Commit 10008bcd authored by Hemant Gupta's avatar Hemant Gupta Committed by Myles Watson

HID: Prevent crash by Cancelling SDP during cleanup

Use case:
1) User tried to connect to a HID device.
2) SDP is internally performed by the DUT. SDP is at the stage
   where the L2CAP connection and configuration are done, and the data
   fetch is ongoing.
3) BT was turned off from the UI.
Observation:
BT crashed while accessing memory that had already been freed, because the BT turn-off
caused an ACL disconnection, leading to an L2CAP disconnect indication in the stack,
leading to an SDP disconnect indication.
Backtrace:
    #00 pc 000f98d4  /system/lib/hw/bluetooth.default.so (SDP_FindServiceUUIDInDb+51)
    #1 pc 000b5dbd  /system/lib/hw/bluetooth.default.so (hidh_search_callback+0x40)
    #02 pc 000f770b  /system/lib/hw/bluetooth.default.so (sdp_disconnect_ind+0x5e)
    #03 pc 00107a5f  /system/lib/hw/bluetooth.default.so (l2c_csm_execute+3446)
    #04 pc 001080e7  /system/lib/hw/bluetooth.default.so (l2c_link_hci_disc_comp+122)
    #05 pc 000fda81  /system/lib/hw/bluetooth.default.so (btu_hcif_process_event+588)
    #06 pc 000fec81  /system/lib/hw/bluetooth.default.so (btu_hci_msg_ready+96)
    #07 pc 00118191  /system/lib/hw/bluetooth.default.so
    #08 pc 0011917f  /system/lib/hw/bluetooth.default.so
    #09 pc 00041993  /system/lib/libc.so (_ZL15__pthread_startPv+30)
    #10 pc 000192b5  /system/lib/libc.so (__start_thread+6)
Register Dump
pid: 15740, tid: 15761, name: bluedroid wake/  >>> com.android.bluetooth <<<
signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0x20000
    r0 815a5cac  r1 a1a2f370  r2 00000000  r3 85d4e541
    r4 00020000  r5 815a5cac  r6 a1a2f370  r7 b6d3ae40
    r8 00000000  r9 b6d3ae40  sl 00000002  fp 00000013
    ip a228c050  sp a1a2f360  lr a20eddc1  pc a21318d4  cpsr 200e0030
Root cause:
The above scenario could lead to the crash shown in the backtrace, as bta_hh_cb.p_disc_db would be freed
during HID Host cleanup and then accessed via the callback received for parsing SDP results on
SDP completion.
Fix:
While cleaning up HID Host, cancel the SDP search before freeing and resetting bta_hh_cb.p_disc_db.
This will internally send an L2CAP disconnect request for SDP, leading to an sdp_disconnect_cfm
call when L2CAP is disconnected, which in turn calls hidh_search_callback with result code
SDP_CANCEL.

Change-Id: I63563cb23dd69946f87a70cafa203c44edc9b753
parent 98684057
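The following is an added illustration, not code from this commit or from the Bluetooth stack: a small C model of the lifetime race the message describes (an asynchronous SDP search still holds a pointer to a buffer that the HID host cleanup frees, and the completion callback then parses that buffer), replayed once as the 'before' (free while the search is pending) and once as the 'after' (cancel the search first, so the completion arrives as SDP_CANCEL and the callback returns without touching the buffer). Function and field names such as sdp_cancel_service_search, hidh_search_callback and p_disc_db are modelled on the names in the message but are constructed here, as are the result-code values and the record count; a liveness registry is used so the model reports a stale access instead of dereferencing freed memory.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Result codes are named after the ones in the commit message; values are constructed. */
enum { SDP_SUCCESS = 0, SDP_CANCEL = 1 };

/* Constructed stand-in for the discovery database buffer (bta_hh_cb.p_disc_db). */
typedef struct { int num_records; } disc_db_t;

typedef void (*sdp_cback_t)(uint16_t result);

/* Liveness registry: lets the model detect a stale pointer instead of
 * dereferencing freed memory, which would be undefined behaviour. */
static disc_db_t *g_live_db;

static disc_db_t *disc_db_alloc(int records) {
    disc_db_t *db = calloc(1, sizeof *db);
    if (db) { db->num_records = records; g_live_db = db; }
    return db;
}

static void disc_db_free(disc_db_t *db) {
    if (db && db == g_live_db) g_live_db = NULL;
    free(db);
}

/* Model of the SDP layer: one outstanding search, which keeps its own copy
 * of the caller's DB pointer for the lifetime of the search. */
static struct { bool active, cancelled; disc_db_t *db; sdp_cback_t cb; } g_sdp;

static bool sdp_service_search(disc_db_t *db, sdp_cback_t cb) {
    if (g_sdp.active) return false;
    g_sdp.active = true; g_sdp.cancelled = false; g_sdp.db = db; g_sdp.cb = cb;
    return true;
}

/* Model of the cancel the fix adds before freeing the DB. In the real stack this
 * sends an L2CAP disconnect request and completion arrives later, so here it
 * only flags the search as cancelled. */
static bool sdp_cancel_service_search(disc_db_t *db) {
    if (!g_sdp.active || g_sdp.db != db) return false;
    g_sdp.cancelled = true;
    return true;
}

/* Model of the L2CAP disconnect reaching SDP (sdp_disconnect_ind / _cfm): a
 * cancelled search completes with SDP_CANCEL; an uncancelled one completes as
 * if the data fetch had finished and the caller should now parse the DB. */
static void sdp_l2cap_disconnected(void) {
    if (!g_sdp.active) return;
    g_sdp.active = false;
    g_sdp.cb(g_sdp.cancelled ? SDP_CANCEL : SDP_SUCCESS);
}

/* Model of the HID host control block. stale_accesses counts the callback
 * reaching a pointer that is no longer live, i.e. where the real stack took SIGSEGV. */
static struct { disc_db_t *p_disc_db; int records_seen; int stale_accesses; bool saw_cancel; } g_hh;

/* Model of hidh_search_callback: on any result but SDP_CANCEL it parses the DB
 * the search was filling, which is the already-freed buffer in the crash. */
static void hidh_search_callback(uint16_t result) {
    if (result == SDP_CANCEL) { g_hh.saw_cancel = true; return; }
    disc_db_t *db = g_sdp.db;
    if (db == NULL || db != g_live_db) { g_hh.stale_accesses++; return; }  /* use-after-free */
    g_hh.records_seen = db->num_records;
}

/* HID host cleanup on BT off. cancel_first=false is the 'before' (free while the
 * search is pending); cancel_first=true is the order the commit describes. */
static void hid_host_cleanup(bool cancel_first) {
    if (cancel_first && g_hh.p_disc_db) sdp_cancel_service_search(g_hh.p_disc_db);
    disc_db_free(g_hh.p_disc_db);
    g_hh.p_disc_db = NULL;
}

/* Replays the use case from the message; returns the number of stale accesses
 * the callback attempted (0 means no crash). */
int replay_bt_off_during_sdp(bool cancel_first) {
    memset(&g_sdp, 0, sizeof g_sdp);
    memset(&g_hh, 0, sizeof g_hh);
    g_live_db = NULL;
    g_hh.p_disc_db = disc_db_alloc(3);                        /* 1-2: connect, SDP in progress */
    sdp_service_search(g_hh.p_disc_db, hidh_search_callback);
    hid_host_cleanup(cancel_first);                           /* 3: BT off -> HID host cleanup */
    sdp_l2cap_disconnected();                                 /* ACL drop -> L2CAP -> SDP callback */
    return g_hh.stale_accesses;
}

bool replay_saw_cancel(void) { return g_hh.saw_cancel; }

int main(void) {
    printf("free without cancel: stale accesses = %d\n", replay_bt_off_during_sdp(false));
    printf("cancel then free:    stale accesses = %d, callback got SDP_CANCEL = %d\n",
           replay_bt_off_during_sdp(true), (int)replay_saw_cancel());
    return 0;
}
```

The point the model makes is the one in the fix: cancelling is only half of it. The completion still arrives after the buffer is gone, so the callback must treat SDP_CANCEL as "do not parse" and return before reading any discovery data; the cancel-before-free ordering is what guarantees that result code is the one delivered.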