00:00:00 2001
From: rpm-build <rpm-build>
Date: Thu, 19 Apr 2018 19:37:13 -0400
Subject: [PATCH] 001-btd_adv_manager_refresh.patch

---
 src/advertising.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/src/advertising.c b/src/advertising.c
index b976562..101b9a9 100644
--- a/src/advertising.c
+++ b/src/advertising.c
@@ -1173,6 +1173,8 @@ void btd_adv_manager_destroy(struct btd_adv_manager *manager)

 void btd_adv_manager_refresh(struct btd_adv_manager *manager)
 {
-       queue_foreach(manager->clients, (queue_foreach_func_t)refresh_adv,
-                                                                       NULL);
+     if (manager != NULL) {
+         queue_foreach(manager->clients, (queue_foreach_func_t)refresh_adv,
+                                         NULL);
+     }
 }
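Review bot: the NULL guard does stop the dereference of `manager->clients`, but the added lines are indented with five spaces and re-indent the `NULL` continuation line, while the surrounding function uses the file's tab-based layout, and braces around a single statement are not used elsewhere in this function; an early return (`if (!manager)` / `return;`) placed before the unchanged `queue_foreach` call would be a smaller hunk in the usual bluez style. The patch also has no commit message body (the Subject is just the patch file name), so it does not record why `manager` can be NULL here; please describe the NULL case and reference the upstream thread (https://www.spinics.net/lists/linux-bluetooth/msg74984.html) so the guard is not mistaken for a workaround.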
--
2.14.3

I checked also bluez-5.49-2.fc28.src.rpm and don't see this being fixed there.

Comment 1 Bastien Nocera 2018-04-20 10:05:52 UTC

*** This bug has been marked as a duplicate of bug 1567622 ***

Comment 2 Wolf Vollprecht 2018-05-28 11:18:07 UTC
In my version of bluez this patch has not been integrated as far as I can tell.

This version is slightly closer to the upstream fix:

diff --git a/src/advertising.c b/src/advertising.c
index b976562c4..0cb6eac3a 100644
--- a/src/advertising.c
+++ b/src/advertising.c
@@ -1173,6 +1173,9 @@ void btd_adv_manager_destroy(struct btd_adv_manager *manager)
 
 void btd_adv_manager_refresh(struct btd_adv_manager *manager)
 {
+	if (!manager)
+		return;
+
 	queue_foreach(manager->clients, (queue_foreach_func_t)refresh_adv,
 									NULL);
 }
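Review bot: the early return matches the surrounding style, but like the first version it only hides the caller that passes NULL: reaching `btd_adv_manager_refresh()` with a NULL `manager` means the adapter's advertising manager was never created or has already gone through `btd_adv_manager_destroy()`, and that caller should be looked at as well so the segfault is not just moved to the next `manager->` dereference. As posted, the hunk also has no commit header or Signed-off-by, so it cannot be applied with `git am`; please resend it as a complete patch whose message names the upstream commit it is tracking.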

Cheers!