1 /*        $NetBSD: hci_event.c,v 1.26 2019/09/28 07:06:33 plunky Exp $          */
2 
3 /*-
4  * Copyright (c) 2005 Iain Hibbert.
5  * Copyright (c) 2006 Itronix Inc.
6  * All rights reserved.
7  *
8  * Redistribution and use in source and binary forms, with or without
9  * modification, are permitted provided that the following conditions
10  * are met:
11  * 1. Redistributions of source code must retain the above copyright
12  *    notice, this list of conditions and the following disclaimer.
13  * 2. Redistributions in binary form must reproduce the above copyright
14  *    notice, this list of conditions and the following disclaimer in the
15  *    documentation and/or other materials provided with the distribution.
16  * 3. The name of Itronix Inc. may not be used to endorse
17  *    or promote products derived from this software without specific
18  *    prior written permission.
19  *
20  * THIS SOFTWARE IS PROVIDED BY ITRONIX INC. ``AS IS'' AND
21  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
22  * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
23  * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL ITRONIX INC. BE LIABLE FOR ANY
24  * DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
25  * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
26  * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
27  * ON ANY THEORY OF LIABILITY, WHETHER IN
28  * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
29  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
30  * POSSIBILITY OF SUCH DAMAGE.
31  */
32 
33 #include <sys/cdefs.h>
34 __KERNEL_RCSID(0, "$NetBSD: hci_event.c,v 1.26 2019/09/28 07:06:33 plunky Exp $");
35 
36 #include <sys/param.h>
37 #include <sys/kernel.h>
38 #include <sys/malloc.h>
39 #include <sys/mbuf.h>
40 #include <sys/proc.h>
41 #include <sys/systm.h>
42 
43 #include <netbt/bluetooth.h>
44 #include <netbt/hci.h>
45 #include <netbt/sco.h>
46 
47 static void hci_event_inquiry_result(struct hci_unit *, struct mbuf *);
48 static void hci_event_rssi_result(struct hci_unit *, struct mbuf *);
49 static void hci_event_extended_result(struct hci_unit *, struct mbuf *);
50 static void hci_event_command_status(struct hci_unit *, struct mbuf *);
51 static void hci_event_command_compl(struct hci_unit *, struct mbuf *);
52 static void hci_event_con_compl(struct hci_unit *, struct mbuf *);
53 static void hci_event_discon_compl(struct hci_unit *, struct mbuf *);
54 static void hci_event_con_req(struct hci_unit *, struct mbuf *);
55 static void hci_event_num_compl_pkts(struct hci_unit *, struct mbuf *);
56 static void hci_event_auth_compl(struct hci_unit *, struct mbuf *);
57 static void hci_event_encryption_change(struct hci_unit *, struct mbuf *);
58 static void hci_event_change_con_link_key_compl(struct hci_unit *, struct mbuf *);
59 static void hci_event_read_clock_offset_compl(struct hci_unit *, struct mbuf *);
60 static void hci_cmd_read_bdaddr(struct hci_unit *, struct mbuf *);
61 static void hci_cmd_read_buffer_size(struct hci_unit *, struct mbuf *);
62 static void hci_cmd_read_local_features(struct hci_unit *, struct mbuf *);
63 static void hci_cmd_read_local_extended_features(struct hci_unit *, struct mbuf *);
64 static void hci_cmd_read_local_ver(struct hci_unit *, struct mbuf *);
65 static void hci_cmd_read_local_commands(struct hci_unit *, struct mbuf *);
66 static void hci_cmd_read_encryption_key_size(struct hci_unit *, struct mbuf *);
67 static void hci_cmd_reset(struct hci_unit *, struct mbuf *);
68 static void hci_cmd_create_con(struct hci_unit *unit, uint8_t status);
69 
70 #ifdef BLUETOOTH_DEBUG
71 int bluetooth_debug;
72 
73 static const char *hci_eventnames[] = {
74 /* 0x00 */ "NULL",
75 /* 0x01 */ "INQUIRY COMPLETE",
76 /* 0x02 */ "INQUIRY RESULT",
77 /* 0x03 */ "CONN COMPLETE",
78 /* 0x04 */ "CONN REQ",
79 /* 0x05 */ "DISCONN COMPLETE",
80 /* 0x06 */ "AUTH COMPLETE",
81 /* 0x07 */ "REMOTE NAME REQ COMPLETE",
82 /* 0x08 */ "ENCRYPTION CHANGE",
83 /* 0x09 */ "CHANGE CONN LINK KEY COMPLETE",
84 /* 0x0a */ "MASTER LINK KEY COMPLETE",
85 /* 0x0b */ "READ REMOTE FEATURES COMPLETE",
86 /* 0x0c */ "READ REMOTE VERSION INFO COMPLETE",
87 /* 0x0d */ "QoS SETUP COMPLETE",
88 /* 0x0e */ "COMMAND COMPLETE",
89 /* 0x0f */ "COMMAND STATUS",
90 /* 0x10 */ "HARDWARE ERROR",
91 /* 0x11 */ "FLUSH OCCUR",
92 /* 0x12 */ "ROLE CHANGE",
93 /* 0x13 */ "NUM COMPLETED PACKETS",
94 /* 0x14 */ "MODE CHANGE",
95 /* 0x15 */ "RETURN LINK KEYS",
96 /* 0x16 */ "PIN CODE REQ",
97 /* 0x17 */ "LINK KEY REQ",
98 /* 0x18 */ "LINK KEY NOTIFICATION",
99 /* 0x19 */ "LOOPBACK COMMAND",
100 /* 0x1a */ "DATA BUFFER OVERFLOW",
101 /* 0x1b */ "MAX SLOT CHANGE",
102 /* 0x1c */ "READ CLOCK OFFSET COMPLETE",
103 /* 0x1d */ "CONN PKT TYPE CHANGED",
104 /* 0x1e */ "QOS VIOLATION",
105 /* 0x1f */ "PAGE SCAN MODE CHANGE",
106 /* 0x20 */ "PAGE SCAN REP MODE CHANGE",
107 /* 0x21 */ "FLOW SPECIFICATION COMPLETE",
108 /* 0x22 */ "RSSI RESULT",
109 /* 0x23 */ "READ REMOTE EXT FEATURES",
110 /* 0x24 */ "UNKNOWN",
111 /* 0x25 */ "UNKNOWN",
112 /* 0x26 */ "UNKNOWN",
113 /* 0x27 */ "UNKNOWN",
114 /* 0x28 */ "UNKNOWN",
115 /* 0x29 */ "UNKNOWN",
116 /* 0x2a */ "UNKNOWN",
117 /* 0x2b */ "UNKNOWN",
118 /* 0x2c */ "SCO CON COMPLETE",
119 /* 0x2d */ "SCO CON CHANGED",
120 /* 0x2e */ "SNIFF SUBRATING",
121 /* 0x2f */ "EXTENDED INQUIRY RESULT",
122 /* 0x30 */ "ENCRYPTION KEY REFRESH",
123 /* 0x31 */ "IO CAPABILITY REQUEST",
124 /* 0x32 */ "IO CAPABILITY RESPONSE",
125 /* 0x33 */ "USER CONFIRM REQUEST",
126 /* 0x34 */ "USER PASSKEY REQUEST",
127 /* 0x35 */ "REMOTE OOB DATA REQUEST",
128 /* 0x36 */ "SIMPLE PAIRING COMPLETE",
129 /* 0x37 */ "UNKNOWN",
130 /* 0x38 */ "LINK SUPERVISION TIMEOUT CHANGED",
131 /* 0x39 */ "ENHANCED FLUSH COMPLETE",
132 /* 0x3a */ "UNKNOWN",
133 /* 0x3b */ "USER PASSKEY NOTIFICATION",
134 /* 0x3c */ "KEYPRESS NOTIFICATION",
135 /* 0x3d */ "REMOTE HOST FEATURES NOTIFICATION",
136 };
137 
138 static const char *
hci_eventstr(unsigned int event)139 hci_eventstr(unsigned int event)
140 {
141 
142           if (event < __arraycount(hci_eventnames))
143                     return hci_eventnames[event];
144 
145           switch (event) {
146           case HCI_EVENT_BT_LOGO:                 /* 0xfe */
147                     return "BT_LOGO";
148 
149           case HCI_EVENT_VENDOR:                  /* 0xff */
150                     return "VENDOR";
151           }
152 
153           return "UNKNOWN";
154 }
155 #endif    /* BLUETOOTH_DEBUG */
156 
157 /*
158  * process HCI Events
159  *
160  * We will free the mbuf at the end, no need for any sub
161  * functions to handle that.
162  */
163 void
hci_event(struct mbuf * m,struct hci_unit * unit)164 hci_event(struct mbuf *m, struct hci_unit *unit)
165 {
166           hci_event_hdr_t hdr;
167 
168           KASSERT(m->m_flags & M_PKTHDR);
169 
170           if (m->m_pkthdr.len < sizeof(hdr))
171                     goto done;
172 
173           m_copydata(m, 0, sizeof(hdr), &hdr);
174           m_adj(m, sizeof(hdr));
175 
176           KASSERT(hdr.type == HCI_EVENT_PKT);
177           if (m->m_pkthdr.len != hdr.length)
178                     goto done;
179 
180           DPRINTFN(1, "(%s) event %s\n",
181               device_xname(unit->hci_dev), hci_eventstr(hdr.event));
182 
183           switch(hdr.event) {
184           case HCI_EVENT_COMMAND_STATUS:
185                     hci_event_command_status(unit, m);
186                     break;
187 
188           case HCI_EVENT_COMMAND_COMPL:
189                     hci_event_command_compl(unit, m);
190                     break;
191 
192           case HCI_EVENT_NUM_COMPL_PKTS:
193                     hci_event_num_compl_pkts(unit, m);
194                     break;
195 
196           case HCI_EVENT_INQUIRY_RESULT:
197                     hci_event_inquiry_result(unit, m);
198                     break;
199 
200           case HCI_EVENT_RSSI_RESULT:
201                     hci_event_rssi_result(unit, m);
202                     break;
203 
204           case HCI_EVENT_EXTENDED_RESULT:
205                     hci_event_extended_result(unit, m);
206                     break;
207 
208           case HCI_EVENT_CON_COMPL:
209                     hci_event_con_compl(unit, m);
210                     break;
211 
212           case HCI_EVENT_DISCON_COMPL:
213                     hci_event_discon_compl(unit, m);
214                     break;
215 
216           case HCI_EVENT_CON_REQ:
217                     hci_event_con_req(unit, m);
218                     break;
219 
220           case HCI_EVENT_AUTH_COMPL:
221                     hci_event_auth_compl(unit, m);
222                     break;
223 
224           case HCI_EVENT_ENCRYPTION_CHANGE:
225                     hci_event_encryption_change(unit, m);
226                     break;
227 
228           case HCI_EVENT_CHANGE_CON_LINK_KEY_COMPL:
229                     hci_event_change_con_link_key_compl(unit, m);
230                     break;
231 
232           case HCI_EVENT_READ_CLOCK_OFFSET_COMPL:
233                     hci_event_read_clock_offset_compl(unit, m);
234                     break;
235 
236           default:
237                     break;
238           }
239 
240 done:
241           m_freem(m);
242 }
243 
244 /*
245  * Command Status
246  *
247  * Restart command queue and post-process any pending commands
248  */
249 static void
hci_event_command_status(struct hci_unit * unit,struct mbuf * m)250 hci_event_command_status(struct hci_unit *unit, struct mbuf *m)
251 {
252           hci_command_status_ep ep;
253 
254           if (m->m_pkthdr.len < sizeof(ep))
255                     return;
256 
257           m_copydata(m, 0, sizeof(ep), &ep);
258           m_adj(m, sizeof(ep));
259 
260           ep.opcode = le16toh(ep.opcode);
261 
262           DPRINTFN(1, "(%s) opcode (%03x|%04x) status = 0x%x num_cmd_pkts = %d\n",
263                     device_xname(unit->hci_dev),
264                     HCI_OGF(ep.opcode), HCI_OCF(ep.opcode),
265                     ep.status,
266                     ep.num_cmd_pkts);
267 
268           hci_num_cmds(unit, ep.num_cmd_pkts);
269 
270           /*
271            * post processing of pending commands
272            */
273           switch(ep.opcode) {
274           case HCI_CMD_CREATE_CON:
275                     hci_cmd_create_con(unit, ep.status);
276                     break;
277 
278           default:
279                     if (ep.status == 0)
280                               break;
281 
282                     aprint_error_dev(unit->hci_dev,
283                         "CommandStatus opcode (%03x|%04x) failed (status=0x%02x)\n",
284                         HCI_OGF(ep.opcode), HCI_OCF(ep.opcode),
285                         ep.status);
286 
287                     break;
288           }
289 }
290 
291 /*
292  * Command Complete
293  *
294  * Restart command queue and handle the completed command
295  */
296 static void
hci_event_command_compl(struct hci_unit * unit,struct mbuf * m)297 hci_event_command_compl(struct hci_unit *unit, struct mbuf *m)
298 {
299           hci_command_compl_ep ep;
300           hci_status_rp rp;
301 
302           if (m->m_pkthdr.len < sizeof(ep))
303                     return;
304 
305           m_copydata(m, 0, sizeof(ep), &ep);
306           m_adj(m, sizeof(ep));
307 
308           DPRINTFN(1, "(%s) opcode (%03x|%04x) num_cmd_pkts = %d\n",
309                     device_xname(unit->hci_dev),
310                     HCI_OGF(le16toh(ep.opcode)), HCI_OCF(le16toh(ep.opcode)),
311                     ep.num_cmd_pkts);
312 
313           hci_num_cmds(unit, ep.num_cmd_pkts);
314 
315           /*
316            * I am not sure if this is completely correct, it is not guaranteed
317            * that a command_complete packet will contain the status though most
318            * do seem to.
319            */
320           if (m->m_pkthdr.len >= sizeof(rp)) {
321                     m_copydata(m, 0, sizeof(rp), &rp);
322                     if (rp.status > 0)
323                               aprint_error_dev(unit->hci_dev,
324                                   "CommandComplete opcode (%03x|%04x) failed (status=0x%02x)\n",
325                                   HCI_OGF(le16toh(ep.opcode)), HCI_OCF(le16toh(ep.opcode)),
326                                   rp.status);
327           }
328 
329           /*
330            * post processing of completed commands
331            */
332           switch(le16toh(ep.opcode)) {
333           case HCI_CMD_READ_BDADDR:
334                     hci_cmd_read_bdaddr(unit, m);
335                     break;
336 
337           case HCI_CMD_READ_BUFFER_SIZE:
338                     hci_cmd_read_buffer_size(unit, m);
339                     break;
340 
341           case HCI_CMD_READ_LOCAL_FEATURES:
342                     hci_cmd_read_local_features(unit, m);
343                     break;
344 
345           case HCI_CMD_READ_LOCAL_EXTENDED_FEATURES:
346                     hci_cmd_read_local_extended_features(unit, m);
347                     break;
348 
349           case HCI_CMD_READ_LOCAL_VER:
350                     hci_cmd_read_local_ver(unit, m);
351                     break;
352 
353           case HCI_CMD_READ_LOCAL_COMMANDS:
354                     hci_cmd_read_local_commands(unit, m);
355                     break;
356 
357           case HCI_CMD_READ_ENCRYPTION_KEY_SIZE:
358                     hci_cmd_read_encryption_key_size(unit, m);
359                     break;
360 
361           case HCI_CMD_RESET:
362                     hci_cmd_reset(unit, m);
363                     break;
364 
365           default:
366                     break;
367           }
368 }
369 
370 /*
371  * Number of Completed Packets
372  *
373  * This is sent periodically by the Controller telling us how many
374  * buffers are now freed up and which handle was using them. From
375  * this we determine which type of buffer it was and add the qty
376  * back into the relevant packet counter, then restart output on
377  * links that have halted.
378  */
379 static void
hci_event_num_compl_pkts(struct hci_unit * unit,struct mbuf * m)380 hci_event_num_compl_pkts(struct hci_unit *unit, struct mbuf *m)
381 {
382           hci_num_compl_pkts_ep ep;
383           struct hci_link *link, *next;
384           uint16_t handle, num;
385           int num_acl = 0, num_sco = 0;
386 
387           if (m->m_pkthdr.len < sizeof(ep))
388                     return;
389 
390           m_copydata(m, 0, sizeof(ep), &ep);
391           m_adj(m, sizeof(ep));
392 
393           if (m->m_pkthdr.len < ep.num_con_handles * (sizeof(handle) + sizeof(num)))
394                     return;
395 
396           while (ep.num_con_handles--) {
397                     m_copydata(m, 0, sizeof(handle), &handle);
398                     m_adj(m, sizeof(handle));
399                     handle = le16toh(handle);
400 
401                     m_copydata(m, 0, sizeof(num), &num);
402                     m_adj(m, sizeof(num));
403                     num = le16toh(num);
404 
405                     link = hci_link_lookup_handle(unit, handle);
406                     if (link) {
407                               if (link->hl_type == HCI_LINK_ACL) {
408                                         num_acl += num;
409                                         hci_acl_complete(link, num);
410                               } else {
411                                         num_sco += num;
412                                         hci_sco_complete(link, num);
413                               }
414                     } else {
415                               /* XXX need to issue Read_Buffer_Size or Reset? */
416                               aprint_error_dev(unit->hci_dev,
417                                   "unknown handle %d! (losing track of %d packet buffer%s)\n",
418                                   handle, num, (num == 1 ? "" : "s"));
419                     }
420           }
421 
422           /*
423            * Move up any queued packets. When a link has sent data, it will move
424            * to the back of the queue - technically then if a link had something
425            * to send and there were still buffers available it could get started
426            * twice but it seemed more important to to handle higher loads fairly
427            * than worry about wasting cycles when we are not busy.
428            */
429 
430           unit->hci_num_acl_pkts += num_acl;
431           unit->hci_num_sco_pkts += num_sco;
432 
433           link = TAILQ_FIRST(&unit->hci_links);
434           while (link && (unit->hci_num_acl_pkts > 0 || unit->hci_num_sco_pkts > 0)) {
435                     next = TAILQ_NEXT(link, hl_next);
436 
437                     if (link->hl_type == HCI_LINK_ACL) {
438                               if (unit->hci_num_acl_pkts > 0 && link->hl_txqlen > 0)
439                                         hci_acl_start(link);
440                     } else {
441                               if (unit->hci_num_sco_pkts > 0 && link->hl_txqlen > 0)
442                                         hci_sco_start(link);
443                     }
444 
445                     link = next;
446           }
447 }
448 
449 /*
450  * Inquiry Result
451  *
452  * keep a note of devices seen, so we know which unit to use
453  * on outgoing connections
454  */
455 static void
hci_event_inquiry_result(struct hci_unit * unit,struct mbuf * m)456 hci_event_inquiry_result(struct hci_unit *unit, struct mbuf *m)
457 {
458           hci_inquiry_result_ep ep;
459           hci_inquiry_response ir;
460           struct hci_memo *memo;
461 
462           if (m->m_pkthdr.len < sizeof(ep))
463                     return;
464 
465           m_copydata(m, 0, sizeof(ep), &ep);
466           m_adj(m, sizeof(ep));
467 
468           DPRINTFN(1, "%d response%s\n", ep.num_responses,
469                                         (ep.num_responses == 1 ? "" : "s"));
470 
471           while(ep.num_responses--) {
472                     if (m->m_pkthdr.len < sizeof(ir))
473                               return;
474 
475                     m_copydata(m, 0, sizeof(ir), &ir);
476                     m_adj(m, sizeof(ir));
477 
478                     DPRINTFN(1, "bdaddr %02x:%02x:%02x:%02x:%02x:%02x\n",
479                               ir.bdaddr.b[5], ir.bdaddr.b[4], ir.bdaddr.b[3],
480                               ir.bdaddr.b[2], ir.bdaddr.b[1], ir.bdaddr.b[0]);
481 
482                     memo = hci_memo_new(unit, &ir.bdaddr);
483                     if (memo != NULL) {
484                               memo->page_scan_rep_mode = ir.page_scan_rep_mode;
485                               memo->page_scan_mode = ir.page_scan_mode;
486                               memo->clock_offset = ir.clock_offset;
487                     }
488           }
489 }
490 
491 /*
492  * Inquiry Result with RSSI
493  *
494  * as above but different packet when RSSI result is enabled
495  */
496 static void
hci_event_rssi_result(struct hci_unit * unit,struct mbuf * m)497 hci_event_rssi_result(struct hci_unit *unit, struct mbuf *m)
498 {
499           hci_rssi_result_ep ep;
500           hci_rssi_response rr;
501           struct hci_memo *memo;
502 
503           if (m->m_pkthdr.len < sizeof(ep))
504                     return;
505 
506           m_copydata(m, 0, sizeof(ep), &ep);
507           m_adj(m, sizeof(ep));
508 
509           DPRINTFN(1, "%d response%s\n", ep.num_responses,
510                                         (ep.num_responses == 1 ? "" : "s"));
511 
512           while(ep.num_responses--) {
513                     if (m->m_pkthdr.len < sizeof(rr))
514                               return;
515 
516                     m_copydata(m, 0, sizeof(rr), &rr);
517                     m_adj(m, sizeof(rr));
518 
519                     DPRINTFN(1, "bdaddr %02x:%02x:%02x:%02x:%02x:%02x\n",
520                               rr.bdaddr.b[5], rr.bdaddr.b[4], rr.bdaddr.b[3],
521                               rr.bdaddr.b[2], rr.bdaddr.b[1], rr.bdaddr.b[0]);
522 
523                     memo = hci_memo_new(unit, &rr.bdaddr);
524                     if (memo != NULL) {
525                               memo->page_scan_rep_mode = rr.page_scan_rep_mode;
526                               memo->page_scan_mode = 0;
527                               memo->clock_offset = rr.clock_offset;
528                     }
529           }
530 }
531 
532 /*
533  * Extended Inquiry Result
534  *
535  * as above but provides only one response and extended service info
536  */
537 static void
hci_event_extended_result(struct hci_unit * unit,struct mbuf * m)538 hci_event_extended_result(struct hci_unit *unit, struct mbuf *m)
539 {
540           hci_extended_result_ep ep;
541           struct hci_memo *memo;
542 
543           if (m->m_pkthdr.len < sizeof(ep))
544                     return;
545 
546           m_copydata(m, 0, sizeof(ep), &ep);
547           m_adj(m, sizeof(ep));
548 
549           if (ep.num_responses != 1)
550                     return;
551 
552           DPRINTFN(1, "bdaddr %02x:%02x:%02x:%02x:%02x:%02x\n",
553                     ep.bdaddr.b[5], ep.bdaddr.b[4], ep.bdaddr.b[3],
554                     ep.bdaddr.b[2], ep.bdaddr.b[1], ep.bdaddr.b[0]);
555 
556           memo = hci_memo_new(unit, &ep.bdaddr);
557           if (memo != NULL) {
558                     memo->page_scan_rep_mode = ep.page_scan_rep_mode;
559                     memo->page_scan_mode = 0;
560                     memo->clock_offset = ep.clock_offset;
561           }
562 }
563 
564 /*
565  * Connection Complete
566  *
567  * Sent to us when a connection is made. If there is no link
568  * structure already allocated for this, we must have changed
569  * our mind, so just disconnect.
570  */
571 static void
hci_event_con_compl(struct hci_unit * unit,struct mbuf * m)572 hci_event_con_compl(struct hci_unit *unit, struct mbuf *m)
573 {
574           hci_con_compl_ep ep;
575           hci_write_link_policy_settings_cp cp;
576           struct hci_link *link;
577           int err;
578 
579           if (m->m_pkthdr.len < sizeof(ep))
580                     return;
581 
582           m_copydata(m, 0, sizeof(ep), &ep);
583           m_adj(m, sizeof(ep));
584 
585           DPRINTFN(1, "(%s) %s connection complete for "
586                     "%02x:%02x:%02x:%02x:%02x:%02x status %#x\n",
587                     device_xname(unit->hci_dev),
588                     (ep.link_type == HCI_LINK_ACL ? "ACL" : "SCO"),
589                     ep.bdaddr.b[5], ep.bdaddr.b[4], ep.bdaddr.b[3],
590                     ep.bdaddr.b[2], ep.bdaddr.b[1], ep.bdaddr.b[0],
591                     ep.status);
592 
593           link = hci_link_lookup_bdaddr(unit, &ep.bdaddr, ep.link_type);
594 
595           if (ep.status) {
596                     if (link != NULL) {
597                               switch (ep.status) {
598                               case 0x04: /* "Page Timeout" */
599                                         err = EHOSTDOWN;
600                                         break;
601 
602                               case 0x08: /* "Connection Timed Out" */
603                                         err = ETIMEDOUT;
604                                         break;
605 
606                               case 0x16: /* "Connection Terminated by Local Host" */
607                                         err = 0;
608                                         break;
609 
610                               default:
611                                         err = ECONNREFUSED;
612                                         break;
613                               }
614 
615                               hci_link_free(link, err);
616                     }
617 
618                     return;
619           }
620 
621           if (link == NULL) {
622                     hci_discon_cp dp;
623 
624                     dp.con_handle = ep.con_handle;
625                     dp.reason = 0x13; /* "Remote User Terminated Connection" */
626 
627                     hci_send_cmd(unit, HCI_CMD_DISCONNECT, &dp, sizeof(dp));
628                     return;
629           }
630 
631           /*
632            * We purposefully ignore ep.encryption_mode here - if that is set then
633            * the link will be authenticated and encrypted, but we still want to
634            * verify the key size and setmode sets the right flags
635            */
636 
637           link->hl_state = HCI_LINK_OPEN;
638           link->hl_handle = HCI_CON_HANDLE(le16toh(ep.con_handle));
639 
640           if (ep.link_type == HCI_LINK_ACL) {
641                     cp.con_handle = ep.con_handle;
642                     cp.settings = htole16(unit->hci_link_policy);
643                     err = hci_send_cmd(unit, HCI_CMD_WRITE_LINK_POLICY_SETTINGS,
644                                                             &cp, sizeof(cp));
645                     if (err)
646                               aprint_error_dev(unit->hci_dev,
647                                   "Warning, could not write link policy\n");
648 
649                     err = hci_send_cmd(unit, HCI_CMD_READ_CLOCK_OFFSET,
650                                             &cp.con_handle, sizeof(cp.con_handle));
651                     if (err)
652                               aprint_error_dev(unit->hci_dev,
653                                   "Warning, could not read clock offset\n");
654 
655                     err = hci_acl_setmode(link);
656                     if (err == EINPROGRESS)
657                               return;
658 
659                     hci_acl_linkmode(link);
660           } else {
661                     (*link->hl_sco->sp_proto->connected)(link->hl_sco->sp_upper);
662           }
663 }
664 
665 /*
666  * Disconnection Complete
667  *
668  * This is sent in response to a disconnection request, but also if
669  * the remote device goes out of range.
670  */
671 static void
hci_event_discon_compl(struct hci_unit * unit,struct mbuf * m)672 hci_event_discon_compl(struct hci_unit *unit, struct mbuf *m)
673 {
674           hci_discon_compl_ep ep;
675           struct hci_link *link;
676 
677           if (m->m_pkthdr.len < sizeof(ep))
678                     return;
679 
680           m_copydata(m, 0, sizeof(ep), &ep);
681           m_adj(m, sizeof(ep));
682 
683           ep.con_handle = le16toh(ep.con_handle);
684 
685           DPRINTFN(1, "handle #%d, status=0x%x\n", ep.con_handle, ep.status);
686 
687           link = hci_link_lookup_handle(unit, HCI_CON_HANDLE(ep.con_handle));
688           if (link)
689                     hci_link_free(link, ENOLINK);
690 }
691 
692 /*
693  * Connect Request
694  *
695  * We check upstream for appropriate listeners and accept connections
696  * that are wanted.
697  */
698 static void
hci_event_con_req(struct hci_unit * unit,struct mbuf * m)699 hci_event_con_req(struct hci_unit *unit, struct mbuf *m)
700 {
701           hci_con_req_ep ep;
702           hci_accept_con_cp ap;
703           hci_reject_con_cp rp;
704           struct hci_link *link;
705 
706           if (m->m_pkthdr.len < sizeof(ep))
707                     return;
708 
709           m_copydata(m, 0, sizeof(ep), &ep);
710           m_adj(m, sizeof(ep));
711 
712           DPRINTFN(1, "bdaddr %2.2x:%2.2x:%2.2x:%2.2x:%2.2x:%2.2x "
713                     "class %2.2x%2.2x%2.2x type %s\n",
714                     ep.bdaddr.b[5], ep.bdaddr.b[4], ep.bdaddr.b[3],
715                     ep.bdaddr.b[2], ep.bdaddr.b[1], ep.bdaddr.b[0],
716                     ep.uclass[0], ep.uclass[1], ep.uclass[2],
717                     ep.link_type == HCI_LINK_ACL ? "ACL" : "SCO");
718 
719           if (ep.link_type == HCI_LINK_ACL)
720                     link = hci_acl_newconn(unit, &ep.bdaddr);
721           else
722                     link = hci_sco_newconn(unit, &ep.bdaddr);
723 
724           if (link == NULL) {
725                     memset(&rp, 0, sizeof(rp));
726                     bdaddr_copy(&rp.bdaddr, &ep.bdaddr);
727                     rp.reason = 0x0f;   /* Unacceptable BD_ADDR */
728 
729                     hci_send_cmd(unit, HCI_CMD_REJECT_CON, &rp, sizeof(rp));
730           } else {
731                     memset(&ap, 0, sizeof(ap));
732                     bdaddr_copy(&ap.bdaddr, &ep.bdaddr);
733                     if (unit->hci_flags & BTF_MASTER)
734                               ap.role = HCI_ROLE_MASTER;
735                     else
736                               ap.role = HCI_ROLE_SLAVE;
737 
738                     hci_send_cmd(unit, HCI_CMD_ACCEPT_CON, &ap, sizeof(ap));
739           }
740 }
741 
742 /*
743  * Auth Complete
744  *
745  * Authentication has been completed on an ACL link. We can notify the
746  * upper layer protocols unless further mode changes are pending.
747  */
748 static void
hci_event_auth_compl(struct hci_unit * unit,struct mbuf * m)749 hci_event_auth_compl(struct hci_unit *unit, struct mbuf *m)
750 {
751           hci_auth_compl_ep ep;
752           struct hci_link *link;
753           int err;
754 
755           if (m->m_pkthdr.len < sizeof(ep))
756                     return;
757 
758           m_copydata(m, 0, sizeof(ep), &ep);
759           m_adj(m, sizeof(ep));
760 
761           ep.con_handle = HCI_CON_HANDLE(le16toh(ep.con_handle));
762 
763           DPRINTFN(1, "handle #%d, status=0x%x\n", ep.con_handle, ep.status);
764 
765           link = hci_link_lookup_handle(unit, ep.con_handle);
766           if (link == NULL || link->hl_type != HCI_LINK_ACL)
767                     return;
768 
769           if (ep.status == 0) {
770                     link->hl_flags |= HCI_LINK_AUTH;
771 
772                     if (link->hl_state == HCI_LINK_WAIT_AUTH)
773                               link->hl_state = HCI_LINK_OPEN;
774 
775                     err = hci_acl_setmode(link);
776                     if (err == EINPROGRESS)
777                               return;
778           }
779 
780           hci_acl_linkmode(link);
781 }
782 
783 /*
784  * Encryption Change
785  *
786  * The encryption status has changed. Make a note if disabled, or
787  * check the key size if possible before allowing it is enabled.
788  * (checking of key size was enabled in 3.0 spec)
789  */
790 static void
hci_event_encryption_change(struct hci_unit * unit,struct mbuf * m)791 hci_event_encryption_change(struct hci_unit *unit, struct mbuf *m)
792 {
793           hci_encryption_change_ep ep;
794           struct hci_link *link;
795           uint16_t con_handle;
796           int err;
797 
798           if (m->m_pkthdr.len < sizeof(ep))
799                     return;
800 
801           m_copydata(m, 0, sizeof(ep), &ep);
802           m_adj(m, sizeof(ep));
803 
804           con_handle = HCI_CON_HANDLE(le16toh(ep.con_handle));
805 
806           DPRINTFN(1, "handle #%d, status=0x%x, encryption_enable=0x%x\n",
807                      con_handle, ep.status, ep.encryption_enable);
808 
809           link = hci_link_lookup_handle(unit, con_handle);
810           if (link == NULL || link->hl_type != HCI_LINK_ACL)
811                     return;
812 
813           if (ep.status == 0) {
814                     if (ep.encryption_enable == 0) {
815                               link->hl_flags &= ~HCI_LINK_ENCRYPT;
816                     } else if (unit->hci_cmds[20] & (1<<4)) {
817                               err = hci_send_cmd(unit, HCI_CMD_READ_ENCRYPTION_KEY_SIZE,
818                                   &ep.con_handle, sizeof(ep.con_handle));
819 
820                               if (err == 0)
821                                         return;
822                     } else {
823                               link->hl_flags |= (HCI_LINK_AUTH | HCI_LINK_ENCRYPT);
824 
825                               if (link->hl_state == HCI_LINK_WAIT_ENCRYPT)
826                                         link->hl_state = HCI_LINK_OPEN;
827 
828                               err = hci_acl_setmode(link);
829                               if (err == EINPROGRESS)
830                                         return;
831                     }
832           }
833 
834           hci_acl_linkmode(link);
835 }
836 
837 /*
838  * Change Connection Link Key Complete
839  *
840  * Link keys are handled in userland but if we are waiting to secure
841  * this link, we should notify the upper protocols. A SECURE request
842  * only needs a single key change, so we can cancel the request.
843  */
844 static void
hci_event_change_con_link_key_compl(struct hci_unit * unit,struct mbuf * m)845 hci_event_change_con_link_key_compl(struct hci_unit *unit, struct mbuf *m)
846 {
847           hci_change_con_link_key_compl_ep ep;
848           struct hci_link *link;
849           int err;
850 
851           if (m->m_pkthdr.len < sizeof(ep))
852                     return;
853 
854           m_copydata(m, 0, sizeof(ep), &ep);
855           m_adj(m, sizeof(ep));
856 
857           ep.con_handle = HCI_CON_HANDLE(le16toh(ep.con_handle));
858 
859           DPRINTFN(1, "handle #%d, status=0x%x\n", ep.con_handle, ep.status);
860 
861           link = hci_link_lookup_handle(unit, ep.con_handle);
862           if (link == NULL || link->hl_type != HCI_LINK_ACL)
863                     return;
864 
865           link->hl_flags &= ~HCI_LINK_SECURE_REQ;
866 
867           if (ep.status == 0) {
868                     link->hl_flags |= (HCI_LINK_AUTH | HCI_LINK_SECURE);
869 
870                     if (link->hl_state == HCI_LINK_WAIT_SECURE)
871                               link->hl_state = HCI_LINK_OPEN;
872 
873                     err = hci_acl_setmode(link);
874                     if (err == EINPROGRESS)
875                               return;
876           }
877 
878           hci_acl_linkmode(link);
879 }
880 
881 /*
882  * Read Clock Offset Complete
883  *
884  * We keep a note of the clock offset of remote devices when a
885  * link is made, in order to facilitate reconnections to the device
886  */
887 static void
hci_event_read_clock_offset_compl(struct hci_unit * unit,struct mbuf * m)888 hci_event_read_clock_offset_compl(struct hci_unit *unit, struct mbuf *m)
889 {
890           hci_read_clock_offset_compl_ep ep;
891           struct hci_link *link;
892 
893           if (m->m_pkthdr.len < sizeof(ep))
894                     return;
895 
896           m_copydata(m, 0, sizeof(ep), &ep);
897           m_adj(m, sizeof(ep));
898 
899           DPRINTFN(1, "handle #%d, offset=%u, status=0x%x\n",
900                     le16toh(ep.con_handle), le16toh(ep.clock_offset), ep.status);
901 
902           ep.con_handle = HCI_CON_HANDLE(le16toh(ep.con_handle));
903           link = hci_link_lookup_handle(unit, ep.con_handle);
904           if (link == NULL || link->hl_type != HCI_LINK_ACL)
905                     return;
906 
907           if (ep.status == 0)
908                     link->hl_clock = ep.clock_offset;
909 }
910 
911 /*
912  * process results of read_bdaddr command_complete event
913  */
914 static void
hci_cmd_read_bdaddr(struct hci_unit * unit,struct mbuf * m)915 hci_cmd_read_bdaddr(struct hci_unit *unit, struct mbuf *m)
916 {
917           hci_read_bdaddr_rp rp;
918 
919           if (m->m_pkthdr.len < sizeof(rp))
920                     return;
921 
922           m_copydata(m, 0, sizeof(rp), &rp);
923           m_adj(m, sizeof(rp));
924 
925           if (rp.status > 0)
926                     return;
927 
928           if ((unit->hci_flags & BTF_INIT_BDADDR) == 0)
929                     return;
930 
931           bdaddr_copy(&unit->hci_bdaddr, &rp.bdaddr);
932 
933           unit->hci_flags &= ~BTF_INIT_BDADDR;
934 
935           cv_broadcast(&unit->hci_init);
936 }
937 
938 /*
939  * process results of read_buffer_size command_complete event
940  */
941 static void
hci_cmd_read_buffer_size(struct hci_unit * unit,struct mbuf * m)942 hci_cmd_read_buffer_size(struct hci_unit *unit, struct mbuf *m)
943 {
944           hci_read_buffer_size_rp rp;
945 
946           if (m->m_pkthdr.len < sizeof(rp))
947                     return;
948 
949           m_copydata(m, 0, sizeof(rp), &rp);
950           m_adj(m, sizeof(rp));
951 
952           if (rp.status > 0)
953                     return;
954 
955           if ((unit->hci_flags & BTF_INIT_BUFFER_SIZE) == 0)
956                     return;
957 
958           unit->hci_max_acl_size = le16toh(rp.max_acl_size);
959           unit->hci_num_acl_pkts = le16toh(rp.num_acl_pkts);
960           unit->hci_max_acl_pkts = le16toh(rp.num_acl_pkts);
961           unit->hci_max_sco_size = rp.max_sco_size;
962           unit->hci_num_sco_pkts = le16toh(rp.num_sco_pkts);
963           unit->hci_max_sco_pkts = le16toh(rp.num_sco_pkts);
964 
965           unit->hci_flags &= ~BTF_INIT_BUFFER_SIZE;
966 
967           cv_broadcast(&unit->hci_init);
968 }
969 
970 /*
971  * process results of read_local_features command_complete event
972  */
973 static void
hci_cmd_read_local_features(struct hci_unit * unit,struct mbuf * m)974 hci_cmd_read_local_features(struct hci_unit *unit, struct mbuf *m)
975 {
976           hci_read_local_features_rp rp;
977 
978           if (m->m_pkthdr.len < sizeof(rp))
979                     return;
980 
981           m_copydata(m, 0, sizeof(rp), &rp);
982           m_adj(m, sizeof(rp));
983 
984           if (rp.status > 0)
985                     return;
986 
987           if ((unit->hci_flags & BTF_INIT_FEATURES) == 0)
988                     return;
989 
990           memcpy(unit->hci_feat0, rp.features, HCI_FEATURES_SIZE);
991 
992           unit->hci_lmp_mask = 0;
993 
994           if (rp.features[0] & HCI_LMP_ROLE_SWITCH)
995                     unit->hci_lmp_mask |= HCI_LINK_POLICY_ENABLE_ROLE_SWITCH;
996 
997           if (rp.features[0] & HCI_LMP_HOLD_MODE)
998                     unit->hci_lmp_mask |= HCI_LINK_POLICY_ENABLE_HOLD_MODE;
999 
1000           if (rp.features[0] & HCI_LMP_SNIFF_MODE)
1001                     unit->hci_lmp_mask |= HCI_LINK_POLICY_ENABLE_SNIFF_MODE;
1002 
1003           if (rp.features[1] & HCI_LMP_PARK_MODE)
1004                     unit->hci_lmp_mask |= HCI_LINK_POLICY_ENABLE_PARK_MODE;
1005 
1006           DPRINTFN(1, "%s: lmp_mask %4.4x\n",
1007                     device_xname(unit->hci_dev), unit->hci_lmp_mask);
1008 
1009           /* ACL packet mask */
1010           unit->hci_acl_mask = HCI_PKT_DM1 | HCI_PKT_DH1;
1011 
1012           if (rp.features[0] & HCI_LMP_3SLOT)
1013                     unit->hci_acl_mask |= HCI_PKT_DM3 | HCI_PKT_DH3;
1014 
1015           if (rp.features[0] & HCI_LMP_5SLOT)
1016                     unit->hci_acl_mask |= HCI_PKT_DM5 | HCI_PKT_DH5;
1017 
1018           if ((rp.features[3] & HCI_LMP_EDR_ACL_2MBPS) == 0)
1019                     unit->hci_acl_mask |= HCI_PKT_2MBPS_DH1
1020                                             | HCI_PKT_2MBPS_DH3
1021                                             | HCI_PKT_2MBPS_DH5;
1022 
1023           if ((rp.features[3] & HCI_LMP_EDR_ACL_3MBPS) == 0)
1024                     unit->hci_acl_mask |= HCI_PKT_3MBPS_DH1
1025                                             | HCI_PKT_3MBPS_DH3
1026                                             | HCI_PKT_3MBPS_DH5;
1027 
1028           if ((rp.features[4] & HCI_LMP_3SLOT_EDR_ACL) == 0)
1029                     unit->hci_acl_mask |= HCI_PKT_2MBPS_DH3
1030                                             | HCI_PKT_3MBPS_DH3;
1031 
1032           if ((rp.features[5] & HCI_LMP_5SLOT_EDR_ACL) == 0)
1033                     unit->hci_acl_mask |= HCI_PKT_2MBPS_DH5
1034                                             | HCI_PKT_3MBPS_DH5;
1035 
1036           DPRINTFN(1, "%s: acl_mask %4.4x\n",
1037                     device_xname(unit->hci_dev), unit->hci_acl_mask);
1038 
1039           unit->hci_packet_type = unit->hci_acl_mask;
1040 
1041           /* SCO packet mask */
1042           unit->hci_sco_mask = 0;
1043           if (rp.features[1] & HCI_LMP_SCO_LINK)
1044                     unit->hci_sco_mask |= HCI_PKT_HV1;
1045 
1046           if (rp.features[1] & HCI_LMP_HV2_PKT)
1047                     unit->hci_sco_mask |= HCI_PKT_HV2;
1048 
1049           if (rp.features[1] & HCI_LMP_HV3_PKT)
1050                     unit->hci_sco_mask |= HCI_PKT_HV3;
1051 
1052           if (rp.features[3] & HCI_LMP_EV3_PKT)
1053                     unit->hci_sco_mask |= HCI_PKT_EV3;
1054 
1055           if (rp.features[4] & HCI_LMP_EV4_PKT)
1056                     unit->hci_sco_mask |= HCI_PKT_EV4;
1057 
1058           if (rp.features[4] & HCI_LMP_EV5_PKT)
1059                     unit->hci_sco_mask |= HCI_PKT_EV5;
1060 
1061           /* XXX what do 2MBPS/3MBPS/3SLOT eSCO mean? */
1062 
1063           DPRINTFN(1, "%s: sco_mask %4.4x\n",
1064                     device_xname(unit->hci_dev), unit->hci_sco_mask);
1065 
1066           /* extended feature masks */
1067           if (rp.features[7] & HCI_LMP_EXTENDED_FEATURES) {
1068                     hci_read_local_extended_features_cp cp;
1069 
1070                     cp.page = 0;
1071                     hci_send_cmd(unit, HCI_CMD_READ_LOCAL_EXTENDED_FEATURES,
1072                         &cp, sizeof(cp));
1073 
1074                     return;
1075           }
1076 
1077           unit->hci_flags &= ~BTF_INIT_FEATURES;
1078           cv_broadcast(&unit->hci_init);
1079 }
1080 
1081 /*
1082  * process results of read_local_extended_features command_complete event
1083  */
1084 static void
hci_cmd_read_local_extended_features(struct hci_unit * unit,struct mbuf * m)1085 hci_cmd_read_local_extended_features(struct hci_unit *unit, struct mbuf *m)
1086 {
1087           hci_read_local_extended_features_rp rp;
1088 
1089           if (m->m_pkthdr.len < sizeof(rp))
1090                     return;
1091 
1092           m_copydata(m, 0, sizeof(rp), &rp);
1093           m_adj(m, sizeof(rp));
1094 
1095           if (rp.status > 0)
1096                     return;
1097 
1098           if ((unit->hci_flags & BTF_INIT_FEATURES) == 0)
1099                     return;
1100 
1101           DPRINTFN(1, "%s: page %d of %d\n", device_xname(unit->hci_dev),
1102               rp.page, rp.max_page);
1103 
1104           switch (rp.page) {
1105           case 2:
1106                     memcpy(unit->hci_feat2, rp.features, HCI_FEATURES_SIZE);
1107                     break;
1108 
1109           case 1:
1110                     memcpy(unit->hci_feat1, rp.features, HCI_FEATURES_SIZE);
1111                     break;
1112 
1113           case 0:   /* (already handled) */
1114           default:
1115                     break;
1116           }
1117 
1118           if (rp.page < rp.max_page) {
1119                     hci_read_local_extended_features_cp cp;
1120 
1121                     cp.page = rp.page + 1;
1122                     hci_send_cmd(unit, HCI_CMD_READ_LOCAL_EXTENDED_FEATURES,
1123                         &cp, sizeof(cp));
1124 
1125                     return;
1126           }
1127 
1128           unit->hci_flags &= ~BTF_INIT_FEATURES;
1129           cv_broadcast(&unit->hci_init);
1130 }
1131 
1132 /*
1133  * process results of read_local_ver command_complete event
1134  *
1135  * reading local supported commands is only supported from 1.2 spec
1136  */
1137 static void
hci_cmd_read_local_ver(struct hci_unit * unit,struct mbuf * m)1138 hci_cmd_read_local_ver(struct hci_unit *unit, struct mbuf *m)
1139 {
1140           hci_read_local_ver_rp rp;
1141 
1142           if (m->m_pkthdr.len < sizeof(rp))
1143                     return;
1144 
1145           m_copydata(m, 0, sizeof(rp), &rp);
1146           m_adj(m, sizeof(rp));
1147 
1148           if (rp.status != 0)
1149                     return;
1150 
1151           if ((unit->hci_flags & BTF_INIT_COMMANDS) == 0)
1152                     return;
1153 
1154           if (rp.hci_version < HCI_SPEC_V12) {
1155                     unit->hci_flags &= ~BTF_INIT_COMMANDS;
1156                     cv_broadcast(&unit->hci_init);
1157                     return;
1158           }
1159 
1160           hci_send_cmd(unit, HCI_CMD_READ_LOCAL_COMMANDS, NULL, 0);
1161 }
1162 
1163 /*
1164  * process results of read_local_commands command_complete event
1165  */
1166 static void
hci_cmd_read_local_commands(struct hci_unit * unit,struct mbuf * m)1167 hci_cmd_read_local_commands(struct hci_unit *unit, struct mbuf *m)
1168 {
1169           hci_read_local_commands_rp rp;
1170 
1171           if (m->m_pkthdr.len < sizeof(rp))
1172                     return;
1173 
1174           m_copydata(m, 0, sizeof(rp), &rp);
1175           m_adj(m, sizeof(rp));
1176 
1177           if (rp.status != 0)
1178                     return;
1179 
1180           if ((unit->hci_flags & BTF_INIT_COMMANDS) == 0)
1181                     return;
1182 
1183           unit->hci_flags &= ~BTF_INIT_COMMANDS;
1184           memcpy(unit->hci_cmds, rp.commands, HCI_COMMANDS_SIZE);
1185 
1186           cv_broadcast(&unit->hci_init);
1187 }
1188 
1189 /*
1190  * process results of read_encryption_key_size command_complete event
1191  */
1192 static void
hci_cmd_read_encryption_key_size(struct hci_unit * unit,struct mbuf * m)1193 hci_cmd_read_encryption_key_size(struct hci_unit *unit, struct mbuf *m)
1194 {
1195           hci_read_encryption_key_size_rp rp;
1196           struct hci_link *link;
1197           int err;
1198 
1199           if (m->m_pkthdr.len < sizeof(rp))
1200                     return;
1201 
1202           m_copydata(m, 0, sizeof(rp), &rp);
1203           m_adj(m, sizeof(rp));
1204 
1205           if (rp.status != 0)
1206                     return;
1207 
1208           rp.con_handle = HCI_CON_HANDLE(le16toh(rp.con_handle));
1209 
1210           DPRINTFN(1, "handle #%d, status=0x%x, key_size=0x%x\n",
1211                      rp.con_handle, rp.status, rp.size);
1212 
1213           link = hci_link_lookup_handle(unit, rp.con_handle);
1214           if (link == NULL || link->hl_type != HCI_LINK_ACL)
1215                     return;
1216 
1217           /*
1218            * if the key size is less than minimum standard, go straight to
1219            * linkmode as this is non-recoverable. Otherwise, we are encrypted
1220            * so can proceed with setmode.
1221            */
1222           if (rp.status == 0) {
1223                     if (rp.size < 7) {
1224                               link->hl_flags &= ~HCI_LINK_ENCRYPT;
1225                     } else {
1226                               link->hl_flags |= (HCI_LINK_AUTH | HCI_LINK_ENCRYPT);
1227 
1228                               if (link->hl_state == HCI_LINK_WAIT_ENCRYPT)
1229                                         link->hl_state = HCI_LINK_OPEN;
1230 
1231                               err = hci_acl_setmode(link);
1232                               if (err == EINPROGRESS)
1233                                         return;
1234                     }
1235           }
1236 
1237           hci_acl_linkmode(link);
1238 }
1239 
1240 /*
1241  * process results of reset command_complete event
1242  *
1243  * This has killed all the connections, so close down anything we have left,
1244  * and reinitialise the unit.
1245  */
1246 static void
hci_cmd_reset(struct hci_unit * unit,struct mbuf * m)1247 hci_cmd_reset(struct hci_unit *unit, struct mbuf *m)
1248 {
1249           hci_reset_rp rp;
1250           struct hci_link *link, *next;
1251           int acl;
1252 
1253           if (m->m_pkthdr.len < sizeof(rp))
1254                     return;
1255 
1256           m_copydata(m, 0, sizeof(rp), &rp);
1257           m_adj(m, sizeof(rp));
1258 
1259           if (rp.status != 0)
1260                     return;
1261 
1262           /*
1263            * release SCO links first, since they may be holding
1264            * an ACL link reference.
1265            */
1266           for (acl = 0 ; acl < 2 ; acl++) {
1267                     next = TAILQ_FIRST(&unit->hci_links);
1268                     while ((link = next) != NULL) {
1269                               next = TAILQ_NEXT(link, hl_next);
1270                               if (acl || link->hl_type != HCI_LINK_ACL)
1271                                         hci_link_free(link, ECONNABORTED);
1272                     }
1273           }
1274 
1275           unit->hci_num_acl_pkts = 0;
1276           unit->hci_num_sco_pkts = 0;
1277 
1278           if (hci_send_cmd(unit, HCI_CMD_READ_BDADDR, NULL, 0))
1279                     return;
1280 
1281           if (hci_send_cmd(unit, HCI_CMD_READ_BUFFER_SIZE, NULL, 0))
1282                     return;
1283 
1284           if (hci_send_cmd(unit, HCI_CMD_READ_LOCAL_FEATURES, NULL, 0))
1285                     return;
1286 
1287           if (hci_send_cmd(unit, HCI_CMD_READ_LOCAL_VER, NULL, 0))
1288                     return;
1289 }
1290 
1291 /*
1292  * process command_status event for create_con command
1293  *
1294  * a "Create Connection" command can sometimes fail to start for whatever
1295  * reason and the command_status event returns failure but we get no
1296  * indication of which connection failed (for instance in the case where
1297  * we tried to open too many connections all at once) So, we keep a flag
1298  * on the link to indicate pending status until the command_status event
1299  * is returned to help us decide which needs to be failed.
1300  *
1301  * since created links are inserted at the tail of hci_links, we know that
1302  * the first pending link we find will be the one that this command status
1303  * refers to.
1304  */
1305 static void
hci_cmd_create_con(struct hci_unit * unit,uint8_t status)1306 hci_cmd_create_con(struct hci_unit *unit, uint8_t status)
1307 {
1308           struct hci_link *link;
1309 
1310           TAILQ_FOREACH(link, &unit->hci_links, hl_next) {
1311                     if ((link->hl_flags & HCI_LINK_CREATE_CON) == 0)
1312                               continue;
1313 
1314                     link->hl_flags &= ~HCI_LINK_CREATE_CON;
1315 
1316                     switch(status) {
1317                     case 0x00:          /* success */
1318                               break;
1319 
1320                     case 0x0c:          /* "Command Disallowed" */
1321                               hci_link_free(link, EBUSY);
1322                               break;
1323 
1324                     default:  /* some other trouble */
1325                               hci_link_free(link, EPROTO);
1326                               break;
1327                     }
1328 
1329                     return;
1330           }
1331 }
1332