1/* 2 * QEMU Bluetooth HCI logic. 3 * 4 * Copyright (C) 2007 OpenMoko, Inc. 5 * Copyright (C) 2008 Andrzej Zaborowski <balrog@zabor.org> 6 * 7 * This program is free software; you can redistribute it and/or 8 * modify it under the terms of the GNU General Public License as 9 * published by the Free Software Foundation; either version 2 of 10 * the License, or (at your option) any later version. 11 * 12 * This program is distributed in the hope that it will be useful, 13 * but WITHOUT ANY WARRANTY; without even the implied warranty of 14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 15 * GNU General Public License for more details. 16 * 17 * You should have received a copy of the GNU General Public License 18 * along with this program; if not, see <http://www.gnu.org/licenses/>. 19 */ 20 21#include "qemu-common.h" 22#include "qemu-timer.h" 23#include "usb.h" 24#include "net.h" 25#include "bt.h" 26 27struct bt_hci_s { 28 uint8_t *(*evt_packet)(void *opaque); 29 void (*evt_submit)(void *opaque, int len); 30 void *opaque; 31 uint8_t evt_buf[256]; 32 33 uint8_t acl_buf[4096]; 34 int acl_len; 35 36 uint16_t asb_handle; 37 uint16_t psb_handle; 38 39 int last_cmd; /* Note: Always little-endian */ 40 41 struct bt_device_s *conn_req_host; 42 43 struct { 44 int inquire; 45 int periodic; 46 int responses_left; 47 int responses; 48 QEMUTimer *inquiry_done; 49 QEMUTimer *inquiry_next; 50 int inquiry_length; 51 int inquiry_period; 52 int inquiry_mode; 53 54#define HCI_HANDLE_OFFSET 0x20 55#define HCI_HANDLES_MAX 0x10 56 struct bt_hci_master_link_s { 57 struct bt_link_s *link; 58 void (*lmp_acl_data)(struct bt_link_s *link, 59 const uint8_t *data, int start, int len); 60 QEMUTimer *acl_mode_timer; 61 } handle[HCI_HANDLES_MAX]; 62 uint32_t role_bmp; 63 int last_handle; 64 int connecting; 65 bdaddr_t awaiting_bdaddr[HCI_HANDLES_MAX]; 66 } lm; 67 68 uint8_t event_mask[8]; 69 uint16_t voice_setting; /* Notw: Always little-endian */ 70 uint16_t conn_accept_tout; 71 QEMUTimer *conn_accept_timer; 72 73 struct HCIInfo info; 74 struct bt_device_s device; 75}; 76 77#define DEFAULT_RSSI_DBM 20 78 79#define hci_from_info(ptr) container_of((ptr), struct bt_hci_s, info) 80#define hci_from_device(ptr) container_of((ptr), struct bt_hci_s, device) 81 82struct bt_hci_link_s { 83 struct bt_link_s btlink; 84 uint16_t handle; /* Local */ 85}; 86 87/* LMP layer emulation */ 88#if 0 89static void bt_submit_lmp(struct bt_device_s *bt, int length, uint8_t *data) 90{ 91 int resp, resplen, error, op, tr; 92 uint8_t respdata[17]; 93 94 if (length < 1) 95 return; 96 97 tr = *data & 1; 98 op = *(data ++) >> 1; 99 resp = LMP_ACCEPTED; 100 resplen = 2; 101 respdata[1] = op; 102 error = 0; 103 length --; 104 105 if (op >= 0x7c) { /* Extended opcode */ 106 op |= *(data ++) << 8; 107 resp = LMP_ACCEPTED_EXT; 108 resplen = 4; 109 respdata[0] = op >> 8; 110 respdata[1] = op & 0xff; 111 length --; 112 } 113 114 switch (op) { 115 case LMP_ACCEPTED: 116 /* data[0] Op code 117 */ 118 if (length < 1) { 119 error = HCI_UNSUPPORTED_LMP_PARAMETER_VALUE; 120 goto not_accepted; 121 } 122 resp = 0; 123 break; 124 125 case LMP_ACCEPTED_EXT: 126 /* data[0] Escape op code 127 * data[1] Extended op code 128 */ 129 if (length < 2) { 130 error = HCI_UNSUPPORTED_LMP_PARAMETER_VALUE; 131 goto not_accepted; 132 } 133 resp = 0; 134 break; 135 136 case LMP_NOT_ACCEPTED: 137 /* data[0] Op code 138 * data[1] Error code 139 */ 140 if (length < 2) { 141 error = HCI_UNSUPPORTED_LMP_PARAMETER_VALUE; 142 goto not_accepted; 143 } 144 resp = 0; 145 break; 146 147 case LMP_NOT_ACCEPTED_EXT: 148 /* data[0] Op code 149 * data[1] Extended op code 150 * data[2] Error code 151 */ 152 if (length < 3) { 153 error = HCI_UNSUPPORTED_LMP_PARAMETER_VALUE; 154 goto not_accepted; 155 } 156 resp = 0; 157 break; 158 159 case LMP_HOST_CONNECTION_REQ: 160 break; 161 162 case LMP_SETUP_COMPLETE: 163 resp = LMP_SETUP_COMPLETE; 164 resplen = 1; 165 bt->setup = 1; 166 break; 167 168 case LMP_DETACH: 169 /* data[0] Error code 170 */ 171 if (length < 1) { 172 error = HCI_UNSUPPORTED_LMP_PARAMETER_VALUE; 173 goto not_accepted; 174 } 175 bt->setup = 0; 176 resp = 0; 177 break; 178 179 case LMP_SUPERVISION_TIMEOUT: 180 /* data[0,1] Supervision timeout 181 */ 182 if (length < 2) { 183 error = HCI_UNSUPPORTED_LMP_PARAMETER_VALUE; 184 goto not_accepted; 185 } 186 resp = 0; 187 break; 188 189 case LMP_QUALITY_OF_SERVICE: 190 resp = 0; 191 /* Fall through */ 192 case LMP_QOS_REQ: 193 /* data[0,1] Poll interval 194 * data[2] N(BC) 195 */ 196 if (length < 3) { 197 error = HCI_UNSUPPORTED_LMP_PARAMETER_VALUE; 198 goto not_accepted; 199 } 200 break; 201 202 case LMP_MAX_SLOT: 203 resp = 0; 204 /* Fall through */ 205 case LMP_MAX_SLOT_REQ: 206 /* data[0] Max slots 207 */ 208 if (length < 1) { 209 error = HCI_UNSUPPORTED_LMP_PARAMETER_VALUE; 210 goto not_accepted; 211 } 212 break; 213 214 case LMP_AU_RAND: 215 case LMP_IN_RAND: 216 case LMP_COMB_KEY: 217 /* data[0-15] Random number 218 */ 219 if (length < 16) { 220 error = HCI_UNSUPPORTED_LMP_PARAMETER_VALUE; 221 goto not_accepted; 222 } 223 if (op == LMP_AU_RAND) { 224 if (bt->key_present) { 225 resp = LMP_SRES; 226 resplen = 5; 227 /* XXX: [Part H] Section 6.1 on page 801 */ 228 } else { 229 error = HCI_PIN_OR_KEY_MISSING; 230 goto not_accepted; 231 } 232 } else if (op == LMP_IN_RAND) { 233 error = HCI_PAIRING_NOT_ALLOWED; 234 goto not_accepted; 235 } else { 236 /* XXX: [Part H] Section 3.2 on page 779 */ 237 resp = LMP_UNIT_KEY; 238 resplen = 17; 239 memcpy(respdata + 1, bt->key, 16); 240 241 error = HCI_UNIT_LINK_KEY_USED; 242 goto not_accepted; 243 } 244 break; 245 246 case LMP_UNIT_KEY: 247 /* data[0-15] Key 248 */ 249 if (length < 16) { 250 error = HCI_UNSUPPORTED_LMP_PARAMETER_VALUE; 251 goto not_accepted; 252 } 253 memcpy(bt->key, data, 16); 254 bt->key_present = 1; 255 break; 256 257 case LMP_SRES: 258 /* data[0-3] Authentication response 259 */ 260 if (length < 4) { 261 error = HCI_UNSUPPORTED_LMP_PARAMETER_VALUE; 262 goto not_accepted; 263 } 264 break; 265 266 case LMP_CLKOFFSET_REQ: 267 resp = LMP_CLKOFFSET_RES; 268 resplen = 3; 269 respdata[1] = 0x33; 270 respdata[2] = 0x33; 271 break; 272 273 case LMP_CLKOFFSET_RES: 274 /* data[0,1] Clock offset 275 * (Slave to master only) 276 */ 277 if (length < 2) { 278 error = HCI_UNSUPPORTED_LMP_PARAMETER_VALUE; 279 goto not_accepted; 280 } 281 break; 282 283 case LMP_VERSION_REQ: 284 case LMP_VERSION_RES: 285 /* data[0] VersNr 286 * data[1,2] CompId 287 * data[3,4] SubVersNr 288 */ 289 if (length < 5) { 290 error = HCI_UNSUPPORTED_LMP_PARAMETER_VALUE; 291 goto not_accepted; 292 } 293 if (op == LMP_VERSION_REQ) { 294 resp = LMP_VERSION_RES; 295 resplen = 6; 296 respdata[1] = 0x20; 297 respdata[2] = 0xff; 298 respdata[3] = 0xff; 299 respdata[4] = 0xff; 300 respdata[5] = 0xff; 301 } else 302 resp = 0; 303 break; 304 305 case LMP_FEATURES_REQ: 306 case LMP_FEATURES_RES: 307 /* data[0-7] Features 308 */ 309 if (length < 8) { 310 error = HCI_UNSUPPORTED_LMP_PARAMETER_VALUE; 311 goto not_accepted; 312 } 313 if (op == LMP_FEATURES_REQ) { 314 resp = LMP_FEATURES_RES; 315 resplen = 9; 316 respdata[1] = (bt->lmp_caps >> 0) & 0xff; 317 respdata[2] = (bt->lmp_caps >> 8) & 0xff; 318 respdata[3] = (bt->lmp_caps >> 16) & 0xff; 319 respdata[4] = (bt->lmp_caps >> 24) & 0xff; 320 respdata[5] = (bt->lmp_caps >> 32) & 0xff; 321 respdata[6] = (bt->lmp_caps >> 40) & 0xff; 322 respdata[7] = (bt->lmp_caps >> 48) & 0xff; 323 respdata[8] = (bt->lmp_caps >> 56) & 0xff; 324 } else 325 resp = 0; 326 break; 327 328 case LMP_NAME_REQ: 329 /* data[0] Name offset 330 */ 331 if (length < 1) { 332 error = HCI_UNSUPPORTED_LMP_PARAMETER_VALUE; 333 goto not_accepted; 334 } 335 resp = LMP_NAME_RES; 336 resplen = 17; 337 respdata[1] = data[0]; 338 respdata[2] = strlen(bt->lmp_name); 339 memset(respdata + 3, 0x00, 14); 340 if (respdata[2] > respdata[1]) 341 memcpy(respdata + 3, bt->lmp_name + respdata[1], 342 respdata[2] - respdata[1]); 343 break; 344 345 case LMP_NAME_RES: 346 /* data[0] Name offset 347 * data[1] Name length 348 * data[2-15] Name fragment 349 */ 350 if (length < 16) { 351 error = HCI_UNSUPPORTED_LMP_PARAMETER_VALUE; 352 goto not_accepted; 353 } 354 resp = 0; 355 break; 356 357 default: 358 error = HCI_UNKNOWN_LMP_PDU; 359 /* Fall through */ 360 not_accepted: 361 if (op >> 8) { 362 resp = LMP_NOT_ACCEPTED_EXT; 363 resplen = 5; 364 respdata[0] = op >> 8; 365 respdata[1] = op & 0xff; 366 respdata[2] = error; 367 } else { 368 resp = LMP_NOT_ACCEPTED; 369 resplen = 3; 370 respdata[0] = op & 0xff; 371 respdata[1] = error; 372 } 373 } 374 375 if (resp == 0) 376 return; 377 378 if (resp >> 8) { 379 respdata[0] = resp >> 8; 380 respdata[1] = resp & 0xff; 381 } else 382 respdata[0] = resp & 0xff; 383 384 respdata[0] <<= 1; 385 respdata[0] |= tr; 386} 387 388static void bt_submit_raw_acl(struct bt_piconet_s *net, int length, uint8_t *data) 389{ 390 struct bt_device_s *slave; 391 if (length < 1) 392 return; 393 394 slave = 0; 395#if 0 396 slave = net->slave; 397#endif 398 399 switch (data[0] & 3) { 400 case LLID_ACLC: 401 bt_submit_lmp(slave, length - 1, data + 1); 402 break; 403 case LLID_ACLU_START: 404#if 0 405 bt_sumbit_l2cap(slave, length - 1, data + 1, (data[0] >> 2) & 1); 406 breka; 407#endif 408 default: 409 case LLID_ACLU_CONT: 410 break; 411 } 412} 413#endif 414 415/* HCI layer emulation */ 416 417/* Note: we could ignore endiannes because unswapped handles will still 418 * be valid as connection identifiers for the guest - they don't have to 419 * be continuously allocated. We do it though, to preserve similar 420 * behaviour between hosts. Some things, like the BD_ADDR cannot be 421 * preserved though (for example if a real hci is used). */ 422#ifdef HOST_WORDS_BIGENDIAN 423# define HNDL(raw) bswap16(raw) 424#else 425# define HNDL(raw) (raw) 426#endif 427 428static const uint8_t bt_event_reserved_mask[8] = { 429 0xff, 0x9f, 0xfb, 0xff, 0x07, 0x18, 0x00, 0x00, 430}; 431 432static inline uint8_t *bt_hci_event_start(struct bt_hci_s *hci, 433 int evt, int len) 434{ 435 uint8_t *packet, mask; 436 int mask_byte; 437 438 if (len > 255) { 439 fprintf(stderr, "%s: HCI event params too long (%ib)\n", 440 __FUNCTION__, len); 441 exit(-1); 442 } 443 444 mask_byte = (evt - 1) >> 3; 445 mask = 1 << ((evt - 1) & 3); 446 if (mask & bt_event_reserved_mask[mask_byte] & ~hci->event_mask[mask_byte]) 447 return NULL; 448 449 packet = hci->evt_packet(hci->opaque); 450 packet[0] = evt; 451 packet[1] = len; 452 453 return &packet[2]; 454} 455 456static inline void bt_hci_event(struct bt_hci_s *hci, int evt, 457 void *params, int len) 458{ 459 uint8_t *packet = bt_hci_event_start(hci, evt, len); 460 461 if (!packet) 462 return; 463 464 if (len) 465 memcpy(packet, params, len); 466 467 hci->evt_submit(hci->opaque, len + 2); 468} 469 470static inline void bt_hci_event_status(struct bt_hci_s *hci, int status) 471{ 472 evt_cmd_status params = { 473 .status = status, 474 .ncmd = 1, 475 .opcode = hci->last_cmd, 476 }; 477 478 bt_hci_event(hci, EVT_CMD_STATUS, ¶ms, EVT_CMD_STATUS_SIZE); 479} 480 481static inline void bt_hci_event_complete(struct bt_hci_s *hci, 482 void *ret, int len) 483{ 484 uint8_t *packet = bt_hci_event_start(hci, EVT_CMD_COMPLETE, 485 len + EVT_CMD_COMPLETE_SIZE); 486 evt_cmd_complete *params = (evt_cmd_complete *) packet; 487 488 if (!packet) 489 return; 490 491 params->ncmd = 1; 492 params->opcode = hci->last_cmd; 493 if (len) 494 memcpy(&packet[EVT_CMD_COMPLETE_SIZE], ret, len); 495 496 hci->evt_submit(hci->opaque, len + EVT_CMD_COMPLETE_SIZE + 2); 497} 498 499static void bt_hci_inquiry_done(void *opaque) 500{ 501 struct bt_hci_s *hci = (struct bt_hci_s *) opaque; 502 uint8_t status = HCI_SUCCESS; 503 504 if (!hci->lm.periodic) 505 hci->lm.inquire = 0; 506 507 /* The specification is inconsistent about this one. Page 565 reads 508 * "The event parameters of Inquiry Complete event will have a summary 509 * of the result from the Inquiry process, which reports the number of 510 * nearby Bluetooth devices that responded [so hci->responses].", but 511 * Event Parameters (see page 729) has only Status. */ 512 bt_hci_event(hci, EVT_INQUIRY_COMPLETE, &status, 1); 513} 514 515static void bt_hci_inquiry_result_standard(struct bt_hci_s *hci, 516 struct bt_device_s *slave) 517{ 518 inquiry_info params = { 519 .num_responses = 1, 520 .bdaddr = BAINIT(&slave->bd_addr), 521 .pscan_rep_mode = 0x00, /* R0 */ 522 .pscan_period_mode = 0x00, /* P0 - deprecated */ 523 .pscan_mode = 0x00, /* Standard scan - deprecated */ 524 .dev_class[0] = slave->class[0], 525 .dev_class[1] = slave->class[1], 526 .dev_class[2] = slave->class[2], 527 /* TODO: return the clkoff *differenece* */ 528 .clock_offset = slave->clkoff, /* Note: no swapping */ 529 }; 530 531 bt_hci_event(hci, EVT_INQUIRY_RESULT, ¶ms, INQUIRY_INFO_SIZE); 532} 533 534static void bt_hci_inquiry_result_with_rssi(struct bt_hci_s *hci, 535 struct bt_device_s *slave) 536{ 537 inquiry_info_with_rssi params = { 538 .num_responses = 1, 539 .bdaddr = BAINIT(&slave->bd_addr), 540 .pscan_rep_mode = 0x00, /* R0 */ 541 .pscan_period_mode = 0x00, /* P0 - deprecated */ 542 .dev_class[0] = slave->class[0], 543 .dev_class[1] = slave->class[1], 544 .dev_class[2] = slave->class[2], 545 /* TODO: return the clkoff *differenece* */ 546 .clock_offset = slave->clkoff, /* Note: no swapping */ 547 .rssi = DEFAULT_RSSI_DBM, 548 }; 549 550 bt_hci_event(hci, EVT_INQUIRY_RESULT_WITH_RSSI, 551 ¶ms, INQUIRY_INFO_WITH_RSSI_SIZE); 552} 553 554static void bt_hci_inquiry_result(struct bt_hci_s *hci, 555 struct bt_device_s *slave) 556{ 557 if (!slave->inquiry_scan || !hci->lm.responses_left) 558 return; 559 560 hci->lm.responses_left --; 561 hci->lm.responses ++; 562 563 switch (hci->lm.inquiry_mode) { 564 case 0x00: 565 bt_hci_inquiry_result_standard(hci, slave); 566 return; 567 case 0x01: 568 bt_hci_inquiry_result_with_rssi(hci, slave); 569 return; 570 default: 571 fprintf(stderr, "%s: bad inquiry mode %02x\n", __FUNCTION__, 572 hci->lm.inquiry_mode); 573 exit(-1); 574 } 575} 576 577static void bt_hci_mod_timer_1280ms(QEMUTimer *timer, int period) 578{ 579 qemu_mod_timer(timer, qemu_get_clock(vm_clock) + 580 muldiv64(period << 7, get_ticks_per_sec(), 100)); 581} 582 583static void bt_hci_inquiry_start(struct bt_hci_s *hci, int length) 584{ 585 struct bt_device_s *slave; 586 587 hci->lm.inquiry_length = length; 588 for (slave = hci->device.net->slave; slave; slave = slave->next) 589 /* Don't uncover ourselves. */ 590 if (slave != &hci->device) 591 bt_hci_inquiry_result(hci, slave); 592 593 /* TODO: register for a callback on a new device's addition to the 594 * scatternet so that if it's added before inquiry_length expires, 595 * an Inquiry Result is generated immediately. Alternatively re-loop 596 * through the devices on the inquiry_length expiration and report 597 * devices not seen before. */ 598 if (hci->lm.responses_left) 599 bt_hci_mod_timer_1280ms(hci->lm.inquiry_done, hci->lm.inquiry_length); 600 else 601 bt_hci_inquiry_done(hci); 602 603 if (hci->lm.periodic) 604 bt_hci_mod_timer_1280ms(hci->lm.inquiry_next, hci->lm.inquiry_period); 605} 606 607static void bt_hci_inquiry_next(void *opaque) 608{ 609 struct bt_hci_s *hci = (struct bt_hci_s *) opaque; 610 611 hci->lm.responses_left += hci->lm.responses; 612 hci->lm.responses = 0; 613 bt_hci_inquiry_start(hci, hci->lm.inquiry_length); 614} 615 616static inline int bt_hci_handle_bad(struct bt_hci_s *hci, uint16_t handle) 617{ 618 return !(handle & HCI_HANDLE_OFFSET) || 619 handle >= (HCI_HANDLE_OFFSET | HCI_HANDLES_MAX) || 620 !hci->lm.handle[handle & ~HCI_HANDLE_OFFSET].link; 621} 622 623static inline int bt_hci_role_master(struct bt_hci_s *hci, uint16_t handle) 624{ 625 return !!(hci->lm.role_bmp & (1 << (handle & ~HCI_HANDLE_OFFSET))); 626} 627 628static inline struct bt_device_s *bt_hci_remote_dev(struct bt_hci_s *hci, 629 uint16_t handle) 630{ 631 struct bt_link_s *link = hci->lm.handle[handle & ~HCI_HANDLE_OFFSET].link; 632 633 return bt_hci_role_master(hci, handle) ? link->slave : link->host; 634} 635 636static void bt_hci_mode_tick(void *opaque); 637static void bt_hci_lmp_link_establish(struct bt_hci_s *hci, 638 struct bt_link_s *link, int master) 639{ 640 hci->lm.handle[hci->lm.last_handle].link = link; 641 642 if (master) { 643 /* We are the master side of an ACL link */ 644 hci->lm.role_bmp |= 1 << hci->lm.last_handle; 645 646 hci->lm.handle[hci->lm.last_handle].lmp_acl_data = 647 link->slave->lmp_acl_data; 648 } else { 649 /* We are the slave side of an ACL link */ 650 hci->lm.role_bmp &= ~(1 << hci->lm.last_handle); 651 652 hci->lm.handle[hci->lm.last_handle].lmp_acl_data = 653 link->host->lmp_acl_resp; 654 } 655 656 /* Mode */ 657 if (master) { 658 link->acl_mode = acl_active; 659 hci->lm.handle[hci->lm.last_handle].acl_mode_timer = 660 qemu_new_timer(vm_clock, bt_hci_mode_tick, link); 661 } 662} 663 664static void bt_hci_lmp_link_teardown(struct bt_hci_s *hci, uint16_t handle) 665{ 666 handle &= ~HCI_HANDLE_OFFSET; 667 hci->lm.handle[handle].link = NULL; 668 669 if (bt_hci_role_master(hci, handle)) { 670 qemu_del_timer(hci->lm.handle[handle].acl_mode_timer); 671 qemu_free_timer(hci->lm.handle[handle].acl_mode_timer); 672 } 673} 674 675static int bt_hci_connect(struct bt_hci_s *hci, bdaddr_t *bdaddr) 676{ 677 struct bt_device_s *slave; 678 struct bt_link_s link; 679 680 for (slave = hci->device.net->slave; slave; slave = slave->next) 681 if (slave->page_scan && !bacmp(&slave->bd_addr, bdaddr)) 682 break; 683 if (!slave || slave == &hci->device) 684 return -ENODEV; 685 686 bacpy(&hci->lm.awaiting_bdaddr[hci->lm.connecting ++], &slave->bd_addr); 687 688 link.slave = slave; 689 link.host = &hci->device; 690 link.slave->lmp_connection_request(&link); /* Always last */ 691 692 return 0; 693} 694 695static void bt_hci_connection_reject(struct bt_hci_s *hci, 696 struct bt_device_s *host, uint8_t because) 697{ 698 struct bt_link_s link = { 699 .slave = &hci->device, 700 .host = host, 701 /* Rest uninitialised */ 702 }; 703 704 host->reject_reason = because; 705 host->lmp_connection_complete(&link); 706} 707 708static void bt_hci_connection_reject_event(struct bt_hci_s *hci, 709 bdaddr_t *bdaddr) 710{ 711 evt_conn_complete params; 712 713 params.status = HCI_NO_CONNECTION; 714 params.handle = 0; 715 bacpy(¶ms.bdaddr, bdaddr); 716 params.link_type = ACL_LINK; 717 params.encr_mode = 0x00; /* Encryption not required */ 718 bt_hci_event(hci, EVT_CONN_COMPLETE, ¶ms, EVT_CONN_COMPLETE_SIZE); 719} 720 721static void bt_hci_connection_accept(struct bt_hci_s *hci, 722 struct bt_device_s *host) 723{ 724 struct bt_hci_link_s *link = qemu_mallocz(sizeof(struct bt_hci_link_s)); 725 evt_conn_complete params; 726 uint16_t handle; 727 uint8_t status = HCI_SUCCESS; 728 int tries = HCI_HANDLES_MAX; 729 730 /* Make a connection handle */ 731 do { 732 while (hci->lm.handle[++ hci->lm.last_handle].link && -- tries) 733 hci->lm.last_handle &= HCI_HANDLES_MAX - 1; 734 handle = hci->lm.last_handle | HCI_HANDLE_OFFSET; 735 } while ((handle == hci->asb_handle || handle == hci->psb_handle) && 736 tries); 737 738 if (!tries) { 739 qemu_free(link); 740 bt_hci_connection_reject(hci, host, HCI_REJECTED_LIMITED_RESOURCES); 741 status = HCI_NO_CONNECTION; 742 goto complete; 743 } 744 745 link->btlink.slave = &hci->device; 746 link->btlink.host = host; 747 link->handle = handle; 748 749 /* Link established */ 750 bt_hci_lmp_link_establish(hci, &link->btlink, 0); 751 752complete: 753 params.status = status; 754 params.handle = HNDL(handle); 755 bacpy(¶ms.bdaddr, &host->bd_addr); 756 params.link_type = ACL_LINK; 757 params.encr_mode = 0x00; /* Encryption not required */ 758 bt_hci_event(hci, EVT_CONN_COMPLETE, ¶ms, EVT_CONN_COMPLETE_SIZE); 759 760 /* Neets to be done at the very end because it can trigger a (nested) 761 * disconnected, in case the other and had cancelled the request 762 * locally. */ 763 if (status == HCI_SUCCESS) { 764 host->reject_reason = 0; 765 host->lmp_connection_complete(&link->btlink); 766 } 767} 768 769static void bt_hci_lmp_connection_request(struct bt_link_s *link) 770{ 771 struct bt_hci_s *hci = hci_from_device(link->slave); 772 evt_conn_request params; 773 774 if (hci->conn_req_host) { 775 bt_hci_connection_reject(hci, link->host, 776 HCI_REJECTED_LIMITED_RESOURCES); 777 return; 778 } 779 hci->conn_req_host = link->host; 780 /* TODO: if masked and auto-accept, then auto-accept, 781 * if masked and not auto-accept, then auto-reject */ 782 /* TODO: kick the hci->conn_accept_timer, timeout after 783 * hci->conn_accept_tout * 0.625 msec */ 784 785 bacpy(¶ms.bdaddr, &link->host->bd_addr); 786 memcpy(¶ms.dev_class, &link->host->class, sizeof(params.dev_class)); 787 params.link_type = ACL_LINK; 788 bt_hci_event(hci, EVT_CONN_REQUEST, ¶ms, EVT_CONN_REQUEST_SIZE); 789 return; 790} 791 792static void bt_hci_conn_accept_timeout(void *opaque) 793{ 794 struct bt_hci_s *hci = (struct bt_hci_s *) opaque; 795 796 if (!hci->conn_req_host) 797 /* Already accepted or rejected. If the other end cancelled the 798 * connection request then we still have to reject or accept it 799 * and then we'll get a disconnect. */ 800 return; 801 802 /* TODO */ 803} 804 805/* Remove from the list of devices which we wanted to connect to and 806 * are awaiting a response from. If the callback sees a response from 807 * a device which is not on the list it will assume it's a connection 808 * that's been cancelled by the host in the meantime and immediately 809 * try to detach the link and send a Connection Complete. */ 810static int bt_hci_lmp_connection_ready(struct bt_hci_s *hci, 811 bdaddr_t *bdaddr) 812{ 813 int i; 814 815 for (i = 0; i < hci->lm.connecting; i ++) 816 if (!bacmp(&hci->lm.awaiting_bdaddr[i], bdaddr)) { 817 if (i < -- hci->lm.connecting) 818 bacpy(&hci->lm.awaiting_bdaddr[i], 819 &hci->lm.awaiting_bdaddr[hci->lm.connecting]); 820 return 0; 821 } 822 823 return 1; 824} 825 826static void bt_hci_lmp_connection_complete(struct bt_link_s *link) 827{ 828 struct bt_hci_s *hci = hci_from_device(link->host); 829 evt_conn_complete params; 830 uint16_t handle; 831 uint8_t status = HCI_SUCCESS; 832 int tries = HCI_HANDLES_MAX; 833 834 if (bt_hci_lmp_connection_ready(hci, &link->slave->bd_addr)) { 835 if (!hci->device.reject_reason) 836 link->slave->lmp_disconnect_slave(link); 837 handle = 0; 838 status = HCI_NO_CONNECTION; 839 goto complete; 840 } 841 842 if (hci->device.reject_reason) { 843 handle = 0; 844 status = hci->device.reject_reason; 845 goto complete; 846 } 847 848 /* Make a connection handle */ 849 do { 850 while (hci->lm.handle[++ hci->lm.last_handle].link && -- tries) 851 hci->lm.last_handle &= HCI_HANDLES_MAX - 1; 852 handle = hci->lm.last_handle | HCI_HANDLE_OFFSET; 853 } while ((handle == hci->asb_handle || handle == hci->psb_handle) && 854 tries); 855 856 if (!tries) { 857 link->slave->lmp_disconnect_slave(link); 858 status = HCI_NO_CONNECTION; 859 goto complete; 860 } 861 862 /* Link established */ 863 link->handle = handle; 864 bt_hci_lmp_link_establish(hci, link, 1); 865 866complete: 867 params.status = status; 868 params.handle = HNDL(handle); 869 params.link_type = ACL_LINK; 870 bacpy(¶ms.bdaddr, &link->slave->bd_addr); 871 params.encr_mode = 0x00; /* Encryption not required */ 872 bt_hci_event(hci, EVT_CONN_COMPLETE, ¶ms, EVT_CONN_COMPLETE_SIZE); 873} 874 875static void bt_hci_disconnect(struct bt_hci_s *hci, 876 uint16_t handle, int reason) 877{ 878 struct bt_link_s *btlink = 879 hci->lm.handle[handle & ~HCI_HANDLE_OFFSET].link; 880 struct bt_hci_link_s *link; 881 evt_disconn_complete params; 882 883 if (bt_hci_role_master(hci, handle)) { 884 btlink->slave->reject_reason = reason; 885 btlink->slave->lmp_disconnect_slave(btlink); 886 /* The link pointer is invalid from now on */ 887 888 goto complete; 889 } 890 891 btlink->host->reject_reason = reason; 892 btlink->host->lmp_disconnect_master(btlink); 893 894 /* We are the slave, we get to clean this burden */ 895 link = (struct bt_hci_link_s *) btlink; 896 qemu_free(link); 897 898complete: 899 bt_hci_lmp_link_teardown(hci, handle); 900 901 params.status = HCI_SUCCESS; 902 params.handle = HNDL(handle); 903 params.reason = HCI_CONNECTION_TERMINATED; 904 bt_hci_event(hci, EVT_DISCONN_COMPLETE, 905 ¶ms, EVT_DISCONN_COMPLETE_SIZE); 906} 907 908/* TODO: use only one function */ 909static void bt_hci_lmp_disconnect_host(struct bt_link_s *link) 910{ 911 struct bt_hci_s *hci = hci_from_device(link->host); 912 uint16_t handle = link->handle; 913 evt_disconn_complete params; 914 915 bt_hci_lmp_link_teardown(hci, handle); 916 917 params.status = HCI_SUCCESS; 918 params.handle = HNDL(handle); 919 params.reason = hci->device.reject_reason; 920 bt_hci_event(hci, EVT_DISCONN_COMPLETE, 921 ¶ms, EVT_DISCONN_COMPLETE_SIZE); 922} 923 924static void bt_hci_lmp_disconnect_slave(struct bt_link_s *btlink) 925{ 926 struct bt_hci_link_s *link = (struct bt_hci_link_s *) btlink; 927 struct bt_hci_s *hci = hci_from_device(btlink->slave); 928 uint16_t handle = link->handle; 929 evt_disconn_complete params; 930 931 qemu_free(link); 932 933 bt_hci_lmp_link_teardown(hci, handle); 934 935 params.status = HCI_SUCCESS; 936 params.handle = HNDL(handle); 937 params.reason = hci->device.reject_reason; 938 bt_hci_event(hci, EVT_DISCONN_COMPLETE, 939 ¶ms, EVT_DISCONN_COMPLETE_SIZE); 940} 941 942static int bt_hci_name_req(struct bt_hci_s *hci, bdaddr_t *bdaddr) 943{ 944 struct bt_device_s *slave; 945 evt_remote_name_req_complete params; 946 int len; 947 948 for (slave = hci->device.net->slave; slave; slave = slave->next) 949 if (slave->page_scan && !bacmp(&slave->bd_addr, bdaddr)) 950 break; 951 if (!slave) 952 return -ENODEV; 953 954 bt_hci_event_status(hci, HCI_SUCCESS); 955 956 params.status = HCI_SUCCESS; 957 bacpy(¶ms.bdaddr, &slave->bd_addr); 958 len = snprintf(params.name, sizeof(params.name), 959 "%s", slave->lmp_name ?: ""); 960 memset(params.name + len, 0, sizeof(params.name) - len); 961 bt_hci_event(hci, EVT_REMOTE_NAME_REQ_COMPLETE, 962 ¶ms, EVT_REMOTE_NAME_REQ_COMPLETE_SIZE); 963 964 return 0; 965} 966 967static int bt_hci_features_req(struct bt_hci_s *hci, uint16_t handle) 968{ 969 struct bt_device_s *slave; 970 evt_read_remote_features_complete params; 971 972 if (bt_hci_handle_bad(hci, handle)) 973 return -ENODEV; 974 975 slave = bt_hci_remote_dev(hci, handle); 976 977 bt_hci_event_status(hci, HCI_SUCCESS); 978 979 params.status = HCI_SUCCESS; 980 params.handle = HNDL(handle); 981 params.features[0] = (slave->lmp_caps >> 0) & 0xff; 982 params.features[1] = (slave->lmp_caps >> 8) & 0xff; 983 params.features[2] = (slave->lmp_caps >> 16) & 0xff; 984 params.features[3] = (slave->lmp_caps >> 24) & 0xff; 985 params.features[4] = (slave->lmp_caps >> 32) & 0xff; 986 params.features[5] = (slave->lmp_caps >> 40) & 0xff; 987 params.features[6] = (slave->lmp_caps >> 48) & 0xff; 988 params.features[7] = (slave->lmp_caps >> 56) & 0xff; 989 bt_hci_event(hci, EVT_READ_REMOTE_FEATURES_COMPLETE, 990 ¶ms, EVT_READ_REMOTE_FEATURES_COMPLETE_SIZE); 991 992 return 0; 993} 994 995static int bt_hci_version_req(struct bt_hci_s *hci, uint16_t handle) 996{ 997 struct bt_device_s *slave; 998 evt_read_remote_version_complete params; 999 1000 if (bt_hci_handle_bad(hci, handle)) 1001 return -ENODEV; 1002 1003 slave = bt_hci_remote_dev(hci, handle); 1004 1005 bt_hci_event_status(hci, HCI_SUCCESS); 1006 1007 params.status = HCI_SUCCESS; 1008 params.handle = HNDL(handle); 1009 params.lmp_ver = 0x03; 1010 params.manufacturer = cpu_to_le16(0xa000); 1011 params.lmp_subver = cpu_to_le16(0xa607); 1012 bt_hci_event(hci, EVT_READ_REMOTE_VERSION_COMPLETE, 1013 ¶ms, EVT_READ_REMOTE_VERSION_COMPLETE_SIZE); 1014 1015 return 0; 1016} 1017 1018static int bt_hci_clkoffset_req(struct bt_hci_s *hci, uint16_t handle) 1019{ 1020 struct bt_device_s *slave; 1021 evt_read_clock_offset_complete params; 1022 1023 if (bt_hci_handle_bad(hci, handle)) 1024 return -ENODEV; 1025 1026 slave = bt_hci_remote_dev(hci, handle); 1027 1028 bt_hci_event_status(hci, HCI_SUCCESS); 1029 1030 params.status = HCI_SUCCESS; 1031 params.handle = HNDL(handle); 1032 /* TODO: return the clkoff *differenece* */ 1033 params.clock_offset = slave->clkoff; /* Note: no swapping */ 1034 bt_hci_event(hci, EVT_READ_CLOCK_OFFSET_COMPLETE, 1035 ¶ms, EVT_READ_CLOCK_OFFSET_COMPLETE_SIZE); 1036 1037 return 0; 1038} 1039 1040static void bt_hci_event_mode(struct bt_hci_s *hci, struct bt_link_s *link, 1041 uint16_t handle) 1042{ 1043 evt_mode_change params = { 1044 .status = HCI_SUCCESS, 1045 .handle = HNDL(handle), 1046 .mode = link->acl_mode, 1047 .interval = cpu_to_le16(link->acl_interval), 1048 }; 1049 1050 bt_hci_event(hci, EVT_MODE_CHANGE, ¶ms, EVT_MODE_CHANGE_SIZE); 1051} 1052 1053static void bt_hci_lmp_mode_change_master(struct bt_hci_s *hci, 1054 struct bt_link_s *link, int mode, uint16_t interval) 1055{ 1056 link->acl_mode = mode; 1057 link->acl_interval = interval; 1058 1059 bt_hci_event_mode(hci, link, link->handle); 1060 1061 link->slave->lmp_mode_change(link); 1062} 1063 1064static void bt_hci_lmp_mode_change_slave(struct bt_link_s *btlink) 1065{ 1066 struct bt_hci_link_s *link = (struct bt_hci_link_s *) btlink; 1067 struct bt_hci_s *hci = hci_from_device(btlink->slave); 1068 1069 bt_hci_event_mode(hci, btlink, link->handle); 1070} 1071 1072static int bt_hci_mode_change(struct bt_hci_s *hci, uint16_t handle, 1073 int interval, int mode) 1074{ 1075 struct bt_hci_master_link_s *link; 1076 1077 if (bt_hci_handle_bad(hci, handle) || !bt_hci_role_master(hci, handle)) 1078 return -ENODEV; 1079 1080 link = &hci->lm.handle[handle & ~HCI_HANDLE_OFFSET]; 1081 if (link->link->acl_mode != acl_active) { 1082 bt_hci_event_status(hci, HCI_COMMAND_DISALLOWED); 1083 return 0; 1084 } 1085 1086 bt_hci_event_status(hci, HCI_SUCCESS); 1087 1088 qemu_mod_timer(link->acl_mode_timer, qemu_get_clock(vm_clock) + 1089 muldiv64(interval * 625, get_ticks_per_sec(), 1000000)); 1090 bt_hci_lmp_mode_change_master(hci, link->link, mode, interval); 1091 1092 return 0; 1093} 1094 1095static int bt_hci_mode_cancel(struct bt_hci_s *hci, uint16_t handle, int mode) 1096{ 1097 struct bt_hci_master_link_s *link; 1098 1099 if (bt_hci_handle_bad(hci, handle) || !bt_hci_role_master(hci, handle)) 1100 return -ENODEV; 1101 1102 link = &hci->lm.handle[handle & ~HCI_HANDLE_OFFSET]; 1103 if (link->link->acl_mode != mode) { 1104 bt_hci_event_status(hci, HCI_COMMAND_DISALLOWED); 1105 1106 return 0; 1107 } 1108 1109 bt_hci_event_status(hci, HCI_SUCCESS); 1110 1111 qemu_del_timer(link->acl_mode_timer); 1112 bt_hci_lmp_mode_change_master(hci, link->link, acl_active, 0); 1113 1114 return 0; 1115} 1116 1117static void bt_hci_mode_tick(void *opaque) 1118{ 1119 struct bt_link_s *link = opaque; 1120 struct bt_hci_s *hci = hci_from_device(link->host); 1121 1122 bt_hci_lmp_mode_change_master(hci, link, acl_active, 0); 1123} 1124 1125static void bt_hci_reset(struct bt_hci_s *hci) 1126{ 1127 hci->acl_len = 0; 1128 hci->last_cmd = 0; 1129 hci->lm.connecting = 0; 1130 1131 hci->event_mask[0] = 0xff; 1132 hci->event_mask[1] = 0xff; 1133 hci->event_mask[2] = 0xff; 1134 hci->event_mask[3] = 0xff; 1135 hci->event_mask[4] = 0xff; 1136 hci->event_mask[5] = 0x1f; 1137 hci->event_mask[6] = 0x00; 1138 hci->event_mask[7] = 0x00; 1139 hci->device.inquiry_scan = 0; 1140 hci->device.page_scan = 0; 1141 if (hci->device.lmp_name) 1142 qemu_free((void *) hci->device.lmp_name); 1143 hci->device.lmp_name = NULL; 1144 hci->device.class[0] = 0x00; 1145 hci->device.class[1] = 0x00; 1146 hci->device.class[2] = 0x00; 1147 hci->voice_setting = 0x0000; 1148 hci->conn_accept_tout = 0x1f40; 1149 hci->lm.inquiry_mode = 0x00; 1150 1151 hci->psb_handle = 0x000; 1152 hci->asb_handle = 0x000; 1153 1154 /* XXX: qemu_del_timer(sl->acl_mode_timer); for all links */ 1155 qemu_del_timer(hci->lm.inquiry_done); 1156 qemu_del_timer(hci->lm.inquiry_next); 1157 qemu_del_timer(hci->conn_accept_timer); 1158} 1159 1160static void bt_hci_read_local_version_rp(struct bt_hci_s *hci) 1161{ 1162 read_local_version_rp lv = { 1163 .status = HCI_SUCCESS, 1164 .hci_ver = 0x03, 1165 .hci_rev = cpu_to_le16(0xa607), 1166 .lmp_ver = 0x03, 1167 .manufacturer = cpu_to_le16(0xa000), 1168 .lmp_subver = cpu_to_le16(0xa607), 1169 }; 1170 1171 bt_hci_event_complete(hci, &lv, READ_LOCAL_VERSION_RP_SIZE); 1172} 1173 1174static void bt_hci_read_local_commands_rp(struct bt_hci_s *hci) 1175{ 1176 read_local_commands_rp lc = { 1177 .status = HCI_SUCCESS, 1178 .commands = { 1179 /* Keep updated! */ 1180 /* Also, keep in sync with hci->device.lmp_caps in bt_new_hci */ 1181 0xbf, 0x80, 0xf9, 0x03, 0xb2, 0xc0, 0x03, 0xc3, 1182 0x00, 0x0f, 0x80, 0x00, 0xc0, 0x00, 0xe8, 0x13, 1183 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 1184 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 1185 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 1186 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 1187 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 1188 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 1189 }, 1190 }; 1191 1192 bt_hci_event_complete(hci, &lc, READ_LOCAL_COMMANDS_RP_SIZE); 1193} 1194 1195static void bt_hci_read_local_features_rp(struct bt_hci_s *hci) 1196{ 1197 read_local_features_rp lf = { 1198 .status = HCI_SUCCESS, 1199 .features = { 1200 (hci->device.lmp_caps >> 0) & 0xff, 1201 (hci->device.lmp_caps >> 8) & 0xff, 1202 (hci->device.lmp_caps >> 16) & 0xff, 1203 (hci->device.lmp_caps >> 24) & 0xff, 1204 (hci->device.lmp_caps >> 32) & 0xff, 1205 (hci->device.lmp_caps >> 40) & 0xff, 1206 (hci->device.lmp_caps >> 48) & 0xff, 1207 (hci->device.lmp_caps >> 56) & 0xff, 1208 }, 1209 }; 1210 1211 bt_hci_event_complete(hci, &lf, READ_LOCAL_FEATURES_RP_SIZE); 1212} 1213 1214static void bt_hci_read_local_ext_features_rp(struct bt_hci_s *hci, int page) 1215{ 1216 read_local_ext_features_rp lef = { 1217 .status = HCI_SUCCESS, 1218 .page_num = page, 1219 .max_page_num = 0x00, 1220 .features = { 1221 /* Keep updated! */ 1222 0x5f, 0x35, 0x85, 0x7e, 0x9b, 0x19, 0x00, 0x80, 1223 }, 1224 }; 1225 if (page) 1226 memset(lef.features, 0, sizeof(lef.features)); 1227 1228 bt_hci_event_complete(hci, &lef, READ_LOCAL_EXT_FEATURES_RP_SIZE); 1229} 1230 1231static void bt_hci_read_buffer_size_rp(struct bt_hci_s *hci) 1232{ 1233 read_buffer_size_rp bs = { 1234 /* This can be made configurable, for one standard USB dongle HCI 1235 * the four values are cpu_to_le16(0x0180), 0x40, 1236 * cpu_to_le16(0x0008), cpu_to_le16(0x0008). */ 1237 .status = HCI_SUCCESS, 1238 .acl_mtu = cpu_to_le16(0x0200), 1239 .sco_mtu = 0, 1240 .acl_max_pkt = cpu_to_le16(0x0001), 1241 .sco_max_pkt = cpu_to_le16(0x0000), 1242 }; 1243 1244 bt_hci_event_complete(hci, &bs, READ_BUFFER_SIZE_RP_SIZE); 1245} 1246 1247/* Deprecated in V2.0 (page 661) */ 1248static void bt_hci_read_country_code_rp(struct bt_hci_s *hci) 1249{ 1250 read_country_code_rp cc ={ 1251 .status = HCI_SUCCESS, 1252 .country_code = 0x00, /* North America & Europe^1 and Japan */ 1253 }; 1254 1255 bt_hci_event_complete(hci, &cc, READ_COUNTRY_CODE_RP_SIZE); 1256 1257 /* ^1. Except France, sorry */ 1258} 1259 1260static void bt_hci_read_bd_addr_rp(struct bt_hci_s *hci) 1261{ 1262 read_bd_addr_rp ba = { 1263 .status = HCI_SUCCESS, 1264 .bdaddr = BAINIT(&hci->device.bd_addr), 1265 }; 1266 1267 bt_hci_event_complete(hci, &ba, READ_BD_ADDR_RP_SIZE); 1268} 1269 1270static int bt_hci_link_quality_rp(struct bt_hci_s *hci, uint16_t handle) 1271{ 1272 read_link_quality_rp lq = { 1273 .status = HCI_SUCCESS, 1274 .handle = HNDL(handle), 1275 .link_quality = 0xff, 1276 }; 1277 1278 if (bt_hci_handle_bad(hci, handle)) 1279 lq.status = HCI_NO_CONNECTION; 1280 1281 bt_hci_event_complete(hci, &lq, READ_LINK_QUALITY_RP_SIZE); 1282 return 0; 1283} 1284 1285/* Generate a Command Complete event with only the Status parameter */ 1286static inline void bt_hci_event_complete_status(struct bt_hci_s *hci, 1287 uint8_t status) 1288{ 1289 bt_hci_event_complete(hci, &status, 1); 1290} 1291 1292static inline void bt_hci_event_complete_conn_cancel(struct bt_hci_s *hci, 1293 uint8_t status, bdaddr_t *bd_addr) 1294{ 1295 create_conn_cancel_rp params = { 1296 .status = status, 1297 .bdaddr = BAINIT(bd_addr), 1298 }; 1299 1300 bt_hci_event_complete(hci, ¶ms, CREATE_CONN_CANCEL_RP_SIZE); 1301} 1302 1303static inline void bt_hci_event_auth_complete(struct bt_hci_s *hci, 1304 uint16_t handle) 1305{ 1306 evt_auth_complete params = { 1307 .status = HCI_SUCCESS, 1308 .handle = HNDL(handle), 1309 }; 1310 1311 bt_hci_event(hci, EVT_AUTH_COMPLETE, ¶ms, EVT_AUTH_COMPLETE_SIZE); 1312} 1313 1314static inline void bt_hci_event_encrypt_change(struct bt_hci_s *hci, 1315 uint16_t handle, uint8_t mode) 1316{ 1317 evt_encrypt_change params = { 1318 .status = HCI_SUCCESS, 1319 .handle = HNDL(handle), 1320 .encrypt = mode, 1321 }; 1322 1323 bt_hci_event(hci, EVT_ENCRYPT_CHANGE, ¶ms, EVT_ENCRYPT_CHANGE_SIZE); 1324} 1325 1326static inline void bt_hci_event_complete_name_cancel(struct bt_hci_s *hci, 1327 bdaddr_t *bd_addr) 1328{ 1329 remote_name_req_cancel_rp params = { 1330 .status = HCI_INVALID_PARAMETERS, 1331 .bdaddr = BAINIT(bd_addr), 1332 }; 1333 1334 bt_hci_event_complete(hci, ¶ms, REMOTE_NAME_REQ_CANCEL_RP_SIZE); 1335} 1336 1337static inline void bt_hci_event_read_remote_ext_features(struct bt_hci_s *hci, 1338 uint16_t handle) 1339{ 1340 evt_read_remote_ext_features_complete params = { 1341 .status = HCI_UNSUPPORTED_FEATURE, 1342 .handle = HNDL(handle), 1343 /* Rest uninitialised */ 1344 }; 1345 1346 bt_hci_event(hci, EVT_READ_REMOTE_EXT_FEATURES_COMPLETE, 1347 ¶ms, EVT_READ_REMOTE_EXT_FEATURES_COMPLETE_SIZE); 1348} 1349 1350static inline void bt_hci_event_complete_lmp_handle(struct bt_hci_s *hci, 1351 uint16_t handle) 1352{ 1353 read_lmp_handle_rp params = { 1354 .status = HCI_NO_CONNECTION, 1355 .handle = HNDL(handle), 1356 .reserved = 0, 1357 /* Rest uninitialised */ 1358 }; 1359 1360 bt_hci_event_complete(hci, ¶ms, READ_LMP_HANDLE_RP_SIZE); 1361} 1362 1363static inline void bt_hci_event_complete_role_discovery(struct bt_hci_s *hci, 1364 int status, uint16_t handle, int master) 1365{ 1366 role_discovery_rp params = { 1367 .status = status, 1368 .handle = HNDL(handle), 1369 .role = master ? 0x00 : 0x01, 1370 }; 1371 1372 bt_hci_event_complete(hci, ¶ms, ROLE_DISCOVERY_RP_SIZE); 1373} 1374 1375static inline void bt_hci_event_complete_flush(struct bt_hci_s *hci, 1376 int status, uint16_t handle) 1377{ 1378 flush_rp params = { 1379 .status = status, 1380 .handle = HNDL(handle), 1381 }; 1382 1383 bt_hci_event_complete(hci, ¶ms, FLUSH_RP_SIZE); 1384} 1385 1386static inline void bt_hci_event_complete_read_local_name(struct bt_hci_s *hci) 1387{ 1388 read_local_name_rp params; 1389 params.status = HCI_SUCCESS; 1390 memset(params.name, 0, sizeof(params.name)); 1391 if (hci->device.lmp_name) 1392 strncpy(params.name, hci->device.lmp_name, sizeof(params.name)); 1393 1394 bt_hci_event_complete(hci, ¶ms, READ_LOCAL_NAME_RP_SIZE); 1395} 1396 1397static inline void bt_hci_event_complete_read_conn_accept_timeout( 1398 struct bt_hci_s *hci) 1399{ 1400 read_conn_accept_timeout_rp params = { 1401 .status = HCI_SUCCESS, 1402 .timeout = cpu_to_le16(hci->conn_accept_tout), 1403 }; 1404 1405 bt_hci_event_complete(hci, ¶ms, READ_CONN_ACCEPT_TIMEOUT_RP_SIZE); 1406} 1407 1408static inline void bt_hci_event_complete_read_scan_enable(struct bt_hci_s *hci) 1409{ 1410 read_scan_enable_rp params = { 1411 .status = HCI_SUCCESS, 1412 .enable = 1413 (hci->device.inquiry_scan ? SCAN_INQUIRY : 0) | 1414 (hci->device.page_scan ? SCAN_PAGE : 0), 1415 }; 1416 1417 bt_hci_event_complete(hci, ¶ms, READ_SCAN_ENABLE_RP_SIZE); 1418} 1419 1420static inline void bt_hci_event_complete_read_local_class(struct bt_hci_s *hci) 1421{ 1422 read_class_of_dev_rp params; 1423 1424 params.status = HCI_SUCCESS; 1425 memcpy(params.dev_class, hci->device.class, sizeof(params.dev_class)); 1426 1427 bt_hci_event_complete(hci, ¶ms, READ_CLASS_OF_DEV_RP_SIZE); 1428} 1429 1430static inline void bt_hci_event_complete_voice_setting(struct bt_hci_s *hci) 1431{ 1432 read_voice_setting_rp params = { 1433 .status = HCI_SUCCESS, 1434 .voice_setting = hci->voice_setting, /* Note: no swapping */ 1435 }; 1436 1437 bt_hci_event_complete(hci, ¶ms, READ_VOICE_SETTING_RP_SIZE); 1438} 1439 1440static inline void bt_hci_event_complete_read_inquiry_mode( 1441 struct bt_hci_s *hci) 1442{ 1443 read_inquiry_mode_rp params = { 1444 .status = HCI_SUCCESS, 1445 .mode = hci->lm.inquiry_mode, 1446 }; 1447 1448 bt_hci_event_complete(hci, ¶ms, READ_INQUIRY_MODE_RP_SIZE); 1449} 1450 1451static inline void bt_hci_event_num_comp_pkts(struct bt_hci_s *hci, 1452 uint16_t handle, int packets) 1453{ 1454 uint16_t buf[EVT_NUM_COMP_PKTS_SIZE(1) / 2 + 1]; 1455 evt_num_comp_pkts *params = (void *) ((uint8_t *) buf + 1); 1456 1457 params->num_hndl = 1; 1458 params->connection->handle = HNDL(handle); 1459 params->connection->num_packets = cpu_to_le16(packets); 1460 1461 bt_hci_event(hci, EVT_NUM_COMP_PKTS, params, EVT_NUM_COMP_PKTS_SIZE(1)); 1462} 1463 1464static void bt_submit_hci(struct HCIInfo *info, 1465 const uint8_t *data, int length) 1466{ 1467 struct bt_hci_s *hci = hci_from_info(info); 1468 uint16_t cmd; 1469 int paramlen, i; 1470 1471 if (length < HCI_COMMAND_HDR_SIZE) 1472 goto short_hci; 1473 1474 memcpy(&hci->last_cmd, data, 2); 1475 1476 cmd = (data[1] << 8) | data[0]; 1477 paramlen = data[2]; 1478 if (cmd_opcode_ogf(cmd) == 0 || cmd_opcode_ocf(cmd) == 0) /* NOP */ 1479 return; 1480 1481 data += HCI_COMMAND_HDR_SIZE; 1482 length -= HCI_COMMAND_HDR_SIZE; 1483 1484 if (paramlen > length) 1485 return; 1486 1487#define PARAM(cmd, param) (((cmd##_cp *) data)->param) 1488#define PARAM16(cmd, param) le16_to_cpup(&PARAM(cmd, param)) 1489#define PARAMHANDLE(cmd) HNDL(PARAM(cmd, handle)) 1490#define LENGTH_CHECK(cmd) if (length < sizeof(cmd##_cp)) goto short_hci 1491 /* Note: the supported commands bitmask in bt_hci_read_local_commands_rp 1492 * needs to be updated every time a command is implemented here! */ 1493 switch (cmd) { 1494 case cmd_opcode_pack(OGF_LINK_CTL, OCF_INQUIRY): 1495 LENGTH_CHECK(inquiry); 1496 1497 if (PARAM(inquiry, length) < 1) { 1498 bt_hci_event_complete_status(hci, HCI_INVALID_PARAMETERS); 1499 break; 1500 } 1501 1502 hci->lm.inquire = 1; 1503 hci->lm.periodic = 0; 1504 hci->lm.responses_left = PARAM(inquiry, num_rsp) ?: INT_MAX; 1505 hci->lm.responses = 0; 1506 bt_hci_event_status(hci, HCI_SUCCESS); 1507 bt_hci_inquiry_start(hci, PARAM(inquiry, length)); 1508 break; 1509 1510 case cmd_opcode_pack(OGF_LINK_CTL, OCF_INQUIRY_CANCEL): 1511 if (!hci->lm.inquire || hci->lm.periodic) { 1512 fprintf(stderr, "%s: Inquiry Cancel should only be issued after " 1513 "the Inquiry command has been issued, a Command " 1514 "Status event has been received for the Inquiry " 1515 "command, and before the Inquiry Complete event " 1516 "occurs", __FUNCTION__); 1517 bt_hci_event_complete_status(hci, HCI_COMMAND_DISALLOWED); 1518 break; 1519 } 1520 1521 hci->lm.inquire = 0; 1522 qemu_del_timer(hci->lm.inquiry_done); 1523 bt_hci_event_complete_status(hci, HCI_SUCCESS); 1524 break; 1525 1526 case cmd_opcode_pack(OGF_LINK_CTL, OCF_PERIODIC_INQUIRY): 1527 LENGTH_CHECK(periodic_inquiry); 1528 1529 if (!(PARAM(periodic_inquiry, length) < 1530 PARAM16(periodic_inquiry, min_period) && 1531 PARAM16(periodic_inquiry, min_period) < 1532 PARAM16(periodic_inquiry, max_period)) || 1533 PARAM(periodic_inquiry, length) < 1 || 1534 PARAM16(periodic_inquiry, min_period) < 2 || 1535 PARAM16(periodic_inquiry, max_period) < 3) { 1536 bt_hci_event_complete_status(hci, HCI_INVALID_PARAMETERS); 1537 break; 1538 } 1539 1540 hci->lm.inquire = 1; 1541 hci->lm.periodic = 1; 1542 hci->lm.responses_left = PARAM(periodic_inquiry, num_rsp); 1543 hci->lm.responses = 0; 1544 hci->lm.inquiry_period = PARAM16(periodic_inquiry, max_period); 1545 bt_hci_event_complete_status(hci, HCI_SUCCESS); 1546 bt_hci_inquiry_start(hci, PARAM(periodic_inquiry, length)); 1547 break; 1548 1549 case cmd_opcode_pack(OGF_LINK_CTL, OCF_EXIT_PERIODIC_INQUIRY): 1550 if (!hci->lm.inquire || !hci->lm.periodic) { 1551 fprintf(stderr, "%s: Inquiry Cancel should only be issued after " 1552 "the Inquiry command has been issued, a Command " 1553 "Status event has been received for the Inquiry " 1554 "command, and before the Inquiry Complete event " 1555 "occurs", __FUNCTION__); 1556 bt_hci_event_complete_status(hci, HCI_COMMAND_DISALLOWED); 1557 break; 1558 } 1559 hci->lm.inquire = 0; 1560 qemu_del_timer(hci->lm.inquiry_done); 1561 qemu_del_timer(hci->lm.inquiry_next); 1562 bt_hci_event_complete_status(hci, HCI_SUCCESS); 1563 break; 1564 1565 case cmd_opcode_pack(OGF_LINK_CTL, OCF_CREATE_CONN): 1566 LENGTH_CHECK(create_conn); 1567 1568 if (hci->lm.connecting >= HCI_HANDLES_MAX) { 1569 bt_hci_event_status(hci, HCI_REJECTED_LIMITED_RESOURCES); 1570 break; 1571 } 1572 bt_hci_event_status(hci, HCI_SUCCESS); 1573 1574 if (bt_hci_connect(hci, &PARAM(create_conn, bdaddr))) 1575 bt_hci_connection_reject_event(hci, &PARAM(create_conn, bdaddr)); 1576 break; 1577 1578 case cmd_opcode_pack(OGF_LINK_CTL, OCF_DISCONNECT): 1579 LENGTH_CHECK(disconnect); 1580 1581 if (bt_hci_handle_bad(hci, PARAMHANDLE(disconnect))) { 1582 bt_hci_event_status(hci, HCI_NO_CONNECTION); 1583 break; 1584 } 1585 1586 bt_hci_event_status(hci, HCI_SUCCESS); 1587 bt_hci_disconnect(hci, PARAMHANDLE(disconnect), 1588 PARAM(disconnect, reason)); 1589 break; 1590 1591 case cmd_opcode_pack(OGF_LINK_CTL, OCF_CREATE_CONN_CANCEL): 1592 LENGTH_CHECK(create_conn_cancel); 1593 1594 if (bt_hci_lmp_connection_ready(hci, 1595 &PARAM(create_conn_cancel, bdaddr))) { 1596 for (i = 0; i < HCI_HANDLES_MAX; i ++) 1597 if (bt_hci_role_master(hci, i) && hci->lm.handle[i].link && 1598 !bacmp(&hci->lm.handle[i].link->slave->bd_addr, 1599 &PARAM(create_conn_cancel, bdaddr))) 1600 break; 1601 1602 bt_hci_event_complete_conn_cancel(hci, i < HCI_HANDLES_MAX ? 1603 HCI_ACL_CONNECTION_EXISTS : HCI_NO_CONNECTION, 1604 &PARAM(create_conn_cancel, bdaddr)); 1605 } else 1606 bt_hci_event_complete_conn_cancel(hci, HCI_SUCCESS, 1607 &PARAM(create_conn_cancel, bdaddr)); 1608 break; 1609 1610 case cmd_opcode_pack(OGF_LINK_CTL, OCF_ACCEPT_CONN_REQ): 1611 LENGTH_CHECK(accept_conn_req); 1612 1613 if (!hci->conn_req_host || 1614 bacmp(&PARAM(accept_conn_req, bdaddr), 1615 &hci->conn_req_host->bd_addr)) { 1616 bt_hci_event_status(hci, HCI_INVALID_PARAMETERS); 1617 break; 1618 } 1619 1620 bt_hci_event_status(hci, HCI_SUCCESS); 1621 bt_hci_connection_accept(hci, hci->conn_req_host); 1622 hci->conn_req_host = NULL; 1623 break; 1624 1625 case cmd_opcode_pack(OGF_LINK_CTL, OCF_REJECT_CONN_REQ): 1626 LENGTH_CHECK(reject_conn_req); 1627 1628 if (!hci->conn_req_host || 1629 bacmp(&PARAM(reject_conn_req, bdaddr), 1630 &hci->conn_req_host->bd_addr)) { 1631 bt_hci_event_status(hci, HCI_INVALID_PARAMETERS); 1632 break; 1633 } 1634 1635 bt_hci_event_status(hci, HCI_SUCCESS); 1636 bt_hci_connection_reject(hci, hci->conn_req_host, 1637 PARAM(reject_conn_req, reason)); 1638 bt_hci_connection_reject_event(hci, &hci->conn_req_host->bd_addr); 1639 hci->conn_req_host = NULL; 1640 break; 1641 1642 case cmd_opcode_pack(OGF_LINK_CTL, OCF_AUTH_REQUESTED): 1643 LENGTH_CHECK(auth_requested); 1644 1645 if (bt_hci_handle_bad(hci, PARAMHANDLE(auth_requested))) 1646 bt_hci_event_status(hci, HCI_NO_CONNECTION); 1647 else { 1648 bt_hci_event_status(hci, HCI_SUCCESS); 1649 bt_hci_event_auth_complete(hci, PARAMHANDLE(auth_requested)); 1650 } 1651 break; 1652 1653 case cmd_opcode_pack(OGF_LINK_CTL, OCF_SET_CONN_ENCRYPT): 1654 LENGTH_CHECK(set_conn_encrypt); 1655 1656 if (bt_hci_handle_bad(hci, PARAMHANDLE(set_conn_encrypt))) 1657 bt_hci_event_status(hci, HCI_NO_CONNECTION); 1658 else { 1659 bt_hci_event_status(hci, HCI_SUCCESS); 1660 bt_hci_event_encrypt_change(hci, 1661 PARAMHANDLE(set_conn_encrypt), 1662 PARAM(set_conn_encrypt, encrypt)); 1663 } 1664 break; 1665 1666 case cmd_opcode_pack(OGF_LINK_CTL, OCF_REMOTE_NAME_REQ): 1667 LENGTH_CHECK(remote_name_req); 1668 1669 if (bt_hci_name_req(hci, &PARAM(remote_name_req, bdaddr))) 1670 bt_hci_event_status(hci, HCI_NO_CONNECTION); 1671 break; 1672 1673 case cmd_opcode_pack(OGF_LINK_CTL, OCF_REMOTE_NAME_REQ_CANCEL): 1674 LENGTH_CHECK(remote_name_req_cancel); 1675 1676 bt_hci_event_complete_name_cancel(hci, 1677 &PARAM(remote_name_req_cancel, bdaddr)); 1678 break; 1679 1680 case cmd_opcode_pack(OGF_LINK_CTL, OCF_READ_REMOTE_FEATURES): 1681 LENGTH_CHECK(read_remote_features); 1682 1683 if (bt_hci_features_req(hci, PARAMHANDLE(read_remote_features))) 1684 bt_hci_event_status(hci, HCI_NO_CONNECTION); 1685 break; 1686 1687 case cmd_opcode_pack(OGF_LINK_CTL, OCF_READ_REMOTE_EXT_FEATURES): 1688 LENGTH_CHECK(read_remote_ext_features); 1689 1690 if (bt_hci_handle_bad(hci, PARAMHANDLE(read_remote_ext_features))) 1691 bt_hci_event_status(hci, HCI_NO_CONNECTION); 1692 else { 1693 bt_hci_event_status(hci, HCI_SUCCESS); 1694 bt_hci_event_read_remote_ext_features(hci, 1695 PARAMHANDLE(read_remote_ext_features)); 1696 } 1697 break; 1698 1699 case cmd_opcode_pack(OGF_LINK_CTL, OCF_READ_REMOTE_VERSION): 1700 LENGTH_CHECK(read_remote_version); 1701 1702 if (bt_hci_version_req(hci, PARAMHANDLE(read_remote_version))) 1703 bt_hci_event_status(hci, HCI_NO_CONNECTION); 1704 break; 1705 1706 case cmd_opcode_pack(OGF_LINK_CTL, OCF_READ_CLOCK_OFFSET): 1707 LENGTH_CHECK(read_clock_offset); 1708 1709 if (bt_hci_clkoffset_req(hci, PARAMHANDLE(read_clock_offset))) 1710 bt_hci_event_status(hci, HCI_NO_CONNECTION); 1711 break; 1712 1713 case cmd_opcode_pack(OGF_LINK_CTL, OCF_READ_LMP_HANDLE): 1714 LENGTH_CHECK(read_lmp_handle); 1715 1716 /* TODO: */ 1717 bt_hci_event_complete_lmp_handle(hci, PARAMHANDLE(read_lmp_handle)); 1718 break; 1719 1720 case cmd_opcode_pack(OGF_LINK_POLICY, OCF_HOLD_MODE): 1721 LENGTH_CHECK(hold_mode); 1722 1723 if (PARAM16(hold_mode, min_interval) > 1724 PARAM16(hold_mode, max_interval) || 1725 PARAM16(hold_mode, min_interval) < 0x0002 || 1726 PARAM16(hold_mode, max_interval) > 0xff00 || 1727 (PARAM16(hold_mode, min_interval) & 1) || 1728 (PARAM16(hold_mode, max_interval) & 1)) { 1729 bt_hci_event_status(hci, HCI_INVALID_PARAMETERS); 1730 break; 1731 } 1732 1733 if (bt_hci_mode_change(hci, PARAMHANDLE(hold_mode), 1734 PARAM16(hold_mode, max_interval), 1735 acl_hold)) 1736 bt_hci_event_status(hci, HCI_NO_CONNECTION); 1737 break; 1738 1739 case cmd_opcode_pack(OGF_LINK_POLICY, OCF_PARK_MODE): 1740 LENGTH_CHECK(park_mode); 1741 1742 if (PARAM16(park_mode, min_interval) > 1743 PARAM16(park_mode, max_interval) || 1744 PARAM16(park_mode, min_interval) < 0x000e || 1745 (PARAM16(park_mode, min_interval) & 1) || 1746 (PARAM16(park_mode, max_interval) & 1)) { 1747 bt_hci_event_status(hci, HCI_INVALID_PARAMETERS); 1748 break; 1749 } 1750 1751 if (bt_hci_mode_change(hci, PARAMHANDLE(park_mode), 1752 PARAM16(park_mode, max_interval), 1753 acl_parked)) 1754 bt_hci_event_status(hci, HCI_NO_CONNECTION); 1755 break; 1756 1757 case cmd_opcode_pack(OGF_LINK_POLICY, OCF_EXIT_PARK_MODE): 1758 LENGTH_CHECK(exit_park_mode); 1759 1760 if (bt_hci_mode_cancel(hci, PARAMHANDLE(exit_park_mode), 1761 acl_parked)) 1762 bt_hci_event_status(hci, HCI_NO_CONNECTION); 1763 break; 1764 1765 case cmd_opcode_pack(OGF_LINK_POLICY, OCF_ROLE_DISCOVERY): 1766 LENGTH_CHECK(role_discovery); 1767 1768 if (bt_hci_handle_bad(hci, PARAMHANDLE(role_discovery))) 1769 bt_hci_event_complete_role_discovery(hci, 1770 HCI_NO_CONNECTION, PARAMHANDLE(role_discovery), 0); 1771 else 1772 bt_hci_event_complete_role_discovery(hci, 1773 HCI_SUCCESS, PARAMHANDLE(role_discovery), 1774 bt_hci_role_master(hci, 1775 PARAMHANDLE(role_discovery))); 1776 break; 1777 1778 case cmd_opcode_pack(OGF_HOST_CTL, OCF_SET_EVENT_MASK): 1779 LENGTH_CHECK(set_event_mask); 1780 1781 memcpy(hci->event_mask, PARAM(set_event_mask, mask), 8); 1782 bt_hci_event_complete_status(hci, HCI_SUCCESS); 1783 break; 1784 1785 case cmd_opcode_pack(OGF_HOST_CTL, OCF_RESET): 1786 bt_hci_reset(hci); 1787 bt_hci_event_status(hci, HCI_SUCCESS); 1788 break; 1789 1790 case cmd_opcode_pack(OGF_HOST_CTL, OCF_SET_EVENT_FLT): 1791 if (length >= 1 && PARAM(set_event_flt, flt_type) == FLT_CLEAR_ALL) 1792 /* No length check */; 1793 else 1794 LENGTH_CHECK(set_event_flt); 1795 1796 /* Filters are not implemented */ 1797 bt_hci_event_complete_status(hci, HCI_SUCCESS); 1798 break; 1799 1800 case cmd_opcode_pack(OGF_HOST_CTL, OCF_FLUSH): 1801 LENGTH_CHECK(flush); 1802 1803 if (bt_hci_handle_bad(hci, PARAMHANDLE(flush))) 1804 bt_hci_event_complete_flush(hci, 1805 HCI_NO_CONNECTION, PARAMHANDLE(flush)); 1806 else { 1807 /* TODO: ordering? */ 1808 bt_hci_event(hci, EVT_FLUSH_OCCURRED, 1809 &PARAM(flush, handle), 1810 EVT_FLUSH_OCCURRED_SIZE); 1811 bt_hci_event_complete_flush(hci, 1812 HCI_SUCCESS, PARAMHANDLE(flush)); 1813 } 1814 break; 1815 1816 case cmd_opcode_pack(OGF_HOST_CTL, OCF_CHANGE_LOCAL_NAME): 1817 LENGTH_CHECK(change_local_name); 1818 1819 if (hci->device.lmp_name) 1820 qemu_free((void *) hci->device.lmp_name); 1821 hci->device.lmp_name = qemu_strndup(PARAM(change_local_name, name), 1822 sizeof(PARAM(change_local_name, name))); 1823 bt_hci_event_complete_status(hci, HCI_SUCCESS); 1824 break; 1825 1826 case cmd_opcode_pack(OGF_HOST_CTL, OCF_READ_LOCAL_NAME): 1827 bt_hci_event_complete_read_local_name(hci); 1828 break; 1829 1830 case cmd_opcode_pack(OGF_HOST_CTL, OCF_READ_CONN_ACCEPT_TIMEOUT): 1831 bt_hci_event_complete_read_conn_accept_timeout(hci); 1832 break; 1833 1834 case cmd_opcode_pack(OGF_HOST_CTL, OCF_WRITE_CONN_ACCEPT_TIMEOUT): 1835 /* TODO */ 1836 LENGTH_CHECK(write_conn_accept_timeout); 1837 1838 if (PARAM16(write_conn_accept_timeout, timeout) < 0x0001 || 1839 PARAM16(write_conn_accept_timeout, timeout) > 0xb540) { 1840 bt_hci_event_complete_status(hci, HCI_INVALID_PARAMETERS); 1841 break; 1842 } 1843 1844 hci->conn_accept_tout = PARAM16(write_conn_accept_timeout, timeout); 1845 bt_hci_event_complete_status(hci, HCI_SUCCESS); 1846 break; 1847 1848 case cmd_opcode_pack(OGF_HOST_CTL, OCF_READ_SCAN_ENABLE): 1849 bt_hci_event_complete_read_scan_enable(hci); 1850 break; 1851 1852 case cmd_opcode_pack(OGF_HOST_CTL, OCF_WRITE_SCAN_ENABLE): 1853 LENGTH_CHECK(write_scan_enable); 1854 1855 /* TODO: check that the remaining bits are all 0 */ 1856 hci->device.inquiry_scan = 1857 !!(PARAM(write_scan_enable, scan_enable) & SCAN_INQUIRY); 1858 hci->device.page_scan = 1859 !!(PARAM(write_scan_enable, scan_enable) & SCAN_PAGE); 1860 bt_hci_event_complete_status(hci, HCI_SUCCESS); 1861 break; 1862 1863 case cmd_opcode_pack(OGF_HOST_CTL, OCF_READ_CLASS_OF_DEV): 1864 bt_hci_event_complete_read_local_class(hci); 1865 break; 1866 1867 case cmd_opcode_pack(OGF_HOST_CTL, OCF_WRITE_CLASS_OF_DEV): 1868 LENGTH_CHECK(write_class_of_dev); 1869 1870 memcpy(hci->device.class, PARAM(write_class_of_dev, dev_class), 1871 sizeof(PARAM(write_class_of_dev, dev_class))); 1872 bt_hci_event_complete_status(hci, HCI_SUCCESS); 1873 break; 1874 1875 case cmd_opcode_pack(OGF_HOST_CTL, OCF_READ_VOICE_SETTING): 1876 bt_hci_event_complete_voice_setting(hci); 1877 break; 1878 1879 case cmd_opcode_pack(OGF_HOST_CTL, OCF_WRITE_VOICE_SETTING): 1880 LENGTH_CHECK(write_voice_setting); 1881 1882 hci->voice_setting = PARAM(write_voice_setting, voice_setting); 1883 bt_hci_event_complete_status(hci, HCI_SUCCESS); 1884 break; 1885 1886 case cmd_opcode_pack(OGF_HOST_CTL, OCF_HOST_NUMBER_OF_COMPLETED_PACKETS): 1887 if (length < data[0] * 2 + 1) 1888 goto short_hci; 1889 1890 for (i = 0; i < data[0]; i ++) 1891 if (bt_hci_handle_bad(hci, 1892 data[i * 2 + 1] | (data[i * 2 + 2] << 8))) 1893 bt_hci_event_complete_status(hci, HCI_INVALID_PARAMETERS); 1894 break; 1895 1896 case cmd_opcode_pack(OGF_HOST_CTL, OCF_READ_INQUIRY_MODE): 1897 /* Only if (local_features[3] & 0x40) && (local_commands[12] & 0x40) 1898 * else 1899 * goto unknown_command */ 1900 bt_hci_event_complete_read_inquiry_mode(hci); 1901 break; 1902 1903 case cmd_opcode_pack(OGF_HOST_CTL, OCF_WRITE_INQUIRY_MODE): 1904 /* Only if (local_features[3] & 0x40) && (local_commands[12] & 0x80) 1905 * else 1906 * goto unknown_command */ 1907 LENGTH_CHECK(write_inquiry_mode); 1908 1909 if (PARAM(write_inquiry_mode, mode) > 0x01) { 1910 bt_hci_event_complete_status(hci, HCI_INVALID_PARAMETERS); 1911 break; 1912 } 1913 1914 hci->lm.inquiry_mode = PARAM(write_inquiry_mode, mode); 1915 bt_hci_event_complete_status(hci, HCI_SUCCESS); 1916 break; 1917 1918 case cmd_opcode_pack(OGF_INFO_PARAM, OCF_READ_LOCAL_VERSION): 1919 bt_hci_read_local_version_rp(hci); 1920 break; 1921 1922 case cmd_opcode_pack(OGF_INFO_PARAM, OCF_READ_LOCAL_COMMANDS): 1923 bt_hci_read_local_commands_rp(hci); 1924 break; 1925 1926 case cmd_opcode_pack(OGF_INFO_PARAM, OCF_READ_LOCAL_FEATURES): 1927 bt_hci_read_local_features_rp(hci); 1928 break; 1929 1930 case cmd_opcode_pack(OGF_INFO_PARAM, OCF_READ_LOCAL_EXT_FEATURES): 1931 LENGTH_CHECK(read_local_ext_features); 1932 1933 bt_hci_read_local_ext_features_rp(hci, 1934 PARAM(read_local_ext_features, page_num)); 1935 break; 1936 1937 case cmd_opcode_pack(OGF_INFO_PARAM, OCF_READ_BUFFER_SIZE): 1938 bt_hci_read_buffer_size_rp(hci); 1939 break; 1940 1941 case cmd_opcode_pack(OGF_INFO_PARAM, OCF_READ_COUNTRY_CODE): 1942 bt_hci_read_country_code_rp(hci); 1943 break; 1944 1945 case cmd_opcode_pack(OGF_INFO_PARAM, OCF_READ_BD_ADDR): 1946 bt_hci_read_bd_addr_rp(hci); 1947 break; 1948 1949 case cmd_opcode_pack(OGF_STATUS_PARAM, OCF_READ_LINK_QUALITY): 1950 LENGTH_CHECK(read_link_quality); 1951 1952 bt_hci_link_quality_rp(hci, PARAMHANDLE(read_link_quality)); 1953 break; 1954 1955 default: 1956 bt_hci_event_status(hci, HCI_UNKNOWN_COMMAND); 1957 break; 1958 1959 short_hci: 1960 fprintf(stderr, "%s: HCI packet too short (%iB)\n", 1961 __FUNCTION__, length); 1962 bt_hci_event_status(hci, HCI_INVALID_PARAMETERS); 1963 break; 1964 } 1965} 1966 1967/* We could perform fragmentation here, we can't do "recombination" because 1968 * at this layer the length of the payload is not know ahead, so we only 1969 * know that a packet contained the last fragment of the SDU when the next 1970 * SDU starts. */ 1971static inline void bt_hci_lmp_acl_data(struct bt_hci_s *hci, uint16_t handle, 1972 const uint8_t *data, int start, int len) 1973{ 1974 struct hci_acl_hdr *pkt = (void *) hci->acl_buf; 1975 1976 /* TODO: packet flags */ 1977 /* TODO: avoid memcpy'ing */ 1978 1979 if (len + HCI_ACL_HDR_SIZE > sizeof(hci->acl_buf)) { 1980 fprintf(stderr, "%s: can't take ACL packets %i bytes long\n", 1981 __FUNCTION__, len); 1982 return; 1983 } 1984 memcpy(hci->acl_buf + HCI_ACL_HDR_SIZE, data, len); 1985 1986 pkt->handle = cpu_to_le16( 1987 acl_handle_pack(handle, start ? ACL_START : ACL_CONT)); 1988 pkt->dlen = cpu_to_le16(len); 1989 hci->info.acl_recv(hci->info.opaque, 1990 hci->acl_buf, len + HCI_ACL_HDR_SIZE); 1991} 1992 1993static void bt_hci_lmp_acl_data_slave(struct bt_link_s *btlink, 1994 const uint8_t *data, int start, int len) 1995{ 1996 struct bt_hci_link_s *link = (struct bt_hci_link_s *) btlink; 1997 1998 bt_hci_lmp_acl_data(hci_from_device(btlink->slave), 1999 link->handle, data, start, len); 2000} 2001 2002static void bt_hci_lmp_acl_data_host(struct bt_link_s *link, 2003 const uint8_t *data, int start, int len) 2004{ 2005 bt_hci_lmp_acl_data(hci_from_device(link->host), 2006 link->handle, data, start, len); 2007} 2008 2009static void bt_submit_acl(struct HCIInfo *info, 2010 const uint8_t *data, int length) 2011{ 2012 struct bt_hci_s *hci = hci_from_info(info); 2013 uint16_t handle; 2014 int datalen, flags; 2015 struct bt_link_s *link; 2016 2017 if (length < HCI_ACL_HDR_SIZE) { 2018 fprintf(stderr, "%s: ACL packet too short (%iB)\n", 2019 __FUNCTION__, length); 2020 return; 2021 } 2022 2023 handle = acl_handle((data[1] << 8) | data[0]); 2024 flags = acl_flags((data[1] << 8) | data[0]); 2025 datalen = (data[3] << 8) | data[2]; 2026 data += HCI_ACL_HDR_SIZE; 2027 length -= HCI_ACL_HDR_SIZE; 2028 2029 if (bt_hci_handle_bad(hci, handle)) { 2030 fprintf(stderr, "%s: invalid ACL handle %03x\n", 2031 __FUNCTION__, handle); 2032 /* TODO: signal an error */ 2033 return; 2034 } 2035 handle &= ~HCI_HANDLE_OFFSET; 2036 2037 if (datalen > length) { 2038 fprintf(stderr, "%s: ACL packet too short (%iB < %iB)\n", 2039 __FUNCTION__, length, datalen); 2040 return; 2041 } 2042 2043 link = hci->lm.handle[handle].link; 2044 2045 if ((flags & ~3) == ACL_ACTIVE_BCAST) { 2046 if (!hci->asb_handle) 2047 hci->asb_handle = handle; 2048 else if (handle != hci->asb_handle) { 2049 fprintf(stderr, "%s: Bad handle %03x in Active Slave Broadcast\n", 2050 __FUNCTION__, handle); 2051 /* TODO: signal an error */ 2052 return; 2053 } 2054 2055 /* TODO */ 2056 } 2057 2058 if ((flags & ~3) == ACL_PICO_BCAST) { 2059 if (!hci->psb_handle) 2060 hci->psb_handle = handle; 2061 else if (handle != hci->psb_handle) { 2062 fprintf(stderr, "%s: Bad handle %03x in Parked Slave Broadcast\n", 2063 __FUNCTION__, handle); 2064 /* TODO: signal an error */ 2065 return; 2066 } 2067 2068 /* TODO */ 2069 } 2070 2071 /* TODO: increase counter and send EVT_NUM_COMP_PKTS */ 2072 bt_hci_event_num_comp_pkts(hci, handle | HCI_HANDLE_OFFSET, 1); 2073 2074 /* Do this last as it can trigger further events even in this HCI */ 2075 hci->lm.handle[handle].lmp_acl_data(link, data, 2076 (flags & 3) == ACL_START, length); 2077} 2078 2079static void bt_submit_sco(struct HCIInfo *info, 2080 const uint8_t *data, int length) 2081{ 2082 struct bt_hci_s *hci = hci_from_info(info); 2083 struct bt_link_s *link; 2084 uint16_t handle; 2085 int datalen; 2086 2087 if (length < 3) 2088 return; 2089 2090 handle = acl_handle((data[1] << 8) | data[0]); 2091 datalen = data[2]; 2092 data += 3; 2093 length -= 3; 2094 2095 if (bt_hci_handle_bad(hci, handle)) { 2096 fprintf(stderr, "%s: invalid SCO handle %03x\n", 2097 __FUNCTION__, handle); 2098 return; 2099 } 2100 handle &= ~HCI_HANDLE_OFFSET; 2101 2102 if (datalen > length) { 2103 fprintf(stderr, "%s: SCO packet too short (%iB < %iB)\n", 2104 __FUNCTION__, length, datalen); 2105 return; 2106 } 2107 2108 link = hci->lm.handle[handle].link; 2109 /* TODO */ 2110 2111 /* TODO: increase counter and send EVT_NUM_COMP_PKTS if synchronous 2112 * Flow Control is enabled. 2113 * (See Read/Write_Synchronous_Flow_Control_Enable on page 513 and 2114 * page 514.) */ 2115} 2116 2117static uint8_t *bt_hci_evt_packet(void *opaque) 2118{ 2119 /* TODO: allocate a packet from upper layer */ 2120 struct bt_hci_s *s = opaque; 2121 2122 return s->evt_buf; 2123} 2124 2125static void bt_hci_evt_submit(void *opaque, int len) 2126{ 2127 /* TODO: notify upper layer */ 2128 struct bt_hci_s *s = opaque; 2129 2130 s->info.evt_recv(s->info.opaque, s->evt_buf, len); 2131} 2132 2133static int bt_hci_bdaddr_set(struct HCIInfo *info, const uint8_t *bd_addr) 2134{ 2135 struct bt_hci_s *hci = hci_from_info(info); 2136 2137 bacpy(&hci->device.bd_addr, (const bdaddr_t *) bd_addr); 2138 return 0; 2139} 2140 2141static void bt_hci_done(struct HCIInfo *info); 2142static void bt_hci_destroy(struct bt_device_s *dev) 2143{ 2144 struct bt_hci_s *hci = hci_from_device(dev); 2145 2146 bt_hci_done(&hci->info); 2147} 2148 2149struct HCIInfo *bt_new_hci(struct bt_scatternet_s *net) 2150{ 2151 struct bt_hci_s *s = qemu_mallocz(sizeof(struct bt_hci_s)); 2152 2153 s->lm.inquiry_done = qemu_new_timer(vm_clock, bt_hci_inquiry_done, s); 2154 s->lm.inquiry_next = qemu_new_timer(vm_clock, bt_hci_inquiry_next, s); 2155 s->conn_accept_timer = 2156 qemu_new_timer(vm_clock, bt_hci_conn_accept_timeout, s); 2157 2158 s->evt_packet = bt_hci_evt_packet; 2159 s->evt_submit = bt_hci_evt_submit; 2160 s->opaque = s; 2161 2162 bt_device_init(&s->device, net); 2163 s->device.lmp_connection_request = bt_hci_lmp_connection_request; 2164 s->device.lmp_connection_complete = bt_hci_lmp_connection_complete; 2165 s->device.lmp_disconnect_master = bt_hci_lmp_disconnect_host; 2166 s->device.lmp_disconnect_slave = bt_hci_lmp_disconnect_slave; 2167 s->device.lmp_acl_data = bt_hci_lmp_acl_data_slave; 2168 s->device.lmp_acl_resp = bt_hci_lmp_acl_data_host; 2169 s->device.lmp_mode_change = bt_hci_lmp_mode_change_slave; 2170 2171 /* Keep updated! */ 2172 /* Also keep in sync with supported commands bitmask in 2173 * bt_hci_read_local_commands_rp */ 2174 s->device.lmp_caps = 0x8000199b7e85355fll; 2175 2176 bt_hci_reset(s); 2177 2178 s->info.cmd_send = bt_submit_hci; 2179 s->info.sco_send = bt_submit_sco; 2180 s->info.acl_send = bt_submit_acl; 2181 s->info.bdaddr_set = bt_hci_bdaddr_set; 2182 2183 s->device.handle_destroy = bt_hci_destroy; 2184 2185 return &s->info; 2186} 2187 2188static void bt_hci_done(struct HCIInfo *info) 2189{ 2190 struct bt_hci_s *hci = hci_from_info(info); 2191 int handle; 2192 2193 bt_device_done(&hci->device); 2194 2195 if (hci->device.lmp_name) 2196 qemu_free((void *) hci->device.lmp_name); 2197 2198 /* Be gentle and send DISCONNECT to all connected peers and those 2199 * currently waiting for us to accept or reject a connection request. 2200 * This frees the links. */ 2201 if (hci->conn_req_host) { 2202 bt_hci_connection_reject(hci, 2203 hci->conn_req_host, HCI_OE_POWER_OFF); 2204 return; 2205 } 2206 2207 for (handle = HCI_HANDLE_OFFSET; 2208 handle < (HCI_HANDLE_OFFSET | HCI_HANDLES_MAX); handle ++) 2209 if (!bt_hci_handle_bad(hci, handle)) 2210 bt_hci_disconnect(hci, handle, HCI_OE_POWER_OFF); 2211 2212 /* TODO: this is not enough actually, there may be slaves from whom 2213 * we have requested a connection who will soon (or not) respond with 2214 * an accept or a reject, so we should also check if hci->lm.connecting 2215 * is non-zero and if so, avoid freeing the hci but otherwise disappear 2216 * from all qemu social life (e.g. stop scanning and request to be 2217 * removed from s->device.net) and arrange for 2218 * s->device.lmp_connection_complete to free the remaining bits once 2219 * hci->lm.awaiting_bdaddr[] is empty. */ 2220 2221 qemu_free_timer(hci->lm.inquiry_done); 2222 qemu_free_timer(hci->lm.inquiry_next); 2223 qemu_free_timer(hci->conn_accept_timer); 2224 2225 qemu_free(hci); 2226} 2227