Fix L2cap LE COC security record leaks

- When we are client, we don't need to register security during L2cap
registration.
- When we are done, we clean up security record by PSM; Service ID might
be invalid.
- Once the btif topshim facade initial commit is done, we can repro this
and verify the fix with test automation.

Tag: #stability
Bug: 193142224
Test: CtsVerifier LE COC Client for many times; later we will have an
automated test for this
Change-Id: I90fd23ce26c65ca3314e0754a2630d3f63c5d5d8
Merged-In: I90fd23ce26c65ca3314e0754a2630d3f63c5d5d8

2 files changed, 6 insertions, 2 deletions

diff --git a/stack/gap/gap_conn.cc b/stack/gap/gap_conn.cc
index 52b15318f..0f0026f71 100644
--- a/stack/gap/gap_conn.cc
+++ b/stack/gap/gap_conn.cc
@@ -994,7 +994,7 @@ static void gap_release_ccb(tGAP_CCB* p_ccb) {
   }
 
   /* Free the security record for this PSM */
-  BTM_SecClrService(p_ccb->service_id);
+  BTM_SecClrServiceByPsm(p_ccb->psm);
   if (p_ccb->transport == BT_TRANSPORT_BR_EDR) L2CA_Deregister(p_ccb->psm);
   if (p_ccb->transport == BT_TRANSPORT_LE) L2CA_DeregisterLECoc(p_ccb->psm);
 }
diff --git a/stack/l2cap/l2c_api.cc b/stack/l2cap/l2c_api.cc
index 198ccf7e8..43aab5fd6 100644
--- a/stack/l2cap/l2c_api.cc
+++ b/stack/l2cap/l2c_api.cc
@@ -382,7 +382,11 @@ uint16_t L2CA_RegisterLECoc(uint16_t psm, const tL2CAP_APPL_INFO& p_cb_info,
     return bluetooth::shim::L2CA_RegisterLECoc(psm, p_cb_info, sec_level, cfg);
   }
 
-  BTM_SetSecurityLevel(false, "", 0, sec_level, psm, 0, 0);
+  if (p_cb_info.pL2CA_ConnectInd_Cb != nullptr && psm < LE_DYNAMIC_PSM_START) {
+    //  If we register LE COC for outgoing connection only, don't register with
+    //  BTM_Sec, because it's handled by L2CA_ConnectLECocReq.
+    BTM_SetSecurityLevel(false, "", 0, sec_level, psm, 0, 0);
+  }
 
   /* Verify that the required callback info has been filled in
   **      Note:  Connection callbacks are required but not checked