New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
sfos: Enable NFC pairing #1
Merged
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
mlehtima
approved these changes
Jul 20, 2021
[sailfish] Enable NFC pairing. JB#54815
ikamaletdinov
pushed a commit
to ikamaletdinov/bluez5
that referenced
this pull request
Feb 15, 2022
The following trace can be observed sometimes when pairing 2 emulator instances: src/adapter.c:store_link_key() Unable to load key file from /var/lib/bluetooth/9C:DA:3E:F2:8E:46/9C:B6:D0:8A:A0:0C/info: (No such file or directory) GLib: g_file_set_contents: assertion 'error == NULL || *error == NULL' failed ++++++++ backtrace ++++++++ sailfishos#1 btd_backtrace+0x28a (src/backtrace.c:59) [0x7f65bb5ab53a] sailfishos#2 g_logv+0x21c (/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0.6400.6) [0x7f65ba3f955c] sailfishos#3 g_log+0x93 (/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0.6400.6) [0x7f65ba3f9743] sailfishos#4 g_file_set_contents+0x68 (/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0.6400.6) [0x7f65ba3dca68] sailfishos#5 store_link_key+0x30a (src/adapter.c:8235) [0x7f65bb61839a] sailfishos#6 new_link_key_callback+0x474 (src/adapter.c:8285) [0x7f65bb62c904] sailfishos#7 queue_foreach+0x164 (src/shared/queue.c:203) [0x7f65bb722e34] sailfishos#8 can_read_data+0x59f (src/shared/mgmt.c:343) [0x7f65bb72e09f] sailfishos#9 watch_callback+0x112 (src/shared/io-glib.c:162) [0x7f65bb78acb2] sailfishos#10 g_main_context_dispatch+0x14e (/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0.6400.6) [0x7f65ba3f204e]
ikamaletdinov
pushed a commit
to ikamaletdinov/bluez5
that referenced
this pull request
Feb 16, 2022
The following trace can be observed sometimes when pairing 2 emulator instances: src/adapter.c:store_link_key() Unable to load key file from /var/lib/bluetooth/9C:DA:3E:F2:8E:46/9C:B6:D0:8A:A0:0C/info: (No such file or directory) GLib: g_file_set_contents: assertion 'error == NULL || *error == NULL' failed ++++++++ backtrace ++++++++ sailfishos#1 btd_backtrace+0x28a (src/backtrace.c:59) [0x7f65bb5ab53a] sailfishos#2 g_logv+0x21c (/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0.6400.6) [0x7f65ba3f955c] sailfishos#3 g_log+0x93 (/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0.6400.6) [0x7f65ba3f9743] sailfishos#4 g_file_set_contents+0x68 (/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0.6400.6) [0x7f65ba3dca68] sailfishos#5 store_link_key+0x30a (src/adapter.c:8235) [0x7f65bb61839a] sailfishos#6 new_link_key_callback+0x474 (src/adapter.c:8285) [0x7f65bb62c904] sailfishos#7 queue_foreach+0x164 (src/shared/queue.c:203) [0x7f65bb722e34] sailfishos#8 can_read_data+0x59f (src/shared/mgmt.c:343) [0x7f65bb72e09f] sailfishos#9 watch_callback+0x112 (src/shared/io-glib.c:162) [0x7f65bb78acb2] sailfishos#10 g_main_context_dispatch+0x14e (/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0.6400.6) [0x7f65ba3f204e]
ikamaletdinov
pushed a commit
to ikamaletdinov/bluez5
that referenced
this pull request
Mar 1, 2022
The following trace can be observed sometimes when pairing 2 emulator instances: src/adapter.c:store_link_key() Unable to load key file from /var/lib/bluetooth/9C:DA:3E:F2:8E:46/9C:B6:D0:8A:A0:0C/info: (No such file or directory) GLib: g_file_set_contents: assertion 'error == NULL || *error == NULL' failed ++++++++ backtrace ++++++++ sailfishos#1 btd_backtrace+0x28a (src/backtrace.c:59) [0x7f65bb5ab53a] sailfishos#2 g_logv+0x21c (/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0.6400.6) [0x7f65ba3f955c] sailfishos#3 g_log+0x93 (/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0.6400.6) [0x7f65ba3f9743] sailfishos#4 g_file_set_contents+0x68 (/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0.6400.6) [0x7f65ba3dca68] sailfishos#5 store_link_key+0x30a (src/adapter.c:8235) [0x7f65bb61839a] sailfishos#6 new_link_key_callback+0x474 (src/adapter.c:8285) [0x7f65bb62c904] sailfishos#7 queue_foreach+0x164 (src/shared/queue.c:203) [0x7f65bb722e34] sailfishos#8 can_read_data+0x59f (src/shared/mgmt.c:343) [0x7f65bb72e09f] sailfishos#9 watch_callback+0x112 (src/shared/io-glib.c:162) [0x7f65bb78acb2] sailfishos#10 g_main_context_dispatch+0x14e (/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0.6400.6) [0x7f65ba3f204e]
mlehtima
pushed a commit
that referenced
this pull request
Sep 7, 2022
The following trace can be observed sometimes when pairing 2 emulator instances: src/adapter.c:store_link_key() Unable to load key file from /var/lib/bluetooth/9C:DA:3E:F2:8E:46/9C:B6:D0:8A:A0:0C/info: (No such file or directory) GLib: g_file_set_contents: assertion 'error == NULL || *error == NULL' failed ++++++++ backtrace ++++++++ #1 btd_backtrace+0x28a (src/backtrace.c:59) [0x7f65bb5ab53a] #2 g_logv+0x21c (/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0.6400.6) [0x7f65ba3f955c] #3 g_log+0x93 (/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0.6400.6) [0x7f65ba3f9743] #4 g_file_set_contents+0x68 (/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0.6400.6) [0x7f65ba3dca68] #5 store_link_key+0x30a (src/adapter.c:8235) [0x7f65bb61839a] #6 new_link_key_callback+0x474 (src/adapter.c:8285) [0x7f65bb62c904] #7 queue_foreach+0x164 (src/shared/queue.c:203) [0x7f65bb722e34] #8 can_read_data+0x59f (src/shared/mgmt.c:343) [0x7f65bb72e09f] #9 watch_callback+0x112 (src/shared/io-glib.c:162) [0x7f65bb78acb2] #10 g_main_context_dispatch+0x14e (/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0.6400.6) [0x7f65ba3f204e]
mlehtima
pushed a commit
that referenced
this pull request
Sep 7, 2022
This patch fixes the out-of-bounds array access caught by the ASAN. monitor/sdp.c:497:19: runtime error: index 8 out of bounds for type 'cont_data [8]' ================================================================= ==4180==ERROR: AddressSanitizer: global-buffer-overflow on address 0x7fe2d271a542 at pc 0x7fe2d174a57d bp 0x7ffc6dcac1d0 sp 0x7ffc6dcab978 WRITE of size 9 at 0x7fe2d271a542 thread T0 #0 0x7fe2d174a57c (/lib/x86_64-linux-gnu/libasan.so.5+0x9b57c) #1 0x7fe2d23bae85 in search_attr_rsp monitor/sdp.c:692 #2 0x7fe2d23be3f1 in sdp_packet monitor/sdp.c:771 #3 0x7fe2d23b004c in l2cap_frame monitor/l2cap.c:3247 #4 0x7fe2d23b3d9c in l2cap_packet monitor/l2cap.c:3312 #5 0x7fe2d237d5c3 in packet_hci_acldata monitor/packet.c:11638 #6 0x7fe2d2381876 in packet_monitor monitor/packet.c:3967 #7 0x7fe2d230b285 in data_callback monitor/control.c:973 #8 0x7fe2d2447029 in mainloop_run src/shared/mainloop.c:106 #9 0x7fe2d2449306 in mainloop_run_with_signal src/shared/mainloop-notify.c:188 #10 0x7fe2d230324a in main monitor/main.c:290 #11 0x7fe2d0b440b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2) #12 0x7fe2d2303b7d in _start (/home/han1/work/dev/bluez/monitor/btmon+0x1dbb7d) 0x7fe2d271a542 is located 30 bytes to the left of global variable 'tid_list' defined in 'monitor/sdp.c:43:24' (0x7fe2d271a560) of size 384 0x7fe2d271a542 is located 2 bytes to the right of global variable 'cont_list' defined in 'monitor/sdp.c:424:25' (0x7fe2d271a400) of size 320 SUMMARY: AddressSanitizer: global-buffer-overflow (/lib/x86_64-linux-gnu/libasan.so.5+0x9b57c) ... ==4180==ABORTING
mlehtima
pushed a commit
that referenced
this pull request
Sep 7, 2022
This fixes the following error for invalid read access when registering filter for incoming messages: 140632==ERROR: AddressSanitizer: stack-buffer-overflow on address... #0 0x7f60c185741d in MemcmpInterceptorCommon(... #1 0x7f60c1857af8 in __interceptor_memcmp (/lib64/libasan.so... #2 0x55a10101536e in find_by_filter mesh/mesh-io-unit.c:494 #3 0x55a1010d8c46 in l_queue_remove_if ell/queue.c:517 #4 0x55a101014ebd in recv_register mesh/mesh-io-unit.c:506 #5 0x55a10102946f in mesh_net_attach mesh/net.c:2885 #6 0x55a101086f64 in send_reply mesh/dbus.c:153 #7 0x55a101124c3d in handle_method_return ell/dbus.c:216 #8 0x55a10112c8ef in message_read_handler ell/dbus.c:276 #9 0x55a1010dae20 in io_callback ell/io.c:120 #10 0x55a1010dff7e in l_main_iterate ell/main.c:478 #11 0x55a1010e06e3 in l_main_run ell/main.c:525 #12 0x55a1010e06e3 in l_main_run ell/main.c:507 #13 0x55a1010e0bfc in l_main_run_with_signal ell/main.c:647 #14 0x55a10100316e in main mesh/main.c:292 #15 0x7f60c0c6855f in __libc_start_call_main (/lib64/libc.so.6+... #16 0x7f60c0c6860b in __libc_start_main_alias_1 (/lib64/libc.so.6+... #17 0x55a101003ce4 in _start (/home/istotlan/bluez/mesh/bluetooth-m...
mlehtima
pushed a commit
that referenced
this pull request
Sep 7, 2022
This decodes the LTV fields of Basic Audio Announcements: < HCI Command: LE Set Periodic Advertising Data (0x08|0x003f) plen 41 Handle: 0 Operation: Complete ext advertising data (0x03) Data length: 0x26 Service Data: Basic Audio Announcement (0x1851) Presetation Delay: 40000 Number of Subgroups: 1 Subgroup #0: Number of BIS(s): 1 Codec: LC3 (0x06) Codec Specific Configuration #0: len 0x02 type 0x01 Codec Specific Configuration: 03 Codec Specific Configuration #1: len 0x02 type 0x02 Codec Specific Configuration: 01 Codec Specific Configuration #2: len 0x05 type 0x03 Codec Specific Configuration: 01000000 Codec Specific Configuration #3: len 0x03 type 0x04 Codec Specific Configuration: 2800 Metadata #0: len 0x03 type 0x02 Metadata: 0200 BIS #0: Index: 1 Codec Specific Configuration:
mlehtima
pushed a commit
that referenced
this pull request
Sep 7, 2022
This adds decoding support for PAC Sink/Source attributes: < ACL Data TX: Handle 42 flags 0x00 dlen 9 Channel: 64 len 5 sdu 3 [PSM 39 mode Enhanced Credit (0x81)] {chan 0} ATT: Read Request (0x0a) len 2 Handle: 0x0017 Type: Sink PAC (0x2bc9) > ACL Data RX: Handle 42 flags 0x02 dlen 31 Channel: 65 len 27 sdu 25 [PSM 39 mode Enhanced Credit (0x81)] {chan 0} Value: 010600000000100301ff0002020302030305041e00f00000 Number of PAC(s): 1 PAC #0: Codec: LC3 (0x06) Codec Specific Configuration #0: len 0x03 type 0x01 Codec Specific Configuration: ff00 Codec Specific Configuration #1: len 0x02 type 0x02 Codec Specific Configuration: 03 Codec Specific Configuration #2: len 0x02 type 0x03 Codec Specific Configuration: 03 Codec Specific Configuration #3: len 0x05 type 0x04 Codec Specific Configuration: 1e00f000
mlehtima
pushed a commit
that referenced
this pull request
Sep 7, 2022
This adds decoding support for ASE Sink/Source attributes: > ACL Data RX: Handle 42 flags 0x02 dlen 9 Channel: 65 len 5 sdu 3 [PSM 39 mode Enhanced Credit (0x81)] {chan 0} ATT: Read Request (0x0a) len 2 Handle: 0x002a Type: Sink ASE (0x2bc4) < ACL Data TX: Handle 42 flags 0x00 dlen 9 Channel: 64 len 5 sdu 3 [PSM 39 mode Enhanced Credit (0x81)] {chan 0} ATT: Read Response (0x0b) len 2 Value: 0300 ASE ID: 1 State: Idle (0x00) < ACL Data TX: Handle 42 flags 0x00 dlen 55 Channel: 64 len 51 sdu 49 [PSM 39 mode Enhanced Credit (0x81)] {chan 0} ATT: Handle Multiple Value Notification (0x23) len 48 Length: 0x0023 Handle: 0x0024 Type: Sink ASE (0x2bc4) Data: 01010000000a00204e00409c00204e00409c0006000000000a02010302020103042800 ASE ID: 1 State: Codec Configured (0x01) Framing: Unframed PDUs supported (0x00) PHY: 0x00 RTN: 0 Max Transport Latency: 10 Presentation Delay Min: 20000 us Presentation Delay Max: 40000 us Preferred Presentation Delay Min: 20000 us Preferred Presentation Delay Max: 40000 us Codec: LC3 (0x06) Codec Specific Configuration #0: len 0x02 type 0x01 Codec Specific Configuration: 03 Codec Specific Configuration #1: len 0x02 type 0x02 Codec Specific Configuration: 01 Codec Specific Configuration #2: len 0x03 type 0x04 Codec Specific Configuration: 2800 < ACL Data TX: Handle 42 flags 0x00 dlen 37 Channel: 64 len 33 sdu 31 [PSM 39 mode Enhanced Credit (0x81)] {chan 0} ATT: Handle Multiple Value Notification (0x23) len 30 Length: 0x0011 Handle: 0x0024 Type: Sink ASE (0x2bc4) Data: 0102000010270000022800020a00409c00 ASE ID: 1 State: QoS Configured (0x02) CIG ID: 0x00 CIS ID: 0x00 SDU Interval: 10000 usec Framing: Unframed (0x00) PHY: 0x02 LE 2M PHY (0x02) Max SDU: 40 RTN: 2 Max Transport Latency: 10 Presentation Delay: 40000 us < ACL Data TX: Handle 42 flags 0x00 dlen 33 Channel: 64 len 29 sdu 27 [PSM 39 mode Enhanced Credit (0x81)] {chan 0} ATT: Handle Multiple Value Notification (0x23) len 26 Length: 0x000d Handle: 0x002a Type: Source ASE (0x2bc5) Data: 03030000060304030202000000 ASE ID: 3 State: Enabling (0x03) CIG ID: 0x00 CIS ID: 0x00 Metadata #0: len 0x03 type 0x04 Metadata: 0302 Metadata #1: len 0x02 type 0x00 < ACL Data TX: Handle 42 flags 0x00 dlen 39 Channel: 64 len 35 sdu 33 [PSM 39 mode Enhanced Credit (0x81)] {chan 0} ATT: Handle Multiple Value Notification (0x23) len 32 Length: 0x000d Handle: 0x002a Type: Source ASE (0x2bc5) Data: 03040000060304030202000000 ASE ID: 3 State: Streaming (0x04) CIG ID: 0x00 CIS ID: 0x00 Metadata #0: len 0x03 type 0x04 Metadata: 0302 Metadata #1: len 0x02 type 0x00 < ACL Data TX: Handle 42 flags 0x00 dlen 33 Channel: 64 len 29 sdu 27 [PSM 39 mode Enhanced Credit (0x81)] {chan 0} ATT: Handle Multiple Value Notification (0x23) len 26 Length: 0x000d Handle: 0x002a Type: Source ASE (0x2bc5) Data: 03050000060304030202000000 ASE ID: 3 State: Disabling (0x05) CIG ID: 0x00 CIS ID: 0x00 Metadata #0: len 0x03 type 0x04 Metadata: 0302 Metadata #1: len 0x02 type 0x00
mlehtima
pushed a commit
that referenced
this pull request
Sep 7, 2022
This adds decoding support for ASE Control Point attribute: > ACL Data RX: Handle 42 flags 0x02 dlen 30 Channel: 64 len 26 sdu 24 [PSM 39 mode Enhanced Credit (0x81)] {chan 1} ATT: Write Command (0x52) len 23 Handle: 0x0030 Type: ASE Control Point (0x2bc6) Data: 010103020206000000000a02010302020103042800 Opcode: Codec Configuration (0x01) Number of ASE(s): 1 ASE: #0 ASE ID: 0x03 Target Latency: Balance Latency/Reliability (0x02) PHY: 0x02 LE 2M PHY (0x02) Codec: LC3 (0x06) Codec Specific Configuration #0: len 0x02 type 0x01 Codec Specific Configuration: 03 Codec Specific Configuration #1: len 0x02 type 0x02 Codec Specific Configuration: 01 Codec Specific Configuration #2: len 0x03 type 0x04 Codec Specific Configuration: 2800 < ACL Data TX: Handle 42 flags 0x00 dlen 55 Channel: 64 len 51 sdu 49 [PSM 39 mode Enhanced Credit (0x81)] {chan 0} ATT: Handle Multiple Value Notification (0x23) len 48 Length: 0x0005 Handle: 0x0030 Type: ASE Control Point (0x2bc6) Data: 0101030000 Opcode: Codec Configuration (0x01) Number of ASE(s): 1 ASE: #0 ASE ID: 0x03 ASE Response Code: Success (0x00) ASE Response Reason: None (0x00) > ACL Data RX: Handle 42 flags 0x02 dlen 27 Channel: 64 len 23 sdu 21 [PSM 39 mode Enhanced Credit (0x81)] {chan 1} ATT: Write Command (0x52) len 20 Handle: 0x0030 Type: ASE Control Point (0x2bc6) Data: 020103000010270000022800020a00409c00 Opcode: QoS Configuration (0x02) Number of ASE(s): 1 ASE: #0 ASE ID: 0x03 CIG ID: 0x00 CIS ID: 0x00 SDU Interval: 10000 usec Framing: Unframed (0x00) PHY: 0x02 LE 2M PHY (0x02) Max SDU: 40 RTN: 2 Max Transport Latency: 10 Presentation Delay: 40000 us < ACL Data TX: Handle 42 flags 0x00 dlen 37 Channel: 64 len 33 sdu 31 [PSM 39 mode Enhanced Credit (0x81)] {chan 0} ATT: Handle Multiple Value Notification (0x23) len 30 Length: 0x0005 Handle: 0x0030 Type: ASE Control Point (0x2bc6) Data: 0201030000 Opcode: QoS Configuration (0x02) Number of ASE(s): 1 ASE: #0 ASE ID: 0x03 ASE Response Code: Success (0x00) ASE Response Reason: None (0x00) > ACL Data RX: Handle 42 flags 0x02 dlen 17 Channel: 64 len 13 sdu 11 [PSM 39 mode Enhanced Credit (0x81)] {chan 1} ATT: Write Command (0x52) len 10 Handle: 0x0030 Type: ASE Control Point (0x2bc6) Data: 0301030403020200 Opcode: Enable (0x03) Number of ASE(s): 1 ASE: #0 ASE ID: 0x03 Metadata #0: len 0x03 type 0x02 Metadata: 0200 < ACL Data TX: Handle 42 flags 0x00 dlen 33 Channel: 64 len 29 sdu 27 [PSM 39 mode Enhanced Credit (0x81)] {chan 0} ATT: Handle Multiple Value Notification (0x23) len 26 Length: 0x0005 Handle: 0x0030 Type: ASE Control Point (0x2bc6) Data: 0301030000 Opcode: Enable (0x03) Number of ASE(s): 1 ASE: #0 ASE ID: 0x03 ASE Response Code: Success (0x00) ASE Response Reason: None (0x00) > ACL Data RX: Handle 42 flags 0x02 dlen 12 Channel: 64 len 8 sdu 6 [PSM 39 mode Enhanced Credit (0x81)] {chan 0} ATT: Write Command (0x52) len 5 Handle: 0x0030 Type: ASE Control Point (0x2bc6) Data: 050101 Opcode: Disable (0x05) Number of ASE(s): 1
mlehtima
pushed a commit
that referenced
this pull request
Sep 7, 2022
This adds decoding support for PAC/ASE attributes: > ACL Data RX: Handle 42 flags 0x02 dlen 31 Channel: 65 len 27 sdu 25 [PSM 39 mode Enhanced Credit (0x81)] {chan 1} ATT: Read Response (0x0b) len 24 Value: 010600000000100301ff0002020302030305041e00f00000 Number of PAC(s): 1 PAC #0: Codec: LC3 (0x06) Codec Specific Capabilities #0: len 0x03 type 0x01 Sampling Frequencies: 0x00ff 8 Khz (0x0001) 11.25 Khz (0x0002) 16 Khz (0x0004) 22.05 Khz (0x0008) 24 Khz (0x0010) 32 Khz (0x0020) 44.1 Khz (0x0040) 48 Khz (0x0080) Codec Specific Capabilities #1: len 0x02 type 0x02 Frame Duration: 0x0003 7.5 ms (0x01) 10 ms (0x02) Codec Specific Capabilities #2: len 0x02 type 0x03 Audio Channel Count: 0x03 1 channel (0x01) 2 channels (0x02) Codec Specific Capabilities #3: len 0x05 type 0x04 Frame Length: 30 (0x001e) - 240 (0x00f0) > ACL Data RX: Handle 42 flags 0x02 dlen 30 Channel: 64 len 26 sdu 24 [PSM 39 mode Enhanced Credit (0x81)] {chan 0} ATT: Write Command (0x52) len 23 Handle: 0x0036 Type: ASE Control Point (0x2bc6) Data: 010101020206000000000a02010302020103042800 Opcode: Codec Configuration (0x01) Number of ASE(s): 1 ASE: #0 ASE ID: 0x01 Target Latency: Balance Latency/Reliability (0x02) PHY: 0x02 LE 2M PHY (0x02) Codec: LC3 (0x06) Codec Specific Configuration #0: len 0x02 type 0x01 Sampling Frequency: 16 Khz (0x03) Codec Specific Configuration #1: len 0x02 type 0x02 Frame Duration: 10 ms (0x01) Codec Specific Configuration #2: len 0x03 type 0x04 Frame Length: 40 (0x0028)
mlehtima
pushed a commit
that referenced
this pull request
Jul 3, 2023
If the stream state is idle the ep->stream shall be set to NULL otherwise it may be reused causing the following trace: ==32623==ERROR: AddressSanitizer: heap-use-after-free on address ... READ of size 8 at 0x60b000103550 thread T0 #0 0x7bf7b7 in bap_stream_valid src/shared/bap.c:4065 #1 0x7bf981 in bt_bap_stream_config src/shared/bap.c:4082 #2 0x51a7c8 in bap_config profiles/audio/bap.c:584 #3 0x71b907 in queue_foreach src/shared/queue.c:207 #4 0x51b61f in select_cb profiles/audio/bap.c:626 #5 0x4691ed in pac_select_cb profiles/audio/media.c:884 #6 0x4657ea in endpoint_reply profiles/audio/media.c:369 Fixes: bluez/bluez#457 (comment)
mlehtima
pushed a commit
that referenced
this pull request
Jul 3, 2023
When grouping requests with the same opcode the code was queueing them without attempt to check that that would fit in the ATT MTU causing the following trace: stack-buffer-overflow on address 0x7fffdba951f0 at pc 0x7fc15fc49d21 bp 0x7fffdba95020 sp 0x7fffdba947d0 WRITE of size 9 at 0x7fffdba951f0 thread T0 #0 0x7fc15fc49d20 in __interceptor_memcpy (/lib64/libasan.so.8+0x49d20) #1 0x71f698 in util_iov_push_mem src/shared/util.c:266 #2 0x7b9312 in append_group src/shared/bap.c:3424 #3 0x71ba01 in queue_foreach src/shared/queue.c:207 #4 0x7b9b66 in bap_send src/shared/bap.c:3459 #5 0x7ba594 in bap_process_queue src/shared/bap.c:351 Fixes: bluez/bluez#457 (comment)
mlehtima
pushed a commit
that referenced
this pull request
Jul 3, 2023
To look up transports, use BAP stream pointers associated with them, not the path strings stored in the stream user data. This makes it clearer that transports presented to the sound server correspond to the actual streams. The Acquire/etc. of BAP transports are already tied to the associated stream. This fixes use-after-free crashes in pac_clear. They occur because the lifetime of the path string was either that of media transport or media endpoint, which may be shorter than that of the BAP stream. In such case, pac_clear is entered with invalid pointer in stream user data, leading to crash. There are a few code paths for this, e.g. making sound server delay its SetConfiguration response (e.g. gdb breakpoint) to get dbus timeout, then disconnecting: ERROR: AddressSanitizer: heap-use-after-free on address XXXX READ of size 3 at 0x606000031640 thread T0 ... #4 0x559891 in btd_debug src/log.c:117 #5 0x46abfd in pac_clear profiles/audio/media.c:1096 #6 0x79fcaf in bap_stream_clear_cfm src/shared/bap.c:914 #7 0x7a060d in bap_stream_detach src/shared/bap.c:987 #8 0x7a25ea in bap_stream_state_changed src/shared/bap.c:1210 #9 0x7a29cd in stream_set_state src/shared/bap.c:1254 #10 0x7be824 in stream_foreach_detach src/shared/bap.c:3820 #11 0x71d15d in queue_foreach src/shared/queue.c:207 #12 0x7beb98 in bt_bap_detach src/shared/bap.c:3836 #13 0x5228cb in bap_disconnect profiles/audio/bap.c:1342 #14 0x63247c in btd_service_disconnect src/service.c:305 freed by thread T0 here: #0 0x7f16708b9388 in __interceptor_free.part.0 (/lib64/libasan.so.8+0xb9388) #1 0x7f167071b8cc in g_free (/lib64/libglib-2.0.so.0+0x5b8cc) #2 0x7047b7 in remove_interface gdbus/object.c:660 #3 0x70aef6 in g_dbus_unregister_interface gdbus/object.c:1394 #4 0x47be30 in media_transport_destroy profiles/audio/transport.c:217 #5 0x464ab9 in endpoint_remove_transport profiles/audio/media.c:270 #6 0x464d26 in clear_configuration profiles/audio/media.c:292 #7 0x464e69 in clear_endpoint profiles/audio/media.c:300 #8 0x46516e in endpoint_reply profiles/audio/media.c:325 ... Fixes: 7b1b1a4 ("media: clear the right transport when clearing BAP endpoint")
mlehtima
pushed a commit
that referenced
this pull request
Jul 3, 2023
Don't call configuration callback if stream's transport was cleared in the meantime. The clear callback is called just before the stream is freed. Fixes ASAN crash on disconnect while waiting for SetConfiguration DBus reply: ERROR: AddressSanitizer: heap-use-after-free on address 0x60b00002eb90 READ of size 8 at 0x60b00002eb90 thread T0 #0 0x7a4892 in bap_stream_config_cfm_cb src/shared/bap.c:3201 #1 0x4688fb in pac_config_cb profiles/audio/media.c:1010 #2 0x462164 in media_endpoint_cancel profiles/audio/media.c:157 #3 0x462243 in media_endpoint_cancel_all profiles/audio/media.c:165 #4 0x46365b in clear_endpoint profiles/audio/media.c:297 #5 0x463a21 in endpoint_reply profiles/audio/media.c:325 ... freed by thread T0 here: #0 0x7eff644b9388 in __interceptor_free.part.0 (/lib64/libasan.so.8+0xb9388) #1 0x78d8cc in bap_stream_free src/shared/bap.c:974 #2 0x78dbc8 in bap_stream_detach src/shared/bap.c:991 #3 0x78fa43 in bap_stream_state_changed src/shared/bap.c:1210 #4 0x78fe26 in stream_set_state src/shared/bap.c:1254 #5 0x7ab5ce in stream_foreach_detach src/shared/bap.c:3820 #6 0x70ce06 in queue_foreach src/shared/queue.c:207 #7 0x7ab942 in bt_bap_detach src/shared/bap.c:3836 #8 0x51da7a in bap_disconnect profiles/audio/bap.c:1342 #9 0x626e57 in btd_service_disconnect src/service.c:305
mlehtima
pushed a commit
that referenced
this pull request
Jul 3, 2023
Always free BAP stream in bt_bap_stream_release if it is not attached to a client session, simplifying the cleanup. Fixes the following ASAN crash is observed when media endpoint is unregistered (stopping sound server) while streaming from remote BAP client: ERROR: AddressSanitizer: heap-use-after-free on address 0x60b0000474d8 READ of size 8 at 0x60b0000474d8 thread T0 #0 0x7a27c6 in stream_set_state src/shared/bap.c:1227 #1 0x7aff61 in remove_streams src/shared/bap.c:2483 #2 0x71d2d0 in queue_foreach src/shared/queue.c:207 #3 0x7b0152 in bt_bap_remove_pac src/shared/bap.c:2501 #4 0x463cda in media_endpoint_destroy profiles/audio/media.c:179 ... 0x60b0000474d8 is located 8 bytes inside of 112-byte region freed by thread T0 here: #0 0x7f93b12b9388 in __interceptor_free.part.0 (/lib64/libasan.so.8+0xb9388) #1 0x7a0504 in bap_stream_free src/shared/bap.c:972 #2 0x7a0800 in bap_stream_detach src/shared/bap.c:989 #3 0x7a26d1 in bap_stream_state_changed src/shared/bap.c:1208 #4 0x7a2ab4 in stream_set_state src/shared/bap.c:1252 #5 0x7ab18a in stream_release src/shared/bap.c:1985 #6 0x7c6919 in bt_bap_stream_release src/shared/bap.c:4572 #7 0x7aff50 in remove_streams src/shared/bap.c:2482 ... previously allocated by thread T0 here: #0 0x7f93b12ba6af in __interceptor_malloc (/lib64/libasan.so.8+0xba6af) #1 0x71e9ae in util_malloc src/shared/util.c:43 #2 0x79c2f5 in bap_stream_new src/shared/bap.c:766 #3 0x7a4863 in ep_config src/shared/bap.c:1446 #4 0x7a4f22 in ascs_config src/shared/bap.c:1481 ...
mlehtima
pushed a commit
that referenced
this pull request
Jul 3, 2023
The following crash can be observed if the remote peer send and unsupported event: ERROR: AddressSanitizer: heap-use-after-free on address 0x60b000148f11 at pc 0x559644552088 bp 0x7ffe28b3c7b0 sp 0x7ffe28b3c7a0 WRITE of size 1 at 0x60b000148f11 thread T0 #0 0x559644552087 in avrcp_handle_event profiles/audio/avrcp.c:3907 #1 0x559644536c22 in control_response profiles/audio/avctp.c:939 #2 0x5596445379ab in session_cb profiles/audio/avctp.c:1108 #3 0x7fbcb3e51c43 in g_main_context_dispatch (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x55c43) #4 0x7fbcb3ea66c7 (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0xaa6c7) #5 0x7fbcb3e512b2 in g_main_loop_run (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x552b2) #6 0x559644754ab6 in mainloop_run src/shared/mainloop-glib.c:66 #7 0x559644755606 in mainloop_run_with_signal src/shared/mainloop-notify.c:188 #8 0x5596445bb963 in main src/main.c:1289 #9 0x7fbcb3bafd8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58 #10 0x7fbcb3bafe3f in __libc_start_main_impl ../csu/libc-start.c:392 #11 0x5596444e8224 in _start (/usr/local/libexec/bluetooth/bluetoothd+0xf0224)
mlehtima
pushed a commit
that referenced
this pull request
Jul 3, 2023
This adds an additional command line option for the Broadcast exercise, so that the user can indicate the number of BISes to create as part of a BIG (Broadcast Source), or the number of BISes to synchronize to (Broadcast Sink). For the Broadcast Source exercise, issue the following command, in order to create a BIG with handle 0x01, associated with the advertising handle 0x01, with 2 BISes: tools/isotest -i hci0 -s 00:00:00:00:00:00 -N 2 -G 1 -T 1 The isotest and btmon logs will look something like this: isotest[7178]: mgmt socket: fd 3 isotest[7178]: mgmt_set_le: err 0 isotest[7178]: mgmt_set_experimental: err 0 isotest[7179]: Exit isotest[7178]: Connecting 00:00:00:00:00:00 ... isotest[7178]: Connected [00:00:00:00:00:00] isotest[7178]: QoS [BIG 0x01 BIS 0x01 Packing 0x00 Framing 0x00 Encryption 0x00] isotest[7178]: Input QoS [Interval 10000 us Latency 10 ms SDU 0 PHY 0x00 RTN 2] isotest[7178]: Output QoS [Interval 10000 us Latency 10 ms SDU 40 PHY 0x02 RTN 2] isotest[7178]: Connecting 00:00:00:00:00:00 ... isotest[7178]: Connected [00:00:00:00:00:00] isotest[7178]: QoS [BIG 0x01 BIS 0x01 Packing 0x00 Framing 0x00 Encryption 0x00] isotest[7178]: Input QoS [Interval 10000 us Latency 10 ms SDU 0 PHY 0x00 RTN 2] isotest[7178]: Output QoS [Interval 10000 us Latency 10 ms SDU 40 PHY 0x02 RTN 2] isotest[7183]: Sending ... isotest[7183]: Number of packets: 1 isotest[7183]: Socket jitter buffer: 80 buffer isotest[7183]: [seq 0] 40 bytes buffered 92 (3712 bytes) isotest[7184]: Sending ... isotest[7184]: Number of packets: 1 isotest[7184]: Socket jitter buffer: 80 buffer isotest[7184]: [seq 0] 40 bytes buffered 92 (3712 bytes) isotest[7178]: Exit < HCI Command: LE Create Broadcast Isochronous Group (0x08|0x0068) plen 31 Handle: 0x01 Advertising Handle: 0x01 Number of BIS: 2 SDU Interval: 10000 us (0x002710) Maximum SDU size: 40 Maximum Latency: 10 ms (0x000a) RTN: 0x02 PHY: LE 2M (0x02) Packing: Sequential (0x00) Framing: Unframed (0x00) Encryption: 0x00 Broadcast Code: 00000000000000000000000000000000 > HCI Event: Command Status (0x0f) plen 4 LE Create Broadcast Isochronous Group (0x08|0x0068) ncmd 1 Status: Success (0x00) > HCI Event: LE Meta Event (0x3e) plen 23 LE Broadcast Isochronous Group Complete (0x1b) Status: Success (0x00) Handle: 0x01 BIG Synchronization Delay: 1974 us (0x0007b6) Transport Latency: 1974 us (0x0007b6) PHY: LE 2M (0x02) NSE: 3 BN: 1 PTO: 1 IRC: 3 Maximum PDU: 40 ISO Interval: 10.00 msec (0x0008) Connection Handle #0: 10 Connection Handle #1: 11 < HCI Command: LE Setup Isochronous Data Path (0x08|0x006e) plen 13 Handle: 10 Data Path Direction: Input (Host to Controller) (0x00) Data Path: HCI (0x00) Coding Format: Transparent (0x03) Company Codec ID: Ericsson Technology Licensing (0) Vendor Codec ID: 0 Controller Delay: 0 us (0x000000) Codec Configuration Length: 0 Codec Configuration: > HCI Event: Command Complete (0x0e) plen 6 LE Setup Isochronous Data Path (0x08|0x006e) ncmd 1 Status: Success (0x00) Handle: 10 < HCI Command: LE Setup Isochronous Data Path (0x08|0x006e) plen 13 Handle: 11 Data Path Direction: Input (Host to Controller) (0x00) Data Path: HCI (0x00) Coding Format: Transparent (0x03) Company Codec ID: Ericsson Technology Licensing (0) Vendor Codec ID: 0 Controller Delay: 0 us (0x000000) Codec Configuration Length: 0 Codec Configuration: > HCI Event: Command Complete (0x0e) plen 6 LE Setup Isochronous Data Path (0x08|0x006e) ncmd 1 Status: Success (0x00) Handle: 11 < ISO Data TX: Handle 10 flags 0x02 dlen 44 < ISO Data TX: Handle 11 flags 0x02 dlen 44 > HCI Event: Number of Completed Packets (0x13) plen 5 Num handles: 1 Handle: 10 Count: 1 > HCI Event: Number of Completed Packets (0x13) plen 5 Num handles: 1 Handle: 11 Count: 1 For the Broadcast Sink exercise, issue the following command, in order to synchronize to the BISes created by the source: tools/isotest -i hci1 -r 36:13:00:E1:1B:F0 -V le_random -N 2 -G 1 The flow is shown by the isotest log and the filtered btmon snippet below: isotest[4033]: mgmt socket: fd 3 isotest[4034]: Exit isotest[4033]: mgmt_set_le: err 0 isotest[4033]: mgmt_set_experimental: err 0 isotest[4033]: Waiting for connection 36:13:00:E1:1B:F0... isotest[4036]: Connected [36:13:00:E1:1B:F0] isotest[4036]: QoS [BIG 0x01 BIS 0x00 Packing 0x00 Framing 0x00 Encryption 0x00] isotest[4036]: Input QoS [Interval 1974 us Latency 10 ms SDU 40 PHY 0x00 RTN 0] isotest[4036]: Output QoS [Interval 0 us Latency 0 ms SDU 0 PHY 0x00 RTN 0] isotest[4036]: Receiving ... isotest[4037]: Connected [36:13:00:E1:1B:F0] isotest[4037]: QoS [BIG 0x01 BIS 0x00 Packing 0x00 Framing 0x00 Encryption 0x00] isotest[4037]: Input QoS [Interval 1974 us Latency 10 ms SDU 40 PHY 0x00 RTN 0] isotest[4037]: Output QoS [Interval 0 us Latency 0 ms SDU 0 PHY 0x00 RTN 0] isotest[4037]: Receiving ... isotest[4037]: [seq 0] 280 bytes in 6.48 sec speed 0.34 kb/s isotest[4036]: [seq 0] 280 bytes in 6.54 sec speed 0.33 kb/s isotest[4037]: [seq 1] 280 bytes in 7.01 sec speed 0.31 kb/s isotest[4036]: [seq 1] 280 bytes in 7.02 sec speed 0.31 kb/s isotest[4037]: [seq 2] 280 bytes in 7.06 sec speed 0.31 kb/s isotest[4036]: [seq 2] 280 bytes in 7.04 sec speed 0.31 kb/s < HCI Command: LE Periodic Advertising Create Sync (0x08|0x0044) plen 14 Options: 0x0000 Use advertising SID, Advertiser Address Type and address Reporting initially enabled SID: 0x00 Adv address type: Random (0x01) Adv address: 36:13:00:E1:1B:F0 (Non-Resolvable) Skip: 0x0000 Sync timeout: 163840 msec (0x4000) Sync CTE type: 0x0000 > HCI Event: Command Status (0x0f) plen 4 LE Periodic Advertising Create Sync (0x08|0x0044) ncmd 1 Status: Success (0x00) < HCI Command: LE Set Extended Scan Parameters (0x08|0x0041) plen 13 Own address type: Public (0x00) Filter policy: Ignore not in accept list (0x01) PHYs: 0x05 Entry 0: LE 1M Type: Passive (0x00) Interval: 60.000 msec (0x0060) Window: 30.000 msec (0x0030) Entry 1: LE Coded Type: Passive (0x00) Interval: 60.000 msec (0x0060) Window: 30.000 msec (0x0030) > HCI Event: Command Complete (0x0e) plen 4 LE Set Extended Scan Parameters (0x08|0x0041) ncmd 1 Status: Success (0x00) < HCI Command: LE Set Extended Scan Enable (0x08|0x0042) plen 6 Extended scan: Enabled (0x01) Filter duplicates: Enabled (0x01) Duration: 0 msec (0x0000) Period: 0.00 sec (0x0000) > HCI Event: Command Complete (0x0e) plen 4 LE Set Extended Scan Enable (0x08|0x0042) ncmd 1 Status: Success (0x00) > HCI Event: LE Meta Event (0x3e) plen 16 LE Periodic Advertising Sync Established (0x0e) Status: Success (0x00) Sync handle: 0 Advertising SID: 0x00 Advertiser address type: Random (0x01) Advertiser address: 36:13:00:E1:1B:F0 (Non-Resolvable) Advertiser PHY: LE 2M (0x02) Periodic advertising interval: 10.00 msec (0x0008) Advertiser clock accuracy: 0x00 > HCI Event: LE Meta Event (0x3e) plen 8 LE Periodic Advertising Report (0x0f) Sync handle: 0 TX power: 127 dbm (0x7f) RSSI: -47 dBm (0xd1) CTE Type: No Constant Tone Extension (0xff) Data status: Complete Data length: 0x00 > HCI Event: LE Meta Event (0x3e) plen 20 LE Broadcast Isochronous Group Info Advertising Report (0x22) Sync Handle: 0x0000 Number BIS: 2 NSE: 3 ISO Interval: 10.00 msec (0x0008) BN: 1 PTO: 1 IRC: 3 Maximum PDU: 40 SDU Interval: 10000 us (0x002710) Maximum SDU: 40 PHY: LE 2M (0x02) Framing: Unframed (0x00) Encryption: 0x00 < HCI Command: LE Broadcast Isochronous Group Create Sync (0x08|0x006b) plen 26 BIG Handle: 0x01 BIG Sync Handle: 0x0000 Encryption: Unencrypted (0x00) Broadcast Code: 00000000000000000000000000000000 Maximum Number Subevents: 0x00 Timeout: 163840 ms (0x4000) Number of BIS: 2 BIS ID: 0x01 BIS ID: 0x02 > HCI Event: LE Meta Event (0x3e) plen 19 LE Broadcast Isochronous Group Sync Estabilished (0x1d) Status: Success (0x00) BIG Handle: 0x01 Transport Latency: 1974 us (0x0007b6) NSE: 3 BN: 1 PTO: 1 IRC: 3 Maximum PDU: 40 ISO Interval: 10.00 msec (0x0008) Connection Handle #0: 10 Connection Handle #1: 11 < HCI Command: LE Setup Isochronous Data Path (0x08|0x006e) plen 13 Handle: 10 Data Path Direction: Output (Controller to Host) (0x01) Data Path: HCI (0x00) Coding Format: Transparent (0x03) Company Codec ID: Ericsson Technology Licensing (0) Vendor Codec ID: 0 Controller Delay: 0 us (0x000000) Codec Configuration Length: 0 Codec Configuration: > HCI Event: Command Complete (0x0e) plen 6 LE Setup Isochronous Data Path (0x08|0x006e) ncmd 1 Status: Success (0x00) Handle: 10 < HCI Command: LE Setup Isochronous Data Path (0x08|0x006e) plen 13 Handle: 11 Data Path Direction: Output (Controller to Host) (0x01) Data Path: HCI (0x00) Coding Format: Transparent (0x03) Company Codec ID: Ericsson Technology Licensing (0) Vendor Codec ID: 0 Controller Delay: 0 us (0x000000) Codec Configuration Length: 0 Codec Configuration: > HCI Event: Command Complete (0x0e) plen 6 LE Setup Isochronous Data Path (0x08|0x006e) ncmd 1 Status: Success (0x00) Handle: 11 > ISO Data RX: Handle 10 flags 0x06 dlen 48 > ISO Data RX: Handle 11 flags 0x06 dlen 48
mlehtima
pushed a commit
that referenced
this pull request
Dec 13, 2023
It seems like some implementation of vasprintf set the content of the str to NULL rather then returning -1 causing the following errors: ================================================================= ==216204==ERROR: AddressSanitizer: attempting free on address which was not malloc()-ed: 0x55e787722cf0 in thread T0 #0 0x55e784f75872 in __interceptor_free.part.0 asan_malloc_linux.cpp.o #1 0x55e7850e55f9 in bt_log_vprintf /usr/src/debug/bluez-git/bluez-git/src/shared/log.c:154:2 #2 0x55e78502db18 in monitor_log /usr/src/debug/bluez-git/bluez-git/src/log.c:40:2 #3 0x55e78502dab4 in info /usr/src/debug/bluez-git/bluez-git/src/log.c:52:2 #4 0x55e78502e314 in __btd_log_init /usr/src/debug/bluez-git/bluez-git/src/log.c:179:2 #5 0x55e78502aa63 in main /usr/src/debug/bluez-git/bluez-git/src/main.c:1388:2 #6 0x7f1d5fe27ccf (/usr/lib/libc.so.6+0x27ccf) (BuildId: 316d0d3666387f0e8fb98773f51aa1801027c5ab) #7 0x7f1d5fe27d89 in __libc_start_main (/usr/lib/libc.so.6+0x27d89) (BuildId: 316d0d3666387f0e8fb98773f51aa1801027c5ab) #8 0x55e784e88084 in _start (/usr/lib/bluetooth/bluetoothd+0x36084) (BuildId: 19348ea642303b701c033d773055becb623fe79a) Address 0x55e787722cf0 is a wild pointer inside of access range of size 0x000000000001. SUMMARY: AddressSanitizer: bad-free asan_malloc_linux.cpp.o in __interceptor_free.part.0 ==216204==ABORTING сен 18 13:10:02 archlinux systemd[1]: bluetooth.service: Main process exited, code=exited, status=1/FAILURE
mlehtima
pushed a commit
that referenced
this pull request
Dec 13, 2023
Primary/Secundary Counters are supposed to be 16 bytes values, if the server has implemented them incorrectly it may lead to the following crash: ================================================================= ==31860==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x607000001878 at pc 0x7f95a1575638 bp 0x7fff58c6bb80 sp 0x7fff58c6b328 READ of size 48 at 0x607000001878 thread T0 #0 0x7f95a1575637 in MemcmpInterceptorCommon(void*, int (*)(void const*, void const*, unsigned long), void const*, void const*, unsigned long) ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:860 #1 0x7f95a1575ba6 in __interceptor_memcmp ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:892 #2 0x7f95a1575ba6 in __interceptor_memcmp ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:887 #3 0x564df69c77a0 in read_version obexd/client/pbap.c:288 #4 0x564df69c77a0 in read_return_apparam obexd/client/pbap.c:352 #5 0x564df69c77a0 in phonebook_size_callback obexd/client/pbap.c:374 #6 0x564df69bea3c in session_terminate_transfer obexd/client/session.c:921 #7 0x564df69d56b0 in get_xfer_progress_first obexd/client/transfer.c:729 #8 0x564df698b9ee in handle_response gobex/gobex.c:1140 #9 0x564df698cdea in incoming_data gobex/gobex.c:1385 #10 0x7f95a12fdc43 in g_main_context_dispatch (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x55c43) #11 0x7f95a13526c7 (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0xaa6c7) #12 0x7f95a12fd2b2 in g_main_loop_run (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x552b2) #13 0x564df6977d41 in main obexd/src/main.c:307 #14 0x7f95a10a7d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58 #15 0x7f95a10a7e3f in __libc_start_main_impl ../csu/libc-start.c:392 #16 0x564df6978704 in _start (/usr/local/libexec/bluetooth/obexd+0x8b704) 0x607000001878 is located 0 bytes to the right of 72-byte region [0x607000001830,0x607000001878) allocated by thread T0 here: #0 0x7f95a1595a37 in __interceptor_calloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:154 #1 0x564df69c8b6a in pbap_probe obexd/client/pbap.c:1259
mlehtima
pushed a commit
that referenced
this pull request
Dec 13, 2023
ASCS allows transitions from Codec/QoS Configured back to the same state. E.g. NRF5340_AUDIO devkit starts in the config(1) state, which is allowed (only Config QoS, Release, Enable, Receiver Stop Ready transition are client-only). In this case, as client, we do Config Codec ourselves and end up with config(1)->config(1) transition. We currently ignore that event, so QoS won't be setup and transports won't be created. Handle the config(1)->config(1) transition by continuing to Config QoS if it occurs. Log: src/gatt-client.c:btd_gatt_client_connected() Device connected. src/shared/gatt-client.c:exchange_mtu_cb() MTU exchange complete, with MTU: 65 src/shared/bap.c:bap_ep_set_status() ASE status: ep 0x604000039a90 id 0x01 handle 0x000f state config len 42 src/shared/bap.c:ep_status_config() codec 0x06 framing 0x00 phy 0x02 rtn 2 latency 10 pd 4000 - 40000 ppd 4000 - 40000 src/shared/bap.c:ep_status_config() Codec Config #0: type 0x01 len 2 src/shared/bap.c:ep_status_config() Codec Config #1: type 0x02 len 2 src/shared/bap.c:ep_status_config() Codec Config #2: type 0x03 len 5 src/shared/bap.c:ep_status_config() Codec Config #3: type 0x04 len 3 src/shared/bap.c:ep_status_config() Codec Config #4: type 0x05 len 2 src/shared/bap.c:bap_stream_state_changed() stream 0x60c0000334c0 dir 0x01: idle -> config src/shared/bap.c:bap_stream_update_io_links() stream 0x60c0000334c0 profiles/audio/bap.c:bap_state() stream 0x60c0000334c0: idle(0) -> config(1) profiles/audio/bap.c:bap_ready() bap 0x60e000001d20 profiles/audio/bap.c:pac_found() lpac 0x608000017520 rpac 0x6080000183a0 profiles/audio/bap.c:ep_register() ep 0x60d000006910 lpac 0x608000017520 rpac 0x6080000183a0 path /org/bluez/hci0/dev_C9_C9_76_21_08_4F/pac_sink0 profiles/audio/media.c:media_endpoint_async_call() Calling SelectProperties: name = :1.604 path = /MediaEndpointLE/BAPSource/lc3 ... src/shared/bap.c:bap_stream_state_changed() stream 0x60c0000334c0 dir 0x01: config -> config src/shared/bap.c:bap_stream_update_io_links() stream 0x60c0000334c0 profiles/audio/bap.c:bap_state() stream 0x60c0000334c0: config(1) -> config(1)
mlehtima
pushed a commit
that referenced
this pull request
Dec 13, 2023
This uses bt_bap_debug_{config, metadata} to decode the TLV entries found in Basic Audio Announcement: < HCI Command: LE Set Peri.. (0x08|0x003f) plen 41 Handle: 1 Operation: Complete ext advertising data (0x03) Data length: 0x26 Service Data: Basic Audio Announcement (0x1851) Presetation Delay: 10000 Number of Subgroups: 1 Subgroup #0: Number of BIS(s): 1 Codec: LC3 (0x06) Codec Specific Configuration: #0: len 0x02 type 0x01 Codec Specific Configuration: Sampling Frequency: 48 Khz (0x08) Codec Specific Configuration: #1: len 0x02 type 0x02 Codec Specific Configuration: Frame Duration: 7.5 ms (0x00) Codec Specific Configuration: #2: len 0x03 type 0x04 Codec Specific Configuration: Frame Length: 75 (0x004b) Metadata: #0: len 0x03 type 0x02 Metadata: Context: 0x0002 Metadata: Context Conversational (0x0002) BIS #0: Index: 1 Codec Specific Configuration: #0: len 0x05 type 0x03 Codec Specific Configuration: Location: 0x00000001 Codec Specific Configuration: Location: Front Left (0x00000001)
mlehtima
pushed a commit
that referenced
this pull request
Jan 28, 2024
bt_bap_pac may actually map to multiple PAC records and each may have a different channel count that needs to be matched separately, for instance when trying with EarFun Air Pro: < ACL Data TX: Handle 2048 flags 0x00 dlen 85 ATT: Write Command (0x52) len 80 Handle: 0x0098 Type: ASE Control Point (0x2bc6) Data: 010405020206000000000a020103020201030428000602020600000 0000a0201030202010304280001020206000000000a020103020201030428 0002020206000000000a02010302020103042800 Opcode: Codec Configuration (0x01) Number of ASE(s): 4 ASE: #0 ASE ID: 0x05 Target Latency: Balance Latency/Reliability (0x02) PHY: 0x02 LE 2M PHY (0x02) Codec: LC3 (0x06) Codec Specific Configuration: #0: len 0x02 type 0x01 Sampling Frequency: 16 Khz (0x03) Codec Specific Configuration: #1: len 0x02 type 0x02 Frame Duration: 10 ms (0x01) Codec Specific Configuration: #2: len 0x03 type 0x04 Frame Length: 40 (0x0028) ASE: #1 ASE ID: 0x06 Target Latency: Balance Latency/Reliability (0x02) PHY: 0x02 LE 2M PHY (0x02) Codec: LC3 (0x06) Codec Specific Configuration: #0: len 0x02 type 0x01 Sampling Frequency: 16 Khz (0x03) Codec Specific Configuration: #1: len 0x02 type 0x02 Frame Duration: 10 ms (0x01) Codec Specific Configuration: #2: len 0x03 type 0x04 Frame Length: 40 (0x0028) ASE: #2 ASE ID: 0x01 Target Latency: Balance Latency/Reliability (0x02) PHY: 0x02 LE 2M PHY (0x02) Codec: LC3 (0x06) Codec Specific Configuration: #0: len 0x02 type 0x01 Sampling Frequency: 16 Khz (0x03) Codec Specific Configuration: #1: len 0x02 type 0x02 Frame Duration: 10 ms (0x01) Codec Specific Configuration: #2: len 0x03 type 0x04 Frame Length: 40 (0x0028) ASE: #3 ASE ID: 0x02 Target Latency: Balance Latency/Reliability (0x02) PHY: 0x02 LE 2M PHY (0x02) Codec: LC3 (0x06) Codec Specific Configuration: #0: len 0x02 type 0x01 Sampling Frequency: 16 Khz (0x03) Codec Specific Configuration: #1: len 0x02 type 0x02 Frame Duration: 10 ms (0x01) Codec Specific Configuration: #2: len 0x03 type 0x04 Frame Length: 40 (0x0028) Fixes: bluez/bluez#612
mlehtima
pushed a commit
that referenced
this pull request
Jan 28, 2024
This makes use of ChannelAllocation when present on SelectProperties dictionary which is then passed on to bluetoothd and send over as part of Codec Configuration: < ACL Data TX: Handle 2048 flags 0x00 dlen 109 ATT: Write Command (0x52) len 104 Handle: 0x0098 Type: ASE Control Point (0x2bc6) Data: 0104050202060000000010020103020201030428000503010000000 6020206000000001002010302020103042800050302000000010202060000 0000100201030202010304280005030100000002020206000000001002010 302020103042800050302000000 Opcode: Codec Configuration (0x01) Number of ASE(s): 4 ASE: #0 ASE ID: 0x05 Target Latency: Balance Latency/Reliability (0x02) PHY: 0x02 LE 2M PHY (0x02) Codec: LC3 (0x06) Codec Specific Configuration: #0: len 0x02 type 0x01 Sampling Frequency: 16 Khz (0x03) Codec Specific Configuration: #1: len 0x02 type 0x02 Frame Duration: 10 ms (0x01) Codec Specific Configuration: #2: len 0x03 type 0x04 Frame Length: 40 (0x0028) Codec Specific Configuration: #3: len 0x05 type 0x03 Location: 0x00000001 Front Left (0x00000001) ASE: #1 ASE ID: 0x06 Target Latency: Balance Latency/Reliability (0x02) PHY: 0x02 LE 2M PHY (0x02) Codec: LC3 (0x06) Codec Specific Configuration: #0: len 0x02 type 0x01 Sampling Frequency: 16 Khz (0x03) Codec Specific Configuration: #1: len 0x02 type 0x02 Frame Duration: 10 ms (0x01) Codec Specific Configuration: #2: len 0x03 type 0x04 Frame Length: 40 (0x0028) Codec Specific Configuration: #3: len 0x05 type 0x03 Location: 0x00000002 Front Right (0x00000002) ASE: #2 ASE ID: 0x01 Target Latency: Balance Latency/Reliability (0x02) PHY: 0x02 LE 2M PHY (0x02) Codec: LC3 (0x06) Codec Specific Configuration: #0: len 0x02 type 0x01 Sampling Frequency: 16 Khz (0x03) Codec Specific Configuration: #1: len 0x02 type 0x02 Frame Duration: 10 ms (0x01) Codec Specific Configuration: #2: len 0x03 type 0x04 Frame Length: 40 (0x0028) Codec Specific Configuration: #3: len 0x05 type 0x03 Location: 0x00000001 Front Left (0x00000001) ASE: #3 ASE ID: 0x02 Target Latency: Balance Latency/Reliability (0x02) PHY: 0x02 LE 2M PHY (0x02) Codec: LC3 (0x06) Codec Specific Configuration: #0: len 0x02 type 0x01 Sampling Frequency: 16 Khz (0x03) Codec Specific Configuration: #1: len 0x02 type 0x02 Frame Duration: 10 ms (0x01) Codec Specific Configuration: #2: len 0x03 type 0x04 Frame Length: 40 (0x0028) Codec Specific Configuration: #3: len 0x05 type 0x03 Location: 0x00000002 Front Right (0x00000002)
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
For Bluetooth Secure Simple Pairing