Bug 1667100 - bluetoothd crashes with SIGSEGV when pairing with headset
Summary: bluetoothd crashes with SIGSEGV when pairing with headset
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: bluez
Version: 7.6
Hardware: Unspecified
OS: Unspecified
Priority: low
Severity: low
Target Milestone: rc
Target Release: ---
Assignee: gopal krishna tiwari
QA Contact: Ken Benoit
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2019-01-17 13:07 UTC by Divya
Modified: 2019-08-06 13:19 UTC (History)
CC List: 9 users

Fixed In Version: bluez-5.44-5.el7
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-08-06 13:19:05 UTC
Target Upstream Version:
Embargoed:




Links:
Red Hat Product Errata RHBA-2019:2348 (last updated 2019-08-06 13:19:06 UTC)

Description Divya 2019-01-17 13:07:33 UTC
Description of problem:
Trying to pair a new headset (IBH 6500) crashes bluetoothd:

Jan 11 07:36:37 hostname kernel: bluetoothd[22318]: segfault at 10 ip 0000556a404f2ca4 sp 00007ffe4632f8b0 error 4 in bluetoothd[556a40475000+e8000]
Jan 11 07:36:37 hostname abrt-hook-ccpp[22364]: Process 22318 (bluetoothd) of user 0 killed by SIGSEGV - dumping core

Core was generated by `/usr/libexec/bluetooth/bluetoothd'.
Program terminated with signal 11, Segmentation fault.
#0  ba2str (ba=0x10, str=str@entry=0x7ffe4632f9c0 "0q\277AjU") at lib/bluetooth.c:79
79		return sprintf(str, "%2.2X:%2.2X:%2.2X:%2.2X:%2.2X:%2.2X",
(gdb) list
74		return ba;
75	}
76	
77	int ba2str(const bdaddr_t *ba, char *str)
78	{
79		return sprintf(str, "%2.2X:%2.2X:%2.2X:%2.2X:%2.2X:%2.2X",
80			ba->b[5], ba->b[4], ba->b[3], ba->b[2], ba->b[1], ba->b[0]);
81	}
82	
83	int str2ba(const char *str, bdaddr_t *ba)
(gdb) p ba
$1 = (const bdaddr_t *) 0x10
(gdb) p *ba
Cannot access memory at address 0x10
(gdb) bt
#0  ba2str (ba=0x10, str=str@entry=0x7ffe4632f9c0 "0q\277AjU") at lib/bluetooth.c:79
#1  0x0000556a404f0b79 in update_bredr_services (req=req@entry=0x556a41c0e140, recs=recs@entry=0x556a41c14c90) at src/device.c:4305
#2  0x0000556a404f1345 in browse_cb (recs=0x556a41c14c90, err=0, user_data=0x556a41c0e140) at src/device.c:4536
#3  0x0000556a404ccd23 in search_completed_cb (type=<optimized out>, status=<optimized out>, rsp=<optimized out>, size=<optimized out>, user_data=0x556a41c0d7f0) at src/sdp-client.c:205
#4  0x0000556a40501ad1 in sdp_process (session=<optimized out>) at lib/sdp.c:4354
#5  0x0000556a404cce85 in search_process_cb (chan=<optimized out>, cond=<optimized out>, user_data=0x556a41c0d7f0) at src/sdp-client.c:230
#6  0x00007f70b0034049 in g_main_dispatch (context=0x556a41bf1e50) at gmain.c:3175
#7  g_main_context_dispatch (context=context@entry=0x556a41bf1e50) at gmain.c:3828
#8  0x00007f70b00343a8 in g_main_context_iterate (context=0x556a41bf1e50, block=block@entry=1, dispatch=dispatch@entry=1, self=<optimized out>) at gmain.c:3901
#9  0x00007f70b003467a in g_main_loop_run (loop=0x556a41bf1f60) at gmain.c:4097
#10 0x0000556a4048dfa5 in main (argc=1, argv=0x7ffe46331f78) at src/main.c:708
(gdb) f 1
#1  0x0000556a404f0b79 in update_bredr_services (req=req@entry=0x556a41c0e140, recs=recs@entry=0x556a41c14c90) at src/device.c:4305
4305		ba2str(btd_adapter_get_address(device->adapter), srcaddr);
(gdb) p device
$1 = (struct btd_device *) 0x556a41c16f90
(gdb) p device->adapter
$2 = (struct btd_adapter *) 0x0


Version-Release number of selected component (if applicable):
bluez-5.44-4.el7_4

How reproducible:
Always

Steps to Reproduce:
1. Try to pair a device with RHEL-7 system through bluetooth

Actual results:
bluetoothd crashes with SIGSEGV

Expected results:
Device should be successfully paired with RHEL-7 system

Additional info:
* Issue occurs with bluez-5.44-2.el7 as well.
* Downgrading bluez to bluez-5.41-1.el7, pairing happens successfully and everything works smoothly.

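The backtrace above is a NULL-pointer dereference that faults one call away from the NULL. `device->adapter` is `0x0`, but `btd_adapter_get_address()` returns the address of a member inside that struct, so `update_bredr_services()` hands `ba2str()` the small non-NULL pointer `0x10`, and that is where the read faults (the kernel's `error 4` is the x86 page-fault code for a user-mode read of an unmapped page, consistent with reading through `0x10` into the zero page). A fault address that equals a member offset is the tell-tale for this pattern, and it also means a NULL check on the returned pointer would come too late. The following is an added example, not BlueZ code from the report or the fix: the struct layouts are assumed (chosen so that `bdaddr` lands at offset `0x10`, matching the fault address; the real `struct btd_adapter` differs), `explain_fault()`, `format_src_checked()` and `checked_roundtrip_ok()` are hypothetical helpers, and `ba2str()` is a `snprintf` rewrite of the `lib/bluetooth.c` routine shown in the trace.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef struct { uint8_t b[6]; } bdaddr_t;   /* the real BlueZ address type */

/* Assumed layout (not BlueZ's): two 8-byte fields ahead of the address put
 * it at offset 0x10, the faulting address in the kernel segfault line. */
struct btd_adapter {
    uint64_t dev_id;
    uint64_t flags;
    bdaddr_t bdaddr;
};

/* Assumed layout: only the adapter back-pointer matters for this crash. */
struct btd_device {
    struct btd_adapter *adapter;
    bdaddr_t bdaddr;
    char name[32];
};

/* Same shape as the real accessor: it does not check adapter, so for a NULL
 * adapter it yields (bdaddr_t *)0x10 rather than NULL. The address is
 * computed as integer arithmetic instead of &adapter->bdaddr, which is
 * undefined for a NULL adapter and may be folded away by the optimiser. */
static const bdaddr_t *btd_adapter_get_address(const struct btd_adapter *adapter)
{
    return (const bdaddr_t *)((uintptr_t)adapter + offsetof(struct btd_adapter, bdaddr));
}

/* Equivalent of lib/bluetooth.c's ba2str, bounded with snprintf.
 * str must have room for 18 bytes ("XX:XX:XX:XX:XX:XX" plus NUL). */
static int ba2str(const bdaddr_t *ba, char *str)
{
    return snprintf(str, 18, "%2.2X:%2.2X:%2.2X:%2.2X:%2.2X:%2.2X",
                    ba->b[5], ba->b[4], ba->b[3], ba->b[2], ba->b[1], ba->b[0]);
}

/* Triage helper (hypothetical): map the fault address from the kernel line to
 * the member a NULL struct btd_adapter pointer would have been read through. */
static const char *explain_fault(uintptr_t fault_addr)
{
    if (fault_addr == offsetof(struct btd_adapter, bdaddr))
        return "NULL struct btd_adapter dereferenced via bdaddr";
    if (fault_addr < 4096)
        return "NULL-page dereference at some other offset";
    return "not a NULL-page fault";
}

/* The unchecked pattern at src/device.c:4305 in the trace. */
int format_src_unchecked(const struct btd_device *device, char *srcaddr)
{
    return ba2str(btd_adapter_get_address(device->adapter), srcaddr);
}

/* Hardened form (hypothetical): check the struct pointer, not the member
 * pointer, and fail closed when the device has already lost its adapter. */
static int format_src_checked(const struct btd_device *device, char *srcaddr)
{
    if (device == NULL || device->adapter == NULL) {
        srcaddr[0] = '\0';
        return -1;
    }
    return ba2str(btd_adapter_get_address(device->adapter), srcaddr);
}

/* The pointer the unchecked accessor passes on for a NULL adapter. */
static uintptr_t dangling_address_for_null_adapter(void)
{
    return (uintptr_t)btd_adapter_get_address(NULL);
}

/* Exercises the checked path with a valid adapter and then a NULL one
 * (the state in the core dump); returns 1 when both behave as intended. */
static int checked_roundtrip_ok(void)
{
    struct btd_adapter hci0 = { .dev_id = 0, .flags = 0,
                                .bdaddr = { { 0x01, 0x02, 0x03, 0x04, 0x05, 0x06 } } };
    struct btd_device dev = { .adapter = &hci0 };   /* constructed sample device */
    char src[18];

    if (format_src_checked(&dev, src) != 17 || strcmp(src, "06:05:04:03:02:01") != 0)
        return 0;
    dev.adapter = NULL;
    return format_src_checked(&dev, src) == -1 && src[0] == '\0';
}

int main(void)
{
    struct btd_adapter hci0 = { .dev_id = 0, .flags = 0,
                                .bdaddr = { { 0x01, 0x02, 0x03, 0x04, 0x05, 0x06 } } };
    struct btd_device dev = { .adapter = &hci0 };
    char src[18];

    format_src_unchecked(&dev, src);           /* fine while adapter is set */
    printf("adapter address: %s\n", src);
    printf("fault 0x%lx: %s\n",
           (unsigned long)dangling_address_for_null_adapter(),
           explain_fault(dangling_address_for_null_adapter()));
    printf("checked path behaves: %d\n", checked_roundtrip_ok());
    /* format_src_unchecked(&dev, src) with dev.adapter == NULL would now
     * segfault reading address 0x10, exactly as in the trace. */
    return 0;
}
```

The point of `dangling_address_for_null_adapter()` is that the value it returns is `0x10`, not `0`: a `ba != NULL` guard inside `ba2str()` would not have caught this crash, which is why the upstream fixes quoted later in the report address the lifetime of the request rather than adding pointer checks at the formatting site.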
Comment 4 gopal krishna tiwari 2019-04-08 06:51:18 UTC
Would it be possible for you to attach the logs and crash traces ?

Gopal..

Comment 7 gopal krishna tiwari 2019-04-10 07:47:17 UTC
Are we able to reproduce the issue? If yes, I can fire a test bluez package for verification of the fix.

006213cf4d231ce66de273e96619474bd516359b
device: Fix crashing when connecting ATT over BR/EDR
    
    When remote connects ATT over BR/EDR the code will attempt to resolve
    its attributes, but in the meantime a SDP session may be active to
    resolve the services exposed over SDP which can cause a crash since ATT
    may end up freeing the request causing the following trace:


5252296b725ef159992be5372f60721bd9adca48

 device: Fix crash when connecting ATT with BR/EDR only device
    
    The fix introduced in 006213cf4d231ce66de273e96619474bd516359b only
    works for dual mode devices, if the device is BR/EDR the address type
    would match the type on browsing_req so it still possible to crash.


Or if possible you can try and check with the bluez-5.47 version to verify, as these patches are available in the 5.47 version?

Gopal..

Comment 9 gopal krishna tiwari 2019-04-11 13:00:09 UTC
(In reply to gopal krishna tiwari from comment #7)

Any feedback on this? As I don't have the hardware to reproduce.

Gopal..

Comment 28 gopal krishna tiwari 2019-04-25 15:18:56 UTC
Fix is available with the version bluez-5.44-5.el7.

Gopal

Comment 30 Ken Benoit 2019-06-27 12:37:09 UTC
Tested RHEL-7.7-20190627.n.0 and can confirm that bluez-5.44-5.el7 is installed. Ran some testing with connecting, pairing, disconnecting, and unpairing various devices (mice, headphones, keyboards, cell phones for a tethered Internet connection) and everything tested fine. Given that I don't have the specific headset that the customer has I can't confirm the crash or the fix, but I have verified that the patches from comment 7 are in place in the source for bluez-5.44-5.el7 and given that the customer has tested the package themselves and had success I'm going to verify this as SanityOnly from my end.

Comment 32 errata-xmlrpc 2019-08-06 13:19:05 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:2348

