debcrafters-packages team mailing list archive
Message #08003
[Bug 2121311] Re: pulseaudio aborts in pa_bluetooth_transport_set_state() (Bluetooth/BlueZ integration)
Hi charles05,
Thanks again for your attention to this issue. I've updated my analysis
with a clearer explanation of the components involved and provided the
symbolic backtrace you requested.
[High-Level Analysis]
The crash is a SIGABRT (abort signal) that occurs consistently within PulseAudio's pa_bluetooth_transport_set_state() function.
The call stack shows this function was triggered by a message from the
system's D-Bus service, which is the standard way BlueZ communicates
device state changes to applications like PulseAudio. The crash happens
when PulseAudio attempts to process one of these state change
notifications, specifically during stress-testing that involves rapid
Bluetooth profile and transport state transitions.
[Relationship between PulseAudio and BlueZ]
To clarify, the crash occurs inside the libbluez5-util.so library. Although the name contains "bluez", I assume that this is a PulseAudio-internal utility module used specifically for interacting with the BlueZ stack. It is part of the pulseaudio source package, not the bluez package.
Essentially, the situation is:
1. The BlueZ daemon manages the Bluetooth hardware and broadcasts device
state changes (e.g., "device disconnected") over D-Bus.
2. PulseAudio's Bluetooth module listens for these messages.
3. The crash occurs inside PulseAudio's code while it is handling a
message received from BlueZ.
Therefore, this appears to be a bug in PulseAudio's state management
logic when it receives a rapid or unusual sequence of valid messages
from BlueZ. The issue lies in PulseAudio's handling of the situation,
not in BlueZ itself. For this reason, the bug is correctly filed against
the pulseaudio package.
[Crashing Thread Backtrace (Thread 1)]
Here is the formatted backtrace for the crashing thread, which supports this analysis.
---------------------------------------------------------------
// Standard abort sequence initiated by the application
#4 0x00007355aebf77f3 in __GI_abort () at ./stdlib/abort.c:79
...
// <<< Crash occurs here, in PulseAudio's Bluetooth utility library
#5 0x00007355a886cfb5 in pa_bluetooth_transport_set_state () at /usr/lib/pulse-15.99.1+dfsg1/modules/libbluez5-util.so
...
// <<< Triggered by a D-Bus message, the standard IPC for BlueZ
#7 0x00007355aeed5869 in dbus_connection_dispatch () at /lib/x86_64-linux-gnu/libdbus-1.so.3
// Standard PulseAudio main event loop
...
#12 0x0000610c5ab82f7d in main ()
-------------------------------------------------------------
[Next Steps?]
This backtrace confirms the location of the fault within PulseAudio's logic. If you need any further resources, I will work on reproducing the crash with --log-level=debug enabled to capture the verbose logs leading up to this abort.
--
You received this bug notification because you are a member of
Debcrafters packages, which is subscribed to pulseaudio in Ubuntu.
https://bugs.launchpad.net/bugs/2121311
Title:
pulseaudio aborts in pa_bluetooth_transport_set_state()
(Bluetooth/BlueZ integration)
Status in pulseaudio package in Ubuntu:
Incomplete
Bug description:
What happened
- While stress-testing Bluetooth with a custom RFCOMM/L2CAP fuzzing harness on a separate Ubuntu test device, pulseaudio aborted in pa_bluetooth_transport_set_state() (module-bluez5 / libbluez5-util.so). The harness drives rapid, occasionally malformed transport/profile transitions—frequent connect/disconnect and state flapping.
Steps to reproduce (high-level)
1. Pair/connect a Bluetooth audio device (e.g., headset/speaker).
2. Generate rapid transport/profile state changes (connect/disconnect/suspend/resume, A2DP ↔ HFP/HSP switching) using a test harness.
3. After a short burst (minutes), pulseaudio exits with SIGABRT in pa_bluetooth_transport_set_state().
Repro notes (from fuzzing)
- Traffic rate: ~55 packets/second (mix of RFCOMM frames and L2CAP signaling).
- Pattern: quick successive control/state transitions
- Impact: user-session PulseAudio terminates
Environment
- Distro/arch: Ubuntu 22.04 (amd64)
- Package: pulseaudio 1:15.99.1+dfsg1-1ubuntu2.2
- Cmdline: /usr/bin/pulseaudio --daemonize=no --log-target=journal
- Device under test: separate machine used for Bluetooth fuzz testing
Attachments
- Apport crash: _usr_bin_pulseaudio.1000.crash (uploaded).
Note: I don’t have btmon/journal extracts or pactl snapshots handy for
this run; I can capture them on the test device if helpful.
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/pulseaudio/+bug/2121311/+subscriptions
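Added example, not part of the original message or of PulseAudio: a small triage script for the backtrace quoted above that skips the abort-delivery frames, picks the faulting frame, and checks that it was reached through a D-Bus dispatch. The abort-symbol list and the path heuristic in owner_hint() are assumptions; the sample input is constructed from the frames shown in the message.

```python
import re

# Constructed input: the frames quoted in the message; elided ("...") frames are absent.
BACKTRACE = """\
#4 0x00007355aebf77f3 in __GI_abort () at ./stdlib/abort.c:79
#5 0x00007355a886cfb5 in pa_bluetooth_transport_set_state () at /usr/lib/pulse-15.99.1+dfsg1/modules/libbluez5-util.so
#7 0x00007355aeed5869 in dbus_connection_dispatch () at /lib/x86_64-linux-gnu/libdbus-1.so.3
#12 0x0000610c5ab82f7d in main ()
"""

FRAME = re.compile(r"#(\d+)\s+0x[0-9a-f]+\s+in\s+(\S+)\s+\(.*?\)(?:\s+(?:at|from)\s+(\S+))?\s*$")

# Assumption: glibc symbols that only deliver the abort and are never its cause.
ABORT_SEQUENCE = {"__pthread_kill_implementation", "__pthread_kill_internal",
                  "__GI___pthread_kill", "__GI_raise", "raise", "__GI_abort", "abort"}

def parse_frames(text):
    """Return (number, function, location-or-None) for every frame line."""
    frames = []
    for line in text.splitlines():
        m = FRAME.match(line.strip())
        if m:
            frames.append((int(m.group(1)), m.group(2), m.group(3)))
    return frames

def faulting_frame(frames):
    """First frame, innermost first, that is not part of the abort sequence."""
    for frame in sorted(frames, key=lambda f: f[0]):
        if frame[1] not in ABORT_SEQUENCE:
            return frame
    return None

def dispatched_from_dbus(frames, fault):
    """True if a libdbus frame sits further out on the stack than the fault."""
    return any(n > fault[0] and fn.startswith("dbus_") for n, fn, _ in frames)

def owner_hint(location):
    """Heuristic (assumption): a library under /usr/lib/pulse-<version>/modules/
    belongs to pulseaudio. `dpkg -S <path>` on the affected system is authoritative."""
    if location and re.search(r"/pulse-[^/]+/modules/", location):
        return "pulseaudio"
    return "unknown"

if __name__ == "__main__":
    frames = parse_frames(BACKTRACE)
    fault = faulting_frame(frames)
    print(fault, dispatched_from_dbus(frames, fault), owner_hint(fault[2]))
```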