Home | History | Annotate | Download | only in dm
      1 /******************************************************************************
      2  *
      3  *  Copyright (C) 2003-2014 Broadcom Corporation
      4  *
      5  *  Licensed under the Apache License, Version 2.0 (the "License");
      6  *  you may not use this file except in compliance with the License.
      7  *  You may obtain a copy of the License at:
      8  *
      9  *  http://www.apache.org/licenses/LICENSE-2.0
     10  *
     11  *  Unless required by applicable law or agreed to in writing, software
     12  *  distributed under the License is distributed on an "AS IS" BASIS,
     13  *  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
     14  *  See the License for the specific language governing permissions and
     15  *  limitations under the License.
     16  *
     17  ******************************************************************************/
     18 
     19 /******************************************************************************
     20  *
     21  *  This file contains the action functions for device manager state
     22  *  machine.
     23  *
     24  ******************************************************************************/
     25 
     26 #define LOG_TAG "bt_bta_dm"
     27 
     28 #include <base/bind.h>
     29 #include <base/callback.h>
     30 #include <base/logging.h>
     31 #include <string.h>
     32 
     33 #include "bt_common.h"
     34 #include "bt_target.h"
     35 #include "bt_types.h"
     36 #include "bta_api.h"
     37 #include "bta_dm_api.h"
     38 #include "bta_dm_co.h"
     39 #include "bta_dm_int.h"
     40 #include "bta_sys.h"
     41 #include "btm_api.h"
     42 #include "btm_int.h"
     43 #include "btu.h"
     44 #include "gap_api.h" /* For GAP_BleReadPeerPrefConnParams */
     45 #include "l2c_api.h"
     46 #include "osi/include/log.h"
     47 #include "osi/include/osi.h"
     48 #include "sdp_api.h"
     49 #include "utl.h"
     50 
     51 #if (GAP_INCLUDED == TRUE)
     52 #include "gap_api.h"
     53 #endif
     54 
     55 static void bta_dm_inq_results_cb(tBTM_INQ_RESULTS* p_inq, uint8_t* p_eir,
     56                                   uint16_t eir_len);
     57 static void bta_dm_inq_cmpl_cb(void* p_result);
     58 static void bta_dm_service_search_remname_cback(BD_ADDR bd_addr, DEV_CLASS dc,
     59                                                 BD_NAME bd_name);
     60 static void bta_dm_remname_cback(tBTM_REMOTE_DEV_NAME* p_remote_name);
     61 static void bta_dm_find_services(BD_ADDR bd_addr);
     62 static void bta_dm_discover_next_device(void);
     63 static void bta_dm_sdp_callback(uint16_t sdp_status);
     64 static uint8_t bta_dm_authorize_cback(BD_ADDR bd_addr, DEV_CLASS dev_class,
     65                                       BD_NAME bd_name, uint8_t* service_name,
     66                                       uint8_t service_id, bool is_originator);
     67 static uint8_t bta_dm_pin_cback(BD_ADDR bd_addr, DEV_CLASS dev_class,
     68                                 BD_NAME bd_name, bool min_16_digit);
     69 static uint8_t bta_dm_new_link_key_cback(BD_ADDR bd_addr, DEV_CLASS dev_class,
     70                                          BD_NAME bd_name, LINK_KEY key,
     71                                          uint8_t key_type);
     72 static uint8_t bta_dm_authentication_complete_cback(BD_ADDR bd_addr,
     73                                                     DEV_CLASS dev_class,
     74                                                     BD_NAME bd_name,
     75                                                     int result);
     76 static void bta_dm_local_name_cback(BD_ADDR bd_addr);
     77 static bool bta_dm_check_av(uint16_t event);
     78 static void bta_dm_bl_change_cback(tBTM_BL_EVENT_DATA* p_data);
     79 
     80 static void bta_dm_policy_cback(tBTA_SYS_CONN_STATUS status, uint8_t id,
     81                                 uint8_t app_id, BD_ADDR peer_addr);
     82 
     83 /* Extended Inquiry Response */
     84 #if (BTM_LOCAL_IO_CAPS != BTM_IO_CAP_NONE)
     85 static uint8_t bta_dm_sp_cback(tBTM_SP_EVT event, tBTM_SP_EVT_DATA* p_data);
     86 #endif
     87 
     88 static void bta_dm_set_eir(char* local_name);
     89 
     90 static void bta_dm_eir_search_services(tBTM_INQ_RESULTS* p_result,
     91                                        tBTA_SERVICE_MASK* p_services_to_search,
     92                                        tBTA_SERVICE_MASK* p_services_found);
     93 
     94 static void bta_dm_search_timer_cback(void* data);
     95 static void bta_dm_disable_conn_down_timer_cback(void* data);
     96 static void bta_dm_rm_cback(tBTA_SYS_CONN_STATUS status, uint8_t id,
     97                             uint8_t app_id, BD_ADDR peer_addr);
     98 static void bta_dm_adjust_roles(bool delay_role_switch);
     99 static char* bta_dm_get_remname(void);
    100 static void bta_dm_bond_cancel_complete_cback(tBTM_STATUS result);
    101 
    102 static bool bta_dm_read_remote_device_name(BD_ADDR bd_addr,
    103                                            tBT_TRANSPORT transport);
    104 static void bta_dm_discover_device(BD_ADDR remote_bd_addr);
    105 
    106 static void bta_dm_sys_hw_cback(tBTA_SYS_HW_EVT status);
    107 static void bta_dm_disable_search_and_disc(void);
    108 
    109 static uint8_t bta_dm_ble_smp_cback(tBTM_LE_EVT event, BD_ADDR bda,
    110                                     tBTM_LE_EVT_DATA* p_data);
    111 static void bta_dm_ble_id_key_cback(uint8_t key_type,
    112                                     tBTM_BLE_LOCAL_KEYS* p_key);
    113 static void bta_dm_gattc_register(void);
    114 static void btm_dm_start_gatt_discovery(BD_ADDR bd_addr);
    115 static void bta_dm_cancel_gatt_discovery(BD_ADDR bd_addr);
    116 static void bta_dm_gattc_callback(tBTA_GATTC_EVT event, tBTA_GATTC* p_data);
    117 extern tBTA_DM_CONTRL_STATE bta_dm_pm_obtain_controller_state(void);
    118 
    119 #if (BLE_VND_INCLUDED == TRUE)
    120 static void bta_dm_ctrl_features_rd_cmpl_cback(tBTM_STATUS result);
    121 #endif
    122 
    123 #ifndef BTA_DM_BLE_ADV_CHNL_MAP
    124 #define BTA_DM_BLE_ADV_CHNL_MAP \
    125   (BTM_BLE_ADV_CHNL_37 | BTM_BLE_ADV_CHNL_38 | BTM_BLE_ADV_CHNL_39)
    126 #endif
    127 
    128 /* Disable timer interval (in milliseconds) */
    129 #ifndef BTA_DM_DISABLE_TIMER_MS
    130 #define BTA_DM_DISABLE_TIMER_MS 5000
    131 #endif
    132 
    133 /* Disable timer retrial interval (in milliseconds) */
    134 #ifndef BTA_DM_DISABLE_TIMER_RETRIAL_MS
    135 #define BTA_DM_DISABLE_TIMER_RETRIAL_MS 1500
    136 #endif
    137 
    138 /* Disable connection down timer (in milliseconds) */
    139 #ifndef BTA_DM_DISABLE_CONN_DOWN_TIMER_MS
    140 #define BTA_DM_DISABLE_CONN_DOWN_TIMER_MS 1000
    141 #endif
    142 
    143 /* Switch delay timer (in milliseconds) */
    144 #ifndef BTA_DM_SWITCH_DELAY_TIMER_MS
    145 #define BTA_DM_SWITCH_DELAY_TIMER_MS 500
    146 #endif
    147 
    148 static void bta_dm_reset_sec_dev_pending(BD_ADDR remote_bd_addr);
    149 static void bta_dm_remove_sec_dev_entry(BD_ADDR remote_bd_addr);
    150 static void bta_dm_observe_results_cb(tBTM_INQ_RESULTS* p_inq, uint8_t* p_eir,
    151                                       uint16_t eir_len);
    152 static void bta_dm_observe_cmpl_cb(void* p_result);
    153 static void bta_dm_delay_role_switch_cback(void* data);
    154 static void bta_dm_disable_timer_cback(void* data);
    155 
    156 const uint16_t bta_service_id_to_uuid_lkup_tbl[BTA_MAX_SERVICE_ID] = {
    157     UUID_SERVCLASS_PNP_INFORMATION,       /* Reserved */
    158     UUID_SERVCLASS_SERIAL_PORT,           /* BTA_SPP_SERVICE_ID */
    159     UUID_SERVCLASS_DIALUP_NETWORKING,     /* BTA_DUN_SERVICE_ID */
    160     UUID_SERVCLASS_AUDIO_SOURCE,          /* BTA_A2DP_SOURCE_SERVICE_ID */
    161     UUID_SERVCLASS_LAN_ACCESS_USING_PPP,  /* BTA_LAP_SERVICE_ID */
    162     UUID_SERVCLASS_HEADSET,               /* BTA_HSP_HS_SERVICE_ID */
    163     UUID_SERVCLASS_HF_HANDSFREE,          /* BTA_HFP_HS_SERVICE_ID */
    164     UUID_SERVCLASS_OBEX_OBJECT_PUSH,      /* BTA_OPP_SERVICE_ID */
    165     UUID_SERVCLASS_OBEX_FILE_TRANSFER,    /* BTA_FTP_SERVICE_ID */
    166     UUID_SERVCLASS_CORDLESS_TELEPHONY,    /* BTA_CTP_SERVICE_ID */
    167     UUID_SERVCLASS_INTERCOM,              /* BTA_ICP_SERVICE_ID */
    168     UUID_SERVCLASS_IRMC_SYNC,             /* BTA_SYNC_SERVICE_ID */
    169     UUID_SERVCLASS_DIRECT_PRINTING,       /* BTA_BPP_SERVICE_ID */
    170     UUID_SERVCLASS_IMAGING_RESPONDER,     /* BTA_BIP_SERVICE_ID */
    171     UUID_SERVCLASS_PANU,                  /* BTA_PANU_SERVICE_ID */
    172     UUID_SERVCLASS_NAP,                   /* BTA_NAP_SERVICE_ID */
    173     UUID_SERVCLASS_GN,                    /* BTA_GN_SERVICE_ID */
    174     UUID_SERVCLASS_SAP,                   /* BTA_SAP_SERVICE_ID */
    175     UUID_SERVCLASS_AUDIO_SINK,            /* BTA_A2DP_SERVICE_ID */
    176     UUID_SERVCLASS_AV_REMOTE_CONTROL,     /* BTA_AVRCP_SERVICE_ID */
    177     UUID_SERVCLASS_HUMAN_INTERFACE,       /* BTA_HID_SERVICE_ID */
    178     UUID_SERVCLASS_VIDEO_SINK,            /* BTA_VDP_SERVICE_ID */
    179     UUID_SERVCLASS_PBAP_PSE,              /* BTA_PBAP_SERVICE_ID */
    180     UUID_SERVCLASS_HEADSET_AUDIO_GATEWAY, /* BTA_HSP_SERVICE_ID */
    181     UUID_SERVCLASS_AG_HANDSFREE,          /* BTA_HFP_SERVICE_ID */
    182     UUID_SERVCLASS_MESSAGE_ACCESS,        /* BTA_MAP_SERVICE_ID */
    183     UUID_SERVCLASS_MESSAGE_NOTIFICATION,  /* BTA_MN_SERVICE_ID */
    184     UUID_SERVCLASS_HDP_PROFILE,           /* BTA_HDP_SERVICE_ID */
    185     UUID_SERVCLASS_PBAP_PCE,              /* BTA_PCE_SERVICE_ID */
    186     UUID_PROTOCOL_ATT                     /* BTA_GATT_SERVICE_ID */
    187 };
    188 
    189 /*
    190  * NOTE : The number of element in bta_service_id_to_btm_srv_id_lkup_tbl should
    191  * be matching with
    192  *        the value BTA_MAX_SERVICE_ID in bta_api.h
    193  *
    194  *        i.e., If you add new Service ID for BTA, the correct security ID of
    195  * the new service
    196  *              from Security service definitions (btm_api.h) should be added to
    197  * this lookup table.
    198  */
    199 const uint32_t bta_service_id_to_btm_srv_id_lkup_tbl[BTA_MAX_SERVICE_ID] = {
    200     0,                             /* Reserved */
    201     BTM_SEC_SERVICE_SERIAL_PORT,   /* BTA_SPP_SERVICE_ID */
    202     BTM_SEC_SERVICE_DUN,           /* BTA_DUN_SERVICE_ID */
    203     BTM_SEC_SERVICE_AVDTP,         /* BTA_AUDIO_SOURCE_SERVICE_ID */
    204     BTM_SEC_SERVICE_LAN_ACCESS,    /* BTA_LAP_SERVICE_ID */
    205     BTM_SEC_SERVICE_HEADSET_AG,    /* BTA_HSP_SERVICE_ID */
    206     BTM_SEC_SERVICE_AG_HANDSFREE,  /* BTA_HFP_SERVICE_ID */
    207     BTM_SEC_SERVICE_OBEX,          /* BTA_OPP_SERVICE_ID */
    208     BTM_SEC_SERVICE_OBEX_FTP,      /* BTA_FTP_SERVICE_ID */
    209     BTM_SEC_SERVICE_CORDLESS,      /* BTA_CTP_SERVICE_ID */
    210     BTM_SEC_SERVICE_INTERCOM,      /* BTA_ICP_SERVICE_ID */
    211     BTM_SEC_SERVICE_IRMC_SYNC,     /* BTA_SYNC_SERVICE_ID */
    212     BTM_SEC_SERVICE_BPP_JOB,       /* BTA_BPP_SERVICE_ID */
    213     BTM_SEC_SERVICE_BIP,           /* BTA_BIP_SERVICE_ID */
    214     BTM_SEC_SERVICE_BNEP_PANU,     /* BTA_PANU_SERVICE_ID */
    215     BTM_SEC_SERVICE_BNEP_NAP,      /* BTA_NAP_SERVICE_ID */
    216     BTM_SEC_SERVICE_BNEP_GN,       /* BTA_GN_SERVICE_ID */
    217     BTM_SEC_SERVICE_SAP,           /* BTA_SAP_SERVICE_ID */
    218     BTM_SEC_SERVICE_AVDTP,         /* BTA_A2DP_SERVICE_ID */
    219     BTM_SEC_SERVICE_AVCTP,         /* BTA_AVRCP_SERVICE_ID */
    220     BTM_SEC_SERVICE_HIDH_SEC_CTRL, /* BTA_HID_SERVICE_ID */
    221     BTM_SEC_SERVICE_AVDTP,         /* BTA_VDP_SERVICE_ID */
    222     BTM_SEC_SERVICE_PBAP,          /* BTA_PBAP_SERVICE_ID */
    223     BTM_SEC_SERVICE_HEADSET,       /* BTA_HSP_HS_SERVICE_ID */
    224     BTM_SEC_SERVICE_HF_HANDSFREE,  /* BTA_HFP_HS_SERVICE_ID */
    225     BTM_SEC_SERVICE_MAP,           /* BTA_MAP_SERVICE_ID */
    226     BTM_SEC_SERVICE_MAP,           /* BTA_MN_SERVICE_ID */
    227     BTM_SEC_SERVICE_HDP_SNK,       /* BTA_HDP_SERVICE_ID */
    228     BTM_SEC_SERVICE_PBAP,          /* BTA_PCE_SERVICE_ID */
    229     BTM_SEC_SERVICE_ATT            /* BTA_GATT_SERVICE_ID */
    230 };
    231 
    232 /* bta security callback */
    233 const tBTM_APPL_INFO bta_security = {&bta_dm_authorize_cback,
    234                                      &bta_dm_pin_cback,
    235                                      &bta_dm_new_link_key_cback,
    236                                      &bta_dm_authentication_complete_cback,
    237                                      &bta_dm_bond_cancel_complete_cback,
    238 #if (BTM_LOCAL_IO_CAPS != BTM_IO_CAP_NONE)
    239                                      &bta_dm_sp_cback,
    240 #else
    241                                      NULL,
    242 #endif
    243                                      &bta_dm_ble_smp_cback,
    244                                      &bta_dm_ble_id_key_cback};
    245 
    246 #define MAX_DISC_RAW_DATA_BUF (4096)
    247 uint8_t g_disc_raw_data_buf[MAX_DISC_RAW_DATA_BUF];
    248 
    249 extern DEV_CLASS local_device_default_class;
    250 extern fixed_queue_t* btu_bta_alarm_queue;
    251 
    252 /*******************************************************************************
    253  *
    254  * Function         bta_dm_enable
    255  *
    256  * Description      Initialises the BT device manager
    257  *
    258  *
    259  * Returns          void
    260  *
    261  ******************************************************************************/
    262 void bta_dm_enable(tBTA_DM_MSG* p_data) {
    263   tBTA_DM_ENABLE enable_event;
    264 
    265   /* if already in use, return an error */
    266   if (bta_dm_cb.is_bta_dm_active == true) {
    267     APPL_TRACE_WARNING("%s Device already started by another application",
    268                        __func__);
    269     memset(&enable_event, 0, sizeof(tBTA_DM_ENABLE));
    270     enable_event.status = BTA_FAILURE;
    271     if (p_data->enable.p_sec_cback != NULL)
    272       p_data->enable.p_sec_cback(BTA_DM_ENABLE_EVT,
    273                                  (tBTA_DM_SEC*)&enable_event);
    274     return;
    275   }
    276 
    277   /* first, register our callback to SYS HW manager */
    278   bta_sys_hw_register(BTA_SYS_HW_BLUETOOTH, bta_dm_sys_hw_cback);
    279 
    280   /* make sure security callback is saved - if no callback, do not erase the
    281   previous one,
    282   it could be an error recovery mechanism */
    283   if (p_data->enable.p_sec_cback != NULL)
    284     bta_dm_cb.p_sec_cback = p_data->enable.p_sec_cback;
    285   /* notify BTA DM is now active */
    286   bta_dm_cb.is_bta_dm_active = true;
    287 
    288   /* send a message to BTA SYS */
    289   tBTA_SYS_HW_MSG* sys_enable_event =
    290       (tBTA_SYS_HW_MSG*)osi_malloc(sizeof(tBTA_SYS_HW_MSG));
    291   sys_enable_event->hdr.event = BTA_SYS_API_ENABLE_EVT;
    292   sys_enable_event->hw_module = BTA_SYS_HW_BLUETOOTH;
    293 
    294   bta_sys_sendmsg(sys_enable_event);
    295 }
    296 
    297 /*******************************************************************************
    298  *
    299  * Function         bta_dm_init_cb
    300  *
    301  * Description      Initializes the bta_dm_cb control block
    302  *
    303  *
    304  * Returns          void
    305  *
    306  ******************************************************************************/
    307 void bta_dm_init_cb(void) {
    308   memset(&bta_dm_cb, 0, sizeof(bta_dm_cb));
    309   bta_dm_cb.disable_timer = alarm_new("bta_dm.disable_timer");
    310   bta_dm_cb.switch_delay_timer = alarm_new("bta_dm.switch_delay_timer");
    311   for (size_t i = 0; i < BTA_DM_NUM_PM_TIMER; i++) {
    312     for (size_t j = 0; j < BTA_DM_PM_MODE_TIMER_MAX; j++) {
    313       bta_dm_cb.pm_timer[i].timer[j] = alarm_new("bta_dm.pm_timer");
    314     }
    315   }
    316 }
    317 
    318 /*******************************************************************************
    319  *
    320  * Function         bta_dm_deinit_cb
    321  *
    322  * Description      De-initializes the bta_dm_cb control block
    323  *
    324  *
    325  * Returns          void
    326  *
    327  ******************************************************************************/
    328 void bta_dm_deinit_cb(void) {
    329   /*
    330    * TODO: Should alarm_free() the bta_dm_cb timers during graceful
    331    * shutdown.
    332    */
    333   alarm_free(bta_dm_cb.disable_timer);
    334   alarm_free(bta_dm_cb.switch_delay_timer);
    335   for (size_t i = 0; i < BTA_DM_NUM_PM_TIMER; i++) {
    336     for (size_t j = 0; j < BTA_DM_PM_MODE_TIMER_MAX; j++) {
    337       alarm_free(bta_dm_cb.pm_timer[i].timer[j]);
    338     }
    339   }
    340   memset(&bta_dm_cb, 0, sizeof(bta_dm_cb));
    341 }
    342 
    343 /*******************************************************************************
    344  *
    345  * Function         bta_dm_sys_hw_cback
    346  *
    347  * Description     callback register to SYS to get HW status updates
    348  *
    349  *
    350  * Returns          void
    351  *
    352  ******************************************************************************/
    353 static void bta_dm_sys_hw_cback(tBTA_SYS_HW_EVT status) {
    354   DEV_CLASS dev_class;
    355   tBTA_DM_SEC_CBACK* temp_cback;
    356   uint8_t key_mask = 0;
    357   BT_OCTET16 er;
    358   tBTA_BLE_LOCAL_ID_KEYS id_key;
    359 
    360   APPL_TRACE_DEBUG("%s with event: %i", __func__, status);
    361 
    362   /* On H/W error evt, report to the registered DM application callback */
    363   if (status == BTA_SYS_HW_ERROR_EVT) {
    364     if (bta_dm_cb.p_sec_cback != NULL)
    365       bta_dm_cb.p_sec_cback(BTA_DM_HW_ERROR_EVT, NULL);
    366     return;
    367   }
    368 
    369   if (status == BTA_SYS_HW_OFF_EVT) {
    370     if (bta_dm_cb.p_sec_cback != NULL)
    371       bta_dm_cb.p_sec_cback(BTA_DM_DISABLE_EVT, NULL);
    372 
    373     /* reinitialize the control block */
    374     bta_dm_deinit_cb();
    375 
    376     /* hw is ready, go on with BTA DM initialization */
    377     alarm_free(bta_dm_search_cb.search_timer);
    378     alarm_free(bta_dm_search_cb.gatt_close_timer);
    379     memset(&bta_dm_search_cb, 0, sizeof(bta_dm_search_cb));
    380 
    381     /* unregister from SYS */
    382     bta_sys_hw_unregister(BTA_SYS_HW_BLUETOOTH);
    383     /* notify BTA DM is now unactive */
    384     bta_dm_cb.is_bta_dm_active = false;
    385   } else if (status == BTA_SYS_HW_ON_EVT) {
    386     /* FIXME: We should not unregister as the SYS shall invoke this callback on
    387      * a H/W error.
    388      * We need to revisit when this platform has more than one BLuetooth H/W
    389      * chip
    390      */
    391     // bta_sys_hw_unregister( BTA_SYS_HW_BLUETOOTH);
    392 
    393     /* save security callback */
    394     temp_cback = bta_dm_cb.p_sec_cback;
    395     /* make sure the control block is properly initialized */
    396     bta_dm_init_cb();
    397     /* and retrieve the callback */
    398     bta_dm_cb.p_sec_cback = temp_cback;
    399     bta_dm_cb.is_bta_dm_active = true;
    400 
    401     /* hw is ready, go on with BTA DM initialization */
    402     alarm_free(bta_dm_search_cb.search_timer);
    403     alarm_free(bta_dm_search_cb.gatt_close_timer);
    404     memset(&bta_dm_search_cb, 0, sizeof(bta_dm_search_cb));
    405     /*
    406      * TODO: Should alarm_free() the bta_dm_search_cb timers during
    407      * graceful shutdown.
    408      */
    409     bta_dm_search_cb.search_timer = alarm_new("bta_dm_search.search_timer");
    410     bta_dm_search_cb.gatt_close_timer =
    411         alarm_new("bta_dm_search.gatt_close_timer");
    412 
    413     memset(&bta_dm_conn_srvcs, 0, sizeof(bta_dm_conn_srvcs));
    414     memset(&bta_dm_di_cb, 0, sizeof(tBTA_DM_DI_CB));
    415 
    416     memcpy(dev_class, p_bta_dm_cfg->dev_class, sizeof(dev_class));
    417     BTM_SetDeviceClass(dev_class);
    418 
    419     /* load BLE local information: ID keys, ER if available */
    420     bta_dm_co_ble_load_local_keys(&key_mask, er, &id_key);
    421 
    422     if (key_mask & BTA_BLE_LOCAL_KEY_TYPE_ER) {
    423       BTM_BleLoadLocalKeys(BTA_BLE_LOCAL_KEY_TYPE_ER,
    424                            (tBTM_BLE_LOCAL_KEYS*)&er);
    425     }
    426     if (key_mask & BTA_BLE_LOCAL_KEY_TYPE_ID) {
    427       BTM_BleLoadLocalKeys(BTA_BLE_LOCAL_KEY_TYPE_ID,
    428                            (tBTM_BLE_LOCAL_KEYS*)&id_key);
    429     }
    430     bta_dm_search_cb.conn_id = BTA_GATT_INVALID_CONN_ID;
    431 
    432     BTM_SecRegister((tBTM_APPL_INFO*)&bta_security);
    433     BTM_SetDefaultLinkSuperTout(p_bta_dm_cfg->link_timeout);
    434     BTM_WritePageTimeout(p_bta_dm_cfg->page_timeout);
    435     bta_dm_cb.cur_policy = p_bta_dm_cfg->policy_settings;
    436     BTM_SetDefaultLinkPolicy(bta_dm_cb.cur_policy);
    437     BTM_RegBusyLevelNotif(bta_dm_bl_change_cback, NULL,
    438                           BTM_BL_UPDATE_MASK | BTM_BL_ROLE_CHG_MASK);
    439 
    440 #if (BLE_VND_INCLUDED == TRUE)
    441     BTM_BleReadControllerFeatures(bta_dm_ctrl_features_rd_cmpl_cback);
    442 #else
    443     /* If VSC multi adv commands are available, advertising will be initialized
    444      * when capabilities are read. If they are not avaliable, initialize
    445      * advertising here */
    446     btm_ble_adv_init();
    447 #endif
    448 
    449     /* Earlier, we used to invoke BTM_ReadLocalAddr which was just copying the
    450        bd_addr
    451        from the control block and invoking the callback which was sending the
    452        DM_ENABLE_EVT.
    453        But then we have a few HCI commands being invoked above which were still
    454        in progress
    455        when the ENABLE_EVT was sent. So modified this to fetch the local name
    456        which forces
    457        the DM_ENABLE_EVT to be sent only after all the init steps are complete
    458        */
    459     BTM_ReadLocalDeviceNameFromController(
    460         (tBTM_CMPL_CB*)bta_dm_local_name_cback);
    461 
    462     bta_sys_rm_register((tBTA_SYS_CONN_CBACK*)bta_dm_rm_cback);
    463 
    464     /* initialize bluetooth low power manager */
    465     bta_dm_init_pm();
    466 
    467     bta_sys_policy_register((tBTA_SYS_CONN_CBACK*)bta_dm_policy_cback);
    468 
    469     bta_dm_gattc_register();
    470 
    471   } else
    472     APPL_TRACE_DEBUG(" --- ignored event");
    473 }
    474 
    475 /*******************************************************************************
    476  *
    477  * Function         bta_dm_disable
    478  *
    479  * Description      Disables the BT device manager
    480  *
    481  *
    482  * Returns          void
    483  *
    484  ******************************************************************************/
    485 void bta_dm_disable(UNUSED_ATTR tBTA_DM_MSG* p_data) {
    486   /* Set l2cap idle timeout to 0 (so BTE immediately disconnects ACL link after
    487    * last channel is closed) */
    488   L2CA_SetIdleTimeoutByBdAddr((uint8_t*)BT_BD_ANY, 0, BT_TRANSPORT_BR_EDR);
    489   L2CA_SetIdleTimeoutByBdAddr((uint8_t*)BT_BD_ANY, 0, BT_TRANSPORT_LE);
    490 
    491   /* disable all active subsystems */
    492   bta_sys_disable(BTA_SYS_HW_BLUETOOTH);
    493 
    494   BTM_SetDiscoverability(BTM_NON_DISCOVERABLE, 0, 0);
    495   BTM_SetConnectability(BTM_NON_CONNECTABLE, 0, 0);
    496 
    497   bta_dm_disable_pm();
    498   bta_dm_disable_search_and_disc();
    499   bta_dm_cb.disabling = true;
    500 
    501   BTM_BleClearBgConnDev();
    502 
    503   if (BTM_GetNumAclLinks() == 0) {
    504 #if (BTA_DISABLE_DELAY > 0)
    505     /* If BTA_DISABLE_DELAY is defined and greater than zero, then delay the
    506      * shutdown by
    507      * BTA_DISABLE_DELAY milliseconds
    508      */
    509     APPL_TRACE_WARNING("%s BTA_DISABLE_DELAY set to %d ms", __func__,
    510                        BTA_DISABLE_DELAY);
    511     alarm_set_on_queue(bta_dm_cb.disable_timer, BTA_DISABLE_DELAY,
    512                        bta_dm_disable_conn_down_timer_cback, NULL,
    513                        btu_bta_alarm_queue);
    514 #else
    515     bta_dm_disable_conn_down_timer_cback(NULL);
    516 #endif
    517   } else {
    518     alarm_set_on_queue(bta_dm_cb.disable_timer, BTA_DM_DISABLE_TIMER_MS,
    519                        bta_dm_disable_timer_cback, UINT_TO_PTR(0),
    520                        btu_bta_alarm_queue);
    521   }
    522 }
    523 
    524 /*******************************************************************************
    525  *
    526  * Function         bta_dm_disable_timer_cback
    527  *
    528  * Description      Called if the disable timer expires
    529  *                  Used to close ACL connections which are still active
    530  *
    531  *
    532  *
    533  * Returns          void
    534  *
    535  ******************************************************************************/
    536 static void bta_dm_disable_timer_cback(void* data) {
    537   uint8_t i;
    538   tBT_TRANSPORT transport = BT_TRANSPORT_BR_EDR;
    539   bool trigger_disc = false;
    540   uint32_t param = PTR_TO_UINT(data);
    541 
    542   APPL_TRACE_EVENT("%s trial %u", __func__, param);
    543 
    544   if (BTM_GetNumAclLinks() && (param == 0)) {
    545     for (i = 0; i < bta_dm_cb.device_list.count; i++) {
    546       transport = bta_dm_cb.device_list.peer_device[i].transport;
    547       btm_remove_acl(bta_dm_cb.device_list.peer_device[i].peer_bdaddr,
    548                      transport);
    549       trigger_disc = true;
    550     }
    551 
    552     /* Retrigger disable timer in case ACL disconnect failed, DISABLE_EVT still
    553        need
    554         to be sent out to avoid jave layer disable timeout */
    555     if (trigger_disc) {
    556       alarm_set_on_queue(
    557           bta_dm_cb.disable_timer, BTA_DM_DISABLE_TIMER_RETRIAL_MS,
    558           bta_dm_disable_timer_cback, UINT_TO_PTR(1), btu_bta_alarm_queue);
    559     }
    560   } else {
    561     bta_dm_cb.disabling = false;
    562 
    563     bta_sys_remove_uuid(UUID_SERVCLASS_PNP_INFORMATION);
    564     bta_dm_cb.p_sec_cback(BTA_DM_DISABLE_EVT, NULL);
    565   }
    566 }
    567 
    568 /*******************************************************************************
    569  *
    570  * Function         bta_dm_set_dev_name
    571  *
    572  * Description      Sets local device name
    573  *
    574  *
    575  * Returns          void
    576  *
    577  ******************************************************************************/
    578 void bta_dm_set_dev_name(tBTA_DM_MSG* p_data) {
    579   BTM_SetLocalDeviceName((char*)p_data->set_name.name);
    580   bta_dm_set_eir((char*)p_data->set_name.name);
    581 }
    582 
    583 /*******************************************************************************
    584  *
    585  * Function         bta_dm_set_visibility
    586  *
    587  * Description      Sets discoverability, connectability and pairability
    588  *
    589  *
    590  * Returns          void
    591  *
    592  ******************************************************************************/
    593 void bta_dm_set_visibility(tBTA_DM_MSG* p_data) {
    594   uint16_t window, interval;
    595   uint16_t le_disc_mode = BTM_BleReadDiscoverability();
    596   uint16_t le_conn_mode = BTM_BleReadConnectability();
    597   uint16_t disc_mode = BTM_ReadDiscoverability(&window, &interval);
    598   uint16_t conn_mode = BTM_ReadConnectability(&window, &interval);
    599 
    600   /* set modes for Discoverability and connectability if not ignore */
    601   if (p_data->set_visibility.disc_mode != (BTA_DM_IGNORE | BTA_DM_LE_IGNORE)) {
    602     if ((p_data->set_visibility.disc_mode & BTA_DM_LE_IGNORE) ==
    603         BTA_DM_LE_IGNORE)
    604       p_data->set_visibility.disc_mode =
    605           ((p_data->set_visibility.disc_mode & ~BTA_DM_LE_IGNORE) |
    606            le_disc_mode);
    607     if ((p_data->set_visibility.disc_mode & BTA_DM_IGNORE) == BTA_DM_IGNORE)
    608       p_data->set_visibility.disc_mode =
    609           ((p_data->set_visibility.disc_mode & ~BTA_DM_IGNORE) | disc_mode);
    610 
    611     BTM_SetDiscoverability(p_data->set_visibility.disc_mode,
    612                            bta_dm_cb.inquiry_scan_window,
    613                            bta_dm_cb.inquiry_scan_interval);
    614   }
    615 
    616   if (p_data->set_visibility.conn_mode != (BTA_DM_IGNORE | BTA_DM_LE_IGNORE)) {
    617     if ((p_data->set_visibility.conn_mode & BTA_DM_LE_IGNORE) ==
    618         BTA_DM_LE_IGNORE)
    619       p_data->set_visibility.conn_mode =
    620           ((p_data->set_visibility.conn_mode & ~BTA_DM_LE_IGNORE) |
    621            le_conn_mode);
    622     if ((p_data->set_visibility.conn_mode & BTA_DM_IGNORE) == BTA_DM_IGNORE)
    623       p_data->set_visibility.conn_mode =
    624           ((p_data->set_visibility.conn_mode & ~BTA_DM_IGNORE) | conn_mode);
    625 
    626     BTM_SetConnectability(p_data->set_visibility.conn_mode,
    627                           bta_dm_cb.page_scan_window,
    628                           bta_dm_cb.page_scan_interval);
    629   }
    630 
    631   /* Send False or True if not ignore */
    632   if (p_data->set_visibility.pair_mode != BTA_DM_IGNORE) {
    633     if (p_data->set_visibility.pair_mode == BTA_DM_NON_PAIRABLE)
    634       bta_dm_cb.disable_pair_mode = true;
    635     else
    636       bta_dm_cb.disable_pair_mode = false;
    637   }
    638 
    639   /* Send False or True if not ignore */
    640   if (p_data->set_visibility.conn_paired_only != BTA_DM_IGNORE) {
    641     if (p_data->set_visibility.conn_paired_only == BTA_DM_CONN_ALL)
    642       bta_dm_cb.conn_paired_only = false;
    643     else
    644       bta_dm_cb.conn_paired_only = true;
    645   }
    646 
    647   /* Change mode if either mode is not ignore */
    648   if (p_data->set_visibility.pair_mode != BTA_DM_IGNORE ||
    649       p_data->set_visibility.conn_paired_only != BTA_DM_IGNORE)
    650     BTM_SetPairableMode((bool)(!(bta_dm_cb.disable_pair_mode)),
    651                         bta_dm_cb.conn_paired_only);
    652 }
    653 
    654 /*******************************************************************************
    655  *
    656  * Function         bta_dm_process_remove_device
    657  *
    658  * Description      Removes device, Disconnects ACL link if required.
    659  ***
    660  ******************************************************************************/
    661 void bta_dm_process_remove_device(BD_ADDR bd_addr) {
    662   /* need to remove all pending background connection before unpair */
    663   BTA_GATTC_CancelOpen(0, bd_addr, false);
    664 
    665   BTM_SecDeleteDevice(bd_addr);
    666 
    667   /* remove all cached GATT information */
    668   BTA_GATTC_Refresh(bd_addr);
    669 
    670   if (bta_dm_cb.p_sec_cback) {
    671     tBTA_DM_SEC sec_event;
    672     bdcpy(sec_event.link_down.bd_addr, bd_addr);
    673     /* No connection, set status to success (acl disc code not valid) */
    674     sec_event.link_down.status = HCI_SUCCESS;
    675     bta_dm_cb.p_sec_cback(BTA_DM_DEV_UNPAIRED_EVT, &sec_event);
    676   }
    677 }
    678 
    679 /*******************************************************************************
    680  *
    681  * Function         bta_dm_remove_device
    682  *
    683  * Description      Removes device, disconnects ACL link if required.
    684  ***
    685  ******************************************************************************/
    686 void bta_dm_remove_device(tBTA_DM_MSG* p_data) {
    687   tBTA_DM_API_REMOVE_DEVICE* p_dev = &p_data->remove_dev;
    688   bool continue_delete_other_dev = false;
    689   if (p_dev == NULL) return;
    690 
    691   BD_ADDR other_address;
    692   bdcpy(other_address, p_dev->bd_addr);
    693 
    694   /* If ACL exists for the device in the remove_bond message*/
    695   bool continue_delete_dev = false;
    696   uint8_t other_transport = BT_TRANSPORT_INVALID;
    697 
    698   if (BTM_IsAclConnectionUp(p_dev->bd_addr, BT_TRANSPORT_LE) ||
    699       BTM_IsAclConnectionUp(p_dev->bd_addr, BT_TRANSPORT_BR_EDR)) {
    700     APPL_TRACE_DEBUG("%s: ACL Up count  %d", __func__,
    701                      bta_dm_cb.device_list.count);
    702     continue_delete_dev = false;
    703 
    704     /* Take the link down first, and mark the device for removal when
    705      * disconnected */
    706     for (int i = 0; i < bta_dm_cb.device_list.count; i++) {
    707       if (!bdcmp(bta_dm_cb.device_list.peer_device[i].peer_bdaddr,
    708                  p_dev->bd_addr)) {
    709         uint8_t transport = BT_TRANSPORT_BR_EDR;
    710 
    711         transport = bta_dm_cb.device_list.peer_device[i].transport;
    712         bta_dm_cb.device_list.peer_device[i].conn_state = BTA_DM_UNPAIRING;
    713         btm_remove_acl(p_dev->bd_addr, transport);
    714         APPL_TRACE_DEBUG("%s:transport = %d", __func__,
    715                          bta_dm_cb.device_list.peer_device[i].transport);
    716 
    717         /* save the other transport to check if device is connected on
    718          * other_transport */
    719         if (bta_dm_cb.device_list.peer_device[i].transport == BT_TRANSPORT_LE)
    720           other_transport = BT_TRANSPORT_BR_EDR;
    721         else
    722           other_transport = BT_TRANSPORT_LE;
    723 
    724         break;
    725       }
    726     }
    727   } else {
    728     continue_delete_dev = true;
    729   }
    730   // If it is DUMO device and device is paired as different address, unpair that
    731   // device
    732   // if different address
    733   if ((other_transport &&
    734        (BTM_ReadConnectedTransportAddress(other_address, other_transport))) ||
    735       (!other_transport &&
    736        (BTM_ReadConnectedTransportAddress(other_address, BT_TRANSPORT_BR_EDR) ||
    737         BTM_ReadConnectedTransportAddress(other_address, BT_TRANSPORT_LE)))) {
    738     continue_delete_other_dev = false;
    739     /* Take the link down first, and mark the device for removal when
    740      * disconnected */
    741     for (int i = 0; i < bta_dm_cb.device_list.count; i++) {
    742       if (!bdcmp(bta_dm_cb.device_list.peer_device[i].peer_bdaddr,
    743                  other_address)) {
    744         bta_dm_cb.device_list.peer_device[i].conn_state = BTA_DM_UNPAIRING;
    745         btm_remove_acl(other_address,
    746                        bta_dm_cb.device_list.peer_device[i].transport);
    747         break;
    748       }
    749     }
    750   } else {
    751     APPL_TRACE_DEBUG("%s: continue to delete the other dev ", __func__);
    752     continue_delete_other_dev = true;
    753   }
    754   /* Delete the device mentioned in the msg */
    755   if (continue_delete_dev) bta_dm_process_remove_device(p_dev->bd_addr);
    756 
    757   /* Delete the other paired device too */
    758   BD_ADDR dummy_bda = {0};
    759   if (continue_delete_other_dev && (bdcmp(other_address, dummy_bda) != 0))
    760     bta_dm_process_remove_device(other_address);
    761 }
    762 
    763 /*******************************************************************************
    764  *
    765  * Function         bta_dm_add_device
    766  *
    767  * Description      This function adds a Link Key to an security database entry.
    768  *                  It is normally called during host startup to restore all
    769  *                  required information stored in the NVRAM.
    770  ***
    771  ******************************************************************************/
    772 void bta_dm_add_device(tBTA_DM_MSG* p_data) {
    773   tBTA_DM_API_ADD_DEVICE* p_dev = &p_data->add_dev;
    774   uint8_t* p_dc = NULL;
    775   uint8_t* p_lc = NULL;
    776   uint32_t trusted_services_mask[BTM_SEC_SERVICE_ARRAY_SIZE];
    777   uint8_t index = 0;
    778   uint8_t btm_mask_index = 0;
    779 
    780   memset(trusted_services_mask, 0, sizeof(trusted_services_mask));
    781 
    782   /* If not all zeros, the device class has been specified */
    783   if (p_dev->dc_known) p_dc = (uint8_t*)p_dev->dc;
    784 
    785   if (p_dev->link_key_known) p_lc = (uint8_t*)p_dev->link_key;
    786 
    787   if (p_dev->is_trusted) {
    788     /* covert BTA service mask to BTM mask */
    789     while (p_dev->tm && (index < BTA_MAX_SERVICE_ID)) {
    790       if (p_dev->tm & (uint32_t)(1 << index)) {
    791         btm_mask_index =
    792             bta_service_id_to_btm_srv_id_lkup_tbl[index] / BTM_SEC_ARRAY_BITS;
    793         trusted_services_mask[btm_mask_index] |=
    794             (uint32_t)(1 << (bta_service_id_to_btm_srv_id_lkup_tbl[index] -
    795                              (uint32_t)(btm_mask_index * 32)));
    796 
    797         p_dev->tm &= (uint32_t)(~(1 << index));
    798       }
    799       index++;
    800     }
    801   }
    802 
    803   if (!BTM_SecAddDevice(p_dev->bd_addr, p_dc, p_dev->bd_name, p_dev->features,
    804                         trusted_services_mask, p_lc, p_dev->key_type,
    805                         p_dev->io_cap, p_dev->pin_length)) {
    806     APPL_TRACE_ERROR("BTA_DM: Error adding device %08x%04x",
    807                      (p_dev->bd_addr[0] << 24) + (p_dev->bd_addr[1] << 16) +
    808                          (p_dev->bd_addr[2] << 8) + p_dev->bd_addr[3],
    809                      (p_dev->bd_addr[4] << 8) + p_dev->bd_addr[5]);
    810   }
    811 }
    812 
    813 /*******************************************************************************
    814  *
    815  * Function         bta_dm_close_acl
    816  *
    817  * Description      This function forces to close the connection to a remote
    818  *                  device and optionaly remove the device from security
    819  *                  database if required.
    820  ***
    821  ******************************************************************************/
    822 void bta_dm_close_acl(tBTA_DM_MSG* p_data) {
    823   tBTA_DM_API_REMOVE_ACL* p_remove_acl = &p_data->remove_acl;
    824   uint8_t index;
    825 
    826   APPL_TRACE_DEBUG("bta_dm_close_acl");
    827 
    828   if (BTM_IsAclConnectionUp(p_remove_acl->bd_addr, p_remove_acl->transport)) {
    829     for (index = 0; index < bta_dm_cb.device_list.count; index++) {
    830       if (!bdcmp(bta_dm_cb.device_list.peer_device[index].peer_bdaddr,
    831                  p_remove_acl->bd_addr))
    832         break;
    833     }
    834     if (index != bta_dm_cb.device_list.count) {
    835       if (p_remove_acl->remove_dev)
    836         bta_dm_cb.device_list.peer_device[index].remove_dev_pending = true;
    837     } else {
    838       APPL_TRACE_ERROR("unknown device, remove ACL failed");
    839     }
    840     /* Disconnect the ACL link */
    841     btm_remove_acl(p_remove_acl->bd_addr, p_remove_acl->transport);
    842   }
    843   /* if to remove the device from security database ? do it now */
    844   else if (p_remove_acl->remove_dev) {
    845     if (!BTM_SecDeleteDevice(p_remove_acl->bd_addr)) {
    846       APPL_TRACE_ERROR("delete device from security database failed.");
    847     }
    848     /* need to remove all pending background connection if any */
    849     BTA_GATTC_CancelOpen(0, p_remove_acl->bd_addr, false);
    850     /* remove all cached GATT information */
    851     BTA_GATTC_Refresh(p_remove_acl->bd_addr);
    852   }
    853   /* otherwise, no action needed */
    854 }
    855 
    856 /*******************************************************************************
    857  *
    858  * Function         bta_dm_remove_all_acl
    859  *
    860  * Description      This function forces to close all the ACL links specified by
    861  *                  link type
    862  ***
    863  ******************************************************************************/
    864 void bta_dm_remove_all_acl(tBTA_DM_MSG* p_data) {
    865   const tBTA_DM_LINK_TYPE link_type = p_data->remove_all_acl.link_type;
    866   tBT_TRANSPORT transport = BT_TRANSPORT_BR_EDR;
    867 
    868   APPL_TRACE_DEBUG("%s link type = %d", __func__, link_type);
    869 
    870   for (uint8_t i = 0; i < bta_dm_cb.device_list.count; i++) {
    871     BD_ADDR addr = {0};
    872     bdcpy(addr, bta_dm_cb.device_list.peer_device[i].peer_bdaddr);
    873     transport = bta_dm_cb.device_list.peer_device[i].transport;
    874     if ((link_type == BTA_DM_LINK_TYPE_ALL) ||
    875         ((link_type == BTA_DM_LINK_TYPE_LE) &&
    876          (transport == BT_TRANSPORT_LE)) ||
    877         ((link_type == BTA_DM_LINK_TYPE_BR_EDR) &&
    878          (transport == BT_TRANSPORT_BR_EDR))) {
    879       /* Disconnect the ACL link */
    880       btm_remove_acl(addr, transport);
    881     }
    882   }
    883 }
    884 
    885 /*******************************************************************************
    886  *
    887  * Function         bta_dm_bond
    888  *
    889  * Description      Bonds with peer device
    890  *
    891  *
    892  * Returns          void
    893  *
    894  ******************************************************************************/
    895 void bta_dm_bond(tBTA_DM_MSG* p_data) {
    896   tBTM_STATUS status;
    897   tBTA_DM_SEC sec_event;
    898   char* p_name;
    899 
    900   if (p_data->bond.transport == BTA_TRANSPORT_UNKNOWN)
    901     status = BTM_SecBond(p_data->bond.bd_addr, 0, NULL, 0);
    902   else
    903     status = BTM_SecBondByTransport(p_data->bond.bd_addr,
    904                                     p_data->bond.transport, 0, NULL, 0);
    905 
    906   if (bta_dm_cb.p_sec_cback && (status != BTM_CMD_STARTED)) {
    907     memset(&sec_event, 0, sizeof(tBTA_DM_SEC));
    908     bdcpy(sec_event.auth_cmpl.bd_addr, p_data->bond.bd_addr);
    909     p_name = BTM_SecReadDevName(p_data->bond.bd_addr);
    910     if (p_name != NULL) {
    911       memcpy(sec_event.auth_cmpl.bd_name, p_name, (BD_NAME_LEN - 1));
    912       sec_event.auth_cmpl.bd_name[BD_NAME_LEN - 1] = 0;
    913     }
    914 
    915     /*      taken care of by memset [above]
    916             sec_event.auth_cmpl.key_present = false;
    917             sec_event.auth_cmpl.success = false;
    918     */
    919     sec_event.auth_cmpl.fail_reason = HCI_ERR_ILLEGAL_COMMAND;
    920     if (status == BTM_SUCCESS) {
    921       sec_event.auth_cmpl.success = true;
    922     } else {
    923       /* delete this device entry from Sec Dev DB */
    924       bta_dm_remove_sec_dev_entry(p_data->bond.bd_addr);
    925     }
    926     bta_dm_cb.p_sec_cback(BTA_DM_AUTH_CMPL_EVT, &sec_event);
    927   }
    928 }
    929 
    930 /*******************************************************************************
    931  *
    932  * Function         bta_dm_bond_cancel
    933  *
    934  * Description      Cancels bonding with a peer device
    935  *
    936  *
    937  * Returns          void
    938  *
    939  ******************************************************************************/
    940 void bta_dm_bond_cancel(tBTA_DM_MSG* p_data) {
    941   tBTM_STATUS status;
    942   tBTA_DM_SEC sec_event;
    943 
    944   APPL_TRACE_EVENT(" bta_dm_bond_cancel ");
    945   status = BTM_SecBondCancel(p_data->bond_cancel.bd_addr);
    946 
    947   if (bta_dm_cb.p_sec_cback &&
    948       (status != BTM_CMD_STARTED && status != BTM_SUCCESS)) {
    949     sec_event.bond_cancel_cmpl.result = BTA_FAILURE;
    950 
    951     bta_dm_cb.p_sec_cback(BTA_DM_BOND_CANCEL_CMPL_EVT, &sec_event);
    952   }
    953 }
    954 
    955 /*******************************************************************************
    956  *
    957  * Function         bta_dm_pin_reply
    958  *
    959  * Description      Send the pin_reply to a request from BTM
    960  *
    961  *
    962  * Returns          void
    963  *
    964  ******************************************************************************/
    965 void bta_dm_pin_reply(tBTA_DM_MSG* p_data) {
    966   uint32_t trusted_mask[BTM_SEC_SERVICE_ARRAY_SIZE];
    967   uint32_t* current_trusted_mask;
    968 
    969   current_trusted_mask = BTM_ReadTrustedMask(p_data->pin_reply.bd_addr);
    970 
    971   if (current_trusted_mask) {
    972     memcpy(trusted_mask, current_trusted_mask, sizeof(trusted_mask));
    973   } else {
    974     memset(trusted_mask, 0, sizeof(trusted_mask));
    975   }
    976 
    977   if (p_data->pin_reply.accept) {
    978     BTM_PINCodeReply(p_data->pin_reply.bd_addr, BTM_SUCCESS,
    979                      p_data->pin_reply.pin_len, p_data->pin_reply.p_pin,
    980                      trusted_mask);
    981   } else {
    982     BTM_PINCodeReply(p_data->pin_reply.bd_addr, BTM_NOT_AUTHORIZED, 0, NULL,
    983                      trusted_mask);
    984   }
    985 }
    986 
    987 /*******************************************************************************
    988  *
    989  * Function         bta_dm_policy_cback
    990  *
    991  * Description      process the link policy changes
    992  *
    993  * Returns          void
    994  *
    995  ******************************************************************************/
    996 static void bta_dm_policy_cback(tBTA_SYS_CONN_STATUS status, uint8_t id,
    997                                 uint8_t app_id, BD_ADDR peer_addr) {
    998   tBTA_DM_PEER_DEVICE* p_dev = NULL;
    999   uint16_t policy = app_id;
   1000   uint32_t mask = (uint32_t)(1 << id);
   1001 
   1002   if (peer_addr) p_dev = bta_dm_find_peer_device(peer_addr);
   1003 
   1004   APPL_TRACE_DEBUG(" bta_dm_policy_cback cmd:%d, policy:0x%x", status, policy);
   1005   switch (status) {
   1006     case BTA_SYS_PLCY_SET:
   1007       if (!p_dev) return;
   1008       /* restore the default link policy */
   1009       p_dev->link_policy |= policy;
   1010       BTM_SetLinkPolicy(p_dev->peer_bdaddr, &(p_dev->link_policy));
   1011       break;
   1012 
   1013     case BTA_SYS_PLCY_CLR:
   1014       if (!p_dev) return;
   1015       /* clear the policy from the default link policy */
   1016       p_dev->link_policy &= (~policy);
   1017       BTM_SetLinkPolicy(p_dev->peer_bdaddr, &(p_dev->link_policy));
   1018 
   1019       if (policy & (HCI_ENABLE_SNIFF_MODE | HCI_ENABLE_PARK_MODE)) {
   1020         /* if clearing sniff/park, wake the link */
   1021         bta_dm_pm_active(p_dev->peer_bdaddr);
   1022       }
   1023       break;
   1024 
   1025     case BTA_SYS_PLCY_DEF_SET:
   1026       /* want to restore/set the role switch policy */
   1027       bta_dm_cb.role_policy_mask &= ~mask;
   1028       if (0 == bta_dm_cb.role_policy_mask) {
   1029         /* if nobody wants to insist on the role */
   1030         bta_dm_cb.cur_policy |= HCI_ENABLE_MASTER_SLAVE_SWITCH;
   1031         BTM_SetDefaultLinkPolicy(bta_dm_cb.cur_policy);
   1032       }
   1033       break;
   1034 
   1035     case BTA_SYS_PLCY_DEF_CLR:
   1036       /* want to remove the role switch policy */
   1037       bta_dm_cb.role_policy_mask |= mask;
   1038       bta_dm_cb.cur_policy &= ~HCI_ENABLE_MASTER_SLAVE_SWITCH;
   1039       BTM_SetDefaultLinkPolicy(bta_dm_cb.cur_policy);
   1040       break;
   1041   }
   1042 }
   1043 
   1044 /*******************************************************************************
   1045  *
   1046  * Function         bta_dm_confirm
   1047  *
   1048  * Description      Send the user confirm request reply in response to a
   1049  *                  request from BTM
   1050  *
   1051  * Returns          void
   1052  *
   1053  ******************************************************************************/
   1054 void bta_dm_confirm(tBTA_DM_MSG* p_data) {
   1055   tBTM_STATUS res = BTM_NOT_AUTHORIZED;
   1056 
   1057   if (p_data->confirm.accept == true) res = BTM_SUCCESS;
   1058   BTM_ConfirmReqReply(res, p_data->confirm.bd_addr);
   1059 }
   1060 
   1061 /*******************************************************************************
   1062  *
   1063  * Function         bta_dm_loc_oob
   1064  *
   1065  * Description      Retrieve the OOB data from the local LM
   1066  *
   1067  * Returns          void
   1068  *
   1069  ******************************************************************************/
   1070 void bta_dm_loc_oob(UNUSED_ATTR tBTA_DM_MSG* p_data) { BTM_ReadLocalOobData(); }
   1071 
   1072 /*******************************************************************************
   1073  *
   1074  * Function         bta_dm_ci_io_req_act
   1075  *
   1076  * Description      respond to the IO capabilities request from BTM
   1077  *
   1078  * Returns          void
   1079  *
   1080  ******************************************************************************/
   1081 void bta_dm_ci_io_req_act(tBTA_DM_MSG* p_data) {
   1082   tBTM_AUTH_REQ auth_req = BTM_AUTH_AP_NO;
   1083   if (p_data->ci_io_req.auth_req) auth_req = BTM_AUTH_AP_YES;
   1084   BTM_IoCapRsp(p_data->ci_io_req.bd_addr, p_data->ci_io_req.io_cap,
   1085                p_data->ci_io_req.oob_data, auth_req);
   1086 }
   1087 
   1088 /*******************************************************************************
   1089  *
   1090  * Function         bta_dm_ci_rmt_oob_act
   1091  *
   1092  * Description      respond to the OOB data request for the remote device from
   1093  *                  BTM
   1094  *
   1095  *
   1096  * Returns          void
   1097  *
   1098  ******************************************************************************/
   1099 void bta_dm_ci_rmt_oob_act(tBTA_DM_MSG* p_data) {
   1100   tBTM_STATUS res = BTM_NOT_AUTHORIZED;
   1101 
   1102   if (p_data->ci_rmt_oob.accept == true) res = BTM_SUCCESS;
   1103   BTM_RemoteOobDataReply(res, p_data->ci_rmt_oob.bd_addr, p_data->ci_rmt_oob.c,
   1104                          p_data->ci_rmt_oob.r);
   1105 }
   1106 
   1107 /*******************************************************************************
   1108  *
   1109  * Function         bta_dm_search_start
   1110  *
   1111  * Description      Starts an inquiry
   1112  *
   1113  *
   1114  * Returns          void
   1115  *
   1116  ******************************************************************************/
   1117 void bta_dm_search_start(tBTA_DM_MSG* p_data) {
   1118   tBTM_INQUIRY_CMPL result;
   1119 
   1120   size_t len = sizeof(tBT_UUID) * p_data->search.num_uuid;
   1121   bta_dm_gattc_register();
   1122 
   1123   APPL_TRACE_DEBUG("%s avoid_scatter=%d", __func__,
   1124                    p_bta_dm_cfg->avoid_scatter);
   1125 
   1126   if (p_bta_dm_cfg->avoid_scatter &&
   1127       (p_data->search.rs_res == BTA_DM_RS_NONE) &&
   1128       bta_dm_check_av(BTA_DM_API_SEARCH_EVT)) {
   1129     memcpy(&bta_dm_cb.search_msg, &p_data->search, sizeof(tBTA_DM_API_SEARCH));
   1130     return;
   1131   }
   1132 
   1133   BTM_ClearInqDb(NULL);
   1134   /* save search params */
   1135   bta_dm_search_cb.p_search_cback = p_data->search.p_cback;
   1136   bta_dm_search_cb.services = p_data->search.services;
   1137 
   1138   osi_free_and_reset((void**)&bta_dm_search_cb.p_srvc_uuid);
   1139 
   1140   if ((bta_dm_search_cb.num_uuid = p_data->search.num_uuid) != 0 &&
   1141       p_data->search.p_uuid != NULL) {
   1142     bta_dm_search_cb.p_srvc_uuid = (tBT_UUID*)osi_malloc(len);
   1143     memcpy(bta_dm_search_cb.p_srvc_uuid, p_data->search.p_uuid, len);
   1144   }
   1145   result.status = BTM_StartInquiry((tBTM_INQ_PARMS*)&p_data->search.inq_params,
   1146                                    bta_dm_inq_results_cb,
   1147                                    (tBTM_CMPL_CB*)bta_dm_inq_cmpl_cb);
   1148 
   1149   APPL_TRACE_EVENT("%s status=%d", __func__, result.status);
   1150   if (result.status != BTM_CMD_STARTED) {
   1151     result.num_resp = 0;
   1152     bta_dm_inq_cmpl_cb((void*)&result);
   1153   }
   1154 }
   1155 
   1156 /*******************************************************************************
   1157  *
   1158  * Function         bta_dm_search_cancel
   1159  *
   1160  * Description      Cancels an ongoing search for devices
   1161  *
   1162  *
   1163  * Returns          void
   1164  *
   1165  ******************************************************************************/
   1166 void bta_dm_search_cancel(UNUSED_ATTR tBTA_DM_MSG* p_data) {
   1167   tBTA_DM_MSG* p_msg;
   1168 
   1169   if (BTM_IsInquiryActive()) {
   1170     if (BTM_CancelInquiry() == BTM_SUCCESS) {
   1171       bta_dm_search_cancel_notify(NULL);
   1172       p_msg = (tBTA_DM_MSG*)osi_malloc(sizeof(tBTA_DM_MSG));
   1173       p_msg->hdr.event = BTA_DM_SEARCH_CMPL_EVT;
   1174       p_msg->hdr.layer_specific = BTA_DM_API_DISCOVER_EVT;
   1175       bta_sys_sendmsg(p_msg);
   1176     } else {
   1177       /* flag a search cancel is pending */
   1178       bta_dm_search_cb.cancel_pending = true;
   1179     }
   1180   }
   1181   /* If no Service Search going on then issue cancel remote name in case it is
   1182      active */
   1183   else if (!bta_dm_search_cb.name_discover_done) {
   1184     BTM_CancelRemoteDeviceName();
   1185 
   1186     p_msg = (tBTA_DM_MSG*)osi_malloc(sizeof(tBTA_DM_MSG));
   1187     p_msg->hdr.event = BTA_DM_SEARCH_CMPL_EVT;
   1188     p_msg->hdr.layer_specific = BTA_DM_API_DISCOVER_EVT;
   1189     bta_sys_sendmsg(p_msg);
   1190   } else {
   1191     p_msg = (tBTA_DM_MSG*)osi_malloc(sizeof(tBTA_DM_MSG));
   1192     p_msg->hdr.event = BTA_DM_INQUIRY_CMPL_EVT;
   1193     p_msg->hdr.layer_specific = BTA_DM_API_DISCOVER_EVT;
   1194     bta_sys_sendmsg(p_msg);
   1195   }
   1196 
   1197   if (bta_dm_search_cb.gatt_disc_active) {
   1198     bta_dm_cancel_gatt_discovery(bta_dm_search_cb.peer_bdaddr);
   1199   }
   1200 }
   1201 
   1202 /*******************************************************************************
   1203  *
   1204  * Function         bta_dm_discover
   1205  *
   1206  * Description      Discovers services on a remote device
   1207  *
   1208  *
   1209  * Returns          void
   1210  *
   1211  ******************************************************************************/
   1212 void bta_dm_discover(tBTA_DM_MSG* p_data) {
   1213   size_t len = sizeof(tBT_UUID) * p_data->discover.num_uuid;
   1214   APPL_TRACE_EVENT("%s services_to_search=0x%04X, sdp_search=%d", __func__,
   1215                    p_data->discover.services, p_data->discover.sdp_search);
   1216 
   1217   /* save the search condition */
   1218   bta_dm_search_cb.services = p_data->discover.services;
   1219 
   1220   bta_dm_gattc_register();
   1221   osi_free_and_reset((void**)&bta_dm_search_cb.p_srvc_uuid);
   1222   if ((bta_dm_search_cb.num_uuid = p_data->discover.num_uuid) != 0 &&
   1223       p_data->discover.p_uuid != NULL) {
   1224     bta_dm_search_cb.p_srvc_uuid = (tBT_UUID*)osi_malloc(len);
   1225     memcpy(bta_dm_search_cb.p_srvc_uuid, p_data->discover.p_uuid, len);
   1226   }
   1227   bta_dm_search_cb.uuid_to_search = bta_dm_search_cb.num_uuid;
   1228 
   1229   bta_dm_search_cb.p_search_cback = p_data->discover.p_cback;
   1230   bta_dm_search_cb.sdp_search = p_data->discover.sdp_search;
   1231   bta_dm_search_cb.services_to_search = bta_dm_search_cb.services;
   1232   bta_dm_search_cb.service_index = 0;
   1233   bta_dm_search_cb.services_found = 0;
   1234   bta_dm_search_cb.peer_name[0] = 0;
   1235   bta_dm_search_cb.sdp_search = p_data->discover.sdp_search;
   1236   bta_dm_search_cb.p_btm_inq_info = BTM_InqDbRead(p_data->discover.bd_addr);
   1237   bta_dm_search_cb.transport = p_data->discover.transport;
   1238 
   1239   bta_dm_search_cb.name_discover_done = false;
   1240   memcpy(&bta_dm_search_cb.uuid, &p_data->discover.uuid, sizeof(tSDP_UUID));
   1241   bta_dm_discover_device(p_data->discover.bd_addr);
   1242 }
   1243 
   1244 /*******************************************************************************
   1245  *
   1246  * Function         bta_dm_di_disc_cmpl
   1247  *
   1248  * Description      Sends event to application when DI discovery complete
   1249  *
   1250  * Returns          void
   1251  *
   1252  ******************************************************************************/
   1253 void bta_dm_di_disc_cmpl(tBTA_DM_MSG* p_data) {
   1254   tBTA_DM_DI_DISC_CMPL di_disc;
   1255 
   1256   memset(&di_disc, 0, sizeof(tBTA_DM_DI_DISC_CMPL));
   1257   bdcpy(di_disc.bd_addr, bta_dm_search_cb.peer_bdaddr);
   1258 
   1259   if ((p_data->hdr.offset == SDP_SUCCESS) ||
   1260       (p_data->hdr.offset == SDP_DB_FULL)) {
   1261     di_disc.num_record = SDP_GetNumDiRecords(bta_dm_di_cb.p_di_db);
   1262   } else
   1263     di_disc.result = BTA_FAILURE;
   1264 
   1265   bta_dm_di_cb.p_di_db = NULL;
   1266   bta_dm_search_cb.p_search_cback(BTA_DM_DI_DISC_CMPL_EVT,
   1267                                   (tBTA_DM_SEARCH*)&di_disc);
   1268 }
   1269 
   1270 /*******************************************************************************
   1271  *
   1272  * Function         bta_dm_di_disc_callback
   1273  *
   1274  * Description      This function queries a remote device for DI information.
   1275  *
   1276  *
   1277  * Returns          void
   1278  *
   1279  ******************************************************************************/
   1280 static void bta_dm_di_disc_callback(uint16_t result) {
   1281   tBTA_DM_MSG* p_msg = (tBTA_DM_MSG*)osi_malloc(sizeof(tBTA_DM_MSG));
   1282 
   1283   p_msg->hdr.event = BTA_DM_SEARCH_CMPL_EVT;
   1284   p_msg->hdr.layer_specific = BTA_DM_API_DI_DISCOVER_EVT;
   1285   p_msg->hdr.offset = result;
   1286 
   1287   bta_sys_sendmsg(p_msg);
   1288 }
   1289 
   1290 /*******************************************************************************
   1291  *
   1292  * Function         bta_dm_disable_search_and_disc
   1293  *
   1294  * Description      Cancels an ongoing search or discovery for devices in case
   1295  *                  of a Bluetooth disable
   1296  *
   1297  *
   1298  * Returns          void
   1299  *
   1300  ******************************************************************************/
   1301 static void bta_dm_disable_search_and_disc(void) {
   1302   tBTA_DM_DI_DISC_CMPL di_disc;
   1303 
   1304   if (bta_dm_search_cb.state != BTA_DM_SEARCH_IDLE) bta_dm_search_cancel(NULL);
   1305 
   1306   if (bta_dm_di_cb.p_di_db != NULL) {
   1307     memset(&di_disc, 0, sizeof(tBTA_DM_DI_DISC_CMPL));
   1308     bdcpy(di_disc.bd_addr, bta_dm_search_cb.peer_bdaddr);
   1309     di_disc.result = BTA_FAILURE;
   1310 
   1311     bta_dm_di_cb.p_di_db = NULL;
   1312     bta_dm_search_cb.p_search_cback(BTA_DM_DI_DISC_CMPL_EVT, NULL);
   1313   }
   1314 }
   1315 
   1316 /*******************************************************************************
   1317  *
   1318  * Function         bta_dm_di_disc
   1319  *
   1320  * Description      This function queries a remote device for DI information.
   1321  *
   1322  *
   1323  * Returns          void
   1324  *
   1325  ******************************************************************************/
   1326 void bta_dm_di_disc(tBTA_DM_MSG* p_data) {
   1327   uint16_t result = BTA_FAILURE;
   1328 
   1329   bta_dm_search_cb.p_search_cback = p_data->di_disc.p_cback;
   1330   bdcpy(bta_dm_search_cb.peer_bdaddr, p_data->di_disc.bd_addr);
   1331   bta_dm_di_cb.p_di_db = p_data->di_disc.p_sdp_db;
   1332 
   1333   bta_dm_search_cb.p_sdp_db =
   1334       (tSDP_DISCOVERY_DB*)osi_malloc(BTA_DM_SDP_DB_SIZE);
   1335   if (SDP_DiDiscover(bta_dm_search_cb.peer_bdaddr, p_data->di_disc.p_sdp_db,
   1336                      p_data->di_disc.len,
   1337                      bta_dm_di_disc_callback) == SDP_SUCCESS) {
   1338     result = BTA_SUCCESS;
   1339   }
   1340 
   1341   if (result == BTA_FAILURE) {
   1342     tBTA_DM_MSG* p_msg = (tBTA_DM_MSG*)osi_malloc(sizeof(tBTA_DM_MSG));
   1343 
   1344     p_msg->hdr.event = BTA_DM_SEARCH_CMPL_EVT;
   1345     p_msg->hdr.layer_specific = BTA_DM_API_DI_DISCOVER_EVT;
   1346     p_data->hdr.offset = result;
   1347     bta_sys_sendmsg(p_msg);
   1348   }
   1349 }
   1350 
   1351 /*******************************************************************************
   1352  *
   1353  * Function         bta_dm_read_remote_device_name
   1354  *
   1355  * Description      Initiate to get remote device name
   1356  *
   1357  * Returns          true if started to get remote name
   1358  *
   1359  ******************************************************************************/
   1360 static bool bta_dm_read_remote_device_name(BD_ADDR bd_addr,
   1361                                            tBT_TRANSPORT transport) {
   1362   tBTM_STATUS btm_status;
   1363 
   1364   APPL_TRACE_DEBUG("bta_dm_read_remote_device_name");
   1365 
   1366   bdcpy(bta_dm_search_cb.peer_bdaddr, bd_addr);
   1367   bta_dm_search_cb.peer_name[0] = 0;
   1368 
   1369   btm_status =
   1370       BTM_ReadRemoteDeviceName(bta_dm_search_cb.peer_bdaddr,
   1371                                (tBTM_CMPL_CB*)bta_dm_remname_cback, transport);
   1372 
   1373   if (btm_status == BTM_CMD_STARTED) {
   1374     APPL_TRACE_DEBUG(
   1375         "bta_dm_read_remote_device_name: BTM_ReadRemoteDeviceName is started");
   1376 
   1377     return (true);
   1378   } else if (btm_status == BTM_BUSY) {
   1379     APPL_TRACE_DEBUG(
   1380         "bta_dm_read_remote_device_name: BTM_ReadRemoteDeviceName is busy");
   1381 
   1382     /* Remote name discovery is on going now so BTM cannot notify through
   1383      * "bta_dm_remname_cback" */
   1384     /* adding callback to get notified that current reading remore name done */
   1385     BTM_SecAddRmtNameNotifyCallback(&bta_dm_service_search_remname_cback);
   1386 
   1387     return (true);
   1388   } else {
   1389     APPL_TRACE_WARNING(
   1390         "bta_dm_read_remote_device_name: BTM_ReadRemoteDeviceName returns "
   1391         "0x%02X",
   1392         btm_status);
   1393 
   1394     return (false);
   1395   }
   1396 }
   1397 
   1398 /*******************************************************************************
   1399  *
   1400  * Function         bta_dm_inq_cmpl
   1401  *
   1402  * Description      Process the inquiry complete event from BTM
   1403  *
   1404  * Returns          void
   1405  *
   1406  ******************************************************************************/
   1407 void bta_dm_inq_cmpl(tBTA_DM_MSG* p_data) {
   1408   tBTA_DM_SEARCH data;
   1409 
   1410   APPL_TRACE_DEBUG("bta_dm_inq_cmpl");
   1411 
   1412   data.inq_cmpl.num_resps = p_data->inq_cmpl.num;
   1413   bta_dm_search_cb.p_search_cback(BTA_DM_INQ_CMPL_EVT, &data);
   1414 
   1415   bta_dm_search_cb.p_btm_inq_info = BTM_InqDbFirst();
   1416   if (bta_dm_search_cb.p_btm_inq_info != NULL) {
   1417     /* start name and service discovery from the first device on inquiry result
   1418      */
   1419     bta_dm_search_cb.name_discover_done = false;
   1420     bta_dm_search_cb.peer_name[0] = 0;
   1421     bta_dm_discover_device(
   1422         bta_dm_search_cb.p_btm_inq_info->results.remote_bd_addr);
   1423   } else {
   1424     tBTA_DM_MSG* p_msg = (tBTA_DM_MSG*)osi_malloc(sizeof(tBTA_DM_MSG));
   1425 
   1426     /* no devices, search complete */
   1427     bta_dm_search_cb.services = 0;
   1428 
   1429     p_msg->hdr.event = BTA_DM_SEARCH_CMPL_EVT;
   1430     p_msg->hdr.layer_specific = BTA_DM_API_DISCOVER_EVT;
   1431     bta_sys_sendmsg(p_msg);
   1432   }
   1433 }
   1434 
   1435 /*******************************************************************************
   1436  *
   1437  * Function         bta_dm_rmt_name
   1438  *
   1439  * Description      Process the remote name result from BTM
   1440  *
   1441  * Returns          void
   1442  *
   1443  ******************************************************************************/
   1444 void bta_dm_rmt_name(tBTA_DM_MSG* p_data) {
   1445   APPL_TRACE_DEBUG("bta_dm_rmt_name");
   1446 
   1447   if (p_data->rem_name.result.disc_res.bd_name[0] &&
   1448       bta_dm_search_cb.p_btm_inq_info) {
   1449     bta_dm_search_cb.p_btm_inq_info->appl_knows_rem_name = true;
   1450   }
   1451 
   1452   bta_dm_discover_device(bta_dm_search_cb.peer_bdaddr);
   1453 }
   1454 
   1455 /*******************************************************************************
   1456  *
   1457  * Function         bta_dm_disc_rmt_name
   1458  *
   1459  * Description      Process the remote name result from BTM when application
   1460  *                  wants to find the name for a bdaddr
   1461  *
   1462  * Returns          void
   1463  *
   1464  ******************************************************************************/
   1465 void bta_dm_disc_rmt_name(tBTA_DM_MSG* p_data) {
   1466   tBTM_INQ_INFO* p_btm_inq_info;
   1467 
   1468   APPL_TRACE_DEBUG("bta_dm_disc_rmt_name");
   1469 
   1470   p_btm_inq_info = BTM_InqDbRead(p_data->rem_name.result.disc_res.bd_addr);
   1471   if (p_btm_inq_info) {
   1472     if (p_data->rem_name.result.disc_res.bd_name[0]) {
   1473       p_btm_inq_info->appl_knows_rem_name = true;
   1474     }
   1475   }
   1476 
   1477   bta_dm_discover_device(p_data->rem_name.result.disc_res.bd_addr);
   1478 }
   1479 
   1480 /*******************************************************************************
   1481  *
   1482  * Function         bta_dm_sdp_result
   1483  *
   1484  * Description      Process the discovery result from sdp
   1485  *
   1486  * Returns          void
   1487  *
   1488  ******************************************************************************/
   1489 void bta_dm_sdp_result(tBTA_DM_MSG* p_data) {
   1490   tSDP_DISC_REC* p_sdp_rec = NULL;
   1491   tBTA_DM_MSG* p_msg;
   1492   bool scn_found = false;
   1493   uint16_t service = 0xFFFF;
   1494   tSDP_PROTOCOL_ELEM pe;
   1495 
   1496   tBT_UUID* p_uuid = bta_dm_search_cb.p_srvc_uuid;
   1497   tBTA_DM_SEARCH result;
   1498   tBT_UUID service_uuid;
   1499 
   1500   uint32_t num_uuids = 0;
   1501   uint8_t uuid_list[32][MAX_UUID_SIZE];  // assuming a max of 32 services
   1502 
   1503   if ((p_data->sdp_event.sdp_result == SDP_SUCCESS) ||
   1504       (p_data->sdp_event.sdp_result == SDP_NO_RECS_MATCH) ||
   1505       (p_data->sdp_event.sdp_result == SDP_DB_FULL)) {
   1506     APPL_TRACE_DEBUG("sdp_result::0x%x", p_data->sdp_event.sdp_result);
   1507     do {
   1508       p_sdp_rec = NULL;
   1509       if (bta_dm_search_cb.service_index == (BTA_USER_SERVICE_ID + 1)) {
   1510         p_sdp_rec = SDP_FindServiceUUIDInDb(bta_dm_search_cb.p_sdp_db,
   1511                                             &bta_dm_search_cb.uuid, p_sdp_rec);
   1512 
   1513         if (p_sdp_rec && SDP_FindProtocolListElemInRec(
   1514                              p_sdp_rec, UUID_PROTOCOL_RFCOMM, &pe)) {
   1515           bta_dm_search_cb.peer_scn = (uint8_t)pe.params[0];
   1516           scn_found = true;
   1517         }
   1518       } else {
   1519         service =
   1520             bta_service_id_to_uuid_lkup_tbl[bta_dm_search_cb.service_index - 1];
   1521         p_sdp_rec =
   1522             SDP_FindServiceInDb(bta_dm_search_cb.p_sdp_db, service, p_sdp_rec);
   1523       }
   1524       /* finished with BR/EDR services, now we check the result for GATT based
   1525        * service UUID */
   1526       if (bta_dm_search_cb.service_index == BTA_MAX_SERVICE_ID) {
   1527         if (bta_dm_search_cb.uuid_to_search != 0 && p_uuid != NULL) {
   1528           p_uuid +=
   1529               (bta_dm_search_cb.num_uuid - bta_dm_search_cb.uuid_to_search);
   1530           /* only support 16 bits UUID for now */
   1531           service = p_uuid->uu.uuid16;
   1532         }
   1533         /* all GATT based services */
   1534         do {
   1535           /* find a service record, report it */
   1536           p_sdp_rec =
   1537               SDP_FindServiceInDb(bta_dm_search_cb.p_sdp_db, 0, p_sdp_rec);
   1538           if (p_sdp_rec) {
   1539             if (SDP_FindServiceUUIDInRec(p_sdp_rec, &service_uuid)) {
   1540               /* send result back to app now, one by one */
   1541               bdcpy(result.disc_ble_res.bd_addr, bta_dm_search_cb.peer_bdaddr);
   1542               strlcpy((char*)result.disc_ble_res.bd_name, bta_dm_get_remname(),
   1543                       BD_NAME_LEN);
   1544               result.disc_ble_res.service.len = service_uuid.len;
   1545               result.disc_ble_res.service.uu.uuid16 = service_uuid.uu.uuid16;
   1546 
   1547               bta_dm_search_cb.p_search_cback(BTA_DM_DISC_BLE_RES_EVT, &result);
   1548             }
   1549           }
   1550 
   1551           if (bta_dm_search_cb.uuid_to_search > 0) break;
   1552 
   1553         } while (p_sdp_rec);
   1554       } else {
   1555         /* SDP_DB_FULL means some records with the
   1556            required attributes were received */
   1557         if (((p_data->sdp_event.sdp_result == SDP_DB_FULL) &&
   1558              bta_dm_search_cb.services != BTA_ALL_SERVICE_MASK) ||
   1559             (p_sdp_rec != NULL)) {
   1560           if (service != UUID_SERVCLASS_PNP_INFORMATION) {
   1561             uint16_t tmp_svc = 0xFFFF;
   1562             bta_dm_search_cb.services_found |=
   1563                 (tBTA_SERVICE_MASK)(BTA_SERVICE_ID_TO_SERVICE_MASK(
   1564                     bta_dm_search_cb.service_index - 1));
   1565             tmp_svc =
   1566                 bta_service_id_to_uuid_lkup_tbl[bta_dm_search_cb.service_index -
   1567                                                 1];
   1568             /* Add to the list of UUIDs */
   1569             sdpu_uuid16_to_uuid128(tmp_svc, uuid_list[num_uuids]);
   1570             num_uuids++;
   1571           }
   1572         }
   1573       }
   1574 
   1575       if (bta_dm_search_cb.services == BTA_ALL_SERVICE_MASK &&
   1576           bta_dm_search_cb.services_to_search == 0) {
   1577         if (bta_dm_search_cb.service_index == BTA_BLE_SERVICE_ID &&
   1578             bta_dm_search_cb.uuid_to_search > 0)
   1579           bta_dm_search_cb.uuid_to_search--;
   1580 
   1581         if (bta_dm_search_cb.uuid_to_search == 0 ||
   1582             bta_dm_search_cb.service_index != BTA_BLE_SERVICE_ID)
   1583           bta_dm_search_cb.service_index++;
   1584       } else /* regular one service per search or PNP search */
   1585         break;
   1586 
   1587     } while (bta_dm_search_cb.service_index <= BTA_MAX_SERVICE_ID);
   1588 
   1589     APPL_TRACE_DEBUG("%s services_found = %04x", __func__,
   1590                      bta_dm_search_cb.services_found);
   1591 
   1592     /* Collect the 128-bit services here and put them into the list */
   1593     if (bta_dm_search_cb.services == BTA_ALL_SERVICE_MASK) {
   1594       p_sdp_rec = NULL;
   1595       do {
   1596         tBT_UUID temp_uuid;
   1597         /* find a service record, report it */
   1598         p_sdp_rec =
   1599             SDP_FindServiceInDb_128bit(bta_dm_search_cb.p_sdp_db, p_sdp_rec);
   1600         if (p_sdp_rec) {
   1601           if (SDP_FindServiceUUIDInRec_128bit(p_sdp_rec, &temp_uuid)) {
   1602             memcpy(uuid_list[num_uuids], temp_uuid.uu.uuid128, MAX_UUID_SIZE);
   1603             num_uuids++;
   1604           }
   1605         }
   1606       } while (p_sdp_rec);
   1607     }
   1608     /* if there are more services to search for */
   1609     if (bta_dm_search_cb.services_to_search) {
   1610       /* Free up the p_sdp_db before checking the next one */
   1611       bta_dm_free_sdp_db(NULL);
   1612       bta_dm_find_services(bta_dm_search_cb.peer_bdaddr);
   1613     } else {
   1614       /* callbacks */
   1615       /* start next bd_addr if necessary */
   1616 
   1617       BTM_SecDeleteRmtNameNotifyCallback(&bta_dm_service_search_remname_cback);
   1618 
   1619       p_msg = (tBTA_DM_MSG*)osi_malloc(sizeof(tBTA_DM_MSG));
   1620       p_msg->hdr.event = BTA_DM_DISCOVERY_RESULT_EVT;
   1621       p_msg->disc_result.result.disc_res.result = BTA_SUCCESS;
   1622       p_msg->disc_result.result.disc_res.p_raw_data = NULL;
   1623       p_msg->disc_result.result.disc_res.raw_data_size = 0;
   1624       p_msg->disc_result.result.disc_res.num_uuids = num_uuids;
   1625       p_msg->disc_result.result.disc_res.p_uuid_list = NULL;
   1626       if (num_uuids > 0) {
   1627         p_msg->disc_result.result.disc_res.p_uuid_list =
   1628             (uint8_t*)osi_malloc(num_uuids * MAX_UUID_SIZE);
   1629         memcpy(p_msg->disc_result.result.disc_res.p_uuid_list, uuid_list,
   1630                num_uuids * MAX_UUID_SIZE);
   1631       }
   1632       // Copy the raw_data to the discovery result structure
   1633       if (bta_dm_search_cb.p_sdp_db != NULL &&
   1634           bta_dm_search_cb.p_sdp_db->raw_used != 0 &&
   1635           bta_dm_search_cb.p_sdp_db->raw_data != NULL) {
   1636         APPL_TRACE_DEBUG("%s raw_data used = 0x%x raw_data_ptr = 0x%x",
   1637                          __func__, bta_dm_search_cb.p_sdp_db->raw_used,
   1638                          bta_dm_search_cb.p_sdp_db->raw_data);
   1639 
   1640         p_msg->disc_result.result.disc_res.p_raw_data =
   1641             (uint8_t*)osi_malloc(bta_dm_search_cb.p_sdp_db->raw_used);
   1642         memcpy(p_msg->disc_result.result.disc_res.p_raw_data,
   1643                bta_dm_search_cb.p_sdp_db->raw_data,
   1644                bta_dm_search_cb.p_sdp_db->raw_used);
   1645 
   1646         p_msg->disc_result.result.disc_res.raw_data_size =
   1647             bta_dm_search_cb.p_sdp_db->raw_used;
   1648 
   1649         bta_dm_search_cb.p_sdp_db->raw_data =
   1650             NULL;  // no need to free this - it is a global assigned.
   1651         bta_dm_search_cb.p_sdp_db->raw_used = 0;
   1652         bta_dm_search_cb.p_sdp_db->raw_size = 0;
   1653       } else {
   1654         APPL_TRACE_DEBUG("%s raw data size is 0 or raw_data is null!!",
   1655                          __func__);
   1656       }
   1657       /* Done with p_sdp_db. Free it */
   1658       bta_dm_free_sdp_db(NULL);
   1659       p_msg->disc_result.result.disc_res.services =
   1660           bta_dm_search_cb.services_found;
   1661 
   1662       // Piggy back the SCN over result field
   1663       if (scn_found) {
   1664         p_msg->disc_result.result.disc_res.result =
   1665             (3 + bta_dm_search_cb.peer_scn);
   1666         p_msg->disc_result.result.disc_res.services |= BTA_USER_SERVICE_MASK;
   1667 
   1668         APPL_TRACE_EVENT(" Piggy back the SCN over result field  SCN=%d",
   1669                          bta_dm_search_cb.peer_scn);
   1670       }
   1671       bdcpy(p_msg->disc_result.result.disc_res.bd_addr,
   1672             bta_dm_search_cb.peer_bdaddr);
   1673       strlcpy((char*)p_msg->disc_result.result.disc_res.bd_name,
   1674               bta_dm_get_remname(), BD_NAME_LEN);
   1675 
   1676       bta_sys_sendmsg(p_msg);
   1677     }
   1678   } else {
   1679     /* conn failed. No need for timer */
   1680     if (p_data->sdp_event.sdp_result == SDP_CONN_FAILED ||
   1681         p_data->sdp_event.sdp_result == SDP_CONN_REJECTED ||
   1682         p_data->sdp_event.sdp_result == SDP_SECURITY_ERR)
   1683       bta_dm_search_cb.wait_disc = false;
   1684 
   1685     /* not able to connect go to next device */
   1686     if (bta_dm_search_cb.p_sdp_db)
   1687       osi_free_and_reset((void**)&bta_dm_search_cb.p_sdp_db);
   1688 
   1689     BTM_SecDeleteRmtNameNotifyCallback(&bta_dm_service_search_remname_cback);
   1690 
   1691     p_msg = (tBTA_DM_MSG*)osi_malloc(sizeof(tBTA_DM_MSG));
   1692     p_msg->hdr.event = BTA_DM_DISCOVERY_RESULT_EVT;
   1693     p_msg->disc_result.result.disc_res.result = BTA_FAILURE;
   1694     p_msg->disc_result.result.disc_res.services =
   1695         bta_dm_search_cb.services_found;
   1696     bdcpy(p_msg->disc_result.result.disc_res.bd_addr,
   1697           bta_dm_search_cb.peer_bdaddr);
   1698     strlcpy((char*)p_msg->disc_result.result.disc_res.bd_name,
   1699             bta_dm_get_remname(), BD_NAME_LEN);
   1700 
   1701     bta_sys_sendmsg(p_msg);
   1702   }
   1703 }
   1704 
   1705 /*******************************************************************************
   1706  *
   1707  * Function         bta_dm_search_cmpl
   1708  *
   1709  * Description      Sends event to application
   1710  *
   1711  * Returns          void
   1712  *
   1713  ******************************************************************************/
   1714 void bta_dm_search_cmpl(tBTA_DM_MSG* p_data) {
   1715   APPL_TRACE_EVENT("%s", __func__);
   1716 
   1717   osi_free_and_reset((void**)&bta_dm_search_cb.p_srvc_uuid);
   1718 
   1719   if (p_data->hdr.layer_specific == BTA_DM_API_DI_DISCOVER_EVT)
   1720     bta_dm_di_disc_cmpl(p_data);
   1721   else
   1722     bta_dm_search_cb.p_search_cback(BTA_DM_DISC_CMPL_EVT, NULL);
   1723 }
   1724 
   1725 /*******************************************************************************
   1726  *
   1727  * Function         bta_dm_disc_result
   1728  *
   1729  * Description      Service discovery result when discovering services on a
   1730  *                  device
   1731  *
   1732  * Returns          void
   1733  *
   1734  ******************************************************************************/
   1735 void bta_dm_disc_result(tBTA_DM_MSG* p_data) {
   1736   APPL_TRACE_EVENT("%s", __func__);
   1737 
   1738   /* if any BR/EDR service discovery has been done, report the event */
   1739   if ((bta_dm_search_cb.services &
   1740        ((BTA_ALL_SERVICE_MASK | BTA_USER_SERVICE_MASK) &
   1741         ~BTA_BLE_SERVICE_MASK)))
   1742     bta_dm_search_cb.p_search_cback(BTA_DM_DISC_RES_EVT,
   1743                                     &p_data->disc_result.result);
   1744 
   1745   tBTA_DM_MSG* p_msg = (tBTA_DM_MSG*)osi_malloc(sizeof(tBTA_DM_MSG));
   1746 
   1747   /* send a message to change state */
   1748   p_msg->hdr.event = BTA_DM_SEARCH_CMPL_EVT;
   1749   p_msg->hdr.layer_specific = BTA_DM_API_DISCOVER_EVT;
   1750   bta_sys_sendmsg(p_msg);
   1751 }
   1752 
   1753 /*******************************************************************************
   1754  *
   1755  * Function         bta_dm_search_result
   1756  *
   1757  * Description      Service discovery result while searching for devices
   1758  *
   1759  * Returns          void
   1760  *
   1761  ******************************************************************************/
   1762 void bta_dm_search_result(tBTA_DM_MSG* p_data) {
   1763   APPL_TRACE_DEBUG("%s searching:0x%04x, result:0x%04x", __func__,
   1764                    bta_dm_search_cb.services,
   1765                    p_data->disc_result.result.disc_res.services);
   1766 
   1767   /* call back if application wants name discovery or found services that
   1768    * application is searching */
   1769   if ((!bta_dm_search_cb.services) ||
   1770       ((bta_dm_search_cb.services) &&
   1771        (p_data->disc_result.result.disc_res.services))) {
   1772     bta_dm_search_cb.p_search_cback(BTA_DM_DISC_RES_EVT,
   1773                                     &p_data->disc_result.result);
   1774   }
   1775 
   1776   /* if searching did not initiate to create link */
   1777   if (!bta_dm_search_cb.wait_disc) {
   1778     /* if service searching is done with EIR, don't search next device */
   1779     if (bta_dm_search_cb.p_btm_inq_info) bta_dm_discover_next_device();
   1780   } else {
   1781     /* wait until link is disconnected or timeout */
   1782     bta_dm_search_cb.sdp_results = true;
   1783     alarm_set_on_queue(bta_dm_search_cb.search_timer,
   1784                        1000 * (L2CAP_LINK_INACTIVITY_TOUT + 1),
   1785                        bta_dm_search_timer_cback, NULL, btu_bta_alarm_queue);
   1786   }
   1787 }
   1788 
   1789 /*******************************************************************************
   1790  *
   1791  * Function         bta_dm_search_timer_cback
   1792  *
   1793  * Description      Called when ACL disconnect time is over
   1794  *
   1795  *
   1796  * Returns          void
   1797  *
   1798  ******************************************************************************/
   1799 static void bta_dm_search_timer_cback(UNUSED_ATTR void* data) {
   1800   APPL_TRACE_EVENT("%s", __func__);
   1801   bta_dm_search_cb.wait_disc = false;
   1802 
   1803   /* proceed with next device */
   1804   bta_dm_discover_next_device();
   1805 }
   1806 
   1807 /*******************************************************************************
   1808  *
   1809  * Function         bta_dm_free_sdp_db
   1810  *
   1811  * Description      Frees SDP data base
   1812  *
   1813  * Returns          void
   1814  *
   1815  ******************************************************************************/
   1816 void bta_dm_free_sdp_db(UNUSED_ATTR tBTA_DM_MSG* p_data) {
   1817   osi_free_and_reset((void**)&bta_dm_search_cb.p_sdp_db);
   1818 }
   1819 
   1820 /*******************************************************************************
   1821  *
   1822  * Function         bta_dm_queue_search
   1823  *
   1824  * Description      Queues search command while search is being cancelled
   1825  *
   1826  * Returns          void
   1827  *
   1828  ******************************************************************************/
   1829 void bta_dm_queue_search(tBTA_DM_MSG* p_data) {
   1830   osi_free(bta_dm_search_cb.p_search_queue);
   1831   bta_dm_search_cb.p_search_queue =
   1832       (tBTA_DM_MSG*)osi_malloc(sizeof(tBTA_DM_API_SEARCH));
   1833   memcpy(bta_dm_search_cb.p_search_queue, p_data, sizeof(tBTA_DM_API_SEARCH));
   1834 }
   1835 
   1836 /*******************************************************************************
   1837  *
   1838  * Function         bta_dm_queue_disc
   1839  *
   1840  * Description      Queues discovery command while search is being cancelled
   1841  *
   1842  * Returns          void
   1843  *
   1844  ******************************************************************************/
   1845 void bta_dm_queue_disc(tBTA_DM_MSG* p_data) {
   1846   osi_free(bta_dm_search_cb.p_search_queue);
   1847   bta_dm_search_cb.p_search_queue =
   1848       (tBTA_DM_MSG*)osi_malloc(sizeof(tBTA_DM_API_DISCOVER));
   1849   memcpy(bta_dm_search_cb.p_search_queue, p_data, sizeof(tBTA_DM_API_DISCOVER));
   1850 }
   1851 
   1852 /*******************************************************************************
   1853  *
   1854  * Function         bta_dm_search_clear_queue
   1855  *
   1856  * Description      Clears the queue if API search cancel is called
   1857  *
   1858  * Returns          void
   1859  *
   1860  ******************************************************************************/
   1861 void bta_dm_search_clear_queue(UNUSED_ATTR tBTA_DM_MSG* p_data) {
   1862   osi_free_and_reset((void**)&bta_dm_search_cb.p_search_queue);
   1863 }
   1864 
   1865 /*******************************************************************************
   1866  *
   1867  * Function         bta_dm_search_cancel_cmpl
   1868  *
   1869  * Description      Search cancel is complete
   1870  *
   1871  * Returns          void
   1872  *
   1873  ******************************************************************************/
   1874 void bta_dm_search_cancel_cmpl(UNUSED_ATTR tBTA_DM_MSG* p_data) {
   1875   if (bta_dm_search_cb.p_search_queue) {
   1876     bta_sys_sendmsg(bta_dm_search_cb.p_search_queue);
   1877     bta_dm_search_cb.p_search_queue = NULL;
   1878   }
   1879 }
   1880 
   1881 /*******************************************************************************
   1882  *
   1883  * Function         bta_dm_search_cancel_transac_cmpl
   1884  *
   1885  * Description      Current Service Discovery or remote name procedure is
   1886  *                  completed after search cancellation
   1887  *
   1888  * Returns          void
   1889  *
   1890  ******************************************************************************/
   1891 void bta_dm_search_cancel_transac_cmpl(UNUSED_ATTR tBTA_DM_MSG* p_data) {
   1892   osi_free_and_reset((void**)&bta_dm_search_cb.p_sdp_db);
   1893   bta_dm_search_cancel_notify(NULL);
   1894 }
   1895 
   1896 /*******************************************************************************
   1897  *
   1898  * Function         bta_dm_search_cancel_notify
   1899  *
   1900  * Description      Notify application that search has been cancelled
   1901  *
   1902  * Returns          void
   1903  *
   1904  ******************************************************************************/
   1905 void bta_dm_search_cancel_notify(UNUSED_ATTR tBTA_DM_MSG* p_data) {
   1906   if (bta_dm_search_cb.p_search_cback) {
   1907     bta_dm_search_cb.p_search_cback(BTA_DM_SEARCH_CANCEL_CMPL_EVT, NULL);
   1908   }
   1909   if (!bta_dm_search_cb.name_discover_done) {
   1910     BTM_CancelRemoteDeviceName();
   1911   }
   1912   if (bta_dm_search_cb.gatt_disc_active) {
   1913     bta_dm_cancel_gatt_discovery(bta_dm_search_cb.peer_bdaddr);
   1914   }
   1915 }
   1916 
   1917 /*******************************************************************************
   1918  *
   1919  * Function         bta_dm_find_services
   1920  *
   1921  * Description      Starts discovery on a device
   1922  *
   1923  * Returns          void
   1924  *
   1925  ******************************************************************************/
   1926 static void bta_dm_find_services(BD_ADDR bd_addr) {
   1927   tSDP_UUID uuid;
   1928 
   1929   memset(&uuid, 0, sizeof(tSDP_UUID));
   1930 
   1931   while (bta_dm_search_cb.service_index < BTA_MAX_SERVICE_ID) {
   1932     if (bta_dm_search_cb.services_to_search &
   1933         (tBTA_SERVICE_MASK)(
   1934             BTA_SERVICE_ID_TO_SERVICE_MASK(bta_dm_search_cb.service_index))) {
   1935       bta_dm_search_cb.p_sdp_db =
   1936           (tSDP_DISCOVERY_DB*)osi_malloc(BTA_DM_SDP_DB_SIZE);
   1937       APPL_TRACE_DEBUG("bta_dm_search_cb.services = %04x***********",
   1938                        bta_dm_search_cb.services);
   1939       /* try to search all services by search based on L2CAP UUID */
   1940       if (bta_dm_search_cb.services == BTA_ALL_SERVICE_MASK) {
   1941         LOG_INFO(LOG_TAG, "%s services_to_search=%08x", __func__,
   1942                  bta_dm_search_cb.services_to_search);
   1943         if (bta_dm_search_cb.services_to_search & BTA_RES_SERVICE_MASK) {
   1944           uuid.uu.uuid16 = bta_service_id_to_uuid_lkup_tbl[0];
   1945           bta_dm_search_cb.services_to_search &= ~BTA_RES_SERVICE_MASK;
   1946         } else {
   1947           uuid.uu.uuid16 = UUID_PROTOCOL_L2CAP;
   1948           bta_dm_search_cb.services_to_search = 0;
   1949         }
   1950       } else {
   1951         /* for LE only profile */
   1952         if (bta_dm_search_cb.service_index == BTA_BLE_SERVICE_ID) {
   1953           if (bta_dm_search_cb.uuid_to_search > 0 &&
   1954               bta_dm_search_cb.p_srvc_uuid) {
   1955             memcpy(&uuid, (const void*)(bta_dm_search_cb.p_srvc_uuid +
   1956                                         bta_dm_search_cb.num_uuid -
   1957                                         bta_dm_search_cb.uuid_to_search),
   1958                    sizeof(tBT_UUID));
   1959 
   1960             bta_dm_search_cb.uuid_to_search--;
   1961           } else {
   1962             uuid.uu.uuid16 =
   1963                 bta_service_id_to_uuid_lkup_tbl[bta_dm_search_cb.service_index];
   1964           }
   1965 
   1966           /* last one? clear the BLE service bit if all discovery has been done
   1967            */
   1968           if (bta_dm_search_cb.uuid_to_search == 0)
   1969             bta_dm_search_cb.services_to_search &=
   1970                 (tBTA_SERVICE_MASK)(~(BTA_SERVICE_ID_TO_SERVICE_MASK(
   1971                     bta_dm_search_cb.service_index)));
   1972 
   1973         } else {
   1974           /* remove the service from services to be searched  */
   1975           bta_dm_search_cb.services_to_search &= (tBTA_SERVICE_MASK)(~(
   1976               BTA_SERVICE_ID_TO_SERVICE_MASK(bta_dm_search_cb.service_index)));
   1977           uuid.uu.uuid16 =
   1978               bta_service_id_to_uuid_lkup_tbl[bta_dm_search_cb.service_index];
   1979         }
   1980       }
   1981 
   1982       if (uuid.len == 0) uuid.len = LEN_UUID_16;
   1983 
   1984       if (bta_dm_search_cb.service_index == BTA_USER_SERVICE_ID) {
   1985         memcpy(&uuid, &bta_dm_search_cb.uuid, sizeof(tSDP_UUID));
   1986       }
   1987 
   1988       LOG_INFO(LOG_TAG, "%s search UUID = %04x", __func__, uuid.uu.uuid16);
   1989       SDP_InitDiscoveryDb(bta_dm_search_cb.p_sdp_db, BTA_DM_SDP_DB_SIZE, 1,
   1990                           &uuid, 0, NULL);
   1991 
   1992       memset(g_disc_raw_data_buf, 0, sizeof(g_disc_raw_data_buf));
   1993       bta_dm_search_cb.p_sdp_db->raw_data = g_disc_raw_data_buf;
   1994 
   1995       bta_dm_search_cb.p_sdp_db->raw_size = MAX_DISC_RAW_DATA_BUF;
   1996 
   1997       if (!SDP_ServiceSearchAttributeRequest(bd_addr, bta_dm_search_cb.p_sdp_db,
   1998                                              &bta_dm_sdp_callback)) {
   1999         /*
   2000          * If discovery is not successful with this device, then
   2001          * proceed with the next one.
   2002          */
   2003         osi_free_and_reset((void**)&bta_dm_search_cb.p_sdp_db);
   2004         bta_dm_search_cb.service_index = BTA_MAX_SERVICE_ID;
   2005 
   2006       } else {
   2007         if ((bta_dm_search_cb.service_index == BTA_BLE_SERVICE_ID &&
   2008              bta_dm_search_cb.uuid_to_search == 0) ||
   2009             bta_dm_search_cb.service_index != BTA_BLE_SERVICE_ID)
   2010           bta_dm_search_cb.service_index++;
   2011         return;
   2012       }
   2013     }
   2014 
   2015     bta_dm_search_cb.service_index++;
   2016   }
   2017 
   2018   /* no more services to be discovered */
   2019   if (bta_dm_search_cb.service_index >= BTA_MAX_SERVICE_ID) {
   2020     tBTA_DM_MSG* p_msg = (tBTA_DM_MSG*)osi_malloc(sizeof(tBTA_DM_MSG));
   2021     /* initialize the data structure - includes p_raw_data and raw_data_size */
   2022     memset(&(p_msg->disc_result.result), 0, sizeof(tBTA_DM_DISC_RES));
   2023     p_msg->hdr.event = BTA_DM_DISCOVERY_RESULT_EVT;
   2024     p_msg->disc_result.result.disc_res.services =
   2025         bta_dm_search_cb.services_found;
   2026     bdcpy(p_msg->disc_result.result.disc_res.bd_addr,
   2027           bta_dm_search_cb.peer_bdaddr);
   2028     strlcpy((char*)p_msg->disc_result.result.disc_res.bd_name,
   2029             bta_dm_get_remname(), BD_NAME_LEN);
   2030 
   2031     bta_sys_sendmsg(p_msg);
   2032   }
   2033 }
   2034 
   2035 /*******************************************************************************
   2036  *
   2037  * Function         bta_dm_discover_next_device
   2038  *
   2039  * Description      Starts discovery on the next device in Inquiry data base
   2040  *
   2041  * Returns          void
   2042  *
   2043  ******************************************************************************/
   2044 static void bta_dm_discover_next_device(void) {
   2045   APPL_TRACE_DEBUG("bta_dm_discover_next_device");
   2046 
   2047   /* searching next device on inquiry result */
   2048   bta_dm_search_cb.p_btm_inq_info =
   2049       BTM_InqDbNext(bta_dm_search_cb.p_btm_inq_info);
   2050   if (bta_dm_search_cb.p_btm_inq_info != NULL) {
   2051     bta_dm_search_cb.name_discover_done = false;
   2052     bta_dm_search_cb.peer_name[0] = 0;
   2053     bta_dm_discover_device(
   2054         bta_dm_search_cb.p_btm_inq_info->results.remote_bd_addr);
   2055   } else {
   2056     tBTA_DM_MSG* p_msg = (tBTA_DM_MSG*)osi_malloc(sizeof(tBTA_DM_MSG));
   2057 
   2058     /* no devices, search complete */
   2059     bta_dm_search_cb.services = 0;
   2060 
   2061     p_msg->hdr.event = BTA_DM_SEARCH_CMPL_EVT;
   2062     p_msg->hdr.layer_specific = BTA_DM_API_DISCOVER_EVT;
   2063 
   2064     bta_sys_sendmsg(p_msg);
   2065   }
   2066 }
   2067 
   2068 /*******************************************************************************
   2069  *
   2070  * Function         bta_dm_discover_device
   2071  *
   2072  * Description      Starts name and service discovery on the device
   2073  *
   2074  * Returns          void
   2075  *
   2076  ******************************************************************************/
   2077 static void bta_dm_discover_device(BD_ADDR remote_bd_addr) {
   2078   tBT_TRANSPORT transport = BT_TRANSPORT_BR_EDR;
   2079   if (bta_dm_search_cb.transport == BTA_TRANSPORT_UNKNOWN) {
   2080     tBT_DEVICE_TYPE dev_type;
   2081     tBLE_ADDR_TYPE addr_type;
   2082 
   2083     BTM_ReadDevInfo(remote_bd_addr, &dev_type, &addr_type);
   2084     if (dev_type == BT_DEVICE_TYPE_BLE || addr_type == BLE_ADDR_RANDOM)
   2085       transport = BT_TRANSPORT_LE;
   2086   } else {
   2087     transport = bta_dm_search_cb.transport;
   2088   }
   2089 
   2090   /* Reset transport state for next discovery */
   2091   bta_dm_search_cb.transport = BTA_TRANSPORT_UNKNOWN;
   2092 
   2093   APPL_TRACE_DEBUG("%s BDA:0x%02X%02X%02X%02X%02X%02X", __func__,
   2094                    remote_bd_addr[0], remote_bd_addr[1], remote_bd_addr[2],
   2095                    remote_bd_addr[3], remote_bd_addr[4], remote_bd_addr[5]);
   2096 
   2097   bdcpy(bta_dm_search_cb.peer_bdaddr, remote_bd_addr);
   2098 
   2099   APPL_TRACE_DEBUG(
   2100       "%s name_discover_done = %d p_btm_inq_info 0x%x state = %d, transport=%d",
   2101       __func__, bta_dm_search_cb.name_discover_done,
   2102       bta_dm_search_cb.p_btm_inq_info, bta_dm_search_cb.state, transport);
   2103 
   2104   if (bta_dm_search_cb.p_btm_inq_info) {
   2105     APPL_TRACE_DEBUG("%s appl_knows_rem_name %d", __func__,
   2106                      bta_dm_search_cb.p_btm_inq_info->appl_knows_rem_name);
   2107   }
   2108   if ((bta_dm_search_cb.p_btm_inq_info) &&
   2109       (bta_dm_search_cb.p_btm_inq_info->results.device_type ==
   2110        BT_DEVICE_TYPE_BLE) &&
   2111       (bta_dm_search_cb.state == BTA_DM_SEARCH_ACTIVE)) {
   2112     /* Do not perform RNR for LE devices at inquiry complete*/
   2113     bta_dm_search_cb.name_discover_done = true;
   2114   }
   2115   /* if name discovery is not done and application needs remote name */
   2116   if ((!bta_dm_search_cb.name_discover_done) &&
   2117       ((bta_dm_search_cb.p_btm_inq_info == NULL) ||
   2118        (bta_dm_search_cb.p_btm_inq_info &&
   2119         (!bta_dm_search_cb.p_btm_inq_info->appl_knows_rem_name)))) {
   2120     if (bta_dm_read_remote_device_name(bta_dm_search_cb.peer_bdaddr,
   2121                                        transport) == true)
   2122       return;
   2123 
   2124     /* starting name discovery failed */
   2125     bta_dm_search_cb.name_discover_done = true;
   2126   }
   2127 
   2128   /* if application wants to discover service */
   2129   if (bta_dm_search_cb.services) {
   2130     /* initialize variables */
   2131     bta_dm_search_cb.service_index = 0;
   2132     bta_dm_search_cb.services_found = 0;
   2133     bta_dm_search_cb.services_to_search = bta_dm_search_cb.services;
   2134     bta_dm_search_cb.uuid_to_search = bta_dm_search_cb.num_uuid;
   2135     if ((bta_dm_search_cb.p_btm_inq_info != NULL) &&
   2136         bta_dm_search_cb.services != BTA_USER_SERVICE_MASK &&
   2137         (bta_dm_search_cb.sdp_search == false)) {
   2138       /* check if EIR provides the information of supported services */
   2139       bta_dm_eir_search_services(&bta_dm_search_cb.p_btm_inq_info->results,
   2140                                  &bta_dm_search_cb.services_to_search,
   2141                                  &bta_dm_search_cb.services_found);
   2142     }
   2143 
   2144     /* if seaching with EIR is not completed */
   2145     if (bta_dm_search_cb.services_to_search) {
   2146       /* check whether connection already exists to the device
   2147          if connection exists, we don't have to wait for ACL
   2148          link to go down to start search on next device */
   2149       if (BTM_IsAclConnectionUp(bta_dm_search_cb.peer_bdaddr,
   2150                                 BT_TRANSPORT_BR_EDR))
   2151         bta_dm_search_cb.wait_disc = false;
   2152       else
   2153         bta_dm_search_cb.wait_disc = true;
   2154 
   2155       if (bta_dm_search_cb.p_btm_inq_info) {
   2156         APPL_TRACE_DEBUG(
   2157             "%s p_btm_inq_info 0x%x results.device_type 0x%x "
   2158             "services_to_search 0x%x",
   2159             __func__, bta_dm_search_cb.p_btm_inq_info,
   2160             bta_dm_search_cb.p_btm_inq_info->results.device_type,
   2161             bta_dm_search_cb.services_to_search);
   2162       }
   2163 
   2164       if (transport == BT_TRANSPORT_LE) {
   2165         if (bta_dm_search_cb.services_to_search & BTA_BLE_SERVICE_MASK) {
   2166           // set the raw data buffer here
   2167           memset(g_disc_raw_data_buf, 0, sizeof(g_disc_raw_data_buf));
   2168           bta_dm_search_cb.p_ble_rawdata = g_disc_raw_data_buf;
   2169 
   2170           bta_dm_search_cb.ble_raw_size = MAX_DISC_RAW_DATA_BUF;
   2171           bta_dm_search_cb.ble_raw_used = 0;
   2172 
   2173           /* start GATT for service discovery */
   2174           btm_dm_start_gatt_discovery(bta_dm_search_cb.peer_bdaddr);
   2175           return;
   2176         }
   2177       } else {
   2178         bta_dm_search_cb.sdp_results = false;
   2179         bta_dm_find_services(bta_dm_search_cb.peer_bdaddr);
   2180         return;
   2181       }
   2182     }
   2183   }
   2184 
   2185   /* name discovery and service discovery are done for this device */
   2186   tBTA_DM_MSG* p_msg = (tBTA_DM_MSG*)osi_malloc(sizeof(tBTA_DM_MSG));
   2187   p_msg->hdr.event = BTA_DM_DISCOVERY_RESULT_EVT;
   2188   /* initialize the data structure - includes p_raw_data and raw_data_size */
   2189   memset(&(p_msg->disc_result.result), 0, sizeof(tBTA_DM_DISC_RES));
   2190   p_msg->disc_result.result.disc_res.result = BTA_SUCCESS;
   2191   p_msg->disc_result.result.disc_res.services = bta_dm_search_cb.services_found;
   2192   bdcpy(p_msg->disc_result.result.disc_res.bd_addr,
   2193         bta_dm_search_cb.peer_bdaddr);
   2194   strlcpy((char*)p_msg->disc_result.result.disc_res.bd_name,
   2195           (char*)bta_dm_search_cb.peer_name, BD_NAME_LEN);
   2196 
   2197   bta_sys_sendmsg(p_msg);
   2198 }
   2199 
   2200 /*******************************************************************************
   2201  *
   2202  * Function         bta_dm_sdp_callback
   2203  *
   2204  * Description      Callback from sdp with discovery status
   2205  *
   2206  * Returns          void
   2207  *
   2208  ******************************************************************************/
   2209 static void bta_dm_sdp_callback(uint16_t sdp_status) {
   2210   tBTA_DM_SDP_RESULT* p_msg =
   2211       (tBTA_DM_SDP_RESULT*)osi_malloc(sizeof(tBTA_DM_SDP_RESULT));
   2212 
   2213   p_msg->hdr.event = BTA_DM_SDP_RESULT_EVT;
   2214   p_msg->sdp_result = sdp_status;
   2215 
   2216   bta_sys_sendmsg(p_msg);
   2217 }
   2218 
   2219 /*******************************************************************************
   2220  *
   2221  * Function         bta_dm_inq_results_cb
   2222  *
   2223  * Description      Inquiry results callback from BTM
   2224  *
   2225  * Returns          void
   2226  *
   2227  ******************************************************************************/
   2228 static void bta_dm_inq_results_cb(tBTM_INQ_RESULTS* p_inq, uint8_t* p_eir,
   2229                                   uint16_t eir_len) {
   2230   tBTA_DM_SEARCH result;
   2231   tBTM_INQ_INFO* p_inq_info;
   2232   uint16_t service_class;
   2233 
   2234   bdcpy(result.inq_res.bd_addr, p_inq->remote_bd_addr);
   2235   memcpy(result.inq_res.dev_class, p_inq->dev_class, DEV_CLASS_LEN);
   2236   BTM_COD_SERVICE_CLASS(service_class, p_inq->dev_class);
   2237   result.inq_res.is_limited =
   2238       (service_class & BTM_COD_SERVICE_LMTD_DISCOVER) ? true : false;
   2239   result.inq_res.rssi = p_inq->rssi;
   2240 
   2241   result.inq_res.ble_addr_type = p_inq->ble_addr_type;
   2242   result.inq_res.inq_result_type = p_inq->inq_result_type;
   2243   result.inq_res.device_type = p_inq->device_type;
   2244   result.inq_res.flag = p_inq->flag;
   2245 
   2246   /* application will parse EIR to find out remote device name */
   2247   result.inq_res.p_eir = p_eir;
   2248   result.inq_res.eir_len = eir_len;
   2249 
   2250   p_inq_info = BTM_InqDbRead(p_inq->remote_bd_addr);
   2251   if (p_inq_info != NULL) {
   2252     /* initialize remt_name_not_required to false so that we get the name by
   2253      * default */
   2254     result.inq_res.remt_name_not_required = false;
   2255   }
   2256 
   2257   if (bta_dm_search_cb.p_search_cback)
   2258     bta_dm_search_cb.p_search_cback(BTA_DM_INQ_RES_EVT, &result);
   2259 
   2260   if (p_inq_info) {
   2261     /* application indicates if it knows the remote name, inside the callback
   2262      copy that to the inquiry data base*/
   2263     if (result.inq_res.remt_name_not_required)
   2264       p_inq_info->appl_knows_rem_name = true;
   2265   }
   2266 }
   2267 
   2268 /*******************************************************************************
   2269  *
   2270  * Function         bta_dm_inq_cmpl_cb
   2271  *
   2272  * Description      Inquiry complete callback from BTM
   2273  *
   2274  * Returns          void
   2275  *
   2276  ******************************************************************************/
   2277 static void bta_dm_inq_cmpl_cb(void* p_result) {
   2278   tBTA_DM_MSG* p_msg = (tBTA_DM_MSG*)osi_malloc(sizeof(tBTA_DM_MSG));
   2279 
   2280   APPL_TRACE_DEBUG("%s", __func__);
   2281 
   2282   if (bta_dm_search_cb.cancel_pending == false) {
   2283     p_msg->inq_cmpl.hdr.event = BTA_DM_INQUIRY_CMPL_EVT;
   2284     p_msg->inq_cmpl.num = ((tBTM_INQUIRY_CMPL*)p_result)->num_resp;
   2285   } else {
   2286     bta_dm_search_cb.cancel_pending = false;
   2287     bta_dm_search_cancel_notify(NULL);
   2288     p_msg->hdr.event = BTA_DM_SEARCH_CMPL_EVT;
   2289     p_msg->hdr.layer_specific = BTA_DM_API_DISCOVER_EVT;
   2290   }
   2291 
   2292   bta_sys_sendmsg(p_msg);
   2293 }
   2294 
   2295 /*******************************************************************************
   2296  *
   2297  * Function         bta_dm_service_search_remname_cback
   2298  *
   2299  * Description      Remote name call back from BTM during service discovery
   2300  *
   2301  * Returns          void
   2302  *
   2303  ******************************************************************************/
   2304 static void bta_dm_service_search_remname_cback(BD_ADDR bd_addr,
   2305                                                 UNUSED_ATTR DEV_CLASS dc,
   2306                                                 BD_NAME bd_name) {
   2307   tBTM_REMOTE_DEV_NAME rem_name;
   2308   tBTM_STATUS btm_status;
   2309 
   2310   APPL_TRACE_DEBUG("bta_dm_service_search_remname_cback name=<%s>", bd_name);
   2311 
   2312   /* if this is what we are looking for */
   2313   if (!bdcmp(bta_dm_search_cb.peer_bdaddr, bd_addr)) {
   2314     rem_name.length = strlen((char*)bd_name);
   2315     if (rem_name.length > (BD_NAME_LEN - 1)) {
   2316       rem_name.length = (BD_NAME_LEN - 1);
   2317       rem_name.remote_bd_name[(BD_NAME_LEN - 1)] = 0;
   2318     }
   2319     strlcpy((char*)rem_name.remote_bd_name, (char*)bd_name, BD_NAME_LEN);
   2320     rem_name.status = BTM_SUCCESS;
   2321 
   2322     bta_dm_remname_cback(&rem_name);
   2323   } else {
   2324     /* get name of device */
   2325     btm_status = BTM_ReadRemoteDeviceName(bta_dm_search_cb.peer_bdaddr,
   2326                                           (tBTM_CMPL_CB*)bta_dm_remname_cback,
   2327                                           BT_TRANSPORT_BR_EDR);
   2328     if (btm_status == BTM_BUSY) {
   2329       /* wait for next chance(notification of remote name discovery done) */
   2330       APPL_TRACE_DEBUG(
   2331           "bta_dm_service_search_remname_cback: BTM_ReadRemoteDeviceName is "
   2332           "busy");
   2333     } else if (btm_status != BTM_CMD_STARTED) {
   2334       /* if failed to start getting remote name then continue */
   2335       APPL_TRACE_WARNING(
   2336           "bta_dm_service_search_remname_cback: BTM_ReadRemoteDeviceName "
   2337           "returns 0x%02X",
   2338           btm_status);
   2339 
   2340       rem_name.length = 0;
   2341       rem_name.remote_bd_name[0] = 0;
   2342       rem_name.status = btm_status;
   2343       bta_dm_remname_cback(&rem_name);
   2344     }
   2345   }
   2346 }
   2347 
   2348 /*******************************************************************************
   2349  *
   2350  * Function         bta_dm_remname_cback
   2351  *
   2352  * Description      Remote name complete call back from BTM
   2353  *
   2354  * Returns          void
   2355  *
   2356  ******************************************************************************/
   2357 static void bta_dm_remname_cback(tBTM_REMOTE_DEV_NAME* p_remote_name) {
   2358   APPL_TRACE_DEBUG("bta_dm_remname_cback len = %d name=<%s>",
   2359                    p_remote_name->length, p_remote_name->remote_bd_name);
   2360 
   2361   /* remote name discovery is done but it could be failed */
   2362   bta_dm_search_cb.name_discover_done = true;
   2363   strlcpy((char*)bta_dm_search_cb.peer_name,
   2364           (char*)p_remote_name->remote_bd_name, BD_NAME_LEN);
   2365 
   2366   BTM_SecDeleteRmtNameNotifyCallback(&bta_dm_service_search_remname_cback);
   2367 
   2368   if (bta_dm_search_cb.transport == BT_TRANSPORT_LE) {
   2369     GAP_BleReadPeerPrefConnParams(bta_dm_search_cb.peer_bdaddr);
   2370   }
   2371 
   2372   tBTA_DM_REM_NAME* p_msg =
   2373       (tBTA_DM_REM_NAME*)osi_malloc(sizeof(tBTA_DM_REM_NAME));
   2374   bdcpy(p_msg->result.disc_res.bd_addr, bta_dm_search_cb.peer_bdaddr);
   2375   strlcpy((char*)p_msg->result.disc_res.bd_name,
   2376           (char*)p_remote_name->remote_bd_name, BD_NAME_LEN);
   2377   p_msg->hdr.event = BTA_DM_REMT_NAME_EVT;
   2378 
   2379   bta_sys_sendmsg(p_msg);
   2380 }
   2381 
   2382 /*******************************************************************************
   2383  *
   2384  * Function         bta_dm_authorize_cback
   2385  *
   2386  * Description      cback requesting authorization
   2387  *
   2388  * Returns          void
   2389  *
   2390  ******************************************************************************/
   2391 static uint8_t bta_dm_authorize_cback(BD_ADDR bd_addr, DEV_CLASS dev_class,
   2392                                       BD_NAME bd_name,
   2393                                       UNUSED_ATTR uint8_t* service_name,
   2394                                       uint8_t service_id,
   2395                                       UNUSED_ATTR bool is_originator) {
   2396   tBTA_DM_SEC sec_event;
   2397   uint8_t index = 1;
   2398 
   2399   bdcpy(sec_event.authorize.bd_addr, bd_addr);
   2400   memcpy(sec_event.authorize.dev_class, dev_class, DEV_CLASS_LEN);
   2401   strlcpy((char*)sec_event.authorize.bd_name, (char*)bd_name, BD_NAME_LEN);
   2402 
   2403 #if (BTA_JV_INCLUDED == TRUE)
   2404   sec_event.authorize.service = service_id;
   2405 #endif
   2406 
   2407   while (index < BTA_MAX_SERVICE_ID) {
   2408     /* get the BTA service id corresponding to BTM id */
   2409     if (bta_service_id_to_btm_srv_id_lkup_tbl[index] == service_id) {
   2410       sec_event.authorize.service = index;
   2411       break;
   2412     }
   2413     index++;
   2414   }
   2415 
   2416   /* if supported service callback otherwise not authorized */
   2417   if (bta_dm_cb.p_sec_cback && (index < BTA_MAX_SERVICE_ID
   2418 #if (BTA_JV_INCLUDED == TRUE)
   2419                                 /* pass through JV service ID */
   2420                                 || (service_id >= BTA_FIRST_JV_SERVICE_ID &&
   2421                                     service_id <= BTA_LAST_JV_SERVICE_ID)
   2422 #endif
   2423                                     )) {
   2424     bta_dm_cb.p_sec_cback(BTA_DM_AUTHORIZE_EVT, &sec_event);
   2425     return BTM_CMD_STARTED;
   2426   } else {
   2427     return BTM_NOT_AUTHORIZED;
   2428   }
   2429 }
   2430 
   2431 /*******************************************************************************
   2432  *
   2433  * Function         bta_dm_pinname_cback
   2434  *
   2435  * Description      Callback requesting pin_key
   2436  *
   2437  * Returns          void
   2438  *
   2439  ******************************************************************************/
   2440 static void bta_dm_pinname_cback(void* p_data) {
   2441   tBTM_REMOTE_DEV_NAME* p_result = (tBTM_REMOTE_DEV_NAME*)p_data;
   2442   tBTA_DM_SEC sec_event;
   2443   uint32_t bytes_to_copy;
   2444   tBTA_DM_SEC_EVT event = bta_dm_cb.pin_evt;
   2445 
   2446   if (BTA_DM_SP_CFM_REQ_EVT == event) {
   2447     /* Retrieved saved device class and bd_addr */
   2448     bdcpy(sec_event.cfm_req.bd_addr, bta_dm_cb.pin_bd_addr);
   2449     BTA_COPY_DEVICE_CLASS(sec_event.cfm_req.dev_class, bta_dm_cb.pin_dev_class);
   2450 
   2451     if (p_result && p_result->status == BTM_SUCCESS) {
   2452       bytes_to_copy = (p_result->length < (BD_NAME_LEN - 1))
   2453                           ? p_result->length
   2454                           : (BD_NAME_LEN - 1);
   2455       memcpy(sec_event.cfm_req.bd_name, p_result->remote_bd_name,
   2456              bytes_to_copy);
   2457       sec_event.pin_req.bd_name[BD_NAME_LEN - 1] = 0;
   2458     } else /* No name found */
   2459       sec_event.cfm_req.bd_name[0] = 0;
   2460 
   2461     sec_event.key_notif.passkey =
   2462         bta_dm_cb.num_val; /* get PIN code numeric number */
   2463 
   2464     /* 1 additional event data fields for this event */
   2465     sec_event.cfm_req.just_works = bta_dm_cb.just_works;
   2466   } else {
   2467     /* Retrieved saved device class and bd_addr */
   2468     bdcpy(sec_event.pin_req.bd_addr, bta_dm_cb.pin_bd_addr);
   2469     BTA_COPY_DEVICE_CLASS(sec_event.pin_req.dev_class, bta_dm_cb.pin_dev_class);
   2470 
   2471     if (p_result && p_result->status == BTM_SUCCESS) {
   2472       bytes_to_copy = (p_result->length < (BD_NAME_LEN - 1))
   2473                           ? p_result->length
   2474                           : (BD_NAME_LEN - 1);
   2475       memcpy(sec_event.pin_req.bd_name, p_result->remote_bd_name,
   2476              bytes_to_copy);
   2477       sec_event.pin_req.bd_name[BD_NAME_LEN - 1] = 0;
   2478     } else /* No name found */
   2479       sec_event.pin_req.bd_name[0] = 0;
   2480 
   2481     event = bta_dm_cb.pin_evt;
   2482     sec_event.key_notif.passkey =
   2483         bta_dm_cb.num_val; /* get PIN code numeric number */
   2484   }
   2485 
   2486   if (bta_dm_cb.p_sec_cback) bta_dm_cb.p_sec_cback(event, &sec_event);
   2487 }
   2488 
   2489 /*******************************************************************************
   2490  *
   2491  * Function         bta_dm_pin_cback
   2492  *
   2493  * Description      Callback requesting pin_key
   2494  *
   2495  * Returns          void
   2496  *
   2497  ******************************************************************************/
   2498 static uint8_t bta_dm_pin_cback(BD_ADDR bd_addr, DEV_CLASS dev_class,
   2499                                 BD_NAME bd_name, bool min_16_digit) {
   2500   tBTA_DM_SEC sec_event;
   2501 
   2502   if (!bta_dm_cb.p_sec_cback) return BTM_NOT_AUTHORIZED;
   2503 
   2504   /* If the device name is not known, save bdaddr and devclass and initiate a
   2505    * name request */
   2506   if (bd_name[0] == 0) {
   2507     bta_dm_cb.pin_evt = BTA_DM_PIN_REQ_EVT;
   2508     bdcpy(bta_dm_cb.pin_bd_addr, bd_addr);
   2509     BTA_COPY_DEVICE_CLASS(bta_dm_cb.pin_dev_class, dev_class);
   2510     if ((BTM_ReadRemoteDeviceName(bd_addr, bta_dm_pinname_cback,
   2511                                   BT_TRANSPORT_BR_EDR)) == BTM_CMD_STARTED)
   2512       return BTM_CMD_STARTED;
   2513 
   2514     APPL_TRACE_WARNING(
   2515         " bta_dm_pin_cback() -> Failed to start Remote Name Request  ");
   2516   }
   2517 
   2518   bdcpy(sec_event.pin_req.bd_addr, bd_addr);
   2519   BTA_COPY_DEVICE_CLASS(sec_event.pin_req.dev_class, dev_class);
   2520   strlcpy((char*)sec_event.pin_req.bd_name, (char*)bd_name, BD_NAME_LEN);
   2521   sec_event.pin_req.min_16_digit = min_16_digit;
   2522 
   2523   bta_dm_cb.p_sec_cback(BTA_DM_PIN_REQ_EVT, &sec_event);
   2524   return BTM_CMD_STARTED;
   2525 }
   2526 
   2527 /*******************************************************************************
   2528  *
   2529  * Function         bta_dm_new_link_key_cback
   2530  *
   2531  * Description      Callback from BTM to notify new link key
   2532  *
   2533  * Returns          void
   2534  *
   2535  ******************************************************************************/
   2536 static uint8_t bta_dm_new_link_key_cback(BD_ADDR bd_addr,
   2537                                          UNUSED_ATTR DEV_CLASS dev_class,
   2538                                          BD_NAME bd_name, LINK_KEY key,
   2539                                          uint8_t key_type) {
   2540   tBTA_DM_SEC sec_event;
   2541   tBTA_DM_AUTH_CMPL* p_auth_cmpl;
   2542   uint8_t event;
   2543 
   2544   memset(&sec_event, 0, sizeof(tBTA_DM_SEC));
   2545 
   2546   /* Not AMP Key type */
   2547   if (key_type != HCI_LKEY_TYPE_AMP_WIFI && key_type != HCI_LKEY_TYPE_AMP_UWB) {
   2548     event = BTA_DM_AUTH_CMPL_EVT;
   2549     p_auth_cmpl = &sec_event.auth_cmpl;
   2550 
   2551     bdcpy(p_auth_cmpl->bd_addr, bd_addr);
   2552 
   2553     memcpy(p_auth_cmpl->bd_name, bd_name, (BD_NAME_LEN - 1));
   2554     p_auth_cmpl->bd_name[BD_NAME_LEN - 1] = 0;
   2555 
   2556     p_auth_cmpl->key_present = true;
   2557     p_auth_cmpl->key_type = key_type;
   2558     p_auth_cmpl->success = true;
   2559 
   2560     memcpy(p_auth_cmpl->key, key, LINK_KEY_LEN);
   2561     sec_event.auth_cmpl.fail_reason = HCI_SUCCESS;
   2562 
   2563     // Report the BR link key based on the BR/EDR address and type
   2564     BTM_ReadDevInfo(bd_addr, &sec_event.auth_cmpl.dev_type,
   2565                     &sec_event.auth_cmpl.addr_type);
   2566     if (bta_dm_cb.p_sec_cback) bta_dm_cb.p_sec_cback(event, &sec_event);
   2567 
   2568     // Setting remove_dev_pending flag to false, where it will avoid deleting
   2569     // the
   2570     // security device record when the ACL connection link goes down in case of
   2571     // reconnection.
   2572     if (bta_dm_cb.device_list.count)
   2573       bta_dm_reset_sec_dev_pending(p_auth_cmpl->bd_addr);
   2574   } else {
   2575     APPL_TRACE_WARNING("%s() Received AMP Key", __func__);
   2576   }
   2577 
   2578   return BTM_CMD_STARTED;
   2579 }
   2580 
   2581 /*******************************************************************************
   2582  *
   2583  * Function         bta_dm_authentication_complete_cback
   2584  *
   2585  * Description      Authentication complete callback from BTM
   2586  *
   2587  * Returns          void
   2588  *
   2589  ******************************************************************************/
   2590 static uint8_t bta_dm_authentication_complete_cback(
   2591     BD_ADDR bd_addr, UNUSED_ATTR DEV_CLASS dev_class, BD_NAME bd_name,
   2592     int result) {
   2593   tBTA_DM_SEC sec_event;
   2594 
   2595   if (result != BTM_SUCCESS) {
   2596     memset(&sec_event, 0, sizeof(tBTA_DM_SEC));
   2597     bdcpy(sec_event.auth_cmpl.bd_addr, bd_addr);
   2598 
   2599     memcpy(sec_event.auth_cmpl.bd_name, bd_name, (BD_NAME_LEN - 1));
   2600     sec_event.auth_cmpl.bd_name[BD_NAME_LEN - 1] = 0;
   2601 
   2602     // Report the BR link key based on the BR/EDR address and type
   2603     BTM_ReadDevInfo(bd_addr, &sec_event.auth_cmpl.dev_type,
   2604                     &sec_event.auth_cmpl.addr_type);
   2605     sec_event.auth_cmpl.fail_reason = (uint8_t)result;
   2606 
   2607     if (bta_dm_cb.p_sec_cback)
   2608       bta_dm_cb.p_sec_cback(BTA_DM_AUTH_CMPL_EVT, &sec_event);
   2609 
   2610     if (result != HCI_ERR_LMP_RESPONSE_TIMEOUT &&
   2611         result != HCI_ERR_PAGE_TIMEOUT &&
   2612         result != HCI_ERR_CONN_FAILED_ESTABLISHMENT) {
   2613       bta_dm_remove_sec_dev_entry(bd_addr);
   2614     }
   2615   }
   2616 
   2617   return BTM_SUCCESS;
   2618 }
   2619 
   2620 #if (BTM_LOCAL_IO_CAPS != BTM_IO_CAP_NONE)
   2621 /*******************************************************************************
   2622  *
   2623  * Function         bta_dm_sp_cback
   2624  *
   2625  * Description      simple pairing callback from BTM
   2626  *
   2627  * Returns          void
   2628  *
   2629  ******************************************************************************/
   2630 static uint8_t bta_dm_sp_cback(tBTM_SP_EVT event, tBTM_SP_EVT_DATA* p_data) {
   2631   tBTM_STATUS status = BTM_CMD_STARTED;
   2632   tBTA_DM_SEC sec_event;
   2633   tBTA_DM_SEC_EVT pin_evt = BTA_DM_SP_KEY_NOTIF_EVT;
   2634 
   2635   APPL_TRACE_EVENT("bta_dm_sp_cback: %d", event);
   2636   if (!bta_dm_cb.p_sec_cback) return BTM_NOT_AUTHORIZED;
   2637 
   2638   /* TODO_SP */
   2639   switch (event) {
   2640     case BTM_SP_IO_REQ_EVT:
   2641       /* translate auth_req */
   2642       bta_dm_co_io_req(p_data->io_req.bd_addr, &p_data->io_req.io_cap,
   2643                        &p_data->io_req.oob_data, &p_data->io_req.auth_req,
   2644                        p_data->io_req.is_orig);
   2645       APPL_TRACE_EVENT("io mitm: %d oob_data:%d", p_data->io_req.auth_req,
   2646                        p_data->io_req.oob_data);
   2647       break;
   2648     case BTM_SP_IO_RSP_EVT:
   2649       bta_dm_co_io_rsp(p_data->io_rsp.bd_addr, p_data->io_rsp.io_cap,
   2650                        p_data->io_rsp.oob_data, p_data->io_rsp.auth_req);
   2651       break;
   2652 
   2653     case BTM_SP_CFM_REQ_EVT:
   2654       pin_evt = BTA_DM_SP_CFM_REQ_EVT;
   2655       bta_dm_cb.just_works = sec_event.cfm_req.just_works =
   2656           p_data->cfm_req.just_works;
   2657       sec_event.cfm_req.loc_auth_req = p_data->cfm_req.loc_auth_req;
   2658       sec_event.cfm_req.rmt_auth_req = p_data->cfm_req.rmt_auth_req;
   2659       sec_event.cfm_req.loc_io_caps = p_data->cfm_req.loc_io_caps;
   2660       sec_event.cfm_req.rmt_io_caps = p_data->cfm_req.rmt_io_caps;
   2661 
   2662     /* continue to next case */
   2663     /* Passkey entry mode, mobile device with output capability is very
   2664         unlikely to receive key request, so skip this event */
   2665     /*case BTM_SP_KEY_REQ_EVT: */
   2666     case BTM_SP_KEY_NOTIF_EVT:
   2667       bta_dm_cb.num_val = sec_event.key_notif.passkey =
   2668           p_data->key_notif.passkey;
   2669 
   2670       if (BTM_SP_CFM_REQ_EVT == event) {
   2671         /* Due to the switch case falling through below to BTM_SP_KEY_NOTIF_EVT,
   2672            call remote name request using values from cfm_req */
   2673         if (p_data->cfm_req.bd_name[0] == 0) {
   2674           bta_dm_cb.pin_evt = pin_evt;
   2675           bdcpy(bta_dm_cb.pin_bd_addr, p_data->cfm_req.bd_addr);
   2676           BTA_COPY_DEVICE_CLASS(bta_dm_cb.pin_dev_class,
   2677                                 p_data->cfm_req.dev_class);
   2678           if ((BTM_ReadRemoteDeviceName(
   2679                   p_data->cfm_req.bd_addr, bta_dm_pinname_cback,
   2680                   BT_TRANSPORT_BR_EDR)) == BTM_CMD_STARTED)
   2681             return BTM_CMD_STARTED;
   2682           APPL_TRACE_WARNING(
   2683               " bta_dm_sp_cback() -> Failed to start Remote Name Request  ");
   2684         } else {
   2685           /* Due to the switch case falling through below to
   2686              BTM_SP_KEY_NOTIF_EVT,
   2687              copy these values into key_notif from cfm_req */
   2688           bdcpy(sec_event.key_notif.bd_addr, p_data->cfm_req.bd_addr);
   2689           BTA_COPY_DEVICE_CLASS(sec_event.key_notif.dev_class,
   2690                                 p_data->cfm_req.dev_class);
   2691           strlcpy((char*)sec_event.key_notif.bd_name,
   2692                   (char*)p_data->cfm_req.bd_name, BD_NAME_LEN);
   2693         }
   2694       }
   2695 
   2696       if (BTM_SP_KEY_NOTIF_EVT == event) {
   2697         /* If the device name is not known, save bdaddr and devclass
   2698            and initiate a name request with values from key_notif */
   2699         if (p_data->key_notif.bd_name[0] == 0) {
   2700           bta_dm_cb.pin_evt = pin_evt;
   2701           bdcpy(bta_dm_cb.pin_bd_addr, p_data->key_notif.bd_addr);
   2702           BTA_COPY_DEVICE_CLASS(bta_dm_cb.pin_dev_class,
   2703                                 p_data->key_notif.dev_class);
   2704           if ((BTM_ReadRemoteDeviceName(
   2705                   p_data->key_notif.bd_addr, bta_dm_pinname_cback,
   2706                   BT_TRANSPORT_BR_EDR)) == BTM_CMD_STARTED)
   2707             return BTM_CMD_STARTED;
   2708           APPL_TRACE_WARNING(
   2709               " bta_dm_sp_cback() -> Failed to start Remote Name Request  ");
   2710         } else {
   2711           bdcpy(sec_event.key_notif.bd_addr, p_data->key_notif.bd_addr);
   2712           BTA_COPY_DEVICE_CLASS(sec_event.key_notif.dev_class,
   2713                                 p_data->key_notif.dev_class);
   2714           strlcpy((char*)sec_event.key_notif.bd_name,
   2715                   (char*)p_data->key_notif.bd_name, BD_NAME_LEN);
   2716           sec_event.key_notif.bd_name[BD_NAME_LEN - 1] = 0;
   2717         }
   2718       }
   2719 
   2720       bta_dm_cb.p_sec_cback(pin_evt, &sec_event);
   2721 
   2722       break;
   2723 
   2724     case BTM_SP_LOC_OOB_EVT:
   2725       bta_dm_co_loc_oob((bool)(p_data->loc_oob.status == BTM_SUCCESS),
   2726                         p_data->loc_oob.c, p_data->loc_oob.r);
   2727       break;
   2728 
   2729     case BTM_SP_RMT_OOB_EVT:
   2730       /* If the device name is not known, save bdaddr and devclass and initiate
   2731        * a name request */
   2732       if (p_data->rmt_oob.bd_name[0] == 0) {
   2733         bta_dm_cb.pin_evt = BTA_DM_SP_RMT_OOB_EVT;
   2734         bdcpy(bta_dm_cb.pin_bd_addr, p_data->rmt_oob.bd_addr);
   2735         BTA_COPY_DEVICE_CLASS(bta_dm_cb.pin_dev_class,
   2736                               p_data->rmt_oob.dev_class);
   2737         if ((BTM_ReadRemoteDeviceName(p_data->rmt_oob.bd_addr,
   2738                                       bta_dm_pinname_cback,
   2739                                       BT_TRANSPORT_BR_EDR)) == BTM_CMD_STARTED)
   2740           return BTM_CMD_STARTED;
   2741         APPL_TRACE_WARNING(
   2742             " bta_dm_sp_cback() -> Failed to start Remote Name Request  ");
   2743       }
   2744 
   2745       bdcpy(sec_event.rmt_oob.bd_addr, p_data->rmt_oob.bd_addr);
   2746       BTA_COPY_DEVICE_CLASS(sec_event.rmt_oob.dev_class,
   2747                             p_data->rmt_oob.dev_class);
   2748       strlcpy((char*)sec_event.rmt_oob.bd_name, (char*)p_data->rmt_oob.bd_name,
   2749               BD_NAME_LEN);
   2750 
   2751       bta_dm_cb.p_sec_cback(BTA_DM_SP_RMT_OOB_EVT, &sec_event);
   2752 
   2753       bta_dm_co_rmt_oob(p_data->rmt_oob.bd_addr);
   2754       break;
   2755 
   2756     case BTM_SP_COMPLT_EVT:
   2757       /* do not report this event - handled by link_key_callback or
   2758        * auth_complete_callback */
   2759       break;
   2760 
   2761     case BTM_SP_KEYPRESS_EVT:
   2762       memcpy(&sec_event.key_press, &p_data->key_press,
   2763              sizeof(tBTM_SP_KEYPRESS));
   2764       bta_dm_cb.p_sec_cback(BTA_DM_SP_KEYPRESS_EVT, &sec_event);
   2765       break;
   2766 
   2767     case BTM_SP_UPGRADE_EVT:
   2768       bta_dm_co_lk_upgrade(p_data->upgrade.bd_addr, &p_data->upgrade.upgrade);
   2769       break;
   2770 
   2771     default:
   2772       status = BTM_NOT_AUTHORIZED;
   2773       break;
   2774   }
   2775   APPL_TRACE_EVENT("dm status: %d", status);
   2776   return status;
   2777 }
   2778 #endif
   2779 
   2780 /*******************************************************************************
   2781  *
   2782  * Function         bta_dm_local_name_cback
   2783  *
   2784  * Description      Callback from btm after local name is read
   2785  *
   2786  *
   2787  * Returns          void
   2788  *
   2789  ******************************************************************************/
   2790 static void bta_dm_local_name_cback(UNUSED_ATTR uint8_t* p_name) {
   2791   tBTA_DM_SEC sec_event;
   2792 
   2793   sec_event.enable.status = BTA_SUCCESS;
   2794 
   2795   if (bta_dm_cb.p_sec_cback)
   2796     bta_dm_cb.p_sec_cback(BTA_DM_ENABLE_EVT, &sec_event);
   2797 }
   2798 
   2799 /*******************************************************************************
   2800  *
   2801  * Function         bta_dm_bl_change_cback
   2802  *
   2803  * Description      Callback from btm when acl connection goes up or down
   2804  *
   2805  *
   2806  * Returns          void
   2807  *
   2808  ******************************************************************************/
   2809 static void bta_dm_bl_change_cback(tBTM_BL_EVENT_DATA* p_data) {
   2810   tBTA_DM_ACL_CHANGE* p_msg =
   2811       (tBTA_DM_ACL_CHANGE*)osi_malloc(sizeof(tBTA_DM_ACL_CHANGE));
   2812 
   2813   p_msg->event = p_data->event;
   2814   p_msg->is_new = false;
   2815 
   2816   switch (p_msg->event) {
   2817     case BTM_BL_CONN_EVT:
   2818       p_msg->is_new = true;
   2819       bdcpy(p_msg->bd_addr, p_data->conn.p_bda);
   2820       p_msg->transport = p_data->conn.transport;
   2821       p_msg->handle = p_data->conn.handle;
   2822       break;
   2823     case BTM_BL_DISCN_EVT:
   2824       bdcpy(p_msg->bd_addr, p_data->discn.p_bda);
   2825       p_msg->transport = p_data->discn.transport;
   2826       p_msg->handle = p_data->discn.handle;
   2827       break;
   2828     case BTM_BL_UPDATE_EVT:
   2829       p_msg->busy_level = p_data->update.busy_level;
   2830       p_msg->busy_level_flags = p_data->update.busy_level_flags;
   2831       break;
   2832     case BTM_BL_ROLE_CHG_EVT:
   2833       p_msg->new_role = p_data->role_chg.new_role;
   2834       p_msg->hci_status = p_data->role_chg.hci_status;
   2835       bdcpy(p_msg->bd_addr, p_data->role_chg.p_bda);
   2836       break;
   2837     case BTM_BL_COLLISION_EVT:
   2838       bdcpy(p_msg->bd_addr, p_data->conn.p_bda);
   2839       break;
   2840   }
   2841 
   2842   p_msg->hdr.event = BTA_DM_ACL_CHANGE_EVT;
   2843   bta_sys_sendmsg(p_msg);
   2844 }
   2845 
   2846 /*******************************************************************************
   2847  *
   2848  * Function         bta_dm_rs_cback
   2849  *
   2850  * Description      Receives the role switch complete event
   2851  *
   2852  * Returns
   2853  *
   2854  ******************************************************************************/
   2855 static void bta_dm_rs_cback(UNUSED_ATTR tBTM_ROLE_SWITCH_CMPL* p1) {
   2856   APPL_TRACE_WARNING("bta_dm_rs_cback:%d", bta_dm_cb.rs_event);
   2857   if (bta_dm_cb.rs_event == BTA_DM_API_SEARCH_EVT) {
   2858     bta_dm_cb.search_msg.rs_res =
   2859         BTA_DM_RS_OK; /* do not care about the result for now */
   2860     bta_dm_cb.rs_event = 0;
   2861     bta_dm_search_start((tBTA_DM_MSG*)&bta_dm_cb.search_msg);
   2862   }
   2863 }
   2864 
   2865 /*******************************************************************************
   2866  *
   2867  * Function         bta_dm_check_av
   2868  *
   2869  * Description      This function checks if AV is active
   2870  *                  if yes, make sure the AV link is master
   2871  *
   2872  * Returns          bool - true, if switch is in progress
   2873  *
   2874  ******************************************************************************/
   2875 static bool bta_dm_check_av(uint16_t event) {
   2876   bool avoid_roleswitch = false;
   2877   bool switching = false;
   2878   uint8_t i;
   2879   tBTA_DM_PEER_DEVICE* p_dev;
   2880 
   2881 #if (BTA_DM_AVOID_A2DP_ROLESWITCH_ON_INQUIRY == TRUE)
   2882 
   2883   /* avoid role switch upon inquiry if a2dp is actively streaming as it
   2884      introduces an audioglitch due to FW scheduling delays (unavoidable) */
   2885   if (event == BTA_DM_API_SEARCH_EVT) {
   2886     avoid_roleswitch = true;
   2887   }
   2888 #endif
   2889 
   2890   APPL_TRACE_WARNING("bta_dm_check_av:%d", bta_dm_cb.cur_av_count);
   2891   if (bta_dm_cb.cur_av_count) {
   2892     for (i = 0; i < bta_dm_cb.device_list.count; i++) {
   2893       p_dev = &bta_dm_cb.device_list.peer_device[i];
   2894       APPL_TRACE_WARNING("[%d]: state:%d, info:x%x, avoid_rs %d", i,
   2895                          p_dev->conn_state, p_dev->info, avoid_roleswitch);
   2896       if ((p_dev->conn_state == BTA_DM_CONNECTED) &&
   2897           (p_dev->info & BTA_DM_DI_AV_ACTIVE) && (avoid_roleswitch == false)) {
   2898         /* make master and take away the role switch policy */
   2899         if (BTM_CMD_STARTED == BTM_SwitchRole(p_dev->peer_bdaddr,
   2900                                               HCI_ROLE_MASTER,
   2901                                               (tBTM_CMPL_CB*)bta_dm_rs_cback)) {
   2902           /* the role switch command is actually sent */
   2903           bta_dm_cb.rs_event = event;
   2904           switching = true;
   2905         }
   2906         /* else either already master or can not switch for some reasons */
   2907         bta_dm_policy_cback(BTA_SYS_PLCY_CLR, 0, HCI_ENABLE_MASTER_SLAVE_SWITCH,
   2908                             p_dev->peer_bdaddr);
   2909         break;
   2910       }
   2911     }
   2912   }
   2913   return switching;
   2914 }
   2915 
   2916 /*******************************************************************************
   2917  *
   2918  * Function         bta_dm_acl_change
   2919  *
   2920  * Description      Process BTA_DM_ACL_CHANGE_EVT
   2921  *
   2922  *
   2923  * Returns          void
   2924  *
   2925  ******************************************************************************/
   2926 void bta_dm_acl_change(tBTA_DM_MSG* p_data) {
   2927   uint8_t i;
   2928   uint8_t* p;
   2929   tBTA_DM_SEC conn;
   2930   bool is_new = p_data->acl_change.is_new;
   2931   BD_ADDR_PTR p_bda = p_data->acl_change.bd_addr;
   2932   bool need_policy_change = false;
   2933   bool issue_unpair_cb = false;
   2934 
   2935   tBTA_DM_PEER_DEVICE* p_dev;
   2936   memset(&conn, 0, sizeof(tBTA_DM_SEC));
   2937 
   2938   switch (p_data->acl_change.event) {
   2939     case BTM_BL_UPDATE_EVT: /* busy level update */
   2940       if (bta_dm_cb.p_sec_cback) {
   2941         conn.busy_level.level = p_data->acl_change.busy_level;
   2942         conn.busy_level.level_flags = p_data->acl_change.busy_level_flags;
   2943         bta_dm_cb.p_sec_cback(BTA_DM_BUSY_LEVEL_EVT, &conn);
   2944       }
   2945       return;
   2946 
   2947     case BTM_BL_ROLE_CHG_EVT: /* role change event */
   2948       p_dev = bta_dm_find_peer_device(p_bda);
   2949       if (p_dev) {
   2950         APPL_TRACE_DEBUG(
   2951             "bta_dm_acl_change role chg info:x%x new_role:%d dev count:%d",
   2952             p_dev->info, p_data->acl_change.new_role,
   2953             bta_dm_cb.device_list.count);
   2954         if (p_dev->info & BTA_DM_DI_AV_ACTIVE) {
   2955           /* there's AV activity on this link */
   2956           if (p_data->acl_change.new_role == HCI_ROLE_SLAVE &&
   2957               bta_dm_cb.device_list.count > 1 &&
   2958               p_data->acl_change.hci_status == HCI_SUCCESS) {
   2959             /* more than one connections and the AV connection is role switched
   2960              * to slave
   2961              * switch it back to master and remove the switch policy */
   2962             BTM_SwitchRole(p_bda, BTM_ROLE_MASTER, NULL);
   2963             need_policy_change = true;
   2964           } else if (p_bta_dm_cfg->avoid_scatter &&
   2965                      (p_data->acl_change.new_role == HCI_ROLE_MASTER)) {
   2966             /* if the link updated to be master include AV activities, remove
   2967              * the switch policy */
   2968             need_policy_change = true;
   2969           }
   2970 
   2971           if (need_policy_change) {
   2972             bta_dm_policy_cback(BTA_SYS_PLCY_CLR, 0,
   2973                                 HCI_ENABLE_MASTER_SLAVE_SWITCH,
   2974                                 p_dev->peer_bdaddr);
   2975           }
   2976         } else {
   2977           /* there's AV no activity on this link and role switch happened
   2978            * check if AV is active
   2979            * if so, make sure the AV link is master */
   2980           bta_dm_check_av(0);
   2981         }
   2982         bta_sys_notify_role_chg(p_data->acl_change.bd_addr,
   2983                                 p_data->acl_change.new_role,
   2984                                 p_data->acl_change.hci_status);
   2985         bdcpy(conn.role_chg.bd_addr, p_bda);
   2986         conn.role_chg.new_role = (uint8_t)p_data->acl_change.new_role;
   2987         if (bta_dm_cb.p_sec_cback)
   2988           bta_dm_cb.p_sec_cback(BTA_DM_ROLE_CHG_EVT, (tBTA_DM_SEC*)&conn);
   2989       }
   2990       return;
   2991   }
   2992 
   2993   /* Collision report from Stack: Notify profiles */
   2994   if (p_data->acl_change.event == BTM_BL_COLLISION_EVT) {
   2995     bta_sys_notify_collision(p_bda);
   2996     return;
   2997   }
   2998 
   2999   if (is_new) {
   3000     for (i = 0; i < bta_dm_cb.device_list.count; i++) {
   3001       if (!bdcmp(bta_dm_cb.device_list.peer_device[i].peer_bdaddr, p_bda) &&
   3002           bta_dm_cb.device_list.peer_device[i].conn_handle ==
   3003               p_data->acl_change.handle)
   3004         break;
   3005     }
   3006 
   3007     if (i == bta_dm_cb.device_list.count) {
   3008       if (bta_dm_cb.device_list.count < BTA_DM_NUM_PEER_DEVICE) {
   3009         bdcpy(bta_dm_cb.device_list.peer_device[bta_dm_cb.device_list.count]
   3010                   .peer_bdaddr,
   3011               p_bda);
   3012         bta_dm_cb.device_list.peer_device[bta_dm_cb.device_list.count]
   3013             .link_policy = bta_dm_cb.cur_policy;
   3014         bta_dm_cb.device_list.count++;
   3015         bta_dm_cb.device_list.peer_device[i].conn_handle =
   3016             p_data->acl_change.handle;
   3017         if (p_data->acl_change.transport == BT_TRANSPORT_LE)
   3018           bta_dm_cb.device_list.le_count++;
   3019       } else {
   3020         APPL_TRACE_ERROR("%s max active connection reached, no resources",
   3021                          __func__);
   3022         return;
   3023       }
   3024     }
   3025 
   3026     bta_dm_cb.device_list.peer_device[i].conn_state = BTA_DM_CONNECTED;
   3027     bta_dm_cb.device_list.peer_device[i].pref_role = BTA_ANY_ROLE;
   3028     bdcpy(conn.link_up.bd_addr, p_bda);
   3029     bta_dm_cb.device_list.peer_device[i].info = BTA_DM_DI_NONE;
   3030     conn.link_up.link_type = p_data->acl_change.transport;
   3031     bta_dm_cb.device_list.peer_device[i].transport =
   3032         p_data->acl_change.transport;
   3033 
   3034     if (((NULL != (p = BTM_ReadLocalFeatures())) &&
   3035          HCI_SNIFF_SUB_RATE_SUPPORTED(p)) &&
   3036         ((NULL != (p = BTM_ReadRemoteFeatures(p_bda))) &&
   3037          HCI_SNIFF_SUB_RATE_SUPPORTED(p))) {
   3038       /* both local and remote devices support SSR */
   3039       bta_dm_cb.device_list.peer_device[i].info = BTA_DM_DI_USE_SSR;
   3040     }
   3041     APPL_TRACE_WARNING("%s info: 0x%x", __func__,
   3042                        bta_dm_cb.device_list.peer_device[i].info);
   3043 
   3044     if (bta_dm_cb.p_sec_cback)
   3045       bta_dm_cb.p_sec_cback(BTA_DM_LINK_UP_EVT, (tBTA_DM_SEC*)&conn);
   3046   } else {
   3047     for (i = 0; i < bta_dm_cb.device_list.count; i++) {
   3048       if (bdcmp(bta_dm_cb.device_list.peer_device[i].peer_bdaddr, p_bda) ||
   3049           bta_dm_cb.device_list.peer_device[i].transport !=
   3050               p_data->acl_change.transport)
   3051         continue;
   3052 
   3053       if (bta_dm_cb.device_list.peer_device[i].conn_state == BTA_DM_UNPAIRING) {
   3054         if (BTM_SecDeleteDevice(
   3055                 bta_dm_cb.device_list.peer_device[i].peer_bdaddr))
   3056           issue_unpair_cb = true;
   3057 
   3058         APPL_TRACE_DEBUG("%s: Unpairing: issue unpair CB = %d ", __func__,
   3059                          issue_unpair_cb);
   3060       }
   3061 
   3062       conn.link_down.is_removed =
   3063           bta_dm_cb.device_list.peer_device[i].remove_dev_pending;
   3064 
   3065       // Iterate to the one before the last when shrinking the list,
   3066       // otherwise we memcpy garbage data into the record.
   3067       // Then clear out the last item in the list since we are shrinking.
   3068       for (; i < bta_dm_cb.device_list.count - 1; i++) {
   3069         memcpy(&bta_dm_cb.device_list.peer_device[i],
   3070                &bta_dm_cb.device_list.peer_device[i + 1],
   3071                sizeof(bta_dm_cb.device_list.peer_device[i]));
   3072       }
   3073       if (bta_dm_cb.device_list.count > 0) {
   3074         int clear_index = bta_dm_cb.device_list.count - 1;
   3075         memset(&bta_dm_cb.device_list.peer_device[clear_index], 0,
   3076                sizeof(bta_dm_cb.device_list.peer_device[clear_index]));
   3077       }
   3078       break;
   3079     }
   3080     if (bta_dm_cb.device_list.count) bta_dm_cb.device_list.count--;
   3081     if ((p_data->acl_change.transport == BT_TRANSPORT_LE) &&
   3082         (bta_dm_cb.device_list.le_count))
   3083       bta_dm_cb.device_list.le_count--;
   3084     conn.link_down.link_type = p_data->acl_change.transport;
   3085 
   3086     if (bta_dm_search_cb.wait_disc &&
   3087         !bdcmp(bta_dm_search_cb.peer_bdaddr, p_bda)) {
   3088       bta_dm_search_cb.wait_disc = false;
   3089 
   3090       if (bta_dm_search_cb.sdp_results) {
   3091         APPL_TRACE_EVENT(" timer stopped  ");
   3092         alarm_cancel(bta_dm_search_cb.search_timer);
   3093         bta_dm_discover_next_device();
   3094       }
   3095     }
   3096 
   3097     if (bta_dm_cb.disabling) {
   3098       if (!BTM_GetNumAclLinks()) {
   3099         /*
   3100          * Start a timer to make sure that the profiles
   3101          * get the disconnect event.
   3102          */
   3103         alarm_set_on_queue(
   3104             bta_dm_cb.disable_timer, BTA_DM_DISABLE_CONN_DOWN_TIMER_MS,
   3105             bta_dm_disable_conn_down_timer_cback, NULL, btu_bta_alarm_queue);
   3106       }
   3107     }
   3108     if (conn.link_down.is_removed) {
   3109       BTM_SecDeleteDevice(p_bda);
   3110       /* need to remove all pending background connection */
   3111       BTA_GATTC_CancelOpen(0, p_bda, false);
   3112       /* remove all cached GATT information */
   3113       BTA_GATTC_Refresh(p_bda);
   3114     }
   3115 
   3116     bdcpy(conn.link_down.bd_addr, p_bda);
   3117     conn.link_down.status = (uint8_t)btm_get_acl_disc_reason_code();
   3118     if (bta_dm_cb.p_sec_cback) {
   3119       bta_dm_cb.p_sec_cback(BTA_DM_LINK_DOWN_EVT, &conn);
   3120       if (issue_unpair_cb)
   3121         bta_dm_cb.p_sec_cback(BTA_DM_DEV_UNPAIRED_EVT, &conn);
   3122     }
   3123   }
   3124 
   3125   bta_dm_adjust_roles(true);
   3126 }
   3127 
   3128 /*******************************************************************************
   3129  *
   3130  * Function         bta_dm_disable_conn_down_timer_cback
   3131  *
   3132  * Description      Sends disable event to application
   3133  *
   3134  *
   3135  * Returns          void
   3136  *
   3137  ******************************************************************************/
   3138 static void bta_dm_disable_conn_down_timer_cback(UNUSED_ATTR void* data) {
   3139   tBTA_SYS_HW_MSG* sys_enable_event =
   3140       (tBTA_SYS_HW_MSG*)osi_malloc(sizeof(tBTA_SYS_HW_MSG));
   3141 
   3142   /* disable the power managment module */
   3143   bta_dm_disable_pm();
   3144 
   3145   /* register our callback to SYS HW manager */
   3146   bta_sys_hw_register(BTA_SYS_HW_BLUETOOTH, bta_dm_sys_hw_cback);
   3147 
   3148   /* send a message to BTA SYS */
   3149   sys_enable_event->hdr.event = BTA_SYS_API_DISABLE_EVT;
   3150   sys_enable_event->hw_module = BTA_SYS_HW_BLUETOOTH;
   3151   bta_sys_sendmsg(sys_enable_event);
   3152 
   3153   bta_dm_cb.disabling = false;
   3154 }
   3155 
   3156 /*******************************************************************************
   3157  *
   3158  * Function         bta_dm_rm_cback
   3159  *
   3160  * Description      Role management callback from sys
   3161  *
   3162  *
   3163  * Returns          void
   3164  *
   3165  ******************************************************************************/
   3166 static void bta_dm_rm_cback(tBTA_SYS_CONN_STATUS status, uint8_t id,
   3167                             uint8_t app_id, BD_ADDR peer_addr) {
   3168   uint8_t j;
   3169   tBTA_PREF_ROLES role;
   3170   tBTA_DM_PEER_DEVICE* p_dev;
   3171 
   3172   p_dev = bta_dm_find_peer_device(peer_addr);
   3173   if (status == BTA_SYS_CONN_OPEN) {
   3174     if (p_dev) {
   3175       /* Do not set to connected if we are in the middle of unpairing. When AV
   3176        * stream is
   3177        * started it fakes out a SYS_CONN_OPEN to potentially trigger a role
   3178        * switch command.
   3179        * But this should not be done if we are in the middle of unpairing.
   3180        */
   3181       if (p_dev->conn_state != BTA_DM_UNPAIRING)
   3182         p_dev->conn_state = BTA_DM_CONNECTED;
   3183 
   3184       for (j = 1; j <= p_bta_dm_rm_cfg[0].app_id; j++) {
   3185         if (((p_bta_dm_rm_cfg[j].app_id == app_id) ||
   3186              (p_bta_dm_rm_cfg[j].app_id == BTA_ALL_APP_ID)) &&
   3187             (p_bta_dm_rm_cfg[j].id == id)) {
   3188           role = p_bta_dm_rm_cfg[j].cfg;
   3189 
   3190           if (role > p_dev->pref_role) p_dev->pref_role = role;
   3191           break;
   3192         }
   3193       }
   3194     }
   3195   }
   3196 
   3197   if ((BTA_ID_AV == id) || (BTA_ID_AVK == id)) {
   3198     if (status == BTA_SYS_CONN_BUSY) {
   3199       if (p_dev) p_dev->info |= BTA_DM_DI_AV_ACTIVE;
   3200       /* AV calls bta_sys_conn_open with the A2DP stream count as app_id */
   3201       if (BTA_ID_AV == id) bta_dm_cb.cur_av_count = bta_dm_get_av_count();
   3202     } else if (status == BTA_SYS_CONN_IDLE) {
   3203       if (p_dev) p_dev->info &= ~BTA_DM_DI_AV_ACTIVE;
   3204 
   3205       /* get cur_av_count from connected services */
   3206       if (BTA_ID_AV == id) bta_dm_cb.cur_av_count = bta_dm_get_av_count();
   3207     }
   3208     APPL_TRACE_WARNING("bta_dm_rm_cback:%d, status:%d", bta_dm_cb.cur_av_count,
   3209                        status);
   3210   }
   3211 
   3212   /* Don't adjust roles for each busy/idle state transition to avoid
   3213      excessive switch requests when individual profile busy/idle status
   3214      changes */
   3215   if ((status != BTA_SYS_CONN_BUSY) && (status != BTA_SYS_CONN_IDLE))
   3216     bta_dm_adjust_roles(false);
   3217 }
   3218 
   3219 /*******************************************************************************
   3220  *
   3221  * Function         bta_dm_delay_role_switch_cback
   3222  *
   3223  * Description      Callback from btm to delay a role switch
   3224  *
   3225  * Returns          void
   3226  *
   3227  ******************************************************************************/
   3228 static void bta_dm_delay_role_switch_cback(UNUSED_ATTR void* data) {
   3229   APPL_TRACE_EVENT("%s: initiating Delayed RS", __func__);
   3230   bta_dm_adjust_roles(false);
   3231 }
   3232 
   3233 /*******************************************************************************
   3234  *
   3235  * Function         bta_dm_reset_sec_dev_pending
   3236  *
   3237  * Description      Setting the remove device pending status to false from
   3238  *                  security device DB, when the link key notification
   3239  *                  event comes.
   3240  *
   3241  * Returns          void
   3242  *
   3243  ******************************************************************************/
   3244 static void bta_dm_reset_sec_dev_pending(BD_ADDR remote_bd_addr) {
   3245   for (size_t i = 0; i < bta_dm_cb.device_list.count; i++) {
   3246     if (bdcmp(bta_dm_cb.device_list.peer_device[i].peer_bdaddr,
   3247               remote_bd_addr) == 0) {
   3248       bta_dm_cb.device_list.peer_device[i].remove_dev_pending = false;
   3249       return;
   3250     }
   3251   }
   3252 }
   3253 
   3254 /*******************************************************************************
   3255  *
   3256  * Function         bta_dm_remove_sec_dev_entry
   3257  *
   3258  * Description      Removes device entry from Security device DB if ACL
   3259  connection with
   3260  *                  remtoe device does not exist, else schedule for dev entry
   3261  removal upon
   3262                      ACL close
   3263  *
   3264  * Returns          void
   3265  *
   3266  ******************************************************************************/
   3267 static void bta_dm_remove_sec_dev_entry(BD_ADDR remote_bd_addr) {
   3268   if (BTM_IsAclConnectionUp(remote_bd_addr, BT_TRANSPORT_LE) ||
   3269       BTM_IsAclConnectionUp(remote_bd_addr, BT_TRANSPORT_BR_EDR)) {
   3270     APPL_TRACE_DEBUG(
   3271         "%s ACL is not down. Schedule for  Dev Removal when ACL closes",
   3272         __func__);
   3273     BTM_SecClearSecurityFlags(remote_bd_addr);
   3274     for (int i = 0; i < bta_dm_cb.device_list.count; i++) {
   3275       if (!bdcmp(bta_dm_cb.device_list.peer_device[i].peer_bdaddr,
   3276                  remote_bd_addr)) {
   3277         bta_dm_cb.device_list.peer_device[i].remove_dev_pending = TRUE;
   3278         break;
   3279       }
   3280     }
   3281   } else {
   3282     BTM_SecDeleteDevice(remote_bd_addr);
   3283     /* need to remove all pending background connection */
   3284     BTA_GATTC_CancelOpen(0, remote_bd_addr, false);
   3285     /* remove all cached GATT information */
   3286     BTA_GATTC_Refresh(remote_bd_addr);
   3287   }
   3288 }
   3289 
   3290 /*******************************************************************************
   3291  *
   3292  * Function         bta_dm_adjust_roles
   3293  *
   3294  * Description      Adjust roles
   3295  *
   3296  *
   3297  * Returns          void
   3298  *
   3299  ******************************************************************************/
   3300 static void bta_dm_adjust_roles(bool delay_role_switch) {
   3301   uint8_t i;
   3302   bool set_master_role = false;
   3303   uint8_t br_count =
   3304       bta_dm_cb.device_list.count - bta_dm_cb.device_list.le_count;
   3305   if (br_count) {
   3306     /* the configuration is no scatternet
   3307      * or AV connection exists and there are more than one ACL link */
   3308     if ((p_bta_dm_rm_cfg[0].cfg == BTA_DM_NO_SCATTERNET) ||
   3309         (bta_dm_cb.cur_av_count && br_count > 1)) {
   3310       L2CA_SetDesireRole(HCI_ROLE_MASTER);
   3311       set_master_role = true;
   3312     }
   3313 
   3314     for (i = 0; i < bta_dm_cb.device_list.count; i++) {
   3315       if (bta_dm_cb.device_list.peer_device[i].conn_state == BTA_DM_CONNECTED &&
   3316           bta_dm_cb.device_list.peer_device[i].transport ==
   3317               BT_TRANSPORT_BR_EDR) {
   3318         if (!set_master_role &&
   3319             (bta_dm_cb.device_list.peer_device[i].pref_role != BTA_ANY_ROLE) &&
   3320             (p_bta_dm_rm_cfg[0].cfg == BTA_DM_PARTIAL_SCATTERNET)) {
   3321           L2CA_SetDesireRole(HCI_ROLE_MASTER);
   3322           set_master_role = true;
   3323         }
   3324 
   3325         if ((bta_dm_cb.device_list.peer_device[i].pref_role ==
   3326              BTA_MASTER_ROLE_ONLY) ||
   3327             (br_count > 1)) {
   3328           /* Initiating immediate role switch with certain remote devices
   3329             has caused issues due to role  switch colliding with link encryption
   3330             setup and
   3331             causing encryption (and in turn the link) to fail .  These device .
   3332             Firmware
   3333             versions are stored in a blacklist and role switch with these
   3334             devices are
   3335             delayed to avoid the collision with link encryption setup */
   3336 
   3337           if (bta_dm_cb.device_list.peer_device[i].pref_role !=
   3338                   BTA_SLAVE_ROLE_ONLY &&
   3339               delay_role_switch == false) {
   3340             BTM_SwitchRole(bta_dm_cb.device_list.peer_device[i].peer_bdaddr,
   3341                            HCI_ROLE_MASTER, NULL);
   3342           } else {
   3343             alarm_set_on_queue(
   3344                 bta_dm_cb.switch_delay_timer, BTA_DM_SWITCH_DELAY_TIMER_MS,
   3345                 bta_dm_delay_role_switch_cback, NULL, btu_bta_alarm_queue);
   3346           }
   3347         }
   3348       }
   3349     }
   3350 
   3351     if (!set_master_role) {
   3352       L2CA_SetDesireRole(L2CAP_DESIRED_LINK_ROLE);
   3353     }
   3354 
   3355   } else {
   3356     L2CA_SetDesireRole(L2CAP_DESIRED_LINK_ROLE);
   3357   }
   3358 }
   3359 
   3360 /*******************************************************************************
   3361  *
   3362  * Function         bta_dm_get_remname
   3363  *
   3364  * Description      Returns a pointer to the remote name stored in the DM
   3365  *                  control block if it exists, or from the BTM memory.
   3366  *
   3367  * Returns          char * - Pointer to the remote device name
   3368  ******************************************************************************/
   3369 static char* bta_dm_get_remname(void) {
   3370   char* p_name = (char*)bta_dm_search_cb.peer_name;
   3371   char* p_temp;
   3372 
   3373   /* If the name isn't already stored, try retrieving from BTM */
   3374   if (*p_name == '\0') {
   3375     p_temp = BTM_SecReadDevName(bta_dm_search_cb.peer_bdaddr);
   3376     if (p_temp != NULL) p_name = p_temp;
   3377   }
   3378 
   3379   return p_name;
   3380 }
   3381 
   3382 /*******************************************************************************
   3383  *
   3384  * Function         bta_dm_bond_cancel_complete_cback
   3385  *
   3386  * Description      Authentication complete callback from BTM
   3387  *
   3388  * Returns          void
   3389  *
   3390  ******************************************************************************/
   3391 static void bta_dm_bond_cancel_complete_cback(tBTM_STATUS result) {
   3392   tBTA_DM_SEC sec_event;
   3393 
   3394   if (result == BTM_SUCCESS)
   3395     sec_event.bond_cancel_cmpl.result = BTA_SUCCESS;
   3396   else
   3397     sec_event.bond_cancel_cmpl.result = BTA_FAILURE;
   3398 
   3399   if (bta_dm_cb.p_sec_cback) {
   3400     bta_dm_cb.p_sec_cback(BTA_DM_BOND_CANCEL_CMPL_EVT, &sec_event);
   3401   }
   3402 }
   3403 
   3404 /*******************************************************************************
   3405  *
   3406  * Function         find_utf8_char_boundary
   3407  *
   3408  * Description      This function checks a UTF8 string |utf8str| starting at
   3409  *                  |offset|, moving backwards and returns the offset of the
   3410  *                  next valid UTF8 character boundary found.
   3411  *
   3412  * Returns          Offset of UTF8 character boundary
   3413  *
   3414  ******************************************************************************/
   3415 static size_t find_utf8_char_boundary(const char* utf8str, size_t offset) {
   3416   CHECK(utf8str);
   3417   CHECK(offset > 0);
   3418 
   3419   while (--offset) {
   3420     uint8_t ch = (uint8_t)utf8str[offset];
   3421     if ((ch & 0x80) == 0x00)  // ASCII
   3422       return offset + 1;
   3423     if ((ch & 0xC0) == 0xC0)  // Multi-byte sequence start
   3424       return offset;
   3425   }
   3426 
   3427   return 0;
   3428 }
   3429 
   3430 /*******************************************************************************
   3431  *
   3432  * Function         bta_dm_set_eir
   3433  *
   3434  * Description      This function creates EIR tagged data and writes it to
   3435  *                  controller.
   3436  *
   3437  * Returns          None
   3438  *
   3439  ******************************************************************************/
   3440 static void bta_dm_set_eir(char* local_name) {
   3441   uint8_t* p;
   3442   uint8_t* p_length;
   3443 #if (BTA_EIR_CANNED_UUID_LIST != TRUE)
   3444   uint8_t* p_type;
   3445   uint8_t max_num_uuid;
   3446 #if (BTA_EIR_SERVER_NUM_CUSTOM_UUID > 0)
   3447   uint8_t custom_uuid_idx;
   3448 #endif  // BTA_EIR_SERVER_NUM_CUSTOM_UUID
   3449 #endif  // BTA_EIR_CANNED_UUID_LIST
   3450 #if (BTM_EIR_DEFAULT_FEC_REQUIRED == FALSE)
   3451   uint8_t free_eir_length = HCI_EXT_INQ_RESPONSE_LEN;
   3452 #else  // BTM_EIR_DEFAULT_FEC_REQUIRED
   3453   uint8_t free_eir_length = HCI_DM5_PACKET_SIZE;
   3454 #endif  // BTM_EIR_DEFAULT_FEC_REQUIRED
   3455   uint8_t num_uuid;
   3456   uint8_t data_type;
   3457   uint8_t local_name_len;
   3458 
   3459   /* wait until complete to disable */
   3460   if (alarm_is_scheduled(bta_dm_cb.disable_timer)) return;
   3461 
   3462 #if (BTA_EIR_CANNED_UUID_LIST != TRUE)
   3463   /* if local name is not provided, get it from controller */
   3464   if (local_name == NULL) {
   3465     if (BTM_ReadLocalDeviceName(&local_name) != BTM_SUCCESS) {
   3466       APPL_TRACE_ERROR("Fail to read local device name for EIR");
   3467     }
   3468   }
   3469 #endif  // BTA_EIR_CANNED_UUID_LIST
   3470 
   3471   /* Allocate a buffer to hold HCI command */
   3472   BT_HDR* p_buf = (BT_HDR*)osi_malloc(BTM_CMD_BUF_SIZE);
   3473   p = (uint8_t*)p_buf + BTM_HCI_EIR_OFFSET;
   3474 
   3475   memset(p, 0x00, HCI_EXT_INQ_RESPONSE_LEN);
   3476 
   3477   APPL_TRACE_DEBUG("BTA is generating EIR");
   3478 
   3479   if (local_name)
   3480     local_name_len = strlen(local_name);
   3481   else
   3482     local_name_len = 0;
   3483 
   3484   data_type = BTM_EIR_COMPLETE_LOCAL_NAME_TYPE;
   3485   /* if local name is longer than minimum length of shortened name */
   3486   /* check whether it needs to be shortened or not */
   3487   if (local_name_len > p_bta_dm_eir_cfg->bta_dm_eir_min_name_len) {
   3488 /* get number of UUID 16-bit list */
   3489 #if (BTA_EIR_CANNED_UUID_LIST == TRUE)
   3490     num_uuid = p_bta_dm_eir_cfg->bta_dm_eir_uuid16_len / LEN_UUID_16;
   3491 #else   // BTA_EIR_CANNED_UUID_LIST
   3492     max_num_uuid = (free_eir_length - 2) / LEN_UUID_16;
   3493     data_type = BTM_GetEirSupportedServices(bta_dm_cb.eir_uuid, &p,
   3494                                             max_num_uuid, &num_uuid);
   3495     p = (uint8_t*)p_buf + BTM_HCI_EIR_OFFSET; /* reset p */
   3496 #endif  // BTA_EIR_CANNED_UUID_LIST
   3497 
   3498     /* if UUID doesn't fit remaing space, shorten local name */
   3499     if (local_name_len > (free_eir_length - 4 - num_uuid * LEN_UUID_16)) {
   3500       local_name_len = find_utf8_char_boundary(
   3501           local_name, p_bta_dm_eir_cfg->bta_dm_eir_min_name_len);
   3502       APPL_TRACE_WARNING("%s local name is shortened (%d)", __func__,
   3503                          local_name_len);
   3504       data_type = BTM_EIR_SHORTENED_LOCAL_NAME_TYPE;
   3505     } else {
   3506       data_type = BTM_EIR_COMPLETE_LOCAL_NAME_TYPE;
   3507     }
   3508   }
   3509 
   3510   UINT8_TO_STREAM(p, local_name_len + 1);
   3511   UINT8_TO_STREAM(p, data_type);
   3512 
   3513   if (local_name != NULL) {
   3514     memcpy(p, local_name, local_name_len);
   3515     p += local_name_len;
   3516   }
   3517   free_eir_length -= local_name_len + 2;
   3518 
   3519 #if (BTA_EIR_CANNED_UUID_LIST == TRUE)
   3520   /* if UUID list is provided as static data in configuration */
   3521   if ((p_bta_dm_eir_cfg->bta_dm_eir_uuid16_len > 0) &&
   3522       (p_bta_dm_eir_cfg->bta_dm_eir_uuid16)) {
   3523     if (free_eir_length > LEN_UUID_16 + 2) {
   3524       free_eir_length -= 2;
   3525 
   3526       if (free_eir_length >= p_bta_dm_eir_cfg->bta_dm_eir_uuid16_len) {
   3527         num_uuid = p_bta_dm_eir_cfg->bta_dm_eir_uuid16_len / LEN_UUID_16;
   3528         data_type = BTM_EIR_COMPLETE_16BITS_UUID_TYPE;
   3529       } else /* not enough room for all UUIDs */
   3530       {
   3531         APPL_TRACE_WARNING("BTA EIR: UUID 16-bit list is truncated");
   3532         num_uuid = free_eir_length / LEN_UUID_16;
   3533         data_type = BTM_EIR_MORE_16BITS_UUID_TYPE;
   3534       }
   3535       UINT8_TO_STREAM(p, num_uuid * LEN_UUID_16 + 1);
   3536       UINT8_TO_STREAM(p, data_type);
   3537       memcpy(p, p_bta_dm_eir_cfg->bta_dm_eir_uuid16, num_uuid * LEN_UUID_16);
   3538       p += num_uuid * LEN_UUID_16;
   3539       free_eir_length -= num_uuid * LEN_UUID_16;
   3540     }
   3541   }
   3542 #else /* (BTA_EIR_CANNED_UUID_LIST == TRUE) */
   3543   /* if UUID list is dynamic */
   3544   if (free_eir_length >= 2) {
   3545     p_length = p++;
   3546     p_type = p++;
   3547     num_uuid = 0;
   3548 
   3549     max_num_uuid = (free_eir_length - 2) / LEN_UUID_16;
   3550     data_type = BTM_GetEirSupportedServices(bta_dm_cb.eir_uuid, &p,
   3551                                             max_num_uuid, &num_uuid);
   3552 
   3553     if (data_type == BTM_EIR_MORE_16BITS_UUID_TYPE) {
   3554       APPL_TRACE_WARNING("BTA EIR: UUID 16-bit list is truncated");
   3555     }
   3556 #if (BTA_EIR_SERVER_NUM_CUSTOM_UUID > 0)
   3557     else {
   3558       for (custom_uuid_idx = 0;
   3559            custom_uuid_idx < BTA_EIR_SERVER_NUM_CUSTOM_UUID;
   3560            custom_uuid_idx++) {
   3561         if (bta_dm_cb.custom_uuid[custom_uuid_idx].len == LEN_UUID_16) {
   3562           if (num_uuid < max_num_uuid) {
   3563             UINT16_TO_STREAM(p,
   3564                              bta_dm_cb.custom_uuid[custom_uuid_idx].uu.uuid16);
   3565             num_uuid++;
   3566           } else {
   3567             data_type = BTM_EIR_MORE_16BITS_UUID_TYPE;
   3568             APPL_TRACE_WARNING("BTA EIR: UUID 16-bit list is truncated");
   3569             break;
   3570           }
   3571         }
   3572       }
   3573     }
   3574 #endif /* (BTA_EIR_SERVER_NUM_CUSTOM_UUID > 0) */
   3575 
   3576     UINT8_TO_STREAM(p_length, num_uuid * LEN_UUID_16 + 1);
   3577     UINT8_TO_STREAM(p_type, data_type);
   3578     free_eir_length -= num_uuid * LEN_UUID_16 + 2;
   3579   }
   3580 #endif /* (BTA_EIR_CANNED_UUID_LIST == TRUE) */
   3581 
   3582 #if (BTA_EIR_CANNED_UUID_LIST != TRUE && BTA_EIR_SERVER_NUM_CUSTOM_UUID > 0)
   3583   /* Adding 32-bit UUID list */
   3584   if (free_eir_length >= 2) {
   3585     p_length = p++;
   3586     p_type = p++;
   3587     num_uuid = 0;
   3588     data_type = BTM_EIR_COMPLETE_32BITS_UUID_TYPE;
   3589 
   3590     max_num_uuid = (free_eir_length - 2) / LEN_UUID_32;
   3591 
   3592     for (custom_uuid_idx = 0; custom_uuid_idx < BTA_EIR_SERVER_NUM_CUSTOM_UUID;
   3593          custom_uuid_idx++) {
   3594       if (bta_dm_cb.custom_uuid[custom_uuid_idx].len == LEN_UUID_32) {
   3595         if (num_uuid < max_num_uuid) {
   3596           UINT32_TO_STREAM(p, bta_dm_cb.custom_uuid[custom_uuid_idx].uu.uuid32);
   3597           num_uuid++;
   3598         } else {
   3599           data_type = BTM_EIR_MORE_32BITS_UUID_TYPE;
   3600           APPL_TRACE_WARNING("BTA EIR: UUID 32-bit list is truncated");
   3601           break;
   3602         }
   3603       }
   3604     }
   3605 
   3606     UINT8_TO_STREAM(p_length, num_uuid * LEN_UUID_32 + 1);
   3607     UINT8_TO_STREAM(p_type, data_type);
   3608     free_eir_length -= num_uuid * LEN_UUID_32 + 2;
   3609   }
   3610 
   3611   /* Adding 128-bit UUID list */
   3612   if (free_eir_length >= 2) {
   3613     p_length = p++;
   3614     p_type = p++;
   3615     num_uuid = 0;
   3616     data_type = BTM_EIR_COMPLETE_128BITS_UUID_TYPE;
   3617 
   3618     max_num_uuid = (free_eir_length - 2) / LEN_UUID_128;
   3619 
   3620     for (custom_uuid_idx = 0; custom_uuid_idx < BTA_EIR_SERVER_NUM_CUSTOM_UUID;
   3621          custom_uuid_idx++) {
   3622       if (bta_dm_cb.custom_uuid[custom_uuid_idx].len == LEN_UUID_128) {
   3623         if (num_uuid < max_num_uuid) {
   3624           ARRAY16_TO_STREAM(p,
   3625                             bta_dm_cb.custom_uuid[custom_uuid_idx].uu.uuid128);
   3626           num_uuid++;
   3627         } else {
   3628           data_type = BTM_EIR_MORE_128BITS_UUID_TYPE;
   3629           APPL_TRACE_WARNING("BTA EIR: UUID 128-bit list is truncated");
   3630           break;
   3631         }
   3632       }
   3633     }
   3634 
   3635     UINT8_TO_STREAM(p_length, num_uuid * LEN_UUID_128 + 1);
   3636     UINT8_TO_STREAM(p_type, data_type);
   3637     free_eir_length -= num_uuid * LEN_UUID_128 + 2;
   3638   }
   3639 #endif /* ( BTA_EIR_CANNED_UUID_LIST != TRUE \
   3640           )&&(BTA_EIR_SERVER_NUM_CUSTOM_UUID > 0) */
   3641 
   3642   /* if Flags are provided in configuration */
   3643   if ((p_bta_dm_eir_cfg->bta_dm_eir_flag_len > 0) &&
   3644       (p_bta_dm_eir_cfg->bta_dm_eir_flags) &&
   3645       (free_eir_length >= p_bta_dm_eir_cfg->bta_dm_eir_flag_len + 2)) {
   3646     UINT8_TO_STREAM(p, p_bta_dm_eir_cfg->bta_dm_eir_flag_len + 1);
   3647     UINT8_TO_STREAM(p, BTM_EIR_FLAGS_TYPE);
   3648     memcpy(p, p_bta_dm_eir_cfg->bta_dm_eir_flags,
   3649            p_bta_dm_eir_cfg->bta_dm_eir_flag_len);
   3650     p += p_bta_dm_eir_cfg->bta_dm_eir_flag_len;
   3651     free_eir_length -= p_bta_dm_eir_cfg->bta_dm_eir_flag_len + 2;
   3652   }
   3653 
   3654   /* if Manufacturer Specific are provided in configuration */
   3655   if ((p_bta_dm_eir_cfg->bta_dm_eir_manufac_spec_len > 0) &&
   3656       (p_bta_dm_eir_cfg->bta_dm_eir_manufac_spec) &&
   3657       (free_eir_length >= p_bta_dm_eir_cfg->bta_dm_eir_manufac_spec_len + 2)) {
   3658     p_length = p;
   3659 
   3660     UINT8_TO_STREAM(p, p_bta_dm_eir_cfg->bta_dm_eir_manufac_spec_len + 1);
   3661     UINT8_TO_STREAM(p, BTM_EIR_MANUFACTURER_SPECIFIC_TYPE);
   3662     memcpy(p, p_bta_dm_eir_cfg->bta_dm_eir_manufac_spec,
   3663            p_bta_dm_eir_cfg->bta_dm_eir_manufac_spec_len);
   3664     p += p_bta_dm_eir_cfg->bta_dm_eir_manufac_spec_len;
   3665     free_eir_length -= p_bta_dm_eir_cfg->bta_dm_eir_manufac_spec_len + 2;
   3666 
   3667   } else {
   3668     p_length = NULL;
   3669   }
   3670 
   3671   /* if Inquiry Tx Resp Power compiled */
   3672   if ((p_bta_dm_eir_cfg->bta_dm_eir_inq_tx_power) && (free_eir_length >= 3)) {
   3673     UINT8_TO_STREAM(p, 2); /* Length field */
   3674     UINT8_TO_STREAM(p, BTM_EIR_TX_POWER_LEVEL_TYPE);
   3675     UINT8_TO_STREAM(p, *(p_bta_dm_eir_cfg->bta_dm_eir_inq_tx_power));
   3676     free_eir_length -= 3;
   3677   }
   3678 
   3679   if (free_eir_length)
   3680     UINT8_TO_STREAM(p, 0); /* terminator of significant part */
   3681 
   3682   BTM_WriteEIR(p_buf);
   3683 }
   3684 
   3685 /*******************************************************************************
   3686  *
   3687  * Function         bta_dm_eir_search_services
   3688  *
   3689  * Description      This function searches services in received EIR
   3690  *
   3691  * Returns          None
   3692  *
   3693  ******************************************************************************/
   3694 static void bta_dm_eir_search_services(tBTM_INQ_RESULTS* p_result,
   3695                                        tBTA_SERVICE_MASK* p_services_to_search,
   3696                                        tBTA_SERVICE_MASK* p_services_found) {
   3697   tBTA_SERVICE_MASK service_index = 0;
   3698   tBTM_EIR_SEARCH_RESULT result;
   3699 
   3700   APPL_TRACE_DEBUG(
   3701       "BTA searching services in EIR of BDA:0x%02X%02X%02X%02X%02X%02X",
   3702       p_result->remote_bd_addr[0], p_result->remote_bd_addr[1],
   3703       p_result->remote_bd_addr[2], p_result->remote_bd_addr[3],
   3704       p_result->remote_bd_addr[4], p_result->remote_bd_addr[5]);
   3705 
   3706   APPL_TRACE_DEBUG("    with services_to_search=0x%08X", *p_services_to_search);
   3707 
   3708   /* always do GATT based service discovery by SDP instead of from EIR    */
   3709   /* if GATT based service is also to be put in EIR, need to modify this  */
   3710   while (service_index < (BTA_MAX_SERVICE_ID - 1)) {
   3711     if (*p_services_to_search &
   3712         (tBTA_SERVICE_MASK)(BTA_SERVICE_ID_TO_SERVICE_MASK(service_index))) {
   3713       result = BTM_HasInquiryEirService(
   3714           p_result, bta_service_id_to_uuid_lkup_tbl[service_index]);
   3715 
   3716       /* Searching for HSP v1.2 only device */
   3717       if ((result != BTM_EIR_FOUND) &&
   3718           (bta_service_id_to_uuid_lkup_tbl[service_index] ==
   3719            UUID_SERVCLASS_HEADSET)) {
   3720         result = BTM_HasInquiryEirService(p_result, UUID_SERVCLASS_HEADSET_HS);
   3721       }
   3722 
   3723       if (result == BTM_EIR_FOUND) {
   3724         /* If Plug and Play service record, need to check to see if Broadcom
   3725          * stack */
   3726         /* However, EIR data doesn't have EXT_BRCM_VERSION so just skip it */
   3727         if (bta_service_id_to_uuid_lkup_tbl[service_index] !=
   3728             UUID_SERVCLASS_PNP_INFORMATION) {
   3729           *p_services_found |= (tBTA_SERVICE_MASK)(
   3730               BTA_SERVICE_ID_TO_SERVICE_MASK(service_index));
   3731           /* remove the service from services to be searched  */
   3732           *p_services_to_search &= (tBTA_SERVICE_MASK)(
   3733               ~(BTA_SERVICE_ID_TO_SERVICE_MASK(service_index)));
   3734         }
   3735       } else if (result == BTM_EIR_NOT_FOUND) {
   3736         /* remove the service from services to be searched  */
   3737         *p_services_to_search &= (tBTA_SERVICE_MASK)(
   3738             ~(BTA_SERVICE_ID_TO_SERVICE_MASK(service_index)));
   3739       }
   3740     }
   3741 
   3742     service_index++;
   3743   }
   3744 
   3745   APPL_TRACE_ERROR(
   3746       "BTA EIR search result, services_to_search=0x%08X, services_found=0x%08X",
   3747       *p_services_to_search, *p_services_found);
   3748 }
   3749 
   3750 #if (BTA_EIR_CANNED_UUID_LIST != TRUE)
   3751 /*******************************************************************************
   3752  *
   3753  * Function         bta_dm_eir_update_uuid
   3754  *
   3755  * Description      This function adds or removes service UUID in EIR database.
   3756  *
   3757  * Returns          None
   3758  *
   3759  ******************************************************************************/
   3760 void bta_dm_eir_update_uuid(uint16_t uuid16, bool adding) {
   3761   /* if this UUID is not advertised in EIR */
   3762   if (!BTM_HasEirService(p_bta_dm_eir_cfg->uuid_mask, uuid16)) return;
   3763 
   3764   if (adding) {
   3765     APPL_TRACE_EVENT("Adding UUID=0x%04X into EIR", uuid16);
   3766 
   3767     BTM_AddEirService(bta_dm_cb.eir_uuid, uuid16);
   3768   } else {
   3769     APPL_TRACE_EVENT("Removing UUID=0x%04X from EIR", uuid16);
   3770 
   3771     BTM_RemoveEirService(bta_dm_cb.eir_uuid, uuid16);
   3772   }
   3773 
   3774   bta_dm_set_eir(NULL);
   3775 
   3776   APPL_TRACE_EVENT("bta_dm_eir_update_uuid UUID bit mask=0x%08X %08X",
   3777                    bta_dm_cb.eir_uuid[1], bta_dm_cb.eir_uuid[0]);
   3778 }
   3779 #endif
   3780 
   3781 /*******************************************************************************
   3782  *
   3783  * Function         bta_dm_enable_test_mode
   3784  *
   3785  * Description      enable test mode
   3786  *
   3787  *
   3788  * Returns          void
   3789  *
   3790  ******************************************************************************/
   3791 void bta_dm_enable_test_mode(UNUSED_ATTR tBTA_DM_MSG* p_data) {
   3792   BTM_EnableTestMode();
   3793 }
   3794 
   3795 /*******************************************************************************
   3796  *
   3797  * Function         bta_dm_disable_test_mode
   3798  *
   3799  * Description      disable test mode
   3800  *
   3801  *
   3802  * Returns          void
   3803  *
   3804  ******************************************************************************/
   3805 void bta_dm_disable_test_mode(UNUSED_ATTR tBTA_DM_MSG* p_data) {
   3806   BTM_DeviceReset(NULL);
   3807 }
   3808 
   3809 /*******************************************************************************
   3810  *
   3811  * Function         bta_dm_execute_callback
   3812  *
   3813  * Description      Just execute a generic call back in the context of the
   3814  *                  BTU/BTA tack
   3815  *
   3816  *
   3817  * Returns          void
   3818  *
   3819  ******************************************************************************/
   3820 void bta_dm_execute_callback(tBTA_DM_MSG* p_data) {
   3821   /* sanity check */
   3822   if (p_data->exec_cback.p_exec_cback == NULL) {
   3823     return;
   3824   }
   3825 
   3826   p_data->exec_cback.p_exec_cback(p_data->exec_cback.p_param);
   3827 }
   3828 
   3829 /*******************************************************************************
   3830  *
   3831  * Function         bta_dm_encrypt_cback
   3832  *
   3833  * Description      link encryption complete callback.
   3834  *
   3835  * Returns         None
   3836  *
   3837  ******************************************************************************/
   3838 void bta_dm_encrypt_cback(BD_ADDR bd_addr, tBT_TRANSPORT transport,
   3839                           UNUSED_ATTR void* p_ref_data, tBTM_STATUS result) {
   3840   tBTA_STATUS bta_status = BTA_SUCCESS;
   3841   tBTA_DM_ENCRYPT_CBACK* p_callback = NULL;
   3842   uint8_t i;
   3843 
   3844   for (i = 0; i < bta_dm_cb.device_list.count; i++) {
   3845     if (bdcmp(bta_dm_cb.device_list.peer_device[i].peer_bdaddr, bd_addr) == 0 &&
   3846         bta_dm_cb.device_list.peer_device[i].conn_state == BTA_DM_CONNECTED)
   3847       break;
   3848   }
   3849 
   3850   if (i < bta_dm_cb.device_list.count) {
   3851     p_callback = bta_dm_cb.device_list.peer_device[i].p_encrypt_cback;
   3852     bta_dm_cb.device_list.peer_device[i].p_encrypt_cback = NULL;
   3853   }
   3854 
   3855   switch (result) {
   3856     case BTM_SUCCESS:
   3857       break;
   3858     case BTM_WRONG_MODE:
   3859       bta_status = BTA_WRONG_MODE;
   3860       break;
   3861     case BTM_NO_RESOURCES:
   3862       bta_status = BTA_NO_RESOURCES;
   3863       break;
   3864     case BTM_BUSY:
   3865       bta_status = BTA_BUSY;
   3866       break;
   3867     default:
   3868       bta_status = BTA_FAILURE;
   3869       break;
   3870   }
   3871 
   3872   APPL_TRACE_DEBUG("bta_dm_encrypt_cback status =%d p_callback=0x%x",
   3873                    bta_status, p_callback);
   3874 
   3875   if (p_callback) {
   3876     (*p_callback)(bd_addr, transport, bta_status);
   3877   }
   3878 }
   3879 
   3880 /*******************************************************************************
   3881  *
   3882  * Function         bta_dm_set_encryption
   3883  *
   3884  * Description      This function to encrypt the link
   3885  *
   3886  * Returns          None
   3887  *
   3888  ******************************************************************************/
   3889 void bta_dm_set_encryption(tBTA_DM_MSG* p_data) {
   3890   uint8_t i;
   3891 
   3892   APPL_TRACE_DEBUG("bta_dm_set_encryption");  // todo
   3893   if (!p_data->set_encryption.p_callback) {
   3894     APPL_TRACE_ERROR("bta_dm_set_encryption callback is not provided");
   3895     return;
   3896   }
   3897   for (i = 0; i < bta_dm_cb.device_list.count; i++) {
   3898     if (bdcmp(bta_dm_cb.device_list.peer_device[i].peer_bdaddr,
   3899               p_data->set_encryption.bd_addr) == 0 &&
   3900         bta_dm_cb.device_list.peer_device[i].conn_state == BTA_DM_CONNECTED)
   3901       break;
   3902   }
   3903   if (i < bta_dm_cb.device_list.count) {
   3904     if (bta_dm_cb.device_list.peer_device[i].p_encrypt_cback) {
   3905       APPL_TRACE_ERROR("earlier enc was not done for same device");
   3906       (*p_data->set_encryption.p_callback)(p_data->set_encryption.bd_addr,
   3907                                            p_data->set_encryption.transport,
   3908                                            BTA_BUSY);
   3909       return;
   3910     }
   3911 
   3912     if (BTM_SetEncryption(p_data->set_encryption.bd_addr,
   3913                           p_data->set_encryption.transport,
   3914                           bta_dm_encrypt_cback, NULL,
   3915                           p_data->set_encryption.sec_act) == BTM_CMD_STARTED) {
   3916       bta_dm_cb.device_list.peer_device[i].p_encrypt_cback =
   3917           p_data->set_encryption.p_callback;
   3918     }
   3919   }
   3920 }
   3921 
   3922 bool bta_dm_check_if_only_hd_connected(BD_ADDR peer_addr) {
   3923   APPL_TRACE_DEBUG("%s: count(%d)", __func__, bta_dm_conn_srvcs.count);
   3924 
   3925   for (uint8_t j = 0; j < bta_dm_conn_srvcs.count; j++) {
   3926     // Check if profiles other than hid are connected
   3927     if ((bta_dm_conn_srvcs.conn_srvc[j].id != BTA_ID_HD) &&
   3928         !bdcmp(bta_dm_conn_srvcs.conn_srvc[j].peer_bdaddr, peer_addr)) {
   3929       APPL_TRACE_DEBUG("%s: Another profile (id=%d) is connected", __func__,
   3930                        bta_dm_conn_srvcs.conn_srvc[j].id);
   3931       return false;
   3932     }
   3933   }
   3934 
   3935   return true;
   3936 }
   3937 
   3938 /*******************************************************************************
   3939  *
   3940  * Function         bta_dm_observe_results_cb
   3941  *
   3942  * Description      Callback for BLE Observe result
   3943  *
   3944  *
   3945  * Returns          void
   3946  *
   3947  ******************************************************************************/
   3948 static void bta_dm_observe_results_cb(tBTM_INQ_RESULTS* p_inq, uint8_t* p_eir,
   3949                                       uint16_t eir_len) {
   3950   tBTA_DM_SEARCH result;
   3951   tBTM_INQ_INFO* p_inq_info;
   3952   APPL_TRACE_DEBUG("bta_dm_observe_results_cb");
   3953 
   3954   bdcpy(result.inq_res.bd_addr, p_inq->remote_bd_addr);
   3955   result.inq_res.rssi = p_inq->rssi;
   3956   result.inq_res.ble_addr_type = p_inq->ble_addr_type;
   3957   result.inq_res.inq_result_type = p_inq->inq_result_type;
   3958   result.inq_res.device_type = p_inq->device_type;
   3959   result.inq_res.flag = p_inq->flag;
   3960   result.inq_res.ble_evt_type = p_inq->ble_evt_type;
   3961   result.inq_res.ble_primary_phy = p_inq->ble_primary_phy;
   3962   result.inq_res.ble_secondary_phy = p_inq->ble_secondary_phy;
   3963   result.inq_res.ble_advertising_sid = p_inq->ble_advertising_sid;
   3964   result.inq_res.ble_tx_power = p_inq->ble_tx_power;
   3965   result.inq_res.ble_periodic_adv_int = p_inq->ble_periodic_adv_int;
   3966 
   3967   /* application will parse EIR to find out remote device name */
   3968   result.inq_res.p_eir = p_eir;
   3969   result.inq_res.eir_len = eir_len;
   3970 
   3971   p_inq_info = BTM_InqDbRead(p_inq->remote_bd_addr);
   3972   if (p_inq_info != NULL) {
   3973     /* initialize remt_name_not_required to false so that we get the name by
   3974      * default */
   3975     result.inq_res.remt_name_not_required = false;
   3976   }
   3977 
   3978   if (bta_dm_search_cb.p_scan_cback)
   3979     bta_dm_search_cb.p_scan_cback(BTA_DM_INQ_RES_EVT, &result);
   3980 
   3981   if (p_inq_info) {
   3982     /* application indicates if it knows the remote name, inside the callback
   3983      copy that to the inquiry data base*/
   3984     if (result.inq_res.remt_name_not_required)
   3985       p_inq_info->appl_knows_rem_name = true;
   3986   }
   3987 }
   3988 
   3989 /*******************************************************************************
   3990  *
   3991  * Function         bta_dm_observe_cmpl_cb
   3992  *
   3993  * Description      Callback for BLE Observe complete
   3994  *
   3995  *
   3996  * Returns          void
   3997  *
   3998  ******************************************************************************/
   3999 static void bta_dm_observe_cmpl_cb(void* p_result) {
   4000   tBTA_DM_SEARCH data;
   4001 
   4002   APPL_TRACE_DEBUG("bta_dm_observe_cmpl_cb");
   4003 
   4004   data.inq_cmpl.num_resps = ((tBTM_INQUIRY_CMPL*)p_result)->num_resp;
   4005   if (bta_dm_search_cb.p_scan_cback) {
   4006     bta_dm_search_cb.p_scan_cback(BTA_DM_INQ_CMPL_EVT, &data);
   4007   }
   4008 }
   4009 
   4010 /*******************************************************************************
   4011  *
   4012  * Function         bta_dm_ble_smp_cback
   4013  *
   4014  * Description      Callback for BLE SMP
   4015  *
   4016  *
   4017  * Returns          void
   4018  *
   4019  ******************************************************************************/
   4020 static uint8_t bta_dm_ble_smp_cback(tBTM_LE_EVT event, BD_ADDR bda,
   4021                                     tBTM_LE_EVT_DATA* p_data) {
   4022   tBTM_STATUS status = BTM_SUCCESS;
   4023   tBTA_DM_SEC sec_event;
   4024   char* p_name = NULL;
   4025 
   4026   if (!bta_dm_cb.p_sec_cback) return BTM_NOT_AUTHORIZED;
   4027 
   4028   memset(&sec_event, 0, sizeof(tBTA_DM_SEC));
   4029   switch (event) {
   4030     case BTM_LE_IO_REQ_EVT:
   4031 #if (BTM_LOCAL_IO_CAPS != BTM_IO_CAP_NONE)
   4032 
   4033       bta_dm_co_ble_io_req(
   4034           bda, &p_data->io_req.io_cap, &p_data->io_req.oob_data,
   4035           &p_data->io_req.auth_req, &p_data->io_req.max_key_size,
   4036           &p_data->io_req.init_keys, &p_data->io_req.resp_keys);
   4037 #endif
   4038       APPL_TRACE_EVENT("io mitm: %d oob_data:%d", p_data->io_req.auth_req,
   4039                        p_data->io_req.oob_data);
   4040 
   4041       break;
   4042 
   4043     case BTM_LE_SEC_REQUEST_EVT:
   4044       bdcpy(sec_event.ble_req.bd_addr, bda);
   4045       p_name = BTM_SecReadDevName(bda);
   4046       if (p_name != NULL)
   4047         strlcpy((char*)sec_event.ble_req.bd_name, p_name, BD_NAME_LEN);
   4048       else
   4049         sec_event.ble_req.bd_name[0] = 0;
   4050       bta_dm_cb.p_sec_cback(BTA_DM_BLE_SEC_REQ_EVT, &sec_event);
   4051       break;
   4052 
   4053     case BTM_LE_KEY_NOTIF_EVT:
   4054       bdcpy(sec_event.key_notif.bd_addr, bda);
   4055       p_name = BTM_SecReadDevName(bda);
   4056       if (p_name != NULL)
   4057         strlcpy((char*)sec_event.key_notif.bd_name, p_name, BD_NAME_LEN);
   4058       else
   4059         sec_event.key_notif.bd_name[0] = 0;
   4060       sec_event.key_notif.passkey = p_data->key_notif;
   4061       bta_dm_cb.p_sec_cback(BTA_DM_BLE_PASSKEY_NOTIF_EVT, &sec_event);
   4062       break;
   4063 
   4064     case BTM_LE_KEY_REQ_EVT:
   4065       bdcpy(sec_event.ble_req.bd_addr, bda);
   4066       bta_dm_cb.p_sec_cback(BTA_DM_BLE_PASSKEY_REQ_EVT, &sec_event);
   4067       break;
   4068 
   4069     case BTM_LE_OOB_REQ_EVT:
   4070       bdcpy(sec_event.ble_req.bd_addr, bda);
   4071       bta_dm_cb.p_sec_cback(BTA_DM_BLE_OOB_REQ_EVT, &sec_event);
   4072       break;
   4073 
   4074     case BTM_LE_NC_REQ_EVT:
   4075       bdcpy(sec_event.key_notif.bd_addr, bda);
   4076       strlcpy((char*)sec_event.key_notif.bd_name, bta_dm_get_remname(),
   4077               (BD_NAME_LEN));
   4078       sec_event.key_notif.passkey = p_data->key_notif;
   4079       bta_dm_cb.p_sec_cback(BTA_DM_BLE_NC_REQ_EVT, &sec_event);
   4080       break;
   4081 
   4082     case BTM_LE_SC_OOB_REQ_EVT:
   4083       bdcpy(sec_event.ble_req.bd_addr, bda);
   4084       bta_dm_cb.p_sec_cback(BTA_DM_BLE_SC_OOB_REQ_EVT, &sec_event);
   4085       break;
   4086 
   4087     case BTM_LE_KEY_EVT:
   4088       bdcpy(sec_event.ble_key.bd_addr, bda);
   4089       sec_event.ble_key.key_type = p_data->key.key_type;
   4090       sec_event.ble_key.p_key_value = p_data->key.p_key_value;
   4091       bta_dm_cb.p_sec_cback(BTA_DM_BLE_KEY_EVT, &sec_event);
   4092       break;
   4093 
   4094     case BTM_LE_COMPLT_EVT:
   4095       bdcpy(sec_event.auth_cmpl.bd_addr, bda);
   4096       BTM_ReadDevInfo(bda, &sec_event.auth_cmpl.dev_type,
   4097                       &sec_event.auth_cmpl.addr_type);
   4098       p_name = BTM_SecReadDevName(bda);
   4099       if (p_name != NULL)
   4100         strlcpy((char*)sec_event.auth_cmpl.bd_name, p_name, (BD_NAME_LEN));
   4101       else
   4102         sec_event.auth_cmpl.bd_name[0] = 0;
   4103 
   4104       if (p_data->complt.reason != 0) {
   4105         sec_event.auth_cmpl.fail_reason =
   4106             BTA_DM_AUTH_CONVERT_SMP_CODE(((uint8_t)p_data->complt.reason));
   4107         /* delete this device entry from Sec Dev DB */
   4108         bta_dm_remove_sec_dev_entry(bda);
   4109       } else {
   4110         sec_event.auth_cmpl.success = true;
   4111       }
   4112 
   4113       if (bta_dm_cb.p_sec_cback) {
   4114         // bta_dm_cb.p_sec_cback(BTA_DM_AUTH_CMPL_EVT, &sec_event);
   4115         bta_dm_cb.p_sec_cback(BTA_DM_BLE_AUTH_CMPL_EVT, &sec_event);
   4116       }
   4117       break;
   4118 
   4119     default:
   4120       status = BTM_NOT_AUTHORIZED;
   4121       break;
   4122   }
   4123   return status;
   4124 }
   4125 
   4126 /*******************************************************************************
   4127  *
   4128  * Function         bta_dm_ble_id_key_cback
   4129  *
   4130  * Description      Callback for BLE local ID keys
   4131  *
   4132  *
   4133  * Returns          void
   4134  *
   4135  ******************************************************************************/
   4136 static void bta_dm_ble_id_key_cback(uint8_t key_type,
   4137                                     tBTM_BLE_LOCAL_KEYS* p_key) {
   4138   uint8_t evt;
   4139   tBTA_DM_SEC dm_key;
   4140 
   4141   switch (key_type) {
   4142     case BTM_BLE_KEY_TYPE_ID:
   4143     case BTM_BLE_KEY_TYPE_ER:
   4144       if (bta_dm_cb.p_sec_cback) {
   4145         memcpy(&dm_key.ble_id_keys, p_key, sizeof(tBTM_BLE_LOCAL_KEYS));
   4146 
   4147         evt = (key_type == BTM_BLE_KEY_TYPE_ID) ? BTA_DM_BLE_LOCAL_IR_EVT
   4148                                                 : BTA_DM_BLE_LOCAL_ER_EVT;
   4149         bta_dm_cb.p_sec_cback(evt, &dm_key);
   4150       }
   4151       break;
   4152 
   4153     default:
   4154       APPL_TRACE_DEBUG("Unknown key type %d", key_type);
   4155       break;
   4156   }
   4157   return;
   4158 }
   4159 
   4160 /*******************************************************************************
   4161  *
   4162  * Function         bta_dm_add_blekey
   4163  *
   4164  * Description      This function adds an BLE Key to an security database entry.
   4165  *                  This function shall only be called AFTER BTA_DmAddBleDevice
   4166  *                  has been called.
   4167  *                  It is normally called during host startup to restore all
   4168  *                  required information stored in the NVRAM.
   4169  *
   4170  * Parameters:
   4171  *
   4172  ******************************************************************************/
   4173 void bta_dm_add_blekey(tBTA_DM_MSG* p_data) {
   4174   if (!BTM_SecAddBleKey(p_data->add_ble_key.bd_addr,
   4175                         (tBTM_LE_KEY_VALUE*)&p_data->add_ble_key.blekey,
   4176                         p_data->add_ble_key.key_type)) {
   4177     APPL_TRACE_ERROR(
   4178         "BTA_DM: Error adding BLE Key for device %08x%04x",
   4179         (p_data->add_ble_key.bd_addr[0] << 24) +
   4180             (p_data->add_ble_key.bd_addr[1] << 16) +
   4181             (p_data->add_ble_key.bd_addr[2] << 8) +
   4182             p_data->add_ble_key.bd_addr[3],
   4183         (p_data->add_ble_key.bd_addr[4] << 8) + p_data->add_ble_key.bd_addr[5]);
   4184   }
   4185 }
   4186 
   4187 /*******************************************************************************
   4188  *
   4189  * Function         bta_dm_add_ble_device
   4190  *
   4191  * Description      This function adds an BLE device to an security database
   4192  *                  entry.
   4193  *                  It is normally called during host startup to restore all
   4194  *                  required information stored in the NVRAM.
   4195  *
   4196  * Parameters:
   4197  *
   4198  ******************************************************************************/
   4199 void bta_dm_add_ble_device(tBTA_DM_MSG* p_data) {
   4200   if (!BTM_SecAddBleDevice(p_data->add_ble_device.bd_addr, NULL,
   4201                            p_data->add_ble_device.dev_type,
   4202                            p_data->add_ble_device.addr_type)) {
   4203     APPL_TRACE_ERROR("BTA_DM: Error adding BLE Device for device %08x%04x",
   4204                      (p_data->add_ble_device.bd_addr[0] << 24) +
   4205                          (p_data->add_ble_device.bd_addr[1] << 16) +
   4206                          (p_data->add_ble_device.bd_addr[2] << 8) +
   4207                          p_data->add_ble_device.bd_addr[3],
   4208                      (p_data->add_ble_device.bd_addr[4] << 8) +
   4209                          p_data->add_ble_device.bd_addr[5]);
   4210   }
   4211 }
   4212 
   4213 /*******************************************************************************
   4214  *
   4215  * Function         bta_dm_add_ble_device
   4216  *
   4217  * Description      This function adds an BLE device to an security database
   4218  *                  entry.
   4219  *                  It is normally called during host startup to restore all
   4220  *                  required information stored in the NVRAM.
   4221  *
   4222  * Parameters:
   4223  *
   4224  ******************************************************************************/
   4225 void bta_dm_ble_passkey_reply(tBTA_DM_MSG* p_data) {
   4226   if (p_data->pin_reply.accept) {
   4227     BTM_BlePasskeyReply(p_data->ble_passkey_reply.bd_addr, BTM_SUCCESS,
   4228                         p_data->ble_passkey_reply.passkey);
   4229   } else {
   4230     BTM_BlePasskeyReply(p_data->ble_passkey_reply.bd_addr, BTM_NOT_AUTHORIZED,
   4231                         p_data->ble_passkey_reply.passkey);
   4232   }
   4233 }
   4234 
   4235 /*******************************************************************************
   4236  *
   4237  * Function         bta_dm_ble_confirm_reply
   4238  *
   4239  * Description      This is response to SM numeric comparison request submitted
   4240  *                  to application.
   4241  *
   4242  * Parameters:
   4243  *
   4244  ******************************************************************************/
   4245 void bta_dm_ble_confirm_reply(tBTA_DM_MSG* p_data) {
   4246   if (p_data->confirm.accept) {
   4247     BTM_BleConfirmReply(p_data->confirm.bd_addr, BTM_SUCCESS);
   4248   } else {
   4249     BTM_BleConfirmReply(p_data->ble_passkey_reply.bd_addr, BTM_NOT_AUTHORIZED);
   4250   }
   4251 }
   4252 
   4253 /*******************************************************************************
   4254  *
   4255  * Function         bta_dm_security_grant
   4256  *
   4257  * Description      This function grant SMP security request access.
   4258  *
   4259  * Parameters:
   4260  *
   4261  ******************************************************************************/
   4262 void bta_dm_security_grant(tBTA_DM_MSG* p_data) {
   4263   BTM_SecurityGrant(p_data->ble_sec_grant.bd_addr, p_data->ble_sec_grant.res);
   4264 }
   4265 
   4266 /*******************************************************************************
   4267  *
   4268  * Function         bta_dm_ble_set_bg_conn_type
   4269  *
   4270  * Description      This function set the BLE background connection type
   4271  *
   4272  * Parameters:
   4273  *
   4274  ******************************************************************************/
   4275 void bta_dm_ble_set_bg_conn_type(tBTA_DM_MSG* p_data) {
   4276   BTM_BleStartAutoConn();
   4277 }
   4278 
   4279 /*******************************************************************************
   4280  *
   4281  * Function         bta_dm_ble_set_conn_params
   4282  *
   4283  * Description      This function set the preferred connection parameters.
   4284  *
   4285  * Parameters:
   4286  *
   4287  ******************************************************************************/
   4288 void bta_dm_ble_set_conn_params(tBTA_DM_MSG* p_data) {
   4289   BTM_BleSetPrefConnParams(p_data->ble_set_conn_params.peer_bda,
   4290                            p_data->ble_set_conn_params.conn_int_min,
   4291                            p_data->ble_set_conn_params.conn_int_max,
   4292                            p_data->ble_set_conn_params.slave_latency,
   4293                            p_data->ble_set_conn_params.supervision_tout);
   4294 }
   4295 
   4296 /*******************************************************************************
   4297  *
   4298  * Function         bta_dm_ble_set_conn_scan_params
   4299  *
   4300  * Description      This function set the preferred connection scan parameters.
   4301  *
   4302  * Parameters:
   4303  *
   4304  ******************************************************************************/
   4305 void bta_dm_ble_set_conn_scan_params(tBTA_DM_MSG* p_data) {
   4306   BTM_BleSetConnScanParams(p_data->ble_set_conn_scan_params.scan_int,
   4307                            p_data->ble_set_conn_scan_params.scan_window);
   4308 }
   4309 /*******************************************************************************
   4310  *
   4311  * Function         bta_dm_ble_update_conn_params
   4312  *
   4313  * Description      This function update LE connection parameters.
   4314  *
   4315  * Parameters:
   4316  *
   4317  ******************************************************************************/
   4318 void bta_dm_ble_update_conn_params(tBTA_DM_MSG* p_data) {
   4319   if (!L2CA_UpdateBleConnParams(p_data->ble_update_conn_params.bd_addr,
   4320                                 p_data->ble_update_conn_params.min_int,
   4321                                 p_data->ble_update_conn_params.max_int,
   4322                                 p_data->ble_update_conn_params.latency,
   4323                                 p_data->ble_update_conn_params.timeout)) {
   4324     APPL_TRACE_ERROR("Update connection parameters failed!");
   4325   }
   4326 }
   4327 
   4328 #if (BLE_PRIVACY_SPT == TRUE)
   4329 /*******************************************************************************
   4330  *
   4331  * Function         bta_dm_ble_config_local_privacy
   4332  *
   4333  * Description      This function set the local device LE privacy settings.
   4334  *
   4335  * Parameters:
   4336  *
   4337  ******************************************************************************/
   4338 void bta_dm_ble_config_local_privacy(tBTA_DM_MSG* p_data) {
   4339   BTM_BleConfigPrivacy(p_data->ble_local_privacy.privacy_enable);
   4340 }
   4341 #endif
   4342 
   4343 /*******************************************************************************
   4344  *
   4345  * Function         bta_dm_ble_observe
   4346  *
   4347  * Description      This function set the preferred connection scan parameters.
   4348  *
   4349  * Parameters:
   4350  *
   4351  ******************************************************************************/
   4352 void bta_dm_ble_observe(tBTA_DM_MSG* p_data) {
   4353   tBTM_STATUS status;
   4354   if (p_data->ble_observe.start) {
   4355     /*Save the  callback to be called when a scan results are available */
   4356     bta_dm_search_cb.p_scan_cback = p_data->ble_observe.p_cback;
   4357     status = BTM_BleObserve(true, p_data->ble_observe.duration,
   4358                             bta_dm_observe_results_cb, bta_dm_observe_cmpl_cb);
   4359     if (status != BTM_CMD_STARTED) {
   4360       tBTA_DM_SEARCH data;
   4361       APPL_TRACE_WARNING(" %s BTM_BleObserve  failed. status %d", __func__,
   4362                          status);
   4363       data.inq_cmpl.num_resps = 0;
   4364       if (bta_dm_search_cb.p_scan_cback) {
   4365         bta_dm_search_cb.p_scan_cback(BTA_DM_INQ_CMPL_EVT, &data);
   4366       }
   4367     }
   4368   } else {
   4369     bta_dm_search_cb.p_scan_cback = NULL;
   4370     BTM_BleObserve(false, 0, NULL, NULL);
   4371   }
   4372 }
   4373 /*******************************************************************************
   4374  *
   4375  * Function         bta_dm_ble_set_adv_params
   4376  *
   4377  * Description      This function set the adv parameters.
   4378  *
   4379  * Parameters:
   4380  *
   4381  ******************************************************************************/
   4382 void bta_dm_ble_set_adv_params(uint16_t adv_int_min, uint16_t adv_int_max,
   4383                                tBLE_BD_ADDR* p_dir_bda) {
   4384   BTM_BleSetAdvParams(adv_int_min, adv_int_max, p_dir_bda,
   4385                       BTA_DM_BLE_ADV_CHNL_MAP);
   4386 }
   4387 
   4388 /*******************************************************************************
   4389  *
   4390  * Function         bta_dm_ble_set_data_length
   4391  *
   4392  * Description      This function set the maximum transmission packet size
   4393  *
   4394  * Parameters
   4395  *
   4396  ******************************************************************************/
   4397 void bta_dm_ble_set_data_length(tBTA_DM_MSG* p_data) {
   4398   if (BTM_SetBleDataLength(p_data->ble_set_data_length.remote_bda,
   4399                            p_data->ble_set_data_length.tx_data_length) !=
   4400       BTM_SUCCESS) {
   4401     APPL_TRACE_ERROR("%s failed", __func__);
   4402   }
   4403 }
   4404 
   4405 /*******************************************************************************
   4406  *
   4407  * Function         bta_ble_enable_scan_cmpl
   4408  *
   4409  * Description      ADV payload filtering enable / disable complete callback
   4410  *
   4411  *
   4412  * Returns          None
   4413  *
   4414  ******************************************************************************/
   4415 static void bta_ble_energy_info_cmpl(tBTM_BLE_TX_TIME_MS tx_time,
   4416                                      tBTM_BLE_RX_TIME_MS rx_time,
   4417                                      tBTM_BLE_IDLE_TIME_MS idle_time,
   4418                                      tBTM_BLE_ENERGY_USED energy_used,
   4419                                      tBTM_STATUS status) {
   4420   tBTA_STATUS st = (status == BTM_SUCCESS) ? BTA_SUCCESS : BTA_FAILURE;
   4421   tBTA_DM_CONTRL_STATE ctrl_state = 0;
   4422 
   4423   if (BTA_SUCCESS == st) ctrl_state = bta_dm_pm_obtain_controller_state();
   4424 
   4425   if (bta_dm_cb.p_energy_info_cback)
   4426     bta_dm_cb.p_energy_info_cback(tx_time, rx_time, idle_time, energy_used,
   4427                                   ctrl_state, st);
   4428 }
   4429 
   4430 /*******************************************************************************
   4431  *
   4432  * Function         bta_dm_ble_get_energy_info
   4433  *
   4434  * Description      This function obtains the energy info
   4435  *
   4436  * Parameters:
   4437  *
   4438  ******************************************************************************/
   4439 void bta_dm_ble_get_energy_info(tBTA_DM_MSG* p_data) {
   4440   tBTM_STATUS btm_status = 0;
   4441 
   4442   bta_dm_cb.p_energy_info_cback = p_data->ble_energy_info.p_energy_info_cback;
   4443   btm_status = BTM_BleGetEnergyInfo(bta_ble_energy_info_cmpl);
   4444   if (BTM_CMD_STARTED != btm_status)
   4445     bta_ble_energy_info_cmpl(0, 0, 0, 0, btm_status);
   4446 }
   4447 
   4448 #ifndef BTA_DM_GATT_CLOSE_DELAY_TOUT
   4449 #define BTA_DM_GATT_CLOSE_DELAY_TOUT 1000
   4450 #endif
   4451 
   4452 /*******************************************************************************
   4453  *
   4454  * Function         bta_dm_gattc_register
   4455  *
   4456  * Description      Register with GATTC in DM if BLE is needed.
   4457  *
   4458  *
   4459  * Returns          void
   4460  *
   4461  ******************************************************************************/
   4462 static void bta_dm_gattc_register(void) {
   4463   if (bta_dm_search_cb.client_if == BTA_GATTS_INVALID_IF) {
   4464     BTA_GATTC_AppRegister(bta_dm_gattc_callback,
   4465                           base::Bind([](uint8_t client_id, uint8_t status) {
   4466                             if (status == BTA_GATT_OK)
   4467                               bta_dm_search_cb.client_if = client_id;
   4468                             else
   4469                               bta_dm_search_cb.client_if = BTA_GATTS_INVALID_IF;
   4470 
   4471                           }));
   4472   }
   4473 }
   4474 
   4475 /*******************************************************************************
   4476  *
   4477  * Function         btm_dm_start_disc_gatt_services
   4478  *
   4479  * Description      This function starts a GATT service search request.
   4480  *
   4481  * Parameters:
   4482  *
   4483  ******************************************************************************/
   4484 static void btm_dm_start_disc_gatt_services(uint16_t conn_id) {
   4485   tBT_UUID* p_uuid = bta_dm_search_cb.p_srvc_uuid + bta_dm_search_cb.num_uuid -
   4486                      bta_dm_search_cb.uuid_to_search;
   4487 
   4488   p_uuid = bta_dm_search_cb.p_srvc_uuid + bta_dm_search_cb.num_uuid -
   4489            bta_dm_search_cb.uuid_to_search;
   4490 
   4491   /* always search for all services */
   4492   BTA_GATTC_ServiceSearchRequest(conn_id, p_uuid);
   4493 }
   4494 
   4495 /*******************************************************************************
   4496  *
   4497  * Function         bta_dm_gatt_disc_result
   4498  *
   4499  * Description      This function process the GATT service search result.
   4500  *
   4501  * Parameters:
   4502  *
   4503  ******************************************************************************/
   4504 static void bta_dm_gatt_disc_result(tBTA_GATT_ID service_id) {
   4505   tBTA_DM_SEARCH result;
   4506 
   4507   /*
   4508    * This logic will not work for gatt case.  We are checking against the
   4509    * bluetooth profiles here
   4510    * just copy the GATTID in raw data field and send it across.
   4511    */
   4512 
   4513   if (bta_dm_search_cb.ble_raw_used + sizeof(tBTA_GATT_ID) <
   4514       bta_dm_search_cb.ble_raw_size) {
   4515     APPL_TRACE_DEBUG(
   4516         "ADDING BLE SERVICE uuid=0x%x, ble_ptr = 0x%x, ble_raw_used = 0x%x",
   4517         service_id.uuid.uu.uuid16, bta_dm_search_cb.p_ble_rawdata,
   4518         bta_dm_search_cb.ble_raw_used);
   4519 
   4520     if (bta_dm_search_cb.p_ble_rawdata) {
   4521       memcpy((bta_dm_search_cb.p_ble_rawdata + bta_dm_search_cb.ble_raw_used),
   4522              &service_id, sizeof(service_id));
   4523 
   4524       bta_dm_search_cb.ble_raw_used += sizeof(service_id);
   4525     } else {
   4526       APPL_TRACE_ERROR("p_ble_rawdata is NULL");
   4527     }
   4528 
   4529   } else {
   4530     APPL_TRACE_ERROR(
   4531         "%s out of room to accomodate more service ids ble_raw_size = %d "
   4532         "ble_raw_used = %d",
   4533         __func__, bta_dm_search_cb.ble_raw_size, bta_dm_search_cb.ble_raw_used);
   4534   }
   4535 
   4536   LOG_INFO(LOG_TAG, "%s service_id_uuid_len=%d ", __func__,
   4537            service_id.uuid.len);
   4538   if (bta_dm_search_cb.state != BTA_DM_SEARCH_IDLE) {
   4539     /* send result back to app now, one by one */
   4540     bdcpy(result.disc_ble_res.bd_addr, bta_dm_search_cb.peer_bdaddr);
   4541     strlcpy((char*)result.disc_ble_res.bd_name, bta_dm_get_remname(),
   4542             BD_NAME_LEN);
   4543     memcpy(&result.disc_ble_res.service, &service_id.uuid, sizeof(tBT_UUID));
   4544 
   4545     bta_dm_search_cb.p_search_cback(BTA_DM_DISC_BLE_RES_EVT, &result);
   4546   }
   4547 }
   4548 
   4549 /*******************************************************************************
   4550  *
   4551  * Function         bta_dm_gatt_disc_complete
   4552  *
   4553  * Description      This function process the GATT service search complete.
   4554  *
   4555  * Parameters:
   4556  *
   4557  ******************************************************************************/
   4558 static void bta_dm_gatt_disc_complete(uint16_t conn_id,
   4559                                       tBTA_GATT_STATUS status) {
   4560   APPL_TRACE_DEBUG("%s conn_id = %d", __func__, conn_id);
   4561 
   4562   if (bta_dm_search_cb.uuid_to_search > 0) bta_dm_search_cb.uuid_to_search--;
   4563 
   4564   if (status == BTA_GATT_OK && bta_dm_search_cb.uuid_to_search > 0) {
   4565     btm_dm_start_disc_gatt_services(conn_id);
   4566   } else {
   4567     tBTA_DM_MSG* p_msg = (tBTA_DM_MSG*)osi_malloc(sizeof(tBTA_DM_MSG));
   4568 
   4569     bta_dm_search_cb.uuid_to_search = 0;
   4570 
   4571     /* no more services to be discovered */
   4572     p_msg->hdr.event = BTA_DM_DISCOVERY_RESULT_EVT;
   4573     p_msg->disc_result.result.disc_res.result =
   4574         (status == BTA_GATT_OK) ? BTA_SUCCESS : BTA_FAILURE;
   4575     APPL_TRACE_DEBUG("%s service found: 0x%08x", __func__,
   4576                      bta_dm_search_cb.services_found);
   4577     p_msg->disc_result.result.disc_res.services =
   4578         bta_dm_search_cb.services_found;
   4579     p_msg->disc_result.result.disc_res.num_uuids = 0;
   4580     p_msg->disc_result.result.disc_res.p_uuid_list = NULL;
   4581     bdcpy(p_msg->disc_result.result.disc_res.bd_addr,
   4582           bta_dm_search_cb.peer_bdaddr);
   4583     strlcpy((char*)p_msg->disc_result.result.disc_res.bd_name,
   4584             bta_dm_get_remname(), BD_NAME_LEN);
   4585 
   4586     p_msg->disc_result.result.disc_res.device_type |= BT_DEVICE_TYPE_BLE;
   4587     if (bta_dm_search_cb.ble_raw_used > 0) {
   4588       p_msg->disc_result.result.disc_res.p_raw_data =
   4589           (uint8_t*)osi_malloc(bta_dm_search_cb.ble_raw_used);
   4590 
   4591       memcpy(p_msg->disc_result.result.disc_res.p_raw_data,
   4592              bta_dm_search_cb.p_ble_rawdata, bta_dm_search_cb.ble_raw_used);
   4593 
   4594       p_msg->disc_result.result.disc_res.raw_data_size =
   4595           bta_dm_search_cb.ble_raw_used;
   4596     } else {
   4597       p_msg->disc_result.result.disc_res.p_raw_data = NULL;
   4598       bta_dm_search_cb.p_ble_rawdata = 0;
   4599     }
   4600 
   4601     bta_sys_sendmsg(p_msg);
   4602 
   4603     if (conn_id != BTA_GATT_INVALID_CONN_ID) {
   4604       /* start a GATT channel close delay timer */
   4605       bta_sys_start_timer(bta_dm_search_cb.gatt_close_timer,
   4606                           BTA_DM_GATT_CLOSE_DELAY_TOUT,
   4607                           BTA_DM_DISC_CLOSE_TOUT_EVT, 0);
   4608       bdcpy(bta_dm_search_cb.pending_close_bda, bta_dm_search_cb.peer_bdaddr);
   4609     }
   4610     bta_dm_search_cb.gatt_disc_active = false;
   4611   }
   4612 }
   4613 
   4614 /*******************************************************************************
   4615  *
   4616  * Function         bta_dm_close_gatt_conn
   4617  *
   4618  * Description      This function close the GATT connection after delay
   4619  *timeout.
   4620  *
   4621  * Parameters:
   4622  *
   4623  ******************************************************************************/
   4624 void bta_dm_close_gatt_conn(UNUSED_ATTR tBTA_DM_MSG* p_data) {
   4625   if (bta_dm_search_cb.conn_id != BTA_GATT_INVALID_CONN_ID)
   4626     BTA_GATTC_Close(bta_dm_search_cb.conn_id);
   4627 
   4628   memset(bta_dm_search_cb.pending_close_bda, 0, BD_ADDR_LEN);
   4629   bta_dm_search_cb.conn_id = BTA_GATT_INVALID_CONN_ID;
   4630 }
   4631 /*******************************************************************************
   4632  *
   4633  * Function         btm_dm_start_gatt_discovery
   4634  *
   4635  * Description      This is GATT initiate the service search by open a GATT
   4636  *                  connection first.
   4637  *
   4638  * Parameters:
   4639  *
   4640  ******************************************************************************/
   4641 void btm_dm_start_gatt_discovery(BD_ADDR bd_addr) {
   4642   bta_dm_search_cb.gatt_disc_active = true;
   4643 
   4644   /* connection is already open */
   4645   if (bdcmp(bta_dm_search_cb.pending_close_bda, bd_addr) == 0 &&
   4646       bta_dm_search_cb.conn_id != BTA_GATT_INVALID_CONN_ID) {
   4647     memset(bta_dm_search_cb.pending_close_bda, 0, BD_ADDR_LEN);
   4648     alarm_cancel(bta_dm_search_cb.gatt_close_timer);
   4649     btm_dm_start_disc_gatt_services(bta_dm_search_cb.conn_id);
   4650   } else {
   4651     if (BTM_IsAclConnectionUp(bd_addr, BT_TRANSPORT_LE)) {
   4652       BTA_GATTC_Open(bta_dm_search_cb.client_if, bd_addr, true,
   4653                      BTA_GATT_TRANSPORT_LE, true);
   4654     } else {
   4655       BTA_GATTC_Open(bta_dm_search_cb.client_if, bd_addr, true,
   4656                      BTA_GATT_TRANSPORT_LE, false);
   4657     }
   4658   }
   4659 }
   4660 
   4661 /*******************************************************************************
   4662  *
   4663  * Function         bta_dm_cancel_gatt_discovery
   4664  *
   4665  * Description      This is GATT cancel the GATT service search.
   4666  *
   4667  * Parameters:
   4668  *
   4669  ******************************************************************************/
   4670 static void bta_dm_cancel_gatt_discovery(BD_ADDR bd_addr) {
   4671   if (bta_dm_search_cb.conn_id == BTA_GATT_INVALID_CONN_ID) {
   4672     BTA_GATTC_CancelOpen(bta_dm_search_cb.client_if, bd_addr, true);
   4673   }
   4674 
   4675   bta_dm_gatt_disc_complete(bta_dm_search_cb.conn_id,
   4676                             (tBTA_GATT_STATUS)BTA_GATT_ERROR);
   4677 }
   4678 
   4679 /*******************************************************************************
   4680  *
   4681  * Function         bta_dm_proc_open_evt
   4682  *
   4683  * Description      process BTA_GATTC_OPEN_EVT in DM.
   4684  *
   4685  * Parameters:
   4686  *
   4687  ******************************************************************************/
   4688 void bta_dm_proc_open_evt(tBTA_GATTC_OPEN* p_data) {
   4689   uint8_t* p1;
   4690   uint8_t* p2;
   4691 
   4692   p1 = bta_dm_search_cb.peer_bdaddr;
   4693   p2 = p_data->remote_bda;
   4694 
   4695   APPL_TRACE_DEBUG(
   4696       "DM Search state= %d search_cb.peer_dbaddr: [%08x%04x] connected_bda= "
   4697       "[%08x%04x] ",
   4698       bta_dm_search_cb.state,
   4699       ((p1[0]) << 24) + ((p1[1]) << 16) + ((p1[2]) << 8) + (p1[3]),
   4700       ((p1[4]) << 8) + p1[5],
   4701       ((p2[0]) << 24) + ((p2[1]) << 16) + ((p2[2]) << 8) + (p2[3]),
   4702       ((p2[4]) << 8) + p2[5]);
   4703 
   4704   APPL_TRACE_DEBUG("BTA_GATTC_OPEN_EVT conn_id = %d client_if=%d status = %d",
   4705                    p_data->conn_id, p_data->client_if, p_data->status);
   4706 
   4707   bta_dm_search_cb.conn_id = p_data->conn_id;
   4708 
   4709   if (p_data->status == BTA_GATT_OK) {
   4710     btm_dm_start_disc_gatt_services(p_data->conn_id);
   4711   } else {
   4712     bta_dm_gatt_disc_complete(BTA_GATT_INVALID_CONN_ID, p_data->status);
   4713   }
   4714 }
   4715 
   4716 /*******************************************************************************
   4717  *
   4718  * Function         bta_dm_gattc_callback
   4719  *
   4720  * Description      This is GATT client callback function used in DM.
   4721  *
   4722  * Parameters:
   4723  *
   4724  ******************************************************************************/
   4725 static void bta_dm_gattc_callback(tBTA_GATTC_EVT event, tBTA_GATTC* p_data) {
   4726   APPL_TRACE_DEBUG("bta_dm_gattc_callback event = %d", event);
   4727 
   4728   switch (event) {
   4729     case BTA_GATTC_OPEN_EVT:
   4730       bta_dm_proc_open_evt(&p_data->open);
   4731       break;
   4732 
   4733     case BTA_GATTC_SEARCH_RES_EVT:
   4734       bta_dm_gatt_disc_result(p_data->srvc_res.service_uuid);
   4735       break;
   4736 
   4737     case BTA_GATTC_SEARCH_CMPL_EVT:
   4738       if (bta_dm_search_cb.state != BTA_DM_SEARCH_IDLE)
   4739         bta_dm_gatt_disc_complete(p_data->search_cmpl.conn_id,
   4740                                   p_data->search_cmpl.status);
   4741       break;
   4742 
   4743     case BTA_GATTC_CLOSE_EVT:
   4744       APPL_TRACE_DEBUG("BTA_GATTC_CLOSE_EVT reason = %d", p_data->close.reason);
   4745       /* in case of disconnect before search is completed */
   4746       if ((bta_dm_search_cb.state != BTA_DM_SEARCH_IDLE) &&
   4747           (bta_dm_search_cb.state != BTA_DM_SEARCH_ACTIVE) &&
   4748           !memcmp(p_data->close.remote_bda, bta_dm_search_cb.peer_bdaddr,
   4749                   BD_ADDR_LEN)) {
   4750         bta_dm_gatt_disc_complete((uint16_t)BTA_GATT_INVALID_CONN_ID,
   4751                                   (tBTA_GATT_STATUS)BTA_GATT_ERROR);
   4752       }
   4753       break;
   4754 
   4755     default:
   4756       break;
   4757   }
   4758 }
   4759 
   4760 #if (BLE_VND_INCLUDED == TRUE)
   4761 /*******************************************************************************
   4762  *
   4763  * Function         bta_dm_ctrl_features_rd_cmpl_cback
   4764  *
   4765  * Description      callback to handle controller feature read complete
   4766  *
   4767  * Parameters:
   4768  *
   4769  ******************************************************************************/
   4770 static void bta_dm_ctrl_features_rd_cmpl_cback(tBTM_STATUS result) {
   4771   APPL_TRACE_DEBUG("%s  status = %d ", __func__, result);
   4772   if (result == BTM_SUCCESS) {
   4773     if (bta_dm_cb.p_sec_cback)
   4774       bta_dm_cb.p_sec_cback(BTA_DM_LE_FEATURES_READ, NULL);
   4775   } else {
   4776     APPL_TRACE_ERROR("%s Ctrl BLE feature read failed: status :%d", __func__,
   4777                      result);
   4778   }
   4779 }
   4780 #endif /* BLE_VND_INCLUDED */
   4781