Received: by 2002:a25:8b91:0:0:0:0:0 with SMTP id j17csp14003842ybl; Mon, 30 Dec 2019 02:08:53 -0800 (PST) X-Google-Smtp-Source: APXvYqxL5bacIj2Qe3OCV6jxm8yM1+zzz6I3mM8z+cHUo6wtuor6F0mzzNDFDj0PByPp0dZlOlKX X-Received: by 2002:a05:6830:1047:: with SMTP id b7mr75927216otp.77.1577700533558; Mon, 30 Dec 2019 02:08:53 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1577700533; cv=none; d=google.com; s=arc-20160816; b=mtgG5hVTv6G+LjA1Txx18zuVt9UDrog090DB/+V3PW6nqF623G9q6zuIzo5SsOSjSs P4cdrjxbQtNB4RIKSLip014TaB2Wt+Bgqvq+lKGFJOlj9fLKSp9Y+6OZ1UbKT3I+y4y0 cICp5Wk3+j3NON9RjS2Fh4Y7lkTC+MrbeRlx/AskD5otmN7XypLE/kgxwfaMnGVPFnhg LwJmQGwyQT2eG8jyU6gkLz0QWubeM+EyLwcKLW4qOz2Nb+w8zsSUjaLw+gy4STLBIG+R Igos1EG12p6J65e76V+huRLFSiUaOPZ/ibkX8wv+PLu7+4jFIjCLMoaOcfVkff0v/yiS iSyg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:cc:to:from:subject:mime-version :message-id:date:dkim-signature; bh=GCjUQL10HH5KY5jXChxh/arhMxvfV3S1Jdo8mtlE0LA=; b=t4Zks1lWEhMDqBnYU4frs0TFdurY1JlLNXF6QD0M5bEMm/qe2IARGXySRPXULybmtv kuwP8YKx42Qgk6R4qSUKKuD9//gZLWZQWHIb0Z91kwtglt0jPKJWa5mMgfZowNHH63LW vIopfgSo7JkisqFZQ0aiVxVK+rif6ePUs+wuMYt1jyIVSw6Aa8mE5HBn3fgF/EL+IqFF xFkjmQ6Cs7qe8a3rD8fdPtKV+xu5sbin3CowDcOF3xEuPitJ2qDVDJx8aJ1HwwVQZ6R/ Zq0XOX2sEC/DEnKBk+pv6NOX9xcI9Qyp6JRInzFIA0vrbfNafia3KJ2E0PUK8tYK+Zmx h3lA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@google.com header.s=20161025 header.b=Wb36d7yc; spf=pass (google.com: best guess record for domain of linux-bluetooth-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-bluetooth-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id l2si19215347oti.303.2019.12.30.02.08.26; Mon, 30 Dec 2019 02:08:53 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-bluetooth-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@google.com header.s=20161025 header.b=Wb36d7yc; spf=pass (google.com: best guess record for domain of linux-bluetooth-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-bluetooth-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727322AbfL3KEG (ORCPT + 99 others); Mon, 30 Dec 2019 05:04:06 -0500 Received: from mail-pg1-f201.google.com ([209.85.215.201]:46941 "EHLO mail-pg1-f201.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1727320AbfL3KEG (ORCPT ); Mon, 30 Dec 2019 05:04:06 -0500 Received: by mail-pg1-f201.google.com with SMTP id t12so21951589pgs.13 for ; Mon, 30 Dec 2019 02:04:05 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=date:message-id:mime-version:subject:from:to:cc; bh=GCjUQL10HH5KY5jXChxh/arhMxvfV3S1Jdo8mtlE0LA=; b=Wb36d7yc1E0myIfmm2AUKiQlHNo4uleQwMxAr0LBJMIpGFpZ8rMFmnWoRd3GcoEy7B INIHU74xEOlRqjA10IM3nG6wXbRe9pI1pO4X13sYXcn6aeFn6yuLqDJjWrq35VNhaupm nZaIX/KYsMxV2TjiQnnEpEuf2KNYhf+JwSU0wSOw/ELZGOqyYhNHBxthoreHV96kmqGJ L9jSdH65+F5Eq5N6o93fOj9fwHtnHS49hZ/+AefKZoTejj5l1ForSSN0qadSMIfzE7LV univyAwy7XQyOVQY+3+4iD3Uk1iRCTKxGBD0qZrJ3OXjp3k4voNc2x3irLkWh/kB0Faw NA1g== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:date:message-id:mime-version:subject:from:to:cc; bh=GCjUQL10HH5KY5jXChxh/arhMxvfV3S1Jdo8mtlE0LA=; b=CX8lXKShusjwzP2qs4Nq6dQizWmJtN7vboHjX0b2OTalyTcQuKTy/zCFQe1RIceSzL ul/qQGgu9MF1kK9uo1Ce+NExvD6TwQ7CAglaaARL4FzOfM9Jv2XfJVXTepJ1ep0eFrdN Pe+Fx+eLSPIvQCZRixgYPNYip2RbpoXwSDFQoBFGKuCk92x4V8exsOP60dM36FLAERKd MSPn2qfCbCxA+vJXhl8MwPZDn4RsfzV1pl04FqOAUB2aZI/LKGq8s5QK5CWEV7nxfapf /YAzqjz52nWU1TZEuAMcF5zKzoJCGj5V2sMuW4cvzENRBnhVRMGpBhCQ4/lsvUt8ihCJ QQZw== X-Gm-Message-State: APjAAAXOMYvkcCe1N2AoGtAIkrNu0moaKMQPlehwJPwUCbs6ma8QXc7Q i+tFwKOIoUO1fcXG0YfeQcshmQg/1g6WkWxy9uoNWGbVFMPameb43av5MXJU78/CVcy+YC3ATYb PTXaDevuohPp7RQQRUjH1YCPQUw0++9c56nqPUoRV982FUZP9Bh+RcOLPJ2nufgHo6crjV+vJCa XBWR2SATEaxEM= X-Received: by 2002:a63:4e06:: with SMTP id c6mr18104623pgb.187.1577700244579; Mon, 30 Dec 2019 02:04:04 -0800 (PST) Date: Mon, 30 Dec 2019 18:03:58 +0800 Message-Id: <20191230180355.Bluez.v2.1.Ie74d7bb468a914ba7386aae02fc63cd4f529b0ef@changeid> Mime-Version: 1.0 X-Mailer: git-send-email 2.24.1.735.g03f4e72817-goog Subject: [Bluez PATCH v2] CHROMIUM: audio: fix crash during recovering process From: "howardchung@google.com" To: linux-bluetooth@vger.kernel.org, luiz.von.dentz@intel.com Cc: chromeos-bluetooth-upstreaming@chromium.org, howardchung Content-Type: text/plain; charset="UTF-8" Sender: linux-bluetooth-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-bluetooth@vger.kernel.org From: howardchung The crash with stack trace: (libc-2.27.so -raise.c:51 ) raise (libc-2.27.so -abort.c:79 ) abort (libc-2.27.so -libc_fatal.c:181 ) __libc_message (libc-2.27.so -malloc.c:5350 ) malloc_printerr (libc-2.27.so -malloc.c:4157 ) _int_free (libglib-2.0.so.0.5200.3 -gslist.c:878 ) g_slist_free_full (bluetoothd -a2dp.c:165 ) setup_unref (bluetoothd -a2dp.c:2184 ) a2dp_cancel (bluetoothd -sink.c:317 ) sink_unregister (bluetoothd -service.c:176 ) service_remove (bluetoothd -device.c:4678 ) device_remove (bluetoothd -adapter.c:6573 ) adapter_remove (bluetoothd -adapter.c:8832 ) index_removed (bluetoothd -queue.c:220 ) queue_foreach (bluetoothd -mgmt.c:304 ) can_read_data (bluetoothd -io-glib.c:170 ) watch_callback (libglib-2.0.so.0.5200.3 -gmain.c:3234 ) g_main_context_dispatch (libglib-2.0.so.0.5200.3 -gmain.c:3972 ) g_main_context_iterate (libglib-2.0.so.0.5200.3 -gmain.c:4168 ) g_main_loop_run (bluetoothd -main.c:798 ) main (libc-2.27.so -libc-start.c:308 ) __libc_start_main (bluetoothd + 0x0000b089 ) _start (bluetoothd + 0x0000b05f ) _init triggered when 'usb disconnect' happened during AVDTP_SET_CONFIGURATION request is sent but haven't received the response. In this situation, the recovering process goes into sink.c:sink_free and then a2dp.c:a2dp_cancel, avdtp.c:cancel_request, avdtp.c:connection_lost, avdtp.c:release_stream. During recovering, the reference count of setup and avdtp decrease more than it increase, which ends up causing the crash. The reference count of setup decreases one more time since a2dp.c:setconf_cfm(called by cfm->set_configuration in avdtp.c:cancel_request) was called in the 'error mode', which didn't reference the setup, but in a2dp.c:abort_cfm(called by cfm->abort in avdtp.c:release_stream), the reference count decreased by 1. In this case, abort_cfm shouldn't be called as we already know setconf_cfm didn't send any request. Setting avdtp_sep_state to AVDTP_STATE_ABORTING should avoid this issue. The reference count of avdtp decrease one more time since both sink.c:sink_free and sink.c:sink_set_state(called from avdtp.c:connection_lost -> avdtp.c:avdtp_set_state) unreference avdtp for the session. The changes in sink.c should avoid the issue. Signed-off-by: howardchung@google.com --- How to test: The crash can be simulated by the following procedure. 1. injecting sleep(10) right before calling a2dp_config in sink.c:select_complete. 2. connect with a bluetooth headset 3. run 'rmmod btusb' after ~5 seconds(before the connection complete) The procedure can reproduce the crash with ~50% probability. Even if the bluetoothd didn't crash or it crashed with different signature, the reference count can end up with some invalid number. After the patch applies, there is no crash after running the test above 10 times in a row. Changes in v2: - Fixed typo in commit message profiles/audio/avdtp.c | 3 +++ profiles/audio/sink.c | 4 +++- 2 files changed, 6 insertions(+), 1 deletion(-) diff --git a/profiles/audio/avdtp.c b/profiles/audio/avdtp.c index 51ead684a..620a76c90 100644 --- a/profiles/audio/avdtp.c +++ b/profiles/audio/avdtp.c @@ -3484,6 +3484,7 @@ int avdtp_abort(struct avdtp *session, struct avdtp_stream *stream) { struct seid_req req; int ret; + struct avdtp_local_sep *sep = stream->lsep; if (!stream && session->discover) { /* Don't call cb since it being aborted */ @@ -3498,6 +3499,8 @@ int avdtp_abort(struct avdtp *session, struct avdtp_stream *stream) if (stream->lsep->state == AVDTP_STATE_ABORTING) return -EINVAL; + avdtp_sep_set_state(session, sep, AVDTP_STATE_ABORTING); + if (session->req && stream == session->req->stream) return cancel_request(session, ECANCELED); diff --git a/profiles/audio/sink.c b/profiles/audio/sink.c index 7cac21034..726e2f562 100644 --- a/profiles/audio/sink.c +++ b/profiles/audio/sink.c @@ -309,8 +309,10 @@ static void sink_free(struct btd_service *service) avdtp_stream_remove_cb(sink->session, sink->stream, sink->cb_id); - if (sink->session) + if (sink->session) { avdtp_unref(sink->session); + sink->session = NULL; + } if (sink->connect_id > 0) { btd_service_connecting_complete(sink->service, -ECANCELED); -- 2.24.1.735.g03f4e72817-goog