git.osdn.net Git - android-x86/system-bt.git/log

Add packet length checks in l2cble_process_sig_cmd

Bug: 80261585
Test: compilation
Change-Id: Icf55747dc948bcce140a12658237554938e2d717
Merged-In: Icf55747dc948bcce140a12658237554938e2d717
(cherry picked from commit 329b7cfb446ed34a2b67e31267ff61ce12f1d70c)

DO NOT MERGE Fix OOB read in process_l2cap_cmd

Test: manual
Bug: 79488381
Change-Id: I723866ed40d3647fed99875f659bb95df96a6969
(cherry picked from commit 55afdafb272737a54bc629dbe4fdd4111ebb08f5)

SDP: return error on offset bigger than atribute length

Test: none
Bug: 79217770
Change-Id: I8b594882dd07644b1a747c53d6166db466b7e998
Merged-In: I8b594882dd07644b1a747c53d6166db466b7e998
(cherry picked from commit 3565eaf72d810688bf91f75002da1f25039996df)

DO NOT MERGE HFP: Fix out of bound access in phone number processing

* Write at most sizeof(dialnum) chars into dialnum array in ClccResponse
method
* Write at most sizeof(ag_res.str) - 5 chars into ag_res.str array in
PhoneStateChange method

Bug: 79431031
Bug: 79266386
Test: make call with super long phone numbers
Change-Id: I98e7687ac4055800aa46626c6b1c866e52e474df
Merged-In: I98e7687ac4055800aa46626c6b1c866e52e474df
(cherry picked from commit 82371c1204cc0b48941ec1d41c516c4b40093879)

DO NOT MERGE HID Host: Check L2CAP packet data length

Bug: 80493272
Test: manual
Change-Id: I8b1acd11616684729752195fabb4fa34c46a508d
(cherry picked from commit 4344cfb76ad4c1c660d00a7b306acccde9bdef77)

Revert "DO NOT MERGE: SDP: Recalculate param_len after max_list_len"

This reverts commit 0f2114c7943106a566abd1064a5719ad0335bf0b.

DO NOT MERGE: Don't reuse buffer when building response

Bug: 79541338
Test: Compile and connect to remote headset
Change-Id: I5e059615db589e165630f39d631a922006c2d70f
(cherry picked from commit ecef51ee8fc216ef654fd73bdc5e2802b2cf9a7e)

Add checks whether the AVDTP element data length is valid

Bug: 78288378
Test: Manual: Python script and extra logging
Change-Id: I576d798d8b566946a3f2d973cb9d4e8dbd22d09e
Merged-In: I715b5977c833d33ff798f008fbf244effa13ea1f
(cherry picked from commit e192c988cbe6c0593f23e6d8e2701b459e8d895c)

DO NOT MERGE BNEP: Fix build breakage by using osi_free instead of GKI_freebuf

Bug: 79164722
Bug: 78286118
Test: make
Change-Id: I04fc994d9bca80aa4711118d3c5be02f2b809a48
(cherry picked from commit 6245466d55c4abb8047b4c167fced0804a9f217e)

BNEP: Fix OOB access in bnep_data_ind

* Stop reading the L2CAP packet if packet length is 0
* Process the buffer for BNEP_EXTENSION_CONTROL packet before advancing
  the buffer pointer by length of payload
* Reject BNEP_EXTENSION_CONTROL packet when the payload size is zero
* Move error logging to more appropriate locations at where the OOB access
  is most likely triggered

Bug: 78286118
Bug: 79164722
Test: Send zero length L2CAP packet to BNEP, send invalid
      BNEP_EXTENSION_CONTROL packet
Change-Id: I7e18632b8faab1b6aaca1bff1b7f55d69962729e
Merged-In: I7e18632b8faab1b6aaca1bff1b7f55d69962729e
(cherry picked from commit 3c799a6e25abdf6bacb660ff7a06338836cc7356)
(cherry picked from commit 0bd01271c4d888453ba375d9442ac27cd66961c9)

Decrease length after reading from array in process_service_attr_req

Test: compilation
Bug: 78136677
Change-Id: I4807a350e2b4764a93f104ce88f23a957a7e85c0
Merged-In: I4807a350e2b4764a93f104ce88f23a957a7e85c0
(cherry picked from commit 76e962892ea1419f69e3c7e26a09fa77948c46e6)

DO NOT MERGE: SDP: Recalculate param_len after max_list_len

Bug: 78136869
Test: manual connection to an A2DP device
Change-Id: I71392cf1a70567fec957feb36768069ac5258aa1
(cherry picked from commit ef7dddabbd70222fa0fafc97e8562d977f550d26)
(cherry picked from commit ca8a83ba76685d164baf0825a82f8d95c677bd3c)

DO NOT MERGE SMP: Check p_cb->role in smp_br_state_machine_event

Bug: 80145946
Test: manual
Change-Id: Ic83eaa4be868d5a345d80cd50a6915c0af719a53
(cherry picked from commit 078756d8071e0c122b2c75d416ebc22f77ed54e4)

GATT: Handle too short Error Response PDU

Since the spec is not clear what to do in this case, use one of
reserved error codes as a failure reason, and pass it to upper layers.

Bug: 79591688
Change-Id: Ie6a53e9c8e4ceb8f1e5a75aee44baa5f4a798c4f
Merged-In: Ie6a53e9c8e4ceb8f1e5a75aee44baa5f4a798c4f
(cherry picked from commit 03881d1055cf98b15ced06300e03a947b5300878)

Add PDU size checks in process_service_search_attr_rsp

Bug: 79884292
Change-Id: Icc02a6188f806f766aa8676804d74995afa08d25
Merged-In: Icc02a6188f806f766aa8676804d74995afa08d25
(cherry picked from commit 3181bdee7d207c9894dd1dfca02fad71cb2430e8)

RESTRICT AUTOMERGE: Fixes two bluetooth causing remote overreads (2/2)

Bug: 74075873
Test: manual
Change-Id: I76058b11c90dc40b78f26fb64b74d609f3473f5d
(cherry picked from commit 23918433c1f4970ae04c09a9fe096bf87cd83d76)

RESTRICT AUTOMERGE: Fixes two bluetooth bugs causing remote overreads (1/2)

Bug: 74075873
Test: manual test (poc in bug)
Change-Id: I18e652f7e10ba42db6f2553083d2a2eec10e2998
(cherry picked from commit 4375ef17844b4d338754d517400ddd029d0882d3)

DO NOT MERGE: Check number of attributes before writing to a buffer

Bug: 73824150
Test: Compile
Change-Id: Ie38ba177d6599afe28b5c6684bd951a75fa8a805
(cherry picked from commit d28e985241e4efdf6f3ce7d665fe50f48be13dae)

DO NOT MERGE AVRC: Add bound check for AVRC_EVT_APP_SETTING_CHANGE

Test: manual
Bug: 73782082
Change-Id: I4e384a2f8c0d8c4af03bd5865b2e907321419c86
(cherry picked from commit 9ca83201006bf938b9f2fad7fce121c26dc77028)

DO NOT MERGE Prevent stack overflow in btif_storage

Bug: 73963551
Test: manual
Change-Id: I5f7a583aad150ebf9e3d492181d80ca935c8aa3f
(cherry picked from commit 1d200be95816e6e82f3876ec03091a1b07a827a7)

DO NOT MERGE: Add bounds check to l2cble_process_sig_cmd L2CAP_CMD_DISC_REQ

Bug: 74121659
Test: Compiles
Change-Id: Ib29dd50cee9decda2d73bb79b84215ea4c6ead75
(cherry picked from commit a75ccdc7ee6c6f60baaf78717926faa9504f9f3f)

DO NOT MERGE Fix unexpected behavior in smp_sm_event

Bug: 74121126
Test: manual
Change-Id: Ie5dd841d6461ad057c4ab572007f38c5446aba53
(cherry picked from commit 61c9430c58544b4bd4846ed0d5e6de0ae5150414)

DO NOT MERGE SMP: Validate remote elliptic curve points

Fixes: 72377774
Test: net_test_stack_smp (where applicable)
Change-Id: Iefcf97364493467075fadefd77d12716f71cd4f6
(cherry picked from commit 9181ec28da94705a763edbe60bd2a87e5f882beb)
(cherry picked from commit 4f9ed8f66eb57142f4bedd667230b55bbf8da366)

DO NOT MERGE Fix OOB read in process_l2cap_cmd

Bug: 74202041
Bug: 74196706
Bug: 74201143
Test: manual
Change-Id: Ic25f7f3777d0375f76cc91e4d129b1636f1c388d
(cherry picked from commit 1bbea25a24004a371f4aed1c69b976fd23407d73)

DO NOT MERGE Add bounds check for BNEP_Write

Bug: 74947856
Test: manual
Change-Id: I19d9dee53b9cac800c66becef4861e4ad9602bdf
(cherry picked from commit 769aeaaf444e08bad9d4e902242a3b8a1765202d)

DO NOT MERGE Handle bad packet length in gatts_process_read_req

Added error check and handling code in gatts_process_read_req to
make sure that the packet length is correct.
Please note that there is another earlier CL that is reverted and this
is the updated one.

Bug: 73172115
Test: Run the test program, poc, that was attached in the bug report
Merged-In: Ia9b4e502fa8f8384bf9767e68f73b48a0915141b
Change-Id: Ia9b4e502fa8f8384bf9767e68f73b48a0915141b
(cherry picked from commit cc9c7330d1c3507d745170ae7b2e0546197b7acb)
(cherry picked from commit 810e669d7ae55dd50ec1ea159cd87c3f1cdf5695)

DO NOT MERGE Drop LE CoC fragments when frame size is too big

Drop the LE CoC data fragments when the received fragment size is too
big.

Test: Runs LE CoC SL4A test, BleCocTest.
Bug: 75298652
Merged-In: I529944341e9e67a39e7ec7e740d5ada3db8cc23a
Change-Id: I529944341e9e67a39e7ec7e740d5ada3db8cc23a
(cherry picked from commit 235eab9efd27469ac0dd82f63d198421f0e0f400)

DO NOT MERGE: PAN: Always allocate in bta_pan_data_buf_ind_cback

Change I63b857d031c55d3a0754e4101e330843eb422b2a caused a double
free. Move the free call to pan_data_buf_ind_cb().

Free the buffer before every return in pan_data_buf_ind_cb.

Bug: 74950468
Test: manual tethering test with DUT sharing its connection
Change-Id: If4526f3042699581e2cdde79a362eef0f83768eb
Merged-In: If4526f3042699581e2cdde79a362eef0f83768eb
(cherry picked from commit 2e0deb1d135805b37697f0e02a55269c6cc500fe)
(cherry picked from commit e04c8be75d115e5d241afe95148e0093ef8c72eb)

DO NOT MERGE Fix unexpected behavior in bta_dm_sdp_result

Check the number of UUIDs from remote device

Bug: 74016921
Test: manual
Change-Id: I7e1fd420c96bdb4d8b1bb129eb85045f9e3da443
(cherry picked from commit f55b3093f1c5659da16c3df2670edd9089844526)

DO NOT MERGE: AVRCP: Check number of text attribute values in response

Test: Build
Bug: 71603410
Change-Id: I6f822b0bc7fc2fb042a70b64cff61583a86b36e2
(cherry picked from commit 8a6fb368847794adb2365f91aa60a36a61d02607)

DO NOT MERGE Truncate new line characters when adding string to config

Bug: 70808273
Test: test with a device with newline character in name
Change-Id: Ie7e0b5d93047bc12a9cb84cc15f7f68f38f36441
(cherry picked from commit 01facbcf9762e93010744edfa9bd04a46f95be6e)

DO NOT MERGE: AVRCP: Check number of text attributes in response

Test: Build
Bug: 71603315
Change-Id: Ieda5e410057062533ae09bd977bfe7f758a55140
(cherry picked from commit 07900311fbd68eba44c46ed491368597a63ae770)

DO NOT MERGE: AVRCP: Initialize buffer for attribute values to be written to

Test: Build
Bug: 71603553
Change-Id: I978270605cfaa3b833d6c19f1b1d2cd5a82ac079
(cherry picked from commit aeff2c709c34a56058f3a67a86acf96733bd6061)

DO NOT MERGE: SDP: Check p_req_end before reading from p_req

Bug: 69384124
Test: Connect a headset
Change-Id: Ia30c58ed39977552e5ddc21cc3c1b54c6b1d8abe
(cherry picked from commit d321b13feaebb6ce83d4c449b3ef500ddbbef716)

PAN: Fix Use-after-free in bta_pan_data_buf_ind_cback

Patch from b/67078939

Test: build
Bug: 67110692
Change-Id: I63b857d031c55d3a0754e4101e330843eb422b2a
Merged-In: I63b857d031c55d3a0754e4101e330843eb422b2a
(cherry picked from commit bcad4b57fa67826fa254e987959b2666616fd6e9)

BNEP: Check received frame type

Bug: 68818034
Test: build
Change-Id: I2b9f32b92d72f226361e6a80f20f9c7ee77f6019
Merged-In: I2b9f32b92d72f226361e6a80f20f9c7ee77f6019
(cherry picked from commit c1778018189498da0ecb35e9356d11c9dc315353)

SDP: Pass the bounds to process_service_*_rsp

Test: build
Bug: 68161546
Change-Id: Icf53d4d05f99b5e0a2b3f4d3735b6fbfd62adaa3
Merged-In: Icf53d4d05f99b5e0a2b3f4d3735b6fbfd62adaa3
(cherry picked from commit 88beb384eb3ab97d3da2902e3477e68e44345bd2)

Allocate/free the SDP connection timers only during stack startup/shutdown

This avoids freeing the sdp_conn_timer within the alarm callback itself.

Bug: 67110137
Test: Manual
Change-Id: I775b4b532cd42cf207258c53c6052a167a124627
Merged-In: I775b4b532cd42cf207258c53c6052a167a124627
(cherry picked from commit ef6a4a0c9d9220a7d909863349d7a0c0b967d54c)
(cherry picked from commit 486d27733fd3db14575370985ae50a02cbb193d4)

DO NOT MERGE Fix unexpected behavior in reading BNEP packets

Bug: 67863755
Bug: 69177251
Bug: 69177292
Bug: 69271284
Test: BNEP still works
Change-Id: I41b8bfe5e123a56b8812124178663735f2bf3372
(cherry picked from commit 1ba7a489f57252de63d95d0374fccc002fe3d35a)

DO NOT MERGE Remove memory reference to invalid mem in error log

Remove the memory reference to an invalid memory inside an error log
message.

Test: Edit code to force the error condition and make sure the new error
log does not crashed.
Bug: 67058064
Merged-In: I55ec6d8b53e5987cd7721e0ae3ffccc11d6638a0
Change-Id: I55ec6d8b53e5987cd7721e0ae3ffccc11d6638a0
(cherry picked from commit 11cd7277a1d0da9013a8381cddbfc096e9adaed6)
(cherry picked from commit c779dc72e098a65fea6774d7ffdd036086ef7cd2)

DO NOT MERGE: AVRCP: Check the number of text value attributes requested

Test: Builds
Bug: 69479009
Change-Id: Ibd6a448eda65f857ddfacc1ee7ad1ead3b46fb8d
(cherry picked from commit 03ffdc94b07ad40d99b298137877aa9b5ebecb58)

DO NOT MERGE: AVRCP: Check the number of text attributes requested

Test: Build
Bug: 69478941
Change-Id: Ic7e2632e5dab9031703b2bf8747e27f90f92f0e4
(cherry picked from commit 1661401e3a7b535f4c7eccfc15e4f228bf385eea)

DO NOT MERGE Fix unexpected behavior in SDP

Bug: 68776054
Bug: 68817966
Test: Bluetooth SDP still works
Change-Id: I4eef22679a313b88d7e8ec463b29dbb592c6b5b9
Merged-In: I4eef22679a313b88d7e8ec463b29dbb592c6b5b9
(cherry picked from commit 968df7a80cc1901fb63ec0eb7a5080f64da3819e)

Removed alarm callback execution statistics

Updating the alarm state after the callback returns can be problematic
in case the callback itself deleted the alarm.

Bug: 67110137
Test: Manual
Change-Id: Id4de06eebedb792cadd63d09efb68672e9bddc69
Merged-In: Id4de06eebedb792cadd63d09efb68672e9bddc69
(cherry picked from commit 04574e1cde3b0d46b59b4b6ebab935ac60af9f97)
(cherry picked from commit b9ebb4ab26e27d0701d43faee775c1b1975d0191)

Read the correct amount of attributes

bta_gattc_cache_load currently attempts to read 0xFF attributes into an
allocation sized to num_attr attributes, which can be smaller than 0xFF.

There aren't more than num_attr bytes in correct data, but this breaks
with dynamic buffer overflow checking in CopperheadOS for the read
system call since fread ends up calling read, which obtains the size of
the allocation from the malloc implementation and then aborts due to the
(potential) overflow.

This would also fail with the default enabled _FORTIFY_SOURCE=2 feature
in the Android Open Source Project if osi_malloc was marked with the
alloc_size attribute. The way it wraps malloc loses that information so
fortify checks aren't done for calls like this.

Bug: 37160362
Change-Id: I68bd170d5378c9d9d21cbda376083bc0b857e15c
Signed-off-by: Scott Bauer <sbauer@plzdonthack.me>
[migrated to C++ file, added 0xFFFF limit and wrote commit message]
Signed-off-by: Daniel Micay <danielmicay@gmail.com>
(cherry picked from commit 8eb6493ad56ed4fd8310bf96042cc54eb5b450dd)

SDP: Bounds check 'id' parameter for free_sdp_slot()

Merged-In: I34e8296ec7ec6b4ffbe1fa0452754f2a421e6ec7

Test: manual
Fixes: 37502513
Change-Id: I34e8296ec7ec6b4ffbe1fa0452754f2a421e6ec7
(cherry picked from commit b413f1b1365af4273647727e497848f95312d0ec)
(cherry picked from commit 82e4754aaafe820619a51f8eeaa858db8735d9c1)

Add missing extension length check while parsing BNEP control packets

Bug: 63146237
Test: External script
Change-Id: I4e519cec1c7dffb8bd42add00bd891e0969a3d9f
(cherry picked from commit 9ab89b7dbe5735b796799f65144efa48595d0230)
(cherry picked from commit dc7700a43189d2a8607b69ae19a6d646f11ddf51)
(cherry picked from commit c7874f25a0557ca4413d8db80bab8da842fc389a)
(cherry picked from commit 187bd8aec0aae63c6328981041e5ec7764ece6a9)
(cherry picked from commit 01f46e0aff705dab350cda7f648fb94976ea3988)
(cherry picked from commit e07d37969e654fd6be308232b15c1ed716205543)

Free p_pending_data from tBNEP_CONN to avoid potential memory leaks

Bug: 63146105
Test: External script
Change-Id: I1281779ccf38d1d2dfb1a6dc0e45c0e533cabbca
Merged-In: I1281779ccf38d1d2dfb1a6dc0e45c0e533cabbca
(cherry picked from commit 4982eb5df30cbcbee5c8b8807be95fdc6dfa63c5)
(cherry picked from commit a654681c5558904a8abfa1bbab8eafb651c13231)
(cherry picked from commit 64a12d3b6e71d9161837f28ce18c34d924c2bafc)
(cherry picked from commit 8f18afd26c02ae3d46bf14d6e36017965dee0394)
(cherry picked from commit f8fc7f7d112d5ff2064aaaa3c7fceb077169183e)

Add a missing check for PAN buffer size before copying data

Bug: 63146237
Test: External script
Change-Id: I3e9c8a767a8a2a80ff56ccb48c56ca0d4b8c3402
Merged-In: I3e9c8a767a8a2a80ff56ccb48c56ca0d4b8c3402
(cherry picked from commit 1d909399cb4259243dac2e531e3ce6ca1afa77e7)
(cherry picked from commit aa486ad8b5ad6eaef732e5fa7f151495c8c3faf2)
(cherry picked from commit a8a6a17fdfc8d930ba4ad18f92cf4453cc1a219e)
(cherry picked from commit d1145e0af3507e37d4bd25f1833e22c5c716f0ac)
(cherry picked from commit 23642dc32ce8704067882cfb37745b62c2b3562a)

Disable PAN Reverse Tethering when connection originated by the Remote

* Check for valid interactions between the three PAN profile roles per
Table 1 in PAN Profile v1.0 spec.
* Explicitly disable connections to the local PANU if the remote is
not PANU.

Bug: 63145701
Test: External script
Change-Id: I29a7e404ba7e4453b6a7c59148a2b3eb7395303a
Merged-In: I29a7e404ba7e4453b6a7c59148a2b3eb7395303a
(cherry picked from commit 9aea2c2f92dd5245f6b35d564ce8e471fec2b4ec)
(cherry picked from commit 3f2ee5b546b65b5b021779588316249276ed3827)
(cherry picked from commit 40c7cefb12ac1a70bf7b1c770c1ab21a5b3f229e)
(cherry picked from commit f7a7f7a948e38195e8ca897785ac5d489082f0cc)
(cherry picked from commit b40497b27a0dce81d11f0dca09af6d81abf4bd92)

Allocate buffers of the right size when BT_HDR is included

Bug: 63146105
Test: External script
Change-Id: I1f2c871e3fcf57aabdad9d07905e6dae643bd496
Merged-In: I1f2c871e3fcf57aabdad9d07905e6dae643bd496
(cherry picked from commit d88838a7237cd672d87b6b9cc8d56fff625fd1d5)
(cherry picked from commit b648c7dfe45c57842d58576f558fdf8edff10bec)
(cherry picked from commit 338e0485940ab278e6a2dc12285ba0798b79cfa4)
(cherry picked from commit 510697a0d79ac9816c0e2717c357c3330d89645a)

Add missing packet length checks while parsing BNEP control packets

Bug: 63146237
Test: External script
Change-Id: Ie778f3c99df81c85ed988f3af89b4edbcc2eeb99
Merged-In: Ie778f3c99df81c85ed988f3af89b4edbcc2eeb99
(cherry picked from commit 7feaeb006941a1494d7cdc0a2ffc4bb1004b38b4)
(cherry picked from commit 6d415839da570b94b0763f6ab444f0dd1321fc33)
(cherry picked from commit c68554feb3ddfd31cdec6d81a4b73a959c1b2a09)
(cherry picked from commit 3775b3c49e5d62349fd1f3dfb743fabadb43ea75)
(cherry picked from commit f31afd3836184edccdfc8393dc4d168b0cfd912b)

Add missing continuation offset check for SDP continuation requests

Bug: 63146698
Test: External script
Change-Id: Iea52f1689dc12bfe0d4b57996f17db4bc3bd5983
Merged-In: Iea52f1689dc12bfe0d4b57996f17db4bc3bd5983
(cherry picked from commit e776c834768bedd043ace7e5714390b61c96a248)
(cherry picked from commit 10ce685cb025f6854be4ecc5329f2f684fd9ea5d)
(cherry picked from commit 3488364721ec066a03af14076bd312d27173115d)

Check LE advertising data length before caching advertising records

Bug: 33899337
Test: make, receive LE advertising
Change-Id: I06b249ac5cabdef64528deda07b8bae749e1d2fd
(cherry picked from commit d57adbc350fdee4f27b82c9e39a14bd745d92320)
(cherry picked from commit 1bef3546a6cb6f05739c10825dab9eb3362892f6)

DO NOT MERGE
resolve merge conflicts of a3ee2e35 to nyc-dev

Bug: 34946955
Change-Id: Ieff690edd3aa527a0639483ec8e1e3b661f0ecc4
Merged-In: I0b6f50dee05a58db8c043b4d01fb58c9acbeede9
(cherry picked from commit a33dd28064b98a63c7050814d7939e0a8b515b0e)

Corrected default value assignments in Bluetooth A2DP Metrics

* In certain cases btif_media_task_stop_aa_req() could be called before
  btif_media_task_start_aa_req() is called, resulting in session_start_us
  to be 0. In this case, audio_duration_ms = time_now_us() - 0 will be a
  very large number that is not the actual audio duration.This CL marks
  audio_duration_ms as -1 in the above situation so that we can
  differentiate between valid and invalid audio durations
* Set default timer and counter values to 0 when
  tx_queue_dequeue_stats.total_updates > 1
* Move update_scheduling_stats for tx_queue_enqueue_stats to
  btif_media_task_aa_handle_timer as we intend to capture the time
  intervals for enqueue scheduling instead of time intervals between
  frame enqueue (i.e. one scheduling event can enqueue multiple frames)
* Use tx_queue_enqueue_stats instead of *dequeue* since only enqueue is
  triggered by timer event

Bug: 33694310
Test: Code compilation, BtFunhausMetricsTest
Change-Id: I10984920afd4d77f07a5ac75736f8dcd69b13af8

Fix A2DP Metrics Logging Capacity

* Set the maximum number of wake events logged to 1000
* Stop logging wake log name as it takes too much memory
* Add counters for each of the repeated values in BluetoothLog so that
  the true number of events can be determined while oldest event get
  dropped
* Log Bluetooth session disconnect reasons using enum instead of string
  in order to save memory usage
* Apply changes to bluetooth.proto in ag/1460462 on system/bt

Bug: 33694310
Test: Code compilation and unit tests
Change-Id: I2cc6f9304725938b63b211d615eb1941eac60edf

Fix NPE when discovering invalid GATT datatbase

When doing a discovery of invalid GATT database, where two services are
added with same start handle, characteristics are added to the first
one, where descriptors are added to the later. This cause NPE when
adding descriptor.

Bug: 34280184
Test: manual test
Change-Id: I27619098df33a641cb089b82cf4d4ffd3c6e6aea
(cherry picked from commit 8957fdca4f6a1ba963b81983e8a40a82c3b1122d)

Merge "Serialize stack shutdown, state change callback and cleanup" into cw-f-dev
am: 718b632f2b

Change-Id: I1ce4066cb7598d38cd2963ff2a9800a8f9f5debe

Serialize stack shutdown, state change callback and cleanup
am: 352b8e89ea

Change-Id: Icace606e4c596074c4a120678d65511c78f683c4

Merge "Serialize stack shutdown, state change callback and cleanup" into cw-f-dev

resolve merge conflicts of 316589aa to nyc-mr2-dev

Change-Id: I1a5e1b3d09b5bc5d13eda31fd633146536dbd7ee

Remove position dependent lookup tables in AT command parser
am: 8d3cf5988a

Change-Id: I0a690f1538c49fbed743ccf324d240dbb8c927c8

Fix A2DP metrics session duration

* Fixed A2DP duration counting. It is now counting from music play start
  to music play end.
* Start logging a2dp connection as Bluetooth sessions. Currently, only
  A2DP connections are logged. Thus the bluetooth session length will be
  the total connection length and the length within A2DP session message
  will be the audio connection length.
* Add a audio_duration_millis field in A2DPSession to record audio duration
* Add bonded memory constraint for metrics entries
* Use a builder mechanism to only build metrics upon dumping
* Refactor metrics module into BluetoothMetricsLogger class
* Created unit test for BluetoothMetricsLogger

Bug: 33694310
Test: Code compilation, Unit test, BtFunhausMetricsTest
Merged-In: Iea2a997c4ea074687a5d50860e9229f0e1b82659
Change-Id: Iea2a997c4ea074687a5d50860e9229f0e1b82659
(cherry picked from commit f3175629208a64b190dde4dcf5f92cacef70d3e9)

Add LeakyBondedQueue to libosi

* LeakyBondedQueue is a fixed size queue that leaks oldest item when
  reaching its capacity. This is useful in creating memory bonded data
  structure where freshness is more important than full coverage.
* The queue is protected by a simple mutex and is thread-safe, although
  improvements could be made to lock enqueue and dequeue separately, it
  is not implemented at this moment due to lack of demand
* The queue uses unique_ptr to automatically free its content when it is
  destructed
* Add several tests to verify its API and memory management
* This data structure will be firstly used in the metrics module

Bug: 33781460
Test: Code compilation, unit tests
Merged-In: I51cb73666ac58e4792d9cba0d6f16dad30a0ff39
Change-Id: I51cb73666ac58e4792d9cba0d6f16dad30a0ff39
(cherry picked from commit a22dd221033bb6b4052544c4489934a4ba2a3416)

Serialize stack shutdown, state change callback and cleanup

Use Case: Bluetooth On/Off scenario, User switch

Steps:
1. Turn ON Bluetooth
2. Switch user
Also observed on occurrence of enable/disable timeout during On/Off testing.

Failure: Crash while sending state change HAL callback.

Root Cause: In the event when stack cleanup is queued to stack manager
thread when stack shutdown is being processed, stack cleanup starts
execution as soon as stack shutdown is finished.
If the function event_signal_stack_down posted to btif thread at the
end of stack shutdown is executed after stack cleanup crash occurs.

Fix: Serialized the execution of stack shutdown, state change callback
execution and stack cleanup to happen in same order.

Test: code compilation.

Change-Id: Ic96205b5c304acb44eab53f4e2cb150726643bda
(cherry picked from commit 16e112b1861d8f1147325372608c905627e00e88)

Remove position dependent lookup tables in AT command parser

The various position dependent lookup tables in the AT command parser
were out of sync, causing invalid responses to the AT+CBPS command for
example.

This patch gets rid of positionally dependent enums for simple lookup
tables that correlate all the values for easier, less error prone
maintenance of the related tables.

This re-instates a previously reverted patch after fixing incorrect
field order in tBTA_AG_INDICATOR_MAP.

Change-Id: I7f8a052e78706c8c72c5102b38cfe9ce200ae0d9
Fixes: 29978908

DO NOT MERGE ANYWHERE Fix the timestamp in btsnoop format
am: aa40aa18bc -s ours

Change-Id: I4fc659fbacd28f726d336d04600289ed891e00f6

Move btsnoop_hci.log to /data/misc/bluetooth/logs

Bug: 31466840
Change-Id: Ibd8f8b85eb59be8bfbb8a7c83b5935802624a748
(cherry picked from commit 12aeda148b39f82d07733ad5c3eafcc9264707a1)

DO NOT MERGE ANYWHERE Fix the timestamp in btsnoop format

Due to overflow, timestamp does not have correct value.
Make sure it should be saved in long long type as 64bit.

Change-Id: Iaf1b1dd746dd52ab7e50b870efacde2b8dd0bed6
Signed-off-by: Ben YoungTae Kim <ytkim@qca.qualcomm.com>

DO NOT MERGE ANYWHERE Do not update sco_state when no matching peer_addr is found
am: 3e1402c31c -s ours

Change-Id: I235c9562890483bcba881a59c718c14b2f6ce2a2

DO NOT MERGE ANYWHERE Do not update sco_state when no matching peer_addr is found

In the bta_hf_client_sco_conn_cback function, sco_state should not be set to
BTA_HF_CLIENT_SCO_SHUTDOWN_ST when no matched peer_addr found, so that it
can handle BTA_HF_CLIENT_SCO_OPEN_E event later.

Bug: 26416310
Change-Id: I4540230c792490f79e4cca24cb4b34a1c383422f
(cherry-picked from 2dfcbda49f694fcf1355955c334926e8641b4dc5)

Add extra logs by default inside sdp_copy_raw_data()

The extra logging is needed for investigating an issue that
is hard to reproduce.

Test: code compilation
Bug: 31795382
Change-Id: Ibe500e332dba8f44485b44bcac32d11be52520a6
Merged-In: Ibe500e332dba8f44485b44bcac32d11be52520a6
(cherry picked from commit 9f9166c5830e06f816ff8299f74518f7ec781347)

Merge changes from topic 'ble_oob_sc_mr2' into nyc-mr2-dev

* changes:
  Fix incorrect check for empty out-of-band pairing data
  BLE OOB Pairing - parse address type (1/5)
  Add LE Secure Connection data parsing (3/4)

Improve HOGP input report error handling

This fixes com.android.bluetooth crash when receiving HOGP input report
for unknown characteristic.

Test: Pair/Unpair BLE mouse/keyboard devices.
(cherry picked from commit 9e6f5ad992060fe91dbacc302417a30ddf5e7a57)
Bug: 33257618
Change-Id: I4bb3fb02cffdcc5b1273f8ace281826eccce6639

Cleanup GATT cache when remote device is disconnected

According to Bluetooth spec, GATT cache should not be persisted between
reconnections for unbonded devices. Bonded devices store the cache on
the disk and will read it on reconnection.

Bug: 33123476
Test: sl4a GattReadTest
Change-Id: If2ca53c7b22a346e7236514ea7b461695c923f74
(cherry picked from commit 9580a30918c256cf20fdb68823115864155e6243)

Fix how LE connection parameters are set after connecting.

This patch fixes bug introduced in commit
95075be6e95e9021c1ddd834bcf9e3771c57c217
which would cause unnecessary connection parameter update request
to be send. It should be send only right after connecting.

Bug: 32563079
Bug: 28435172
Change-Id: Ibd9301a990f12a94e8043b9c29a480f068251ba8

Fix incorrect check for empty out-of-band pairing data

Bug: 32780409
Test: try pairing with nRF52DK using OOB LE SC
Change-Id: I3c165843bb76c372b76bdc18a7d9226345d39037
(cherry picked from commit a638cc509bf8fe4157c0aa5d3e39011063d3587a)

BLE OOB Pairing - parse address type (1/5)

When address type is not parsed, creating bond to devices not using
random address is impossible.

Bug: 32780409
Test: try pairing with nRF52DK using random address
Change-Id: Idc0315e9e3f9e17c3cf56fa483c8e21eb3590f01
(cherry picked from commit 7921e8f594079e00e90173a8fe7483ad72443b34)

Add LE Secure Connection data parsing (3/4)

Bug: 30460956
Change-Id: I216142090fe99b25ef7697fceceb278b761a182b

resolve merge conflicts of c5bae32 to nyc-mr2-dev

Change-Id: Ib1acd5c8f60785470906941228593aa7453d5830

Mask out HFP 1.7 feature bits if peer version is <1.7
am: ebba3ef2ea

Change-Id: Ifba883eecdf6296d94f6181564e3fdf69ec5a452

Mask out HFP 1.7 feature bits if peer version is <1.7

Bug: 32378402
Merged-In: I568e8c4c584d56d744cf7a30273feac1d8d4c4df
Change-Id: Iac8684bdfd02b18cce260bedefb829e8f7285361
(cherry picked from commit 1ad2678e2ff5fa3dbfae9dc76ab646db10794e4e)
(cherry picked from commit 571f23ca31cdbc87cae8c078b5885246dd779498)

Remove position dependent lookup tables in AT command parser

The various position dependent lookup tables in the AT command parser
were out of sync, causing invalid responses to the AT+CBPS command for
example.

This patch gets rid of positionally dependent enums for simple lookup
tables that correlate all the values for easier, less error prone
maintenance of the related tables.

This re-instates a previously reverted patch after fixing incorrect
field order in tBTA_AG_INDICATOR_MAP.

Change-Id: I7f8a052e78706c8c72c5102b38cfe9ce200ae0d9
Fixes: 29978908

[DO NOT MERGE] Remove incorrect assert in btm_read_rssi_cb

|data| may be NULL if the RSSI request times out.
See btm_read_rssi_timeout implementation for details.

Bug: 32587130
Test: manual
Change-Id: Ide9dee819e1db24a39c05b086cd4c0b558ca23ef

DO NOT MERGE ANYWHERE Auto Connection Parameter Update for Whitelisted Address
am: eac369fc17 -s ours

Change-Id: I78c55cc18fadc66a7dc943446ffc60a4e145a774

DO NOT MERGE ANYWHERE LE Connection Parameter Update Callback
am: f4314979ba -s ours

Change-Id: I9594cfb0e7be17a5e3d13631602ade1767df26ec

DO NOT MERGE ANYWHERE Auto Connection Parameter Update for Whitelisted Address

Auto adjust connection interval parameter after a certain idle
period on the connection.

BUG: 32380838

Change-Id: I28cf4f6d5dcfb7a0bfb6aa652d939e16fbdcdcde

DO NOT MERGE ANYWHERE LE Connection Parameter Update Callback

The callback ends at the btif layer and does not go up to the HAL layer.
Event logging is added to track success rate.

BUG: 28800115

Change-Id: I73ad281437760e1d61dd4e504401b270eb77e3e6

Assign pairing code to bta_dm_cb before device name resolution

Device name resolution, BTM_ReadRemoteDeviceName(), will cause
bta_dm_sp_cback() to exit early and bta_dm_pinname_cback() callback
will be invoked after the resolution, which continues the pairing
with pairing code from bta_dm_cb.num_val. Hence, bta_dm_cb.num_val
needs to be assigned before BTM_ReadRemoteDeviceName() is called.

Test: manual
Bug: 31381715
Change-Id: I61f06a9d878dd72154d6621eb094dcea5f701cbc
(cherry picked from commit db76fa4d26d73402a3f03b288a0999f8694dbea8)

Fix random crashes in HID related code am: e318faa73a
am: 1fe98c51ab

Change-Id: Ic1010a65720d0e90024e16b87353017321e34f8f

Fix random crashes in HID related code
am: e318faa73a

Change-Id: I134f5f63052d7173b106422cebda1c9987c15e4a

Fix random crashes in HID related code

Operation on characteristics/descriptors shouldn't access GATT database
when it's executed. This could happen while service rediscovery is in
progress.

Bug: 32240759
Test: connect to HID device
Change-Id: Ie2b6e6b451456204b1cea1e500df9a0ff949a9ef
(cherry picked from commit d8f09d077d9017a522c17f4b9a49328b0ed3e91e)

Merge "DO NOT MERGE ANYWHERE Add Wear-specific feature to override LE IO capability" into cw-f-dev

Reset device security flags when pairing fails
am: 667e1fe3d7

Change-Id: I1dd2d6d1a3f1dd613ae6d02d167f4fd7e015aadf

Reset device security flags when pairing fails

Bug: 29998634
Test: manual
Change-Id: Icd9a76a065de147372df060c0b9555c75bcf46bc

DO NOT MERGE ANYWHERE Add Wear-specific feature to override LE IO capability

Force the first bond to use Just Works pairing when
WEAR_LE_IO_CAP_OVERRIDE is set to TRUE.

Bug: 32234733
Change-Id: I1732be86dd888586c603112fb6c3010974b54a13

Merge "Fix HFP AT command BIA failures" into cw-f-dev

Fix HFP AT command BIA failures

Running the PTE test case TC_AG_IIA_BV_01_I, a failure occurs due to
missing initialization of tBTA_AG_VAL.

Bug: 31325270
Test: PTS
Change-Id: I683eccd53d40e79ec03545166b18ffa1922f0fb2

Fix bad GATT client state machine state after successfull cache load
am: f87953f1be

Change-Id: If89361b40bd9abf0150afa4ac2af1b02366eafc7