bluetoothd 5.56 segfaults when keyboard connects [SIGSEGV in get_report_cb() from notify_handler() from notify_handler() from queue_foreach() from queue_foreach()]

Bug #1924217 reported by John Bloom
Affects          Status        Importance  Assigned to  Milestone
Bluez Utilities  Fix Released  Unknown
bluez (Ubuntu)   Fix Released  High        Unassigned

Bug Description

https://errors.ubuntu.com/problem/e93420b383ce737e9a5dd894617135836bd75eb8

---

bluetoothd crashes when my Lenovo Trackpoint II keyboard connects. I see this in dmesg:
[ 58.257605] input: TrackPoint Keyboard II Keyboard as /devices/virtual/misc/uhid/0005:17EF:60E1.0005/input/input26
[ 58.258542] input: TrackPoint Keyboard II Mouse as /devices/virtual/misc/uhid/0005:17EF:60E1.0005/input/input27
[ 58.259561] input: TrackPoint Keyboard II Consumer Control as /devices/virtual/misc/uhid/0005:17EF:60E1.0005/input/input28
[ 58.259661] input: TrackPoint Keyboard II System Control as /devices/virtual/misc/uhid/0005:17EF:60E1.0005/input/input29
[ 58.260151] input: TrackPoint Keyboard II as /devices/virtual/misc/uhid/0005:17EF:60E1.0005/input/input31
[ 58.260267] hid-generic 0005:17EF:60E1.0005: input,hidraw4: BLUETOOTH HID v0.47 Keyboard [TrackPoint Keyboard II] on 10:4a:7d:01:8d:7f
[ 58.263556] bluetoothd[685]: segfault at 59 ip 00005574d1d10683 sp 00007ffd03bd7570 error 6 in bluetoothd[5574d1ce5000+a9000]
[ 58.263568] Code: 00 00 4c 8b 21 64 48 8b 04 25 28 00 00 00 48 89 84 24 38 11 00 00 31 c0 48 8d 6c 24 10 89 fb 49 89 c9 48 89 ef b9 23 02 00 00 <41> c7 44 24 58 00 00 00 00 f3 48 ab c7 44 24 10 0a 00 00 00 c7 07

This segfault is with bluez 5.56-0ubuntu3 in Ubuntu 21.04 (up-to-date as of today). It did not happen in 20.10.
When I downgraded bluez to 5.55-0ubuntu1.1 the problem went away.

ProblemType: Bug
DistroRelease: Ubuntu 21.04
Package: bluez 5.56-0ubuntu3
Uname: Linux 5.11.0-051100-generic x86_64
NonfreeKernelModules: nvidia_modeset nvidia
ApportVersion: 2.20.11-0ubuntu62
Architecture: amd64
CasperMD5CheckResult: unknown
CurrentDesktop: GNOME
Date: Wed Apr 14 21:03:29 2021
InstallationDate: Installed on 2021-02-26 (47 days ago)
InstallationMedia: Ubuntu 20.10 "Groovy Gorilla" - Release amd64 (20201022)
InterestingModules: rfcomm bnep btusb bluetooth
MachineType: LENOVO 20AW0006US
ProcEnviron:
 TERM=screen-256color
 PATH=(custom, no user)
 XDG_RUNTIME_DIR=<set>
 LANG=en_US.UTF-8
 SHELL=/bin/zsh
ProcKernelCmdLine: BOOT_IMAGE=/boot/vmlinuz-5.11.0-051100-generic root=UUID=d3f49081-f2cd-43ca-b9ed-bd8157d94ee3 ro quiet splash vt.handoff=7
SourcePackage: bluez
UpgradeStatus: Upgraded to hirsute on 2021-04-14 (0 days ago)
dmi.bios.date: 01/27/2015
dmi.bios.release: 2.31
dmi.bios.vendor: LENOVO
dmi.bios.version: GLET77WW (2.31 )
dmi.board.asset.tag: Not Available
dmi.board.name: 20AW0006US
dmi.board.vendor: LENOVO
dmi.board.version: 0B98401 WIN
dmi.chassis.asset.tag: No Asset Information
dmi.chassis.type: 10
dmi.chassis.vendor: LENOVO
dmi.chassis.version: Not Available
dmi.ec.firmware.release: 1.8
dmi.modalias: dmi:bvnLENOVO:bvrGLET77WW(2.31):bd01/27/2015:br2.31:efr1.8:svnLENOVO:pn20AW0006US:pvrThinkPadT440p:rvnLENOVO:rn20AW0006US:rvr0B98401WIN:cvnLENOVO:ct10:cvrNotAvailable:
dmi.product.family: ThinkPad T440p
dmi.product.name: 20AW0006US
dmi.product.sku: LENOVO_MT_20AW_BU_Think_FM_ThinkPad T440p
dmi.product.version: ThinkPad T440p
dmi.sys.vendor: LENOVO
hciconfig:
 hci0: Type: Primary Bus: USB
  BD Address: 10:4A:7D:01:8D:7F ACL MTU: 1021:5 SCO MTU: 96:5
  UP RUNNING
  RX bytes:267050 acl:16636 sco:0 events:966 errors:0
  TX bytes:28087 acl:371 sco:0 commands:388 errors:0
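
The "segfault at ... error 6 in bluetoothd[...]" line in the dmesg excerpt above already says a lot before a core file or the errors.ubuntu.com trace is available. The script below is an added triage example for this page; it is not part of bluez and not from the reporter. It decodes the x86 page-fault error bits, computes the faulting ip's offset inside the mapping the kernel reported, pulls the faulting instruction bytes out of the "Code:" dump, and builds the addr2line invocation. The sample log lines are copied from the bug description; the miniature ELF image at the bottom is constructed here only to exercise the program-header parser offline, and the binary path passed to addr2line is a placeholder that must point at the unstripped 5.56-0ubuntu3 amd64 bluetoothd (or its debug file) for the result to mean anything.

```python
"""Triage an x86-64 'segfault at ...' kernel message (added example, not bluez code)."""
import re
import struct

# Constructed input: the two kernel lines quoted in the bug description.
SEGFAULT_LINE = ("[ 58.263556] bluetoothd[685]: segfault at 59 ip 00005574d1d10683 "
                 "sp 00007ffd03bd7570 error 6 in bluetoothd[5574d1ce5000+a9000]")
CODE_LINE = ("[ 58.263568] Code: 00 00 4c 8b 21 64 48 8b 04 25 28 00 00 00 48 89 84 24 "
             "38 11 00 00 31 c0 48 8d 6c 24 10 89 fb 49 89 c9 48 89 ef b9 23 02 00 00 "
             "<41> c7 44 24 58 00 00 00 00 f3 48 ab c7 44 24 10 0a 00 00 00 c7 07")

_SEGFAULT_RE = re.compile(
    r"(?P<comm>[^\s\[]+)\[(?P<pid>\d+)\]: segfault at (?P<addr>[0-9a-f]+) "
    r"ip (?P<ip>[0-9a-f]+) sp (?P<sp>[0-9a-f]+) error (?P<err>\d+) "
    r"in (?P<obj>[^\s\[]+)\[(?P<base>[0-9a-f]+)\+(?P<size>[0-9a-f]+)\]")


def parse_segfault(line):
    """Decode an x86 'segfault at' line (printed by show_signal_msg in arch/x86/mm/fault.c).

    'error N' is the page-fault error code: bit 0 set = protection violation on a
    present page (clear = page not present), bit 1 = write, bit 2 = user mode,
    bit 4 = instruction fetch. 'in obj[start+len]' is the VMA containing ip, so
    'offset' is relative to that mapping, not to the ELF load address.
    """
    m = _SEGFAULT_RE.search(line)
    if m is None:
        raise ValueError("not an x86 segfault line: %r" % line)
    err = int(m["err"])
    ip, vma_start, vma_len = (int(m[k], 16) for k in ("ip", "base", "size"))
    return {
        "comm": m["comm"], "pid": int(m["pid"]), "obj": m["obj"],
        "addr": int(m["addr"], 16), "ip": ip, "sp": int(m["sp"], 16),
        "vma_start": vma_start, "vma_len": vma_len,
        "present": bool(err & 1), "write": bool(err & 2),
        "user": bool(err & 4), "ifetch": bool(err & 16),
        "offset": ip - vma_start,
        "ip_in_mapping": 0 <= ip - vma_start < vma_len,
    }


def faulting_bytes(code_line):
    """Return (bytes, index) from a 'Code:' dump. The kernel wraps the byte at the
    faulting ip in angle brackets, so bytes[index:] is the instruction that faulted."""
    m = re.search(r"Code: (.*)$", code_line)
    if m is None:
        raise ValueError("no Code: dump in line")
    data, index = bytearray(), None
    for i, tok in enumerate(m.group(1).split()):
        if tok.startswith("<"):
            index = i
            tok = tok.strip("<>")
        data.append(int(tok, 16))
    if index is None:
        raise ValueError("Code: dump has no <xx> marker")
    return bytes(data), index


def exec_segment_vaddr(elf_bytes):
    """p_vaddr of the first executable PT_LOAD in a little-endian ELF64 image.

    With -z separate-code (the default on current toolchains) .text lives in its
    own VMA, so the kernel's mapping start is load_bias + this p_vaddr, not the
    load bias itself; add it to 'offset' to get an address in the on-disk file.
    """
    if elf_bytes[:4] != b"\x7fELF" or elf_bytes[4] != 2 or elf_bytes[5] != 1:
        raise ValueError("not a little-endian ELF64 image")
    (e_phoff,) = struct.unpack_from("<Q", elf_bytes, 0x20)
    e_phentsize, e_phnum = struct.unpack_from("<HH", elf_bytes, 0x36)
    for i in range(e_phnum):
        p_type, p_flags, _p_offset, p_vaddr = struct.unpack_from(
            "<IIQQ", elf_bytes, e_phoff + i * e_phentsize)
        if p_type == 1 and p_flags & 1:  # PT_LOAD with PF_X
            return p_vaddr
    raise ValueError("no executable PT_LOAD segment")


def file_address(info, text_vaddr):
    """Translate the faulting ip into an address inside the on-disk binary."""
    return text_vaddr + info["offset"]


def addr2line_cmd(binary_path, file_addr):
    """Symbolisation command; binary_path must be the unstripped build that crashed."""
    return "addr2line -f -i -C -e %s 0x%x" % (binary_path, file_addr)


# Constructed stand-in ELF header plus two program headers (a read-only segment at 0
# and an executable one at 0x2b000). Not the real bluetoothd; only for offline use.
_FAKE_ELF = bytearray(64)
_FAKE_ELF[:6] = b"\x7fELF\x02\x01"
struct.pack_into("<Q", _FAKE_ELF, 0x20, 64)        # e_phoff
struct.pack_into("<HH", _FAKE_ELF, 0x36, 56, 2)    # e_phentsize, e_phnum
_FAKE_ELF += struct.pack("<IIQQQQQQ", 1, 4, 0, 0, 0, 0x1000, 0x1000, 0x1000)
_FAKE_ELF += struct.pack("<IIQQQQQQ", 1, 5, 0x2b000, 0x2b000, 0x2b000,
                         0xa9000, 0xa9000, 0x1000)

if __name__ == "__main__":
    info = parse_segfault(SEGFAULT_LINE)
    code, idx = faulting_bytes(CODE_LINE)
    print("%s[%d]: %s-mode %s to %#x (page %s), ip at %s+%#x" % (
        info["comm"], info["pid"], "user" if info["user"] else "kernel",
        "write" if info["write"] else "read", info["addr"],
        "present" if info["present"] else "not present", info["obj"], info["offset"]))
    print("faulting instruction bytes:", code[idx:idx + 9].hex())
    # /path/to/unstripped/bluetoothd is a placeholder for the matching debug build
    print(addr2line_cmd("/path/to/unstripped/bluetoothd",
                        file_address(info, exec_segment_vaddr(bytes(_FAKE_ELF)))))
```

Decoded by hand, the nine marked bytes 41 c7 44 24 58 00 00 00 00 are mov dword ptr [r12+0x58], 0, so the faulting write went through a pointer whose value was 1 (0x59 minus the 0x58 displacement), not a plain NULL; error 6 confirms a user-mode write to a page that was not present. The mapping offset 0x2b683 is only meaningful against the identical 5.56-0ubuntu3 amd64 build, with the text segment's p_vaddr taken from that build (readelf -lW shows the same program headers the parser above reads).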

Daniel van Vugt (vanvugt) wrote :

Thank you for taking the time to report this bug and helping to make Ubuntu better. It sounds like some part of the system has crashed. To help us find the cause of the crash please follow these steps:

1. Look in /var/crash for crash files and if found run:
    ubuntu-bug YOURFILE.crash
Then tell us the ID of the newly-created bug.

2. If step 1 failed then look at https://errors.ubuntu.com/user/ID where ID is the content of file /var/lib/whoopsie/whoopsie-id on the machine. Do you find any links to recent problems on that page? If so then please send the links to us.

3. If step 2 also failed then apply the workaround from bug 994921, reboot, reproduce the crash, and retry step 1.

Please take care to avoid attaching .crash files to bugs as we are unable to process them as file attachments. It would also be a security risk for yourself.

tags: added: regression-release
Changed in bluez (Ubuntu):
status: New → Incomplete
Daniel van Vugt (vanvugt) wrote :

Judging by the newness of the problem, the crash address and the logs, this looks like it's probably bug 1924220. But we will need you to follow the instructions in comment #2 to confirm that.

Daniel van Vugt (vanvugt) wrote :

Actually upstream bug report https://github.com/bluez/bluez/issues/112 confirms the symptoms.

summary: - bluetoothd segfaults when Trackpoint II keyboard connects
+ bluetoothd segfaults when Trackpoint II keyboard connects [SIGSEGV in
+ get_report_cb() from notify_handler() from notify_handler() from
+ queue_foreach() from queue_foreach()]
Changed in bluez (Ubuntu):
status: Incomplete → Confirmed
description: updated
Changed in bluez (Ubuntu):
status: Confirmed → Fix Committed
tags: added: fixed-in-5.57 fixed-upstream
summary: - bluetoothd segfaults when Trackpoint II keyboard connects [SIGSEGV in
- get_report_cb() from notify_handler() from notify_handler() from
- queue_foreach() from queue_foreach()]
+ bluetoothd segfaults when keyboard connects [SIGSEGV in get_report_cb()
+ from notify_handler() from notify_handler() from queue_foreach() from
+ queue_foreach()]
Changed in bluez (Ubuntu):
importance: Undecided → High
John Bloom (johnxx) wrote : Re: bluetoothd segfaults when keyboard connects [SIGSEGV in get_report_cb() from notify_handler() from notify_handler() from queue_foreach() from queue_foreach()]

I ran ubuntu-bug on the .crash file. The bug that created is here: https://bugs.launchpad.net/ubuntu/+source/bluez/+bug/1924221
I also did a quick build of bluez 5.58 and can confirm it does not seem to segfault when connecting my keyboard.

Changed in bluez:
status: Unknown → Fix Released
Daniel van Vugt (vanvugt) wrote :

Bug 1924221 is private so I can't see it. But I'm confident we have the right links now (unless you're experiencing multiple different crashes).

summary: - bluetoothd segfaults when keyboard connects [SIGSEGV in get_report_cb()
- from notify_handler() from notify_handler() from queue_foreach() from
- queue_foreach()]
+ bluetoothd 5.56 segfaults when keyboard connects [SIGSEGV in
+ get_report_cb() from notify_handler() from notify_handler() from
+ queue_foreach() from queue_foreach()]
John Bloom (johnxx) wrote :

That's the only crash I'm experiencing. I didn't intend to set the other bug as private, so I'm not sure what's up there.

Daniel van Vugt (vanvugt) wrote :

Private is the default state for crashes because those bugs could potentially contain personal information in crash data.

Daniel van Vugt (vanvugt) wrote :

Prepared a fix for future update 5.56-0ubuntu5 (approximately)

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package bluez - 5.56-0ubuntu4

---------------
bluez (5.56-0ubuntu4) hirsute; urgency=medium

  * Add hog-lib-Fix-crash-when-receiving-UHID_GET_REPORT.patch to fix crashes
    when connecting Bluetooth keyboards (LP: #1924217)

 -- Daniel van Vugt <email address hidden> Thu, 15 Apr 2021 14:47:04 +0800

Changed in bluez (Ubuntu):
status: Fix Committed → Fix Released