Re: Bluetoothd crash/segfault when Chromebook creates connection with Samsung gear circle

Hi Ethan,

On Thu, Mar 12, 2015 at 10:04 AM, Ethan <ethancsge@xxxxxxxxx> wrote:
>
>
> Hi,
>
> There is an issue with a bluetoothd crash/segfault when a Chromebook creates a connection with a Samsung Gear Circle.
> The BlueZ version is 5.28. From the sniffer, it shows a get capabilities response error because the capability count is less than 2.
> So I modified the code in the function avrcp_get_capabilities_resp as below, and the issue cannot be reproduced. I am not sure whether this is a good fix; please help to check.
> The attached files are the sniffer log and patch.
> Thanks
>
> diff --git a/profiles/audio/avrcp.c b/profiles/audio/avrcp.c
> index 11de6ee..f19d26b 100644
> --- a/profiles/audio/avrcp.c
> +++ b/profiles/audio/avrcp.c
> @@ -3228,7 +3228,7 @@ static gboolean avrcp_get_capabilities_resp(struct avctp *conn,
>         uint8_t count;
>
>         if (code == AVC_CTYPE_REJECTED || code == AVC_CTYPE_NOT_IMPLEMENTED ||
> -                       pdu == NULL || pdu->params[0] != CAP_EVENTS_SUPPORTED)
> +                       pdu == NULL || pdu->params[0] != CAP_EVENTS_SUPPORTED || pdu->params[1] < 2 )
>                 return FALSE;
>
>         /* Connect browsing if pending */
>
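Review bot: the added "pdu->params[1] < 2" clause rejects a response that advertises a single supported event, which is a legitimate reply (the follow-up in this thread notes a controller usually reports only Volume Changed), so it drops valid peers instead of addressing the fault; the "segfault at 0" in the attached log points to a NULL dereference, which a count of 1 does not by itself explain. If the intent is to harden this path, the bound that matters is between the advertised count and the parameter bytes actually received (reject when the count exceeds the bytes left after the two header octets), not a comparison against a constant; nothing in this hunk relates the count to the received length. Also drop the stray space before the closing parenthesis.
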
> 2015-03-11T09:16:03.462714+02:00 DEBUG bluetoothd[3304]: src/service.c:change_state() 0x7fdba9a0a7d0: device A0:B4:A5:1F:56:B9 profile avrcp-controller state changed: disconnected -> connecting (0)
> 2015-03-11T09:16:03.462746+02:00 DEBUG bluetoothd[3304]: src/service.c:btd_service_ref() 0x7fdba9a0a8a0: ref=3
> 2015-03-11T09:16:03.462760+02:00 DEBUG bluetoothd[3304]: plugins/policy.c:service_cb() Added a2dp-sink reconnect 0
> 2015-03-11T09:16:03.462772+02:00 DEBUG bluetoothd[3304]: profiles/audio/sink.c:sink_set_state() State changed /org/bluez/hci0/dev_A0_B4_A5_1F_56_B9: SINK_STATE_CONNECTING -> SINK_STATE_CONNECTED
> 2015-03-11T09:16:03.462784+02:00 DEBUG bluetoothd[3304]: profiles/audio/transport.c:transport_update_playing() /org/bluez/hci0/dev_A0_B4_A5_1F_56_B9/fd0 State=TRANSPORT_STATE_IDLE Playing=0
> 2015-03-11T09:16:03.520141+02:00 DEBUG bluetoothd[3304]: profiles/audio/avctp.c:avctp_connect_cb() AVCTP: connected to A0:B4:A5:1F:56:B9
> 2015-03-11T09:16:03.520189+02:00 ERR bluetoothd[3304]: Can't open input device: No such file or directory (2)
> 2015-03-11T09:16:03.520205+02:00 ERR bluetoothd[3304]: AVRCP: failed to init uinput for A0:B4:A5:1F:56:B9
> 2015-03-11T09:16:03.520216+02:00 DEBUG bluetoothd[3304]: profiles/audio/avrcp.c:target_init() 0x7fdba9a09bd0 version 0x0105
> 2015-03-11T09:16:03.520227+02:00 DEBUG bluetoothd[3304]: src/service.c:change_state() 0x7fdba9a0a7d0: device A0:B4:A5:1F:56:B9 profile avrcp-controller state changed: connecting -> connected (0)
> 2015-03-11T09:16:03.520239+02:00 DEBUG bluetoothd[3304]: src/device.c:device_profile_connected() avrcp-controller Success (0)
> 2015-03-11T09:16:03.520250+02:00 DEBUG bluetoothd[3304]: profiles/audio/avctp.c:avctp_set_state() AVCTP Connected
> 2015-03-11T09:16:03.613393+02:00 DEBUG bluetoothd[3304]: profiles/audio/avrcp.c:handle_vendordep_pdu() AVRCP PDU 0x10, company 0x001958 len 0x0001
> 2015-03-11T09:16:03.613423+02:00 DEBUG bluetoothd[3304]: profiles/audio/avrcp.c:avrcp_handle_get_capabilities() id=3
> 2015-03-11T09:16:03.719326+02:00 DEBUG bluetoothd[3304]: src/device.c:search_cb() A0:B4:A5:1F:56:B9: No service update
> 2015-03-11T09:16:03.719358+02:00 DEBUG bluetoothd[3304]: src/device.c:device_svc_resolved() /org/bluez/hci0/dev_A0_B4_A5_1F_56_B9 err 0
> 2015-03-11T09:16:05.597080+02:00 INFO kernel: [  232.700006] bluetoothd[3304]: segfault at 0 ip 00007fdba8143369 sp 00007fff95799110 error 4 in bluetoothd[7fdba8115000+b4000]
> 2015-03-11T09:16:05.675496+02:00 WARNING crash_reporter[16211]: Received crash notification for bluetoothd[3304] sig 11, user 218 (handling)
> 2015-03-11T09:16:05.678077+02:00 INFO crash_reporter[16211]: State of crashed process [3304]: S (sleeping)
> 2015-03-11T09:16:05.696673+02:00 INFO crash_reporter[16211]: Stored minidump to /var/spool/crash/bluetoothd.20150311.091605.3304.dmp
> 2015-03-11T09:16:05.702634+02:00 WARNING minijail0[3298]: libminijail: child process 3304 received signal 11
> 2015-03-11T09:16:05.703799+02:00 WARNING kernel: [  232.806836] init: bluetoothd main process (3298) terminated with status 139
> 2015-03-11T09:16:05.703823+02:00 WARNING kernel: [  232.806914] init: bluetoothd main process ended, respawning

This does not match the picture, since I can see a List Player Settings
packet, so I am afraid it is crashing in some other place. Also, your
sniffer got this wrong: it is allowed to send 1 as the capability count;
if you are the controller you usually only have the Volume Changed event.

-- 
Luiz Augusto von Dentz
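
The point above, that a capability count of 1 is a legitimate GetCapabilities
response, pairs with the check a response parser actually needs: the count must
fit within the parameter bytes the peer sent, whatever its value. The following
is an added example in C, not BlueZ code or the patch from this thread; the byte
layout (CapabilityID, CapabilityCount, EventIDs) is AVRCP's, while the function
and type names and the sample byte strings are constructed for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* AVRCP capability IDs used by GetCapabilities (AVRCP 1.4). */
#define CAP_COMPANY_ID			0x02
#define CAP_EVENTS_SUPPORTED		0x03

/* The one event a pure controller commonly advertises. */
#define AVRCP_EVENT_VOLUME_CHANGED	0x0d

/* Upper bound on events kept; AVRCP 1.4 defines event IDs 0x01..0x0d. */
#define MAX_EVENTS 16

struct caps_result {
	uint8_t count;
	uint8_t events[MAX_EVENTS];
};

/*
 * Parse the parameter block of a GetCapabilities(EVENTS_SUPPORTED) response:
 *   params[0] = CapabilityID, params[1] = CapabilityCount, params[2..] = EventIDs
 * Returns true and fills *out on a well-formed block. A count of 1 (or 0) is
 * accepted; what is rejected is a count claiming more bytes than were received.
 * (Hypothetical helper written for this example.)
 */
bool parse_get_caps_events(const uint8_t *params, size_t params_len,
			   struct caps_result *out)
{
	uint8_t count;

	if (params == NULL || out == NULL)
		return false;

	/* Both header octets must be present before params[1] is read. */
	if (params_len < 2)
		return false;

	if (params[0] != CAP_EVENTS_SUPPORTED)
		return false;

	count = params[1];

	/* Bound the advertised count by the bytes that follow the header. */
	if ((size_t)count > params_len - 2 || count > MAX_EVENTS)
		return false;

	out->count = count;
	memcpy(out->events, params + 2, count);
	return true;
}

/* True if the parsed capability list includes the given event ID. */
bool caps_has_event(const struct caps_result *caps, uint8_t event)
{
	for (uint8_t i = 0; i < caps->count; i++)
		if (caps->events[i] == event)
			return true;
	return false;
}

/* Parsed event count, or -1 if the block was rejected. */
int caps_count_or_error(const uint8_t *params, size_t params_len)
{
	struct caps_result caps;

	if (!parse_get_caps_events(params, params_len, &caps))
		return -1;
	return caps.count;
}

/* Constructed sample parameter blocks; these are not captured traffic. */

/* A controller that only supports Volume Changed: count = 1, and valid. */
const uint8_t SAMPLE_VOLUME_ONLY[] = {
	CAP_EVENTS_SUPPORTED, 0x01, AVRCP_EVENT_VOLUME_CHANGED
};

/* Count claims five events but only two event bytes follow. */
const uint8_t SAMPLE_TRUNCATED[] = { CAP_EVENTS_SUPPORTED, 0x05, 0x01, 0x02 };

/* Header cut off after the capability ID. */
const uint8_t SAMPLE_TOO_SHORT[] = { CAP_EVENTS_SUPPORTED };

/* A Company ID response (Bluetooth SIG, 0x001958) where events were expected. */
const uint8_t SAMPLE_WRONG_CAP[] = { CAP_COMPANY_ID, 0x01, 0x00, 0x19, 0x58 };

int main(void)
{
	struct caps_result caps;

	if (parse_get_caps_events(SAMPLE_VOLUME_ONLY,
				  sizeof(SAMPLE_VOLUME_ONLY), &caps))
		printf("volume-only reply: %u event(s), volume changed=%d\n",
		       (unsigned)caps.count,
		       caps_has_event(&caps, AVRCP_EVENT_VOLUME_CHANGED));

	printf("truncated reply accepted: %d\n",
	       caps_count_or_error(SAMPLE_TRUNCATED,
				   sizeof(SAMPLE_TRUNCATED)) != -1);
	printf("too-short reply accepted: %d\n",
	       caps_count_or_error(SAMPLE_TOO_SHORT,
				   sizeof(SAMPLE_TOO_SHORT)) != -1);
	return 0;
}
```

The single-event reply is accepted, which the patch quoted above would have
refused, while the two malformed blocks are rejected before any byte past the
received length is touched.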
--
To unsubscribe from this list: send the line "unsubscribe linux-bluetooth" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
