search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
qemu-iotests: add no-op streaming test
[qemu.git] / hw / bt / hci.c
blob8bc33b50a5070ef7d9b72bf5850f363a5604c34d
1 /*
2 * QEMU Bluetooth HCI logic.
3 *
4 * Copyright (C) 2007 OpenMoko, Inc.
5 * Copyright (C) 2008 Andrzej Zaborowski <balrog@zabor.org>
6 *
7 * This program is free software; you can redistribute it and/or
8 * modify it under the terms of the GNU General Public License as
9 * published by the Free Software Foundation; either version 2 of
10 * the License, or (at your option) any later version.
11 *
12 * This program is distributed in the hope that it will be useful,
13 * but WITHOUT ANY WARRANTY; without even the implied warranty of
14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 * GNU General Public License for more details.
16 *
17 * You should have received a copy of the GNU General Public License
18 * along with this program; if not, see <http://www.gnu.org/licenses/>.
19 */
20
21 #include "qemu/osdep.h"
22 #include "qemu-common.h"
23 #include "qemu/timer.h"
24 #include "hw/usb.h"
25 #include "sysemu/bt.h"
26 #include "hw/bt.h"
27 #include "qapi/qmp/qerror.h"
28 #include "sysemu/replay.h"
29
30 struct bt_hci_s {
31 uint8_t *(*evt_packet)(void *opaque);
32 void (*evt_submit)(void *opaque, int len);
33 void *opaque;
34 uint8_t evt_buf[256];
35
36 uint8_t acl_buf[4096];
37 int acl_len;
38
39 uint16_t asb_handle;
40 uint16_t psb_handle;
41
42 int last_cmd; /* Note: Always little-endian */
43
44 struct bt_device_s *conn_req_host;
45
46 struct {
47 int inquire;
48 int periodic;
49 int responses_left;
50 int responses;
51 QEMUTimer *inquiry_done;
52 QEMUTimer *inquiry_next;
53 int inquiry_length;
54 int inquiry_period;
55 int inquiry_mode;
56
57 #define HCI_HANDLE_OFFSET 0x20
58 #define HCI_HANDLES_MAX 0x10
59 struct bt_hci_master_link_s {
60 struct bt_link_s *link;
61 void (*lmp_acl_data)(struct bt_link_s *link,
62 const uint8_t *data, int start, int len);
63 QEMUTimer *acl_mode_timer;
64 } handle[HCI_HANDLES_MAX];
65 uint32_t role_bmp;
66 int last_handle;
67 int connecting;
68 bdaddr_t awaiting_bdaddr[HCI_HANDLES_MAX];
69 } lm;
70
71 uint8_t event_mask[8];
72 uint16_t voice_setting; /* Notw: Always little-endian */
73 uint16_t conn_accept_tout;
74 QEMUTimer *conn_accept_timer;
75
76 struct HCIInfo info;
77 struct bt_device_s device;
78
79 Error *replay_blocker;
80 };
81
82 #define DEFAULT_RSSI_DBM 20
83
84 #define hci_from_info(ptr) container_of((ptr), struct bt_hci_s, info)
85 #define hci_from_device(ptr) container_of((ptr), struct bt_hci_s, device)
86
87 struct bt_hci_link_s {
88 struct bt_link_s btlink;
89 uint16_t handle; /* Local */
90 };
91
92 /* LMP layer emulation */
93 #if 0
94 static void bt_submit_lmp(struct bt_device_s *bt, int length, uint8_t *data)
95 {
96 int resp, resplen, error, op, tr;
97 uint8_t respdata[17];
98
99 if (length < 1)
100 return;
101
102 tr = *data & 1;
103 op = *(data ++) >> 1;
104 resp = LMP_ACCEPTED;
105 resplen = 2;
106 respdata[1] = op;
107 error = 0;
108 length --;
109
110 if (op >= 0x7c) { /* Extended opcode */
111 op |= *(data ++) << 8;
112 resp = LMP_ACCEPTED_EXT;
113 resplen = 4;
114 respdata[0] = op >> 8;
115 respdata[1] = op & 0xff;
116 length --;
117 }
118
119 switch (op) {
120 case LMP_ACCEPTED:
121 /* data[0] Op code
122 */
123 if (length < 1) {
124 error = HCI_UNSUPPORTED_LMP_PARAMETER_VALUE;
125 goto not_accepted;
126 }
127 resp = 0;
128 break;
129
130 case LMP_ACCEPTED_EXT:
131 /* data[0] Escape op code
132 * data[1] Extended op code
133 */
134 if (length < 2) {
135 error = HCI_UNSUPPORTED_LMP_PARAMETER_VALUE;
136 goto not_accepted;
137 }
138 resp = 0;
139 break;
140
141 case LMP_NOT_ACCEPTED:
142 /* data[0] Op code
143 * data[1] Error code
144 */
145 if (length < 2) {
146 error = HCI_UNSUPPORTED_LMP_PARAMETER_VALUE;
147 goto not_accepted;
148 }
149 resp = 0;
150 break;
151
152 case LMP_NOT_ACCEPTED_EXT:
153 /* data[0] Op code
154 * data[1] Extended op code
155 * data[2] Error code
156 */
157 if (length < 3) {
158 error = HCI_UNSUPPORTED_LMP_PARAMETER_VALUE;
159 goto not_accepted;
160 }
161 resp = 0;
162 break;
163
164 case LMP_HOST_CONNECTION_REQ:
165 break;
166
167 case LMP_SETUP_COMPLETE:
168 resp = LMP_SETUP_COMPLETE;
169 resplen = 1;
170 bt->setup = 1;
171 break;
172
173 case LMP_DETACH:
174 /* data[0] Error code
175 */
176 if (length < 1) {
177 error = HCI_UNSUPPORTED_LMP_PARAMETER_VALUE;
178 goto not_accepted;
179 }
180 bt->setup = 0;
181 resp = 0;
182 break;
183
184 case LMP_SUPERVISION_TIMEOUT:
185 /* data[0,1] Supervision timeout
186 */
187 if (length < 2) {
188 error = HCI_UNSUPPORTED_LMP_PARAMETER_VALUE;
189 goto not_accepted;
190 }
191 resp = 0;
192 break;
193
194 case LMP_QUALITY_OF_SERVICE:
195 resp = 0;
196 /* Fall through */
197 case LMP_QOS_REQ:
198 /* data[0,1] Poll interval
199 * data[2] N(BC)
200 */
201 if (length < 3) {
202 error = HCI_UNSUPPORTED_LMP_PARAMETER_VALUE;
203 goto not_accepted;
204 }
205 break;
206
207 case LMP_MAX_SLOT:
208 resp = 0;
209 /* Fall through */
210 case LMP_MAX_SLOT_REQ:
211 /* data[0] Max slots
212 */
213 if (length < 1) {
214 error = HCI_UNSUPPORTED_LMP_PARAMETER_VALUE;
215 goto not_accepted;
216 }
217 break;
218
219 case LMP_AU_RAND:
220 case LMP_IN_RAND:
221 case LMP_COMB_KEY:
222 /* data[0-15] Random number
223 */
224 if (length < 16) {
225 error = HCI_UNSUPPORTED_LMP_PARAMETER_VALUE;
226 goto not_accepted;
227 }
228 if (op == LMP_AU_RAND) {
229 if (bt->key_present) {
230 resp = LMP_SRES;
231 resplen = 5;
232 /* XXX: [Part H] Section 6.1 on page 801 */
233 } else {
234 error = HCI_PIN_OR_KEY_MISSING;
235 goto not_accepted;
236 }
237 } else if (op == LMP_IN_RAND) {
238 error = HCI_PAIRING_NOT_ALLOWED;
239 goto not_accepted;
240 } else {
241 /* XXX: [Part H] Section 3.2 on page 779 */
242 resp = LMP_UNIT_KEY;
243 resplen = 17;
244 memcpy(respdata + 1, bt->key, 16);
245
246 error = HCI_UNIT_LINK_KEY_USED;
247 goto not_accepted;
248 }
249 break;
250
251 case LMP_UNIT_KEY:
252 /* data[0-15] Key
253 */
254 if (length < 16) {
255 error = HCI_UNSUPPORTED_LMP_PARAMETER_VALUE;
256 goto not_accepted;
257 }
258 memcpy(bt->key, data, 16);
259 bt->key_present = 1;
260 break;
261
262 case LMP_SRES:
263 /* data[0-3] Authentication response
264 */
265 if (length < 4) {
266 error = HCI_UNSUPPORTED_LMP_PARAMETER_VALUE;
267 goto not_accepted;
268 }
269 break;
270
271 case LMP_CLKOFFSET_REQ:
272 resp = LMP_CLKOFFSET_RES;
273 resplen = 3;
274 respdata[1] = 0x33;
275 respdata[2] = 0x33;
276 break;
277
278 case LMP_CLKOFFSET_RES:
279 /* data[0,1] Clock offset
280 * (Slave to master only)
281 */
282 if (length < 2) {
283 error = HCI_UNSUPPORTED_LMP_PARAMETER_VALUE;
284 goto not_accepted;
285 }
286 break;
287
288 case LMP_VERSION_REQ:
289 case LMP_VERSION_RES:
290 /* data[0] VersNr
291 * data[1,2] CompId
292 * data[3,4] SubVersNr
293 */
294 if (length < 5) {
295 error = HCI_UNSUPPORTED_LMP_PARAMETER_VALUE;
296 goto not_accepted;
297 }
298 if (op == LMP_VERSION_REQ) {
299 resp = LMP_VERSION_RES;
300 resplen = 6;
301 respdata[1] = 0x20;
302 respdata[2] = 0xff;
303 respdata[3] = 0xff;
304 respdata[4] = 0xff;
305 respdata[5] = 0xff;
306 } else
307 resp = 0;
308 break;
309
310 case LMP_FEATURES_REQ:
311 case LMP_FEATURES_RES:
312 /* data[0-7] Features
313 */
314 if (length < 8) {
315 error = HCI_UNSUPPORTED_LMP_PARAMETER_VALUE;
316 goto not_accepted;
317 }
318 if (op == LMP_FEATURES_REQ) {
319 resp = LMP_FEATURES_RES;
320 resplen = 9;
321 respdata[1] = (bt->lmp_caps >> 0) & 0xff;
322 respdata[2] = (bt->lmp_caps >> 8) & 0xff;
323 respdata[3] = (bt->lmp_caps >> 16) & 0xff;
324 respdata[4] = (bt->lmp_caps >> 24) & 0xff;
325 respdata[5] = (bt->lmp_caps >> 32) & 0xff;
326 respdata[6] = (bt->lmp_caps >> 40) & 0xff;
327 respdata[7] = (bt->lmp_caps >> 48) & 0xff;
328 respdata[8] = (bt->lmp_caps >> 56) & 0xff;
329 } else
330 resp = 0;
331 break;
332
333 case LMP_NAME_REQ:
334 /* data[0] Name offset
335 */
336 if (length < 1) {
337 error = HCI_UNSUPPORTED_LMP_PARAMETER_VALUE;
338 goto not_accepted;
339 }
340 resp = LMP_NAME_RES;
341 resplen = 17;
342 respdata[1] = data[0];
343 respdata[2] = strlen(bt->lmp_name);
344 memset(respdata + 3, 0x00, 14);
345 if (respdata[2] > respdata[1])
346 memcpy(respdata + 3, bt->lmp_name + respdata[1],
347 respdata[2] - respdata[1]);
348 break;
349
350 case LMP_NAME_RES:
351 /* data[0] Name offset
352 * data[1] Name length
353 * data[2-15] Name fragment
354 */
355 if (length < 16) {
356 error = HCI_UNSUPPORTED_LMP_PARAMETER_VALUE;
357 goto not_accepted;
358 }
359 resp = 0;
360 break;
361
362 default:
363 error = HCI_UNKNOWN_LMP_PDU;
364 /* Fall through */
365 not_accepted:
366 if (op >> 8) {
367 resp = LMP_NOT_ACCEPTED_EXT;
368 resplen = 5;
369 respdata[0] = op >> 8;
370 respdata[1] = op & 0xff;
371 respdata[2] = error;
372 } else {
373 resp = LMP_NOT_ACCEPTED;
374 resplen = 3;
375 respdata[0] = op & 0xff;
376 respdata[1] = error;
377 }
378 }
379
380 if (resp == 0)
381 return;
382
383 if (resp >> 8) {
384 respdata[0] = resp >> 8;
385 respdata[1] = resp & 0xff;
386 } else
387 respdata[0] = resp & 0xff;
388
389 respdata[0] <<= 1;
390 respdata[0] |= tr;
391 }
392
393 static void bt_submit_raw_acl(struct bt_piconet_s *net, int length, uint8_t *data)
394 {
395 struct bt_device_s *slave;
396 if (length < 1)
397 return;
398
399 slave = 0;
400 #if 0
401 slave = net->slave;
402 #endif
403
404 switch (data[0] & 3) {
405 case LLID_ACLC:
406 bt_submit_lmp(slave, length - 1, data + 1);
407 break;
408 case LLID_ACLU_START:
409 #if 0
410 bt_sumbit_l2cap(slave, length - 1, data + 1, (data[0] >> 2) & 1);
411 breka;
412 #endif
413 default:
414 case LLID_ACLU_CONT:
415 break;
416 }
417 }
418 #endif
419
420 /* HCI layer emulation */
421
422 /* Note: we could ignore endiannes because unswapped handles will still
423 * be valid as connection identifiers for the guest - they don't have to
424 * be continuously allocated. We do it though, to preserve similar
425 * behaviour between hosts. Some things, like the BD_ADDR cannot be
426 * preserved though (for example if a real hci is used). */
427 #ifdef HOST_WORDS_BIGENDIAN
428 # define HNDL(raw) bswap16(raw)
429 #else
430 # define HNDL(raw) (raw)
431 #endif
432
433 static const uint8_t bt_event_reserved_mask[8] = {
434 0xff, 0x9f, 0xfb, 0xff, 0x07, 0x18, 0x00, 0x00,
435 };
436
437
438 static void null_hci_send(struct HCIInfo *hci, const uint8_t *data, int len)
439 {
440 }
441
442 static int null_hci_addr_set(struct HCIInfo *hci, const uint8_t *bd_addr)
443 {
444 return -ENOTSUP;
445 }
446
447 struct HCIInfo null_hci = {
448 .cmd_send = null_hci_send,
449 .sco_send = null_hci_send,
450 .acl_send = null_hci_send,
451 .bdaddr_set = null_hci_addr_set,
452 };
453
454
455 static inline uint8_t *bt_hci_event_start(struct bt_hci_s *hci,
456 int evt, int len)
457 {
458 uint8_t *packet, mask;
459 int mask_byte;
460
461 if (len > 255) {
462 fprintf(stderr, "%s: HCI event params too long (%ib)\n",
463 __FUNCTION__, len);
464 exit(-1);
465 }
466
467 mask_byte = (evt - 1) >> 3;
468 mask = 1 << ((evt - 1) & 3);
469 if (mask & bt_event_reserved_mask[mask_byte] & ~hci->event_mask[mask_byte])
470 return NULL;
471
472 packet = hci->evt_packet(hci->opaque);
473 packet[0] = evt;
474 packet[1] = len;
475
476 return &packet[2];
477 }
478
479 static inline void bt_hci_event(struct bt_hci_s *hci, int evt,
480 void *params, int len)
481 {
482 uint8_t *packet = bt_hci_event_start(hci, evt, len);
483
484 if (!packet)
485 return;
486
487 if (len)
488 memcpy(packet, params, len);
489
490 hci->evt_submit(hci->opaque, len + 2);
491 }
492
493 static inline void bt_hci_event_status(struct bt_hci_s *hci, int status)
494 {
495 evt_cmd_status params = {
496 .status = status,
497 .ncmd = 1,
498 .opcode = hci->last_cmd,
499 };
500
501 bt_hci_event(hci, EVT_CMD_STATUS, &params, EVT_CMD_STATUS_SIZE);
502 }
503
504 static inline void bt_hci_event_complete(struct bt_hci_s *hci,
505 void *ret, int len)
506 {
507 uint8_t *packet = bt_hci_event_start(hci, EVT_CMD_COMPLETE,
508 len + EVT_CMD_COMPLETE_SIZE);
509 evt_cmd_complete *params = (evt_cmd_complete *) packet;
510
511 if (!packet)
512 return;
513
514 params->ncmd = 1;
515 params->opcode = hci->last_cmd;
516 if (len)
517 memcpy(&packet[EVT_CMD_COMPLETE_SIZE], ret, len);
518
519 hci->evt_submit(hci->opaque, len + EVT_CMD_COMPLETE_SIZE + 2);
520 }
521
522 static void bt_hci_inquiry_done(void *opaque)
523 {
524 struct bt_hci_s *hci = (struct bt_hci_s *) opaque;
525 uint8_t status = HCI_SUCCESS;
526
527 if (!hci->lm.periodic)
528 hci->lm.inquire = 0;
529
530 /* The specification is inconsistent about this one. Page 565 reads
531 * "The event parameters of Inquiry Complete event will have a summary
532 * of the result from the Inquiry process, which reports the number of
533 * nearby Bluetooth devices that responded [so hci->responses].", but
534 * Event Parameters (see page 729) has only Status. */
535 bt_hci_event(hci, EVT_INQUIRY_COMPLETE, &status, 1);
536 }
537
538 static void bt_hci_inquiry_result_standard(struct bt_hci_s *hci,
539 struct bt_device_s *slave)
540 {
541 inquiry_info params = {
542 .num_responses = 1,
543 .bdaddr = BAINIT(&slave->bd_addr),
544 .pscan_rep_mode = 0x00, /* R0 */
545 .pscan_period_mode = 0x00, /* P0 - deprecated */
546 .pscan_mode = 0x00, /* Standard scan - deprecated */
547 .dev_class[0] = slave->class[0],
548 .dev_class[1] = slave->class[1],
549 .dev_class[2] = slave->class[2],
550 /* TODO: return the clkoff *differenece* */
551 .clock_offset = slave->clkoff, /* Note: no swapping */
552 };
553
554 bt_hci_event(hci, EVT_INQUIRY_RESULT, &params, INQUIRY_INFO_SIZE);
555 }
556
557 static void bt_hci_inquiry_result_with_rssi(struct bt_hci_s *hci,
558 struct bt_device_s *slave)
559 {
560 inquiry_info_with_rssi params = {
561 .num_responses = 1,
562 .bdaddr = BAINIT(&slave->bd_addr),
563 .pscan_rep_mode = 0x00, /* R0 */
564 .pscan_period_mode = 0x00, /* P0 - deprecated */
565 .dev_class[0] = slave->class[0],
566 .dev_class[1] = slave->class[1],
567 .dev_class[2] = slave->class[2],
568 /* TODO: return the clkoff *differenece* */
569 .clock_offset = slave->clkoff, /* Note: no swapping */
570 .rssi = DEFAULT_RSSI_DBM,
571 };
572
573 bt_hci_event(hci, EVT_INQUIRY_RESULT_WITH_RSSI,
574 &params, INQUIRY_INFO_WITH_RSSI_SIZE);
575 }
576
577 static void bt_hci_inquiry_result(struct bt_hci_s *hci,
578 struct bt_device_s *slave)
579 {
580 if (!slave->inquiry_scan || !hci->lm.responses_left)
581 return;
582
583 hci->lm.responses_left --;
584 hci->lm.responses ++;
585
586 switch (hci->lm.inquiry_mode) {
587 case 0x00:
588 bt_hci_inquiry_result_standard(hci, slave);
589 return;
590 case 0x01:
591 bt_hci_inquiry_result_with_rssi(hci, slave);
592 return;
593 default:
594 fprintf(stderr, "%s: bad inquiry mode %02x\n", __FUNCTION__,
595 hci->lm.inquiry_mode);
596 exit(-1);
597 }
598 }
599
600 static void bt_hci_mod_timer_1280ms(QEMUTimer *timer, int period)
601 {
602 timer_mod(timer, qemu_clock_get_ns(QEMU_CLOCK_VIRTUAL) +
603 (uint64_t)(period << 7) * 10000000);
604 }
605
606 static void bt_hci_inquiry_start(struct bt_hci_s *hci, int length)
607 {
608 struct bt_device_s *slave;
609
610 hci->lm.inquiry_length = length;
611 for (slave = hci->device.net->slave; slave; slave = slave->next)
612 /* Don't uncover ourselves. */
613 if (slave != &hci->device)
614 bt_hci_inquiry_result(hci, slave);
615
616 /* TODO: register for a callback on a new device's addition to the
617 * scatternet so that if it's added before inquiry_length expires,
618 * an Inquiry Result is generated immediately. Alternatively re-loop
619 * through the devices on the inquiry_length expiration and report
620 * devices not seen before. */
621 if (hci->lm.responses_left)
622 bt_hci_mod_timer_1280ms(hci->lm.inquiry_done, hci->lm.inquiry_length);
623 else
624 bt_hci_inquiry_done(hci);
625
626 if (hci->lm.periodic)
627 bt_hci_mod_timer_1280ms(hci->lm.inquiry_next, hci->lm.inquiry_period);
628 }
629
630 static void bt_hci_inquiry_next(void *opaque)
631 {
632 struct bt_hci_s *hci = (struct bt_hci_s *) opaque;
633
634 hci->lm.responses_left += hci->lm.responses;
635 hci->lm.responses = 0;
636 bt_hci_inquiry_start(hci, hci->lm.inquiry_length);
637 }
638
639 static inline int bt_hci_handle_bad(struct bt_hci_s *hci, uint16_t handle)
640 {
641 return !(handle & HCI_HANDLE_OFFSET) ||
642 handle >= (HCI_HANDLE_OFFSET | HCI_HANDLES_MAX) ||
643 !hci->lm.handle[handle & ~HCI_HANDLE_OFFSET].link;
644 }
645
646 static inline int bt_hci_role_master(struct bt_hci_s *hci, uint16_t handle)
647 {
648 return !!(hci->lm.role_bmp & (1 << (handle & ~HCI_HANDLE_OFFSET)));
649 }
650
651 static inline struct bt_device_s *bt_hci_remote_dev(struct bt_hci_s *hci,
652 uint16_t handle)
653 {
654 struct bt_link_s *link = hci->lm.handle[handle & ~HCI_HANDLE_OFFSET].link;
655
656 return bt_hci_role_master(hci, handle) ? link->slave : link->host;
657 }
658
659 static void bt_hci_mode_tick(void *opaque);
660 static void bt_hci_lmp_link_establish(struct bt_hci_s *hci,
661 struct bt_link_s *link, int master)
662 {
663 hci->lm.handle[hci->lm.last_handle].link = link;
664
665 if (master) {
666 /* We are the master side of an ACL link */
667 hci->lm.role_bmp |= 1 << hci->lm.last_handle;
668
669 hci->lm.handle[hci->lm.last_handle].lmp_acl_data =
670 link->slave->lmp_acl_data;
671 } else {
672 /* We are the slave side of an ACL link */
673 hci->lm.role_bmp &= ~(1 << hci->lm.last_handle);
674
675 hci->lm.handle[hci->lm.last_handle].lmp_acl_data =
676 link->host->lmp_acl_resp;
677 }
678
679 /* Mode */
680 if (master) {
681 link->acl_mode = acl_active;
682 hci->lm.handle[hci->lm.last_handle].acl_mode_timer =
683 timer_new_ns(QEMU_CLOCK_VIRTUAL, bt_hci_mode_tick, link);
684 }
685 }
686
687 static void bt_hci_lmp_link_teardown(struct bt_hci_s *hci, uint16_t handle)
688 {
689 handle &= ~HCI_HANDLE_OFFSET;
690 hci->lm.handle[handle].link = NULL;
691
692 if (bt_hci_role_master(hci, handle)) {
693 timer_del(hci->lm.handle[handle].acl_mode_timer);
694 timer_free(hci->lm.handle[handle].acl_mode_timer);
695 }
696 }
697
698 static int bt_hci_connect(struct bt_hci_s *hci, bdaddr_t *bdaddr)
699 {
700 struct bt_device_s *slave;
701 struct bt_link_s link;
702
703 for (slave = hci->device.net->slave; slave; slave = slave->next)
704 if (slave->page_scan && !bacmp(&slave->bd_addr, bdaddr))
705 break;
706 if (!slave || slave == &hci->device)
707 return -ENODEV;
708
709 bacpy(&hci->lm.awaiting_bdaddr[hci->lm.connecting ++], &slave->bd_addr);
710
711 link.slave = slave;
712 link.host = &hci->device;
713 link.slave->lmp_connection_request(&link); /* Always last */
714
715 return 0;
716 }
717
718 static void bt_hci_connection_reject(struct bt_hci_s *hci,
719 struct bt_device_s *host, uint8_t because)
720 {
721 struct bt_link_s link = {
722 .slave = &hci->device,
723 .host = host,
724 /* Rest uninitialised */
725 };
726
727 host->reject_reason = because;
728 host->lmp_connection_complete(&link);
729 }
730
731 static void bt_hci_connection_reject_event(struct bt_hci_s *hci,
732 bdaddr_t *bdaddr)
733 {
734 evt_conn_complete params;
735
736 params.status = HCI_NO_CONNECTION;
737 params.handle = 0;
738 bacpy(&params.bdaddr, bdaddr);
739 params.link_type = ACL_LINK;
740 params.encr_mode = 0x00; /* Encryption not required */
741 bt_hci_event(hci, EVT_CONN_COMPLETE, &params, EVT_CONN_COMPLETE_SIZE);
742 }
743
744 static void bt_hci_connection_accept(struct bt_hci_s *hci,
745 struct bt_device_s *host)
746 {
747 struct bt_hci_link_s *link = g_malloc0(sizeof(struct bt_hci_link_s));
748 evt_conn_complete params;
749 uint16_t handle;
750 uint8_t status = HCI_SUCCESS;
751 int tries = HCI_HANDLES_MAX;
752
753 /* Make a connection handle */
754 do {
755 while (hci->lm.handle[++ hci->lm.last_handle].link && -- tries)
756 hci->lm.last_handle &= HCI_HANDLES_MAX - 1;
757 handle = hci->lm.last_handle | HCI_HANDLE_OFFSET;
758 } while ((handle == hci->asb_handle || handle == hci->psb_handle) &&
759 tries);
760
761 if (!tries) {
762 g_free(link);
763 bt_hci_connection_reject(hci, host, HCI_REJECTED_LIMITED_RESOURCES);
764 status = HCI_NO_CONNECTION;
765 goto complete;
766 }
767
768 link->btlink.slave = &hci->device;
769 link->btlink.host = host;
770 link->handle = handle;
771
772 /* Link established */
773 bt_hci_lmp_link_establish(hci, &link->btlink, 0);
774
775 complete:
776 params.status = status;
777 params.handle = HNDL(handle);
778 bacpy(&params.bdaddr, &host->bd_addr);
779 params.link_type = ACL_LINK;
780 params.encr_mode = 0x00; /* Encryption not required */
781 bt_hci_event(hci, EVT_CONN_COMPLETE, &params, EVT_CONN_COMPLETE_SIZE);
782
783 /* Neets to be done at the very end because it can trigger a (nested)
784 * disconnected, in case the other and had cancelled the request
785 * locally. */
786 if (status == HCI_SUCCESS) {
787 host->reject_reason = 0;
788 host->lmp_connection_complete(&link->btlink);
789 }
790 }
791
792 static void bt_hci_lmp_connection_request(struct bt_link_s *link)
793 {
794 struct bt_hci_s *hci = hci_from_device(link->slave);
795 evt_conn_request params;
796
797 if (hci->conn_req_host) {
798 bt_hci_connection_reject(hci, link->host,
799 HCI_REJECTED_LIMITED_RESOURCES);
800 return;
801 }
802 hci->conn_req_host = link->host;
803 /* TODO: if masked and auto-accept, then auto-accept,
804 * if masked and not auto-accept, then auto-reject */
805 /* TODO: kick the hci->conn_accept_timer, timeout after
806 * hci->conn_accept_tout * 0.625 msec */
807
808 bacpy(&params.bdaddr, &link->host->bd_addr);
809 memcpy(&params.dev_class, &link->host->class, sizeof(params.dev_class));
810 params.link_type = ACL_LINK;
811 bt_hci_event(hci, EVT_CONN_REQUEST, &params, EVT_CONN_REQUEST_SIZE);
812 }
813
814 static void bt_hci_conn_accept_timeout(void *opaque)
815 {
816 struct bt_hci_s *hci = (struct bt_hci_s *) opaque;
817
818 if (!hci->conn_req_host)
819 /* Already accepted or rejected. If the other end cancelled the
820 * connection request then we still have to reject or accept it
821 * and then we'll get a disconnect. */
822 return;
823
824 /* TODO */
825 }
826
827 /* Remove from the list of devices which we wanted to connect to and
828 * are awaiting a response from. If the callback sees a response from
829 * a device which is not on the list it will assume it's a connection
830 * that's been cancelled by the host in the meantime and immediately
831 * try to detach the link and send a Connection Complete. */
832 static int bt_hci_lmp_connection_ready(struct bt_hci_s *hci,
833 bdaddr_t *bdaddr)
834 {
835 int i;
836
837 for (i = 0; i < hci->lm.connecting; i ++)
838 if (!bacmp(&hci->lm.awaiting_bdaddr[i], bdaddr)) {
839 if (i < -- hci->lm.connecting)
840 bacpy(&hci->lm.awaiting_bdaddr[i],
841 &hci->lm.awaiting_bdaddr[hci->lm.connecting]);
842 return 0;
843 }
844
845 return 1;
846 }
847
848 static void bt_hci_lmp_connection_complete(struct bt_link_s *link)
849 {
850 struct bt_hci_s *hci = hci_from_device(link->host);
851 evt_conn_complete params;
852 uint16_t handle;
853 uint8_t status = HCI_SUCCESS;
854 int tries = HCI_HANDLES_MAX;
855
856 if (bt_hci_lmp_connection_ready(hci, &link->slave->bd_addr)) {
857 if (!hci->device.reject_reason)
858 link->slave->lmp_disconnect_slave(link);
859 handle = 0;
860 status = HCI_NO_CONNECTION;
861 goto complete;
862 }
863
864 if (hci->device.reject_reason) {
865 handle = 0;
866 status = hci->device.reject_reason;
867 goto complete;
868 }
869
870 /* Make a connection handle */
871 do {
872 while (hci->lm.handle[++ hci->lm.last_handle].link && -- tries)
873 hci->lm.last_handle &= HCI_HANDLES_MAX - 1;
874 handle = hci->lm.last_handle | HCI_HANDLE_OFFSET;
875 } while ((handle == hci->asb_handle || handle == hci->psb_handle) &&
876 tries);
877
878 if (!tries) {
879 link->slave->lmp_disconnect_slave(link);
880 status = HCI_NO_CONNECTION;
881 goto complete;
882 }
883
884 /* Link established */
885 link->handle = handle;
886 bt_hci_lmp_link_establish(hci, link, 1);
887
888 complete:
889 params.status = status;
890 params.handle = HNDL(handle);
891 params.link_type = ACL_LINK;
892 bacpy(&params.bdaddr, &link->slave->bd_addr);
893 params.encr_mode = 0x00; /* Encryption not required */
894 bt_hci_event(hci, EVT_CONN_COMPLETE, &params, EVT_CONN_COMPLETE_SIZE);
895 }
896
897 static void bt_hci_disconnect(struct bt_hci_s *hci,
898 uint16_t handle, int reason)
899 {
900 struct bt_link_s *btlink =
901 hci->lm.handle[handle & ~HCI_HANDLE_OFFSET].link;
902 struct bt_hci_link_s *link;
903 evt_disconn_complete params;
904
905 if (bt_hci_role_master(hci, handle)) {
906 btlink->slave->reject_reason = reason;
907 btlink->slave->lmp_disconnect_slave(btlink);
908 /* The link pointer is invalid from now on */
909
910 goto complete;
911 }
912
913 btlink->host->reject_reason = reason;
914 btlink->host->lmp_disconnect_master(btlink);
915
916 /* We are the slave, we get to clean this burden */
917 link = (struct bt_hci_link_s *) btlink;
918 g_free(link);
919
920 complete:
921 bt_hci_lmp_link_teardown(hci, handle);
922
923 params.status = HCI_SUCCESS;
924 params.handle = HNDL(handle);
925 params.reason = HCI_CONNECTION_TERMINATED;
926 bt_hci_event(hci, EVT_DISCONN_COMPLETE,
927 &params, EVT_DISCONN_COMPLETE_SIZE);
928 }
929
930 /* TODO: use only one function */
931 static void bt_hci_lmp_disconnect_host(struct bt_link_s *link)
932 {
933 struct bt_hci_s *hci = hci_from_device(link->host);
934 uint16_t handle = link->handle;
935 evt_disconn_complete params;
936
937 bt_hci_lmp_link_teardown(hci, handle);
938
939 params.status = HCI_SUCCESS;
940 params.handle = HNDL(handle);
941 params.reason = hci->device.reject_reason;
942 bt_hci_event(hci, EVT_DISCONN_COMPLETE,
943 &params, EVT_DISCONN_COMPLETE_SIZE);
944 }
945
946 static void bt_hci_lmp_disconnect_slave(struct bt_link_s *btlink)
947 {
948 struct bt_hci_link_s *link = (struct bt_hci_link_s *) btlink;
949 struct bt_hci_s *hci = hci_from_device(btlink->slave);
950 uint16_t handle = link->handle;
951 evt_disconn_complete params;
952
953 g_free(link);
954
955 bt_hci_lmp_link_teardown(hci, handle);
956
957 params.status = HCI_SUCCESS;
958 params.handle = HNDL(handle);
959 params.reason = hci->device.reject_reason;
960 bt_hci_event(hci, EVT_DISCONN_COMPLETE,
961 &params, EVT_DISCONN_COMPLETE_SIZE);
962 }
963
964 static int bt_hci_name_req(struct bt_hci_s *hci, bdaddr_t *bdaddr)
965 {
966 struct bt_device_s *slave;
967 evt_remote_name_req_complete params;
968
969 for (slave = hci->device.net->slave; slave; slave = slave->next)
970 if (slave->page_scan && !bacmp(&slave->bd_addr, bdaddr))
971 break;
972 if (!slave)
973 return -ENODEV;
974
975 bt_hci_event_status(hci, HCI_SUCCESS);
976
977 params.status = HCI_SUCCESS;
978 bacpy(&params.bdaddr, &slave->bd_addr);
979 pstrcpy(params.name, sizeof(params.name), slave->lmp_name ?: "");
980 bt_hci_event(hci, EVT_REMOTE_NAME_REQ_COMPLETE,
981 &params, EVT_REMOTE_NAME_REQ_COMPLETE_SIZE);
982
983 return 0;
984 }
985
986 static int bt_hci_features_req(struct bt_hci_s *hci, uint16_t handle)
987 {
988 struct bt_device_s *slave;
989 evt_read_remote_features_complete params;
990
991 if (bt_hci_handle_bad(hci, handle))
992 return -ENODEV;
993
994 slave = bt_hci_remote_dev(hci, handle);
995
996 bt_hci_event_status(hci, HCI_SUCCESS);
997
998 params.status = HCI_SUCCESS;
999 params.handle = HNDL(handle);
1000 params.features[0] = (slave->lmp_caps >> 0) & 0xff;
1001 params.features[1] = (slave->lmp_caps >> 8) & 0xff;
1002 params.features[2] = (slave->lmp_caps >> 16) & 0xff;
1003 params.features[3] = (slave->lmp_caps >> 24) & 0xff;
1004 params.features[4] = (slave->lmp_caps >> 32) & 0xff;
1005 params.features[5] = (slave->lmp_caps >> 40) & 0xff;
1006 params.features[6] = (slave->lmp_caps >> 48) & 0xff;
1007 params.features[7] = (slave->lmp_caps >> 56) & 0xff;
1008 bt_hci_event(hci, EVT_READ_REMOTE_FEATURES_COMPLETE,
1009 &params, EVT_READ_REMOTE_FEATURES_COMPLETE_SIZE);
1010
1011 return 0;
1012 }
1013
1014 static int bt_hci_version_req(struct bt_hci_s *hci, uint16_t handle)
1015 {
1016 evt_read_remote_version_complete params;
1017
1018 if (bt_hci_handle_bad(hci, handle))
1019 return -ENODEV;
1020
1021 bt_hci_remote_dev(hci, handle);
1022
1023 bt_hci_event_status(hci, HCI_SUCCESS);
1024
1025 params.status = HCI_SUCCESS;
1026 params.handle = HNDL(handle);
1027 params.lmp_ver = 0x03;
1028 params.manufacturer = cpu_to_le16(0xa000);
1029 params.lmp_subver = cpu_to_le16(0xa607);
1030 bt_hci_event(hci, EVT_READ_REMOTE_VERSION_COMPLETE,
1031 &params, EVT_READ_REMOTE_VERSION_COMPLETE_SIZE);
1032
1033 return 0;
1034 }
1035
1036 static int bt_hci_clkoffset_req(struct bt_hci_s *hci, uint16_t handle)
1037 {
1038 struct bt_device_s *slave;
1039 evt_read_clock_offset_complete params;
1040
1041 if (bt_hci_handle_bad(hci, handle))
1042 return -ENODEV;
1043
1044 slave = bt_hci_remote_dev(hci, handle);
1045
1046 bt_hci_event_status(hci, HCI_SUCCESS);
1047
1048 params.status = HCI_SUCCESS;
1049 params.handle = HNDL(handle);
1050 /* TODO: return the clkoff *differenece* */
1051 params.clock_offset = slave->clkoff; /* Note: no swapping */
1052 bt_hci_event(hci, EVT_READ_CLOCK_OFFSET_COMPLETE,
1053 &params, EVT_READ_CLOCK_OFFSET_COMPLETE_SIZE);
1054
1055 return 0;
1056 }
1057
1058 static void bt_hci_event_mode(struct bt_hci_s *hci, struct bt_link_s *link,
1059 uint16_t handle)
1060 {
1061 evt_mode_change params = {
1062 .status = HCI_SUCCESS,
1063 .handle = HNDL(handle),
1064 .mode = link->acl_mode,
1065 .interval = cpu_to_le16(link->acl_interval),
1066 };
1067
1068 bt_hci_event(hci, EVT_MODE_CHANGE, &params, EVT_MODE_CHANGE_SIZE);
1069 }
1070
1071 static void bt_hci_lmp_mode_change_master(struct bt_hci_s *hci,
1072 struct bt_link_s *link, int mode, uint16_t interval)
1073 {
1074 link->acl_mode = mode;
1075 link->acl_interval = interval;
1076
1077 bt_hci_event_mode(hci, link, link->handle);
1078
1079 link->slave->lmp_mode_change(link);
1080 }
1081
1082 static void bt_hci_lmp_mode_change_slave(struct bt_link_s *btlink)
1083 {
1084 struct bt_hci_link_s *link = (struct bt_hci_link_s *) btlink;
1085 struct bt_hci_s *hci = hci_from_device(btlink->slave);
1086
1087 bt_hci_event_mode(hci, btlink, link->handle);
1088 }
1089
1090 static int bt_hci_mode_change(struct bt_hci_s *hci, uint16_t handle,
1091 int interval, int mode)
1092 {
1093 struct bt_hci_master_link_s *link;
1094
1095 if (bt_hci_handle_bad(hci, handle) || !bt_hci_role_master(hci, handle))
1096 return -ENODEV;
1097
1098 link = &hci->lm.handle[handle & ~HCI_HANDLE_OFFSET];
1099 if (link->link->acl_mode != acl_active) {
1100 bt_hci_event_status(hci, HCI_COMMAND_DISALLOWED);
1101 return 0;
1102 }
1103
1104 bt_hci_event_status(hci, HCI_SUCCESS);
1105
1106 timer_mod(link->acl_mode_timer, qemu_clock_get_ns(QEMU_CLOCK_VIRTUAL) +
1107 ((uint64_t)interval * 625) * 1000);
1108 bt_hci_lmp_mode_change_master(hci, link->link, mode, interval);
1109
1110 return 0;
1111 }
1112
1113 static int bt_hci_mode_cancel(struct bt_hci_s *hci, uint16_t handle, int mode)
1114 {
1115 struct bt_hci_master_link_s *link;
1116
1117 if (bt_hci_handle_bad(hci, handle) || !bt_hci_role_master(hci, handle))
1118 return -ENODEV;
1119
1120 link = &hci->lm.handle[handle & ~HCI_HANDLE_OFFSET];
1121 if (link->link->acl_mode != mode) {
1122 bt_hci_event_status(hci, HCI_COMMAND_DISALLOWED);
1123
1124 return 0;
1125 }
1126
1127 bt_hci_event_status(hci, HCI_SUCCESS);
1128
1129 timer_del(link->acl_mode_timer);
1130 bt_hci_lmp_mode_change_master(hci, link->link, acl_active, 0);
1131
1132 return 0;
1133 }
1134
1135 static void bt_hci_mode_tick(void *opaque)
1136 {
1137 struct bt_link_s *link = opaque;
1138 struct bt_hci_s *hci = hci_from_device(link->host);
1139
1140 bt_hci_lmp_mode_change_master(hci, link, acl_active, 0);
1141 }
1142
1143 static void bt_hci_reset(struct bt_hci_s *hci)
1144 {
1145 hci->acl_len = 0;
1146 hci->last_cmd = 0;
1147 hci->lm.connecting = 0;
1148
1149 hci->event_mask[0] = 0xff;
1150 hci->event_mask[1] = 0xff;
1151 hci->event_mask[2] = 0xff;
1152 hci->event_mask[3] = 0xff;
1153 hci->event_mask[4] = 0xff;
1154 hci->event_mask[5] = 0x1f;
1155 hci->event_mask[6] = 0x00;
1156 hci->event_mask[7] = 0x00;
1157 hci->device.inquiry_scan = 0;
1158 hci->device.page_scan = 0;
1159 g_free((void *) hci->device.lmp_name);
1160 hci->device.lmp_name = NULL;
1161 hci->device.class[0] = 0x00;
1162 hci->device.class[1] = 0x00;
1163 hci->device.class[2] = 0x00;
1164 hci->voice_setting = 0x0000;
1165 hci->conn_accept_tout = 0x1f40;
1166 hci->lm.inquiry_mode = 0x00;
1167
1168 hci->psb_handle = 0x000;
1169 hci->asb_handle = 0x000;
1170
1171 /* XXX: timer_del(sl->acl_mode_timer); for all links */
1172 timer_del(hci->lm.inquiry_done);
1173 timer_del(hci->lm.inquiry_next);
1174 timer_del(hci->conn_accept_timer);
1175 }
1176
1177 static void bt_hci_read_local_version_rp(struct bt_hci_s *hci)
1178 {
1179 read_local_version_rp lv = {
1180 .status = HCI_SUCCESS,
1181 .hci_ver = 0x03,
1182 .hci_rev = cpu_to_le16(0xa607),
1183 .lmp_ver = 0x03,
1184 .manufacturer = cpu_to_le16(0xa000),
1185 .lmp_subver = cpu_to_le16(0xa607),
1186 };
1187
1188 bt_hci_event_complete(hci, &lv, READ_LOCAL_VERSION_RP_SIZE);
1189 }
1190
1191 static void bt_hci_read_local_commands_rp(struct bt_hci_s *hci)
1192 {
1193 read_local_commands_rp lc = {
1194 .status = HCI_SUCCESS,
1195 .commands = {
1196 /* Keep updated! */
1197 /* Also, keep in sync with hci->device.lmp_caps in bt_new_hci */
1198 0xbf, 0x80, 0xf9, 0x03, 0xb2, 0xc0, 0x03, 0xc3,
1199 0x00, 0x0f, 0x80, 0x00, 0xc0, 0x00, 0xe8, 0x13,
1200 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1201 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1202 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1203 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1204 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1205 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1206 },
1207 };
1208
1209 bt_hci_event_complete(hci, &lc, READ_LOCAL_COMMANDS_RP_SIZE);
1210 }
1211
1212 static void bt_hci_read_local_features_rp(struct bt_hci_s *hci)
1213 {
1214 read_local_features_rp lf = {
1215 .status = HCI_SUCCESS,
1216 .features = {
1217 (hci->device.lmp_caps >> 0) & 0xff,
1218 (hci->device.lmp_caps >> 8) & 0xff,
1219 (hci->device.lmp_caps >> 16) & 0xff,
1220 (hci->device.lmp_caps >> 24) & 0xff,
1221 (hci->device.lmp_caps >> 32) & 0xff,
1222 (hci->device.lmp_caps >> 40) & 0xff,
1223 (hci->device.lmp_caps >> 48) & 0xff,
1224 (hci->device.lmp_caps >> 56) & 0xff,
1225 },
1226 };
1227
1228 bt_hci_event_complete(hci, &lf, READ_LOCAL_FEATURES_RP_SIZE);
1229 }
1230
1231 static void bt_hci_read_local_ext_features_rp(struct bt_hci_s *hci, int page)
1232 {
1233 read_local_ext_features_rp lef = {
1234 .status = HCI_SUCCESS,
1235 .page_num = page,
1236 .max_page_num = 0x00,
1237 .features = {
1238 /* Keep updated! */
1239 0x5f, 0x35, 0x85, 0x7e, 0x9b, 0x19, 0x00, 0x80,
1240 },
1241 };
1242 if (page)
1243 memset(lef.features, 0, sizeof(lef.features));
1244
1245 bt_hci_event_complete(hci, &lef, READ_LOCAL_EXT_FEATURES_RP_SIZE);
1246 }
1247
1248 static void bt_hci_read_buffer_size_rp(struct bt_hci_s *hci)
1249 {
1250 read_buffer_size_rp bs = {
1251 /* This can be made configurable, for one standard USB dongle HCI
1252 * the four values are cpu_to_le16(0x0180), 0x40,
1253 * cpu_to_le16(0x0008), cpu_to_le16(0x0008). */
1254 .status = HCI_SUCCESS,
1255 .acl_mtu = cpu_to_le16(0x0200),
1256 .sco_mtu = 0,
1257 .acl_max_pkt = cpu_to_le16(0x0001),
1258 .sco_max_pkt = cpu_to_le16(0x0000),
1259 };
1260
1261 bt_hci_event_complete(hci, &bs, READ_BUFFER_SIZE_RP_SIZE);
1262 }
1263
1264 /* Deprecated in V2.0 (page 661) */
1265 static void bt_hci_read_country_code_rp(struct bt_hci_s *hci)
1266 {
1267 read_country_code_rp cc ={
1268 .status = HCI_SUCCESS,
1269 .country_code = 0x00, /* North America & Europe^1 and Japan */
1270 };
1271
1272 bt_hci_event_complete(hci, &cc, READ_COUNTRY_CODE_RP_SIZE);
1273
1274 /* ^1. Except France, sorry */
1275 }
1276
1277 static void bt_hci_read_bd_addr_rp(struct bt_hci_s *hci)
1278 {
1279 read_bd_addr_rp ba = {
1280 .status = HCI_SUCCESS,
1281 .bdaddr = BAINIT(&hci->device.bd_addr),
1282 };
1283
1284 bt_hci_event_complete(hci, &ba, READ_BD_ADDR_RP_SIZE);
1285 }
1286
1287 static int bt_hci_link_quality_rp(struct bt_hci_s *hci, uint16_t handle)
1288 {
1289 read_link_quality_rp lq = {
1290 .status = HCI_SUCCESS,
1291 .handle = HNDL(handle),
1292 .link_quality = 0xff,
1293 };
1294
1295 if (bt_hci_handle_bad(hci, handle))
1296 lq.status = HCI_NO_CONNECTION;
1297
1298 bt_hci_event_complete(hci, &lq, READ_LINK_QUALITY_RP_SIZE);
1299 return 0;
1300 }
1301
1302 /* Generate a Command Complete event with only the Status parameter */
1303 static inline void bt_hci_event_complete_status(struct bt_hci_s *hci,
1304 uint8_t status)
1305 {
1306 bt_hci_event_complete(hci, &status, 1);
1307 }
1308
1309 static inline void bt_hci_event_complete_conn_cancel(struct bt_hci_s *hci,
1310 uint8_t status, bdaddr_t *bd_addr)
1311 {
1312 create_conn_cancel_rp params = {
1313 .status = status,
1314 .bdaddr = BAINIT(bd_addr),
1315 };
1316
1317 bt_hci_event_complete(hci, &params, CREATE_CONN_CANCEL_RP_SIZE);
1318 }
1319
1320 static inline void bt_hci_event_auth_complete(struct bt_hci_s *hci,
1321 uint16_t handle)
1322 {
1323 evt_auth_complete params = {
1324 .status = HCI_SUCCESS,
1325 .handle = HNDL(handle),
1326 };
1327
1328 bt_hci_event(hci, EVT_AUTH_COMPLETE, &params, EVT_AUTH_COMPLETE_SIZE);
1329 }
1330
1331 static inline void bt_hci_event_encrypt_change(struct bt_hci_s *hci,
1332 uint16_t handle, uint8_t mode)
1333 {
1334 evt_encrypt_change params = {
1335 .status = HCI_SUCCESS,
1336 .handle = HNDL(handle),
1337 .encrypt = mode,
1338 };
1339
1340 bt_hci_event(hci, EVT_ENCRYPT_CHANGE, &params, EVT_ENCRYPT_CHANGE_SIZE);
1341 }
1342
1343 static inline void bt_hci_event_complete_name_cancel(struct bt_hci_s *hci,
1344 bdaddr_t *bd_addr)
1345 {
1346 remote_name_req_cancel_rp params = {
1347 .status = HCI_INVALID_PARAMETERS,
1348 .bdaddr = BAINIT(bd_addr),
1349 };
1350
1351 bt_hci_event_complete(hci, &params, REMOTE_NAME_REQ_CANCEL_RP_SIZE);
1352 }
1353
1354 static inline void bt_hci_event_read_remote_ext_features(struct bt_hci_s *hci,
1355 uint16_t handle)
1356 {
1357 evt_read_remote_ext_features_complete params = {
1358 .status = HCI_UNSUPPORTED_FEATURE,
1359 .handle = HNDL(handle),
1360 /* Rest uninitialised */
1361 };
1362
1363 bt_hci_event(hci, EVT_READ_REMOTE_EXT_FEATURES_COMPLETE,
1364 &params, EVT_READ_REMOTE_EXT_FEATURES_COMPLETE_SIZE);
1365 }
1366
1367 static inline void bt_hci_event_complete_lmp_handle(struct bt_hci_s *hci,
1368 uint16_t handle)
1369 {
1370 read_lmp_handle_rp params = {
1371 .status = HCI_NO_CONNECTION,
1372 .handle = HNDL(handle),
1373 .reserved = 0,
1374 /* Rest uninitialised */
1375 };
1376
1377 bt_hci_event_complete(hci, &params, READ_LMP_HANDLE_RP_SIZE);
1378 }
1379
1380 static inline void bt_hci_event_complete_role_discovery(struct bt_hci_s *hci,
1381 int status, uint16_t handle, int master)
1382 {
1383 role_discovery_rp params = {
1384 .status = status,
1385 .handle = HNDL(handle),
1386 .role = master ? 0x00 : 0x01,
1387 };
1388
1389 bt_hci_event_complete(hci, &params, ROLE_DISCOVERY_RP_SIZE);
1390 }
1391
1392 static inline void bt_hci_event_complete_flush(struct bt_hci_s *hci,
1393 int status, uint16_t handle)
1394 {
1395 flush_rp params = {
1396 .status = status,
1397 .handle = HNDL(handle),
1398 };
1399
1400 bt_hci_event_complete(hci, &params, FLUSH_RP_SIZE);
1401 }
1402
1403 static inline void bt_hci_event_complete_read_local_name(struct bt_hci_s *hci)
1404 {
1405 read_local_name_rp params;
1406 params.status = HCI_SUCCESS;
1407 memset(params.name, 0, sizeof(params.name));
1408 if (hci->device.lmp_name)
1409 pstrcpy(params.name, sizeof(params.name), hci->device.lmp_name);
1410
1411 bt_hci_event_complete(hci, &params, READ_LOCAL_NAME_RP_SIZE);
1412 }
1413
1414 static inline void bt_hci_event_complete_read_conn_accept_timeout(
1415 struct bt_hci_s *hci)
1416 {
1417 read_conn_accept_timeout_rp params = {
1418 .status = HCI_SUCCESS,
1419 .timeout = cpu_to_le16(hci->conn_accept_tout),
1420 };
1421
1422 bt_hci_event_complete(hci, &params, READ_CONN_ACCEPT_TIMEOUT_RP_SIZE);
1423 }
1424
1425 static inline void bt_hci_event_complete_read_scan_enable(struct bt_hci_s *hci)
1426 {
1427 read_scan_enable_rp params = {
1428 .status = HCI_SUCCESS,
1429 .enable =
1430 (hci->device.inquiry_scan ? SCAN_INQUIRY : 0) |
1431 (hci->device.page_scan ? SCAN_PAGE : 0),
1432 };
1433
1434 bt_hci_event_complete(hci, &params, READ_SCAN_ENABLE_RP_SIZE);
1435 }
1436
1437 static inline void bt_hci_event_complete_read_local_class(struct bt_hci_s *hci)
1438 {
1439 read_class_of_dev_rp params;
1440
1441 params.status = HCI_SUCCESS;
1442 memcpy(params.dev_class, hci->device.class, sizeof(params.dev_class));
1443
1444 bt_hci_event_complete(hci, &params, READ_CLASS_OF_DEV_RP_SIZE);
1445 }
1446
1447 static inline void bt_hci_event_complete_voice_setting(struct bt_hci_s *hci)
1448 {
1449 read_voice_setting_rp params = {
1450 .status = HCI_SUCCESS,
1451 .voice_setting = hci->voice_setting, /* Note: no swapping */
1452 };
1453
1454 bt_hci_event_complete(hci, &params, READ_VOICE_SETTING_RP_SIZE);
1455 }
1456
1457 static inline void bt_hci_event_complete_read_inquiry_mode(
1458 struct bt_hci_s *hci)
1459 {
1460 read_inquiry_mode_rp params = {
1461 .status = HCI_SUCCESS,
1462 .mode = hci->lm.inquiry_mode,
1463 };
1464
1465 bt_hci_event_complete(hci, &params, READ_INQUIRY_MODE_RP_SIZE);
1466 }
1467
1468 static inline void bt_hci_event_num_comp_pkts(struct bt_hci_s *hci,
1469 uint16_t handle, int packets)
1470 {
1471 uint16_t buf[EVT_NUM_COMP_PKTS_SIZE(1) / 2 + 1];
1472 evt_num_comp_pkts *params = (void *) ((uint8_t *) buf + 1);
1473
1474 params->num_hndl = 1;
1475 params->connection->handle = HNDL(handle);
1476 params->connection->num_packets = cpu_to_le16(packets);
1477
1478 bt_hci_event(hci, EVT_NUM_COMP_PKTS, params, EVT_NUM_COMP_PKTS_SIZE(1));
1479 }
1480
1481 static void bt_submit_hci(struct HCIInfo *info,
1482 const uint8_t *data, int length)
1483 {
1484 struct bt_hci_s *hci = hci_from_info(info);
1485 uint16_t cmd;
1486 int paramlen, i;
1487
1488 if (length < HCI_COMMAND_HDR_SIZE)
1489 goto short_hci;
1490
1491 memcpy(&hci->last_cmd, data, 2);
1492
1493 cmd = (data[1] << 8) | data[0];
1494 paramlen = data[2];
1495 if (cmd_opcode_ogf(cmd) == 0 || cmd_opcode_ocf(cmd) == 0) /* NOP */
1496 return;
1497
1498 data += HCI_COMMAND_HDR_SIZE;
1499 length -= HCI_COMMAND_HDR_SIZE;
1500
1501 if (paramlen > length)
1502 return;
1503
1504 #define PARAM(cmd, param) (((cmd##_cp *) data)->param)
1505 #define PARAM16(cmd, param) le16_to_cpup(&PARAM(cmd, param))
1506 #define PARAMHANDLE(cmd) HNDL(PARAM(cmd, handle))
1507 #define LENGTH_CHECK(cmd) if (length < sizeof(cmd##_cp)) goto short_hci
1508 /* Note: the supported commands bitmask in bt_hci_read_local_commands_rp
1509 * needs to be updated every time a command is implemented here! */
1510 switch (cmd) {
1511 case cmd_opcode_pack(OGF_LINK_CTL, OCF_INQUIRY):
1512 LENGTH_CHECK(inquiry);
1513
1514 if (PARAM(inquiry, length) < 1) {
1515 bt_hci_event_complete_status(hci, HCI_INVALID_PARAMETERS);
1516 break;
1517 }
1518
1519 hci->lm.inquire = 1;
1520 hci->lm.periodic = 0;
1521 hci->lm.responses_left = PARAM(inquiry, num_rsp) ?: INT_MAX;
1522 hci->lm.responses = 0;
1523 bt_hci_event_status(hci, HCI_SUCCESS);
1524 bt_hci_inquiry_start(hci, PARAM(inquiry, length));
1525 break;
1526
1527 case cmd_opcode_pack(OGF_LINK_CTL, OCF_INQUIRY_CANCEL):
1528 if (!hci->lm.inquire || hci->lm.periodic) {
1529 fprintf(stderr, "%s: Inquiry Cancel should only be issued after "
1530 "the Inquiry command has been issued, a Command "
1531 "Status event has been received for the Inquiry "
1532 "command, and before the Inquiry Complete event "
1533 "occurs", __FUNCTION__);
1534 bt_hci_event_complete_status(hci, HCI_COMMAND_DISALLOWED);
1535 break;
1536 }
1537
1538 hci->lm.inquire = 0;
1539 timer_del(hci->lm.inquiry_done);
1540 bt_hci_event_complete_status(hci, HCI_SUCCESS);
1541 break;
1542
1543 case cmd_opcode_pack(OGF_LINK_CTL, OCF_PERIODIC_INQUIRY):
1544 LENGTH_CHECK(periodic_inquiry);
1545
1546 if (!(PARAM(periodic_inquiry, length) <
1547 PARAM16(periodic_inquiry, min_period) &&
1548 PARAM16(periodic_inquiry, min_period) <
1549 PARAM16(periodic_inquiry, max_period)) ||
1550 PARAM(periodic_inquiry, length) < 1 ||
1551 PARAM16(periodic_inquiry, min_period) < 2 ||
1552 PARAM16(periodic_inquiry, max_period) < 3) {
1553 bt_hci_event_complete_status(hci, HCI_INVALID_PARAMETERS);
1554 break;
1555 }
1556
1557 hci->lm.inquire = 1;
1558 hci->lm.periodic = 1;
1559 hci->lm.responses_left = PARAM(periodic_inquiry, num_rsp);
1560 hci->lm.responses = 0;
1561 hci->lm.inquiry_period = PARAM16(periodic_inquiry, max_period);
1562 bt_hci_event_complete_status(hci, HCI_SUCCESS);
1563 bt_hci_inquiry_start(hci, PARAM(periodic_inquiry, length));
1564 break;
1565
1566 case cmd_opcode_pack(OGF_LINK_CTL, OCF_EXIT_PERIODIC_INQUIRY):
1567 if (!hci->lm.inquire || !hci->lm.periodic) {
1568 fprintf(stderr, "%s: Inquiry Cancel should only be issued after "
1569 "the Inquiry command has been issued, a Command "
1570 "Status event has been received for the Inquiry "
1571 "command, and before the Inquiry Complete event "
1572 "occurs", __FUNCTION__);
1573 bt_hci_event_complete_status(hci, HCI_COMMAND_DISALLOWED);
1574 break;
1575 }
1576 hci->lm.inquire = 0;
1577 timer_del(hci->lm.inquiry_done);
1578 timer_del(hci->lm.inquiry_next);
1579 bt_hci_event_complete_status(hci, HCI_SUCCESS);
1580 break;
1581
1582 case cmd_opcode_pack(OGF_LINK_CTL, OCF_CREATE_CONN):
1583 LENGTH_CHECK(create_conn);
1584
1585 if (hci->lm.connecting >= HCI_HANDLES_MAX) {
1586 bt_hci_event_status(hci, HCI_REJECTED_LIMITED_RESOURCES);
1587 break;
1588 }
1589 bt_hci_event_status(hci, HCI_SUCCESS);
1590
1591 if (bt_hci_connect(hci, &PARAM(create_conn, bdaddr)))
1592 bt_hci_connection_reject_event(hci, &PARAM(create_conn, bdaddr));
1593 break;
1594
1595 case cmd_opcode_pack(OGF_LINK_CTL, OCF_DISCONNECT):
1596 LENGTH_CHECK(disconnect);
1597
1598 if (bt_hci_handle_bad(hci, PARAMHANDLE(disconnect))) {
1599 bt_hci_event_status(hci, HCI_NO_CONNECTION);
1600 break;
1601 }
1602
1603 bt_hci_event_status(hci, HCI_SUCCESS);
1604 bt_hci_disconnect(hci, PARAMHANDLE(disconnect),
1605 PARAM(disconnect, reason));
1606 break;
1607
1608 case cmd_opcode_pack(OGF_LINK_CTL, OCF_CREATE_CONN_CANCEL):
1609 LENGTH_CHECK(create_conn_cancel);
1610
1611 if (bt_hci_lmp_connection_ready(hci,
1612 &PARAM(create_conn_cancel, bdaddr))) {
1613 for (i = 0; i < HCI_HANDLES_MAX; i ++)
1614 if (bt_hci_role_master(hci, i) && hci->lm.handle[i].link &&
1615 !bacmp(&hci->lm.handle[i].link->slave->bd_addr,
1616 &PARAM(create_conn_cancel, bdaddr)))
1617 break;
1618
1619 bt_hci_event_complete_conn_cancel(hci, i < HCI_HANDLES_MAX ?
1620 HCI_ACL_CONNECTION_EXISTS : HCI_NO_CONNECTION,
1621 &PARAM(create_conn_cancel, bdaddr));
1622 } else
1623 bt_hci_event_complete_conn_cancel(hci, HCI_SUCCESS,
1624 &PARAM(create_conn_cancel, bdaddr));
1625 break;
1626
1627 case cmd_opcode_pack(OGF_LINK_CTL, OCF_ACCEPT_CONN_REQ):
1628 LENGTH_CHECK(accept_conn_req);
1629
1630 if (!hci->conn_req_host ||
1631 bacmp(&PARAM(accept_conn_req, bdaddr),
1632 &hci->conn_req_host->bd_addr)) {
1633 bt_hci_event_status(hci, HCI_INVALID_PARAMETERS);
1634 break;
1635 }
1636
1637 bt_hci_event_status(hci, HCI_SUCCESS);
1638 bt_hci_connection_accept(hci, hci->conn_req_host);
1639 hci->conn_req_host = NULL;
1640 break;
1641
1642 case cmd_opcode_pack(OGF_LINK_CTL, OCF_REJECT_CONN_REQ):
1643 LENGTH_CHECK(reject_conn_req);
1644
1645 if (!hci->conn_req_host ||
1646 bacmp(&PARAM(reject_conn_req, bdaddr),
1647 &hci->conn_req_host->bd_addr)) {
1648 bt_hci_event_status(hci, HCI_INVALID_PARAMETERS);
1649 break;
1650 }
1651
1652 bt_hci_event_status(hci, HCI_SUCCESS);
1653 bt_hci_connection_reject(hci, hci->conn_req_host,
1654 PARAM(reject_conn_req, reason));
1655 bt_hci_connection_reject_event(hci, &hci->conn_req_host->bd_addr);
1656 hci->conn_req_host = NULL;
1657 break;
1658
1659 case cmd_opcode_pack(OGF_LINK_CTL, OCF_AUTH_REQUESTED):
1660 LENGTH_CHECK(auth_requested);
1661
1662 if (bt_hci_handle_bad(hci, PARAMHANDLE(auth_requested)))
1663 bt_hci_event_status(hci, HCI_NO_CONNECTION);
1664 else {
1665 bt_hci_event_status(hci, HCI_SUCCESS);
1666 bt_hci_event_auth_complete(hci, PARAMHANDLE(auth_requested));
1667 }
1668 break;
1669
1670 case cmd_opcode_pack(OGF_LINK_CTL, OCF_SET_CONN_ENCRYPT):
1671 LENGTH_CHECK(set_conn_encrypt);
1672
1673 if (bt_hci_handle_bad(hci, PARAMHANDLE(set_conn_encrypt)))
1674 bt_hci_event_status(hci, HCI_NO_CONNECTION);
1675 else {
1676 bt_hci_event_status(hci, HCI_SUCCESS);
1677 bt_hci_event_encrypt_change(hci,
1678 PARAMHANDLE(set_conn_encrypt),
1679 PARAM(set_conn_encrypt, encrypt));
1680 }
1681 break;
1682
1683 case cmd_opcode_pack(OGF_LINK_CTL, OCF_REMOTE_NAME_REQ):
1684 LENGTH_CHECK(remote_name_req);
1685
1686 if (bt_hci_name_req(hci, &PARAM(remote_name_req, bdaddr)))
1687 bt_hci_event_status(hci, HCI_NO_CONNECTION);
1688 break;
1689
1690 case cmd_opcode_pack(OGF_LINK_CTL, OCF_REMOTE_NAME_REQ_CANCEL):
1691 LENGTH_CHECK(remote_name_req_cancel);
1692
1693 bt_hci_event_complete_name_cancel(hci,
1694 &PARAM(remote_name_req_cancel, bdaddr));
1695 break;
1696
1697 case cmd_opcode_pack(OGF_LINK_CTL, OCF_READ_REMOTE_FEATURES):
1698 LENGTH_CHECK(read_remote_features);
1699
1700 if (bt_hci_features_req(hci, PARAMHANDLE(read_remote_features)))
1701 bt_hci_event_status(hci, HCI_NO_CONNECTION);
1702 break;
1703
1704 case cmd_opcode_pack(OGF_LINK_CTL, OCF_READ_REMOTE_EXT_FEATURES):
1705 LENGTH_CHECK(read_remote_ext_features);
1706
1707 if (bt_hci_handle_bad(hci, PARAMHANDLE(read_remote_ext_features)))
1708 bt_hci_event_status(hci, HCI_NO_CONNECTION);
1709 else {
1710 bt_hci_event_status(hci, HCI_SUCCESS);
1711 bt_hci_event_read_remote_ext_features(hci,
1712 PARAMHANDLE(read_remote_ext_features));
1713 }
1714 break;
1715
1716 case cmd_opcode_pack(OGF_LINK_CTL, OCF_READ_REMOTE_VERSION):
1717 LENGTH_CHECK(read_remote_version);
1718
1719 if (bt_hci_version_req(hci, PARAMHANDLE(read_remote_version)))
1720 bt_hci_event_status(hci, HCI_NO_CONNECTION);
1721 break;
1722
1723 case cmd_opcode_pack(OGF_LINK_CTL, OCF_READ_CLOCK_OFFSET):
1724 LENGTH_CHECK(read_clock_offset);
1725
1726 if (bt_hci_clkoffset_req(hci, PARAMHANDLE(read_clock_offset)))
1727 bt_hci_event_status(hci, HCI_NO_CONNECTION);
1728 break;
1729
1730 case cmd_opcode_pack(OGF_LINK_CTL, OCF_READ_LMP_HANDLE):
1731 LENGTH_CHECK(read_lmp_handle);
1732
1733 /* TODO: */
1734 bt_hci_event_complete_lmp_handle(hci, PARAMHANDLE(read_lmp_handle));
1735 break;
1736
1737 case cmd_opcode_pack(OGF_LINK_POLICY, OCF_HOLD_MODE):
1738 LENGTH_CHECK(hold_mode);
1739
1740 if (PARAM16(hold_mode, min_interval) >
1741 PARAM16(hold_mode, max_interval) ||
1742 PARAM16(hold_mode, min_interval) < 0x0002 ||
1743 PARAM16(hold_mode, max_interval) > 0xff00 ||
1744 (PARAM16(hold_mode, min_interval) & 1) ||
1745 (PARAM16(hold_mode, max_interval) & 1)) {
1746 bt_hci_event_status(hci, HCI_INVALID_PARAMETERS);
1747 break;
1748 }
1749
1750 if (bt_hci_mode_change(hci, PARAMHANDLE(hold_mode),
1751 PARAM16(hold_mode, max_interval),
1752 acl_hold))
1753 bt_hci_event_status(hci, HCI_NO_CONNECTION);
1754 break;
1755
1756 case cmd_opcode_pack(OGF_LINK_POLICY, OCF_PARK_MODE):
1757 LENGTH_CHECK(park_mode);
1758
1759 if (PARAM16(park_mode, min_interval) >
1760 PARAM16(park_mode, max_interval) ||
1761 PARAM16(park_mode, min_interval) < 0x000e ||
1762 (PARAM16(park_mode, min_interval) & 1) ||
1763 (PARAM16(park_mode, max_interval) & 1)) {
1764 bt_hci_event_status(hci, HCI_INVALID_PARAMETERS);
1765 break;
1766 }
1767
1768 if (bt_hci_mode_change(hci, PARAMHANDLE(park_mode),
1769 PARAM16(park_mode, max_interval),
1770 acl_parked))
1771 bt_hci_event_status(hci, HCI_NO_CONNECTION);
1772 break;
1773
1774 case cmd_opcode_pack(OGF_LINK_POLICY, OCF_EXIT_PARK_MODE):
1775 LENGTH_CHECK(exit_park_mode);
1776
1777 if (bt_hci_mode_cancel(hci, PARAMHANDLE(exit_park_mode),
1778 acl_parked))
1779 bt_hci_event_status(hci, HCI_NO_CONNECTION);
1780 break;
1781
1782 case cmd_opcode_pack(OGF_LINK_POLICY, OCF_ROLE_DISCOVERY):
1783 LENGTH_CHECK(role_discovery);
1784
1785 if (bt_hci_handle_bad(hci, PARAMHANDLE(role_discovery)))
1786 bt_hci_event_complete_role_discovery(hci,
1787 HCI_NO_CONNECTION, PARAMHANDLE(role_discovery), 0);
1788 else
1789 bt_hci_event_complete_role_discovery(hci,
1790 HCI_SUCCESS, PARAMHANDLE(role_discovery),
1791 bt_hci_role_master(hci,
1792 PARAMHANDLE(role_discovery)));
1793 break;
1794
1795 case cmd_opcode_pack(OGF_HOST_CTL, OCF_SET_EVENT_MASK):
1796 LENGTH_CHECK(set_event_mask);
1797
1798 memcpy(hci->event_mask, PARAM(set_event_mask, mask), 8);
1799 bt_hci_event_complete_status(hci, HCI_SUCCESS);
1800 break;
1801
1802 case cmd_opcode_pack(OGF_HOST_CTL, OCF_RESET):
1803 bt_hci_reset(hci);
1804 bt_hci_event_status(hci, HCI_SUCCESS);
1805 break;
1806
1807 case cmd_opcode_pack(OGF_HOST_CTL, OCF_SET_EVENT_FLT):
1808 if (length >= 1 && PARAM(set_event_flt, flt_type) == FLT_CLEAR_ALL)
1809 /* No length check */;
1810 else
1811 LENGTH_CHECK(set_event_flt);
1812
1813 /* Filters are not implemented */
1814 bt_hci_event_complete_status(hci, HCI_SUCCESS);
1815 break;
1816
1817 case cmd_opcode_pack(OGF_HOST_CTL, OCF_FLUSH):
1818 LENGTH_CHECK(flush);
1819
1820 if (bt_hci_handle_bad(hci, PARAMHANDLE(flush)))
1821 bt_hci_event_complete_flush(hci,
1822 HCI_NO_CONNECTION, PARAMHANDLE(flush));
1823 else {
1824 /* TODO: ordering? */
1825 bt_hci_event(hci, EVT_FLUSH_OCCURRED,
1826 &PARAM(flush, handle),
1827 EVT_FLUSH_OCCURRED_SIZE);
1828 bt_hci_event_complete_flush(hci,
1829 HCI_SUCCESS, PARAMHANDLE(flush));
1830 }
1831 break;
1832
1833 case cmd_opcode_pack(OGF_HOST_CTL, OCF_CHANGE_LOCAL_NAME):
1834 LENGTH_CHECK(change_local_name);
1835
1836 g_free((void *) hci->device.lmp_name);
1837 hci->device.lmp_name = g_strndup(PARAM(change_local_name, name),
1838 sizeof(PARAM(change_local_name, name)));
1839 bt_hci_event_complete_status(hci, HCI_SUCCESS);
1840 break;
1841
1842 case cmd_opcode_pack(OGF_HOST_CTL, OCF_READ_LOCAL_NAME):
1843 bt_hci_event_complete_read_local_name(hci);
1844 break;
1845
1846 case cmd_opcode_pack(OGF_HOST_CTL, OCF_READ_CONN_ACCEPT_TIMEOUT):
1847 bt_hci_event_complete_read_conn_accept_timeout(hci);
1848 break;
1849
1850 case cmd_opcode_pack(OGF_HOST_CTL, OCF_WRITE_CONN_ACCEPT_TIMEOUT):
1851 /* TODO */
1852 LENGTH_CHECK(write_conn_accept_timeout);
1853
1854 if (PARAM16(write_conn_accept_timeout, timeout) < 0x0001 ||
1855 PARAM16(write_conn_accept_timeout, timeout) > 0xb540) {
1856 bt_hci_event_complete_status(hci, HCI_INVALID_PARAMETERS);
1857 break;
1858 }
1859
1860 hci->conn_accept_tout = PARAM16(write_conn_accept_timeout, timeout);
1861 bt_hci_event_complete_status(hci, HCI_SUCCESS);
1862 break;
1863
1864 case cmd_opcode_pack(OGF_HOST_CTL, OCF_READ_SCAN_ENABLE):
1865 bt_hci_event_complete_read_scan_enable(hci);
1866 break;
1867
1868 case cmd_opcode_pack(OGF_HOST_CTL, OCF_WRITE_SCAN_ENABLE):
1869 LENGTH_CHECK(write_scan_enable);
1870
1871 /* TODO: check that the remaining bits are all 0 */
1872 hci->device.inquiry_scan =
1873 !!(PARAM(write_scan_enable, scan_enable) & SCAN_INQUIRY);
1874 hci->device.page_scan =
1875 !!(PARAM(write_scan_enable, scan_enable) & SCAN_PAGE);
1876 bt_hci_event_complete_status(hci, HCI_SUCCESS);
1877 break;
1878
1879 case cmd_opcode_pack(OGF_HOST_CTL, OCF_READ_CLASS_OF_DEV):
1880 bt_hci_event_complete_read_local_class(hci);
1881 break;
1882
1883 case cmd_opcode_pack(OGF_HOST_CTL, OCF_WRITE_CLASS_OF_DEV):
1884 LENGTH_CHECK(write_class_of_dev);
1885
1886 memcpy(hci->device.class, PARAM(write_class_of_dev, dev_class),
1887 sizeof(PARAM(write_class_of_dev, dev_class)));
1888 bt_hci_event_complete_status(hci, HCI_SUCCESS);
1889 break;
1890
1891 case cmd_opcode_pack(OGF_HOST_CTL, OCF_READ_VOICE_SETTING):
1892 bt_hci_event_complete_voice_setting(hci);
1893 break;
1894
1895 case cmd_opcode_pack(OGF_HOST_CTL, OCF_WRITE_VOICE_SETTING):
1896 LENGTH_CHECK(write_voice_setting);
1897
1898 hci->voice_setting = PARAM(write_voice_setting, voice_setting);
1899 bt_hci_event_complete_status(hci, HCI_SUCCESS);
1900 break;
1901
1902 case cmd_opcode_pack(OGF_HOST_CTL, OCF_HOST_NUMBER_OF_COMPLETED_PACKETS):
1903 if (length < data[0] * 2 + 1)
1904 goto short_hci;
1905
1906 for (i = 0; i < data[0]; i ++)
1907 if (bt_hci_handle_bad(hci,
1908 data[i * 2 + 1] | (data[i * 2 + 2] << 8)))
1909 bt_hci_event_complete_status(hci, HCI_INVALID_PARAMETERS);
1910 break;
1911
1912 case cmd_opcode_pack(OGF_HOST_CTL, OCF_READ_INQUIRY_MODE):
1913 /* Only if (local_features[3] & 0x40) && (local_commands[12] & 0x40)
1914 * else
1915 * goto unknown_command */
1916 bt_hci_event_complete_read_inquiry_mode(hci);
1917 break;
1918
1919 case cmd_opcode_pack(OGF_HOST_CTL, OCF_WRITE_INQUIRY_MODE):
1920 /* Only if (local_features[3] & 0x40) && (local_commands[12] & 0x80)
1921 * else
1922 * goto unknown_command */
1923 LENGTH_CHECK(write_inquiry_mode);
1924
1925 if (PARAM(write_inquiry_mode, mode) > 0x01) {
1926 bt_hci_event_complete_status(hci, HCI_INVALID_PARAMETERS);
1927 break;
1928 }
1929
1930 hci->lm.inquiry_mode = PARAM(write_inquiry_mode, mode);
1931 bt_hci_event_complete_status(hci, HCI_SUCCESS);
1932 break;
1933
1934 case cmd_opcode_pack(OGF_INFO_PARAM, OCF_READ_LOCAL_VERSION):
1935 bt_hci_read_local_version_rp(hci);
1936 break;
1937
1938 case cmd_opcode_pack(OGF_INFO_PARAM, OCF_READ_LOCAL_COMMANDS):
1939 bt_hci_read_local_commands_rp(hci);
1940 break;
1941
1942 case cmd_opcode_pack(OGF_INFO_PARAM, OCF_READ_LOCAL_FEATURES):
1943 bt_hci_read_local_features_rp(hci);
1944 break;
1945
1946 case cmd_opcode_pack(OGF_INFO_PARAM, OCF_READ_LOCAL_EXT_FEATURES):
1947 LENGTH_CHECK(read_local_ext_features);
1948
1949 bt_hci_read_local_ext_features_rp(hci,
1950 PARAM(read_local_ext_features, page_num));
1951 break;
1952
1953 case cmd_opcode_pack(OGF_INFO_PARAM, OCF_READ_BUFFER_SIZE):
1954 bt_hci_read_buffer_size_rp(hci);
1955 break;
1956
1957 case cmd_opcode_pack(OGF_INFO_PARAM, OCF_READ_COUNTRY_CODE):
1958 bt_hci_read_country_code_rp(hci);
1959 break;
1960
1961 case cmd_opcode_pack(OGF_INFO_PARAM, OCF_READ_BD_ADDR):
1962 bt_hci_read_bd_addr_rp(hci);
1963 break;
1964
1965 case cmd_opcode_pack(OGF_STATUS_PARAM, OCF_READ_LINK_QUALITY):
1966 LENGTH_CHECK(read_link_quality);
1967
1968 bt_hci_link_quality_rp(hci, PARAMHANDLE(read_link_quality));
1969 break;
1970
1971 default:
1972 bt_hci_event_status(hci, HCI_UNKNOWN_COMMAND);
1973 break;
1974
1975 short_hci:
1976 fprintf(stderr, "%s: HCI packet too short (%iB)\n",
1977 __FUNCTION__, length);
1978 bt_hci_event_status(hci, HCI_INVALID_PARAMETERS);
1979 break;
1980 }
1981 }
1982
1983 /* We could perform fragmentation here, we can't do "recombination" because
1984 * at this layer the length of the payload is not know ahead, so we only
1985 * know that a packet contained the last fragment of the SDU when the next
1986 * SDU starts. */
1987 static inline void bt_hci_lmp_acl_data(struct bt_hci_s *hci, uint16_t handle,
1988 const uint8_t *data, int start, int len)
1989 {
1990 struct hci_acl_hdr *pkt = (void *) hci->acl_buf;
1991
1992 /* TODO: packet flags */
1993 /* TODO: avoid memcpy'ing */
1994
1995 if (len + HCI_ACL_HDR_SIZE > sizeof(hci->acl_buf)) {
1996 fprintf(stderr, "%s: can't take ACL packets %i bytes long\n",
1997 __FUNCTION__, len);
1998 return;
1999 }
2000 memcpy(hci->acl_buf + HCI_ACL_HDR_SIZE, data, len);
2001
2002 pkt->handle = cpu_to_le16(
2003 acl_handle_pack(handle, start ? ACL_START : ACL_CONT));
2004 pkt->dlen = cpu_to_le16(len);
2005 hci->info.acl_recv(hci->info.opaque,
2006 hci->acl_buf, len + HCI_ACL_HDR_SIZE);
2007 }
2008
2009 static void bt_hci_lmp_acl_data_slave(struct bt_link_s *btlink,
2010 const uint8_t *data, int start, int len)
2011 {
2012 struct bt_hci_link_s *link = (struct bt_hci_link_s *) btlink;
2013
2014 bt_hci_lmp_acl_data(hci_from_device(btlink->slave),
2015 link->handle, data, start, len);
2016 }
2017
2018 static void bt_hci_lmp_acl_data_host(struct bt_link_s *link,
2019 const uint8_t *data, int start, int len)
2020 {
2021 bt_hci_lmp_acl_data(hci_from_device(link->host),
2022 link->handle, data, start, len);
2023 }
2024
2025 static void bt_submit_acl(struct HCIInfo *info,
2026 const uint8_t *data, int length)
2027 {
2028 struct bt_hci_s *hci = hci_from_info(info);
2029 uint16_t handle;
2030 int datalen, flags;
2031 struct bt_link_s *link;
2032
2033 if (length < HCI_ACL_HDR_SIZE) {
2034 fprintf(stderr, "%s: ACL packet too short (%iB)\n",
2035 __FUNCTION__, length);
2036 return;
2037 }
2038
2039 handle = acl_handle((data[1] << 8) | data[0]);
2040 flags = acl_flags((data[1] << 8) | data[0]);
2041 datalen = (data[3] << 8) | data[2];
2042 data += HCI_ACL_HDR_SIZE;
2043 length -= HCI_ACL_HDR_SIZE;
2044
2045 if (bt_hci_handle_bad(hci, handle)) {
2046 fprintf(stderr, "%s: invalid ACL handle %03x\n",
2047 __FUNCTION__, handle);
2048 /* TODO: signal an error */
2049 return;
2050 }
2051 handle &= ~HCI_HANDLE_OFFSET;
2052
2053 if (datalen > length) {
2054 fprintf(stderr, "%s: ACL packet too short (%iB < %iB)\n",
2055 __FUNCTION__, length, datalen);
2056 return;
2057 }
2058
2059 link = hci->lm.handle[handle].link;
2060
2061 if ((flags & ~3) == ACL_ACTIVE_BCAST) {
2062 if (!hci->asb_handle)
2063 hci->asb_handle = handle;
2064 else if (handle != hci->asb_handle) {
2065 fprintf(stderr, "%s: Bad handle %03x in Active Slave Broadcast\n",
2066 __FUNCTION__, handle);
2067 /* TODO: signal an error */
2068 return;
2069 }
2070
2071 /* TODO */
2072 }
2073
2074 if ((flags & ~3) == ACL_PICO_BCAST) {
2075 if (!hci->psb_handle)
2076 hci->psb_handle = handle;
2077 else if (handle != hci->psb_handle) {
2078 fprintf(stderr, "%s: Bad handle %03x in Parked Slave Broadcast\n",
2079 __FUNCTION__, handle);
2080 /* TODO: signal an error */
2081 return;
2082 }
2083
2084 /* TODO */
2085 }
2086
2087 /* TODO: increase counter and send EVT_NUM_COMP_PKTS */
2088 bt_hci_event_num_comp_pkts(hci, handle | HCI_HANDLE_OFFSET, 1);
2089
2090 /* Do this last as it can trigger further events even in this HCI */
2091 hci->lm.handle[handle].lmp_acl_data(link, data,
2092 (flags & 3) == ACL_START, length);
2093 }
2094
2095 static void bt_submit_sco(struct HCIInfo *info,
2096 const uint8_t *data, int length)
2097 {
2098 struct bt_hci_s *hci = hci_from_info(info);
2099 uint16_t handle;
2100 int datalen;
2101
2102 if (length < 3)
2103 return;
2104
2105 handle = acl_handle((data[1] << 8) | data[0]);
2106 datalen = data[2];
2107 length -= 3;
2108
2109 if (bt_hci_handle_bad(hci, handle)) {
2110 fprintf(stderr, "%s: invalid SCO handle %03x\n",
2111 __FUNCTION__, handle);
2112 return;
2113 }
2114
2115 if (datalen > length) {
2116 fprintf(stderr, "%s: SCO packet too short (%iB < %iB)\n",
2117 __FUNCTION__, length, datalen);
2118 return;
2119 }
2120
2121 /* TODO */
2122
2123 /* TODO: increase counter and send EVT_NUM_COMP_PKTS if synchronous
2124 * Flow Control is enabled.
2125 * (See Read/Write_Synchronous_Flow_Control_Enable on page 513 and
2126 * page 514.) */
2127 }
2128
2129 static uint8_t *bt_hci_evt_packet(void *opaque)
2130 {
2131 /* TODO: allocate a packet from upper layer */
2132 struct bt_hci_s *s = opaque;
2133
2134 return s->evt_buf;
2135 }
2136
2137 static void bt_hci_evt_submit(void *opaque, int len)
2138 {
2139 /* TODO: notify upper layer */
2140 struct bt_hci_s *s = opaque;
2141
2142 s->info.evt_recv(s->info.opaque, s->evt_buf, len);
2143 }
2144
2145 static int bt_hci_bdaddr_set(struct HCIInfo *info, const uint8_t *bd_addr)
2146 {
2147 struct bt_hci_s *hci = hci_from_info(info);
2148
2149 bacpy(&hci->device.bd_addr, (const bdaddr_t *) bd_addr);
2150 return 0;
2151 }
2152
2153 static void bt_hci_done(struct HCIInfo *info);
2154 static void bt_hci_destroy(struct bt_device_s *dev)
2155 {
2156 struct bt_hci_s *hci = hci_from_device(dev);
2157
2158 bt_hci_done(&hci->info);
2159 }
2160
2161 struct HCIInfo *bt_new_hci(struct bt_scatternet_s *net)
2162 {
2163 struct bt_hci_s *s = g_malloc0(sizeof(struct bt_hci_s));
2164
2165 s->lm.inquiry_done = timer_new_ns(QEMU_CLOCK_VIRTUAL, bt_hci_inquiry_done, s);
2166 s->lm.inquiry_next = timer_new_ns(QEMU_CLOCK_VIRTUAL, bt_hci_inquiry_next, s);
2167 s->conn_accept_timer =
2168 timer_new_ns(QEMU_CLOCK_VIRTUAL, bt_hci_conn_accept_timeout, s);
2169
2170 s->evt_packet = bt_hci_evt_packet;
2171 s->evt_submit = bt_hci_evt_submit;
2172 s->opaque = s;
2173
2174 bt_device_init(&s->device, net);
2175 s->device.lmp_connection_request = bt_hci_lmp_connection_request;
2176 s->device.lmp_connection_complete = bt_hci_lmp_connection_complete;
2177 s->device.lmp_disconnect_master = bt_hci_lmp_disconnect_host;
2178 s->device.lmp_disconnect_slave = bt_hci_lmp_disconnect_slave;
2179 s->device.lmp_acl_data = bt_hci_lmp_acl_data_slave;
2180 s->device.lmp_acl_resp = bt_hci_lmp_acl_data_host;
2181 s->device.lmp_mode_change = bt_hci_lmp_mode_change_slave;
2182
2183 /* Keep updated! */
2184 /* Also keep in sync with supported commands bitmask in
2185 * bt_hci_read_local_commands_rp */
2186 s->device.lmp_caps = 0x8000199b7e85355fll;
2187
2188 bt_hci_reset(s);
2189
2190 s->info.cmd_send = bt_submit_hci;
2191 s->info.sco_send = bt_submit_sco;
2192 s->info.acl_send = bt_submit_acl;
2193 s->info.bdaddr_set = bt_hci_bdaddr_set;
2194
2195 s->device.handle_destroy = bt_hci_destroy;
2196
2197 error_setg(&s->replay_blocker, QERR_REPLAY_NOT_SUPPORTED, "-bt hci");
2198 replay_add_blocker(s->replay_blocker);
2199
2200 return &s->info;
2201 }
2202
2203 struct HCIInfo *hci_init(const char *str)
2204 {
2205 char *endp;
2206 struct bt_scatternet_s *vlan = 0;
2207
2208 if (!strcmp(str, "null"))
2209 /* null */
2210 return &null_hci;
2211 else if (!strncmp(str, "host", 4) && (str[4] == '\0' || str[4] == ':'))
2212 /* host[:hciN] */
2213 return bt_host_hci(str[4] ? str + 5 : "hci0");
2214 else if (!strncmp(str, "hci", 3)) {
2215 /* hci[,vlan=n] */
2216 if (str[3]) {
2217 if (!strncmp(str + 3, ",vlan=", 6)) {
2218 vlan = qemu_find_bt_vlan(strtol(str + 9, &endp, 0));
2219 if (*endp)
2220 vlan = 0;
2221 }
2222 } else
2223 vlan = qemu_find_bt_vlan(0);
2224 if (vlan)
2225 return bt_new_hci(vlan);
2226 }
2227
2228 fprintf(stderr, "qemu: Unknown bluetooth HCI `%s'.\n", str);
2229
2230 return 0;
2231 }
2232
2233 static void bt_hci_done(struct HCIInfo *info)
2234 {
2235 struct bt_hci_s *hci = hci_from_info(info);
2236 int handle;
2237
2238 bt_device_done(&hci->device);
2239
2240 g_free((void *) hci->device.lmp_name);
2241
2242 /* Be gentle and send DISCONNECT to all connected peers and those
2243 * currently waiting for us to accept or reject a connection request.
2244 * This frees the links. */
2245 if (hci->conn_req_host) {
2246 bt_hci_connection_reject(hci,
2247 hci->conn_req_host, HCI_OE_POWER_OFF);
2248 return;
2249 }
2250
2251 for (handle = HCI_HANDLE_OFFSET;
2252 handle < (HCI_HANDLE_OFFSET | HCI_HANDLES_MAX); handle ++)
2253 if (!bt_hci_handle_bad(hci, handle))
2254 bt_hci_disconnect(hci, handle, HCI_OE_POWER_OFF);
2255
2256 /* TODO: this is not enough actually, there may be slaves from whom
2257 * we have requested a connection who will soon (or not) respond with
2258 * an accept or a reject, so we should also check if hci->lm.connecting
2259 * is non-zero and if so, avoid freeing the hci but otherwise disappear
2260 * from all qemu social life (e.g. stop scanning and request to be
2261 * removed from s->device.net) and arrange for
2262 * s->device.lmp_connection_complete to free the remaining bits once
2263 * hci->lm.awaiting_bdaddr[] is empty. */
2264
2265 timer_free(hci->lm.inquiry_done);
2266 timer_free(hci->lm.inquiry_next);
2267 timer_free(hci->conn_accept_timer);
2268
2269 g_free(hci);
2270 }
QEmu