debcrafters-packages team mailing list archive

[Bug 2121311] [NEW] pulseaudio aborts in pa_bluetooth_transport_set_state() (Bluetooth/BlueZ integration)

 

Public bug reported:

What happened
 - While stress-testing Bluetooth with a custom RFCOMM/L2CAP fuzzing harness on a separate Ubuntu test device, pulseaudio aborted in pa_bluetooth_transport_set_state() (module-bluez5 / libbluez5-util.so). The harness drives rapid, occasionally malformed transport/profile transitions—frequent connect/disconnect and state flapping.

Steps to reproduce (high-level)
 1. Pair/connect a Bluetooth audio device (e.g., headset/speaker).
 2. Generate rapid transport/profile state changes (connect/disconnect/suspend/resume, A2DP ↔ HFP/HSP switching) using a test harness.
 3. After a short burst (minutes), pulseaudio exits with SIGABRT in pa_bluetooth_transport_set_state().

Repro notes (from fuzzing)
 - Traffic rate: ~55 packets/second (mix of RFCOMM frames and L2CAP signaling).
 - Pattern: quick successive control/state transitions
 - Impact: user-session PulseAudio terminates

Environment
 - Distro/arch: Ubuntu 22.04 (amd64)
 - Package: pulseaudio 1:15.99.1+dfsg1-1ubuntu2.2
 - Cmdline: /usr/bin/pulseaudio --daemonize=no --log-target=journal
 - Device under test: separate machine used for Bluetooth fuzz testing

Attachments
 - Apport crash: _usr_bin_pulseaudio.1000.crash (uploaded).

Note: I don’t have btmon/journal extracts or pactl snapshots handy for
this run; I can capture them on the test device if helpful.

** Affects: pulseaudio (Ubuntu)
     Importance: Undecided
         Status: New

** Attachment added: "_usr_bin_pulseaudio.1000.crash"
   https://bugs.launchpad.net/bugs/2121311/+attachment/5901959/+files/_usr_bin_pulseaudio.1000.crash

-- 
You received this bug notification because you are a member of
Debcrafters packages, which is subscribed to pulseaudio in Ubuntu.
https://bugs.launchpad.net/bugs/2121311
