bluetooth: serialize ACL connect requests to avoid controller disallow #1
Open
chengkai15 wants to merge 878 commits into
bug: v/81606 Signed-off-by: YuhengLi <liyuheng@xiaomi.com>
bug: v/81606 Signed-off-by: YuhengLi <liyuheng@xiaomi.com>
bug: v/81606 Signed-off-by: YuhengLi <liyuheng@xiaomi.com>
bug: v/80279 Signed-off-by: YuhengLi <liyuheng@xiaomi.com>
bug: v/80279 Signed-off-by: YuhengLi <liyuheng@xiaomi.com>
bug: v/81606 Signed-off-by: YuhengLi <liyuheng@xiaomi.com>
bug: v/80270 Signed-off-by: YuhengLi <liyuheng@xiaomi.com>
bug: v/80268 Signed-off-by: YuhengLi <liyuheng@xiaomi.com>
bug: v/80268 Rootcause: unref conn before use Signed-off-by: YuhengLi <liyuheng@xiaomi.com>
bug: v/81589 Signed-off-by: YuhengLi <liyuheng@xiaomi.com>
bug: v/80268 Signed-off-by: YuhengLi <liyuheng@xiaomi.com>
bug: v/80258 Rootcause: ARRAY_SIZE redefined Signed-off-by: YuhengLi <liyuheng@xiaomi.com>
bug: v/80268 Rootcause: profile direct connect api has changed Signed-off-by: YuhengLi <liyuheng@xiaomi.com>
bug: v/80268 Rootcause: should not call unref at this time Signed-off-by: YuhengLi <liyuheng@xiaomi.com>
bug: v/80269 Rootcause: add logs to print call number when sync Signed-off-by: YuhengLi <liyuheng@xiaomi.com>
bug: v/81504 return -EINPROGRESS dial callback and send OK after dial response Signed-off-by: YuhengLi <liyuheng@xiaomi.com>
bug: v/81567 remove unused functions Signed-off-by: YuhengLi <liyuheng@xiaomi.com>
bug: v/81589 remove global var g_sal_ag_sync_conn and sync call by addr Signed-off-by: YuhengLi <liyuheng@xiaomi.com>
bug: v/81504 Signed-off-by: YuhengLi <liyuheng@xiaomi.com>
bug: v/80268 Rootcause: Not unregister callbacks when cleanup. Signed-off-by: YuhengLi <liyuheng@xiaomi.com>
bug: v/81522 When event_id == BT_AVRCP_EVT_VOLUME_CHANGED, flag = true is set only if both CONFIG_BLUETOOTH_AVRCP_ABSOLUTE_VOLUME and CONFIG_BLUETOOTH_AVRCP_CONTROL are enabled. Otherwise in the else branch, flag = true is set only if CONFIG_BLUETOOTH_AVRCP_TARGET is enabled. All configurations are enabled, treating flag as always true, making the if (!flag) condition unreachable. Signed-off-by: YuhengLi <liyuheng@xiaomi.com>
bug: v/81702 Fixed memory leak caused by premature return. Signed-off-by: liuxiang18 <liuxiang18@xiaomi.com>
bug: v/80258 Rootcause: attributes in bt_sdp_discover_params may be modified by ZBlue SDP. Using const could cause a crash in some cases Signed-off-by: YuhengLi <liyuheng@xiaomi.com>
bug: v/81752 Rootcause: audio_connect should not be called in bluetoothd task Signed-off-by: YuhengLi <liyuheng@xiaomi.com>
bug: v/81968 Rootcause: disconnected_callback not called caused connect info not cleared in connection manager module Signed-off-by: YuhengLi <liyuheng@xiaomi.com>
… an asynchronous API. bug: v/81682 When priv dynamically allocates memory successfully but fails later due to other reasons before reaching the assignment ins->priv = priv;, the memory allocated to priv cannot be freed in bt_socket_async_client_deinit, leading to a resource leak. Signed-off-by: jialu <jialu@xiaomi.com>
…se functions bug: v/80811 Rootcause: In certain scenarios, users of `euv_pipe` must ensure all UV requests have completed execution before releasing resources. Consequently, it is necessary to notify users that `euv_pipe` has been fully released after its close operation is completed, thereby permitting subsequent operational procedures to proceed. Support for the close callback has therefore been added. Signed-off-by: chejinxian1 <chejinxian1@xiaomi.com>
…e callback bug: v/80808 Rootcause: In high-throughput reception scenarios, situations may arise where the `write_cb` for SPP data transmission to the application has not yet completed, yet the SPP device is released due to an abrupt disconnection, thereby preventing notification to the protocol stack that data reception has concluded. To circumvent this issue, it is imperative to ensure all write operations are finalised before releasing the SPP device. Consequently, an `euv_pipe` close callback implementation has been introduced to guarantee that all `write_cb` operations execute successfully prior to severing the data pathway. Signed-off-by: chejinxian1 <chejinxian1@xiaomi.com>
bug: v/74709
only open CONFIG_BLUETOOTH_AVRCP_CONTROL or CONFIG_BLUETOOTH_AVRCP_ABSOLUTE_VOLUME can build in bt_avrcp_control_notification_cb.
error: 'bt_avrcp_info_find_by_ct' undeclared (first use in this function); did you mean 'bt_avrcp_info_find_by_tg'?
1501 | avrcp_info = bt_list_find(bt_avrcp_conn, bt_avrcp_info_find_by_ct, ct);
| ^~~~~~~~~~~~~~~~~~~~~~~~
| bt_avrcp_info_find_by_tg
Signed-off-by: zhongzhijie1 <zhongzhijie1@xiaomi.com>
bug: v/82095 The spp_connect_handler was attempting to look up the SPP connection by rfcomm_dlc before it was added to the connection list, causing "SPP connection not found for rfcomm_dlc" error. Root Cause: The connection object wasn't in the global connection list at the time of lookup, making spp_find_connection_by_dlc() always fail. Fix: Pass the spp_conn pointer directly as user_data to avoid the lookup, and add it to the connection list after successful initialization. Signed-off-by: zhongzhijie1 <zhongzhijie1@xiaomi.com>
… fix compilation warnings. bug: v/87425 Signed-off-by: jialu <jialu@xiaomi.com>
bug: v/87862 Rootcause: zblue_on_security_changed and zblue_on_pairing_failed callbacks run inside smp_pairing_complete. They called bt_unpair / bt_conn_disconnect synchronously, which freed bt_conn before smp_pairing_complete finished. smp_reset then accessed freed memory. Fix: use async bt_sal_le_remove_bond / bt_sal_le_disconnect instead, so bt_conn stays alive until the entire callback chain returns. Signed-off-by: zhongzhijie1 <zhongzhijie1@xiaomi.com>
bug: v/87852 This change fixes multiple issues in the Bluetooth CS (Channel Sounding) RAS (Ranging Service) data conversion and transmission:
- Filter type overflow: Changed ras_filter from uint32_t to uint16_t to match the RAS spec (16-bit filter mask per mode), and updated the initial value from 0xFFFFFFFF to 0xFFFF.
- Filter enum start value: All mode filter bit enums (MODE_0/1/2/3) now start at 2 instead of 0, aligning with the actual bit definitions in the RAS specification.
- MODE 1 role condition inverted: In CS_RAS_SUBEVENT_STEP_MODE_1, the Initiator and Reflector role branches were swapped (Reflector was incorrectly executing the Initiator path).
- Missing antenna_paths semantic conversion: HCI reports num_antenna_paths as a count (1-4), but RAS requires a bitmask. Added count-to-bitmask conversion (e.g., count=4 → 0x0F).
- MODE 2/3 Tone data parsing: Changed Tone_PCT and Tone_Quality_Indicator from bulk copy using (num_antenna_paths+1) to per-tone iteration via while(remaining > 0), matching the RAS spec's per-tone filtering semantics.
- Real-time data trigger condition: Changed the condition in cs_ras_subevent_result_cb from procedure_done_status to subevent_done_status, since real-time mode should trigger on each subevent completion, not the entire procedure.
Signed-off-by: jialu <jialu@xiaomi.com>
bug: v/87572 When bt_sal_spp_write returns BT_STATUS_NOMEM, the complete packet (size == mfs) is cached via spp_cache_fragement, setting cache_buf.length = mfs. On recovery, spp_on_outgoing_complete directly calls euv_pipe_read_start, causing euv_alloc_buffer to compute len = mfs - mfs = 0. libuv gets a zero-length buffer, pipe read stalls, and the connection eventually drops. Fix by incrementing remaining_quota before the recovery check to prevent uint8_t underflow (0 - 1 = 0xFF), then branching on cache_buf.length: flush cached data via do_spp_write if present, otherwise restart pipe read with mfs. Signed-off-by: chejinxian1 <chejinxian1@xiaomi.com>
Bug: v/87379 Define BT_UUID_STR_LENGTH macro (40) in bt_uuid.h to replace hardcoded magic numbers for UUID string buffer size. Use LENGTH suffix to avoid conflict with Zephyr's BT_UUID_STR_LEN definition. Update all usages across the codebase to use the new macro. Signed-off-by: Zihao Gao <gaozihao@xiaomi.com>
Bug: v/87379 Add GATT client debug module for conditional compilation of logging:
- gattc_internal.h: shared type definitions (gattc_service_t, gattc_connection_t) extracted from gattc_service.c
- gattc_debug.h: function declarations with empty macro fallbacks when CONFIG_BLUETOOTH_GATT_CLIENT_DEBUG is disabled
- gattc_debug.c: logging implementations using explicit bt_addr_ba2str() + BT_LOGI() to avoid BT_ADDR_LOG parameter order confusion
Functions provided:
- gattc_log(): log address with message
- gattc_log_state(): log connection state changes
- gattc_log_status(): log operation status
- gattc_dump_services(): dump discovered services
Also fix gattc_event.h enum typo: GATTC_EVENT_DICCOVER_CMPL -> GATTC_EVENT_DISCOVER_CMPL
Signed-off-by: Zihao Gao <gaozihao@xiaomi.com>
Bug: v/87379 Refactor gattc_service.c to use the new debug module:
- Include gattc_internal.h and gattc_debug.h
- Remove local struct definitions (moved to gattc_internal.h)
- Replace inline logging with debug module functions
- Remove dump_services() (moved to gattc_debug.c)
Add CONFIG_BLUETOOTH_GATT_CLIENT_DEBUG Kconfig option:
- Default enabled (y) for backward compatibility
- When disabled, debug functions become empty macros
- Reduces code size by removing log strings
Update Makefile and CMakeLists.txt to conditionally compile gattc_debug.c based on the config option.
Signed-off-by: Zihao Gao <gaozihao@xiaomi.com>
…t connect bug: v/88096 Fix SPP client connection by implementing bt_sal_spp_connect_with_option. Previously this function returned BT_STATUS_UNSUPPORTED directly, causing SPP client connect to fail. Now for non-insecure mode, it calls bt_sal_spp_connect to establish connection. Insecure mode is not yet supported and still returns BT_STATUS_UNSUPPORTED. Signed-off-by: chejinxian1 <chejinxian1@xiaomi.com>
bug: v/87917 Map BT_LE_ADDR_TYPE_UNKNOWN to BT_ADDR_LE_PUBLIC instead of BT_ADDR_LE_RANDOM to maintain compatibility with legacy stack behavior where the default address type was public. Signed-off-by: zhongzhijie1 <zhongzhijie1@xiaomi.com>
bug: v/-88168 Rootcause: Adjusting the volume in sniff mode is relatively slow; need to exit sniff before adjusting the volume. Signed-off-by: zhangyuan20 <zhangyuan20@xiaomi.com>
bug: v/84601 rootcause: 1: The old interface forcibly disconnects ACLs, causing profile connection compatibility issues. 2: The old interface port forcibly releases and cleans up local resources before disconnecting, especially in sniffing scenarios, ending before entering active mode, causing a 30-second timeout on the phone. In turn, increases the connection disconnection time by 300 milliseconds. Signed-off-by: Kai Cheng <chengkai@xiaomi.com>
bug: v/82380 The previous call operation path could block receiving and eventually lead to a crash. Signed-off-by: liyuheng <liyuheng@xiaomi.com>
bug: v/88151 In zblue_on_connected, when the device acts as ACP (acceptor), it only creates the a2dp_info and waits passively. It never initiates bt_a2dp_discover, so if the remote side also does not initiate the discover/set_config flow, the A2DP connection stalls -- signaling channel is up but no stream is ever configured. Additionally, in bt_a2dp_discover_endpoint_cb, the a2dp_info->role remains SEP_INVALID for ACP connections because the role was only assigned during the connect initiation path. The SNK set_config branch also had an unnecessary int_acp == A2DP_INT guard, which blocked ACP-initiated discover from completing the configuration. Fix: Added a 2-second service_loop_timer in the ACP path of zblue_on_connected. If the remote does not send set_config within 2s, the local side proactively initiates bt_a2dp_discover. The timer is cancelled in zblue_on_config_req (remote drove the flow first) and in a2dp_info_destroy (cleanup on disconnect). In bt_a2dp_discover_endpoint_cb, the local role is now derived from the remote's sep_info->tsep: BT_AVDTP_SOURCE -> local SEP_SNK, BT_AVDTP_SINK -> local SEP_SRC. Removed the int_acp == A2DP_INT restriction on the SEP_SNK set_config branch so ACP-triggered discover can also complete codec negotiation. Signed-off-by: jialu <jialu@xiaomi.com>
…lf sent). bug: v/87852 This commit performs an architecture-level refactoring of cs_ras.c and cs_ras.h. The core change replaces the shared global buffer and static arrays used for Real-time and On-demand mode data storage with independent dynamically-allocated linked list queues, resolving memory safety issues and concurrent processing defects in the original architecture. Signed-off-by: jialu <jialu@xiaomi.com>
bug: v/88558 Add conditional compilation for Bluetooth LE Channel Sounding (CS) feature across framework API, socket IPC, Zephyr SAL, CS profiles, and le_cs tool. Signed-off-by: jialu <jialu@xiaomi.com>
bug: v/87941 bt_sal_a2dp_source_send_data calls net_buf_add_mem(media_packet_buf, &buf[AVDTP_RTP_HEADER_LEN], nbytes) without validating whether nbytes exceeds the available space in media_packet_buf. The buffer is allocated from bt_a2dp_tx_pool with a data size of CONFIG_ZBLUE_A2DP_SOURCE_BUF_SIZE (default 660 bytes). After bt_a2dp_stream_create_pdu reserves protocol headers (STREAM_DATA_RESERVED, i.e. AVDTP_RTP_HEADER_LEN = 12 bytes), the actual usable payload space is CONFIG_ZBLUE_A2DP_SOURCE_BUF_SIZE - STREAM_DATA_RESERVED (648 bytes). Zephyr's net_buf_add_mem only has an __ASSERT_NO_MSG check which is stripped in release builds. If nbytes exceeds the tailroom, a buffer overflow occurs, corrupting adjacent memory and potentially causing hard faults or data corruption. Fix: Add a length check before buffer allocation using CONFIG_ZBLUE_A2DP_SOURCE_BUF_SIZE - STREAM_DATA_RESERVED as the maximum payload limit. When nbytes exceeds this limit, log an error and return BT_STATUS_PARM_INVALID, avoiding unnecessary buffer allocation and out-of-bounds writes. Signed-off-by: jialu <jialu@xiaomi.com>
bug: v/85832 Fix defects causing bttool resource leak during BT enable/disable stress test:
1. Store bttool_t pointer in g_bttool_loop->data so TURNING_OFF callback can access the async queue (previously always 0, cleanup was skipped)
2. Replace do_in_thread_loop with bttool_uninit() in TURNING_OFF callback to send _uninit command via uv_async_queue_send, ensuring bt_tool_uninit runs on g_bttool_loop thread (mirrors bttool_quit pattern). Guard with CONFIG_LIBUV_EXTENSION only.
3. Add re-entry guard in bt_tool_uninit to prevent double cleanup on repeated BT disable cycles
Signed-off-by: chejinxian1 <chejinxian1@xiaomi.com>
bug: v/87902 Rootcause: When ACL disconnects during SDP discovery, the SDP client only invokes the disconnected callback, not the func callback. HFP HF SAL did not register a disconnected callback, causing sal_conn to be orphaned in g_sal_hf_conn_list and the upper layer state machine to get stuck. Add the disconnected callback to clean up sal_conn and notify the upper layer of the disconnection. Signed-off-by: liyuheng <liyuheng@xiaomi.com>
bug: v/87902 Rootcause: When ACL disconnects during SDP discovery, the SDP client only invokes the disconnected callback, not the func callback. HFP AG SAL did not register a disconnected callback, so the upper layer never received a PROFILE_STATE_DISCONNECTED notification and could get stuck. Add the disconnected callback to notify the upper layer of the disconnection. Signed-off-by: liyuheng <liyuheng@xiaomi.com>
…nnected bug: v/87902 Use sal_conn->addr directly instead of an intermediate bt_address_t* pointer variable. The sal_conn object remains valid until bt_list_remove at the end of the function, so direct access is safe and cleaner. Signed-off-by: liyuheng <liyuheng@xiaomi.com>
bug: v/87902 Refactor the HFP AG SAL connection establishment to align with the HFP HF implementation:
- Remove global g_conn_params that serialized all connections through a single slot, preventing parallel outgoing connections.
- Split do_ag_connect into do_ag_sdp_discover (SDP phase) and do_ag_slc_connect (SLC phase), matching HF's do_hf_sdp_discover and do_hf_slc_connect.
- Create sal_conn early at SDP discover time so the connection is tracked from the start, enabling proper cleanup on SDP failure.
- Use service_loop_work to dispatch do_ag_slc_connect from zblue_on_sdp_done, instead of direct synchronous call.
- Add find_connection_by_context to look up sal_conn by bt_conn*.
- Fix zblue_on_ag_disconnected to use sal_conn->addr directly and call bt_list_remove after callbacks.
- Fix zblue_on_ag_connected to handle incoming connections and simultaneous connection collision consistently with HF.
Signed-off-by: liyuheng <liyuheng@xiaomi.com>
bug: v/5823 CM_RECONNECT_INTERVAL was changed from 8s to 12s for power optimization, but CM_RECONNECT_TIMES was not updated accordingly, resulting in a 45-minute reconnect window instead of the designed 30 minutes. Fix by deriving CM_RECONNECT_TIMES from CM_RECONNECT_INTERVAL directly, so future interval changes are automatically reflected. Signed-off-by: liuxiang18 <liuxiang18@xiaomi.com>
bug: v/87639 Keep the ACL link in active mode during SCO connection to reduce control latency for HFP commands such as call termination. Also fix audio_on_exit to call bt_pm_idle instead of bt_pm_busy, ensuring consistent idle state when SCO is not established. Signed-off-by: Zihao Gao <gaozihao@xiaomi.com>
bug: v/43852 the feature now only access in adapter_disable_safe(), when using normal enable and disable, will not affect disable_safe. Change-Id: I6216b4640b793bd1101efa21c364b3385f613c91 Signed-off-by: zhongzhijie1 <zhongzhijie1@xiaomi.com> (cherry picked from commit 5936959f62b52985ae2d97986767d497ac0f7292)
bug: v/74513 Change-Id: I4e46f42d79879e1766342776f6afd5bb83c5d5d1 Signed-off-by: chejinxian1 <chejinxian1@xiaomi.com>
bug: v/66847 Change-Id: I3b75fa3a900ced834e90767b276827c5963c88ef Signed-off-by: yuanliping <yuanliping@xiaomi.com>
…ude from mutex.h
bug: v/73166
../../frameworks/connectivity/bluetooth/framework/btwrap/async/bt_gatt_feature.c: In function 'create_client_cb':
../../frameworks/connectivity/bluetooth/framework/btwrap/async/bt_gatt_feature.c:750:9: error: implicit declaration of function 'assert' [-Werror=implicit-function-declaration]
750 | assert(0);
| ^~~~~~
../../frameworks/connectivity/bluetooth/framework/btwrap/async/bt_gatt_feature.c:29:1: note: 'assert' is defined in header '<assert.h>'; did you forget to '#include <assert.h>'?
28 | #include bt_uuid.h
+++ |+#include <assert.h>
29 |
Change-Id: I1a10855abfeae06958957b8e318ec5c5992cc1d0
Signed-off-by: haopengxiang <haopengxiang@xiaomi.com>
bug: v/88196 Rootcause: Concurrent bt_sal_connect calls send multiple HCI Create Connection commands before the first completes, causing controller to reject with Command Disallowed. Add a pending queue to serialize ACL connect requests, dispatching the next via sal_send_req only after zblue_on_connected callback fires. Change-Id: I075735fd3c2f18f7d758a1fb360891f35f0d6872 Signed-off-by: Kai Cheng <chengkai@xiaomi.com>
bug: v/88196
Rootcause: Concurrent bt_sal_connect calls send multiple HCI Create Connection commands before the first completes, causing controller to reject with Command Disallowed. Add a pending queue to serialize ACL connect requests, dispatching the next via sal_send_req only after zblue_on_connected callback fires.
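The serialization this pull request describes, as an added sketch in C that is not the project's code: one ACL connect request is in flight at a time, later requests wait in a bounded FIFO, and the next one is sent only from the connection-complete callback. All identifiers (`acl_connect`, `acl_on_connect_done`, the toy controller, the queue depth of 4, the duplicate and queue-full return codes) are assumptions made for illustration.

```c
#include <stdint.h>

/* Added sketch: every identifier here is hypothetical, not the project's API. */
#define HCI_CMD_DISALLOWED 0x0C /* HCI status "Command Disallowed" */
#define PENDING_MAX 4           /* assumed queue depth */
enum { REQ_SENT = 0, REQ_QUEUED = 1, REQ_DUP = -1, REQ_FULL = -2, REQ_FAIL = -3 };
typedef uint64_t addr_t;        /* 48-bit BD_ADDR packed into an integer */

/* Toy controller: accepts one Create Connection at a time. */
static int ctrl_busy, ctrl_rejects;
static int toy_hci_create_conn(addr_t a)
{
    (void)a; /* the model does not care which peer is targeted */
    if (ctrl_busy) { ctrl_rejects++; return HCI_CMD_DISALLOWED; }
    ctrl_busy = 1;
    return 0;
}

/* Serializer: one request in flight, the rest in a bounded FIFO. */
static addr_t pending[PENDING_MAX], inflight;
static unsigned head, count, has_inflight;
static int dispatch(addr_t a)
{
    if (toy_hci_create_conn(a) != 0) return REQ_FAIL;
    inflight = a; has_inflight = 1;
    return REQ_SENT;
}

int acl_connect(addr_t a)
{
    if (has_inflight && inflight == a) return REQ_DUP;
    for (unsigned i = 0; i < count; i++)
        if (pending[(head + i) % PENDING_MAX] == a) return REQ_DUP;
    if (!has_inflight) return dispatch(a);
    if (count == PENDING_MAX) return REQ_FULL; /* bounded: a caller cannot grow it */
    pending[(head + count++) % PENDING_MAX] = a;
    return REQ_QUEUED;
}

/* Run from the connected callback on success and failure alike, so a failed
 * attempt cannot stall the queue. Returns 1 if a queued request was sent. */
int acl_on_connect_done(addr_t a)
{
    if (!has_inflight || inflight != a) return 0; /* not ours, e.g. incoming link */
    has_inflight = 0;
    while (count > 0) {
        addr_t next = pending[head];
        head = (head + 1) % PENDING_MAX; count--;
        if (dispatch(next) == REQ_SENT) return 1;
    }
    return 0;
}

int toy_conn_complete(addr_t a) /* models the controller finishing and the callback firing */
{
    if (has_inflight && inflight == a) ctrl_busy = 0;
    return acl_on_connect_done(a);
}

int main(void)
{
    for (addr_t a = 1; a <= 3; a++) acl_connect(a);       /* constructed peers, requested concurrently */
    for (addr_t a = 1; a <= 3; a++) toy_conn_complete(a); /* completions arrive in turn */
    return ctrl_rejects;                                  /* 0: the controller never refused a command */
}
```

A completion event for an address that is not the in-flight request leaves the queue untouched, which keeps an incoming connection from releasing the slot early.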