authorHemant Gupta <hemantg@codeaurora.org>2016-12-09 23:10:10 +0530
committerAndreas Schneider <asn@cryptomilk.org>2017-01-19 10:58:41 +0100
commiteed8b166ef55c21b187ee5438d938886d2e9a760 (patch)
tree17e7018adb03e0b325b5e823cb22a6b2954f6903
parentcc99880ca95edea3c9712a58ec3c843994bb6ea5 (diff)
HID: Prevent crash by Cancelling SDP during cleanupcm-14.1_prerebase
Usecase: 1) User tried to connect to HID Device. 2) SDP is internally performed by DUT. SDP is at stage, where L2CAP connection, configuration is done, and data fetch is ongoing. 3) BT was turned off from UI. Observation: BT crashed while accessing memory that was freed already because BT turn off, caused ACL disconnection, leading to L2CAP disconnect indication in stack, leading to sdp disconnect indication. backtrace: #00 pc 000f98d4 /system/lib/hw/bluetooth.default.so (SDP_FindServiceUUIDInDb+51) #01 pc 000b5dbd /system/lib/hw/bluetooth.default.so (hidh_search_callback+0x40) #02 pc 000f770b /system/lib/hw/bluetooth.default.so (sdp_disconnect_ind+0x5e) #03 pc 00107a5f /system/lib/hw/bluetooth.default.so (l2c_csm_execute+3446) #04 pc 001080e7 /system/lib/hw/bluetooth.default.so (l2c_link_hci_disc_comp+122) #05 pc 000fda81 /system/lib/hw/bluetooth.default.so (btu_hcif_process_event+588) #06 pc 000fec81 /system/lib/hw/bluetooth.default.so (btu_hci_msg_ready+96) #07 pc 00118191 /system/lib/hw/bluetooth.default.so #08 pc 0011917f /system/lib/hw/bluetooth.default.so #09 pc 00041993 /system/lib/libc.so (_ZL15__pthread_startPv+30) #10 pc 000192b5 /system/lib/libc.so (__start_thread+6) Register Dump pid: 15740, tid: 15761, name: bluedroid wake/ >>> com.android.bluetooth <<< signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0x20000 r0 815a5cac r1 a1a2f370 r2 00000000 r3 85d4e541 r4 00020000 r5 815a5cac r6 a1a2f370 r7 b6d3ae40 r8 00000000 r9 b6d3ae40 sl 00000002 fp 00000013 ip a228c050 sp a1a2f360 lr a20eddc1 pc a21318d4 cpsr 200e0030 Rootcause The above scenario could lead to crash we see as below, as bta_hh_cb.p_disc_db would be freed during HID Host cleanup, and would be accessed via callback received for parsing SDP results on SDP completion. Fix: While cleaning up HID Host, Cancel SDP search before freeing and resetting bta_hh_cb.p_disc_db. 
This internally sends an L2CAP disconnect request for the SDP channel; once L2CAP is disconnected, sdp_disconnect_cfm is called, which in turn invokes hidh_search_callback with result code SDP_CANCEL. BACKPORT OF: https://android-review.googlesource.com/#/c/312104/ Change-Id: I63563cb23dd69946f87a70cafa203c44edc9b753
-rw-r--r--bta/hh/bta_hh_utils.c7
1 files changed, 6 insertions, 1 deletions
diff --git a/bta/hh/bta_hh_utils.c b/bta/hh/bta_hh_utils.c
index 8bfed318b..3c5f2baf6 100644
--- a/bta/hh/bta_hh_utils.c
+++ b/bta/hh/bta_hh_utils.c
@@ -507,7 +507,12 @@ void bta_hh_cleanup_disable(tBTA_HH_STATUS status)
for (xx = 0; xx < BTA_HH_MAX_DEVICE; xx ++) {
osi_free_and_reset((void **)&bta_hh_cb.kdev[xx].dscp_info.descriptor.dsc_list);
}
- osi_free_and_reset((void **)&bta_hh_cb.p_disc_db);
+
+ if (bta_hh_cb.p_disc_db) {
+ /* Cancel SDP if it had been started. */
+ (void)SDP_CancelServiceSearch (bta_hh_cb.p_disc_db);
+ osi_free_and_reset((void **)&bta_hh_cb.p_disc_db);
+ }
(* bta_hh_cb.p_cback)(BTA_HH_DISABLE_EVT, (tBTA_HH *)&status);
/* all connections are down, no waiting for diconnect */