xref: /openbmc/linux/drivers/bluetooth/hci_bcsp.c (revision 2d96b44f)
1 /*
2  *
3  *  Bluetooth HCI UART driver
4  *
5  *  Copyright (C) 2002-2003  Fabrizio Gennari <fabrizio.gennari@philips.com>
6  *  Copyright (C) 2004-2005  Marcel Holtmann <marcel@holtmann.org>
7  *
8  *
9  *  This program is free software; you can redistribute it and/or modify
10  *  it under the terms of the GNU General Public License as published by
11  *  the Free Software Foundation; either version 2 of the License, or
12  *  (at your option) any later version.
13  *
14  *  This program is distributed in the hope that it will be useful,
15  *  but WITHOUT ANY WARRANTY; without even the implied warranty of
16  *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
17  *  GNU General Public License for more details.
18  *
19  *  You should have received a copy of the GNU General Public License
20  *  along with this program; if not, write to the Free Software
21  *  Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
22  *
23  */
24 
25 #include <linux/module.h>
26 
27 #include <linux/kernel.h>
28 #include <linux/init.h>
29 #include <linux/types.h>
30 #include <linux/fcntl.h>
31 #include <linux/interrupt.h>
32 #include <linux/ptrace.h>
33 #include <linux/poll.h>
34 
35 #include <linux/slab.h>
36 #include <linux/tty.h>
37 #include <linux/errno.h>
38 #include <linux/string.h>
39 #include <linux/signal.h>
40 #include <linux/ioctl.h>
41 #include <linux/skbuff.h>
42 #include <linux/bitrev.h>
43 #include <asm/unaligned.h>
44 
45 #include <net/bluetooth/bluetooth.h>
46 #include <net/bluetooth/hci_core.h>
47 
48 #include "hci_uart.h"
49 
50 static bool txcrc = true;
51 static bool hciextn = true;
52 
53 #define BCSP_TXWINSIZE	4
54 
55 #define BCSP_ACK_PKT	0x05
56 #define BCSP_LE_PKT	0x06
57 
58 struct bcsp_struct {
59 	struct sk_buff_head unack;	/* Unack'ed packets queue */
60 	struct sk_buff_head rel;	/* Reliable packets queue */
61 	struct sk_buff_head unrel;	/* Unreliable packets queue */
62 
63 	unsigned long rx_count;
64 	struct	sk_buff *rx_skb;
65 	u8	rxseq_txack;		/* rxseq == txack. */
66 	u8	rxack;			/* Last packet sent by us that the peer ack'ed */
67 	struct	timer_list tbcsp;
68 
69 	enum {
70 		BCSP_W4_PKT_DELIMITER,
71 		BCSP_W4_PKT_START,
72 		BCSP_W4_BCSP_HDR,
73 		BCSP_W4_DATA,
74 		BCSP_W4_CRC
75 	} rx_state;
76 
77 	enum {
78 		BCSP_ESCSTATE_NOESC,
79 		BCSP_ESCSTATE_ESC
80 	} rx_esc_state;
81 
82 	u8	use_crc;
83 	u16	message_crc;
84 	u8	txack_req;		/* Do we need to send ack's to the peer? */
85 
86 	/* Reliable packet sequence number - used to assign seq to each rel pkt. */
87 	u8	msgq_txseq;
88 };
89 
90 /* ---- BCSP CRC calculation ---- */
91 
92 /* Table for calculating CRC for polynomial 0x1021, LSB processed first,
93  * initial value 0xffff, bits shifted in reverse order.
94  */
95 
96 static const u16 crc_table[] = {
97 	0x0000, 0x1081, 0x2102, 0x3183,
98 	0x4204, 0x5285, 0x6306, 0x7387,
99 	0x8408, 0x9489, 0xa50a, 0xb58b,
100 	0xc60c, 0xd68d, 0xe70e, 0xf78f
101 };
102 
103 /* Initialise the crc calculator */
104 #define BCSP_CRC_INIT(x) x = 0xffff
105 
106 /* Update crc with next data byte
107  *
108  * Implementation note
109  *     The data byte is treated as two nibbles.  The crc is generated
110  *     in reverse, i.e., bits are fed into the register from the top.
111  */
112 static void bcsp_crc_update(u16 *crc, u8 d)
113 {
114 	u16 reg = *crc;
115 
116 	reg = (reg >> 4) ^ crc_table[(reg ^ d) & 0x000f];
117 	reg = (reg >> 4) ^ crc_table[(reg ^ (d >> 4)) & 0x000f];
118 
119 	*crc = reg;
120 }
121 
122 /* ---- BCSP core ---- */
123 
124 static void bcsp_slip_msgdelim(struct sk_buff *skb)
125 {
126 	const char pkt_delim = 0xc0;
127 
128 	memcpy(skb_put(skb, 1), &pkt_delim, 1);
129 }
130 
131 static void bcsp_slip_one_byte(struct sk_buff *skb, u8 c)
132 {
133 	const char esc_c0[2] = { 0xdb, 0xdc };
134 	const char esc_db[2] = { 0xdb, 0xdd };
135 
136 	switch (c) {
137 	case 0xc0:
138 		memcpy(skb_put(skb, 2), &esc_c0, 2);
139 		break;
140 	case 0xdb:
141 		memcpy(skb_put(skb, 2), &esc_db, 2);
142 		break;
143 	default:
144 		memcpy(skb_put(skb, 1), &c, 1);
145 	}
146 }
147 
148 static int bcsp_enqueue(struct hci_uart *hu, struct sk_buff *skb)
149 {
150 	struct bcsp_struct *bcsp = hu->priv;
151 
152 	if (skb->len > 0xFFF) {
153 		BT_ERR("Packet too long");
154 		kfree_skb(skb);
155 		return 0;
156 	}
157 
158 	switch (hci_skb_pkt_type(skb)) {
159 	case HCI_ACLDATA_PKT:
160 	case HCI_COMMAND_PKT:
161 		skb_queue_tail(&bcsp->rel, skb);
162 		break;
163 
164 	case HCI_SCODATA_PKT:
165 		skb_queue_tail(&bcsp->unrel, skb);
166 		break;
167 
168 	default:
169 		BT_ERR("Unknown packet type");
170 		kfree_skb(skb);
171 		break;
172 	}
173 
174 	return 0;
175 }
176 
177 static struct sk_buff *bcsp_prepare_pkt(struct bcsp_struct *bcsp, u8 *data,
178 					int len, int pkt_type)
179 {
180 	struct sk_buff *nskb;
181 	u8 hdr[4], chan;
182 	u16 BCSP_CRC_INIT(bcsp_txmsg_crc);
183 	int rel, i;
184 
185 	switch (pkt_type) {
186 	case HCI_ACLDATA_PKT:
187 		chan = 6;	/* BCSP ACL channel */
188 		rel = 1;	/* reliable channel */
189 		break;
190 	case HCI_COMMAND_PKT:
191 		chan = 5;	/* BCSP cmd/evt channel */
192 		rel = 1;	/* reliable channel */
193 		break;
194 	case HCI_SCODATA_PKT:
195 		chan = 7;	/* BCSP SCO channel */
196 		rel = 0;	/* unreliable channel */
197 		break;
198 	case BCSP_LE_PKT:
199 		chan = 1;	/* BCSP LE channel */
200 		rel = 0;	/* unreliable channel */
201 		break;
202 	case BCSP_ACK_PKT:
203 		chan = 0;	/* BCSP internal channel */
204 		rel = 0;	/* unreliable channel */
205 		break;
206 	default:
207 		BT_ERR("Unknown packet type");
208 		return NULL;
209 	}
210 
211 	if (hciextn && chan == 5) {
212 		__le16 opcode = ((struct hci_command_hdr *)data)->opcode;
213 
214 		/* Vendor specific commands */
215 		if (hci_opcode_ogf(__le16_to_cpu(opcode)) == 0x3f) {
216 			u8 desc = *(data + HCI_COMMAND_HDR_SIZE);
217 
218 			if ((desc & 0xf0) == 0xc0) {
219 				data += HCI_COMMAND_HDR_SIZE + 1;
220 				len  -= HCI_COMMAND_HDR_SIZE + 1;
221 				chan = desc & 0x0f;
222 			}
223 		}
224 	}
225 
226 	/* Max len of packet: (original len +4(bcsp hdr) +2(crc))*2
227 	 * (because bytes 0xc0 and 0xdb are escaped, worst case is
228 	 * when the packet is all made of 0xc0 and 0xdb :) )
229 	 * + 2 (0xc0 delimiters at start and end).
230 	 */
231 
232 	nskb = alloc_skb((len + 6) * 2 + 2, GFP_ATOMIC);
233 	if (!nskb)
234 		return NULL;
235 
236 	hci_skb_pkt_type(nskb) = pkt_type;
237 
238 	bcsp_slip_msgdelim(nskb);
239 
240 	hdr[0] = bcsp->rxseq_txack << 3;
241 	bcsp->txack_req = 0;
242 	BT_DBG("We request packet no %u to card", bcsp->rxseq_txack);
243 
244 	if (rel) {
245 		hdr[0] |= 0x80 + bcsp->msgq_txseq;
246 		BT_DBG("Sending packet with seqno %u", bcsp->msgq_txseq);
247 		bcsp->msgq_txseq = (bcsp->msgq_txseq + 1) & 0x07;
248 	}
249 
250 	if (bcsp->use_crc)
251 		hdr[0] |= 0x40;
252 
253 	hdr[1] = ((len << 4) & 0xff) | chan;
254 	hdr[2] = len >> 4;
255 	hdr[3] = ~(hdr[0] + hdr[1] + hdr[2]);
256 
257 	/* Put BCSP header */
258 	for (i = 0; i < 4; i++) {
259 		bcsp_slip_one_byte(nskb, hdr[i]);
260 
261 		if (bcsp->use_crc)
262 			bcsp_crc_update(&bcsp_txmsg_crc, hdr[i]);
263 	}
264 
265 	/* Put payload */
266 	for (i = 0; i < len; i++) {
267 		bcsp_slip_one_byte(nskb, data[i]);
268 
269 		if (bcsp->use_crc)
270 			bcsp_crc_update(&bcsp_txmsg_crc, data[i]);
271 	}
272 
273 	/* Put CRC */
274 	if (bcsp->use_crc) {
275 		bcsp_txmsg_crc = bitrev16(bcsp_txmsg_crc);
276 		bcsp_slip_one_byte(nskb, (u8)((bcsp_txmsg_crc >> 8) & 0x00ff));
277 		bcsp_slip_one_byte(nskb, (u8)(bcsp_txmsg_crc & 0x00ff));
278 	}
279 
280 	bcsp_slip_msgdelim(nskb);
281 	return nskb;
282 }
283 
284 /* This is a rewrite of pkt_avail in ABCSP */
285 static struct sk_buff *bcsp_dequeue(struct hci_uart *hu)
286 {
287 	struct bcsp_struct *bcsp = hu->priv;
288 	unsigned long flags;
289 	struct sk_buff *skb;
290 
291 	/* First of all, check for unreliable messages in the queue,
292 	 * since they have priority
293 	 */
294 
295 	skb = skb_dequeue(&bcsp->unrel);
296 	if (skb != NULL) {
297 		struct sk_buff *nskb;
298 
299 		nskb = bcsp_prepare_pkt(bcsp, skb->data, skb->len,
300 					hci_skb_pkt_type(skb));
301 		if (nskb) {
302 			kfree_skb(skb);
303 			return nskb;
304 		} else {
305 			skb_queue_head(&bcsp->unrel, skb);
306 			BT_ERR("Could not dequeue pkt because alloc_skb failed");
307 		}
308 	}
309 
310 	/* Now, try to send a reliable pkt. We can only send a
311 	 * reliable packet if the number of packets sent but not yet ack'ed
312 	 * is < than the winsize
313 	 */
314 
315 	spin_lock_irqsave_nested(&bcsp->unack.lock, flags, SINGLE_DEPTH_NESTING);
316 
317 	if (bcsp->unack.qlen < BCSP_TXWINSIZE) {
318 		skb = skb_dequeue(&bcsp->rel);
319 		if (skb != NULL) {
320 			struct sk_buff *nskb;
321 
322 			nskb = bcsp_prepare_pkt(bcsp, skb->data, skb->len,
323 						hci_skb_pkt_type(skb));
324 			if (nskb) {
325 				__skb_queue_tail(&bcsp->unack, skb);
326 				mod_timer(&bcsp->tbcsp, jiffies + HZ / 4);
327 				spin_unlock_irqrestore(&bcsp->unack.lock, flags);
328 				return nskb;
329 			} else {
330 				skb_queue_head(&bcsp->rel, skb);
331 				BT_ERR("Could not dequeue pkt because alloc_skb failed");
332 			}
333 		}
334 	}
335 
336 	spin_unlock_irqrestore(&bcsp->unack.lock, flags);
337 
338 	/* We could not send a reliable packet, either because there are
339 	 * none or because there are too many unack'ed pkts. Did we receive
340 	 * any packets we have not acknowledged yet ?
341 	 */
342 
343 	if (bcsp->txack_req) {
344 		/* if so, craft an empty ACK pkt and send it on BCSP unreliable
345 		 * channel 0
346 		 */
347 		struct sk_buff *nskb = bcsp_prepare_pkt(bcsp, NULL, 0, BCSP_ACK_PKT);
348 		return nskb;
349 	}
350 
351 	/* We have nothing to send */
352 	return NULL;
353 }
354 
355 static int bcsp_flush(struct hci_uart *hu)
356 {
357 	BT_DBG("hu %p", hu);
358 	return 0;
359 }
360 
361 /* Remove ack'ed packets */
362 static void bcsp_pkt_cull(struct bcsp_struct *bcsp)
363 {
364 	struct sk_buff *skb, *tmp;
365 	unsigned long flags;
366 	int i, pkts_to_be_removed;
367 	u8 seqno;
368 
369 	spin_lock_irqsave(&bcsp->unack.lock, flags);
370 
371 	pkts_to_be_removed = skb_queue_len(&bcsp->unack);
372 	seqno = bcsp->msgq_txseq;
373 
374 	while (pkts_to_be_removed) {
375 		if (bcsp->rxack == seqno)
376 			break;
377 		pkts_to_be_removed--;
378 		seqno = (seqno - 1) & 0x07;
379 	}
380 
381 	if (bcsp->rxack != seqno)
382 		BT_ERR("Peer acked invalid packet");
383 
384 	BT_DBG("Removing %u pkts out of %u, up to seqno %u",
385 	       pkts_to_be_removed, skb_queue_len(&bcsp->unack),
386 	       (seqno - 1) & 0x07);
387 
388 	i = 0;
389 	skb_queue_walk_safe(&bcsp->unack, skb, tmp) {
390 		if (i >= pkts_to_be_removed)
391 			break;
392 		i++;
393 
394 		__skb_unlink(skb, &bcsp->unack);
395 		kfree_skb(skb);
396 	}
397 
398 	if (skb_queue_empty(&bcsp->unack))
399 		del_timer(&bcsp->tbcsp);
400 
401 	spin_unlock_irqrestore(&bcsp->unack.lock, flags);
402 
403 	if (i != pkts_to_be_removed)
404 		BT_ERR("Removed only %u out of %u pkts", i, pkts_to_be_removed);
405 }
406 
407 /* Handle BCSP link-establishment packets. When we
408  * detect a "sync" packet, symptom that the BT module has reset,
409  * we do nothing :) (yet)
410  */
411 static void bcsp_handle_le_pkt(struct hci_uart *hu)
412 {
413 	struct bcsp_struct *bcsp = hu->priv;
414 	u8 conf_pkt[4]     = { 0xad, 0xef, 0xac, 0xed };
415 	u8 conf_rsp_pkt[4] = { 0xde, 0xad, 0xd0, 0xd0 };
416 	u8 sync_pkt[4]     = { 0xda, 0xdc, 0xed, 0xed };
417 
418 	/* spot "conf" pkts and reply with a "conf rsp" pkt */
419 	if (bcsp->rx_skb->data[1] >> 4 == 4 && bcsp->rx_skb->data[2] == 0 &&
420 	    !memcmp(&bcsp->rx_skb->data[4], conf_pkt, 4)) {
421 		struct sk_buff *nskb = alloc_skb(4, GFP_ATOMIC);
422 
423 		BT_DBG("Found a LE conf pkt");
424 		if (!nskb)
425 			return;
426 		memcpy(skb_put(nskb, 4), conf_rsp_pkt, 4);
427 		hci_skb_pkt_type(nskb) = BCSP_LE_PKT;
428 
429 		skb_queue_head(&bcsp->unrel, nskb);
430 		hci_uart_tx_wakeup(hu);
431 	}
432 	/* Spot "sync" pkts. If we find one...disaster! */
433 	else if (bcsp->rx_skb->data[1] >> 4 == 4 && bcsp->rx_skb->data[2] == 0 &&
434 		 !memcmp(&bcsp->rx_skb->data[4], sync_pkt, 4)) {
435 		BT_ERR("Found a LE sync pkt, card has reset");
436 	}
437 }
438 
439 static inline void bcsp_unslip_one_byte(struct bcsp_struct *bcsp, unsigned char byte)
440 {
441 	const u8 c0 = 0xc0, db = 0xdb;
442 
443 	switch (bcsp->rx_esc_state) {
444 	case BCSP_ESCSTATE_NOESC:
445 		switch (byte) {
446 		case 0xdb:
447 			bcsp->rx_esc_state = BCSP_ESCSTATE_ESC;
448 			break;
449 		default:
450 			memcpy(skb_put(bcsp->rx_skb, 1), &byte, 1);
451 			if ((bcsp->rx_skb->data[0] & 0x40) != 0 &&
452 			    bcsp->rx_state != BCSP_W4_CRC)
453 				bcsp_crc_update(&bcsp->message_crc, byte);
454 			bcsp->rx_count--;
455 		}
456 		break;
457 
458 	case BCSP_ESCSTATE_ESC:
459 		switch (byte) {
460 		case 0xdc:
461 			memcpy(skb_put(bcsp->rx_skb, 1), &c0, 1);
462 			if ((bcsp->rx_skb->data[0] & 0x40) != 0 &&
463 			    bcsp->rx_state != BCSP_W4_CRC)
464 				bcsp_crc_update(&bcsp->message_crc, 0xc0);
465 			bcsp->rx_esc_state = BCSP_ESCSTATE_NOESC;
466 			bcsp->rx_count--;
467 			break;
468 
469 		case 0xdd:
470 			memcpy(skb_put(bcsp->rx_skb, 1), &db, 1);
471 			if ((bcsp->rx_skb->data[0] & 0x40) != 0 &&
472 			    bcsp->rx_state != BCSP_W4_CRC)
473 				bcsp_crc_update(&bcsp->message_crc, 0xdb);
474 			bcsp->rx_esc_state = BCSP_ESCSTATE_NOESC;
475 			bcsp->rx_count--;
476 			break;
477 
478 		default:
479 			BT_ERR("Invalid byte %02x after esc byte", byte);
480 			kfree_skb(bcsp->rx_skb);
481 			bcsp->rx_skb = NULL;
482 			bcsp->rx_state = BCSP_W4_PKT_DELIMITER;
483 			bcsp->rx_count = 0;
484 		}
485 	}
486 }
487 
488 static void bcsp_complete_rx_pkt(struct hci_uart *hu)
489 {
490 	struct bcsp_struct *bcsp = hu->priv;
491 	int pass_up = 0;
492 
493 	if (bcsp->rx_skb->data[0] & 0x80) {	/* reliable pkt */
494 		BT_DBG("Received seqno %u from card", bcsp->rxseq_txack);
495 
496 		/* check the rx sequence number is as expected */
497 		if ((bcsp->rx_skb->data[0] & 0x07) == bcsp->rxseq_txack) {
498 			bcsp->rxseq_txack++;
499 			bcsp->rxseq_txack %= 0x8;
500 		} else {
501 			/* handle re-transmitted packet or
502 			 * when packet was missed
503 			 */
504 			BT_ERR("Out-of-order packet arrived, got %u expected %u",
505 			       bcsp->rx_skb->data[0] & 0x07, bcsp->rxseq_txack);
506 
507 			/* do not process out-of-order packet payload */
508 			pass_up = 2;
509 		}
510 
511 		/* send current txack value to all received reliable packets */
512 		bcsp->txack_req = 1;
513 
514 		/* If needed, transmit an ack pkt */
515 		hci_uart_tx_wakeup(hu);
516 	}
517 
518 	bcsp->rxack = (bcsp->rx_skb->data[0] >> 3) & 0x07;
519 	BT_DBG("Request for pkt %u from card", bcsp->rxack);
520 
521 	/* handle received ACK indications,
522 	 * including those from out-of-order packets
523 	 */
524 	bcsp_pkt_cull(bcsp);
525 
526 	if (pass_up != 2) {
527 		if ((bcsp->rx_skb->data[1] & 0x0f) == 6 &&
528 		    (bcsp->rx_skb->data[0] & 0x80)) {
529 			hci_skb_pkt_type(bcsp->rx_skb) = HCI_ACLDATA_PKT;
530 			pass_up = 1;
531 		} else if ((bcsp->rx_skb->data[1] & 0x0f) == 5 &&
532 			   (bcsp->rx_skb->data[0] & 0x80)) {
533 			hci_skb_pkt_type(bcsp->rx_skb) = HCI_EVENT_PKT;
534 			pass_up = 1;
535 		} else if ((bcsp->rx_skb->data[1] & 0x0f) == 7) {
536 			hci_skb_pkt_type(bcsp->rx_skb) = HCI_SCODATA_PKT;
537 			pass_up = 1;
538 		} else if ((bcsp->rx_skb->data[1] & 0x0f) == 1 &&
539 			   !(bcsp->rx_skb->data[0] & 0x80)) {
540 			bcsp_handle_le_pkt(hu);
541 			pass_up = 0;
542 		} else {
543 			pass_up = 0;
544 		}
545 	}
546 
547 	if (pass_up == 0) {
548 		struct hci_event_hdr hdr;
549 		u8 desc = (bcsp->rx_skb->data[1] & 0x0f);
550 
551 		if (desc != 0 && desc != 1) {
552 			if (hciextn) {
553 				desc |= 0xc0;
554 				skb_pull(bcsp->rx_skb, 4);
555 				memcpy(skb_push(bcsp->rx_skb, 1), &desc, 1);
556 
557 				hdr.evt = 0xff;
558 				hdr.plen = bcsp->rx_skb->len;
559 				memcpy(skb_push(bcsp->rx_skb, HCI_EVENT_HDR_SIZE), &hdr, HCI_EVENT_HDR_SIZE);
560 				hci_skb_pkt_type(bcsp->rx_skb) = HCI_EVENT_PKT;
561 
562 				hci_recv_frame(hu->hdev, bcsp->rx_skb);
563 			} else {
564 				BT_ERR("Packet for unknown channel (%u %s)",
565 				       bcsp->rx_skb->data[1] & 0x0f,
566 				       bcsp->rx_skb->data[0] & 0x80 ?
567 				       "reliable" : "unreliable");
568 				kfree_skb(bcsp->rx_skb);
569 			}
570 		} else
571 			kfree_skb(bcsp->rx_skb);
572 	} else if (pass_up == 1) {
573 		/* Pull out BCSP hdr */
574 		skb_pull(bcsp->rx_skb, 4);
575 
576 		hci_recv_frame(hu->hdev, bcsp->rx_skb);
577 	} else {
578 		/* ignore packet payload of already ACKed re-transmitted
579 		 * packets or when a packet was missed in the BCSP window
580 		 */
581 		kfree_skb(bcsp->rx_skb);
582 	}
583 
584 	bcsp->rx_state = BCSP_W4_PKT_DELIMITER;
585 	bcsp->rx_skb = NULL;
586 }
587 
588 static u16 bscp_get_crc(struct bcsp_struct *bcsp)
589 {
590 	return get_unaligned_be16(&bcsp->rx_skb->data[bcsp->rx_skb->len - 2]);
591 }
592 
593 /* Recv data */
594 static int bcsp_recv(struct hci_uart *hu, const void *data, int count)
595 {
596 	struct bcsp_struct *bcsp = hu->priv;
597 	const unsigned char *ptr;
598 
599 	BT_DBG("hu %p count %d rx_state %d rx_count %ld",
600 	       hu, count, bcsp->rx_state, bcsp->rx_count);
601 
602 	ptr = data;
603 	while (count) {
604 		if (bcsp->rx_count) {
605 			if (*ptr == 0xc0) {
606 				BT_ERR("Short BCSP packet");
607 				kfree_skb(bcsp->rx_skb);
608 				bcsp->rx_state = BCSP_W4_PKT_START;
609 				bcsp->rx_count = 0;
610 			} else
611 				bcsp_unslip_one_byte(bcsp, *ptr);
612 
613 			ptr++; count--;
614 			continue;
615 		}
616 
617 		switch (bcsp->rx_state) {
618 		case BCSP_W4_BCSP_HDR:
619 			if ((0xff & (u8)~(bcsp->rx_skb->data[0] + bcsp->rx_skb->data[1] +
620 			    bcsp->rx_skb->data[2])) != bcsp->rx_skb->data[3]) {
621 				BT_ERR("Error in BCSP hdr checksum");
622 				kfree_skb(bcsp->rx_skb);
623 				bcsp->rx_state = BCSP_W4_PKT_DELIMITER;
624 				bcsp->rx_count = 0;
625 				continue;
626 			}
627 			bcsp->rx_state = BCSP_W4_DATA;
628 			bcsp->rx_count = (bcsp->rx_skb->data[1] >> 4) +
629 					(bcsp->rx_skb->data[2] << 4);	/* May be 0 */
630 			continue;
631 
632 		case BCSP_W4_DATA:
633 			if (bcsp->rx_skb->data[0] & 0x40) {	/* pkt with crc */
634 				bcsp->rx_state = BCSP_W4_CRC;
635 				bcsp->rx_count = 2;
636 			} else
637 				bcsp_complete_rx_pkt(hu);
638 			continue;
639 
640 		case BCSP_W4_CRC:
641 			if (bitrev16(bcsp->message_crc) != bscp_get_crc(bcsp)) {
642 				BT_ERR("Checksum failed: computed %04x received %04x",
643 				       bitrev16(bcsp->message_crc),
644 				       bscp_get_crc(bcsp));
645 
646 				kfree_skb(bcsp->rx_skb);
647 				bcsp->rx_state = BCSP_W4_PKT_DELIMITER;
648 				bcsp->rx_count = 0;
649 				continue;
650 			}
651 			skb_trim(bcsp->rx_skb, bcsp->rx_skb->len - 2);
652 			bcsp_complete_rx_pkt(hu);
653 			continue;
654 
655 		case BCSP_W4_PKT_DELIMITER:
656 			switch (*ptr) {
657 			case 0xc0:
658 				bcsp->rx_state = BCSP_W4_PKT_START;
659 				break;
660 			default:
661 				/*BT_ERR("Ignoring byte %02x", *ptr);*/
662 				break;
663 			}
664 			ptr++; count--;
665 			break;
666 
667 		case BCSP_W4_PKT_START:
668 			switch (*ptr) {
669 			case 0xc0:
670 				ptr++; count--;
671 				break;
672 
673 			default:
674 				bcsp->rx_state = BCSP_W4_BCSP_HDR;
675 				bcsp->rx_count = 4;
676 				bcsp->rx_esc_state = BCSP_ESCSTATE_NOESC;
677 				BCSP_CRC_INIT(bcsp->message_crc);
678 
679 				/* Do not increment ptr or decrement count
680 				 * Allocate packet. Max len of a BCSP pkt=
681 				 * 0xFFF (payload) +4 (header) +2 (crc)
682 				 */
683 
684 				bcsp->rx_skb = bt_skb_alloc(0x1005, GFP_ATOMIC);
685 				if (!bcsp->rx_skb) {
686 					BT_ERR("Can't allocate mem for new packet");
687 					bcsp->rx_state = BCSP_W4_PKT_DELIMITER;
688 					bcsp->rx_count = 0;
689 					return 0;
690 				}
691 				break;
692 			}
693 			break;
694 		}
695 	}
696 	return count;
697 }
698 
699 	/* Arrange to retransmit all messages in the relq. */
700 static void bcsp_timed_event(unsigned long arg)
701 {
702 	struct hci_uart *hu = (struct hci_uart *)arg;
703 	struct bcsp_struct *bcsp = hu->priv;
704 	struct sk_buff *skb;
705 	unsigned long flags;
706 
707 	BT_DBG("hu %p retransmitting %u pkts", hu, bcsp->unack.qlen);
708 
709 	spin_lock_irqsave_nested(&bcsp->unack.lock, flags, SINGLE_DEPTH_NESTING);
710 
711 	while ((skb = __skb_dequeue_tail(&bcsp->unack)) != NULL) {
712 		bcsp->msgq_txseq = (bcsp->msgq_txseq - 1) & 0x07;
713 		skb_queue_head(&bcsp->rel, skb);
714 	}
715 
716 	spin_unlock_irqrestore(&bcsp->unack.lock, flags);
717 
718 	hci_uart_tx_wakeup(hu);
719 }
720 
721 static int bcsp_open(struct hci_uart *hu)
722 {
723 	struct bcsp_struct *bcsp;
724 
725 	BT_DBG("hu %p", hu);
726 
727 	bcsp = kzalloc(sizeof(*bcsp), GFP_KERNEL);
728 	if (!bcsp)
729 		return -ENOMEM;
730 
731 	hu->priv = bcsp;
732 	skb_queue_head_init(&bcsp->unack);
733 	skb_queue_head_init(&bcsp->rel);
734 	skb_queue_head_init(&bcsp->unrel);
735 
736 	init_timer(&bcsp->tbcsp);
737 	bcsp->tbcsp.function = bcsp_timed_event;
738 	bcsp->tbcsp.data     = (u_long)hu;
739 
740 	bcsp->rx_state = BCSP_W4_PKT_DELIMITER;
741 
742 	if (txcrc)
743 		bcsp->use_crc = 1;
744 
745 	return 0;
746 }
747 
748 static int bcsp_close(struct hci_uart *hu)
749 {
750 	struct bcsp_struct *bcsp = hu->priv;
751 
752 	del_timer_sync(&bcsp->tbcsp);
753 
754 	hu->priv = NULL;
755 
756 	BT_DBG("hu %p", hu);
757 
758 	skb_queue_purge(&bcsp->unack);
759 	skb_queue_purge(&bcsp->rel);
760 	skb_queue_purge(&bcsp->unrel);
761 
762 	kfree(bcsp);
763 	return 0;
764 }
765 
766 static const struct hci_uart_proto bcsp = {
767 	.id		= HCI_UART_BCSP,
768 	.name		= "BCSP",
769 	.open		= bcsp_open,
770 	.close		= bcsp_close,
771 	.enqueue	= bcsp_enqueue,
772 	.dequeue	= bcsp_dequeue,
773 	.recv		= bcsp_recv,
774 	.flush		= bcsp_flush
775 };
776 
777 int __init bcsp_init(void)
778 {
779 	return hci_uart_register_proto(&bcsp);
780 }
781 
782 int __exit bcsp_deinit(void)
783 {
784 	return hci_uart_unregister_proto(&bcsp);
785 }
786 
787 module_param(txcrc, bool, 0644);
788 MODULE_PARM_DESC(txcrc, "Transmit CRC with every BCSP packet");
789 
790 module_param(hciextn, bool, 0644);
791 MODULE_PARM_DESC(hciextn, "Convert HCI Extensions into BCSP packets");
792