linux/drivers/bluetooth/btusb.c
<<
>>
Prefs
   1/*
   2 *
   3 *  Generic Bluetooth USB driver
   4 *
   5 *  Copyright (C) 2005-2008  Marcel Holtmann <marcel@holtmann.org>
   6 *
   7 *
   8 *  This program is free software; you can redistribute it and/or modify
   9 *  it under the terms of the GNU General Public License as published by
  10 *  the Free Software Foundation; either version 2 of the License, or
  11 *  (at your option) any later version.
  12 *
  13 *  This program is distributed in the hope that it will be useful,
  14 *  but WITHOUT ANY WARRANTY; without even the implied warranty of
  15 *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  16 *  GNU General Public License for more details.
  17 *
  18 *  You should have received a copy of the GNU General Public License
  19 *  along with this program; if not, write to the Free Software
  20 *  Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
  21 *
  22 */
  23
  24#include <linux/module.h>
  25#include <linux/usb.h>
  26#include <linux/firmware.h>
  27
  28#include <net/bluetooth/bluetooth.h>
  29#include <net/bluetooth/hci_core.h>
  30
  31#define VERSION "0.6"
  32
  33static bool disable_scofix;
  34static bool force_scofix;
  35
  36static bool reset = 1;
  37
  38static struct usb_driver btusb_driver;
  39
  40#define BTUSB_IGNORE            0x01
  41#define BTUSB_DIGIANSWER        0x02
  42#define BTUSB_CSR               0x04
  43#define BTUSB_SNIFFER           0x08
  44#define BTUSB_BCM92035          0x10
  45#define BTUSB_BROKEN_ISOC       0x20
  46#define BTUSB_WRONG_SCO_MTU     0x40
  47#define BTUSB_ATH3012           0x80
  48#define BTUSB_INTEL             0x100
  49#define BTUSB_INTEL_BOOT        0x200
  50#define BTUSB_BCM_PATCHRAM      0x400
  51#define BTUSB_MARVELL           0x800
  52
  53static const struct usb_device_id btusb_table[] = {
  54        /* Generic Bluetooth USB device */
  55        { USB_DEVICE_INFO(0xe0, 0x01, 0x01) },
  56
  57        /* Apple-specific (Broadcom) devices */
  58        { USB_VENDOR_AND_INTERFACE_INFO(0x05ac, 0xff, 0x01, 0x01) },
  59
  60        /* MediaTek MT76x0E */
  61        { USB_DEVICE(0x0e8d, 0x763f) },
  62
  63        /* Broadcom SoftSailing reporting vendor specific */
  64        { USB_DEVICE(0x0a5c, 0x21e1) },
  65
  66        /* Apple MacBookPro 7,1 */
  67        { USB_DEVICE(0x05ac, 0x8213) },
  68
  69        /* Apple iMac11,1 */
  70        { USB_DEVICE(0x05ac, 0x8215) },
  71
  72        /* Apple MacBookPro6,2 */
  73        { USB_DEVICE(0x05ac, 0x8218) },
  74
  75        /* Apple MacBookAir3,1, MacBookAir3,2 */
  76        { USB_DEVICE(0x05ac, 0x821b) },
  77
  78        /* Apple MacBookAir4,1 */
  79        { USB_DEVICE(0x05ac, 0x821f) },
  80
  81        /* Apple MacBookPro8,2 */
  82        { USB_DEVICE(0x05ac, 0x821a) },
  83
  84        /* Apple MacMini5,1 */
  85        { USB_DEVICE(0x05ac, 0x8281) },
  86
  87        /* AVM BlueFRITZ! USB v2.0 */
  88        { USB_DEVICE(0x057c, 0x3800) },
  89
  90        /* Bluetooth Ultraport Module from IBM */
  91        { USB_DEVICE(0x04bf, 0x030a) },
  92
  93        /* ALPS Modules with non-standard id */
  94        { USB_DEVICE(0x044e, 0x3001) },
  95        { USB_DEVICE(0x044e, 0x3002) },
  96
  97        /* Ericsson with non-standard id */
  98        { USB_DEVICE(0x0bdb, 0x1002) },
  99
 100        /* Canyon CN-BTU1 with HID interfaces */
 101        { USB_DEVICE(0x0c10, 0x0000) },
 102
 103        /* Broadcom BCM20702A0 */
 104        { USB_DEVICE(0x0489, 0xe042) },
 105        { USB_DEVICE(0x04ca, 0x2003) },
 106        { USB_DEVICE(0x0b05, 0x17b5) },
 107        { USB_DEVICE(0x0b05, 0x17cb) },
 108        { USB_DEVICE(0x413c, 0x8197) },
 109        { USB_DEVICE(0x13d3, 0x3404),
 110          .driver_info = BTUSB_BCM_PATCHRAM },
 111
 112        /* Broadcom BCM20702B0 (Dynex/Insignia) */
 113        { USB_DEVICE(0x19ff, 0x0239), .driver_info = BTUSB_BCM_PATCHRAM },
 114
 115        /* Foxconn - Hon Hai */
 116        { USB_VENDOR_AND_INTERFACE_INFO(0x0489, 0xff, 0x01, 0x01),
 117          .driver_info = BTUSB_BCM_PATCHRAM },
 118
 119        /* Lite-On Technology - Broadcom based */
 120        { USB_VENDOR_AND_INTERFACE_INFO(0x04ca, 0xff, 0x01, 0x01),
 121          .driver_info = BTUSB_BCM_PATCHRAM },
 122
 123        /* Broadcom devices with vendor specific id */
 124        { USB_VENDOR_AND_INTERFACE_INFO(0x0a5c, 0xff, 0x01, 0x01),
 125          .driver_info = BTUSB_BCM_PATCHRAM },
 126
 127        /* ASUSTek Computer - Broadcom based */
 128        { USB_VENDOR_AND_INTERFACE_INFO(0x0b05, 0xff, 0x01, 0x01),
 129          .driver_info = BTUSB_BCM_PATCHRAM },
 130
 131        /* Belkin F8065bf - Broadcom based */
 132        { USB_VENDOR_AND_INTERFACE_INFO(0x050d, 0xff, 0x01, 0x01) },
 133
 134        /* IMC Networks - Broadcom based */
 135        { USB_VENDOR_AND_INTERFACE_INFO(0x13d3, 0xff, 0x01, 0x01) },
 136
 137        /* Intel Bluetooth USB Bootloader (RAM module) */
 138        { USB_DEVICE(0x8087, 0x0a5a),
 139          .driver_info = BTUSB_INTEL_BOOT | BTUSB_BROKEN_ISOC },
 140
 141        { }     /* Terminating entry */
 142};
 143
 144MODULE_DEVICE_TABLE(usb, btusb_table);
 145
 146static const struct usb_device_id blacklist_table[] = {
 147        /* CSR BlueCore devices */
 148        { USB_DEVICE(0x0a12, 0x0001), .driver_info = BTUSB_CSR },
 149
 150        /* Broadcom BCM2033 without firmware */
 151        { USB_DEVICE(0x0a5c, 0x2033), .driver_info = BTUSB_IGNORE },
 152
 153        /* Atheros 3011 with sflash firmware */
 154        { USB_DEVICE(0x0489, 0xe027), .driver_info = BTUSB_IGNORE },
 155        { USB_DEVICE(0x0489, 0xe03d), .driver_info = BTUSB_IGNORE },
 156        { USB_DEVICE(0x0930, 0x0215), .driver_info = BTUSB_IGNORE },
 157        { USB_DEVICE(0x0cf3, 0x3002), .driver_info = BTUSB_IGNORE },
 158        { USB_DEVICE(0x0cf3, 0xe019), .driver_info = BTUSB_IGNORE },
 159        { USB_DEVICE(0x13d3, 0x3304), .driver_info = BTUSB_IGNORE },
 160
 161        /* Atheros AR9285 Malbec with sflash firmware */
 162        { USB_DEVICE(0x03f0, 0x311d), .driver_info = BTUSB_IGNORE },
 163
 164        /* Atheros 3012 with sflash firmware */
 165        { USB_DEVICE(0x0489, 0xe04d), .driver_info = BTUSB_ATH3012 },
 166        { USB_DEVICE(0x0489, 0xe04e), .driver_info = BTUSB_ATH3012 },
 167        { USB_DEVICE(0x0489, 0xe056), .driver_info = BTUSB_ATH3012 },
 168        { USB_DEVICE(0x0489, 0xe057), .driver_info = BTUSB_ATH3012 },
 169        { USB_DEVICE(0x0489, 0xe05f), .driver_info = BTUSB_ATH3012 },
 170        { USB_DEVICE(0x0489, 0xe078), .driver_info = BTUSB_ATH3012 },
 171        { USB_DEVICE(0x04c5, 0x1330), .driver_info = BTUSB_ATH3012 },
 172        { USB_DEVICE(0x04ca, 0x3004), .driver_info = BTUSB_ATH3012 },
 173        { USB_DEVICE(0x04ca, 0x3005), .driver_info = BTUSB_ATH3012 },
 174        { USB_DEVICE(0x04ca, 0x3006), .driver_info = BTUSB_ATH3012 },
 175        { USB_DEVICE(0x04ca, 0x3007), .driver_info = BTUSB_ATH3012 },
 176        { USB_DEVICE(0x04ca, 0x3008), .driver_info = BTUSB_ATH3012 },
 177        { USB_DEVICE(0x04ca, 0x300b), .driver_info = BTUSB_ATH3012 },
 178        { USB_DEVICE(0x04ca, 0x3010), .driver_info = BTUSB_ATH3012 },
 179        { USB_DEVICE(0x0930, 0x0219), .driver_info = BTUSB_ATH3012 },
 180        { USB_DEVICE(0x0930, 0x0220), .driver_info = BTUSB_ATH3012 },
 181        { USB_DEVICE(0x0930, 0x0227), .driver_info = BTUSB_ATH3012 },
 182        { USB_DEVICE(0x0b05, 0x17d0), .driver_info = BTUSB_ATH3012 },
 183        { USB_DEVICE(0x0cf3, 0x0036), .driver_info = BTUSB_ATH3012 },
 184        { USB_DEVICE(0x0cf3, 0x3004), .driver_info = BTUSB_ATH3012 },
 185        { USB_DEVICE(0x0cf3, 0x3008), .driver_info = BTUSB_ATH3012 },
 186        { USB_DEVICE(0x0cf3, 0x311d), .driver_info = BTUSB_ATH3012 },
 187        { USB_DEVICE(0x0cf3, 0x311e), .driver_info = BTUSB_ATH3012 },
 188        { USB_DEVICE(0x0cf3, 0x311f), .driver_info = BTUSB_ATH3012 },
 189        { USB_DEVICE(0x0cf3, 0x3121), .driver_info = BTUSB_ATH3012 },
 190        { USB_DEVICE(0x0cf3, 0x817a), .driver_info = BTUSB_ATH3012 },
 191        { USB_DEVICE(0x0cf3, 0xe003), .driver_info = BTUSB_ATH3012 },
 192        { USB_DEVICE(0x0cf3, 0xe004), .driver_info = BTUSB_ATH3012 },
 193        { USB_DEVICE(0x0cf3, 0xe005), .driver_info = BTUSB_ATH3012 },
 194        { USB_DEVICE(0x13d3, 0x3362), .driver_info = BTUSB_ATH3012 },
 195        { USB_DEVICE(0x13d3, 0x3375), .driver_info = BTUSB_ATH3012 },
 196        { USB_DEVICE(0x13d3, 0x3393), .driver_info = BTUSB_ATH3012 },
 197        { USB_DEVICE(0x13d3, 0x3402), .driver_info = BTUSB_ATH3012 },
 198        { USB_DEVICE(0x13d3, 0x3408), .driver_info = BTUSB_ATH3012 },
 199        { USB_DEVICE(0x13d3, 0x3423), .driver_info = BTUSB_ATH3012 },
 200        { USB_DEVICE(0x13d3, 0x3432), .driver_info = BTUSB_ATH3012 },
 201
 202        /* Atheros AR5BBU12 with sflash firmware */
 203        { USB_DEVICE(0x0489, 0xe02c), .driver_info = BTUSB_IGNORE },
 204
 205        /* Atheros AR5BBU12 with sflash firmware */
 206        { USB_DEVICE(0x0489, 0xe036), .driver_info = BTUSB_ATH3012 },
 207        { USB_DEVICE(0x0489, 0xe03c), .driver_info = BTUSB_ATH3012 },
 208
 209        /* Broadcom BCM2035 */
 210        { USB_DEVICE(0x0a5c, 0x2009), .driver_info = BTUSB_BCM92035 },
 211        { USB_DEVICE(0x0a5c, 0x200a), .driver_info = BTUSB_WRONG_SCO_MTU },
 212        { USB_DEVICE(0x0a5c, 0x2035), .driver_info = BTUSB_WRONG_SCO_MTU },
 213
 214        /* Broadcom BCM2045 */
 215        { USB_DEVICE(0x0a5c, 0x2039), .driver_info = BTUSB_WRONG_SCO_MTU },
 216        { USB_DEVICE(0x0a5c, 0x2101), .driver_info = BTUSB_WRONG_SCO_MTU },
 217
 218        /* IBM/Lenovo ThinkPad with Broadcom chip */
 219        { USB_DEVICE(0x0a5c, 0x201e), .driver_info = BTUSB_WRONG_SCO_MTU },
 220        { USB_DEVICE(0x0a5c, 0x2110), .driver_info = BTUSB_WRONG_SCO_MTU },
 221
 222        /* HP laptop with Broadcom chip */
 223        { USB_DEVICE(0x03f0, 0x171d), .driver_info = BTUSB_WRONG_SCO_MTU },
 224
 225        /* Dell laptop with Broadcom chip */
 226        { USB_DEVICE(0x413c, 0x8126), .driver_info = BTUSB_WRONG_SCO_MTU },
 227
 228        /* Dell Wireless 370 and 410 devices */
 229        { USB_DEVICE(0x413c, 0x8152), .driver_info = BTUSB_WRONG_SCO_MTU },
 230        { USB_DEVICE(0x413c, 0x8156), .driver_info = BTUSB_WRONG_SCO_MTU },
 231
 232        /* Belkin F8T012 and F8T013 devices */
 233        { USB_DEVICE(0x050d, 0x0012), .driver_info = BTUSB_WRONG_SCO_MTU },
 234        { USB_DEVICE(0x050d, 0x0013), .driver_info = BTUSB_WRONG_SCO_MTU },
 235
 236        /* Asus WL-BTD202 device */
 237        { USB_DEVICE(0x0b05, 0x1715), .driver_info = BTUSB_WRONG_SCO_MTU },
 238
 239        /* Kensington Bluetooth USB adapter */
 240        { USB_DEVICE(0x047d, 0x105e), .driver_info = BTUSB_WRONG_SCO_MTU },
 241
 242        /* RTX Telecom based adapters with buggy SCO support */
 243        { USB_DEVICE(0x0400, 0x0807), .driver_info = BTUSB_BROKEN_ISOC },
 244        { USB_DEVICE(0x0400, 0x080a), .driver_info = BTUSB_BROKEN_ISOC },
 245
 246        /* CONWISE Technology based adapters with buggy SCO support */
 247        { USB_DEVICE(0x0e5e, 0x6622), .driver_info = BTUSB_BROKEN_ISOC },
 248
 249        /* Digianswer devices */
 250        { USB_DEVICE(0x08fd, 0x0001), .driver_info = BTUSB_DIGIANSWER },
 251        { USB_DEVICE(0x08fd, 0x0002), .driver_info = BTUSB_IGNORE },
 252
 253        /* CSR BlueCore Bluetooth Sniffer */
 254        { USB_DEVICE(0x0a12, 0x0002),
 255          .driver_info = BTUSB_SNIFFER | BTUSB_BROKEN_ISOC },
 256
 257        /* Frontline ComProbe Bluetooth Sniffer */
 258        { USB_DEVICE(0x16d3, 0x0002),
 259          .driver_info = BTUSB_SNIFFER | BTUSB_BROKEN_ISOC },
 260
 261        /* Intel Bluetooth device */
 262        { USB_DEVICE(0x8087, 0x07dc), .driver_info = BTUSB_INTEL },
 263        { USB_DEVICE(0x8087, 0x0a2a), .driver_info = BTUSB_INTEL },
 264
 265        /* Marvell device */
 266        { USB_DEVICE(0x1286, 0x2044), .driver_info = BTUSB_MARVELL },
 267        { USB_DEVICE(0x1286, 0x2046), .driver_info = BTUSB_MARVELL },
 268
 269        { }     /* Terminating entry */
 270};
 271
 272#define BTUSB_MAX_ISOC_FRAMES   10
 273
 274#define BTUSB_INTR_RUNNING      0
 275#define BTUSB_BULK_RUNNING      1
 276#define BTUSB_ISOC_RUNNING      2
 277#define BTUSB_SUSPENDING        3
 278#define BTUSB_DID_ISO_RESUME    4
 279
 280struct btusb_data {
 281        struct hci_dev       *hdev;
 282        struct usb_device    *udev;
 283        struct usb_interface *intf;
 284        struct usb_interface *isoc;
 285
 286        unsigned long flags;
 287
 288        struct work_struct work;
 289        struct work_struct waker;
 290
 291        struct usb_anchor deferred;
 292        struct usb_anchor tx_anchor;
 293        int tx_in_flight;
 294        spinlock_t txlock;
 295
 296        struct usb_anchor intr_anchor;
 297        struct usb_anchor bulk_anchor;
 298        struct usb_anchor isoc_anchor;
 299        spinlock_t rxlock;
 300
 301        struct sk_buff *evt_skb;
 302        struct sk_buff *acl_skb;
 303        struct sk_buff *sco_skb;
 304
 305        struct usb_endpoint_descriptor *intr_ep;
 306        struct usb_endpoint_descriptor *bulk_tx_ep;
 307        struct usb_endpoint_descriptor *bulk_rx_ep;
 308        struct usb_endpoint_descriptor *isoc_tx_ep;
 309        struct usb_endpoint_descriptor *isoc_rx_ep;
 310
 311        __u8 cmdreq_type;
 312
 313        unsigned int sco_num;
 314        int isoc_altsetting;
 315        int suspend_count;
 316
 317        int (*recv_bulk)(struct btusb_data *data, void *buffer, int count);
 318};
 319
 320static inline void btusb_free_frags(struct btusb_data *data)
 321{
 322        unsigned long flags;
 323
 324        spin_lock_irqsave(&data->rxlock, flags);
 325
 326        kfree_skb(data->evt_skb);
 327        data->evt_skb = NULL;
 328
 329        kfree_skb(data->acl_skb);
 330        data->acl_skb = NULL;
 331
 332        kfree_skb(data->sco_skb);
 333        data->sco_skb = NULL;
 334
 335        spin_unlock_irqrestore(&data->rxlock, flags);
 336}
 337
 338static int btusb_recv_intr(struct btusb_data *data, void *buffer, int count)
 339{
 340        struct sk_buff *skb;
 341        int err = 0;
 342
 343        spin_lock(&data->rxlock);
 344        skb = data->evt_skb;
 345
 346        while (count) {
 347                int len;
 348
 349                if (!skb) {
 350                        skb = bt_skb_alloc(HCI_MAX_EVENT_SIZE, GFP_ATOMIC);
 351                        if (!skb) {
 352                                err = -ENOMEM;
 353                                break;
 354                        }
 355
 356                        bt_cb(skb)->pkt_type = HCI_EVENT_PKT;
 357                        bt_cb(skb)->expect = HCI_EVENT_HDR_SIZE;
 358                }
 359
 360                len = min_t(uint, bt_cb(skb)->expect, count);
 361                memcpy(skb_put(skb, len), buffer, len);
 362
 363                count -= len;
 364                buffer += len;
 365                bt_cb(skb)->expect -= len;
 366
 367                if (skb->len == HCI_EVENT_HDR_SIZE) {
 368                        /* Complete event header */
 369                        bt_cb(skb)->expect = hci_event_hdr(skb)->plen;
 370
 371                        if (skb_tailroom(skb) < bt_cb(skb)->expect) {
 372                                kfree_skb(skb);
 373                                skb = NULL;
 374
 375                                err = -EILSEQ;
 376                                break;
 377                        }
 378                }
 379
 380                if (bt_cb(skb)->expect == 0) {
 381                        /* Complete frame */
 382                        hci_recv_frame(data->hdev, skb);
 383                        skb = NULL;
 384                }
 385        }
 386
 387        data->evt_skb = skb;
 388        spin_unlock(&data->rxlock);
 389
 390        return err;
 391}
 392
 393static int btusb_recv_bulk(struct btusb_data *data, void *buffer, int count)
 394{
 395        struct sk_buff *skb;
 396        int err = 0;
 397
 398        spin_lock(&data->rxlock);
 399        skb = data->acl_skb;
 400
 401        while (count) {
 402                int len;
 403
 404                if (!skb) {
 405                        skb = bt_skb_alloc(HCI_MAX_FRAME_SIZE, GFP_ATOMIC);
 406                        if (!skb) {
 407                                err = -ENOMEM;
 408                                break;
 409                        }
 410
 411                        bt_cb(skb)->pkt_type = HCI_ACLDATA_PKT;
 412                        bt_cb(skb)->expect = HCI_ACL_HDR_SIZE;
 413                }
 414
 415                len = min_t(uint, bt_cb(skb)->expect, count);
 416                memcpy(skb_put(skb, len), buffer, len);
 417
 418                count -= len;
 419                buffer += len;
 420                bt_cb(skb)->expect -= len;
 421
 422                if (skb->len == HCI_ACL_HDR_SIZE) {
 423                        __le16 dlen = hci_acl_hdr(skb)->dlen;
 424
 425                        /* Complete ACL header */
 426                        bt_cb(skb)->expect = __le16_to_cpu(dlen);
 427
 428                        if (skb_tailroom(skb) < bt_cb(skb)->expect) {
 429                                kfree_skb(skb);
 430                                skb = NULL;
 431
 432                                err = -EILSEQ;
 433                                break;
 434                        }
 435                }
 436
 437                if (bt_cb(skb)->expect == 0) {
 438                        /* Complete frame */
 439                        hci_recv_frame(data->hdev, skb);
 440                        skb = NULL;
 441                }
 442        }
 443
 444        data->acl_skb = skb;
 445        spin_unlock(&data->rxlock);
 446
 447        return err;
 448}
 449
 450static int btusb_recv_isoc(struct btusb_data *data, void *buffer, int count)
 451{
 452        struct sk_buff *skb;
 453        int err = 0;
 454
 455        spin_lock(&data->rxlock);
 456        skb = data->sco_skb;
 457
 458        while (count) {
 459                int len;
 460
 461                if (!skb) {
 462                        skb = bt_skb_alloc(HCI_MAX_SCO_SIZE, GFP_ATOMIC);
 463                        if (!skb) {
 464                                err = -ENOMEM;
 465                                break;
 466                        }
 467
 468                        bt_cb(skb)->pkt_type = HCI_SCODATA_PKT;
 469                        bt_cb(skb)->expect = HCI_SCO_HDR_SIZE;
 470                }
 471
 472                len = min_t(uint, bt_cb(skb)->expect, count);
 473                memcpy(skb_put(skb, len), buffer, len);
 474
 475                count -= len;
 476                buffer += len;
 477                bt_cb(skb)->expect -= len;
 478
 479                if (skb->len == HCI_SCO_HDR_SIZE) {
 480                        /* Complete SCO header */
 481                        bt_cb(skb)->expect = hci_sco_hdr(skb)->dlen;
 482
 483                        if (skb_tailroom(skb) < bt_cb(skb)->expect) {
 484                                kfree_skb(skb);
 485                                skb = NULL;
 486
 487                                err = -EILSEQ;
 488                                break;
 489                        }
 490                }
 491
 492                if (bt_cb(skb)->expect == 0) {
 493                        /* Complete frame */
 494                        hci_recv_frame(data->hdev, skb);
 495                        skb = NULL;
 496                }
 497        }
 498
 499        data->sco_skb = skb;
 500        spin_unlock(&data->rxlock);
 501
 502        return err;
 503}
 504
 505static void btusb_intr_complete(struct urb *urb)
 506{
 507        struct hci_dev *hdev = urb->context;
 508        struct btusb_data *data = hci_get_drvdata(hdev);
 509        int err;
 510
 511        BT_DBG("%s urb %p status %d count %d", hdev->name, urb, urb->status,
 512               urb->actual_length);
 513
 514        if (!test_bit(HCI_RUNNING, &hdev->flags))
 515                return;
 516
 517        if (urb->status == 0) {
 518                hdev->stat.byte_rx += urb->actual_length;
 519
 520                if (btusb_recv_intr(data, urb->transfer_buffer,
 521                                    urb->actual_length) < 0) {
 522                        BT_ERR("%s corrupted event packet", hdev->name);
 523                        hdev->stat.err_rx++;
 524                }
 525        } else if (urb->status == -ENOENT) {
 526                /* Avoid suspend failed when usb_kill_urb */
 527                return;
 528        }
 529
 530        if (!test_bit(BTUSB_INTR_RUNNING, &data->flags))
 531                return;
 532
 533        usb_mark_last_busy(data->udev);
 534        usb_anchor_urb(urb, &data->intr_anchor);
 535
 536        err = usb_submit_urb(urb, GFP_ATOMIC);
 537        if (err < 0) {
 538                /* -EPERM: urb is being killed;
 539                 * -ENODEV: device got disconnected */
 540                if (err != -EPERM && err != -ENODEV)
 541                        BT_ERR("%s urb %p failed to resubmit (%d)",
 542                               hdev->name, urb, -err);
 543                usb_unanchor_urb(urb);
 544        }
 545}
 546
 547static int btusb_submit_intr_urb(struct hci_dev *hdev, gfp_t mem_flags)
 548{
 549        struct btusb_data *data = hci_get_drvdata(hdev);
 550        struct urb *urb;
 551        unsigned char *buf;
 552        unsigned int pipe;
 553        int err, size;
 554
 555        BT_DBG("%s", hdev->name);
 556
 557        if (!data->intr_ep)
 558                return -ENODEV;
 559
 560        urb = usb_alloc_urb(0, mem_flags);
 561        if (!urb)
 562                return -ENOMEM;
 563
 564        size = le16_to_cpu(data->intr_ep->wMaxPacketSize);
 565
 566        buf = kmalloc(size, mem_flags);
 567        if (!buf) {
 568                usb_free_urb(urb);
 569                return -ENOMEM;
 570        }
 571
 572        pipe = usb_rcvintpipe(data->udev, data->intr_ep->bEndpointAddress);
 573
 574        usb_fill_int_urb(urb, data->udev, pipe, buf, size,
 575                         btusb_intr_complete, hdev, data->intr_ep->bInterval);
 576
 577        urb->transfer_flags |= URB_FREE_BUFFER;
 578
 579        usb_anchor_urb(urb, &data->intr_anchor);
 580
 581        err = usb_submit_urb(urb, mem_flags);
 582        if (err < 0) {
 583                if (err != -EPERM && err != -ENODEV)
 584                        BT_ERR("%s urb %p submission failed (%d)",
 585                               hdev->name, urb, -err);
 586                usb_unanchor_urb(urb);
 587        }
 588
 589        usb_free_urb(urb);
 590
 591        return err;
 592}
 593
 594static void btusb_bulk_complete(struct urb *urb)
 595{
 596        struct hci_dev *hdev = urb->context;
 597        struct btusb_data *data = hci_get_drvdata(hdev);
 598        int err;
 599
 600        BT_DBG("%s urb %p status %d count %d", hdev->name, urb, urb->status,
 601               urb->actual_length);
 602
 603        if (!test_bit(HCI_RUNNING, &hdev->flags))
 604                return;
 605
 606        if (urb->status == 0) {
 607                hdev->stat.byte_rx += urb->actual_length;
 608
 609                if (data->recv_bulk(data, urb->transfer_buffer,
 610                                    urb->actual_length) < 0) {
 611                        BT_ERR("%s corrupted ACL packet", hdev->name);
 612                        hdev->stat.err_rx++;
 613                }
 614        } else if (urb->status == -ENOENT) {
 615                /* Avoid suspend failed when usb_kill_urb */
 616                return;
 617        }
 618
 619        if (!test_bit(BTUSB_BULK_RUNNING, &data->flags))
 620                return;
 621
 622        usb_anchor_urb(urb, &data->bulk_anchor);
 623        usb_mark_last_busy(data->udev);
 624
 625        err = usb_submit_urb(urb, GFP_ATOMIC);
 626        if (err < 0) {
 627                /* -EPERM: urb is being killed;
 628                 * -ENODEV: device got disconnected */
 629                if (err != -EPERM && err != -ENODEV)
 630                        BT_ERR("%s urb %p failed to resubmit (%d)",
 631                               hdev->name, urb, -err);
 632                usb_unanchor_urb(urb);
 633        }
 634}
 635
 636static int btusb_submit_bulk_urb(struct hci_dev *hdev, gfp_t mem_flags)
 637{
 638        struct btusb_data *data = hci_get_drvdata(hdev);
 639        struct urb *urb;
 640        unsigned char *buf;
 641        unsigned int pipe;
 642        int err, size = HCI_MAX_FRAME_SIZE;
 643
 644        BT_DBG("%s", hdev->name);
 645
 646        if (!data->bulk_rx_ep)
 647                return -ENODEV;
 648
 649        urb = usb_alloc_urb(0, mem_flags);
 650        if (!urb)
 651                return -ENOMEM;
 652
 653        buf = kmalloc(size, mem_flags);
 654        if (!buf) {
 655                usb_free_urb(urb);
 656                return -ENOMEM;
 657        }
 658
 659        pipe = usb_rcvbulkpipe(data->udev, data->bulk_rx_ep->bEndpointAddress);
 660
 661        usb_fill_bulk_urb(urb, data->udev, pipe, buf, size,
 662                          btusb_bulk_complete, hdev);
 663
 664        urb->transfer_flags |= URB_FREE_BUFFER;
 665
 666        usb_mark_last_busy(data->udev);
 667        usb_anchor_urb(urb, &data->bulk_anchor);
 668
 669        err = usb_submit_urb(urb, mem_flags);
 670        if (err < 0) {
 671                if (err != -EPERM && err != -ENODEV)
 672                        BT_ERR("%s urb %p submission failed (%d)",
 673                               hdev->name, urb, -err);
 674                usb_unanchor_urb(urb);
 675        }
 676
 677        usb_free_urb(urb);
 678
 679        return err;
 680}
 681
 682static void btusb_isoc_complete(struct urb *urb)
 683{
 684        struct hci_dev *hdev = urb->context;
 685        struct btusb_data *data = hci_get_drvdata(hdev);
 686        int i, err;
 687
 688        BT_DBG("%s urb %p status %d count %d", hdev->name, urb, urb->status,
 689               urb->actual_length);
 690
 691        if (!test_bit(HCI_RUNNING, &hdev->flags))
 692                return;
 693
 694        if (urb->status == 0) {
 695                for (i = 0; i < urb->number_of_packets; i++) {
 696                        unsigned int offset = urb->iso_frame_desc[i].offset;
 697                        unsigned int length = urb->iso_frame_desc[i].actual_length;
 698
 699                        if (urb->iso_frame_desc[i].status)
 700                                continue;
 701
 702                        hdev->stat.byte_rx += length;
 703
 704                        if (btusb_recv_isoc(data, urb->transfer_buffer + offset,
 705                                            length) < 0) {
 706                                BT_ERR("%s corrupted SCO packet", hdev->name);
 707                                hdev->stat.err_rx++;
 708                        }
 709                }
 710        } else if (urb->status == -ENOENT) {
 711                /* Avoid suspend failed when usb_kill_urb */
 712                return;
 713        }
 714
 715        if (!test_bit(BTUSB_ISOC_RUNNING, &data->flags))
 716                return;
 717
 718        usb_anchor_urb(urb, &data->isoc_anchor);
 719
 720        err = usb_submit_urb(urb, GFP_ATOMIC);
 721        if (err < 0) {
 722                /* -EPERM: urb is being killed;
 723                 * -ENODEV: device got disconnected */
 724                if (err != -EPERM && err != -ENODEV)
 725                        BT_ERR("%s urb %p failed to resubmit (%d)",
 726                               hdev->name, urb, -err);
 727                usb_unanchor_urb(urb);
 728        }
 729}
 730
 731static inline void __fill_isoc_descriptor(struct urb *urb, int len, int mtu)
 732{
 733        int i, offset = 0;
 734
 735        BT_DBG("len %d mtu %d", len, mtu);
 736
 737        for (i = 0; i < BTUSB_MAX_ISOC_FRAMES && len >= mtu;
 738                                        i++, offset += mtu, len -= mtu) {
 739                urb->iso_frame_desc[i].offset = offset;
 740                urb->iso_frame_desc[i].length = mtu;
 741        }
 742
 743        if (len && i < BTUSB_MAX_ISOC_FRAMES) {
 744                urb->iso_frame_desc[i].offset = offset;
 745                urb->iso_frame_desc[i].length = len;
 746                i++;
 747        }
 748
 749        urb->number_of_packets = i;
 750}
 751
 752static int btusb_submit_isoc_urb(struct hci_dev *hdev, gfp_t mem_flags)
 753{
 754        struct btusb_data *data = hci_get_drvdata(hdev);
 755        struct urb *urb;
 756        unsigned char *buf;
 757        unsigned int pipe;
 758        int err, size;
 759
 760        BT_DBG("%s", hdev->name);
 761
 762        if (!data->isoc_rx_ep)
 763                return -ENODEV;
 764
 765        urb = usb_alloc_urb(BTUSB_MAX_ISOC_FRAMES, mem_flags);
 766        if (!urb)
 767                return -ENOMEM;
 768
 769        size = le16_to_cpu(data->isoc_rx_ep->wMaxPacketSize) *
 770                                                BTUSB_MAX_ISOC_FRAMES;
 771
 772        buf = kmalloc(size, mem_flags);
 773        if (!buf) {
 774                usb_free_urb(urb);
 775                return -ENOMEM;
 776        }
 777
 778        pipe = usb_rcvisocpipe(data->udev, data->isoc_rx_ep->bEndpointAddress);
 779
 780        usb_fill_int_urb(urb, data->udev, pipe, buf, size, btusb_isoc_complete,
 781                         hdev, data->isoc_rx_ep->bInterval);
 782
 783        urb->transfer_flags = URB_FREE_BUFFER | URB_ISO_ASAP;
 784
 785        __fill_isoc_descriptor(urb, size,
 786                               le16_to_cpu(data->isoc_rx_ep->wMaxPacketSize));
 787
 788        usb_anchor_urb(urb, &data->isoc_anchor);
 789
 790        err = usb_submit_urb(urb, mem_flags);
 791        if (err < 0) {
 792                if (err != -EPERM && err != -ENODEV)
 793                        BT_ERR("%s urb %p submission failed (%d)",
 794                               hdev->name, urb, -err);
 795                usb_unanchor_urb(urb);
 796        }
 797
 798        usb_free_urb(urb);
 799
 800        return err;
 801}
 802
 803static void btusb_tx_complete(struct urb *urb)
 804{
 805        struct sk_buff *skb = urb->context;
 806        struct hci_dev *hdev = (struct hci_dev *)skb->dev;
 807        struct btusb_data *data = hci_get_drvdata(hdev);
 808
 809        BT_DBG("%s urb %p status %d count %d", hdev->name, urb, urb->status,
 810               urb->actual_length);
 811
 812        if (!test_bit(HCI_RUNNING, &hdev->flags))
 813                goto done;
 814
 815        if (!urb->status)
 816                hdev->stat.byte_tx += urb->transfer_buffer_length;
 817        else
 818                hdev->stat.err_tx++;
 819
 820done:
 821        spin_lock(&data->txlock);
 822        data->tx_in_flight--;
 823        spin_unlock(&data->txlock);
 824
 825        kfree(urb->setup_packet);
 826
 827        kfree_skb(skb);
 828}
 829
 830static void btusb_isoc_tx_complete(struct urb *urb)
 831{
 832        struct sk_buff *skb = urb->context;
 833        struct hci_dev *hdev = (struct hci_dev *)skb->dev;
 834
 835        BT_DBG("%s urb %p status %d count %d", hdev->name, urb, urb->status,
 836               urb->actual_length);
 837
 838        if (!test_bit(HCI_RUNNING, &hdev->flags))
 839                goto done;
 840
 841        if (!urb->status)
 842                hdev->stat.byte_tx += urb->transfer_buffer_length;
 843        else
 844                hdev->stat.err_tx++;
 845
 846done:
 847        kfree(urb->setup_packet);
 848
 849        kfree_skb(skb);
 850}
 851
 852static int btusb_open(struct hci_dev *hdev)
 853{
 854        struct btusb_data *data = hci_get_drvdata(hdev);
 855        int err;
 856
 857        BT_DBG("%s", hdev->name);
 858
 859        err = usb_autopm_get_interface(data->intf);
 860        if (err < 0)
 861                return err;
 862
 863        data->intf->needs_remote_wakeup = 1;
 864
 865        if (test_and_set_bit(HCI_RUNNING, &hdev->flags))
 866                goto done;
 867
 868        if (test_and_set_bit(BTUSB_INTR_RUNNING, &data->flags))
 869                goto done;
 870
 871        err = btusb_submit_intr_urb(hdev, GFP_KERNEL);
 872        if (err < 0)
 873                goto failed;
 874
 875        err = btusb_submit_bulk_urb(hdev, GFP_KERNEL);
 876        if (err < 0) {
 877                usb_kill_anchored_urbs(&data->intr_anchor);
 878                goto failed;
 879        }
 880
 881        set_bit(BTUSB_BULK_RUNNING, &data->flags);
 882        btusb_submit_bulk_urb(hdev, GFP_KERNEL);
 883
 884done:
 885        usb_autopm_put_interface(data->intf);
 886        return 0;
 887
 888failed:
 889        clear_bit(BTUSB_INTR_RUNNING, &data->flags);
 890        clear_bit(HCI_RUNNING, &hdev->flags);
 891        usb_autopm_put_interface(data->intf);
 892        return err;
 893}
 894
 895static void btusb_stop_traffic(struct btusb_data *data)
 896{
 897        usb_kill_anchored_urbs(&data->intr_anchor);
 898        usb_kill_anchored_urbs(&data->bulk_anchor);
 899        usb_kill_anchored_urbs(&data->isoc_anchor);
 900}
 901
 902static int btusb_close(struct hci_dev *hdev)
 903{
 904        struct btusb_data *data = hci_get_drvdata(hdev);
 905        int err;
 906
 907        BT_DBG("%s", hdev->name);
 908
 909        if (!test_and_clear_bit(HCI_RUNNING, &hdev->flags))
 910                return 0;
 911
 912        cancel_work_sync(&data->work);
 913        cancel_work_sync(&data->waker);
 914
 915        clear_bit(BTUSB_ISOC_RUNNING, &data->flags);
 916        clear_bit(BTUSB_BULK_RUNNING, &data->flags);
 917        clear_bit(BTUSB_INTR_RUNNING, &data->flags);
 918
 919        btusb_stop_traffic(data);
 920        btusb_free_frags(data);
 921
 922        err = usb_autopm_get_interface(data->intf);
 923        if (err < 0)
 924                goto failed;
 925
 926        data->intf->needs_remote_wakeup = 0;
 927        usb_autopm_put_interface(data->intf);
 928
 929failed:
 930        usb_scuttle_anchored_urbs(&data->deferred);
 931        return 0;
 932}
 933
 934static int btusb_flush(struct hci_dev *hdev)
 935{
 936        struct btusb_data *data = hci_get_drvdata(hdev);
 937
 938        BT_DBG("%s", hdev->name);
 939
 940        usb_kill_anchored_urbs(&data->tx_anchor);
 941        btusb_free_frags(data);
 942
 943        return 0;
 944}
 945
 946static struct urb *alloc_ctrl_urb(struct hci_dev *hdev, struct sk_buff *skb)
 947{
 948        struct btusb_data *data = hci_get_drvdata(hdev);
 949        struct usb_ctrlrequest *dr;
 950        struct urb *urb;
 951        unsigned int pipe;
 952
 953        urb = usb_alloc_urb(0, GFP_KERNEL);
 954        if (!urb)
 955                return ERR_PTR(-ENOMEM);
 956
 957        dr = kmalloc(sizeof(*dr), GFP_KERNEL);
 958        if (!dr) {
 959                usb_free_urb(urb);
 960                return ERR_PTR(-ENOMEM);
 961        }
 962
 963        dr->bRequestType = data->cmdreq_type;
 964        dr->bRequest     = 0;
 965        dr->wIndex       = 0;
 966        dr->wValue       = 0;
 967        dr->wLength      = __cpu_to_le16(skb->len);
 968
 969        pipe = usb_sndctrlpipe(data->udev, 0x00);
 970
 971        usb_fill_control_urb(urb, data->udev, pipe, (void *)dr,
 972                             skb->data, skb->len, btusb_tx_complete, skb);
 973
 974        skb->dev = (void *)hdev;
 975
 976        return urb;
 977}
 978
 979static struct urb *alloc_bulk_urb(struct hci_dev *hdev, struct sk_buff *skb)
 980{
 981        struct btusb_data *data = hci_get_drvdata(hdev);
 982        struct urb *urb;
 983        unsigned int pipe;
 984
 985        if (!data->bulk_tx_ep)
 986                return ERR_PTR(-ENODEV);
 987
 988        urb = usb_alloc_urb(0, GFP_KERNEL);
 989        if (!urb)
 990                return ERR_PTR(-ENOMEM);
 991
 992        pipe = usb_sndbulkpipe(data->udev, data->bulk_tx_ep->bEndpointAddress);
 993
 994        usb_fill_bulk_urb(urb, data->udev, pipe,
 995                          skb->data, skb->len, btusb_tx_complete, skb);
 996
 997        skb->dev = (void *)hdev;
 998
 999        return urb;
1000}
1001
1002static struct urb *alloc_isoc_urb(struct hci_dev *hdev, struct sk_buff *skb)
1003{
1004        struct btusb_data *data = hci_get_drvdata(hdev);
1005        struct urb *urb;
1006        unsigned int pipe;
1007
1008        if (!data->isoc_tx_ep)
1009                return ERR_PTR(-ENODEV);
1010
1011        urb = usb_alloc_urb(BTUSB_MAX_ISOC_FRAMES, GFP_KERNEL);
1012        if (!urb)
1013                return ERR_PTR(-ENOMEM);
1014
1015        pipe = usb_sndisocpipe(data->udev, data->isoc_tx_ep->bEndpointAddress);
1016
1017        usb_fill_int_urb(urb, data->udev, pipe,
1018                         skb->data, skb->len, btusb_isoc_tx_complete,
1019                         skb, data->isoc_tx_ep->bInterval);
1020
1021        urb->transfer_flags  = URB_ISO_ASAP;
1022
1023        __fill_isoc_descriptor(urb, skb->len,
1024                               le16_to_cpu(data->isoc_tx_ep->wMaxPacketSize));
1025
1026        skb->dev = (void *)hdev;
1027
1028        return urb;
1029}
1030
1031static int submit_tx_urb(struct hci_dev *hdev, struct urb *urb)
1032{
1033        struct btusb_data *data = hci_get_drvdata(hdev);
1034        int err;
1035
1036        usb_anchor_urb(urb, &data->tx_anchor);
1037
1038        err = usb_submit_urb(urb, GFP_KERNEL);
1039        if (err < 0) {
1040                if (err != -EPERM && err != -ENODEV)
1041                        BT_ERR("%s urb %p submission failed (%d)",
1042                               hdev->name, urb, -err);
1043                kfree(urb->setup_packet);
1044                usb_unanchor_urb(urb);
1045        } else {
1046                usb_mark_last_busy(data->udev);
1047        }
1048
1049        usb_free_urb(urb);
1050        return err;
1051}
1052
1053static int submit_or_queue_tx_urb(struct hci_dev *hdev, struct urb *urb)
1054{
1055        struct btusb_data *data = hci_get_drvdata(hdev);
1056        unsigned long flags;
1057        bool suspending;
1058
1059        spin_lock_irqsave(&data->txlock, flags);
1060        suspending = test_bit(BTUSB_SUSPENDING, &data->flags);
1061        if (!suspending)
1062                data->tx_in_flight++;
1063        spin_unlock_irqrestore(&data->txlock, flags);
1064
1065        if (!suspending)
1066                return submit_tx_urb(hdev, urb);
1067
1068        usb_anchor_urb(urb, &data->deferred);
1069        schedule_work(&data->waker);
1070
1071        usb_free_urb(urb);
1072        return 0;
1073}
1074
1075static int btusb_send_frame(struct hci_dev *hdev, struct sk_buff *skb)
1076{
1077        struct urb *urb;
1078
1079        BT_DBG("%s", hdev->name);
1080
1081        if (!test_bit(HCI_RUNNING, &hdev->flags))
1082                return -EBUSY;
1083
1084        switch (bt_cb(skb)->pkt_type) {
1085        case HCI_COMMAND_PKT:
1086                urb = alloc_ctrl_urb(hdev, skb);
1087                if (IS_ERR(urb))
1088                        return PTR_ERR(urb);
1089
1090                hdev->stat.cmd_tx++;
1091                return submit_or_queue_tx_urb(hdev, urb);
1092
1093        case HCI_ACLDATA_PKT:
1094                urb = alloc_bulk_urb(hdev, skb);
1095                if (IS_ERR(urb))
1096                        return PTR_ERR(urb);
1097
1098                hdev->stat.acl_tx++;
1099                return submit_or_queue_tx_urb(hdev, urb);
1100
1101        case HCI_SCODATA_PKT:
1102                if (hci_conn_num(hdev, SCO_LINK) < 1)
1103                        return -ENODEV;
1104
1105                urb = alloc_isoc_urb(hdev, skb);
1106                if (IS_ERR(urb))
1107                        return PTR_ERR(urb);
1108
1109                hdev->stat.sco_tx++;
1110                return submit_tx_urb(hdev, urb);
1111        }
1112
1113        return -EILSEQ;
1114}
1115
1116static void btusb_notify(struct hci_dev *hdev, unsigned int evt)
1117{
1118        struct btusb_data *data = hci_get_drvdata(hdev);
1119
1120        BT_DBG("%s evt %d", hdev->name, evt);
1121
1122        if (hci_conn_num(hdev, SCO_LINK) != data->sco_num) {
1123                data->sco_num = hci_conn_num(hdev, SCO_LINK);
1124                schedule_work(&data->work);
1125        }
1126}
1127
1128static inline int __set_isoc_interface(struct hci_dev *hdev, int altsetting)
1129{
1130        struct btusb_data *data = hci_get_drvdata(hdev);
1131        struct usb_interface *intf = data->isoc;
1132        struct usb_endpoint_descriptor *ep_desc;
1133        int i, err;
1134
1135        if (!data->isoc)
1136                return -ENODEV;
1137
1138        err = usb_set_interface(data->udev, 1, altsetting);
1139        if (err < 0) {
1140                BT_ERR("%s setting interface failed (%d)", hdev->name, -err);
1141                return err;
1142        }
1143
1144        data->isoc_altsetting = altsetting;
1145
1146        data->isoc_tx_ep = NULL;
1147        data->isoc_rx_ep = NULL;
1148
1149        for (i = 0; i < intf->cur_altsetting->desc.bNumEndpoints; i++) {
1150                ep_desc = &intf->cur_altsetting->endpoint[i].desc;
1151
1152                if (!data->isoc_tx_ep && usb_endpoint_is_isoc_out(ep_desc)) {
1153                        data->isoc_tx_ep = ep_desc;
1154                        continue;
1155                }
1156
1157                if (!data->isoc_rx_ep && usb_endpoint_is_isoc_in(ep_desc)) {
1158                        data->isoc_rx_ep = ep_desc;
1159                        continue;
1160                }
1161        }
1162
1163        if (!data->isoc_tx_ep || !data->isoc_rx_ep) {
1164                BT_ERR("%s invalid SCO descriptors", hdev->name);
1165                return -ENODEV;
1166        }
1167
1168        return 0;
1169}
1170
1171static void btusb_work(struct work_struct *work)
1172{
1173        struct btusb_data *data = container_of(work, struct btusb_data, work);
1174        struct hci_dev *hdev = data->hdev;
1175        int new_alts;
1176        int err;
1177
1178        if (data->sco_num > 0) {
1179                if (!test_bit(BTUSB_DID_ISO_RESUME, &data->flags)) {
1180                        err = usb_autopm_get_interface(data->isoc ? data->isoc : data->intf);
1181                        if (err < 0) {
1182                                clear_bit(BTUSB_ISOC_RUNNING, &data->flags);
1183                                usb_kill_anchored_urbs(&data->isoc_anchor);
1184                                return;
1185                        }
1186
1187                        set_bit(BTUSB_DID_ISO_RESUME, &data->flags);
1188                }
1189
1190                if (hdev->voice_setting & 0x0020) {
1191                        static const int alts[3] = { 2, 4, 5 };
1192
1193                        new_alts = alts[data->sco_num - 1];
1194                } else {
1195                        new_alts = data->sco_num;
1196                }
1197
1198                if (data->isoc_altsetting != new_alts) {
1199                        clear_bit(BTUSB_ISOC_RUNNING, &data->flags);
1200                        usb_kill_anchored_urbs(&data->isoc_anchor);
1201
1202                        if (__set_isoc_interface(hdev, new_alts) < 0)
1203                                return;
1204                }
1205
1206                if (!test_and_set_bit(BTUSB_ISOC_RUNNING, &data->flags)) {
1207                        if (btusb_submit_isoc_urb(hdev, GFP_KERNEL) < 0)
1208                                clear_bit(BTUSB_ISOC_RUNNING, &data->flags);
1209                        else
1210                                btusb_submit_isoc_urb(hdev, GFP_KERNEL);
1211                }
1212        } else {
1213                clear_bit(BTUSB_ISOC_RUNNING, &data->flags);
1214                usb_kill_anchored_urbs(&data->isoc_anchor);
1215
1216                __set_isoc_interface(hdev, 0);
1217                if (test_and_clear_bit(BTUSB_DID_ISO_RESUME, &data->flags))
1218                        usb_autopm_put_interface(data->isoc ? data->isoc : data->intf);
1219        }
1220}
1221
1222static void btusb_waker(struct work_struct *work)
1223{
1224        struct btusb_data *data = container_of(work, struct btusb_data, waker);
1225        int err;
1226
1227        err = usb_autopm_get_interface(data->intf);
1228        if (err < 0)
1229                return;
1230
1231        usb_autopm_put_interface(data->intf);
1232}
1233
1234static int btusb_setup_bcm92035(struct hci_dev *hdev)
1235{
1236        struct sk_buff *skb;
1237        u8 val = 0x00;
1238
1239        BT_DBG("%s", hdev->name);
1240
1241        skb = __hci_cmd_sync(hdev, 0xfc3b, 1, &val, HCI_INIT_TIMEOUT);
1242        if (IS_ERR(skb))
1243                BT_ERR("BCM92035 command failed (%ld)", -PTR_ERR(skb));
1244        else
1245                kfree_skb(skb);
1246
1247        return 0;
1248}
1249
1250static int btusb_setup_csr(struct hci_dev *hdev)
1251{
1252        struct hci_rp_read_local_version *rp;
1253        struct sk_buff *skb;
1254        int ret;
1255
1256        BT_DBG("%s", hdev->name);
1257
1258        skb = __hci_cmd_sync(hdev, HCI_OP_READ_LOCAL_VERSION, 0, NULL,
1259                             HCI_INIT_TIMEOUT);
1260        if (IS_ERR(skb)) {
1261                BT_ERR("Reading local version failed (%ld)", -PTR_ERR(skb));
1262                return -PTR_ERR(skb);
1263        }
1264
1265        rp = (struct hci_rp_read_local_version *)skb->data;
1266
1267        if (!rp->status) {
1268                if (le16_to_cpu(rp->manufacturer) != 10) {
1269                        /* Clear the reset quirk since this is not an actual
1270                         * early Bluetooth 1.1 device from CSR.
1271                         */
1272                        clear_bit(HCI_QUIRK_RESET_ON_CLOSE, &hdev->quirks);
1273
1274                        /* These fake CSR controllers have all a broken
1275                         * stored link key handling and so just disable it.
1276                         */
1277                        set_bit(HCI_QUIRK_BROKEN_STORED_LINK_KEY,
1278                                &hdev->quirks);
1279                }
1280        }
1281
1282        ret = -bt_to_errno(rp->status);
1283
1284        kfree_skb(skb);
1285
1286        return ret;
1287}
1288
1289struct intel_version {
1290        u8 status;
1291        u8 hw_platform;
1292        u8 hw_variant;
1293        u8 hw_revision;
1294        u8 fw_variant;
1295        u8 fw_revision;
1296        u8 fw_build_num;
1297        u8 fw_build_ww;
1298        u8 fw_build_yy;
1299        u8 fw_patch_num;
1300} __packed;
1301
1302static const struct firmware *btusb_setup_intel_get_fw(struct hci_dev *hdev,
1303                                                       struct intel_version *ver)
1304{
1305        const struct firmware *fw;
1306        char fwname[64];
1307        int ret;
1308
1309        snprintf(fwname, sizeof(fwname),
1310                 "intel/ibt-hw-%x.%x.%x-fw-%x.%x.%x.%x.%x.bseq",
1311                 ver->hw_platform, ver->hw_variant, ver->hw_revision,
1312                 ver->fw_variant,  ver->fw_revision, ver->fw_build_num,
1313                 ver->fw_build_ww, ver->fw_build_yy);
1314
1315        ret = request_firmware(&fw, fwname, &hdev->dev);
1316        if (ret < 0) {
1317                if (ret == -EINVAL) {
1318                        BT_ERR("%s Intel firmware file request failed (%d)",
1319                               hdev->name, ret);
1320                        return NULL;
1321                }
1322
1323                BT_ERR("%s failed to open Intel firmware file: %s(%d)",
1324                       hdev->name, fwname, ret);
1325
1326                /* If the correct firmware patch file is not found, use the
1327                 * default firmware patch file instead
1328                 */
1329                snprintf(fwname, sizeof(fwname), "intel/ibt-hw-%x.%x.bseq",
1330                         ver->hw_platform, ver->hw_variant);
1331                if (request_firmware(&fw, fwname, &hdev->dev) < 0) {
1332                        BT_ERR("%s failed to open default Intel fw file: %s",
1333                               hdev->name, fwname);
1334                        return NULL;
1335                }
1336        }
1337
1338        BT_INFO("%s: Intel Bluetooth firmware file: %s", hdev->name, fwname);
1339
1340        return fw;
1341}
1342
1343static int btusb_setup_intel_patching(struct hci_dev *hdev,
1344                                      const struct firmware *fw,
1345                                      const u8 **fw_ptr, int *disable_patch)
1346{
1347        struct sk_buff *skb;
1348        struct hci_command_hdr *cmd;
1349        const u8 *cmd_param;
1350        struct hci_event_hdr *evt = NULL;
1351        const u8 *evt_param = NULL;
1352        int remain = fw->size - (*fw_ptr - fw->data);
1353
1354        /* The first byte indicates the types of the patch command or event.
1355         * 0x01 means HCI command and 0x02 is HCI event. If the first bytes
1356         * in the current firmware buffer doesn't start with 0x01 or
1357         * the size of remain buffer is smaller than HCI command header,
1358         * the firmware file is corrupted and it should stop the patching
1359         * process.
1360         */
1361        if (remain > HCI_COMMAND_HDR_SIZE && *fw_ptr[0] != 0x01) {
1362                BT_ERR("%s Intel fw corrupted: invalid cmd read", hdev->name);
1363                return -EINVAL;
1364        }
1365        (*fw_ptr)++;
1366        remain--;
1367
1368        cmd = (struct hci_command_hdr *)(*fw_ptr);
1369        *fw_ptr += sizeof(*cmd);
1370        remain -= sizeof(*cmd);
1371
1372        /* Ensure that the remain firmware data is long enough than the length
1373         * of command parameter. If not, the firmware file is corrupted.
1374         */
1375        if (remain < cmd->plen) {
1376                BT_ERR("%s Intel fw corrupted: invalid cmd len", hdev->name);
1377                return -EFAULT;
1378        }
1379
1380        /* If there is a command that loads a patch in the firmware
1381         * file, then enable the patch upon success, otherwise just
1382         * disable the manufacturer mode, for example patch activation
1383         * is not required when the default firmware patch file is used
1384         * because there are no patch data to load.
1385         */
1386        if (*disable_patch && le16_to_cpu(cmd->opcode) == 0xfc8e)
1387                *disable_patch = 0;
1388
1389        cmd_param = *fw_ptr;
1390        *fw_ptr += cmd->plen;
1391        remain -= cmd->plen;
1392
1393        /* This reads the expected events when the above command is sent to the
1394         * device. Some vendor commands expects more than one events, for
1395         * example command status event followed by vendor specific event.
1396         * For this case, it only keeps the last expected event. so the command
1397         * can be sent with __hci_cmd_sync_ev() which returns the sk_buff of
1398         * last expected event.
1399         */
1400        while (remain > HCI_EVENT_HDR_SIZE && *fw_ptr[0] == 0x02) {
1401                (*fw_ptr)++;
1402                remain--;
1403
1404                evt = (struct hci_event_hdr *)(*fw_ptr);
1405                *fw_ptr += sizeof(*evt);
1406                remain -= sizeof(*evt);
1407
1408                if (remain < evt->plen) {
1409                        BT_ERR("%s Intel fw corrupted: invalid evt len",
1410                               hdev->name);
1411                        return -EFAULT;
1412                }
1413
1414                evt_param = *fw_ptr;
1415                *fw_ptr += evt->plen;
1416                remain -= evt->plen;
1417        }
1418
1419        /* Every HCI commands in the firmware file has its correspond event.
1420         * If event is not found or remain is smaller than zero, the firmware
1421         * file is corrupted.
1422         */
1423        if (!evt || !evt_param || remain < 0) {
1424                BT_ERR("%s Intel fw corrupted: invalid evt read", hdev->name);
1425                return -EFAULT;
1426        }
1427
1428        skb = __hci_cmd_sync_ev(hdev, le16_to_cpu(cmd->opcode), cmd->plen,
1429                                cmd_param, evt->evt, HCI_INIT_TIMEOUT);
1430        if (IS_ERR(skb)) {
1431                BT_ERR("%s sending Intel patch command (0x%4.4x) failed (%ld)",
1432                       hdev->name, cmd->opcode, PTR_ERR(skb));
1433                return PTR_ERR(skb);
1434        }
1435
1436        /* It ensures that the returned event matches the event data read from
1437         * the firmware file. At fist, it checks the length and then
1438         * the contents of the event.
1439         */
1440        if (skb->len != evt->plen) {
1441                BT_ERR("%s mismatch event length (opcode 0x%4.4x)", hdev->name,
1442                       le16_to_cpu(cmd->opcode));
1443                kfree_skb(skb);
1444                return -EFAULT;
1445        }
1446
1447        if (memcmp(skb->data, evt_param, evt->plen)) {
1448                BT_ERR("%s mismatch event parameter (opcode 0x%4.4x)",
1449                       hdev->name, le16_to_cpu(cmd->opcode));
1450                kfree_skb(skb);
1451                return -EFAULT;
1452        }
1453        kfree_skb(skb);
1454
1455        return 0;
1456}
1457
1458#define BDADDR_INTEL (&(bdaddr_t) {{0x00, 0x8b, 0x9e, 0x19, 0x03, 0x00}})
1459
1460static int btusb_check_bdaddr_intel(struct hci_dev *hdev)
1461{
1462        struct sk_buff *skb;
1463        struct hci_rp_read_bd_addr *rp;
1464
1465        skb = __hci_cmd_sync(hdev, HCI_OP_READ_BD_ADDR, 0, NULL,
1466                             HCI_INIT_TIMEOUT);
1467        if (IS_ERR(skb)) {
1468                BT_ERR("%s reading Intel device address failed (%ld)",
1469                       hdev->name, PTR_ERR(skb));
1470                return PTR_ERR(skb);
1471        }
1472
1473        if (skb->len != sizeof(*rp)) {
1474                BT_ERR("%s Intel device address length mismatch", hdev->name);
1475                kfree_skb(skb);
1476                return -EIO;
1477        }
1478
1479        rp = (struct hci_rp_read_bd_addr *)skb->data;
1480        if (rp->status) {
1481                BT_ERR("%s Intel device address result failed (%02x)",
1482                       hdev->name, rp->status);
1483                kfree_skb(skb);
1484                return -bt_to_errno(rp->status);
1485        }
1486
1487        /* For some Intel based controllers, the default Bluetooth device
1488         * address 00:03:19:9E:8B:00 can be found. These controllers are
1489         * fully operational, but have the danger of duplicate addresses
1490         * and that in turn can cause problems with Bluetooth operation.
1491         */
1492        if (!bacmp(&rp->bdaddr, BDADDR_INTEL)) {
1493                BT_ERR("%s found Intel default device address (%pMR)",
1494                       hdev->name, &rp->bdaddr);
1495                set_bit(HCI_QUIRK_INVALID_BDADDR, &hdev->quirks);
1496        }
1497
1498        kfree_skb(skb);
1499
1500        return 0;
1501}
1502
1503static int btusb_setup_intel(struct hci_dev *hdev)
1504{
1505        struct sk_buff *skb;
1506        const struct firmware *fw;
1507        const u8 *fw_ptr;
1508        int disable_patch;
1509        struct intel_version *ver;
1510
1511        const u8 mfg_enable[] = { 0x01, 0x00 };
1512        const u8 mfg_disable[] = { 0x00, 0x00 };
1513        const u8 mfg_reset_deactivate[] = { 0x00, 0x01 };
1514        const u8 mfg_reset_activate[] = { 0x00, 0x02 };
1515
1516        BT_DBG("%s", hdev->name);
1517
1518        /* The controller has a bug with the first HCI command sent to it
1519         * returning number of completed commands as zero. This would stall the
1520         * command processing in the Bluetooth core.
1521         *
1522         * As a workaround, send HCI Reset command first which will reset the
1523         * number of completed commands and allow normal command processing
1524         * from now on.
1525         */
1526        skb = __hci_cmd_sync(hdev, HCI_OP_RESET, 0, NULL, HCI_INIT_TIMEOUT);
1527        if (IS_ERR(skb)) {
1528                BT_ERR("%s sending initial HCI reset command failed (%ld)",
1529                       hdev->name, PTR_ERR(skb));
1530                return PTR_ERR(skb);
1531        }
1532        kfree_skb(skb);
1533
1534        /* Read Intel specific controller version first to allow selection of
1535         * which firmware file to load.
1536         *
1537         * The returned information are hardware variant and revision plus
1538         * firmware variant, revision and build number.
1539         */
1540        skb = __hci_cmd_sync(hdev, 0xfc05, 0, NULL, HCI_INIT_TIMEOUT);
1541        if (IS_ERR(skb)) {
1542                BT_ERR("%s reading Intel fw version command failed (%ld)",
1543                       hdev->name, PTR_ERR(skb));
1544                return PTR_ERR(skb);
1545        }
1546
1547        if (skb->len != sizeof(*ver)) {
1548                BT_ERR("%s Intel version event length mismatch", hdev->name);
1549                kfree_skb(skb);
1550                return -EIO;
1551        }
1552
1553        ver = (struct intel_version *)skb->data;
1554        if (ver->status) {
1555                BT_ERR("%s Intel fw version event failed (%02x)", hdev->name,
1556                       ver->status);
1557                kfree_skb(skb);
1558                return -bt_to_errno(ver->status);
1559        }
1560
1561        BT_INFO("%s: read Intel version: %02x%02x%02x%02x%02x%02x%02x%02x%02x",
1562                hdev->name, ver->hw_platform, ver->hw_variant,
1563                ver->hw_revision, ver->fw_variant,  ver->fw_revision,
1564                ver->fw_build_num, ver->fw_build_ww, ver->fw_build_yy,
1565                ver->fw_patch_num);
1566
1567        /* fw_patch_num indicates the version of patch the device currently
1568         * have. If there is no patch data in the device, it is always 0x00.
1569         * So, if it is other than 0x00, no need to patch the deivce again.
1570         */
1571        if (ver->fw_patch_num) {
1572                BT_INFO("%s: Intel device is already patched. patch num: %02x",
1573                        hdev->name, ver->fw_patch_num);
1574                kfree_skb(skb);
1575                btusb_check_bdaddr_intel(hdev);
1576                return 0;
1577        }
1578
1579        /* Opens the firmware patch file based on the firmware version read
1580         * from the controller. If it fails to open the matching firmware
1581         * patch file, it tries to open the default firmware patch file.
1582         * If no patch file is found, allow the device to operate without
1583         * a patch.
1584         */
1585        fw = btusb_setup_intel_get_fw(hdev, ver);
1586        if (!fw) {
1587                kfree_skb(skb);
1588                btusb_check_bdaddr_intel(hdev);
1589                return 0;
1590        }
1591        fw_ptr = fw->data;
1592
1593        /* This Intel specific command enables the manufacturer mode of the
1594         * controller.
1595         *
1596         * Only while this mode is enabled, the driver can download the
1597         * firmware patch data and configuration parameters.
1598         */
1599        skb = __hci_cmd_sync(hdev, 0xfc11, 2, mfg_enable, HCI_INIT_TIMEOUT);
1600        if (IS_ERR(skb)) {
1601                BT_ERR("%s entering Intel manufacturer mode failed (%ld)",
1602                       hdev->name, PTR_ERR(skb));
1603                release_firmware(fw);
1604                return PTR_ERR(skb);
1605        }
1606
1607        if (skb->data[0]) {
1608                u8 evt_status = skb->data[0];
1609
1610                BT_ERR("%s enable Intel manufacturer mode event failed (%02x)",
1611                       hdev->name, evt_status);
1612                kfree_skb(skb);
1613                release_firmware(fw);
1614                return -bt_to_errno(evt_status);
1615        }
1616        kfree_skb(skb);
1617
1618        disable_patch = 1;
1619
1620        /* The firmware data file consists of list of Intel specific HCI
1621         * commands and its expected events. The first byte indicates the
1622         * type of the message, either HCI command or HCI event.
1623         *
1624         * It reads the command and its expected event from the firmware file,
1625         * and send to the controller. Once __hci_cmd_sync_ev() returns,
1626         * the returned event is compared with the event read from the firmware
1627         * file and it will continue until all the messages are downloaded to
1628         * the controller.
1629         *
1630         * Once the firmware patching is completed successfully,
1631         * the manufacturer mode is disabled with reset and activating the
1632         * downloaded patch.
1633         *
1634         * If the firmware patching fails, the manufacturer mode is
1635         * disabled with reset and deactivating the patch.
1636         *
1637         * If the default patch file is used, no reset is done when disabling
1638         * the manufacturer.
1639         */
1640        while (fw->size > fw_ptr - fw->data) {
1641                int ret;
1642
1643                ret = btusb_setup_intel_patching(hdev, fw, &fw_ptr,
1644                                                 &disable_patch);
1645                if (ret < 0)
1646                        goto exit_mfg_deactivate;
1647        }
1648
1649        release_firmware(fw);
1650
1651        if (disable_patch)
1652                goto exit_mfg_disable;
1653
1654        /* Patching completed successfully and disable the manufacturer mode
1655         * with reset and activate the downloaded firmware patches.
1656         */
1657        skb = __hci_cmd_sync(hdev, 0xfc11, sizeof(mfg_reset_activate),
1658                             mfg_reset_activate, HCI_INIT_TIMEOUT);
1659        if (IS_ERR(skb)) {
1660                BT_ERR("%s exiting Intel manufacturer mode failed (%ld)",
1661                       hdev->name, PTR_ERR(skb));
1662                return PTR_ERR(skb);
1663        }
1664        kfree_skb(skb);
1665
1666        BT_INFO("%s: Intel Bluetooth firmware patch completed and activated",
1667                hdev->name);
1668
1669        btusb_check_bdaddr_intel(hdev);
1670        return 0;
1671
1672exit_mfg_disable:
1673        /* Disable the manufacturer mode without reset */
1674        skb = __hci_cmd_sync(hdev, 0xfc11, sizeof(mfg_disable), mfg_disable,
1675                             HCI_INIT_TIMEOUT);
1676        if (IS_ERR(skb)) {
1677                BT_ERR("%s exiting Intel manufacturer mode failed (%ld)",
1678                       hdev->name, PTR_ERR(skb));
1679                return PTR_ERR(skb);
1680        }
1681        kfree_skb(skb);
1682
1683        BT_INFO("%s: Intel Bluetooth firmware patch completed", hdev->name);
1684
1685        btusb_check_bdaddr_intel(hdev);
1686        return 0;
1687
1688exit_mfg_deactivate:
1689        release_firmware(fw);
1690
1691        /* Patching failed. Disable the manufacturer mode with reset and
1692         * deactivate the downloaded firmware patches.
1693         */
1694        skb = __hci_cmd_sync(hdev, 0xfc11, sizeof(mfg_reset_deactivate),
1695                             mfg_reset_deactivate, HCI_INIT_TIMEOUT);
1696        if (IS_ERR(skb)) {
1697                BT_ERR("%s exiting Intel manufacturer mode failed (%ld)",
1698                       hdev->name, PTR_ERR(skb));
1699                return PTR_ERR(skb);
1700        }
1701        kfree_skb(skb);
1702
1703        BT_INFO("%s: Intel Bluetooth firmware patch completed and deactivated",
1704                hdev->name);
1705
1706        btusb_check_bdaddr_intel(hdev);
1707        return 0;
1708}
1709
1710static int btusb_set_bdaddr_intel(struct hci_dev *hdev, const bdaddr_t *bdaddr)
1711{
1712        struct sk_buff *skb;
1713        long ret;
1714
1715        skb = __hci_cmd_sync(hdev, 0xfc31, 6, bdaddr, HCI_INIT_TIMEOUT);
1716        if (IS_ERR(skb)) {
1717                ret = PTR_ERR(skb);
1718                BT_ERR("%s: changing Intel device address failed (%ld)",
1719                       hdev->name, ret);
1720                return ret;
1721        }
1722        kfree_skb(skb);
1723
1724        return 0;
1725}
1726
1727static int btusb_set_bdaddr_marvell(struct hci_dev *hdev,
1728                                    const bdaddr_t *bdaddr)
1729{
1730        struct sk_buff *skb;
1731        u8 buf[8];
1732        long ret;
1733
1734        buf[0] = 0xfe;
1735        buf[1] = sizeof(bdaddr_t);
1736        memcpy(buf + 2, bdaddr, sizeof(bdaddr_t));
1737
1738        skb = __hci_cmd_sync(hdev, 0xfc22, sizeof(buf), buf, HCI_INIT_TIMEOUT);
1739        if (IS_ERR(skb)) {
1740                ret = PTR_ERR(skb);
1741                BT_ERR("%s: changing Marvell device address failed (%ld)",
1742                       hdev->name, ret);
1743                return ret;
1744        }
1745        kfree_skb(skb);
1746
1747        return 0;
1748}
1749
1750#define BDADDR_BCM20702A0 (&(bdaddr_t) {{0x00, 0xa0, 0x02, 0x70, 0x20, 0x00}})
1751
1752static int btusb_setup_bcm_patchram(struct hci_dev *hdev)
1753{
1754        struct btusb_data *data = hci_get_drvdata(hdev);
1755        struct usb_device *udev = data->udev;
1756        char fw_name[64];
1757        const struct firmware *fw;
1758        const u8 *fw_ptr;
1759        size_t fw_size;
1760        const struct hci_command_hdr *cmd;
1761        const u8 *cmd_param;
1762        u16 opcode;
1763        struct sk_buff *skb;
1764        struct hci_rp_read_local_version *ver;
1765        struct hci_rp_read_bd_addr *bda;
1766        long ret;
1767
1768        snprintf(fw_name, sizeof(fw_name), "brcm/%s-%04x-%04x.hcd",
1769                 udev->product ? udev->product : "BCM",
1770                 le16_to_cpu(udev->descriptor.idVendor),
1771                 le16_to_cpu(udev->descriptor.idProduct));
1772
1773        ret = request_firmware(&fw, fw_name, &hdev->dev);
1774        if (ret < 0) {
1775                BT_INFO("%s: BCM: patch %s not found", hdev->name, fw_name);
1776                return 0;
1777        }
1778
1779        /* Reset */
1780        skb = __hci_cmd_sync(hdev, HCI_OP_RESET, 0, NULL, HCI_INIT_TIMEOUT);
1781        if (IS_ERR(skb)) {
1782                ret = PTR_ERR(skb);
1783                BT_ERR("%s: HCI_OP_RESET failed (%ld)", hdev->name, ret);
1784                goto done;
1785        }
1786        kfree_skb(skb);
1787
1788        /* Read Local Version Info */
1789        skb = __hci_cmd_sync(hdev, HCI_OP_READ_LOCAL_VERSION, 0, NULL,
1790                             HCI_INIT_TIMEOUT);
1791        if (IS_ERR(skb)) {
1792                ret = PTR_ERR(skb);
1793                BT_ERR("%s: HCI_OP_READ_LOCAL_VERSION failed (%ld)",
1794                       hdev->name, ret);
1795                goto done;
1796        }
1797
1798        if (skb->len != sizeof(*ver)) {
1799                BT_ERR("%s: HCI_OP_READ_LOCAL_VERSION event length mismatch",
1800                       hdev->name);
1801                kfree_skb(skb);
1802                ret = -EIO;
1803                goto done;
1804        }
1805
1806        ver = (struct hci_rp_read_local_version *)skb->data;
1807        BT_INFO("%s: BCM: patching hci_ver=%02x hci_rev=%04x lmp_ver=%02x "
1808                "lmp_subver=%04x", hdev->name, ver->hci_ver, ver->hci_rev,
1809                ver->lmp_ver, ver->lmp_subver);
1810        kfree_skb(skb);
1811
1812        /* Start Download */
1813        skb = __hci_cmd_sync(hdev, 0xfc2e, 0, NULL, HCI_INIT_TIMEOUT);
1814        if (IS_ERR(skb)) {
1815                ret = PTR_ERR(skb);
1816                BT_ERR("%s: BCM: Download Minidrv command failed (%ld)",
1817                       hdev->name, ret);
1818                goto reset_fw;
1819        }
1820        kfree_skb(skb);
1821
1822        /* 50 msec delay after Download Minidrv completes */
1823        msleep(50);
1824
1825        fw_ptr = fw->data;
1826        fw_size = fw->size;
1827
1828        while (fw_size >= sizeof(*cmd)) {
1829                cmd = (struct hci_command_hdr *)fw_ptr;
1830                fw_ptr += sizeof(*cmd);
1831                fw_size -= sizeof(*cmd);
1832
1833                if (fw_size < cmd->plen) {
1834                        BT_ERR("%s: BCM: patch %s is corrupted",
1835                               hdev->name, fw_name);
1836                        ret = -EINVAL;
1837                        goto reset_fw;
1838                }
1839
1840                cmd_param = fw_ptr;
1841                fw_ptr += cmd->plen;
1842                fw_size -= cmd->plen;
1843
1844                opcode = le16_to_cpu(cmd->opcode);
1845
1846                skb = __hci_cmd_sync(hdev, opcode, cmd->plen, cmd_param,
1847                                     HCI_INIT_TIMEOUT);
1848                if (IS_ERR(skb)) {
1849                        ret = PTR_ERR(skb);
1850                        BT_ERR("%s: BCM: patch command %04x failed (%ld)",
1851                               hdev->name, opcode, ret);
1852                        goto reset_fw;
1853                }
1854                kfree_skb(skb);
1855        }
1856
1857        /* 250 msec delay after Launch Ram completes */
1858        msleep(250);
1859
1860reset_fw:
1861        /* Reset */
1862        skb = __hci_cmd_sync(hdev, HCI_OP_RESET, 0, NULL, HCI_INIT_TIMEOUT);
1863        if (IS_ERR(skb)) {
1864                ret = PTR_ERR(skb);
1865                BT_ERR("%s: HCI_OP_RESET failed (%ld)", hdev->name, ret);
1866                goto done;
1867        }
1868        kfree_skb(skb);
1869
1870        /* Read Local Version Info */
1871        skb = __hci_cmd_sync(hdev, HCI_OP_READ_LOCAL_VERSION, 0, NULL,
1872                             HCI_INIT_TIMEOUT);
1873        if (IS_ERR(skb)) {
1874                ret = PTR_ERR(skb);
1875                BT_ERR("%s: HCI_OP_READ_LOCAL_VERSION failed (%ld)",
1876                       hdev->name, ret);
1877                goto done;
1878        }
1879
1880        if (skb->len != sizeof(*ver)) {
1881                BT_ERR("%s: HCI_OP_READ_LOCAL_VERSION event length mismatch",
1882                       hdev->name);
1883                kfree_skb(skb);
1884                ret = -EIO;
1885                goto done;
1886        }
1887
1888        ver = (struct hci_rp_read_local_version *)skb->data;
1889        BT_INFO("%s: BCM: firmware hci_ver=%02x hci_rev=%04x lmp_ver=%02x "
1890                "lmp_subver=%04x", hdev->name, ver->hci_ver, ver->hci_rev,
1891                ver->lmp_ver, ver->lmp_subver);
1892        kfree_skb(skb);
1893
1894        /* Read BD Address */
1895        skb = __hci_cmd_sync(hdev, HCI_OP_READ_BD_ADDR, 0, NULL,
1896                             HCI_INIT_TIMEOUT);
1897        if (IS_ERR(skb)) {
1898                ret = PTR_ERR(skb);
1899                BT_ERR("%s: HCI_OP_READ_BD_ADDR failed (%ld)",
1900                       hdev->name, ret);
1901                goto done;
1902        }
1903
1904        if (skb->len != sizeof(*bda)) {
1905                BT_ERR("%s: HCI_OP_READ_BD_ADDR event length mismatch",
1906                       hdev->name);
1907                kfree_skb(skb);
1908                ret = -EIO;
1909                goto done;
1910        }
1911
1912        bda = (struct hci_rp_read_bd_addr *)skb->data;
1913        if (bda->status) {
1914                BT_ERR("%s: HCI_OP_READ_BD_ADDR error status (%02x)",
1915                       hdev->name, bda->status);
1916                kfree_skb(skb);
1917                ret = -bt_to_errno(bda->status);
1918                goto done;
1919        }
1920
1921        /* The address 00:20:70:02:A0:00 indicates a BCM20702A0 controller
1922         * with no configured address.
1923         */
1924        if (!bacmp(&bda->bdaddr, BDADDR_BCM20702A0)) {
1925                BT_INFO("%s: BCM: using default device address (%pMR)",
1926                        hdev->name, &bda->bdaddr);
1927                set_bit(HCI_QUIRK_INVALID_BDADDR, &hdev->quirks);
1928        }
1929
1930        kfree_skb(skb);
1931
1932done:
1933        release_firmware(fw);
1934
1935        return ret;
1936}
1937
1938static int btusb_set_bdaddr_bcm(struct hci_dev *hdev, const bdaddr_t *bdaddr)
1939{
1940        struct sk_buff *skb;
1941        long ret;
1942
1943        skb = __hci_cmd_sync(hdev, 0xfc01, 6, bdaddr, HCI_INIT_TIMEOUT);
1944        if (IS_ERR(skb)) {
1945                ret = PTR_ERR(skb);
1946                BT_ERR("%s: BCM: Change address command failed (%ld)",
1947                       hdev->name, ret);
1948                return ret;
1949        }
1950        kfree_skb(skb);
1951
1952        return 0;
1953}
1954
1955static int btusb_probe(struct usb_interface *intf,
1956                       const struct usb_device_id *id)
1957{
1958        struct usb_endpoint_descriptor *ep_desc;
1959        struct btusb_data *data;
1960        struct hci_dev *hdev;
1961        int i, err;
1962
1963        BT_DBG("intf %p id %p", intf, id);
1964
1965        /* interface numbers are hardcoded in the spec */
1966        if (intf->cur_altsetting->desc.bInterfaceNumber != 0)
1967                return -ENODEV;
1968
1969        if (!id->driver_info) {
1970                const struct usb_device_id *match;
1971
1972                match = usb_match_id(intf, blacklist_table);
1973                if (match)
1974                        id = match;
1975        }
1976
1977        if (id->driver_info == BTUSB_IGNORE)
1978                return -ENODEV;
1979
1980        if (id->driver_info & BTUSB_ATH3012) {
1981                struct usb_device *udev = interface_to_usbdev(intf);
1982
1983                /* Old firmware would otherwise let ath3k driver load
1984                 * patch and sysconfig files */
1985                if (le16_to_cpu(udev->descriptor.bcdDevice) <= 0x0001)
1986                        return -ENODEV;
1987        }
1988
1989        data = devm_kzalloc(&intf->dev, sizeof(*data), GFP_KERNEL);
1990        if (!data)
1991                return -ENOMEM;
1992
1993        for (i = 0; i < intf->cur_altsetting->desc.bNumEndpoints; i++) {
1994                ep_desc = &intf->cur_altsetting->endpoint[i].desc;
1995
1996                if (!data->intr_ep && usb_endpoint_is_int_in(ep_desc)) {
1997                        data->intr_ep = ep_desc;
1998                        continue;
1999                }
2000
2001                if (!data->bulk_tx_ep && usb_endpoint_is_bulk_out(ep_desc)) {
2002                        data->bulk_tx_ep = ep_desc;
2003                        continue;
2004                }
2005
2006                if (!data->bulk_rx_ep && usb_endpoint_is_bulk_in(ep_desc)) {
2007                        data->bulk_rx_ep = ep_desc;
2008                        continue;
2009                }
2010        }
2011
2012        if (!data->intr_ep || !data->bulk_tx_ep || !data->bulk_rx_ep)
2013                return -ENODEV;
2014
2015        data->cmdreq_type = USB_TYPE_CLASS;
2016
2017        data->udev = interface_to_usbdev(intf);
2018        data->intf = intf;
2019
2020        INIT_WORK(&data->work, btusb_work);
2021        INIT_WORK(&data->waker, btusb_waker);
2022        init_usb_anchor(&data->deferred);
2023        init_usb_anchor(&data->tx_anchor);
2024        spin_lock_init(&data->txlock);
2025
2026        init_usb_anchor(&data->intr_anchor);
2027        init_usb_anchor(&data->bulk_anchor);
2028        init_usb_anchor(&data->isoc_anchor);
2029        spin_lock_init(&data->rxlock);
2030
2031        data->recv_bulk = btusb_recv_bulk;
2032
2033        hdev = hci_alloc_dev();
2034        if (!hdev)
2035                return -ENOMEM;
2036
2037        hdev->bus = HCI_USB;
2038        hci_set_drvdata(hdev, data);
2039
2040        data->hdev = hdev;
2041
2042        SET_HCIDEV_DEV(hdev, &intf->dev);
2043
2044        hdev->open   = btusb_open;
2045        hdev->close  = btusb_close;
2046        hdev->flush  = btusb_flush;
2047        hdev->send   = btusb_send_frame;
2048        hdev->notify = btusb_notify;
2049
2050        if (id->driver_info & BTUSB_BCM92035)
2051                hdev->setup = btusb_setup_bcm92035;
2052
2053        if (id->driver_info & BTUSB_BCM_PATCHRAM) {
2054                hdev->setup = btusb_setup_bcm_patchram;
2055                hdev->set_bdaddr = btusb_set_bdaddr_bcm;
2056                set_bit(HCI_QUIRK_STRICT_DUPLICATE_FILTER, &hdev->quirks);
2057        }
2058
2059        if (id->driver_info & BTUSB_INTEL) {
2060                hdev->setup = btusb_setup_intel;
2061                hdev->set_bdaddr = btusb_set_bdaddr_intel;
2062        }
2063
2064        if (id->driver_info & BTUSB_MARVELL)
2065                hdev->set_bdaddr = btusb_set_bdaddr_marvell;
2066
2067        if (id->driver_info & BTUSB_INTEL_BOOT)
2068                set_bit(HCI_QUIRK_RAW_DEVICE, &hdev->quirks);
2069
2070        /* Interface numbers are hardcoded in the specification */
2071        data->isoc = usb_ifnum_to_if(data->udev, 1);
2072
2073        if (!reset)
2074                set_bit(HCI_QUIRK_RESET_ON_CLOSE, &hdev->quirks);
2075
2076        if (force_scofix || id->driver_info & BTUSB_WRONG_SCO_MTU) {
2077                if (!disable_scofix)
2078                        set_bit(HCI_QUIRK_FIXUP_BUFFER_SIZE, &hdev->quirks);
2079        }
2080
2081        if (id->driver_info & BTUSB_BROKEN_ISOC)
2082                data->isoc = NULL;
2083
2084        if (id->driver_info & BTUSB_DIGIANSWER) {
2085                data->cmdreq_type = USB_TYPE_VENDOR;
2086                set_bit(HCI_QUIRK_RESET_ON_CLOSE, &hdev->quirks);
2087        }
2088
2089        if (id->driver_info & BTUSB_CSR) {
2090                struct usb_device *udev = data->udev;
2091                u16 bcdDevice = le16_to_cpu(udev->descriptor.bcdDevice);
2092
2093                /* Old firmware would otherwise execute USB reset */
2094                if (bcdDevice < 0x117)
2095                        set_bit(HCI_QUIRK_RESET_ON_CLOSE, &hdev->quirks);
2096
2097                /* Fake CSR devices with broken commands */
2098                if (bcdDevice <= 0x100)
2099                        hdev->setup = btusb_setup_csr;
2100        }
2101
2102        if (id->driver_info & BTUSB_SNIFFER) {
2103                struct usb_device *udev = data->udev;
2104
2105                /* New sniffer firmware has crippled HCI interface */
2106                if (le16_to_cpu(udev->descriptor.bcdDevice) > 0x997)
2107                        set_bit(HCI_QUIRK_RAW_DEVICE, &hdev->quirks);
2108        }
2109
2110        if (id->driver_info & BTUSB_INTEL_BOOT) {
2111                /* A bug in the bootloader causes that interrupt interface is
2112                 * only enabled after receiving SetInterface(0, AltSetting=0).
2113                 */
2114                err = usb_set_interface(data->udev, 0, 0);
2115                if (err < 0) {
2116                        BT_ERR("failed to set interface 0, alt 0 %d", err);
2117                        hci_free_dev(hdev);
2118                        return err;
2119                }
2120        }
2121
2122        if (data->isoc) {
2123                err = usb_driver_claim_interface(&btusb_driver,
2124                                                 data->isoc, data);
2125                if (err < 0) {
2126                        hci_free_dev(hdev);
2127                        return err;
2128                }
2129        }
2130
2131        err = hci_register_dev(hdev);
2132        if (err < 0) {
2133                hci_free_dev(hdev);
2134                return err;
2135        }
2136
2137        usb_set_intfdata(intf, data);
2138
2139        return 0;
2140}
2141
2142static void btusb_disconnect(struct usb_interface *intf)
2143{
2144        struct btusb_data *data = usb_get_intfdata(intf);
2145        struct hci_dev *hdev;
2146
2147        BT_DBG("intf %p", intf);
2148
2149        if (!data)
2150                return;
2151
2152        hdev = data->hdev;
2153        usb_set_intfdata(data->intf, NULL);
2154
2155        if (data->isoc)
2156                usb_set_intfdata(data->isoc, NULL);
2157
2158        hci_unregister_dev(hdev);
2159
2160        if (intf == data->isoc)
2161                usb_driver_release_interface(&btusb_driver, data->intf);
2162        else if (data->isoc)
2163                usb_driver_release_interface(&btusb_driver, data->isoc);
2164
2165        btusb_free_frags(data);
2166        hci_free_dev(hdev);
2167}
2168
2169#ifdef CONFIG_PM
2170static int btusb_suspend(struct usb_interface *intf, pm_message_t message)
2171{
2172        struct btusb_data *data = usb_get_intfdata(intf);
2173
2174        BT_DBG("intf %p", intf);
2175
2176        if (data->suspend_count++)
2177                return 0;
2178
2179        spin_lock_irq(&data->txlock);
2180        if (!(PMSG_IS_AUTO(message) && data->tx_in_flight)) {
2181                set_bit(BTUSB_SUSPENDING, &data->flags);
2182                spin_unlock_irq(&data->txlock);
2183        } else {
2184                spin_unlock_irq(&data->txlock);
2185                data->suspend_count--;
2186                return -EBUSY;
2187        }
2188
2189        cancel_work_sync(&data->work);
2190
2191        btusb_stop_traffic(data);
2192        usb_kill_anchored_urbs(&data->tx_anchor);
2193
2194        return 0;
2195}
2196
2197static void play_deferred(struct btusb_data *data)
2198{
2199        struct urb *urb;
2200        int err;
2201
2202        while ((urb = usb_get_from_anchor(&data->deferred))) {
2203                err = usb_submit_urb(urb, GFP_ATOMIC);
2204                if (err < 0)
2205                        break;
2206
2207                data->tx_in_flight++;
2208        }
2209        usb_scuttle_anchored_urbs(&data->deferred);
2210}
2211
2212static int btusb_resume(struct usb_interface *intf)
2213{
2214        struct btusb_data *data = usb_get_intfdata(intf);
2215        struct hci_dev *hdev = data->hdev;
2216        int err = 0;
2217
2218        BT_DBG("intf %p", intf);
2219
2220        if (--data->suspend_count)
2221                return 0;
2222
2223        if (!test_bit(HCI_RUNNING, &hdev->flags))
2224                goto done;
2225
2226        if (test_bit(BTUSB_INTR_RUNNING, &data->flags)) {
2227                err = btusb_submit_intr_urb(hdev, GFP_NOIO);
2228                if (err < 0) {
2229                        clear_bit(BTUSB_INTR_RUNNING, &data->flags);
2230                        goto failed;
2231                }
2232        }
2233
2234        if (test_bit(BTUSB_BULK_RUNNING, &data->flags)) {
2235                err = btusb_submit_bulk_urb(hdev, GFP_NOIO);
2236                if (err < 0) {
2237                        clear_bit(BTUSB_BULK_RUNNING, &data->flags);
2238                        goto failed;
2239                }
2240
2241                btusb_submit_bulk_urb(hdev, GFP_NOIO);
2242        }
2243
2244        if (test_bit(BTUSB_ISOC_RUNNING, &data->flags)) {
2245                if (btusb_submit_isoc_urb(hdev, GFP_NOIO) < 0)
2246                        clear_bit(BTUSB_ISOC_RUNNING, &data->flags);
2247                else
2248                        btusb_submit_isoc_urb(hdev, GFP_NOIO);
2249        }
2250
2251        spin_lock_irq(&data->txlock);
2252        play_deferred(data);
2253        clear_bit(BTUSB_SUSPENDING, &data->flags);
2254        spin_unlock_irq(&data->txlock);
2255        schedule_work(&data->work);
2256
2257        return 0;
2258
2259failed:
2260        usb_scuttle_anchored_urbs(&data->deferred);
2261done:
2262        spin_lock_irq(&data->txlock);
2263        clear_bit(BTUSB_SUSPENDING, &data->flags);
2264        spin_unlock_irq(&data->txlock);
2265
2266        return err;
2267}
2268#endif
2269
2270static struct usb_driver btusb_driver = {
2271        .name           = "btusb",
2272        .probe          = btusb_probe,
2273        .disconnect     = btusb_disconnect,
2274#ifdef CONFIG_PM
2275        .suspend        = btusb_suspend,
2276        .resume         = btusb_resume,
2277#endif
2278        .id_table       = btusb_table,
2279        .supports_autosuspend = 1,
2280        .disable_hub_initiated_lpm = 1,
2281};
2282
2283module_usb_driver(btusb_driver);
2284
2285module_param(disable_scofix, bool, 0644);
2286MODULE_PARM_DESC(disable_scofix, "Disable fixup of wrong SCO buffer size");
2287
2288module_param(force_scofix, bool, 0644);
2289MODULE_PARM_DESC(force_scofix, "Force fixup of wrong SCO buffers size");
2290
2291module_param(reset, bool, 0644);
2292MODULE_PARM_DESC(reset, "Send HCI reset command on initialization");
2293
2294MODULE_AUTHOR("Marcel Holtmann <marcel@holtmann.org>");
2295MODULE_DESCRIPTION("Generic Bluetooth USB driver ver " VERSION);
2296MODULE_VERSION(VERSION);
2297MODULE_LICENSE("GPL");
2298
lxr.linux.no kindly hosted by Redpill Linpro AS, provider of Linux consulting and operations services since 1995.