]> git.ipfire.org Git - thirdparty/kernel/stable.git/blame - drivers/bluetooth/btusb.c
projects / thirdparty / kernel / stable.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Bluetooth: Add 'Already Paired' error for Pair Device command
[thirdparty/kernel/stable.git] / drivers / bluetooth / btusb.c
CommitLineData
5e23b923
MH		 1/*
2 *
3 * Generic Bluetooth USB driver
4 *
9bfa35fe 5 * Copyright (C) 2005-2008 Marcel Holtmann <marcel@holtmann.org>
5e23b923
MH		 6 *
7 *
8 * This program is free software; you can redistribute it and/or modify
9 * it under the terms of the GNU General Public License as published by
10 * the Free Software Foundation; either version 2 of the License, or
11 * (at your option) any later version.
12 *
13 * This program is distributed in the hope that it will be useful,
14 * but WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 * GNU General Public License for more details.
17 *
18 * You should have received a copy of the GNU General Public License
19 * along with this program; if not, write to the Free Software
20 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
21 *
22 */
23
5e23b923 24#include <linux/module.h>
5e23b923 25#include <linux/usb.h>
dffd30ee 26#include <linux/firmware.h>
5e23b923
MH		 27
28#include <net/bluetooth/bluetooth.h>
29#include <net/bluetooth/hci_core.h>
30
cda0dd78 31#define VERSION "0.7"
cfeb4145 32
90ab5ee9
RR		 33static bool disable_scofix;
34static bool force_scofix;
7a9d4020 35
90ab5ee9 36static bool reset = 1;
cfeb4145
MH		 37
38static struct usb_driver btusb_driver;
39
40#define BTUSB_IGNORE 0x01
7a9d4020
MH		 41#define BTUSB_DIGIANSWER 0x02
42#define BTUSB_CSR 0x04
43#define BTUSB_SNIFFER 0x08
44#define BTUSB_BCM92035 0x10
45#define BTUSB_BROKEN_ISOC 0x20
46#define BTUSB_WRONG_SCO_MTU 0x40
2d25f8b4 47#define BTUSB_ATH3012 0x80
dffd30ee 48#define BTUSB_INTEL 0x100
40df783d
MH		 49#define BTUSB_INTEL_BOOT 0x200
50#define BTUSB_BCM_PATCHRAM 0x400
ae8df494 51#define BTUSB_MARVELL 0x800
4fcef8ed 52#define BTUSB_SWAVE 0x1000
cda0dd78 53#define BTUSB_INTEL_NEW 0x2000
893ba544 54#define BTUSB_AMP 0x4000
3267c884 55#define BTUSB_QCA_ROME 0x8000
5e23b923 56
54265202 57static const struct usb_device_id btusb_table[] = {
5e23b923
MH		 58 /* Generic Bluetooth USB device */
59 { USB_DEVICE_INFO(0xe0, 0x01, 0x01) },
60
893ba544
MH		 61 /* Generic Bluetooth AMP device */
62 { USB_DEVICE_INFO(0xe0, 0x01, 0x04), .driver_info = BTUSB_AMP },
63
1fa6535f
HR		 64 /* Apple-specific (Broadcom) devices */
65 { USB_VENDOR_AND_INTERFACE_INFO(0x05ac, 0xff, 0x01, 0x01) },
66
178c059e
CYC		 67 /* MediaTek MT76x0E */
68 { USB_DEVICE(0x0e8d, 0x763f) },
69
c510eae3 70 /* Broadcom SoftSailing reporting vendor specific */
2e8b5063 71 { USB_DEVICE(0x0a5c, 0x21e1) },
c510eae3 72
3cd01976
NI		 73 /* Apple MacBookPro 7,1 */
74 { USB_DEVICE(0x05ac, 0x8213) },
75
0a79f674
CL		 76 /* Apple iMac11,1 */
77 { USB_DEVICE(0x05ac, 0x8215) },
78
9c047157
NI		 79 /* Apple MacBookPro6,2 */
80 { USB_DEVICE(0x05ac, 0x8218) },
81
3e3ede7d
EH		 82 /* Apple MacBookAir3,1, MacBookAir3,2 */
83 { USB_DEVICE(0x05ac, 0x821b) },
84
a63b723d
PAVM		 85 /* Apple MacBookAir4,1 */
86 { USB_DEVICE(0x05ac, 0x821f) },
87
88d377b6
MAP		 88 /* Apple MacBookPro8,2 */
89 { USB_DEVICE(0x05ac, 0x821a) },
90
f78b6826
JK		 91 /* Apple MacMini5,1 */
92 { USB_DEVICE(0x05ac, 0x8281) },
93
cfeb4145 94 /* AVM BlueFRITZ! USB v2.0 */
4fcef8ed 95 { USB_DEVICE(0x057c, 0x3800), .driver_info = BTUSB_SWAVE },
cfeb4145
MH		 96
97 /* Bluetooth Ultraport Module from IBM */
98 { USB_DEVICE(0x04bf, 0x030a) },
99
100 /* ALPS Modules with non-standard id */
101 { USB_DEVICE(0x044e, 0x3001) },
102 { USB_DEVICE(0x044e, 0x3002) },
103
104 /* Ericsson with non-standard id */
105 { USB_DEVICE(0x0bdb, 0x1002) },
106
107 /* Canyon CN-BTU1 with HID interfaces */
7a9d4020 108 { USB_DEVICE(0x0c10, 0x0000) },
cfeb4145 109
d13431ca 110 /* Broadcom BCM20702A0 */
0b880062
AS		 111 { USB_DEVICE(0x0489, 0xe042) },
112 { USB_DEVICE(0x04ca, 0x2003) },
1ee3ff61 113 { USB_DEVICE(0x0b05, 0x17b5) },
38a172be 114 { USB_DEVICE(0x0b05, 0x17cb) },
d13431ca 115 { USB_DEVICE(0x413c, 0x8197) },
a86c02ea
F		 116 { USB_DEVICE(0x13d3, 0x3404),
117 .driver_info = BTUSB_BCM_PATCHRAM },
d13431ca 118
d049f4e5
MH		 119 /* Broadcom BCM20702B0 (Dynex/Insignia) */
120 { USB_DEVICE(0x19ff, 0x0239), .driver_info = BTUSB_BCM_PATCHRAM },
121
98514036 122 /* Foxconn - Hon Hai */
6029ddc2
HS		 123 { USB_VENDOR_AND_INTERFACE_INFO(0x0489, 0xff, 0x01, 0x01),
124 .driver_info = BTUSB_BCM_PATCHRAM },
98514036 125
8f0c304c
MD		 126 /* Lite-On Technology - Broadcom based */
127 { USB_VENDOR_AND_INTERFACE_INFO(0x04ca, 0xff, 0x01, 0x01),
128 .driver_info = BTUSB_BCM_PATCHRAM },
129
0b880062 130 /* Broadcom devices with vendor specific id */
10d4c673
PG		 131 { USB_VENDOR_AND_INTERFACE_INFO(0x0a5c, 0xff, 0x01, 0x01),
132 .driver_info = BTUSB_BCM_PATCHRAM },
92c385f4 133
c2aef6e8 134 /* ASUSTek Computer - Broadcom based */
9a5abdaa
RD		 135 { USB_VENDOR_AND_INTERFACE_INFO(0x0b05, 0xff, 0x01, 0x01),
136 .driver_info = BTUSB_BCM_PATCHRAM },
c2aef6e8 137
5bcecf32
KB		 138 /* Belkin F8065bf - Broadcom based */
139 { USB_VENDOR_AND_INTERFACE_INFO(0x050d, 0xff, 0x01, 0x01) },
140
9113bfd8
JK		 141 /* IMC Networks - Broadcom based */
142 { USB_VENDOR_AND_INTERFACE_INFO(0x13d3, 0xff, 0x01, 0x01) },
143
40df783d 144 /* Intel Bluetooth USB Bootloader (RAM module) */
d92f2df0
MH		 145 { USB_DEVICE(0x8087, 0x0a5a),
146 .driver_info = BTUSB_INTEL_BOOT | BTUSB_BROKEN_ISOC },
40df783d 147
5e23b923
MH		 148 { } /* Terminating entry */
149};
150
151MODULE_DEVICE_TABLE(usb, btusb_table);
152
54265202 153static const struct usb_device_id blacklist_table[] = {
cfeb4145
MH		 154 /* CSR BlueCore devices */
155 { USB_DEVICE(0x0a12, 0x0001), .driver_info = BTUSB_CSR },
156
157 /* Broadcom BCM2033 without firmware */
158 { USB_DEVICE(0x0a5c, 0x2033), .driver_info = BTUSB_IGNORE },
159
be93112a 160 /* Atheros 3011 with sflash firmware */
0b880062
AS		 161 { USB_DEVICE(0x0489, 0xe027), .driver_info = BTUSB_IGNORE },
162 { USB_DEVICE(0x0489, 0xe03d), .driver_info = BTUSB_IGNORE },
2eeff0b4 163 { USB_DEVICE(0x04f2, 0xaff1), .driver_info = BTUSB_IGNORE },
0b880062 164 { USB_DEVICE(0x0930, 0x0215), .driver_info = BTUSB_IGNORE },
be93112a 165 { USB_DEVICE(0x0cf3, 0x3002), .driver_info = BTUSB_IGNORE },
6eda541d 166 { USB_DEVICE(0x0cf3, 0xe019), .driver_info = BTUSB_IGNORE },
2a7bcccc 167 { USB_DEVICE(0x13d3, 0x3304), .driver_info = BTUSB_IGNORE },
be93112a 168
509e7861
CYC		 169 /* Atheros AR9285 Malbec with sflash firmware */
170 { USB_DEVICE(0x03f0, 0x311d), .driver_info = BTUSB_IGNORE },
171
d9f51b51 172 /* Atheros 3012 with sflash firmware */
0b880062
AS		 173 { USB_DEVICE(0x0489, 0xe04d), .driver_info = BTUSB_ATH3012 },
174 { USB_DEVICE(0x0489, 0xe04e), .driver_info = BTUSB_ATH3012 },
175 { USB_DEVICE(0x0489, 0xe056), .driver_info = BTUSB_ATH3012 },
176 { USB_DEVICE(0x0489, 0xe057), .driver_info = BTUSB_ATH3012 },
177 { USB_DEVICE(0x0489, 0xe05f), .driver_info = BTUSB_ATH3012 },
4b552bc9 178 { USB_DEVICE(0x0489, 0xe078), .driver_info = BTUSB_ATH3012 },
0b880062
AS		 179 { USB_DEVICE(0x04c5, 0x1330), .driver_info = BTUSB_ATH3012 },
180 { USB_DEVICE(0x04ca, 0x3004), .driver_info = BTUSB_ATH3012 },
181 { USB_DEVICE(0x04ca, 0x3005), .driver_info = BTUSB_ATH3012 },
182 { USB_DEVICE(0x04ca, 0x3006), .driver_info = BTUSB_ATH3012 },
1fb4e09a 183 { USB_DEVICE(0x04ca, 0x3007), .driver_info = BTUSB_ATH3012 },
0b880062
AS		 184 { USB_DEVICE(0x04ca, 0x3008), .driver_info = BTUSB_ATH3012 },
185 { USB_DEVICE(0x04ca, 0x300b), .driver_info = BTUSB_ATH3012 },
134d3b35 186 { USB_DEVICE(0x04ca, 0x3010), .driver_info = BTUSB_ATH3012 },
0b880062
AS		 187 { USB_DEVICE(0x0930, 0x0219), .driver_info = BTUSB_ATH3012 },
188 { USB_DEVICE(0x0930, 0x0220), .driver_info = BTUSB_ATH3012 },
89d2975f 189 { USB_DEVICE(0x0930, 0x0227), .driver_info = BTUSB_ATH3012 },
a735f9e2 190 { USB_DEVICE(0x0b05, 0x17d0), .driver_info = BTUSB_ATH3012 },
d66629c1 191 { USB_DEVICE(0x0cf3, 0x0036), .driver_info = BTUSB_ATH3012 },
2d25f8b4 192 { USB_DEVICE(0x0cf3, 0x3004), .driver_info = BTUSB_ATH3012 },
94a32d10 193 { USB_DEVICE(0x0cf3, 0x3008), .driver_info = BTUSB_ATH3012 },
07c0ea87 194 { USB_DEVICE(0x0cf3, 0x311d), .driver_info = BTUSB_ATH3012 },
b131237c 195 { USB_DEVICE(0x0cf3, 0x311e), .driver_info = BTUSB_ATH3012 },
1e56f1eb 196 { USB_DEVICE(0x0cf3, 0x311f), .driver_info = BTUSB_ATH3012 },
0b880062 197 { USB_DEVICE(0x0cf3, 0x3121), .driver_info = BTUSB_ATH3012 },
ebaf5795 198 { USB_DEVICE(0x0cf3, 0x817a), .driver_info = BTUSB_ATH3012 },
0b880062 199 { USB_DEVICE(0x0cf3, 0xe003), .driver_info = BTUSB_ATH3012 },
ac71311e 200 { USB_DEVICE(0x0cf3, 0xe004), .driver_info = BTUSB_ATH3012 },
0a3658cc 201 { USB_DEVICE(0x0cf3, 0xe005), .driver_info = BTUSB_ATH3012 },
0b880062
AS		 202 { USB_DEVICE(0x13d3, 0x3362), .driver_info = BTUSB_ATH3012 },
203 { USB_DEVICE(0x13d3, 0x3375), .driver_info = BTUSB_ATH3012 },
eed307e2 204 { USB_DEVICE(0x13d3, 0x3393), .driver_info = BTUSB_ATH3012 },
5b77a1f3 205 { USB_DEVICE(0x13d3, 0x3402), .driver_info = BTUSB_ATH3012 },
3bb30a7c 206 { USB_DEVICE(0x13d3, 0x3408), .driver_info = BTUSB_ATH3012 },
033efa92 207 { USB_DEVICE(0x13d3, 0x3423), .driver_info = BTUSB_ATH3012 },
fa2f1394 208 { USB_DEVICE(0x13d3, 0x3432), .driver_info = BTUSB_ATH3012 },
d9f51b51 209
e9036e33
CYC		 210 /* Atheros AR5BBU12 with sflash firmware */
211 { USB_DEVICE(0x0489, 0xe02c), .driver_info = BTUSB_IGNORE },
212
85d59726 213 /* Atheros AR5BBU12 with sflash firmware */
bc21fde2 214 { USB_DEVICE(0x0489, 0xe036), .driver_info = BTUSB_ATH3012 },
0b880062 215 { USB_DEVICE(0x0489, 0xe03c), .driver_info = BTUSB_ATH3012 },
85d59726 216
3267c884
KBYT		 217 /* QCA ROME chipset */
218 { USB_DEVICE(0x0cf3, 0xe300), .driver_info = BTUSB_QCA_ROME},
219 { USB_DEVICE(0x0cf3, 0xe360), .driver_info = BTUSB_QCA_ROME},
220
cfeb4145 221 /* Broadcom BCM2035 */
7a9d4020 222 { USB_DEVICE(0x0a5c, 0x2009), .driver_info = BTUSB_BCM92035 },
0b880062
AS		 223 { USB_DEVICE(0x0a5c, 0x200a), .driver_info = BTUSB_WRONG_SCO_MTU },
224 { USB_DEVICE(0x0a5c, 0x2035), .driver_info = BTUSB_WRONG_SCO_MTU },
cfeb4145
MH		 225
226 /* Broadcom BCM2045 */
7a9d4020
MH		 227 { USB_DEVICE(0x0a5c, 0x2039), .driver_info = BTUSB_WRONG_SCO_MTU },
228 { USB_DEVICE(0x0a5c, 0x2101), .driver_info = BTUSB_WRONG_SCO_MTU },
bdbef3d6 229
cfeb4145 230 /* IBM/Lenovo ThinkPad with Broadcom chip */
7a9d4020
MH		 231 { USB_DEVICE(0x0a5c, 0x201e), .driver_info = BTUSB_WRONG_SCO_MTU },
232 { USB_DEVICE(0x0a5c, 0x2110), .driver_info = BTUSB_WRONG_SCO_MTU },
cfeb4145
MH		 233
234 /* HP laptop with Broadcom chip */
7a9d4020 235 { USB_DEVICE(0x03f0, 0x171d), .driver_info = BTUSB_WRONG_SCO_MTU },
cfeb4145
MH		 236
237 /* Dell laptop with Broadcom chip */
7a9d4020 238 { USB_DEVICE(0x413c, 0x8126), .driver_info = BTUSB_WRONG_SCO_MTU },
cfeb4145 239
5ddd4a60 240 /* Dell Wireless 370 and 410 devices */
7a9d4020 241 { USB_DEVICE(0x413c, 0x8152), .driver_info = BTUSB_WRONG_SCO_MTU },
5ddd4a60 242 { USB_DEVICE(0x413c, 0x8156), .driver_info = BTUSB_WRONG_SCO_MTU },
cfeb4145 243
7a9d4020
MH		 244 /* Belkin F8T012 and F8T013 devices */
245 { USB_DEVICE(0x050d, 0x0012), .driver_info = BTUSB_WRONG_SCO_MTU },
246 { USB_DEVICE(0x050d, 0x0013), .driver_info = BTUSB_WRONG_SCO_MTU },
cfeb4145 247
5ddd4a60
MH		 248 /* Asus WL-BTD202 device */
249 { USB_DEVICE(0x0b05, 0x1715), .driver_info = BTUSB_WRONG_SCO_MTU },
250
251 /* Kensington Bluetooth USB adapter */
252 { USB_DEVICE(0x047d, 0x105e), .driver_info = BTUSB_WRONG_SCO_MTU },
253
cfeb4145
MH		 254 /* RTX Telecom based adapters with buggy SCO support */
255 { USB_DEVICE(0x0400, 0x0807), .driver_info = BTUSB_BROKEN_ISOC },
256 { USB_DEVICE(0x0400, 0x080a), .driver_info = BTUSB_BROKEN_ISOC },
257
258 /* CONWISE Technology based adapters with buggy SCO support */
259 { USB_DEVICE(0x0e5e, 0x6622), .driver_info = BTUSB_BROKEN_ISOC },
260
4fcef8ed
MH		 261 /* Roper Class 1 Bluetooth Dongle (Silicon Wave based) */
262 { USB_DEVICE(0x1300, 0x0001), .driver_info = BTUSB_SWAVE },
263
cfeb4145
MH		 264 /* Digianswer devices */
265 { USB_DEVICE(0x08fd, 0x0001), .driver_info = BTUSB_DIGIANSWER },
266 { USB_DEVICE(0x08fd, 0x0002), .driver_info = BTUSB_IGNORE },
267
268 /* CSR BlueCore Bluetooth Sniffer */
4f64fa80
MH		 269 { USB_DEVICE(0x0a12, 0x0002),
270 .driver_info = BTUSB_SNIFFER | BTUSB_BROKEN_ISOC },
cfeb4145
MH		 271
272 /* Frontline ComProbe Bluetooth Sniffer */
4f64fa80
MH		 273 { USB_DEVICE(0x16d3, 0x0002),
274 .driver_info = BTUSB_SNIFFER | BTUSB_BROKEN_ISOC },
cfeb4145 275
cb1ee89f
MH		 276 /* Marvell Bluetooth devices */
277 { USB_DEVICE(0x1286, 0x2044), .driver_info = BTUSB_MARVELL },
278 { USB_DEVICE(0x1286, 0x2046), .driver_info = BTUSB_MARVELL },
279
d0ac9eb7 280 /* Intel Bluetooth devices */
dffd30ee 281 { USB_DEVICE(0x8087, 0x07dc), .driver_info = BTUSB_INTEL },
ef4e5e4a 282 { USB_DEVICE(0x8087, 0x0a2a), .driver_info = BTUSB_INTEL },
cda0dd78 283 { USB_DEVICE(0x8087, 0x0a2b), .driver_info = BTUSB_INTEL_NEW },
dffd30ee 284
d0ac9eb7
MH		 285 /* Other Intel Bluetooth devices */
286 { USB_VENDOR_AND_INTERFACE_INFO(0x8087, 0xe0, 0x01, 0x01),
287 .driver_info = BTUSB_IGNORE },
ae8df494 288
5e23b923
MH		 289 { } /* Terminating entry */
290};
291
9bfa35fe
MH		 292#define BTUSB_MAX_ISOC_FRAMES 10
293
5e23b923
MH		 294#define BTUSB_INTR_RUNNING 0
295#define BTUSB_BULK_RUNNING 1
9bfa35fe 296#define BTUSB_ISOC_RUNNING 2
7bee549e 297#define BTUSB_SUSPENDING 3
08b8b6c4 298#define BTUSB_DID_ISO_RESUME 4
cda0dd78
MH		 299#define BTUSB_BOOTLOADER 5
300#define BTUSB_DOWNLOADING 6
ce6bb929 301#define BTUSB_FIRMWARE_LOADED 7
cda0dd78 302#define BTUSB_FIRMWARE_FAILED 8
ce6bb929 303#define BTUSB_BOOTING 9
5e23b923
MH		 304
305struct btusb_data {
306 struct hci_dev *hdev;
307 struct usb_device *udev;
5fbcd260 308 struct usb_interface *intf;
9bfa35fe 309 struct usb_interface *isoc;
5e23b923 310
5e23b923
MH		 311 unsigned long flags;
312
313 struct work_struct work;
7bee549e 314 struct work_struct waker;
5e23b923 315
803b5836 316 struct usb_anchor deferred;
5e23b923 317 struct usb_anchor tx_anchor;
803b5836
MH		 318 int tx_in_flight;
319 spinlock_t txlock;
320
5e23b923
MH		 321 struct usb_anchor intr_anchor;
322 struct usb_anchor bulk_anchor;
9bfa35fe 323 struct usb_anchor isoc_anchor;
803b5836
MH		 324 spinlock_t rxlock;
325
326 struct sk_buff *evt_skb;
327 struct sk_buff *acl_skb;
328 struct sk_buff *sco_skb;
5e23b923
MH		 329
330 struct usb_endpoint_descriptor *intr_ep;
331 struct usb_endpoint_descriptor *bulk_tx_ep;
332 struct usb_endpoint_descriptor *bulk_rx_ep;
9bfa35fe
MH		 333 struct usb_endpoint_descriptor *isoc_tx_ep;
334 struct usb_endpoint_descriptor *isoc_rx_ep;
335
7a9d4020 336 __u8 cmdreq_type;
893ba544 337 __u8 cmdreq;
7a9d4020 338
43c2e57f 339 unsigned int sco_num;
9bfa35fe 340 int isoc_altsetting;
6a88adf2 341 int suspend_count;
2cbd3f5c 342
97307f51 343 int (*recv_event)(struct hci_dev *hdev, struct sk_buff *skb);
2cbd3f5c 344 int (*recv_bulk)(struct btusb_data *data, void *buffer, int count);
ace31982
KBYT		 345
346 int (*setup_on_usb)(struct hci_dev *hdev);
5e23b923
MH		 347};
348
803b5836
MH		 349static inline void btusb_free_frags(struct btusb_data *data)
350{
351 unsigned long flags;
352
353 spin_lock_irqsave(&data->rxlock, flags);
354
355 kfree_skb(data->evt_skb);
356 data->evt_skb = NULL;
357
358 kfree_skb(data->acl_skb);
359 data->acl_skb = NULL;
360
361 kfree_skb(data->sco_skb);
362 data->sco_skb = NULL;
363
364 spin_unlock_irqrestore(&data->rxlock, flags);
365}
366
1ffa4ad0
MH		 367static int btusb_recv_intr(struct btusb_data *data, void *buffer, int count)
368{
803b5836
MH		 369 struct sk_buff *skb;
370 int err = 0;
371
372 spin_lock(&data->rxlock);
373 skb = data->evt_skb;
374
375 while (count) {
376 int len;
377
378 if (!skb) {
379 skb = bt_skb_alloc(HCI_MAX_EVENT_SIZE, GFP_ATOMIC);
380 if (!skb) {
381 err = -ENOMEM;
382 break;
383 }
384
385 bt_cb(skb)->pkt_type = HCI_EVENT_PKT;
386 bt_cb(skb)->expect = HCI_EVENT_HDR_SIZE;
387 }
388
389 len = min_t(uint, bt_cb(skb)->expect, count);
390 memcpy(skb_put(skb, len), buffer, len);
391
392 count -= len;
393 buffer += len;
394 bt_cb(skb)->expect -= len;
395
396 if (skb->len == HCI_EVENT_HDR_SIZE) {
397 /* Complete event header */
398 bt_cb(skb)->expect = hci_event_hdr(skb)->plen;
399
400 if (skb_tailroom(skb) < bt_cb(skb)->expect) {
401 kfree_skb(skb);
402 skb = NULL;
403
404 err = -EILSEQ;
405 break;
406 }
407 }
408
409 if (bt_cb(skb)->expect == 0) {
410 /* Complete frame */
97307f51 411 data->recv_event(data->hdev, skb);
803b5836
MH		 412 skb = NULL;
413 }
414 }
415
416 data->evt_skb = skb;
417 spin_unlock(&data->rxlock);
418
419 return err;
1ffa4ad0
MH		 420}
421
422static int btusb_recv_bulk(struct btusb_data *data, void *buffer, int count)
423{
803b5836
MH		 424 struct sk_buff *skb;
425 int err = 0;
426
427 spin_lock(&data->rxlock);
428 skb = data->acl_skb;
429
430 while (count) {
431 int len;
432
433 if (!skb) {
434 skb = bt_skb_alloc(HCI_MAX_FRAME_SIZE, GFP_ATOMIC);
435 if (!skb) {
436 err = -ENOMEM;
437 break;
438 }
439
440 bt_cb(skb)->pkt_type = HCI_ACLDATA_PKT;
441 bt_cb(skb)->expect = HCI_ACL_HDR_SIZE;
442 }
443
444 len = min_t(uint, bt_cb(skb)->expect, count);
445 memcpy(skb_put(skb, len), buffer, len);
446
447 count -= len;
448 buffer += len;
449 bt_cb(skb)->expect -= len;
450
451 if (skb->len == HCI_ACL_HDR_SIZE) {
452 __le16 dlen = hci_acl_hdr(skb)->dlen;
453
454 /* Complete ACL header */
455 bt_cb(skb)->expect = __le16_to_cpu(dlen);
456
457 if (skb_tailroom(skb) < bt_cb(skb)->expect) {
458 kfree_skb(skb);
459 skb = NULL;
460
461 err = -EILSEQ;
462 break;
463 }
464 }
465
466 if (bt_cb(skb)->expect == 0) {
467 /* Complete frame */
468 hci_recv_frame(data->hdev, skb);
469 skb = NULL;
470 }
471 }
472
473 data->acl_skb = skb;
474 spin_unlock(&data->rxlock);
475
476 return err;
1ffa4ad0
MH		 477}
478
479static int btusb_recv_isoc(struct btusb_data *data, void *buffer, int count)
480{
803b5836
MH		 481 struct sk_buff *skb;
482 int err = 0;
483
484 spin_lock(&data->rxlock);
485 skb = data->sco_skb;
486
487 while (count) {
488 int len;
489
490 if (!skb) {
491 skb = bt_skb_alloc(HCI_MAX_SCO_SIZE, GFP_ATOMIC);
492 if (!skb) {
493 err = -ENOMEM;
494 break;
495 }
496
497 bt_cb(skb)->pkt_type = HCI_SCODATA_PKT;
498 bt_cb(skb)->expect = HCI_SCO_HDR_SIZE;
499 }
500
501 len = min_t(uint, bt_cb(skb)->expect, count);
502 memcpy(skb_put(skb, len), buffer, len);
503
504 count -= len;
505 buffer += len;
506 bt_cb(skb)->expect -= len;
507
508 if (skb->len == HCI_SCO_HDR_SIZE) {
509 /* Complete SCO header */
510 bt_cb(skb)->expect = hci_sco_hdr(skb)->dlen;
511
512 if (skb_tailroom(skb) < bt_cb(skb)->expect) {
513 kfree_skb(skb);
514 skb = NULL;
515
516 err = -EILSEQ;
517 break;
518 }
519 }
520
521 if (bt_cb(skb)->expect == 0) {
522 /* Complete frame */
523 hci_recv_frame(data->hdev, skb);
524 skb = NULL;
525 }
526 }
527
528 data->sco_skb = skb;
529 spin_unlock(&data->rxlock);
530
531 return err;
1ffa4ad0
MH		 532}
533
5e23b923
MH		 534static void btusb_intr_complete(struct urb *urb)
535{
536 struct hci_dev *hdev = urb->context;
155961e8 537 struct btusb_data *data = hci_get_drvdata(hdev);
5e23b923
MH		 538 int err;
539
89e7533d
MH		 540 BT_DBG("%s urb %p status %d count %d", hdev->name, urb, urb->status,
541 urb->actual_length);
5e23b923
MH		 542
543 if (!test_bit(HCI_RUNNING, &hdev->flags))
544 return;
545
546 if (urb->status == 0) {
9bfa35fe
MH		 547 hdev->stat.byte_rx += urb->actual_length;
548
1ffa4ad0
MH		 549 if (btusb_recv_intr(data, urb->transfer_buffer,
550 urb->actual_length) < 0) {
5e23b923
MH		 551 BT_ERR("%s corrupted event packet", hdev->name);
552 hdev->stat.err_rx++;
553 }
85560c4a
CC		 554 } else if (urb->status == -ENOENT) {
555 /* Avoid suspend failed when usb_kill_urb */
556 return;
5e23b923
MH		 557 }
558
559 if (!test_bit(BTUSB_INTR_RUNNING, &data->flags))
560 return;
561
7bee549e 562 usb_mark_last_busy(data->udev);
5e23b923
MH		 563 usb_anchor_urb(urb, &data->intr_anchor);
564
565 err = usb_submit_urb(urb, GFP_ATOMIC);
566 if (err < 0) {
4935f1c1
PB		 567 /* -EPERM: urb is being killed;
568 * -ENODEV: device got disconnected */
569 if (err != -EPERM && err != -ENODEV)
61faddf6 570 BT_ERR("%s urb %p failed to resubmit (%d)",
89e7533d 571 hdev->name, urb, -err);
5e23b923
MH		 572 usb_unanchor_urb(urb);
573 }
574}
575
2eda66f4 576static int btusb_submit_intr_urb(struct hci_dev *hdev, gfp_t mem_flags)
5e23b923 577{
155961e8 578 struct btusb_data *data = hci_get_drvdata(hdev);
5e23b923
MH		 579 struct urb *urb;
580 unsigned char *buf;
581 unsigned int pipe;
582 int err, size;
583
584 BT_DBG("%s", hdev->name);
585
9bfa35fe
MH		 586 if (!data->intr_ep)
587 return -ENODEV;
588
2eda66f4 589 urb = usb_alloc_urb(0, mem_flags);
5e23b923
MH		 590 if (!urb)
591 return -ENOMEM;
592
593 size = le16_to_cpu(data->intr_ep->wMaxPacketSize);
594
2eda66f4 595 buf = kmalloc(size, mem_flags);
5e23b923
MH		 596 if (!buf) {
597 usb_free_urb(urb);
598 return -ENOMEM;
599 }
600
601 pipe = usb_rcvintpipe(data->udev, data->intr_ep->bEndpointAddress);
602
603 usb_fill_int_urb(urb, data->udev, pipe, buf, size,
89e7533d 604 btusb_intr_complete, hdev, data->intr_ep->bInterval);
5e23b923
MH		 605
606 urb->transfer_flags |= URB_FREE_BUFFER;
607
608 usb_anchor_urb(urb, &data->intr_anchor);
609
2eda66f4 610 err = usb_submit_urb(urb, mem_flags);
5e23b923 611 if (err < 0) {
d4b8d1c9
PB		 612 if (err != -EPERM && err != -ENODEV)
613 BT_ERR("%s urb %p submission failed (%d)",
89e7533d 614 hdev->name, urb, -err);
5e23b923 615 usb_unanchor_urb(urb);
5e23b923
MH		 616 }
617
618 usb_free_urb(urb);
619
620 return err;
621}
622
623static void btusb_bulk_complete(struct urb *urb)
624{
625 struct hci_dev *hdev = urb->context;
155961e8 626 struct btusb_data *data = hci_get_drvdata(hdev);
5e23b923
MH		 627 int err;
628
89e7533d
MH		 629 BT_DBG("%s urb %p status %d count %d", hdev->name, urb, urb->status,
630 urb->actual_length);
5e23b923
MH		 631
632 if (!test_bit(HCI_RUNNING, &hdev->flags))
633 return;
634
635 if (urb->status == 0) {
9bfa35fe
MH		 636 hdev->stat.byte_rx += urb->actual_length;
637
2cbd3f5c 638 if (data->recv_bulk(data, urb->transfer_buffer,
1ffa4ad0 639 urb->actual_length) < 0) {
5e23b923
MH		 640 BT_ERR("%s corrupted ACL packet", hdev->name);
641 hdev->stat.err_rx++;
642 }
85560c4a
CC		 643 } else if (urb->status == -ENOENT) {
644 /* Avoid suspend failed when usb_kill_urb */
645 return;
5e23b923
MH		 646 }
647
648 if (!test_bit(BTUSB_BULK_RUNNING, &data->flags))
649 return;
650
651 usb_anchor_urb(urb, &data->bulk_anchor);
652fd781 652 usb_mark_last_busy(data->udev);
5e23b923
MH		 653
654 err = usb_submit_urb(urb, GFP_ATOMIC);
655 if (err < 0) {
4935f1c1
PB		 656 /* -EPERM: urb is being killed;
657 * -ENODEV: device got disconnected */
658 if (err != -EPERM && err != -ENODEV)
61faddf6 659 BT_ERR("%s urb %p failed to resubmit (%d)",
89e7533d 660 hdev->name, urb, -err);
5e23b923
MH		 661 usb_unanchor_urb(urb);
662 }
663}
664
2eda66f4 665static int btusb_submit_bulk_urb(struct hci_dev *hdev, gfp_t mem_flags)
5e23b923 666{
155961e8 667 struct btusb_data *data = hci_get_drvdata(hdev);
5e23b923
MH		 668 struct urb *urb;
669 unsigned char *buf;
670 unsigned int pipe;
290ba200 671 int err, size = HCI_MAX_FRAME_SIZE;
5e23b923
MH		 672
673 BT_DBG("%s", hdev->name);
674
9bfa35fe
MH		 675 if (!data->bulk_rx_ep)
676 return -ENODEV;
677
2eda66f4 678 urb = usb_alloc_urb(0, mem_flags);
5e23b923
MH		 679 if (!urb)
680 return -ENOMEM;
681
2eda66f4 682 buf = kmalloc(size, mem_flags);
5e23b923
MH		 683 if (!buf) {
684 usb_free_urb(urb);
685 return -ENOMEM;
686 }
687
688 pipe = usb_rcvbulkpipe(data->udev, data->bulk_rx_ep->bEndpointAddress);
689
89e7533d
MH		 690 usb_fill_bulk_urb(urb, data->udev, pipe, buf, size,
691 btusb_bulk_complete, hdev);
5e23b923
MH		 692
693 urb->transfer_flags |= URB_FREE_BUFFER;
694
7bee549e 695 usb_mark_last_busy(data->udev);
5e23b923
MH		 696 usb_anchor_urb(urb, &data->bulk_anchor);
697
2eda66f4 698 err = usb_submit_urb(urb, mem_flags);
5e23b923 699 if (err < 0) {
d4b8d1c9
PB		 700 if (err != -EPERM && err != -ENODEV)
701 BT_ERR("%s urb %p submission failed (%d)",
89e7533d 702 hdev->name, urb, -err);
5e23b923 703 usb_unanchor_urb(urb);
5e23b923
MH		 704 }
705
706 usb_free_urb(urb);
707
708 return err;
709}
710
9bfa35fe
MH		 711static void btusb_isoc_complete(struct urb *urb)
712{
713 struct hci_dev *hdev = urb->context;
155961e8 714 struct btusb_data *data = hci_get_drvdata(hdev);
9bfa35fe
MH		 715 int i, err;
716
89e7533d
MH		 717 BT_DBG("%s urb %p status %d count %d", hdev->name, urb, urb->status,
718 urb->actual_length);
9bfa35fe
MH		 719
720 if (!test_bit(HCI_RUNNING, &hdev->flags))
721 return;
722
723 if (urb->status == 0) {
724 for (i = 0; i < urb->number_of_packets; i++) {
725 unsigned int offset = urb->iso_frame_desc[i].offset;
726 unsigned int length = urb->iso_frame_desc[i].actual_length;
727
728 if (urb->iso_frame_desc[i].status)
729 continue;
730
731 hdev->stat.byte_rx += length;
732
1ffa4ad0
MH		 733 if (btusb_recv_isoc(data, urb->transfer_buffer + offset,
734 length) < 0) {
9bfa35fe
MH		 735 BT_ERR("%s corrupted SCO packet", hdev->name);
736 hdev->stat.err_rx++;
737 }
738 }
85560c4a
CC		 739 } else if (urb->status == -ENOENT) {
740 /* Avoid suspend failed when usb_kill_urb */
741 return;
9bfa35fe
MH		 742 }
743
744 if (!test_bit(BTUSB_ISOC_RUNNING, &data->flags))
745 return;
746
747 usb_anchor_urb(urb, &data->isoc_anchor);
748
749 err = usb_submit_urb(urb, GFP_ATOMIC);
750 if (err < 0) {
4935f1c1
PB		 751 /* -EPERM: urb is being killed;
752 * -ENODEV: device got disconnected */
753 if (err != -EPERM && err != -ENODEV)
61faddf6 754 BT_ERR("%s urb %p failed to resubmit (%d)",
89e7533d 755 hdev->name, urb, -err);
9bfa35fe
MH		 756 usb_unanchor_urb(urb);
757 }
758}
759
42b16b3f 760static inline void __fill_isoc_descriptor(struct urb *urb, int len, int mtu)
9bfa35fe
MH		 761{
762 int i, offset = 0;
763
764 BT_DBG("len %d mtu %d", len, mtu);
765
766 for (i = 0; i < BTUSB_MAX_ISOC_FRAMES && len >= mtu;
767 i++, offset += mtu, len -= mtu) {
768 urb->iso_frame_desc[i].offset = offset;
769 urb->iso_frame_desc[i].length = mtu;
770 }
771
772 if (len && i < BTUSB_MAX_ISOC_FRAMES) {
773 urb->iso_frame_desc[i].offset = offset;
774 urb->iso_frame_desc[i].length = len;
775 i++;
776 }
777
778 urb->number_of_packets = i;
779}
780
2eda66f4 781static int btusb_submit_isoc_urb(struct hci_dev *hdev, gfp_t mem_flags)
9bfa35fe 782{
155961e8 783 struct btusb_data *data = hci_get_drvdata(hdev);
9bfa35fe
MH		 784 struct urb *urb;
785 unsigned char *buf;
786 unsigned int pipe;
787 int err, size;
788
789 BT_DBG("%s", hdev->name);
790
791 if (!data->isoc_rx_ep)
792 return -ENODEV;
793
2eda66f4 794 urb = usb_alloc_urb(BTUSB_MAX_ISOC_FRAMES, mem_flags);
9bfa35fe
MH		 795 if (!urb)
796 return -ENOMEM;
797
798 size = le16_to_cpu(data->isoc_rx_ep->wMaxPacketSize) *
799 BTUSB_MAX_ISOC_FRAMES;
800
2eda66f4 801 buf = kmalloc(size, mem_flags);
9bfa35fe
MH		 802 if (!buf) {
803 usb_free_urb(urb);
804 return -ENOMEM;
805 }
806
807 pipe = usb_rcvisocpipe(data->udev, data->isoc_rx_ep->bEndpointAddress);
808
fa0fb93f 809 usb_fill_int_urb(urb, data->udev, pipe, buf, size, btusb_isoc_complete,
89e7533d 810 hdev, data->isoc_rx_ep->bInterval);
9bfa35fe 811
89e7533d 812 urb->transfer_flags = URB_FREE_BUFFER | URB_ISO_ASAP;
9bfa35fe
MH		 813
814 __fill_isoc_descriptor(urb, size,
89e7533d 815 le16_to_cpu(data->isoc_rx_ep->wMaxPacketSize));
9bfa35fe
MH		 816
817 usb_anchor_urb(urb, &data->isoc_anchor);
818
2eda66f4 819 err = usb_submit_urb(urb, mem_flags);
9bfa35fe 820 if (err < 0) {
d4b8d1c9
PB		 821 if (err != -EPERM && err != -ENODEV)
822 BT_ERR("%s urb %p submission failed (%d)",
89e7533d 823 hdev->name, urb, -err);
9bfa35fe 824 usb_unanchor_urb(urb);
9bfa35fe
MH		 825 }
826
827 usb_free_urb(urb);
828
829 return err;
830}
831
5e23b923 832static void btusb_tx_complete(struct urb *urb)
7bee549e
ON		 833{
834 struct sk_buff *skb = urb->context;
89e7533d 835 struct hci_dev *hdev = (struct hci_dev *)skb->dev;
155961e8 836 struct btusb_data *data = hci_get_drvdata(hdev);
7bee549e 837
89e7533d
MH		 838 BT_DBG("%s urb %p status %d count %d", hdev->name, urb, urb->status,
839 urb->actual_length);
7bee549e
ON		 840
841 if (!test_bit(HCI_RUNNING, &hdev->flags))
842 goto done;
843
844 if (!urb->status)
845 hdev->stat.byte_tx += urb->transfer_buffer_length;
846 else
847 hdev->stat.err_tx++;
848
849done:
850 spin_lock(&data->txlock);
851 data->tx_in_flight--;
852 spin_unlock(&data->txlock);
853
854 kfree(urb->setup_packet);
855
856 kfree_skb(skb);
857}
858
859static void btusb_isoc_tx_complete(struct urb *urb)
5e23b923
MH		 860{
861 struct sk_buff *skb = urb->context;
89e7533d 862 struct hci_dev *hdev = (struct hci_dev *)skb->dev;
5e23b923 863
89e7533d
MH		 864 BT_DBG("%s urb %p status %d count %d", hdev->name, urb, urb->status,
865 urb->actual_length);
5e23b923
MH		 866
867 if (!test_bit(HCI_RUNNING, &hdev->flags))
868 goto done;
869
870 if (!urb->status)
871 hdev->stat.byte_tx += urb->transfer_buffer_length;
872 else
873 hdev->stat.err_tx++;
874
875done:
876 kfree(urb->setup_packet);
877
878 kfree_skb(skb);
879}
880
881static int btusb_open(struct hci_dev *hdev)
882{
155961e8 883 struct btusb_data *data = hci_get_drvdata(hdev);
5e23b923
MH		 884 int err;
885
886 BT_DBG("%s", hdev->name);
887
ace31982
KBYT		 888 /* Patching USB firmware files prior to starting any URBs of HCI path
889 * It is more safe to use USB bulk channel for downloading USB patch
890 */
891 if (data->setup_on_usb) {
892 err = data->setup_on_usb(hdev);
893 if (err <0)
894 return err;
895 }
896
7bee549e
ON		 897 err = usb_autopm_get_interface(data->intf);
898 if (err < 0)
899 return err;
900
901 data->intf->needs_remote_wakeup = 1;
902
5e23b923 903 if (test_and_set_bit(HCI_RUNNING, &hdev->flags))
7bee549e 904 goto done;
5e23b923
MH		 905
906 if (test_and_set_bit(BTUSB_INTR_RUNNING, &data->flags))
7bee549e 907 goto done;
5e23b923 908
2eda66f4 909 err = btusb_submit_intr_urb(hdev, GFP_KERNEL);
43c2e57f
MH		 910 if (err < 0)
911 goto failed;
912
913 err = btusb_submit_bulk_urb(hdev, GFP_KERNEL);
5e23b923 914 if (err < 0) {
43c2e57f
MH		 915 usb_kill_anchored_urbs(&data->intr_anchor);
916 goto failed;
5e23b923
MH		 917 }
918
43c2e57f
MH		 919 set_bit(BTUSB_BULK_RUNNING, &data->flags);
920 btusb_submit_bulk_urb(hdev, GFP_KERNEL);
921
7bee549e
ON		 922done:
923 usb_autopm_put_interface(data->intf);
43c2e57f
MH		 924 return 0;
925
926failed:
927 clear_bit(BTUSB_INTR_RUNNING, &data->flags);
928 clear_bit(HCI_RUNNING, &hdev->flags);
7bee549e 929 usb_autopm_put_interface(data->intf);
5e23b923
MH		 930 return err;
931}
932
7bee549e
ON		 933static void btusb_stop_traffic(struct btusb_data *data)
934{
935 usb_kill_anchored_urbs(&data->intr_anchor);
936 usb_kill_anchored_urbs(&data->bulk_anchor);
937 usb_kill_anchored_urbs(&data->isoc_anchor);
938}
939
5e23b923
MH		 940static int btusb_close(struct hci_dev *hdev)
941{
155961e8 942 struct btusb_data *data = hci_get_drvdata(hdev);
7bee549e 943 int err;
5e23b923
MH		 944
945 BT_DBG("%s", hdev->name);
946
947 if (!test_and_clear_bit(HCI_RUNNING, &hdev->flags))
948 return 0;
949
e8c3c3d2 950 cancel_work_sync(&data->work);
404291ac 951 cancel_work_sync(&data->waker);
e8c3c3d2 952
9bfa35fe 953 clear_bit(BTUSB_ISOC_RUNNING, &data->flags);
5e23b923 954 clear_bit(BTUSB_BULK_RUNNING, &data->flags);
5e23b923 955 clear_bit(BTUSB_INTR_RUNNING, &data->flags);
7bee549e
ON		 956
957 btusb_stop_traffic(data);
803b5836
MH		 958 btusb_free_frags(data);
959
7bee549e
ON		 960 err = usb_autopm_get_interface(data->intf);
961 if (err < 0)
7b8e2c1d 962 goto failed;
7bee549e
ON		 963
964 data->intf->needs_remote_wakeup = 0;
965 usb_autopm_put_interface(data->intf);
5e23b923 966
7b8e2c1d
ON		 967failed:
968 usb_scuttle_anchored_urbs(&data->deferred);
5e23b923
MH		 969 return 0;
970}
971
972static int btusb_flush(struct hci_dev *hdev)
973{
155961e8 974 struct btusb_data *data = hci_get_drvdata(hdev);
5e23b923
MH		 975
976 BT_DBG("%s", hdev->name);
977
978 usb_kill_anchored_urbs(&data->tx_anchor);
803b5836 979 btusb_free_frags(data);
5e23b923
MH		 980
981 return 0;
982}
983
047b2ec8 984static struct urb *alloc_ctrl_urb(struct hci_dev *hdev, struct sk_buff *skb)
5e23b923 985{
155961e8 986 struct btusb_data *data = hci_get_drvdata(hdev);
5e23b923
MH		 987 struct usb_ctrlrequest *dr;
988 struct urb *urb;
989 unsigned int pipe;
5e23b923 990
047b2ec8
MH		 991 urb = usb_alloc_urb(0, GFP_KERNEL);
992 if (!urb)
993 return ERR_PTR(-ENOMEM);
5e23b923 994
047b2ec8
MH		 995 dr = kmalloc(sizeof(*dr), GFP_KERNEL);
996 if (!dr) {
997 usb_free_urb(urb);
998 return ERR_PTR(-ENOMEM);
999 }
5e23b923 1000
047b2ec8 1001 dr->bRequestType = data->cmdreq_type;
893ba544 1002 dr->bRequest = data->cmdreq;
047b2ec8
MH		 1003 dr->wIndex = 0;
1004 dr->wValue = 0;
1005 dr->wLength = __cpu_to_le16(skb->len);
7bd8f09f 1006
047b2ec8 1007 pipe = usb_sndctrlpipe(data->udev, 0x00);
5e23b923 1008
89e7533d 1009 usb_fill_control_urb(urb, data->udev, pipe, (void *)dr,
047b2ec8 1010 skb->data, skb->len, btusb_tx_complete, skb);
5e23b923 1011
89e7533d 1012 skb->dev = (void *)hdev;
5e23b923 1013
047b2ec8
MH		 1014 return urb;
1015}
5e23b923 1016
047b2ec8
MH		 1017static struct urb *alloc_bulk_urb(struct hci_dev *hdev, struct sk_buff *skb)
1018{
1019 struct btusb_data *data = hci_get_drvdata(hdev);
1020 struct urb *urb;
1021 unsigned int pipe;
5e23b923 1022
047b2ec8
MH		 1023 if (!data->bulk_tx_ep)
1024 return ERR_PTR(-ENODEV);
9bfa35fe 1025
047b2ec8
MH		 1026 urb = usb_alloc_urb(0, GFP_KERNEL);
1027 if (!urb)
1028 return ERR_PTR(-ENOMEM);
5e23b923 1029
047b2ec8 1030 pipe = usb_sndbulkpipe(data->udev, data->bulk_tx_ep->bEndpointAddress);
5e23b923 1031
047b2ec8
MH		 1032 usb_fill_bulk_urb(urb, data->udev, pipe,
1033 skb->data, skb->len, btusb_tx_complete, skb);
5e23b923 1034
89e7533d 1035 skb->dev = (void *)hdev;
5e23b923 1036
047b2ec8
MH		 1037 return urb;
1038}
9bfa35fe 1039
047b2ec8
MH		 1040static struct urb *alloc_isoc_urb(struct hci_dev *hdev, struct sk_buff *skb)
1041{
1042 struct btusb_data *data = hci_get_drvdata(hdev);
1043 struct urb *urb;
1044 unsigned int pipe;
9bfa35fe 1045
047b2ec8
MH		 1046 if (!data->isoc_tx_ep)
1047 return ERR_PTR(-ENODEV);
9bfa35fe 1048
047b2ec8
MH		 1049 urb = usb_alloc_urb(BTUSB_MAX_ISOC_FRAMES, GFP_KERNEL);
1050 if (!urb)
1051 return ERR_PTR(-ENOMEM);
9bfa35fe 1052
047b2ec8 1053 pipe = usb_sndisocpipe(data->udev, data->isoc_tx_ep->bEndpointAddress);
9bfa35fe 1054
047b2ec8
MH		 1055 usb_fill_int_urb(urb, data->udev, pipe,
1056 skb->data, skb->len, btusb_isoc_tx_complete,
1057 skb, data->isoc_tx_ep->bInterval);
9bfa35fe 1058
047b2ec8 1059 urb->transfer_flags = URB_ISO_ASAP;
5e23b923 1060
047b2ec8
MH		 1061 __fill_isoc_descriptor(urb, skb->len,
1062 le16_to_cpu(data->isoc_tx_ep->wMaxPacketSize));
5e23b923 1063
89e7533d 1064 skb->dev = (void *)hdev;
047b2ec8
MH		 1065
1066 return urb;
1067}
1068
1069static int submit_tx_urb(struct hci_dev *hdev, struct urb *urb)
1070{
1071 struct btusb_data *data = hci_get_drvdata(hdev);
1072 int err;
7bee549e 1073
5e23b923
MH		 1074 usb_anchor_urb(urb, &data->tx_anchor);
1075
e9753eff 1076 err = usb_submit_urb(urb, GFP_KERNEL);
5e23b923 1077 if (err < 0) {
5a9b80e2
PB		 1078 if (err != -EPERM && err != -ENODEV)
1079 BT_ERR("%s urb %p submission failed (%d)",
89e7533d 1080 hdev->name, urb, -err);
5e23b923
MH		 1081 kfree(urb->setup_packet);
1082 usb_unanchor_urb(urb);
7bee549e
ON		 1083 } else {
1084 usb_mark_last_busy(data->udev);
5e23b923
MH		 1085 }
1086
54a8a79c 1087 usb_free_urb(urb);
5e23b923
MH		 1088 return err;
1089}
1090
047b2ec8
MH		 1091static int submit_or_queue_tx_urb(struct hci_dev *hdev, struct urb *urb)
1092{
1093 struct btusb_data *data = hci_get_drvdata(hdev);
1094 unsigned long flags;
1095 bool suspending;
1096
1097 spin_lock_irqsave(&data->txlock, flags);
1098 suspending = test_bit(BTUSB_SUSPENDING, &data->flags);
1099 if (!suspending)
1100 data->tx_in_flight++;
1101 spin_unlock_irqrestore(&data->txlock, flags);
1102
1103 if (!suspending)
1104 return submit_tx_urb(hdev, urb);
1105
1106 usb_anchor_urb(urb, &data->deferred);
1107 schedule_work(&data->waker);
1108
1109 usb_free_urb(urb);
1110 return 0;
1111}
1112
1113static int btusb_send_frame(struct hci_dev *hdev, struct sk_buff *skb)
1114{
1115 struct urb *urb;
1116
1117 BT_DBG("%s", hdev->name);
1118
1119 if (!test_bit(HCI_RUNNING, &hdev->flags))
1120 return -EBUSY;
1121
1122 switch (bt_cb(skb)->pkt_type) {
1123 case HCI_COMMAND_PKT:
1124 urb = alloc_ctrl_urb(hdev, skb);
1125 if (IS_ERR(urb))
1126 return PTR_ERR(urb);
1127
1128 hdev->stat.cmd_tx++;
1129 return submit_or_queue_tx_urb(hdev, urb);
1130
1131 case HCI_ACLDATA_PKT:
1132 urb = alloc_bulk_urb(hdev, skb);
1133 if (IS_ERR(urb))
1134 return PTR_ERR(urb);
1135
1136 hdev->stat.acl_tx++;
1137 return submit_or_queue_tx_urb(hdev, urb);
1138
1139 case HCI_SCODATA_PKT:
1140 if (hci_conn_num(hdev, SCO_LINK) < 1)
1141 return -ENODEV;
1142
1143 urb = alloc_isoc_urb(hdev, skb);
1144 if (IS_ERR(urb))
1145 return PTR_ERR(urb);
1146
1147 hdev->stat.sco_tx++;
1148 return submit_tx_urb(hdev, urb);
1149 }
1150
1151 return -EILSEQ;
1152}
1153
5e23b923
MH		 1154static void btusb_notify(struct hci_dev *hdev, unsigned int evt)
1155{
155961e8 1156 struct btusb_data *data = hci_get_drvdata(hdev);
5e23b923
MH		 1157
1158 BT_DBG("%s evt %d", hdev->name, evt);
1159
014f7bc7
MH		 1160 if (hci_conn_num(hdev, SCO_LINK) != data->sco_num) {
1161 data->sco_num = hci_conn_num(hdev, SCO_LINK);
43c2e57f 1162 schedule_work(&data->work);
a780efa8 1163 }
5e23b923
MH		 1164}
1165
42b16b3f 1166static inline int __set_isoc_interface(struct hci_dev *hdev, int altsetting)
9bfa35fe 1167{
155961e8 1168 struct btusb_data *data = hci_get_drvdata(hdev);
9bfa35fe
MH		 1169 struct usb_interface *intf = data->isoc;
1170 struct usb_endpoint_descriptor *ep_desc;
1171 int i, err;
1172
1173 if (!data->isoc)
1174 return -ENODEV;
1175
1176 err = usb_set_interface(data->udev, 1, altsetting);
1177 if (err < 0) {
1178 BT_ERR("%s setting interface failed (%d)", hdev->name, -err);
1179 return err;
1180 }
1181
1182 data->isoc_altsetting = altsetting;
1183
1184 data->isoc_tx_ep = NULL;
1185 data->isoc_rx_ep = NULL;
1186
1187 for (i = 0; i < intf->cur_altsetting->desc.bNumEndpoints; i++) {
1188 ep_desc = &intf->cur_altsetting->endpoint[i].desc;
1189
1190 if (!data->isoc_tx_ep && usb_endpoint_is_isoc_out(ep_desc)) {
1191 data->isoc_tx_ep = ep_desc;
1192 continue;
1193 }
1194
1195 if (!data->isoc_rx_ep && usb_endpoint_is_isoc_in(ep_desc)) {
1196 data->isoc_rx_ep = ep_desc;
1197 continue;
1198 }
1199 }
1200
1201 if (!data->isoc_tx_ep || !data->isoc_rx_ep) {
1202 BT_ERR("%s invalid SCO descriptors", hdev->name);
1203 return -ENODEV;
1204 }
1205
1206 return 0;
1207}
1208
5e23b923
MH		 1209static void btusb_work(struct work_struct *work)
1210{
1211 struct btusb_data *data = container_of(work, struct btusb_data, work);
1212 struct hci_dev *hdev = data->hdev;
f4001d28 1213 int new_alts;
7bee549e 1214 int err;
5e23b923 1215
014f7bc7 1216 if (data->sco_num > 0) {
08b8b6c4 1217 if (!test_bit(BTUSB_DID_ISO_RESUME, &data->flags)) {
8efdd0cd 1218 err = usb_autopm_get_interface(data->isoc ? data->isoc : data->intf);
7bee549e
ON		 1219 if (err < 0) {
1220 clear_bit(BTUSB_ISOC_RUNNING, &data->flags);
1221 usb_kill_anchored_urbs(&data->isoc_anchor);
1222 return;
1223 }
1224
08b8b6c4 1225 set_bit(BTUSB_DID_ISO_RESUME, &data->flags);
7bee549e 1226 }
f4001d28
MA		 1227
1228 if (hdev->voice_setting & 0x0020) {
1229 static const int alts[3] = { 2, 4, 5 };
89e7533d 1230
014f7bc7 1231 new_alts = alts[data->sco_num - 1];
f4001d28 1232 } else {
014f7bc7 1233 new_alts = data->sco_num;
f4001d28
MA		 1234 }
1235
1236 if (data->isoc_altsetting != new_alts) {
9bfa35fe
MH		 1237 clear_bit(BTUSB_ISOC_RUNNING, &data->flags);
1238 usb_kill_anchored_urbs(&data->isoc_anchor);
1239
f4001d28 1240 if (__set_isoc_interface(hdev, new_alts) < 0)
9bfa35fe
MH		 1241 return;
1242 }
1243
1244 if (!test_and_set_bit(BTUSB_ISOC_RUNNING, &data->flags)) {
2eda66f4 1245 if (btusb_submit_isoc_urb(hdev, GFP_KERNEL) < 0)
9bfa35fe
MH		 1246 clear_bit(BTUSB_ISOC_RUNNING, &data->flags);
1247 else
2eda66f4 1248 btusb_submit_isoc_urb(hdev, GFP_KERNEL);
9bfa35fe
MH		 1249 }
1250 } else {
1251 clear_bit(BTUSB_ISOC_RUNNING, &data->flags);
1252 usb_kill_anchored_urbs(&data->isoc_anchor);
1253
1254 __set_isoc_interface(hdev, 0);
08b8b6c4 1255 if (test_and_clear_bit(BTUSB_DID_ISO_RESUME, &data->flags))
8efdd0cd 1256 usb_autopm_put_interface(data->isoc ? data->isoc : data->intf);
5e23b923
MH		 1257 }
1258}
1259
7bee549e
ON		 1260static void btusb_waker(struct work_struct *work)
1261{
1262 struct btusb_data *data = container_of(work, struct btusb_data, waker);
1263 int err;
1264
1265 err = usb_autopm_get_interface(data->intf);
1266 if (err < 0)
1267 return;
1268
1269 usb_autopm_put_interface(data->intf);
1270}
1271
9f8f962c
MH		 1272static int btusb_setup_bcm92035(struct hci_dev *hdev)
1273{
1274 struct sk_buff *skb;
1275 u8 val = 0x00;
1276
1277 BT_DBG("%s", hdev->name);
1278
1279 skb = __hci_cmd_sync(hdev, 0xfc3b, 1, &val, HCI_INIT_TIMEOUT);
1280 if (IS_ERR(skb))
1281 BT_ERR("BCM92035 command failed (%ld)", -PTR_ERR(skb));
1282 else
1283 kfree_skb(skb);
1284
1285 return 0;
1286}
1287
81cac64b
MH		 1288static int btusb_setup_csr(struct hci_dev *hdev)
1289{
1290 struct hci_rp_read_local_version *rp;
1291 struct sk_buff *skb;
1292 int ret;
1293
1294 BT_DBG("%s", hdev->name);
1295
1296 skb = __hci_cmd_sync(hdev, HCI_OP_READ_LOCAL_VERSION, 0, NULL,
1297 HCI_INIT_TIMEOUT);
1298 if (IS_ERR(skb)) {
1299 BT_ERR("Reading local version failed (%ld)", -PTR_ERR(skb));
1300 return -PTR_ERR(skb);
1301 }
1302
89e7533d 1303 rp = (struct hci_rp_read_local_version *)skb->data;
81cac64b
MH		 1304
1305 if (!rp->status) {
1306 if (le16_to_cpu(rp->manufacturer) != 10) {
1307 /* Clear the reset quirk since this is not an actual
1308 * early Bluetooth 1.1 device from CSR.
1309 */
1310 clear_bit(HCI_QUIRK_RESET_ON_CLOSE, &hdev->quirks);
1311
1312 /* These fake CSR controllers have all a broken
1313 * stored link key handling and so just disable it.
1314 */
1315 set_bit(HCI_QUIRK_BROKEN_STORED_LINK_KEY,
1316 &hdev->quirks);
1317 }
1318 }
1319
1320 ret = -bt_to_errno(rp->status);
1321
1322 kfree_skb(skb);
1323
1324 return ret;
1325}
1326
dffd30ee
THJA		 1327struct intel_version {
1328 u8 status;
1329 u8 hw_platform;
1330 u8 hw_variant;
1331 u8 hw_revision;
1332 u8 fw_variant;
1333 u8 fw_revision;
1334 u8 fw_build_num;
1335 u8 fw_build_ww;
1336 u8 fw_build_yy;
1337 u8 fw_patch_num;
1338} __packed;
1339
cda0dd78
MH		 1340struct intel_boot_params {
1341 __u8 status;
1342 __u8 otp_format;
1343 __u8 otp_content;
1344 __u8 otp_patch;
1345 __le16 dev_revid;
1346 __u8 secure_boot;
1347 __u8 key_from_hdr;
1348 __u8 key_type;
1349 __u8 otp_lock;
1350 __u8 api_lock;
1351 __u8 debug_lock;
1352 bdaddr_t otp_bdaddr;
1353 __u8 min_fw_build_nn;
1354 __u8 min_fw_build_cw;
1355 __u8 min_fw_build_yy;
1356 __u8 limited_cce;
1357 __u8 unlocked_state;
1358} __packed;
1359
dffd30ee 1360static const struct firmware *btusb_setup_intel_get_fw(struct hci_dev *hdev,
89e7533d 1361 struct intel_version *ver)
dffd30ee
THJA		 1362{
1363 const struct firmware *fw;
1364 char fwname[64];
1365 int ret;
1366
1367 snprintf(fwname, sizeof(fwname),
1368 "intel/ibt-hw-%x.%x.%x-fw-%x.%x.%x.%x.%x.bseq",
1369 ver->hw_platform, ver->hw_variant, ver->hw_revision,
1370 ver->fw_variant, ver->fw_revision, ver->fw_build_num,
1371 ver->fw_build_ww, ver->fw_build_yy);
1372
1373 ret = request_firmware(&fw, fwname, &hdev->dev);
1374 if (ret < 0) {
1375 if (ret == -EINVAL) {
1376 BT_ERR("%s Intel firmware file request failed (%d)",
1377 hdev->name, ret);
1378 return NULL;
1379 }
1380
1381 BT_ERR("%s failed to open Intel firmware file: %s(%d)",
1382 hdev->name, fwname, ret);
1383
1384 /* If the correct firmware patch file is not found, use the
1385 * default firmware patch file instead
1386 */
1387 snprintf(fwname, sizeof(fwname), "intel/ibt-hw-%x.%x.bseq",
1388 ver->hw_platform, ver->hw_variant);
1389 if (request_firmware(&fw, fwname, &hdev->dev) < 0) {
1390 BT_ERR("%s failed to open default Intel fw file: %s",
1391 hdev->name, fwname);
1392 return NULL;
1393 }
1394 }
1395
1396 BT_INFO("%s: Intel Bluetooth firmware file: %s", hdev->name, fwname);
1397
1398 return fw;
1399}
1400
1401static int btusb_setup_intel_patching(struct hci_dev *hdev,
1402 const struct firmware *fw,
1403 const u8 **fw_ptr, int *disable_patch)
1404{
1405 struct sk_buff *skb;
1406 struct hci_command_hdr *cmd;
1407 const u8 *cmd_param;
1408 struct hci_event_hdr *evt = NULL;
1409 const u8 *evt_param = NULL;
1410 int remain = fw->size - (*fw_ptr - fw->data);
1411
1412 /* The first byte indicates the types of the patch command or event.
1413 * 0x01 means HCI command and 0x02 is HCI event. If the first bytes
1414 * in the current firmware buffer doesn't start with 0x01 or
1415 * the size of remain buffer is smaller than HCI command header,
1416 * the firmware file is corrupted and it should stop the patching
1417 * process.
1418 */
1419 if (remain > HCI_COMMAND_HDR_SIZE && *fw_ptr[0] != 0x01) {
1420 BT_ERR("%s Intel fw corrupted: invalid cmd read", hdev->name);
1421 return -EINVAL;
1422 }
1423 (*fw_ptr)++;
1424 remain--;
1425
1426 cmd = (struct hci_command_hdr *)(*fw_ptr);
1427 *fw_ptr += sizeof(*cmd);
1428 remain -= sizeof(*cmd);
1429
1430 /* Ensure that the remain firmware data is long enough than the length
1431 * of command parameter. If not, the firmware file is corrupted.
1432 */
1433 if (remain < cmd->plen) {
1434 BT_ERR("%s Intel fw corrupted: invalid cmd len", hdev->name);
1435 return -EFAULT;
1436 }
1437
1438 /* If there is a command that loads a patch in the firmware
1439 * file, then enable the patch upon success, otherwise just
1440 * disable the manufacturer mode, for example patch activation
1441 * is not required when the default firmware patch file is used
1442 * because there are no patch data to load.
1443 */
1444 if (*disable_patch && le16_to_cpu(cmd->opcode) == 0xfc8e)
1445 *disable_patch = 0;
1446
1447 cmd_param = *fw_ptr;
1448 *fw_ptr += cmd->plen;
1449 remain -= cmd->plen;
1450
1451 /* This reads the expected events when the above command is sent to the
1452 * device. Some vendor commands expects more than one events, for
1453 * example command status event followed by vendor specific event.
1454 * For this case, it only keeps the last expected event. so the command
1455 * can be sent with __hci_cmd_sync_ev() which returns the sk_buff of
1456 * last expected event.
1457 */
1458 while (remain > HCI_EVENT_HDR_SIZE && *fw_ptr[0] == 0x02) {
1459 (*fw_ptr)++;
1460 remain--;
1461
1462 evt = (struct hci_event_hdr *)(*fw_ptr);
1463 *fw_ptr += sizeof(*evt);
1464 remain -= sizeof(*evt);
1465
1466 if (remain < evt->plen) {
1467 BT_ERR("%s Intel fw corrupted: invalid evt len",
1468 hdev->name);
1469 return -EFAULT;
1470 }
1471
1472 evt_param = *fw_ptr;
1473 *fw_ptr += evt->plen;
1474 remain -= evt->plen;
1475 }
1476
1477 /* Every HCI commands in the firmware file has its correspond event.
1478 * If event is not found or remain is smaller than zero, the firmware
1479 * file is corrupted.
1480 */
1481 if (!evt || !evt_param || remain < 0) {
1482 BT_ERR("%s Intel fw corrupted: invalid evt read", hdev->name);
1483 return -EFAULT;
1484 }
1485
1486 skb = __hci_cmd_sync_ev(hdev, le16_to_cpu(cmd->opcode), cmd->plen,
1487 cmd_param, evt->evt, HCI_INIT_TIMEOUT);
1488 if (IS_ERR(skb)) {
1489 BT_ERR("%s sending Intel patch command (0x%4.4x) failed (%ld)",
1490 hdev->name, cmd->opcode, PTR_ERR(skb));
d9c78e97 1491 return PTR_ERR(skb);
dffd30ee
THJA		 1492 }
1493
1494 /* It ensures that the returned event matches the event data read from
1495 * the firmware file. At fist, it checks the length and then
1496 * the contents of the event.
1497 */
1498 if (skb->len != evt->plen) {
1499 BT_ERR("%s mismatch event length (opcode 0x%4.4x)", hdev->name,
1500 le16_to_cpu(cmd->opcode));
1501 kfree_skb(skb);
1502 return -EFAULT;
1503 }
1504
1505 if (memcmp(skb->data, evt_param, evt->plen)) {
1506 BT_ERR("%s mismatch event parameter (opcode 0x%4.4x)",
1507 hdev->name, le16_to_cpu(cmd->opcode));
1508 kfree_skb(skb);
1509 return -EFAULT;
1510 }
1511 kfree_skb(skb);
1512
1513 return 0;
1514}
1515
40cb0984
MH		 1516#define BDADDR_INTEL (&(bdaddr_t) {{0x00, 0x8b, 0x9e, 0x19, 0x03, 0x00}})
1517
1518static int btusb_check_bdaddr_intel(struct hci_dev *hdev)
1519{
1520 struct sk_buff *skb;
1521 struct hci_rp_read_bd_addr *rp;
1522
1523 skb = __hci_cmd_sync(hdev, HCI_OP_READ_BD_ADDR, 0, NULL,
1524 HCI_INIT_TIMEOUT);
1525 if (IS_ERR(skb)) {
1526 BT_ERR("%s reading Intel device address failed (%ld)",
1527 hdev->name, PTR_ERR(skb));
1528 return PTR_ERR(skb);
1529 }
1530
1531 if (skb->len != sizeof(*rp)) {
1532 BT_ERR("%s Intel device address length mismatch", hdev->name);
1533 kfree_skb(skb);
1534 return -EIO;
1535 }
1536
89e7533d 1537 rp = (struct hci_rp_read_bd_addr *)skb->data;
40cb0984
MH		 1538 if (rp->status) {
1539 BT_ERR("%s Intel device address result failed (%02x)",
1540 hdev->name, rp->status);
1541 kfree_skb(skb);
1542 return -bt_to_errno(rp->status);
1543 }
1544
1545 /* For some Intel based controllers, the default Bluetooth device
1546 * address 00:03:19:9E:8B:00 can be found. These controllers are
1547 * fully operational, but have the danger of duplicate addresses
1548 * and that in turn can cause problems with Bluetooth operation.
1549 */
4739b5b1 1550 if (!bacmp(&rp->bdaddr, BDADDR_INTEL)) {
40cb0984
MH		 1551 BT_ERR("%s found Intel default device address (%pMR)",
1552 hdev->name, &rp->bdaddr);
4739b5b1
MH		 1553 set_bit(HCI_QUIRK_INVALID_BDADDR, &hdev->quirks);
1554 }
40cb0984
MH		 1555
1556 kfree_skb(skb);
1557
1558 return 0;
1559}
1560
dffd30ee
THJA		 1561static int btusb_setup_intel(struct hci_dev *hdev)
1562{
1563 struct sk_buff *skb;
1564 const struct firmware *fw;
1565 const u8 *fw_ptr;
1566 int disable_patch;
1567 struct intel_version *ver;
1568
1569 const u8 mfg_enable[] = { 0x01, 0x00 };
1570 const u8 mfg_disable[] = { 0x00, 0x00 };
1571 const u8 mfg_reset_deactivate[] = { 0x00, 0x01 };
1572 const u8 mfg_reset_activate[] = { 0x00, 0x02 };
1573
1574 BT_DBG("%s", hdev->name);
1575
1576 /* The controller has a bug with the first HCI command sent to it
1577 * returning number of completed commands as zero. This would stall the
1578 * command processing in the Bluetooth core.
1579 *
1580 * As a workaround, send HCI Reset command first which will reset the
1581 * number of completed commands and allow normal command processing
1582 * from now on.
1583 */
1584 skb = __hci_cmd_sync(hdev, HCI_OP_RESET, 0, NULL, HCI_INIT_TIMEOUT);
1585 if (IS_ERR(skb)) {
1586 BT_ERR("%s sending initial HCI reset command failed (%ld)",
1587 hdev->name, PTR_ERR(skb));
d9c78e97 1588 return PTR_ERR(skb);
dffd30ee
THJA		 1589 }
1590 kfree_skb(skb);
1591
1592 /* Read Intel specific controller version first to allow selection of
1593 * which firmware file to load.
1594 *
1595 * The returned information are hardware variant and revision plus
1596 * firmware variant, revision and build number.
1597 */
1598 skb = __hci_cmd_sync(hdev, 0xfc05, 0, NULL, HCI_INIT_TIMEOUT);
1599 if (IS_ERR(skb)) {
1600 BT_ERR("%s reading Intel fw version command failed (%ld)",
1601 hdev->name, PTR_ERR(skb));
d9c78e97 1602 return PTR_ERR(skb);
dffd30ee
THJA		 1603 }
1604
1605 if (skb->len != sizeof(*ver)) {
1606 BT_ERR("%s Intel version event length mismatch", hdev->name);
1607 kfree_skb(skb);
1608 return -EIO;
1609 }
1610
1611 ver = (struct intel_version *)skb->data;
1612 if (ver->status) {
1613 BT_ERR("%s Intel fw version event failed (%02x)", hdev->name,
1614 ver->status);
1615 kfree_skb(skb);
1616 return -bt_to_errno(ver->status);
1617 }
1618
1619 BT_INFO("%s: read Intel version: %02x%02x%02x%02x%02x%02x%02x%02x%02x",
1620 hdev->name, ver->hw_platform, ver->hw_variant,
1621 ver->hw_revision, ver->fw_variant, ver->fw_revision,
1622 ver->fw_build_num, ver->fw_build_ww, ver->fw_build_yy,
1623 ver->fw_patch_num);
1624
1625 /* fw_patch_num indicates the version of patch the device currently
1626 * have. If there is no patch data in the device, it is always 0x00.
1627 * So, if it is other than 0x00, no need to patch the deivce again.
1628 */
1629 if (ver->fw_patch_num) {
1630 BT_INFO("%s: Intel device is already patched. patch num: %02x",
1631 hdev->name, ver->fw_patch_num);
1632 kfree_skb(skb);
40cb0984 1633 btusb_check_bdaddr_intel(hdev);
dffd30ee
THJA		 1634 return 0;
1635 }
1636
1637 /* Opens the firmware patch file based on the firmware version read
1638 * from the controller. If it fails to open the matching firmware
1639 * patch file, it tries to open the default firmware patch file.
1640 * If no patch file is found, allow the device to operate without
1641 * a patch.
1642 */
1643 fw = btusb_setup_intel_get_fw(hdev, ver);
1644 if (!fw) {
1645 kfree_skb(skb);
40cb0984 1646 btusb_check_bdaddr_intel(hdev);
dffd30ee
THJA		 1647 return 0;
1648 }
1649 fw_ptr = fw->data;
1650
1651 /* This Intel specific command enables the manufacturer mode of the
1652 * controller.
1653 *
1654 * Only while this mode is enabled, the driver can download the
1655 * firmware patch data and configuration parameters.
1656 */
1657 skb = __hci_cmd_sync(hdev, 0xfc11, 2, mfg_enable, HCI_INIT_TIMEOUT);
1658 if (IS_ERR(skb)) {
1659 BT_ERR("%s entering Intel manufacturer mode failed (%ld)",
1660 hdev->name, PTR_ERR(skb));
1661 release_firmware(fw);
d9c78e97 1662 return PTR_ERR(skb);
dffd30ee
THJA		 1663 }
1664
1665 if (skb->data[0]) {
1666 u8 evt_status = skb->data[0];
89e7533d 1667
dffd30ee
THJA		 1668 BT_ERR("%s enable Intel manufacturer mode event failed (%02x)",
1669 hdev->name, evt_status);
1670 kfree_skb(skb);
1671 release_firmware(fw);
1672 return -bt_to_errno(evt_status);
1673 }
1674 kfree_skb(skb);
1675
1676 disable_patch = 1;
1677
1678 /* The firmware data file consists of list of Intel specific HCI
1679 * commands and its expected events. The first byte indicates the
1680 * type of the message, either HCI command or HCI event.
1681 *
1682 * It reads the command and its expected event from the firmware file,
1683 * and send to the controller. Once __hci_cmd_sync_ev() returns,
1684 * the returned event is compared with the event read from the firmware
1685 * file and it will continue until all the messages are downloaded to
1686 * the controller.
1687 *
1688 * Once the firmware patching is completed successfully,
1689 * the manufacturer mode is disabled with reset and activating the
1690 * downloaded patch.
1691 *
1692 * If the firmware patching fails, the manufacturer mode is
1693 * disabled with reset and deactivating the patch.
1694 *
1695 * If the default patch file is used, no reset is done when disabling
1696 * the manufacturer.
1697 */
1698 while (fw->size > fw_ptr - fw->data) {
1699 int ret;
1700
1701 ret = btusb_setup_intel_patching(hdev, fw, &fw_ptr,
1702 &disable_patch);
1703 if (ret < 0)
1704 goto exit_mfg_deactivate;
1705 }
1706
1707 release_firmware(fw);
1708
1709 if (disable_patch)
1710 goto exit_mfg_disable;
1711
1712 /* Patching completed successfully and disable the manufacturer mode
1713 * with reset and activate the downloaded firmware patches.
1714 */
1715 skb = __hci_cmd_sync(hdev, 0xfc11, sizeof(mfg_reset_activate),
1716 mfg_reset_activate, HCI_INIT_TIMEOUT);
1717 if (IS_ERR(skb)) {
1718 BT_ERR("%s exiting Intel manufacturer mode failed (%ld)",
1719 hdev->name, PTR_ERR(skb));
d9c78e97 1720 return PTR_ERR(skb);
dffd30ee
THJA		 1721 }
1722 kfree_skb(skb);
1723
1724 BT_INFO("%s: Intel Bluetooth firmware patch completed and activated",
1725 hdev->name);
1726
40cb0984 1727 btusb_check_bdaddr_intel(hdev);
dffd30ee
THJA		 1728 return 0;
1729
1730exit_mfg_disable:
1731 /* Disable the manufacturer mode without reset */
1732 skb = __hci_cmd_sync(hdev, 0xfc11, sizeof(mfg_disable), mfg_disable,
1733 HCI_INIT_TIMEOUT);
1734 if (IS_ERR(skb)) {
1735 BT_ERR("%s exiting Intel manufacturer mode failed (%ld)",
1736 hdev->name, PTR_ERR(skb));
d9c78e97 1737 return PTR_ERR(skb);
dffd30ee
THJA		 1738 }
1739 kfree_skb(skb);
1740
1741 BT_INFO("%s: Intel Bluetooth firmware patch completed", hdev->name);
40cb0984
MH		 1742
1743 btusb_check_bdaddr_intel(hdev);
dffd30ee
THJA		 1744 return 0;
1745
1746exit_mfg_deactivate:
1747 release_firmware(fw);
1748
1749 /* Patching failed. Disable the manufacturer mode with reset and
1750 * deactivate the downloaded firmware patches.
1751 */
1752 skb = __hci_cmd_sync(hdev, 0xfc11, sizeof(mfg_reset_deactivate),
1753 mfg_reset_deactivate, HCI_INIT_TIMEOUT);
1754 if (IS_ERR(skb)) {
1755 BT_ERR("%s exiting Intel manufacturer mode failed (%ld)",
1756 hdev->name, PTR_ERR(skb));
d9c78e97 1757 return PTR_ERR(skb);
dffd30ee
THJA		 1758 }
1759 kfree_skb(skb);
1760
1761 BT_INFO("%s: Intel Bluetooth firmware patch completed and deactivated",
1762 hdev->name);
1763
40cb0984 1764 btusb_check_bdaddr_intel(hdev);
dffd30ee
THJA		 1765 return 0;
1766}
1767
cda0dd78
MH		 1768static int inject_cmd_complete(struct hci_dev *hdev, __u16 opcode)
1769{
1770 struct sk_buff *skb;
1771 struct hci_event_hdr *hdr;
1772 struct hci_ev_cmd_complete *evt;
1773
1774 skb = bt_skb_alloc(sizeof(*hdr) + sizeof(*evt) + 1, GFP_ATOMIC);
1775 if (!skb)
1776 return -ENOMEM;
1777
1778 hdr = (struct hci_event_hdr *)skb_put(skb, sizeof(*hdr));
1779 hdr->evt = HCI_EV_CMD_COMPLETE;
1780 hdr->plen = sizeof(*evt) + 1;
1781
1782 evt = (struct hci_ev_cmd_complete *)skb_put(skb, sizeof(*evt));
1783 evt->ncmd = 0x01;
1784 evt->opcode = cpu_to_le16(opcode);
1785
1786 *skb_put(skb, 1) = 0x00;
1787
1788 bt_cb(skb)->pkt_type = HCI_EVENT_PKT;
1789
1790 return hci_recv_frame(hdev, skb);
1791}
1792
1793static int btusb_recv_bulk_intel(struct btusb_data *data, void *buffer,
1794 int count)
1795{
1796 /* When the device is in bootloader mode, then it can send
1797 * events via the bulk endpoint. These events are treated the
1798 * same way as the ones received from the interrupt endpoint.
1799 */
1800 if (test_bit(BTUSB_BOOTLOADER, &data->flags))
1801 return btusb_recv_intr(data, buffer, count);
1802
1803 return btusb_recv_bulk(data, buffer, count);
1804}
1805
1806static int btusb_recv_event_intel(struct hci_dev *hdev, struct sk_buff *skb)
1807{
1808 struct btusb_data *data = hci_get_drvdata(hdev);
1809
1810 if (test_bit(BTUSB_BOOTLOADER, &data->flags)) {
1811 struct hci_event_hdr *hdr = (void *)skb->data;
1812
1813 /* When the firmware loading completes the device sends
1814 * out a vendor specific event indicating the result of
1815 * the firmware loading.
1816 */
1817 if (skb->len == 7 && hdr->evt == 0xff && hdr->plen == 0x05 &&
1818 skb->data[2] == 0x06) {
1819 if (skb->data[3] != 0x00)
1820 test_bit(BTUSB_FIRMWARE_FAILED, &data->flags);
1821
ce6bb929
MH		 1822 if (test_and_clear_bit(BTUSB_DOWNLOADING,
1823 &data->flags) &&
a087a98e
JH		 1824 test_bit(BTUSB_FIRMWARE_LOADED, &data->flags)) {
1825 smp_mb__after_atomic();
1826 wake_up_bit(&data->flags, BTUSB_DOWNLOADING);
1827 }
cda0dd78
MH		 1828 }
1829
1830 /* When switching to the operational firmware the device
1831 * sends a vendor specific event indicating that the bootup
1832 * completed.
1833 */
1834 if (skb->len == 9 && hdr->evt == 0xff && hdr->plen == 0x07 &&
1835 skb->data[2] == 0x02) {
fad70972
JH		 1836 if (test_and_clear_bit(BTUSB_BOOTING, &data->flags)) {
1837 smp_mb__after_atomic();
1838 wake_up_bit(&data->flags, BTUSB_BOOTING);
1839 }
cda0dd78
MH		 1840 }
1841 }
1842
1843 return hci_recv_frame(hdev, skb);
1844}
1845
1846static int btusb_send_frame_intel(struct hci_dev *hdev, struct sk_buff *skb)
1847{
1848 struct btusb_data *data = hci_get_drvdata(hdev);
1849 struct urb *urb;
1850
1851 BT_DBG("%s", hdev->name);
1852
1853 if (!test_bit(HCI_RUNNING, &hdev->flags))
1854 return -EBUSY;
1855
1856 switch (bt_cb(skb)->pkt_type) {
1857 case HCI_COMMAND_PKT:
1858 if (test_bit(BTUSB_BOOTLOADER, &data->flags)) {
1859 struct hci_command_hdr *cmd = (void *)skb->data;
1860 __u16 opcode = le16_to_cpu(cmd->opcode);
1861
1862 /* When in bootloader mode and the command 0xfc09
1863 * is received, it needs to be send down the
1864 * bulk endpoint. So allocate a bulk URB instead.
1865 */
1866 if (opcode == 0xfc09)
1867 urb = alloc_bulk_urb(hdev, skb);
1868 else
1869 urb = alloc_ctrl_urb(hdev, skb);
1870
1871 /* When the 0xfc01 command is issued to boot into
1872 * the operational firmware, it will actually not
1873 * send a command complete event. To keep the flow
1874 * control working inject that event here.
1875 */
1876 if (opcode == 0xfc01)
1877 inject_cmd_complete(hdev, opcode);
1878 } else {
1879 urb = alloc_ctrl_urb(hdev, skb);
1880 }
1881 if (IS_ERR(urb))
1882 return PTR_ERR(urb);
1883
1884 hdev->stat.cmd_tx++;
1885 return submit_or_queue_tx_urb(hdev, urb);
1886
1887 case HCI_ACLDATA_PKT:
1888 urb = alloc_bulk_urb(hdev, skb);
1889 if (IS_ERR(urb))
1890 return PTR_ERR(urb);
1891
1892 hdev->stat.acl_tx++;
1893 return submit_or_queue_tx_urb(hdev, urb);
1894
1895 case HCI_SCODATA_PKT:
1896 if (hci_conn_num(hdev, SCO_LINK) < 1)
1897 return -ENODEV;
1898
1899 urb = alloc_isoc_urb(hdev, skb);
1900 if (IS_ERR(urb))
1901 return PTR_ERR(urb);
1902
1903 hdev->stat.sco_tx++;
1904 return submit_tx_urb(hdev, urb);
1905 }
1906
1907 return -EILSEQ;
1908}
1909
1910static int btusb_intel_secure_send(struct hci_dev *hdev, u8 fragment_type,
1911 u32 plen, const void *param)
1912{
1913 while (plen > 0) {
1914 struct sk_buff *skb;
1915 u8 cmd_param[253], fragment_len = (plen > 252) ? 252 : plen;
1916
1917 cmd_param[0] = fragment_type;
1918 memcpy(cmd_param + 1, param, fragment_len);
1919
1920 skb = __hci_cmd_sync(hdev, 0xfc09, fragment_len + 1,
1921 cmd_param, HCI_INIT_TIMEOUT);
1922 if (IS_ERR(skb))
1923 return PTR_ERR(skb);
1924
1925 kfree_skb(skb);
1926
1927 plen -= fragment_len;
1928 param += fragment_len;
1929 }
1930
1931 return 0;
1932}
1933
1934static void btusb_intel_version_info(struct hci_dev *hdev,
1935 struct intel_version *ver)
1936{
1937 const char *variant;
1938
1939 switch (ver->fw_variant) {
1940 case 0x06:
1941 variant = "Bootloader";
1942 break;
1943 case 0x23:
1944 variant = "Firmware";
1945 break;
1946 default:
1947 return;
1948 }
1949
1950 BT_INFO("%s: %s revision %u.%u build %u week %u %u", hdev->name,
1951 variant, ver->fw_revision >> 4, ver->fw_revision & 0x0f,
1952 ver->fw_build_num, ver->fw_build_ww, 2000 + ver->fw_build_yy);
1953}
1954
1955static int btusb_setup_intel_new(struct hci_dev *hdev)
1956{
1957 static const u8 reset_param[] = { 0x00, 0x01, 0x00, 0x01,
1958 0x00, 0x08, 0x04, 0x00 };
1959 struct btusb_data *data = hci_get_drvdata(hdev);
1960 struct sk_buff *skb;
1961 struct intel_version *ver;
1962 struct intel_boot_params *params;
1963 const struct firmware *fw;
1964 const u8 *fw_ptr;
1965 char fwname[64];
1966 ktime_t calltime, delta, rettime;
1967 unsigned long long duration;
1968 int err;
1969
1970 BT_DBG("%s", hdev->name);
1971
1972 calltime = ktime_get();
1973
1974 /* Read the Intel version information to determine if the device
1975 * is in bootloader mode or if it already has operational firmware
1976 * loaded.
1977 */
1978 skb = __hci_cmd_sync(hdev, 0xfc05, 0, NULL, HCI_INIT_TIMEOUT);
1979 if (IS_ERR(skb)) {
1980 BT_ERR("%s: Reading Intel version information failed (%ld)",
1981 hdev->name, PTR_ERR(skb));
1982 return PTR_ERR(skb);
1983 }
1984
1985 if (skb->len != sizeof(*ver)) {
1986 BT_ERR("%s: Intel version event size mismatch", hdev->name);
1987 kfree_skb(skb);
1988 return -EILSEQ;
1989 }
1990
1991 ver = (struct intel_version *)skb->data;
1992 if (ver->status) {
1993 BT_ERR("%s: Intel version command failure (%02x)",
1994 hdev->name, ver->status);
1995 err = -bt_to_errno(ver->status);
1996 kfree_skb(skb);
1997 return err;
1998 }
1999
2000 /* The hardware platform number has a fixed value of 0x37 and
2001 * for now only accept this single value.
2002 */
2003 if (ver->hw_platform != 0x37) {
2004 BT_ERR("%s: Unsupported Intel hardware platform (%u)",
2005 hdev->name, ver->hw_platform);
2006 kfree_skb(skb);
2007 return -EINVAL;
2008 }
2009
2010 /* At the moment only the hardware variant iBT 3.0 (LnP/SfP) is
2011 * supported by this firmware loading method. This check has been
2012 * put in place to ensure correct forward compatibility options
2013 * when newer hardware variants come along.
2014 */
2015 if (ver->hw_variant != 0x0b) {
2016 BT_ERR("%s: Unsupported Intel hardware variant (%u)",
2017 hdev->name, ver->hw_variant);
2018 kfree_skb(skb);
2019 return -EINVAL;
2020 }
2021
2022 btusb_intel_version_info(hdev, ver);
2023
2024 /* The firmware variant determines if the device is in bootloader
2025 * mode or is running operational firmware. The value 0x06 identifies
2026 * the bootloader and the value 0x23 identifies the operational
2027 * firmware.
2028 *
2029 * When the operational firmware is already present, then only
2030 * the check for valid Bluetooth device address is needed. This
2031 * determines if the device will be added as configured or
2032 * unconfigured controller.
2033 *
2034 * It is not possible to use the Secure Boot Parameters in this
2035 * case since that command is only available in bootloader mode.
2036 */
2037 if (ver->fw_variant == 0x23) {
2038 kfree_skb(skb);
2039 clear_bit(BTUSB_BOOTLOADER, &data->flags);
2040 btusb_check_bdaddr_intel(hdev);
2041 return 0;
2042 }
2043
2044 /* If the device is not in bootloader mode, then the only possible
2045 * choice is to return an error and abort the device initialization.
2046 */
2047 if (ver->fw_variant != 0x06) {
2048 BT_ERR("%s: Unsupported Intel firmware variant (%u)",
2049 hdev->name, ver->fw_variant);
2050 kfree_skb(skb);
2051 return -ENODEV;
2052 }
2053
2054 kfree_skb(skb);
2055
2056 /* Read the secure boot parameters to identify the operating
2057 * details of the bootloader.
2058 */
2059 skb = __hci_cmd_sync(hdev, 0xfc0d, 0, NULL, HCI_INIT_TIMEOUT);
2060 if (IS_ERR(skb)) {
2061 BT_ERR("%s: Reading Intel boot parameters failed (%ld)",
2062 hdev->name, PTR_ERR(skb));
2063 return PTR_ERR(skb);
2064 }
2065
2066 if (skb->len != sizeof(*params)) {
2067 BT_ERR("%s: Intel boot parameters size mismatch", hdev->name);
2068 kfree_skb(skb);
2069 return -EILSEQ;
2070 }
2071
2072 params = (struct intel_boot_params *)skb->data;
2073 if (params->status) {
2074 BT_ERR("%s: Intel boot parameters command failure (%02x)",
2075 hdev->name, params->status);
2076 err = -bt_to_errno(params->status);
2077 kfree_skb(skb);
2078 return err;
2079 }
2080
2081 BT_INFO("%s: Device revision is %u", hdev->name,
2082 le16_to_cpu(params->dev_revid));
2083
2084 BT_INFO("%s: Secure boot is %s", hdev->name,
2085 params->secure_boot ? "enabled" : "disabled");
2086
2087 BT_INFO("%s: Minimum firmware build %u week %u %u", hdev->name,
2088 params->min_fw_build_nn, params->min_fw_build_cw,
2089 2000 + params->min_fw_build_yy);
2090
2091 /* It is required that every single firmware fragment is acknowledged
2092 * with a command complete event. If the boot parameters indicate
2093 * that this bootloader does not send them, then abort the setup.
2094 */
2095 if (params->limited_cce != 0x00) {
2096 BT_ERR("%s: Unsupported Intel firmware loading method (%u)",
2097 hdev->name, params->limited_cce);
2098 kfree_skb(skb);
2099 return -EINVAL;
2100 }
2101
2102 /* If the OTP has no valid Bluetooth device address, then there will
2103 * also be no valid address for the operational firmware.
2104 */
2105 if (!bacmp(&params->otp_bdaddr, BDADDR_ANY)) {
2106 BT_INFO("%s: No device address configured", hdev->name);
2107 set_bit(HCI_QUIRK_INVALID_BDADDR, &hdev->quirks);
2108 }
2109
2110 /* With this Intel bootloader only the hardware variant and device
2111 * revision information are used to select the right firmware.
2112 *
2113 * Currently this bootloader support is limited to hardware variant
2114 * iBT 3.0 (LnP/SfP) which is identified by the value 11 (0x0b).
2115 */
2116 snprintf(fwname, sizeof(fwname), "intel/ibt-11-%u.sfi",
2117 le16_to_cpu(params->dev_revid));
2118
2119 err = request_firmware(&fw, fwname, &hdev->dev);
2120 if (err < 0) {
2121 BT_ERR("%s: Failed to load Intel firmware file (%d)",
2122 hdev->name, err);
2123 kfree_skb(skb);
2124 return err;
2125 }
2126
2127 BT_INFO("%s: Found device firmware: %s", hdev->name, fwname);
2128
2129 kfree_skb(skb);
2130
2131 if (fw->size < 644) {
2132 BT_ERR("%s: Invalid size of firmware file (%zu)",
2133 hdev->name, fw->size);
2134 err = -EBADF;
2135 goto done;
2136 }
2137
2138 set_bit(BTUSB_DOWNLOADING, &data->flags);
2139
2140 /* Start the firmware download transaction with the Init fragment
2141 * represented by the 128 bytes of CSS header.
2142 */
2143 err = btusb_intel_secure_send(hdev, 0x00, 128, fw->data);
2144 if (err < 0) {
2145 BT_ERR("%s: Failed to send firmware header (%d)",
2146 hdev->name, err);
2147 goto done;
2148 }
2149
2150 /* Send the 256 bytes of public key information from the firmware
2151 * as the PKey fragment.
2152 */
2153 err = btusb_intel_secure_send(hdev, 0x03, 256, fw->data + 128);
2154 if (err < 0) {
2155 BT_ERR("%s: Failed to send firmware public key (%d)",
2156 hdev->name, err);
2157 goto done;
2158 }
2159
2160 /* Send the 256 bytes of signature information from the firmware
2161 * as the Sign fragment.
2162 */
2163 err = btusb_intel_secure_send(hdev, 0x02, 256, fw->data + 388);
2164 if (err < 0) {
2165 BT_ERR("%s: Failed to send firmware signature (%d)",
2166 hdev->name, err);
2167 goto done;
2168 }
2169
2170 fw_ptr = fw->data + 644;
2171
2172 while (fw_ptr - fw->data < fw->size) {
2173 struct hci_command_hdr *cmd = (void *)fw_ptr;
2174 u8 cmd_len;
2175
2176 cmd_len = sizeof(*cmd) + cmd->plen;
2177
2178 /* Send each command from the firmware data buffer as
2179 * a single Data fragment.
2180 */
2181 err = btusb_intel_secure_send(hdev, 0x01, cmd_len, fw_ptr);
2182 if (err < 0) {
2183 BT_ERR("%s: Failed to send firmware data (%d)",
2184 hdev->name, err);
2185 goto done;
2186 }
2187
2188 fw_ptr += cmd_len;
2189 }
2190
ce6bb929
MH		 2191 set_bit(BTUSB_FIRMWARE_LOADED, &data->flags);
2192
a087a98e
JH		 2193 BT_INFO("%s: Waiting for firmware download to complete", hdev->name);
2194
cda0dd78
MH		 2195 /* Before switching the device into operational mode and with that
2196 * booting the loaded firmware, wait for the bootloader notification
2197 * that all fragments have been successfully received.
2198 *
a087a98e
JH		 2199 * When the event processing receives the notification, then the
2200 * BTUSB_DOWNLOADING flag will be cleared.
2201 *
2202 * The firmware loading should not take longer than 5 seconds
2203 * and thus just timeout if that happens and fail the setup
2204 * of this device.
cda0dd78 2205 */
129a7693
JH		 2206 err = wait_on_bit_timeout(&data->flags, BTUSB_DOWNLOADING,
2207 TASK_INTERRUPTIBLE,
2208 msecs_to_jiffies(5000));
a087a98e
JH		 2209 if (err == 1) {
2210 BT_ERR("%s: Firmware loading interrupted", hdev->name);
2211 err = -EINTR;
2212 goto done;
2213 }
cda0dd78 2214
a087a98e
JH		 2215 if (err) {
2216 BT_ERR("%s: Firmware loading timeout", hdev->name);
2217 err = -ETIMEDOUT;
2218 goto done;
cda0dd78
MH		 2219 }
2220
2221 if (test_bit(BTUSB_FIRMWARE_FAILED, &data->flags)) {
2222 BT_ERR("%s: Firmware loading failed", hdev->name);
2223 err = -ENOEXEC;
2224 goto done;
2225 }
2226
2227 rettime = ktime_get();
2228 delta = ktime_sub(rettime, calltime);
2229 duration = (unsigned long long) ktime_to_ns(delta) >> 10;
2230
2231 BT_INFO("%s: Firmware loaded in %llu usecs", hdev->name, duration);
2232
2233done:
2234 release_firmware(fw);
2235
2236 if (err < 0)
2237 return err;
2238
2239 calltime = ktime_get();
2240
2241 set_bit(BTUSB_BOOTING, &data->flags);
2242
2243 skb = __hci_cmd_sync(hdev, 0xfc01, sizeof(reset_param), reset_param,
2244 HCI_INIT_TIMEOUT);
2245 if (IS_ERR(skb))
2246 return PTR_ERR(skb);
2247
2248 kfree_skb(skb);
2249
2250 /* The bootloader will not indicate when the device is ready. This
2251 * is done by the operational firmware sending bootup notification.
fad70972
JH		 2252 *
2253 * Booting into operational firmware should not take longer than
2254 * 1 second. However if that happens, then just fail the setup
2255 * since something went wrong.
cda0dd78 2256 */
fad70972 2257 BT_INFO("%s: Waiting for device to boot", hdev->name);
cda0dd78 2258
129a7693
JH		 2259 err = wait_on_bit_timeout(&data->flags, BTUSB_BOOTING,
2260 TASK_INTERRUPTIBLE,
2261 msecs_to_jiffies(1000));
cda0dd78 2262
fad70972
JH		 2263 if (err == 1) {
2264 BT_ERR("%s: Device boot interrupted", hdev->name);
2265 return -EINTR;
2266 }
cda0dd78 2267
fad70972
JH		 2268 if (err) {
2269 BT_ERR("%s: Device boot timeout", hdev->name);
2270 return -ETIMEDOUT;
cda0dd78
MH		 2271 }
2272
2273 rettime = ktime_get();
2274 delta = ktime_sub(rettime, calltime);
2275 duration = (unsigned long long) ktime_to_ns(delta) >> 10;
2276
2277 BT_INFO("%s: Device booted in %llu usecs", hdev->name, duration);
2278
2279 clear_bit(BTUSB_BOOTLOADER, &data->flags);
2280
2281 return 0;
2282}
2283
385a768c
MH		 2284static void btusb_hw_error_intel(struct hci_dev *hdev, u8 code)
2285{
2286 struct sk_buff *skb;
2287 u8 type = 0x00;
2288
2289 BT_ERR("%s: Hardware error 0x%2.2x", hdev->name, code);
2290
2291 skb = __hci_cmd_sync(hdev, HCI_OP_RESET, 0, NULL, HCI_INIT_TIMEOUT);
2292 if (IS_ERR(skb)) {
2293 BT_ERR("%s: Reset after hardware error failed (%ld)",
2294 hdev->name, PTR_ERR(skb));
2295 return;
2296 }
2297 kfree_skb(skb);
2298
2299 skb = __hci_cmd_sync(hdev, 0xfc22, 1, &type, HCI_INIT_TIMEOUT);
2300 if (IS_ERR(skb)) {
2301 BT_ERR("%s: Retrieving Intel exception info failed (%ld)",
2302 hdev->name, PTR_ERR(skb));
2303 return;
2304 }
2305
2306 if (skb->len != 13) {
2307 BT_ERR("%s: Exception info size mismatch", hdev->name);
2308 kfree_skb(skb);
2309 return;
2310 }
2311
2312 if (skb->data[0] != 0x00) {
2313 BT_ERR("%s: Exception info command failure (%02x)",
2314 hdev->name, skb->data[0]);
2315 kfree_skb(skb);
2316 return;
2317 }
2318
2319 BT_ERR("%s: Exception info %s", hdev->name, (char *)(skb->data + 1));
2320
2321 kfree_skb(skb);
2322}
2323
cb8d6597
MH		 2324static int btusb_set_bdaddr_intel(struct hci_dev *hdev, const bdaddr_t *bdaddr)
2325{
2326 struct sk_buff *skb;
2327 long ret;
2328
2329 skb = __hci_cmd_sync(hdev, 0xfc31, 6, bdaddr, HCI_INIT_TIMEOUT);
2330 if (IS_ERR(skb)) {
2331 ret = PTR_ERR(skb);
2332 BT_ERR("%s: changing Intel device address failed (%ld)",
89e7533d 2333 hdev->name, ret);
cb8d6597
MH		 2334 return ret;
2335 }
2336 kfree_skb(skb);
2337
2338 return 0;
2339}
2340
bfbd45e9
THJA		 2341static int btusb_shutdown_intel(struct hci_dev *hdev)
2342{
2343 struct sk_buff *skb;
2344 long ret;
2345
2346 /* Some platforms have an issue with BT LED when the interface is
2347 * down or BT radio is turned off, which takes 5 seconds to BT LED
2348 * goes off. This command turns off the BT LED immediately.
2349 */
2350 skb = __hci_cmd_sync(hdev, 0xfc3f, 0, NULL, HCI_INIT_TIMEOUT);
2351 if (IS_ERR(skb)) {
2352 ret = PTR_ERR(skb);
2353 BT_ERR("%s: turning off Intel device LED failed (%ld)",
2354 hdev->name, ret);
2355 return ret;
2356 }
2357 kfree_skb(skb);
2358
2359 return 0;
2360}
2361
ae8df494
AK		 2362static int btusb_set_bdaddr_marvell(struct hci_dev *hdev,
2363 const bdaddr_t *bdaddr)
2364{
2365 struct sk_buff *skb;
2366 u8 buf[8];
2367 long ret;
2368
2369 buf[0] = 0xfe;
2370 buf[1] = sizeof(bdaddr_t);
2371 memcpy(buf + 2, bdaddr, sizeof(bdaddr_t));
2372
2373 skb = __hci_cmd_sync(hdev, 0xfc22, sizeof(buf), buf, HCI_INIT_TIMEOUT);
2374 if (IS_ERR(skb)) {
2375 ret = PTR_ERR(skb);
2376 BT_ERR("%s: changing Marvell device address failed (%ld)",
2377 hdev->name, ret);
2378 return ret;
2379 }
2380 kfree_skb(skb);
2381
2382 return 0;
2383}
2384
18835dfa
MH		 2385static const struct {
2386 u16 subver;
2387 const char *name;
2388} bcm_subver_table[] = {
2389 { 0x210b, "BCM43142A0" }, /* 001.001.011 */
2390 { 0x2112, "BCM4314A0" }, /* 001.001.018 */
2391 { 0x2118, "BCM20702A0" }, /* 001.001.024 */
2392 { 0x2126, "BCM4335A0" }, /* 001.001.038 */
2393 { 0x220e, "BCM20702A1" }, /* 001.002.014 */
2394 { 0x230f, "BCM4354A2" }, /* 001.003.015 */
2395 { 0x4106, "BCM4335B0" }, /* 002.001.006 */
2396 { 0x410e, "BCM20702B0" }, /* 002.001.014 */
2397 { 0x6109, "BCM4335C0" }, /* 003.001.009 */
2398 { 0x610c, "BCM4354" }, /* 003.001.012 */
2399 { }
2400};
2401
c8abb73f
MH		 2402#define BDADDR_BCM20702A0 (&(bdaddr_t) {{0x00, 0xa0, 0x02, 0x70, 0x20, 0x00}})
2403
10d4c673
PG		 2404static int btusb_setup_bcm_patchram(struct hci_dev *hdev)
2405{
2406 struct btusb_data *data = hci_get_drvdata(hdev);
2407 struct usb_device *udev = data->udev;
2408 char fw_name[64];
2409 const struct firmware *fw;
2410 const u8 *fw_ptr;
2411 size_t fw_size;
2412 const struct hci_command_hdr *cmd;
2413 const u8 *cmd_param;
18835dfa
MH		 2414 u16 opcode, subver, rev;
2415 const char *hw_name = NULL;
10d4c673
PG		 2416 struct sk_buff *skb;
2417 struct hci_rp_read_local_version *ver;
c8abb73f 2418 struct hci_rp_read_bd_addr *bda;
10d4c673 2419 long ret;
18835dfa 2420 int i;
10d4c673
PG		 2421
2422 /* Reset */
2423 skb = __hci_cmd_sync(hdev, HCI_OP_RESET, 0, NULL, HCI_INIT_TIMEOUT);
2424 if (IS_ERR(skb)) {
2425 ret = PTR_ERR(skb);
2426 BT_ERR("%s: HCI_OP_RESET failed (%ld)", hdev->name, ret);
18835dfa 2427 return ret;
10d4c673
PG		 2428 }
2429 kfree_skb(skb);
2430
2431 /* Read Local Version Info */
2432 skb = __hci_cmd_sync(hdev, HCI_OP_READ_LOCAL_VERSION, 0, NULL,
2433 HCI_INIT_TIMEOUT);
2434 if (IS_ERR(skb)) {
2435 ret = PTR_ERR(skb);
2436 BT_ERR("%s: HCI_OP_READ_LOCAL_VERSION failed (%ld)",
89e7533d 2437 hdev->name, ret);
18835dfa 2438 return ret;
10d4c673
PG		 2439 }
2440
2441 if (skb->len != sizeof(*ver)) {
2442 BT_ERR("%s: HCI_OP_READ_LOCAL_VERSION event length mismatch",
89e7533d 2443 hdev->name);
10d4c673 2444 kfree_skb(skb);
18835dfa 2445 return -EIO;
10d4c673
PG		 2446 }
2447
89e7533d 2448 ver = (struct hci_rp_read_local_version *)skb->data;
18835dfa
MH		 2449 rev = le16_to_cpu(ver->hci_rev);
2450 subver = le16_to_cpu(ver->lmp_subver);
10d4c673
PG		 2451 kfree_skb(skb);
2452
18835dfa
MH		 2453 for (i = 0; bcm_subver_table[i].name; i++) {
2454 if (subver == bcm_subver_table[i].subver) {
2455 hw_name = bcm_subver_table[i].name;
2456 break;
2457 }
2458 }
2459
2460 BT_INFO("%s: %s (%3.3u.%3.3u.%3.3u) build %4.4u", hdev->name,
2461 hw_name ? : "BCM", (subver & 0x7000) >> 13,
2462 (subver & 0x1f00) >> 8, (subver & 0x00ff), rev & 0x0fff);
2463
2464 snprintf(fw_name, sizeof(fw_name), "brcm/%s-%4.4x-%4.4x.hcd",
2465 hw_name ? : "BCM",
2466 le16_to_cpu(udev->descriptor.idVendor),
2467 le16_to_cpu(udev->descriptor.idProduct));
2468
2469 ret = request_firmware(&fw, fw_name, &hdev->dev);
2470 if (ret < 0) {
2471 BT_INFO("%s: BCM: patch %s not found", hdev->name, fw_name);
2472 return 0;
2473 }
2474
10d4c673
PG		 2475 /* Start Download */
2476 skb = __hci_cmd_sync(hdev, 0xfc2e, 0, NULL, HCI_INIT_TIMEOUT);
2477 if (IS_ERR(skb)) {
2478 ret = PTR_ERR(skb);
2479 BT_ERR("%s: BCM: Download Minidrv command failed (%ld)",
89e7533d 2480 hdev->name, ret);
10d4c673
PG		 2481 goto reset_fw;
2482 }
2483 kfree_skb(skb);
2484
2485 /* 50 msec delay after Download Minidrv completes */
2486 msleep(50);
2487
2488 fw_ptr = fw->data;
2489 fw_size = fw->size;
2490
2491 while (fw_size >= sizeof(*cmd)) {
89e7533d 2492 cmd = (struct hci_command_hdr *)fw_ptr;
10d4c673
PG		 2493 fw_ptr += sizeof(*cmd);
2494 fw_size -= sizeof(*cmd);
2495
2496 if (fw_size < cmd->plen) {
2497 BT_ERR("%s: BCM: patch %s is corrupted",
89e7533d 2498 hdev->name, fw_name);
10d4c673
PG		 2499 ret = -EINVAL;
2500 goto reset_fw;
2501 }
2502
2503 cmd_param = fw_ptr;
2504 fw_ptr += cmd->plen;
2505 fw_size -= cmd->plen;
2506
2507 opcode = le16_to_cpu(cmd->opcode);
2508
2509 skb = __hci_cmd_sync(hdev, opcode, cmd->plen, cmd_param,
2510 HCI_INIT_TIMEOUT);
2511 if (IS_ERR(skb)) {
2512 ret = PTR_ERR(skb);
2513 BT_ERR("%s: BCM: patch command %04x failed (%ld)",
89e7533d 2514 hdev->name, opcode, ret);
10d4c673
PG		 2515 goto reset_fw;
2516 }
2517 kfree_skb(skb);
2518 }
2519
2520 /* 250 msec delay after Launch Ram completes */
2521 msleep(250);
2522
2523reset_fw:
2524 /* Reset */
2525 skb = __hci_cmd_sync(hdev, HCI_OP_RESET, 0, NULL, HCI_INIT_TIMEOUT);
2526 if (IS_ERR(skb)) {
2527 ret = PTR_ERR(skb);
2528 BT_ERR("%s: HCI_OP_RESET failed (%ld)", hdev->name, ret);
2529 goto done;
2530 }
2531 kfree_skb(skb);
2532
2533 /* Read Local Version Info */
2534 skb = __hci_cmd_sync(hdev, HCI_OP_READ_LOCAL_VERSION, 0, NULL,
2535 HCI_INIT_TIMEOUT);
2536 if (IS_ERR(skb)) {
2537 ret = PTR_ERR(skb);
2538 BT_ERR("%s: HCI_OP_READ_LOCAL_VERSION failed (%ld)",
89e7533d 2539 hdev->name, ret);
10d4c673
PG		 2540 goto done;
2541 }
2542
2543 if (skb->len != sizeof(*ver)) {
2544 BT_ERR("%s: HCI_OP_READ_LOCAL_VERSION event length mismatch",
89e7533d 2545 hdev->name);
10d4c673
PG		 2546 kfree_skb(skb);
2547 ret = -EIO;
2548 goto done;
2549 }
2550
89e7533d 2551 ver = (struct hci_rp_read_local_version *)skb->data;
18835dfa
MH		 2552 rev = le16_to_cpu(ver->hci_rev);
2553 subver = le16_to_cpu(ver->lmp_subver);
10d4c673
PG		 2554 kfree_skb(skb);
2555
18835dfa
MH		 2556 BT_INFO("%s: %s (%3.3u.%3.3u.%3.3u) build %4.4u", hdev->name,
2557 hw_name ? : "BCM", (subver & 0x7000) >> 13,
2558 (subver & 0x1f00) >> 8, (subver & 0x00ff), rev & 0x0fff);
2559
c8abb73f
MH		 2560 /* Read BD Address */
2561 skb = __hci_cmd_sync(hdev, HCI_OP_READ_BD_ADDR, 0, NULL,
2562 HCI_INIT_TIMEOUT);
2563 if (IS_ERR(skb)) {
2564 ret = PTR_ERR(skb);
2565 BT_ERR("%s: HCI_OP_READ_BD_ADDR failed (%ld)",
89e7533d 2566 hdev->name, ret);
c8abb73f
MH		 2567 goto done;
2568 }
2569
2570 if (skb->len != sizeof(*bda)) {
2571 BT_ERR("%s: HCI_OP_READ_BD_ADDR event length mismatch",
89e7533d 2572 hdev->name);
c8abb73f
MH		 2573 kfree_skb(skb);
2574 ret = -EIO;
2575 goto done;
2576 }
2577
89e7533d 2578 bda = (struct hci_rp_read_bd_addr *)skb->data;
c8abb73f
MH		 2579 if (bda->status) {
2580 BT_ERR("%s: HCI_OP_READ_BD_ADDR error status (%02x)",
2581 hdev->name, bda->status);
2582 kfree_skb(skb);
2583 ret = -bt_to_errno(bda->status);
2584 goto done;
2585 }
2586
2587 /* The address 00:20:70:02:A0:00 indicates a BCM20702A0 controller
2588 * with no configured address.
2589 */
849e5086 2590 if (!bacmp(&bda->bdaddr, BDADDR_BCM20702A0)) {
c8abb73f
MH		 2591 BT_INFO("%s: BCM: using default device address (%pMR)",
2592 hdev->name, &bda->bdaddr);
849e5086
MH		 2593 set_bit(HCI_QUIRK_INVALID_BDADDR, &hdev->quirks);
2594 }
c8abb73f
MH		 2595
2596 kfree_skb(skb);
2597
10d4c673
PG		 2598done:
2599 release_firmware(fw);
2600
2601 return ret;
2602}
2603
abbaf50e
MH		 2604static int btusb_set_bdaddr_bcm(struct hci_dev *hdev, const bdaddr_t *bdaddr)
2605{
2606 struct sk_buff *skb;
2607 long ret;
2608
2609 skb = __hci_cmd_sync(hdev, 0xfc01, 6, bdaddr, HCI_INIT_TIMEOUT);
2610 if (IS_ERR(skb)) {
2611 ret = PTR_ERR(skb);
2612 BT_ERR("%s: BCM: Change address command failed (%ld)",
89e7533d 2613 hdev->name, ret);
abbaf50e
MH		 2614 return ret;
2615 }
2616 kfree_skb(skb);
2617
2618 return 0;
2619}
2620
5859223e
TK		 2621static int btusb_set_bdaddr_ath3012(struct hci_dev *hdev,
2622 const bdaddr_t *bdaddr)
2623{
2624 struct sk_buff *skb;
2625 u8 buf[10];
2626 long ret;
2627
2628 buf[0] = 0x01;
2629 buf[1] = 0x01;
2630 buf[2] = 0x00;
2631 buf[3] = sizeof(bdaddr_t);
2632 memcpy(buf + 4, bdaddr, sizeof(bdaddr_t));
2633
2634 skb = __hci_cmd_sync(hdev, 0xfc0b, sizeof(buf), buf, HCI_INIT_TIMEOUT);
2635 if (IS_ERR(skb)) {
2636 ret = PTR_ERR(skb);
2637 BT_ERR("%s: Change address command failed (%ld)",
2638 hdev->name, ret);
2639 return ret;
2640 }
2641 kfree_skb(skb);
2642
2643 return 0;
2644}
2645
3267c884
KBYT		 2646#define QCA_DFU_PACKET_LEN 4096
2647
2648#define QCA_GET_TARGET_VERSION 0x09
2649#define QCA_CHECK_STATUS 0x05
2650#define QCA_DFU_DOWNLOAD 0x01
2651
2652#define QCA_SYSCFG_UPDATED 0x40
2653#define QCA_PATCH_UPDATED 0x80
2654#define QCA_DFU_TIMEOUT 3000
2655
2656struct qca_version {
2657 __le32 rom_version;
2658 __le32 patch_version;
2659 __le32 ram_version;
2660 __le32 ref_clock;
2661 __u8 reserved[4];
2662} __packed;
2663
2664struct qca_rampatch_version {
2665 __le16 rom_version;
2666 __le16 patch_version;
2667} __packed;
2668
2669struct qca_device_info {
2670 __le32 rom_version;
2671 __u8 rampatch_hdr; /* length of header in rampatch */
2672 __u8 nvm_hdr; /* length of header in NVM */
2673 __u8 ver_offset; /* offset of version structure in rampatch */
2674};
2675
2676static const struct qca_device_info qca_devices_table[] = {
2677 { 0x00000100, 20, 4, 10 }, /* Rome 1.0 */
2678 { 0x00000101, 20, 4, 10 }, /* Rome 1.1 */
2679 { 0x00000201, 28, 4, 18 }, /* Rome 2.1 */
2680 { 0x00000300, 28, 4, 18 }, /* Rome 3.0 */
2681 { 0x00000302, 28, 4, 18 }, /* Rome 3.2 */
2682};
2683
2684static int btusb_qca_send_vendor_req(struct hci_dev *hdev, u8 request,
2685 void *data, u16 size)
2686{
2687 struct btusb_data *btdata = hci_get_drvdata(hdev);
2688 struct usb_device *udev = btdata->udev;
2689 int pipe, err;
2690 u8 *buf;
2691
2692 buf = kmalloc(size, GFP_KERNEL);
2693 if (!buf)
2694 return -ENOMEM;
2695
2696 /* Found some of USB hosts have IOT issues with ours so that we should
2697 * not wait until HCI layer is ready.
2698 */
2699 pipe = usb_rcvctrlpipe(udev, 0);
2700 err = usb_control_msg(udev, pipe, request, USB_TYPE_VENDOR | USB_DIR_IN,
2701 0, 0, buf, size, USB_CTRL_SET_TIMEOUT);
2702 if (err < 0) {
2703 BT_ERR("%s: Failed to access otp area (%d)", hdev->name, err);
2704 goto done;
2705 }
2706
2707 memcpy(data, buf, size);
2708
2709done:
2710 kfree(buf);
2711
2712 return err;
2713}
2714
2715static int btusb_setup_qca_download_fw(struct hci_dev *hdev,
2716 const struct firmware *firmware,
2717 size_t hdr_size)
2718{
2719 struct btusb_data *btdata = hci_get_drvdata(hdev);
2720 struct usb_device *udev = btdata->udev;
2721 size_t count, size, sent = 0;
2722 int pipe, len, err;
2723 u8 *buf;
2724
2725 buf = kmalloc(QCA_DFU_PACKET_LEN, GFP_KERNEL);
2726 if (!buf)
2727 return -ENOMEM;
2728
2729 count = firmware->size;
2730
2731 size = min_t(size_t, count, hdr_size);
2732 memcpy(buf, firmware->data, size);
2733
2734 /* USB patches should go down to controller through USB path
2735 * because binary format fits to go down through USB channel.
2736 * USB control path is for patching headers and USB bulk is for
2737 * patch body.
2738 */
2739 pipe = usb_sndctrlpipe(udev, 0);
2740 err = usb_control_msg(udev, pipe, QCA_DFU_DOWNLOAD, USB_TYPE_VENDOR,
2741 0, 0, buf, size, USB_CTRL_SET_TIMEOUT);
2742 if (err < 0) {
2743 BT_ERR("%s: Failed to send headers (%d)", hdev->name, err);
2744 goto done;
2745 }
2746
2747 sent += size;
2748 count -= size;
2749
2750 while (count) {
2751 size = min_t(size_t, count, QCA_DFU_PACKET_LEN);
2752
2753 memcpy(buf, firmware->data + sent, size);
2754
2755 pipe = usb_sndbulkpipe(udev, 0x02);
2756 err = usb_bulk_msg(udev, pipe, buf, size, &len,
2757 QCA_DFU_TIMEOUT);
2758 if (err < 0) {
2759 BT_ERR("%s: Failed to send body at %zd of %zd (%d)",
2760 hdev->name, sent, firmware->size, err);
2761 break;
2762 }
2763
2764 if (size != len) {
2765 BT_ERR("%s: Failed to get bulk buffer", hdev->name);
2766 err = -EILSEQ;
2767 break;
2768 }
2769
2770 sent += size;
2771 count -= size;
2772 }
2773
2774done:
2775 kfree(buf);
2776 return err;
2777}
2778
2779static int btusb_setup_qca_load_rampatch(struct hci_dev *hdev,
2780 struct qca_version *ver,
2781 const struct qca_device_info *info)
2782{
2783 struct qca_rampatch_version *rver;
2784 const struct firmware *fw;
2785 char fwname[64];
2786 int err;
2787
2788 snprintf(fwname, sizeof(fwname), "qca/rampatch_usb_%08x.bin",
2789 le32_to_cpu(ver->rom_version));
2790
2791 err = request_firmware(&fw, fwname, &hdev->dev);
2792 if (err) {
2793 BT_ERR("%s: failed to request rampatch file: %s (%d)",
2794 hdev->name, fwname, err);
2795 return err;
2796 }
2797
2798 BT_INFO("%s: using rampatch file: %s", hdev->name, fwname);
2799 rver = (struct qca_rampatch_version *)(fw->data + info->ver_offset);
2800 BT_INFO("%s: QCA: patch rome 0x%x build 0x%x, firmware rome 0x%x "
2801 "build 0x%x", hdev->name, le16_to_cpu(rver->rom_version),
2802 le16_to_cpu(rver->patch_version), le32_to_cpu(ver->rom_version),
2803 le32_to_cpu(ver->patch_version));
2804
2805 if (rver->rom_version != ver->rom_version ||
2806 rver->patch_version <= ver->patch_version) {
2807 BT_ERR("%s: rampatch file version did not match with firmware",
2808 hdev->name);
2809 err = -EINVAL;
2810 goto done;
2811 }
2812
2813 err = btusb_setup_qca_download_fw(hdev, fw, info->rampatch_hdr);
2814
2815done:
2816 release_firmware(fw);
2817
2818 return err;
2819}
2820
2821static int btusb_setup_qca_load_nvm(struct hci_dev *hdev,
2822 struct qca_version *ver,
2823 const struct qca_device_info *info)
2824{
2825 const struct firmware *fw;
2826 char fwname[64];
2827 int err;
2828
2829 snprintf(fwname, sizeof(fwname), "qca/nvm_usb_%08x.bin",
2830 le32_to_cpu(ver->rom_version));
2831
2832 err = request_firmware(&fw, fwname, &hdev->dev);
2833 if (err) {
2834 BT_ERR("%s: failed to request NVM file: %s (%d)",
2835 hdev->name, fwname, err);
2836 return err;
2837 }
2838
2839 BT_INFO("%s: using NVM file: %s", hdev->name, fwname);
2840
2841 err = btusb_setup_qca_download_fw(hdev, fw, info->nvm_hdr);
2842
2843 release_firmware(fw);
2844
2845 return err;
2846}
2847
2848static int btusb_setup_qca(struct hci_dev *hdev)
2849{
2850 const struct qca_device_info *info = NULL;
2851 struct qca_version ver;
2852 u8 status;
2853 int i, err;
2854
2855 err = btusb_qca_send_vendor_req(hdev, QCA_GET_TARGET_VERSION, &ver,
2856 sizeof(ver));
2857 if (err < 0)
2858 return err;
2859
2860 for (i = 0; i < ARRAY_SIZE(qca_devices_table); i++) {
2861 if (ver.rom_version == qca_devices_table[i].rom_version)
2862 info = &qca_devices_table[i];
2863 }
2864 if (!info) {
2865 BT_ERR("%s: don't support firmware rome 0x%x", hdev->name,
2866 le32_to_cpu(ver.rom_version));
2867 return -ENODEV;
2868 }
2869
2870 err = btusb_qca_send_vendor_req(hdev, QCA_CHECK_STATUS, &status,
2871 sizeof(status));
2872 if (err < 0)
2873 return err;
2874
2875 if (!(status & QCA_PATCH_UPDATED)) {
2876 err = btusb_setup_qca_load_rampatch(hdev, &ver, info);
2877 if (err < 0)
2878 return err;
2879 }
2880
2881 if (!(status & QCA_SYSCFG_UPDATED)) {
2882 err = btusb_setup_qca_load_nvm(hdev, &ver, info);
2883 if (err < 0)
2884 return err;
2885 }
2886
2887 return 0;
2888}
2889
5e23b923 2890static int btusb_probe(struct usb_interface *intf,
89e7533d 2891 const struct usb_device_id *id)
5e23b923
MH		 2892{
2893 struct usb_endpoint_descriptor *ep_desc;
2894 struct btusb_data *data;
2895 struct hci_dev *hdev;
2896 int i, err;
2897
2898 BT_DBG("intf %p id %p", intf, id);
2899
cfeb4145 2900 /* interface numbers are hardcoded in the spec */
5e23b923
MH		 2901 if (intf->cur_altsetting->desc.bInterfaceNumber != 0)
2902 return -ENODEV;
2903
2904 if (!id->driver_info) {
2905 const struct usb_device_id *match;
89e7533d 2906
5e23b923
MH		 2907 match = usb_match_id(intf, blacklist_table);
2908 if (match)
2909 id = match;
2910 }
2911
cfeb4145
MH		 2912 if (id->driver_info == BTUSB_IGNORE)
2913 return -ENODEV;
2914
2d25f8b4
SL		 2915 if (id->driver_info & BTUSB_ATH3012) {
2916 struct usb_device *udev = interface_to_usbdev(intf);
2917
2918 /* Old firmware would otherwise let ath3k driver load
2919 * patch and sysconfig files */
2920 if (le16_to_cpu(udev->descriptor.bcdDevice) <= 0x0001)
2921 return -ENODEV;
2922 }
2923
98921dbd 2924 data = devm_kzalloc(&intf->dev, sizeof(*data), GFP_KERNEL);
5e23b923
MH		 2925 if (!data)
2926 return -ENOMEM;
2927
2928 for (i = 0; i < intf->cur_altsetting->desc.bNumEndpoints; i++) {
2929 ep_desc = &intf->cur_altsetting->endpoint[i].desc;
2930
2931 if (!data->intr_ep && usb_endpoint_is_int_in(ep_desc)) {
2932 data->intr_ep = ep_desc;
2933 continue;
2934 }
2935
2936 if (!data->bulk_tx_ep && usb_endpoint_is_bulk_out(ep_desc)) {
2937 data->bulk_tx_ep = ep_desc;
2938 continue;
2939 }
2940
2941 if (!data->bulk_rx_ep && usb_endpoint_is_bulk_in(ep_desc)) {
2942 data->bulk_rx_ep = ep_desc;
2943 continue;
2944 }
2945 }
2946
98921dbd 2947 if (!data->intr_ep || !data->bulk_tx_ep || !data->bulk_rx_ep)
5e23b923 2948 return -ENODEV;
5e23b923 2949
893ba544
MH		 2950 if (id->driver_info & BTUSB_AMP) {
2951 data->cmdreq_type = USB_TYPE_CLASS | 0x01;
2952 data->cmdreq = 0x2b;
2953 } else {
2954 data->cmdreq_type = USB_TYPE_CLASS;
2955 data->cmdreq = 0x00;
2956 }
7a9d4020 2957
5e23b923 2958 data->udev = interface_to_usbdev(intf);
5fbcd260 2959 data->intf = intf;
5e23b923 2960
5e23b923 2961 INIT_WORK(&data->work, btusb_work);
7bee549e 2962 INIT_WORK(&data->waker, btusb_waker);
803b5836
MH		 2963 init_usb_anchor(&data->deferred);
2964 init_usb_anchor(&data->tx_anchor);
7bee549e 2965 spin_lock_init(&data->txlock);
5e23b923 2966
5e23b923
MH		 2967 init_usb_anchor(&data->intr_anchor);
2968 init_usb_anchor(&data->bulk_anchor);
9bfa35fe 2969 init_usb_anchor(&data->isoc_anchor);
803b5836 2970 spin_lock_init(&data->rxlock);
5e23b923 2971
cda0dd78
MH		 2972 if (id->driver_info & BTUSB_INTEL_NEW) {
2973 data->recv_event = btusb_recv_event_intel;
2974 data->recv_bulk = btusb_recv_bulk_intel;
2975 set_bit(BTUSB_BOOTLOADER, &data->flags);
2976 } else {
2977 data->recv_event = hci_recv_frame;
2978 data->recv_bulk = btusb_recv_bulk;
2979 }
2cbd3f5c 2980
5e23b923 2981 hdev = hci_alloc_dev();
98921dbd 2982 if (!hdev)
5e23b923 2983 return -ENOMEM;
5e23b923 2984
c13854ce 2985 hdev->bus = HCI_USB;
155961e8 2986 hci_set_drvdata(hdev, data);
5e23b923 2987
893ba544
MH		 2988 if (id->driver_info & BTUSB_AMP)
2989 hdev->dev_type = HCI_AMP;
2990 else
2991 hdev->dev_type = HCI_BREDR;
2992
5e23b923
MH		 2993 data->hdev = hdev;
2994
2995 SET_HCIDEV_DEV(hdev, &intf->dev);
2996
9f8f962c
MH		 2997 hdev->open = btusb_open;
2998 hdev->close = btusb_close;
2999 hdev->flush = btusb_flush;
3000 hdev->send = btusb_send_frame;
3001 hdev->notify = btusb_notify;
3002
3003 if (id->driver_info & BTUSB_BCM92035)
3004 hdev->setup = btusb_setup_bcm92035;
5e23b923 3005
abbaf50e 3006 if (id->driver_info & BTUSB_BCM_PATCHRAM) {
10d4c673 3007 hdev->setup = btusb_setup_bcm_patchram;
abbaf50e 3008 hdev->set_bdaddr = btusb_set_bdaddr_bcm;
27c3fbe0 3009 set_bit(HCI_QUIRK_STRICT_DUPLICATE_FILTER, &hdev->quirks);
abbaf50e 3010 }
10d4c673 3011
cb8d6597 3012 if (id->driver_info & BTUSB_INTEL) {
dffd30ee 3013 hdev->setup = btusb_setup_intel;
bfbd45e9 3014 hdev->shutdown = btusb_shutdown_intel;
cb8d6597 3015 hdev->set_bdaddr = btusb_set_bdaddr_intel;
c33fb9b4 3016 set_bit(HCI_QUIRK_STRICT_DUPLICATE_FILTER, &hdev->quirks);
cb8d6597 3017 }
dffd30ee 3018
cda0dd78
MH		 3019 if (id->driver_info & BTUSB_INTEL_NEW) {
3020 hdev->send = btusb_send_frame_intel;
3021 hdev->setup = btusb_setup_intel_new;
385a768c 3022 hdev->hw_error = btusb_hw_error_intel;
cda0dd78 3023 hdev->set_bdaddr = btusb_set_bdaddr_intel;
b970c5ba 3024 set_bit(HCI_QUIRK_STRICT_DUPLICATE_FILTER, &hdev->quirks);
cda0dd78
MH		 3025 }
3026
ae8df494
AK		 3027 if (id->driver_info & BTUSB_MARVELL)
3028 hdev->set_bdaddr = btusb_set_bdaddr_marvell;
3029
661cf88a
MH		 3030 if (id->driver_info & BTUSB_SWAVE) {
3031 set_bit(HCI_QUIRK_FIXUP_INQUIRY_MODE, &hdev->quirks);
d57dbe77 3032 set_bit(HCI_QUIRK_BROKEN_LOCAL_COMMANDS, &hdev->quirks);
661cf88a 3033 }
d57dbe77 3034
40df783d
MH		 3035 if (id->driver_info & BTUSB_INTEL_BOOT)
3036 set_bit(HCI_QUIRK_RAW_DEVICE, &hdev->quirks);
3037
79f0c87d 3038 if (id->driver_info & BTUSB_ATH3012) {
5859223e 3039 hdev->set_bdaddr = btusb_set_bdaddr_ath3012;
79f0c87d
JP		 3040 set_bit(HCI_QUIRK_STRICT_DUPLICATE_FILTER, &hdev->quirks);
3041 }
5859223e 3042
3267c884
KBYT		 3043 if (id->driver_info & BTUSB_QCA_ROME) {
3044 data->setup_on_usb = btusb_setup_qca;
3045 hdev->set_bdaddr = btusb_set_bdaddr_ath3012;
3046 }
3047
893ba544
MH		 3048 if (id->driver_info & BTUSB_AMP) {
3049 /* AMP controllers do not support SCO packets */
3050 data->isoc = NULL;
3051 } else {
3052 /* Interface numbers are hardcoded in the specification */
3053 data->isoc = usb_ifnum_to_if(data->udev, 1);
3054 }
9bfa35fe 3055
7a9d4020 3056 if (!reset)
a6c511c6 3057 set_bit(HCI_QUIRK_RESET_ON_CLOSE, &hdev->quirks);
cfeb4145
MH		 3058
3059 if (force_scofix || id->driver_info & BTUSB_WRONG_SCO_MTU) {
3060 if (!disable_scofix)
3061 set_bit(HCI_QUIRK_FIXUP_BUFFER_SIZE, &hdev->quirks);
3062 }
3063
9bfa35fe
MH		 3064 if (id->driver_info & BTUSB_BROKEN_ISOC)
3065 data->isoc = NULL;
3066
7a9d4020
MH		 3067 if (id->driver_info & BTUSB_DIGIANSWER) {
3068 data->cmdreq_type = USB_TYPE_VENDOR;
a6c511c6 3069 set_bit(HCI_QUIRK_RESET_ON_CLOSE, &hdev->quirks);
7a9d4020
MH		 3070 }
3071
3072 if (id->driver_info & BTUSB_CSR) {
3073 struct usb_device *udev = data->udev;
81cac64b 3074 u16 bcdDevice = le16_to_cpu(udev->descriptor.bcdDevice);
7a9d4020
MH		 3075
3076 /* Old firmware would otherwise execute USB reset */
81cac64b 3077 if (bcdDevice < 0x117)
a6c511c6 3078 set_bit(HCI_QUIRK_RESET_ON_CLOSE, &hdev->quirks);
81cac64b
MH		 3079
3080 /* Fake CSR devices with broken commands */
3081 if (bcdDevice <= 0x100)
3082 hdev->setup = btusb_setup_csr;
7a9d4020
MH		 3083 }
3084
cfeb4145 3085 if (id->driver_info & BTUSB_SNIFFER) {
9bfa35fe 3086 struct usb_device *udev = data->udev;
cfeb4145 3087
7a9d4020 3088 /* New sniffer firmware has crippled HCI interface */
cfeb4145
MH		 3089 if (le16_to_cpu(udev->descriptor.bcdDevice) > 0x997)
3090 set_bit(HCI_QUIRK_RAW_DEVICE, &hdev->quirks);
3091 }
3092
3a5ef20c
MH		 3093 if (id->driver_info & BTUSB_INTEL_BOOT) {
3094 /* A bug in the bootloader causes that interrupt interface is
3095 * only enabled after receiving SetInterface(0, AltSetting=0).
3096 */
3097 err = usb_set_interface(data->udev, 0, 0);
3098 if (err < 0) {
3099 BT_ERR("failed to set interface 0, alt 0 %d", err);
3100 hci_free_dev(hdev);
3101 return err;
3102 }
3103 }
3104
9bfa35fe
MH		 3105 if (data->isoc) {
3106 err = usb_driver_claim_interface(&btusb_driver,
89e7533d 3107 data->isoc, data);
9bfa35fe
MH		 3108 if (err < 0) {
3109 hci_free_dev(hdev);
9bfa35fe
MH		 3110 return err;
3111 }
3112 }
3113
5e23b923
MH		 3114 err = hci_register_dev(hdev);
3115 if (err < 0) {
3116 hci_free_dev(hdev);
5e23b923
MH		 3117 return err;
3118 }
3119
3120 usb_set_intfdata(intf, data);
3121
3122 return 0;
3123}
3124
3125static void btusb_disconnect(struct usb_interface *intf)
3126{
3127 struct btusb_data *data = usb_get_intfdata(intf);
3128 struct hci_dev *hdev;
3129
3130 BT_DBG("intf %p", intf);
3131
3132 if (!data)
3133 return;
3134
3135 hdev = data->hdev;
5fbcd260
MH		 3136 usb_set_intfdata(data->intf, NULL);
3137
3138 if (data->isoc)
3139 usb_set_intfdata(data->isoc, NULL);
5e23b923
MH		 3140
3141 hci_unregister_dev(hdev);
3142
5fbcd260
MH		 3143 if (intf == data->isoc)
3144 usb_driver_release_interface(&btusb_driver, data->intf);
3145 else if (data->isoc)
3146 usb_driver_release_interface(&btusb_driver, data->isoc);
3147
5e23b923
MH		 3148 hci_free_dev(hdev);
3149}
3150
7bee549e 3151#ifdef CONFIG_PM
6a88adf2
MH		 3152static int btusb_suspend(struct usb_interface *intf, pm_message_t message)
3153{
3154 struct btusb_data *data = usb_get_intfdata(intf);
3155
3156 BT_DBG("intf %p", intf);
3157
3158 if (data->suspend_count++)
3159 return 0;
3160
7bee549e 3161 spin_lock_irq(&data->txlock);
5b1b0b81 3162 if (!(PMSG_IS_AUTO(message) && data->tx_in_flight)) {
7bee549e
ON		 3163 set_bit(BTUSB_SUSPENDING, &data->flags);
3164 spin_unlock_irq(&data->txlock);
3165 } else {
3166 spin_unlock_irq(&data->txlock);
3167 data->suspend_count--;
3168 return -EBUSY;
3169 }
3170
6a88adf2
MH		 3171 cancel_work_sync(&data->work);
3172
7bee549e 3173 btusb_stop_traffic(data);
6a88adf2
MH		 3174 usb_kill_anchored_urbs(&data->tx_anchor);
3175
6a88adf2
MH		 3176 return 0;
3177}
3178
7bee549e
ON		 3179static void play_deferred(struct btusb_data *data)
3180{
3181 struct urb *urb;
3182 int err;
3183
3184 while ((urb = usb_get_from_anchor(&data->deferred))) {
3185 err = usb_submit_urb(urb, GFP_ATOMIC);
3186 if (err < 0)
3187 break;
3188
3189 data->tx_in_flight++;
3190 }
3191 usb_scuttle_anchored_urbs(&data->deferred);
3192}
3193
6a88adf2
MH		 3194static int btusb_resume(struct usb_interface *intf)
3195{
3196 struct btusb_data *data = usb_get_intfdata(intf);
3197 struct hci_dev *hdev = data->hdev;
7bee549e 3198 int err = 0;
6a88adf2
MH		 3199
3200 BT_DBG("intf %p", intf);
3201
3202 if (--data->suspend_count)
3203 return 0;
3204
3205 if (!test_bit(HCI_RUNNING, &hdev->flags))
7bee549e 3206 goto done;
6a88adf2
MH		 3207
3208 if (test_bit(BTUSB_INTR_RUNNING, &data->flags)) {
3209 err = btusb_submit_intr_urb(hdev, GFP_NOIO);
3210 if (err < 0) {
3211 clear_bit(BTUSB_INTR_RUNNING, &data->flags);
7bee549e 3212 goto failed;
6a88adf2
MH		 3213 }
3214 }
3215
3216 if (test_bit(BTUSB_BULK_RUNNING, &data->flags)) {
43c2e57f
MH		 3217 err = btusb_submit_bulk_urb(hdev, GFP_NOIO);
3218 if (err < 0) {
6a88adf2 3219 clear_bit(BTUSB_BULK_RUNNING, &data->flags);
7bee549e
ON		 3220 goto failed;
3221 }
3222
3223 btusb_submit_bulk_urb(hdev, GFP_NOIO);
6a88adf2
MH		 3224 }
3225
3226 if (test_bit(BTUSB_ISOC_RUNNING, &data->flags)) {
3227 if (btusb_submit_isoc_urb(hdev, GFP_NOIO) < 0)
3228 clear_bit(BTUSB_ISOC_RUNNING, &data->flags);
3229 else
3230 btusb_submit_isoc_urb(hdev, GFP_NOIO);
3231 }
3232
7bee549e
ON		 3233 spin_lock_irq(&data->txlock);
3234 play_deferred(data);
3235 clear_bit(BTUSB_SUSPENDING, &data->flags);
3236 spin_unlock_irq(&data->txlock);
3237 schedule_work(&data->work);
3238
6a88adf2 3239 return 0;
7bee549e
ON		 3240
3241failed:
3242 usb_scuttle_anchored_urbs(&data->deferred);
3243done:
3244 spin_lock_irq(&data->txlock);
3245 clear_bit(BTUSB_SUSPENDING, &data->flags);
3246 spin_unlock_irq(&data->txlock);
3247
3248 return err;
6a88adf2 3249}
7bee549e 3250#endif
6a88adf2 3251
5e23b923
MH		 3252static struct usb_driver btusb_driver = {
3253 .name = "btusb",
3254 .probe = btusb_probe,
3255 .disconnect = btusb_disconnect,
7bee549e 3256#ifdef CONFIG_PM
6a88adf2
MH		 3257 .suspend = btusb_suspend,
3258 .resume = btusb_resume,
7bee549e 3259#endif
5e23b923 3260 .id_table = btusb_table,
7bee549e 3261 .supports_autosuspend = 1,
e1f12eb6 3262 .disable_hub_initiated_lpm = 1,
5e23b923
MH		 3263};
3264
93f1508c 3265module_usb_driver(btusb_driver);
5e23b923 3266
cfeb4145
MH		 3267module_param(disable_scofix, bool, 0644);
3268MODULE_PARM_DESC(disable_scofix, "Disable fixup of wrong SCO buffer size");
3269
3270module_param(force_scofix, bool, 0644);
3271MODULE_PARM_DESC(force_scofix, "Force fixup of wrong SCO buffers size");
3272
3273module_param(reset, bool, 0644);
3274MODULE_PARM_DESC(reset, "Send HCI reset command on initialization");
3275
5e23b923
MH		 3276MODULE_AUTHOR("Marcel Holtmann <marcel@holtmann.org>");
3277MODULE_DESCRIPTION("Generic Bluetooth USB driver ver " VERSION);
3278MODULE_VERSION(VERSION);
3279MODULE_LICENSE("GPL");
Mirror https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git