Double-close of file descriptor in backend-ofono (patch attached)
While testing a system that used oFono for telephony and the PulseAudio oFono backend, we noticed that PulseAudio would sometimes (perhaps 20% of the time) crash or behave strangely at the end of a phone call. There were a variety of different symptoms. A particularly common symptom was a system call failing with "Invalid file descriptor" or POLLNVAL.
Running PulseAudio under strace showed shutdown() being called at the end of a phone call on a file descriptor which was not a socket. I eventually noticed that the file descriptor obtained by calling acquire on the backend transport was closed by the Bluetooth device module, but it was also being closed by release in the oFono backend (but not the native backend, which seemed to work fine). Since PulseAudio is multi-threaded with new file descriptors being created and fd numbers recycled in different threads, this kicks off a chain of unpredictable behaviour.
The attached patch fixed the issue. I simply make the assumption that acquire means that the returned file descriptor has changed ownership and now belongs to the caller. As far as I know, this patch is ok to be applied as-is, but any feedback would be appreciated.
0001-backend-ofono-fix-double-close-of-file-descriptor.patch
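The hazard described above, as an added illustration that is not part of the mail or of the PulseAudio code: a constructed transport with an acquire that hands out a file descriptor, a buggy release that closes it again after the caller already has, and the fixed release that treats the descriptor as owned by the caller. Because open() returns the lowest free descriptor number, the caller's close followed by any other open() in the process recycles the number, so the second close in the buggy release silently destroys an unrelated descriptor. The names transport_acquire, transport_release_buggy, transport_release_fixed and run_scenario are assumptions made for this example.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <unistd.h>

/* Constructed model (not PulseAudio's code) of a backend transport that
 * hands a file descriptor to its caller. */
typedef struct {
    int fd;
} transport;

/* acquire: open a descriptor and return it to the caller.  In the fixed
 * model, ownership of the descriptor passes to the caller here. */
static int transport_acquire(transport *t)
{
    t->fd = open("/dev/null", O_RDONLY);
    return t->fd;
}

/* Buggy release: closes the descriptor even though the caller owns it and
 * has already closed it.  If the fd number has been reused in the meantime,
 * this closes somebody else's descriptor. */
static void transport_release_buggy(transport *t)
{
    if (t->fd >= 0)
        close(t->fd);
    t->fd = -1;
}

/* Fixed release: the caller owns the descriptor, so only forget it. */
static void transport_release_fixed(transport *t)
{
    t->fd = -1;
}

/* fcntl(F_GETFD) fails with EBADF on a closed descriptor number. */
static int fd_is_valid(int fd)
{
    return fcntl(fd, F_GETFD) != -1;
}

/* Replays the sequence from the report in a single thread:
 *   1. caller acquires the fd and, when done, closes it (it owns it);
 *   2. some other code path opens a new descriptor, which POSIX allocates
 *      as the lowest free number, i.e. the number just released;
 *   3. the backend's release runs.
 * Returns 1 if the unrelated descriptor was clobbered, 0 if it survived,
 * -1 on a setup failure. */
static int run_scenario(int buggy)
{
    transport t;
    int fd = transport_acquire(&t);
    if (fd < 0)
        return -1;

    close(fd);                             /* step 1: owner closes */

    int other = open("/dev/null", O_RDONLY); /* step 2: number recycled */
    if (other < 0)
        return -1;

    if (buggy)                             /* step 3: backend release */
        transport_release_buggy(&t);
    else
        transport_release_fixed(&t);

    int clobbered = !fd_is_valid(other);
    if (!clobbered)
        close(other);                      /* clean up only if still ours */
    return clobbered;
}

int main(void)
{
    printf("buggy release clobbers unrelated fd: %d\n", run_scenario(1));
    printf("fixed release clobbers unrelated fd: %d\n", run_scenario(0));
    return 0;
}
```

In a multi-threaded process the step-2 open() can happen on any thread, which is why the symptom in the report (shutdown() or poll() on a descriptor that is no longer a socket, EBADF, POLLNVAL) appears only some of the time and far from the code that caused it. An fcntl(F_GETFD) probe like the one above is a cheap way to confirm, in a debugger or a test, that a descriptor you believe you own is still open.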