segfault when CCD are present in two different HOG services

Bug #1836809 reported by Mathieu Stephan
Affects            Status     Importance  Assigned to  Milestone
Bluez Utilities    Confirmed  Medium
bluez (Ubuntu)     Won't Fix  High        Unassigned

Bug Description

Hello everyone,

We are currently developing a device that contains two HID services.
That device, as it is right now, is properly functioning on Windows & Android.
However, when pairing the device on Linux running bluez 5.50 we do get segfaults (see attached files).
Our bluetooth device has 4 services: 1 battery service, 2 HID Over GATT services and 1 device information service.
With trial and error, we managed to find that we wouldn't get any crash as long as only 1 HOG service was present.

Here's the interesting part. The two HOG services are made as follows:
- standard keyboard over GATT: protocol mode / report map / 1 INPUT report / boot INPUT + OUTPUT / HID information / HID control point
- raw HID over GATT: report map / 1 INPUT report / 1 OUTPUT report / HID information / HID control point

Looking at the write_ccc in the call stacks, we wondered if the callbacks subscribing to notifications for the INPUT reports were causing this issue.

We therefore changed the raw HID over GATT (and its report map) to remove the INPUT report and change it into 1 OUTPUT report (leading to 2 OUTPUT reports): no crash.

We therefore hypothesize that the segfault occurs when subscribing to notifications on a second HOG service...

Tags: disco
Revision history for this message
Mathieu Stephan (limpkin) wrote :
Revision history for this message
Daniel van Vugt (vanvugt) wrote :

Thanks for the bug report.

Please tell us what version of Ubuntu you are using. Then please report the problem to the BlueZ developers at:

  https://bugzilla.kernel.org (Product: Drivers, Component: Bluetooth)

and then tell us the new bug ID.

Changed in bluez (Ubuntu):
status: New → Incomplete
Revision history for this message
In bugzilla.kernel.org bug 204201, mathieu.stephan (mathieu.stephan-linux-kernel-bugs) wrote :

Created attachment 283773
callstacks


Revision history for this message
Mathieu Stephan (limpkin) wrote :

Ubuntu 18.10

bug id 204201

thanks!

Revision history for this message
Daniel van Vugt (vanvugt) wrote :

Thanks.

Please note Ubuntu 18.10 reaches end-of-life this month, so please upgrade to 19.04.

tags: added: cosmic
Changed in bluez (Ubuntu):
status: Incomplete → New
Revision history for this message
Mathieu Stephan (limpkin) wrote :

Noted! Anyway we already had installed the latest bluez version - 5.50.

Revision history for this message
Daniel van Vugt (vanvugt) wrote :

Thank you for reporting this bug to Ubuntu.
Ubuntu 18.10 (cosmic) reached end-of-life on July 18, 2019.

See this document for currently supported Ubuntu releases:
https://wiki.ubuntu.com/Releases

We appreciate that this bug may be old and you might not be interested in discussing it any more. But if you are then please upgrade to the latest Ubuntu version and re-test. If you then find the bug is still present in the newer Ubuntu version, please add a comment here telling us which new version it is in and change the bug status to Confirmed.

Changed in bluez (Ubuntu):
status: New → Won't Fix
Revision history for this message
Daniel van Vugt (vanvugt) wrote :

Reopened per bug 1837467.

tags: added: disco
removed: cosmic
Changed in bluez (Ubuntu):
status: Won't Fix → New
Revision history for this message
Oliver Toth (dexol12) wrote :

Hello,

We have done some further investigation.
During device pairing bluez is crashing.
From debugging I can see the 2 hog services with the correct attributes; then one of the 2 hog services reaches ref_count 0, hence it gets freed, but on the next read bluez tries to use a corrupted hog service and, while reading its attributes, we receive the segfault.
With normal behavior the next step would be "Report characteristic descriptor written: notifications enabled", but it crashes right before that.

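The two observations in this thread (the crash only appears once a second HoG service also carries an INPUT report, and one of the two service instances hits ref_count 0 before the next read) describe a reference-count imbalance turning into a use-after-free. The C program below is an illustration added for this page, not BlueZ code: it models two service instances holding one registration reference each, a CCC write per INPUT report that takes a temporary reference, and completions that run only after every write was queued. The per-device `pending` slot, and the buggy completion path that releases whatever that slot currently points at, are assumptions chosen so that the model reproduces the reported symptoms; they are not the confirmed BlueZ defect. Nothing is really free()d, so misuse is reported instead of segfaulting.

```c
/* Illustrative model of the refcount failure described in the thread.
 * NOT BlueZ code: the service layout, the 'pending' slot and the two-phase
 * write/completion ordering are assumptions made for this demo. */
#include <stdio.h>
#include <string.h>

#define MAX_SERVICES 2

struct hog_service {
    const char *label;   /* constructed labels, see device_init() */
    int input_reports;   /* INPUT reports whose CCC gets written at pairing */
    int ref_count;
    int freed;           /* stands in for free(); lets us detect misuse without crashing */
};

struct hog_device {
    struct hog_service svc[MAX_SERVICES];
    int nsvc;
    struct hog_service *pending; /* hypothetical per-device "service being set up" slot */
    int uaf_detected;
};

static void hog_ref(struct hog_service *s) { s->ref_count++; }

static void hog_unref(struct hog_service *s) {
    if (s->freed) return;
    if (--s->ref_count == 0)
        s->freed = 1;            /* the real daemon would call free() here */
}

/* Any access to a service instance; a hit on a freed one is the segfault. */
static int hog_access(struct hog_device *d, struct hog_service *s) {
    if (s->freed) { d->uaf_detected = 1; return -1; }
    return 0;
}

static void device_init(struct hog_device *d, int keyboard_inputs, int raw_inputs) {
    memset(d, 0, sizeof *d);
    d->svc[0] = (struct hog_service){ "keyboard-hog", keyboard_inputs, 1, 0 };
    d->svc[1] = (struct hog_service){ "raw-hid-hog",  raw_inputs,      1, 0 };
    d->nsvc = 2;
}

/* Phase 1: queue a CCC write per INPUT report; each pending write holds one
 * reference on its service until its completion runs. */
static void issue_ccc_writes(struct hog_device *d) {
    for (int i = 0; i < d->nsvc; i++)
        for (int r = 0; r < d->svc[i].input_reports; r++) {
            hog_ref(&d->svc[i]);
            d->pending = &d->svc[i];
        }
}

/* Phase 2: completions fire only after every write was queued. The buggy
 * path drops the reference on whatever 'pending' points at now; the fixed
 * path drops it on the service the completion actually belongs to. */
static void run_completions(struct hog_device *d, int buggy) {
    for (int i = 0; i < d->nsvc; i++)
        for (int r = 0; r < d->svc[i].input_reports; r++) {
            struct hog_service *s = buggy ? d->pending : &d->svc[i];
            if (hog_access(d, s) == 0)
                hog_unref(s);
        }
}

/* Phase 3: the "next read" from the thread, walking every registered instance. */
static void read_all_services(struct hog_device *d) {
    for (int i = 0; i < d->nsvc; i++)
        hog_access(d, &d->svc[i]);
}

static void run_scenario(struct hog_device *d, int kb_inputs, int raw_inputs, int buggy) {
    device_init(d, kb_inputs, raw_inputs);
    issue_ccc_writes(d);
    run_completions(d, buggy);
    read_all_services(d);
}

/* 1 if the modelled pairing touches a freed service, else 0. */
int pairing_crashes(int kb_inputs, int raw_inputs, int buggy) {
    struct hog_device d;
    run_scenario(&d, kb_inputs, raw_inputs, buggy);
    return d.uaf_detected;
}

/* 1 if, after pairing, every registered service is alive with exactly its
 * registration reference (no leak, no early free): the invariant a debug
 * build would assert right before the attribute read. */
int refcounts_balanced(int kb_inputs, int raw_inputs, int buggy) {
    struct hog_device d;
    run_scenario(&d, kb_inputs, raw_inputs, buggy);
    for (int i = 0; i < d.nsvc; i++)
        if (d.svc[i].freed || d.svc[i].ref_count != 1)
            return 0;
    return 1;
}

int main(void) {
    printf("two HoG, both with INPUT, buggy : crash=%d balanced=%d\n",
           pairing_crashes(1, 1, 1), refcounts_balanced(1, 1, 1));
    printf("raw HoG OUTPUT only, buggy      : crash=%d balanced=%d\n",
           pairing_crashes(1, 0, 1), refcounts_balanced(1, 0, 1));
    printf("two HoG, both with INPUT, fixed : crash=%d balanced=%d\n",
           pairing_crashes(1, 1, 0), refcounts_balanced(1, 1, 0));
    return 0;
}
```

With the modelled bug, one service ends up with a leaked reference and the other is freed while still registered, which is exactly the state the thread describes; a single HoG service, or a second one with only OUTPUT reports, never hits it because every completion then releases the service that was last queued. In the real daemon the same access shows up as a heap-use-after-free under AddressSanitizer or valgrind rather than as a bare segfault, which is the quickest way to confirm where the extra unref happens.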
Revision history for this message
Daniel van Vugt (vanvugt) wrote :

Please note that Bluetooth developers do not monitor Launchpad (AFAIK). So if you would like their feedback then please comment in the upstream bug instead:

  https://bugzilla.kernel.org/show_bug.cgi?id=204201

Changed in bluez (Ubuntu):
importance: Undecided → High
status: New → Triaged
Changed in bluez:
importance: Unknown → Medium
status: Unknown → Confirmed
Revision history for this message
Daniel van Vugt (vanvugt) wrote :

Thank you for reporting this bug to Ubuntu.
Ubuntu 19.04 (disco) reached end-of-life on January 23, 2020.

See this document for currently supported Ubuntu releases:
https://wiki.ubuntu.com/Releases

We appreciate that this bug may be old and you might not be interested in discussing it any more. But if you are then please upgrade to the latest Ubuntu version and re-test. If you then find the bug is still present in the newer Ubuntu version, please add a comment here telling us which new version it is in and change the bug status to Confirmed.

Changed in bluez (Ubuntu):
status: Triaged → Won't Fix