Archipelago » qemu

/*

 * QEMU Bluetooth HCI logic.

 *

 * Copyright (C) 2007 OpenMoko, Inc.

 * Copyright (C) 2008 Andrzej Zaborowski  <balrog@zabor.org>

 *

 * This program is free software; you can redistribute it and/or

 * modify it under the terms of the GNU General Public License as

 * published by the Free Software Foundation; either version 2 of

 * the License, or (at your option) any later version.

 *

 * This program is distributed in the hope that it will be useful,

 * but WITHOUT ANY WARRANTY; without even the implied warranty of

 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the

 * GNU General Public License for more details.

 *

 * You should have received a copy of the GNU General Public License

 * along with this program; if not, see <http://www.gnu.org/licenses/>.

 */

#include "qemu-common.h"

#include "qemu-timer.h"

#include "usb.h"

#include "net.h"

#include "bt.h"

struct bt_hci_s {

    uint8_t *(*evt_packet)(void *opaque);

    void (*evt_submit)(void *opaque, int len);

    void *opaque;

    uint8_t evt_buf[256];

    uint8_t acl_buf[4096];

    int acl_len;

    uint16_t asb_handle;

    uint16_t psb_handle;

    int last_cmd;        /* Note: Always little-endian */

    struct bt_device_s *conn_req_host;

    struct {

        int inquire;

        int periodic;

        int responses_left;

        int responses;

        QEMUTimer *inquiry_done;

        QEMUTimer *inquiry_next;

        int inquiry_length;

        int inquiry_period;

        int inquiry_mode;

#define HCI_HANDLE_OFFSET        0x20

#define HCI_HANDLES_MAX                0x10

        struct bt_hci_master_link_s {

            struct bt_link_s *link;

            void (*lmp_acl_data)(struct bt_link_s *link,

                            const uint8_t *data, int start, int len);

            QEMUTimer *acl_mode_timer;

        } handle[HCI_HANDLES_MAX];

        uint32_t role_bmp;

        int last_handle;

        int connecting;

        bdaddr_t awaiting_bdaddr[HCI_HANDLES_MAX];

    } lm;

    uint8_t event_mask[8];

    uint16_t voice_setting;        /* Notw: Always little-endian */

    uint16_t conn_accept_tout;

    QEMUTimer *conn_accept_timer;

    struct HCIInfo info;

    struct bt_device_s device;

};

#define DEFAULT_RSSI_DBM        20

#define hci_from_info(ptr)        container_of((ptr), struct bt_hci_s, info)

#define hci_from_device(ptr)        container_of((ptr), struct bt_hci_s, device)

struct bt_hci_link_s {

    struct bt_link_s btlink;

    uint16_t handle;        /* Local */

};

/* LMP layer emulation */

#if 0

static void bt_submit_lmp(struct bt_device_s *bt, int length, uint8_t *data)

{

    int resp, resplen, error, op, tr;

    uint8_t respdata[17];

    if (length < 1)

        return;

    tr = *data & 1;

    op = *(data ++) >> 1;

    resp = LMP_ACCEPTED;

    resplen = 2;

    respdata[1] = op;

    error = 0;

    length --;

    if (op >= 0x7c) {        /* Extended opcode */

        op |= *(data ++) << 8;

        resp = LMP_ACCEPTED_EXT;

        resplen = 4;

        respdata[0] = op >> 8;

        respdata[1] = op & 0xff;

        length --;

    }

    switch (op) {

    case LMP_ACCEPTED:

        /* data[0]        Op code

         */

        if (length < 1) {

            error = HCI_UNSUPPORTED_LMP_PARAMETER_VALUE;

            goto not_accepted;

        }

        resp = 0;

        break;

    case LMP_ACCEPTED_EXT:

        /* data[0]        Escape op code

         * data[1]        Extended op code

         */

        if (length < 2) {

            error = HCI_UNSUPPORTED_LMP_PARAMETER_VALUE;

            goto not_accepted;

        }

        resp = 0;

        break;

    case LMP_NOT_ACCEPTED:

        /* data[0]        Op code

         * data[1]        Error code

         */

        if (length < 2) {

            error = HCI_UNSUPPORTED_LMP_PARAMETER_VALUE;

            goto not_accepted;

        }

        resp = 0;

        break;

    case LMP_NOT_ACCEPTED_EXT:

        /* data[0]        Op code

         * data[1]        Extended op code

         * data[2]        Error code

         */

        if (length < 3) {

            error = HCI_UNSUPPORTED_LMP_PARAMETER_VALUE;

            goto not_accepted;

        }

        resp = 0;

        break;

    case LMP_HOST_CONNECTION_REQ:

        break;

    case LMP_SETUP_COMPLETE:

        resp = LMP_SETUP_COMPLETE;

        resplen = 1;

        bt->setup = 1;

        break;

    case LMP_DETACH:

        /* data[0]        Error code

         */

        if (length < 1) {

            error = HCI_UNSUPPORTED_LMP_PARAMETER_VALUE;

            goto not_accepted;

        }

        bt->setup = 0;

        resp = 0;

        break;

    case LMP_SUPERVISION_TIMEOUT:

        /* data[0,1]        Supervision timeout

         */

        if (length < 2) {

            error = HCI_UNSUPPORTED_LMP_PARAMETER_VALUE;

            goto not_accepted;

        }

        resp = 0;

        break;

    case LMP_QUALITY_OF_SERVICE:

        resp = 0;

        /* Fall through */

    case LMP_QOS_REQ:

        /* data[0,1]        Poll interval

         * data[2]        N(BC)

         */

        if (length < 3) {

            error = HCI_UNSUPPORTED_LMP_PARAMETER_VALUE;

            goto not_accepted;

        }

        break;

    case LMP_MAX_SLOT:

        resp = 0;

        /* Fall through */

    case LMP_MAX_SLOT_REQ:

        /* data[0]        Max slots

         */

        if (length < 1) {

            error = HCI_UNSUPPORTED_LMP_PARAMETER_VALUE;

            goto not_accepted;

        }

        break;

    case LMP_AU_RAND:

    case LMP_IN_RAND:

    case LMP_COMB_KEY:

        /* data[0-15]        Random number

         */

        if (length < 16) {

            error = HCI_UNSUPPORTED_LMP_PARAMETER_VALUE;

            goto not_accepted;

        }

        if (op == LMP_AU_RAND) {

            if (bt->key_present) {

                resp = LMP_SRES;

                resplen = 5;

                /* XXX: [Part H] Section 6.1 on page 801 */

            } else {

                error = HCI_PIN_OR_KEY_MISSING;

                goto not_accepted;

            }

        } else if (op == LMP_IN_RAND) {

            error = HCI_PAIRING_NOT_ALLOWED;

            goto not_accepted;

        } else {

            /* XXX: [Part H] Section 3.2 on page 779 */

            resp = LMP_UNIT_KEY;

            resplen = 17;

            memcpy(respdata + 1, bt->key, 16);

            error = HCI_UNIT_LINK_KEY_USED;

            goto not_accepted;

        }

        break;

    case LMP_UNIT_KEY:

        /* data[0-15]        Key

         */

        if (length < 16) {

            error = HCI_UNSUPPORTED_LMP_PARAMETER_VALUE;

            goto not_accepted;

        }

        memcpy(bt->key, data, 16);

        bt->key_present = 1;

        break;

    case LMP_SRES:

        /* data[0-3]        Authentication response

         */

        if (length < 4) {

            error = HCI_UNSUPPORTED_LMP_PARAMETER_VALUE;

            goto not_accepted;

        }

        break;

    case LMP_CLKOFFSET_REQ:

        resp = LMP_CLKOFFSET_RES;

        resplen = 3;

        respdata[1] = 0x33;

        respdata[2] = 0x33;

        break;

    case LMP_CLKOFFSET_RES:

        /* data[0,1]        Clock offset

         * (Slave to master only)

         */

        if (length < 2) {

            error = HCI_UNSUPPORTED_LMP_PARAMETER_VALUE;

            goto not_accepted;

        }

        break;

    case LMP_VERSION_REQ:

    case LMP_VERSION_RES:

        /* data[0]        VersNr

         * data[1,2]        CompId

         * data[3,4]        SubVersNr

         */

        if (length < 5) {

            error = HCI_UNSUPPORTED_LMP_PARAMETER_VALUE;

            goto not_accepted;

        }

        if (op == LMP_VERSION_REQ) {

            resp = LMP_VERSION_RES;

            resplen = 6;

            respdata[1] = 0x20;

            respdata[2] = 0xff;

            respdata[3] = 0xff;

            respdata[4] = 0xff;

            respdata[5] = 0xff;

        } else

            resp = 0;

        break;

    case LMP_FEATURES_REQ:

    case LMP_FEATURES_RES:

        /* data[0-7]        Features

         */

        if (length < 8) {

            error = HCI_UNSUPPORTED_LMP_PARAMETER_VALUE;

            goto not_accepted;

        }

        if (op == LMP_FEATURES_REQ) {

            resp = LMP_FEATURES_RES;

            resplen = 9;

            respdata[1] = (bt->lmp_caps >> 0) & 0xff;

            respdata[2] = (bt->lmp_caps >> 8) & 0xff;

            respdata[3] = (bt->lmp_caps >> 16) & 0xff;

            respdata[4] = (bt->lmp_caps >> 24) & 0xff;

            respdata[5] = (bt->lmp_caps >> 32) & 0xff;

            respdata[6] = (bt->lmp_caps >> 40) & 0xff;

            respdata[7] = (bt->lmp_caps >> 48) & 0xff;

            respdata[8] = (bt->lmp_caps >> 56) & 0xff;

        } else

            resp = 0;

        break;

    case LMP_NAME_REQ:

        /* data[0]        Name offset

         */

        if (length < 1) {

            error = HCI_UNSUPPORTED_LMP_PARAMETER_VALUE;

            goto not_accepted;

        }

        resp = LMP_NAME_RES;

        resplen = 17;

        respdata[1] = data[0];

        respdata[2] = strlen(bt->lmp_name);

        memset(respdata + 3, 0x00, 14);

        if (respdata[2] > respdata[1])

            memcpy(respdata + 3, bt->lmp_name + respdata[1],

                            respdata[2] - respdata[1]);

        break;

    case LMP_NAME_RES:

        /* data[0]        Name offset

         * data[1]        Name length

         * data[2-15]        Name fragment

         */

        if (length < 16) {

            error = HCI_UNSUPPORTED_LMP_PARAMETER_VALUE;

            goto not_accepted;

        }

        resp = 0;

        break;

    default:

        error = HCI_UNKNOWN_LMP_PDU;

        /* Fall through */

    not_accepted:

        if (op >> 8) {

            resp = LMP_NOT_ACCEPTED_EXT;

            resplen = 5;

            respdata[0] = op >> 8;

            respdata[1] = op & 0xff;

            respdata[2] = error;

        } else {

            resp = LMP_NOT_ACCEPTED;

            resplen = 3;

            respdata[0] = op & 0xff;

            respdata[1] = error;

        }

    }

    if (resp == 0)

        return;

    if (resp >> 8) {

        respdata[0] = resp >> 8;

        respdata[1] = resp & 0xff;

    } else

        respdata[0] = resp & 0xff;

    respdata[0] <<= 1;

    respdata[0] |= tr;

}

static void bt_submit_raw_acl(struct bt_piconet_s *net, int length, uint8_t *data)

{

    struct bt_device_s *slave;

    if (length < 1)

        return;

    slave = 0;

#if 0

    slave = net->slave;

#endif

    switch (data[0] & 3) {

    case LLID_ACLC:

        bt_submit_lmp(slave, length - 1, data + 1);

        break;

    case LLID_ACLU_START:

#if 0

        bt_sumbit_l2cap(slave, length - 1, data + 1, (data[0] >> 2) & 1);

        breka;

#endif

    default:

    case LLID_ACLU_CONT:

        break;

    }

}

#endif

/* HCI layer emulation */

/* Note: we could ignore endiannes because unswapped handles will still

 * be valid as connection identifiers for the guest - they don't have to

 * be continuously allocated.  We do it though, to preserve similar

 * behaviour between hosts.  Some things, like the BD_ADDR cannot be

 * preserved though (for example if a real hci is used).  */

#ifdef HOST_WORDS_BIGENDIAN

# define HNDL(raw)        bswap16(raw)

#else

# define HNDL(raw)        (raw)

#endif

static const uint8_t bt_event_reserved_mask[8] = {

    0xff, 0x9f, 0xfb, 0xff, 0x07, 0x18, 0x00, 0x00,

};

static inline uint8_t *bt_hci_event_start(struct bt_hci_s *hci,

                int evt, int len)

{

    uint8_t *packet, mask;

    int mask_byte;

    if (len > 255) {

        fprintf(stderr, "%s: HCI event params too long (%ib)\n",

                        __FUNCTION__, len);

        exit(-1);

    }

    mask_byte = (evt - 1) >> 3;

    mask = 1 << ((evt - 1) & 3);

    if (mask & bt_event_reserved_mask[mask_byte] & ~hci->event_mask[mask_byte])

        return NULL;

    packet = hci->evt_packet(hci->opaque);

    packet[0] = evt;

    packet[1] = len;

    return &packet[2];

}

static inline void bt_hci_event(struct bt_hci_s *hci, int evt,

                void *params, int len)

{

    uint8_t *packet = bt_hci_event_start(hci, evt, len);

    if (!packet)

        return;

    if (len)

        memcpy(packet, params, len);

    hci->evt_submit(hci->opaque, len + 2);

}

static inline void bt_hci_event_status(struct bt_hci_s *hci, int status)

{

    evt_cmd_status params = {

        .status        = status,

        .ncmd        = 1,

        .opcode        = hci->last_cmd,

    };

    bt_hci_event(hci, EVT_CMD_STATUS, &params, EVT_CMD_STATUS_SIZE);

}

static inline void bt_hci_event_complete(struct bt_hci_s *hci,

                void *ret, int len)

{

    uint8_t *packet = bt_hci_event_start(hci, EVT_CMD_COMPLETE,

                    len + EVT_CMD_COMPLETE_SIZE);

    evt_cmd_complete *params = (evt_cmd_complete *) packet;

    if (!packet)

        return;

    params->ncmd        = 1;

    params->opcode        = hci->last_cmd;

    if (len)

        memcpy(&packet[EVT_CMD_COMPLETE_SIZE], ret, len);

    hci->evt_submit(hci->opaque, len + EVT_CMD_COMPLETE_SIZE + 2);

}

static void bt_hci_inquiry_done(void *opaque)

{

    struct bt_hci_s *hci = (struct bt_hci_s *) opaque;

    uint8_t status = HCI_SUCCESS;

    if (!hci->lm.periodic)

        hci->lm.inquire = 0;

    /* The specification is inconsistent about this one.  Page 565 reads

     * "The event parameters of Inquiry Complete event will have a summary

     * of the result from the Inquiry process, which reports the number of

     * nearby Bluetooth devices that responded [so hci->responses].", but

     * Event Parameters (see page 729) has only Status.  */

    bt_hci_event(hci, EVT_INQUIRY_COMPLETE, &status, 1);

}

static void bt_hci_inquiry_result_standard(struct bt_hci_s *hci,

                struct bt_device_s *slave)

{

    inquiry_info params = {

        .num_responses                = 1,

        .bdaddr                        = BAINIT(&slave->bd_addr),

        .pscan_rep_mode                = 0x00,        /* R0 */

        .pscan_period_mode        = 0x00,        /* P0 - deprecated */

        .pscan_mode                = 0x00,        /* Standard scan - deprecated */

        .dev_class[0]                = slave->class[0],

        .dev_class[1]                = slave->class[1],

        .dev_class[2]                = slave->class[2],

        /* TODO: return the clkoff *differenece* */

        .clock_offset                = slave->clkoff,        /* Note: no swapping */

    };

    bt_hci_event(hci, EVT_INQUIRY_RESULT, &params, INQUIRY_INFO_SIZE);

}

static void bt_hci_inquiry_result_with_rssi(struct bt_hci_s *hci,

                struct bt_device_s *slave)

{

    inquiry_info_with_rssi params = {

        .num_responses                = 1,

        .bdaddr                        = BAINIT(&slave->bd_addr),

        .pscan_rep_mode                = 0x00,        /* R0 */

        .pscan_period_mode        = 0x00,        /* P0 - deprecated */

        .dev_class[0]                = slave->class[0],

        .dev_class[1]                = slave->class[1],

        .dev_class[2]                = slave->class[2],

        /* TODO: return the clkoff *differenece* */

        .clock_offset                = slave->clkoff,        /* Note: no swapping */

        .rssi                        = DEFAULT_RSSI_DBM,

    };

    bt_hci_event(hci, EVT_INQUIRY_RESULT_WITH_RSSI,

                    &params, INQUIRY_INFO_WITH_RSSI_SIZE);

}

static void bt_hci_inquiry_result(struct bt_hci_s *hci,

                struct bt_device_s *slave)

{

    if (!slave->inquiry_scan || !hci->lm.responses_left)

        return;

    hci->lm.responses_left --;

    hci->lm.responses ++;

    switch (hci->lm.inquiry_mode) {

    case 0x00:

        bt_hci_inquiry_result_standard(hci, slave);

        return;

    case 0x01:

        bt_hci_inquiry_result_with_rssi(hci, slave);

        return;

    default:

        fprintf(stderr, "%s: bad inquiry mode %02x\n", __FUNCTION__,

                        hci->lm.inquiry_mode);

        exit(-1);

    }

}

static void bt_hci_mod_timer_1280ms(QEMUTimer *timer, int period)

{

    qemu_mod_timer(timer, qemu_get_clock_ns(vm_clock) +

                   muldiv64(period << 7, get_ticks_per_sec(), 100));

}

static void bt_hci_inquiry_start(struct bt_hci_s *hci, int length)

{

    struct bt_device_s *slave;

    hci->lm.inquiry_length = length;

    for (slave = hci->device.net->slave; slave; slave = slave->next)

        /* Don't uncover ourselves.  */

        if (slave != &hci->device)

            bt_hci_inquiry_result(hci, slave);

    /* TODO: register for a callback on a new device's addition to the

     * scatternet so that if it's added before inquiry_length expires,

     * an Inquiry Result is generated immediately.  Alternatively re-loop

     * through the devices on the inquiry_length expiration and report

     * devices not seen before.  */

    if (hci->lm.responses_left)

        bt_hci_mod_timer_1280ms(hci->lm.inquiry_done, hci->lm.inquiry_length);

    else

        bt_hci_inquiry_done(hci);

    if (hci->lm.periodic)

        bt_hci_mod_timer_1280ms(hci->lm.inquiry_next, hci->lm.inquiry_period);

}

static void bt_hci_inquiry_next(void *opaque)

{

    struct bt_hci_s *hci = (struct bt_hci_s *) opaque;

    hci->lm.responses_left += hci->lm.responses;

    hci->lm.responses = 0;

    bt_hci_inquiry_start(hci,  hci->lm.inquiry_length);

}

static inline int bt_hci_handle_bad(struct bt_hci_s *hci, uint16_t handle)

{

    return !(handle & HCI_HANDLE_OFFSET) ||

            handle >= (HCI_HANDLE_OFFSET | HCI_HANDLES_MAX) ||

            !hci->lm.handle[handle & ~HCI_HANDLE_OFFSET].link;

}

static inline int bt_hci_role_master(struct bt_hci_s *hci, uint16_t handle)

{

    return !!(hci->lm.role_bmp & (1 << (handle & ~HCI_HANDLE_OFFSET)));

}

static inline struct bt_device_s *bt_hci_remote_dev(struct bt_hci_s *hci,

                uint16_t handle)

{

    struct bt_link_s *link = hci->lm.handle[handle & ~HCI_HANDLE_OFFSET].link;

    return bt_hci_role_master(hci, handle) ? link->slave : link->host;

}

static void bt_hci_mode_tick(void *opaque);

static void bt_hci_lmp_link_establish(struct bt_hci_s *hci,

                struct bt_link_s *link, int master)

{

    hci->lm.handle[hci->lm.last_handle].link = link;

    if (master) {

        /* We are the master side of an ACL link */

        hci->lm.role_bmp |= 1 << hci->lm.last_handle;

        hci->lm.handle[hci->lm.last_handle].lmp_acl_data =

                link->slave->lmp_acl_data;

    } else {

        /* We are the slave side of an ACL link */

        hci->lm.role_bmp &= ~(1 << hci->lm.last_handle);

        hci->lm.handle[hci->lm.last_handle].lmp_acl_data =

                link->host->lmp_acl_resp;

    }

    /* Mode */

    if (master) {

        link->acl_mode = acl_active;

        hci->lm.handle[hci->lm.last_handle].acl_mode_timer =

                qemu_new_timer_ns(vm_clock, bt_hci_mode_tick, link);

    }

}

static void bt_hci_lmp_link_teardown(struct bt_hci_s *hci, uint16_t handle)

{

    handle &= ~HCI_HANDLE_OFFSET;

    hci->lm.handle[handle].link = NULL;

    if (bt_hci_role_master(hci, handle)) {

        qemu_del_timer(hci->lm.handle[handle].acl_mode_timer);

        qemu_free_timer(hci->lm.handle[handle].acl_mode_timer);

    }

}

static int bt_hci_connect(struct bt_hci_s *hci, bdaddr_t *bdaddr)

{

    struct bt_device_s *slave;

    struct bt_link_s link;

    for (slave = hci->device.net->slave; slave; slave = slave->next)

        if (slave->page_scan && !bacmp(&slave->bd_addr, bdaddr))

            break;

    if (!slave || slave == &hci->device)

        return -ENODEV;

    bacpy(&hci->lm.awaiting_bdaddr[hci->lm.connecting ++], &slave->bd_addr);

    link.slave = slave;

    link.host = &hci->device;

    link.slave->lmp_connection_request(&link);        /* Always last */

    return 0;

}

static void bt_hci_connection_reject(struct bt_hci_s *hci,

                struct bt_device_s *host, uint8_t because)

{

    struct bt_link_s link = {

        .slave        = &hci->device,

        .host        = host,

        /* Rest uninitialised */

    };

    host->reject_reason = because;

    host->lmp_connection_complete(&link);

}

static void bt_hci_connection_reject_event(struct bt_hci_s *hci,

                bdaddr_t *bdaddr)

{

    evt_conn_complete params;

    params.status        = HCI_NO_CONNECTION;

    params.handle        = 0;

    bacpy(&params.bdaddr, bdaddr);

    params.link_type        = ACL_LINK;

    params.encr_mode        = 0x00;                /* Encryption not required */

    bt_hci_event(hci, EVT_CONN_COMPLETE, &params, EVT_CONN_COMPLETE_SIZE);

}

static void bt_hci_connection_accept(struct bt_hci_s *hci,

                struct bt_device_s *host)

{

    struct bt_hci_link_s *link = qemu_mallocz(sizeof(struct bt_hci_link_s));

    evt_conn_complete params;

    uint16_t handle;

    uint8_t status = HCI_SUCCESS;

    int tries = HCI_HANDLES_MAX;

    /* Make a connection handle */

    do {

        while (hci->lm.handle[++ hci->lm.last_handle].link && -- tries)

            hci->lm.last_handle &= HCI_HANDLES_MAX - 1;

        handle = hci->lm.last_handle | HCI_HANDLE_OFFSET;

    } while ((handle == hci->asb_handle || handle == hci->psb_handle) &&

            tries);

    if (!tries) {

        qemu_free(link);

        bt_hci_connection_reject(hci, host, HCI_REJECTED_LIMITED_RESOURCES);

        status = HCI_NO_CONNECTION;

        goto complete;

    }

    link->btlink.slave        = &hci->device;

    link->btlink.host        = host;

    link->handle = handle;

    /* Link established */

    bt_hci_lmp_link_establish(hci, &link->btlink, 0);

complete:

    params.status        = status;

    params.handle        = HNDL(handle);

    bacpy(&params.bdaddr, &host->bd_addr);

    params.link_type        = ACL_LINK;

    params.encr_mode        = 0x00;                /* Encryption not required */

    bt_hci_event(hci, EVT_CONN_COMPLETE, &params, EVT_CONN_COMPLETE_SIZE);

    /* Neets to be done at the very end because it can trigger a (nested)

     * disconnected, in case the other and had cancelled the request

     * locally.  */

    if (status == HCI_SUCCESS) {

        host->reject_reason = 0;

        host->lmp_connection_complete(&link->btlink);

    }

}

static void bt_hci_lmp_connection_request(struct bt_link_s *link)

{

    struct bt_hci_s *hci = hci_from_device(link->slave);

    evt_conn_request params;

    if (hci->conn_req_host) {

        bt_hci_connection_reject(hci, link->host,

                                 HCI_REJECTED_LIMITED_RESOURCES);

        return;

    }

    hci->conn_req_host = link->host;

    /* TODO: if masked and auto-accept, then auto-accept,

     * if masked and not auto-accept, then auto-reject */

    /* TODO: kick the hci->conn_accept_timer, timeout after

     * hci->conn_accept_tout * 0.625 msec */

    bacpy(&params.bdaddr, &link->host->bd_addr);

    memcpy(&params.dev_class, &link->host->class, sizeof(params.dev_class));

    params.link_type        = ACL_LINK;

    bt_hci_event(hci, EVT_CONN_REQUEST, &params, EVT_CONN_REQUEST_SIZE);

    return;

}

static void bt_hci_conn_accept_timeout(void *opaque)

{

    struct bt_hci_s *hci = (struct bt_hci_s *) opaque;

    if (!hci->conn_req_host)

        /* Already accepted or rejected.  If the other end cancelled the

         * connection request then we still have to reject or accept it

         * and then we'll get a disconnect.  */

        return;

    /* TODO */

}

/* Remove from the list of devices which we wanted to connect to and

 * are awaiting a response from.  If the callback sees a response from

 * a device which is not on the list it will assume it's a connection

 * that's been cancelled by the host in the meantime and immediately

 * try to detach the link and send a Connection Complete.  */

static int bt_hci_lmp_connection_ready(struct bt_hci_s *hci,

                bdaddr_t *bdaddr)

{

    int i;

    for (i = 0; i < hci->lm.connecting; i ++)

        if (!bacmp(&hci->lm.awaiting_bdaddr[i], bdaddr)) {

            if (i < -- hci->lm.connecting)

                bacpy(&hci->lm.awaiting_bdaddr[i],

                                &hci->lm.awaiting_bdaddr[hci->lm.connecting]);

            return 0;

        }

    return 1;

}

static void bt_hci_lmp_connection_complete(struct bt_link_s *link)

{

    struct bt_hci_s *hci = hci_from_device(link->host);

    evt_conn_complete params;

    uint16_t handle;

    uint8_t status = HCI_SUCCESS;

    int tries = HCI_HANDLES_MAX;

    if (bt_hci_lmp_connection_ready(hci, &link->slave->bd_addr)) {

        if (!hci->device.reject_reason)

            link->slave->lmp_disconnect_slave(link);

        handle = 0;

        status = HCI_NO_CONNECTION;

        goto complete;

    }

    if (hci->device.reject_reason) {

        handle = 0;

        status = hci->device.reject_reason;

        goto complete;

    }

    /* Make a connection handle */

    do {

        while (hci->lm.handle[++ hci->lm.last_handle].link && -- tries)

            hci->lm.last_handle &= HCI_HANDLES_MAX - 1;

        handle = hci->lm.last_handle | HCI_HANDLE_OFFSET;

    } while ((handle == hci->asb_handle || handle == hci->psb_handle) &&

            tries);

    if (!tries) {

        link->slave->lmp_disconnect_slave(link);

        status = HCI_NO_CONNECTION;

        goto complete;

    }

    /* Link established */

    link->handle = handle;

    bt_hci_lmp_link_establish(hci, link, 1);

complete:

    params.status        = status;

    params.handle        = HNDL(handle);

    params.link_type        = ACL_LINK;

    bacpy(&params.bdaddr, &link->slave->bd_addr);

    params.encr_mode        = 0x00;                /* Encryption not required */

    bt_hci_event(hci, EVT_CONN_COMPLETE, &params, EVT_CONN_COMPLETE_SIZE);

}

static void bt_hci_disconnect(struct bt_hci_s *hci,

                uint16_t handle, int reason)

{

    struct bt_link_s *btlink =

            hci->lm.handle[handle & ~HCI_HANDLE_OFFSET].link;

    struct bt_hci_link_s *link;

    evt_disconn_complete params;

    if (bt_hci_role_master(hci, handle)) {

        btlink->slave->reject_reason = reason;

        btlink->slave->lmp_disconnect_slave(btlink);

        /* The link pointer is invalid from now on */

        goto complete;

    }

    btlink->host->reject_reason = reason;

    btlink->host->lmp_disconnect_master(btlink);

    /* We are the slave, we get to clean this burden */

    link = (struct bt_hci_link_s *) btlink;

    qemu_free(link);

complete:

    bt_hci_lmp_link_teardown(hci, handle);