1 /* 2 * 3 * Generic Bluetooth USB driver 4 * 5 * Copyright (C) 2005-2008 Marcel Holtmann <marcel@holtmann.org> 6 * 7 * 8 * This program is free software; you can redistribute it and/or modify 9 * it under the terms of the GNU General Public License as published by 10 * the Free Software Foundation; either version 2 of the License, or 11 * (at your option) any later version. 12 * 13 * This program is distributed in the hope that it will be useful, 14 * but WITHOUT ANY WARRANTY; without even the implied warranty of 15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 16 * GNU General Public License for more details. 17 * 18 * You should have received a copy of the GNU General Public License 19 * along with this program; if not, write to the Free Software 20 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA 21 * 22 */ 23 24 #include <linux/module.h> 25 #include <linux/usb.h> 26 #include <linux/firmware.h> 27 28 #include <net/bluetooth/bluetooth.h> 29 #include <net/bluetooth/hci_core.h> 30 31 #define VERSION "0.7" 32 33 static bool disable_scofix; 34 static bool force_scofix; 35 36 static bool reset = 1; 37 38 static struct usb_driver btusb_driver; 39 40 #define BTUSB_IGNORE 0x01 41 #define BTUSB_DIGIANSWER 0x02 42 #define BTUSB_CSR 0x04 43 #define BTUSB_SNIFFER 0x08 44 #define BTUSB_BCM92035 0x10 45 #define BTUSB_BROKEN_ISOC 0x20 46 #define BTUSB_WRONG_SCO_MTU 0x40 47 #define BTUSB_ATH3012 0x80 48 #define BTUSB_INTEL 0x100 49 #define BTUSB_INTEL_BOOT 0x200 50 #define BTUSB_BCM_PATCHRAM 0x400 51 #define BTUSB_MARVELL 0x800 52 #define BTUSB_SWAVE 0x1000 53 #define BTUSB_INTEL_NEW 0x2000 54 #define BTUSB_AMP 0x4000 55 56 static const struct usb_device_id btusb_table[] = { 57 /* Generic Bluetooth USB device */ 58 { USB_DEVICE_INFO(0xe0, 0x01, 0x01) }, 59 60 /* Generic Bluetooth AMP device */ 61 { USB_DEVICE_INFO(0xe0, 0x01, 0x04), .driver_info = BTUSB_AMP }, 62 63 /* Apple-specific (Broadcom) devices */ 64 { USB_VENDOR_AND_INTERFACE_INFO(0x05ac, 0xff, 0x01, 0x01) }, 65 66 /* MediaTek MT76x0E */ 67 { USB_DEVICE(0x0e8d, 0x763f) }, 68 69 /* Broadcom SoftSailing reporting vendor specific */ 70 { USB_DEVICE(0x0a5c, 0x21e1) }, 71 72 /* Apple MacBookPro 7,1 */ 73 { USB_DEVICE(0x05ac, 0x8213) }, 74 75 /* Apple iMac11,1 */ 76 { USB_DEVICE(0x05ac, 0x8215) }, 77 78 /* Apple MacBookPro6,2 */ 79 { USB_DEVICE(0x05ac, 0x8218) }, 80 81 /* Apple MacBookAir3,1, MacBookAir3,2 */ 82 { USB_DEVICE(0x05ac, 0x821b) }, 83 84 /* Apple MacBookAir4,1 */ 85 { USB_DEVICE(0x05ac, 0x821f) }, 86 87 /* Apple MacBookPro8,2 */ 88 { USB_DEVICE(0x05ac, 0x821a) }, 89 90 /* Apple MacMini5,1 */ 91 { USB_DEVICE(0x05ac, 0x8281) }, 92 93 /* AVM BlueFRITZ! USB v2.0 */ 94 { USB_DEVICE(0x057c, 0x3800), .driver_info = BTUSB_SWAVE }, 95 96 /* Bluetooth Ultraport Module from IBM */ 97 { USB_DEVICE(0x04bf, 0x030a) }, 98 99 /* ALPS Modules with non-standard id */ 100 { USB_DEVICE(0x044e, 0x3001) }, 101 { USB_DEVICE(0x044e, 0x3002) }, 102 103 /* Ericsson with non-standard id */ 104 { USB_DEVICE(0x0bdb, 0x1002) }, 105 106 /* Canyon CN-BTU1 with HID interfaces */ 107 { USB_DEVICE(0x0c10, 0x0000) }, 108 109 /* Broadcom BCM20702A0 */ 110 { USB_DEVICE(0x0489, 0xe042) }, 111 { USB_DEVICE(0x04ca, 0x2003) }, 112 { USB_DEVICE(0x0b05, 0x17b5) }, 113 { USB_DEVICE(0x0b05, 0x17cb) }, 114 { USB_DEVICE(0x413c, 0x8197) }, 115 { USB_DEVICE(0x13d3, 0x3404), 116 .driver_info = BTUSB_BCM_PATCHRAM }, 117 118 /* Broadcom BCM20702B0 (Dynex/Insignia) */ 119 { USB_DEVICE(0x19ff, 0x0239), .driver_info = BTUSB_BCM_PATCHRAM }, 120 121 /* Foxconn - Hon Hai */ 122 { USB_VENDOR_AND_INTERFACE_INFO(0x0489, 0xff, 0x01, 0x01), 123 .driver_info = BTUSB_BCM_PATCHRAM }, 124 125 /* Lite-On Technology - Broadcom based */ 126 { USB_VENDOR_AND_INTERFACE_INFO(0x04ca, 0xff, 0x01, 0x01), 127 .driver_info = BTUSB_BCM_PATCHRAM }, 128 129 /* Broadcom devices with vendor specific id */ 130 { USB_VENDOR_AND_INTERFACE_INFO(0x0a5c, 0xff, 0x01, 0x01), 131 .driver_info = BTUSB_BCM_PATCHRAM }, 132 133 /* ASUSTek Computer - Broadcom based */ 134 { USB_VENDOR_AND_INTERFACE_INFO(0x0b05, 0xff, 0x01, 0x01), 135 .driver_info = BTUSB_BCM_PATCHRAM }, 136 137 /* Belkin F8065bf - Broadcom based */ 138 { USB_VENDOR_AND_INTERFACE_INFO(0x050d, 0xff, 0x01, 0x01) }, 139 140 /* IMC Networks - Broadcom based */ 141 { USB_VENDOR_AND_INTERFACE_INFO(0x13d3, 0xff, 0x01, 0x01) }, 142 143 /* Intel Bluetooth USB Bootloader (RAM module) */ 144 { USB_DEVICE(0x8087, 0x0a5a), 145 .driver_info = BTUSB_INTEL_BOOT | BTUSB_BROKEN_ISOC }, 146 147 { } /* Terminating entry */ 148 }; 149 150 MODULE_DEVICE_TABLE(usb, btusb_table); 151 152 static const struct usb_device_id blacklist_table[] = { 153 /* CSR BlueCore devices */ 154 { USB_DEVICE(0x0a12, 0x0001), .driver_info = BTUSB_CSR }, 155 156 /* Broadcom BCM2033 without firmware */ 157 { USB_DEVICE(0x0a5c, 0x2033), .driver_info = BTUSB_IGNORE }, 158 159 /* Atheros 3011 with sflash firmware */ 160 { USB_DEVICE(0x0489, 0xe027), .driver_info = BTUSB_IGNORE }, 161 { USB_DEVICE(0x0489, 0xe03d), .driver_info = BTUSB_IGNORE }, 162 { USB_DEVICE(0x0930, 0x0215), .driver_info = BTUSB_IGNORE }, 163 { USB_DEVICE(0x0cf3, 0x3002), .driver_info = BTUSB_IGNORE }, 164 { USB_DEVICE(0x0cf3, 0xe019), .driver_info = BTUSB_IGNORE }, 165 { USB_DEVICE(0x13d3, 0x3304), .driver_info = BTUSB_IGNORE }, 166 167 /* Atheros AR9285 Malbec with sflash firmware */ 168 { USB_DEVICE(0x03f0, 0x311d), .driver_info = BTUSB_IGNORE }, 169 170 /* Atheros 3012 with sflash firmware */ 171 { USB_DEVICE(0x0489, 0xe04d), .driver_info = BTUSB_ATH3012 }, 172 { USB_DEVICE(0x0489, 0xe04e), .driver_info = BTUSB_ATH3012 }, 173 { USB_DEVICE(0x0489, 0xe056), .driver_info = BTUSB_ATH3012 }, 174 { USB_DEVICE(0x0489, 0xe057), .driver_info = BTUSB_ATH3012 }, 175 { USB_DEVICE(0x0489, 0xe05f), .driver_info = BTUSB_ATH3012 }, 176 { USB_DEVICE(0x0489, 0xe078), .driver_info = BTUSB_ATH3012 }, 177 { USB_DEVICE(0x04c5, 0x1330), .driver_info = BTUSB_ATH3012 }, 178 { USB_DEVICE(0x04ca, 0x3004), .driver_info = BTUSB_ATH3012 }, 179 { USB_DEVICE(0x04ca, 0x3005), .driver_info = BTUSB_ATH3012 }, 180 { USB_DEVICE(0x04ca, 0x3006), .driver_info = BTUSB_ATH3012 }, 181 { USB_DEVICE(0x04ca, 0x3007), .driver_info = BTUSB_ATH3012 }, 182 { USB_DEVICE(0x04ca, 0x3008), .driver_info = BTUSB_ATH3012 }, 183 { USB_DEVICE(0x04ca, 0x300b), .driver_info = BTUSB_ATH3012 }, 184 { USB_DEVICE(0x04ca, 0x3010), .driver_info = BTUSB_ATH3012 }, 185 { USB_DEVICE(0x0930, 0x0219), .driver_info = BTUSB_ATH3012 }, 186 { USB_DEVICE(0x0930, 0x0220), .driver_info = BTUSB_ATH3012 }, 187 { USB_DEVICE(0x0930, 0x0227), .driver_info = BTUSB_ATH3012 }, 188 { USB_DEVICE(0x0b05, 0x17d0), .driver_info = BTUSB_ATH3012 }, 189 { USB_DEVICE(0x0cf3, 0x0036), .driver_info = BTUSB_ATH3012 }, 190 { USB_DEVICE(0x0cf3, 0x3004), .driver_info = BTUSB_ATH3012 }, 191 { USB_DEVICE(0x0cf3, 0x3008), .driver_info = BTUSB_ATH3012 }, 192 { USB_DEVICE(0x0cf3, 0x311d), .driver_info = BTUSB_ATH3012 }, 193 { USB_DEVICE(0x0cf3, 0x311e), .driver_info = BTUSB_ATH3012 }, 194 { USB_DEVICE(0x0cf3, 0x311f), .driver_info = BTUSB_ATH3012 }, 195 { USB_DEVICE(0x0cf3, 0x3121), .driver_info = BTUSB_ATH3012 }, 196 { USB_DEVICE(0x0cf3, 0x817a), .driver_info = BTUSB_ATH3012 }, 197 { USB_DEVICE(0x0cf3, 0xe003), .driver_info = BTUSB_ATH3012 }, 198 { USB_DEVICE(0x0cf3, 0xe004), .driver_info = BTUSB_ATH3012 }, 199 { USB_DEVICE(0x0cf3, 0xe005), .driver_info = BTUSB_ATH3012 }, 200 { USB_DEVICE(0x13d3, 0x3362), .driver_info = BTUSB_ATH3012 }, 201 { USB_DEVICE(0x13d3, 0x3375), .driver_info = BTUSB_ATH3012 }, 202 { USB_DEVICE(0x13d3, 0x3393), .driver_info = BTUSB_ATH3012 }, 203 { USB_DEVICE(0x13d3, 0x3402), .driver_info = BTUSB_ATH3012 }, 204 { USB_DEVICE(0x13d3, 0x3408), .driver_info = BTUSB_ATH3012 }, 205 { USB_DEVICE(0x13d3, 0x3423), .driver_info = BTUSB_ATH3012 }, 206 { USB_DEVICE(0x13d3, 0x3432), .driver_info = BTUSB_ATH3012 }, 207 208 /* Atheros AR5BBU12 with sflash firmware */ 209 { USB_DEVICE(0x0489, 0xe02c), .driver_info = BTUSB_IGNORE }, 210 211 /* Atheros AR5BBU12 with sflash firmware */ 212 { USB_DEVICE(0x0489, 0xe036), .driver_info = BTUSB_ATH3012 }, 213 { USB_DEVICE(0x0489, 0xe03c), .driver_info = BTUSB_ATH3012 }, 214 215 /* Broadcom BCM2035 */ 216 { USB_DEVICE(0x0a5c, 0x2009), .driver_info = BTUSB_BCM92035 }, 217 { USB_DEVICE(0x0a5c, 0x200a), .driver_info = BTUSB_WRONG_SCO_MTU }, 218 { USB_DEVICE(0x0a5c, 0x2035), .driver_info = BTUSB_WRONG_SCO_MTU }, 219 220 /* Broadcom BCM2045 */ 221 { USB_DEVICE(0x0a5c, 0x2039), .driver_info = BTUSB_WRONG_SCO_MTU }, 222 { USB_DEVICE(0x0a5c, 0x2101), .driver_info = BTUSB_WRONG_SCO_MTU }, 223 224 /* IBM/Lenovo ThinkPad with Broadcom chip */ 225 { USB_DEVICE(0x0a5c, 0x201e), .driver_info = BTUSB_WRONG_SCO_MTU }, 226 { USB_DEVICE(0x0a5c, 0x2110), .driver_info = BTUSB_WRONG_SCO_MTU }, 227 228 /* HP laptop with Broadcom chip */ 229 { USB_DEVICE(0x03f0, 0x171d), .driver_info = BTUSB_WRONG_SCO_MTU }, 230 231 /* Dell laptop with Broadcom chip */ 232 { USB_DEVICE(0x413c, 0x8126), .driver_info = BTUSB_WRONG_SCO_MTU }, 233 234 /* Dell Wireless 370 and 410 devices */ 235 { USB_DEVICE(0x413c, 0x8152), .driver_info = BTUSB_WRONG_SCO_MTU }, 236 { USB_DEVICE(0x413c, 0x8156), .driver_info = BTUSB_WRONG_SCO_MTU }, 237 238 /* Belkin F8T012 and F8T013 devices */ 239 { USB_DEVICE(0x050d, 0x0012), .driver_info = BTUSB_WRONG_SCO_MTU }, 240 { USB_DEVICE(0x050d, 0x0013), .driver_info = BTUSB_WRONG_SCO_MTU }, 241 242 /* Asus WL-BTD202 device */ 243 { USB_DEVICE(0x0b05, 0x1715), .driver_info = BTUSB_WRONG_SCO_MTU }, 244 245 /* Kensington Bluetooth USB adapter */ 246 { USB_DEVICE(0x047d, 0x105e), .driver_info = BTUSB_WRONG_SCO_MTU }, 247 248 /* RTX Telecom based adapters with buggy SCO support */ 249 { USB_DEVICE(0x0400, 0x0807), .driver_info = BTUSB_BROKEN_ISOC }, 250 { USB_DEVICE(0x0400, 0x080a), .driver_info = BTUSB_BROKEN_ISOC }, 251 252 /* CONWISE Technology based adapters with buggy SCO support */ 253 { USB_DEVICE(0x0e5e, 0x6622), .driver_info = BTUSB_BROKEN_ISOC }, 254 255 /* Roper Class 1 Bluetooth Dongle (Silicon Wave based) */ 256 { USB_DEVICE(0x1300, 0x0001), .driver_info = BTUSB_SWAVE }, 257 258 /* Digianswer devices */ 259 { USB_DEVICE(0x08fd, 0x0001), .driver_info = BTUSB_DIGIANSWER }, 260 { USB_DEVICE(0x08fd, 0x0002), .driver_info = BTUSB_IGNORE }, 261 262 /* CSR BlueCore Bluetooth Sniffer */ 263 { USB_DEVICE(0x0a12, 0x0002), 264 .driver_info = BTUSB_SNIFFER | BTUSB_BROKEN_ISOC }, 265 266 /* Frontline ComProbe Bluetooth Sniffer */ 267 { USB_DEVICE(0x16d3, 0x0002), 268 .driver_info = BTUSB_SNIFFER | BTUSB_BROKEN_ISOC }, 269 270 /* Marvell Bluetooth devices */ 271 { USB_DEVICE(0x1286, 0x2044), .driver_info = BTUSB_MARVELL }, 272 { USB_DEVICE(0x1286, 0x2046), .driver_info = BTUSB_MARVELL }, 273 274 /* Intel Bluetooth devices */ 275 { USB_DEVICE(0x8087, 0x07da), .driver_info = BTUSB_CSR }, 276 { USB_DEVICE(0x8087, 0x07dc), .driver_info = BTUSB_INTEL }, 277 { USB_DEVICE(0x8087, 0x0a2a), .driver_info = BTUSB_INTEL }, 278 { USB_DEVICE(0x8087, 0x0a2b), .driver_info = BTUSB_INTEL_NEW }, 279 280 /* Other Intel Bluetooth devices */ 281 { USB_VENDOR_AND_INTERFACE_INFO(0x8087, 0xe0, 0x01, 0x01), 282 .driver_info = BTUSB_IGNORE }, 283 284 { } /* Terminating entry */ 285 }; 286 287 #define BTUSB_MAX_ISOC_FRAMES 10 288 289 #define BTUSB_INTR_RUNNING 0 290 #define BTUSB_BULK_RUNNING 1 291 #define BTUSB_ISOC_RUNNING 2 292 #define BTUSB_SUSPENDING 3 293 #define BTUSB_DID_ISO_RESUME 4 294 #define BTUSB_BOOTLOADER 5 295 #define BTUSB_DOWNLOADING 6 296 #define BTUSB_FIRMWARE_LOADED 7 297 #define BTUSB_FIRMWARE_FAILED 8 298 #define BTUSB_BOOTING 9 299 300 struct btusb_data { 301 struct hci_dev *hdev; 302 struct usb_device *udev; 303 struct usb_interface *intf; 304 struct usb_interface *isoc; 305 306 unsigned long flags; 307 308 struct work_struct work; 309 struct work_struct waker; 310 311 struct usb_anchor deferred; 312 struct usb_anchor tx_anchor; 313 int tx_in_flight; 314 spinlock_t txlock; 315 316 struct usb_anchor intr_anchor; 317 struct usb_anchor bulk_anchor; 318 struct usb_anchor isoc_anchor; 319 spinlock_t rxlock; 320 321 struct sk_buff *evt_skb; 322 struct sk_buff *acl_skb; 323 struct sk_buff *sco_skb; 324 325 struct usb_endpoint_descriptor *intr_ep; 326 struct usb_endpoint_descriptor *bulk_tx_ep; 327 struct usb_endpoint_descriptor *bulk_rx_ep; 328 struct usb_endpoint_descriptor *isoc_tx_ep; 329 struct usb_endpoint_descriptor *isoc_rx_ep; 330 331 __u8 cmdreq_type; 332 __u8 cmdreq; 333 334 unsigned int sco_num; 335 int isoc_altsetting; 336 int suspend_count; 337 338 int (*recv_event)(struct hci_dev *hdev, struct sk_buff *skb); 339 int (*recv_bulk)(struct btusb_data *data, void *buffer, int count); 340 }; 341 342 static int btusb_wait_on_bit_timeout(void *word, int bit, unsigned long timeout, 343 unsigned mode) 344 { 345 might_sleep(); 346 if (!test_bit(bit, word)) 347 return 0; 348 return out_of_line_wait_on_bit_timeout(word, bit, bit_wait_timeout, 349 mode, timeout); 350 } 351 352 static inline void btusb_free_frags(struct btusb_data *data) 353 { 354 unsigned long flags; 355 356 spin_lock_irqsave(&data->rxlock, flags); 357 358 kfree_skb(data->evt_skb); 359 data->evt_skb = NULL; 360 361 kfree_skb(data->acl_skb); 362 data->acl_skb = NULL; 363 364 kfree_skb(data->sco_skb); 365 data->sco_skb = NULL; 366 367 spin_unlock_irqrestore(&data->rxlock, flags); 368 } 369 370 static int btusb_recv_intr(struct btusb_data *data, void *buffer, int count) 371 { 372 struct sk_buff *skb; 373 int err = 0; 374 375 spin_lock(&data->rxlock); 376 skb = data->evt_skb; 377 378 while (count) { 379 int len; 380 381 if (!skb) { 382 skb = bt_skb_alloc(HCI_MAX_EVENT_SIZE, GFP_ATOMIC); 383 if (!skb) { 384 err = -ENOMEM; 385 break; 386 } 387 388 bt_cb(skb)->pkt_type = HCI_EVENT_PKT; 389 bt_cb(skb)->expect = HCI_EVENT_HDR_SIZE; 390 } 391 392 len = min_t(uint, bt_cb(skb)->expect, count); 393 memcpy(skb_put(skb, len), buffer, len); 394 395 count -= len; 396 buffer += len; 397 bt_cb(skb)->expect -= len; 398 399 if (skb->len == HCI_EVENT_HDR_SIZE) { 400 /* Complete event header */ 401 bt_cb(skb)->expect = hci_event_hdr(skb)->plen; 402 403 if (skb_tailroom(skb) < bt_cb(skb)->expect) { 404 kfree_skb(skb); 405 skb = NULL; 406 407 err = -EILSEQ; 408 break; 409 } 410 } 411 412 if (bt_cb(skb)->expect == 0) { 413 /* Complete frame */ 414 data->recv_event(data->hdev, skb); 415 skb = NULL; 416 } 417 } 418 419 data->evt_skb = skb; 420 spin_unlock(&data->rxlock); 421 422 return err; 423 } 424 425 static int btusb_recv_bulk(struct btusb_data *data, void *buffer, int count) 426 { 427 struct sk_buff *skb; 428 int err = 0; 429 430 spin_lock(&data->rxlock); 431 skb = data->acl_skb; 432 433 while (count) { 434 int len; 435 436 if (!skb) { 437 skb = bt_skb_alloc(HCI_MAX_FRAME_SIZE, GFP_ATOMIC); 438 if (!skb) { 439 err = -ENOMEM; 440 break; 441 } 442 443 bt_cb(skb)->pkt_type = HCI_ACLDATA_PKT; 444 bt_cb(skb)->expect = HCI_ACL_HDR_SIZE; 445 } 446 447 len = min_t(uint, bt_cb(skb)->expect, count); 448 memcpy(skb_put(skb, len), buffer, len); 449 450 count -= len; 451 buffer += len; 452 bt_cb(skb)->expect -= len; 453 454 if (skb->len == HCI_ACL_HDR_SIZE) { 455 __le16 dlen = hci_acl_hdr(skb)->dlen; 456 457 /* Complete ACL header */ 458 bt_cb(skb)->expect = __le16_to_cpu(dlen); 459 460 if (skb_tailroom(skb) < bt_cb(skb)->expect) { 461 kfree_skb(skb); 462 skb = NULL; 463 464 err = -EILSEQ; 465 break; 466 } 467 } 468 469 if (bt_cb(skb)->expect == 0) { 470 /* Complete frame */ 471 hci_recv_frame(data->hdev, skb); 472 skb = NULL; 473 } 474 } 475 476 data->acl_skb = skb; 477 spin_unlock(&data->rxlock); 478 479 return err; 480 } 481 482 static int btusb_recv_isoc(struct btusb_data *data, void *buffer, int count) 483 { 484 struct sk_buff *skb; 485 int err = 0; 486 487 spin_lock(&data->rxlock); 488 skb = data->sco_skb; 489 490 while (count) { 491 int len; 492 493 if (!skb) { 494 skb = bt_skb_alloc(HCI_MAX_SCO_SIZE, GFP_ATOMIC); 495 if (!skb) { 496 err = -ENOMEM; 497 break; 498 } 499 500 bt_cb(skb)->pkt_type = HCI_SCODATA_PKT; 501 bt_cb(skb)->expect = HCI_SCO_HDR_SIZE; 502 } 503 504 len = min_t(uint, bt_cb(skb)->expect, count); 505 memcpy(skb_put(skb, len), buffer, len); 506 507 count -= len; 508 buffer += len; 509 bt_cb(skb)->expect -= len; 510 511 if (skb->len == HCI_SCO_HDR_SIZE) { 512 /* Complete SCO header */ 513 bt_cb(skb)->expect = hci_sco_hdr(skb)->dlen; 514 515 if (skb_tailroom(skb) < bt_cb(skb)->expect) { 516 kfree_skb(skb); 517 skb = NULL; 518 519 err = -EILSEQ; 520 break; 521 } 522 } 523 524 if (bt_cb(skb)->expect == 0) { 525 /* Complete frame */ 526 hci_recv_frame(data->hdev, skb); 527 skb = NULL; 528 } 529 } 530 531 data->sco_skb = skb; 532 spin_unlock(&data->rxlock); 533 534 return err; 535 } 536 537 static void btusb_intr_complete(struct urb *urb) 538 { 539 struct hci_dev *hdev = urb->context; 540 struct btusb_data *data = hci_get_drvdata(hdev); 541 int err; 542 543 BT_DBG("%s urb %p status %d count %d", hdev->name, urb, urb->status, 544 urb->actual_length); 545 546 if (!test_bit(HCI_RUNNING, &hdev->flags)) 547 return; 548 549 if (urb->status == 0) { 550 hdev->stat.byte_rx += urb->actual_length; 551 552 if (btusb_recv_intr(data, urb->transfer_buffer, 553 urb->actual_length) < 0) { 554 BT_ERR("%s corrupted event packet", hdev->name); 555 hdev->stat.err_rx++; 556 } 557 } else if (urb->status == -ENOENT) { 558 /* Avoid suspend failed when usb_kill_urb */ 559 return; 560 } 561 562 if (!test_bit(BTUSB_INTR_RUNNING, &data->flags)) 563 return; 564 565 usb_mark_last_busy(data->udev); 566 usb_anchor_urb(urb, &data->intr_anchor); 567 568 err = usb_submit_urb(urb, GFP_ATOMIC); 569 if (err < 0) { 570 /* -EPERM: urb is being killed; 571 * -ENODEV: device got disconnected */ 572 if (err != -EPERM && err != -ENODEV) 573 BT_ERR("%s urb %p failed to resubmit (%d)", 574 hdev->name, urb, -err); 575 usb_unanchor_urb(urb); 576 } 577 } 578 579 static int btusb_submit_intr_urb(struct hci_dev *hdev, gfp_t mem_flags) 580 { 581 struct btusb_data *data = hci_get_drvdata(hdev); 582 struct urb *urb; 583 unsigned char *buf; 584 unsigned int pipe; 585 int err, size; 586 587 BT_DBG("%s", hdev->name); 588 589 if (!data->intr_ep) 590 return -ENODEV; 591 592 urb = usb_alloc_urb(0, mem_flags); 593 if (!urb) 594 return -ENOMEM; 595 596 size = le16_to_cpu(data->intr_ep->wMaxPacketSize); 597 598 buf = kmalloc(size, mem_flags); 599 if (!buf) { 600 usb_free_urb(urb); 601 return -ENOMEM; 602 } 603 604 pipe = usb_rcvintpipe(data->udev, data->intr_ep->bEndpointAddress); 605 606 usb_fill_int_urb(urb, data->udev, pipe, buf, size, 607 btusb_intr_complete, hdev, data->intr_ep->bInterval); 608 609 urb->transfer_flags |= URB_FREE_BUFFER; 610 611 usb_anchor_urb(urb, &data->intr_anchor); 612 613 err = usb_submit_urb(urb, mem_flags); 614 if (err < 0) { 615 if (err != -EPERM && err != -ENODEV) 616 BT_ERR("%s urb %p submission failed (%d)", 617 hdev->name, urb, -err); 618 usb_unanchor_urb(urb); 619 } 620 621 usb_free_urb(urb); 622 623 return err; 624 } 625 626 static void btusb_bulk_complete(struct urb *urb) 627 { 628 struct hci_dev *hdev = urb->context; 629 struct btusb_data *data = hci_get_drvdata(hdev); 630 int err; 631 632 BT_DBG("%s urb %p status %d count %d", hdev->name, urb, urb->status, 633 urb->actual_length); 634 635 if (!test_bit(HCI_RUNNING, &hdev->flags)) 636 return; 637 638 if (urb->status == 0) { 639 hdev->stat.byte_rx += urb->actual_length; 640 641 if (data->recv_bulk(data, urb->transfer_buffer, 642 urb->actual_length) < 0) { 643 BT_ERR("%s corrupted ACL packet", hdev->name); 644 hdev->stat.err_rx++; 645 } 646 } else if (urb->status == -ENOENT) { 647 /* Avoid suspend failed when usb_kill_urb */ 648 return; 649 } 650 651 if (!test_bit(BTUSB_BULK_RUNNING, &data->flags)) 652 return; 653 654 usb_anchor_urb(urb, &data->bulk_anchor); 655 usb_mark_last_busy(data->udev); 656 657 err = usb_submit_urb(urb, GFP_ATOMIC); 658 if (err < 0) { 659 /* -EPERM: urb is being killed; 660 * -ENODEV: device got disconnected */ 661 if (err != -EPERM && err != -ENODEV) 662 BT_ERR("%s urb %p failed to resubmit (%d)", 663 hdev->name, urb, -err); 664 usb_unanchor_urb(urb); 665 } 666 } 667 668 static int btusb_submit_bulk_urb(struct hci_dev *hdev, gfp_t mem_flags) 669 { 670 struct btusb_data *data = hci_get_drvdata(hdev); 671 struct urb *urb; 672 unsigned char *buf; 673 unsigned int pipe; 674 int err, size = HCI_MAX_FRAME_SIZE; 675 676 BT_DBG("%s", hdev->name); 677 678 if (!data->bulk_rx_ep) 679 return -ENODEV; 680 681 urb = usb_alloc_urb(0, mem_flags); 682 if (!urb) 683 return -ENOMEM; 684 685 buf = kmalloc(size, mem_flags); 686 if (!buf) { 687 usb_free_urb(urb); 688 return -ENOMEM; 689 } 690 691 pipe = usb_rcvbulkpipe(data->udev, data->bulk_rx_ep->bEndpointAddress); 692 693 usb_fill_bulk_urb(urb, data->udev, pipe, buf, size, 694 btusb_bulk_complete, hdev); 695 696 urb->transfer_flags |= URB_FREE_BUFFER; 697 698 usb_mark_last_busy(data->udev); 699 usb_anchor_urb(urb, &data->bulk_anchor); 700 701 err = usb_submit_urb(urb, mem_flags); 702 if (err < 0) { 703 if (err != -EPERM && err != -ENODEV) 704 BT_ERR("%s urb %p submission failed (%d)", 705 hdev->name, urb, -err); 706 usb_unanchor_urb(urb); 707 } 708 709 usb_free_urb(urb); 710 711 return err; 712 } 713 714 static void btusb_isoc_complete(struct urb *urb) 715 { 716 struct hci_dev *hdev = urb->context; 717 struct btusb_data *data = hci_get_drvdata(hdev); 718 int i, err; 719 720 BT_DBG("%s urb %p status %d count %d", hdev->name, urb, urb->status, 721 urb->actual_length); 722 723 if (!test_bit(HCI_RUNNING, &hdev->flags)) 724 return; 725 726 if (urb->status == 0) { 727 for (i = 0; i < urb->number_of_packets; i++) { 728 unsigned int offset = urb->iso_frame_desc[i].offset; 729 unsigned int length = urb->iso_frame_desc[i].actual_length; 730 731 if (urb->iso_frame_desc[i].status) 732 continue; 733 734 hdev->stat.byte_rx += length; 735 736 if (btusb_recv_isoc(data, urb->transfer_buffer + offset, 737 length) < 0) { 738 BT_ERR("%s corrupted SCO packet", hdev->name); 739 hdev->stat.err_rx++; 740 } 741 } 742 } else if (urb->status == -ENOENT) { 743 /* Avoid suspend failed when usb_kill_urb */ 744 return; 745 } 746 747 if (!test_bit(BTUSB_ISOC_RUNNING, &data->flags)) 748 return; 749 750 usb_anchor_urb(urb, &data->isoc_anchor); 751 752 err = usb_submit_urb(urb, GFP_ATOMIC); 753 if (err < 0) { 754 /* -EPERM: urb is being killed; 755 * -ENODEV: device got disconnected */ 756 if (err != -EPERM && err != -ENODEV) 757 BT_ERR("%s urb %p failed to resubmit (%d)", 758 hdev->name, urb, -err); 759 usb_unanchor_urb(urb); 760 } 761 } 762 763 static inline void __fill_isoc_descriptor(struct urb *urb, int len, int mtu) 764 { 765 int i, offset = 0; 766 767 BT_DBG("len %d mtu %d", len, mtu); 768 769 for (i = 0; i < BTUSB_MAX_ISOC_FRAMES && len >= mtu; 770 i++, offset += mtu, len -= mtu) { 771 urb->iso_frame_desc[i].offset = offset; 772 urb->iso_frame_desc[i].length = mtu; 773 } 774 775 if (len && i < BTUSB_MAX_ISOC_FRAMES) { 776 urb->iso_frame_desc[i].offset = offset; 777 urb->iso_frame_desc[i].length = len; 778 i++; 779 } 780 781 urb->number_of_packets = i; 782 } 783 784 static int btusb_submit_isoc_urb(struct hci_dev *hdev, gfp_t mem_flags) 785 { 786 struct btusb_data *data = hci_get_drvdata(hdev); 787 struct urb *urb; 788 unsigned char *buf; 789 unsigned int pipe; 790 int err, size; 791 792 BT_DBG("%s", hdev->name); 793 794 if (!data->isoc_rx_ep) 795 return -ENODEV; 796 797 urb = usb_alloc_urb(BTUSB_MAX_ISOC_FRAMES, mem_flags); 798 if (!urb) 799 return -ENOMEM; 800 801 size = le16_to_cpu(data->isoc_rx_ep->wMaxPacketSize) * 802 BTUSB_MAX_ISOC_FRAMES; 803 804 buf = kmalloc(size, mem_flags); 805 if (!buf) { 806 usb_free_urb(urb); 807 return -ENOMEM; 808 } 809 810 pipe = usb_rcvisocpipe(data->udev, data->isoc_rx_ep->bEndpointAddress); 811 812 usb_fill_int_urb(urb, data->udev, pipe, buf, size, btusb_isoc_complete, 813 hdev, data->isoc_rx_ep->bInterval); 814 815 urb->transfer_flags = URB_FREE_BUFFER | URB_ISO_ASAP; 816 817 __fill_isoc_descriptor(urb, size, 818 le16_to_cpu(data->isoc_rx_ep->wMaxPacketSize)); 819 820 usb_anchor_urb(urb, &data->isoc_anchor); 821 822 err = usb_submit_urb(urb, mem_flags); 823 if (err < 0) { 824 if (err != -EPERM && err != -ENODEV) 825 BT_ERR("%s urb %p submission failed (%d)", 826 hdev->name, urb, -err); 827 usb_unanchor_urb(urb); 828 } 829 830 usb_free_urb(urb); 831 832 return err; 833 } 834 835 static void btusb_tx_complete(struct urb *urb) 836 { 837 struct sk_buff *skb = urb->context; 838 struct hci_dev *hdev = (struct hci_dev *)skb->dev; 839 struct btusb_data *data = hci_get_drvdata(hdev); 840 841 BT_DBG("%s urb %p status %d count %d", hdev->name, urb, urb->status, 842 urb->actual_length); 843 844 if (!test_bit(HCI_RUNNING, &hdev->flags)) 845 goto done; 846 847 if (!urb->status) 848 hdev->stat.byte_tx += urb->transfer_buffer_length; 849 else 850 hdev->stat.err_tx++; 851 852 done: 853 spin_lock(&data->txlock); 854 data->tx_in_flight--; 855 spin_unlock(&data->txlock); 856 857 kfree(urb->setup_packet); 858 859 kfree_skb(skb); 860 } 861 862 static void btusb_isoc_tx_complete(struct urb *urb) 863 { 864 struct sk_buff *skb = urb->context; 865 struct hci_dev *hdev = (struct hci_dev *)skb->dev; 866 867 BT_DBG("%s urb %p status %d count %d", hdev->name, urb, urb->status, 868 urb->actual_length); 869 870 if (!test_bit(HCI_RUNNING, &hdev->flags)) 871 goto done; 872 873 if (!urb->status) 874 hdev->stat.byte_tx += urb->transfer_buffer_length; 875 else 876 hdev->stat.err_tx++; 877 878 done: 879 kfree(urb->setup_packet); 880 881 kfree_skb(skb); 882 } 883 884 static int btusb_open(struct hci_dev *hdev) 885 { 886 struct btusb_data *data = hci_get_drvdata(hdev); 887 int err; 888 889 BT_DBG("%s", hdev->name); 890 891 err = usb_autopm_get_interface(data->intf); 892 if (err < 0) 893 return err; 894 895 data->intf->needs_remote_wakeup = 1; 896 897 if (test_and_set_bit(HCI_RUNNING, &hdev->flags)) 898 goto done; 899 900 if (test_and_set_bit(BTUSB_INTR_RUNNING, &data->flags)) 901 goto done; 902 903 err = btusb_submit_intr_urb(hdev, GFP_KERNEL); 904 if (err < 0) 905 goto failed; 906 907 err = btusb_submit_bulk_urb(hdev, GFP_KERNEL); 908 if (err < 0) { 909 usb_kill_anchored_urbs(&data->intr_anchor); 910 goto failed; 911 } 912 913 set_bit(BTUSB_BULK_RUNNING, &data->flags); 914 btusb_submit_bulk_urb(hdev, GFP_KERNEL); 915 916 done: 917 usb_autopm_put_interface(data->intf); 918 return 0; 919 920 failed: 921 clear_bit(BTUSB_INTR_RUNNING, &data->flags); 922 clear_bit(HCI_RUNNING, &hdev->flags); 923 usb_autopm_put_interface(data->intf); 924 return err; 925 } 926 927 static void btusb_stop_traffic(struct btusb_data *data) 928 { 929 usb_kill_anchored_urbs(&data->intr_anchor); 930 usb_kill_anchored_urbs(&data->bulk_anchor); 931 usb_kill_anchored_urbs(&data->isoc_anchor); 932 } 933 934 static int btusb_close(struct hci_dev *hdev) 935 { 936 struct btusb_data *data = hci_get_drvdata(hdev); 937 int err; 938 939 BT_DBG("%s", hdev->name); 940 941 if (!test_and_clear_bit(HCI_RUNNING, &hdev->flags)) 942 return 0; 943 944 cancel_work_sync(&data->work); 945 cancel_work_sync(&data->waker); 946 947 clear_bit(BTUSB_ISOC_RUNNING, &data->flags); 948 clear_bit(BTUSB_BULK_RUNNING, &data->flags); 949 clear_bit(BTUSB_INTR_RUNNING, &data->flags); 950 951 btusb_stop_traffic(data); 952 btusb_free_frags(data); 953 954 err = usb_autopm_get_interface(data->intf); 955 if (err < 0) 956 goto failed; 957 958 data->intf->needs_remote_wakeup = 0; 959 usb_autopm_put_interface(data->intf); 960 961 failed: 962 usb_scuttle_anchored_urbs(&data->deferred); 963 return 0; 964 } 965 966 static int btusb_flush(struct hci_dev *hdev) 967 { 968 struct btusb_data *data = hci_get_drvdata(hdev); 969 970 BT_DBG("%s", hdev->name); 971 972 usb_kill_anchored_urbs(&data->tx_anchor); 973 btusb_free_frags(data); 974 975 return 0; 976 } 977 978 static struct urb *alloc_ctrl_urb(struct hci_dev *hdev, struct sk_buff *skb) 979 { 980 struct btusb_data *data = hci_get_drvdata(hdev); 981 struct usb_ctrlrequest *dr; 982 struct urb *urb; 983 unsigned int pipe; 984 985 urb = usb_alloc_urb(0, GFP_KERNEL); 986 if (!urb) 987 return ERR_PTR(-ENOMEM); 988 989 dr = kmalloc(sizeof(*dr), GFP_KERNEL); 990 if (!dr) { 991 usb_free_urb(urb); 992 return ERR_PTR(-ENOMEM); 993 } 994 995 dr->bRequestType = data->cmdreq_type; 996 dr->bRequest = data->cmdreq; 997 dr->wIndex = 0; 998 dr->wValue = 0; 999 dr->wLength = __cpu_to_le16(skb->len); 1000 1001 pipe = usb_sndctrlpipe(data->udev, 0x00); 1002 1003 usb_fill_control_urb(urb, data->udev, pipe, (void *)dr, 1004 skb->data, skb->len, btusb_tx_complete, skb); 1005 1006 skb->dev = (void *)hdev; 1007 1008 return urb; 1009 } 1010 1011 static struct urb *alloc_bulk_urb(struct hci_dev *hdev, struct sk_buff *skb) 1012 { 1013 struct btusb_data *data = hci_get_drvdata(hdev); 1014 struct urb *urb; 1015 unsigned int pipe; 1016 1017 if (!data->bulk_tx_ep) 1018 return ERR_PTR(-ENODEV); 1019 1020 urb = usb_alloc_urb(0, GFP_KERNEL); 1021 if (!urb) 1022 return ERR_PTR(-ENOMEM); 1023 1024 pipe = usb_sndbulkpipe(data->udev, data->bulk_tx_ep->bEndpointAddress); 1025 1026 usb_fill_bulk_urb(urb, data->udev, pipe, 1027 skb->data, skb->len, btusb_tx_complete, skb); 1028 1029 skb->dev = (void *)hdev; 1030 1031 return urb; 1032 } 1033 1034 static struct urb *alloc_isoc_urb(struct hci_dev *hdev, struct sk_buff *skb) 1035 { 1036 struct btusb_data *data = hci_get_drvdata(hdev); 1037 struct urb *urb; 1038 unsigned int pipe; 1039 1040 if (!data->isoc_tx_ep) 1041 return ERR_PTR(-ENODEV); 1042 1043 urb = usb_alloc_urb(BTUSB_MAX_ISOC_FRAMES, GFP_KERNEL); 1044 if (!urb) 1045 return ERR_PTR(-ENOMEM); 1046 1047 pipe = usb_sndisocpipe(data->udev, data->isoc_tx_ep->bEndpointAddress); 1048 1049 usb_fill_int_urb(urb, data->udev, pipe, 1050 skb->data, skb->len, btusb_isoc_tx_complete, 1051 skb, data->isoc_tx_ep->bInterval); 1052 1053 urb->transfer_flags = URB_ISO_ASAP; 1054 1055 __fill_isoc_descriptor(urb, skb->len, 1056 le16_to_cpu(data->isoc_tx_ep->wMaxPacketSize)); 1057 1058 skb->dev = (void *)hdev; 1059 1060 return urb; 1061 } 1062 1063 static int submit_tx_urb(struct hci_dev *hdev, struct urb *urb) 1064 { 1065 struct btusb_data *data = hci_get_drvdata(hdev); 1066 int err; 1067 1068 usb_anchor_urb(urb, &data->tx_anchor); 1069 1070 err = usb_submit_urb(urb, GFP_KERNEL); 1071 if (err < 0) { 1072 if (err != -EPERM && err != -ENODEV) 1073 BT_ERR("%s urb %p submission failed (%d)", 1074 hdev->name, urb, -err); 1075 kfree(urb->setup_packet); 1076 usb_unanchor_urb(urb); 1077 } else { 1078 usb_mark_last_busy(data->udev); 1079 } 1080 1081 usb_free_urb(urb); 1082 return err; 1083 } 1084 1085 static int submit_or_queue_tx_urb(struct hci_dev *hdev, struct urb *urb) 1086 { 1087 struct btusb_data *data = hci_get_drvdata(hdev); 1088 unsigned long flags; 1089 bool suspending; 1090 1091 spin_lock_irqsave(&data->txlock, flags); 1092 suspending = test_bit(BTUSB_SUSPENDING, &data->flags); 1093 if (!suspending) 1094 data->tx_in_flight++; 1095 spin_unlock_irqrestore(&data->txlock, flags); 1096 1097 if (!suspending) 1098 return submit_tx_urb(hdev, urb); 1099 1100 usb_anchor_urb(urb, &data->deferred); 1101 schedule_work(&data->waker); 1102 1103 usb_free_urb(urb); 1104 return 0; 1105 } 1106 1107 static int btusb_send_frame(struct hci_dev *hdev, struct sk_buff *skb) 1108 { 1109 struct urb *urb; 1110 1111 BT_DBG("%s", hdev->name); 1112 1113 if (!test_bit(HCI_RUNNING, &hdev->flags)) 1114 return -EBUSY; 1115 1116 switch (bt_cb(skb)->pkt_type) { 1117 case HCI_COMMAND_PKT: 1118 urb = alloc_ctrl_urb(hdev, skb); 1119 if (IS_ERR(urb)) 1120 return PTR_ERR(urb); 1121 1122 hdev->stat.cmd_tx++; 1123 return submit_or_queue_tx_urb(hdev, urb); 1124 1125 case HCI_ACLDATA_PKT: 1126 urb = alloc_bulk_urb(hdev, skb); 1127 if (IS_ERR(urb)) 1128 return PTR_ERR(urb); 1129 1130 hdev->stat.acl_tx++; 1131 return submit_or_queue_tx_urb(hdev, urb); 1132 1133 case HCI_SCODATA_PKT: 1134 if (hci_conn_num(hdev, SCO_LINK) < 1) 1135 return -ENODEV; 1136 1137 urb = alloc_isoc_urb(hdev, skb); 1138 if (IS_ERR(urb)) 1139 return PTR_ERR(urb); 1140 1141 hdev->stat.sco_tx++; 1142 return submit_tx_urb(hdev, urb); 1143 } 1144 1145 return -EILSEQ; 1146 } 1147 1148 static void btusb_notify(struct hci_dev *hdev, unsigned int evt) 1149 { 1150 struct btusb_data *data = hci_get_drvdata(hdev); 1151 1152 BT_DBG("%s evt %d", hdev->name, evt); 1153 1154 if (hci_conn_num(hdev, SCO_LINK) != data->sco_num) { 1155 data->sco_num = hci_conn_num(hdev, SCO_LINK); 1156 schedule_work(&data->work); 1157 } 1158 } 1159 1160 static inline int __set_isoc_interface(struct hci_dev *hdev, int altsetting) 1161 { 1162 struct btusb_data *data = hci_get_drvdata(hdev); 1163 struct usb_interface *intf = data->isoc; 1164 struct usb_endpoint_descriptor *ep_desc; 1165 int i, err; 1166 1167 if (!data->isoc) 1168 return -ENODEV; 1169 1170 err = usb_set_interface(data->udev, 1, altsetting); 1171 if (err < 0) { 1172 BT_ERR("%s setting interface failed (%d)", hdev->name, -err); 1173 return err; 1174 } 1175 1176 data->isoc_altsetting = altsetting; 1177 1178 data->isoc_tx_ep = NULL; 1179 data->isoc_rx_ep = NULL; 1180 1181 for (i = 0; i < intf->cur_altsetting->desc.bNumEndpoints; i++) { 1182 ep_desc = &intf->cur_altsetting->endpoint[i].desc; 1183 1184 if (!data->isoc_tx_ep && usb_endpoint_is_isoc_out(ep_desc)) { 1185 data->isoc_tx_ep = ep_desc; 1186 continue; 1187 } 1188 1189 if (!data->isoc_rx_ep && usb_endpoint_is_isoc_in(ep_desc)) { 1190 data->isoc_rx_ep = ep_desc; 1191 continue; 1192 } 1193 } 1194 1195 if (!data->isoc_tx_ep || !data->isoc_rx_ep) { 1196 BT_ERR("%s invalid SCO descriptors", hdev->name); 1197 return -ENODEV; 1198 } 1199 1200 return 0; 1201 } 1202 1203 static void btusb_work(struct work_struct *work) 1204 { 1205 struct btusb_data *data = container_of(work, struct btusb_data, work); 1206 struct hci_dev *hdev = data->hdev; 1207 int new_alts; 1208 int err; 1209 1210 if (data->sco_num > 0) { 1211 if (!test_bit(BTUSB_DID_ISO_RESUME, &data->flags)) { 1212 err = usb_autopm_get_interface(data->isoc ? data->isoc : data->intf); 1213 if (err < 0) { 1214 clear_bit(BTUSB_ISOC_RUNNING, &data->flags); 1215 usb_kill_anchored_urbs(&data->isoc_anchor); 1216 return; 1217 } 1218 1219 set_bit(BTUSB_DID_ISO_RESUME, &data->flags); 1220 } 1221 1222 if (hdev->voice_setting & 0x0020) { 1223 static const int alts[3] = { 2, 4, 5 }; 1224 1225 new_alts = alts[data->sco_num - 1]; 1226 } else { 1227 new_alts = data->sco_num; 1228 } 1229 1230 if (data->isoc_altsetting != new_alts) { 1231 clear_bit(BTUSB_ISOC_RUNNING, &data->flags); 1232 usb_kill_anchored_urbs(&data->isoc_anchor); 1233 1234 if (__set_isoc_interface(hdev, new_alts) < 0) 1235 return; 1236 } 1237 1238 if (!test_and_set_bit(BTUSB_ISOC_RUNNING, &data->flags)) { 1239 if (btusb_submit_isoc_urb(hdev, GFP_KERNEL) < 0) 1240 clear_bit(BTUSB_ISOC_RUNNING, &data->flags); 1241 else 1242 btusb_submit_isoc_urb(hdev, GFP_KERNEL); 1243 } 1244 } else { 1245 clear_bit(BTUSB_ISOC_RUNNING, &data->flags); 1246 usb_kill_anchored_urbs(&data->isoc_anchor); 1247 1248 __set_isoc_interface(hdev, 0); 1249 if (test_and_clear_bit(BTUSB_DID_ISO_RESUME, &data->flags)) 1250 usb_autopm_put_interface(data->isoc ? data->isoc : data->intf); 1251 } 1252 } 1253 1254 static void btusb_waker(struct work_struct *work) 1255 { 1256 struct btusb_data *data = container_of(work, struct btusb_data, waker); 1257 int err; 1258 1259 err = usb_autopm_get_interface(data->intf); 1260 if (err < 0) 1261 return; 1262 1263 usb_autopm_put_interface(data->intf); 1264 } 1265 1266 static int btusb_setup_bcm92035(struct hci_dev *hdev) 1267 { 1268 struct sk_buff *skb; 1269 u8 val = 0x00; 1270 1271 BT_DBG("%s", hdev->name); 1272 1273 skb = __hci_cmd_sync(hdev, 0xfc3b, 1, &val, HCI_INIT_TIMEOUT); 1274 if (IS_ERR(skb)) 1275 BT_ERR("BCM92035 command failed (%ld)", -PTR_ERR(skb)); 1276 else 1277 kfree_skb(skb); 1278 1279 return 0; 1280 } 1281 1282 static int btusb_setup_csr(struct hci_dev *hdev) 1283 { 1284 struct hci_rp_read_local_version *rp; 1285 struct sk_buff *skb; 1286 int ret; 1287 1288 BT_DBG("%s", hdev->name); 1289 1290 skb = __hci_cmd_sync(hdev, HCI_OP_READ_LOCAL_VERSION, 0, NULL, 1291 HCI_INIT_TIMEOUT); 1292 if (IS_ERR(skb)) { 1293 BT_ERR("Reading local version failed (%ld)", -PTR_ERR(skb)); 1294 return -PTR_ERR(skb); 1295 } 1296 1297 rp = (struct hci_rp_read_local_version *)skb->data; 1298 1299 if (!rp->status) { 1300 if (le16_to_cpu(rp->manufacturer) != 10) { 1301 /* Clear the reset quirk since this is not an actual 1302 * early Bluetooth 1.1 device from CSR. 1303 */ 1304 clear_bit(HCI_QUIRK_RESET_ON_CLOSE, &hdev->quirks); 1305 1306 /* These fake CSR controllers have all a broken 1307 * stored link key handling and so just disable it. 1308 */ 1309 set_bit(HCI_QUIRK_BROKEN_STORED_LINK_KEY, 1310 &hdev->quirks); 1311 } 1312 } 1313 1314 ret = -bt_to_errno(rp->status); 1315 1316 kfree_skb(skb); 1317 1318 return ret; 1319 } 1320 1321 struct intel_version { 1322 u8 status; 1323 u8 hw_platform; 1324 u8 hw_variant; 1325 u8 hw_revision; 1326 u8 fw_variant; 1327 u8 fw_revision; 1328 u8 fw_build_num; 1329 u8 fw_build_ww; 1330 u8 fw_build_yy; 1331 u8 fw_patch_num; 1332 } __packed; 1333 1334 struct intel_boot_params { 1335 __u8 status; 1336 __u8 otp_format; 1337 __u8 otp_content; 1338 __u8 otp_patch; 1339 __le16 dev_revid; 1340 __u8 secure_boot; 1341 __u8 key_from_hdr; 1342 __u8 key_type; 1343 __u8 otp_lock; 1344 __u8 api_lock; 1345 __u8 debug_lock; 1346 bdaddr_t otp_bdaddr; 1347 __u8 min_fw_build_nn; 1348 __u8 min_fw_build_cw; 1349 __u8 min_fw_build_yy; 1350 __u8 limited_cce; 1351 __u8 unlocked_state; 1352 } __packed; 1353 1354 static const struct firmware *btusb_setup_intel_get_fw(struct hci_dev *hdev, 1355 struct intel_version *ver) 1356 { 1357 const struct firmware *fw; 1358 char fwname[64]; 1359 int ret; 1360 1361 snprintf(fwname, sizeof(fwname), 1362 "intel/ibt-hw-%x.%x.%x-fw-%x.%x.%x.%x.%x.bseq", 1363 ver->hw_platform, ver->hw_variant, ver->hw_revision, 1364 ver->fw_variant, ver->fw_revision, ver->fw_build_num, 1365 ver->fw_build_ww, ver->fw_build_yy); 1366 1367 ret = request_firmware(&fw, fwname, &hdev->dev); 1368 if (ret < 0) { 1369 if (ret == -EINVAL) { 1370 BT_ERR("%s Intel firmware file request failed (%d)", 1371 hdev->name, ret); 1372 return NULL; 1373 } 1374 1375 BT_ERR("%s failed to open Intel firmware file: %s(%d)", 1376 hdev->name, fwname, ret); 1377 1378 /* If the correct firmware patch file is not found, use the 1379 * default firmware patch file instead 1380 */ 1381 snprintf(fwname, sizeof(fwname), "intel/ibt-hw-%x.%x.bseq", 1382 ver->hw_platform, ver->hw_variant); 1383 if (request_firmware(&fw, fwname, &hdev->dev) < 0) { 1384 BT_ERR("%s failed to open default Intel fw file: %s", 1385 hdev->name, fwname); 1386 return NULL; 1387 } 1388 } 1389 1390 BT_INFO("%s: Intel Bluetooth firmware file: %s", hdev->name, fwname); 1391 1392 return fw; 1393 } 1394 1395 static int btusb_setup_intel_patching(struct hci_dev *hdev, 1396 const struct firmware *fw, 1397 const u8 **fw_ptr, int *disable_patch) 1398 { 1399 struct sk_buff *skb; 1400 struct hci_command_hdr *cmd; 1401 const u8 *cmd_param; 1402 struct hci_event_hdr *evt = NULL; 1403 const u8 *evt_param = NULL; 1404 int remain = fw->size - (*fw_ptr - fw->data); 1405 1406 /* The first byte indicates the types of the patch command or event. 1407 * 0x01 means HCI command and 0x02 is HCI event. If the first bytes 1408 * in the current firmware buffer doesn't start with 0x01 or 1409 * the size of remain buffer is smaller than HCI command header, 1410 * the firmware file is corrupted and it should stop the patching 1411 * process. 1412 */ 1413 if (remain > HCI_COMMAND_HDR_SIZE && *fw_ptr[0] != 0x01) { 1414 BT_ERR("%s Intel fw corrupted: invalid cmd read", hdev->name); 1415 return -EINVAL; 1416 } 1417 (*fw_ptr)++; 1418 remain--; 1419 1420 cmd = (struct hci_command_hdr *)(*fw_ptr); 1421 *fw_ptr += sizeof(*cmd); 1422 remain -= sizeof(*cmd); 1423 1424 /* Ensure that the remain firmware data is long enough than the length 1425 * of command parameter. If not, the firmware file is corrupted. 1426 */ 1427 if (remain < cmd->plen) { 1428 BT_ERR("%s Intel fw corrupted: invalid cmd len", hdev->name); 1429 return -EFAULT; 1430 } 1431 1432 /* If there is a command that loads a patch in the firmware 1433 * file, then enable the patch upon success, otherwise just 1434 * disable the manufacturer mode, for example patch activation 1435 * is not required when the default firmware patch file is used 1436 * because there are no patch data to load. 1437 */ 1438 if (*disable_patch && le16_to_cpu(cmd->opcode) == 0xfc8e) 1439 *disable_patch = 0; 1440 1441 cmd_param = *fw_ptr; 1442 *fw_ptr += cmd->plen; 1443 remain -= cmd->plen; 1444 1445 /* This reads the expected events when the above command is sent to the 1446 * device. Some vendor commands expects more than one events, for 1447 * example command status event followed by vendor specific event. 1448 * For this case, it only keeps the last expected event. so the command 1449 * can be sent with __hci_cmd_sync_ev() which returns the sk_buff of 1450 * last expected event. 1451 */ 1452 while (remain > HCI_EVENT_HDR_SIZE && *fw_ptr[0] == 0x02) { 1453 (*fw_ptr)++; 1454 remain--; 1455 1456 evt = (struct hci_event_hdr *)(*fw_ptr); 1457 *fw_ptr += sizeof(*evt); 1458 remain -= sizeof(*evt); 1459 1460 if (remain < evt->plen) { 1461 BT_ERR("%s Intel fw corrupted: invalid evt len", 1462 hdev->name); 1463 return -EFAULT; 1464 } 1465 1466 evt_param = *fw_ptr; 1467 *fw_ptr += evt->plen; 1468 remain -= evt->plen; 1469 } 1470 1471 /* Every HCI commands in the firmware file has its correspond event. 1472 * If event is not found or remain is smaller than zero, the firmware 1473 * file is corrupted. 1474 */ 1475 if (!evt || !evt_param || remain < 0) { 1476 BT_ERR("%s Intel fw corrupted: invalid evt read", hdev->name); 1477 return -EFAULT; 1478 } 1479 1480 skb = __hci_cmd_sync_ev(hdev, le16_to_cpu(cmd->opcode), cmd->plen, 1481 cmd_param, evt->evt, HCI_INIT_TIMEOUT); 1482 if (IS_ERR(skb)) { 1483 BT_ERR("%s sending Intel patch command (0x%4.4x) failed (%ld)", 1484 hdev->name, cmd->opcode, PTR_ERR(skb)); 1485 return PTR_ERR(skb); 1486 } 1487 1488 /* It ensures that the returned event matches the event data read from 1489 * the firmware file. At fist, it checks the length and then 1490 * the contents of the event. 1491 */ 1492 if (skb->len != evt->plen) { 1493 BT_ERR("%s mismatch event length (opcode 0x%4.4x)", hdev->name, 1494 le16_to_cpu(cmd->opcode)); 1495 kfree_skb(skb); 1496 return -EFAULT; 1497 } 1498 1499 if (memcmp(skb->data, evt_param, evt->plen)) { 1500 BT_ERR("%s mismatch event parameter (opcode 0x%4.4x)", 1501 hdev->name, le16_to_cpu(cmd->opcode)); 1502 kfree_skb(skb); 1503 return -EFAULT; 1504 } 1505 kfree_skb(skb); 1506 1507 return 0; 1508 } 1509 1510 #define BDADDR_INTEL (&(bdaddr_t) {{0x00, 0x8b, 0x9e, 0x19, 0x03, 0x00}}) 1511 1512 static int btusb_check_bdaddr_intel(struct hci_dev *hdev) 1513 { 1514 struct sk_buff *skb; 1515 struct hci_rp_read_bd_addr *rp; 1516 1517 skb = __hci_cmd_sync(hdev, HCI_OP_READ_BD_ADDR, 0, NULL, 1518 HCI_INIT_TIMEOUT); 1519 if (IS_ERR(skb)) { 1520 BT_ERR("%s reading Intel device address failed (%ld)", 1521 hdev->name, PTR_ERR(skb)); 1522 return PTR_ERR(skb); 1523 } 1524 1525 if (skb->len != sizeof(*rp)) { 1526 BT_ERR("%s Intel device address length mismatch", hdev->name); 1527 kfree_skb(skb); 1528 return -EIO; 1529 } 1530 1531 rp = (struct hci_rp_read_bd_addr *)skb->data; 1532 if (rp->status) { 1533 BT_ERR("%s Intel device address result failed (%02x)", 1534 hdev->name, rp->status); 1535 kfree_skb(skb); 1536 return -bt_to_errno(rp->status); 1537 } 1538 1539 /* For some Intel based controllers, the default Bluetooth device 1540 * address 00:03:19:9E:8B:00 can be found. These controllers are 1541 * fully operational, but have the danger of duplicate addresses 1542 * and that in turn can cause problems with Bluetooth operation. 1543 */ 1544 if (!bacmp(&rp->bdaddr, BDADDR_INTEL)) { 1545 BT_ERR("%s found Intel default device address (%pMR)", 1546 hdev->name, &rp->bdaddr); 1547 set_bit(HCI_QUIRK_INVALID_BDADDR, &hdev->quirks); 1548 } 1549 1550 kfree_skb(skb); 1551 1552 return 0; 1553 } 1554 1555 static int btusb_setup_intel(struct hci_dev *hdev) 1556 { 1557 struct sk_buff *skb; 1558 const struct firmware *fw; 1559 const u8 *fw_ptr; 1560 int disable_patch; 1561 struct intel_version *ver; 1562 1563 const u8 mfg_enable[] = { 0x01, 0x00 }; 1564 const u8 mfg_disable[] = { 0x00, 0x00 }; 1565 const u8 mfg_reset_deactivate[] = { 0x00, 0x01 }; 1566 const u8 mfg_reset_activate[] = { 0x00, 0x02 }; 1567 1568 BT_DBG("%s", hdev->name); 1569 1570 /* The controller has a bug with the first HCI command sent to it 1571 * returning number of completed commands as zero. This would stall the 1572 * command processing in the Bluetooth core. 1573 * 1574 * As a workaround, send HCI Reset command first which will reset the 1575 * number of completed commands and allow normal command processing 1576 * from now on. 1577 */ 1578 skb = __hci_cmd_sync(hdev, HCI_OP_RESET, 0, NULL, HCI_INIT_TIMEOUT); 1579 if (IS_ERR(skb)) { 1580 BT_ERR("%s sending initial HCI reset command failed (%ld)", 1581 hdev->name, PTR_ERR(skb)); 1582 return PTR_ERR(skb); 1583 } 1584 kfree_skb(skb); 1585 1586 /* Read Intel specific controller version first to allow selection of 1587 * which firmware file to load. 1588 * 1589 * The returned information are hardware variant and revision plus 1590 * firmware variant, revision and build number. 1591 */ 1592 skb = __hci_cmd_sync(hdev, 0xfc05, 0, NULL, HCI_INIT_TIMEOUT); 1593 if (IS_ERR(skb)) { 1594 BT_ERR("%s reading Intel fw version command failed (%ld)", 1595 hdev->name, PTR_ERR(skb)); 1596 return PTR_ERR(skb); 1597 } 1598 1599 if (skb->len != sizeof(*ver)) { 1600 BT_ERR("%s Intel version event length mismatch", hdev->name); 1601 kfree_skb(skb); 1602 return -EIO; 1603 } 1604 1605 ver = (struct intel_version *)skb->data; 1606 if (ver->status) { 1607 BT_ERR("%s Intel fw version event failed (%02x)", hdev->name, 1608 ver->status); 1609 kfree_skb(skb); 1610 return -bt_to_errno(ver->status); 1611 } 1612 1613 BT_INFO("%s: read Intel version: %02x%02x%02x%02x%02x%02x%02x%02x%02x", 1614 hdev->name, ver->hw_platform, ver->hw_variant, 1615 ver->hw_revision, ver->fw_variant, ver->fw_revision, 1616 ver->fw_build_num, ver->fw_build_ww, ver->fw_build_yy, 1617 ver->fw_patch_num); 1618 1619 /* fw_patch_num indicates the version of patch the device currently 1620 * have. If there is no patch data in the device, it is always 0x00. 1621 * So, if it is other than 0x00, no need to patch the deivce again. 1622 */ 1623 if (ver->fw_patch_num) { 1624 BT_INFO("%s: Intel device is already patched. patch num: %02x", 1625 hdev->name, ver->fw_patch_num); 1626 kfree_skb(skb); 1627 btusb_check_bdaddr_intel(hdev); 1628 return 0; 1629 } 1630 1631 /* Opens the firmware patch file based on the firmware version read 1632 * from the controller. If it fails to open the matching firmware 1633 * patch file, it tries to open the default firmware patch file. 1634 * If no patch file is found, allow the device to operate without 1635 * a patch. 1636 */ 1637 fw = btusb_setup_intel_get_fw(hdev, ver); 1638 if (!fw) { 1639 kfree_skb(skb); 1640 btusb_check_bdaddr_intel(hdev); 1641 return 0; 1642 } 1643 fw_ptr = fw->data; 1644 1645 /* This Intel specific command enables the manufacturer mode of the 1646 * controller. 1647 * 1648 * Only while this mode is enabled, the driver can download the 1649 * firmware patch data and configuration parameters. 1650 */ 1651 skb = __hci_cmd_sync(hdev, 0xfc11, 2, mfg_enable, HCI_INIT_TIMEOUT); 1652 if (IS_ERR(skb)) { 1653 BT_ERR("%s entering Intel manufacturer mode failed (%ld)", 1654 hdev->name, PTR_ERR(skb)); 1655 release_firmware(fw); 1656 return PTR_ERR(skb); 1657 } 1658 1659 if (skb->data[0]) { 1660 u8 evt_status = skb->data[0]; 1661 1662 BT_ERR("%s enable Intel manufacturer mode event failed (%02x)", 1663 hdev->name, evt_status); 1664 kfree_skb(skb); 1665 release_firmware(fw); 1666 return -bt_to_errno(evt_status); 1667 } 1668 kfree_skb(skb); 1669 1670 disable_patch = 1; 1671 1672 /* The firmware data file consists of list of Intel specific HCI 1673 * commands and its expected events. The first byte indicates the 1674 * type of the message, either HCI command or HCI event. 1675 * 1676 * It reads the command and its expected event from the firmware file, 1677 * and send to the controller. Once __hci_cmd_sync_ev() returns, 1678 * the returned event is compared with the event read from the firmware 1679 * file and it will continue until all the messages are downloaded to 1680 * the controller. 1681 * 1682 * Once the firmware patching is completed successfully, 1683 * the manufacturer mode is disabled with reset and activating the 1684 * downloaded patch. 1685 * 1686 * If the firmware patching fails, the manufacturer mode is 1687 * disabled with reset and deactivating the patch. 1688 * 1689 * If the default patch file is used, no reset is done when disabling 1690 * the manufacturer. 1691 */ 1692 while (fw->size > fw_ptr - fw->data) { 1693 int ret; 1694 1695 ret = btusb_setup_intel_patching(hdev, fw, &fw_ptr, 1696 &disable_patch); 1697 if (ret < 0) 1698 goto exit_mfg_deactivate; 1699 } 1700 1701 release_firmware(fw); 1702 1703 if (disable_patch) 1704 goto exit_mfg_disable; 1705 1706 /* Patching completed successfully and disable the manufacturer mode 1707 * with reset and activate the downloaded firmware patches. 1708 */ 1709 skb = __hci_cmd_sync(hdev, 0xfc11, sizeof(mfg_reset_activate), 1710 mfg_reset_activate, HCI_INIT_TIMEOUT); 1711 if (IS_ERR(skb)) { 1712 BT_ERR("%s exiting Intel manufacturer mode failed (%ld)", 1713 hdev->name, PTR_ERR(skb)); 1714 return PTR_ERR(skb); 1715 } 1716 kfree_skb(skb); 1717 1718 BT_INFO("%s: Intel Bluetooth firmware patch completed and activated", 1719 hdev->name); 1720 1721 btusb_check_bdaddr_intel(hdev); 1722 return 0; 1723 1724 exit_mfg_disable: 1725 /* Disable the manufacturer mode without reset */ 1726 skb = __hci_cmd_sync(hdev, 0xfc11, sizeof(mfg_disable), mfg_disable, 1727 HCI_INIT_TIMEOUT); 1728 if (IS_ERR(skb)) { 1729 BT_ERR("%s exiting Intel manufacturer mode failed (%ld)", 1730 hdev->name, PTR_ERR(skb)); 1731 return PTR_ERR(skb); 1732 } 1733 kfree_skb(skb); 1734 1735 BT_INFO("%s: Intel Bluetooth firmware patch completed", hdev->name); 1736 1737 btusb_check_bdaddr_intel(hdev); 1738 return 0; 1739 1740 exit_mfg_deactivate: 1741 release_firmware(fw); 1742 1743 /* Patching failed. Disable the manufacturer mode with reset and 1744 * deactivate the downloaded firmware patches. 1745 */ 1746 skb = __hci_cmd_sync(hdev, 0xfc11, sizeof(mfg_reset_deactivate), 1747 mfg_reset_deactivate, HCI_INIT_TIMEOUT); 1748 if (IS_ERR(skb)) { 1749 BT_ERR("%s exiting Intel manufacturer mode failed (%ld)", 1750 hdev->name, PTR_ERR(skb)); 1751 return PTR_ERR(skb); 1752 } 1753 kfree_skb(skb); 1754 1755 BT_INFO("%s: Intel Bluetooth firmware patch completed and deactivated", 1756 hdev->name); 1757 1758 btusb_check_bdaddr_intel(hdev); 1759 return 0; 1760 } 1761 1762 static int inject_cmd_complete(struct hci_dev *hdev, __u16 opcode) 1763 { 1764 struct sk_buff *skb; 1765 struct hci_event_hdr *hdr; 1766 struct hci_ev_cmd_complete *evt; 1767 1768 skb = bt_skb_alloc(sizeof(*hdr) + sizeof(*evt) + 1, GFP_ATOMIC); 1769 if (!skb) 1770 return -ENOMEM; 1771 1772 hdr = (struct hci_event_hdr *)skb_put(skb, sizeof(*hdr)); 1773 hdr->evt = HCI_EV_CMD_COMPLETE; 1774 hdr->plen = sizeof(*evt) + 1; 1775 1776 evt = (struct hci_ev_cmd_complete *)skb_put(skb, sizeof(*evt)); 1777 evt->ncmd = 0x01; 1778 evt->opcode = cpu_to_le16(opcode); 1779 1780 *skb_put(skb, 1) = 0x00; 1781 1782 bt_cb(skb)->pkt_type = HCI_EVENT_PKT; 1783 1784 return hci_recv_frame(hdev, skb); 1785 } 1786 1787 static int btusb_recv_bulk_intel(struct btusb_data *data, void *buffer, 1788 int count) 1789 { 1790 /* When the device is in bootloader mode, then it can send 1791 * events via the bulk endpoint. These events are treated the 1792 * same way as the ones received from the interrupt endpoint. 1793 */ 1794 if (test_bit(BTUSB_BOOTLOADER, &data->flags)) 1795 return btusb_recv_intr(data, buffer, count); 1796 1797 return btusb_recv_bulk(data, buffer, count); 1798 } 1799 1800 static int btusb_recv_event_intel(struct hci_dev *hdev, struct sk_buff *skb) 1801 { 1802 struct btusb_data *data = hci_get_drvdata(hdev); 1803 1804 if (test_bit(BTUSB_BOOTLOADER, &data->flags)) { 1805 struct hci_event_hdr *hdr = (void *)skb->data; 1806 1807 /* When the firmware loading completes the device sends 1808 * out a vendor specific event indicating the result of 1809 * the firmware loading. 1810 */ 1811 if (skb->len == 7 && hdr->evt == 0xff && hdr->plen == 0x05 && 1812 skb->data[2] == 0x06) { 1813 if (skb->data[3] != 0x00) 1814 test_bit(BTUSB_FIRMWARE_FAILED, &data->flags); 1815 1816 if (test_and_clear_bit(BTUSB_DOWNLOADING, 1817 &data->flags) && 1818 test_bit(BTUSB_FIRMWARE_LOADED, &data->flags)) { 1819 smp_mb__after_atomic(); 1820 wake_up_bit(&data->flags, BTUSB_DOWNLOADING); 1821 } 1822 } 1823 1824 /* When switching to the operational firmware the device 1825 * sends a vendor specific event indicating that the bootup 1826 * completed. 1827 */ 1828 if (skb->len == 9 && hdr->evt == 0xff && hdr->plen == 0x07 && 1829 skb->data[2] == 0x02) { 1830 if (test_and_clear_bit(BTUSB_BOOTING, &data->flags)) { 1831 smp_mb__after_atomic(); 1832 wake_up_bit(&data->flags, BTUSB_BOOTING); 1833 } 1834 } 1835 } 1836 1837 return hci_recv_frame(hdev, skb); 1838 } 1839 1840 static int btusb_send_frame_intel(struct hci_dev *hdev, struct sk_buff *skb) 1841 { 1842 struct btusb_data *data = hci_get_drvdata(hdev); 1843 struct urb *urb; 1844 1845 BT_DBG("%s", hdev->name); 1846 1847 if (!test_bit(HCI_RUNNING, &hdev->flags)) 1848 return -EBUSY; 1849 1850 switch (bt_cb(skb)->pkt_type) { 1851 case HCI_COMMAND_PKT: 1852 if (test_bit(BTUSB_BOOTLOADER, &data->flags)) { 1853 struct hci_command_hdr *cmd = (void *)skb->data; 1854 __u16 opcode = le16_to_cpu(cmd->opcode); 1855 1856 /* When in bootloader mode and the command 0xfc09 1857 * is received, it needs to be send down the 1858 * bulk endpoint. So allocate a bulk URB instead. 1859 */ 1860 if (opcode == 0xfc09) 1861 urb = alloc_bulk_urb(hdev, skb); 1862 else 1863 urb = alloc_ctrl_urb(hdev, skb); 1864 1865 /* When the 0xfc01 command is issued to boot into 1866 * the operational firmware, it will actually not 1867 * send a command complete event. To keep the flow 1868 * control working inject that event here. 1869 */ 1870 if (opcode == 0xfc01) 1871 inject_cmd_complete(hdev, opcode); 1872 } else { 1873 urb = alloc_ctrl_urb(hdev, skb); 1874 } 1875 if (IS_ERR(urb)) 1876 return PTR_ERR(urb); 1877 1878 hdev->stat.cmd_tx++; 1879 return submit_or_queue_tx_urb(hdev, urb); 1880 1881 case HCI_ACLDATA_PKT: 1882 urb = alloc_bulk_urb(hdev, skb); 1883 if (IS_ERR(urb)) 1884 return PTR_ERR(urb); 1885 1886 hdev->stat.acl_tx++; 1887 return submit_or_queue_tx_urb(hdev, urb); 1888 1889 case HCI_SCODATA_PKT: 1890 if (hci_conn_num(hdev, SCO_LINK) < 1) 1891 return -ENODEV; 1892 1893 urb = alloc_isoc_urb(hdev, skb); 1894 if (IS_ERR(urb)) 1895 return PTR_ERR(urb); 1896 1897 hdev->stat.sco_tx++; 1898 return submit_tx_urb(hdev, urb); 1899 } 1900 1901 return -EILSEQ; 1902 } 1903 1904 static int btusb_intel_secure_send(struct hci_dev *hdev, u8 fragment_type, 1905 u32 plen, const void *param) 1906 { 1907 while (plen > 0) { 1908 struct sk_buff *skb; 1909 u8 cmd_param[253], fragment_len = (plen > 252) ? 252 : plen; 1910 1911 cmd_param[0] = fragment_type; 1912 memcpy(cmd_param + 1, param, fragment_len); 1913 1914 skb = __hci_cmd_sync(hdev, 0xfc09, fragment_len + 1, 1915 cmd_param, HCI_INIT_TIMEOUT); 1916 if (IS_ERR(skb)) 1917 return PTR_ERR(skb); 1918 1919 kfree_skb(skb); 1920 1921 plen -= fragment_len; 1922 param += fragment_len; 1923 } 1924 1925 return 0; 1926 } 1927 1928 static void btusb_intel_version_info(struct hci_dev *hdev, 1929 struct intel_version *ver) 1930 { 1931 const char *variant; 1932 1933 switch (ver->fw_variant) { 1934 case 0x06: 1935 variant = "Bootloader"; 1936 break; 1937 case 0x23: 1938 variant = "Firmware"; 1939 break; 1940 default: 1941 return; 1942 } 1943 1944 BT_INFO("%s: %s revision %u.%u build %u week %u %u", hdev->name, 1945 variant, ver->fw_revision >> 4, ver->fw_revision & 0x0f, 1946 ver->fw_build_num, ver->fw_build_ww, 2000 + ver->fw_build_yy); 1947 } 1948 1949 static int btusb_setup_intel_new(struct hci_dev *hdev) 1950 { 1951 static const u8 reset_param[] = { 0x00, 0x01, 0x00, 0x01, 1952 0x00, 0x08, 0x04, 0x00 }; 1953 struct btusb_data *data = hci_get_drvdata(hdev); 1954 struct sk_buff *skb; 1955 struct intel_version *ver; 1956 struct intel_boot_params *params; 1957 const struct firmware *fw; 1958 const u8 *fw_ptr; 1959 char fwname[64]; 1960 ktime_t calltime, delta, rettime; 1961 unsigned long long duration; 1962 int err; 1963 1964 BT_DBG("%s", hdev->name); 1965 1966 calltime = ktime_get(); 1967 1968 /* Read the Intel version information to determine if the device 1969 * is in bootloader mode or if it already has operational firmware 1970 * loaded. 1971 */ 1972 skb = __hci_cmd_sync(hdev, 0xfc05, 0, NULL, HCI_INIT_TIMEOUT); 1973 if (IS_ERR(skb)) { 1974 BT_ERR("%s: Reading Intel version information failed (%ld)", 1975 hdev->name, PTR_ERR(skb)); 1976 return PTR_ERR(skb); 1977 } 1978 1979 if (skb->len != sizeof(*ver)) { 1980 BT_ERR("%s: Intel version event size mismatch", hdev->name); 1981 kfree_skb(skb); 1982 return -EILSEQ; 1983 } 1984 1985 ver = (struct intel_version *)skb->data; 1986 if (ver->status) { 1987 BT_ERR("%s: Intel version command failure (%02x)", 1988 hdev->name, ver->status); 1989 err = -bt_to_errno(ver->status); 1990 kfree_skb(skb); 1991 return err; 1992 } 1993 1994 /* The hardware platform number has a fixed value of 0x37 and 1995 * for now only accept this single value. 1996 */ 1997 if (ver->hw_platform != 0x37) { 1998 BT_ERR("%s: Unsupported Intel hardware platform (%u)", 1999 hdev->name, ver->hw_platform); 2000 kfree_skb(skb); 2001 return -EINVAL; 2002 } 2003 2004 /* At the moment only the hardware variant iBT 3.0 (LnP/SfP) is 2005 * supported by this firmware loading method. This check has been 2006 * put in place to ensure correct forward compatibility options 2007 * when newer hardware variants come along. 2008 */ 2009 if (ver->hw_variant != 0x0b) { 2010 BT_ERR("%s: Unsupported Intel hardware variant (%u)", 2011 hdev->name, ver->hw_variant); 2012 kfree_skb(skb); 2013 return -EINVAL; 2014 } 2015 2016 btusb_intel_version_info(hdev, ver); 2017 2018 /* The firmware variant determines if the device is in bootloader 2019 * mode or is running operational firmware. The value 0x06 identifies 2020 * the bootloader and the value 0x23 identifies the operational 2021 * firmware. 2022 * 2023 * When the operational firmware is already present, then only 2024 * the check for valid Bluetooth device address is needed. This 2025 * determines if the device will be added as configured or 2026 * unconfigured controller. 2027 * 2028 * It is not possible to use the Secure Boot Parameters in this 2029 * case since that command is only available in bootloader mode. 2030 */ 2031 if (ver->fw_variant == 0x23) { 2032 kfree_skb(skb); 2033 clear_bit(BTUSB_BOOTLOADER, &data->flags); 2034 btusb_check_bdaddr_intel(hdev); 2035 return 0; 2036 } 2037 2038 /* If the device is not in bootloader mode, then the only possible 2039 * choice is to return an error and abort the device initialization. 2040 */ 2041 if (ver->fw_variant != 0x06) { 2042 BT_ERR("%s: Unsupported Intel firmware variant (%u)", 2043 hdev->name, ver->fw_variant); 2044 kfree_skb(skb); 2045 return -ENODEV; 2046 } 2047 2048 kfree_skb(skb); 2049 2050 /* Read the secure boot parameters to identify the operating 2051 * details of the bootloader. 2052 */ 2053 skb = __hci_cmd_sync(hdev, 0xfc0d, 0, NULL, HCI_INIT_TIMEOUT); 2054 if (IS_ERR(skb)) { 2055 BT_ERR("%s: Reading Intel boot parameters failed (%ld)", 2056 hdev->name, PTR_ERR(skb)); 2057 return PTR_ERR(skb); 2058 } 2059 2060 if (skb->len != sizeof(*params)) { 2061 BT_ERR("%s: Intel boot parameters size mismatch", hdev->name); 2062 kfree_skb(skb); 2063 return -EILSEQ; 2064 } 2065 2066 params = (struct intel_boot_params *)skb->data; 2067 if (params->status) { 2068 BT_ERR("%s: Intel boot parameters command failure (%02x)", 2069 hdev->name, params->status); 2070 err = -bt_to_errno(params->status); 2071 kfree_skb(skb); 2072 return err; 2073 } 2074 2075 BT_INFO("%s: Device revision is %u", hdev->name, 2076 le16_to_cpu(params->dev_revid)); 2077 2078 BT_INFO("%s: Secure boot is %s", hdev->name, 2079 params->secure_boot ? "enabled" : "disabled"); 2080 2081 BT_INFO("%s: Minimum firmware build %u week %u %u", hdev->name, 2082 params->min_fw_build_nn, params->min_fw_build_cw, 2083 2000 + params->min_fw_build_yy); 2084 2085 /* It is required that every single firmware fragment is acknowledged 2086 * with a command complete event. If the boot parameters indicate 2087 * that this bootloader does not send them, then abort the setup. 2088 */ 2089 if (params->limited_cce != 0x00) { 2090 BT_ERR("%s: Unsupported Intel firmware loading method (%u)", 2091 hdev->name, params->limited_cce); 2092 kfree_skb(skb); 2093 return -EINVAL; 2094 } 2095 2096 /* If the OTP has no valid Bluetooth device address, then there will 2097 * also be no valid address for the operational firmware. 2098 */ 2099 if (!bacmp(¶ms->otp_bdaddr, BDADDR_ANY)) { 2100 BT_INFO("%s: No device address configured", hdev->name); 2101 set_bit(HCI_QUIRK_INVALID_BDADDR, &hdev->quirks); 2102 } 2103 2104 /* With this Intel bootloader only the hardware variant and device 2105 * revision information are used to select the right firmware. 2106 * 2107 * Currently this bootloader support is limited to hardware variant 2108 * iBT 3.0 (LnP/SfP) which is identified by the value 11 (0x0b). 2109 */ 2110 snprintf(fwname, sizeof(fwname), "intel/ibt-11-%u.sfi", 2111 le16_to_cpu(params->dev_revid)); 2112 2113 err = request_firmware(&fw, fwname, &hdev->dev); 2114 if (err < 0) { 2115 BT_ERR("%s: Failed to load Intel firmware file (%d)", 2116 hdev->name, err); 2117 kfree_skb(skb); 2118 return err; 2119 } 2120 2121 BT_INFO("%s: Found device firmware: %s", hdev->name, fwname); 2122 2123 kfree_skb(skb); 2124 2125 if (fw->size < 644) { 2126 BT_ERR("%s: Invalid size of firmware file (%zu)", 2127 hdev->name, fw->size); 2128 err = -EBADF; 2129 goto done; 2130 } 2131 2132 set_bit(BTUSB_DOWNLOADING, &data->flags); 2133 2134 /* Start the firmware download transaction with the Init fragment 2135 * represented by the 128 bytes of CSS header. 2136 */ 2137 err = btusb_intel_secure_send(hdev, 0x00, 128, fw->data); 2138 if (err < 0) { 2139 BT_ERR("%s: Failed to send firmware header (%d)", 2140 hdev->name, err); 2141 goto done; 2142 } 2143 2144 /* Send the 256 bytes of public key information from the firmware 2145 * as the PKey fragment. 2146 */ 2147 err = btusb_intel_secure_send(hdev, 0x03, 256, fw->data + 128); 2148 if (err < 0) { 2149 BT_ERR("%s: Failed to send firmware public key (%d)", 2150 hdev->name, err); 2151 goto done; 2152 } 2153 2154 /* Send the 256 bytes of signature information from the firmware 2155 * as the Sign fragment. 2156 */ 2157 err = btusb_intel_secure_send(hdev, 0x02, 256, fw->data + 388); 2158 if (err < 0) { 2159 BT_ERR("%s: Failed to send firmware signature (%d)", 2160 hdev->name, err); 2161 goto done; 2162 } 2163 2164 fw_ptr = fw->data + 644; 2165 2166 while (fw_ptr - fw->data < fw->size) { 2167 struct hci_command_hdr *cmd = (void *)fw_ptr; 2168 u8 cmd_len; 2169 2170 cmd_len = sizeof(*cmd) + cmd->plen; 2171 2172 /* Send each command from the firmware data buffer as 2173 * a single Data fragment. 2174 */ 2175 err = btusb_intel_secure_send(hdev, 0x01, cmd_len, fw_ptr); 2176 if (err < 0) { 2177 BT_ERR("%s: Failed to send firmware data (%d)", 2178 hdev->name, err); 2179 goto done; 2180 } 2181 2182 fw_ptr += cmd_len; 2183 } 2184 2185 set_bit(BTUSB_FIRMWARE_LOADED, &data->flags); 2186 2187 BT_INFO("%s: Waiting for firmware download to complete", hdev->name); 2188 2189 /* Before switching the device into operational mode and with that 2190 * booting the loaded firmware, wait for the bootloader notification 2191 * that all fragments have been successfully received. 2192 * 2193 * When the event processing receives the notification, then the 2194 * BTUSB_DOWNLOADING flag will be cleared. 2195 * 2196 * The firmware loading should not take longer than 5 seconds 2197 * and thus just timeout if that happens and fail the setup 2198 * of this device. 2199 */ 2200 err = btusb_wait_on_bit_timeout(&data->flags, BTUSB_DOWNLOADING, 2201 msecs_to_jiffies(5000), 2202 TASK_INTERRUPTIBLE); 2203 if (err == 1) { 2204 BT_ERR("%s: Firmware loading interrupted", hdev->name); 2205 err = -EINTR; 2206 goto done; 2207 } 2208 2209 if (err) { 2210 BT_ERR("%s: Firmware loading timeout", hdev->name); 2211 err = -ETIMEDOUT; 2212 goto done; 2213 } 2214 2215 if (test_bit(BTUSB_FIRMWARE_FAILED, &data->flags)) { 2216 BT_ERR("%s: Firmware loading failed", hdev->name); 2217 err = -ENOEXEC; 2218 goto done; 2219 } 2220 2221 rettime = ktime_get(); 2222 delta = ktime_sub(rettime, calltime); 2223 duration = (unsigned long long) ktime_to_ns(delta) >> 10; 2224 2225 BT_INFO("%s: Firmware loaded in %llu usecs", hdev->name, duration); 2226 2227 done: 2228 release_firmware(fw); 2229 2230 if (err < 0) 2231 return err; 2232 2233 calltime = ktime_get(); 2234 2235 set_bit(BTUSB_BOOTING, &data->flags); 2236 2237 skb = __hci_cmd_sync(hdev, 0xfc01, sizeof(reset_param), reset_param, 2238 HCI_INIT_TIMEOUT); 2239 if (IS_ERR(skb)) 2240 return PTR_ERR(skb); 2241 2242 kfree_skb(skb); 2243 2244 /* The bootloader will not indicate when the device is ready. This 2245 * is done by the operational firmware sending bootup notification. 2246 * 2247 * Booting into operational firmware should not take longer than 2248 * 1 second. However if that happens, then just fail the setup 2249 * since something went wrong. 2250 */ 2251 BT_INFO("%s: Waiting for device to boot", hdev->name); 2252 2253 err = btusb_wait_on_bit_timeout(&data->flags, BTUSB_BOOTING, 2254 msecs_to_jiffies(1000), 2255 TASK_INTERRUPTIBLE); 2256 2257 if (err == 1) { 2258 BT_ERR("%s: Device boot interrupted", hdev->name); 2259 return -EINTR; 2260 } 2261 2262 if (err) { 2263 BT_ERR("%s: Device boot timeout", hdev->name); 2264 return -ETIMEDOUT; 2265 } 2266 2267 rettime = ktime_get(); 2268 delta = ktime_sub(rettime, calltime); 2269 duration = (unsigned long long) ktime_to_ns(delta) >> 10; 2270 2271 BT_INFO("%s: Device booted in %llu usecs", hdev->name, duration); 2272 2273 clear_bit(BTUSB_BOOTLOADER, &data->flags); 2274 2275 return 0; 2276 } 2277 2278 static void btusb_hw_error_intel(struct hci_dev *hdev, u8 code) 2279 { 2280 struct sk_buff *skb; 2281 u8 type = 0x00; 2282 2283 BT_ERR("%s: Hardware error 0x%2.2x", hdev->name, code); 2284 2285 skb = __hci_cmd_sync(hdev, HCI_OP_RESET, 0, NULL, HCI_INIT_TIMEOUT); 2286 if (IS_ERR(skb)) { 2287 BT_ERR("%s: Reset after hardware error failed (%ld)", 2288 hdev->name, PTR_ERR(skb)); 2289 return; 2290 } 2291 kfree_skb(skb); 2292 2293 skb = __hci_cmd_sync(hdev, 0xfc22, 1, &type, HCI_INIT_TIMEOUT); 2294 if (IS_ERR(skb)) { 2295 BT_ERR("%s: Retrieving Intel exception info failed (%ld)", 2296 hdev->name, PTR_ERR(skb)); 2297 return; 2298 } 2299 2300 if (skb->len != 13) { 2301 BT_ERR("%s: Exception info size mismatch", hdev->name); 2302 kfree_skb(skb); 2303 return; 2304 } 2305 2306 if (skb->data[0] != 0x00) { 2307 BT_ERR("%s: Exception info command failure (%02x)", 2308 hdev->name, skb->data[0]); 2309 kfree_skb(skb); 2310 return; 2311 } 2312 2313 BT_ERR("%s: Exception info %s", hdev->name, (char *)(skb->data + 1)); 2314 2315 kfree_skb(skb); 2316 } 2317 2318 static int btusb_set_bdaddr_intel(struct hci_dev *hdev, const bdaddr_t *bdaddr) 2319 { 2320 struct sk_buff *skb; 2321 long ret; 2322 2323 skb = __hci_cmd_sync(hdev, 0xfc31, 6, bdaddr, HCI_INIT_TIMEOUT); 2324 if (IS_ERR(skb)) { 2325 ret = PTR_ERR(skb); 2326 BT_ERR("%s: changing Intel device address failed (%ld)", 2327 hdev->name, ret); 2328 return ret; 2329 } 2330 kfree_skb(skb); 2331 2332 return 0; 2333 } 2334 2335 static int btusb_set_bdaddr_marvell(struct hci_dev *hdev, 2336 const bdaddr_t *bdaddr) 2337 { 2338 struct sk_buff *skb; 2339 u8 buf[8]; 2340 long ret; 2341 2342 buf[0] = 0xfe; 2343 buf[1] = sizeof(bdaddr_t); 2344 memcpy(buf + 2, bdaddr, sizeof(bdaddr_t)); 2345 2346 skb = __hci_cmd_sync(hdev, 0xfc22, sizeof(buf), buf, HCI_INIT_TIMEOUT); 2347 if (IS_ERR(skb)) { 2348 ret = PTR_ERR(skb); 2349 BT_ERR("%s: changing Marvell device address failed (%ld)", 2350 hdev->name, ret); 2351 return ret; 2352 } 2353 kfree_skb(skb); 2354 2355 return 0; 2356 } 2357 2358 #define BDADDR_BCM20702A0 (&(bdaddr_t) {{0x00, 0xa0, 0x02, 0x70, 0x20, 0x00}}) 2359 2360 static int btusb_setup_bcm_patchram(struct hci_dev *hdev) 2361 { 2362 struct btusb_data *data = hci_get_drvdata(hdev); 2363 struct usb_device *udev = data->udev; 2364 char fw_name[64]; 2365 const struct firmware *fw; 2366 const u8 *fw_ptr; 2367 size_t fw_size; 2368 const struct hci_command_hdr *cmd; 2369 const u8 *cmd_param; 2370 u16 opcode; 2371 struct sk_buff *skb; 2372 struct hci_rp_read_local_version *ver; 2373 struct hci_rp_read_bd_addr *bda; 2374 long ret; 2375 2376 snprintf(fw_name, sizeof(fw_name), "brcm/%s-%04x-%04x.hcd", 2377 udev->product ? udev->product : "BCM", 2378 le16_to_cpu(udev->descriptor.idVendor), 2379 le16_to_cpu(udev->descriptor.idProduct)); 2380 2381 ret = request_firmware(&fw, fw_name, &hdev->dev); 2382 if (ret < 0) { 2383 BT_INFO("%s: BCM: patch %s not found", hdev->name, fw_name); 2384 return 0; 2385 } 2386 2387 /* Reset */ 2388 skb = __hci_cmd_sync(hdev, HCI_OP_RESET, 0, NULL, HCI_INIT_TIMEOUT); 2389 if (IS_ERR(skb)) { 2390 ret = PTR_ERR(skb); 2391 BT_ERR("%s: HCI_OP_RESET failed (%ld)", hdev->name, ret); 2392 goto done; 2393 } 2394 kfree_skb(skb); 2395 2396 /* Read Local Version Info */ 2397 skb = __hci_cmd_sync(hdev, HCI_OP_READ_LOCAL_VERSION, 0, NULL, 2398 HCI_INIT_TIMEOUT); 2399 if (IS_ERR(skb)) { 2400 ret = PTR_ERR(skb); 2401 BT_ERR("%s: HCI_OP_READ_LOCAL_VERSION failed (%ld)", 2402 hdev->name, ret); 2403 goto done; 2404 } 2405 2406 if (skb->len != sizeof(*ver)) { 2407 BT_ERR("%s: HCI_OP_READ_LOCAL_VERSION event length mismatch", 2408 hdev->name); 2409 kfree_skb(skb); 2410 ret = -EIO; 2411 goto done; 2412 } 2413 2414 ver = (struct hci_rp_read_local_version *)skb->data; 2415 BT_INFO("%s: BCM: patching hci_ver=%02x hci_rev=%04x lmp_ver=%02x " 2416 "lmp_subver=%04x", hdev->name, ver->hci_ver, ver->hci_rev, 2417 ver->lmp_ver, ver->lmp_subver); 2418 kfree_skb(skb); 2419 2420 /* Start Download */ 2421 skb = __hci_cmd_sync(hdev, 0xfc2e, 0, NULL, HCI_INIT_TIMEOUT); 2422 if (IS_ERR(skb)) { 2423 ret = PTR_ERR(skb); 2424 BT_ERR("%s: BCM: Download Minidrv command failed (%ld)", 2425 hdev->name, ret); 2426 goto reset_fw; 2427 } 2428 kfree_skb(skb); 2429 2430 /* 50 msec delay after Download Minidrv completes */ 2431 msleep(50); 2432 2433 fw_ptr = fw->data; 2434 fw_size = fw->size; 2435 2436 while (fw_size >= sizeof(*cmd)) { 2437 cmd = (struct hci_command_hdr *)fw_ptr; 2438 fw_ptr += sizeof(*cmd); 2439 fw_size -= sizeof(*cmd); 2440 2441 if (fw_size < cmd->plen) { 2442 BT_ERR("%s: BCM: patch %s is corrupted", 2443 hdev->name, fw_name); 2444 ret = -EINVAL; 2445 goto reset_fw; 2446 } 2447 2448 cmd_param = fw_ptr; 2449 fw_ptr += cmd->plen; 2450 fw_size -= cmd->plen; 2451 2452 opcode = le16_to_cpu(cmd->opcode); 2453 2454 skb = __hci_cmd_sync(hdev, opcode, cmd->plen, cmd_param, 2455 HCI_INIT_TIMEOUT); 2456 if (IS_ERR(skb)) { 2457 ret = PTR_ERR(skb); 2458 BT_ERR("%s: BCM: patch command %04x failed (%ld)", 2459 hdev->name, opcode, ret); 2460 goto reset_fw; 2461 } 2462 kfree_skb(skb); 2463 } 2464 2465 /* 250 msec delay after Launch Ram completes */ 2466 msleep(250); 2467 2468 reset_fw: 2469 /* Reset */ 2470 skb = __hci_cmd_sync(hdev, HCI_OP_RESET, 0, NULL, HCI_INIT_TIMEOUT); 2471 if (IS_ERR(skb)) { 2472 ret = PTR_ERR(skb); 2473 BT_ERR("%s: HCI_OP_RESET failed (%ld)", hdev->name, ret); 2474 goto done; 2475 } 2476 kfree_skb(skb); 2477 2478 /* Read Local Version Info */ 2479 skb = __hci_cmd_sync(hdev, HCI_OP_READ_LOCAL_VERSION, 0, NULL, 2480 HCI_INIT_TIMEOUT); 2481 if (IS_ERR(skb)) { 2482 ret = PTR_ERR(skb); 2483 BT_ERR("%s: HCI_OP_READ_LOCAL_VERSION failed (%ld)", 2484 hdev->name, ret); 2485 goto done; 2486 } 2487 2488 if (skb->len != sizeof(*ver)) { 2489 BT_ERR("%s: HCI_OP_READ_LOCAL_VERSION event length mismatch", 2490 hdev->name); 2491 kfree_skb(skb); 2492 ret = -EIO; 2493 goto done; 2494 } 2495 2496 ver = (struct hci_rp_read_local_version *)skb->data; 2497 BT_INFO("%s: BCM: firmware hci_ver=%02x hci_rev=%04x lmp_ver=%02x " 2498 "lmp_subver=%04x", hdev->name, ver->hci_ver, ver->hci_rev, 2499 ver->lmp_ver, ver->lmp_subver); 2500 kfree_skb(skb); 2501 2502 /* Read BD Address */ 2503 skb = __hci_cmd_sync(hdev, HCI_OP_READ_BD_ADDR, 0, NULL, 2504 HCI_INIT_TIMEOUT); 2505 if (IS_ERR(skb)) { 2506 ret = PTR_ERR(skb); 2507 BT_ERR("%s: HCI_OP_READ_BD_ADDR failed (%ld)", 2508 hdev->name, ret); 2509 goto done; 2510 } 2511 2512 if (skb->len != sizeof(*bda)) { 2513 BT_ERR("%s: HCI_OP_READ_BD_ADDR event length mismatch", 2514 hdev->name); 2515 kfree_skb(skb); 2516 ret = -EIO; 2517 goto done; 2518 } 2519 2520 bda = (struct hci_rp_read_bd_addr *)skb->data; 2521 if (bda->status) { 2522 BT_ERR("%s: HCI_OP_READ_BD_ADDR error status (%02x)", 2523 hdev->name, bda->status); 2524 kfree_skb(skb); 2525 ret = -bt_to_errno(bda->status); 2526 goto done; 2527 } 2528 2529 /* The address 00:20:70:02:A0:00 indicates a BCM20702A0 controller 2530 * with no configured address. 2531 */ 2532 if (!bacmp(&bda->bdaddr, BDADDR_BCM20702A0)) { 2533 BT_INFO("%s: BCM: using default device address (%pMR)", 2534 hdev->name, &bda->bdaddr); 2535 set_bit(HCI_QUIRK_INVALID_BDADDR, &hdev->quirks); 2536 } 2537 2538 kfree_skb(skb); 2539 2540 done: 2541 release_firmware(fw); 2542 2543 return ret; 2544 } 2545 2546 static int btusb_set_bdaddr_bcm(struct hci_dev *hdev, const bdaddr_t *bdaddr) 2547 { 2548 struct sk_buff *skb; 2549 long ret; 2550 2551 skb = __hci_cmd_sync(hdev, 0xfc01, 6, bdaddr, HCI_INIT_TIMEOUT); 2552 if (IS_ERR(skb)) { 2553 ret = PTR_ERR(skb); 2554 BT_ERR("%s: BCM: Change address command failed (%ld)", 2555 hdev->name, ret); 2556 return ret; 2557 } 2558 kfree_skb(skb); 2559 2560 return 0; 2561 } 2562 2563 static int btusb_set_bdaddr_ath3012(struct hci_dev *hdev, 2564 const bdaddr_t *bdaddr) 2565 { 2566 struct sk_buff *skb; 2567 u8 buf[10]; 2568 long ret; 2569 2570 buf[0] = 0x01; 2571 buf[1] = 0x01; 2572 buf[2] = 0x00; 2573 buf[3] = sizeof(bdaddr_t); 2574 memcpy(buf + 4, bdaddr, sizeof(bdaddr_t)); 2575 2576 skb = __hci_cmd_sync(hdev, 0xfc0b, sizeof(buf), buf, HCI_INIT_TIMEOUT); 2577 if (IS_ERR(skb)) { 2578 ret = PTR_ERR(skb); 2579 BT_ERR("%s: Change address command failed (%ld)", 2580 hdev->name, ret); 2581 return ret; 2582 } 2583 kfree_skb(skb); 2584 2585 return 0; 2586 } 2587 2588 static int btusb_probe(struct usb_interface *intf, 2589 const struct usb_device_id *id) 2590 { 2591 struct usb_endpoint_descriptor *ep_desc; 2592 struct btusb_data *data; 2593 struct hci_dev *hdev; 2594 int i, err; 2595 2596 BT_DBG("intf %p id %p", intf, id); 2597 2598 /* interface numbers are hardcoded in the spec */ 2599 if (intf->cur_altsetting->desc.bInterfaceNumber != 0) 2600 return -ENODEV; 2601 2602 if (!id->driver_info) { 2603 const struct usb_device_id *match; 2604 2605 match = usb_match_id(intf, blacklist_table); 2606 if (match) 2607 id = match; 2608 } 2609 2610 if (id->driver_info == BTUSB_IGNORE) 2611 return -ENODEV; 2612 2613 if (id->driver_info & BTUSB_ATH3012) { 2614 struct usb_device *udev = interface_to_usbdev(intf); 2615 2616 /* Old firmware would otherwise let ath3k driver load 2617 * patch and sysconfig files */ 2618 if (le16_to_cpu(udev->descriptor.bcdDevice) <= 0x0001) 2619 return -ENODEV; 2620 } 2621 2622 data = devm_kzalloc(&intf->dev, sizeof(*data), GFP_KERNEL); 2623 if (!data) 2624 return -ENOMEM; 2625 2626 for (i = 0; i < intf->cur_altsetting->desc.bNumEndpoints; i++) { 2627 ep_desc = &intf->cur_altsetting->endpoint[i].desc; 2628 2629 if (!data->intr_ep && usb_endpoint_is_int_in(ep_desc)) { 2630 data->intr_ep = ep_desc; 2631 continue; 2632 } 2633 2634 if (!data->bulk_tx_ep && usb_endpoint_is_bulk_out(ep_desc)) { 2635 data->bulk_tx_ep = ep_desc; 2636 continue; 2637 } 2638 2639 if (!data->bulk_rx_ep && usb_endpoint_is_bulk_in(ep_desc)) { 2640 data->bulk_rx_ep = ep_desc; 2641 continue; 2642 } 2643 } 2644 2645 if (!data->intr_ep || !data->bulk_tx_ep || !data->bulk_rx_ep) 2646 return -ENODEV; 2647 2648 if (id->driver_info & BTUSB_AMP) { 2649 data->cmdreq_type = USB_TYPE_CLASS | 0x01; 2650 data->cmdreq = 0x2b; 2651 } else { 2652 data->cmdreq_type = USB_TYPE_CLASS; 2653 data->cmdreq = 0x00; 2654 } 2655 2656 data->udev = interface_to_usbdev(intf); 2657 data->intf = intf; 2658 2659 INIT_WORK(&data->work, btusb_work); 2660 INIT_WORK(&data->waker, btusb_waker); 2661 init_usb_anchor(&data->deferred); 2662 init_usb_anchor(&data->tx_anchor); 2663 spin_lock_init(&data->txlock); 2664 2665 init_usb_anchor(&data->intr_anchor); 2666 init_usb_anchor(&data->bulk_anchor); 2667 init_usb_anchor(&data->isoc_anchor); 2668 spin_lock_init(&data->rxlock); 2669 2670 if (id->driver_info & BTUSB_INTEL_NEW) { 2671 data->recv_event = btusb_recv_event_intel; 2672 data->recv_bulk = btusb_recv_bulk_intel; 2673 set_bit(BTUSB_BOOTLOADER, &data->flags); 2674 } else { 2675 data->recv_event = hci_recv_frame; 2676 data->recv_bulk = btusb_recv_bulk; 2677 } 2678 2679 hdev = hci_alloc_dev(); 2680 if (!hdev) 2681 return -ENOMEM; 2682 2683 hdev->bus = HCI_USB; 2684 hci_set_drvdata(hdev, data); 2685 2686 if (id->driver_info & BTUSB_AMP) 2687 hdev->dev_type = HCI_AMP; 2688 else 2689 hdev->dev_type = HCI_BREDR; 2690 2691 data->hdev = hdev; 2692 2693 SET_HCIDEV_DEV(hdev, &intf->dev); 2694 2695 hdev->open = btusb_open; 2696 hdev->close = btusb_close; 2697 hdev->flush = btusb_flush; 2698 hdev->send = btusb_send_frame; 2699 hdev->notify = btusb_notify; 2700 2701 if (id->driver_info & BTUSB_BCM92035) 2702 hdev->setup = btusb_setup_bcm92035; 2703 2704 if (id->driver_info & BTUSB_BCM_PATCHRAM) { 2705 hdev->setup = btusb_setup_bcm_patchram; 2706 hdev->set_bdaddr = btusb_set_bdaddr_bcm; 2707 set_bit(HCI_QUIRK_STRICT_DUPLICATE_FILTER, &hdev->quirks); 2708 } 2709 2710 if (id->driver_info & BTUSB_INTEL) { 2711 hdev->setup = btusb_setup_intel; 2712 hdev->set_bdaddr = btusb_set_bdaddr_intel; 2713 set_bit(HCI_QUIRK_STRICT_DUPLICATE_FILTER, &hdev->quirks); 2714 } 2715 2716 if (id->driver_info & BTUSB_INTEL_NEW) { 2717 hdev->send = btusb_send_frame_intel; 2718 hdev->setup = btusb_setup_intel_new; 2719 hdev->hw_error = btusb_hw_error_intel; 2720 hdev->set_bdaddr = btusb_set_bdaddr_intel; 2721 set_bit(HCI_QUIRK_STRICT_DUPLICATE_FILTER, &hdev->quirks); 2722 } 2723 2724 if (id->driver_info & BTUSB_MARVELL) 2725 hdev->set_bdaddr = btusb_set_bdaddr_marvell; 2726 2727 if (id->driver_info & BTUSB_SWAVE) { 2728 set_bit(HCI_QUIRK_FIXUP_INQUIRY_MODE, &hdev->quirks); 2729 set_bit(HCI_QUIRK_BROKEN_LOCAL_COMMANDS, &hdev->quirks); 2730 } 2731 2732 if (id->driver_info & BTUSB_INTEL_BOOT) 2733 set_bit(HCI_QUIRK_RAW_DEVICE, &hdev->quirks); 2734 2735 if (id->driver_info & BTUSB_ATH3012) { 2736 hdev->set_bdaddr = btusb_set_bdaddr_ath3012; 2737 set_bit(HCI_QUIRK_STRICT_DUPLICATE_FILTER, &hdev->quirks); 2738 } 2739 2740 if (id->driver_info & BTUSB_AMP) { 2741 /* AMP controllers do not support SCO packets */ 2742 data->isoc = NULL; 2743 } else { 2744 /* Interface numbers are hardcoded in the specification */ 2745 data->isoc = usb_ifnum_to_if(data->udev, 1); 2746 } 2747 2748 if (!reset) 2749 set_bit(HCI_QUIRK_RESET_ON_CLOSE, &hdev->quirks); 2750 2751 if (force_scofix || id->driver_info & BTUSB_WRONG_SCO_MTU) { 2752 if (!disable_scofix) 2753 set_bit(HCI_QUIRK_FIXUP_BUFFER_SIZE, &hdev->quirks); 2754 } 2755 2756 if (id->driver_info & BTUSB_BROKEN_ISOC) 2757 data->isoc = NULL; 2758 2759 if (id->driver_info & BTUSB_DIGIANSWER) { 2760 data->cmdreq_type = USB_TYPE_VENDOR; 2761 set_bit(HCI_QUIRK_RESET_ON_CLOSE, &hdev->quirks); 2762 } 2763 2764 if (id->driver_info & BTUSB_CSR) { 2765 struct usb_device *udev = data->udev; 2766 u16 bcdDevice = le16_to_cpu(udev->descriptor.bcdDevice); 2767 2768 /* Old firmware would otherwise execute USB reset */ 2769 if (bcdDevice < 0x117) 2770 set_bit(HCI_QUIRK_RESET_ON_CLOSE, &hdev->quirks); 2771 2772 /* Fake CSR devices with broken commands */ 2773 if (bcdDevice <= 0x100) 2774 hdev->setup = btusb_setup_csr; 2775 } 2776 2777 if (id->driver_info & BTUSB_SNIFFER) { 2778 struct usb_device *udev = data->udev; 2779 2780 /* New sniffer firmware has crippled HCI interface */ 2781 if (le16_to_cpu(udev->descriptor.bcdDevice) > 0x997) 2782 set_bit(HCI_QUIRK_RAW_DEVICE, &hdev->quirks); 2783 } 2784 2785 if (id->driver_info & BTUSB_INTEL_BOOT) { 2786 /* A bug in the bootloader causes that interrupt interface is 2787 * only enabled after receiving SetInterface(0, AltSetting=0). 2788 */ 2789 err = usb_set_interface(data->udev, 0, 0); 2790 if (err < 0) { 2791 BT_ERR("failed to set interface 0, alt 0 %d", err); 2792 hci_free_dev(hdev); 2793 return err; 2794 } 2795 } 2796 2797 if (data->isoc) { 2798 err = usb_driver_claim_interface(&btusb_driver, 2799 data->isoc, data); 2800 if (err < 0) { 2801 hci_free_dev(hdev); 2802 return err; 2803 } 2804 } 2805 2806 err = hci_register_dev(hdev); 2807 if (err < 0) { 2808 hci_free_dev(hdev); 2809 return err; 2810 } 2811 2812 usb_set_intfdata(intf, data); 2813 2814 return 0; 2815 } 2816 2817 static void btusb_disconnect(struct usb_interface *intf) 2818 { 2819 struct btusb_data *data = usb_get_intfdata(intf); 2820 struct hci_dev *hdev; 2821 2822 BT_DBG("intf %p", intf); 2823 2824 if (!data) 2825 return; 2826 2827 hdev = data->hdev; 2828 usb_set_intfdata(data->intf, NULL); 2829 2830 if (data->isoc) 2831 usb_set_intfdata(data->isoc, NULL); 2832 2833 hci_unregister_dev(hdev); 2834 2835 if (intf == data->isoc) 2836 usb_driver_release_interface(&btusb_driver, data->intf); 2837 else if (data->isoc) 2838 usb_driver_release_interface(&btusb_driver, data->isoc); 2839 2840 hci_free_dev(hdev); 2841 } 2842 2843 #ifdef CONFIG_PM 2844 static int btusb_suspend(struct usb_interface *intf, pm_message_t message) 2845 { 2846 struct btusb_data *data = usb_get_intfdata(intf); 2847 2848 BT_DBG("intf %p", intf); 2849 2850 if (data->suspend_count++) 2851 return 0; 2852 2853 spin_lock_irq(&data->txlock); 2854 if (!(PMSG_IS_AUTO(message) && data->tx_in_flight)) { 2855 set_bit(BTUSB_SUSPENDING, &data->flags); 2856 spin_unlock_irq(&data->txlock); 2857 } else { 2858 spin_unlock_irq(&data->txlock); 2859 data->suspend_count--; 2860 return -EBUSY; 2861 } 2862 2863 cancel_work_sync(&data->work); 2864 2865 btusb_stop_traffic(data); 2866 usb_kill_anchored_urbs(&data->tx_anchor); 2867 2868 return 0; 2869 } 2870 2871 static void play_deferred(struct btusb_data *data) 2872 { 2873 struct urb *urb; 2874 int err; 2875 2876 while ((urb = usb_get_from_anchor(&data->deferred))) { 2877 err = usb_submit_urb(urb, GFP_ATOMIC); 2878 if (err < 0) 2879 break; 2880 2881 data->tx_in_flight++; 2882 } 2883 usb_scuttle_anchored_urbs(&data->deferred); 2884 } 2885 2886 static int btusb_resume(struct usb_interface *intf) 2887 { 2888 struct btusb_data *data = usb_get_intfdata(intf); 2889 struct hci_dev *hdev = data->hdev; 2890 int err = 0; 2891 2892 BT_DBG("intf %p", intf); 2893 2894 if (--data->suspend_count) 2895 return 0; 2896 2897 if (!test_bit(HCI_RUNNING, &hdev->flags)) 2898 goto done; 2899 2900 if (test_bit(BTUSB_INTR_RUNNING, &data->flags)) { 2901 err = btusb_submit_intr_urb(hdev, GFP_NOIO); 2902 if (err < 0) { 2903 clear_bit(BTUSB_INTR_RUNNING, &data->flags); 2904 goto failed; 2905 } 2906 } 2907 2908 if (test_bit(BTUSB_BULK_RUNNING, &data->flags)) { 2909 err = btusb_submit_bulk_urb(hdev, GFP_NOIO); 2910 if (err < 0) { 2911 clear_bit(BTUSB_BULK_RUNNING, &data->flags); 2912 goto failed; 2913 } 2914 2915 btusb_submit_bulk_urb(hdev, GFP_NOIO); 2916 } 2917 2918 if (test_bit(BTUSB_ISOC_RUNNING, &data->flags)) { 2919 if (btusb_submit_isoc_urb(hdev, GFP_NOIO) < 0) 2920 clear_bit(BTUSB_ISOC_RUNNING, &data->flags); 2921 else 2922 btusb_submit_isoc_urb(hdev, GFP_NOIO); 2923 } 2924 2925 spin_lock_irq(&data->txlock); 2926 play_deferred(data); 2927 clear_bit(BTUSB_SUSPENDING, &data->flags); 2928 spin_unlock_irq(&data->txlock); 2929 schedule_work(&data->work); 2930 2931 return 0; 2932 2933 failed: 2934 usb_scuttle_anchored_urbs(&data->deferred); 2935 done: 2936 spin_lock_irq(&data->txlock); 2937 clear_bit(BTUSB_SUSPENDING, &data->flags); 2938 spin_unlock_irq(&data->txlock); 2939 2940 return err; 2941 } 2942 #endif 2943 2944 static struct usb_driver btusb_driver = { 2945 .name = "btusb", 2946 .probe = btusb_probe, 2947 .disconnect = btusb_disconnect, 2948 #ifdef CONFIG_PM 2949 .suspend = btusb_suspend, 2950 .resume = btusb_resume, 2951 #endif 2952 .id_table = btusb_table, 2953 .supports_autosuspend = 1, 2954 .disable_hub_initiated_lpm = 1, 2955 }; 2956 2957 module_usb_driver(btusb_driver); 2958 2959 module_param(disable_scofix, bool, 0644); 2960 MODULE_PARM_DESC(disable_scofix, "Disable fixup of wrong SCO buffer size"); 2961 2962 module_param(force_scofix, bool, 0644); 2963 MODULE_PARM_DESC(force_scofix, "Force fixup of wrong SCO buffers size"); 2964 2965 module_param(reset, bool, 0644); 2966 MODULE_PARM_DESC(reset, "Send HCI reset command on initialization"); 2967 2968 MODULE_AUTHOR("Marcel Holtmann <marcel@holtmann.org>"); 2969 MODULE_DESCRIPTION("Generic Bluetooth USB driver ver " VERSION); 2970 MODULE_VERSION(VERSION); 2971 MODULE_LICENSE("GPL"); 2972