Launchpad has imported 2 comments from the remote bug at https://bugzilla.kernel.org/show_bug.cgi?id=204201.
If you reply to an imported comment from within Launchpad, your comment will be sent to the remote bug automatically. Read more about Launchpad's inter-bugtracker facilities at https://help.launchpad.net/InterBugTracking.

------------------------------------------------------------------------
On 2019-07-17T09:53:30+00:00 mathieu.stephan wrote:

Created attachment 283773
callstacks

Hello everyone,

We are currently developing a device that contains two HID services. That device, as it is right now, is properly functioning on Windows & Android. However, when pairing the device on Linux running bluez 5.50 we do get segfaults (see attached files).

Our Bluetooth device has 4 services: 1 battery service, 2 HID over GATT services and 1 device information service. With trial and error, we managed to find that we wouldn't get any crash as long as only 1 HOG service was present.

Here's the interesting part. The two HOG services are made as follows:
- standard keyboard over GATT: protocol mode / report map / 1 INPUT report / boot INPUT + OUTPUT / HID information / HID control point
- raw HID over GATT: report map / 1 INPUT report / 1 OUTPUT report / HID information / HID control point

Looking at the write_ccc in the call stacks, we wondered if the callbacks subscribing to notifications for the INPUT reports were causing this issue. We therefore changed the raw HID over GATT (and its report map) to remove the INPUT report and change it into 1 OUTPUT report (leading to 2 OUTPUT reports): no crash.

We therefore hypothesize that the segfault occurs when subscribing to notifications on a second HOG service.

Reply at: https://bugs.launchpad.net/ubuntu/+source/bluez/+bug/1836809/comments/3

------------------------------------------------------------------------
On 2019-08-05T04:56:38+00:00 mathieu.stephan wrote:

Hello,

We have done some further investigation. During device pairing bluez is crashing.
>From debugging I can see the 2 hog services with the correct attributes, then
>one of the 2 hog services is reaching ref_count 0, hence it is getting freed,
>but on the next read bluez is trying to use a corrupted hog service and during
>reading its attributes we are receiving the segfault.

With normal behavior the next step would be "Report characteristic descriptor written: notifications enabled", but it crashes right before that.

Reply at: https://bugs.launchpad.net/ubuntu/+source/bluez/+bug/1836809/comments/11

** Changed in: bluez
   Status: Unknown => Confirmed

** Changed in: bluez
   Importance: Unknown => Medium

-- 
You received this bug notification because you are a member of Kernel Packages, which is subscribed to bluez in Ubuntu.
https://bugs.launchpad.net/bugs/1836809

Title:
  segfault when CCD are present in two different HOG services

Status in Bluez Utilities:
  Confirmed
Status in bluez package in Ubuntu:
  Triaged

To manage notifications about this bug go to:
https://bugs.launchpad.net/bluez/+bug/1836809/+subscriptions

-- 
Mailing list: https://launchpad.net/~kernel-packages
Post to     : kernel-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~kernel-packages
More help   : https://help.launchpad.net/ListHelp
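The failure the second comment describes (one hog service reaching ref_count 0 and being freed while the CCC write for its report is still in flight, then being touched again on the next read) is the usual shape of a reference-count bug across an asynchronous completion. The following C program is an added example written for this page; it is not bluez code and not the fix the project applied. All names (hog, ccc_write, write_ccc, write_ccc_cb, run_pairing) are hypothetical, and the model makes two assumptions the report does not state: the owner drops its reference to the second service while the write is pending, and "freeing" is modelled by a flag instead of free() so the stale access is observable rather than undefined behaviour. It shows the raw-pointer variant beside the hardened one, where each pending write pins the object until its completion has run.

```c
/* Added example (not bluez code): minimal model of a refcounted per-service
 * object whose pointer is held by an asynchronous CCC-write completion.
 * All names here are hypothetical. */
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

struct hog {
    const char *name;
    int ref_count;
    bool freed;           /* stands in for free(): keeps the stale access observable */
    bool notify_enabled;  /* set when "notifications enabled" would be logged */
};

/* A CCC write still in flight; its completion runs later. */
struct ccc_write {
    struct hog *hog;
    bool holds_ref;       /* whether this pending write took its own reference */
};

static struct hog *hog_new(const char *name)
{
    struct hog *h = calloc(1, sizeof(*h));
    h->name = name;
    h->ref_count = 1;     /* the owner's reference */
    return h;
}

static struct hog *hog_ref(struct hog *h)
{
    h->ref_count++;
    return h;
}

static void hog_unref(struct hog *h)
{
    if (--h->ref_count > 0)
        return;
    h->freed = true;      /* real code would free(h) here */
}

/* Start a CCC write for one service. With take_ref the pending write pins the
 * object until its completion has run; without it only a raw pointer is kept. */
static void write_ccc(struct hog *h, bool take_ref, struct ccc_write *pending)
{
    pending->hog = take_ref ? hog_ref(h) : h;
    pending->holds_ref = take_ref;
}

/* Completion callback. Returns false if it touched an already-released object
 * (in real code that is the use-after-free behind the segfault). */
static bool write_ccc_cb(struct ccc_write *w)
{
    struct hog *h = w->hog;
    bool alive = !h->freed;
    if (alive)
        h->notify_enabled = true;
    if (w->holds_ref)
        hog_unref(h);
    return alive;
}

/* Two HOG services with one CCC write in flight each. The owner drops its
 * reference to the second service before the completions run (an assumption
 * of this model; the report does not say what drops the count).
 * Returns how many completions found their object still alive. */
static int run_pairing(bool take_ref)
{
    struct hog *kbd = hog_new("keyboard HOG");
    struct hog *raw = hog_new("raw HID HOG");
    struct ccc_write pending[2];
    int alive = 0;

    write_ccc(kbd, take_ref, &pending[0]);
    write_ccc(raw, take_ref, &pending[1]);

    hog_unref(raw);       /* owner's reference gone while the write is in flight */

    alive += write_ccc_cb(&pending[0]);
    alive += write_ccc_cb(&pending[1]);

    hog_unref(kbd);
    free(kbd);            /* memory was kept so the flag could be inspected */
    free(raw);
    return alive;
}

int main(void)
{
    printf("raw pointer only:     %d of 2 completions safe\n", run_pairing(false));
    printf("reference per write:  %d of 2 completions safe\n", run_pairing(true));
    return 0;
}
```

The only difference between the two runs is whether write_ccc takes a reference for the pending operation; in the hardened run the second service reaches ref_count 0 only after its completion has released it, which is the ordering the "notifications enabled" log line depends on.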