| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Change I63b857d031c55d3a0754e4101e330843eb422b2a caused a double
free. Move the free call to pan_data_buf_ind_cb().
Free the buffer before every return in pan_data_buf_ind_cb.
Bug: 74950468
Test: manual tethering test with DUT sharing its connection
Change-Id: If4526f3042699581e2cdde79a362eef0f83768eb
Merged-In: If4526f3042699581e2cdde79a362eef0f83768eb
(cherry picked from commit 98232b084c66368234d19fafe3076bc1c0f1b578)
CVE-2018-9356
|
|
|
|
|
|
|
|
|
|
| |
Check the number of UUIDs from remote device
Bug: 74016921
Test: manual
Change-Id: I1ca1f66bfc935f5fd219e8147511bdac7d2789ef
(cherry picked from commit 67ec216daa43f71adf103de6c4156c5a892c1460)
CVE-2018-9355
|
|
|
|
|
|
|
|
|
|
| |
Patch from b/67078939
Test: build
Bug: 67110692
Change-Id: I63b857d031c55d3a0754e4101e330843eb422b2a
(cherry picked from commit 2a18e724b2bf101ea38a5b089de56842107c8369)
CVE-2017-13257
|
|
|
|
|
|
|
|
|
| |
- fix formatting difference and use official 6.0.1 patches from r81
(e.g. commit 33427d54f31adaf5b9c697f5ce642fda1dc01946 and
commit 7f17ba1f8e475706727df7c50bc31ffb191d1f9d don't match googles patches
for 6.0.1)
Change-Id: I3187d1be2bcbc896a60100eda7c42d0e7bb5131f
|
|
|
|
|
|
|
|
|
| |
Bug: 63146237
Test: External script
Change-Id: I3e9c8a767a8a2a80ff56ccb48c56ca0d4b8c3402
Merged-In: I3e9c8a767a8a2a80ff56ccb48c56ca0d4b8c3402
(cherry picked from commit 1d909399cb4259243dac2e531e3ce6ca1afa77e7)
CVE-2017-0782
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Fixes the following crash:
Stack frame #00 pc 00030370 /system/lib/libc.so (dlfree+59)
Stack frame #01 pc 0007ecd7 /system/lib/hw/bluetooth.default.so (bta_dm_sdp_result+942): Routine bta_dm_sdp_result at system/bt/bta/./dm/bta_dm_act.c:1859
Stack frame #02 pc 000816fd /system/lib/hw/bluetooth.default.so (bta_dm_search_sm_execute+92): Routine bta_dm_search_sm_execute at system/bt/bta/./dm/bta_dm_main.c:365
Stack frame #03 pc 000a7729 /system/lib/hw/bluetooth.default.so (bta_sys_event+56): Routine bta_sys_event at system/bt/bta/./sys/bta_sys_main.c:524
Stack frame #04 pc 0010f9ff /system/lib/hw/bluetooth.default.so: Routine run_reactor at system/bt/osi/./src/reactor.c:296
Stack frame #05 pc 0011095f /system/lib/hw/bluetooth.default.so: Routine run_thread at system/bt/osi/./src/thread.c:232
Stack frame #06 pc 000417fb /system/lib/libc.so (_ZL15__pthread_startPv+30)
Stack frame #07 pc 00019325 /system/lib/libc.so (__start_thread+6)
FEIJ-1578
Change-Id: I5706e4e5379168b24682347086c161e138c7f5cb
|
|
|
|
|
|
|
| |
* Removes the blacklisted device approach in favor of dynamically adding
the capabilities when detected.
Change-Id: I787eed0edee858c78a83fa65b70e9aaa9f0c5193
|
|
|
|
|
|
| |
Avoids dropping of connection after 5 seconds.
Change-Id: I89c531b9343d6b1cc5bb687f3b27ed8908d51ac3
|
|
|
|
| |
Change-Id: I6d3a91d7d7ee906f4a6ad2ee0559f741cebcaf4a
|
|\
| |
| |
| |
| |
| | |
into cm-13.0
Change-Id: Ib0f8f87bd5655ce85227bfc016044b1daa09ebe7
|
| |\ |
|
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
Issue scenario:
- Pair the DUT and HS. (Link Keys get established.)
- Now Switch OFF BT on DUT. (DUT still has the Link key of HS)
- Reset the paired devices memory in HS and keep HS in
pairing mode. (HS loses DUT's link key)
- Now switch ON BT on DUT. (DUt starts reconnection with HS,
but as HS lost DUT's key, PIN or KEY missing event will
come to host)
- DUT reconnects to HS (Using newly established link keys)
- Now power OFF and ON the HS.
- HS will try reconnection with DUT.
- While there is an incoming connection from HS to DUT,
host is giving negative link key reply always for the
multiple link key requests from HS.
- HS sends disconnection with "Authentication failure"
Fix:
Setting the remove device pending status to FALSE from
security device DB, when the link key notification event
comes. Basically it will avoid deleting the device from
security device DB, Which is solving the reconnection
initated from remote when we remove the link key at
remote side.
Change-Id: Ic164d8d5b5c2e0b9cc5f04f993047fb0a8e5d9a9
|
| |\ \ |
|
| | |/
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
Due to alarm timer implementation, bta_sys_idle OR bta_sys_busy call
was the overhead(eg. 7ms) on every OPP packet(TX/RX), which was causing
high power. Below optimization have been done in JV to decrease
power during OPP TX/RX
- If particular JV acl link is in sniff, only then use bta_sys_busy to
trigger unsniff request.
- Start intermediate idle timer(1s) before starting actual idle sniff
timer(bta_sys_idle).
CRs-fixed: 971559
Change-Id: Ied1173776f9bf2dc89b8e84e68d6217932a01607
|
| |/
| |
| |
| |
| |
| |
| |
| |
| | |
- To avoid the crash, cancel SDP if it is started before
av_disable free memory for p_disc_db.
CRs-Fixed: 932048
Change-Id: If84d4990f17faa0fec9008da14034a8d8475a80a
|
|\ \
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
https://android.googlesource.com/platform/system/bt into cm-13.0
Android 6.0.1 release 22
Change-Id: I2e682780163afc7e9c88865192a6342027c80586
|
| |\ \
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
am: 79dc36d01a
* commit '79dc36d01aaab9a29cd70a0ff40463102505da4b':
Do not send AT+CHLD=? if the 3-way call feature is not supported
|
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
The HF shall not issue the AT+CHLD=? test command in case
either the HF or the AG does not support the Three-way calling feature.
Currently HF sends AT+CHLD=? to AG device when SLC sequence on going.
It affects to SCO statemachine so that after going out of range and
coming back in range while active call alives, SCO state goes bad and
never comes back. This is out of specification of HFP and it should be
fixed by checking peer and local 3way call capability check.
Bug: 25703926
Change-Id: I66adac2345c6fb0df6741fdbfa67d9483fc38a00
|
| |\| |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
am: bf8d17ddbb
* commit 'bf8d17ddbb64fdc6c252c63f6b9078987f871ba6':
Fix crash in HFP client's +COPS parsing code.
|
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
If the Audio Gateway sends a malformed +COPS message (an operator
name > 16 characters) then the %n in sscanf format specifier is
ignored and sscanf will not assign a value to the appropriate
argument.
In such a case, the existing code will perform pointer arithmetic
using an uninitialized stack variable as an offset which may result
in pointing to an invalid memory address. When that memory is
subsequently dereferenced, we observe a crash.
This change ensures that the stack does not crash even if an invalid
+COPS message is sent from the Audio Gateway.
Bug: 24871011
Change-Id: I9bb42c75bcd90487831fc6950c571c87098559e7
|
| |\ \ \ |
|
| | |/ /
| | | |
| | | |
| | | | |
This reverts commit 6ff83ab9dd38bdefc5d252325f0cfbd3f1754d78.
|
| |/ /
| | |
| | |
| | |
| | |
| | | |
A2DP RECONFIGURE."
This reverts commit 8b1c7af03a2a8eedd1efd2eddca3ecd4b61bfd95.
|
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
There appear to be race cases where the peer sends a START before
we reconfigure the stream. Avoid btif_av state from getting
mismatched by always sending out the SUSPEND_CFM during RECONFIGURE.
Change-Id: I2034cd111466f792233cedb60a3a0df11d055962
Signed-off-by: Sridhar Vashist <svashist@motorola.com>
|
| |\ \ |
|
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
bluedroid changes to support A2DP SRC offload to BT FW.
add functionality to relay a2dp offload requests and responses
between AudioHAL & the BT vendor library.
Change-Id: Ie4e5992c48e95b0efb372a405e8537e4fd3ea071
Signed-off-by: Sridhar Vashist <svashist@motorola.com>
Conflicts:
audio_a2dp_hw/audio_a2dp_hw.h
bta/Android.mk
bta/av/bta_av_aact.c
btif/include/btif_media.h
btif/src/btif_av.c
btif/src/btif_media_task.c
hci/Android.mk
hci/src/vendor.c
include/bt_target.h
stack/include/l2c_api.h
|
| |/ /
| | |
| | |
| | |
| | | |
Bug: 25634250
Change-Id: I97330c853f6cf90673b4ff28c72645f9d1c8ff9d
|
|\ \ \
| | |/
| |/|
| | |
| | |
| | | |
into cm-13.0
Change-Id: Ic7851f38b6ca4b82ab9a0b96e7e494849944e5c6
|
| |\|
| | |
| | |
| | | |
Change-Id: I501838b5f3f9d8bf60ab8df59a322a6f1e9199b9
|
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
Implement Split A2dp to process AVDTP Signalling commands
from host and media packet handling from Controller.
Host uses vendor specific commands to let controller know
the media channel configurations for controller to form
the media packets accordingly.
Change-Id: I7a98177a8125fd70b057bb514f0d870971a45bcf
|
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
This change is specifically for certain HOGP device which start
sending notifications immidiately on repairing, even before the
HH profile connection is made. The check here, prevents the
processing of notification/indication sent to the DUT before
channel control block is allocated for the specific remote device
so that the remote HID device is not stuck in connecting state
due to HOGP state machine unable to proceed from the profile
connection initiation state.
CRs-Fixed: 936100
Change-Id: I77a1a39ea7f1d1344cfcf0fefe1fc0e28c213b60
|
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
This change adds support for enable notification of scan refresh
value if remote device supports scan parameter services .this also
writes scan parameters to remote device whenever scan service client
receives notification of scan refresh.
CRs-Fixed: 736989
Change-Id: I3e41976cdb1f7fa952e53e33f90d52320d5808f4
|
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
When multiple profile connected on same link and if any one profile
deregister with powermanager,pm should stop timer for that profile
and restart other profile timers.But with out this fix,pm iniatites
sniff when it removes timer for one profile,even timeout did not
trigger for other profiles.
Change-Id: I8e215a9d868291976c70ff32b61145b4360a7f8f
|
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
this fixes crash during read client conf char descriptor value
of remote which has multiple instances of hid.
Change-Id: I88b6dbbb48037706e3b284450ffac88d7437fad1
CRs-Fixed: 726881
|
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
Due to alarm timer implementation, bta_sys_idle OR bta_sys_busy call
was the overhead(eg. 7ms) on every pan packet(TX/RX), which was causing
low throughput. Below optimization have been done in pan to increase the
throughput.
- If particular pan acl link is in sniff, only then use bta_sys_busy to
trigger unsniff request
- Start intermediate idle timer(1s) before starting actual idle sniff
timer(bta_sys_idle).
CRs-fixed: 926571
Change-Id: If06d52f0460d4ea27fd71f97cea82f2319cd0f86
|
|\ \ \
| | |/
| |/|
| | |
| | |
| | |
| | |
| | | |
https://android.googlesource.com/platform/system/bt into HEAD
Android 6.0.1 release 3
Change-Id: I2af2b180c6d1779b7a34d1370cb9c759dd2c3506
|
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
Whenever a device has more than 1 ACL link active and transferring
data on one of its links via PAN, HH or JV (RFCOMM) the sys busy/idle
state toggles frequently. To avoid triggering role switches for each
of these events we filter this out and let the other SYS events handle
it in combination with other role policy management code. Ideally we
should revert the toggling to properly reflect the busy/idle state of
each profile but to limit risk of side effects at this stage we will
make this intermittent change.
This also affects audio streaming in certain cases.
Bug: 24570959, 25129209
Change-Id: I141e17ee069c82624e153fd8de5db90ae93724b9
|
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
when using BLE_INCUDED = FALSE
and BTA_GATT_INCLUDED = FALSE
Change-Id: I3f34d43b6110c725c0d7ecbe394a4d4c90b55f12
|
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
This patch adresses a change in bluetooth which causes a possible
loss of connection within 5 seconds after connecting. This new
behavior appeared with android 4.2 (4.1.2 worked fine in this regard).
I traced down the disconnects to an BTA_AG_SVC_TOUT_EVT via a timer
that checks if a service connection was made within a few seconds.
Essentially bta_ag_svc_conn_open() was not called on AT+CMER because
android thought the car kit supported 3WAY but the car kit did not
set the 3WAY flag via AT commands and did not send AT+CHLD either.
Android otoh used the flag obtained by SDP and expected 3WAY behavior
and eventually disconnected when AT+CHLD did not arrive.
This may be a bordeline case, because in the Bluetooth Specification
(page 20), assuming service level initialization via SDP is only
mentioned on the HF side while there is no such mention (but could
probably be implied) on page 21 for the AG.
Fact is however, that the use of SDP features value for peer_features
is new since Android 4.2 and breaks existing good behavior on a BMW
2005/E46 car kit (navi professional). This kit never asks for AT+CHLD
and never via AT commands suggests it supports 3WAY (although it seems
to have the flag set via SDP).
Also, having essential behavior (like making the connection or not)
depend on circumstances that may be prone to race conditions, may be
a good reason to not use the SDP flag also (or at least masking out
the 3WAY bit when using it).
(An alternative approach could be to hook into bta_ag_timer_cback() and
when the timer exipres, but when also AT+CMER has been seen meanwhile,
to continue and assume a service level connection without 3WAY,
i.e. clearing the 3-way flags but calling bta_ag_svc_conn_open() anyway.)
Change-Id: I95dcdc5f46e7af723a655afd3d707764603c96c3
Signed-off-by: Markus Schmidt <shimodax@gmail.com>
(cherry picked from commit 662eaddd47bca1de03018fbcbe57ca2bfabaa5ac)
|
| | |
| | |
| | |
| | | |
Change-Id: I59b7eed8be5b76be3e5a2d099e82eb8b691c688c
|
| | |
| | |
| | |
| | |
| | |
| | | |
* M7 needs us to configure I2SPCM for SCO and set the voice mode.
Change-Id: I98a9528af62f9c4fef075927f00a8aafdbeb4ee3
|
| | |
| | |
| | |
| | | |
Change-Id: I652684441160e2f5e806a7053ab9b574b2998356
|
|\ \ \
| | | |
| | | |
| | | |
| | | |
| | | | |
git://codeaurora.org/platform/system/bt into cm-13.0
Change-Id: Id03529dec9d120d857b952bbc287df8ef10ef7cc
|
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
This change is specifically for certain HOGP device which start
sending notifications immidiately on repairing, even before the
HH profile connection is made. The check here, prevents the
processing of notification/indication sent to the DUT before
channel control block is allocated for the specific remote device
so that the remote HID device is not stuck in connecting state
due to HOGP state machine unable to proceed from the profile
connection initiation state.
CRs-Fixed: 936100
Change-Id: I77a1a39ea7f1d1344cfcf0fefe1fc0e28c213b60
|
| |\ \ \ |
|
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | | |
This change adds support for enable notification of scan refresh
value if remote device supports scan parameter services .this also
writes scan parameters to remote device whenever scan service client
receives notification of scan refresh.
CRs-Fixed: 736989
Change-Id: I3e41976cdb1f7fa952e53e33f90d52320d5808f4
|
| |\ \ \ \
| | |/ / /
| |/| | | |
|
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | | |
Correcting sniff behaviour in multiconnection scenerio
Change-Id: I8e215a9d868291976c70ff32b61145b4360a7f8f
|
| |\ \ \ \ |
|
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | | |
this fixes crash during read client conf char descriptor value
of remote which has multiple instances of hid.
Change-Id: I88b6dbbb48037706e3b284450ffac88d7437fad1
CRs-Fixed: 726881
|