1 /* 2 * 3 * Generic Bluetooth USB driver 4 * 5 * Copyright (C) 2005-2008 Marcel Holtmann <marcel@holtmann.org> 6 * 7 * 8 * This program is free software; you can redistribute it and/or modify 9 * it under the terms of the GNU General Public License as published by 10 * the Free Software Foundation; either version 2 of the License, or 11 * (at your option) any later version. 12 * 13 * This program is distributed in the hope that it will be useful, 14 * but WITHOUT ANY WARRANTY; without even the implied warranty of 15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 16 * GNU General Public License for more details. 17 * 18 * You should have received a copy of the GNU General Public License 19 * along with this program; if not, write to the Free Software 20 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA 21 * 22 */ 23 24 #include <linux/module.h> 25 #include <linux/usb.h> 26 #include <linux/firmware.h> 27 28 #include <net/bluetooth/bluetooth.h> 29 #include <net/bluetooth/hci_core.h> 30 31 #define VERSION "0.7" 32 33 static bool disable_scofix; 34 static bool force_scofix; 35 36 static bool reset = 1; 37 38 static struct usb_driver btusb_driver; 39 40 #define BTUSB_IGNORE 0x01 41 #define BTUSB_DIGIANSWER 0x02 42 #define BTUSB_CSR 0x04 43 #define BTUSB_SNIFFER 0x08 44 #define BTUSB_BCM92035 0x10 45 #define BTUSB_BROKEN_ISOC 0x20 46 #define BTUSB_WRONG_SCO_MTU 0x40 47 #define BTUSB_ATH3012 0x80 48 #define BTUSB_INTEL 0x100 49 #define BTUSB_INTEL_BOOT 0x200 50 #define BTUSB_BCM_PATCHRAM 0x400 51 #define BTUSB_MARVELL 0x800 52 #define BTUSB_SWAVE 0x1000 53 #define BTUSB_INTEL_NEW 0x2000 54 #define BTUSB_AMP 0x4000 55 56 static const struct usb_device_id btusb_table[] = { 57 /* Generic Bluetooth USB device */ 58 { USB_DEVICE_INFO(0xe0, 0x01, 0x01) }, 59 60 /* Generic Bluetooth AMP device */ 61 { USB_DEVICE_INFO(0xe0, 0x01, 0x04), .driver_info = BTUSB_AMP }, 62 63 /* Apple-specific (Broadcom) devices */ 64 { USB_VENDOR_AND_INTERFACE_INFO(0x05ac, 0xff, 0x01, 0x01) }, 65 66 /* MediaTek MT76x0E */ 67 { USB_DEVICE(0x0e8d, 0x763f) }, 68 69 /* Broadcom SoftSailing reporting vendor specific */ 70 { USB_DEVICE(0x0a5c, 0x21e1) }, 71 72 /* Apple MacBookPro 7,1 */ 73 { USB_DEVICE(0x05ac, 0x8213) }, 74 75 /* Apple iMac11,1 */ 76 { USB_DEVICE(0x05ac, 0x8215) }, 77 78 /* Apple MacBookPro6,2 */ 79 { USB_DEVICE(0x05ac, 0x8218) }, 80 81 /* Apple MacBookAir3,1, MacBookAir3,2 */ 82 { USB_DEVICE(0x05ac, 0x821b) }, 83 84 /* Apple MacBookAir4,1 */ 85 { USB_DEVICE(0x05ac, 0x821f) }, 86 87 /* Apple MacBookPro8,2 */ 88 { USB_DEVICE(0x05ac, 0x821a) }, 89 90 /* Apple MacMini5,1 */ 91 { USB_DEVICE(0x05ac, 0x8281) }, 92 93 /* AVM BlueFRITZ! USB v2.0 */ 94 { USB_DEVICE(0x057c, 0x3800), .driver_info = BTUSB_SWAVE }, 95 96 /* Bluetooth Ultraport Module from IBM */ 97 { USB_DEVICE(0x04bf, 0x030a) }, 98 99 /* ALPS Modules with non-standard id */ 100 { USB_DEVICE(0x044e, 0x3001) }, 101 { USB_DEVICE(0x044e, 0x3002) }, 102 103 /* Ericsson with non-standard id */ 104 { USB_DEVICE(0x0bdb, 0x1002) }, 105 106 /* Canyon CN-BTU1 with HID interfaces */ 107 { USB_DEVICE(0x0c10, 0x0000) }, 108 109 /* Broadcom BCM20702A0 */ 110 { USB_DEVICE(0x0489, 0xe042) }, 111 { USB_DEVICE(0x04ca, 0x2003) }, 112 { USB_DEVICE(0x0b05, 0x17b5) }, 113 { USB_DEVICE(0x0b05, 0x17cb) }, 114 { USB_DEVICE(0x413c, 0x8197) }, 115 { USB_DEVICE(0x13d3, 0x3404), 116 .driver_info = BTUSB_BCM_PATCHRAM }, 117 118 /* Broadcom BCM20702B0 (Dynex/Insignia) */ 119 { USB_DEVICE(0x19ff, 0x0239), .driver_info = BTUSB_BCM_PATCHRAM }, 120 121 /* Foxconn - Hon Hai */ 122 { USB_VENDOR_AND_INTERFACE_INFO(0x0489, 0xff, 0x01, 0x01), 123 .driver_info = BTUSB_BCM_PATCHRAM }, 124 125 /* Lite-On Technology - Broadcom based */ 126 { USB_VENDOR_AND_INTERFACE_INFO(0x04ca, 0xff, 0x01, 0x01), 127 .driver_info = BTUSB_BCM_PATCHRAM }, 128 129 /* Broadcom devices with vendor specific id */ 130 { USB_VENDOR_AND_INTERFACE_INFO(0x0a5c, 0xff, 0x01, 0x01), 131 .driver_info = BTUSB_BCM_PATCHRAM }, 132 133 /* ASUSTek Computer - Broadcom based */ 134 { USB_VENDOR_AND_INTERFACE_INFO(0x0b05, 0xff, 0x01, 0x01), 135 .driver_info = BTUSB_BCM_PATCHRAM }, 136 137 /* Belkin F8065bf - Broadcom based */ 138 { USB_VENDOR_AND_INTERFACE_INFO(0x050d, 0xff, 0x01, 0x01) }, 139 140 /* IMC Networks - Broadcom based */ 141 { USB_VENDOR_AND_INTERFACE_INFO(0x13d3, 0xff, 0x01, 0x01) }, 142 143 /* Intel Bluetooth USB Bootloader (RAM module) */ 144 { USB_DEVICE(0x8087, 0x0a5a), 145 .driver_info = BTUSB_INTEL_BOOT | BTUSB_BROKEN_ISOC }, 146 147 { } /* Terminating entry */ 148 }; 149 150 MODULE_DEVICE_TABLE(usb, btusb_table); 151 152 static const struct usb_device_id blacklist_table[] = { 153 /* CSR BlueCore devices */ 154 { USB_DEVICE(0x0a12, 0x0001), .driver_info = BTUSB_CSR }, 155 156 /* Broadcom BCM2033 without firmware */ 157 { USB_DEVICE(0x0a5c, 0x2033), .driver_info = BTUSB_IGNORE }, 158 159 /* Atheros 3011 with sflash firmware */ 160 { USB_DEVICE(0x0489, 0xe027), .driver_info = BTUSB_IGNORE }, 161 { USB_DEVICE(0x0489, 0xe03d), .driver_info = BTUSB_IGNORE }, 162 { USB_DEVICE(0x0930, 0x0215), .driver_info = BTUSB_IGNORE }, 163 { USB_DEVICE(0x0cf3, 0x3002), .driver_info = BTUSB_IGNORE }, 164 { USB_DEVICE(0x0cf3, 0xe019), .driver_info = BTUSB_IGNORE }, 165 { USB_DEVICE(0x13d3, 0x3304), .driver_info = BTUSB_IGNORE }, 166 167 /* Atheros AR9285 Malbec with sflash firmware */ 168 { USB_DEVICE(0x03f0, 0x311d), .driver_info = BTUSB_IGNORE }, 169 170 /* Atheros 3012 with sflash firmware */ 171 { USB_DEVICE(0x0489, 0xe04d), .driver_info = BTUSB_ATH3012 }, 172 { USB_DEVICE(0x0489, 0xe04e), .driver_info = BTUSB_ATH3012 }, 173 { USB_DEVICE(0x0489, 0xe056), .driver_info = BTUSB_ATH3012 }, 174 { USB_DEVICE(0x0489, 0xe057), .driver_info = BTUSB_ATH3012 }, 175 { USB_DEVICE(0x0489, 0xe05f), .driver_info = BTUSB_ATH3012 }, 176 { USB_DEVICE(0x0489, 0xe078), .driver_info = BTUSB_ATH3012 }, 177 { USB_DEVICE(0x04c5, 0x1330), .driver_info = BTUSB_ATH3012 }, 178 { USB_DEVICE(0x04ca, 0x3004), .driver_info = BTUSB_ATH3012 }, 179 { USB_DEVICE(0x04ca, 0x3005), .driver_info = BTUSB_ATH3012 }, 180 { USB_DEVICE(0x04ca, 0x3006), .driver_info = BTUSB_ATH3012 }, 181 { USB_DEVICE(0x04ca, 0x3007), .driver_info = BTUSB_ATH3012 }, 182 { USB_DEVICE(0x04ca, 0x3008), .driver_info = BTUSB_ATH3012 }, 183 { USB_DEVICE(0x04ca, 0x300b), .driver_info = BTUSB_ATH3012 }, 184 { USB_DEVICE(0x04ca, 0x3010), .driver_info = BTUSB_ATH3012 }, 185 { USB_DEVICE(0x0930, 0x0219), .driver_info = BTUSB_ATH3012 }, 186 { USB_DEVICE(0x0930, 0x0220), .driver_info = BTUSB_ATH3012 }, 187 { USB_DEVICE(0x0930, 0x0227), .driver_info = BTUSB_ATH3012 }, 188 { USB_DEVICE(0x0b05, 0x17d0), .driver_info = BTUSB_ATH3012 }, 189 { USB_DEVICE(0x0cf3, 0x0036), .driver_info = BTUSB_ATH3012 }, 190 { USB_DEVICE(0x0cf3, 0x3004), .driver_info = BTUSB_ATH3012 }, 191 { USB_DEVICE(0x0cf3, 0x3008), .driver_info = BTUSB_ATH3012 }, 192 { USB_DEVICE(0x0cf3, 0x311d), .driver_info = BTUSB_ATH3012 }, 193 { USB_DEVICE(0x0cf3, 0x311e), .driver_info = BTUSB_ATH3012 }, 194 { USB_DEVICE(0x0cf3, 0x311f), .driver_info = BTUSB_ATH3012 }, 195 { USB_DEVICE(0x0cf3, 0x3121), .driver_info = BTUSB_ATH3012 }, 196 { USB_DEVICE(0x0cf3, 0x817a), .driver_info = BTUSB_ATH3012 }, 197 { USB_DEVICE(0x0cf3, 0xe003), .driver_info = BTUSB_ATH3012 }, 198 { USB_DEVICE(0x0cf3, 0xe004), .driver_info = BTUSB_ATH3012 }, 199 { USB_DEVICE(0x0cf3, 0xe005), .driver_info = BTUSB_ATH3012 }, 200 { USB_DEVICE(0x13d3, 0x3362), .driver_info = BTUSB_ATH3012 }, 201 { USB_DEVICE(0x13d3, 0x3375), .driver_info = BTUSB_ATH3012 }, 202 { USB_DEVICE(0x13d3, 0x3393), .driver_info = BTUSB_ATH3012 }, 203 { USB_DEVICE(0x13d3, 0x3402), .driver_info = BTUSB_ATH3012 }, 204 { USB_DEVICE(0x13d3, 0x3408), .driver_info = BTUSB_ATH3012 }, 205 { USB_DEVICE(0x13d3, 0x3423), .driver_info = BTUSB_ATH3012 }, 206 { USB_DEVICE(0x13d3, 0x3432), .driver_info = BTUSB_ATH3012 }, 207 208 /* Atheros AR5BBU12 with sflash firmware */ 209 { USB_DEVICE(0x0489, 0xe02c), .driver_info = BTUSB_IGNORE }, 210 211 /* Atheros AR5BBU12 with sflash firmware */ 212 { USB_DEVICE(0x0489, 0xe036), .driver_info = BTUSB_ATH3012 }, 213 { USB_DEVICE(0x0489, 0xe03c), .driver_info = BTUSB_ATH3012 }, 214 215 /* Broadcom BCM2035 */ 216 { USB_DEVICE(0x0a5c, 0x2009), .driver_info = BTUSB_BCM92035 }, 217 { USB_DEVICE(0x0a5c, 0x200a), .driver_info = BTUSB_WRONG_SCO_MTU }, 218 { USB_DEVICE(0x0a5c, 0x2035), .driver_info = BTUSB_WRONG_SCO_MTU }, 219 220 /* Broadcom BCM2045 */ 221 { USB_DEVICE(0x0a5c, 0x2039), .driver_info = BTUSB_WRONG_SCO_MTU }, 222 { USB_DEVICE(0x0a5c, 0x2101), .driver_info = BTUSB_WRONG_SCO_MTU }, 223 224 /* IBM/Lenovo ThinkPad with Broadcom chip */ 225 { USB_DEVICE(0x0a5c, 0x201e), .driver_info = BTUSB_WRONG_SCO_MTU }, 226 { USB_DEVICE(0x0a5c, 0x2110), .driver_info = BTUSB_WRONG_SCO_MTU }, 227 228 /* HP laptop with Broadcom chip */ 229 { USB_DEVICE(0x03f0, 0x171d), .driver_info = BTUSB_WRONG_SCO_MTU }, 230 231 /* Dell laptop with Broadcom chip */ 232 { USB_DEVICE(0x413c, 0x8126), .driver_info = BTUSB_WRONG_SCO_MTU }, 233 234 /* Dell Wireless 370 and 410 devices */ 235 { USB_DEVICE(0x413c, 0x8152), .driver_info = BTUSB_WRONG_SCO_MTU }, 236 { USB_DEVICE(0x413c, 0x8156), .driver_info = BTUSB_WRONG_SCO_MTU }, 237 238 /* Belkin F8T012 and F8T013 devices */ 239 { USB_DEVICE(0x050d, 0x0012), .driver_info = BTUSB_WRONG_SCO_MTU }, 240 { USB_DEVICE(0x050d, 0x0013), .driver_info = BTUSB_WRONG_SCO_MTU }, 241 242 /* Asus WL-BTD202 device */ 243 { USB_DEVICE(0x0b05, 0x1715), .driver_info = BTUSB_WRONG_SCO_MTU }, 244 245 /* Kensington Bluetooth USB adapter */ 246 { USB_DEVICE(0x047d, 0x105e), .driver_info = BTUSB_WRONG_SCO_MTU }, 247 248 /* RTX Telecom based adapters with buggy SCO support */ 249 { USB_DEVICE(0x0400, 0x0807), .driver_info = BTUSB_BROKEN_ISOC }, 250 { USB_DEVICE(0x0400, 0x080a), .driver_info = BTUSB_BROKEN_ISOC }, 251 252 /* CONWISE Technology based adapters with buggy SCO support */ 253 { USB_DEVICE(0x0e5e, 0x6622), .driver_info = BTUSB_BROKEN_ISOC }, 254 255 /* Roper Class 1 Bluetooth Dongle (Silicon Wave based) */ 256 { USB_DEVICE(0x1300, 0x0001), .driver_info = BTUSB_SWAVE }, 257 258 /* Digianswer devices */ 259 { USB_DEVICE(0x08fd, 0x0001), .driver_info = BTUSB_DIGIANSWER }, 260 { USB_DEVICE(0x08fd, 0x0002), .driver_info = BTUSB_IGNORE }, 261 262 /* CSR BlueCore Bluetooth Sniffer */ 263 { USB_DEVICE(0x0a12, 0x0002), 264 .driver_info = BTUSB_SNIFFER | BTUSB_BROKEN_ISOC }, 265 266 /* Frontline ComProbe Bluetooth Sniffer */ 267 { USB_DEVICE(0x16d3, 0x0002), 268 .driver_info = BTUSB_SNIFFER | BTUSB_BROKEN_ISOC }, 269 270 /* Marvell Bluetooth devices */ 271 { USB_DEVICE(0x1286, 0x2044), .driver_info = BTUSB_MARVELL }, 272 { USB_DEVICE(0x1286, 0x2046), .driver_info = BTUSB_MARVELL }, 273 274 /* Intel Bluetooth devices */ 275 { USB_DEVICE(0x8087, 0x07dc), .driver_info = BTUSB_INTEL }, 276 { USB_DEVICE(0x8087, 0x0a2a), .driver_info = BTUSB_INTEL }, 277 { USB_DEVICE(0x8087, 0x0a2b), .driver_info = BTUSB_INTEL_NEW }, 278 279 /* Other Intel Bluetooth devices */ 280 { USB_VENDOR_AND_INTERFACE_INFO(0x8087, 0xe0, 0x01, 0x01), 281 .driver_info = BTUSB_IGNORE }, 282 283 { } /* Terminating entry */ 284 }; 285 286 #define BTUSB_MAX_ISOC_FRAMES 10 287 288 #define BTUSB_INTR_RUNNING 0 289 #define BTUSB_BULK_RUNNING 1 290 #define BTUSB_ISOC_RUNNING 2 291 #define BTUSB_SUSPENDING 3 292 #define BTUSB_DID_ISO_RESUME 4 293 #define BTUSB_BOOTLOADER 5 294 #define BTUSB_DOWNLOADING 6 295 #define BTUSB_FIRMWARE_LOADED 7 296 #define BTUSB_FIRMWARE_FAILED 8 297 #define BTUSB_BOOTING 9 298 299 struct btusb_data { 300 struct hci_dev *hdev; 301 struct usb_device *udev; 302 struct usb_interface *intf; 303 struct usb_interface *isoc; 304 305 unsigned long flags; 306 307 struct work_struct work; 308 struct work_struct waker; 309 310 struct usb_anchor deferred; 311 struct usb_anchor tx_anchor; 312 int tx_in_flight; 313 spinlock_t txlock; 314 315 struct usb_anchor intr_anchor; 316 struct usb_anchor bulk_anchor; 317 struct usb_anchor isoc_anchor; 318 spinlock_t rxlock; 319 320 struct sk_buff *evt_skb; 321 struct sk_buff *acl_skb; 322 struct sk_buff *sco_skb; 323 324 struct usb_endpoint_descriptor *intr_ep; 325 struct usb_endpoint_descriptor *bulk_tx_ep; 326 struct usb_endpoint_descriptor *bulk_rx_ep; 327 struct usb_endpoint_descriptor *isoc_tx_ep; 328 struct usb_endpoint_descriptor *isoc_rx_ep; 329 330 __u8 cmdreq_type; 331 __u8 cmdreq; 332 333 unsigned int sco_num; 334 int isoc_altsetting; 335 int suspend_count; 336 337 int (*recv_event)(struct hci_dev *hdev, struct sk_buff *skb); 338 int (*recv_bulk)(struct btusb_data *data, void *buffer, int count); 339 }; 340 341 static int btusb_wait_on_bit_timeout(void *word, int bit, unsigned long timeout, 342 unsigned mode) 343 { 344 might_sleep(); 345 if (!test_bit(bit, word)) 346 return 0; 347 return out_of_line_wait_on_bit_timeout(word, bit, bit_wait_timeout, 348 mode, timeout); 349 } 350 351 static inline void btusb_free_frags(struct btusb_data *data) 352 { 353 unsigned long flags; 354 355 spin_lock_irqsave(&data->rxlock, flags); 356 357 kfree_skb(data->evt_skb); 358 data->evt_skb = NULL; 359 360 kfree_skb(data->acl_skb); 361 data->acl_skb = NULL; 362 363 kfree_skb(data->sco_skb); 364 data->sco_skb = NULL; 365 366 spin_unlock_irqrestore(&data->rxlock, flags); 367 } 368 369 static int btusb_recv_intr(struct btusb_data *data, void *buffer, int count) 370 { 371 struct sk_buff *skb; 372 int err = 0; 373 374 spin_lock(&data->rxlock); 375 skb = data->evt_skb; 376 377 while (count) { 378 int len; 379 380 if (!skb) { 381 skb = bt_skb_alloc(HCI_MAX_EVENT_SIZE, GFP_ATOMIC); 382 if (!skb) { 383 err = -ENOMEM; 384 break; 385 } 386 387 bt_cb(skb)->pkt_type = HCI_EVENT_PKT; 388 bt_cb(skb)->expect = HCI_EVENT_HDR_SIZE; 389 } 390 391 len = min_t(uint, bt_cb(skb)->expect, count); 392 memcpy(skb_put(skb, len), buffer, len); 393 394 count -= len; 395 buffer += len; 396 bt_cb(skb)->expect -= len; 397 398 if (skb->len == HCI_EVENT_HDR_SIZE) { 399 /* Complete event header */ 400 bt_cb(skb)->expect = hci_event_hdr(skb)->plen; 401 402 if (skb_tailroom(skb) < bt_cb(skb)->expect) { 403 kfree_skb(skb); 404 skb = NULL; 405 406 err = -EILSEQ; 407 break; 408 } 409 } 410 411 if (bt_cb(skb)->expect == 0) { 412 /* Complete frame */ 413 data->recv_event(data->hdev, skb); 414 skb = NULL; 415 } 416 } 417 418 data->evt_skb = skb; 419 spin_unlock(&data->rxlock); 420 421 return err; 422 } 423 424 static int btusb_recv_bulk(struct btusb_data *data, void *buffer, int count) 425 { 426 struct sk_buff *skb; 427 int err = 0; 428 429 spin_lock(&data->rxlock); 430 skb = data->acl_skb; 431 432 while (count) { 433 int len; 434 435 if (!skb) { 436 skb = bt_skb_alloc(HCI_MAX_FRAME_SIZE, GFP_ATOMIC); 437 if (!skb) { 438 err = -ENOMEM; 439 break; 440 } 441 442 bt_cb(skb)->pkt_type = HCI_ACLDATA_PKT; 443 bt_cb(skb)->expect = HCI_ACL_HDR_SIZE; 444 } 445 446 len = min_t(uint, bt_cb(skb)->expect, count); 447 memcpy(skb_put(skb, len), buffer, len); 448 449 count -= len; 450 buffer += len; 451 bt_cb(skb)->expect -= len; 452 453 if (skb->len == HCI_ACL_HDR_SIZE) { 454 __le16 dlen = hci_acl_hdr(skb)->dlen; 455 456 /* Complete ACL header */ 457 bt_cb(skb)->expect = __le16_to_cpu(dlen); 458 459 if (skb_tailroom(skb) < bt_cb(skb)->expect) { 460 kfree_skb(skb); 461 skb = NULL; 462 463 err = -EILSEQ; 464 break; 465 } 466 } 467 468 if (bt_cb(skb)->expect == 0) { 469 /* Complete frame */ 470 hci_recv_frame(data->hdev, skb); 471 skb = NULL; 472 } 473 } 474 475 data->acl_skb = skb; 476 spin_unlock(&data->rxlock); 477 478 return err; 479 } 480 481 static int btusb_recv_isoc(struct btusb_data *data, void *buffer, int count) 482 { 483 struct sk_buff *skb; 484 int err = 0; 485 486 spin_lock(&data->rxlock); 487 skb = data->sco_skb; 488 489 while (count) { 490 int len; 491 492 if (!skb) { 493 skb = bt_skb_alloc(HCI_MAX_SCO_SIZE, GFP_ATOMIC); 494 if (!skb) { 495 err = -ENOMEM; 496 break; 497 } 498 499 bt_cb(skb)->pkt_type = HCI_SCODATA_PKT; 500 bt_cb(skb)->expect = HCI_SCO_HDR_SIZE; 501 } 502 503 len = min_t(uint, bt_cb(skb)->expect, count); 504 memcpy(skb_put(skb, len), buffer, len); 505 506 count -= len; 507 buffer += len; 508 bt_cb(skb)->expect -= len; 509 510 if (skb->len == HCI_SCO_HDR_SIZE) { 511 /* Complete SCO header */ 512 bt_cb(skb)->expect = hci_sco_hdr(skb)->dlen; 513 514 if (skb_tailroom(skb) < bt_cb(skb)->expect) { 515 kfree_skb(skb); 516 skb = NULL; 517 518 err = -EILSEQ; 519 break; 520 } 521 } 522 523 if (bt_cb(skb)->expect == 0) { 524 /* Complete frame */ 525 hci_recv_frame(data->hdev, skb); 526 skb = NULL; 527 } 528 } 529 530 data->sco_skb = skb; 531 spin_unlock(&data->rxlock); 532 533 return err; 534 } 535 536 static void btusb_intr_complete(struct urb *urb) 537 { 538 struct hci_dev *hdev = urb->context; 539 struct btusb_data *data = hci_get_drvdata(hdev); 540 int err; 541 542 BT_DBG("%s urb %p status %d count %d", hdev->name, urb, urb->status, 543 urb->actual_length); 544 545 if (!test_bit(HCI_RUNNING, &hdev->flags)) 546 return; 547 548 if (urb->status == 0) { 549 hdev->stat.byte_rx += urb->actual_length; 550 551 if (btusb_recv_intr(data, urb->transfer_buffer, 552 urb->actual_length) < 0) { 553 BT_ERR("%s corrupted event packet", hdev->name); 554 hdev->stat.err_rx++; 555 } 556 } else if (urb->status == -ENOENT) { 557 /* Avoid suspend failed when usb_kill_urb */ 558 return; 559 } 560 561 if (!test_bit(BTUSB_INTR_RUNNING, &data->flags)) 562 return; 563 564 usb_mark_last_busy(data->udev); 565 usb_anchor_urb(urb, &data->intr_anchor); 566 567 err = usb_submit_urb(urb, GFP_ATOMIC); 568 if (err < 0) { 569 /* -EPERM: urb is being killed; 570 * -ENODEV: device got disconnected */ 571 if (err != -EPERM && err != -ENODEV) 572 BT_ERR("%s urb %p failed to resubmit (%d)", 573 hdev->name, urb, -err); 574 usb_unanchor_urb(urb); 575 } 576 } 577 578 static int btusb_submit_intr_urb(struct hci_dev *hdev, gfp_t mem_flags) 579 { 580 struct btusb_data *data = hci_get_drvdata(hdev); 581 struct urb *urb; 582 unsigned char *buf; 583 unsigned int pipe; 584 int err, size; 585 586 BT_DBG("%s", hdev->name); 587 588 if (!data->intr_ep) 589 return -ENODEV; 590 591 urb = usb_alloc_urb(0, mem_flags); 592 if (!urb) 593 return -ENOMEM; 594 595 size = le16_to_cpu(data->intr_ep->wMaxPacketSize); 596 597 buf = kmalloc(size, mem_flags); 598 if (!buf) { 599 usb_free_urb(urb); 600 return -ENOMEM; 601 } 602 603 pipe = usb_rcvintpipe(data->udev, data->intr_ep->bEndpointAddress); 604 605 usb_fill_int_urb(urb, data->udev, pipe, buf, size, 606 btusb_intr_complete, hdev, data->intr_ep->bInterval); 607 608 urb->transfer_flags |= URB_FREE_BUFFER; 609 610 usb_anchor_urb(urb, &data->intr_anchor); 611 612 err = usb_submit_urb(urb, mem_flags); 613 if (err < 0) { 614 if (err != -EPERM && err != -ENODEV) 615 BT_ERR("%s urb %p submission failed (%d)", 616 hdev->name, urb, -err); 617 usb_unanchor_urb(urb); 618 } 619 620 usb_free_urb(urb); 621 622 return err; 623 } 624 625 static void btusb_bulk_complete(struct urb *urb) 626 { 627 struct hci_dev *hdev = urb->context; 628 struct btusb_data *data = hci_get_drvdata(hdev); 629 int err; 630 631 BT_DBG("%s urb %p status %d count %d", hdev->name, urb, urb->status, 632 urb->actual_length); 633 634 if (!test_bit(HCI_RUNNING, &hdev->flags)) 635 return; 636 637 if (urb->status == 0) { 638 hdev->stat.byte_rx += urb->actual_length; 639 640 if (data->recv_bulk(data, urb->transfer_buffer, 641 urb->actual_length) < 0) { 642 BT_ERR("%s corrupted ACL packet", hdev->name); 643 hdev->stat.err_rx++; 644 } 645 } else if (urb->status == -ENOENT) { 646 /* Avoid suspend failed when usb_kill_urb */ 647 return; 648 } 649 650 if (!test_bit(BTUSB_BULK_RUNNING, &data->flags)) 651 return; 652 653 usb_anchor_urb(urb, &data->bulk_anchor); 654 usb_mark_last_busy(data->udev); 655 656 err = usb_submit_urb(urb, GFP_ATOMIC); 657 if (err < 0) { 658 /* -EPERM: urb is being killed; 659 * -ENODEV: device got disconnected */ 660 if (err != -EPERM && err != -ENODEV) 661 BT_ERR("%s urb %p failed to resubmit (%d)", 662 hdev->name, urb, -err); 663 usb_unanchor_urb(urb); 664 } 665 } 666 667 static int btusb_submit_bulk_urb(struct hci_dev *hdev, gfp_t mem_flags) 668 { 669 struct btusb_data *data = hci_get_drvdata(hdev); 670 struct urb *urb; 671 unsigned char *buf; 672 unsigned int pipe; 673 int err, size = HCI_MAX_FRAME_SIZE; 674 675 BT_DBG("%s", hdev->name); 676 677 if (!data->bulk_rx_ep) 678 return -ENODEV; 679 680 urb = usb_alloc_urb(0, mem_flags); 681 if (!urb) 682 return -ENOMEM; 683 684 buf = kmalloc(size, mem_flags); 685 if (!buf) { 686 usb_free_urb(urb); 687 return -ENOMEM; 688 } 689 690 pipe = usb_rcvbulkpipe(data->udev, data->bulk_rx_ep->bEndpointAddress); 691 692 usb_fill_bulk_urb(urb, data->udev, pipe, buf, size, 693 btusb_bulk_complete, hdev); 694 695 urb->transfer_flags |= URB_FREE_BUFFER; 696 697 usb_mark_last_busy(data->udev); 698 usb_anchor_urb(urb, &data->bulk_anchor); 699 700 err = usb_submit_urb(urb, mem_flags); 701 if (err < 0) { 702 if (err != -EPERM && err != -ENODEV) 703 BT_ERR("%s urb %p submission failed (%d)", 704 hdev->name, urb, -err); 705 usb_unanchor_urb(urb); 706 } 707 708 usb_free_urb(urb); 709 710 return err; 711 } 712 713 static void btusb_isoc_complete(struct urb *urb) 714 { 715 struct hci_dev *hdev = urb->context; 716 struct btusb_data *data = hci_get_drvdata(hdev); 717 int i, err; 718 719 BT_DBG("%s urb %p status %d count %d", hdev->name, urb, urb->status, 720 urb->actual_length); 721 722 if (!test_bit(HCI_RUNNING, &hdev->flags)) 723 return; 724 725 if (urb->status == 0) { 726 for (i = 0; i < urb->number_of_packets; i++) { 727 unsigned int offset = urb->iso_frame_desc[i].offset; 728 unsigned int length = urb->iso_frame_desc[i].actual_length; 729 730 if (urb->iso_frame_desc[i].status) 731 continue; 732 733 hdev->stat.byte_rx += length; 734 735 if (btusb_recv_isoc(data, urb->transfer_buffer + offset, 736 length) < 0) { 737 BT_ERR("%s corrupted SCO packet", hdev->name); 738 hdev->stat.err_rx++; 739 } 740 } 741 } else if (urb->status == -ENOENT) { 742 /* Avoid suspend failed when usb_kill_urb */ 743 return; 744 } 745 746 if (!test_bit(BTUSB_ISOC_RUNNING, &data->flags)) 747 return; 748 749 usb_anchor_urb(urb, &data->isoc_anchor); 750 751 err = usb_submit_urb(urb, GFP_ATOMIC); 752 if (err < 0) { 753 /* -EPERM: urb is being killed; 754 * -ENODEV: device got disconnected */ 755 if (err != -EPERM && err != -ENODEV) 756 BT_ERR("%s urb %p failed to resubmit (%d)", 757 hdev->name, urb, -err); 758 usb_unanchor_urb(urb); 759 } 760 } 761 762 static inline void __fill_isoc_descriptor(struct urb *urb, int len, int mtu) 763 { 764 int i, offset = 0; 765 766 BT_DBG("len %d mtu %d", len, mtu); 767 768 for (i = 0; i < BTUSB_MAX_ISOC_FRAMES && len >= mtu; 769 i++, offset += mtu, len -= mtu) { 770 urb->iso_frame_desc[i].offset = offset; 771 urb->iso_frame_desc[i].length = mtu; 772 } 773 774 if (len && i < BTUSB_MAX_ISOC_FRAMES) { 775 urb->iso_frame_desc[i].offset = offset; 776 urb->iso_frame_desc[i].length = len; 777 i++; 778 } 779 780 urb->number_of_packets = i; 781 } 782 783 static int btusb_submit_isoc_urb(struct hci_dev *hdev, gfp_t mem_flags) 784 { 785 struct btusb_data *data = hci_get_drvdata(hdev); 786 struct urb *urb; 787 unsigned char *buf; 788 unsigned int pipe; 789 int err, size; 790 791 BT_DBG("%s", hdev->name); 792 793 if (!data->isoc_rx_ep) 794 return -ENODEV; 795 796 urb = usb_alloc_urb(BTUSB_MAX_ISOC_FRAMES, mem_flags); 797 if (!urb) 798 return -ENOMEM; 799 800 size = le16_to_cpu(data->isoc_rx_ep->wMaxPacketSize) * 801 BTUSB_MAX_ISOC_FRAMES; 802 803 buf = kmalloc(size, mem_flags); 804 if (!buf) { 805 usb_free_urb(urb); 806 return -ENOMEM; 807 } 808 809 pipe = usb_rcvisocpipe(data->udev, data->isoc_rx_ep->bEndpointAddress); 810 811 usb_fill_int_urb(urb, data->udev, pipe, buf, size, btusb_isoc_complete, 812 hdev, data->isoc_rx_ep->bInterval); 813 814 urb->transfer_flags = URB_FREE_BUFFER | URB_ISO_ASAP; 815 816 __fill_isoc_descriptor(urb, size, 817 le16_to_cpu(data->isoc_rx_ep->wMaxPacketSize)); 818 819 usb_anchor_urb(urb, &data->isoc_anchor); 820 821 err = usb_submit_urb(urb, mem_flags); 822 if (err < 0) { 823 if (err != -EPERM && err != -ENODEV) 824 BT_ERR("%s urb %p submission failed (%d)", 825 hdev->name, urb, -err); 826 usb_unanchor_urb(urb); 827 } 828 829 usb_free_urb(urb); 830 831 return err; 832 } 833 834 static void btusb_tx_complete(struct urb *urb) 835 { 836 struct sk_buff *skb = urb->context; 837 struct hci_dev *hdev = (struct hci_dev *)skb->dev; 838 struct btusb_data *data = hci_get_drvdata(hdev); 839 840 BT_DBG("%s urb %p status %d count %d", hdev->name, urb, urb->status, 841 urb->actual_length); 842 843 if (!test_bit(HCI_RUNNING, &hdev->flags)) 844 goto done; 845 846 if (!urb->status) 847 hdev->stat.byte_tx += urb->transfer_buffer_length; 848 else 849 hdev->stat.err_tx++; 850 851 done: 852 spin_lock(&data->txlock); 853 data->tx_in_flight--; 854 spin_unlock(&data->txlock); 855 856 kfree(urb->setup_packet); 857 858 kfree_skb(skb); 859 } 860 861 static void btusb_isoc_tx_complete(struct urb *urb) 862 { 863 struct sk_buff *skb = urb->context; 864 struct hci_dev *hdev = (struct hci_dev *)skb->dev; 865 866 BT_DBG("%s urb %p status %d count %d", hdev->name, urb, urb->status, 867 urb->actual_length); 868 869 if (!test_bit(HCI_RUNNING, &hdev->flags)) 870 goto done; 871 872 if (!urb->status) 873 hdev->stat.byte_tx += urb->transfer_buffer_length; 874 else 875 hdev->stat.err_tx++; 876 877 done: 878 kfree(urb->setup_packet); 879 880 kfree_skb(skb); 881 } 882 883 static int btusb_open(struct hci_dev *hdev) 884 { 885 struct btusb_data *data = hci_get_drvdata(hdev); 886 int err; 887 888 BT_DBG("%s", hdev->name); 889 890 err = usb_autopm_get_interface(data->intf); 891 if (err < 0) 892 return err; 893 894 data->intf->needs_remote_wakeup = 1; 895 896 if (test_and_set_bit(HCI_RUNNING, &hdev->flags)) 897 goto done; 898 899 if (test_and_set_bit(BTUSB_INTR_RUNNING, &data->flags)) 900 goto done; 901 902 err = btusb_submit_intr_urb(hdev, GFP_KERNEL); 903 if (err < 0) 904 goto failed; 905 906 err = btusb_submit_bulk_urb(hdev, GFP_KERNEL); 907 if (err < 0) { 908 usb_kill_anchored_urbs(&data->intr_anchor); 909 goto failed; 910 } 911 912 set_bit(BTUSB_BULK_RUNNING, &data->flags); 913 btusb_submit_bulk_urb(hdev, GFP_KERNEL); 914 915 done: 916 usb_autopm_put_interface(data->intf); 917 return 0; 918 919 failed: 920 clear_bit(BTUSB_INTR_RUNNING, &data->flags); 921 clear_bit(HCI_RUNNING, &hdev->flags); 922 usb_autopm_put_interface(data->intf); 923 return err; 924 } 925 926 static void btusb_stop_traffic(struct btusb_data *data) 927 { 928 usb_kill_anchored_urbs(&data->intr_anchor); 929 usb_kill_anchored_urbs(&data->bulk_anchor); 930 usb_kill_anchored_urbs(&data->isoc_anchor); 931 } 932 933 static int btusb_close(struct hci_dev *hdev) 934 { 935 struct btusb_data *data = hci_get_drvdata(hdev); 936 int err; 937 938 BT_DBG("%s", hdev->name); 939 940 if (!test_and_clear_bit(HCI_RUNNING, &hdev->flags)) 941 return 0; 942 943 cancel_work_sync(&data->work); 944 cancel_work_sync(&data->waker); 945 946 clear_bit(BTUSB_ISOC_RUNNING, &data->flags); 947 clear_bit(BTUSB_BULK_RUNNING, &data->flags); 948 clear_bit(BTUSB_INTR_RUNNING, &data->flags); 949 950 btusb_stop_traffic(data); 951 btusb_free_frags(data); 952 953 err = usb_autopm_get_interface(data->intf); 954 if (err < 0) 955 goto failed; 956 957 data->intf->needs_remote_wakeup = 0; 958 usb_autopm_put_interface(data->intf); 959 960 failed: 961 usb_scuttle_anchored_urbs(&data->deferred); 962 return 0; 963 } 964 965 static int btusb_flush(struct hci_dev *hdev) 966 { 967 struct btusb_data *data = hci_get_drvdata(hdev); 968 969 BT_DBG("%s", hdev->name); 970 971 usb_kill_anchored_urbs(&data->tx_anchor); 972 btusb_free_frags(data); 973 974 return 0; 975 } 976 977 static struct urb *alloc_ctrl_urb(struct hci_dev *hdev, struct sk_buff *skb) 978 { 979 struct btusb_data *data = hci_get_drvdata(hdev); 980 struct usb_ctrlrequest *dr; 981 struct urb *urb; 982 unsigned int pipe; 983 984 urb = usb_alloc_urb(0, GFP_KERNEL); 985 if (!urb) 986 return ERR_PTR(-ENOMEM); 987 988 dr = kmalloc(sizeof(*dr), GFP_KERNEL); 989 if (!dr) { 990 usb_free_urb(urb); 991 return ERR_PTR(-ENOMEM); 992 } 993 994 dr->bRequestType = data->cmdreq_type; 995 dr->bRequest = data->cmdreq; 996 dr->wIndex = 0; 997 dr->wValue = 0; 998 dr->wLength = __cpu_to_le16(skb->len); 999 1000 pipe = usb_sndctrlpipe(data->udev, 0x00); 1001 1002 usb_fill_control_urb(urb, data->udev, pipe, (void *)dr, 1003 skb->data, skb->len, btusb_tx_complete, skb); 1004 1005 skb->dev = (void *)hdev; 1006 1007 return urb; 1008 } 1009 1010 static struct urb *alloc_bulk_urb(struct hci_dev *hdev, struct sk_buff *skb) 1011 { 1012 struct btusb_data *data = hci_get_drvdata(hdev); 1013 struct urb *urb; 1014 unsigned int pipe; 1015 1016 if (!data->bulk_tx_ep) 1017 return ERR_PTR(-ENODEV); 1018 1019 urb = usb_alloc_urb(0, GFP_KERNEL); 1020 if (!urb) 1021 return ERR_PTR(-ENOMEM); 1022 1023 pipe = usb_sndbulkpipe(data->udev, data->bulk_tx_ep->bEndpointAddress); 1024 1025 usb_fill_bulk_urb(urb, data->udev, pipe, 1026 skb->data, skb->len, btusb_tx_complete, skb); 1027 1028 skb->dev = (void *)hdev; 1029 1030 return urb; 1031 } 1032 1033 static struct urb *alloc_isoc_urb(struct hci_dev *hdev, struct sk_buff *skb) 1034 { 1035 struct btusb_data *data = hci_get_drvdata(hdev); 1036 struct urb *urb; 1037 unsigned int pipe; 1038 1039 if (!data->isoc_tx_ep) 1040 return ERR_PTR(-ENODEV); 1041 1042 urb = usb_alloc_urb(BTUSB_MAX_ISOC_FRAMES, GFP_KERNEL); 1043 if (!urb) 1044 return ERR_PTR(-ENOMEM); 1045 1046 pipe = usb_sndisocpipe(data->udev, data->isoc_tx_ep->bEndpointAddress); 1047 1048 usb_fill_int_urb(urb, data->udev, pipe, 1049 skb->data, skb->len, btusb_isoc_tx_complete, 1050 skb, data->isoc_tx_ep->bInterval); 1051 1052 urb->transfer_flags = URB_ISO_ASAP; 1053 1054 __fill_isoc_descriptor(urb, skb->len, 1055 le16_to_cpu(data->isoc_tx_ep->wMaxPacketSize)); 1056 1057 skb->dev = (void *)hdev; 1058 1059 return urb; 1060 } 1061 1062 static int submit_tx_urb(struct hci_dev *hdev, struct urb *urb) 1063 { 1064 struct btusb_data *data = hci_get_drvdata(hdev); 1065 int err; 1066 1067 usb_anchor_urb(urb, &data->tx_anchor); 1068 1069 err = usb_submit_urb(urb, GFP_KERNEL); 1070 if (err < 0) { 1071 if (err != -EPERM && err != -ENODEV) 1072 BT_ERR("%s urb %p submission failed (%d)", 1073 hdev->name, urb, -err); 1074 kfree(urb->setup_packet); 1075 usb_unanchor_urb(urb); 1076 } else { 1077 usb_mark_last_busy(data->udev); 1078 } 1079 1080 usb_free_urb(urb); 1081 return err; 1082 } 1083 1084 static int submit_or_queue_tx_urb(struct hci_dev *hdev, struct urb *urb) 1085 { 1086 struct btusb_data *data = hci_get_drvdata(hdev); 1087 unsigned long flags; 1088 bool suspending; 1089 1090 spin_lock_irqsave(&data->txlock, flags); 1091 suspending = test_bit(BTUSB_SUSPENDING, &data->flags); 1092 if (!suspending) 1093 data->tx_in_flight++; 1094 spin_unlock_irqrestore(&data->txlock, flags); 1095 1096 if (!suspending) 1097 return submit_tx_urb(hdev, urb); 1098 1099 usb_anchor_urb(urb, &data->deferred); 1100 schedule_work(&data->waker); 1101 1102 usb_free_urb(urb); 1103 return 0; 1104 } 1105 1106 static int btusb_send_frame(struct hci_dev *hdev, struct sk_buff *skb) 1107 { 1108 struct urb *urb; 1109 1110 BT_DBG("%s", hdev->name); 1111 1112 if (!test_bit(HCI_RUNNING, &hdev->flags)) 1113 return -EBUSY; 1114 1115 switch (bt_cb(skb)->pkt_type) { 1116 case HCI_COMMAND_PKT: 1117 urb = alloc_ctrl_urb(hdev, skb); 1118 if (IS_ERR(urb)) 1119 return PTR_ERR(urb); 1120 1121 hdev->stat.cmd_tx++; 1122 return submit_or_queue_tx_urb(hdev, urb); 1123 1124 case HCI_ACLDATA_PKT: 1125 urb = alloc_bulk_urb(hdev, skb); 1126 if (IS_ERR(urb)) 1127 return PTR_ERR(urb); 1128 1129 hdev->stat.acl_tx++; 1130 return submit_or_queue_tx_urb(hdev, urb); 1131 1132 case HCI_SCODATA_PKT: 1133 if (hci_conn_num(hdev, SCO_LINK) < 1) 1134 return -ENODEV; 1135 1136 urb = alloc_isoc_urb(hdev, skb); 1137 if (IS_ERR(urb)) 1138 return PTR_ERR(urb); 1139 1140 hdev->stat.sco_tx++; 1141 return submit_tx_urb(hdev, urb); 1142 } 1143 1144 return -EILSEQ; 1145 } 1146 1147 static void btusb_notify(struct hci_dev *hdev, unsigned int evt) 1148 { 1149 struct btusb_data *data = hci_get_drvdata(hdev); 1150 1151 BT_DBG("%s evt %d", hdev->name, evt); 1152 1153 if (hci_conn_num(hdev, SCO_LINK) != data->sco_num) { 1154 data->sco_num = hci_conn_num(hdev, SCO_LINK); 1155 schedule_work(&data->work); 1156 } 1157 } 1158 1159 static inline int __set_isoc_interface(struct hci_dev *hdev, int altsetting) 1160 { 1161 struct btusb_data *data = hci_get_drvdata(hdev); 1162 struct usb_interface *intf = data->isoc; 1163 struct usb_endpoint_descriptor *ep_desc; 1164 int i, err; 1165 1166 if (!data->isoc) 1167 return -ENODEV; 1168 1169 err = usb_set_interface(data->udev, 1, altsetting); 1170 if (err < 0) { 1171 BT_ERR("%s setting interface failed (%d)", hdev->name, -err); 1172 return err; 1173 } 1174 1175 data->isoc_altsetting = altsetting; 1176 1177 data->isoc_tx_ep = NULL; 1178 data->isoc_rx_ep = NULL; 1179 1180 for (i = 0; i < intf->cur_altsetting->desc.bNumEndpoints; i++) { 1181 ep_desc = &intf->cur_altsetting->endpoint[i].desc; 1182 1183 if (!data->isoc_tx_ep && usb_endpoint_is_isoc_out(ep_desc)) { 1184 data->isoc_tx_ep = ep_desc; 1185 continue; 1186 } 1187 1188 if (!data->isoc_rx_ep && usb_endpoint_is_isoc_in(ep_desc)) { 1189 data->isoc_rx_ep = ep_desc; 1190 continue; 1191 } 1192 } 1193 1194 if (!data->isoc_tx_ep || !data->isoc_rx_ep) { 1195 BT_ERR("%s invalid SCO descriptors", hdev->name); 1196 return -ENODEV; 1197 } 1198 1199 return 0; 1200 } 1201 1202 static void btusb_work(struct work_struct *work) 1203 { 1204 struct btusb_data *data = container_of(work, struct btusb_data, work); 1205 struct hci_dev *hdev = data->hdev; 1206 int new_alts; 1207 int err; 1208 1209 if (data->sco_num > 0) { 1210 if (!test_bit(BTUSB_DID_ISO_RESUME, &data->flags)) { 1211 err = usb_autopm_get_interface(data->isoc ? data->isoc : data->intf); 1212 if (err < 0) { 1213 clear_bit(BTUSB_ISOC_RUNNING, &data->flags); 1214 usb_kill_anchored_urbs(&data->isoc_anchor); 1215 return; 1216 } 1217 1218 set_bit(BTUSB_DID_ISO_RESUME, &data->flags); 1219 } 1220 1221 if (hdev->voice_setting & 0x0020) { 1222 static const int alts[3] = { 2, 4, 5 }; 1223 1224 new_alts = alts[data->sco_num - 1]; 1225 } else { 1226 new_alts = data->sco_num; 1227 } 1228 1229 if (data->isoc_altsetting != new_alts) { 1230 clear_bit(BTUSB_ISOC_RUNNING, &data->flags); 1231 usb_kill_anchored_urbs(&data->isoc_anchor); 1232 1233 if (__set_isoc_interface(hdev, new_alts) < 0) 1234 return; 1235 } 1236 1237 if (!test_and_set_bit(BTUSB_ISOC_RUNNING, &data->flags)) { 1238 if (btusb_submit_isoc_urb(hdev, GFP_KERNEL) < 0) 1239 clear_bit(BTUSB_ISOC_RUNNING, &data->flags); 1240 else 1241 btusb_submit_isoc_urb(hdev, GFP_KERNEL); 1242 } 1243 } else { 1244 clear_bit(BTUSB_ISOC_RUNNING, &data->flags); 1245 usb_kill_anchored_urbs(&data->isoc_anchor); 1246 1247 __set_isoc_interface(hdev, 0); 1248 if (test_and_clear_bit(BTUSB_DID_ISO_RESUME, &data->flags)) 1249 usb_autopm_put_interface(data->isoc ? data->isoc : data->intf); 1250 } 1251 } 1252 1253 static void btusb_waker(struct work_struct *work) 1254 { 1255 struct btusb_data *data = container_of(work, struct btusb_data, waker); 1256 int err; 1257 1258 err = usb_autopm_get_interface(data->intf); 1259 if (err < 0) 1260 return; 1261 1262 usb_autopm_put_interface(data->intf); 1263 } 1264 1265 static int btusb_setup_bcm92035(struct hci_dev *hdev) 1266 { 1267 struct sk_buff *skb; 1268 u8 val = 0x00; 1269 1270 BT_DBG("%s", hdev->name); 1271 1272 skb = __hci_cmd_sync(hdev, 0xfc3b, 1, &val, HCI_INIT_TIMEOUT); 1273 if (IS_ERR(skb)) 1274 BT_ERR("BCM92035 command failed (%ld)", -PTR_ERR(skb)); 1275 else 1276 kfree_skb(skb); 1277 1278 return 0; 1279 } 1280 1281 static int btusb_setup_csr(struct hci_dev *hdev) 1282 { 1283 struct hci_rp_read_local_version *rp; 1284 struct sk_buff *skb; 1285 int ret; 1286 1287 BT_DBG("%s", hdev->name); 1288 1289 skb = __hci_cmd_sync(hdev, HCI_OP_READ_LOCAL_VERSION, 0, NULL, 1290 HCI_INIT_TIMEOUT); 1291 if (IS_ERR(skb)) { 1292 BT_ERR("Reading local version failed (%ld)", -PTR_ERR(skb)); 1293 return -PTR_ERR(skb); 1294 } 1295 1296 rp = (struct hci_rp_read_local_version *)skb->data; 1297 1298 if (!rp->status) { 1299 if (le16_to_cpu(rp->manufacturer) != 10) { 1300 /* Clear the reset quirk since this is not an actual 1301 * early Bluetooth 1.1 device from CSR. 1302 */ 1303 clear_bit(HCI_QUIRK_RESET_ON_CLOSE, &hdev->quirks); 1304 1305 /* These fake CSR controllers have all a broken 1306 * stored link key handling and so just disable it. 1307 */ 1308 set_bit(HCI_QUIRK_BROKEN_STORED_LINK_KEY, 1309 &hdev->quirks); 1310 } 1311 } 1312 1313 ret = -bt_to_errno(rp->status); 1314 1315 kfree_skb(skb); 1316 1317 return ret; 1318 } 1319 1320 struct intel_version { 1321 u8 status; 1322 u8 hw_platform; 1323 u8 hw_variant; 1324 u8 hw_revision; 1325 u8 fw_variant; 1326 u8 fw_revision; 1327 u8 fw_build_num; 1328 u8 fw_build_ww; 1329 u8 fw_build_yy; 1330 u8 fw_patch_num; 1331 } __packed; 1332 1333 struct intel_boot_params { 1334 __u8 status; 1335 __u8 otp_format; 1336 __u8 otp_content; 1337 __u8 otp_patch; 1338 __le16 dev_revid; 1339 __u8 secure_boot; 1340 __u8 key_from_hdr; 1341 __u8 key_type; 1342 __u8 otp_lock; 1343 __u8 api_lock; 1344 __u8 debug_lock; 1345 bdaddr_t otp_bdaddr; 1346 __u8 min_fw_build_nn; 1347 __u8 min_fw_build_cw; 1348 __u8 min_fw_build_yy; 1349 __u8 limited_cce; 1350 __u8 unlocked_state; 1351 } __packed; 1352 1353 static const struct firmware *btusb_setup_intel_get_fw(struct hci_dev *hdev, 1354 struct intel_version *ver) 1355 { 1356 const struct firmware *fw; 1357 char fwname[64]; 1358 int ret; 1359 1360 snprintf(fwname, sizeof(fwname), 1361 "intel/ibt-hw-%x.%x.%x-fw-%x.%x.%x.%x.%x.bseq", 1362 ver->hw_platform, ver->hw_variant, ver->hw_revision, 1363 ver->fw_variant, ver->fw_revision, ver->fw_build_num, 1364 ver->fw_build_ww, ver->fw_build_yy); 1365 1366 ret = request_firmware(&fw, fwname, &hdev->dev); 1367 if (ret < 0) { 1368 if (ret == -EINVAL) { 1369 BT_ERR("%s Intel firmware file request failed (%d)", 1370 hdev->name, ret); 1371 return NULL; 1372 } 1373 1374 BT_ERR("%s failed to open Intel firmware file: %s(%d)", 1375 hdev->name, fwname, ret); 1376 1377 /* If the correct firmware patch file is not found, use the 1378 * default firmware patch file instead 1379 */ 1380 snprintf(fwname, sizeof(fwname), "intel/ibt-hw-%x.%x.bseq", 1381 ver->hw_platform, ver->hw_variant); 1382 if (request_firmware(&fw, fwname, &hdev->dev) < 0) { 1383 BT_ERR("%s failed to open default Intel fw file: %s", 1384 hdev->name, fwname); 1385 return NULL; 1386 } 1387 } 1388 1389 BT_INFO("%s: Intel Bluetooth firmware file: %s", hdev->name, fwname); 1390 1391 return fw; 1392 } 1393 1394 static int btusb_setup_intel_patching(struct hci_dev *hdev, 1395 const struct firmware *fw, 1396 const u8 **fw_ptr, int *disable_patch) 1397 { 1398 struct sk_buff *skb; 1399 struct hci_command_hdr *cmd; 1400 const u8 *cmd_param; 1401 struct hci_event_hdr *evt = NULL; 1402 const u8 *evt_param = NULL; 1403 int remain = fw->size - (*fw_ptr - fw->data); 1404 1405 /* The first byte indicates the types of the patch command or event. 1406 * 0x01 means HCI command and 0x02 is HCI event. If the first bytes 1407 * in the current firmware buffer doesn't start with 0x01 or 1408 * the size of remain buffer is smaller than HCI command header, 1409 * the firmware file is corrupted and it should stop the patching 1410 * process. 1411 */ 1412 if (remain > HCI_COMMAND_HDR_SIZE && *fw_ptr[0] != 0x01) { 1413 BT_ERR("%s Intel fw corrupted: invalid cmd read", hdev->name); 1414 return -EINVAL; 1415 } 1416 (*fw_ptr)++; 1417 remain--; 1418 1419 cmd = (struct hci_command_hdr *)(*fw_ptr); 1420 *fw_ptr += sizeof(*cmd); 1421 remain -= sizeof(*cmd); 1422 1423 /* Ensure that the remain firmware data is long enough than the length 1424 * of command parameter. If not, the firmware file is corrupted. 1425 */ 1426 if (remain < cmd->plen) { 1427 BT_ERR("%s Intel fw corrupted: invalid cmd len", hdev->name); 1428 return -EFAULT; 1429 } 1430 1431 /* If there is a command that loads a patch in the firmware 1432 * file, then enable the patch upon success, otherwise just 1433 * disable the manufacturer mode, for example patch activation 1434 * is not required when the default firmware patch file is used 1435 * because there are no patch data to load. 1436 */ 1437 if (*disable_patch && le16_to_cpu(cmd->opcode) == 0xfc8e) 1438 *disable_patch = 0; 1439 1440 cmd_param = *fw_ptr; 1441 *fw_ptr += cmd->plen; 1442 remain -= cmd->plen; 1443 1444 /* This reads the expected events when the above command is sent to the 1445 * device. Some vendor commands expects more than one events, for 1446 * example command status event followed by vendor specific event. 1447 * For this case, it only keeps the last expected event. so the command 1448 * can be sent with __hci_cmd_sync_ev() which returns the sk_buff of 1449 * last expected event. 1450 */ 1451 while (remain > HCI_EVENT_HDR_SIZE && *fw_ptr[0] == 0x02) { 1452 (*fw_ptr)++; 1453 remain--; 1454 1455 evt = (struct hci_event_hdr *)(*fw_ptr); 1456 *fw_ptr += sizeof(*evt); 1457 remain -= sizeof(*evt); 1458 1459 if (remain < evt->plen) { 1460 BT_ERR("%s Intel fw corrupted: invalid evt len", 1461 hdev->name); 1462 return -EFAULT; 1463 } 1464 1465 evt_param = *fw_ptr; 1466 *fw_ptr += evt->plen; 1467 remain -= evt->plen; 1468 } 1469 1470 /* Every HCI commands in the firmware file has its correspond event. 1471 * If event is not found or remain is smaller than zero, the firmware 1472 * file is corrupted. 1473 */ 1474 if (!evt || !evt_param || remain < 0) { 1475 BT_ERR("%s Intel fw corrupted: invalid evt read", hdev->name); 1476 return -EFAULT; 1477 } 1478 1479 skb = __hci_cmd_sync_ev(hdev, le16_to_cpu(cmd->opcode), cmd->plen, 1480 cmd_param, evt->evt, HCI_INIT_TIMEOUT); 1481 if (IS_ERR(skb)) { 1482 BT_ERR("%s sending Intel patch command (0x%4.4x) failed (%ld)", 1483 hdev->name, cmd->opcode, PTR_ERR(skb)); 1484 return PTR_ERR(skb); 1485 } 1486 1487 /* It ensures that the returned event matches the event data read from 1488 * the firmware file. At fist, it checks the length and then 1489 * the contents of the event. 1490 */ 1491 if (skb->len != evt->plen) { 1492 BT_ERR("%s mismatch event length (opcode 0x%4.4x)", hdev->name, 1493 le16_to_cpu(cmd->opcode)); 1494 kfree_skb(skb); 1495 return -EFAULT; 1496 } 1497 1498 if (memcmp(skb->data, evt_param, evt->plen)) { 1499 BT_ERR("%s mismatch event parameter (opcode 0x%4.4x)", 1500 hdev->name, le16_to_cpu(cmd->opcode)); 1501 kfree_skb(skb); 1502 return -EFAULT; 1503 } 1504 kfree_skb(skb); 1505 1506 return 0; 1507 } 1508 1509 #define BDADDR_INTEL (&(bdaddr_t) {{0x00, 0x8b, 0x9e, 0x19, 0x03, 0x00}}) 1510 1511 static int btusb_check_bdaddr_intel(struct hci_dev *hdev) 1512 { 1513 struct sk_buff *skb; 1514 struct hci_rp_read_bd_addr *rp; 1515 1516 skb = __hci_cmd_sync(hdev, HCI_OP_READ_BD_ADDR, 0, NULL, 1517 HCI_INIT_TIMEOUT); 1518 if (IS_ERR(skb)) { 1519 BT_ERR("%s reading Intel device address failed (%ld)", 1520 hdev->name, PTR_ERR(skb)); 1521 return PTR_ERR(skb); 1522 } 1523 1524 if (skb->len != sizeof(*rp)) { 1525 BT_ERR("%s Intel device address length mismatch", hdev->name); 1526 kfree_skb(skb); 1527 return -EIO; 1528 } 1529 1530 rp = (struct hci_rp_read_bd_addr *)skb->data; 1531 if (rp->status) { 1532 BT_ERR("%s Intel device address result failed (%02x)", 1533 hdev->name, rp->status); 1534 kfree_skb(skb); 1535 return -bt_to_errno(rp->status); 1536 } 1537 1538 /* For some Intel based controllers, the default Bluetooth device 1539 * address 00:03:19:9E:8B:00 can be found. These controllers are 1540 * fully operational, but have the danger of duplicate addresses 1541 * and that in turn can cause problems with Bluetooth operation. 1542 */ 1543 if (!bacmp(&rp->bdaddr, BDADDR_INTEL)) { 1544 BT_ERR("%s found Intel default device address (%pMR)", 1545 hdev->name, &rp->bdaddr); 1546 set_bit(HCI_QUIRK_INVALID_BDADDR, &hdev->quirks); 1547 } 1548 1549 kfree_skb(skb); 1550 1551 return 0; 1552 } 1553 1554 static int btusb_setup_intel(struct hci_dev *hdev) 1555 { 1556 struct sk_buff *skb; 1557 const struct firmware *fw; 1558 const u8 *fw_ptr; 1559 int disable_patch; 1560 struct intel_version *ver; 1561 1562 const u8 mfg_enable[] = { 0x01, 0x00 }; 1563 const u8 mfg_disable[] = { 0x00, 0x00 }; 1564 const u8 mfg_reset_deactivate[] = { 0x00, 0x01 }; 1565 const u8 mfg_reset_activate[] = { 0x00, 0x02 }; 1566 1567 BT_DBG("%s", hdev->name); 1568 1569 /* The controller has a bug with the first HCI command sent to it 1570 * returning number of completed commands as zero. This would stall the 1571 * command processing in the Bluetooth core. 1572 * 1573 * As a workaround, send HCI Reset command first which will reset the 1574 * number of completed commands and allow normal command processing 1575 * from now on. 1576 */ 1577 skb = __hci_cmd_sync(hdev, HCI_OP_RESET, 0, NULL, HCI_INIT_TIMEOUT); 1578 if (IS_ERR(skb)) { 1579 BT_ERR("%s sending initial HCI reset command failed (%ld)", 1580 hdev->name, PTR_ERR(skb)); 1581 return PTR_ERR(skb); 1582 } 1583 kfree_skb(skb); 1584 1585 /* Read Intel specific controller version first to allow selection of 1586 * which firmware file to load. 1587 * 1588 * The returned information are hardware variant and revision plus 1589 * firmware variant, revision and build number. 1590 */ 1591 skb = __hci_cmd_sync(hdev, 0xfc05, 0, NULL, HCI_INIT_TIMEOUT); 1592 if (IS_ERR(skb)) { 1593 BT_ERR("%s reading Intel fw version command failed (%ld)", 1594 hdev->name, PTR_ERR(skb)); 1595 return PTR_ERR(skb); 1596 } 1597 1598 if (skb->len != sizeof(*ver)) { 1599 BT_ERR("%s Intel version event length mismatch", hdev->name); 1600 kfree_skb(skb); 1601 return -EIO; 1602 } 1603 1604 ver = (struct intel_version *)skb->data; 1605 if (ver->status) { 1606 BT_ERR("%s Intel fw version event failed (%02x)", hdev->name, 1607 ver->status); 1608 kfree_skb(skb); 1609 return -bt_to_errno(ver->status); 1610 } 1611 1612 BT_INFO("%s: read Intel version: %02x%02x%02x%02x%02x%02x%02x%02x%02x", 1613 hdev->name, ver->hw_platform, ver->hw_variant, 1614 ver->hw_revision, ver->fw_variant, ver->fw_revision, 1615 ver->fw_build_num, ver->fw_build_ww, ver->fw_build_yy, 1616 ver->fw_patch_num); 1617 1618 /* fw_patch_num indicates the version of patch the device currently 1619 * have. If there is no patch data in the device, it is always 0x00. 1620 * So, if it is other than 0x00, no need to patch the deivce again. 1621 */ 1622 if (ver->fw_patch_num) { 1623 BT_INFO("%s: Intel device is already patched. patch num: %02x", 1624 hdev->name, ver->fw_patch_num); 1625 kfree_skb(skb); 1626 btusb_check_bdaddr_intel(hdev); 1627 return 0; 1628 } 1629 1630 /* Opens the firmware patch file based on the firmware version read 1631 * from the controller. If it fails to open the matching firmware 1632 * patch file, it tries to open the default firmware patch file. 1633 * If no patch file is found, allow the device to operate without 1634 * a patch. 1635 */ 1636 fw = btusb_setup_intel_get_fw(hdev, ver); 1637 if (!fw) { 1638 kfree_skb(skb); 1639 btusb_check_bdaddr_intel(hdev); 1640 return 0; 1641 } 1642 fw_ptr = fw->data; 1643 1644 /* This Intel specific command enables the manufacturer mode of the 1645 * controller. 1646 * 1647 * Only while this mode is enabled, the driver can download the 1648 * firmware patch data and configuration parameters. 1649 */ 1650 skb = __hci_cmd_sync(hdev, 0xfc11, 2, mfg_enable, HCI_INIT_TIMEOUT); 1651 if (IS_ERR(skb)) { 1652 BT_ERR("%s entering Intel manufacturer mode failed (%ld)", 1653 hdev->name, PTR_ERR(skb)); 1654 release_firmware(fw); 1655 return PTR_ERR(skb); 1656 } 1657 1658 if (skb->data[0]) { 1659 u8 evt_status = skb->data[0]; 1660 1661 BT_ERR("%s enable Intel manufacturer mode event failed (%02x)", 1662 hdev->name, evt_status); 1663 kfree_skb(skb); 1664 release_firmware(fw); 1665 return -bt_to_errno(evt_status); 1666 } 1667 kfree_skb(skb); 1668 1669 disable_patch = 1; 1670 1671 /* The firmware data file consists of list of Intel specific HCI 1672 * commands and its expected events. The first byte indicates the 1673 * type of the message, either HCI command or HCI event. 1674 * 1675 * It reads the command and its expected event from the firmware file, 1676 * and send to the controller. Once __hci_cmd_sync_ev() returns, 1677 * the returned event is compared with the event read from the firmware 1678 * file and it will continue until all the messages are downloaded to 1679 * the controller. 1680 * 1681 * Once the firmware patching is completed successfully, 1682 * the manufacturer mode is disabled with reset and activating the 1683 * downloaded patch. 1684 * 1685 * If the firmware patching fails, the manufacturer mode is 1686 * disabled with reset and deactivating the patch. 1687 * 1688 * If the default patch file is used, no reset is done when disabling 1689 * the manufacturer. 1690 */ 1691 while (fw->size > fw_ptr - fw->data) { 1692 int ret; 1693 1694 ret = btusb_setup_intel_patching(hdev, fw, &fw_ptr, 1695 &disable_patch); 1696 if (ret < 0) 1697 goto exit_mfg_deactivate; 1698 } 1699 1700 release_firmware(fw); 1701 1702 if (disable_patch) 1703 goto exit_mfg_disable; 1704 1705 /* Patching completed successfully and disable the manufacturer mode 1706 * with reset and activate the downloaded firmware patches. 1707 */ 1708 skb = __hci_cmd_sync(hdev, 0xfc11, sizeof(mfg_reset_activate), 1709 mfg_reset_activate, HCI_INIT_TIMEOUT); 1710 if (IS_ERR(skb)) { 1711 BT_ERR("%s exiting Intel manufacturer mode failed (%ld)", 1712 hdev->name, PTR_ERR(skb)); 1713 return PTR_ERR(skb); 1714 } 1715 kfree_skb(skb); 1716 1717 BT_INFO("%s: Intel Bluetooth firmware patch completed and activated", 1718 hdev->name); 1719 1720 btusb_check_bdaddr_intel(hdev); 1721 return 0; 1722 1723 exit_mfg_disable: 1724 /* Disable the manufacturer mode without reset */ 1725 skb = __hci_cmd_sync(hdev, 0xfc11, sizeof(mfg_disable), mfg_disable, 1726 HCI_INIT_TIMEOUT); 1727 if (IS_ERR(skb)) { 1728 BT_ERR("%s exiting Intel manufacturer mode failed (%ld)", 1729 hdev->name, PTR_ERR(skb)); 1730 return PTR_ERR(skb); 1731 } 1732 kfree_skb(skb); 1733 1734 BT_INFO("%s: Intel Bluetooth firmware patch completed", hdev->name); 1735 1736 btusb_check_bdaddr_intel(hdev); 1737 return 0; 1738 1739 exit_mfg_deactivate: 1740 release_firmware(fw); 1741 1742 /* Patching failed. Disable the manufacturer mode with reset and 1743 * deactivate the downloaded firmware patches. 1744 */ 1745 skb = __hci_cmd_sync(hdev, 0xfc11, sizeof(mfg_reset_deactivate), 1746 mfg_reset_deactivate, HCI_INIT_TIMEOUT); 1747 if (IS_ERR(skb)) { 1748 BT_ERR("%s exiting Intel manufacturer mode failed (%ld)", 1749 hdev->name, PTR_ERR(skb)); 1750 return PTR_ERR(skb); 1751 } 1752 kfree_skb(skb); 1753 1754 BT_INFO("%s: Intel Bluetooth firmware patch completed and deactivated", 1755 hdev->name); 1756 1757 btusb_check_bdaddr_intel(hdev); 1758 return 0; 1759 } 1760 1761 static int inject_cmd_complete(struct hci_dev *hdev, __u16 opcode) 1762 { 1763 struct sk_buff *skb; 1764 struct hci_event_hdr *hdr; 1765 struct hci_ev_cmd_complete *evt; 1766 1767 skb = bt_skb_alloc(sizeof(*hdr) + sizeof(*evt) + 1, GFP_ATOMIC); 1768 if (!skb) 1769 return -ENOMEM; 1770 1771 hdr = (struct hci_event_hdr *)skb_put(skb, sizeof(*hdr)); 1772 hdr->evt = HCI_EV_CMD_COMPLETE; 1773 hdr->plen = sizeof(*evt) + 1; 1774 1775 evt = (struct hci_ev_cmd_complete *)skb_put(skb, sizeof(*evt)); 1776 evt->ncmd = 0x01; 1777 evt->opcode = cpu_to_le16(opcode); 1778 1779 *skb_put(skb, 1) = 0x00; 1780 1781 bt_cb(skb)->pkt_type = HCI_EVENT_PKT; 1782 1783 return hci_recv_frame(hdev, skb); 1784 } 1785 1786 static int btusb_recv_bulk_intel(struct btusb_data *data, void *buffer, 1787 int count) 1788 { 1789 /* When the device is in bootloader mode, then it can send 1790 * events via the bulk endpoint. These events are treated the 1791 * same way as the ones received from the interrupt endpoint. 1792 */ 1793 if (test_bit(BTUSB_BOOTLOADER, &data->flags)) 1794 return btusb_recv_intr(data, buffer, count); 1795 1796 return btusb_recv_bulk(data, buffer, count); 1797 } 1798 1799 static int btusb_recv_event_intel(struct hci_dev *hdev, struct sk_buff *skb) 1800 { 1801 struct btusb_data *data = hci_get_drvdata(hdev); 1802 1803 if (test_bit(BTUSB_BOOTLOADER, &data->flags)) { 1804 struct hci_event_hdr *hdr = (void *)skb->data; 1805 1806 /* When the firmware loading completes the device sends 1807 * out a vendor specific event indicating the result of 1808 * the firmware loading. 1809 */ 1810 if (skb->len == 7 && hdr->evt == 0xff && hdr->plen == 0x05 && 1811 skb->data[2] == 0x06) { 1812 if (skb->data[3] != 0x00) 1813 test_bit(BTUSB_FIRMWARE_FAILED, &data->flags); 1814 1815 if (test_and_clear_bit(BTUSB_DOWNLOADING, 1816 &data->flags) && 1817 test_bit(BTUSB_FIRMWARE_LOADED, &data->flags)) { 1818 smp_mb__after_atomic(); 1819 wake_up_bit(&data->flags, BTUSB_DOWNLOADING); 1820 } 1821 } 1822 1823 /* When switching to the operational firmware the device 1824 * sends a vendor specific event indicating that the bootup 1825 * completed. 1826 */ 1827 if (skb->len == 9 && hdr->evt == 0xff && hdr->plen == 0x07 && 1828 skb->data[2] == 0x02) { 1829 if (test_and_clear_bit(BTUSB_BOOTING, &data->flags)) { 1830 smp_mb__after_atomic(); 1831 wake_up_bit(&data->flags, BTUSB_BOOTING); 1832 } 1833 } 1834 } 1835 1836 return hci_recv_frame(hdev, skb); 1837 } 1838 1839 static int btusb_send_frame_intel(struct hci_dev *hdev, struct sk_buff *skb) 1840 { 1841 struct btusb_data *data = hci_get_drvdata(hdev); 1842 struct urb *urb; 1843 1844 BT_DBG("%s", hdev->name); 1845 1846 if (!test_bit(HCI_RUNNING, &hdev->flags)) 1847 return -EBUSY; 1848 1849 switch (bt_cb(skb)->pkt_type) { 1850 case HCI_COMMAND_PKT: 1851 if (test_bit(BTUSB_BOOTLOADER, &data->flags)) { 1852 struct hci_command_hdr *cmd = (void *)skb->data; 1853 __u16 opcode = le16_to_cpu(cmd->opcode); 1854 1855 /* When in bootloader mode and the command 0xfc09 1856 * is received, it needs to be send down the 1857 * bulk endpoint. So allocate a bulk URB instead. 1858 */ 1859 if (opcode == 0xfc09) 1860 urb = alloc_bulk_urb(hdev, skb); 1861 else 1862 urb = alloc_ctrl_urb(hdev, skb); 1863 1864 /* When the 0xfc01 command is issued to boot into 1865 * the operational firmware, it will actually not 1866 * send a command complete event. To keep the flow 1867 * control working inject that event here. 1868 */ 1869 if (opcode == 0xfc01) 1870 inject_cmd_complete(hdev, opcode); 1871 } else { 1872 urb = alloc_ctrl_urb(hdev, skb); 1873 } 1874 if (IS_ERR(urb)) 1875 return PTR_ERR(urb); 1876 1877 hdev->stat.cmd_tx++; 1878 return submit_or_queue_tx_urb(hdev, urb); 1879 1880 case HCI_ACLDATA_PKT: 1881 urb = alloc_bulk_urb(hdev, skb); 1882 if (IS_ERR(urb)) 1883 return PTR_ERR(urb); 1884 1885 hdev->stat.acl_tx++; 1886 return submit_or_queue_tx_urb(hdev, urb); 1887 1888 case HCI_SCODATA_PKT: 1889 if (hci_conn_num(hdev, SCO_LINK) < 1) 1890 return -ENODEV; 1891 1892 urb = alloc_isoc_urb(hdev, skb); 1893 if (IS_ERR(urb)) 1894 return PTR_ERR(urb); 1895 1896 hdev->stat.sco_tx++; 1897 return submit_tx_urb(hdev, urb); 1898 } 1899 1900 return -EILSEQ; 1901 } 1902 1903 static int btusb_intel_secure_send(struct hci_dev *hdev, u8 fragment_type, 1904 u32 plen, const void *param) 1905 { 1906 while (plen > 0) { 1907 struct sk_buff *skb; 1908 u8 cmd_param[253], fragment_len = (plen > 252) ? 252 : plen; 1909 1910 cmd_param[0] = fragment_type; 1911 memcpy(cmd_param + 1, param, fragment_len); 1912 1913 skb = __hci_cmd_sync(hdev, 0xfc09, fragment_len + 1, 1914 cmd_param, HCI_INIT_TIMEOUT); 1915 if (IS_ERR(skb)) 1916 return PTR_ERR(skb); 1917 1918 kfree_skb(skb); 1919 1920 plen -= fragment_len; 1921 param += fragment_len; 1922 } 1923 1924 return 0; 1925 } 1926 1927 static void btusb_intel_version_info(struct hci_dev *hdev, 1928 struct intel_version *ver) 1929 { 1930 const char *variant; 1931 1932 switch (ver->fw_variant) { 1933 case 0x06: 1934 variant = "Bootloader"; 1935 break; 1936 case 0x23: 1937 variant = "Firmware"; 1938 break; 1939 default: 1940 return; 1941 } 1942 1943 BT_INFO("%s: %s revision %u.%u build %u week %u %u", hdev->name, 1944 variant, ver->fw_revision >> 4, ver->fw_revision & 0x0f, 1945 ver->fw_build_num, ver->fw_build_ww, 2000 + ver->fw_build_yy); 1946 } 1947 1948 static int btusb_setup_intel_new(struct hci_dev *hdev) 1949 { 1950 static const u8 reset_param[] = { 0x00, 0x01, 0x00, 0x01, 1951 0x00, 0x08, 0x04, 0x00 }; 1952 struct btusb_data *data = hci_get_drvdata(hdev); 1953 struct sk_buff *skb; 1954 struct intel_version *ver; 1955 struct intel_boot_params *params; 1956 const struct firmware *fw; 1957 const u8 *fw_ptr; 1958 char fwname[64]; 1959 ktime_t calltime, delta, rettime; 1960 unsigned long long duration; 1961 int err; 1962 1963 BT_DBG("%s", hdev->name); 1964 1965 calltime = ktime_get(); 1966 1967 /* Read the Intel version information to determine if the device 1968 * is in bootloader mode or if it already has operational firmware 1969 * loaded. 1970 */ 1971 skb = __hci_cmd_sync(hdev, 0xfc05, 0, NULL, HCI_INIT_TIMEOUT); 1972 if (IS_ERR(skb)) { 1973 BT_ERR("%s: Reading Intel version information failed (%ld)", 1974 hdev->name, PTR_ERR(skb)); 1975 return PTR_ERR(skb); 1976 } 1977 1978 if (skb->len != sizeof(*ver)) { 1979 BT_ERR("%s: Intel version event size mismatch", hdev->name); 1980 kfree_skb(skb); 1981 return -EILSEQ; 1982 } 1983 1984 ver = (struct intel_version *)skb->data; 1985 if (ver->status) { 1986 BT_ERR("%s: Intel version command failure (%02x)", 1987 hdev->name, ver->status); 1988 err = -bt_to_errno(ver->status); 1989 kfree_skb(skb); 1990 return err; 1991 } 1992 1993 /* The hardware platform number has a fixed value of 0x37 and 1994 * for now only accept this single value. 1995 */ 1996 if (ver->hw_platform != 0x37) { 1997 BT_ERR("%s: Unsupported Intel hardware platform (%u)", 1998 hdev->name, ver->hw_platform); 1999 kfree_skb(skb); 2000 return -EINVAL; 2001 } 2002 2003 /* At the moment only the hardware variant iBT 3.0 (LnP/SfP) is 2004 * supported by this firmware loading method. This check has been 2005 * put in place to ensure correct forward compatibility options 2006 * when newer hardware variants come along. 2007 */ 2008 if (ver->hw_variant != 0x0b) { 2009 BT_ERR("%s: Unsupported Intel hardware variant (%u)", 2010 hdev->name, ver->hw_variant); 2011 kfree_skb(skb); 2012 return -EINVAL; 2013 } 2014 2015 btusb_intel_version_info(hdev, ver); 2016 2017 /* The firmware variant determines if the device is in bootloader 2018 * mode or is running operational firmware. The value 0x06 identifies 2019 * the bootloader and the value 0x23 identifies the operational 2020 * firmware. 2021 * 2022 * When the operational firmware is already present, then only 2023 * the check for valid Bluetooth device address is needed. This 2024 * determines if the device will be added as configured or 2025 * unconfigured controller. 2026 * 2027 * It is not possible to use the Secure Boot Parameters in this 2028 * case since that command is only available in bootloader mode. 2029 */ 2030 if (ver->fw_variant == 0x23) { 2031 kfree_skb(skb); 2032 clear_bit(BTUSB_BOOTLOADER, &data->flags); 2033 btusb_check_bdaddr_intel(hdev); 2034 return 0; 2035 } 2036 2037 /* If the device is not in bootloader mode, then the only possible 2038 * choice is to return an error and abort the device initialization. 2039 */ 2040 if (ver->fw_variant != 0x06) { 2041 BT_ERR("%s: Unsupported Intel firmware variant (%u)", 2042 hdev->name, ver->fw_variant); 2043 kfree_skb(skb); 2044 return -ENODEV; 2045 } 2046 2047 kfree_skb(skb); 2048 2049 /* Read the secure boot parameters to identify the operating 2050 * details of the bootloader. 2051 */ 2052 skb = __hci_cmd_sync(hdev, 0xfc0d, 0, NULL, HCI_INIT_TIMEOUT); 2053 if (IS_ERR(skb)) { 2054 BT_ERR("%s: Reading Intel boot parameters failed (%ld)", 2055 hdev->name, PTR_ERR(skb)); 2056 return PTR_ERR(skb); 2057 } 2058 2059 if (skb->len != sizeof(*params)) { 2060 BT_ERR("%s: Intel boot parameters size mismatch", hdev->name); 2061 kfree_skb(skb); 2062 return -EILSEQ; 2063 } 2064 2065 params = (struct intel_boot_params *)skb->data; 2066 if (params->status) { 2067 BT_ERR("%s: Intel boot parameters command failure (%02x)", 2068 hdev->name, params->status); 2069 err = -bt_to_errno(params->status); 2070 kfree_skb(skb); 2071 return err; 2072 } 2073 2074 BT_INFO("%s: Device revision is %u", hdev->name, 2075 le16_to_cpu(params->dev_revid)); 2076 2077 BT_INFO("%s: Secure boot is %s", hdev->name, 2078 params->secure_boot ? "enabled" : "disabled"); 2079 2080 BT_INFO("%s: Minimum firmware build %u week %u %u", hdev->name, 2081 params->min_fw_build_nn, params->min_fw_build_cw, 2082 2000 + params->min_fw_build_yy); 2083 2084 /* It is required that every single firmware fragment is acknowledged 2085 * with a command complete event. If the boot parameters indicate 2086 * that this bootloader does not send them, then abort the setup. 2087 */ 2088 if (params->limited_cce != 0x00) { 2089 BT_ERR("%s: Unsupported Intel firmware loading method (%u)", 2090 hdev->name, params->limited_cce); 2091 kfree_skb(skb); 2092 return -EINVAL; 2093 } 2094 2095 /* If the OTP has no valid Bluetooth device address, then there will 2096 * also be no valid address for the operational firmware. 2097 */ 2098 if (!bacmp(¶ms->otp_bdaddr, BDADDR_ANY)) { 2099 BT_INFO("%s: No device address configured", hdev->name); 2100 set_bit(HCI_QUIRK_INVALID_BDADDR, &hdev->quirks); 2101 } 2102 2103 /* With this Intel bootloader only the hardware variant and device 2104 * revision information are used to select the right firmware. 2105 * 2106 * Currently this bootloader support is limited to hardware variant 2107 * iBT 3.0 (LnP/SfP) which is identified by the value 11 (0x0b). 2108 */ 2109 snprintf(fwname, sizeof(fwname), "intel/ibt-11-%u.sfi", 2110 le16_to_cpu(params->dev_revid)); 2111 2112 err = request_firmware(&fw, fwname, &hdev->dev); 2113 if (err < 0) { 2114 BT_ERR("%s: Failed to load Intel firmware file (%d)", 2115 hdev->name, err); 2116 kfree_skb(skb); 2117 return err; 2118 } 2119 2120 BT_INFO("%s: Found device firmware: %s", hdev->name, fwname); 2121 2122 kfree_skb(skb); 2123 2124 if (fw->size < 644) { 2125 BT_ERR("%s: Invalid size of firmware file (%zu)", 2126 hdev->name, fw->size); 2127 err = -EBADF; 2128 goto done; 2129 } 2130 2131 set_bit(BTUSB_DOWNLOADING, &data->flags); 2132 2133 /* Start the firmware download transaction with the Init fragment 2134 * represented by the 128 bytes of CSS header. 2135 */ 2136 err = btusb_intel_secure_send(hdev, 0x00, 128, fw->data); 2137 if (err < 0) { 2138 BT_ERR("%s: Failed to send firmware header (%d)", 2139 hdev->name, err); 2140 goto done; 2141 } 2142 2143 /* Send the 256 bytes of public key information from the firmware 2144 * as the PKey fragment. 2145 */ 2146 err = btusb_intel_secure_send(hdev, 0x03, 256, fw->data + 128); 2147 if (err < 0) { 2148 BT_ERR("%s: Failed to send firmware public key (%d)", 2149 hdev->name, err); 2150 goto done; 2151 } 2152 2153 /* Send the 256 bytes of signature information from the firmware 2154 * as the Sign fragment. 2155 */ 2156 err = btusb_intel_secure_send(hdev, 0x02, 256, fw->data + 388); 2157 if (err < 0) { 2158 BT_ERR("%s: Failed to send firmware signature (%d)", 2159 hdev->name, err); 2160 goto done; 2161 } 2162 2163 fw_ptr = fw->data + 644; 2164 2165 while (fw_ptr - fw->data < fw->size) { 2166 struct hci_command_hdr *cmd = (void *)fw_ptr; 2167 u8 cmd_len; 2168 2169 cmd_len = sizeof(*cmd) + cmd->plen; 2170 2171 /* Send each command from the firmware data buffer as 2172 * a single Data fragment. 2173 */ 2174 err = btusb_intel_secure_send(hdev, 0x01, cmd_len, fw_ptr); 2175 if (err < 0) { 2176 BT_ERR("%s: Failed to send firmware data (%d)", 2177 hdev->name, err); 2178 goto done; 2179 } 2180 2181 fw_ptr += cmd_len; 2182 } 2183 2184 set_bit(BTUSB_FIRMWARE_LOADED, &data->flags); 2185 2186 BT_INFO("%s: Waiting for firmware download to complete", hdev->name); 2187 2188 /* Before switching the device into operational mode and with that 2189 * booting the loaded firmware, wait for the bootloader notification 2190 * that all fragments have been successfully received. 2191 * 2192 * When the event processing receives the notification, then the 2193 * BTUSB_DOWNLOADING flag will be cleared. 2194 * 2195 * The firmware loading should not take longer than 5 seconds 2196 * and thus just timeout if that happens and fail the setup 2197 * of this device. 2198 */ 2199 err = btusb_wait_on_bit_timeout(&data->flags, BTUSB_DOWNLOADING, 2200 msecs_to_jiffies(5000), 2201 TASK_INTERRUPTIBLE); 2202 if (err == 1) { 2203 BT_ERR("%s: Firmware loading interrupted", hdev->name); 2204 err = -EINTR; 2205 goto done; 2206 } 2207 2208 if (err) { 2209 BT_ERR("%s: Firmware loading timeout", hdev->name); 2210 err = -ETIMEDOUT; 2211 goto done; 2212 } 2213 2214 if (test_bit(BTUSB_FIRMWARE_FAILED, &data->flags)) { 2215 BT_ERR("%s: Firmware loading failed", hdev->name); 2216 err = -ENOEXEC; 2217 goto done; 2218 } 2219 2220 rettime = ktime_get(); 2221 delta = ktime_sub(rettime, calltime); 2222 duration = (unsigned long long) ktime_to_ns(delta) >> 10; 2223 2224 BT_INFO("%s: Firmware loaded in %llu usecs", hdev->name, duration); 2225 2226 done: 2227 release_firmware(fw); 2228 2229 if (err < 0) 2230 return err; 2231 2232 calltime = ktime_get(); 2233 2234 set_bit(BTUSB_BOOTING, &data->flags); 2235 2236 skb = __hci_cmd_sync(hdev, 0xfc01, sizeof(reset_param), reset_param, 2237 HCI_INIT_TIMEOUT); 2238 if (IS_ERR(skb)) 2239 return PTR_ERR(skb); 2240 2241 kfree_skb(skb); 2242 2243 /* The bootloader will not indicate when the device is ready. This 2244 * is done by the operational firmware sending bootup notification. 2245 * 2246 * Booting into operational firmware should not take longer than 2247 * 1 second. However if that happens, then just fail the setup 2248 * since something went wrong. 2249 */ 2250 BT_INFO("%s: Waiting for device to boot", hdev->name); 2251 2252 err = btusb_wait_on_bit_timeout(&data->flags, BTUSB_BOOTING, 2253 msecs_to_jiffies(1000), 2254 TASK_INTERRUPTIBLE); 2255 2256 if (err == 1) { 2257 BT_ERR("%s: Device boot interrupted", hdev->name); 2258 return -EINTR; 2259 } 2260 2261 if (err) { 2262 BT_ERR("%s: Device boot timeout", hdev->name); 2263 return -ETIMEDOUT; 2264 } 2265 2266 rettime = ktime_get(); 2267 delta = ktime_sub(rettime, calltime); 2268 duration = (unsigned long long) ktime_to_ns(delta) >> 10; 2269 2270 BT_INFO("%s: Device booted in %llu usecs", hdev->name, duration); 2271 2272 clear_bit(BTUSB_BOOTLOADER, &data->flags); 2273 2274 return 0; 2275 } 2276 2277 static void btusb_hw_error_intel(struct hci_dev *hdev, u8 code) 2278 { 2279 struct sk_buff *skb; 2280 u8 type = 0x00; 2281 2282 BT_ERR("%s: Hardware error 0x%2.2x", hdev->name, code); 2283 2284 skb = __hci_cmd_sync(hdev, HCI_OP_RESET, 0, NULL, HCI_INIT_TIMEOUT); 2285 if (IS_ERR(skb)) { 2286 BT_ERR("%s: Reset after hardware error failed (%ld)", 2287 hdev->name, PTR_ERR(skb)); 2288 return; 2289 } 2290 kfree_skb(skb); 2291 2292 skb = __hci_cmd_sync(hdev, 0xfc22, 1, &type, HCI_INIT_TIMEOUT); 2293 if (IS_ERR(skb)) { 2294 BT_ERR("%s: Retrieving Intel exception info failed (%ld)", 2295 hdev->name, PTR_ERR(skb)); 2296 return; 2297 } 2298 2299 if (skb->len != 13) { 2300 BT_ERR("%s: Exception info size mismatch", hdev->name); 2301 kfree_skb(skb); 2302 return; 2303 } 2304 2305 if (skb->data[0] != 0x00) { 2306 BT_ERR("%s: Exception info command failure (%02x)", 2307 hdev->name, skb->data[0]); 2308 kfree_skb(skb); 2309 return; 2310 } 2311 2312 BT_ERR("%s: Exception info %s", hdev->name, (char *)(skb->data + 1)); 2313 2314 kfree_skb(skb); 2315 } 2316 2317 static int btusb_set_bdaddr_intel(struct hci_dev *hdev, const bdaddr_t *bdaddr) 2318 { 2319 struct sk_buff *skb; 2320 long ret; 2321 2322 skb = __hci_cmd_sync(hdev, 0xfc31, 6, bdaddr, HCI_INIT_TIMEOUT); 2323 if (IS_ERR(skb)) { 2324 ret = PTR_ERR(skb); 2325 BT_ERR("%s: changing Intel device address failed (%ld)", 2326 hdev->name, ret); 2327 return ret; 2328 } 2329 kfree_skb(skb); 2330 2331 return 0; 2332 } 2333 2334 static int btusb_set_bdaddr_marvell(struct hci_dev *hdev, 2335 const bdaddr_t *bdaddr) 2336 { 2337 struct sk_buff *skb; 2338 u8 buf[8]; 2339 long ret; 2340 2341 buf[0] = 0xfe; 2342 buf[1] = sizeof(bdaddr_t); 2343 memcpy(buf + 2, bdaddr, sizeof(bdaddr_t)); 2344 2345 skb = __hci_cmd_sync(hdev, 0xfc22, sizeof(buf), buf, HCI_INIT_TIMEOUT); 2346 if (IS_ERR(skb)) { 2347 ret = PTR_ERR(skb); 2348 BT_ERR("%s: changing Marvell device address failed (%ld)", 2349 hdev->name, ret); 2350 return ret; 2351 } 2352 kfree_skb(skb); 2353 2354 return 0; 2355 } 2356 2357 #define BDADDR_BCM20702A0 (&(bdaddr_t) {{0x00, 0xa0, 0x02, 0x70, 0x20, 0x00}}) 2358 2359 static int btusb_setup_bcm_patchram(struct hci_dev *hdev) 2360 { 2361 struct btusb_data *data = hci_get_drvdata(hdev); 2362 struct usb_device *udev = data->udev; 2363 char fw_name[64]; 2364 const struct firmware *fw; 2365 const u8 *fw_ptr; 2366 size_t fw_size; 2367 const struct hci_command_hdr *cmd; 2368 const u8 *cmd_param; 2369 u16 opcode; 2370 struct sk_buff *skb; 2371 struct hci_rp_read_local_version *ver; 2372 struct hci_rp_read_bd_addr *bda; 2373 long ret; 2374 2375 snprintf(fw_name, sizeof(fw_name), "brcm/%s-%04x-%04x.hcd", 2376 udev->product ? udev->product : "BCM", 2377 le16_to_cpu(udev->descriptor.idVendor), 2378 le16_to_cpu(udev->descriptor.idProduct)); 2379 2380 ret = request_firmware(&fw, fw_name, &hdev->dev); 2381 if (ret < 0) { 2382 BT_INFO("%s: BCM: patch %s not found", hdev->name, fw_name); 2383 return 0; 2384 } 2385 2386 /* Reset */ 2387 skb = __hci_cmd_sync(hdev, HCI_OP_RESET, 0, NULL, HCI_INIT_TIMEOUT); 2388 if (IS_ERR(skb)) { 2389 ret = PTR_ERR(skb); 2390 BT_ERR("%s: HCI_OP_RESET failed (%ld)", hdev->name, ret); 2391 goto done; 2392 } 2393 kfree_skb(skb); 2394 2395 /* Read Local Version Info */ 2396 skb = __hci_cmd_sync(hdev, HCI_OP_READ_LOCAL_VERSION, 0, NULL, 2397 HCI_INIT_TIMEOUT); 2398 if (IS_ERR(skb)) { 2399 ret = PTR_ERR(skb); 2400 BT_ERR("%s: HCI_OP_READ_LOCAL_VERSION failed (%ld)", 2401 hdev->name, ret); 2402 goto done; 2403 } 2404 2405 if (skb->len != sizeof(*ver)) { 2406 BT_ERR("%s: HCI_OP_READ_LOCAL_VERSION event length mismatch", 2407 hdev->name); 2408 kfree_skb(skb); 2409 ret = -EIO; 2410 goto done; 2411 } 2412 2413 ver = (struct hci_rp_read_local_version *)skb->data; 2414 BT_INFO("%s: BCM: patching hci_ver=%02x hci_rev=%04x lmp_ver=%02x " 2415 "lmp_subver=%04x", hdev->name, ver->hci_ver, ver->hci_rev, 2416 ver->lmp_ver, ver->lmp_subver); 2417 kfree_skb(skb); 2418 2419 /* Start Download */ 2420 skb = __hci_cmd_sync(hdev, 0xfc2e, 0, NULL, HCI_INIT_TIMEOUT); 2421 if (IS_ERR(skb)) { 2422 ret = PTR_ERR(skb); 2423 BT_ERR("%s: BCM: Download Minidrv command failed (%ld)", 2424 hdev->name, ret); 2425 goto reset_fw; 2426 } 2427 kfree_skb(skb); 2428 2429 /* 50 msec delay after Download Minidrv completes */ 2430 msleep(50); 2431 2432 fw_ptr = fw->data; 2433 fw_size = fw->size; 2434 2435 while (fw_size >= sizeof(*cmd)) { 2436 cmd = (struct hci_command_hdr *)fw_ptr; 2437 fw_ptr += sizeof(*cmd); 2438 fw_size -= sizeof(*cmd); 2439 2440 if (fw_size < cmd->plen) { 2441 BT_ERR("%s: BCM: patch %s is corrupted", 2442 hdev->name, fw_name); 2443 ret = -EINVAL; 2444 goto reset_fw; 2445 } 2446 2447 cmd_param = fw_ptr; 2448 fw_ptr += cmd->plen; 2449 fw_size -= cmd->plen; 2450 2451 opcode = le16_to_cpu(cmd->opcode); 2452 2453 skb = __hci_cmd_sync(hdev, opcode, cmd->plen, cmd_param, 2454 HCI_INIT_TIMEOUT); 2455 if (IS_ERR(skb)) { 2456 ret = PTR_ERR(skb); 2457 BT_ERR("%s: BCM: patch command %04x failed (%ld)", 2458 hdev->name, opcode, ret); 2459 goto reset_fw; 2460 } 2461 kfree_skb(skb); 2462 } 2463 2464 /* 250 msec delay after Launch Ram completes */ 2465 msleep(250); 2466 2467 reset_fw: 2468 /* Reset */ 2469 skb = __hci_cmd_sync(hdev, HCI_OP_RESET, 0, NULL, HCI_INIT_TIMEOUT); 2470 if (IS_ERR(skb)) { 2471 ret = PTR_ERR(skb); 2472 BT_ERR("%s: HCI_OP_RESET failed (%ld)", hdev->name, ret); 2473 goto done; 2474 } 2475 kfree_skb(skb); 2476 2477 /* Read Local Version Info */ 2478 skb = __hci_cmd_sync(hdev, HCI_OP_READ_LOCAL_VERSION, 0, NULL, 2479 HCI_INIT_TIMEOUT); 2480 if (IS_ERR(skb)) { 2481 ret = PTR_ERR(skb); 2482 BT_ERR("%s: HCI_OP_READ_LOCAL_VERSION failed (%ld)", 2483 hdev->name, ret); 2484 goto done; 2485 } 2486 2487 if (skb->len != sizeof(*ver)) { 2488 BT_ERR("%s: HCI_OP_READ_LOCAL_VERSION event length mismatch", 2489 hdev->name); 2490 kfree_skb(skb); 2491 ret = -EIO; 2492 goto done; 2493 } 2494 2495 ver = (struct hci_rp_read_local_version *)skb->data; 2496 BT_INFO("%s: BCM: firmware hci_ver=%02x hci_rev=%04x lmp_ver=%02x " 2497 "lmp_subver=%04x", hdev->name, ver->hci_ver, ver->hci_rev, 2498 ver->lmp_ver, ver->lmp_subver); 2499 kfree_skb(skb); 2500 2501 /* Read BD Address */ 2502 skb = __hci_cmd_sync(hdev, HCI_OP_READ_BD_ADDR, 0, NULL, 2503 HCI_INIT_TIMEOUT); 2504 if (IS_ERR(skb)) { 2505 ret = PTR_ERR(skb); 2506 BT_ERR("%s: HCI_OP_READ_BD_ADDR failed (%ld)", 2507 hdev->name, ret); 2508 goto done; 2509 } 2510 2511 if (skb->len != sizeof(*bda)) { 2512 BT_ERR("%s: HCI_OP_READ_BD_ADDR event length mismatch", 2513 hdev->name); 2514 kfree_skb(skb); 2515 ret = -EIO; 2516 goto done; 2517 } 2518 2519 bda = (struct hci_rp_read_bd_addr *)skb->data; 2520 if (bda->status) { 2521 BT_ERR("%s: HCI_OP_READ_BD_ADDR error status (%02x)", 2522 hdev->name, bda->status); 2523 kfree_skb(skb); 2524 ret = -bt_to_errno(bda->status); 2525 goto done; 2526 } 2527 2528 /* The address 00:20:70:02:A0:00 indicates a BCM20702A0 controller 2529 * with no configured address. 2530 */ 2531 if (!bacmp(&bda->bdaddr, BDADDR_BCM20702A0)) { 2532 BT_INFO("%s: BCM: using default device address (%pMR)", 2533 hdev->name, &bda->bdaddr); 2534 set_bit(HCI_QUIRK_INVALID_BDADDR, &hdev->quirks); 2535 } 2536 2537 kfree_skb(skb); 2538 2539 done: 2540 release_firmware(fw); 2541 2542 return ret; 2543 } 2544 2545 static int btusb_set_bdaddr_bcm(struct hci_dev *hdev, const bdaddr_t *bdaddr) 2546 { 2547 struct sk_buff *skb; 2548 long ret; 2549 2550 skb = __hci_cmd_sync(hdev, 0xfc01, 6, bdaddr, HCI_INIT_TIMEOUT); 2551 if (IS_ERR(skb)) { 2552 ret = PTR_ERR(skb); 2553 BT_ERR("%s: BCM: Change address command failed (%ld)", 2554 hdev->name, ret); 2555 return ret; 2556 } 2557 kfree_skb(skb); 2558 2559 return 0; 2560 } 2561 2562 static int btusb_set_bdaddr_ath3012(struct hci_dev *hdev, 2563 const bdaddr_t *bdaddr) 2564 { 2565 struct sk_buff *skb; 2566 u8 buf[10]; 2567 long ret; 2568 2569 buf[0] = 0x01; 2570 buf[1] = 0x01; 2571 buf[2] = 0x00; 2572 buf[3] = sizeof(bdaddr_t); 2573 memcpy(buf + 4, bdaddr, sizeof(bdaddr_t)); 2574 2575 skb = __hci_cmd_sync(hdev, 0xfc0b, sizeof(buf), buf, HCI_INIT_TIMEOUT); 2576 if (IS_ERR(skb)) { 2577 ret = PTR_ERR(skb); 2578 BT_ERR("%s: Change address command failed (%ld)", 2579 hdev->name, ret); 2580 return ret; 2581 } 2582 kfree_skb(skb); 2583 2584 return 0; 2585 } 2586 2587 static int btusb_probe(struct usb_interface *intf, 2588 const struct usb_device_id *id) 2589 { 2590 struct usb_endpoint_descriptor *ep_desc; 2591 struct btusb_data *data; 2592 struct hci_dev *hdev; 2593 int i, err; 2594 2595 BT_DBG("intf %p id %p", intf, id); 2596 2597 /* interface numbers are hardcoded in the spec */ 2598 if (intf->cur_altsetting->desc.bInterfaceNumber != 0) 2599 return -ENODEV; 2600 2601 if (!id->driver_info) { 2602 const struct usb_device_id *match; 2603 2604 match = usb_match_id(intf, blacklist_table); 2605 if (match) 2606 id = match; 2607 } 2608 2609 if (id->driver_info == BTUSB_IGNORE) 2610 return -ENODEV; 2611 2612 if (id->driver_info & BTUSB_ATH3012) { 2613 struct usb_device *udev = interface_to_usbdev(intf); 2614 2615 /* Old firmware would otherwise let ath3k driver load 2616 * patch and sysconfig files */ 2617 if (le16_to_cpu(udev->descriptor.bcdDevice) <= 0x0001) 2618 return -ENODEV; 2619 } 2620 2621 data = devm_kzalloc(&intf->dev, sizeof(*data), GFP_KERNEL); 2622 if (!data) 2623 return -ENOMEM; 2624 2625 for (i = 0; i < intf->cur_altsetting->desc.bNumEndpoints; i++) { 2626 ep_desc = &intf->cur_altsetting->endpoint[i].desc; 2627 2628 if (!data->intr_ep && usb_endpoint_is_int_in(ep_desc)) { 2629 data->intr_ep = ep_desc; 2630 continue; 2631 } 2632 2633 if (!data->bulk_tx_ep && usb_endpoint_is_bulk_out(ep_desc)) { 2634 data->bulk_tx_ep = ep_desc; 2635 continue; 2636 } 2637 2638 if (!data->bulk_rx_ep && usb_endpoint_is_bulk_in(ep_desc)) { 2639 data->bulk_rx_ep = ep_desc; 2640 continue; 2641 } 2642 } 2643 2644 if (!data->intr_ep || !data->bulk_tx_ep || !data->bulk_rx_ep) 2645 return -ENODEV; 2646 2647 if (id->driver_info & BTUSB_AMP) { 2648 data->cmdreq_type = USB_TYPE_CLASS | 0x01; 2649 data->cmdreq = 0x2b; 2650 } else { 2651 data->cmdreq_type = USB_TYPE_CLASS; 2652 data->cmdreq = 0x00; 2653 } 2654 2655 data->udev = interface_to_usbdev(intf); 2656 data->intf = intf; 2657 2658 INIT_WORK(&data->work, btusb_work); 2659 INIT_WORK(&data->waker, btusb_waker); 2660 init_usb_anchor(&data->deferred); 2661 init_usb_anchor(&data->tx_anchor); 2662 spin_lock_init(&data->txlock); 2663 2664 init_usb_anchor(&data->intr_anchor); 2665 init_usb_anchor(&data->bulk_anchor); 2666 init_usb_anchor(&data->isoc_anchor); 2667 spin_lock_init(&data->rxlock); 2668 2669 if (id->driver_info & BTUSB_INTEL_NEW) { 2670 data->recv_event = btusb_recv_event_intel; 2671 data->recv_bulk = btusb_recv_bulk_intel; 2672 set_bit(BTUSB_BOOTLOADER, &data->flags); 2673 } else { 2674 data->recv_event = hci_recv_frame; 2675 data->recv_bulk = btusb_recv_bulk; 2676 } 2677 2678 hdev = hci_alloc_dev(); 2679 if (!hdev) 2680 return -ENOMEM; 2681 2682 hdev->bus = HCI_USB; 2683 hci_set_drvdata(hdev, data); 2684 2685 if (id->driver_info & BTUSB_AMP) 2686 hdev->dev_type = HCI_AMP; 2687 else 2688 hdev->dev_type = HCI_BREDR; 2689 2690 data->hdev = hdev; 2691 2692 SET_HCIDEV_DEV(hdev, &intf->dev); 2693 2694 hdev->open = btusb_open; 2695 hdev->close = btusb_close; 2696 hdev->flush = btusb_flush; 2697 hdev->send = btusb_send_frame; 2698 hdev->notify = btusb_notify; 2699 2700 if (id->driver_info & BTUSB_BCM92035) 2701 hdev->setup = btusb_setup_bcm92035; 2702 2703 if (id->driver_info & BTUSB_BCM_PATCHRAM) { 2704 hdev->setup = btusb_setup_bcm_patchram; 2705 hdev->set_bdaddr = btusb_set_bdaddr_bcm; 2706 set_bit(HCI_QUIRK_STRICT_DUPLICATE_FILTER, &hdev->quirks); 2707 } 2708 2709 if (id->driver_info & BTUSB_INTEL) { 2710 hdev->setup = btusb_setup_intel; 2711 hdev->set_bdaddr = btusb_set_bdaddr_intel; 2712 set_bit(HCI_QUIRK_STRICT_DUPLICATE_FILTER, &hdev->quirks); 2713 } 2714 2715 if (id->driver_info & BTUSB_INTEL_NEW) { 2716 hdev->send = btusb_send_frame_intel; 2717 hdev->setup = btusb_setup_intel_new; 2718 hdev->hw_error = btusb_hw_error_intel; 2719 hdev->set_bdaddr = btusb_set_bdaddr_intel; 2720 set_bit(HCI_QUIRK_STRICT_DUPLICATE_FILTER, &hdev->quirks); 2721 } 2722 2723 if (id->driver_info & BTUSB_MARVELL) 2724 hdev->set_bdaddr = btusb_set_bdaddr_marvell; 2725 2726 if (id->driver_info & BTUSB_SWAVE) { 2727 set_bit(HCI_QUIRK_FIXUP_INQUIRY_MODE, &hdev->quirks); 2728 set_bit(HCI_QUIRK_BROKEN_LOCAL_COMMANDS, &hdev->quirks); 2729 } 2730 2731 if (id->driver_info & BTUSB_INTEL_BOOT) 2732 set_bit(HCI_QUIRK_RAW_DEVICE, &hdev->quirks); 2733 2734 if (id->driver_info & BTUSB_ATH3012) { 2735 hdev->set_bdaddr = btusb_set_bdaddr_ath3012; 2736 set_bit(HCI_QUIRK_STRICT_DUPLICATE_FILTER, &hdev->quirks); 2737 } 2738 2739 if (id->driver_info & BTUSB_AMP) { 2740 /* AMP controllers do not support SCO packets */ 2741 data->isoc = NULL; 2742 } else { 2743 /* Interface numbers are hardcoded in the specification */ 2744 data->isoc = usb_ifnum_to_if(data->udev, 1); 2745 } 2746 2747 if (!reset) 2748 set_bit(HCI_QUIRK_RESET_ON_CLOSE, &hdev->quirks); 2749 2750 if (force_scofix || id->driver_info & BTUSB_WRONG_SCO_MTU) { 2751 if (!disable_scofix) 2752 set_bit(HCI_QUIRK_FIXUP_BUFFER_SIZE, &hdev->quirks); 2753 } 2754 2755 if (id->driver_info & BTUSB_BROKEN_ISOC) 2756 data->isoc = NULL; 2757 2758 if (id->driver_info & BTUSB_DIGIANSWER) { 2759 data->cmdreq_type = USB_TYPE_VENDOR; 2760 set_bit(HCI_QUIRK_RESET_ON_CLOSE, &hdev->quirks); 2761 } 2762 2763 if (id->driver_info & BTUSB_CSR) { 2764 struct usb_device *udev = data->udev; 2765 u16 bcdDevice = le16_to_cpu(udev->descriptor.bcdDevice); 2766 2767 /* Old firmware would otherwise execute USB reset */ 2768 if (bcdDevice < 0x117) 2769 set_bit(HCI_QUIRK_RESET_ON_CLOSE, &hdev->quirks); 2770 2771 /* Fake CSR devices with broken commands */ 2772 if (bcdDevice <= 0x100) 2773 hdev->setup = btusb_setup_csr; 2774 } 2775 2776 if (id->driver_info & BTUSB_SNIFFER) { 2777 struct usb_device *udev = data->udev; 2778 2779 /* New sniffer firmware has crippled HCI interface */ 2780 if (le16_to_cpu(udev->descriptor.bcdDevice) > 0x997) 2781 set_bit(HCI_QUIRK_RAW_DEVICE, &hdev->quirks); 2782 } 2783 2784 if (id->driver_info & BTUSB_INTEL_BOOT) { 2785 /* A bug in the bootloader causes that interrupt interface is 2786 * only enabled after receiving SetInterface(0, AltSetting=0). 2787 */ 2788 err = usb_set_interface(data->udev, 0, 0); 2789 if (err < 0) { 2790 BT_ERR("failed to set interface 0, alt 0 %d", err); 2791 hci_free_dev(hdev); 2792 return err; 2793 } 2794 } 2795 2796 if (data->isoc) { 2797 err = usb_driver_claim_interface(&btusb_driver, 2798 data->isoc, data); 2799 if (err < 0) { 2800 hci_free_dev(hdev); 2801 return err; 2802 } 2803 } 2804 2805 err = hci_register_dev(hdev); 2806 if (err < 0) { 2807 hci_free_dev(hdev); 2808 return err; 2809 } 2810 2811 usb_set_intfdata(intf, data); 2812 2813 return 0; 2814 } 2815 2816 static void btusb_disconnect(struct usb_interface *intf) 2817 { 2818 struct btusb_data *data = usb_get_intfdata(intf); 2819 struct hci_dev *hdev; 2820 2821 BT_DBG("intf %p", intf); 2822 2823 if (!data) 2824 return; 2825 2826 hdev = data->hdev; 2827 usb_set_intfdata(data->intf, NULL); 2828 2829 if (data->isoc) 2830 usb_set_intfdata(data->isoc, NULL); 2831 2832 hci_unregister_dev(hdev); 2833 2834 if (intf == data->isoc) 2835 usb_driver_release_interface(&btusb_driver, data->intf); 2836 else if (data->isoc) 2837 usb_driver_release_interface(&btusb_driver, data->isoc); 2838 2839 hci_free_dev(hdev); 2840 } 2841 2842 #ifdef CONFIG_PM 2843 static int btusb_suspend(struct usb_interface *intf, pm_message_t message) 2844 { 2845 struct btusb_data *data = usb_get_intfdata(intf); 2846 2847 BT_DBG("intf %p", intf); 2848 2849 if (data->suspend_count++) 2850 return 0; 2851 2852 spin_lock_irq(&data->txlock); 2853 if (!(PMSG_IS_AUTO(message) && data->tx_in_flight)) { 2854 set_bit(BTUSB_SUSPENDING, &data->flags); 2855 spin_unlock_irq(&data->txlock); 2856 } else { 2857 spin_unlock_irq(&data->txlock); 2858 data->suspend_count--; 2859 return -EBUSY; 2860 } 2861 2862 cancel_work_sync(&data->work); 2863 2864 btusb_stop_traffic(data); 2865 usb_kill_anchored_urbs(&data->tx_anchor); 2866 2867 return 0; 2868 } 2869 2870 static void play_deferred(struct btusb_data *data) 2871 { 2872 struct urb *urb; 2873 int err; 2874 2875 while ((urb = usb_get_from_anchor(&data->deferred))) { 2876 err = usb_submit_urb(urb, GFP_ATOMIC); 2877 if (err < 0) 2878 break; 2879 2880 data->tx_in_flight++; 2881 } 2882 usb_scuttle_anchored_urbs(&data->deferred); 2883 } 2884 2885 static int btusb_resume(struct usb_interface *intf) 2886 { 2887 struct btusb_data *data = usb_get_intfdata(intf); 2888 struct hci_dev *hdev = data->hdev; 2889 int err = 0; 2890 2891 BT_DBG("intf %p", intf); 2892 2893 if (--data->suspend_count) 2894 return 0; 2895 2896 if (!test_bit(HCI_RUNNING, &hdev->flags)) 2897 goto done; 2898 2899 if (test_bit(BTUSB_INTR_RUNNING, &data->flags)) { 2900 err = btusb_submit_intr_urb(hdev, GFP_NOIO); 2901 if (err < 0) { 2902 clear_bit(BTUSB_INTR_RUNNING, &data->flags); 2903 goto failed; 2904 } 2905 } 2906 2907 if (test_bit(BTUSB_BULK_RUNNING, &data->flags)) { 2908 err = btusb_submit_bulk_urb(hdev, GFP_NOIO); 2909 if (err < 0) { 2910 clear_bit(BTUSB_BULK_RUNNING, &data->flags); 2911 goto failed; 2912 } 2913 2914 btusb_submit_bulk_urb(hdev, GFP_NOIO); 2915 } 2916 2917 if (test_bit(BTUSB_ISOC_RUNNING, &data->flags)) { 2918 if (btusb_submit_isoc_urb(hdev, GFP_NOIO) < 0) 2919 clear_bit(BTUSB_ISOC_RUNNING, &data->flags); 2920 else 2921 btusb_submit_isoc_urb(hdev, GFP_NOIO); 2922 } 2923 2924 spin_lock_irq(&data->txlock); 2925 play_deferred(data); 2926 clear_bit(BTUSB_SUSPENDING, &data->flags); 2927 spin_unlock_irq(&data->txlock); 2928 schedule_work(&data->work); 2929 2930 return 0; 2931 2932 failed: 2933 usb_scuttle_anchored_urbs(&data->deferred); 2934 done: 2935 spin_lock_irq(&data->txlock); 2936 clear_bit(BTUSB_SUSPENDING, &data->flags); 2937 spin_unlock_irq(&data->txlock); 2938 2939 return err; 2940 } 2941 #endif 2942 2943 static struct usb_driver btusb_driver = { 2944 .name = "btusb", 2945 .probe = btusb_probe, 2946 .disconnect = btusb_disconnect, 2947 #ifdef CONFIG_PM 2948 .suspend = btusb_suspend, 2949 .resume = btusb_resume, 2950 #endif 2951 .id_table = btusb_table, 2952 .supports_autosuspend = 1, 2953 .disable_hub_initiated_lpm = 1, 2954 }; 2955 2956 module_usb_driver(btusb_driver); 2957 2958 module_param(disable_scofix, bool, 0644); 2959 MODULE_PARM_DESC(disable_scofix, "Disable fixup of wrong SCO buffer size"); 2960 2961 module_param(force_scofix, bool, 0644); 2962 MODULE_PARM_DESC(force_scofix, "Force fixup of wrong SCO buffers size"); 2963 2964 module_param(reset, bool, 0644); 2965 MODULE_PARM_DESC(reset, "Send HCI reset command on initialization"); 2966 2967 MODULE_AUTHOR("Marcel Holtmann <marcel@holtmann.org>"); 2968 MODULE_DESCRIPTION("Generic Bluetooth USB driver ver " VERSION); 2969 MODULE_VERSION(VERSION); 2970 MODULE_LICENSE("GPL"); 2971