]> git.proxmox.com Git - mirror_ubuntu-zesty-kernel.git/blob - drivers/bluetooth/btusb.c
projects / mirror_ubuntu-zesty-kernel.git / blob
? search:


9cf3796f92aacbf55a438248f966d84d9476709b
[mirror_ubuntu-zesty-kernel.git] / drivers / bluetooth / btusb.c
1 /*
2 *
3 * Generic Bluetooth USB driver
4 *
5 * Copyright (C) 2005-2008 Marcel Holtmann <marcel@holtmann.org>
6 *
7 *
8 * This program is free software; you can redistribute it and/or modify
9 * it under the terms of the GNU General Public License as published by
10 * the Free Software Foundation; either version 2 of the License, or
11 * (at your option) any later version.
12 *
13 * This program is distributed in the hope that it will be useful,
14 * but WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 * GNU General Public License for more details.
17 *
18 * You should have received a copy of the GNU General Public License
19 * along with this program; if not, write to the Free Software
20 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
21 *
22 */
23
24 #include <linux/module.h>
25 #include <linux/usb.h>
26 #include <linux/firmware.h>
27 #include <asm/unaligned.h>
28
29 #include <net/bluetooth/bluetooth.h>
30 #include <net/bluetooth/hci_core.h>
31
32 #include "btintel.h"
33 #include "btbcm.h"
34 #include "btrtl.h"
35
36 #define VERSION "0.8"
37
38 static bool disable_scofix;
39 static bool force_scofix;
40
41 static bool reset = true;
42
43 static struct usb_driver btusb_driver;
44
45 #define BTUSB_IGNORE 0x01
46 #define BTUSB_DIGIANSWER 0x02
47 #define BTUSB_CSR 0x04
48 #define BTUSB_SNIFFER 0x08
49 #define BTUSB_BCM92035 0x10
50 #define BTUSB_BROKEN_ISOC 0x20
51 #define BTUSB_WRONG_SCO_MTU 0x40
52 #define BTUSB_ATH3012 0x80
53 #define BTUSB_INTEL 0x100
54 #define BTUSB_INTEL_BOOT 0x200
55 #define BTUSB_BCM_PATCHRAM 0x400
56 #define BTUSB_MARVELL 0x800
57 #define BTUSB_SWAVE 0x1000
58 #define BTUSB_INTEL_NEW 0x2000
59 #define BTUSB_AMP 0x4000
60 #define BTUSB_QCA_ROME 0x8000
61 #define BTUSB_BCM_APPLE 0x10000
62 #define BTUSB_REALTEK 0x20000
63
64 static const struct usb_device_id btusb_table[] = {
65 /* Generic Bluetooth USB device */
66 { USB_DEVICE_INFO(0xe0, 0x01, 0x01) },
67
68 /* Generic Bluetooth AMP device */
69 { USB_DEVICE_INFO(0xe0, 0x01, 0x04), .driver_info = BTUSB_AMP },
70
71 /* Generic Bluetooth USB interface */
72 { USB_INTERFACE_INFO(0xe0, 0x01, 0x01) },
73
74 /* Apple-specific (Broadcom) devices */
75 { USB_VENDOR_AND_INTERFACE_INFO(0x05ac, 0xff, 0x01, 0x01),
76 .driver_info = BTUSB_BCM_APPLE },
77
78 /* MediaTek MT76x0E */
79 { USB_DEVICE(0x0e8d, 0x763f) },
80
81 /* Broadcom SoftSailing reporting vendor specific */
82 { USB_DEVICE(0x0a5c, 0x21e1) },
83
84 /* Apple MacBookPro 7,1 */
85 { USB_DEVICE(0x05ac, 0x8213) },
86
87 /* Apple iMac11,1 */
88 { USB_DEVICE(0x05ac, 0x8215) },
89
90 /* Apple MacBookPro6,2 */
91 { USB_DEVICE(0x05ac, 0x8218) },
92
93 /* Apple MacBookAir3,1, MacBookAir3,2 */
94 { USB_DEVICE(0x05ac, 0x821b) },
95
96 /* Apple MacBookAir4,1 */
97 { USB_DEVICE(0x05ac, 0x821f) },
98
99 /* Apple MacBookPro8,2 */
100 { USB_DEVICE(0x05ac, 0x821a) },
101
102 /* Apple MacMini5,1 */
103 { USB_DEVICE(0x05ac, 0x8281) },
104
105 /* AVM BlueFRITZ! USB v2.0 */
106 { USB_DEVICE(0x057c, 0x3800), .driver_info = BTUSB_SWAVE },
107
108 /* Bluetooth Ultraport Module from IBM */
109 { USB_DEVICE(0x04bf, 0x030a) },
110
111 /* ALPS Modules with non-standard id */
112 { USB_DEVICE(0x044e, 0x3001) },
113 { USB_DEVICE(0x044e, 0x3002) },
114
115 /* Ericsson with non-standard id */
116 { USB_DEVICE(0x0bdb, 0x1002) },
117
118 /* Canyon CN-BTU1 with HID interfaces */
119 { USB_DEVICE(0x0c10, 0x0000) },
120
121 /* Broadcom BCM20702A0 */
122 { USB_DEVICE(0x413c, 0x8197) },
123
124 /* Broadcom BCM20702B0 (Dynex/Insignia) */
125 { USB_DEVICE(0x19ff, 0x0239), .driver_info = BTUSB_BCM_PATCHRAM },
126
127 /* Foxconn - Hon Hai */
128 { USB_VENDOR_AND_INTERFACE_INFO(0x0489, 0xff, 0x01, 0x01),
129 .driver_info = BTUSB_BCM_PATCHRAM },
130
131 /* Lite-On Technology - Broadcom based */
132 { USB_VENDOR_AND_INTERFACE_INFO(0x04ca, 0xff, 0x01, 0x01),
133 .driver_info = BTUSB_BCM_PATCHRAM },
134
135 /* Broadcom devices with vendor specific id */
136 { USB_VENDOR_AND_INTERFACE_INFO(0x0a5c, 0xff, 0x01, 0x01),
137 .driver_info = BTUSB_BCM_PATCHRAM },
138
139 /* ASUSTek Computer - Broadcom based */
140 { USB_VENDOR_AND_INTERFACE_INFO(0x0b05, 0xff, 0x01, 0x01),
141 .driver_info = BTUSB_BCM_PATCHRAM },
142
143 /* Belkin F8065bf - Broadcom based */
144 { USB_VENDOR_AND_INTERFACE_INFO(0x050d, 0xff, 0x01, 0x01),
145 .driver_info = BTUSB_BCM_PATCHRAM },
146
147 /* IMC Networks - Broadcom based */
148 { USB_VENDOR_AND_INTERFACE_INFO(0x13d3, 0xff, 0x01, 0x01),
149 .driver_info = BTUSB_BCM_PATCHRAM },
150
151 /* Intel Bluetooth USB Bootloader (RAM module) */
152 { USB_DEVICE(0x8087, 0x0a5a),
153 .driver_info = BTUSB_INTEL_BOOT | BTUSB_BROKEN_ISOC },
154
155 { } /* Terminating entry */
156 };
157
158 MODULE_DEVICE_TABLE(usb, btusb_table);
159
160 static const struct usb_device_id blacklist_table[] = {
161 /* CSR BlueCore devices */
162 { USB_DEVICE(0x0a12, 0x0001), .driver_info = BTUSB_CSR },
163
164 /* Broadcom BCM2033 without firmware */
165 { USB_DEVICE(0x0a5c, 0x2033), .driver_info = BTUSB_IGNORE },
166
167 /* Atheros 3011 with sflash firmware */
168 { USB_DEVICE(0x0489, 0xe027), .driver_info = BTUSB_IGNORE },
169 { USB_DEVICE(0x0489, 0xe03d), .driver_info = BTUSB_IGNORE },
170 { USB_DEVICE(0x04f2, 0xaff1), .driver_info = BTUSB_IGNORE },
171 { USB_DEVICE(0x0930, 0x0215), .driver_info = BTUSB_IGNORE },
172 { USB_DEVICE(0x0cf3, 0x3002), .driver_info = BTUSB_IGNORE },
173 { USB_DEVICE(0x0cf3, 0xe019), .driver_info = BTUSB_IGNORE },
174 { USB_DEVICE(0x13d3, 0x3304), .driver_info = BTUSB_IGNORE },
175
176 /* Atheros AR9285 Malbec with sflash firmware */
177 { USB_DEVICE(0x03f0, 0x311d), .driver_info = BTUSB_IGNORE },
178
179 /* Atheros 3012 with sflash firmware */
180 { USB_DEVICE(0x0489, 0xe04d), .driver_info = BTUSB_ATH3012 },
181 { USB_DEVICE(0x0489, 0xe04e), .driver_info = BTUSB_ATH3012 },
182 { USB_DEVICE(0x0489, 0xe056), .driver_info = BTUSB_ATH3012 },
183 { USB_DEVICE(0x0489, 0xe057), .driver_info = BTUSB_ATH3012 },
184 { USB_DEVICE(0x0489, 0xe05f), .driver_info = BTUSB_ATH3012 },
185 { USB_DEVICE(0x0489, 0xe076), .driver_info = BTUSB_ATH3012 },
186 { USB_DEVICE(0x0489, 0xe078), .driver_info = BTUSB_ATH3012 },
187 { USB_DEVICE(0x04c5, 0x1330), .driver_info = BTUSB_ATH3012 },
188 { USB_DEVICE(0x04ca, 0x3004), .driver_info = BTUSB_ATH3012 },
189 { USB_DEVICE(0x04ca, 0x3005), .driver_info = BTUSB_ATH3012 },
190 { USB_DEVICE(0x04ca, 0x3006), .driver_info = BTUSB_ATH3012 },
191 { USB_DEVICE(0x04ca, 0x3007), .driver_info = BTUSB_ATH3012 },
192 { USB_DEVICE(0x04ca, 0x3008), .driver_info = BTUSB_ATH3012 },
193 { USB_DEVICE(0x04ca, 0x300b), .driver_info = BTUSB_ATH3012 },
194 { USB_DEVICE(0x04ca, 0x300d), .driver_info = BTUSB_ATH3012 },
195 { USB_DEVICE(0x04ca, 0x300f), .driver_info = BTUSB_ATH3012 },
196 { USB_DEVICE(0x04ca, 0x3010), .driver_info = BTUSB_ATH3012 },
197 { USB_DEVICE(0x0930, 0x0219), .driver_info = BTUSB_ATH3012 },
198 { USB_DEVICE(0x0930, 0x0220), .driver_info = BTUSB_ATH3012 },
199 { USB_DEVICE(0x0930, 0x0227), .driver_info = BTUSB_ATH3012 },
200 { USB_DEVICE(0x0b05, 0x17d0), .driver_info = BTUSB_ATH3012 },
201 { USB_DEVICE(0x0cf3, 0x0036), .driver_info = BTUSB_ATH3012 },
202 { USB_DEVICE(0x0cf3, 0x3004), .driver_info = BTUSB_ATH3012 },
203 { USB_DEVICE(0x0cf3, 0x3008), .driver_info = BTUSB_ATH3012 },
204 { USB_DEVICE(0x0cf3, 0x311d), .driver_info = BTUSB_ATH3012 },
205 { USB_DEVICE(0x0cf3, 0x311e), .driver_info = BTUSB_ATH3012 },
206 { USB_DEVICE(0x0cf3, 0x311f), .driver_info = BTUSB_ATH3012 },
207 { USB_DEVICE(0x0cf3, 0x3121), .driver_info = BTUSB_ATH3012 },
208 { USB_DEVICE(0x0cf3, 0x817a), .driver_info = BTUSB_ATH3012 },
209 { USB_DEVICE(0x0cf3, 0xe003), .driver_info = BTUSB_ATH3012 },
210 { USB_DEVICE(0x0cf3, 0xe004), .driver_info = BTUSB_ATH3012 },
211 { USB_DEVICE(0x0cf3, 0xe005), .driver_info = BTUSB_ATH3012 },
212 { USB_DEVICE(0x0cf3, 0xe006), .driver_info = BTUSB_ATH3012 },
213 { USB_DEVICE(0x13d3, 0x3362), .driver_info = BTUSB_ATH3012 },
214 { USB_DEVICE(0x13d3, 0x3375), .driver_info = BTUSB_ATH3012 },
215 { USB_DEVICE(0x13d3, 0x3393), .driver_info = BTUSB_ATH3012 },
216 { USB_DEVICE(0x13d3, 0x3402), .driver_info = BTUSB_ATH3012 },
217 { USB_DEVICE(0x13d3, 0x3408), .driver_info = BTUSB_ATH3012 },
218 { USB_DEVICE(0x13d3, 0x3423), .driver_info = BTUSB_ATH3012 },
219 { USB_DEVICE(0x13d3, 0x3432), .driver_info = BTUSB_ATH3012 },
220 { USB_DEVICE(0x13d3, 0x3474), .driver_info = BTUSB_ATH3012 },
221
222 /* Atheros AR5BBU12 with sflash firmware */
223 { USB_DEVICE(0x0489, 0xe02c), .driver_info = BTUSB_IGNORE },
224
225 /* Atheros AR5BBU12 with sflash firmware */
226 { USB_DEVICE(0x0489, 0xe036), .driver_info = BTUSB_ATH3012 },
227 { USB_DEVICE(0x0489, 0xe03c), .driver_info = BTUSB_ATH3012 },
228
229 /* QCA ROME chipset */
230 { USB_DEVICE(0x0cf3, 0xe007), .driver_info = BTUSB_QCA_ROME },
231 { USB_DEVICE(0x0cf3, 0xe300), .driver_info = BTUSB_QCA_ROME },
232 { USB_DEVICE(0x0cf3, 0xe360), .driver_info = BTUSB_QCA_ROME },
233
234 /* Broadcom BCM2035 */
235 { USB_DEVICE(0x0a5c, 0x2009), .driver_info = BTUSB_BCM92035 },
236 { USB_DEVICE(0x0a5c, 0x200a), .driver_info = BTUSB_WRONG_SCO_MTU },
237 { USB_DEVICE(0x0a5c, 0x2035), .driver_info = BTUSB_WRONG_SCO_MTU },
238
239 /* Broadcom BCM2045 */
240 { USB_DEVICE(0x0a5c, 0x2039), .driver_info = BTUSB_WRONG_SCO_MTU },
241 { USB_DEVICE(0x0a5c, 0x2101), .driver_info = BTUSB_WRONG_SCO_MTU },
242
243 /* IBM/Lenovo ThinkPad with Broadcom chip */
244 { USB_DEVICE(0x0a5c, 0x201e), .driver_info = BTUSB_WRONG_SCO_MTU },
245 { USB_DEVICE(0x0a5c, 0x2110), .driver_info = BTUSB_WRONG_SCO_MTU },
246
247 /* HP laptop with Broadcom chip */
248 { USB_DEVICE(0x03f0, 0x171d), .driver_info = BTUSB_WRONG_SCO_MTU },
249
250 /* Dell laptop with Broadcom chip */
251 { USB_DEVICE(0x413c, 0x8126), .driver_info = BTUSB_WRONG_SCO_MTU },
252
253 /* Dell Wireless 370 and 410 devices */
254 { USB_DEVICE(0x413c, 0x8152), .driver_info = BTUSB_WRONG_SCO_MTU },
255 { USB_DEVICE(0x413c, 0x8156), .driver_info = BTUSB_WRONG_SCO_MTU },
256
257 /* Belkin F8T012 and F8T013 devices */
258 { USB_DEVICE(0x050d, 0x0012), .driver_info = BTUSB_WRONG_SCO_MTU },
259 { USB_DEVICE(0x050d, 0x0013), .driver_info = BTUSB_WRONG_SCO_MTU },
260
261 /* Asus WL-BTD202 device */
262 { USB_DEVICE(0x0b05, 0x1715), .driver_info = BTUSB_WRONG_SCO_MTU },
263
264 /* Kensington Bluetooth USB adapter */
265 { USB_DEVICE(0x047d, 0x105e), .driver_info = BTUSB_WRONG_SCO_MTU },
266
267 /* RTX Telecom based adapters with buggy SCO support */
268 { USB_DEVICE(0x0400, 0x0807), .driver_info = BTUSB_BROKEN_ISOC },
269 { USB_DEVICE(0x0400, 0x080a), .driver_info = BTUSB_BROKEN_ISOC },
270
271 /* CONWISE Technology based adapters with buggy SCO support */
272 { USB_DEVICE(0x0e5e, 0x6622), .driver_info = BTUSB_BROKEN_ISOC },
273
274 /* Roper Class 1 Bluetooth Dongle (Silicon Wave based) */
275 { USB_DEVICE(0x1310, 0x0001), .driver_info = BTUSB_SWAVE },
276
277 /* Digianswer devices */
278 { USB_DEVICE(0x08fd, 0x0001), .driver_info = BTUSB_DIGIANSWER },
279 { USB_DEVICE(0x08fd, 0x0002), .driver_info = BTUSB_IGNORE },
280
281 /* CSR BlueCore Bluetooth Sniffer */
282 { USB_DEVICE(0x0a12, 0x0002),
283 .driver_info = BTUSB_SNIFFER | BTUSB_BROKEN_ISOC },
284
285 /* Frontline ComProbe Bluetooth Sniffer */
286 { USB_DEVICE(0x16d3, 0x0002),
287 .driver_info = BTUSB_SNIFFER | BTUSB_BROKEN_ISOC },
288
289 /* Marvell Bluetooth devices */
290 { USB_DEVICE(0x1286, 0x2044), .driver_info = BTUSB_MARVELL },
291 { USB_DEVICE(0x1286, 0x2046), .driver_info = BTUSB_MARVELL },
292
293 /* Intel Bluetooth devices */
294 { USB_DEVICE(0x8087, 0x07da), .driver_info = BTUSB_CSR },
295 { USB_DEVICE(0x8087, 0x07dc), .driver_info = BTUSB_INTEL },
296 { USB_DEVICE(0x8087, 0x0a2a), .driver_info = BTUSB_INTEL },
297 { USB_DEVICE(0x8087, 0x0a2b), .driver_info = BTUSB_INTEL_NEW },
298
299 /* Other Intel Bluetooth devices */
300 { USB_VENDOR_AND_INTERFACE_INFO(0x8087, 0xe0, 0x01, 0x01),
301 .driver_info = BTUSB_IGNORE },
302
303 /* Realtek Bluetooth devices */
304 { USB_VENDOR_AND_INTERFACE_INFO(0x0bda, 0xe0, 0x01, 0x01),
305 .driver_info = BTUSB_REALTEK },
306
307 /* Additional Realtek 8723AE Bluetooth devices */
308 { USB_DEVICE(0x0930, 0x021d), .driver_info = BTUSB_REALTEK },
309 { USB_DEVICE(0x13d3, 0x3394), .driver_info = BTUSB_REALTEK },
310
311 /* Additional Realtek 8723BE Bluetooth devices */
312 { USB_DEVICE(0x0489, 0xe085), .driver_info = BTUSB_REALTEK },
313 { USB_DEVICE(0x0489, 0xe08b), .driver_info = BTUSB_REALTEK },
314 { USB_DEVICE(0x13d3, 0x3410), .driver_info = BTUSB_REALTEK },
315 { USB_DEVICE(0x13d3, 0x3416), .driver_info = BTUSB_REALTEK },
316 { USB_DEVICE(0x13d3, 0x3459), .driver_info = BTUSB_REALTEK },
317
318 /* Additional Realtek 8821AE Bluetooth devices */
319 { USB_DEVICE(0x0b05, 0x17dc), .driver_info = BTUSB_REALTEK },
320 { USB_DEVICE(0x13d3, 0x3414), .driver_info = BTUSB_REALTEK },
321 { USB_DEVICE(0x13d3, 0x3458), .driver_info = BTUSB_REALTEK },
322 { USB_DEVICE(0x13d3, 0x3461), .driver_info = BTUSB_REALTEK },
323 { USB_DEVICE(0x13d3, 0x3462), .driver_info = BTUSB_REALTEK },
324
325 /* Silicon Wave based devices */
326 { USB_DEVICE(0x0c10, 0x0000), .driver_info = BTUSB_SWAVE },
327
328 { } /* Terminating entry */
329 };
330
331 #define BTUSB_MAX_ISOC_FRAMES 10
332
333 #define BTUSB_INTR_RUNNING 0
334 #define BTUSB_BULK_RUNNING 1
335 #define BTUSB_ISOC_RUNNING 2
336 #define BTUSB_SUSPENDING 3
337 #define BTUSB_DID_ISO_RESUME 4
338 #define BTUSB_BOOTLOADER 5
339 #define BTUSB_DOWNLOADING 6
340 #define BTUSB_FIRMWARE_LOADED 7
341 #define BTUSB_FIRMWARE_FAILED 8
342 #define BTUSB_BOOTING 9
343 #define BTUSB_RESET_RESUME 10
344
345 struct btusb_data {
346 struct hci_dev *hdev;
347 struct usb_device *udev;
348 struct usb_interface *intf;
349 struct usb_interface *isoc;
350
351 unsigned long flags;
352
353 struct work_struct work;
354 struct work_struct waker;
355
356 struct usb_anchor deferred;
357 struct usb_anchor tx_anchor;
358 int tx_in_flight;
359 spinlock_t txlock;
360
361 struct usb_anchor intr_anchor;
362 struct usb_anchor bulk_anchor;
363 struct usb_anchor isoc_anchor;
364 spinlock_t rxlock;
365
366 struct sk_buff *evt_skb;
367 struct sk_buff *acl_skb;
368 struct sk_buff *sco_skb;
369
370 struct usb_endpoint_descriptor *intr_ep;
371 struct usb_endpoint_descriptor *bulk_tx_ep;
372 struct usb_endpoint_descriptor *bulk_rx_ep;
373 struct usb_endpoint_descriptor *isoc_tx_ep;
374 struct usb_endpoint_descriptor *isoc_rx_ep;
375
376 __u8 cmdreq_type;
377 __u8 cmdreq;
378
379 unsigned int sco_num;
380 int isoc_altsetting;
381 int suspend_count;
382
383 int (*recv_event)(struct hci_dev *hdev, struct sk_buff *skb);
384 int (*recv_bulk)(struct btusb_data *data, void *buffer, int count);
385
386 int (*setup_on_usb)(struct hci_dev *hdev);
387 };
388
389 static inline void btusb_free_frags(struct btusb_data *data)
390 {
391 unsigned long flags;
392
393 spin_lock_irqsave(&data->rxlock, flags);
394
395 kfree_skb(data->evt_skb);
396 data->evt_skb = NULL;
397
398 kfree_skb(data->acl_skb);
399 data->acl_skb = NULL;
400
401 kfree_skb(data->sco_skb);
402 data->sco_skb = NULL;
403
404 spin_unlock_irqrestore(&data->rxlock, flags);
405 }
406
407 static int btusb_recv_intr(struct btusb_data *data, void *buffer, int count)
408 {
409 struct sk_buff *skb;
410 int err = 0;
411
412 spin_lock(&data->rxlock);
413 skb = data->evt_skb;
414
415 while (count) {
416 int len;
417
418 if (!skb) {
419 skb = bt_skb_alloc(HCI_MAX_EVENT_SIZE, GFP_ATOMIC);
420 if (!skb) {
421 err = -ENOMEM;
422 break;
423 }
424
425 bt_cb(skb)->pkt_type = HCI_EVENT_PKT;
426 bt_cb(skb)->expect = HCI_EVENT_HDR_SIZE;
427 }
428
429 len = min_t(uint, bt_cb(skb)->expect, count);
430 memcpy(skb_put(skb, len), buffer, len);
431
432 count -= len;
433 buffer += len;
434 bt_cb(skb)->expect -= len;
435
436 if (skb->len == HCI_EVENT_HDR_SIZE) {
437 /* Complete event header */
438 bt_cb(skb)->expect = hci_event_hdr(skb)->plen;
439
440 if (skb_tailroom(skb) < bt_cb(skb)->expect) {
441 kfree_skb(skb);
442 skb = NULL;
443
444 err = -EILSEQ;
445 break;
446 }
447 }
448
449 if (bt_cb(skb)->expect == 0) {
450 /* Complete frame */
451 data->recv_event(data->hdev, skb);
452 skb = NULL;
453 }
454 }
455
456 data->evt_skb = skb;
457 spin_unlock(&data->rxlock);
458
459 return err;
460 }
461
462 static int btusb_recv_bulk(struct btusb_data *data, void *buffer, int count)
463 {
464 struct sk_buff *skb;
465 int err = 0;
466
467 spin_lock(&data->rxlock);
468 skb = data->acl_skb;
469
470 while (count) {
471 int len;
472
473 if (!skb) {
474 skb = bt_skb_alloc(HCI_MAX_FRAME_SIZE, GFP_ATOMIC);
475 if (!skb) {
476 err = -ENOMEM;
477 break;
478 }
479
480 bt_cb(skb)->pkt_type = HCI_ACLDATA_PKT;
481 bt_cb(skb)->expect = HCI_ACL_HDR_SIZE;
482 }
483
484 len = min_t(uint, bt_cb(skb)->expect, count);
485 memcpy(skb_put(skb, len), buffer, len);
486
487 count -= len;
488 buffer += len;
489 bt_cb(skb)->expect -= len;
490
491 if (skb->len == HCI_ACL_HDR_SIZE) {
492 __le16 dlen = hci_acl_hdr(skb)->dlen;
493
494 /* Complete ACL header */
495 bt_cb(skb)->expect = __le16_to_cpu(dlen);
496
497 if (skb_tailroom(skb) < bt_cb(skb)->expect) {
498 kfree_skb(skb);
499 skb = NULL;
500
501 err = -EILSEQ;
502 break;
503 }
504 }
505
506 if (bt_cb(skb)->expect == 0) {
507 /* Complete frame */
508 hci_recv_frame(data->hdev, skb);
509 skb = NULL;
510 }
511 }
512
513 data->acl_skb = skb;
514 spin_unlock(&data->rxlock);
515
516 return err;
517 }
518
519 static int btusb_recv_isoc(struct btusb_data *data, void *buffer, int count)
520 {
521 struct sk_buff *skb;
522 int err = 0;
523
524 spin_lock(&data->rxlock);
525 skb = data->sco_skb;
526
527 while (count) {
528 int len;
529
530 if (!skb) {
531 skb = bt_skb_alloc(HCI_MAX_SCO_SIZE, GFP_ATOMIC);
532 if (!skb) {
533 err = -ENOMEM;
534 break;
535 }
536
537 bt_cb(skb)->pkt_type = HCI_SCODATA_PKT;
538 bt_cb(skb)->expect = HCI_SCO_HDR_SIZE;
539 }
540
541 len = min_t(uint, bt_cb(skb)->expect, count);
542 memcpy(skb_put(skb, len), buffer, len);
543
544 count -= len;
545 buffer += len;
546 bt_cb(skb)->expect -= len;
547
548 if (skb->len == HCI_SCO_HDR_SIZE) {
549 /* Complete SCO header */
550 bt_cb(skb)->expect = hci_sco_hdr(skb)->dlen;
551
552 if (skb_tailroom(skb) < bt_cb(skb)->expect) {
553 kfree_skb(skb);
554 skb = NULL;
555
556 err = -EILSEQ;
557 break;
558 }
559 }
560
561 if (bt_cb(skb)->expect == 0) {
562 /* Complete frame */
563 hci_recv_frame(data->hdev, skb);
564 skb = NULL;
565 }
566 }
567
568 data->sco_skb = skb;
569 spin_unlock(&data->rxlock);
570
571 return err;
572 }
573
574 static void btusb_intr_complete(struct urb *urb)
575 {
576 struct hci_dev *hdev = urb->context;
577 struct btusb_data *data = hci_get_drvdata(hdev);
578 int err;
579
580 BT_DBG("%s urb %p status %d count %d", hdev->name, urb, urb->status,
581 urb->actual_length);
582
583 if (!test_bit(HCI_RUNNING, &hdev->flags))
584 return;
585
586 if (urb->status == 0) {
587 hdev->stat.byte_rx += urb->actual_length;
588
589 if (btusb_recv_intr(data, urb->transfer_buffer,
590 urb->actual_length) < 0) {
591 BT_ERR("%s corrupted event packet", hdev->name);
592 hdev->stat.err_rx++;
593 }
594 } else if (urb->status == -ENOENT) {
595 /* Avoid suspend failed when usb_kill_urb */
596 return;
597 }
598
599 if (!test_bit(BTUSB_INTR_RUNNING, &data->flags))
600 return;
601
602 usb_mark_last_busy(data->udev);
603 usb_anchor_urb(urb, &data->intr_anchor);
604
605 err = usb_submit_urb(urb, GFP_ATOMIC);
606 if (err < 0) {
607 /* -EPERM: urb is being killed;
608 * -ENODEV: device got disconnected */
609 if (err != -EPERM && err != -ENODEV)
610 BT_ERR("%s urb %p failed to resubmit (%d)",
611 hdev->name, urb, -err);
612 usb_unanchor_urb(urb);
613 }
614 }
615
616 static int btusb_submit_intr_urb(struct hci_dev *hdev, gfp_t mem_flags)
617 {
618 struct btusb_data *data = hci_get_drvdata(hdev);
619 struct urb *urb;
620 unsigned char *buf;
621 unsigned int pipe;
622 int err, size;
623
624 BT_DBG("%s", hdev->name);
625
626 if (!data->intr_ep)
627 return -ENODEV;
628
629 urb = usb_alloc_urb(0, mem_flags);
630 if (!urb)
631 return -ENOMEM;
632
633 size = le16_to_cpu(data->intr_ep->wMaxPacketSize);
634
635 buf = kmalloc(size, mem_flags);
636 if (!buf) {
637 usb_free_urb(urb);
638 return -ENOMEM;
639 }
640
641 pipe = usb_rcvintpipe(data->udev, data->intr_ep->bEndpointAddress);
642
643 usb_fill_int_urb(urb, data->udev, pipe, buf, size,
644 btusb_intr_complete, hdev, data->intr_ep->bInterval);
645
646 urb->transfer_flags |= URB_FREE_BUFFER;
647
648 usb_anchor_urb(urb, &data->intr_anchor);
649
650 err = usb_submit_urb(urb, mem_flags);
651 if (err < 0) {
652 if (err != -EPERM && err != -ENODEV)
653 BT_ERR("%s urb %p submission failed (%d)",
654 hdev->name, urb, -err);
655 usb_unanchor_urb(urb);
656 }
657
658 usb_free_urb(urb);
659
660 return err;
661 }
662
663 static void btusb_bulk_complete(struct urb *urb)
664 {
665 struct hci_dev *hdev = urb->context;
666 struct btusb_data *data = hci_get_drvdata(hdev);
667 int err;
668
669 BT_DBG("%s urb %p status %d count %d", hdev->name, urb, urb->status,
670 urb->actual_length);
671
672 if (!test_bit(HCI_RUNNING, &hdev->flags))
673 return;
674
675 if (urb->status == 0) {
676 hdev->stat.byte_rx += urb->actual_length;
677
678 if (data->recv_bulk(data, urb->transfer_buffer,
679 urb->actual_length) < 0) {
680 BT_ERR("%s corrupted ACL packet", hdev->name);
681 hdev->stat.err_rx++;
682 }
683 } else if (urb->status == -ENOENT) {
684 /* Avoid suspend failed when usb_kill_urb */
685 return;
686 }
687
688 if (!test_bit(BTUSB_BULK_RUNNING, &data->flags))
689 return;
690
691 usb_anchor_urb(urb, &data->bulk_anchor);
692 usb_mark_last_busy(data->udev);
693
694 err = usb_submit_urb(urb, GFP_ATOMIC);
695 if (err < 0) {
696 /* -EPERM: urb is being killed;
697 * -ENODEV: device got disconnected */
698 if (err != -EPERM && err != -ENODEV)
699 BT_ERR("%s urb %p failed to resubmit (%d)",
700 hdev->name, urb, -err);
701 usb_unanchor_urb(urb);
702 }
703 }
704
705 static int btusb_submit_bulk_urb(struct hci_dev *hdev, gfp_t mem_flags)
706 {
707 struct btusb_data *data = hci_get_drvdata(hdev);
708 struct urb *urb;
709 unsigned char *buf;
710 unsigned int pipe;
711 int err, size = HCI_MAX_FRAME_SIZE;
712
713 BT_DBG("%s", hdev->name);
714
715 if (!data->bulk_rx_ep)
716 return -ENODEV;
717
718 urb = usb_alloc_urb(0, mem_flags);
719 if (!urb)
720 return -ENOMEM;
721
722 buf = kmalloc(size, mem_flags);
723 if (!buf) {
724 usb_free_urb(urb);
725 return -ENOMEM;
726 }
727
728 pipe = usb_rcvbulkpipe(data->udev, data->bulk_rx_ep->bEndpointAddress);
729
730 usb_fill_bulk_urb(urb, data->udev, pipe, buf, size,
731 btusb_bulk_complete, hdev);
732
733 urb->transfer_flags |= URB_FREE_BUFFER;
734
735 usb_mark_last_busy(data->udev);
736 usb_anchor_urb(urb, &data->bulk_anchor);
737
738 err = usb_submit_urb(urb, mem_flags);
739 if (err < 0) {
740 if (err != -EPERM && err != -ENODEV)
741 BT_ERR("%s urb %p submission failed (%d)",
742 hdev->name, urb, -err);
743 usb_unanchor_urb(urb);
744 }
745
746 usb_free_urb(urb);
747
748 return err;
749 }
750
751 static void btusb_isoc_complete(struct urb *urb)
752 {
753 struct hci_dev *hdev = urb->context;
754 struct btusb_data *data = hci_get_drvdata(hdev);
755 int i, err;
756
757 BT_DBG("%s urb %p status %d count %d", hdev->name, urb, urb->status,
758 urb->actual_length);
759
760 if (!test_bit(HCI_RUNNING, &hdev->flags))
761 return;
762
763 if (urb->status == 0) {
764 for (i = 0; i < urb->number_of_packets; i++) {
765 unsigned int offset = urb->iso_frame_desc[i].offset;
766 unsigned int length = urb->iso_frame_desc[i].actual_length;
767
768 if (urb->iso_frame_desc[i].status)
769 continue;
770
771 hdev->stat.byte_rx += length;
772
773 if (btusb_recv_isoc(data, urb->transfer_buffer + offset,
774 length) < 0) {
775 BT_ERR("%s corrupted SCO packet", hdev->name);
776 hdev->stat.err_rx++;
777 }
778 }
779 } else if (urb->status == -ENOENT) {
780 /* Avoid suspend failed when usb_kill_urb */
781 return;
782 }
783
784 if (!test_bit(BTUSB_ISOC_RUNNING, &data->flags))
785 return;
786
787 usb_anchor_urb(urb, &data->isoc_anchor);
788
789 err = usb_submit_urb(urb, GFP_ATOMIC);
790 if (err < 0) {
791 /* -EPERM: urb is being killed;
792 * -ENODEV: device got disconnected */
793 if (err != -EPERM && err != -ENODEV)
794 BT_ERR("%s urb %p failed to resubmit (%d)",
795 hdev->name, urb, -err);
796 usb_unanchor_urb(urb);
797 }
798 }
799
800 static inline void __fill_isoc_descriptor(struct urb *urb, int len, int mtu)
801 {
802 int i, offset = 0;
803
804 BT_DBG("len %d mtu %d", len, mtu);
805
806 for (i = 0; i < BTUSB_MAX_ISOC_FRAMES && len >= mtu;
807 i++, offset += mtu, len -= mtu) {
808 urb->iso_frame_desc[i].offset = offset;
809 urb->iso_frame_desc[i].length = mtu;
810 }
811
812 if (len && i < BTUSB_MAX_ISOC_FRAMES) {
813 urb->iso_frame_desc[i].offset = offset;
814 urb->iso_frame_desc[i].length = len;
815 i++;
816 }
817
818 urb->number_of_packets = i;
819 }
820
821 static int btusb_submit_isoc_urb(struct hci_dev *hdev, gfp_t mem_flags)
822 {
823 struct btusb_data *data = hci_get_drvdata(hdev);
824 struct urb *urb;
825 unsigned char *buf;
826 unsigned int pipe;
827 int err, size;
828
829 BT_DBG("%s", hdev->name);
830
831 if (!data->isoc_rx_ep)
832 return -ENODEV;
833
834 urb = usb_alloc_urb(BTUSB_MAX_ISOC_FRAMES, mem_flags);
835 if (!urb)
836 return -ENOMEM;
837
838 size = le16_to_cpu(data->isoc_rx_ep->wMaxPacketSize) *
839 BTUSB_MAX_ISOC_FRAMES;
840
841 buf = kmalloc(size, mem_flags);
842 if (!buf) {
843 usb_free_urb(urb);
844 return -ENOMEM;
845 }
846
847 pipe = usb_rcvisocpipe(data->udev, data->isoc_rx_ep->bEndpointAddress);
848
849 usb_fill_int_urb(urb, data->udev, pipe, buf, size, btusb_isoc_complete,
850 hdev, data->isoc_rx_ep->bInterval);
851
852 urb->transfer_flags = URB_FREE_BUFFER | URB_ISO_ASAP;
853
854 __fill_isoc_descriptor(urb, size,
855 le16_to_cpu(data->isoc_rx_ep->wMaxPacketSize));
856
857 usb_anchor_urb(urb, &data->isoc_anchor);
858
859 err = usb_submit_urb(urb, mem_flags);
860 if (err < 0) {
861 if (err != -EPERM && err != -ENODEV)
862 BT_ERR("%s urb %p submission failed (%d)",
863 hdev->name, urb, -err);
864 usb_unanchor_urb(urb);
865 }
866
867 usb_free_urb(urb);
868
869 return err;
870 }
871
872 static void btusb_tx_complete(struct urb *urb)
873 {
874 struct sk_buff *skb = urb->context;
875 struct hci_dev *hdev = (struct hci_dev *)skb->dev;
876 struct btusb_data *data = hci_get_drvdata(hdev);
877
878 BT_DBG("%s urb %p status %d count %d", hdev->name, urb, urb->status,
879 urb->actual_length);
880
881 if (!test_bit(HCI_RUNNING, &hdev->flags))
882 goto done;
883
884 if (!urb->status)
885 hdev->stat.byte_tx += urb->transfer_buffer_length;
886 else
887 hdev->stat.err_tx++;
888
889 done:
890 spin_lock(&data->txlock);
891 data->tx_in_flight--;
892 spin_unlock(&data->txlock);
893
894 kfree(urb->setup_packet);
895
896 kfree_skb(skb);
897 }
898
899 static void btusb_isoc_tx_complete(struct urb *urb)
900 {
901 struct sk_buff *skb = urb->context;
902 struct hci_dev *hdev = (struct hci_dev *)skb->dev;
903
904 BT_DBG("%s urb %p status %d count %d", hdev->name, urb, urb->status,
905 urb->actual_length);
906
907 if (!test_bit(HCI_RUNNING, &hdev->flags))
908 goto done;
909
910 if (!urb->status)
911 hdev->stat.byte_tx += urb->transfer_buffer_length;
912 else
913 hdev->stat.err_tx++;
914
915 done:
916 kfree(urb->setup_packet);
917
918 kfree_skb(skb);
919 }
920
921 static int btusb_open(struct hci_dev *hdev)
922 {
923 struct btusb_data *data = hci_get_drvdata(hdev);
924 int err;
925
926 BT_DBG("%s", hdev->name);
927
928 /* Patching USB firmware files prior to starting any URBs of HCI path
929 * It is more safe to use USB bulk channel for downloading USB patch
930 */
931 if (data->setup_on_usb) {
932 err = data->setup_on_usb(hdev);
933 if (err < 0)
934 return err;
935 }
936
937 err = usb_autopm_get_interface(data->intf);
938 if (err < 0)
939 return err;
940
941 data->intf->needs_remote_wakeup = 1;
942
943 if (test_and_set_bit(HCI_RUNNING, &hdev->flags))
944 goto done;
945
946 if (test_and_set_bit(BTUSB_INTR_RUNNING, &data->flags))
947 goto done;
948
949 err = btusb_submit_intr_urb(hdev, GFP_KERNEL);
950 if (err < 0)
951 goto failed;
952
953 err = btusb_submit_bulk_urb(hdev, GFP_KERNEL);
954 if (err < 0) {
955 usb_kill_anchored_urbs(&data->intr_anchor);
956 goto failed;
957 }
958
959 set_bit(BTUSB_BULK_RUNNING, &data->flags);
960 btusb_submit_bulk_urb(hdev, GFP_KERNEL);
961
962 done:
963 usb_autopm_put_interface(data->intf);
964 return 0;
965
966 failed:
967 clear_bit(BTUSB_INTR_RUNNING, &data->flags);
968 clear_bit(HCI_RUNNING, &hdev->flags);
969 usb_autopm_put_interface(data->intf);
970 return err;
971 }
972
973 static void btusb_stop_traffic(struct btusb_data *data)
974 {
975 usb_kill_anchored_urbs(&data->intr_anchor);
976 usb_kill_anchored_urbs(&data->bulk_anchor);
977 usb_kill_anchored_urbs(&data->isoc_anchor);
978 }
979
980 static int btusb_close(struct hci_dev *hdev)
981 {
982 struct btusb_data *data = hci_get_drvdata(hdev);
983 int err;
984
985 BT_DBG("%s", hdev->name);
986
987 if (!test_and_clear_bit(HCI_RUNNING, &hdev->flags))
988 return 0;
989
990 cancel_work_sync(&data->work);
991 cancel_work_sync(&data->waker);
992
993 clear_bit(BTUSB_ISOC_RUNNING, &data->flags);
994 clear_bit(BTUSB_BULK_RUNNING, &data->flags);
995 clear_bit(BTUSB_INTR_RUNNING, &data->flags);
996
997 btusb_stop_traffic(data);
998 btusb_free_frags(data);
999
1000 err = usb_autopm_get_interface(data->intf);
1001 if (err < 0)
1002 goto failed;
1003
1004 data->intf->needs_remote_wakeup = 0;
1005 usb_autopm_put_interface(data->intf);
1006
1007 failed:
1008 usb_scuttle_anchored_urbs(&data->deferred);
1009 return 0;
1010 }
1011
1012 static int btusb_flush(struct hci_dev *hdev)
1013 {
1014 struct btusb_data *data = hci_get_drvdata(hdev);
1015
1016 BT_DBG("%s", hdev->name);
1017
1018 usb_kill_anchored_urbs(&data->tx_anchor);
1019 btusb_free_frags(data);
1020
1021 return 0;
1022 }
1023
1024 static struct urb *alloc_ctrl_urb(struct hci_dev *hdev, struct sk_buff *skb)
1025 {
1026 struct btusb_data *data = hci_get_drvdata(hdev);
1027 struct usb_ctrlrequest *dr;
1028 struct urb *urb;
1029 unsigned int pipe;
1030
1031 urb = usb_alloc_urb(0, GFP_KERNEL);
1032 if (!urb)
1033 return ERR_PTR(-ENOMEM);
1034
1035 dr = kmalloc(sizeof(*dr), GFP_KERNEL);
1036 if (!dr) {
1037 usb_free_urb(urb);
1038 return ERR_PTR(-ENOMEM);
1039 }
1040
1041 dr->bRequestType = data->cmdreq_type;
1042 dr->bRequest = data->cmdreq;
1043 dr->wIndex = 0;
1044 dr->wValue = 0;
1045 dr->wLength = __cpu_to_le16(skb->len);
1046
1047 pipe = usb_sndctrlpipe(data->udev, 0x00);
1048
1049 usb_fill_control_urb(urb, data->udev, pipe, (void *)dr,
1050 skb->data, skb->len, btusb_tx_complete, skb);
1051
1052 skb->dev = (void *)hdev;
1053
1054 return urb;
1055 }
1056
1057 static struct urb *alloc_bulk_urb(struct hci_dev *hdev, struct sk_buff *skb)
1058 {
1059 struct btusb_data *data = hci_get_drvdata(hdev);
1060 struct urb *urb;
1061 unsigned int pipe;
1062
1063 if (!data->bulk_tx_ep)
1064 return ERR_PTR(-ENODEV);
1065
1066 urb = usb_alloc_urb(0, GFP_KERNEL);
1067 if (!urb)
1068 return ERR_PTR(-ENOMEM);
1069
1070 pipe = usb_sndbulkpipe(data->udev, data->bulk_tx_ep->bEndpointAddress);
1071
1072 usb_fill_bulk_urb(urb, data->udev, pipe,
1073 skb->data, skb->len, btusb_tx_complete, skb);
1074
1075 skb->dev = (void *)hdev;
1076
1077 return urb;
1078 }
1079
1080 static struct urb *alloc_isoc_urb(struct hci_dev *hdev, struct sk_buff *skb)
1081 {
1082 struct btusb_data *data = hci_get_drvdata(hdev);
1083 struct urb *urb;
1084 unsigned int pipe;
1085
1086 if (!data->isoc_tx_ep)
1087 return ERR_PTR(-ENODEV);
1088
1089 urb = usb_alloc_urb(BTUSB_MAX_ISOC_FRAMES, GFP_KERNEL);
1090 if (!urb)
1091 return ERR_PTR(-ENOMEM);
1092
1093 pipe = usb_sndisocpipe(data->udev, data->isoc_tx_ep->bEndpointAddress);
1094
1095 usb_fill_int_urb(urb, data->udev, pipe,
1096 skb->data, skb->len, btusb_isoc_tx_complete,
1097 skb, data->isoc_tx_ep->bInterval);
1098
1099 urb->transfer_flags = URB_ISO_ASAP;
1100
1101 __fill_isoc_descriptor(urb, skb->len,
1102 le16_to_cpu(data->isoc_tx_ep->wMaxPacketSize));
1103
1104 skb->dev = (void *)hdev;
1105
1106 return urb;
1107 }
1108
1109 static int submit_tx_urb(struct hci_dev *hdev, struct urb *urb)
1110 {
1111 struct btusb_data *data = hci_get_drvdata(hdev);
1112 int err;
1113
1114 usb_anchor_urb(urb, &data->tx_anchor);
1115
1116 err = usb_submit_urb(urb, GFP_KERNEL);
1117 if (err < 0) {
1118 if (err != -EPERM && err != -ENODEV)
1119 BT_ERR("%s urb %p submission failed (%d)",
1120 hdev->name, urb, -err);
1121 kfree(urb->setup_packet);
1122 usb_unanchor_urb(urb);
1123 } else {
1124 usb_mark_last_busy(data->udev);
1125 }
1126
1127 usb_free_urb(urb);
1128 return err;
1129 }
1130
1131 static int submit_or_queue_tx_urb(struct hci_dev *hdev, struct urb *urb)
1132 {
1133 struct btusb_data *data = hci_get_drvdata(hdev);
1134 unsigned long flags;
1135 bool suspending;
1136
1137 spin_lock_irqsave(&data->txlock, flags);
1138 suspending = test_bit(BTUSB_SUSPENDING, &data->flags);
1139 if (!suspending)
1140 data->tx_in_flight++;
1141 spin_unlock_irqrestore(&data->txlock, flags);
1142
1143 if (!suspending)
1144 return submit_tx_urb(hdev, urb);
1145
1146 usb_anchor_urb(urb, &data->deferred);
1147 schedule_work(&data->waker);
1148
1149 usb_free_urb(urb);
1150 return 0;
1151 }
1152
1153 static int btusb_send_frame(struct hci_dev *hdev, struct sk_buff *skb)
1154 {
1155 struct urb *urb;
1156
1157 BT_DBG("%s", hdev->name);
1158
1159 switch (bt_cb(skb)->pkt_type) {
1160 case HCI_COMMAND_PKT:
1161 urb = alloc_ctrl_urb(hdev, skb);
1162 if (IS_ERR(urb))
1163 return PTR_ERR(urb);
1164
1165 hdev->stat.cmd_tx++;
1166 return submit_or_queue_tx_urb(hdev, urb);
1167
1168 case HCI_ACLDATA_PKT:
1169 urb = alloc_bulk_urb(hdev, skb);
1170 if (IS_ERR(urb))
1171 return PTR_ERR(urb);
1172
1173 hdev->stat.acl_tx++;
1174 return submit_or_queue_tx_urb(hdev, urb);
1175
1176 case HCI_SCODATA_PKT:
1177 if (hci_conn_num(hdev, SCO_LINK) < 1)
1178 return -ENODEV;
1179
1180 urb = alloc_isoc_urb(hdev, skb);
1181 if (IS_ERR(urb))
1182 return PTR_ERR(urb);
1183
1184 hdev->stat.sco_tx++;
1185 return submit_tx_urb(hdev, urb);
1186 }
1187
1188 return -EILSEQ;
1189 }
1190
1191 static void btusb_notify(struct hci_dev *hdev, unsigned int evt)
1192 {
1193 struct btusb_data *data = hci_get_drvdata(hdev);
1194
1195 BT_DBG("%s evt %d", hdev->name, evt);
1196
1197 if (hci_conn_num(hdev, SCO_LINK) != data->sco_num) {
1198 data->sco_num = hci_conn_num(hdev, SCO_LINK);
1199 schedule_work(&data->work);
1200 }
1201 }
1202
1203 static inline int __set_isoc_interface(struct hci_dev *hdev, int altsetting)
1204 {
1205 struct btusb_data *data = hci_get_drvdata(hdev);
1206 struct usb_interface *intf = data->isoc;
1207 struct usb_endpoint_descriptor *ep_desc;
1208 int i, err;
1209
1210 if (!data->isoc)
1211 return -ENODEV;
1212
1213 err = usb_set_interface(data->udev, 1, altsetting);
1214 if (err < 0) {
1215 BT_ERR("%s setting interface failed (%d)", hdev->name, -err);
1216 return err;
1217 }
1218
1219 data->isoc_altsetting = altsetting;
1220
1221 data->isoc_tx_ep = NULL;
1222 data->isoc_rx_ep = NULL;
1223
1224 for (i = 0; i < intf->cur_altsetting->desc.bNumEndpoints; i++) {
1225 ep_desc = &intf->cur_altsetting->endpoint[i].desc;
1226
1227 if (!data->isoc_tx_ep && usb_endpoint_is_isoc_out(ep_desc)) {
1228 data->isoc_tx_ep = ep_desc;
1229 continue;
1230 }
1231
1232 if (!data->isoc_rx_ep && usb_endpoint_is_isoc_in(ep_desc)) {
1233 data->isoc_rx_ep = ep_desc;
1234 continue;
1235 }
1236 }
1237
1238 if (!data->isoc_tx_ep || !data->isoc_rx_ep) {
1239 BT_ERR("%s invalid SCO descriptors", hdev->name);
1240 return -ENODEV;
1241 }
1242
1243 return 0;
1244 }
1245
1246 static void btusb_work(struct work_struct *work)
1247 {
1248 struct btusb_data *data = container_of(work, struct btusb_data, work);
1249 struct hci_dev *hdev = data->hdev;
1250 int new_alts;
1251 int err;
1252
1253 if (data->sco_num > 0) {
1254 if (!test_bit(BTUSB_DID_ISO_RESUME, &data->flags)) {
1255 err = usb_autopm_get_interface(data->isoc ? data->isoc : data->intf);
1256 if (err < 0) {
1257 clear_bit(BTUSB_ISOC_RUNNING, &data->flags);
1258 usb_kill_anchored_urbs(&data->isoc_anchor);
1259 return;
1260 }
1261
1262 set_bit(BTUSB_DID_ISO_RESUME, &data->flags);
1263 }
1264
1265 if (hdev->voice_setting & 0x0020) {
1266 static const int alts[3] = { 2, 4, 5 };
1267
1268 new_alts = alts[data->sco_num - 1];
1269 } else {
1270 new_alts = data->sco_num;
1271 }
1272
1273 if (data->isoc_altsetting != new_alts) {
1274 clear_bit(BTUSB_ISOC_RUNNING, &data->flags);
1275 usb_kill_anchored_urbs(&data->isoc_anchor);
1276
1277 /* When isochronous alternate setting needs to be
1278 * changed, because SCO connection has been added
1279 * or removed, a packet fragment may be left in the
1280 * reassembling state. This could lead to wrongly
1281 * assembled fragments.
1282 *
1283 * Clear outstanding fragment when selecting a new
1284 * alternate setting.
1285 */
1286 spin_lock(&data->rxlock);
1287 kfree_skb(data->sco_skb);
1288 data->sco_skb = NULL;
1289 spin_unlock(&data->rxlock);
1290
1291 if (__set_isoc_interface(hdev, new_alts) < 0)
1292 return;
1293 }
1294
1295 if (!test_and_set_bit(BTUSB_ISOC_RUNNING, &data->flags)) {
1296 if (btusb_submit_isoc_urb(hdev, GFP_KERNEL) < 0)
1297 clear_bit(BTUSB_ISOC_RUNNING, &data->flags);
1298 else
1299 btusb_submit_isoc_urb(hdev, GFP_KERNEL);
1300 }
1301 } else {
1302 clear_bit(BTUSB_ISOC_RUNNING, &data->flags);
1303 usb_kill_anchored_urbs(&data->isoc_anchor);
1304
1305 __set_isoc_interface(hdev, 0);
1306 if (test_and_clear_bit(BTUSB_DID_ISO_RESUME, &data->flags))
1307 usb_autopm_put_interface(data->isoc ? data->isoc : data->intf);
1308 }
1309 }
1310
1311 static void btusb_waker(struct work_struct *work)
1312 {
1313 struct btusb_data *data = container_of(work, struct btusb_data, waker);
1314 int err;
1315
1316 err = usb_autopm_get_interface(data->intf);
1317 if (err < 0)
1318 return;
1319
1320 usb_autopm_put_interface(data->intf);
1321 }
1322
1323 static int btusb_setup_bcm92035(struct hci_dev *hdev)
1324 {
1325 struct sk_buff *skb;
1326 u8 val = 0x00;
1327
1328 BT_DBG("%s", hdev->name);
1329
1330 skb = __hci_cmd_sync(hdev, 0xfc3b, 1, &val, HCI_INIT_TIMEOUT);
1331 if (IS_ERR(skb))
1332 BT_ERR("BCM92035 command failed (%ld)", -PTR_ERR(skb));
1333 else
1334 kfree_skb(skb);
1335
1336 return 0;
1337 }
1338
1339 static int btusb_setup_csr(struct hci_dev *hdev)
1340 {
1341 struct hci_rp_read_local_version *rp;
1342 struct sk_buff *skb;
1343
1344 BT_DBG("%s", hdev->name);
1345
1346 skb = __hci_cmd_sync(hdev, HCI_OP_READ_LOCAL_VERSION, 0, NULL,
1347 HCI_INIT_TIMEOUT);
1348 if (IS_ERR(skb)) {
1349 int err = PTR_ERR(skb);
1350 BT_ERR("%s: CSR: Local version failed (%d)", hdev->name, err);
1351 return err;
1352 }
1353
1354 if (skb->len != sizeof(struct hci_rp_read_local_version)) {
1355 BT_ERR("%s: CSR: Local version length mismatch", hdev->name);
1356 kfree_skb(skb);
1357 return -EIO;
1358 }
1359
1360 rp = (struct hci_rp_read_local_version *)skb->data;
1361
1362 /* Detect controllers which aren't real CSR ones. */
1363 if (le16_to_cpu(rp->manufacturer) != 10 ||
1364 le16_to_cpu(rp->lmp_subver) == 0x0c5c) {
1365 /* Clear the reset quirk since this is not an actual
1366 * early Bluetooth 1.1 device from CSR.
1367 */
1368 clear_bit(HCI_QUIRK_RESET_ON_CLOSE, &hdev->quirks);
1369
1370 /* These fake CSR controllers have all a broken
1371 * stored link key handling and so just disable it.
1372 */
1373 set_bit(HCI_QUIRK_BROKEN_STORED_LINK_KEY, &hdev->quirks);
1374 }
1375
1376 kfree_skb(skb);
1377
1378 return 0;
1379 }
1380
1381 static const struct firmware *btusb_setup_intel_get_fw(struct hci_dev *hdev,
1382 struct intel_version *ver)
1383 {
1384 const struct firmware *fw;
1385 char fwname[64];
1386 int ret;
1387
1388 snprintf(fwname, sizeof(fwname),
1389 "intel/ibt-hw-%x.%x.%x-fw-%x.%x.%x.%x.%x.bseq",
1390 ver->hw_platform, ver->hw_variant, ver->hw_revision,
1391 ver->fw_variant, ver->fw_revision, ver->fw_build_num,
1392 ver->fw_build_ww, ver->fw_build_yy);
1393
1394 ret = request_firmware(&fw, fwname, &hdev->dev);
1395 if (ret < 0) {
1396 if (ret == -EINVAL) {
1397 BT_ERR("%s Intel firmware file request failed (%d)",
1398 hdev->name, ret);
1399 return NULL;
1400 }
1401
1402 BT_ERR("%s failed to open Intel firmware file: %s(%d)",
1403 hdev->name, fwname, ret);
1404
1405 /* If the correct firmware patch file is not found, use the
1406 * default firmware patch file instead
1407 */
1408 snprintf(fwname, sizeof(fwname), "intel/ibt-hw-%x.%x.bseq",
1409 ver->hw_platform, ver->hw_variant);
1410 if (request_firmware(&fw, fwname, &hdev->dev) < 0) {
1411 BT_ERR("%s failed to open default Intel fw file: %s",
1412 hdev->name, fwname);
1413 return NULL;
1414 }
1415 }
1416
1417 BT_INFO("%s: Intel Bluetooth firmware file: %s", hdev->name, fwname);
1418
1419 return fw;
1420 }
1421
1422 static int btusb_setup_intel_patching(struct hci_dev *hdev,
1423 const struct firmware *fw,
1424 const u8 **fw_ptr, int *disable_patch)
1425 {
1426 struct sk_buff *skb;
1427 struct hci_command_hdr *cmd;
1428 const u8 *cmd_param;
1429 struct hci_event_hdr *evt = NULL;
1430 const u8 *evt_param = NULL;
1431 int remain = fw->size - (*fw_ptr - fw->data);
1432
1433 /* The first byte indicates the types of the patch command or event.
1434 * 0x01 means HCI command and 0x02 is HCI event. If the first bytes
1435 * in the current firmware buffer doesn't start with 0x01 or
1436 * the size of remain buffer is smaller than HCI command header,
1437 * the firmware file is corrupted and it should stop the patching
1438 * process.
1439 */
1440 if (remain > HCI_COMMAND_HDR_SIZE && *fw_ptr[0] != 0x01) {
1441 BT_ERR("%s Intel fw corrupted: invalid cmd read", hdev->name);
1442 return -EINVAL;
1443 }
1444 (*fw_ptr)++;
1445 remain--;
1446
1447 cmd = (struct hci_command_hdr *)(*fw_ptr);
1448 *fw_ptr += sizeof(*cmd);
1449 remain -= sizeof(*cmd);
1450
1451 /* Ensure that the remain firmware data is long enough than the length
1452 * of command parameter. If not, the firmware file is corrupted.
1453 */
1454 if (remain < cmd->plen) {
1455 BT_ERR("%s Intel fw corrupted: invalid cmd len", hdev->name);
1456 return -EFAULT;
1457 }
1458
1459 /* If there is a command that loads a patch in the firmware
1460 * file, then enable the patch upon success, otherwise just
1461 * disable the manufacturer mode, for example patch activation
1462 * is not required when the default firmware patch file is used
1463 * because there are no patch data to load.
1464 */
1465 if (*disable_patch && le16_to_cpu(cmd->opcode) == 0xfc8e)
1466 *disable_patch = 0;
1467
1468 cmd_param = *fw_ptr;
1469 *fw_ptr += cmd->plen;
1470 remain -= cmd->plen;
1471
1472 /* This reads the expected events when the above command is sent to the
1473 * device. Some vendor commands expects more than one events, for
1474 * example command status event followed by vendor specific event.
1475 * For this case, it only keeps the last expected event. so the command
1476 * can be sent with __hci_cmd_sync_ev() which returns the sk_buff of
1477 * last expected event.
1478 */
1479 while (remain > HCI_EVENT_HDR_SIZE && *fw_ptr[0] == 0x02) {
1480 (*fw_ptr)++;
1481 remain--;
1482
1483 evt = (struct hci_event_hdr *)(*fw_ptr);
1484 *fw_ptr += sizeof(*evt);
1485 remain -= sizeof(*evt);
1486
1487 if (remain < evt->plen) {
1488 BT_ERR("%s Intel fw corrupted: invalid evt len",
1489 hdev->name);
1490 return -EFAULT;
1491 }
1492
1493 evt_param = *fw_ptr;
1494 *fw_ptr += evt->plen;
1495 remain -= evt->plen;
1496 }
1497
1498 /* Every HCI commands in the firmware file has its correspond event.
1499 * If event is not found or remain is smaller than zero, the firmware
1500 * file is corrupted.
1501 */
1502 if (!evt || !evt_param || remain < 0) {
1503 BT_ERR("%s Intel fw corrupted: invalid evt read", hdev->name);
1504 return -EFAULT;
1505 }
1506
1507 skb = __hci_cmd_sync_ev(hdev, le16_to_cpu(cmd->opcode), cmd->plen,
1508 cmd_param, evt->evt, HCI_INIT_TIMEOUT);
1509 if (IS_ERR(skb)) {
1510 BT_ERR("%s sending Intel patch command (0x%4.4x) failed (%ld)",
1511 hdev->name, cmd->opcode, PTR_ERR(skb));
1512 return PTR_ERR(skb);
1513 }
1514
1515 /* It ensures that the returned event matches the event data read from
1516 * the firmware file. At fist, it checks the length and then
1517 * the contents of the event.
1518 */
1519 if (skb->len != evt->plen) {
1520 BT_ERR("%s mismatch event length (opcode 0x%4.4x)", hdev->name,
1521 le16_to_cpu(cmd->opcode));
1522 kfree_skb(skb);
1523 return -EFAULT;
1524 }
1525
1526 if (memcmp(skb->data, evt_param, evt->plen)) {
1527 BT_ERR("%s mismatch event parameter (opcode 0x%4.4x)",
1528 hdev->name, le16_to_cpu(cmd->opcode));
1529 kfree_skb(skb);
1530 return -EFAULT;
1531 }
1532 kfree_skb(skb);
1533
1534 return 0;
1535 }
1536
1537 static int btusb_setup_intel(struct hci_dev *hdev)
1538 {
1539 struct sk_buff *skb;
1540 const struct firmware *fw;
1541 const u8 *fw_ptr;
1542 int disable_patch;
1543 struct intel_version *ver;
1544
1545 const u8 mfg_enable[] = { 0x01, 0x00 };
1546 const u8 mfg_disable[] = { 0x00, 0x00 };
1547 const u8 mfg_reset_deactivate[] = { 0x00, 0x01 };
1548 const u8 mfg_reset_activate[] = { 0x00, 0x02 };
1549
1550 BT_DBG("%s", hdev->name);
1551
1552 /* The controller has a bug with the first HCI command sent to it
1553 * returning number of completed commands as zero. This would stall the
1554 * command processing in the Bluetooth core.
1555 *
1556 * As a workaround, send HCI Reset command first which will reset the
1557 * number of completed commands and allow normal command processing
1558 * from now on.
1559 */
1560 skb = __hci_cmd_sync(hdev, HCI_OP_RESET, 0, NULL, HCI_INIT_TIMEOUT);
1561 if (IS_ERR(skb)) {
1562 BT_ERR("%s sending initial HCI reset command failed (%ld)",
1563 hdev->name, PTR_ERR(skb));
1564 return PTR_ERR(skb);
1565 }
1566 kfree_skb(skb);
1567
1568 /* Read Intel specific controller version first to allow selection of
1569 * which firmware file to load.
1570 *
1571 * The returned information are hardware variant and revision plus
1572 * firmware variant, revision and build number.
1573 */
1574 skb = __hci_cmd_sync(hdev, 0xfc05, 0, NULL, HCI_INIT_TIMEOUT);
1575 if (IS_ERR(skb)) {
1576 BT_ERR("%s reading Intel fw version command failed (%ld)",
1577 hdev->name, PTR_ERR(skb));
1578 return PTR_ERR(skb);
1579 }
1580
1581 if (skb->len != sizeof(*ver)) {
1582 BT_ERR("%s Intel version event length mismatch", hdev->name);
1583 kfree_skb(skb);
1584 return -EIO;
1585 }
1586
1587 ver = (struct intel_version *)skb->data;
1588
1589 BT_INFO("%s: read Intel version: %02x%02x%02x%02x%02x%02x%02x%02x%02x",
1590 hdev->name, ver->hw_platform, ver->hw_variant,
1591 ver->hw_revision, ver->fw_variant, ver->fw_revision,
1592 ver->fw_build_num, ver->fw_build_ww, ver->fw_build_yy,
1593 ver->fw_patch_num);
1594
1595 /* fw_patch_num indicates the version of patch the device currently
1596 * have. If there is no patch data in the device, it is always 0x00.
1597 * So, if it is other than 0x00, no need to patch the device again.
1598 */
1599 if (ver->fw_patch_num) {
1600 BT_INFO("%s: Intel device is already patched. patch num: %02x",
1601 hdev->name, ver->fw_patch_num);
1602 kfree_skb(skb);
1603 btintel_check_bdaddr(hdev);
1604 return 0;
1605 }
1606
1607 /* Opens the firmware patch file based on the firmware version read
1608 * from the controller. If it fails to open the matching firmware
1609 * patch file, it tries to open the default firmware patch file.
1610 * If no patch file is found, allow the device to operate without
1611 * a patch.
1612 */
1613 fw = btusb_setup_intel_get_fw(hdev, ver);
1614 if (!fw) {
1615 kfree_skb(skb);
1616 btintel_check_bdaddr(hdev);
1617 return 0;
1618 }
1619 fw_ptr = fw->data;
1620
1621 kfree_skb(skb);
1622
1623 /* This Intel specific command enables the manufacturer mode of the
1624 * controller.
1625 *
1626 * Only while this mode is enabled, the driver can download the
1627 * firmware patch data and configuration parameters.
1628 */
1629 skb = __hci_cmd_sync(hdev, 0xfc11, 2, mfg_enable, HCI_INIT_TIMEOUT);
1630 if (IS_ERR(skb)) {
1631 BT_ERR("%s entering Intel manufacturer mode failed (%ld)",
1632 hdev->name, PTR_ERR(skb));
1633 release_firmware(fw);
1634 return PTR_ERR(skb);
1635 }
1636
1637 kfree_skb(skb);
1638
1639 disable_patch = 1;
1640
1641 /* The firmware data file consists of list of Intel specific HCI
1642 * commands and its expected events. The first byte indicates the
1643 * type of the message, either HCI command or HCI event.
1644 *
1645 * It reads the command and its expected event from the firmware file,
1646 * and send to the controller. Once __hci_cmd_sync_ev() returns,
1647 * the returned event is compared with the event read from the firmware
1648 * file and it will continue until all the messages are downloaded to
1649 * the controller.
1650 *
1651 * Once the firmware patching is completed successfully,
1652 * the manufacturer mode is disabled with reset and activating the
1653 * downloaded patch.
1654 *
1655 * If the firmware patching fails, the manufacturer mode is
1656 * disabled with reset and deactivating the patch.
1657 *
1658 * If the default patch file is used, no reset is done when disabling
1659 * the manufacturer.
1660 */
1661 while (fw->size > fw_ptr - fw->data) {
1662 int ret;
1663
1664 ret = btusb_setup_intel_patching(hdev, fw, &fw_ptr,
1665 &disable_patch);
1666 if (ret < 0)
1667 goto exit_mfg_deactivate;
1668 }
1669
1670 release_firmware(fw);
1671
1672 if (disable_patch)
1673 goto exit_mfg_disable;
1674
1675 /* Patching completed successfully and disable the manufacturer mode
1676 * with reset and activate the downloaded firmware patches.
1677 */
1678 skb = __hci_cmd_sync(hdev, 0xfc11, sizeof(mfg_reset_activate),
1679 mfg_reset_activate, HCI_INIT_TIMEOUT);
1680 if (IS_ERR(skb)) {
1681 BT_ERR("%s exiting Intel manufacturer mode failed (%ld)",
1682 hdev->name, PTR_ERR(skb));
1683 return PTR_ERR(skb);
1684 }
1685 kfree_skb(skb);
1686
1687 BT_INFO("%s: Intel Bluetooth firmware patch completed and activated",
1688 hdev->name);
1689
1690 btintel_check_bdaddr(hdev);
1691 return 0;
1692
1693 exit_mfg_disable:
1694 /* Disable the manufacturer mode without reset */
1695 skb = __hci_cmd_sync(hdev, 0xfc11, sizeof(mfg_disable), mfg_disable,
1696 HCI_INIT_TIMEOUT);
1697 if (IS_ERR(skb)) {
1698 BT_ERR("%s exiting Intel manufacturer mode failed (%ld)",
1699 hdev->name, PTR_ERR(skb));
1700 return PTR_ERR(skb);
1701 }
1702 kfree_skb(skb);
1703
1704 BT_INFO("%s: Intel Bluetooth firmware patch completed", hdev->name);
1705
1706 btintel_check_bdaddr(hdev);
1707 return 0;
1708
1709 exit_mfg_deactivate:
1710 release_firmware(fw);
1711
1712 /* Patching failed. Disable the manufacturer mode with reset and
1713 * deactivate the downloaded firmware patches.
1714 */
1715 skb = __hci_cmd_sync(hdev, 0xfc11, sizeof(mfg_reset_deactivate),
1716 mfg_reset_deactivate, HCI_INIT_TIMEOUT);
1717 if (IS_ERR(skb)) {
1718 BT_ERR("%s exiting Intel manufacturer mode failed (%ld)",
1719 hdev->name, PTR_ERR(skb));
1720 return PTR_ERR(skb);
1721 }
1722 kfree_skb(skb);
1723
1724 BT_INFO("%s: Intel Bluetooth firmware patch completed and deactivated",
1725 hdev->name);
1726
1727 btintel_check_bdaddr(hdev);
1728 return 0;
1729 }
1730
1731 static int inject_cmd_complete(struct hci_dev *hdev, __u16 opcode)
1732 {
1733 struct sk_buff *skb;
1734 struct hci_event_hdr *hdr;
1735 struct hci_ev_cmd_complete *evt;
1736
1737 skb = bt_skb_alloc(sizeof(*hdr) + sizeof(*evt) + 1, GFP_ATOMIC);
1738 if (!skb)
1739 return -ENOMEM;
1740
1741 hdr = (struct hci_event_hdr *)skb_put(skb, sizeof(*hdr));
1742 hdr->evt = HCI_EV_CMD_COMPLETE;
1743 hdr->plen = sizeof(*evt) + 1;
1744
1745 evt = (struct hci_ev_cmd_complete *)skb_put(skb, sizeof(*evt));
1746 evt->ncmd = 0x01;
1747 evt->opcode = cpu_to_le16(opcode);
1748
1749 *skb_put(skb, 1) = 0x00;
1750
1751 bt_cb(skb)->pkt_type = HCI_EVENT_PKT;
1752
1753 return hci_recv_frame(hdev, skb);
1754 }
1755
1756 static int btusb_recv_bulk_intel(struct btusb_data *data, void *buffer,
1757 int count)
1758 {
1759 /* When the device is in bootloader mode, then it can send
1760 * events via the bulk endpoint. These events are treated the
1761 * same way as the ones received from the interrupt endpoint.
1762 */
1763 if (test_bit(BTUSB_BOOTLOADER, &data->flags))
1764 return btusb_recv_intr(data, buffer, count);
1765
1766 return btusb_recv_bulk(data, buffer, count);
1767 }
1768
1769 static void btusb_intel_bootup(struct btusb_data *data, const void *ptr,
1770 unsigned int len)
1771 {
1772 const struct intel_bootup *evt = ptr;
1773
1774 if (len != sizeof(*evt))
1775 return;
1776
1777 if (test_and_clear_bit(BTUSB_BOOTING, &data->flags)) {
1778 smp_mb__after_atomic();
1779 wake_up_bit(&data->flags, BTUSB_BOOTING);
1780 }
1781 }
1782
1783 static void btusb_intel_secure_send_result(struct btusb_data *data,
1784 const void *ptr, unsigned int len)
1785 {
1786 const struct intel_secure_send_result *evt = ptr;
1787
1788 if (len != sizeof(*evt))
1789 return;
1790
1791 if (evt->result)
1792 set_bit(BTUSB_FIRMWARE_FAILED, &data->flags);
1793
1794 if (test_and_clear_bit(BTUSB_DOWNLOADING, &data->flags) &&
1795 test_bit(BTUSB_FIRMWARE_LOADED, &data->flags)) {
1796 smp_mb__after_atomic();
1797 wake_up_bit(&data->flags, BTUSB_DOWNLOADING);
1798 }
1799 }
1800
1801 static int btusb_recv_event_intel(struct hci_dev *hdev, struct sk_buff *skb)
1802 {
1803 struct btusb_data *data = hci_get_drvdata(hdev);
1804
1805 if (test_bit(BTUSB_BOOTLOADER, &data->flags)) {
1806 struct hci_event_hdr *hdr = (void *)skb->data;
1807
1808 if (skb->len > HCI_EVENT_HDR_SIZE && hdr->evt == 0xff &&
1809 hdr->plen > 0) {
1810 const void *ptr = skb->data + HCI_EVENT_HDR_SIZE + 1;
1811 unsigned int len = skb->len - HCI_EVENT_HDR_SIZE - 1;
1812
1813 switch (skb->data[2]) {
1814 case 0x02:
1815 /* When switching to the operational firmware
1816 * the device sends a vendor specific event
1817 * indicating that the bootup completed.
1818 */
1819 btusb_intel_bootup(data, ptr, len);
1820 break;
1821 case 0x06:
1822 /* When the firmware loading completes the
1823 * device sends out a vendor specific event
1824 * indicating the result of the firmware
1825 * loading.
1826 */
1827 btusb_intel_secure_send_result(data, ptr, len);
1828 break;
1829 }
1830 }
1831 }
1832
1833 return hci_recv_frame(hdev, skb);
1834 }
1835
1836 static int btusb_send_frame_intel(struct hci_dev *hdev, struct sk_buff *skb)
1837 {
1838 struct btusb_data *data = hci_get_drvdata(hdev);
1839 struct urb *urb;
1840
1841 BT_DBG("%s", hdev->name);
1842
1843 switch (bt_cb(skb)->pkt_type) {
1844 case HCI_COMMAND_PKT:
1845 if (test_bit(BTUSB_BOOTLOADER, &data->flags)) {
1846 struct hci_command_hdr *cmd = (void *)skb->data;
1847 __u16 opcode = le16_to_cpu(cmd->opcode);
1848
1849 /* When in bootloader mode and the command 0xfc09
1850 * is received, it needs to be send down the
1851 * bulk endpoint. So allocate a bulk URB instead.
1852 */
1853 if (opcode == 0xfc09)
1854 urb = alloc_bulk_urb(hdev, skb);
1855 else
1856 urb = alloc_ctrl_urb(hdev, skb);
1857
1858 /* When the 0xfc01 command is issued to boot into
1859 * the operational firmware, it will actually not
1860 * send a command complete event. To keep the flow
1861 * control working inject that event here.
1862 */
1863 if (opcode == 0xfc01)
1864 inject_cmd_complete(hdev, opcode);
1865 } else {
1866 urb = alloc_ctrl_urb(hdev, skb);
1867 }
1868 if (IS_ERR(urb))
1869 return PTR_ERR(urb);
1870
1871 hdev->stat.cmd_tx++;
1872 return submit_or_queue_tx_urb(hdev, urb);
1873
1874 case HCI_ACLDATA_PKT:
1875 urb = alloc_bulk_urb(hdev, skb);
1876 if (IS_ERR(urb))
1877 return PTR_ERR(urb);
1878
1879 hdev->stat.acl_tx++;
1880 return submit_or_queue_tx_urb(hdev, urb);
1881
1882 case HCI_SCODATA_PKT:
1883 if (hci_conn_num(hdev, SCO_LINK) < 1)
1884 return -ENODEV;
1885
1886 urb = alloc_isoc_urb(hdev, skb);
1887 if (IS_ERR(urb))
1888 return PTR_ERR(urb);
1889
1890 hdev->stat.sco_tx++;
1891 return submit_tx_urb(hdev, urb);
1892 }
1893
1894 return -EILSEQ;
1895 }
1896
1897 static int btusb_setup_intel_new(struct hci_dev *hdev)
1898 {
1899 static const u8 reset_param[] = { 0x00, 0x01, 0x00, 0x01,
1900 0x00, 0x08, 0x04, 0x00 };
1901 struct btusb_data *data = hci_get_drvdata(hdev);
1902 struct sk_buff *skb;
1903 struct intel_version *ver;
1904 struct intel_boot_params *params;
1905 const struct firmware *fw;
1906 const u8 *fw_ptr;
1907 u32 frag_len;
1908 char fwname[64];
1909 ktime_t calltime, delta, rettime;
1910 unsigned long long duration;
1911 int err;
1912
1913 BT_DBG("%s", hdev->name);
1914
1915 calltime = ktime_get();
1916
1917 /* Read the Intel version information to determine if the device
1918 * is in bootloader mode or if it already has operational firmware
1919 * loaded.
1920 */
1921 skb = __hci_cmd_sync(hdev, 0xfc05, 0, NULL, HCI_INIT_TIMEOUT);
1922 if (IS_ERR(skb)) {
1923 BT_ERR("%s: Reading Intel version information failed (%ld)",
1924 hdev->name, PTR_ERR(skb));
1925 return PTR_ERR(skb);
1926 }
1927
1928 if (skb->len != sizeof(*ver)) {
1929 BT_ERR("%s: Intel version event size mismatch", hdev->name);
1930 kfree_skb(skb);
1931 return -EILSEQ;
1932 }
1933
1934 ver = (struct intel_version *)skb->data;
1935
1936 /* The hardware platform number has a fixed value of 0x37 and
1937 * for now only accept this single value.
1938 */
1939 if (ver->hw_platform != 0x37) {
1940 BT_ERR("%s: Unsupported Intel hardware platform (%u)",
1941 hdev->name, ver->hw_platform);
1942 kfree_skb(skb);
1943 return -EINVAL;
1944 }
1945
1946 /* At the moment only the hardware variant iBT 3.0 (LnP/SfP) is
1947 * supported by this firmware loading method. This check has been
1948 * put in place to ensure correct forward compatibility options
1949 * when newer hardware variants come along.
1950 */
1951 if (ver->hw_variant != 0x0b) {
1952 BT_ERR("%s: Unsupported Intel hardware variant (%u)",
1953 hdev->name, ver->hw_variant);
1954 kfree_skb(skb);
1955 return -EINVAL;
1956 }
1957
1958 btintel_version_info(hdev, ver);
1959
1960 /* The firmware variant determines if the device is in bootloader
1961 * mode or is running operational firmware. The value 0x06 identifies
1962 * the bootloader and the value 0x23 identifies the operational
1963 * firmware.
1964 *
1965 * When the operational firmware is already present, then only
1966 * the check for valid Bluetooth device address is needed. This
1967 * determines if the device will be added as configured or
1968 * unconfigured controller.
1969 *
1970 * It is not possible to use the Secure Boot Parameters in this
1971 * case since that command is only available in bootloader mode.
1972 */
1973 if (ver->fw_variant == 0x23) {
1974 kfree_skb(skb);
1975 clear_bit(BTUSB_BOOTLOADER, &data->flags);
1976 btintel_check_bdaddr(hdev);
1977 return 0;
1978 }
1979
1980 /* If the device is not in bootloader mode, then the only possible
1981 * choice is to return an error and abort the device initialization.
1982 */
1983 if (ver->fw_variant != 0x06) {
1984 BT_ERR("%s: Unsupported Intel firmware variant (%u)",
1985 hdev->name, ver->fw_variant);
1986 kfree_skb(skb);
1987 return -ENODEV;
1988 }
1989
1990 kfree_skb(skb);
1991
1992 /* Read the secure boot parameters to identify the operating
1993 * details of the bootloader.
1994 */
1995 skb = __hci_cmd_sync(hdev, 0xfc0d, 0, NULL, HCI_INIT_TIMEOUT);
1996 if (IS_ERR(skb)) {
1997 BT_ERR("%s: Reading Intel boot parameters failed (%ld)",
1998 hdev->name, PTR_ERR(skb));
1999 return PTR_ERR(skb);
2000 }
2001
2002 if (skb->len != sizeof(*params)) {
2003 BT_ERR("%s: Intel boot parameters size mismatch", hdev->name);
2004 kfree_skb(skb);
2005 return -EILSEQ;
2006 }
2007
2008 params = (struct intel_boot_params *)skb->data;
2009
2010 BT_INFO("%s: Device revision is %u", hdev->name,
2011 le16_to_cpu(params->dev_revid));
2012
2013 BT_INFO("%s: Secure boot is %s", hdev->name,
2014 params->secure_boot ? "enabled" : "disabled");
2015
2016 BT_INFO("%s: Minimum firmware build %u week %u %u", hdev->name,
2017 params->min_fw_build_nn, params->min_fw_build_cw,
2018 2000 + params->min_fw_build_yy);
2019
2020 /* It is required that every single firmware fragment is acknowledged
2021 * with a command complete event. If the boot parameters indicate
2022 * that this bootloader does not send them, then abort the setup.
2023 */
2024 if (params->limited_cce != 0x00) {
2025 BT_ERR("%s: Unsupported Intel firmware loading method (%u)",
2026 hdev->name, params->limited_cce);
2027 kfree_skb(skb);
2028 return -EINVAL;
2029 }
2030
2031 /* If the OTP has no valid Bluetooth device address, then there will
2032 * also be no valid address for the operational firmware.
2033 */
2034 if (!bacmp(&params->otp_bdaddr, BDADDR_ANY)) {
2035 BT_INFO("%s: No device address configured", hdev->name);
2036 set_bit(HCI_QUIRK_INVALID_BDADDR, &hdev->quirks);
2037 }
2038
2039 /* With this Intel bootloader only the hardware variant and device
2040 * revision information are used to select the right firmware.
2041 *
2042 * Currently this bootloader support is limited to hardware variant
2043 * iBT 3.0 (LnP/SfP) which is identified by the value 11 (0x0b).
2044 */
2045 snprintf(fwname, sizeof(fwname), "intel/ibt-11-%u.sfi",
2046 le16_to_cpu(params->dev_revid));
2047
2048 err = request_firmware(&fw, fwname, &hdev->dev);
2049 if (err < 0) {
2050 BT_ERR("%s: Failed to load Intel firmware file (%d)",
2051 hdev->name, err);
2052 kfree_skb(skb);
2053 return err;
2054 }
2055
2056 BT_INFO("%s: Found device firmware: %s", hdev->name, fwname);
2057
2058 /* Save the DDC file name for later use to apply once the firmware
2059 * downloading is done.
2060 */
2061 snprintf(fwname, sizeof(fwname), "intel/ibt-11-%u.ddc",
2062 le16_to_cpu(params->dev_revid));
2063
2064 kfree_skb(skb);
2065
2066 if (fw->size < 644) {
2067 BT_ERR("%s: Invalid size of firmware file (%zu)",
2068 hdev->name, fw->size);
2069 err = -EBADF;
2070 goto done;
2071 }
2072
2073 set_bit(BTUSB_DOWNLOADING, &data->flags);
2074
2075 /* Start the firmware download transaction with the Init fragment
2076 * represented by the 128 bytes of CSS header.
2077 */
2078 err = btintel_secure_send(hdev, 0x00, 128, fw->data);
2079 if (err < 0) {
2080 BT_ERR("%s: Failed to send firmware header (%d)",
2081 hdev->name, err);
2082 goto done;
2083 }
2084
2085 /* Send the 256 bytes of public key information from the firmware
2086 * as the PKey fragment.
2087 */
2088 err = btintel_secure_send(hdev, 0x03, 256, fw->data + 128);
2089 if (err < 0) {
2090 BT_ERR("%s: Failed to send firmware public key (%d)",
2091 hdev->name, err);
2092 goto done;
2093 }
2094
2095 /* Send the 256 bytes of signature information from the firmware
2096 * as the Sign fragment.
2097 */
2098 err = btintel_secure_send(hdev, 0x02, 256, fw->data + 388);
2099 if (err < 0) {
2100 BT_ERR("%s: Failed to send firmware signature (%d)",
2101 hdev->name, err);
2102 goto done;
2103 }
2104
2105 fw_ptr = fw->data + 644;
2106 frag_len = 0;
2107
2108 while (fw_ptr - fw->data < fw->size) {
2109 struct hci_command_hdr *cmd = (void *)(fw_ptr + frag_len);
2110
2111 frag_len += sizeof(*cmd) + cmd->plen;
2112
2113 /* The parameter length of the secure send command requires
2114 * a 4 byte alignment. It happens so that the firmware file
2115 * contains proper Intel_NOP commands to align the fragments
2116 * as needed.
2117 *
2118 * Send set of commands with 4 byte alignment from the
2119 * firmware data buffer as a single Data fragement.
2120 */
2121 if (!(frag_len % 4)) {
2122 err = btintel_secure_send(hdev, 0x01, frag_len, fw_ptr);
2123 if (err < 0) {
2124 BT_ERR("%s: Failed to send firmware data (%d)",
2125 hdev->name, err);
2126 goto done;
2127 }
2128
2129 fw_ptr += frag_len;
2130 frag_len = 0;
2131 }
2132 }
2133
2134 set_bit(BTUSB_FIRMWARE_LOADED, &data->flags);
2135
2136 BT_INFO("%s: Waiting for firmware download to complete", hdev->name);
2137
2138 /* Before switching the device into operational mode and with that
2139 * booting the loaded firmware, wait for the bootloader notification
2140 * that all fragments have been successfully received.
2141 *
2142 * When the event processing receives the notification, then the
2143 * BTUSB_DOWNLOADING flag will be cleared.
2144 *
2145 * The firmware loading should not take longer than 5 seconds
2146 * and thus just timeout if that happens and fail the setup
2147 * of this device.
2148 */
2149 err = wait_on_bit_timeout(&data->flags, BTUSB_DOWNLOADING,
2150 TASK_INTERRUPTIBLE,
2151 msecs_to_jiffies(5000));
2152 if (err == 1) {
2153 BT_ERR("%s: Firmware loading interrupted", hdev->name);
2154 err = -EINTR;
2155 goto done;
2156 }
2157
2158 if (err) {
2159 BT_ERR("%s: Firmware loading timeout", hdev->name);
2160 err = -ETIMEDOUT;
2161 goto done;
2162 }
2163
2164 if (test_bit(BTUSB_FIRMWARE_FAILED, &data->flags)) {
2165 BT_ERR("%s: Firmware loading failed", hdev->name);
2166 err = -ENOEXEC;
2167 goto done;
2168 }
2169
2170 rettime = ktime_get();
2171 delta = ktime_sub(rettime, calltime);
2172 duration = (unsigned long long) ktime_to_ns(delta) >> 10;
2173
2174 BT_INFO("%s: Firmware loaded in %llu usecs", hdev->name, duration);
2175
2176 done:
2177 release_firmware(fw);
2178
2179 if (err < 0)
2180 return err;
2181
2182 calltime = ktime_get();
2183
2184 set_bit(BTUSB_BOOTING, &data->flags);
2185
2186 skb = __hci_cmd_sync(hdev, 0xfc01, sizeof(reset_param), reset_param,
2187 HCI_INIT_TIMEOUT);
2188 if (IS_ERR(skb))
2189 return PTR_ERR(skb);
2190
2191 kfree_skb(skb);
2192
2193 /* The bootloader will not indicate when the device is ready. This
2194 * is done by the operational firmware sending bootup notification.
2195 *
2196 * Booting into operational firmware should not take longer than
2197 * 1 second. However if that happens, then just fail the setup
2198 * since something went wrong.
2199 */
2200 BT_INFO("%s: Waiting for device to boot", hdev->name);
2201
2202 err = wait_on_bit_timeout(&data->flags, BTUSB_BOOTING,
2203 TASK_INTERRUPTIBLE,
2204 msecs_to_jiffies(1000));
2205
2206 if (err == 1) {
2207 BT_ERR("%s: Device boot interrupted", hdev->name);
2208 return -EINTR;
2209 }
2210
2211 if (err) {
2212 BT_ERR("%s: Device boot timeout", hdev->name);
2213 return -ETIMEDOUT;
2214 }
2215
2216 rettime = ktime_get();
2217 delta = ktime_sub(rettime, calltime);
2218 duration = (unsigned long long) ktime_to_ns(delta) >> 10;
2219
2220 BT_INFO("%s: Device booted in %llu usecs", hdev->name, duration);
2221
2222 clear_bit(BTUSB_BOOTLOADER, &data->flags);
2223
2224 /* Once the device is running in operational mode, it needs to apply
2225 * the device configuration (DDC) parameters.
2226 *
2227 * The device can work without DDC parameters, so even if it fails
2228 * to load the file, no need to fail the setup.
2229 */
2230 btintel_load_ddc_config(hdev, fwname);
2231
2232 return 0;
2233 }
2234
2235 static int btusb_shutdown_intel(struct hci_dev *hdev)
2236 {
2237 struct sk_buff *skb;
2238 long ret;
2239
2240 /* Some platforms have an issue with BT LED when the interface is
2241 * down or BT radio is turned off, which takes 5 seconds to BT LED
2242 * goes off. This command turns off the BT LED immediately.
2243 */
2244 skb = __hci_cmd_sync(hdev, 0xfc3f, 0, NULL, HCI_INIT_TIMEOUT);
2245 if (IS_ERR(skb)) {
2246 ret = PTR_ERR(skb);
2247 BT_ERR("%s: turning off Intel device LED failed (%ld)",
2248 hdev->name, ret);
2249 return ret;
2250 }
2251 kfree_skb(skb);
2252
2253 return 0;
2254 }
2255
2256 static int btusb_set_bdaddr_marvell(struct hci_dev *hdev,
2257 const bdaddr_t *bdaddr)
2258 {
2259 struct sk_buff *skb;
2260 u8 buf[8];
2261 long ret;
2262
2263 buf[0] = 0xfe;
2264 buf[1] = sizeof(bdaddr_t);
2265 memcpy(buf + 2, bdaddr, sizeof(bdaddr_t));
2266
2267 skb = __hci_cmd_sync(hdev, 0xfc22, sizeof(buf), buf, HCI_INIT_TIMEOUT);
2268 if (IS_ERR(skb)) {
2269 ret = PTR_ERR(skb);
2270 BT_ERR("%s: changing Marvell device address failed (%ld)",
2271 hdev->name, ret);
2272 return ret;
2273 }
2274 kfree_skb(skb);
2275
2276 return 0;
2277 }
2278
2279 static int btusb_set_bdaddr_ath3012(struct hci_dev *hdev,
2280 const bdaddr_t *bdaddr)
2281 {
2282 struct sk_buff *skb;
2283 u8 buf[10];
2284 long ret;
2285
2286 buf[0] = 0x01;
2287 buf[1] = 0x01;
2288 buf[2] = 0x00;
2289 buf[3] = sizeof(bdaddr_t);
2290 memcpy(buf + 4, bdaddr, sizeof(bdaddr_t));
2291
2292 skb = __hci_cmd_sync(hdev, 0xfc0b, sizeof(buf), buf, HCI_INIT_TIMEOUT);
2293 if (IS_ERR(skb)) {
2294 ret = PTR_ERR(skb);
2295 BT_ERR("%s: Change address command failed (%ld)",
2296 hdev->name, ret);
2297 return ret;
2298 }
2299 kfree_skb(skb);
2300
2301 return 0;
2302 }
2303
2304 #define QCA_DFU_PACKET_LEN 4096
2305
2306 #define QCA_GET_TARGET_VERSION 0x09
2307 #define QCA_CHECK_STATUS 0x05
2308 #define QCA_DFU_DOWNLOAD 0x01
2309
2310 #define QCA_SYSCFG_UPDATED 0x40
2311 #define QCA_PATCH_UPDATED 0x80
2312 #define QCA_DFU_TIMEOUT 3000
2313
2314 struct qca_version {
2315 __le32 rom_version;
2316 __le32 patch_version;
2317 __le32 ram_version;
2318 __le32 ref_clock;
2319 __u8 reserved[4];
2320 } __packed;
2321
2322 struct qca_rampatch_version {
2323 __le16 rom_version;
2324 __le16 patch_version;
2325 } __packed;
2326
2327 struct qca_device_info {
2328 u32 rom_version;
2329 u8 rampatch_hdr; /* length of header in rampatch */
2330 u8 nvm_hdr; /* length of header in NVM */
2331 u8 ver_offset; /* offset of version structure in rampatch */
2332 };
2333
2334 static const struct qca_device_info qca_devices_table[] = {
2335 { 0x00000100, 20, 4, 10 }, /* Rome 1.0 */
2336 { 0x00000101, 20, 4, 10 }, /* Rome 1.1 */
2337 { 0x00000200, 28, 4, 18 }, /* Rome 2.0 */
2338 { 0x00000201, 28, 4, 18 }, /* Rome 2.1 */
2339 { 0x00000300, 28, 4, 18 }, /* Rome 3.0 */
2340 { 0x00000302, 28, 4, 18 }, /* Rome 3.2 */
2341 };
2342
2343 static int btusb_qca_send_vendor_req(struct hci_dev *hdev, u8 request,
2344 void *data, u16 size)
2345 {
2346 struct btusb_data *btdata = hci_get_drvdata(hdev);
2347 struct usb_device *udev = btdata->udev;
2348 int pipe, err;
2349 u8 *buf;
2350
2351 buf = kmalloc(size, GFP_KERNEL);
2352 if (!buf)
2353 return -ENOMEM;
2354
2355 /* Found some of USB hosts have IOT issues with ours so that we should
2356 * not wait until HCI layer is ready.
2357 */
2358 pipe = usb_rcvctrlpipe(udev, 0);
2359 err = usb_control_msg(udev, pipe, request, USB_TYPE_VENDOR | USB_DIR_IN,
2360 0, 0, buf, size, USB_CTRL_SET_TIMEOUT);
2361 if (err < 0) {
2362 BT_ERR("%s: Failed to access otp area (%d)", hdev->name, err);
2363 goto done;
2364 }
2365
2366 memcpy(data, buf, size);
2367
2368 done:
2369 kfree(buf);
2370
2371 return err;
2372 }
2373
2374 static int btusb_setup_qca_download_fw(struct hci_dev *hdev,
2375 const struct firmware *firmware,
2376 size_t hdr_size)
2377 {
2378 struct btusb_data *btdata = hci_get_drvdata(hdev);
2379 struct usb_device *udev = btdata->udev;
2380 size_t count, size, sent = 0;
2381 int pipe, len, err;
2382 u8 *buf;
2383
2384 buf = kmalloc(QCA_DFU_PACKET_LEN, GFP_KERNEL);
2385 if (!buf)
2386 return -ENOMEM;
2387
2388 count = firmware->size;
2389
2390 size = min_t(size_t, count, hdr_size);
2391 memcpy(buf, firmware->data, size);
2392
2393 /* USB patches should go down to controller through USB path
2394 * because binary format fits to go down through USB channel.
2395 * USB control path is for patching headers and USB bulk is for
2396 * patch body.
2397 */
2398 pipe = usb_sndctrlpipe(udev, 0);
2399 err = usb_control_msg(udev, pipe, QCA_DFU_DOWNLOAD, USB_TYPE_VENDOR,
2400 0, 0, buf, size, USB_CTRL_SET_TIMEOUT);
2401 if (err < 0) {
2402 BT_ERR("%s: Failed to send headers (%d)", hdev->name, err);
2403 goto done;
2404 }
2405
2406 sent += size;
2407 count -= size;
2408
2409 while (count) {
2410 size = min_t(size_t, count, QCA_DFU_PACKET_LEN);
2411
2412 memcpy(buf, firmware->data + sent, size);
2413
2414 pipe = usb_sndbulkpipe(udev, 0x02);
2415 err = usb_bulk_msg(udev, pipe, buf, size, &len,
2416 QCA_DFU_TIMEOUT);
2417 if (err < 0) {
2418 BT_ERR("%s: Failed to send body at %zd of %zd (%d)",
2419 hdev->name, sent, firmware->size, err);
2420 break;
2421 }
2422
2423 if (size != len) {
2424 BT_ERR("%s: Failed to get bulk buffer", hdev->name);
2425 err = -EILSEQ;
2426 break;
2427 }
2428
2429 sent += size;
2430 count -= size;
2431 }
2432
2433 done:
2434 kfree(buf);
2435 return err;
2436 }
2437
2438 static int btusb_setup_qca_load_rampatch(struct hci_dev *hdev,
2439 struct qca_version *ver,
2440 const struct qca_device_info *info)
2441 {
2442 struct qca_rampatch_version *rver;
2443 const struct firmware *fw;
2444 u32 ver_rom, ver_patch;
2445 u16 rver_rom, rver_patch;
2446 char fwname[64];
2447 int err;
2448
2449 ver_rom = le32_to_cpu(ver->rom_version);
2450 ver_patch = le32_to_cpu(ver->patch_version);
2451
2452 snprintf(fwname, sizeof(fwname), "qca/rampatch_usb_%08x.bin", ver_rom);
2453
2454 err = request_firmware(&fw, fwname, &hdev->dev);
2455 if (err) {
2456 BT_ERR("%s: failed to request rampatch file: %s (%d)",
2457 hdev->name, fwname, err);
2458 return err;
2459 }
2460
2461 BT_INFO("%s: using rampatch file: %s", hdev->name, fwname);
2462
2463 rver = (struct qca_rampatch_version *)(fw->data + info->ver_offset);
2464 rver_rom = le16_to_cpu(rver->rom_version);
2465 rver_patch = le16_to_cpu(rver->patch_version);
2466
2467 BT_INFO("%s: QCA: patch rome 0x%x build 0x%x, firmware rome 0x%x "
2468 "build 0x%x", hdev->name, rver_rom, rver_patch, ver_rom,
2469 ver_patch);
2470
2471 if (rver_rom != ver_rom || rver_patch <= ver_patch) {
2472 BT_ERR("%s: rampatch file version did not match with firmware",
2473 hdev->name);
2474 err = -EINVAL;
2475 goto done;
2476 }
2477
2478 err = btusb_setup_qca_download_fw(hdev, fw, info->rampatch_hdr);
2479
2480 done:
2481 release_firmware(fw);
2482
2483 return err;
2484 }
2485
2486 static int btusb_setup_qca_load_nvm(struct hci_dev *hdev,
2487 struct qca_version *ver,
2488 const struct qca_device_info *info)
2489 {
2490 const struct firmware *fw;
2491 char fwname[64];
2492 int err;
2493
2494 snprintf(fwname, sizeof(fwname), "qca/nvm_usb_%08x.bin",
2495 le32_to_cpu(ver->rom_version));
2496
2497 err = request_firmware(&fw, fwname, &hdev->dev);
2498 if (err) {
2499 BT_ERR("%s: failed to request NVM file: %s (%d)",
2500 hdev->name, fwname, err);
2501 return err;
2502 }
2503
2504 BT_INFO("%s: using NVM file: %s", hdev->name, fwname);
2505
2506 err = btusb_setup_qca_download_fw(hdev, fw, info->nvm_hdr);
2507
2508 release_firmware(fw);
2509
2510 return err;
2511 }
2512
2513 static int btusb_setup_qca(struct hci_dev *hdev)
2514 {
2515 const struct qca_device_info *info = NULL;
2516 struct qca_version ver;
2517 u32 ver_rom;
2518 u8 status;
2519 int i, err;
2520
2521 err = btusb_qca_send_vendor_req(hdev, QCA_GET_TARGET_VERSION, &ver,
2522 sizeof(ver));
2523 if (err < 0)
2524 return err;
2525
2526 ver_rom = le32_to_cpu(ver.rom_version);
2527 for (i = 0; i < ARRAY_SIZE(qca_devices_table); i++) {
2528 if (ver_rom == qca_devices_table[i].rom_version)
2529 info = &qca_devices_table[i];
2530 }
2531 if (!info) {
2532 BT_ERR("%s: don't support firmware rome 0x%x", hdev->name,
2533 ver_rom);
2534 return -ENODEV;
2535 }
2536
2537 err = btusb_qca_send_vendor_req(hdev, QCA_CHECK_STATUS, &status,
2538 sizeof(status));
2539 if (err < 0)
2540 return err;
2541
2542 if (!(status & QCA_PATCH_UPDATED)) {
2543 err = btusb_setup_qca_load_rampatch(hdev, &ver, info);
2544 if (err < 0)
2545 return err;
2546 }
2547
2548 if (!(status & QCA_SYSCFG_UPDATED)) {
2549 err = btusb_setup_qca_load_nvm(hdev, &ver, info);
2550 if (err < 0)
2551 return err;
2552 }
2553
2554 return 0;
2555 }
2556
2557 static int btusb_probe(struct usb_interface *intf,
2558 const struct usb_device_id *id)
2559 {
2560 struct usb_endpoint_descriptor *ep_desc;
2561 struct btusb_data *data;
2562 struct hci_dev *hdev;
2563 int i, err;
2564
2565 BT_DBG("intf %p id %p", intf, id);
2566
2567 /* interface numbers are hardcoded in the spec */
2568 if (intf->cur_altsetting->desc.bInterfaceNumber != 0)
2569 return -ENODEV;
2570
2571 if (!id->driver_info) {
2572 const struct usb_device_id *match;
2573
2574 match = usb_match_id(intf, blacklist_table);
2575 if (match)
2576 id = match;
2577 }
2578
2579 if (id->driver_info == BTUSB_IGNORE)
2580 return -ENODEV;
2581
2582 if (id->driver_info & BTUSB_ATH3012) {
2583 struct usb_device *udev = interface_to_usbdev(intf);
2584
2585 /* Old firmware would otherwise let ath3k driver load
2586 * patch and sysconfig files */
2587 if (le16_to_cpu(udev->descriptor.bcdDevice) <= 0x0001)
2588 return -ENODEV;
2589 }
2590
2591 data = devm_kzalloc(&intf->dev, sizeof(*data), GFP_KERNEL);
2592 if (!data)
2593 return -ENOMEM;
2594
2595 for (i = 0; i < intf->cur_altsetting->desc.bNumEndpoints; i++) {
2596 ep_desc = &intf->cur_altsetting->endpoint[i].desc;
2597
2598 if (!data->intr_ep && usb_endpoint_is_int_in(ep_desc)) {
2599 data->intr_ep = ep_desc;
2600 continue;
2601 }
2602
2603 if (!data->bulk_tx_ep && usb_endpoint_is_bulk_out(ep_desc)) {
2604 data->bulk_tx_ep = ep_desc;
2605 continue;
2606 }
2607
2608 if (!data->bulk_rx_ep && usb_endpoint_is_bulk_in(ep_desc)) {
2609 data->bulk_rx_ep = ep_desc;
2610 continue;
2611 }
2612 }
2613
2614 if (!data->intr_ep || !data->bulk_tx_ep || !data->bulk_rx_ep)
2615 return -ENODEV;
2616
2617 if (id->driver_info & BTUSB_AMP) {
2618 data->cmdreq_type = USB_TYPE_CLASS | 0x01;
2619 data->cmdreq = 0x2b;
2620 } else {
2621 data->cmdreq_type = USB_TYPE_CLASS;
2622 data->cmdreq = 0x00;
2623 }
2624
2625 data->udev = interface_to_usbdev(intf);
2626 data->intf = intf;
2627
2628 INIT_WORK(&data->work, btusb_work);
2629 INIT_WORK(&data->waker, btusb_waker);
2630 init_usb_anchor(&data->deferred);
2631 init_usb_anchor(&data->tx_anchor);
2632 spin_lock_init(&data->txlock);
2633
2634 init_usb_anchor(&data->intr_anchor);
2635 init_usb_anchor(&data->bulk_anchor);
2636 init_usb_anchor(&data->isoc_anchor);
2637 spin_lock_init(&data->rxlock);
2638
2639 if (id->driver_info & BTUSB_INTEL_NEW) {
2640 data->recv_event = btusb_recv_event_intel;
2641 data->recv_bulk = btusb_recv_bulk_intel;
2642 set_bit(BTUSB_BOOTLOADER, &data->flags);
2643 } else {
2644 data->recv_event = hci_recv_frame;
2645 data->recv_bulk = btusb_recv_bulk;
2646 }
2647
2648 hdev = hci_alloc_dev();
2649 if (!hdev)
2650 return -ENOMEM;
2651
2652 hdev->bus = HCI_USB;
2653 hci_set_drvdata(hdev, data);
2654
2655 if (id->driver_info & BTUSB_AMP)
2656 hdev->dev_type = HCI_AMP;
2657 else
2658 hdev->dev_type = HCI_BREDR;
2659
2660 data->hdev = hdev;
2661
2662 SET_HCIDEV_DEV(hdev, &intf->dev);
2663
2664 hdev->open = btusb_open;
2665 hdev->close = btusb_close;
2666 hdev->flush = btusb_flush;
2667 hdev->send = btusb_send_frame;
2668 hdev->notify = btusb_notify;
2669
2670 if (id->driver_info & BTUSB_BCM92035)
2671 hdev->setup = btusb_setup_bcm92035;
2672
2673 #ifdef CONFIG_BT_HCIBTUSB_BCM
2674 if (id->driver_info & BTUSB_BCM_PATCHRAM) {
2675 hdev->setup = btbcm_setup_patchram;
2676 hdev->set_bdaddr = btbcm_set_bdaddr;
2677 }
2678
2679 if (id->driver_info & BTUSB_BCM_APPLE)
2680 hdev->setup = btbcm_setup_apple;
2681 #endif
2682
2683 if (id->driver_info & BTUSB_INTEL) {
2684 hdev->setup = btusb_setup_intel;
2685 hdev->shutdown = btusb_shutdown_intel;
2686 hdev->set_bdaddr = btintel_set_bdaddr;
2687 set_bit(HCI_QUIRK_STRICT_DUPLICATE_FILTER, &hdev->quirks);
2688 set_bit(HCI_QUIRK_SIMULTANEOUS_DISCOVERY, &hdev->quirks);
2689 }
2690
2691 if (id->driver_info & BTUSB_INTEL_NEW) {
2692 hdev->send = btusb_send_frame_intel;
2693 hdev->setup = btusb_setup_intel_new;
2694 hdev->hw_error = btintel_hw_error;
2695 hdev->set_bdaddr = btintel_set_bdaddr;
2696 set_bit(HCI_QUIRK_STRICT_DUPLICATE_FILTER, &hdev->quirks);
2697 }
2698
2699 if (id->driver_info & BTUSB_MARVELL)
2700 hdev->set_bdaddr = btusb_set_bdaddr_marvell;
2701
2702 if (id->driver_info & BTUSB_SWAVE) {
2703 set_bit(HCI_QUIRK_FIXUP_INQUIRY_MODE, &hdev->quirks);
2704 set_bit(HCI_QUIRK_BROKEN_LOCAL_COMMANDS, &hdev->quirks);
2705 }
2706
2707 if (id->driver_info & BTUSB_INTEL_BOOT)
2708 set_bit(HCI_QUIRK_RAW_DEVICE, &hdev->quirks);
2709
2710 if (id->driver_info & BTUSB_ATH3012) {
2711 hdev->set_bdaddr = btusb_set_bdaddr_ath3012;
2712 set_bit(HCI_QUIRK_SIMULTANEOUS_DISCOVERY, &hdev->quirks);
2713 set_bit(HCI_QUIRK_STRICT_DUPLICATE_FILTER, &hdev->quirks);
2714 }
2715
2716 if (id->driver_info & BTUSB_QCA_ROME) {
2717 data->setup_on_usb = btusb_setup_qca;
2718 hdev->set_bdaddr = btusb_set_bdaddr_ath3012;
2719 }
2720
2721 #ifdef CONFIG_BT_HCIBTUSB_RTL
2722 if (id->driver_info & BTUSB_REALTEK) {
2723 hdev->setup = btrtl_setup_realtek;
2724
2725 /* Realtek devices lose their updated firmware over suspend,
2726 * but the USB hub doesn't notice any status change.
2727 * Explicitly request a device reset on resume.
2728 */
2729 set_bit(BTUSB_RESET_RESUME, &data->flags);
2730 }
2731 #endif
2732
2733 if (id->driver_info & BTUSB_AMP) {
2734 /* AMP controllers do not support SCO packets */
2735 data->isoc = NULL;
2736 } else {
2737 /* Interface numbers are hardcoded in the specification */
2738 data->isoc = usb_ifnum_to_if(data->udev, 1);
2739 }
2740
2741 if (!reset)
2742 set_bit(HCI_QUIRK_RESET_ON_CLOSE, &hdev->quirks);
2743
2744 if (force_scofix || id->driver_info & BTUSB_WRONG_SCO_MTU) {
2745 if (!disable_scofix)
2746 set_bit(HCI_QUIRK_FIXUP_BUFFER_SIZE, &hdev->quirks);
2747 }
2748
2749 if (id->driver_info & BTUSB_BROKEN_ISOC)
2750 data->isoc = NULL;
2751
2752 if (id->driver_info & BTUSB_DIGIANSWER) {
2753 data->cmdreq_type = USB_TYPE_VENDOR;
2754 set_bit(HCI_QUIRK_RESET_ON_CLOSE, &hdev->quirks);
2755 }
2756
2757 if (id->driver_info & BTUSB_CSR) {
2758 struct usb_device *udev = data->udev;
2759 u16 bcdDevice = le16_to_cpu(udev->descriptor.bcdDevice);
2760
2761 /* Old firmware would otherwise execute USB reset */
2762 if (bcdDevice < 0x117)
2763 set_bit(HCI_QUIRK_RESET_ON_CLOSE, &hdev->quirks);
2764
2765 /* Fake CSR devices with broken commands */
2766 if (bcdDevice <= 0x100 || bcdDevice == 0x134)
2767 hdev->setup = btusb_setup_csr;
2768
2769 set_bit(HCI_QUIRK_SIMULTANEOUS_DISCOVERY, &hdev->quirks);
2770 }
2771
2772 if (id->driver_info & BTUSB_SNIFFER) {
2773 struct usb_device *udev = data->udev;
2774
2775 /* New sniffer firmware has crippled HCI interface */
2776 if (le16_to_cpu(udev->descriptor.bcdDevice) > 0x997)
2777 set_bit(HCI_QUIRK_RAW_DEVICE, &hdev->quirks);
2778 }
2779
2780 if (id->driver_info & BTUSB_INTEL_BOOT) {
2781 /* A bug in the bootloader causes that interrupt interface is
2782 * only enabled after receiving SetInterface(0, AltSetting=0).
2783 */
2784 err = usb_set_interface(data->udev, 0, 0);
2785 if (err < 0) {
2786 BT_ERR("failed to set interface 0, alt 0 %d", err);
2787 hci_free_dev(hdev);
2788 return err;
2789 }
2790 }
2791
2792 if (data->isoc) {
2793 err = usb_driver_claim_interface(&btusb_driver,
2794 data->isoc, data);
2795 if (err < 0) {
2796 hci_free_dev(hdev);
2797 return err;
2798 }
2799 }
2800
2801 err = hci_register_dev(hdev);
2802 if (err < 0) {
2803 hci_free_dev(hdev);
2804 return err;
2805 }
2806
2807 usb_set_intfdata(intf, data);
2808
2809 return 0;
2810 }
2811
2812 static void btusb_disconnect(struct usb_interface *intf)
2813 {
2814 struct btusb_data *data = usb_get_intfdata(intf);
2815 struct hci_dev *hdev;
2816
2817 BT_DBG("intf %p", intf);
2818
2819 if (!data)
2820 return;
2821
2822 hdev = data->hdev;
2823 usb_set_intfdata(data->intf, NULL);
2824
2825 if (data->isoc)
2826 usb_set_intfdata(data->isoc, NULL);
2827
2828 hci_unregister_dev(hdev);
2829
2830 if (intf == data->isoc)
2831 usb_driver_release_interface(&btusb_driver, data->intf);
2832 else if (data->isoc)
2833 usb_driver_release_interface(&btusb_driver, data->isoc);
2834
2835 hci_free_dev(hdev);
2836 }
2837
2838 #ifdef CONFIG_PM
2839 static int btusb_suspend(struct usb_interface *intf, pm_message_t message)
2840 {
2841 struct btusb_data *data = usb_get_intfdata(intf);
2842
2843 BT_DBG("intf %p", intf);
2844
2845 if (data->suspend_count++)
2846 return 0;
2847
2848 spin_lock_irq(&data->txlock);
2849 if (!(PMSG_IS_AUTO(message) && data->tx_in_flight)) {
2850 set_bit(BTUSB_SUSPENDING, &data->flags);
2851 spin_unlock_irq(&data->txlock);
2852 } else {
2853 spin_unlock_irq(&data->txlock);
2854 data->suspend_count--;
2855 return -EBUSY;
2856 }
2857
2858 cancel_work_sync(&data->work);
2859
2860 btusb_stop_traffic(data);
2861 usb_kill_anchored_urbs(&data->tx_anchor);
2862
2863 /* Optionally request a device reset on resume, but only when
2864 * wakeups are disabled. If wakeups are enabled we assume the
2865 * device will stay powered up throughout suspend.
2866 */
2867 if (test_bit(BTUSB_RESET_RESUME, &data->flags) &&
2868 !device_may_wakeup(&data->udev->dev))
2869 data->udev->reset_resume = 1;
2870
2871 return 0;
2872 }
2873
2874 static void play_deferred(struct btusb_data *data)
2875 {
2876 struct urb *urb;
2877 int err;
2878
2879 while ((urb = usb_get_from_anchor(&data->deferred))) {
2880 err = usb_submit_urb(urb, GFP_ATOMIC);
2881 if (err < 0)
2882 break;
2883
2884 data->tx_in_flight++;
2885 }
2886 usb_scuttle_anchored_urbs(&data->deferred);
2887 }
2888
2889 static int btusb_resume(struct usb_interface *intf)
2890 {
2891 struct btusb_data *data = usb_get_intfdata(intf);
2892 struct hci_dev *hdev = data->hdev;
2893 int err = 0;
2894
2895 BT_DBG("intf %p", intf);
2896
2897 if (--data->suspend_count)
2898 return 0;
2899
2900 if (!test_bit(HCI_RUNNING, &hdev->flags))
2901 goto done;
2902
2903 if (test_bit(BTUSB_INTR_RUNNING, &data->flags)) {
2904 err = btusb_submit_intr_urb(hdev, GFP_NOIO);
2905 if (err < 0) {
2906 clear_bit(BTUSB_INTR_RUNNING, &data->flags);
2907 goto failed;
2908 }
2909 }
2910
2911 if (test_bit(BTUSB_BULK_RUNNING, &data->flags)) {
2912 err = btusb_submit_bulk_urb(hdev, GFP_NOIO);
2913 if (err < 0) {
2914 clear_bit(BTUSB_BULK_RUNNING, &data->flags);
2915 goto failed;
2916 }
2917
2918 btusb_submit_bulk_urb(hdev, GFP_NOIO);
2919 }
2920
2921 if (test_bit(BTUSB_ISOC_RUNNING, &data->flags)) {
2922 if (btusb_submit_isoc_urb(hdev, GFP_NOIO) < 0)
2923 clear_bit(BTUSB_ISOC_RUNNING, &data->flags);
2924 else
2925 btusb_submit_isoc_urb(hdev, GFP_NOIO);
2926 }
2927
2928 spin_lock_irq(&data->txlock);
2929 play_deferred(data);
2930 clear_bit(BTUSB_SUSPENDING, &data->flags);
2931 spin_unlock_irq(&data->txlock);
2932 schedule_work(&data->work);
2933
2934 return 0;
2935
2936 failed:
2937 usb_scuttle_anchored_urbs(&data->deferred);
2938 done:
2939 spin_lock_irq(&data->txlock);
2940 clear_bit(BTUSB_SUSPENDING, &data->flags);
2941 spin_unlock_irq(&data->txlock);
2942
2943 return err;
2944 }
2945 #endif
2946
2947 static struct usb_driver btusb_driver = {
2948 .name = "btusb",
2949 .probe = btusb_probe,
2950 .disconnect = btusb_disconnect,
2951 #ifdef CONFIG_PM
2952 .suspend = btusb_suspend,
2953 .resume = btusb_resume,
2954 #endif
2955 .id_table = btusb_table,
2956 .supports_autosuspend = 1,
2957 .disable_hub_initiated_lpm = 1,
2958 };
2959
2960 module_usb_driver(btusb_driver);
2961
2962 module_param(disable_scofix, bool, 0644);
2963 MODULE_PARM_DESC(disable_scofix, "Disable fixup of wrong SCO buffer size");
2964
2965 module_param(force_scofix, bool, 0644);
2966 MODULE_PARM_DESC(force_scofix, "Force fixup of wrong SCO buffers size");
2967
2968 module_param(reset, bool, 0644);
2969 MODULE_PARM_DESC(reset, "Send HCI reset command on initialization");
2970
2971 MODULE_AUTHOR("Marcel Holtmann <marcel@holtmann.org>");
2972 MODULE_DESCRIPTION("Generic Bluetooth USB driver ver " VERSION);
2973 MODULE_VERSION(VERSION);
2974 MODULE_LICENSE("GPL");
ubuntu-zesty-kernel mirror