[Bug 215462] New: bluetoothd segfaults in libdbus-1.so.3.19.13

[bugzilla-daemon@bugzilla.kernel.org]

https://bugzilla.kernel.org/show_bug.cgi?id=215462

            Bug ID: 215462
           Summary: bluetoothd segfaults in libdbus-1.so.3.19.13
           Product: Drivers
           Version: 2.5
    Kernel Version: 5.16-rc8
          Hardware: All
                OS: Linux
              Tree: Mainline
            Status: NEW
          Severity: normal
          Priority: P1
         Component: Bluetooth
          Assignee: linux-bluetooth@vger.kernel.org
          Reporter: pmenzel+bugzilla.kernel.org@molgen.mpg.de
        Regression: No

Using Debian sid/unstable with Linux 5.16-rc8 from the suite *experimental*,
*bluez* 5.62-2 and *libdbus-1-3* 1.12.20-3, connecting to a Google Nest over
Bluetooth, bluetoothd crashed with a segmentation fault:

    [ 7793.540822] bluetoothd[7937]: segfault at 3 ip 00007f73196e3d28 sp
00007fffbd269280 error 4 in libdbus-1.so.3.19.13[7f73196be000+2f000]
    [ 7793.540835] Code: 08 4c 89 e9 44 89 e2 53 41 b9 6c 00 00 00 41 89 c0 48
89 ee bf 01 00 00 00 e8 e4 f9 ff ff 5a 59 e9 9f fe ff ff 0f 1f 44 00 00 <0f> b6
16 44 89 e6 e8 fd be fd ff 85 c0 0f 84 87 fe ff ff b8 01 00

```
(gdb) bt
#0  _dbus_marshal_write_basic (str=0x55992b2dc560, insert_at=213,
type=type@entry=121, value=value@entry=0x3, byte_order=108,
pos_after=pos_after@entry=0x7fffbd2693e0) at
../../../dbus/dbus-marshal-basic.c:814
#1  0x00007f73196cef9b in _dbus_type_writer_write_basic_no_typecode (value=0x3,
type=121, writer=0x7fffbd2693c0) at ../../../dbus/dbus-marshal-recursive.c:1605
#2  _dbus_type_writer_write_basic_no_typecode (value=0x3, type=121,
writer=0x7fffbd2693c0) at ../../../dbus/dbus-marshal-recursive.c:1600
#3  _dbus_type_writer_write_basic (writer=writer@entry=0x7fffbd2693c0,
type=type@entry=121, value=value@entry=0x3) at
../../../dbus/dbus-marshal-recursive.c:2327
#4  0x00007f73196d36b8 in dbus_message_iter_append_basic
(iter=iter@entry=0x7fffbd2693b0, type=type@entry=121, value=0x3) at
../../../dbus/dbus-message.c:2843
#5  0x0000559929aba78e in get_codec (property=<optimized out>,
iter=0x7fffbd2693b0, data=<optimized out>) at profiles/audio/a2dp.c:1970
#6  0x0000559929b54f86 in append_property (iface=iface@entry=0x55992b2fbdd0,
p=p@entry=0x559929bd6830 <sep_properties+48>, dict=dict@entry=0x7fffbd269430)
at gdbus/object.c:498
#7  0x0000559929b55632 in append_properties (data=data@entry=0x55992b2fbdd0,
iter=iter@entry=0x7fffbd2694b0) at gdbus/object.c:527
#8  0x0000559929b556bf in append_interface (data=0x55992b2fbdd0,
user_data=0x7fffbd269590) at gdbus/object.c:542
#9  0x00007f7319778938 in g_slist_foreach (list=<optimized out>,
func=func@entry=0x559929b55670 <append_interface>,
user_data=user_data@entry=0x7fffbd269590) at ../../../glib/gslist.c:885
#10 0x0000559929b557c9 in emit_interfaces_added (data=0x55992b31f310) at
gdbus/object.c:574
#11 process_changes (user_data=0x55992b31f310) at gdbus/object.c:996
#12 0x0000559929b56fb7 in g_dbus_flush (connection=0x55992b2d57d0) at
gdbus/object.c:1494
#13 g_dbus_send_message (message=0x55992b2fbe10, connection=0x55992b2d57d0) at
gdbus/object.c:1518
#14 g_dbus_send_message (connection=0x55992b2d57d0, message=0x55992b2fbe10) at
gdbus/object.c:1498
#15 0x0000559929b39d87 in device_profile_connected (err=-5,
profile=0x559929be0440 <a2dp_source_profile>, dev=0x55992b301360) at
src/device.c:1802
#16 service_state_changed (service=<optimized out>, old_state=<optimized out>,
new_state=<optimized out>, user_data=<optimized out>) at src/device.c:7002
#17 0x0000559929b2d072 in change_state (service=0x55992b306bd0,
state=BTD_SERVICE_STATE_DISCONNECTED, err=<optimized out>) at src/service.c:98
#18 0x0000559929ab91ef in discovery_complete (session=<optimized out>,
seps=<optimized out>, err=-5, user_data=0x55992b305b70) at
profiles/audio/source.c:237
#19 0x0000559929abdd87 in finalize_discover (s=0x55992b301250) at
profiles/audio/a2dp.c:403
#20 discover_cb (session=<optimized out>, seps=<optimized out>, err=<optimized
out>, user_data=0x55992b301250) at profiles/audio/a2dp.c:2842
#21 0x0000559929ac0ba7 in finalize_discovery (session=0x55992b311700, err=0) at
profiles/audio/avdtp.c:1087
#22 0x0000559929ac63e0 in avdtp_parse_resp (transaction=<optimized out>,
size=16, buf=0x55992b311773, signal_id=<optimized out>, stream=0x0,
session=0x55992b311700) at profiles/audio/avdtp.c:2957
#23 session_cb (data=0x55992b311700, cond=<optimized out>, chan=<optimized
out>) at profiles/audio/avdtp.c:2284
#24 session_cb (chan=<optimized out>, cond=<optimized out>,
data=0x55992b311700) at profiles/audio/avdtp.c:2208
#25 0x00007f7319758be4 in g_main_dispatch (context=0x55992b2d05b0) at
../../../glib/gmain.c:3381
#26 g_main_context_dispatch (context=0x55992b2d05b0) at
../../../glib/gmain.c:4099
#27 0x00007f7319758f88 in g_main_context_iterate (context=0x55992b2d05b0,
block=block@entry=1, dispatch=dispatch@entry=1, self=<optimized out>) at
../../../glib/gmain.c:4175
#28 0x00007f7319759273 in g_main_loop_run (loop=0x55992b2d1790) at
../../../glib/gmain.c:4373
#29 0x0000559929b6ccd5 in mainloop_run () at src/shared/mainloop-glib.c:66
#30 0x0000559929b6d12c in mainloop_run_with_signal
(func=func@entry=0x559929afe2c0 <signal_callback>,
user_data=user_data@entry=0x0) at src/shared/mainloop-notify.c:188
#31 0x0000559929ab142d in main (argc=<optimized out>, argv=<optimized out>) at
src/main.c:1210
```

It looks like it’s a problem in D-Bus, so I reported it to their issue tracker
as *Segfault in `_dbus_marshal_write_basic`* [1].

[1]: https://gitlab.freedesktop.org/dbus/dbus/-/issues/372

-- 
You may reply to this email to add a comment.

You are receiving this mail because:
You are the assignee for the bug.