Re: Segmentation fault in bluetoothd with btgatt-client

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Hi Luiz,

I just test your fix! It is working perfectly \o/.

I will probably add a kind of watchdog to check that Bluetoothd is
always alive on my device to reset
it in case of failure just in case.

Is it possible that this crash happened when a mobile app tried to
connect to my embedded device?
Or is it possible that this issue impacts the cache service/charac
feature? I am not sure to fully
understand the perimeter of the issue.
We have a problem with the cache update for a few weeks. Basically the
problem is that mobile app is
doing request on bad characteristics after firmware update with new
characteristic available.
The problem was already present but very very rare. On my last
firmware update, it is more frequent.
It is like the mobile app is using the old UUID mapping. The issue
happened after Bluez update from 5.52
to 5.54. But we are not sure that the issue is related to Bluez. It
can also be related to the phone.
It is weird also because the issue happened only with Android and IOS
is just fine.

Thank you for your quick fix and reply!


Le mer. 3 juin 2020 à 23:06, Luiz Augusto von Dentz
<luiz.dentz@xxxxxxxxx> a écrit :
>
> Hi Arthur,
>
> On Wed, Jun 3, 2020 at 11:22 AM Arthur Lambert
> <lambertarthur22@xxxxxxxxx> wrote:
> >
> > Hi Luiz,
> > thanks for your reply!
> >
> > Sorry I am lazy and stupid. I know that your next question will be
> > around symbol...
> >
> > After removing the binary strip option and enable debug symbol :
> >
> > bluetoothd[246]: src/device.c:device_svc_resolved()
> > /org/bluez/hci0/dev_80_32_53_37_58_A6 err -5
> > bluetoothd[246]: src/device.c:gatt_debug() Read By Grp Type - start:
> > 0x00bb end: 0xffff
> > bluetoothd[246]: src/device.c:gatt_debug() Read By Grp Type - start:
> > 0x0001 end: 0xffff
> > bluetoothd[246]: src/device.c:gatt_debug() Read By Type - start:
> > 0x0001 end: 0x00ba
> > bluetoothd[246]: src/device.c:gatt_debug() Read By Type - start:
> > 0x0001 end: 0x00ba
> > bluetoothd[246]: src/device.c:gatt_debug() Read By Type - start:
> > 0x002a end: 0x00ba
> > bluetoothd[246]: src/device.c:gatt_debug() Read By Type - start:
> > 0x0053 end: 0x00ba
> > bluetoothd[246]: src/device.c:gatt_debug() Read By Type - start:
> > 0x007a end: 0x00ba
> > bluetoothd[246]: src/device.c:gatt_debug() Read By Type - start:
> > 0x00a3 end: 0x00ba
> > bluetoothd[246]: src/device.c:gatt_debug() Read By Type - start:
> > 0x00ba end: 0x00ba
> > bluetoothd[246]: src/device.c:gatt_debug() Read By Type - start:
> > 0x0001 end: 0xffff
> > bluetoothd[246]: src/gatt-database.c:db_hash_read_cb() Database Hash read
> > ==246== Invalid read of size 1
> > ==246==    at 0x4831BA4: memcpy (vg_replace_strmem.c:1035)
> > ==246==    by 0x87F3B: read_by_type_read_complete_cb (gatt-server.c:392)
> > ==246==    by 0x892AB: pending_read_result (gatt-db.c:145)
> > ==246==    by 0x8B2FB: gatt_db_attribute_read_result (gatt-db.c:1866)
> > ==246==    by 0x3AB0B: db_hash_read_cb (gatt-database.c:1156)
> > ==246==    by 0x8B1AB: gatt_db_attribute_read (gatt-db.c:1825)
> > ==246==    by 0x87DB7: process_read_by_type (gatt-server.c:482)
> > ==246==    by 0x8854F: read_by_type_cb (gatt-server.c:559)
> > ==246==    by 0x81727: handle_notify (att.c:966)
> > ==246==    by 0x81873: can_read_data (att.c:1057)
> > ==246==    by 0x8B91B: watch_callback (io-glib.c:170)
> > ==246==    by 0x488A413: g_main_context_dispatch (in
> > /usr/lib/libglib-2.0.so.0.5600.3)
> > ==246==  Address 0x0 is not stack'd, malloc'd or (recently) free'd
> > ==246==
> > ==246==
> > ==246== Process terminating with default action of signal 11 (SIGSEGV)
> > ==246==  Access not within mapped region at address 0x0
> > ==246==    at 0x4831BA4: memcpy (vg_replace_strmem.c:1035)
> > ==246==    by 0x87F3B: read_by_type_read_complete_cb (gatt-server.c:392)
> > ==246==    by 0x892AB: pending_read_result (gatt-db.c:145)
> > ==246==    by 0x8B2FB: gatt_db_attribute_read_result (gatt-db.c:1866)
> > ==246==    by 0x3AB0B: db_hash_read_cb (gatt-database.c:1156)
> > ==246==    by 0x8B1AB: gatt_db_attribute_read (gatt-db.c:1825)
> > ==246==    by 0x87DB7: process_read_by_type (gatt-server.c:482)
> > ==246==    by 0x8854F: read_by_type_cb (gatt-server.c:559)
> > ==246==    by 0x81727: handle_notify (att.c:966)
> > ==246==    by 0x81873: can_read_data (att.c:1057)
> > ==246==    by 0x8B91B: watch_callback (io-glib.c:170)
> > ==246==    by 0x488A413: g_main_context_dispatch (in
> > /usr/lib/libglib-2.0.so.0.5600.3)
> > ==246==  If you believe this happened as a result of a stack
> > ==246==  overflow in your program's main thread (unlikely but
> > ==246==  possible), you can try to increase the size of the
> > ==246==  main thread stack using the --main-stacksize= flag.
> > ==246==  The main thread stack size used in this run was 8388608.
> > /usr/bin/bluetoothd: can't resolve symbol '__libc_freeres'
> >
> > is it the crypto error that you expect?
> > Could you share a sha1 commit or a link to the patch to test the potential fix?
>
> Ive just pushed the fix:
>
> commit 41a5413023fa85bc711d461eb736a0624542df2d
> Author: Luiz Augusto von Dentz <luiz.von.dentz@xxxxxxxxx>
> Date:   Wed Jun 3 10:31:59 2020 -0700
>
>     gatt: Fix possible crash when unable to generate hash
>
>
> --
> Luiz Augusto von Dentz



-- 
- Arthur LAMBERT




[Index of Archives]     [Bluez Devel]     [Linux Wireless Networking]     [Linux Wireless Personal Area Networking]     [Linux ATH6KL]     [Linux USB Devel]     [Linux Media Drivers]     [Linux Audio Users]     [Linux Kernel]     [Linux SCSI]     [Big List of Linux Books]

  Powered by Linux