Bug 231645

Summary:	>=dev-libs/openobex-1.3, app-mobilephone/obexftp-0.22: Does not open USB devices properly, causes a segfault (inside dev-libs/libusb-0.1.12-r4)
Product:	Gentoo Linux	Reporter:	gfl3162+gbugzilla
Component:	[OLD] Library	Assignee:	No maintainer - Look at https://wiki.gentoo.org/wiki/Project:Proxy_Maintainers if you want to take care of it <maintainer-needed>
Status:	RESOLVED TEST-REQUEST
Severity:	normal	CC:	dsd, robbat2
Priority:	High
Version:	unspecified
Hardware:	x86
OS:	Linux
Whiteboard:
Package list:		Runtime testing required:	---
Bug Depends on:
Bug Blocks:	547828

Description gfl3162+gbugzilla 2008-07-13 00:11:55 UTC

When I run "obexftp -u 0 -l", it segfaults.

Output:

# obexftp -u 0 -l
obexftp_open()
obexftp_connect_src()
Connecting...obexftp_connect_src() 
obexftp_connect_src() USB 1
cli_sync_request()
Tx: 80 00 1A 10 00 FF FF 46 00 13 F9 EC 7B C4 95 3C 11 D2 98 4E 52 54 00 DC 9E 09 
obexftp_sync()
obexftp_sync() OBEX_HandleInput = 0
failed: send UUID
error on connect(): Resource temporarily unavailable
Still trying to connect
obexftp_connect_src()
Connecting...obexftp_connect_src() 
obexftp_connect_src() USB 1
cli_sync_request()
Tx: 80 00 1A 10 00 FF FF 46 00 13 F9 EC 7B C4 95 3C 11 D2 98 4E 52 54 00 DC 9E 09 
Segmentation fault

Reproducible: Always

Steps to Reproduce:
1. Emerge libusb with debug flag
2. Emerge openobex with the syslog, bluetooth, debug, and usb use flags
3. Emerge obexftp with debug flag
4. Plug in obex device via usb connection
5. Run "obexftp -u 0 -l"

Actual Results:  
The program segfaults.

Expected Results:  
I am guessing that the files on the device are supposed to be listed.

emerge --info:

Portage 2.2_rc1 (default/linux/x86/2008.0/desktop, gcc-4.3.1,
glibc-2.8_p20080602-r0, 2.6.25-gentoo-r6-fast i686)
=================================================================
System uname:
Linux-2.6.25-gentoo-r6-fast-i686-Intel-R-_Pentium-R-_D_CPU_2.66GHz-with-glibc2.0
Timestamp of tree: Fri, 04 Jul 2008 19:33:01 +0000
ccache version 2.4 [enabled]
app-shells/bash:     3.2_p39
dev-java/java-config: 1.3.7, 2.1.6-r1
dev-lang/python:     2.5.2-r5
dev-util/ccache:     2.4-r7
sys-apps/baselayout: 2.0.0
sys-apps/openrc:     0.2.5
sys-apps/sandbox:    1.2.18.1-r3
sys-devel/autoconf:  2.13, 2.62-r1
sys-devel/automake:  1.5, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2, 1.10.1-r1
sys-devel/binutils:  2.18-r2
sys-devel/gcc-config: 1.4.0-r4
sys-devel/libtool:   2.2.4
virtual/os-headers:  2.6.25-r4
ACCEPT_KEYWORDS="x86 ~x86"
CBUILD="i686-pc-linux-gnu"
CFLAGS="-Os -march=nocona -pipe"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/env.d/java/
/etc/fonts/fonts.conf /etc/gconf /etc/gentoo-release /etc/revdep-rebuild
/etc/terminfo /etc/udev/rules.d"
CXXFLAGS="-Os -march=nocona -pipe"
DISTDIR="/var/portage/distfiles"
FEATURES="ccache distlocks parallel-fetch preserve-libs sandbox sfperms strict
unmerge-orphans userfetch"
GENTOO_MIRRORS="http://gentoo.mirrors.easynews.com/linux/gentoo/
http://gentoo.llarian.net/"
LANG="en_US.UTF-8"
LDFLAGS=""
LINGUAS="en en_US zh zh_CN zh_HK"
MAKEOPTS="-j4"
PKGDIR="/var/portage/packages"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress
--force --whole-file --delete --stats --timeout=10 --exclude=/distfiles
--exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/local/portage/layman/desktop-effects
/usr/local/portage/layman/gentopia /var/portage/local/own
/var/portage/local/ubuntu"
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="X a52 aac acl acpi alsa bash-completion berkdb bluetooth branding bzip2
cairo caps cdda cdr cli cracklib crypt cups dbus dri dvd dvdr dvdread eds
emboss encode esd evo exif fam fbcon ffmpeg firefox flac gdbm gif gnome
gnome-keyring gnutls gphoto2 gpm gstreamer gtk guile hal iconv ipv6 isdnlog
jpeg kerberos ldap libnotify lzo mad midi mikmod mmx mono mp2 mp3 mpeg ncurses
nls nntp nptl nptlonly ogg opengl openmp pam pcre pdf perl png ppds pppd python
qt3support qt4 quicktime readline reflection sdl session spell spl sse sse2 ssl
startup-notification subversion svg tcpd theora threads tiff truetype unicode
usb vorbis win32codecs x264 x86 xcb xml xorg xulrunner xv xvid zlib"
ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1
emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m
maestro3 trident usb-audio via82xx via82xx-modem ymfpci"
ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file
hooks iec958 ioplug ladspa lfloat linear meter mulaw multi null plug rate route
share shm softvol" APACHE2_MODULES="actions alias auth_basic authn_alias
authn_anon authn_dbm authn_default authn_file authz_dbm authz_default
authz_groupfile authz_host authz_owner authz_user autoindex cache dav dav_fs
dav_lock deflate dir disk_cache env expires ext_filter file_cache filter
headers include info log_config logio mem_cache mime mime_magic negotiation
rewrite setenvif speling status unique_id userdir usertrack vhost_alias"
ELIBC="glibc" INPUT_DEVICES="keyboard mouse" KERNEL="linux" LCD_DEVICES="bayrad
cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LINGUAS="en
en_US zh zh_CN zh_HK" USERLAND="GNU" VIDEO_CARDS="i810 intel fbdev vesa vga"

----------

Backtrace from gdb:
#0  0xb7fd6c6e in usb_urb_transfer (dev=0x0, ep=5, urbtype=3, bytes=0x82c21a0 "\200", size=26, timeout=10000) at linux.c:210
#1  0xb7fdfacb in obex_transport_write (self=0x82b2068, msg=0x82c2180) at obex_transport.c:414
#2  0xb7fddcf8 in obex_data_request (self=0x82b2068, msg=0x82c2180, opcode=128) at obex_main.c:221
#3  0xb7fdf366 in obex_object_send (self=0x82b2068, object=0x82d3e88, allowfinalcmd=1, forcefinalbit=0) at obex_object.c:552
#4  0xb7fe08b8 in obex_client (self=0x82b2068, msg=0x0, final=0) at obex_client.c:116
#5  0xb7fdd19d in OBEX_Request (self=0x82b2068, object=0x82d3e88) at obex.c:538
#6  0xb7ff3765 in cli_sync_request (cli=0x82b2008, object=0x82d3e88) at client.c:448
#7  0xb7ff4983 in obexftp_connect_src (cli=0x82b2008, src=0x0, device=0x0, port=137208768, uuid=0x804d290 "��{�\225<\021�\230NRT", uuid_len=16) at client.c:725
#8  0x08048fad in cli_connect_uuid (uuid=0x804d290 "��{�\225<\021�\230NRT", uuid_len=16) at obexftp.c:268
#9  0x0804979d in cli_connect () at obexftp.c:314
#10 0x08049da1 in main (argc=4, argv=0xbfc2cd04) at obexftp.c:624

Comment 1 Robin Johnson archtester

2008-07-13 23:53:09 UTC

Does libusb-0.1.12-r3 (or any version for that matter) work?

I don't have any OBEX hardware, so it's hard for me to test this.

Comment 2 gfl3162+gbugzilla 2008-07-14 00:42:42 UTC

No, the same problem occurs on other versions of libusb.

Comment 3 Robin Johnson archtester

2008-07-14 01:39:53 UTC

Since the linux.c:210 line is an ioctl call, there's not much we can do in libusb. The problem lies either with your kernel, your hardware or openobex.

Comment 4 Daniel Drake (RETIRED) gentoo-dev

2008-07-14 02:53:11 UTC

If it crashed in an ioctl then dmesg should have lots of freshly squeezed juicy info

Comment 5 gfl3162+gbugzilla 2008-08-01 03:15:29 UTC

I recompiled the kernel with USB debug support, but dmesg does not show any extra information that explains the segfault.

Is there any clues on howto debug this segfault?

Comment 6 gfl3162+gbugzilla 2008-09-07 22:00:42 UTC

I found out the following:
running 'strace obexftp -u 0 -l' show that obexftp runs these two ioctls before segfaulting:

ioctl(138421400, USBDEVFS_SETINTERFACE, 0xbfd5ccd4) = -1 EBADF (Bad file descriptor)
ioctl(138421400, USBDEVFS_RELEASEINTERFACE, 0xbfd5ccf4) = -1 EBADF (Bad file descriptor)

Why would obexftp be using 138421400 as a file descriptor number?

Comment 7 gfl3162+gbugzilla 2009-02-26 04:39:04 UTC

I found why it segfaults:

ret = ioctl(dev->fd, IOCTL_USB_SUBMITURB, &urb);

but dev = 0x28. In gdb:

(gdb) print dev->fd
Cannot access memory at address 0x28

Backtrace:

#0  0xb7e29be2 in usb_urb_transfer (dev=0x28, ep=5, urbtype=3, bytes=0x815e1a0 "\200", size=26, timeout=10000) at linux.c:210
#1  0xb7f78b93 in obex_transport_write (self=0x3e8, msg=0x815e180) at obex_transport.c:436
#2  0xb7f779ba in obex_data_request (self=0x814e068, msg=0x815e180, opcode=128) at obex_main.c:217
#3  0xb7f78653 in obex_object_send (self=0x814e068, object=0x816fe38, allowfinalcmd=1, forcefinalbit=0) at obex_object.c:547
#4  0xb7f7935a in obex_client (self=0x814e068, msg=0x0, final=0) at obex_client.c:113
#5  0xb7f770b9 in OBEX_Request (self=0x28, object=0x3e8) at obex.c:573
#6  0xb7f875a1 in cli_sync_request (cli=0x814e008, object=0x28) at client.c:448
#7  0xb7f87fdc in obexftp_connect_src (cli=0x814e008, src=0x0, device=0x0, port=0, uuid=0x804d238 "{\225<\021\230NRT", uuid_len=16) at client.c:725
#8  0x08049001 in cli_connect_uuid (uuid=0x804d238 "{\225<\021\230NRT", uuid_len=16) at obexftp.c:268
#9  0x08049613 in cli_connect () at obexftp.c:314
#10 0x08049d23 in main (argc=4, argv=0xbffceea4) at obexftp.c:624

BTW I'm on openobex 1.5, libusb 0.1.12-r4, obexftp 0.22 (so only openobex was updated).

Comment 8 Robin Johnson archtester

2009-05-16 08:19:04 UTC

the dev variable in that case is self->trans.self.usb.dev_data inside openobex.
This is the line that crashes in openobex:
436         actual = usb_bulk_write(self->trans.self.usb.dev_data,
437                     self->trans.self.usb.data_endpoint_write,
438                     (char *) msg->data, msg->data_size,
439                     USB_OBEX_TIMEOUT);

So it seems that openobex is screwing up opening the device or one it's internal variables is being overwritten. Somebody in the mobile herd with the hardware needs to dig and see that openobex sets up it's USB connections correctly.

It's not libusb at fault at all.

Comment 9 Robin Johnson archtester

2009-05-16 09:55:08 UTC

Updating the summary for easier browsing as I expect a lot of libusb bugs soon while we migrate to libusb-1.

Comment 10 Robin Johnson archtester

2009-11-11 21:05:43 UTC

mobile: reping. please see comment 8 and fix this? The package has broken functionality.

Comment 11 Pacho Ramos gentoo-dev

2012-11-18 13:16:25 UTC

(In reply to comment #10)
> mobile: reping. please see comment 8 and fix this? The package has broken
> functionality.

Feel free to commit the fix if you have it

Comment 12 Tom Wijsman (TomWij) (RETIRED) gentoo-dev

2014-04-09 07:28:05 UTC

[QA]

The mobile-phone herd has been dissolved to maintainer-needed due to absence.

This package has no maintainer so this bug may go unnoticed for a long time.
Gentoo has a dedicated team[1] for assisting users in maintaining orphaned
packages. If you are interested in maintaining this package, please contact
proxy-maint@gentoo.org. 

[1]: https://wiki.gentoo.org/index.php?title=Project:Proxy_Maintainers

Comment 13 Pacho Ramos gentoo-dev

2016-02-08 11:57:38 UTC

is this still hapenning with obexftp-0.24?