* Null dereference in profiles/audio/avrcp.c
@ 2021-10-05  8:53 Thomas Eriksson
From: Thomas Eriksson @ 2021-10-05  8:53 UTC (permalink / raw)
  To: linux-bluetooth

Hi,

When trying to pair my "3M Peltor WS Alert XPI" headset with BlueZ I
get a null dereference in profiles/audio/avrcp.c.

The following small patch avoids the problem:

diff --git a/profiles/audio/avrcp.c b/profiles/audio/avrcp.c
index 7c280203c..6064ab40b 100644
--- a/profiles/audio/avrcp.c
+++ b/profiles/audio/avrcp.c
@@ -3740,10 +3740,13 @@ static void avrcp_status_changed(struct avrcp *session,
                                                struct avrcp_header *pdu)
 {
        struct avrcp_player *player = session->controller->player;
-       struct media_player *mp = player->user_data;
+       struct media_player *mp = NULL;
        uint8_t value;
        const char *curval, *strval;

+       if (player == NULL)
+               return;
+       mp = player->user_data;
        value = pdu->params[1];

        curval = media_player_get_status(mp);
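Review bot: the new `if (player == NULL)` guard sits one line after `session->controller->player` has already been dereferenced, so a session whose controller is absent still faults before the check runs; testing both in the form this file already uses elsewhere, `if (!session->controller || !session->controller->player)`, covers both cases. The silent `return` also drops the status-change PDU with no log line, which hides the real question of why a player-specific notification arrives when no player was registered; a debug or warning message at the early return would make the next report easier to diagnose.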



Below is the backtrace from GDB:

GNU gdb (Debian 10.1-2) 10.1.90.20210103-git
Copyright (C) 2021 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Type "show copying" and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<https://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
    <http://www.gnu.org/software/gdb/documentation/>.

For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from /usr/local/libexec/bluetooth/bluetoothd...
(gdb) run
Starting program: /usr/local/libexec/bluetooth/bluetoothd
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".



Program received signal SIGSEGV, Segmentation fault.
0x0000555555594f14 in avrcp_status_changed (pdu=0x5555556d1b36,
pdu=0x5555556d1b36, session=0x5555556a9800) at
profiles/audio/avrcp.c:3743
3743 struct media_player *mp = player->user_data;
(gdb)
(gdb)
(gdb) bt
#0  0x0000555555594f14 in avrcp_status_changed (pdu=0x5555556d1b36,
pdu=0x5555556d1b36, session=0x5555556a9800) at
profiles/audio/avrcp.c:3743
#1  avrcp_handle_event (conn=0x5555556c98e0, code=15 '\017',
subunit=<optimized out>, transaction=<optimized out>,
operands=0x5555556d1b36 "", operand_count=9, user_data=0x5555556a9800)
    at profiles/audio/avrcp.c:3884
#2  0x000055555558f3c7 in control_response (operand_count=9,
operands=0x5555556d1b36 "", avc=<optimized out>, avctp=<optimized
out>, control=<optimized out>) at profiles/audio/avctp.c:938
#3  session_cb (chan=<optimized out>, cond=<optimized out>,
data=<optimized out>) at profiles/audio/avctp.c:1107
#4  0x00007ffff7ebdc0f in g_main_context_dispatch () from
/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0
#5  0x00007ffff7ebdfb8 in ?? () from /usr/lib/x86_64-linux-gnu/libglib-2.0.so.0
#6  0x00007ffff7ebe2ab in g_main_loop_run () from
/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0
#7  0x0000555555617415 in mainloop_run () at src/shared/mainloop-glib.c:66
#8  0x00005555556177f2 in mainloop_run_with_signal
(func=func@entry=0x5555555af8d0 <signal_callback>,
user_data=user_data@entry=0x0) at src/shared/mainloop-notify.c:188
#9  0x0000555555577147 in main (argc=<optimized out>, argv=<optimized
out>) at src/main.c:1210


Best regards
/Thomas Eriksson


* Re: Null dereference in profiles/audio/avrcp.c
  2021-10-05  8:53 Null dereference in profiles/audio/avrcp.c Thomas Eriksson
@ 2021-10-05 18:37 ` Luiz Augusto von Dentz
From: Luiz Augusto von Dentz @ 2021-10-05 18:37 UTC (permalink / raw)
  To: Thomas Eriksson; +Cc: linux-bluetooth

Hi Thomas,

On Tue, Oct 5, 2021 at 1:55 AM Thomas Eriksson
<thomas.eriksson@gmail.com> wrote:
>
> Hi,
>
> When trying to pair my "3M Peltor WS Alert XPI" headset with BlueZ I
> get a null dereference in profiles/audio/avrcp.c.
>
> The following small patch avoids the problem:
>
> diff --git a/profiles/audio/avrcp.c b/profiles/audio/avrcp.c
> index 7c280203c..6064ab40b 100644
> --- a/profiles/audio/avrcp.c
> +++ b/profiles/audio/avrcp.c
> @@ -3740,10 +3740,13 @@ static void avrcp_status_changed(struct avrcp *session,
>                                                 struct avrcp_header *pdu)
>  {
>         struct avrcp_player *player = session->controller->player;
> -       struct media_player *mp = player->user_data;
> +       struct media_player *mp = NULL;
>         uint8_t value;
>         const char *curval, *strval;
>
> +       if (player == NULL)
> +               return;
> +       mp = player->user_data;
>         value = pdu->params[1];
>
>         curval = media_player_get_status(mp);
>

What version are you using? This should not be reproducible with:

commit cc235a8d528b36cad2cf9fe6517d54711613331a
Author: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Date:   Fri Apr 1 11:07:15 2016 +0300

    audio/avrcp: Fix registering to player events

    If the controller does not have a player, skip registering to events which
    require a player.

diff --git a/profiles/audio/avrcp.c b/profiles/audio/avrcp.c
index 0c6279a20..37bc29137 100644
--- a/profiles/audio/avrcp.c
+++ b/profiles/audio/avrcp.c
@@ -3647,8 +3647,9 @@ static gboolean
avrcp_get_capabilities_resp(struct avctp *conn,
                case AVRCP_EVENT_ADDRESSED_PLAYER_CHANGED:
                case AVRCP_EVENT_UIDS_CHANGED:
                case AVRCP_EVENT_AVAILABLE_PLAYERS_CHANGED:
-                       /* These events above are controller specific */
-                       if (!session->controller)
+                       /* These events above requires a player */
+                       if (!session->controller ||
+                                               !session->controller->player)
                                break;
                case AVRCP_EVENT_VOLUME_CHANGED:
                        avrcp_register_notification(session, event);
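Review bot: this guard only stops bluetoothd from calling `avrcp_register_notification()` for the player-specific events when `session->controller->player` is NULL; it does not make the receive side tolerate a notification the remote sends anyway, and the backtrace in the original report shows `avrcp_status_changed` (frame #0, avrcp.c:3743) reached through `avrcp_handle_event` with no player, so the event handler still needs its own NULL check regardless of what was registered. Two nits on the hunk: the comment reads "These events above requires a player" (should be "require"), and because the `break` is inside the `if`, control intentionally falls through into `case AVRCP_EVENT_VOLUME_CHANGED:` when a player is present; a `/* fall through */` marker would make that explicit to readers and to -Wimplicit-fallthrough.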




-- 
Luiz Augusto von Dentz


* Re: Null dereference in profiles/audio/avrcp.c
  2021-10-05 18:37 ` Luiz Augusto von Dentz
@ 2021-10-06  6:38   ` Thomas Eriksson
From: Thomas Eriksson @ 2021-10-06  6:38 UTC (permalink / raw)
  To: Luiz Augusto von Dentz; +Cc: linux-bluetooth

On Tue, 5 Oct 2021 at 20:37, Luiz Augusto von Dentz
<luiz.dentz@gmail.com> wrote:
>
> Hi Thomas,

Hi Luiz,

>
> On Tue, Oct 5, 2021 at 1:55 AM Thomas Eriksson
> <thomas.eriksson@gmail.com> wrote:
> >
> > Hi,
> >
> > When trying to pair my "3M Peltor WS Alert XPI" headset with BlueZ I
> > get a null dereference in profiles/audio/avrcp.c.
> >
> > The following small patch avoids the problem:
> >
> > diff --git a/profiles/audio/avrcp.c b/profiles/audio/avrcp.c
> > index 7c280203c..6064ab40b 100644
> > --- a/profiles/audio/avrcp.c
> > +++ b/profiles/audio/avrcp.c
> > @@ -3740,10 +3740,13 @@ static void avrcp_status_changed(struct avrcp *session,
> >                                                 struct avrcp_header *pdu)
> >  {
> >         struct avrcp_player *player = session->controller->player;
> > -       struct media_player *mp = player->user_data;
> > +       struct media_player *mp = NULL;
> >         uint8_t value;
> >         const char *curval, *strval;
> >
> > +       if (player == NULL)
> > +               return;
> > +       mp = player->user_data;
> >         value = pdu->params[1];
> >
> >         curval = media_player_get_status(mp);
> >
>
> What version are you using? This should not be reproducible with:
>
> commit cc235a8d528b36cad2cf9fe6517d54711613331a
> Author: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
> Date:   Fri Apr 1 11:07:15 2016 +0300
>
>     audio/avrcp: Fix registering to player events
>
>     If the controller does not have a player, skip registering to events which
>     require a player.
>
> diff --git a/profiles/audio/avrcp.c b/profiles/audio/avrcp.c
> index 0c6279a20..37bc29137 100644
> --- a/profiles/audio/avrcp.c
> +++ b/profiles/audio/avrcp.c
> @@ -3647,8 +3647,9 @@ static gboolean
> avrcp_get_capabilities_resp(struct avctp *conn,
>                 case AVRCP_EVENT_ADDRESSED_PLAYER_CHANGED:
>                 case AVRCP_EVENT_UIDS_CHANGED:
>                 case AVRCP_EVENT_AVAILABLE_PLAYERS_CHANGED:
> -                       /* These events above are controller specific */
> -                       if (!session->controller)
> +                       /* These events above requires a player */
> +                       if (!session->controller ||
> +                                               !session->controller->player)
>                                 break;
>                 case AVRCP_EVENT_VOLUME_CHANGED:
>                         avrcp_register_notification(session, event);
>

The crash was present yesterday on
bb12ef4a9f71550ba84033f565a27773d893d8bf (master).




* Re: Null dereference in profiles/audio/avrcp.c
  2021-10-06  6:38   ` Thomas Eriksson
@ 2021-10-06  6:53     ` Luiz Augusto von Dentz
From: Luiz Augusto von Dentz @ 2021-10-06  6:53 UTC (permalink / raw)
  To: Thomas Eriksson; +Cc: linux-bluetooth

Hi Thomas,

On Tue, Oct 5, 2021 at 11:38 PM Thomas Eriksson
<thomas.eriksson@gmail.com> wrote:
>
> On Tue, 5 Oct 2021 at 20:37, Luiz Augusto von Dentz
> <luiz.dentz@gmail.com> wrote:
> >
> > Hi Thomas,
>
> Hi Luiz,
>
> >
> > On Tue, Oct 5, 2021 at 1:55 AM Thomas Eriksson
> > <thomas.eriksson@gmail.com> wrote:
> > >
> > > Hi,
> > >
> > > When trying to pair my "3M Peltor WS Alert XPI" headset with BlueZ I
> > > get a null dereference in profiles/audio/avrcp.c.
> > >
> > > The following small patch avoids the problem:
> > >
> > > diff --git a/profiles/audio/avrcp.c b/profiles/audio/avrcp.c
> > > index 7c280203c..6064ab40b 100644
> > > --- a/profiles/audio/avrcp.c
> > > +++ b/profiles/audio/avrcp.c
> > > @@ -3740,10 +3740,13 @@ static void avrcp_status_changed(struct avrcp *session,
> > >                                                 struct avrcp_header *pdu)
> > >  {
> > >         struct avrcp_player *player = session->controller->player;
> > > -       struct media_player *mp = player->user_data;
> > > +       struct media_player *mp = NULL;
> > >         uint8_t value;
> > >         const char *curval, *strval;
> > >
> > > +       if (player == NULL)
> > > +               return;
> > > +       mp = player->user_data;
> > >         value = pdu->params[1];
> > >
> > >         curval = media_player_get_status(mp);
> > >
> >
> > What version are you using? This should not be reproducible with:
> >
> > commit cc235a8d528b36cad2cf9fe6517d54711613331a
> > Author: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
> > Date:   Fri Apr 1 11:07:15 2016 +0300
> >
> >     audio/avrcp: Fix registering to player events
> >
> >     If the controller does not have a player, skip registering to events which
> >     require a player.
> >
> > diff --git a/profiles/audio/avrcp.c b/profiles/audio/avrcp.c
> > index 0c6279a20..37bc29137 100644
> > --- a/profiles/audio/avrcp.c
> > +++ b/profiles/audio/avrcp.c
> > @@ -3647,8 +3647,9 @@ static gboolean
> > avrcp_get_capabilities_resp(struct avctp *conn,
> >                 case AVRCP_EVENT_ADDRESSED_PLAYER_CHANGED:
> >                 case AVRCP_EVENT_UIDS_CHANGED:
> >                 case AVRCP_EVENT_AVAILABLE_PLAYERS_CHANGED:
> > -                       /* These events above are controller specific */
> > -                       if (!session->controller)
> > +                       /* These events above requires a player */
> > +                       if (!session->controller ||
> > +                                               !session->controller->player)
> >                                 break;
> >                 case AVRCP_EVENT_VOLUME_CHANGED:
> >                         avrcp_register_notification(session, event);
> >
>
> The crash was present yesterday on
> bb12ef4a9f71550ba84033f565a27773d893d8bf (master).

Can you attach the HCI trace? I wonder if the headset is sending a
notification without a registration then.




-- 
Luiz Augusto von Dentz
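One way to model the question raised in this reply (a notification arriving for an event that was never registered, on a session with no player), as an added example that is not BlueZ's code: the struct layouts, the `registered_events` bitmask and the `handle_result` codes are assumptions made for the example, and only the field names that appear in the thread are kept. It places the shape of the crashing line beside a receive path that checks registration and every pointer before touching the player.

```c
/* Added example, not BlueZ code: a minimal model of the AVRCP notification path
 * discussed in this thread.  Struct layouts, the registered_events bitmask and the
 * result codes are assumptions; only field names seen in the thread are kept. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define AVRCP_EVENT_STATUS_CHANGED  0x01	/* event ids from the AVRCP spec */
#define AVRCP_EVENT_VOLUME_CHANGED  0x0d
#define AVRCP_EVENT_LAST            0x0d

struct media_player { char status[16]; };
struct avrcp_player { struct media_player *user_data; };
struct avrcp_controller {
	struct avrcp_player *player;
	uint16_t registered_events;	/* assumed: bit N set once event N was registered */
};
struct avrcp { struct avrcp_controller *controller; };
/* params[0] = event id, params[1] = new value (the thread's pdu->params[1]) */
struct avrcp_header { uint8_t params[8]; };

enum handle_result { HANDLED, DROP_BAD_EVENT, DROP_NO_CONTROLLER, DROP_NOT_REGISTERED, DROP_NO_PLAYER };

/* Registration side, as in the thread's 2016 commit: no player, no player event. */
static bool avrcp_register_notification(struct avrcp *session, uint8_t event)
{
	if (event == 0 || event > AVRCP_EVENT_LAST || !session->controller)
		return false;
	if (event != AVRCP_EVENT_VOLUME_CHANGED && !session->controller->player)
		return false;
	session->controller->registered_events |= (uint16_t)(1u << event);
	return true;
}

/* Shape of the crashing code at avrcp.c:3743: nothing checks player before
 * player->user_data is read, so a NULL player faults.  Kept only for contrast. */
static const char *status_changed_unchecked(struct avrcp *session)
{
	struct avrcp_player *player = session->controller->player;
	struct media_player *mp = player->user_data;	/* faults when player == NULL */
	return mp->status;
}

/* Hardened receive path: validate the event id, confirm we actually registered
 * for it, and check every pointer on the way before touching the player. */
static enum handle_result avrcp_handle_event(struct avrcp *session,
						const struct avrcp_header *pdu)
{
	uint8_t event = pdu->params[0], value = pdu->params[1];
	struct avrcp_player *player;
	struct media_player *mp;

	if (event == 0 || event > AVRCP_EVENT_LAST)
		return DROP_BAD_EVENT;		/* also keeps the shift below in range */
	if (!session->controller)
		return DROP_NO_CONTROLLER;
	if (!(session->controller->registered_events & (1u << event)))
		return DROP_NOT_REGISTERED;	/* unsolicited: the case raised in the thread */
	player = session->controller->player;
	if (!player || !player->user_data)
		return DROP_NO_PLAYER;
	mp = player->user_data;
	if (event == AVRCP_EVENT_STATUS_CHANGED)	/* 0x01 = PLAYING in the spec */
		snprintf(mp->status, sizeof(mp->status), "%s",
			 value == 0x01 ? "playing" : "stopped");
	return HANDLED;
}

static struct media_player g_mp;	/* constructed player for the scenario below */

/* Runs the receive path against a constructed session; with_player == false is the
 * reporter's situation (controller present, no player, status notification arrives). */
static enum handle_result run_scenario(bool with_player)
{
	struct avrcp_player player = { .user_data = &g_mp };
	struct avrcp_controller ctl = { .player = with_player ? &player : NULL };
	struct avrcp session = { .controller = &ctl };
	struct avrcp_header pdu = { .params = { AVRCP_EVENT_STATUS_CHANGED, 0x01 } };
	enum handle_result res;

	/* Without a player the registration is refused, so the notification that
	 * arrives anyway is dropped instead of dereferenced. */
	avrcp_register_notification(&session, AVRCP_EVENT_STATUS_CHANGED);
	res = avrcp_handle_event(&session, &pdu);
	if (with_player)	/* safe here only because player is non-NULL */
		printf("unchecked path reads: %s\n", status_changed_unchecked(&session));
	return res;
}
```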


* Re: Null dereference in profiles/audio/avrcp.c
  2021-10-06  6:53     ` Luiz Augusto von Dentz
@ 2021-10-06  8:52       ` Thomas Eriksson
From: Thomas Eriksson @ 2021-10-06  8:52 UTC (permalink / raw)
  To: Luiz Augusto von Dentz; +Cc: linux-bluetooth


On Wed, 6 Oct 2021 at 08:53, Luiz Augusto von Dentz
<luiz.dentz@gmail.com> wrote:
>
> Hi Thomas,
>
Hi Luiz,

> On Tue, Oct 5, 2021 at 11:38 PM Thomas Eriksson
> <thomas.eriksson@gmail.com> wrote:
> >
> > On Tue, 5 Oct 2021 at 20:37, Luiz Augusto von Dentz
> > <luiz.dentz@gmail.com> wrote:
> > >
> > > Hi Thomas,
> >
> > Hi Luiz,
> >
> > >
> > > On Tue, Oct 5, 2021 at 1:55 AM Thomas Eriksson
> > > <thomas.eriksson@gmail.com> wrote:
> > > >
> > > > Hi,
> > > >
> > > > When trying to pair my "3M Peltor WS Alert XPI" headset with BlueZ I
> > > > get a null dereference in profiles/audio/avrcp.c.
> > > >
> > > > The following small patch avoids the problem:
> > > >
> > > > diff --git a/profiles/audio/avrcp.c b/profiles/audio/avrcp.c
> > > > index 7c280203c..6064ab40b 100644
> > > > --- a/profiles/audio/avrcp.c
> > > > +++ b/profiles/audio/avrcp.c
> > > > @@ -3740,10 +3740,13 @@ static void avrcp_status_changed(struct avrcp *session,
> > > >                                                 struct avrcp_header *pdu)
> > > >  {
> > > >         struct avrcp_player *player = session->controller->player;
> > > > -       struct media_player *mp = player->user_data;
> > > > +       struct media_player *mp = NULL;
> > > >         uint8_t value;
> > > >         const char *curval, *strval;
> > > >
> > > > +       if (player == NULL)
> > > > +               return;
> > > > +       mp = player->user_data;
> > > >         value = pdu->params[1];
> > > >
> > > >         curval = media_player_get_status(mp);
> > > >
> > >
> > > What version are you using? This should not be reproducible with:
> > >
> > > commit cc235a8d528b36cad2cf9fe6517d54711613331a
> > > Author: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
> > > Date:   Fri Apr 1 11:07:15 2016 +0300
> > >
> > >     audio/avrcp: Fix registering to player events
> > >
> > >     If the controller does not have a player, skip registering to events which
> > >     require a player.
> > >
> > > diff --git a/profiles/audio/avrcp.c b/profiles/audio/avrcp.c
> > > index 0c6279a20..37bc29137 100644
> > > --- a/profiles/audio/avrcp.c
> > > +++ b/profiles/audio/avrcp.c
> > > @@ -3647,8 +3647,9 @@ static gboolean
> > > avrcp_get_capabilities_resp(struct avctp *conn,
> > >                 case AVRCP_EVENT_ADDRESSED_PLAYER_CHANGED:
> > >                 case AVRCP_EVENT_UIDS_CHANGED:
> > >                 case AVRCP_EVENT_AVAILABLE_PLAYERS_CHANGED:
> > > -                       /* These events above are controller specific */
> > > -                       if (!session->controller)
> > > +                       /* These events above requires a player */
> > > +                       if (!session->controller ||
> > > +                                               !session->controller->player)
> > >                                 break;
> > >                 case AVRCP_EVENT_VOLUME_CHANGED:
> > >                         avrcp_register_notification(session, event);
> > >
> >
> > The crash was present yesterday on
> > bb12ef4a9f71550ba84033f565a27773d893d8bf (master).
>
> Can you attach the HCI trace? I wonder if the headset is sending a
> notification without a registration then.

I've attached an HCI trace of the pairing process.

Best regards
/Thomas




[-- Attachment #2: hcitrace3.snoop.xz --]
[-- Type: application/octet-stream, Size: 10456 bytes --]

