* bluetoothd crasher
From: Bastien Nocera @ 2008-09-24 23:09 UTC (permalink / raw)
To: linux-bluetooth@vger.kernel.org
Heya,
The current bluetoothd crashes on resume from suspend. Here's the valgrind output:
==10147==
==10147== Invalid read of size 4
==10147== at 0x74B739: g_atomic_int_exchange_and_add (in /lib/libglib-2.0.so.0.1800.0)
==10147== by 0x769011: g_io_channel_unref (in /lib/libglib-2.0.so.0.1800.0)
==10147== by 0x969E: stop_security_manager (security.c:1022)
==10147== by 0x8A83: io_stack_event (main.c:567)
==10147== by 0x7A81CC: (within /lib/libglib-2.0.so.0.1800.0)
==10147== by 0x7711F7: g_main_context_dispatch (in /lib/libglib-2.0.so.0.1800.0)
==10147== by 0x7748A2: (within /lib/libglib-2.0.so.0.1800.0)
==10147== by 0x774DC1: g_main_loop_run (in /lib/libglib-2.0.so.0.1800.0)
==10147== by 0x9238: main (main.c:761)
==10147== Address 0x487bcc8 is 0 bytes inside a block of size 64 free'd
==10147== at 0x480590A: free (vg_replace_malloc.c:323)
==10147== by 0x779725: g_free (in /lib/libglib-2.0.so.0.1800.0)
==10147== by 0x7690BC: g_io_channel_unref (in /lib/libglib-2.0.so.0.1800.0)
==10147== by 0x770BBE: (within /lib/libglib-2.0.so.0.1800.0)
==10147== by 0x7712C0: g_main_context_dispatch (in /lib/libglib-2.0.so.0.1800.0)
==10147== by 0x7748A2: (within /lib/libglib-2.0.so.0.1800.0)
==10147== by 0x774DC1: g_main_loop_run (in /lib/libglib-2.0.so.0.1800.0)
==10147== by 0x9238: main (main.c:761)
==10147==
==10147== Invalid read of size 4
==10147== at 0x74B73B: g_atomic_int_exchange_and_add (in /lib/libglib-2.0.so.0.1800.0)
==10147== by 0x769011: g_io_channel_unref (in /lib/libglib-2.0.so.0.1800.0)
==10147== by 0x969E: stop_security_manager (security.c:1022)
==10147== by 0x8A83: io_stack_event (main.c:567)
==10147== by 0x7A81CC: (within /lib/libglib-2.0.so.0.1800.0)
==10147== by 0x7711F7: g_main_context_dispatch (in /lib/libglib-2.0.so.0.1800.0)
==10147== by 0x7748A2: (within /lib/libglib-2.0.so.0.1800.0)
==10147== by 0x774DC1: g_main_loop_run (in /lib/libglib-2.0.so.0.1800.0)
==10147== by 0x9238: main (main.c:761)
==10147== Address 0x487bcc8 is 0 bytes inside a block of size 64 free'd
==10147== at 0x480590A: free (vg_replace_malloc.c:323)
==10147== by 0x779725: g_free (in /lib/libglib-2.0.so.0.1800.0)
==10147== by 0x7690BC: g_io_channel_unref (in /lib/libglib-2.0.so.0.1800.0)
==10147== by 0x770BBE: (within /lib/libglib-2.0.so.0.1800.0)
==10147== by 0x7712C0: g_main_context_dispatch (in /lib/libglib-2.0.so.0.1800.0)
==10147== by 0x7748A2: (within /lib/libglib-2.0.so.0.1800.0)
==10147== by 0x774DC1: g_main_loop_run (in /lib/libglib-2.0.so.0.1800.0)
==10147== by 0x9238: main (main.c:761)
==10147==
==10147== Invalid write of size 4
==10147== at 0x74B740: g_atomic_int_exchange_and_add (in /lib/libglib-2.0.so.0.1800.0)
==10147== by 0x769011: g_io_channel_unref (in /lib/libglib-2.0.so.0.1800.0)
==10147== by 0x969E: stop_security_manager (security.c:1022)
==10147== by 0x8A83: io_stack_event (main.c:567)
==10147== by 0x7A81CC: (within /lib/libglib-2.0.so.0.1800.0)
==10147== by 0x7711F7: g_main_context_dispatch (in /lib/libglib-2.0.so.0.1800.0)
==10147== by 0x7748A2: (within /lib/libglib-2.0.so.0.1800.0)
==10147== by 0x774DC1: g_main_loop_run (in /lib/libglib-2.0.so.0.1800.0)
==10147== by 0x9238: main (main.c:761)
==10147== Address 0x487bcc8 is 0 bytes inside a block of size 64 free'd
==10147== at 0x480590A: free (vg_replace_malloc.c:323)
==10147== by 0x779725: g_free (in /lib/libglib-2.0.so.0.1800.0)
==10147== by 0x7690BC: g_io_channel_unref (in /lib/libglib-2.0.so.0.1800.0)
==10147== by 0x770BBE: (within /lib/libglib-2.0.so.0.1800.0)
==10147== by 0x7712C0: g_main_context_dispatch (in /lib/libglib-2.0.so.0.1800.0)
==10147== by 0x7748A2: (within /lib/libglib-2.0.so.0.1800.0)
==10147== by 0x774DC1: g_main_loop_run (in /lib/libglib-2.0.so.0.1800.0)
==10147== by 0x9238: main (main.c:761)
bluetoothd[10147]: HCI dev 0 unregistered
bluetoothd[10147]: Unregister path: /org/bluez/hci0
bluetoothd[10147]: HCI dev 0 registered
bluetoothd[10328]: Can't set link policy on hci0: Connection timed out (110)
bluetoothd[10147]: HCI dev 0 up
bluetoothd[10147]: Unable to start SCO server socket
Looks like a double-free on the event channel.
* Re: bluetoothd crasher
From: Bastien Nocera @ 2008-09-24 23:18 UTC (permalink / raw)
To: linux-bluetooth@vger.kernel.org
On Wed, 2008-09-24 at 16:09 -0700, Bastien Nocera wrote:
> Heya,
>
> The current bluetoothd crashes on resume from suspend. Here's the valgrind output:
And the crash itself:
#0 malloc_consolidate (av=<value optimized out>) at malloc.c:4841
#1 0x002e1b2d in _int_malloc (av=<value optimized out>, bytes=<value optimized out>) at malloc.c:4184
#2 0x002e368f in __libc_calloc (n=<value optimized out>, elem_size=<value optimized out>) at malloc.c:3901
#3 0x002d7a7d in open_memstream (bufloc=Could not find the frame base for "open_memstream".
) at memstream.c:86
#4 0x00350088 in __vsyslog_chk (pri=<value optimized out>, flag=<value optimized out>, fmt=<value optimized out>, ap=<value optimized out>) at ../misc/syslog.c:169
#5 0x003505d7 in __vsyslog (pri=Could not find the frame base for "__vsyslog".
) at ../misc/syslog.c:326
#6 0xb7ff5e68 in vinfo (format=0xb7ffcf75 "HCI dev %d unregistered", ap=0xbffff0b4 "") at logging.c:36
#7 0xb7ff5e3a in info (format=0xb7ffcf75 "HCI dev %d unregistered") at logging.c:45
#8 0xb7fdc1a9 in device_event (chan=0xb800a3d0, si=0xbffff10b) at main.c:544
#9 0xb7fdc0ed in io_stack_event (chan=0xb800a3d0, cond=G_IO_IN, data=0x0) at main.c:595
#10 0x001a524d in ?? () from /lib/libglib-2.0.so.0
#11 0x0016e218 in g_main_context_dispatch () from /lib/libglib-2.0.so.0
#12 0x001718c3 in ?? () from /lib/libglib-2.0.so.0
#13 0x00171de2 in g_main_loop_run () from /lib/libglib-2.0.so.0
#14 0xb7fdc7a4 in main (argc=1, argv=0xbffff7e4) at main.c:750
* Re: bluetoothd crasher
From: Bastien Nocera @ 2008-09-24 23:55 UTC (permalink / raw)
To: linux-bluetooth@vger.kernel.org
On Wed, 2008-09-24 at 16:18 -0700, Bastien Nocera wrote:
> On Wed, 2008-09-24 at 16:09 -0700, Bastien Nocera wrote:
> > Heya,
> >
> > The current bluetoothd crashes on resume from suspend. Here's the valgrind output:
Patch attached, thanks to Johan for helping out.
Cheers
[-- Attachment #2: bluez-bluetoothd-crasher.patch --]
diff --git a/src/security.c b/src/security.c
index fd2535f..6a9a5c4 100644
--- a/src/security.c
+++ b/src/security.c
@@ -46,6 +46,7 @@
#include <dbus/dbus.h>
+#include "hcid.h"
#include "logging.h"
#include "textfile.h"
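Review bot: the hunk does not say which symbol the new `#include "hcid.h"` supplies; from the rest of the patch it is presumably the declaration of stop_security_manager() or the io_data table that delete_channel() uses, and since the thread carries no commit message beyond "Patch attached", a one-line changelog note stating that would help the next reader.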
@@ -789,6 +790,27 @@ static inline void conn_request(int dev, bdaddr_t *sba, void *ptr)
write_remote_class(sba, &evt->bdaddr, class);
}
+static void delete_channel(GIOChannel *chan)
+{
+ gint i, found;
+
+ /* Look for the GIOChannel in the table */
+ found = -1;
+ for (i = 0; i < HCI_MAX_DEV; i++) {
+ if (io_data[i].channel == chan) {
+ found = i;
+ break;
+ }
+ }
+
+ if (found == -1) {
+ g_warning("IO channel not found in the io_data table");
+ return;
+ }
+
+ stop_security_manager(i);
+}
+
static gboolean io_security_event(GIOChannel *chan, GIOCondition cond, gpointer data)
{
unsigned char buf[HCI_MAX_EVENT_SIZE], *ptr = buf;
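Review bot: delete_channel() passes the loop index i to stop_security_manager() rather than found; the two are equal once a match is found, so found only acts as a sentinel and could be dropped in favour of testing `i == HCI_MAX_DEV` after the loop, or passed explicitly for clarity. More importantly, when the channel is not in io_data the function only warns and returns, whereas the code it replaces dropped the reference with g_io_channel_unref(chan); if that path is reachable the reference now leaks, so either unref it there or add a comment explaining why the table must always own the channel. Minor style point: the file already includes logging.h (and the backtrace shows the project's own info()/vinfo() helpers), so the project's logging call would be more consistent than g_warning().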
@@ -799,14 +821,14 @@ static gboolean io_security_event(GIOChannel *chan, GIOCondition cond, gpointer
GIOError err;
if (cond & (G_IO_NVAL | G_IO_HUP | G_IO_ERR)) {
- g_io_channel_unref(chan);
+ delete_channel(chan);
return FALSE;
}
if ((err = g_io_channel_read(chan, (gchar *) buf, sizeof(buf), &len))) {
if (err == G_IO_ERROR_AGAIN)
return TRUE;
- g_io_channel_unref(chan);
+ delete_channel(chan);
return FALSE;
}
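Review bot: both error paths now go through delete_channel(), which routes the release to stop_security_manager() and so fixes the double unref in the valgrind trace (the channel was unreffed here and again from stop_security_manager() at security.c:1022 via io_stack_event()); the callback still returns FALSE, so GLib removes the watch as well, and if stop_security_manager() also removes the same source id (not visible here) a short comment on which side owns the watch would make the redundancy intentional. In the unchanged context, g_io_channel_read() is a deprecated GLib call whose replacement is g_io_channel_read_chars(); worth a follow-up patch rather than this one.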
* Re: bluetoothd crasher
From: Marcel Holtmann @ 2008-09-25 0:13 UTC (permalink / raw)
To: Bastien Nocera; +Cc: linux-bluetooth@vger.kernel.org
Hi Bastien,
> > > The current bluetoothd crashes on resume from suspend. Here's the valgrind output:
>
> Patch attached, thanks to Johan for helping out.
A slightly modified patch has been applied. Thanks.
Regards
Marcel
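The ownership mistake the patch in this thread corrects, reduced to a stand-alone model: the I/O watch's error path and the security-manager teardown both release the same channel reference, and the fix routes the error path through the table's single owner. This is an added example in plain C with a mock channel type, not BlueZ or GLib code; MAX_DEV, stop_manager() and simulate() stand in for HCI_MAX_DEV, stop_security_manager() and the resume sequence from the logs.

```c
#include <stdlib.h>

#define MAX_DEV 4                              /* stands in for HCI_MAX_DEV */

struct channel { int refcount; int freed; };   /* stand-in for GIOChannel */
static struct channel *io_data[MAX_DEV];       /* per-device table (io_data[i].channel) */
static int double_unref_count;                 /* in real code: free() of freed memory */

/* Mock of g_io_channel_unref(): marks the object freed instead of freeing it,
 * so a second unref is counted rather than corrupting the heap. */
static void channel_unref(struct channel *c)
{
    if (c->freed) { double_unref_count++; return; }
    if (--c->refcount == 0) c->freed = 1;
}

/* Sole owner of the table's reference, like stop_security_manager(): releases
 * the channel and clears the slot so a later teardown finds nothing to drop. */
static void stop_manager(int dev)
{
    if (io_data[dev] == NULL) return;
    channel_unref(io_data[dev]);
    io_data[dev] = NULL;
}

/* Pre-patch watch error path: the watch drops the shared reference itself. */
static void watch_error_buggy(struct channel *chan) { channel_unref(chan); }

/* Patched error path (delete_channel): find the slot, let the owner release it. */
static void watch_error_fixed(struct channel *chan)
{
    int i;
    for (i = 0; i < MAX_DEV; i++)
        if (io_data[i] == chan) { stop_manager(i); return; }
}

/* Resume sequence: the watch errors out, then "HCI dev 0 unregistered" runs the
 * manager teardown. Returns how many unrefs hit an already-freed channel. */
static int simulate(int patched)
{
    struct channel *c = calloc(1, sizeof *c);
    double_unref_count = 0;
    c->refcount = 1;
    io_data[0] = c;
    if (patched) watch_error_fixed(c); else watch_error_buggy(c);
    stop_manager(0);                           /* second teardown, as io_stack_event() does */
    free(c);
    return double_unref_count;                 /* 1 before the patch, 0 after */
}
```

Under valgrind the real daemon reports the second release as an invalid read and write inside a freed 64-byte block; the mock makes the same event countable without heap corruption.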