2023-06-14 12:36:54

by Joakim Tjernlund

Subject: bluez SEGV in current master

commit bap: Add broadcast source support, 3030883, in bluez.git

A co-worker sees this SEGV when connecting a headset:

Jun 13 13:38:15 systemd-coredump[3941]: Process 1897 (bluetoothd) of user 0 dumped core.
Module bluetoothd without build-id.
#0 0x0000556bea93277a a2dp_resume_complete (bluetoothd + 0x3e77a)
#1 0x0000556bea9210a2 finalize_resume (bluetoothd + 0x2d0a2)
#2 0x0000556bea92afaf avdtp_start_resp (bluetoothd + 0x36faf)
#6 0x0000556bea9dcc85 mainloop_run (bluetoothd + 0xe8c85)
#7 0x0000556bea9dd0dc mainloop_run_with_signal (bluetoothd + 0xe90dc)
#8 0x0000556bea91a4ef main (bluetoothd + 0x264ef)
#11 0x0000556bea91ace1 _start (bluetoothd + 0x26ce1)
Jun 13 13:38:15 systemd[1]: bluetooth.service: Main process exited, code=dumped, status=11/SEGV


Crash seems to be at:

342 static void a2dp_resume_complete(struct avdtp *session, int err,
343 void *user_data)
344 {
345 struct media_owner *owner = user_data;
346 struct media_request *req = owner->pending;
347 struct media_transport *transport = owner->transport;
348 struct a2dp_sep *sep = media_endpoint_get_sep(transport->endpoint);

A good start (but does NOT fix the problem) might be:

--- bluez-9999/profiles/audio/transport.c.org 2023-06-13 18:38:14.542137531 +0200
+++ bluez-9999/profiles/audio/transport.c 2023-06-13 18:48:32.542527882 +0200
@@ -345,7 +345,7 @@
struct media_owner *owner = user_data;
struct media_request *req = owner->pending;
struct media_transport *transport = owner->transport;
- struct a2dp_sep *sep = media_endpoint_get_sep(transport->endpoint);
+ struct a2dp_sep *sep;
struct avdtp_stream *stream;
int fd;
uint16_t imtu, omtu;
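Review bot: only the `sep` initializer is moved out of the declaration block; the line `struct media_request *req = owner->pending;` stays as it was, so `req` is still taken from the owner with no check before it is written later in the function. If this owner can reach the completion with `transport` cleared, it can equally reach it with `pending` cleared (the gdb dump later in the thread shows both `req = 0x0` and `transport = 0x0`, with the fault at `req->id = 0`), so any guard added for `transport` should cover `req` too, or the crash just moves one line down.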
@@ -355,7 +355,10 @@

if (err)
goto fail;
+ if (!transport)
+ goto fail;

+ sep = media_endpoint_get_sep(transport->endpoint);
stream = a2dp_sep_get_stream(sep);
if (stream == NULL)
goto fail;
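Review bot: `if (!transport) goto fail;` sends a NULL `transport` into the `fail:` path, which the hunk does not show; whatever `fail:` does with `transport` or `req` (replying to the request, detaching the owner) has to tolerate NULL or the dereference simply relocates there. Stylistically the new test can be folded into the existing one as `if (err || !transport) goto fail;` instead of a second two-line `if` separated from it by a blank line. More importantly, a NULL `transport` at this point most likely means the START completion is arriving for an owner that has already been detached, so the patch papers over a lifetime problem rather than fixing it, which matches the submitter's own note that it does not fix the crash.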

bluez-5.66 works fine though.

Headset: WH-1000XM3

Jocke


2023-06-14 13:55:19

by bluez.test.bot

Subject: RE: bluez SEGV in current master

This is an automated email; please do not reply to it!

Dear submitter,

Thank you for submitting the patches to the linux bluetooth mailing list.
These are the CI test results for your patch series:
PW Link:https://patchwork.kernel.org/project/bluetooth/list/?series=757099

---Test result---

Test Summary:
CheckPatch FAIL 1.02 seconds
GitLint FAIL 0.74 seconds
BuildEll PASS 27.26 seconds
BluezMake PASS 861.75 seconds
MakeCheck PASS 12.27 seconds
MakeDistcheck PASS 153.25 seconds
CheckValgrind PASS 250.95 seconds
CheckSmatch PASS 338.03 seconds
bluezmakeextell PASS 101.49 seconds
IncrementalBuild PASS 702.53 seconds
ScanBuild PASS 1039.34 seconds

Details
##############################
Test: CheckPatch - FAIL
Desc: Run checkpatch.pl script
Output:
bluez SEGV in current master
WARNING:COMMIT_LOG_LONG_LINE: Possible unwrapped commit description (prefer a maximum 75 chars per line)
#128:
Jun 13 13:38:15 systemd-coredump[3941]: Process 1897 (bluetoothd) of user 0 dumped core.

/github/workspace/src/src/13279998.patch total: 0 errors, 1 warnings, 18 lines checked

NOTE: For some of the reported defects, checkpatch may be able to
mechanically convert to the typical style using --fix or --fix-inplace.

/github/workspace/src/src/13279998.patch has style problems, please review.

NOTE: Ignored message types: COMMIT_MESSAGE COMPLEX_MACRO CONST_STRUCT FILE_PATH_CHANGES MISSING_SIGN_OFF PREFER_PACKED SPDX_LICENSE_TAG SPLIT_STRING SSCANF_TO_KSTRTO

NOTE: If any of the errors are false positives, please report
them to the maintainer, see CHECKPATCH in MAINTAINERS.


##############################
Test: GitLint - FAIL
Desc: Run gitlint
Output:
bluez SEGV in current master

WARNING: I3 - ignore-body-lines: gitlint will be switching from using Python regex 'match' (match beginning) to 'search' (match anywhere) semantics. Please review your ignore-body-lines.regex option accordingly. To remove this warning, set general.regex-style-search=True. More details: https://jorisroovers.github.io/gitlint/configuration/#regex-style-search
7: B1 Line exceeds max length (88>80): "Jun 13 13:38:15 systemd-coredump[3941]: Process 1897 (bluetoothd) of user 0 dumped core."
9: B1 Line exceeds max length (106>80): " #0 0x0000556bea93277a a2dp_resume_complete (bluetoothd + 0x3e77a)"
10: B1 Line exceeds max length (101>80): " #1 0x0000556bea9210a2 finalize_resume (bluetoothd + 0x2d0a2)"
11: B1 Line exceeds max length (102>80): " #2 0x0000556bea92afaf avdtp_start_resp (bluetoothd + 0x36faf)"
12: B1 Line exceeds max length (98>80): " #6 0x0000556bea9dcc85 mainloop_run (bluetoothd + 0xe8c85)"
13: B1 Line exceeds max length (110>80): " #7 0x0000556bea9dd0dc mainloop_run_with_signal (bluetoothd + 0xe90dc)"
14: B1 Line exceeds max length (90>80): " #8 0x0000556bea91a4ef main (bluetoothd + 0x264ef)"
15: B1 Line exceeds max length (92>80): " #11 0x0000556bea91ace1 _start (bluetoothd + 0x26ce1)"
16: B1 Line exceeds max length (95>80): "Jun 13 13:38:15 systemd[1]: bluetooth.service: Main process exited, code=dumped, status=11/SEGV"
21: B3 Line contains hard tab characters (\t): "342 static void a2dp_resume_complete(struct avdtp *session, int err,"
22: B3 Line contains hard tab characters (\t): "343 void *user_data)"
23: B3 Line contains hard tab characters (\t): "344 {"
24: B3 Line contains hard tab characters (\t): "345 struct media_owner *owner = user_data;"
25: B3 Line contains hard tab characters (\t): "346 struct media_request *req = owner->pending;"
26: B3 Line contains hard tab characters (\t): "347 struct media_transport *transport = owner->transport;"
27: B3 Line contains hard tab characters (\t): "348 struct a2dp_sep *sep = media_endpoint_get_sep(transport->endpoint);"


---
Regards,
Linux Bluetooth

2023-06-14 16:36:18

by Luiz Augusto von Dentz

Subject: Re: bluez SEGV in current master

Hi Joakim,

On Wed, Jun 14, 2023 at 5:36 AM Joakim Tjernlund
<[email protected]> wrote:
>
> commit bap: Add broadcast source support, 3030883, in bluez.git
>
> A co-worker sees this SEGV when connecting a headset:
>
> Jun 13 13:38:15 systemd-coredump[3941]: Process 1897 (bluetoothd) of user 0 dumped core.
> Module bluetoothd without build-id.
> #0 0x0000556bea93277a a2dp_resume_complete (bluetoothd + 0x3e77a)
> #1 0x0000556bea9210a2 finalize_resume (bluetoothd + 0x2d0a2)
> #2 0x0000556bea92afaf avdtp_start_resp (bluetoothd + 0x36faf)
> #6 0x0000556bea9dcc85 mainloop_run (bluetoothd + 0xe8c85)
> #7 0x0000556bea9dd0dc mainloop_run_with_signal (bluetoothd + 0xe90dc)
> #8 0x0000556bea91a4ef main (bluetoothd + 0x264ef)
> #11 0x0000556bea91ace1 _start (bluetoothd + 0x26ce1)
> Jun 13 13:38:15 systemd[1]: bluetooth.service: Main process exited, code=dumped, status=11/SEGV
>
>
> Crash seems to be at:
>
> 342 static void a2dp_resume_complete(struct avdtp *session, int err,
> 343 void *user_data)
> 344 {
> 345 struct media_owner *owner = user_data;
> 346 struct media_request *req = owner->pending;
> 347 struct media_transport *transport = owner->transport;
> 348 struct a2dp_sep *sep = media_endpoint_get_sep(transport->endpoint);
>
> A good start (but does NOT fix the problem) might be:
>
> --- bluez-9999/profiles/audio/transport.c.org 2023-06-13 18:38:14.542137531 +0200
> +++ bluez-9999/profiles/audio/transport.c 2023-06-13 18:48:32.542527882 +0200
> @@ -345,7 +345,7 @@
> struct media_owner *owner = user_data;
> struct media_request *req = owner->pending;
> struct media_transport *transport = owner->transport;
> - struct a2dp_sep *sep = media_endpoint_get_sep(transport->endpoint);
> + struct a2dp_sep *sep;
> struct avdtp_stream *stream;
> int fd;
> uint16_t imtu, omtu;
> @@ -355,7 +355,10 @@
>
> if (err)
> goto fail;
> + if (!transport)
> + goto fail;
>
> + sep = media_endpoint_get_sep(transport->endpoint);
> stream = a2dp_sep_get_stream(sep);
> if (stream == NULL)
> goto fail;
>
> bluez-5.66 works fine though.
>
> Headset: WH-1000XM3
>
> Jocke

Weird, I don't think much has changed for A2DP, but perhaps there is
some BAP related changes affecting A2DP for some reason, any chance to
bisect the patch that introduces this problem? Or it is not always
reproducible?


--
Luiz Augusto von Dentz

2023-06-14 16:36:49

by Joakim Tjernlund

Subject: Re: bluez SEGV in current master

On Wed, 2023-06-14 at 09:25 -0700, Luiz Augusto von Dentz wrote:
> Hi Joakim,
>
> On Wed, Jun 14, 2023 at 5:36 AM Joakim Tjernlund
> <[email protected]> wrote:
> >
> > commit bap: Add broadcast source support, 3030883, in bluez.git
> >
> > A co-worker sees this SEGV when connecting a headset:
> >
> > Jun 13 13:38:15 systemd-coredump[3941]: Process 1897 (bluetoothd) of user 0 dumped core.
> > Module bluetoothd without build-id.
> > #0 0x0000556bea93277a a2dp_resume_complete (bluetoothd + 0x3e77a)
> > #1 0x0000556bea9210a2 finalize_resume (bluetoothd + 0x2d0a2)
> > #2 0x0000556bea92afaf avdtp_start_resp (bluetoothd + 0x36faf)
> > #6 0x0000556bea9dcc85 mainloop_run (bluetoothd + 0xe8c85)
> > #7 0x0000556bea9dd0dc mainloop_run_with_signal (bluetoothd + 0xe90dc)
> > #8 0x0000556bea91a4ef main (bluetoothd + 0x264ef)
> > #11 0x0000556bea91ace1 _start (bluetoothd + 0x26ce1)
> > Jun 13 13:38:15 systemd[1]: bluetooth.service: Main process exited, code=dumped, status=11/SEGV
> >
> >
> > Crash seems to be at:
> >
> > 342 static void a2dp_resume_complete(struct avdtp *session, int err,
> > 343 void *user_data)
> > 344 {
> > 345 struct media_owner *owner = user_data;
> > 346 struct media_request *req = owner->pending;
> > 347 struct media_transport *transport = owner->transport;
> > 348 struct a2dp_sep *sep = media_endpoint_get_sep(transport->endpoint);
> >
> > A good start (but does NOT fix the problem) might be:
> >
> > --- bluez-9999/profiles/audio/transport.c.org 2023-06-13 18:38:14.542137531 +0200
> > +++ bluez-9999/profiles/audio/transport.c 2023-06-13 18:48:32.542527882 +0200
> > @@ -345,7 +345,7 @@
> > struct media_owner *owner = user_data;
> > struct media_request *req = owner->pending;
> > struct media_transport *transport = owner->transport;
> > - struct a2dp_sep *sep = media_endpoint_get_sep(transport->endpoint);
> > + struct a2dp_sep *sep;
> > struct avdtp_stream *stream;
> > int fd;
> > uint16_t imtu, omtu;
> > @@ -355,7 +355,10 @@
> >
> > if (err)
> > goto fail;
> > + if (!transport)
> > + goto fail;
> >
> > + sep = media_endpoint_get_sep(transport->endpoint);
> > stream = a2dp_sep_get_stream(sep);
> > if (stream == NULL)
> > goto fail;
> >
> > bluez-5.66 works fine though.
> >
> > Headset: WH-1000XM3
> >
> > Jocke
>
> Weird, I don't think much has changed for A2DP, but perhaps there is
> some BAP related changes affecting A2DP for some reason, any chance to
> bisect the patch that introduces this problem? Or it is not always
> reproducible?

It is reproducible, but on a remote laptop used for daily work, so it would disturb quite a lot.
Can I turn off BAP somehow to see if it is interfering?

Any chance it is related to https://github.com/bluez/bluez/issues/533 ?

Jocke

2023-06-14 17:19:20

by Luiz Augusto von Dentz

Subject: Re: bluez SEGV in current master

Hi Joakim,

On Wed, Jun 14, 2023 at 9:32 AM Joakim Tjernlund
<[email protected]> wrote:
>
> On Wed, 2023-06-14 at 09:25 -0700, Luiz Augusto von Dentz wrote:
> > Hi Joakim,
> >
> > On Wed, Jun 14, 2023 at 5:36 AM Joakim Tjernlund
> > <[email protected]> wrote:
> > >
> > > commit bap: Add broadcast source support, 3030883, in bluez.git
> > >
> > > A co-worker sees this SEGV when connecting a headset:
> > >
> > > Jun 13 13:38:15 systemd-coredump[3941]: Process 1897 (bluetoothd) of user 0 dumped core.
> > > Module bluetoothd without build-id.
> > > #0 0x0000556bea93277a a2dp_resume_complete (bluetoothd + 0x3e77a)
> > > #1 0x0000556bea9210a2 finalize_resume (bluetoothd + 0x2d0a2)
> > > #2 0x0000556bea92afaf avdtp_start_resp (bluetoothd + 0x36faf)
> > > #6 0x0000556bea9dcc85 mainloop_run (bluetoothd + 0xe8c85)
> > > #7 0x0000556bea9dd0dc mainloop_run_with_signal (bluetoothd + 0xe90dc)
> > > #8 0x0000556bea91a4ef main (bluetoothd + 0x264ef)
> > > #11 0x0000556bea91ace1 _start (bluetoothd + 0x26ce1)
> > > Jun 13 13:38:15 systemd[1]: bluetooth.service: Main process exited, code=dumped, status=11/SEGV
> > >
> > >
> > > Crash seems to be at:
> > >
> > > 342 static void a2dp_resume_complete(struct avdtp *session, int err,
> > > 343 void *user_data)
> > > 344 {
> > > 345 struct media_owner *owner = user_data;
> > > 346 struct media_request *req = owner->pending;
> > > 347 struct media_transport *transport = owner->transport;
> > > 348 struct a2dp_sep *sep = media_endpoint_get_sep(transport->endpoint);
> > >
> > > A good start (but does NOT fix the problem) might be:
> > >
> > > --- bluez-9999/profiles/audio/transport.c.org 2023-06-13 18:38:14.542137531 +0200
> > > +++ bluez-9999/profiles/audio/transport.c 2023-06-13 18:48:32.542527882 +0200
> > > @@ -345,7 +345,7 @@
> > > struct media_owner *owner = user_data;
> > > struct media_request *req = owner->pending;
> > > struct media_transport *transport = owner->transport;
> > > - struct a2dp_sep *sep = media_endpoint_get_sep(transport->endpoint);
> > > + struct a2dp_sep *sep;
> > > struct avdtp_stream *stream;
> > > int fd;
> > > uint16_t imtu, omtu;
> > > @@ -355,7 +355,10 @@
> > >
> > > if (err)
> > > goto fail;
> > > + if (!transport)
> > > + goto fail;
> > >
> > > + sep = media_endpoint_get_sep(transport->endpoint);
> > > stream = a2dp_sep_get_stream(sep);
> > > if (stream == NULL)
> > > goto fail;
> > >
> > > bluez-5.66 works fine though.
> > >
> > > Headset: WH-1000XM3
> > >
> > > Jocke
> >
> > Weird, I don't think much has changed for A2DP, but perhaps there is
> > some BAP related changes affecting A2DP for some reason, any chance to
> > bisect the patch that introduces this problem? Or it is not always
> > reproducible?
>
> It is reproducible, but on a remote laptop used for daily work, so it would disturb quite a lot.
> Can I turn off BAP somehow to see if it is interfering?
>
> Any chance it is related to https://github.com/bluez/bluez/issues/533 ?

Right, yeah, that is possible since it appears to be some unbalanced
reference count issue; that said, that was a very old version, not sure
if we haven't fixed that.

> Jocke



--
Luiz Augusto von Dentz

2023-06-14 17:19:21

by Joakim Tjernlund

Subject: Re: bluez SEGV in current master

On Wed, 2023-06-14 at 09:53 -0700, Luiz Augusto von Dentz wrote:
> Hi Joakim,
>
> On Wed, Jun 14, 2023 at 9:32 AM Joakim Tjernlund
> <[email protected]> wrote:
> >
> > On Wed, 2023-06-14 at 09:25 -0700, Luiz Augusto von Dentz wrote:
> > > Hi Joakim,
> > >
> > > On Wed, Jun 14, 2023 at 5:36 AM Joakim Tjernlund
> > > <[email protected]> wrote:
> > > >
> > > > commit bap: Add broadcast source support, 3030883, in bluez.git
> > > >
> > > > A co-worker sees this SEGV when connecting a headset:
> > > >
> > > > Jun 13 13:38:15 systemd-coredump[3941]: Process 1897 (bluetoothd) of user 0 dumped core.
> > > > Module bluetoothd without build-id.
> > > > #0 0x0000556bea93277a a2dp_resume_complete (bluetoothd + 0x3e77a)
> > > > #1 0x0000556bea9210a2 finalize_resume (bluetoothd + 0x2d0a2)
> > > > #2 0x0000556bea92afaf avdtp_start_resp (bluetoothd + 0x36faf)
> > > > #6 0x0000556bea9dcc85 mainloop_run (bluetoothd + 0xe8c85)
> > > > #7 0x0000556bea9dd0dc mainloop_run_with_signal (bluetoothd + 0xe90dc)
> > > > #8 0x0000556bea91a4ef main (bluetoothd + 0x264ef)
> > > > #11 0x0000556bea91ace1 _start (bluetoothd + 0x26ce1)
> > > > Jun 13 13:38:15 systemd[1]: bluetooth.service: Main process exited, code=dumped, status=11/SEGV
> > > >
> > > >
> > > > Crash seems to be at:
> > > >
> > > > 342 static void a2dp_resume_complete(struct avdtp *session, int err,
> > > > 343 void *user_data)
> > > > 344 {
> > > > 345 struct media_owner *owner = user_data;
> > > > 346 struct media_request *req = owner->pending;
> > > > 347 struct media_transport *transport = owner->transport;
> > > > 348 struct a2dp_sep *sep = media_endpoint_get_sep(transport->endpoint);
> > > >
> > > > A good start (but does NOT fix the problem) might be:
> > > >
> > > > --- bluez-9999/profiles/audio/transport.c.org 2023-06-13 18:38:14.542137531 +0200
> > > > +++ bluez-9999/profiles/audio/transport.c 2023-06-13 18:48:32.542527882 +0200
> > > > @@ -345,7 +345,7 @@
> > > > struct media_owner *owner = user_data;
> > > > struct media_request *req = owner->pending;
> > > > struct media_transport *transport = owner->transport;
> > > > - struct a2dp_sep *sep = media_endpoint_get_sep(transport->endpoint);
> > > > + struct a2dp_sep *sep;
> > > > struct avdtp_stream *stream;
> > > > int fd;
> > > > uint16_t imtu, omtu;
> > > > @@ -355,7 +355,10 @@
> > > >
> > > > if (err)
> > > > goto fail;
> > > > + if (!transport)
> > > > + goto fail;
> > > >
> > > > + sep = media_endpoint_get_sep(transport->endpoint);
> > > > stream = a2dp_sep_get_stream(sep);
> > > > if (stream == NULL)
> > > > goto fail;
> > > >
> > > > bluez-5.66 works fine though.
> > > >
> > > > Headset: WH-1000XM3
> > > >
> > > > Jocke
> > >
> > > Weird, I don't think much has changed for A2DP, but perhaps there is
> > > some BAP related changes affecting A2DP for some reason, any chance to
> > > bisect the patch that introduces this problem? Or it is not always
> > > reproducible?
> >
> > It is reproducible, but on a remote laptop used for daily work, so it would disturb quite a lot.
> > Can I turn off BAP somehow to see if it is interfering?
> >
> > Any chance it is related to https://github.com/bluez/bluez/issues/533 ?
>
> Right, yeah, that is possible since it appears to be some unbalanced
> reference count issue; that said, that was a very old version, not sure
> if we haven't fixed that.

It is not fixed in the unref code discussed in that issue on master.

Jocke

2023-06-27 08:43:21

by Joakim Tjernlund

Subject: Re: bluez SEGV in current master

On Wed, 2023-06-14 at 19:00 +0200, Joakim Tjernlund wrote:
> On Wed, 2023-06-14 at 09:53 -0700, Luiz Augusto von Dentz wrote:
> > Hi Joakim,
> >
> > On Wed, Jun 14, 2023 at 9:32 AM Joakim Tjernlund
> > <[email protected]> wrote:
> > >
> > > On Wed, 2023-06-14 at 09:25 -0700, Luiz Augusto von Dentz wrote:
> > > > Hi Joakim,
> > > >
> > > > On Wed, Jun 14, 2023 at 5:36 AM Joakim Tjernlund
> > > > <[email protected]> wrote:
> > > > >
> > > > > commit bap: Add broadcast source support, 3030883, in bluez.git
> > > > >
> > > > > A co-worker sees this SEGV when connecting a headset:
> > > > >
> > > > > Jun 13 13:38:15 systemd-coredump[3941]: Process 1897 (bluetoothd) of user 0 dumped core.
> > > > > Module bluetoothd without build-id.
> > > > > #0 0x0000556bea93277a a2dp_resume_complete (bluetoothd + 0x3e77a)
> > > > > #1 0x0000556bea9210a2 finalize_resume (bluetoothd + 0x2d0a2)
> > > > > #2 0x0000556bea92afaf avdtp_start_resp (bluetoothd + 0x36faf)
> > > > > #6 0x0000556bea9dcc85 mainloop_run (bluetoothd + 0xe8c85)
> > > > > #7 0x0000556bea9dd0dc mainloop_run_with_signal (bluetoothd + 0xe90dc)
> > > > > #8 0x0000556bea91a4ef main (bluetoothd + 0x264ef)
> > > > > #11 0x0000556bea91ace1 _start (bluetoothd + 0x26ce1)
> > > > > Jun 13 13:38:15 systemd[1]: bluetooth.service: Main process exited, code=dumped, status=11/SEGV
> > > > >
> > > > >
> > > > > Crash seems to be at:
> > > > >
> > > > > 342 static void a2dp_resume_complete(struct avdtp *session, int err,
> > > > > 343 void *user_data)
> > > > > 344 {
> > > > > 345 struct media_owner *owner = user_data;
> > > > > 346 struct media_request *req = owner->pending;
> > > > > 347 struct media_transport *transport = owner->transport;
> > > > > 348 struct a2dp_sep *sep = media_endpoint_get_sep(transport->endpoint);
> > > > >
> > > > > A good start (but does NOT fix the problem) might be:
> > > > >
> > > > > --- bluez-9999/profiles/audio/transport.c.org 2023-06-13 18:38:14.542137531 +0200
> > > > > +++ bluez-9999/profiles/audio/transport.c 2023-06-13 18:48:32.542527882 +0200
> > > > > @@ -345,7 +345,7 @@
> > > > > struct media_owner *owner = user_data;
> > > > > struct media_request *req = owner->pending;
> > > > > struct media_transport *transport = owner->transport;
> > > > > - struct a2dp_sep *sep = media_endpoint_get_sep(transport->endpoint);
> > > > > + struct a2dp_sep *sep;
> > > > > struct avdtp_stream *stream;
> > > > > int fd;
> > > > > uint16_t imtu, omtu;
> > > > > @@ -355,7 +355,10 @@
> > > > >
> > > > > if (err)
> > > > > goto fail;
> > > > > + if (!transport)
> > > > > + goto fail;
> > > > >
> > > > > + sep = media_endpoint_get_sep(transport->endpoint);
> > > > > stream = a2dp_sep_get_stream(sep);
> > > > > if (stream == NULL)
> > > > > goto fail;
> > > > >
> > > > > bluez-5.66 works fine though.
> > > > >
> > > > > Headset: WH-1000XM3
> > > > >
> > > > > Jocke
> > > >
> > > > Weird, I don't think much has changed for A2DP, but perhaps there is
> > > > some BAP related changes affecting A2DP for some reason, any chance to
> > > > bisect the patch that introduces this problem? Or it is not always
> > > > reproducible?
> > >
> > > It is reproducible, but on a remote laptop used for daily work, so it would disturb quite a lot.
> > > Can I turn off BAP somehow to see if it is interfering?
> > >
> > > Any chance it is related to https://github.com/bluez/bluez/issues/533 ?
> >
> > Right, yeah, that is possible since it appears to be some unbalanced
> > reference count issue; that said, that was a very old version, not sure
> > if we haven't fixed that.
>
> It is not fixed in the unref code discussed in that issue on master.
>
> Jocke

Managed to get a bt:
Core was generated by `/usr/libexec/bluetooth/bluetoothd'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0 a2dp_resume_complete (session=0x55e437429c40, err=0, user_data=0x55e437456c90) at profiles/audio/transport.c:354

warning: Source file is more recent than executable.
354 req->id = 0;
(gdb) bt full
#0 a2dp_resume_complete (session=0x55e437429c40, err=0, user_data=0x55e437456c90) at profiles/audio/transport.c:354
owner = 0x55e437456c90
req = 0x0
transport = 0x0
sep = <optimized out>
stream = <optimized out>
fd = 0
imtu = 0
omtu = 0
ret = <optimized out>
#1 0x000055e4367f30a2 in finalize_resume (data=0x55e43745fc90) at profiles/audio/a2dp.c:352
cb = 0x55e437472f10
s = 0x55e43745fc90
l = 0x0
#2 0x000055e4367fcfaf in avdtp_start_resp (resp=0x55e437429cb3, size=0, stream=0x55e437455690, session=0x55e437429c40) at profiles/audio/avdtp.c:2868
sep = 0x55e437411660
#3 avdtp_parse_resp (transaction=<optimized out>, size=0, buf=0x55e437429cb3, signal_id=<optimized out>, stream=0x55e437455690,
session=0x55e437429c40) at profiles/audio/avdtp.c:2988
next = 0x0
get_all = 0x55e4368c19a8 ""
next = <optimized out>
get_all = <optimized out>
__func__ = "avdtp_parse_resp"
__btd_debug_desc = {file = 0x55e4368b3f97 "profiles/audio/avdtp.c", flags = 0}
__btd_debug_desc = {file = 0x55e4368b3f97 "profiles/audio/avdtp.c", flags = 0}
__btd_debug_desc = {file = 0x55e4368b3f97 "profiles/audio/avdtp.c", flags = 0}
__btd_debug_desc = {file = 0x55e4368b3f97 "profiles/audio/avdtp.c", flags = 0}
__btd_debug_desc = {file = 0x55e4368b3f97 "profiles/audio/avdtp.c", flags = 0}
__btd_debug_desc = {file = 0x55e4368b3f97 "profiles/audio/avdtp.c", flags = 0}
__btd_debug_desc = {file = 0x55e4368b3f97 "profiles/audio/avdtp.c", flags = 0}
__btd_debug_desc = {file = 0x55e4368b3f97 "profiles/audio/avdtp.c", flags = 0}
__btd_debug_desc = {file = 0x55e4368b3f97 "profiles/audio/avdtp.c", flags = 0}
__btd_debug_desc = {file = 0x55e4368b3f97 "profiles/audio/avdtp.c", flags = 0}
__btd_debug_desc = {file = 0x55e4368b3f97 "profiles/audio/avdtp.c", flags = 0}
#4 session_cb (chan=<optimized out>, cond=<optimized out>, data=0x55e437429c40) at profiles/audio/avdtp.c:2286
session = 0x55e437429c40
header = <optimized out>
--Type <RET> for more, q to quit, c to continue without paging--
size = <optimized out>
fd = <optimized out>
__func__ = "session_cb"
#5 0x00007fb64c271acf in g_main_dispatch (context=0x55e43740c870) at /var/tmp/portage/dev-libs/glib-2.76.2/glib-2.76.2/glib/gmain.c:3460
dispatch = 0x7fb64c2ca330 <g_io_unix_dispatch>
prev_source = 0x0
begin_time_nsec = 0
was_in_call = 0
user_data = 0x55e437429c40
callback = 0x55e4367fae60 <session_cb>
cb_funcs = <optimized out>
cb_data = 0x55e437448570
need_destroy = <optimized out>
source = 0x55e437456e50
current = 0x55e437416a00
i = 0
current = <optimized out>
i = <optimized out>
__func__ = "g_main_dispatch"
source = <optimized out>
_g_boolean_var_163 = <optimized out>
was_in_call = <optimized out>
user_data = <optimized out>
callback = <optimized out>
cb_funcs = <optimized out>
cb_data = <optimized out>
need_destroy = <optimized out>
dispatch = <optimized out>
prev_source = <optimized out>
begin_time_nsec = <optimized out>
_g_boolean_var_164 = <optimized out>
#6 g_main_context_dispatch (context=context@entry=0x55e43740c870) at /var/tmp/portage/dev-libs/glib-2.76.2/glib-2.76.2/glib/gmain.c:4200
No locals.
#7 0x00007fb64c271ea8 in g_main_context_iterate (context=0x55e43740c870, block=block@entry=1, dispatch=dispatch@entry=1, self=<optimized out>)
at /var/tmp/portage/dev-libs/glib-2.76.2/glib-2.76.2/glib/gmain.c:4276
max_priority = 2147483647
timeout = 5952
--Type <RET> for more, q to quit, c to continue without paging--
some_ready = 1
nfds = <optimized out>
allocated_nfds = 35
fds = 0x55e437439090
begin_time_nsec = 0
#8 0x00007fb64c27215f in g_main_loop_run (loop=0x55e43740c9e0) at /var/tmp/portage/dev-libs/glib-2.76.2/glib-2.76.2/glib/gmain.c:4479
self = <optimized out>
__func__ = "g_main_loop_run"
#9 0x000055e4368afb55 in mainloop_run () at src/shared/mainloop-glib.c:66
No locals.
#10 0x000055e4368affac in mainloop_run_with_signal (func=func@entry=0x55e43682f6a0 <signal_callback>, user_data=user_data@entry=0x0)
at src/shared/mainloop-notify.c:188
data = 0x55e437416820
io = 0x55e437416840
ret = <optimized out>
#11 0x000055e4367ec4ff in main (argc=<optimized out>, argv=<optimized out>) at src/main.c:1450
context = <optimized out>
err = 0x0
sdp_mtu = 0
sdp_flags = <optimized out>
gdbus_flags = <optimized out>
__func__ = "main"

So req is NULL and:
print *owner
$2 = {transport = 0x0, pending = 0x0, name = 0x55e437473f70 ":1.41", watch = 0}

print *session
$3 = {ref = 3, version = 259, lseps = 0x55e437425990, device = 0x55e4374313d0, state = AVDTP_SESSION_STATE_CONNECTED, io = 0x55e437458370,
io_id = 380, seps = 0x55e4374559e0 = {0x55e437455a40, 0x55e43742bb80, 0x55e43742c1f0, 0x55e43745dad0, 0x55e43745e060}, streams = 0x55e43745db70 = {
0x55e437455690}, req_queue = 0x0, prio_queue = 0x0, pending_open = 0x0, pending_open_io = 0x0, phy = 511, imtu = 672, omtu = 895, in = {
active = 0, no_of_packets = 1, transaction = 3 '\003', message_type = 2 '\002', signal_id = 7 '\a',
buf = "\004\005\334\b\030\b\f\b\b\b", '\000' <repeats 1013 times>, data_size = 0 '\000'},
buf = 0x55e43742a0f0 "2\a\024", <incomplete sequence \334>, discover = 0x0, req = 0x55e437455b70, dc_timer = 0, dc_timeout = 1, stream_setup = 0}
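
The backtrace above shows the completion callback running on an owner whose transport and pending fields are both NULL while the AVDTP START response is still being delivered. The following is an added example, not code from this thread or from bluez, that models that lifetime problem in a self-contained C program: the struct layouts, the async_op record, the deliver function and the two detach variants are constructed for illustration, and only the field names (transport, pending, name) follow the gdb dump. It contrasts a teardown that clears the owner while the request is still in flight with one that cancels the in-flight operation first, and shows that a NULL guard in the callback only turns the crash into a silently dropped completion.

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed stand-ins for the daemon's objects; layouts are not bluez's. */
struct media_request { unsigned int id; };
struct media_transport { const char *path; };

struct media_owner {
	struct media_transport *transport;
	struct media_request *pending;
	const char *name;
};

/* One in-flight asynchronous operation, standing in for the AVDTP START
 * request whose response later invokes the completion callback with the
 * owner as user_data. */
typedef void (*complete_cb)(int err, void *user_data);

struct async_op {
	complete_cb cb;
	void *user_data;
	bool cancelled;
};

/* What the completion observed; lets a caller check behaviour without
 * actually faulting on a NULL pointer. */
enum resume_result {
	RESUME_NOT_CALLED = 0,
	RESUME_OK,
	RESUME_ERR,
	RESUME_STALE_OWNER
};

static enum resume_result resume_result;

/* Completion callback.  The real a2dp_resume_complete writes req->id with no
 * check; here the NULL test records that the owner was already detached, which
 * is exactly the state the gdb dump shows (pending = 0x0, transport = 0x0). */
static void resume_complete(int err, void *user_data)
{
	struct media_owner *owner = user_data;
	struct media_request *req = owner->pending;
	struct media_transport *transport = owner->transport;

	if (err) {
		resume_result = RESUME_ERR;
		return;
	}
	if (!req || !transport) {
		resume_result = RESUME_STALE_OWNER;   /* would be a SEGV unguarded */
		return;
	}
	req->id = 0;
	resume_result = RESUME_OK;
}

/* Buggy teardown: drops the owner's links but forgets the in-flight op, so the
 * completion still fires later against a half-torn-down owner. */
static void owner_detach_buggy(struct media_owner *owner, struct async_op *op)
{
	(void)op;
	owner->transport = NULL;
	owner->pending = NULL;
}

/* Correct teardown: cancel the in-flight op before dropping the links, so the
 * completion can never observe the detached owner. */
static void owner_detach_fixed(struct media_owner *owner, struct async_op *op)
{
	op->cancelled = true;
	owner->transport = NULL;
	owner->pending = NULL;
}

/* The "response arrived" path as the event loop would run it. */
static void async_op_deliver(struct async_op *op, int err)
{
	if (op->cancelled)
		return;
	op->cb(err, op->user_data);
}

/* Run one scenario end to end and report what the completion saw.
 * detach_first: tear the owner down while the op is still pending.
 * fixed: use the cancelling teardown instead of the buggy one. */
enum resume_result run_scenario(bool fixed, bool detach_first)
{
	struct media_request req = { 42 };
	struct media_transport transport = { "fd0" };      /* constructed name */
	struct media_owner owner = { &transport, &req, ":1.41" };
	struct async_op op = { resume_complete, &owner, false };

	resume_result = RESUME_NOT_CALLED;
	if (detach_first) {
		if (fixed)
			owner_detach_fixed(&owner, &op);
		else
			owner_detach_buggy(&owner, &op);
	}
	async_op_deliver(&op, 0);
	return resume_result;
}

int main(void)
{
	printf("normal:       %d\n", run_scenario(false, false)); /* RESUME_OK */
	printf("buggy detach: %d\n", run_scenario(false, true));  /* RESUME_STALE_OWNER */
	printf("fixed detach: %d\n", run_scenario(true, true));   /* RESUME_NOT_CALLED */
	return 0;
}
```

The point of the three runs is the middle one: with the buggy teardown the callback is reached with a fully cleared owner, which is the crash signature in the dump, and a NULL check there only hides it. The fixed teardown makes the completion unreachable, which is where a real fix in the daemon would have to live (cancelling or unregistering the pending request when the owner loses its transport), rather than in the callback.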

2023-06-27 13:15:10

by Joakim Tjernlund

Subject: Re: bluez SEGV in current master

On Tue, 2023-06-27 at 10:35 +0200, Joakim Tjernlund wrote:
> On Wed, 2023-06-14 at 19:00 +0200, Joakim Tjernlund wrote:
> > On Wed, 2023-06-14 at 09:53 -0700, Luiz Augusto von Dentz wrote:
> > > Hi Joakim,
> > >
> > > On Wed, Jun 14, 2023 at 9:32 AM Joakim Tjernlund
> > > <[email protected]> wrote:
> > > >
> > > > On Wed, 2023-06-14 at 09:25 -0700, Luiz Augusto von Dentz wrote:
> > > > > Hi Joakim,
> > > > >
> > > > > On Wed, Jun 14, 2023 at 5:36 AM Joakim Tjernlund
> > > > > <[email protected]> wrote:
> > > > > >
> > > > > > commit bap: Add broadcast source support, 3030883, in bluez.git
> > > > > >
> > > > > > A co-worker sees this SEGV when connecting a headset:
> > > > > >
> > > > > > Jun 13 13:38:15 systemd-coredump[3941]: Process 1897 (bluetoothd) of user 0 dumped core.
> > > > > > Module bluetoothd without build-id.
> > > > > > #0 0x0000556bea93277a a2dp_resume_complete (bluetoothd + 0x3e77a)
> > > > > > #1 0x0000556bea9210a2 finalize_resume (bluetoothd + 0x2d0a2)
> > > > > > #2 0x0000556bea92afaf avdtp_start_resp (bluetoothd + 0x36faf)
> > > > > > #6 0x0000556bea9dcc85 mainloop_run (bluetoothd + 0xe8c85)
> > > > > > #7 0x0000556bea9dd0dc mainloop_run_with_signal (bluetoothd + 0xe90dc)
> > > > > > #8 0x0000556bea91a4ef main (bluetoothd + 0x264ef)
> > > > > > #11 0x0000556bea91ace1 _start (bluetoothd + 0x26ce1)
> > > > > > Jun 13 13:38:15 systemd[1]: bluetooth.service: Main process exited, code=dumped, status=11/SEGV
> > > > > >
> > > > > >
> > > > > > Crash seems to be at:
> > > > > >
> > > > > > 342 static void a2dp_resume_complete(struct avdtp *session, int err,
> > > > > > 343 void *user_data)
> > > > > > 344 {
> > > > > > 345 struct media_owner *owner = user_data;
> > > > > > 346 struct media_request *req = owner->pending;
> > > > > > 347 struct media_transport *transport = owner->transport;
> > > > > > 348 struct a2dp_sep *sep = media_endpoint_get_sep(transport->endpoint);
> > > > > >
> > > > > > A good start (but does NOT fix the problem) might be:
> > > > > >
> > > > > > --- bluez-9999/profiles/audio/transport.c.org 2023-06-13 18:38:14.542137531 +0200
> > > > > > +++ bluez-9999/profiles/audio/transport.c 2023-06-13 18:48:32.542527882 +0200
> > > > > > @@ -345,7 +345,7 @@
> > > > > > struct media_owner *owner = user_data;
> > > > > > struct media_request *req = owner->pending;
> > > > > > struct media_transport *transport = owner->transport;
> > > > > > - struct a2dp_sep *sep = media_endpoint_get_sep(transport->endpoint);
> > > > > > + struct a2dp_sep *sep;
> > > > > > struct avdtp_stream *stream;
> > > > > > int fd;
> > > > > > uint16_t imtu, omtu;
> > > > > > @@ -355,7 +355,10 @@
> > > > > >
> > > > > > if (err)
> > > > > > goto fail;
> > > > > > + if (!transport)
> > > > > > + goto fail;
> > > > > >
> > > > > > + sep = media_endpoint_get_sep(transport->endpoint);
> > > > > > stream = a2dp_sep_get_stream(sep);
> > > > > > if (stream == NULL)
> > > > > > goto fail;
> > > > > >
> > > > > > bluez-5.66 works fine though.
> > > > > >
> > > > > > Headset: WH-1000XM3
> > > > > >
> > > > > > Jocke
> > > > >
> > > > > Weird, I don't think much has changed for A2DP, but perhaps there is
> > > > > some BAP related changes affecting A2DP for some reason, any chance to
> > > > > bisect the patch that introduces this problem? Or it is not always
> > > > > reproducible?
> > > >
> > > > It is reproducible, but on a remote laptop used for daily work, so it would disturb quite a lot.
> > > > Can I turn off BAP somehow to see if it is interfering?
> > > >
> > > > Any chance it is related to https://github.com/bluez/bluez/issues/533 ?
> > >
> > > Right, yeah, that is possible since it appears to be some unbalanced
> > > reference count issue; that said, that was a very old version, not sure
> > > if we haven't fixed that.
> >
> > It is not fixed in the unref code discussed in that issue on master.
> >
> > Jocke
>
> Managed to get a bt:
> Core was generated by `/usr/libexec/bluetooth/bluetoothd'.
> Program terminated with signal SIGSEGV, Segmentation fault.
> #0 a2dp_resume_complete (session=0x55e437429c40, err=0, user_data=0x55e437456c90) at profiles/audio/transport.c:354
>
> warning: Source file is more recent than executable.
> 354 req->id = 0;
> (gdb) bt full
> #0 a2dp_resume_complete (session=0x55e437429c40, err=0, user_data=0x55e437456c90) at profiles/audio/transport.c:354
> owner = 0x55e437456c90
> req = 0x0
> transport = 0x0
> sep = <optimized out>
> stream = <optimized out>
> fd = 0
> imtu = 0
> omtu = 0
> ret = <optimized out>
> #1 0x000055e4367f30a2 in finalize_resume (data=0x55e43745fc90) at profiles/audio/a2dp.c:352
> cb = 0x55e437472f10
> s = 0x55e43745fc90
> l = 0x0
> #2 0x000055e4367fcfaf in avdtp_start_resp (resp=0x55e437429cb3, size=0, stream=0x55e437455690, session=0x55e437429c40) at profiles/audio/avdtp.c:2868
> sep = 0x55e437411660
> #3 avdtp_parse_resp (transaction=<optimized out>, size=0, buf=0x55e437429cb3, signal_id=<optimized out>, stream=0x55e437455690,
> session=0x55e437429c40) at profiles/audio/avdtp.c:2988
> next = 0x0
> get_all = 0x55e4368c19a8 ""
> next = <optimized out>
> get_all = <optimized out>
> __func__ = "avdtp_parse_resp"
> __btd_debug_desc = {file = 0x55e4368b3f97 "profiles/audio/avdtp.c", flags = 0}
> __btd_debug_desc = {file = 0x55e4368b3f97 "profiles/audio/avdtp.c", flags = 0}
> __btd_debug_desc = {file = 0x55e4368b3f97 "profiles/audio/avdtp.c", flags = 0}
> __btd_debug_desc = {file = 0x55e4368b3f97 "profiles/audio/avdtp.c", flags = 0}
> __btd_debug_desc = {file = 0x55e4368b3f97 "profiles/audio/avdtp.c", flags = 0}
> __btd_debug_desc = {file = 0x55e4368b3f97 "profiles/audio/avdtp.c", flags = 0}
> __btd_debug_desc = {file = 0x55e4368b3f97 "profiles/audio/avdtp.c", flags = 0}
> __btd_debug_desc = {file = 0x55e4368b3f97 "profiles/audio/avdtp.c", flags = 0}
> __btd_debug_desc = {file = 0x55e4368b3f97 "profiles/audio/avdtp.c", flags = 0}
> __btd_debug_desc = {file = 0x55e4368b3f97 "profiles/audio/avdtp.c", flags = 0}
> __btd_debug_desc = {file = 0x55e4368b3f97 "profiles/audio/avdtp.c", flags = 0}
> #4 session_cb (chan=<optimized out>, cond=<optimized out>, data=0x55e437429c40) at profiles/audio/avdtp.c:2286
> session = 0x55e437429c40
> header = <optimized out>
> --Type <RET> for more, q to quit, c to continue without paging--
> size = <optimized out>
> fd = <optimized out>
> __func__ = "session_cb"
> #5 0x00007fb64c271acf in g_main_dispatch (context=0x55e43740c870) at /var/tmp/portage/dev-libs/glib-2.76.2/glib-2.76.2/glib/gmain.c:3460
> dispatch = 0x7fb64c2ca330 <g_io_unix_dispatch>
> prev_source = 0x0
> begin_time_nsec = 0
> was_in_call = 0
> user_data = 0x55e437429c40
> callback = 0x55e4367fae60 <session_cb>
> cb_funcs = <optimized out>
> cb_data = 0x55e437448570
> need_destroy = <optimized out>
> source = 0x55e437456e50
> current = 0x55e437416a00
> i = 0
> current = <optimized out>
> i = <optimized out>
> __func__ = "g_main_dispatch"
> source = <optimized out>
> _g_boolean_var_163 = <optimized out>
> was_in_call = <optimized out>
> user_data = <optimized out>
> callback = <optimized out>
> cb_funcs = <optimized out>
> cb_data = <optimized out>
> need_destroy = <optimized out>
> dispatch = <optimized out>
> prev_source = <optimized out>
> begin_time_nsec = <optimized out>
> _g_boolean_var_164 = <optimized out>
> #6 g_main_context_dispatch (context=context@entry=0x55e43740c870) at /var/tmp/portage/dev-libs/glib-2.76.2/glib-2.76.2/glib/gmain.c:4200
> No locals.
> #7 0x00007fb64c271ea8 in g_main_context_iterate (context=0x55e43740c870, block=block@entry=1, dispatch=dispatch@entry=1, self=<optimized out>)
> at /var/tmp/portage/dev-libs/glib-2.76.2/glib-2.76.2/glib/gmain.c:4276
> max_priority = 2147483647
> timeout = 5952
> --Type <RET> for more, q to quit, c to continue without paging--
> some_ready = 1
> nfds = <optimized out>
> allocated_nfds = 35
> fds = 0x55e437439090
> begin_time_nsec = 0
> #8 0x00007fb64c27215f in g_main_loop_run (loop=0x55e43740c9e0) at /var/tmp/portage/dev-libs/glib-2.76.2/glib-2.76.2/glib/gmain.c:4479
> self = <optimized out>
> __func__ = "g_main_loop_run"
> #9 0x000055e4368afb55 in mainloop_run () at src/shared/mainloop-glib.c:66
> No locals.
> #10 0x000055e4368affac in mainloop_run_with_signal (func=func@entry=0x55e43682f6a0 <signal_callback>, user_data=user_data@entry=0x0)
> at src/shared/mainloop-notify.c:188
> data = 0x55e437416820
> io = 0x55e437416840
> ret = <optimized out>
> #11 0x000055e4367ec4ff in main (argc=<optimized out>, argv=<optimized out>) at src/main.c:1450
> context = <optimized out>
> err = 0x0
> sdp_mtu = 0
> sdp_flags = <optimized out>
> gdbus_flags = <optimized out>
> __func__ = "main"
>
> So req is NULL and:
> print *owner
> $2 = {transport = 0x0, pending = 0x0, name = 0x55e437473f70 ":1.41", watch = 0}
>
> print *session
> $3 = {ref = 3, version = 259, lseps = 0x55e437425990, device = 0x55e4374313d0, state = AVDTP_SESSION_STATE_CONNECTED, io = 0x55e437458370,
> io_id = 380, seps = 0x55e4374559e0 = {0x55e437455a40, 0x55e43742bb80, 0x55e43742c1f0, 0x55e43745dad0, 0x55e43745e060}, streams = 0x55e43745db70 = {
> 0x55e437455690}, req_queue = 0x0, prio_queue = 0x0, pending_open = 0x0, pending_open_io = 0x0, phy = 511, imtu = 672, omtu = 895, in = {
> active = 0, no_of_packets = 1, transaction = 3 '\003', message_type = 2 '\002', signal_id = 7 '\a',
> buf = "\004\005\334\b\030\b\f\b\b\b", '\000' <repeats 1013 times>, data_size = 0 '\000'},
> buf = 0x55e43742a0f0 "2\a\024", <incomplete sequence \334>, discover = 0x0, req = 0x55e437455b70, dc_timer = 0, dc_timeout = 1, stream_setup = 0}
>

I forgot, I have these local patches too:
--- bluez-9999/profiles/audio/a2dp.c.org 2023-06-14 16:20:45.777263502 +0200
+++ bluez-9999/profiles/audio/a2dp.c 2023-06-14 16:21:52.650843681 +0200
@@ -231,10 +231,8 @@

DBG("%p: ref=%d", setup, setup->ref);

- if (setup->ref > 0)
- return;
-
- setup_free(setup);
+ if (setup->ref == 0)
+ setup_free(setup);
}

static struct a2dp_setup_cb *setup_cb_new(struct a2dp_setup *setup)
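Review bot: the `== 0` test replaces a `> 0` early return, so a negative `setup->ref` now skips `setup_free()` silently instead of running it again; that hides the extra unref rather than locating it, and the setup leaks. Keep freeing at zero but make the underflow visible, e.g. log `setup->ref < 0` with the `error()` helper next to the DBG line above (which already prints the count and would show the negative value), or assert on it, so the unbalanced unref shows up instead of being tolerated.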
--- bluez-9999/profiles/audio/avdtp.c.org 2023-06-14 16:22:15.353699371 +0200
+++ bluez-9999/profiles/audio/avdtp.c 2023-06-14 16:24:05.250988808 +0200
@@ -1220,7 +1220,7 @@

DBG("%p: ref=%d", session, session->ref);

- if (session->ref > 0)
+ if (session->ref != 0)
return;

switch (session->state) {
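Review bot: with `ref != 0` a session whose count has gone negative returns here on every later unref and never reaches the `switch (session->state)` below, so an over-unref becomes a session that is never torn down rather than a crash; this masks the imbalance the same way the a2dp.c hunk does. The DBG line above already prints the count, so a negative value is easy to catch: keep `> 0`, add a logged check for `session->ref < 0` before it, and then chase the extra avdtp_unref() instead of absorbing it.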
--- bluez-9999/profiles/audio/transport.c.org 2023-06-13 18:38:14.542137531 +0200
+++ bluez-9999/profiles/audio/transport.c 2023-06-13 18:39:22.110965184 +0200
@@ -345,7 +345,7 @@
struct media_owner *owner = user_data;
struct media_request *req = owner->pending;
struct media_transport *transport = owner->transport;
- struct a2dp_sep *sep = media_endpoint_get_sep(transport->endpoint);
+ struct a2dp_sep *sep;
struct avdtp_stream *stream;
int fd;
uint16_t imtu, omtu;
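Review bot: on its own this hunk only moves the `media_endpoint_get_sep(transport->endpoint)` call out of the declarations; without a NULL check on `transport` in front of the moved call, the dereference happens exactly as before, just a few lines later. Either add the guard in the same hunk or merge this with the second hunk so the patch is self-contained.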
@@ -356,6 +356,7 @@
if (err)
goto fail;

+ sep = media_endpoint_get_sep(transport->endpoint);
stream = a2dp_sep_get_stream(sep);
if (stream == NULL)
goto fail;
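Review bot: the moved `media_endpoint_get_sep()` call still has no NULL check on `transport`, and the actual faulting line per the backtrace above is 354, `req->id = 0;`, which lies above this hunk's `@@ -356` start. The `print *owner` output shows both `transport` and `pending` as 0x0 in the same owner, so any guard would have to sit before line 354 and cover `req` as well as `transport`; more to the point, an owner with both pointers already cleared while its resume callback still fires suggests the callback outlives the owner's request, and that is where a fix belongs rather than in this function.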

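The three unref guards discussed in this thread side by side (the original `ref > 0` early return, and the `!= 0` / `== 0` variants from the local patches above), as an added example that is not bluez code: a stand-in refcounted object is released once too often and the outcome of each guard is recorded. Two things are assumed because the hunks do not show them: that the count is decremented before the DBG line and the guard, and that one owner holds the initial reference; the free path only increments a counter so the simulation stays memory-safe.

```c
/* Added example, not bluez code: a stand-in refcounted object that runs the
 * three "unref" guards seen in this thread against one unref too many.
 * Assumed (not shown in the hunks): the count is decremented before the
 * DBG line and the guard.  "free" only bumps a counter so the simulation
 * is memory-safe; in real code a second trip through the free path is a
 * double free. */
#include <stdbool.h>
#include <stdio.h>

struct obj {
	int ref;
	int free_count;   /* times the free path ran; >1 means double free */
	bool underflow;   /* an unref arrived with the count already at 0 */
};

static void obj_init(struct obj *o)
{
	o->ref = 1;       /* assumption: one owner holds the initial reference */
	o->free_count = 0;
	o->underflow = false;
}

/* Original guard: decrement, return while positive, otherwise free.
 * A negative count falls through and frees again. */
static void unref_gt0(struct obj *o)
{
	o->ref--;
	if (o->ref > 0)
		return;
	o->free_count++;
}

/* Local patch from the thread: only free at exactly zero.  A negative
 * count is ignored, so the object is never freed again, but the extra
 * unref is also never reported. */
static void unref_ne0(struct obj *o)
{
	o->ref--;
	if (o->ref != 0)
		return;
	o->free_count++;
}

/* Checked variant: refuse to decrement past zero and make the imbalance
 * visible instead of masking it. */
static void unref_checked(struct obj *o)
{
	if (o->ref <= 0) {
		o->underflow = true;
		fprintf(stderr, "unref with ref=%d: unbalanced unref\n", o->ref);
		return;
	}
	if (--o->ref == 0)
		o->free_count++;
}

typedef void (*unref_fn)(struct obj *);

/* Start at ref=1, apply n unrefs with the chosen guard, return the state. */
static struct obj run_unrefs(unref_fn fn, int n)
{
	struct obj o;
	obj_init(&o);
	for (int i = 0; i < n; i++)
		fn(&o);
	return o;
}

int main(void)
{
	const struct { const char *name; unref_fn fn; } variants[] = {
		{ "ref > 0 return (original)", unref_gt0 },
		{ "ref != 0 return (local patch)", unref_ne0 },
		{ "checked", unref_checked },
	};
	for (size_t i = 0; i < sizeof(variants) / sizeof(variants[0]); i++) {
		struct obj o = run_unrefs(variants[i].fn, 2); /* one unref too many */
		printf("%-32s ref=%2d frees=%d underflow=%s\n", variants[i].name,
		       o.ref, o.free_count, o.underflow ? "yes" : "no");
	}
	return 0;
}
```

With one unref too many, the original guard runs the free path twice (a double free in real code), the `!= 0` guard runs it once and leaves the count at -1 with nothing logged, and the checked guard runs it once and reports the underflow. The first two only differ when reaching zero did not actually free the object, for instance when zero merely schedules teardown; once the memory is gone, every further unref is a use-after-free whatever the guard says, which is why a check like the third variant helps as a detector but the extra unref itself still has to be found.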
2023-06-29 17:08:12

by Joakim Tjernlund

Subject: Re: bluez SEGV in current master

Any clue/idea?
Just test if req or transport ptrs are NULL and return?

Jocke

On Tue, 2023-06-27 at 15:14 +0200, Joakim Tjernlund wrote:
> On Tue, 2023-06-27 at 10:35 +0200, Joakim Tjernlund wrote:
> > On Wed, 2023-06-14 at 19:00 +0200, Joakim Tjernlund wrote:
> > > On Wed, 2023-06-14 at 09:53 -0700, Luiz Augusto von Dentz wrote:
> > > > Hi Joakim,
> > > >
> > > > On Wed, Jun 14, 2023 at 9:32 AM Joakim Tjernlund
> > > > <[email protected]> wrote:
> > > > >
> > > > > On Wed, 2023-06-14 at 09:25 -0700, Luiz Augusto von Dentz wrote:
> > > > > > Hi Joakim,
> > > > > >
> > > > > > On Wed, Jun 14, 2023 at 5:36 AM Joakim Tjernlund
> > > > > > <[email protected]> wrote:
> > > > > > >
> > > > > > > commit bap: Add broadcast source support, 3030883, in bluez.git
> > > > > > >
> > > > > > > > A co-worker sees this SEGV when connecting a headset:
> > > > > > >
> > > > > > > Jun 13 13:38:15 systemd-coredump[3941]: Process 1897 (bluetoothd) of user 0 dumped core.
> > > > > > > Module bluetoothd without build-id.
> > > > > > > #0 0x0000556bea93277a a2dp_resume_complete (bluetoothd + 0x3e77a)
> > > > > > > #1 0x0000556bea9210a2 finalize_resume (bluetoothd + 0x2d0a2)
> > > > > > > #2 0x0000556bea92afaf avdtp_start_resp (bluetoothd + 0x36faf)
> > > > > > > #6 0x0000556bea9dcc85 mainloop_run (bluetoothd + 0xe8c85)
> > > > > > > #7 0x0000556bea9dd0dc mainloop_run_with_signal (bluetoothd + 0xe90dc)
> > > > > > > #8 0x0000556bea91a4ef main (bluetoothd + 0x264ef)
> > > > > > > #11 0x0000556bea91ace1 _start (bluetoothd + 0x26ce1)
> > > > > > > Jun 13 13:38:15 systemd[1]: bluetooth.service: Main process exited, code=dumped, status=11/SEGV
> > > > > > >
> > > > > > >
> > > > > > > Crash seems to be at:
> > > > > > >
> > > > > > > 342 static void a2dp_resume_complete(struct avdtp *session, int err,
> > > > > > > 343 void *user_data)
> > > > > > > 344 {
> > > > > > > 345 struct media_owner *owner = user_data;
> > > > > > > 346 struct media_request *req = owner->pending;
> > > > > > > 347 struct media_transport *transport = owner->transport;
> > > > > > > 348 struct a2dp_sep *sep = media_endpoint_get_sep(transport->endpoint);
> > > > > > >
> > > > > > > > A good start (but does NOT fix the problem) might be:
> > > > > > >
> > > > > > > --- bluez-9999/profiles/audio/transport.c.org 2023-06-13 18:38:14.542137531 +0200
> > > > > > > +++ bluez-9999/profiles/audio/transport.c 2023-06-13 18:48:32.542527882 +0200
> > > > > > > @@ -345,7 +345,7 @@
> > > > > > > struct media_owner *owner = user_data;
> > > > > > > struct media_request *req = owner->pending;
> > > > > > > struct media_transport *transport = owner->transport;
> > > > > > > - struct a2dp_sep *sep = media_endpoint_get_sep(transport->endpoint);
> > > > > > > + struct a2dp_sep *sep;
> > > > > > > struct avdtp_stream *stream;
> > > > > > > int fd;
> > > > > > > uint16_t imtu, omtu;
> > > > > > > @@ -355,7 +355,10 @@
> > > > > > >
> > > > > > > if (err)
> > > > > > > goto fail;
> > > > > > > + if (!transport)
> > > > > > > + goto fail;
> > > > > > >
> > > > > > > + sep = media_endpoint_get_sep(transport->endpoint);
> > > > > > > stream = a2dp_sep_get_stream(sep);
> > > > > > > if (stream == NULL)
> > > > > > > goto fail;
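Review bot: the new `if (!transport) goto fail;` sits below line 354, where `req->id = 0;` (the faulting line in the backtrace later in this thread) already dereferences `req`; since `req` is `owner->pending` and the dump shows both `pending` and `transport` as 0x0 in the same owner, the guard comes too late and tests the wrong pointer first. It would need to precede the `req->id` write and cover both pointers, and even then it only papers over an owner whose request was already cleared while its callback still fires, which matches the sender's own remark that this does not fix the problem.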
> > > > > > >
> > > > > > > > bluez-5.66 works fine though.
> > > > > > >
> > > > > > > Headset: WH-1000XM3
> > > > > > >
> > > > > > > Jocke
> > > > > >
> > > > > > Weird, I don't think much has changed for A2DP, but perhaps there are
> > > > > > some BAP-related changes affecting A2DP for some reason. Any chance to
> > > > > > bisect the patch that introduces this problem? Or is it not always
> > > > > > reproducible?
> > > > >
> > > > > It is reproducible, but on a remote laptop used for daily work, so it would disturb quite a lot.
> > > > > Can I turn off BAP somehow to see if it is interfering?
> > > > >
> > > > > Any chance it is related to https://github.com/bluez/bluez/issues/533?
> > > >
> > > > Right, yeah, that is possible since it appears to be some unbalanced
> > > > reference count issue; that said, that was a very old version, not sure
> > > > if we haven't fixed that.
> > >
> > > It is not fixed in the unref code discussed in that issue on master.
> > >
> > > Jocke
> >
> > Managed to get a bt:
> > Core was generated by `/usr/libexec/bluetooth/bluetoothd'.
> > Program terminated with signal SIGSEGV, Segmentation fault.
> > #0 a2dp_resume_complete (session=0x55e437429c40, err=0, user_data=0x55e437456c90) at profiles/audio/transport.c:354
> >
> > warning: Source file is more recent than executable.
> > 354 req->id = 0;
> > (gdb) bt full
> > #0 a2dp_resume_complete (session=0x55e437429c40, err=0, user_data=0x55e437456c90) at profiles/audio/transport.c:354
> > owner = 0x55e437456c90
> > req = 0x0
> > transport = 0x0
> > sep = <optimized out>
> > stream = <optimized out>
> > fd = 0
> > imtu = 0
> > omtu = 0
> > ret = <optimized out>
> > #1 0x000055e4367f30a2 in finalize_resume (data=0x55e43745fc90) at profiles/audio/a2dp.c:352
> > cb = 0x55e437472f10
> > s = 0x55e43745fc90
> > l = 0x0
> > #2 0x000055e4367fcfaf in avdtp_start_resp (resp=0x55e437429cb3, size=0, stream=0x55e437455690, session=0x55e437429c40) at profiles/audio/avdtp.c:2868
> > sep = 0x55e437411660
> > #3 avdtp_parse_resp (transaction=<optimized out>, size=0, buf=0x55e437429cb3, signal_id=<optimized out>, stream=0x55e437455690,
> > session=0x55e437429c40) at profiles/audio/avdtp.c:2988
> > next = 0x0
> > get_all = 0x55e4368c19a8 ""
> > next = <optimized out>
> > get_all = <optimized out>
> > __func__ = "avdtp_parse_resp"
> > __btd_debug_desc = {file = 0x55e4368b3f97 "profiles/audio/avdtp.c", flags = 0}
> > __btd_debug_desc = {file = 0x55e4368b3f97 "profiles/audio/avdtp.c", flags = 0}
> > __btd_debug_desc = {file = 0x55e4368b3f97 "profiles/audio/avdtp.c", flags = 0}
> > __btd_debug_desc = {file = 0x55e4368b3f97 "profiles/audio/avdtp.c", flags = 0}
> > __btd_debug_desc = {file = 0x55e4368b3f97 "profiles/audio/avdtp.c", flags = 0}
> > __btd_debug_desc = {file = 0x55e4368b3f97 "profiles/audio/avdtp.c", flags = 0}
> > __btd_debug_desc = {file = 0x55e4368b3f97 "profiles/audio/avdtp.c", flags = 0}
> > __btd_debug_desc = {file = 0x55e4368b3f97 "profiles/audio/avdtp.c", flags = 0}
> > __btd_debug_desc = {file = 0x55e4368b3f97 "profiles/audio/avdtp.c", flags = 0}
> > __btd_debug_desc = {file = 0x55e4368b3f97 "profiles/audio/avdtp.c", flags = 0}
> > __btd_debug_desc = {file = 0x55e4368b3f97 "profiles/audio/avdtp.c", flags = 0}
> > #4 session_cb (chan=<optimized out>, cond=<optimized out>, data=0x55e437429c40) at profiles/audio/avdtp.c:2286
> > session = 0x55e437429c40
> > header = <optimized out>
> > --Type <RET> for more, q to quit, c to continue without paging--
> > size = <optimized out>
> > fd = <optimized out>
> > __func__ = "session_cb"
> > #5 0x00007fb64c271acf in g_main_dispatch (context=0x55e43740c870) at /var/tmp/portage/dev-libs/glib-2.76.2/glib-2.76.2/glib/gmain.c:3460
> > dispatch = 0x7fb64c2ca330 <g_io_unix_dispatch>
> > prev_source = 0x0
> > begin_time_nsec = 0
> > was_in_call = 0
> > user_data = 0x55e437429c40
> > callback = 0x55e4367fae60 <session_cb>
> > cb_funcs = <optimized out>
> > cb_data = 0x55e437448570
> > need_destroy = <optimized out>
> > source = 0x55e437456e50
> > current = 0x55e437416a00
> > i = 0
> > current = <optimized out>
> > i = <optimized out>
> > __func__ = "g_main_dispatch"
> > source = <optimized out>
> > _g_boolean_var_163 = <optimized out>
> > was_in_call = <optimized out>
> > user_data = <optimized out>
> > callback = <optimized out>
> > cb_funcs = <optimized out>
> > cb_data = <optimized out>
> > need_destroy = <optimized out>
> > dispatch = <optimized out>
> > prev_source = <optimized out>
> > begin_time_nsec = <optimized out>
> > _g_boolean_var_164 = <optimized out>
> > #6 g_main_context_dispatch (context=context@entry=0x55e43740c870) at /var/tmp/portage/dev-libs/glib-2.76.2/glib-2.76.2/glib/gmain.c:4200
> > No locals.
> > #7 0x00007fb64c271ea8 in g_main_context_iterate (context=0x55e43740c870, block=block@entry=1, dispatch=dispatch@entry=1, self=<optimized out>)
> > at /var/tmp/portage/dev-libs/glib-2.76.2/glib-2.76.2/glib/gmain.c:4276
> > max_priority = 2147483647
> > timeout = 5952
> > --Type <RET> for more, q to quit, c to continue without paging--
> > some_ready = 1
> > nfds = <optimized out>
> > allocated_nfds = 35
> > fds = 0x55e437439090
> > begin_time_nsec = 0
> > #8 0x00007fb64c27215f in g_main_loop_run (loop=0x55e43740c9e0) at /var/tmp/portage/dev-libs/glib-2.76.2/glib-2.76.2/glib/gmain.c:4479
> > self = <optimized out>
> > __func__ = "g_main_loop_run"
> > #9 0x000055e4368afb55 in mainloop_run () at src/shared/mainloop-glib.c:66
> > No locals.
> > #10 0x000055e4368affac in mainloop_run_with_signal (func=func@entry=0x55e43682f6a0 <signal_callback>, user_data=user_data@entry=0x0)
> > at src/shared/mainloop-notify.c:188
> > data = 0x55e437416820
> > io = 0x55e437416840
> > ret = <optimized out>
> > #11 0x000055e4367ec4ff in main (argc=<optimized out>, argv=<optimized out>) at src/main.c:1450
> > context = <optimized out>
> > err = 0x0
> > sdp_mtu = 0
> > sdp_flags = <optimized out>
> > gdbus_flags = <optimized out>
> > __func__ = "main"
> >
> > So req is NULL and:
> > print *owner
> > $2 = {transport = 0x0, pending = 0x0, name = 0x55e437473f70 ":1.41", watch = 0}
> >
> > print *session
> > $3 = {ref = 3, version = 259, lseps = 0x55e437425990, device = 0x55e4374313d0, state = AVDTP_SESSION_STATE_CONNECTED, io = 0x55e437458370,
> > io_id = 380, seps = 0x55e4374559e0 = {0x55e437455a40, 0x55e43742bb80, 0x55e43742c1f0, 0x55e43745dad0, 0x55e43745e060}, streams = 0x55e43745db70 = {
> > 0x55e437455690}, req_queue = 0x0, prio_queue = 0x0, pending_open = 0x0, pending_open_io = 0x0, phy = 511, imtu = 672, omtu = 895, in = {
> > active = 0, no_of_packets = 1, transaction = 3 '\003', message_type = 2 '\002', signal_id = 7 '\a',
> > buf = "\004\005\334\b\030\b\f\b\b\b", '\000' <repeats 1013 times>, data_size = 0 '\000'},
> > buf = 0x55e43742a0f0 "2\a\024", <incomplete sequence \334>, discover = 0x0, req = 0x55e437455b70, dc_timer = 0, dc_timeout = 1, stream_setup = 0}
> >
>
> I forgot, I have these local patches too:
> --- bluez-9999/profiles/audio/a2dp.c.org 2023-06-14 16:20:45.777263502 +0200
> +++ bluez-9999/profiles/audio/a2dp.c 2023-06-14 16:21:52.650843681 +0200
> @@ -231,10 +231,8 @@
>
> DBG("%p: ref=%d", setup, setup->ref);
>
> - if (setup->ref > 0)
> - return;
> -
> - setup_free(setup);
> + if (setup->ref == 0)
> + setup_free(setup);
> }
>
> static struct a2dp_setup_cb *setup_cb_new(struct a2dp_setup *setup)
> --- bluez-9999/profiles/audio/avdtp.c.org 2023-06-14 16:22:15.353699371 +0200
> +++ bluez-9999/profiles/audio/avdtp.c 2023-06-14 16:24:05.250988808 +0200
> @@ -1220,7 +1220,7 @@
>
> DBG("%p: ref=%d", session, session->ref);
>
> - if (session->ref > 0)
> + if (session->ref != 0)
> return;
>
> switch (session->state) {
> --- bluez-9999/profiles/audio/transport.c.org 2023-06-13 18:38:14.542137531 +0200
> +++ bluez-9999/profiles/audio/transport.c 2023-06-13 18:39:22.110965184 +0200
> @@ -345,7 +345,7 @@
> struct media_owner *owner = user_data;
> struct media_request *req = owner->pending;
> struct media_transport *transport = owner->transport;
> - struct a2dp_sep *sep = media_endpoint_get_sep(transport->endpoint);
> + struct a2dp_sep *sep;
> struct avdtp_stream *stream;
> int fd;
> uint16_t imtu, omtu;
> @@ -356,6 +356,7 @@
> if (err)
> goto fail;
>
> + sep = media_endpoint_get_sep(transport->endpoint);
> stream = a2dp_sep_get_stream(sep);
> if (stream == NULL)
> goto fail;
>