Bug 1818185 - [abrt] bluez: avdtp_abort(): bluetoothd killed by SIGSEGV
Summary: [abrt] bluez: avdtp_abort(): bluetoothd killed by SIGSEGV
Keywords:
Status: CLOSED EOL
Alias: None
Product: Fedora
Classification: Fedora
Component: bluez
Version: 31
Hardware: x86_64
OS: Unspecified
Target Milestone: ---
Assignee: Don Zickus
QA Contact: Fedora Extras Quality Assurance
URL: https://retrace.fedoraproject.org/faf...
Whiteboard: abrt_hash:eb851e23cfa127d24da927a1a96...
Depends On:
Blocks:
Reported: 2020-03-27 23:29 UTC by Jeremy Visser
Modified: 2020-11-24 20:23 UTC (History)

Fixed In Version:
Doc Type: ---
Doc Text:
Clone Of:
Environment:
Last Closed: 2020-11-24 20:23:25 UTC
Type: ---
Embargoed:


Attachments (all text/plain, uploaded 2020-03-27 23:29 UTC by Jeremy Visser):
File: backtrace (19.71 KB)
File: core_backtrace (5.58 KB)
File: cpuinfo (2.50 KB)
File: dso_list (1.52 KB)
File: environ (176 bytes)
File: exploitable (82 bytes)
File: limits (1.29 KB)
File: maps (9.96 KB)
File: mountinfo (6.12 KB)
File: open_fds (4.98 KB)
File: proc_pid_status (1.30 KB)
File: var_log_messages (634 bytes)

Description Jeremy Visser 2020-03-27 23:29:14 UTC
Description of problem:
bluetoothd crashed and segfaulted when I removed the pairing for my Bluetooth headset after having failed to connect audio.

I had already paired the headset some days ago on a previous reboot. To reproduce the issue:

0. Pair headset, then pair it to another computer so the headset forgets
1. Go to GNOME Settings > Bluetooth > find headset
2. Try connecting to device (tick the "Connect" toggle), and observe that because I paired the headset to *another* computer and the headset forgot about the pairing, connecting no longer works
3. Try to re-pair device by choosing "Remove Device"
4. bluetoothd segfaults

The logs I got from the journal are:

bluetoothd[1578]: Unable to get connect data for Headset Voice gateway: getpeername: Transport endpoint is not connected (107)
bluetoothd[1578]: connect error: Too many levels of symbolic links (40)
bluetoothd[1578]: connect error: Too many levels of symbolic links (40)
bluetoothd[1578]: Unable to get Headset Voice gateway SDP record: Device or resource busy
bluetoothd[1578]: connect error: Device or resource busy (16)
systemd[1]: bluetooth.service: Main process exited, code=dumped, status=11/SEGV

The stack trace is:

% coredumpctl info 1578
           PID: 1578 (bluetoothd)
           UID: 0 (root)
           GID: 0 (root)
        Signal: 11 (SEGV)
     Timestamp: Sat 2020-03-28 10:16:17 AEDT (1min 57s ago)
  Command Line: /usr/libexec/bluetooth/bluetoothd
    Executable: /usr/libexec/bluetooth/bluetoothd
 Control Group: /system.slice/bluetooth.service
          Unit: bluetooth.service
         Slice: system.slice
       Boot ID: fb18dfaa6ed24ce1b72d4d96d0d07d5a
    Machine ID: c06facb854af4526847d941a3250f4af
       Storage: /var/lib/systemd/coredump/core.bluetoothd.0.fb18dfaa6ed24ce1b72d4d96d0d07d5a.1578.1585350977000000000000.lz4 (inaccessible)
       Message: Process 1578 (bluetoothd) of user 0 dumped core.
                
                Stack trace of thread 1578:
                #0  0x0000555e74c869e6 avdtp_abort (bluetoothd)
                #1  0x0000555e74c830d8 a2dp_cancel (bluetoothd)
                #2  0x0000555e74c7d846 sink_unregister (bluetoothd)
                #3  0x0000555e74cd967d service_remove (bluetoothd)
                #4  0x0000555e74ce7eaa device_remove (bluetoothd)
                #5  0x0000555e74ccfd98 btd_adapter_remove_device (bluetoothd)
                #6  0x0000555e74cd0c90 remove_device (bluetoothd)
                #7  0x0000555e74cfb7bc process_message.isra.0 (bluetoothd)
                #8  0x00007f7bc9bd80b8 _dbus_object_tree_dispatch_and_unlock (libdbus-1.so.3)
                #9  0x00007f7bc9bc8764 dbus_connection_dispatch (libdbus-1.so.3)
                #10 0x0000555e74cf7f08 message_dispatch (bluetoothd)
                #11 0x00007f7bc9c52e3b g_idle_dispatch (libglib-2.0.so.0)
                #12 0x00007f7bc9c56520 g_main_context_dispatch (libglib-2.0.so.0)
                #13 0x00007f7bc9c568b0 g_main_context_iterate.isra.0 (libglib-2.0.so.0)
                #14 0x00007f7bc9c56ba3 g_main_loop_run (libglib-2.0.so.0)
                #15 0x0000555e74d101c9 mainloop_run (bluetoothd)
                #16 0x0000555e74d10630 mainloop_run_with_signal (bluetoothd)
                #17 0x0000555e74c7865e main (bluetoothd)
                #18 0x00007f7bc9a061a3 __libc_start_main (libc.so.6)
                #19 0x0000555e74c791fe _start (bluetoothd)

Version-Release number of selected component:
bluez-5.54-1.fc31

Additional info:
reporter:       libreport-2.12.0
backtrace_rating: 4
cgroup:         0::/system.slice/bluetooth.service
cmdline:        /usr/libexec/bluetooth/bluetoothd
crash_function: avdtp_abort
executable:     /usr/libexec/bluetooth/bluetoothd
journald_cursor: s=edb2d3e7808642f989a73cee96863fef;i=442b2;b=fb18dfaa6ed24ce1b72d4d96d0d07d5a;m=4c842111;t=5a1de49d8c20d;x=9cd380f85d5e28cb
kernel:         5.5.10-200.fc31.x86_64
rootdir:        /
runlevel:       N 5
type:           CCpp
uid:            0

Truncated backtrace:
Thread no. 1 (10 frames)
 #0 avdtp_abort at profiles/audio/avdtp.c:3566
 #1 a2dp_cancel at profiles/audio/a2dp.c:2993
 #2 sink_free at profiles/audio/sink.c:318
 #3 sink_unregister at profiles/audio/sink.c:340
 #4 service_remove at src/service.c:176
 #5 device_remove at src/device.c:4227
 #6 btd_adapter_remove_device at src/adapter.c:1254
 #7 remove_device at src/adapter.c:3215
 #8 process_message at gdbus/object.c:259
 #9 _dbus_object_tree_dispatch_and_unlock at ../../dbus/dbus-object-tree.c:1020

Potential duplicate: bug 1815671

Comment 1 Jeremy Visser 2020-03-27 23:29:17 UTC
Created attachment 1674197 [details]
File: backtrace

Comment 2 Jeremy Visser 2020-03-27 23:29:19 UTC
Created attachment 1674198 [details]
File: core_backtrace

Comment 3 Jeremy Visser 2020-03-27 23:29:20 UTC
Created attachment 1674199 [details]
File: cpuinfo

Comment 4 Jeremy Visser 2020-03-27 23:29:22 UTC
Created attachment 1674200 [details]
File: dso_list

Comment 5 Jeremy Visser 2020-03-27 23:29:23 UTC
Created attachment 1674201 [details]
File: environ

Comment 6 Jeremy Visser 2020-03-27 23:29:24 UTC
Created attachment 1674202 [details]
File: exploitable

Comment 7 Jeremy Visser 2020-03-27 23:29:26 UTC
Created attachment 1674203 [details]
File: limits

Comment 8 Jeremy Visser 2020-03-27 23:29:27 UTC
Created attachment 1674204 [details]
File: maps

Comment 9 Jeremy Visser 2020-03-27 23:29:29 UTC
Created attachment 1674205 [details]
File: mountinfo

Comment 10 Jeremy Visser 2020-03-27 23:29:31 UTC
Created attachment 1674206 [details]
File: open_fds

Comment 11 Jeremy Visser 2020-03-27 23:29:32 UTC
Created attachment 1674207 [details]
File: proc_pid_status

Comment 12 Jeremy Visser 2020-03-27 23:29:33 UTC
Created attachment 1674208 [details]
File: var_log_messages

Comment 13 Jeremy Visser 2020-03-28 00:13:10 UTC
One other note: it's annoying that Bluetooth did not automatically recover from this situation, because the systemd unit (/usr/lib/systemd/system/bluetooth.service) has a commented-out Restart flag:

  #Restart=on-failure

This means when bluetoothd segfaulted, the GNOME settings mysteriously said "Bluetooth is turned off", and toggling it on wouldn't work. Only by manually inspecting the systemd unit could I figure out the cause.

If Restart=on-failure was set, the system would have recovered and Bluetooth would have been usable. In fact, if bluetoothd had auto-restarted, it's entirely possible I may not have cared enough to report this bug, and I would have got on with using my computer.

For non-technical users, setting Restart=on-failure is an even more meaningful change, as a non-technical user cannot be expected to know about the underlying service in any case. For example, my elderly relative uses a Fedora-based laptop to stream audio to a Bluetooth speaker. If this bug had occurred on that machine, due to their level of knowledge, they would have been unable to recover it.

Let's make the system more usable for everyone by uncommenting Restart=on-failure in the systemd unit, please.
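A drop-in override that enables the restart behaviour discussed in the comment above, added here as an illustration; it is not part of this bug report or of Fedora's bluez packaging. The drop-in path is the one `systemctl edit bluetooth.service` creates, and the 2s RestartSec value is an assumed, not a recommended, figure.

```ini
# /etc/systemd/system/bluetooth.service.d/override.conf  (added example)
# A drop-in leaves the packaged unit in /usr/lib/systemd/system untouched,
# so a later bluez package upgrade cannot silently revert the setting.
[Service]
# The packaged unit ships this line commented out (#Restart=on-failure).
# Without it an unclean exit such as the avdtp_abort SIGSEGV above leaves
# bluetooth.service dead until someone restarts it by hand.  on-failure
# covers unclean exit codes, fatal signals, timeouts and watchdog resets,
# but not a clean stop requested by the administrator.
Restart=on-failure
# Short pause before restarting so a repeatable crash does not spin the
# adapter; the value is an assumption, tune it to taste.
RestartSec=2s
```

Apply with `systemctl daemon-reload && systemctl restart bluetooth.service`, then confirm with `systemctl show -p Restart bluetooth.service`, which should print `Restart=on-failure`.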

Comment 14 Fedora Update System 2020-09-07 15:09:17 UTC
FEDORA-2020-00bf5ac290 has been submitted as an update to Fedora 32. https://bodhi.fedoraproject.org/updates/FEDORA-2020-00bf5ac290

Comment 15 Fedora Update System 2020-09-07 17:21:23 UTC
FEDORA-2020-00bf5ac290 has been pushed to the Fedora 32 testing repository.
In a short time you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2020-00bf5ac290`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2020-00bf5ac290

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 16 Fedora Update System 2020-09-15 16:16:39 UTC
FEDORA-2020-00bf5ac290 has been pushed to the Fedora 32 stable repository.
If problem still persists, please make note of it in this bug report.

Comment 17 Ben Cotton 2020-11-03 16:32:35 UTC
This message is a reminder that Fedora 31 is nearing its end of life.
Fedora will stop maintaining and issuing updates for Fedora 31 on 2020-11-24.
It is Fedora's policy to close all bug reports from releases that are no longer
maintained. At that time this bug will be closed as EOL if it remains open with a
Fedora 'version' of '31'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version.

Thank you for reporting this issue and we are sorry that we were not 
able to fix it before Fedora 31 is end of life. If you would still like 
to see this bug fixed and are able to reproduce it against a later version 
of Fedora, you are encouraged to change the 'version' to a later Fedora 
version before this bug is closed as described in the policy above.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events. Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.

Comment 18 Ben Cotton 2020-11-24 20:23:25 UTC
Fedora 31 changed to end-of-life (EOL) status on 2020-11-24. Fedora 31 is
no longer maintained, which means that it will not receive any further
security or bug fix updates. As a result we are closing this bug.

If you can reproduce this bug against a currently maintained version of
Fedora please feel free to reopen this bug against that version. If you
are unable to reopen this bug, please file a new report against the
current release. If you experience problems, please add a comment to this
bug.

Thank you for reporting this bug and we are sorry it could not be fixed.

