Received: by 2002:a25:8b91:0:0:0:0:0 with SMTP id j17csp1300286ybl;
        Fri, 10 Jan 2020 15:54:40 -0800 (PST)
X-Google-Smtp-Source: APXvYqyoeaNsNwFHRzb4kQ8vxGg0/CWEfJ+hczhdccE5huhiQvT0ikTWbPEAKwkDpS7KuRNboDg/
X-Received: by 2002:a05:6830:1042:: with SMTP id b2mr4738795otp.306.1578700480456;
        Fri, 10 Jan 2020 15:54:40 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1578700480; cv=none;
        d=google.com; s=arc-20160816;
        b=oEeZ8TIzIm0CjpvAlYC7MU3J0fJ70u2j9D8SX9L+bibE2qbNJu1UUqjxJwVzYcm7t7
         YFVAH/Tdeq28YwpOSocBqqQcvmcJxUI7PNuz1YeZn1UPyx7g9bKUGK1hCeHpzqoO1j/L
         2XAYC5zmNUjVAD6N3+OQlkzw58v3/RM71xktNUIFSgUzT6vP4Qo6HzaLAbcrbmBiqdR1
         tbobOGMxVJ8QBaqRciv5qSVE24qDZtaMc3YiDGuGManE2xishn7ARBU8dO9BJbVvKhDg
         A9BPVQO0+COHD8ti5PbYBa8dYdDWaxXdgw7tOn9qLt5z2dI/bWKgemNqX2GDnlmbk6N+
         Q61w==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:content-transfer-encoding:cc:to:subject
         :message-id:date:from:in-reply-to:references:mime-version
         :dkim-signature;
        bh=+/1WEz/eIINIO9NV6nKyzMWSxBJSaO1uT7HM5hfnKEI=;
        b=XcGmojHIWb6UJdFS+SopjAnLuAjgf2iy8C3O/X+VwEOoucLgYRleotGN6z5OOECzAA
         0HzJ1NN642qZQu4a4/byqahmIDesW64V7IplDjjif2WyNVUiTIp23ON9EIZxEFBmjUT5
         YZCwvrITzpd9kew5K9731UmUxrCdHzSmUVhSpOe2TPY98r1vB/pbUwHBQ8CrQ3BMQPyo
         Sh6aWwbPkZ3PJWgG9vHZK7Itn6I3/yYFcyrL4h6J2toMg0voX6b5PLTL7kjA8jjJZPFL
         vxGWi0cLHY+8MvQv+CWBOdxfQkpZdLmtMiVdQLXvxKAjRXi2rt3M0WsANoKGQDvC/+i7
         c0LA==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@gmail.com header.s=20161025 header.b=VVEYHDgL;
       spf=pass (google.com: best guess record for domain of linux-bluetooth-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-bluetooth-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com
Return-Path: <linux-bluetooth-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id d188si1920286oib.273.2020.01.10.15.54.27;
        Fri, 10 Jan 2020 15:54:40 -0800 (PST)
Received-SPF: pass (google.com: best guess record for domain of linux-bluetooth-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@gmail.com header.s=20161025 header.b=VVEYHDgL;
       spf=pass (google.com: best guess record for domain of linux-bluetooth-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-bluetooth-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1727725AbgAJXy0 (ORCPT <rfc822;ruprecht.th@gmail.com>
        + 99 others); Fri, 10 Jan 2020 18:54:26 -0500
Received: from mail-ot1-f67.google.com ([209.85.210.67]:40009 "EHLO
        mail-ot1-f67.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1727706AbgAJXyZ (ORCPT
        <rfc822;linux-bluetooth@vger.kernel.org>);
        Fri, 10 Jan 2020 18:54:25 -0500
Received: by mail-ot1-f67.google.com with SMTP id w21so3647883otj.7
        for <linux-bluetooth@vger.kernel.org>; Fri, 10 Jan 2020 15:54:25 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20161025;
        h=mime-version:references:in-reply-to:from:date:message-id:subject:to
         :cc:content-transfer-encoding;
        bh=+/1WEz/eIINIO9NV6nKyzMWSxBJSaO1uT7HM5hfnKEI=;
        b=VVEYHDgLz7hHO2TwD9nY8D6kBXRj/hzHt2/7TNfV6AXnHT5q6ni6kFDPaTWhDezH1A
         V+FadpjMXYoaeYcg5azZEHqQQBIFKGqbnH1aRG7nmRJO9QREiyz1FQ08H7XnKyRrzd7M
         vFbForTQa90VJiGo5cOm6vU8oJGWJugdViNPGhAqSYL4nzhNZXtz7ZU1TM852htSDVkc
         reAxhqBrph6IVq0WTOxWw1hNfi3PgK8v13pHGaiyTr5IPGgzwzCgdj0HmpPIMELHVPYg
         7OkmprGNdtp0Kv2CDSvJcRG3QmurSVOL/C6D8wXrCBpfLKmD73MduYyLR2l7Zs02PFM2
         iMYA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:mime-version:references:in-reply-to:from:date
         :message-id:subject:to:cc:content-transfer-encoding;
        bh=+/1WEz/eIINIO9NV6nKyzMWSxBJSaO1uT7HM5hfnKEI=;
        b=eDJhGjJMrqK7ANY0hOHEJRYxaDNK9Rq9FuXtM3Ah/mlna9r96JLqp0cyB6iIrlFIxs
         Lod0zzxTiTANsIqoPAmOzyKR+6xEsQGRBGFSaMo3VnBk0o0mR/17QJiHAH9qX+LFCNEj
         NzS/Iw6u/nYVyzc1d9TDl7slFcNJ4pbEXWVE/laYT7Gs7HS+L2p/YsBrT8Irz7G+Vzz2
         QQ9YIA2JNFROUCwmLfALpaO0G6/jiri0rLFwHcUYUAVqfvGR3zD6cCQnPWfBUyZ8db+u
         LHZs6JPXui2LftGaahYOPPb/kJAmEDjyJ205PeWdztrcp8y4KoOYj9dsSVh/EM1CZlv5
         gXQw==
X-Gm-Message-State: APjAAAUwXII8WDRNZd0csjCe4YswPOyFgTrFaY6H7I6Q91MP9tx5dOLy
        fDosVjUJ3ehoWT8byC4xDeIgyCFiUuxItVGhQS3wAXY3
X-Received: by 2002:a9d:6d10:: with SMTP id o16mr4995397otp.28.1578700464840;
 Fri, 10 Jan 2020 15:54:24 -0800 (PST)
MIME-Version: 1.0
References: <20200110155716.Bluez.v3.1.Ie74d7bb468a914ba7386aae02fc63cd4f529b0ef@changeid>
 <CAPHZWUd0LQrVrWa5jCG2skA8KOORxpBMRBKtYU+n23kVtx27JA@mail.gmail.com> <CAPHZWUdpxVMvth-cobmWriLsJ9=nVrUVtqr-jtMw3kQqZ36syw@mail.gmail.com>
In-Reply-To: <CAPHZWUdpxVMvth-cobmWriLsJ9=nVrUVtqr-jtMw3kQqZ36syw@mail.gmail.com>
From:   Luiz Augusto von Dentz <luiz.dentz@gmail.com>
Date:   Fri, 10 Jan 2020 15:54:12 -0800
Message-ID: <CABBYNZ+d0R7Q_-a1npxFr7b8SAhwpgG-+p=cSnhG8p1fQqbBXA@mail.gmail.com>
Subject: Re: [Bluez PATCH v3] audio/a2dp - fix crash during recovering process
To:     Yun-hao Chung <howardchung@google.com>
Cc:     "linux-bluetooth@vger.kernel.org" <linux-bluetooth@vger.kernel.org>,
        Luiz Augusto Von Dentz <luiz.von.dentz@intel.com>,
        chromeos-bluetooth-upstreaming@chromium.org
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Sender: linux-bluetooth-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-bluetooth.vger.kernel.org>
X-Mailing-List: linux-bluetooth@vger.kernel.org

Hi,

On Fri, Jan 10, 2020 at 12:13 AM Yun-hao Chung <howardchung@google.com> wro=
te:
>
> Hi Luiz,
>
> Thanks for the comment.
> I did the qualification test with and without the patch on both Chrome
> OS and Linux with bluez-5.52.
> The results are all the same.
> The tests I=E2=80=99ve run are as follows.
>
> A2DP/SRC/AS/BV-01-I
> A2DP/SRC/CC/BV-09-I
> A2DP/SRC/CC/BV-10-I
> A2DP/SRC/REL/BV-01-I
> A2DP/SRC/REL/BV-02-I
> A2DP/SRC/SET/BV-01-I
> A2DP/SRC/SET/BV-02-I
> A2DP/SRC/SET/BV-03-I
> A2DP/SRC/SET/BV-04-I
> A2DP/SRC/SET/BV-05-I
> A2DP/SRC/SET/BV-06-I
> IOPT/CL/A2DP-SRC/SFC/BV-01-I
> AVDTP/SRC/ACP/SIG/SMG/BV-06-C
> AVDTP/SRC/ACP/SIG/SMG/BV-08-C
> AVDTP/SRC/ACP/SIG/SMG/BV-10-C
> AVDTP/SRC/ACP/SIG/SMG/BV-16-C
> AVDTP/SRC/ACP/SIG/SMG/BV-18-C
> AVDTP/SRC/ACP/SIG/SMG/BV-20-C
> AVDTP/SRC/ACP/SIG/SMG/BV-24-C
> AVDTP/SRC/ACP/SIG/SMG/BI-05-C
> AVDTP/SRC/ACP/SIG/SMG/BI-08-C
> AVDTP/SRC/ACP/SIG/SMG/BI-17-C
> AVDTP/SRC/ACP/SIG/SMG/BI-20-C
> AVDTP/SRC/ACP/SIG/SMG/BI-23-C
> AVDTP/SRC/ACP/SIG/SMG/BI-28-C*
> AVDTP/SRC/ACP/TRA/BTR/BI-01-C
> AVDTP/SRC/INT/SIG/SMG/BV-05-C
> AVDTP/SRC/INT/SIG/SMG/BV-07-C
> AVDTP/SRC/INT/SIG/SMG/BV-09-C
> AVDTP/SRC/INT/SIG/SMG/BV-15-C
> AVDTP/SRC/INT/SIG/SMG/BV-17-C
> AVDTP/SRC/INT/SIG/SMG/BV-19-C
> AVDTP/SRC/INT/SIG/SMG/BV-23-C
> AVDTP/SRC/INT/SIG/SMG/BV-31-C
> AVDTP/SRC/INT/SIG/SMG/BI-30-C
> AVDTP/SRC/INT/TRA/BTR/BV-01-C
>
> Except for AVDTP/SRC/ACP/SIG/SMG/BI-28-C, the other tests had been passed=
.
> Please let me know if I need more verification.
>
> Thanks,
> Howard
>
> On Fri, Jan 10, 2020 at 4:09 PM Yun-hao Chung <howardchung@google.com> wr=
ote:
> >
> > ---------- Forwarded message ---------
> > From: howardchung@google.com <howardchung@google.com>
> > Date: Fri, Jan 10, 2020 at 3:57 PM
> > Subject: [Bluez PATCH v3] audio/a2dp - fix crash during recovering proc=
ess
> > To: <linux-bluetooth@vger.kernel.org>, <luiz.von.dentz@intel.com>
> > Cc: <chromeos-bluetooth-upstreaming@chromium.org>, howardchung
> > <howardchung@google.com>
> >
> >
> > From: howardchung <howardchung@google.com>
> >
> > The crash with stack trace:
> >
> > (libc-2.27.so -raise.c:51 )                     raise
> > (libc-2.27.so -abort.c:79 )                     abort
> > (libc-2.27.so -libc_fatal.c:181 )               __libc_message
> > (libc-2.27.so -malloc.c:5350 )                  malloc_printerr
> > (libc-2.27.so -malloc.c:4157 )                  _int_free
> > (libglib-2.0.so.0.5200.3 -gslist.c:878 )        g_slist_free_full
> > (bluetoothd -a2dp.c:165 )                       setup_unref
> > (bluetoothd -a2dp.c:2184 )                      a2dp_cancel
> > (bluetoothd -sink.c:317 )                       sink_unregister
> > (bluetoothd -service.c:176 )                    service_remove
> > (bluetoothd -device.c:4678 )                    device_remove
> > (bluetoothd -adapter.c:6573 )                   adapter_remove
> > (bluetoothd -adapter.c:8832 )                   index_removed
> > (bluetoothd -queue.c:220 )                      queue_foreach
> > (bluetoothd -mgmt.c:304 )                       can_read_data
> > (bluetoothd -io-glib.c:170 )                    watch_callback
> > (libglib-2.0.so.0.5200.3 -gmain.c:3234 )        g_main_context_dispatch
> > (libglib-2.0.so.0.5200.3 -gmain.c:3972 )        g_main_context_iterate
> > (libglib-2.0.so.0.5200.3 -gmain.c:4168 )        g_main_loop_run
> > (bluetoothd -main.c:798 )                       main
> > (libc-2.27.so -libc-start.c:308 )               __libc_start_main
> > (bluetoothd + 0x0000b089 )                      _start
> > (bluetoothd + 0x0000b05f )                      _init
> >
> > triggered when 'usb disconnect' happened during AVDTP_SET_CONFIGURATION
> > request is sent but haven't received the response.
> > In this situation, the recovering process goes into sink.c:sink_free an=
d
> > then a2dp.c:a2dp_cancel, avdtp.c:cancel_request, avdtp.c:connection_los=
t,
> > avdtp.c:release_stream.
> >
> > During recovering, the reference count of setup and avdtp decrease more
> > than it increase, which ends up causing the crash.
> >
> > The reference count of setup decreases one more time since
> > a2dp.c:setconf_cfm(called by cfm->set_configuration in
> > avdtp.c:cancel_request) was called in the 'error mode', which didn't
> > reference the setup, but in a2dp.c:abort_cfm(called by cfm->abort in
> > avdtp.c:release_stream), the reference count decreased by 1.
> >
> > In this case, abort_cfm shouldn't be called as we already know
> > setconf_cfm didn't send any request. Setting avdtp_sep_state to
> > AVDTP_STATE_ABORTING should avoid this issue.
> >
> > The reference count of avdtp decrease one more time since
> > both sink.c:sink_free and sink.c:sink_set_state(called from
> > avdtp.c:connection_lost -> avdtp.c:avdtp_set_state) unreference avdtp
> > for the session. The changes in sink.c should avoid the issue.
> >
> > ---
> > How to test:
> >         The crash can be simulated by the following procedure.
> >         1. injecting sleep(10) right before calling a2dp_config in
> >            sink.c:select_complete.
> >         2. connect with a bluetooth headset
> >         3. run 'rmmod btusb' after ~5 seconds(before the connection
> >            complete)
> > The procedure can reproduce the crash with ~50% probability.
> > Even if the bluetoothd didn't crash or it crashed with different
> > signature, the reference count can end up with some invalid number.
> >
> > After the patch applies, there is no crash after running the test above=
 10
> > times in a row.
> >
> > Changes in v3:
> > - Update the title
> > - Remove the signed-off-by section
> >
> > Changes in v2:
> > - Fixed typo in commit message
> >
> >  profiles/audio/avdtp.c | 3 +++
> >  profiles/audio/sink.c  | 4 +++-
> >  2 files changed, 6 insertions(+), 1 deletion(-)
> >
> > diff --git a/profiles/audio/avdtp.c b/profiles/audio/avdtp.c
> > index 51ead684a..620a76c90 100644
> > --- a/profiles/audio/avdtp.c
> > +++ b/profiles/audio/avdtp.c
> > @@ -3484,6 +3484,7 @@ int avdtp_abort(struct avdtp *session, struct
> > avdtp_stream *stream)
> >  {
> >         struct seid_req req;
> >         int ret;
> > +       struct avdtp_local_sep *sep =3D stream->lsep;
> >
> >         if (!stream && session->discover) {
> >                 /* Don't call cb since it being aborted */
> > @@ -3498,6 +3499,8 @@ int avdtp_abort(struct avdtp *session, struct
> > avdtp_stream *stream)
> >         if (stream->lsep->state =3D=3D AVDTP_STATE_ABORTING)
> >                 return -EINVAL;
> >
> > +       avdtp_sep_set_state(session, sep, AVDTP_STATE_ABORTING);
> > +
> >         if (session->req && stream =3D=3D session->req->stream)
> >                 return cancel_request(session, ECANCELED);
> >
> > diff --git a/profiles/audio/sink.c b/profiles/audio/sink.c
> > index 7cac21034..726e2f562 100644
> > --- a/profiles/audio/sink.c
> > +++ b/profiles/audio/sink.c
> > @@ -309,8 +309,10 @@ static void sink_free(struct btd_service *service)
> >                 avdtp_stream_remove_cb(sink->session, sink->stream,
> >                                         sink->cb_id);
> >
> > -       if (sink->session)
> > +       if (sink->session) {
> >                 avdtp_unref(sink->session);
> > +               sink->session =3D NULL;
> > +       }
> >
> >         if (sink->connect_id > 0) {
> >                 btd_service_connecting_complete(sink->service, -ECANCEL=
ED);
> > --
> > 2.25.0.rc1.283.g88dfdc4193-goog


Applied, thanks.

--=20
Luiz Augusto von Dentz