Bug 96831 - PulseAudio crashes when I disconnect Bluetooth A2DP headphones (with Bluez 5)
Summary: PulseAudio crashes when I disconnect Bluetooth A2DP headphones (with Bluez 5)
Status: RESOLVED FIXED
Alias: None
Product: PulseAudio
Classification: Unclassified
Component: modules (show other bugs)
Version: unspecified
Hardware: Other All
: medium normal
Assignee: pulseaudio-bugs
QA Contact: pulseaudio-bugs
URL:
Whiteboard:
Keywords:
Depends on:
Blocks: 96750
  Show dependency treegraph
 
Reported: 2016-07-06 14:30 UTC by Aidan Thornton
Modified: 2016-12-12 15:21 UTC (History)
1 user (show)

See Also:
i915 platform:
i915 features:

Attachments

Description Aidan Thornton 2016-07-06 14:30:06 UTC 
For the last few PulseAudio versions, including 9.0, it's been segfaulting every time I disconnect my Bluetooth headphones with no usable backtrace. It turns out that module-bluez5-device.so is unloading itself when the device disconnects, which means that when pa_module_unload returns the code in module-bluez5-device.so that's doing this is no longer loaded and PulseAudio crashes. Backtrace of the place where it unloads itself is as follows:

#0  0x00007ffff6bc3120 in dlclose () from /lib64/libdl.so.2
#1  0x0000555555561473 in bind_now_close (d=<optimized out>, m=<optimized out>)
    at /var/tmp/portage/media-sound/pulseaudio-9.0/work/pulseaudio-9.0/src/daemon/ltdl-bind-now.c:87
#2  0x00007ffff7444106 in lt_dlclose (handle=0x555555a71010)
    at /var/tmp/portage/dev-libs/libltdl-2.4.6/work/libtool-2.4.6/libltdl/ltdl.c:1989
#3  0x00007ffff7b5c89e in pa_module_free (m=0x555555bee380)
    at /var/tmp/portage/media-sound/pulseaudio-9.0/work/pulseaudio-9.0/src/pulsecore/module.c:249
#4  0x00007ffff7b5d50d in pa_module_unload (m=<optimized out>, force=force@entry=true)
    at /var/tmp/portage/media-sound/pulseaudio-9.0/work/pulseaudio-9.0/src/pulsecore/module.c:271
#5  0x00007fffe5db146e in device_connection_changed_cb (y=<optimized out>, d=<optimized out>, u=0x555555bef0d0)
    at /var/tmp/portage/media-sound/pulseaudio-9.0/work/pulseaudio-9.0/src/modules/bluetooth/module-bluez5-device.c:2038
#6  0x00007ffff7b5aa2d in pa_hook_fire (hook=0x555555ab0780, data=0x555555a0bd60)
    at /var/tmp/portage/media-sound/pulseaudio-9.0/work/pulseaudio-9.0/src/pulsecore/hook-list.c:104
#7  0x00007fffe75f6676 in pa_bluetooth_transport_unlink (t=0x555555bb0150)
    at /var/tmp/portage/media-sound/pulseaudio-9.0/work/pulseaudio-9.0/src/modules/bluetooth/bluez5-util.c:199
#8  0x00007fffe75f6742 in pa_bluetooth_transport_free (t=0x555555bb0150)
    at /var/tmp/portage/media-sound/pulseaudio-9.0/work/pulseaudio-9.0/src/modules/bluetooth/bluez5-util.c:209
#9  0x00007fffe75f9500 in endpoint_clear_configuration (conn=<optimized out>, userdata=0x555555ab0760, m=0x555555770740)
    at /var/tmp/portage/media-sound/pulseaudio-9.0/work/pulseaudio-9.0/src/modules/bluetooth/bluez5-util.c:1473
#10 endpoint_handler (c=<optimized out>, m=0x555555770740, userdata=0x555555ab0760)
    at /var/tmp/portage/media-sound/pulseaudio-9.0/work/pulseaudio-9.0/src/modules/bluetooth/bluez5-util.c:1521
#11 0x00007ffff72122f7 in _dbus_object_tree_dispatch_and_unlock () from /usr/lib64/libdbus-1.so.3
#12 0x00007ffff72026b2 in dbus_connection_dispatch () from /usr/lib64/libdbus-1.so.3
#13 0x00007ffff76b0137 in dispatch_cb (ea=0x55555576d898, ev=0x555555b7efb0, userdata=<optimized out>)
    at /var/tmp/portage/media-sound/pulseaudio-9.0/work/pulseaudio-9.0/src/pulsecore/dbus-util.c:53
#14 0x00007ffff790009a in dispatch_defer (m=0x55555576d840)
    at /var/tmp/portage/media-sound/pulseaudio-9.0/work/pulseaudio-9.0/src/pulse/mainloop.c:680
#15 pa_mainloop_dispatch (m=m@entry=0x55555576d840)
    at /var/tmp/portage/media-sound/pulseaudio-9.0/work/pulseaudio-9.0/src/pulse/mainloop.c:889
#16 0x00007ffff7900307 in pa_mainloop_iterate (m=0x55555576d840, block=<optimized out>, retval=0x7fffffffd138)
    at /var/tmp/portage/media-sound/pulseaudio-9.0/work/pulseaudio-9.0/src/pulse/mainloop.c:929
#17 0x00007ffff7900410 in pa_mainloop_run (m=0x55555576d840, retval=0x7fffffffd138)
    at /var/tmp/portage/media-sound/pulseaudio-9.0/work/pulseaudio-9.0/src/pulse/mainloop.c:944
#18 0x000055555555b622 in main (argc=<optimized out>, argv=<optimized out>)
    at /var/tmp/portage/media-sound/pulseaudio-9.0/work/pulseaudio-9.0/src/daemon/main.c:1141

Note that this is the last point at which I can get a full backtrace - after dlclose returns, module-bluez5-device.so is no longer loaded and the information required to create one is no longer available. The actual crash happens once we try and return into device_connection_changed_cb in module-bluez5-device.c which has been unmapped from memory. Final log messages are as follows:

D: [pulseaudio] device-port.c: Setting port headset-output to status unknown
D: [pulseaudio] core-subscribe.c: Dropped redundant event due to change event.
D: [pulseaudio] bluez5-util.c: dbus: path=/MediaEndpoint/A2DPSource, interface=org.bluez.MediaEndpoint1, member=ClearConfiguration
D: [pulseaudio] bluez5-util.c: Clearing transport /org/bluez/hci0/dev_20_15_00_00_07_FD/fd7 profile a2dp_sink
D: [pulseaudio] bluez5-util.c: Transport /org/bluez/hci0/dev_20_15_00_00_07_FD/fd7 state changed from idle to disconnected
D: [pulseaudio] module-rescue-streams.c: No sink inputs to move away.
D: [pulseaudio] module-rescue-streams.c: No source outputs to move away.
D: [bluetooth] module-bluez5-device.c: IO thread shutdown requested, stopping cleanly
D: [bluetooth] module-bluez5-device.c: IO thread shutting down
[Thread 0x7fffe5b99700 (LWP 10177) exited]
I: [pulseaudio] sink.c: Freeing sink 1 "bluez_sink.20_15_00_00_07_FD"
I: [pulseaudio] source.c: Freeing source 3 "bluez_sink.20_15_00_00_07_FD.monitor"
I: [pulseaudio] card.c: Changed profile of card 4 "bluez_card.20_15_00_00_07_FD" to off
D: [pulseaudio] card.c: Setting card bluez_card.20_15_00_00_07_FD profile a2dp_sink to availability status no
D: [pulseaudio] core-subscribe.c: Dropped redundant event due to change event.
D: [pulseaudio] device-port.c: Setting port headset-output to status no
D: [pulseaudio] core-subscribe.c: Dropped redundant event due to change event.
D: [pulseaudio] module-bluez5-discover.c: Unregistering module for /org/bluez/hci0/dev_20_15_00_00_07_FD
D: [pulseaudio] module-bluez5-device.c: Unloading module for device /org/bluez/hci0/dev_20_15_00_00_07_FD
I: [pulseaudio] module.c: Unloading "module-bluez5-device" (index: #24).
I: [pulseaudio] card.c: Freed 4 "bluez_card.20_15_00_00_07_FD"
D: [pulseaudio] core-subscribe.c: Dropped redundant event due to remove event.
I: [pulseaudio] module.c: Unloaded "module-bluez5-device" (index: #24).

Thread 1 "pulseaudio" received signal SIGSEGV, Segmentation fault.
0x00007fffe5db146e in ?? ()

This is on Gentoo x86-64. Note that this doesn't affect all systems and I haven't been able to figure out why, so you may have difficulty reproducing this. On another Gentoo system the offending call to dlclose doesn't actually unload the library for a reason I have not been able to determine and it seems to remain loaded indefinitely with no crash.
Comment 1 Tanu Kaskinen 2016-07-06 15:45:34 UTC 
Crasher, marking as a release blocker.

The fix might be quite simple: just add a defer event for calling lt_dlclose() a bit later.
Comment 2 Tanu Kaskinen 2016-09-21 09:56:34 UTC 
Fix submitted: https://patchwork.freedesktop.org/patch/111580/

I'm not able to reproduce the bug even without the patch, so testing would be welcome.
Comment 3 Aidan Thornton 2016-09-22 16:38:06 UTC 
Tested on affected system and that seems to fix the bug - without it I get a crash pretty reliably on disconnecting my Bluetooth headphones, with it disconnecting and reconnecting them works normally and unloads/reloads module-bluez5-device.so without crashing. Thank you! I'm still not quite sure why not all systems are affected but perhaps some mysteries are best left unanswered.
Comment 4 Tanu Kaskinen 2016-12-12 15:21:31 UTC 
The fix is now committed.

Use of freedesktop.org services, including Bugzilla, is subject to our Code of Conduct. How we collect and use information is described in our Privacy Policy.