1
// SPDX-License-Identifier: GPL-2.0-only
2
/*
3
 * Copyright (C) 2020 Google Corporation
4
 */
5

6
#include <net/bluetooth/bluetooth.h>
7
#include <net/bluetooth/hci_core.h>
8
#include <net/bluetooth/mgmt.h>
9

10
#include "mgmt_util.h"
11
#include "msft.h"
12

13
#define MSFT_RSSI_THRESHOLD_VALUE_MIN		-127
14
#define MSFT_RSSI_THRESHOLD_VALUE_MAX		20
15
#define MSFT_RSSI_LOW_TIMEOUT_MAX		0x3C
16

17
#define MSFT_OP_READ_SUPPORTED_FEATURES		0x00
18
struct msft_cp_read_supported_features {
19
	__u8   sub_opcode;
20
} __packed;
21

22
struct msft_rp_read_supported_features {
23
	__u8   status;
24
	__u8   sub_opcode;
25
	__le64 features;
26
	__u8   evt_prefix_len;
27
	__u8   evt_prefix[];
28
} __packed;
29

30
#define MSFT_OP_LE_MONITOR_ADVERTISEMENT	0x03
31
#define MSFT_MONITOR_ADVERTISEMENT_TYPE_PATTERN	0x01
32
struct msft_le_monitor_advertisement_pattern {
33
	__u8 length;
34
	__u8 data_type;
35
	__u8 start_byte;
36
	__u8 pattern[];
37
};
38

39
struct msft_le_monitor_advertisement_pattern_data {
40
	__u8 count;
41
	__u8 data[];
42
};
43

44
struct msft_cp_le_monitor_advertisement {
45
	__u8 sub_opcode;
46
	__s8 rssi_high;
47
	__s8 rssi_low;
48
	__u8 rssi_low_interval;
49
	__u8 rssi_sampling_period;
50
	__u8 cond_type;
51
	__u8 data[];
52
} __packed;
53

54
struct msft_rp_le_monitor_advertisement {
55
	__u8 status;
56
	__u8 sub_opcode;
57
	__u8 handle;
58
} __packed;
59

60
#define MSFT_OP_LE_CANCEL_MONITOR_ADVERTISEMENT	0x04
61
struct msft_cp_le_cancel_monitor_advertisement {
62
	__u8 sub_opcode;
63
	__u8 handle;
64
} __packed;
65

66
struct msft_rp_le_cancel_monitor_advertisement {
67
	__u8 status;
68
	__u8 sub_opcode;
69
} __packed;
70

71
#define MSFT_OP_LE_SET_ADVERTISEMENT_FILTER_ENABLE	0x05
72
struct msft_cp_le_set_advertisement_filter_enable {
73
	__u8 sub_opcode;
74
	__u8 enable;
75
} __packed;
76

77
struct msft_rp_le_set_advertisement_filter_enable {
78
	__u8 status;
79
	__u8 sub_opcode;
80
} __packed;
81

82
#define MSFT_EV_LE_MONITOR_DEVICE	0x02
83
struct msft_ev_le_monitor_device {
84
	__u8     addr_type;
85
	bdaddr_t bdaddr;
86
	__u8     monitor_handle;
87
	__u8     monitor_state;
88
} __packed;
89

90
struct msft_monitor_advertisement_handle_data {
91
	__u8  msft_handle;
92
	__u16 mgmt_handle;
93
	__s8 rssi_high;
94
	__s8 rssi_low;
95
	__u8 rssi_low_interval;
96
	__u8 rssi_sampling_period;
97
	__u8 cond_type;
98
	struct list_head list;
99
};
100

101
enum monitor_addr_filter_state {
102
	AF_STATE_IDLE,
103
	AF_STATE_ADDING,
104
	AF_STATE_ADDED,
105
	AF_STATE_REMOVING,
106
};
107

108
#define MSFT_MONITOR_ADVERTISEMENT_TYPE_ADDR	0x04
109
struct msft_monitor_addr_filter_data {
110
	__u8     msft_handle;
111
	__u8     pattern_handle; /* address filters pertain to */
112
	__u16    mgmt_handle;
113
	int      state;
114
	__s8     rssi_high;
115
	__s8     rssi_low;
116
	__u8     rssi_low_interval;
117
	__u8     rssi_sampling_period;
118
	__u8     addr_type;
119
	bdaddr_t bdaddr;
120
	struct list_head list;
121
};
122

123
struct msft_data {
124
	__u64 features;
125
	__u8  evt_prefix_len;
126
	__u8  *evt_prefix;
127
	struct list_head handle_map;
128
	struct list_head address_filters;
129
	__u8 resuming;
130
	__u8 suspending;
131
	__u8 filter_enabled;
132
	/* To synchronize add/remove address filter and monitor device event.*/
133
	struct mutex filter_lock;
134
};
135

136
bool msft_monitor_supported(struct hci_dev *hdev)
137
{
138
	return !!(msft_get_features(hdev) & MSFT_FEATURE_MASK_LE_ADV_MONITOR);
139
}
140

141
static bool read_supported_features(struct hci_dev *hdev,
142
				    struct msft_data *msft)
143
{
144
	struct msft_cp_read_supported_features cp;
145
	struct msft_rp_read_supported_features *rp;
146
	struct sk_buff *skb;
147

148
	cp.sub_opcode = MSFT_OP_READ_SUPPORTED_FEATURES;
149

150
	skb = __hci_cmd_sync(hdev, hdev->msft_opcode, sizeof(cp), &cp,
151
			     HCI_CMD_TIMEOUT);
152
	if (IS_ERR(skb)) {
153
		bt_dev_err(hdev, "Failed to read MSFT supported features (%ld)",
154
			   PTR_ERR(skb));
155
		return false;
156
	}
157

158
	if (skb->len < sizeof(*rp)) {
159
		bt_dev_err(hdev, "MSFT supported features length mismatch");
160
		goto failed;
161
	}
162

163
	rp = (struct msft_rp_read_supported_features *)skb->data;
164

165
	if (rp->sub_opcode != MSFT_OP_READ_SUPPORTED_FEATURES)
166
		goto failed;
167

168
	if (rp->evt_prefix_len > 0) {
169
		msft->evt_prefix = kmemdup(rp->evt_prefix, rp->evt_prefix_len,
170
					   GFP_KERNEL);
171
		if (!msft->evt_prefix)
172
			goto failed;
173
	}
174

175
	msft->evt_prefix_len = rp->evt_prefix_len;
176
	msft->features = __le64_to_cpu(rp->features);
177

178
	if (msft->features & MSFT_FEATURE_MASK_CURVE_VALIDITY)
179
		hdev->msft_curve_validity = true;
180

181
	kfree_skb(skb);
182
	return true;
183

184
failed:
185
	kfree_skb(skb);
186
	return false;
187
}
188

189
/* is_mgmt = true matches the handle exposed to userspace via mgmt.
190
 * is_mgmt = false matches the handle used by the msft controller.
191
 * This function requires the caller holds hdev->lock
192
 */
193
static struct msft_monitor_advertisement_handle_data *msft_find_handle_data
194
				(struct hci_dev *hdev, u16 handle, bool is_mgmt)
195
{
196
	struct msft_monitor_advertisement_handle_data *entry;
197
	struct msft_data *msft = hdev->msft_data;
198

199
	list_for_each_entry(entry, &msft->handle_map, list) {
200
		if (is_mgmt && entry->mgmt_handle == handle)
201
			return entry;
202
		if (!is_mgmt && entry->msft_handle == handle)
203
			return entry;
204
	}
205

206
	return NULL;
207
}
208

209
/* This function requires the caller holds msft->filter_lock */
210
static struct msft_monitor_addr_filter_data *msft_find_address_data
211
			(struct hci_dev *hdev, u8 addr_type, bdaddr_t *addr,
212
			 u8 pattern_handle)
213
{
214
	struct msft_monitor_addr_filter_data *entry;
215
	struct msft_data *msft = hdev->msft_data;
216

217
	list_for_each_entry(entry, &msft->address_filters, list) {
218
		if (entry->pattern_handle == pattern_handle &&
219
		    addr_type == entry->addr_type &&
220
		    !bacmp(addr, &entry->bdaddr))
221
			return entry;
222
	}
223

224
	return NULL;
225
}
226

227
/* This function requires the caller holds hdev->lock */
228
static int msft_monitor_device_del(struct hci_dev *hdev, __u16 mgmt_handle,
229
				   bdaddr_t *bdaddr, __u8 addr_type,
230
				   bool notify)
231
{
232
	struct monitored_device *dev, *tmp;
233
	int count = 0;
234

235
	list_for_each_entry_safe(dev, tmp, &hdev->monitored_devices, list) {
236
		/* mgmt_handle == 0 indicates remove all devices, whereas,
237
		 * bdaddr == NULL indicates remove all devices matching the
238
		 * mgmt_handle.
239
		 */
240
		if ((!mgmt_handle || dev->handle == mgmt_handle) &&
241
		    (!bdaddr || (!bacmp(bdaddr, &dev->bdaddr) &&
242
				 addr_type == dev->addr_type))) {
243
			if (notify && dev->notified) {
244
				mgmt_adv_monitor_device_lost(hdev, dev->handle,
245
							     &dev->bdaddr,
246
							     dev->addr_type);
247
			}
248

249
			list_del(&dev->list);
250
			kfree(dev);
251
			count++;
252
		}
253
	}
254

255
	return count;
256
}
257

258
static int msft_le_monitor_advertisement_cb(struct hci_dev *hdev, u16 opcode,
259
					    struct adv_monitor *monitor,
260
					    struct sk_buff *skb)
261
{
262
	struct msft_rp_le_monitor_advertisement *rp;
263
	struct msft_monitor_advertisement_handle_data *handle_data;
264
	struct msft_data *msft = hdev->msft_data;
265
	int status = 0;
266

267
	hci_dev_lock(hdev);
268

269
	rp = (struct msft_rp_le_monitor_advertisement *)skb->data;
270
	if (skb->len < sizeof(*rp)) {
271
		status = HCI_ERROR_UNSPECIFIED;
272
		goto unlock;
273
	}
274

275
	status = rp->status;
276
	if (status)
277
		goto unlock;
278

279
	handle_data = kmalloc(sizeof(*handle_data), GFP_KERNEL);
280
	if (!handle_data) {
281
		status = HCI_ERROR_UNSPECIFIED;
282
		goto unlock;
283
	}
284

285
	handle_data->mgmt_handle = monitor->handle;
286
	handle_data->msft_handle = rp->handle;
287
	handle_data->cond_type   = MSFT_MONITOR_ADVERTISEMENT_TYPE_PATTERN;
288
	INIT_LIST_HEAD(&handle_data->list);
289
	list_add(&handle_data->list, &msft->handle_map);
290

291
	monitor->state = ADV_MONITOR_STATE_OFFLOADED;
292

293
unlock:
294
	if (status)
295
		hci_free_adv_monitor(hdev, monitor);
296

297
	hci_dev_unlock(hdev);
298

299
	return status;
300
}
301

302
/* This function requires the caller holds hci_req_sync_lock */
303
static void msft_remove_addr_filters_sync(struct hci_dev *hdev, u8 handle)
304
{
305
	struct msft_monitor_addr_filter_data *address_filter, *n;
306
	struct msft_cp_le_cancel_monitor_advertisement cp;
307
	struct msft_data *msft = hdev->msft_data;
308
	struct list_head head;
309
	struct sk_buff *skb;
310

311
	INIT_LIST_HEAD(&head);
312

313
	/* Cancel all corresponding address monitors */
314
	mutex_lock(&msft->filter_lock);
315

316
	list_for_each_entry_safe(address_filter, n, &msft->address_filters,
317
				 list) {
318
		if (address_filter->pattern_handle != handle)
319
			continue;
320

321
		list_del(&address_filter->list);
322

323
		/* Keep the address filter and let
324
		 * msft_add_address_filter_sync() remove and free the address
325
		 * filter.
326
		 */
327
		if (address_filter->state == AF_STATE_ADDING) {
328
			address_filter->state = AF_STATE_REMOVING;
329
			continue;
330
		}
331

332
		/* Keep the address filter and let
333
		 * msft_cancel_address_filter_sync() remove and free the address
334
		 * filter
335
		 */
336
		if (address_filter->state == AF_STATE_REMOVING)
337
			continue;
338

339
		list_add_tail(&address_filter->list, &head);
340
	}
341

342
	mutex_unlock(&msft->filter_lock);
343

344
	list_for_each_entry_safe(address_filter, n, &head, list) {
345
		list_del(&address_filter->list);
346

347
		cp.sub_opcode = MSFT_OP_LE_CANCEL_MONITOR_ADVERTISEMENT;
348
		cp.handle = address_filter->msft_handle;
349

350
		skb = __hci_cmd_sync(hdev, hdev->msft_opcode, sizeof(cp), &cp,
351
				     HCI_CMD_TIMEOUT);
352
		if (IS_ERR(skb)) {
353
			kfree(address_filter);
354
			continue;
355
		}
356

357
		kfree_skb(skb);
358

359
		bt_dev_dbg(hdev, "MSFT: Canceled device %pMR address filter",
360
			   &address_filter->bdaddr);
361

362
		kfree(address_filter);
363
	}
364
}
365

366
static int msft_le_cancel_monitor_advertisement_cb(struct hci_dev *hdev,
367
						   u16 opcode,
368
						   struct adv_monitor *monitor,
369
						   struct sk_buff *skb)
370
{
371
	struct msft_rp_le_cancel_monitor_advertisement *rp;
372
	struct msft_monitor_advertisement_handle_data *handle_data;
373
	struct msft_data *msft = hdev->msft_data;
374
	int status = 0;
375
	u8 msft_handle;
376

377
	rp = (struct msft_rp_le_cancel_monitor_advertisement *)skb->data;
378
	if (skb->len < sizeof(*rp)) {
379
		status = HCI_ERROR_UNSPECIFIED;
380
		goto done;
381
	}
382

383
	status = rp->status;
384
	if (status)
385
		goto done;
386

387
	hci_dev_lock(hdev);
388

389
	handle_data = msft_find_handle_data(hdev, monitor->handle, true);
390

391
	if (handle_data) {
392
		if (monitor->state == ADV_MONITOR_STATE_OFFLOADED)
393
			monitor->state = ADV_MONITOR_STATE_REGISTERED;
394

395
		/* Do not free the monitor if it is being removed due to
396
		 * suspend. It will be re-monitored on resume.
397
		 */
398
		if (!msft->suspending) {
399
			hci_free_adv_monitor(hdev, monitor);
400

401
			/* Clear any monitored devices by this Adv Monitor */
402
			msft_monitor_device_del(hdev, handle_data->mgmt_handle,
403
						NULL, 0, false);
404
		}
405

406
		msft_handle = handle_data->msft_handle;
407

408
		list_del(&handle_data->list);
409
		kfree(handle_data);
410

411
		hci_dev_unlock(hdev);
412

413
		msft_remove_addr_filters_sync(hdev, msft_handle);
414
	} else {
415
		hci_dev_unlock(hdev);
416
	}
417

418
done:
419
	return status;
420
}
421

422
/* This function requires the caller holds hci_req_sync_lock */
423
static int msft_remove_monitor_sync(struct hci_dev *hdev,
424
				    struct adv_monitor *monitor)
425
{
426
	struct msft_cp_le_cancel_monitor_advertisement cp;
427
	struct msft_monitor_advertisement_handle_data *handle_data;
428
	struct sk_buff *skb;
429

430
	handle_data = msft_find_handle_data(hdev, monitor->handle, true);
431

432
	/* If no matched handle, just remove without telling controller */
433
	if (!handle_data)
434
		return -ENOENT;
435

436
	cp.sub_opcode = MSFT_OP_LE_CANCEL_MONITOR_ADVERTISEMENT;
437
	cp.handle = handle_data->msft_handle;
438

439
	skb = __hci_cmd_sync(hdev, hdev->msft_opcode, sizeof(cp), &cp,
440
			     HCI_CMD_TIMEOUT);
441
	if (IS_ERR(skb))
442
		return PTR_ERR(skb);
443

444
	return msft_le_cancel_monitor_advertisement_cb(hdev, hdev->msft_opcode,
445
						       monitor, skb);
446
}
447

448
/* This function requires the caller holds hci_req_sync_lock */
449
int msft_suspend_sync(struct hci_dev *hdev)
450
{
451
	struct msft_data *msft = hdev->msft_data;
452
	struct adv_monitor *monitor;
453
	int handle = 0;
454

455
	if (!msft || !msft_monitor_supported(hdev))
456
		return 0;
457

458
	msft->suspending = true;
459

460
	while (1) {
461
		monitor = idr_get_next(&hdev->adv_monitors_idr, &handle);
462
		if (!monitor)
463
			break;
464

465
		msft_remove_monitor_sync(hdev, monitor);
466

467
		handle++;
468
	}
469

470
	/* All monitors have been removed */
471
	msft->suspending = false;
472

473
	return 0;
474
}
475

476
static bool msft_monitor_rssi_valid(struct adv_monitor *monitor)
477
{
478
	struct adv_rssi_thresholds *r = &monitor->rssi;
479

480
	if (r->high_threshold < MSFT_RSSI_THRESHOLD_VALUE_MIN ||
481
	    r->high_threshold > MSFT_RSSI_THRESHOLD_VALUE_MAX ||
482
	    r->low_threshold < MSFT_RSSI_THRESHOLD_VALUE_MIN ||
483
	    r->low_threshold > MSFT_RSSI_THRESHOLD_VALUE_MAX)
484
		return false;
485

486
	/* High_threshold_timeout is not supported,
487
	 * once high_threshold is reached, events are immediately reported.
488
	 */
489
	if (r->high_threshold_timeout != 0)
490
		return false;
491

492
	if (r->low_threshold_timeout > MSFT_RSSI_LOW_TIMEOUT_MAX)
493
		return false;
494

495
	/* Sampling period from 0x00 to 0xFF are all allowed */
496
	return true;
497
}
498

499
static bool msft_monitor_pattern_valid(struct adv_monitor *monitor)
500
{
501
	return msft_monitor_rssi_valid(monitor);
502
	/* No additional check needed for pattern-based monitor */
503
}
504

505
static int msft_add_monitor_sync(struct hci_dev *hdev,
506
				 struct adv_monitor *monitor)
507
{
508
	struct msft_cp_le_monitor_advertisement *cp;
509
	struct msft_le_monitor_advertisement_pattern_data *pattern_data;
510
	struct msft_monitor_advertisement_handle_data *handle_data;
511
	struct msft_le_monitor_advertisement_pattern *pattern;
512
	struct adv_pattern *entry;
513
	size_t total_size = sizeof(*cp) + sizeof(*pattern_data);
514
	ptrdiff_t offset = 0;
515
	u8 pattern_count = 0;
516
	struct sk_buff *skb;
517
	int err;
518

519
	if (!msft_monitor_pattern_valid(monitor))
520
		return -EINVAL;
521

522
	list_for_each_entry(entry, &monitor->patterns, list) {
523
		pattern_count++;
524
		total_size += sizeof(*pattern) + entry->length;
525
	}
526

527
	cp = kmalloc(total_size, GFP_KERNEL);
528
	if (!cp)
529
		return -ENOMEM;
530

531
	cp->sub_opcode = MSFT_OP_LE_MONITOR_ADVERTISEMENT;
532
	cp->rssi_high = monitor->rssi.high_threshold;
533
	cp->rssi_low = monitor->rssi.low_threshold;
534
	cp->rssi_low_interval = (u8)monitor->rssi.low_threshold_timeout;
535
	cp->rssi_sampling_period = monitor->rssi.sampling_period;
536

537
	cp->cond_type = MSFT_MONITOR_ADVERTISEMENT_TYPE_PATTERN;
538

539
	pattern_data = (void *)cp->data;
540
	pattern_data->count = pattern_count;
541

542
	list_for_each_entry(entry, &monitor->patterns, list) {
543
		pattern = (void *)(pattern_data->data + offset);
544
		/* the length also includes data_type and offset */
545
		pattern->length = entry->length + 2;
546
		pattern->data_type = entry->ad_type;
547
		pattern->start_byte = entry->offset;
548
		memcpy(pattern->pattern, entry->value, entry->length);
549
		offset += sizeof(*pattern) + entry->length;
550
	}
551

552
	skb = __hci_cmd_sync(hdev, hdev->msft_opcode, total_size, cp,
553
			     HCI_CMD_TIMEOUT);
554

555
	if (IS_ERR(skb)) {
556
		err = PTR_ERR(skb);
557
		goto out_free;
558
	}
559

560
	err = msft_le_monitor_advertisement_cb(hdev, hdev->msft_opcode,
561
					       monitor, skb);
562
	if (err)
563
		goto out_free;
564

565
	handle_data = msft_find_handle_data(hdev, monitor->handle, true);
566
	if (!handle_data) {
567
		err = -ENODATA;
568
		goto out_free;
569
	}
570

571
	handle_data->rssi_high	= cp->rssi_high;
572
	handle_data->rssi_low	= cp->rssi_low;
573
	handle_data->rssi_low_interval	  = cp->rssi_low_interval;
574
	handle_data->rssi_sampling_period = cp->rssi_sampling_period;
575

576
out_free:
577
	kfree(cp);
578
	return err;
579
}
580

581
/* This function requires the caller holds hci_req_sync_lock */
582
static void reregister_monitor(struct hci_dev *hdev)
583
{
584
	struct adv_monitor *monitor;
585
	struct msft_data *msft = hdev->msft_data;
586
	int handle = 0;
587

588
	if (!msft)
589
		return;
590

591
	msft->resuming = true;
592

593
	while (1) {
594
		monitor = idr_get_next(&hdev->adv_monitors_idr, &handle);
595
		if (!monitor)
596
			break;
597

598
		msft_add_monitor_sync(hdev, monitor);
599

600
		handle++;
601
	}
602

603
	/* All monitors have been reregistered */
604
	msft->resuming = false;
605
}
606

607
/* This function requires the caller holds hci_req_sync_lock */
608
int msft_resume_sync(struct hci_dev *hdev)
609
{
610
	struct msft_data *msft = hdev->msft_data;
611

612
	if (!msft || !msft_monitor_supported(hdev))
613
		return 0;
614

615
	hci_dev_lock(hdev);
616

617
	/* Clear already tracked devices on resume. Once the monitors are
618
	 * reregistered, devices in range will be found again after resume.
619
	 */
620
	hdev->advmon_pend_notify = false;
621
	msft_monitor_device_del(hdev, 0, NULL, 0, true);
622

623
	hci_dev_unlock(hdev);
624

625
	reregister_monitor(hdev);
626

627
	return 0;
628
}
629

630
/* This function requires the caller holds hci_req_sync_lock */
631
void msft_do_open(struct hci_dev *hdev)
632
{
633
	struct msft_data *msft = hdev->msft_data;
634

635
	if (hdev->msft_opcode == HCI_OP_NOP)
636
		return;
637

638
	if (!msft) {
639
		bt_dev_err(hdev, "MSFT extension not registered");
640
		return;
641
	}
642

643
	bt_dev_dbg(hdev, "Initialize MSFT extension");
644

645
	/* Reset existing MSFT data before re-reading */
646
	kfree(msft->evt_prefix);
647
	msft->evt_prefix = NULL;
648
	msft->evt_prefix_len = 0;
649
	msft->features = 0;
650

651
	if (!read_supported_features(hdev, msft)) {
652
		hdev->msft_data = NULL;
653
		kfree(msft);
654
		return;
655
	}
656

657
	if (msft_monitor_supported(hdev)) {
658
		msft->resuming = true;
659
		msft_set_filter_enable(hdev, true);
660
		/* Monitors get removed on power off, so we need to explicitly
661
		 * tell the controller to re-monitor.
662
		 */
663
		reregister_monitor(hdev);
664
	}
665
}
666

667
void msft_do_close(struct hci_dev *hdev)
668
{
669
	struct msft_data *msft = hdev->msft_data;
670
	struct msft_monitor_advertisement_handle_data *handle_data, *tmp;
671
	struct msft_monitor_addr_filter_data *address_filter, *n;
672
	struct adv_monitor *monitor;
673

674
	if (!msft)
675
		return;
676

677
	bt_dev_dbg(hdev, "Cleanup of MSFT extension");
678

679
	/* The controller will silently remove all monitors on power off.
680
	 * Therefore, remove handle_data mapping and reset monitor state.
681
	 */
682
	list_for_each_entry_safe(handle_data, tmp, &msft->handle_map, list) {
683
		monitor = idr_find(&hdev->adv_monitors_idr,
684
				   handle_data->mgmt_handle);
685

686
		if (monitor && monitor->state == ADV_MONITOR_STATE_OFFLOADED)
687
			monitor->state = ADV_MONITOR_STATE_REGISTERED;
688

689
		list_del(&handle_data->list);
690
		kfree(handle_data);
691
	}
692

693
	mutex_lock(&msft->filter_lock);
694
	list_for_each_entry_safe(address_filter, n, &msft->address_filters,
695
				 list) {
696
		list_del(&address_filter->list);
697
		kfree(address_filter);
698
	}
699
	mutex_unlock(&msft->filter_lock);
700

701
	hci_dev_lock(hdev);
702

703
	/* Clear any devices that are being monitored and notify device lost */
704
	hdev->advmon_pend_notify = false;
705
	msft_monitor_device_del(hdev, 0, NULL, 0, true);
706

707
	hci_dev_unlock(hdev);
708
}
709

710
static int msft_cancel_address_filter_sync(struct hci_dev *hdev, void *data)
711
{
712
	struct msft_monitor_addr_filter_data *address_filter = data;
713
	struct msft_cp_le_cancel_monitor_advertisement cp;
714
	struct msft_data *msft = hdev->msft_data;
715
	struct sk_buff *skb;
716
	int err = 0;
717

718
	if (!msft) {
719
		bt_dev_err(hdev, "MSFT: msft data is freed");
720
		return -EINVAL;
721
	}
722

723
	/* The address filter has been removed by hci dev close */
724
	if (!test_bit(HCI_UP, &hdev->flags))
725
		return 0;
726

727
	mutex_lock(&msft->filter_lock);
728
	list_del(&address_filter->list);
729
	mutex_unlock(&msft->filter_lock);
730

731
	cp.sub_opcode = MSFT_OP_LE_CANCEL_MONITOR_ADVERTISEMENT;
732
	cp.handle = address_filter->msft_handle;
733

734
	skb = __hci_cmd_sync(hdev, hdev->msft_opcode, sizeof(cp), &cp,
735
			     HCI_CMD_TIMEOUT);
736
	if (IS_ERR(skb)) {
737
		bt_dev_err(hdev, "MSFT: Failed to cancel address (%pMR) filter",
738
			   &address_filter->bdaddr);
739
		err = PTR_ERR(skb);
740
		goto done;
741
	}
742
	kfree_skb(skb);
743

744
	bt_dev_dbg(hdev, "MSFT: Canceled device %pMR address filter",
745
		   &address_filter->bdaddr);
746

747
done:
748
	kfree(address_filter);
749

750
	return err;
751
}
752

753
void msft_register(struct hci_dev *hdev)
754
{
755
	struct msft_data *msft = NULL;
756

757
	bt_dev_dbg(hdev, "Register MSFT extension");
758

759
	msft = kzalloc(sizeof(*msft), GFP_KERNEL);
760
	if (!msft) {
761
		bt_dev_err(hdev, "Failed to register MSFT extension");
762
		return;
763
	}
764

765
	INIT_LIST_HEAD(&msft->handle_map);
766
	INIT_LIST_HEAD(&msft->address_filters);
767
	hdev->msft_data = msft;
768
	mutex_init(&msft->filter_lock);
769
}
770

771
void msft_release(struct hci_dev *hdev)
772
{
773
	struct msft_data *msft = hdev->msft_data;
774

775
	if (!msft)
776
		return;
777

778
	bt_dev_dbg(hdev, "Unregister MSFT extension");
779

780
	hdev->msft_data = NULL;
781

782
	kfree(msft->evt_prefix);
783
	mutex_destroy(&msft->filter_lock);
784
	kfree(msft);
785
}
786

787
/* This function requires the caller holds hdev->lock */
788
static void msft_device_found(struct hci_dev *hdev, bdaddr_t *bdaddr,
789
			      __u8 addr_type, __u16 mgmt_handle)
790
{
791
	struct monitored_device *dev;
792

793
	dev = kmalloc(sizeof(*dev), GFP_KERNEL);
794
	if (!dev) {
795
		bt_dev_err(hdev, "MSFT vendor event %u: no memory",
796
			   MSFT_EV_LE_MONITOR_DEVICE);
797
		return;
798
	}
799

800
	bacpy(&dev->bdaddr, bdaddr);
801
	dev->addr_type = addr_type;
802
	dev->handle = mgmt_handle;
803
	dev->notified = false;
804

805
	INIT_LIST_HEAD(&dev->list);
806
	list_add(&dev->list, &hdev->monitored_devices);
807
	hdev->advmon_pend_notify = true;
808
}
809

810
/* This function requires the caller holds hdev->lock */
811
static void msft_device_lost(struct hci_dev *hdev, bdaddr_t *bdaddr,
812
			     __u8 addr_type, __u16 mgmt_handle)
813
{
814
	if (!msft_monitor_device_del(hdev, mgmt_handle, bdaddr, addr_type,
815
				     true)) {
816
		bt_dev_err(hdev, "MSFT vendor event %u: dev %pMR not in list",
817
			   MSFT_EV_LE_MONITOR_DEVICE, bdaddr);
818
	}
819
}
820

821
static void *msft_skb_pull(struct hci_dev *hdev, struct sk_buff *skb,
822
			   u8 ev, size_t len)
823
{
824
	void *data;
825

826
	data = skb_pull_data(skb, len);
827
	if (!data)
828
		bt_dev_err(hdev, "Malformed MSFT vendor event: 0x%02x", ev);
829

830
	return data;
831
}
832

833
static int msft_add_address_filter_sync(struct hci_dev *hdev, void *data)
834
{
835
	struct msft_monitor_addr_filter_data *address_filter = data;
836
	struct msft_rp_le_monitor_advertisement *rp;
837
	struct msft_cp_le_monitor_advertisement *cp;
838
	struct msft_data *msft = hdev->msft_data;
839
	struct sk_buff *skb = NULL;
840
	bool remove = false;
841
	size_t size;
842

843
	if (!msft) {
844
		bt_dev_err(hdev, "MSFT: msft data is freed");
845
		return -EINVAL;
846
	}
847

848
	/* The address filter has been removed by hci dev close */
849
	if (!test_bit(HCI_UP, &hdev->flags))
850
		return -ENODEV;
851

852
	/* We are safe to use the address filter from now on.
853
	 * msft_monitor_device_evt() wouldn't delete this filter because it's
854
	 * not been added by now.
855
	 * And all other functions that requiring hci_req_sync_lock wouldn't
856
	 * touch this filter before this func completes because it's protected
857
	 * by hci_req_sync_lock.
858
	 */
859

860
	if (address_filter->state == AF_STATE_REMOVING) {
861
		mutex_lock(&msft->filter_lock);
862
		list_del(&address_filter->list);
863
		mutex_unlock(&msft->filter_lock);
864
		kfree(address_filter);
865
		return 0;
866
	}
867

868
	size = sizeof(*cp) +
869
	       sizeof(address_filter->addr_type) +
870
	       sizeof(address_filter->bdaddr);
871
	cp = kzalloc(size, GFP_KERNEL);
872
	if (!cp) {
873
		bt_dev_err(hdev, "MSFT: Alloc cmd param err");
874
		remove = true;
875
		goto done;
876
	}
877

878
	cp->sub_opcode           = MSFT_OP_LE_MONITOR_ADVERTISEMENT;
879
	cp->rssi_high		 = address_filter->rssi_high;
880
	cp->rssi_low		 = address_filter->rssi_low;
881
	cp->rssi_low_interval    = address_filter->rssi_low_interval;
882
	cp->rssi_sampling_period = address_filter->rssi_sampling_period;
883
	cp->cond_type            = MSFT_MONITOR_ADVERTISEMENT_TYPE_ADDR;
884
	cp->data[0]              = address_filter->addr_type;
885
	memcpy(&cp->data[1], &address_filter->bdaddr,
886
	       sizeof(address_filter->bdaddr));
887

888
	skb = __hci_cmd_sync(hdev, hdev->msft_opcode, size, cp,
889
			     HCI_CMD_TIMEOUT);
890
	kfree(cp);
891

892
	if (IS_ERR(skb)) {
893
		bt_dev_err(hdev, "Failed to enable address %pMR filter",
894
			   &address_filter->bdaddr);
895
		skb = NULL;
896
		remove = true;
897
		goto done;
898
	}
899

900
	rp = skb_pull_data(skb, sizeof(*rp));
901
	if (!rp || rp->sub_opcode != MSFT_OP_LE_MONITOR_ADVERTISEMENT ||
902
	    rp->status)
903
		remove = true;
904

905
done:
906
	mutex_lock(&msft->filter_lock);
907

908
	if (remove) {
909
		bt_dev_warn(hdev, "MSFT: Remove address (%pMR) filter",
910
			    &address_filter->bdaddr);
911
		list_del(&address_filter->list);
912
		kfree(address_filter);
913
	} else {
914
		address_filter->state = AF_STATE_ADDED;
915
		address_filter->msft_handle = rp->handle;
916
		bt_dev_dbg(hdev, "MSFT: Address %pMR filter enabled",
917
			   &address_filter->bdaddr);
918
	}
919
	mutex_unlock(&msft->filter_lock);
920

921
	kfree_skb(skb);
922

923
	return 0;
924
}
925

926
/* This function requires the caller holds msft->filter_lock */
927
static struct msft_monitor_addr_filter_data *msft_add_address_filter
928
		(struct hci_dev *hdev, u8 addr_type, bdaddr_t *bdaddr,
929
		 struct msft_monitor_advertisement_handle_data *handle_data)
930
{
931
	struct msft_monitor_addr_filter_data *address_filter = NULL;
932
	struct msft_data *msft = hdev->msft_data;
933
	int err;
934

935
	address_filter = kzalloc(sizeof(*address_filter), GFP_KERNEL);
936
	if (!address_filter)
937
		return NULL;
938

939
	address_filter->state             = AF_STATE_ADDING;
940
	address_filter->msft_handle       = 0xff;
941
	address_filter->pattern_handle    = handle_data->msft_handle;
942
	address_filter->mgmt_handle       = handle_data->mgmt_handle;
943
	address_filter->rssi_high         = handle_data->rssi_high;
944
	address_filter->rssi_low          = handle_data->rssi_low;
945
	address_filter->rssi_low_interval = handle_data->rssi_low_interval;
946
	address_filter->rssi_sampling_period = handle_data->rssi_sampling_period;
947
	address_filter->addr_type            = addr_type;
948
	bacpy(&address_filter->bdaddr, bdaddr);
949

950
	/* With the above AF_STATE_ADDING, duplicated address filter can be
951
	 * avoided when receiving monitor device event (found/lost) frequently
952
	 * for the same device.
953
	 */
954
	list_add_tail(&address_filter->list, &msft->address_filters);
955

956
	err = hci_cmd_sync_queue(hdev, msft_add_address_filter_sync,
957
				 address_filter, NULL);
958
	if (err < 0) {
959
		bt_dev_err(hdev, "MSFT: Add address %pMR filter err", bdaddr);
960
		list_del(&address_filter->list);
961
		kfree(address_filter);
962
		return NULL;
963
	}
964

965
	bt_dev_dbg(hdev, "MSFT: Add device %pMR address filter",
966
		   &address_filter->bdaddr);
967

968
	return address_filter;
969
}
970

971
/* This function requires the caller holds hdev->lock */
972
static void msft_monitor_device_evt(struct hci_dev *hdev, struct sk_buff *skb)
973
{
974
	struct msft_monitor_addr_filter_data *n, *address_filter = NULL;
975
	struct msft_ev_le_monitor_device *ev;
976
	struct msft_monitor_advertisement_handle_data *handle_data;
977
	struct msft_data *msft = hdev->msft_data;
978
	u16 mgmt_handle = 0xffff;
979
	u8 addr_type;
980

981
	ev = msft_skb_pull(hdev, skb, MSFT_EV_LE_MONITOR_DEVICE, sizeof(*ev));
982
	if (!ev)
983
		return;
984

985
	bt_dev_dbg(hdev,
986
		   "MSFT vendor event 0x%02x: handle 0x%04x state %d addr %pMR",
987
		   MSFT_EV_LE_MONITOR_DEVICE, ev->monitor_handle,
988
		   ev->monitor_state, &ev->bdaddr);
989

990
	handle_data = msft_find_handle_data(hdev, ev->monitor_handle, false);
991

992
	if (!hci_test_quirk(hdev, HCI_QUIRK_USE_MSFT_EXT_ADDRESS_FILTER)) {
993
		if (!handle_data)
994
			return;
995
		mgmt_handle = handle_data->mgmt_handle;
996
		goto report_state;
997
	}
998

999
	if (handle_data) {
1000
		/* Don't report any device found/lost event from pattern
1001
		 * monitors. Pattern monitor always has its address filters for
1002
		 * tracking devices.
1003
		 */
1004

1005
		address_filter = msft_find_address_data(hdev, ev->addr_type,
1006
							&ev->bdaddr,
1007
							handle_data->msft_handle);
1008
		if (address_filter)
1009
			return;
1010

1011
		if (ev->monitor_state && handle_data->cond_type ==
1012
				MSFT_MONITOR_ADVERTISEMENT_TYPE_PATTERN)
1013
			msft_add_address_filter(hdev, ev->addr_type,
1014
						&ev->bdaddr, handle_data);
1015

1016
		return;
1017
	}
1018

1019
	/* This device event is not from pattern monitor.
1020
	 * Report it if there is a corresponding address_filter for it.
1021
	 */
1022
	list_for_each_entry(n, &msft->address_filters, list) {
1023
		if (n->state == AF_STATE_ADDED &&
1024
		    n->msft_handle == ev->monitor_handle) {
1025
			mgmt_handle = n->mgmt_handle;
1026
			address_filter = n;
1027
			break;
1028
		}
1029
	}
1030

1031
	if (!address_filter) {
1032
		bt_dev_warn(hdev, "MSFT: Unexpected device event %pMR, %u, %u",
1033
			    &ev->bdaddr, ev->monitor_handle, ev->monitor_state);
1034
		return;
1035
	}
1036

1037
report_state:
1038
	switch (ev->addr_type) {
1039
	case ADDR_LE_DEV_PUBLIC:
1040
		addr_type = BDADDR_LE_PUBLIC;
1041
		break;
1042

1043
	case ADDR_LE_DEV_RANDOM:
1044
		addr_type = BDADDR_LE_RANDOM;
1045
		break;
1046

1047
	default:
1048
		bt_dev_err(hdev,
1049
			   "MSFT vendor event 0x%02x: unknown addr type 0x%02x",
1050
			   MSFT_EV_LE_MONITOR_DEVICE, ev->addr_type);
1051
		return;
1052
	}
1053

1054
	if (ev->monitor_state) {
1055
		msft_device_found(hdev, &ev->bdaddr, addr_type, mgmt_handle);
1056
	} else {
1057
		if (address_filter && address_filter->state == AF_STATE_ADDED) {
1058
			address_filter->state = AF_STATE_REMOVING;
1059
			hci_cmd_sync_queue(hdev,
1060
					   msft_cancel_address_filter_sync,
1061
					   address_filter,
1062
					   NULL);
1063
		}
1064
		msft_device_lost(hdev, &ev->bdaddr, addr_type, mgmt_handle);
1065
	}
1066
}
1067

1068
void msft_vendor_evt(struct hci_dev *hdev, void *data, struct sk_buff *skb)
1069
{
1070
	struct msft_data *msft = hdev->msft_data;
1071
	u8 *evt_prefix;
1072
	u8 *evt;
1073

1074
	if (!msft)
1075
		return;
1076

1077
	/* When the extension has defined an event prefix, check that it
1078
	 * matches, and otherwise just return.
1079
	 */
1080
	if (msft->evt_prefix_len > 0) {
1081
		evt_prefix = msft_skb_pull(hdev, skb, 0, msft->evt_prefix_len);
1082
		if (!evt_prefix)
1083
			return;
1084

1085
		if (memcmp(evt_prefix, msft->evt_prefix, msft->evt_prefix_len))
1086
			return;
1087
	}
1088

1089
	/* Every event starts at least with an event code and the rest of
1090
	 * the data is variable and depends on the event code.
1091
	 */
1092
	if (skb->len < 1)
1093
		return;
1094

1095
	evt = msft_skb_pull(hdev, skb, 0, sizeof(*evt));
1096
	if (!evt)
1097
		return;
1098

1099
	hci_dev_lock(hdev);
1100

1101
	switch (*evt) {
1102
	case MSFT_EV_LE_MONITOR_DEVICE:
1103
		mutex_lock(&msft->filter_lock);
1104
		msft_monitor_device_evt(hdev, skb);
1105
		mutex_unlock(&msft->filter_lock);
1106
		break;
1107

1108
	default:
1109
		bt_dev_dbg(hdev, "MSFT vendor event 0x%02x", *evt);
1110
		break;
1111
	}
1112

1113
	hci_dev_unlock(hdev);
1114
}
1115

1116
__u64 msft_get_features(struct hci_dev *hdev)
1117
{
1118
	struct msft_data *msft = hdev->msft_data;
1119

1120
	return msft ? msft->features : 0;
1121
}
1122

1123
static void msft_le_set_advertisement_filter_enable_cb(struct hci_dev *hdev,
1124
						       void *user_data,
1125
						       u8 status)
1126
{
1127
	struct msft_cp_le_set_advertisement_filter_enable *cp = user_data;
1128
	struct msft_data *msft = hdev->msft_data;
1129

1130
	/* Error 0x0C would be returned if the filter enabled status is
1131
	 * already set to whatever we were trying to set.
1132
	 * Although the default state should be disabled, some controller set
1133
	 * the initial value to enabled. Because there is no way to know the
1134
	 * actual initial value before sending this command, here we also treat
1135
	 * error 0x0C as success.
1136
	 */
1137
	if (status != 0x00 && status != 0x0C)
1138
		return;
1139

1140
	hci_dev_lock(hdev);
1141

1142
	msft->filter_enabled = cp->enable;
1143

1144
	if (status == 0x0C)
1145
		bt_dev_warn(hdev, "MSFT filter_enable is already %s",
1146
			    cp->enable ? "on" : "off");
1147

1148
	hci_dev_unlock(hdev);
1149
}
1150

1151
/* This function requires the caller holds hci_req_sync_lock */
1152
int msft_add_monitor_pattern(struct hci_dev *hdev, struct adv_monitor *monitor)
1153
{
1154
	struct msft_data *msft = hdev->msft_data;
1155

1156
	if (!msft)
1157
		return -EOPNOTSUPP;
1158

1159
	if (msft->resuming || msft->suspending)
1160
		return -EBUSY;
1161

1162
	return msft_add_monitor_sync(hdev, monitor);
1163
}
1164

1165
/* This function requires the caller holds hci_req_sync_lock */
1166
int msft_remove_monitor(struct hci_dev *hdev, struct adv_monitor *monitor)
1167
{
1168
	struct msft_data *msft = hdev->msft_data;
1169

1170
	if (!msft)
1171
		return -EOPNOTSUPP;
1172

1173
	if (msft->resuming || msft->suspending)
1174
		return -EBUSY;
1175

1176
	return msft_remove_monitor_sync(hdev, monitor);
1177
}
1178

1179
int msft_set_filter_enable(struct hci_dev *hdev, bool enable)
1180
{
1181
	struct msft_cp_le_set_advertisement_filter_enable cp;
1182
	struct msft_data *msft = hdev->msft_data;
1183
	int err;
1184

1185
	if (!msft)
1186
		return -EOPNOTSUPP;
1187

1188
	cp.sub_opcode = MSFT_OP_LE_SET_ADVERTISEMENT_FILTER_ENABLE;
1189
	cp.enable = enable;
1190
	err = __hci_cmd_sync_status(hdev, hdev->msft_opcode, sizeof(cp), &cp,
1191
				    HCI_CMD_TIMEOUT);
1192

1193
	msft_le_set_advertisement_filter_enable_cb(hdev, &cp, err);
1194

1195
	return 0;
1196
}
1197

1198
bool msft_curve_validity(struct hci_dev *hdev)
1199
{
1200
	return hdev->msft_curve_validity;
1201
}
1202

1203