From: Marcel Holtmann <marcel@holtmann.org>
To: David Mansfield <bluez@dm.cobite.com>
Cc: linux-bluetooth@vger.kernel.org
Subject: Re: bug in audio/pcm_bluetooth.c causing memory corruption
Date: Sun, 01 Feb 2009 17:59:44 +0100
Message-ID: <1233507584.4809.11.camel@californication>
In-Reply-To: <1233089481.32572.15.camel@gandalf.cobite.com>

Hi David,

> I've been debugging a problem using pulseaudio on top of an alsa
> bluetooth device for a week or so and I've found the cause of the
> problem (which manifests as a pulseaudio daemon segfault).
> 
> The bug is on line audio/pcm_bluetooth.c:802:
> 
> 
>         if (pfds[1].revents & (POLLERR | POLLHUP | POLLNVAL))
>                 io->state = SND_PCM_STATE_DISCONNECTED;
> 
>         revents[0] = (pfds[0].revents & ~POLLIN) | POLLOUT;
> -->here revents[1] = (pfds[1].revents & ~POLLIN);
> 
>         return 0;
> 
> The 'unsigned short *revents' argument is NOT an array of shorts, but in
> fact a pointer to a single short.  The assignment to revents[1] trashes
> memory.
> 
> My guess is that all the flags should be combined into revents[0] (or
> *revents, as that would be more semantically correct), but I'm not
> really sure what the exact fix should be.
> 
> See this post by Jaroslav Kysela on the method
> snd_pcm_poll_descriptors_revents, which ultimately ends up in the above
> code:
> 
> http://osdir.com/ml/linux.alsa.devel/2002-07/msg00258.html

This is a real problem, since Audacious seems to break if we are not
using revents[1]. So I have no clue what the right fix is here. The
problem seems to be more complex. It seems we need an ALSA expert to fix
this for us.

Regards

Marcel
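The defect in the quoted snippet is an out-of-bounds write: the ioplug `poll_revents` callback receives a pointer to one `unsigned short`, so `revents[1]` lands on whatever the caller keeps next to it. The C below is an added example, not BlueZ code and not a fix anyone in this thread accepted; it implements David's suggested approach of folding both descriptors' flags into the single output word, adds the `nfds` guard that the original lacks, and shows a canary-word check a reviewer can use to confirm a candidate fix writes only the caller's word. `struct ex_io`, `example_poll_revents`, `example_scenario` and the state constants are constructed stand-ins for the ALSA ioplug types.

```c
#include <poll.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed stand-in for the ioplug state the callback touches. */
enum { EX_STATE_RUNNING = 3, EX_STATE_DISCONNECTED = 8 };
struct ex_io { int state; };

/* Same two-descriptor layout as the quoted plugin code: pfds[0] is the
 * playback pacing fd, pfds[1] the stream socket.  'revents' is a pointer
 * to ONE unsigned short owned by the caller, so everything is folded
 * into *revents (David's suggestion; assumed here, not a confirmed fix). */
static int example_poll_revents(struct ex_io *io, const struct pollfd *pfds,
                                unsigned int nfds, unsigned short *revents)
{
    unsigned short out = 0;

    /* Guard the original never had: refuse to index pfds[1] unless the
     * caller really handed us two descriptors. */
    if (io == NULL || pfds == NULL || revents == NULL || nfds < 2)
        return -1;

    if (pfds[1].revents & (POLLERR | POLLHUP | POLLNVAL))
        io->state = EX_STATE_DISCONNECTED;

    out |= (unsigned short)((pfds[0].revents & ~POLLIN) | POLLOUT);
    out |= (unsigned short)(pfds[1].revents & ~POLLIN);

    *revents = out;          /* the only write through the out-pointer */
    return 0;
}

/* Drives the callback with constructed poll results and a canary word
 * placed right after the caller's revents slot.  Returns 1 if the canary
 * survived (only slot[0] was written), 0 if it was clobbered, -1 if the
 * callback rejected the call. */
static int example_scenario(short fd0_revents, short fd1_revents,
                            unsigned short *revents_out, int *state_out)
{
    struct ex_io io = { EX_STATE_RUNNING };
    struct pollfd pfds[2] = {
        { 0, POLLIN, fd0_revents },   /* constructed fd numbers/results */
        { 1, POLLIN, fd1_revents },
    };
    unsigned short slot[2] = { 0, 0xBEEF };   /* slot[1] is the canary */

    if (example_poll_revents(&io, pfds, 2, &slot[0]) != 0)
        return -1;

    *revents_out = slot[0];
    *state_out = io.state;
    return slot[1] == 0xBEEF;
}

int main(void)
{
    unsigned short r = 0;
    int state = 0;
    int ok = example_scenario(POLLIN, POLLHUP, &r, &state);

    printf("canary intact: %d, revents: 0x%04x, state: %d\n", ok, r, state);
    return ok == 1 ? 0 : 1;
}
```

The canary check is the useful part for a reviewer: a version that still writes `revents[1]` would overwrite `slot[1]` and the scenario would return 0, so any proposed fix can be exercised offline before it goes near a real PulseAudio client.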



Thread overview: 3+ messages
2009-01-27 20:51 bug in audio/pcm_bluetooth.c causing memory corruption David Mansfield
2009-02-01 16:59 ` Marcel Holtmann [this message]
2009-02-02 15:24   ` David Mansfield
