17.1: Reconcile picks

gains 10 Bluetooth patches + some corrections

Signed-off-by: Tavi <tavi@divested.dev>

Patches/LineageOS-17.1/android_frameworks_av/403300.patch

@@ -1,4 +1,4 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From a9760e6a3e5a55ed5e67881bca5d3242ee5fe2ad Mon Sep 17 00:00:00 2001
 From: Wonsik Kim <wonsik@google.com>
 Date: Fri, 28 Jun 2024 00:33:51 +0000
 Subject: [PATCH] omx: check HDR10+ info param size
@@ -15,7 +15,7 @@ Change-Id: I72523e1de61e5f947174272b732e170e1c2964df
  1 file changed, 7 insertions(+)
 
 diff --git a/media/libstagefright/omx/SoftVideoDecoderOMXComponent.cpp b/media/libstagefright/omx/SoftVideoDecoderOMXComponent.cpp
-index 418302389d..4ab5d10609 100644
+index 418302389d1..4ab5d106096 100644
 --- a/media/libstagefright/omx/SoftVideoDecoderOMXComponent.cpp
 +++ b/media/libstagefright/omx/SoftVideoDecoderOMXComponent.cpp
 @@ -619,6 +619,13 @@ OMX_ERRORTYPE SoftVideoDecoderOMXComponent::getConfig(

Patches/LineageOS-17.1/android_frameworks_base/403301.patch

@@ -1,4 +1,4 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From 337e31b00dc055d99911ec527f79183c2e881033 Mon Sep 17 00:00:00 2001
 From: Kiran Ramachandra <kiranmr@google.com>
 Date: Wed, 5 Jun 2024 21:03:33 +0000
 Subject: [PATCH] DO NOT MERGE Ignore - Sanitized uri scheme by removing scheme
@@ -19,10 +19,10 @@ Change-Id: I88b1550a5d8b3dc0f6286e28899884025d059645
  2 files changed, 16 insertions(+), 1 deletion(-)
 
 diff --git a/core/java/android/net/Uri.java b/core/java/android/net/Uri.java
-index 33acef7f9506..3f3501d1dbca 100644
+index 33acef7f95060..3f3501d1dbca5 100644
 --- a/core/java/android/net/Uri.java
 +++ b/core/java/android/net/Uri.java
-@@ -1380,7 +1380,11 @@ public abstract class Uri implements Parcelable, Comparable<Uri> {
+@@ -1380,7 +1380,11 @@ public Builder() {}
           * @param scheme name or {@code null} if this is a relative Uri
           */
          public Builder scheme(String scheme) {
@@ -36,10 +36,10 @@ index 33acef7f9506..3f3501d1dbca 100644
          }
  
 diff --git a/core/tests/coretests/src/android/net/UriTest.java b/core/tests/coretests/src/android/net/UriTest.java
-index 670aefd21d36..17a37831afdb 100644
+index 670aefd21d360..17a37831afdb1 100644
 --- a/core/tests/coretests/src/android/net/UriTest.java
 +++ b/core/tests/coretests/src/android/net/UriTest.java
-@@ -18,6 +18,7 @@ package android.net;
+@@ -18,6 +18,7 @@
  
  import android.content.ContentUris;
  import android.os.Parcel;
@@ -47,7 +47,7 @@ index 670aefd21d36..17a37831afdb 100644
  
  import androidx.test.filters.SmallTest;
  
-@@ -88,6 +89,16 @@ public class UriTest extends TestCase {
+@@ -88,6 +89,16 @@ public void testBuildUponOpaqueStringUri() {
          assertNull(u.getHost());
      }
  

Patches/LineageOS-17.1/android_packages_apps_Settings/403302.patch

@@ -1,4 +1,4 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From c766d2a2d50d579c4b711d1cacd2677e0afcf1a4 Mon Sep 17 00:00:00 2001
 From: Chaohui Wang <chaohuiw@google.com>
 Date: Thu, 2 Nov 2023 11:43:00 +0800
 Subject: [PATCH] Limit wifi item edit content's max length to 500

Patches/LineageOS-17.1/android_packages_apps_Settings/403303.patch

@@ -1,4 +1,4 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From e8fcd9986114b673068e77ad14202edc2b6aaaf5 Mon Sep 17 00:00:00 2001
 From: Jason Chiu <chiujason@google.com>
 Date: Wed, 31 Jan 2024 16:29:01 +0800
 Subject: [PATCH] Replace getCallingActivity() with getLaunchedFromPackage()
@@ -16,10 +16,10 @@ Merged-In: If97018c2741caef622f0596bbfeaa42ef1788b78
 Change-Id: If97018c2741caef622f0596bbfeaa42ef1788b78
 ---
  .../search/SearchFeatureProvider.java         |  2 +-
- .../search/SearchFeatureProviderImpl.java     | 20 +++++++++----------
+ .../search/SearchFeatureProviderImpl.java     | 26 +++++++++----------
- .../search/SearchResultTrampoline.java        |  2 +-
+ .../search/SearchResultTrampoline.java        | 11 +++++++-
- .../search/SearchFeatureProviderImplTest.java | 15 +++++++-------
+ .../search/SearchFeatureProviderImplTest.java | 15 ++++++-----
- 4 files changed, 19 insertions(+), 20 deletions(-)
+ 4 files changed, 31 insertions(+), 23 deletions(-)
 
 diff --git a/src/com/android/settings/search/SearchFeatureProvider.java b/src/com/android/settings/search/SearchFeatureProvider.java
 index 896f6e5c78c..cc6662acf1e 100644
@@ -35,7 +35,7 @@ index 896f6e5c78c..cc6662acf1e 100644
  
      /**
 diff --git a/src/com/android/settings/search/SearchFeatureProviderImpl.java b/src/com/android/settings/search/SearchFeatureProviderImpl.java
-index 63bf420c027..423779fbabf 100644
+index 63bf420c027..3a62ddfb67e 100644
 --- a/src/com/android/settings/search/SearchFeatureProviderImpl.java
 +++ b/src/com/android/settings/search/SearchFeatureProviderImpl.java
 @@ -17,13 +17,14 @@
@@ -54,7 +54,7 @@ index 63bf420c027..423779fbabf 100644
  import com.android.settingslib.search.SearchIndexableResources;
  import com.android.settingslib.search.SearchIndexableResourcesMobile;
  
-@@ -32,22 +33,19 @@ import com.android.settingslib.search.SearchIndexableResourcesMobile;
+@@ -32,26 +33,23 @@
   */
  public class SearchFeatureProviderImpl implements SearchFeatureProvider {
  
@@ -79,21 +79,57 @@ index 63bf420c027..423779fbabf 100644
 -        if (isSettingsPackage || isWhitelistedPackage) {
 +        final boolean isSettingsPackage = TextUtils.equals(callerPackage, context.getPackageName())
 +                || TextUtils.equals(getSettingsIntelligencePkgName(context), callerPackage);
-+        final boolean isAllowlistedPackage = isSignatureWhitelisted(context, callerPackage);
++        final boolean isAllowlistedPackage = isSignatureAllowlisted(context, callerPackage);
 +        if (isSettingsPackage || isAllowlistedPackage) {
              return;
          }
-         throw new SecurityException("Search result intents must be called with from a "
+-        throw new SecurityException("Search result intents must be called with from a "
+-                + "whitelisted package.");
++        throw new SecurityException("Search result intents must be called with from an "
++                + "allowlisted package.");
+     }
+ 
+     @Override
+@@ -69,7 +67,7 @@ public Intent buildSearchIntent(Context context, int pageId) {
+                 .putExtra(Intent.EXTRA_REFERRER, buildReferrer(context, pageId));
+     }
+ 
+-    protected boolean isSignatureWhitelisted(Context context, String callerPackage) {
++    protected boolean isSignatureAllowlisted(Context context, String callerPackage) {
+         return false;
+     }
+ 
 diff --git a/src/com/android/settings/search/SearchResultTrampoline.java b/src/com/android/settings/search/SearchResultTrampoline.java
-index 3bbe6bd58a7..70387b021d4 100644
+index 3bbe6bd58a7..3a14e874eae 100644
 --- a/src/com/android/settings/search/SearchResultTrampoline.java
 +++ b/src/com/android/settings/search/SearchResultTrampoline.java
-@@ -38,7 +38,7 @@ public class SearchResultTrampoline extends Activity {
+@@ -19,8 +19,10 @@
+ import static com.android.settings.SettingsActivity.EXTRA_SHOW_FRAGMENT_ARGUMENTS;
+ 
+ import android.app.Activity;
++import android.app.ActivityTaskManager;
+ import android.content.Intent;
+ import android.os.Bundle;
++import android.os.RemoteException;
+ 
+ import com.android.settings.SettingsActivity;
+ import com.android.settings.SubSettings;
+@@ -35,10 +37,17 @@ public class SearchResultTrampoline extends Activity {
+     protected void onCreate(Bundle savedInstanceState) {
+         super.onCreate(savedInstanceState);
+ 
++        String callerPackage;
++        try {
++            callerPackage = ActivityTaskManager.getService().getLaunchedFromPackage(getActivityToken());
++        } catch (RemoteException e) {
++            throw e.rethrowFromSystemServer();
++        }
++
          // First make sure caller has privilege to launch a search result page.
          FeatureFactory.getFactory(this)
                  .getSearchFeatureProvider()
 -                .verifyLaunchSearchResultPageCaller(this, getCallingActivity());
-+                .verifyLaunchSearchResultPageCaller(this, getCallingPackage());
++                .verifyLaunchSearchResultPageCaller(this, callerPackage);
          // Didn't crash, proceed and launch the result as a subsetting.
          final Intent intent = getIntent();
  
@@ -101,7 +137,7 @@ diff --git a/tests/robotests/src/com/android/settings/search/SearchFeatureProvid
 index 444a8137889..ebd935d3406 100644
 --- a/tests/robotests/src/com/android/settings/search/SearchFeatureProviderImplTest.java
 +++ b/tests/robotests/src/com/android/settings/search/SearchFeatureProviderImplTest.java
-@@ -21,7 +21,6 @@ import static com.google.common.truth.Truth.assertThat;
+@@ -21,7 +21,6 @@
  
  import android.app.Activity;
  import android.app.settings.SettingsEnums;
@@ -109,7 +145,7 @@ index 444a8137889..ebd935d3406 100644
  import android.content.Intent;
  import android.content.pm.ActivityInfo;
  import android.content.pm.ResolveInfo;
-@@ -126,20 +125,22 @@ public class SearchFeatureProviderImplTest {
+@@ -126,20 +125,22 @@ public void verifyLaunchSearchResultPageCaller_nullCaller_shouldCrash() {
  
      @Test(expected = SecurityException.class)
      public void verifyLaunchSearchResultPageCaller_badCaller_shouldCrash() {

Patches/LineageOS-17.1/android_packages_apps_Settings/403304.patch

@@ -1,4 +1,4 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From 4e81f642c6aba3a4344d5973436655b94bb9f0d6 Mon Sep 17 00:00:00 2001
 From: Chris Antol <cantol@google.com>
 Date: Tue, 4 Jun 2024 17:00:46 +0000
 Subject: [PATCH] Ignore fragment attr from ext authenticator resource
@@ -19,7 +19,7 @@ diff --git a/src/com/android/settings/accounts/AccountTypePreferenceLoader.java
 index c639d1df2eb..84386a38f08 100644
 --- a/src/com/android/settings/accounts/AccountTypePreferenceLoader.java
 +++ b/src/com/android/settings/accounts/AccountTypePreferenceLoader.java
-@@ -32,6 +32,10 @@ import android.os.UserHandle;
+@@ -32,6 +32,10 @@
  import android.text.TextUtils;
  import android.util.Log;
  
@@ -30,7 +30,7 @@ index c639d1df2eb..84386a38f08 100644
  import androidx.preference.Preference;
  import androidx.preference.Preference.OnPreferenceClickListener;
  import androidx.preference.PreferenceFragmentCompat;
-@@ -45,6 +49,8 @@ import com.android.settings.utils.LocalClassLoaderContextThemeWrapper;
+@@ -45,6 +49,8 @@
  import com.android.settingslib.accounts.AuthenticatorHelper;
  import com.android.settingslib.core.instrumentation.Instrumentable;
  
@@ -39,7 +39,7 @@ index c639d1df2eb..84386a38f08 100644
  /**
   * Class to load the preference screen to be added to the settings page for the specific account
   * type as specified in the account-authenticator.
-@@ -83,6 +89,7 @@ public class AccountTypePreferenceLoader {
+@@ -83,6 +89,7 @@ public PreferenceScreen addPreferencesForType(final String accountType,
              try {
                  desc = mAuthenticatorHelper.getAccountTypeDescription(accountType);
                  if (desc != null && desc.accountPreferencesId != 0) {
@@ -47,7 +47,7 @@ index c639d1df2eb..84386a38f08 100644
                      // Load the context of the target package, then apply the
                      // base Settings theme (no references to local resources)
                      // and create a context theme wrapper so that we get the
-@@ -98,6 +105,12 @@ public class AccountTypePreferenceLoader {
+@@ -98,6 +105,12 @@ public PreferenceScreen addPreferencesForType(final String accountType,
                      themedCtx.getTheme().setTo(baseTheme);
                      prefs = mFragment.getPreferenceManager().inflateFromResource(themedCtx,
                              desc.accountPreferencesId, parent);
@@ -60,7 +60,7 @@ index c639d1df2eb..84386a38f08 100644
                  }
              } catch (PackageManager.NameNotFoundException e) {
                  Log.w(TAG, "Couldn't load preferences.xml file from " + desc.packageName);
-@@ -182,6 +195,48 @@ public class AccountTypePreferenceLoader {
+@@ -182,6 +195,48 @@ public boolean onPreferenceClick(Preference preference) {
          }
      }
  

Patches/LineageOS-17.1/android_packages_apps_Settings/403305.patch

@@ -1,4 +1,4 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From 31469a42bf69d10b697f74989e2516a3bcece609 Mon Sep 17 00:00:00 2001
 From: Chris Antol <cantol@google.com>
 Date: Mon, 25 Mar 2024 23:49:35 +0000
 Subject: [PATCH] RESTRICT AUTOMERGE Restrict Settings Homepage prior to
@@ -13,14 +13,14 @@ Test: manual test
 Merged-In: I8cbe38109ebf88a0f68f3917e95468a81c6463c1
 Change-Id: I8cbe38109ebf88a0f68f3917e95468a81c6463c1
 ---
- .../settings/homepage/SettingsHomepageActivity.java   | 11 +++++++++++
+ .../settings/homepage/SettingsHomepageActivity.java | 13 +++++++++++++
- 1 file changed, 11 insertions(+)
+ 1 file changed, 13 insertions(+)
 
 diff --git a/src/com/android/settings/homepage/SettingsHomepageActivity.java b/src/com/android/settings/homepage/SettingsHomepageActivity.java
-index 5e6c54bb7c2..80e2e32e3e9 100644
+index 5e6c54bb7c2..784c6a2ec9c 100644
 --- a/src/com/android/settings/homepage/SettingsHomepageActivity.java
 +++ b/src/com/android/settings/homepage/SettingsHomepageActivity.java
-@@ -20,6 +20,7 @@ import android.animation.LayoutTransition;
+@@ -20,6 +20,7 @@
  import android.app.ActivityManager;
  import android.app.settings.SettingsEnums;
  import android.os.Bundle;
@@ -28,7 +28,13 @@ index 5e6c54bb7c2..80e2e32e3e9 100644
  import android.view.View;
  import android.widget.FrameLayout;
  import android.widget.ImageView;
-@@ -43,6 +44,16 @@ public class SettingsHomepageActivity extends FragmentActivity {
+@@ -39,10 +40,22 @@
+ 
+ public class SettingsHomepageActivity extends FragmentActivity {
+ 
++    private static final String TAG = "SettingsHomepageActivity";
++
+     @Override
      protected void onCreate(Bundle savedInstanceState) {
          super.onCreate(savedInstanceState);
  
@@ -37,7 +43,7 @@ index 5e6c54bb7c2..80e2e32e3e9 100644
 +        boolean unprovisioned = android.provider.Settings.Global.getInt(getContentResolver(),
 +                android.provider.Settings.Global.DEVICE_PROVISIONED, 0) == 0;
 +        if (unprovisioned) {
-+            Log.e("SettingsHomepageActivity", "Device is not provisioned, exiting Settings");
++            Log.e(TAG, "Device is not provisioned, exiting Settings");
 +            finish();
 +            return;
 +        }

Patches/LineageOS-17.1/android_packages_services_Telecomm/403306.patch

@@ -1,4 +1,4 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From 5aa0eae41483c8994e1771ace987c258a52f3bfc Mon Sep 17 00:00:00 2001
 From: Grant Menke <grantmenke@google.com>
 Date: Thu, 25 Apr 2024 10:43:43 -0700
 Subject: [PATCH] DO NOT MERGE Unbind CS if connection is not created within 15
@@ -14,21 +14,42 @@ Flag: EXEMPT Security High/Critical Severity CVE
 Merged-In: I30caed1481dff5af2223a8ff589846597cee8229
 Change-Id: I30caed1481dff5af2223a8ff589846597cee8229
 ---
+ .project                                      |  11 +
  src/com/android/server/telecom/Call.java      |  25 ++
- .../telecom/ConnectionServiceWrapper.java     |  49 ++-
+ .../telecom/ConnectionServiceWrapper.java     |  48 ++-
  src/com/android/server/telecom/LogUtils.java  |   1 +
  .../server/telecom/tests/BasicCallTests.java  |   2 +
- .../telecom/tests/CallsManagerTest.java       |  59 ++++
+ .../telecom/tests/CallsManagerTest.java       |  61 ++++
  .../tests/ComponentContextFixture.java        |  14 +
  .../tests/TestScheduledExecutorService.java   | 283 ++++++++++++++++++
- 7 files changed, 431 insertions(+), 2 deletions(-)
+ 8 files changed, 443 insertions(+), 2 deletions(-)
  create mode 100644 tests/src/com/android/server/telecom/tests/TestScheduledExecutorService.java
 
+diff --git a/.project b/.project
+index 7cc346140..d801f0843 100644
+--- a/.project
++++ b/.project
+@@ -30,4 +30,15 @@
+ 		<nature>com.android.ide.eclipse.adt.AndroidNature</nature>
+ 		<nature>org.eclipse.jdt.core.javanature</nature>
+ 	</natures>
++	<filteredResources>
++		<filter>
++			<id>1726332124436</id>
++			<name></name>
++			<type>30</type>
++			<matcher>
++				<id>org.eclipse.core.resources.regexFilterMatcher</id>
++				<arguments>node_modules|\.git|__CREATED_BY_JAVA_LANGUAGE_SERVER__</arguments>
++			</matcher>
++		</filter>
++	</filteredResources>
+ </projectDescription>
 diff --git a/src/com/android/server/telecom/Call.java b/src/com/android/server/telecom/Call.java
 index ecc635997..699c9ffee 100644
 --- a/src/com/android/server/telecom/Call.java
 +++ b/src/com/android/server/telecom/Call.java
-@@ -313,6 +313,17 @@ public class Call implements CreateConnectionResponse, EventManager.Loggable,
+@@ -313,6 +313,17 @@ public void onContactPhotoQueryComplete(Uri handle, CallerInfo callerInfo) {
      /** The state of the call. */
      private int mState;
  
@@ -46,7 +67,7 @@ index ecc635997..699c9ffee 100644
      /** The handle with which to establish this call. */
      private Uri mHandle;
  
-@@ -816,6 +827,19 @@ public class Call implements CreateConnectionResponse, EventManager.Loggable,
+@@ -816,6 +827,19 @@ public ConnectionServiceFocusManager.ConnectionServiceFocus getConnectionService
          return mConnectionService;
      }
  
@@ -66,7 +87,7 @@ index ecc635997..699c9ffee 100644
      @VisibleForTesting
      public int getState() {
          return mState;
-@@ -1739,6 +1763,7 @@ public class Call implements CreateConnectionResponse, EventManager.Loggable,
+@@ -1739,6 +1763,7 @@ public void handleCreateConnectionSuccess(
              CallIdMapper idMapper,
              ParcelableConnection connection) {
          Log.v(this, "handleCreateConnectionSuccessful %s", connection);
@@ -75,10 +96,10 @@ index ecc635997..699c9ffee 100644
          setHandle(connection.getHandle(), connection.getHandlePresentation());
          setCallerDisplayName(
 diff --git a/src/com/android/server/telecom/ConnectionServiceWrapper.java b/src/com/android/server/telecom/ConnectionServiceWrapper.java
-index bd5e37f89..f3f2e9337 100644
+index bd5e37f89..a69d725fd 100644
 --- a/src/com/android/server/telecom/ConnectionServiceWrapper.java
 +++ b/src/com/android/server/telecom/ConnectionServiceWrapper.java
-@@ -37,6 +37,7 @@ import android.telecom.ConnectionService;
+@@ -37,6 +37,7 @@
  import android.telecom.DisconnectCause;
  import android.telecom.GatewayInfo;
  import android.telecom.Log;
@@ -86,7 +107,7 @@ index bd5e37f89..f3f2e9337 100644
  import android.telecom.Logging.Session;
  import android.telecom.ParcelableConference;
  import android.telecom.ParcelableConnection;
-@@ -60,6 +61,11 @@ import java.util.List;
+@@ -60,6 +61,11 @@
  import java.util.Map;
  import java.util.Set;
  import java.util.concurrent.ConcurrentHashMap;
@@ -98,7 +119,7 @@ index bd5e37f89..f3f2e9337 100644
  
  /**
   * Wrapper for {@link IConnectionService}s, handles binding to {@link IConnectionService} and keeps
-@@ -71,6 +77,12 @@ import java.util.concurrent.ConcurrentHashMap;
+@@ -71,6 +77,11 @@
  public class ConnectionServiceWrapper extends ServiceBinder implements
          ConnectionServiceFocusManager.ConnectionServiceFocus {
  
@@ -107,11 +128,10 @@ index bd5e37f89..f3f2e9337 100644
 +            Executors.newSingleThreadScheduledExecutor();
 +    // Pre-allocate space for 2 calls; realistically thats all we should ever need (tm)
 +    private final Map<Call, ScheduledFuture<?>> mScheduledFutureMap = new ConcurrentHashMap<>(2);
-+
      private final class Adapter extends IConnectionServiceAdapter.Stub {
  
          @Override
-@@ -82,6 +94,12 @@ public class ConnectionServiceWrapper extends ServiceBinder implements
+@@ -82,6 +93,12 @@ public void handleCreateConnectionComplete(String callId, ConnectionRequest requ
              try {
                  synchronized (mLock) {
                      logIncoming("handleCreateConnectionComplete %s", callId);
@@ -124,7 +144,7 @@ index bd5e37f89..f3f2e9337 100644
                      // Check status hints image for cross user access
                      if (connection.getStatusHints() != null) {
                          Icon icon = connection.getStatusHints().getIcon();
-@@ -1126,7 +1144,8 @@ public class ConnectionServiceWrapper extends ServiceBinder implements
+@@ -1126,7 +1143,8 @@ public void setConferenceState(String callId, boolean isConference,
       * @param context The context.
       * @param userHandle The {@link UserHandle} to use when binding.
       */
@@ -134,7 +154,7 @@ index bd5e37f89..f3f2e9337 100644
              ComponentName componentName,
              ConnectionServiceRepository connectionServiceRepository,
              PhoneAccountRegistrar phoneAccountRegistrar,
-@@ -1229,6 +1248,26 @@ public class ConnectionServiceWrapper extends ServiceBinder implements
+@@ -1229,6 +1247,26 @@ public void onSuccess() {
                          .setRttPipeToInCall(call.getCsToInCallRttPipeForCs())
                          .build();
  
@@ -161,7 +181,7 @@ index bd5e37f89..f3f2e9337 100644
                  try {
                      mServiceInterface.createConnection(
                              call.getConnectionManagerPhoneAccount(),
-@@ -1514,7 +1553,8 @@ public class ConnectionServiceWrapper extends ServiceBinder implements
+@@ -1514,7 +1552,8 @@ void stopDtmfTone(Call call) {
          }
      }
  
@@ -171,7 +191,7 @@ index bd5e37f89..f3f2e9337 100644
          if (mCallIdMapper.getCallId(call) == null) {
              mCallIdMapper.addCall(call);
          }
-@@ -1909,4 +1949,9 @@ public class ConnectionServiceWrapper extends ServiceBinder implements
+@@ -1909,4 +1948,9 @@ public String toString() {
          sb.append("]");
          return sb.toString();
      }
@@ -185,7 +205,7 @@ diff --git a/src/com/android/server/telecom/LogUtils.java b/src/com/android/serv
 index 760d24e10..37afdb8f6 100644
 --- a/src/com/android/server/telecom/LogUtils.java
 +++ b/src/com/android/server/telecom/LogUtils.java
-@@ -87,6 +87,7 @@ public class LogUtils {
+@@ -87,6 +87,7 @@ public final static class Events {
          public static final String STOP_CALL_WAITING_TONE = "STOP_CALL_WAITING_TONE";
          public static final String START_CONNECTION = "START_CONNECTION";
          public static final String CREATE_CONNECTION_FAILED = "CREATE_CONNECTION_FAILED";
@@ -197,7 +217,7 @@ diff --git a/tests/src/com/android/server/telecom/tests/BasicCallTests.java b/te
 index 7889d0487..46aa758b8 100644
 --- a/tests/src/com/android/server/telecom/tests/BasicCallTests.java
 +++ b/tests/src/com/android/server/telecom/tests/BasicCallTests.java
-@@ -939,6 +939,7 @@ public class BasicCallTests extends TelecomSystemTest {
+@@ -939,6 +939,7 @@ public void testOutgoingCallSelectPhoneAccountVideo() throws Exception {
          call.setTargetPhoneAccount(mPhoneAccountA1.getAccountHandle());
          assert(call.isVideoCallingSupportedByPhoneAccount());
          assertEquals(VideoProfile.STATE_BIDIRECTIONAL, call.getVideoState());
@@ -205,7 +225,7 @@ index 7889d0487..46aa758b8 100644
      }
  
      /**
-@@ -962,6 +963,7 @@ public class BasicCallTests extends TelecomSystemTest {
+@@ -962,6 +963,7 @@ public void testOutgoingCallSelectPhoneAccountNoVideo() throws Exception {
          call.setTargetPhoneAccount(mPhoneAccountA2.getAccountHandle());
          assert(!call.isVideoCallingSupportedByPhoneAccount());
          assertEquals(VideoProfile.STATE_AUDIO_ONLY, call.getVideoState());
@@ -214,10 +234,15 @@ index 7889d0487..46aa758b8 100644
  
      /**
 diff --git a/tests/src/com/android/server/telecom/tests/CallsManagerTest.java b/tests/src/com/android/server/telecom/tests/CallsManagerTest.java
-index 7adc99aa3..6145aca5d 100644
+index 7adc99aa3..6e9515008 100644
 --- a/tests/src/com/android/server/telecom/tests/CallsManagerTest.java
 +++ b/tests/src/com/android/server/telecom/tests/CallsManagerTest.java
-@@ -40,6 +40,7 @@ import static org.mockito.Mockito.when;
+@@ -36,10 +36,12 @@
+ import static org.mockito.Mockito.times;
+ import static org.mockito.Mockito.verify;
+ import static org.mockito.Mockito.when;
++import static java.lang.Thread.sleep;
+ 
  import android.content.ComponentName;
  import android.net.Uri;
  import android.os.Bundle;
@@ -225,7 +250,7 @@ index 7adc99aa3..6145aca5d 100644
  import android.os.Process;
  import android.os.SystemClock;
  import android.os.UserHandle;
-@@ -55,6 +56,7 @@ import android.telephony.TelephonyManager;
+@@ -55,6 +57,7 @@
  import android.test.suitebuilder.annotation.MediumTest;
  import android.test.suitebuilder.annotation.SmallTest;
  
@@ -233,15 +258,23 @@ index 7adc99aa3..6145aca5d 100644
  import com.android.internal.telephony.CallerInfo;
  import com.android.server.telecom.AsyncRingtonePlayer;
  import com.android.server.telecom.Call;
-@@ -67,6 +69,7 @@ import com.android.server.telecom.CallsManager;
+@@ -68,6 +71,7 @@
- import com.android.server.telecom.ClockProxy;
  import com.android.server.telecom.ConnectionServiceFocusManager;
  import com.android.server.telecom.ConnectionServiceFocusManager.ConnectionServiceFocusManagerFactory;
-+import com.android.server.telecom.CreateConnectionResponse;
  import com.android.server.telecom.ConnectionServiceWrapper;
++import com.android.server.telecom.CreateConnectionResponse;
  import com.android.server.telecom.DefaultDialerCache;
  import com.android.server.telecom.EmergencyCallHelper;
-@@ -183,6 +186,7 @@ public class CallsManagerTest extends TelecomTestCase {
+ import com.android.server.telecom.HeadsetMediaButton;
+@@ -90,6 +94,7 @@
+ import com.android.server.telecom.bluetooth.BluetoothRouteManager;
+ import com.android.server.telecom.bluetooth.BluetoothStateReceiver;
+ 
++import org.junit.After;
+ import org.junit.Before;
+ import org.junit.Test;
+ import org.junit.runner.RunWith;
+@@ -183,6 +188,7 @@ public class CallsManagerTest extends TelecomTestCase {
      @Mock private CallAudioModeStateMachine.Factory mCallAudioModeStateMachineFactory;
      @Mock private BluetoothStateReceiver mBluetoothStateReceiver;
      @Mock private RoleManagerAdapter mRoleManagerAdapter;
@@ -249,7 +282,7 @@ index 7adc99aa3..6145aca5d 100644
  
      private CallsManager mCallsManager;
  
-@@ -240,8 +244,22 @@ public class CallsManagerTest extends TelecomTestCase {
+@@ -240,6 +246,20 @@ public void setUp() throws Exception {
                  eq(SIM_1_HANDLE), any())).thenReturn(SIM_1_ACCOUNT);
          when(mPhoneAccountRegistrar.getPhoneAccount(
                  eq(SIM_2_HANDLE), any())).thenReturn(SIM_2_ACCOUNT);
@@ -257,22 +290,20 @@ index 7adc99aa3..6145aca5d 100644
 +
 +        mComponentContextFixture.addConnectionService(new ComponentName(mContext.getPackageName(),
 +                mContext.getPackageName().getClass().getName()), mIConnectionService);
-     }
++    }
- 
++
-+     @Override
++    @Override
-+     @After
++    @After
-+     public void tearDown() throws Exception {
++    public void tearDown() throws Exception {
 +        mComponentContextFixture.removeConnectionService(
 +                new ComponentName(mContext.getPackageName(),
 +                        mContext.getPackageName().getClass().getName()),
 +                mock(IConnectionService.class));
-+         super.tearDown();
++        super.tearDown();
-+     }
+     }
-+
+ 
      @MediumTest
-     @Test
+@@ -1111,6 +1131,32 @@ public void testCrossUserCallRedirectionEndEarlyForIncapablePhoneAccount() {
-     public void testConstructPossiblePhoneAccounts() throws Exception {
-@@ -1111,6 +1129,32 @@ public class CallsManagerTest extends TelecomTestCase {
          assertTrue(argumentCaptor.getValue().contains("Unavailable phoneAccountHandle"));
      }
  
@@ -305,7 +336,7 @@ index 7adc99aa3..6145aca5d 100644
      private Call addSpyCall() {
          return addSpyCall(SIM_2_HANDLE, CallState.ACTIVE);
      }
-@@ -1189,4 +1233,19 @@ public class CallsManagerTest extends TelecomTestCase {
+@@ -1189,4 +1235,19 @@ private void setupMsimAccounts() {
          when(mPhoneAccountRegistrar.getSimPhoneAccountsOfCurrentUser()).thenReturn(
                  new ArrayList<>(Arrays.asList(SIM_1_HANDLE, SIM_2_HANDLE)));
      }
@@ -329,7 +360,7 @@ diff --git a/tests/src/com/android/server/telecom/tests/ComponentContextFixture.
 index e6e8ba122..675913aa0 100644
 --- a/tests/src/com/android/server/telecom/tests/ComponentContextFixture.java
 +++ b/tests/src/com/android/server/telecom/tests/ComponentContextFixture.java
-@@ -549,6 +549,14 @@ public class ComponentContextFixture implements TestFixture<Context> {
+@@ -549,6 +549,14 @@ public void addConnectionService(
          mServiceInfoByComponentName.put(componentName, serviceInfo);
      }
  
@@ -344,7 +375,7 @@ index e6e8ba122..675913aa0 100644
      public void addInCallService(
              ComponentName componentName,
              IInCallService service)
-@@ -599,6 +607,12 @@ public class ComponentContextFixture implements TestFixture<Context> {
+@@ -599,6 +607,12 @@ private void addService(String action, ComponentName name, IInterface service) {
          mComponentNameByService.put(service, name);
      }
  

Patches/LineageOS-17.1/android_packages_services_Telecomm/403307.patch

@@ -1,4 +1,4 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From b1f14158f389b0522a2eda4212344440dace65de Mon Sep 17 00:00:00 2001
 From: Pranav Madapurmath <pmadapurmath@google.com>
 Date: Tue, 11 Jun 2024 15:51:39 +0000
 Subject: [PATCH] Unbind CallScreeningService when timeout reached.
@@ -30,7 +30,7 @@ diff --git a/src/com/android/server/telecom/CallScreeningServiceHelper.java b/sr
 index 89778e43a..5582a7da4 100644
 --- a/src/com/android/server/telecom/CallScreeningServiceHelper.java
 +++ b/src/com/android/server/telecom/CallScreeningServiceHelper.java
-@@ -185,6 +185,10 @@ public class CallScreeningServiceHelper {
+@@ -185,6 +185,10 @@ public void onNullBinding(ComponentName name) {
                              Log.w(TAG, "Cancelling call id process due to timeout");
                          }
                          mFuture.complete(null);

Patches/LineageOS-17.1/android_system_bt/403308.patch

@@ -0,0 +1,144 @@
+From f9f366e1227c0a46b54b959cd97851ca0b654501 Mon Sep 17 00:00:00 2001
+From: Hansong Zhang <hsz@google.com>
+Date: Tue, 11 Aug 2020 12:39:26 -0700
+Subject: [PATCH] Clean up BTM_SEC_MODE
+
+Can never be BTM_SEC_MODE_UNDEFINED, BTM_SEC_MODE_NONE,
+BTM_SEC_MODE_LINK, or BTM_SEC_MODE_SP_DEBUG
+
+Bug: 159815595
+Tag: #refactor
+Test: compile & verify basic functions working
+Change-Id: Ib567b050a3cd38e0f77f1b875476ad84c3e949fa
+---
+ stack/btm/btm_sec.cc          | 29 ++++-------------------------
+ stack/include/btm_api_types.h |  4 ----
+ 2 files changed, 4 insertions(+), 29 deletions(-)
+
+diff --git a/stack/btm/btm_sec.cc b/stack/btm/btm_sec.cc
+index 72dc9a2ed4b..8a194f08d59 100644
+--- a/stack/btm/btm_sec.cc
++++ b/stack/btm/btm_sec.cc
+@@ -591,7 +591,6 @@ static bool btm_sec_set_security_level(CONNECTION_TYPE conn_type,
+           BTM_SEC_IN_MITM | BTM_SEC_IN_MIN_16_DIGIT_PIN);
+ 
+     if (btm_cb.security_mode == BTM_SEC_MODE_SP ||
+-        btm_cb.security_mode == BTM_SEC_MODE_SP_DEBUG ||
+         btm_cb.security_mode == BTM_SEC_MODE_SC) {
+       if (sec_level & BTM_SEC_OUT_AUTHENTICATE) sec_level |= BTM_SEC_OUT_MITM;
+     }
+@@ -624,7 +623,6 @@ static bool btm_sec_set_security_level(CONNECTION_TYPE conn_type,
+                    BTM_SEC_OUT_AUTHENTICATE | BTM_SEC_OUT_MITM);
+ 
+     if (btm_cb.security_mode == BTM_SEC_MODE_SP ||
+-        btm_cb.security_mode == BTM_SEC_MODE_SP_DEBUG ||
+         btm_cb.security_mode == BTM_SEC_MODE_SC) {
+       if (sec_level & BTM_SEC_IN_AUTHENTICATE) sec_level |= BTM_SEC_IN_MITM;
+     }
+@@ -1018,7 +1016,6 @@ tBTM_STATUS btm_sec_bond_by_transport(const RawAddress& bd_addr,
+     if (btm_sec_check_prefetch_pin(p_dev_rec)) return (BTM_CMD_STARTED);
+   }
+   if ((btm_cb.security_mode == BTM_SEC_MODE_SP ||
+-       btm_cb.security_mode == BTM_SEC_MODE_SP_DEBUG ||
+        btm_cb.security_mode == BTM_SEC_MODE_SC) &&
+       BTM_SEC_IS_SM4_UNKNOWN(p_dev_rec->sm4)) {
+     /* local is 2.1 and peer is unknown */
+@@ -2033,10 +2030,7 @@ tBTM_STATUS btm_sec_l2cap_access_req(const RawAddress& bd_addr, uint16_t psm,
+     BTM_TRACE_EVENT("security_flags:x%x, sec_flags:x%x", security_required,
+                     p_dev_rec->sec_flags);
+     rc = BTM_CMD_STARTED;
+-    if ((btm_cb.security_mode == BTM_SEC_MODE_UNDEFINED ||
+-         btm_cb.security_mode == BTM_SEC_MODE_NONE ||
+-         btm_cb.security_mode == BTM_SEC_MODE_SERVICE ||
+-         btm_cb.security_mode == BTM_SEC_MODE_LINK) ||
++    if ((btm_cb.security_mode == BTM_SEC_MODE_SERVICE) ||
+         (BTM_SM4_KNOWN == p_dev_rec->sm4) ||
+         (BTM_SEC_IS_SM4(p_dev_rec->sm4) &&
+          (!btm_sec_is_upgrade_possible(p_dev_rec, is_originator)))) {
+@@ -2114,7 +2108,6 @@ tBTM_STATUS btm_sec_l2cap_access_req(const RawAddress& bd_addr, uint16_t psm,
+ 
+   /* Modify security_required in btm_sec_l2cap_access_req for Lisbon */
+   if (btm_cb.security_mode == BTM_SEC_MODE_SP ||
+-      btm_cb.security_mode == BTM_SEC_MODE_SP_DEBUG ||
+       btm_cb.security_mode == BTM_SEC_MODE_SC) {
+     if (BTM_SEC_IS_SM4(p_dev_rec->sm4)) {
+       if (is_originator) {
+@@ -2175,10 +2168,7 @@ tBTM_STATUS btm_sec_l2cap_access_req(const RawAddress& bd_addr, uint16_t psm,
+    * L2CAP connect
+    * response is received */
+   if (is_originator &&
+-      ((btm_cb.security_mode == BTM_SEC_MODE_UNDEFINED ||
+-        btm_cb.security_mode == BTM_SEC_MODE_NONE ||
+-        btm_cb.security_mode == BTM_SEC_MODE_SERVICE ||
+-        btm_cb.security_mode == BTM_SEC_MODE_LINK) ||
++      ((btm_cb.security_mode == BTM_SEC_MODE_SERVICE) ||
+        !BTM_SEC_IS_SM4(p_dev_rec->sm4)) &&
+       (psm >= 0x1001)) {
+     BTM_TRACE_EVENT(
+@@ -2342,10 +2332,7 @@ tBTM_STATUS btm_sec_mx_access_request(const RawAddress& bd_addr, uint16_t psm,
+ 
+     rc = BTM_CMD_STARTED;
+ 
+-    if ((btm_cb.security_mode == BTM_SEC_MODE_UNDEFINED ||
+-         btm_cb.security_mode == BTM_SEC_MODE_NONE ||
+-         btm_cb.security_mode == BTM_SEC_MODE_SERVICE ||
+-         btm_cb.security_mode == BTM_SEC_MODE_LINK) ||
++    if ((btm_cb.security_mode == BTM_SEC_MODE_SERVICE) ||
+         (BTM_SM4_KNOWN == p_dev_rec->sm4) ||
+         (BTM_SEC_IS_SM4(p_dev_rec->sm4) &&
+          (!btm_sec_is_upgrade_possible(p_dev_rec, is_originator)))) {
+@@ -2465,7 +2452,6 @@ tBTM_STATUS btm_sec_mx_access_request(const RawAddress& bd_addr, uint16_t psm,
+   p_dev_rec->security_required = security_required;
+ 
+   if (btm_cb.security_mode == BTM_SEC_MODE_SP ||
+-      btm_cb.security_mode == BTM_SEC_MODE_SP_DEBUG ||
+       btm_cb.security_mode == BTM_SEC_MODE_SC) {
+     if (BTM_SEC_IS_SM4(p_dev_rec->sm4)) {
+       if ((p_dev_rec->security_required & BTM_SEC_MODE4_LEVEL4) &&
+@@ -4412,9 +4398,6 @@ void btm_sec_connected(const RawAddress& bda, uint16_t handle, uint8_t status,
+     p_dev_rec->sec_flags |=
+         ((BTM_SEC_AUTHENTICATED | BTM_SEC_ENCRYPTED) << bit_shift);
+ 
+-  if (btm_cb.security_mode == BTM_SEC_MODE_LINK)
+-    p_dev_rec->sec_flags |= (BTM_SEC_AUTHENTICATED << bit_shift);
+-
+   if (p_dev_rec->pin_code_length >= 16 ||
+       p_dev_rec->link_key_type == BTM_LKEY_TYPE_AUTH_COMB ||
+       p_dev_rec->link_key_type == BTM_LKEY_TYPE_AUTH_COMB_P_256) {
+@@ -5505,10 +5488,7 @@ uint32_t* BTM_ReadTrustedMask(const RawAddress& bd_addr) {
+ static void btm_restore_mode(void) {
+   if (btm_cb.security_mode_changed) {
+     btm_cb.security_mode_changed = false;
+-    BTM_TRACE_DEBUG("%s() Auth enable -> %d", __func__,
+-                    (btm_cb.security_mode == BTM_SEC_MODE_LINK));
+-    btsnd_hcic_write_auth_enable(
+-        (uint8_t)(btm_cb.security_mode == BTM_SEC_MODE_LINK));
++    btsnd_hcic_write_auth_enable(false);
+   }
+ 
+   if (btm_cb.pin_type_changed) {
+@@ -5797,7 +5777,6 @@ static bool btm_sec_queue_encrypt_request(const RawAddress& bd_addr,
+ void btm_sec_set_peer_sec_caps(tACL_CONN* p_acl_cb,
+                                tBTM_SEC_DEV_REC* p_dev_rec) {
+   if ((btm_cb.security_mode == BTM_SEC_MODE_SP ||
+-       btm_cb.security_mode == BTM_SEC_MODE_SP_DEBUG ||
+        btm_cb.security_mode == BTM_SEC_MODE_SC) &&
+       HCI_SSP_HOST_SUPPORTED(p_acl_cb->peer_lmp_feature_pages[1])) {
+     p_dev_rec->sm4 = BTM_SM4_TRUE;
+diff --git a/stack/include/btm_api_types.h b/stack/include/btm_api_types.h
+index 0d3d7d4b689..21c97d53f29 100644
+--- a/stack/include/btm_api_types.h
++++ b/stack/include/btm_api_types.h
+@@ -1038,12 +1038,8 @@ typedef void(tBTM_ESCO_CBACK)(tBTM_ESCO_EVT event, tBTM_ESCO_EVT_DATA* p_data);
+  *******************************/
+ 
+ /* Security Mode (BTM_SetSecurityMode) */
+-#define BTM_SEC_MODE_UNDEFINED 0
+-#define BTM_SEC_MODE_NONE 1
+ #define BTM_SEC_MODE_SERVICE 2
+-#define BTM_SEC_MODE_LINK 3
+ #define BTM_SEC_MODE_SP 4
+-#define BTM_SEC_MODE_SP_DEBUG 5
+ #define BTM_SEC_MODE_SC 6
+ 
+ /* Maximum Number of BTM Security Modes */

Patches/LineageOS-17.1/android_system_bt/403309.patch

@@ -0,0 +1,112 @@
+From 144792df6991b7e9b462b657f93d05fa45ca4d43 Mon Sep 17 00:00:00 2001
+From: Chris Manton <cmanton@google.com>
+Date: Mon, 7 Sep 2020 09:37:31 -0700
+Subject: [PATCH] Add getters to
+ stack/btm/security_device_record::tBTM_SEC_DEV_REC
+
+Towards readable code
+
+Bug: 163134718
+Tag: #refactor
+Test: compile & verify basic functions working
+Test: act.py -tc BleCocTest
+
+Change-Id: Ia024a6977d606714f7edc58ded09f82a95703324
+---
+ stack/btm/btm_int_types.h | 60 +++++++++++++++++++++++++++++++++++++++
+ 1 file changed, 60 insertions(+)
+
+diff --git a/stack/btm/btm_int_types.h b/stack/btm/btm_int_types.h
+index a0460b1c0eb..e7450a5746d 100644
+--- a/stack/btm/btm_int_types.h
++++ b/stack/btm/btm_int_types.h
+@@ -516,6 +516,37 @@ typedef struct {
+ #define BTM_SEC_STATE_DISCONNECTING_BOTH 9 /* disconnecting BR/EDR and BLE */
+ 
+   uint8_t sec_state;  /* Operating state                    */
++  bool is_security_state_idle() const {
++    return sec_state == BTM_SEC_STATE_IDLE;
++  }
++  bool is_security_state_authenticating() const {
++    return sec_state == BTM_SEC_STATE_AUTHENTICATING;
++  }
++  bool is_security_state_encrypting() const {
++    return sec_state == BTM_SEC_STATE_ENCRYPTING;
++  }
++  bool is_security_state_getting_name() const {
++    return sec_state == BTM_SEC_STATE_GETTING_NAME;
++  }
++  bool is_security_state_authorizing() const {
++    return sec_state == BTM_SEC_STATE_AUTHORIZING;
++  }
++  bool is_security_state_switching_role() const {
++    return sec_state == BTM_SEC_STATE_SWITCHING_ROLE;
++  }
++  bool is_security_state_disconnecting() const {
++    return sec_state == BTM_SEC_STATE_DISCONNECTING;
++  }
++  bool is_security_state_wait_for_encryption() const {
++    return sec_state == BTM_SEC_STATE_DELAY_FOR_ENC;
++  }
++  bool is_security_state_ble_disconnecting() const {
++    return sec_state == BTM_SEC_STATE_DISCONNECTING_BLE;
++  }
++  bool is_security_state_br_edr_and_ble() const {
++    return sec_state == BTM_SEC_STATE_DISCONNECTING_BOTH;
++  }
++
+   bool is_originator; /* true if device is originating connection */
+   bool role_master;           /* true if current mode is master     */
+   uint16_t security_required; /* Security required for connection   */
+@@ -550,8 +581,20 @@ typedef struct {
+   /* it knows peer's support for Secure Connections */
+ 
+   uint16_t ble_hci_handle; /* use in DUMO connection */
++  uint16_t get_ble_hci_handle() const { return ble_hci_handle; }
++
+   uint8_t enc_key_size;    /* current link encryption key size */
++  uint8_t get_encryption_key_size() const { return enc_key_size; }
++
+   tBT_DEVICE_TYPE device_type;
++  bool is_device_type_br_edr() const {
++    return device_type == BT_DEVICE_TYPE_BREDR;
++  }
++  bool is_device_type_ble() const { return device_type == BT_DEVICE_TYPE_BLE; }
++  bool is_device_type_dual_mode() const {
++    return device_type == BT_DEVICE_TYPE_DUMO;
++  }
++
+   bool new_encryption_key_is_p256; /* Set to true when the newly generated LK
+                                    ** is generated from P-256.
+                                    ** Link encrypted with such LK can be used
+@@ -561,6 +604,14 @@ typedef struct {
+                             /* work, i.e. link keys crosspairing */
+                             /* SC BR/EDR->SC LE doesn't happen */
+   tBTM_BOND_TYPE bond_type; /* peering bond type */
++  bool is_bond_type_unknown() const { return bond_type == BOND_TYPE_UNKNOWN; }
++  bool is_bond_type_persistent() const {
++    return bond_type == BOND_TYPE_PERSISTENT;
++  }
++  bool is_bond_type_temporary() const {
++    return bond_type == BOND_TYPE_TEMPORARY;
++  }
++
+ 
+   tBTM_SEC_BLE ble;
+   tBTM_LE_CONN_PRAMS conn_params;
+@@ -570,6 +621,15 @@ typedef struct {
+ #define BTM_SEC_RS_PENDING 1     /* Role Switch in progress */
+ #define BTM_SEC_DISC_PENDING 2   /* Disconnect is pending */
+   uint8_t rs_disc_pending;
++  bool is_role_switch_idle() const {
++    return rs_disc_pending == BTM_SEC_RS_NOT_PENDING;
++  }
++  bool is_role_switch_pending() const {
++    return rs_disc_pending == BTM_SEC_RS_PENDING;
++  }
++  bool is_role_switch_disconnecting() const {
++    return rs_disc_pending == BTM_SEC_DISC_PENDING;
++  }
+ #endif
+ #define BTM_SEC_NO_LAST_SERVICE_ID 0
+   uint8_t last_author_service_id; /* ID of last serviced authorized: Reset after

Patches/LineageOS-17.1/android_system_bt/403310.patch

@@ -0,0 +1,33 @@
+From e81da50d737fe764f9dc7852185d72a576a230ec Mon Sep 17 00:00:00 2001
+From: Chris Manton <cmanton@google.com>
+Date: Thu, 14 Jan 2021 14:04:09 -0800
+Subject: [PATCH] Add APIs stack/btm/security_device_record::
+
+get_br_edr_hci_handle,Handle
+
+Towards encapsulated code
+
+Bug: 163134718
+Tag: #refactor
+Test: gd/cert/run
+
+Change-Id: I820541c1f2fc86202710b7ef1bb5756ca9427851
+---
+ stack/btm/btm_int_types.h | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/stack/btm/btm_int_types.h b/stack/btm/btm_int_types.h
+index e7450a5746..a5bd894abd 100644
+--- a/stack/btm/btm_int_types.h
++++ b/stack/btm/btm_int_types.h
+@@ -475,6 +475,10 @@ typedef struct {
+   LinkKey link_key;        /* Device link key                    */
+   uint8_t pin_code_length; /* Length of the pin_code used for paring */
+ 
++ public:
++  RawAddress RemoteAddress() const { return bd_addr; }
++  uint16_t get_br_edr_hci_handle() const { return hci_handle; }
++
+ #define BTM_SEC_AUTHORIZED BTM_SEC_FLAG_AUTHORIZED       /* 0x01 */
+ #define BTM_SEC_AUTHENTICATED BTM_SEC_FLAG_AUTHENTICATED /* 0x02 */
+ #define BTM_SEC_ENCRYPTED BTM_SEC_FLAG_ENCRYPTED         /* 0x04 */

Patches/LineageOS-17.1/android_system_bt/403311.patch

@@ -0,0 +1,40 @@
+From 0690014ef4e8b810871c91372d61fd59f2f2f60e Mon Sep 17 00:00:00 2001
+From: Chris Manton <cmanton@google.com>
+Date: Fri, 1 Jan 2021 19:11:49 -0800
+Subject: [PATCH] Add tACL_CONN::SupportsSecureConnections
+
+Towards encapsulation
+
+Bug: 163134718
+Tag: #refactor
+Test: gd/cert/run --host
+
+Change-Id: I4ede2886aa5d90bfab8fccea5edaed70ad1514e7
+---
+ stack/btm/btm_int_types.h | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+diff --git a/stack/btm/btm_int_types.h b/stack/btm/btm_int_types.h
+index a5bd894abd..3ca1182d54 100644
+--- a/stack/btm/btm_int_types.h
++++ b/stack/btm/btm_int_types.h
+@@ -578,7 +578,19 @@ typedef struct {
+   uint8_t sm4;                /* BTM_SM4_TRUE, if the peer supports SM4 */
+   tBTM_IO_CAP rmt_io_caps;    /* IO capability of the peer device */
+   tBTM_AUTH_REQ rmt_auth_req; /* the auth_req flag as in the IO caps rsp evt */
++
+   bool remote_supports_secure_connections;
++  friend void btm_sec_set_peer_sec_caps(uint16_t hci_handle, bool ssp_supported,
++                                        bool sc_supported,
++                                        bool hci_role_switch_supported,
++                                        bool br_edr_supported,
++                                        bool le_supported);
++
++ public:
++  bool SupportsSecureConnections() const {
++    return remote_supports_secure_connections;
++  }
++
+   bool remote_features_needed; /* set to true if the local device is in */
+   /* "Secure Connections Only" mode and it receives */
+   /* HCI_IO_CAPABILITY_REQUEST_EVT from the peer before */

Patches/LineageOS-17.1/android_system_bt/403312.patch

@@ -0,0 +1,85 @@
+From 9aa51330f13f42da60f0641b7ece6818690151d4 Mon Sep 17 00:00:00 2001
+From: Chris Manton <cmanton@google.com>
+Date: Fri, 1 Jan 2021 19:12:36 -0800
+Subject: [PATCH] Use tACL_CONN::SupportsSecureConnections
+
+Towards encapsulated code
+
+Bug: 163134718
+Tag: #refactor
+Test: gd/cert/run --host
+
+Change-Id: I7bfe087dcc28cfaeb492db1e1a6ec276e1e29ce2
+---
+ stack/btm/btm_sec.cc | 22 +++++++++-------------
+ 1 file changed, 9 insertions(+), 13 deletions(-)
+
+diff --git a/stack/btm/btm_sec.cc b/stack/btm/btm_sec.cc
+index 8a194f08d5..bd11381abb 100644
+--- a/stack/btm/btm_sec.cc
++++ b/stack/btm/btm_sec.cc
+@@ -1727,7 +1727,7 @@ bool BTM_PeerSupportsSecureConnections(const RawAddress& bd_addr) {
+     return false;
+   }
+ 
+-  return (p_dev_rec->remote_supports_secure_connections);
++  return (p_dev_rec->SupportsSecureConnections());
+ }
+ 
+ /*******************************************************************************
+@@ -2005,12 +2005,11 @@ tBTM_STATUS btm_sec_l2cap_access_req(const RawAddress& bd_addr, uint16_t psm,
+         controller_get_interface()->supports_secure_connections();
+     /* acceptor receives L2CAP Channel Connect Request for Secure Connections
+      * Only service */
+-    if (!(local_supports_sc) ||
+-        !(p_dev_rec->remote_supports_secure_connections)) {
++    if (!(local_supports_sc) || !(p_dev_rec->SupportsSecureConnections())) {
+       BTM_TRACE_DEBUG("%s: SC only service, local_support_for_sc %d",
+-                      "rmt_support_for_sc : %d -> fail pairing", __func__,
++                      "rmt_support_for_sc : %s -> fail pairing", __func__,
+                       local_supports_sc,
+-                      p_dev_rec->remote_supports_secure_connections);
++                      logbool(p_dev_rec->SupportsSecureConnections()).c_str());
+       if (p_callback)
+         (*p_callback)(&bd_addr, transport, (void*)p_ref_data,
+                       BTM_MODE4_LEVEL4_NOT_SUPPORTED);
+@@ -2433,13 +2432,11 @@ tBTM_STATUS btm_sec_mx_access_request(const RawAddress& bd_addr, uint16_t psm,
+         controller_get_interface()->supports_secure_connections();
+     /* acceptor receives service connection establishment Request for */
+     /* Secure Connections Only service */
+-    if (!(local_supports_sc) ||
+-        !(p_dev_rec->remote_supports_secure_connections)) {
++    if (!(local_supports_sc) || !(p_dev_rec->SupportsSecureConnections())) {
+       BTM_TRACE_DEBUG("%s: SC only service,local_support_for_sc %d,",
+                       "remote_support_for_sc %d: fail pairing", __func__,
+                       local_supports_sc,
+-                      p_dev_rec->remote_supports_secure_connections);
+-
++                      p_dev_rec->SupportsSecureConnections());
+       if (p_callback)
+         (*p_callback)(&bd_addr, transport, (void*)p_ref_data,
+                       BTM_MODE4_LEVEL4_NOT_SUPPORTED);
+@@ -3235,12 +3232,11 @@ void btm_io_capabilities_req(const RawAddress& p) {
+     bool local_supports_sc =
+         controller_get_interface()->supports_secure_connections();
+     /* device in Secure Connections Only mode */
+-    if (!(local_supports_sc) ||
+-        !(p_dev_rec->remote_supports_secure_connections)) {
++    if (!(local_supports_sc) || !(p_dev_rec->SupportsSecureConnections())) {
+       BTM_TRACE_DEBUG("%s: SC only service, local_support_for_sc %d,",
+                       " remote_support_for_sc 0x%02x -> fail pairing", __func__,
+                       local_supports_sc,
+-                      p_dev_rec->remote_supports_secure_connections);
++                      p_dev_rec->SupportsSecureConnections());
+ 
+       err_code = HCI_ERR_PAIRING_NOT_ALLOWED;
+     }
+@@ -5789,7 +5785,7 @@ void btm_sec_set_peer_sec_caps(tACL_CONN* p_acl_cb,
+ 
+   BTM_TRACE_API("%s: sm4: 0x%02x, rmt_support_for_secure_connections %d",
+                 __func__, p_dev_rec->sm4,
+-                p_dev_rec->remote_supports_secure_connections);
++                p_dev_rec->SupportsSecureConnections());
+ 
+   if (p_dev_rec->remote_features_needed) {
+     BTM_TRACE_EVENT(

Patches/LineageOS-17.1/android_system_bt/403313.patch

@@ -0,0 +1,85 @@
+From 060dad70cc532963ab0ff727aa8aebf8f8424beb Mon Sep 17 00:00:00 2001
+From: Hansong Zhang <hsz@google.com>
+Date: Tue, 20 Oct 2020 18:48:52 -0700
+Subject: [PATCH] Refactor btm_sec_set_peer_sec_caps
+
+No need to pass acl_cb
+
+Bug: 159815595
+Tag: #refactor
+Test: compile & verify basic functions working
+Change-Id: I7cb1bae627c731106ab3a93442acb8f6bb2018fa
+---
+ stack/btm/btm_acl.cc | 15 +++++++++++++--
+ stack/btm/btm_int.h  |  2 +-
+ stack/btm/btm_sec.cc |  7 +++----
+ 3 files changed, 17 insertions(+), 7 deletions(-)
+
+diff --git a/stack/btm/btm_acl.cc b/stack/btm/btm_acl.cc
+index 55772e69883..4717a95d7b2 100644
+--- a/stack/btm/btm_acl.cc
++++ b/stack/btm/btm_acl.cc
+@@ -261,7 +261,13 @@ void btm_acl_created(const RawAddress& bda, DEV_CLASS dc, BD_NAME bdn,
+           const uint8_t req_pend = (p_dev_rec->sm4 & BTM_SM4_REQ_PEND);
+ 
+           /* Store the Peer Security Capabilites (in SM4 and rmt_sec_caps) */
+-          btm_sec_set_peer_sec_caps(p, p_dev_rec);
++          bool ssp_supported =
++              HCI_SSP_HOST_SUPPORTED(p->peer_lmp_feature_pages[1]);
++          bool secure_connections_supported =
++              HCI_SC_HOST_SUPPORTED(p->peer_lmp_feature_pages[1]);
++          btm_sec_set_peer_sec_caps(ssp_supported, secure_connections_supported,
++                                    p_dev_rec);
++
+ 
+           BTM_TRACE_API("%s: pend:%d", __func__, req_pend);
+           if (req_pend) {
+@@ -957,7 +963,12 @@ void btm_process_remote_ext_features(tACL_CONN* p_acl_cb,
+   const uint8_t req_pend = (p_dev_rec->sm4 & BTM_SM4_REQ_PEND);
+ 
+   /* Store the Peer Security Capabilites (in SM4 and rmt_sec_caps) */
+-  btm_sec_set_peer_sec_caps(p_acl_cb, p_dev_rec);
++  bool ssp_supported =
++      HCI_SSP_HOST_SUPPORTED(p_acl_cb->peer_lmp_feature_pages[1]);
++  bool secure_connections_supported =
++      HCI_SC_HOST_SUPPORTED(p_acl_cb->peer_lmp_feature_pages[1]);
++  btm_sec_set_peer_sec_caps(ssp_supported, secure_connections_supported,
++                            p_dev_rec);
+ 
+   BTM_TRACE_API("%s: pend:%d", __func__, req_pend);
+   if (req_pend) {
+diff --git a/stack/btm/btm_int.h b/stack/btm/btm_int.h
+index 05180db5eed..3ecca642245 100644
+--- a/stack/btm/btm_int.h
++++ b/stack/btm/btm_int.h
+@@ -258,7 +258,7 @@ extern void btm_sec_pin_code_request(const RawAddress& p_bda);
+ extern void btm_sec_update_clock_offset(uint16_t handle, uint16_t clock_offset);
+ extern void btm_sec_dev_rec_cback_event(tBTM_SEC_DEV_REC* p_dev_rec,
+                                         uint8_t res, bool is_le_trasnport);
+-extern void btm_sec_set_peer_sec_caps(tACL_CONN* p_acl_cb,
++extern void btm_sec_set_peer_sec_caps(bool ssp_supported, bool sc_supported,
+                                       tBTM_SEC_DEV_REC* p_dev_rec);
+ 
+ extern void btm_sec_clear_ble_keys(tBTM_SEC_DEV_REC* p_dev_rec);
+diff --git a/stack/btm/btm_sec.cc b/stack/btm/btm_sec.cc
+index bd11381abb2..150ab7daf6b 100644
+--- a/stack/btm/btm_sec.cc
++++ b/stack/btm/btm_sec.cc
+@@ -5770,14 +5770,13 @@ static bool btm_sec_queue_encrypt_request(const RawAddress& bd_addr,
+  * Returns          void
+  *
+  ******************************************************************************/
+-void btm_sec_set_peer_sec_caps(tACL_CONN* p_acl_cb,
++void btm_sec_set_peer_sec_caps(bool ssp_supported, bool sc_supported,
+                                tBTM_SEC_DEV_REC* p_dev_rec) {
+   if ((btm_cb.security_mode == BTM_SEC_MODE_SP ||
+        btm_cb.security_mode == BTM_SEC_MODE_SC) &&
+-      HCI_SSP_HOST_SUPPORTED(p_acl_cb->peer_lmp_feature_pages[1])) {
++      ssp_supported) {
+     p_dev_rec->sm4 = BTM_SM4_TRUE;
+-    p_dev_rec->remote_supports_secure_connections =
+-        (HCI_SC_HOST_SUPPORTED(p_acl_cb->peer_lmp_feature_pages[1]));
++    p_dev_rec->remote_supports_secure_connections = sc_supported;
+   } else {
+     p_dev_rec->sm4 = BTM_SM4_KNOWN;
+     p_dev_rec->remote_supports_secure_connections = false;

Patches/LineageOS-17.1/android_system_bt/403314.patch

@@ -0,0 +1,85 @@
+From b13614438f7619007dd09a0805bbaf21db27c8b1 Mon Sep 17 00:00:00 2001
+From: Hansong Zhang <hsz@google.com>
+Date: Thu, 29 Oct 2020 20:29:14 -0700
+Subject: [PATCH] Use btm_sec_set_peer_sec_caps to store features
+
+Bug: 159815595
+Tag: #refactor
+Test: compile & verify basic functions working
+Change-Id: If9aba469bceb3d45ccd566dba0ec9c445f2a8102
+---
+ stack/btm/btm_acl.cc | 10 ++++------
+ stack/btm/btm_int.h  |  4 ++--
+ stack/btm/btm_sec.cc |  8 ++++++--
+ 3 files changed, 12 insertions(+), 10 deletions(-)
+
+diff --git a/stack/btm/btm_acl.cc b/stack/btm/btm_acl.cc
+index 4717a95d7b..14390482e2 100644
+--- a/stack/btm/btm_acl.cc
++++ b/stack/btm/btm_acl.cc
+@@ -260,13 +260,12 @@ void btm_acl_created(const RawAddress& bda, DEV_CLASS dc, BD_NAME bdn,
+ 
+           const uint8_t req_pend = (p_dev_rec->sm4 & BTM_SM4_REQ_PEND);
+ 
+-          /* Store the Peer Security Capabilites (in SM4 and rmt_sec_caps) */
+           bool ssp_supported =
+               HCI_SSP_HOST_SUPPORTED(p->peer_lmp_feature_pages[1]);
+           bool secure_connections_supported =
+               HCI_SC_HOST_SUPPORTED(p->peer_lmp_feature_pages[1]);
+-          btm_sec_set_peer_sec_caps(ssp_supported, secure_connections_supported,
+-                                    p_dev_rec);
++          btm_sec_set_peer_sec_caps(hci_handle, ssp_supported,
++                                    secure_connections_supported);
+ 
+ 
+           BTM_TRACE_API("%s: pend:%d", __func__, req_pend);
+@@ -962,13 +961,12 @@ void btm_process_remote_ext_features(tACL_CONN* p_acl_cb,
+   }
+   const uint8_t req_pend = (p_dev_rec->sm4 & BTM_SM4_REQ_PEND);
+ 
+-  /* Store the Peer Security Capabilites (in SM4 and rmt_sec_caps) */
+   bool ssp_supported =
+       HCI_SSP_HOST_SUPPORTED(p_acl_cb->peer_lmp_feature_pages[1]);
+   bool secure_connections_supported =
+       HCI_SC_HOST_SUPPORTED(p_acl_cb->peer_lmp_feature_pages[1]);
+-  btm_sec_set_peer_sec_caps(ssp_supported, secure_connections_supported,
+-                            p_dev_rec);
++  btm_sec_set_peer_sec_caps(handle, ssp_supported,
++                            secure_connections_supported);
+ 
+   BTM_TRACE_API("%s: pend:%d", __func__, req_pend);
+   if (req_pend) {
+diff --git a/stack/btm/btm_int.h b/stack/btm/btm_int.h
+index 3ecca64224..b5205aa43f 100644
+--- a/stack/btm/btm_int.h
++++ b/stack/btm/btm_int.h
+@@ -258,8 +258,8 @@ extern void btm_sec_pin_code_request(const RawAddress& p_bda);
+ extern void btm_sec_update_clock_offset(uint16_t handle, uint16_t clock_offset);
+ extern void btm_sec_dev_rec_cback_event(tBTM_SEC_DEV_REC* p_dev_rec,
+                                         uint8_t res, bool is_le_trasnport);
+-extern void btm_sec_set_peer_sec_caps(bool ssp_supported, bool sc_supported,
+-                                      tBTM_SEC_DEV_REC* p_dev_rec);
++extern void btm_sec_set_peer_sec_caps(uint16_t hci_handle, bool ssp_supported,
++                                      bool sc_supported);
+ 
+ extern void btm_sec_clear_ble_keys(tBTM_SEC_DEV_REC* p_dev_rec);
+ extern bool btm_sec_is_a_bonded_dev(const RawAddress& bda);
+diff --git a/stack/btm/btm_sec.cc b/stack/btm/btm_sec.cc
+index 150ab7daf6..dcf01745d6 100644
+--- a/stack/btm/btm_sec.cc
++++ b/stack/btm/btm_sec.cc
+@@ -5770,8 +5770,12 @@ static bool btm_sec_queue_encrypt_request(const RawAddress& bd_addr,
+  * Returns          void
+  *
+  ******************************************************************************/
+-void btm_sec_set_peer_sec_caps(bool ssp_supported, bool sc_supported,
+-                               tBTM_SEC_DEV_REC* p_dev_rec) {
++void btm_sec_set_peer_sec_caps(uint16_t hci_handle, bool ssp_supported,
++                               bool sc_supported) {
++  tBTM_SEC_DEV_REC* p_dev_rec = btm_find_dev_by_handle(hci_handle);
++  if (p_dev_rec == nullptr) return;
++
++  /* Store the Peer Security Capabilites (in SM4 and rmt_sec_caps) */
+   if ((btm_cb.security_mode == BTM_SEC_MODE_SP ||
+        btm_cb.security_mode == BTM_SEC_MODE_SC) &&
+       ssp_supported) {

Patches/LineageOS-17.1/android_system_bt/403315.patch

@@ -0,0 +1,266 @@
+From 0b49d63202e63201a10b1eb2d1e3943b73a8a7b5 Mon Sep 17 00:00:00 2001
+From: Brian Delwiche <delwiche@google.com>
+Date: Sat, 25 May 2024 00:28:41 +0000
+Subject: [PATCH] Add support for checking security downgrade
+
+As a guard against the BLUFFS attack, we will need to check the security
+parameters of incoming connections against cached values and disallow
+connection if these parameters are downgraded or changed from their
+cached values.
+
+Future CLs will add checks during connection.  This CL adds the
+functions that will be needed to perform those checks and the necessary
+mocks.
+Currently supported checks are : IO capabilities (must be an exact match),
+Secure Connections capability (must not be a downgrade), and session key
+length (must not be a downgrade).  Maximum session key length, which was
+previously not cached, has been added to the device security manager
+cache.
+
+To QA: This CL is a logical no-op by itself.  Tests should be performed as described in ag/25815924 and ag/25815925/
+
+Bug: 314331379
+Test: m libbluetooth
+Tag: #security
+Ignore-AOSP-First: Security
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:82382a934cf4a11b979de286e3f9ada723a740a3)
+Merged-In: I8810c1bf9b3d3af1108cf621e2c51537e429c0f3
+Change-Id: I8810c1bf9b3d3af1108cf621e2c51537e429c0f3
+---
+ btif/src/btif_storage.cc     |  31 ++++++++++-
+ include/hardware/bluetooth.h |  14 +++++
+ service/logging_helpers.cc   |   2 +
+ stack/btm/btm_int.h          |   3 +
+ stack/btm/btm_sec.cc         | 103 +++++++++++++++++++++++++++++++++++
+ 5 files changed, 152 insertions(+), 1 deletion(-)
+
+diff --git a/btif/src/btif_storage.cc b/btif/src/btif_storage.cc
+index 2427493cd5b..200ea2c4e42 100644
+--- a/btif/src/btif_storage.cc
++++ b/btif/src/btif_storage.cc
+@@ -84,7 +84,10 @@ using bluetooth::Uuid;
+ #define BTIF_STORAGE_KEY_ADAPTER_SCANMODE "ScanMode"
+ #define BTIF_STORAGE_KEY_LOCAL_IO_CAPS "LocalIOCaps"
+ #define BTIF_STORAGE_KEY_LOCAL_IO_CAPS_BLE "LocalIOCapsBLE"
++#define BTIF_STORAGE_KEY_MAX_SESSION_KEY_SIZE "MaxSessionKeySize"
+ #define BTIF_STORAGE_KEY_ADAPTER_DISC_TIMEOUT "DiscoveryTimeout"
++#define BTIF_STORAGE_KEY_SECURE_CONNECTIONS_SUPPORTED \
++  "SecureConnectionsSupported"
+ 
+ /* This is a local property to add a device found */
+ #define BT_PROPERTY_REMOTE_DEVICE_TIMESTAMP 0xFF
+@@ -267,7 +270,14 @@ static int prop2cfg(const RawAddress* remote_bd_addr, bt_property_t* prop) {
+       btif_config_set_int(bdstr, BTIF_STORAGE_PATH_REMOTE_VER_SUBVER,
+                           info->sub_ver);
+     } break;
+-
++    case BT_PROPERTY_REMOTE_SECURE_CONNECTIONS_SUPPORTED:
++      btif_config_set_int(bdstr, BTIF_STORAGE_KEY_SECURE_CONNECTIONS_SUPPORTED,
++                          *(uint8_t*)prop->val);
++      break;
++    case BT_PROPERTY_REMOTE_MAX_SESSION_KEY_SIZE:
++      btif_config_set_int(bdstr, BTIF_STORAGE_KEY_MAX_SESSION_KEY_SIZE,
++                          *(uint8_t*)prop->val);
++      break;
+     default:
+       BTIF_TRACE_ERROR("Unknown prop type:%d", prop->type);
+       return false;
+@@ -394,6 +404,25 @@ static int cfg2prop(const RawAddress* remote_bd_addr, bt_property_t* prop) {
+                                     &info->sub_ver);
+       }
+     } break;
++    case BT_PROPERTY_REMOTE_SECURE_CONNECTIONS_SUPPORTED: {
++      int val;
++
++      if (prop->len >= (int)sizeof(uint8_t)) {
++        ret = btif_config_get_int(
++            bdstr, BTIF_STORAGE_KEY_SECURE_CONNECTIONS_SUPPORTED, &val);
++        *(uint8_t*)prop->val = (uint8_t)val;
++      }
++    } break;
++
++    case BT_PROPERTY_REMOTE_MAX_SESSION_KEY_SIZE: {
++      int val;
++
++      if (prop->len >= (int)sizeof(uint8_t)) {
++        ret = btif_config_get_int(bdstr, BTIF_STORAGE_KEY_MAX_SESSION_KEY_SIZE,
++                                  &val);
++        *(uint8_t*)prop->val = (uint8_t)val;
++      }
++    } break;
+ 
+     default:
+       BTIF_TRACE_ERROR("Unknow prop type:%d", prop->type);
+diff --git a/include/hardware/bluetooth.h b/include/hardware/bluetooth.h
+index cd070a7fb28..7de2bbe7a18 100644
+--- a/include/hardware/bluetooth.h
++++ b/include/hardware/bluetooth.h
+@@ -262,6 +262,20 @@ typedef enum {
+    */
+   BT_PROPERTY_LOCAL_IO_CAPS_BLE,
+ 
++  /**
++   * Description - Whether remote device supports Secure Connections mode
++   * Access mode - GET and SET.
++   * Data Type - uint8_t.
++   */
++  BT_PROPERTY_REMOTE_SECURE_CONNECTIONS_SUPPORTED,
++
++  /**
++   * Description - Maximum observed session key for remote device
++   * Access mode - GET and SET.
++   * Data Type - uint8_t.
++   */
++  BT_PROPERTY_REMOTE_MAX_SESSION_KEY_SIZE,
++
+   BT_PROPERTY_REMOTE_DEVICE_TIMESTAMP = 0xFF,
+ } bt_property_type_t;
+ 
+diff --git a/service/logging_helpers.cc b/service/logging_helpers.cc
+index 70f8720c6d8..17ebe952056 100644
+--- a/service/logging_helpers.cc
++++ b/service/logging_helpers.cc
+@@ -117,6 +117,8 @@ const char* BtPropertyText(const bt_property_type_t prop) {
+     CASE_RETURN_TEXT(BT_PROPERTY_REMOTE_VERSION_INFO);
+     CASE_RETURN_TEXT(BT_PROPERTY_LOCAL_LE_FEATURES);
+     CASE_RETURN_TEXT(BT_PROPERTY_REMOTE_DEVICE_TIMESTAMP);
++    CASE_RETURN_TEXT(BT_PROPERTY_REMOTE_SECURE_CONNECTIONS_SUPPORTED);
++    CASE_RETURN_TEXT(BT_PROPERTY_REMOTE_MAX_SESSION_KEY_SIZE);
+     default:
+       return "Invalid property";
+   }
+diff --git a/stack/btm/btm_int.h b/stack/btm/btm_int.h
+index b5205aa43fc..971a02faa20 100644
+--- a/stack/btm/btm_int.h
++++ b/stack/btm/btm_int.h
+@@ -238,6 +238,8 @@ extern void btm_sec_abort_access_req(const RawAddress& bd_addr);
+ extern void btm_sec_auth_complete(uint16_t handle, uint8_t status);
+ extern void btm_sec_encrypt_change(uint16_t handle, uint8_t status,
+                                    uint8_t encr_enable);
++bool btm_sec_is_session_key_size_downgrade(uint16_t hci_handle,
++                                           uint8_t key_size);
+ extern void btm_sec_connected(const RawAddress& bda, uint16_t handle,
+                               uint8_t status, uint8_t enc_mode);
+ extern tBTM_STATUS btm_sec_disconnect(uint16_t handle, uint8_t reason);
+@@ -256,6 +258,7 @@ extern void btm_sec_link_key_notification(const RawAddress& p_bda,
+ extern void btm_sec_link_key_request(const RawAddress& p_bda);
+ extern void btm_sec_pin_code_request(const RawAddress& p_bda);
+ extern void btm_sec_update_clock_offset(uint16_t handle, uint16_t clock_offset);
++void btm_sec_update_session_key_size(uint16_t hci_handle, uint8_t key_size);
+ extern void btm_sec_dev_rec_cback_event(tBTM_SEC_DEV_REC* p_dev_rec,
+                                         uint8_t res, bool is_le_trasnport);
+ extern void btm_sec_set_peer_sec_caps(uint16_t hci_handle, bool ssp_supported,
+diff --git a/stack/btm/btm_sec.cc b/stack/btm/btm_sec.cc
+index dcf01745d6c..835a5d7c5bf 100644
+--- a/stack/btm/btm_sec.cc
++++ b/stack/btm/btm_sec.cc
+@@ -220,6 +220,109 @@ static bool btm_serv_trusted(tBTM_SEC_DEV_REC* p_dev_rec,
+   return (false);
+ }
+ 
++/*******************************************************************************
++ *
++ * Function         btm_sec_is_device_sc_downgrade
++ *
++ * Description      Check for a stored device record matching the candidate
++ *                  device, and return true if the stored device has reported
++ *                  that it supports Secure Connections mode and the candidate
++ *                  device reports that it does not.  Otherwise, return false.
++ *
++ * Returns          bool
++ *
++ ******************************************************************************/
++static bool btm_sec_is_device_sc_downgrade(uint16_t hci_handle,
++                                           bool secure_connections_supported) {
++  if (secure_connections_supported) return false;
++
++  tBTM_SEC_DEV_REC* p_dev_rec = btm_find_dev_by_handle(hci_handle);
++  if (p_dev_rec == nullptr) return false;
++
++  uint8_t property_val = 0;
++  bt_property_t property = {
++      .type = BT_PROPERTY_REMOTE_SECURE_CONNECTIONS_SUPPORTED,
++      .len = sizeof(uint8_t),
++      .val = &property_val};
++
++  bt_status_t cached =
++      btif_storage_get_remote_device_property(&p_dev_rec->bd_addr, &property);
++
++  if (cached == BT_STATUS_FAIL) return false;
++
++  return (bool)property_val;
++}
++
++/*******************************************************************************
++ *
++ * Function         btm_sec_store_device_sc_support
++ *
++ * Description      Save Secure Connections support for this device to file
++ *
++ ******************************************************************************/
++
++static void btm_sec_store_device_sc_support(uint16_t hci_handle,
++                                            bool secure_connections_supported) {
++  tBTM_SEC_DEV_REC* p_dev_rec = btm_find_dev_by_handle(hci_handle);
++  if (p_dev_rec == nullptr) return;
++
++  uint8_t property_val = (uint8_t)secure_connections_supported;
++  bt_property_t property = {
++      .type = BT_PROPERTY_REMOTE_SECURE_CONNECTIONS_SUPPORTED,
++      .len = sizeof(uint8_t),
++      .val = &property_val};
++
++  btif_storage_set_remote_device_property(&p_dev_rec->bd_addr, &property);
++}
++
++/*******************************************************************************
++ *
++ * Function         btm_sec_is_session_key_size_downgrade
++ *
++ * Description      Check if there is a stored device record matching this
++ *                  handle, and return true if the stored record has a lower
++ *                  session key size than the candidate device.
++ *
++ * Returns          bool
++ *
++ ******************************************************************************/
++bool btm_sec_is_session_key_size_downgrade(uint16_t hci_handle,
++                                           uint8_t key_size) {
++  tBTM_SEC_DEV_REC* p_dev_rec = btm_find_dev_by_handle(hci_handle);
++  if (p_dev_rec == nullptr) return false;
++
++  uint8_t property_val = 0;
++  bt_property_t property = {.type = BT_PROPERTY_REMOTE_MAX_SESSION_KEY_SIZE,
++                            .len = sizeof(uint8_t),
++                            .val = &property_val};
++
++  bt_status_t cached =
++      btif_storage_get_remote_device_property(&p_dev_rec->bd_addr, &property);
++
++  if (cached == BT_STATUS_FAIL) return false;
++
++  return property_val > key_size;
++}
++
++/*******************************************************************************
++ *
++ * Function         btm_sec_update_session_key_size
++ *
++ * Description      Store the max session key size to disk, if possible.
++ *
++ ******************************************************************************/
++void btm_sec_update_session_key_size(uint16_t hci_handle, uint8_t key_size) {
++  tBTM_SEC_DEV_REC* p_dev_rec = btm_find_dev_by_handle(hci_handle);
++  if (p_dev_rec == nullptr) return;
++
++  uint8_t property_val = key_size;
++  bt_property_t property = {.type = BT_PROPERTY_REMOTE_MAX_SESSION_KEY_SIZE,
++                            .len = sizeof(uint8_t),
++                            .val = &property_val};
++
++  btif_storage_set_remote_device_property(&p_dev_rec->bd_addr, &property);
++}
++
+ /*******************************************************************************
+  *
+  * Function         access_secure_service_from_temp_bond

Patches/LineageOS-17.1/android_system_bt/403316.patch

@@ -0,0 +1,60 @@
+From 53a4eb2e74169493aad8f4ea49ab1dc086a3513d Mon Sep 17 00:00:00 2001
+From: Brian Delwiche <delwiche@google.com>
+Date: Fri, 31 May 2024 21:46:17 +0000
+Subject: [PATCH] Disallow connect with Secure Connections downgrade
+
+As a guard against the BLUFFS attack, check security parameters of
+incoming connections against cached values and disallow connection if
+these parameters are downgraded or changed from their cached values.
+
+This CL adds the connection-time check for Secure Connections mode.
+
+Bug: 314331379
+Test: m libbluetooth
+Test: manual
+
+To test this CL, please ensure that BR/EDR initial connections and reconnections  (after cycling remote devices, cycling Bluetooth, restarting the phone, etc.) work against remote devices which both support and do not support Secure Connections mode, and with all supported bonding types.  Basic validation of LE bonding functionality should be done as well.
+
+Tag: #security
+Ignore-AOSP-First: Security
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:4da47591b9530849123c238b2747f5304058db2d)
+Merged-In: I7b9dd1a18f1c04df88aabe89d4790fef9112da7e
+Change-Id: I7b9dd1a18f1c04df88aabe89d4790fef9112da7e
+---
+ stack/btm/btm_sec.cc | 16 ++++++++++++++++
+ 1 file changed, 16 insertions(+)
+
+diff --git a/stack/btm/btm_sec.cc b/stack/btm/btm_sec.cc
+index 835a5d7c5b..d5d698c274 100644
+--- a/stack/btm/btm_sec.cc
++++ b/stack/btm/btm_sec.cc
+@@ -4751,6 +4751,13 @@ void btm_sec_link_key_notification(const RawAddress& p_bda,
+     }
+   }
+ 
++  if (p_dev_rec->is_bond_type_persistent() &&
++      (p_dev_rec->is_device_type_br_edr() ||
++       p_dev_rec->is_device_type_dual_mode())) {
++    btm_sec_store_device_sc_support(p_dev_rec->get_br_edr_hci_handle(),
++                                    p_dev_rec->SupportsSecureConnections());
++  }
++
+   /* If name is not known at this point delay calling callback until the name is
+    */
+   /* resolved. Unless it is a HID Device and we really need to send all link
+@@ -5878,6 +5885,15 @@ void btm_sec_set_peer_sec_caps(uint16_t hci_handle, bool ssp_supported,
+   tBTM_SEC_DEV_REC* p_dev_rec = btm_find_dev_by_handle(hci_handle);
+   if (p_dev_rec == nullptr) return;
+ 
++  // Drop the connection here if the remote attempts to downgrade from Secure
++  // Connections mode.
++  if (btm_sec_is_device_sc_downgrade(hci_handle, sc_supported)) {
++    btm_cb.acl_disc_reason = HCI_ERR_HOST_REJECT_SECURITY;
++    btm_sec_send_hci_disconnect(p_dev_rec, HCI_ERR_AUTH_FAILURE, hci_handle);
++    LOG_WARN(LOG_TAG, "Remote attempted to downgrade from Secure Connections mode");
++    return;
++  }
++
+   /* Store the Peer Security Capabilites (in SM4 and rmt_sec_caps) */
+   if ((btm_cb.security_mode == BTM_SEC_MODE_SP ||
+        btm_cb.security_mode == BTM_SEC_MODE_SC) &&

Patches/LineageOS-17.1/android_system_bt/403317.patch

@@ -0,0 +1,54 @@
+From ee89e827180526082add19d08c480b72e9324e2d Mon Sep 17 00:00:00 2001
+From: Brian Delwiche <delwiche@google.com>
+Date: Fri, 31 May 2024 21:50:12 +0000
+Subject: [PATCH] Disallow connect with key length downgrade
+
+As a guard against the BLUFFS attack, check security parameters of
+incoming connections against cached values and disallow connection if
+these parameters are downgraded or changed from their cached values.
+
+This CL adds the connection-time check for session key length.
+
+To test, please validate that bonding can be established and
+reestablished against devices with session key lengths of 7 and 16 bits,
+that session key lengths of less than 7 bits are refused, and that basic
+LE bonding functionality still works.  If it is possible to configure a
+remote device to establish a bond with a session key length of 16 bits
+and then reduce that key length to <16 bits before reconnection, this
+should fail.
+
+Bug: 314331379
+Test: m libbluetooth
+Test: manual
+
+Tag: #security
+Ignore-AOSP-First: Security
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:bd88324876a8664899bd23e926675d7c1b2bbfb2)
+Merged-In: I5b931ddb4876b529ed0c2e1138c02382291216ab
+Change-Id: I5b931ddb4876b529ed0c2e1138c02382291216ab
+---
+ stack/btu/btu_hcif.cc | 11 +++++++++++
+ 1 file changed, 11 insertions(+)
+
+diff --git a/stack/btu/btu_hcif.cc b/stack/btu/btu_hcif.cc
+index 7bf385ea3d..615d3c6899 100644
+--- a/stack/btu/btu_hcif.cc
++++ b/stack/btu/btu_hcif.cc
+@@ -1171,6 +1171,17 @@ static void read_encryption_key_size_complete_after_encryption_change(uint8_t st
+     return;
+   }
+ 
++  if (btm_sec_is_session_key_size_downgrade(handle, key_size)) {
++    LOG_ERROR(LOG_TAG,
++        "encryption key size lower than cached value, disconnecting. "
++        "handle: 0x%x attempted key size: %d",
++        handle, key_size);
++    btsnd_hcic_disconnect(handle, HCI_ERR_HOST_REJECT_SECURITY);
++    return;
++  }
++
++  btm_sec_update_session_key_size(handle, key_size);
++
+   // good key size - succeed
+   btm_acl_encrypt_change(handle, status, 1 /* enable */);
+   btm_sec_encrypt_change(handle, status, 1 /* enable */);

Patches/LineageOS-17.1/android_vendor_qcom_opensource_system_bt/403318.patch

@@ -0,0 +1,144 @@
+From a85afea964ff0589e474b816ffa941b371076af8 Mon Sep 17 00:00:00 2001
+From: Hansong Zhang <hsz@google.com>
+Date: Tue, 11 Aug 2020 12:39:26 -0700
+Subject: [PATCH] Clean up BTM_SEC_MODE
+
+Can never be BTM_SEC_MODE_UNDEFINED, BTM_SEC_MODE_NONE,
+BTM_SEC_MODE_LINK, or BTM_SEC_MODE_SP_DEBUG
+
+Bug: 159815595
+Tag: #refactor
+Test: compile & verify basic functions working
+Change-Id: Ib567b050a3cd38e0f77f1b875476ad84c3e949fa
+---
+ stack/btm/btm_sec.cc          | 29 ++++-------------------------
+ stack/include/btm_api_types.h |  4 ----
+ 2 files changed, 4 insertions(+), 29 deletions(-)
+
+diff --git a/stack/btm/btm_sec.cc b/stack/btm/btm_sec.cc
+index 1e7913854..9edf7cce5 100644
+--- a/stack/btm/btm_sec.cc
++++ b/stack/btm/btm_sec.cc
+@@ -626,7 +626,6 @@ static bool btm_sec_set_security_level(CONNECTION_TYPE conn_type,
+           BTM_SEC_IN_MITM | BTM_SEC_IN_MIN_16_DIGIT_PIN);
+ 
+     if (btm_cb.security_mode == BTM_SEC_MODE_SP ||
+-        btm_cb.security_mode == BTM_SEC_MODE_SP_DEBUG ||
+         btm_cb.security_mode == BTM_SEC_MODE_SC) {
+       if (sec_level & BTM_SEC_OUT_AUTHENTICATE) sec_level |= BTM_SEC_OUT_MITM;
+     }
+@@ -673,7 +672,6 @@ static bool btm_sec_set_security_level(CONNECTION_TYPE conn_type,
+                    BTM_SEC_OUT_AUTHENTICATE | BTM_SEC_OUT_MITM);
+ 
+     if (btm_cb.security_mode == BTM_SEC_MODE_SP ||
+-        btm_cb.security_mode == BTM_SEC_MODE_SP_DEBUG ||
+         btm_cb.security_mode == BTM_SEC_MODE_SC) {
+       if (sec_level & BTM_SEC_IN_AUTHENTICATE) sec_level |= BTM_SEC_IN_MITM;
+     }
+@@ -1103,7 +1101,6 @@ tBTM_STATUS btm_sec_bond_by_transport(const RawAddress& bd_addr,
+     if (btm_sec_check_prefetch_pin(p_dev_rec)) return (BTM_CMD_STARTED);
+   }
+   if ((btm_cb.security_mode == BTM_SEC_MODE_SP ||
+-       btm_cb.security_mode == BTM_SEC_MODE_SP_DEBUG ||
+        btm_cb.security_mode == BTM_SEC_MODE_SC) &&
+       BTM_SEC_IS_SM4_UNKNOWN(p_dev_rec->sm4)) {
+     /* local is 2.1 and peer is unknown */
+@@ -2227,10 +2224,7 @@ tBTM_STATUS btm_sec_l2cap_access_req(const RawAddress& bd_addr, uint16_t psm,
+     BTM_TRACE_EVENT("security_flags:x%x, sec_flags:x%x", security_required,
+                     p_dev_rec->sec_flags);
+     rc = BTM_CMD_STARTED;
+-    if ((btm_cb.security_mode == BTM_SEC_MODE_UNDEFINED ||
+-         btm_cb.security_mode == BTM_SEC_MODE_NONE ||
+-         btm_cb.security_mode == BTM_SEC_MODE_SERVICE ||
+-         btm_cb.security_mode == BTM_SEC_MODE_LINK) ||
++    if ((btm_cb.security_mode == BTM_SEC_MODE_SERVICE) ||
+         (BTM_SM4_KNOWN == p_dev_rec->sm4) ||
+         (BTM_SEC_IS_SM4(p_dev_rec->sm4) &&
+          (btm_sec_is_upgrade_possible(p_dev_rec, is_originator) == false))) {
+@@ -2308,7 +2302,6 @@ tBTM_STATUS btm_sec_l2cap_access_req(const RawAddress& bd_addr, uint16_t psm,
+ 
+   /* Modify security_required in btm_sec_l2cap_access_req for Lisbon */
+   if (btm_cb.security_mode == BTM_SEC_MODE_SP ||
+-      btm_cb.security_mode == BTM_SEC_MODE_SP_DEBUG ||
+       btm_cb.security_mode == BTM_SEC_MODE_SC) {
+     if (BTM_SEC_IS_SM4(p_dev_rec->sm4)) {
+       if (is_originator) {
+@@ -2382,10 +2375,7 @@ tBTM_STATUS btm_sec_l2cap_access_req(const RawAddress& bd_addr, uint16_t psm,
+    * L2CAP connect
+    * response is received */
+   if (is_originator &&
+-      ((btm_cb.security_mode == BTM_SEC_MODE_UNDEFINED ||
+-        btm_cb.security_mode == BTM_SEC_MODE_NONE ||
+-        btm_cb.security_mode == BTM_SEC_MODE_SERVICE ||
+-        btm_cb.security_mode == BTM_SEC_MODE_LINK) ||
++      ((btm_cb.security_mode == BTM_SEC_MODE_SERVICE) ||
+        !BTM_SEC_IS_SM4(p_dev_rec->sm4)) &&
+       (psm >= 0x1001)) {
+     BTM_TRACE_EVENT(
+@@ -2550,10 +2540,7 @@ tBTM_STATUS btm_sec_mx_access_request(const RawAddress& bd_addr, uint16_t psm,
+ 
+     rc = BTM_CMD_STARTED;
+ 
+-    if ((btm_cb.security_mode == BTM_SEC_MODE_UNDEFINED ||
+-         btm_cb.security_mode == BTM_SEC_MODE_NONE ||
+-         btm_cb.security_mode == BTM_SEC_MODE_SERVICE ||
+-         btm_cb.security_mode == BTM_SEC_MODE_LINK) ||
++    if ((btm_cb.security_mode == BTM_SEC_MODE_SERVICE) ||
+         (BTM_SM4_KNOWN == p_dev_rec->sm4) ||
+         (BTM_SEC_IS_SM4(p_dev_rec->sm4) &&
+          (btm_sec_is_upgrade_possible(p_dev_rec, is_originator) == false))) {
+@@ -2673,7 +2660,6 @@ tBTM_STATUS btm_sec_mx_access_request(const RawAddress& bd_addr, uint16_t psm,
+   p_dev_rec->security_required = security_required;
+ 
+   if (btm_cb.security_mode == BTM_SEC_MODE_SP ||
+-      btm_cb.security_mode == BTM_SEC_MODE_SP_DEBUG ||
+       btm_cb.security_mode == BTM_SEC_MODE_SC) {
+     if (BTM_SEC_IS_SM4(p_dev_rec->sm4)) {
+       if ((p_dev_rec->security_required & BTM_SEC_MODE4_LEVEL4) &&
+@@ -4680,9 +4666,6 @@ void btm_sec_connected(const RawAddress& bda, uint16_t handle, uint8_t status,
+     p_dev_rec->sec_flags |=
+         ((BTM_SEC_AUTHENTICATED | BTM_SEC_ENCRYPTED) << bit_shift);
+ 
+-  if (btm_cb.security_mode == BTM_SEC_MODE_LINK)
+-    p_dev_rec->sec_flags |= (BTM_SEC_AUTHENTICATED << bit_shift);
+-
+   if (p_dev_rec->pin_code_length >= 16 ||
+       p_dev_rec->link_key_type == BTM_LKEY_TYPE_AUTH_COMB ||
+       p_dev_rec->link_key_type == BTM_LKEY_TYPE_AUTH_COMB_P_256) {
+@@ -5842,10 +5825,7 @@ uint32_t* BTM_ReadTrustedMask(const RawAddress& bd_addr) {
+ static void btm_restore_mode(void) {
+   if (btm_cb.security_mode_changed) {
+     btm_cb.security_mode_changed = false;
+-    BTM_TRACE_DEBUG("%s() Auth enable -> %d", __func__,
+-                    (btm_cb.security_mode == BTM_SEC_MODE_LINK));
+-    btsnd_hcic_write_auth_enable(
+-        (uint8_t)(btm_cb.security_mode == BTM_SEC_MODE_LINK));
++    btsnd_hcic_write_auth_enable(false);
+   }
+ 
+   if (btm_cb.pin_type_changed) {
+@@ -6143,7 +6123,6 @@ static bool btm_sec_queue_encrypt_request(const RawAddress& bd_addr,
+ void btm_sec_set_peer_sec_caps(tACL_CONN* p_acl_cb,
+                                tBTM_SEC_DEV_REC* p_dev_rec) {
+   if ((btm_cb.security_mode == BTM_SEC_MODE_SP ||
+-       btm_cb.security_mode == BTM_SEC_MODE_SP_DEBUG ||
+        btm_cb.security_mode == BTM_SEC_MODE_SC) &&
+       HCI_SSP_HOST_SUPPORTED(p_acl_cb->peer_lmp_feature_pages[1])) {
+     p_dev_rec->sm4 = BTM_SM4_TRUE;
+diff --git a/stack/include/btm_api_types.h b/stack/include/btm_api_types.h
+index 5ed6586d2..c6620c13d 100644
+--- a/stack/include/btm_api_types.h
++++ b/stack/include/btm_api_types.h
+@@ -1099,12 +1099,8 @@ typedef void(tBTM_ESCO_CBACK)(tBTM_ESCO_EVT event, tBTM_ESCO_EVT_DATA* p_data);
+  *******************************/
+ 
+ /* Security Mode (BTM_SetSecurityMode) */
+-#define BTM_SEC_MODE_UNDEFINED 0
+-#define BTM_SEC_MODE_NONE 1
+ #define BTM_SEC_MODE_SERVICE 2
+-#define BTM_SEC_MODE_LINK 3
+ #define BTM_SEC_MODE_SP 4
+-#define BTM_SEC_MODE_SP_DEBUG 5
+ #define BTM_SEC_MODE_SC 6
+ 
+ /* Maximum Number of BTM Security Modes */

Patches/LineageOS-17.1/android_vendor_qcom_opensource_system_bt/403319.patch

@@ -0,0 +1,112 @@
+From 7de7f2049c84e82c38435ab74396a19406e594a5 Mon Sep 17 00:00:00 2001
+From: Chris Manton <cmanton@google.com>
+Date: Mon, 7 Sep 2020 09:37:31 -0700
+Subject: [PATCH] Add getters to
+ stack/btm/security_device_record::tBTM_SEC_DEV_REC
+
+Towards readable code
+
+Bug: 163134718
+Tag: #refactor
+Test: compile & verify basic functions working
+Test: act.py -tc BleCocTest
+
+Change-Id: Ia024a6977d606714f7edc58ded09f82a95703324
+---
+ stack/btm/btm_int_types.h | 60 +++++++++++++++++++++++++++++++++++++++
+ 1 file changed, 60 insertions(+)
+
+diff --git a/stack/btm/btm_int_types.h b/stack/btm/btm_int_types.h
+index f22456244..851aad488 100644
+--- a/stack/btm/btm_int_types.h
++++ b/stack/btm/btm_int_types.h
+@@ -552,6 +552,37 @@ typedef struct {
+ #define BTM_SEC_STATE_DISCONNECTING_BOTH 9 /* disconnecting BR/EDR and BLE */
+ 
+   uint8_t sec_state;  /* Operating state                    */
++  bool is_security_state_idle() const {
++    return sec_state == BTM_SEC_STATE_IDLE;
++  }
++  bool is_security_state_authenticating() const {
++    return sec_state == BTM_SEC_STATE_AUTHENTICATING;
++  }
++  bool is_security_state_encrypting() const {
++    return sec_state == BTM_SEC_STATE_ENCRYPTING;
++  }
++  bool is_security_state_getting_name() const {
++    return sec_state == BTM_SEC_STATE_GETTING_NAME;
++  }
++  bool is_security_state_authorizing() const {
++    return sec_state == BTM_SEC_STATE_AUTHORIZING;
++  }
++  bool is_security_state_switching_role() const {
++    return sec_state == BTM_SEC_STATE_SWITCHING_ROLE;
++  }
++  bool is_security_state_disconnecting() const {
++    return sec_state == BTM_SEC_STATE_DISCONNECTING;
++  }
++  bool is_security_state_wait_for_encryption() const {
++    return sec_state == BTM_SEC_STATE_DELAY_FOR_ENC;
++  }
++  bool is_security_state_ble_disconnecting() const {
++    return sec_state == BTM_SEC_STATE_DISCONNECTING_BLE;
++  }
++  bool is_security_state_br_edr_and_ble() const {
++    return sec_state == BTM_SEC_STATE_DISCONNECTING_BOTH;
++  }
++
+   bool is_originator; /* true if device is originating connection */
+ #if (L2CAP_UCD_INCLUDED == TRUE)
+   bool is_ucd; /* true if device is sending or receiving UCD */
+@@ -590,8 +621,20 @@ typedef struct {
+   /* it knows peer's support for Secure Connections */
+ 
+   uint16_t ble_hci_handle; /* use in DUMO connection */
++  uint16_t get_ble_hci_handle() const { return ble_hci_handle; }
++
+   uint8_t enc_key_size;    /* current link encryption key size */
++  uint8_t get_encryption_key_size() const { return enc_key_size; }
++
+   tBT_DEVICE_TYPE device_type;
++  bool is_device_type_br_edr() const {
++    return device_type == BT_DEVICE_TYPE_BREDR;
++  }
++  bool is_device_type_ble() const { return device_type == BT_DEVICE_TYPE_BLE; }
++  bool is_device_type_dual_mode() const {
++    return device_type == BT_DEVICE_TYPE_DUMO;
++  }
++
+   bool new_encryption_key_is_p256; /* Set to true when the newly generated LK
+                                    ** is generated from P-256.
+                                    ** Link encrypted with such LK can be used
+@@ -601,6 +644,14 @@ typedef struct {
+                             /* work, i.e. link keys crosspairing */
+                             /* SC BR/EDR->SC LE doesn't happen */
+   tBTM_BOND_TYPE bond_type; /* peering bond type */
++  bool is_bond_type_unknown() const { return bond_type == BOND_TYPE_UNKNOWN; }
++  bool is_bond_type_persistent() const {
++    return bond_type == BOND_TYPE_PERSISTENT;
++  }
++  bool is_bond_type_temporary() const {
++    return bond_type == BOND_TYPE_TEMPORARY;
++  }
++
+ 
+   tBTM_SEC_BLE ble;
+   tBTM_LE_CONN_PRAMS conn_params;
+@@ -616,6 +667,15 @@ typedef struct {
+ #define BTM_SEC_RS_PENDING 1     /* Role Switch in progress */
+ #define BTM_SEC_DISC_PENDING 2   /* Disconnect is pending */
+   uint8_t rs_disc_pending;
++  bool is_role_switch_idle() const {
++    return rs_disc_pending == BTM_SEC_RS_NOT_PENDING;
++  }
++  bool is_role_switch_pending() const {
++    return rs_disc_pending == BTM_SEC_RS_PENDING;
++  }
++  bool is_role_switch_disconnecting() const {
++    return rs_disc_pending == BTM_SEC_DISC_PENDING;
++  }
+   bool  process_existing_rnr; /* process the existing RNR */
+ #endif
+ #define BTM_SEC_NO_LAST_SERVICE_ID 0

Patches/LineageOS-17.1/android_vendor_qcom_opensource_system_bt/403320.patch

@@ -0,0 +1,33 @@
+From 8ae3462db2bac7543116b9951c339ba6cffa24de Mon Sep 17 00:00:00 2001
+From: Chris Manton <cmanton@google.com>
+Date: Thu, 14 Jan 2021 14:04:09 -0800
+Subject: [PATCH] Add APIs stack/btm/security_device_record::
+
+get_br_edr_hci_handle,Handle
+
+Towards encapsulated code
+
+Bug: 163134718
+Tag: #refactor
+Test: gd/cert/run
+
+Change-Id: I820541c1f2fc86202710b7ef1bb5756ca9427851
+---
+ stack/btm/btm_int_types.h | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/stack/btm/btm_int_types.h b/stack/btm/btm_int_types.h
+index 851aad488..9a75b3a02 100644
+--- a/stack/btm/btm_int_types.h
++++ b/stack/btm/btm_int_types.h
+@@ -510,6 +510,10 @@ typedef struct {
+   LinkKey link_key;        /* Device link key                    */
+   uint8_t pin_code_length; /* Length of the pin_code used for paring */
+ 
++ public:
++  RawAddress RemoteAddress() const { return bd_addr; }
++  uint16_t get_br_edr_hci_handle() const { return hci_handle; }
++
+ #define BTM_SEC_AUTHORIZED BTM_SEC_FLAG_AUTHORIZED       /* 0x01 */
+ #define BTM_SEC_AUTHENTICATED BTM_SEC_FLAG_AUTHENTICATED /* 0x02 */
+ #define BTM_SEC_ENCRYPTED BTM_SEC_FLAG_ENCRYPTED         /* 0x04 */

Patches/LineageOS-17.1/android_vendor_qcom_opensource_system_bt/403321.patch

@@ -0,0 +1,40 @@
+From 901b9e1e71a53cb99dca8117b20e6e2f525008df Mon Sep 17 00:00:00 2001
+From: Chris Manton <cmanton@google.com>
+Date: Fri, 1 Jan 2021 19:11:49 -0800
+Subject: [PATCH] Add tACL_CONN::SupportsSecureConnections
+
+Towards encapsulation
+
+Bug: 163134718
+Tag: #refactor
+Test: gd/cert/run --host
+
+Change-Id: I4ede2886aa5d90bfab8fccea5edaed70ad1514e7
+---
+ stack/btm/btm_int_types.h | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+diff --git a/stack/btm/btm_int_types.h b/stack/btm/btm_int_types.h
+index 9a75b3a02..433deaa00 100644
+--- a/stack/btm/btm_int_types.h
++++ b/stack/btm/btm_int_types.h
+@@ -618,7 +618,19 @@ typedef struct {
+   uint8_t sm4;                /* BTM_SM4_TRUE, if the peer supports SM4 */
+   tBTM_IO_CAP rmt_io_caps;    /* IO capability of the peer device */
+   tBTM_AUTH_REQ rmt_auth_req; /* the auth_req flag as in the IO caps rsp evt */
++
+   bool remote_supports_secure_connections;
++  friend void btm_sec_set_peer_sec_caps(uint16_t hci_handle, bool ssp_supported,
++                                        bool sc_supported,
++                                        bool hci_role_switch_supported,
++                                        bool br_edr_supported,
++                                        bool le_supported);
++
++ public:
++  bool SupportsSecureConnections() const {
++    return remote_supports_secure_connections;
++  }
++
+   bool remote_features_needed; /* set to true if the local device is in */
+   /* "Secure Connections Only" mode and it receives */
+   /* HCI_IO_CAPABILITY_REQUEST_EVT from the peer before */

Patches/LineageOS-17.1/android_vendor_qcom_opensource_system_bt/403322.patch

@@ -0,0 +1,85 @@
+From ba1d7096e640b401fd72dec3bc7f5683df317d38 Mon Sep 17 00:00:00 2001
+From: Chris Manton <cmanton@google.com>
+Date: Fri, 1 Jan 2021 19:12:36 -0800
+Subject: [PATCH] Use tACL_CONN::SupportsSecureConnections
+
+Towards encapsulated code
+
+Bug: 163134718
+Tag: #refactor
+Test: gd/cert/run --host
+
+Change-Id: I7bfe087dcc28cfaeb492db1e1a6ec276e1e29ce2
+---
+ stack/btm/btm_sec.cc | 22 +++++++++-------------
+ 1 file changed, 9 insertions(+), 13 deletions(-)
+
+diff --git a/stack/btm/btm_sec.cc b/stack/btm/btm_sec.cc
+index 9edf7cce5..65713b1a9 100644
+--- a/stack/btm/btm_sec.cc
++++ b/stack/btm/btm_sec.cc
+@@ -1854,7 +1854,7 @@ bool BTM_PeerSupportsSecureConnections(const RawAddress& bd_addr) {
+     return false;
+   }
+ 
+-  return (p_dev_rec->remote_supports_secure_connections);
++  return (p_dev_rec->SupportsSecureConnections());
+ }
+ 
+ /*******************************************************************************
+@@ -2199,12 +2199,11 @@ tBTM_STATUS btm_sec_l2cap_access_req(const RawAddress& bd_addr, uint16_t psm,
+         controller_get_interface()->supports_secure_connections();
+     /* acceptor receives L2CAP Channel Connect Request for Secure Connections
+      * Only service */
+-    if (!(local_supports_sc) ||
+-        !(p_dev_rec->remote_supports_secure_connections)) {
++    if (!(local_supports_sc) || !(p_dev_rec->SupportsSecureConnections())) {
+       BTM_TRACE_DEBUG("%s: SC only service, local_support_for_sc %d",
+-                      "rmt_support_for_sc : %d -> fail pairing", __func__,
++                      "rmt_support_for_sc : %s -> fail pairing", __func__,
+                       local_supports_sc,
+-                      p_dev_rec->remote_supports_secure_connections);
++                      logbool(p_dev_rec->SupportsSecureConnections()).c_str());
+       if (p_callback)
+         (*p_callback)(&bd_addr, transport, (void*)p_ref_data,
+                       BTM_MODE4_LEVEL4_NOT_SUPPORTED);
+@@ -2641,13 +2640,11 @@ tBTM_STATUS btm_sec_mx_access_request(const RawAddress& bd_addr, uint16_t psm,
+         controller_get_interface()->supports_secure_connections();
+     /* acceptor receives service connection establishment Request for */
+     /* Secure Connections Only service */
+-    if (!(local_supports_sc) ||
+-        !(p_dev_rec->remote_supports_secure_connections)) {
++    if (!(local_supports_sc) || !(p_dev_rec->SupportsSecureConnections())) {
+       BTM_TRACE_DEBUG("%s: SC only service,local_support_for_sc %d,",
+                       "remote_support_for_sc %d: fail pairing", __func__,
+                       local_supports_sc,
+-                      p_dev_rec->remote_supports_secure_connections);
+-
++                      p_dev_rec->SupportsSecureConnections());
+       if (p_callback)
+         (*p_callback)(&bd_addr, transport, (void*)p_ref_data,
+                       BTM_MODE4_LEVEL4_NOT_SUPPORTED);
+@@ -3457,12 +3454,11 @@ void btm_io_capabilities_req(const RawAddress& p) {
+     bool local_supports_sc =
+         controller_get_interface()->supports_secure_connections();
+     /* device in Secure Connections Only mode */
+-    if (!(local_supports_sc) ||
+-        !(p_dev_rec->remote_supports_secure_connections)) {
++    if (!(local_supports_sc) || !(p_dev_rec->SupportsSecureConnections())) {
+       BTM_TRACE_DEBUG("%s: SC only service, local_support_for_sc %d,",
+                       " remote_support_for_sc 0x%02x -> fail pairing", __func__,
+                       local_supports_sc,
+-                      p_dev_rec->remote_supports_secure_connections);
++                      p_dev_rec->SupportsSecureConnections());
+ 
+       err_code = HCI_ERR_PAIRING_NOT_ALLOWED;
+     }
+@@ -6135,7 +6131,7 @@ void btm_sec_set_peer_sec_caps(tACL_CONN* p_acl_cb,
+ 
+   BTM_TRACE_API("%s: sm4: 0x%02x, rmt_support_for_secure_connections %d",
+                 __func__, p_dev_rec->sm4,
+-                p_dev_rec->remote_supports_secure_connections);
++                p_dev_rec->SupportsSecureConnections());
+ 
+   if (p_dev_rec->remote_features_needed) {
+     BTM_TRACE_EVENT(

Patches/LineageOS-17.1/android_vendor_qcom_opensource_system_bt/403323.patch

@@ -0,0 +1,85 @@
+From 541a53f79d4342e25cbe4212a8192a8f7467b163 Mon Sep 17 00:00:00 2001
+From: Hansong Zhang <hsz@google.com>
+Date: Tue, 20 Oct 2020 18:48:52 -0700
+Subject: [PATCH] Refactor btm_sec_set_peer_sec_caps
+
+No need to pass acl_cb
+
+Bug: 159815595
+Tag: #refactor
+Test: compile & verify basic functions working
+Change-Id: I7cb1bae627c731106ab3a93442acb8f6bb2018fa
+---
+ stack/btm/btm_acl.cc | 15 +++++++++++++--
+ stack/btm/btm_int.h  |  2 +-
+ stack/btm/btm_sec.cc |  7 +++----
+ 3 files changed, 17 insertions(+), 7 deletions(-)
+
+diff --git a/stack/btm/btm_acl.cc b/stack/btm/btm_acl.cc
+index 57c5c479a..aeb2b1c1b 100644
+--- a/stack/btm/btm_acl.cc
++++ b/stack/btm/btm_acl.cc
+@@ -320,7 +320,13 @@ void btm_acl_created(const RawAddress& bda, DEV_CLASS dc, BD_NAME bdn,
+           const uint8_t req_pend = (p_dev_rec->sm4 & BTM_SM4_REQ_PEND);
+ 
+           /* Store the Peer Security Capabilites (in SM4 and rmt_sec_caps) */
+-          btm_sec_set_peer_sec_caps(p, p_dev_rec);
++          bool ssp_supported =
++              HCI_SSP_HOST_SUPPORTED(p->peer_lmp_feature_pages[1]);
++          bool secure_connections_supported =
++              HCI_SC_HOST_SUPPORTED(p->peer_lmp_feature_pages[1]);
++          btm_sec_set_peer_sec_caps(ssp_supported, secure_connections_supported,
++                                    p_dev_rec);
++
+ 
+           BTM_TRACE_API("%s: pend:%d", __func__, req_pend);
+           if (req_pend) {
+@@ -1110,7 +1116,12 @@ void btm_process_remote_ext_features(tACL_CONN* p_acl_cb,
+   const uint8_t req_pend = (p_dev_rec->sm4 & BTM_SM4_REQ_PEND);
+ 
+   /* Store the Peer Security Capabilites (in SM4 and rmt_sec_caps) */
+-  btm_sec_set_peer_sec_caps(p_acl_cb, p_dev_rec);
++  bool ssp_supported =
++      HCI_SSP_HOST_SUPPORTED(p_acl_cb->peer_lmp_feature_pages[1]);
++  bool secure_connections_supported =
++      HCI_SC_HOST_SUPPORTED(p_acl_cb->peer_lmp_feature_pages[1]);
++  btm_sec_set_peer_sec_caps(ssp_supported, secure_connections_supported,
++                            p_dev_rec);
+ 
+   BTM_TRACE_API("%s: pend:%d", __func__, req_pend);
+   if (req_pend) {
+diff --git a/stack/btm/btm_int.h b/stack/btm/btm_int.h
+index 6262d89b9..b3ea2b73b 100644
+--- a/stack/btm/btm_int.h
++++ b/stack/btm/btm_int.h
+@@ -271,7 +271,7 @@ extern void btm_sec_pin_code_request(const RawAddress& p_bda);
+ extern void btm_sec_update_clock_offset(uint16_t handle, uint16_t clock_offset);
+ extern void btm_sec_dev_rec_cback_event(tBTM_SEC_DEV_REC* p_dev_rec,
+                                         uint8_t res, bool is_le_trasnport);
+-extern void btm_sec_set_peer_sec_caps(tACL_CONN* p_acl_cb,
++extern void btm_sec_set_peer_sec_caps(bool ssp_supported, bool sc_supported,
+                                       tBTM_SEC_DEV_REC* p_dev_rec);
+ 
+ extern void btm_sec_clear_ble_keys(tBTM_SEC_DEV_REC* p_dev_rec);
+diff --git a/stack/btm/btm_sec.cc b/stack/btm/btm_sec.cc
+index 65713b1a9..faa79e132 100644
+--- a/stack/btm/btm_sec.cc
++++ b/stack/btm/btm_sec.cc
+@@ -6116,14 +6116,13 @@ static bool btm_sec_queue_encrypt_request(const RawAddress& bd_addr,
+  * Returns          void
+  *
+  ******************************************************************************/
+-void btm_sec_set_peer_sec_caps(tACL_CONN* p_acl_cb,
++void btm_sec_set_peer_sec_caps(bool ssp_supported, bool sc_supported,
+                                tBTM_SEC_DEV_REC* p_dev_rec) {
+   if ((btm_cb.security_mode == BTM_SEC_MODE_SP ||
+        btm_cb.security_mode == BTM_SEC_MODE_SC) &&
+-      HCI_SSP_HOST_SUPPORTED(p_acl_cb->peer_lmp_feature_pages[1])) {
++      ssp_supported) {
+     p_dev_rec->sm4 = BTM_SM4_TRUE;
+-    p_dev_rec->remote_supports_secure_connections =
+-        (HCI_SC_HOST_SUPPORTED(p_acl_cb->peer_lmp_feature_pages[1]));
++    p_dev_rec->remote_supports_secure_connections = sc_supported;
+   } else {
+     p_dev_rec->sm4 = BTM_SM4_KNOWN;
+     p_dev_rec->remote_supports_secure_connections = false;

Patches/LineageOS-17.1/android_vendor_qcom_opensource_system_bt/403324.patch

@@ -0,0 +1,85 @@
+From a3b3bada1c107c7c97d776d4d1ba5f8602076737 Mon Sep 17 00:00:00 2001
+From: Hansong Zhang <hsz@google.com>
+Date: Thu, 29 Oct 2020 20:29:14 -0700
+Subject: [PATCH] Use btm_sec_set_peer_sec_caps to store features
+
+Bug: 159815595
+Tag: #refactor
+Test: compile & verify basic functions working
+Change-Id: If9aba469bceb3d45ccd566dba0ec9c445f2a8102
+---
+ stack/btm/btm_acl.cc | 10 ++++------
+ stack/btm/btm_int.h  |  4 ++--
+ stack/btm/btm_sec.cc |  8 ++++++--
+ 3 files changed, 12 insertions(+), 10 deletions(-)
+
+diff --git a/stack/btm/btm_acl.cc b/stack/btm/btm_acl.cc
+index aeb2b1c1b..5f637fd46 100644
+--- a/stack/btm/btm_acl.cc
++++ b/stack/btm/btm_acl.cc
+@@ -319,13 +319,12 @@ void btm_acl_created(const RawAddress& bda, DEV_CLASS dc, BD_NAME bdn,
+ 
+           const uint8_t req_pend = (p_dev_rec->sm4 & BTM_SM4_REQ_PEND);
+ 
+-          /* Store the Peer Security Capabilites (in SM4 and rmt_sec_caps) */
+           bool ssp_supported =
+               HCI_SSP_HOST_SUPPORTED(p->peer_lmp_feature_pages[1]);
+           bool secure_connections_supported =
+               HCI_SC_HOST_SUPPORTED(p->peer_lmp_feature_pages[1]);
+-          btm_sec_set_peer_sec_caps(ssp_supported, secure_connections_supported,
+-                                    p_dev_rec);
++          btm_sec_set_peer_sec_caps(hci_handle, ssp_supported,
++                                    secure_connections_supported);
+ 
+ 
+           BTM_TRACE_API("%s: pend:%d", __func__, req_pend);
+@@ -1115,13 +1114,12 @@ void btm_process_remote_ext_features(tACL_CONN* p_acl_cb,
+   }
+   const uint8_t req_pend = (p_dev_rec->sm4 & BTM_SM4_REQ_PEND);
+ 
+-  /* Store the Peer Security Capabilites (in SM4 and rmt_sec_caps) */
+   bool ssp_supported =
+       HCI_SSP_HOST_SUPPORTED(p_acl_cb->peer_lmp_feature_pages[1]);
+   bool secure_connections_supported =
+       HCI_SC_HOST_SUPPORTED(p_acl_cb->peer_lmp_feature_pages[1]);
+-  btm_sec_set_peer_sec_caps(ssp_supported, secure_connections_supported,
+-                            p_dev_rec);
++  btm_sec_set_peer_sec_caps(handle, ssp_supported,
++                            secure_connections_supported);
+ 
+   BTM_TRACE_API("%s: pend:%d", __func__, req_pend);
+   if (req_pend) {
+diff --git a/stack/btm/btm_int.h b/stack/btm/btm_int.h
+index b3ea2b73b..d05a95340 100644
+--- a/stack/btm/btm_int.h
++++ b/stack/btm/btm_int.h
+@@ -271,8 +271,8 @@ extern void btm_sec_pin_code_request(const RawAddress& p_bda);
+ extern void btm_sec_update_clock_offset(uint16_t handle, uint16_t clock_offset);
+ extern void btm_sec_dev_rec_cback_event(tBTM_SEC_DEV_REC* p_dev_rec,
+                                         uint8_t res, bool is_le_trasnport);
+-extern void btm_sec_set_peer_sec_caps(bool ssp_supported, bool sc_supported,
+-                                      tBTM_SEC_DEV_REC* p_dev_rec);
++extern void btm_sec_set_peer_sec_caps(uint16_t hci_handle, bool ssp_supported,
++                                      bool sc_supported);
+ 
+ extern void btm_sec_clear_ble_keys(tBTM_SEC_DEV_REC* p_dev_rec);
+ extern bool btm_sec_is_a_bonded_dev(const RawAddress& bda);
+diff --git a/stack/btm/btm_sec.cc b/stack/btm/btm_sec.cc
+index faa79e132..6e76176ed 100644
+--- a/stack/btm/btm_sec.cc
++++ b/stack/btm/btm_sec.cc
+@@ -6116,8 +6116,12 @@ static bool btm_sec_queue_encrypt_request(const RawAddress& bd_addr,
+  * Returns          void
+  *
+  ******************************************************************************/
+-void btm_sec_set_peer_sec_caps(bool ssp_supported, bool sc_supported,
+-                               tBTM_SEC_DEV_REC* p_dev_rec) {
++void btm_sec_set_peer_sec_caps(uint16_t hci_handle, bool ssp_supported,
++                               bool sc_supported) {
++  tBTM_SEC_DEV_REC* p_dev_rec = btm_find_dev_by_handle(hci_handle);
++  if (p_dev_rec == nullptr) return;
++
++  /* Store the Peer Security Capabilites (in SM4 and rmt_sec_caps) */
+   if ((btm_cb.security_mode == BTM_SEC_MODE_SP ||
+        btm_cb.security_mode == BTM_SEC_MODE_SC) &&
+       ssp_supported) {

Patches/LineageOS-17.1/android_vendor_qcom_opensource_system_bt/403325.patch

@@ -0,0 +1,265 @@
+From e4fd09d4b7b1a4a4bd773b59f23f039d0fa877ca Mon Sep 17 00:00:00 2001
+From: Brian Delwiche <delwiche@google.com>
+Date: Sat, 25 May 2024 00:28:41 +0000
+Subject: [PATCH] Add support for checking security downgrade
+
+As a guard against the BLUFFS attack, we will need to check the security
+parameters of incoming connections against cached values and disallow
+connection if these parameters are downgraded or changed from their
+cached values.
+
+Future CLs will add checks during connection.  This CL adds the
+functions that will be needed to perform those checks and the necessary
+mocks.
+Currently supported checks are : IO capabilities (must be an exact match),
+Secure Connections capability (must not be a downgrade), and session key
+length (must not be a downgrade).  Maximum session key length, which was
+previously not cached, has been added to the device security manager
+cache.
+
+To QA: This CL is a logical no-op by itself.  Tests should be performed as described in ag/25815924 and ag/25815925/
+
+Bug: 314331379
+Test: m libbluetooth
+Tag: #security
+Ignore-AOSP-First: Security
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:82382a934cf4a11b979de286e3f9ada723a740a3)
+Merged-In: I8810c1bf9b3d3af1108cf621e2c51537e429c0f3
+Change-Id: I8810c1bf9b3d3af1108cf621e2c51537e429c0f3
+---
+ btif/src/btif_storage.cc     |  30 ++++++++++
+ include/hardware/bluetooth.h |  14 +++++
+ service/logging_helpers.cc   |   2 +
+ stack/btm/btm_int.h          |   3 +
+ stack/btm/btm_sec.cc         | 103 +++++++++++++++++++++++++++++++++++
+ 5 files changed, 152 insertions(+)
+
+diff --git a/btif/src/btif_storage.cc b/btif/src/btif_storage.cc
+index c4a1d218e..a62d9da6d 100644
+--- a/btif/src/btif_storage.cc
++++ b/btif/src/btif_storage.cc
+@@ -86,7 +86,10 @@ using bluetooth::Uuid;
+ #define BTIF_STORAGE_KEY_ADAPTER_SCANMODE "ScanMode"
+ #define BTIF_STORAGE_KEY_LOCAL_IO_CAPS "LocalIOCaps"
+ #define BTIF_STORAGE_KEY_LOCAL_IO_CAPS_BLE "LocalIOCapsBLE"
++#define BTIF_STORAGE_KEY_MAX_SESSION_KEY_SIZE "MaxSessionKeySize"
+ #define BTIF_STORAGE_KEY_ADAPTER_DISC_TIMEOUT "DiscoveryTimeout"
++#define BTIF_STORAGE_KEY_SECURE_CONNECTIONS_SUPPORTED \
++  "SecureConnectionsSupported"
+ 
+ /* This is a local property to add a device found */
+ #define BT_PROPERTY_REMOTE_DEVICE_TIMESTAMP 0xFF
+@@ -269,6 +272,14 @@ static bool prop_upd(const RawAddress* remote_bd_addr, bt_property_t *prop)
+                     info->sub_ver);
+       }
+       break;
++    case BT_PROPERTY_REMOTE_SECURE_CONNECTIONS_SUPPORTED:
++      btif_config_set_int(bdstr, BTIF_STORAGE_KEY_SECURE_CONNECTIONS_SUPPORTED,
++                          *(uint8_t*)prop->val);
++      break;
++    case BT_PROPERTY_REMOTE_MAX_SESSION_KEY_SIZE:
++      btif_config_set_int(bdstr, BTIF_STORAGE_KEY_MAX_SESSION_KEY_SIZE,
++                          *(uint8_t*)prop->val);
++      break;
+     default:
+       BTIF_TRACE_ERROR("%s: Unknown prop type:%d", __func__, prop->type);
+       ret = false;
+@@ -448,6 +459,25 @@ static int cfg2prop(const RawAddress* remote_bd_addr, bt_property_t* prop) {
+                                     &info->sub_ver);
+       }
+     } break;
++    case BT_PROPERTY_REMOTE_SECURE_CONNECTIONS_SUPPORTED: {
++      int val;
++
++      if (prop->len >= (int)sizeof(uint8_t)) {
++        ret = btif_config_get_int(
++            bdstr, BTIF_STORAGE_KEY_SECURE_CONNECTIONS_SUPPORTED, &val);
++        *(uint8_t*)prop->val = (uint8_t)val;
++      }
++    } break;
++
++    case BT_PROPERTY_REMOTE_MAX_SESSION_KEY_SIZE: {
++      int val;
++
++      if (prop->len >= (int)sizeof(uint8_t)) {
++        ret = btif_config_get_int(bdstr, BTIF_STORAGE_KEY_MAX_SESSION_KEY_SIZE,
++                                  &val);
++        *(uint8_t*)prop->val = (uint8_t)val;
++      }
++    } break;
+ 
+     default:
+       BTIF_TRACE_ERROR("Unknow prop type:%d", prop->type);
+diff --git a/include/hardware/bluetooth.h b/include/hardware/bluetooth.h
+index 64b13e48c..a4d82f9e7 100644
+--- a/include/hardware/bluetooth.h
++++ b/include/hardware/bluetooth.h
+@@ -275,6 +275,20 @@ typedef enum {
+    */
+   BT_PROPERTY_LOCAL_IO_CAPS_BLE,
+ 
++  /**
++   * Description - Whether remote device supports Secure Connections mode
++   * Access mode - GET and SET.
++   * Data Type - uint8_t.
++   */
++  BT_PROPERTY_REMOTE_SECURE_CONNECTIONS_SUPPORTED,
++
++  /**
++   * Description - Maximum observed session key for remote device
++   * Access mode - GET and SET.
++   * Data Type - uint8_t.
++   */
++  BT_PROPERTY_REMOTE_MAX_SESSION_KEY_SIZE,
++
+   BT_PROPERTY_REMOTE_DEVICE_TIMESTAMP = 0xFF,
+ } bt_property_type_t;
+ 
+diff --git a/service/logging_helpers.cc b/service/logging_helpers.cc
+index 39706ecb3..abfec3527 100644
+--- a/service/logging_helpers.cc
++++ b/service/logging_helpers.cc
+@@ -117,6 +117,8 @@ const char* BtPropertyText(const bt_property_type_t prop) {
+     CASE_RETURN_TEXT(BT_PROPERTY_REMOTE_VERSION_INFO);
+     CASE_RETURN_TEXT(BT_PROPERTY_LOCAL_LE_FEATURES);
+     CASE_RETURN_TEXT(BT_PROPERTY_REMOTE_DEVICE_TIMESTAMP);
++    CASE_RETURN_TEXT(BT_PROPERTY_REMOTE_SECURE_CONNECTIONS_SUPPORTED);
++    CASE_RETURN_TEXT(BT_PROPERTY_REMOTE_MAX_SESSION_KEY_SIZE);
+     default:
+       return "Invalid property";
+   }
+diff --git a/stack/btm/btm_int.h b/stack/btm/btm_int.h
+index d05a95340..7cc9541d4 100644
+--- a/stack/btm/btm_int.h
++++ b/stack/btm/btm_int.h
+@@ -251,6 +251,8 @@ extern void btm_sec_abort_access_req(const RawAddress& bd_addr);
+ extern void btm_sec_auth_complete(uint16_t handle, uint8_t status);
+ extern void btm_sec_encrypt_change(uint16_t handle, uint8_t status,
+                                    uint8_t encr_enable);
++bool btm_sec_is_session_key_size_downgrade(uint16_t hci_handle,
++                                           uint8_t key_size);
+ extern void btm_sec_connected(const RawAddress& bda, uint16_t handle,
+                               uint8_t status, uint8_t enc_mode);
+ extern tBTM_STATUS btm_sec_disconnect(uint16_t handle, uint8_t reason);
+@@ -269,6 +271,7 @@ extern void btm_sec_link_key_notification(const RawAddress& p_bda,
+ extern void btm_sec_link_key_request(const RawAddress& p_bda);
+ extern void btm_sec_pin_code_request(const RawAddress& p_bda);
+ extern void btm_sec_update_clock_offset(uint16_t handle, uint16_t clock_offset);
++void btm_sec_update_session_key_size(uint16_t hci_handle, uint8_t key_size);
+ extern void btm_sec_dev_rec_cback_event(tBTM_SEC_DEV_REC* p_dev_rec,
+                                         uint8_t res, bool is_le_trasnport);
+ extern void btm_sec_set_peer_sec_caps(uint16_t hci_handle, bool ssp_supported,
+diff --git a/stack/btm/btm_sec.cc b/stack/btm/btm_sec.cc
+index 6e76176ed..74e33c96a 100644
+--- a/stack/btm/btm_sec.cc
++++ b/stack/btm/btm_sec.cc
+@@ -220,6 +220,109 @@ static bool btm_serv_trusted(tBTM_SEC_DEV_REC* p_dev_rec,
+   return (false);
+ }
+ 
++/*******************************************************************************
++ *
++ * Function         btm_sec_is_device_sc_downgrade
++ *
++ * Description      Check for a stored device record matching the candidate
++ *                  device, and return true if the stored device has reported
++ *                  that it supports Secure Connections mode and the candidate
++ *                  device reports that it does not.  Otherwise, return false.
++ *
++ * Returns          bool
++ *
++ ******************************************************************************/
++static bool btm_sec_is_device_sc_downgrade(uint16_t hci_handle,
++                                           bool secure_connections_supported) {
++  if (secure_connections_supported) return false;
++
++  tBTM_SEC_DEV_REC* p_dev_rec = btm_find_dev_by_handle(hci_handle);
++  if (p_dev_rec == nullptr) return false;
++
++  uint8_t property_val = 0;
++  bt_property_t property = {
++      .type = BT_PROPERTY_REMOTE_SECURE_CONNECTIONS_SUPPORTED,
++      .len = sizeof(uint8_t),
++      .val = &property_val};
++
++  bt_status_t cached =
++      btif_storage_get_remote_device_property(&p_dev_rec->bd_addr, &property);
++
++  if (cached == BT_STATUS_FAIL) return false;
++
++  return (bool)property_val;
++}
++
++/*******************************************************************************
++ *
++ * Function         btm_sec_store_device_sc_support
++ *
++ * Description      Save Secure Connections support for this device to file
++ *
++ ******************************************************************************/
++
++static void btm_sec_store_device_sc_support(uint16_t hci_handle,
++                                            bool secure_connections_supported) {
++  tBTM_SEC_DEV_REC* p_dev_rec = btm_find_dev_by_handle(hci_handle);
++  if (p_dev_rec == nullptr) return;
++
++  uint8_t property_val = (uint8_t)secure_connections_supported;
++  bt_property_t property = {
++      .type = BT_PROPERTY_REMOTE_SECURE_CONNECTIONS_SUPPORTED,
++      .len = sizeof(uint8_t),
++      .val = &property_val};
++
++  btif_storage_set_remote_device_property(&p_dev_rec->bd_addr, &property);
++}
++
++/*******************************************************************************
++ *
++ * Function         btm_sec_is_session_key_size_downgrade
++ *
++ * Description      Check if there is a stored device record matching this
++ *                  handle, and return true if the stored record has a lower
++ *                  session key size than the candidate device.
++ *
++ * Returns          bool
++ *
++ ******************************************************************************/
++bool btm_sec_is_session_key_size_downgrade(uint16_t hci_handle,
++                                           uint8_t key_size) {
++  tBTM_SEC_DEV_REC* p_dev_rec = btm_find_dev_by_handle(hci_handle);
++  if (p_dev_rec == nullptr) return false;
++
++  uint8_t property_val = 0;
++  bt_property_t property = {.type = BT_PROPERTY_REMOTE_MAX_SESSION_KEY_SIZE,
++                            .len = sizeof(uint8_t),
++                            .val = &property_val};
++
++  bt_status_t cached =
++      btif_storage_get_remote_device_property(&p_dev_rec->bd_addr, &property);
++
++  if (cached == BT_STATUS_FAIL) return false;
++
++  return property_val > key_size;
++}
++
++/*******************************************************************************
++ *
++ * Function         btm_sec_update_session_key_size
++ *
++ * Description      Store the max session key size to disk, if possible.
++ *
++ ******************************************************************************/
++void btm_sec_update_session_key_size(uint16_t hci_handle, uint8_t key_size) {
++  tBTM_SEC_DEV_REC* p_dev_rec = btm_find_dev_by_handle(hci_handle);
++  if (p_dev_rec == nullptr) return;
++
++  uint8_t property_val = key_size;
++  bt_property_t property = {.type = BT_PROPERTY_REMOTE_MAX_SESSION_KEY_SIZE,
++                            .len = sizeof(uint8_t),
++                            .val = &property_val};
++
++  btif_storage_set_remote_device_property(&p_dev_rec->bd_addr, &property);
++}
++
+ /*******************************************************************************
+  *
+  * Function         access_secure_service_from_temp_bond

Patches/LineageOS-17.1/android_vendor_qcom_opensource_system_bt/403326.patch

@@ -0,0 +1,60 @@
+From 667ea99b7d6d8985664c5f1866d20b824e360b07 Mon Sep 17 00:00:00 2001
+From: Brian Delwiche <delwiche@google.com>
+Date: Fri, 31 May 2024 21:46:17 +0000
+Subject: [PATCH] Disallow connect with Secure Connections downgrade
+
+As a guard against the BLUFFS attack, check security parameters of
+incoming connections against cached values and disallow connection if
+these parameters are downgraded or changed from their cached values.
+
+This CL adds the connection-time check for Secure Connections mode.
+
+Bug: 314331379
+Test: m libbluetooth
+Test: manual
+
+To test this CL, please ensure that BR/EDR initial connections and reconnections  (after cycling remote devices, cycling Bluetooth, restarting the phone, etc.) work against remote devices which both support and do not support Secure Connections mode, and with all supported bonding types.  Basic validation of LE bonding functionality should be done as well.
+
+Tag: #security
+Ignore-AOSP-First: Security
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:4da47591b9530849123c238b2747f5304058db2d)
+Merged-In: I7b9dd1a18f1c04df88aabe89d4790fef9112da7e
+Change-Id: I7b9dd1a18f1c04df88aabe89d4790fef9112da7e
+---
+ stack/btm/btm_sec.cc | 16 ++++++++++++++++
+ 1 file changed, 16 insertions(+)
+
+diff --git a/stack/btm/btm_sec.cc b/stack/btm/btm_sec.cc
+index 74e33c96a..973e248c4 100644
+--- a/stack/btm/btm_sec.cc
++++ b/stack/btm/btm_sec.cc
+@@ -5031,6 +5031,13 @@ void btm_sec_link_key_notification(const RawAddress& p_bda,
+     }
+   }
+ 
++  if (p_dev_rec->is_bond_type_persistent() &&
++      (p_dev_rec->is_device_type_br_edr() ||
++       p_dev_rec->is_device_type_dual_mode())) {
++    btm_sec_store_device_sc_support(p_dev_rec->get_br_edr_hci_handle(),
++                                    p_dev_rec->SupportsSecureConnections());
++  }
++
+   /* If name is not known at this point delay calling callback until the name is
+    */
+   /* resolved. Unless it is a HID Device and we really need to send all link
+@@ -6224,6 +6231,15 @@ void btm_sec_set_peer_sec_caps(uint16_t hci_handle, bool ssp_supported,
+   tBTM_SEC_DEV_REC* p_dev_rec = btm_find_dev_by_handle(hci_handle);
+   if (p_dev_rec == nullptr) return;
+ 
++  // Drop the connection here if the remote attempts to downgrade from Secure
++  // Connections mode.
++  if (btm_sec_is_device_sc_downgrade(hci_handle, sc_supported)) {
++    btm_cb.acl_disc_reason = HCI_ERR_HOST_REJECT_SECURITY;
++    btm_sec_send_hci_disconnect(p_dev_rec, HCI_ERR_AUTH_FAILURE, hci_handle);
++    LOG_WARN(LOG_TAG, "Remote attempted to downgrade from Secure Connections mode");
++    return;
++  }
++
+   /* Store the Peer Security Capabilites (in SM4 and rmt_sec_caps) */
+   if ((btm_cb.security_mode == BTM_SEC_MODE_SP ||
+        btm_cb.security_mode == BTM_SEC_MODE_SC) &&

Patches/LineageOS-17.1/android_vendor_qcom_opensource_system_bt/403327.patch

@@ -0,0 +1,54 @@
+From 51fa2abc7a900e24075bbd52b95c79be12e81ee2 Mon Sep 17 00:00:00 2001
+From: Brian Delwiche <delwiche@google.com>
+Date: Fri, 31 May 2024 21:50:12 +0000
+Subject: [PATCH] Disallow connect with key length downgrade
+
+As a guard against the BLUFFS attack, check security parameters of
+incoming connections against cached values and disallow connection if
+these parameters are downgraded or changed from their cached values.
+
+This CL adds the connection-time check for session key length.
+
+To test, please validate that bonding can be established and
+reestablished against devices with session key lengths of 7 and 16 bits,
+that session key lengths of less than 7 bits are refused, and that basic
+LE bonding functionality still works.  If it is possible to configure a
+remote device to establish a bond with a session key length of 16 bits
+and then reduce that key length to <16 bits before reconnection, this
+should fail.
+
+Bug: 314331379
+Test: m libbluetooth
+Test: manual
+
+Tag: #security
+Ignore-AOSP-First: Security
+(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:bd88324876a8664899bd23e926675d7c1b2bbfb2)
+Merged-In: I5b931ddb4876b529ed0c2e1138c02382291216ab
+Change-Id: I5b931ddb4876b529ed0c2e1138c02382291216ab
+---
+ stack/btu/btu_hcif.cc | 11 +++++++++++
+ 1 file changed, 11 insertions(+)
+
+diff --git a/stack/btu/btu_hcif.cc b/stack/btu/btu_hcif.cc
+index 071aafce3..ffaa018ff 100644
+--- a/stack/btu/btu_hcif.cc
++++ b/stack/btu/btu_hcif.cc
+@@ -786,6 +786,17 @@ static void read_encryption_key_size_complete_after_encryption_change(
+     return;
+   }
+ 
++  if (btm_sec_is_session_key_size_downgrade(handle, key_size)) {
++    LOG_ERROR(LOG_TAG,
++        "encryption key size lower than cached value, disconnecting. "
++        "handle: 0x%x attempted key size: %d",
++        handle, key_size);
++    btsnd_hcic_disconnect(handle, HCI_ERR_HOST_REJECT_SECURITY);
++    return;
++  }
++
++  btm_sec_update_session_key_size(handle, key_size);
++
+   // good key size - succeed
+   btm_acl_encrypt_change(handle, status, 1 /* enable */);
+   btm_sec_encrypt_change(handle, status, 1 /* enable */);

Scripts/LineageOS-17.1/Patch.sh

@@ -95,7 +95,7 @@ applyPatch "$DOS_PATCHES_COMMON/android_build/0001-verity-openssl3.patch"; #Fix
 sed -i '75i$(my_res_package): PRIVATE_AAPT_FLAGS += --auto-add-overlay' core/aapt2.mk; #Enable auto-add-overlay for packages, this allows the vendor overlay to easily work across all branches.
 awk -i inplace '!/updatable_apex.mk/' target/product/mainline_system.mk; #Disable APEX
 sed -i 's/PLATFORM_MIN_SUPPORTED_TARGET_SDK_VERSION := 23/PLATFORM_MIN_SUPPORTED_TARGET_SDK_VERSION := 28/' core/version_defaults.mk; #Set the minimum supported target SDK to Pie (GrapheneOS)
-sed -i 's/2023-02-05/2024-09-05/' core/version_defaults.mk; #Bump Security String #x_asb_2024-09
+sed -i 's/2023-02-05/2024-09-05/' core/version_defaults.mk; #Bump Security String #Q_asb_2024-09
 fi;
 
 if enterAndClear "build/soong"; then
@@ -202,7 +202,7 @@ applyPatch "$DOS_PATCHES/android_frameworks_av/391907.patch"; #Q_asb_2024-03 Sof
 applyPatch "$DOS_PATCHES/android_frameworks_av/391908.patch"; #Q_asb_2024-03 Fix out of bounds read and write in onQueueFilled in outQueue
 applyPatch "$DOS_PATCHES/android_frameworks_av/402601.patch"; #Q_asb_2024-08 Fix flag check in JAudioTrack.cpp
 applyPatch "$DOS_PATCHES/android_frameworks_av/402602.patch"; #Q_asb_2024-08 StagefrightRecoder: Disabling B-frame support
-applyPatch "$DOS_PATCHES/android_frameworks_av/401372.patch"; #S_asb_2024-09 omx: check HDR10+ info param size
+applyPatch "$DOS_PATCHES/android_frameworks_av/403300.patch"; #Q_asb_2024-09 omx: check HDR10+ info param size
 fi;
 
 if enterAndClear "frameworks/base"; then
@@ -327,7 +327,7 @@ applyPatch "$DOS_PATCHES/android_frameworks_base/402603.patch"; #Q_asb_2024-08 S
 applyPatch "$DOS_PATCHES/android_frameworks_base/402604.patch"; #Q_asb_2024-08 Backport preventing BAL bypass via bound service
 applyPatch "$DOS_PATCHES/android_frameworks_base/402605.patch"; #Q_asb_2024-08 Restrict USB poups while setup is in progress
 applyPatch "$DOS_PATCHES/android_frameworks_base/402606.patch"; #Q_asb_2024-08 Hide SAW subwindows
-applyPatch "$DOS_PATCHES/android_frameworks_base/401373.patch"; #S_asb_2024-09 Sanitized uri scheme by removing scheme delimiter
+applyPatch "$DOS_PATCHES/android_frameworks_base/403301.patch"; #Q_asb_2024-09 Sanitized uri scheme by removing scheme delimiter
 #applyPatch "$DOS_PATCHES/android_frameworks_base/272645.patch"; #ten-bt-sbc-hd-dualchannel: Add CHANNEL_MODE_DUAL_CHANNEL constant (ValdikSS)
 #applyPatch "$DOS_PATCHES/android_frameworks_base/272646-forwardport.patch"; #ten-bt-sbc-hd-dualchannel: Add Dual Channel into Bluetooth Audio Channel Mode developer options menu (ValdikSS)
 #applyPatch "$DOS_PATCHES/android_frameworks_base/272647.patch"; #ten-bt-sbc-hd-dualchannel: Allow SBC as HD audio codec in Bluetooth device configuration (ValdikSS)
@@ -524,10 +524,10 @@ applyPatch "$DOS_PATCHES/android_packages_apps_Settings/368012.patch"; #Q_asb_20
 applyPatch "$DOS_PATCHES/android_packages_apps_Settings/378109.patch"; #Q_asb_2023-09 Settings: don't try to allow NLSes with too-long component names
 applyPatch "$DOS_PATCHES/android_packages_apps_Settings/378110.patch"; #Q_asb_2023-10 Restrict ApnEditor settings
 applyPatch "$DOS_PATCHES/android_packages_apps_Settings/380569.patch"; #Q_asb_2024-01 Validate ringtone URIs before setting
-applyPatch "$DOS_PATCHES/android_packages_apps_Settings/401375-backport.patch"; #S_asb_2024-09 Limit wifi item edit content's max length to 500
+applyPatch "$DOS_PATCHES/android_packages_apps_Settings/403302.patch"; #Q_asb_2024-09 Limit wifi item edit content's max length to 500
-applyPatch "$DOS_PATCHES/android_packages_apps_Settings/401376-backport.patch"; #S_asb_2024-09 Replace getCallingActivity() with getLaunchedFromPackage()
+applyPatch "$DOS_PATCHES/android_packages_apps_Settings/403303.patch"; #Q_asb_2024-09 Replace getCallingActivity() with getLaunchedFromPackage()
-applyPatch "$DOS_PATCHES/android_packages_apps_Settings/401377.patch"; #S_asb_2024-09 Ignore fragment attr from ext authenticator resource
+applyPatch "$DOS_PATCHES/android_packages_apps_Settings/403304.patch"; #Q_asb_2024-09 Ignore fragment attr from ext authenticator resource
-applyPatch "$DOS_PATCHES/android_packages_apps_Settings/401378-backport.patch"; #S_asb_2024-09 Restrict Settings Homepage prior to provisioning
+applyPatch "$DOS_PATCHES/android_packages_apps_Settings/403305.patch"; #Q_asb_2024-09 Restrict Settings Homepage prior to provisioning
 git revert --no-edit 486980cfecce2ca64267f41462f9371486308e9d; #Don't hide OEM unlock
 #applyPatch "$DOS_PATCHES/android_packages_apps_Settings/272651.patch"; #ten-bt-sbc-hd-dualchannel: Add Dual Channel into Bluetooth Audio Channel Mode developer options menu (ValdikSS)
 applyPatch "$DOS_PATCHES/android_packages_apps_Settings/0001-Captive_Portal_Toggle.patch"; #Add option to disable captive portal checks (MSe1969)
@@ -615,8 +615,8 @@ applyPatch "$DOS_PATCHES/android_packages_services_Telecomm/378122.patch"; #Q_as
 applyPatch "$DOS_PATCHES/android_packages_services_Telecomm/369703.patch"; #Q_asb_2023-12 Fix vulnerability in CallRedirectionService.
 applyPatch "$DOS_PATCHES/android_packages_services_Telecomm/378123.patch"; #Q_asb_2023-12 Support for API cleanups.
 applyPatch "$DOS_PATCHES/android_packages_services_Telecomm/378065.patch"; #Q_asb_2023-12 Resolve account image icon profile boundary exploit.
-applyPatch "$DOS_PATCHES/android_packages_services_Telecomm/401380-backport.patch"; #S_asb_2024-09 Unbind CS if connection is not created within 15 seconds. #XXX
+applyPatch "$DOS_PATCHES/android_packages_services_Telecomm/403306.patch"; #Q_asb_2024-09 Unbind CS if connection is not created within 15 seconds.
-applyPatch "$DOS_PATCHES/android_packages_services_Telecomm/401381.patch"; #S_asb_2024-09 Unbind CallScreeningService when timeout reached.
+applyPatch "$DOS_PATCHES/android_packages_services_Telecomm/403307.patch"; #Q_asb_2024-09 Unbind CallScreeningService when timeout reached.
 fi;
 
 if enterAndClear "packages/services/Telephony"; then
@@ -658,6 +658,16 @@ applyPatch "$DOS_PATCHES/android_system_bt/391915.patch"; #Q_asb_2024-03 Reland:
 applyPatch "$DOS_PATCHES/android_system_bt/391916.patch"; #Q_asb_2024-03 Fix a security bypass issue in access_secure_service_from_temp_bond
 applyPatch "$DOS_PATCHES/android_system_bt/399092.patch"; #Q_asb_2024-07 Fix an authentication bypass bug in SMP
 applyPatch "$DOS_PATCHES/android_system_bt/402607.patch"; #Q_asb_2024-08 Fix heap-buffer overflow in sdp_utils.cc
+applyPatch "$DOS_PATCHES/android_system_bt/403308.patch"; #Q_asb_2024-09 Clean up BTM_SEC_MODE
+applyPatch "$DOS_PATCHES/android_system_bt/403309.patch"; #Q_asb_2024-09 Add getters to stack/btm/security_device_record::tBTM_SEC_DEV_REC
+applyPatch "$DOS_PATCHES/android_system_bt/403310.patch"; #Q_asb_2024-09 Add APIs stack/btm/security_device_record::
+applyPatch "$DOS_PATCHES/android_system_bt/403311.patch"; #Q_asb_2024-09 Add tACL_CONN::SupportsSecureConnections
+applyPatch "$DOS_PATCHES/android_system_bt/403312.patch"; #Q_asb_2024-09 Use tACL_CONN::SupportsSecureConnections
+applyPatch "$DOS_PATCHES/android_system_bt/403313.patch"; #Q_asb_2024-09 Refactor btm_sec_set_peer_sec_caps
+applyPatch "$DOS_PATCHES/android_system_bt/403314.patch"; #Q_asb_2024-09 Use btm_sec_set_peer_sec_caps to store features
+applyPatch "$DOS_PATCHES/android_system_bt/403315.patch"; #Q_asb_2024-09 Add support for checking security downgrade
+applyPatch "$DOS_PATCHES/android_system_bt/403316.patch"; #Q_asb_2024-09 Disallow connect with Secure Connections downgrade
+applyPatch "$DOS_PATCHES/android_system_bt/403317.patch"; #Q_asb_2024-09 Disallow connect with key length downgrade
 applyPatch "$DOS_PATCHES_COMMON/android_system_bt/0001-alloc_size.patch"; #Add alloc_size attributes to the allocator (GrapheneOS)
 #applyPatch "$DOS_PATCHES/android_system_bt/272648.patch"; #ten-bt-sbc-hd-dualchannel: Increase maximum Bluetooth SBC codec bitrate for SBC HD (ValdikSS)
 #applyPatch "$DOS_PATCHES/android_system_bt/272649.patch"; #ten-bt-sbc-hd-dualchannel: Explicit SBC Dual Channel (SBC HD) support (ValdikSS)
@@ -771,6 +781,16 @@ applyPatch "$DOS_PATCHES/android_vendor_qcom_opensource_system_bt/391918.patch";
 applyPatch "$DOS_PATCHES/android_vendor_qcom_opensource_system_bt/391919.patch"; #Q_asb_2024-03 Reland: Fix an OOB write bug in attp_build_value_cmd
 applyPatch "$DOS_PATCHES/android_vendor_qcom_opensource_system_bt/399091.patch"; #Q_asb_2024-07 Fix an authentication bypass bug in SMP
 applyPatch "$DOS_PATCHES/android_vendor_qcom_opensource_system_bt/402608.patch"; #Q_asb_2024-08 Fix heap-buffer overflow in sdp_utils.cc
+applyPatch "$DOS_PATCHES/android_vendor_qcom_opensource_system_bt/403318.patch"; #Q_asb_2024-09 Clean up BTM_SEC_MODE
+applyPatch "$DOS_PATCHES/android_vendor_qcom_opensource_system_bt/403319.patch"; #Q_asb_2024-09 Add getters to stack/btm/security_device_record::tBTM_SEC_DEV_REC
+applyPatch "$DOS_PATCHES/android_vendor_qcom_opensource_system_bt/403320.patch"; #Q_asb_2024-09 Add APIs stack/btm/security_device_record::
+applyPatch "$DOS_PATCHES/android_vendor_qcom_opensource_system_bt/403321.patch"; #Q_asb_2024-09 Add tACL_CONN::SupportsSecureConnections
+applyPatch "$DOS_PATCHES/android_vendor_qcom_opensource_system_bt/403322.patch"; #Q_asb_2024-09 Use tACL_CONN::SupportsSecureConnections
+applyPatch "$DOS_PATCHES/android_vendor_qcom_opensource_system_bt/403323.patch"; #Q_asb_2024-09 Refactor btm_sec_set_peer_sec_caps
+applyPatch "$DOS_PATCHES/android_vendor_qcom_opensource_system_bt/403324.patch"; #Q_asb_2024-09 Use btm_sec_set_peer_sec_caps to store features
+applyPatch "$DOS_PATCHES/android_vendor_qcom_opensource_system_bt/403325.patch"; #Q_asb_2024-09 Add support for checking security downgrade
+applyPatch "$DOS_PATCHES/android_vendor_qcom_opensource_system_bt/403326.patch"; #Q_asb_2024-09 Disallow connect with Secure Connections downgrade
+applyPatch "$DOS_PATCHES/android_vendor_qcom_opensource_system_bt/403327.patch"; #Q_asb_2024-09 Disallow connect with key length downgrade
 fi;
 
 if enterAndClear "vendor/lineage"; then