Re: Segmentation fault in bluetoothd with btgatt-client

Hi Arthur,

On Wed, Jun 3, 2020 at 10:17 AM Luiz Augusto von Dentz
<luiz.dentz@xxxxxxxxx> wrote:
>
> Hi Arthur,
>
> On Wed, Jun 3, 2020 at 2:45 AM Arthur Lambert <lambertarthur22@xxxxxxxxx> wrote:
> >
> > Hello,
> >
> > I am working on an embedded device with Bluez 5.54.
> > My bluez init script for the bluetoothd daemon:
> >
> > # cat /etc/init.d/S19_bluez
> > #!/bin/sh
> >
> > start() {
> > echo -n "Starting $0: "
> > #bluetoothd -dE&
> > echo "Done."
> > }
> >
> > (...)
> >
> > To initialize my hci0, we are using btmgmt :
> >
> > /usr/bin/btmgmt -i hci0 power off
> > /usr/bin/btmgmt -i hci0 le on
> > /usr/bin/btmgmt -i hci0 bredr on
> > /usr/bin/btmgmt -i hci0 connectable on
> > /usr/bin/btmgmt -i hci0 bondable on
> > /usr/bin/btmgmt -i hci0 discov on
> > /usr/bin/btmgmt -i hci0 name XXXXX-HEADBAND-V2
> > /usr/bin/btmgmt -i hci0 advertising on
> > /usr/bin/btmgmt -i hci0 power on
> >
> > Log from bluetoothd:
> >
> > # valgrind --leak-check=no --show-reachable=no
> > --show-possibly-lost=no --track-origins=yes bluetoothd -dEn
> > ==237== Memcheck, a memory error detector
> > ==237== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
> > ==237== Using Valgrind-3.14.0 and LibVEX; rerun with -h for copyright info
> > ==237== Command: bluetoothd -dEn
> > ==237==
> > ==237== Invalid read of size 4
> > ==237==    at 0x4005458: _dl_get_ready_to_run (in /lib/ld-uClibc-1.0.31.so)
> > ==237==  Address 0x7dffc934 is on thread 1's stack
> > ==237==  20 bytes below stack pointer
> > ==237==
> > ==237== Invalid read of size 4
> > ==237==    at 0x4B05AB8: __uClibc_main (in /lib/libuClibc-1.0.31.so)
> > ==237==  Address 0x7dffcbec is on thread 1's stack
> > ==237==  20 bytes below stack pointer
> > ==237==
> > bluetoothd[237]: Bluetooth daemon 5.54
> > bluetoothd[237]: src/main.c:parse_config() parsing /etc/bluetooth/main.conf
> > bluetoothd[237]: src/main.c:parse_config() Key file does not have key
> > “DiscoverableTimeout” in group “General”
> > bluetoothd[237]: src/main.c:parse_config() Key file does not have key
> > “AlwaysPairable” in group “General”
> > bluetoothd[237]: src/main.c:parse_config() Key file does not have key
> > “PairableTimeout” in group “General”
> > bluetoothd[237]: src/main.c:parse_config() Key file does not have key
> > “Privacy” in group “General”
> > bluetoothd[237]: src/main.c:parse_config() Key file does not have key
> > “JustWorksRepairing” in group “General”
> > bluetoothd[237]: src/main.c:parse_config() name=XXXXX-HEADBAND-V2
> > bluetoothd[237]: src/main.c:parse_config() Key file does not have key
> > “Class” in group “General”
> > bluetoothd[237]: src/main.c:parse_config() Key file does not have key
> > “DeviceID” in group “General”
> > bluetoothd[237]: src/main.c:parse_config() Key file does not have key
> > “ReverseServiceDiscovery” in group “General”
> > bluetoothd[237]: src/main.c:parse_config() Key file does not have group “GATT”
> > bluetoothd[237]: src/main.c:parse_config() Key file does not have group “GATT”
> > bluetoothd[237]: src/main.c:parse_config() Key file does not have group “GATT”
> > bluetoothd[237]: src/main.c:parse_config() Key file does not have group “GATT”
> > bluetoothd[237]: src/adapter.c:adapter_init() sending read version command
> > bluetoothd[237]: Starting SDP server
> > bluetoothd[237]: src/sdpd-service.c:register_device_id() Adding device
> > id record for 0002:1d6b:0246:0536
> > bluetoothd[237]: src/plugin.c:plugin_init() Loading builtin plugins
> > bluetoothd[237]: src/plugin.c:add_plugin() Loading hostname plugin
> > bluetoothd[237]: src/plugin.c:add_plugin() Loading wiimote plugin
> > bluetoothd[237]: src/plugin.c:add_plugin() Loading autopair plugin
> > bluetoothd[237]: src/plugin.c:add_plugin() Loading policy plugin
> > bluetoothd[237]: src/plugin.c:add_plugin() Loading network plugin
> > bluetoothd[237]: src/plugin.c:add_plugin() Loading input plugin
> > bluetoothd[237]: src/plugin.c:add_plugin() Loading hog plugin
> > bluetoothd[237]: src/plugin.c:add_plugin() Loading gap plugin
> > bluetoothd[237]: src/plugin.c:add_plugin() Loading scanparam plugin
> > bluetoothd[237]: src/plugin.c:add_plugin() Loading deviceinfo plugin
> > bluetoothd[237]: src/plugin.c:plugin_init() Loading plugins
> > /usr/lib/bluetooth/plugins
> > bluetoothd[237]: profiles/input/suspend-none.c:suspend_init()
> > bluetoothd[237]: profiles/network/manager.c:read_config() Config
> > options: Security=true
> > bluetoothd[237]: Failed to open RFKILL control device
> > bluetoothd[237]: src/main.c:main() Entering main loop
> > bluetoothd[237]: Bluetooth management interface 1.9 initialized
> > bluetoothd[237]: src/adapter.c:read_version_complete() sending read
> > supported commands command
> > bluetoothd[237]: src/adapter.c:read_version_complete() sending read
> > index list command
> > bluetoothd[237]: src/adapter.c:read_commands_complete() Number of commands: 61
> > bluetoothd[237]: src/adapter.c:read_commands_complete() Number of events: 34
> > bluetoothd[237]: src/adapter.c:read_commands_complete() enabling
> > kernel-side connection control
> > bluetoothd[237]: src/adapter.c:read_index_list_complete() Number of
> > controllers: 0
> > bluetoothd[237]: src/adapter.c:index_added() index 0
> > bluetoothd[237]: src/adapter.c:btd_adapter_new() System name: XXXXXX-HEADBAND-V2
> > bluetoothd[237]: src/adapter.c:btd_adapter_new() Major class: 0
> > bluetoothd[237]: src/adapter.c:btd_adapter_new() Minor class: 0
> > bluetoothd[237]: src/adapter.c:btd_adapter_new() Modalias: usb:v1D6Bp0246d0536
> > bluetoothd[237]: src/adapter.c:btd_adapter_new() Discoverable timeout:
> > 180 seconds
> > bluetoothd[237]: src/adapter.c:btd_adapter_new() Pairable timeout: 0 seconds
> > bluetoothd[237]: src/adapter.c:index_added() sending read info command
> > for index 0
> > bluetoothd[237]: src/adapter.c:read_info_complete() index 0 status 0x00
> > bluetoothd[237]: src/adapter.c:clear_uuids() sending clear uuids
> > command for index 0
> > bluetoothd[237]: src/adapter.c:clear_devices() sending clear devices
> > command for index 0
> > bluetoothd[237]: src/adapter.c:set_mode() sending set mode command for index 0
> > bluetoothd[237]: src/adapter.c:set_mode() sending set mode command for index 0
> > bluetoothd[237]: src/adapter.c:set_mode() sending set mode command for index 0
> > bluetoothd[237]: src/adapter.c:set_privacy() sending set privacy
> > command for index 0
> > bluetoothd[237]: src/adapter.c:set_privacy() setting privacy mode 0x00
> > for index 0
> > bluetoothd[237]: src/gatt-database.c:btd_gatt_database_new() GATT
> > Manager registered for adapter: /org/bluez/hci0
> > bluetoothd[237]: src/adapter.c:adapter_service_add() /org/bluez/hci0
> > bluetoothd[237]: src/sdpd-service.c:add_record_to_server() Adding
> > record with handle 0x10001
> > bluetoothd[237]: src/sdpd-service.c:add_record_to_server() Record
> > pattern UUID 00000007-0000-1000-8000-00805f9
> > bluetoothd[237]: src/sdpd-service.c:add_record_to_server() Record
> > pattern UUID 00000100-0000-1000-8000-00805f9
> > bluetoothd[237]: src/sdpd-service.c:add_record_to_server() Record
> > pattern UUID 00001002-0000-1000-8000-00805f9
> > bluetoothd[237]: src/sdpd-service.c:add_record_to_server() Record
> > pattern UUID 00001800-0000-1000-8000-00805f9
> > bluetoothd[237]: src/adapter.c:adapter_service_insert() /org/bluez/hci0
> > bluetoothd[237]: src/adapter.c:add_uuid() sending add uuid command for index 0
> > bluetoothd[237]: src/adapter.c:adapter_service_add() /org/bluez/hci0
> > bluetoothd[237]: src/sdpd-service.c:add_record_to_server() Adding
> > record with handle 0x10002
> > bluetoothd[237]: src/sdpd-service.c:add_record_to_server() Record
> > pattern UUID 00000007-0000-1000-8000-00805f9
> > bluetoothd[237]: src/sdpd-service.c:add_record_to_server() Record
> > pattern UUID 00000100-0000-1000-8000-00805f9
> > bluetoothd[237]: src/sdpd-service.c:add_record_to_server() Record
> > pattern UUID 00001002-0000-1000-8000-00805f9
> > bluetoothd[237]: src/sdpd-service.c:add_record_to_server() Record
> > pattern UUID 00001801-0000-1000-8000-00805f9
> > bluetoothd[237]: src/adapter.c:adapter_service_insert() /org/bluez/hci0
> > bluetoothd[237]: src/adapter.c:add_uuid() sending add uuid command for index 0
> > bluetoothd[237]: src/advertising.c:btd_adv_manager_new() LE
> > Advertising Manager created for adapter: /org/bluez/hci0
> > bluetoothd[237]: plugins/hostname.c:hostname_probe()
> > bluetoothd[237]: profiles/network/manager.c:panu_server_probe() path
> > /org/bluez/hci0
> > bluetoothd[237]: profiles/network/server.c:server_register()
> > Registered interface org.bluez.NetworkServer1 on path /org/bluez/hci0
> > bluetoothd[237]: profiles/network/manager.c:gn_server_probe() path
> > /org/bluez/hci0
> > bluetoothd[237]: profiles/network/manager.c:nap_server_probe() path
> > /org/bluez/hci0
> > bluetoothd[237]: src/adapter.c:btd_adapter_unblock_address() hci0
> > 00:00:00:00:00:00
> > bluetoothd[237]: src/adapter.c:load_link_keys() hci0 keys 0 debug_keys 0
> > bluetoothd[237]: src/adapter.c:load_ltks() hci0 keys 0
> > bluetoothd[237]: src/adapter.c:load_irks() hci0 irks 0
> > bluetoothd[237]: src/adapter.c:load_conn_params() hci0 conn params 0
> > bluetoothd[237]: src/adapter.c:adapter_service_insert() /org/bluez/hci0
> > bluetoothd[237]: src/adapter.c:add_uuid() sending add uuid command for index 0
> > bluetoothd[237]: src/adapter.c:set_did() hci0 source 2 vendor 1d6b
> > product 246 version 536
> > bluetoothd[237]: src/adapter.c:adapter_register() Adapter
> > /org/bluez/hci0 registered
> > bluetoothd[237]: src/adapter.c:set_dev_class() sending set device
> > class command for index 0
> > bluetoothd[237]: src/adapter.c:set_name() sending set local name
> > command for index 0
> > bluetoothd[237]: src/adapter.c:new_settings_callback() Settings: 0x00000280
> > bluetoothd[237]: src/adapter.c:settings_changed() Changed settings: 0x00000200
> > bluetoothd[237]: src/adapter.c:settings_changed() Pending settings: 0x00000000
> > bluetoothd[237]: src/adapter.c:new_settings_callback() Settings: 0x00000282
> > bluetoothd[237]: src/adapter.c:settings_changed() Changed settings: 0x00000002
> > bluetoothd[237]: src/adapter.c:settings_changed() Pending settings: 0x00000000
> > bluetoothd[237]: src/adapter.c:new_settings_callback() Settings: 0x00000292
> > bluetoothd[237]: src/adapter.c:settings_changed() Changed settings: 0x00000010
> > bluetoothd[237]: src/adapter.c:settings_changed() Pending settings: 0x00000000
> > bluetoothd[237]: src/adapter.c:new_settings_callback() Settings: 0x0000029a
> > bluetoothd[237]: src/adapter.c:settings_changed() Changed settings: 0x00000008
> > bluetoothd[237]: src/adapter.c:settings_changed() Pending settings: 0x00000000
> > bluetoothd[237]: src/adapter.c:local_name_changed_callback() Name: TESTBENCH-V2
> > bluetoothd[237]: src/adapter.c:local_name_changed_callback() Short name:
> > bluetoothd[237]: src/adapter.c:local_name_changed_callback() Current
> > alias: TESTBENCH-V2
> > bluetoothd[237]: src/adapter.c:new_settings_callback() Settings: 0x0000069a
> > bluetoothd[237]: src/adapter.c:settings_changed() Changed settings: 0x00000400
> > bluetoothd[237]: src/adapter.c:settings_changed() Pending settings: 0x00000000
> > bluetoothd[237]: Failed to clear UUIDs: Busy (0x0a)
> > bluetoothd[237]: src/adapter.c:new_settings_callback() Settings: 0x0000069b
> > bluetoothd[237]: src/adapter.c:settings_changed() Changed settings: 0x00000001
> > bluetoothd[237]: src/adapter.c:settings_changed() Pending settings: 0x00000000
> > bluetoothd[237]: src/adapter.c:adapter_start() adapter /org/bluez/hci0
> > has been enabled
> > bluetoothd[237]: src/adapter.c:trigger_passive_scanning()
> > bluetoothd[237]: src/adapter.c:new_settings_callback() Settings: 0x000006db
> > bluetoothd[237]: src/adapter.c:settings_changed() Changed settings: 0x00000040
> > bluetoothd[237]: src/adapter.c:settings_changed() Pending settings: 0x00000000
> > bluetoothd[237]: src/adapter.c:new_settings_callback() Settings: 0x00000edb
> > bluetoothd[237]: src/adapter.c:settings_changed() Changed settings: 0x00000800
> > bluetoothd[237]: src/adapter.c:settings_changed() Pending settings: 0x00000000
> > bluetoothd[237]: Failed to set privacy: Rejected (0x0b)
> > bluetoothd[237]: src/adapter.c:load_link_keys_complete() link keys
> > loaded for hci0
> > bluetoothd[237]: src/adapter.c:load_ltks_complete() LTKs loaded for hci0
> > bluetoothd[237]: src/adapter.c:load_irks_complete() IRKs loaded for hci0
> > bluetoothd[237]: src/adapter.c:load_conn_params_complete() Connection
> > Parameters loaded for hci0
> > bluetoothd[237]: src/adapter.c:local_name_changed_callback() Name:
> > XXXXXX-HEADBAND-V2
> > bluetoothd[237]: src/adapter.c:local_name_changed_callback() Short name:
> > bluetoothd[237]: src/adapter.c:local_name_changed_callback() Current
> > alias: XXXXXXX-HEADBAND-V2
> >
> > # run btgatt client here...
> >
> > bluetoothd[237]: src/adapter.c:connected_callback() hci0 device
> > 80:32:53:37:58:A6 connected eir_len 0
> > bluetoothd[237]: src/device.c:device_create() dst 80:32:53:37:58:A6
> > bluetoothd[237]: src/device.c:device_new() address 80:32:53:37:58:A6
> > bluetoothd[237]: src/device.c:device_new() Creating device
> > /org/bluez/hci0/dev_80_32_53_37_58_A6
> > bluetoothd[237]: src/gatt-database.c:connect_cb() New incoming LE ATT connection
> > bluetoothd[237]: attrib/gattrib.c:g_attrib_ref() 0x4c56848: g_attrib_ref=1
> > bluetoothd[237]: src/device.c:load_gatt_db() Restoring
> > 80:32:53:37:58:A6 gatt database from file
> > bluetoothd[237]: No cache for 80:32:53:37:58:A6
> > bluetoothd[237]: src/gatt-client.c:btd_gatt_client_connected() Device connected.
> > bluetoothd[237]: src/device.c:gatt_debug() MTU exchange complete, with MTU: 256
> > bluetoothd[237]: src/device.c:gatt_debug() Read By Type - start:
> > 0x0001 end: 0xffff
> > bluetoothd[237]: src/device.c:gatt_debug() MTU Exchange failed. ATT ECODE: 0x06
> > bluetoothd[237]: src/device.c:gatt_debug() Read By Grp Type - start:
> > 0x0001 end: 0xffff
> > bluetoothd[237]: src/device.c:gatt_debug() Read By Type - start:
> > 0x0010 end: 0xffff
> > bluetoothd[237]: src/device.c:gatt_debug() Primary service discovery
> > failed. ATT ECODE: 0x06
> > bluetoothd[237]: src/device.c:gatt_debug() Failed to initialize gatt-client
> > bluetoothd[237]: src/device.c:gatt_client_ready_cb() status: failed, error: 6
> > bluetoothd[237]: src/device.c:device_svc_resolved()
> > /org/bluez/hci0/dev_80_32_53_37_58_A6 err -5
> > bluetoothd[237]: src/device.c:gatt_debug() Read By Grp Type - start:
> > 0x0010 end: 0xffff
> > bluetoothd[237]: src/device.c:gatt_debug() Read By Grp Type - start:
> > 0x0001 end: 0xffff
> > bluetoothd[237]: src/device.c:gatt_debug() Read By Type - start:
> > 0x0001 end: 0x000f
> > bluetoothd[237]: src/device.c:gatt_debug() Read By Type - start:
> > 0x0001 end: 0x000f
> > bluetoothd[237]: src/device.c:gatt_debug() Read By Type - start:
> > 0x000f end: 0x000f
> > bluetoothd[237]: src/device.c:gatt_debug() Read By Type - start:
> > 0x0001 end: 0xffff
> > bluetoothd[237]: src/gatt-database.c:db_hash_read_cb() Database Hash read
> > ==237== Invalid read of size 1
> > ==237==    at 0x4831BA4: memcpy (vg_replace_strmem.c:1035)
> > ==237==    by 0x79E1B: ??? (in /usr/bin/bluetoothd)
> > ==237==  Address 0x0 is not stack'd, malloc'd or (recently) free'd
>
> Looks like a NULL pointer, it would be great if you could provide the
> backtrace with source symbols though.
>
> > ==237==
> > ==237== Process terminating with default action of signal 11 (SIGSEGV)
> > ==237==  Access not within mapped region at address 0x0
> > ==237==    at 0x4831BA4: memcpy (vg_replace_strmem.c:1035)
> > ==237==    by 0x79E1B: ??? (in /usr/bin/bluetoothd)
> > ==237==  If you believe this happened as a result of a stack
> > ==237==  overflow in your program's main thread (unlikely but
> > ==237==  possible), you can try to increase the size of the
> > ==237==  main thread stack using the --main-stacksize= flag.
> > ==237==  The main thread stack size used in this run was 8388608.
> > /usr/bin/bluetoothd: can't resolve symbol '__libc_freeres'
> > ==237==
> > ==237== HEAP SUMMARY:
> > ==237==     in use at exit: 40,320 bytes in 860 blocks
> > ==237==   total heap usage: 4,297 allocs, 3,437 frees, 981,133 bytes allocated
> > ==237==
> > ==237== For a detailed leak analysis, rerun with: --leak-check=full
> > ==237==
> > ==237== For counts of detected and suppressed errors, rerun with: -v
> > ==237== ERROR SUMMARY: 57 errors from 3 contexts (suppressed: 0 from 0)
> > Segmentation fault
> >
> > From my host, I run this command to trigger the segmentation fault :
> > [arthur ] sudo ./btgatt-client -i hci0 -d cc:c0:79:ce:f9:56 -m 256
> > Connecting to device... Done
> > [GATT client]# Service Added - UUID:
> > 00001800-0000-1000-8000-00805f9b34fb start: 0x0001 end: 0x0005
> > [GATT client]# Service Added - UUID:
> > 00001801-0000-1000-8000-00805f9b34fb start: 0x0006 end: 0x000f
> > [GATT client]# GATT discovery procedures failed - error code: 0x00
> > [GATT client]# Device disconnected: Connection reset by peer
> > Shutting down...
> >
> > When I run the test with btgatt-client from 5.50 release, there is no issue.
> > Is it normal?

I've sent a fix about this; it is probably due to the lack of crypto
support in your system: the so-called Database Hash cannot be
generated.

-- 
Luiz Augusto von Dentz
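The valgrind trace above shows the server-side read handler for the Database Hash (`db_hash_read_cb()` followed by a `memcpy` from address 0x0), i.e. a hash buffer that was never filled because no AES-CMAC was available. The block below is an added illustration, not BlueZ code and not the fix referred to in the reply: a hypothetical minimal model of answering an ATT Read Request on the Database Hash characteristic (UUID 0x2B2A, 16-octet value) that refuses to copy from a NULL hash and returns an ATT Error Response (Unlikely Error, 0x0E) instead. The `gatt_server` struct, handle value 0x0010 and the sample hash bytes are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* ATT opcodes and error code from the Bluetooth Core spec (ATT PDU table). */
#define ATT_OP_ERROR_RSP    0x01
#define ATT_OP_READ_REQ     0x0A
#define ATT_OP_READ_RSP     0x0B
#define ATT_ECODE_UNLIKELY  0x0E   /* server-side failure, no better code */
#define DB_HASH_LEN         16     /* Database Hash value is AES-CMAC output */

/* Hypothetical server state: db_hash stays NULL when the platform has no
 * crypto support and the hash could never be computed. */
struct gatt_server {
    uint16_t db_hash_handle;
    const uint8_t *db_hash;     /* NULL if not generated */
};

/* Build the ATT PDU that answers a Read Request for the Database Hash.
 * Returns the PDU length written into out (capacity out_len), or 0 when
 * the handle is not ours or there is no room even for an Error Response.
 * The NULL check is the point: a memcpy(out + 1, NULL, 16) here is exactly
 * the invalid read of address 0x0 seen in the valgrind trace. */
size_t db_hash_read(const struct gatt_server *srv, uint16_t handle,
                    uint8_t *out, size_t out_len)
{
    if (handle != srv->db_hash_handle || out_len < 5)
        return 0;

    if (srv->db_hash == NULL || out_len < 1 + DB_HASH_LEN) {
        /* Error Response: opcode, request opcode, handle (LE), error code */
        out[0] = ATT_OP_ERROR_RSP;
        out[1] = ATT_OP_READ_REQ;
        out[2] = (uint8_t)(handle & 0xff);
        out[3] = (uint8_t)(handle >> 8);
        out[4] = ATT_ECODE_UNLIKELY;
        return 5;
    }

    out[0] = ATT_OP_READ_RSP;
    memcpy(out + 1, srv->db_hash, DB_HASH_LEN);
    return 1 + DB_HASH_LEN;
}

/* Client side: classify the reply to a Database Hash read.
 * Returns 1 and fills hash_out on a Read Response carrying 16 octets,
 * 0 on an Error Response to our Read Request, -1 on a malformed PDU. */
int db_hash_parse(const uint8_t *pdu, size_t len, uint8_t *hash_out)
{
    if (len == 1 + DB_HASH_LEN && pdu[0] == ATT_OP_READ_RSP) {
        memcpy(hash_out, pdu + 1, DB_HASH_LEN);
        return 1;
    }
    if (len == 5 && pdu[0] == ATT_OP_ERROR_RSP && pdu[1] == ATT_OP_READ_REQ)
        return 0;
    return -1;
}

int main(void)
{
    /* Constructed sample hash; a real one is AES-CMAC over the attribute table. */
    static const uint8_t sample_hash[DB_HASH_LEN] = {
        0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
        0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f };
    struct gatt_server with_crypto = { 0x0010, sample_hash };
    struct gatt_server no_crypto   = { 0x0010, NULL };
    uint8_t pdu[32], got[DB_HASH_LEN];
    size_t n;

    n = db_hash_read(&with_crypto, 0x0010, pdu, sizeof(pdu));
    printf("with crypto: %zu-byte PDU, parse=%d\n", n, db_hash_parse(pdu, n, got));

    n = db_hash_read(&no_crypto, 0x0010, pdu, sizeof(pdu));
    printf("no crypto:   %zu-byte PDU, parse=%d (ecode 0x%02x)\n",
           n, db_hash_parse(pdu, n, got), pdu[4]);
    return 0;
}
```

The client-side `db_hash_parse()` is there to show the other half of the exchange: a peer that cannot produce the hash should be answered with an Error Response it can recognise, rather than with a dropped connection, which is what the `Connection reset by peer` in the btgatt-client output amounts to.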
