commit 64cd18f10841b1479d669e12afda754584898ddd
author Maarten Derks <maarten@fairphone.com> Wed Nov 16 10:29:17 2022 +0100
committer Maarten Derks <maarten@fairphone.com> Wed Nov 16 10:29:17 2022 +0100
tree 6d4181ac5445d2691dd0f9f525a354c0d128e84b
parent 324ef58331350d93195a5d04483186258bf59a02
parent 250831844843db2900d2fa7f13a6f46182ac5160

Merge branch 'dev/10/fp2/security-aosp-qt-release' into int/10/fp2

* dev/10/fp2/security-aosp-qt-release:
  Fix integer overflow when parsing avrc response
  Add length check when copy AVDT and AVCT packet
  Add missing increment in bnep_api.cc
  RESTRICT AUTOMERGE Added max buffer length check
  Add length check when copy AVDTP packet
  Add buffer in pin_reply in bluetooth.cc
  Add negative length check in process_service_search_rsp

Change-Id: Ifa3582358d1082182b8bf681285a04d5be63311c

TEST_MAPPING

diff --git a/TEST_MAPPING b/TEST_MAPPING
index d29c2f7..dc17051 100644
--- a/TEST_MAPPING
+++ b/TEST_MAPPING
@@ -78,6 +78,10 @@
       "host" : true
     },
     {
+      "name" : "net_test_btif_rc",
+      "host" : true
+    },
+    {
       "name" : "net_test_stack_a2dp_native",
       "host" : true
     }

binder/android/bluetooth/IBluetoothManager.aidl

diff --git a/binder/android/bluetooth/IBluetoothManager.aidl b/binder/android/bluetooth/IBluetoothManager.aidl
index 2e12700..8a80d49 100644
--- a/binder/android/bluetooth/IBluetoothManager.aidl
+++ b/binder/android/bluetooth/IBluetoothManager.aidl
@@ -46,6 +46,8 @@
     String getAddress();
     String getName();
 
+    boolean onFactoryReset();
+
     boolean isBleScanAlwaysAvailable();
     int updateBleAppCount(IBinder b, boolean enable, String packageName);
     boolean isBleAppPresent();

binder/android/bluetooth/IBluetoothPan.aidl

diff --git a/binder/android/bluetooth/IBluetoothPan.aidl b/binder/android/bluetooth/IBluetoothPan.aidl
index 16b6ddf..4052aa4 100644
--- a/binder/android/bluetooth/IBluetoothPan.aidl
+++ b/binder/android/bluetooth/IBluetoothPan.aidl
@@ -26,7 +26,7 @@
 interface IBluetoothPan {
     // Public API
     boolean isTetheringOn();
-    void setBluetoothTethering(boolean value);
+    void setBluetoothTethering(boolean value, String pkgName);
     boolean connect(in BluetoothDevice device);
     boolean disconnect(in BluetoothDevice device);
     List<BluetoothDevice> getConnectedDevices();

bta/av/bta_av_aact.cc

diff --git a/bta/av/bta_av_aact.cc b/bta/av/bta_av_aact.cc
index b022b43..7cd7056 100644
--- a/bta/av/bta_av_aact.cc
+++ b/bta/av/bta_av_aact.cc
@@ -1246,7 +1246,6 @@
     open.chnl = p_scb->chnl;
     open.hndl = p_scb->hndl;
     open.status = BTA_AV_SUCCESS;
-    open.starting = bta_av_chk_start(p_scb);
     open.edr = 0;
     p = BTM_ReadRemoteFeatures(p_scb->PeerAddress());
     if (p != NULL) {
@@ -1262,8 +1261,10 @@
     bta_ar_avdt_conn(BTA_ID_AV, open.bd_addr, p_scb->hdi);
 #endif
     if (p_scb->seps[p_scb->sep_idx].tsep == AVDT_TSEP_SRC) {
+      open.starting = false;
       open.sep = AVDT_TSEP_SNK;
     } else if (p_scb->seps[p_scb->sep_idx].tsep == AVDT_TSEP_SNK) {
+      open.starting = bta_av_chk_start(p_scb);
       open.sep = AVDT_TSEP_SRC;
     }
 

bta/av/bta_av_main.cc

diff --git a/bta/av/bta_av_main.cc b/bta/av/bta_av_main.cc
index 34516fc..bdd8a70 100644
--- a/bta/av/bta_av_main.cc
+++ b/bta/av/bta_av_main.cc
@@ -1108,8 +1108,10 @@
                   "%s: peer %s BTM_SwitchRole(BTM_ROLE_MASTER) error: %d",
                   __func__, p_scb->PeerAddress().ToString().c_str(), status);
       }
-      is_ok = false;
-      p_scb->wait |= BTA_AV_WAIT_ROLE_SW_RES_START;
+      if (status != BTM_DEV_BLACKLISTED) {
+        is_ok = false;
+        p_scb->wait |= BTA_AV_WAIT_ROLE_SW_RES_START;
+      }
     }
   }
 

bta/av/bta_av_ssm.cc

diff --git a/bta/av/bta_av_ssm.cc b/bta/av/bta_av_ssm.cc
index a1a94b0..80effa3 100644
--- a/bta/av/bta_av_ssm.cc
+++ b/bta/av/bta_av_ssm.cc
@@ -329,7 +329,7 @@
     /* STR_RECONFIG_CFM_EVT */
     {BTA_AV_SIGNORE, BTA_AV_SIGNORE, BTA_AV_OPEN_SST},
     /* AVRC_TIMER_EVT */
-    {BTA_AV_OPEN_RC, BTA_AV_CHK_2ND_START, BTA_AV_OPEN_SST},
+    {BTA_AV_OPEN_RC, BTA_AV_SIGNORE, BTA_AV_OPEN_SST},
     /* AVDT_CONNECT_EVT */ {BTA_AV_SIGNORE, BTA_AV_SIGNORE, BTA_AV_OPEN_SST},
     /* AVDT_DISCONNECT_EVT */
     {BTA_AV_STR_CLOSED, BTA_AV_SIGNORE, BTA_AV_INIT_SST},

bta/hearing_aid/hearing_aid.cc

diff --git a/bta/hearing_aid/hearing_aid.cc b/bta/hearing_aid/hearing_aid.cc
index fb7cab7..867c628 100644
--- a/bta/hearing_aid/hearing_aid.cc
+++ b/bta/hearing_aid/hearing_aid.cc
@@ -390,6 +390,13 @@
       hearingDevice->connection_update_status = AWAITING;
     }
 
+    tACL_CONN* p_acl = btm_bda_to_acl(address, BT_TRANSPORT_LE);
+    if (p_acl != nullptr && controller_get_interface()->supports_ble_2m_phy() &&
+        HCI_LE_2M_PHY_SUPPORTED(p_acl->peer_le_features)) {
+      LOG(INFO) << address << " set preferred PHY to 2M";
+      BTM_BleSetPhy(address, PHY_LE_2M, PHY_LE_2M, 0);
+    }
+
     // Set data length
     // TODO(jpawlowski: for 16khz only 87 is required, optimize
     BTM_SetBleDataLength(address, 167);
@@ -1005,13 +1012,16 @@
     }
   }
 
-  void OnAudioSuspend() {
+  void OnAudioSuspend(const std::function<void()>& stop_audio_ticks) {
+    CHECK(stop_audio_ticks) << "stop_audio_ticks is empty";
+
     if (!audio_running) {
       LOG(WARNING) << __func__ << ": Unexpected audio suspend";
     } else {
       LOG(INFO) << __func__ << ": audio_running=" << audio_running;
     }
     audio_running = false;
+    stop_audio_ticks();
 
     std::vector<uint8_t> stop({CONTROL_POINT_OP_STOP});
     for (auto& device : hearingDevices.devices) {
@@ -1032,23 +1042,33 @@
     }
   }
 
-  void OnAudioResume() {
+  void OnAudioResume(const std::function<void()>& start_audio_ticks) {
+    CHECK(start_audio_ticks) << "start_audio_ticks is empty";
+
     if (audio_running) {
       LOG(ERROR) << __func__ << ": Unexpected Audio Resume";
     } else {
       LOG(INFO) << __func__ << ": audio_running=" << audio_running;
     }
-    audio_running = true;
+
+    for (auto& device : hearingDevices.devices) {
+      if (!device.accepting_audio) continue;
+      audio_running = true;
+      SendStart(&device);
+    }
+
+    if (!audio_running) {
+      LOG(INFO) << __func__ << ": No device (0/" << GetDeviceCount()
+                << ") ready to start";
+      return;
+    }
 
     // TODO: shall we also reset the encoder ?
     encoder_state_release();
     encoder_state_init();
     seq_counter = 0;
 
-    for (auto& device : hearingDevices.devices) {
-      if (!device.accepting_audio) continue;
-      SendStart(&device);
-    }
+    start_audio_ticks();
   }
 
   uint8_t GetOtherSideStreamStatus(HearingDevice* this_side_device) {
@@ -1140,10 +1160,9 @@
     }
 
     if (left == nullptr && right == nullptr) {
-      HearingAidAudioSource::Stop();
-      audio_running = false;
-      encoder_state_release();
-      current_volume = VOLUME_UNKNOWN;
+      LOG(WARNING) << __func__ << ": No more (0/" << GetDeviceCount()
+                   << ") devices ready";
+      DoDisconnectAudioStop();
       return;
     }
 
@@ -1456,8 +1475,17 @@
 
     hearingDevices.Remove(address);
 
-    if (connected)
-      callbacks->OnConnectionState(ConnectionState::DISCONNECTED, address);
+    if (!connected) {
+      return;
+    }
+
+    callbacks->OnConnectionState(ConnectionState::DISCONNECTED, address);
+    for (const auto& device : hearingDevices.devices) {
+      if (device.accepting_audio) return;
+    }
+    LOG(INFO) << __func__ << ": No more (0/" << GetDeviceCount()
+              << ") devices ready";
+    DoDisconnectAudioStop();
   }
 
   void OnGattDisconnected(tGATT_STATUS status, uint16_t conn_id,
@@ -1479,7 +1507,16 @@
 
     DoDisconnectCleanUp(hearingDevice);
 
+    // Keep this hearing aid in the list, and allow to reconnect back.
+
     callbacks->OnConnectionState(ConnectionState::DISCONNECTED, remote_bda);
+
+    for (const auto& device : hearingDevices.devices) {
+      if (device.accepting_audio) return;
+    }
+    LOG(INFO) << __func__ << ": No more (0/" << GetDeviceCount()
+              << ") devices ready";
+    DoDisconnectAudioStop();
   }
 
   void DoDisconnectCleanUp(HearingDevice* hearingDevice) {
@@ -1512,6 +1549,13 @@
     hearingDevice->command_acked = false;
   }
 
+  void DoDisconnectAudioStop() {
+    HearingAidAudioSource::Stop();
+    audio_running = false;
+    encoder_state_release();
+    current_volume = VOLUME_UNKNOWN;
+  }
+
   void SetVolume(int8_t volume) override {
     VLOG(2) << __func__ << ": " << +volume;
     current_volume = volume;
@@ -1723,14 +1767,11 @@
   void OnAudioDataReady(const std::vector<uint8_t>& data) override {
     if (instance) instance->OnAudioDataReady(data);
   }
-  void OnAudioSuspend(std::promise<void> do_suspend_promise) override {
-    if (instance) instance->OnAudioSuspend();
-    do_suspend_promise.set_value();
+  void OnAudioSuspend(const std::function<void()>& stop_audio_ticks) override {
+    if (instance) instance->OnAudioSuspend(stop_audio_ticks);
   }
-
-  void OnAudioResume(std::promise<void> do_resume_promise) override {
-    if (instance) instance->OnAudioResume();
-    do_resume_promise.set_value();
+  void OnAudioResume(const std::function<void()>& start_audio_ticks) override {
+    if (instance) instance->OnAudioResume(start_audio_ticks);
   }
 };
 

bta/hearing_aid/hearing_aid_audio_source.cc

diff --git a/bta/hearing_aid/hearing_aid_audio_source.cc b/bta/hearing_aid/hearing_aid_audio_source.cc
index 3b92d41..0896e2b 100644
--- a/bta/hearing_aid/hearing_aid_audio_source.cc
+++ b/bta/hearing_aid/hearing_aid_audio_source.cc
@@ -97,12 +97,20 @@
 }
 
 void start_audio_ticks() {
+  if (data_interval_ms != HA_INTERVAL_10_MS &&
+      data_interval_ms != HA_INTERVAL_20_MS) {
+    LOG(FATAL) << " Unsupported data interval: " << data_interval_ms;
+  }
+
   wakelock_acquire();
-  audio_timer.SchedulePeriodic(get_main_thread()->GetWeakPtr(), FROM_HERE, base::Bind(&send_audio_data),
-                               base::TimeDelta::FromMilliseconds(data_interval_ms));
+  audio_timer.SchedulePeriodic(
+      get_main_thread()->GetWeakPtr(), FROM_HERE, base::Bind(&send_audio_data),
+      base::TimeDelta::FromMilliseconds(data_interval_ms));
+  LOG(INFO) << __func__ << ": running with data interval: " << data_interval_ms;
 }
 
 void stop_audio_ticks() {
+  LOG(INFO) << __func__ << ": stopped";
   audio_timer.CancelAndWait();
   wakelock_release();
 }
@@ -121,17 +129,12 @@
       UIPC_Ioctl(*uipc_hearing_aid, UIPC_CH_ID_AV_AUDIO, UIPC_SET_READ_POLL_TMO,
                  reinterpret_cast<void*>(0));
 
-      if (data_interval_ms != HA_INTERVAL_10_MS &&
-          data_interval_ms != HA_INTERVAL_20_MS) {
-        LOG(FATAL) << " Unsupported data interval: " << data_interval_ms;
-      }
-
-      start_audio_ticks();
+      do_in_main_thread(FROM_HERE, base::BindOnce(start_audio_ticks));
       break;
     case UIPC_CLOSE_EVT:
       LOG(INFO) << __func__ << ": UIPC_CLOSE_EVT";
       hearing_aid_send_ack(HEARING_AID_CTRL_ACK_SUCCESS);
-      stop_audio_ticks();
+      do_in_main_thread(FROM_HERE, base::BindOnce(stop_audio_ticks));
       break;
     default:
       LOG(ERROR) << "Hearing Aid audio data event not recognized:" << event;
@@ -306,65 +309,52 @@
 }
 
 bool hearing_aid_on_resume_req(bool start_media_task) {
-  // hearing_aid_recv_ctrl_data(HEARING_AID_CTRL_CMD_START)
-  if (localAudioReceiver != nullptr) {
-    // Call OnAudioResume and block till it returns.
-    std::promise<void> do_resume_promise;
-    std::future<void> do_resume_future = do_resume_promise.get_future();
-    bt_status_t status = do_in_main_thread(
-        FROM_HERE, base::BindOnce(&HearingAidAudioReceiver::OnAudioResume,
-                                  base::Unretained(localAudioReceiver),
-                                  std::move(do_resume_promise)));
-    if (status == BT_STATUS_SUCCESS) {
-      do_resume_future.wait();
-    } else {
-      LOG(ERROR) << __func__
-                 << ": HEARING_AID_CTRL_CMD_START: do_in_main_thread err="
-                 << status;
-      return false;
-    }
-  } else {
+  if (localAudioReceiver == nullptr) {
     LOG(ERROR) << __func__
                << ": HEARING_AID_CTRL_CMD_START: audio receiver not started";
     return false;
   }
-
-  // hearing_aid_data_cb(UIPC_OPEN_EVT): start_media_task
+  bt_status_t status;
   if (start_media_task) {
-    if (data_interval_ms != HA_INTERVAL_10_MS &&
-        data_interval_ms != HA_INTERVAL_20_MS) {
-      LOG(FATAL) << " Unsupported data interval: " << data_interval_ms;
-      data_interval_ms = HA_INTERVAL_10_MS;
-    }
-    start_audio_ticks();
+    status = do_in_main_thread(
+        FROM_HERE, base::BindOnce(&HearingAidAudioReceiver::OnAudioResume,
+                                  base::Unretained(localAudioReceiver),
+                                  start_audio_ticks));
+  } else {
+    auto start_dummy_ticks = []() {
+      LOG(INFO) << "start_audio_ticks: waiting for data path opened";
+    };
+    status = do_in_main_thread(
+        FROM_HERE, base::BindOnce(&HearingAidAudioReceiver::OnAudioResume,
+                                  base::Unretained(localAudioReceiver),
+                                  start_dummy_ticks));
+  }
+  if (status != BT_STATUS_SUCCESS) {
+    LOG(ERROR) << __func__
+               << ": HEARING_AID_CTRL_CMD_START: do_in_main_thread err="
+               << status;
+    return false;
   }
   return true;
 }
 
 bool hearing_aid_on_suspend_req() {
-  // hearing_aid_recv_ctrl_data(HEARING_AID_CTRL_CMD_SUSPEND): stop_media_task
-  stop_audio_ticks();
-  if (localAudioReceiver != nullptr) {
-    // Call OnAudioSuspend and block till it returns.
-    std::promise<void> do_suspend_promise;
-    std::future<void> do_suspend_future = do_suspend_promise.get_future();
-    bt_status_t status = do_in_main_thread(
-        FROM_HERE, base::BindOnce(&HearingAidAudioReceiver::OnAudioSuspend,
-                                  base::Unretained(localAudioReceiver),
-                                  std::move(do_suspend_promise)));
-    if (status == BT_STATUS_SUCCESS) {
-      do_suspend_future.wait();
-      return true;
-    } else {
-      LOG(ERROR) << __func__
-                 << ": HEARING_AID_CTRL_CMD_SUSPEND: do_in_main_thread err="
-                 << status;
-    }
-  } else {
+  if (localAudioReceiver == nullptr) {
     LOG(ERROR) << __func__
                << ": HEARING_AID_CTRL_CMD_SUSPEND: audio receiver not started";
+    return false;
   }
-  return false;
+  bt_status_t status = do_in_main_thread(
+      FROM_HERE,
+      base::BindOnce(&HearingAidAudioReceiver::OnAudioSuspend,
+                     base::Unretained(localAudioReceiver), stop_audio_ticks));
+  if (status != BT_STATUS_SUCCESS) {
+    LOG(ERROR) << __func__
+               << ": HEARING_AID_CTRL_CMD_SUSPEND: do_in_main_thread err="
+               << status;
+    return false;
+  }
+  return true;
 }
 }  // namespace
 

bta/hf_client/bta_hf_client_rfc.cc

diff --git a/bta/hf_client/bta_hf_client_rfc.cc b/bta/hf_client/bta_hf_client_rfc.cc
index f3e0947..535371f 100644
--- a/bta/hf_client/bta_hf_client_rfc.cc
+++ b/bta/hf_client/bta_hf_client_rfc.cc
@@ -127,6 +127,7 @@
     } else {
       APPL_TRACE_ERROR("%s: PORT_SUCCESS, ignoring handle = %d", __func__,
                        port_handle);
+      osi_free(p_buf);
       return;
     }
   } else if (client_cb != NULL &&
@@ -136,6 +137,10 @@
 
     RFCOMM_RemoveServer(port_handle);
     p_buf->hdr.event = BTA_HF_CLIENT_RFC_CLOSE_EVT;
+  } else if (client_cb == NULL) {
+    // client_cb is already cleaned due to hfp client disabled.
+    // Assigned a valid event value to header and send this message anyway.
+    p_buf->hdr.event = BTA_HF_CLIENT_RFC_CLOSE_EVT;
   }
 
   p_buf->hdr.layer_specific = client_cb != NULL ? client_cb->handle : 0;

bta/include/bta_hearing_aid_api.h

diff --git a/bta/include/bta_hearing_aid_api.h b/bta/include/bta_hearing_aid_api.h
index 9026262..6c4954b 100644
--- a/bta/include/bta_hearing_aid_api.h
+++ b/bta/include/bta_hearing_aid_api.h
@@ -21,7 +21,6 @@
 #include <base/callback_forward.h>
 #include <hardware/bt_hearing_aid.h>
 #include <deque>
-#include <future>
 #include <vector>
 
 constexpr uint16_t HEARINGAID_MAX_NUM_UUIDS = 1;
@@ -39,8 +38,22 @@
  public:
   virtual ~HearingAidAudioReceiver() = default;
   virtual void OnAudioDataReady(const std::vector<uint8_t>& data) = 0;
-  virtual void OnAudioSuspend(std::promise<void> do_suspend_promise) = 0;
-  virtual void OnAudioResume(std::promise<void> do_resume_promise) = 0;
+
+  // API to stop our feeding timer, and notify hearing aid devices that the
+  // streaming would stop, too.
+  //
+  // @param stop_audio_ticks a callable function calls out to stop the media
+  // timer for reading data.
+  virtual void OnAudioSuspend(
+      const std::function<void()>& stop_audio_ticks) = 0;
+
+  // To notify hearing aid devices to be ready for streaming, and start the
+  // media timer to feed the audio data.
+  //
+  // @param start_audio_ticks a callable function calls out to start a periodic
+  // timer for feeding data from the audio HAL.
+  virtual void OnAudioResume(
+      const std::function<void()>& start_audio_ticks) = 0;
 };
 
 // Number of rssi reads to attempt when requested

bta/jv/bta_jv_act.cc

diff --git a/bta/jv/bta_jv_act.cc b/bta/jv/bta_jv_act.cc
index 462ee9d..2ede5c9 100644
--- a/bta/jv/bta_jv_act.cc
+++ b/bta/jv/bta_jv_act.cc
@@ -362,6 +362,8 @@
   p_cb->cong = false;
   bta_jv_free_sec_id(&p_cb->sec_id);
   p_cb->p_cback = NULL;
+  p_cb->handle = 0;
+  p_cb->l2cap_socket_id = 0;
   return status;
 }
 
@@ -1121,7 +1123,7 @@
 /* stops an L2CAP server */
 void bta_jv_l2cap_stop_server(uint16_t local_psm, uint32_t l2cap_socket_id) {
   for (int i = 0; i < BTA_JV_MAX_L2C_CONN; i++) {
-    if (bta_jv_cb.l2c_cb[i].psm == local_psm) {
+    if (bta_jv_cb.l2c_cb[i].l2cap_socket_id == l2cap_socket_id) {
       tBTA_JV_L2C_CB* p_cb = &bta_jv_cb.l2c_cb[i];
       tBTA_JV_L2CAP_CBACK* p_cback = p_cb->p_cback;
       tBTA_JV_L2CAP_CLOSE evt_data;

btif/Android.bp

diff --git a/btif/Android.bp b/btif/Android.bp
index f33d174..0ecf207 100644
--- a/btif/Android.bp
+++ b/btif/Android.bp
@@ -208,3 +208,36 @@
     ],
     cflags: ["-DBUILDCFG"],
 }
+
+// btif rc unit tests for target
+// ========================================================
+cc_test {
+    name: "net_test_btif_rc",
+    defaults: ["fluoride_defaults"],
+    test_suites: ["device-tests"],
+    host_supported: true,
+    include_dirs: btifCommonIncludes,
+    srcs: [
+        "test/btif_rc_test.cc",
+    ],
+    header_libs: ["libbluetooth_headers"],
+    shared_libs: [
+        "libcrypto",
+        "libcutils",
+        "liblog",
+        "libprotobuf-cpp-lite",
+    ],
+    static_libs: [
+        "libbluetooth-types",
+        "libbt-common",
+        "libbt-protos-lite",
+        "libosi",
+        "libosi-AllocationTestHarness",
+    ],
+    cflags: ["-DBUILDCFG"],
+    sanitize: {
+        address: true,
+        cfi: true,
+        misc_undefined: ["bounds"],
+    },
+}

btif/include/btif_api.h

diff --git a/btif/include/btif_api.h b/btif/include/btif_api.h
index 71acd28..50d833f 100644
--- a/btif/include/btif_api.h
+++ b/btif/include/btif_api.h
@@ -105,7 +105,7 @@
 
 /*******************************************************************************
  *
- * Function         is_single_user_mode_
+ * Function         is_niap_mode
  *
  * Description      Checks if BT was enabled in single user mode. In this
  *                  mode, use of keystore for key attestation of LTK is limitee
@@ -114,7 +114,7 @@
  * Returns          bool
  *
  ******************************************************************************/
-bool is_single_user_mode(void);
+bool is_niap_mode(void);
 
 /*******************************************************************************
  *

btif/include/btif_bqr.h

diff --git a/btif/include/btif_bqr.h b/btif/include/btif_bqr.h
index 4407b0d..ecf69f1 100644
--- a/btif/include/btif_bqr.h
+++ b/btif/include/btif_bqr.h
@@ -67,6 +67,11 @@
 static constexpr uint8_t kCriWarnUnusedCh = 55;
 // The queue size of recording the BQR events.
 static constexpr uint8_t kBqrEventQueueSize = 25;
+// The minimum size of the ROOT_INFLAMMATION event
+// HCI_VENDOR_SPECIFIC_EVT(1) + BQR sub event(1) + BQR report ID(1) +
+// error code(1) + vendor error code(1) = 5
+static constexpr uint8_t kRootInflammationPacketMinSize = 5;
+
 // The Property of BQR event mask configuration.
 static constexpr const char* kpPropertyEventMask =
     "persist.bluetooth.bqr.event_mask";
@@ -90,7 +95,8 @@
   QUALITY_REPORT_ID_MONITOR_MODE = 0x01,
   QUALITY_REPORT_ID_APPROACH_LSTO = 0x02,
   QUALITY_REPORT_ID_A2DP_AUDIO_CHOPPY = 0x03,
-  QUALITY_REPORT_ID_SCO_VOICE_CHOPPY = 0x04
+  QUALITY_REPORT_ID_SCO_VOICE_CHOPPY = 0x04,
+  QUALITY_REPORT_ID_ROOT_INFLAMMATION = 0x05
 };
 
 // Packet Type definition

btif/include/btif_keystore.h

diff --git a/btif/include/btif_keystore.h b/btif/include/btif_keystore.h
index cc06a98..1b3663d 100644
--- a/btif/include/btif_keystore.h
+++ b/btif/include/btif_keystore.h
@@ -70,9 +70,7 @@
  private:
   std::unique_ptr<keystore::KeystoreClient> keystore_client_;
   std::mutex api_mutex_;
-  keystore::KeyStoreNativeReturnCode GenerateKey(const std::string& name,
-                                                 int32_t flags,
-                                                 bool auth_bound);
+  bool GenerateKey(const std::string& name, int32_t flags);
 };
 
 }  // namespace bluetooth

btif/src/bluetooth.cc

diff --git a/btif/src/bluetooth.cc b/btif/src/bluetooth.cc
index 9c71422..b1d0c9a 100644
--- a/btif/src/bluetooth.cc
+++ b/btif/src/bluetooth.cc
@@ -81,7 +81,7 @@
 
 bt_callbacks_t* bt_hal_cbacks = NULL;
 bool restricted_mode = false;
-bool single_user_mode = false;
+bool niap_mode = false;
 bool is_local_device_atv = false;
 
 /*******************************************************************************
@@ -135,9 +135,9 @@
  ****************************************************************************/
 
 static int init(bt_callbacks_t* callbacks, bool start_restricted,
-                bool is_single_user_mode, bool is_atv) {
-  LOG_INFO(LOG_TAG, "%s: start restricted = %d ; single user = %d", __func__,
-           start_restricted, is_single_user_mode);
+                bool is_niap_mode, bool is_atv) {
+  LOG_INFO(LOG_TAG, "%s: start restricted = %d ; niap = %d", __func__,
+           start_restricted, is_niap_mode);
 
   if (interface_ready()) return BT_STATUS_DONE;
 
@@ -147,7 +147,7 @@
 
   bt_hal_cbacks = callbacks;
   restricted_mode = start_restricted;
-  single_user_mode = is_single_user_mode;
+  niap_mode = is_niap_mode;
   is_local_device_atv = is_atv;
   stack_manager_get_interface()->init_stack();
   btif_debug_init();
@@ -171,7 +171,7 @@
 static void cleanup(void) { stack_manager_get_interface()->clean_up_stack(); }
 
 bool is_restricted_mode() { return restricted_mode; }
-bool is_single_user_mode() { return single_user_mode; }
+bool is_niap_mode() { return niap_mode; }
 
 bool is_atv_device() { return is_local_device_atv; }
 

btif/src/btif_a2dp_sink.cc

diff --git a/btif/src/btif_a2dp_sink.cc b/btif/src/btif_a2dp_sink.cc
index bb1bc49..aa75d21 100644
--- a/btif/src/btif_a2dp_sink.cc
+++ b/btif/src/btif_a2dp_sink.cc
@@ -667,7 +667,6 @@
   LOG_INFO(LOG_TAG, "%s: state=%d", __func__, state);
   LockGuard lock(g_mutex);
 
-  if (!btif_av_is_connected()) return;
   APPL_TRACE_DEBUG("%s: setting focus state to %d", __func__, state);
   btif_a2dp_sink_cb.rx_focus_state = state;
   if (btif_a2dp_sink_cb.rx_focus_state == BTIF_A2DP_SINK_FOCUS_NOT_GRANTED) {

btif/src/btif_config.cc

diff --git a/btif/src/btif_config.cc b/btif/src/btif_config.cc
index ed24d7d..277671c 100644
--- a/btif/src/btif_config.cc
+++ b/btif/src/btif_config.cc
@@ -20,6 +20,7 @@
 
 #include "btif_config.h"
 
+#include <base/base64.h>
 #include <base/logging.h>
 #include <ctype.h>
 #include <openssl/rand.h>
@@ -60,8 +61,8 @@
 
 constexpr int kBufferSize = 400 * 10;  // initial file is ~400B
 
-static bool use_key_attestation() {
-  return getuid() == AID_BLUETOOTH && is_single_user_mode();
+static bool btif_is_niap_mode() {
+  return getuid() == AID_BLUETOOTH && is_niap_mode();
 }
 
 #define BT_CONFIG_METRICS_SECTION "Metrics"
@@ -93,10 +94,22 @@
 static std::unique_ptr<config_t> btif_config_open(const char* filename, const char* checksum_filename);
 
 // Key attestation
+static std::string btif_convert_to_encrypt_key(
+    const std::string& unencrypt_str);
+static std::string btif_convert_to_unencrypt_key(
+    const std::string& encrypt_str);
+static bool btif_in_encrypt_key_name_list(std::string key);
+static bool btif_is_key_encrypted(int key_from_config_size,
+                                  std::string key_type_string);
 static std::string hash_file(const char* filename);
 static std::string read_checksum_file(const char* filename);
 static void write_checksum_file(const char* filename, const std::string& hash);
 
+static const int ENCRYPT_KEY_NAME_LIST_SIZE = 7;
+static const std::string encrypt_key_name_list[] = {
+    "LinkKey",      "LE_KEY_PENC", "LE_KEY_PID",  "LE_KEY_LID",
+    "LE_KEY_PCSRK", "LE_KEY_LENC", "LE_KEY_LCSRK"};
+
 static enum ConfigSource {
   NOT_LOADED,
   ORIGINAL,
@@ -183,9 +196,7 @@
 static future_t* init(void) {
   std::unique_lock<std::recursive_mutex> lock(config_lock);
 
-  if (is_factory_reset() ||
-      (use_key_attestation() && !btif_keystore.DoesKeyExist()))
-    delete_config_files();
+  if (is_factory_reset()) delete_config_files();
 
   std::string file_source;
 
@@ -271,7 +282,8 @@
   std::string stored_hash = read_checksum_file(checksum_filename);
   if (stored_hash.empty()) {
     LOG(ERROR) << __func__ << ": stored_hash=<empty>";
-    if (!current_hash.empty()) {
+    // Will encrypt once since the bt_config never encrypt.
+    if (!btif_keystore.DoesKeyExist() && !current_hash.empty()) {
       write_checksum_file(checksum_filename, current_hash);
       stored_hash = read_checksum_file(checksum_filename);
     }
@@ -408,14 +420,29 @@
   CHECK(length != NULL);
 
   std::unique_lock<std::recursive_mutex> lock(config_lock);
-  const std::string* value_str = config_get_string(*config, section, key, NULL);
+  const std::string* value_str;
+  const std::string* value_str_from_config =
+      config_get_string(*config, section, key, NULL);
 
-  if (!value_str) {
+  if (!value_str_from_config) {
     VLOG(1) << __func__ << ": cannot find string for section " << section
             << ", key " << key;
     return false;
   }
 
+  bool in_encrypt_key_name_list = btif_in_encrypt_key_name_list(key);
+  bool is_key_encrypted =
+      btif_is_key_encrypted(value_str_from_config->size(), key);
+
+  if (in_encrypt_key_name_list && is_key_encrypted) {
+    VLOG(2) << __func__ << " decrypt section: " << section << " key:" << key;
+    std::string tmp_value_str =
+        btif_convert_to_unencrypt_key(*value_str_from_config);
+    value_str = &tmp_value_str;
+  } else {
+    value_str = value_str_from_config;
+  }
+
   size_t value_len = value_str->length();
   if ((value_len % 2) != 0 || *length < (value_len / 2)) {
     LOG(WARNING) << ": value size not divisible by 2, size is " << value_len;
@@ -429,12 +456,72 @@
     }
 
   const char* ptr = value_str->c_str();
-  for (*length = 0; *ptr; ptr += 2, *length += 1)
+  for (*length = 0; *ptr; ptr += 2, *length += 1) {
     sscanf(ptr, "%02hhx", &value[*length]);
+  }
+
+  if (btif_is_niap_mode()) {
+    if (in_encrypt_key_name_list && !is_key_encrypted) {
+      VLOG(2) << __func__ << " encrypt section: " << section << " key:" << key;
+      std::string encrypt_str =
+          btif_convert_to_encrypt_key(*value_str_from_config);
+      config_set_string(config.get(), section, key, encrypt_str);
+    }
+  } else {
+    if (in_encrypt_key_name_list && is_key_encrypted) {
+      config_set_string(config.get(), section, key, value_str->c_str());
+    }
+  }
 
   return true;
 }
 
+static bool btif_in_encrypt_key_name_list(std::string key) {
+  return std::find(encrypt_key_name_list,
+                   encrypt_key_name_list + ENCRYPT_KEY_NAME_LIST_SIZE,
+                   key) != (encrypt_key_name_list + ENCRYPT_KEY_NAME_LIST_SIZE);
+}
+
+static bool btif_is_key_encrypted(int key_from_config_size,
+                                  std::string key_type_string) {
+  if (key_type_string.compare("LinkKey") == 0) {
+    return sizeof(LinkKey) * 2 != key_from_config_size;
+  } else if (key_type_string.compare("LE_KEY_PENC") == 0) {
+    return sizeof(tBTM_LE_PENC_KEYS) * 2 != key_from_config_size;
+  } else if (key_type_string.compare("LE_KEY_PID") == 0) {
+    return sizeof(tBTM_LE_PID_KEYS) * 2 != key_from_config_size;
+  } else if (key_type_string.compare("LE_KEY_LID") == 0) {
+    return sizeof(tBTM_LE_PID_KEYS) * 2 != key_from_config_size;
+  } else if (key_type_string.compare("LE_KEY_PCSRK") == 0) {
+    return sizeof(tBTM_LE_PCSRK_KEYS) * 2 != key_from_config_size;
+  } else if (key_type_string.compare("LE_KEY_LENC") == 0) {
+    return sizeof(tBTM_LE_LENC_KEYS) * 2 != key_from_config_size;
+  } else if (key_type_string.compare("LE_KEY_LCSRK") == 0) {
+    return sizeof(tBTM_LE_LCSRK_KEYS) * 2 != key_from_config_size;
+  } else {
+    VLOG(2) << __func__ << ": " << key_type_string
+            << " Key type is unknown, return false first";
+    return false;
+  }
+}
+
+static std::string btif_convert_to_unencrypt_key(
+    const std::string& encrypt_str) {
+  if (!encrypt_str.empty()) {
+    std::string tmp_encrypt_str("");
+    if (base::Base64Decode(encrypt_str, &tmp_encrypt_str)) {
+      std::string unencrypt_str = btif_keystore.Decrypt(tmp_encrypt_str);
+      if (!unencrypt_str.empty()) {
+        return unencrypt_str;
+      }
+    } else {
+      LOG(WARNING) << __func__
+                   << ": base64string decode fail, will return empty string";
+    }
+  }
+  return "";
+}
+
 size_t btif_config_get_bin_length(const std::string& section,
                                   const std::string& key) {
   CHECK(config != NULL);
@@ -468,15 +555,37 @@
     str[(i * 2) + 1] = lookup[value[i] & 0x0F];
   }
 
+  std::string value_str;
+  if (btif_is_niap_mode() && btif_in_encrypt_key_name_list(key)) {
+    VLOG(2) << __func__ << " encrypt section: " << section << " key:" << key;
+    value_str = btif_convert_to_encrypt_key(str);
+  } else {
+    value_str = str;
+  }
+
   {
     std::unique_lock<std::recursive_mutex> lock(config_lock);
-    config_set_string(config.get(), section, key, str);
+    config_set_string(config.get(), section, key, value_str);
   }
 
   osi_free(str);
   return true;
 }
 
+static std::string btif_convert_to_encrypt_key(
+    const std::string& unencrypt_str) {
+  if (!unencrypt_str.empty()) {
+    std::string encrypt_str = btif_keystore.Encrypt(unencrypt_str, 0);
+    if (!encrypt_str.empty()) {
+      base::Base64Encode(encrypt_str, &encrypt_str);
+      return encrypt_str;
+    } else {
+      LOG(ERROR) << __func__ << ": Encrypt fail, will return empty str.";
+    }
+  }
+  return "";
+}
+
 std::list<section_t>& btif_config_sections() { return config->sections; }
 
 bool btif_config_remove(const std::string& section, const std::string& key) {
@@ -643,7 +752,7 @@
 }
 
 static std::string hash_file(const char* filename) {
-  if (!use_key_attestation()) {
+  if (!btif_is_niap_mode()) {
     LOG(INFO) << __func__ << ": Disabled for multi-user";
     return DISABLED;
   }
@@ -671,7 +780,7 @@
 }
 
 static std::string read_checksum_file(const char* checksum_filename) {
-  if (!use_key_attestation()) {
+  if (!btif_is_niap_mode()) {
     LOG(INFO) << __func__ << ": Disabled for multi-user";
     return DISABLED;
   }
@@ -685,7 +794,7 @@
 
 static void write_checksum_file(const char* checksum_filename,
                                 const std::string& hash) {
-  if (!use_key_attestation()) {
+  if (!btif_is_niap_mode()) {
     LOG(INFO) << __func__
               << ": Disabled for multi-user, since config changed removing "
                  "checksums.";

btif/src/btif_keystore.cc

diff --git a/btif/src/btif_keystore.cc b/btif/src/btif_keystore.cc
index 0af03e1..1bf2c0f 100644
--- a/btif/src/btif_keystore.cc
+++ b/btif/src/btif_keystore.cc
@@ -17,6 +17,8 @@
  ******************************************************************************/
 
 #include "btif_keystore.h"
+#include "keystore_client.pb.h"
+#include "string.h"
 
 #include <base/files/file_util.h>
 #include <base/logging.h>
@@ -29,7 +31,9 @@
 using namespace keystore;
 using namespace bluetooth;
 
-constexpr char kKeyStore[] = "AndroidKeystore";
+const std::string kKeyStore = "bluetooth-key-encrypted";
+constexpr uint32_t kAESKeySize = 256;     // bits
+constexpr uint32_t kMACOutputSize = 128;  // bits
 
 namespace bluetooth {
 
@@ -43,19 +47,45 @@
     LOG(ERROR) << __func__ << ": empty data";
     return output;
   }
-  if (!keystore_client_->doesKeyExist(kKeyStore)) {
-    auto gen_result = GenerateKey(kKeyStore, 0, false);
-    if (!gen_result.isOk()) {
-      LOG(FATAL) << "EncryptWithAuthentication Failed: generateKey response="
-                 << gen_result;
-      return output;
-    }
-  }
-  if (!keystore_client_->encryptWithAuthentication(kKeyStore, data, flags,
-                                                   &output)) {
-    LOG(FATAL) << "EncryptWithAuthentication failed.";
+  if (!GenerateKey(kKeyStore, flags)) {
     return output;
   }
+
+  AuthorizationSetBuilder encrypt_params;
+  encrypt_params.Authorization(TAG_BLOCK_MODE, BlockMode::GCM)
+      .Authorization(TAG_MAC_LENGTH, kMACOutputSize)
+      .Padding(PaddingMode::NONE);
+  AuthorizationSet output_params;
+  std::string raw_encrypted_data;
+  if (!keystore_client_->oneShotOperation(
+          KeyPurpose::ENCRYPT, kKeyStore, encrypt_params, data,
+          std::string() /* signature_to_verify */, &output_params,
+          &raw_encrypted_data)) {
+    LOG(ERROR) << __func__ << ": AES operation failed.";
+    return output;
+  }
+  auto init_vector_blob = output_params.GetTagValue(TAG_NONCE);
+  if (!init_vector_blob.isOk()) {
+    LOG(ERROR) << __func__ << ": Missing initialization vector.";
+    return output;
+  }
+
+  const hidl_vec<uint8_t>& value = init_vector_blob.value();
+  std::string init_vector =
+      std::string(reinterpret_cast<const std::string::value_type*>(&value[0]),
+                  value.size());
+
+  if (memcmp(&init_vector_blob, &init_vector, init_vector.length()) == 0) {
+    LOG(ERROR) << __func__
+               << ": Protobuf nonce data doesn't match the actual nonce.";
+  }
+
+  EncryptedData protobuf;
+  protobuf.set_init_vector(init_vector);
+  protobuf.set_encrypted_data(raw_encrypted_data);
+  if (!protobuf.SerializeToString(&output)) {
+    LOG(ERROR) << __func__ << ": Failed to serialize EncryptedData protobuf.";
+  }
   return output;
 }
 
@@ -66,36 +96,49 @@
     return "";
   }
   std::string output;
-  if (!keystore_client_->decryptWithAuthentication(kKeyStore, input, &output)) {
-    LOG(FATAL) << "DecryptWithAuthentication failed.\n";
+  EncryptedData protobuf;
+  if (!protobuf.ParseFromString(input)) {
+    LOG(ERROR) << __func__ << ": Failed to parse EncryptedData protobuf.";
+    return output;
+  }
+  AuthorizationSetBuilder encrypt_params;
+  encrypt_params.Authorization(TAG_BLOCK_MODE, BlockMode::GCM)
+      .Authorization(TAG_MAC_LENGTH, kMACOutputSize)
+      .Authorization(TAG_NONCE, protobuf.init_vector().data(),
+                     protobuf.init_vector().size())
+      .Padding(PaddingMode::NONE);
+  AuthorizationSet output_params;
+  if (!keystore_client_->oneShotOperation(
+          KeyPurpose::DECRYPT, kKeyStore, encrypt_params,
+          protobuf.encrypted_data(), std::string() /* signature_to_verify */,
+          &output_params, &output)) {
+    LOG(ERROR) << __func__ << ": AES operation failed.";
   }
   return output;
 }
 
-// Note: auth_bound keys created with this tool will not be usable.
-KeyStoreNativeReturnCode BtifKeystore::GenerateKey(const std::string& name,
-                                                   int32_t flags,
-                                                   bool auth_bound) {
-  AuthorizationSetBuilder params;
-  params.RsaSigningKey(2048, 65537)
-      .Digest(Digest::SHA_2_224)
-      .Digest(Digest::SHA_2_256)
-      .Digest(Digest::SHA_2_384)
-      .Digest(Digest::SHA_2_512)
-      .Padding(PaddingMode::RSA_PKCS1_1_5_SIGN)
-      .Padding(PaddingMode::RSA_PSS);
-  if (auth_bound) {
-    // Gatekeeper normally generates the secure user id.
-    // Using zero allows the key to be created, but it will not be usuable.
-    params.Authorization(TAG_USER_SECURE_ID, 0);
-  } else {
-    params.Authorization(TAG_NO_AUTH_REQUIRED);
+bool BtifKeystore::GenerateKey(const std::string& name, int32_t flags) {
+  if (!DoesKeyExist()) {
+    AuthorizationSetBuilder params;
+    params.AesEncryptionKey(kAESKeySize)
+        .Authorization(TAG_NO_AUTH_REQUIRED)
+        .Authorization(TAG_BLOCK_MODE, BlockMode::GCM)
+        .Authorization(TAG_PURPOSE, KeyPurpose::ENCRYPT)
+        .Authorization(TAG_PURPOSE, KeyPurpose::DECRYPT)
+        .Padding(PaddingMode::NONE)
+        .Authorization(TAG_MIN_MAC_LENGTH, kMACOutputSize);
+    AuthorizationSet hardware_enforced_characteristics;
+    AuthorizationSet software_enforced_characteristics;
+    auto result = keystore_client_->generateKey(
+        name, params, flags, &hardware_enforced_characteristics,
+        &software_enforced_characteristics);
+    if (!result.isOk()) {
+      LOG(FATAL) << __func__ << "Failed to generate key: name: " << name
+                 << ", error code: " << result.getErrorCode();
+      return false;
+    }
   }
-  AuthorizationSet hardware_enforced_characteristics;
-  AuthorizationSet software_enforced_characteristics;
-  return keystore_client_->generateKey(name, params, flags,
-                                       &hardware_enforced_characteristics,
-                                       &software_enforced_characteristics);
+  return true;
 }
 
 bool BtifKeystore::DoesKeyExist() {

btif/src/btif_profile_queue.cc

diff --git a/btif/src/btif_profile_queue.cc b/btif/src/btif_profile_queue.cc
index 41275f1..900a6af 100644
--- a/btif/src/btif_profile_queue.cc
+++ b/btif/src/btif_profile_queue.cc
@@ -195,7 +195,14 @@
 
   LOG_INFO(LOG_TAG, "%s: executing connection request: %s", __func__,
            head.ToString().c_str());
-  return head.connect();
+  bt_status_t b_status = head.connect();
+  if (b_status != BT_STATUS_SUCCESS) {
+    LOG_INFO(LOG_TAG,
+             "%s: connect %s failed, advance to next scheduled connection.",
+             __func__, head.ToString().c_str());
+    btif_queue_advance();
+  }
+  return b_status;
 }
 
 /*******************************************************************************

btif/src/btif_rc.cc

diff --git a/btif/src/btif_rc.cc b/btif/src/btif_rc.cc
index 9919a7b..575d83e 100644
--- a/btif/src/btif_rc.cc
+++ b/btif/src/btif_rc.cc
@@ -1836,6 +1836,12 @@
   BTIF_TRACE_DEBUG("%s", __func__);
   CHECK_RC_CONNECTED(p_dev);
 
+  if (num_attr > BTRC_MAX_ELEM_ATTR_SIZE) {
+    LOG(WARNING) << __func__
+                 << " Exceeded number attributes:" << static_cast<int>(num_attr)
+                 << " max:" << BTRC_MAX_ELEM_ATTR_SIZE;
+    num_attr = BTRC_MAX_ELEM_ATTR_SIZE;
+  }
   memset(element_attrs, 0, sizeof(tAVRC_ATTR_ENTRY) * num_attr);
 
   if (num_attr == 0) {
@@ -1844,7 +1850,8 @@
     for (i = 0; i < num_attr; i++) {
       element_attrs[i].attr_id = p_attrs[i].attr_id;
       element_attrs[i].name.charset_id = AVRC_CHARSET_ID_UTF8;
-      element_attrs[i].name.str_len = (uint16_t)strlen((char*)p_attrs[i].text);
+      element_attrs[i].name.str_len =
+          (uint16_t)strnlen((char*)p_attrs[i].text, BTRC_MAX_ATTR_STR_LEN);
       element_attrs[i].name.p_str = p_attrs[i].text;
       BTIF_TRACE_DEBUG(
           "%s: attr_id: 0x%x, charset_id: 0x%x, str_len: %d, str: %s", __func__,
@@ -2939,11 +2946,12 @@
     return;
   }
   // interval is only valid for AVRC_EVT_PLAY_POS_CHANGED
-  uint32_t interval = 0;
+  uint32_t interval_in_seconds = 0;
   if (p_event->event_id == AVRC_EVT_PLAY_POS_CHANGED) {
-    interval = 2000;
+    interval_in_seconds = 2;
   }
-  status = register_notification_cmd(p_transaction->lbl, p_event->event_id, interval, p_dev);
+  status = register_notification_cmd(p_transaction->lbl, p_event->event_id,
+                                     interval_in_seconds, p_dev);
   if (status != BT_STATUS_SUCCESS) {
     BTIF_TRACE_ERROR("%s: Error in Notification registration: %d", __func__,
                      status);
@@ -3152,11 +3160,10 @@
           break;
         } else {
           uint8_t* p_data = p_rsp->param.track;
-          /* Update the UID for current track
-           * Attributes will be fetched after the AVRCP procedure
-           */
           BE_STREAM_TO_UINT64(p_dev->rc_playing_uid, p_data);
           get_play_status_cmd(p_dev);
+          get_element_attribute_cmd(AVRC_MAX_NUM_MEDIA_ATTR_ID, attr_list,
+                                    p_dev);
         }
         break;
 
@@ -3336,6 +3343,8 @@
     rc_ctrl_procedure_complete(p_dev);
     return;
   }
+  p_dev->rc_app_settings.num_attrs = 0;
+  p_dev->rc_app_settings.num_ext_attrs = 0;
 
   for (xx = 0; xx < p_rsp->num_attr; xx++) {
     uint8_t st_index;
@@ -3809,6 +3818,10 @@
   if (p_rsp->status == AVRC_STS_NO_ERROR) {
     do_in_jni_thread(
         FROM_HERE,
+        base::Bind(bt_rc_ctrl_callbacks->play_status_changed_cb, p_dev->rc_addr,
+                   (btrc_play_status_t)p_rsp->play_status));
+    do_in_jni_thread(
+        FROM_HERE,
         base::Bind(bt_rc_ctrl_callbacks->play_position_changed_cb,
                    p_dev->rc_addr, p_rsp->song_len, p_rsp->song_pos));
   } else {
@@ -3907,6 +3920,12 @@
                    /* We want to make the ownership explicit in native */
                    btrc_items, item_count));
 
+    if (item_count > 0) {
+      if (btrc_items[0].item_type == AVRC_ITEM_PLAYER &&
+          (p_dev->rc_features & BTA_AV_FEAT_APP_SETTING)) {
+        list_player_app_setting_attrib_cmd(p_dev);
+      }
+    }
     /* Release the memory block for items and attributes allocated here.
      * Since the executor for do_in_jni_thread is a Single Thread Task Runner it
      * is okay to queue up the cleanup of btrc_items */

btif/src/btif_sock_l2cap.cc

diff --git a/btif/src/btif_sock_l2cap.cc b/btif/src/btif_sock_l2cap.cc
index 5d333d1..fa59d87 100644
--- a/btif/src/btif_sock_l2cap.cc
+++ b/btif/src/btif_sock_l2cap.cc
@@ -97,6 +97,7 @@
 static std::mutex state_lock;
 
 l2cap_socket* socks = NULL;
+static uint32_t last_sock_id = 0;
 static uid_set_t* uid_set = NULL;
 static int pth = -1;
 
@@ -254,6 +255,11 @@
     }
     if ((sock->channel >= 0) && (sock->server)) {
       BTA_JvFreeChannel(sock->channel, BTA_JV_CONN_TYPE_L2CAP_LE);
+      if (!sock->fixed_chan) {
+        VLOG(2) << __func__ << ": stopping L2CAP LE COC server channel "
+                << sock->channel;
+        BTA_JvL2capStopServer(sock->channel, sock->id);
+      }
     }
   } else {
     // Only call if we are non server connections
@@ -322,7 +328,7 @@
   sock->next = socks;
   sock->prev = NULL;
   if (socks) socks->prev = sock;
-  sock->id = (socks ? socks->id : 0) + 1;
+  sock->id = last_sock_id + 1;
   sock->tx_bytes = 0;
   sock->rx_bytes = 0;
   socks = sock;
@@ -340,6 +346,7 @@
     if (!++sock->id) /* no zero IDs allowed */
       sock->id++;
   }
+  last_sock_id = sock->id;
   DVLOG(2) << __func__ << " SOCK_LIST: alloc id:" << sock->id;
   return sock;
 

btif/test/btif_profile_queue_test.cc

diff --git a/btif/test/btif_profile_queue_test.cc b/btif/test/btif_profile_queue_test.cc
index 486959b..af0255b 100644
--- a/btif/test/btif_profile_queue_test.cc
+++ b/btif/test/btif_profile_queue_test.cc
@@ -97,6 +97,49 @@
   EXPECT_EQ(sResult, UUID1_ADDR1);
 }
 
+static bt_status_t test_connect_cb_fail(RawAddress* bda, uint16_t uuid) {
+  sResult = UNKNOWN;
+  if (*bda == BtifProfileQueueTest::kTestAddr1) {
+    if (uuid == BtifProfileQueueTest::kTestUuid1) {
+      sResult = UUID1_ADDR1;
+    } else if (uuid == BtifProfileQueueTest::kTestUuid2) {
+      sResult = UUID2_ADDR1;
+    }
+  } else if (*bda == BtifProfileQueueTest::kTestAddr2) {
+    if (uuid == BtifProfileQueueTest::kTestUuid1) {
+      sResult = UUID1_ADDR2;
+    } else if (uuid == BtifProfileQueueTest::kTestUuid2) {
+      sResult = UUID2_ADDR2;
+    }
+  }
+  return BT_STATUS_BUSY;
+}
+
+TEST_F(BtifProfileQueueTest, test_connect_fail_still_can_advance_the_queue) {
+  sResult = NOT_SET;
+  // First connect-message for UUID1-ADDR1 is executed, but does not be removed
+  // from connect-queue yet.
+  btif_queue_connect(kTestUuid1, &kTestAddr1, test_connect_cb);
+  EXPECT_EQ(sResult, UUID1_ADDR1);
+  sResult = NOT_SET;
+  // Second connect-message for UUID2-ADDR1 be pushed into connect-queue, but is
+  // not executed
+  btif_queue_connect(kTestUuid2, &kTestAddr1, test_connect_cb_fail);
+  EXPECT_EQ(sResult, NOT_SET);
+  // Third connect-message for UUID1-ADDR2 be pushed into connect-queue, but is
+  // not executed
+  btif_queue_connect(kTestUuid1, &kTestAddr2, test_connect_cb_fail);
+  EXPECT_EQ(sResult, NOT_SET);
+  // Fourth connect-message for UUID2-ADDR2 be pushed into connect-queue, but is
+  // not executed
+  btif_queue_connect(kTestUuid2, &kTestAddr2, test_connect_cb_fail);
+  EXPECT_EQ(sResult, NOT_SET);
+  // removed First connect-message from connect-queue, check it can advance to
+  // subsequent connect-message.
+  btif_queue_advance();
+  EXPECT_EQ(sResult, UUID2_ADDR2);
+}
+
 TEST_F(BtifProfileQueueTest, test_connect_same_uuid_do_not_repeat) {
   sResult = NOT_SET;
   btif_queue_connect(kTestUuid1, &kTestAddr1, test_connect_cb);

btif/test/btif_rc_test.cc

diff --git a/btif/test/btif_rc_test.cc b/btif/test/btif_rc_test.cc
new file mode 100644
index 0000000..6271881
--- /dev/null
+++ b/btif/test/btif_rc_test.cc
@@ -0,0 +1,131 @@
+/*
+ * Copyright 2020 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include <base/logging.h>
+#include <gtest/gtest.h>
+#include <stdio.h>
+#include <cstdint>
+
+#include "bta/include/bta_av_api.h"
+#include "btif/include/btif_common.h"
+#include "device/include/interop.h"
+#include "include/hardware/bt_rc.h"
+#include "osi/test/AllocationTestHarness.h"
+#include "stack/include/btm_api_types.h"
+#include "types/raw_address.h"
+#undef LOG_TAG
+#include "btif/src/btif_rc.cc"
+
+extern void allocation_tracker_uninit(void);
+
+namespace {
+int AVRC_BldResponse_ = 0;
+}  // namespace
+
+uint8_t appl_trace_level = BT_TRACE_LEVEL_WARNING;
+uint8_t btif_trace_level = BT_TRACE_LEVEL_WARNING;
+
+tAVRC_STS AVRC_BldCommand(tAVRC_COMMAND* p_cmd, BT_HDR** pp_pkt) { return 0; }
+tAVRC_STS AVRC_BldResponse(uint8_t handle, tAVRC_RESPONSE* p_rsp,
+                           BT_HDR** pp_pkt) {
+  AVRC_BldResponse_++;
+  return 0;
+}
+tAVRC_STS AVRC_Ctrl_ParsCommand(tAVRC_MSG* p_msg, tAVRC_COMMAND* p_result) {
+  return 0;
+}
+tAVRC_STS AVRC_Ctrl_ParsResponse(tAVRC_MSG* p_msg, tAVRC_RESPONSE* p_result,
+                                 uint8_t* p_buf, uint16_t* buf_len) {
+  return 0;
+}
+tAVRC_STS AVRC_ParsCommand(tAVRC_MSG* p_msg, tAVRC_COMMAND* p_result,
+                           uint8_t* p_buf, uint16_t buf_len) {
+  return 0;
+}
+tAVRC_STS AVRC_ParsResponse(tAVRC_MSG* p_msg, tAVRC_RESPONSE* p_result,
+                            UNUSED_ATTR uint8_t* p_buf,
+                            UNUSED_ATTR uint16_t buf_len) {
+  return 0;
+}
+void BTA_AvCloseRc(uint8_t rc_handle) {}
+void BTA_AvMetaCmd(uint8_t rc_handle, uint8_t label, tBTA_AV_CMD cmd_code,
+                   BT_HDR* p_pkt) {}
+void BTA_AvMetaRsp(uint8_t rc_handle, uint8_t label, tBTA_AV_CODE rsp_code,
+                   BT_HDR* p_pkt) {}
+void BTA_AvRemoteCmd(uint8_t rc_handle, uint8_t label, tBTA_AV_RC rc_id,
+                     tBTA_AV_STATE key_state) {}
+void BTA_AvRemoteVendorUniqueCmd(uint8_t rc_handle, uint8_t label,
+                                 tBTA_AV_STATE key_state, uint8_t* p_msg,
+                                 uint8_t buf_len) {}
+void BTA_AvVendorCmd(uint8_t rc_handle, uint8_t label, tBTA_AV_CODE cmd_code,
+                     uint8_t* p_data, uint16_t len) {}
+void BTA_AvVendorRsp(uint8_t rc_handle, uint8_t label, tBTA_AV_CODE rsp_code,
+                     uint8_t* p_data, uint16_t len, uint32_t company_id) {}
+void btif_av_clear_remote_suspend_flag(void) {}
+bool btif_av_is_connected(void) { return false; }
+bool btif_av_is_sink_enabled(void) { return false; }
+RawAddress btif_av_sink_active_peer(void) { return RawAddress(); }
+RawAddress btif_av_source_active_peer(void) { return RawAddress(); }
+bool btif_av_stream_started_ready(void) { return false; }
+bt_status_t btif_transfer_context(tBTIF_CBACK* p_cback, uint16_t event,
+                                  char* p_params, int param_len,
+                                  tBTIF_COPY_CBACK* p_copy_cback) {
+  return BT_STATUS_SUCCESS;
+}
+const char* dump_rc_event(uint8_t event) { return nullptr; }
+const char* dump_rc_notification_event_id(uint8_t event_id) { return nullptr; }
+const char* dump_rc_pdu(uint8_t pdu) { return nullptr; }
+bt_status_t do_in_jni_thread(const base::Location& from_here,
+                             base::OnceClosure task) {
+  return BT_STATUS_SUCCESS;
+}
+base::MessageLoop* get_main_message_loop() { return nullptr; }
+bool interop_match_addr(const interop_feature_t feature,
+                        const RawAddress* addr) {
+  return false;
+}
+void LogMsg(uint32_t trace_set_mask, const char* fmt_str, ...) {}
+
+/**
+ * Test class to test selected functionality in hci/src/hci_layer.cc
+ */
+class BtifRcTest : public AllocationTestHarness {
+ protected:
+  void SetUp() override {
+    AllocationTestHarness::SetUp();
+    // Disable our allocation tracker to allow ASAN full range
+    allocation_tracker_uninit();
+  }
+
+  void TearDown() override { AllocationTestHarness::TearDown(); }
+};
+
+TEST_F(BtifRcTest, get_element_attr_rsp) {
+  RawAddress bd_addr;
+
+  btif_rc_cb.rc_multi_cb[0].rc_addr = bd_addr;
+  btif_rc_cb.rc_multi_cb[0].rc_connected = true;
+  btif_rc_cb.rc_multi_cb[0]
+      .rc_pdu_info[IDX_GET_ELEMENT_ATTR_RSP]
+      .is_rsp_pending = true;
+  btif_rc_cb.rc_multi_cb[0].rc_state = BTRC_CONNECTION_STATE_CONNECTED;
+
+  btrc_element_attr_val_t p_attrs[BTRC_MAX_ELEM_ATTR_SIZE];
+  uint8_t num_attr = BTRC_MAX_ELEM_ATTR_SIZE + 1;
+
+  CHECK(get_element_attr_rsp(bd_addr, num_attr, p_attrs) == BT_STATUS_SUCCESS);
+  CHECK(AVRC_BldResponse_ == 1);
+}

device/include/controller.h

diff --git a/device/include/controller.h b/device/include/controller.h
index c1fe337..f1c85aa 100644
--- a/device/include/controller.h
+++ b/device/include/controller.h
@@ -85,6 +85,7 @@
   uint8_t (*get_ble_resolving_list_max_size)(void);
   void (*set_ble_resolving_list_max_size)(int resolving_list_max_size);
   uint8_t* (*get_local_supported_codecs)(uint8_t* number_of_codecs);
+  bool (*supports_ble_offload_features)(void);
   uint8_t (*get_le_all_initiating_phys)(void);
 
 } controller_t;

device/src/controller.cc

diff --git a/device/src/controller.cc b/device/src/controller.cc
index 34c8afd..6525c14 100644
--- a/device/src/controller.cc
+++ b/device/src/controller.cc
@@ -22,6 +22,7 @@
 
 #include <base/logging.h>
 
+#include "bt_target.h"
 #include "bt_types.h"
 #include "btcore/include/event_mask.h"
 #include "btcore/include/module.h"
@@ -84,6 +85,7 @@
 
 static bool readable;
 static bool ble_supported;
+static bool ble_offload_features_supported;
 static bool simple_pairing_supported;
 static bool secure_connections_supported;
 
@@ -126,6 +128,9 @@
       AWAIT_COMMAND(packet_factory->make_read_local_supported_commands());
   packet_parser->parse_read_local_supported_commands_response(
       response, supported_commands, HCI_SUPPORTED_COMMANDS_ARRAY_SIZE);
+#if (BTM_SCO_ENHANCED_SYNC_ENABLED == FALSE)
+  supported_commands[29] &= ~0x08;
+#endif
 
   // Read page 0 of the controller features next
   uint8_t page_number = 0;
@@ -178,14 +183,19 @@
     page_number++;
   }
 
+  // read BLE offload features support from controller
+  response = AWAIT_COMMAND(packet_factory->make_ble_read_offload_features_support());
+  packet_parser->parse_ble_read_offload_features_response(response, &ble_offload_features_supported);
 #if (SC_MODE_INCLUDED == TRUE)
-  secure_connections_supported =
-      HCI_SC_CTRLR_SUPPORTED(features_classic[2].as_array);
-  if (secure_connections_supported) {
-    response = AWAIT_COMMAND(
-        packet_factory->make_write_secure_connections_host_support(
-            HCI_SC_MODE_ENABLED));
-    packet_parser->parse_generic_command_complete(response);
+  if(ble_offload_features_supported) {
+    secure_connections_supported =
+        HCI_SC_CTRLR_SUPPORTED(features_classic[2].as_array);
+    if (secure_connections_supported) {
+      response = AWAIT_COMMAND(
+          packet_factory->make_write_secure_connections_host_support(
+              HCI_SC_MODE_ENABLED));
+      packet_parser->parse_generic_command_complete(response);
+    }
   }
 #endif
 
@@ -443,6 +453,12 @@
   return HCI_LE_PERIODIC_ADVERTISING_SUPPORTED(features_ble.as_array);
 }
 
+static bool supports_ble_offload_features(void) {
+  assert(readable);
+  assert(ble_supported);
+  return ble_offload_features_supported;
+}
+
 static uint16_t get_acl_data_size_classic(void) {
   CHECK(readable);
   return acl_data_size_classic;
@@ -580,6 +596,7 @@
     get_ble_resolving_list_max_size,
     set_ble_resolving_list_max_size,
     get_local_supported_codecs,
+    supports_ble_offload_features,
     get_le_all_initiating_phys};
 
 const controller_t* controller_get_interface() {

hci/Android.bp

diff --git a/hci/Android.bp b/hci/Android.bp
index 635d939..5702177 100644
--- a/hci/Android.bp
+++ b/hci/Android.bp
@@ -36,6 +36,7 @@
         "system/bt/stack/include",
         "system/bt/utils/include",
         "system/bt/bta/include",
+        "system/bt/btif/include",
         "system/libhwbinder/include",
     ],
 }

hci/include/hci_packet_factory.h

diff --git a/hci/include/hci_packet_factory.h b/hci/include/hci_packet_factory.h
index e7cb47b..91caa7a 100644
--- a/hci/include/hci_packet_factory.h
+++ b/hci/include/hci_packet_factory.h
@@ -46,6 +46,7 @@
   BT_HDR* (*make_ble_read_number_of_supported_advertising_sets)(void);
   BT_HDR* (*make_ble_set_event_mask)(const bt_event_mask_t* event_mask);
   BT_HDR* (*make_read_local_supported_codecs)(void);
+  BT_HDR *(*make_ble_read_offload_features_support)(void);
 } hci_packet_factory_t;
 
 const hci_packet_factory_t* hci_packet_factory_get_interface();

hci/include/hci_packet_parser.h

diff --git a/hci/include/hci_packet_parser.h b/hci/include/hci_packet_parser.h
index 8878cb9..06af557 100644
--- a/hci/include/hci_packet_parser.h
+++ b/hci/include/hci_packet_parser.h
@@ -83,6 +83,9 @@
       BT_HDR* response, uint8_t* number_of_local_supported_codecs,
       uint8_t* local_supported_codecs);
 
+  void (*parse_ble_read_offload_features_response)(
+    BT_HDR *response,
+    bool *ble_offload_features_supported);
 } hci_packet_parser_t;
 
 const hci_packet_parser_t* hci_packet_parser_get_interface();

hci/src/hci_layer.cc

diff --git a/hci/src/hci_layer.cc b/hci/src/hci_layer.cc
index ed2908c..79c44e0 100644
--- a/hci/src/hci_layer.cc
+++ b/hci/src/hci_layer.cc
@@ -36,10 +36,12 @@
 #include <mutex>
 
 #include "btcore/include/module.h"
+#include "btif/include/btif_bqr.h"
 #include "btsnoop.h"
 #include "buffer_allocator.h"
 #include "common/message_loop_thread.h"
 #include "common/metrics.h"
+#include "common/once_timer.h"
 #include "hci_inject.h"
 #include "hci_internals.h"
 #include "hcidefs.h"
@@ -54,6 +56,7 @@
 #define BT_HCI_TIMEOUT_TAG_NUM 1010000
 
 using bluetooth::common::MessageLoopThread;
+using bluetooth::common::OnceTimer;
 
 extern void hci_initialize();
 extern void hci_transmit(BT_HDR* packet);
@@ -110,7 +113,7 @@
 static alarm_t* command_response_timer;
 static list_t* commands_pending_response;
 static std::recursive_timed_mutex commands_pending_response_mutex;
-static alarm_t* hci_timeout_abort_timer;
+static OnceTimer abort_timer;
 
 // The hand-off point for data going to a higher layer, set by the higher layer
 static base::Callback<void(const base::Location&, BT_HDR*)> send_data_upwards;
@@ -160,6 +163,14 @@
   packet_fragmenter->reassemble_and_dispatch(packet);
 }
 
+void hal_service_died() {
+  if (abort_timer.IsScheduled()) {
+    LOG(ERROR) << "abort_timer is scheduled, wait for timeout";
+    return;
+  }
+  abort();
+}
+
 // Module lifecycle functions
 
 static future_t* hci_module_shut_down();
@@ -258,12 +269,6 @@
 
   packet_fragmenter->cleanup();
 
-  // Clean up abort timer, if it exists.
-  if (hci_timeout_abort_timer != NULL) {
-    alarm_free(hci_timeout_abort_timer);
-    hci_timeout_abort_timer = NULL;
-  }
-
   if (hci_firmware_log_fd != INVALID_FD) {
     hci_close_firmware_log_file(hci_firmware_log_fd);
     hci_firmware_log_fd = INVALID_FD;
@@ -436,13 +441,19 @@
 }
 
 // Abort.  The chip has had time to write any debugging information.
-static void hci_timeout_abort(void* unused_data) {
+static void hci_timeout_abort(void) {
   LOG_ERROR(LOG_TAG, "%s restarting the Bluetooth process.", __func__);
   hci_close_firmware_log_file(hci_firmware_log_fd);
 
   // We shouldn't try to recover the stack from this command timeout.
   // If it's caused by a software bug, fix it. If it's a hardware bug, fix it.
-  abort();
+  exit(0);
+}
+
+static void hci_root_inflamed_abort(uint8_t error_code,
+                                    uint8_t vendor_error_code) {
+  LOG(FATAL) << __func__ << ": error_code = " << std::to_string(error_code)
+             << ", vendor_error_code = " << std::to_string(vendor_error_code);
 }
 
 static void command_timed_out_log_info(void* original_wait_entry) {
@@ -494,7 +505,7 @@
   }
 
   // Don't request a firmware dump for multiple hci timeouts
-  if (hci_timeout_abort_timer != NULL || hci_firmware_log_fd != INVALID_FD) {
+  if (hci_firmware_log_fd != INVALID_FD) {
     return;
   }
 
@@ -521,13 +532,13 @@
   osi_free(bt_hdr);
   LOG_ERROR(LOG_TAG, "%s: Setting a timer to restart.", __func__);
 
-  hci_timeout_abort_timer = alarm_new("hci.hci_timeout_aborter");
-  if (!hci_timeout_abort_timer) {
+  // alarm_default_callbacks thread post to hci_thread.
+  if (!abort_timer.Schedule(
+          hci_thread.GetWeakPtr(), FROM_HERE, base::Bind(hci_timeout_abort),
+          base::TimeDelta::FromMilliseconds(COMMAND_TIMEOUT_RESTART_MS))) {
     LOG_ERROR(LOG_TAG, "%s unable to create an abort timer.", __func__);
     abort();
   }
-  alarm_set(hci_timeout_abort_timer, COMMAND_TIMEOUT_RESTART_MS,
-            hci_timeout_abort, nullptr);
 }
 
 // Event/packet receiving functions
@@ -614,15 +625,62 @@
     }
 
     goto intercepted;
-  } else if (event_code == HCI_VSE_SUBCODE_DEBUG_INFO_SUB_EVT) {
-    if (hci_firmware_log_fd == INVALID_FD)
-      hci_firmware_log_fd = hci_open_firmware_log_file();
+  } else if (event_code == HCI_VENDOR_SPECIFIC_EVT) {
+    uint8_t sub_event_code;
+    STREAM_TO_UINT8(sub_event_code, stream);
 
-    if (hci_firmware_log_fd != INVALID_FD)
-      hci_log_firmware_debug_packet(hci_firmware_log_fd, packet);
+    if (sub_event_code == HCI_VSE_SUBCODE_DEBUG_INFO_SUB_EVT) {
+      if (hci_firmware_log_fd == INVALID_FD)
+        hci_firmware_log_fd = hci_open_firmware_log_file();
 
-    buffer_allocator->free(packet);
-    return true;
+      if (hci_firmware_log_fd != INVALID_FD)
+        hci_log_firmware_debug_packet(hci_firmware_log_fd, packet);
+
+      buffer_allocator->free(packet);
+      return true;
+    } else if (sub_event_code == HCI_VSE_SUBCODE_BQR_SUB_EVT) {
+      uint8_t bqr_report_id;
+      STREAM_TO_UINT8(bqr_report_id, stream);
+
+      if (bqr_report_id ==
+              bluetooth::bqr::QUALITY_REPORT_ID_ROOT_INFLAMMATION &&
+          packet->len >= bluetooth::bqr::kRootInflammationPacketMinSize) {
+        uint8_t error_code;
+        uint8_t vendor_error_code;
+        STREAM_TO_UINT8(error_code, stream);
+        STREAM_TO_UINT8(vendor_error_code, stream);
+        // TODO(ugoyu) Report to bluetooth metrics here
+
+        LOG(ERROR) << __func__
+                   << ": Root inflammation event! setting timer to restart.";
+        {
+          // Try to stop hci command and startup timers
+          std::unique_lock<std::recursive_timed_mutex> lock(
+              commands_pending_response_mutex, std::defer_lock);
+          if (lock.try_lock_for(std::chrono::milliseconds(
+                  COMMAND_PENDING_MUTEX_ACQUIRE_TIMEOUT_MS))) {
+            if (alarm_is_scheduled(startup_timer)) {
+              alarm_cancel(startup_timer);
+            }
+            if (alarm_is_scheduled(command_response_timer)) {
+              alarm_cancel(command_response_timer);
+            }
+          } else {
+            LOG(ERROR) << __func__ << ": Failed to obtain mutex";
+          }
+        }
+
+        // HwBinder thread post to hci_thread
+        if (!abort_timer.Schedule(hci_thread.GetWeakPtr(), FROM_HERE,
+                                  base::Bind(hci_root_inflamed_abort,
+                                             error_code, vendor_error_code),
+                                  base::TimeDelta::FromMilliseconds(
+                                      COMMAND_TIMEOUT_RESTART_MS))) {
+          LOG(ERROR) << "Failed to schedule abort_timer!";
+          hci_root_inflamed_abort(error_code, vendor_error_code);
+        }
+      }
+    }
   }
 
   return false;
@@ -672,7 +730,26 @@
 
     return wait_entry;
   }
+  // look for any command complete with improper VS Opcode
+  for (const list_node_t *node = list_begin(commands_pending_response);
+      node != list_end(commands_pending_response);
+      node = list_next(node)) {
+    waiting_command_t *wait_entry =
+        reinterpret_cast<waiting_command_t*> (list_node(node));
 
+    if (wait_entry && (wait_entry->opcode != opcode) &&
+        (((wait_entry->opcode & HCI_GRP_VENDOR_SPECIFIC) == HCI_GRP_VENDOR_SPECIFIC) &&
+        ((opcode & HCI_GRP_VENDOR_SPECIFIC) == HCI_GRP_VENDOR_SPECIFIC))) {
+        LOG_DEBUG(LOG_TAG,"%s VS event found treat it as valid 0x%x", __func__, opcode);
+    }
+    else {
+        continue;
+    }
+
+    list_remove(commands_pending_response, wait_entry);
+
+    return wait_entry;
+  }
   return NULL;
 }
 

hci/src/hci_layer_android.cc

diff --git a/hci/src/hci_layer_android.cc b/hci/src/hci_layer_android.cc
index 92be0df..a9fde50 100644
--- a/hci/src/hci_layer_android.cc
+++ b/hci/src/hci_layer_android.cc
@@ -51,6 +51,7 @@
 extern void hci_event_received(const base::Location& from_here, BT_HDR* packet);
 extern void acl_event_received(BT_HDR* packet);
 extern void sco_data_received(BT_HDR* packet);
+extern void hal_service_died();
 
 android::sp<IBluetoothHci> btHci;
 
@@ -58,7 +59,7 @@
  public:
   virtual void serviceDied(uint64_t /*cookie*/, const android::wp<::android::hidl::base::V1_0::IBase>& /*who*/) {
     LOG_ERROR(LOG_TAG, "Bluetooth HAL service died!");
-    abort();
+    hal_service_died();
   }
 };
 android::sp<BluetoothHciDeathRecipient> bluetoothHciDeathRecipient = new BluetoothHciDeathRecipient();

hci/src/hci_packet_factory.cc

diff --git a/hci/src/hci_packet_factory.cc b/hci/src/hci_packet_factory.cc
index ca0fb5f..1cff9f6 100644
--- a/hci/src/hci_packet_factory.cc
+++ b/hci/src/hci_packet_factory.cc
@@ -159,6 +159,10 @@
   return make_command_no_params(HCI_READ_LOCAL_SUPPORTED_CODECS);
 }
 
+static BT_HDR* make_ble_read_offload_features_support(void) {
+    return make_command_no_params(HCI_BLE_VENDOR_CAP_OCF);
+}
+
 static BT_HDR* make_ble_set_event_mask(const bt_event_mask_t* event_mask) {
   uint8_t* stream;
   uint8_t parameter_size = sizeof(bt_event_mask_t);
@@ -220,7 +224,8 @@
     make_ble_read_maximum_advertising_data_length,
     make_ble_read_number_of_supported_advertising_sets,
     make_ble_set_event_mask,
-    make_read_local_supported_codecs};
+    make_read_local_supported_codecs,
+    make_ble_read_offload_features_support};
 
 const hci_packet_factory_t* hci_packet_factory_get_interface() {
   buffer_allocator = buffer_allocator_get_interface();

hci/src/hci_packet_parser.cc

diff --git a/hci/src/hci_packet_parser.cc b/hci/src/hci_packet_parser.cc
index b1efd44..3f4e46c 100644
--- a/hci/src/hci_packet_parser.cc
+++ b/hci/src/hci_packet_parser.cc
@@ -85,6 +85,20 @@
   buffer_allocator->free(response);
 }
 
+static void parse_ble_read_offload_features_response(
+    BT_HDR *response,
+    bool *ble_offload_features_supported) {
+
+  uint8_t *stream = read_command_complete_header(response, NO_OPCODE_CHECKING, 0 /* bytes after */);
+  if(stream) {
+    *ble_offload_features_supported  = true;
+  } else {
+    *ble_offload_features_supported  = false;
+  }
+
+  buffer_allocator->free(response);
+}
+
 static void parse_read_bd_addr_response(BT_HDR* response,
                                         RawAddress* address_ptr) {
   uint8_t* stream = read_command_complete_header(
@@ -281,7 +295,8 @@
     parse_ble_read_maximum_data_length_response,
     parse_ble_read_maximum_advertising_data_length,
     parse_ble_read_number_of_supported_advertising_sets,
-    parse_read_local_supported_codecs_response};
+    parse_read_local_supported_codecs_response,
+    parse_ble_read_offload_features_response};
 
 const hci_packet_parser_t* hci_packet_parser_get_interface() {
   buffer_allocator = buffer_allocator_get_interface();

include/hardware/bluetooth.h

diff --git a/include/hardware/bluetooth.h b/include/hardware/bluetooth.h
index 4c88de8..3097c1a 100644
--- a/include/hardware/bluetooth.h
+++ b/include/hardware/bluetooth.h
@@ -469,11 +469,11 @@
    * The |start_restricted| flag inits the adapter in restricted mode. In
    * restricted mode, bonds that are created are marked as restricted in the
    * config file. These devices are deleted upon leaving restricted mode.
-   * The |is_single_user_mode| flag inits the adapter in NIAP mode.
+   * The |is_niap_mode| flag inits the adapter in NIAP mode.
    * The |is_atv| flag indicates whether the local device is an Android TV
    */
-  int (*init)(bt_callbacks_t* callbacks, bool guest_mode,
-              bool is_single_user_mode, bool is_atv);
+  int (*init)(bt_callbacks_t* callbacks, bool guest_mode, bool is_niap_mode,
+              bool is_atv);
 
   /** Enable Bluetooth. */
   int (*enable)();

internal_include/bt_target.h

diff --git a/internal_include/bt_target.h b/internal_include/bt_target.h
index 67a67c5..e33f0b5 100644
--- a/internal_include/bt_target.h
+++ b/internal_include/bt_target.h
@@ -108,7 +108,7 @@
 #endif
 
 #ifndef BTA_DM_SDP_DB_SIZE
-#define BTA_DM_SDP_DB_SIZE 8000
+#define BTA_DM_SDP_DB_SIZE 20000
 #endif
 
 #ifndef HL_INCLUDED
@@ -286,6 +286,12 @@
 #define BTM_DISC_DURING_RS TRUE
 #endif
 
+/*  This is used to work around a controller bug that report supporting
+ *  enhanced synchronous commands */
+#ifndef BTM_SCO_ENHANCED_SYNC_ENABLED
+#define BTM_SCO_ENHANCED_SYNC_ENABLED TRUE
+#endif
+
 /**************************
  * Initial SCO TX credit
  ************************/

profile/avrcp/connection_handler.cc

diff --git a/profile/avrcp/connection_handler.cc b/profile/avrcp/connection_handler.cc
index 51ebfea..e9a4c72 100644
--- a/profile/avrcp/connection_handler.cc
+++ b/profile/avrcp/connection_handler.cc
@@ -138,9 +138,7 @@
 bool ConnectionHandler::DisconnectDevice(const RawAddress& bdaddr) {
   for (auto it = device_map_.begin(); it != device_map_.end(); it++) {
     if (bdaddr == it->second->GetAddress()) {
-      it->second->DeviceDisconnected();
       uint8_t handle = it->first;
-      device_map_.erase(handle);
       return avrc_->Close(handle) == AVRC_SUCCESS;
     }
   }

profile/avrcp/device.cc

diff --git a/profile/avrcp/device.cc b/profile/avrcp/device.cc
index 4ca624b..264eaf0 100644
--- a/profile/avrcp/device.cc
+++ b/profile/avrcp/device.cc
@@ -98,6 +98,19 @@
       case CommandPdu::REGISTER_NOTIFICATION: {
         auto register_notification =
             Packet::Specialize<RegisterNotificationResponse>(pkt);
+
+        if (!register_notification->IsValid()) {
+          DEVICE_LOG(WARNING) << __func__ << ": Request packet is not valid";
+          auto response =
+              RejectBuilder::MakeBuilder(pkt->GetCommandPdu(),
+                                         Status::INVALID_PARAMETER);
+          send_message(label, false, std::move(response));
+          active_labels_.erase(label);
+          volume_interface_ = nullptr;
+          volume_ = VOL_REGISTRATION_FAILED;
+          return;
+        }
+
         if (register_notification->GetEvent() != Event::VOLUME_CHANGED) {
           DEVICE_LOG(WARNING)
               << __func__ << ": Unhandled register notification received: "
@@ -336,16 +349,6 @@
     uint8_t label, const std::shared_ptr<RegisterNotificationResponse>& pkt) {
   DEVICE_VLOG(1) << __func__ << ": interim=" << pkt->IsInterim();
 
-  if (!pkt->IsValid()) {
-    DEVICE_LOG(WARNING) << __func__ << ": Request packet is not valid";
-    auto response = RejectBuilder::MakeBuilder(pkt->GetCommandPdu(), Status::INVALID_PARAMETER);
-    send_message(label, false, std::move(response));
-    active_labels_.erase(label);
-    volume_interface_ = nullptr;
-    volume_ = VOL_REGISTRATION_FAILED;
-    return;
-  }
-
   if (volume_interface_ == nullptr) return;
 
   if (pkt->GetCType() == CType::REJECTED) {

stack/Android.bp

diff --git a/stack/Android.bp b/stack/Android.bp
index 4863afb..c468423 100644
--- a/stack/Android.bp
+++ b/stack/Android.bp
@@ -200,6 +200,7 @@
     ],
     srcs: [
         "test/stack_a2dp_test.cc",
+        "test/stack_avrcp_test.cc",
     ],
     shared_libs: [
         "libcrypto",

stack/BUILD.gn

diff --git a/stack/BUILD.gn b/stack/BUILD.gn
index 00680c8..87dc726 100644
--- a/stack/BUILD.gn
+++ b/stack/BUILD.gn
@@ -202,6 +202,7 @@
   testonly = true
   sources = [
     "test/stack_a2dp_test.cc",
+    "test/stack_avrcp_test.cc",
   ]
 
   include_dirs = [

stack/avdt/avdt_msg.cc

diff --git a/stack/avdt/avdt_msg.cc b/stack/avdt/avdt_msg.cc
index ae17c11..bf83d19 100644
--- a/stack/avdt/avdt_msg.cc
+++ b/stack/avdt/avdt_msg.cc
@@ -985,18 +985,30 @@
  * Returns          Error code or zero if no error.
  *
  ******************************************************************************/
-static uint8_t avdt_msg_prs_rej(tAVDT_MSG* p_msg, uint8_t* p, uint8_t sig) {
-  if ((sig == AVDT_SIG_SETCONFIG) || (sig == AVDT_SIG_RECONFIG)) {
-    p_msg->hdr.err_param = *p++;
-    p_msg->hdr.err_code = *p;
-  } else if ((sig == AVDT_SIG_START) || (sig == AVDT_SIG_SUSPEND)) {
-    AVDT_MSG_PRS_SEID(p, p_msg->hdr.err_param);
-    p_msg->hdr.err_code = *p;
+static uint8_t avdt_msg_prs_rej(tAVDT_MSG* p_msg, uint8_t* p, uint16_t len,
+                                uint8_t sig) {
+  uint8_t error = 0;
+
+  if (len > 0) {
+    if ((sig == AVDT_SIG_SETCONFIG) || (sig == AVDT_SIG_RECONFIG)) {
+      p_msg->hdr.err_param = *p++;
+      len--;
+    } else if ((sig == AVDT_SIG_START) || (sig == AVDT_SIG_SUSPEND)) {
+      AVDT_MSG_PRS_SEID(p, p_msg->hdr.err_param);
+      len--;
+    }
+  }
+
+  if (len < 1) {
+    char error_info[] = "AVDT rejected response length mismatch";
+    android_errorWriteWithInfoLog(0x534e4554, "79702484", -1, error_info,
+                                  strlen(error_info));
+    error = AVDT_ERR_LENGTH;
   } else {
     p_msg->hdr.err_code = *p;
   }
 
-  return 0;
+  return error;
 }
 
 /*******************************************************************************
@@ -1610,7 +1622,7 @@
       evt = avdt_msg_rsp_2_evt[sig - 1];
     } else /* msg_type == AVDT_MSG_TYPE_REJ */
     {
-      err = avdt_msg_prs_rej(&msg, p, sig);
+      err = avdt_msg_prs_rej(&msg, p, p_buf->len, sig);
       evt = avdt_msg_rej_2_evt[sig - 1];
     }
 

stack/avrc/avrc_pars_ct.cc

diff --git a/stack/avrc/avrc_pars_ct.cc b/stack/avrc/avrc_pars_ct.cc
index 74b56e7..83f2293 100644
--- a/stack/avrc/avrc_pars_ct.cc
+++ b/stack/avrc/avrc_pars_ct.cc
@@ -814,7 +814,7 @@
       if (len < min_len) goto length_error;
       BE_STREAM_TO_UINT32(p_result->get_play_status.song_len, p);
       BE_STREAM_TO_UINT32(p_result->get_play_status.song_pos, p);
-      BE_STREAM_TO_UINT8(p_result->get_play_status.status, p);
+      BE_STREAM_TO_UINT8(p_result->get_play_status.play_status, p);
       break;
 
     case AVRC_PDU_SET_ADDRESSED_PLAYER:

stack/avrc/avrc_pars_tg.cc

diff --git a/stack/avrc/avrc_pars_tg.cc b/stack/avrc/avrc_pars_tg.cc
index 00e85e7..99e6671 100644
--- a/stack/avrc/avrc_pars_tg.cc
+++ b/stack/avrc/avrc_pars_tg.cc
@@ -382,7 +382,7 @@
  *
  * Description      This function is used to parse cmds received for CTRL
  *                  Currently it is for SetAbsVolume and Volume Change
- *                  Notification..
+ *                  Notification.
  *
  * Returns          AVRC_STS_NO_ERROR, if the message in p_data is parsed
  *                  successfully.
@@ -409,6 +409,12 @@
   return status;
 }
 
+#define RETURN_STATUS_IF_FALSE(_status_, _b_, _msg_, ...) \
+  if (!(_b_)) {                                           \
+    AVRC_TRACE_DEBUG(_msg_, ##__VA_ARGS__);               \
+    return _status_;                                      \
+  }
+
 /*******************************************************************************
  *
  * Function         avrc_pars_browsing_cmd
@@ -428,6 +434,10 @@
   uint8_t* p = p_msg->p_browse_data;
   int count;
 
+  uint16_t min_len = 3;
+  RETURN_STATUS_IF_FALSE(AVRC_STS_BAD_CMD, (p_msg->browse_len >= min_len),
+                         "msg too short");
+
   p_result->pdu = *p++;
   AVRC_TRACE_DEBUG("avrc_pars_browsing_cmd() pdu:0x%x", p_result->pdu);
   /* skip over len */
@@ -435,11 +445,20 @@
 
   switch (p_result->pdu) {
     case AVRC_PDU_SET_BROWSED_PLAYER: /* 0x70 */
+      min_len += 2;
+      RETURN_STATUS_IF_FALSE(AVRC_STS_BAD_CMD, (p_msg->browse_len >= min_len),
+                             "msg too short");
+
       // For current implementation all players are browsable.
       BE_STREAM_TO_UINT16(p_result->br_player.player_id, p);
       break;
 
     case AVRC_PDU_GET_FOLDER_ITEMS: /* 0x71 */
+
+      min_len += 10;
+      RETURN_STATUS_IF_FALSE(AVRC_STS_BAD_CMD, (p_msg->browse_len >= min_len),
+                             "msg too short");
+
       STREAM_TO_UINT8(p_result->get_items.scope, p);
       // To be modified later here (Scope) when all browsing commands are
       // supported
@@ -460,12 +479,21 @@
         if (buf_len < (count << 2))
           p_result->get_items.attr_count = count = (buf_len >> 2);
         for (int idx = 0; idx < count; idx++) {
+          min_len += 4;
+          RETURN_STATUS_IF_FALSE(AVRC_STS_BAD_CMD,
+                                 (p_msg->browse_len >= min_len),
+                                 "msg too short");
+
           BE_STREAM_TO_UINT32(p_result->get_items.p_attr_list[idx], p);
         }
       }
       break;
 
     case AVRC_PDU_CHANGE_PATH: /* 0x72 */
+      min_len += 11;
+      RETURN_STATUS_IF_FALSE(AVRC_STS_BAD_CMD, (p_msg->browse_len >= min_len),
+                             "msg too short");
+
       BE_STREAM_TO_UINT16(p_result->chg_path.uid_counter, p);
       BE_STREAM_TO_UINT8(p_result->chg_path.direction, p);
       if (p_result->chg_path.direction != AVRC_DIR_UP &&
@@ -476,7 +504,12 @@
       break;
 
     case AVRC_PDU_GET_ITEM_ATTRIBUTES: /* 0x73 */
+      min_len += 12;
+      RETURN_STATUS_IF_FALSE(AVRC_STS_BAD_CMD, (p_msg->browse_len >= min_len),
+                             "msg too short");
+
       BE_STREAM_TO_UINT8(p_result->get_attrs.scope, p);
+
       if (p_result->get_attrs.scope > AVRC_SCOPE_NOW_PLAYING) {
         status = AVRC_STS_BAD_SCOPE;
         break;
@@ -492,6 +525,11 @@
           p_result->get_attrs.attr_count = count = (buf_len >> 2);
         for (int idx = 0, count = 0; idx < p_result->get_attrs.attr_count;
              idx++) {
+          min_len += 4;
+          RETURN_STATUS_IF_FALSE(AVRC_STS_BAD_CMD,
+                                 (p_msg->browse_len >= min_len),
+                                 "msg too short");
+
           BE_STREAM_TO_UINT32(p_result->get_attrs.p_attr_list[count], p);
           if (AVRC_IS_VALID_MEDIA_ATTRIBUTE(
                   p_result->get_attrs.p_attr_list[count])) {
@@ -507,6 +545,10 @@
       break;
 
     case AVRC_PDU_GET_TOTAL_NUM_OF_ITEMS: /* 0x75 */
+      ++min_len;
+      RETURN_STATUS_IF_FALSE(AVRC_STS_BAD_CMD, (p_msg->browse_len >= min_len),
+                             "msg too short");
+
       BE_STREAM_TO_UINT8(p_result->get_num_of_items.scope, p);
       if (p_result->get_num_of_items.scope > AVRC_SCOPE_NOW_PLAYING) {
         status = AVRC_STS_BAD_SCOPE;
@@ -514,6 +556,10 @@
       break;
 
     case AVRC_PDU_SEARCH: /* 0x80 */
+      min_len += 4;
+      RETURN_STATUS_IF_FALSE(AVRC_STS_BAD_CMD, (p_msg->browse_len >= min_len),
+                             "msg too short");
+
       BE_STREAM_TO_UINT16(p_result->search.string.charset_id, p);
       BE_STREAM_TO_UINT16(p_result->search.string.str_len, p);
       p_result->search.string.p_str = p_buf;
@@ -523,6 +569,10 @@
         } else {
           android_errorWriteLog(0x534e4554, "63146237");
         }
+        min_len += p_result->search.string.str_len;
+        RETURN_STATUS_IF_FALSE(AVRC_STS_BAD_CMD, (p_msg->browse_len >= min_len),
+                               "msg too short");
+
         BE_STREAM_TO_ARRAY(p, p_buf, p_result->search.string.str_len);
       } else {
         status = AVRC_STS_INTERNAL_ERR;

stack/btm/btm_acl.cc

diff --git a/stack/btm/btm_acl.cc b/stack/btm/btm_acl.cc
index 090a0aa..55772e6 100644
--- a/stack/btm/btm_acl.cc
+++ b/stack/btm/btm_acl.cc
@@ -825,7 +825,8 @@
   tBTM_SEC_DEV_REC* p_dev_rec = btm_find_or_alloc_dev(bda);
 
   /* If there are any preferred connection parameters, set them now */
-  if ((p_dev_rec->conn_params.min_conn_int >= BTM_BLE_CONN_INT_MIN) &&
+  if ((p_lcb != NULL) && (p_dev_rec != NULL) &&
+      (p_dev_rec->conn_params.min_conn_int >= BTM_BLE_CONN_INT_MIN) &&
       (p_dev_rec->conn_params.min_conn_int <= BTM_BLE_CONN_INT_MAX) &&
       (p_dev_rec->conn_params.max_conn_int >= BTM_BLE_CONN_INT_MIN) &&
       (p_dev_rec->conn_params.max_conn_int <= BTM_BLE_CONN_INT_MAX) &&

stack/btm/btm_ble_batchscan.cc

diff --git a/stack/btm/btm_ble_batchscan.cc b/stack/btm/btm_ble_batchscan.cc
index 89b3e6c..db82829 100644
--- a/stack/btm/btm_ble_batchscan.cc
+++ b/stack/btm/btm_ble_batchscan.cc
@@ -63,6 +63,7 @@
 
   uint8_t sub_event = 0;
   tBTM_BLE_VSC_CB cmn_ble_vsc_cb;
+  if (len == 0) return;
   STREAM_TO_UINT8(sub_event, p);
 
   BTM_TRACE_EVENT(
@@ -90,6 +91,7 @@
 
       /* Extract the adv info details */
       if (ADV_INFO_PRESENT == adv_data.advertiser_info_present) {
+        if (len < 15) return;
         STREAM_TO_UINT8(adv_data.tx_power, p);
         STREAM_TO_UINT8(adv_data.rssi_value, p);
         STREAM_TO_UINT16(adv_data.time_stamp, p);

stack/btm/btm_ble_bgconn.cc

diff --git a/stack/btm/btm_ble_bgconn.cc b/stack/btm/btm_ble_bgconn.cc
index 73256c8..209f49f 100644
--- a/stack/btm/btm_ble_bgconn.cc
+++ b/stack/btm/btm_ble_bgconn.cc
@@ -39,6 +39,7 @@
     uint16_t conn_timeout, uint16_t min_ce_len, uint16_t max_ce_len,
     uint8_t phy);
 extern void btm_ble_create_conn_cancel();
+void wl_remove_complete(uint8_t* p_data, uint16_t /* evt_len */);
 
 // Unfortunately (for now?) we have to maintain a copy of the device whitelist
 // on the host to determine if a device is pending to be connected or not. This
@@ -72,7 +73,14 @@
         BackgroundConnection{address, addr_type, false, 0, false};
   } else {
     BackgroundConnection* connection = &map_iter->second;
-    connection->addr_type = addr_type;
+    if (addr_type != connection->addr_type) {
+      LOG(INFO) << __func__ << " Addr type mismatch " << address;
+      btsnd_hcic_ble_remove_from_white_list(
+        connection->addr_type_in_wl, connection->address,
+        base::Bind(&wl_remove_complete));
+      connection->addr_type = addr_type;
+      connection->in_controller_wl = false;
+    }
     connection->pending_removal = false;
   }
 }
@@ -170,8 +178,7 @@
     return true;
 
   // bonded device with identity address known
-  if (p_dev_rec->ble.identity_addr != address &&
-      !p_dev_rec->ble.identity_addr.IsEmpty()) {
+  if (!p_dev_rec->ble.identity_addr.IsEmpty()) {
     return true;
   }
 
@@ -197,8 +204,7 @@
 
   if (p_dev_rec != NULL && p_dev_rec->device_type & BT_DEVICE_TYPE_BLE) {
     if (to_add) {
-      if (p_dev_rec->ble.identity_addr != bd_addr &&
-          !p_dev_rec->ble.identity_addr.IsEmpty()) {
+      if (!p_dev_rec->ble.identity_addr.IsEmpty()) {
         background_connection_add(p_dev_rec->ble.identity_addr_type,
                                   p_dev_rec->ble.identity_addr);
       } else {
@@ -212,8 +218,7 @@
 
       p_dev_rec->ble.in_controller_list |= BTM_WHITE_LIST_BIT;
     } else {
-      if (!p_dev_rec->ble.identity_addr.IsEmpty() &&
-          p_dev_rec->ble.identity_addr != bd_addr) {
+      if (!p_dev_rec->ble.identity_addr.IsEmpty()) {
         background_connection_remove(p_dev_rec->ble.identity_addr);
       } else {
         background_connection_remove(bd_addr);

stack/btm/btm_ble_connection_establishment.cc

diff --git a/stack/btm/btm_ble_connection_establishment.cc b/stack/btm/btm_ble_connection_establishment.cc
index c0d7791..77bc00f 100644
--- a/stack/btm/btm_ble_connection_establishment.cc
+++ b/stack/btm/btm_ble_connection_establishment.cc
@@ -159,6 +159,7 @@
         if (!btm_ble_init_pseudo_addr(match_rec, bda)) {
           /* assign the original address to be the current report address */
           bda = match_rec->ble.pseudo_addr;
+          bda_type = match_rec->ble.ble_addr_type;
         } else {
           bda = match_rec->bd_addr;
         }

stack/btm/btm_ble_gap.cc

diff --git a/stack/btm/btm_ble_gap.cc b/stack/btm/btm_ble_gap.cc
index c46acf0..7f94bb8 100644
--- a/stack/btm/btm_ble_gap.cc
+++ b/stack/btm/btm_ble_gap.cc
@@ -498,7 +498,7 @@
     BTM_TRACE_DEBUG("%s: Status = 0x%02x (0 is success)", __func__, status);
     return;
   }
-  CHECK(p_vcs_cplt_params->param_len > BTM_VSC_CHIP_CAPABILITY_RSP_LEN);
+  CHECK(p_vcs_cplt_params->param_len >= BTM_VSC_CHIP_CAPABILITY_RSP_LEN);
   STREAM_TO_UINT8(btm_cb.cmn_ble_vsc_cb.adv_inst_max, p);
   STREAM_TO_UINT8(btm_cb.cmn_ble_vsc_cb.rpa_offloading, p);
   STREAM_TO_UINT16(btm_cb.cmn_ble_vsc_cb.tot_scan_results_strg, p);
@@ -1755,6 +1755,7 @@
       } else {
         // Assign the original address to be the current report address
         bda = match_rec->ble.pseudo_addr;
+        *addr_type = match_rec->ble.ble_addr_type;
       }
     }
   }

stack/btm/btm_ble_multi_adv.cc

diff --git a/stack/btm/btm_ble_multi_adv.cc b/stack/btm/btm_ble_multi_adv.cc
index 22d2e17..b425c09 100644
--- a/stack/btm/btm_ble_multi_adv.cc
+++ b/stack/btm/btm_ble_multi_adv.cc
@@ -728,16 +728,13 @@
       data.insert(data.begin(), flags.begin(), flags.end());
     }
 
-    // Find and fill TX Power with the correct value
-    if (data.size()) {
-      size_t i = 0;
-      while (i < data.size()) {
-        uint8_t type = data[i + 1];
-        if (type == HCI_EIR_TX_POWER_LEVEL_TYPE) {
-          data[i + 2] = adv_inst[inst_id].tx_power;
-        }
-        i += data[i] + 1;
+    // Find and fill TX Power with the correct value.
+    // The TX Power section is a 3 byte section.
+    for (size_t i = 0; (i + 2) < data.size();) {
+      if (data[i + 1] == HCI_EIR_TX_POWER_LEVEL_TYPE) {
+        data[i + 2] = adv_inst[inst_id].tx_power;
       }
+      i += data[i] + 1;
     }
 
     VLOG(1) << "data is: " << base::HexEncode(data.data(), data.size());

stack/btm/btm_inq.cc

diff --git a/stack/btm/btm_inq.cc b/stack/btm/btm_inq.cc
index 1a5d7f5..f56369b 100644
--- a/stack/btm/btm_inq.cc
+++ b/stack/btm/btm_inq.cc
@@ -25,6 +25,7 @@
  *
  ******************************************************************************/
 
+#include <log/log.h>
 #include <stddef.h>
 #include <stdio.h>
 #include <stdlib.h>
@@ -914,10 +915,9 @@
   /* Make sure there is not already one in progress */
   if (p_inq->remname_active) {
     if (BTM_UseLeLink(p_inq->remname_bda)) {
-      if (btm_ble_cancel_remote_name(p_inq->remname_bda))
-        return (BTM_CMD_STARTED);
-      else
-        return (BTM_UNKNOWN_ADDR);
+      /* Cancel remote name request for LE device, and process remote name
+       * callback. */
+      btm_inq_rmt_name_failed_cancelled();
     } else
       btsnd_hcic_rmt_name_req_cancel(p_inq->remname_bda);
     return (BTM_CMD_STARTED);
@@ -1602,7 +1602,8 @@
  * Returns          void
  *
  ******************************************************************************/
-void btm_process_inq_results(uint8_t* p, uint8_t inq_res_mode) {
+void btm_process_inq_results(uint8_t* p, uint8_t hci_evt_len,
+                             uint8_t inq_res_mode) {
   uint8_t num_resp, xx;
   RawAddress bda;
   tINQ_DB_ENT* p_i;
@@ -1631,10 +1632,29 @@
 
   STREAM_TO_UINT8(num_resp, p);
 
-  if (inq_res_mode == BTM_INQ_RESULT_EXTENDED && (num_resp > 1)) {
-    BTM_TRACE_ERROR("btm_process_inq_results() extended results (%d) > 1",
-                    num_resp);
-    return;
+  if (inq_res_mode == BTM_INQ_RESULT_EXTENDED) {
+    if (num_resp > 1) {
+      BTM_TRACE_ERROR("btm_process_inq_results() extended results (%d) > 1",
+                      num_resp);
+      return;
+    }
+
+    constexpr uint16_t extended_inquiry_result_size = 254;
+    if (hci_evt_len - 1 != extended_inquiry_result_size) {
+      android_errorWriteLog(0x534e4554, "141620271");
+      BTM_TRACE_ERROR("%s: can't fit %d results in %d bytes", __func__,
+                      num_resp, hci_evt_len);
+      return;
+    }
+  } else if (inq_res_mode == BTM_INQ_RESULT_STANDARD ||
+             inq_res_mode == BTM_INQ_RESULT_WITH_RSSI) {
+    constexpr uint16_t inquiry_result_size = 14;
+    if (hci_evt_len < num_resp * inquiry_result_size) {
+      android_errorWriteLog(0x534e4554, "141620271");
+      BTM_TRACE_ERROR("%s: can't fit %d results in %d bytes", __func__,
+                      num_resp, hci_evt_len);
+      return;
+    }
   }
 
   for (xx = 0; xx < num_resp; xx++) {
@@ -2070,22 +2090,22 @@
 }
 
 void btm_inq_remote_name_timer_timeout(UNUSED_ATTR void* data) {
-  btm_inq_rmt_name_failed();
+  btm_inq_rmt_name_failed_cancelled();
 }
 
 /*******************************************************************************
  *
- * Function         btm_inq_rmt_name_failed
+ * Function         btm_inq_rmt_name_failed_cancelled
  *
- * Description      This function is if timeout expires while getting remote
- *                  name.  This is done for devices that incorrectly do not
- *                  report operation failure
+ * Description      This function is if timeout expires or request is cancelled
+ *                  while getting remote name.  This is done for devices that
+ *                  incorrectly do not report operation failure
  *
  * Returns          void
  *
  ******************************************************************************/
-void btm_inq_rmt_name_failed(void) {
-  BTM_TRACE_ERROR("btm_inq_rmt_name_failed()  remname_active=%d",
+void btm_inq_rmt_name_failed_cancelled(void) {
+  BTM_TRACE_ERROR("btm_inq_rmt_name_failed_cancelled()  remname_active=%d",
                   btm_cb.btm_inq_vars.remname_active);
 
   if (btm_cb.btm_inq_vars.remname_active)

stack/btm/btm_int.h

diff --git a/stack/btm/btm_int.h b/stack/btm/btm_int.h
index ee1d655..05180db 100644
--- a/stack/btm/btm_int.h
+++ b/stack/btm/btm_int.h
@@ -59,13 +59,14 @@
 
 extern void btm_process_remote_name(const RawAddress* bda, BD_NAME name,
                                     uint16_t evt_len, uint8_t hci_status);
-extern void btm_inq_rmt_name_failed(void);
+extern void btm_inq_rmt_name_failed_cancelled(void);
 extern void btm_inq_remote_name_timer_timeout(void* data);
 
 /* Inquiry related functions */
 extern void btm_clr_inq_db(const RawAddress* p_bda);
 extern void btm_inq_db_init(void);
-extern void btm_process_inq_results(uint8_t* p, uint8_t inq_res_mode);
+extern void btm_process_inq_results(uint8_t* p, uint8_t hci_evt_len,
+                                    uint8_t inq_res_mode);
 extern void btm_process_inq_complete(uint8_t status, uint8_t mode);
 extern void btm_process_cancel_complete(uint8_t status, uint8_t mode);
 extern void btm_event_filter_complete(uint8_t* p);

stack/btm/btm_sec.cc

diff --git a/stack/btm/btm_sec.cc b/stack/btm/btm_sec.cc
index 1c1cead..277e01d 100644
--- a/stack/btm/btm_sec.cc
+++ b/stack/btm/btm_sec.cc
@@ -4313,12 +4313,15 @@
       }
     }
 
-    if (!addr_matched) {
-      /* Don't callback unless this Connection-Complete-failure event has the
-       * same mac address as the bonding device */
+    /* p_auth_complete_callback might have freed the p_dev_rec, ensure it exists
+     * before accessing */
+    p_dev_rec = btm_find_dev(bda);
+    if (!p_dev_rec) {
+      /* Don't callback when device security record was removed */
       VLOG(1) << __func__
-              << ": Different mac addresses: pairing_bda=" << btm_cb.pairing_bda
-              << ", bda=" << bda << ", do not callback";
+              << ": device security record associated with this bda has been "
+                 "removed! bda="
+              << bda << ", do not callback!";
       return;
     }
 

stack/btu/btu_hcif.cc

diff --git a/stack/btu/btu_hcif.cc b/stack/btu/btu_hcif.cc
index c70448e..52d5d60 100644
--- a/stack/btu/btu_hcif.cc
+++ b/stack/btu/btu_hcif.cc
@@ -48,6 +48,7 @@
 #include "btu.h"
 #include "common/metrics.h"
 #include "device/include/controller.h"
+#include "hci_evt_length.h"
 #include "hci_layer.h"
 #include "hcimsgs.h"
 #include "l2c_int.h"
@@ -64,11 +65,12 @@
 /*            L O C A L    F U N C T I O N     P R O T O T Y P E S            */
 /******************************************************************************/
 static void btu_hcif_inquiry_comp_evt(uint8_t* p);
-static void btu_hcif_inquiry_result_evt(uint8_t* p);
-static void btu_hcif_inquiry_rssi_result_evt(uint8_t* p);
-static void btu_hcif_extended_inquiry_result_evt(uint8_t* p);
+static void btu_hcif_inquiry_result_evt(uint8_t* p, uint8_t hci_evt_len);
+static void btu_hcif_inquiry_rssi_result_evt(uint8_t* p, uint8_t hci_evt_len);
+static void btu_hcif_extended_inquiry_result_evt(uint8_t* p,
+                                                 uint8_t hci_evt_len);
 
-static void btu_hcif_connection_comp_evt(uint8_t* p);
+static void btu_hcif_connection_comp_evt(uint8_t* p, uint8_t evt_len);
 static void btu_hcif_connection_request_evt(uint8_t* p);
 static void btu_hcif_disconnection_comp_evt(uint8_t* p);
 static void btu_hcif_authentication_comp_evt(uint8_t* p);
@@ -85,7 +87,7 @@
 static void btu_hcif_hardware_error_evt(uint8_t* p);
 static void btu_hcif_flush_occured_evt(void);
 static void btu_hcif_role_change_evt(uint8_t* p);
-static void btu_hcif_num_compl_data_pkts_evt(uint8_t* p);
+static void btu_hcif_num_compl_data_pkts_evt(uint8_t* p, uint8_t evt_len);
 static void btu_hcif_mode_change_evt(uint8_t* p);
 static void btu_hcif_pin_code_request_evt(uint8_t* p);
 static void btu_hcif_link_key_request_evt(uint8_t* p);
@@ -256,6 +258,13 @@
   STREAM_TO_UINT8(hci_evt_code, p);
   STREAM_TO_UINT8(hci_evt_len, p);
 
+  // validate event size
+  if (hci_evt_len < hci_event_parameters_minimum_length[hci_evt_code]) {
+    HCI_TRACE_WARNING("%s: evt:0x%2X, malformed event of size %hhd", __func__,
+                      hci_evt_code, hci_evt_len);
+    return;
+  }
+
   btu_hcif_log_event_metrics(hci_evt_code, p);
 
   switch (hci_evt_code) {
@@ -263,16 +272,16 @@
       btu_hcif_inquiry_comp_evt(p);
       break;
     case HCI_INQUIRY_RESULT_EVT:
-      btu_hcif_inquiry_result_evt(p);
+      btu_hcif_inquiry_result_evt(p, hci_evt_len);
       break;
     case HCI_INQUIRY_RSSI_RESULT_EVT:
-      btu_hcif_inquiry_rssi_result_evt(p);
+      btu_hcif_inquiry_rssi_result_evt(p, hci_evt_len);
       break;
     case HCI_EXTENDED_INQUIRY_RESULT_EVT:
-      btu_hcif_extended_inquiry_result_evt(p);
+      btu_hcif_extended_inquiry_result_evt(p, hci_evt_len);
       break;
     case HCI_CONNECTION_COMP_EVT:
-      btu_hcif_connection_comp_evt(p);
+      btu_hcif_connection_comp_evt(p, hci_evt_len);
       break;
     case HCI_CONNECTION_REQUEST_EVT:
       btu_hcif_connection_request_evt(p);
@@ -326,7 +335,7 @@
       btu_hcif_role_change_evt(p);
       break;
     case HCI_NUM_COMPL_DATA_PKTS_EVT:
-      btu_hcif_num_compl_data_pkts_evt(p);
+      btu_hcif_num_compl_data_pkts_evt(p, hci_evt_len);
       break;
     case HCI_MODE_CHANGE_EVT:
       btu_hcif_mode_change_evt(p);
@@ -948,9 +957,9 @@
  * Returns          void
  *
  ******************************************************************************/
-static void btu_hcif_inquiry_result_evt(uint8_t* p) {
+static void btu_hcif_inquiry_result_evt(uint8_t* p, uint8_t hci_evt_len) {
   /* Store results in the cache */
-  btm_process_inq_results(p, BTM_INQ_RESULT_STANDARD);
+  btm_process_inq_results(p, hci_evt_len, BTM_INQ_RESULT_STANDARD);
 }
 
 /*******************************************************************************
@@ -962,9 +971,9 @@
  * Returns          void
  *
  ******************************************************************************/
-static void btu_hcif_inquiry_rssi_result_evt(uint8_t* p) {
+static void btu_hcif_inquiry_rssi_result_evt(uint8_t* p, uint8_t hci_evt_len) {
   /* Store results in the cache */
-  btm_process_inq_results(p, BTM_INQ_RESULT_WITH_RSSI);
+  btm_process_inq_results(p, hci_evt_len, BTM_INQ_RESULT_WITH_RSSI);
 }
 
 /*******************************************************************************
@@ -976,9 +985,10 @@
  * Returns          void
  *
  ******************************************************************************/
-static void btu_hcif_extended_inquiry_result_evt(uint8_t* p) {
+static void btu_hcif_extended_inquiry_result_evt(uint8_t* p,
+                                                 uint8_t hci_evt_len) {
   /* Store results in the cache */
-  btm_process_inq_results(p, BTM_INQ_RESULT_EXTENDED);
+  btm_process_inq_results(p, hci_evt_len, BTM_INQ_RESULT_EXTENDED);
 }
 
 /*******************************************************************************
@@ -990,7 +1000,7 @@
  * Returns          void
  *
  ******************************************************************************/
-static void btu_hcif_connection_comp_evt(uint8_t* p) {
+static void btu_hcif_connection_comp_evt(uint8_t* p, uint8_t evt_len) {
   uint8_t status;
   uint16_t handle;
   RawAddress bda;
@@ -998,6 +1008,12 @@
   uint8_t enc_mode;
   tBTM_ESCO_DATA esco_data;
 
+  if (evt_len < 11) {
+    android_errorWriteLog(0x534e4554, "141619686");
+    HCI_TRACE_WARNING("%s: malformed event of size %hhd", __func__, evt_len);
+    return;
+  }
+
   STREAM_TO_UINT8(status, p);
   STREAM_TO_UINT16(handle, p);
   STREAM_TO_BDADDR(bda, p);
@@ -1699,9 +1715,9 @@
  * Returns          void
  *
  ******************************************************************************/
-static void btu_hcif_num_compl_data_pkts_evt(uint8_t* p) {
+static void btu_hcif_num_compl_data_pkts_evt(uint8_t* p, uint8_t evt_len) {
   /* Process for L2CAP and SCO */
-  l2c_link_process_num_completed_pkts(p);
+  l2c_link_process_num_completed_pkts(p, evt_len);
 
   /* Send on to SCO */
   /*?? No SCO for now */

stack/gatt/gatt_main.cc

diff --git a/stack/gatt/gatt_main.cc b/stack/gatt/gatt_main.cc
index 87f9c87..ed8d3fd 100644
--- a/stack/gatt/gatt_main.cc
+++ b/stack/gatt/gatt_main.cc
@@ -823,6 +823,9 @@
     }
   }
 
+  /* Remove the direct connection */
+  connection_manager::on_connection_complete(p_tcb->peer_bda);
+
   if (!p_tcb->app_hold_link.empty() && p_tcb->att_lcid == L2CAP_ATT_CID) {
     /* disable idle timeout if one or more clients are holding the link disable
      * the idle timer */

stack/include/hci_evt_length.h

diff --git a/stack/include/hci_evt_length.h b/stack/include/hci_evt_length.h
new file mode 100644
index 0000000..ea8dfdf
--- /dev/null
+++ b/stack/include/hci_evt_length.h
@@ -0,0 +1,278 @@
+/*
+ * Copyright 2020 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+/*
+ *  Definitions for HCI Event Parameter Minimum Length
+ */
+static const uint8_t hci_event_parameters_minimum_length[] = {
+    0,    //  0x00 - N/A
+    1,    //  0x01 - HCI_Inquiry_Complete Event
+    15,   //  0x02 - HCI_Inquiry_Result Event (Num_Responses = 1)
+    11,   //  0x03 - HCI_Connection_Complete Event
+    10,   //  0x04 - HCI_Connection_Request Event
+    4,    //  0x05 - HCI_Disconnection_Complete Event
+    3,    //  0x06 - HCI_Authentication_Complete Event
+    255,  //  0x07 - HCI_Remote_Name_Request_Complete Event
+    4,    //  0x08 - HCI_Encryption_Change Event
+    3,    //  0x09 - HCI_Change_Connection_Link_Key_Complete Event
+    4,    //  0x0A - HCI_Master_Link_Key_Complete Event
+    11,   //  0x0B - HCI_Read_Remote_Supported_Features_Complete Event
+    8,    //  0x0C - HCI_Read_Remote_Version_Information_Complete Event
+    21,   //  0x0D - HCI_QoS_Setup_Complete Event
+    3,    //  0x0E - HCI_Command_Complete Event (Depends on command)
+    4,    //  0x0F - HCI_Command_Status Event
+    1,    //  0x10 - HCI_Hardware_Error Event
+    2,    //  0x11 - HCI_Flush_Occurred Event
+    8,    //  0x12 - HCI_Role_Change Event
+    5,    //  0x13 - HCI_Number_Of_Completed_Packets Event (Num_Handles = 1)
+    6,    //  0x14 - HCI_Mode_Change Event
+    23,   //  0x15 - HCI_Return_Link_Keys Event (Num_Keys = 1)
+    6,    //  0x16 - HCI_PIN_Code_Request Event
+    6,    //  0x17 - HCI_Link_Key_Request Event
+    23,   //  0x18 - HCI_Link_Key_Notification Event
+    3,    //  0x19 - HCI_Loopback_Command Event (Depends on command)
+    1,    //  0x1A - HCI_Data_Buffer_Overflow Event
+    3,    //  0x1B - HCI_Max_Slots_Change Event
+    5,    //  0x1C - HCI_Read_Clock_Offset_Complete Event
+    5,    //  0x1D - HCI_Connection_Packet_Type_Changed Event
+    2,    //  0x1E - HCI_QoS_Violation Event
+    7,    //  0x1F - HCI_Page_Scan_Mode_Change Event (Deprecated)
+    7,    //  0x20 - HCI_Page_Scan_Repetition_Mode_Change Event
+    22,   //  0x21 - HCI_Flow_Specification_Complet Event
+    15,   //  0x22 - HCI_Inquiry_Result_with_RSSI Event (Num_Responses = 1)
+    13,   //  0x23 - HCI_Read_Remote_Extended_Features_Complete Event
+    0,    //  0x24 - N/A
+    0,    //  0x25 - N/A
+    0,    //  0x26 - N/A
+    0,    //  0x27 - N/A
+    0,    //  0x28 - N/A
+    0,    //  0x29 - N/A
+    0,    //  0x2A - N/A
+    0,    //  0x2B - N/A
+    17,   //  0x2C - HCI_Synchronous_Connection_Complete Event
+    9,    //  0x2D - HCI_Synchronous_Connection_Changed Event
+    11,   //  0x2E - HCI_Sniff_Subrating Event
+    255,  //  0x2F - HCI_Extended_Inquiry_Result Event
+    3,    //  0x30 - HCI_Encryption_Key_Refresh_Complete Event
+    6,    //  0x31 - HCI_IO_Capability_Request Event
+    9,    //  0x32 - HCI_IO_Capability_Response Event
+    10,   //  0x33 - HCI_User_Confirmation_Request Event
+    6,    //  0x34 - HCI_User_Passkey_Request Event
+    6,    //  0x35 - HCI_Remote_OOB_Data_Request Event
+    7,    //  0x36 - HCI_Simple_Pairing_Complete Event
+    0,    //  0x37 - N/A
+    4,    //  0x38 - HCI_Link_Supervision_Timeout_Changed Event
+    2,    //  0x39 - HCI_Enhanced_Flush_Complete Event
+    0,    //  0x3A - N/A
+    10,   //  0x3B - HCI_User_Passkey_Notification Event
+    7,    //  0x3C - HCI_Keypress_Notification Event
+    14,   //  0x3D - HCI_Remote_Host_Supported_Features_Notification Event
+    0,    //  0x3E - LE Meta event
+    0,    //  0x3F - N/A
+    2,    //  0x40 - HCI_Physical_Link_Complete Event
+    1,    //  0x41 - HCI_Channel_Selected Event
+    3,    //  0x42 - HCI_Disconnection_Physical_Link_Complete Event
+    2,    //  0x43 - HCI_Physical_Link_Loss_Early_Warning Event
+    1,    //  0x44 - HCI_Physical_Link_Recovery Event
+    5,    //  0x45 - HCI_Logical_Link_Complete Event
+    4,    //  0x46 - HCI_Disconnection_Logical_Link_Complete Event
+    3,    //  0x47 - HCI_Flow_Spec_Modify_Complete Event
+    9,    //  0x48 - HCI_Number_Of_Completed_Data_Blocks Event (Num_Handles = 1)
+    2,    //  0x49 - HCI_AMP_Start_Test Event
+    2,    //  0x4A - HCI_AMP_Test_End Event
+    18,   //  0x4B - HCI_AMP_Receiver_Report Event
+    3,    //  0x4C - HCI_Short_Range_Mode_Change_Complete Event
+    2,    //  0x4D - HCI_AMP_Status_Change Event
+    9,    //  0x4E - HCI_Triggered_Clock_Capture Event
+    1,    //  0x4F - HCI_Synchronization_Train_Complete Event
+    29,   //  0x50 - HCI_Synchronization_Train_Received Event
+    18,   //  0x51 - HCI_Connectionless_Slave_Broadcast_Receive Event
+          //  (Data_Length = 0)
+    7,    //  0x52 - HCI_Connectionless_Slave_Broadcast_Timeout Event
+    7,    //  0x53 - HCI_Truncated_Page_Complete Event
+    0,    //  0x54 - HCI_Slave_Page_Response_Timeout Event
+    10,   //  0x55 - HCI_Connectionless_Slave_Broadcast_Channel_Map_Change Event
+    4,    //  0x56 - HCI_Inquiry_Response_Notification Event
+    2,    //  0x57 - HCI_Authenticated_Payload_Timeout_Expired Event
+    8,    //  0x58 - HCI_SAM_Status_Change Event
+    0,    //  0x59 - N/A
+    0,    //  0x5A - N/A
+    0,    //  0x5B - N/A
+    0,    //  0x5C - N/A
+    0,    //  0x5D - N/A
+    0,    //  0x5E - N/A
+    0,    //  0x5F - N/A
+    0,    //  0x60 - N/A
+    0,    //  0x61 - N/A
+    0,    //  0x62 - N/A
+    0,    //  0x63 - N/A
+    0,    //  0x64 - N/A
+    0,    //  0x65 - N/A
+    0,    //  0x66 - N/A
+    0,    //  0x67 - N/A
+    0,    //  0x68 - N/A
+    0,    //  0x69 - N/A
+    0,    //  0x6A - N/A
+    0,    //  0x6B - N/A
+    0,    //  0x6C - N/A
+    0,    //  0x6D - N/A
+    0,    //  0x6E - N/A
+    0,    //  0x6F - N/A
+    0,    //  0x70 - N/A
+    0,    //  0x71 - N/A
+    0,    //  0x72 - N/A
+    0,    //  0x73 - N/A
+    0,    //  0x74 - N/A
+    0,    //  0x75 - N/A
+    0,    //  0x76 - N/A
+    0,    //  0x77 - N/A
+    0,    //  0x78 - N/A
+    0,    //  0x79 - N/A
+    0,    //  0x7A - N/A
+    0,    //  0x7B - N/A
+    0,    //  0x7C - N/A
+    0,    //  0x7D - N/A
+    0,    //  0x7E - N/A
+    0,    //  0x7F - N/A
+    0,    //  0x80 - N/A
+    0,    //  0x81 - N/A
+    0,    //  0x82 - N/A
+    0,    //  0x83 - N/A
+    0,    //  0x84 - N/A
+    0,    //  0x85 - N/A
+    0,    //  0x86 - N/A
+    0,    //  0x87 - N/A
+    0,    //  0x88 - N/A
+    0,    //  0x89 - N/A
+    0,    //  0x8A - N/A
+    0,    //  0x8B - N/A
+    0,    //  0x8C - N/A
+    0,    //  0x8D - N/A
+    0,    //  0x8E - N/A
+    0,    //  0x8F - N/A
+    0,    //  0x90 - N/A
+    0,    //  0x91 - N/A
+    0,    //  0x92 - N/A
+    0,    //  0x93 - N/A
+    0,    //  0x94 - N/A
+    0,    //  0x95 - N/A
+    0,    //  0x96 - N/A
+    0,    //  0x97 - N/A
+    0,    //  0x98 - N/A
+    0,    //  0x99 - N/A
+    0,    //  0x9A - N/A
+    0,    //  0x9B - N/A
+    0,    //  0x9C - N/A
+    0,    //  0x9D - N/A
+    0,    //  0x9E - N/A
+    0,    //  0x9F - N/A
+    0,    //  0xA0 - N/A
+    0,    //  0xA1 - N/A
+    0,    //  0xA2 - N/A
+    0,    //  0xA3 - N/A
+    0,    //  0xA4 - N/A
+    0,    //  0xA5 - N/A
+    0,    //  0xA6 - N/A
+    0,    //  0xA7 - N/A
+    0,    //  0xA8 - N/A
+    0,    //  0xA9 - N/A
+    0,    //  0xAA - N/A
+    0,    //  0xAB - N/A
+    0,    //  0xAC - N/A
+    0,    //  0xAD - N/A
+    0,    //  0xAE - N/A
+    0,    //  0xAF - N/A
+    0,    //  0xB0 - N/A
+    0,    //  0xB1 - N/A
+    0,    //  0xB2 - N/A
+    0,    //  0xB3 - N/A
+    0,    //  0xB4 - N/A
+    0,    //  0xB5 - N/A
+    0,    //  0xB6 - N/A
+    0,    //  0xB7 - N/A
+    0,    //  0xB8 - N/A
+    0,    //  0xB9 - N/A
+    0,    //  0xBA - N/A
+    0,    //  0xBB - N/A
+    0,    //  0xBC - N/A
+    0,    //  0xBD - N/A
+    0,    //  0xBE - N/A
+    0,    //  0xBF - N/A
+    0,    //  0xC0 - N/A
+    0,    //  0xC1 - N/A
+    0,    //  0xC2 - N/A
+    0,    //  0xC3 - N/A
+    0,    //  0xC4 - N/A
+    0,    //  0xC5 - N/A
+    0,    //  0xC6 - N/A
+    0,    //  0xC7 - N/A
+    0,    //  0xC8 - N/A
+    0,    //  0xC9 - N/A
+    0,    //  0xCA - N/A
+    0,    //  0xCB - N/A
+    0,    //  0xCC - N/A
+    0,    //  0xCD - N/A
+    0,    //  0xCE - N/A
+    0,    //  0xCF - N/A
+    0,    //  0xD0 - N/A
+    0,    //  0xD1 - N/A
+    0,    //  0xD2 - N/A
+    0,    //  0xD3 - N/A
+    0,    //  0xD4 - N/A
+    0,    //  0xD5 - N/A
+    0,    //  0xD6 - N/A
+    0,    //  0xD7 - N/A
+    0,    //  0xD8 - N/A
+    0,    //  0xD9 - N/A
+    0,    //  0xDA - N/A
+    0,    //  0xDB - N/A
+    0,    //  0xDC - N/A
+    0,    //  0xDD - N/A
+    0,    //  0xDE - N/A
+    0,    //  0xDF - N/A
+    0,    //  0xE0 - N/A
+    0,    //  0xE1 - N/A
+    0,    //  0xE2 - N/A
+    0,    //  0xE3 - N/A
+    0,    //  0xE4 - N/A
+    0,    //  0xE5 - N/A
+    0,    //  0xE6 - N/A
+    0,    //  0xE7 - N/A
+    0,    //  0xE8 - N/A
+    0,    //  0xE9 - N/A
+    0,    //  0xEA - N/A
+    0,    //  0xEB - N/A
+    0,    //  0xEC - N/A
+    0,    //  0xED - N/A
+    0,    //  0xEE - N/A
+    0,    //  0xEF - N/A
+    0,    //  0xF0 - N/A
+    0,    //  0xF1 - N/A
+    0,    //  0xF2 - N/A
+    0,    //  0xF3 - N/A
+    0,    //  0xF4 - N/A
+    0,    //  0xF5 - N/A
+    0,    //  0xF6 - N/A
+    0,    //  0xF7 - N/A
+    0,    //  0xF8 - N/A
+    0,    //  0xF9 - N/A
+    0,    //  0xFA - N/A
+    0,    //  0xFB - N/A
+    0,    //  0xFC - N/A
+    0,    //  0xFD - N/A
+    0,    //  0xFE - N/A
+    0,    //  0xFF - HCI_Vendor_Specific Event
+};

stack/l2cap/l2c_int.h

diff --git a/stack/l2cap/l2c_int.h b/stack/l2cap/l2c_int.h
index 53b6f32..e58efaf 100644
--- a/stack/l2cap/l2c_int.h
+++ b/stack/l2cap/l2c_int.h
@@ -713,7 +713,7 @@
 extern void l2c_link_check_send_pkts(tL2C_LCB* p_lcb, tL2C_CCB* p_ccb,
                                      BT_HDR* p_buf);
 extern void l2c_link_adjust_allocation(void);
-extern void l2c_link_process_num_completed_pkts(uint8_t* p);
+extern void l2c_link_process_num_completed_pkts(uint8_t* p, uint8_t evt_len);
 extern void l2c_link_process_num_completed_blocks(uint8_t controller_id,
                                                   uint8_t* p, uint16_t evt_len);
 extern void l2c_link_processs_num_bufs(uint16_t num_lm_acl_bufs);

stack/l2cap/l2c_link.cc

diff --git a/stack/l2cap/l2c_link.cc b/stack/l2cap/l2c_link.cc
index 8e04c6e..958425d 100644
--- a/stack/l2cap/l2c_link.cc
+++ b/stack/l2cap/l2c_link.cc
@@ -40,6 +40,7 @@
 #include "l2c_api.h"
 #include "l2c_int.h"
 #include "l2cdefs.h"
+#include "log/log.h"
 #include "osi/include/osi.h"
 
 static bool l2c_link_send_to_lower(tL2C_LCB* p_lcb, BT_HDR* p_buf,
@@ -675,6 +676,8 @@
   uint16_t num_hipri_links = 0;
   uint16_t controller_xmit_quota = l2cb.num_lm_acl_bufs;
   uint16_t high_pri_link_quota = L2CAP_HIGH_PRI_MIN_XMIT_QUOTA_A;
+  bool is_share_buffer =
+      (l2cb.num_lm_ble_bufs == L2C_DEF_NUM_BLE_BUF_SHARED) ? true : false;
 
   /* If no links active, reset buffer quotas and controller buffers */
   if (l2cb.num_links_active == 0) {
@@ -685,7 +688,8 @@
 
   /* First, count the links */
   for (yy = 0, p_lcb = &l2cb.lcb_pool[0]; yy < MAX_L2CAP_LINKS; yy++, p_lcb++) {
-    if (p_lcb->in_use) {
+    if (p_lcb->in_use &&
+        (is_share_buffer || p_lcb->transport != BT_TRANSPORT_LE)) {
       if (p_lcb->acl_priority == L2CAP_PRIORITY_HIGH)
         num_hipri_links++;
       else
@@ -732,7 +736,8 @@
 
   /* Now, assign the quotas to each link */
   for (yy = 0, p_lcb = &l2cb.lcb_pool[0]; yy < MAX_L2CAP_LINKS; yy++, p_lcb++) {
-    if (p_lcb->in_use) {
+    if (p_lcb->in_use &&
+        (is_share_buffer || p_lcb->transport != BT_TRANSPORT_LE)) {
       if (p_lcb->acl_priority == L2CAP_PRIORITY_HIGH) {
         p_lcb->link_xmit_quota = high_pri_link_quota;
       } else {
@@ -1210,13 +1215,22 @@
  * Returns          void
  *
  ******************************************************************************/
-void l2c_link_process_num_completed_pkts(uint8_t* p) {
+void l2c_link_process_num_completed_pkts(uint8_t* p, uint8_t evt_len) {
   uint8_t num_handles, xx;
   uint16_t handle;
   uint16_t num_sent;
   tL2C_LCB* p_lcb;
 
-  STREAM_TO_UINT8(num_handles, p);
+  if (evt_len > 0) {
+    STREAM_TO_UINT8(num_handles, p);
+  } else {
+    num_handles = 0;
+  }
+
+  if (num_handles > evt_len / (2 * sizeof(uint16_t))) {
+    android_errorWriteLog(0x534e4554, "141617601");
+    num_handles = evt_len / (2 * sizeof(uint16_t));
+  }
 
   for (xx = 0; xx < num_handles; xx++) {
     STREAM_TO_UINT16(handle, p);

stack/l2cap/l2c_main.cc

diff --git a/stack/l2cap/l2c_main.cc b/stack/l2cap/l2c_main.cc
index 128f60e..52d77c5 100644
--- a/stack/l2cap/l2c_main.cc
+++ b/stack/l2cap/l2c_main.cc
@@ -97,6 +97,11 @@
     /* There is a slight possibility (specifically with USB) that we get an */
     /* L2CAP connection request before we get the HCI connection complete.  */
     /* So for these types of messages, hold them for up to 2 seconds.       */
+    if (l2cap_len == 0) {
+      L2CAP_TRACE_WARNING("received empty L2CAP packet");
+      osi_free(p_msg);
+      return;
+    }
     uint8_t cmd_code;
     STREAM_TO_UINT8(cmd_code, p);