Sungwoo Kim 10f9f426ac Bluetooth: msft: fix slab-use-after-free in msft_do_close()
Tying the msft->data lifetime to hdev by freeing it in
hci_release_dev() to fix the following case:

[use]
msft_do_close()
  msft = hdev->msft_data;
  if (!msft)                      ...(1) <- passed.
    return;
  mutex_lock(&msft->filter_lock); ...(4) <- used after freed.

[free]
msft_unregister()
  msft = hdev->msft_data;
  hdev->msft_data = NULL;         ...(2)
  kfree(msft);                    ...(3) <- msft is freed.

==================================================================
BUG: KASAN: slab-use-after-free in __mutex_lock_common
kernel/locking/mutex.c:587 [inline]
BUG: KASAN: slab-use-after-free in __mutex_lock+0x8f/0xc30
kernel/locking/mutex.c:752
Read of size 8 at addr ffff888106cbbca8 by task kworker/u5:2/309

Fixes: bf6a4e30ffbd ("Bluetooth: disable advertisement filters during suspend")
Signed-off-by: Sungwoo Kim <iam@sung-woo.kim>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
2024-05-03 13:05:28 -04:00

1203 lines
30 KiB
C

// SPDX-License-Identifier: GPL-2.0-only
/*
* Copyright (C) 2020 Google Corporation
*/
#include <net/bluetooth/bluetooth.h>
#include <net/bluetooth/hci_core.h>
#include <net/bluetooth/mgmt.h>
#include "hci_request.h"
#include "mgmt_util.h"
#include "msft.h"
#define MSFT_RSSI_THRESHOLD_VALUE_MIN -127
#define MSFT_RSSI_THRESHOLD_VALUE_MAX 20
#define MSFT_RSSI_LOW_TIMEOUT_MAX 0x3C
#define MSFT_OP_READ_SUPPORTED_FEATURES 0x00
struct msft_cp_read_supported_features {
__u8 sub_opcode;
} __packed;
struct msft_rp_read_supported_features {
__u8 status;
__u8 sub_opcode;
__le64 features;
__u8 evt_prefix_len;
__u8 evt_prefix[];
} __packed;
#define MSFT_OP_LE_MONITOR_ADVERTISEMENT 0x03
#define MSFT_MONITOR_ADVERTISEMENT_TYPE_PATTERN 0x01
struct msft_le_monitor_advertisement_pattern {
__u8 length;
__u8 data_type;
__u8 start_byte;
__u8 pattern[];
};
struct msft_le_monitor_advertisement_pattern_data {
__u8 count;
__u8 data[];
};
struct msft_cp_le_monitor_advertisement {
__u8 sub_opcode;
__s8 rssi_high;
__s8 rssi_low;
__u8 rssi_low_interval;
__u8 rssi_sampling_period;
__u8 cond_type;
__u8 data[];
} __packed;
struct msft_rp_le_monitor_advertisement {
__u8 status;
__u8 sub_opcode;
__u8 handle;
} __packed;
#define MSFT_OP_LE_CANCEL_MONITOR_ADVERTISEMENT 0x04
struct msft_cp_le_cancel_monitor_advertisement {
__u8 sub_opcode;
__u8 handle;
} __packed;
struct msft_rp_le_cancel_monitor_advertisement {
__u8 status;
__u8 sub_opcode;
} __packed;
#define MSFT_OP_LE_SET_ADVERTISEMENT_FILTER_ENABLE 0x05
struct msft_cp_le_set_advertisement_filter_enable {
__u8 sub_opcode;
__u8 enable;
} __packed;
struct msft_rp_le_set_advertisement_filter_enable {
__u8 status;
__u8 sub_opcode;
} __packed;
#define MSFT_EV_LE_MONITOR_DEVICE 0x02
struct msft_ev_le_monitor_device {
__u8 addr_type;
bdaddr_t bdaddr;
__u8 monitor_handle;
__u8 monitor_state;
} __packed;
struct msft_monitor_advertisement_handle_data {
__u8 msft_handle;
__u16 mgmt_handle;
__s8 rssi_high;
__s8 rssi_low;
__u8 rssi_low_interval;
__u8 rssi_sampling_period;
__u8 cond_type;
struct list_head list;
};
enum monitor_addr_filter_state {
AF_STATE_IDLE,
AF_STATE_ADDING,
AF_STATE_ADDED,
AF_STATE_REMOVING,
};
#define MSFT_MONITOR_ADVERTISEMENT_TYPE_ADDR 0x04
struct msft_monitor_addr_filter_data {
__u8 msft_handle;
__u8 pattern_handle; /* address filters pertain to */
__u16 mgmt_handle;
int state;
__s8 rssi_high;
__s8 rssi_low;
__u8 rssi_low_interval;
__u8 rssi_sampling_period;
__u8 addr_type;
bdaddr_t bdaddr;
struct list_head list;
};
struct msft_data {
__u64 features;
__u8 evt_prefix_len;
__u8 *evt_prefix;
struct list_head handle_map;
struct list_head address_filters;
__u8 resuming;
__u8 suspending;
__u8 filter_enabled;
/* To synchronize add/remove address filter and monitor device event.*/
struct mutex filter_lock;
};
bool msft_monitor_supported(struct hci_dev *hdev)
{
return !!(msft_get_features(hdev) & MSFT_FEATURE_MASK_LE_ADV_MONITOR);
}
static bool read_supported_features(struct hci_dev *hdev,
struct msft_data *msft)
{
struct msft_cp_read_supported_features cp;
struct msft_rp_read_supported_features *rp;
struct sk_buff *skb;
cp.sub_opcode = MSFT_OP_READ_SUPPORTED_FEATURES;
skb = __hci_cmd_sync(hdev, hdev->msft_opcode, sizeof(cp), &cp,
HCI_CMD_TIMEOUT);
if (IS_ERR(skb)) {
bt_dev_err(hdev, "Failed to read MSFT supported features (%ld)",
PTR_ERR(skb));
return false;
}
if (skb->len < sizeof(*rp)) {
bt_dev_err(hdev, "MSFT supported features length mismatch");
goto failed;
}
rp = (struct msft_rp_read_supported_features *)skb->data;
if (rp->sub_opcode != MSFT_OP_READ_SUPPORTED_FEATURES)
goto failed;
if (rp->evt_prefix_len > 0) {
msft->evt_prefix = kmemdup(rp->evt_prefix, rp->evt_prefix_len,
GFP_KERNEL);
if (!msft->evt_prefix)
goto failed;
}
msft->evt_prefix_len = rp->evt_prefix_len;
msft->features = __le64_to_cpu(rp->features);
if (msft->features & MSFT_FEATURE_MASK_CURVE_VALIDITY)
hdev->msft_curve_validity = true;
kfree_skb(skb);
return true;
failed:
kfree_skb(skb);
return false;
}
/* is_mgmt = true matches the handle exposed to userspace via mgmt.
* is_mgmt = false matches the handle used by the msft controller.
* This function requires the caller holds hdev->lock
*/
static struct msft_monitor_advertisement_handle_data *msft_find_handle_data
(struct hci_dev *hdev, u16 handle, bool is_mgmt)
{
struct msft_monitor_advertisement_handle_data *entry;
struct msft_data *msft = hdev->msft_data;
list_for_each_entry(entry, &msft->handle_map, list) {
if (is_mgmt && entry->mgmt_handle == handle)
return entry;
if (!is_mgmt && entry->msft_handle == handle)
return entry;
}
return NULL;
}
/* This function requires the caller holds msft->filter_lock */
static struct msft_monitor_addr_filter_data *msft_find_address_data
(struct hci_dev *hdev, u8 addr_type, bdaddr_t *addr,
u8 pattern_handle)
{
struct msft_monitor_addr_filter_data *entry;
struct msft_data *msft = hdev->msft_data;
list_for_each_entry(entry, &msft->address_filters, list) {
if (entry->pattern_handle == pattern_handle &&
addr_type == entry->addr_type &&
!bacmp(addr, &entry->bdaddr))
return entry;
}
return NULL;
}
/* This function requires the caller holds hdev->lock */
static int msft_monitor_device_del(struct hci_dev *hdev, __u16 mgmt_handle,
bdaddr_t *bdaddr, __u8 addr_type,
bool notify)
{
struct monitored_device *dev, *tmp;
int count = 0;
list_for_each_entry_safe(dev, tmp, &hdev->monitored_devices, list) {
/* mgmt_handle == 0 indicates remove all devices, whereas,
* bdaddr == NULL indicates remove all devices matching the
* mgmt_handle.
*/
if ((!mgmt_handle || dev->handle == mgmt_handle) &&
(!bdaddr || (!bacmp(bdaddr, &dev->bdaddr) &&
addr_type == dev->addr_type))) {
if (notify && dev->notified) {
mgmt_adv_monitor_device_lost(hdev, dev->handle,
&dev->bdaddr,
dev->addr_type);
}
list_del(&dev->list);
kfree(dev);
count++;
}
}
return count;
}
static int msft_le_monitor_advertisement_cb(struct hci_dev *hdev, u16 opcode,
struct adv_monitor *monitor,
struct sk_buff *skb)
{
struct msft_rp_le_monitor_advertisement *rp;
struct msft_monitor_advertisement_handle_data *handle_data;
struct msft_data *msft = hdev->msft_data;
int status = 0;
hci_dev_lock(hdev);
rp = (struct msft_rp_le_monitor_advertisement *)skb->data;
if (skb->len < sizeof(*rp)) {
status = HCI_ERROR_UNSPECIFIED;
goto unlock;
}
status = rp->status;
if (status)
goto unlock;
handle_data = kmalloc(sizeof(*handle_data), GFP_KERNEL);
if (!handle_data) {
status = HCI_ERROR_UNSPECIFIED;
goto unlock;
}
handle_data->mgmt_handle = monitor->handle;
handle_data->msft_handle = rp->handle;
handle_data->cond_type = MSFT_MONITOR_ADVERTISEMENT_TYPE_PATTERN;
INIT_LIST_HEAD(&handle_data->list);
list_add(&handle_data->list, &msft->handle_map);
monitor->state = ADV_MONITOR_STATE_OFFLOADED;
unlock:
if (status)
hci_free_adv_monitor(hdev, monitor);
hci_dev_unlock(hdev);
return status;
}
/* This function requires the caller holds hci_req_sync_lock */
static void msft_remove_addr_filters_sync(struct hci_dev *hdev, u8 handle)
{
struct msft_monitor_addr_filter_data *address_filter, *n;
struct msft_cp_le_cancel_monitor_advertisement cp;
struct msft_data *msft = hdev->msft_data;
struct list_head head;
struct sk_buff *skb;
INIT_LIST_HEAD(&head);
/* Cancel all corresponding address monitors */
mutex_lock(&msft->filter_lock);
list_for_each_entry_safe(address_filter, n, &msft->address_filters,
list) {
if (address_filter->pattern_handle != handle)
continue;
list_del(&address_filter->list);
/* Keep the address filter and let
* msft_add_address_filter_sync() remove and free the address
* filter.
*/
if (address_filter->state == AF_STATE_ADDING) {
address_filter->state = AF_STATE_REMOVING;
continue;
}
/* Keep the address filter and let
* msft_cancel_address_filter_sync() remove and free the address
* filter
*/
if (address_filter->state == AF_STATE_REMOVING)
continue;
list_add_tail(&address_filter->list, &head);
}
mutex_unlock(&msft->filter_lock);
list_for_each_entry_safe(address_filter, n, &head, list) {
list_del(&address_filter->list);
cp.sub_opcode = MSFT_OP_LE_CANCEL_MONITOR_ADVERTISEMENT;
cp.handle = address_filter->msft_handle;
skb = __hci_cmd_sync(hdev, hdev->msft_opcode, sizeof(cp), &cp,
HCI_CMD_TIMEOUT);
if (IS_ERR(skb)) {
kfree(address_filter);
continue;
}
kfree_skb(skb);
bt_dev_dbg(hdev, "MSFT: Canceled device %pMR address filter",
&address_filter->bdaddr);
kfree(address_filter);
}
}
static int msft_le_cancel_monitor_advertisement_cb(struct hci_dev *hdev,
u16 opcode,
struct adv_monitor *monitor,
struct sk_buff *skb)
{
struct msft_rp_le_cancel_monitor_advertisement *rp;
struct msft_monitor_advertisement_handle_data *handle_data;
struct msft_data *msft = hdev->msft_data;
int status = 0;
u8 msft_handle;
rp = (struct msft_rp_le_cancel_monitor_advertisement *)skb->data;
if (skb->len < sizeof(*rp)) {
status = HCI_ERROR_UNSPECIFIED;
goto done;
}
status = rp->status;
if (status)
goto done;
hci_dev_lock(hdev);
handle_data = msft_find_handle_data(hdev, monitor->handle, true);
if (handle_data) {
if (monitor->state == ADV_MONITOR_STATE_OFFLOADED)
monitor->state = ADV_MONITOR_STATE_REGISTERED;
/* Do not free the monitor if it is being removed due to
* suspend. It will be re-monitored on resume.
*/
if (!msft->suspending) {
hci_free_adv_monitor(hdev, monitor);
/* Clear any monitored devices by this Adv Monitor */
msft_monitor_device_del(hdev, handle_data->mgmt_handle,
NULL, 0, false);
}
msft_handle = handle_data->msft_handle;
list_del(&handle_data->list);
kfree(handle_data);
hci_dev_unlock(hdev);
msft_remove_addr_filters_sync(hdev, msft_handle);
} else {
hci_dev_unlock(hdev);
}
done:
return status;
}
/* This function requires the caller holds hci_req_sync_lock */
static int msft_remove_monitor_sync(struct hci_dev *hdev,
struct adv_monitor *monitor)
{
struct msft_cp_le_cancel_monitor_advertisement cp;
struct msft_monitor_advertisement_handle_data *handle_data;
struct sk_buff *skb;
handle_data = msft_find_handle_data(hdev, monitor->handle, true);
/* If no matched handle, just remove without telling controller */
if (!handle_data)
return -ENOENT;
cp.sub_opcode = MSFT_OP_LE_CANCEL_MONITOR_ADVERTISEMENT;
cp.handle = handle_data->msft_handle;
skb = __hci_cmd_sync(hdev, hdev->msft_opcode, sizeof(cp), &cp,
HCI_CMD_TIMEOUT);
if (IS_ERR(skb))
return PTR_ERR(skb);
return msft_le_cancel_monitor_advertisement_cb(hdev, hdev->msft_opcode,
monitor, skb);
}
/* This function requires the caller holds hci_req_sync_lock */
int msft_suspend_sync(struct hci_dev *hdev)
{
struct msft_data *msft = hdev->msft_data;
struct adv_monitor *monitor;
int handle = 0;
if (!msft || !msft_monitor_supported(hdev))
return 0;
msft->suspending = true;
while (1) {
monitor = idr_get_next(&hdev->adv_monitors_idr, &handle);
if (!monitor)
break;
msft_remove_monitor_sync(hdev, monitor);
handle++;
}
/* All monitors have been removed */
msft->suspending = false;
return 0;
}
static bool msft_monitor_rssi_valid(struct adv_monitor *monitor)
{
struct adv_rssi_thresholds *r = &monitor->rssi;
if (r->high_threshold < MSFT_RSSI_THRESHOLD_VALUE_MIN ||
r->high_threshold > MSFT_RSSI_THRESHOLD_VALUE_MAX ||
r->low_threshold < MSFT_RSSI_THRESHOLD_VALUE_MIN ||
r->low_threshold > MSFT_RSSI_THRESHOLD_VALUE_MAX)
return false;
/* High_threshold_timeout is not supported,
* once high_threshold is reached, events are immediately reported.
*/
if (r->high_threshold_timeout != 0)
return false;
if (r->low_threshold_timeout > MSFT_RSSI_LOW_TIMEOUT_MAX)
return false;
/* Sampling period from 0x00 to 0xFF are all allowed */
return true;
}
static bool msft_monitor_pattern_valid(struct adv_monitor *monitor)
{
return msft_monitor_rssi_valid(monitor);
/* No additional check needed for pattern-based monitor */
}
static int msft_add_monitor_sync(struct hci_dev *hdev,
struct adv_monitor *monitor)
{
struct msft_cp_le_monitor_advertisement *cp;
struct msft_le_monitor_advertisement_pattern_data *pattern_data;
struct msft_monitor_advertisement_handle_data *handle_data;
struct msft_le_monitor_advertisement_pattern *pattern;
struct adv_pattern *entry;
size_t total_size = sizeof(*cp) + sizeof(*pattern_data);
ptrdiff_t offset = 0;
u8 pattern_count = 0;
struct sk_buff *skb;
int err;
if (!msft_monitor_pattern_valid(monitor))
return -EINVAL;
list_for_each_entry(entry, &monitor->patterns, list) {
pattern_count++;
total_size += sizeof(*pattern) + entry->length;
}
cp = kmalloc(total_size, GFP_KERNEL);
if (!cp)
return -ENOMEM;
cp->sub_opcode = MSFT_OP_LE_MONITOR_ADVERTISEMENT;
cp->rssi_high = monitor->rssi.high_threshold;
cp->rssi_low = monitor->rssi.low_threshold;
cp->rssi_low_interval = (u8)monitor->rssi.low_threshold_timeout;
cp->rssi_sampling_period = monitor->rssi.sampling_period;
cp->cond_type = MSFT_MONITOR_ADVERTISEMENT_TYPE_PATTERN;
pattern_data = (void *)cp->data;
pattern_data->count = pattern_count;
list_for_each_entry(entry, &monitor->patterns, list) {
pattern = (void *)(pattern_data->data + offset);
/* the length also includes data_type and offset */
pattern->length = entry->length + 2;
pattern->data_type = entry->ad_type;
pattern->start_byte = entry->offset;
memcpy(pattern->pattern, entry->value, entry->length);
offset += sizeof(*pattern) + entry->length;
}
skb = __hci_cmd_sync(hdev, hdev->msft_opcode, total_size, cp,
HCI_CMD_TIMEOUT);
if (IS_ERR(skb)) {
err = PTR_ERR(skb);
goto out_free;
}
err = msft_le_monitor_advertisement_cb(hdev, hdev->msft_opcode,
monitor, skb);
if (err)
goto out_free;
handle_data = msft_find_handle_data(hdev, monitor->handle, true);
if (!handle_data) {
err = -ENODATA;
goto out_free;
}
handle_data->rssi_high = cp->rssi_high;
handle_data->rssi_low = cp->rssi_low;
handle_data->rssi_low_interval = cp->rssi_low_interval;
handle_data->rssi_sampling_period = cp->rssi_sampling_period;
out_free:
kfree(cp);
return err;
}
/* This function requires the caller holds hci_req_sync_lock */
static void reregister_monitor(struct hci_dev *hdev)
{
struct adv_monitor *monitor;
struct msft_data *msft = hdev->msft_data;
int handle = 0;
if (!msft)
return;
msft->resuming = true;
while (1) {
monitor = idr_get_next(&hdev->adv_monitors_idr, &handle);
if (!monitor)
break;
msft_add_monitor_sync(hdev, monitor);
handle++;
}
/* All monitors have been reregistered */
msft->resuming = false;
}
/* This function requires the caller holds hci_req_sync_lock */
int msft_resume_sync(struct hci_dev *hdev)
{
struct msft_data *msft = hdev->msft_data;
if (!msft || !msft_monitor_supported(hdev))
return 0;
hci_dev_lock(hdev);
/* Clear already tracked devices on resume. Once the monitors are
* reregistered, devices in range will be found again after resume.
*/
hdev->advmon_pend_notify = false;
msft_monitor_device_del(hdev, 0, NULL, 0, true);
hci_dev_unlock(hdev);
reregister_monitor(hdev);
return 0;
}
/* This function requires the caller holds hci_req_sync_lock */
void msft_do_open(struct hci_dev *hdev)
{
struct msft_data *msft = hdev->msft_data;
if (hdev->msft_opcode == HCI_OP_NOP)
return;
if (!msft) {
bt_dev_err(hdev, "MSFT extension not registered");
return;
}
bt_dev_dbg(hdev, "Initialize MSFT extension");
/* Reset existing MSFT data before re-reading */
kfree(msft->evt_prefix);
msft->evt_prefix = NULL;
msft->evt_prefix_len = 0;
msft->features = 0;
if (!read_supported_features(hdev, msft)) {
hdev->msft_data = NULL;
kfree(msft);
return;
}
if (msft_monitor_supported(hdev)) {
msft->resuming = true;
msft_set_filter_enable(hdev, true);
/* Monitors get removed on power off, so we need to explicitly
* tell the controller to re-monitor.
*/
reregister_monitor(hdev);
}
}
void msft_do_close(struct hci_dev *hdev)
{
struct msft_data *msft = hdev->msft_data;
struct msft_monitor_advertisement_handle_data *handle_data, *tmp;
struct msft_monitor_addr_filter_data *address_filter, *n;
struct adv_monitor *monitor;
if (!msft)
return;
bt_dev_dbg(hdev, "Cleanup of MSFT extension");
/* The controller will silently remove all monitors on power off.
* Therefore, remove handle_data mapping and reset monitor state.
*/
list_for_each_entry_safe(handle_data, tmp, &msft->handle_map, list) {
monitor = idr_find(&hdev->adv_monitors_idr,
handle_data->mgmt_handle);
if (monitor && monitor->state == ADV_MONITOR_STATE_OFFLOADED)
monitor->state = ADV_MONITOR_STATE_REGISTERED;
list_del(&handle_data->list);
kfree(handle_data);
}
mutex_lock(&msft->filter_lock);
list_for_each_entry_safe(address_filter, n, &msft->address_filters,
list) {
list_del(&address_filter->list);
kfree(address_filter);
}
mutex_unlock(&msft->filter_lock);
hci_dev_lock(hdev);
/* Clear any devices that are being monitored and notify device lost */
hdev->advmon_pend_notify = false;
msft_monitor_device_del(hdev, 0, NULL, 0, true);
hci_dev_unlock(hdev);
}
static int msft_cancel_address_filter_sync(struct hci_dev *hdev, void *data)
{
struct msft_monitor_addr_filter_data *address_filter = data;
struct msft_cp_le_cancel_monitor_advertisement cp;
struct msft_data *msft = hdev->msft_data;
struct sk_buff *skb;
int err = 0;
if (!msft) {
bt_dev_err(hdev, "MSFT: msft data is freed");
return -EINVAL;
}
/* The address filter has been removed by hci dev close */
if (!test_bit(HCI_UP, &hdev->flags))
return 0;
mutex_lock(&msft->filter_lock);
list_del(&address_filter->list);
mutex_unlock(&msft->filter_lock);
cp.sub_opcode = MSFT_OP_LE_CANCEL_MONITOR_ADVERTISEMENT;
cp.handle = address_filter->msft_handle;
skb = __hci_cmd_sync(hdev, hdev->msft_opcode, sizeof(cp), &cp,
HCI_CMD_TIMEOUT);
if (IS_ERR(skb)) {
bt_dev_err(hdev, "MSFT: Failed to cancel address (%pMR) filter",
&address_filter->bdaddr);
err = PTR_ERR(skb);
goto done;
}
kfree_skb(skb);
bt_dev_dbg(hdev, "MSFT: Canceled device %pMR address filter",
&address_filter->bdaddr);
done:
kfree(address_filter);
return err;
}
void msft_register(struct hci_dev *hdev)
{
struct msft_data *msft = NULL;
bt_dev_dbg(hdev, "Register MSFT extension");
msft = kzalloc(sizeof(*msft), GFP_KERNEL);
if (!msft) {
bt_dev_err(hdev, "Failed to register MSFT extension");
return;
}
INIT_LIST_HEAD(&msft->handle_map);
INIT_LIST_HEAD(&msft->address_filters);
hdev->msft_data = msft;
mutex_init(&msft->filter_lock);
}
void msft_release(struct hci_dev *hdev)
{
struct msft_data *msft = hdev->msft_data;
if (!msft)
return;
bt_dev_dbg(hdev, "Unregister MSFT extension");
hdev->msft_data = NULL;
kfree(msft->evt_prefix);
mutex_destroy(&msft->filter_lock);
kfree(msft);
}
/* This function requires the caller holds hdev->lock */
static void msft_device_found(struct hci_dev *hdev, bdaddr_t *bdaddr,
__u8 addr_type, __u16 mgmt_handle)
{
struct monitored_device *dev;
dev = kmalloc(sizeof(*dev), GFP_KERNEL);
if (!dev) {
bt_dev_err(hdev, "MSFT vendor event %u: no memory",
MSFT_EV_LE_MONITOR_DEVICE);
return;
}
bacpy(&dev->bdaddr, bdaddr);
dev->addr_type = addr_type;
dev->handle = mgmt_handle;
dev->notified = false;
INIT_LIST_HEAD(&dev->list);
list_add(&dev->list, &hdev->monitored_devices);
hdev->advmon_pend_notify = true;
}
/* This function requires the caller holds hdev->lock */
static void msft_device_lost(struct hci_dev *hdev, bdaddr_t *bdaddr,
__u8 addr_type, __u16 mgmt_handle)
{
if (!msft_monitor_device_del(hdev, mgmt_handle, bdaddr, addr_type,
true)) {
bt_dev_err(hdev, "MSFT vendor event %u: dev %pMR not in list",
MSFT_EV_LE_MONITOR_DEVICE, bdaddr);
}
}
static void *msft_skb_pull(struct hci_dev *hdev, struct sk_buff *skb,
u8 ev, size_t len)
{
void *data;
data = skb_pull_data(skb, len);
if (!data)
bt_dev_err(hdev, "Malformed MSFT vendor event: 0x%02x", ev);
return data;
}
static int msft_add_address_filter_sync(struct hci_dev *hdev, void *data)
{
struct msft_monitor_addr_filter_data *address_filter = data;
struct msft_rp_le_monitor_advertisement *rp;
struct msft_cp_le_monitor_advertisement *cp;
struct msft_data *msft = hdev->msft_data;
struct sk_buff *skb = NULL;
bool remove = false;
size_t size;
if (!msft) {
bt_dev_err(hdev, "MSFT: msft data is freed");
return -EINVAL;
}
/* The address filter has been removed by hci dev close */
if (!test_bit(HCI_UP, &hdev->flags))
return -ENODEV;
/* We are safe to use the address filter from now on.
* msft_monitor_device_evt() wouldn't delete this filter because it's
* not been added by now.
* And all other functions that requiring hci_req_sync_lock wouldn't
* touch this filter before this func completes because it's protected
* by hci_req_sync_lock.
*/
if (address_filter->state == AF_STATE_REMOVING) {
mutex_lock(&msft->filter_lock);
list_del(&address_filter->list);
mutex_unlock(&msft->filter_lock);
kfree(address_filter);
return 0;
}
size = sizeof(*cp) +
sizeof(address_filter->addr_type) +
sizeof(address_filter->bdaddr);
cp = kzalloc(size, GFP_KERNEL);
if (!cp) {
bt_dev_err(hdev, "MSFT: Alloc cmd param err");
remove = true;
goto done;
}
cp->sub_opcode = MSFT_OP_LE_MONITOR_ADVERTISEMENT;
cp->rssi_high = address_filter->rssi_high;
cp->rssi_low = address_filter->rssi_low;
cp->rssi_low_interval = address_filter->rssi_low_interval;
cp->rssi_sampling_period = address_filter->rssi_sampling_period;
cp->cond_type = MSFT_MONITOR_ADVERTISEMENT_TYPE_ADDR;
cp->data[0] = address_filter->addr_type;
memcpy(&cp->data[1], &address_filter->bdaddr,
sizeof(address_filter->bdaddr));
skb = __hci_cmd_sync(hdev, hdev->msft_opcode, size, cp,
HCI_CMD_TIMEOUT);
kfree(cp);
if (IS_ERR(skb)) {
bt_dev_err(hdev, "Failed to enable address %pMR filter",
&address_filter->bdaddr);
skb = NULL;
remove = true;
goto done;
}
rp = skb_pull_data(skb, sizeof(*rp));
if (!rp || rp->sub_opcode != MSFT_OP_LE_MONITOR_ADVERTISEMENT ||
rp->status)
remove = true;
done:
mutex_lock(&msft->filter_lock);
if (remove) {
bt_dev_warn(hdev, "MSFT: Remove address (%pMR) filter",
&address_filter->bdaddr);
list_del(&address_filter->list);
kfree(address_filter);
} else {
address_filter->state = AF_STATE_ADDED;
address_filter->msft_handle = rp->handle;
bt_dev_dbg(hdev, "MSFT: Address %pMR filter enabled",
&address_filter->bdaddr);
}
mutex_unlock(&msft->filter_lock);
kfree_skb(skb);
return 0;
}
/* This function requires the caller holds msft->filter_lock */
static struct msft_monitor_addr_filter_data *msft_add_address_filter
(struct hci_dev *hdev, u8 addr_type, bdaddr_t *bdaddr,
struct msft_monitor_advertisement_handle_data *handle_data)
{
struct msft_monitor_addr_filter_data *address_filter = NULL;
struct msft_data *msft = hdev->msft_data;
int err;
address_filter = kzalloc(sizeof(*address_filter), GFP_KERNEL);
if (!address_filter)
return NULL;
address_filter->state = AF_STATE_ADDING;
address_filter->msft_handle = 0xff;
address_filter->pattern_handle = handle_data->msft_handle;
address_filter->mgmt_handle = handle_data->mgmt_handle;
address_filter->rssi_high = handle_data->rssi_high;
address_filter->rssi_low = handle_data->rssi_low;
address_filter->rssi_low_interval = handle_data->rssi_low_interval;
address_filter->rssi_sampling_period = handle_data->rssi_sampling_period;
address_filter->addr_type = addr_type;
bacpy(&address_filter->bdaddr, bdaddr);
/* With the above AF_STATE_ADDING, duplicated address filter can be
* avoided when receiving monitor device event (found/lost) frequently
* for the same device.
*/
list_add_tail(&address_filter->list, &msft->address_filters);
err = hci_cmd_sync_queue(hdev, msft_add_address_filter_sync,
address_filter, NULL);
if (err < 0) {
bt_dev_err(hdev, "MSFT: Add address %pMR filter err", bdaddr);
list_del(&address_filter->list);
kfree(address_filter);
return NULL;
}
bt_dev_dbg(hdev, "MSFT: Add device %pMR address filter",
&address_filter->bdaddr);
return address_filter;
}
/* This function requires the caller holds hdev->lock */
static void msft_monitor_device_evt(struct hci_dev *hdev, struct sk_buff *skb)
{
struct msft_monitor_addr_filter_data *n, *address_filter = NULL;
struct msft_ev_le_monitor_device *ev;
struct msft_monitor_advertisement_handle_data *handle_data;
struct msft_data *msft = hdev->msft_data;
u16 mgmt_handle = 0xffff;
u8 addr_type;
ev = msft_skb_pull(hdev, skb, MSFT_EV_LE_MONITOR_DEVICE, sizeof(*ev));
if (!ev)
return;
bt_dev_dbg(hdev,
"MSFT vendor event 0x%02x: handle 0x%04x state %d addr %pMR",
MSFT_EV_LE_MONITOR_DEVICE, ev->monitor_handle,
ev->monitor_state, &ev->bdaddr);
handle_data = msft_find_handle_data(hdev, ev->monitor_handle, false);
if (!test_bit(HCI_QUIRK_USE_MSFT_EXT_ADDRESS_FILTER, &hdev->quirks)) {
if (!handle_data)
return;
mgmt_handle = handle_data->mgmt_handle;
goto report_state;
}
if (handle_data) {
/* Don't report any device found/lost event from pattern
* monitors. Pattern monitor always has its address filters for
* tracking devices.
*/
address_filter = msft_find_address_data(hdev, ev->addr_type,
&ev->bdaddr,
handle_data->msft_handle);
if (address_filter)
return;
if (ev->monitor_state && handle_data->cond_type ==
MSFT_MONITOR_ADVERTISEMENT_TYPE_PATTERN)
msft_add_address_filter(hdev, ev->addr_type,
&ev->bdaddr, handle_data);
return;
}
/* This device event is not from pattern monitor.
* Report it if there is a corresponding address_filter for it.
*/
list_for_each_entry(n, &msft->address_filters, list) {
if (n->state == AF_STATE_ADDED &&
n->msft_handle == ev->monitor_handle) {
mgmt_handle = n->mgmt_handle;
address_filter = n;
break;
}
}
if (!address_filter) {
bt_dev_warn(hdev, "MSFT: Unexpected device event %pMR, %u, %u",
&ev->bdaddr, ev->monitor_handle, ev->monitor_state);
return;
}
report_state:
switch (ev->addr_type) {
case ADDR_LE_DEV_PUBLIC:
addr_type = BDADDR_LE_PUBLIC;
break;
case ADDR_LE_DEV_RANDOM:
addr_type = BDADDR_LE_RANDOM;
break;
default:
bt_dev_err(hdev,
"MSFT vendor event 0x%02x: unknown addr type 0x%02x",
MSFT_EV_LE_MONITOR_DEVICE, ev->addr_type);
return;
}
if (ev->monitor_state) {
msft_device_found(hdev, &ev->bdaddr, addr_type, mgmt_handle);
} else {
if (address_filter && address_filter->state == AF_STATE_ADDED) {
address_filter->state = AF_STATE_REMOVING;
hci_cmd_sync_queue(hdev,
msft_cancel_address_filter_sync,
address_filter,
NULL);
}
msft_device_lost(hdev, &ev->bdaddr, addr_type, mgmt_handle);
}
}
void msft_vendor_evt(struct hci_dev *hdev, void *data, struct sk_buff *skb)
{
struct msft_data *msft = hdev->msft_data;
u8 *evt_prefix;
u8 *evt;
if (!msft)
return;
/* When the extension has defined an event prefix, check that it
* matches, and otherwise just return.
*/
if (msft->evt_prefix_len > 0) {
evt_prefix = msft_skb_pull(hdev, skb, 0, msft->evt_prefix_len);
if (!evt_prefix)
return;
if (memcmp(evt_prefix, msft->evt_prefix, msft->evt_prefix_len))
return;
}
/* Every event starts at least with an event code and the rest of
* the data is variable and depends on the event code.
*/
if (skb->len < 1)
return;
evt = msft_skb_pull(hdev, skb, 0, sizeof(*evt));
if (!evt)
return;
hci_dev_lock(hdev);
switch (*evt) {
case MSFT_EV_LE_MONITOR_DEVICE:
mutex_lock(&msft->filter_lock);
msft_monitor_device_evt(hdev, skb);
mutex_unlock(&msft->filter_lock);
break;
default:
bt_dev_dbg(hdev, "MSFT vendor event 0x%02x", *evt);
break;
}
hci_dev_unlock(hdev);
}
__u64 msft_get_features(struct hci_dev *hdev)
{
struct msft_data *msft = hdev->msft_data;
return msft ? msft->features : 0;
}
static void msft_le_set_advertisement_filter_enable_cb(struct hci_dev *hdev,
void *user_data,
u8 status)
{
struct msft_cp_le_set_advertisement_filter_enable *cp = user_data;
struct msft_data *msft = hdev->msft_data;
/* Error 0x0C would be returned if the filter enabled status is
* already set to whatever we were trying to set.
* Although the default state should be disabled, some controller set
* the initial value to enabled. Because there is no way to know the
* actual initial value before sending this command, here we also treat
* error 0x0C as success.
*/
if (status != 0x00 && status != 0x0C)
return;
hci_dev_lock(hdev);
msft->filter_enabled = cp->enable;
if (status == 0x0C)
bt_dev_warn(hdev, "MSFT filter_enable is already %s",
cp->enable ? "on" : "off");
hci_dev_unlock(hdev);
}
/* This function requires the caller holds hci_req_sync_lock */
int msft_add_monitor_pattern(struct hci_dev *hdev, struct adv_monitor *monitor)
{
struct msft_data *msft = hdev->msft_data;
if (!msft)
return -EOPNOTSUPP;
if (msft->resuming || msft->suspending)
return -EBUSY;
return msft_add_monitor_sync(hdev, monitor);
}
/* This function requires the caller holds hci_req_sync_lock */
int msft_remove_monitor(struct hci_dev *hdev, struct adv_monitor *monitor)
{
struct msft_data *msft = hdev->msft_data;
if (!msft)
return -EOPNOTSUPP;
if (msft->resuming || msft->suspending)
return -EBUSY;
return msft_remove_monitor_sync(hdev, monitor);
}
int msft_set_filter_enable(struct hci_dev *hdev, bool enable)
{
struct msft_cp_le_set_advertisement_filter_enable cp;
struct msft_data *msft = hdev->msft_data;
int err;
if (!msft)
return -EOPNOTSUPP;
cp.sub_opcode = MSFT_OP_LE_SET_ADVERTISEMENT_FILTER_ENABLE;
cp.enable = enable;
err = __hci_cmd_sync_status(hdev, hdev->msft_opcode, sizeof(cp), &cp,
HCI_CMD_TIMEOUT);
msft_le_set_advertisement_filter_enable_cb(hdev, &cp, err);
return 0;
}
bool msft_curve_validity(struct hci_dev *hdev)
{
return hdev->msft_curve_validity;
}