1 /* 2 * 3 * Generic Bluetooth USB driver 4 * 5 * Copyright (C) 2005-2008 Marcel Holtmann <marcel@holtmann.org> 6 * 7 * 8 * This program is free software; you can redistribute it and/or modify 9 * it under the terms of the GNU General Public License as published by 10 * the Free Software Foundation; either version 2 of the License, or 11 * (at your option) any later version. 12 * 13 * This program is distributed in the hope that it will be useful, 14 * but WITHOUT ANY WARRANTY; without even the implied warranty of 15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 16 * GNU General Public License for more details. 17 * 18 * You should have received a copy of the GNU General Public License 19 * along with this program; if not, write to the Free Software 20 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA 21 * 22 */ 23 24 #include <linux/module.h> 25 #include <linux/usb.h> 26 #include <linux/firmware.h> 27 28 #include <net/bluetooth/bluetooth.h> 29 #include <net/bluetooth/hci_core.h> 30 31 #define VERSION "0.7" 32 33 static bool disable_scofix; 34 static bool force_scofix; 35 36 static bool reset = 1; 37 38 static struct usb_driver btusb_driver; 39 40 #define BTUSB_IGNORE 0x01 41 #define BTUSB_DIGIANSWER 0x02 42 #define BTUSB_CSR 0x04 43 #define BTUSB_SNIFFER 0x08 44 #define BTUSB_BCM92035 0x10 45 #define BTUSB_BROKEN_ISOC 0x20 46 #define BTUSB_WRONG_SCO_MTU 0x40 47 #define BTUSB_ATH3012 0x80 48 #define BTUSB_INTEL 0x100 49 #define BTUSB_INTEL_BOOT 0x200 50 #define BTUSB_BCM_PATCHRAM 0x400 51 #define BTUSB_MARVELL 0x800 52 #define BTUSB_SWAVE 0x1000 53 #define BTUSB_INTEL_NEW 0x2000 54 #define BTUSB_AMP 0x4000 55 56 static const struct usb_device_id btusb_table[] = { 57 /* Generic Bluetooth USB device */ 58 { USB_DEVICE_INFO(0xe0, 0x01, 0x01) }, 59 60 /* Generic Bluetooth AMP device */ 61 { USB_DEVICE_INFO(0xe0, 0x01, 0x04), .driver_info = BTUSB_AMP }, 62 63 /* Apple-specific (Broadcom) devices */ 64 { USB_VENDOR_AND_INTERFACE_INFO(0x05ac, 0xff, 0x01, 0x01) }, 65 66 /* MediaTek MT76x0E */ 67 { USB_DEVICE(0x0e8d, 0x763f) }, 68 69 /* Broadcom SoftSailing reporting vendor specific */ 70 { USB_DEVICE(0x0a5c, 0x21e1) }, 71 72 /* Apple MacBookPro 7,1 */ 73 { USB_DEVICE(0x05ac, 0x8213) }, 74 75 /* Apple iMac11,1 */ 76 { USB_DEVICE(0x05ac, 0x8215) }, 77 78 /* Apple MacBookPro6,2 */ 79 { USB_DEVICE(0x05ac, 0x8218) }, 80 81 /* Apple MacBookAir3,1, MacBookAir3,2 */ 82 { USB_DEVICE(0x05ac, 0x821b) }, 83 84 /* Apple MacBookAir4,1 */ 85 { USB_DEVICE(0x05ac, 0x821f) }, 86 87 /* Apple MacBookPro8,2 */ 88 { USB_DEVICE(0x05ac, 0x821a) }, 89 90 /* Apple MacMini5,1 */ 91 { USB_DEVICE(0x05ac, 0x8281) }, 92 93 /* AVM BlueFRITZ! USB v2.0 */ 94 { USB_DEVICE(0x057c, 0x3800), .driver_info = BTUSB_SWAVE }, 95 96 /* Bluetooth Ultraport Module from IBM */ 97 { USB_DEVICE(0x04bf, 0x030a) }, 98 99 /* ALPS Modules with non-standard id */ 100 { USB_DEVICE(0x044e, 0x3001) }, 101 { USB_DEVICE(0x044e, 0x3002) }, 102 103 /* Ericsson with non-standard id */ 104 { USB_DEVICE(0x0bdb, 0x1002) }, 105 106 /* Canyon CN-BTU1 with HID interfaces */ 107 { USB_DEVICE(0x0c10, 0x0000) }, 108 109 /* Broadcom BCM20702A0 */ 110 { USB_DEVICE(0x0489, 0xe042) }, 111 { USB_DEVICE(0x04ca, 0x2003) }, 112 { USB_DEVICE(0x0b05, 0x17b5) }, 113 { USB_DEVICE(0x0b05, 0x17cb) }, 114 { USB_DEVICE(0x413c, 0x8197) }, 115 { USB_DEVICE(0x13d3, 0x3404), 116 .driver_info = BTUSB_BCM_PATCHRAM }, 117 118 /* Broadcom BCM20702B0 (Dynex/Insignia) */ 119 { USB_DEVICE(0x19ff, 0x0239), .driver_info = BTUSB_BCM_PATCHRAM }, 120 121 /* Foxconn - Hon Hai */ 122 { USB_VENDOR_AND_INTERFACE_INFO(0x0489, 0xff, 0x01, 0x01), 123 .driver_info = BTUSB_BCM_PATCHRAM }, 124 125 /* Lite-On Technology - Broadcom based */ 126 { USB_VENDOR_AND_INTERFACE_INFO(0x04ca, 0xff, 0x01, 0x01), 127 .driver_info = BTUSB_BCM_PATCHRAM }, 128 129 /* Broadcom devices with vendor specific id */ 130 { USB_VENDOR_AND_INTERFACE_INFO(0x0a5c, 0xff, 0x01, 0x01), 131 .driver_info = BTUSB_BCM_PATCHRAM }, 132 133 /* ASUSTek Computer - Broadcom based */ 134 { USB_VENDOR_AND_INTERFACE_INFO(0x0b05, 0xff, 0x01, 0x01), 135 .driver_info = BTUSB_BCM_PATCHRAM }, 136 137 /* Belkin F8065bf - Broadcom based */ 138 { USB_VENDOR_AND_INTERFACE_INFO(0x050d, 0xff, 0x01, 0x01) }, 139 140 /* IMC Networks - Broadcom based */ 141 { USB_VENDOR_AND_INTERFACE_INFO(0x13d3, 0xff, 0x01, 0x01) }, 142 143 /* Intel Bluetooth USB Bootloader (RAM module) */ 144 { USB_DEVICE(0x8087, 0x0a5a), 145 .driver_info = BTUSB_INTEL_BOOT | BTUSB_BROKEN_ISOC }, 146 147 { } /* Terminating entry */ 148 }; 149 150 MODULE_DEVICE_TABLE(usb, btusb_table); 151 152 static const struct usb_device_id blacklist_table[] = { 153 /* CSR BlueCore devices */ 154 { USB_DEVICE(0x0a12, 0x0001), .driver_info = BTUSB_CSR }, 155 156 /* Broadcom BCM2033 without firmware */ 157 { USB_DEVICE(0x0a5c, 0x2033), .driver_info = BTUSB_IGNORE }, 158 159 /* Atheros 3011 with sflash firmware */ 160 { USB_DEVICE(0x0489, 0xe027), .driver_info = BTUSB_IGNORE }, 161 { USB_DEVICE(0x0489, 0xe03d), .driver_info = BTUSB_IGNORE }, 162 { USB_DEVICE(0x04f2, 0xaff1), .driver_info = BTUSB_IGNORE }, 163 { USB_DEVICE(0x0930, 0x0215), .driver_info = BTUSB_IGNORE }, 164 { USB_DEVICE(0x0cf3, 0x3002), .driver_info = BTUSB_IGNORE }, 165 { USB_DEVICE(0x0cf3, 0xe019), .driver_info = BTUSB_IGNORE }, 166 { USB_DEVICE(0x13d3, 0x3304), .driver_info = BTUSB_IGNORE }, 167 168 /* Atheros AR9285 Malbec with sflash firmware */ 169 { USB_DEVICE(0x03f0, 0x311d), .driver_info = BTUSB_IGNORE }, 170 171 /* Atheros 3012 with sflash firmware */ 172 { USB_DEVICE(0x0489, 0xe04d), .driver_info = BTUSB_ATH3012 }, 173 { USB_DEVICE(0x0489, 0xe04e), .driver_info = BTUSB_ATH3012 }, 174 { USB_DEVICE(0x0489, 0xe056), .driver_info = BTUSB_ATH3012 }, 175 { USB_DEVICE(0x0489, 0xe057), .driver_info = BTUSB_ATH3012 }, 176 { USB_DEVICE(0x0489, 0xe05f), .driver_info = BTUSB_ATH3012 }, 177 { USB_DEVICE(0x0489, 0xe078), .driver_info = BTUSB_ATH3012 }, 178 { USB_DEVICE(0x04c5, 0x1330), .driver_info = BTUSB_ATH3012 }, 179 { USB_DEVICE(0x04ca, 0x3004), .driver_info = BTUSB_ATH3012 }, 180 { USB_DEVICE(0x04ca, 0x3005), .driver_info = BTUSB_ATH3012 }, 181 { USB_DEVICE(0x04ca, 0x3006), .driver_info = BTUSB_ATH3012 }, 182 { USB_DEVICE(0x04ca, 0x3007), .driver_info = BTUSB_ATH3012 }, 183 { USB_DEVICE(0x04ca, 0x3008), .driver_info = BTUSB_ATH3012 }, 184 { USB_DEVICE(0x04ca, 0x300b), .driver_info = BTUSB_ATH3012 }, 185 { USB_DEVICE(0x04ca, 0x3010), .driver_info = BTUSB_ATH3012 }, 186 { USB_DEVICE(0x0930, 0x0219), .driver_info = BTUSB_ATH3012 }, 187 { USB_DEVICE(0x0930, 0x0220), .driver_info = BTUSB_ATH3012 }, 188 { USB_DEVICE(0x0930, 0x0227), .driver_info = BTUSB_ATH3012 }, 189 { USB_DEVICE(0x0b05, 0x17d0), .driver_info = BTUSB_ATH3012 }, 190 { USB_DEVICE(0x0cf3, 0x0036), .driver_info = BTUSB_ATH3012 }, 191 { USB_DEVICE(0x0cf3, 0x3004), .driver_info = BTUSB_ATH3012 }, 192 { USB_DEVICE(0x0cf3, 0x3008), .driver_info = BTUSB_ATH3012 }, 193 { USB_DEVICE(0x0cf3, 0x311d), .driver_info = BTUSB_ATH3012 }, 194 { USB_DEVICE(0x0cf3, 0x311e), .driver_info = BTUSB_ATH3012 }, 195 { USB_DEVICE(0x0cf3, 0x311f), .driver_info = BTUSB_ATH3012 }, 196 { USB_DEVICE(0x0cf3, 0x3121), .driver_info = BTUSB_ATH3012 }, 197 { USB_DEVICE(0x0cf3, 0x817a), .driver_info = BTUSB_ATH3012 }, 198 { USB_DEVICE(0x0cf3, 0xe003), .driver_info = BTUSB_ATH3012 }, 199 { USB_DEVICE(0x0cf3, 0xe004), .driver_info = BTUSB_ATH3012 }, 200 { USB_DEVICE(0x0cf3, 0xe005), .driver_info = BTUSB_ATH3012 }, 201 { USB_DEVICE(0x13d3, 0x3362), .driver_info = BTUSB_ATH3012 }, 202 { USB_DEVICE(0x13d3, 0x3375), .driver_info = BTUSB_ATH3012 }, 203 { USB_DEVICE(0x13d3, 0x3393), .driver_info = BTUSB_ATH3012 }, 204 { USB_DEVICE(0x13d3, 0x3402), .driver_info = BTUSB_ATH3012 }, 205 { USB_DEVICE(0x13d3, 0x3408), .driver_info = BTUSB_ATH3012 }, 206 { USB_DEVICE(0x13d3, 0x3423), .driver_info = BTUSB_ATH3012 }, 207 { USB_DEVICE(0x13d3, 0x3432), .driver_info = BTUSB_ATH3012 }, 208 209 /* Atheros AR5BBU12 with sflash firmware */ 210 { USB_DEVICE(0x0489, 0xe02c), .driver_info = BTUSB_IGNORE }, 211 212 /* Atheros AR5BBU12 with sflash firmware */ 213 { USB_DEVICE(0x0489, 0xe036), .driver_info = BTUSB_ATH3012 }, 214 { USB_DEVICE(0x0489, 0xe03c), .driver_info = BTUSB_ATH3012 }, 215 216 /* Broadcom BCM2035 */ 217 { USB_DEVICE(0x0a5c, 0x2009), .driver_info = BTUSB_BCM92035 }, 218 { USB_DEVICE(0x0a5c, 0x200a), .driver_info = BTUSB_WRONG_SCO_MTU }, 219 { USB_DEVICE(0x0a5c, 0x2035), .driver_info = BTUSB_WRONG_SCO_MTU }, 220 221 /* Broadcom BCM2045 */ 222 { USB_DEVICE(0x0a5c, 0x2039), .driver_info = BTUSB_WRONG_SCO_MTU }, 223 { USB_DEVICE(0x0a5c, 0x2101), .driver_info = BTUSB_WRONG_SCO_MTU }, 224 225 /* IBM/Lenovo ThinkPad with Broadcom chip */ 226 { USB_DEVICE(0x0a5c, 0x201e), .driver_info = BTUSB_WRONG_SCO_MTU }, 227 { USB_DEVICE(0x0a5c, 0x2110), .driver_info = BTUSB_WRONG_SCO_MTU }, 228 229 /* HP laptop with Broadcom chip */ 230 { USB_DEVICE(0x03f0, 0x171d), .driver_info = BTUSB_WRONG_SCO_MTU }, 231 232 /* Dell laptop with Broadcom chip */ 233 { USB_DEVICE(0x413c, 0x8126), .driver_info = BTUSB_WRONG_SCO_MTU }, 234 235 /* Dell Wireless 370 and 410 devices */ 236 { USB_DEVICE(0x413c, 0x8152), .driver_info = BTUSB_WRONG_SCO_MTU }, 237 { USB_DEVICE(0x413c, 0x8156), .driver_info = BTUSB_WRONG_SCO_MTU }, 238 239 /* Belkin F8T012 and F8T013 devices */ 240 { USB_DEVICE(0x050d, 0x0012), .driver_info = BTUSB_WRONG_SCO_MTU }, 241 { USB_DEVICE(0x050d, 0x0013), .driver_info = BTUSB_WRONG_SCO_MTU }, 242 243 /* Asus WL-BTD202 device */ 244 { USB_DEVICE(0x0b05, 0x1715), .driver_info = BTUSB_WRONG_SCO_MTU }, 245 246 /* Kensington Bluetooth USB adapter */ 247 { USB_DEVICE(0x047d, 0x105e), .driver_info = BTUSB_WRONG_SCO_MTU }, 248 249 /* RTX Telecom based adapters with buggy SCO support */ 250 { USB_DEVICE(0x0400, 0x0807), .driver_info = BTUSB_BROKEN_ISOC }, 251 { USB_DEVICE(0x0400, 0x080a), .driver_info = BTUSB_BROKEN_ISOC }, 252 253 /* CONWISE Technology based adapters with buggy SCO support */ 254 { USB_DEVICE(0x0e5e, 0x6622), .driver_info = BTUSB_BROKEN_ISOC }, 255 256 /* Roper Class 1 Bluetooth Dongle (Silicon Wave based) */ 257 { USB_DEVICE(0x1300, 0x0001), .driver_info = BTUSB_SWAVE }, 258 259 /* Digianswer devices */ 260 { USB_DEVICE(0x08fd, 0x0001), .driver_info = BTUSB_DIGIANSWER }, 261 { USB_DEVICE(0x08fd, 0x0002), .driver_info = BTUSB_IGNORE }, 262 263 /* CSR BlueCore Bluetooth Sniffer */ 264 { USB_DEVICE(0x0a12, 0x0002), 265 .driver_info = BTUSB_SNIFFER | BTUSB_BROKEN_ISOC }, 266 267 /* Frontline ComProbe Bluetooth Sniffer */ 268 { USB_DEVICE(0x16d3, 0x0002), 269 .driver_info = BTUSB_SNIFFER | BTUSB_BROKEN_ISOC }, 270 271 /* Marvell Bluetooth devices */ 272 { USB_DEVICE(0x1286, 0x2044), .driver_info = BTUSB_MARVELL }, 273 { USB_DEVICE(0x1286, 0x2046), .driver_info = BTUSB_MARVELL }, 274 275 /* Intel Bluetooth devices */ 276 { USB_DEVICE(0x8087, 0x07da), .driver_info = BTUSB_CSR }, 277 { USB_DEVICE(0x8087, 0x07dc), .driver_info = BTUSB_INTEL }, 278 { USB_DEVICE(0x8087, 0x0a2a), .driver_info = BTUSB_INTEL }, 279 { USB_DEVICE(0x8087, 0x0a2b), .driver_info = BTUSB_INTEL_NEW }, 280 281 /* Other Intel Bluetooth devices */ 282 { USB_VENDOR_AND_INTERFACE_INFO(0x8087, 0xe0, 0x01, 0x01), 283 .driver_info = BTUSB_IGNORE }, 284 285 { } /* Terminating entry */ 286 }; 287 288 #define BTUSB_MAX_ISOC_FRAMES 10 289 290 #define BTUSB_INTR_RUNNING 0 291 #define BTUSB_BULK_RUNNING 1 292 #define BTUSB_ISOC_RUNNING 2 293 #define BTUSB_SUSPENDING 3 294 #define BTUSB_DID_ISO_RESUME 4 295 #define BTUSB_BOOTLOADER 5 296 #define BTUSB_DOWNLOADING 6 297 #define BTUSB_FIRMWARE_LOADED 7 298 #define BTUSB_FIRMWARE_FAILED 8 299 #define BTUSB_BOOTING 9 300 301 struct btusb_data { 302 struct hci_dev *hdev; 303 struct usb_device *udev; 304 struct usb_interface *intf; 305 struct usb_interface *isoc; 306 307 unsigned long flags; 308 309 struct work_struct work; 310 struct work_struct waker; 311 312 struct usb_anchor deferred; 313 struct usb_anchor tx_anchor; 314 int tx_in_flight; 315 spinlock_t txlock; 316 317 struct usb_anchor intr_anchor; 318 struct usb_anchor bulk_anchor; 319 struct usb_anchor isoc_anchor; 320 spinlock_t rxlock; 321 322 struct sk_buff *evt_skb; 323 struct sk_buff *acl_skb; 324 struct sk_buff *sco_skb; 325 326 struct usb_endpoint_descriptor *intr_ep; 327 struct usb_endpoint_descriptor *bulk_tx_ep; 328 struct usb_endpoint_descriptor *bulk_rx_ep; 329 struct usb_endpoint_descriptor *isoc_tx_ep; 330 struct usb_endpoint_descriptor *isoc_rx_ep; 331 332 __u8 cmdreq_type; 333 __u8 cmdreq; 334 335 unsigned int sco_num; 336 int isoc_altsetting; 337 int suspend_count; 338 339 int (*recv_event)(struct hci_dev *hdev, struct sk_buff *skb); 340 int (*recv_bulk)(struct btusb_data *data, void *buffer, int count); 341 }; 342 343 static inline void btusb_free_frags(struct btusb_data *data) 344 { 345 unsigned long flags; 346 347 spin_lock_irqsave(&data->rxlock, flags); 348 349 kfree_skb(data->evt_skb); 350 data->evt_skb = NULL; 351 352 kfree_skb(data->acl_skb); 353 data->acl_skb = NULL; 354 355 kfree_skb(data->sco_skb); 356 data->sco_skb = NULL; 357 358 spin_unlock_irqrestore(&data->rxlock, flags); 359 } 360 361 static int btusb_recv_intr(struct btusb_data *data, void *buffer, int count) 362 { 363 struct sk_buff *skb; 364 int err = 0; 365 366 spin_lock(&data->rxlock); 367 skb = data->evt_skb; 368 369 while (count) { 370 int len; 371 372 if (!skb) { 373 skb = bt_skb_alloc(HCI_MAX_EVENT_SIZE, GFP_ATOMIC); 374 if (!skb) { 375 err = -ENOMEM; 376 break; 377 } 378 379 bt_cb(skb)->pkt_type = HCI_EVENT_PKT; 380 bt_cb(skb)->expect = HCI_EVENT_HDR_SIZE; 381 } 382 383 len = min_t(uint, bt_cb(skb)->expect, count); 384 memcpy(skb_put(skb, len), buffer, len); 385 386 count -= len; 387 buffer += len; 388 bt_cb(skb)->expect -= len; 389 390 if (skb->len == HCI_EVENT_HDR_SIZE) { 391 /* Complete event header */ 392 bt_cb(skb)->expect = hci_event_hdr(skb)->plen; 393 394 if (skb_tailroom(skb) < bt_cb(skb)->expect) { 395 kfree_skb(skb); 396 skb = NULL; 397 398 err = -EILSEQ; 399 break; 400 } 401 } 402 403 if (bt_cb(skb)->expect == 0) { 404 /* Complete frame */ 405 data->recv_event(data->hdev, skb); 406 skb = NULL; 407 } 408 } 409 410 data->evt_skb = skb; 411 spin_unlock(&data->rxlock); 412 413 return err; 414 } 415 416 static int btusb_recv_bulk(struct btusb_data *data, void *buffer, int count) 417 { 418 struct sk_buff *skb; 419 int err = 0; 420 421 spin_lock(&data->rxlock); 422 skb = data->acl_skb; 423 424 while (count) { 425 int len; 426 427 if (!skb) { 428 skb = bt_skb_alloc(HCI_MAX_FRAME_SIZE, GFP_ATOMIC); 429 if (!skb) { 430 err = -ENOMEM; 431 break; 432 } 433 434 bt_cb(skb)->pkt_type = HCI_ACLDATA_PKT; 435 bt_cb(skb)->expect = HCI_ACL_HDR_SIZE; 436 } 437 438 len = min_t(uint, bt_cb(skb)->expect, count); 439 memcpy(skb_put(skb, len), buffer, len); 440 441 count -= len; 442 buffer += len; 443 bt_cb(skb)->expect -= len; 444 445 if (skb->len == HCI_ACL_HDR_SIZE) { 446 __le16 dlen = hci_acl_hdr(skb)->dlen; 447 448 /* Complete ACL header */ 449 bt_cb(skb)->expect = __le16_to_cpu(dlen); 450 451 if (skb_tailroom(skb) < bt_cb(skb)->expect) { 452 kfree_skb(skb); 453 skb = NULL; 454 455 err = -EILSEQ; 456 break; 457 } 458 } 459 460 if (bt_cb(skb)->expect == 0) { 461 /* Complete frame */ 462 hci_recv_frame(data->hdev, skb); 463 skb = NULL; 464 } 465 } 466 467 data->acl_skb = skb; 468 spin_unlock(&data->rxlock); 469 470 return err; 471 } 472 473 static int btusb_recv_isoc(struct btusb_data *data, void *buffer, int count) 474 { 475 struct sk_buff *skb; 476 int err = 0; 477 478 spin_lock(&data->rxlock); 479 skb = data->sco_skb; 480 481 while (count) { 482 int len; 483 484 if (!skb) { 485 skb = bt_skb_alloc(HCI_MAX_SCO_SIZE, GFP_ATOMIC); 486 if (!skb) { 487 err = -ENOMEM; 488 break; 489 } 490 491 bt_cb(skb)->pkt_type = HCI_SCODATA_PKT; 492 bt_cb(skb)->expect = HCI_SCO_HDR_SIZE; 493 } 494 495 len = min_t(uint, bt_cb(skb)->expect, count); 496 memcpy(skb_put(skb, len), buffer, len); 497 498 count -= len; 499 buffer += len; 500 bt_cb(skb)->expect -= len; 501 502 if (skb->len == HCI_SCO_HDR_SIZE) { 503 /* Complete SCO header */ 504 bt_cb(skb)->expect = hci_sco_hdr(skb)->dlen; 505 506 if (skb_tailroom(skb) < bt_cb(skb)->expect) { 507 kfree_skb(skb); 508 skb = NULL; 509 510 err = -EILSEQ; 511 break; 512 } 513 } 514 515 if (bt_cb(skb)->expect == 0) { 516 /* Complete frame */ 517 hci_recv_frame(data->hdev, skb); 518 skb = NULL; 519 } 520 } 521 522 data->sco_skb = skb; 523 spin_unlock(&data->rxlock); 524 525 return err; 526 } 527 528 static void btusb_intr_complete(struct urb *urb) 529 { 530 struct hci_dev *hdev = urb->context; 531 struct btusb_data *data = hci_get_drvdata(hdev); 532 int err; 533 534 BT_DBG("%s urb %p status %d count %d", hdev->name, urb, urb->status, 535 urb->actual_length); 536 537 if (!test_bit(HCI_RUNNING, &hdev->flags)) 538 return; 539 540 if (urb->status == 0) { 541 hdev->stat.byte_rx += urb->actual_length; 542 543 if (btusb_recv_intr(data, urb->transfer_buffer, 544 urb->actual_length) < 0) { 545 BT_ERR("%s corrupted event packet", hdev->name); 546 hdev->stat.err_rx++; 547 } 548 } else if (urb->status == -ENOENT) { 549 /* Avoid suspend failed when usb_kill_urb */ 550 return; 551 } 552 553 if (!test_bit(BTUSB_INTR_RUNNING, &data->flags)) 554 return; 555 556 usb_mark_last_busy(data->udev); 557 usb_anchor_urb(urb, &data->intr_anchor); 558 559 err = usb_submit_urb(urb, GFP_ATOMIC); 560 if (err < 0) { 561 /* -EPERM: urb is being killed; 562 * -ENODEV: device got disconnected */ 563 if (err != -EPERM && err != -ENODEV) 564 BT_ERR("%s urb %p failed to resubmit (%d)", 565 hdev->name, urb, -err); 566 usb_unanchor_urb(urb); 567 } 568 } 569 570 static int btusb_submit_intr_urb(struct hci_dev *hdev, gfp_t mem_flags) 571 { 572 struct btusb_data *data = hci_get_drvdata(hdev); 573 struct urb *urb; 574 unsigned char *buf; 575 unsigned int pipe; 576 int err, size; 577 578 BT_DBG("%s", hdev->name); 579 580 if (!data->intr_ep) 581 return -ENODEV; 582 583 urb = usb_alloc_urb(0, mem_flags); 584 if (!urb) 585 return -ENOMEM; 586 587 size = le16_to_cpu(data->intr_ep->wMaxPacketSize); 588 589 buf = kmalloc(size, mem_flags); 590 if (!buf) { 591 usb_free_urb(urb); 592 return -ENOMEM; 593 } 594 595 pipe = usb_rcvintpipe(data->udev, data->intr_ep->bEndpointAddress); 596 597 usb_fill_int_urb(urb, data->udev, pipe, buf, size, 598 btusb_intr_complete, hdev, data->intr_ep->bInterval); 599 600 urb->transfer_flags |= URB_FREE_BUFFER; 601 602 usb_anchor_urb(urb, &data->intr_anchor); 603 604 err = usb_submit_urb(urb, mem_flags); 605 if (err < 0) { 606 if (err != -EPERM && err != -ENODEV) 607 BT_ERR("%s urb %p submission failed (%d)", 608 hdev->name, urb, -err); 609 usb_unanchor_urb(urb); 610 } 611 612 usb_free_urb(urb); 613 614 return err; 615 } 616 617 static void btusb_bulk_complete(struct urb *urb) 618 { 619 struct hci_dev *hdev = urb->context; 620 struct btusb_data *data = hci_get_drvdata(hdev); 621 int err; 622 623 BT_DBG("%s urb %p status %d count %d", hdev->name, urb, urb->status, 624 urb->actual_length); 625 626 if (!test_bit(HCI_RUNNING, &hdev->flags)) 627 return; 628 629 if (urb->status == 0) { 630 hdev->stat.byte_rx += urb->actual_length; 631 632 if (data->recv_bulk(data, urb->transfer_buffer, 633 urb->actual_length) < 0) { 634 BT_ERR("%s corrupted ACL packet", hdev->name); 635 hdev->stat.err_rx++; 636 } 637 } else if (urb->status == -ENOENT) { 638 /* Avoid suspend failed when usb_kill_urb */ 639 return; 640 } 641 642 if (!test_bit(BTUSB_BULK_RUNNING, &data->flags)) 643 return; 644 645 usb_anchor_urb(urb, &data->bulk_anchor); 646 usb_mark_last_busy(data->udev); 647 648 err = usb_submit_urb(urb, GFP_ATOMIC); 649 if (err < 0) { 650 /* -EPERM: urb is being killed; 651 * -ENODEV: device got disconnected */ 652 if (err != -EPERM && err != -ENODEV) 653 BT_ERR("%s urb %p failed to resubmit (%d)", 654 hdev->name, urb, -err); 655 usb_unanchor_urb(urb); 656 } 657 } 658 659 static int btusb_submit_bulk_urb(struct hci_dev *hdev, gfp_t mem_flags) 660 { 661 struct btusb_data *data = hci_get_drvdata(hdev); 662 struct urb *urb; 663 unsigned char *buf; 664 unsigned int pipe; 665 int err, size = HCI_MAX_FRAME_SIZE; 666 667 BT_DBG("%s", hdev->name); 668 669 if (!data->bulk_rx_ep) 670 return -ENODEV; 671 672 urb = usb_alloc_urb(0, mem_flags); 673 if (!urb) 674 return -ENOMEM; 675 676 buf = kmalloc(size, mem_flags); 677 if (!buf) { 678 usb_free_urb(urb); 679 return -ENOMEM; 680 } 681 682 pipe = usb_rcvbulkpipe(data->udev, data->bulk_rx_ep->bEndpointAddress); 683 684 usb_fill_bulk_urb(urb, data->udev, pipe, buf, size, 685 btusb_bulk_complete, hdev); 686 687 urb->transfer_flags |= URB_FREE_BUFFER; 688 689 usb_mark_last_busy(data->udev); 690 usb_anchor_urb(urb, &data->bulk_anchor); 691 692 err = usb_submit_urb(urb, mem_flags); 693 if (err < 0) { 694 if (err != -EPERM && err != -ENODEV) 695 BT_ERR("%s urb %p submission failed (%d)", 696 hdev->name, urb, -err); 697 usb_unanchor_urb(urb); 698 } 699 700 usb_free_urb(urb); 701 702 return err; 703 } 704 705 static void btusb_isoc_complete(struct urb *urb) 706 { 707 struct hci_dev *hdev = urb->context; 708 struct btusb_data *data = hci_get_drvdata(hdev); 709 int i, err; 710 711 BT_DBG("%s urb %p status %d count %d", hdev->name, urb, urb->status, 712 urb->actual_length); 713 714 if (!test_bit(HCI_RUNNING, &hdev->flags)) 715 return; 716 717 if (urb->status == 0) { 718 for (i = 0; i < urb->number_of_packets; i++) { 719 unsigned int offset = urb->iso_frame_desc[i].offset; 720 unsigned int length = urb->iso_frame_desc[i].actual_length; 721 722 if (urb->iso_frame_desc[i].status) 723 continue; 724 725 hdev->stat.byte_rx += length; 726 727 if (btusb_recv_isoc(data, urb->transfer_buffer + offset, 728 length) < 0) { 729 BT_ERR("%s corrupted SCO packet", hdev->name); 730 hdev->stat.err_rx++; 731 } 732 } 733 } else if (urb->status == -ENOENT) { 734 /* Avoid suspend failed when usb_kill_urb */ 735 return; 736 } 737 738 if (!test_bit(BTUSB_ISOC_RUNNING, &data->flags)) 739 return; 740 741 usb_anchor_urb(urb, &data->isoc_anchor); 742 743 err = usb_submit_urb(urb, GFP_ATOMIC); 744 if (err < 0) { 745 /* -EPERM: urb is being killed; 746 * -ENODEV: device got disconnected */ 747 if (err != -EPERM && err != -ENODEV) 748 BT_ERR("%s urb %p failed to resubmit (%d)", 749 hdev->name, urb, -err); 750 usb_unanchor_urb(urb); 751 } 752 } 753 754 static inline void __fill_isoc_descriptor(struct urb *urb, int len, int mtu) 755 { 756 int i, offset = 0; 757 758 BT_DBG("len %d mtu %d", len, mtu); 759 760 for (i = 0; i < BTUSB_MAX_ISOC_FRAMES && len >= mtu; 761 i++, offset += mtu, len -= mtu) { 762 urb->iso_frame_desc[i].offset = offset; 763 urb->iso_frame_desc[i].length = mtu; 764 } 765 766 if (len && i < BTUSB_MAX_ISOC_FRAMES) { 767 urb->iso_frame_desc[i].offset = offset; 768 urb->iso_frame_desc[i].length = len; 769 i++; 770 } 771 772 urb->number_of_packets = i; 773 } 774 775 static int btusb_submit_isoc_urb(struct hci_dev *hdev, gfp_t mem_flags) 776 { 777 struct btusb_data *data = hci_get_drvdata(hdev); 778 struct urb *urb; 779 unsigned char *buf; 780 unsigned int pipe; 781 int err, size; 782 783 BT_DBG("%s", hdev->name); 784 785 if (!data->isoc_rx_ep) 786 return -ENODEV; 787 788 urb = usb_alloc_urb(BTUSB_MAX_ISOC_FRAMES, mem_flags); 789 if (!urb) 790 return -ENOMEM; 791 792 size = le16_to_cpu(data->isoc_rx_ep->wMaxPacketSize) * 793 BTUSB_MAX_ISOC_FRAMES; 794 795 buf = kmalloc(size, mem_flags); 796 if (!buf) { 797 usb_free_urb(urb); 798 return -ENOMEM; 799 } 800 801 pipe = usb_rcvisocpipe(data->udev, data->isoc_rx_ep->bEndpointAddress); 802 803 usb_fill_int_urb(urb, data->udev, pipe, buf, size, btusb_isoc_complete, 804 hdev, data->isoc_rx_ep->bInterval); 805 806 urb->transfer_flags = URB_FREE_BUFFER | URB_ISO_ASAP; 807 808 __fill_isoc_descriptor(urb, size, 809 le16_to_cpu(data->isoc_rx_ep->wMaxPacketSize)); 810 811 usb_anchor_urb(urb, &data->isoc_anchor); 812 813 err = usb_submit_urb(urb, mem_flags); 814 if (err < 0) { 815 if (err != -EPERM && err != -ENODEV) 816 BT_ERR("%s urb %p submission failed (%d)", 817 hdev->name, urb, -err); 818 usb_unanchor_urb(urb); 819 } 820 821 usb_free_urb(urb); 822 823 return err; 824 } 825 826 static void btusb_tx_complete(struct urb *urb) 827 { 828 struct sk_buff *skb = urb->context; 829 struct hci_dev *hdev = (struct hci_dev *)skb->dev; 830 struct btusb_data *data = hci_get_drvdata(hdev); 831 832 BT_DBG("%s urb %p status %d count %d", hdev->name, urb, urb->status, 833 urb->actual_length); 834 835 if (!test_bit(HCI_RUNNING, &hdev->flags)) 836 goto done; 837 838 if (!urb->status) 839 hdev->stat.byte_tx += urb->transfer_buffer_length; 840 else 841 hdev->stat.err_tx++; 842 843 done: 844 spin_lock(&data->txlock); 845 data->tx_in_flight--; 846 spin_unlock(&data->txlock); 847 848 kfree(urb->setup_packet); 849 850 kfree_skb(skb); 851 } 852 853 static void btusb_isoc_tx_complete(struct urb *urb) 854 { 855 struct sk_buff *skb = urb->context; 856 struct hci_dev *hdev = (struct hci_dev *)skb->dev; 857 858 BT_DBG("%s urb %p status %d count %d", hdev->name, urb, urb->status, 859 urb->actual_length); 860 861 if (!test_bit(HCI_RUNNING, &hdev->flags)) 862 goto done; 863 864 if (!urb->status) 865 hdev->stat.byte_tx += urb->transfer_buffer_length; 866 else 867 hdev->stat.err_tx++; 868 869 done: 870 kfree(urb->setup_packet); 871 872 kfree_skb(skb); 873 } 874 875 static int btusb_open(struct hci_dev *hdev) 876 { 877 struct btusb_data *data = hci_get_drvdata(hdev); 878 int err; 879 880 BT_DBG("%s", hdev->name); 881 882 err = usb_autopm_get_interface(data->intf); 883 if (err < 0) 884 return err; 885 886 data->intf->needs_remote_wakeup = 1; 887 888 if (test_and_set_bit(HCI_RUNNING, &hdev->flags)) 889 goto done; 890 891 if (test_and_set_bit(BTUSB_INTR_RUNNING, &data->flags)) 892 goto done; 893 894 err = btusb_submit_intr_urb(hdev, GFP_KERNEL); 895 if (err < 0) 896 goto failed; 897 898 err = btusb_submit_bulk_urb(hdev, GFP_KERNEL); 899 if (err < 0) { 900 usb_kill_anchored_urbs(&data->intr_anchor); 901 goto failed; 902 } 903 904 set_bit(BTUSB_BULK_RUNNING, &data->flags); 905 btusb_submit_bulk_urb(hdev, GFP_KERNEL); 906 907 done: 908 usb_autopm_put_interface(data->intf); 909 return 0; 910 911 failed: 912 clear_bit(BTUSB_INTR_RUNNING, &data->flags); 913 clear_bit(HCI_RUNNING, &hdev->flags); 914 usb_autopm_put_interface(data->intf); 915 return err; 916 } 917 918 static void btusb_stop_traffic(struct btusb_data *data) 919 { 920 usb_kill_anchored_urbs(&data->intr_anchor); 921 usb_kill_anchored_urbs(&data->bulk_anchor); 922 usb_kill_anchored_urbs(&data->isoc_anchor); 923 } 924 925 static int btusb_close(struct hci_dev *hdev) 926 { 927 struct btusb_data *data = hci_get_drvdata(hdev); 928 int err; 929 930 BT_DBG("%s", hdev->name); 931 932 if (!test_and_clear_bit(HCI_RUNNING, &hdev->flags)) 933 return 0; 934 935 cancel_work_sync(&data->work); 936 cancel_work_sync(&data->waker); 937 938 clear_bit(BTUSB_ISOC_RUNNING, &data->flags); 939 clear_bit(BTUSB_BULK_RUNNING, &data->flags); 940 clear_bit(BTUSB_INTR_RUNNING, &data->flags); 941 942 btusb_stop_traffic(data); 943 btusb_free_frags(data); 944 945 err = usb_autopm_get_interface(data->intf); 946 if (err < 0) 947 goto failed; 948 949 data->intf->needs_remote_wakeup = 0; 950 usb_autopm_put_interface(data->intf); 951 952 failed: 953 usb_scuttle_anchored_urbs(&data->deferred); 954 return 0; 955 } 956 957 static int btusb_flush(struct hci_dev *hdev) 958 { 959 struct btusb_data *data = hci_get_drvdata(hdev); 960 961 BT_DBG("%s", hdev->name); 962 963 usb_kill_anchored_urbs(&data->tx_anchor); 964 btusb_free_frags(data); 965 966 return 0; 967 } 968 969 static struct urb *alloc_ctrl_urb(struct hci_dev *hdev, struct sk_buff *skb) 970 { 971 struct btusb_data *data = hci_get_drvdata(hdev); 972 struct usb_ctrlrequest *dr; 973 struct urb *urb; 974 unsigned int pipe; 975 976 urb = usb_alloc_urb(0, GFP_KERNEL); 977 if (!urb) 978 return ERR_PTR(-ENOMEM); 979 980 dr = kmalloc(sizeof(*dr), GFP_KERNEL); 981 if (!dr) { 982 usb_free_urb(urb); 983 return ERR_PTR(-ENOMEM); 984 } 985 986 dr->bRequestType = data->cmdreq_type; 987 dr->bRequest = data->cmdreq; 988 dr->wIndex = 0; 989 dr->wValue = 0; 990 dr->wLength = __cpu_to_le16(skb->len); 991 992 pipe = usb_sndctrlpipe(data->udev, 0x00); 993 994 usb_fill_control_urb(urb, data->udev, pipe, (void *)dr, 995 skb->data, skb->len, btusb_tx_complete, skb); 996 997 skb->dev = (void *)hdev; 998 999 return urb; 1000 } 1001 1002 static struct urb *alloc_bulk_urb(struct hci_dev *hdev, struct sk_buff *skb) 1003 { 1004 struct btusb_data *data = hci_get_drvdata(hdev); 1005 struct urb *urb; 1006 unsigned int pipe; 1007 1008 if (!data->bulk_tx_ep) 1009 return ERR_PTR(-ENODEV); 1010 1011 urb = usb_alloc_urb(0, GFP_KERNEL); 1012 if (!urb) 1013 return ERR_PTR(-ENOMEM); 1014 1015 pipe = usb_sndbulkpipe(data->udev, data->bulk_tx_ep->bEndpointAddress); 1016 1017 usb_fill_bulk_urb(urb, data->udev, pipe, 1018 skb->data, skb->len, btusb_tx_complete, skb); 1019 1020 skb->dev = (void *)hdev; 1021 1022 return urb; 1023 } 1024 1025 static struct urb *alloc_isoc_urb(struct hci_dev *hdev, struct sk_buff *skb) 1026 { 1027 struct btusb_data *data = hci_get_drvdata(hdev); 1028 struct urb *urb; 1029 unsigned int pipe; 1030 1031 if (!data->isoc_tx_ep) 1032 return ERR_PTR(-ENODEV); 1033 1034 urb = usb_alloc_urb(BTUSB_MAX_ISOC_FRAMES, GFP_KERNEL); 1035 if (!urb) 1036 return ERR_PTR(-ENOMEM); 1037 1038 pipe = usb_sndisocpipe(data->udev, data->isoc_tx_ep->bEndpointAddress); 1039 1040 usb_fill_int_urb(urb, data->udev, pipe, 1041 skb->data, skb->len, btusb_isoc_tx_complete, 1042 skb, data->isoc_tx_ep->bInterval); 1043 1044 urb->transfer_flags = URB_ISO_ASAP; 1045 1046 __fill_isoc_descriptor(urb, skb->len, 1047 le16_to_cpu(data->isoc_tx_ep->wMaxPacketSize)); 1048 1049 skb->dev = (void *)hdev; 1050 1051 return urb; 1052 } 1053 1054 static int submit_tx_urb(struct hci_dev *hdev, struct urb *urb) 1055 { 1056 struct btusb_data *data = hci_get_drvdata(hdev); 1057 int err; 1058 1059 usb_anchor_urb(urb, &data->tx_anchor); 1060 1061 err = usb_submit_urb(urb, GFP_KERNEL); 1062 if (err < 0) { 1063 if (err != -EPERM && err != -ENODEV) 1064 BT_ERR("%s urb %p submission failed (%d)", 1065 hdev->name, urb, -err); 1066 kfree(urb->setup_packet); 1067 usb_unanchor_urb(urb); 1068 } else { 1069 usb_mark_last_busy(data->udev); 1070 } 1071 1072 usb_free_urb(urb); 1073 return err; 1074 } 1075 1076 static int submit_or_queue_tx_urb(struct hci_dev *hdev, struct urb *urb) 1077 { 1078 struct btusb_data *data = hci_get_drvdata(hdev); 1079 unsigned long flags; 1080 bool suspending; 1081 1082 spin_lock_irqsave(&data->txlock, flags); 1083 suspending = test_bit(BTUSB_SUSPENDING, &data->flags); 1084 if (!suspending) 1085 data->tx_in_flight++; 1086 spin_unlock_irqrestore(&data->txlock, flags); 1087 1088 if (!suspending) 1089 return submit_tx_urb(hdev, urb); 1090 1091 usb_anchor_urb(urb, &data->deferred); 1092 schedule_work(&data->waker); 1093 1094 usb_free_urb(urb); 1095 return 0; 1096 } 1097 1098 static int btusb_send_frame(struct hci_dev *hdev, struct sk_buff *skb) 1099 { 1100 struct urb *urb; 1101 1102 BT_DBG("%s", hdev->name); 1103 1104 if (!test_bit(HCI_RUNNING, &hdev->flags)) 1105 return -EBUSY; 1106 1107 switch (bt_cb(skb)->pkt_type) { 1108 case HCI_COMMAND_PKT: 1109 urb = alloc_ctrl_urb(hdev, skb); 1110 if (IS_ERR(urb)) 1111 return PTR_ERR(urb); 1112 1113 hdev->stat.cmd_tx++; 1114 return submit_or_queue_tx_urb(hdev, urb); 1115 1116 case HCI_ACLDATA_PKT: 1117 urb = alloc_bulk_urb(hdev, skb); 1118 if (IS_ERR(urb)) 1119 return PTR_ERR(urb); 1120 1121 hdev->stat.acl_tx++; 1122 return submit_or_queue_tx_urb(hdev, urb); 1123 1124 case HCI_SCODATA_PKT: 1125 if (hci_conn_num(hdev, SCO_LINK) < 1) 1126 return -ENODEV; 1127 1128 urb = alloc_isoc_urb(hdev, skb); 1129 if (IS_ERR(urb)) 1130 return PTR_ERR(urb); 1131 1132 hdev->stat.sco_tx++; 1133 return submit_tx_urb(hdev, urb); 1134 } 1135 1136 return -EILSEQ; 1137 } 1138 1139 static void btusb_notify(struct hci_dev *hdev, unsigned int evt) 1140 { 1141 struct btusb_data *data = hci_get_drvdata(hdev); 1142 1143 BT_DBG("%s evt %d", hdev->name, evt); 1144 1145 if (hci_conn_num(hdev, SCO_LINK) != data->sco_num) { 1146 data->sco_num = hci_conn_num(hdev, SCO_LINK); 1147 schedule_work(&data->work); 1148 } 1149 } 1150 1151 static inline int __set_isoc_interface(struct hci_dev *hdev, int altsetting) 1152 { 1153 struct btusb_data *data = hci_get_drvdata(hdev); 1154 struct usb_interface *intf = data->isoc; 1155 struct usb_endpoint_descriptor *ep_desc; 1156 int i, err; 1157 1158 if (!data->isoc) 1159 return -ENODEV; 1160 1161 err = usb_set_interface(data->udev, 1, altsetting); 1162 if (err < 0) { 1163 BT_ERR("%s setting interface failed (%d)", hdev->name, -err); 1164 return err; 1165 } 1166 1167 data->isoc_altsetting = altsetting; 1168 1169 data->isoc_tx_ep = NULL; 1170 data->isoc_rx_ep = NULL; 1171 1172 for (i = 0; i < intf->cur_altsetting->desc.bNumEndpoints; i++) { 1173 ep_desc = &intf->cur_altsetting->endpoint[i].desc; 1174 1175 if (!data->isoc_tx_ep && usb_endpoint_is_isoc_out(ep_desc)) { 1176 data->isoc_tx_ep = ep_desc; 1177 continue; 1178 } 1179 1180 if (!data->isoc_rx_ep && usb_endpoint_is_isoc_in(ep_desc)) { 1181 data->isoc_rx_ep = ep_desc; 1182 continue; 1183 } 1184 } 1185 1186 if (!data->isoc_tx_ep || !data->isoc_rx_ep) { 1187 BT_ERR("%s invalid SCO descriptors", hdev->name); 1188 return -ENODEV; 1189 } 1190 1191 return 0; 1192 } 1193 1194 static void btusb_work(struct work_struct *work) 1195 { 1196 struct btusb_data *data = container_of(work, struct btusb_data, work); 1197 struct hci_dev *hdev = data->hdev; 1198 int new_alts; 1199 int err; 1200 1201 if (data->sco_num > 0) { 1202 if (!test_bit(BTUSB_DID_ISO_RESUME, &data->flags)) { 1203 err = usb_autopm_get_interface(data->isoc ? data->isoc : data->intf); 1204 if (err < 0) { 1205 clear_bit(BTUSB_ISOC_RUNNING, &data->flags); 1206 usb_kill_anchored_urbs(&data->isoc_anchor); 1207 return; 1208 } 1209 1210 set_bit(BTUSB_DID_ISO_RESUME, &data->flags); 1211 } 1212 1213 if (hdev->voice_setting & 0x0020) { 1214 static const int alts[3] = { 2, 4, 5 }; 1215 1216 new_alts = alts[data->sco_num - 1]; 1217 } else { 1218 new_alts = data->sco_num; 1219 } 1220 1221 if (data->isoc_altsetting != new_alts) { 1222 clear_bit(BTUSB_ISOC_RUNNING, &data->flags); 1223 usb_kill_anchored_urbs(&data->isoc_anchor); 1224 1225 if (__set_isoc_interface(hdev, new_alts) < 0) 1226 return; 1227 } 1228 1229 if (!test_and_set_bit(BTUSB_ISOC_RUNNING, &data->flags)) { 1230 if (btusb_submit_isoc_urb(hdev, GFP_KERNEL) < 0) 1231 clear_bit(BTUSB_ISOC_RUNNING, &data->flags); 1232 else 1233 btusb_submit_isoc_urb(hdev, GFP_KERNEL); 1234 } 1235 } else { 1236 clear_bit(BTUSB_ISOC_RUNNING, &data->flags); 1237 usb_kill_anchored_urbs(&data->isoc_anchor); 1238 1239 __set_isoc_interface(hdev, 0); 1240 if (test_and_clear_bit(BTUSB_DID_ISO_RESUME, &data->flags)) 1241 usb_autopm_put_interface(data->isoc ? data->isoc : data->intf); 1242 } 1243 } 1244 1245 static void btusb_waker(struct work_struct *work) 1246 { 1247 struct btusb_data *data = container_of(work, struct btusb_data, waker); 1248 int err; 1249 1250 err = usb_autopm_get_interface(data->intf); 1251 if (err < 0) 1252 return; 1253 1254 usb_autopm_put_interface(data->intf); 1255 } 1256 1257 static int btusb_setup_bcm92035(struct hci_dev *hdev) 1258 { 1259 struct sk_buff *skb; 1260 u8 val = 0x00; 1261 1262 BT_DBG("%s", hdev->name); 1263 1264 skb = __hci_cmd_sync(hdev, 0xfc3b, 1, &val, HCI_INIT_TIMEOUT); 1265 if (IS_ERR(skb)) 1266 BT_ERR("BCM92035 command failed (%ld)", -PTR_ERR(skb)); 1267 else 1268 kfree_skb(skb); 1269 1270 return 0; 1271 } 1272 1273 static int btusb_setup_csr(struct hci_dev *hdev) 1274 { 1275 struct hci_rp_read_local_version *rp; 1276 struct sk_buff *skb; 1277 int ret; 1278 1279 BT_DBG("%s", hdev->name); 1280 1281 skb = __hci_cmd_sync(hdev, HCI_OP_READ_LOCAL_VERSION, 0, NULL, 1282 HCI_INIT_TIMEOUT); 1283 if (IS_ERR(skb)) { 1284 BT_ERR("Reading local version failed (%ld)", -PTR_ERR(skb)); 1285 return -PTR_ERR(skb); 1286 } 1287 1288 rp = (struct hci_rp_read_local_version *)skb->data; 1289 1290 if (!rp->status) { 1291 if (le16_to_cpu(rp->manufacturer) != 10) { 1292 /* Clear the reset quirk since this is not an actual 1293 * early Bluetooth 1.1 device from CSR. 1294 */ 1295 clear_bit(HCI_QUIRK_RESET_ON_CLOSE, &hdev->quirks); 1296 1297 /* These fake CSR controllers have all a broken 1298 * stored link key handling and so just disable it. 1299 */ 1300 set_bit(HCI_QUIRK_BROKEN_STORED_LINK_KEY, 1301 &hdev->quirks); 1302 } 1303 } 1304 1305 ret = -bt_to_errno(rp->status); 1306 1307 kfree_skb(skb); 1308 1309 return ret; 1310 } 1311 1312 struct intel_version { 1313 u8 status; 1314 u8 hw_platform; 1315 u8 hw_variant; 1316 u8 hw_revision; 1317 u8 fw_variant; 1318 u8 fw_revision; 1319 u8 fw_build_num; 1320 u8 fw_build_ww; 1321 u8 fw_build_yy; 1322 u8 fw_patch_num; 1323 } __packed; 1324 1325 struct intel_boot_params { 1326 __u8 status; 1327 __u8 otp_format; 1328 __u8 otp_content; 1329 __u8 otp_patch; 1330 __le16 dev_revid; 1331 __u8 secure_boot; 1332 __u8 key_from_hdr; 1333 __u8 key_type; 1334 __u8 otp_lock; 1335 __u8 api_lock; 1336 __u8 debug_lock; 1337 bdaddr_t otp_bdaddr; 1338 __u8 min_fw_build_nn; 1339 __u8 min_fw_build_cw; 1340 __u8 min_fw_build_yy; 1341 __u8 limited_cce; 1342 __u8 unlocked_state; 1343 } __packed; 1344 1345 static const struct firmware *btusb_setup_intel_get_fw(struct hci_dev *hdev, 1346 struct intel_version *ver) 1347 { 1348 const struct firmware *fw; 1349 char fwname[64]; 1350 int ret; 1351 1352 snprintf(fwname, sizeof(fwname), 1353 "intel/ibt-hw-%x.%x.%x-fw-%x.%x.%x.%x.%x.bseq", 1354 ver->hw_platform, ver->hw_variant, ver->hw_revision, 1355 ver->fw_variant, ver->fw_revision, ver->fw_build_num, 1356 ver->fw_build_ww, ver->fw_build_yy); 1357 1358 ret = request_firmware(&fw, fwname, &hdev->dev); 1359 if (ret < 0) { 1360 if (ret == -EINVAL) { 1361 BT_ERR("%s Intel firmware file request failed (%d)", 1362 hdev->name, ret); 1363 return NULL; 1364 } 1365 1366 BT_ERR("%s failed to open Intel firmware file: %s(%d)", 1367 hdev->name, fwname, ret); 1368 1369 /* If the correct firmware patch file is not found, use the 1370 * default firmware patch file instead 1371 */ 1372 snprintf(fwname, sizeof(fwname), "intel/ibt-hw-%x.%x.bseq", 1373 ver->hw_platform, ver->hw_variant); 1374 if (request_firmware(&fw, fwname, &hdev->dev) < 0) { 1375 BT_ERR("%s failed to open default Intel fw file: %s", 1376 hdev->name, fwname); 1377 return NULL; 1378 } 1379 } 1380 1381 BT_INFO("%s: Intel Bluetooth firmware file: %s", hdev->name, fwname); 1382 1383 return fw; 1384 } 1385 1386 static int btusb_setup_intel_patching(struct hci_dev *hdev, 1387 const struct firmware *fw, 1388 const u8 **fw_ptr, int *disable_patch) 1389 { 1390 struct sk_buff *skb; 1391 struct hci_command_hdr *cmd; 1392 const u8 *cmd_param; 1393 struct hci_event_hdr *evt = NULL; 1394 const u8 *evt_param = NULL; 1395 int remain = fw->size - (*fw_ptr - fw->data); 1396 1397 /* The first byte indicates the types of the patch command or event. 1398 * 0x01 means HCI command and 0x02 is HCI event. If the first bytes 1399 * in the current firmware buffer doesn't start with 0x01 or 1400 * the size of remain buffer is smaller than HCI command header, 1401 * the firmware file is corrupted and it should stop the patching 1402 * process. 1403 */ 1404 if (remain > HCI_COMMAND_HDR_SIZE && *fw_ptr[0] != 0x01) { 1405 BT_ERR("%s Intel fw corrupted: invalid cmd read", hdev->name); 1406 return -EINVAL; 1407 } 1408 (*fw_ptr)++; 1409 remain--; 1410 1411 cmd = (struct hci_command_hdr *)(*fw_ptr); 1412 *fw_ptr += sizeof(*cmd); 1413 remain -= sizeof(*cmd); 1414 1415 /* Ensure that the remain firmware data is long enough than the length 1416 * of command parameter. If not, the firmware file is corrupted. 1417 */ 1418 if (remain < cmd->plen) { 1419 BT_ERR("%s Intel fw corrupted: invalid cmd len", hdev->name); 1420 return -EFAULT; 1421 } 1422 1423 /* If there is a command that loads a patch in the firmware 1424 * file, then enable the patch upon success, otherwise just 1425 * disable the manufacturer mode, for example patch activation 1426 * is not required when the default firmware patch file is used 1427 * because there are no patch data to load. 1428 */ 1429 if (*disable_patch && le16_to_cpu(cmd->opcode) == 0xfc8e) 1430 *disable_patch = 0; 1431 1432 cmd_param = *fw_ptr; 1433 *fw_ptr += cmd->plen; 1434 remain -= cmd->plen; 1435 1436 /* This reads the expected events when the above command is sent to the 1437 * device. Some vendor commands expects more than one events, for 1438 * example command status event followed by vendor specific event. 1439 * For this case, it only keeps the last expected event. so the command 1440 * can be sent with __hci_cmd_sync_ev() which returns the sk_buff of 1441 * last expected event. 1442 */ 1443 while (remain > HCI_EVENT_HDR_SIZE && *fw_ptr[0] == 0x02) { 1444 (*fw_ptr)++; 1445 remain--; 1446 1447 evt = (struct hci_event_hdr *)(*fw_ptr); 1448 *fw_ptr += sizeof(*evt); 1449 remain -= sizeof(*evt); 1450 1451 if (remain < evt->plen) { 1452 BT_ERR("%s Intel fw corrupted: invalid evt len", 1453 hdev->name); 1454 return -EFAULT; 1455 } 1456 1457 evt_param = *fw_ptr; 1458 *fw_ptr += evt->plen; 1459 remain -= evt->plen; 1460 } 1461 1462 /* Every HCI commands in the firmware file has its correspond event. 1463 * If event is not found or remain is smaller than zero, the firmware 1464 * file is corrupted. 1465 */ 1466 if (!evt || !evt_param || remain < 0) { 1467 BT_ERR("%s Intel fw corrupted: invalid evt read", hdev->name); 1468 return -EFAULT; 1469 } 1470 1471 skb = __hci_cmd_sync_ev(hdev, le16_to_cpu(cmd->opcode), cmd->plen, 1472 cmd_param, evt->evt, HCI_INIT_TIMEOUT); 1473 if (IS_ERR(skb)) { 1474 BT_ERR("%s sending Intel patch command (0x%4.4x) failed (%ld)", 1475 hdev->name, cmd->opcode, PTR_ERR(skb)); 1476 return PTR_ERR(skb); 1477 } 1478 1479 /* It ensures that the returned event matches the event data read from 1480 * the firmware file. At fist, it checks the length and then 1481 * the contents of the event. 1482 */ 1483 if (skb->len != evt->plen) { 1484 BT_ERR("%s mismatch event length (opcode 0x%4.4x)", hdev->name, 1485 le16_to_cpu(cmd->opcode)); 1486 kfree_skb(skb); 1487 return -EFAULT; 1488 } 1489 1490 if (memcmp(skb->data, evt_param, evt->plen)) { 1491 BT_ERR("%s mismatch event parameter (opcode 0x%4.4x)", 1492 hdev->name, le16_to_cpu(cmd->opcode)); 1493 kfree_skb(skb); 1494 return -EFAULT; 1495 } 1496 kfree_skb(skb); 1497 1498 return 0; 1499 } 1500 1501 #define BDADDR_INTEL (&(bdaddr_t) {{0x00, 0x8b, 0x9e, 0x19, 0x03, 0x00}}) 1502 1503 static int btusb_check_bdaddr_intel(struct hci_dev *hdev) 1504 { 1505 struct sk_buff *skb; 1506 struct hci_rp_read_bd_addr *rp; 1507 1508 skb = __hci_cmd_sync(hdev, HCI_OP_READ_BD_ADDR, 0, NULL, 1509 HCI_INIT_TIMEOUT); 1510 if (IS_ERR(skb)) { 1511 BT_ERR("%s reading Intel device address failed (%ld)", 1512 hdev->name, PTR_ERR(skb)); 1513 return PTR_ERR(skb); 1514 } 1515 1516 if (skb->len != sizeof(*rp)) { 1517 BT_ERR("%s Intel device address length mismatch", hdev->name); 1518 kfree_skb(skb); 1519 return -EIO; 1520 } 1521 1522 rp = (struct hci_rp_read_bd_addr *)skb->data; 1523 if (rp->status) { 1524 BT_ERR("%s Intel device address result failed (%02x)", 1525 hdev->name, rp->status); 1526 kfree_skb(skb); 1527 return -bt_to_errno(rp->status); 1528 } 1529 1530 /* For some Intel based controllers, the default Bluetooth device 1531 * address 00:03:19:9E:8B:00 can be found. These controllers are 1532 * fully operational, but have the danger of duplicate addresses 1533 * and that in turn can cause problems with Bluetooth operation. 1534 */ 1535 if (!bacmp(&rp->bdaddr, BDADDR_INTEL)) { 1536 BT_ERR("%s found Intel default device address (%pMR)", 1537 hdev->name, &rp->bdaddr); 1538 set_bit(HCI_QUIRK_INVALID_BDADDR, &hdev->quirks); 1539 } 1540 1541 kfree_skb(skb); 1542 1543 return 0; 1544 } 1545 1546 static int btusb_setup_intel(struct hci_dev *hdev) 1547 { 1548 struct sk_buff *skb; 1549 const struct firmware *fw; 1550 const u8 *fw_ptr; 1551 int disable_patch; 1552 struct intel_version *ver; 1553 1554 const u8 mfg_enable[] = { 0x01, 0x00 }; 1555 const u8 mfg_disable[] = { 0x00, 0x00 }; 1556 const u8 mfg_reset_deactivate[] = { 0x00, 0x01 }; 1557 const u8 mfg_reset_activate[] = { 0x00, 0x02 }; 1558 1559 BT_DBG("%s", hdev->name); 1560 1561 /* The controller has a bug with the first HCI command sent to it 1562 * returning number of completed commands as zero. This would stall the 1563 * command processing in the Bluetooth core. 1564 * 1565 * As a workaround, send HCI Reset command first which will reset the 1566 * number of completed commands and allow normal command processing 1567 * from now on. 1568 */ 1569 skb = __hci_cmd_sync(hdev, HCI_OP_RESET, 0, NULL, HCI_INIT_TIMEOUT); 1570 if (IS_ERR(skb)) { 1571 BT_ERR("%s sending initial HCI reset command failed (%ld)", 1572 hdev->name, PTR_ERR(skb)); 1573 return PTR_ERR(skb); 1574 } 1575 kfree_skb(skb); 1576 1577 /* Read Intel specific controller version first to allow selection of 1578 * which firmware file to load. 1579 * 1580 * The returned information are hardware variant and revision plus 1581 * firmware variant, revision and build number. 1582 */ 1583 skb = __hci_cmd_sync(hdev, 0xfc05, 0, NULL, HCI_INIT_TIMEOUT); 1584 if (IS_ERR(skb)) { 1585 BT_ERR("%s reading Intel fw version command failed (%ld)", 1586 hdev->name, PTR_ERR(skb)); 1587 return PTR_ERR(skb); 1588 } 1589 1590 if (skb->len != sizeof(*ver)) { 1591 BT_ERR("%s Intel version event length mismatch", hdev->name); 1592 kfree_skb(skb); 1593 return -EIO; 1594 } 1595 1596 ver = (struct intel_version *)skb->data; 1597 if (ver->status) { 1598 BT_ERR("%s Intel fw version event failed (%02x)", hdev->name, 1599 ver->status); 1600 kfree_skb(skb); 1601 return -bt_to_errno(ver->status); 1602 } 1603 1604 BT_INFO("%s: read Intel version: %02x%02x%02x%02x%02x%02x%02x%02x%02x", 1605 hdev->name, ver->hw_platform, ver->hw_variant, 1606 ver->hw_revision, ver->fw_variant, ver->fw_revision, 1607 ver->fw_build_num, ver->fw_build_ww, ver->fw_build_yy, 1608 ver->fw_patch_num); 1609 1610 /* fw_patch_num indicates the version of patch the device currently 1611 * have. If there is no patch data in the device, it is always 0x00. 1612 * So, if it is other than 0x00, no need to patch the deivce again. 1613 */ 1614 if (ver->fw_patch_num) { 1615 BT_INFO("%s: Intel device is already patched. patch num: %02x", 1616 hdev->name, ver->fw_patch_num); 1617 kfree_skb(skb); 1618 btusb_check_bdaddr_intel(hdev); 1619 return 0; 1620 } 1621 1622 /* Opens the firmware patch file based on the firmware version read 1623 * from the controller. If it fails to open the matching firmware 1624 * patch file, it tries to open the default firmware patch file. 1625 * If no patch file is found, allow the device to operate without 1626 * a patch. 1627 */ 1628 fw = btusb_setup_intel_get_fw(hdev, ver); 1629 if (!fw) { 1630 kfree_skb(skb); 1631 btusb_check_bdaddr_intel(hdev); 1632 return 0; 1633 } 1634 fw_ptr = fw->data; 1635 1636 /* This Intel specific command enables the manufacturer mode of the 1637 * controller. 1638 * 1639 * Only while this mode is enabled, the driver can download the 1640 * firmware patch data and configuration parameters. 1641 */ 1642 skb = __hci_cmd_sync(hdev, 0xfc11, 2, mfg_enable, HCI_INIT_TIMEOUT); 1643 if (IS_ERR(skb)) { 1644 BT_ERR("%s entering Intel manufacturer mode failed (%ld)", 1645 hdev->name, PTR_ERR(skb)); 1646 release_firmware(fw); 1647 return PTR_ERR(skb); 1648 } 1649 1650 if (skb->data[0]) { 1651 u8 evt_status = skb->data[0]; 1652 1653 BT_ERR("%s enable Intel manufacturer mode event failed (%02x)", 1654 hdev->name, evt_status); 1655 kfree_skb(skb); 1656 release_firmware(fw); 1657 return -bt_to_errno(evt_status); 1658 } 1659 kfree_skb(skb); 1660 1661 disable_patch = 1; 1662 1663 /* The firmware data file consists of list of Intel specific HCI 1664 * commands and its expected events. The first byte indicates the 1665 * type of the message, either HCI command or HCI event. 1666 * 1667 * It reads the command and its expected event from the firmware file, 1668 * and send to the controller. Once __hci_cmd_sync_ev() returns, 1669 * the returned event is compared with the event read from the firmware 1670 * file and it will continue until all the messages are downloaded to 1671 * the controller. 1672 * 1673 * Once the firmware patching is completed successfully, 1674 * the manufacturer mode is disabled with reset and activating the 1675 * downloaded patch. 1676 * 1677 * If the firmware patching fails, the manufacturer mode is 1678 * disabled with reset and deactivating the patch. 1679 * 1680 * If the default patch file is used, no reset is done when disabling 1681 * the manufacturer. 1682 */ 1683 while (fw->size > fw_ptr - fw->data) { 1684 int ret; 1685 1686 ret = btusb_setup_intel_patching(hdev, fw, &fw_ptr, 1687 &disable_patch); 1688 if (ret < 0) 1689 goto exit_mfg_deactivate; 1690 } 1691 1692 release_firmware(fw); 1693 1694 if (disable_patch) 1695 goto exit_mfg_disable; 1696 1697 /* Patching completed successfully and disable the manufacturer mode 1698 * with reset and activate the downloaded firmware patches. 1699 */ 1700 skb = __hci_cmd_sync(hdev, 0xfc11, sizeof(mfg_reset_activate), 1701 mfg_reset_activate, HCI_INIT_TIMEOUT); 1702 if (IS_ERR(skb)) { 1703 BT_ERR("%s exiting Intel manufacturer mode failed (%ld)", 1704 hdev->name, PTR_ERR(skb)); 1705 return PTR_ERR(skb); 1706 } 1707 kfree_skb(skb); 1708 1709 BT_INFO("%s: Intel Bluetooth firmware patch completed and activated", 1710 hdev->name); 1711 1712 btusb_check_bdaddr_intel(hdev); 1713 return 0; 1714 1715 exit_mfg_disable: 1716 /* Disable the manufacturer mode without reset */ 1717 skb = __hci_cmd_sync(hdev, 0xfc11, sizeof(mfg_disable), mfg_disable, 1718 HCI_INIT_TIMEOUT); 1719 if (IS_ERR(skb)) { 1720 BT_ERR("%s exiting Intel manufacturer mode failed (%ld)", 1721 hdev->name, PTR_ERR(skb)); 1722 return PTR_ERR(skb); 1723 } 1724 kfree_skb(skb); 1725 1726 BT_INFO("%s: Intel Bluetooth firmware patch completed", hdev->name); 1727 1728 btusb_check_bdaddr_intel(hdev); 1729 return 0; 1730 1731 exit_mfg_deactivate: 1732 release_firmware(fw); 1733 1734 /* Patching failed. Disable the manufacturer mode with reset and 1735 * deactivate the downloaded firmware patches. 1736 */ 1737 skb = __hci_cmd_sync(hdev, 0xfc11, sizeof(mfg_reset_deactivate), 1738 mfg_reset_deactivate, HCI_INIT_TIMEOUT); 1739 if (IS_ERR(skb)) { 1740 BT_ERR("%s exiting Intel manufacturer mode failed (%ld)", 1741 hdev->name, PTR_ERR(skb)); 1742 return PTR_ERR(skb); 1743 } 1744 kfree_skb(skb); 1745 1746 BT_INFO("%s: Intel Bluetooth firmware patch completed and deactivated", 1747 hdev->name); 1748 1749 btusb_check_bdaddr_intel(hdev); 1750 return 0; 1751 } 1752 1753 static int inject_cmd_complete(struct hci_dev *hdev, __u16 opcode) 1754 { 1755 struct sk_buff *skb; 1756 struct hci_event_hdr *hdr; 1757 struct hci_ev_cmd_complete *evt; 1758 1759 skb = bt_skb_alloc(sizeof(*hdr) + sizeof(*evt) + 1, GFP_ATOMIC); 1760 if (!skb) 1761 return -ENOMEM; 1762 1763 hdr = (struct hci_event_hdr *)skb_put(skb, sizeof(*hdr)); 1764 hdr->evt = HCI_EV_CMD_COMPLETE; 1765 hdr->plen = sizeof(*evt) + 1; 1766 1767 evt = (struct hci_ev_cmd_complete *)skb_put(skb, sizeof(*evt)); 1768 evt->ncmd = 0x01; 1769 evt->opcode = cpu_to_le16(opcode); 1770 1771 *skb_put(skb, 1) = 0x00; 1772 1773 bt_cb(skb)->pkt_type = HCI_EVENT_PKT; 1774 1775 return hci_recv_frame(hdev, skb); 1776 } 1777 1778 static int btusb_recv_bulk_intel(struct btusb_data *data, void *buffer, 1779 int count) 1780 { 1781 /* When the device is in bootloader mode, then it can send 1782 * events via the bulk endpoint. These events are treated the 1783 * same way as the ones received from the interrupt endpoint. 1784 */ 1785 if (test_bit(BTUSB_BOOTLOADER, &data->flags)) 1786 return btusb_recv_intr(data, buffer, count); 1787 1788 return btusb_recv_bulk(data, buffer, count); 1789 } 1790 1791 static int btusb_recv_event_intel(struct hci_dev *hdev, struct sk_buff *skb) 1792 { 1793 struct btusb_data *data = hci_get_drvdata(hdev); 1794 1795 if (test_bit(BTUSB_BOOTLOADER, &data->flags)) { 1796 struct hci_event_hdr *hdr = (void *)skb->data; 1797 1798 /* When the firmware loading completes the device sends 1799 * out a vendor specific event indicating the result of 1800 * the firmware loading. 1801 */ 1802 if (skb->len == 7 && hdr->evt == 0xff && hdr->plen == 0x05 && 1803 skb->data[2] == 0x06) { 1804 if (skb->data[3] != 0x00) 1805 test_bit(BTUSB_FIRMWARE_FAILED, &data->flags); 1806 1807 if (test_and_clear_bit(BTUSB_DOWNLOADING, 1808 &data->flags) && 1809 test_bit(BTUSB_FIRMWARE_LOADED, &data->flags)) { 1810 smp_mb__after_atomic(); 1811 wake_up_bit(&data->flags, BTUSB_DOWNLOADING); 1812 } 1813 } 1814 1815 /* When switching to the operational firmware the device 1816 * sends a vendor specific event indicating that the bootup 1817 * completed. 1818 */ 1819 if (skb->len == 9 && hdr->evt == 0xff && hdr->plen == 0x07 && 1820 skb->data[2] == 0x02) { 1821 if (test_and_clear_bit(BTUSB_BOOTING, &data->flags)) { 1822 smp_mb__after_atomic(); 1823 wake_up_bit(&data->flags, BTUSB_BOOTING); 1824 } 1825 } 1826 } 1827 1828 return hci_recv_frame(hdev, skb); 1829 } 1830 1831 static int btusb_send_frame_intel(struct hci_dev *hdev, struct sk_buff *skb) 1832 { 1833 struct btusb_data *data = hci_get_drvdata(hdev); 1834 struct urb *urb; 1835 1836 BT_DBG("%s", hdev->name); 1837 1838 if (!test_bit(HCI_RUNNING, &hdev->flags)) 1839 return -EBUSY; 1840 1841 switch (bt_cb(skb)->pkt_type) { 1842 case HCI_COMMAND_PKT: 1843 if (test_bit(BTUSB_BOOTLOADER, &data->flags)) { 1844 struct hci_command_hdr *cmd = (void *)skb->data; 1845 __u16 opcode = le16_to_cpu(cmd->opcode); 1846 1847 /* When in bootloader mode and the command 0xfc09 1848 * is received, it needs to be send down the 1849 * bulk endpoint. So allocate a bulk URB instead. 1850 */ 1851 if (opcode == 0xfc09) 1852 urb = alloc_bulk_urb(hdev, skb); 1853 else 1854 urb = alloc_ctrl_urb(hdev, skb); 1855 1856 /* When the 0xfc01 command is issued to boot into 1857 * the operational firmware, it will actually not 1858 * send a command complete event. To keep the flow 1859 * control working inject that event here. 1860 */ 1861 if (opcode == 0xfc01) 1862 inject_cmd_complete(hdev, opcode); 1863 } else { 1864 urb = alloc_ctrl_urb(hdev, skb); 1865 } 1866 if (IS_ERR(urb)) 1867 return PTR_ERR(urb); 1868 1869 hdev->stat.cmd_tx++; 1870 return submit_or_queue_tx_urb(hdev, urb); 1871 1872 case HCI_ACLDATA_PKT: 1873 urb = alloc_bulk_urb(hdev, skb); 1874 if (IS_ERR(urb)) 1875 return PTR_ERR(urb); 1876 1877 hdev->stat.acl_tx++; 1878 return submit_or_queue_tx_urb(hdev, urb); 1879 1880 case HCI_SCODATA_PKT: 1881 if (hci_conn_num(hdev, SCO_LINK) < 1) 1882 return -ENODEV; 1883 1884 urb = alloc_isoc_urb(hdev, skb); 1885 if (IS_ERR(urb)) 1886 return PTR_ERR(urb); 1887 1888 hdev->stat.sco_tx++; 1889 return submit_tx_urb(hdev, urb); 1890 } 1891 1892 return -EILSEQ; 1893 } 1894 1895 static int btusb_intel_secure_send(struct hci_dev *hdev, u8 fragment_type, 1896 u32 plen, const void *param) 1897 { 1898 while (plen > 0) { 1899 struct sk_buff *skb; 1900 u8 cmd_param[253], fragment_len = (plen > 252) ? 252 : plen; 1901 1902 cmd_param[0] = fragment_type; 1903 memcpy(cmd_param + 1, param, fragment_len); 1904 1905 skb = __hci_cmd_sync(hdev, 0xfc09, fragment_len + 1, 1906 cmd_param, HCI_INIT_TIMEOUT); 1907 if (IS_ERR(skb)) 1908 return PTR_ERR(skb); 1909 1910 kfree_skb(skb); 1911 1912 plen -= fragment_len; 1913 param += fragment_len; 1914 } 1915 1916 return 0; 1917 } 1918 1919 static void btusb_intel_version_info(struct hci_dev *hdev, 1920 struct intel_version *ver) 1921 { 1922 const char *variant; 1923 1924 switch (ver->fw_variant) { 1925 case 0x06: 1926 variant = "Bootloader"; 1927 break; 1928 case 0x23: 1929 variant = "Firmware"; 1930 break; 1931 default: 1932 return; 1933 } 1934 1935 BT_INFO("%s: %s revision %u.%u build %u week %u %u", hdev->name, 1936 variant, ver->fw_revision >> 4, ver->fw_revision & 0x0f, 1937 ver->fw_build_num, ver->fw_build_ww, 2000 + ver->fw_build_yy); 1938 } 1939 1940 static int btusb_setup_intel_new(struct hci_dev *hdev) 1941 { 1942 static const u8 reset_param[] = { 0x00, 0x01, 0x00, 0x01, 1943 0x00, 0x08, 0x04, 0x00 }; 1944 struct btusb_data *data = hci_get_drvdata(hdev); 1945 struct sk_buff *skb; 1946 struct intel_version *ver; 1947 struct intel_boot_params *params; 1948 const struct firmware *fw; 1949 const u8 *fw_ptr; 1950 char fwname[64]; 1951 ktime_t calltime, delta, rettime; 1952 unsigned long long duration; 1953 int err; 1954 1955 BT_DBG("%s", hdev->name); 1956 1957 calltime = ktime_get(); 1958 1959 /* Read the Intel version information to determine if the device 1960 * is in bootloader mode or if it already has operational firmware 1961 * loaded. 1962 */ 1963 skb = __hci_cmd_sync(hdev, 0xfc05, 0, NULL, HCI_INIT_TIMEOUT); 1964 if (IS_ERR(skb)) { 1965 BT_ERR("%s: Reading Intel version information failed (%ld)", 1966 hdev->name, PTR_ERR(skb)); 1967 return PTR_ERR(skb); 1968 } 1969 1970 if (skb->len != sizeof(*ver)) { 1971 BT_ERR("%s: Intel version event size mismatch", hdev->name); 1972 kfree_skb(skb); 1973 return -EILSEQ; 1974 } 1975 1976 ver = (struct intel_version *)skb->data; 1977 if (ver->status) { 1978 BT_ERR("%s: Intel version command failure (%02x)", 1979 hdev->name, ver->status); 1980 err = -bt_to_errno(ver->status); 1981 kfree_skb(skb); 1982 return err; 1983 } 1984 1985 /* The hardware platform number has a fixed value of 0x37 and 1986 * for now only accept this single value. 1987 */ 1988 if (ver->hw_platform != 0x37) { 1989 BT_ERR("%s: Unsupported Intel hardware platform (%u)", 1990 hdev->name, ver->hw_platform); 1991 kfree_skb(skb); 1992 return -EINVAL; 1993 } 1994 1995 /* At the moment only the hardware variant iBT 3.0 (LnP/SfP) is 1996 * supported by this firmware loading method. This check has been 1997 * put in place to ensure correct forward compatibility options 1998 * when newer hardware variants come along. 1999 */ 2000 if (ver->hw_variant != 0x0b) { 2001 BT_ERR("%s: Unsupported Intel hardware variant (%u)", 2002 hdev->name, ver->hw_variant); 2003 kfree_skb(skb); 2004 return -EINVAL; 2005 } 2006 2007 btusb_intel_version_info(hdev, ver); 2008 2009 /* The firmware variant determines if the device is in bootloader 2010 * mode or is running operational firmware. The value 0x06 identifies 2011 * the bootloader and the value 0x23 identifies the operational 2012 * firmware. 2013 * 2014 * When the operational firmware is already present, then only 2015 * the check for valid Bluetooth device address is needed. This 2016 * determines if the device will be added as configured or 2017 * unconfigured controller. 2018 * 2019 * It is not possible to use the Secure Boot Parameters in this 2020 * case since that command is only available in bootloader mode. 2021 */ 2022 if (ver->fw_variant == 0x23) { 2023 kfree_skb(skb); 2024 clear_bit(BTUSB_BOOTLOADER, &data->flags); 2025 btusb_check_bdaddr_intel(hdev); 2026 return 0; 2027 } 2028 2029 /* If the device is not in bootloader mode, then the only possible 2030 * choice is to return an error and abort the device initialization. 2031 */ 2032 if (ver->fw_variant != 0x06) { 2033 BT_ERR("%s: Unsupported Intel firmware variant (%u)", 2034 hdev->name, ver->fw_variant); 2035 kfree_skb(skb); 2036 return -ENODEV; 2037 } 2038 2039 kfree_skb(skb); 2040 2041 /* Read the secure boot parameters to identify the operating 2042 * details of the bootloader. 2043 */ 2044 skb = __hci_cmd_sync(hdev, 0xfc0d, 0, NULL, HCI_INIT_TIMEOUT); 2045 if (IS_ERR(skb)) { 2046 BT_ERR("%s: Reading Intel boot parameters failed (%ld)", 2047 hdev->name, PTR_ERR(skb)); 2048 return PTR_ERR(skb); 2049 } 2050 2051 if (skb->len != sizeof(*params)) { 2052 BT_ERR("%s: Intel boot parameters size mismatch", hdev->name); 2053 kfree_skb(skb); 2054 return -EILSEQ; 2055 } 2056 2057 params = (struct intel_boot_params *)skb->data; 2058 if (params->status) { 2059 BT_ERR("%s: Intel boot parameters command failure (%02x)", 2060 hdev->name, params->status); 2061 err = -bt_to_errno(params->status); 2062 kfree_skb(skb); 2063 return err; 2064 } 2065 2066 BT_INFO("%s: Device revision is %u", hdev->name, 2067 le16_to_cpu(params->dev_revid)); 2068 2069 BT_INFO("%s: Secure boot is %s", hdev->name, 2070 params->secure_boot ? "enabled" : "disabled"); 2071 2072 BT_INFO("%s: Minimum firmware build %u week %u %u", hdev->name, 2073 params->min_fw_build_nn, params->min_fw_build_cw, 2074 2000 + params->min_fw_build_yy); 2075 2076 /* It is required that every single firmware fragment is acknowledged 2077 * with a command complete event. If the boot parameters indicate 2078 * that this bootloader does not send them, then abort the setup. 2079 */ 2080 if (params->limited_cce != 0x00) { 2081 BT_ERR("%s: Unsupported Intel firmware loading method (%u)", 2082 hdev->name, params->limited_cce); 2083 kfree_skb(skb); 2084 return -EINVAL; 2085 } 2086 2087 /* If the OTP has no valid Bluetooth device address, then there will 2088 * also be no valid address for the operational firmware. 2089 */ 2090 if (!bacmp(¶ms->otp_bdaddr, BDADDR_ANY)) { 2091 BT_INFO("%s: No device address configured", hdev->name); 2092 set_bit(HCI_QUIRK_INVALID_BDADDR, &hdev->quirks); 2093 } 2094 2095 /* With this Intel bootloader only the hardware variant and device 2096 * revision information are used to select the right firmware. 2097 * 2098 * Currently this bootloader support is limited to hardware variant 2099 * iBT 3.0 (LnP/SfP) which is identified by the value 11 (0x0b). 2100 */ 2101 snprintf(fwname, sizeof(fwname), "intel/ibt-11-%u.sfi", 2102 le16_to_cpu(params->dev_revid)); 2103 2104 err = request_firmware(&fw, fwname, &hdev->dev); 2105 if (err < 0) { 2106 BT_ERR("%s: Failed to load Intel firmware file (%d)", 2107 hdev->name, err); 2108 kfree_skb(skb); 2109 return err; 2110 } 2111 2112 BT_INFO("%s: Found device firmware: %s", hdev->name, fwname); 2113 2114 kfree_skb(skb); 2115 2116 if (fw->size < 644) { 2117 BT_ERR("%s: Invalid size of firmware file (%zu)", 2118 hdev->name, fw->size); 2119 err = -EBADF; 2120 goto done; 2121 } 2122 2123 set_bit(BTUSB_DOWNLOADING, &data->flags); 2124 2125 /* Start the firmware download transaction with the Init fragment 2126 * represented by the 128 bytes of CSS header. 2127 */ 2128 err = btusb_intel_secure_send(hdev, 0x00, 128, fw->data); 2129 if (err < 0) { 2130 BT_ERR("%s: Failed to send firmware header (%d)", 2131 hdev->name, err); 2132 goto done; 2133 } 2134 2135 /* Send the 256 bytes of public key information from the firmware 2136 * as the PKey fragment. 2137 */ 2138 err = btusb_intel_secure_send(hdev, 0x03, 256, fw->data + 128); 2139 if (err < 0) { 2140 BT_ERR("%s: Failed to send firmware public key (%d)", 2141 hdev->name, err); 2142 goto done; 2143 } 2144 2145 /* Send the 256 bytes of signature information from the firmware 2146 * as the Sign fragment. 2147 */ 2148 err = btusb_intel_secure_send(hdev, 0x02, 256, fw->data + 388); 2149 if (err < 0) { 2150 BT_ERR("%s: Failed to send firmware signature (%d)", 2151 hdev->name, err); 2152 goto done; 2153 } 2154 2155 fw_ptr = fw->data + 644; 2156 2157 while (fw_ptr - fw->data < fw->size) { 2158 struct hci_command_hdr *cmd = (void *)fw_ptr; 2159 u8 cmd_len; 2160 2161 cmd_len = sizeof(*cmd) + cmd->plen; 2162 2163 /* Send each command from the firmware data buffer as 2164 * a single Data fragment. 2165 */ 2166 err = btusb_intel_secure_send(hdev, 0x01, cmd_len, fw_ptr); 2167 if (err < 0) { 2168 BT_ERR("%s: Failed to send firmware data (%d)", 2169 hdev->name, err); 2170 goto done; 2171 } 2172 2173 fw_ptr += cmd_len; 2174 } 2175 2176 set_bit(BTUSB_FIRMWARE_LOADED, &data->flags); 2177 2178 BT_INFO("%s: Waiting for firmware download to complete", hdev->name); 2179 2180 /* Before switching the device into operational mode and with that 2181 * booting the loaded firmware, wait for the bootloader notification 2182 * that all fragments have been successfully received. 2183 * 2184 * When the event processing receives the notification, then the 2185 * BTUSB_DOWNLOADING flag will be cleared. 2186 * 2187 * The firmware loading should not take longer than 5 seconds 2188 * and thus just timeout if that happens and fail the setup 2189 * of this device. 2190 */ 2191 err = wait_on_bit_timeout(&data->flags, BTUSB_DOWNLOADING, 2192 TASK_INTERRUPTIBLE, 2193 msecs_to_jiffies(5000)); 2194 if (err == 1) { 2195 BT_ERR("%s: Firmware loading interrupted", hdev->name); 2196 err = -EINTR; 2197 goto done; 2198 } 2199 2200 if (err) { 2201 BT_ERR("%s: Firmware loading timeout", hdev->name); 2202 err = -ETIMEDOUT; 2203 goto done; 2204 } 2205 2206 if (test_bit(BTUSB_FIRMWARE_FAILED, &data->flags)) { 2207 BT_ERR("%s: Firmware loading failed", hdev->name); 2208 err = -ENOEXEC; 2209 goto done; 2210 } 2211 2212 rettime = ktime_get(); 2213 delta = ktime_sub(rettime, calltime); 2214 duration = (unsigned long long) ktime_to_ns(delta) >> 10; 2215 2216 BT_INFO("%s: Firmware loaded in %llu usecs", hdev->name, duration); 2217 2218 done: 2219 release_firmware(fw); 2220 2221 if (err < 0) 2222 return err; 2223 2224 calltime = ktime_get(); 2225 2226 set_bit(BTUSB_BOOTING, &data->flags); 2227 2228 skb = __hci_cmd_sync(hdev, 0xfc01, sizeof(reset_param), reset_param, 2229 HCI_INIT_TIMEOUT); 2230 if (IS_ERR(skb)) 2231 return PTR_ERR(skb); 2232 2233 kfree_skb(skb); 2234 2235 /* The bootloader will not indicate when the device is ready. This 2236 * is done by the operational firmware sending bootup notification. 2237 * 2238 * Booting into operational firmware should not take longer than 2239 * 1 second. However if that happens, then just fail the setup 2240 * since something went wrong. 2241 */ 2242 BT_INFO("%s: Waiting for device to boot", hdev->name); 2243 2244 err = wait_on_bit_timeout(&data->flags, BTUSB_BOOTING, 2245 TASK_INTERRUPTIBLE, 2246 msecs_to_jiffies(1000)); 2247 2248 if (err == 1) { 2249 BT_ERR("%s: Device boot interrupted", hdev->name); 2250 return -EINTR; 2251 } 2252 2253 if (err) { 2254 BT_ERR("%s: Device boot timeout", hdev->name); 2255 return -ETIMEDOUT; 2256 } 2257 2258 rettime = ktime_get(); 2259 delta = ktime_sub(rettime, calltime); 2260 duration = (unsigned long long) ktime_to_ns(delta) >> 10; 2261 2262 BT_INFO("%s: Device booted in %llu usecs", hdev->name, duration); 2263 2264 clear_bit(BTUSB_BOOTLOADER, &data->flags); 2265 2266 return 0; 2267 } 2268 2269 static void btusb_hw_error_intel(struct hci_dev *hdev, u8 code) 2270 { 2271 struct sk_buff *skb; 2272 u8 type = 0x00; 2273 2274 BT_ERR("%s: Hardware error 0x%2.2x", hdev->name, code); 2275 2276 skb = __hci_cmd_sync(hdev, HCI_OP_RESET, 0, NULL, HCI_INIT_TIMEOUT); 2277 if (IS_ERR(skb)) { 2278 BT_ERR("%s: Reset after hardware error failed (%ld)", 2279 hdev->name, PTR_ERR(skb)); 2280 return; 2281 } 2282 kfree_skb(skb); 2283 2284 skb = __hci_cmd_sync(hdev, 0xfc22, 1, &type, HCI_INIT_TIMEOUT); 2285 if (IS_ERR(skb)) { 2286 BT_ERR("%s: Retrieving Intel exception info failed (%ld)", 2287 hdev->name, PTR_ERR(skb)); 2288 return; 2289 } 2290 2291 if (skb->len != 13) { 2292 BT_ERR("%s: Exception info size mismatch", hdev->name); 2293 kfree_skb(skb); 2294 return; 2295 } 2296 2297 if (skb->data[0] != 0x00) { 2298 BT_ERR("%s: Exception info command failure (%02x)", 2299 hdev->name, skb->data[0]); 2300 kfree_skb(skb); 2301 return; 2302 } 2303 2304 BT_ERR("%s: Exception info %s", hdev->name, (char *)(skb->data + 1)); 2305 2306 kfree_skb(skb); 2307 } 2308 2309 static int btusb_set_bdaddr_intel(struct hci_dev *hdev, const bdaddr_t *bdaddr) 2310 { 2311 struct sk_buff *skb; 2312 long ret; 2313 2314 skb = __hci_cmd_sync(hdev, 0xfc31, 6, bdaddr, HCI_INIT_TIMEOUT); 2315 if (IS_ERR(skb)) { 2316 ret = PTR_ERR(skb); 2317 BT_ERR("%s: changing Intel device address failed (%ld)", 2318 hdev->name, ret); 2319 return ret; 2320 } 2321 kfree_skb(skb); 2322 2323 return 0; 2324 } 2325 2326 static int btusb_shutdown_intel(struct hci_dev *hdev) 2327 { 2328 struct sk_buff *skb; 2329 long ret; 2330 2331 /* Some platforms have an issue with BT LED when the interface is 2332 * down or BT radio is turned off, which takes 5 seconds to BT LED 2333 * goes off. This command turns off the BT LED immediately. 2334 */ 2335 skb = __hci_cmd_sync(hdev, 0xfc3f, 0, NULL, HCI_INIT_TIMEOUT); 2336 if (IS_ERR(skb)) { 2337 ret = PTR_ERR(skb); 2338 BT_ERR("%s: turning off Intel device LED failed (%ld)", 2339 hdev->name, ret); 2340 return ret; 2341 } 2342 kfree_skb(skb); 2343 2344 return 0; 2345 } 2346 2347 static int btusb_set_bdaddr_marvell(struct hci_dev *hdev, 2348 const bdaddr_t *bdaddr) 2349 { 2350 struct sk_buff *skb; 2351 u8 buf[8]; 2352 long ret; 2353 2354 buf[0] = 0xfe; 2355 buf[1] = sizeof(bdaddr_t); 2356 memcpy(buf + 2, bdaddr, sizeof(bdaddr_t)); 2357 2358 skb = __hci_cmd_sync(hdev, 0xfc22, sizeof(buf), buf, HCI_INIT_TIMEOUT); 2359 if (IS_ERR(skb)) { 2360 ret = PTR_ERR(skb); 2361 BT_ERR("%s: changing Marvell device address failed (%ld)", 2362 hdev->name, ret); 2363 return ret; 2364 } 2365 kfree_skb(skb); 2366 2367 return 0; 2368 } 2369 2370 static const struct { 2371 u16 subver; 2372 const char *name; 2373 } bcm_subver_table[] = { 2374 { 0x210b, "BCM43142A0" }, /* 001.001.011 */ 2375 { 0x2112, "BCM4314A0" }, /* 001.001.018 */ 2376 { 0x2118, "BCM20702A0" }, /* 001.001.024 */ 2377 { 0x2126, "BCM4335A0" }, /* 001.001.038 */ 2378 { 0x220e, "BCM20702A1" }, /* 001.002.014 */ 2379 { 0x230f, "BCM4354A2" }, /* 001.003.015 */ 2380 { 0x4106, "BCM4335B0" }, /* 002.001.006 */ 2381 { 0x410e, "BCM20702B0" }, /* 002.001.014 */ 2382 { 0x6109, "BCM4335C0" }, /* 003.001.009 */ 2383 { 0x610c, "BCM4354" }, /* 003.001.012 */ 2384 { } 2385 }; 2386 2387 #define BDADDR_BCM20702A0 (&(bdaddr_t) {{0x00, 0xa0, 0x02, 0x70, 0x20, 0x00}}) 2388 2389 static int btusb_setup_bcm_patchram(struct hci_dev *hdev) 2390 { 2391 struct btusb_data *data = hci_get_drvdata(hdev); 2392 struct usb_device *udev = data->udev; 2393 char fw_name[64]; 2394 const struct firmware *fw; 2395 const u8 *fw_ptr; 2396 size_t fw_size; 2397 const struct hci_command_hdr *cmd; 2398 const u8 *cmd_param; 2399 u16 opcode, subver, rev; 2400 const char *hw_name = NULL; 2401 struct sk_buff *skb; 2402 struct hci_rp_read_local_version *ver; 2403 struct hci_rp_read_bd_addr *bda; 2404 long ret; 2405 int i; 2406 2407 /* Reset */ 2408 skb = __hci_cmd_sync(hdev, HCI_OP_RESET, 0, NULL, HCI_INIT_TIMEOUT); 2409 if (IS_ERR(skb)) { 2410 ret = PTR_ERR(skb); 2411 BT_ERR("%s: HCI_OP_RESET failed (%ld)", hdev->name, ret); 2412 return ret; 2413 } 2414 kfree_skb(skb); 2415 2416 /* Read Local Version Info */ 2417 skb = __hci_cmd_sync(hdev, HCI_OP_READ_LOCAL_VERSION, 0, NULL, 2418 HCI_INIT_TIMEOUT); 2419 if (IS_ERR(skb)) { 2420 ret = PTR_ERR(skb); 2421 BT_ERR("%s: HCI_OP_READ_LOCAL_VERSION failed (%ld)", 2422 hdev->name, ret); 2423 return ret; 2424 } 2425 2426 if (skb->len != sizeof(*ver)) { 2427 BT_ERR("%s: HCI_OP_READ_LOCAL_VERSION event length mismatch", 2428 hdev->name); 2429 kfree_skb(skb); 2430 return -EIO; 2431 } 2432 2433 ver = (struct hci_rp_read_local_version *)skb->data; 2434 rev = le16_to_cpu(ver->hci_rev); 2435 subver = le16_to_cpu(ver->lmp_subver); 2436 kfree_skb(skb); 2437 2438 for (i = 0; bcm_subver_table[i].name; i++) { 2439 if (subver == bcm_subver_table[i].subver) { 2440 hw_name = bcm_subver_table[i].name; 2441 break; 2442 } 2443 } 2444 2445 BT_INFO("%s: %s (%3.3u.%3.3u.%3.3u) build %4.4u", hdev->name, 2446 hw_name ? : "BCM", (subver & 0x7000) >> 13, 2447 (subver & 0x1f00) >> 8, (subver & 0x00ff), rev & 0x0fff); 2448 2449 snprintf(fw_name, sizeof(fw_name), "brcm/%s-%4.4x-%4.4x.hcd", 2450 hw_name ? : "BCM", 2451 le16_to_cpu(udev->descriptor.idVendor), 2452 le16_to_cpu(udev->descriptor.idProduct)); 2453 2454 ret = request_firmware(&fw, fw_name, &hdev->dev); 2455 if (ret < 0) { 2456 BT_INFO("%s: BCM: patch %s not found", hdev->name, fw_name); 2457 return 0; 2458 } 2459 2460 /* Start Download */ 2461 skb = __hci_cmd_sync(hdev, 0xfc2e, 0, NULL, HCI_INIT_TIMEOUT); 2462 if (IS_ERR(skb)) { 2463 ret = PTR_ERR(skb); 2464 BT_ERR("%s: BCM: Download Minidrv command failed (%ld)", 2465 hdev->name, ret); 2466 goto reset_fw; 2467 } 2468 kfree_skb(skb); 2469 2470 /* 50 msec delay after Download Minidrv completes */ 2471 msleep(50); 2472 2473 fw_ptr = fw->data; 2474 fw_size = fw->size; 2475 2476 while (fw_size >= sizeof(*cmd)) { 2477 cmd = (struct hci_command_hdr *)fw_ptr; 2478 fw_ptr += sizeof(*cmd); 2479 fw_size -= sizeof(*cmd); 2480 2481 if (fw_size < cmd->plen) { 2482 BT_ERR("%s: BCM: patch %s is corrupted", 2483 hdev->name, fw_name); 2484 ret = -EINVAL; 2485 goto reset_fw; 2486 } 2487 2488 cmd_param = fw_ptr; 2489 fw_ptr += cmd->plen; 2490 fw_size -= cmd->plen; 2491 2492 opcode = le16_to_cpu(cmd->opcode); 2493 2494 skb = __hci_cmd_sync(hdev, opcode, cmd->plen, cmd_param, 2495 HCI_INIT_TIMEOUT); 2496 if (IS_ERR(skb)) { 2497 ret = PTR_ERR(skb); 2498 BT_ERR("%s: BCM: patch command %04x failed (%ld)", 2499 hdev->name, opcode, ret); 2500 goto reset_fw; 2501 } 2502 kfree_skb(skb); 2503 } 2504 2505 /* 250 msec delay after Launch Ram completes */ 2506 msleep(250); 2507 2508 reset_fw: 2509 /* Reset */ 2510 skb = __hci_cmd_sync(hdev, HCI_OP_RESET, 0, NULL, HCI_INIT_TIMEOUT); 2511 if (IS_ERR(skb)) { 2512 ret = PTR_ERR(skb); 2513 BT_ERR("%s: HCI_OP_RESET failed (%ld)", hdev->name, ret); 2514 goto done; 2515 } 2516 kfree_skb(skb); 2517 2518 /* Read Local Version Info */ 2519 skb = __hci_cmd_sync(hdev, HCI_OP_READ_LOCAL_VERSION, 0, NULL, 2520 HCI_INIT_TIMEOUT); 2521 if (IS_ERR(skb)) { 2522 ret = PTR_ERR(skb); 2523 BT_ERR("%s: HCI_OP_READ_LOCAL_VERSION failed (%ld)", 2524 hdev->name, ret); 2525 goto done; 2526 } 2527 2528 if (skb->len != sizeof(*ver)) { 2529 BT_ERR("%s: HCI_OP_READ_LOCAL_VERSION event length mismatch", 2530 hdev->name); 2531 kfree_skb(skb); 2532 ret = -EIO; 2533 goto done; 2534 } 2535 2536 ver = (struct hci_rp_read_local_version *)skb->data; 2537 rev = le16_to_cpu(ver->hci_rev); 2538 subver = le16_to_cpu(ver->lmp_subver); 2539 kfree_skb(skb); 2540 2541 BT_INFO("%s: %s (%3.3u.%3.3u.%3.3u) build %4.4u", hdev->name, 2542 hw_name ? : "BCM", (subver & 0x7000) >> 13, 2543 (subver & 0x1f00) >> 8, (subver & 0x00ff), rev & 0x0fff); 2544 2545 /* Read BD Address */ 2546 skb = __hci_cmd_sync(hdev, HCI_OP_READ_BD_ADDR, 0, NULL, 2547 HCI_INIT_TIMEOUT); 2548 if (IS_ERR(skb)) { 2549 ret = PTR_ERR(skb); 2550 BT_ERR("%s: HCI_OP_READ_BD_ADDR failed (%ld)", 2551 hdev->name, ret); 2552 goto done; 2553 } 2554 2555 if (skb->len != sizeof(*bda)) { 2556 BT_ERR("%s: HCI_OP_READ_BD_ADDR event length mismatch", 2557 hdev->name); 2558 kfree_skb(skb); 2559 ret = -EIO; 2560 goto done; 2561 } 2562 2563 bda = (struct hci_rp_read_bd_addr *)skb->data; 2564 if (bda->status) { 2565 BT_ERR("%s: HCI_OP_READ_BD_ADDR error status (%02x)", 2566 hdev->name, bda->status); 2567 kfree_skb(skb); 2568 ret = -bt_to_errno(bda->status); 2569 goto done; 2570 } 2571 2572 /* The address 00:20:70:02:A0:00 indicates a BCM20702A0 controller 2573 * with no configured address. 2574 */ 2575 if (!bacmp(&bda->bdaddr, BDADDR_BCM20702A0)) { 2576 BT_INFO("%s: BCM: using default device address (%pMR)", 2577 hdev->name, &bda->bdaddr); 2578 set_bit(HCI_QUIRK_INVALID_BDADDR, &hdev->quirks); 2579 } 2580 2581 kfree_skb(skb); 2582 2583 done: 2584 release_firmware(fw); 2585 2586 return ret; 2587 } 2588 2589 static int btusb_set_bdaddr_bcm(struct hci_dev *hdev, const bdaddr_t *bdaddr) 2590 { 2591 struct sk_buff *skb; 2592 long ret; 2593 2594 skb = __hci_cmd_sync(hdev, 0xfc01, 6, bdaddr, HCI_INIT_TIMEOUT); 2595 if (IS_ERR(skb)) { 2596 ret = PTR_ERR(skb); 2597 BT_ERR("%s: BCM: Change address command failed (%ld)", 2598 hdev->name, ret); 2599 return ret; 2600 } 2601 kfree_skb(skb); 2602 2603 return 0; 2604 } 2605 2606 static int btusb_set_bdaddr_ath3012(struct hci_dev *hdev, 2607 const bdaddr_t *bdaddr) 2608 { 2609 struct sk_buff *skb; 2610 u8 buf[10]; 2611 long ret; 2612 2613 buf[0] = 0x01; 2614 buf[1] = 0x01; 2615 buf[2] = 0x00; 2616 buf[3] = sizeof(bdaddr_t); 2617 memcpy(buf + 4, bdaddr, sizeof(bdaddr_t)); 2618 2619 skb = __hci_cmd_sync(hdev, 0xfc0b, sizeof(buf), buf, HCI_INIT_TIMEOUT); 2620 if (IS_ERR(skb)) { 2621 ret = PTR_ERR(skb); 2622 BT_ERR("%s: Change address command failed (%ld)", 2623 hdev->name, ret); 2624 return ret; 2625 } 2626 kfree_skb(skb); 2627 2628 return 0; 2629 } 2630 2631 static int btusb_probe(struct usb_interface *intf, 2632 const struct usb_device_id *id) 2633 { 2634 struct usb_endpoint_descriptor *ep_desc; 2635 struct btusb_data *data; 2636 struct hci_dev *hdev; 2637 int i, err; 2638 2639 BT_DBG("intf %p id %p", intf, id); 2640 2641 /* interface numbers are hardcoded in the spec */ 2642 if (intf->cur_altsetting->desc.bInterfaceNumber != 0) 2643 return -ENODEV; 2644 2645 if (!id->driver_info) { 2646 const struct usb_device_id *match; 2647 2648 match = usb_match_id(intf, blacklist_table); 2649 if (match) 2650 id = match; 2651 } 2652 2653 if (id->driver_info == BTUSB_IGNORE) 2654 return -ENODEV; 2655 2656 if (id->driver_info & BTUSB_ATH3012) { 2657 struct usb_device *udev = interface_to_usbdev(intf); 2658 2659 /* Old firmware would otherwise let ath3k driver load 2660 * patch and sysconfig files */ 2661 if (le16_to_cpu(udev->descriptor.bcdDevice) <= 0x0001) 2662 return -ENODEV; 2663 } 2664 2665 data = devm_kzalloc(&intf->dev, sizeof(*data), GFP_KERNEL); 2666 if (!data) 2667 return -ENOMEM; 2668 2669 for (i = 0; i < intf->cur_altsetting->desc.bNumEndpoints; i++) { 2670 ep_desc = &intf->cur_altsetting->endpoint[i].desc; 2671 2672 if (!data->intr_ep && usb_endpoint_is_int_in(ep_desc)) { 2673 data->intr_ep = ep_desc; 2674 continue; 2675 } 2676 2677 if (!data->bulk_tx_ep && usb_endpoint_is_bulk_out(ep_desc)) { 2678 data->bulk_tx_ep = ep_desc; 2679 continue; 2680 } 2681 2682 if (!data->bulk_rx_ep && usb_endpoint_is_bulk_in(ep_desc)) { 2683 data->bulk_rx_ep = ep_desc; 2684 continue; 2685 } 2686 } 2687 2688 if (!data->intr_ep || !data->bulk_tx_ep || !data->bulk_rx_ep) 2689 return -ENODEV; 2690 2691 if (id->driver_info & BTUSB_AMP) { 2692 data->cmdreq_type = USB_TYPE_CLASS | 0x01; 2693 data->cmdreq = 0x2b; 2694 } else { 2695 data->cmdreq_type = USB_TYPE_CLASS; 2696 data->cmdreq = 0x00; 2697 } 2698 2699 data->udev = interface_to_usbdev(intf); 2700 data->intf = intf; 2701 2702 INIT_WORK(&data->work, btusb_work); 2703 INIT_WORK(&data->waker, btusb_waker); 2704 init_usb_anchor(&data->deferred); 2705 init_usb_anchor(&data->tx_anchor); 2706 spin_lock_init(&data->txlock); 2707 2708 init_usb_anchor(&data->intr_anchor); 2709 init_usb_anchor(&data->bulk_anchor); 2710 init_usb_anchor(&data->isoc_anchor); 2711 spin_lock_init(&data->rxlock); 2712 2713 if (id->driver_info & BTUSB_INTEL_NEW) { 2714 data->recv_event = btusb_recv_event_intel; 2715 data->recv_bulk = btusb_recv_bulk_intel; 2716 set_bit(BTUSB_BOOTLOADER, &data->flags); 2717 } else { 2718 data->recv_event = hci_recv_frame; 2719 data->recv_bulk = btusb_recv_bulk; 2720 } 2721 2722 hdev = hci_alloc_dev(); 2723 if (!hdev) 2724 return -ENOMEM; 2725 2726 hdev->bus = HCI_USB; 2727 hci_set_drvdata(hdev, data); 2728 2729 if (id->driver_info & BTUSB_AMP) 2730 hdev->dev_type = HCI_AMP; 2731 else 2732 hdev->dev_type = HCI_BREDR; 2733 2734 data->hdev = hdev; 2735 2736 SET_HCIDEV_DEV(hdev, &intf->dev); 2737 2738 hdev->open = btusb_open; 2739 hdev->close = btusb_close; 2740 hdev->flush = btusb_flush; 2741 hdev->send = btusb_send_frame; 2742 hdev->notify = btusb_notify; 2743 2744 if (id->driver_info & BTUSB_BCM92035) 2745 hdev->setup = btusb_setup_bcm92035; 2746 2747 if (id->driver_info & BTUSB_BCM_PATCHRAM) { 2748 hdev->setup = btusb_setup_bcm_patchram; 2749 hdev->set_bdaddr = btusb_set_bdaddr_bcm; 2750 set_bit(HCI_QUIRK_STRICT_DUPLICATE_FILTER, &hdev->quirks); 2751 } 2752 2753 if (id->driver_info & BTUSB_INTEL) { 2754 hdev->setup = btusb_setup_intel; 2755 hdev->shutdown = btusb_shutdown_intel; 2756 hdev->set_bdaddr = btusb_set_bdaddr_intel; 2757 set_bit(HCI_QUIRK_STRICT_DUPLICATE_FILTER, &hdev->quirks); 2758 } 2759 2760 if (id->driver_info & BTUSB_INTEL_NEW) { 2761 hdev->send = btusb_send_frame_intel; 2762 hdev->setup = btusb_setup_intel_new; 2763 hdev->hw_error = btusb_hw_error_intel; 2764 hdev->set_bdaddr = btusb_set_bdaddr_intel; 2765 set_bit(HCI_QUIRK_STRICT_DUPLICATE_FILTER, &hdev->quirks); 2766 } 2767 2768 if (id->driver_info & BTUSB_MARVELL) 2769 hdev->set_bdaddr = btusb_set_bdaddr_marvell; 2770 2771 if (id->driver_info & BTUSB_SWAVE) { 2772 set_bit(HCI_QUIRK_FIXUP_INQUIRY_MODE, &hdev->quirks); 2773 set_bit(HCI_QUIRK_BROKEN_LOCAL_COMMANDS, &hdev->quirks); 2774 } 2775 2776 if (id->driver_info & BTUSB_INTEL_BOOT) 2777 set_bit(HCI_QUIRK_RAW_DEVICE, &hdev->quirks); 2778 2779 if (id->driver_info & BTUSB_ATH3012) { 2780 hdev->set_bdaddr = btusb_set_bdaddr_ath3012; 2781 set_bit(HCI_QUIRK_STRICT_DUPLICATE_FILTER, &hdev->quirks); 2782 } 2783 2784 if (id->driver_info & BTUSB_AMP) { 2785 /* AMP controllers do not support SCO packets */ 2786 data->isoc = NULL; 2787 } else { 2788 /* Interface numbers are hardcoded in the specification */ 2789 data->isoc = usb_ifnum_to_if(data->udev, 1); 2790 } 2791 2792 if (!reset) 2793 set_bit(HCI_QUIRK_RESET_ON_CLOSE, &hdev->quirks); 2794 2795 if (force_scofix || id->driver_info & BTUSB_WRONG_SCO_MTU) { 2796 if (!disable_scofix) 2797 set_bit(HCI_QUIRK_FIXUP_BUFFER_SIZE, &hdev->quirks); 2798 } 2799 2800 if (id->driver_info & BTUSB_BROKEN_ISOC) 2801 data->isoc = NULL; 2802 2803 if (id->driver_info & BTUSB_DIGIANSWER) { 2804 data->cmdreq_type = USB_TYPE_VENDOR; 2805 set_bit(HCI_QUIRK_RESET_ON_CLOSE, &hdev->quirks); 2806 } 2807 2808 if (id->driver_info & BTUSB_CSR) { 2809 struct usb_device *udev = data->udev; 2810 u16 bcdDevice = le16_to_cpu(udev->descriptor.bcdDevice); 2811 2812 /* Old firmware would otherwise execute USB reset */ 2813 if (bcdDevice < 0x117) 2814 set_bit(HCI_QUIRK_RESET_ON_CLOSE, &hdev->quirks); 2815 2816 /* Fake CSR devices with broken commands */ 2817 if (bcdDevice <= 0x100) 2818 hdev->setup = btusb_setup_csr; 2819 } 2820 2821 if (id->driver_info & BTUSB_SNIFFER) { 2822 struct usb_device *udev = data->udev; 2823 2824 /* New sniffer firmware has crippled HCI interface */ 2825 if (le16_to_cpu(udev->descriptor.bcdDevice) > 0x997) 2826 set_bit(HCI_QUIRK_RAW_DEVICE, &hdev->quirks); 2827 } 2828 2829 if (id->driver_info & BTUSB_INTEL_BOOT) { 2830 /* A bug in the bootloader causes that interrupt interface is 2831 * only enabled after receiving SetInterface(0, AltSetting=0). 2832 */ 2833 err = usb_set_interface(data->udev, 0, 0); 2834 if (err < 0) { 2835 BT_ERR("failed to set interface 0, alt 0 %d", err); 2836 hci_free_dev(hdev); 2837 return err; 2838 } 2839 } 2840 2841 if (data->isoc) { 2842 err = usb_driver_claim_interface(&btusb_driver, 2843 data->isoc, data); 2844 if (err < 0) { 2845 hci_free_dev(hdev); 2846 return err; 2847 } 2848 } 2849 2850 err = hci_register_dev(hdev); 2851 if (err < 0) { 2852 hci_free_dev(hdev); 2853 return err; 2854 } 2855 2856 usb_set_intfdata(intf, data); 2857 2858 return 0; 2859 } 2860 2861 static void btusb_disconnect(struct usb_interface *intf) 2862 { 2863 struct btusb_data *data = usb_get_intfdata(intf); 2864 struct hci_dev *hdev; 2865 2866 BT_DBG("intf %p", intf); 2867 2868 if (!data) 2869 return; 2870 2871 hdev = data->hdev; 2872 usb_set_intfdata(data->intf, NULL); 2873 2874 if (data->isoc) 2875 usb_set_intfdata(data->isoc, NULL); 2876 2877 hci_unregister_dev(hdev); 2878 2879 if (intf == data->isoc) 2880 usb_driver_release_interface(&btusb_driver, data->intf); 2881 else if (data->isoc) 2882 usb_driver_release_interface(&btusb_driver, data->isoc); 2883 2884 hci_free_dev(hdev); 2885 } 2886 2887 #ifdef CONFIG_PM 2888 static int btusb_suspend(struct usb_interface *intf, pm_message_t message) 2889 { 2890 struct btusb_data *data = usb_get_intfdata(intf); 2891 2892 BT_DBG("intf %p", intf); 2893 2894 if (data->suspend_count++) 2895 return 0; 2896 2897 spin_lock_irq(&data->txlock); 2898 if (!(PMSG_IS_AUTO(message) && data->tx_in_flight)) { 2899 set_bit(BTUSB_SUSPENDING, &data->flags); 2900 spin_unlock_irq(&data->txlock); 2901 } else { 2902 spin_unlock_irq(&data->txlock); 2903 data->suspend_count--; 2904 return -EBUSY; 2905 } 2906 2907 cancel_work_sync(&data->work); 2908 2909 btusb_stop_traffic(data); 2910 usb_kill_anchored_urbs(&data->tx_anchor); 2911 2912 return 0; 2913 } 2914 2915 static void play_deferred(struct btusb_data *data) 2916 { 2917 struct urb *urb; 2918 int err; 2919 2920 while ((urb = usb_get_from_anchor(&data->deferred))) { 2921 err = usb_submit_urb(urb, GFP_ATOMIC); 2922 if (err < 0) 2923 break; 2924 2925 data->tx_in_flight++; 2926 } 2927 usb_scuttle_anchored_urbs(&data->deferred); 2928 } 2929 2930 static int btusb_resume(struct usb_interface *intf) 2931 { 2932 struct btusb_data *data = usb_get_intfdata(intf); 2933 struct hci_dev *hdev = data->hdev; 2934 int err = 0; 2935 2936 BT_DBG("intf %p", intf); 2937 2938 if (--data->suspend_count) 2939 return 0; 2940 2941 if (!test_bit(HCI_RUNNING, &hdev->flags)) 2942 goto done; 2943 2944 if (test_bit(BTUSB_INTR_RUNNING, &data->flags)) { 2945 err = btusb_submit_intr_urb(hdev, GFP_NOIO); 2946 if (err < 0) { 2947 clear_bit(BTUSB_INTR_RUNNING, &data->flags); 2948 goto failed; 2949 } 2950 } 2951 2952 if (test_bit(BTUSB_BULK_RUNNING, &data->flags)) { 2953 err = btusb_submit_bulk_urb(hdev, GFP_NOIO); 2954 if (err < 0) { 2955 clear_bit(BTUSB_BULK_RUNNING, &data->flags); 2956 goto failed; 2957 } 2958 2959 btusb_submit_bulk_urb(hdev, GFP_NOIO); 2960 } 2961 2962 if (test_bit(BTUSB_ISOC_RUNNING, &data->flags)) { 2963 if (btusb_submit_isoc_urb(hdev, GFP_NOIO) < 0) 2964 clear_bit(BTUSB_ISOC_RUNNING, &data->flags); 2965 else 2966 btusb_submit_isoc_urb(hdev, GFP_NOIO); 2967 } 2968 2969 spin_lock_irq(&data->txlock); 2970 play_deferred(data); 2971 clear_bit(BTUSB_SUSPENDING, &data->flags); 2972 spin_unlock_irq(&data->txlock); 2973 schedule_work(&data->work); 2974 2975 return 0; 2976 2977 failed: 2978 usb_scuttle_anchored_urbs(&data->deferred); 2979 done: 2980 spin_lock_irq(&data->txlock); 2981 clear_bit(BTUSB_SUSPENDING, &data->flags); 2982 spin_unlock_irq(&data->txlock); 2983 2984 return err; 2985 } 2986 #endif 2987 2988 static struct usb_driver btusb_driver = { 2989 .name = "btusb", 2990 .probe = btusb_probe, 2991 .disconnect = btusb_disconnect, 2992 #ifdef CONFIG_PM 2993 .suspend = btusb_suspend, 2994 .resume = btusb_resume, 2995 #endif 2996 .id_table = btusb_table, 2997 .supports_autosuspend = 1, 2998 .disable_hub_initiated_lpm = 1, 2999 }; 3000 3001 module_usb_driver(btusb_driver); 3002 3003 module_param(disable_scofix, bool, 0644); 3004 MODULE_PARM_DESC(disable_scofix, "Disable fixup of wrong SCO buffer size"); 3005 3006 module_param(force_scofix, bool, 0644); 3007 MODULE_PARM_DESC(force_scofix, "Force fixup of wrong SCO buffers size"); 3008 3009 module_param(reset, bool, 0644); 3010 MODULE_PARM_DESC(reset, "Send HCI reset command on initialization"); 3011 3012 MODULE_AUTHOR("Marcel Holtmann <marcel@holtmann.org>"); 3013 MODULE_DESCRIPTION("Generic Bluetooth USB driver ver " VERSION); 3014 MODULE_VERSION(VERSION); 3015 MODULE_LICENSE("GPL"); 3016