Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 0ac4b40e authored by Himanshu Rawat's avatar Himanshu Rawat
Browse files

Check validity of GATT client ID before unregistering 

GATT would always de-register HOGP host if de-registration was requested
for unknown GATT client ID. This used to occasionally corrupt
(b/266474582) the HOGP host state which was fixed in
Iaff8495bbfcc1288b7011380474fa6a0eac302cc.
During BT shutdown, the GATT client cleanup may complete before
de-register requests from all clients are serviced. In such case,
handling of pending de-register requests results in null pointer access.

Bug: 277181689
Test: Regression
Change-Id: I6a56e0561212e9361b960b174127c95fe4b686fd
parent 13a42062

system/bta/gatt/bta_gattc_act.cc

+1 −7
Original line number Diff line number Diff line
@@ -147,14 +147,8 @@ void bta_gattc_disable() { 
    if (!bta_gattc_cb.cl_rcb[i].in_use) continue;



    bta_gattc_cb.state = BTA_GATTC_STATE_DISABLING;

/* don't deregister HH GATT IF */

/* HH GATT IF will be deregistered by bta_hh_le_deregister when disable HH */

    if (!GetInterfaceToProfiles()

             ->profileSpecific_HACK->bta_hh_le_is_hh_gatt_if(

                 bta_gattc_cb.cl_rcb[i].client_if)) {

    bta_gattc_deregister(&bta_gattc_cb.cl_rcb[i]);

  }

  }



  /* no registered apps, indicate disable completed */

  if (bta_gattc_cb.state != BTA_GATTC_STATE_DISABLING) {

system/bta/gatt/bta_gattc_api.cc

+7 −1
Original line number Diff line number Diff line
@@ -92,7 +92,13 @@ void BTA_GATTC_AppRegister(tBTA_GATTC_CBACK* p_client_cb, 
}



static void app_deregister_impl(tGATT_IF client_if) {

  bta_gattc_deregister(bta_gattc_cl_get_regcb(client_if));

  tBTA_GATTC_RCB* p_clreg = bta_gattc_cl_get_regcb(client_if);



  if (p_clreg != nullptr) {

    bta_gattc_deregister(p_clreg);

  } else {

    LOG_ERROR("Unknown GATT ID: %d, state: %d", client_if, bta_gattc_cb.state);

  }

}

/*******************************************************************************

 *

system/bta/hh/bta_hh_int.h

+0 −1
Original line number Diff line number Diff line
@@ -296,7 +296,6 @@ extern tBTA_HH_STATUS bta_hh_read_ssr_param(const RawAddress& bd_addr, 


/* functions for LE HID */

extern void bta_hh_le_enable(void);

extern bool bta_hh_le_is_hh_gatt_if(tGATT_IF client_if);

extern void bta_hh_le_deregister(void);

extern void bta_hh_le_open_conn(tBTA_HH_DEV_CB* p_cb,

                                const RawAddress& remote_bda);

system/bta/hh/bta_hh_le.cc

+0 −14
Original line number Diff line number Diff line
@@ -199,20 +199,6 @@ void bta_hh_le_enable(void) { 
                        }), false);

}



/*******************************************************************************

 *

 * Function         bta_hh_le_is_hh_gatt_if

 *

 * Description      Check to see if client_if is BTA HH LE GATT interface

 *

 *

 * Returns          whether it is HH GATT IF

 *

 ******************************************************************************/

bool bta_hh_le_is_hh_gatt_if(tGATT_IF client_if) {

  return (bta_hh_cb.gatt_if == client_if);

}



/*******************************************************************************

 *

 * Function         bta_hh_le_deregister

system/btif/include/core_callbacks.h

+0 −1
Original line number Diff line number Diff line
@@ -111,7 +111,6 @@ struct HACK_ProfileInterface { 
  tBTA_HH_STATUS (*bta_hh_read_ssr_param)(const RawAddress& bd_addr,

                                          uint16_t* p_max_ssr_lat,

                                          uint16_t* p_min_ssr_tout);

  bool (*bta_hh_le_is_hh_gatt_if)(tGATT_IF client_if);



  // AVDTP hacks

  void (*btif_av_set_dynamic_audio_buffer_size)(