https://bugzilla.kernel.org/show_bug.cgi?id=199537

Bug ID: 199537
Summary: Bluez crashes after device disconnect
Product: Drivers
Version: 2.5
Kernel Version: 4.14.11
Hardware: All
OS: Linux
Tree: Mainline
Status: NEW
Severity: normal
Priority: P1
Component: Bluetooth
Assignee: linux-bluetooth@xxxxxxxxxxxxxxx
Reporter: batyiev@xxxxxxxxx
Regression: No

Created attachment 275615
--> https://bugzilla.kernel.org/attachment.cgi?id=275615&action=edit
Test script (modified from example-gatt-client)

I've got a crash in the bluez daemon (git master version) while trying to use the AcquireNotify DBus method.

My steps are:

0. I have two separate Linux devices (laptop and Raspberry Pi 3).
1. GATT server (rpi3) is running example-advertisement and example-gatt-server (both are test scripts from the bluez package itself).
2. GATT client (laptop) is running a custom script (see at the end of the message).
3. I do CTRL+C on example-gatt-server to shut down the GATT server.
4. bluetoothd on the GATT client gets SIGSEGV:

bluetoothd[11407]: src/device.c:gatt_debug() service disappeared: start 0x0026 end 0x0035
bluetoothd[11407]: src/device.c:gatt_service_removed() start: 0x0026, end: 0x0035
bluetoothd[11407]: src/gatt-client.c:btd_gatt_client_service_removed() GATT Services Removed - start: 0x0026, end: 0x0035
bluetoothd[11407]: src/gatt-client.c:unregister_service() Removing GATT service: /org/bluez/hci1/dev_B8_27_EB_E7_50_36/service0026
bluetoothd[11407]: src/gatt-client.c:unregister_characteristic() Removing GATT characteristic: /org/bluez/hci1/dev_B8_27_EB_E7_50_36/service0026/char0027
bluetoothd[11407]: src/gatt-client.c:unregister_descriptor() Removing GATT descriptor: /org/bluez/hci1/dev_B8_27_EB_E7_50_36/service0026/char0027/desc0029
bluetoothd[11407]: src/gatt-client.c:unregister_descriptor() Removing GATT descriptor: /org/bluez/hci1/dev_B8_27_EB_E7_50_36/service0026/char0027/desc002a
bluetoothd[11407]: src/gatt-client.c:unregister_descriptor() Removing GATT descriptor: /org/bluez/hci1/dev_B8_27_EB_E7_50_36/service0026/char0027/desc002b
bluetoothd[11407]: src/gatt-client.c:unregister_characteristic() Removing GATT characteristic: /org/bluez/hci1/dev_B8_27_EB_E7_50_36/service0026/char002c
bluetoothd[11407]: src/gatt-client.c:unregister_descriptor() Removing GATT descriptor: /org/bluez/hci1/dev_B8_27_EB_E7_50_36/service0026/char002c/desc002e
bluetoothd[11407]: src/gatt-client.c:unregister_descriptor() Removing GATT descriptor: /org/bluez/hci1/dev_B8_27_EB_E7_50_36/service0026/char002c/desc002f
bluetoothd[11407]: src/gatt-client.c:unregister_descriptor() Removing GATT descriptor: /org/bluez/hci1/dev_B8_27_EB_E7_50_36/service0026/char002c/desc0030
bluetoothd[11407]: src/gatt-client.c:unregister_characteristic() Removing GATT characteristic: /org/bluez/hci1/dev_B8_27_EB_E7_50_36/service0026/char0031
bluetoothd[11407]: src/gatt-client.c:unregister_descriptor() Removing GATT descriptor: /org/bluez/hci1/dev_B8_27_EB_E7_50_36/service0026/char0031/desc0033
bluetoothd[11407]: src/gatt-client.c:unregister_descriptor() Removing GATT descriptor: /org/bluez/hci1/dev_B8_27_EB_E7_50_36/service0026/char0031/desc0034
bluetoothd[11407]: src/gatt-client.c:unregister_descriptor() Removing GATT descriptor: /org/bluez/hci1/dev_B8_27_EB_E7_50_36/service0026/char0031/desc0035
bluetoothd[11407]: src/device.c:gatt_client_service_changed() start 0x0026, end: 0x0035
bluetoothd[11407]: src/device.c:gatt_debug() service disappeared: start 0x0036 end 0x003d
bluetoothd[11407]: src/device.c:gatt_service_removed() start: 0x0036, end: 0x003d
bluetoothd[11407]: src/gatt-client.c:btd_gatt_client_service_removed() GATT Services Removed - start: 0x0036, end: 0x003d
bluetoothd[11407]: src/gatt-client.c:unregister_service() Removing GATT service: /org/bluez/hci1/dev_B8_27_EB_E7_50_36/service0036
bluetoothd[11407]: src/gatt-client.c:unregister_characteristic() Removing GATT characteristic: /org/bluez/hci1/dev_B8_27_EB_E7_50_36/service0036/char0037
bluetoothd[11407]: src/gatt-client.c:unregister_characteristic() Removing GATT characteristic: /org/bluez/hci1/dev_B8_27_EB_E7_50_36/service0036/char0039
bluetoothd[11407]: src/gatt-client.c:unregister_characteristic() Removing GATT characteristic: /org/bluez/hci1/dev_B8_27_EB_E7_50_36/service0036/char003b
bluetoothd[11407]: src/gatt-client.c:notify_client_unref() owner :1.159
bluetoothd[11407]: src/gatt-client.c:notify_client_free() owner :1.159
bluetoothd[11407]: src/gatt-client.c:unregister_descriptor() Removing GATT descriptor: /org/bluez/hci1/dev_B8_27_EB_E7_50_36/service0036/char003b/desc003d

Program received signal SIGSEGV, Segmentation fault.
0x080eeca3 in queue_remove (queue=0x696c6275, data=0x8178be8) at src/shared/queue.c:256
256	for (entry = queue->head, prev = NULL; entry;
(gdb) bt
#0  0x080eeca3 in queue_remove (queue=0x696c6275, data=0x8178be8) at src/shared/queue.c:256
#1  0x080c1138 in notify_io_destroy (data=0x8178be8) at src/gatt-client.c:1461
#2  0x080c0480 in pipe_io_destroy (io=0x817aac8) at src/gatt-client.c:1082
#3  0x080c16f0 in characteristic_free (data=0x817b870) at src/gatt-client.c:1663
#4  0x080e8cc4 in remove_interface (data=0x817de00, name=0x811e609 "org.bluez.GattCharacteristic1") at gdbus/object.c:667
#5  0x080ea489 in g_dbus_unregister_interface (connection=0x8161140, path=0x817df48 "/org/bluez/hci1/dev_B8_27_EB_E7_50_36/service0036/char003b", name=0x811e609 "org.bluez.GattCharacteristic1") at gdbus/object.c:1391
#6  0x080c1a32 in unregister_characteristic (data=0x817b870) at src/gatt-client.c:1744
#7  0x080eeee0 in queue_remove_all (queue=0x817b280, function=0x0, user_data=0x0, destroy=0x80c1958 <unregister_characteristic>) at src/shared/queue.c:354
#8  0x080c1ef9 in unregister_service (data=0x817b1f0) at src/gatt-client.c:1893
#9  0x080eee8e in queue_remove_all (queue=0x8173928, function=0x80c2188 <match_service_handle>, user_data=0x36, destroy=0x80c1e9d <unregister_service>) at src/shared/queue.c:339
#10 0x080c286b in btd_gatt_client_service_removed (client=0x8173fa8, attrib=0x817bbf8) at src/gatt-client.c:2199
#11 0x080ca00e in gatt_service_removed (attr=0x817bbf8, user_data=0x8173dc0) at src/device.c:3682
#12 0x08100266 in handle_notify (data=0x8174248, user_data=0xbffff1a4) at src/shared/gatt-db.c:263
#13 0x080eebc2 in queue_foreach (queue=0x8173c18, function=0x810020a <handle_notify>, user_data=0xbffff1a4) at src/shared/queue.c:220
#14 0x081002eb in notify_service_changed (db=0x8173b00, service=0x8174238, added=false) at src/shared/gatt-db.c:280
#15 0x0810034b in gatt_db_service_destroy (data=0x8174238) at src/shared/gatt-db.c:291
#16 0x081007d3 in gatt_db_remove_service (db=0x8173b00, attrib=0x817bbf8) at src/shared/gatt-db.c:420
#17 0x080f6f2a in discovery_op_complete (op=0x817ba70, success=true, err=10 '\n') at src/shared/gatt-client.c:376
#18 0x080f8171 in discover_chrcs_cb (success=true, att_ecode=10 '\n', result=0x0, user_data=0x817ba70) at src/shared/gatt-client.c:940
#19 0x081049dd in discovery_op_complete (op=0x81747b0, success=false, ecode=10 '\n') at src/shared/gatt-helpers.c:628
#20 0x08105ca7 in discover_chrcs_cb (opcode=1 '\001', pdu=0x817be09, length=4, user_data=0x81747b0) at src/shared/gatt-helpers.c:1250
#21 0x080f4ff2 in handle_rsp (att=0x8170200, opcode=1 '\001', pdu=0x817be09 "\b6", pdu_len=4) at src/shared/att.c:714
#22 0x080f54f1 in can_read_data (io=0x81689c8, user_data=0x8170200) at src/shared/att.c:886
#23 0x0810347a in watch_callback (channel=0x816b0a0, cond=G_IO_IN, user_data=0x816d658) at src/shared/io-glib.c:170
#24 0xb7f068ee in g_io_unix_dispatch () from /usr/lib/libglib-2.0.so.0
#25 0xb7ebfffb in g_main_context_dispatch () from /usr/lib/libglib-2.0.so.0
#26 0xb7ec03f9 in g_main_context_iterate.isra () from /usr/lib/libglib-2.0.so.0
#27 0xb7ec07a9 in g_main_loop_run () from /usr/lib/libglib-2.0.so.0
#28 0x0808e9f7 in main (argc=1, argv=0xbffff654) at src/main.c:781
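Added illustration, not part of the report and not bluez code. The log shows notify_client_free() running for owner :1.159 immediately before the characteristic's descriptor is unregistered, and frame #0 then faults in queue_remove() with queue=0x696c6275, a value made of four printable ASCII bytes rather than a heap address. That combination is consistent with the notify I/O object still holding a raw pointer to a queue that its owner released first. Whether that is the actual root cause in gatt-client.c is not established here; the program below only reproduces the general hazard in a self-contained form. The structure names echo the frames in the backtrace, but the structs, the field layout, the ordering of the two teardown paths and the fix (detaching each I/O from its owner before the owner's queue goes away) are assumptions. A released queue is poisoned rather than freed so the demo never touches freed memory and returns a status instead of crashing.

```c
/*
 * Constructed demo of an owner/child lifetime hazard in destroy callbacks.
 * NOT bluez code: names mirror the backtrace, everything else is assumed.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

#define QUEUE_MAGIC  0x51554555u   /* "QUEU": a live queue */
#define QUEUE_POISON 0xdeadbeefu   /* stands in for heap reuse after free */

struct entry { void *data; struct entry *next; };
struct queue { unsigned magic; struct entry *head; };

struct notify_client;
struct notify_io {
    struct notify_client *client;  /* back-pointer to owner, NULL once detached */
    struct queue *client_queue;    /* queue the I/O must remove itself from */
};
struct notify_client { struct queue *ios; };

static struct queue *queue_new(void)
{
    struct queue *q = calloc(1, sizeof *q);
    q->magic = QUEUE_MAGIC;
    return q;
}

static void queue_push(struct queue *q, void *data)
{
    struct entry *e = calloc(1, sizeof *e);
    e->data = data;
    e->next = q->head;
    q->head = e;
}

/* 1 = removed, 0 = not present, -1 = queue memory already released.
 * The real queue_remove() cannot tell the last case apart; it just
 * dereferences the pointer, which is what frame #0 shows. */
static int queue_remove(struct queue *q, void *data)
{
    if (q == NULL || q->magic != QUEUE_MAGIC)
        return -1;
    for (struct entry **pp = &q->head; *pp; pp = &(*pp)->next) {
        if ((*pp)->data == data) {
            struct entry *e = *pp;
            *pp = e->next;
            free(e);
            return 1;
        }
    }
    return 0;
}

/* Simulated free: drop the entries and poison the header instead of
 * releasing it, so later misuse is detectable rather than undefined. */
static void queue_release_poisoned(struct queue *q)
{
    for (struct entry *e = q->head, *n; e; e = n) { n = e->next; free(e); }
    q->head = NULL;
    q->magic = QUEUE_POISON;
}

/* Child teardown, as in characteristic_free -> pipe_io_destroy -> notify_io_destroy. */
static int notify_io_destroy(struct notify_io *io)
{
    int rc = 1;
    if (io->client)                     /* detached I/O skips the owner's queue */
        rc = queue_remove(io->client_queue, io);
    free(io);
    return rc;
}

/* Buggy owner teardown: releases the queue while an I/O still points at it. */
static void notify_client_free_buggy(struct notify_client *c)
{
    queue_release_poisoned(c->ios);
    free(c);
}

/* Fixed owner teardown: detach every I/O first so its own destroy is safe. */
static void notify_client_free_fixed(struct notify_client *c)
{
    for (struct entry *e = c->ios->head; e; e = e->next) {
        struct notify_io *io = e->data;
        io->client = NULL;
        io->client_queue = NULL;
    }
    queue_release_poisoned(c->ios);
    free(c);
}

/* Replays the order seen in the log: owner freed, then the characteristic
 * tears its I/O down. Returns -1 if the child walked a released queue. */
int run_teardown(bool fixed)
{
    struct notify_client *client = calloc(1, sizeof *client);
    client->ios = queue_new();
    struct queue *shell = client->ios;  /* kept only to free the poisoned header */

    struct notify_io *io = calloc(1, sizeof *io);
    io->client = client;
    io->client_queue = client->ios;
    queue_push(client->ios, io);

    if (fixed)
        notify_client_free_fixed(client);
    else
        notify_client_free_buggy(client);

    int rc = notify_io_destroy(io);
    free(shell);
    return rc;
}

int main(void)
{
    printf("buggy order: %s\n", run_teardown(false) < 0 ? "queue_remove() on released queue" : "clean");
    printf("fixed order: %s\n", run_teardown(true) < 0 ? "queue_remove() on released queue" : "clean");
    return 0;
}
```

The point of the check in queue_remove() is only to make the demo observable; a real daemon should not rely on magic values. The durable fix is the ownership rule in notify_client_free_fixed(): whichever side dies first must clear the other side's back-pointer, and the destroy path must treat a NULL owner as "already detached". Running the buggy branch under AddressSanitizer (-fsanitize=address, after replacing the poisoning with a real free) shows the same class of report a practitioner would expect from bluetoothd.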