Gitiles
Code Review Sign In
review.blissroms.org / platform_packages_modules_Bluetooth / 10008bcd7dba7592d7b5828ef1f06d3fcf36ada4
commit10008bcd7dba7592d7b5828ef1f06d3fcf36ada4[log] [tgz]
authorHemant Gupta <hemantg@codeaurora.org>Fri Dec 09 23:10:10 2016 +0530
committerMyles Watson <mylesgw@google.com>Wed Jan 18 18:49:00 2017 +0000
treed2202a694cb911ed49533a506eab177ec8ff1e00
parent986840578998c235e91dc16ebef626fe1f7cd4a5 [diff]
HID: Prevent crash by Cancelling SDP during cleanup

Usecase:
1) User tried to connect to HID Device.
2) SDP is internally performed by DUT. SDP is at stage,
   where L2CAP connection, configuration is done, and data
   fetch is ongoing.
3) BT was turned off from UI.
Observation:
BT crashed while accessing memory that was freed already because BT turn off,
caused ACL disconnection, leading to L2CAP disconnect indication in stack,
leading to sdp disconnect indication.
backtrace:
    #00 pc 000f98d4  /system/lib/hw/bluetooth.default.so (SDP_FindServiceUUIDInDb+51)
    #01 pc 000b5dbd  /system/lib/hw/bluetooth.default.so (hidh_search_callback+0x40)
    #02 pc 000f770b  /system/lib/hw/bluetooth.default.so (sdp_disconnect_ind+0x5e)
    #03 pc 00107a5f  /system/lib/hw/bluetooth.default.so (l2c_csm_execute+3446)
    #04 pc 001080e7  /system/lib/hw/bluetooth.default.so (l2c_link_hci_disc_comp+122)
    #05 pc 000fda81  /system/lib/hw/bluetooth.default.so (btu_hcif_process_event+588)
    #06 pc 000fec81  /system/lib/hw/bluetooth.default.so (btu_hci_msg_ready+96)
    #07 pc 00118191  /system/lib/hw/bluetooth.default.so
    #08 pc 0011917f  /system/lib/hw/bluetooth.default.so
    #09 pc 00041993  /system/lib/libc.so (_ZL15__pthread_startPv+30)
    #10 pc 000192b5  /system/lib/libc.so (__start_thread+6)
Register Dump
pid: 15740, tid: 15761, name: bluedroid wake/  >>> com.android.bluetooth <<<
signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0x20000
    r0 815a5cac  r1 a1a2f370  r2 00000000  r3 85d4e541
    r4 00020000  r5 815a5cac  r6 a1a2f370  r7 b6d3ae40
    r8 00000000  r9 b6d3ae40  sl 00000002  fp 00000013
    ip a228c050  sp a1a2f360  lr a20eddc1  pc a21318d4  cpsr 200e0030
Rootcause
The above scenario could lead to crash we see as below, as bta_hh_cb.p_disc_db would be freed
during HID Host cleanup, and would be accessed via callback received for parsing SDP results on
SDP completion.
Fix:
While cleaning up HID Host, Cancel SDP search before freeing and resetting bta_hh_cb.p_disc_db.
This will internally send L2CAP disconnect request for SDP, and would lead to sdp_disconnect_cfm
call when L2CAP is disconnected, and would lead to call of hidh_search_callback with result code
as SDP_CANCEL.

Change-Id: I63563cb23dd69946f87a70cafa203c44edc9b753
1 file changed
tree: d2202a694cb911ed49533a506eab177ec8ff1e00
  1. system/
  2. .clang-format
  3. .gitignore
  4. .gn
  5. Android.mk
  6. BUILD.gn
  7. CleanSpec.mk
  8. EventLogTags.logtags
  9. MODULE_LICENSE_APACHE2
  10. NOTICE
  11. OWNERS
  12. PREUPLOAD.cfg
  13. README.md
README.md

Fluoride Bluetooth stack

Building and running on AOSP

Just build AOSP - Fluoride is there by default.

Building and running on Linux

Instructions for Ubuntu, tested on 14.04 with Clang 3.5.0 and 16.10 with Clang 3.8.0

Download source

mkdir ~/fluoride
cd ~/fluoride
git clone https://android.googlesource.com/platform/packages/modules/Bluetooth/system

Install dependencies (require sudo access):

cd ~/fluoride/bt
build/install_deps.sh

Then fetch third party dependencies:

cd ~/fluoride/bt
mkdir third_party
cd third_party
git clone https://github.com/google/googletest.git
git clone https://android.googlesource.com/platform/external/libchrome
git clone https://android.googlesource.com/platform/external/modp_b64
git clone https://android.googlesource.com/platform/external/tinyxml2
git clone https://android.googlesource.com/platform/hardware/libhardware

And third party dependencies of third party dependencies:

cd fluoride/bt/third_party/libchrome/base/third_party
mkdir valgrind
cd valgrind
curl https://chromium.googlesource.com/chromium/src/base/+/master/third_party/valgrind/valgrind.h?format=TEXT | base64 -d > valgrind.h
curl https://chromium.googlesource.com/chromium/src/base/+/master/third_party/valgrind/memcheck.h?format=TEXT | base64 -d > memcheck.h

NOTE: If packages/modules/Bluetooth/system is checked out under AOSP, then create symbolic links instead of downloading sources

cd packages/modules/Bluetooth/system
mkdir third_party
cd third_party
ln -s ../../../external/libchrome libchrome
ln -s ../../../external/modp_b64 modp_b64
ln -s ../../../external/tinyxml2 tinyxml2
ln -s ../../../hardware/libhardware libhardware
ln -s ../../../external/googletest googletest

Generate your build files

cd ~/fluoride/bt
gn gen out/Default

Build

cd ~/fluoride/bt
ninja -C out/Default all

This will build all targets (the shared library, executables, tests, etc) and put them in out/Default. To build an individual target, replace "all" with the target of your choice, e.g. ninja -C out/Default net_test_osi.

Run

cd ~/fluoride/bt/out/Default
LD_LIBRARY_PATH=./ ./bluetoothtbd -create-ipc-socket=fluoride

Eclipse IDE Support

  1. Follows the Chromium project Eclipse Setup Instructions until "Optional: Building inside Eclipse" section (don't do that section, we will set it up differently)

  2. Generate Eclipse settings:

cd packages/modules/Bluetooth/system
gn gen --ide=eclipse out/Default

  1. In Eclipse, do File->Import->C/C++->C/C++ Project Settings, choose the XML location under packages/modules/Bluetooth/system/out/Default

  2. Right click on the project. Go to Preferences->C/C++ Build->Builder Settings. Uncheck "Use default build command", but instead using "ninja -C out/Default"

  3. Goto Behaviour tab, change clean command to "-t clean"