sfos: Enable NFC pairing #1
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
mlehtima
approved these changes
Jul 20, 2021
[sailfish] Enable NFC pairing. JB#54815
ikamaletdinov
pushed a commit
to ikamaletdinov/bluez5
that referenced
this pull request
Feb 15, 2022
The following trace can be observed sometimes when pairing 2 emulator instances: src/adapter.c:store_link_key() Unable to load key file from /var/lib/bluetooth/9C:DA:3E:F2:8E:46/9C:B6:D0:8A:A0:0C/info: (No such file or directory) GLib: g_file_set_contents: assertion 'error == NULL || *error == NULL' failed ++++++++ backtrace ++++++++ sailfishos#1 btd_backtrace+0x28a (src/backtrace.c:59) [0x7f65bb5ab53a] sailfishos#2 g_logv+0x21c (/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0.6400.6) [0x7f65ba3f955c] sailfishos#3 g_log+0x93 (/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0.6400.6) [0x7f65ba3f9743] sailfishos#4 g_file_set_contents+0x68 (/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0.6400.6) [0x7f65ba3dca68] sailfishos#5 store_link_key+0x30a (src/adapter.c:8235) [0x7f65bb61839a] sailfishos#6 new_link_key_callback+0x474 (src/adapter.c:8285) [0x7f65bb62c904] sailfishos#7 queue_foreach+0x164 (src/shared/queue.c:203) [0x7f65bb722e34] sailfishos#8 can_read_data+0x59f (src/shared/mgmt.c:343) [0x7f65bb72e09f] sailfishos#9 watch_callback+0x112 (src/shared/io-glib.c:162) [0x7f65bb78acb2] sailfishos#10 g_main_context_dispatch+0x14e (/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0.6400.6) [0x7f65ba3f204e]
ikamaletdinov
pushed a commit
to ikamaletdinov/bluez5
that referenced
this pull request
Feb 16, 2022
The following trace can be observed sometimes when pairing 2 emulator instances: src/adapter.c:store_link_key() Unable to load key file from /var/lib/bluetooth/9C:DA:3E:F2:8E:46/9C:B6:D0:8A:A0:0C/info: (No such file or directory) GLib: g_file_set_contents: assertion 'error == NULL || *error == NULL' failed ++++++++ backtrace ++++++++ sailfishos#1 btd_backtrace+0x28a (src/backtrace.c:59) [0x7f65bb5ab53a] sailfishos#2 g_logv+0x21c (/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0.6400.6) [0x7f65ba3f955c] sailfishos#3 g_log+0x93 (/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0.6400.6) [0x7f65ba3f9743] sailfishos#4 g_file_set_contents+0x68 (/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0.6400.6) [0x7f65ba3dca68] sailfishos#5 store_link_key+0x30a (src/adapter.c:8235) [0x7f65bb61839a] sailfishos#6 new_link_key_callback+0x474 (src/adapter.c:8285) [0x7f65bb62c904] sailfishos#7 queue_foreach+0x164 (src/shared/queue.c:203) [0x7f65bb722e34] sailfishos#8 can_read_data+0x59f (src/shared/mgmt.c:343) [0x7f65bb72e09f] sailfishos#9 watch_callback+0x112 (src/shared/io-glib.c:162) [0x7f65bb78acb2] sailfishos#10 g_main_context_dispatch+0x14e (/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0.6400.6) [0x7f65ba3f204e]
ikamaletdinov
pushed a commit
to ikamaletdinov/bluez5
that referenced
this pull request
Mar 1, 2022
The following trace can be observed sometimes when pairing 2 emulator instances: src/adapter.c:store_link_key() Unable to load key file from /var/lib/bluetooth/9C:DA:3E:F2:8E:46/9C:B6:D0:8A:A0:0C/info: (No such file or directory) GLib: g_file_set_contents: assertion 'error == NULL || *error == NULL' failed ++++++++ backtrace ++++++++ sailfishos#1 btd_backtrace+0x28a (src/backtrace.c:59) [0x7f65bb5ab53a] sailfishos#2 g_logv+0x21c (/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0.6400.6) [0x7f65ba3f955c] sailfishos#3 g_log+0x93 (/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0.6400.6) [0x7f65ba3f9743] sailfishos#4 g_file_set_contents+0x68 (/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0.6400.6) [0x7f65ba3dca68] sailfishos#5 store_link_key+0x30a (src/adapter.c:8235) [0x7f65bb61839a] sailfishos#6 new_link_key_callback+0x474 (src/adapter.c:8285) [0x7f65bb62c904] sailfishos#7 queue_foreach+0x164 (src/shared/queue.c:203) [0x7f65bb722e34] sailfishos#8 can_read_data+0x59f (src/shared/mgmt.c:343) [0x7f65bb72e09f] sailfishos#9 watch_callback+0x112 (src/shared/io-glib.c:162) [0x7f65bb78acb2] sailfishos#10 g_main_context_dispatch+0x14e (/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0.6400.6) [0x7f65ba3f204e]
mlehtima
pushed a commit
that referenced
this pull request
Sep 7, 2022
The following trace can be observed sometimes when pairing 2 emulator instances: src/adapter.c:store_link_key() Unable to load key file from /var/lib/bluetooth/9C:DA:3E:F2:8E:46/9C:B6:D0:8A:A0:0C/info: (No such file or directory) GLib: g_file_set_contents: assertion 'error == NULL || *error == NULL' failed ++++++++ backtrace ++++++++ #1 btd_backtrace+0x28a (src/backtrace.c:59) [0x7f65bb5ab53a] #2 g_logv+0x21c (/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0.6400.6) [0x7f65ba3f955c] #3 g_log+0x93 (/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0.6400.6) [0x7f65ba3f9743] #4 g_file_set_contents+0x68 (/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0.6400.6) [0x7f65ba3dca68] #5 store_link_key+0x30a (src/adapter.c:8235) [0x7f65bb61839a] #6 new_link_key_callback+0x474 (src/adapter.c:8285) [0x7f65bb62c904] #7 queue_foreach+0x164 (src/shared/queue.c:203) [0x7f65bb722e34] #8 can_read_data+0x59f (src/shared/mgmt.c:343) [0x7f65bb72e09f] #9 watch_callback+0x112 (src/shared/io-glib.c:162) [0x7f65bb78acb2] #10 g_main_context_dispatch+0x14e (/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0.6400.6) [0x7f65ba3f204e]
mlehtima
pushed a commit
that referenced
this pull request
Sep 7, 2022
This patch fixes the out-of-bounds array access caught by the ASAN.
monitor/sdp.c:497:19: runtime error: index 8 out of bounds for type
'cont_data [8]'
=================================================================
==4180==ERROR: AddressSanitizer: global-buffer-overflow on address
0x7fe2d271a542 at pc 0x7fe2d174a57d bp 0x7ffc6dcac1d0 sp 0x7ffc6dcab978
WRITE of size 9 at 0x7fe2d271a542 thread T0
#0 0x7fe2d174a57c (/lib/x86_64-linux-gnu/libasan.so.5+0x9b57c)
#1 0x7fe2d23bae85 in search_attr_rsp monitor/sdp.c:692
#2 0x7fe2d23be3f1 in sdp_packet monitor/sdp.c:771
#3 0x7fe2d23b004c in l2cap_frame monitor/l2cap.c:3247
#4 0x7fe2d23b3d9c in l2cap_packet monitor/l2cap.c:3312
#5 0x7fe2d237d5c3 in packet_hci_acldata monitor/packet.c:11638
#6 0x7fe2d2381876 in packet_monitor monitor/packet.c:3967
#7 0x7fe2d230b285 in data_callback monitor/control.c:973
#8 0x7fe2d2447029 in mainloop_run src/shared/mainloop.c:106
#9 0x7fe2d2449306 in mainloop_run_with_signal src/shared/mainloop-notify.c:188
#10 0x7fe2d230324a in main monitor/main.c:290
#11 0x7fe2d0b440b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
#12 0x7fe2d2303b7d in _start (/home/han1/work/dev/bluez/monitor/btmon+0x1dbb7d)
0x7fe2d271a542 is located 30 bytes to the left of global variable 'tid_list'
defined in 'monitor/sdp.c:43:24' (0x7fe2d271a560) of size 384
0x7fe2d271a542 is located 2 bytes to the right of global variable 'cont_list'
defined in 'monitor/sdp.c:424:25' (0x7fe2d271a400) of size 320
SUMMARY: AddressSanitizer: global-buffer-overflow
(/lib/x86_64-linux-gnu/libasan.so.5+0x9b57c)
...
==4180==ABORTING
mlehtima
pushed a commit
that referenced
this pull request
Sep 7, 2022
This fixes the following error for invalid read access when registering
filter for incoming messages:
140632==ERROR: AddressSanitizer: stack-buffer-overflow on address...
#0 0x7f60c185741d in MemcmpInterceptorCommon(...
#1 0x7f60c1857af8 in __interceptor_memcmp (/lib64/libasan.so...
#2 0x55a10101536e in find_by_filter mesh/mesh-io-unit.c:494
#3 0x55a1010d8c46 in l_queue_remove_if ell/queue.c:517
#4 0x55a101014ebd in recv_register mesh/mesh-io-unit.c:506
#5 0x55a10102946f in mesh_net_attach mesh/net.c:2885
#6 0x55a101086f64 in send_reply mesh/dbus.c:153
#7 0x55a101124c3d in handle_method_return ell/dbus.c:216
#8 0x55a10112c8ef in message_read_handler ell/dbus.c:276
#9 0x55a1010dae20 in io_callback ell/io.c:120
#10 0x55a1010dff7e in l_main_iterate ell/main.c:478
#11 0x55a1010e06e3 in l_main_run ell/main.c:525
#12 0x55a1010e06e3 in l_main_run ell/main.c:507
#13 0x55a1010e0bfc in l_main_run_with_signal ell/main.c:647
#14 0x55a10100316e in main mesh/main.c:292
#15 0x7f60c0c6855f in __libc_start_call_main (/lib64/libc.so.6+...
#16 0x7f60c0c6860b in __libc_start_main_alias_1 (/lib64/libc.so.6+...
#17 0x55a101003ce4 in _start (/home/istotlan/bluez/mesh/bluetooth-m...
mlehtima
pushed a commit
that referenced
this pull request
Sep 7, 2022
This decodes the LTV fields of Basic Audio Announcements:
< HCI Command: LE Set Periodic Advertising Data (0x08|0x003f) plen 41
Handle: 0
Operation: Complete ext advertising data (0x03)
Data length: 0x26
Service Data: Basic Audio Announcement (0x1851)
Presetation Delay: 40000
Number of Subgroups: 1
Subgroup #0:
Number of BIS(s): 1
Codec: LC3 (0x06)
Codec Specific Configuration #0: len 0x02 type 0x01
Codec Specific Configuration: 03
Codec Specific Configuration #1: len 0x02 type 0x02
Codec Specific Configuration: 01
Codec Specific Configuration #2: len 0x05 type 0x03
Codec Specific Configuration: 01000000
Codec Specific Configuration #3: len 0x03 type 0x04
Codec Specific Configuration: 2800
Metadata #0: len 0x03 type 0x02
Metadata: 0200
BIS #0:
Index: 1
Codec Specific Configuration:
mlehtima
pushed a commit
that referenced
this pull request
Sep 7, 2022
This adds decoding support for PAC Sink/Source attributes:
< ACL Data TX: Handle 42 flags 0x00 dlen 9
Channel: 64 len 5 sdu 3 [PSM 39 mode Enhanced Credit (0x81)]
{chan 0}
ATT: Read Request (0x0a) len 2
Handle: 0x0017 Type: Sink PAC (0x2bc9)
> ACL Data RX: Handle 42 flags 0x02 dlen 31
Channel: 65 len 27 sdu 25 [PSM 39 mode Enhanced Credit (0x81)]
{chan 0}
Value: 010600000000100301ff0002020302030305041e00f00000
Number of PAC(s): 1
PAC #0:
Codec: LC3 (0x06)
Codec Specific Configuration #0: len 0x03 type 0x01
Codec Specific Configuration: ff00
Codec Specific Configuration #1: len 0x02 type 0x02
Codec Specific Configuration: 03
Codec Specific Configuration #2: len 0x02 type 0x03
Codec Specific Configuration: 03
Codec Specific Configuration #3: len 0x05 type 0x04
Codec Specific Configuration: 1e00f000
mlehtima
pushed a commit
that referenced
this pull request
Sep 7, 2022
This adds decoding support for ASE Sink/Source attributes:
> ACL Data RX: Handle 42 flags 0x02 dlen 9
Channel: 65 len 5 sdu 3 [PSM 39 mode Enhanced Credit (0x81)] {chan 0}
ATT: Read Request (0x0a) len 2
Handle: 0x002a Type: Sink ASE (0x2bc4)
< ACL Data TX: Handle 42 flags 0x00 dlen 9
Channel: 64 len 5 sdu 3 [PSM 39 mode Enhanced Credit (0x81)] {chan 0}
ATT: Read Response (0x0b) len 2
Value: 0300
ASE ID: 1
State: Idle (0x00)
< ACL Data TX: Handle 42 flags 0x00 dlen 55
Channel: 64 len 51 sdu 49 [PSM 39 mode Enhanced Credit (0x81)] {chan 0}
ATT: Handle Multiple Value Notification (0x23) len 48
Length: 0x0023
Handle: 0x0024 Type: Sink ASE (0x2bc4)
Data: 01010000000a00204e00409c00204e00409c0006000000000a02010302020103042800
ASE ID: 1
State: Codec Configured (0x01)
Framing: Unframed PDUs supported (0x00)
PHY: 0x00
RTN: 0
Max Transport Latency: 10
Presentation Delay Min: 20000 us
Presentation Delay Max: 40000 us
Preferred Presentation Delay Min: 20000 us
Preferred Presentation Delay Max: 40000 us
Codec: LC3 (0x06)
Codec Specific Configuration #0: len 0x02 type 0x01
Codec Specific Configuration: 03
Codec Specific Configuration #1: len 0x02 type 0x02
Codec Specific Configuration: 01
Codec Specific Configuration #2: len 0x03 type 0x04
Codec Specific Configuration: 2800
< ACL Data TX: Handle 42 flags 0x00 dlen 37
Channel: 64 len 33 sdu 31 [PSM 39 mode Enhanced Credit (0x81)] {chan 0}
ATT: Handle Multiple Value Notification (0x23) len 30
Length: 0x0011
Handle: 0x0024 Type: Sink ASE (0x2bc4)
Data: 0102000010270000022800020a00409c00
ASE ID: 1
State: QoS Configured (0x02)
CIG ID: 0x00
CIS ID: 0x00
SDU Interval: 10000 usec
Framing: Unframed (0x00)
PHY: 0x02
LE 2M PHY (0x02)
Max SDU: 40
RTN: 2
Max Transport Latency: 10
Presentation Delay: 40000 us
< ACL Data TX: Handle 42 flags 0x00 dlen 33
Channel: 64 len 29 sdu 27 [PSM 39 mode Enhanced Credit (0x81)] {chan 0}
ATT: Handle Multiple Value Notification (0x23) len 26
Length: 0x000d
Handle: 0x002a Type: Source ASE (0x2bc5)
Data: 03030000060304030202000000
ASE ID: 3
State: Enabling (0x03)
CIG ID: 0x00
CIS ID: 0x00
Metadata #0: len 0x03 type 0x04
Metadata: 0302
Metadata #1: len 0x02 type 0x00
< ACL Data TX: Handle 42 flags 0x00 dlen 39
Channel: 64 len 35 sdu 33 [PSM 39 mode Enhanced Credit (0x81)] {chan 0}
ATT: Handle Multiple Value Notification (0x23) len 32
Length: 0x000d
Handle: 0x002a Type: Source ASE (0x2bc5)
Data: 03040000060304030202000000
ASE ID: 3
State: Streaming (0x04)
CIG ID: 0x00
CIS ID: 0x00
Metadata #0: len 0x03 type 0x04
Metadata: 0302
Metadata #1: len 0x02 type 0x00
< ACL Data TX: Handle 42 flags 0x00 dlen 33
Channel: 64 len 29 sdu 27 [PSM 39 mode Enhanced Credit (0x81)] {chan 0}
ATT: Handle Multiple Value Notification (0x23) len 26
Length: 0x000d
Handle: 0x002a Type: Source ASE (0x2bc5)
Data: 03050000060304030202000000
ASE ID: 3
State: Disabling (0x05)
CIG ID: 0x00
CIS ID: 0x00
Metadata #0: len 0x03 type 0x04
Metadata: 0302
Metadata #1: len 0x02 type 0x00
mlehtima
pushed a commit
that referenced
this pull request
Sep 7, 2022
This adds decoding support for ASE Control Point attribute:
> ACL Data RX: Handle 42 flags 0x02 dlen 30
Channel: 64 len 26 sdu 24 [PSM 39 mode Enhanced Credit (0x81)] {chan 1}
ATT: Write Command (0x52) len 23
Handle: 0x0030 Type: ASE Control Point (0x2bc6)
Data: 010103020206000000000a02010302020103042800
Opcode: Codec Configuration (0x01)
Number of ASE(s): 1
ASE: #0
ASE ID: 0x03
Target Latency: Balance Latency/Reliability (0x02)
PHY: 0x02
LE 2M PHY (0x02)
Codec: LC3 (0x06)
Codec Specific Configuration #0: len 0x02 type 0x01
Codec Specific Configuration: 03
Codec Specific Configuration #1: len 0x02 type 0x02
Codec Specific Configuration: 01
Codec Specific Configuration #2: len 0x03 type 0x04
Codec Specific Configuration: 2800
< ACL Data TX: Handle 42 flags 0x00 dlen 55
Channel: 64 len 51 sdu 49 [PSM 39 mode Enhanced Credit (0x81)] {chan 0}
ATT: Handle Multiple Value Notification (0x23) len 48
Length: 0x0005
Handle: 0x0030 Type: ASE Control Point (0x2bc6)
Data: 0101030000
Opcode: Codec Configuration (0x01)
Number of ASE(s): 1
ASE: #0
ASE ID: 0x03
ASE Response Code: Success (0x00)
ASE Response Reason: None (0x00)
> ACL Data RX: Handle 42 flags 0x02 dlen 27
Channel: 64 len 23 sdu 21 [PSM 39 mode Enhanced Credit (0x81)] {chan 1}
ATT: Write Command (0x52) len 20
Handle: 0x0030 Type: ASE Control Point (0x2bc6)
Data: 020103000010270000022800020a00409c00
Opcode: QoS Configuration (0x02)
Number of ASE(s): 1
ASE: #0
ASE ID: 0x03
CIG ID: 0x00
CIS ID: 0x00
SDU Interval: 10000 usec
Framing: Unframed (0x00)
PHY: 0x02
LE 2M PHY (0x02)
Max SDU: 40
RTN: 2
Max Transport Latency: 10
Presentation Delay: 40000 us
< ACL Data TX: Handle 42 flags 0x00 dlen 37
Channel: 64 len 33 sdu 31 [PSM 39 mode Enhanced Credit (0x81)] {chan 0}
ATT: Handle Multiple Value Notification (0x23) len 30
Length: 0x0005
Handle: 0x0030 Type: ASE Control Point (0x2bc6)
Data: 0201030000
Opcode: QoS Configuration (0x02)
Number of ASE(s): 1
ASE: #0
ASE ID: 0x03
ASE Response Code: Success (0x00)
ASE Response Reason: None (0x00)
> ACL Data RX: Handle 42 flags 0x02 dlen 17
Channel: 64 len 13 sdu 11 [PSM 39 mode Enhanced Credit (0x81)] {chan 1}
ATT: Write Command (0x52) len 10
Handle: 0x0030 Type: ASE Control Point (0x2bc6)
Data: 0301030403020200
Opcode: Enable (0x03)
Number of ASE(s): 1
ASE: #0
ASE ID: 0x03
Metadata #0: len 0x03 type 0x02
Metadata: 0200
< ACL Data TX: Handle 42 flags 0x00 dlen 33
Channel: 64 len 29 sdu 27 [PSM 39 mode Enhanced Credit (0x81)] {chan 0}
ATT: Handle Multiple Value Notification (0x23) len 26
Length: 0x0005
Handle: 0x0030 Type: ASE Control Point (0x2bc6)
Data: 0301030000
Opcode: Enable (0x03)
Number of ASE(s): 1
ASE: #0
ASE ID: 0x03
ASE Response Code: Success (0x00)
ASE Response Reason: None (0x00)
> ACL Data RX: Handle 42 flags 0x02 dlen 12
Channel: 64 len 8 sdu 6 [PSM 39 mode Enhanced Credit (0x81)] {chan 0}
ATT: Write Command (0x52) len 5
Handle: 0x0030 Type: ASE Control Point (0x2bc6)
Data: 050101
Opcode: Disable (0x05)
Number of ASE(s): 1
mlehtima
pushed a commit
that referenced
this pull request
Sep 7, 2022
This adds decoding support for PAC/ASE attributes:
> ACL Data RX: Handle 42 flags 0x02 dlen 31
Channel: 65 len 27 sdu 25 [PSM 39 mode Enhanced Credit (0x81)] {chan 1}
ATT: Read Response (0x0b) len 24
Value: 010600000000100301ff0002020302030305041e00f00000
Number of PAC(s): 1
PAC #0:
Codec: LC3 (0x06)
Codec Specific Capabilities #0: len 0x03 type 0x01
Sampling Frequencies: 0x00ff
8 Khz (0x0001)
11.25 Khz (0x0002)
16 Khz (0x0004)
22.05 Khz (0x0008)
24 Khz (0x0010)
32 Khz (0x0020)
44.1 Khz (0x0040)
48 Khz (0x0080)
Codec Specific Capabilities #1: len 0x02 type 0x02
Frame Duration: 0x0003
7.5 ms (0x01)
10 ms (0x02)
Codec Specific Capabilities #2: len 0x02 type 0x03
Audio Channel Count: 0x03
1 channel (0x01)
2 channels (0x02)
Codec Specific Capabilities #3: len 0x05 type 0x04
Frame Length: 30 (0x001e) - 240 (0x00f0)
> ACL Data RX: Handle 42 flags 0x02 dlen 30
Channel: 64 len 26 sdu 24 [PSM 39 mode Enhanced Credit (0x81)] {chan 0}
ATT: Write Command (0x52) len 23
Handle: 0x0036 Type: ASE Control Point (0x2bc6)
Data: 010101020206000000000a02010302020103042800
Opcode: Codec Configuration (0x01)
Number of ASE(s): 1
ASE: #0
ASE ID: 0x01
Target Latency: Balance Latency/Reliability (0x02)
PHY: 0x02
LE 2M PHY (0x02)
Codec: LC3 (0x06)
Codec Specific Configuration #0: len 0x02 type 0x01
Sampling Frequency: 16 Khz (0x03)
Codec Specific Configuration #1: len 0x02 type 0x02
Frame Duration: 10 ms (0x01)
Codec Specific Configuration #2: len 0x03 type 0x04
Frame Length: 40 (0x0028)
mlehtima
pushed a commit
that referenced
this pull request
Jul 3, 2023
If the stream state is idle the ep->stream shall be set to NULL
otherwise it may be reused causing the following trace:
==32623==ERROR: AddressSanitizer: heap-use-after-free on address ...
READ of size 8 at 0x60b000103550 thread T0
#0 0x7bf7b7 in bap_stream_valid src/shared/bap.c:4065
#1 0x7bf981 in bt_bap_stream_config src/shared/bap.c:4082
#2 0x51a7c8 in bap_config profiles/audio/bap.c:584
#3 0x71b907 in queue_foreach src/shared/queue.c:207
#4 0x51b61f in select_cb profiles/audio/bap.c:626
#5 0x4691ed in pac_select_cb profiles/audio/media.c:884
#6 0x4657ea in endpoint_reply profiles/audio/media.c:369
Fixes: bluez/bluez#457 (comment)
mlehtima
pushed a commit
that referenced
this pull request
Jul 3, 2023
When grouping requests with the same opcode the code was queueing them without attempt to check that that would fit in the ATT MTU causing the following trace: stack-buffer-overflow on address 0x7fffdba951f0 at pc 0x7fc15fc49d21 bp 0x7fffdba95020 sp 0x7fffdba947d0 WRITE of size 9 at 0x7fffdba951f0 thread T0 #0 0x7fc15fc49d20 in __interceptor_memcpy (/lib64/libasan.so.8+0x49d20) #1 0x71f698 in util_iov_push_mem src/shared/util.c:266 #2 0x7b9312 in append_group src/shared/bap.c:3424 #3 0x71ba01 in queue_foreach src/shared/queue.c:207 #4 0x7b9b66 in bap_send src/shared/bap.c:3459 #5 0x7ba594 in bap_process_queue src/shared/bap.c:351 Fixes: bluez/bluez#457 (comment)
mlehtima
pushed a commit
that referenced
this pull request
Jul 3, 2023
To look up transports, use BAP stream pointers associated with them, not
the path strings stored in the stream user data. This makes it clearer
that transports presented to the sound server correspond to the actual
streams. The Acquire/etc. of BAP transports are already tied to the
associated stream.
This fixes use-after-free crashes in pac_clear. They occur because the
lifetime of the path string was either that of media transport or media
endpoint, which may be shorter than that of the BAP stream. In such
case, pac_clear is entered with invalid pointer in stream user data,
leading to crash. There are a few code paths for this, e.g. making
sound server delay its SetConfiguration response (e.g. gdb breakpoint)
to get dbus timeout, then disconnecting:
ERROR: AddressSanitizer: heap-use-after-free on address XXXX
READ of size 3 at 0x606000031640 thread T0
...
#4 0x559891 in btd_debug src/log.c:117
#5 0x46abfd in pac_clear profiles/audio/media.c:1096
#6 0x79fcaf in bap_stream_clear_cfm src/shared/bap.c:914
#7 0x7a060d in bap_stream_detach src/shared/bap.c:987
#8 0x7a25ea in bap_stream_state_changed src/shared/bap.c:1210
#9 0x7a29cd in stream_set_state src/shared/bap.c:1254
#10 0x7be824 in stream_foreach_detach src/shared/bap.c:3820
#11 0x71d15d in queue_foreach src/shared/queue.c:207
#12 0x7beb98 in bt_bap_detach src/shared/bap.c:3836
#13 0x5228cb in bap_disconnect profiles/audio/bap.c:1342
#14 0x63247c in btd_service_disconnect src/service.c:305
freed by thread T0 here:
#0 0x7f16708b9388 in __interceptor_free.part.0 (/lib64/libasan.so.8+0xb9388)
#1 0x7f167071b8cc in g_free (/lib64/libglib-2.0.so.0+0x5b8cc)
#2 0x7047b7 in remove_interface gdbus/object.c:660
#3 0x70aef6 in g_dbus_unregister_interface gdbus/object.c:1394
#4 0x47be30 in media_transport_destroy profiles/audio/transport.c:217
#5 0x464ab9 in endpoint_remove_transport profiles/audio/media.c:270
#6 0x464d26 in clear_configuration profiles/audio/media.c:292
#7 0x464e69 in clear_endpoint profiles/audio/media.c:300
#8 0x46516e in endpoint_reply profiles/audio/media.c:325
...
Fixes: 7b1b1a4 ("media: clear the right transport when clearing BAP endpoint")
mlehtima
pushed a commit
that referenced
this pull request
Jul 3, 2023
Don't call configuration callback if stream's transport was cleared in
the meantime. The clear callback is called just before the stream is
freed.
Fixes ASAN crash on disconnect while waiting for SetConfiguration DBus
reply:
ERROR: AddressSanitizer: heap-use-after-free on address 0x60b00002eb90
READ of size 8 at 0x60b00002eb90 thread T0
#0 0x7a4892 in bap_stream_config_cfm_cb src/shared/bap.c:3201
#1 0x4688fb in pac_config_cb profiles/audio/media.c:1010
#2 0x462164 in media_endpoint_cancel profiles/audio/media.c:157
#3 0x462243 in media_endpoint_cancel_all profiles/audio/media.c:165
#4 0x46365b in clear_endpoint profiles/audio/media.c:297
#5 0x463a21 in endpoint_reply profiles/audio/media.c:325
...
freed by thread T0 here:
#0 0x7eff644b9388 in __interceptor_free.part.0 (/lib64/libasan.so.8+0xb9388)
#1 0x78d8cc in bap_stream_free src/shared/bap.c:974
#2 0x78dbc8 in bap_stream_detach src/shared/bap.c:991
#3 0x78fa43 in bap_stream_state_changed src/shared/bap.c:1210
#4 0x78fe26 in stream_set_state src/shared/bap.c:1254
#5 0x7ab5ce in stream_foreach_detach src/shared/bap.c:3820
#6 0x70ce06 in queue_foreach src/shared/queue.c:207
#7 0x7ab942 in bt_bap_detach src/shared/bap.c:3836
#8 0x51da7a in bap_disconnect profiles/audio/bap.c:1342
#9 0x626e57 in btd_service_disconnect src/service.c:305
mlehtima
pushed a commit
that referenced
this pull request
Jul 3, 2023
Always free BAP stream in bt_bap_stream_release if it is not attached to
a client session, simplifying the cleanup.
Fixes the following ASAN crash is observed when media endpoint is
unregistered (stopping sound server) while streaming from remote BAP
client:
ERROR: AddressSanitizer: heap-use-after-free on address 0x60b0000474d8
READ of size 8 at 0x60b0000474d8 thread T0
#0 0x7a27c6 in stream_set_state src/shared/bap.c:1227
#1 0x7aff61 in remove_streams src/shared/bap.c:2483
#2 0x71d2d0 in queue_foreach src/shared/queue.c:207
#3 0x7b0152 in bt_bap_remove_pac src/shared/bap.c:2501
#4 0x463cda in media_endpoint_destroy profiles/audio/media.c:179
...
0x60b0000474d8 is located 8 bytes inside of 112-byte region
freed by thread T0 here:
#0 0x7f93b12b9388 in __interceptor_free.part.0 (/lib64/libasan.so.8+0xb9388)
#1 0x7a0504 in bap_stream_free src/shared/bap.c:972
#2 0x7a0800 in bap_stream_detach src/shared/bap.c:989
#3 0x7a26d1 in bap_stream_state_changed src/shared/bap.c:1208
#4 0x7a2ab4 in stream_set_state src/shared/bap.c:1252
#5 0x7ab18a in stream_release src/shared/bap.c:1985
#6 0x7c6919 in bt_bap_stream_release src/shared/bap.c:4572
#7 0x7aff50 in remove_streams src/shared/bap.c:2482
...
previously allocated by thread T0 here:
#0 0x7f93b12ba6af in __interceptor_malloc (/lib64/libasan.so.8+0xba6af)
#1 0x71e9ae in util_malloc src/shared/util.c:43
#2 0x79c2f5 in bap_stream_new src/shared/bap.c:766
#3 0x7a4863 in ep_config src/shared/bap.c:1446
#4 0x7a4f22 in ascs_config src/shared/bap.c:1481
...
mlehtima
pushed a commit
that referenced
this pull request
Jul 3, 2023
The following crash can be observed if the remote peer send and
unsupported event:
ERROR: AddressSanitizer: heap-use-after-free on address 0x60b000148f11
at pc 0x559644552088 bp 0x7ffe28b3c7b0 sp 0x7ffe28b3c7a0
WRITE of size 1 at 0x60b000148f11 thread T0
#0 0x559644552087 in avrcp_handle_event profiles/audio/avrcp.c:3907
#1 0x559644536c22 in control_response profiles/audio/avctp.c:939
#2 0x5596445379ab in session_cb profiles/audio/avctp.c:1108
#3 0x7fbcb3e51c43 in g_main_context_dispatch (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x55c43)
#4 0x7fbcb3ea66c7 (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0xaa6c7)
#5 0x7fbcb3e512b2 in g_main_loop_run (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x552b2)
#6 0x559644754ab6 in mainloop_run src/shared/mainloop-glib.c:66
#7 0x559644755606 in mainloop_run_with_signal src/shared/mainloop-notify.c:188
#8 0x5596445bb963 in main src/main.c:1289
#9 0x7fbcb3bafd8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
#10 0x7fbcb3bafe3f in __libc_start_main_impl ../csu/libc-start.c:392
#11 0x5596444e8224 in _start (/usr/local/libexec/bluetooth/bluetoothd+0xf0224)
mlehtima
pushed a commit
that referenced
this pull request
Jul 3, 2023
This adds an additional command line option for the Broadcast exercise,
so that the user can indicate the number of BISes to create as part of a
BIG (Broadcast Source), or the number of BISes to synchronize
to (Broadcast Sink).
For the Broadcast Source exercise, issue the following command,
in order to create a BIG with handle 0x01, associated with the
advertising handle 0x01, with 2 BISes:
tools/isotest -i hci0 -s 00:00:00:00:00:00 -N 2 -G 1 -T 1
The isotest and btmon logs will look something like this:
isotest[7178]: mgmt socket: fd 3
isotest[7178]: mgmt_set_le: err 0
isotest[7178]: mgmt_set_experimental: err 0
isotest[7179]: Exit
isotest[7178]: Connecting 00:00:00:00:00:00 ...
isotest[7178]: Connected [00:00:00:00:00:00]
isotest[7178]: QoS [BIG 0x01 BIS 0x01 Packing 0x00 Framing 0x00 Encryption 0x00]
isotest[7178]: Input QoS [Interval 10000 us Latency 10 ms SDU 0 PHY 0x00 RTN 2]
isotest[7178]: Output QoS [Interval 10000 us Latency 10 ms SDU 40 PHY 0x02 RTN 2]
isotest[7178]: Connecting 00:00:00:00:00:00 ...
isotest[7178]: Connected [00:00:00:00:00:00]
isotest[7178]: QoS [BIG 0x01 BIS 0x01 Packing 0x00 Framing 0x00 Encryption 0x00]
isotest[7178]: Input QoS [Interval 10000 us Latency 10 ms SDU 0 PHY 0x00 RTN 2]
isotest[7178]: Output QoS [Interval 10000 us Latency 10 ms SDU 40 PHY 0x02 RTN 2]
isotest[7183]: Sending ...
isotest[7183]: Number of packets: 1
isotest[7183]: Socket jitter buffer: 80 buffer
isotest[7183]: [seq 0] 40 bytes buffered 92 (3712 bytes)
isotest[7184]: Sending ...
isotest[7184]: Number of packets: 1
isotest[7184]: Socket jitter buffer: 80 buffer
isotest[7184]: [seq 0] 40 bytes buffered 92 (3712 bytes)
isotest[7178]: Exit
< HCI Command: LE Create Broadcast Isochronous Group (0x08|0x0068) plen 31
Handle: 0x01
Advertising Handle: 0x01
Number of BIS: 2
SDU Interval: 10000 us (0x002710)
Maximum SDU size: 40
Maximum Latency: 10 ms (0x000a)
RTN: 0x02
PHY: LE 2M (0x02)
Packing: Sequential (0x00)
Framing: Unframed (0x00)
Encryption: 0x00
Broadcast Code: 00000000000000000000000000000000
> HCI Event: Command Status (0x0f) plen 4
LE Create Broadcast Isochronous Group (0x08|0x0068) ncmd 1
Status: Success (0x00)
> HCI Event: LE Meta Event (0x3e) plen 23
LE Broadcast Isochronous Group Complete (0x1b)
Status: Success (0x00)
Handle: 0x01
BIG Synchronization Delay: 1974 us (0x0007b6)
Transport Latency: 1974 us (0x0007b6)
PHY: LE 2M (0x02)
NSE: 3
BN: 1
PTO: 1
IRC: 3
Maximum PDU: 40
ISO Interval: 10.00 msec (0x0008)
Connection Handle #0: 10
Connection Handle #1: 11
< HCI Command: LE Setup Isochronous Data Path (0x08|0x006e) plen 13
Handle: 10
Data Path Direction: Input (Host to Controller) (0x00)
Data Path: HCI (0x00)
Coding Format: Transparent (0x03)
Company Codec ID: Ericsson Technology Licensing (0)
Vendor Codec ID: 0
Controller Delay: 0 us (0x000000)
Codec Configuration Length: 0
Codec Configuration:
> HCI Event: Command Complete (0x0e) plen 6
LE Setup Isochronous Data Path (0x08|0x006e) ncmd 1
Status: Success (0x00)
Handle: 10
< HCI Command: LE Setup Isochronous Data Path (0x08|0x006e) plen 13
Handle: 11
Data Path Direction: Input (Host to Controller) (0x00)
Data Path: HCI (0x00)
Coding Format: Transparent (0x03)
Company Codec ID: Ericsson Technology Licensing (0)
Vendor Codec ID: 0
Controller Delay: 0 us (0x000000)
Codec Configuration Length: 0
Codec Configuration:
> HCI Event: Command Complete (0x0e) plen 6
LE Setup Isochronous Data Path (0x08|0x006e) ncmd 1
Status: Success (0x00)
Handle: 11
< ISO Data TX: Handle 10 flags 0x02 dlen 44
< ISO Data TX: Handle 11 flags 0x02 dlen 44
> HCI Event: Number of Completed Packets (0x13) plen 5
Num handles: 1
Handle: 10
Count: 1
> HCI Event: Number of Completed Packets (0x13) plen 5
Num handles: 1
Handle: 11
Count: 1
For the Broadcast Sink exercise, issue the following command,
in order to synchronize to the BISes created by the source:
tools/isotest -i hci1 -r 36:13:00:E1:1B:F0 -V le_random -N 2 -G 1
The flow is shown by the isotest log and the filtered btmon snippet below:
isotest[4033]: mgmt socket: fd 3
isotest[4034]: Exit
isotest[4033]: mgmt_set_le: err 0
isotest[4033]: mgmt_set_experimental: err 0
isotest[4033]: Waiting for connection 36:13:00:E1:1B:F0...
isotest[4036]: Connected [36:13:00:E1:1B:F0]
isotest[4036]: QoS [BIG 0x01 BIS 0x00 Packing 0x00 Framing 0x00 Encryption 0x00]
isotest[4036]: Input QoS [Interval 1974 us Latency 10 ms SDU 40 PHY 0x00 RTN 0]
isotest[4036]: Output QoS [Interval 0 us Latency 0 ms SDU 0 PHY 0x00 RTN 0]
isotest[4036]: Receiving ...
isotest[4037]: Connected [36:13:00:E1:1B:F0]
isotest[4037]: QoS [BIG 0x01 BIS 0x00 Packing 0x00 Framing 0x00 Encryption 0x00]
isotest[4037]: Input QoS [Interval 1974 us Latency 10 ms SDU 40 PHY 0x00 RTN 0]
isotest[4037]: Output QoS [Interval 0 us Latency 0 ms SDU 0 PHY 0x00 RTN 0]
isotest[4037]: Receiving ...
isotest[4037]: [seq 0] 280 bytes in 6.48 sec speed 0.34 kb/s
isotest[4036]: [seq 0] 280 bytes in 6.54 sec speed 0.33 kb/s
isotest[4037]: [seq 1] 280 bytes in 7.01 sec speed 0.31 kb/s
isotest[4036]: [seq 1] 280 bytes in 7.02 sec speed 0.31 kb/s
isotest[4037]: [seq 2] 280 bytes in 7.06 sec speed 0.31 kb/s
isotest[4036]: [seq 2] 280 bytes in 7.04 sec speed 0.31 kb/s
< HCI Command: LE Periodic Advertising Create Sync (0x08|0x0044) plen 14
Options: 0x0000
Use advertising SID, Advertiser Address Type and address
Reporting initially enabled
SID: 0x00
Adv address type: Random (0x01)
Adv address: 36:13:00:E1:1B:F0 (Non-Resolvable)
Skip: 0x0000
Sync timeout: 163840 msec (0x4000)
Sync CTE type: 0x0000
> HCI Event: Command Status (0x0f) plen 4
LE Periodic Advertising Create Sync (0x08|0x0044) ncmd 1
Status: Success (0x00)
< HCI Command: LE Set Extended Scan Parameters (0x08|0x0041) plen 13
Own address type: Public (0x00)
Filter policy: Ignore not in accept list (0x01)
PHYs: 0x05
Entry 0: LE 1M
Type: Passive (0x00)
Interval: 60.000 msec (0x0060)
Window: 30.000 msec (0x0030)
Entry 1: LE Coded
Type: Passive (0x00)
Interval: 60.000 msec (0x0060)
Window: 30.000 msec (0x0030)
> HCI Event: Command Complete (0x0e) plen 4
LE Set Extended Scan Parameters (0x08|0x0041) ncmd 1
Status: Success (0x00)
< HCI Command: LE Set Extended Scan Enable (0x08|0x0042) plen 6
Extended scan: Enabled (0x01)
Filter duplicates: Enabled (0x01)
Duration: 0 msec (0x0000)
Period: 0.00 sec (0x0000)
> HCI Event: Command Complete (0x0e) plen 4
LE Set Extended Scan Enable (0x08|0x0042) ncmd 1
Status: Success (0x00)
> HCI Event: LE Meta Event (0x3e) plen 16
LE Periodic Advertising Sync Established (0x0e)
Status: Success (0x00)
Sync handle: 0
Advertising SID: 0x00
Advertiser address type: Random (0x01)
Advertiser address: 36:13:00:E1:1B:F0 (Non-Resolvable)
Advertiser PHY: LE 2M (0x02)
Periodic advertising interval: 10.00 msec (0x0008)
Advertiser clock accuracy: 0x00
> HCI Event: LE Meta Event (0x3e) plen 8
LE Periodic Advertising Report (0x0f)
Sync handle: 0
TX power: 127 dbm (0x7f)
RSSI: -47 dBm (0xd1)
CTE Type: No Constant Tone Extension (0xff)
Data status: Complete
Data length: 0x00
> HCI Event: LE Meta Event (0x3e) plen 20
LE Broadcast Isochronous Group Info Advertising Report (0x22)
Sync Handle: 0x0000
Number BIS: 2
NSE: 3
ISO Interval: 10.00 msec (0x0008)
BN: 1
PTO: 1
IRC: 3
Maximum PDU: 40
SDU Interval: 10000 us (0x002710)
Maximum SDU: 40
PHY: LE 2M (0x02)
Framing: Unframed (0x00)
Encryption: 0x00
< HCI Command: LE Broadcast Isochronous Group Create Sync (0x08|0x006b) plen 26
BIG Handle: 0x01
BIG Sync Handle: 0x0000
Encryption: Unencrypted (0x00)
Broadcast Code: 00000000000000000000000000000000
Maximum Number Subevents: 0x00
Timeout: 163840 ms (0x4000)
Number of BIS: 2
BIS ID: 0x01
BIS ID: 0x02
> HCI Event: LE Meta Event (0x3e) plen 19
LE Broadcast Isochronous Group Sync Estabilished (0x1d)
Status: Success (0x00)
BIG Handle: 0x01
Transport Latency: 1974 us (0x0007b6)
NSE: 3
BN: 1
PTO: 1
IRC: 3
Maximum PDU: 40
ISO Interval: 10.00 msec (0x0008)
Connection Handle #0: 10
Connection Handle #1: 11
< HCI Command: LE Setup Isochronous Data Path (0x08|0x006e) plen 13
Handle: 10
Data Path Direction: Output (Controller to Host) (0x01)
Data Path: HCI (0x00)
Coding Format: Transparent (0x03)
Company Codec ID: Ericsson Technology Licensing (0)
Vendor Codec ID: 0
Controller Delay: 0 us (0x000000)
Codec Configuration Length: 0
Codec Configuration:
> HCI Event: Command Complete (0x0e) plen 6
LE Setup Isochronous Data Path (0x08|0x006e) ncmd 1
Status: Success (0x00)
Handle: 10
< HCI Command: LE Setup Isochronous Data Path (0x08|0x006e) plen 13
Handle: 11
Data Path Direction: Output (Controller to Host) (0x01)
Data Path: HCI (0x00)
Coding Format: Transparent (0x03)
Company Codec ID: Ericsson Technology Licensing (0)
Vendor Codec ID: 0
Controller Delay: 0 us (0x000000)
Codec Configuration Length: 0
Codec Configuration:
> HCI Event: Command Complete (0x0e) plen 6
LE Setup Isochronous Data Path (0x08|0x006e) ncmd 1
Status: Success (0x00)
Handle: 11
> ISO Data RX: Handle 10 flags 0x06 dlen 48
> ISO Data RX: Handle 11 flags 0x06 dlen 48
mlehtima
pushed a commit
that referenced
this pull request
Dec 13, 2023
It seems like some implementation of vasprintf set the content of the
str to NULL rather then returning -1 causing the following errors:
=================================================================
==216204==ERROR: AddressSanitizer: attempting free on address which
was not malloc()-ed: 0x55e787722cf0 in thread T0
#0 0x55e784f75872 in __interceptor_free.part.0 asan_malloc_linux.cpp.o
#1 0x55e7850e55f9 in bt_log_vprintf
/usr/src/debug/bluez-git/bluez-git/src/shared/log.c:154:2
#2 0x55e78502db18 in monitor_log
/usr/src/debug/bluez-git/bluez-git/src/log.c:40:2
#3 0x55e78502dab4 in info
/usr/src/debug/bluez-git/bluez-git/src/log.c:52:2
#4 0x55e78502e314 in __btd_log_init
/usr/src/debug/bluez-git/bluez-git/src/log.c:179:2
#5 0x55e78502aa63 in main
/usr/src/debug/bluez-git/bluez-git/src/main.c:1388:2
#6 0x7f1d5fe27ccf (/usr/lib/libc.so.6+0x27ccf) (BuildId:
316d0d3666387f0e8fb98773f51aa1801027c5ab)
#7 0x7f1d5fe27d89 in __libc_start_main
(/usr/lib/libc.so.6+0x27d89) (BuildId:
316d0d3666387f0e8fb98773f51aa1801027c5ab)
#8 0x55e784e88084 in _start
(/usr/lib/bluetooth/bluetoothd+0x36084) (BuildId:
19348ea642303b701c033d773055becb623fe79a)
Address 0x55e787722cf0 is a wild pointer inside of access range of
size 0x000000000001.
SUMMARY: AddressSanitizer: bad-free asan_malloc_linux.cpp.o in
__interceptor_free.part.0
==216204==ABORTING
сен 18 13:10:02 archlinux systemd[1]: bluetooth.service: Main process
exited, code=exited, status=1/FAILURE
mlehtima
pushed a commit
that referenced
this pull request
Dec 13, 2023
Primary/Secundary Counters are supposed to be 16 bytes values, if the
server has implemented them incorrectly it may lead to the following
crash:
=================================================================
==31860==ERROR: AddressSanitizer: heap-buffer-overflow on address
0x607000001878 at pc 0x7f95a1575638 bp 0x7fff58c6bb80 sp 0x7fff58c6b328
READ of size 48 at 0x607000001878 thread T0
#0 0x7f95a1575637 in MemcmpInterceptorCommon(void*, int (*)(void const*, void const*, unsigned long), void const*, void const*, unsigned long) ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:860
#1 0x7f95a1575ba6 in __interceptor_memcmp ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:892
#2 0x7f95a1575ba6 in __interceptor_memcmp ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:887
#3 0x564df69c77a0 in read_version obexd/client/pbap.c:288
#4 0x564df69c77a0 in read_return_apparam obexd/client/pbap.c:352
#5 0x564df69c77a0 in phonebook_size_callback obexd/client/pbap.c:374
#6 0x564df69bea3c in session_terminate_transfer obexd/client/session.c:921
#7 0x564df69d56b0 in get_xfer_progress_first obexd/client/transfer.c:729
#8 0x564df698b9ee in handle_response gobex/gobex.c:1140
#9 0x564df698cdea in incoming_data gobex/gobex.c:1385
#10 0x7f95a12fdc43 in g_main_context_dispatch (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x55c43)
#11 0x7f95a13526c7 (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0xaa6c7)
#12 0x7f95a12fd2b2 in g_main_loop_run (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x552b2)
#13 0x564df6977d41 in main obexd/src/main.c:307
#14 0x7f95a10a7d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
#15 0x7f95a10a7e3f in __libc_start_main_impl ../csu/libc-start.c:392
#16 0x564df6978704 in _start (/usr/local/libexec/bluetooth/obexd+0x8b704)
0x607000001878 is located 0 bytes to the right of 72-byte region [0x607000001830,0x607000001878)
allocated by thread T0 here:
#0 0x7f95a1595a37 in __interceptor_calloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:154
#1 0x564df69c8b6a in pbap_probe obexd/client/pbap.c:1259
mlehtima
pushed a commit
that referenced
this pull request
Dec 13, 2023
ASCS allows transitions from Codec/QoS Configured back to the same state. E.g. NRF5340_AUDIO devkit starts in the config(1) state, which is allowed (only Config QoS, Release, Enable, Receiver Stop Ready transition are client-only). In this case, as client, we do Config Codec ourselves and end up with config(1)->config(1) transition. We currently ignore that event, so QoS won't be setup and transports won't be created. Handle the config(1)->config(1) transition by continuing to Config QoS if it occurs. Log: src/gatt-client.c:btd_gatt_client_connected() Device connected. src/shared/gatt-client.c:exchange_mtu_cb() MTU exchange complete, with MTU: 65 src/shared/bap.c:bap_ep_set_status() ASE status: ep 0x604000039a90 id 0x01 handle 0x000f state config len 42 src/shared/bap.c:ep_status_config() codec 0x06 framing 0x00 phy 0x02 rtn 2 latency 10 pd 4000 - 40000 ppd 4000 - 40000 src/shared/bap.c:ep_status_config() Codec Config #0: type 0x01 len 2 src/shared/bap.c:ep_status_config() Codec Config #1: type 0x02 len 2 src/shared/bap.c:ep_status_config() Codec Config #2: type 0x03 len 5 src/shared/bap.c:ep_status_config() Codec Config #3: type 0x04 len 3 src/shared/bap.c:ep_status_config() Codec Config #4: type 0x05 len 2 src/shared/bap.c:bap_stream_state_changed() stream 0x60c0000334c0 dir 0x01: idle -> config src/shared/bap.c:bap_stream_update_io_links() stream 0x60c0000334c0 profiles/audio/bap.c:bap_state() stream 0x60c0000334c0: idle(0) -> config(1) profiles/audio/bap.c:bap_ready() bap 0x60e000001d20 profiles/audio/bap.c:pac_found() lpac 0x608000017520 rpac 0x6080000183a0 profiles/audio/bap.c:ep_register() ep 0x60d000006910 lpac 0x608000017520 rpac 0x6080000183a0 path /org/bluez/hci0/dev_C9_C9_76_21_08_4F/pac_sink0 profiles/audio/media.c:media_endpoint_async_call() Calling SelectProperties: name = :1.604 path = /MediaEndpointLE/BAPSource/lc3 ... src/shared/bap.c:bap_stream_state_changed() stream 0x60c0000334c0 dir 0x01: config -> config src/shared/bap.c:bap_stream_update_io_links() stream 0x60c0000334c0 profiles/audio/bap.c:bap_state() stream 0x60c0000334c0: config(1) -> config(1)
mlehtima
pushed a commit
that referenced
this pull request
Dec 13, 2023
This uses bt_bap_debug_{config, metadata} to decode the TLV entries
found in Basic Audio Announcement:
< HCI Command: LE Set Peri.. (0x08|0x003f) plen 41
Handle: 1
Operation: Complete ext advertising data (0x03)
Data length: 0x26
Service Data: Basic Audio Announcement (0x1851)
Presetation Delay: 10000
Number of Subgroups: 1
Subgroup #0:
Number of BIS(s): 1
Codec: LC3 (0x06)
Codec Specific Configuration: #0: len 0x02 type 0x01
Codec Specific Configuration: Sampling Frequency: 48 Khz (0x08)
Codec Specific Configuration: #1: len 0x02 type 0x02
Codec Specific Configuration: Frame Duration: 7.5 ms (0x00)
Codec Specific Configuration: #2: len 0x03 type 0x04
Codec Specific Configuration: Frame Length: 75 (0x004b)
Metadata: #0: len 0x03 type 0x02
Metadata: Context: 0x0002
Metadata: Context Conversational (0x0002)
BIS #0:
Index: 1
Codec Specific Configuration: #0: len 0x05 type 0x03
Codec Specific Configuration: Location: 0x00000001
Codec Specific Configuration: Location: Front Left (0x00000001)
mlehtima
pushed a commit
that referenced
this pull request
Jan 28, 2024
bt_bap_pac may actually map to multiple PAC records and each may have a
different channel count that needs to be matched separately, for
instance when trying with EarFun Air Pro:
< ACL Data TX: Handle 2048 flags 0x00 dlen 85
ATT: Write Command (0x52) len 80
Handle: 0x0098 Type: ASE Control Point (0x2bc6)
Data: 010405020206000000000a020103020201030428000602020600000
0000a0201030202010304280001020206000000000a020103020201030428
0002020206000000000a02010302020103042800
Opcode: Codec Configuration (0x01)
Number of ASE(s): 4
ASE: #0
ASE ID: 0x05
Target Latency: Balance Latency/Reliability (0x02)
PHY: 0x02
LE 2M PHY (0x02)
Codec: LC3 (0x06)
Codec Specific Configuration: #0: len 0x02 type 0x01
Sampling Frequency: 16 Khz (0x03)
Codec Specific Configuration: #1: len 0x02 type 0x02
Frame Duration: 10 ms (0x01)
Codec Specific Configuration: #2: len 0x03 type 0x04
Frame Length: 40 (0x0028)
ASE: #1
ASE ID: 0x06
Target Latency: Balance Latency/Reliability (0x02)
PHY: 0x02
LE 2M PHY (0x02)
Codec: LC3 (0x06)
Codec Specific Configuration: #0: len 0x02 type 0x01
Sampling Frequency: 16 Khz (0x03)
Codec Specific Configuration: #1: len 0x02 type 0x02
Frame Duration: 10 ms (0x01)
Codec Specific Configuration: #2: len 0x03 type 0x04
Frame Length: 40 (0x0028)
ASE: #2
ASE ID: 0x01
Target Latency: Balance Latency/Reliability (0x02)
PHY: 0x02
LE 2M PHY (0x02)
Codec: LC3 (0x06)
Codec Specific Configuration: #0: len 0x02 type 0x01
Sampling Frequency: 16 Khz (0x03)
Codec Specific Configuration: #1: len 0x02 type 0x02
Frame Duration: 10 ms (0x01)
Codec Specific Configuration: #2: len 0x03 type 0x04
Frame Length: 40 (0x0028)
ASE: #3
ASE ID: 0x02
Target Latency: Balance Latency/Reliability (0x02)
PHY: 0x02
LE 2M PHY (0x02)
Codec: LC3 (0x06)
Codec Specific Configuration: #0: len 0x02 type 0x01
Sampling Frequency: 16 Khz (0x03)
Codec Specific Configuration: #1: len 0x02 type 0x02
Frame Duration: 10 ms (0x01)
Codec Specific Configuration: #2: len 0x03 type 0x04
Frame Length: 40 (0x0028)
Fixes: bluez/bluez#612
mlehtima
pushed a commit
that referenced
this pull request
Jan 28, 2024
This makes use of ChannelAllocation when present on SelectProperties
dictionary which is then passed on to bluetoothd and send over as part
of Codec Configuration:
< ACL Data TX: Handle 2048 flags 0x00 dlen 109
ATT: Write Command (0x52) len 104
Handle: 0x0098 Type: ASE Control Point (0x2bc6)
Data: 0104050202060000000010020103020201030428000503010000000
6020206000000001002010302020103042800050302000000010202060000
0000100201030202010304280005030100000002020206000000001002010
302020103042800050302000000
Opcode: Codec Configuration (0x01)
Number of ASE(s): 4
ASE: #0
ASE ID: 0x05
Target Latency: Balance Latency/Reliability (0x02)
PHY: 0x02
LE 2M PHY (0x02)
Codec: LC3 (0x06)
Codec Specific Configuration: #0: len 0x02 type 0x01
Sampling Frequency: 16 Khz (0x03)
Codec Specific Configuration: #1: len 0x02 type 0x02
Frame Duration: 10 ms (0x01)
Codec Specific Configuration: #2: len 0x03 type 0x04
Frame Length: 40 (0x0028)
Codec Specific Configuration: #3: len 0x05 type 0x03
Location: 0x00000001
Front Left (0x00000001)
ASE: #1
ASE ID: 0x06
Target Latency: Balance Latency/Reliability (0x02)
PHY: 0x02
LE 2M PHY (0x02)
Codec: LC3 (0x06)
Codec Specific Configuration: #0: len 0x02 type 0x01
Sampling Frequency: 16 Khz (0x03)
Codec Specific Configuration: #1: len 0x02 type 0x02
Frame Duration: 10 ms (0x01)
Codec Specific Configuration: #2: len 0x03 type 0x04
Frame Length: 40 (0x0028)
Codec Specific Configuration: #3: len 0x05 type 0x03
Location: 0x00000002
Front Right (0x00000002)
ASE: #2
ASE ID: 0x01
Target Latency: Balance Latency/Reliability (0x02)
PHY: 0x02
LE 2M PHY (0x02)
Codec: LC3 (0x06)
Codec Specific Configuration: #0: len 0x02 type 0x01
Sampling Frequency: 16 Khz (0x03)
Codec Specific Configuration: #1: len 0x02 type 0x02
Frame Duration: 10 ms (0x01)
Codec Specific Configuration: #2: len 0x03 type 0x04
Frame Length: 40 (0x0028)
Codec Specific Configuration: #3: len 0x05 type 0x03
Location: 0x00000001
Front Left (0x00000001)
ASE: #3
ASE ID: 0x02
Target Latency: Balance Latency/Reliability (0x02)
PHY: 0x02
LE 2M PHY (0x02)
Codec: LC3 (0x06)
Codec Specific Configuration: #0: len 0x02 type 0x01
Sampling Frequency: 16 Khz (0x03)
Codec Specific Configuration: #1: len 0x02 type 0x02
Frame Duration: 10 ms (0x01)
Codec Specific Configuration: #2: len 0x03 type 0x04
Frame Length: 40 (0x0028)
Codec Specific Configuration: #3: len 0x05 type 0x03
Location: 0x00000002
Front Right (0x00000002)
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
For Bluetooth Secure Simple Pairing