2010-10-24 12:38:02

by Ilya Basin

Subject: 4.76 possible regression: bluetoothd segfaults when launching bluetooth programs

It all started after upgrading bluez from 4.69 to 4.76 .
'hcitool scan' works and bluetoothd starts normally, but when launching
any related program (e.g. Gnome bluetooth-applet), bluetoothd dies with a segfault:
Oct 24 11:31:01 IL kernel: bluetoothd[3894]: segfault at 0 ip
b7632653 sp bfee9b5c error 4 in libc-2.12.1.so[b75be000+145000]

Downgrading to 4.69 helps; I don't even have to reboot, just
restart bluetoothd.

Additional info:
* package version(s)
kernel26 2.6.35.7
bluez 4.76
dbus 1.4.0

$ lsusb | grep lue
Bus 003 Device 002: ID 0a5c:2121 Broadcom Corp. BCM2210 Bluetooth

Compiled with debug flags, gdb output attached
dbus_message_iter_append_basic () is called 7 times after another bt
program starts.
Params seem valid:

Breakpoint 1, 0xb7e4e616 in dbus_message_iter_append_basic () from /usr/lib/libdbus-1.so.3
(gdb) print (void*)($esp+0)
$1 = (void *) 0xbffff3c0
(gdb) print *(char*)($esp+4)
$2 = 115 's'
(gdb) print **(char***)($esp+8)
$3 = 0xb80474f0 "0000110e-0000-1000-8000-00805f9b34fb"
(gdb) finish
Run till exit from #0 0xb7e4e616 in dbus_message_iter_append_basic () from /usr/lib/libdbus-1.so.3

Program received signal SIGSEGV, Segmentation fault.
0xb7d3e653 in strlen () from /lib/libc.so.6
(gdb)


Attachments:
gdb.txt (2.94 kB)

2010-10-26 19:02:31

by Ilya Basin


2010-10-26 14:19:13

by Johan Hedberg

Subject: Re: Re[2]: 4.76 possible regression: bluetoothd segfaults when launching bluetooth programs

Hi Ilya,

On Tue, Oct 26, 2010, Ilya Basin wrote:
> JH> have all debug symbols enabled. Could you try to reproduce this with
> JH> latest bluez git. You don't need to install anything but just compile
>
> segfaults start after this commit:
> [d5e700051b1263b2028331d41d60de02a5a6f90e] Fix append_variant_array()
> to take a number of elements
>
> Not every BT program kills bluetoothd, but Smartcam does.
> http://sourceforge.net/projects/smartcam/
> [il@IL bluez]$ smartcam
> smartcam: registered DBUS service "org.gnome.smartcam"
> Found smartcam device file: /dev/video0
> smartcam: started comm thread
> smartcam: port = 1
> sdp_record_register: Protocol error

Thanks for the info. This program seems to add a somehow malformed
service record, which is the cause of the crash. Before the patch you
pointed out, a NULL pointer was used to detect the end of a pointer array,
and so bt_uuid2string() returning NULL for this service record didn't
cause any bad behavior (since the code just stopped iterating the pointer
array after this). However, after the patch the code uses an explicit
integer value for the list length and would try to dereference the NULL
pointer in the middle of the list.

I've now pushed a patch to git which should fix this:
http://git.kernel.org/?p=bluetooth/bluez.git;a=commitdiff;h=e31d21c7f238352893a365ab50642707c44087cd

Please do a git pull and see if it really fixes the issue for you.
Thanks.

Johan
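As an added illustration (not bluez code and not part of this thread), the two iteration styles described above, run over a constructed UUID list with a NULL entry in the middle; `append_basic_string`, `append_sentinel` and `append_counted_checked` are hypothetical names standing in for the bluetoothd functions in the backtrace.

```c
/* Added example, not bluez code: a minimal model of the iteration change
 * discussed in the thread. The UUID strings and the pointer array are
 * constructed here; in bluetoothd they come from bt_uuid2string(). */
#include <stdio.h>
#include <string.h>

/* Constructed sample: three entries, the middle one unresolved (NULL),
 * followed by the terminating NULL that the pre-patch layout relied on. */
static const char *SAMPLE_UUIDS[] = { "0000110e-0000-1000-8000-00805f9b34fb", NULL,
                                      "00001101-0000-1000-8000-00805f9b34fb", NULL };
static const int SAMPLE_COUNT = 3;

/* Stand-in for the D-Bus string append: it calls strlen(), so a NULL element
 * faults here, which is where the reported backtrace shows the crash. */
static size_t append_basic_string(const char *s) { return strlen(s); }

/* Pre-patch style: NULL terminates the pointer array, so the NULL produced
 * for the malformed UUID silently ends the loop (later entries are dropped). */
static int append_sentinel(const char **list)
{
    int n = 0;
    for (; *list; list++, n++)
        append_basic_string(*list);
    return n;
}

/* Post-patch style with the fix: an explicit count drives the loop, so every
 * element is visited; without the NULL check this is the crashing loop. */
static int append_counted_checked(const char **list, int count, int *skipped)
{
    int n = 0, dropped = 0;
    for (int i = 0; i < count; i++) {
        if (list[i] == NULL) { dropped++; continue; }
        append_basic_string(list[i]);
        n++;
    }
    if (skipped)
        *skipped = dropped;
    return n;
}

int main(void)
{
    int skipped, n;
    printf("sentinel: %d appended\n", append_sentinel(SAMPLE_UUIDS));
    n = append_counted_checked(SAMPLE_UUIDS, SAMPLE_COUNT, &skipped);
    printf("counted:  %d appended, %d skipped\n", n, skipped);
    return 0;
}
```

The sentinel loop reports only one element because it stops at the NULL; the counted loop reaches all three and survives only because the NULL entry is checked and skipped.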

2010-10-26 13:04:45

by Ilya Basin

Subject: Re[2]: 4.76 possible regression: bluetoothd segfaults when launching bluetooth programs

JH> have all debug symbols enabled. Could you try to reproduce this with
JH> latest bluez git. You don't need to install anything but just compile

segfaults start after this commit:
[d5e700051b1263b2028331d41d60de02a5a6f90e] Fix append_variant_array()
to take a number of elements

Not every BT program kills bluetoothd, but Smartcam does.
http://sourceforge.net/projects/smartcam/
[il@IL bluez]$ smartcam
smartcam: registered DBUS service "org.gnome.smartcam"
Found smartcam device file: /dev/video0
smartcam: started comm thread
smartcam: port = 1
sdp_record_register: Protocol error

--


Attachments:
gdb-new.txt (19.68 kB)

2010-10-25 20:40:15

by Johan Hedberg

Subject: Re: 4.76 possible regression: bluetoothd segfaults when launching bluetooth programs

Hi Ilya,

On Sun, Oct 24, 2010, Ilya Basin wrote:
> Program received signal SIGSEGV, Segmentation fault.
> 0xb7d3e653 in strlen () from /lib/libc.so.6
> (gdb) bt
> #0 0xb7d3e653 in strlen () from /lib/libc.so.6
> #1 0xb7e5eb10 in ?? () from /usr/lib/libdbus-1.so.3
> #2 0xb7e4a34b in ?? () from /usr/lib/libdbus-1.so.3
> #3 0xb7e4e7a9 in dbus_message_iter_append_basic () from /usr/lib/libdbus-1.so.3
> #4 0xb7fef03d in append_array_variant ()
> #5 0xb7fef799 in emit_array_property_changed ()
> #6 0xb7fe4de4 in adapter_service_ins_rem ()
> #7 0xb7fd7fb1 in sdp_record_add ()
> #8 0xb7fd79de in service_register_req ()
> #9 0xb7fd5dfc in handle_request ()
> #10 0xb7fd496e in io_session_event ()
> #11 0xb7ef7a2b in ?? () from /usr/lib/libglib-2.0.so.0
> #12 0xb7eb0b72 in g_main_context_dispatch () from /usr/lib/libglib-2.0.so.0
> #13 0xb7eb1350 in ?? () from /usr/lib/libglib-2.0.so.0
> #14 0xb7eb1a1b in g_main_loop_run () from /usr/lib/libglib-2.0.so.0
> #15 0xb7fd1bbd in main ()
> (gdb)

Unfortunately this doesn't give too much info since you don't seem to
have all debug symbols enabled. Could you try to reproduce this with the
latest bluez git? You don't need to install anything but just compile
(./bootstrap-configure && make) and run (src/bluetoothd -nd) from the
source tree directly. Then, it'd also be nice if you could use git
bisect to determine the exact commit between 4.69 and 4.76 that
introduced this regression.
Thanks.

Johan