OSDN > ソフトウェアを探す > システム > OS配布 > Live CD > Android-x86 > SCM > git > system-bt > コミット

Android-x86
Fork
external-gbm_gralloc
hardware-powerbtnd
hardware-intel-libva
manifest
device-generic-x86_64
device-generic-common
system-bt
hardware-intel-intel-driver
external-bluetooth-bluedroid
build
device-generic-x86
packages-apps-Camera2
device-viewsonic-viewpad10
packages-apps-Taskbar
packages-apps-Gallery2
system-media
hardware-intel-common-libva
external-vboxguest-linux-modules
system-netd
hardware-intel-common-vaapi
external-swiftshader
external-efibootmgr
device-generic-openthos
packages-apps-Settings
hardware-ril
packages-apps-CMFileManager
packages-apps-Eleven
external-toybox
external-drm_hwcomposer
hardware-libhardware_legacy
system-extras
hardware-libsensors
hardware-liblights
hardware-broadcom-libbt
packages-apps-TSCalibration2
system-core
packages-apps-Bluetooth
device-generic-firmware
device-generic-goldfish
external-s2tc
device-asus
device-amd
device-common
device-hp-tx2500
device-ibm-thinkpad
device-lenovo-s103t
device-tegatech-tegav2
external-srec
external-webkit
external-wpa_supplicant_6
packages-apps-AndroidTerm
packages-apps-FileManager
external-tslib
external-modules-rtl8723au
packages-inputmethods-PinyinIME
sdk
system-bluetooth
hardware-alsa_sound
device-asus-laptop
device-amd-persimmon
development
device-dell-sparta
device-vm-vm
hardware-wacom-input
libcore
packages-apps-Browser
packages-apps-Camera
prebuilt
device-motion-m1400
device-viliv-s5
packages-apps-Superuser
device-asus-eeepc
device-generic-goldfish-opengl
external-mplayer
external-wpa_supplicant
frameworks-policies-base
ndk
packages-apps-Calendar
packages-apps-ConnectBot
packages-apps-Contacts
packages-apps-DeskClock
packages-apps-LIME
packages-apps-Music
packages-providers-DownloadProvider
packages-wallpapers-Basic
packages-wallpapers-MagicSmoke
packages-wallpapers-MusicVisualization
packages-providers-ImProvider
packages-apps-AlarmClock
packages-apps-IM
packages-apps-Launcher
packages-apps-SoundRecorder
external-opencore
vendor-intel-houdini
vendor-samsung-q1u
external-dhcpcd
hardware-menlow-psb
hardware-menlow-ioport
push
external-eject
external-v86d
external-koush-Superuser
external-koush-Widgets
frameworks-native
external-libpciaccess
external-bluetooth-bluez
external-libtruezip
external-stagefright-plugins
external-ntfs-3g
external-parted
hardware-intel-hwcomposer
external-mesa
external-ffmpeg
external-llvm
external-libdrm
external-e2fsprogs
external-bluetooth-glib
hardware-broadcom-wlan
external-drm_gralloc
hardware-gps
external-busybox
kernel
external-alsa-lib
external-alsa-utils
system-vold
frameworks-base
frameworks-av
external-bluetooth-sbc
packages-apps-Trebuchet
dalvik
hardware-x86power
packages-services-Analytics
external-ppp
packages-apps-Launcher3
external-wpa_supplicant_8
hardware-intel-audio_media
hardware-intel-libsensors
hardware-libaudio
hardware-libcamera
external-googleanalytics
hardware-libhardware
hardware-interfaces
bootable-newinstaller
art
external-efivar
hardware-memtrack
system-connectivity-wificond
bionic
external-kernel-drivers
external-drm_framebuffer
external-exfat
external-openssh
external-wireless-tools
external-mksh
external-libffi
external-musl-libc
system-hardware-interfaces
external-minigbm
external-IA-Hardware-Composer
external-drmfb-composer
external-alsa-ucm-conf
external-libncurses
external-llvm-project
system-linkerconfig

R/O
HTTP
SSH
HTTPS

system-bt: コミット

system/bt

コミットメタ情報

リビジョン	4689e9b7af19e74632d340cd0851dd0b9b824089 (tree)
日時	2020-04-14 23:54:21
作者	Gaganpreet kaur <gaganpreetx.kaur@inte...>
コミッター	Chih-Wei Huang

ログメッセージ

Fix for multiple com.android.bluetooth crash issues.

Issue 1: com.android.bluetooth crash was seen due to invalid/
out of bound index while creating Listening Channel for AVRCP.

Reason: AVRCP creates the listening channel using
bta_av_rc_create, this function expects RC Channel Handle to be
passed as it will fetch the index for RC handle using
tBTA_AV_SCB* p_scb = p_cb->p_scb[shdl - 1];

But we are passing 0 i.e. index for RC handle directly. Due to
which above statement will throw exception for out of bound
index and crash is observed.

Fix: Updated the bta_av_rc_create calls with RC handle value
instead of index.

Issue 2: com.android.bluetooth crash was seen due to failed
check for parameter length for vendor capabilities as:
CHECK(p_vcs_cplt_params->param_len >

BTM_VSC_CHIP_CAPABILITY_RSP_LEN)

Reason: We always receive param_len for vendor capabilities as
9. Also BTM_VSC_CHIP_CAPABILITY_RSP_LEN is defined as 9. But as
per the check param_len is expected to be greater than 9. As the
check fails, exception is seen and crash is observed.

Fix: Changed the CHECK on param_len for Vendor Capabilities as:
CHECK(p_vcs_cplt_params->param_len >=

BTM_VSC_CHIP_CAPABILITY_RSP_LEN)

Change-Id: Ic11c58e8193c0d8252e569fee2bc99d30abb7aae
Tracked-On:
Signed-off-by: Gaganpreet kaur <gaganpreetx.kaur@intel.com>

変更サマリ

modified: bta/av/bta_av_act.cc (diff)
modified: bta/av/bta_av_main.cc (diff)
modified: stack/btm/btm_ble_gap.cc (diff)

差分

--- a/bta/av/bta_av_act.cc

+++ b/bta/av/bta_av_act.cc

		@@ -1254,7 +1254,7 @@ void bta_av_conn_chg(tBTA_AV_DATA* p_data) {
1254	1254	/* if the AVRCP is no longer listening, create the listening channel */
1255	1255	if (bta_av_cb.rc_acp_handle == BTA_AV_RC_HANDLE_NONE &&
1256	1256	bta_av_cb.features & BTA_AV_FEAT_RCTG)
1257		- bta_av_rc_create(&bta_av_cb, AVCT_ACP, 0, BTA_AV_NUM_LINKS + 1);
	1257	+ bta_av_rc_create(&bta_av_cb, AVCT_ACP, 1, BTA_AV_NUM_LINKS + 1);
1258	1258	}
1259	1259
1260	1260	APPL_TRACE_DEBUG(

		@@ -1435,7 +1435,7 @@ void bta_av_sig_chg(tBTA_AV_DATA* p_data) {
1435	1435	p_lcb->conn_msk = 0; /* clear the connect mask */
1436	1436	/* start listening when the signal channel is open */
1437	1437	if (p_cb->features & BTA_AV_FEAT_RCTG) {
1438		- bta_av_rc_create(p_cb, AVCT_ACP, 0, p_lcb->lidx);
	1438	+ bta_av_rc_create(p_cb, AVCT_ACP, 1, p_lcb->lidx);
1439	1439	}
1440	1440	/* this entry is not used yet. */
1441	1441	p_cb->conn_lcb \|= mask; /* mark it as used */

		@@ -1969,7 +1969,7 @@ void bta_av_rc_closed(tBTA_AV_DATA* p_data) {
1969	1969	(*p_cb->p_cback)(BTA_AV_RC_CLOSE_EVT, &bta_av_data);
1970	1970	if (bta_av_cb.rc_acp_handle == BTA_AV_RC_HANDLE_NONE
1971	1971	&& bta_av_cb.features & BTA_AV_FEAT_RCTG)
1972		- bta_av_rc_create(&bta_av_cb, AVCT_ACP, 0, BTA_AV_NUM_LINKS + 1);
	1972	+ bta_av_rc_create(&bta_av_cb, AVCT_ACP, 1, BTA_AV_NUM_LINKS + 1);
1973	1973	}
1974	1974
1975	1975	/*******************************************************************************

--- a/bta/av/bta_av_main.cc

+++ b/bta/av/bta_av_main.cc

		@@ -679,7 +679,7 @@ static void bta_av_api_register(tBTA_AV_DATA* p_data) {
679	679	}
680	680	/* start listening when A2DP is registered */
681	681	if (bta_av_cb.features & BTA_AV_FEAT_RCTG)
682		- bta_av_rc_create(&bta_av_cb, AVCT_ACP, 0, BTA_AV_NUM_LINKS + 1);
	682	+ bta_av_rc_create(&bta_av_cb, AVCT_ACP, 1, BTA_AV_NUM_LINKS + 1);
683	683
684	684	/* if the AV and AVK are both supported, it cannot support the CT role
685	685	*/

		@@ -696,7 +696,7 @@ static void bta_av_api_register(tBTA_AV_DATA* p_data) {
696	696	BTA_ID_AV);
697	697	#endif
698	698	#endif
699		- bta_av_rc_create(&bta_av_cb, AVCT_ACP, 0, BTA_AV_NUM_LINKS + 1);
	699	+ bta_av_rc_create(&bta_av_cb, AVCT_ACP, 1, BTA_AV_NUM_LINKS + 1);
700	700	}
701	701	#if (BTA_AR_INCLUDED == TRUE)
702	702	/* create an SDP record as AVRC CT. We create 1.3 for SOURCE

--- a/stack/btm/btm_ble_gap.cc

+++ b/stack/btm/btm_ble_gap.cc

		@@ -498,14 +498,17 @@ static void btm_ble_vendor_capability_vsc_cmpl_cback(
498	498	BTM_TRACE_DEBUG("%s: Status = 0x%02x (0 is success)", __func__, status);
499	499	return;
500	500	}
501		- CHECK(p_vcs_cplt_params->param_len > BTM_VSC_CHIP_CAPABILITY_RSP_LEN);
502		- STREAM_TO_UINT8(btm_cb.cmn_ble_vsc_cb.adv_inst_max, p);
503		- STREAM_TO_UINT8(btm_cb.cmn_ble_vsc_cb.rpa_offloading, p);
504		- STREAM_TO_UINT16(btm_cb.cmn_ble_vsc_cb.tot_scan_results_strg, p);
505		- STREAM_TO_UINT8(btm_cb.cmn_ble_vsc_cb.max_irk_list_sz, p);
506		- STREAM_TO_UINT8(btm_cb.cmn_ble_vsc_cb.filter_support, p);
507		- STREAM_TO_UINT8(btm_cb.cmn_ble_vsc_cb.max_filter, p);
508		- STREAM_TO_UINT8(btm_cb.cmn_ble_vsc_cb.energy_support, p);
	501	+
	502	+ if (p_vcs_cplt_params->param_len >= BTM_VSC_CHIP_CAPABILITY_RSP_LEN) {
	503	+ CHECK(p_vcs_cplt_params->param_len >= BTM_VSC_CHIP_CAPABILITY_RSP_LEN);
	504	+ STREAM_TO_UINT8(btm_cb.cmn_ble_vsc_cb.adv_inst_max, p);
	505	+ STREAM_TO_UINT8(btm_cb.cmn_ble_vsc_cb.rpa_offloading, p);
	506	+ STREAM_TO_UINT16(btm_cb.cmn_ble_vsc_cb.tot_scan_results_strg, p);
	507	+ STREAM_TO_UINT8(btm_cb.cmn_ble_vsc_cb.max_irk_list_sz, p);
	508	+ STREAM_TO_UINT8(btm_cb.cmn_ble_vsc_cb.filter_support, p);
	509	+ STREAM_TO_UINT8(btm_cb.cmn_ble_vsc_cb.max_filter, p);
	510	+ STREAM_TO_UINT8(btm_cb.cmn_ble_vsc_cb.energy_support, p);
	511	+ }
509	512
510	513	if (p_vcs_cplt_params->param_len >
511	514	BTM_VSC_CHIP_CAPABILITY_RSP_LEN_L_RELEASE) {

旧リポジトリブラウザで表示