Bug 1667100
| Summary: | bluetoothd crashes with SIGSEGV when pairing with headset | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Divya <dbasant> |
| Component: | bluez | Assignee: | gopal krishna tiwari <gtiwari> |
| Status: | CLOSED ERRATA | QA Contact: | Ken Benoit <kbenoit> |
| Severity: | low | Docs Contact: | |
| Priority: | low | | |
| Version: | 7.6 | CC: | ableisch, agk, amarecek, dzickus, gtiwari, jomurphy, kbenoit, mschibli, rvr |
| Target Milestone: | rc | Keywords: | Regression |
| Target Release: | --- | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | bluez-5.44-5.el7 | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2019-08-06 13:19:05 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
Would it be possible for you to attach the logs and crash traces?

Gopal..

Are we able to reproduce the issue? If yes, I can fire a test bluez package for verification of the fix:

006213cf4d231ce66de273e96619474bd516359b
device: Fix crashing when connecting ATT over BR/EDR

When remote connects ATT over BR/EDR the code will attempt to resolve
its attributes, but in the meantime a SDP session may be active to
resolve the services exposed over SDP which can cause a crash since ATT
may end up freeing the request causing the following trace:

5252296b725ef159992be5372f60721bd9adca48
device: Fix crash when connecting ATT with BR/EDR only device

The fix introduced in 006213cf4d231ce66de273e96619474bd516359b only
works for dual mode devices; if the device is BR/EDR the address type
would match the type on browsing_req so it is still possible to crash.

Or, if possible, you can try and check with the bluez-5.47 version to verify, as these patches are available in 5.47?

Gopal..
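The ordering problem the two commit messages above describe, as an added C model that is not code from the page or from bluez: a tiny callback queue stands in for the GLib main loop, the `struct` layouts and the names `cancel_callbacks_for`, `attach_att_safe`, `start_sdp_browse` and `run_loop` are assumptions, and the point shown is that a queued completion holding a raw pointer to a request must be cancelled before that request is freed.

```c
/* Constructed model of the lifetime bug in this report: an SDP completion
 * callback is queued holding a raw browse_req pointer while a second path (ATT
 * attach) frees that request. Structs, loop and names are stand-ins, not bluez. */
#include <stdlib.h>
struct btd_device { struct browse_req *browse; int services_updated; };
struct browse_req { struct btd_device *device; };
static struct { void (*fn)(void *); void *user_data; } pending[8];
static int npending;

/* Drop every queued callback that would receive user_data; returns count. */
static int cancel_callbacks_for(void *user_data) {
    int kept = 0, total = npending;
    for (int i = 0; i < total; i++)
        if (pending[i].user_data != user_data) pending[kept++] = pending[i];
    npending = kept;
    return total - kept;
}

/* Dispatch everything queued so far; returns how many callbacks ran. */
static int run_loop(void) {
    int n = npending;
    npending = 0;
    for (int i = 0; i < n; i++) pending[i].fn(pending[i].user_data);
    return n;
}

/* Stand-in for browse_cb: the req->device access that faulted in frame #1. */
static void sdp_search_completed(void *user_data) {
    struct browse_req *req = user_data;
    req->device->services_updated++;
    req->device->browse = NULL;
    free(req);
}

static void start_sdp_browse(struct btd_device *dev) {
    struct browse_req *req = calloc(1, sizeof *req);
    req->device = dev;
    dev->browse = req;
    pending[npending].fn = sdp_search_completed; /* SDP result arrives later */
    pending[npending++].user_data = req;
}

/* Bug: free(dev->browse) while the completion is still queued. Hardened
 * shape: cancel the pending completion first; returns callbacks dropped. */
static int attach_att_safe(struct btd_device *dev) {
    int dropped = cancel_callbacks_for(dev->browse);
    free(dev->browse);
    dev->browse = NULL;
    return dropped;
}
```

Freeing the request without the cancel step leaves `pending[]` holding a dangling pointer that the next loop iteration dereferences, which is the shape of the `update_bredr_services` frame in the trace.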
(In reply to gopal krishna tiwari from comment #7)
> Are we able to reproduce the issue? If yes, I can fire a test bluez package
> for verification of the fix:
>
> 006213cf4d231ce66de273e96619474bd516359b
> device: Fix crashing when connecting ATT over BR/EDR
>
> When remote connects ATT over BR/EDR the code will attempt to resolve
> its attributes, but in the meantime a SDP session may be active to
> resolve the services exposed over SDP which can cause a crash since ATT
> may end up freeing the request causing the following trace:
>
> 5252296b725ef159992be5372f60721bd9adca48
> device: Fix crash when connecting ATT with BR/EDR only device
>
> The fix introduced in 006213cf4d231ce66de273e96619474bd516359b only
> works for dual mode devices; if the device is BR/EDR the address type
> would match the type on browsing_req so it is still possible to crash.
>
> Or, if possible, you can try and check with the bluez-5.47 version to verify, as
> these patches are available in 5.47?
>
> Gopal..

Any feedback on this? As I don't have the hardware to reproduce.

Gopal..

Fix is available with the version bluez-5.44-5.el7.

Gopal

Tested RHEL-7.7-20190627.n.0 and can confirm that bluez-5.44-5.el7 is installed. Ran some testing with connecting, pairing, disconnecting, and unpairing various devices (mice, headphones, keyboards, cell phones for a tethered Internet connection) and everything tested fine. Given that I don't have the specific headset that the customer has, I can't confirm the crash or the fix, but I have verified that the patches from comment 7 are in place in the source for bluez-5.44-5.el7, and given that the customer has tested the package themselves and had success, I'm going to verify this as SanityOnly from my end.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below.
If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2019:2348
Description of problem:
Trying to pair a new headset (IBH 6500) crashes bluetoothd:

```
Jan 11 07:36:37 hostname kernel: bluetoothd[22318]: segfault at 10 ip 0000556a404f2ca4 sp 00007ffe4632f8b0 error 4 in bluetoothd[556a40475000+e8000]
Jan 11 07:36:37 hostname abrt-hook-ccpp[22364]: Process 22318 (bluetoothd) of user 0 killed by SIGSEGV - dumping core
```

```
Core was generated by `/usr/libexec/bluetooth/bluetoothd'.
Program terminated with signal 11, Segmentation fault.
#0  ba2str (ba=0x10, str=str@entry=0x7ffe4632f9c0 "0q\277AjU") at lib/bluetooth.c:79
79		return sprintf(str, "%2.2X:%2.2X:%2.2X:%2.2X:%2.2X:%2.2X",
(gdb) list
74		return ba;
75	}
76
77	int ba2str(const bdaddr_t *ba, char *str)
78	{
79		return sprintf(str, "%2.2X:%2.2X:%2.2X:%2.2X:%2.2X:%2.2X",
80			ba->b[5], ba->b[4], ba->b[3], ba->b[2], ba->b[1], ba->b[0]);
81	}
82
83	int str2ba(const char *str, bdaddr_t *ba)
(gdb) p ba
$1 = (const bdaddr_t *) 0x10
(gdb) p *ba
Cannot access memory at address 0x10
(gdb) bt
#0  ba2str (ba=0x10, str=str@entry=0x7ffe4632f9c0 "0q\277AjU") at lib/bluetooth.c:79
#1  0x0000556a404f0b79 in update_bredr_services (req=req@entry=0x556a41c0e140, recs=recs@entry=0x556a41c14c90) at src/device.c:4305
#2  0x0000556a404f1345 in browse_cb (recs=0x556a41c14c90, err=0, user_data=0x556a41c0e140) at src/device.c:4536
#3  0x0000556a404ccd23 in search_completed_cb (type=<optimized out>, status=<optimized out>, rsp=<optimized out>, size=<optimized out>, user_data=0x556a41c0d7f0) at src/sdp-client.c:205
#4  0x0000556a40501ad1 in sdp_process (session=<optimized out>) at lib/sdp.c:4354
#5  0x0000556a404cce85 in search_process_cb (chan=<optimized out>, cond=<optimized out>, user_data=0x556a41c0d7f0) at src/sdp-client.c:230
#6  0x00007f70b0034049 in g_main_dispatch (context=0x556a41bf1e50) at gmain.c:3175
#7  g_main_context_dispatch (context=context@entry=0x556a41bf1e50) at gmain.c:3828
#8  0x00007f70b00343a8 in g_main_context_iterate (context=0x556a41bf1e50, block=block@entry=1, dispatch=dispatch@entry=1, self=<optimized out>) at gmain.c:3901
#9  0x00007f70b003467a in g_main_loop_run (loop=0x556a41bf1f60) at gmain.c:4097
#10 0x0000556a4048dfa5 in main (argc=1, argv=0x7ffe46331f78) at src/main.c:708
(gdb) f 1
#1  0x0000556a404f0b79 in update_bredr_services (req=req@entry=0x556a41c0e140, recs=recs@entry=0x556a41c14c90) at src/device.c:4305
4305		ba2str(btd_adapter_get_address(device->adapter), srcaddr);
(gdb) p device
$1 = (struct btd_device *) 0x556a41c16f90
(gdb) p device->adapter
$2 = (struct btd_adapter *) 0x0
```

Version-Release number of selected component (if applicable):
bluez-5.44-4.el7_4

How reproducible:
Always

Steps to Reproduce:
1. Try to pair a device with a RHEL-7 system through bluetooth

Actual results:
bluetoothd crashes with SIGSEGV

Expected results:
Device should be successfully paired with the RHEL-7 system

Additional info:
* Issue occurs with bluez-5.44-2.el7 as well.
* After downgrading bluez to bluez-5.41-1.el7, pairing happens successfully and everything works smoothly.