projects / linux-block.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Bluetooth: Fix hci_sock_recvmsg return value
[linux-block.git] / drivers / bluetooth / btusb.c
CommitLineData
5e23b923
MH		 1/*
2 *
3 * Generic Bluetooth USB driver
4 *
9bfa35fe 5 * Copyright (C) 2005-2008 Marcel Holtmann <marcel@holtmann.org>
5e23b923
MH		 6 *
7 *
8 * This program is free software; you can redistribute it and/or modify
9 * it under the terms of the GNU General Public License as published by
10 * the Free Software Foundation; either version 2 of the License, or
11 * (at your option) any later version.
12 *
13 * This program is distributed in the hope that it will be useful,
14 * but WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 * GNU General Public License for more details.
17 *
18 * You should have received a copy of the GNU General Public License
19 * along with this program; if not, write to the Free Software
20 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
21 *
22 */
23
5e23b923 24#include <linux/module.h>
5e23b923 25#include <linux/usb.h>
dffd30ee 26#include <linux/firmware.h>
a2698a9b 27#include <asm/unaligned.h>
5e23b923
MH		 28
29#include <net/bluetooth/bluetooth.h>
30#include <net/bluetooth/hci_core.h>
31
4185a0f5 32#include "btintel.h"
1df1f591 33#include "btbcm.h"
db33c77d 34#include "btrtl.h"
1df1f591 35
34dced9b 36#define VERSION "0.8"
cfeb4145 37
90ab5ee9
RR		 38static bool disable_scofix;
39static bool force_scofix;
7a9d4020 40
917a3337 41static bool reset = true;
cfeb4145
MH		 42
43static struct usb_driver btusb_driver;
44
45#define BTUSB_IGNORE 0x01
7a9d4020
MH		 46#define BTUSB_DIGIANSWER 0x02
47#define BTUSB_CSR 0x04
48#define BTUSB_SNIFFER 0x08
49#define BTUSB_BCM92035 0x10
50#define BTUSB_BROKEN_ISOC 0x20
51#define BTUSB_WRONG_SCO_MTU 0x40
2d25f8b4 52#define BTUSB_ATH3012 0x80
dffd30ee 53#define BTUSB_INTEL 0x100
40df783d
MH		 54#define BTUSB_INTEL_BOOT 0x200
55#define BTUSB_BCM_PATCHRAM 0x400
ae8df494 56#define BTUSB_MARVELL 0x800
4fcef8ed 57#define BTUSB_SWAVE 0x1000
cda0dd78 58#define BTUSB_INTEL_NEW 0x2000
893ba544 59#define BTUSB_AMP 0x4000
3267c884 60#define BTUSB_QCA_ROME 0x8000
17b2772b 61#define BTUSB_BCM_APPLE 0x10000
a2698a9b 62#define BTUSB_REALTEK 0x20000
6c9d435d 63#define BTUSB_BCM2045 0x40000
22f8e9db 64#define BTUSB_IFNUM_2 0x80000
5e23b923 65
54265202 66static const struct usb_device_id btusb_table[] = {
5e23b923
MH		 67 /* Generic Bluetooth USB device */
68 { USB_DEVICE_INFO(0xe0, 0x01, 0x01) },
69
893ba544
MH		 70 /* Generic Bluetooth AMP device */
71 { USB_DEVICE_INFO(0xe0, 0x01, 0x04), .driver_info = BTUSB_AMP },
72
d63b2826
DD		 73 /* Generic Bluetooth USB interface */
74 { USB_INTERFACE_INFO(0xe0, 0x01, 0x01) },
75
1fa6535f 76 /* Apple-specific (Broadcom) devices */
17b2772b 77 { USB_VENDOR_AND_INTERFACE_INFO(0x05ac, 0xff, 0x01, 0x01),
22f8e9db 78 .driver_info = BTUSB_BCM_APPLE | BTUSB_IFNUM_2 },
1fa6535f 79
178c059e
CYC		 80 /* MediaTek MT76x0E */
81 { USB_DEVICE(0x0e8d, 0x763f) },
82
c510eae3 83 /* Broadcom SoftSailing reporting vendor specific */
2e8b5063 84 { USB_DEVICE(0x0a5c, 0x21e1) },
c510eae3 85
3cd01976
NI		 86 /* Apple MacBookPro 7,1 */
87 { USB_DEVICE(0x05ac, 0x8213) },
88
0a79f674
CL		 89 /* Apple iMac11,1 */
90 { USB_DEVICE(0x05ac, 0x8215) },
91
9c047157
NI		 92 /* Apple MacBookPro6,2 */
93 { USB_DEVICE(0x05ac, 0x8218) },
94
3e3ede7d
EH		 95 /* Apple MacBookAir3,1, MacBookAir3,2 */
96 { USB_DEVICE(0x05ac, 0x821b) },
97
a63b723d
PAVM		 98 /* Apple MacBookAir4,1 */
99 { USB_DEVICE(0x05ac, 0x821f) },
100
88d377b6
MAP		 101 /* Apple MacBookPro8,2 */
102 { USB_DEVICE(0x05ac, 0x821a) },
103
f78b6826
JK		 104 /* Apple MacMini5,1 */
105 { USB_DEVICE(0x05ac, 0x8281) },
106
cfeb4145 107 /* AVM BlueFRITZ! USB v2.0 */
4fcef8ed 108 { USB_DEVICE(0x057c, 0x3800), .driver_info = BTUSB_SWAVE },
cfeb4145
MH		 109
110 /* Bluetooth Ultraport Module from IBM */
111 { USB_DEVICE(0x04bf, 0x030a) },
112
113 /* ALPS Modules with non-standard id */
114 { USB_DEVICE(0x044e, 0x3001) },
115 { USB_DEVICE(0x044e, 0x3002) },
116
117 /* Ericsson with non-standard id */
118 { USB_DEVICE(0x0bdb, 0x1002) },
119
120 /* Canyon CN-BTU1 with HID interfaces */
7a9d4020 121 { USB_DEVICE(0x0c10, 0x0000) },
cfeb4145 122
d13431ca
WJS		 123 /* Broadcom BCM20702A0 */
124 { USB_DEVICE(0x413c, 0x8197) },
125
d049f4e5
MH		 126 /* Broadcom BCM20702B0 (Dynex/Insignia) */
127 { USB_DEVICE(0x19ff, 0x0239), .driver_info = BTUSB_BCM_PATCHRAM },
128
2faf71ce
SR		 129 /* Broadcom BCM43142A0 (Foxconn/Lenovo) */
130 { USB_DEVICE(0x105b, 0xe065), .driver_info = BTUSB_BCM_PATCHRAM },
131
98514036 132 /* Foxconn - Hon Hai */
6029ddc2
HS		 133 { USB_VENDOR_AND_INTERFACE_INFO(0x0489, 0xff, 0x01, 0x01),
134 .driver_info = BTUSB_BCM_PATCHRAM },
98514036 135
8f0c304c
MD		 136 /* Lite-On Technology - Broadcom based */
137 { USB_VENDOR_AND_INTERFACE_INFO(0x04ca, 0xff, 0x01, 0x01),
138 .driver_info = BTUSB_BCM_PATCHRAM },
139
0b880062 140 /* Broadcom devices with vendor specific id */
10d4c673
PG		 141 { USB_VENDOR_AND_INTERFACE_INFO(0x0a5c, 0xff, 0x01, 0x01),
142 .driver_info = BTUSB_BCM_PATCHRAM },
92c385f4 143
c2aef6e8 144 /* ASUSTek Computer - Broadcom based */
9a5abdaa
RD		 145 { USB_VENDOR_AND_INTERFACE_INFO(0x0b05, 0xff, 0x01, 0x01),
146 .driver_info = BTUSB_BCM_PATCHRAM },
c2aef6e8 147
5bcecf32 148 /* Belkin F8065bf - Broadcom based */
6331c686
MH		 149 { USB_VENDOR_AND_INTERFACE_INFO(0x050d, 0xff, 0x01, 0x01),
150 .driver_info = BTUSB_BCM_PATCHRAM },
5bcecf32 151
9113bfd8 152 /* IMC Networks - Broadcom based */
6331c686
MH		 153 { USB_VENDOR_AND_INTERFACE_INFO(0x13d3, 0xff, 0x01, 0x01),
154 .driver_info = BTUSB_BCM_PATCHRAM },
9113bfd8 155
1623d0bf
DT		 156 /* Toshiba Corp - Broadcom based */
157 { USB_VENDOR_AND_INTERFACE_INFO(0x0930, 0xff, 0x01, 0x01),
158 .driver_info = BTUSB_BCM_PATCHRAM },
159
40df783d 160 /* Intel Bluetooth USB Bootloader (RAM module) */
d92f2df0
MH		 161 { USB_DEVICE(0x8087, 0x0a5a),
162 .driver_info = BTUSB_INTEL_BOOT | BTUSB_BROKEN_ISOC },
40df783d 163
5e23b923
MH		 164 { } /* Terminating entry */
165};
166
167MODULE_DEVICE_TABLE(usb, btusb_table);
168
54265202 169static const struct usb_device_id blacklist_table[] = {
cfeb4145
MH		 170 /* CSR BlueCore devices */
171 { USB_DEVICE(0x0a12, 0x0001), .driver_info = BTUSB_CSR },
172
173 /* Broadcom BCM2033 without firmware */
174 { USB_DEVICE(0x0a5c, 0x2033), .driver_info = BTUSB_IGNORE },
175
6c9d435d
MH		 176 /* Broadcom BCM2045 devices */
177 { USB_DEVICE(0x0a5c, 0x2045), .driver_info = BTUSB_BCM2045 },
178
be93112a 179 /* Atheros 3011 with sflash firmware */
0b880062
AS		 180 { USB_DEVICE(0x0489, 0xe027), .driver_info = BTUSB_IGNORE },
181 { USB_DEVICE(0x0489, 0xe03d), .driver_info = BTUSB_IGNORE },
2eeff0b4 182 { USB_DEVICE(0x04f2, 0xaff1), .driver_info = BTUSB_IGNORE },
0b880062 183 { USB_DEVICE(0x0930, 0x0215), .driver_info = BTUSB_IGNORE },
be93112a 184 { USB_DEVICE(0x0cf3, 0x3002), .driver_info = BTUSB_IGNORE },
6eda541d 185 { USB_DEVICE(0x0cf3, 0xe019), .driver_info = BTUSB_IGNORE },
2a7bcccc 186 { USB_DEVICE(0x13d3, 0x3304), .driver_info = BTUSB_IGNORE },
be93112a 187
509e7861
CYC		 188 /* Atheros AR9285 Malbec with sflash firmware */
189 { USB_DEVICE(0x03f0, 0x311d), .driver_info = BTUSB_IGNORE },
190
d9f51b51 191 /* Atheros 3012 with sflash firmware */
0b880062
AS		 192 { USB_DEVICE(0x0489, 0xe04d), .driver_info = BTUSB_ATH3012 },
193 { USB_DEVICE(0x0489, 0xe04e), .driver_info = BTUSB_ATH3012 },
194 { USB_DEVICE(0x0489, 0xe056), .driver_info = BTUSB_ATH3012 },
195 { USB_DEVICE(0x0489, 0xe057), .driver_info = BTUSB_ATH3012 },
196 { USB_DEVICE(0x0489, 0xe05f), .driver_info = BTUSB_ATH3012 },
692c062e 197 { USB_DEVICE(0x0489, 0xe076), .driver_info = BTUSB_ATH3012 },
4b552bc9 198 { USB_DEVICE(0x0489, 0xe078), .driver_info = BTUSB_ATH3012 },
28c971d8 199 { USB_DEVICE(0x0489, 0xe095), .driver_info = BTUSB_ATH3012 },
0b880062
AS		 200 { USB_DEVICE(0x04c5, 0x1330), .driver_info = BTUSB_ATH3012 },
201 { USB_DEVICE(0x04ca, 0x3004), .driver_info = BTUSB_ATH3012 },
202 { USB_DEVICE(0x04ca, 0x3005), .driver_info = BTUSB_ATH3012 },
203 { USB_DEVICE(0x04ca, 0x3006), .driver_info = BTUSB_ATH3012 },
1fb4e09a 204 { USB_DEVICE(0x04ca, 0x3007), .driver_info = BTUSB_ATH3012 },
0b880062
AS		 205 { USB_DEVICE(0x04ca, 0x3008), .driver_info = BTUSB_ATH3012 },
206 { USB_DEVICE(0x04ca, 0x300b), .driver_info = BTUSB_ATH3012 },
7e730c7f 207 { USB_DEVICE(0x04ca, 0x300d), .driver_info = BTUSB_ATH3012 },
ec0810d2 208 { USB_DEVICE(0x04ca, 0x300f), .driver_info = BTUSB_ATH3012 },
134d3b35 209 { USB_DEVICE(0x04ca, 0x3010), .driver_info = BTUSB_ATH3012 },
81d90442 210 { USB_DEVICE(0x04ca, 0x3014), .driver_info = BTUSB_ATH3012 },
0b880062 211 { USB_DEVICE(0x0930, 0x0219), .driver_info = BTUSB_ATH3012 },
cd355ff0 212 { USB_DEVICE(0x0930, 0x021c), .driver_info = BTUSB_ATH3012 },
0b880062 213 { USB_DEVICE(0x0930, 0x0220), .driver_info = BTUSB_ATH3012 },
89d2975f 214 { USB_DEVICE(0x0930, 0x0227), .driver_info = BTUSB_ATH3012 },
a735f9e2 215 { USB_DEVICE(0x0b05, 0x17d0), .driver_info = BTUSB_ATH3012 },
d66629c1 216 { USB_DEVICE(0x0cf3, 0x0036), .driver_info = BTUSB_ATH3012 },
2d25f8b4 217 { USB_DEVICE(0x0cf3, 0x3004), .driver_info = BTUSB_ATH3012 },
94a32d10 218 { USB_DEVICE(0x0cf3, 0x3008), .driver_info = BTUSB_ATH3012 },
07c0ea87 219 { USB_DEVICE(0x0cf3, 0x311d), .driver_info = BTUSB_ATH3012 },
b131237c 220 { USB_DEVICE(0x0cf3, 0x311e), .driver_info = BTUSB_ATH3012 },
1e56f1eb 221 { USB_DEVICE(0x0cf3, 0x311f), .driver_info = BTUSB_ATH3012 },
0b880062 222 { USB_DEVICE(0x0cf3, 0x3121), .driver_info = BTUSB_ATH3012 },
ebaf5795 223 { USB_DEVICE(0x0cf3, 0x817a), .driver_info = BTUSB_ATH3012 },
18e0afab 224 { USB_DEVICE(0x0cf3, 0x817b), .driver_info = BTUSB_ATH3012 },
0b880062 225 { USB_DEVICE(0x0cf3, 0xe003), .driver_info = BTUSB_ATH3012 },
ac71311e 226 { USB_DEVICE(0x0cf3, 0xe004), .driver_info = BTUSB_ATH3012 },
0a3658cc 227 { USB_DEVICE(0x0cf3, 0xe005), .driver_info = BTUSB_ATH3012 },
ca79f232 228 { USB_DEVICE(0x0cf3, 0xe006), .driver_info = BTUSB_ATH3012 },
0b880062
AS		 229 { USB_DEVICE(0x13d3, 0x3362), .driver_info = BTUSB_ATH3012 },
230 { USB_DEVICE(0x13d3, 0x3375), .driver_info = BTUSB_ATH3012 },
eed307e2 231 { USB_DEVICE(0x13d3, 0x3393), .driver_info = BTUSB_ATH3012 },
609574eb 232 { USB_DEVICE(0x13d3, 0x3395), .driver_info = BTUSB_ATH3012 },
5b77a1f3 233 { USB_DEVICE(0x13d3, 0x3402), .driver_info = BTUSB_ATH3012 },
3bb30a7c 234 { USB_DEVICE(0x13d3, 0x3408), .driver_info = BTUSB_ATH3012 },
033efa92 235 { USB_DEVICE(0x13d3, 0x3423), .driver_info = BTUSB_ATH3012 },
fa2f1394 236 { USB_DEVICE(0x13d3, 0x3432), .driver_info = BTUSB_ATH3012 },
75c6aca4 237 { USB_DEVICE(0x13d3, 0x3472), .driver_info = BTUSB_ATH3012 },
0d0cef61 238 { USB_DEVICE(0x13d3, 0x3474), .driver_info = BTUSB_ATH3012 },
72f9f8b5 239 { USB_DEVICE(0x13d3, 0x3487), .driver_info = BTUSB_ATH3012 },
d9f51b51 240
e9036e33
CYC		 241 /* Atheros AR5BBU12 with sflash firmware */
242 { USB_DEVICE(0x0489, 0xe02c), .driver_info = BTUSB_IGNORE },
243
85d59726 244 /* Atheros AR5BBU12 with sflash firmware */
bc21fde2 245 { USB_DEVICE(0x0489, 0xe036), .driver_info = BTUSB_ATH3012 },
0b880062 246 { USB_DEVICE(0x0489, 0xe03c), .driver_info = BTUSB_ATH3012 },
85d59726 247
3267c884 248 /* QCA ROME chipset */
2054111b 249 { USB_DEVICE(0x0cf3, 0xe007), .driver_info = BTUSB_QCA_ROME },
c9e44474
MH		 250 { USB_DEVICE(0x0cf3, 0xe300), .driver_info = BTUSB_QCA_ROME },
251 { USB_DEVICE(0x0cf3, 0xe360), .driver_info = BTUSB_QCA_ROME },
3267c884 252
cfeb4145 253 /* Broadcom BCM2035 */
7a9d4020 254 { USB_DEVICE(0x0a5c, 0x2009), .driver_info = BTUSB_BCM92035 },
0b880062
AS		 255 { USB_DEVICE(0x0a5c, 0x200a), .driver_info = BTUSB_WRONG_SCO_MTU },
256 { USB_DEVICE(0x0a5c, 0x2035), .driver_info = BTUSB_WRONG_SCO_MTU },
cfeb4145
MH		 257
258 /* Broadcom BCM2045 */
7a9d4020
MH		 259 { USB_DEVICE(0x0a5c, 0x2039), .driver_info = BTUSB_WRONG_SCO_MTU },
260 { USB_DEVICE(0x0a5c, 0x2101), .driver_info = BTUSB_WRONG_SCO_MTU },
bdbef3d6 261
cfeb4145 262 /* IBM/Lenovo ThinkPad with Broadcom chip */
7a9d4020
MH		 263 { USB_DEVICE(0x0a5c, 0x201e), .driver_info = BTUSB_WRONG_SCO_MTU },
264 { USB_DEVICE(0x0a5c, 0x2110), .driver_info = BTUSB_WRONG_SCO_MTU },
cfeb4145
MH		 265
266 /* HP laptop with Broadcom chip */
7a9d4020 267 { USB_DEVICE(0x03f0, 0x171d), .driver_info = BTUSB_WRONG_SCO_MTU },
cfeb4145
MH		 268
269 /* Dell laptop with Broadcom chip */
7a9d4020 270 { USB_DEVICE(0x413c, 0x8126), .driver_info = BTUSB_WRONG_SCO_MTU },
cfeb4145 271
5ddd4a60 272 /* Dell Wireless 370 and 410 devices */
7a9d4020 273 { USB_DEVICE(0x413c, 0x8152), .driver_info = BTUSB_WRONG_SCO_MTU },
5ddd4a60 274 { USB_DEVICE(0x413c, 0x8156), .driver_info = BTUSB_WRONG_SCO_MTU },
cfeb4145 275
7a9d4020
MH		 276 /* Belkin F8T012 and F8T013 devices */
277 { USB_DEVICE(0x050d, 0x0012), .driver_info = BTUSB_WRONG_SCO_MTU },
278 { USB_DEVICE(0x050d, 0x0013), .driver_info = BTUSB_WRONG_SCO_MTU },
cfeb4145 279
5ddd4a60
MH		 280 /* Asus WL-BTD202 device */
281 { USB_DEVICE(0x0b05, 0x1715), .driver_info = BTUSB_WRONG_SCO_MTU },
282
283 /* Kensington Bluetooth USB adapter */
284 { USB_DEVICE(0x047d, 0x105e), .driver_info = BTUSB_WRONG_SCO_MTU },
285
cfeb4145
MH		 286 /* RTX Telecom based adapters with buggy SCO support */
287 { USB_DEVICE(0x0400, 0x0807), .driver_info = BTUSB_BROKEN_ISOC },
288 { USB_DEVICE(0x0400, 0x080a), .driver_info = BTUSB_BROKEN_ISOC },
289
290 /* CONWISE Technology based adapters with buggy SCO support */
291 { USB_DEVICE(0x0e5e, 0x6622), .driver_info = BTUSB_BROKEN_ISOC },
292
4fcef8ed 293 /* Roper Class 1 Bluetooth Dongle (Silicon Wave based) */
2eeac871 294 { USB_DEVICE(0x1310, 0x0001), .driver_info = BTUSB_SWAVE },
4fcef8ed 295
cfeb4145
MH		 296 /* Digianswer devices */
297 { USB_DEVICE(0x08fd, 0x0001), .driver_info = BTUSB_DIGIANSWER },
298 { USB_DEVICE(0x08fd, 0x0002), .driver_info = BTUSB_IGNORE },
299
300 /* CSR BlueCore Bluetooth Sniffer */
4f64fa80
MH		 301 { USB_DEVICE(0x0a12, 0x0002),
302 .driver_info = BTUSB_SNIFFER | BTUSB_BROKEN_ISOC },
cfeb4145
MH		 303
304 /* Frontline ComProbe Bluetooth Sniffer */
4f64fa80
MH		 305 { USB_DEVICE(0x16d3, 0x0002),
306 .driver_info = BTUSB_SNIFFER | BTUSB_BROKEN_ISOC },
cfeb4145 307
cb1ee89f
MH		 308 /* Marvell Bluetooth devices */
309 { USB_DEVICE(0x1286, 0x2044), .driver_info = BTUSB_MARVELL },
310 { USB_DEVICE(0x1286, 0x2046), .driver_info = BTUSB_MARVELL },
311
d0ac9eb7 312 /* Intel Bluetooth devices */
407550fe 313 { USB_DEVICE(0x8087, 0x07da), .driver_info = BTUSB_CSR },
dffd30ee 314 { USB_DEVICE(0x8087, 0x07dc), .driver_info = BTUSB_INTEL },
ef4e5e4a 315 { USB_DEVICE(0x8087, 0x0a2a), .driver_info = BTUSB_INTEL },
cda0dd78 316 { USB_DEVICE(0x8087, 0x0a2b), .driver_info = BTUSB_INTEL_NEW },
439e65d3 317 { USB_DEVICE(0x8087, 0x0aa7), .driver_info = BTUSB_INTEL },
dffd30ee 318
d0ac9eb7
MH		 319 /* Other Intel Bluetooth devices */
320 { USB_VENDOR_AND_INTERFACE_INFO(0x8087, 0xe0, 0x01, 0x01),
321 .driver_info = BTUSB_IGNORE },
ae8df494 322
a2698a9b
DD		 323 /* Realtek Bluetooth devices */
324 { USB_VENDOR_AND_INTERFACE_INFO(0x0bda, 0xe0, 0x01, 0x01),
325 .driver_info = BTUSB_REALTEK },
326
327 /* Additional Realtek 8723AE Bluetooth devices */
328 { USB_DEVICE(0x0930, 0x021d), .driver_info = BTUSB_REALTEK },
329 { USB_DEVICE(0x13d3, 0x3394), .driver_info = BTUSB_REALTEK },
330
331 /* Additional Realtek 8723BE Bluetooth devices */
332 { USB_DEVICE(0x0489, 0xe085), .driver_info = BTUSB_REALTEK },
333 { USB_DEVICE(0x0489, 0xe08b), .driver_info = BTUSB_REALTEK },
334 { USB_DEVICE(0x13d3, 0x3410), .driver_info = BTUSB_REALTEK },
335 { USB_DEVICE(0x13d3, 0x3416), .driver_info = BTUSB_REALTEK },
336 { USB_DEVICE(0x13d3, 0x3459), .driver_info = BTUSB_REALTEK },
337
338 /* Additional Realtek 8821AE Bluetooth devices */
339 { USB_DEVICE(0x0b05, 0x17dc), .driver_info = BTUSB_REALTEK },
340 { USB_DEVICE(0x13d3, 0x3414), .driver_info = BTUSB_REALTEK },
341 { USB_DEVICE(0x13d3, 0x3458), .driver_info = BTUSB_REALTEK },
342 { USB_DEVICE(0x13d3, 0x3461), .driver_info = BTUSB_REALTEK },
343 { USB_DEVICE(0x13d3, 0x3462), .driver_info = BTUSB_REALTEK },
344
4481c076
PP		 345 /* Silicon Wave based devices */
346 { USB_DEVICE(0x0c10, 0x0000), .driver_info = BTUSB_SWAVE },
347
5e23b923
MH		 348 { } /* Terminating entry */
349};
350
9bfa35fe
MH		 351#define BTUSB_MAX_ISOC_FRAMES 10
352
5e23b923
MH		 353#define BTUSB_INTR_RUNNING 0
354#define BTUSB_BULK_RUNNING 1
9bfa35fe 355#define BTUSB_ISOC_RUNNING 2
7bee549e 356#define BTUSB_SUSPENDING 3
08b8b6c4 357#define BTUSB_DID_ISO_RESUME 4
cda0dd78
MH		 358#define BTUSB_BOOTLOADER 5
359#define BTUSB_DOWNLOADING 6
ce6bb929 360#define BTUSB_FIRMWARE_LOADED 7
cda0dd78 361#define BTUSB_FIRMWARE_FAILED 8
ce6bb929 362#define BTUSB_BOOTING 9
04b8c814 363#define BTUSB_RESET_RESUME 10
9d08f504 364#define BTUSB_DIAG_RUNNING 11
5e23b923
MH		 365
366struct btusb_data {
367 struct hci_dev *hdev;
368 struct usb_device *udev;
5fbcd260 369 struct usb_interface *intf;
9bfa35fe 370 struct usb_interface *isoc;
9d08f504 371 struct usb_interface *diag;
5e23b923 372
5e23b923
MH		 373 unsigned long flags;
374
375 struct work_struct work;
7bee549e 376 struct work_struct waker;
5e23b923 377
803b5836 378 struct usb_anchor deferred;
5e23b923 379 struct usb_anchor tx_anchor;
803b5836
MH		 380 int tx_in_flight;
381 spinlock_t txlock;
382
5e23b923
MH		 383 struct usb_anchor intr_anchor;
384 struct usb_anchor bulk_anchor;
9bfa35fe 385 struct usb_anchor isoc_anchor;
9d08f504 386 struct usb_anchor diag_anchor;
803b5836
MH		 387 spinlock_t rxlock;
388
389 struct sk_buff *evt_skb;
390 struct sk_buff *acl_skb;
391 struct sk_buff *sco_skb;
5e23b923
MH		 392
393 struct usb_endpoint_descriptor *intr_ep;
394 struct usb_endpoint_descriptor *bulk_tx_ep;
395 struct usb_endpoint_descriptor *bulk_rx_ep;
9bfa35fe
MH		 396 struct usb_endpoint_descriptor *isoc_tx_ep;
397 struct usb_endpoint_descriptor *isoc_rx_ep;
9d08f504
MH		 398 struct usb_endpoint_descriptor *diag_tx_ep;
399 struct usb_endpoint_descriptor *diag_rx_ep;
9bfa35fe 400
7a9d4020 401 __u8 cmdreq_type;
893ba544 402 __u8 cmdreq;
7a9d4020 403
43c2e57f 404 unsigned int sco_num;
9bfa35fe 405 int isoc_altsetting;
6a88adf2 406 int suspend_count;
2cbd3f5c 407
97307f51 408 int (*recv_event)(struct hci_dev *hdev, struct sk_buff *skb);
2cbd3f5c 409 int (*recv_bulk)(struct btusb_data *data, void *buffer, int count);
ace31982
KBYT		 410
411 int (*setup_on_usb)(struct hci_dev *hdev);
5e23b923
MH		 412};
413
803b5836
MH		 414static inline void btusb_free_frags(struct btusb_data *data)
415{
416 unsigned long flags;
417
418 spin_lock_irqsave(&data->rxlock, flags);
419
420 kfree_skb(data->evt_skb);
421 data->evt_skb = NULL;
422
423 kfree_skb(data->acl_skb);
424 data->acl_skb = NULL;
425
426 kfree_skb(data->sco_skb);
427 data->sco_skb = NULL;
428
429 spin_unlock_irqrestore(&data->rxlock, flags);
430}
431
1ffa4ad0
MH		 432static int btusb_recv_intr(struct btusb_data *data, void *buffer, int count)
433{
803b5836
MH		 434 struct sk_buff *skb;
435 int err = 0;
436
437 spin_lock(&data->rxlock);
438 skb = data->evt_skb;
439
440 while (count) {
441 int len;
442
443 if (!skb) {
444 skb = bt_skb_alloc(HCI_MAX_EVENT_SIZE, GFP_ATOMIC);
445 if (!skb) {
446 err = -ENOMEM;
447 break;
448 }
449
618e8bc2
MH		 450 hci_skb_pkt_type(skb) = HCI_EVENT_PKT;
451 hci_skb_expect(skb) = HCI_EVENT_HDR_SIZE;
803b5836
MH		 452 }
453
618e8bc2 454 len = min_t(uint, hci_skb_expect(skb), count);
803b5836
MH		 455 memcpy(skb_put(skb, len), buffer, len);
456
457 count -= len;
458 buffer += len;
618e8bc2 459 hci_skb_expect(skb) -= len;
803b5836
MH		 460
461 if (skb->len == HCI_EVENT_HDR_SIZE) {
462 /* Complete event header */
618e8bc2 463 hci_skb_expect(skb) = hci_event_hdr(skb)->plen;
803b5836 464
618e8bc2 465 if (skb_tailroom(skb) < hci_skb_expect(skb)) {
803b5836
MH		 466 kfree_skb(skb);
467 skb = NULL;
468
469 err = -EILSEQ;
470 break;
471 }
472 }
473
618e8bc2 474 if (!hci_skb_expect(skb)) {
803b5836 475 /* Complete frame */
97307f51 476 data->recv_event(data->hdev, skb);
803b5836
MH		 477 skb = NULL;
478 }
479 }
480
481 data->evt_skb = skb;
482 spin_unlock(&data->rxlock);
483
484 return err;
1ffa4ad0
MH		 485}
486
487static int btusb_recv_bulk(struct btusb_data *data, void *buffer, int count)
488{
803b5836
MH		 489 struct sk_buff *skb;
490 int err = 0;
491
492 spin_lock(&data->rxlock);
493 skb = data->acl_skb;
494
495 while (count) {
496 int len;
497
498 if (!skb) {
499 skb = bt_skb_alloc(HCI_MAX_FRAME_SIZE, GFP_ATOMIC);
500 if (!skb) {
501 err = -ENOMEM;
502 break;
503 }
504
618e8bc2
MH		 505 hci_skb_pkt_type(skb) = HCI_ACLDATA_PKT;
506 hci_skb_expect(skb) = HCI_ACL_HDR_SIZE;
803b5836
MH		 507 }
508
618e8bc2 509 len = min_t(uint, hci_skb_expect(skb), count);
803b5836
MH		 510 memcpy(skb_put(skb, len), buffer, len);
511
512 count -= len;
513 buffer += len;
618e8bc2 514 hci_skb_expect(skb) -= len;
803b5836
MH		 515
516 if (skb->len == HCI_ACL_HDR_SIZE) {
517 __le16 dlen = hci_acl_hdr(skb)->dlen;
518
519 /* Complete ACL header */
618e8bc2 520 hci_skb_expect(skb) = __le16_to_cpu(dlen);
803b5836 521
618e8bc2 522 if (skb_tailroom(skb) < hci_skb_expect(skb)) {
803b5836
MH		 523 kfree_skb(skb);
524 skb = NULL;
525
526 err = -EILSEQ;
527 break;
528 }
529 }
530
618e8bc2 531 if (!hci_skb_expect(skb)) {
803b5836
MH		 532 /* Complete frame */
533 hci_recv_frame(data->hdev, skb);
534 skb = NULL;
535 }
536 }
537
538 data->acl_skb = skb;
539 spin_unlock(&data->rxlock);
540
541 return err;
1ffa4ad0
MH		 542}
543
544static int btusb_recv_isoc(struct btusb_data *data, void *buffer, int count)
545{
803b5836
MH		 546 struct sk_buff *skb;
547 int err = 0;
548
549 spin_lock(&data->rxlock);
550 skb = data->sco_skb;
551
552 while (count) {
553 int len;
554
555 if (!skb) {
556 skb = bt_skb_alloc(HCI_MAX_SCO_SIZE, GFP_ATOMIC);
557 if (!skb) {
558 err = -ENOMEM;
559 break;
560 }
561
618e8bc2
MH		 562 hci_skb_pkt_type(skb) = HCI_SCODATA_PKT;
563 hci_skb_expect(skb) = HCI_SCO_HDR_SIZE;
803b5836
MH		 564 }
565
618e8bc2 566 len = min_t(uint, hci_skb_expect(skb), count);
803b5836
MH		 567 memcpy(skb_put(skb, len), buffer, len);
568
569 count -= len;
570 buffer += len;
618e8bc2 571 hci_skb_expect(skb) -= len;
803b5836
MH		 572
573 if (skb->len == HCI_SCO_HDR_SIZE) {
574 /* Complete SCO header */
618e8bc2 575 hci_skb_expect(skb) = hci_sco_hdr(skb)->dlen;
803b5836 576
618e8bc2 577 if (skb_tailroom(skb) < hci_skb_expect(skb)) {
803b5836
MH		 578 kfree_skb(skb);
579 skb = NULL;
580
581 err = -EILSEQ;
582 break;
583 }
584 }
585
618e8bc2 586 if (!hci_skb_expect(skb)) {
803b5836
MH		 587 /* Complete frame */
588 hci_recv_frame(data->hdev, skb);
589 skb = NULL;
590 }
591 }
592
593 data->sco_skb = skb;
594 spin_unlock(&data->rxlock);
595
596 return err;
1ffa4ad0
MH		 597}
598
5e23b923
MH		 599static void btusb_intr_complete(struct urb *urb)
600{
601 struct hci_dev *hdev = urb->context;
155961e8 602 struct btusb_data *data = hci_get_drvdata(hdev);
5e23b923
MH		 603 int err;
604
89e7533d
MH		 605 BT_DBG("%s urb %p status %d count %d", hdev->name, urb, urb->status,
606 urb->actual_length);
5e23b923
MH		 607
608 if (!test_bit(HCI_RUNNING, &hdev->flags))
609 return;
610
611 if (urb->status == 0) {
9bfa35fe
MH		 612 hdev->stat.byte_rx += urb->actual_length;
613
1ffa4ad0
MH		 614 if (btusb_recv_intr(data, urb->transfer_buffer,
615 urb->actual_length) < 0) {
5e23b923
MH		 616 BT_ERR("%s corrupted event packet", hdev->name);
617 hdev->stat.err_rx++;
618 }
85560c4a
CC		 619 } else if (urb->status == -ENOENT) {
620 /* Avoid suspend failed when usb_kill_urb */
621 return;
5e23b923
MH		 622 }
623
624 if (!test_bit(BTUSB_INTR_RUNNING, &data->flags))
625 return;
626
7bee549e 627 usb_mark_last_busy(data->udev);
5e23b923
MH		 628 usb_anchor_urb(urb, &data->intr_anchor);
629
630 err = usb_submit_urb(urb, GFP_ATOMIC);
631 if (err < 0) {
4935f1c1
PB		 632 /* -EPERM: urb is being killed;
633 * -ENODEV: device got disconnected */
634 if (err != -EPERM && err != -ENODEV)
61faddf6 635 BT_ERR("%s urb %p failed to resubmit (%d)",
89e7533d 636 hdev->name, urb, -err);
5e23b923
MH		 637 usb_unanchor_urb(urb);
638 }
639}
640
2eda66f4 641static int btusb_submit_intr_urb(struct hci_dev *hdev, gfp_t mem_flags)
5e23b923 642{
155961e8 643 struct btusb_data *data = hci_get_drvdata(hdev);
5e23b923
MH		 644 struct urb *urb;
645 unsigned char *buf;
646 unsigned int pipe;
647 int err, size;
648
649 BT_DBG("%s", hdev->name);
650
9bfa35fe
MH		 651 if (!data->intr_ep)
652 return -ENODEV;
653
2eda66f4 654 urb = usb_alloc_urb(0, mem_flags);
5e23b923
MH		 655 if (!urb)
656 return -ENOMEM;
657
658 size = le16_to_cpu(data->intr_ep->wMaxPacketSize);
659
2eda66f4 660 buf = kmalloc(size, mem_flags);
5e23b923
MH		 661 if (!buf) {
662 usb_free_urb(urb);
663 return -ENOMEM;
664 }
665
666 pipe = usb_rcvintpipe(data->udev, data->intr_ep->bEndpointAddress);
667
668 usb_fill_int_urb(urb, data->udev, pipe, buf, size,
89e7533d 669 btusb_intr_complete, hdev, data->intr_ep->bInterval);
5e23b923
MH		 670
671 urb->transfer_flags |= URB_FREE_BUFFER;
672
673 usb_anchor_urb(urb, &data->intr_anchor);
674
2eda66f4 675 err = usb_submit_urb(urb, mem_flags);
5e23b923 676 if (err < 0) {
d4b8d1c9
PB		 677 if (err != -EPERM && err != -ENODEV)
678 BT_ERR("%s urb %p submission failed (%d)",
89e7533d 679 hdev->name, urb, -err);
5e23b923 680 usb_unanchor_urb(urb);
5e23b923
MH		 681 }
682
683 usb_free_urb(urb);
684
685 return err;
686}
687
688static void btusb_bulk_complete(struct urb *urb)
689{
690 struct hci_dev *hdev = urb->context;
155961e8 691 struct btusb_data *data = hci_get_drvdata(hdev);
5e23b923
MH		 692 int err;
693
89e7533d
MH		 694 BT_DBG("%s urb %p status %d count %d", hdev->name, urb, urb->status,
695 urb->actual_length);
5e23b923
MH		 696
697 if (!test_bit(HCI_RUNNING, &hdev->flags))
698 return;
699
700 if (urb->status == 0) {
9bfa35fe
MH		 701 hdev->stat.byte_rx += urb->actual_length;
702
2cbd3f5c 703 if (data->recv_bulk(data, urb->transfer_buffer,
1ffa4ad0 704 urb->actual_length) < 0) {
5e23b923
MH		 705 BT_ERR("%s corrupted ACL packet", hdev->name);
706 hdev->stat.err_rx++;
707 }
85560c4a
CC		 708 } else if (urb->status == -ENOENT) {
709 /* Avoid suspend failed when usb_kill_urb */
710 return;
5e23b923
MH		 711 }
712
713 if (!test_bit(BTUSB_BULK_RUNNING, &data->flags))
714 return;
715
716 usb_anchor_urb(urb, &data->bulk_anchor);
652fd781 717 usb_mark_last_busy(data->udev);
5e23b923
MH		 718
719 err = usb_submit_urb(urb, GFP_ATOMIC);
720 if (err < 0) {
4935f1c1
PB		 721 /* -EPERM: urb is being killed;
722 * -ENODEV: device got disconnected */
723 if (err != -EPERM && err != -ENODEV)
61faddf6 724 BT_ERR("%s urb %p failed to resubmit (%d)",
89e7533d 725 hdev->name, urb, -err);
5e23b923
MH		 726 usb_unanchor_urb(urb);
727 }
728}
729
2eda66f4 730static int btusb_submit_bulk_urb(struct hci_dev *hdev, gfp_t mem_flags)
5e23b923 731{
155961e8 732 struct btusb_data *data = hci_get_drvdata(hdev);
5e23b923
MH		 733 struct urb *urb;
734 unsigned char *buf;
735 unsigned int pipe;
290ba200 736 int err, size = HCI_MAX_FRAME_SIZE;
5e23b923
MH		 737
738 BT_DBG("%s", hdev->name);
739
9bfa35fe
MH		 740 if (!data->bulk_rx_ep)
741 return -ENODEV;
742
2eda66f4 743 urb = usb_alloc_urb(0, mem_flags);
5e23b923
MH		 744 if (!urb)
745 return -ENOMEM;
746
2eda66f4 747 buf = kmalloc(size, mem_flags);
5e23b923
MH		 748 if (!buf) {
749 usb_free_urb(urb);
750 return -ENOMEM;
751 }
752
753 pipe = usb_rcvbulkpipe(data->udev, data->bulk_rx_ep->bEndpointAddress);
754
89e7533d
MH		 755 usb_fill_bulk_urb(urb, data->udev, pipe, buf, size,
756 btusb_bulk_complete, hdev);
5e23b923
MH		 757
758 urb->transfer_flags |= URB_FREE_BUFFER;
759
7bee549e 760 usb_mark_last_busy(data->udev);
5e23b923
MH		 761 usb_anchor_urb(urb, &data->bulk_anchor);
762
2eda66f4 763 err = usb_submit_urb(urb, mem_flags);
5e23b923 764 if (err < 0) {
d4b8d1c9
PB		 765 if (err != -EPERM && err != -ENODEV)
766 BT_ERR("%s urb %p submission failed (%d)",
89e7533d 767 hdev->name, urb, -err);
5e23b923 768 usb_unanchor_urb(urb);
5e23b923
MH		 769 }
770
771 usb_free_urb(urb);
772
773 return err;
774}
775
9bfa35fe
MH		 776static void btusb_isoc_complete(struct urb *urb)
777{
778 struct hci_dev *hdev = urb->context;
155961e8 779 struct btusb_data *data = hci_get_drvdata(hdev);
9bfa35fe
MH		 780 int i, err;
781
89e7533d
MH		 782 BT_DBG("%s urb %p status %d count %d", hdev->name, urb, urb->status,
783 urb->actual_length);
9bfa35fe
MH		 784
785 if (!test_bit(HCI_RUNNING, &hdev->flags))
786 return;
787
788 if (urb->status == 0) {
789 for (i = 0; i < urb->number_of_packets; i++) {
790 unsigned int offset = urb->iso_frame_desc[i].offset;
791 unsigned int length = urb->iso_frame_desc[i].actual_length;
792
793 if (urb->iso_frame_desc[i].status)
794 continue;
795
796 hdev->stat.byte_rx += length;
797
1ffa4ad0
MH		 798 if (btusb_recv_isoc(data, urb->transfer_buffer + offset,
799 length) < 0) {
9bfa35fe
MH		 800 BT_ERR("%s corrupted SCO packet", hdev->name);
801 hdev->stat.err_rx++;
802 }
803 }
85560c4a
CC		 804 } else if (urb->status == -ENOENT) {
805 /* Avoid suspend failed when usb_kill_urb */
806 return;
9bfa35fe
MH		 807 }
808
809 if (!test_bit(BTUSB_ISOC_RUNNING, &data->flags))
810 return;
811
812 usb_anchor_urb(urb, &data->isoc_anchor);
813
814 err = usb_submit_urb(urb, GFP_ATOMIC);
815 if (err < 0) {
4935f1c1
PB		 816 /* -EPERM: urb is being killed;
817 * -ENODEV: device got disconnected */
818 if (err != -EPERM && err != -ENODEV)
61faddf6 819 BT_ERR("%s urb %p failed to resubmit (%d)",
89e7533d 820 hdev->name, urb, -err);
9bfa35fe
MH		 821 usb_unanchor_urb(urb);
822 }
823}
824
42b16b3f 825static inline void __fill_isoc_descriptor(struct urb *urb, int len, int mtu)
9bfa35fe
MH		 826{
827 int i, offset = 0;
828
829 BT_DBG("len %d mtu %d", len, mtu);
830
831 for (i = 0; i < BTUSB_MAX_ISOC_FRAMES && len >= mtu;
832 i++, offset += mtu, len -= mtu) {
833 urb->iso_frame_desc[i].offset = offset;
834 urb->iso_frame_desc[i].length = mtu;
835 }
836
837 if (len && i < BTUSB_MAX_ISOC_FRAMES) {
838 urb->iso_frame_desc[i].offset = offset;
839 urb->iso_frame_desc[i].length = len;
840 i++;
841 }
842
843 urb->number_of_packets = i;
844}
845
2eda66f4 846static int btusb_submit_isoc_urb(struct hci_dev *hdev, gfp_t mem_flags)
9bfa35fe 847{
155961e8 848 struct btusb_data *data = hci_get_drvdata(hdev);
9bfa35fe
MH		 849 struct urb *urb;
850 unsigned char *buf;
851 unsigned int pipe;
852 int err, size;
853
854 BT_DBG("%s", hdev->name);
855
856 if (!data->isoc_rx_ep)
857 return -ENODEV;
858
2eda66f4 859 urb = usb_alloc_urb(BTUSB_MAX_ISOC_FRAMES, mem_flags);
9bfa35fe
MH		 860 if (!urb)
861 return -ENOMEM;
862
863 size = le16_to_cpu(data->isoc_rx_ep->wMaxPacketSize) *
864 BTUSB_MAX_ISOC_FRAMES;
865
2eda66f4 866 buf = kmalloc(size, mem_flags);
9bfa35fe
MH		 867 if (!buf) {
868 usb_free_urb(urb);
869 return -ENOMEM;
870 }
871
872 pipe = usb_rcvisocpipe(data->udev, data->isoc_rx_ep->bEndpointAddress);
873
fa0fb93f 874 usb_fill_int_urb(urb, data->udev, pipe, buf, size, btusb_isoc_complete,
89e7533d 875 hdev, data->isoc_rx_ep->bInterval);
9bfa35fe 876
89e7533d 877 urb->transfer_flags = URB_FREE_BUFFER | URB_ISO_ASAP;
9bfa35fe
MH		 878
879 __fill_isoc_descriptor(urb, size,
89e7533d 880 le16_to_cpu(data->isoc_rx_ep->wMaxPacketSize));
9bfa35fe
MH		 881
882 usb_anchor_urb(urb, &data->isoc_anchor);
883
2eda66f4 884 err = usb_submit_urb(urb, mem_flags);
9bfa35fe 885 if (err < 0) {
d4b8d1c9
PB		 886 if (err != -EPERM && err != -ENODEV)
887 BT_ERR("%s urb %p submission failed (%d)",
89e7533d 888 hdev->name, urb, -err);
9bfa35fe 889 usb_unanchor_urb(urb);
9bfa35fe
MH		 890 }
891
892 usb_free_urb(urb);
893
894 return err;
895}
896
9d08f504
MH		 897static void btusb_diag_complete(struct urb *urb)
898{
899 struct hci_dev *hdev = urb->context;
900 struct btusb_data *data = hci_get_drvdata(hdev);
901 int err;
902
903 BT_DBG("%s urb %p status %d count %d", hdev->name, urb, urb->status,
904 urb->actual_length);
905
906 if (urb->status == 0) {
907 struct sk_buff *skb;
908
909 skb = bt_skb_alloc(urb->actual_length, GFP_ATOMIC);
910 if (skb) {
911 memcpy(skb_put(skb, urb->actual_length),
912 urb->transfer_buffer, urb->actual_length);
913 hci_recv_diag(hdev, skb);
914 }
915 } else if (urb->status == -ENOENT) {
916 /* Avoid suspend failed when usb_kill_urb */
917 return;
918 }
919
920 if (!test_bit(BTUSB_DIAG_RUNNING, &data->flags))
921 return;
922
923 usb_anchor_urb(urb, &data->diag_anchor);
924 usb_mark_last_busy(data->udev);
925
926 err = usb_submit_urb(urb, GFP_ATOMIC);
927 if (err < 0) {
928 /* -EPERM: urb is being killed;
929 * -ENODEV: device got disconnected */
930 if (err != -EPERM && err != -ENODEV)
931 BT_ERR("%s urb %p failed to resubmit (%d)",
932 hdev->name, urb, -err);
933 usb_unanchor_urb(urb);
934 }
935}
936
937static int btusb_submit_diag_urb(struct hci_dev *hdev, gfp_t mem_flags)
938{
939 struct btusb_data *data = hci_get_drvdata(hdev);
940 struct urb *urb;
941 unsigned char *buf;
942 unsigned int pipe;
943 int err, size = HCI_MAX_FRAME_SIZE;
944
945 BT_DBG("%s", hdev->name);
946
947 if (!data->diag_rx_ep)
948 return -ENODEV;
949
950 urb = usb_alloc_urb(0, mem_flags);
951 if (!urb)
952 return -ENOMEM;
953
954 buf = kmalloc(size, mem_flags);
955 if (!buf) {
956 usb_free_urb(urb);
957 return -ENOMEM;
958 }
959
960 pipe = usb_rcvbulkpipe(data->udev, data->diag_rx_ep->bEndpointAddress);
961
962 usb_fill_bulk_urb(urb, data->udev, pipe, buf, size,
963 btusb_diag_complete, hdev);
964
965 urb->transfer_flags |= URB_FREE_BUFFER;
966
967 usb_mark_last_busy(data->udev);
968 usb_anchor_urb(urb, &data->diag_anchor);
969
970 err = usb_submit_urb(urb, mem_flags);
971 if (err < 0) {
972 if (err != -EPERM && err != -ENODEV)
973 BT_ERR("%s urb %p submission failed (%d)",
974 hdev->name, urb, -err);
975 usb_unanchor_urb(urb);
976 }
977
978 usb_free_urb(urb);
979
980 return err;
981}
982
5e23b923 983static void btusb_tx_complete(struct urb *urb)
7bee549e
ON		 984{
985 struct sk_buff *skb = urb->context;
89e7533d 986 struct hci_dev *hdev = (struct hci_dev *)skb->dev;
155961e8 987 struct btusb_data *data = hci_get_drvdata(hdev);
7bee549e 988
89e7533d
MH		 989 BT_DBG("%s urb %p status %d count %d", hdev->name, urb, urb->status,
990 urb->actual_length);
7bee549e
ON		 991
992 if (!test_bit(HCI_RUNNING, &hdev->flags))
993 goto done;
994
995 if (!urb->status)
996 hdev->stat.byte_tx += urb->transfer_buffer_length;
997 else
998 hdev->stat.err_tx++;
999
1000done:
1001 spin_lock(&data->txlock);
1002 data->tx_in_flight--;
1003 spin_unlock(&data->txlock);
1004
1005 kfree(urb->setup_packet);
1006
1007 kfree_skb(skb);
1008}
1009
1010static void btusb_isoc_tx_complete(struct urb *urb)
5e23b923
MH		 1011{
1012 struct sk_buff *skb = urb->context;
89e7533d 1013 struct hci_dev *hdev = (struct hci_dev *)skb->dev;
5e23b923 1014
89e7533d
MH		 1015 BT_DBG("%s urb %p status %d count %d", hdev->name, urb, urb->status,
1016 urb->actual_length);
5e23b923
MH		 1017
1018 if (!test_bit(HCI_RUNNING, &hdev->flags))
1019 goto done;
1020
1021 if (!urb->status)
1022 hdev->stat.byte_tx += urb->transfer_buffer_length;
1023 else
1024 hdev->stat.err_tx++;
1025
1026done:
1027 kfree(urb->setup_packet);
1028
1029 kfree_skb(skb);
1030}
1031
1032static int btusb_open(struct hci_dev *hdev)
1033{
155961e8 1034 struct btusb_data *data = hci_get_drvdata(hdev);
5e23b923
MH		 1035 int err;
1036
1037 BT_DBG("%s", hdev->name);
1038
ace31982
KBYT		 1039 /* Patching USB firmware files prior to starting any URBs of HCI path
1040 * It is more safe to use USB bulk channel for downloading USB patch
1041 */
1042 if (data->setup_on_usb) {
1043 err = data->setup_on_usb(hdev);
eb50042f 1044 if (err < 0)
ace31982
KBYT		 1045 return err;
1046 }
1047
7bee549e
ON		 1048 err = usb_autopm_get_interface(data->intf);
1049 if (err < 0)
1050 return err;
1051
1052 data->intf->needs_remote_wakeup = 1;
1053
5e23b923 1054 if (test_and_set_bit(BTUSB_INTR_RUNNING, &data->flags))
7bee549e 1055 goto done;
5e23b923 1056
2eda66f4 1057 err = btusb_submit_intr_urb(hdev, GFP_KERNEL);
43c2e57f
MH		 1058 if (err < 0)
1059 goto failed;
1060
1061 err = btusb_submit_bulk_urb(hdev, GFP_KERNEL);
5e23b923 1062 if (err < 0) {
43c2e57f
MH		 1063 usb_kill_anchored_urbs(&data->intr_anchor);
1064 goto failed;
5e23b923
MH		 1065 }
1066
43c2e57f
MH		 1067 set_bit(BTUSB_BULK_RUNNING, &data->flags);
1068 btusb_submit_bulk_urb(hdev, GFP_KERNEL);
1069
9d08f504
MH		 1070 if (data->diag) {
1071 if (!btusb_submit_diag_urb(hdev, GFP_KERNEL))
1072 set_bit(BTUSB_DIAG_RUNNING, &data->flags);
1073 }
1074
7bee549e
ON		 1075done:
1076 usb_autopm_put_interface(data->intf);
43c2e57f
MH		 1077 return 0;
1078
1079failed:
1080 clear_bit(BTUSB_INTR_RUNNING, &data->flags);
7bee549e 1081 usb_autopm_put_interface(data->intf);
5e23b923
MH		 1082 return err;
1083}
1084
7bee549e
ON		 1085static void btusb_stop_traffic(struct btusb_data *data)
1086{
1087 usb_kill_anchored_urbs(&data->intr_anchor);
1088 usb_kill_anchored_urbs(&data->bulk_anchor);
1089 usb_kill_anchored_urbs(&data->isoc_anchor);
9d08f504 1090 usb_kill_anchored_urbs(&data->diag_anchor);
7bee549e
ON		 1091}
1092
5e23b923
MH		 1093static int btusb_close(struct hci_dev *hdev)
1094{
155961e8 1095 struct btusb_data *data = hci_get_drvdata(hdev);
7bee549e 1096 int err;
5e23b923
MH		 1097
1098 BT_DBG("%s", hdev->name);
1099
e8c3c3d2 1100 cancel_work_sync(&data->work);
404291ac 1101 cancel_work_sync(&data->waker);
e8c3c3d2 1102
9bfa35fe 1103 clear_bit(BTUSB_ISOC_RUNNING, &data->flags);
5e23b923 1104 clear_bit(BTUSB_BULK_RUNNING, &data->flags);
5e23b923 1105 clear_bit(BTUSB_INTR_RUNNING, &data->flags);
9d08f504 1106 clear_bit(BTUSB_DIAG_RUNNING, &data->flags);
7bee549e
ON		 1107
1108 btusb_stop_traffic(data);
803b5836
MH		 1109 btusb_free_frags(data);
1110
7bee549e
ON		 1111 err = usb_autopm_get_interface(data->intf);
1112 if (err < 0)
7b8e2c1d 1113 goto failed;
7bee549e
ON		 1114
1115 data->intf->needs_remote_wakeup = 0;
1116 usb_autopm_put_interface(data->intf);
5e23b923 1117
7b8e2c1d
ON		 1118failed:
1119 usb_scuttle_anchored_urbs(&data->deferred);
5e23b923
MH		 1120 return 0;
1121}
1122
1123static int btusb_flush(struct hci_dev *hdev)
1124{
155961e8 1125 struct btusb_data *data = hci_get_drvdata(hdev);
5e23b923
MH		 1126
1127 BT_DBG("%s", hdev->name);
1128
1129 usb_kill_anchored_urbs(&data->tx_anchor);
803b5836 1130 btusb_free_frags(data);
5e23b923
MH		 1131
1132 return 0;
1133}
1134
047b2ec8 1135static struct urb *alloc_ctrl_urb(struct hci_dev *hdev, struct sk_buff *skb)
5e23b923 1136{
155961e8 1137 struct btusb_data *data = hci_get_drvdata(hdev);
5e23b923
MH		 1138 struct usb_ctrlrequest *dr;
1139 struct urb *urb;
1140 unsigned int pipe;
5e23b923 1141
047b2ec8
MH		 1142 urb = usb_alloc_urb(0, GFP_KERNEL);
1143 if (!urb)
1144 return ERR_PTR(-ENOMEM);
5e23b923 1145
047b2ec8
MH		 1146 dr = kmalloc(sizeof(*dr), GFP_KERNEL);
1147 if (!dr) {
1148 usb_free_urb(urb);
1149 return ERR_PTR(-ENOMEM);
1150 }
5e23b923 1151
047b2ec8 1152 dr->bRequestType = data->cmdreq_type;
893ba544 1153 dr->bRequest = data->cmdreq;
047b2ec8
MH		 1154 dr->wIndex = 0;
1155 dr->wValue = 0;
1156 dr->wLength = __cpu_to_le16(skb->len);
7bd8f09f 1157
047b2ec8 1158 pipe = usb_sndctrlpipe(data->udev, 0x00);
5e23b923 1159
89e7533d 1160 usb_fill_control_urb(urb, data->udev, pipe, (void *)dr,
047b2ec8 1161 skb->data, skb->len, btusb_tx_complete, skb);
5e23b923 1162
89e7533d 1163 skb->dev = (void *)hdev;
5e23b923 1164
047b2ec8
MH		 1165 return urb;
1166}
5e23b923 1167
047b2ec8
MH		 1168static struct urb *alloc_bulk_urb(struct hci_dev *hdev, struct sk_buff *skb)
1169{
1170 struct btusb_data *data = hci_get_drvdata(hdev);
1171 struct urb *urb;
1172 unsigned int pipe;
5e23b923 1173
047b2ec8
MH		 1174 if (!data->bulk_tx_ep)
1175 return ERR_PTR(-ENODEV);
9bfa35fe 1176
047b2ec8
MH		 1177 urb = usb_alloc_urb(0, GFP_KERNEL);
1178 if (!urb)
1179 return ERR_PTR(-ENOMEM);
5e23b923 1180
047b2ec8 1181 pipe = usb_sndbulkpipe(data->udev, data->bulk_tx_ep->bEndpointAddress);
5e23b923 1182
047b2ec8
MH		 1183 usb_fill_bulk_urb(urb, data->udev, pipe,
1184 skb->data, skb->len, btusb_tx_complete, skb);
5e23b923 1185
89e7533d 1186 skb->dev = (void *)hdev;
5e23b923 1187
047b2ec8
MH		 1188 return urb;
1189}
9bfa35fe 1190
047b2ec8
MH		 1191static struct urb *alloc_isoc_urb(struct hci_dev *hdev, struct sk_buff *skb)
1192{
1193 struct btusb_data *data = hci_get_drvdata(hdev);
1194 struct urb *urb;
1195 unsigned int pipe;
9bfa35fe 1196
047b2ec8
MH		 1197 if (!data->isoc_tx_ep)
1198 return ERR_PTR(-ENODEV);
9bfa35fe 1199
047b2ec8
MH		 1200 urb = usb_alloc_urb(BTUSB_MAX_ISOC_FRAMES, GFP_KERNEL);
1201 if (!urb)
1202 return ERR_PTR(-ENOMEM);
9bfa35fe 1203
047b2ec8 1204 pipe = usb_sndisocpipe(data->udev, data->isoc_tx_ep->bEndpointAddress);
9bfa35fe 1205
047b2ec8
MH		 1206 usb_fill_int_urb(urb, data->udev, pipe,
1207 skb->data, skb->len, btusb_isoc_tx_complete,
1208 skb, data->isoc_tx_ep->bInterval);
9bfa35fe 1209
047b2ec8 1210 urb->transfer_flags = URB_ISO_ASAP;
5e23b923 1211
047b2ec8
MH		 1212 __fill_isoc_descriptor(urb, skb->len,
1213 le16_to_cpu(data->isoc_tx_ep->wMaxPacketSize));
5e23b923 1214
89e7533d 1215 skb->dev = (void *)hdev;
047b2ec8
MH		 1216
1217 return urb;
1218}
1219
1220static int submit_tx_urb(struct hci_dev *hdev, struct urb *urb)
1221{
1222 struct btusb_data *data = hci_get_drvdata(hdev);
1223 int err;
7bee549e 1224
5e23b923
MH		 1225 usb_anchor_urb(urb, &data->tx_anchor);
1226
e9753eff 1227 err = usb_submit_urb(urb, GFP_KERNEL);
5e23b923 1228 if (err < 0) {
5a9b80e2
PB		 1229 if (err != -EPERM && err != -ENODEV)
1230 BT_ERR("%s urb %p submission failed (%d)",
89e7533d 1231 hdev->name, urb, -err);
5e23b923
MH		 1232 kfree(urb->setup_packet);
1233 usb_unanchor_urb(urb);
7bee549e
ON		 1234 } else {
1235 usb_mark_last_busy(data->udev);
5e23b923
MH		 1236 }
1237
54a8a79c 1238 usb_free_urb(urb);
5e23b923
MH		 1239 return err;
1240}
1241
047b2ec8
MH		 1242static int submit_or_queue_tx_urb(struct hci_dev *hdev, struct urb *urb)
1243{
1244 struct btusb_data *data = hci_get_drvdata(hdev);
1245 unsigned long flags;
1246 bool suspending;
1247
1248 spin_lock_irqsave(&data->txlock, flags);
1249 suspending = test_bit(BTUSB_SUSPENDING, &data->flags);
1250 if (!suspending)
1251 data->tx_in_flight++;
1252 spin_unlock_irqrestore(&data->txlock, flags);
1253
1254 if (!suspending)
1255 return submit_tx_urb(hdev, urb);
1256
1257 usb_anchor_urb(urb, &data->deferred);
1258 schedule_work(&data->waker);
1259
1260 usb_free_urb(urb);
1261 return 0;
1262}
1263
1264static int btusb_send_frame(struct hci_dev *hdev, struct sk_buff *skb)
1265{
1266 struct urb *urb;
1267
1268 BT_DBG("%s", hdev->name);
1269
618e8bc2 1270 switch (hci_skb_pkt_type(skb)) {
047b2ec8
MH		 1271 case HCI_COMMAND_PKT:
1272 urb = alloc_ctrl_urb(hdev, skb);
1273 if (IS_ERR(urb))
1274 return PTR_ERR(urb);
1275
1276 hdev->stat.cmd_tx++;
1277 return submit_or_queue_tx_urb(hdev, urb);
1278
1279 case HCI_ACLDATA_PKT:
1280 urb = alloc_bulk_urb(hdev, skb);
1281 if (IS_ERR(urb))
1282 return PTR_ERR(urb);
1283
1284 hdev->stat.acl_tx++;
1285 return submit_or_queue_tx_urb(hdev, urb);
1286
1287 case HCI_SCODATA_PKT:
1288 if (hci_conn_num(hdev, SCO_LINK) < 1)
1289 return -ENODEV;
1290
1291 urb = alloc_isoc_urb(hdev, skb);
1292 if (IS_ERR(urb))
1293 return PTR_ERR(urb);
1294
1295 hdev->stat.sco_tx++;
1296 return submit_tx_urb(hdev, urb);
1297 }
1298
1299 return -EILSEQ;
1300}
1301
5e23b923
MH		 1302static void btusb_notify(struct hci_dev *hdev, unsigned int evt)
1303{
155961e8 1304 struct btusb_data *data = hci_get_drvdata(hdev);
5e23b923
MH		 1305
1306 BT_DBG("%s evt %d", hdev->name, evt);
1307
014f7bc7
MH		 1308 if (hci_conn_num(hdev, SCO_LINK) != data->sco_num) {
1309 data->sco_num = hci_conn_num(hdev, SCO_LINK);
43c2e57f 1310 schedule_work(&data->work);
a780efa8 1311 }
5e23b923
MH		 1312}
1313
42b16b3f 1314static inline int __set_isoc_interface(struct hci_dev *hdev, int altsetting)
9bfa35fe 1315{
155961e8 1316 struct btusb_data *data = hci_get_drvdata(hdev);
9bfa35fe
MH		 1317 struct usb_interface *intf = data->isoc;
1318 struct usb_endpoint_descriptor *ep_desc;
1319 int i, err;
1320
1321 if (!data->isoc)
1322 return -ENODEV;
1323
1324 err = usb_set_interface(data->udev, 1, altsetting);
1325 if (err < 0) {
1326 BT_ERR("%s setting interface failed (%d)", hdev->name, -err);
1327 return err;
1328 }
1329
1330 data->isoc_altsetting = altsetting;
1331
1332 data->isoc_tx_ep = NULL;
1333 data->isoc_rx_ep = NULL;
1334
1335 for (i = 0; i < intf->cur_altsetting->desc.bNumEndpoints; i++) {
1336 ep_desc = &intf->cur_altsetting->endpoint[i].desc;
1337
1338 if (!data->isoc_tx_ep && usb_endpoint_is_isoc_out(ep_desc)) {
1339 data->isoc_tx_ep = ep_desc;
1340 continue;
1341 }
1342
1343 if (!data->isoc_rx_ep && usb_endpoint_is_isoc_in(ep_desc)) {
1344 data->isoc_rx_ep = ep_desc;
1345 continue;
1346 }
1347 }
1348
1349 if (!data->isoc_tx_ep || !data->isoc_rx_ep) {
1350 BT_ERR("%s invalid SCO descriptors", hdev->name);
1351 return -ENODEV;
1352 }
1353
1354 return 0;
1355}
1356
5e23b923
MH		 1357static void btusb_work(struct work_struct *work)
1358{
1359 struct btusb_data *data = container_of(work, struct btusb_data, work);
1360 struct hci_dev *hdev = data->hdev;
f4001d28 1361 int new_alts;
7bee549e 1362 int err;
5e23b923 1363
014f7bc7 1364 if (data->sco_num > 0) {
08b8b6c4 1365 if (!test_bit(BTUSB_DID_ISO_RESUME, &data->flags)) {
8efdd0cd 1366 err = usb_autopm_get_interface(data->isoc ? data->isoc : data->intf);
7bee549e
ON		 1367 if (err < 0) {
1368 clear_bit(BTUSB_ISOC_RUNNING, &data->flags);
1369 usb_kill_anchored_urbs(&data->isoc_anchor);
1370 return;
1371 }
1372
08b8b6c4 1373 set_bit(BTUSB_DID_ISO_RESUME, &data->flags);
7bee549e 1374 }
f4001d28
MA		 1375
1376 if (hdev->voice_setting & 0x0020) {
1377 static const int alts[3] = { 2, 4, 5 };
89e7533d 1378
014f7bc7 1379 new_alts = alts[data->sco_num - 1];
f4001d28 1380 } else {
014f7bc7 1381 new_alts = data->sco_num;
f4001d28
MA		 1382 }
1383
1384 if (data->isoc_altsetting != new_alts) {
f6fc86f2
KP		 1385 unsigned long flags;
1386
9bfa35fe
MH		 1387 clear_bit(BTUSB_ISOC_RUNNING, &data->flags);
1388 usb_kill_anchored_urbs(&data->isoc_anchor);
1389
8f9d02f4
KP		 1390 /* When isochronous alternate setting needs to be
1391 * changed, because SCO connection has been added
1392 * or removed, a packet fragment may be left in the
1393 * reassembling state. This could lead to wrongly
1394 * assembled fragments.
1395 *
1396 * Clear outstanding fragment when selecting a new
1397 * alternate setting.
1398 */
f6fc86f2 1399 spin_lock_irqsave(&data->rxlock, flags);
8f9d02f4
KP		 1400 kfree_skb(data->sco_skb);
1401 data->sco_skb = NULL;
f6fc86f2 1402 spin_unlock_irqrestore(&data->rxlock, flags);
8f9d02f4 1403
f4001d28 1404 if (__set_isoc_interface(hdev, new_alts) < 0)
9bfa35fe
MH		 1405 return;
1406 }
1407
1408 if (!test_and_set_bit(BTUSB_ISOC_RUNNING, &data->flags)) {
2eda66f4 1409 if (btusb_submit_isoc_urb(hdev, GFP_KERNEL) < 0)
9bfa35fe
MH		 1410 clear_bit(BTUSB_ISOC_RUNNING, &data->flags);
1411 else
2eda66f4 1412 btusb_submit_isoc_urb(hdev, GFP_KERNEL);
9bfa35fe
MH		 1413 }
1414 } else {
1415 clear_bit(BTUSB_ISOC_RUNNING, &data->flags);
1416 usb_kill_anchored_urbs(&data->isoc_anchor);
1417
1418 __set_isoc_interface(hdev, 0);
08b8b6c4 1419 if (test_and_clear_bit(BTUSB_DID_ISO_RESUME, &data->flags))
8efdd0cd 1420 usb_autopm_put_interface(data->isoc ? data->isoc : data->intf);
5e23b923
MH		 1421 }
1422}
1423
7bee549e
ON		 1424static void btusb_waker(struct work_struct *work)
1425{
1426 struct btusb_data *data = container_of(work, struct btusb_data, waker);
1427 int err;
1428
1429 err = usb_autopm_get_interface(data->intf);
1430 if (err < 0)
1431 return;
1432
1433 usb_autopm_put_interface(data->intf);
1434}
1435
9f8f962c
MH		 1436static int btusb_setup_bcm92035(struct hci_dev *hdev)
1437{
1438 struct sk_buff *skb;
1439 u8 val = 0x00;
1440
1441 BT_DBG("%s", hdev->name);
1442
1443 skb = __hci_cmd_sync(hdev, 0xfc3b, 1, &val, HCI_INIT_TIMEOUT);
1444 if (IS_ERR(skb))
1445 BT_ERR("BCM92035 command failed (%ld)", -PTR_ERR(skb));
1446 else
1447 kfree_skb(skb);
1448
1449 return 0;
1450}
1451
81cac64b
MH		 1452static int btusb_setup_csr(struct hci_dev *hdev)
1453{
1454 struct hci_rp_read_local_version *rp;
1455 struct sk_buff *skb;
81cac64b
MH		 1456
1457 BT_DBG("%s", hdev->name);
1458
7cd84d72
MH		 1459 skb = __hci_cmd_sync(hdev, HCI_OP_READ_LOCAL_VERSION, 0, NULL,
1460 HCI_INIT_TIMEOUT);
1461 if (IS_ERR(skb)) {
1462 int err = PTR_ERR(skb);
1463 BT_ERR("%s: CSR: Local version failed (%d)", hdev->name, err);
1464 return err;
1465 }
1466
1467 if (skb->len != sizeof(struct hci_rp_read_local_version)) {
1468 BT_ERR("%s: CSR: Local version length mismatch", hdev->name);
1469 kfree_skb(skb);
1470 return -EIO;
1471 }
81cac64b 1472
89e7533d 1473 rp = (struct hci_rp_read_local_version *)skb->data;
81cac64b 1474
6cafcd95
JH		 1475 /* Detect controllers which aren't real CSR ones. */
1476 if (le16_to_cpu(rp->manufacturer) != 10 ||
1477 le16_to_cpu(rp->lmp_subver) == 0x0c5c) {
9641d343
MH		 1478 /* Clear the reset quirk since this is not an actual
1479 * early Bluetooth 1.1 device from CSR.
1480 */
1481 clear_bit(HCI_QUIRK_RESET_ON_CLOSE, &hdev->quirks);
81cac64b 1482
9641d343
MH		 1483 /* These fake CSR controllers have all a broken
1484 * stored link key handling and so just disable it.
1485 */
1486 set_bit(HCI_QUIRK_BROKEN_STORED_LINK_KEY, &hdev->quirks);
1487 }
81cac64b
MH		 1488
1489 kfree_skb(skb);
1490
9641d343 1491 return 0;
81cac64b
MH		 1492}
1493
dffd30ee 1494static const struct firmware *btusb_setup_intel_get_fw(struct hci_dev *hdev,
89e7533d 1495 struct intel_version *ver)
dffd30ee
THJA		 1496{
1497 const struct firmware *fw;
1498 char fwname[64];
1499 int ret;
1500
1501 snprintf(fwname, sizeof(fwname),
1502 "intel/ibt-hw-%x.%x.%x-fw-%x.%x.%x.%x.%x.bseq",
1503 ver->hw_platform, ver->hw_variant, ver->hw_revision,
1504 ver->fw_variant, ver->fw_revision, ver->fw_build_num,
1505 ver->fw_build_ww, ver->fw_build_yy);
1506
1507 ret = request_firmware(&fw, fwname, &hdev->dev);
1508 if (ret < 0) {
1509 if (ret == -EINVAL) {
1510 BT_ERR("%s Intel firmware file request failed (%d)",
1511 hdev->name, ret);
1512 return NULL;
1513 }
1514
1515 BT_ERR("%s failed to open Intel firmware file: %s(%d)",
1516 hdev->name, fwname, ret);
1517
1518 /* If the correct firmware patch file is not found, use the
1519 * default firmware patch file instead
1520 */
1521 snprintf(fwname, sizeof(fwname), "intel/ibt-hw-%x.%x.bseq",
1522 ver->hw_platform, ver->hw_variant);
1523 if (request_firmware(&fw, fwname, &hdev->dev) < 0) {
1524 BT_ERR("%s failed to open default Intel fw file: %s",
1525 hdev->name, fwname);
1526 return NULL;
1527 }
1528 }
1529
1530 BT_INFO("%s: Intel Bluetooth firmware file: %s", hdev->name, fwname);
1531
1532 return fw;
1533}
1534
1535static int btusb_setup_intel_patching(struct hci_dev *hdev,
1536 const struct firmware *fw,
1537 const u8 **fw_ptr, int *disable_patch)
1538{
1539 struct sk_buff *skb;
1540 struct hci_command_hdr *cmd;
1541 const u8 *cmd_param;
1542 struct hci_event_hdr *evt = NULL;
1543 const u8 *evt_param = NULL;
1544 int remain = fw->size - (*fw_ptr - fw->data);
1545
1546 /* The first byte indicates the types of the patch command or event.
1547 * 0x01 means HCI command and 0x02 is HCI event. If the first bytes
1548 * in the current firmware buffer doesn't start with 0x01 or
1549 * the size of remain buffer is smaller than HCI command header,
1550 * the firmware file is corrupted and it should stop the patching
1551 * process.
1552 */
1553 if (remain > HCI_COMMAND_HDR_SIZE && *fw_ptr[0] != 0x01) {
1554 BT_ERR("%s Intel fw corrupted: invalid cmd read", hdev->name);
1555 return -EINVAL;
1556 }
1557 (*fw_ptr)++;
1558 remain--;
1559
1560 cmd = (struct hci_command_hdr *)(*fw_ptr);
1561 *fw_ptr += sizeof(*cmd);
1562 remain -= sizeof(*cmd);
1563
1564 /* Ensure that the remain firmware data is long enough than the length
1565 * of command parameter. If not, the firmware file is corrupted.
1566 */
1567 if (remain < cmd->plen) {
1568 BT_ERR("%s Intel fw corrupted: invalid cmd len", hdev->name);
1569 return -EFAULT;
1570 }
1571
1572 /* If there is a command that loads a patch in the firmware
1573 * file, then enable the patch upon success, otherwise just
1574 * disable the manufacturer mode, for example patch activation
1575 * is not required when the default firmware patch file is used
1576 * because there are no patch data to load.
1577 */
1578 if (*disable_patch && le16_to_cpu(cmd->opcode) == 0xfc8e)
1579 *disable_patch = 0;
1580
1581 cmd_param = *fw_ptr;
1582 *fw_ptr += cmd->plen;
1583 remain -= cmd->plen;
1584
1585 /* This reads the expected events when the above command is sent to the
1586 * device. Some vendor commands expects more than one events, for
1587 * example command status event followed by vendor specific event.
1588 * For this case, it only keeps the last expected event. so the command
1589 * can be sent with __hci_cmd_sync_ev() which returns the sk_buff of
1590 * last expected event.
1591 */
1592 while (remain > HCI_EVENT_HDR_SIZE && *fw_ptr[0] == 0x02) {
1593 (*fw_ptr)++;
1594 remain--;
1595
1596 evt = (struct hci_event_hdr *)(*fw_ptr);
1597 *fw_ptr += sizeof(*evt);
1598 remain -= sizeof(*evt);
1599
1600 if (remain < evt->plen) {
1601 BT_ERR("%s Intel fw corrupted: invalid evt len",
1602 hdev->name);
1603 return -EFAULT;
1604 }
1605
1606 evt_param = *fw_ptr;
1607 *fw_ptr += evt->plen;
1608 remain -= evt->plen;
1609 }
1610
1611 /* Every HCI commands in the firmware file has its correspond event.
1612 * If event is not found or remain is smaller than zero, the firmware
1613 * file is corrupted.
1614 */
1615 if (!evt || !evt_param || remain < 0) {
1616 BT_ERR("%s Intel fw corrupted: invalid evt read", hdev->name);
1617 return -EFAULT;
1618 }
1619
1620 skb = __hci_cmd_sync_ev(hdev, le16_to_cpu(cmd->opcode), cmd->plen,
1621 cmd_param, evt->evt, HCI_INIT_TIMEOUT);
1622 if (IS_ERR(skb)) {
1623 BT_ERR("%s sending Intel patch command (0x%4.4x) failed (%ld)",
1624 hdev->name, cmd->opcode, PTR_ERR(skb));
d9c78e97 1625 return PTR_ERR(skb);
dffd30ee
THJA		 1626 }
1627
1628 /* It ensures that the returned event matches the event data read from
1629 * the firmware file. At fist, it checks the length and then
1630 * the contents of the event.
1631 */
1632 if (skb->len != evt->plen) {
1633 BT_ERR("%s mismatch event length (opcode 0x%4.4x)", hdev->name,
1634 le16_to_cpu(cmd->opcode));
1635 kfree_skb(skb);
1636 return -EFAULT;
1637 }
1638
1639 if (memcmp(skb->data, evt_param, evt->plen)) {
1640 BT_ERR("%s mismatch event parameter (opcode 0x%4.4x)",
1641 hdev->name, le16_to_cpu(cmd->opcode));
1642 kfree_skb(skb);
1643 return -EFAULT;
1644 }
1645 kfree_skb(skb);
1646
1647 return 0;
1648}
1649
1650static int btusb_setup_intel(struct hci_dev *hdev)
1651{
1652 struct sk_buff *skb;
1653 const struct firmware *fw;
1654 const u8 *fw_ptr;
28dc4b92 1655 int disable_patch, err;
6c483de1 1656 struct intel_version ver;
dffd30ee 1657
dffd30ee
THJA		 1658 BT_DBG("%s", hdev->name);
1659
1660 /* The controller has a bug with the first HCI command sent to it
1661 * returning number of completed commands as zero. This would stall the
1662 * command processing in the Bluetooth core.
1663 *
1664 * As a workaround, send HCI Reset command first which will reset the
1665 * number of completed commands and allow normal command processing
1666 * from now on.
1667 */
1668 skb = __hci_cmd_sync(hdev, HCI_OP_RESET, 0, NULL, HCI_INIT_TIMEOUT);
1669 if (IS_ERR(skb)) {
1670 BT_ERR("%s sending initial HCI reset command failed (%ld)",
1671 hdev->name, PTR_ERR(skb));
d9c78e97 1672 return PTR_ERR(skb);
dffd30ee
THJA		 1673 }
1674 kfree_skb(skb);
1675
1676 /* Read Intel specific controller version first to allow selection of
1677 * which firmware file to load.
1678 *
1679 * The returned information are hardware variant and revision plus
1680 * firmware variant, revision and build number.
1681 */
6c483de1
LP		 1682 err = btintel_read_version(hdev, &ver);
1683 if (err)
1684 return err;
dffd30ee
THJA		 1685
1686 BT_INFO("%s: read Intel version: %02x%02x%02x%02x%02x%02x%02x%02x%02x",
6c483de1
LP		 1687 hdev->name, ver.hw_platform, ver.hw_variant, ver.hw_revision,
1688 ver.fw_variant, ver.fw_revision, ver.fw_build_num,
1689 ver.fw_build_ww, ver.fw_build_yy, ver.fw_patch_num);
dffd30ee
THJA		 1690
1691 /* fw_patch_num indicates the version of patch the device currently
1692 * have. If there is no patch data in the device, it is always 0x00.
5075edae 1693 * So, if it is other than 0x00, no need to patch the device again.
dffd30ee 1694 */
6c483de1 1695 if (ver.fw_patch_num) {
dffd30ee 1696 BT_INFO("%s: Intel device is already patched. patch num: %02x",
6c483de1 1697 hdev->name, ver.fw_patch_num);
213445b2 1698 goto complete;
dffd30ee
THJA		 1699 }
1700
1701 /* Opens the firmware patch file based on the firmware version read
1702 * from the controller. If it fails to open the matching firmware
1703 * patch file, it tries to open the default firmware patch file.
1704 * If no patch file is found, allow the device to operate without
1705 * a patch.
1706 */
6c483de1
LP		 1707 fw = btusb_setup_intel_get_fw(hdev, &ver);
1708 if (!fw)
213445b2 1709 goto complete;
dffd30ee
THJA		 1710 fw_ptr = fw->data;
1711
28dc4b92 1712 /* Enable the manufacturer mode of the controller.
dffd30ee
THJA		 1713 * Only while this mode is enabled, the driver can download the
1714 * firmware patch data and configuration parameters.
1715 */
28dc4b92
LP		 1716 err = btintel_enter_mfg(hdev);
1717 if (err) {
dffd30ee 1718 release_firmware(fw);
28dc4b92 1719 return err;
dffd30ee
THJA		 1720 }
1721
dffd30ee
THJA		 1722 disable_patch = 1;
1723
1724 /* The firmware data file consists of list of Intel specific HCI
1725 * commands and its expected events. The first byte indicates the
1726 * type of the message, either HCI command or HCI event.
1727 *
1728 * It reads the command and its expected event from the firmware file,
1729 * and send to the controller. Once __hci_cmd_sync_ev() returns,
1730 * the returned event is compared with the event read from the firmware
1731 * file and it will continue until all the messages are downloaded to
1732 * the controller.
1733 *
1734 * Once the firmware patching is completed successfully,
1735 * the manufacturer mode is disabled with reset and activating the
1736 * downloaded patch.
1737 *
1738 * If the firmware patching fails, the manufacturer mode is
1739 * disabled with reset and deactivating the patch.
1740 *
1741 * If the default patch file is used, no reset is done when disabling
1742 * the manufacturer.
1743 */
1744 while (fw->size > fw_ptr - fw->data) {
1745 int ret;
1746
1747 ret = btusb_setup_intel_patching(hdev, fw, &fw_ptr,
1748 &disable_patch);
1749 if (ret < 0)
1750 goto exit_mfg_deactivate;
1751 }
1752
1753 release_firmware(fw);
1754
1755 if (disable_patch)
1756 goto exit_mfg_disable;
1757
1758 /* Patching completed successfully and disable the manufacturer mode
1759 * with reset and activate the downloaded firmware patches.
1760 */
28dc4b92
LP		 1761 err = btintel_exit_mfg(hdev, true, true);
1762 if (err)
1763 return err;
dffd30ee
THJA		 1764
1765 BT_INFO("%s: Intel Bluetooth firmware patch completed and activated",
1766 hdev->name);
1767
213445b2 1768 goto complete;
dffd30ee
THJA		 1769
1770exit_mfg_disable:
1771 /* Disable the manufacturer mode without reset */
28dc4b92
LP		 1772 err = btintel_exit_mfg(hdev, false, false);
1773 if (err)
1774 return err;
dffd30ee
THJA		 1775
1776 BT_INFO("%s: Intel Bluetooth firmware patch completed", hdev->name);
40cb0984 1777
213445b2 1778 goto complete;
dffd30ee
THJA		 1779
1780exit_mfg_deactivate:
1781 release_firmware(fw);
1782
1783 /* Patching failed. Disable the manufacturer mode with reset and
1784 * deactivate the downloaded firmware patches.
1785 */
28dc4b92
LP		 1786 err = btintel_exit_mfg(hdev, true, false);
1787 if (err)
1788 return err;
dffd30ee
THJA		 1789
1790 BT_INFO("%s: Intel Bluetooth firmware patch completed and deactivated",
1791 hdev->name);
1792
213445b2
MH		 1793complete:
1794 /* Set the event mask for Intel specific vendor events. This enables
1795 * a few extra events that are useful during general operation.
1796 */
1797 btintel_set_event_mask_mfg(hdev, false);
1798
4185a0f5 1799 btintel_check_bdaddr(hdev);
dffd30ee
THJA		 1800 return 0;
1801}
1802
cda0dd78
MH		 1803static int inject_cmd_complete(struct hci_dev *hdev, __u16 opcode)
1804{
1805 struct sk_buff *skb;
1806 struct hci_event_hdr *hdr;
1807 struct hci_ev_cmd_complete *evt;
1808
1809 skb = bt_skb_alloc(sizeof(*hdr) + sizeof(*evt) + 1, GFP_ATOMIC);
1810 if (!skb)
1811 return -ENOMEM;
1812
1813 hdr = (struct hci_event_hdr *)skb_put(skb, sizeof(*hdr));
1814 hdr->evt = HCI_EV_CMD_COMPLETE;
1815 hdr->plen = sizeof(*evt) + 1;
1816
1817 evt = (struct hci_ev_cmd_complete *)skb_put(skb, sizeof(*evt));
1818 evt->ncmd = 0x01;
1819 evt->opcode = cpu_to_le16(opcode);
1820
1821 *skb_put(skb, 1) = 0x00;
1822
618e8bc2 1823 hci_skb_pkt_type(skb) = HCI_EVENT_PKT;
cda0dd78
MH		 1824
1825 return hci_recv_frame(hdev, skb);
1826}
1827
1828static int btusb_recv_bulk_intel(struct btusb_data *data, void *buffer,
1829 int count)
1830{
1831 /* When the device is in bootloader mode, then it can send
1832 * events via the bulk endpoint. These events are treated the
1833 * same way as the ones received from the interrupt endpoint.
1834 */
1835 if (test_bit(BTUSB_BOOTLOADER, &data->flags))
1836 return btusb_recv_intr(data, buffer, count);
1837
1838 return btusb_recv_bulk(data, buffer, count);
1839}
1840
ccd6da2a
MH		 1841static void btusb_intel_bootup(struct btusb_data *data, const void *ptr,
1842 unsigned int len)
1843{
1844 const struct intel_bootup *evt = ptr;
1845
1846 if (len != sizeof(*evt))
1847 return;
1848
1849 if (test_and_clear_bit(BTUSB_BOOTING, &data->flags)) {
1850 smp_mb__after_atomic();
1851 wake_up_bit(&data->flags, BTUSB_BOOTING);
1852 }
1853}
1854
1855static void btusb_intel_secure_send_result(struct btusb_data *data,
1856 const void *ptr, unsigned int len)
1857{
1858 const struct intel_secure_send_result *evt = ptr;
1859
1860 if (len != sizeof(*evt))
1861 return;
1862
1863 if (evt->result)
1864 set_bit(BTUSB_FIRMWARE_FAILED, &data->flags);
1865
1866 if (test_and_clear_bit(BTUSB_DOWNLOADING, &data->flags) &&
1867 test_bit(BTUSB_FIRMWARE_LOADED, &data->flags)) {
1868 smp_mb__after_atomic();
1869 wake_up_bit(&data->flags, BTUSB_DOWNLOADING);
1870 }
1871}
1872
cda0dd78
MH		 1873static int btusb_recv_event_intel(struct hci_dev *hdev, struct sk_buff *skb)
1874{
1875 struct btusb_data *data = hci_get_drvdata(hdev);
1876
1877 if (test_bit(BTUSB_BOOTLOADER, &data->flags)) {
1878 struct hci_event_hdr *hdr = (void *)skb->data;
1879
ccd6da2a
MH		 1880 if (skb->len > HCI_EVENT_HDR_SIZE && hdr->evt == 0xff &&
1881 hdr->plen > 0) {
1882 const void *ptr = skb->data + HCI_EVENT_HDR_SIZE + 1;
1883 unsigned int len = skb->len - HCI_EVENT_HDR_SIZE - 1;
1884
1885 switch (skb->data[2]) {
1886 case 0x02:
1887 /* When switching to the operational firmware
1888 * the device sends a vendor specific event
1889 * indicating that the bootup completed.
1890 */
1891 btusb_intel_bootup(data, ptr, len);
1892 break;
1893 case 0x06:
1894 /* When the firmware loading completes the
1895 * device sends out a vendor specific event
1896 * indicating the result of the firmware
1897 * loading.
1898 */
1899 btusb_intel_secure_send_result(data, ptr, len);
1900 break;
fad70972 1901 }
cda0dd78
MH		 1902 }
1903 }
1904
1905 return hci_recv_frame(hdev, skb);
1906}
1907
1908static int btusb_send_frame_intel(struct hci_dev *hdev, struct sk_buff *skb)
1909{
1910 struct btusb_data *data = hci_get_drvdata(hdev);
1911 struct urb *urb;
1912
1913 BT_DBG("%s", hdev->name);
1914
618e8bc2 1915 switch (hci_skb_pkt_type(skb)) {
cda0dd78
MH		 1916 case HCI_COMMAND_PKT:
1917 if (test_bit(BTUSB_BOOTLOADER, &data->flags)) {
1918 struct hci_command_hdr *cmd = (void *)skb->data;
1919 __u16 opcode = le16_to_cpu(cmd->opcode);
1920
1921 /* When in bootloader mode and the command 0xfc09
1922 * is received, it needs to be send down the
1923 * bulk endpoint. So allocate a bulk URB instead.
1924 */
1925 if (opcode == 0xfc09)
1926 urb = alloc_bulk_urb(hdev, skb);
1927 else
1928 urb = alloc_ctrl_urb(hdev, skb);
1929
1930 /* When the 0xfc01 command is issued to boot into
1931 * the operational firmware, it will actually not
1932 * send a command complete event. To keep the flow
1933 * control working inject that event here.
1934 */
1935 if (opcode == 0xfc01)
1936 inject_cmd_complete(hdev, opcode);
1937 } else {
1938 urb = alloc_ctrl_urb(hdev, skb);
1939 }
1940 if (IS_ERR(urb))
1941 return PTR_ERR(urb);
1942
1943 hdev->stat.cmd_tx++;
1944 return submit_or_queue_tx_urb(hdev, urb);
1945
1946 case HCI_ACLDATA_PKT:
1947 urb = alloc_bulk_urb(hdev, skb);
1948 if (IS_ERR(urb))
1949 return PTR_ERR(urb);
1950
1951 hdev->stat.acl_tx++;
1952 return submit_or_queue_tx_urb(hdev, urb);
1953
1954 case HCI_SCODATA_PKT:
1955 if (hci_conn_num(hdev, SCO_LINK) < 1)
1956 return -ENODEV;
1957
1958 urb = alloc_isoc_urb(hdev, skb);
1959 if (IS_ERR(urb))
1960 return PTR_ERR(urb);
1961
1962 hdev->stat.sco_tx++;
1963 return submit_tx_urb(hdev, urb);
1964 }
1965
1966 return -EILSEQ;
1967}
1968
cda0dd78
MH		 1969static int btusb_setup_intel_new(struct hci_dev *hdev)
1970{
1971 static const u8 reset_param[] = { 0x00, 0x01, 0x00, 0x01,
1972 0x00, 0x08, 0x04, 0x00 };
1973 struct btusb_data *data = hci_get_drvdata(hdev);
1974 struct sk_buff *skb;
6c483de1 1975 struct intel_version ver;
cda0dd78
MH		 1976 struct intel_boot_params *params;
1977 const struct firmware *fw;
1978 const u8 *fw_ptr;
e66890a9 1979 u32 frag_len;
cda0dd78
MH		 1980 char fwname[64];
1981 ktime_t calltime, delta, rettime;
1982 unsigned long long duration;
1983 int err;
1984
1985 BT_DBG("%s", hdev->name);
1986
1987 calltime = ktime_get();
1988
1989 /* Read the Intel version information to determine if the device
1990 * is in bootloader mode or if it already has operational firmware
1991 * loaded.
1992 */
6c483de1
LP		 1993 err = btintel_read_version(hdev, &ver);
1994 if (err)
1995 return err;
cda0dd78
MH		 1996
1997 /* The hardware platform number has a fixed value of 0x37 and
1998 * for now only accept this single value.
1999 */
6c483de1 2000 if (ver.hw_platform != 0x37) {
cda0dd78 2001 BT_ERR("%s: Unsupported Intel hardware platform (%u)",
6c483de1 2002 hdev->name, ver.hw_platform);
cda0dd78
MH		 2003 return -EINVAL;
2004 }
2005
a0af53b5
THJA		 2006 /* At the moment the iBT 3.0 hardware variants 0x0b (LnP/SfP)
2007 * and 0x0c (WsP) are supported by this firmware loading method.
2008 *
2009 * This check has been put in place to ensure correct forward
2010 * compatibility options when newer hardware variants come along.
cda0dd78 2011 */
a0af53b5 2012 if (ver.hw_variant != 0x0b && ver.hw_variant != 0x0c) {
cda0dd78 2013 BT_ERR("%s: Unsupported Intel hardware variant (%u)",
6c483de1 2014 hdev->name, ver.hw_variant);
cda0dd78
MH		 2015 return -EINVAL;
2016 }
2017
6c483de1 2018 btintel_version_info(hdev, &ver);
cda0dd78
MH		 2019
2020 /* The firmware variant determines if the device is in bootloader
2021 * mode or is running operational firmware. The value 0x06 identifies
2022 * the bootloader and the value 0x23 identifies the operational
2023 * firmware.
2024 *
2025 * When the operational firmware is already present, then only
2026 * the check for valid Bluetooth device address is needed. This
2027 * determines if the device will be added as configured or
2028 * unconfigured controller.
2029 *
2030 * It is not possible to use the Secure Boot Parameters in this
2031 * case since that command is only available in bootloader mode.
2032 */
6c483de1 2033 if (ver.fw_variant == 0x23) {
cda0dd78 2034 clear_bit(BTUSB_BOOTLOADER, &data->flags);
4185a0f5 2035 btintel_check_bdaddr(hdev);
cda0dd78
MH		 2036 return 0;
2037 }
2038
2039 /* If the device is not in bootloader mode, then the only possible
2040 * choice is to return an error and abort the device initialization.
2041 */
6c483de1 2042 if (ver.fw_variant != 0x06) {
cda0dd78 2043 BT_ERR("%s: Unsupported Intel firmware variant (%u)",
6c483de1 2044 hdev->name, ver.fw_variant);
cda0dd78
MH		 2045 return -ENODEV;
2046 }
2047
cda0dd78
MH		 2048 /* Read the secure boot parameters to identify the operating
2049 * details of the bootloader.
2050 */
2051 skb = __hci_cmd_sync(hdev, 0xfc0d, 0, NULL, HCI_INIT_TIMEOUT);
2052 if (IS_ERR(skb)) {
2053 BT_ERR("%s: Reading Intel boot parameters failed (%ld)",
2054 hdev->name, PTR_ERR(skb));
2055 return PTR_ERR(skb);
2056 }
2057
2058 if (skb->len != sizeof(*params)) {
2059 BT_ERR("%s: Intel boot parameters size mismatch", hdev->name);
2060 kfree_skb(skb);
2061 return -EILSEQ;
2062 }
2063
2064 params = (struct intel_boot_params *)skb->data;
cda0dd78
MH		 2065
2066 BT_INFO("%s: Device revision is %u", hdev->name,
2067 le16_to_cpu(params->dev_revid));
2068
2069 BT_INFO("%s: Secure boot is %s", hdev->name,
2070 params->secure_boot ? "enabled" : "disabled");
2071
2220994e
MH		 2072 BT_INFO("%s: OTP lock is %s", hdev->name,
2073 params->otp_lock ? "enabled" : "disabled");
2074
2075 BT_INFO("%s: API lock is %s", hdev->name,
2076 params->api_lock ? "enabled" : "disabled");
2077
2078 BT_INFO("%s: Debug lock is %s", hdev->name,
2079 params->debug_lock ? "enabled" : "disabled");
2080
cda0dd78
MH		 2081 BT_INFO("%s: Minimum firmware build %u week %u %u", hdev->name,
2082 params->min_fw_build_nn, params->min_fw_build_cw,
2083 2000 + params->min_fw_build_yy);
2084
2085 /* It is required that every single firmware fragment is acknowledged
2086 * with a command complete event. If the boot parameters indicate
2087 * that this bootloader does not send them, then abort the setup.
2088 */
2089 if (params->limited_cce != 0x00) {
2090 BT_ERR("%s: Unsupported Intel firmware loading method (%u)",
2091 hdev->name, params->limited_cce);
2092 kfree_skb(skb);
2093 return -EINVAL;
2094 }
2095
2096 /* If the OTP has no valid Bluetooth device address, then there will
2097 * also be no valid address for the operational firmware.
2098 */
2099 if (!bacmp(&params->otp_bdaddr, BDADDR_ANY)) {
2100 BT_INFO("%s: No device address configured", hdev->name);
2101 set_bit(HCI_QUIRK_INVALID_BDADDR, &hdev->quirks);
2102 }
2103
2104 /* With this Intel bootloader only the hardware variant and device
2105 * revision information are used to select the right firmware.
2106 *
2107 * Currently this bootloader support is limited to hardware variant
2108 * iBT 3.0 (LnP/SfP) which is identified by the value 11 (0x0b).
2109 */
2110 snprintf(fwname, sizeof(fwname), "intel/ibt-11-%u.sfi",
2111 le16_to_cpu(params->dev_revid));
2112
2113 err = request_firmware(&fw, fwname, &hdev->dev);
2114 if (err < 0) {
2115 BT_ERR("%s: Failed to load Intel firmware file (%d)",
2116 hdev->name, err);
2117 kfree_skb(skb);
2118 return err;
2119 }
2120
2121 BT_INFO("%s: Found device firmware: %s", hdev->name, fwname);
2122
52cc9168
THJA		 2123 /* Save the DDC file name for later use to apply once the firmware
2124 * downloading is done.
2125 */
2126 snprintf(fwname, sizeof(fwname), "intel/ibt-11-%u.ddc",
2127 le16_to_cpu(params->dev_revid));
2128
cda0dd78
MH		 2129 kfree_skb(skb);
2130
2131 if (fw->size < 644) {
2132 BT_ERR("%s: Invalid size of firmware file (%zu)",
2133 hdev->name, fw->size);
2134 err = -EBADF;
2135 goto done;
2136 }
2137
2138 set_bit(BTUSB_DOWNLOADING, &data->flags);
2139
2140 /* Start the firmware download transaction with the Init fragment
2141 * represented by the 128 bytes of CSS header.
2142 */
09df123d 2143 err = btintel_secure_send(hdev, 0x00, 128, fw->data);
cda0dd78
MH		 2144 if (err < 0) {
2145 BT_ERR("%s: Failed to send firmware header (%d)",
2146 hdev->name, err);
2147 goto done;
2148 }
2149
2150 /* Send the 256 bytes of public key information from the firmware
2151 * as the PKey fragment.
2152 */
09df123d 2153 err = btintel_secure_send(hdev, 0x03, 256, fw->data + 128);
cda0dd78
MH		 2154 if (err < 0) {
2155 BT_ERR("%s: Failed to send firmware public key (%d)",
2156 hdev->name, err);
2157 goto done;
2158 }
2159
2160 /* Send the 256 bytes of signature information from the firmware
2161 * as the Sign fragment.
2162 */
09df123d 2163 err = btintel_secure_send(hdev, 0x02, 256, fw->data + 388);
cda0dd78
MH		 2164 if (err < 0) {
2165 BT_ERR("%s: Failed to send firmware signature (%d)",
2166 hdev->name, err);
2167 goto done;
2168 }
2169
2170 fw_ptr = fw->data + 644;
e66890a9 2171 frag_len = 0;
cda0dd78
MH		 2172
2173 while (fw_ptr - fw->data < fw->size) {
e66890a9 2174 struct hci_command_hdr *cmd = (void *)(fw_ptr + frag_len);
cda0dd78 2175
e66890a9 2176 frag_len += sizeof(*cmd) + cmd->plen;
cda0dd78 2177
5075edae 2178 /* The parameter length of the secure send command requires
e66890a9
MH		 2179 * a 4 byte alignment. It happens so that the firmware file
2180 * contains proper Intel_NOP commands to align the fragments
2181 * as needed.
2182 *
2183 * Send set of commands with 4 byte alignment from the
2184 * firmware data buffer as a single Data fragement.
cda0dd78 2185 */
e66890a9 2186 if (!(frag_len % 4)) {
09df123d 2187 err = btintel_secure_send(hdev, 0x01, frag_len, fw_ptr);
e66890a9
MH		 2188 if (err < 0) {
2189 BT_ERR("%s: Failed to send firmware data (%d)",
2190 hdev->name, err);
2191 goto done;
2192 }
cda0dd78 2193
e66890a9
MH		 2194 fw_ptr += frag_len;
2195 frag_len = 0;
2196 }
cda0dd78
MH		 2197 }
2198
ce6bb929
MH		 2199 set_bit(BTUSB_FIRMWARE_LOADED, &data->flags);
2200
a087a98e
JH		 2201 BT_INFO("%s: Waiting for firmware download to complete", hdev->name);
2202
cda0dd78
MH		 2203 /* Before switching the device into operational mode and with that
2204 * booting the loaded firmware, wait for the bootloader notification
2205 * that all fragments have been successfully received.
2206 *
a087a98e
JH		 2207 * When the event processing receives the notification, then the
2208 * BTUSB_DOWNLOADING flag will be cleared.
2209 *
2210 * The firmware loading should not take longer than 5 seconds
2211 * and thus just timeout if that happens and fail the setup
2212 * of this device.
cda0dd78 2213 */
129a7693
JH		 2214 err = wait_on_bit_timeout(&data->flags, BTUSB_DOWNLOADING,
2215 TASK_INTERRUPTIBLE,
2216 msecs_to_jiffies(5000));
a087a98e
JH		 2217 if (err == 1) {
2218 BT_ERR("%s: Firmware loading interrupted", hdev->name);
2219 err = -EINTR;
2220 goto done;
2221 }
cda0dd78 2222
a087a98e
JH		 2223 if (err) {
2224 BT_ERR("%s: Firmware loading timeout", hdev->name);
2225 err = -ETIMEDOUT;
2226 goto done;
cda0dd78
MH		 2227 }
2228
2229 if (test_bit(BTUSB_FIRMWARE_FAILED, &data->flags)) {
2230 BT_ERR("%s: Firmware loading failed", hdev->name);
2231 err = -ENOEXEC;
2232 goto done;
2233 }
2234
2235 rettime = ktime_get();
2236 delta = ktime_sub(rettime, calltime);
2237 duration = (unsigned long long) ktime_to_ns(delta) >> 10;
2238
2239 BT_INFO("%s: Firmware loaded in %llu usecs", hdev->name, duration);
2240
2241done:
2242 release_firmware(fw);
2243
2244 if (err < 0)
2245 return err;
2246
2247 calltime = ktime_get();
2248
2249 set_bit(BTUSB_BOOTING, &data->flags);
2250
2251 skb = __hci_cmd_sync(hdev, 0xfc01, sizeof(reset_param), reset_param,
2252 HCI_INIT_TIMEOUT);
2253 if (IS_ERR(skb))
2254 return PTR_ERR(skb);
2255
2256 kfree_skb(skb);
2257
2258 /* The bootloader will not indicate when the device is ready. This
2259 * is done by the operational firmware sending bootup notification.
fad70972
JH		 2260 *
2261 * Booting into operational firmware should not take longer than
2262 * 1 second. However if that happens, then just fail the setup
2263 * since something went wrong.
cda0dd78 2264 */
fad70972 2265 BT_INFO("%s: Waiting for device to boot", hdev->name);
cda0dd78 2266
129a7693
JH		 2267 err = wait_on_bit_timeout(&data->flags, BTUSB_BOOTING,
2268 TASK_INTERRUPTIBLE,
2269 msecs_to_jiffies(1000));
cda0dd78 2270
fad70972
JH		 2271 if (err == 1) {
2272 BT_ERR("%s: Device boot interrupted", hdev->name);
2273 return -EINTR;
2274 }
cda0dd78 2275
fad70972
JH		 2276 if (err) {
2277 BT_ERR("%s: Device boot timeout", hdev->name);
2278 return -ETIMEDOUT;
cda0dd78
MH		 2279 }
2280
2281 rettime = ktime_get();
2282 delta = ktime_sub(rettime, calltime);
2283 duration = (unsigned long long) ktime_to_ns(delta) >> 10;
2284
2285 BT_INFO("%s: Device booted in %llu usecs", hdev->name, duration);
2286
2287 clear_bit(BTUSB_BOOTLOADER, &data->flags);
2288
52cc9168
THJA		 2289 /* Once the device is running in operational mode, it needs to apply
2290 * the device configuration (DDC) parameters.
2291 *
2292 * The device can work without DDC parameters, so even if it fails
2293 * to load the file, no need to fail the setup.
2294 */
e924d3d6 2295 btintel_load_ddc_config(hdev, fwname);
52cc9168 2296
213445b2
MH		 2297 /* Set the event mask for Intel specific vendor events. This enables
2298 * a few extra events that are useful during general operation. It
2299 * does not enable any debugging related events.
2300 *
2301 * The device will function correctly without these events enabled
2302 * and thus no need to fail the setup.
2303 */
2304 btintel_set_event_mask(hdev, false);
2305
cda0dd78
MH		 2306 return 0;
2307}
2308
bfbd45e9
THJA		 2309static int btusb_shutdown_intel(struct hci_dev *hdev)
2310{
2311 struct sk_buff *skb;
2312 long ret;
2313
2314 /* Some platforms have an issue with BT LED when the interface is
2315 * down or BT radio is turned off, which takes 5 seconds to BT LED
2316 * goes off. This command turns off the BT LED immediately.
2317 */
2318 skb = __hci_cmd_sync(hdev, 0xfc3f, 0, NULL, HCI_INIT_TIMEOUT);
2319 if (IS_ERR(skb)) {
2320 ret = PTR_ERR(skb);
2321 BT_ERR("%s: turning off Intel device LED failed (%ld)",
2322 hdev->name, ret);
2323 return ret;
2324 }
2325 kfree_skb(skb);
2326
2327 return 0;
2328}
2329
ae8df494
AK		 2330static int btusb_set_bdaddr_marvell(struct hci_dev *hdev,
2331 const bdaddr_t *bdaddr)
2332{
2333 struct sk_buff *skb;
2334 u8 buf[8];
2335 long ret;
2336
2337 buf[0] = 0xfe;
2338 buf[1] = sizeof(bdaddr_t);
2339 memcpy(buf + 2, bdaddr, sizeof(bdaddr_t));
2340
2341 skb = __hci_cmd_sync(hdev, 0xfc22, sizeof(buf), buf, HCI_INIT_TIMEOUT);
2342 if (IS_ERR(skb)) {
2343 ret = PTR_ERR(skb);
2344 BT_ERR("%s: changing Marvell device address failed (%ld)",
2345 hdev->name, ret);
2346 return ret;
2347 }
2348 kfree_skb(skb);
2349
2350 return 0;
2351}
2352
5859223e
TK		 2353static int btusb_set_bdaddr_ath3012(struct hci_dev *hdev,
2354 const bdaddr_t *bdaddr)
2355{
2356 struct sk_buff *skb;
2357 u8 buf[10];
2358 long ret;
2359
2360 buf[0] = 0x01;
2361 buf[1] = 0x01;
2362 buf[2] = 0x00;
2363 buf[3] = sizeof(bdaddr_t);
2364 memcpy(buf + 4, bdaddr, sizeof(bdaddr_t));
2365
2366 skb = __hci_cmd_sync(hdev, 0xfc0b, sizeof(buf), buf, HCI_INIT_TIMEOUT);
2367 if (IS_ERR(skb)) {
2368 ret = PTR_ERR(skb);
2369 BT_ERR("%s: Change address command failed (%ld)",
2370 hdev->name, ret);
2371 return ret;
2372 }
2373 kfree_skb(skb);
2374
2375 return 0;
2376}
2377
3267c884
KBYT		 2378#define QCA_DFU_PACKET_LEN 4096
2379
2380#define QCA_GET_TARGET_VERSION 0x09
2381#define QCA_CHECK_STATUS 0x05
2382#define QCA_DFU_DOWNLOAD 0x01
2383
2384#define QCA_SYSCFG_UPDATED 0x40
2385#define QCA_PATCH_UPDATED 0x80
2386#define QCA_DFU_TIMEOUT 3000
2387
2388struct qca_version {
2389 __le32 rom_version;
2390 __le32 patch_version;
2391 __le32 ram_version;
2392 __le32 ref_clock;
2393 __u8 reserved[4];
2394} __packed;
2395
2396struct qca_rampatch_version {
2397 __le16 rom_version;
2398 __le16 patch_version;
2399} __packed;
2400
2401struct qca_device_info {
bf906b3d
KBYT		 2402 u32 rom_version;
2403 u8 rampatch_hdr; /* length of header in rampatch */
2404 u8 nvm_hdr; /* length of header in NVM */
2405 u8 ver_offset; /* offset of version structure in rampatch */
3267c884
KBYT		 2406};
2407
2408static const struct qca_device_info qca_devices_table[] = {
2409 { 0x00000100, 20, 4, 10 }, /* Rome 1.0 */
2410 { 0x00000101, 20, 4, 10 }, /* Rome 1.1 */
7f6e6363 2411 { 0x00000200, 28, 4, 18 }, /* Rome 2.0 */
3267c884
KBYT		 2412 { 0x00000201, 28, 4, 18 }, /* Rome 2.1 */
2413 { 0x00000300, 28, 4, 18 }, /* Rome 3.0 */
2414 { 0x00000302, 28, 4, 18 }, /* Rome 3.2 */
2415};
2416
2417static int btusb_qca_send_vendor_req(struct hci_dev *hdev, u8 request,
2418 void *data, u16 size)
2419{
2420 struct btusb_data *btdata = hci_get_drvdata(hdev);
2421 struct usb_device *udev = btdata->udev;
2422 int pipe, err;
2423 u8 *buf;
2424
2425 buf = kmalloc(size, GFP_KERNEL);
2426 if (!buf)
2427 return -ENOMEM;
2428
2429 /* Found some of USB hosts have IOT issues with ours so that we should
2430 * not wait until HCI layer is ready.
2431 */
2432 pipe = usb_rcvctrlpipe(udev, 0);
2433 err = usb_control_msg(udev, pipe, request, USB_TYPE_VENDOR | USB_DIR_IN,
2434 0, 0, buf, size, USB_CTRL_SET_TIMEOUT);
2435 if (err < 0) {
2436 BT_ERR("%s: Failed to access otp area (%d)", hdev->name, err);
2437 goto done;
2438 }
2439
2440 memcpy(data, buf, size);
2441
2442done:
2443 kfree(buf);
2444
2445 return err;
2446}
2447
2448static int btusb_setup_qca_download_fw(struct hci_dev *hdev,
2449 const struct firmware *firmware,
2450 size_t hdr_size)
2451{
2452 struct btusb_data *btdata = hci_get_drvdata(hdev);
2453 struct usb_device *udev = btdata->udev;
2454 size_t count, size, sent = 0;
2455 int pipe, len, err;
2456 u8 *buf;
2457
2458 buf = kmalloc(QCA_DFU_PACKET_LEN, GFP_KERNEL);
2459 if (!buf)
2460 return -ENOMEM;
2461
2462 count = firmware->size;
2463
2464 size = min_t(size_t, count, hdr_size);
2465 memcpy(buf, firmware->data, size);
2466
2467 /* USB patches should go down to controller through USB path
2468 * because binary format fits to go down through USB channel.
2469 * USB control path is for patching headers and USB bulk is for
2470 * patch body.
2471 */
2472 pipe = usb_sndctrlpipe(udev, 0);
2473 err = usb_control_msg(udev, pipe, QCA_DFU_DOWNLOAD, USB_TYPE_VENDOR,
2474 0, 0, buf, size, USB_CTRL_SET_TIMEOUT);
2475 if (err < 0) {
2476 BT_ERR("%s: Failed to send headers (%d)", hdev->name, err);
2477 goto done;
2478 }
2479
2480 sent += size;
2481 count -= size;
2482
2483 while (count) {
2484 size = min_t(size_t, count, QCA_DFU_PACKET_LEN);
2485
2486 memcpy(buf, firmware->data + sent, size);
2487
2488 pipe = usb_sndbulkpipe(udev, 0x02);
2489 err = usb_bulk_msg(udev, pipe, buf, size, &len,
2490 QCA_DFU_TIMEOUT);
2491 if (err < 0) {
2492 BT_ERR("%s: Failed to send body at %zd of %zd (%d)",
2493 hdev->name, sent, firmware->size, err);
2494 break;
2495 }
2496
2497 if (size != len) {
2498 BT_ERR("%s: Failed to get bulk buffer", hdev->name);
2499 err = -EILSEQ;
2500 break;
2501 }
2502
2503 sent += size;
2504 count -= size;
2505 }
2506
2507done:
2508 kfree(buf);
2509 return err;
2510}
2511
2512static int btusb_setup_qca_load_rampatch(struct hci_dev *hdev,
2513 struct qca_version *ver,
2514 const struct qca_device_info *info)
2515{
2516 struct qca_rampatch_version *rver;
2517 const struct firmware *fw;
bf906b3d
KBYT		 2518 u32 ver_rom, ver_patch;
2519 u16 rver_rom, rver_patch;
3267c884
KBYT		 2520 char fwname[64];
2521 int err;
2522
bf906b3d
KBYT		 2523 ver_rom = le32_to_cpu(ver->rom_version);
2524 ver_patch = le32_to_cpu(ver->patch_version);
2525
2526 snprintf(fwname, sizeof(fwname), "qca/rampatch_usb_%08x.bin", ver_rom);
3267c884
KBYT		 2527
2528 err = request_firmware(&fw, fwname, &hdev->dev);
2529 if (err) {
2530 BT_ERR("%s: failed to request rampatch file: %s (%d)",
2531 hdev->name, fwname, err);
2532 return err;
2533 }
2534
2535 BT_INFO("%s: using rampatch file: %s", hdev->name, fwname);
bf906b3d 2536
3267c884 2537 rver = (struct qca_rampatch_version *)(fw->data + info->ver_offset);
bf906b3d
KBYT		 2538 rver_rom = le16_to_cpu(rver->rom_version);
2539 rver_patch = le16_to_cpu(rver->patch_version);
2540
3267c884 2541 BT_INFO("%s: QCA: patch rome 0x%x build 0x%x, firmware rome 0x%x "
bf906b3d
KBYT		 2542 "build 0x%x", hdev->name, rver_rom, rver_patch, ver_rom,
2543 ver_patch);
3267c884 2544
bf906b3d 2545 if (rver_rom != ver_rom || rver_patch <= ver_patch) {
3267c884
KBYT		 2546 BT_ERR("%s: rampatch file version did not match with firmware",
2547 hdev->name);
2548 err = -EINVAL;
2549 goto done;
2550 }
2551
2552 err = btusb_setup_qca_download_fw(hdev, fw, info->rampatch_hdr);
2553
2554done:
2555 release_firmware(fw);
2556
2557 return err;
2558}
2559
2560static int btusb_setup_qca_load_nvm(struct hci_dev *hdev,
2561 struct qca_version *ver,
2562 const struct qca_device_info *info)
2563{
2564 const struct firmware *fw;
2565 char fwname[64];
2566 int err;
2567
2568 snprintf(fwname, sizeof(fwname), "qca/nvm_usb_%08x.bin",
2569 le32_to_cpu(ver->rom_version));
2570
2571 err = request_firmware(&fw, fwname, &hdev->dev);
2572 if (err) {
2573 BT_ERR("%s: failed to request NVM file: %s (%d)",
2574 hdev->name, fwname, err);
2575 return err;
2576 }
2577
2578 BT_INFO("%s: using NVM file: %s", hdev->name, fwname);
2579
2580 err = btusb_setup_qca_download_fw(hdev, fw, info->nvm_hdr);
2581
2582 release_firmware(fw);
2583
2584 return err;
2585}
2586
2587static int btusb_setup_qca(struct hci_dev *hdev)
2588{
2589 const struct qca_device_info *info = NULL;
2590 struct qca_version ver;
bf906b3d 2591 u32 ver_rom;
3267c884
KBYT		 2592 u8 status;
2593 int i, err;
2594
2595 err = btusb_qca_send_vendor_req(hdev, QCA_GET_TARGET_VERSION, &ver,
eb50042f 2596 sizeof(ver));
3267c884
KBYT		 2597 if (err < 0)
2598 return err;
2599
bf906b3d 2600 ver_rom = le32_to_cpu(ver.rom_version);
3267c884 2601 for (i = 0; i < ARRAY_SIZE(qca_devices_table); i++) {
bf906b3d 2602 if (ver_rom == qca_devices_table[i].rom_version)
3267c884
KBYT		 2603 info = &qca_devices_table[i];
2604 }
2605 if (!info) {
2606 BT_ERR("%s: don't support firmware rome 0x%x", hdev->name,
bf906b3d 2607 ver_rom);
3267c884
KBYT		 2608 return -ENODEV;
2609 }
2610
2611 err = btusb_qca_send_vendor_req(hdev, QCA_CHECK_STATUS, &status,
2612 sizeof(status));
2613 if (err < 0)
2614 return err;
2615
2616 if (!(status & QCA_PATCH_UPDATED)) {
2617 err = btusb_setup_qca_load_rampatch(hdev, &ver, info);
2618 if (err < 0)
2619 return err;
2620 }
2621
2622 if (!(status & QCA_SYSCFG_UPDATED)) {
2623 err = btusb_setup_qca_load_nvm(hdev, &ver, info);
2624 if (err < 0)
2625 return err;
2626 }
2627
2628 return 0;
2629}
2630
9d08f504
MH		 2631#ifdef CONFIG_BT_HCIBTUSB_BCM
2632static inline int __set_diag_interface(struct hci_dev *hdev)
2633{
2634 struct btusb_data *data = hci_get_drvdata(hdev);
2635 struct usb_interface *intf = data->diag;
2636 int i;
2637
2638 if (!data->diag)
2639 return -ENODEV;
2640
2641 data->diag_tx_ep = NULL;
2642 data->diag_rx_ep = NULL;
2643
2644 for (i = 0; i < intf->cur_altsetting->desc.bNumEndpoints; i++) {
2645 struct usb_endpoint_descriptor *ep_desc;
2646
2647 ep_desc = &intf->cur_altsetting->endpoint[i].desc;
2648
2649 if (!data->diag_tx_ep && usb_endpoint_is_bulk_out(ep_desc)) {
2650 data->diag_tx_ep = ep_desc;
2651 continue;
2652 }
2653
2654 if (!data->diag_rx_ep && usb_endpoint_is_bulk_in(ep_desc)) {
2655 data->diag_rx_ep = ep_desc;
2656 continue;
2657 }
2658 }
2659
2660 if (!data->diag_tx_ep || !data->diag_rx_ep) {
2661 BT_ERR("%s invalid diagnostic descriptors", hdev->name);
2662 return -ENODEV;
2663 }
2664
2665 return 0;
2666}
2667
2668static struct urb *alloc_diag_urb(struct hci_dev *hdev, bool enable)
2669{
2670 struct btusb_data *data = hci_get_drvdata(hdev);
2671 struct sk_buff *skb;
2672 struct urb *urb;
2673 unsigned int pipe;
2674
2675 if (!data->diag_tx_ep)
2676 return ERR_PTR(-ENODEV);
2677
2678 urb = usb_alloc_urb(0, GFP_KERNEL);
2679 if (!urb)
2680 return ERR_PTR(-ENOMEM);
2681
2682 skb = bt_skb_alloc(2, GFP_KERNEL);
2683 if (!skb) {
2684 usb_free_urb(urb);
2685 return ERR_PTR(-ENOMEM);
2686 }
2687
2688 *skb_put(skb, 1) = 0xf0;
2689 *skb_put(skb, 1) = enable;
2690
2691 pipe = usb_sndbulkpipe(data->udev, data->diag_tx_ep->bEndpointAddress);
2692
2693 usb_fill_bulk_urb(urb, data->udev, pipe,
2694 skb->data, skb->len, btusb_tx_complete, skb);
2695
2696 skb->dev = (void *)hdev;
2697
2698 return urb;
2699}
2700
2701static int btusb_bcm_set_diag(struct hci_dev *hdev, bool enable)
2702{
2703 struct btusb_data *data = hci_get_drvdata(hdev);
2704 struct urb *urb;
2705
2706 if (!data->diag)
2707 return -ENODEV;
2708
2709 if (!test_bit(HCI_RUNNING, &hdev->flags))
2710 return -ENETDOWN;
2711
2712 urb = alloc_diag_urb(hdev, enable);
2713 if (IS_ERR(urb))
2714 return PTR_ERR(urb);
2715
2716 return submit_or_queue_tx_urb(hdev, urb);
2717}
2718#endif
2719
5e23b923 2720static int btusb_probe(struct usb_interface *intf,
89e7533d 2721 const struct usb_device_id *id)
5e23b923
MH		 2722{
2723 struct usb_endpoint_descriptor *ep_desc;
2724 struct btusb_data *data;
2725 struct hci_dev *hdev;
22f8e9db 2726 unsigned ifnum_base;
5e23b923
MH		 2727 int i, err;
2728
2729 BT_DBG("intf %p id %p", intf, id);
2730
cfeb4145 2731 /* interface numbers are hardcoded in the spec */
22f8e9db
MH		 2732 if (intf->cur_altsetting->desc.bInterfaceNumber != 0) {
2733 if (!(id->driver_info & BTUSB_IFNUM_2))
2734 return -ENODEV;
2735 if (intf->cur_altsetting->desc.bInterfaceNumber != 2)
2736 return -ENODEV;
2737 }
2738
2739 ifnum_base = intf->cur_altsetting->desc.bInterfaceNumber;
5e23b923
MH		 2740
2741 if (!id->driver_info) {
2742 const struct usb_device_id *match;
89e7533d 2743
5e23b923
MH		 2744 match = usb_match_id(intf, blacklist_table);
2745 if (match)
2746 id = match;
2747 }
2748
cfeb4145
MH		 2749 if (id->driver_info == BTUSB_IGNORE)
2750 return -ENODEV;
2751
2d25f8b4
SL		 2752 if (id->driver_info & BTUSB_ATH3012) {
2753 struct usb_device *udev = interface_to_usbdev(intf);
2754
2755 /* Old firmware would otherwise let ath3k driver load
2756 * patch and sysconfig files */
2757 if (le16_to_cpu(udev->descriptor.bcdDevice) <= 0x0001)
2758 return -ENODEV;
2759 }
2760
98921dbd 2761 data = devm_kzalloc(&intf->dev, sizeof(*data), GFP_KERNEL);
5e23b923
MH		 2762 if (!data)
2763 return -ENOMEM;
2764
2765 for (i = 0; i < intf->cur_altsetting->desc.bNumEndpoints; i++) {
2766 ep_desc = &intf->cur_altsetting->endpoint[i].desc;
2767
2768 if (!data->intr_ep && usb_endpoint_is_int_in(ep_desc)) {
2769 data->intr_ep = ep_desc;
2770 continue;
2771 }
2772
2773 if (!data->bulk_tx_ep && usb_endpoint_is_bulk_out(ep_desc)) {
2774 data->bulk_tx_ep = ep_desc;
2775 continue;
2776 }
2777
2778 if (!data->bulk_rx_ep && usb_endpoint_is_bulk_in(ep_desc)) {
2779 data->bulk_rx_ep = ep_desc;
2780 continue;
2781 }
2782 }
2783
98921dbd 2784 if (!data->intr_ep || !data->bulk_tx_ep || !data->bulk_rx_ep)
5e23b923 2785 return -ENODEV;
5e23b923 2786
893ba544
MH		 2787 if (id->driver_info & BTUSB_AMP) {
2788 data->cmdreq_type = USB_TYPE_CLASS | 0x01;
2789 data->cmdreq = 0x2b;
2790 } else {
2791 data->cmdreq_type = USB_TYPE_CLASS;
2792 data->cmdreq = 0x00;
2793 }
7a9d4020 2794
5e23b923 2795 data->udev = interface_to_usbdev(intf);
5fbcd260 2796 data->intf = intf;
5e23b923 2797
5e23b923 2798 INIT_WORK(&data->work, btusb_work);
7bee549e 2799 INIT_WORK(&data->waker, btusb_waker);
803b5836
MH		 2800 init_usb_anchor(&data->deferred);
2801 init_usb_anchor(&data->tx_anchor);
7bee549e 2802 spin_lock_init(&data->txlock);
5e23b923 2803
5e23b923
MH		 2804 init_usb_anchor(&data->intr_anchor);
2805 init_usb_anchor(&data->bulk_anchor);
9bfa35fe 2806 init_usb_anchor(&data->isoc_anchor);
9d08f504 2807 init_usb_anchor(&data->diag_anchor);
803b5836 2808 spin_lock_init(&data->rxlock);
5e23b923 2809
cda0dd78
MH		 2810 if (id->driver_info & BTUSB_INTEL_NEW) {
2811 data->recv_event = btusb_recv_event_intel;
2812 data->recv_bulk = btusb_recv_bulk_intel;
2813 set_bit(BTUSB_BOOTLOADER, &data->flags);
2814 } else {
2815 data->recv_event = hci_recv_frame;
2816 data->recv_bulk = btusb_recv_bulk;
2817 }
2cbd3f5c 2818
5e23b923 2819 hdev = hci_alloc_dev();
98921dbd 2820 if (!hdev)
5e23b923 2821 return -ENOMEM;
5e23b923 2822
c13854ce 2823 hdev->bus = HCI_USB;
155961e8 2824 hci_set_drvdata(hdev, data);
5e23b923 2825
893ba544
MH		 2826 if (id->driver_info & BTUSB_AMP)
2827 hdev->dev_type = HCI_AMP;
2828 else
2829 hdev->dev_type = HCI_BREDR;
2830
5e23b923
MH		 2831 data->hdev = hdev;
2832
2833 SET_HCIDEV_DEV(hdev, &intf->dev);
2834
9f8f962c
MH		 2835 hdev->open = btusb_open;
2836 hdev->close = btusb_close;
2837 hdev->flush = btusb_flush;
2838 hdev->send = btusb_send_frame;
2839 hdev->notify = btusb_notify;
2840
6c9d435d
MH		 2841 if (id->driver_info & BTUSB_BCM2045)
2842 set_bit(HCI_QUIRK_BROKEN_STORED_LINK_KEY, &hdev->quirks);
2843
9f8f962c
MH		 2844 if (id->driver_info & BTUSB_BCM92035)
2845 hdev->setup = btusb_setup_bcm92035;
5e23b923 2846
c2bfb100 2847#ifdef CONFIG_BT_HCIBTUSB_BCM
abbaf50e 2848 if (id->driver_info & BTUSB_BCM_PATCHRAM) {
49a5f782 2849 hdev->manufacturer = 15;
c2bfb100 2850 hdev->setup = btbcm_setup_patchram;
9d08f504 2851 hdev->set_diag = btusb_bcm_set_diag;
1df1f591 2852 hdev->set_bdaddr = btbcm_set_bdaddr;
9d08f504
MH		 2853
2854 /* Broadcom LM_DIAG Interface numbers are hardcoded */
22f8e9db 2855 data->diag = usb_ifnum_to_if(data->udev, ifnum_base + 2);
abbaf50e 2856 }
10d4c673 2857
9d08f504 2858 if (id->driver_info & BTUSB_BCM_APPLE) {
49a5f782 2859 hdev->manufacturer = 15;
c2bfb100 2860 hdev->setup = btbcm_setup_apple;
9d08f504
MH		 2861 hdev->set_diag = btusb_bcm_set_diag;
2862
2863 /* Broadcom LM_DIAG Interface numbers are hardcoded */
22f8e9db 2864 data->diag = usb_ifnum_to_if(data->udev, ifnum_base + 2);
9d08f504 2865 }
c2bfb100 2866#endif
17b2772b 2867
cb8d6597 2868 if (id->driver_info & BTUSB_INTEL) {
49a5f782 2869 hdev->manufacturer = 2;
dffd30ee 2870 hdev->setup = btusb_setup_intel;
bfbd45e9 2871 hdev->shutdown = btusb_shutdown_intel;
3e24767b 2872 hdev->set_diag = btintel_set_diag_mfg;
4185a0f5 2873 hdev->set_bdaddr = btintel_set_bdaddr;
c33fb9b4 2874 set_bit(HCI_QUIRK_STRICT_DUPLICATE_FILTER, &hdev->quirks);
c1154842 2875 set_bit(HCI_QUIRK_SIMULTANEOUS_DISCOVERY, &hdev->quirks);
3e24767b 2876 set_bit(HCI_QUIRK_NON_PERSISTENT_DIAG, &hdev->quirks);
cb8d6597 2877 }
dffd30ee 2878
cda0dd78 2879 if (id->driver_info & BTUSB_INTEL_NEW) {
49a5f782 2880 hdev->manufacturer = 2;
cda0dd78
MH		 2881 hdev->send = btusb_send_frame_intel;
2882 hdev->setup = btusb_setup_intel_new;
eeb6abe9 2883 hdev->hw_error = btintel_hw_error;
6d2e50d2 2884 hdev->set_diag = btintel_set_diag;
4185a0f5 2885 hdev->set_bdaddr = btintel_set_bdaddr;
b970c5ba 2886 set_bit(HCI_QUIRK_STRICT_DUPLICATE_FILTER, &hdev->quirks);
d8270fbb 2887 set_bit(HCI_QUIRK_NON_PERSISTENT_DIAG, &hdev->quirks);
cda0dd78
MH		 2888 }
2889
ae8df494
AK		 2890 if (id->driver_info & BTUSB_MARVELL)
2891 hdev->set_bdaddr = btusb_set_bdaddr_marvell;
2892
661cf88a
MH		 2893 if (id->driver_info & BTUSB_SWAVE) {
2894 set_bit(HCI_QUIRK_FIXUP_INQUIRY_MODE, &hdev->quirks);
d57dbe77 2895 set_bit(HCI_QUIRK_BROKEN_LOCAL_COMMANDS, &hdev->quirks);
661cf88a 2896 }
d57dbe77 2897
e4c534bb
MH		 2898 if (id->driver_info & BTUSB_INTEL_BOOT) {
2899 hdev->manufacturer = 2;
40df783d 2900 set_bit(HCI_QUIRK_RAW_DEVICE, &hdev->quirks);
e4c534bb 2901 }
40df783d 2902
79f0c87d 2903 if (id->driver_info & BTUSB_ATH3012) {
5859223e 2904 hdev->set_bdaddr = btusb_set_bdaddr_ath3012;
3d50d51a 2905 set_bit(HCI_QUIRK_SIMULTANEOUS_DISCOVERY, &hdev->quirks);
79f0c87d
JP		 2906 set_bit(HCI_QUIRK_STRICT_DUPLICATE_FILTER, &hdev->quirks);
2907 }
5859223e 2908
3267c884
KBYT		 2909 if (id->driver_info & BTUSB_QCA_ROME) {
2910 data->setup_on_usb = btusb_setup_qca;
2911 hdev->set_bdaddr = btusb_set_bdaddr_ath3012;
2912 }
2913
db33c77d 2914#ifdef CONFIG_BT_HCIBTUSB_RTL
04b8c814 2915 if (id->driver_info & BTUSB_REALTEK) {
db33c77d 2916 hdev->setup = btrtl_setup_realtek;
04b8c814
DD		 2917
2918 /* Realtek devices lose their updated firmware over suspend,
2919 * but the USB hub doesn't notice any status change.
2920 * Explicitly request a device reset on resume.
2921 */
2922 set_bit(BTUSB_RESET_RESUME, &data->flags);
2923 }
db33c77d 2924#endif
a2698a9b 2925
893ba544
MH		 2926 if (id->driver_info & BTUSB_AMP) {
2927 /* AMP controllers do not support SCO packets */
2928 data->isoc = NULL;
2929 } else {
22f8e9db
MH		 2930 /* Interface orders are hardcoded in the specification */
2931 data->isoc = usb_ifnum_to_if(data->udev, ifnum_base + 1);
893ba544 2932 }
9bfa35fe 2933
7a9d4020 2934 if (!reset)
a6c511c6 2935 set_bit(HCI_QUIRK_RESET_ON_CLOSE, &hdev->quirks);
cfeb4145
MH		 2936
2937 if (force_scofix || id->driver_info & BTUSB_WRONG_SCO_MTU) {
2938 if (!disable_scofix)
2939 set_bit(HCI_QUIRK_FIXUP_BUFFER_SIZE, &hdev->quirks);
2940 }
2941
9bfa35fe
MH		 2942 if (id->driver_info & BTUSB_BROKEN_ISOC)
2943 data->isoc = NULL;
2944
7a9d4020
MH		 2945 if (id->driver_info & BTUSB_DIGIANSWER) {
2946 data->cmdreq_type = USB_TYPE_VENDOR;
a6c511c6 2947 set_bit(HCI_QUIRK_RESET_ON_CLOSE, &hdev->quirks);
7a9d4020
MH		 2948 }
2949
2950 if (id->driver_info & BTUSB_CSR) {
2951 struct usb_device *udev = data->udev;
81cac64b 2952 u16 bcdDevice = le16_to_cpu(udev->descriptor.bcdDevice);
7a9d4020
MH		 2953
2954 /* Old firmware would otherwise execute USB reset */
81cac64b 2955 if (bcdDevice < 0x117)
a6c511c6 2956 set_bit(HCI_QUIRK_RESET_ON_CLOSE, &hdev->quirks);
81cac64b
MH		 2957
2958 /* Fake CSR devices with broken commands */
6cafcd95 2959 if (bcdDevice <= 0x100 || bcdDevice == 0x134)
81cac64b 2960 hdev->setup = btusb_setup_csr;
49c989a0
JP		 2961
2962 set_bit(HCI_QUIRK_SIMULTANEOUS_DISCOVERY, &hdev->quirks);
7a9d4020
MH		 2963 }
2964
cfeb4145 2965 if (id->driver_info & BTUSB_SNIFFER) {
9bfa35fe 2966 struct usb_device *udev = data->udev;
cfeb4145 2967
7a9d4020 2968 /* New sniffer firmware has crippled HCI interface */
cfeb4145
MH		 2969 if (le16_to_cpu(udev->descriptor.bcdDevice) > 0x997)
2970 set_bit(HCI_QUIRK_RAW_DEVICE, &hdev->quirks);
2971 }
2972
3a5ef20c
MH		 2973 if (id->driver_info & BTUSB_INTEL_BOOT) {
2974 /* A bug in the bootloader causes that interrupt interface is
2975 * only enabled after receiving SetInterface(0, AltSetting=0).
2976 */
2977 err = usb_set_interface(data->udev, 0, 0);
2978 if (err < 0) {
2979 BT_ERR("failed to set interface 0, alt 0 %d", err);
2980 hci_free_dev(hdev);
2981 return err;
2982 }
2983 }
2984
9bfa35fe
MH		 2985 if (data->isoc) {
2986 err = usb_driver_claim_interface(&btusb_driver,
89e7533d 2987 data->isoc, data);
9bfa35fe
MH		 2988 if (err < 0) {
2989 hci_free_dev(hdev);
9bfa35fe
MH		 2990 return err;
2991 }
2992 }
2993
9d08f504
MH		 2994#ifdef CONFIG_BT_HCIBTUSB_BCM
2995 if (data->diag) {
2996 if (!usb_driver_claim_interface(&btusb_driver,
2997 data->diag, data))
2998 __set_diag_interface(hdev);
2999 else
3000 data->diag = NULL;
3001 }
3002#endif
3003
5e23b923
MH		 3004 err = hci_register_dev(hdev);
3005 if (err < 0) {
3006 hci_free_dev(hdev);
5e23b923
MH		 3007 return err;
3008 }
3009
3010 usb_set_intfdata(intf, data);
3011
3012 return 0;
3013}
3014
3015static void btusb_disconnect(struct usb_interface *intf)
3016{
3017 struct btusb_data *data = usb_get_intfdata(intf);
3018 struct hci_dev *hdev;
3019
3020 BT_DBG("intf %p", intf);
3021
3022 if (!data)
3023 return;
3024
3025 hdev = data->hdev;
5fbcd260
MH		 3026 usb_set_intfdata(data->intf, NULL);
3027
3028 if (data->isoc)
3029 usb_set_intfdata(data->isoc, NULL);
5e23b923 3030
9d08f504
MH		 3031 if (data->diag)
3032 usb_set_intfdata(data->diag, NULL);
3033
5e23b923
MH		 3034 hci_unregister_dev(hdev);
3035
9d08f504
MH		 3036 if (intf == data->intf) {
3037 if (data->isoc)
3038 usb_driver_release_interface(&btusb_driver, data->isoc);
3039 if (data->diag)
3040 usb_driver_release_interface(&btusb_driver, data->diag);
3041 } else if (intf == data->isoc) {
3042 if (data->diag)
3043 usb_driver_release_interface(&btusb_driver, data->diag);
5fbcd260 3044 usb_driver_release_interface(&btusb_driver, data->intf);
9d08f504
MH		 3045 } else if (intf == data->diag) {
3046 usb_driver_release_interface(&btusb_driver, data->intf);
3047 if (data->isoc)
3048 usb_driver_release_interface(&btusb_driver, data->isoc);
3049 }
5fbcd260 3050
5e23b923
MH		 3051 hci_free_dev(hdev);
3052}
3053
7bee549e 3054#ifdef CONFIG_PM
6a88adf2
MH		 3055static int btusb_suspend(struct usb_interface *intf, pm_message_t message)
3056{
3057 struct btusb_data *data = usb_get_intfdata(intf);
3058
3059 BT_DBG("intf %p", intf);
3060
3061 if (data->suspend_count++)
3062 return 0;
3063
7bee549e 3064 spin_lock_irq(&data->txlock);
5b1b0b81 3065 if (!(PMSG_IS_AUTO(message) && data->tx_in_flight)) {
7bee549e
ON		 3066 set_bit(BTUSB_SUSPENDING, &data->flags);
3067 spin_unlock_irq(&data->txlock);
3068 } else {
3069 spin_unlock_irq(&data->txlock);
3070 data->suspend_count--;
3071 return -EBUSY;
3072 }
3073
6a88adf2
MH		 3074 cancel_work_sync(&data->work);
3075
7bee549e 3076 btusb_stop_traffic(data);
6a88adf2
MH		 3077 usb_kill_anchored_urbs(&data->tx_anchor);
3078
04b8c814
DD		 3079 /* Optionally request a device reset on resume, but only when
3080 * wakeups are disabled. If wakeups are enabled we assume the
3081 * device will stay powered up throughout suspend.
3082 */
3083 if (test_bit(BTUSB_RESET_RESUME, &data->flags) &&
3084 !device_may_wakeup(&data->udev->dev))
3085 data->udev->reset_resume = 1;
3086
6a88adf2
MH		 3087 return 0;
3088}
3089
7bee549e
ON		 3090static void play_deferred(struct btusb_data *data)
3091{
3092 struct urb *urb;
3093 int err;
3094
3095 while ((urb = usb_get_from_anchor(&data->deferred))) {
3096 err = usb_submit_urb(urb, GFP_ATOMIC);
3097 if (err < 0)
3098 break;
3099
3100 data->tx_in_flight++;
3101 }
3102 usb_scuttle_anchored_urbs(&data->deferred);
3103}
3104
6a88adf2
MH		 3105static int btusb_resume(struct usb_interface *intf)
3106{
3107 struct btusb_data *data = usb_get_intfdata(intf);
3108 struct hci_dev *hdev = data->hdev;
7bee549e 3109 int err = 0;
6a88adf2
MH		 3110
3111 BT_DBG("intf %p", intf);
3112
3113 if (--data->suspend_count)
3114 return 0;
3115
3116 if (!test_bit(HCI_RUNNING, &hdev->flags))
7bee549e 3117 goto done;
6a88adf2
MH		 3118
3119 if (test_bit(BTUSB_INTR_RUNNING, &data->flags)) {
3120 err = btusb_submit_intr_urb(hdev, GFP_NOIO);
3121 if (err < 0) {
3122 clear_bit(BTUSB_INTR_RUNNING, &data->flags);
7bee549e 3123 goto failed;
6a88adf2
MH		 3124 }
3125 }
3126
3127 if (test_bit(BTUSB_BULK_RUNNING, &data->flags)) {
43c2e57f
MH		 3128 err = btusb_submit_bulk_urb(hdev, GFP_NOIO);
3129 if (err < 0) {
6a88adf2 3130 clear_bit(BTUSB_BULK_RUNNING, &data->flags);
7bee549e
ON		 3131 goto failed;
3132 }
3133
3134 btusb_submit_bulk_urb(hdev, GFP_NOIO);
6a88adf2
MH		 3135 }
3136
3137 if (test_bit(BTUSB_ISOC_RUNNING, &data->flags)) {
3138 if (btusb_submit_isoc_urb(hdev, GFP_NOIO) < 0)
3139 clear_bit(BTUSB_ISOC_RUNNING, &data->flags);
3140 else
3141 btusb_submit_isoc_urb(hdev, GFP_NOIO);
3142 }
3143
7bee549e
ON		 3144 spin_lock_irq(&data->txlock);
3145 play_deferred(data);
3146 clear_bit(BTUSB_SUSPENDING, &data->flags);
3147 spin_unlock_irq(&data->txlock);
3148 schedule_work(&data->work);
3149
6a88adf2 3150 return 0;
7bee549e
ON		 3151
3152failed:
3153 usb_scuttle_anchored_urbs(&data->deferred);
3154done:
3155 spin_lock_irq(&data->txlock);
3156 clear_bit(BTUSB_SUSPENDING, &data->flags);
3157 spin_unlock_irq(&data->txlock);
3158
3159 return err;
6a88adf2 3160}
7bee549e 3161#endif
6a88adf2 3162
5e23b923
MH		 3163static struct usb_driver btusb_driver = {
3164 .name = "btusb",
3165 .probe = btusb_probe,
3166 .disconnect = btusb_disconnect,
7bee549e 3167#ifdef CONFIG_PM
6a88adf2
MH		 3168 .suspend = btusb_suspend,
3169 .resume = btusb_resume,
7bee549e 3170#endif
5e23b923 3171 .id_table = btusb_table,
7bee549e 3172 .supports_autosuspend = 1,
e1f12eb6 3173 .disable_hub_initiated_lpm = 1,
5e23b923
MH		 3174};
3175
93f1508c 3176module_usb_driver(btusb_driver);
5e23b923 3177
cfeb4145
MH		 3178module_param(disable_scofix, bool, 0644);
3179MODULE_PARM_DESC(disable_scofix, "Disable fixup of wrong SCO buffer size");
3180
3181module_param(force_scofix, bool, 0644);
3182MODULE_PARM_DESC(force_scofix, "Force fixup of wrong SCO buffers size");
3183
3184module_param(reset, bool, 0644);
3185MODULE_PARM_DESC(reset, "Send HCI reset command on initialization");
3186
5e23b923
MH		 3187MODULE_AUTHOR("Marcel Holtmann <marcel@holtmann.org>");
3188MODULE_DESCRIPTION("Generic Bluetooth USB driver ver " VERSION);
3189MODULE_VERSION(VERSION);
3190MODULE_LICENSE("GPL");
Linux 6.x block layer and io_uring tree(s)