https://bugzilla.kernel.org/show_bug.cgi?id=215462

            Bug ID: 215462
           Summary: bluetoothd segfaults in libdbus-1.so.3.19.13
           Product: Drivers
           Version: 2.5
    Kernel Version: 5.16-rc8
          Hardware: All
                OS: Linux
              Tree: Mainline
            Status: NEW
          Severity: normal
          Priority: P1
         Component: Bluetooth
          Assignee: linux-bluetooth@xxxxxxxxxxxxxxx
          Reporter: pmenzel+bugzilla.kernel.org@xxxxxxxxxxxxx
        Regression: No

Using Debian sid/unstable with Linux 5.16-rc8 from the suite *experimental*, *bluez* 5.62-2 and *libdbus-1-3* 1.12.20-3, when connecting to a Google Nest over Bluetooth, bluetoothd crashed with a segmentation fault:

    [ 7793.540822] bluetoothd[7937]: segfault at 3 ip 00007f73196e3d28 sp 00007fffbd269280 error 4 in libdbus-1.so.3.19.13[7f73196be000+2f000]
    [ 7793.540835] Code: 08 4c 89 e9 44 89 e2 53 41 b9 6c 00 00 00 41 89 c0 48 89 ee bf 01 00 00 00 e8 e4 f9 ff ff 5a 59 e9 9f fe ff ff 0f 1f 44 00 00 <0f> b6 16 44 89 e6 e8 fd be fd ff 85 c0 0f 84 87 fe ff ff b8 01 00

```
(gdb) bt
#0  _dbus_marshal_write_basic (str=0x55992b2dc560, insert_at=213, type=type@entry=121, value=value@entry=0x3, byte_order=108, pos_after=pos_after@entry=0x7fffbd2693e0) at ../../../dbus/dbus-marshal-basic.c:814
#1  0x00007f73196cef9b in _dbus_type_writer_write_basic_no_typecode (value=0x3, type=121, writer=0x7fffbd2693c0) at ../../../dbus/dbus-marshal-recursive.c:1605
#2  _dbus_type_writer_write_basic_no_typecode (value=0x3, type=121, writer=0x7fffbd2693c0) at ../../../dbus/dbus-marshal-recursive.c:1600
#3  _dbus_type_writer_write_basic (writer=writer@entry=0x7fffbd2693c0, type=type@entry=121, value=value@entry=0x3) at ../../../dbus/dbus-marshal-recursive.c:2327
#4  0x00007f73196d36b8 in dbus_message_iter_append_basic (iter=iter@entry=0x7fffbd2693b0, type=type@entry=121, value=0x3) at ../../../dbus/dbus-message.c:2843
#5  0x0000559929aba78e in get_codec (property=<optimized out>, iter=0x7fffbd2693b0, data=<optimized out>) at profiles/audio/a2dp.c:1970
#6  0x0000559929b54f86 in append_property (iface=iface@entry=0x55992b2fbdd0, p=p@entry=0x559929bd6830 <sep_properties+48>, dict=dict@entry=0x7fffbd269430) at gdbus/object.c:498
#7  0x0000559929b55632 in append_properties (data=data@entry=0x55992b2fbdd0, iter=iter@entry=0x7fffbd2694b0) at gdbus/object.c:527
#8  0x0000559929b556bf in append_interface (data=0x55992b2fbdd0, user_data=0x7fffbd269590) at gdbus/object.c:542
#9  0x00007f7319778938 in g_slist_foreach (list=<optimized out>, func=func@entry=0x559929b55670 <append_interface>, user_data=user_data@entry=0x7fffbd269590) at ../../../glib/gslist.c:885
#10 0x0000559929b557c9 in emit_interfaces_added (data=0x55992b31f310) at gdbus/object.c:574
#11 process_changes (user_data=0x55992b31f310) at gdbus/object.c:996
#12 0x0000559929b56fb7 in g_dbus_flush (connection=0x55992b2d57d0) at gdbus/object.c:1494
#13 g_dbus_send_message (message=0x55992b2fbe10, connection=0x55992b2d57d0) at gdbus/object.c:1518
#14 g_dbus_send_message (connection=0x55992b2d57d0, message=0x55992b2fbe10) at gdbus/object.c:1498
#15 0x0000559929b39d87 in device_profile_connected (err=-5, profile=0x559929be0440 <a2dp_source_profile>, dev=0x55992b301360) at src/device.c:1802
#16 service_state_changed (service=<optimized out>, old_state=<optimized out>, new_state=<optimized out>, user_data=<optimized out>) at src/device.c:7002
#17 0x0000559929b2d072 in change_state (service=0x55992b306bd0, state=BTD_SERVICE_STATE_DISCONNECTED, err=<optimized out>) at src/service.c:98
#18 0x0000559929ab91ef in discovery_complete (session=<optimized out>, seps=<optimized out>, err=-5, user_data=0x55992b305b70) at profiles/audio/source.c:237
#19 0x0000559929abdd87 in finalize_discover (s=0x55992b301250) at profiles/audio/a2dp.c:403
#20 discover_cb (session=<optimized out>, seps=<optimized out>, err=<optimized out>, user_data=0x55992b301250) at profiles/audio/a2dp.c:2842
#21 0x0000559929ac0ba7 in finalize_discovery (session=0x55992b311700, err=0) at profiles/audio/avdtp.c:1087
#22 0x0000559929ac63e0 in avdtp_parse_resp (transaction=<optimized out>, size=16, buf=0x55992b311773, signal_id=<optimized out>, stream=0x0, session=0x55992b311700) at profiles/audio/avdtp.c:2957
#23 session_cb (data=0x55992b311700, cond=<optimized out>, chan=<optimized out>) at profiles/audio/avdtp.c:2284
#24 session_cb (chan=<optimized out>, cond=<optimized out>, data=0x55992b311700) at profiles/audio/avdtp.c:2208
#25 0x00007f7319758be4 in g_main_dispatch (context=0x55992b2d05b0) at ../../../glib/gmain.c:3381
#26 g_main_context_dispatch (context=0x55992b2d05b0) at ../../../glib/gmain.c:4099
#27 0x00007f7319758f88 in g_main_context_iterate (context=0x55992b2d05b0, block=block@entry=1, dispatch=dispatch@entry=1, self=<optimized out>) at ../../../glib/gmain.c:4175
#28 0x00007f7319759273 in g_main_loop_run (loop=0x55992b2d1790) at ../../../glib/gmain.c:4373
#29 0x0000559929b6ccd5 in mainloop_run () at src/shared/mainloop-glib.c:66
#30 0x0000559929b6d12c in mainloop_run_with_signal (func=func@entry=0x559929afe2c0 <signal_callback>, user_data=user_data@entry=0x0) at src/shared/mainloop-notify.c:188
#31 0x0000559929ab142d in main (argc=<optimized out>, argv=<optimized out>) at src/main.c:1210
```

It looks like it’s a problem in D-Bus, so I reported it to their issue tracker as *Segfault in `_dbus_marshal_write_basic`* [1].

[1]: https://gitlab.freedesktop.org/dbus/dbus/-/issues/372

-- 
You may reply to this email to add a comment.

You are receiving this mail because:
You are the assignee for the bug.
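The kernel's `segfault at ... error ... in obj[start+len]` line already carries most of what is needed to triage a crash like this one before a debugger is attached: the fault address (here 3, which is also the `value=0x3` pointer argument in frame #0, so the marshaller read through a bogus pointer; the marked instruction `<0f> b6 16` is `movzbl (%rsi),%edx`), the x86 page-fault error code (4 = user-mode read of a page that is not present), and the executable mapping the instruction pointer fell in. The decoder below is an added example written for this page, not code from the bug report, the kernel, bluez or dbus; it parses exactly that line format (as printed by `show_signal_msg()` in arch/x86/mm/fault.c, with the `print_vma_addr()` suffix), decodes the error-code bits, and computes the offset of `ip` inside the reported mapping. The sample line is the one quoted in the report; the `vma_file_offset` parameter is a hypothetical helper argument, see the note after the code.

```python
"""Decode an x86 'segfault at ...' line from the kernel log."""
import re

# Taken from the dmesg output quoted in the bug report above (not constructed).
REPORT_LINE = (
    "[ 7793.540822] bluetoothd[7937]: segfault at 3 ip 00007f73196e3d28 "
    "sp 00007fffbd269280 error 4 in libdbus-1.so.3.19.13[7f73196be000+2f000]"
)

# Format printed by show_signal_msg() in arch/x86/mm/fault.c, followed by the
# "<object>[<vma_start>+<vma_len>]" suffix from print_vma_addr(). Every number,
# the error code included, is printed in hexadecimal.
SEGFAULT_RE = re.compile(
    r"(?P<comm>[^\s\[]+)\[(?P<pid>\d+)\]: segfault at (?P<addr>[0-9a-f]+)"
    r" ip (?P<ip>[0-9a-f]+) sp (?P<sp>[0-9a-f]+) error (?P<err>[0-9a-f]+)"
    r" in (?P<obj>[^\s\[]+)\[(?P<start>[0-9a-f]+)\+(?P<len>[0-9a-f]+)\]"
)

# Page-fault error code bits (arch/x86/include/asm/trap_pf.h).
X86_PF_PROT, X86_PF_WRITE, X86_PF_USER, X86_PF_RSVD, X86_PF_INSTR = 1, 2, 4, 8, 16


def decode_error_code(err):
    """Return the human-readable meaning of the page-fault error code bits."""
    return {
        "cause": "protection violation" if err & X86_PF_PROT else "page not present",
        "access": ("instruction fetch" if err & X86_PF_INSTR
                   else "write" if err & X86_PF_WRITE else "read"),
        "mode": "user" if err & X86_PF_USER else "kernel",
        "reserved_bit": bool(err & X86_PF_RSVD),
    }


def parse_segfault(line, vma_file_offset=0):
    """Parse one segfault line; return None if the line is not one.

    vma_file_offset (hypothetical parameter for this example) is the file
    offset of the faulting mapping as listed in /proc/<pid>/maps. The kernel
    prints the start of the *executable* mapping, which for a modern shared
    object does not begin at file offset 0, so it has to be added back before
    the offset is handed to addr2line.
    """
    m = SEGFAULT_RE.search(line)
    if m is None:
        return None
    fault_addr = int(m["addr"], 16)
    ip = int(m["ip"], 16)
    start = int(m["start"], 16)
    length = int(m["len"], 16)
    info = {
        "comm": m["comm"],
        "pid": int(m["pid"]),
        "fault_addr": fault_addr,
        "ip": ip,
        "sp": int(m["sp"], 16),
        "object": m["obj"],
        # ip lies inside the reported mapping only if the faulting code is
        # really in that object (it is not, e.g., for a jump to a wild address)
        "ip_in_mapping": start <= ip < start + length,
        # offset to feed to addr2line / objdump once the file offset is known
        "file_offset": (ip - start) + vma_file_offset,
        # the first page is never mapped in user space, so a tiny fault
        # address means a NULL-or-small-integer pointer was dereferenced
        "null_page_deref": fault_addr < 4096,
    }
    info.update(decode_error_code(int(m["err"], 16)))
    return info


def summarize(line, vma_file_offset=0):
    """One-line triage summary of a segfault line."""
    info = parse_segfault(line, vma_file_offset)
    if info is None:
        return "not a segfault line"
    extra = ", null-page dereference" if info["null_page_deref"] else ""
    return ("{comm}[{pid}]: {mode}-mode {access} of {fault_addr:#x} "
            "({cause}{extra}) at {object}+{file_offset:#x}").format(extra=extra, **info)


if __name__ == "__main__":
    print(summarize(REPORT_LINE))
```

For the line in this report the summary reads `bluetoothd[7937]: user-mode read of 0x3 (page not present, null-page dereference) at libdbus-1.so.3.19.13+0x25d28`. That `0x25d28` is relative to the start of the mapping the kernel printed, not to the ELF load base; on a distribution build the text segment of the `.so` is its own mapping with a non-zero file offset, so take that offset from the matching `/proc/<pid>/maps` line (or the core file) and add it before running `addr2line -e /usr/lib/x86_64-linux-gnu/libdbus-1.so.3.19.13 <addr>` against the debug symbols, otherwise the symbolised location will be wrong by exactly that amount.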