korg/bluez
0
0
Fork 0
mirror of https://git.kernel.org/pub/scm/bluetooth/bluez.git synced 2024-11-15 16:24:28 +08:00
Code Issues Packages Projects Releases Wiki Activity
3bb8bd1bad
bluez/android/hal-pan.c
Luiz Augusto von Dentz 6dfd0d376f android: Fix crash on android-tester 
When doing the HAL cleanup the callbacks should be reset to NULL
after calling hal_ipc_unregister otherwise an handler may be called
leading to invalid reads:

BlueZ D: android/hal-a2dp.c:cleanup()
bluetoothd[2624]: android/avdtp.c:connection_lost() Disconnected: Input/output error (5)
bluetoothd[2624]: android/avdtp.c:avdtp_ref() 0x5841900: ref=2
bluetoothd[2624]: android/a2dp.c:bt_a2dp_notify_state() device 00:AA:01:01:00:00 state 0
==2564== Thread 3:
==2564== Invalid read of size 8
==2564==    at 0x6B66B47: handle_conn_state (hal-a2dp.c:38)
==2564==    by 0x6B6CDB3: notification_handler (hal-ipc.c:125)
==2564==    by 0x5368EE4: start_thread (in /usr/lib64/libpthread-2.18.so)
==2564==    by 0x5672B8C: clone (in /usr/lib64/libc-2.18.so)
==2564==  Address 0x8 is not stack'd, malloc'd or (recently) free'd
2014-12-03 13:59:13 +02:00

211 lines
4.8 KiB
C
Raw Blame History

/*
* Copyright (C) 2013 Intel Corporation
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*
*/
#include <stdbool.h>
#include <stddef.h>
#include <string.h>
#include "hal-utils.h"
#include "hal-log.h"
#include "hal.h"
#include "hal-msg.h"
#include "hal-ipc.h"
static const btpan_callbacks_t *cbs = NULL;
static bool interface_ready(void)
{
return cbs != NULL;
}
static void handle_conn_state(void *buf, uint16_t len, int fd)
{
struct hal_ev_pan_conn_state *ev = buf;
if (cbs->connection_state_cb)
cbs->connection_state_cb(ev->state, ev->status,
(bt_bdaddr_t *) ev->bdaddr,
ev->local_role, ev->remote_role);
}
static void handle_ctrl_state(void *buf, uint16_t len, int fd)
{
struct hal_ev_pan_ctrl_state *ev = buf;
#if ANDROID_VERSION >= PLATFORM_VER(5, 0, 0)
if (cbs->control_state_cb)
cbs->control_state_cb(ev->state, ev->local_role, ev->status,
(char *)ev->name);
#else
/*
* Callback declared in bt_pan.h is 'typedef void
* (*btpan_control_state_callback)(btpan_control_state_t state,
* bt_status_t error, int local_role, const char* ifname);
* But PanService.Java defined it wrong way.
* private void onControlStateChanged(int local_role, int state,
* int error, String ifname).
* First and third parameters are misplaced, so sending data according
* to PanService.Java.
*/
if (cbs->control_state_cb)
cbs->control_state_cb(ev->local_role, ev->state, ev->status,
(char *)ev->name);
#endif
}
/*
* handlers will be called from notification thread context,
* index in table equals to 'opcode - HAL_MINIMUM_EVENT'
*/
static const struct hal_ipc_handler ev_handlers[] = {
/* HAL_EV_PAN_CTRL_STATE */
{ handle_ctrl_state, false, sizeof(struct hal_ev_pan_ctrl_state) },
/* HAL_EV_PAN_CONN_STATE */
{ handle_conn_state, false, sizeof(struct hal_ev_pan_conn_state) },
};
static bt_status_t pan_enable(int local_role)
{
struct hal_cmd_pan_enable cmd;
DBG("");
if (!interface_ready())
return BT_STATUS_NOT_READY;
cmd.local_role = local_role;
return hal_ipc_cmd(HAL_SERVICE_ID_PAN, HAL_OP_PAN_ENABLE,
sizeof(cmd), &cmd, NULL, NULL, NULL);
}
static int pan_get_local_role(void)
{
struct hal_rsp_pan_get_role rsp;
size_t len = sizeof(rsp);
bt_status_t status;
DBG("");
if (!interface_ready())
return BTPAN_ROLE_NONE;
status = hal_ipc_cmd(HAL_SERVICE_ID_PAN, HAL_OP_PAN_GET_ROLE, 0, NULL,
&len, &rsp, NULL);
if (status != BT_STATUS_SUCCESS)
return BTPAN_ROLE_NONE;
return rsp.local_role;
}
static bt_status_t pan_connect(const bt_bdaddr_t *bd_addr, int local_role,
int remote_role)
{
struct hal_cmd_pan_connect cmd;
DBG("");
if (!interface_ready())
return BT_STATUS_NOT_READY;
memcpy(cmd.bdaddr, bd_addr, sizeof(cmd.bdaddr));
cmd.local_role = local_role;
cmd.remote_role = remote_role;
return hal_ipc_cmd(HAL_SERVICE_ID_PAN, HAL_OP_PAN_CONNECT,
sizeof(cmd), &cmd, NULL, NULL, NULL);
}
static bt_status_t pan_disconnect(const bt_bdaddr_t *bd_addr)
{
struct hal_cmd_pan_disconnect cmd;
DBG("");
if (!interface_ready())
return BT_STATUS_NOT_READY;
memcpy(cmd.bdaddr, bd_addr, sizeof(cmd.bdaddr));
return hal_ipc_cmd(HAL_SERVICE_ID_PAN, HAL_OP_PAN_DISCONNECT,
sizeof(cmd), &cmd, NULL, NULL, NULL);
}
static bt_status_t pan_init(const btpan_callbacks_t *callbacks)
{
struct hal_cmd_register_module cmd;
int ret;
DBG("");
if (interface_ready())
return BT_STATUS_DONE;
cbs = callbacks;
hal_ipc_register(HAL_SERVICE_ID_PAN, ev_handlers,
sizeof(ev_handlers)/sizeof(ev_handlers[0]));
cmd.service_id = HAL_SERVICE_ID_PAN;
cmd.mode = HAL_MODE_DEFAULT;
cmd.max_clients = 1;
ret = hal_ipc_cmd(HAL_SERVICE_ID_CORE, HAL_OP_REGISTER_MODULE,
sizeof(cmd), &cmd, NULL, NULL, NULL);
if (ret != BT_STATUS_SUCCESS) {
cbs = NULL;
hal_ipc_unregister(HAL_SERVICE_ID_PAN);
}
return ret;
}
static void pan_cleanup(void)
{
struct hal_cmd_unregister_module cmd;
DBG("");
if (!interface_ready())
return;
cmd.service_id = HAL_SERVICE_ID_PAN;
hal_ipc_cmd(HAL_SERVICE_ID_CORE, HAL_OP_UNREGISTER_MODULE,
sizeof(cmd), &cmd, NULL, NULL, NULL);
hal_ipc_unregister(HAL_SERVICE_ID_PAN);
cbs = NULL;
}
static btpan_interface_t pan_if = {
.size = sizeof(pan_if),
.init = pan_init,
.enable = pan_enable,
.get_local_role = pan_get_local_role,
.connect = pan_connect,
.disconnect = pan_disconnect,
.cleanup = pan_cleanup
};
btpan_interface_t *bt_get_pan_interface(void)
{
return &pan_if;
}
Reference in New Issue View Git Blame Copy Permalink