When handling vendor dependent PDUs len was passed in wrong order to
callback function. It is really wrong to pass such a parameter and
expect that callbacks would handle it.
Implement avrcp_get_capabilities() request through
avrcp_send_vendordep_req(). avctp_send_req() is not exported so we use
the functions which are exported by AVCTP code.
If remote device has name but it is empty (0 bytes) just ignore it and
continue using address as name. This will avoid sending remote device
property notification with empty name.
This adds a check for uinput before attempting to use send_key and if it
is not initialized respond with AVC_CTYPE_NOT_IMPLEMENTED which is the
same code used when an unknown key is received.
The patch fixes following warning:
...
android/android-tester.c:2185:2: warning: Value stored to
'adapter_status' is never read
adapter_status = data->if_bluetooth->set_adapter_property(prop);
^ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
...
If loading key file from file failed free key file. This fixes the following:
490 (40 direct, 450 indirect) bytes in 1 blocks are definitely lost in
loss record 122 of 126
at 0x4028B4C: malloc (vg_replace_malloc.c:291)
by 0x40A25B2: g_malloc (in /lib/i386-linux-gnu/
libglib-2.0.so.0.3800.2)
by 0x40B8DB1: g_slice_alloc (in /lib/i386-linux-gnu/
libglib-2.0.so.0.3800.2)
by 0x40B92DC: g_slice_alloc0 (in /lib/i386-linux-gnu/
libglib-2.0.so.0.3800.2)
by 0x40946BB: g_key_file_new (in /lib/i386-linux-gnu/
libglib-2.0.so.0.3800.2)
by 0x8054A84: new_link_key_callback (bluetooth.c:563)
by 0x804FB44: notify_handler (mgmt.c:278)
by 0x804F357: queue_foreach (queue.c:186)
by 0x804FE6C: can_read_data (mgmt.c:290)
by 0x804ED12: read_callback (io-glib.c:168)
by 0x40E0CF4: ??? (in /lib/i386-linux-gnu/libglib-2.0.so.0.3800.2)
by 0x409CAED: g_main_context_dispatch (in /lib/i386-linux-gnu/
libglib-2.0.so.0.3800.2)
This patch adds simple downmix support from stereo to mono in order to
support mono channel mode as it's mandatory for SBC codec. It uses
simple (L+R)/2 calculation which should be good enough.
This removes start discovery returned status check what derives double
check of expected status. Returned status should be only checked for cancel
discovery.
Tester setup result is set to pass after set to fail because of missing
function return. This adds return from function after setting of setup
result to fail.
With this patch, daemon will not ask kernel to resolve name of remote
device during inquiry in case device name is already in the local cache.
Instead Android will be updated with already known device name.
The patch makes AVRCP transport agnostic so that it can be used
with a socket pair to build unit tests.
The idea is that all AVRCP specific logic will stay on avrcp-lib until it
receives proper unit tests and then eventually will be used by audio
plugin as well.
This prevents having to increase the MTU size just to fit all attributes
when in fact some attributes are numbers (3 out of 8) in text format
which should not get even close to use 256 bytes defined by bt_rc.h.
Although this callback is for deprecated functionality and
corresponding notification is never sent by daemon it should be
implemented for library and IPC completeness.
This patch fixes an issue when Android disables BT during ongoing
pairing. In this case mgmt did not accept any commands and BT gets
in some unknown state.
Since Android turns off BT anyway, it is ok to just cancel all
the mgmt requests before sending power off command.
Socket security shall be based on flags passed from HAL.
Android public API uses both encrypt and auth flags for "secure"
sockets which should be mapped to high security on our side, but since
this would also trigger requirement for 16-digits pin code (which is
not used in Android) we'll ignore auth flag and use either low or
medium security based on encrypt flag value only.
This patch adds entry for HF AG profile in built-in profiles list. This
is to reserve channel number so it's not assigned to other service
registered by application. Method for creating SDP record is not
provided so it's not possible for application to register HF AG service
by mistake (this can be only done by handsfree profile implementation).
This patch adds support to register server with channel number assigned
dynamically, i.e. first free number is assigned. Channels which are
reserved for built-in services are not assigned for other services.
Since there is only small, fixed number of channels to allocate for
RFCOMM servers we can store them in static array. This will make
lookup for free channel simpler once we add support to assign channel
numbers dynamically.
At startup, channels reserved for built-in services which have static
channel number are marked as reserved so they cannot be assigned for
other service.
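Added example (not code from these patches or from BlueZ): a static channel table with startup reservation and first-free assignment, as the two messages above describe. The function names and the reserved channel numbers 1, 2 and 4 are constructed; the 1..30 channel range is the RFCOMM limit and is not stated in the text.

```c
#include <stdbool.h>
#include <stdio.h>

#define RFCOMM_CHANNEL_MAX 30	/* RFCOMM server channels are 1..30 */

struct rfcomm_channel {
	bool reserved;	/* statically assigned to a built-in service */
	bool in_use;	/* a server is registered on it */
};

/* Slot 0 is unused so that the index is the channel number. */
static struct rfcomm_channel servers[RFCOMM_CHANNEL_MAX + 1];

/* Startup: mark the static channel of each built-in service. */
void reserve_channels(const int *chans, int count)
{
	for (int i = 0; i < count; i++)
		if (chans[i] >= 1 && chans[i] <= RFCOMM_CHANNEL_MAX)
			servers[chans[i]].reserved = true;
}

/* chan == 0 asks for the first free channel. A reserved channel is handed
 * out only to its built-in owner. Returns the channel, or -1 on failure. */
int register_server(int chan, bool builtin)
{
	if (chan < 0 || chan > RFCOMM_CHANNEL_MAX)
		return -1;
	if (chan == 0) {
		for (chan = 1; chan <= RFCOMM_CHANNEL_MAX; chan++)
			if (!servers[chan].reserved && !servers[chan].in_use)
				break;
		if (chan > RFCOMM_CHANNEL_MAX)
			return -1;	/* every assignable channel is taken */
	} else if (servers[chan].in_use ||
				(servers[chan].reserved && !builtin)) {
		return -1;
	}
	servers[chan].in_use = true;
	return chan;
}

int main(void)
{
	const int builtin[] = { 1, 2, 4 };	/* constructed channel numbers */

	reserve_channels(builtin, 3);
	printf("first dynamic: %d\n", register_server(0, false));	/* 3 */
	printf("next dynamic: %d\n", register_server(0, false));	/* 5 */
	printf("app on reserved 2: %d\n", register_server(2, false));	/* -1 */
	return 0;
}
```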
Records are now created using helper function which creates SDP record
with common contents like service class, name and protocols. Other
attributes are then added by custom functions.
This patch makes logging more consistent by including rfsock pointer in
most messages which identifies socket structure unambiguously (instead
of using bunch of file descriptors for the same purpose) and puts other
parameters in order in some cases.
Additionally, some new logs are introduced to better track socket
structures and connections lifetime.
This patch changes names of symbols related to various sockets to be
consistent and easier to follow in code.
Symbols related to actual BT (RFCOMM) socket are prefixed with "bt_".
Symbols related to local socket for Java comm are prefixed with "jv_".
Remote socket for Java comm is called "hal_sock".
It's now possible to add record with 128-bit UUID Service Class which
are used for custom applications. To simplify implementation adapter
uuids list stores now full UUID in uuid_t structure instead of uint16_t
short UUID.
This test checks for proper handling of invalid Service ID on an IPC
message, but it was attempting to register handlers for this invalid ID,
which on current ipc_register() implementation was causing a buffer
overrun.
The fix was to use a valid ID during registration, but still attempt to
use an invalid one when sending the message.
Although this command is not implemented by BlueZ, make sure it is
callable from haltest so at least the IPC can be tested.
Also memset() the hid_info parameter to not pass uninitialized data
around.
These UUIDs are assigned by BT-SIG and therefore there is no need to
use full 128-bit UUIDs. This also avoids unnecessary conversion from
string representation.
This patch allows bluetoothd to be run with Valgrind easily in debug
variants.
For userdebug and eng variants bluetoothd is renamed to bluetoothd-main
and bluetoothd acts as a wrapper to launch it either with or without
Valgrind (this is decided by value of persist.sys.bluetooth.valgrind
property).
The patch fixes following clang warning:
...
profiles/audio/avdtp.c:3293:2: warning: Null pointer passed as an
argument to a 'nonnull' parameter
memcpy(cap->data, data, length);
^ ~~~~
Unregistering a SEP can trigger abort_cfm callback if some device is
connected thus we should free setups list after all endpoints are
unregistered to avoid error in abort_cfm due to non-existing setup.
In case audio IPC is suddenly disconnected (most likely due to crash of
mediaserver process) we should disconnect headset since it is no longer
associated with valid setup and cannot be used properly.
We should neither try to auto-resume nor write when state is set to
NONE as this is the case when we're being closed and it's ok to ignore
write request.
Using sysfs is causing problems due to filesystem permissions
(bluetoothd is running as bluetooth user) and bluetoothd already has
required capabilities for setting forward delay through ioctl.
Android uses bt-pan static interface in PAN profile. In server role
it uses it as bridge name. But current implementation passes interface
names like bnep0, bnep1... Android Framework is unaware of this name
and unable to allocate IP address after profile connection setup.
Calling g_slist_remove within the callback of g_slist_foreach is very
inefficient as it has to iterate in the list twice to figure which
element to remove.
Calling g_slist_remove within the callback of g_slist_foreach is very
inefficient as it has to iterate twice in the list to figure which
element to remove.
Invalid read of size 8
at 0x30EE465A78: g_slice_free_chain_with_offset (in /usr/lib64/libglib-2.0.so.0.3800.2)
by 0x418209: bt_a2dp_unregister (a2dp.c:1576)
by 0x4039E6: main (main.c:347)
Address 0x4f2d248 is 8 bytes inside a block of size 16 free'd
at 0x4A07577: free (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
by 0x30EE44EF7E: g_free (in /usr/lib64/libglib-2.0.so.0.3800.2)
by 0x30EE4655CA: g_slice_free1 (in /usr/lib64/libglib-2.0.so.0.3800.2)
by 0x30EE465F0C: g_slist_remove (in /usr/lib64/libglib-2.0.so.0.3800.2)
by 0x41645F: a2dp_device_free (a2dp.c:174)
by 0x30EE466477: g_slist_foreach (in /usr/lib64/libglib-2.0.so.0.3800.2)
by 0x30EE46649A: g_slist_free_full (in /usr/lib64/libglib-2.0.so.0.3800.2)
by 0x418209: bt_a2dp_unregister (a2dp.c:1576)
by 0x4039E6: main (main.c:347)
This patch adds checking for proper msg size verification in case it is
not declared in handlers that this is variable sized message. In
such case malformed data should not be accepted.
This patch adds test for variable length data handling. Handlers struct
have static values representing minimum payload. It cannot be predicted
how large data will be sent so they should accept data larger than
declared inside ipc_handler array, which holds the minimum size of such
message.
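Added example (not code from these patches or from BlueZ): one way to apply the size rule described above, together with the service ID bounds check whose absence caused the overrun in the earlier test fix. All struct, function and constant names are hypothetical, and the header layout is an assumption.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical names; struct hdr mirrors the "hal_hdr" the text mentions. */
struct hdr { uint8_t service_id; uint8_t opcode; uint16_t len; };
struct handler { bool var_len; size_t data_len; };	/* exact size, or minimum */
struct service { const struct handler *handlers; uint8_t size; };
#define SERVICE_ID_MAX 2	/* assumed highest valid service ID */
static struct service services[SERVICE_ID_MAX + 1];

/* Refuse an out-of-range ID instead of writing past the table. */
bool register_service(uint8_t id, const struct handler *h, uint8_t size)
{
	if (id > SERVICE_ID_MAX)
		return false;
	services[id].handlers = h;
	services[id].size = size;
	return true;
}

/* True only for a well-formed message of len bytes at buf. */
bool msg_is_valid(const void *buf, size_t len)
{
	const struct handler *h;
	struct hdr m;
	size_t plen;

	if (len < sizeof(m))
		return false;
	memcpy(&m, buf, sizeof(m));	/* buf may be unaligned */
	plen = m.len;
	if (len - sizeof(m) != plen)	/* claimed size vs. bytes received */
		return false;
	if (m.service_id > SERVICE_ID_MAX || !services[m.service_id].handlers)
		return false;
	if (m.opcode == 0 || m.opcode > services[m.service_id].size)
		return false;
	h = &services[m.service_id].handlers[m.opcode - 1];	/* opcode N: entry N-1 */
	/* Fixed size: exact match. Variable size: at least the minimum. */
	return h->var_len ? plen >= h->data_len : plen == h->data_len;
}

int main(void)
{
	static const struct handler hs[] = { { false, 2 }, { true, 1 } };
	struct hdr big = { 1, 2, 5 };	/* constructed: opcode 2, 5-byte payload */
	uint8_t buf[16] = { 0 };

	register_service(1, hs, 2);
	memcpy(buf, &big, sizeof(big));
	return msg_is_valid(buf, sizeof(big) + 5) &&	/* complete: accepted */
		!msg_is_valid(buf, sizeof(big) + 4) ? 0 : 1;	/* truncated: rejected */
}
```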
This patch adds sending messages larger than just hal_hdr, and fixes
response verification which worked only for empty messages but was
failing when sending something more than just header.
This patch adds tests for calling proper opcode handler. Two handlers
are registered, but one always results in failure. No failure means that
proper opcode <-> handler matching is done by the ipc mechanism.
This handler responds for opcode == 1, thus should use proper naming to
avoid confusion when more functions sending different responses will be
added.
This fix makes sure that when signalled termination is expected,
it actually happens. If IPC termination is expected no response will be
sent, so cmd_watch will never be executed. But if it is executed when
expecting termination, it's a failure.
This patch fixes media packet construction with devices which use large
omtu value. In such cases it's possible that we will try to fit more
than 15 SBC frames in single media packet (which is maximum possible
value as it's encoded using 4 bits) which will cause frame counter to
wrap around and provide incorrect data to SBC encoder.
This behaviour was seen on UPF with one of carkit devices which set
omtu=2688.
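Added example (not code from this patch or from BlueZ): how the 4-bit frame count wraps for omtu=2688 and how capping at 15 keeps the header consistent with the payload. The 12-byte RTP header, the 1-byte SBC payload header and the 119-byte frame size are assumptions not stated in the text; function names are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define RTP_HDR_LEN	12	/* fixed RTP header */
#define SBC_HDR_LEN	1	/* SBC media payload header */
#define SBC_MAX_FRAMES	15	/* frame count is a 4-bit field */

/* Value the 4-bit field ends up holding if the count is stored unchecked. */
unsigned int unchecked_count_field(size_t frames)
{
	return frames & 0x0f;
}

/* Whole frames per media packet: limited by the MTU, then by the field. */
size_t frames_per_packet(size_t omtu, size_t frame_len)
{
	size_t fit;

	if (frame_len == 0 || omtu < RTP_HDR_LEN + SBC_HDR_LEN + frame_len)
		return 0;
	fit = (omtu - RTP_HDR_LEN - SBC_HDR_LEN) / frame_len;
	return fit > SBC_MAX_FRAMES ? SBC_MAX_FRAMES : fit;
}

/* Pack up to avail frames into pkt (at least omtu bytes); returns the number
 * of frames consumed and stores the packet length in *pkt_len. */
size_t fill_media_packet(uint8_t *pkt, size_t omtu, const uint8_t *frames,
				size_t avail, size_t frame_len, size_t *pkt_len)
{
	size_t n = frames_per_packet(omtu, frame_len);

	if (n > avail)
		n = avail;
	*pkt_len = 0;
	if (n == 0)
		return 0;
	memset(pkt, 0, RTP_HDR_LEN);		/* RTP fields not modelled */
	pkt[RTP_HDR_LEN] = (uint8_t) n;		/* n <= 15: low 4 bits only */
	memcpy(pkt + RTP_HDR_LEN + SBC_HDR_LEN, frames, n * frame_len);
	*pkt_len = RTP_HDR_LEN + SBC_HDR_LEN + n * frame_len;
	return n;
}

int main(void)
{
	static uint8_t sbc[22 * 119], pkt[2688];	/* constructed input */
	size_t len, used;

	used = fill_media_packet(pkt, sizeof(pkt), sbc, 22, 119, &len);
	printf("22 frames fit; unchecked field: %u\n", unchecked_count_field(22));
	printf("capped packet: %zu frames, %zu bytes\n", used, len);
	return 0;
}
```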
AudioFlinger can only provide PCM 16bit Stereo data for A2DP track so
we should not advertise mono channel mode in capabilities since we
can't downmix this internally.
Remove setups when a2dp device is removed. This fixes the following:
Invalid read of size 4
at 0x115E32: bt_stream_close (a2dp.c:1352)
by 0x111DFB: ipc_handle_msg (ipc.c:95)
by 0x11234B: audio_watch_cb (audio-ipc.c:67)
by 0x48BD9C7: ??? (in /system/lib/libglib.so)
Address 0x4a590f4 is 12 bytes inside a block of size 20 free'd
at 0x4897E6C: free (in
/system/lib/valgrind/vgpreload_memcheck-arm-linux.so)
by 0x48C5E2B: g_free (in /system/lib/libglib.so)
Invalid read of size 4
at 0x113638: avdtp_close (avdtp.c:3201)
by 0x115E39: bt_stream_close (a2dp.c:1352)
by 0x111DFB: ipc_handle_msg (ipc.c:95)
by 0x11234B: audio_watch_cb (audio-ipc.c:67)
by 0x48BD9C7: ??? (in /system/lib/libglib.so)
Address 0x4a594a4 is 28 bytes inside a block of size 1,100 free'd
at 0x4897E6C: free (in
/system/lib/valgrind/vgpreload_memcheck-arm-linux.so)
by 0x48C5E2B: g_free (in /system/lib/libglib.so)
There is currently an inconsistency in the avctp code with
AVC_HEADER_LENGTH defined in avctp.h but AVCTP_HEADER_LENGTH defined in
avctp.c. Move definition to place it is actually used in consistent way.
This makes signalling priority 6 so it can push commands before the
stream channel, without this the stream channel may be scheduled
first and cause the signalling commands to timeout while waiting a slot.
Callback declared in bt_pan.h is
typedef void (*btpan_control_state_callback)
(btpan_control_state_t state, bt_status_t error, int local_role,
const char* ifname);
But PanService.Java defined it the wrong way.
private void onControlStateChanged(int local_role, int state,
int error, String ifname).
First and third parameters are misplaced, so sending data according
to PanService.Java, discard this fix if issue fixed in PanService.Java.
The various setup_* functions were still continuing even though setup()
failed and did not initialize data->if_bluetooth properly.
Also do a little refactoring by moving tester_setup_failed() calls to
the setup() callers, so they stay close to the other failure points and
not hidden deep into a helper function.
Crash detected by Valgrind:
==4959== Invalid read of size 4
==4959== at 0x805967A: setup_base (android-tester.c:2029)
==4959== by 0x8055541: setup_callback (tester.c:373)
==4959== by 0x408348F: g_idle_dispatch (gmain.c:5250)
==4959== by 0x4086A75: g_main_context_dispatch (gmain.c:3065)
==4959== by 0x4086E14: g_main_context_iterate.isra.23 (gmain.c:3712)
==4959== by 0x40872FA: g_main_loop_run (gmain.c:3906)
==4959== by 0x41744D2: (below main) (libc-start.c:226)
==4959== Address 0x4 is not stack'd, malloc'd or (recently) free'd
This adds the following record:
Service Name: AVRCP TG
Service RecHandle: 0x10002
Service Class ID List:
"AV Remote Target" (0x110c)
Protocol Descriptor List:
"L2CAP" (0x0100)
PSM: 23
"AVCTP" (0x0017)
uint16: 0x103
Profile Descriptor List:
"AV Remote" (0x110e)
Version: 0x0100
In case stream is started from remote we'll receive Resume Stream IPC
when audio is already considered as started (i.e. on first write from
AudioFlinger). In such case we should not try to send AVDTP_START since
this will fail but just reply success over IPC instead.
Info is now stored for all devices and bond state depends on file.
Based on that devices loaded from storage are put either to cache
or to bonded_devices list.
Bonded devices are permanent until unbonded. Non-bonded devices will
be held in (size limited) cache based on timestamp property so split
list to ease separation.
Audio HAL code calculates accurate input stream buffer size which
allows to fill media packets with as much data as possible. However,
in most cases calculated buffer size does not work well with Android
audio code which causes glitches when playing simultaneously to
different audio output (like notification) or crashes mediaserver
when disconnecting with headset.
This patch changes input buffer size to fixed magic value 20*512 which
is used in Bluedroid Audio HAL. Such change requires that we need to
drop assumption that each input buffer can be used to fill exactly one
media packet and need to use it to fill multiple media packets. To
avoid buffering in Audio HAL, we allow that last media packet can be
filled in non-optimal way, i.e. has less data than can fit.
The endpoint is unregistered but it was still accessible via endpoints
list causing the following trace when audio HAL is closed:
Invalid read of size 8
at 0x414A49: unregister_endpoint (a2dp.c:114)
by 0x3862466477: g_slist_foreach (in /usr/lib64/libglib-2.0.so.0.3800.2)
by 0x386246649A: g_slist_free_full (in /usr/lib64/libglib-2.0.so.0.3800.2)
by 0x414985: audio_disconnected (a2dp.c:1446)
by 0x40FD5C: audio_watch_cb (audio-ipc.c:79)
by 0x38624492A5: g_main_context_dispatch (in /usr/lib64/libglib-2.0.so.0.3800.2)
by 0x3862449627: ??? (in /usr/lib64/libglib-2.0.so.0.3800.2)
by 0x3862449A39: g_main_loop_run (in /usr/lib64/libglib-2.0.so.0.3800.2)
by 0x4034D5: main (main.c:449)
Address 0x4cd5e68 is 8 bytes inside a block of size 32 free'd
at 0x4A07577: free (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
by 0x386244EF7E: g_free (in /usr/lib64/libglib-2.0.so.0.3800.2)
by 0x4159FD: bt_audio_close (a2dp.c:1296)
by 0x40F629: ipc_handle_msg (ipc.c:95)
by 0x40FD9F: audio_watch_cb (audio-ipc.c:67)
by 0x38624492A5: g_main_context_dispatch (in /usr/lib64/libglib-2.0.so.0.3800.2)
by 0x3862449627: ??? (in /usr/lib64/libglib-2.0.so.0.3800.2)
by 0x3862449A39: g_main_loop_run (in /usr/lib64/libglib-2.0.so.0.3800.2)
by 0x4034D5: main (main.c:449)
This fixes various issues with locking like missing unlock on
audio_ipc_cmd() return or accessing audio_sk without holding lock.
close_thread is removed to simplify code and shutdown on listen_sk is
used to indicate that the handler thread should stop.
This patch implements get_latency() for output stream properly by
returning some meaningful value, i.e. calculated duration of single
media packet increased by fixed A2DP playback latency. This is the
same as PulseAudio does.
Input and output stream is configured in a way that each input buffer
can be encoded to exactly one output buffer.
Reading from AudioFlinger is synchronized based on amounts of frames
which were expected to be sent since stream was resumed, i.e. as long
as we sent enough data we can wait for period of single media packet
before we need another buffer from input. Without synchronization
we'd receive next input buffer as soon as we process current one.
Once stream is resumed it may be required to reset some state of codec,
i.e. in case of SBC we need to reset monotonic clock and frames count
which are used for synchronization.
This patch adds necessary calculations for SBC stream parameters.
Both input and output buffers are expected to have exact amount of
data to fill single media packet (based on transport channel MTU).
Frame duration will be used to synchronize input and output streams.
MTU value for transport channel is sent in Open Stream response, which
is required to calculate number of frames which can be packed into
single media packet.
This is to avoid including GPLv2 licensed headers in Audio HAL
implementation.
Using source paths relative to android/ directory created mess in
Android's obj directory since object files are created also relative
to bluetoothd_intermediates (thus can be created outside it).
To avoid this we set LOCAL_PATH to absolute path (in terms of Android
build root) of directory in which bluez/ is located and change and
update source paths accordingly.
This also allows us to build in future glib and sbc easily using
Android.mk in BlueZ.
This patch adds some data structures used to send data with ipc during
test setup and run stage. Test execution macro is extended for easy
data preparation.