2008-09-24 23:09:06

by Bastien Nocera

Subject: bluetoothd crasher

Heya,

The current bluetoothd crashes on resume from suspend. Here's the valgrind output:

==10147==
==10147== Invalid read of size 4
==10147== at 0x74B739: g_atomic_int_exchange_and_add (in /lib/libglib-2.0.so.0.1800.0)
==10147== by 0x769011: g_io_channel_unref (in /lib/libglib-2.0.so.0.1800.0)
==10147== by 0x969E: stop_security_manager (security.c:1022)
==10147== by 0x8A83: io_stack_event (main.c:567)
==10147== by 0x7A81CC: (within /lib/libglib-2.0.so.0.1800.0)
==10147== by 0x7711F7: g_main_context_dispatch (in /lib/libglib-2.0.so.0.1800.0)
==10147== by 0x7748A2: (within /lib/libglib-2.0.so.0.1800.0)
==10147== by 0x774DC1: g_main_loop_run (in /lib/libglib-2.0.so.0.1800.0)
==10147== by 0x9238: main (main.c:761)
==10147== Address 0x487bcc8 is 0 bytes inside a block of size 64 free'd
==10147== at 0x480590A: free (vg_replace_malloc.c:323)
==10147== by 0x779725: g_free (in /lib/libglib-2.0.so.0.1800.0)
==10147== by 0x7690BC: g_io_channel_unref (in /lib/libglib-2.0.so.0.1800.0)
==10147== by 0x770BBE: (within /lib/libglib-2.0.so.0.1800.0)
==10147== by 0x7712C0: g_main_context_dispatch (in /lib/libglib-2.0.so.0.1800.0)
==10147== by 0x7748A2: (within /lib/libglib-2.0.so.0.1800.0)
==10147== by 0x774DC1: g_main_loop_run (in /lib/libglib-2.0.so.0.1800.0)
==10147== by 0x9238: main (main.c:761)
==10147==
==10147== Invalid read of size 4
==10147== at 0x74B73B: g_atomic_int_exchange_and_add (in /lib/libglib-2.0.so.0.1800.0)
==10147== by 0x769011: g_io_channel_unref (in /lib/libglib-2.0.so.0.1800.0)
==10147== by 0x969E: stop_security_manager (security.c:1022)
==10147== by 0x8A83: io_stack_event (main.c:567)
==10147== by 0x7A81CC: (within /lib/libglib-2.0.so.0.1800.0)
==10147== by 0x7711F7: g_main_context_dispatch (in /lib/libglib-2.0.so.0.1800.0)
==10147== by 0x7748A2: (within /lib/libglib-2.0.so.0.1800.0)
==10147== by 0x774DC1: g_main_loop_run (in /lib/libglib-2.0.so.0.1800.0)
==10147== by 0x9238: main (main.c:761)
==10147== Address 0x487bcc8 is 0 bytes inside a block of size 64 free'd
==10147== at 0x480590A: free (vg_replace_malloc.c:323)
==10147== by 0x779725: g_free (in /lib/libglib-2.0.so.0.1800.0)
==10147== by 0x7690BC: g_io_channel_unref (in /lib/libglib-2.0.so.0.1800.0)
==10147== by 0x770BBE: (within /lib/libglib-2.0.so.0.1800.0)
==10147== by 0x7712C0: g_main_context_dispatch (in /lib/libglib-2.0.so.0.1800.0)
==10147== by 0x7748A2: (within /lib/libglib-2.0.so.0.1800.0)
==10147== by 0x774DC1: g_main_loop_run (in /lib/libglib-2.0.so.0.1800.0)
==10147== by 0x9238: main (main.c:761)
==10147==
==10147== Invalid write of size 4
==10147== at 0x74B740: g_atomic_int_exchange_and_add (in /lib/libglib-2.0.so.0.1800.0)
==10147== by 0x769011: g_io_channel_unref (in /lib/libglib-2.0.so.0.1800.0)
==10147== by 0x969E: stop_security_manager (security.c:1022)
==10147== by 0x8A83: io_stack_event (main.c:567)
==10147== by 0x7A81CC: (within /lib/libglib-2.0.so.0.1800.0)
==10147== by 0x7711F7: g_main_context_dispatch (in /lib/libglib-2.0.so.0.1800.0)
==10147== by 0x7748A2: (within /lib/libglib-2.0.so.0.1800.0)
==10147== by 0x774DC1: g_main_loop_run (in /lib/libglib-2.0.so.0.1800.0)
==10147== by 0x9238: main (main.c:761)
==10147== Address 0x487bcc8 is 0 bytes inside a block of size 64 free'd
==10147== at 0x480590A: free (vg_replace_malloc.c:323)
==10147== by 0x779725: g_free (in /lib/libglib-2.0.so.0.1800.0)
==10147== by 0x7690BC: g_io_channel_unref (in /lib/libglib-2.0.so.0.1800.0)
==10147== by 0x770BBE: (within /lib/libglib-2.0.so.0.1800.0)
==10147== by 0x7712C0: g_main_context_dispatch (in /lib/libglib-2.0.so.0.1800.0)
==10147== by 0x7748A2: (within /lib/libglib-2.0.so.0.1800.0)
==10147== by 0x774DC1: g_main_loop_run (in /lib/libglib-2.0.so.0.1800.0)
==10147== by 0x9238: main (main.c:761)
bluetoothd[10147]: HCI dev 0 unregistered
bluetoothd[10147]: Unregister path: /org/bluez/hci0
bluetoothd[10147]: HCI dev 0 registered
bluetoothd[10328]: Can't set link policy on hci0: Connection timed out (110)
bluetoothd[10147]: HCI dev 0 up
bluetoothd[10147]: Unable to start SCO server socket

Looks like a double-free on the event channel.
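
The two stacks in the valgrind report tell the story: the channel's memory is released once by g_io_channel_unref inside GLib's own source teardown (under g_main_context_dispatch, i.e. after a watch callback asked to be removed), and then stop_security_manager calls g_io_channel_unref on the same block. The following self-contained C program is an added illustration, not BlueZ code and not GLib: it mocks a reference-counted channel and a watch that owns one reference (as g_io_add_watch does), replays the sequence from the report, and contrasts an ownership mistake that produces exactly this double release with the fix of giving each holder its own reference and clearing the pointer on stop. The SecurityManager struct, the field names and the event callback are assumptions made for the example; the mock never really frees the channel so the second unref can be observed instead of corrupting the heap.

```c
#include <stdio.h>
#include <stdlib.h>

/* Constructed mock of a reference-counted I/O channel. It stands in for
 * GIOChannel but is NOT GLib and NOT BlueZ code; it only reproduces the
 * ownership rule: every holder takes its own reference and releases it once.
 * Channels are never really freed so that a second unref can be observed
 * instead of corrupting the heap as in the valgrind report. */
typedef struct {
    int refcount;
    int fd;
    int freed;           /* 1 once the refcount has hit zero */
} Channel;

static Channel *channel_new(int fd)
{
    Channel *c = calloc(1, sizeof *c);
    c->refcount = 1;
    c->fd = fd;
    return c;
}

static Channel *channel_ref(Channel *c)
{
    c->refcount++;
    return c;
}

/* Returns 1 on a legitimate release, 0 when the channel was already gone
 * (the real g_io_channel_unref would touch freed memory at this point). */
static int channel_unref(Channel *c)
{
    if (c->freed)
        return 0;
    if (--c->refcount == 0)
        c->freed = 1;
    return 1;
}

/* A watch owns one reference, like the source created by g_io_add_watch.
 * When the callback returns 0 the source is destroyed and that reference
 * is dropped by the dispatcher, not by the code that created the watch. */
typedef int (*WatchFunc)(Channel *c, void *data);

typedef struct {
    Channel *chan;
    WatchFunc func;
    void *data;
    int active;
} Watch;

static Watch *watch_add(Channel *c, WatchFunc func, void *data)
{
    Watch *w = calloc(1, sizeof *w);
    w->chan = channel_ref(c);
    w->func = func;
    w->data = data;
    w->active = 1;
    return w;
}

/* Mimics g_main_context_dispatch for a single ready source. */
static void watch_dispatch(Watch *w)
{
    if (!w->active)
        return;
    if (!w->func(w->chan, w->data)) {
        w->active = 0;
        channel_unref(w->chan);      /* the first free in the valgrind trace */
        w->chan = NULL;
    }
}

/* Hypothetical security-manager state; the field names are assumptions. */
typedef struct {
    Channel *chan;
    Watch *watch;
} SecurityManager;

/* Callback that gives up on the channel, e.g. because the HCI device went away. */
static int security_event(Channel *c, void *data)
{
    (void)c; (void)data;
    return 0;            /* ask the loop to remove the watch */
}

/* Buggy pattern: hands the only reference to the watch but keeps the
 * pointer and releases it again on stop. */
static void start_buggy(SecurityManager *m)
{
    m->chan = channel_new(42);
    m->watch = watch_add(m->chan, security_event, m);
    channel_unref(m->chan);          /* "the watch owns it now", yet m->chan is kept */
}

static int stop_buggy(SecurityManager *m)
{
    return channel_unref(m->chan);   /* second release: use-after-free in real code */
}

/* Fixed pattern: the manager keeps its own reference for as long as it
 * holds the pointer; stop releases exactly once and clears the pointer. */
static void start_fixed(SecurityManager *m)
{
    m->chan = channel_new(42);
    m->watch = watch_add(m->chan, security_event, m);
    /* no unref here: the manager and the watch each hold one reference */
}

static int stop_fixed(SecurityManager *m)
{
    int ok = 1;
    if (m->chan) {
        ok = channel_unref(m->chan);
        m->chan = NULL;              /* a repeated stop is now harmless */
    }
    return ok;
}

/* Replays the sequence from the report: the watch fires and asks to be
 * removed, then a later stack event stops the manager.
 * Returns 1 if every release was legitimate, 0 if a double unref occurred. */
static int run_scenario(int fixed)
{
    SecurityManager m = { 0 };
    Channel *raw;
    int ok;

    if (fixed)
        start_fixed(&m);
    else
        start_buggy(&m);
    raw = m.chan;
    watch_dispatch(m.watch);         /* callback returns 0: source drops its ref */
    ok = fixed ? stop_fixed(&m) : stop_buggy(&m);
    free(m.watch);
    free(raw);                       /* mock cleanup only */
    return ok;
}

int main(void)
{
    printf("buggy ownership : %s\n", run_scenario(0) ? "ok" : "double unref");
    printf("fixed ownership : %s\n", run_scenario(1) ? "ok" : "double unref");
    return 0;
}
```

The useful check when reading a report like the one above is to pair each unref site with the reference it is supposed to release: the source teardown under g_main_context_dispatch accounts for the watch's reference, so whatever stop_security_manager releases must be a reference the manager itself still holds, and a pointer that is only valid while someone else's reference is alive should be cleared as soon as that reference can go away.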



2008-09-25 00:13:47

by Marcel Holtmann

Subject: Re: bluetoothd crasher

Hi Bastien,

> > > The current bluetoothd crashes on resume from suspend. Here's the valgrind output:
>
> Patch attached, thanks to Johan for helping out.

a slightly modified patch has been applied. Thanks.

Regards

Marcel



2008-09-24 23:55:35

by Bastien Nocera

Subject: Re: bluetoothd crasher

On Wed, 2008-09-24 at 16:18 -0700, Bastien Nocera wrote:
> On Wed, 2008-09-24 at 16:09 -0700, Bastien Nocera wrote:
> > Heya,
> >
> > The current bluetoothd crashes on resume from suspend. Here's the valgrind output:

Patch attached, thanks to Johan for helping out.

Cheers


Attachments:
bluez-bluetoothd-crasher.patch (1.30 kB)

2008-09-24 23:18:38

by Bastien Nocera

Subject: Re: bluetoothd crasher

On Wed, 2008-09-24 at 16:09 -0700, Bastien Nocera wrote:
> Heya,
>
> The current bluetoothd crashes on resume from suspend. Here's the valgrind output:

And the crash itself:
#0 malloc_consolidate (av=<value optimized out>) at malloc.c:4841
#1 0x002e1b2d in _int_malloc (av=<value optimized out>, bytes=<value optimized out>) at malloc.c:4184
#2 0x002e368f in __libc_calloc (n=<value optimized out>, elem_size=<value optimized out>) at malloc.c:3901
#3 0x002d7a7d in open_memstream (bufloc=Could not find the frame base for "open_memstream".
) at memstream.c:86
#4 0x00350088 in __vsyslog_chk (pri=<value optimized out>, flag=<value optimized out>, fmt=<value optimized out>, ap=<value optimized out>) at ../misc/syslog.c:169
#5 0x003505d7 in __vsyslog (pri=Could not find the frame base for "__vsyslog".
) at ../misc/syslog.c:326
#6 0xb7ff5e68 in vinfo (format=0xb7ffcf75 "HCI dev %d unregistered", ap=0xbffff0b4 "") at logging.c:36
#7 0xb7ff5e3a in info (format=0xb7ffcf75 "HCI dev %d unregistered") at logging.c:45
#8 0xb7fdc1a9 in device_event (chan=0xb800a3d0, si=0xbffff10b) at main.c:544
#9 0xb7fdc0ed in io_stack_event (chan=0xb800a3d0, cond=G_IO_IN, data=0x0) at main.c:595
#10 0x001a524d in ?? () from /lib/libglib-2.0.so.0
#11 0x0016e218 in g_main_context_dispatch () from /lib/libglib-2.0.so.0
#12 0x001718c3 in ?? () from /lib/libglib-2.0.so.0
#13 0x00171de2 in g_main_loop_run () from /lib/libglib-2.0.so.0
#14 0xb7fdc7a4 in main (argc=1, argv=0xbffff7e4) at main.c:750