1 /* 2 * 3 * Generic Bluetooth USB driver 4 * 5 * Copyright (C) 2005-2008 Marcel Holtmann <marcel@holtmann.org> 6 * 7 * 8 * This program is free software; you can redistribute it and/or modify 9 * it under the terms of the GNU General Public License as published by 10 * the Free Software Foundation; either version 2 of the License, or 11 * (at your option) any later version. 12 * 13 * This program is distributed in the hope that it will be useful, 14 * but WITHOUT ANY WARRANTY; without even the implied warranty of 15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 16 * GNU General Public License for more details. 17 * 18 * You should have received a copy of the GNU General Public License 19 * along with this program; if not, write to the Free Software 20 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA 21 * 22 */ 23 24 #include <linux/module.h> 25 #include <linux/usb.h> 26 #include <linux/firmware.h> 27 #include <asm/unaligned.h> 28 29 #include <net/bluetooth/bluetooth.h> 30 #include <net/bluetooth/hci_core.h> 31 32 #include "btintel.h" 33 #include "btbcm.h" 34 #include "btrtl.h" 35 36 #define VERSION "0.8" 37 38 static bool disable_scofix; 39 static bool force_scofix; 40 41 static bool reset = true; 42 43 static struct usb_driver btusb_driver; 44 45 #define BTUSB_IGNORE 0x01 46 #define BTUSB_DIGIANSWER 0x02 47 #define BTUSB_CSR 0x04 48 #define BTUSB_SNIFFER 0x08 49 #define BTUSB_BCM92035 0x10 50 #define BTUSB_BROKEN_ISOC 0x20 51 #define BTUSB_WRONG_SCO_MTU 0x40 52 #define BTUSB_ATH3012 0x80 53 #define BTUSB_INTEL 0x100 54 #define BTUSB_INTEL_BOOT 0x200 55 #define BTUSB_BCM_PATCHRAM 0x400 56 #define BTUSB_MARVELL 0x800 57 #define BTUSB_SWAVE 0x1000 58 #define BTUSB_INTEL_NEW 0x2000 59 #define BTUSB_AMP 0x4000 60 #define BTUSB_QCA_ROME 0x8000 61 #define BTUSB_BCM_APPLE 0x10000 62 #define BTUSB_REALTEK 0x20000 63 64 static const struct usb_device_id btusb_table[] = { 65 /* Generic Bluetooth USB device */ 66 { USB_DEVICE_INFO(0xe0, 0x01, 0x01) }, 67 68 /* Generic Bluetooth AMP device */ 69 { USB_DEVICE_INFO(0xe0, 0x01, 0x04), .driver_info = BTUSB_AMP }, 70 71 /* Generic Bluetooth USB interface */ 72 { USB_INTERFACE_INFO(0xe0, 0x01, 0x01) }, 73 74 /* Apple-specific (Broadcom) devices */ 75 { USB_VENDOR_AND_INTERFACE_INFO(0x05ac, 0xff, 0x01, 0x01), 76 .driver_info = BTUSB_BCM_APPLE }, 77 78 /* MediaTek MT76x0E */ 79 { USB_DEVICE(0x0e8d, 0x763f) }, 80 81 /* Broadcom SoftSailing reporting vendor specific */ 82 { USB_DEVICE(0x0a5c, 0x21e1) }, 83 84 /* Apple MacBookPro 7,1 */ 85 { USB_DEVICE(0x05ac, 0x8213) }, 86 87 /* Apple iMac11,1 */ 88 { USB_DEVICE(0x05ac, 0x8215) }, 89 90 /* Apple MacBookPro6,2 */ 91 { USB_DEVICE(0x05ac, 0x8218) }, 92 93 /* Apple MacBookAir3,1, MacBookAir3,2 */ 94 { USB_DEVICE(0x05ac, 0x821b) }, 95 96 /* Apple MacBookAir4,1 */ 97 { USB_DEVICE(0x05ac, 0x821f) }, 98 99 /* Apple MacBookPro8,2 */ 100 { USB_DEVICE(0x05ac, 0x821a) }, 101 102 /* Apple MacMini5,1 */ 103 { USB_DEVICE(0x05ac, 0x8281) }, 104 105 /* AVM BlueFRITZ! USB v2.0 */ 106 { USB_DEVICE(0x057c, 0x3800), .driver_info = BTUSB_SWAVE }, 107 108 /* Bluetooth Ultraport Module from IBM */ 109 { USB_DEVICE(0x04bf, 0x030a) }, 110 111 /* ALPS Modules with non-standard id */ 112 { USB_DEVICE(0x044e, 0x3001) }, 113 { USB_DEVICE(0x044e, 0x3002) }, 114 115 /* Ericsson with non-standard id */ 116 { USB_DEVICE(0x0bdb, 0x1002) }, 117 118 /* Canyon CN-BTU1 with HID interfaces */ 119 { USB_DEVICE(0x0c10, 0x0000) }, 120 121 /* Broadcom BCM20702A0 */ 122 { USB_DEVICE(0x413c, 0x8197) }, 123 124 /* Broadcom BCM20702B0 (Dynex/Insignia) */ 125 { USB_DEVICE(0x19ff, 0x0239), .driver_info = BTUSB_BCM_PATCHRAM }, 126 127 /* Foxconn - Hon Hai */ 128 { USB_VENDOR_AND_INTERFACE_INFO(0x0489, 0xff, 0x01, 0x01), 129 .driver_info = BTUSB_BCM_PATCHRAM }, 130 131 /* Lite-On Technology - Broadcom based */ 132 { USB_VENDOR_AND_INTERFACE_INFO(0x04ca, 0xff, 0x01, 0x01), 133 .driver_info = BTUSB_BCM_PATCHRAM }, 134 135 /* Broadcom devices with vendor specific id */ 136 { USB_VENDOR_AND_INTERFACE_INFO(0x0a5c, 0xff, 0x01, 0x01), 137 .driver_info = BTUSB_BCM_PATCHRAM }, 138 139 /* ASUSTek Computer - Broadcom based */ 140 { USB_VENDOR_AND_INTERFACE_INFO(0x0b05, 0xff, 0x01, 0x01), 141 .driver_info = BTUSB_BCM_PATCHRAM }, 142 143 /* Belkin F8065bf - Broadcom based */ 144 { USB_VENDOR_AND_INTERFACE_INFO(0x050d, 0xff, 0x01, 0x01), 145 .driver_info = BTUSB_BCM_PATCHRAM }, 146 147 /* IMC Networks - Broadcom based */ 148 { USB_VENDOR_AND_INTERFACE_INFO(0x13d3, 0xff, 0x01, 0x01), 149 .driver_info = BTUSB_BCM_PATCHRAM }, 150 151 /* Intel Bluetooth USB Bootloader (RAM module) */ 152 { USB_DEVICE(0x8087, 0x0a5a), 153 .driver_info = BTUSB_INTEL_BOOT | BTUSB_BROKEN_ISOC }, 154 155 { } /* Terminating entry */ 156 }; 157 158 MODULE_DEVICE_TABLE(usb, btusb_table); 159 160 static const struct usb_device_id blacklist_table[] = { 161 /* CSR BlueCore devices */ 162 { USB_DEVICE(0x0a12, 0x0001), .driver_info = BTUSB_CSR }, 163 164 /* Broadcom BCM2033 without firmware */ 165 { USB_DEVICE(0x0a5c, 0x2033), .driver_info = BTUSB_IGNORE }, 166 167 /* Atheros 3011 with sflash firmware */ 168 { USB_DEVICE(0x0489, 0xe027), .driver_info = BTUSB_IGNORE }, 169 { USB_DEVICE(0x0489, 0xe03d), .driver_info = BTUSB_IGNORE }, 170 { USB_DEVICE(0x04f2, 0xaff1), .driver_info = BTUSB_IGNORE }, 171 { USB_DEVICE(0x0930, 0x0215), .driver_info = BTUSB_IGNORE }, 172 { USB_DEVICE(0x0cf3, 0x3002), .driver_info = BTUSB_IGNORE }, 173 { USB_DEVICE(0x0cf3, 0xe019), .driver_info = BTUSB_IGNORE }, 174 { USB_DEVICE(0x13d3, 0x3304), .driver_info = BTUSB_IGNORE }, 175 176 /* Atheros AR9285 Malbec with sflash firmware */ 177 { USB_DEVICE(0x03f0, 0x311d), .driver_info = BTUSB_IGNORE }, 178 179 /* Atheros 3012 with sflash firmware */ 180 { USB_DEVICE(0x0489, 0xe04d), .driver_info = BTUSB_ATH3012 }, 181 { USB_DEVICE(0x0489, 0xe04e), .driver_info = BTUSB_ATH3012 }, 182 { USB_DEVICE(0x0489, 0xe056), .driver_info = BTUSB_ATH3012 }, 183 { USB_DEVICE(0x0489, 0xe057), .driver_info = BTUSB_ATH3012 }, 184 { USB_DEVICE(0x0489, 0xe05f), .driver_info = BTUSB_ATH3012 }, 185 { USB_DEVICE(0x0489, 0xe076), .driver_info = BTUSB_ATH3012 }, 186 { USB_DEVICE(0x0489, 0xe078), .driver_info = BTUSB_ATH3012 }, 187 { USB_DEVICE(0x04c5, 0x1330), .driver_info = BTUSB_ATH3012 }, 188 { USB_DEVICE(0x04ca, 0x3004), .driver_info = BTUSB_ATH3012 }, 189 { USB_DEVICE(0x04ca, 0x3005), .driver_info = BTUSB_ATH3012 }, 190 { USB_DEVICE(0x04ca, 0x3006), .driver_info = BTUSB_ATH3012 }, 191 { USB_DEVICE(0x04ca, 0x3007), .driver_info = BTUSB_ATH3012 }, 192 { USB_DEVICE(0x04ca, 0x3008), .driver_info = BTUSB_ATH3012 }, 193 { USB_DEVICE(0x04ca, 0x300b), .driver_info = BTUSB_ATH3012 }, 194 { USB_DEVICE(0x04ca, 0x300d), .driver_info = BTUSB_ATH3012 }, 195 { USB_DEVICE(0x04ca, 0x300f), .driver_info = BTUSB_ATH3012 }, 196 { USB_DEVICE(0x04ca, 0x3010), .driver_info = BTUSB_ATH3012 }, 197 { USB_DEVICE(0x0930, 0x0219), .driver_info = BTUSB_ATH3012 }, 198 { USB_DEVICE(0x0930, 0x0220), .driver_info = BTUSB_ATH3012 }, 199 { USB_DEVICE(0x0930, 0x0227), .driver_info = BTUSB_ATH3012 }, 200 { USB_DEVICE(0x0b05, 0x17d0), .driver_info = BTUSB_ATH3012 }, 201 { USB_DEVICE(0x0cf3, 0x0036), .driver_info = BTUSB_ATH3012 }, 202 { USB_DEVICE(0x0cf3, 0x3004), .driver_info = BTUSB_ATH3012 }, 203 { USB_DEVICE(0x0cf3, 0x3008), .driver_info = BTUSB_ATH3012 }, 204 { USB_DEVICE(0x0cf3, 0x311d), .driver_info = BTUSB_ATH3012 }, 205 { USB_DEVICE(0x0cf3, 0x311e), .driver_info = BTUSB_ATH3012 }, 206 { USB_DEVICE(0x0cf3, 0x311f), .driver_info = BTUSB_ATH3012 }, 207 { USB_DEVICE(0x0cf3, 0x3121), .driver_info = BTUSB_ATH3012 }, 208 { USB_DEVICE(0x0cf3, 0x817a), .driver_info = BTUSB_ATH3012 }, 209 { USB_DEVICE(0x0cf3, 0xe003), .driver_info = BTUSB_ATH3012 }, 210 { USB_DEVICE(0x0cf3, 0xe004), .driver_info = BTUSB_ATH3012 }, 211 { USB_DEVICE(0x0cf3, 0xe005), .driver_info = BTUSB_ATH3012 }, 212 { USB_DEVICE(0x0cf3, 0xe006), .driver_info = BTUSB_ATH3012 }, 213 { USB_DEVICE(0x13d3, 0x3362), .driver_info = BTUSB_ATH3012 }, 214 { USB_DEVICE(0x13d3, 0x3375), .driver_info = BTUSB_ATH3012 }, 215 { USB_DEVICE(0x13d3, 0x3393), .driver_info = BTUSB_ATH3012 }, 216 { USB_DEVICE(0x13d3, 0x3402), .driver_info = BTUSB_ATH3012 }, 217 { USB_DEVICE(0x13d3, 0x3408), .driver_info = BTUSB_ATH3012 }, 218 { USB_DEVICE(0x13d3, 0x3423), .driver_info = BTUSB_ATH3012 }, 219 { USB_DEVICE(0x13d3, 0x3432), .driver_info = BTUSB_ATH3012 }, 220 { USB_DEVICE(0x13d3, 0x3474), .driver_info = BTUSB_ATH3012 }, 221 222 /* Atheros AR5BBU12 with sflash firmware */ 223 { USB_DEVICE(0x0489, 0xe02c), .driver_info = BTUSB_IGNORE }, 224 225 /* Atheros AR5BBU12 with sflash firmware */ 226 { USB_DEVICE(0x0489, 0xe036), .driver_info = BTUSB_ATH3012 }, 227 { USB_DEVICE(0x0489, 0xe03c), .driver_info = BTUSB_ATH3012 }, 228 229 /* QCA ROME chipset */ 230 { USB_DEVICE(0x0cf3, 0xe007), .driver_info = BTUSB_QCA_ROME }, 231 { USB_DEVICE(0x0cf3, 0xe300), .driver_info = BTUSB_QCA_ROME }, 232 { USB_DEVICE(0x0cf3, 0xe360), .driver_info = BTUSB_QCA_ROME }, 233 234 /* Broadcom BCM2035 */ 235 { USB_DEVICE(0x0a5c, 0x2009), .driver_info = BTUSB_BCM92035 }, 236 { USB_DEVICE(0x0a5c, 0x200a), .driver_info = BTUSB_WRONG_SCO_MTU }, 237 { USB_DEVICE(0x0a5c, 0x2035), .driver_info = BTUSB_WRONG_SCO_MTU }, 238 239 /* Broadcom BCM2045 */ 240 { USB_DEVICE(0x0a5c, 0x2039), .driver_info = BTUSB_WRONG_SCO_MTU }, 241 { USB_DEVICE(0x0a5c, 0x2101), .driver_info = BTUSB_WRONG_SCO_MTU }, 242 243 /* IBM/Lenovo ThinkPad with Broadcom chip */ 244 { USB_DEVICE(0x0a5c, 0x201e), .driver_info = BTUSB_WRONG_SCO_MTU }, 245 { USB_DEVICE(0x0a5c, 0x2110), .driver_info = BTUSB_WRONG_SCO_MTU }, 246 247 /* HP laptop with Broadcom chip */ 248 { USB_DEVICE(0x03f0, 0x171d), .driver_info = BTUSB_WRONG_SCO_MTU }, 249 250 /* Dell laptop with Broadcom chip */ 251 { USB_DEVICE(0x413c, 0x8126), .driver_info = BTUSB_WRONG_SCO_MTU }, 252 253 /* Dell Wireless 370 and 410 devices */ 254 { USB_DEVICE(0x413c, 0x8152), .driver_info = BTUSB_WRONG_SCO_MTU }, 255 { USB_DEVICE(0x413c, 0x8156), .driver_info = BTUSB_WRONG_SCO_MTU }, 256 257 /* Belkin F8T012 and F8T013 devices */ 258 { USB_DEVICE(0x050d, 0x0012), .driver_info = BTUSB_WRONG_SCO_MTU }, 259 { USB_DEVICE(0x050d, 0x0013), .driver_info = BTUSB_WRONG_SCO_MTU }, 260 261 /* Asus WL-BTD202 device */ 262 { USB_DEVICE(0x0b05, 0x1715), .driver_info = BTUSB_WRONG_SCO_MTU }, 263 264 /* Kensington Bluetooth USB adapter */ 265 { USB_DEVICE(0x047d, 0x105e), .driver_info = BTUSB_WRONG_SCO_MTU }, 266 267 /* RTX Telecom based adapters with buggy SCO support */ 268 { USB_DEVICE(0x0400, 0x0807), .driver_info = BTUSB_BROKEN_ISOC }, 269 { USB_DEVICE(0x0400, 0x080a), .driver_info = BTUSB_BROKEN_ISOC }, 270 271 /* CONWISE Technology based adapters with buggy SCO support */ 272 { USB_DEVICE(0x0e5e, 0x6622), .driver_info = BTUSB_BROKEN_ISOC }, 273 274 /* Roper Class 1 Bluetooth Dongle (Silicon Wave based) */ 275 { USB_DEVICE(0x1310, 0x0001), .driver_info = BTUSB_SWAVE }, 276 277 /* Digianswer devices */ 278 { USB_DEVICE(0x08fd, 0x0001), .driver_info = BTUSB_DIGIANSWER }, 279 { USB_DEVICE(0x08fd, 0x0002), .driver_info = BTUSB_IGNORE }, 280 281 /* CSR BlueCore Bluetooth Sniffer */ 282 { USB_DEVICE(0x0a12, 0x0002), 283 .driver_info = BTUSB_SNIFFER | BTUSB_BROKEN_ISOC }, 284 285 /* Frontline ComProbe Bluetooth Sniffer */ 286 { USB_DEVICE(0x16d3, 0x0002), 287 .driver_info = BTUSB_SNIFFER | BTUSB_BROKEN_ISOC }, 288 289 /* Marvell Bluetooth devices */ 290 { USB_DEVICE(0x1286, 0x2044), .driver_info = BTUSB_MARVELL }, 291 { USB_DEVICE(0x1286, 0x2046), .driver_info = BTUSB_MARVELL }, 292 293 /* Intel Bluetooth devices */ 294 { USB_DEVICE(0x8087, 0x07da), .driver_info = BTUSB_CSR }, 295 { USB_DEVICE(0x8087, 0x07dc), .driver_info = BTUSB_INTEL }, 296 { USB_DEVICE(0x8087, 0x0a2a), .driver_info = BTUSB_INTEL }, 297 { USB_DEVICE(0x8087, 0x0a2b), .driver_info = BTUSB_INTEL_NEW }, 298 299 /* Other Intel Bluetooth devices */ 300 { USB_VENDOR_AND_INTERFACE_INFO(0x8087, 0xe0, 0x01, 0x01), 301 .driver_info = BTUSB_IGNORE }, 302 303 /* Realtek Bluetooth devices */ 304 { USB_VENDOR_AND_INTERFACE_INFO(0x0bda, 0xe0, 0x01, 0x01), 305 .driver_info = BTUSB_REALTEK }, 306 307 /* Additional Realtek 8723AE Bluetooth devices */ 308 { USB_DEVICE(0x0930, 0x021d), .driver_info = BTUSB_REALTEK }, 309 { USB_DEVICE(0x13d3, 0x3394), .driver_info = BTUSB_REALTEK }, 310 311 /* Additional Realtek 8723BE Bluetooth devices */ 312 { USB_DEVICE(0x0489, 0xe085), .driver_info = BTUSB_REALTEK }, 313 { USB_DEVICE(0x0489, 0xe08b), .driver_info = BTUSB_REALTEK }, 314 { USB_DEVICE(0x13d3, 0x3410), .driver_info = BTUSB_REALTEK }, 315 { USB_DEVICE(0x13d3, 0x3416), .driver_info = BTUSB_REALTEK }, 316 { USB_DEVICE(0x13d3, 0x3459), .driver_info = BTUSB_REALTEK }, 317 318 /* Additional Realtek 8821AE Bluetooth devices */ 319 { USB_DEVICE(0x0b05, 0x17dc), .driver_info = BTUSB_REALTEK }, 320 { USB_DEVICE(0x13d3, 0x3414), .driver_info = BTUSB_REALTEK }, 321 { USB_DEVICE(0x13d3, 0x3458), .driver_info = BTUSB_REALTEK }, 322 { USB_DEVICE(0x13d3, 0x3461), .driver_info = BTUSB_REALTEK }, 323 { USB_DEVICE(0x13d3, 0x3462), .driver_info = BTUSB_REALTEK }, 324 325 { } /* Terminating entry */ 326 }; 327 328 #define BTUSB_MAX_ISOC_FRAMES 10 329 330 #define BTUSB_INTR_RUNNING 0 331 #define BTUSB_BULK_RUNNING 1 332 #define BTUSB_ISOC_RUNNING 2 333 #define BTUSB_SUSPENDING 3 334 #define BTUSB_DID_ISO_RESUME 4 335 #define BTUSB_BOOTLOADER 5 336 #define BTUSB_DOWNLOADING 6 337 #define BTUSB_FIRMWARE_LOADED 7 338 #define BTUSB_FIRMWARE_FAILED 8 339 #define BTUSB_BOOTING 9 340 #define BTUSB_RESET_RESUME 10 341 342 struct btusb_data { 343 struct hci_dev *hdev; 344 struct usb_device *udev; 345 struct usb_interface *intf; 346 struct usb_interface *isoc; 347 348 unsigned long flags; 349 350 struct work_struct work; 351 struct work_struct waker; 352 353 struct usb_anchor deferred; 354 struct usb_anchor tx_anchor; 355 int tx_in_flight; 356 spinlock_t txlock; 357 358 struct usb_anchor intr_anchor; 359 struct usb_anchor bulk_anchor; 360 struct usb_anchor isoc_anchor; 361 spinlock_t rxlock; 362 363 struct sk_buff *evt_skb; 364 struct sk_buff *acl_skb; 365 struct sk_buff *sco_skb; 366 367 struct usb_endpoint_descriptor *intr_ep; 368 struct usb_endpoint_descriptor *bulk_tx_ep; 369 struct usb_endpoint_descriptor *bulk_rx_ep; 370 struct usb_endpoint_descriptor *isoc_tx_ep; 371 struct usb_endpoint_descriptor *isoc_rx_ep; 372 373 __u8 cmdreq_type; 374 __u8 cmdreq; 375 376 unsigned int sco_num; 377 int isoc_altsetting; 378 int suspend_count; 379 380 int (*recv_event)(struct hci_dev *hdev, struct sk_buff *skb); 381 int (*recv_bulk)(struct btusb_data *data, void *buffer, int count); 382 383 int (*setup_on_usb)(struct hci_dev *hdev); 384 }; 385 386 static inline void btusb_free_frags(struct btusb_data *data) 387 { 388 unsigned long flags; 389 390 spin_lock_irqsave(&data->rxlock, flags); 391 392 kfree_skb(data->evt_skb); 393 data->evt_skb = NULL; 394 395 kfree_skb(data->acl_skb); 396 data->acl_skb = NULL; 397 398 kfree_skb(data->sco_skb); 399 data->sco_skb = NULL; 400 401 spin_unlock_irqrestore(&data->rxlock, flags); 402 } 403 404 static int btusb_recv_intr(struct btusb_data *data, void *buffer, int count) 405 { 406 struct sk_buff *skb; 407 int err = 0; 408 409 spin_lock(&data->rxlock); 410 skb = data->evt_skb; 411 412 while (count) { 413 int len; 414 415 if (!skb) { 416 skb = bt_skb_alloc(HCI_MAX_EVENT_SIZE, GFP_ATOMIC); 417 if (!skb) { 418 err = -ENOMEM; 419 break; 420 } 421 422 bt_cb(skb)->pkt_type = HCI_EVENT_PKT; 423 bt_cb(skb)->expect = HCI_EVENT_HDR_SIZE; 424 } 425 426 len = min_t(uint, bt_cb(skb)->expect, count); 427 memcpy(skb_put(skb, len), buffer, len); 428 429 count -= len; 430 buffer += len; 431 bt_cb(skb)->expect -= len; 432 433 if (skb->len == HCI_EVENT_HDR_SIZE) { 434 /* Complete event header */ 435 bt_cb(skb)->expect = hci_event_hdr(skb)->plen; 436 437 if (skb_tailroom(skb) < bt_cb(skb)->expect) { 438 kfree_skb(skb); 439 skb = NULL; 440 441 err = -EILSEQ; 442 break; 443 } 444 } 445 446 if (bt_cb(skb)->expect == 0) { 447 /* Complete frame */ 448 data->recv_event(data->hdev, skb); 449 skb = NULL; 450 } 451 } 452 453 data->evt_skb = skb; 454 spin_unlock(&data->rxlock); 455 456 return err; 457 } 458 459 static int btusb_recv_bulk(struct btusb_data *data, void *buffer, int count) 460 { 461 struct sk_buff *skb; 462 int err = 0; 463 464 spin_lock(&data->rxlock); 465 skb = data->acl_skb; 466 467 while (count) { 468 int len; 469 470 if (!skb) { 471 skb = bt_skb_alloc(HCI_MAX_FRAME_SIZE, GFP_ATOMIC); 472 if (!skb) { 473 err = -ENOMEM; 474 break; 475 } 476 477 bt_cb(skb)->pkt_type = HCI_ACLDATA_PKT; 478 bt_cb(skb)->expect = HCI_ACL_HDR_SIZE; 479 } 480 481 len = min_t(uint, bt_cb(skb)->expect, count); 482 memcpy(skb_put(skb, len), buffer, len); 483 484 count -= len; 485 buffer += len; 486 bt_cb(skb)->expect -= len; 487 488 if (skb->len == HCI_ACL_HDR_SIZE) { 489 __le16 dlen = hci_acl_hdr(skb)->dlen; 490 491 /* Complete ACL header */ 492 bt_cb(skb)->expect = __le16_to_cpu(dlen); 493 494 if (skb_tailroom(skb) < bt_cb(skb)->expect) { 495 kfree_skb(skb); 496 skb = NULL; 497 498 err = -EILSEQ; 499 break; 500 } 501 } 502 503 if (bt_cb(skb)->expect == 0) { 504 /* Complete frame */ 505 hci_recv_frame(data->hdev, skb); 506 skb = NULL; 507 } 508 } 509 510 data->acl_skb = skb; 511 spin_unlock(&data->rxlock); 512 513 return err; 514 } 515 516 static int btusb_recv_isoc(struct btusb_data *data, void *buffer, int count) 517 { 518 struct sk_buff *skb; 519 int err = 0; 520 521 spin_lock(&data->rxlock); 522 skb = data->sco_skb; 523 524 while (count) { 525 int len; 526 527 if (!skb) { 528 skb = bt_skb_alloc(HCI_MAX_SCO_SIZE, GFP_ATOMIC); 529 if (!skb) { 530 err = -ENOMEM; 531 break; 532 } 533 534 bt_cb(skb)->pkt_type = HCI_SCODATA_PKT; 535 bt_cb(skb)->expect = HCI_SCO_HDR_SIZE; 536 } 537 538 len = min_t(uint, bt_cb(skb)->expect, count); 539 memcpy(skb_put(skb, len), buffer, len); 540 541 count -= len; 542 buffer += len; 543 bt_cb(skb)->expect -= len; 544 545 if (skb->len == HCI_SCO_HDR_SIZE) { 546 /* Complete SCO header */ 547 bt_cb(skb)->expect = hci_sco_hdr(skb)->dlen; 548 549 if (skb_tailroom(skb) < bt_cb(skb)->expect) { 550 kfree_skb(skb); 551 skb = NULL; 552 553 err = -EILSEQ; 554 break; 555 } 556 } 557 558 if (bt_cb(skb)->expect == 0) { 559 /* Complete frame */ 560 hci_recv_frame(data->hdev, skb); 561 skb = NULL; 562 } 563 } 564 565 data->sco_skb = skb; 566 spin_unlock(&data->rxlock); 567 568 return err; 569 } 570 571 static void btusb_intr_complete(struct urb *urb) 572 { 573 struct hci_dev *hdev = urb->context; 574 struct btusb_data *data = hci_get_drvdata(hdev); 575 int err; 576 577 BT_DBG("%s urb %p status %d count %d", hdev->name, urb, urb->status, 578 urb->actual_length); 579 580 if (!test_bit(HCI_RUNNING, &hdev->flags)) 581 return; 582 583 if (urb->status == 0) { 584 hdev->stat.byte_rx += urb->actual_length; 585 586 if (btusb_recv_intr(data, urb->transfer_buffer, 587 urb->actual_length) < 0) { 588 BT_ERR("%s corrupted event packet", hdev->name); 589 hdev->stat.err_rx++; 590 } 591 } else if (urb->status == -ENOENT) { 592 /* Avoid suspend failed when usb_kill_urb */ 593 return; 594 } 595 596 if (!test_bit(BTUSB_INTR_RUNNING, &data->flags)) 597 return; 598 599 usb_mark_last_busy(data->udev); 600 usb_anchor_urb(urb, &data->intr_anchor); 601 602 err = usb_submit_urb(urb, GFP_ATOMIC); 603 if (err < 0) { 604 /* -EPERM: urb is being killed; 605 * -ENODEV: device got disconnected */ 606 if (err != -EPERM && err != -ENODEV) 607 BT_ERR("%s urb %p failed to resubmit (%d)", 608 hdev->name, urb, -err); 609 usb_unanchor_urb(urb); 610 } 611 } 612 613 static int btusb_submit_intr_urb(struct hci_dev *hdev, gfp_t mem_flags) 614 { 615 struct btusb_data *data = hci_get_drvdata(hdev); 616 struct urb *urb; 617 unsigned char *buf; 618 unsigned int pipe; 619 int err, size; 620 621 BT_DBG("%s", hdev->name); 622 623 if (!data->intr_ep) 624 return -ENODEV; 625 626 urb = usb_alloc_urb(0, mem_flags); 627 if (!urb) 628 return -ENOMEM; 629 630 size = le16_to_cpu(data->intr_ep->wMaxPacketSize); 631 632 buf = kmalloc(size, mem_flags); 633 if (!buf) { 634 usb_free_urb(urb); 635 return -ENOMEM; 636 } 637 638 pipe = usb_rcvintpipe(data->udev, data->intr_ep->bEndpointAddress); 639 640 usb_fill_int_urb(urb, data->udev, pipe, buf, size, 641 btusb_intr_complete, hdev, data->intr_ep->bInterval); 642 643 urb->transfer_flags |= URB_FREE_BUFFER; 644 645 usb_anchor_urb(urb, &data->intr_anchor); 646 647 err = usb_submit_urb(urb, mem_flags); 648 if (err < 0) { 649 if (err != -EPERM && err != -ENODEV) 650 BT_ERR("%s urb %p submission failed (%d)", 651 hdev->name, urb, -err); 652 usb_unanchor_urb(urb); 653 } 654 655 usb_free_urb(urb); 656 657 return err; 658 } 659 660 static void btusb_bulk_complete(struct urb *urb) 661 { 662 struct hci_dev *hdev = urb->context; 663 struct btusb_data *data = hci_get_drvdata(hdev); 664 int err; 665 666 BT_DBG("%s urb %p status %d count %d", hdev->name, urb, urb->status, 667 urb->actual_length); 668 669 if (!test_bit(HCI_RUNNING, &hdev->flags)) 670 return; 671 672 if (urb->status == 0) { 673 hdev->stat.byte_rx += urb->actual_length; 674 675 if (data->recv_bulk(data, urb->transfer_buffer, 676 urb->actual_length) < 0) { 677 BT_ERR("%s corrupted ACL packet", hdev->name); 678 hdev->stat.err_rx++; 679 } 680 } else if (urb->status == -ENOENT) { 681 /* Avoid suspend failed when usb_kill_urb */ 682 return; 683 } 684 685 if (!test_bit(BTUSB_BULK_RUNNING, &data->flags)) 686 return; 687 688 usb_anchor_urb(urb, &data->bulk_anchor); 689 usb_mark_last_busy(data->udev); 690 691 err = usb_submit_urb(urb, GFP_ATOMIC); 692 if (err < 0) { 693 /* -EPERM: urb is being killed; 694 * -ENODEV: device got disconnected */ 695 if (err != -EPERM && err != -ENODEV) 696 BT_ERR("%s urb %p failed to resubmit (%d)", 697 hdev->name, urb, -err); 698 usb_unanchor_urb(urb); 699 } 700 } 701 702 static int btusb_submit_bulk_urb(struct hci_dev *hdev, gfp_t mem_flags) 703 { 704 struct btusb_data *data = hci_get_drvdata(hdev); 705 struct urb *urb; 706 unsigned char *buf; 707 unsigned int pipe; 708 int err, size = HCI_MAX_FRAME_SIZE; 709 710 BT_DBG("%s", hdev->name); 711 712 if (!data->bulk_rx_ep) 713 return -ENODEV; 714 715 urb = usb_alloc_urb(0, mem_flags); 716 if (!urb) 717 return -ENOMEM; 718 719 buf = kmalloc(size, mem_flags); 720 if (!buf) { 721 usb_free_urb(urb); 722 return -ENOMEM; 723 } 724 725 pipe = usb_rcvbulkpipe(data->udev, data->bulk_rx_ep->bEndpointAddress); 726 727 usb_fill_bulk_urb(urb, data->udev, pipe, buf, size, 728 btusb_bulk_complete, hdev); 729 730 urb->transfer_flags |= URB_FREE_BUFFER; 731 732 usb_mark_last_busy(data->udev); 733 usb_anchor_urb(urb, &data->bulk_anchor); 734 735 err = usb_submit_urb(urb, mem_flags); 736 if (err < 0) { 737 if (err != -EPERM && err != -ENODEV) 738 BT_ERR("%s urb %p submission failed (%d)", 739 hdev->name, urb, -err); 740 usb_unanchor_urb(urb); 741 } 742 743 usb_free_urb(urb); 744 745 return err; 746 } 747 748 static void btusb_isoc_complete(struct urb *urb) 749 { 750 struct hci_dev *hdev = urb->context; 751 struct btusb_data *data = hci_get_drvdata(hdev); 752 int i, err; 753 754 BT_DBG("%s urb %p status %d count %d", hdev->name, urb, urb->status, 755 urb->actual_length); 756 757 if (!test_bit(HCI_RUNNING, &hdev->flags)) 758 return; 759 760 if (urb->status == 0) { 761 for (i = 0; i < urb->number_of_packets; i++) { 762 unsigned int offset = urb->iso_frame_desc[i].offset; 763 unsigned int length = urb->iso_frame_desc[i].actual_length; 764 765 if (urb->iso_frame_desc[i].status) 766 continue; 767 768 hdev->stat.byte_rx += length; 769 770 if (btusb_recv_isoc(data, urb->transfer_buffer + offset, 771 length) < 0) { 772 BT_ERR("%s corrupted SCO packet", hdev->name); 773 hdev->stat.err_rx++; 774 } 775 } 776 } else if (urb->status == -ENOENT) { 777 /* Avoid suspend failed when usb_kill_urb */ 778 return; 779 } 780 781 if (!test_bit(BTUSB_ISOC_RUNNING, &data->flags)) 782 return; 783 784 usb_anchor_urb(urb, &data->isoc_anchor); 785 786 err = usb_submit_urb(urb, GFP_ATOMIC); 787 if (err < 0) { 788 /* -EPERM: urb is being killed; 789 * -ENODEV: device got disconnected */ 790 if (err != -EPERM && err != -ENODEV) 791 BT_ERR("%s urb %p failed to resubmit (%d)", 792 hdev->name, urb, -err); 793 usb_unanchor_urb(urb); 794 } 795 } 796 797 static inline void __fill_isoc_descriptor(struct urb *urb, int len, int mtu) 798 { 799 int i, offset = 0; 800 801 BT_DBG("len %d mtu %d", len, mtu); 802 803 for (i = 0; i < BTUSB_MAX_ISOC_FRAMES && len >= mtu; 804 i++, offset += mtu, len -= mtu) { 805 urb->iso_frame_desc[i].offset = offset; 806 urb->iso_frame_desc[i].length = mtu; 807 } 808 809 if (len && i < BTUSB_MAX_ISOC_FRAMES) { 810 urb->iso_frame_desc[i].offset = offset; 811 urb->iso_frame_desc[i].length = len; 812 i++; 813 } 814 815 urb->number_of_packets = i; 816 } 817 818 static int btusb_submit_isoc_urb(struct hci_dev *hdev, gfp_t mem_flags) 819 { 820 struct btusb_data *data = hci_get_drvdata(hdev); 821 struct urb *urb; 822 unsigned char *buf; 823 unsigned int pipe; 824 int err, size; 825 826 BT_DBG("%s", hdev->name); 827 828 if (!data->isoc_rx_ep) 829 return -ENODEV; 830 831 urb = usb_alloc_urb(BTUSB_MAX_ISOC_FRAMES, mem_flags); 832 if (!urb) 833 return -ENOMEM; 834 835 size = le16_to_cpu(data->isoc_rx_ep->wMaxPacketSize) * 836 BTUSB_MAX_ISOC_FRAMES; 837 838 buf = kmalloc(size, mem_flags); 839 if (!buf) { 840 usb_free_urb(urb); 841 return -ENOMEM; 842 } 843 844 pipe = usb_rcvisocpipe(data->udev, data->isoc_rx_ep->bEndpointAddress); 845 846 usb_fill_int_urb(urb, data->udev, pipe, buf, size, btusb_isoc_complete, 847 hdev, data->isoc_rx_ep->bInterval); 848 849 urb->transfer_flags = URB_FREE_BUFFER | URB_ISO_ASAP; 850 851 __fill_isoc_descriptor(urb, size, 852 le16_to_cpu(data->isoc_rx_ep->wMaxPacketSize)); 853 854 usb_anchor_urb(urb, &data->isoc_anchor); 855 856 err = usb_submit_urb(urb, mem_flags); 857 if (err < 0) { 858 if (err != -EPERM && err != -ENODEV) 859 BT_ERR("%s urb %p submission failed (%d)", 860 hdev->name, urb, -err); 861 usb_unanchor_urb(urb); 862 } 863 864 usb_free_urb(urb); 865 866 return err; 867 } 868 869 static void btusb_tx_complete(struct urb *urb) 870 { 871 struct sk_buff *skb = urb->context; 872 struct hci_dev *hdev = (struct hci_dev *)skb->dev; 873 struct btusb_data *data = hci_get_drvdata(hdev); 874 875 BT_DBG("%s urb %p status %d count %d", hdev->name, urb, urb->status, 876 urb->actual_length); 877 878 if (!test_bit(HCI_RUNNING, &hdev->flags)) 879 goto done; 880 881 if (!urb->status) 882 hdev->stat.byte_tx += urb->transfer_buffer_length; 883 else 884 hdev->stat.err_tx++; 885 886 done: 887 spin_lock(&data->txlock); 888 data->tx_in_flight--; 889 spin_unlock(&data->txlock); 890 891 kfree(urb->setup_packet); 892 893 kfree_skb(skb); 894 } 895 896 static void btusb_isoc_tx_complete(struct urb *urb) 897 { 898 struct sk_buff *skb = urb->context; 899 struct hci_dev *hdev = (struct hci_dev *)skb->dev; 900 901 BT_DBG("%s urb %p status %d count %d", hdev->name, urb, urb->status, 902 urb->actual_length); 903 904 if (!test_bit(HCI_RUNNING, &hdev->flags)) 905 goto done; 906 907 if (!urb->status) 908 hdev->stat.byte_tx += urb->transfer_buffer_length; 909 else 910 hdev->stat.err_tx++; 911 912 done: 913 kfree(urb->setup_packet); 914 915 kfree_skb(skb); 916 } 917 918 static int btusb_open(struct hci_dev *hdev) 919 { 920 struct btusb_data *data = hci_get_drvdata(hdev); 921 int err; 922 923 BT_DBG("%s", hdev->name); 924 925 /* Patching USB firmware files prior to starting any URBs of HCI path 926 * It is more safe to use USB bulk channel for downloading USB patch 927 */ 928 if (data->setup_on_usb) { 929 err = data->setup_on_usb(hdev); 930 if (err < 0) 931 return err; 932 } 933 934 err = usb_autopm_get_interface(data->intf); 935 if (err < 0) 936 return err; 937 938 data->intf->needs_remote_wakeup = 1; 939 940 if (test_and_set_bit(HCI_RUNNING, &hdev->flags)) 941 goto done; 942 943 if (test_and_set_bit(BTUSB_INTR_RUNNING, &data->flags)) 944 goto done; 945 946 err = btusb_submit_intr_urb(hdev, GFP_KERNEL); 947 if (err < 0) 948 goto failed; 949 950 err = btusb_submit_bulk_urb(hdev, GFP_KERNEL); 951 if (err < 0) { 952 usb_kill_anchored_urbs(&data->intr_anchor); 953 goto failed; 954 } 955 956 set_bit(BTUSB_BULK_RUNNING, &data->flags); 957 btusb_submit_bulk_urb(hdev, GFP_KERNEL); 958 959 done: 960 usb_autopm_put_interface(data->intf); 961 return 0; 962 963 failed: 964 clear_bit(BTUSB_INTR_RUNNING, &data->flags); 965 clear_bit(HCI_RUNNING, &hdev->flags); 966 usb_autopm_put_interface(data->intf); 967 return err; 968 } 969 970 static void btusb_stop_traffic(struct btusb_data *data) 971 { 972 usb_kill_anchored_urbs(&data->intr_anchor); 973 usb_kill_anchored_urbs(&data->bulk_anchor); 974 usb_kill_anchored_urbs(&data->isoc_anchor); 975 } 976 977 static int btusb_close(struct hci_dev *hdev) 978 { 979 struct btusb_data *data = hci_get_drvdata(hdev); 980 int err; 981 982 BT_DBG("%s", hdev->name); 983 984 if (!test_and_clear_bit(HCI_RUNNING, &hdev->flags)) 985 return 0; 986 987 cancel_work_sync(&data->work); 988 cancel_work_sync(&data->waker); 989 990 clear_bit(BTUSB_ISOC_RUNNING, &data->flags); 991 clear_bit(BTUSB_BULK_RUNNING, &data->flags); 992 clear_bit(BTUSB_INTR_RUNNING, &data->flags); 993 994 btusb_stop_traffic(data); 995 btusb_free_frags(data); 996 997 err = usb_autopm_get_interface(data->intf); 998 if (err < 0) 999 goto failed; 1000 1001 data->intf->needs_remote_wakeup = 0; 1002 usb_autopm_put_interface(data->intf); 1003 1004 failed: 1005 usb_scuttle_anchored_urbs(&data->deferred); 1006 return 0; 1007 } 1008 1009 static int btusb_flush(struct hci_dev *hdev) 1010 { 1011 struct btusb_data *data = hci_get_drvdata(hdev); 1012 1013 BT_DBG("%s", hdev->name); 1014 1015 usb_kill_anchored_urbs(&data->tx_anchor); 1016 btusb_free_frags(data); 1017 1018 return 0; 1019 } 1020 1021 static struct urb *alloc_ctrl_urb(struct hci_dev *hdev, struct sk_buff *skb) 1022 { 1023 struct btusb_data *data = hci_get_drvdata(hdev); 1024 struct usb_ctrlrequest *dr; 1025 struct urb *urb; 1026 unsigned int pipe; 1027 1028 urb = usb_alloc_urb(0, GFP_KERNEL); 1029 if (!urb) 1030 return ERR_PTR(-ENOMEM); 1031 1032 dr = kmalloc(sizeof(*dr), GFP_KERNEL); 1033 if (!dr) { 1034 usb_free_urb(urb); 1035 return ERR_PTR(-ENOMEM); 1036 } 1037 1038 dr->bRequestType = data->cmdreq_type; 1039 dr->bRequest = data->cmdreq; 1040 dr->wIndex = 0; 1041 dr->wValue = 0; 1042 dr->wLength = __cpu_to_le16(skb->len); 1043 1044 pipe = usb_sndctrlpipe(data->udev, 0x00); 1045 1046 usb_fill_control_urb(urb, data->udev, pipe, (void *)dr, 1047 skb->data, skb->len, btusb_tx_complete, skb); 1048 1049 skb->dev = (void *)hdev; 1050 1051 return urb; 1052 } 1053 1054 static struct urb *alloc_bulk_urb(struct hci_dev *hdev, struct sk_buff *skb) 1055 { 1056 struct btusb_data *data = hci_get_drvdata(hdev); 1057 struct urb *urb; 1058 unsigned int pipe; 1059 1060 if (!data->bulk_tx_ep) 1061 return ERR_PTR(-ENODEV); 1062 1063 urb = usb_alloc_urb(0, GFP_KERNEL); 1064 if (!urb) 1065 return ERR_PTR(-ENOMEM); 1066 1067 pipe = usb_sndbulkpipe(data->udev, data->bulk_tx_ep->bEndpointAddress); 1068 1069 usb_fill_bulk_urb(urb, data->udev, pipe, 1070 skb->data, skb->len, btusb_tx_complete, skb); 1071 1072 skb->dev = (void *)hdev; 1073 1074 return urb; 1075 } 1076 1077 static struct urb *alloc_isoc_urb(struct hci_dev *hdev, struct sk_buff *skb) 1078 { 1079 struct btusb_data *data = hci_get_drvdata(hdev); 1080 struct urb *urb; 1081 unsigned int pipe; 1082 1083 if (!data->isoc_tx_ep) 1084 return ERR_PTR(-ENODEV); 1085 1086 urb = usb_alloc_urb(BTUSB_MAX_ISOC_FRAMES, GFP_KERNEL); 1087 if (!urb) 1088 return ERR_PTR(-ENOMEM); 1089 1090 pipe = usb_sndisocpipe(data->udev, data->isoc_tx_ep->bEndpointAddress); 1091 1092 usb_fill_int_urb(urb, data->udev, pipe, 1093 skb->data, skb->len, btusb_isoc_tx_complete, 1094 skb, data->isoc_tx_ep->bInterval); 1095 1096 urb->transfer_flags = URB_ISO_ASAP; 1097 1098 __fill_isoc_descriptor(urb, skb->len, 1099 le16_to_cpu(data->isoc_tx_ep->wMaxPacketSize)); 1100 1101 skb->dev = (void *)hdev; 1102 1103 return urb; 1104 } 1105 1106 static int submit_tx_urb(struct hci_dev *hdev, struct urb *urb) 1107 { 1108 struct btusb_data *data = hci_get_drvdata(hdev); 1109 int err; 1110 1111 usb_anchor_urb(urb, &data->tx_anchor); 1112 1113 err = usb_submit_urb(urb, GFP_KERNEL); 1114 if (err < 0) { 1115 if (err != -EPERM && err != -ENODEV) 1116 BT_ERR("%s urb %p submission failed (%d)", 1117 hdev->name, urb, -err); 1118 kfree(urb->setup_packet); 1119 usb_unanchor_urb(urb); 1120 } else { 1121 usb_mark_last_busy(data->udev); 1122 } 1123 1124 usb_free_urb(urb); 1125 return err; 1126 } 1127 1128 static int submit_or_queue_tx_urb(struct hci_dev *hdev, struct urb *urb) 1129 { 1130 struct btusb_data *data = hci_get_drvdata(hdev); 1131 unsigned long flags; 1132 bool suspending; 1133 1134 spin_lock_irqsave(&data->txlock, flags); 1135 suspending = test_bit(BTUSB_SUSPENDING, &data->flags); 1136 if (!suspending) 1137 data->tx_in_flight++; 1138 spin_unlock_irqrestore(&data->txlock, flags); 1139 1140 if (!suspending) 1141 return submit_tx_urb(hdev, urb); 1142 1143 usb_anchor_urb(urb, &data->deferred); 1144 schedule_work(&data->waker); 1145 1146 usb_free_urb(urb); 1147 return 0; 1148 } 1149 1150 static int btusb_send_frame(struct hci_dev *hdev, struct sk_buff *skb) 1151 { 1152 struct urb *urb; 1153 1154 BT_DBG("%s", hdev->name); 1155 1156 if (!test_bit(HCI_RUNNING, &hdev->flags)) 1157 return -EBUSY; 1158 1159 switch (bt_cb(skb)->pkt_type) { 1160 case HCI_COMMAND_PKT: 1161 urb = alloc_ctrl_urb(hdev, skb); 1162 if (IS_ERR(urb)) 1163 return PTR_ERR(urb); 1164 1165 hdev->stat.cmd_tx++; 1166 return submit_or_queue_tx_urb(hdev, urb); 1167 1168 case HCI_ACLDATA_PKT: 1169 urb = alloc_bulk_urb(hdev, skb); 1170 if (IS_ERR(urb)) 1171 return PTR_ERR(urb); 1172 1173 hdev->stat.acl_tx++; 1174 return submit_or_queue_tx_urb(hdev, urb); 1175 1176 case HCI_SCODATA_PKT: 1177 if (hci_conn_num(hdev, SCO_LINK) < 1) 1178 return -ENODEV; 1179 1180 urb = alloc_isoc_urb(hdev, skb); 1181 if (IS_ERR(urb)) 1182 return PTR_ERR(urb); 1183 1184 hdev->stat.sco_tx++; 1185 return submit_tx_urb(hdev, urb); 1186 } 1187 1188 return -EILSEQ; 1189 } 1190 1191 static void btusb_notify(struct hci_dev *hdev, unsigned int evt) 1192 { 1193 struct btusb_data *data = hci_get_drvdata(hdev); 1194 1195 BT_DBG("%s evt %d", hdev->name, evt); 1196 1197 if (hci_conn_num(hdev, SCO_LINK) != data->sco_num) { 1198 data->sco_num = hci_conn_num(hdev, SCO_LINK); 1199 schedule_work(&data->work); 1200 } 1201 } 1202 1203 static inline int __set_isoc_interface(struct hci_dev *hdev, int altsetting) 1204 { 1205 struct btusb_data *data = hci_get_drvdata(hdev); 1206 struct usb_interface *intf = data->isoc; 1207 struct usb_endpoint_descriptor *ep_desc; 1208 int i, err; 1209 1210 if (!data->isoc) 1211 return -ENODEV; 1212 1213 err = usb_set_interface(data->udev, 1, altsetting); 1214 if (err < 0) { 1215 BT_ERR("%s setting interface failed (%d)", hdev->name, -err); 1216 return err; 1217 } 1218 1219 data->isoc_altsetting = altsetting; 1220 1221 data->isoc_tx_ep = NULL; 1222 data->isoc_rx_ep = NULL; 1223 1224 for (i = 0; i < intf->cur_altsetting->desc.bNumEndpoints; i++) { 1225 ep_desc = &intf->cur_altsetting->endpoint[i].desc; 1226 1227 if (!data->isoc_tx_ep && usb_endpoint_is_isoc_out(ep_desc)) { 1228 data->isoc_tx_ep = ep_desc; 1229 continue; 1230 } 1231 1232 if (!data->isoc_rx_ep && usb_endpoint_is_isoc_in(ep_desc)) { 1233 data->isoc_rx_ep = ep_desc; 1234 continue; 1235 } 1236 } 1237 1238 if (!data->isoc_tx_ep || !data->isoc_rx_ep) { 1239 BT_ERR("%s invalid SCO descriptors", hdev->name); 1240 return -ENODEV; 1241 } 1242 1243 return 0; 1244 } 1245 1246 static void btusb_work(struct work_struct *work) 1247 { 1248 struct btusb_data *data = container_of(work, struct btusb_data, work); 1249 struct hci_dev *hdev = data->hdev; 1250 int new_alts; 1251 int err; 1252 1253 if (data->sco_num > 0) { 1254 if (!test_bit(BTUSB_DID_ISO_RESUME, &data->flags)) { 1255 err = usb_autopm_get_interface(data->isoc ? data->isoc : data->intf); 1256 if (err < 0) { 1257 clear_bit(BTUSB_ISOC_RUNNING, &data->flags); 1258 usb_kill_anchored_urbs(&data->isoc_anchor); 1259 return; 1260 } 1261 1262 set_bit(BTUSB_DID_ISO_RESUME, &data->flags); 1263 } 1264 1265 if (hdev->voice_setting & 0x0020) { 1266 static const int alts[3] = { 2, 4, 5 }; 1267 1268 new_alts = alts[data->sco_num - 1]; 1269 } else { 1270 new_alts = data->sco_num; 1271 } 1272 1273 if (data->isoc_altsetting != new_alts) { 1274 clear_bit(BTUSB_ISOC_RUNNING, &data->flags); 1275 usb_kill_anchored_urbs(&data->isoc_anchor); 1276 1277 if (__set_isoc_interface(hdev, new_alts) < 0) 1278 return; 1279 } 1280 1281 if (!test_and_set_bit(BTUSB_ISOC_RUNNING, &data->flags)) { 1282 if (btusb_submit_isoc_urb(hdev, GFP_KERNEL) < 0) 1283 clear_bit(BTUSB_ISOC_RUNNING, &data->flags); 1284 else 1285 btusb_submit_isoc_urb(hdev, GFP_KERNEL); 1286 } 1287 } else { 1288 clear_bit(BTUSB_ISOC_RUNNING, &data->flags); 1289 usb_kill_anchored_urbs(&data->isoc_anchor); 1290 1291 __set_isoc_interface(hdev, 0); 1292 if (test_and_clear_bit(BTUSB_DID_ISO_RESUME, &data->flags)) 1293 usb_autopm_put_interface(data->isoc ? data->isoc : data->intf); 1294 } 1295 } 1296 1297 static void btusb_waker(struct work_struct *work) 1298 { 1299 struct btusb_data *data = container_of(work, struct btusb_data, waker); 1300 int err; 1301 1302 err = usb_autopm_get_interface(data->intf); 1303 if (err < 0) 1304 return; 1305 1306 usb_autopm_put_interface(data->intf); 1307 } 1308 1309 static int btusb_setup_bcm92035(struct hci_dev *hdev) 1310 { 1311 struct sk_buff *skb; 1312 u8 val = 0x00; 1313 1314 BT_DBG("%s", hdev->name); 1315 1316 skb = __hci_cmd_sync(hdev, 0xfc3b, 1, &val, HCI_INIT_TIMEOUT); 1317 if (IS_ERR(skb)) 1318 BT_ERR("BCM92035 command failed (%ld)", -PTR_ERR(skb)); 1319 else 1320 kfree_skb(skb); 1321 1322 return 0; 1323 } 1324 1325 static int btusb_setup_csr(struct hci_dev *hdev) 1326 { 1327 struct hci_rp_read_local_version *rp; 1328 struct sk_buff *skb; 1329 1330 BT_DBG("%s", hdev->name); 1331 1332 skb = __hci_cmd_sync(hdev, HCI_OP_READ_LOCAL_VERSION, 0, NULL, 1333 HCI_INIT_TIMEOUT); 1334 if (IS_ERR(skb)) { 1335 int err = PTR_ERR(skb); 1336 BT_ERR("%s: CSR: Local version failed (%d)", hdev->name, err); 1337 return err; 1338 } 1339 1340 if (skb->len != sizeof(struct hci_rp_read_local_version)) { 1341 BT_ERR("%s: CSR: Local version length mismatch", hdev->name); 1342 kfree_skb(skb); 1343 return -EIO; 1344 } 1345 1346 rp = (struct hci_rp_read_local_version *)skb->data; 1347 1348 if (le16_to_cpu(rp->manufacturer) != 10) { 1349 /* Clear the reset quirk since this is not an actual 1350 * early Bluetooth 1.1 device from CSR. 1351 */ 1352 clear_bit(HCI_QUIRK_RESET_ON_CLOSE, &hdev->quirks); 1353 1354 /* These fake CSR controllers have all a broken 1355 * stored link key handling and so just disable it. 1356 */ 1357 set_bit(HCI_QUIRK_BROKEN_STORED_LINK_KEY, &hdev->quirks); 1358 } 1359 1360 kfree_skb(skb); 1361 1362 return 0; 1363 } 1364 1365 static const struct firmware *btusb_setup_intel_get_fw(struct hci_dev *hdev, 1366 struct intel_version *ver) 1367 { 1368 const struct firmware *fw; 1369 char fwname[64]; 1370 int ret; 1371 1372 snprintf(fwname, sizeof(fwname), 1373 "intel/ibt-hw-%x.%x.%x-fw-%x.%x.%x.%x.%x.bseq", 1374 ver->hw_platform, ver->hw_variant, ver->hw_revision, 1375 ver->fw_variant, ver->fw_revision, ver->fw_build_num, 1376 ver->fw_build_ww, ver->fw_build_yy); 1377 1378 ret = request_firmware(&fw, fwname, &hdev->dev); 1379 if (ret < 0) { 1380 if (ret == -EINVAL) { 1381 BT_ERR("%s Intel firmware file request failed (%d)", 1382 hdev->name, ret); 1383 return NULL; 1384 } 1385 1386 BT_ERR("%s failed to open Intel firmware file: %s(%d)", 1387 hdev->name, fwname, ret); 1388 1389 /* If the correct firmware patch file is not found, use the 1390 * default firmware patch file instead 1391 */ 1392 snprintf(fwname, sizeof(fwname), "intel/ibt-hw-%x.%x.bseq", 1393 ver->hw_platform, ver->hw_variant); 1394 if (request_firmware(&fw, fwname, &hdev->dev) < 0) { 1395 BT_ERR("%s failed to open default Intel fw file: %s", 1396 hdev->name, fwname); 1397 return NULL; 1398 } 1399 } 1400 1401 BT_INFO("%s: Intel Bluetooth firmware file: %s", hdev->name, fwname); 1402 1403 return fw; 1404 } 1405 1406 static int btusb_setup_intel_patching(struct hci_dev *hdev, 1407 const struct firmware *fw, 1408 const u8 **fw_ptr, int *disable_patch) 1409 { 1410 struct sk_buff *skb; 1411 struct hci_command_hdr *cmd; 1412 const u8 *cmd_param; 1413 struct hci_event_hdr *evt = NULL; 1414 const u8 *evt_param = NULL; 1415 int remain = fw->size - (*fw_ptr - fw->data); 1416 1417 /* The first byte indicates the types of the patch command or event. 1418 * 0x01 means HCI command and 0x02 is HCI event. If the first bytes 1419 * in the current firmware buffer doesn't start with 0x01 or 1420 * the size of remain buffer is smaller than HCI command header, 1421 * the firmware file is corrupted and it should stop the patching 1422 * process. 1423 */ 1424 if (remain > HCI_COMMAND_HDR_SIZE && *fw_ptr[0] != 0x01) { 1425 BT_ERR("%s Intel fw corrupted: invalid cmd read", hdev->name); 1426 return -EINVAL; 1427 } 1428 (*fw_ptr)++; 1429 remain--; 1430 1431 cmd = (struct hci_command_hdr *)(*fw_ptr); 1432 *fw_ptr += sizeof(*cmd); 1433 remain -= sizeof(*cmd); 1434 1435 /* Ensure that the remain firmware data is long enough than the length 1436 * of command parameter. If not, the firmware file is corrupted. 1437 */ 1438 if (remain < cmd->plen) { 1439 BT_ERR("%s Intel fw corrupted: invalid cmd len", hdev->name); 1440 return -EFAULT; 1441 } 1442 1443 /* If there is a command that loads a patch in the firmware 1444 * file, then enable the patch upon success, otherwise just 1445 * disable the manufacturer mode, for example patch activation 1446 * is not required when the default firmware patch file is used 1447 * because there are no patch data to load. 1448 */ 1449 if (*disable_patch && le16_to_cpu(cmd->opcode) == 0xfc8e) 1450 *disable_patch = 0; 1451 1452 cmd_param = *fw_ptr; 1453 *fw_ptr += cmd->plen; 1454 remain -= cmd->plen; 1455 1456 /* This reads the expected events when the above command is sent to the 1457 * device. Some vendor commands expects more than one events, for 1458 * example command status event followed by vendor specific event. 1459 * For this case, it only keeps the last expected event. so the command 1460 * can be sent with __hci_cmd_sync_ev() which returns the sk_buff of 1461 * last expected event. 1462 */ 1463 while (remain > HCI_EVENT_HDR_SIZE && *fw_ptr[0] == 0x02) { 1464 (*fw_ptr)++; 1465 remain--; 1466 1467 evt = (struct hci_event_hdr *)(*fw_ptr); 1468 *fw_ptr += sizeof(*evt); 1469 remain -= sizeof(*evt); 1470 1471 if (remain < evt->plen) { 1472 BT_ERR("%s Intel fw corrupted: invalid evt len", 1473 hdev->name); 1474 return -EFAULT; 1475 } 1476 1477 evt_param = *fw_ptr; 1478 *fw_ptr += evt->plen; 1479 remain -= evt->plen; 1480 } 1481 1482 /* Every HCI commands in the firmware file has its correspond event. 1483 * If event is not found or remain is smaller than zero, the firmware 1484 * file is corrupted. 1485 */ 1486 if (!evt || !evt_param || remain < 0) { 1487 BT_ERR("%s Intel fw corrupted: invalid evt read", hdev->name); 1488 return -EFAULT; 1489 } 1490 1491 skb = __hci_cmd_sync_ev(hdev, le16_to_cpu(cmd->opcode), cmd->plen, 1492 cmd_param, evt->evt, HCI_INIT_TIMEOUT); 1493 if (IS_ERR(skb)) { 1494 BT_ERR("%s sending Intel patch command (0x%4.4x) failed (%ld)", 1495 hdev->name, cmd->opcode, PTR_ERR(skb)); 1496 return PTR_ERR(skb); 1497 } 1498 1499 /* It ensures that the returned event matches the event data read from 1500 * the firmware file. At fist, it checks the length and then 1501 * the contents of the event. 1502 */ 1503 if (skb->len != evt->plen) { 1504 BT_ERR("%s mismatch event length (opcode 0x%4.4x)", hdev->name, 1505 le16_to_cpu(cmd->opcode)); 1506 kfree_skb(skb); 1507 return -EFAULT; 1508 } 1509 1510 if (memcmp(skb->data, evt_param, evt->plen)) { 1511 BT_ERR("%s mismatch event parameter (opcode 0x%4.4x)", 1512 hdev->name, le16_to_cpu(cmd->opcode)); 1513 kfree_skb(skb); 1514 return -EFAULT; 1515 } 1516 kfree_skb(skb); 1517 1518 return 0; 1519 } 1520 1521 static int btusb_setup_intel(struct hci_dev *hdev) 1522 { 1523 struct sk_buff *skb; 1524 const struct firmware *fw; 1525 const u8 *fw_ptr; 1526 int disable_patch; 1527 struct intel_version *ver; 1528 1529 const u8 mfg_enable[] = { 0x01, 0x00 }; 1530 const u8 mfg_disable[] = { 0x00, 0x00 }; 1531 const u8 mfg_reset_deactivate[] = { 0x00, 0x01 }; 1532 const u8 mfg_reset_activate[] = { 0x00, 0x02 }; 1533 1534 BT_DBG("%s", hdev->name); 1535 1536 /* The controller has a bug with the first HCI command sent to it 1537 * returning number of completed commands as zero. This would stall the 1538 * command processing in the Bluetooth core. 1539 * 1540 * As a workaround, send HCI Reset command first which will reset the 1541 * number of completed commands and allow normal command processing 1542 * from now on. 1543 */ 1544 skb = __hci_cmd_sync(hdev, HCI_OP_RESET, 0, NULL, HCI_INIT_TIMEOUT); 1545 if (IS_ERR(skb)) { 1546 BT_ERR("%s sending initial HCI reset command failed (%ld)", 1547 hdev->name, PTR_ERR(skb)); 1548 return PTR_ERR(skb); 1549 } 1550 kfree_skb(skb); 1551 1552 /* Read Intel specific controller version first to allow selection of 1553 * which firmware file to load. 1554 * 1555 * The returned information are hardware variant and revision plus 1556 * firmware variant, revision and build number. 1557 */ 1558 skb = __hci_cmd_sync(hdev, 0xfc05, 0, NULL, HCI_INIT_TIMEOUT); 1559 if (IS_ERR(skb)) { 1560 BT_ERR("%s reading Intel fw version command failed (%ld)", 1561 hdev->name, PTR_ERR(skb)); 1562 return PTR_ERR(skb); 1563 } 1564 1565 if (skb->len != sizeof(*ver)) { 1566 BT_ERR("%s Intel version event length mismatch", hdev->name); 1567 kfree_skb(skb); 1568 return -EIO; 1569 } 1570 1571 ver = (struct intel_version *)skb->data; 1572 1573 BT_INFO("%s: read Intel version: %02x%02x%02x%02x%02x%02x%02x%02x%02x", 1574 hdev->name, ver->hw_platform, ver->hw_variant, 1575 ver->hw_revision, ver->fw_variant, ver->fw_revision, 1576 ver->fw_build_num, ver->fw_build_ww, ver->fw_build_yy, 1577 ver->fw_patch_num); 1578 1579 /* fw_patch_num indicates the version of patch the device currently 1580 * have. If there is no patch data in the device, it is always 0x00. 1581 * So, if it is other than 0x00, no need to patch the deivce again. 1582 */ 1583 if (ver->fw_patch_num) { 1584 BT_INFO("%s: Intel device is already patched. patch num: %02x", 1585 hdev->name, ver->fw_patch_num); 1586 kfree_skb(skb); 1587 btintel_check_bdaddr(hdev); 1588 return 0; 1589 } 1590 1591 /* Opens the firmware patch file based on the firmware version read 1592 * from the controller. If it fails to open the matching firmware 1593 * patch file, it tries to open the default firmware patch file. 1594 * If no patch file is found, allow the device to operate without 1595 * a patch. 1596 */ 1597 fw = btusb_setup_intel_get_fw(hdev, ver); 1598 if (!fw) { 1599 kfree_skb(skb); 1600 btintel_check_bdaddr(hdev); 1601 return 0; 1602 } 1603 fw_ptr = fw->data; 1604 1605 kfree_skb(skb); 1606 1607 /* This Intel specific command enables the manufacturer mode of the 1608 * controller. 1609 * 1610 * Only while this mode is enabled, the driver can download the 1611 * firmware patch data and configuration parameters. 1612 */ 1613 skb = __hci_cmd_sync(hdev, 0xfc11, 2, mfg_enable, HCI_INIT_TIMEOUT); 1614 if (IS_ERR(skb)) { 1615 BT_ERR("%s entering Intel manufacturer mode failed (%ld)", 1616 hdev->name, PTR_ERR(skb)); 1617 release_firmware(fw); 1618 return PTR_ERR(skb); 1619 } 1620 1621 kfree_skb(skb); 1622 1623 disable_patch = 1; 1624 1625 /* The firmware data file consists of list of Intel specific HCI 1626 * commands and its expected events. The first byte indicates the 1627 * type of the message, either HCI command or HCI event. 1628 * 1629 * It reads the command and its expected event from the firmware file, 1630 * and send to the controller. Once __hci_cmd_sync_ev() returns, 1631 * the returned event is compared with the event read from the firmware 1632 * file and it will continue until all the messages are downloaded to 1633 * the controller. 1634 * 1635 * Once the firmware patching is completed successfully, 1636 * the manufacturer mode is disabled with reset and activating the 1637 * downloaded patch. 1638 * 1639 * If the firmware patching fails, the manufacturer mode is 1640 * disabled with reset and deactivating the patch. 1641 * 1642 * If the default patch file is used, no reset is done when disabling 1643 * the manufacturer. 1644 */ 1645 while (fw->size > fw_ptr - fw->data) { 1646 int ret; 1647 1648 ret = btusb_setup_intel_patching(hdev, fw, &fw_ptr, 1649 &disable_patch); 1650 if (ret < 0) 1651 goto exit_mfg_deactivate; 1652 } 1653 1654 release_firmware(fw); 1655 1656 if (disable_patch) 1657 goto exit_mfg_disable; 1658 1659 /* Patching completed successfully and disable the manufacturer mode 1660 * with reset and activate the downloaded firmware patches. 1661 */ 1662 skb = __hci_cmd_sync(hdev, 0xfc11, sizeof(mfg_reset_activate), 1663 mfg_reset_activate, HCI_INIT_TIMEOUT); 1664 if (IS_ERR(skb)) { 1665 BT_ERR("%s exiting Intel manufacturer mode failed (%ld)", 1666 hdev->name, PTR_ERR(skb)); 1667 return PTR_ERR(skb); 1668 } 1669 kfree_skb(skb); 1670 1671 BT_INFO("%s: Intel Bluetooth firmware patch completed and activated", 1672 hdev->name); 1673 1674 btintel_check_bdaddr(hdev); 1675 return 0; 1676 1677 exit_mfg_disable: 1678 /* Disable the manufacturer mode without reset */ 1679 skb = __hci_cmd_sync(hdev, 0xfc11, sizeof(mfg_disable), mfg_disable, 1680 HCI_INIT_TIMEOUT); 1681 if (IS_ERR(skb)) { 1682 BT_ERR("%s exiting Intel manufacturer mode failed (%ld)", 1683 hdev->name, PTR_ERR(skb)); 1684 return PTR_ERR(skb); 1685 } 1686 kfree_skb(skb); 1687 1688 BT_INFO("%s: Intel Bluetooth firmware patch completed", hdev->name); 1689 1690 btintel_check_bdaddr(hdev); 1691 return 0; 1692 1693 exit_mfg_deactivate: 1694 release_firmware(fw); 1695 1696 /* Patching failed. Disable the manufacturer mode with reset and 1697 * deactivate the downloaded firmware patches. 1698 */ 1699 skb = __hci_cmd_sync(hdev, 0xfc11, sizeof(mfg_reset_deactivate), 1700 mfg_reset_deactivate, HCI_INIT_TIMEOUT); 1701 if (IS_ERR(skb)) { 1702 BT_ERR("%s exiting Intel manufacturer mode failed (%ld)", 1703 hdev->name, PTR_ERR(skb)); 1704 return PTR_ERR(skb); 1705 } 1706 kfree_skb(skb); 1707 1708 BT_INFO("%s: Intel Bluetooth firmware patch completed and deactivated", 1709 hdev->name); 1710 1711 btintel_check_bdaddr(hdev); 1712 return 0; 1713 } 1714 1715 static int inject_cmd_complete(struct hci_dev *hdev, __u16 opcode) 1716 { 1717 struct sk_buff *skb; 1718 struct hci_event_hdr *hdr; 1719 struct hci_ev_cmd_complete *evt; 1720 1721 skb = bt_skb_alloc(sizeof(*hdr) + sizeof(*evt) + 1, GFP_ATOMIC); 1722 if (!skb) 1723 return -ENOMEM; 1724 1725 hdr = (struct hci_event_hdr *)skb_put(skb, sizeof(*hdr)); 1726 hdr->evt = HCI_EV_CMD_COMPLETE; 1727 hdr->plen = sizeof(*evt) + 1; 1728 1729 evt = (struct hci_ev_cmd_complete *)skb_put(skb, sizeof(*evt)); 1730 evt->ncmd = 0x01; 1731 evt->opcode = cpu_to_le16(opcode); 1732 1733 *skb_put(skb, 1) = 0x00; 1734 1735 bt_cb(skb)->pkt_type = HCI_EVENT_PKT; 1736 1737 return hci_recv_frame(hdev, skb); 1738 } 1739 1740 static int btusb_recv_bulk_intel(struct btusb_data *data, void *buffer, 1741 int count) 1742 { 1743 /* When the device is in bootloader mode, then it can send 1744 * events via the bulk endpoint. These events are treated the 1745 * same way as the ones received from the interrupt endpoint. 1746 */ 1747 if (test_bit(BTUSB_BOOTLOADER, &data->flags)) 1748 return btusb_recv_intr(data, buffer, count); 1749 1750 return btusb_recv_bulk(data, buffer, count); 1751 } 1752 1753 static void btusb_intel_bootup(struct btusb_data *data, const void *ptr, 1754 unsigned int len) 1755 { 1756 const struct intel_bootup *evt = ptr; 1757 1758 if (len != sizeof(*evt)) 1759 return; 1760 1761 if (test_and_clear_bit(BTUSB_BOOTING, &data->flags)) { 1762 smp_mb__after_atomic(); 1763 wake_up_bit(&data->flags, BTUSB_BOOTING); 1764 } 1765 } 1766 1767 static void btusb_intel_secure_send_result(struct btusb_data *data, 1768 const void *ptr, unsigned int len) 1769 { 1770 const struct intel_secure_send_result *evt = ptr; 1771 1772 if (len != sizeof(*evt)) 1773 return; 1774 1775 if (evt->result) 1776 set_bit(BTUSB_FIRMWARE_FAILED, &data->flags); 1777 1778 if (test_and_clear_bit(BTUSB_DOWNLOADING, &data->flags) && 1779 test_bit(BTUSB_FIRMWARE_LOADED, &data->flags)) { 1780 smp_mb__after_atomic(); 1781 wake_up_bit(&data->flags, BTUSB_DOWNLOADING); 1782 } 1783 } 1784 1785 static int btusb_recv_event_intel(struct hci_dev *hdev, struct sk_buff *skb) 1786 { 1787 struct btusb_data *data = hci_get_drvdata(hdev); 1788 1789 if (test_bit(BTUSB_BOOTLOADER, &data->flags)) { 1790 struct hci_event_hdr *hdr = (void *)skb->data; 1791 1792 if (skb->len > HCI_EVENT_HDR_SIZE && hdr->evt == 0xff && 1793 hdr->plen > 0) { 1794 const void *ptr = skb->data + HCI_EVENT_HDR_SIZE + 1; 1795 unsigned int len = skb->len - HCI_EVENT_HDR_SIZE - 1; 1796 1797 switch (skb->data[2]) { 1798 case 0x02: 1799 /* When switching to the operational firmware 1800 * the device sends a vendor specific event 1801 * indicating that the bootup completed. 1802 */ 1803 btusb_intel_bootup(data, ptr, len); 1804 break; 1805 case 0x06: 1806 /* When the firmware loading completes the 1807 * device sends out a vendor specific event 1808 * indicating the result of the firmware 1809 * loading. 1810 */ 1811 btusb_intel_secure_send_result(data, ptr, len); 1812 break; 1813 } 1814 } 1815 } 1816 1817 return hci_recv_frame(hdev, skb); 1818 } 1819 1820 static int btusb_send_frame_intel(struct hci_dev *hdev, struct sk_buff *skb) 1821 { 1822 struct btusb_data *data = hci_get_drvdata(hdev); 1823 struct urb *urb; 1824 1825 BT_DBG("%s", hdev->name); 1826 1827 if (!test_bit(HCI_RUNNING, &hdev->flags)) 1828 return -EBUSY; 1829 1830 switch (bt_cb(skb)->pkt_type) { 1831 case HCI_COMMAND_PKT: 1832 if (test_bit(BTUSB_BOOTLOADER, &data->flags)) { 1833 struct hci_command_hdr *cmd = (void *)skb->data; 1834 __u16 opcode = le16_to_cpu(cmd->opcode); 1835 1836 /* When in bootloader mode and the command 0xfc09 1837 * is received, it needs to be send down the 1838 * bulk endpoint. So allocate a bulk URB instead. 1839 */ 1840 if (opcode == 0xfc09) 1841 urb = alloc_bulk_urb(hdev, skb); 1842 else 1843 urb = alloc_ctrl_urb(hdev, skb); 1844 1845 /* When the 0xfc01 command is issued to boot into 1846 * the operational firmware, it will actually not 1847 * send a command complete event. To keep the flow 1848 * control working inject that event here. 1849 */ 1850 if (opcode == 0xfc01) 1851 inject_cmd_complete(hdev, opcode); 1852 } else { 1853 urb = alloc_ctrl_urb(hdev, skb); 1854 } 1855 if (IS_ERR(urb)) 1856 return PTR_ERR(urb); 1857 1858 hdev->stat.cmd_tx++; 1859 return submit_or_queue_tx_urb(hdev, urb); 1860 1861 case HCI_ACLDATA_PKT: 1862 urb = alloc_bulk_urb(hdev, skb); 1863 if (IS_ERR(urb)) 1864 return PTR_ERR(urb); 1865 1866 hdev->stat.acl_tx++; 1867 return submit_or_queue_tx_urb(hdev, urb); 1868 1869 case HCI_SCODATA_PKT: 1870 if (hci_conn_num(hdev, SCO_LINK) < 1) 1871 return -ENODEV; 1872 1873 urb = alloc_isoc_urb(hdev, skb); 1874 if (IS_ERR(urb)) 1875 return PTR_ERR(urb); 1876 1877 hdev->stat.sco_tx++; 1878 return submit_tx_urb(hdev, urb); 1879 } 1880 1881 return -EILSEQ; 1882 } 1883 1884 static int btusb_setup_intel_new(struct hci_dev *hdev) 1885 { 1886 static const u8 reset_param[] = { 0x00, 0x01, 0x00, 0x01, 1887 0x00, 0x08, 0x04, 0x00 }; 1888 struct btusb_data *data = hci_get_drvdata(hdev); 1889 struct sk_buff *skb; 1890 struct intel_version *ver; 1891 struct intel_boot_params *params; 1892 const struct firmware *fw; 1893 const u8 *fw_ptr; 1894 u32 frag_len; 1895 char fwname[64]; 1896 ktime_t calltime, delta, rettime; 1897 unsigned long long duration; 1898 int err; 1899 1900 BT_DBG("%s", hdev->name); 1901 1902 calltime = ktime_get(); 1903 1904 /* Read the Intel version information to determine if the device 1905 * is in bootloader mode or if it already has operational firmware 1906 * loaded. 1907 */ 1908 skb = __hci_cmd_sync(hdev, 0xfc05, 0, NULL, HCI_INIT_TIMEOUT); 1909 if (IS_ERR(skb)) { 1910 BT_ERR("%s: Reading Intel version information failed (%ld)", 1911 hdev->name, PTR_ERR(skb)); 1912 return PTR_ERR(skb); 1913 } 1914 1915 if (skb->len != sizeof(*ver)) { 1916 BT_ERR("%s: Intel version event size mismatch", hdev->name); 1917 kfree_skb(skb); 1918 return -EILSEQ; 1919 } 1920 1921 ver = (struct intel_version *)skb->data; 1922 1923 /* The hardware platform number has a fixed value of 0x37 and 1924 * for now only accept this single value. 1925 */ 1926 if (ver->hw_platform != 0x37) { 1927 BT_ERR("%s: Unsupported Intel hardware platform (%u)", 1928 hdev->name, ver->hw_platform); 1929 kfree_skb(skb); 1930 return -EINVAL; 1931 } 1932 1933 /* At the moment only the hardware variant iBT 3.0 (LnP/SfP) is 1934 * supported by this firmware loading method. This check has been 1935 * put in place to ensure correct forward compatibility options 1936 * when newer hardware variants come along. 1937 */ 1938 if (ver->hw_variant != 0x0b) { 1939 BT_ERR("%s: Unsupported Intel hardware variant (%u)", 1940 hdev->name, ver->hw_variant); 1941 kfree_skb(skb); 1942 return -EINVAL; 1943 } 1944 1945 btintel_version_info(hdev, ver); 1946 1947 /* The firmware variant determines if the device is in bootloader 1948 * mode or is running operational firmware. The value 0x06 identifies 1949 * the bootloader and the value 0x23 identifies the operational 1950 * firmware. 1951 * 1952 * When the operational firmware is already present, then only 1953 * the check for valid Bluetooth device address is needed. This 1954 * determines if the device will be added as configured or 1955 * unconfigured controller. 1956 * 1957 * It is not possible to use the Secure Boot Parameters in this 1958 * case since that command is only available in bootloader mode. 1959 */ 1960 if (ver->fw_variant == 0x23) { 1961 kfree_skb(skb); 1962 clear_bit(BTUSB_BOOTLOADER, &data->flags); 1963 btintel_check_bdaddr(hdev); 1964 return 0; 1965 } 1966 1967 /* If the device is not in bootloader mode, then the only possible 1968 * choice is to return an error and abort the device initialization. 1969 */ 1970 if (ver->fw_variant != 0x06) { 1971 BT_ERR("%s: Unsupported Intel firmware variant (%u)", 1972 hdev->name, ver->fw_variant); 1973 kfree_skb(skb); 1974 return -ENODEV; 1975 } 1976 1977 kfree_skb(skb); 1978 1979 /* Read the secure boot parameters to identify the operating 1980 * details of the bootloader. 1981 */ 1982 skb = __hci_cmd_sync(hdev, 0xfc0d, 0, NULL, HCI_INIT_TIMEOUT); 1983 if (IS_ERR(skb)) { 1984 BT_ERR("%s: Reading Intel boot parameters failed (%ld)", 1985 hdev->name, PTR_ERR(skb)); 1986 return PTR_ERR(skb); 1987 } 1988 1989 if (skb->len != sizeof(*params)) { 1990 BT_ERR("%s: Intel boot parameters size mismatch", hdev->name); 1991 kfree_skb(skb); 1992 return -EILSEQ; 1993 } 1994 1995 params = (struct intel_boot_params *)skb->data; 1996 1997 BT_INFO("%s: Device revision is %u", hdev->name, 1998 le16_to_cpu(params->dev_revid)); 1999 2000 BT_INFO("%s: Secure boot is %s", hdev->name, 2001 params->secure_boot ? "enabled" : "disabled"); 2002 2003 BT_INFO("%s: Minimum firmware build %u week %u %u", hdev->name, 2004 params->min_fw_build_nn, params->min_fw_build_cw, 2005 2000 + params->min_fw_build_yy); 2006 2007 /* It is required that every single firmware fragment is acknowledged 2008 * with a command complete event. If the boot parameters indicate 2009 * that this bootloader does not send them, then abort the setup. 2010 */ 2011 if (params->limited_cce != 0x00) { 2012 BT_ERR("%s: Unsupported Intel firmware loading method (%u)", 2013 hdev->name, params->limited_cce); 2014 kfree_skb(skb); 2015 return -EINVAL; 2016 } 2017 2018 /* If the OTP has no valid Bluetooth device address, then there will 2019 * also be no valid address for the operational firmware. 2020 */ 2021 if (!bacmp(¶ms->otp_bdaddr, BDADDR_ANY)) { 2022 BT_INFO("%s: No device address configured", hdev->name); 2023 set_bit(HCI_QUIRK_INVALID_BDADDR, &hdev->quirks); 2024 } 2025 2026 /* With this Intel bootloader only the hardware variant and device 2027 * revision information are used to select the right firmware. 2028 * 2029 * Currently this bootloader support is limited to hardware variant 2030 * iBT 3.0 (LnP/SfP) which is identified by the value 11 (0x0b). 2031 */ 2032 snprintf(fwname, sizeof(fwname), "intel/ibt-11-%u.sfi", 2033 le16_to_cpu(params->dev_revid)); 2034 2035 err = request_firmware(&fw, fwname, &hdev->dev); 2036 if (err < 0) { 2037 BT_ERR("%s: Failed to load Intel firmware file (%d)", 2038 hdev->name, err); 2039 kfree_skb(skb); 2040 return err; 2041 } 2042 2043 BT_INFO("%s: Found device firmware: %s", hdev->name, fwname); 2044 2045 /* Save the DDC file name for later use to apply once the firmware 2046 * downloading is done. 2047 */ 2048 snprintf(fwname, sizeof(fwname), "intel/ibt-11-%u.ddc", 2049 le16_to_cpu(params->dev_revid)); 2050 2051 kfree_skb(skb); 2052 2053 if (fw->size < 644) { 2054 BT_ERR("%s: Invalid size of firmware file (%zu)", 2055 hdev->name, fw->size); 2056 err = -EBADF; 2057 goto done; 2058 } 2059 2060 set_bit(BTUSB_DOWNLOADING, &data->flags); 2061 2062 /* Start the firmware download transaction with the Init fragment 2063 * represented by the 128 bytes of CSS header. 2064 */ 2065 err = btintel_secure_send(hdev, 0x00, 128, fw->data); 2066 if (err < 0) { 2067 BT_ERR("%s: Failed to send firmware header (%d)", 2068 hdev->name, err); 2069 goto done; 2070 } 2071 2072 /* Send the 256 bytes of public key information from the firmware 2073 * as the PKey fragment. 2074 */ 2075 err = btintel_secure_send(hdev, 0x03, 256, fw->data + 128); 2076 if (err < 0) { 2077 BT_ERR("%s: Failed to send firmware public key (%d)", 2078 hdev->name, err); 2079 goto done; 2080 } 2081 2082 /* Send the 256 bytes of signature information from the firmware 2083 * as the Sign fragment. 2084 */ 2085 err = btintel_secure_send(hdev, 0x02, 256, fw->data + 388); 2086 if (err < 0) { 2087 BT_ERR("%s: Failed to send firmware signature (%d)", 2088 hdev->name, err); 2089 goto done; 2090 } 2091 2092 fw_ptr = fw->data + 644; 2093 frag_len = 0; 2094 2095 while (fw_ptr - fw->data < fw->size) { 2096 struct hci_command_hdr *cmd = (void *)(fw_ptr + frag_len); 2097 2098 frag_len += sizeof(*cmd) + cmd->plen; 2099 2100 /* The paramter length of the secure send command requires 2101 * a 4 byte alignment. It happens so that the firmware file 2102 * contains proper Intel_NOP commands to align the fragments 2103 * as needed. 2104 * 2105 * Send set of commands with 4 byte alignment from the 2106 * firmware data buffer as a single Data fragement. 2107 */ 2108 if (!(frag_len % 4)) { 2109 err = btintel_secure_send(hdev, 0x01, frag_len, fw_ptr); 2110 if (err < 0) { 2111 BT_ERR("%s: Failed to send firmware data (%d)", 2112 hdev->name, err); 2113 goto done; 2114 } 2115 2116 fw_ptr += frag_len; 2117 frag_len = 0; 2118 } 2119 } 2120 2121 set_bit(BTUSB_FIRMWARE_LOADED, &data->flags); 2122 2123 BT_INFO("%s: Waiting for firmware download to complete", hdev->name); 2124 2125 /* Before switching the device into operational mode and with that 2126 * booting the loaded firmware, wait for the bootloader notification 2127 * that all fragments have been successfully received. 2128 * 2129 * When the event processing receives the notification, then the 2130 * BTUSB_DOWNLOADING flag will be cleared. 2131 * 2132 * The firmware loading should not take longer than 5 seconds 2133 * and thus just timeout if that happens and fail the setup 2134 * of this device. 2135 */ 2136 err = wait_on_bit_timeout(&data->flags, BTUSB_DOWNLOADING, 2137 TASK_INTERRUPTIBLE, 2138 msecs_to_jiffies(5000)); 2139 if (err == 1) { 2140 BT_ERR("%s: Firmware loading interrupted", hdev->name); 2141 err = -EINTR; 2142 goto done; 2143 } 2144 2145 if (err) { 2146 BT_ERR("%s: Firmware loading timeout", hdev->name); 2147 err = -ETIMEDOUT; 2148 goto done; 2149 } 2150 2151 if (test_bit(BTUSB_FIRMWARE_FAILED, &data->flags)) { 2152 BT_ERR("%s: Firmware loading failed", hdev->name); 2153 err = -ENOEXEC; 2154 goto done; 2155 } 2156 2157 rettime = ktime_get(); 2158 delta = ktime_sub(rettime, calltime); 2159 duration = (unsigned long long) ktime_to_ns(delta) >> 10; 2160 2161 BT_INFO("%s: Firmware loaded in %llu usecs", hdev->name, duration); 2162 2163 done: 2164 release_firmware(fw); 2165 2166 if (err < 0) 2167 return err; 2168 2169 calltime = ktime_get(); 2170 2171 set_bit(BTUSB_BOOTING, &data->flags); 2172 2173 skb = __hci_cmd_sync(hdev, 0xfc01, sizeof(reset_param), reset_param, 2174 HCI_INIT_TIMEOUT); 2175 if (IS_ERR(skb)) 2176 return PTR_ERR(skb); 2177 2178 kfree_skb(skb); 2179 2180 /* The bootloader will not indicate when the device is ready. This 2181 * is done by the operational firmware sending bootup notification. 2182 * 2183 * Booting into operational firmware should not take longer than 2184 * 1 second. However if that happens, then just fail the setup 2185 * since something went wrong. 2186 */ 2187 BT_INFO("%s: Waiting for device to boot", hdev->name); 2188 2189 err = wait_on_bit_timeout(&data->flags, BTUSB_BOOTING, 2190 TASK_INTERRUPTIBLE, 2191 msecs_to_jiffies(1000)); 2192 2193 if (err == 1) { 2194 BT_ERR("%s: Device boot interrupted", hdev->name); 2195 return -EINTR; 2196 } 2197 2198 if (err) { 2199 BT_ERR("%s: Device boot timeout", hdev->name); 2200 return -ETIMEDOUT; 2201 } 2202 2203 rettime = ktime_get(); 2204 delta = ktime_sub(rettime, calltime); 2205 duration = (unsigned long long) ktime_to_ns(delta) >> 10; 2206 2207 BT_INFO("%s: Device booted in %llu usecs", hdev->name, duration); 2208 2209 clear_bit(BTUSB_BOOTLOADER, &data->flags); 2210 2211 /* Once the device is running in operational mode, it needs to apply 2212 * the device configuration (DDC) parameters. 2213 * 2214 * The device can work without DDC parameters, so even if it fails 2215 * to load the file, no need to fail the setup. 2216 */ 2217 err = request_firmware_direct(&fw, fwname, &hdev->dev); 2218 if (err < 0) 2219 return 0; 2220 2221 BT_INFO("%s: Found Intel DDC parameters: %s", hdev->name, fwname); 2222 2223 fw_ptr = fw->data; 2224 2225 /* DDC file contains one or more DDC structure which has 2226 * Length (1 byte), DDC ID (2 bytes), and DDC value (Length - 2). 2227 */ 2228 while (fw->size > fw_ptr - fw->data) { 2229 u8 cmd_plen = fw_ptr[0] + sizeof(u8); 2230 2231 skb = __hci_cmd_sync(hdev, 0xfc8b, cmd_plen, fw_ptr, 2232 HCI_INIT_TIMEOUT); 2233 if (IS_ERR(skb)) { 2234 BT_ERR("%s: Failed to send Intel_Write_DDC (%ld)", 2235 hdev->name, PTR_ERR(skb)); 2236 release_firmware(fw); 2237 return PTR_ERR(skb); 2238 } 2239 2240 fw_ptr += cmd_plen; 2241 kfree_skb(skb); 2242 } 2243 2244 release_firmware(fw); 2245 2246 BT_INFO("%s: Applying Intel DDC parameters completed", hdev->name); 2247 2248 return 0; 2249 } 2250 2251 static int btusb_shutdown_intel(struct hci_dev *hdev) 2252 { 2253 struct sk_buff *skb; 2254 long ret; 2255 2256 /* Some platforms have an issue with BT LED when the interface is 2257 * down or BT radio is turned off, which takes 5 seconds to BT LED 2258 * goes off. This command turns off the BT LED immediately. 2259 */ 2260 skb = __hci_cmd_sync(hdev, 0xfc3f, 0, NULL, HCI_INIT_TIMEOUT); 2261 if (IS_ERR(skb)) { 2262 ret = PTR_ERR(skb); 2263 BT_ERR("%s: turning off Intel device LED failed (%ld)", 2264 hdev->name, ret); 2265 return ret; 2266 } 2267 kfree_skb(skb); 2268 2269 return 0; 2270 } 2271 2272 static int btusb_set_bdaddr_marvell(struct hci_dev *hdev, 2273 const bdaddr_t *bdaddr) 2274 { 2275 struct sk_buff *skb; 2276 u8 buf[8]; 2277 long ret; 2278 2279 buf[0] = 0xfe; 2280 buf[1] = sizeof(bdaddr_t); 2281 memcpy(buf + 2, bdaddr, sizeof(bdaddr_t)); 2282 2283 skb = __hci_cmd_sync(hdev, 0xfc22, sizeof(buf), buf, HCI_INIT_TIMEOUT); 2284 if (IS_ERR(skb)) { 2285 ret = PTR_ERR(skb); 2286 BT_ERR("%s: changing Marvell device address failed (%ld)", 2287 hdev->name, ret); 2288 return ret; 2289 } 2290 kfree_skb(skb); 2291 2292 return 0; 2293 } 2294 2295 static int btusb_set_bdaddr_ath3012(struct hci_dev *hdev, 2296 const bdaddr_t *bdaddr) 2297 { 2298 struct sk_buff *skb; 2299 u8 buf[10]; 2300 long ret; 2301 2302 buf[0] = 0x01; 2303 buf[1] = 0x01; 2304 buf[2] = 0x00; 2305 buf[3] = sizeof(bdaddr_t); 2306 memcpy(buf + 4, bdaddr, sizeof(bdaddr_t)); 2307 2308 skb = __hci_cmd_sync(hdev, 0xfc0b, sizeof(buf), buf, HCI_INIT_TIMEOUT); 2309 if (IS_ERR(skb)) { 2310 ret = PTR_ERR(skb); 2311 BT_ERR("%s: Change address command failed (%ld)", 2312 hdev->name, ret); 2313 return ret; 2314 } 2315 kfree_skb(skb); 2316 2317 return 0; 2318 } 2319 2320 #define QCA_DFU_PACKET_LEN 4096 2321 2322 #define QCA_GET_TARGET_VERSION 0x09 2323 #define QCA_CHECK_STATUS 0x05 2324 #define QCA_DFU_DOWNLOAD 0x01 2325 2326 #define QCA_SYSCFG_UPDATED 0x40 2327 #define QCA_PATCH_UPDATED 0x80 2328 #define QCA_DFU_TIMEOUT 3000 2329 2330 struct qca_version { 2331 __le32 rom_version; 2332 __le32 patch_version; 2333 __le32 ram_version; 2334 __le32 ref_clock; 2335 __u8 reserved[4]; 2336 } __packed; 2337 2338 struct qca_rampatch_version { 2339 __le16 rom_version; 2340 __le16 patch_version; 2341 } __packed; 2342 2343 struct qca_device_info { 2344 u32 rom_version; 2345 u8 rampatch_hdr; /* length of header in rampatch */ 2346 u8 nvm_hdr; /* length of header in NVM */ 2347 u8 ver_offset; /* offset of version structure in rampatch */ 2348 }; 2349 2350 static const struct qca_device_info qca_devices_table[] = { 2351 { 0x00000100, 20, 4, 10 }, /* Rome 1.0 */ 2352 { 0x00000101, 20, 4, 10 }, /* Rome 1.1 */ 2353 { 0x00000200, 28, 4, 18 }, /* Rome 2.0 */ 2354 { 0x00000201, 28, 4, 18 }, /* Rome 2.1 */ 2355 { 0x00000300, 28, 4, 18 }, /* Rome 3.0 */ 2356 { 0x00000302, 28, 4, 18 }, /* Rome 3.2 */ 2357 }; 2358 2359 static int btusb_qca_send_vendor_req(struct hci_dev *hdev, u8 request, 2360 void *data, u16 size) 2361 { 2362 struct btusb_data *btdata = hci_get_drvdata(hdev); 2363 struct usb_device *udev = btdata->udev; 2364 int pipe, err; 2365 u8 *buf; 2366 2367 buf = kmalloc(size, GFP_KERNEL); 2368 if (!buf) 2369 return -ENOMEM; 2370 2371 /* Found some of USB hosts have IOT issues with ours so that we should 2372 * not wait until HCI layer is ready. 2373 */ 2374 pipe = usb_rcvctrlpipe(udev, 0); 2375 err = usb_control_msg(udev, pipe, request, USB_TYPE_VENDOR | USB_DIR_IN, 2376 0, 0, buf, size, USB_CTRL_SET_TIMEOUT); 2377 if (err < 0) { 2378 BT_ERR("%s: Failed to access otp area (%d)", hdev->name, err); 2379 goto done; 2380 } 2381 2382 memcpy(data, buf, size); 2383 2384 done: 2385 kfree(buf); 2386 2387 return err; 2388 } 2389 2390 static int btusb_setup_qca_download_fw(struct hci_dev *hdev, 2391 const struct firmware *firmware, 2392 size_t hdr_size) 2393 { 2394 struct btusb_data *btdata = hci_get_drvdata(hdev); 2395 struct usb_device *udev = btdata->udev; 2396 size_t count, size, sent = 0; 2397 int pipe, len, err; 2398 u8 *buf; 2399 2400 buf = kmalloc(QCA_DFU_PACKET_LEN, GFP_KERNEL); 2401 if (!buf) 2402 return -ENOMEM; 2403 2404 count = firmware->size; 2405 2406 size = min_t(size_t, count, hdr_size); 2407 memcpy(buf, firmware->data, size); 2408 2409 /* USB patches should go down to controller through USB path 2410 * because binary format fits to go down through USB channel. 2411 * USB control path is for patching headers and USB bulk is for 2412 * patch body. 2413 */ 2414 pipe = usb_sndctrlpipe(udev, 0); 2415 err = usb_control_msg(udev, pipe, QCA_DFU_DOWNLOAD, USB_TYPE_VENDOR, 2416 0, 0, buf, size, USB_CTRL_SET_TIMEOUT); 2417 if (err < 0) { 2418 BT_ERR("%s: Failed to send headers (%d)", hdev->name, err); 2419 goto done; 2420 } 2421 2422 sent += size; 2423 count -= size; 2424 2425 while (count) { 2426 size = min_t(size_t, count, QCA_DFU_PACKET_LEN); 2427 2428 memcpy(buf, firmware->data + sent, size); 2429 2430 pipe = usb_sndbulkpipe(udev, 0x02); 2431 err = usb_bulk_msg(udev, pipe, buf, size, &len, 2432 QCA_DFU_TIMEOUT); 2433 if (err < 0) { 2434 BT_ERR("%s: Failed to send body at %zd of %zd (%d)", 2435 hdev->name, sent, firmware->size, err); 2436 break; 2437 } 2438 2439 if (size != len) { 2440 BT_ERR("%s: Failed to get bulk buffer", hdev->name); 2441 err = -EILSEQ; 2442 break; 2443 } 2444 2445 sent += size; 2446 count -= size; 2447 } 2448 2449 done: 2450 kfree(buf); 2451 return err; 2452 } 2453 2454 static int btusb_setup_qca_load_rampatch(struct hci_dev *hdev, 2455 struct qca_version *ver, 2456 const struct qca_device_info *info) 2457 { 2458 struct qca_rampatch_version *rver; 2459 const struct firmware *fw; 2460 u32 ver_rom, ver_patch; 2461 u16 rver_rom, rver_patch; 2462 char fwname[64]; 2463 int err; 2464 2465 ver_rom = le32_to_cpu(ver->rom_version); 2466 ver_patch = le32_to_cpu(ver->patch_version); 2467 2468 snprintf(fwname, sizeof(fwname), "qca/rampatch_usb_%08x.bin", ver_rom); 2469 2470 err = request_firmware(&fw, fwname, &hdev->dev); 2471 if (err) { 2472 BT_ERR("%s: failed to request rampatch file: %s (%d)", 2473 hdev->name, fwname, err); 2474 return err; 2475 } 2476 2477 BT_INFO("%s: using rampatch file: %s", hdev->name, fwname); 2478 2479 rver = (struct qca_rampatch_version *)(fw->data + info->ver_offset); 2480 rver_rom = le16_to_cpu(rver->rom_version); 2481 rver_patch = le16_to_cpu(rver->patch_version); 2482 2483 BT_INFO("%s: QCA: patch rome 0x%x build 0x%x, firmware rome 0x%x " 2484 "build 0x%x", hdev->name, rver_rom, rver_patch, ver_rom, 2485 ver_patch); 2486 2487 if (rver_rom != ver_rom || rver_patch <= ver_patch) { 2488 BT_ERR("%s: rampatch file version did not match with firmware", 2489 hdev->name); 2490 err = -EINVAL; 2491 goto done; 2492 } 2493 2494 err = btusb_setup_qca_download_fw(hdev, fw, info->rampatch_hdr); 2495 2496 done: 2497 release_firmware(fw); 2498 2499 return err; 2500 } 2501 2502 static int btusb_setup_qca_load_nvm(struct hci_dev *hdev, 2503 struct qca_version *ver, 2504 const struct qca_device_info *info) 2505 { 2506 const struct firmware *fw; 2507 char fwname[64]; 2508 int err; 2509 2510 snprintf(fwname, sizeof(fwname), "qca/nvm_usb_%08x.bin", 2511 le32_to_cpu(ver->rom_version)); 2512 2513 err = request_firmware(&fw, fwname, &hdev->dev); 2514 if (err) { 2515 BT_ERR("%s: failed to request NVM file: %s (%d)", 2516 hdev->name, fwname, err); 2517 return err; 2518 } 2519 2520 BT_INFO("%s: using NVM file: %s", hdev->name, fwname); 2521 2522 err = btusb_setup_qca_download_fw(hdev, fw, info->nvm_hdr); 2523 2524 release_firmware(fw); 2525 2526 return err; 2527 } 2528 2529 static int btusb_setup_qca(struct hci_dev *hdev) 2530 { 2531 const struct qca_device_info *info = NULL; 2532 struct qca_version ver; 2533 u32 ver_rom; 2534 u8 status; 2535 int i, err; 2536 2537 err = btusb_qca_send_vendor_req(hdev, QCA_GET_TARGET_VERSION, &ver, 2538 sizeof(ver)); 2539 if (err < 0) 2540 return err; 2541 2542 ver_rom = le32_to_cpu(ver.rom_version); 2543 for (i = 0; i < ARRAY_SIZE(qca_devices_table); i++) { 2544 if (ver_rom == qca_devices_table[i].rom_version) 2545 info = &qca_devices_table[i]; 2546 } 2547 if (!info) { 2548 BT_ERR("%s: don't support firmware rome 0x%x", hdev->name, 2549 ver_rom); 2550 return -ENODEV; 2551 } 2552 2553 err = btusb_qca_send_vendor_req(hdev, QCA_CHECK_STATUS, &status, 2554 sizeof(status)); 2555 if (err < 0) 2556 return err; 2557 2558 if (!(status & QCA_PATCH_UPDATED)) { 2559 err = btusb_setup_qca_load_rampatch(hdev, &ver, info); 2560 if (err < 0) 2561 return err; 2562 } 2563 2564 if (!(status & QCA_SYSCFG_UPDATED)) { 2565 err = btusb_setup_qca_load_nvm(hdev, &ver, info); 2566 if (err < 0) 2567 return err; 2568 } 2569 2570 return 0; 2571 } 2572 2573 static int btusb_probe(struct usb_interface *intf, 2574 const struct usb_device_id *id) 2575 { 2576 struct usb_endpoint_descriptor *ep_desc; 2577 struct btusb_data *data; 2578 struct hci_dev *hdev; 2579 int i, err; 2580 2581 BT_DBG("intf %p id %p", intf, id); 2582 2583 /* interface numbers are hardcoded in the spec */ 2584 if (intf->cur_altsetting->desc.bInterfaceNumber != 0) 2585 return -ENODEV; 2586 2587 if (!id->driver_info) { 2588 const struct usb_device_id *match; 2589 2590 match = usb_match_id(intf, blacklist_table); 2591 if (match) 2592 id = match; 2593 } 2594 2595 if (id->driver_info == BTUSB_IGNORE) 2596 return -ENODEV; 2597 2598 if (id->driver_info & BTUSB_ATH3012) { 2599 struct usb_device *udev = interface_to_usbdev(intf); 2600 2601 /* Old firmware would otherwise let ath3k driver load 2602 * patch and sysconfig files */ 2603 if (le16_to_cpu(udev->descriptor.bcdDevice) <= 0x0001) 2604 return -ENODEV; 2605 } 2606 2607 data = devm_kzalloc(&intf->dev, sizeof(*data), GFP_KERNEL); 2608 if (!data) 2609 return -ENOMEM; 2610 2611 for (i = 0; i < intf->cur_altsetting->desc.bNumEndpoints; i++) { 2612 ep_desc = &intf->cur_altsetting->endpoint[i].desc; 2613 2614 if (!data->intr_ep && usb_endpoint_is_int_in(ep_desc)) { 2615 data->intr_ep = ep_desc; 2616 continue; 2617 } 2618 2619 if (!data->bulk_tx_ep && usb_endpoint_is_bulk_out(ep_desc)) { 2620 data->bulk_tx_ep = ep_desc; 2621 continue; 2622 } 2623 2624 if (!data->bulk_rx_ep && usb_endpoint_is_bulk_in(ep_desc)) { 2625 data->bulk_rx_ep = ep_desc; 2626 continue; 2627 } 2628 } 2629 2630 if (!data->intr_ep || !data->bulk_tx_ep || !data->bulk_rx_ep) 2631 return -ENODEV; 2632 2633 if (id->driver_info & BTUSB_AMP) { 2634 data->cmdreq_type = USB_TYPE_CLASS | 0x01; 2635 data->cmdreq = 0x2b; 2636 } else { 2637 data->cmdreq_type = USB_TYPE_CLASS; 2638 data->cmdreq = 0x00; 2639 } 2640 2641 data->udev = interface_to_usbdev(intf); 2642 data->intf = intf; 2643 2644 INIT_WORK(&data->work, btusb_work); 2645 INIT_WORK(&data->waker, btusb_waker); 2646 init_usb_anchor(&data->deferred); 2647 init_usb_anchor(&data->tx_anchor); 2648 spin_lock_init(&data->txlock); 2649 2650 init_usb_anchor(&data->intr_anchor); 2651 init_usb_anchor(&data->bulk_anchor); 2652 init_usb_anchor(&data->isoc_anchor); 2653 spin_lock_init(&data->rxlock); 2654 2655 if (id->driver_info & BTUSB_INTEL_NEW) { 2656 data->recv_event = btusb_recv_event_intel; 2657 data->recv_bulk = btusb_recv_bulk_intel; 2658 set_bit(BTUSB_BOOTLOADER, &data->flags); 2659 } else { 2660 data->recv_event = hci_recv_frame; 2661 data->recv_bulk = btusb_recv_bulk; 2662 } 2663 2664 hdev = hci_alloc_dev(); 2665 if (!hdev) 2666 return -ENOMEM; 2667 2668 hdev->bus = HCI_USB; 2669 hci_set_drvdata(hdev, data); 2670 2671 if (id->driver_info & BTUSB_AMP) 2672 hdev->dev_type = HCI_AMP; 2673 else 2674 hdev->dev_type = HCI_BREDR; 2675 2676 data->hdev = hdev; 2677 2678 SET_HCIDEV_DEV(hdev, &intf->dev); 2679 2680 hdev->open = btusb_open; 2681 hdev->close = btusb_close; 2682 hdev->flush = btusb_flush; 2683 hdev->send = btusb_send_frame; 2684 hdev->notify = btusb_notify; 2685 2686 if (id->driver_info & BTUSB_BCM92035) 2687 hdev->setup = btusb_setup_bcm92035; 2688 2689 #ifdef CONFIG_BT_HCIBTUSB_BCM 2690 if (id->driver_info & BTUSB_BCM_PATCHRAM) { 2691 hdev->setup = btbcm_setup_patchram; 2692 hdev->set_bdaddr = btbcm_set_bdaddr; 2693 } 2694 2695 if (id->driver_info & BTUSB_BCM_APPLE) 2696 hdev->setup = btbcm_setup_apple; 2697 #endif 2698 2699 if (id->driver_info & BTUSB_INTEL) { 2700 hdev->setup = btusb_setup_intel; 2701 hdev->shutdown = btusb_shutdown_intel; 2702 hdev->set_bdaddr = btintel_set_bdaddr; 2703 set_bit(HCI_QUIRK_STRICT_DUPLICATE_FILTER, &hdev->quirks); 2704 set_bit(HCI_QUIRK_SIMULTANEOUS_DISCOVERY, &hdev->quirks); 2705 } 2706 2707 if (id->driver_info & BTUSB_INTEL_NEW) { 2708 hdev->send = btusb_send_frame_intel; 2709 hdev->setup = btusb_setup_intel_new; 2710 hdev->hw_error = btintel_hw_error; 2711 hdev->set_bdaddr = btintel_set_bdaddr; 2712 set_bit(HCI_QUIRK_STRICT_DUPLICATE_FILTER, &hdev->quirks); 2713 } 2714 2715 if (id->driver_info & BTUSB_MARVELL) 2716 hdev->set_bdaddr = btusb_set_bdaddr_marvell; 2717 2718 if (id->driver_info & BTUSB_SWAVE) { 2719 set_bit(HCI_QUIRK_FIXUP_INQUIRY_MODE, &hdev->quirks); 2720 set_bit(HCI_QUIRK_BROKEN_LOCAL_COMMANDS, &hdev->quirks); 2721 } 2722 2723 if (id->driver_info & BTUSB_INTEL_BOOT) 2724 set_bit(HCI_QUIRK_RAW_DEVICE, &hdev->quirks); 2725 2726 if (id->driver_info & BTUSB_ATH3012) { 2727 hdev->set_bdaddr = btusb_set_bdaddr_ath3012; 2728 set_bit(HCI_QUIRK_SIMULTANEOUS_DISCOVERY, &hdev->quirks); 2729 set_bit(HCI_QUIRK_STRICT_DUPLICATE_FILTER, &hdev->quirks); 2730 } 2731 2732 if (id->driver_info & BTUSB_QCA_ROME) { 2733 data->setup_on_usb = btusb_setup_qca; 2734 hdev->set_bdaddr = btusb_set_bdaddr_ath3012; 2735 } 2736 2737 #ifdef CONFIG_BT_HCIBTUSB_RTL 2738 if (id->driver_info & BTUSB_REALTEK) { 2739 hdev->setup = btrtl_setup_realtek; 2740 2741 /* Realtek devices lose their updated firmware over suspend, 2742 * but the USB hub doesn't notice any status change. 2743 * Explicitly request a device reset on resume. 2744 */ 2745 set_bit(BTUSB_RESET_RESUME, &data->flags); 2746 } 2747 #endif 2748 2749 if (id->driver_info & BTUSB_AMP) { 2750 /* AMP controllers do not support SCO packets */ 2751 data->isoc = NULL; 2752 } else { 2753 /* Interface numbers are hardcoded in the specification */ 2754 data->isoc = usb_ifnum_to_if(data->udev, 1); 2755 } 2756 2757 if (!reset) 2758 set_bit(HCI_QUIRK_RESET_ON_CLOSE, &hdev->quirks); 2759 2760 if (force_scofix || id->driver_info & BTUSB_WRONG_SCO_MTU) { 2761 if (!disable_scofix) 2762 set_bit(HCI_QUIRK_FIXUP_BUFFER_SIZE, &hdev->quirks); 2763 } 2764 2765 if (id->driver_info & BTUSB_BROKEN_ISOC) 2766 data->isoc = NULL; 2767 2768 if (id->driver_info & BTUSB_DIGIANSWER) { 2769 data->cmdreq_type = USB_TYPE_VENDOR; 2770 set_bit(HCI_QUIRK_RESET_ON_CLOSE, &hdev->quirks); 2771 } 2772 2773 if (id->driver_info & BTUSB_CSR) { 2774 struct usb_device *udev = data->udev; 2775 u16 bcdDevice = le16_to_cpu(udev->descriptor.bcdDevice); 2776 2777 /* Old firmware would otherwise execute USB reset */ 2778 if (bcdDevice < 0x117) 2779 set_bit(HCI_QUIRK_RESET_ON_CLOSE, &hdev->quirks); 2780 2781 /* Fake CSR devices with broken commands */ 2782 if (bcdDevice <= 0x100) 2783 hdev->setup = btusb_setup_csr; 2784 2785 set_bit(HCI_QUIRK_SIMULTANEOUS_DISCOVERY, &hdev->quirks); 2786 } 2787 2788 if (id->driver_info & BTUSB_SNIFFER) { 2789 struct usb_device *udev = data->udev; 2790 2791 /* New sniffer firmware has crippled HCI interface */ 2792 if (le16_to_cpu(udev->descriptor.bcdDevice) > 0x997) 2793 set_bit(HCI_QUIRK_RAW_DEVICE, &hdev->quirks); 2794 } 2795 2796 if (id->driver_info & BTUSB_INTEL_BOOT) { 2797 /* A bug in the bootloader causes that interrupt interface is 2798 * only enabled after receiving SetInterface(0, AltSetting=0). 2799 */ 2800 err = usb_set_interface(data->udev, 0, 0); 2801 if (err < 0) { 2802 BT_ERR("failed to set interface 0, alt 0 %d", err); 2803 hci_free_dev(hdev); 2804 return err; 2805 } 2806 } 2807 2808 if (data->isoc) { 2809 err = usb_driver_claim_interface(&btusb_driver, 2810 data->isoc, data); 2811 if (err < 0) { 2812 hci_free_dev(hdev); 2813 return err; 2814 } 2815 } 2816 2817 err = hci_register_dev(hdev); 2818 if (err < 0) { 2819 hci_free_dev(hdev); 2820 return err; 2821 } 2822 2823 usb_set_intfdata(intf, data); 2824 2825 return 0; 2826 } 2827 2828 static void btusb_disconnect(struct usb_interface *intf) 2829 { 2830 struct btusb_data *data = usb_get_intfdata(intf); 2831 struct hci_dev *hdev; 2832 2833 BT_DBG("intf %p", intf); 2834 2835 if (!data) 2836 return; 2837 2838 hdev = data->hdev; 2839 usb_set_intfdata(data->intf, NULL); 2840 2841 if (data->isoc) 2842 usb_set_intfdata(data->isoc, NULL); 2843 2844 hci_unregister_dev(hdev); 2845 2846 if (intf == data->isoc) 2847 usb_driver_release_interface(&btusb_driver, data->intf); 2848 else if (data->isoc) 2849 usb_driver_release_interface(&btusb_driver, data->isoc); 2850 2851 hci_free_dev(hdev); 2852 } 2853 2854 #ifdef CONFIG_PM 2855 static int btusb_suspend(struct usb_interface *intf, pm_message_t message) 2856 { 2857 struct btusb_data *data = usb_get_intfdata(intf); 2858 2859 BT_DBG("intf %p", intf); 2860 2861 if (data->suspend_count++) 2862 return 0; 2863 2864 spin_lock_irq(&data->txlock); 2865 if (!(PMSG_IS_AUTO(message) && data->tx_in_flight)) { 2866 set_bit(BTUSB_SUSPENDING, &data->flags); 2867 spin_unlock_irq(&data->txlock); 2868 } else { 2869 spin_unlock_irq(&data->txlock); 2870 data->suspend_count--; 2871 return -EBUSY; 2872 } 2873 2874 cancel_work_sync(&data->work); 2875 2876 btusb_stop_traffic(data); 2877 usb_kill_anchored_urbs(&data->tx_anchor); 2878 2879 /* Optionally request a device reset on resume, but only when 2880 * wakeups are disabled. If wakeups are enabled we assume the 2881 * device will stay powered up throughout suspend. 2882 */ 2883 if (test_bit(BTUSB_RESET_RESUME, &data->flags) && 2884 !device_may_wakeup(&data->udev->dev)) 2885 data->udev->reset_resume = 1; 2886 2887 return 0; 2888 } 2889 2890 static void play_deferred(struct btusb_data *data) 2891 { 2892 struct urb *urb; 2893 int err; 2894 2895 while ((urb = usb_get_from_anchor(&data->deferred))) { 2896 err = usb_submit_urb(urb, GFP_ATOMIC); 2897 if (err < 0) 2898 break; 2899 2900 data->tx_in_flight++; 2901 } 2902 usb_scuttle_anchored_urbs(&data->deferred); 2903 } 2904 2905 static int btusb_resume(struct usb_interface *intf) 2906 { 2907 struct btusb_data *data = usb_get_intfdata(intf); 2908 struct hci_dev *hdev = data->hdev; 2909 int err = 0; 2910 2911 BT_DBG("intf %p", intf); 2912 2913 if (--data->suspend_count) 2914 return 0; 2915 2916 if (!test_bit(HCI_RUNNING, &hdev->flags)) 2917 goto done; 2918 2919 if (test_bit(BTUSB_INTR_RUNNING, &data->flags)) { 2920 err = btusb_submit_intr_urb(hdev, GFP_NOIO); 2921 if (err < 0) { 2922 clear_bit(BTUSB_INTR_RUNNING, &data->flags); 2923 goto failed; 2924 } 2925 } 2926 2927 if (test_bit(BTUSB_BULK_RUNNING, &data->flags)) { 2928 err = btusb_submit_bulk_urb(hdev, GFP_NOIO); 2929 if (err < 0) { 2930 clear_bit(BTUSB_BULK_RUNNING, &data->flags); 2931 goto failed; 2932 } 2933 2934 btusb_submit_bulk_urb(hdev, GFP_NOIO); 2935 } 2936 2937 if (test_bit(BTUSB_ISOC_RUNNING, &data->flags)) { 2938 if (btusb_submit_isoc_urb(hdev, GFP_NOIO) < 0) 2939 clear_bit(BTUSB_ISOC_RUNNING, &data->flags); 2940 else 2941 btusb_submit_isoc_urb(hdev, GFP_NOIO); 2942 } 2943 2944 spin_lock_irq(&data->txlock); 2945 play_deferred(data); 2946 clear_bit(BTUSB_SUSPENDING, &data->flags); 2947 spin_unlock_irq(&data->txlock); 2948 schedule_work(&data->work); 2949 2950 return 0; 2951 2952 failed: 2953 usb_scuttle_anchored_urbs(&data->deferred); 2954 done: 2955 spin_lock_irq(&data->txlock); 2956 clear_bit(BTUSB_SUSPENDING, &data->flags); 2957 spin_unlock_irq(&data->txlock); 2958 2959 return err; 2960 } 2961 #endif 2962 2963 static struct usb_driver btusb_driver = { 2964 .name = "btusb", 2965 .probe = btusb_probe, 2966 .disconnect = btusb_disconnect, 2967 #ifdef CONFIG_PM 2968 .suspend = btusb_suspend, 2969 .resume = btusb_resume, 2970 #endif 2971 .id_table = btusb_table, 2972 .supports_autosuspend = 1, 2973 .disable_hub_initiated_lpm = 1, 2974 }; 2975 2976 module_usb_driver(btusb_driver); 2977 2978 module_param(disable_scofix, bool, 0644); 2979 MODULE_PARM_DESC(disable_scofix, "Disable fixup of wrong SCO buffer size"); 2980 2981 module_param(force_scofix, bool, 0644); 2982 MODULE_PARM_DESC(force_scofix, "Force fixup of wrong SCO buffers size"); 2983 2984 module_param(reset, bool, 0644); 2985 MODULE_PARM_DESC(reset, "Send HCI reset command on initialization"); 2986 2987 MODULE_AUTHOR("Marcel Holtmann <marcel@holtmann.org>"); 2988 MODULE_DESCRIPTION("Generic Bluetooth USB driver ver " VERSION); 2989 MODULE_VERSION(VERSION); 2990 MODULE_LICENSE("GPL"); 2991