  1. Sep 25, 2017
    • Jakub Pawlowski's avatar
      Use one type for UUID (1/5) · 2238a88f
      Jakub Pawlowski authored
      Currently, we have a few different representations for UUID in stack:
      tBT_UUID, tSDP_UUID, bt_uuid_t, bluetooth:UUID, or uint8_t*.
      
      Additionally, tBT_UUID and bt_uuid_t are used to hold UUID as 128bit
      as Little Endian or Big Endian, depending on which part of stack (GATT
      or SDP) is using it.
      
      This patch is creating one type, bluetooth::Uuid, that will replace all
      other types.
      
      Bug: 66912853
      Test: all sl4a tests for GATT and RFCOMM
      Merged-In: Ia42d3233146db0488728ed6f878f99b368fe8838
      Change-Id: Ia42d3233146db0488728ed6f878f99b368fe8838
      2238a88f
  2. Sep 22, 2017
    • Hansong Zhang's avatar
      Merge "Get rid of unused _DYNAMIC_MEMORY" · 31133150
      Hansong Zhang authored
      31133150
    • Hansong Zhang's avatar
      Get rid of unused _DYNAMIC_MEMORY · 95a20365
      Hansong Zhang authored
      Removed the unused BTA_DYNAMIC_MEMORY and HID_DYNAMIC_LIBRARY
      
      Bug: 27731905
      Test: Manual
      Change-Id: I6019584b165471c4058a2ec7ef8f278531153d18
      95a20365
    • Ajay Panicker's avatar
      Change our AVRCP capabilities if the remote device only supports 1.3 · 8c35bfe6
      Ajay Panicker authored
      This prevents issues with devices that only support 1.3 but cannot
      handle forward compatibility like some Alpine Carkits.
      
      Bug: 37943083
      Test: Connect to Alpine carkit that only supports 1.3 and see new features
            are used.
      
      Change-Id: I6d041590dc51d7e8711b17fb1cb9c880b640052a
      (cherry picked from commit 6afd046f)
      8c35bfe6
    • Ajay Panicker's avatar
      Bluetooth: Add AVRCP 1.3 as a developer option for AVRCP version (2/2) · 8a2dd3c7
      Ajay Panicker authored
      This is required for the 2012 Mazda 3 carkit as the carkit refuses to send
      AVRCP commands other than passthrough commands when the version is anything
      else. AVRCP 1.3 is compatible with most carkits on the market and can be
      used to get most carkits working at the cost of losing many features.
      
      Bug: 37943083
      Test: Set AVRCP 1.3 in developer options and see that SDP and the AVRCP
            capabilities have updated to reflect this.
            TestTracker: 105915/3975
      
      Change-Id: Iffc7ed1dd91eecb699153125b25451de5826f202
      (cherry picked from commit d881634d)
      8a2dd3c7
    • Ajay Panicker's avatar
      Don't reject notifications and wait until new addressed player is ready (2/2) · 604cb760
      Ajay Panicker authored
      There are some carkits like the ones found in the 2016 Honda CRZ and some
      Audis that do not follow the spec and do not honor reject pending notification
      messages after switching players. This causes an issue whenever you switch
      players, the metadata freezes due to the fact that the carkit never re-registers
      for new track changed notifications. This patch removes the reject notification
      and reorders the current notifications.
      
      Bug: 64142363
      Test: Test with Audi S7 and 2016 Honda CRZ and see that switching players works
            TestTracker: 105391/3975
      Change-Id: Iaec70863594e13217916ab740d529f526d27c2d1
      (cherry picked from commit d8abe6d0)
      604cb760
  3. Sep 20, 2017
  4. Sep 19, 2017
    • Sunny Kapdi's avatar
      BLE Adv RPA is not updated on first timeout · c42dbc99
      Sunny Kapdi authored
      BLE Advertisement RPA is getting updated with the
      same RPA instead of the newly generated RPA on the
      first timeout. Make sure to send the newly generated
      RPA to the Controller.
      
      CRs-Fixed: 2111232
      Bug: 65857055
      Change-Id: I4d8e95c26fe8e5944fdee32089b8fcaffa238367
      c42dbc99
  5. Sep 18, 2017
    • Rob Herring's avatar
      btlinux: Fix sepolicy for split policy (Treble) builds · 759c789e
      Rob Herring authored
      
      In full Treble builds, the btlinux HAL fails to build the sepolicy:
      
      neverallow check failed at out/target/product/linaro_x86_64/obj/ETC/plat_sepolicy.cil_intermediates/plat_sepolicy.cil:4518
      from system/sepolicy/public/domain.te:673
        (neverallow base_typeattr_55 base_typeattr_56 (file (execute execute_no_trans entrypoint)))
          <root>
          allow at out/target/product/linaro_x86_64/obj/ETC/nonplat_sepolicy.cil_intermediates/nonplat_sepolicy.cil:6054
            (allow hal_bluetooth_btlinux hal_bluetooth_btlinux_exec (file (read getattr map execute entrypoint open)))
      
      Test: Build completes successfully
      Change-Id: Ibb8dbe7f2ca823c87ae4404c40cdc35656c8e0af
      Signed-off-by: Rob Herring <robh@kernel.org>
      759c789e
  6. Sep 16, 2017
  7. Sep 15, 2017
    • Jack He's avatar
      Clean-up BTIF profile queue on profile shutdown · 997097ea
      Jack He authored
      * Add btif_profile_cleanup(uuid) method to remove pending connection
        requests for individual UUIDs
      * Call the above method in each profile's clean-up method
      * Add unit tests for btif_profile_queue
      
      Bug: 63790458
      Test: make, unit tests, pair and connect car kits
      Change-Id: I28288c295b7ca0259b2112c11b4e5a81d6f2e33c
      997097ea
    • Jakub Pawlowski's avatar
      SetPreferredPhy/ReadPhy callback fix · 9fd375ec
      Jakub Pawlowski authored
      Bug: 65746728
      Test: manual
      Change-Id: Ifdd8e7051c953aa1c006abecd62d1af196619d98
      9fd375ec
  8. Sep 14, 2017
  9. Sep 13, 2017
  10. Sep 12, 2017
  11. Sep 11, 2017
    • Jakub Pawlowski's avatar
      Fix alarms being posted on wrong thread · 01a63882
      Jakub Pawlowski authored
      Alarms from btu_bta_alarm_queue and btu_generic_alarm_queue should be
      processed on the main MessageLoop thread.
      Replaced obsoleted alarm_set_on_queue() alarm API with the new
      alarm_set_on_mloop() API
      
      Test: manual
      Bug: 65078753
      Change-Id: I54b472b39b44a6c541dbdcdad7414056d0dd4163
      01a63882
    • Chao Quan's avatar
      Fix crash during deregister GATT server · da483584
      Chao Quan authored
      When deregistering a gatt server, GATT_deregister
      will use a loop to stop service one by one and
      call std::list::erase in GATTS_StopService to
      remove service info. But erase makes iterator lose
      efficacy. If the iterator is operated after that,
      Bluetooth will crash.
      
      Add the iterator before erase.
      
      Test: manual
      Change-Id: I10f9351a95ab4922553d8a77663a0212407607aa
      da483584
  12. Sep 08, 2017
    • Jeremy Klein's avatar
      Ensure that services are cleaned from the GattServer HandleMap. · 15f7de8b
      Jeremy Klein authored
      The incorrect service handle was being plumbed up to onServiceDeleted.
      This was causing stale entries to stick around forever in the HandleMap,
      which could later cause failures to find callback references in
      ContextMap if the connection ID changed for a given device.
      
      Bug: 65463237
      Test: unit tests modified and run
      Change-Id: I2e22858b447f4e6b5a4fbceee4c406191c84a67d
      15f7de8b
  13. Sep 07, 2017
  14. Sep 06, 2017
    • Jaekyun Seok's avatar
      Add 'vendor.' prefix to a vendor HAL service name · b926597e
      Jaekyun Seok authored
      To prevent property name collisions between properties of system and
      vendor, 'vendor.' prefix must be added to a vendor HAL service name.
      You can see the details in http://go/treble-sysprop-compatibility.
      
      Test: succeeded building gce_x86_phone-userdebug and confirmed that
      service names were renamed correctly.
      Bug: 36796459
      Change-Id: Iedcb3a01e00e80c58dc76653784a3c353f34ce0a
      b926597e
    • Michael Spang's avatar
      Fix stack-buffer-overflow in bluetooth service GATT client · b49ba108
      Michael Spang authored
      Use the tBTA_GATTC union for |notify| in bta_gattc_process_indicate() to
      avoid a stack-buffer-overflow in btif_transfer_context.
      
      ==1410==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x0077c8c0c066 at pc 0x0077e50c9ae0 bp 0x0077c8c0bcd0 sp 0x0077c8c0b460
      
      READ of size 616 at 0x0077c8c0c066 thread T38 (btu message loo)
          #0 0x77e50c9adf in __interceptor_memcpy external/compiler-rt/lib/sanitizer_common/sanitizer_common_interceptors.inc:701:5
          #1 0x77ca1e838f in memcpy(void*, void const* pass_object_size0, unsigned long) bionic/libc/include/string.h:173:12
          #2 0x77ca1e838f in btif_transfer_context(void (*)(unsigned short, char*), unsigned short, char*, int, void (*)(unsigned short, char*, char*)) system/bt/btif/src/btif_core.cc:208:0
          #3 0x77ca209853 in (anonymous namespace)::bta_gattc_cback(unsigned char, tBTA_GATTC*) system/bt/btif/src/btif_gatt_client.cc:204:7
          #4 0x77ca11455b in bta_gattc_process_indicate(unsigned short, unsigned char, tGATT_CL_COMPLETE*) system/bt/bta/gatt/bta_gattc_act.cc:1596:9
          #5 0x77ca40b4b7 in gatt_process_notification(tGATT_TCB&, unsigned char, unsigned short, unsigned char*) system/bt/stack/gatt/gatt_cl.cc:664:7
          #6 0x77ca40d78f in gatt_client_handle_server_rsp(tGATT_TCB&, unsigned char, unsigned short, unsigned char*) system/bt/stack/gatt/gatt_cl.cc:1119:9
          #7 0x77ca414447 in gatt_le_data_ind(unsigned short, unsigned char*, BT_HDR*) system/bt/stack/gatt/gatt_main.cc:576:7
          #8 0x77ca47665b in l2c_rcv_acl_data(BT_HDR*) system/bt/stack/l2cap/l2c_main.cc:211:9
          #9 0x77c9da50eb in base::Callback<void (), (base::internal::CopyMode)1>::Run() const external/libchrome/base/callback.h:389:12
          #10 0x77c9da50eb in base::debug::TaskAnnotator::RunTask(char const*, base::PendingTask const&) external/libchrome/base/debug/task_annotator.cc:51:0
          #11 0x77c9df75e3 in base::MessageLoop::RunTask(base::PendingTask const&) external/libchrome/base/message_loop/message_loop.cc:494:19
          #12 0x77c9df80b7 in base::MessageLoop::DeferOrRunPendingTask(base::PendingTask) external/libchrome/base/message_loop/message_loop.cc:503:5
          #13 0x77c9df8fb7 in base::MessageLoop::DoWork() external/libchrome/base/message_loop/message_loop.cc:627:13
          #14 0x77c9dfd33b in base::MessagePumpDefault::Run(base::MessagePump::Delegate*) external/libchrome/base/message_loop/message_pump_default.cc:35:31
          #15 0x77c9e4e327 in base::RunLoop::Run() external/libchrome/base/run_loop.cc:35:10
          #16 0x77ca3e97ab in btu_message_loop_run(void*) system/bt/stack/btu/btu_task.cc:98:14
          #17 0x77ca52ad3b in work_queue_read_cb(void*) system/bt/osi/src/thread.cc:251:3
          #18 0x77ca52489b in run_reactor(reactor_t*, int) system/bt/osi/src/reactor.cc:282:11
          #19 0x77ca524413 in reactor_start(reactor_t*) system/bt/osi/src/reactor.cc:125:10
          #20 0x77ca529c6f in run_thread(void*) system/bt/osi/src/thread.cc:221:3
          #21 0x77eb40a31b in __pthread_start(void*) bionic/libc/bionic/pthread_create.cpp:214:18
          #22 0x77eb3c1dff in __start_thread bionic/libc/bionic/clone.cpp:47:16
      
      002(bluetooth) btu message loo identical 2 lines
      
      Address 0x0077c8c0c066 is located in stack of thread T38 (btu message loo)
       at offset 646 in frame
      
          #0 0x77ca114293 in bta_gattc_process_indicate(unsigned short, unsigned char, tGATT_CL_COMPLETE*) system/bt/bta/gatt/bta_gattc_act.cc:1538:0
      
      002(bluetooth) btu message loo identical 1 line
      
        This frame has 4 object(s):
      
          [32, 646) 'notify' (line 1543)
          [784, 790) 'remote_bda' (line 1544) <== Memory access at offset 646 partially underflows this variable
          [816, 817) 'gatt_if' (line 1545) <== Memory access at offset 646 partially underflows this variable
          [832, 833) 'transport' (line 1546) <== Memory access at offset 646 partially underflows this variable
      
      HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
      
            (longjmp and C++ exceptions *are* supported)
      
      Thread T38 (btu message loo) created by T37 (bt_workqueue) here:
      
          #0 0x77e50fd46f in __interceptor_pthread_create _asan_rtl_:3
          #1 0x77ca529727 in thread_new_sized(char const*, unsigned long) system/bt/osi/src/thread.cc:87:3
          #2 0x77ca3e9a73 in btu_task_start_up(void*) system/bt/stack/btu/btu_task.cc:127:26
          #3 0x77ca52ad3b in work_queue_read_cb(void*) system/bt/osi/src/thread.cc:251:3
          #4 0x77ca52489b in run_reactor(reactor_t*, int) system/bt/osi/src/reactor.cc:282:11
          #5 0x77ca524413 in reactor_start(reactor_t*) system/bt/osi/src/reactor.cc:125:10
          #6 0x77ca529c6f in run_thread(void*) system/bt/osi/src/thread.cc:221:3
          #7 0x77eb40a31b in __pthread_start(void*) bionic/libc/bionic/pthread_create.cpp:214:18
          #8 0x77eb3c1dff in __start_thread bionic/libc/bionic/clone.cpp:47:16
      
      002(bluetooth) btu message loo identical 1 line
      
      Thread T37 (bt_workqueue) created by T20 (stack_manager) here:
      
          #0 0x77e50fd46f in __interceptor_pthread_create _asan_rtl_:3
          #1 0x77ca529727 in thread_new_sized(char const*, unsigned long) system/bt/osi/src/thread.cc:87:3
          #2 0x77ca3e936f in BTU_StartUp() system/bt/stack/btu/btu_init.cc:129:25
          #3 0x77ca2a513b in event_start_up_stack(void*) system/bt/btif/src/stack_manager.cc:146:3
          #4 0x77ca52ad3b in work_queue_read_cb(void*) system/bt/osi/src/thread.cc:251:3
          #5 0x77ca52489b in run_reactor(reactor_t*, int) system/bt/osi/src/reactor.cc:282:11
          #6 0x77ca524413 in reactor_start(reactor_t*) system/bt/osi/src/reactor.cc:125:10
          #7 0x77ca529c6f in run_thread(void*) system/bt/osi/src/thread.cc:221:3
          #8 0x77eb40a31b in __pthread_start(void*) bionic/libc/bionic/pthread_create.cpp:214:18
          #9 0x77eb3c1dff in __start_thread bionic/libc/bionic/clone.cpp:47:16
      
      002(bluetooth) btu message loo identical 1 line
      
      Thread T20 (stack_manager) created by T0 (droid.bluetooth) here:
      
          #0 0x77e50fd46f in __interceptor_pthread_create _asan_rtl_:3
          #1 0x77ca529727 in thread_new_sized(char const*, unsigned long) system/bt/osi/src/thread.cc:87:3
          #2 0x77ca2a4e7f in ensure_manager_initialized() system/bt/btif/src/stack_manager.cc:238:23
          #3 0x77ca2a4e7f in stack_manager_get_interface() system/bt/btif/src/stack_manager.cc:251:0
          #4 0x77ca1b7927 in init(bt_callbacks_t*) system/bt/btif/src/bluetooth.cc:144:3
          #5 0x77ca9899fb in android::initNative(_JNIEnv*, _jobject*) packages/apps/Bluetooth/jni/com_android_bluetooth_btservice_AdapterService.cpp:663:13
          #6 0x77e1c87703 in art_quick_generic_jni_trampoline /proc/self/cwd/art/runtime/arch/arm64/quick_entrypoints_arm64.S:2329:0
      
          #6 0x37ab0579318381f  (<unknown module>)
      
      002(bluetooth) btu message loo identical 1 line
      
      SUMMARY: AddressSanitizer: stack-buffer-overflow (/system/lib64/libclang_rt.asan-aarch64-android.so+0x31adf)
      
      ==1410==ABORTING
      
      Bug: 65381426
      
      Change-Id: Ie632f131b622cc323ce68ec7be152caef23c95ec
      b49ba108
    • Jakub Pawlowski's avatar
      Fix GATT log spam · 45c3106e
      Jakub Pawlowski authored
      Bug: 65255942
      Test: manual
      Change-Id: I212bc93149dc514517f409edc36f74e1c2895d96
      45c3106e
    • Pavlin Radoslavov's avatar
      Store a name string in property without violating string boundaries · 3b3c6d1a
      Pavlin Radoslavov authored
      Don't copy data beyond end of string when storing it as BT_PROPERTY_BDNAME
      in property.
      Also, update a unit test to create a string by considering the property
      name length.
      
      Test: Running unit tests with ASAN enabled
      Change-Id: Iaa586b4a0942f99ba469d1ed963729e7ad721503
      3b3c6d1a
    • Sagayajayasheelan Thomas's avatar
      Extended Scan HCI definitions as per BT 5.0 SIG · 483e7b33
      Sagayajayasheelan Thomas authored
      
      Added Ext Scan HCI definition for periodic scan.
      
      Change-Id: Ic7dce5fb5207a22e4b193d84033d84126d780be5
      Signed-off-by: Sagayajayasheelan Thomas <sagayajayasheelan.thomas@intel.com>
      483e7b33
    • Srinu Jella's avatar
      Clear IB_CFG_DONE on receiving peer config request when channel open · bb77f6a0
      Srinu Jella authored
      Root Cause: Configure request fails in CST_OPEN state
      after a configure request IB_CFG_DONE and OB_CFG_DONE both are
      cleared. Some IOT devices try to configure again in the CST_OPEN
      state which fails if OB_CFG_DONE is cleared.
      
      Fix: Clear IB_CFG_DONE and keep OB_CFG_DONE unchanged on receiving
      Peer config request when channel open.
      
      Test: Tested with Geely Carkit.
      Bug: 35082459
      
      Change-Id: I8deca0c8ff73faafc3da94dcd9ea55e06bd8a31d
      bb77f6a0
  15. Sep 05, 2017