projects / qemu / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
Add #defines needed by OpenSolaris, fix breakage by the #defines
[qemu] / hw / bt-hci.c
1 /*
2  * QEMU Bluetooth HCI logic.
3  *
4  * Copyright (C) 2007 OpenMoko, Inc.
5  * Copyright (C) 2008 Andrzej Zaborowski  <balrog@zabor.org>
6  *
7  * This program is free software; you can redistribute it and/or
8  * modify it under the terms of the GNU General Public License as
9  * published by the Free Software Foundation; either version 2 of
10  * the License, or (at your option) any later version.
11  *
12  * This program is distributed in the hope that it will be useful,
13  * but WITHOUT ANY WARRANTY; without even the implied warranty of
14  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
15  * GNU General Public License for more details.
16  *
17  * You should have received a copy of the GNU General Public License
18  * along with this program; if not, see <http://www.gnu.org/licenses/>.
19  */
20
21 #include "qemu-common.h"
22 #include "qemu-timer.h"
23 #include "usb.h"
24 #include "net.h"
25 #include "bt.h"
26
27 struct bt_hci_s {
28     uint8_t *(*evt_packet)(void *opaque);
29     void (*evt_submit)(void *opaque, int len);
30     void *opaque;
31     uint8_t evt_buf[256];
32
33     uint8_t acl_buf[4096];
34     int acl_len;
35
36     uint16_t asb_handle;
37     uint16_t psb_handle;
38
39     int last_cmd;       /* Note: Always little-endian */
40
41     struct bt_device_s *conn_req_host;
42
43     struct {
44         int inquire;
45         int periodic;
46         int responses_left;
47         int responses;
48         QEMUTimer *inquiry_done;
49         QEMUTimer *inquiry_next;
50         int inquiry_length;
51         int inquiry_period;
52         int inquiry_mode;
53
54 #define HCI_HANDLE_OFFSET       0x20
55 #define HCI_HANDLES_MAX         0x10
56         struct bt_hci_master_link_s {
57             struct bt_link_s *link;
58             void (*lmp_acl_data)(struct bt_link_s *link,
59                             const uint8_t *data, int start, int len);
60             QEMUTimer *acl_mode_timer;
61         } handle[HCI_HANDLES_MAX];
62         uint32_t role_bmp;
63         int last_handle;
64         int connecting;
65         bdaddr_t awaiting_bdaddr[HCI_HANDLES_MAX];
66     } lm;
67
68     uint8_t event_mask[8];
69     uint16_t voice_setting;     /* Notw: Always little-endian */
70     uint16_t conn_accept_tout;
71     QEMUTimer *conn_accept_timer;
72
73     struct HCIInfo info;
74     struct bt_device_s device;
75 };
76
77 #define DEFAULT_RSSI_DBM        20
78
79 #define hci_from_info(ptr)      container_of((ptr), struct bt_hci_s, info)
80 #define hci_from_device(ptr)    container_of((ptr), struct bt_hci_s, device)
81
82 struct bt_hci_link_s {
83     struct bt_link_s btlink;
84     uint16_t handle;    /* Local */
85 };
86
87 /* LMP layer emulation */
88 #if 0
89 static void bt_submit_lmp(struct bt_device_s *bt, int length, uint8_t *data)
90 {
91     int resp, resplen, error, op, tr;
92     uint8_t respdata[17];
93
94     if (length < 1)
95         return;
96
97     tr = *data & 1;
98     op = *(data ++) >> 1;
99     resp = LMP_ACCEPTED;
100     resplen = 2;
101     respdata[1] = op;
102     error = 0;
103     length --;
104
105     if (op >= 0x7c) {   /* Extended opcode */
106         op |= *(data ++) << 8;
107         resp = LMP_ACCEPTED_EXT;
108         resplen = 4;
109         respdata[0] = op >> 8;
110         respdata[1] = op & 0xff;
111         length --;
112     }
113
114     switch (op) {
115     case LMP_ACCEPTED:
116         /* data[0]      Op code
117          */
118         if (length < 1) {
119             error = HCI_UNSUPPORTED_LMP_PARAMETER_VALUE;
120             goto not_accepted;
121         }
122         resp = 0;
123         break;
124
125     case LMP_ACCEPTED_EXT:
126         /* data[0]      Escape op code
127          * data[1]      Extended op code
128          */
129         if (length < 2) {
130             error = HCI_UNSUPPORTED_LMP_PARAMETER_VALUE;
131             goto not_accepted;
132         }
133         resp = 0;
134         break;
135
136     case LMP_NOT_ACCEPTED:
137         /* data[0]      Op code
138          * data[1]      Error code
139          */
140         if (length < 2) {
141             error = HCI_UNSUPPORTED_LMP_PARAMETER_VALUE;
142             goto not_accepted;
143         }
144         resp = 0;
145         break;
146
147     case LMP_NOT_ACCEPTED_EXT:
148         /* data[0]      Op code
149          * data[1]      Extended op code
150          * data[2]      Error code
151          */
152         if (length < 3) {
153             error = HCI_UNSUPPORTED_LMP_PARAMETER_VALUE;
154             goto not_accepted;
155         }
156         resp = 0;
157         break;
158
159     case LMP_HOST_CONNECTION_REQ:
160         break;
161
162     case LMP_SETUP_COMPLETE:
163         resp = LMP_SETUP_COMPLETE;
164         resplen = 1;
165         bt->setup = 1;
166         break;
167
168     case LMP_DETACH:
169         /* data[0]      Error code
170          */
171         if (length < 1) {
172             error = HCI_UNSUPPORTED_LMP_PARAMETER_VALUE;
173             goto not_accepted;
174         }
175         bt->setup = 0;
176         resp = 0;
177         break;
178
179     case LMP_SUPERVISION_TIMEOUT:
180         /* data[0,1]    Supervision timeout
181          */
182         if (length < 2) {
183             error = HCI_UNSUPPORTED_LMP_PARAMETER_VALUE;
184             goto not_accepted;
185         }
186         resp = 0;
187         break;
188
189     case LMP_QUALITY_OF_SERVICE:
190         resp = 0;
191         /* Fall through */
192     case LMP_QOS_REQ:
193         /* data[0,1]    Poll interval
194          * data[2]      N(BC)
195          */
196         if (length < 3) {
197             error = HCI_UNSUPPORTED_LMP_PARAMETER_VALUE;
198             goto not_accepted;
199         }
200         break;
201
202     case LMP_MAX_SLOT:
203         resp = 0;
204         /* Fall through */
205     case LMP_MAX_SLOT_REQ:
206         /* data[0]      Max slots
207          */
208         if (length < 1) {
209             error = HCI_UNSUPPORTED_LMP_PARAMETER_VALUE;
210             goto not_accepted;
211         }
212         break;
213
214     case LMP_AU_RAND:
215     case LMP_IN_RAND:
216     case LMP_COMB_KEY:
217         /* data[0-15]   Random number
218          */
219         if (length < 16) {
220             error = HCI_UNSUPPORTED_LMP_PARAMETER_VALUE;
221             goto not_accepted;
222         }
223         if (op == LMP_AU_RAND) {
224             if (bt->key_present) {
225                 resp = LMP_SRES;
226                 resplen = 5;
227                 /* XXX: [Part H] Section 6.1 on page 801 */
228             } else {
229                 error = HCI_PIN_OR_KEY_MISSING;
230                 goto not_accepted;
231             }
232         } else if (op == LMP_IN_RAND) {
233             error = HCI_PAIRING_NOT_ALLOWED;
234             goto not_accepted;
235         } else {
236             /* XXX: [Part H] Section 3.2 on page 779 */
237             resp = LMP_UNIT_KEY;
238             resplen = 17;
239             memcpy(respdata + 1, bt->key, 16);
240
241             error = HCI_UNIT_LINK_KEY_USED;
242             goto not_accepted;
243         }
244         break;
245
246     case LMP_UNIT_KEY:
247         /* data[0-15]   Key
248          */
249         if (length < 16) {
250             error = HCI_UNSUPPORTED_LMP_PARAMETER_VALUE;
251             goto not_accepted;
252         }
253         memcpy(bt->key, data, 16);
254         bt->key_present = 1;
255         break;
256
257     case LMP_SRES:
258         /* data[0-3]    Authentication response
259          */
260         if (length < 4) {
261             error = HCI_UNSUPPORTED_LMP_PARAMETER_VALUE;
262             goto not_accepted;
263         }
264         break;
265
266     case LMP_CLKOFFSET_REQ:
267         resp = LMP_CLKOFFSET_RES;
268         resplen = 3;
269         respdata[1] = 0x33;
270         respdata[2] = 0x33;
271         break;
272
273     case LMP_CLKOFFSET_RES:
274         /* data[0,1]    Clock offset
275          * (Slave to master only)
276          */
277         if (length < 2) {
278             error = HCI_UNSUPPORTED_LMP_PARAMETER_VALUE;
279             goto not_accepted;
280         }
281         break;
282
283     case LMP_VERSION_REQ:
284     case LMP_VERSION_RES:
285         /* data[0]      VersNr
286          * data[1,2]    CompId
287          * data[3,4]    SubVersNr
288          */
289         if (length < 5) {
290             error = HCI_UNSUPPORTED_LMP_PARAMETER_VALUE;
291             goto not_accepted;
292         }
293         if (op == LMP_VERSION_REQ) {
294             resp = LMP_VERSION_RES;
295             resplen = 6;
296             respdata[1] = 0x20;
297             respdata[2] = 0xff;
298             respdata[3] = 0xff;
299             respdata[4] = 0xff;
300             respdata[5] = 0xff;
301         } else
302             resp = 0;
303         break;
304
305     case LMP_FEATURES_REQ:
306     case LMP_FEATURES_RES:
307         /* data[0-7]    Features
308          */
309         if (length < 8) {
310             error = HCI_UNSUPPORTED_LMP_PARAMETER_VALUE;
311             goto not_accepted;
312         }
313         if (op == LMP_FEATURES_REQ) {
314             resp = LMP_FEATURES_RES;
315             resplen = 9;
316             respdata[1] = (bt->lmp_caps >> 0) & 0xff;
317             respdata[2] = (bt->lmp_caps >> 8) & 0xff;
318             respdata[3] = (bt->lmp_caps >> 16) & 0xff;
319             respdata[4] = (bt->lmp_caps >> 24) & 0xff;
320             respdata[5] = (bt->lmp_caps >> 32) & 0xff;
321             respdata[6] = (bt->lmp_caps >> 40) & 0xff;
322             respdata[7] = (bt->lmp_caps >> 48) & 0xff;
323             respdata[8] = (bt->lmp_caps >> 56) & 0xff;
324         } else
325             resp = 0;
326         break;
327
328     case LMP_NAME_REQ:
329         /* data[0]      Name offset
330          */
331         if (length < 1) {
332             error = HCI_UNSUPPORTED_LMP_PARAMETER_VALUE;
333             goto not_accepted;
334         }
335         resp = LMP_NAME_RES;
336         resplen = 17;
337         respdata[1] = data[0];
338         respdata[2] = strlen(bt->lmp_name);
339         memset(respdata + 3, 0x00, 14);
340         if (respdata[2] > respdata[1])
341             memcpy(respdata + 3, bt->lmp_name + respdata[1],
342                             respdata[2] - respdata[1]);
343         break;
344
345     case LMP_NAME_RES:
346         /* data[0]      Name offset
347          * data[1]      Name length
348          * data[2-15]   Name fragment
349          */
350         if (length < 16) {
351             error = HCI_UNSUPPORTED_LMP_PARAMETER_VALUE;
352             goto not_accepted;
353         }
354         resp = 0;
355         break;
356
357     default:
358         error = HCI_UNKNOWN_LMP_PDU;
359         /* Fall through */
360     not_accepted:
361         if (op >> 8) {
362             resp = LMP_NOT_ACCEPTED_EXT;
363             resplen = 5;
364             respdata[0] = op >> 8;
365             respdata[1] = op & 0xff;
366             respdata[2] = error;
367         } else {
368             resp = LMP_NOT_ACCEPTED;
369             resplen = 3;
370             respdata[0] = op & 0xff;
371             respdata[1] = error;
372         }
373     }
374
375     if (resp == 0)
376         return;
377
378     if (resp >> 8) {
379         respdata[0] = resp >> 8;
380         respdata[1] = resp & 0xff;
381     } else
382         respdata[0] = resp & 0xff;
383
384     respdata[0] <<= 1;
385     respdata[0] |= tr;
386 }
387
388 static void bt_submit_raw_acl(struct bt_piconet_s *net, int length, uint8_t *data)
389 {
390     struct bt_device_s *slave;
391     if (length < 1)
392         return;
393
394     slave = 0;
395 #if 0
396     slave = net->slave;
397 #endif
398
399     switch (data[0] & 3) {
400     case LLID_ACLC:
401         bt_submit_lmp(slave, length - 1, data + 1);
402         break;
403     case LLID_ACLU_START:
404 #if 0
405         bt_sumbit_l2cap(slave, length - 1, data + 1, (data[0] >> 2) & 1);
406         breka;
407 #endif
408     default:
409     case LLID_ACLU_CONT:
410         break;
411     }
412 }
413 #endif
414
415 /* HCI layer emulation */
416
417 /* Note: we could ignore endiannes because unswapped handles will still
418  * be valid as connection identifiers for the guest - they don't have to
419  * be continuously allocated.  We do it though, to preserve similar
420  * behaviour between hosts.  Some things, like the BD_ADDR cannot be
421  * preserved though (for example if a real hci is used).  */
422 #ifdef HOST_WORDS_BIGENDIAN
423 # define HNDL(raw)      bswap16(raw)
424 #else
425 # define HNDL(raw)      (raw)
426 #endif
427
428 static const uint8_t bt_event_reserved_mask[8] = {
429     0xff, 0x9f, 0xfb, 0xff, 0x07, 0x18, 0x00, 0x00,
430 };
431
432 static inline uint8_t *bt_hci_event_start(struct bt_hci_s *hci,
433                 int evt, int len)
434 {
435     uint8_t *packet, mask;
436     int mask_byte;
437
438     if (len > 255) {
439         fprintf(stderr, "%s: HCI event params too long (%ib)\n",
440                         __FUNCTION__, len);
441         exit(-1);
442     }
443
444     mask_byte = (evt - 1) >> 3;
445     mask = 1 << ((evt - 1) & 3);
446     if (mask & bt_event_reserved_mask[mask_byte] & ~hci->event_mask[mask_byte])
447         return NULL;
448
449     packet = hci->evt_packet(hci->opaque);
450     packet[0] = evt;
451     packet[1] = len;
452
453     return &packet[2];
454 }
455
456 static inline void bt_hci_event(struct bt_hci_s *hci, int evt,
457                 void *params, int len)
458 {
459     uint8_t *packet = bt_hci_event_start(hci, evt, len);
460
461     if (!packet)
462         return;
463
464     if (len)
465         memcpy(packet, params, len);
466
467     hci->evt_submit(hci->opaque, len + 2);
468 }
469
470 static inline void bt_hci_event_status(struct bt_hci_s *hci, int status)
471 {
472     evt_cmd_status params = {
473         .status = status,
474         .ncmd   = 1,
475         .opcode = hci->last_cmd,
476     };
477
478     bt_hci_event(hci, EVT_CMD_STATUS, &params, EVT_CMD_STATUS_SIZE);
479 }
480
481 static inline void bt_hci_event_complete(struct bt_hci_s *hci,
482                 void *ret, int len)
483 {
484     uint8_t *packet = bt_hci_event_start(hci, EVT_CMD_COMPLETE,
485                     len + EVT_CMD_COMPLETE_SIZE);
486     evt_cmd_complete *params = (evt_cmd_complete *) packet;
487
488     if (!packet)
489         return;
490
491     params->ncmd        = 1;
492     params->opcode      = hci->last_cmd;
493     if (len)
494         memcpy(&packet[EVT_CMD_COMPLETE_SIZE], ret, len);
495
496     hci->evt_submit(hci->opaque, len + EVT_CMD_COMPLETE_SIZE + 2);
497 }
498
499 static void bt_hci_inquiry_done(void *opaque)
500 {
501     struct bt_hci_s *hci = (struct bt_hci_s *) opaque;
502     uint8_t status = HCI_SUCCESS;
503
504     if (!hci->lm.periodic)
505         hci->lm.inquire = 0;
506
507     /* The specification is inconsistent about this one.  Page 565 reads
508      * "The event parameters of Inquiry Complete event will have a summary
509      * of the result from the Inquiry process, which reports the number of
510      * nearby Bluetooth devices that responded [so hci->responses].", but
511      * Event Parameters (see page 729) has only Status.  */
512     bt_hci_event(hci, EVT_INQUIRY_COMPLETE, &status, 1);
513 }
514
515 static void bt_hci_inquiry_result_standard(struct bt_hci_s *hci,
516                 struct bt_device_s *slave)
517 {
518     inquiry_info params = {
519         .num_responses          = 1,
520         .bdaddr                 = BAINIT(&slave->bd_addr),
521         .pscan_rep_mode         = 0x00, /* R0 */
522         .pscan_period_mode      = 0x00, /* P0 - deprecated */
523         .pscan_mode             = 0x00, /* Standard scan - deprecated */
524         .dev_class[0]           = slave->class[0],
525         .dev_class[1]           = slave->class[1],
526         .dev_class[2]           = slave->class[2],
527         /* TODO: return the clkoff *differenece* */
528         .clock_offset           = slave->clkoff,        /* Note: no swapping */
529     };
530
531     bt_hci_event(hci, EVT_INQUIRY_RESULT, &params, INQUIRY_INFO_SIZE);
532 }
533
534 static void bt_hci_inquiry_result_with_rssi(struct bt_hci_s *hci,
535                 struct bt_device_s *slave)
536 {
537     inquiry_info_with_rssi params = {
538         .num_responses          = 1,
539         .bdaddr                 = BAINIT(&slave->bd_addr),
540         .pscan_rep_mode         = 0x00, /* R0 */
541         .pscan_period_mode      = 0x00, /* P0 - deprecated */
542         .dev_class[0]           = slave->class[0],
543         .dev_class[1]           = slave->class[1],
544         .dev_class[2]           = slave->class[2],
545         /* TODO: return the clkoff *differenece* */
546         .clock_offset           = slave->clkoff,        /* Note: no swapping */
547         .rssi                   = DEFAULT_RSSI_DBM,
548     };
549
550     bt_hci_event(hci, EVT_INQUIRY_RESULT_WITH_RSSI,
551                     &params, INQUIRY_INFO_WITH_RSSI_SIZE);
552 }
553
554 static void bt_hci_inquiry_result(struct bt_hci_s *hci,
555                 struct bt_device_s *slave)
556 {
557     if (!slave->inquiry_scan || !hci->lm.responses_left)
558         return;
559
560     hci->lm.responses_left --;
561     hci->lm.responses ++;
562
563     switch (hci->lm.inquiry_mode) {
564     case 0x00:
565         bt_hci_inquiry_result_standard(hci, slave);
566         return;
567     case 0x01:
568         bt_hci_inquiry_result_with_rssi(hci, slave);
569         return;
570     default:
571         fprintf(stderr, "%s: bad inquiry mode %02x\n", __FUNCTION__,
572                         hci->lm.inquiry_mode);
573         exit(-1);
574     }
575 }
576
577 static void bt_hci_mod_timer_1280ms(QEMUTimer *timer, int period)
578 {
579     qemu_mod_timer(timer, qemu_get_clock(vm_clock) +
580                    muldiv64(period << 7, get_ticks_per_sec(), 100));
581 }
582
583 static void bt_hci_inquiry_start(struct bt_hci_s *hci, int length)
584 {
585     struct bt_device_s *slave;
586
587     hci->lm.inquiry_length = length;
588     for (slave = hci->device.net->slave; slave; slave = slave->next)
589         /* Don't uncover ourselves.  */
590         if (slave != &hci->device)
591             bt_hci_inquiry_result(hci, slave);
592
593     /* TODO: register for a callback on a new device's addition to the
594      * scatternet so that if it's added before inquiry_length expires,
595      * an Inquiry Result is generated immediately.  Alternatively re-loop
596      * through the devices on the inquiry_length expiration and report
597      * devices not seen before.  */
598     if (hci->lm.responses_left)
599         bt_hci_mod_timer_1280ms(hci->lm.inquiry_done, hci->lm.inquiry_length);
600     else
601         bt_hci_inquiry_done(hci);
602
603     if (hci->lm.periodic)
604         bt_hci_mod_timer_1280ms(hci->lm.inquiry_next, hci->lm.inquiry_period);
605 }
606
607 static void bt_hci_inquiry_next(void *opaque)
608 {
609     struct bt_hci_s *hci = (struct bt_hci_s *) opaque;
610
611     hci->lm.responses_left += hci->lm.responses;
612     hci->lm.responses = 0;
613     bt_hci_inquiry_start(hci,  hci->lm.inquiry_length);
614 }
615
616 static inline int bt_hci_handle_bad(struct bt_hci_s *hci, uint16_t handle)
617 {
618     return !(handle & HCI_HANDLE_OFFSET) ||
619             handle >= (HCI_HANDLE_OFFSET | HCI_HANDLES_MAX) ||
620             !hci->lm.handle[handle & ~HCI_HANDLE_OFFSET].link;
621 }
622
623 static inline int bt_hci_role_master(struct bt_hci_s *hci, uint16_t handle)
624 {
625     return !!(hci->lm.role_bmp & (1 << (handle & ~HCI_HANDLE_OFFSET)));
626 }
627
628 static inline struct bt_device_s *bt_hci_remote_dev(struct bt_hci_s *hci,
629                 uint16_t handle)
630 {
631     struct bt_link_s *link = hci->lm.handle[handle & ~HCI_HANDLE_OFFSET].link;
632
633     return bt_hci_role_master(hci, handle) ? link->slave : link->host;
634 }
635
636 static void bt_hci_mode_tick(void *opaque);
637 static void bt_hci_lmp_link_establish(struct bt_hci_s *hci,
638                 struct bt_link_s *link, int master)
639 {
640     hci->lm.handle[hci->lm.last_handle].link = link;
641
642     if (master) {
643         /* We are the master side of an ACL link */
644         hci->lm.role_bmp |= 1 << hci->lm.last_handle;
645
646         hci->lm.handle[hci->lm.last_handle].lmp_acl_data =
647                 link->slave->lmp_acl_data;
648     } else {
649         /* We are the slave side of an ACL link */
650         hci->lm.role_bmp &= ~(1 << hci->lm.last_handle);
651
652         hci->lm.handle[hci->lm.last_handle].lmp_acl_data =
653                 link->host->lmp_acl_resp;
654     }
655
656     /* Mode */
657     if (master) {
658         link->acl_mode = acl_active;
659         hci->lm.handle[hci->lm.last_handle].acl_mode_timer =
660                 qemu_new_timer(vm_clock, bt_hci_mode_tick, link);
661     }
662 }
663
664 static void bt_hci_lmp_link_teardown(struct bt_hci_s *hci, uint16_t handle)
665 {
666     handle &= ~HCI_HANDLE_OFFSET;
667     hci->lm.handle[handle].link = NULL;
668
669     if (bt_hci_role_master(hci, handle)) {
670         qemu_del_timer(hci->lm.handle[handle].acl_mode_timer);
671         qemu_free_timer(hci->lm.handle[handle].acl_mode_timer);
672     }
673 }
674
675 static int bt_hci_connect(struct bt_hci_s *hci, bdaddr_t *bdaddr)
676 {
677     struct bt_device_s *slave;
678     struct bt_link_s link;
679
680     for (slave = hci->device.net->slave; slave; slave = slave->next)
681         if (slave->page_scan && !bacmp(&slave->bd_addr, bdaddr))
682             break;
683     if (!slave || slave == &hci->device)
684         return -ENODEV;
685
686     bacpy(&hci->lm.awaiting_bdaddr[hci->lm.connecting ++], &slave->bd_addr);
687
688     link.slave = slave;
689     link.host = &hci->device;
690     link.slave->lmp_connection_request(&link);  /* Always last */
691
692     return 0;
693 }
694
695 static void bt_hci_connection_reject(struct bt_hci_s *hci,
696                 struct bt_device_s *host, uint8_t because)
697 {
698     struct bt_link_s link = {
699         .slave  = &hci->device,
700         .host   = host,
701         /* Rest uninitialised */
702     };
703
704     host->reject_reason = because;
705     host->lmp_connection_complete(&link);
706 }
707
708 static void bt_hci_connection_reject_event(struct bt_hci_s *hci,
709                 bdaddr_t *bdaddr)
710 {
711     evt_conn_complete params;
712
713     params.status       = HCI_NO_CONNECTION;
714     params.handle       = 0;
715     bacpy(&params.bdaddr, bdaddr);
716     params.link_type    = ACL_LINK;
717     params.encr_mode    = 0x00;         /* Encryption not required */
718     bt_hci_event(hci, EVT_CONN_COMPLETE, &params, EVT_CONN_COMPLETE_SIZE);
719 }
720
721 static void bt_hci_connection_accept(struct bt_hci_s *hci,
722                 struct bt_device_s *host)
723 {
724     struct bt_hci_link_s *link = qemu_mallocz(sizeof(struct bt_hci_link_s));
725     evt_conn_complete params;
726     uint16_t handle;
727     uint8_t status = HCI_SUCCESS;
728     int tries = HCI_HANDLES_MAX;
729
730     /* Make a connection handle */
731     do {
732         while (hci->lm.handle[++ hci->lm.last_handle].link && -- tries)
733             hci->lm.last_handle &= HCI_HANDLES_MAX - 1;
734         handle = hci->lm.last_handle | HCI_HANDLE_OFFSET;
735     } while ((handle == hci->asb_handle || handle == hci->psb_handle) &&
736             tries);
737
738     if (!tries) {
739         qemu_free(link);
740         bt_hci_connection_reject(hci, host, HCI_REJECTED_LIMITED_RESOURCES);
741         status = HCI_NO_CONNECTION;
742         goto complete;
743     }
744
745     link->btlink.slave  = &hci->device;
746     link->btlink.host   = host;
747     link->handle = handle;
748
749     /* Link established */
750     bt_hci_lmp_link_establish(hci, &link->btlink, 0);
751
752 complete:
753     params.status       = status;
754     params.handle       = HNDL(handle);
755     bacpy(&params.bdaddr, &host->bd_addr);
756     params.link_type    = ACL_LINK;
757     params.encr_mode    = 0x00;         /* Encryption not required */
758     bt_hci_event(hci, EVT_CONN_COMPLETE, &params, EVT_CONN_COMPLETE_SIZE);
759
760     /* Neets to be done at the very end because it can trigger a (nested)
761      * disconnected, in case the other and had cancelled the request
762      * locally.  */
763     if (status == HCI_SUCCESS) {
764         host->reject_reason = 0;
765         host->lmp_connection_complete(&link->btlink);
766     }
767 }
768
769 static void bt_hci_lmp_connection_request(struct bt_link_s *link)
770 {
771     struct bt_hci_s *hci = hci_from_device(link->slave);
772     evt_conn_request params;
773
774     if (hci->conn_req_host) {
775         bt_hci_connection_reject(hci, link->host,
776                                  HCI_REJECTED_LIMITED_RESOURCES);
777         return;
778     }
779     hci->conn_req_host = link->host;
780     /* TODO: if masked and auto-accept, then auto-accept,
781      * if masked and not auto-accept, then auto-reject */
782     /* TODO: kick the hci->conn_accept_timer, timeout after
783      * hci->conn_accept_tout * 0.625 msec */
784
785     bacpy(&params.bdaddr, &link->host->bd_addr);
786     memcpy(&params.dev_class, &link->host->class, sizeof(params.dev_class));
787     params.link_type    = ACL_LINK;
788     bt_hci_event(hci, EVT_CONN_REQUEST, &params, EVT_CONN_REQUEST_SIZE);
789     return;
790 }
791
792 static void bt_hci_conn_accept_timeout(void *opaque)
793 {
794     struct bt_hci_s *hci = (struct bt_hci_s *) opaque;
795
796     if (!hci->conn_req_host)
797         /* Already accepted or rejected.  If the other end cancelled the
798          * connection request then we still have to reject or accept it
799          * and then we'll get a disconnect.  */
800         return;
801
802     /* TODO */
803 }
804
805 /* Remove from the list of devices which we wanted to connect to and
806  * are awaiting a response from.  If the callback sees a response from
807  * a device which is not on the list it will assume it's a connection
808  * that's been cancelled by the host in the meantime and immediately
809  * try to detach the link and send a Connection Complete.  */
810 static int bt_hci_lmp_connection_ready(struct bt_hci_s *hci,
811                 bdaddr_t *bdaddr)
812 {
813     int i;
814
815     for (i = 0; i < hci->lm.connecting; i ++)
816         if (!bacmp(&hci->lm.awaiting_bdaddr[i], bdaddr)) {
817             if (i < -- hci->lm.connecting)
818                 bacpy(&hci->lm.awaiting_bdaddr[i],
819                                 &hci->lm.awaiting_bdaddr[hci->lm.connecting]);
820             return 0;
821         }
822
823     return 1;
824 }
825
826 static void bt_hci_lmp_connection_complete(struct bt_link_s *link)
827 {
828     struct bt_hci_s *hci = hci_from_device(link->host);
829     evt_conn_complete params;
830     uint16_t handle;
831     uint8_t status = HCI_SUCCESS;
832     int tries = HCI_HANDLES_MAX;
833
834     if (bt_hci_lmp_connection_ready(hci, &link->slave->bd_addr)) {
835         if (!hci->device.reject_reason)
836             link->slave->lmp_disconnect_slave(link);
837         handle = 0;
838         status = HCI_NO_CONNECTION;
839         goto complete;
840     }
841
842     if (hci->device.reject_reason) {
843         handle = 0;
844         status = hci->device.reject_reason;
845         goto complete;
846     }
847
848     /* Make a connection handle */
849     do {
850         while (hci->lm.handle[++ hci->lm.last_handle].link && -- tries)
851             hci->lm.last_handle &= HCI_HANDLES_MAX - 1;
852         handle = hci->lm.last_handle | HCI_HANDLE_OFFSET;
853     } while ((handle == hci->asb_handle || handle == hci->psb_handle) &&
854             tries);
855
856     if (!tries) {
857         link->slave->lmp_disconnect_slave(link);
858         status = HCI_NO_CONNECTION;
859         goto complete;
860     }
861
862     /* Link established */
863     link->handle = handle;
864     bt_hci_lmp_link_establish(hci, link, 1);
865
866 complete:
867     params.status       = status;
868     params.handle       = HNDL(handle);
869     params.link_type    = ACL_LINK;
870     bacpy(&params.bdaddr, &link->slave->bd_addr);
871     params.encr_mode    = 0x00;         /* Encryption not required */
872     bt_hci_event(hci, EVT_CONN_COMPLETE, &params, EVT_CONN_COMPLETE_SIZE);
873 }
874
875 static void bt_hci_disconnect(struct bt_hci_s *hci,
876                 uint16_t handle, int reason)
877 {
878     struct bt_link_s *btlink =
879             hci->lm.handle[handle & ~HCI_HANDLE_OFFSET].link;
880     struct bt_hci_link_s *link;
881     evt_disconn_complete params;
882
883     if (bt_hci_role_master(hci, handle)) {
884         btlink->slave->reject_reason = reason;
885         btlink->slave->lmp_disconnect_slave(btlink);
886         /* The link pointer is invalid from now on */
887
888         goto complete;
889     }
890
891     btlink->host->reject_reason = reason;
892     btlink->host->lmp_disconnect_master(btlink);
893
894     /* We are the slave, we get to clean this burden */
895     link = (struct bt_hci_link_s *) btlink;
896     qemu_free(link);
897
898 complete:
899     bt_hci_lmp_link_teardown(hci, handle);
900
901     params.status       = HCI_SUCCESS;
902     params.handle       = HNDL(handle);
903     params.reason       = HCI_CONNECTION_TERMINATED;
904     bt_hci_event(hci, EVT_DISCONN_COMPLETE,
905                     &params, EVT_DISCONN_COMPLETE_SIZE);
906 }
907
908 /* TODO: use only one function */
909 static void bt_hci_lmp_disconnect_host(struct bt_link_s *link)
910 {
911     struct bt_hci_s *hci = hci_from_device(link->host);
912     uint16_t handle = link->handle;
913     evt_disconn_complete params;
914
915     bt_hci_lmp_link_teardown(hci, handle);
916
917     params.status       = HCI_SUCCESS;
918     params.handle       = HNDL(handle);
919     params.reason       = hci->device.reject_reason;
920     bt_hci_event(hci, EVT_DISCONN_COMPLETE,
921                     &params, EVT_DISCONN_COMPLETE_SIZE);
922 }
923
924 static void bt_hci_lmp_disconnect_slave(struct bt_link_s *btlink)
925 {
926     struct bt_hci_link_s *link = (struct bt_hci_link_s *) btlink;
927     struct bt_hci_s *hci = hci_from_device(btlink->slave);
928     uint16_t handle = link->handle;
929     evt_disconn_complete params;
930
931     qemu_free(link);
932
933     bt_hci_lmp_link_teardown(hci, handle);
934
935     params.status       = HCI_SUCCESS;
936     params.handle       = HNDL(handle);
937     params.reason       = hci->device.reject_reason;
938     bt_hci_event(hci, EVT_DISCONN_COMPLETE,
939                     &params, EVT_DISCONN_COMPLETE_SIZE);
940 }
941
942 static int bt_hci_name_req(struct bt_hci_s *hci, bdaddr_t *bdaddr)
943 {
944     struct bt_device_s *slave;
945     evt_remote_name_req_complete params;
946     int len;
947
948     for (slave = hci->device.net->slave; slave; slave = slave->next)
949         if (slave->page_scan && !bacmp(&slave->bd_addr, bdaddr))
950             break;
951     if (!slave)
952         return -ENODEV;
953
954     bt_hci_event_status(hci, HCI_SUCCESS);
955
956     params.status       = HCI_SUCCESS;
957     bacpy(&params.bdaddr, &slave->bd_addr);
958     len = snprintf(params.name, sizeof(params.name),
959                     "%s", slave->lmp_name ?: "");
960     memset(params.name + len, 0, sizeof(params.name) - len);
961     bt_hci_event(hci, EVT_REMOTE_NAME_REQ_COMPLETE,
962                     &params, EVT_REMOTE_NAME_REQ_COMPLETE_SIZE);
963
964     return 0;
965 }
966
967 static int bt_hci_features_req(struct bt_hci_s *hci, uint16_t handle)
968 {
969     struct bt_device_s *slave;
970     evt_read_remote_features_complete params;
971
972     if (bt_hci_handle_bad(hci, handle))
973         return -ENODEV;
974
975     slave = bt_hci_remote_dev(hci, handle);
976
977     bt_hci_event_status(hci, HCI_SUCCESS);
978
979     params.status       = HCI_SUCCESS;
980     params.handle       = HNDL(handle);
981     params.features[0]  = (slave->lmp_caps >>  0) & 0xff;
982     params.features[1]  = (slave->lmp_caps >>  8) & 0xff;
983     params.features[2]  = (slave->lmp_caps >> 16) & 0xff;
984     params.features[3]  = (slave->lmp_caps >> 24) & 0xff;
985     params.features[4]  = (slave->lmp_caps >> 32) & 0xff;
986     params.features[5]  = (slave->lmp_caps >> 40) & 0xff;
987     params.features[6]  = (slave->lmp_caps >> 48) & 0xff;
988     params.features[7]  = (slave->lmp_caps >> 56) & 0xff;
989     bt_hci_event(hci, EVT_READ_REMOTE_FEATURES_COMPLETE,
990                     &params, EVT_READ_REMOTE_FEATURES_COMPLETE_SIZE);
991
992     return 0;
993 }
994
995 static int bt_hci_version_req(struct bt_hci_s *hci, uint16_t handle)
996 {
997     struct bt_device_s *slave;
998     evt_read_remote_version_complete params;
999
1000     if (bt_hci_handle_bad(hci, handle))
1001         return -ENODEV;
1002
1003     slave = bt_hci_remote_dev(hci, handle);
1004
1005     bt_hci_event_status(hci, HCI_SUCCESS);
1006
1007     params.status       = HCI_SUCCESS;
1008     params.handle       = HNDL(handle);
1009     params.lmp_ver      = 0x03;
1010     params.manufacturer = cpu_to_le16(0xa000);
1011     params.lmp_subver   = cpu_to_le16(0xa607);
1012     bt_hci_event(hci, EVT_READ_REMOTE_VERSION_COMPLETE,
1013                     &params, EVT_READ_REMOTE_VERSION_COMPLETE_SIZE);
1014
1015     return 0;
1016 }
1017
1018 static int bt_hci_clkoffset_req(struct bt_hci_s *hci, uint16_t handle)
1019 {
1020     struct bt_device_s *slave;
1021     evt_read_clock_offset_complete params;
1022
1023     if (bt_hci_handle_bad(hci, handle))
1024         return -ENODEV;
1025
1026     slave = bt_hci_remote_dev(hci, handle);
1027
1028     bt_hci_event_status(hci, HCI_SUCCESS);
1029
1030     params.status       = HCI_SUCCESS;
1031     params.handle       = HNDL(handle);
1032     /* TODO: return the clkoff *differenece* */
1033     params.clock_offset = slave->clkoff;        /* Note: no swapping */
1034     bt_hci_event(hci, EVT_READ_CLOCK_OFFSET_COMPLETE,
1035                     &params, EVT_READ_CLOCK_OFFSET_COMPLETE_SIZE);
1036
1037     return 0;
1038 }
1039
1040 static void bt_hci_event_mode(struct bt_hci_s *hci, struct bt_link_s *link,
1041                 uint16_t handle)
1042 {
1043     evt_mode_change params = {
1044         .status         = HCI_SUCCESS,
1045         .handle         = HNDL(handle),
1046         .mode           = link->acl_mode,
1047         .interval       = cpu_to_le16(link->acl_interval),
1048     };
1049
1050     bt_hci_event(hci, EVT_MODE_CHANGE, &params, EVT_MODE_CHANGE_SIZE);
1051 }
1052
1053 static void bt_hci_lmp_mode_change_master(struct bt_hci_s *hci,
1054                 struct bt_link_s *link, int mode, uint16_t interval)
1055 {
1056     link->acl_mode = mode;
1057     link->acl_interval = interval;
1058
1059     bt_hci_event_mode(hci, link, link->handle);
1060
1061     link->slave->lmp_mode_change(link);
1062 }
1063
1064 static void bt_hci_lmp_mode_change_slave(struct bt_link_s *btlink)
1065 {
1066     struct bt_hci_link_s *link = (struct bt_hci_link_s *) btlink;
1067     struct bt_hci_s *hci = hci_from_device(btlink->slave);
1068
1069     bt_hci_event_mode(hci, btlink, link->handle);
1070 }
1071
1072 static int bt_hci_mode_change(struct bt_hci_s *hci, uint16_t handle,
1073                 int interval, int mode)
1074 {
1075     struct bt_hci_master_link_s *link;
1076
1077     if (bt_hci_handle_bad(hci, handle) || !bt_hci_role_master(hci, handle))
1078         return -ENODEV;
1079
1080     link = &hci->lm.handle[handle & ~HCI_HANDLE_OFFSET];
1081     if (link->link->acl_mode != acl_active) {
1082         bt_hci_event_status(hci, HCI_COMMAND_DISALLOWED);
1083         return 0;
1084     }
1085
1086     bt_hci_event_status(hci, HCI_SUCCESS);
1087
1088     qemu_mod_timer(link->acl_mode_timer, qemu_get_clock(vm_clock) +
1089                    muldiv64(interval * 625, get_ticks_per_sec(), 1000000));
1090     bt_hci_lmp_mode_change_master(hci, link->link, mode, interval);
1091
1092     return 0;
1093 }
1094
1095 static int bt_hci_mode_cancel(struct bt_hci_s *hci, uint16_t handle, int mode)
1096 {
1097     struct bt_hci_master_link_s *link;
1098
1099     if (bt_hci_handle_bad(hci, handle) || !bt_hci_role_master(hci, handle))
1100         return -ENODEV;
1101
1102     link = &hci->lm.handle[handle & ~HCI_HANDLE_OFFSET];
1103     if (link->link->acl_mode != mode) {
1104         bt_hci_event_status(hci, HCI_COMMAND_DISALLOWED);
1105
1106         return 0;
1107     }
1108
1109     bt_hci_event_status(hci, HCI_SUCCESS);
1110
1111     qemu_del_timer(link->acl_mode_timer);
1112     bt_hci_lmp_mode_change_master(hci, link->link, acl_active, 0);
1113
1114     return 0;
1115 }
1116
1117 static void bt_hci_mode_tick(void *opaque)
1118 {
1119     struct bt_link_s *link = opaque;
1120     struct bt_hci_s *hci = hci_from_device(link->host);
1121
1122     bt_hci_lmp_mode_change_master(hci, link, acl_active, 0);
1123 }
1124
1125 static void bt_hci_reset(struct bt_hci_s *hci)
1126 {
1127     hci->acl_len = 0;
1128     hci->last_cmd = 0;
1129     hci->lm.connecting = 0;
1130
1131     hci->event_mask[0] = 0xff;
1132     hci->event_mask[1] = 0xff;
1133     hci->event_mask[2] = 0xff;
1134     hci->event_mask[3] = 0xff;
1135     hci->event_mask[4] = 0xff;
1136     hci->event_mask[5] = 0x1f;
1137     hci->event_mask[6] = 0x00;
1138     hci->event_mask[7] = 0x00;
1139     hci->device.inquiry_scan = 0;
1140     hci->device.page_scan = 0;
1141     if (hci->device.lmp_name)
1142         qemu_free((void *) hci->device.lmp_name);
1143     hci->device.lmp_name = NULL;
1144     hci->device.class[0] = 0x00;
1145     hci->device.class[1] = 0x00;
1146     hci->device.class[2] = 0x00;
1147     hci->voice_setting = 0x0000;
1148     hci->conn_accept_tout = 0x1f40;
1149     hci->lm.inquiry_mode = 0x00;
1150
1151     hci->psb_handle = 0x000;
1152     hci->asb_handle = 0x000;
1153
1154     /* XXX: qemu_del_timer(sl->acl_mode_timer); for all links */
1155     qemu_del_timer(hci->lm.inquiry_done);
1156     qemu_del_timer(hci->lm.inquiry_next);
1157     qemu_del_timer(hci->conn_accept_timer);
1158 }
1159
1160 static void bt_hci_read_local_version_rp(struct bt_hci_s *hci)
1161 {
1162     read_local_version_rp lv = {
1163         .status         = HCI_SUCCESS,
1164         .hci_ver        = 0x03,
1165         .hci_rev        = cpu_to_le16(0xa607),
1166         .lmp_ver        = 0x03,
1167         .manufacturer   = cpu_to_le16(0xa000),
1168         .lmp_subver     = cpu_to_le16(0xa607),
1169     };
1170
1171     bt_hci_event_complete(hci, &lv, READ_LOCAL_VERSION_RP_SIZE);
1172 }
1173
1174 static void bt_hci_read_local_commands_rp(struct bt_hci_s *hci)
1175 {
1176     read_local_commands_rp lc = {
1177         .status         = HCI_SUCCESS,
1178         .commands       = {
1179             /* Keep updated! */
1180             /* Also, keep in sync with hci->device.lmp_caps in bt_new_hci */
1181             0xbf, 0x80, 0xf9, 0x03, 0xb2, 0xc0, 0x03, 0xc3,
1182             0x00, 0x0f, 0x80, 0x00, 0xc0, 0x00, 0xe8, 0x13,
1183             0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1184             0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1185             0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1186             0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1187             0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1188             0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1189         },
1190     };
1191
1192     bt_hci_event_complete(hci, &lc, READ_LOCAL_COMMANDS_RP_SIZE);
1193 }
1194
1195 static void bt_hci_read_local_features_rp(struct bt_hci_s *hci)
1196 {
1197     read_local_features_rp lf = {
1198         .status         = HCI_SUCCESS,
1199         .features       = {
1200             (hci->device.lmp_caps >>  0) & 0xff,
1201             (hci->device.lmp_caps >>  8) & 0xff,
1202             (hci->device.lmp_caps >> 16) & 0xff,
1203             (hci->device.lmp_caps >> 24) & 0xff,
1204             (hci->device.lmp_caps >> 32) & 0xff,
1205             (hci->device.lmp_caps >> 40) & 0xff,
1206             (hci->device.lmp_caps >> 48) & 0xff,
1207             (hci->device.lmp_caps >> 56) & 0xff,
1208         },
1209     };
1210
1211     bt_hci_event_complete(hci, &lf, READ_LOCAL_FEATURES_RP_SIZE);
1212 }
1213
1214 static void bt_hci_read_local_ext_features_rp(struct bt_hci_s *hci, int page)
1215 {
1216     read_local_ext_features_rp lef = {
1217         .status         = HCI_SUCCESS,
1218         .page_num       = page,
1219         .max_page_num   = 0x00,
1220         .features       = {
1221             /* Keep updated! */
1222             0x5f, 0x35, 0x85, 0x7e, 0x9b, 0x19, 0x00, 0x80,
1223         },
1224     };
1225     if (page)
1226         memset(lef.features, 0, sizeof(lef.features));
1227
1228     bt_hci_event_complete(hci, &lef, READ_LOCAL_EXT_FEATURES_RP_SIZE);
1229 }
1230
1231 static void bt_hci_read_buffer_size_rp(struct bt_hci_s *hci)
1232 {
1233     read_buffer_size_rp bs = {
1234         /* This can be made configurable, for one standard USB dongle HCI
1235          * the four values are cpu_to_le16(0x0180), 0x40,
1236          * cpu_to_le16(0x0008), cpu_to_le16(0x0008).  */
1237         .status         = HCI_SUCCESS,
1238         .acl_mtu        = cpu_to_le16(0x0200),
1239         .sco_mtu        = 0,
1240         .acl_max_pkt    = cpu_to_le16(0x0001),
1241         .sco_max_pkt    = cpu_to_le16(0x0000),
1242     };
1243
1244     bt_hci_event_complete(hci, &bs, READ_BUFFER_SIZE_RP_SIZE);
1245 }
1246
1247 /* Deprecated in V2.0 (page 661) */
1248 static void bt_hci_read_country_code_rp(struct bt_hci_s *hci)
1249 {
1250     read_country_code_rp cc ={
1251         .status         = HCI_SUCCESS,
1252         .country_code   = 0x00, /* North America & Europe^1 and Japan */
1253     };
1254
1255     bt_hci_event_complete(hci, &cc, READ_COUNTRY_CODE_RP_SIZE);
1256
1257     /* ^1. Except France, sorry */
1258 }
1259
1260 static void bt_hci_read_bd_addr_rp(struct bt_hci_s *hci)
1261 {
1262     read_bd_addr_rp ba = {
1263         .status = HCI_SUCCESS,
1264         .bdaddr = BAINIT(&hci->device.bd_addr),
1265     };
1266
1267     bt_hci_event_complete(hci, &ba, READ_BD_ADDR_RP_SIZE);
1268 }
1269
1270 static int bt_hci_link_quality_rp(struct bt_hci_s *hci, uint16_t handle)
1271 {
1272     read_link_quality_rp lq = {
1273         .status         = HCI_SUCCESS,
1274         .handle         = HNDL(handle),
1275         .link_quality   = 0xff,
1276     };
1277
1278     if (bt_hci_handle_bad(hci, handle))
1279         lq.status = HCI_NO_CONNECTION;
1280
1281     bt_hci_event_complete(hci, &lq, READ_LINK_QUALITY_RP_SIZE);
1282     return 0;
1283 }
1284
1285 /* Generate a Command Complete event with only the Status parameter */
1286 static inline void bt_hci_event_complete_status(struct bt_hci_s *hci,
1287                 uint8_t status)
1288 {
1289     bt_hci_event_complete(hci, &status, 1);
1290 }
1291
1292 static inline void bt_hci_event_complete_conn_cancel(struct bt_hci_s *hci,
1293                 uint8_t status, bdaddr_t *bd_addr)
1294 {
1295     create_conn_cancel_rp params = {
1296         .status = status,
1297         .bdaddr = BAINIT(bd_addr),
1298     };
1299
1300     bt_hci_event_complete(hci, &params, CREATE_CONN_CANCEL_RP_SIZE);
1301 }
1302
1303 static inline void bt_hci_event_auth_complete(struct bt_hci_s *hci,
1304                 uint16_t handle)
1305 {
1306     evt_auth_complete params = {
1307         .status = HCI_SUCCESS,
1308         .handle = HNDL(handle),
1309     };
1310
1311     bt_hci_event(hci, EVT_AUTH_COMPLETE, &params, EVT_AUTH_COMPLETE_SIZE);
1312 }
1313
1314 static inline void bt_hci_event_encrypt_change(struct bt_hci_s *hci,
1315                 uint16_t handle, uint8_t mode)
1316 {
1317     evt_encrypt_change params = {
1318         .status         = HCI_SUCCESS,
1319         .handle         = HNDL(handle),
1320         .encrypt        = mode,
1321     };
1322
1323     bt_hci_event(hci, EVT_ENCRYPT_CHANGE, &params, EVT_ENCRYPT_CHANGE_SIZE);
1324 }
1325
1326 static inline void bt_hci_event_complete_name_cancel(struct bt_hci_s *hci,
1327                 bdaddr_t *bd_addr)
1328 {
1329     remote_name_req_cancel_rp params = {
1330         .status = HCI_INVALID_PARAMETERS,
1331         .bdaddr = BAINIT(bd_addr),
1332     };
1333
1334     bt_hci_event_complete(hci, &params, REMOTE_NAME_REQ_CANCEL_RP_SIZE);
1335 }
1336
1337 static inline void bt_hci_event_read_remote_ext_features(struct bt_hci_s *hci,
1338                 uint16_t handle)
1339 {
1340     evt_read_remote_ext_features_complete params = {
1341         .status = HCI_UNSUPPORTED_FEATURE,
1342         .handle = HNDL(handle),
1343         /* Rest uninitialised */
1344     };
1345
1346     bt_hci_event(hci, EVT_READ_REMOTE_EXT_FEATURES_COMPLETE,
1347                     &params, EVT_READ_REMOTE_EXT_FEATURES_COMPLETE_SIZE);
1348 }
1349
1350 static inline void bt_hci_event_complete_lmp_handle(struct bt_hci_s *hci,
1351                 uint16_t handle)
1352 {
1353     read_lmp_handle_rp params = {
1354         .status         = HCI_NO_CONNECTION,
1355         .handle         = HNDL(handle),
1356         .reserved       = 0,
1357         /* Rest uninitialised */
1358     };
1359
1360     bt_hci_event_complete(hci, &params, READ_LMP_HANDLE_RP_SIZE);
1361 }
1362
1363 static inline void bt_hci_event_complete_role_discovery(struct bt_hci_s *hci,
1364                 int status, uint16_t handle, int master)
1365 {
1366     role_discovery_rp params = {
1367         .status         = status,
1368         .handle         = HNDL(handle),
1369         .role           = master ? 0x00 : 0x01,
1370     };
1371
1372     bt_hci_event_complete(hci, &params, ROLE_DISCOVERY_RP_SIZE);
1373 }
1374
1375 static inline void bt_hci_event_complete_flush(struct bt_hci_s *hci,
1376                 int status, uint16_t handle)
1377 {
1378     flush_rp params = {
1379         .status         = status,
1380         .handle         = HNDL(handle),
1381     };
1382
1383     bt_hci_event_complete(hci, &params, FLUSH_RP_SIZE);
1384 }
1385
1386 static inline void bt_hci_event_complete_read_local_name(struct bt_hci_s *hci)
1387 {
1388     read_local_name_rp params;
1389     params.status = HCI_SUCCESS;
1390     memset(params.name, 0, sizeof(params.name));
1391     if (hci->device.lmp_name)
1392         strncpy(params.name, hci->device.lmp_name, sizeof(params.name));
1393
1394     bt_hci_event_complete(hci, &params, READ_LOCAL_NAME_RP_SIZE);
1395 }
1396
1397 static inline void bt_hci_event_complete_read_conn_accept_timeout(
1398                 struct bt_hci_s *hci)
1399 {
1400     read_conn_accept_timeout_rp params = {
1401         .status         = HCI_SUCCESS,
1402         .timeout        = cpu_to_le16(hci->conn_accept_tout),
1403     };
1404
1405     bt_hci_event_complete(hci, &params, READ_CONN_ACCEPT_TIMEOUT_RP_SIZE);
1406 }
1407
1408 static inline void bt_hci_event_complete_read_scan_enable(struct bt_hci_s *hci)
1409 {
1410     read_scan_enable_rp params = {
1411         .status = HCI_SUCCESS,
1412         .enable =
1413                 (hci->device.inquiry_scan ? SCAN_INQUIRY : 0) |
1414                 (hci->device.page_scan ? SCAN_PAGE : 0),
1415     };
1416
1417     bt_hci_event_complete(hci, &params, READ_SCAN_ENABLE_RP_SIZE);
1418 }
1419
1420 static inline void bt_hci_event_complete_read_local_class(struct bt_hci_s *hci)
1421 {
1422     read_class_of_dev_rp params;
1423
1424     params.status = HCI_SUCCESS;
1425     memcpy(params.dev_class, hci->device.class, sizeof(params.dev_class));
1426
1427     bt_hci_event_complete(hci, &params, READ_CLASS_OF_DEV_RP_SIZE);
1428 }
1429
1430 static inline void bt_hci_event_complete_voice_setting(struct bt_hci_s *hci)
1431 {
1432     read_voice_setting_rp params = {
1433         .status         = HCI_SUCCESS,
1434         .voice_setting  = hci->voice_setting,   /* Note: no swapping */
1435     };
1436
1437     bt_hci_event_complete(hci, &params, READ_VOICE_SETTING_RP_SIZE);
1438 }
1439
1440 static inline void bt_hci_event_complete_read_inquiry_mode(
1441                 struct bt_hci_s *hci)
1442 {
1443     read_inquiry_mode_rp params = {
1444         .status         = HCI_SUCCESS,
1445         .mode           = hci->lm.inquiry_mode,
1446     };
1447
1448     bt_hci_event_complete(hci, &params, READ_INQUIRY_MODE_RP_SIZE);
1449 }
1450
1451 static inline void bt_hci_event_num_comp_pkts(struct bt_hci_s *hci,
1452                 uint16_t handle, int packets)
1453 {
1454     uint16_t buf[EVT_NUM_COMP_PKTS_SIZE(1) / 2 + 1];
1455     evt_num_comp_pkts *params = (void *) ((uint8_t *) buf + 1);
1456
1457     params->num_hndl                    = 1;
1458     params->connection->handle          = HNDL(handle);
1459     params->connection->num_packets     = cpu_to_le16(packets);
1460
1461     bt_hci_event(hci, EVT_NUM_COMP_PKTS, params, EVT_NUM_COMP_PKTS_SIZE(1));
1462 }
1463
1464 static void bt_submit_hci(struct HCIInfo *info,
1465                 const uint8_t *data, int length)
1466 {
1467     struct bt_hci_s *hci = hci_from_info(info);
1468     uint16_t cmd;
1469     int paramlen, i;
1470
1471     if (length < HCI_COMMAND_HDR_SIZE)
1472         goto short_hci;
1473
1474     memcpy(&hci->last_cmd, data, 2);
1475
1476     cmd = (data[1] << 8) | data[0];
1477     paramlen = data[2];
1478     if (cmd_opcode_ogf(cmd) == 0 || cmd_opcode_ocf(cmd) == 0)   /* NOP */
1479         return;
1480
1481     data += HCI_COMMAND_HDR_SIZE;
1482     length -= HCI_COMMAND_HDR_SIZE;
1483
1484     if (paramlen > length)
1485         return;
1486
1487 #define PARAM(cmd, param)       (((cmd##_cp *) data)->param)
1488 #define PARAM16(cmd, param)     le16_to_cpup(&PARAM(cmd, param))
1489 #define PARAMHANDLE(cmd)        HNDL(PARAM(cmd, handle))
1490 #define LENGTH_CHECK(cmd)       if (length < sizeof(cmd##_cp)) goto short_hci
1491     /* Note: the supported commands bitmask in bt_hci_read_local_commands_rp
1492      * needs to be updated every time a command is implemented here!  */
1493     switch (cmd) {
1494     case cmd_opcode_pack(OGF_LINK_CTL, OCF_INQUIRY):
1495         LENGTH_CHECK(inquiry);
1496
1497         if (PARAM(inquiry, length) < 1) {
1498             bt_hci_event_complete_status(hci, HCI_INVALID_PARAMETERS);
1499             break;
1500         }
1501
1502         hci->lm.inquire = 1;
1503         hci->lm.periodic = 0;
1504         hci->lm.responses_left = PARAM(inquiry, num_rsp) ?: INT_MAX;
1505         hci->lm.responses = 0;
1506         bt_hci_event_status(hci, HCI_SUCCESS);
1507         bt_hci_inquiry_start(hci, PARAM(inquiry, length));
1508         break;
1509
1510     case cmd_opcode_pack(OGF_LINK_CTL, OCF_INQUIRY_CANCEL):
1511         if (!hci->lm.inquire || hci->lm.periodic) {
1512             fprintf(stderr, "%s: Inquiry Cancel should only be issued after "
1513                             "the Inquiry command has been issued, a Command "
1514                             "Status event has been received for the Inquiry "
1515                             "command, and before the Inquiry Complete event "
1516                             "occurs", __FUNCTION__);
1517             bt_hci_event_complete_status(hci, HCI_COMMAND_DISALLOWED);
1518             break;
1519         }
1520
1521         hci->lm.inquire = 0;
1522         qemu_del_timer(hci->lm.inquiry_done);
1523         bt_hci_event_complete_status(hci, HCI_SUCCESS);
1524         break;
1525
1526     case cmd_opcode_pack(OGF_LINK_CTL, OCF_PERIODIC_INQUIRY):
1527         LENGTH_CHECK(periodic_inquiry);
1528
1529         if (!(PARAM(periodic_inquiry, length) <
1530                                 PARAM16(periodic_inquiry, min_period) &&
1531                                 PARAM16(periodic_inquiry, min_period) <
1532                                 PARAM16(periodic_inquiry, max_period)) ||
1533                         PARAM(periodic_inquiry, length) < 1 ||
1534                         PARAM16(periodic_inquiry, min_period) < 2 ||
1535                         PARAM16(periodic_inquiry, max_period) < 3) {
1536             bt_hci_event_complete_status(hci, HCI_INVALID_PARAMETERS);
1537             break;
1538         }
1539
1540         hci->lm.inquire = 1;
1541         hci->lm.periodic = 1;
1542         hci->lm.responses_left = PARAM(periodic_inquiry, num_rsp);
1543         hci->lm.responses = 0;
1544         hci->lm.inquiry_period = PARAM16(periodic_inquiry, max_period);
1545         bt_hci_event_complete_status(hci, HCI_SUCCESS);
1546         bt_hci_inquiry_start(hci, PARAM(periodic_inquiry, length));
1547         break;
1548
1549     case cmd_opcode_pack(OGF_LINK_CTL, OCF_EXIT_PERIODIC_INQUIRY):
1550         if (!hci->lm.inquire || !hci->lm.periodic) {
1551             fprintf(stderr, "%s: Inquiry Cancel should only be issued after "
1552                             "the Inquiry command has been issued, a Command "
1553                             "Status event has been received for the Inquiry "
1554                             "command, and before the Inquiry Complete event "
1555                             "occurs", __FUNCTION__);
1556             bt_hci_event_complete_status(hci, HCI_COMMAND_DISALLOWED);
1557             break;
1558         }
1559         hci->lm.inquire = 0;
1560         qemu_del_timer(hci->lm.inquiry_done);
1561         qemu_del_timer(hci->lm.inquiry_next);
1562         bt_hci_event_complete_status(hci, HCI_SUCCESS);
1563         break;
1564
1565     case cmd_opcode_pack(OGF_LINK_CTL, OCF_CREATE_CONN):
1566         LENGTH_CHECK(create_conn);
1567
1568         if (hci->lm.connecting >= HCI_HANDLES_MAX) {
1569             bt_hci_event_status(hci, HCI_REJECTED_LIMITED_RESOURCES);
1570             break;
1571         }
1572         bt_hci_event_status(hci, HCI_SUCCESS);
1573
1574         if (bt_hci_connect(hci, &PARAM(create_conn, bdaddr)))
1575             bt_hci_connection_reject_event(hci, &PARAM(create_conn, bdaddr));
1576         break;
1577
1578     case cmd_opcode_pack(OGF_LINK_CTL, OCF_DISCONNECT):
1579         LENGTH_CHECK(disconnect);
1580
1581         if (bt_hci_handle_bad(hci, PARAMHANDLE(disconnect))) {
1582             bt_hci_event_status(hci, HCI_NO_CONNECTION);
1583             break;
1584         }
1585
1586         bt_hci_event_status(hci, HCI_SUCCESS);
1587         bt_hci_disconnect(hci, PARAMHANDLE(disconnect),
1588                         PARAM(disconnect, reason));
1589         break;
1590
1591     case cmd_opcode_pack(OGF_LINK_CTL, OCF_CREATE_CONN_CANCEL):
1592         LENGTH_CHECK(create_conn_cancel);
1593
1594         if (bt_hci_lmp_connection_ready(hci,
1595                                 &PARAM(create_conn_cancel, bdaddr))) {
1596             for (i = 0; i < HCI_HANDLES_MAX; i ++)
1597                 if (bt_hci_role_master(hci, i) && hci->lm.handle[i].link &&
1598                                 !bacmp(&hci->lm.handle[i].link->slave->bd_addr,
1599                                         &PARAM(create_conn_cancel, bdaddr)))
1600                    break;
1601
1602             bt_hci_event_complete_conn_cancel(hci, i < HCI_HANDLES_MAX ?
1603                             HCI_ACL_CONNECTION_EXISTS : HCI_NO_CONNECTION,
1604                             &PARAM(create_conn_cancel, bdaddr));
1605         } else
1606             bt_hci_event_complete_conn_cancel(hci, HCI_SUCCESS,
1607                             &PARAM(create_conn_cancel, bdaddr));
1608         break;
1609
1610     case cmd_opcode_pack(OGF_LINK_CTL, OCF_ACCEPT_CONN_REQ):
1611         LENGTH_CHECK(accept_conn_req);
1612
1613         if (!hci->conn_req_host ||
1614                         bacmp(&PARAM(accept_conn_req, bdaddr),
1615                                 &hci->conn_req_host->bd_addr)) {
1616             bt_hci_event_status(hci, HCI_INVALID_PARAMETERS);
1617             break;
1618         }
1619
1620         bt_hci_event_status(hci, HCI_SUCCESS);
1621         bt_hci_connection_accept(hci, hci->conn_req_host);
1622         hci->conn_req_host = NULL;
1623         break;
1624
1625     case cmd_opcode_pack(OGF_LINK_CTL, OCF_REJECT_CONN_REQ):
1626         LENGTH_CHECK(reject_conn_req);
1627
1628         if (!hci->conn_req_host ||
1629                         bacmp(&PARAM(reject_conn_req, bdaddr),
1630                                 &hci->conn_req_host->bd_addr)) {
1631             bt_hci_event_status(hci, HCI_INVALID_PARAMETERS);
1632             break;
1633         }
1634
1635         bt_hci_event_status(hci, HCI_SUCCESS);
1636         bt_hci_connection_reject(hci, hci->conn_req_host,
1637                         PARAM(reject_conn_req, reason));
1638         bt_hci_connection_reject_event(hci, &hci->conn_req_host->bd_addr);
1639         hci->conn_req_host = NULL;
1640         break;
1641
1642     case cmd_opcode_pack(OGF_LINK_CTL, OCF_AUTH_REQUESTED):
1643         LENGTH_CHECK(auth_requested);
1644
1645         if (bt_hci_handle_bad(hci, PARAMHANDLE(auth_requested)))
1646             bt_hci_event_status(hci, HCI_NO_CONNECTION);
1647         else {
1648             bt_hci_event_status(hci, HCI_SUCCESS);
1649             bt_hci_event_auth_complete(hci, PARAMHANDLE(auth_requested));
1650         }
1651         break;
1652
1653     case cmd_opcode_pack(OGF_LINK_CTL, OCF_SET_CONN_ENCRYPT):
1654         LENGTH_CHECK(set_conn_encrypt);
1655
1656         if (bt_hci_handle_bad(hci, PARAMHANDLE(set_conn_encrypt)))
1657             bt_hci_event_status(hci, HCI_NO_CONNECTION);
1658         else {
1659             bt_hci_event_status(hci, HCI_SUCCESS);
1660             bt_hci_event_encrypt_change(hci,
1661                             PARAMHANDLE(set_conn_encrypt),
1662                             PARAM(set_conn_encrypt, encrypt));
1663         }
1664         break;
1665
1666     case cmd_opcode_pack(OGF_LINK_CTL, OCF_REMOTE_NAME_REQ):
1667         LENGTH_CHECK(remote_name_req);
1668
1669         if (bt_hci_name_req(hci, &PARAM(remote_name_req, bdaddr)))
1670             bt_hci_event_status(hci, HCI_NO_CONNECTION);
1671         break;
1672
1673     case cmd_opcode_pack(OGF_LINK_CTL, OCF_REMOTE_NAME_REQ_CANCEL):
1674         LENGTH_CHECK(remote_name_req_cancel);
1675
1676         bt_hci_event_complete_name_cancel(hci,
1677                         &PARAM(remote_name_req_cancel, bdaddr));
1678         break;
1679
1680     case cmd_opcode_pack(OGF_LINK_CTL, OCF_READ_REMOTE_FEATURES):
1681         LENGTH_CHECK(read_remote_features);
1682
1683         if (bt_hci_features_req(hci, PARAMHANDLE(read_remote_features)))
1684             bt_hci_event_status(hci, HCI_NO_CONNECTION);
1685         break;
1686
1687     case cmd_opcode_pack(OGF_LINK_CTL, OCF_READ_REMOTE_EXT_FEATURES):
1688         LENGTH_CHECK(read_remote_ext_features);
1689
1690         if (bt_hci_handle_bad(hci, PARAMHANDLE(read_remote_ext_features)))
1691             bt_hci_event_status(hci, HCI_NO_CONNECTION);
1692         else {
1693             bt_hci_event_status(hci, HCI_SUCCESS);
1694             bt_hci_event_read_remote_ext_features(hci,
1695                             PARAMHANDLE(read_remote_ext_features));
1696         }
1697         break;
1698
1699     case cmd_opcode_pack(OGF_LINK_CTL, OCF_READ_REMOTE_VERSION):
1700         LENGTH_CHECK(read_remote_version);
1701
1702         if (bt_hci_version_req(hci, PARAMHANDLE(read_remote_version)))
1703             bt_hci_event_status(hci, HCI_NO_CONNECTION);
1704         break;
1705
1706     case cmd_opcode_pack(OGF_LINK_CTL, OCF_READ_CLOCK_OFFSET):
1707         LENGTH_CHECK(read_clock_offset);
1708
1709         if (bt_hci_clkoffset_req(hci, PARAMHANDLE(read_clock_offset)))
1710             bt_hci_event_status(hci, HCI_NO_CONNECTION);
1711         break;
1712
1713     case cmd_opcode_pack(OGF_LINK_CTL, OCF_READ_LMP_HANDLE):
1714         LENGTH_CHECK(read_lmp_handle);
1715
1716         /* TODO: */
1717         bt_hci_event_complete_lmp_handle(hci, PARAMHANDLE(read_lmp_handle));
1718         break;
1719
1720     case cmd_opcode_pack(OGF_LINK_POLICY, OCF_HOLD_MODE):
1721         LENGTH_CHECK(hold_mode);
1722
1723         if (PARAM16(hold_mode, min_interval) >
1724                         PARAM16(hold_mode, max_interval) ||
1725                         PARAM16(hold_mode, min_interval) < 0x0002 ||
1726                         PARAM16(hold_mode, max_interval) > 0xff00 ||
1727                         (PARAM16(hold_mode, min_interval) & 1) ||
1728                         (PARAM16(hold_mode, max_interval) & 1)) {
1729             bt_hci_event_status(hci, HCI_INVALID_PARAMETERS);
1730             break;
1731         }
1732
1733         if (bt_hci_mode_change(hci, PARAMHANDLE(hold_mode),
1734                                 PARAM16(hold_mode, max_interval),
1735                                 acl_hold))
1736             bt_hci_event_status(hci, HCI_NO_CONNECTION);
1737         break;
1738
1739     case cmd_opcode_pack(OGF_LINK_POLICY, OCF_PARK_MODE):
1740         LENGTH_CHECK(park_mode);
1741
1742         if (PARAM16(park_mode, min_interval) >
1743                         PARAM16(park_mode, max_interval) ||
1744                         PARAM16(park_mode, min_interval) < 0x000e ||
1745                         (PARAM16(park_mode, min_interval) & 1) ||
1746                         (PARAM16(park_mode, max_interval) & 1)) {
1747             bt_hci_event_status(hci, HCI_INVALID_PARAMETERS);
1748             break;
1749         }
1750
1751         if (bt_hci_mode_change(hci, PARAMHANDLE(park_mode),
1752                                 PARAM16(park_mode, max_interval),
1753                                 acl_parked))
1754             bt_hci_event_status(hci, HCI_NO_CONNECTION);
1755         break;
1756
1757     case cmd_opcode_pack(OGF_LINK_POLICY, OCF_EXIT_PARK_MODE):
1758         LENGTH_CHECK(exit_park_mode);
1759
1760         if (bt_hci_mode_cancel(hci, PARAMHANDLE(exit_park_mode),
1761                                 acl_parked))
1762             bt_hci_event_status(hci, HCI_NO_CONNECTION);
1763         break;
1764
1765     case cmd_opcode_pack(OGF_LINK_POLICY, OCF_ROLE_DISCOVERY):
1766         LENGTH_CHECK(role_discovery);
1767
1768         if (bt_hci_handle_bad(hci, PARAMHANDLE(role_discovery)))
1769             bt_hci_event_complete_role_discovery(hci,
1770                             HCI_NO_CONNECTION, PARAMHANDLE(role_discovery), 0);
1771         else
1772             bt_hci_event_complete_role_discovery(hci,
1773                             HCI_SUCCESS, PARAMHANDLE(role_discovery),
1774                             bt_hci_role_master(hci,
1775                                     PARAMHANDLE(role_discovery)));
1776         break;
1777
1778     case cmd_opcode_pack(OGF_HOST_CTL, OCF_SET_EVENT_MASK):
1779         LENGTH_CHECK(set_event_mask);
1780
1781         memcpy(hci->event_mask, PARAM(set_event_mask, mask), 8);
1782         bt_hci_event_complete_status(hci, HCI_SUCCESS);
1783         break;
1784
1785     case cmd_opcode_pack(OGF_HOST_CTL, OCF_RESET):
1786         bt_hci_reset(hci);
1787         bt_hci_event_status(hci, HCI_SUCCESS);
1788         break;
1789
1790     case cmd_opcode_pack(OGF_HOST_CTL, OCF_SET_EVENT_FLT):
1791         if (length >= 1 && PARAM(set_event_flt, flt_type) == FLT_CLEAR_ALL)
1792             /* No length check */;
1793         else
1794             LENGTH_CHECK(set_event_flt);
1795
1796         /* Filters are not implemented */
1797         bt_hci_event_complete_status(hci, HCI_SUCCESS);
1798         break;
1799
1800     case cmd_opcode_pack(OGF_HOST_CTL, OCF_FLUSH):
1801         LENGTH_CHECK(flush);
1802
1803         if (bt_hci_handle_bad(hci, PARAMHANDLE(flush)))
1804             bt_hci_event_complete_flush(hci,
1805                             HCI_NO_CONNECTION, PARAMHANDLE(flush));
1806         else {
1807             /* TODO: ordering? */
1808             bt_hci_event(hci, EVT_FLUSH_OCCURRED,
1809                             &PARAM(flush, handle),
1810                             EVT_FLUSH_OCCURRED_SIZE);
1811             bt_hci_event_complete_flush(hci,
1812                             HCI_SUCCESS, PARAMHANDLE(flush));
1813         }
1814         break;
1815
1816     case cmd_opcode_pack(OGF_HOST_CTL, OCF_CHANGE_LOCAL_NAME):
1817         LENGTH_CHECK(change_local_name);
1818
1819         if (hci->device.lmp_name)
1820             qemu_free((void *) hci->device.lmp_name);
1821         hci->device.lmp_name = qemu_strndup(PARAM(change_local_name, name),
1822                         sizeof(PARAM(change_local_name, name)));
1823         bt_hci_event_complete_status(hci, HCI_SUCCESS);
1824         break;
1825
1826     case cmd_opcode_pack(OGF_HOST_CTL, OCF_READ_LOCAL_NAME):
1827         bt_hci_event_complete_read_local_name(hci);
1828         break;
1829
1830     case cmd_opcode_pack(OGF_HOST_CTL, OCF_READ_CONN_ACCEPT_TIMEOUT):
1831         bt_hci_event_complete_read_conn_accept_timeout(hci);
1832         break;
1833
1834     case cmd_opcode_pack(OGF_HOST_CTL, OCF_WRITE_CONN_ACCEPT_TIMEOUT):
1835         /* TODO */
1836         LENGTH_CHECK(write_conn_accept_timeout);
1837
1838         if (PARAM16(write_conn_accept_timeout, timeout) < 0x0001 ||
1839                         PARAM16(write_conn_accept_timeout, timeout) > 0xb540) {
1840             bt_hci_event_complete_status(hci, HCI_INVALID_PARAMETERS);
1841             break;
1842         }
1843
1844         hci->conn_accept_tout = PARAM16(write_conn_accept_timeout, timeout);
1845         bt_hci_event_complete_status(hci, HCI_SUCCESS);
1846         break;
1847
1848     case cmd_opcode_pack(OGF_HOST_CTL, OCF_READ_SCAN_ENABLE):
1849         bt_hci_event_complete_read_scan_enable(hci);
1850         break;
1851
1852     case cmd_opcode_pack(OGF_HOST_CTL, OCF_WRITE_SCAN_ENABLE):
1853         LENGTH_CHECK(write_scan_enable);
1854
1855         /* TODO: check that the remaining bits are all 0 */
1856         hci->device.inquiry_scan =
1857                 !!(PARAM(write_scan_enable, scan_enable) & SCAN_INQUIRY);
1858         hci->device.page_scan =
1859                 !!(PARAM(write_scan_enable, scan_enable) & SCAN_PAGE);
1860         bt_hci_event_complete_status(hci, HCI_SUCCESS);
1861         break;
1862
1863     case cmd_opcode_pack(OGF_HOST_CTL, OCF_READ_CLASS_OF_DEV):
1864         bt_hci_event_complete_read_local_class(hci);
1865         break;
1866
1867     case cmd_opcode_pack(OGF_HOST_CTL, OCF_WRITE_CLASS_OF_DEV):
1868         LENGTH_CHECK(write_class_of_dev);
1869
1870         memcpy(hci->device.class, PARAM(write_class_of_dev, dev_class),
1871                         sizeof(PARAM(write_class_of_dev, dev_class)));
1872         bt_hci_event_complete_status(hci, HCI_SUCCESS);
1873         break;
1874
1875     case cmd_opcode_pack(OGF_HOST_CTL, OCF_READ_VOICE_SETTING):
1876         bt_hci_event_complete_voice_setting(hci);
1877         break;
1878
1879     case cmd_opcode_pack(OGF_HOST_CTL, OCF_WRITE_VOICE_SETTING):
1880         LENGTH_CHECK(write_voice_setting);
1881
1882         hci->voice_setting = PARAM(write_voice_setting, voice_setting);
1883         bt_hci_event_complete_status(hci, HCI_SUCCESS);
1884         break;
1885
1886     case cmd_opcode_pack(OGF_HOST_CTL, OCF_HOST_NUMBER_OF_COMPLETED_PACKETS):
1887         if (length < data[0] * 2 + 1)
1888             goto short_hci;
1889
1890         for (i = 0; i < data[0]; i ++)
1891             if (bt_hci_handle_bad(hci,
1892                                     data[i * 2 + 1] | (data[i * 2 + 2] << 8)))
1893                 bt_hci_event_complete_status(hci, HCI_INVALID_PARAMETERS);
1894         break;
1895
1896     case cmd_opcode_pack(OGF_HOST_CTL, OCF_READ_INQUIRY_MODE):
1897         /* Only if (local_features[3] & 0x40) && (local_commands[12] & 0x40)
1898          * else
1899          *     goto unknown_command */
1900         bt_hci_event_complete_read_inquiry_mode(hci);
1901         break;
1902
1903     case cmd_opcode_pack(OGF_HOST_CTL, OCF_WRITE_INQUIRY_MODE):
1904         /* Only if (local_features[3] & 0x40) && (local_commands[12] & 0x80)
1905          * else
1906          *     goto unknown_command */
1907         LENGTH_CHECK(write_inquiry_mode);
1908
1909         if (PARAM(write_inquiry_mode, mode) > 0x01) {
1910             bt_hci_event_complete_status(hci, HCI_INVALID_PARAMETERS);
1911             break;
1912         }
1913
1914         hci->lm.inquiry_mode = PARAM(write_inquiry_mode, mode);
1915         bt_hci_event_complete_status(hci, HCI_SUCCESS);
1916         break;
1917
1918     case cmd_opcode_pack(OGF_INFO_PARAM, OCF_READ_LOCAL_VERSION):
1919         bt_hci_read_local_version_rp(hci);
1920         break;
1921
1922     case cmd_opcode_pack(OGF_INFO_PARAM, OCF_READ_LOCAL_COMMANDS):
1923         bt_hci_read_local_commands_rp(hci);
1924         break;
1925
1926     case cmd_opcode_pack(OGF_INFO_PARAM, OCF_READ_LOCAL_FEATURES):
1927         bt_hci_read_local_features_rp(hci);
1928         break;
1929
1930     case cmd_opcode_pack(OGF_INFO_PARAM, OCF_READ_LOCAL_EXT_FEATURES):
1931         LENGTH_CHECK(read_local_ext_features);
1932
1933         bt_hci_read_local_ext_features_rp(hci,
1934                         PARAM(read_local_ext_features, page_num));
1935         break;
1936
1937     case cmd_opcode_pack(OGF_INFO_PARAM, OCF_READ_BUFFER_SIZE):
1938         bt_hci_read_buffer_size_rp(hci);
1939         break;
1940
1941     case cmd_opcode_pack(OGF_INFO_PARAM, OCF_READ_COUNTRY_CODE):
1942         bt_hci_read_country_code_rp(hci);
1943         break;
1944
1945     case cmd_opcode_pack(OGF_INFO_PARAM, OCF_READ_BD_ADDR):
1946         bt_hci_read_bd_addr_rp(hci);
1947         break;
1948
1949     case cmd_opcode_pack(OGF_STATUS_PARAM, OCF_READ_LINK_QUALITY):
1950         LENGTH_CHECK(read_link_quality);
1951
1952         bt_hci_link_quality_rp(hci, PARAMHANDLE(read_link_quality));
1953         break;
1954
1955     default:
1956         bt_hci_event_status(hci, HCI_UNKNOWN_COMMAND);
1957         break;
1958
1959     short_hci:
1960         fprintf(stderr, "%s: HCI packet too short (%iB)\n",
1961                         __FUNCTION__, length);
1962         bt_hci_event_status(hci, HCI_INVALID_PARAMETERS);
1963         break;
1964     }
1965 }
1966
1967 /* We could perform fragmentation here, we can't do "recombination" because
1968  * at this layer the length of the payload is not know ahead, so we only
1969  * know that a packet contained the last fragment of the SDU when the next
1970  * SDU starts.  */
1971 static inline void bt_hci_lmp_acl_data(struct bt_hci_s *hci, uint16_t handle,
1972                 const uint8_t *data, int start, int len)
1973 {
1974     struct hci_acl_hdr *pkt = (void *) hci->acl_buf;
1975
1976     /* TODO: packet flags */
1977     /* TODO: avoid memcpy'ing */
1978
1979     if (len + HCI_ACL_HDR_SIZE > sizeof(hci->acl_buf)) {
1980         fprintf(stderr, "%s: can't take ACL packets %i bytes long\n",
1981                         __FUNCTION__, len);
1982         return;
1983     }
1984     memcpy(hci->acl_buf + HCI_ACL_HDR_SIZE, data, len);
1985
1986     pkt->handle = cpu_to_le16(
1987                     acl_handle_pack(handle, start ? ACL_START : ACL_CONT));
1988     pkt->dlen = cpu_to_le16(len);
1989     hci->info.acl_recv(hci->info.opaque,
1990                     hci->acl_buf, len + HCI_ACL_HDR_SIZE);
1991 }
1992
1993 static void bt_hci_lmp_acl_data_slave(struct bt_link_s *btlink,
1994                 const uint8_t *data, int start, int len)
1995 {
1996     struct bt_hci_link_s *link = (struct bt_hci_link_s *) btlink;
1997
1998     bt_hci_lmp_acl_data(hci_from_device(btlink->slave),
1999                     link->handle, data, start, len);
2000 }
2001
2002 static void bt_hci_lmp_acl_data_host(struct bt_link_s *link,
2003                 const uint8_t *data, int start, int len)
2004 {
2005     bt_hci_lmp_acl_data(hci_from_device(link->host),
2006                     link->handle, data, start, len);
2007 }
2008
2009 static void bt_submit_acl(struct HCIInfo *info,
2010                 const uint8_t *data, int length)
2011 {
2012     struct bt_hci_s *hci = hci_from_info(info);
2013     uint16_t handle;
2014     int datalen, flags;
2015     struct bt_link_s *link;
2016
2017     if (length < HCI_ACL_HDR_SIZE) {
2018         fprintf(stderr, "%s: ACL packet too short (%iB)\n",
2019                         __FUNCTION__, length);
2020         return;
2021     }
2022
2023     handle = acl_handle((data[1] << 8) | data[0]);
2024     flags = acl_flags((data[1] << 8) | data[0]);
2025     datalen = (data[3] << 8) | data[2];
2026     data += HCI_ACL_HDR_SIZE;
2027     length -= HCI_ACL_HDR_SIZE;
2028
2029     if (bt_hci_handle_bad(hci, handle)) {
2030         fprintf(stderr, "%s: invalid ACL handle %03x\n",
2031                         __FUNCTION__, handle);
2032         /* TODO: signal an error */
2033         return;
2034     }
2035     handle &= ~HCI_HANDLE_OFFSET;
2036
2037     if (datalen > length) {
2038         fprintf(stderr, "%s: ACL packet too short (%iB < %iB)\n",
2039                         __FUNCTION__, length, datalen);
2040         return;
2041     }
2042
2043     link = hci->lm.handle[handle].link;
2044
2045     if ((flags & ~3) == ACL_ACTIVE_BCAST) {
2046         if (!hci->asb_handle)
2047             hci->asb_handle = handle;
2048         else if (handle != hci->asb_handle) {
2049             fprintf(stderr, "%s: Bad handle %03x in Active Slave Broadcast\n",
2050                             __FUNCTION__, handle);
2051             /* TODO: signal an error */
2052             return;
2053         }
2054
2055         /* TODO */
2056     }
2057
2058     if ((flags & ~3) == ACL_PICO_BCAST) {
2059         if (!hci->psb_handle)
2060             hci->psb_handle = handle;
2061         else if (handle != hci->psb_handle) {
2062             fprintf(stderr, "%s: Bad handle %03x in Parked Slave Broadcast\n",
2063                             __FUNCTION__, handle);
2064             /* TODO: signal an error */
2065             return;
2066         }
2067
2068         /* TODO */
2069     }
2070
2071     /* TODO: increase counter and send EVT_NUM_COMP_PKTS */
2072     bt_hci_event_num_comp_pkts(hci, handle | HCI_HANDLE_OFFSET, 1);
2073
2074     /* Do this last as it can trigger further events even in this HCI */
2075     hci->lm.handle[handle].lmp_acl_data(link, data,
2076                     (flags & 3) == ACL_START, length);
2077 }
2078
2079 static void bt_submit_sco(struct HCIInfo *info,
2080                 const uint8_t *data, int length)
2081 {
2082     struct bt_hci_s *hci = hci_from_info(info);
2083     struct bt_link_s *link;
2084     uint16_t handle;
2085     int datalen;
2086
2087     if (length < 3)
2088         return;
2089
2090     handle = acl_handle((data[1] << 8) | data[0]);
2091     datalen = data[2];
2092     data += 3;
2093     length -= 3;
2094
2095     if (bt_hci_handle_bad(hci, handle)) {
2096         fprintf(stderr, "%s: invalid SCO handle %03x\n",
2097                         __FUNCTION__, handle);
2098         return;
2099     }
2100     handle &= ~HCI_HANDLE_OFFSET;
2101
2102     if (datalen > length) {
2103         fprintf(stderr, "%s: SCO packet too short (%iB < %iB)\n",
2104                         __FUNCTION__, length, datalen);
2105         return;
2106     }
2107
2108     link = hci->lm.handle[handle].link;
2109     /* TODO */
2110
2111     /* TODO: increase counter and send EVT_NUM_COMP_PKTS if synchronous
2112      * Flow Control is enabled.
2113      * (See Read/Write_Synchronous_Flow_Control_Enable on page 513 and
2114      * page 514.)  */
2115 }
2116
2117 static uint8_t *bt_hci_evt_packet(void *opaque)
2118 {
2119     /* TODO: allocate a packet from upper layer */
2120     struct bt_hci_s *s = opaque;
2121
2122     return s->evt_buf;
2123 }
2124
2125 static void bt_hci_evt_submit(void *opaque, int len)
2126 {
2127     /* TODO: notify upper layer */
2128     struct bt_hci_s *s = opaque;
2129
2130     s->info.evt_recv(s->info.opaque, s->evt_buf, len);
2131 }
2132
2133 static int bt_hci_bdaddr_set(struct HCIInfo *info, const uint8_t *bd_addr)
2134 {
2135     struct bt_hci_s *hci = hci_from_info(info);
2136
2137     bacpy(&hci->device.bd_addr, (const bdaddr_t *) bd_addr);
2138     return 0;
2139 }
2140
2141 static void bt_hci_done(struct HCIInfo *info);
2142 static void bt_hci_destroy(struct bt_device_s *dev)
2143 {
2144     struct bt_hci_s *hci = hci_from_device(dev);
2145
2146     bt_hci_done(&hci->info);
2147 }
2148
2149 struct HCIInfo *bt_new_hci(struct bt_scatternet_s *net)
2150 {
2151     struct bt_hci_s *s = qemu_mallocz(sizeof(struct bt_hci_s));
2152
2153     s->lm.inquiry_done = qemu_new_timer(vm_clock, bt_hci_inquiry_done, s);
2154     s->lm.inquiry_next = qemu_new_timer(vm_clock, bt_hci_inquiry_next, s);
2155     s->conn_accept_timer =
2156             qemu_new_timer(vm_clock, bt_hci_conn_accept_timeout, s);
2157
2158     s->evt_packet = bt_hci_evt_packet;
2159     s->evt_submit = bt_hci_evt_submit;
2160     s->opaque = s;
2161
2162     bt_device_init(&s->device, net);
2163     s->device.lmp_connection_request = bt_hci_lmp_connection_request;
2164     s->device.lmp_connection_complete = bt_hci_lmp_connection_complete;
2165     s->device.lmp_disconnect_master = bt_hci_lmp_disconnect_host;
2166     s->device.lmp_disconnect_slave = bt_hci_lmp_disconnect_slave;
2167     s->device.lmp_acl_data = bt_hci_lmp_acl_data_slave;
2168     s->device.lmp_acl_resp = bt_hci_lmp_acl_data_host;
2169     s->device.lmp_mode_change = bt_hci_lmp_mode_change_slave;
2170
2171     /* Keep updated! */
2172     /* Also keep in sync with supported commands bitmask in
2173      * bt_hci_read_local_commands_rp */
2174     s->device.lmp_caps = 0x8000199b7e85355fll;
2175
2176     bt_hci_reset(s);
2177
2178     s->info.cmd_send = bt_submit_hci;
2179     s->info.sco_send = bt_submit_sco;
2180     s->info.acl_send = bt_submit_acl;
2181     s->info.bdaddr_set = bt_hci_bdaddr_set;
2182
2183     s->device.handle_destroy = bt_hci_destroy;
2184
2185     return &s->info;
2186 }
2187
2188 static void bt_hci_done(struct HCIInfo *info)
2189 {
2190     struct bt_hci_s *hci = hci_from_info(info);
2191     int handle;
2192
2193     bt_device_done(&hci->device);
2194
2195     if (hci->device.lmp_name)
2196         qemu_free((void *) hci->device.lmp_name);
2197
2198     /* Be gentle and send DISCONNECT to all connected peers and those
2199      * currently waiting for us to accept or reject a connection request.
2200      * This frees the links.  */
2201     if (hci->conn_req_host) {
2202         bt_hci_connection_reject(hci,
2203                                  hci->conn_req_host, HCI_OE_POWER_OFF);
2204         return;
2205     }
2206
2207     for (handle = HCI_HANDLE_OFFSET;
2208                     handle < (HCI_HANDLE_OFFSET | HCI_HANDLES_MAX); handle ++)
2209         if (!bt_hci_handle_bad(hci, handle))
2210             bt_hci_disconnect(hci, handle, HCI_OE_POWER_OFF);
2211
2212     /* TODO: this is not enough actually, there may be slaves from whom
2213      * we have requested a connection who will soon (or not) respond with
2214      * an accept or a reject, so we should also check if hci->lm.connecting
2215      * is non-zero and if so, avoid freeing the hci but otherwise disappear
2216      * from all qemu social life (e.g. stop scanning and request to be
2217      * removed from s->device.net) and arrange for
2218      * s->device.lmp_connection_complete to free the remaining bits once
2219      * hci->lm.awaiting_bdaddr[] is empty.  */
2220
2221     qemu_free_timer(hci->lm.inquiry_done);
2222     qemu_free_timer(hci->lm.inquiry_next);
2223     qemu_free_timer(hci->conn_accept_timer);
2224
2225     qemu_free(hci);
2226 }
Unnamed repository; edit this file to name it for gitweb.