* Segmentation fault in bluetoothd with btgatt-client
@ 2020-06-03  9:40 Arthur Lambert
  2020-06-03 17:17 ` Luiz Augusto von Dentz
  0 siblings, 1 reply; 7+ messages in thread
From: Arthur Lambert @ 2020-06-03  9:40 UTC (permalink / raw)
  To: linux-bluetooth

Hello,

I am working on an embedded device with Bluez 5.54.
My bluez init script for the bluetoothd daemon:

# cat /etc/init.d/S19_bluez
#!/bin/sh

start() {
	echo -n "Starting $0: "
	#bluetoothd -dE&
	echo "Done."
}

(...)

To initialize my hci0, we are using btmgmt:

/usr/bin/btmgmt -i hci0 power off
/usr/bin/btmgmt -i hci0 le on
/usr/bin/btmgmt -i hci0 bredr on
/usr/bin/btmgmt -i hci0 connectable on
/usr/bin/btmgmt -i hci0 bondable on
/usr/bin/btmgmt -i hci0 discov on
/usr/bin/btmgmt -i hci0 name XXXXX-HEADBAND-V2
/usr/bin/btmgmt -i hci0 advertising on
/usr/bin/btmgmt -i hci0 power on

Log from bluetoothd:

# valgrind --leak-check=no --show-reachable=no --show-possibly-lost=no --track-origins=yes bluetoothd -dEn
==237== Memcheck, a memory error detector
==237== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==237== Using Valgrind-3.14.0 and LibVEX; rerun with -h for copyright info
==237== Command: bluetoothd -dEn
==237==
==237== Invalid read of size 4
==237==    at 0x4005458: _dl_get_ready_to_run (in /lib/ld-uClibc-1.0.31.so)
==237==  Address 0x7dffc934 is on thread 1's stack
==237==  20 bytes below stack pointer
==237==
==237== Invalid read of size 4
==237==    at 0x4B05AB8: __uClibc_main (in /lib/libuClibc-1.0.31.so)
==237==  Address 0x7dffcbec is on thread 1's stack
==237==  20 bytes below stack pointer
==237==
bluetoothd[237]: Bluetooth daemon 5.54
bluetoothd[237]: src/main.c:parse_config() parsing /etc/bluetooth/main.conf
bluetoothd[237]: src/main.c:parse_config() Key file does not have key
“DiscoverableTimeout” in group “General”
bluetoothd[237]: src/main.c:parse_config() Key file does not have key
“AlwaysPairable” in group “General”
bluetoothd[237]: src/main.c:parse_config() Key file does not have key
“PairableTimeout” in group “General”
bluetoothd[237]: src/main.c:parse_config() Key file does not have key
“Privacy” in group “General”
bluetoothd[237]: src/main.c:parse_config() Key file does not have key
“JustWorksRepairing” in group “General”
bluetoothd[237]: src/main.c:parse_config() name=XXXXX-HEADBAND-V2
bluetoothd[237]: src/main.c:parse_config() Key file does not have key
“Class” in group “General”
bluetoothd[237]: src/main.c:parse_config() Key file does not have key
“DeviceID” in group “General”
bluetoothd[237]: src/main.c:parse_config() Key file does not have key
“ReverseServiceDiscovery” in group “General”
bluetoothd[237]: src/main.c:parse_config() Key file does not have group “GATT”
bluetoothd[237]: src/main.c:parse_config() Key file does not have group “GATT”
bluetoothd[237]: src/main.c:parse_config() Key file does not have group “GATT”
bluetoothd[237]: src/main.c:parse_config() Key file does not have group “GATT”
bluetoothd[237]: src/adapter.c:adapter_init() sending read version command
bluetoothd[237]: Starting SDP server
bluetoothd[237]: src/sdpd-service.c:register_device_id() Adding device
id record for 0002:1d6b:0246:0536
bluetoothd[237]: src/plugin.c:plugin_init() Loading builtin plugins
bluetoothd[237]: src/plugin.c:add_plugin() Loading hostname plugin
bluetoothd[237]: src/plugin.c:add_plugin() Loading wiimote plugin
bluetoothd[237]: src/plugin.c:add_plugin() Loading autopair plugin
bluetoothd[237]: src/plugin.c:add_plugin() Loading policy plugin
bluetoothd[237]: src/plugin.c:add_plugin() Loading network plugin
bluetoothd[237]: src/plugin.c:add_plugin() Loading input plugin
bluetoothd[237]: src/plugin.c:add_plugin() Loading hog plugin
bluetoothd[237]: src/plugin.c:add_plugin() Loading gap plugin
bluetoothd[237]: src/plugin.c:add_plugin() Loading scanparam plugin
bluetoothd[237]: src/plugin.c:add_plugin() Loading deviceinfo plugin
bluetoothd[237]: src/plugin.c:plugin_init() Loading plugins
/usr/lib/bluetooth/plugins
bluetoothd[237]: profiles/input/suspend-none.c:suspend_init()
bluetoothd[237]: profiles/network/manager.c:read_config() Config
options: Security=true
bluetoothd[237]: Failed to open RFKILL control device
bluetoothd[237]: src/main.c:main() Entering main loop
bluetoothd[237]: Bluetooth management interface 1.9 initialized
bluetoothd[237]: src/adapter.c:read_version_complete() sending read
supported commands command
bluetoothd[237]: src/adapter.c:read_version_complete() sending read
index list command
bluetoothd[237]: src/adapter.c:read_commands_complete() Number of commands: 61
bluetoothd[237]: src/adapter.c:read_commands_complete() Number of events: 34
bluetoothd[237]: src/adapter.c:read_commands_complete() enabling
kernel-side connection control
bluetoothd[237]: src/adapter.c:read_index_list_complete() Number of
controllers: 0
bluetoothd[237]: src/adapter.c:index_added() index 0
bluetoothd[237]: src/adapter.c:btd_adapter_new() System name: XXXXXX-HEADBAND-V2
bluetoothd[237]: src/adapter.c:btd_adapter_new() Major class: 0
bluetoothd[237]: src/adapter.c:btd_adapter_new() Minor class: 0
bluetoothd[237]: src/adapter.c:btd_adapter_new() Modalias: usb:v1D6Bp0246d0536
bluetoothd[237]: src/adapter.c:btd_adapter_new() Discoverable timeout:
180 seconds
bluetoothd[237]: src/adapter.c:btd_adapter_new() Pairable timeout: 0 seconds
bluetoothd[237]: src/adapter.c:index_added() sending read info command
for index 0
bluetoothd[237]: src/adapter.c:read_info_complete() index 0 status 0x00
bluetoothd[237]: src/adapter.c:clear_uuids() sending clear uuids
command for index 0
bluetoothd[237]: src/adapter.c:clear_devices() sending clear devices
command for index 0
bluetoothd[237]: src/adapter.c:set_mode() sending set mode command for index 0
bluetoothd[237]: src/adapter.c:set_mode() sending set mode command for index 0
bluetoothd[237]: src/adapter.c:set_mode() sending set mode command for index 0
bluetoothd[237]: src/adapter.c:set_privacy() sending set privacy
command for index 0
bluetoothd[237]: src/adapter.c:set_privacy() setting privacy mode 0x00
for index 0
bluetoothd[237]: src/gatt-database.c:btd_gatt_database_new() GATT
Manager registered for adapter: /org/bluez/hci0
bluetoothd[237]: src/adapter.c:adapter_service_add() /org/bluez/hci0
bluetoothd[237]: src/sdpd-service.c:add_record_to_server() Adding
record with handle 0x10001
bluetoothd[237]: src/sdpd-service.c:add_record_to_server() Record
pattern UUID 00000007-0000-1000-8000-00805f9
bluetoothd[237]: src/sdpd-service.c:add_record_to_server() Record
pattern UUID 00000100-0000-1000-8000-00805f9
bluetoothd[237]: src/sdpd-service.c:add_record_to_server() Record
pattern UUID 00001002-0000-1000-8000-00805f9
bluetoothd[237]: src/sdpd-service.c:add_record_to_server() Record
pattern UUID 00001800-0000-1000-8000-00805f9
bluetoothd[237]: src/adapter.c:adapter_service_insert() /org/bluez/hci0
bluetoothd[237]: src/adapter.c:add_uuid() sending add uuid command for index 0
bluetoothd[237]: src/adapter.c:adapter_service_add() /org/bluez/hci0
bluetoothd[237]: src/sdpd-service.c:add_record_to_server() Adding
record with handle 0x10002
bluetoothd[237]: src/sdpd-service.c:add_record_to_server() Record
pattern UUID 00000007-0000-1000-8000-00805f9
bluetoothd[237]: src/sdpd-service.c:add_record_to_server() Record
pattern UUID 00000100-0000-1000-8000-00805f9
bluetoothd[237]: src/sdpd-service.c:add_record_to_server() Record
pattern UUID 00001002-0000-1000-8000-00805f9
bluetoothd[237]: src/sdpd-service.c:add_record_to_server() Record
pattern UUID 00001801-0000-1000-8000-00805f9
bluetoothd[237]: src/adapter.c:adapter_service_insert() /org/bluez/hci0
bluetoothd[237]: src/adapter.c:add_uuid() sending add uuid command for index 0
bluetoothd[237]: src/advertising.c:btd_adv_manager_new() LE
Advertising Manager created for adapter: /org/bluez/hci0
bluetoothd[237]: plugins/hostname.c:hostname_probe()
bluetoothd[237]: profiles/network/manager.c:panu_server_probe() path
/org/bluez/hci0
bluetoothd[237]: profiles/network/server.c:server_register()
Registered interface org.bluez.NetworkServer1 on path /org/bluez/hci0
bluetoothd[237]: profiles/network/manager.c:gn_server_probe() path
/org/bluez/hci0
bluetoothd[237]: profiles/network/manager.c:nap_server_probe() path
/org/bluez/hci0
bluetoothd[237]: src/adapter.c:btd_adapter_unblock_address() hci0
00:00:00:00:00:00
bluetoothd[237]: src/adapter.c:load_link_keys() hci0 keys 0 debug_keys 0
bluetoothd[237]: src/adapter.c:load_ltks() hci0 keys 0
bluetoothd[237]: src/adapter.c:load_irks() hci0 irks 0
bluetoothd[237]: src/adapter.c:load_conn_params() hci0 conn params 0
bluetoothd[237]: src/adapter.c:adapter_service_insert() /org/bluez/hci0
bluetoothd[237]: src/adapter.c:add_uuid() sending add uuid command for index 0
bluetoothd[237]: src/adapter.c:set_did() hci0 source 2 vendor 1d6b
product 246 version 536
bluetoothd[237]: src/adapter.c:adapter_register() Adapter
/org/bluez/hci0 registered
bluetoothd[237]: src/adapter.c:set_dev_class() sending set device
class command for index 0
bluetoothd[237]: src/adapter.c:set_name() sending set local name
command for index 0
bluetoothd[237]: src/adapter.c:new_settings_callback() Settings: 0x00000280
bluetoothd[237]: src/adapter.c:settings_changed() Changed settings: 0x00000200
bluetoothd[237]: src/adapter.c:settings_changed() Pending settings: 0x00000000
bluetoothd[237]: src/adapter.c:new_settings_callback() Settings: 0x00000282
bluetoothd[237]: src/adapter.c:settings_changed() Changed settings: 0x00000002
bluetoothd[237]: src/adapter.c:settings_changed() Pending settings: 0x00000000
bluetoothd[237]: src/adapter.c:new_settings_callback() Settings: 0x00000292
bluetoothd[237]: src/adapter.c:settings_changed() Changed settings: 0x00000010
bluetoothd[237]: src/adapter.c:settings_changed() Pending settings: 0x00000000
bluetoothd[237]: src/adapter.c:new_settings_callback() Settings: 0x0000029a
bluetoothd[237]: src/adapter.c:settings_changed() Changed settings: 0x00000008
bluetoothd[237]: src/adapter.c:settings_changed() Pending settings: 0x00000000
bluetoothd[237]: src/adapter.c:local_name_changed_callback() Name: TESTBENCH-V2
bluetoothd[237]: src/adapter.c:local_name_changed_callback() Short name:
bluetoothd[237]: src/adapter.c:local_name_changed_callback() Current
alias: TESTBENCH-V2
bluetoothd[237]: src/adapter.c:new_settings_callback() Settings: 0x0000069a
bluetoothd[237]: src/adapter.c:settings_changed() Changed settings: 0x00000400
bluetoothd[237]: src/adapter.c:settings_changed() Pending settings: 0x00000000
bluetoothd[237]: Failed to clear UUIDs: Busy (0x0a)
bluetoothd[237]: src/adapter.c:new_settings_callback() Settings: 0x0000069b
bluetoothd[237]: src/adapter.c:settings_changed() Changed settings: 0x00000001
bluetoothd[237]: src/adapter.c:settings_changed() Pending settings: 0x00000000
bluetoothd[237]: src/adapter.c:adapter_start() adapter /org/bluez/hci0
has been enabled
bluetoothd[237]: src/adapter.c:trigger_passive_scanning()
bluetoothd[237]: src/adapter.c:new_settings_callback() Settings: 0x000006db
bluetoothd[237]: src/adapter.c:settings_changed() Changed settings: 0x00000040
bluetoothd[237]: src/adapter.c:settings_changed() Pending settings: 0x00000000
bluetoothd[237]: src/adapter.c:new_settings_callback() Settings: 0x00000edb
bluetoothd[237]: src/adapter.c:settings_changed() Changed settings: 0x00000800
bluetoothd[237]: src/adapter.c:settings_changed() Pending settings: 0x00000000
bluetoothd[237]: Failed to set privacy: Rejected (0x0b)
bluetoothd[237]: src/adapter.c:load_link_keys_complete() link keys
loaded for hci0
bluetoothd[237]: src/adapter.c:load_ltks_complete() LTKs loaded for hci0
bluetoothd[237]: src/adapter.c:load_irks_complete() IRKs loaded for hci0
bluetoothd[237]: src/adapter.c:load_conn_params_complete() Connection
Parameters loaded for hci0
bluetoothd[237]: src/adapter.c:local_name_changed_callback() Name:
XXXXXX-HEADBAND-V2
bluetoothd[237]: src/adapter.c:local_name_changed_callback() Short name:
bluetoothd[237]: src/adapter.c:local_name_changed_callback() Current
alias: XXXXXXX-HEADBAND-V2

# run btgatt client here...

bluetoothd[237]: src/adapter.c:connected_callback() hci0 device
80:32:53:37:58:A6 connected eir_len 0
bluetoothd[237]: src/device.c:device_create() dst 80:32:53:37:58:A6
bluetoothd[237]: src/device.c:device_new() address 80:32:53:37:58:A6
bluetoothd[237]: src/device.c:device_new() Creating device
/org/bluez/hci0/dev_80_32_53_37_58_A6
bluetoothd[237]: src/gatt-database.c:connect_cb() New incoming LE ATT connection
bluetoothd[237]: attrib/gattrib.c:g_attrib_ref() 0x4c56848: g_attrib_ref=1
bluetoothd[237]: src/device.c:load_gatt_db() Restoring
80:32:53:37:58:A6 gatt database from file
bluetoothd[237]: No cache for 80:32:53:37:58:A6
bluetoothd[237]: src/gatt-client.c:btd_gatt_client_connected() Device connected.
bluetoothd[237]: src/device.c:gatt_debug() MTU exchange complete, with MTU: 256
bluetoothd[237]: src/device.c:gatt_debug() Read By Type - start:
0x0001 end: 0xffff
bluetoothd[237]: src/device.c:gatt_debug() MTU Exchange failed. ATT ECODE: 0x06
bluetoothd[237]: src/device.c:gatt_debug() Read By Grp Type - start:
0x0001 end: 0xffff
bluetoothd[237]: src/device.c:gatt_debug() Read By Type - start:
0x0010 end: 0xffff
bluetoothd[237]: src/device.c:gatt_debug() Primary service discovery
failed. ATT ECODE: 0x06
bluetoothd[237]: src/device.c:gatt_debug() Failed to initialize gatt-client
bluetoothd[237]: src/device.c:gatt_client_ready_cb() status: failed, error: 6
bluetoothd[237]: src/device.c:device_svc_resolved()
/org/bluez/hci0/dev_80_32_53_37_58_A6 err -5
bluetoothd[237]: src/device.c:gatt_debug() Read By Grp Type - start:
0x0010 end: 0xffff
bluetoothd[237]: src/device.c:gatt_debug() Read By Grp Type - start:
0x0001 end: 0xffff
bluetoothd[237]: src/device.c:gatt_debug() Read By Type - start:
0x0001 end: 0x000f
bluetoothd[237]: src/device.c:gatt_debug() Read By Type - start:
0x0001 end: 0x000f
bluetoothd[237]: src/device.c:gatt_debug() Read By Type - start:
0x000f end: 0x000f
bluetoothd[237]: src/device.c:gatt_debug() Read By Type - start:
0x0001 end: 0xffff
bluetoothd[237]: src/gatt-database.c:db_hash_read_cb() Database Hash read
==237== Invalid read of size 1
==237==    at 0x4831BA4: memcpy (vg_replace_strmem.c:1035)
==237==    by 0x79E1B: ??? (in /usr/bin/bluetoothd)
==237==  Address 0x0 is not stack'd, malloc'd or (recently) free'd
==237==
==237==
==237== Process terminating with default action of signal 11 (SIGSEGV)
==237==  Access not within mapped region at address 0x0
==237==    at 0x4831BA4: memcpy (vg_replace_strmem.c:1035)
==237==    by 0x79E1B: ??? (in /usr/bin/bluetoothd)
==237==  If you believe this happened as a result of a stack
==237==  overflow in your program's main thread (unlikely but
==237==  possible), you can try to increase the size of the
==237==  main thread stack using the --main-stacksize= flag.
==237==  The main thread stack size used in this run was 8388608.
/usr/bin/bluetoothd: can't resolve symbol '__libc_freeres'
==237==
==237== HEAP SUMMARY:
==237==     in use at exit: 40,320 bytes in 860 blocks
==237==   total heap usage: 4,297 allocs, 3,437 frees, 981,133 bytes allocated
==237==
==237== For a detailed leak analysis, rerun with: --leak-check=full
==237==
==237== For counts of detected and suppressed errors, rerun with: -v
==237== ERROR SUMMARY: 57 errors from 3 contexts (suppressed: 0 from 0)
Segmentation fault

From my host, I run this command to trigger the segmentation fault:
[arthur ] sudo ./btgatt-client -i hci0 -d cc:c0:79:ce:f9:56 -m 256
Connecting to device... Done
[GATT client]# Service Added - UUID:
00001800-0000-1000-8000-00805f9b34fb start: 0x0001 end: 0x0005
[GATT client]# Service Added - UUID:
00001801-0000-1000-8000-00805f9b34fb start: 0x0006 end: 0x000f
[GATT client]# GATT discovery procedures failed - error code: 0x00
[GATT client]# Device disconnected: Connection reset by peer
Shutting down...

When I run the test with btgatt-client from the 5.50 release, there is no issue.
Is it normal?


* Re: Segmentation fault in bluetoothd with btgatt-client
  2020-06-03  9:40 Segmentation fault in bluetoothd with btgatt-client Arthur Lambert
@ 2020-06-03 17:17 ` Luiz Augusto von Dentz
  2020-06-03 17:58   ` Luiz Augusto von Dentz
  0 siblings, 1 reply; 7+ messages in thread
From: Luiz Augusto von Dentz @ 2020-06-03 17:17 UTC (permalink / raw)
  To: Arthur Lambert; +Cc: linux-bluetooth

Hi Arthur,

On Wed, Jun 3, 2020 at 2:45 AM Arthur Lambert <lambertarthur22@gmail.com> wrote:
>
> (...)
> ==237== Invalid read of size 1
> ==237==    at 0x4831BA4: memcpy (vg_replace_strmem.c:1035)
> ==237==    by 0x79E1B: ??? (in /usr/bin/bluetoothd)
> ==237==  Address 0x0 is not stack'd, malloc'd or (recently) free'd

Looks like a NULL pointer; it would be great if you could provide the
backtrace with source symbols though.

> ==237==
> ==237== Process terminating with default action of signal 11 (SIGSEGV)
> ==237==  Access not within mapped region at address 0x0
> ==237==    at 0x4831BA4: memcpy (vg_replace_strmem.c:1035)
> ==237==    by 0x79E1B: ??? (in /usr/bin/bluetoothd)
> ==237==  If you believe this happened as a result of a stack
> ==237==  overflow in your program's main thread (unlikely but
> ==237==  possible), you can try to increase the size of the
> ==237==  main thread stack using the --main-stacksize= flag.
> ==237==  The main thread stack size used in this run was 8388608.
> /usr/bin/bluetoothd: can't resolve symbol '__libc_freeres'
> ==237==
> ==237== HEAP SUMMARY:
> ==237==     in use at exit: 40,320 bytes in 860 blocks
> ==237==   total heap usage: 4,297 allocs, 3,437 frees, 981,133 bytes allocated
> ==237==
> ==237== For a detailed leak analysis, rerun with: --leak-check=full
> ==237==
> ==237== For counts of detected and suppressed errors, rerun with: -v
> ==237== ERROR SUMMARY: 57 errors from 3 contexts (suppressed: 0 from 0)
> Segmentation fault
>
> From my host, I run this command to trigger the segmentation fault:
> [arthur ] sudo ./btgatt-client -i hci0 -d cc:c0:79:ce:f9:56 -m 256
> Connecting to device... Done
> [GATT client]# Service Added - UUID:
> 00001800-0000-1000-8000-00805f9b34fb start: 0x0001 end: 0x0005
> [GATT client]# Service Added - UUID:
> 00001801-0000-1000-8000-00805f9b34fb start: 0x0006 end: 0x000f
> [GATT client]# GATT discovery procedures failed - error code: 0x00
> [GATT client]# Device disconnected: Connection reset by peer
> Shutting down...
>
> When I run the test with btgatt-client from the 5.50 release, there is no issue.
> Is it normal?



-- 
Luiz Augusto von Dentz


* Re: Segmentation fault in bluetoothd with btgatt-client
  2020-06-03 17:17 ` Luiz Augusto von Dentz
@ 2020-06-03 17:58   ` Luiz Augusto von Dentz
  2020-06-03 18:22     ` Arthur Lambert
  0 siblings, 1 reply; 7+ messages in thread
From: Luiz Augusto von Dentz @ 2020-06-03 17:58 UTC (permalink / raw)
  To: Arthur Lambert; +Cc: linux-bluetooth

Hi Arthur,

On Wed, Jun 3, 2020 at 10:17 AM Luiz Augusto von Dentz
<luiz.dentz@gmail.com> wrote:
>
> Hi Arthur,
>
> On Wed, Jun 3, 2020 at 2:45 AM Arthur Lambert <lambertarthur22@gmail.com> wrote:
> >
> > Hello,
> >
> > I am working on an embedded device with Bluez 5.54.
> > My bluez init script for the bluetoothd daemon:
> >
> > # cat /etc/init.d/S19_bluez
> > #!/bin/sh
> >
> > start() {
> > echo -n "Starting $0: "
> > #bluetoothd -dE&
> > echo "Done."
> > }
> >
> > (...)
> >
> > To initialize my hci0, we are using btmgmt:
> >
> > /usr/bin/btmgmt -i hci0 power off
> > /usr/bin/btmgmt -i hci0 le on
> > /usr/bin/btmgmt -i hci0 bredr on
> > /usr/bin/btmgmt -i hci0 connectable on
> > /usr/bin/btmgmt -i hci0 bondable on
> > /usr/bin/btmgmt -i hci0 discov on
> > /usr/bin/btmgmt -i hci0 name XXXXX-HEADBAND-V2
> > /usr/bin/btmgmt -i hci0 advertising on
> > /usr/bin/btmgmt -i hci0 power on
> >
> > Log from bluetoothd:
> >
> > # valgrind --leak-check=no --show-reachable=no
> > --show-possibly-lost=no --track-origins=yes bluetoothd -dEn
> > ==237== Memcheck, a memory error detector
> > ==237== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
> > ==237== Using Valgrind-3.14.0 and LibVEX; rerun with -h for copyright info
> > ==237== Command: bluetoothd -dEn
> > ==237==
> > ==237== Invalid read of size 4
> > ==237==    at 0x4005458: _dl_get_ready_to_run (in /lib/ld-uClibc-1.0.31.so)
> > ==237==  Address 0x7dffc934 is on thread 1's stack
> > ==237==  20 bytes below stack pointer
> > ==237==
> > ==237== Invalid read of size 4
> > ==237==    at 0x4B05AB8: __uClibc_main (in /lib/libuClibc-1.0.31.so)
> > ==237==  Address 0x7dffcbec is on thread 1's stack
> > ==237==  20 bytes below stack pointer
> > ==237==
> > bluetoothd[237]: Bluetooth daemon 5.54
> > bluetoothd[237]: src/main.c:parse_config() parsing /etc/bluetooth/main.conf
> > bluetoothd[237]: src/main.c:parse_config() Key file does not have key
> > “DiscoverableTimeout” in group “General”
> > bluetoothd[237]: src/main.c:parse_config() Key file does not have key
> > “AlwaysPairable” in group “General”
> > bluetoothd[237]: src/main.c:parse_config() Key file does not have key
> > “PairableTimeout” in group “General”
> > bluetoothd[237]: src/main.c:parse_config() Key file does not have key
> > “Privacy” in group “General”
> > bluetoothd[237]: src/main.c:parse_config() Key file does not have key
> > “JustWorksRepairing” in group “General”
> > bluetoothd[237]: src/main.c:parse_config() name=XXXXX-HEADBAND-V2
> > bluetoothd[237]: src/main.c:parse_config() Key file does not have key
> > “Class” in group “General”
> > bluetoothd[237]: src/main.c:parse_config() Key file does not have key
> > “DeviceID” in group “General”
> > bluetoothd[237]: src/main.c:parse_config() Key file does not have key
> > “ReverseServiceDiscovery” in group “General”
> > bluetoothd[237]: src/main.c:parse_config() Key file does not have group “GATT”
> > bluetoothd[237]: src/main.c:parse_config() Key file does not have group “GATT”
> > bluetoothd[237]: src/main.c:parse_config() Key file does not have group “GATT”
> > bluetoothd[237]: src/main.c:parse_config() Key file does not have group “GATT”
> > bluetoothd[237]: src/adapter.c:adapter_init() sending read version command
> > bluetoothd[237]: Starting SDP server
> > bluetoothd[237]: src/sdpd-service.c:register_device_id() Adding device
> > id record for 0002:1d6b:0246:0536
> > bluetoothd[237]: src/plugin.c:plugin_init() Loading builtin plugins
> > bluetoothd[237]: src/plugin.c:add_plugin() Loading hostname plugin
> > bluetoothd[237]: src/plugin.c:add_plugin() Loading wiimote plugin
> > bluetoothd[237]: src/plugin.c:add_plugin() Loading autopair plugin
> > bluetoothd[237]: src/plugin.c:add_plugin() Loading policy plugin
> > bluetoothd[237]: src/plugin.c:add_plugin() Loading network plugin
> > bluetoothd[237]: src/plugin.c:add_plugin() Loading input plugin
> > bluetoothd[237]: src/plugin.c:add_plugin() Loading hog plugin
> > bluetoothd[237]: src/plugin.c:add_plugin() Loading gap plugin
> > bluetoothd[237]: src/plugin.c:add_plugin() Loading scanparam plugin
> > bluetoothd[237]: src/plugin.c:add_plugin() Loading deviceinfo plugin
> > bluetoothd[237]: src/plugin.c:plugin_init() Loading plugins
> > /usr/lib/bluetooth/plugins
> > bluetoothd[237]: profiles/input/suspend-none.c:suspend_init()
> > bluetoothd[237]: profiles/network/manager.c:read_config() Config
> > options: Security=true
> > bluetoothd[237]: Failed to open RFKILL control device
> > bluetoothd[237]: src/main.c:main() Entering main loop
> > bluetoothd[237]: Bluetooth management interface 1.9 initialized
> > bluetoothd[237]: src/adapter.c:read_version_complete() sending read
> > supported commands command
> > bluetoothd[237]: src/adapter.c:read_version_complete() sending read
> > index list command
> > bluetoothd[237]: src/adapter.c:read_commands_complete() Number of commands: 61
> > bluetoothd[237]: src/adapter.c:read_commands_complete() Number of events: 34
> > bluetoothd[237]: src/adapter.c:read_commands_complete() enabling
> > kernel-side connection control
> > bluetoothd[237]: src/adapter.c:read_index_list_complete() Number of
> > controllers: 0
> > bluetoothd[237]: src/adapter.c:index_added() index 0
> > bluetoothd[237]: src/adapter.c:btd_adapter_new() System name: XXXXXX-HEADBAND-V2
> > bluetoothd[237]: src/adapter.c:btd_adapter_new() Major class: 0
> > bluetoothd[237]: src/adapter.c:btd_adapter_new() Minor class: 0
> > bluetoothd[237]: src/adapter.c:btd_adapter_new() Modalias: usb:v1D6Bp0246d0536
> > bluetoothd[237]: src/adapter.c:btd_adapter_new() Discoverable timeout:
> > 180 seconds
> > bluetoothd[237]: src/adapter.c:btd_adapter_new() Pairable timeout: 0 seconds
> > bluetoothd[237]: src/adapter.c:index_added() sending read info command
> > for index 0
> > bluetoothd[237]: src/adapter.c:read_info_complete() index 0 status 0x00
> > bluetoothd[237]: src/adapter.c:clear_uuids() sending clear uuids
> > command for index 0
> > bluetoothd[237]: src/adapter.c:clear_devices() sending clear devices
> > command for index 0
> > bluetoothd[237]: src/adapter.c:set_mode() sending set mode command for index 0
> > bluetoothd[237]: src/adapter.c:set_mode() sending set mode command for index 0
> > bluetoothd[237]: src/adapter.c:set_mode() sending set mode command for index 0
> > bluetoothd[237]: src/adapter.c:set_privacy() sending set privacy
> > command for index 0
> > bluetoothd[237]: src/adapter.c:set_privacy() setting privacy mode 0x00
> > for index 0
> > bluetoothd[237]: src/gatt-database.c:btd_gatt_database_new() GATT
> > Manager registered for adapter: /org/bluez/hci0
> > bluetoothd[237]: src/adapter.c:adapter_service_add() /org/bluez/hci0
> > bluetoothd[237]: src/sdpd-service.c:add_record_to_server() Adding
> > record with handle 0x10001
> > bluetoothd[237]: src/sdpd-service.c:add_record_to_server() Record
> > pattern UUID 00000007-0000-1000-8000-00805f9
> > bluetoothd[237]: src/sdpd-service.c:add_record_to_server() Record
> > pattern UUID 00000100-0000-1000-8000-00805f9
> > bluetoothd[237]: src/sdpd-service.c:add_record_to_server() Record
> > pattern UUID 00001002-0000-1000-8000-00805f9
> > bluetoothd[237]: src/sdpd-service.c:add_record_to_server() Record
> > pattern UUID 00001800-0000-1000-8000-00805f9
> > bluetoothd[237]: src/adapter.c:adapter_service_insert() /org/bluez/hci0
> > bluetoothd[237]: src/adapter.c:add_uuid() sending add uuid command for index 0
> > bluetoothd[237]: src/adapter.c:adapter_service_add() /org/bluez/hci0
> > bluetoothd[237]: src/sdpd-service.c:add_record_to_server() Adding
> > record with handle 0x10002
> > bluetoothd[237]: src/sdpd-service.c:add_record_to_server() Record
> > pattern UUID 00000007-0000-1000-8000-00805f9
> > bluetoothd[237]: src/sdpd-service.c:add_record_to_server() Record
> > pattern UUID 00000100-0000-1000-8000-00805f9
> > bluetoothd[237]: src/sdpd-service.c:add_record_to_server() Record
> > pattern UUID 00001002-0000-1000-8000-00805f9
> > bluetoothd[237]: src/sdpd-service.c:add_record_to_server() Record
> > pattern UUID 00001801-0000-1000-8000-00805f9
> > bluetoothd[237]: src/adapter.c:adapter_service_insert() /org/bluez/hci0
> > bluetoothd[237]: src/adapter.c:add_uuid() sending add uuid command for index 0
> > bluetoothd[237]: src/advertising.c:btd_adv_manager_new() LE
> > Advertising Manager created for adapter: /org/bluez/hci0
> > bluetoothd[237]: plugins/hostname.c:hostname_probe()
> > bluetoothd[237]: profiles/network/manager.c:panu_server_probe() path
> > /org/bluez/hci0
> > bluetoothd[237]: profiles/network/server.c:server_register()
> > Registered interface org.bluez.NetworkServer1 on path /org/bluez/hci0
> > bluetoothd[237]: profiles/network/manager.c:gn_server_probe() path
> > /org/bluez/hci0
> > bluetoothd[237]: profiles/network/manager.c:nap_server_probe() path
> > /org/bluez/hci0
> > bluetoothd[237]: src/adapter.c:btd_adapter_unblock_address() hci0
> > 00:00:00:00:00:00
> > bluetoothd[237]: src/adapter.c:load_link_keys() hci0 keys 0 debug_keys 0
> > bluetoothd[237]: src/adapter.c:load_ltks() hci0 keys 0
> > bluetoothd[237]: src/adapter.c:load_irks() hci0 irks 0
> > bluetoothd[237]: src/adapter.c:load_conn_params() hci0 conn params 0
> > bluetoothd[237]: src/adapter.c:adapter_service_insert() /org/bluez/hci0
> > bluetoothd[237]: src/adapter.c:add_uuid() sending add uuid command for index 0
> > bluetoothd[237]: src/adapter.c:set_did() hci0 source 2 vendor 1d6b
> > product 246 version 536
> > bluetoothd[237]: src/adapter.c:adapter_register() Adapter
> > /org/bluez/hci0 registered
> > bluetoothd[237]: src/adapter.c:set_dev_class() sending set device
> > class command for index 0
> > bluetoothd[237]: src/adapter.c:set_name() sending set local name
> > command for index 0
> > bluetoothd[237]: src/adapter.c:new_settings_callback() Settings: 0x00000280
> > bluetoothd[237]: src/adapter.c:settings_changed() Changed settings: 0x00000200
> > bluetoothd[237]: src/adapter.c:settings_changed() Pending settings: 0x00000000
> > bluetoothd[237]: src/adapter.c:new_settings_callback() Settings: 0x00000282
> > bluetoothd[237]: src/adapter.c:settings_changed() Changed settings: 0x00000002
> > bluetoothd[237]: src/adapter.c:settings_changed() Pending settings: 0x00000000
> > bluetoothd[237]: src/adapter.c:new_settings_callback() Settings: 0x00000292
> > bluetoothd[237]: src/adapter.c:settings_changed() Changed settings: 0x00000010
> > bluetoothd[237]: src/adapter.c:settings_changed() Pending settings: 0x00000000
> > bluetoothd[237]: src/adapter.c:new_settings_callback() Settings: 0x0000029a
> > bluetoothd[237]: src/adapter.c:settings_changed() Changed settings: 0x00000008
> > bluetoothd[237]: src/adapter.c:settings_changed() Pending settings: 0x00000000
> > bluetoothd[237]: src/adapter.c:local_name_changed_callback() Name: TESTBENCH-V2
> > bluetoothd[237]: src/adapter.c:local_name_changed_callback() Short name:
> > bluetoothd[237]: src/adapter.c:local_name_changed_callback() Current
> > alias: TESTBENCH-V2
> > bluetoothd[237]: src/adapter.c:new_settings_callback() Settings: 0x0000069a
> > bluetoothd[237]: src/adapter.c:settings_changed() Changed settings: 0x00000400
> > bluetoothd[237]: src/adapter.c:settings_changed() Pending settings: 0x00000000
> > bluetoothd[237]: Failed to clear UUIDs: Busy (0x0a)
> > bluetoothd[237]: src/adapter.c:new_settings_callback() Settings: 0x0000069b
> > bluetoothd[237]: src/adapter.c:settings_changed() Changed settings: 0x00000001
> > bluetoothd[237]: src/adapter.c:settings_changed() Pending settings: 0x00000000
> > bluetoothd[237]: src/adapter.c:adapter_start() adapter /org/bluez/hci0
> > has been enabled
> > bluetoothd[237]: src/adapter.c:trigger_passive_scanning()
> > bluetoothd[237]: src/adapter.c:new_settings_callback() Settings: 0x000006db
> > bluetoothd[237]: src/adapter.c:settings_changed() Changed settings: 0x00000040
> > bluetoothd[237]: src/adapter.c:settings_changed() Pending settings: 0x00000000
> > bluetoothd[237]: src/adapter.c:new_settings_callback() Settings: 0x00000edb
> > bluetoothd[237]: src/adapter.c:settings_changed() Changed settings: 0x00000800
> > bluetoothd[237]: src/adapter.c:settings_changed() Pending settings: 0x00000000
> > bluetoothd[237]: Failed to set privacy: Rejected (0x0b)
> > bluetoothd[237]: src/adapter.c:load_link_keys_complete() link keys
> > loaded for hci0
> > bluetoothd[237]: src/adapter.c:load_ltks_complete() LTKs loaded for hci0
> > bluetoothd[237]: src/adapter.c:load_irks_complete() IRKs loaded for hci0
> > bluetoothd[237]: src/adapter.c:load_conn_params_complete() Connection
> > Parameters loaded for hci0
> > bluetoothd[237]: src/adapter.c:local_name_changed_callback() Name:
> > XXXXXX-HEADBAND-V2
> > bluetoothd[237]: src/adapter.c:local_name_changed_callback() Short name:
> > bluetoothd[237]: src/adapter.c:local_name_changed_callback() Current
> > alias: XXXXXXX-HEADBAND-V2
> >
> > # run btgatt client here...
> >
> > bluetoothd[237]: src/adapter.c:connected_callback() hci0 device
> > 80:32:53:37:58:A6 connected eir_len 0
> > bluetoothd[237]: src/device.c:device_create() dst 80:32:53:37:58:A6
> > bluetoothd[237]: src/device.c:device_new() address 80:32:53:37:58:A6
> > bluetoothd[237]: src/device.c:device_new() Creating device
> > /org/bluez/hci0/dev_80_32_53_37_58_A6
> > bluetoothd[237]: src/gatt-database.c:connect_cb() New incoming LE ATT connection
> > bluetoothd[237]: attrib/gattrib.c:g_attrib_ref() 0x4c56848: g_attrib_ref=1
> > bluetoothd[237]: src/device.c:load_gatt_db() Restoring
> > 80:32:53:37:58:A6 gatt database from file
> > bluetoothd[237]: No cache for 80:32:53:37:58:A6
> > bluetoothd[237]: src/gatt-client.c:btd_gatt_client_connected() Device connected.
> > bluetoothd[237]: src/device.c:gatt_debug() MTU exchange complete, with MTU: 256
> > bluetoothd[237]: src/device.c:gatt_debug() Read By Type - start:
> > 0x0001 end: 0xffff
> > bluetoothd[237]: src/device.c:gatt_debug() MTU Exchange failed. ATT ECODE: 0x06
> > bluetoothd[237]: src/device.c:gatt_debug() Read By Grp Type - start:
> > 0x0001 end: 0xffff
> > bluetoothd[237]: src/device.c:gatt_debug() Read By Type - start:
> > 0x0010 end: 0xffff
> > bluetoothd[237]: src/device.c:gatt_debug() Primary service discovery
> > failed. ATT ECODE: 0x06
> > bluetoothd[237]: src/device.c:gatt_debug() Failed to initialize gatt-client
> > bluetoothd[237]: src/device.c:gatt_client_ready_cb() status: failed, error: 6
> > bluetoothd[237]: src/device.c:device_svc_resolved()
> > /org/bluez/hci0/dev_80_32_53_37_58_A6 err -5
> > bluetoothd[237]: src/device.c:gatt_debug() Read By Grp Type - start:
> > 0x0010 end: 0xffff
> > bluetoothd[237]: src/device.c:gatt_debug() Read By Grp Type - start:
> > 0x0001 end: 0xffff
> > bluetoothd[237]: src/device.c:gatt_debug() Read By Type - start:
> > 0x0001 end: 0x000f
> > bluetoothd[237]: src/device.c:gatt_debug() Read By Type - start:
> > 0x0001 end: 0x000f
> > bluetoothd[237]: src/device.c:gatt_debug() Read By Type - start:
> > 0x000f end: 0x000f
> > bluetoothd[237]: src/device.c:gatt_debug() Read By Type - start:
> > 0x0001 end: 0xffff
> > bluetoothd[237]: src/gatt-database.c:db_hash_read_cb() Database Hash read
> > ==237== Invalid read of size 1
> > ==237==    at 0x4831BA4: memcpy (vg_replace_strmem.c:1035)
> > ==237==    by 0x79E1B: ??? (in /usr/bin/bluetoothd)
> > ==237==  Address 0x0 is not stack'd, malloc'd or (recently) free'd
>
> Looks like a NULL pointer; it would be great if you could provide the
> backtrace with source symbols though.
>
> > ==237==
> > ==237== Process terminating with default action of signal 11 (SIGSEGV)
> > ==237==  Access not within mapped region at address 0x0
> > ==237==    at 0x4831BA4: memcpy (vg_replace_strmem.c:1035)
> > ==237==    by 0x79E1B: ??? (in /usr/bin/bluetoothd)
> > ==237==  If you believe this happened as a result of a stack
> > ==237==  overflow in your program's main thread (unlikely but
> > ==237==  possible), you can try to increase the size of the
> > ==237==  main thread stack using the --main-stacksize= flag.
> > ==237==  The main thread stack size used in this run was 8388608.
> > /usr/bin/bluetoothd: can't resolve symbol '__libc_freeres'
> > ==237==
> > ==237== HEAP SUMMARY:
> > ==237==     in use at exit: 40,320 bytes in 860 blocks
> > ==237==   total heap usage: 4,297 allocs, 3,437 frees, 981,133 bytes allocated
> > ==237==
> > ==237== For a detailed leak analysis, rerun with: --leak-check=full
> > ==237==
> > ==237== For counts of detected and suppressed errors, rerun with: -v
> > ==237== ERROR SUMMARY: 57 errors from 3 contexts (suppressed: 0 from 0)
> > Segmentation fault
> >
> > From my host, I run this command to trigger the segmentation fault:
> > [arthur ] sudo ./btgatt-client -i hci0 -d cc:c0:79:ce:f9:56 -m 256
> > Connecting to device... Done
> > [GATT client]# Service Added - UUID:
> > 00001800-0000-1000-8000-00805f9b34fb start: 0x0001 end: 0x0005
> > [GATT client]# Service Added - UUID:
> > 00001801-0000-1000-8000-00805f9b34fb start: 0x0006 end: 0x000f
> > [GATT client]# GATT discovery procedures failed - error code: 0x00
> > [GATT client]# Device disconnected: Connection reset by peer
> > Shutting down...
> >
> > When I run the test with btgatt-client from the 5.50 release, there is no issue.
> > Is it normal?

I've sent a fix for this; it is probably due to the lack of crypto
support in your system, so the so-called Database Hash cannot be
generated.

-- 
Luiz Augusto von Dentz


* Re: Segmentation fault in bluetoothd with btgatt-client
  2020-06-03 17:58   ` Luiz Augusto von Dentz
@ 2020-06-03 18:22     ` Arthur Lambert
  2020-06-03 21:06       ` Luiz Augusto von Dentz
  0 siblings, 1 reply; 7+ messages in thread
From: Arthur Lambert @ 2020-06-03 18:22 UTC (permalink / raw)
  To: Luiz Augusto von Dentz; +Cc: linux-bluetooth

Hi Luiz,
thanks for your reply!

Sorry, I am lazy and stupid. I know that your next question will be
around symbols...

After removing the binary strip option and enabling debug symbols:

bluetoothd[246]: src/device.c:device_svc_resolved()
/org/bluez/hci0/dev_80_32_53_37_58_A6 err -5
bluetoothd[246]: src/device.c:gatt_debug() Read By Grp Type - start:
0x00bb end: 0xffff
bluetoothd[246]: src/device.c:gatt_debug() Read By Grp Type - start:
0x0001 end: 0xffff
bluetoothd[246]: src/device.c:gatt_debug() Read By Type - start:
0x0001 end: 0x00ba
bluetoothd[246]: src/device.c:gatt_debug() Read By Type - start:
0x0001 end: 0x00ba
bluetoothd[246]: src/device.c:gatt_debug() Read By Type - start:
0x002a end: 0x00ba
bluetoothd[246]: src/device.c:gatt_debug() Read By Type - start:
0x0053 end: 0x00ba
bluetoothd[246]: src/device.c:gatt_debug() Read By Type - start:
0x007a end: 0x00ba
bluetoothd[246]: src/device.c:gatt_debug() Read By Type - start:
0x00a3 end: 0x00ba
bluetoothd[246]: src/device.c:gatt_debug() Read By Type - start:
0x00ba end: 0x00ba
bluetoothd[246]: src/device.c:gatt_debug() Read By Type - start:
0x0001 end: 0xffff
bluetoothd[246]: src/gatt-database.c:db_hash_read_cb() Database Hash read
==246== Invalid read of size 1
==246==    at 0x4831BA4: memcpy (vg_replace_strmem.c:1035)
==246==    by 0x87F3B: read_by_type_read_complete_cb (gatt-server.c:392)
==246==    by 0x892AB: pending_read_result (gatt-db.c:145)
==246==    by 0x8B2FB: gatt_db_attribute_read_result (gatt-db.c:1866)
==246==    by 0x3AB0B: db_hash_read_cb (gatt-database.c:1156)
==246==    by 0x8B1AB: gatt_db_attribute_read (gatt-db.c:1825)
==246==    by 0x87DB7: process_read_by_type (gatt-server.c:482)
==246==    by 0x8854F: read_by_type_cb (gatt-server.c:559)
==246==    by 0x81727: handle_notify (att.c:966)
==246==    by 0x81873: can_read_data (att.c:1057)
==246==    by 0x8B91B: watch_callback (io-glib.c:170)
==246==    by 0x488A413: g_main_context_dispatch (in
/usr/lib/libglib-2.0.so.0.5600.3)
==246==  Address 0x0 is not stack'd, malloc'd or (recently) free'd
==246==
==246==
==246== Process terminating with default action of signal 11 (SIGSEGV)
==246==  Access not within mapped region at address 0x0
==246==    at 0x4831BA4: memcpy (vg_replace_strmem.c:1035)
==246==    by 0x87F3B: read_by_type_read_complete_cb (gatt-server.c:392)
==246==    by 0x892AB: pending_read_result (gatt-db.c:145)
==246==    by 0x8B2FB: gatt_db_attribute_read_result (gatt-db.c:1866)
==246==    by 0x3AB0B: db_hash_read_cb (gatt-database.c:1156)
==246==    by 0x8B1AB: gatt_db_attribute_read (gatt-db.c:1825)
==246==    by 0x87DB7: process_read_by_type (gatt-server.c:482)
==246==    by 0x8854F: read_by_type_cb (gatt-server.c:559)
==246==    by 0x81727: handle_notify (att.c:966)
==246==    by 0x81873: can_read_data (att.c:1057)
==246==    by 0x8B91B: watch_callback (io-glib.c:170)
==246==    by 0x488A413: g_main_context_dispatch (in
/usr/lib/libglib-2.0.so.0.5600.3)
==246==  If you believe this happened as a result of a stack
==246==  overflow in your program's main thread (unlikely but
==246==  possible), you can try to increase the size of the
==246==  main thread stack using the --main-stacksize= flag.
==246==  The main thread stack size used in this run was 8388608.
/usr/bin/bluetoothd: can't resolve symbol '__libc_freeres'

Is it the crypto error that you expect?
Could you share a sha1 commit or a link to the patch to test the potential fix?

Thanks!


* Re: Segmentation fault in bluetoothd with btgatt-client
  2020-06-03 18:22     ` Arthur Lambert
@ 2020-06-03 21:06       ` Luiz Augusto von Dentz
  2020-06-04  8:15         ` Arthur Lambert
  0 siblings, 1 reply; 7+ messages in thread
From: Luiz Augusto von Dentz @ 2020-06-03 21:06 UTC (permalink / raw)
  To: Arthur Lambert; +Cc: linux-bluetooth

Hi Arthur,

On Wed, Jun 3, 2020 at 11:22 AM Arthur Lambert
<lambertarthur22@gmail.com> wrote:
>
> Hi Luiz,
> thanks for your reply!
>
> Sorry, I am lazy and stupid. I know that your next question will be
> around symbols...
>
> After removing the binary strip option and enabling debug symbols:
>
> bluetoothd[246]: src/device.c:device_svc_resolved()
> /org/bluez/hci0/dev_80_32_53_37_58_A6 err -5
> bluetoothd[246]: src/device.c:gatt_debug() Read By Grp Type - start:
> 0x00bb end: 0xffff
> bluetoothd[246]: src/device.c:gatt_debug() Read By Grp Type - start:
> 0x0001 end: 0xffff
> bluetoothd[246]: src/device.c:gatt_debug() Read By Type - start:
> 0x0001 end: 0x00ba
> bluetoothd[246]: src/device.c:gatt_debug() Read By Type - start:
> 0x0001 end: 0x00ba
> bluetoothd[246]: src/device.c:gatt_debug() Read By Type - start:
> 0x002a end: 0x00ba
> bluetoothd[246]: src/device.c:gatt_debug() Read By Type - start:
> 0x0053 end: 0x00ba
> bluetoothd[246]: src/device.c:gatt_debug() Read By Type - start:
> 0x007a end: 0x00ba
> bluetoothd[246]: src/device.c:gatt_debug() Read By Type - start:
> 0x00a3 end: 0x00ba
> bluetoothd[246]: src/device.c:gatt_debug() Read By Type - start:
> 0x00ba end: 0x00ba
> bluetoothd[246]: src/device.c:gatt_debug() Read By Type - start:
> 0x0001 end: 0xffff
> bluetoothd[246]: src/gatt-database.c:db_hash_read_cb() Database Hash read
> ==246== Invalid read of size 1
> ==246==    at 0x4831BA4: memcpy (vg_replace_strmem.c:1035)
> ==246==    by 0x87F3B: read_by_type_read_complete_cb (gatt-server.c:392)
> ==246==    by 0x892AB: pending_read_result (gatt-db.c:145)
> ==246==    by 0x8B2FB: gatt_db_attribute_read_result (gatt-db.c:1866)
> ==246==    by 0x3AB0B: db_hash_read_cb (gatt-database.c:1156)
> ==246==    by 0x8B1AB: gatt_db_attribute_read (gatt-db.c:1825)
> ==246==    by 0x87DB7: process_read_by_type (gatt-server.c:482)
> ==246==    by 0x8854F: read_by_type_cb (gatt-server.c:559)
> ==246==    by 0x81727: handle_notify (att.c:966)
> ==246==    by 0x81873: can_read_data (att.c:1057)
> ==246==    by 0x8B91B: watch_callback (io-glib.c:170)
> ==246==    by 0x488A413: g_main_context_dispatch (in
> /usr/lib/libglib-2.0.so.0.5600.3)
> ==246==  Address 0x0 is not stack'd, malloc'd or (recently) free'd
> ==246==
> ==246==
> ==246== Process terminating with default action of signal 11 (SIGSEGV)
> ==246==  Access not within mapped region at address 0x0
> ==246==    at 0x4831BA4: memcpy (vg_replace_strmem.c:1035)
> ==246==    by 0x87F3B: read_by_type_read_complete_cb (gatt-server.c:392)
> ==246==    by 0x892AB: pending_read_result (gatt-db.c:145)
> ==246==    by 0x8B2FB: gatt_db_attribute_read_result (gatt-db.c:1866)
> ==246==    by 0x3AB0B: db_hash_read_cb (gatt-database.c:1156)
> ==246==    by 0x8B1AB: gatt_db_attribute_read (gatt-db.c:1825)
> ==246==    by 0x87DB7: process_read_by_type (gatt-server.c:482)
> ==246==    by 0x8854F: read_by_type_cb (gatt-server.c:559)
> ==246==    by 0x81727: handle_notify (att.c:966)
> ==246==    by 0x81873: can_read_data (att.c:1057)
> ==246==    by 0x8B91B: watch_callback (io-glib.c:170)
> ==246==    by 0x488A413: g_main_context_dispatch (in
> /usr/lib/libglib-2.0.so.0.5600.3)
> ==246==  If you believe this happened as a result of a stack
> ==246==  overflow in your program's main thread (unlikely but
> ==246==  possible), you can try to increase the size of the
> ==246==  main thread stack using the --main-stacksize= flag.
> ==246==  The main thread stack size used in this run was 8388608.
> /usr/bin/bluetoothd: can't resolve symbol '__libc_freeres'
>
> Is it the crypto error that you expect?
> Could you share a sha1 commit or a link to the patch to test the potential fix?

I've just pushed the fix:

commit 41a5413023fa85bc711d461eb736a0624542df2d
Author: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Date:   Wed Jun 3 10:31:59 2020 -0700

    gatt: Fix possible crash when unable to generate hash


-- 
Luiz Augusto von Dentz

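The crash chain in the backtrace above (a Database Hash read handing a NULL value down to memcpy when no crypto is available) and the shape of a guard against it, as an added example in C that is not BlueZ code: every function name below is a hypothetical stand-in for the frames in the backtrace, the sample hash is a constructed value, and the ATT error code used is the generic "Unlikely Error".

```c
/* Added example (not BlueZ code): a model of the read path in the thread's
 * backtrace (read_by_type_cb -> db_hash_read_cb -> gatt_db_attribute_read_result
 * -> read_by_type_read_complete_cb -> memcpy). Every name is a hypothetical
 * stand-in; the real fix is commit 41a5413 and may be shaped differently. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DB_HASH_LEN 16
#define ATT_ECODE_UNLIKELY 0x0E /* ATT "Unlikely Error": read cannot be served */

enum read_outcome {
    READ_OK,          /* value copied into the response */
    READ_ATT_ERROR,   /* server answered with an ATT Error Response */
    READ_WOULD_FAULT  /* stand-in for the memcpy from NULL valgrind reported */
};

struct att_response {
    enum read_outcome outcome;
    uint8_t ecode;
    size_t len;
    uint8_t value[DB_HASH_LEN];
};

/* Stand-in for the hash generator. The Database Hash (UUID 0x2B2A) is an
 * AES-CMAC over the attribute table; without crypto support there is nothing
 * to return, which is the condition Luiz points at in the thread. */
static const uint8_t *model_db_get_hash(bool crypto_available)
{
    /* Constructed sample value, not a real hash. */
    static const uint8_t sample_hash[DB_HASH_LEN] = {
        0xA0, 0xA1, 0xA2, 0xA3, 0xA4, 0xA5, 0xA6, 0xA7,
        0xA8, 0xA9, 0xAA, 0xAB, 0xAC, 0xAD, 0xAE, 0xAF };
    return crypto_available ? sample_hash : NULL;
}

/* Models read_by_type_read_complete_cb: it trusts the (value, len) pair it is
 * handed, like the frame at gatt-server.c:392 in the backtrace. Instead of
 * dereferencing NULL, the model records that the copy would fault. */
static void read_complete_cb(struct att_response *rsp, uint8_t ecode,
                             const uint8_t *value, size_t len)
{
    memset(rsp, 0, sizeof(*rsp));
    if (ecode) {
        rsp->outcome = READ_ATT_ERROR;
        rsp->ecode = ecode;
        return;
    }
    if (!value && len) {
        rsp->outcome = READ_WOULD_FAULT;  /* memcpy(rsp->value, NULL, 16) */
        return;
    }
    if (len > sizeof(rsp->value))
        len = sizeof(rsp->value);
    memcpy(rsp->value, value, len);
    rsp->outcome = READ_OK;
    rsp->len = len;
}

/* Read callback as the crash implies it behaved: the hash pointer goes down
 * with a fixed length of 16 and is never checked for NULL. */
static void db_hash_read_cb_unguarded(struct att_response *rsp, bool crypto)
{
    read_complete_cb(rsp, 0, model_db_get_hash(crypto), DB_HASH_LEN);
}

/* Hardened read callback: a missing hash becomes an ATT Error Response, so
 * the client gets a well-formed failure and the daemon keeps running. */
static void db_hash_read_cb_guarded(struct att_response *rsp, bool crypto)
{
    const uint8_t *hash = model_db_get_hash(crypto);
    if (!hash) {
        read_complete_cb(rsp, ATT_ECODE_UNLIKELY, NULL, 0);
        return;
    }
    read_complete_cb(rsp, 0, hash, DB_HASH_LEN);
}

/* Serve one Database Hash read through either callback and return the result. */
struct att_response serve_db_hash_read(bool guarded, bool crypto)
{
    struct att_response rsp;

    if (guarded)
        db_hash_read_cb_guarded(&rsp, crypto);
    else
        db_hash_read_cb_unguarded(&rsp, crypto);
    return rsp;
}

int main(void)
{
    static const char *names[] = { "ok", "ATT error", "would fault (SIGSEGV)" };

    for (int g = 0; g < 2; g++)
        for (int c = 0; c < 2; c++)
            printf("%s, crypto %s: %s\n", g ? "guarded" : "unguarded",
                   c ? "available" : "unavailable",
                   names[serve_db_hash_read(g, c).outcome]);
    return 0;
}
```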

* Re: Segmentation fault in bluetoothd with btgatt-client
  2020-06-03 21:06       ` Luiz Augusto von Dentz
@ 2020-06-04  8:15         ` Arthur Lambert
  2020-06-09 12:12           ` Arthur Lambert
  0 siblings, 1 reply; 7+ messages in thread
From: Arthur Lambert @ 2020-06-04  8:15 UTC (permalink / raw)
  To: Luiz Augusto von Dentz; +Cc: linux-bluetooth

Hi Luiz,

I just tested your fix! It is working perfectly \o/.

I will probably add a kind of watchdog to check that bluetoothd is
always alive on my device and reset it in case of failure, just in case.

Is it possible that this crash happened when a mobile app tried to
connect to my embedded device?
Or is it possible that this issue impacts the cached service/characteristic
feature? I am not sure I fully understand the perimeter of the issue.
We have had a problem with the cache update for a few weeks. Basically, the
problem is that the mobile app is doing requests on bad characteristics
after a firmware update with new characteristics available.
The problem was already present but very, very rare. With my last
firmware update, it is more frequent.
It is like the mobile app is using the old UUID mapping. The issue
happened after the BlueZ update from 5.52 to 5.54. But we are not sure
that the issue is related to BlueZ. It can also be related to the phone.
It is weird also because the issue happens only with Android; iOS
is just fine.

Thank you for your quick fix and reply!


On Wed, Jun 3, 2020 at 11:06 PM, Luiz Augusto von Dentz
<luiz.dentz@gmail.com> wrote:
>
> Hi Arthur,
>
> On Wed, Jun 3, 2020 at 11:22 AM Arthur Lambert
> <lambertarthur22@gmail.com> wrote:
> >
> > Hi Luiz,
> > thanks for your reply!
> >
> > Sorry, I am lazy and stupid. I know that your next question will be
> > around symbols...
> >
> > After removing the binary strip option and enabling debug symbols:
> >
> > bluetoothd[246]: src/device.c:device_svc_resolved()
> > /org/bluez/hci0/dev_80_32_53_37_58_A6 err -5
> > bluetoothd[246]: src/device.c:gatt_debug() Read By Grp Type - start:
> > 0x00bb end: 0xffff
> > bluetoothd[246]: src/device.c:gatt_debug() Read By Grp Type - start:
> > 0x0001 end: 0xffff
> > bluetoothd[246]: src/device.c:gatt_debug() Read By Type - start:
> > 0x0001 end: 0x00ba
> > bluetoothd[246]: src/device.c:gatt_debug() Read By Type - start:
> > 0x0001 end: 0x00ba
> > bluetoothd[246]: src/device.c:gatt_debug() Read By Type - start:
> > 0x002a end: 0x00ba
> > bluetoothd[246]: src/device.c:gatt_debug() Read By Type - start:
> > 0x0053 end: 0x00ba
> > bluetoothd[246]: src/device.c:gatt_debug() Read By Type - start:
> > 0x007a end: 0x00ba
> > bluetoothd[246]: src/device.c:gatt_debug() Read By Type - start:
> > 0x00a3 end: 0x00ba
> > bluetoothd[246]: src/device.c:gatt_debug() Read By Type - start:
> > 0x00ba end: 0x00ba
> > bluetoothd[246]: src/device.c:gatt_debug() Read By Type - start:
> > 0x0001 end: 0xffff
> > bluetoothd[246]: src/gatt-database.c:db_hash_read_cb() Database Hash read
> > ==246== Invalid read of size 1
> > ==246==    at 0x4831BA4: memcpy (vg_replace_strmem.c:1035)
> > ==246==    by 0x87F3B: read_by_type_read_complete_cb (gatt-server.c:392)
> > ==246==    by 0x892AB: pending_read_result (gatt-db.c:145)
> > ==246==    by 0x8B2FB: gatt_db_attribute_read_result (gatt-db.c:1866)
> > ==246==    by 0x3AB0B: db_hash_read_cb (gatt-database.c:1156)
> > ==246==    by 0x8B1AB: gatt_db_attribute_read (gatt-db.c:1825)
> > ==246==    by 0x87DB7: process_read_by_type (gatt-server.c:482)
> > ==246==    by 0x8854F: read_by_type_cb (gatt-server.c:559)
> > ==246==    by 0x81727: handle_notify (att.c:966)
> > ==246==    by 0x81873: can_read_data (att.c:1057)
> > ==246==    by 0x8B91B: watch_callback (io-glib.c:170)
> > ==246==    by 0x488A413: g_main_context_dispatch (in
> > /usr/lib/libglib-2.0.so.0.5600.3)
> > ==246==  Address 0x0 is not stack'd, malloc'd or (recently) free'd
> > ==246==
> > ==246==
> > ==246== Process terminating with default action of signal 11 (SIGSEGV)
> > ==246==  Access not within mapped region at address 0x0
> > ==246==    at 0x4831BA4: memcpy (vg_replace_strmem.c:1035)
> > ==246==    by 0x87F3B: read_by_type_read_complete_cb (gatt-server.c:392)
> > ==246==    by 0x892AB: pending_read_result (gatt-db.c:145)
> > ==246==    by 0x8B2FB: gatt_db_attribute_read_result (gatt-db.c:1866)
> > ==246==    by 0x3AB0B: db_hash_read_cb (gatt-database.c:1156)
> > ==246==    by 0x8B1AB: gatt_db_attribute_read (gatt-db.c:1825)
> > ==246==    by 0x87DB7: process_read_by_type (gatt-server.c:482)
> > ==246==    by 0x8854F: read_by_type_cb (gatt-server.c:559)
> > ==246==    by 0x81727: handle_notify (att.c:966)
> > ==246==    by 0x81873: can_read_data (att.c:1057)
> > ==246==    by 0x8B91B: watch_callback (io-glib.c:170)
> > ==246==    by 0x488A413: g_main_context_dispatch (in
> > /usr/lib/libglib-2.0.so.0.5600.3)
> > ==246==  If you believe this happened as a result of a stack
> > ==246==  overflow in your program's main thread (unlikely but
> > ==246==  possible), you can try to increase the size of the
> > ==246==  main thread stack using the --main-stacksize= flag.
> > ==246==  The main thread stack size used in this run was 8388608.
> > /usr/bin/bluetoothd: can't resolve symbol '__libc_freeres'
> >
> > Is it the crypto error that you expect?
> > Could you share a commit SHA-1 or a link to the patch to test the potential fix?
>
> I've just pushed the fix:
>
> commit 41a5413023fa85bc711d461eb736a0624542df2d
> Author: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
> Date:   Wed Jun 3 10:31:59 2020 -0700
>
>     gatt: Fix possible crash when unable to generate hash
>
>
> --
> Luiz Augusto von Dentz



-- 
- Arthur LAMBERT

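The call chain in the backtrace quoted above, reduced to its essentials, as an added illustration. This is not bluez code and it is not the change in commit 41a5413023fa85bc711d461eb736a0624542df2d; the struct and function names, the stub database and the ATT error code used for the failure case are assumptions made for the example (the 16-byte length is that of the GATT Database Hash). The shape of the bug is visible in the trace: a remote Read By Type request reaches the Database Hash read handler, which passes a (pointer, length) pair to a completion callback that memcpy()s it into the response. When the hash could not be generated the pointer is NULL while the length is still non-zero, so the copy reads from address 0 and the daemon dies with SIGSEGV, which is exactly what valgrind reports ("Address 0x0 is not stack'd, malloc'd or (recently) free'd"). The hardened variant answers the request with an ATT error instead of touching memory.

```c
#include <assert.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HASH_LEN 16               /* GATT Database Hash is 128 bits */
#define ATT_ECODE_UNLIKELY 0x0e   /* ATT "Unlikely Error" (chosen for the example) */

/* What the completion path produces for the remote Read By Type request. */
struct read_result {
    uint8_t ecode;                /* 0 = success, otherwise an ATT error code */
    size_t  len;
    uint8_t value[HASH_LEN];
};

/* Stand-in for the GATT database (hypothetical). hash_available == false
 * models a device whose crypto backend could not compute the hash. */
struct db_stub {
    bool    hash_available;
    uint8_t hash[HASH_LEN];
};

static const uint8_t *db_get_hash(const struct db_stub *db)
{
    return db->hash_available ? db->hash : NULL;   /* NULL on failure */
}

/* Vulnerable completion path: assumes value != NULL whenever len > 0.
 * Called with (NULL, 16) it executes memcpy(dst, NULL, 16), i.e. the
 * "Access not within mapped region at address 0x0" in the backtrace. */
static void read_complete_unsafe(struct read_result *out,
                                 const uint8_t *value, size_t len)
{
    out->ecode = 0;
    out->len = len;
    memcpy(out->value, value, len);
}

/* Hardened completion path: a missing value, or a length the response
 * buffer cannot hold, becomes an ATT error instead of a memory access. */
static void read_complete_safe(struct read_result *out,
                               const uint8_t *value, size_t len)
{
    if (value == NULL || len > sizeof(out->value)) {
        out->ecode = ATT_ECODE_UNLIKELY;
        out->len = 0;
        return;
    }
    out->ecode = 0;
    out->len = len;
    memcpy(out->value, value, len);
}

/* Equivalent of the "Database Hash read" handler: fetch the hash and hand
 * (pointer, fixed length) to the completion path selected by 'safe'. */
static struct read_result handle_hash_read(const struct db_stub *db, bool safe)
{
    struct read_result r = { 0 };
    const uint8_t *hash = db_get_hash(db);

    if (safe)
        read_complete_safe(&r, hash, HASH_LEN);
    else
        read_complete_unsafe(&r, hash, HASH_LEN);
    return r;
}

int main(void)
{
    /* Constructed sample hash; remaining bytes are zero. */
    struct db_stub db = { .hash_available = true,
                          .hash = { 0xde, 0xad, 0xbe, 0xef } };
    struct read_result r;

    r = handle_hash_read(&db, false);   /* hash present: both paths are fine */
    assert(r.ecode == 0 && r.len == HASH_LEN);

    db.hash_available = false;          /* crypto failure: db_get_hash() -> NULL */
    r = handle_hash_read(&db, true);    /* safe path: error response, no crash */
    printf("ecode=0x%02x len=%zu\n", r.ecode, r.len);

    /* handle_hash_read(&db, false) at this point reproduces the SIGSEGV. */
    return 0;
}
```

Running the commented-out unsafe call with the hash unavailable under valgrind gives the same "Invalid read" at memcpy followed by signal 11 as in the log. The practical point for anyone shipping a daemon like this: the trigger is an ordinary ATT read from the peer, so a watchdog that restarts bluetoothd hides the symptom but does not stop a connecting device from knocking the daemon over again; the check for a NULL value in the completion path is what removes the crash.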

* Re: Segmentation fault in bluetoothd with btgatt-client
  2020-06-04  8:15         ` Arthur Lambert
@ 2020-06-09 12:12           ` Arthur Lambert
  0 siblings, 0 replies; 7+ messages in thread
From: Arthur Lambert @ 2020-06-09 12:12 UTC (permalink / raw)
  To: Luiz Augusto von Dentz; +Cc: linux-bluetooth

Hi Luiz,

I have 25 devices running with Bluez 5.54 + the fix that you pushed. I
still get segmentation faults, but not very frequently. I have a daemon
which checks that bluetoothd is always alive. The check runs every
minute.
Twice, my watchdog detected that bluetoothd was not running anymore. In
both cases it was just after a disconnect. But I don't know if the
disconnect is triggered by the crash of bluetoothd or if the crash
happened just after.

I cannot reproduce it in a deterministic way. I cannot deploy valgrind
on all devices, of course. Is there another way to share data with you
to help you fix/understand the issue?

Arthur.

On Thu, 4 Jun 2020 at 10:15, Arthur Lambert
<lambertarthur22@gmail.com> wrote:
>
> Hi Luiz,
>
> I just tested your fix! It is working perfectly \o/.
>
> I will probably add a kind of watchdog to check that bluetoothd is
> always alive on my device, to reset it in case of failure, just in case.
>
> Is it possible that this crash happened when a mobile app tried to
> connect to my embedded device?
> Or is it possible that this issue impacts the cached service/characteristic
> feature? I am not sure I fully understand the scope of the issue.
> We have had a problem with the cache update for a few weeks. Basically the
> problem is that the mobile app is making requests on bad characteristics
> after a firmware update with a new characteristic available.
> The problem was already present but very, very rare. With my last
> firmware update, it is more frequent.
> It is like the mobile app is using the old UUID mapping. The issue
> appeared after the Bluez update from 5.52 to 5.54. But we are not sure
> that the issue is related to Bluez. It can also be related to the phone.
> It is also weird because the issue happens only with Android; iOS is just fine.
>
> Thank you for your quick fix and reply!
>
> --
> - Arthur LAMBERT



-- 
- Arthur LAMBERT


end of thread, other threads:[~2020-06-09 12:12 UTC | newest]

Thread overview: 7+ messages
2020-06-03  9:40 Segmentation fault in bluetoothd with btgatt-client Arthur Lambert
2020-06-03 17:17 ` Luiz Augusto von Dentz
2020-06-03 17:58   ` Luiz Augusto von Dentz
2020-06-03 18:22     ` Arthur Lambert
2020-06-03 21:06       ` Luiz Augusto von Dentz
2020-06-04  8:15         ` Arthur Lambert
2020-06-09 12:12           ` Arthur Lambert
