1 /* $NetBSD: hci_event.c,v 1.25 2018/08/21 14:59:13 plunky Exp $ */ 2 3 /*- 4 * Copyright (c) 2005 Iain Hibbert. 5 * Copyright (c) 2006 Itronix Inc. 6 * All rights reserved. 7 * 8 * Redistribution and use in source and binary forms, with or without 9 * modification, are permitted provided that the following conditions 10 * are met: 11 * 1. Redistributions of source code must retain the above copyright 12 * notice, this list of conditions and the following disclaimer. 13 * 2. Redistributions in binary form must reproduce the above copyright 14 * notice, this list of conditions and the following disclaimer in the 15 * documentation and/or other materials provided with the distribution. 16 * 3. The name of Itronix Inc. may not be used to endorse 17 * or promote products derived from this software without specific 18 * prior written permission. 19 * 20 * THIS SOFTWARE IS PROVIDED BY ITRONIX INC. ``AS IS'' AND 21 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED 22 * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 23 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL ITRONIX INC. BE LIABLE FOR ANY 24 * DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES 25 * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 26 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND 27 * ON ANY THEORY OF LIABILITY, WHETHER IN 28 * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 29 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 30 * POSSIBILITY OF SUCH DAMAGE. 31 */ 32 33 #include <sys/cdefs.h> 34 __KERNEL_RCSID(0, "$NetBSD: hci_event.c,v 1.25 2018/08/21 14:59:13 plunky Exp $"); 35 36 #include <sys/param.h> 37 #include <sys/kernel.h> 38 #include <sys/malloc.h> 39 #include <sys/mbuf.h> 40 #include <sys/proc.h> 41 #include <sys/systm.h> 42 43 #include <netbt/bluetooth.h> 44 #include <netbt/hci.h> 45 #include <netbt/sco.h> 46 47 static void hci_event_inquiry_result(struct hci_unit *, struct mbuf *); 48 static void hci_event_rssi_result(struct hci_unit *, struct mbuf *); 49 static void hci_event_extended_result(struct hci_unit *, struct mbuf *); 50 static void hci_event_command_status(struct hci_unit *, struct mbuf *); 51 static void hci_event_command_compl(struct hci_unit *, struct mbuf *); 52 static void hci_event_con_compl(struct hci_unit *, struct mbuf *); 53 static void hci_event_discon_compl(struct hci_unit *, struct mbuf *); 54 static void hci_event_con_req(struct hci_unit *, struct mbuf *); 55 static void hci_event_num_compl_pkts(struct hci_unit *, struct mbuf *); 56 static void hci_event_auth_compl(struct hci_unit *, struct mbuf *); 57 static void hci_event_encryption_change(struct hci_unit *, struct mbuf *); 58 static void hci_event_change_con_link_key_compl(struct hci_unit *, struct mbuf *); 59 static void hci_event_read_clock_offset_compl(struct hci_unit *, struct mbuf *); 60 static void hci_cmd_read_bdaddr(struct hci_unit *, struct mbuf *); 61 static void hci_cmd_read_buffer_size(struct hci_unit *, struct mbuf *); 62 static void hci_cmd_read_local_features(struct hci_unit *, struct mbuf *); 63 static void hci_cmd_read_local_extended_features(struct hci_unit *, struct mbuf *); 64 static void hci_cmd_read_local_ver(struct hci_unit *, struct mbuf *); 65 static void hci_cmd_read_local_commands(struct hci_unit *, struct mbuf *); 66 static void hci_cmd_reset(struct hci_unit *, struct mbuf *); 67 static void hci_cmd_create_con(struct hci_unit *unit, uint8_t status); 68 69 #ifdef BLUETOOTH_DEBUG 70 int bluetooth_debug; 71 72 static const char *hci_eventnames[] = { 73 /* 0x00 */ "NULL", 74 /* 0x01 */ "INQUIRY COMPLETE", 75 /* 0x02 */ "INQUIRY RESULT", 76 /* 0x03 */ "CONN COMPLETE", 77 /* 0x04 */ "CONN REQ", 78 /* 0x05 */ "DISCONN COMPLETE", 79 /* 0x06 */ "AUTH COMPLETE", 80 /* 0x07 */ "REMOTE NAME REQ COMPLETE", 81 /* 0x08 */ "ENCRYPTION CHANGE", 82 /* 0x09 */ "CHANGE CONN LINK KEY COMPLETE", 83 /* 0x0a */ "MASTER LINK KEY COMPLETE", 84 /* 0x0b */ "READ REMOTE FEATURES COMPLETE", 85 /* 0x0c */ "READ REMOTE VERSION INFO COMPLETE", 86 /* 0x0d */ "QoS SETUP COMPLETE", 87 /* 0x0e */ "COMMAND COMPLETE", 88 /* 0x0f */ "COMMAND STATUS", 89 /* 0x10 */ "HARDWARE ERROR", 90 /* 0x11 */ "FLUSH OCCUR", 91 /* 0x12 */ "ROLE CHANGE", 92 /* 0x13 */ "NUM COMPLETED PACKETS", 93 /* 0x14 */ "MODE CHANGE", 94 /* 0x15 */ "RETURN LINK KEYS", 95 /* 0x16 */ "PIN CODE REQ", 96 /* 0x17 */ "LINK KEY REQ", 97 /* 0x18 */ "LINK KEY NOTIFICATION", 98 /* 0x19 */ "LOOPBACK COMMAND", 99 /* 0x1a */ "DATA BUFFER OVERFLOW", 100 /* 0x1b */ "MAX SLOT CHANGE", 101 /* 0x1c */ "READ CLOCK OFFSET COMPLETE", 102 /* 0x1d */ "CONN PKT TYPE CHANGED", 103 /* 0x1e */ "QOS VIOLATION", 104 /* 0x1f */ "PAGE SCAN MODE CHANGE", 105 /* 0x20 */ "PAGE SCAN REP MODE CHANGE", 106 /* 0x21 */ "FLOW SPECIFICATION COMPLETE", 107 /* 0x22 */ "RSSI RESULT", 108 /* 0x23 */ "READ REMOTE EXT FEATURES", 109 /* 0x24 */ "UNKNOWN", 110 /* 0x25 */ "UNKNOWN", 111 /* 0x26 */ "UNKNOWN", 112 /* 0x27 */ "UNKNOWN", 113 /* 0x28 */ "UNKNOWN", 114 /* 0x29 */ "UNKNOWN", 115 /* 0x2a */ "UNKNOWN", 116 /* 0x2b */ "UNKNOWN", 117 /* 0x2c */ "SCO CON COMPLETE", 118 /* 0x2d */ "SCO CON CHANGED", 119 /* 0x2e */ "SNIFF SUBRATING", 120 /* 0x2f */ "EXTENDED INQUIRY RESULT", 121 /* 0x30 */ "ENCRYPTION KEY REFRESH", 122 /* 0x31 */ "IO CAPABILITY REQUEST", 123 /* 0x32 */ "IO CAPABILITY RESPONSE", 124 /* 0x33 */ "USER CONFIRM REQUEST", 125 /* 0x34 */ "USER PASSKEY REQUEST", 126 /* 0x35 */ "REMOTE OOB DATA REQUEST", 127 /* 0x36 */ "SIMPLE PAIRING COMPLETE", 128 /* 0x37 */ "UNKNOWN", 129 /* 0x38 */ "LINK SUPERVISION TIMEOUT CHANGED", 130 /* 0x39 */ "ENHANCED FLUSH COMPLETE", 131 /* 0x3a */ "UNKNOWN", 132 /* 0x3b */ "USER PASSKEY NOTIFICATION", 133 /* 0x3c */ "KEYPRESS NOTIFICATION", 134 /* 0x3d */ "REMOTE HOST FEATURES NOTIFICATION", 135 }; 136 137 static const char * 138 hci_eventstr(unsigned int event) 139 { 140 141 if (event < __arraycount(hci_eventnames)) 142 return hci_eventnames[event]; 143 144 switch (event) { 145 case HCI_EVENT_BT_LOGO: /* 0xfe */ 146 return "BT_LOGO"; 147 148 case HCI_EVENT_VENDOR: /* 0xff */ 149 return "VENDOR"; 150 } 151 152 return "UNKNOWN"; 153 } 154 #endif /* BLUETOOTH_DEBUG */ 155 156 /* 157 * process HCI Events 158 * 159 * We will free the mbuf at the end, no need for any sub 160 * functions to handle that. 161 */ 162 void 163 hci_event(struct mbuf *m, struct hci_unit *unit) 164 { 165 hci_event_hdr_t hdr; 166 167 KASSERT(m->m_flags & M_PKTHDR); 168 169 if (m->m_pkthdr.len < sizeof(hdr)) 170 goto done; 171 172 m_copydata(m, 0, sizeof(hdr), &hdr); 173 m_adj(m, sizeof(hdr)); 174 175 KASSERT(hdr.type == HCI_EVENT_PKT); 176 if (m->m_pkthdr.len != hdr.length) 177 goto done; 178 179 DPRINTFN(1, "(%s) event %s\n", 180 device_xname(unit->hci_dev), hci_eventstr(hdr.event)); 181 182 switch(hdr.event) { 183 case HCI_EVENT_COMMAND_STATUS: 184 hci_event_command_status(unit, m); 185 break; 186 187 case HCI_EVENT_COMMAND_COMPL: 188 hci_event_command_compl(unit, m); 189 break; 190 191 case HCI_EVENT_NUM_COMPL_PKTS: 192 hci_event_num_compl_pkts(unit, m); 193 break; 194 195 case HCI_EVENT_INQUIRY_RESULT: 196 hci_event_inquiry_result(unit, m); 197 break; 198 199 case HCI_EVENT_RSSI_RESULT: 200 hci_event_rssi_result(unit, m); 201 break; 202 203 case HCI_EVENT_EXTENDED_RESULT: 204 hci_event_extended_result(unit, m); 205 break; 206 207 case HCI_EVENT_CON_COMPL: 208 hci_event_con_compl(unit, m); 209 break; 210 211 case HCI_EVENT_DISCON_COMPL: 212 hci_event_discon_compl(unit, m); 213 break; 214 215 case HCI_EVENT_CON_REQ: 216 hci_event_con_req(unit, m); 217 break; 218 219 case HCI_EVENT_AUTH_COMPL: 220 hci_event_auth_compl(unit, m); 221 break; 222 223 case HCI_EVENT_ENCRYPTION_CHANGE: 224 hci_event_encryption_change(unit, m); 225 break; 226 227 case HCI_EVENT_CHANGE_CON_LINK_KEY_COMPL: 228 hci_event_change_con_link_key_compl(unit, m); 229 break; 230 231 case HCI_EVENT_READ_CLOCK_OFFSET_COMPL: 232 hci_event_read_clock_offset_compl(unit, m); 233 break; 234 235 default: 236 break; 237 } 238 239 done: 240 m_freem(m); 241 } 242 243 /* 244 * Command Status 245 * 246 * Restart command queue and post-process any pending commands 247 */ 248 static void 249 hci_event_command_status(struct hci_unit *unit, struct mbuf *m) 250 { 251 hci_command_status_ep ep; 252 253 if (m->m_pkthdr.len < sizeof(ep)) 254 return; 255 256 m_copydata(m, 0, sizeof(ep), &ep); 257 m_adj(m, sizeof(ep)); 258 259 ep.opcode = le16toh(ep.opcode); 260 261 DPRINTFN(1, "(%s) opcode (%03x|%04x) status = 0x%x num_cmd_pkts = %d\n", 262 device_xname(unit->hci_dev), 263 HCI_OGF(ep.opcode), HCI_OCF(ep.opcode), 264 ep.status, 265 ep.num_cmd_pkts); 266 267 hci_num_cmds(unit, ep.num_cmd_pkts); 268 269 /* 270 * post processing of pending commands 271 */ 272 switch(ep.opcode) { 273 case HCI_CMD_CREATE_CON: 274 hci_cmd_create_con(unit, ep.status); 275 break; 276 277 default: 278 if (ep.status == 0) 279 break; 280 281 aprint_error_dev(unit->hci_dev, 282 "CommandStatus opcode (%03x|%04x) failed (status=0x%02x)\n", 283 HCI_OGF(ep.opcode), HCI_OCF(ep.opcode), 284 ep.status); 285 286 break; 287 } 288 } 289 290 /* 291 * Command Complete 292 * 293 * Restart command queue and handle the completed command 294 */ 295 static void 296 hci_event_command_compl(struct hci_unit *unit, struct mbuf *m) 297 { 298 hci_command_compl_ep ep; 299 hci_status_rp rp; 300 301 if (m->m_pkthdr.len < sizeof(ep)) 302 return; 303 304 m_copydata(m, 0, sizeof(ep), &ep); 305 m_adj(m, sizeof(ep)); 306 307 DPRINTFN(1, "(%s) opcode (%03x|%04x) num_cmd_pkts = %d\n", 308 device_xname(unit->hci_dev), 309 HCI_OGF(le16toh(ep.opcode)), HCI_OCF(le16toh(ep.opcode)), 310 ep.num_cmd_pkts); 311 312 hci_num_cmds(unit, ep.num_cmd_pkts); 313 314 /* 315 * I am not sure if this is completely correct, it is not guaranteed 316 * that a command_complete packet will contain the status though most 317 * do seem to. 318 */ 319 if (m->m_pkthdr.len >= sizeof(rp)) { 320 m_copydata(m, 0, sizeof(rp), &rp); 321 if (rp.status > 0) 322 aprint_error_dev(unit->hci_dev, 323 "CommandComplete opcode (%03x|%04x) failed (status=0x%02x)\n", 324 HCI_OGF(le16toh(ep.opcode)), HCI_OCF(le16toh(ep.opcode)), 325 rp.status); 326 } 327 328 /* 329 * post processing of completed commands 330 */ 331 switch(le16toh(ep.opcode)) { 332 case HCI_CMD_READ_BDADDR: 333 hci_cmd_read_bdaddr(unit, m); 334 break; 335 336 case HCI_CMD_READ_BUFFER_SIZE: 337 hci_cmd_read_buffer_size(unit, m); 338 break; 339 340 case HCI_CMD_READ_LOCAL_FEATURES: 341 hci_cmd_read_local_features(unit, m); 342 break; 343 344 case HCI_CMD_READ_LOCAL_EXTENDED_FEATURES: 345 hci_cmd_read_local_extended_features(unit, m); 346 break; 347 348 case HCI_CMD_READ_LOCAL_VER: 349 hci_cmd_read_local_ver(unit, m); 350 break; 351 352 case HCI_CMD_READ_LOCAL_COMMANDS: 353 hci_cmd_read_local_commands(unit, m); 354 break; 355 356 case HCI_CMD_RESET: 357 hci_cmd_reset(unit, m); 358 break; 359 360 default: 361 break; 362 } 363 } 364 365 /* 366 * Number of Completed Packets 367 * 368 * This is sent periodically by the Controller telling us how many 369 * buffers are now freed up and which handle was using them. From 370 * this we determine which type of buffer it was and add the qty 371 * back into the relevant packet counter, then restart output on 372 * links that have halted. 373 */ 374 static void 375 hci_event_num_compl_pkts(struct hci_unit *unit, struct mbuf *m) 376 { 377 hci_num_compl_pkts_ep ep; 378 struct hci_link *link, *next; 379 uint16_t handle, num; 380 int num_acl = 0, num_sco = 0; 381 382 if (m->m_pkthdr.len < sizeof(ep)) 383 return; 384 385 m_copydata(m, 0, sizeof(ep), &ep); 386 m_adj(m, sizeof(ep)); 387 388 if (m->m_pkthdr.len < ep.num_con_handles * (sizeof(handle) + sizeof(num))) 389 return; 390 391 while (ep.num_con_handles--) { 392 m_copydata(m, 0, sizeof(handle), &handle); 393 m_adj(m, sizeof(handle)); 394 handle = le16toh(handle); 395 396 m_copydata(m, 0, sizeof(num), &num); 397 m_adj(m, sizeof(num)); 398 num = le16toh(num); 399 400 link = hci_link_lookup_handle(unit, handle); 401 if (link) { 402 if (link->hl_type == HCI_LINK_ACL) { 403 num_acl += num; 404 hci_acl_complete(link, num); 405 } else { 406 num_sco += num; 407 hci_sco_complete(link, num); 408 } 409 } else { 410 /* XXX need to issue Read_Buffer_Size or Reset? */ 411 aprint_error_dev(unit->hci_dev, 412 "unknown handle %d! (losing track of %d packet buffer%s)\n", 413 handle, num, (num == 1 ? "" : "s")); 414 } 415 } 416 417 /* 418 * Move up any queued packets. When a link has sent data, it will move 419 * to the back of the queue - technically then if a link had something 420 * to send and there were still buffers available it could get started 421 * twice but it seemed more important to to handle higher loads fairly 422 * than worry about wasting cycles when we are not busy. 423 */ 424 425 unit->hci_num_acl_pkts += num_acl; 426 unit->hci_num_sco_pkts += num_sco; 427 428 link = TAILQ_FIRST(&unit->hci_links); 429 while (link && (unit->hci_num_acl_pkts > 0 || unit->hci_num_sco_pkts > 0)) { 430 next = TAILQ_NEXT(link, hl_next); 431 432 if (link->hl_type == HCI_LINK_ACL) { 433 if (unit->hci_num_acl_pkts > 0 && link->hl_txqlen > 0) 434 hci_acl_start(link); 435 } else { 436 if (unit->hci_num_sco_pkts > 0 && link->hl_txqlen > 0) 437 hci_sco_start(link); 438 } 439 440 link = next; 441 } 442 } 443 444 /* 445 * Inquiry Result 446 * 447 * keep a note of devices seen, so we know which unit to use 448 * on outgoing connections 449 */ 450 static void 451 hci_event_inquiry_result(struct hci_unit *unit, struct mbuf *m) 452 { 453 hci_inquiry_result_ep ep; 454 hci_inquiry_response ir; 455 struct hci_memo *memo; 456 457 if (m->m_pkthdr.len < sizeof(ep)) 458 return; 459 460 m_copydata(m, 0, sizeof(ep), &ep); 461 m_adj(m, sizeof(ep)); 462 463 DPRINTFN(1, "%d response%s\n", ep.num_responses, 464 (ep.num_responses == 1 ? "" : "s")); 465 466 while(ep.num_responses--) { 467 if (m->m_pkthdr.len < sizeof(ir)) 468 return; 469 470 m_copydata(m, 0, sizeof(ir), &ir); 471 m_adj(m, sizeof(ir)); 472 473 DPRINTFN(1, "bdaddr %02x:%02x:%02x:%02x:%02x:%02x\n", 474 ir.bdaddr.b[5], ir.bdaddr.b[4], ir.bdaddr.b[3], 475 ir.bdaddr.b[2], ir.bdaddr.b[1], ir.bdaddr.b[0]); 476 477 memo = hci_memo_new(unit, &ir.bdaddr); 478 if (memo != NULL) { 479 memo->page_scan_rep_mode = ir.page_scan_rep_mode; 480 memo->page_scan_mode = ir.page_scan_mode; 481 memo->clock_offset = ir.clock_offset; 482 } 483 } 484 } 485 486 /* 487 * Inquiry Result with RSSI 488 * 489 * as above but different packet when RSSI result is enabled 490 */ 491 static void 492 hci_event_rssi_result(struct hci_unit *unit, struct mbuf *m) 493 { 494 hci_rssi_result_ep ep; 495 hci_rssi_response rr; 496 struct hci_memo *memo; 497 498 if (m->m_pkthdr.len < sizeof(ep)) 499 return; 500 501 m_copydata(m, 0, sizeof(ep), &ep); 502 m_adj(m, sizeof(ep)); 503 504 DPRINTFN(1, "%d response%s\n", ep.num_responses, 505 (ep.num_responses == 1 ? "" : "s")); 506 507 while(ep.num_responses--) { 508 if (m->m_pkthdr.len < sizeof(rr)) 509 return; 510 511 m_copydata(m, 0, sizeof(rr), &rr); 512 m_adj(m, sizeof(rr)); 513 514 DPRINTFN(1, "bdaddr %02x:%02x:%02x:%02x:%02x:%02x\n", 515 rr.bdaddr.b[5], rr.bdaddr.b[4], rr.bdaddr.b[3], 516 rr.bdaddr.b[2], rr.bdaddr.b[1], rr.bdaddr.b[0]); 517 518 memo = hci_memo_new(unit, &rr.bdaddr); 519 if (memo != NULL) { 520 memo->page_scan_rep_mode = rr.page_scan_rep_mode; 521 memo->page_scan_mode = 0; 522 memo->clock_offset = rr.clock_offset; 523 } 524 } 525 } 526 527 /* 528 * Extended Inquiry Result 529 * 530 * as above but provides only one response and extended service info 531 */ 532 static void 533 hci_event_extended_result(struct hci_unit *unit, struct mbuf *m) 534 { 535 hci_extended_result_ep ep; 536 struct hci_memo *memo; 537 538 if (m->m_pkthdr.len < sizeof(ep)) 539 return; 540 541 m_copydata(m, 0, sizeof(ep), &ep); 542 m_adj(m, sizeof(ep)); 543 544 if (ep.num_responses != 1) 545 return; 546 547 DPRINTFN(1, "bdaddr %02x:%02x:%02x:%02x:%02x:%02x\n", 548 ep.bdaddr.b[5], ep.bdaddr.b[4], ep.bdaddr.b[3], 549 ep.bdaddr.b[2], ep.bdaddr.b[1], ep.bdaddr.b[0]); 550 551 memo = hci_memo_new(unit, &ep.bdaddr); 552 if (memo != NULL) { 553 memo->page_scan_rep_mode = ep.page_scan_rep_mode; 554 memo->page_scan_mode = 0; 555 memo->clock_offset = ep.clock_offset; 556 } 557 } 558 559 /* 560 * Connection Complete 561 * 562 * Sent to us when a connection is made. If there is no link 563 * structure already allocated for this, we must have changed 564 * our mind, so just disconnect. 565 */ 566 static void 567 hci_event_con_compl(struct hci_unit *unit, struct mbuf *m) 568 { 569 hci_con_compl_ep ep; 570 hci_write_link_policy_settings_cp cp; 571 struct hci_link *link; 572 int err; 573 574 if (m->m_pkthdr.len < sizeof(ep)) 575 return; 576 577 m_copydata(m, 0, sizeof(ep), &ep); 578 m_adj(m, sizeof(ep)); 579 580 DPRINTFN(1, "(%s) %s connection complete for " 581 "%02x:%02x:%02x:%02x:%02x:%02x status %#x\n", 582 device_xname(unit->hci_dev), 583 (ep.link_type == HCI_LINK_ACL ? "ACL" : "SCO"), 584 ep.bdaddr.b[5], ep.bdaddr.b[4], ep.bdaddr.b[3], 585 ep.bdaddr.b[2], ep.bdaddr.b[1], ep.bdaddr.b[0], 586 ep.status); 587 588 link = hci_link_lookup_bdaddr(unit, &ep.bdaddr, ep.link_type); 589 590 if (ep.status) { 591 if (link != NULL) { 592 switch (ep.status) { 593 case 0x04: /* "Page Timeout" */ 594 err = EHOSTDOWN; 595 break; 596 597 case 0x08: /* "Connection Timed Out" */ 598 err = ETIMEDOUT; 599 break; 600 601 case 0x16: /* "Connection Terminated by Local Host" */ 602 err = 0; 603 break; 604 605 default: 606 err = ECONNREFUSED; 607 break; 608 } 609 610 hci_link_free(link, err); 611 } 612 613 return; 614 } 615 616 if (link == NULL) { 617 hci_discon_cp dp; 618 619 dp.con_handle = ep.con_handle; 620 dp.reason = 0x13; /* "Remote User Terminated Connection" */ 621 622 hci_send_cmd(unit, HCI_CMD_DISCONNECT, &dp, sizeof(dp)); 623 return; 624 } 625 626 /* XXX could check auth_enable here */ 627 628 if (ep.encryption_mode) 629 link->hl_flags |= (HCI_LINK_AUTH | HCI_LINK_ENCRYPT); 630 631 link->hl_state = HCI_LINK_OPEN; 632 link->hl_handle = HCI_CON_HANDLE(le16toh(ep.con_handle)); 633 634 if (ep.link_type == HCI_LINK_ACL) { 635 cp.con_handle = ep.con_handle; 636 cp.settings = htole16(unit->hci_link_policy); 637 err = hci_send_cmd(unit, HCI_CMD_WRITE_LINK_POLICY_SETTINGS, 638 &cp, sizeof(cp)); 639 if (err) 640 aprint_error_dev(unit->hci_dev, 641 "Warning, could not write link policy\n"); 642 643 err = hci_send_cmd(unit, HCI_CMD_READ_CLOCK_OFFSET, 644 &cp.con_handle, sizeof(cp.con_handle)); 645 if (err) 646 aprint_error_dev(unit->hci_dev, 647 "Warning, could not read clock offset\n"); 648 649 err = hci_acl_setmode(link); 650 if (err == EINPROGRESS) 651 return; 652 653 hci_acl_linkmode(link); 654 } else { 655 (*link->hl_sco->sp_proto->connected)(link->hl_sco->sp_upper); 656 } 657 } 658 659 /* 660 * Disconnection Complete 661 * 662 * This is sent in response to a disconnection request, but also if 663 * the remote device goes out of range. 664 */ 665 static void 666 hci_event_discon_compl(struct hci_unit *unit, struct mbuf *m) 667 { 668 hci_discon_compl_ep ep; 669 struct hci_link *link; 670 671 if (m->m_pkthdr.len < sizeof(ep)) 672 return; 673 674 m_copydata(m, 0, sizeof(ep), &ep); 675 m_adj(m, sizeof(ep)); 676 677 ep.con_handle = le16toh(ep.con_handle); 678 679 DPRINTFN(1, "handle #%d, status=0x%x\n", ep.con_handle, ep.status); 680 681 link = hci_link_lookup_handle(unit, HCI_CON_HANDLE(ep.con_handle)); 682 if (link) 683 hci_link_free(link, ENOLINK); 684 } 685 686 /* 687 * Connect Request 688 * 689 * We check upstream for appropriate listeners and accept connections 690 * that are wanted. 691 */ 692 static void 693 hci_event_con_req(struct hci_unit *unit, struct mbuf *m) 694 { 695 hci_con_req_ep ep; 696 hci_accept_con_cp ap; 697 hci_reject_con_cp rp; 698 struct hci_link *link; 699 700 if (m->m_pkthdr.len < sizeof(ep)) 701 return; 702 703 m_copydata(m, 0, sizeof(ep), &ep); 704 m_adj(m, sizeof(ep)); 705 706 DPRINTFN(1, "bdaddr %2.2x:%2.2x:%2.2x:%2.2x:%2.2x:%2.2x " 707 "class %2.2x%2.2x%2.2x type %s\n", 708 ep.bdaddr.b[5], ep.bdaddr.b[4], ep.bdaddr.b[3], 709 ep.bdaddr.b[2], ep.bdaddr.b[1], ep.bdaddr.b[0], 710 ep.uclass[0], ep.uclass[1], ep.uclass[2], 711 ep.link_type == HCI_LINK_ACL ? "ACL" : "SCO"); 712 713 if (ep.link_type == HCI_LINK_ACL) 714 link = hci_acl_newconn(unit, &ep.bdaddr); 715 else 716 link = hci_sco_newconn(unit, &ep.bdaddr); 717 718 if (link == NULL) { 719 memset(&rp, 0, sizeof(rp)); 720 bdaddr_copy(&rp.bdaddr, &ep.bdaddr); 721 rp.reason = 0x0f; /* Unacceptable BD_ADDR */ 722 723 hci_send_cmd(unit, HCI_CMD_REJECT_CON, &rp, sizeof(rp)); 724 } else { 725 memset(&ap, 0, sizeof(ap)); 726 bdaddr_copy(&ap.bdaddr, &ep.bdaddr); 727 if (unit->hci_flags & BTF_MASTER) 728 ap.role = HCI_ROLE_MASTER; 729 else 730 ap.role = HCI_ROLE_SLAVE; 731 732 hci_send_cmd(unit, HCI_CMD_ACCEPT_CON, &ap, sizeof(ap)); 733 } 734 } 735 736 /* 737 * Auth Complete 738 * 739 * Authentication has been completed on an ACL link. We can notify the 740 * upper layer protocols unless further mode changes are pending. 741 */ 742 static void 743 hci_event_auth_compl(struct hci_unit *unit, struct mbuf *m) 744 { 745 hci_auth_compl_ep ep; 746 struct hci_link *link; 747 int err; 748 749 if (m->m_pkthdr.len < sizeof(ep)) 750 return; 751 752 m_copydata(m, 0, sizeof(ep), &ep); 753 m_adj(m, sizeof(ep)); 754 755 ep.con_handle = HCI_CON_HANDLE(le16toh(ep.con_handle)); 756 757 DPRINTFN(1, "handle #%d, status=0x%x\n", ep.con_handle, ep.status); 758 759 link = hci_link_lookup_handle(unit, ep.con_handle); 760 if (link == NULL || link->hl_type != HCI_LINK_ACL) 761 return; 762 763 if (ep.status == 0) { 764 link->hl_flags |= HCI_LINK_AUTH; 765 766 if (link->hl_state == HCI_LINK_WAIT_AUTH) 767 link->hl_state = HCI_LINK_OPEN; 768 769 err = hci_acl_setmode(link); 770 if (err == EINPROGRESS) 771 return; 772 } 773 774 hci_acl_linkmode(link); 775 } 776 777 /* 778 * Encryption Change 779 * 780 * The encryption status has changed. Basically, we note the change 781 * then notify the upper layer protocol unless further mode changes 782 * are pending. 783 * Note that if encryption gets disabled when it has been requested, 784 * we will attempt to enable it again.. (its a feature not a bug :) 785 */ 786 static void 787 hci_event_encryption_change(struct hci_unit *unit, struct mbuf *m) 788 { 789 hci_encryption_change_ep ep; 790 struct hci_link *link; 791 int err; 792 793 if (m->m_pkthdr.len < sizeof(ep)) 794 return; 795 796 m_copydata(m, 0, sizeof(ep), &ep); 797 m_adj(m, sizeof(ep)); 798 799 ep.con_handle = HCI_CON_HANDLE(le16toh(ep.con_handle)); 800 801 DPRINTFN(1, "handle #%d, status=0x%x, encryption_enable=0x%x\n", 802 ep.con_handle, ep.status, ep.encryption_enable); 803 804 link = hci_link_lookup_handle(unit, ep.con_handle); 805 if (link == NULL || link->hl_type != HCI_LINK_ACL) 806 return; 807 808 if (ep.status == 0) { 809 if (ep.encryption_enable == 0) 810 link->hl_flags &= ~HCI_LINK_ENCRYPT; 811 else 812 link->hl_flags |= (HCI_LINK_AUTH | HCI_LINK_ENCRYPT); 813 814 if (link->hl_state == HCI_LINK_WAIT_ENCRYPT) 815 link->hl_state = HCI_LINK_OPEN; 816 817 err = hci_acl_setmode(link); 818 if (err == EINPROGRESS) 819 return; 820 } 821 822 hci_acl_linkmode(link); 823 } 824 825 /* 826 * Change Connection Link Key Complete 827 * 828 * Link keys are handled in userland but if we are waiting to secure 829 * this link, we should notify the upper protocols. A SECURE request 830 * only needs a single key change, so we can cancel the request. 831 */ 832 static void 833 hci_event_change_con_link_key_compl(struct hci_unit *unit, struct mbuf *m) 834 { 835 hci_change_con_link_key_compl_ep ep; 836 struct hci_link *link; 837 int err; 838 839 if (m->m_pkthdr.len < sizeof(ep)) 840 return; 841 842 m_copydata(m, 0, sizeof(ep), &ep); 843 m_adj(m, sizeof(ep)); 844 845 ep.con_handle = HCI_CON_HANDLE(le16toh(ep.con_handle)); 846 847 DPRINTFN(1, "handle #%d, status=0x%x\n", ep.con_handle, ep.status); 848 849 link = hci_link_lookup_handle(unit, ep.con_handle); 850 if (link == NULL || link->hl_type != HCI_LINK_ACL) 851 return; 852 853 link->hl_flags &= ~HCI_LINK_SECURE_REQ; 854 855 if (ep.status == 0) { 856 link->hl_flags |= (HCI_LINK_AUTH | HCI_LINK_SECURE); 857 858 if (link->hl_state == HCI_LINK_WAIT_SECURE) 859 link->hl_state = HCI_LINK_OPEN; 860 861 err = hci_acl_setmode(link); 862 if (err == EINPROGRESS) 863 return; 864 } 865 866 hci_acl_linkmode(link); 867 } 868 869 /* 870 * Read Clock Offset Complete 871 * 872 * We keep a note of the clock offset of remote devices when a 873 * link is made, in order to facilitate reconnections to the device 874 */ 875 static void 876 hci_event_read_clock_offset_compl(struct hci_unit *unit, struct mbuf *m) 877 { 878 hci_read_clock_offset_compl_ep ep; 879 struct hci_link *link; 880 881 if (m->m_pkthdr.len < sizeof(ep)) 882 return; 883 884 m_copydata(m, 0, sizeof(ep), &ep); 885 m_adj(m, sizeof(ep)); 886 887 DPRINTFN(1, "handle #%d, offset=%u, status=0x%x\n", 888 le16toh(ep.con_handle), le16toh(ep.clock_offset), ep.status); 889 890 ep.con_handle = HCI_CON_HANDLE(le16toh(ep.con_handle)); 891 link = hci_link_lookup_handle(unit, ep.con_handle); 892 if (link == NULL || link->hl_type != HCI_LINK_ACL) 893 return; 894 895 if (ep.status == 0) 896 link->hl_clock = ep.clock_offset; 897 } 898 899 /* 900 * process results of read_bdaddr command_complete event 901 */ 902 static void 903 hci_cmd_read_bdaddr(struct hci_unit *unit, struct mbuf *m) 904 { 905 hci_read_bdaddr_rp rp; 906 907 if (m->m_pkthdr.len < sizeof(rp)) 908 return; 909 910 m_copydata(m, 0, sizeof(rp), &rp); 911 m_adj(m, sizeof(rp)); 912 913 if (rp.status > 0) 914 return; 915 916 if ((unit->hci_flags & BTF_INIT_BDADDR) == 0) 917 return; 918 919 bdaddr_copy(&unit->hci_bdaddr, &rp.bdaddr); 920 921 unit->hci_flags &= ~BTF_INIT_BDADDR; 922 923 cv_broadcast(&unit->hci_init); 924 } 925 926 /* 927 * process results of read_buffer_size command_complete event 928 */ 929 static void 930 hci_cmd_read_buffer_size(struct hci_unit *unit, struct mbuf *m) 931 { 932 hci_read_buffer_size_rp rp; 933 934 if (m->m_pkthdr.len < sizeof(rp)) 935 return; 936 937 m_copydata(m, 0, sizeof(rp), &rp); 938 m_adj(m, sizeof(rp)); 939 940 if (rp.status > 0) 941 return; 942 943 if ((unit->hci_flags & BTF_INIT_BUFFER_SIZE) == 0) 944 return; 945 946 unit->hci_max_acl_size = le16toh(rp.max_acl_size); 947 unit->hci_num_acl_pkts = le16toh(rp.num_acl_pkts); 948 unit->hci_max_acl_pkts = le16toh(rp.num_acl_pkts); 949 unit->hci_max_sco_size = rp.max_sco_size; 950 unit->hci_num_sco_pkts = le16toh(rp.num_sco_pkts); 951 unit->hci_max_sco_pkts = le16toh(rp.num_sco_pkts); 952 953 unit->hci_flags &= ~BTF_INIT_BUFFER_SIZE; 954 955 cv_broadcast(&unit->hci_init); 956 } 957 958 /* 959 * process results of read_local_features command_complete event 960 */ 961 static void 962 hci_cmd_read_local_features(struct hci_unit *unit, struct mbuf *m) 963 { 964 hci_read_local_features_rp rp; 965 966 if (m->m_pkthdr.len < sizeof(rp)) 967 return; 968 969 m_copydata(m, 0, sizeof(rp), &rp); 970 m_adj(m, sizeof(rp)); 971 972 if (rp.status > 0) 973 return; 974 975 if ((unit->hci_flags & BTF_INIT_FEATURES) == 0) 976 return; 977 978 memcpy(unit->hci_feat0, rp.features, HCI_FEATURES_SIZE); 979 980 unit->hci_lmp_mask = 0; 981 982 if (rp.features[0] & HCI_LMP_ROLE_SWITCH) 983 unit->hci_lmp_mask |= HCI_LINK_POLICY_ENABLE_ROLE_SWITCH; 984 985 if (rp.features[0] & HCI_LMP_HOLD_MODE) 986 unit->hci_lmp_mask |= HCI_LINK_POLICY_ENABLE_HOLD_MODE; 987 988 if (rp.features[0] & HCI_LMP_SNIFF_MODE) 989 unit->hci_lmp_mask |= HCI_LINK_POLICY_ENABLE_SNIFF_MODE; 990 991 if (rp.features[1] & HCI_LMP_PARK_MODE) 992 unit->hci_lmp_mask |= HCI_LINK_POLICY_ENABLE_PARK_MODE; 993 994 DPRINTFN(1, "%s: lmp_mask %4.4x\n", 995 device_xname(unit->hci_dev), unit->hci_lmp_mask); 996 997 /* ACL packet mask */ 998 unit->hci_acl_mask = HCI_PKT_DM1 | HCI_PKT_DH1; 999 1000 if (rp.features[0] & HCI_LMP_3SLOT) 1001 unit->hci_acl_mask |= HCI_PKT_DM3 | HCI_PKT_DH3; 1002 1003 if (rp.features[0] & HCI_LMP_5SLOT) 1004 unit->hci_acl_mask |= HCI_PKT_DM5 | HCI_PKT_DH5; 1005 1006 if ((rp.features[3] & HCI_LMP_EDR_ACL_2MBPS) == 0) 1007 unit->hci_acl_mask |= HCI_PKT_2MBPS_DH1 1008 | HCI_PKT_2MBPS_DH3 1009 | HCI_PKT_2MBPS_DH5; 1010 1011 if ((rp.features[3] & HCI_LMP_EDR_ACL_3MBPS) == 0) 1012 unit->hci_acl_mask |= HCI_PKT_3MBPS_DH1 1013 | HCI_PKT_3MBPS_DH3 1014 | HCI_PKT_3MBPS_DH5; 1015 1016 if ((rp.features[4] & HCI_LMP_3SLOT_EDR_ACL) == 0) 1017 unit->hci_acl_mask |= HCI_PKT_2MBPS_DH3 1018 | HCI_PKT_3MBPS_DH3; 1019 1020 if ((rp.features[5] & HCI_LMP_5SLOT_EDR_ACL) == 0) 1021 unit->hci_acl_mask |= HCI_PKT_2MBPS_DH5 1022 | HCI_PKT_3MBPS_DH5; 1023 1024 DPRINTFN(1, "%s: acl_mask %4.4x\n", 1025 device_xname(unit->hci_dev), unit->hci_acl_mask); 1026 1027 unit->hci_packet_type = unit->hci_acl_mask; 1028 1029 /* SCO packet mask */ 1030 unit->hci_sco_mask = 0; 1031 if (rp.features[1] & HCI_LMP_SCO_LINK) 1032 unit->hci_sco_mask |= HCI_PKT_HV1; 1033 1034 if (rp.features[1] & HCI_LMP_HV2_PKT) 1035 unit->hci_sco_mask |= HCI_PKT_HV2; 1036 1037 if (rp.features[1] & HCI_LMP_HV3_PKT) 1038 unit->hci_sco_mask |= HCI_PKT_HV3; 1039 1040 if (rp.features[3] & HCI_LMP_EV3_PKT) 1041 unit->hci_sco_mask |= HCI_PKT_EV3; 1042 1043 if (rp.features[4] & HCI_LMP_EV4_PKT) 1044 unit->hci_sco_mask |= HCI_PKT_EV4; 1045 1046 if (rp.features[4] & HCI_LMP_EV5_PKT) 1047 unit->hci_sco_mask |= HCI_PKT_EV5; 1048 1049 /* XXX what do 2MBPS/3MBPS/3SLOT eSCO mean? */ 1050 1051 DPRINTFN(1, "%s: sco_mask %4.4x\n", 1052 device_xname(unit->hci_dev), unit->hci_sco_mask); 1053 1054 /* extended feature masks */ 1055 if (rp.features[7] & HCI_LMP_EXTENDED_FEATURES) { 1056 hci_read_local_extended_features_cp cp; 1057 1058 cp.page = 0; 1059 hci_send_cmd(unit, HCI_CMD_READ_LOCAL_EXTENDED_FEATURES, 1060 &cp, sizeof(cp)); 1061 1062 return; 1063 } 1064 1065 unit->hci_flags &= ~BTF_INIT_FEATURES; 1066 cv_broadcast(&unit->hci_init); 1067 } 1068 1069 /* 1070 * process results of read_local_extended_features command_complete event 1071 */ 1072 static void 1073 hci_cmd_read_local_extended_features(struct hci_unit *unit, struct mbuf *m) 1074 { 1075 hci_read_local_extended_features_rp rp; 1076 1077 if (m->m_pkthdr.len < sizeof(rp)) 1078 return; 1079 1080 m_copydata(m, 0, sizeof(rp), &rp); 1081 m_adj(m, sizeof(rp)); 1082 1083 if (rp.status > 0) 1084 return; 1085 1086 if ((unit->hci_flags & BTF_INIT_FEATURES) == 0) 1087 return; 1088 1089 DPRINTFN(1, "%s: page %d of %d\n", device_xname(unit->hci_dev), 1090 rp.page, rp.max_page); 1091 1092 switch (rp.page) { 1093 case 2: 1094 memcpy(unit->hci_feat2, rp.features, HCI_FEATURES_SIZE); 1095 break; 1096 1097 case 1: 1098 memcpy(unit->hci_feat1, rp.features, HCI_FEATURES_SIZE); 1099 break; 1100 1101 case 0: /* (already handled) */ 1102 default: 1103 break; 1104 } 1105 1106 if (rp.page < rp.max_page) { 1107 hci_read_local_extended_features_cp cp; 1108 1109 cp.page = rp.page + 1; 1110 hci_send_cmd(unit, HCI_CMD_READ_LOCAL_EXTENDED_FEATURES, 1111 &cp, sizeof(cp)); 1112 1113 return; 1114 } 1115 1116 unit->hci_flags &= ~BTF_INIT_FEATURES; 1117 cv_broadcast(&unit->hci_init); 1118 } 1119 1120 /* 1121 * process results of read_local_ver command_complete event 1122 * 1123 * reading local supported commands is only supported from 1.2 spec 1124 */ 1125 static void 1126 hci_cmd_read_local_ver(struct hci_unit *unit, struct mbuf *m) 1127 { 1128 hci_read_local_ver_rp rp; 1129 1130 if (m->m_pkthdr.len < sizeof(rp)) 1131 return; 1132 1133 m_copydata(m, 0, sizeof(rp), &rp); 1134 m_adj(m, sizeof(rp)); 1135 1136 if (rp.status != 0) 1137 return; 1138 1139 if ((unit->hci_flags & BTF_INIT_COMMANDS) == 0) 1140 return; 1141 1142 if (rp.hci_version < HCI_SPEC_V12) { 1143 unit->hci_flags &= ~BTF_INIT_COMMANDS; 1144 cv_broadcast(&unit->hci_init); 1145 return; 1146 } 1147 1148 hci_send_cmd(unit, HCI_CMD_READ_LOCAL_COMMANDS, NULL, 0); 1149 } 1150 1151 /* 1152 * process results of read_local_commands command_complete event 1153 */ 1154 static void 1155 hci_cmd_read_local_commands(struct hci_unit *unit, struct mbuf *m) 1156 { 1157 hci_read_local_commands_rp rp; 1158 1159 if (m->m_pkthdr.len < sizeof(rp)) 1160 return; 1161 1162 m_copydata(m, 0, sizeof(rp), &rp); 1163 m_adj(m, sizeof(rp)); 1164 1165 if (rp.status != 0) 1166 return; 1167 1168 if ((unit->hci_flags & BTF_INIT_COMMANDS) == 0) 1169 return; 1170 1171 unit->hci_flags &= ~BTF_INIT_COMMANDS; 1172 memcpy(unit->hci_cmds, rp.commands, HCI_COMMANDS_SIZE); 1173 1174 cv_broadcast(&unit->hci_init); 1175 } 1176 1177 /* 1178 * process results of reset command_complete event 1179 * 1180 * This has killed all the connections, so close down anything we have left, 1181 * and reinitialise the unit. 1182 */ 1183 static void 1184 hci_cmd_reset(struct hci_unit *unit, struct mbuf *m) 1185 { 1186 hci_reset_rp rp; 1187 struct hci_link *link, *next; 1188 int acl; 1189 1190 if (m->m_pkthdr.len < sizeof(rp)) 1191 return; 1192 1193 m_copydata(m, 0, sizeof(rp), &rp); 1194 m_adj(m, sizeof(rp)); 1195 1196 if (rp.status != 0) 1197 return; 1198 1199 /* 1200 * release SCO links first, since they may be holding 1201 * an ACL link reference. 1202 */ 1203 for (acl = 0 ; acl < 2 ; acl++) { 1204 next = TAILQ_FIRST(&unit->hci_links); 1205 while ((link = next) != NULL) { 1206 next = TAILQ_NEXT(link, hl_next); 1207 if (acl || link->hl_type != HCI_LINK_ACL) 1208 hci_link_free(link, ECONNABORTED); 1209 } 1210 } 1211 1212 unit->hci_num_acl_pkts = 0; 1213 unit->hci_num_sco_pkts = 0; 1214 1215 if (hci_send_cmd(unit, HCI_CMD_READ_BDADDR, NULL, 0)) 1216 return; 1217 1218 if (hci_send_cmd(unit, HCI_CMD_READ_BUFFER_SIZE, NULL, 0)) 1219 return; 1220 1221 if (hci_send_cmd(unit, HCI_CMD_READ_LOCAL_FEATURES, NULL, 0)) 1222 return; 1223 1224 if (hci_send_cmd(unit, HCI_CMD_READ_LOCAL_VER, NULL, 0)) 1225 return; 1226 } 1227 1228 /* 1229 * process command_status event for create_con command 1230 * 1231 * a "Create Connection" command can sometimes fail to start for whatever 1232 * reason and the command_status event returns failure but we get no 1233 * indication of which connection failed (for instance in the case where 1234 * we tried to open too many connections all at once) So, we keep a flag 1235 * on the link to indicate pending status until the command_status event 1236 * is returned to help us decide which needs to be failed. 1237 * 1238 * since created links are inserted at the tail of hci_links, we know that 1239 * the first pending link we find will be the one that this command status 1240 * refers to. 1241 */ 1242 static void 1243 hci_cmd_create_con(struct hci_unit *unit, uint8_t status) 1244 { 1245 struct hci_link *link; 1246 1247 TAILQ_FOREACH(link, &unit->hci_links, hl_next) { 1248 if ((link->hl_flags & HCI_LINK_CREATE_CON) == 0) 1249 continue; 1250 1251 link->hl_flags &= ~HCI_LINK_CREATE_CON; 1252 1253 switch(status) { 1254 case 0x00: /* success */ 1255 break; 1256 1257 case 0x0c: /* "Command Disallowed" */ 1258 hci_link_free(link, EBUSY); 1259 break; 1260 1261 default: /* some other trouble */ 1262 hci_link_free(link, EPROTO); 1263 break; 1264 } 1265 1266 return; 1267 } 1268 } 1269