xref: /openbmc/linux/drivers/bluetooth/btusb.c (revision 275876e2)
1 /*
2  *
3  *  Generic Bluetooth USB driver
4  *
5  *  Copyright (C) 2005-2008  Marcel Holtmann <marcel@holtmann.org>
6  *
7  *
8  *  This program is free software; you can redistribute it and/or modify
9  *  it under the terms of the GNU General Public License as published by
10  *  the Free Software Foundation; either version 2 of the License, or
11  *  (at your option) any later version.
12  *
13  *  This program is distributed in the hope that it will be useful,
14  *  but WITHOUT ANY WARRANTY; without even the implied warranty of
15  *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
16  *  GNU General Public License for more details.
17  *
18  *  You should have received a copy of the GNU General Public License
19  *  along with this program; if not, write to the Free Software
20  *  Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
21  *
22  */
23 
24 #include <linux/module.h>
25 #include <linux/usb.h>
26 #include <linux/firmware.h>
27 
28 #include <net/bluetooth/bluetooth.h>
29 #include <net/bluetooth/hci_core.h>
30 
31 #define VERSION "0.6"
32 
33 static bool disable_scofix;
34 static bool force_scofix;
35 
36 static bool reset = 1;
37 
38 static struct usb_driver btusb_driver;
39 
40 #define BTUSB_IGNORE		0x01
41 #define BTUSB_DIGIANSWER	0x02
42 #define BTUSB_CSR		0x04
43 #define BTUSB_SNIFFER		0x08
44 #define BTUSB_BCM92035		0x10
45 #define BTUSB_BROKEN_ISOC	0x20
46 #define BTUSB_WRONG_SCO_MTU	0x40
47 #define BTUSB_ATH3012		0x80
48 #define BTUSB_INTEL		0x100
49 #define BTUSB_INTEL_BOOT	0x200
50 #define BTUSB_BCM_PATCHRAM	0x400
51 #define BTUSB_MARVELL		0x800
52 
53 static const struct usb_device_id btusb_table[] = {
54 	/* Generic Bluetooth USB device */
55 	{ USB_DEVICE_INFO(0xe0, 0x01, 0x01) },
56 
57 	/* Apple-specific (Broadcom) devices */
58 	{ USB_VENDOR_AND_INTERFACE_INFO(0x05ac, 0xff, 0x01, 0x01) },
59 
60 	/* MediaTek MT76x0E */
61 	{ USB_DEVICE(0x0e8d, 0x763f) },
62 
63 	/* Broadcom SoftSailing reporting vendor specific */
64 	{ USB_DEVICE(0x0a5c, 0x21e1) },
65 
66 	/* Apple MacBookPro 7,1 */
67 	{ USB_DEVICE(0x05ac, 0x8213) },
68 
69 	/* Apple iMac11,1 */
70 	{ USB_DEVICE(0x05ac, 0x8215) },
71 
72 	/* Apple MacBookPro6,2 */
73 	{ USB_DEVICE(0x05ac, 0x8218) },
74 
75 	/* Apple MacBookAir3,1, MacBookAir3,2 */
76 	{ USB_DEVICE(0x05ac, 0x821b) },
77 
78 	/* Apple MacBookAir4,1 */
79 	{ USB_DEVICE(0x05ac, 0x821f) },
80 
81 	/* Apple MacBookPro8,2 */
82 	{ USB_DEVICE(0x05ac, 0x821a) },
83 
84 	/* Apple MacMini5,1 */
85 	{ USB_DEVICE(0x05ac, 0x8281) },
86 
87 	/* AVM BlueFRITZ! USB v2.0 */
88 	{ USB_DEVICE(0x057c, 0x3800) },
89 
90 	/* Bluetooth Ultraport Module from IBM */
91 	{ USB_DEVICE(0x04bf, 0x030a) },
92 
93 	/* ALPS Modules with non-standard id */
94 	{ USB_DEVICE(0x044e, 0x3001) },
95 	{ USB_DEVICE(0x044e, 0x3002) },
96 
97 	/* Ericsson with non-standard id */
98 	{ USB_DEVICE(0x0bdb, 0x1002) },
99 
100 	/* Canyon CN-BTU1 with HID interfaces */
101 	{ USB_DEVICE(0x0c10, 0x0000) },
102 
103 	/* Broadcom BCM20702A0 */
104 	{ USB_DEVICE(0x0489, 0xe042) },
105 	{ USB_DEVICE(0x04ca, 0x2003) },
106 	{ USB_DEVICE(0x0b05, 0x17b5) },
107 	{ USB_DEVICE(0x0b05, 0x17cb) },
108 	{ USB_DEVICE(0x413c, 0x8197) },
109 
110 	/* Foxconn - Hon Hai */
111 	{ USB_VENDOR_AND_INTERFACE_INFO(0x0489, 0xff, 0x01, 0x01) },
112 
113 	/* Broadcom devices with vendor specific id */
114 	{ USB_VENDOR_AND_INTERFACE_INFO(0x0a5c, 0xff, 0x01, 0x01),
115 	  .driver_info = BTUSB_BCM_PATCHRAM },
116 
117 	/* ASUSTek Computer - Broadcom based */
118 	{ USB_VENDOR_AND_INTERFACE_INFO(0x0b05, 0xff, 0x01, 0x01) },
119 
120 	/* Belkin F8065bf - Broadcom based */
121 	{ USB_VENDOR_AND_INTERFACE_INFO(0x050d, 0xff, 0x01, 0x01) },
122 
123 	/* IMC Networks - Broadcom based */
124 	{ USB_VENDOR_AND_INTERFACE_INFO(0x13d3, 0xff, 0x01, 0x01) },
125 
126 	/* Intel Bluetooth USB Bootloader (RAM module) */
127 	{ USB_DEVICE(0x8087, 0x0a5a),
128 	  .driver_info = BTUSB_INTEL_BOOT | BTUSB_BROKEN_ISOC },
129 
130 	{ }	/* Terminating entry */
131 };
132 
133 MODULE_DEVICE_TABLE(usb, btusb_table);
134 
135 static const struct usb_device_id blacklist_table[] = {
136 	/* CSR BlueCore devices */
137 	{ USB_DEVICE(0x0a12, 0x0001), .driver_info = BTUSB_CSR },
138 
139 	/* Broadcom BCM2033 without firmware */
140 	{ USB_DEVICE(0x0a5c, 0x2033), .driver_info = BTUSB_IGNORE },
141 
142 	/* Atheros 3011 with sflash firmware */
143 	{ USB_DEVICE(0x0489, 0xe027), .driver_info = BTUSB_IGNORE },
144 	{ USB_DEVICE(0x0489, 0xe03d), .driver_info = BTUSB_IGNORE },
145 	{ USB_DEVICE(0x0930, 0x0215), .driver_info = BTUSB_IGNORE },
146 	{ USB_DEVICE(0x0cf3, 0x3002), .driver_info = BTUSB_IGNORE },
147 	{ USB_DEVICE(0x0cf3, 0xe019), .driver_info = BTUSB_IGNORE },
148 	{ USB_DEVICE(0x13d3, 0x3304), .driver_info = BTUSB_IGNORE },
149 
150 	/* Atheros AR9285 Malbec with sflash firmware */
151 	{ USB_DEVICE(0x03f0, 0x311d), .driver_info = BTUSB_IGNORE },
152 
153 	/* Atheros 3012 with sflash firmware */
154 	{ USB_DEVICE(0x0489, 0xe04d), .driver_info = BTUSB_ATH3012 },
155 	{ USB_DEVICE(0x0489, 0xe04e), .driver_info = BTUSB_ATH3012 },
156 	{ USB_DEVICE(0x0489, 0xe056), .driver_info = BTUSB_ATH3012 },
157 	{ USB_DEVICE(0x0489, 0xe057), .driver_info = BTUSB_ATH3012 },
158 	{ USB_DEVICE(0x0489, 0xe05f), .driver_info = BTUSB_ATH3012 },
159 	{ USB_DEVICE(0x04c5, 0x1330), .driver_info = BTUSB_ATH3012 },
160 	{ USB_DEVICE(0x04ca, 0x3004), .driver_info = BTUSB_ATH3012 },
161 	{ USB_DEVICE(0x04ca, 0x3005), .driver_info = BTUSB_ATH3012 },
162 	{ USB_DEVICE(0x04ca, 0x3006), .driver_info = BTUSB_ATH3012 },
163 	{ USB_DEVICE(0x04ca, 0x3007), .driver_info = BTUSB_ATH3012 },
164 	{ USB_DEVICE(0x04ca, 0x3008), .driver_info = BTUSB_ATH3012 },
165 	{ USB_DEVICE(0x04ca, 0x300b), .driver_info = BTUSB_ATH3012 },
166 	{ USB_DEVICE(0x0930, 0x0219), .driver_info = BTUSB_ATH3012 },
167 	{ USB_DEVICE(0x0930, 0x0220), .driver_info = BTUSB_ATH3012 },
168 	{ USB_DEVICE(0x0b05, 0x17d0), .driver_info = BTUSB_ATH3012 },
169 	{ USB_DEVICE(0x0cf3, 0x0036), .driver_info = BTUSB_ATH3012 },
170 	{ USB_DEVICE(0x0cf3, 0x3004), .driver_info = BTUSB_ATH3012 },
171 	{ USB_DEVICE(0x0cf3, 0x3008), .driver_info = BTUSB_ATH3012 },
172 	{ USB_DEVICE(0x0cf3, 0x311d), .driver_info = BTUSB_ATH3012 },
173 	{ USB_DEVICE(0x0cf3, 0x311e), .driver_info = BTUSB_ATH3012 },
174 	{ USB_DEVICE(0x0cf3, 0x311f), .driver_info = BTUSB_ATH3012 },
175 	{ USB_DEVICE(0x0cf3, 0x3121), .driver_info = BTUSB_ATH3012 },
176 	{ USB_DEVICE(0x0cf3, 0x817a), .driver_info = BTUSB_ATH3012 },
177 	{ USB_DEVICE(0x0cf3, 0xe003), .driver_info = BTUSB_ATH3012 },
178 	{ USB_DEVICE(0x0cf3, 0xe004), .driver_info = BTUSB_ATH3012 },
179 	{ USB_DEVICE(0x0cf3, 0xe005), .driver_info = BTUSB_ATH3012 },
180 	{ USB_DEVICE(0x13d3, 0x3362), .driver_info = BTUSB_ATH3012 },
181 	{ USB_DEVICE(0x13d3, 0x3375), .driver_info = BTUSB_ATH3012 },
182 	{ USB_DEVICE(0x13d3, 0x3393), .driver_info = BTUSB_ATH3012 },
183 	{ USB_DEVICE(0x13d3, 0x3402), .driver_info = BTUSB_ATH3012 },
184 	{ USB_DEVICE(0x13d3, 0x3432), .driver_info = BTUSB_ATH3012 },
185 
186 	/* Atheros AR5BBU12 with sflash firmware */
187 	{ USB_DEVICE(0x0489, 0xe02c), .driver_info = BTUSB_IGNORE },
188 
189 	/* Atheros AR5BBU12 with sflash firmware */
190 	{ USB_DEVICE(0x0489, 0xe036), .driver_info = BTUSB_ATH3012 },
191 	{ USB_DEVICE(0x0489, 0xe03c), .driver_info = BTUSB_ATH3012 },
192 
193 	/* Broadcom BCM2035 */
194 	{ USB_DEVICE(0x0a5c, 0x2009), .driver_info = BTUSB_BCM92035 },
195 	{ USB_DEVICE(0x0a5c, 0x200a), .driver_info = BTUSB_WRONG_SCO_MTU },
196 	{ USB_DEVICE(0x0a5c, 0x2035), .driver_info = BTUSB_WRONG_SCO_MTU },
197 
198 	/* Broadcom BCM2045 */
199 	{ USB_DEVICE(0x0a5c, 0x2039), .driver_info = BTUSB_WRONG_SCO_MTU },
200 	{ USB_DEVICE(0x0a5c, 0x2101), .driver_info = BTUSB_WRONG_SCO_MTU },
201 
202 	/* IBM/Lenovo ThinkPad with Broadcom chip */
203 	{ USB_DEVICE(0x0a5c, 0x201e), .driver_info = BTUSB_WRONG_SCO_MTU },
204 	{ USB_DEVICE(0x0a5c, 0x2110), .driver_info = BTUSB_WRONG_SCO_MTU },
205 
206 	/* HP laptop with Broadcom chip */
207 	{ USB_DEVICE(0x03f0, 0x171d), .driver_info = BTUSB_WRONG_SCO_MTU },
208 
209 	/* Dell laptop with Broadcom chip */
210 	{ USB_DEVICE(0x413c, 0x8126), .driver_info = BTUSB_WRONG_SCO_MTU },
211 
212 	/* Dell Wireless 370 and 410 devices */
213 	{ USB_DEVICE(0x413c, 0x8152), .driver_info = BTUSB_WRONG_SCO_MTU },
214 	{ USB_DEVICE(0x413c, 0x8156), .driver_info = BTUSB_WRONG_SCO_MTU },
215 
216 	/* Belkin F8T012 and F8T013 devices */
217 	{ USB_DEVICE(0x050d, 0x0012), .driver_info = BTUSB_WRONG_SCO_MTU },
218 	{ USB_DEVICE(0x050d, 0x0013), .driver_info = BTUSB_WRONG_SCO_MTU },
219 
220 	/* Asus WL-BTD202 device */
221 	{ USB_DEVICE(0x0b05, 0x1715), .driver_info = BTUSB_WRONG_SCO_MTU },
222 
223 	/* Kensington Bluetooth USB adapter */
224 	{ USB_DEVICE(0x047d, 0x105e), .driver_info = BTUSB_WRONG_SCO_MTU },
225 
226 	/* RTX Telecom based adapters with buggy SCO support */
227 	{ USB_DEVICE(0x0400, 0x0807), .driver_info = BTUSB_BROKEN_ISOC },
228 	{ USB_DEVICE(0x0400, 0x080a), .driver_info = BTUSB_BROKEN_ISOC },
229 
230 	/* CONWISE Technology based adapters with buggy SCO support */
231 	{ USB_DEVICE(0x0e5e, 0x6622), .driver_info = BTUSB_BROKEN_ISOC },
232 
233 	/* Digianswer devices */
234 	{ USB_DEVICE(0x08fd, 0x0001), .driver_info = BTUSB_DIGIANSWER },
235 	{ USB_DEVICE(0x08fd, 0x0002), .driver_info = BTUSB_IGNORE },
236 
237 	/* CSR BlueCore Bluetooth Sniffer */
238 	{ USB_DEVICE(0x0a12, 0x0002),
239 	  .driver_info = BTUSB_SNIFFER | BTUSB_BROKEN_ISOC },
240 
241 	/* Frontline ComProbe Bluetooth Sniffer */
242 	{ USB_DEVICE(0x16d3, 0x0002),
243 	  .driver_info = BTUSB_SNIFFER | BTUSB_BROKEN_ISOC },
244 
245 	/* Intel Bluetooth device */
246 	{ USB_DEVICE(0x8087, 0x07dc), .driver_info = BTUSB_INTEL },
247 	{ USB_DEVICE(0x8087, 0x0a2a), .driver_info = BTUSB_INTEL },
248 
249 	/* Marvell device */
250 	{ USB_DEVICE(0x1286, 0x2044), .driver_info = BTUSB_MARVELL },
251 	{ USB_DEVICE(0x1286, 0x2046), .driver_info = BTUSB_MARVELL },
252 
253 	{ }	/* Terminating entry */
254 };
255 
256 #define BTUSB_MAX_ISOC_FRAMES	10
257 
258 #define BTUSB_INTR_RUNNING	0
259 #define BTUSB_BULK_RUNNING	1
260 #define BTUSB_ISOC_RUNNING	2
261 #define BTUSB_SUSPENDING	3
262 #define BTUSB_DID_ISO_RESUME	4
263 
264 struct btusb_data {
265 	struct hci_dev       *hdev;
266 	struct usb_device    *udev;
267 	struct usb_interface *intf;
268 	struct usb_interface *isoc;
269 
270 	spinlock_t lock;
271 
272 	unsigned long flags;
273 
274 	struct work_struct work;
275 	struct work_struct waker;
276 
277 	struct usb_anchor tx_anchor;
278 	struct usb_anchor intr_anchor;
279 	struct usb_anchor bulk_anchor;
280 	struct usb_anchor isoc_anchor;
281 	struct usb_anchor deferred;
282 	int tx_in_flight;
283 	spinlock_t txlock;
284 
285 	struct usb_endpoint_descriptor *intr_ep;
286 	struct usb_endpoint_descriptor *bulk_tx_ep;
287 	struct usb_endpoint_descriptor *bulk_rx_ep;
288 	struct usb_endpoint_descriptor *isoc_tx_ep;
289 	struct usb_endpoint_descriptor *isoc_rx_ep;
290 
291 	__u8 cmdreq_type;
292 
293 	unsigned int sco_num;
294 	int isoc_altsetting;
295 	int suspend_count;
296 };
297 
298 static int inc_tx(struct btusb_data *data)
299 {
300 	unsigned long flags;
301 	int rv;
302 
303 	spin_lock_irqsave(&data->txlock, flags);
304 	rv = test_bit(BTUSB_SUSPENDING, &data->flags);
305 	if (!rv)
306 		data->tx_in_flight++;
307 	spin_unlock_irqrestore(&data->txlock, flags);
308 
309 	return rv;
310 }
311 
312 static void btusb_intr_complete(struct urb *urb)
313 {
314 	struct hci_dev *hdev = urb->context;
315 	struct btusb_data *data = hci_get_drvdata(hdev);
316 	int err;
317 
318 	BT_DBG("%s urb %p status %d count %d", hdev->name,
319 					urb, urb->status, urb->actual_length);
320 
321 	if (!test_bit(HCI_RUNNING, &hdev->flags))
322 		return;
323 
324 	if (urb->status == 0) {
325 		hdev->stat.byte_rx += urb->actual_length;
326 
327 		if (hci_recv_fragment(hdev, HCI_EVENT_PKT,
328 						urb->transfer_buffer,
329 						urb->actual_length) < 0) {
330 			BT_ERR("%s corrupted event packet", hdev->name);
331 			hdev->stat.err_rx++;
332 		}
333 	}
334 
335 	if (!test_bit(BTUSB_INTR_RUNNING, &data->flags))
336 		return;
337 
338 	usb_mark_last_busy(data->udev);
339 	usb_anchor_urb(urb, &data->intr_anchor);
340 
341 	err = usb_submit_urb(urb, GFP_ATOMIC);
342 	if (err < 0) {
343 		/* -EPERM: urb is being killed;
344 		 * -ENODEV: device got disconnected */
345 		if (err != -EPERM && err != -ENODEV)
346 			BT_ERR("%s urb %p failed to resubmit (%d)",
347 						hdev->name, urb, -err);
348 		usb_unanchor_urb(urb);
349 	}
350 }
351 
352 static int btusb_submit_intr_urb(struct hci_dev *hdev, gfp_t mem_flags)
353 {
354 	struct btusb_data *data = hci_get_drvdata(hdev);
355 	struct urb *urb;
356 	unsigned char *buf;
357 	unsigned int pipe;
358 	int err, size;
359 
360 	BT_DBG("%s", hdev->name);
361 
362 	if (!data->intr_ep)
363 		return -ENODEV;
364 
365 	urb = usb_alloc_urb(0, mem_flags);
366 	if (!urb)
367 		return -ENOMEM;
368 
369 	size = le16_to_cpu(data->intr_ep->wMaxPacketSize);
370 
371 	buf = kmalloc(size, mem_flags);
372 	if (!buf) {
373 		usb_free_urb(urb);
374 		return -ENOMEM;
375 	}
376 
377 	pipe = usb_rcvintpipe(data->udev, data->intr_ep->bEndpointAddress);
378 
379 	usb_fill_int_urb(urb, data->udev, pipe, buf, size,
380 						btusb_intr_complete, hdev,
381 						data->intr_ep->bInterval);
382 
383 	urb->transfer_flags |= URB_FREE_BUFFER;
384 
385 	usb_anchor_urb(urb, &data->intr_anchor);
386 
387 	err = usb_submit_urb(urb, mem_flags);
388 	if (err < 0) {
389 		if (err != -EPERM && err != -ENODEV)
390 			BT_ERR("%s urb %p submission failed (%d)",
391 						hdev->name, urb, -err);
392 		usb_unanchor_urb(urb);
393 	}
394 
395 	usb_free_urb(urb);
396 
397 	return err;
398 }
399 
400 static void btusb_bulk_complete(struct urb *urb)
401 {
402 	struct hci_dev *hdev = urb->context;
403 	struct btusb_data *data = hci_get_drvdata(hdev);
404 	int err;
405 
406 	BT_DBG("%s urb %p status %d count %d", hdev->name,
407 					urb, urb->status, urb->actual_length);
408 
409 	if (!test_bit(HCI_RUNNING, &hdev->flags))
410 		return;
411 
412 	if (urb->status == 0) {
413 		hdev->stat.byte_rx += urb->actual_length;
414 
415 		if (hci_recv_fragment(hdev, HCI_ACLDATA_PKT,
416 						urb->transfer_buffer,
417 						urb->actual_length) < 0) {
418 			BT_ERR("%s corrupted ACL packet", hdev->name);
419 			hdev->stat.err_rx++;
420 		}
421 	}
422 
423 	if (!test_bit(BTUSB_BULK_RUNNING, &data->flags))
424 		return;
425 
426 	usb_anchor_urb(urb, &data->bulk_anchor);
427 	usb_mark_last_busy(data->udev);
428 
429 	err = usb_submit_urb(urb, GFP_ATOMIC);
430 	if (err < 0) {
431 		/* -EPERM: urb is being killed;
432 		 * -ENODEV: device got disconnected */
433 		if (err != -EPERM && err != -ENODEV)
434 			BT_ERR("%s urb %p failed to resubmit (%d)",
435 						hdev->name, urb, -err);
436 		usb_unanchor_urb(urb);
437 	}
438 }
439 
440 static int btusb_submit_bulk_urb(struct hci_dev *hdev, gfp_t mem_flags)
441 {
442 	struct btusb_data *data = hci_get_drvdata(hdev);
443 	struct urb *urb;
444 	unsigned char *buf;
445 	unsigned int pipe;
446 	int err, size = HCI_MAX_FRAME_SIZE;
447 
448 	BT_DBG("%s", hdev->name);
449 
450 	if (!data->bulk_rx_ep)
451 		return -ENODEV;
452 
453 	urb = usb_alloc_urb(0, mem_flags);
454 	if (!urb)
455 		return -ENOMEM;
456 
457 	buf = kmalloc(size, mem_flags);
458 	if (!buf) {
459 		usb_free_urb(urb);
460 		return -ENOMEM;
461 	}
462 
463 	pipe = usb_rcvbulkpipe(data->udev, data->bulk_rx_ep->bEndpointAddress);
464 
465 	usb_fill_bulk_urb(urb, data->udev, pipe,
466 					buf, size, btusb_bulk_complete, hdev);
467 
468 	urb->transfer_flags |= URB_FREE_BUFFER;
469 
470 	usb_mark_last_busy(data->udev);
471 	usb_anchor_urb(urb, &data->bulk_anchor);
472 
473 	err = usb_submit_urb(urb, mem_flags);
474 	if (err < 0) {
475 		if (err != -EPERM && err != -ENODEV)
476 			BT_ERR("%s urb %p submission failed (%d)",
477 						hdev->name, urb, -err);
478 		usb_unanchor_urb(urb);
479 	}
480 
481 	usb_free_urb(urb);
482 
483 	return err;
484 }
485 
486 static void btusb_isoc_complete(struct urb *urb)
487 {
488 	struct hci_dev *hdev = urb->context;
489 	struct btusb_data *data = hci_get_drvdata(hdev);
490 	int i, err;
491 
492 	BT_DBG("%s urb %p status %d count %d", hdev->name,
493 					urb, urb->status, urb->actual_length);
494 
495 	if (!test_bit(HCI_RUNNING, &hdev->flags))
496 		return;
497 
498 	if (urb->status == 0) {
499 		for (i = 0; i < urb->number_of_packets; i++) {
500 			unsigned int offset = urb->iso_frame_desc[i].offset;
501 			unsigned int length = urb->iso_frame_desc[i].actual_length;
502 
503 			if (urb->iso_frame_desc[i].status)
504 				continue;
505 
506 			hdev->stat.byte_rx += length;
507 
508 			if (hci_recv_fragment(hdev, HCI_SCODATA_PKT,
509 						urb->transfer_buffer + offset,
510 								length) < 0) {
511 				BT_ERR("%s corrupted SCO packet", hdev->name);
512 				hdev->stat.err_rx++;
513 			}
514 		}
515 	}
516 
517 	if (!test_bit(BTUSB_ISOC_RUNNING, &data->flags))
518 		return;
519 
520 	usb_anchor_urb(urb, &data->isoc_anchor);
521 
522 	err = usb_submit_urb(urb, GFP_ATOMIC);
523 	if (err < 0) {
524 		/* -EPERM: urb is being killed;
525 		 * -ENODEV: device got disconnected */
526 		if (err != -EPERM && err != -ENODEV)
527 			BT_ERR("%s urb %p failed to resubmit (%d)",
528 						hdev->name, urb, -err);
529 		usb_unanchor_urb(urb);
530 	}
531 }
532 
533 static inline void __fill_isoc_descriptor(struct urb *urb, int len, int mtu)
534 {
535 	int i, offset = 0;
536 
537 	BT_DBG("len %d mtu %d", len, mtu);
538 
539 	for (i = 0; i < BTUSB_MAX_ISOC_FRAMES && len >= mtu;
540 					i++, offset += mtu, len -= mtu) {
541 		urb->iso_frame_desc[i].offset = offset;
542 		urb->iso_frame_desc[i].length = mtu;
543 	}
544 
545 	if (len && i < BTUSB_MAX_ISOC_FRAMES) {
546 		urb->iso_frame_desc[i].offset = offset;
547 		urb->iso_frame_desc[i].length = len;
548 		i++;
549 	}
550 
551 	urb->number_of_packets = i;
552 }
553 
554 static int btusb_submit_isoc_urb(struct hci_dev *hdev, gfp_t mem_flags)
555 {
556 	struct btusb_data *data = hci_get_drvdata(hdev);
557 	struct urb *urb;
558 	unsigned char *buf;
559 	unsigned int pipe;
560 	int err, size;
561 
562 	BT_DBG("%s", hdev->name);
563 
564 	if (!data->isoc_rx_ep)
565 		return -ENODEV;
566 
567 	urb = usb_alloc_urb(BTUSB_MAX_ISOC_FRAMES, mem_flags);
568 	if (!urb)
569 		return -ENOMEM;
570 
571 	size = le16_to_cpu(data->isoc_rx_ep->wMaxPacketSize) *
572 						BTUSB_MAX_ISOC_FRAMES;
573 
574 	buf = kmalloc(size, mem_flags);
575 	if (!buf) {
576 		usb_free_urb(urb);
577 		return -ENOMEM;
578 	}
579 
580 	pipe = usb_rcvisocpipe(data->udev, data->isoc_rx_ep->bEndpointAddress);
581 
582 	usb_fill_int_urb(urb, data->udev, pipe, buf, size, btusb_isoc_complete,
583 				hdev, data->isoc_rx_ep->bInterval);
584 
585 	urb->transfer_flags  = URB_FREE_BUFFER | URB_ISO_ASAP;
586 
587 	__fill_isoc_descriptor(urb, size,
588 			le16_to_cpu(data->isoc_rx_ep->wMaxPacketSize));
589 
590 	usb_anchor_urb(urb, &data->isoc_anchor);
591 
592 	err = usb_submit_urb(urb, mem_flags);
593 	if (err < 0) {
594 		if (err != -EPERM && err != -ENODEV)
595 			BT_ERR("%s urb %p submission failed (%d)",
596 						hdev->name, urb, -err);
597 		usb_unanchor_urb(urb);
598 	}
599 
600 	usb_free_urb(urb);
601 
602 	return err;
603 }
604 
605 static void btusb_tx_complete(struct urb *urb)
606 {
607 	struct sk_buff *skb = urb->context;
608 	struct hci_dev *hdev = (struct hci_dev *) skb->dev;
609 	struct btusb_data *data = hci_get_drvdata(hdev);
610 
611 	BT_DBG("%s urb %p status %d count %d", hdev->name,
612 					urb, urb->status, urb->actual_length);
613 
614 	if (!test_bit(HCI_RUNNING, &hdev->flags))
615 		goto done;
616 
617 	if (!urb->status)
618 		hdev->stat.byte_tx += urb->transfer_buffer_length;
619 	else
620 		hdev->stat.err_tx++;
621 
622 done:
623 	spin_lock(&data->txlock);
624 	data->tx_in_flight--;
625 	spin_unlock(&data->txlock);
626 
627 	kfree(urb->setup_packet);
628 
629 	kfree_skb(skb);
630 }
631 
632 static void btusb_isoc_tx_complete(struct urb *urb)
633 {
634 	struct sk_buff *skb = urb->context;
635 	struct hci_dev *hdev = (struct hci_dev *) skb->dev;
636 
637 	BT_DBG("%s urb %p status %d count %d", hdev->name,
638 					urb, urb->status, urb->actual_length);
639 
640 	if (!test_bit(HCI_RUNNING, &hdev->flags))
641 		goto done;
642 
643 	if (!urb->status)
644 		hdev->stat.byte_tx += urb->transfer_buffer_length;
645 	else
646 		hdev->stat.err_tx++;
647 
648 done:
649 	kfree(urb->setup_packet);
650 
651 	kfree_skb(skb);
652 }
653 
654 static int btusb_open(struct hci_dev *hdev)
655 {
656 	struct btusb_data *data = hci_get_drvdata(hdev);
657 	int err;
658 
659 	BT_DBG("%s", hdev->name);
660 
661 	err = usb_autopm_get_interface(data->intf);
662 	if (err < 0)
663 		return err;
664 
665 	data->intf->needs_remote_wakeup = 1;
666 
667 	if (test_and_set_bit(HCI_RUNNING, &hdev->flags))
668 		goto done;
669 
670 	if (test_and_set_bit(BTUSB_INTR_RUNNING, &data->flags))
671 		goto done;
672 
673 	err = btusb_submit_intr_urb(hdev, GFP_KERNEL);
674 	if (err < 0)
675 		goto failed;
676 
677 	err = btusb_submit_bulk_urb(hdev, GFP_KERNEL);
678 	if (err < 0) {
679 		usb_kill_anchored_urbs(&data->intr_anchor);
680 		goto failed;
681 	}
682 
683 	set_bit(BTUSB_BULK_RUNNING, &data->flags);
684 	btusb_submit_bulk_urb(hdev, GFP_KERNEL);
685 
686 done:
687 	usb_autopm_put_interface(data->intf);
688 	return 0;
689 
690 failed:
691 	clear_bit(BTUSB_INTR_RUNNING, &data->flags);
692 	clear_bit(HCI_RUNNING, &hdev->flags);
693 	usb_autopm_put_interface(data->intf);
694 	return err;
695 }
696 
697 static void btusb_stop_traffic(struct btusb_data *data)
698 {
699 	usb_kill_anchored_urbs(&data->intr_anchor);
700 	usb_kill_anchored_urbs(&data->bulk_anchor);
701 	usb_kill_anchored_urbs(&data->isoc_anchor);
702 }
703 
704 static int btusb_close(struct hci_dev *hdev)
705 {
706 	struct btusb_data *data = hci_get_drvdata(hdev);
707 	int err;
708 
709 	BT_DBG("%s", hdev->name);
710 
711 	if (!test_and_clear_bit(HCI_RUNNING, &hdev->flags))
712 		return 0;
713 
714 	cancel_work_sync(&data->work);
715 	cancel_work_sync(&data->waker);
716 
717 	clear_bit(BTUSB_ISOC_RUNNING, &data->flags);
718 	clear_bit(BTUSB_BULK_RUNNING, &data->flags);
719 	clear_bit(BTUSB_INTR_RUNNING, &data->flags);
720 
721 	btusb_stop_traffic(data);
722 	err = usb_autopm_get_interface(data->intf);
723 	if (err < 0)
724 		goto failed;
725 
726 	data->intf->needs_remote_wakeup = 0;
727 	usb_autopm_put_interface(data->intf);
728 
729 failed:
730 	usb_scuttle_anchored_urbs(&data->deferred);
731 	return 0;
732 }
733 
734 static int btusb_flush(struct hci_dev *hdev)
735 {
736 	struct btusb_data *data = hci_get_drvdata(hdev);
737 
738 	BT_DBG("%s", hdev->name);
739 
740 	usb_kill_anchored_urbs(&data->tx_anchor);
741 
742 	return 0;
743 }
744 
745 static int btusb_send_frame(struct hci_dev *hdev, struct sk_buff *skb)
746 {
747 	struct btusb_data *data = hci_get_drvdata(hdev);
748 	struct usb_ctrlrequest *dr;
749 	struct urb *urb;
750 	unsigned int pipe;
751 	int err;
752 
753 	BT_DBG("%s", hdev->name);
754 
755 	if (!test_bit(HCI_RUNNING, &hdev->flags))
756 		return -EBUSY;
757 
758 	skb->dev = (void *) hdev;
759 
760 	switch (bt_cb(skb)->pkt_type) {
761 	case HCI_COMMAND_PKT:
762 		urb = usb_alloc_urb(0, GFP_ATOMIC);
763 		if (!urb)
764 			return -ENOMEM;
765 
766 		dr = kmalloc(sizeof(*dr), GFP_ATOMIC);
767 		if (!dr) {
768 			usb_free_urb(urb);
769 			return -ENOMEM;
770 		}
771 
772 		dr->bRequestType = data->cmdreq_type;
773 		dr->bRequest     = 0;
774 		dr->wIndex       = 0;
775 		dr->wValue       = 0;
776 		dr->wLength      = __cpu_to_le16(skb->len);
777 
778 		pipe = usb_sndctrlpipe(data->udev, 0x00);
779 
780 		usb_fill_control_urb(urb, data->udev, pipe, (void *) dr,
781 				skb->data, skb->len, btusb_tx_complete, skb);
782 
783 		hdev->stat.cmd_tx++;
784 		break;
785 
786 	case HCI_ACLDATA_PKT:
787 		if (!data->bulk_tx_ep)
788 			return -ENODEV;
789 
790 		urb = usb_alloc_urb(0, GFP_ATOMIC);
791 		if (!urb)
792 			return -ENOMEM;
793 
794 		pipe = usb_sndbulkpipe(data->udev,
795 					data->bulk_tx_ep->bEndpointAddress);
796 
797 		usb_fill_bulk_urb(urb, data->udev, pipe,
798 				skb->data, skb->len, btusb_tx_complete, skb);
799 
800 		hdev->stat.acl_tx++;
801 		break;
802 
803 	case HCI_SCODATA_PKT:
804 		if (!data->isoc_tx_ep || hci_conn_num(hdev, SCO_LINK) < 1)
805 			return -ENODEV;
806 
807 		urb = usb_alloc_urb(BTUSB_MAX_ISOC_FRAMES, GFP_ATOMIC);
808 		if (!urb)
809 			return -ENOMEM;
810 
811 		pipe = usb_sndisocpipe(data->udev,
812 					data->isoc_tx_ep->bEndpointAddress);
813 
814 		usb_fill_int_urb(urb, data->udev, pipe,
815 				skb->data, skb->len, btusb_isoc_tx_complete,
816 				skb, data->isoc_tx_ep->bInterval);
817 
818 		urb->transfer_flags  = URB_ISO_ASAP;
819 
820 		__fill_isoc_descriptor(urb, skb->len,
821 				le16_to_cpu(data->isoc_tx_ep->wMaxPacketSize));
822 
823 		hdev->stat.sco_tx++;
824 		goto skip_waking;
825 
826 	default:
827 		return -EILSEQ;
828 	}
829 
830 	err = inc_tx(data);
831 	if (err) {
832 		usb_anchor_urb(urb, &data->deferred);
833 		schedule_work(&data->waker);
834 		err = 0;
835 		goto done;
836 	}
837 
838 skip_waking:
839 	usb_anchor_urb(urb, &data->tx_anchor);
840 
841 	err = usb_submit_urb(urb, GFP_ATOMIC);
842 	if (err < 0) {
843 		if (err != -EPERM && err != -ENODEV)
844 			BT_ERR("%s urb %p submission failed (%d)",
845 						hdev->name, urb, -err);
846 		kfree(urb->setup_packet);
847 		usb_unanchor_urb(urb);
848 	} else {
849 		usb_mark_last_busy(data->udev);
850 	}
851 
852 done:
853 	usb_free_urb(urb);
854 	return err;
855 }
856 
857 static void btusb_notify(struct hci_dev *hdev, unsigned int evt)
858 {
859 	struct btusb_data *data = hci_get_drvdata(hdev);
860 
861 	BT_DBG("%s evt %d", hdev->name, evt);
862 
863 	if (hci_conn_num(hdev, SCO_LINK) != data->sco_num) {
864 		data->sco_num = hci_conn_num(hdev, SCO_LINK);
865 		schedule_work(&data->work);
866 	}
867 }
868 
869 static inline int __set_isoc_interface(struct hci_dev *hdev, int altsetting)
870 {
871 	struct btusb_data *data = hci_get_drvdata(hdev);
872 	struct usb_interface *intf = data->isoc;
873 	struct usb_endpoint_descriptor *ep_desc;
874 	int i, err;
875 
876 	if (!data->isoc)
877 		return -ENODEV;
878 
879 	err = usb_set_interface(data->udev, 1, altsetting);
880 	if (err < 0) {
881 		BT_ERR("%s setting interface failed (%d)", hdev->name, -err);
882 		return err;
883 	}
884 
885 	data->isoc_altsetting = altsetting;
886 
887 	data->isoc_tx_ep = NULL;
888 	data->isoc_rx_ep = NULL;
889 
890 	for (i = 0; i < intf->cur_altsetting->desc.bNumEndpoints; i++) {
891 		ep_desc = &intf->cur_altsetting->endpoint[i].desc;
892 
893 		if (!data->isoc_tx_ep && usb_endpoint_is_isoc_out(ep_desc)) {
894 			data->isoc_tx_ep = ep_desc;
895 			continue;
896 		}
897 
898 		if (!data->isoc_rx_ep && usb_endpoint_is_isoc_in(ep_desc)) {
899 			data->isoc_rx_ep = ep_desc;
900 			continue;
901 		}
902 	}
903 
904 	if (!data->isoc_tx_ep || !data->isoc_rx_ep) {
905 		BT_ERR("%s invalid SCO descriptors", hdev->name);
906 		return -ENODEV;
907 	}
908 
909 	return 0;
910 }
911 
912 static void btusb_work(struct work_struct *work)
913 {
914 	struct btusb_data *data = container_of(work, struct btusb_data, work);
915 	struct hci_dev *hdev = data->hdev;
916 	int new_alts;
917 	int err;
918 
919 	if (data->sco_num > 0) {
920 		if (!test_bit(BTUSB_DID_ISO_RESUME, &data->flags)) {
921 			err = usb_autopm_get_interface(data->isoc ? data->isoc : data->intf);
922 			if (err < 0) {
923 				clear_bit(BTUSB_ISOC_RUNNING, &data->flags);
924 				usb_kill_anchored_urbs(&data->isoc_anchor);
925 				return;
926 			}
927 
928 			set_bit(BTUSB_DID_ISO_RESUME, &data->flags);
929 		}
930 
931 		if (hdev->voice_setting & 0x0020) {
932 			static const int alts[3] = { 2, 4, 5 };
933 			new_alts = alts[data->sco_num - 1];
934 		} else {
935 			new_alts = data->sco_num;
936 		}
937 
938 		if (data->isoc_altsetting != new_alts) {
939 			clear_bit(BTUSB_ISOC_RUNNING, &data->flags);
940 			usb_kill_anchored_urbs(&data->isoc_anchor);
941 
942 			if (__set_isoc_interface(hdev, new_alts) < 0)
943 				return;
944 		}
945 
946 		if (!test_and_set_bit(BTUSB_ISOC_RUNNING, &data->flags)) {
947 			if (btusb_submit_isoc_urb(hdev, GFP_KERNEL) < 0)
948 				clear_bit(BTUSB_ISOC_RUNNING, &data->flags);
949 			else
950 				btusb_submit_isoc_urb(hdev, GFP_KERNEL);
951 		}
952 	} else {
953 		clear_bit(BTUSB_ISOC_RUNNING, &data->flags);
954 		usb_kill_anchored_urbs(&data->isoc_anchor);
955 
956 		__set_isoc_interface(hdev, 0);
957 		if (test_and_clear_bit(BTUSB_DID_ISO_RESUME, &data->flags))
958 			usb_autopm_put_interface(data->isoc ? data->isoc : data->intf);
959 	}
960 }
961 
962 static void btusb_waker(struct work_struct *work)
963 {
964 	struct btusb_data *data = container_of(work, struct btusb_data, waker);
965 	int err;
966 
967 	err = usb_autopm_get_interface(data->intf);
968 	if (err < 0)
969 		return;
970 
971 	usb_autopm_put_interface(data->intf);
972 }
973 
974 static int btusb_setup_bcm92035(struct hci_dev *hdev)
975 {
976 	struct sk_buff *skb;
977 	u8 val = 0x00;
978 
979 	BT_DBG("%s", hdev->name);
980 
981 	skb = __hci_cmd_sync(hdev, 0xfc3b, 1, &val, HCI_INIT_TIMEOUT);
982 	if (IS_ERR(skb))
983 		BT_ERR("BCM92035 command failed (%ld)", -PTR_ERR(skb));
984 	else
985 		kfree_skb(skb);
986 
987 	return 0;
988 }
989 
990 static int btusb_setup_csr(struct hci_dev *hdev)
991 {
992 	struct hci_rp_read_local_version *rp;
993 	struct sk_buff *skb;
994 	int ret;
995 
996 	BT_DBG("%s", hdev->name);
997 
998 	skb = __hci_cmd_sync(hdev, HCI_OP_READ_LOCAL_VERSION, 0, NULL,
999 			     HCI_INIT_TIMEOUT);
1000 	if (IS_ERR(skb)) {
1001 		BT_ERR("Reading local version failed (%ld)", -PTR_ERR(skb));
1002 		return -PTR_ERR(skb);
1003 	}
1004 
1005 	rp = (struct hci_rp_read_local_version *) skb->data;
1006 
1007 	if (!rp->status) {
1008 		if (le16_to_cpu(rp->manufacturer) != 10) {
1009 			/* Clear the reset quirk since this is not an actual
1010 			 * early Bluetooth 1.1 device from CSR.
1011 			 */
1012 			clear_bit(HCI_QUIRK_RESET_ON_CLOSE, &hdev->quirks);
1013 
1014 			/* These fake CSR controllers have all a broken
1015 			 * stored link key handling and so just disable it.
1016 			 */
1017 			set_bit(HCI_QUIRK_BROKEN_STORED_LINK_KEY,
1018 				&hdev->quirks);
1019 		}
1020 	}
1021 
1022 	ret = -bt_to_errno(rp->status);
1023 
1024 	kfree_skb(skb);
1025 
1026 	return ret;
1027 }
1028 
1029 struct intel_version {
1030 	u8 status;
1031 	u8 hw_platform;
1032 	u8 hw_variant;
1033 	u8 hw_revision;
1034 	u8 fw_variant;
1035 	u8 fw_revision;
1036 	u8 fw_build_num;
1037 	u8 fw_build_ww;
1038 	u8 fw_build_yy;
1039 	u8 fw_patch_num;
1040 } __packed;
1041 
1042 static const struct firmware *btusb_setup_intel_get_fw(struct hci_dev *hdev,
1043 						struct intel_version *ver)
1044 {
1045 	const struct firmware *fw;
1046 	char fwname[64];
1047 	int ret;
1048 
1049 	snprintf(fwname, sizeof(fwname),
1050 		 "intel/ibt-hw-%x.%x.%x-fw-%x.%x.%x.%x.%x.bseq",
1051 		 ver->hw_platform, ver->hw_variant, ver->hw_revision,
1052 		 ver->fw_variant,  ver->fw_revision, ver->fw_build_num,
1053 		 ver->fw_build_ww, ver->fw_build_yy);
1054 
1055 	ret = request_firmware(&fw, fwname, &hdev->dev);
1056 	if (ret < 0) {
1057 		if (ret == -EINVAL) {
1058 			BT_ERR("%s Intel firmware file request failed (%d)",
1059 			       hdev->name, ret);
1060 			return NULL;
1061 		}
1062 
1063 		BT_ERR("%s failed to open Intel firmware file: %s(%d)",
1064 		       hdev->name, fwname, ret);
1065 
1066 		/* If the correct firmware patch file is not found, use the
1067 		 * default firmware patch file instead
1068 		 */
1069 		snprintf(fwname, sizeof(fwname), "intel/ibt-hw-%x.%x.bseq",
1070 			 ver->hw_platform, ver->hw_variant);
1071 		if (request_firmware(&fw, fwname, &hdev->dev) < 0) {
1072 			BT_ERR("%s failed to open default Intel fw file: %s",
1073 			       hdev->name, fwname);
1074 			return NULL;
1075 		}
1076 	}
1077 
1078 	BT_INFO("%s: Intel Bluetooth firmware file: %s", hdev->name, fwname);
1079 
1080 	return fw;
1081 }
1082 
1083 static int btusb_setup_intel_patching(struct hci_dev *hdev,
1084 				      const struct firmware *fw,
1085 				      const u8 **fw_ptr, int *disable_patch)
1086 {
1087 	struct sk_buff *skb;
1088 	struct hci_command_hdr *cmd;
1089 	const u8 *cmd_param;
1090 	struct hci_event_hdr *evt = NULL;
1091 	const u8 *evt_param = NULL;
1092 	int remain = fw->size - (*fw_ptr - fw->data);
1093 
1094 	/* The first byte indicates the types of the patch command or event.
1095 	 * 0x01 means HCI command and 0x02 is HCI event. If the first bytes
1096 	 * in the current firmware buffer doesn't start with 0x01 or
1097 	 * the size of remain buffer is smaller than HCI command header,
1098 	 * the firmware file is corrupted and it should stop the patching
1099 	 * process.
1100 	 */
1101 	if (remain > HCI_COMMAND_HDR_SIZE && *fw_ptr[0] != 0x01) {
1102 		BT_ERR("%s Intel fw corrupted: invalid cmd read", hdev->name);
1103 		return -EINVAL;
1104 	}
1105 	(*fw_ptr)++;
1106 	remain--;
1107 
1108 	cmd = (struct hci_command_hdr *)(*fw_ptr);
1109 	*fw_ptr += sizeof(*cmd);
1110 	remain -= sizeof(*cmd);
1111 
1112 	/* Ensure that the remain firmware data is long enough than the length
1113 	 * of command parameter. If not, the firmware file is corrupted.
1114 	 */
1115 	if (remain < cmd->plen) {
1116 		BT_ERR("%s Intel fw corrupted: invalid cmd len", hdev->name);
1117 		return -EFAULT;
1118 	}
1119 
1120 	/* If there is a command that loads a patch in the firmware
1121 	 * file, then enable the patch upon success, otherwise just
1122 	 * disable the manufacturer mode, for example patch activation
1123 	 * is not required when the default firmware patch file is used
1124 	 * because there are no patch data to load.
1125 	 */
1126 	if (*disable_patch && le16_to_cpu(cmd->opcode) == 0xfc8e)
1127 		*disable_patch = 0;
1128 
1129 	cmd_param = *fw_ptr;
1130 	*fw_ptr += cmd->plen;
1131 	remain -= cmd->plen;
1132 
1133 	/* This reads the expected events when the above command is sent to the
1134 	 * device. Some vendor commands expects more than one events, for
1135 	 * example command status event followed by vendor specific event.
1136 	 * For this case, it only keeps the last expected event. so the command
1137 	 * can be sent with __hci_cmd_sync_ev() which returns the sk_buff of
1138 	 * last expected event.
1139 	 */
1140 	while (remain > HCI_EVENT_HDR_SIZE && *fw_ptr[0] == 0x02) {
1141 		(*fw_ptr)++;
1142 		remain--;
1143 
1144 		evt = (struct hci_event_hdr *)(*fw_ptr);
1145 		*fw_ptr += sizeof(*evt);
1146 		remain -= sizeof(*evt);
1147 
1148 		if (remain < evt->plen) {
1149 			BT_ERR("%s Intel fw corrupted: invalid evt len",
1150 			       hdev->name);
1151 			return -EFAULT;
1152 		}
1153 
1154 		evt_param = *fw_ptr;
1155 		*fw_ptr += evt->plen;
1156 		remain -= evt->plen;
1157 	}
1158 
1159 	/* Every HCI commands in the firmware file has its correspond event.
1160 	 * If event is not found or remain is smaller than zero, the firmware
1161 	 * file is corrupted.
1162 	 */
1163 	if (!evt || !evt_param || remain < 0) {
1164 		BT_ERR("%s Intel fw corrupted: invalid evt read", hdev->name);
1165 		return -EFAULT;
1166 	}
1167 
1168 	skb = __hci_cmd_sync_ev(hdev, le16_to_cpu(cmd->opcode), cmd->plen,
1169 				cmd_param, evt->evt, HCI_INIT_TIMEOUT);
1170 	if (IS_ERR(skb)) {
1171 		BT_ERR("%s sending Intel patch command (0x%4.4x) failed (%ld)",
1172 		       hdev->name, cmd->opcode, PTR_ERR(skb));
1173 		return PTR_ERR(skb);
1174 	}
1175 
1176 	/* It ensures that the returned event matches the event data read from
1177 	 * the firmware file. At fist, it checks the length and then
1178 	 * the contents of the event.
1179 	 */
1180 	if (skb->len != evt->plen) {
1181 		BT_ERR("%s mismatch event length (opcode 0x%4.4x)", hdev->name,
1182 		       le16_to_cpu(cmd->opcode));
1183 		kfree_skb(skb);
1184 		return -EFAULT;
1185 	}
1186 
1187 	if (memcmp(skb->data, evt_param, evt->plen)) {
1188 		BT_ERR("%s mismatch event parameter (opcode 0x%4.4x)",
1189 		       hdev->name, le16_to_cpu(cmd->opcode));
1190 		kfree_skb(skb);
1191 		return -EFAULT;
1192 	}
1193 	kfree_skb(skb);
1194 
1195 	return 0;
1196 }
1197 
1198 #define BDADDR_INTEL (&(bdaddr_t) {{0x00, 0x8b, 0x9e, 0x19, 0x03, 0x00}})
1199 
1200 static int btusb_check_bdaddr_intel(struct hci_dev *hdev)
1201 {
1202 	struct sk_buff *skb;
1203 	struct hci_rp_read_bd_addr *rp;
1204 
1205 	skb = __hci_cmd_sync(hdev, HCI_OP_READ_BD_ADDR, 0, NULL,
1206 			     HCI_INIT_TIMEOUT);
1207 	if (IS_ERR(skb)) {
1208 		BT_ERR("%s reading Intel device address failed (%ld)",
1209 		       hdev->name, PTR_ERR(skb));
1210 		return PTR_ERR(skb);
1211 	}
1212 
1213 	if (skb->len != sizeof(*rp)) {
1214 		BT_ERR("%s Intel device address length mismatch", hdev->name);
1215 		kfree_skb(skb);
1216 		return -EIO;
1217 	}
1218 
1219 	rp = (struct hci_rp_read_bd_addr *) skb->data;
1220 	if (rp->status) {
1221 		BT_ERR("%s Intel device address result failed (%02x)",
1222 		       hdev->name, rp->status);
1223 		kfree_skb(skb);
1224 		return -bt_to_errno(rp->status);
1225 	}
1226 
1227 	/* For some Intel based controllers, the default Bluetooth device
1228 	 * address 00:03:19:9E:8B:00 can be found. These controllers are
1229 	 * fully operational, but have the danger of duplicate addresses
1230 	 * and that in turn can cause problems with Bluetooth operation.
1231 	 */
1232 	if (!bacmp(&rp->bdaddr, BDADDR_INTEL)) {
1233 		BT_ERR("%s found Intel default device address (%pMR)",
1234 		       hdev->name, &rp->bdaddr);
1235 		set_bit(HCI_QUIRK_INVALID_BDADDR, &hdev->quirks);
1236 	}
1237 
1238 	kfree_skb(skb);
1239 
1240 	return 0;
1241 }
1242 
1243 static int btusb_setup_intel(struct hci_dev *hdev)
1244 {
1245 	struct sk_buff *skb;
1246 	const struct firmware *fw;
1247 	const u8 *fw_ptr;
1248 	int disable_patch;
1249 	struct intel_version *ver;
1250 
1251 	const u8 mfg_enable[] = { 0x01, 0x00 };
1252 	const u8 mfg_disable[] = { 0x00, 0x00 };
1253 	const u8 mfg_reset_deactivate[] = { 0x00, 0x01 };
1254 	const u8 mfg_reset_activate[] = { 0x00, 0x02 };
1255 
1256 	BT_DBG("%s", hdev->name);
1257 
1258 	/* The controller has a bug with the first HCI command sent to it
1259 	 * returning number of completed commands as zero. This would stall the
1260 	 * command processing in the Bluetooth core.
1261 	 *
1262 	 * As a workaround, send HCI Reset command first which will reset the
1263 	 * number of completed commands and allow normal command processing
1264 	 * from now on.
1265 	 */
1266 	skb = __hci_cmd_sync(hdev, HCI_OP_RESET, 0, NULL, HCI_INIT_TIMEOUT);
1267 	if (IS_ERR(skb)) {
1268 		BT_ERR("%s sending initial HCI reset command failed (%ld)",
1269 		       hdev->name, PTR_ERR(skb));
1270 		return PTR_ERR(skb);
1271 	}
1272 	kfree_skb(skb);
1273 
1274 	/* Read Intel specific controller version first to allow selection of
1275 	 * which firmware file to load.
1276 	 *
1277 	 * The returned information are hardware variant and revision plus
1278 	 * firmware variant, revision and build number.
1279 	 */
1280 	skb = __hci_cmd_sync(hdev, 0xfc05, 0, NULL, HCI_INIT_TIMEOUT);
1281 	if (IS_ERR(skb)) {
1282 		BT_ERR("%s reading Intel fw version command failed (%ld)",
1283 		       hdev->name, PTR_ERR(skb));
1284 		return PTR_ERR(skb);
1285 	}
1286 
1287 	if (skb->len != sizeof(*ver)) {
1288 		BT_ERR("%s Intel version event length mismatch", hdev->name);
1289 		kfree_skb(skb);
1290 		return -EIO;
1291 	}
1292 
1293 	ver = (struct intel_version *)skb->data;
1294 	if (ver->status) {
1295 		BT_ERR("%s Intel fw version event failed (%02x)", hdev->name,
1296 		       ver->status);
1297 		kfree_skb(skb);
1298 		return -bt_to_errno(ver->status);
1299 	}
1300 
1301 	BT_INFO("%s: read Intel version: %02x%02x%02x%02x%02x%02x%02x%02x%02x",
1302 		hdev->name, ver->hw_platform, ver->hw_variant,
1303 		ver->hw_revision, ver->fw_variant,  ver->fw_revision,
1304 		ver->fw_build_num, ver->fw_build_ww, ver->fw_build_yy,
1305 		ver->fw_patch_num);
1306 
1307 	/* fw_patch_num indicates the version of patch the device currently
1308 	 * have. If there is no patch data in the device, it is always 0x00.
1309 	 * So, if it is other than 0x00, no need to patch the deivce again.
1310 	 */
1311 	if (ver->fw_patch_num) {
1312 		BT_INFO("%s: Intel device is already patched. patch num: %02x",
1313 			hdev->name, ver->fw_patch_num);
1314 		kfree_skb(skb);
1315 		btusb_check_bdaddr_intel(hdev);
1316 		return 0;
1317 	}
1318 
1319 	/* Opens the firmware patch file based on the firmware version read
1320 	 * from the controller. If it fails to open the matching firmware
1321 	 * patch file, it tries to open the default firmware patch file.
1322 	 * If no patch file is found, allow the device to operate without
1323 	 * a patch.
1324 	 */
1325 	fw = btusb_setup_intel_get_fw(hdev, ver);
1326 	if (!fw) {
1327 		kfree_skb(skb);
1328 		btusb_check_bdaddr_intel(hdev);
1329 		return 0;
1330 	}
1331 	fw_ptr = fw->data;
1332 
1333 	/* This Intel specific command enables the manufacturer mode of the
1334 	 * controller.
1335 	 *
1336 	 * Only while this mode is enabled, the driver can download the
1337 	 * firmware patch data and configuration parameters.
1338 	 */
1339 	skb = __hci_cmd_sync(hdev, 0xfc11, 2, mfg_enable, HCI_INIT_TIMEOUT);
1340 	if (IS_ERR(skb)) {
1341 		BT_ERR("%s entering Intel manufacturer mode failed (%ld)",
1342 		       hdev->name, PTR_ERR(skb));
1343 		release_firmware(fw);
1344 		return PTR_ERR(skb);
1345 	}
1346 
1347 	if (skb->data[0]) {
1348 		u8 evt_status = skb->data[0];
1349 		BT_ERR("%s enable Intel manufacturer mode event failed (%02x)",
1350 		       hdev->name, evt_status);
1351 		kfree_skb(skb);
1352 		release_firmware(fw);
1353 		return -bt_to_errno(evt_status);
1354 	}
1355 	kfree_skb(skb);
1356 
1357 	disable_patch = 1;
1358 
1359 	/* The firmware data file consists of list of Intel specific HCI
1360 	 * commands and its expected events. The first byte indicates the
1361 	 * type of the message, either HCI command or HCI event.
1362 	 *
1363 	 * It reads the command and its expected event from the firmware file,
1364 	 * and send to the controller. Once __hci_cmd_sync_ev() returns,
1365 	 * the returned event is compared with the event read from the firmware
1366 	 * file and it will continue until all the messages are downloaded to
1367 	 * the controller.
1368 	 *
1369 	 * Once the firmware patching is completed successfully,
1370 	 * the manufacturer mode is disabled with reset and activating the
1371 	 * downloaded patch.
1372 	 *
1373 	 * If the firmware patching fails, the manufacturer mode is
1374 	 * disabled with reset and deactivating the patch.
1375 	 *
1376 	 * If the default patch file is used, no reset is done when disabling
1377 	 * the manufacturer.
1378 	 */
1379 	while (fw->size > fw_ptr - fw->data) {
1380 		int ret;
1381 
1382 		ret = btusb_setup_intel_patching(hdev, fw, &fw_ptr,
1383 						 &disable_patch);
1384 		if (ret < 0)
1385 			goto exit_mfg_deactivate;
1386 	}
1387 
1388 	release_firmware(fw);
1389 
1390 	if (disable_patch)
1391 		goto exit_mfg_disable;
1392 
1393 	/* Patching completed successfully and disable the manufacturer mode
1394 	 * with reset and activate the downloaded firmware patches.
1395 	 */
1396 	skb = __hci_cmd_sync(hdev, 0xfc11, sizeof(mfg_reset_activate),
1397 			     mfg_reset_activate, HCI_INIT_TIMEOUT);
1398 	if (IS_ERR(skb)) {
1399 		BT_ERR("%s exiting Intel manufacturer mode failed (%ld)",
1400 		       hdev->name, PTR_ERR(skb));
1401 		return PTR_ERR(skb);
1402 	}
1403 	kfree_skb(skb);
1404 
1405 	BT_INFO("%s: Intel Bluetooth firmware patch completed and activated",
1406 		hdev->name);
1407 
1408 	btusb_check_bdaddr_intel(hdev);
1409 	return 0;
1410 
1411 exit_mfg_disable:
1412 	/* Disable the manufacturer mode without reset */
1413 	skb = __hci_cmd_sync(hdev, 0xfc11, sizeof(mfg_disable), mfg_disable,
1414 			     HCI_INIT_TIMEOUT);
1415 	if (IS_ERR(skb)) {
1416 		BT_ERR("%s exiting Intel manufacturer mode failed (%ld)",
1417 		       hdev->name, PTR_ERR(skb));
1418 		return PTR_ERR(skb);
1419 	}
1420 	kfree_skb(skb);
1421 
1422 	BT_INFO("%s: Intel Bluetooth firmware patch completed", hdev->name);
1423 
1424 	btusb_check_bdaddr_intel(hdev);
1425 	return 0;
1426 
1427 exit_mfg_deactivate:
1428 	release_firmware(fw);
1429 
1430 	/* Patching failed. Disable the manufacturer mode with reset and
1431 	 * deactivate the downloaded firmware patches.
1432 	 */
1433 	skb = __hci_cmd_sync(hdev, 0xfc11, sizeof(mfg_reset_deactivate),
1434 			     mfg_reset_deactivate, HCI_INIT_TIMEOUT);
1435 	if (IS_ERR(skb)) {
1436 		BT_ERR("%s exiting Intel manufacturer mode failed (%ld)",
1437 		       hdev->name, PTR_ERR(skb));
1438 		return PTR_ERR(skb);
1439 	}
1440 	kfree_skb(skb);
1441 
1442 	BT_INFO("%s: Intel Bluetooth firmware patch completed and deactivated",
1443 		hdev->name);
1444 
1445 	btusb_check_bdaddr_intel(hdev);
1446 	return 0;
1447 }
1448 
1449 static int btusb_set_bdaddr_intel(struct hci_dev *hdev, const bdaddr_t *bdaddr)
1450 {
1451 	struct sk_buff *skb;
1452 	long ret;
1453 
1454 	skb = __hci_cmd_sync(hdev, 0xfc31, 6, bdaddr, HCI_INIT_TIMEOUT);
1455 	if (IS_ERR(skb)) {
1456 		ret = PTR_ERR(skb);
1457 		BT_ERR("%s: changing Intel device address failed (%ld)",
1458 			hdev->name, ret);
1459 		return ret;
1460 	}
1461 	kfree_skb(skb);
1462 
1463 	return 0;
1464 }
1465 
1466 static int btusb_set_bdaddr_marvell(struct hci_dev *hdev,
1467 				    const bdaddr_t *bdaddr)
1468 {
1469 	struct sk_buff *skb;
1470 	u8 buf[8];
1471 	long ret;
1472 
1473 	buf[0] = 0xfe;
1474 	buf[1] = sizeof(bdaddr_t);
1475 	memcpy(buf + 2, bdaddr, sizeof(bdaddr_t));
1476 
1477 	skb = __hci_cmd_sync(hdev, 0xfc22, sizeof(buf), buf, HCI_INIT_TIMEOUT);
1478 	if (IS_ERR(skb)) {
1479 		ret = PTR_ERR(skb);
1480 		BT_ERR("%s: changing Marvell device address failed (%ld)",
1481 		       hdev->name, ret);
1482 		return ret;
1483 	}
1484 	kfree_skb(skb);
1485 
1486 	return 0;
1487 }
1488 
1489 #define BDADDR_BCM20702A0 (&(bdaddr_t) {{0x00, 0xa0, 0x02, 0x70, 0x20, 0x00}})
1490 
1491 static int btusb_setup_bcm_patchram(struct hci_dev *hdev)
1492 {
1493 	struct btusb_data *data = hci_get_drvdata(hdev);
1494 	struct usb_device *udev = data->udev;
1495 	char fw_name[64];
1496 	const struct firmware *fw;
1497 	const u8 *fw_ptr;
1498 	size_t fw_size;
1499 	const struct hci_command_hdr *cmd;
1500 	const u8 *cmd_param;
1501 	u16 opcode;
1502 	struct sk_buff *skb;
1503 	struct hci_rp_read_local_version *ver;
1504 	struct hci_rp_read_bd_addr *bda;
1505 	long ret;
1506 
1507 	snprintf(fw_name, sizeof(fw_name), "brcm/%s-%04x-%04x.hcd",
1508 		 udev->product ? udev->product : "BCM",
1509 		 le16_to_cpu(udev->descriptor.idVendor),
1510 		 le16_to_cpu(udev->descriptor.idProduct));
1511 
1512 	ret = request_firmware(&fw, fw_name, &hdev->dev);
1513 	if (ret < 0) {
1514 		BT_INFO("%s: BCM: patch %s not found", hdev->name, fw_name);
1515 		return 0;
1516 	}
1517 
1518 	/* Reset */
1519 	skb = __hci_cmd_sync(hdev, HCI_OP_RESET, 0, NULL, HCI_INIT_TIMEOUT);
1520 	if (IS_ERR(skb)) {
1521 		ret = PTR_ERR(skb);
1522 		BT_ERR("%s: HCI_OP_RESET failed (%ld)", hdev->name, ret);
1523 		goto done;
1524 	}
1525 	kfree_skb(skb);
1526 
1527 	/* Read Local Version Info */
1528 	skb = __hci_cmd_sync(hdev, HCI_OP_READ_LOCAL_VERSION, 0, NULL,
1529 			     HCI_INIT_TIMEOUT);
1530 	if (IS_ERR(skb)) {
1531 		ret = PTR_ERR(skb);
1532 		BT_ERR("%s: HCI_OP_READ_LOCAL_VERSION failed (%ld)",
1533 			hdev->name, ret);
1534 		goto done;
1535 	}
1536 
1537 	if (skb->len != sizeof(*ver)) {
1538 		BT_ERR("%s: HCI_OP_READ_LOCAL_VERSION event length mismatch",
1539 			hdev->name);
1540 		kfree_skb(skb);
1541 		ret = -EIO;
1542 		goto done;
1543 	}
1544 
1545 	ver = (struct hci_rp_read_local_version *) skb->data;
1546 	BT_INFO("%s: BCM: patching hci_ver=%02x hci_rev=%04x lmp_ver=%02x "
1547 		"lmp_subver=%04x", hdev->name, ver->hci_ver, ver->hci_rev,
1548 		ver->lmp_ver, ver->lmp_subver);
1549 	kfree_skb(skb);
1550 
1551 	/* Start Download */
1552 	skb = __hci_cmd_sync(hdev, 0xfc2e, 0, NULL, HCI_INIT_TIMEOUT);
1553 	if (IS_ERR(skb)) {
1554 		ret = PTR_ERR(skb);
1555 		BT_ERR("%s: BCM: Download Minidrv command failed (%ld)",
1556 			hdev->name, ret);
1557 		goto reset_fw;
1558 	}
1559 	kfree_skb(skb);
1560 
1561 	/* 50 msec delay after Download Minidrv completes */
1562 	msleep(50);
1563 
1564 	fw_ptr = fw->data;
1565 	fw_size = fw->size;
1566 
1567 	while (fw_size >= sizeof(*cmd)) {
1568 		cmd = (struct hci_command_hdr *) fw_ptr;
1569 		fw_ptr += sizeof(*cmd);
1570 		fw_size -= sizeof(*cmd);
1571 
1572 		if (fw_size < cmd->plen) {
1573 			BT_ERR("%s: BCM: patch %s is corrupted",
1574 				hdev->name, fw_name);
1575 			ret = -EINVAL;
1576 			goto reset_fw;
1577 		}
1578 
1579 		cmd_param = fw_ptr;
1580 		fw_ptr += cmd->plen;
1581 		fw_size -= cmd->plen;
1582 
1583 		opcode = le16_to_cpu(cmd->opcode);
1584 
1585 		skb = __hci_cmd_sync(hdev, opcode, cmd->plen, cmd_param,
1586 				     HCI_INIT_TIMEOUT);
1587 		if (IS_ERR(skb)) {
1588 			ret = PTR_ERR(skb);
1589 			BT_ERR("%s: BCM: patch command %04x failed (%ld)",
1590 				hdev->name, opcode, ret);
1591 			goto reset_fw;
1592 		}
1593 		kfree_skb(skb);
1594 	}
1595 
1596 	/* 250 msec delay after Launch Ram completes */
1597 	msleep(250);
1598 
1599 reset_fw:
1600 	/* Reset */
1601 	skb = __hci_cmd_sync(hdev, HCI_OP_RESET, 0, NULL, HCI_INIT_TIMEOUT);
1602 	if (IS_ERR(skb)) {
1603 		ret = PTR_ERR(skb);
1604 		BT_ERR("%s: HCI_OP_RESET failed (%ld)", hdev->name, ret);
1605 		goto done;
1606 	}
1607 	kfree_skb(skb);
1608 
1609 	/* Read Local Version Info */
1610 	skb = __hci_cmd_sync(hdev, HCI_OP_READ_LOCAL_VERSION, 0, NULL,
1611 			     HCI_INIT_TIMEOUT);
1612 	if (IS_ERR(skb)) {
1613 		ret = PTR_ERR(skb);
1614 		BT_ERR("%s: HCI_OP_READ_LOCAL_VERSION failed (%ld)",
1615 			hdev->name, ret);
1616 		goto done;
1617 	}
1618 
1619 	if (skb->len != sizeof(*ver)) {
1620 		BT_ERR("%s: HCI_OP_READ_LOCAL_VERSION event length mismatch",
1621 			hdev->name);
1622 		kfree_skb(skb);
1623 		ret = -EIO;
1624 		goto done;
1625 	}
1626 
1627 	ver = (struct hci_rp_read_local_version *) skb->data;
1628 	BT_INFO("%s: BCM: firmware hci_ver=%02x hci_rev=%04x lmp_ver=%02x "
1629 		"lmp_subver=%04x", hdev->name, ver->hci_ver, ver->hci_rev,
1630 		ver->lmp_ver, ver->lmp_subver);
1631 	kfree_skb(skb);
1632 
1633 	/* Read BD Address */
1634 	skb = __hci_cmd_sync(hdev, HCI_OP_READ_BD_ADDR, 0, NULL,
1635 			     HCI_INIT_TIMEOUT);
1636 	if (IS_ERR(skb)) {
1637 		ret = PTR_ERR(skb);
1638 		BT_ERR("%s: HCI_OP_READ_BD_ADDR failed (%ld)",
1639 			hdev->name, ret);
1640 		goto done;
1641 	}
1642 
1643 	if (skb->len != sizeof(*bda)) {
1644 		BT_ERR("%s: HCI_OP_READ_BD_ADDR event length mismatch",
1645 			hdev->name);
1646 		kfree_skb(skb);
1647 		ret = -EIO;
1648 		goto done;
1649 	}
1650 
1651 	bda = (struct hci_rp_read_bd_addr *) skb->data;
1652 	if (bda->status) {
1653 		BT_ERR("%s: HCI_OP_READ_BD_ADDR error status (%02x)",
1654 		       hdev->name, bda->status);
1655 		kfree_skb(skb);
1656 		ret = -bt_to_errno(bda->status);
1657 		goto done;
1658 	}
1659 
1660 	/* The address 00:20:70:02:A0:00 indicates a BCM20702A0 controller
1661 	 * with no configured address.
1662 	 */
1663 	if (!bacmp(&bda->bdaddr, BDADDR_BCM20702A0)) {
1664 		BT_INFO("%s: BCM: using default device address (%pMR)",
1665 			hdev->name, &bda->bdaddr);
1666 		set_bit(HCI_QUIRK_INVALID_BDADDR, &hdev->quirks);
1667 	}
1668 
1669 	kfree_skb(skb);
1670 
1671 done:
1672 	release_firmware(fw);
1673 
1674 	return ret;
1675 }
1676 
1677 static int btusb_set_bdaddr_bcm(struct hci_dev *hdev, const bdaddr_t *bdaddr)
1678 {
1679 	struct sk_buff *skb;
1680 	long ret;
1681 
1682 	skb = __hci_cmd_sync(hdev, 0xfc01, 6, bdaddr, HCI_INIT_TIMEOUT);
1683 	if (IS_ERR(skb)) {
1684 		ret = PTR_ERR(skb);
1685 		BT_ERR("%s: BCM: Change address command failed (%ld)",
1686 			hdev->name, ret);
1687 		return ret;
1688 	}
1689 	kfree_skb(skb);
1690 
1691 	return 0;
1692 }
1693 
1694 static int btusb_probe(struct usb_interface *intf,
1695 				const struct usb_device_id *id)
1696 {
1697 	struct usb_endpoint_descriptor *ep_desc;
1698 	struct btusb_data *data;
1699 	struct hci_dev *hdev;
1700 	int i, err;
1701 
1702 	BT_DBG("intf %p id %p", intf, id);
1703 
1704 	/* interface numbers are hardcoded in the spec */
1705 	if (intf->cur_altsetting->desc.bInterfaceNumber != 0)
1706 		return -ENODEV;
1707 
1708 	if (!id->driver_info) {
1709 		const struct usb_device_id *match;
1710 		match = usb_match_id(intf, blacklist_table);
1711 		if (match)
1712 			id = match;
1713 	}
1714 
1715 	if (id->driver_info == BTUSB_IGNORE)
1716 		return -ENODEV;
1717 
1718 	if (id->driver_info & BTUSB_ATH3012) {
1719 		struct usb_device *udev = interface_to_usbdev(intf);
1720 
1721 		/* Old firmware would otherwise let ath3k driver load
1722 		 * patch and sysconfig files */
1723 		if (le16_to_cpu(udev->descriptor.bcdDevice) <= 0x0001)
1724 			return -ENODEV;
1725 	}
1726 
1727 	data = devm_kzalloc(&intf->dev, sizeof(*data), GFP_KERNEL);
1728 	if (!data)
1729 		return -ENOMEM;
1730 
1731 	for (i = 0; i < intf->cur_altsetting->desc.bNumEndpoints; i++) {
1732 		ep_desc = &intf->cur_altsetting->endpoint[i].desc;
1733 
1734 		if (!data->intr_ep && usb_endpoint_is_int_in(ep_desc)) {
1735 			data->intr_ep = ep_desc;
1736 			continue;
1737 		}
1738 
1739 		if (!data->bulk_tx_ep && usb_endpoint_is_bulk_out(ep_desc)) {
1740 			data->bulk_tx_ep = ep_desc;
1741 			continue;
1742 		}
1743 
1744 		if (!data->bulk_rx_ep && usb_endpoint_is_bulk_in(ep_desc)) {
1745 			data->bulk_rx_ep = ep_desc;
1746 			continue;
1747 		}
1748 	}
1749 
1750 	if (!data->intr_ep || !data->bulk_tx_ep || !data->bulk_rx_ep)
1751 		return -ENODEV;
1752 
1753 	data->cmdreq_type = USB_TYPE_CLASS;
1754 
1755 	data->udev = interface_to_usbdev(intf);
1756 	data->intf = intf;
1757 
1758 	spin_lock_init(&data->lock);
1759 
1760 	INIT_WORK(&data->work, btusb_work);
1761 	INIT_WORK(&data->waker, btusb_waker);
1762 	spin_lock_init(&data->txlock);
1763 
1764 	init_usb_anchor(&data->tx_anchor);
1765 	init_usb_anchor(&data->intr_anchor);
1766 	init_usb_anchor(&data->bulk_anchor);
1767 	init_usb_anchor(&data->isoc_anchor);
1768 	init_usb_anchor(&data->deferred);
1769 
1770 	hdev = hci_alloc_dev();
1771 	if (!hdev)
1772 		return -ENOMEM;
1773 
1774 	hdev->bus = HCI_USB;
1775 	hci_set_drvdata(hdev, data);
1776 
1777 	data->hdev = hdev;
1778 
1779 	SET_HCIDEV_DEV(hdev, &intf->dev);
1780 
1781 	hdev->open   = btusb_open;
1782 	hdev->close  = btusb_close;
1783 	hdev->flush  = btusb_flush;
1784 	hdev->send   = btusb_send_frame;
1785 	hdev->notify = btusb_notify;
1786 
1787 	if (id->driver_info & BTUSB_BCM92035)
1788 		hdev->setup = btusb_setup_bcm92035;
1789 
1790 	if (id->driver_info & BTUSB_BCM_PATCHRAM) {
1791 		hdev->setup = btusb_setup_bcm_patchram;
1792 		hdev->set_bdaddr = btusb_set_bdaddr_bcm;
1793 	}
1794 
1795 	if (id->driver_info & BTUSB_INTEL) {
1796 		hdev->setup = btusb_setup_intel;
1797 		hdev->set_bdaddr = btusb_set_bdaddr_intel;
1798 	}
1799 
1800 	if (id->driver_info & BTUSB_MARVELL)
1801 		hdev->set_bdaddr = btusb_set_bdaddr_marvell;
1802 
1803 	if (id->driver_info & BTUSB_INTEL_BOOT)
1804 		set_bit(HCI_QUIRK_RAW_DEVICE, &hdev->quirks);
1805 
1806 	/* Interface numbers are hardcoded in the specification */
1807 	data->isoc = usb_ifnum_to_if(data->udev, 1);
1808 
1809 	if (!reset)
1810 		set_bit(HCI_QUIRK_RESET_ON_CLOSE, &hdev->quirks);
1811 
1812 	if (force_scofix || id->driver_info & BTUSB_WRONG_SCO_MTU) {
1813 		if (!disable_scofix)
1814 			set_bit(HCI_QUIRK_FIXUP_BUFFER_SIZE, &hdev->quirks);
1815 	}
1816 
1817 	if (id->driver_info & BTUSB_BROKEN_ISOC)
1818 		data->isoc = NULL;
1819 
1820 	if (id->driver_info & BTUSB_DIGIANSWER) {
1821 		data->cmdreq_type = USB_TYPE_VENDOR;
1822 		set_bit(HCI_QUIRK_RESET_ON_CLOSE, &hdev->quirks);
1823 	}
1824 
1825 	if (id->driver_info & BTUSB_CSR) {
1826 		struct usb_device *udev = data->udev;
1827 		u16 bcdDevice = le16_to_cpu(udev->descriptor.bcdDevice);
1828 
1829 		/* Old firmware would otherwise execute USB reset */
1830 		if (bcdDevice < 0x117)
1831 			set_bit(HCI_QUIRK_RESET_ON_CLOSE, &hdev->quirks);
1832 
1833 		/* Fake CSR devices with broken commands */
1834 		if (bcdDevice <= 0x100)
1835 			hdev->setup = btusb_setup_csr;
1836 	}
1837 
1838 	if (id->driver_info & BTUSB_SNIFFER) {
1839 		struct usb_device *udev = data->udev;
1840 
1841 		/* New sniffer firmware has crippled HCI interface */
1842 		if (le16_to_cpu(udev->descriptor.bcdDevice) > 0x997)
1843 			set_bit(HCI_QUIRK_RAW_DEVICE, &hdev->quirks);
1844 	}
1845 
1846 	if (id->driver_info & BTUSB_INTEL_BOOT) {
1847 		/* A bug in the bootloader causes that interrupt interface is
1848 		 * only enabled after receiving SetInterface(0, AltSetting=0).
1849 		 */
1850 		err = usb_set_interface(data->udev, 0, 0);
1851 		if (err < 0) {
1852 			BT_ERR("failed to set interface 0, alt 0 %d", err);
1853 			hci_free_dev(hdev);
1854 			return err;
1855 		}
1856 	}
1857 
1858 	if (data->isoc) {
1859 		err = usb_driver_claim_interface(&btusb_driver,
1860 							data->isoc, data);
1861 		if (err < 0) {
1862 			hci_free_dev(hdev);
1863 			return err;
1864 		}
1865 	}
1866 
1867 	err = hci_register_dev(hdev);
1868 	if (err < 0) {
1869 		hci_free_dev(hdev);
1870 		return err;
1871 	}
1872 
1873 	usb_set_intfdata(intf, data);
1874 
1875 	return 0;
1876 }
1877 
1878 static void btusb_disconnect(struct usb_interface *intf)
1879 {
1880 	struct btusb_data *data = usb_get_intfdata(intf);
1881 	struct hci_dev *hdev;
1882 
1883 	BT_DBG("intf %p", intf);
1884 
1885 	if (!data)
1886 		return;
1887 
1888 	hdev = data->hdev;
1889 	usb_set_intfdata(data->intf, NULL);
1890 
1891 	if (data->isoc)
1892 		usb_set_intfdata(data->isoc, NULL);
1893 
1894 	hci_unregister_dev(hdev);
1895 
1896 	if (intf == data->isoc)
1897 		usb_driver_release_interface(&btusb_driver, data->intf);
1898 	else if (data->isoc)
1899 		usb_driver_release_interface(&btusb_driver, data->isoc);
1900 
1901 	hci_free_dev(hdev);
1902 }
1903 
1904 #ifdef CONFIG_PM
1905 static int btusb_suspend(struct usb_interface *intf, pm_message_t message)
1906 {
1907 	struct btusb_data *data = usb_get_intfdata(intf);
1908 
1909 	BT_DBG("intf %p", intf);
1910 
1911 	if (data->suspend_count++)
1912 		return 0;
1913 
1914 	spin_lock_irq(&data->txlock);
1915 	if (!(PMSG_IS_AUTO(message) && data->tx_in_flight)) {
1916 		set_bit(BTUSB_SUSPENDING, &data->flags);
1917 		spin_unlock_irq(&data->txlock);
1918 	} else {
1919 		spin_unlock_irq(&data->txlock);
1920 		data->suspend_count--;
1921 		return -EBUSY;
1922 	}
1923 
1924 	cancel_work_sync(&data->work);
1925 
1926 	btusb_stop_traffic(data);
1927 	usb_kill_anchored_urbs(&data->tx_anchor);
1928 
1929 	return 0;
1930 }
1931 
1932 static void play_deferred(struct btusb_data *data)
1933 {
1934 	struct urb *urb;
1935 	int err;
1936 
1937 	while ((urb = usb_get_from_anchor(&data->deferred))) {
1938 		err = usb_submit_urb(urb, GFP_ATOMIC);
1939 		if (err < 0)
1940 			break;
1941 
1942 		data->tx_in_flight++;
1943 	}
1944 	usb_scuttle_anchored_urbs(&data->deferred);
1945 }
1946 
1947 static int btusb_resume(struct usb_interface *intf)
1948 {
1949 	struct btusb_data *data = usb_get_intfdata(intf);
1950 	struct hci_dev *hdev = data->hdev;
1951 	int err = 0;
1952 
1953 	BT_DBG("intf %p", intf);
1954 
1955 	if (--data->suspend_count)
1956 		return 0;
1957 
1958 	if (!test_bit(HCI_RUNNING, &hdev->flags))
1959 		goto done;
1960 
1961 	if (test_bit(BTUSB_INTR_RUNNING, &data->flags)) {
1962 		err = btusb_submit_intr_urb(hdev, GFP_NOIO);
1963 		if (err < 0) {
1964 			clear_bit(BTUSB_INTR_RUNNING, &data->flags);
1965 			goto failed;
1966 		}
1967 	}
1968 
1969 	if (test_bit(BTUSB_BULK_RUNNING, &data->flags)) {
1970 		err = btusb_submit_bulk_urb(hdev, GFP_NOIO);
1971 		if (err < 0) {
1972 			clear_bit(BTUSB_BULK_RUNNING, &data->flags);
1973 			goto failed;
1974 		}
1975 
1976 		btusb_submit_bulk_urb(hdev, GFP_NOIO);
1977 	}
1978 
1979 	if (test_bit(BTUSB_ISOC_RUNNING, &data->flags)) {
1980 		if (btusb_submit_isoc_urb(hdev, GFP_NOIO) < 0)
1981 			clear_bit(BTUSB_ISOC_RUNNING, &data->flags);
1982 		else
1983 			btusb_submit_isoc_urb(hdev, GFP_NOIO);
1984 	}
1985 
1986 	spin_lock_irq(&data->txlock);
1987 	play_deferred(data);
1988 	clear_bit(BTUSB_SUSPENDING, &data->flags);
1989 	spin_unlock_irq(&data->txlock);
1990 	schedule_work(&data->work);
1991 
1992 	return 0;
1993 
1994 failed:
1995 	usb_scuttle_anchored_urbs(&data->deferred);
1996 done:
1997 	spin_lock_irq(&data->txlock);
1998 	clear_bit(BTUSB_SUSPENDING, &data->flags);
1999 	spin_unlock_irq(&data->txlock);
2000 
2001 	return err;
2002 }
2003 #endif
2004 
2005 static struct usb_driver btusb_driver = {
2006 	.name		= "btusb",
2007 	.probe		= btusb_probe,
2008 	.disconnect	= btusb_disconnect,
2009 #ifdef CONFIG_PM
2010 	.suspend	= btusb_suspend,
2011 	.resume		= btusb_resume,
2012 #endif
2013 	.id_table	= btusb_table,
2014 	.supports_autosuspend = 1,
2015 	.disable_hub_initiated_lpm = 1,
2016 };
2017 
2018 module_usb_driver(btusb_driver);
2019 
2020 module_param(disable_scofix, bool, 0644);
2021 MODULE_PARM_DESC(disable_scofix, "Disable fixup of wrong SCO buffer size");
2022 
2023 module_param(force_scofix, bool, 0644);
2024 MODULE_PARM_DESC(force_scofix, "Force fixup of wrong SCO buffers size");
2025 
2026 module_param(reset, bool, 0644);
2027 MODULE_PARM_DESC(reset, "Send HCI reset command on initialization");
2028 
2029 MODULE_AUTHOR("Marcel Holtmann <marcel@holtmann.org>");
2030 MODULE_DESCRIPTION("Generic Bluetooth USB driver ver " VERSION);
2031 MODULE_VERSION(VERSION);
2032 MODULE_LICENSE("GPL");
2033