interfaces_added() calls spa_bt_quirks_get_features() with adapter=NULL
wireplumber crashed while handling my "Samsung Galaxy S7" bluetooth audio device during a system resume (after the system had been suspended): spa_bt_quirks_get_features(), called from interfaces_added(), was passed a NULL adapter.
It crashed dereferencing adapter->source_id (quirks.c:336 in the listing below). The device dump shows adapter = 0x0 while adapter_path is still "/org/bluez/hci0", and the journal shows "unknown adapter /org/bluez/hci0" logged immediately before the abort.
gdb:
(gdb) frame 0
#0 spa_bt_quirks_get_features (this=0x55ebfc7ce540, adapter=0x0, device=0x55ebfc7d0da0, features=0x7ffe69928740) at ../spa/plugins/bluez5/quirks.c:336
...
334 /* Adapter */
335 if (this->adapter_rules) {
336 uint32_t no_features = 0;
337 int nitems = 0;
338 char vendor_id[64], product_id[64], address[64];
339
340 if (spa_bt_format_vendor_product_id(
341 adapter->source_id, adapter->vendor_id, adapter->product_id,
342 vendor_id, sizeof(vendor_id), product_id, sizeof(product_id)) == 0) {
343 items[nitems++] = SPA_DICT_ITEM_INIT("vendor-id", vendor_id);
344 items[nitems++] = SPA_DICT_ITEM_INIT("product-id", product_id);
345 }
...
(gdb) where
#0 spa_bt_quirks_get_features (this=0x55ebfc7ce540, adapter=0x0, device=0x55ebfc7d0da0, features=0x7ffe69928740) at ../spa/plugins/bluez5/quirks.c:336
#1 0x00007ff8e04aec11 in device_update_hw_volume_profiles (device=0x55ebfc7d0da0) at ../spa/plugins/bluez5/bluez5-dbus.c:1300
#2 interface_added (conn=<optimized out>, props_iter=0x7ffe69928820, interface_name=<optimized out>, object_path=<optimized out>, monitor=0x55ebfc7c5ec8)
at ../spa/plugins/bluez5/bluez5-dbus.c:3610
#3 interfaces_added (monitor=monitor@entry=0x55ebfc7c5ec8, arg_iter=arg_iter@entry=0x7ffe69929180) at ../spa/plugins/bluez5/bluez5-dbus.c:3654
#4 0x00007ff8e04b029c in filter_cb (bus=<optimized out>, m=0x55ebfc8b9e10, user_data=0x55ebfc7c5ec8) at ../spa/plugins/bluez5/bluez5-dbus.c:3908
#5 0x00007ff8e1dff2e5 in dbus_connection_dispatch (connection=0x55ebfc7cfa20) at ../../dbus/dbus-connection.c:4704
#6 dbus_connection_dispatch (connection=0x55ebfc7cfa20) at ../../dbus/dbus-connection.c:4576
#7 0x00007ff8e1e5860a in dispatch_cb (userdata=0x55ebfc7cf0b0) at ../spa/plugins/support/dbus.c:96
#8 0x00007ff8efc6dedb in loop_iterate (object=0x55ebfc623378, timeout=<optimized out>) at ../spa/plugins/support/loop.c:337
#9 0x00007ff8efc0f146 in wp_loop_source_dispatch (s=0x55ebfc621350, callback=<optimized out>, user_data=<optimized out>) at ../lib/wp/core.c:41
#10 0x00007ff8efaac130 in g_main_dispatch (context=0x55ebfc61df30) at ../glib/gmain.c:3381
#11 g_main_context_dispatch (context=0x55ebfc61df30) at ../glib/gmain.c:4099
#12 0x00007ff8efb01208 in g_main_context_iterate.constprop.0 (context=0x55ebfc61df30, block=block@entry=1, dispatch=dispatch@entry=1, self=<optimized out>) at ../glib/gmain.c:4175
#13 0x00007ff8efaab853 in g_main_loop_run (loop=0x55ebfc61e050) at ../glib/gmain.c:4373
#14 0x000055ebfb06aadc in main (argc=<optimized out>, argv=<optimized out>) at ../src/main.c:434
(gdb) p *device
$11 = {
link = {
next = 0x55ebfc7c5f68,
prev = 0x55ebfc7c5f68
},
monitor = 0x55ebfc7c5ec8,
adapter = 0x0,
id = 2,
path = 0x55ebfc95d230 "/org/bluez/hci0/dev_94_B1_0A_69_ED_08",
alias = 0x55ebfc7b0b20 "Samsung Galaxy S7",
address = 0x55ebfc844490 "94:B1:0A:69:ED:08",
adapter_path = 0x55ebfc7b12f0 "/org/bluez/hci0",
battery_path = 0x55ebfc84aed0 "/org/freedesktop/pipewire/battery/org/bluez/hci0/dev_94_B1_0A_69_ED_08",
name = 0x55ebfc7dbd30 "Samsung Galaxy S7",
icon = 0x55ebfc84af20 "phone",
source_id = 1,
vendor_id = 117,
product_id = 256,
version_id = 513,
bluetooth_class = 5898764,
appearance = 0,
RSSI = 0,
paired = 1,
trusted = 1,
connected = 0,
blocked = 0,
profiles = 46,
connected_profiles = 0,
reconnect_profiles = 0,
reconnect_state = 0,
timer = {
loop = 0x0,
func = 0x0,
data = 0x0,
fd = 0,
mask = 0,
rmask = 0
},
remote_endpoint_list = {
next = 0x55ebfc7d0e58,
prev = 0x55ebfc7d0e58
},
transport_list = {
next = 0x55ebfc7d0e68,
prev = 0x55ebfc7d0e68
},
codec_switch_list = {
next = 0x55ebfc7d0e78,
prev = 0x55ebfc7d0e78
},
battery = 0 '\000',
has_battery = 0,
hw_volume_profiles = 63,
a2dp_volume_active = {false, false},
last_bluez_action_time = 103420266351785,
listener_list = {
list = {
next = 0x55ebfc7d0ea0,
prev = 0x55ebfc7d0ea0
}
},
added = false,
settings = 0x0,
battery_pending_call = 0x0
}
(gdb) p *monitor->quirks
$12 = {
log = 0x7ff8efc5d060 <wp_spa_log>,
force_msbc = -1,
force_hw_volume = -1,
force_sbc_xq = -1,
force_faststream = -1,
force_a2dp_duplex = -1,
device_rules = 0x55ebfc7ce580 "[\n # properties:\n # - name\n # - address (\"ff:ff:ff:ff:ff:ff\")\n # - vendor-id (\"bluetooth:ffff\", \"usb:ffff\")\n # - product-id\n # - version-id\n\n { name = \"Air 1 Plus\", no-features = "...,
adapter_rules = 0x55ebfc783c00 "[\n # properties:\n # - address (\"ff:ff:ff:ff:ff:ff\")\n # - bus-type (\"usb\", \"other\")\n # - vendor-id (\"usb:ffff\")\n # - product-id (\"ffff\")\n\n # Realtek Semiconductor Corp.\n { bus-type"...,
kernel_rules = 0x55ebfc7afc20 "[\n # properties (as in uname):\n # - sysname\n # - release\n # - version\n\n # See https://lore.kernel.org/linux-bluetooth/20201210012003.133000-1-tpiepho@gmail.com/\n # https://lore.kerne"...
}
Versions:
$ cat /etc/fedora-release
Fedora release 35 (Thirty Five)
$ rpm -qf /usr/lib64/spa/bluez5/libspa-bluez5.so
pipewire0.2-libs-0.2.7-6.fc35.x86_64
$ rpm -q wireplumber
wireplumber-0.4.7-2.fc35.x86_64
Logs:
Jan 18 16:33:01 apu kernel: Bluetooth: hci0: Bootloader revision 0.0 build 2 week 52 2014
Jan 18 16:33:01 apu kernel: done.
Jan 18 16:33:01 apu kernel: Bluetooth: hci0: Device revision is 5
Jan 18 16:33:01 apu kernel: Bluetooth: hci0: Secure boot is enabled
Jan 18 16:33:01 apu kernel: Bluetooth: hci0: OTP lock is enabled
Jan 18 16:33:01 apu kernel: Bluetooth: hci0: API lock is enabled
Jan 18 16:33:01 apu kernel: Bluetooth: hci0: Debug lock is disabled
Jan 18 16:33:01 apu kernel: Bluetooth: hci0: Minimum firmware build 1 week 10 2014
...
Jan 18 16:33:01 apu systemd[1754]: Reached target Bluetooth.
Jan 18 16:33:01 apu systemd[1]: systemd-suspend.service: Deactivated successfully.
Jan 18 16:33:01 apu systemd[1]: Finished System Suspend.
...
Jan 18 16:33:01 apu systemd[1]: Started Load/Save RF Kill Switch Status.
...
Jan 18 16:33:02 apu kernel: Bluetooth: hci0: Waiting for firmware download to complete
Jan 18 16:33:02 apu kernel: Bluetooth: hci0: Firmware loaded in 1604832 usecs
Jan 18 16:33:02 apu kernel: Bluetooth: hci0: Waiting for device to boot
Jan 18 16:33:02 apu kernel: Bluetooth: hci0: Device booted in 11698 usecs
Jan 18 16:33:02 apu kernel: Bluetooth: hci0: Found Intel DDC parameters: intel/ibt-11-5.ddc
Jan 18 16:33:02 apu kernel: Bluetooth: hci0: Applying Intel DDC parameters completed
Jan 18 16:33:02 apu kernel: Bluetooth: hci0: Reading supported features failed (-16)
Jan 18 16:33:02 apu kernel: Bluetooth: hci0: Firmware revision 0.0 build 10 week 41 2018
Jan 18 16:33:02 apu wireplumber[197119]: unknown adapter /org/bluez/hci0
Jan 18 16:33:02 apu audit[197119]: ANOM_ABEND auid=1000 uid=1000 gid=1000 ses=3 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 pid=197119 comm="wireplumber" exe="/usr/bin/>
Jan 18 16:33:02 apu kernel: wireplumber[197119]: segfault at 44 ip 00007ff8e0496a23 sp 00007ffe699283b0 error 4 in libspa-bluez5.so[7ff8e046e000+66000]
Jan 18 16:33:02 apu systemd-coredump[197412]: [LNK] Process 197119 (wireplumber) of user 1000 dumped core.
...
Stack trace of thread 197119:
#0 0x00007ff8e0496a23 spa_bt_quirks_get_features (libspa-bluez5.so + 0x30a23)
#1 0x00007ff8e04aec11 interfaces_added (libspa-bluez5.so + 0x48c11)
#2 0x00007ff8e04b029c filter_cb (libspa-bluez5.so + 0x4a29c)
#3 0x00007ff8e1dff2e5 dbus_connection_dispatch (libdbus-1.so.3 + 0x1b2e5)
#4 0x00007ff8e1e5860a dispatch_cb (libspa-dbus.so + 0x160a)
#5 0x00007ff8efc6dedb loop_iterate (libspa-support.so + 0x6edb)
#6 0x00007ff8efc0f146 wp_loop_source_dispatch (libwireplumber-0.4.so.0 + 0x21146)
#7 0x00007ff8efaac130 g_main_context_dispatch (libglib-2.0.so.0 + 0x55130)
#8 0x00007ff8efb01208 g_main_context_iterate.constprop.0 (libglib-2.0.so.0 + 0xaa208)
#9 0x00007ff8efaab853 g_main_loop_run (libglib-2.0.so.0 + 0x54853)
#10 0x000055ebfb06aadc main (wireplumber + 0x2adc)
#11 0x00007ff8ef781560 __libc_start_call_main (libc.so.6 + 0x2d560)
#12 0x00007ff8ef78160c __libc_start_main@@GLIBC_2.34 (libc.so.6 + 0x2d60c)
#13 0x000055ebfb06ad15 _start (wireplumber + 0x2d15)
Stack trace of thread 197122:
#0 0x00007ff8ef85973f __poll (libc.so.6 + 0x10573f)
#1 0x00007ff8efb0119c g_main_context_iterate.constprop.0 (libglib-2.0.so.0 + 0xaa19c)
#2 0x00007ff8efaa9933 g_main_context_iteration (libglib-2.0.so.0 + 0x52933)
#3 0x00007ff8efaa9981 glib_worker_main (libglib-2.0.so.0 + 0x52981)
#4 0x00007ff8efad6842 g_thread_proxy (libglib-2.0.so.0 + 0x7f842)
#5 0x00007ff8ef7e1a87 start_thread (libc.so.6 + 0x8da87)
#6 0x00007ff8ef866640 __clone3 (libc.so.6 + 0x112640)
Stack trace of thread 197125:
#0 0x00007ff8ef85973f __poll (libc.so.6 + 0x10573f)
#1 0x00007ff8efb0119c g_main_context_iterate.constprop.0 (libglib-2.0.so.0 + 0xaa19c)
#2 0x00007ff8efaab853 g_main_loop_run (libglib-2.0.so.0 + 0x54853)
#3 0x00007ff8ef684c0a gdbus_shared_thread_func.lto_priv.0 (libgio-2.0.so.0 + 0x113c0a)
#4 0x00007ff8efad6842 g_thread_proxy (libglib-2.0.so.0 + 0x7f842)
#5 0x00007ff8ef7e1a87 start_thread (libc.so.6 + 0x8da87)
#6 0x00007ff8ef866640 __clone3 (libc.so.6 + 0x112640)
Stack trace of thread 197121:
#0 0x00007ff8ef865c1e epoll_wait (libc.so.6 + 0x111c1e)
#1 0x00007ff8efc7a538 impl_pollfd_wait (libspa-support.so + 0x13538)
#2 0x00007ff8efc6de44 loop_iterate (libspa-support.so + 0x6e44)
#3 0x00007ff8ef9bf037 do_loop (libpipewire-0.3.so.0 + 0x46037)
#4 0x00007ff8ef7e1a87 start_thread (libc.so.6 + 0x8da87)
#5 0x00007ff8ef866640 __clone3 (libc.so.6 + 0x112640)