Received: by 2002:a25:1985:0:0:0:0:0 with SMTP id 127csp1972382ybz;
        Sun, 26 Apr 2020 08:17:34 -0700 (PDT)
X-Google-Smtp-Source: APiQypJm7F1fgWKRi7y22o9492468T76mFQerDhswMw+jbzBheDhjOWLO8RVA07lbBslUyLmNTwN
X-Received: by 2002:a05:6402:3125:: with SMTP id dd5mr15886838edb.208.1587914254391;
        Sun, 26 Apr 2020 08:17:34 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1587914254; cv=none;
        d=google.com; s=arc-20160816;
        b=QXB11yu8I509c3adkBzz7+qqjTOXgKZ54bg41eSiyOrIiiCjrh0J0uBjJnR+30HtAG
         pCgb43yJmXWpfZyBp/CZIPgBCJMs3jNH1YPW/LhAjxns/tB1Vf1aZhqce2pdX9N4BlGD
         lpqys4eGTILkfBRVtZfo1N7XjNRkRHYB6xT5T19MkeFcWyuQbypANqYNXb9IJf2VQqas
         kcSYHkQjzhl9CaVwFt4sf9t7y4njXOAqc3ISo7dkIgeoxcD81Kec8VNrRbagkKuWoNSK
         Q6KW4IE5n+dIiwLP97OGI2tGqOu/8DTxme3XDYIShs6XsX/epQqLJHuTWrj1D8SPXB7+
         C8Iw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:user-agent:in-reply-to
         :content-transfer-encoding:content-disposition:mime-version
         :references:message-id:subject:to:from:date:dkim-signature;
        bh=dl2rULlR4EfPR9VvJGhk8ekVpyvHPiOor7EAnEI9tME=;
        b=oJC2I1hW0TbwrT5qw6QY+ul1xv2BzRu7sOupYj4C1uKXLiEtDKS3QkVJPwAtAwhnff
         k3AoMQkI4HsxreGFqla/XTLWscXHg2Rk0EwfIKClQqWNJYLXpEIfggmx1GQ6x6a/4uOu
         wtsRdKzaZfAzI658zNJFLNduwo8GgjCTKXSEvXbSm0+vHEB+fr9XFpp6dr+Y86OXLbSG
         ZpSdFYxZ7eGydS7HyQAfZnYnclk9YJzN6imcQiBXVWJ4qBY5NIU7WxbEeOpqrB++xcXE
         bnrNCJh9GtJWYw738yk3ekMA6Zk1WDBv2l6mVdiTJoKFgtyN+4KOS/S7rtl4POrpy/o3
         ooVw==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@kernel.org header.s=default header.b=eYi7ApRO;
       spf=pass (google.com: domain of linux-bluetooth-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-bluetooth-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org
Return-Path: <linux-bluetooth-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18])
        by mx.google.com with ESMTP id h1si2467683edn.261.2020.04.26.08.16.59;
        Sun, 26 Apr 2020 08:17:34 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-bluetooth-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@kernel.org header.s=default header.b=eYi7ApRO;
       spf=pass (google.com: domain of linux-bluetooth-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-bluetooth-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1726144AbgDZPPd (ORCPT <rfc822;nicolas.fabbro@gmail.com>
        + 99 others); Sun, 26 Apr 2020 11:15:33 -0400
Received: from mail.kernel.org ([198.145.29.99]:59284 "EHLO mail.kernel.org"
        rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
        id S1725975AbgDZPPc (ORCPT <rfc822;linux-bluetooth@vger.kernel.org>);
        Sun, 26 Apr 2020 11:15:32 -0400
Received: from pali.im (pali.im [31.31.79.79])
        (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
        (No client certificate requested)
        by mail.kernel.org (Postfix) with ESMTPSA id 83DDF2070A;
        Sun, 26 Apr 2020 15:15:31 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org;
        s=default; t=1587914131;
        bh=Ut9eCrJ1zUUTzIQMadS0VxSRBI1mGDqKcK50d1sAm9o=;
        h=Date:From:To:Subject:References:In-Reply-To:From;
        b=eYi7ApRO18foIy3uFmmtIY6QEDmZkPjljALgTWhk0zPAtMRiMkrB0pvRzryDESFZL
         F0bq1xs15KlIXTIRp4Vc/ntoVVFZj2tndbp0m5BFU91zC8HsV+RX5zAyDJ6pDhIbqp
         Zv7FCOmZm7p48wElde3x+jCN7CB/l5QaYAndMv3E=
Received: by pali.im (Postfix)
        id 8EEC5B71; Sun, 26 Apr 2020 17:15:29 +0200 (CEST)
Date:   Sun, 26 Apr 2020 17:15:29 +0200
From:   Pali =?utf-8?B?Um9ow6Fy?= <pali@kernel.org>
To:     linux-bluetooth@vger.kernel.org,
        Luiz Augusto von Dentz <luiz.dentz@gmail.com>
Subject: Re: bluetoothd crashes when tryting to change A2DP codec via DBus
Message-ID: <20200426151529.dpzojinssjqagsaq@pali>
References: <20200426150435.s562o34mertpj6ct@pali>
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <20200426150435.s562o34mertpj6ct@pali>
User-Agent: NeoMutt/20180716
Sender: linux-bluetooth-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-bluetooth.vger.kernel.org>
X-Mailing-List: linux-bluetooth@vger.kernel.org

On Sunday 26 April 2020 17:04:35 Pali Rohár wrote:
> Hello!
> 
> Bluez bluetoothd daemon compiled from git master branch crashes when I
> try to call DBus method for switching A2DP codec. Below is stacktrace
> from gdb. It looks like NULL pointer dereference. It is reproducible.
> 
> Program received signal SIGSEGV, Segmentation fault.
> 0x000055e1b3659c1a in avdtp_find_remote_sep (session=0x55e1b408bf80, lsep=0x0) at profiles/audio/avdtp.c:1221
> 1221            if (lsep->info.inuse)
> (gdb) bt
> #0  0x000055e1b3659c1a in avdtp_find_remote_sep (session=0x55e1b408bf80, lsep=0x0) at profiles/audio/avdtp.c:1221
> #1  0x000055e1b36568fc in find_remote_sep (sep=<optimized out>, chan=<optimized out>, chan=<optimized out>) at profiles/audio/a2dp.c:1169
> #2  0x000055e1b3656955 in a2dp_reconfigure (data=0x55e1b40a1e10) at profiles/audio/a2dp.c:1188
> #3  0x00007f4e07e90863 in ?? () from /usr/lib/x86_64-linux-gnu/libglib-2.0.so.0
> #4  0x00007f4e07e8fdd8 in g_main_context_dispatch () from /usr/lib/x86_64-linux-gnu/libglib-2.0.so.0
> #5  0x00007f4e07e901c8 in ?? () from /usr/lib/x86_64-linux-gnu/libglib-2.0.so.0
> #6  0x00007f4e07e904c2 in g_main_loop_run () from /usr/lib/x86_64-linux-gnu/libglib-2.0.so.0
> #7  0x000055e1b36ef725 in mainloop_run () at src/shared/mainloop-glib.c:79
> #8  0x000055e1b36efb02 in mainloop_run_with_signal (func=<optimized out>, user_data=0x0) at src/shared/mainloop-notify.c:201
> #9  0x000055e1b364b15e in main (argc=<optimized out>, argv=<optimized out>) at src/main.c:770
> (gdb) print lsep
> $1 = (struct avdtp_local_sep *) 0x0

It always happens if I kill target application (pulseaudio) during
bluetooth daemon is connecting to remote bluetooth headset. I guess that
there is a race condition between unregistering application agent
(together with unregistering all its local seps) and trying to use /
choose local sep for a new remote connection.

Here is simple patch which prevent bluetooth daemon crash:

diff --git a/profiles/audio/a2dp.c b/profiles/audio/a2dp.c
index a5590b24c..2f0fcd974 100644
--- a/profiles/audio/a2dp.c
+++ b/profiles/audio/a2dp.c
@@ -1184,8 +1184,14 @@ static gboolean a2dp_reconfigure(gpointer data)
 		rsep_codec = (struct avdtp_media_codec_capability *) cap->data;
 	}
 
-	if (!setup->rsep || sep->codec != rsep_codec->media_codec_type)
+	if (!setup->rsep || sep->codec != rsep_codec->media_codec_type) {
+		if (!sep->lsep) {
+			error("no lsep");
+			posix_err = -EINVAL;
+			goto failed;
+		}
 		setup->rsep = find_remote_sep(setup->chan, sep);
+	}
 
 	posix_err = avdtp_set_configuration(setup->session, setup->rsep->sep,
 						sep->lsep,

After applying this patch I get following error message without any
crash in bluetooth log:

bluetoothd[...]: Error on avdtp_open Invalid argument (22)

Which is probably OK, as target application is not running anymore and
connect request could not be finished.