1 /* 2 * 3 * Generic Bluetooth USB driver 4 * 5 * Copyright (C) 2005-2008 Marcel Holtmann <marcel@holtmann.org> 6 * 7 * 8 * This program is free software; you can redistribute it and/or modify 9 * it under the terms of the GNU General Public License as published by 10 * the Free Software Foundation; either version 2 of the License, or 11 * (at your option) any later version. 12 * 13 * This program is distributed in the hope that it will be useful, 14 * but WITHOUT ANY WARRANTY; without even the implied warranty of 15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 16 * GNU General Public License for more details. 17 * 18 * You should have received a copy of the GNU General Public License 19 * along with this program; if not, write to the Free Software 20 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA 21 * 22 */ 23 24 #include <linux/module.h> 25 #include <linux/usb.h> 26 #include <linux/firmware.h> 27 #include <asm/unaligned.h> 28 29 #include <net/bluetooth/bluetooth.h> 30 #include <net/bluetooth/hci_core.h> 31 32 #include "btintel.h" 33 #include "btbcm.h" 34 #include "btrtl.h" 35 36 #define VERSION "0.8" 37 38 static bool disable_scofix; 39 static bool force_scofix; 40 41 static bool reset = true; 42 43 static struct usb_driver btusb_driver; 44 45 #define BTUSB_IGNORE 0x01 46 #define BTUSB_DIGIANSWER 0x02 47 #define BTUSB_CSR 0x04 48 #define BTUSB_SNIFFER 0x08 49 #define BTUSB_BCM92035 0x10 50 #define BTUSB_BROKEN_ISOC 0x20 51 #define BTUSB_WRONG_SCO_MTU 0x40 52 #define BTUSB_ATH3012 0x80 53 #define BTUSB_INTEL 0x100 54 #define BTUSB_INTEL_BOOT 0x200 55 #define BTUSB_BCM_PATCHRAM 0x400 56 #define BTUSB_MARVELL 0x800 57 #define BTUSB_SWAVE 0x1000 58 #define BTUSB_INTEL_NEW 0x2000 59 #define BTUSB_AMP 0x4000 60 #define BTUSB_QCA_ROME 0x8000 61 #define BTUSB_BCM_APPLE 0x10000 62 #define BTUSB_REALTEK 0x20000 63 64 static const struct usb_device_id btusb_table[] = { 65 /* Generic Bluetooth USB device */ 66 { USB_DEVICE_INFO(0xe0, 0x01, 0x01) }, 67 68 /* Generic Bluetooth AMP device */ 69 { USB_DEVICE_INFO(0xe0, 0x01, 0x04), .driver_info = BTUSB_AMP }, 70 71 /* Apple-specific (Broadcom) devices */ 72 { USB_VENDOR_AND_INTERFACE_INFO(0x05ac, 0xff, 0x01, 0x01), 73 .driver_info = BTUSB_BCM_APPLE }, 74 75 /* MediaTek MT76x0E */ 76 { USB_DEVICE(0x0e8d, 0x763f) }, 77 78 /* Broadcom SoftSailing reporting vendor specific */ 79 { USB_DEVICE(0x0a5c, 0x21e1) }, 80 81 /* Apple MacBookPro 7,1 */ 82 { USB_DEVICE(0x05ac, 0x8213) }, 83 84 /* Apple iMac11,1 */ 85 { USB_DEVICE(0x05ac, 0x8215) }, 86 87 /* Apple MacBookPro6,2 */ 88 { USB_DEVICE(0x05ac, 0x8218) }, 89 90 /* Apple MacBookAir3,1, MacBookAir3,2 */ 91 { USB_DEVICE(0x05ac, 0x821b) }, 92 93 /* Apple MacBookAir4,1 */ 94 { USB_DEVICE(0x05ac, 0x821f) }, 95 96 /* Apple MacBookPro8,2 */ 97 { USB_DEVICE(0x05ac, 0x821a) }, 98 99 /* Apple MacMini5,1 */ 100 { USB_DEVICE(0x05ac, 0x8281) }, 101 102 /* AVM BlueFRITZ! USB v2.0 */ 103 { USB_DEVICE(0x057c, 0x3800), .driver_info = BTUSB_SWAVE }, 104 105 /* Bluetooth Ultraport Module from IBM */ 106 { USB_DEVICE(0x04bf, 0x030a) }, 107 108 /* ALPS Modules with non-standard id */ 109 { USB_DEVICE(0x044e, 0x3001) }, 110 { USB_DEVICE(0x044e, 0x3002) }, 111 112 /* Ericsson with non-standard id */ 113 { USB_DEVICE(0x0bdb, 0x1002) }, 114 115 /* Canyon CN-BTU1 with HID interfaces */ 116 { USB_DEVICE(0x0c10, 0x0000) }, 117 118 /* Broadcom BCM20702A0 */ 119 { USB_DEVICE(0x413c, 0x8197) }, 120 121 /* Broadcom BCM20702B0 (Dynex/Insignia) */ 122 { USB_DEVICE(0x19ff, 0x0239), .driver_info = BTUSB_BCM_PATCHRAM }, 123 124 /* Foxconn - Hon Hai */ 125 { USB_VENDOR_AND_INTERFACE_INFO(0x0489, 0xff, 0x01, 0x01), 126 .driver_info = BTUSB_BCM_PATCHRAM }, 127 128 /* Lite-On Technology - Broadcom based */ 129 { USB_VENDOR_AND_INTERFACE_INFO(0x04ca, 0xff, 0x01, 0x01), 130 .driver_info = BTUSB_BCM_PATCHRAM }, 131 132 /* Broadcom devices with vendor specific id */ 133 { USB_VENDOR_AND_INTERFACE_INFO(0x0a5c, 0xff, 0x01, 0x01), 134 .driver_info = BTUSB_BCM_PATCHRAM }, 135 136 /* ASUSTek Computer - Broadcom based */ 137 { USB_VENDOR_AND_INTERFACE_INFO(0x0b05, 0xff, 0x01, 0x01), 138 .driver_info = BTUSB_BCM_PATCHRAM }, 139 140 /* Belkin F8065bf - Broadcom based */ 141 { USB_VENDOR_AND_INTERFACE_INFO(0x050d, 0xff, 0x01, 0x01), 142 .driver_info = BTUSB_BCM_PATCHRAM }, 143 144 /* IMC Networks - Broadcom based */ 145 { USB_VENDOR_AND_INTERFACE_INFO(0x13d3, 0xff, 0x01, 0x01), 146 .driver_info = BTUSB_BCM_PATCHRAM }, 147 148 /* Intel Bluetooth USB Bootloader (RAM module) */ 149 { USB_DEVICE(0x8087, 0x0a5a), 150 .driver_info = BTUSB_INTEL_BOOT | BTUSB_BROKEN_ISOC }, 151 152 { } /* Terminating entry */ 153 }; 154 155 MODULE_DEVICE_TABLE(usb, btusb_table); 156 157 static const struct usb_device_id blacklist_table[] = { 158 /* CSR BlueCore devices */ 159 { USB_DEVICE(0x0a12, 0x0001), .driver_info = BTUSB_CSR }, 160 161 /* Broadcom BCM2033 without firmware */ 162 { USB_DEVICE(0x0a5c, 0x2033), .driver_info = BTUSB_IGNORE }, 163 164 /* Atheros 3011 with sflash firmware */ 165 { USB_DEVICE(0x0489, 0xe027), .driver_info = BTUSB_IGNORE }, 166 { USB_DEVICE(0x0489, 0xe03d), .driver_info = BTUSB_IGNORE }, 167 { USB_DEVICE(0x04f2, 0xaff1), .driver_info = BTUSB_IGNORE }, 168 { USB_DEVICE(0x0930, 0x0215), .driver_info = BTUSB_IGNORE }, 169 { USB_DEVICE(0x0cf3, 0x3002), .driver_info = BTUSB_IGNORE }, 170 { USB_DEVICE(0x0cf3, 0xe019), .driver_info = BTUSB_IGNORE }, 171 { USB_DEVICE(0x13d3, 0x3304), .driver_info = BTUSB_IGNORE }, 172 173 /* Atheros AR9285 Malbec with sflash firmware */ 174 { USB_DEVICE(0x03f0, 0x311d), .driver_info = BTUSB_IGNORE }, 175 176 /* Atheros 3012 with sflash firmware */ 177 { USB_DEVICE(0x0489, 0xe04d), .driver_info = BTUSB_ATH3012 }, 178 { USB_DEVICE(0x0489, 0xe04e), .driver_info = BTUSB_ATH3012 }, 179 { USB_DEVICE(0x0489, 0xe056), .driver_info = BTUSB_ATH3012 }, 180 { USB_DEVICE(0x0489, 0xe057), .driver_info = BTUSB_ATH3012 }, 181 { USB_DEVICE(0x0489, 0xe05f), .driver_info = BTUSB_ATH3012 }, 182 { USB_DEVICE(0x0489, 0xe076), .driver_info = BTUSB_ATH3012 }, 183 { USB_DEVICE(0x0489, 0xe078), .driver_info = BTUSB_ATH3012 }, 184 { USB_DEVICE(0x04c5, 0x1330), .driver_info = BTUSB_ATH3012 }, 185 { USB_DEVICE(0x04ca, 0x3004), .driver_info = BTUSB_ATH3012 }, 186 { USB_DEVICE(0x04ca, 0x3005), .driver_info = BTUSB_ATH3012 }, 187 { USB_DEVICE(0x04ca, 0x3006), .driver_info = BTUSB_ATH3012 }, 188 { USB_DEVICE(0x04ca, 0x3007), .driver_info = BTUSB_ATH3012 }, 189 { USB_DEVICE(0x04ca, 0x3008), .driver_info = BTUSB_ATH3012 }, 190 { USB_DEVICE(0x04ca, 0x300b), .driver_info = BTUSB_ATH3012 }, 191 { USB_DEVICE(0x04ca, 0x300d), .driver_info = BTUSB_ATH3012 }, 192 { USB_DEVICE(0x04ca, 0x300f), .driver_info = BTUSB_ATH3012 }, 193 { USB_DEVICE(0x04ca, 0x3010), .driver_info = BTUSB_ATH3012 }, 194 { USB_DEVICE(0x0930, 0x0219), .driver_info = BTUSB_ATH3012 }, 195 { USB_DEVICE(0x0930, 0x0220), .driver_info = BTUSB_ATH3012 }, 196 { USB_DEVICE(0x0930, 0x0227), .driver_info = BTUSB_ATH3012 }, 197 { USB_DEVICE(0x0b05, 0x17d0), .driver_info = BTUSB_ATH3012 }, 198 { USB_DEVICE(0x0cf3, 0x0036), .driver_info = BTUSB_ATH3012 }, 199 { USB_DEVICE(0x0cf3, 0x3004), .driver_info = BTUSB_ATH3012 }, 200 { USB_DEVICE(0x0cf3, 0x3008), .driver_info = BTUSB_ATH3012 }, 201 { USB_DEVICE(0x0cf3, 0x311d), .driver_info = BTUSB_ATH3012 }, 202 { USB_DEVICE(0x0cf3, 0x311e), .driver_info = BTUSB_ATH3012 }, 203 { USB_DEVICE(0x0cf3, 0x311f), .driver_info = BTUSB_ATH3012 }, 204 { USB_DEVICE(0x0cf3, 0x3121), .driver_info = BTUSB_ATH3012 }, 205 { USB_DEVICE(0x0cf3, 0x817a), .driver_info = BTUSB_ATH3012 }, 206 { USB_DEVICE(0x0cf3, 0xe003), .driver_info = BTUSB_ATH3012 }, 207 { USB_DEVICE(0x0cf3, 0xe004), .driver_info = BTUSB_ATH3012 }, 208 { USB_DEVICE(0x0cf3, 0xe005), .driver_info = BTUSB_ATH3012 }, 209 { USB_DEVICE(0x0cf3, 0xe006), .driver_info = BTUSB_ATH3012 }, 210 { USB_DEVICE(0x13d3, 0x3362), .driver_info = BTUSB_ATH3012 }, 211 { USB_DEVICE(0x13d3, 0x3375), .driver_info = BTUSB_ATH3012 }, 212 { USB_DEVICE(0x13d3, 0x3393), .driver_info = BTUSB_ATH3012 }, 213 { USB_DEVICE(0x13d3, 0x3402), .driver_info = BTUSB_ATH3012 }, 214 { USB_DEVICE(0x13d3, 0x3408), .driver_info = BTUSB_ATH3012 }, 215 { USB_DEVICE(0x13d3, 0x3423), .driver_info = BTUSB_ATH3012 }, 216 { USB_DEVICE(0x13d3, 0x3432), .driver_info = BTUSB_ATH3012 }, 217 { USB_DEVICE(0x13d3, 0x3474), .driver_info = BTUSB_ATH3012 }, 218 219 /* Atheros AR5BBU12 with sflash firmware */ 220 { USB_DEVICE(0x0489, 0xe02c), .driver_info = BTUSB_IGNORE }, 221 222 /* Atheros AR5BBU12 with sflash firmware */ 223 { USB_DEVICE(0x0489, 0xe036), .driver_info = BTUSB_ATH3012 }, 224 { USB_DEVICE(0x0489, 0xe03c), .driver_info = BTUSB_ATH3012 }, 225 226 /* QCA ROME chipset */ 227 { USB_DEVICE(0x0cf3, 0xe007), .driver_info = BTUSB_QCA_ROME }, 228 { USB_DEVICE(0x0cf3, 0xe300), .driver_info = BTUSB_QCA_ROME }, 229 { USB_DEVICE(0x0cf3, 0xe360), .driver_info = BTUSB_QCA_ROME }, 230 231 /* Broadcom BCM2035 */ 232 { USB_DEVICE(0x0a5c, 0x2009), .driver_info = BTUSB_BCM92035 }, 233 { USB_DEVICE(0x0a5c, 0x200a), .driver_info = BTUSB_WRONG_SCO_MTU }, 234 { USB_DEVICE(0x0a5c, 0x2035), .driver_info = BTUSB_WRONG_SCO_MTU }, 235 236 /* Broadcom BCM2045 */ 237 { USB_DEVICE(0x0a5c, 0x2039), .driver_info = BTUSB_WRONG_SCO_MTU }, 238 { USB_DEVICE(0x0a5c, 0x2101), .driver_info = BTUSB_WRONG_SCO_MTU }, 239 240 /* IBM/Lenovo ThinkPad with Broadcom chip */ 241 { USB_DEVICE(0x0a5c, 0x201e), .driver_info = BTUSB_WRONG_SCO_MTU }, 242 { USB_DEVICE(0x0a5c, 0x2110), .driver_info = BTUSB_WRONG_SCO_MTU }, 243 244 /* HP laptop with Broadcom chip */ 245 { USB_DEVICE(0x03f0, 0x171d), .driver_info = BTUSB_WRONG_SCO_MTU }, 246 247 /* Dell laptop with Broadcom chip */ 248 { USB_DEVICE(0x413c, 0x8126), .driver_info = BTUSB_WRONG_SCO_MTU }, 249 250 /* Dell Wireless 370 and 410 devices */ 251 { USB_DEVICE(0x413c, 0x8152), .driver_info = BTUSB_WRONG_SCO_MTU }, 252 { USB_DEVICE(0x413c, 0x8156), .driver_info = BTUSB_WRONG_SCO_MTU }, 253 254 /* Belkin F8T012 and F8T013 devices */ 255 { USB_DEVICE(0x050d, 0x0012), .driver_info = BTUSB_WRONG_SCO_MTU }, 256 { USB_DEVICE(0x050d, 0x0013), .driver_info = BTUSB_WRONG_SCO_MTU }, 257 258 /* Asus WL-BTD202 device */ 259 { USB_DEVICE(0x0b05, 0x1715), .driver_info = BTUSB_WRONG_SCO_MTU }, 260 261 /* Kensington Bluetooth USB adapter */ 262 { USB_DEVICE(0x047d, 0x105e), .driver_info = BTUSB_WRONG_SCO_MTU }, 263 264 /* RTX Telecom based adapters with buggy SCO support */ 265 { USB_DEVICE(0x0400, 0x0807), .driver_info = BTUSB_BROKEN_ISOC }, 266 { USB_DEVICE(0x0400, 0x080a), .driver_info = BTUSB_BROKEN_ISOC }, 267 268 /* CONWISE Technology based adapters with buggy SCO support */ 269 { USB_DEVICE(0x0e5e, 0x6622), .driver_info = BTUSB_BROKEN_ISOC }, 270 271 /* Roper Class 1 Bluetooth Dongle (Silicon Wave based) */ 272 { USB_DEVICE(0x1310, 0x0001), .driver_info = BTUSB_SWAVE }, 273 274 /* Digianswer devices */ 275 { USB_DEVICE(0x08fd, 0x0001), .driver_info = BTUSB_DIGIANSWER }, 276 { USB_DEVICE(0x08fd, 0x0002), .driver_info = BTUSB_IGNORE }, 277 278 /* CSR BlueCore Bluetooth Sniffer */ 279 { USB_DEVICE(0x0a12, 0x0002), 280 .driver_info = BTUSB_SNIFFER | BTUSB_BROKEN_ISOC }, 281 282 /* Frontline ComProbe Bluetooth Sniffer */ 283 { USB_DEVICE(0x16d3, 0x0002), 284 .driver_info = BTUSB_SNIFFER | BTUSB_BROKEN_ISOC }, 285 286 /* Marvell Bluetooth devices */ 287 { USB_DEVICE(0x1286, 0x2044), .driver_info = BTUSB_MARVELL }, 288 { USB_DEVICE(0x1286, 0x2046), .driver_info = BTUSB_MARVELL }, 289 290 /* Intel Bluetooth devices */ 291 { USB_DEVICE(0x8087, 0x07da), .driver_info = BTUSB_CSR }, 292 { USB_DEVICE(0x8087, 0x07dc), .driver_info = BTUSB_INTEL }, 293 { USB_DEVICE(0x8087, 0x0a2a), .driver_info = BTUSB_INTEL }, 294 { USB_DEVICE(0x8087, 0x0a2b), .driver_info = BTUSB_INTEL_NEW }, 295 296 /* Other Intel Bluetooth devices */ 297 { USB_VENDOR_AND_INTERFACE_INFO(0x8087, 0xe0, 0x01, 0x01), 298 .driver_info = BTUSB_IGNORE }, 299 300 /* Realtek Bluetooth devices */ 301 { USB_VENDOR_AND_INTERFACE_INFO(0x0bda, 0xe0, 0x01, 0x01), 302 .driver_info = BTUSB_REALTEK }, 303 304 /* Additional Realtek 8723AE Bluetooth devices */ 305 { USB_DEVICE(0x0930, 0x021d), .driver_info = BTUSB_REALTEK }, 306 { USB_DEVICE(0x13d3, 0x3394), .driver_info = BTUSB_REALTEK }, 307 308 /* Additional Realtek 8723BE Bluetooth devices */ 309 { USB_DEVICE(0x0489, 0xe085), .driver_info = BTUSB_REALTEK }, 310 { USB_DEVICE(0x0489, 0xe08b), .driver_info = BTUSB_REALTEK }, 311 { USB_DEVICE(0x13d3, 0x3410), .driver_info = BTUSB_REALTEK }, 312 { USB_DEVICE(0x13d3, 0x3416), .driver_info = BTUSB_REALTEK }, 313 { USB_DEVICE(0x13d3, 0x3459), .driver_info = BTUSB_REALTEK }, 314 315 /* Additional Realtek 8821AE Bluetooth devices */ 316 { USB_DEVICE(0x0b05, 0x17dc), .driver_info = BTUSB_REALTEK }, 317 { USB_DEVICE(0x13d3, 0x3414), .driver_info = BTUSB_REALTEK }, 318 { USB_DEVICE(0x13d3, 0x3458), .driver_info = BTUSB_REALTEK }, 319 { USB_DEVICE(0x13d3, 0x3461), .driver_info = BTUSB_REALTEK }, 320 { USB_DEVICE(0x13d3, 0x3462), .driver_info = BTUSB_REALTEK }, 321 322 { } /* Terminating entry */ 323 }; 324 325 #define BTUSB_MAX_ISOC_FRAMES 10 326 327 #define BTUSB_INTR_RUNNING 0 328 #define BTUSB_BULK_RUNNING 1 329 #define BTUSB_ISOC_RUNNING 2 330 #define BTUSB_SUSPENDING 3 331 #define BTUSB_DID_ISO_RESUME 4 332 #define BTUSB_BOOTLOADER 5 333 #define BTUSB_DOWNLOADING 6 334 #define BTUSB_FIRMWARE_LOADED 7 335 #define BTUSB_FIRMWARE_FAILED 8 336 #define BTUSB_BOOTING 9 337 #define BTUSB_RESET_RESUME 10 338 339 struct btusb_data { 340 struct hci_dev *hdev; 341 struct usb_device *udev; 342 struct usb_interface *intf; 343 struct usb_interface *isoc; 344 345 unsigned long flags; 346 347 struct work_struct work; 348 struct work_struct waker; 349 350 struct usb_anchor deferred; 351 struct usb_anchor tx_anchor; 352 int tx_in_flight; 353 spinlock_t txlock; 354 355 struct usb_anchor intr_anchor; 356 struct usb_anchor bulk_anchor; 357 struct usb_anchor isoc_anchor; 358 spinlock_t rxlock; 359 360 struct sk_buff *evt_skb; 361 struct sk_buff *acl_skb; 362 struct sk_buff *sco_skb; 363 364 struct usb_endpoint_descriptor *intr_ep; 365 struct usb_endpoint_descriptor *bulk_tx_ep; 366 struct usb_endpoint_descriptor *bulk_rx_ep; 367 struct usb_endpoint_descriptor *isoc_tx_ep; 368 struct usb_endpoint_descriptor *isoc_rx_ep; 369 370 __u8 cmdreq_type; 371 __u8 cmdreq; 372 373 unsigned int sco_num; 374 int isoc_altsetting; 375 int suspend_count; 376 377 int (*recv_event)(struct hci_dev *hdev, struct sk_buff *skb); 378 int (*recv_bulk)(struct btusb_data *data, void *buffer, int count); 379 380 int (*setup_on_usb)(struct hci_dev *hdev); 381 }; 382 383 static inline void btusb_free_frags(struct btusb_data *data) 384 { 385 unsigned long flags; 386 387 spin_lock_irqsave(&data->rxlock, flags); 388 389 kfree_skb(data->evt_skb); 390 data->evt_skb = NULL; 391 392 kfree_skb(data->acl_skb); 393 data->acl_skb = NULL; 394 395 kfree_skb(data->sco_skb); 396 data->sco_skb = NULL; 397 398 spin_unlock_irqrestore(&data->rxlock, flags); 399 } 400 401 static int btusb_recv_intr(struct btusb_data *data, void *buffer, int count) 402 { 403 struct sk_buff *skb; 404 int err = 0; 405 406 spin_lock(&data->rxlock); 407 skb = data->evt_skb; 408 409 while (count) { 410 int len; 411 412 if (!skb) { 413 skb = bt_skb_alloc(HCI_MAX_EVENT_SIZE, GFP_ATOMIC); 414 if (!skb) { 415 err = -ENOMEM; 416 break; 417 } 418 419 bt_cb(skb)->pkt_type = HCI_EVENT_PKT; 420 bt_cb(skb)->expect = HCI_EVENT_HDR_SIZE; 421 } 422 423 len = min_t(uint, bt_cb(skb)->expect, count); 424 memcpy(skb_put(skb, len), buffer, len); 425 426 count -= len; 427 buffer += len; 428 bt_cb(skb)->expect -= len; 429 430 if (skb->len == HCI_EVENT_HDR_SIZE) { 431 /* Complete event header */ 432 bt_cb(skb)->expect = hci_event_hdr(skb)->plen; 433 434 if (skb_tailroom(skb) < bt_cb(skb)->expect) { 435 kfree_skb(skb); 436 skb = NULL; 437 438 err = -EILSEQ; 439 break; 440 } 441 } 442 443 if (bt_cb(skb)->expect == 0) { 444 /* Complete frame */ 445 data->recv_event(data->hdev, skb); 446 skb = NULL; 447 } 448 } 449 450 data->evt_skb = skb; 451 spin_unlock(&data->rxlock); 452 453 return err; 454 } 455 456 static int btusb_recv_bulk(struct btusb_data *data, void *buffer, int count) 457 { 458 struct sk_buff *skb; 459 int err = 0; 460 461 spin_lock(&data->rxlock); 462 skb = data->acl_skb; 463 464 while (count) { 465 int len; 466 467 if (!skb) { 468 skb = bt_skb_alloc(HCI_MAX_FRAME_SIZE, GFP_ATOMIC); 469 if (!skb) { 470 err = -ENOMEM; 471 break; 472 } 473 474 bt_cb(skb)->pkt_type = HCI_ACLDATA_PKT; 475 bt_cb(skb)->expect = HCI_ACL_HDR_SIZE; 476 } 477 478 len = min_t(uint, bt_cb(skb)->expect, count); 479 memcpy(skb_put(skb, len), buffer, len); 480 481 count -= len; 482 buffer += len; 483 bt_cb(skb)->expect -= len; 484 485 if (skb->len == HCI_ACL_HDR_SIZE) { 486 __le16 dlen = hci_acl_hdr(skb)->dlen; 487 488 /* Complete ACL header */ 489 bt_cb(skb)->expect = __le16_to_cpu(dlen); 490 491 if (skb_tailroom(skb) < bt_cb(skb)->expect) { 492 kfree_skb(skb); 493 skb = NULL; 494 495 err = -EILSEQ; 496 break; 497 } 498 } 499 500 if (bt_cb(skb)->expect == 0) { 501 /* Complete frame */ 502 hci_recv_frame(data->hdev, skb); 503 skb = NULL; 504 } 505 } 506 507 data->acl_skb = skb; 508 spin_unlock(&data->rxlock); 509 510 return err; 511 } 512 513 static int btusb_recv_isoc(struct btusb_data *data, void *buffer, int count) 514 { 515 struct sk_buff *skb; 516 int err = 0; 517 518 spin_lock(&data->rxlock); 519 skb = data->sco_skb; 520 521 while (count) { 522 int len; 523 524 if (!skb) { 525 skb = bt_skb_alloc(HCI_MAX_SCO_SIZE, GFP_ATOMIC); 526 if (!skb) { 527 err = -ENOMEM; 528 break; 529 } 530 531 bt_cb(skb)->pkt_type = HCI_SCODATA_PKT; 532 bt_cb(skb)->expect = HCI_SCO_HDR_SIZE; 533 } 534 535 len = min_t(uint, bt_cb(skb)->expect, count); 536 memcpy(skb_put(skb, len), buffer, len); 537 538 count -= len; 539 buffer += len; 540 bt_cb(skb)->expect -= len; 541 542 if (skb->len == HCI_SCO_HDR_SIZE) { 543 /* Complete SCO header */ 544 bt_cb(skb)->expect = hci_sco_hdr(skb)->dlen; 545 546 if (skb_tailroom(skb) < bt_cb(skb)->expect) { 547 kfree_skb(skb); 548 skb = NULL; 549 550 err = -EILSEQ; 551 break; 552 } 553 } 554 555 if (bt_cb(skb)->expect == 0) { 556 /* Complete frame */ 557 hci_recv_frame(data->hdev, skb); 558 skb = NULL; 559 } 560 } 561 562 data->sco_skb = skb; 563 spin_unlock(&data->rxlock); 564 565 return err; 566 } 567 568 static void btusb_intr_complete(struct urb *urb) 569 { 570 struct hci_dev *hdev = urb->context; 571 struct btusb_data *data = hci_get_drvdata(hdev); 572 int err; 573 574 BT_DBG("%s urb %p status %d count %d", hdev->name, urb, urb->status, 575 urb->actual_length); 576 577 if (!test_bit(HCI_RUNNING, &hdev->flags)) 578 return; 579 580 if (urb->status == 0) { 581 hdev->stat.byte_rx += urb->actual_length; 582 583 if (btusb_recv_intr(data, urb->transfer_buffer, 584 urb->actual_length) < 0) { 585 BT_ERR("%s corrupted event packet", hdev->name); 586 hdev->stat.err_rx++; 587 } 588 } else if (urb->status == -ENOENT) { 589 /* Avoid suspend failed when usb_kill_urb */ 590 return; 591 } 592 593 if (!test_bit(BTUSB_INTR_RUNNING, &data->flags)) 594 return; 595 596 usb_mark_last_busy(data->udev); 597 usb_anchor_urb(urb, &data->intr_anchor); 598 599 err = usb_submit_urb(urb, GFP_ATOMIC); 600 if (err < 0) { 601 /* -EPERM: urb is being killed; 602 * -ENODEV: device got disconnected */ 603 if (err != -EPERM && err != -ENODEV) 604 BT_ERR("%s urb %p failed to resubmit (%d)", 605 hdev->name, urb, -err); 606 usb_unanchor_urb(urb); 607 } 608 } 609 610 static int btusb_submit_intr_urb(struct hci_dev *hdev, gfp_t mem_flags) 611 { 612 struct btusb_data *data = hci_get_drvdata(hdev); 613 struct urb *urb; 614 unsigned char *buf; 615 unsigned int pipe; 616 int err, size; 617 618 BT_DBG("%s", hdev->name); 619 620 if (!data->intr_ep) 621 return -ENODEV; 622 623 urb = usb_alloc_urb(0, mem_flags); 624 if (!urb) 625 return -ENOMEM; 626 627 size = le16_to_cpu(data->intr_ep->wMaxPacketSize); 628 629 buf = kmalloc(size, mem_flags); 630 if (!buf) { 631 usb_free_urb(urb); 632 return -ENOMEM; 633 } 634 635 pipe = usb_rcvintpipe(data->udev, data->intr_ep->bEndpointAddress); 636 637 usb_fill_int_urb(urb, data->udev, pipe, buf, size, 638 btusb_intr_complete, hdev, data->intr_ep->bInterval); 639 640 urb->transfer_flags |= URB_FREE_BUFFER; 641 642 usb_anchor_urb(urb, &data->intr_anchor); 643 644 err = usb_submit_urb(urb, mem_flags); 645 if (err < 0) { 646 if (err != -EPERM && err != -ENODEV) 647 BT_ERR("%s urb %p submission failed (%d)", 648 hdev->name, urb, -err); 649 usb_unanchor_urb(urb); 650 } 651 652 usb_free_urb(urb); 653 654 return err; 655 } 656 657 static void btusb_bulk_complete(struct urb *urb) 658 { 659 struct hci_dev *hdev = urb->context; 660 struct btusb_data *data = hci_get_drvdata(hdev); 661 int err; 662 663 BT_DBG("%s urb %p status %d count %d", hdev->name, urb, urb->status, 664 urb->actual_length); 665 666 if (!test_bit(HCI_RUNNING, &hdev->flags)) 667 return; 668 669 if (urb->status == 0) { 670 hdev->stat.byte_rx += urb->actual_length; 671 672 if (data->recv_bulk(data, urb->transfer_buffer, 673 urb->actual_length) < 0) { 674 BT_ERR("%s corrupted ACL packet", hdev->name); 675 hdev->stat.err_rx++; 676 } 677 } else if (urb->status == -ENOENT) { 678 /* Avoid suspend failed when usb_kill_urb */ 679 return; 680 } 681 682 if (!test_bit(BTUSB_BULK_RUNNING, &data->flags)) 683 return; 684 685 usb_anchor_urb(urb, &data->bulk_anchor); 686 usb_mark_last_busy(data->udev); 687 688 err = usb_submit_urb(urb, GFP_ATOMIC); 689 if (err < 0) { 690 /* -EPERM: urb is being killed; 691 * -ENODEV: device got disconnected */ 692 if (err != -EPERM && err != -ENODEV) 693 BT_ERR("%s urb %p failed to resubmit (%d)", 694 hdev->name, urb, -err); 695 usb_unanchor_urb(urb); 696 } 697 } 698 699 static int btusb_submit_bulk_urb(struct hci_dev *hdev, gfp_t mem_flags) 700 { 701 struct btusb_data *data = hci_get_drvdata(hdev); 702 struct urb *urb; 703 unsigned char *buf; 704 unsigned int pipe; 705 int err, size = HCI_MAX_FRAME_SIZE; 706 707 BT_DBG("%s", hdev->name); 708 709 if (!data->bulk_rx_ep) 710 return -ENODEV; 711 712 urb = usb_alloc_urb(0, mem_flags); 713 if (!urb) 714 return -ENOMEM; 715 716 buf = kmalloc(size, mem_flags); 717 if (!buf) { 718 usb_free_urb(urb); 719 return -ENOMEM; 720 } 721 722 pipe = usb_rcvbulkpipe(data->udev, data->bulk_rx_ep->bEndpointAddress); 723 724 usb_fill_bulk_urb(urb, data->udev, pipe, buf, size, 725 btusb_bulk_complete, hdev); 726 727 urb->transfer_flags |= URB_FREE_BUFFER; 728 729 usb_mark_last_busy(data->udev); 730 usb_anchor_urb(urb, &data->bulk_anchor); 731 732 err = usb_submit_urb(urb, mem_flags); 733 if (err < 0) { 734 if (err != -EPERM && err != -ENODEV) 735 BT_ERR("%s urb %p submission failed (%d)", 736 hdev->name, urb, -err); 737 usb_unanchor_urb(urb); 738 } 739 740 usb_free_urb(urb); 741 742 return err; 743 } 744 745 static void btusb_isoc_complete(struct urb *urb) 746 { 747 struct hci_dev *hdev = urb->context; 748 struct btusb_data *data = hci_get_drvdata(hdev); 749 int i, err; 750 751 BT_DBG("%s urb %p status %d count %d", hdev->name, urb, urb->status, 752 urb->actual_length); 753 754 if (!test_bit(HCI_RUNNING, &hdev->flags)) 755 return; 756 757 if (urb->status == 0) { 758 for (i = 0; i < urb->number_of_packets; i++) { 759 unsigned int offset = urb->iso_frame_desc[i].offset; 760 unsigned int length = urb->iso_frame_desc[i].actual_length; 761 762 if (urb->iso_frame_desc[i].status) 763 continue; 764 765 hdev->stat.byte_rx += length; 766 767 if (btusb_recv_isoc(data, urb->transfer_buffer + offset, 768 length) < 0) { 769 BT_ERR("%s corrupted SCO packet", hdev->name); 770 hdev->stat.err_rx++; 771 } 772 } 773 } else if (urb->status == -ENOENT) { 774 /* Avoid suspend failed when usb_kill_urb */ 775 return; 776 } 777 778 if (!test_bit(BTUSB_ISOC_RUNNING, &data->flags)) 779 return; 780 781 usb_anchor_urb(urb, &data->isoc_anchor); 782 783 err = usb_submit_urb(urb, GFP_ATOMIC); 784 if (err < 0) { 785 /* -EPERM: urb is being killed; 786 * -ENODEV: device got disconnected */ 787 if (err != -EPERM && err != -ENODEV) 788 BT_ERR("%s urb %p failed to resubmit (%d)", 789 hdev->name, urb, -err); 790 usb_unanchor_urb(urb); 791 } 792 } 793 794 static inline void __fill_isoc_descriptor(struct urb *urb, int len, int mtu) 795 { 796 int i, offset = 0; 797 798 BT_DBG("len %d mtu %d", len, mtu); 799 800 for (i = 0; i < BTUSB_MAX_ISOC_FRAMES && len >= mtu; 801 i++, offset += mtu, len -= mtu) { 802 urb->iso_frame_desc[i].offset = offset; 803 urb->iso_frame_desc[i].length = mtu; 804 } 805 806 if (len && i < BTUSB_MAX_ISOC_FRAMES) { 807 urb->iso_frame_desc[i].offset = offset; 808 urb->iso_frame_desc[i].length = len; 809 i++; 810 } 811 812 urb->number_of_packets = i; 813 } 814 815 static int btusb_submit_isoc_urb(struct hci_dev *hdev, gfp_t mem_flags) 816 { 817 struct btusb_data *data = hci_get_drvdata(hdev); 818 struct urb *urb; 819 unsigned char *buf; 820 unsigned int pipe; 821 int err, size; 822 823 BT_DBG("%s", hdev->name); 824 825 if (!data->isoc_rx_ep) 826 return -ENODEV; 827 828 urb = usb_alloc_urb(BTUSB_MAX_ISOC_FRAMES, mem_flags); 829 if (!urb) 830 return -ENOMEM; 831 832 size = le16_to_cpu(data->isoc_rx_ep->wMaxPacketSize) * 833 BTUSB_MAX_ISOC_FRAMES; 834 835 buf = kmalloc(size, mem_flags); 836 if (!buf) { 837 usb_free_urb(urb); 838 return -ENOMEM; 839 } 840 841 pipe = usb_rcvisocpipe(data->udev, data->isoc_rx_ep->bEndpointAddress); 842 843 usb_fill_int_urb(urb, data->udev, pipe, buf, size, btusb_isoc_complete, 844 hdev, data->isoc_rx_ep->bInterval); 845 846 urb->transfer_flags = URB_FREE_BUFFER | URB_ISO_ASAP; 847 848 __fill_isoc_descriptor(urb, size, 849 le16_to_cpu(data->isoc_rx_ep->wMaxPacketSize)); 850 851 usb_anchor_urb(urb, &data->isoc_anchor); 852 853 err = usb_submit_urb(urb, mem_flags); 854 if (err < 0) { 855 if (err != -EPERM && err != -ENODEV) 856 BT_ERR("%s urb %p submission failed (%d)", 857 hdev->name, urb, -err); 858 usb_unanchor_urb(urb); 859 } 860 861 usb_free_urb(urb); 862 863 return err; 864 } 865 866 static void btusb_tx_complete(struct urb *urb) 867 { 868 struct sk_buff *skb = urb->context; 869 struct hci_dev *hdev = (struct hci_dev *)skb->dev; 870 struct btusb_data *data = hci_get_drvdata(hdev); 871 872 BT_DBG("%s urb %p status %d count %d", hdev->name, urb, urb->status, 873 urb->actual_length); 874 875 if (!test_bit(HCI_RUNNING, &hdev->flags)) 876 goto done; 877 878 if (!urb->status) 879 hdev->stat.byte_tx += urb->transfer_buffer_length; 880 else 881 hdev->stat.err_tx++; 882 883 done: 884 spin_lock(&data->txlock); 885 data->tx_in_flight--; 886 spin_unlock(&data->txlock); 887 888 kfree(urb->setup_packet); 889 890 kfree_skb(skb); 891 } 892 893 static void btusb_isoc_tx_complete(struct urb *urb) 894 { 895 struct sk_buff *skb = urb->context; 896 struct hci_dev *hdev = (struct hci_dev *)skb->dev; 897 898 BT_DBG("%s urb %p status %d count %d", hdev->name, urb, urb->status, 899 urb->actual_length); 900 901 if (!test_bit(HCI_RUNNING, &hdev->flags)) 902 goto done; 903 904 if (!urb->status) 905 hdev->stat.byte_tx += urb->transfer_buffer_length; 906 else 907 hdev->stat.err_tx++; 908 909 done: 910 kfree(urb->setup_packet); 911 912 kfree_skb(skb); 913 } 914 915 static int btusb_open(struct hci_dev *hdev) 916 { 917 struct btusb_data *data = hci_get_drvdata(hdev); 918 int err; 919 920 BT_DBG("%s", hdev->name); 921 922 /* Patching USB firmware files prior to starting any URBs of HCI path 923 * It is more safe to use USB bulk channel for downloading USB patch 924 */ 925 if (data->setup_on_usb) { 926 err = data->setup_on_usb(hdev); 927 if (err < 0) 928 return err; 929 } 930 931 err = usb_autopm_get_interface(data->intf); 932 if (err < 0) 933 return err; 934 935 data->intf->needs_remote_wakeup = 1; 936 937 if (test_and_set_bit(HCI_RUNNING, &hdev->flags)) 938 goto done; 939 940 if (test_and_set_bit(BTUSB_INTR_RUNNING, &data->flags)) 941 goto done; 942 943 err = btusb_submit_intr_urb(hdev, GFP_KERNEL); 944 if (err < 0) 945 goto failed; 946 947 err = btusb_submit_bulk_urb(hdev, GFP_KERNEL); 948 if (err < 0) { 949 usb_kill_anchored_urbs(&data->intr_anchor); 950 goto failed; 951 } 952 953 set_bit(BTUSB_BULK_RUNNING, &data->flags); 954 btusb_submit_bulk_urb(hdev, GFP_KERNEL); 955 956 done: 957 usb_autopm_put_interface(data->intf); 958 return 0; 959 960 failed: 961 clear_bit(BTUSB_INTR_RUNNING, &data->flags); 962 clear_bit(HCI_RUNNING, &hdev->flags); 963 usb_autopm_put_interface(data->intf); 964 return err; 965 } 966 967 static void btusb_stop_traffic(struct btusb_data *data) 968 { 969 usb_kill_anchored_urbs(&data->intr_anchor); 970 usb_kill_anchored_urbs(&data->bulk_anchor); 971 usb_kill_anchored_urbs(&data->isoc_anchor); 972 } 973 974 static int btusb_close(struct hci_dev *hdev) 975 { 976 struct btusb_data *data = hci_get_drvdata(hdev); 977 int err; 978 979 BT_DBG("%s", hdev->name); 980 981 if (!test_and_clear_bit(HCI_RUNNING, &hdev->flags)) 982 return 0; 983 984 cancel_work_sync(&data->work); 985 cancel_work_sync(&data->waker); 986 987 clear_bit(BTUSB_ISOC_RUNNING, &data->flags); 988 clear_bit(BTUSB_BULK_RUNNING, &data->flags); 989 clear_bit(BTUSB_INTR_RUNNING, &data->flags); 990 991 btusb_stop_traffic(data); 992 btusb_free_frags(data); 993 994 err = usb_autopm_get_interface(data->intf); 995 if (err < 0) 996 goto failed; 997 998 data->intf->needs_remote_wakeup = 0; 999 usb_autopm_put_interface(data->intf); 1000 1001 failed: 1002 usb_scuttle_anchored_urbs(&data->deferred); 1003 return 0; 1004 } 1005 1006 static int btusb_flush(struct hci_dev *hdev) 1007 { 1008 struct btusb_data *data = hci_get_drvdata(hdev); 1009 1010 BT_DBG("%s", hdev->name); 1011 1012 usb_kill_anchored_urbs(&data->tx_anchor); 1013 btusb_free_frags(data); 1014 1015 return 0; 1016 } 1017 1018 static struct urb *alloc_ctrl_urb(struct hci_dev *hdev, struct sk_buff *skb) 1019 { 1020 struct btusb_data *data = hci_get_drvdata(hdev); 1021 struct usb_ctrlrequest *dr; 1022 struct urb *urb; 1023 unsigned int pipe; 1024 1025 urb = usb_alloc_urb(0, GFP_KERNEL); 1026 if (!urb) 1027 return ERR_PTR(-ENOMEM); 1028 1029 dr = kmalloc(sizeof(*dr), GFP_KERNEL); 1030 if (!dr) { 1031 usb_free_urb(urb); 1032 return ERR_PTR(-ENOMEM); 1033 } 1034 1035 dr->bRequestType = data->cmdreq_type; 1036 dr->bRequest = data->cmdreq; 1037 dr->wIndex = 0; 1038 dr->wValue = 0; 1039 dr->wLength = __cpu_to_le16(skb->len); 1040 1041 pipe = usb_sndctrlpipe(data->udev, 0x00); 1042 1043 usb_fill_control_urb(urb, data->udev, pipe, (void *)dr, 1044 skb->data, skb->len, btusb_tx_complete, skb); 1045 1046 skb->dev = (void *)hdev; 1047 1048 return urb; 1049 } 1050 1051 static struct urb *alloc_bulk_urb(struct hci_dev *hdev, struct sk_buff *skb) 1052 { 1053 struct btusb_data *data = hci_get_drvdata(hdev); 1054 struct urb *urb; 1055 unsigned int pipe; 1056 1057 if (!data->bulk_tx_ep) 1058 return ERR_PTR(-ENODEV); 1059 1060 urb = usb_alloc_urb(0, GFP_KERNEL); 1061 if (!urb) 1062 return ERR_PTR(-ENOMEM); 1063 1064 pipe = usb_sndbulkpipe(data->udev, data->bulk_tx_ep->bEndpointAddress); 1065 1066 usb_fill_bulk_urb(urb, data->udev, pipe, 1067 skb->data, skb->len, btusb_tx_complete, skb); 1068 1069 skb->dev = (void *)hdev; 1070 1071 return urb; 1072 } 1073 1074 static struct urb *alloc_isoc_urb(struct hci_dev *hdev, struct sk_buff *skb) 1075 { 1076 struct btusb_data *data = hci_get_drvdata(hdev); 1077 struct urb *urb; 1078 unsigned int pipe; 1079 1080 if (!data->isoc_tx_ep) 1081 return ERR_PTR(-ENODEV); 1082 1083 urb = usb_alloc_urb(BTUSB_MAX_ISOC_FRAMES, GFP_KERNEL); 1084 if (!urb) 1085 return ERR_PTR(-ENOMEM); 1086 1087 pipe = usb_sndisocpipe(data->udev, data->isoc_tx_ep->bEndpointAddress); 1088 1089 usb_fill_int_urb(urb, data->udev, pipe, 1090 skb->data, skb->len, btusb_isoc_tx_complete, 1091 skb, data->isoc_tx_ep->bInterval); 1092 1093 urb->transfer_flags = URB_ISO_ASAP; 1094 1095 __fill_isoc_descriptor(urb, skb->len, 1096 le16_to_cpu(data->isoc_tx_ep->wMaxPacketSize)); 1097 1098 skb->dev = (void *)hdev; 1099 1100 return urb; 1101 } 1102 1103 static int submit_tx_urb(struct hci_dev *hdev, struct urb *urb) 1104 { 1105 struct btusb_data *data = hci_get_drvdata(hdev); 1106 int err; 1107 1108 usb_anchor_urb(urb, &data->tx_anchor); 1109 1110 err = usb_submit_urb(urb, GFP_KERNEL); 1111 if (err < 0) { 1112 if (err != -EPERM && err != -ENODEV) 1113 BT_ERR("%s urb %p submission failed (%d)", 1114 hdev->name, urb, -err); 1115 kfree(urb->setup_packet); 1116 usb_unanchor_urb(urb); 1117 } else { 1118 usb_mark_last_busy(data->udev); 1119 } 1120 1121 usb_free_urb(urb); 1122 return err; 1123 } 1124 1125 static int submit_or_queue_tx_urb(struct hci_dev *hdev, struct urb *urb) 1126 { 1127 struct btusb_data *data = hci_get_drvdata(hdev); 1128 unsigned long flags; 1129 bool suspending; 1130 1131 spin_lock_irqsave(&data->txlock, flags); 1132 suspending = test_bit(BTUSB_SUSPENDING, &data->flags); 1133 if (!suspending) 1134 data->tx_in_flight++; 1135 spin_unlock_irqrestore(&data->txlock, flags); 1136 1137 if (!suspending) 1138 return submit_tx_urb(hdev, urb); 1139 1140 usb_anchor_urb(urb, &data->deferred); 1141 schedule_work(&data->waker); 1142 1143 usb_free_urb(urb); 1144 return 0; 1145 } 1146 1147 static int btusb_send_frame(struct hci_dev *hdev, struct sk_buff *skb) 1148 { 1149 struct urb *urb; 1150 1151 BT_DBG("%s", hdev->name); 1152 1153 if (!test_bit(HCI_RUNNING, &hdev->flags)) 1154 return -EBUSY; 1155 1156 switch (bt_cb(skb)->pkt_type) { 1157 case HCI_COMMAND_PKT: 1158 urb = alloc_ctrl_urb(hdev, skb); 1159 if (IS_ERR(urb)) 1160 return PTR_ERR(urb); 1161 1162 hdev->stat.cmd_tx++; 1163 return submit_or_queue_tx_urb(hdev, urb); 1164 1165 case HCI_ACLDATA_PKT: 1166 urb = alloc_bulk_urb(hdev, skb); 1167 if (IS_ERR(urb)) 1168 return PTR_ERR(urb); 1169 1170 hdev->stat.acl_tx++; 1171 return submit_or_queue_tx_urb(hdev, urb); 1172 1173 case HCI_SCODATA_PKT: 1174 if (hci_conn_num(hdev, SCO_LINK) < 1) 1175 return -ENODEV; 1176 1177 urb = alloc_isoc_urb(hdev, skb); 1178 if (IS_ERR(urb)) 1179 return PTR_ERR(urb); 1180 1181 hdev->stat.sco_tx++; 1182 return submit_tx_urb(hdev, urb); 1183 } 1184 1185 return -EILSEQ; 1186 } 1187 1188 static void btusb_notify(struct hci_dev *hdev, unsigned int evt) 1189 { 1190 struct btusb_data *data = hci_get_drvdata(hdev); 1191 1192 BT_DBG("%s evt %d", hdev->name, evt); 1193 1194 if (hci_conn_num(hdev, SCO_LINK) != data->sco_num) { 1195 data->sco_num = hci_conn_num(hdev, SCO_LINK); 1196 schedule_work(&data->work); 1197 } 1198 } 1199 1200 static inline int __set_isoc_interface(struct hci_dev *hdev, int altsetting) 1201 { 1202 struct btusb_data *data = hci_get_drvdata(hdev); 1203 struct usb_interface *intf = data->isoc; 1204 struct usb_endpoint_descriptor *ep_desc; 1205 int i, err; 1206 1207 if (!data->isoc) 1208 return -ENODEV; 1209 1210 err = usb_set_interface(data->udev, 1, altsetting); 1211 if (err < 0) { 1212 BT_ERR("%s setting interface failed (%d)", hdev->name, -err); 1213 return err; 1214 } 1215 1216 data->isoc_altsetting = altsetting; 1217 1218 data->isoc_tx_ep = NULL; 1219 data->isoc_rx_ep = NULL; 1220 1221 for (i = 0; i < intf->cur_altsetting->desc.bNumEndpoints; i++) { 1222 ep_desc = &intf->cur_altsetting->endpoint[i].desc; 1223 1224 if (!data->isoc_tx_ep && usb_endpoint_is_isoc_out(ep_desc)) { 1225 data->isoc_tx_ep = ep_desc; 1226 continue; 1227 } 1228 1229 if (!data->isoc_rx_ep && usb_endpoint_is_isoc_in(ep_desc)) { 1230 data->isoc_rx_ep = ep_desc; 1231 continue; 1232 } 1233 } 1234 1235 if (!data->isoc_tx_ep || !data->isoc_rx_ep) { 1236 BT_ERR("%s invalid SCO descriptors", hdev->name); 1237 return -ENODEV; 1238 } 1239 1240 return 0; 1241 } 1242 1243 static void btusb_work(struct work_struct *work) 1244 { 1245 struct btusb_data *data = container_of(work, struct btusb_data, work); 1246 struct hci_dev *hdev = data->hdev; 1247 int new_alts; 1248 int err; 1249 1250 if (data->sco_num > 0) { 1251 if (!test_bit(BTUSB_DID_ISO_RESUME, &data->flags)) { 1252 err = usb_autopm_get_interface(data->isoc ? data->isoc : data->intf); 1253 if (err < 0) { 1254 clear_bit(BTUSB_ISOC_RUNNING, &data->flags); 1255 usb_kill_anchored_urbs(&data->isoc_anchor); 1256 return; 1257 } 1258 1259 set_bit(BTUSB_DID_ISO_RESUME, &data->flags); 1260 } 1261 1262 if (hdev->voice_setting & 0x0020) { 1263 static const int alts[3] = { 2, 4, 5 }; 1264 1265 new_alts = alts[data->sco_num - 1]; 1266 } else { 1267 new_alts = data->sco_num; 1268 } 1269 1270 if (data->isoc_altsetting != new_alts) { 1271 clear_bit(BTUSB_ISOC_RUNNING, &data->flags); 1272 usb_kill_anchored_urbs(&data->isoc_anchor); 1273 1274 if (__set_isoc_interface(hdev, new_alts) < 0) 1275 return; 1276 } 1277 1278 if (!test_and_set_bit(BTUSB_ISOC_RUNNING, &data->flags)) { 1279 if (btusb_submit_isoc_urb(hdev, GFP_KERNEL) < 0) 1280 clear_bit(BTUSB_ISOC_RUNNING, &data->flags); 1281 else 1282 btusb_submit_isoc_urb(hdev, GFP_KERNEL); 1283 } 1284 } else { 1285 clear_bit(BTUSB_ISOC_RUNNING, &data->flags); 1286 usb_kill_anchored_urbs(&data->isoc_anchor); 1287 1288 __set_isoc_interface(hdev, 0); 1289 if (test_and_clear_bit(BTUSB_DID_ISO_RESUME, &data->flags)) 1290 usb_autopm_put_interface(data->isoc ? data->isoc : data->intf); 1291 } 1292 } 1293 1294 static void btusb_waker(struct work_struct *work) 1295 { 1296 struct btusb_data *data = container_of(work, struct btusb_data, waker); 1297 int err; 1298 1299 err = usb_autopm_get_interface(data->intf); 1300 if (err < 0) 1301 return; 1302 1303 usb_autopm_put_interface(data->intf); 1304 } 1305 1306 static int btusb_setup_bcm92035(struct hci_dev *hdev) 1307 { 1308 struct sk_buff *skb; 1309 u8 val = 0x00; 1310 1311 BT_DBG("%s", hdev->name); 1312 1313 skb = __hci_cmd_sync(hdev, 0xfc3b, 1, &val, HCI_INIT_TIMEOUT); 1314 if (IS_ERR(skb)) 1315 BT_ERR("BCM92035 command failed (%ld)", -PTR_ERR(skb)); 1316 else 1317 kfree_skb(skb); 1318 1319 return 0; 1320 } 1321 1322 static int btusb_setup_csr(struct hci_dev *hdev) 1323 { 1324 struct hci_rp_read_local_version *rp; 1325 struct sk_buff *skb; 1326 1327 BT_DBG("%s", hdev->name); 1328 1329 skb = __hci_cmd_sync(hdev, HCI_OP_READ_LOCAL_VERSION, 0, NULL, 1330 HCI_INIT_TIMEOUT); 1331 if (IS_ERR(skb)) { 1332 int err = PTR_ERR(skb); 1333 BT_ERR("%s: CSR: Local version failed (%d)", hdev->name, err); 1334 return err; 1335 } 1336 1337 if (skb->len != sizeof(struct hci_rp_read_local_version)) { 1338 BT_ERR("%s: CSR: Local version length mismatch", hdev->name); 1339 kfree_skb(skb); 1340 return -EIO; 1341 } 1342 1343 rp = (struct hci_rp_read_local_version *)skb->data; 1344 1345 if (le16_to_cpu(rp->manufacturer) != 10) { 1346 /* Clear the reset quirk since this is not an actual 1347 * early Bluetooth 1.1 device from CSR. 1348 */ 1349 clear_bit(HCI_QUIRK_RESET_ON_CLOSE, &hdev->quirks); 1350 1351 /* These fake CSR controllers have all a broken 1352 * stored link key handling and so just disable it. 1353 */ 1354 set_bit(HCI_QUIRK_BROKEN_STORED_LINK_KEY, &hdev->quirks); 1355 } 1356 1357 kfree_skb(skb); 1358 1359 return 0; 1360 } 1361 1362 static const struct firmware *btusb_setup_intel_get_fw(struct hci_dev *hdev, 1363 struct intel_version *ver) 1364 { 1365 const struct firmware *fw; 1366 char fwname[64]; 1367 int ret; 1368 1369 snprintf(fwname, sizeof(fwname), 1370 "intel/ibt-hw-%x.%x.%x-fw-%x.%x.%x.%x.%x.bseq", 1371 ver->hw_platform, ver->hw_variant, ver->hw_revision, 1372 ver->fw_variant, ver->fw_revision, ver->fw_build_num, 1373 ver->fw_build_ww, ver->fw_build_yy); 1374 1375 ret = request_firmware(&fw, fwname, &hdev->dev); 1376 if (ret < 0) { 1377 if (ret == -EINVAL) { 1378 BT_ERR("%s Intel firmware file request failed (%d)", 1379 hdev->name, ret); 1380 return NULL; 1381 } 1382 1383 BT_ERR("%s failed to open Intel firmware file: %s(%d)", 1384 hdev->name, fwname, ret); 1385 1386 /* If the correct firmware patch file is not found, use the 1387 * default firmware patch file instead 1388 */ 1389 snprintf(fwname, sizeof(fwname), "intel/ibt-hw-%x.%x.bseq", 1390 ver->hw_platform, ver->hw_variant); 1391 if (request_firmware(&fw, fwname, &hdev->dev) < 0) { 1392 BT_ERR("%s failed to open default Intel fw file: %s", 1393 hdev->name, fwname); 1394 return NULL; 1395 } 1396 } 1397 1398 BT_INFO("%s: Intel Bluetooth firmware file: %s", hdev->name, fwname); 1399 1400 return fw; 1401 } 1402 1403 static int btusb_setup_intel_patching(struct hci_dev *hdev, 1404 const struct firmware *fw, 1405 const u8 **fw_ptr, int *disable_patch) 1406 { 1407 struct sk_buff *skb; 1408 struct hci_command_hdr *cmd; 1409 const u8 *cmd_param; 1410 struct hci_event_hdr *evt = NULL; 1411 const u8 *evt_param = NULL; 1412 int remain = fw->size - (*fw_ptr - fw->data); 1413 1414 /* The first byte indicates the types of the patch command or event. 1415 * 0x01 means HCI command and 0x02 is HCI event. If the first bytes 1416 * in the current firmware buffer doesn't start with 0x01 or 1417 * the size of remain buffer is smaller than HCI command header, 1418 * the firmware file is corrupted and it should stop the patching 1419 * process. 1420 */ 1421 if (remain > HCI_COMMAND_HDR_SIZE && *fw_ptr[0] != 0x01) { 1422 BT_ERR("%s Intel fw corrupted: invalid cmd read", hdev->name); 1423 return -EINVAL; 1424 } 1425 (*fw_ptr)++; 1426 remain--; 1427 1428 cmd = (struct hci_command_hdr *)(*fw_ptr); 1429 *fw_ptr += sizeof(*cmd); 1430 remain -= sizeof(*cmd); 1431 1432 /* Ensure that the remain firmware data is long enough than the length 1433 * of command parameter. If not, the firmware file is corrupted. 1434 */ 1435 if (remain < cmd->plen) { 1436 BT_ERR("%s Intel fw corrupted: invalid cmd len", hdev->name); 1437 return -EFAULT; 1438 } 1439 1440 /* If there is a command that loads a patch in the firmware 1441 * file, then enable the patch upon success, otherwise just 1442 * disable the manufacturer mode, for example patch activation 1443 * is not required when the default firmware patch file is used 1444 * because there are no patch data to load. 1445 */ 1446 if (*disable_patch && le16_to_cpu(cmd->opcode) == 0xfc8e) 1447 *disable_patch = 0; 1448 1449 cmd_param = *fw_ptr; 1450 *fw_ptr += cmd->plen; 1451 remain -= cmd->plen; 1452 1453 /* This reads the expected events when the above command is sent to the 1454 * device. Some vendor commands expects more than one events, for 1455 * example command status event followed by vendor specific event. 1456 * For this case, it only keeps the last expected event. so the command 1457 * can be sent with __hci_cmd_sync_ev() which returns the sk_buff of 1458 * last expected event. 1459 */ 1460 while (remain > HCI_EVENT_HDR_SIZE && *fw_ptr[0] == 0x02) { 1461 (*fw_ptr)++; 1462 remain--; 1463 1464 evt = (struct hci_event_hdr *)(*fw_ptr); 1465 *fw_ptr += sizeof(*evt); 1466 remain -= sizeof(*evt); 1467 1468 if (remain < evt->plen) { 1469 BT_ERR("%s Intel fw corrupted: invalid evt len", 1470 hdev->name); 1471 return -EFAULT; 1472 } 1473 1474 evt_param = *fw_ptr; 1475 *fw_ptr += evt->plen; 1476 remain -= evt->plen; 1477 } 1478 1479 /* Every HCI commands in the firmware file has its correspond event. 1480 * If event is not found or remain is smaller than zero, the firmware 1481 * file is corrupted. 1482 */ 1483 if (!evt || !evt_param || remain < 0) { 1484 BT_ERR("%s Intel fw corrupted: invalid evt read", hdev->name); 1485 return -EFAULT; 1486 } 1487 1488 skb = __hci_cmd_sync_ev(hdev, le16_to_cpu(cmd->opcode), cmd->plen, 1489 cmd_param, evt->evt, HCI_INIT_TIMEOUT); 1490 if (IS_ERR(skb)) { 1491 BT_ERR("%s sending Intel patch command (0x%4.4x) failed (%ld)", 1492 hdev->name, cmd->opcode, PTR_ERR(skb)); 1493 return PTR_ERR(skb); 1494 } 1495 1496 /* It ensures that the returned event matches the event data read from 1497 * the firmware file. At fist, it checks the length and then 1498 * the contents of the event. 1499 */ 1500 if (skb->len != evt->plen) { 1501 BT_ERR("%s mismatch event length (opcode 0x%4.4x)", hdev->name, 1502 le16_to_cpu(cmd->opcode)); 1503 kfree_skb(skb); 1504 return -EFAULT; 1505 } 1506 1507 if (memcmp(skb->data, evt_param, evt->plen)) { 1508 BT_ERR("%s mismatch event parameter (opcode 0x%4.4x)", 1509 hdev->name, le16_to_cpu(cmd->opcode)); 1510 kfree_skb(skb); 1511 return -EFAULT; 1512 } 1513 kfree_skb(skb); 1514 1515 return 0; 1516 } 1517 1518 static int btusb_setup_intel(struct hci_dev *hdev) 1519 { 1520 struct sk_buff *skb; 1521 const struct firmware *fw; 1522 const u8 *fw_ptr; 1523 int disable_patch; 1524 struct intel_version *ver; 1525 1526 const u8 mfg_enable[] = { 0x01, 0x00 }; 1527 const u8 mfg_disable[] = { 0x00, 0x00 }; 1528 const u8 mfg_reset_deactivate[] = { 0x00, 0x01 }; 1529 const u8 mfg_reset_activate[] = { 0x00, 0x02 }; 1530 1531 BT_DBG("%s", hdev->name); 1532 1533 /* The controller has a bug with the first HCI command sent to it 1534 * returning number of completed commands as zero. This would stall the 1535 * command processing in the Bluetooth core. 1536 * 1537 * As a workaround, send HCI Reset command first which will reset the 1538 * number of completed commands and allow normal command processing 1539 * from now on. 1540 */ 1541 skb = __hci_cmd_sync(hdev, HCI_OP_RESET, 0, NULL, HCI_INIT_TIMEOUT); 1542 if (IS_ERR(skb)) { 1543 BT_ERR("%s sending initial HCI reset command failed (%ld)", 1544 hdev->name, PTR_ERR(skb)); 1545 return PTR_ERR(skb); 1546 } 1547 kfree_skb(skb); 1548 1549 /* Read Intel specific controller version first to allow selection of 1550 * which firmware file to load. 1551 * 1552 * The returned information are hardware variant and revision plus 1553 * firmware variant, revision and build number. 1554 */ 1555 skb = __hci_cmd_sync(hdev, 0xfc05, 0, NULL, HCI_INIT_TIMEOUT); 1556 if (IS_ERR(skb)) { 1557 BT_ERR("%s reading Intel fw version command failed (%ld)", 1558 hdev->name, PTR_ERR(skb)); 1559 return PTR_ERR(skb); 1560 } 1561 1562 if (skb->len != sizeof(*ver)) { 1563 BT_ERR("%s Intel version event length mismatch", hdev->name); 1564 kfree_skb(skb); 1565 return -EIO; 1566 } 1567 1568 ver = (struct intel_version *)skb->data; 1569 1570 BT_INFO("%s: read Intel version: %02x%02x%02x%02x%02x%02x%02x%02x%02x", 1571 hdev->name, ver->hw_platform, ver->hw_variant, 1572 ver->hw_revision, ver->fw_variant, ver->fw_revision, 1573 ver->fw_build_num, ver->fw_build_ww, ver->fw_build_yy, 1574 ver->fw_patch_num); 1575 1576 /* fw_patch_num indicates the version of patch the device currently 1577 * have. If there is no patch data in the device, it is always 0x00. 1578 * So, if it is other than 0x00, no need to patch the deivce again. 1579 */ 1580 if (ver->fw_patch_num) { 1581 BT_INFO("%s: Intel device is already patched. patch num: %02x", 1582 hdev->name, ver->fw_patch_num); 1583 kfree_skb(skb); 1584 btintel_check_bdaddr(hdev); 1585 return 0; 1586 } 1587 1588 /* Opens the firmware patch file based on the firmware version read 1589 * from the controller. If it fails to open the matching firmware 1590 * patch file, it tries to open the default firmware patch file. 1591 * If no patch file is found, allow the device to operate without 1592 * a patch. 1593 */ 1594 fw = btusb_setup_intel_get_fw(hdev, ver); 1595 if (!fw) { 1596 kfree_skb(skb); 1597 btintel_check_bdaddr(hdev); 1598 return 0; 1599 } 1600 fw_ptr = fw->data; 1601 1602 kfree_skb(skb); 1603 1604 /* This Intel specific command enables the manufacturer mode of the 1605 * controller. 1606 * 1607 * Only while this mode is enabled, the driver can download the 1608 * firmware patch data and configuration parameters. 1609 */ 1610 skb = __hci_cmd_sync(hdev, 0xfc11, 2, mfg_enable, HCI_INIT_TIMEOUT); 1611 if (IS_ERR(skb)) { 1612 BT_ERR("%s entering Intel manufacturer mode failed (%ld)", 1613 hdev->name, PTR_ERR(skb)); 1614 release_firmware(fw); 1615 return PTR_ERR(skb); 1616 } 1617 1618 kfree_skb(skb); 1619 1620 disable_patch = 1; 1621 1622 /* The firmware data file consists of list of Intel specific HCI 1623 * commands and its expected events. The first byte indicates the 1624 * type of the message, either HCI command or HCI event. 1625 * 1626 * It reads the command and its expected event from the firmware file, 1627 * and send to the controller. Once __hci_cmd_sync_ev() returns, 1628 * the returned event is compared with the event read from the firmware 1629 * file and it will continue until all the messages are downloaded to 1630 * the controller. 1631 * 1632 * Once the firmware patching is completed successfully, 1633 * the manufacturer mode is disabled with reset and activating the 1634 * downloaded patch. 1635 * 1636 * If the firmware patching fails, the manufacturer mode is 1637 * disabled with reset and deactivating the patch. 1638 * 1639 * If the default patch file is used, no reset is done when disabling 1640 * the manufacturer. 1641 */ 1642 while (fw->size > fw_ptr - fw->data) { 1643 int ret; 1644 1645 ret = btusb_setup_intel_patching(hdev, fw, &fw_ptr, 1646 &disable_patch); 1647 if (ret < 0) 1648 goto exit_mfg_deactivate; 1649 } 1650 1651 release_firmware(fw); 1652 1653 if (disable_patch) 1654 goto exit_mfg_disable; 1655 1656 /* Patching completed successfully and disable the manufacturer mode 1657 * with reset and activate the downloaded firmware patches. 1658 */ 1659 skb = __hci_cmd_sync(hdev, 0xfc11, sizeof(mfg_reset_activate), 1660 mfg_reset_activate, HCI_INIT_TIMEOUT); 1661 if (IS_ERR(skb)) { 1662 BT_ERR("%s exiting Intel manufacturer mode failed (%ld)", 1663 hdev->name, PTR_ERR(skb)); 1664 return PTR_ERR(skb); 1665 } 1666 kfree_skb(skb); 1667 1668 BT_INFO("%s: Intel Bluetooth firmware patch completed and activated", 1669 hdev->name); 1670 1671 btintel_check_bdaddr(hdev); 1672 return 0; 1673 1674 exit_mfg_disable: 1675 /* Disable the manufacturer mode without reset */ 1676 skb = __hci_cmd_sync(hdev, 0xfc11, sizeof(mfg_disable), mfg_disable, 1677 HCI_INIT_TIMEOUT); 1678 if (IS_ERR(skb)) { 1679 BT_ERR("%s exiting Intel manufacturer mode failed (%ld)", 1680 hdev->name, PTR_ERR(skb)); 1681 return PTR_ERR(skb); 1682 } 1683 kfree_skb(skb); 1684 1685 BT_INFO("%s: Intel Bluetooth firmware patch completed", hdev->name); 1686 1687 btintel_check_bdaddr(hdev); 1688 return 0; 1689 1690 exit_mfg_deactivate: 1691 release_firmware(fw); 1692 1693 /* Patching failed. Disable the manufacturer mode with reset and 1694 * deactivate the downloaded firmware patches. 1695 */ 1696 skb = __hci_cmd_sync(hdev, 0xfc11, sizeof(mfg_reset_deactivate), 1697 mfg_reset_deactivate, HCI_INIT_TIMEOUT); 1698 if (IS_ERR(skb)) { 1699 BT_ERR("%s exiting Intel manufacturer mode failed (%ld)", 1700 hdev->name, PTR_ERR(skb)); 1701 return PTR_ERR(skb); 1702 } 1703 kfree_skb(skb); 1704 1705 BT_INFO("%s: Intel Bluetooth firmware patch completed and deactivated", 1706 hdev->name); 1707 1708 btintel_check_bdaddr(hdev); 1709 return 0; 1710 } 1711 1712 static int inject_cmd_complete(struct hci_dev *hdev, __u16 opcode) 1713 { 1714 struct sk_buff *skb; 1715 struct hci_event_hdr *hdr; 1716 struct hci_ev_cmd_complete *evt; 1717 1718 skb = bt_skb_alloc(sizeof(*hdr) + sizeof(*evt) + 1, GFP_ATOMIC); 1719 if (!skb) 1720 return -ENOMEM; 1721 1722 hdr = (struct hci_event_hdr *)skb_put(skb, sizeof(*hdr)); 1723 hdr->evt = HCI_EV_CMD_COMPLETE; 1724 hdr->plen = sizeof(*evt) + 1; 1725 1726 evt = (struct hci_ev_cmd_complete *)skb_put(skb, sizeof(*evt)); 1727 evt->ncmd = 0x01; 1728 evt->opcode = cpu_to_le16(opcode); 1729 1730 *skb_put(skb, 1) = 0x00; 1731 1732 bt_cb(skb)->pkt_type = HCI_EVENT_PKT; 1733 1734 return hci_recv_frame(hdev, skb); 1735 } 1736 1737 static int btusb_recv_bulk_intel(struct btusb_data *data, void *buffer, 1738 int count) 1739 { 1740 /* When the device is in bootloader mode, then it can send 1741 * events via the bulk endpoint. These events are treated the 1742 * same way as the ones received from the interrupt endpoint. 1743 */ 1744 if (test_bit(BTUSB_BOOTLOADER, &data->flags)) 1745 return btusb_recv_intr(data, buffer, count); 1746 1747 return btusb_recv_bulk(data, buffer, count); 1748 } 1749 1750 static void btusb_intel_bootup(struct btusb_data *data, const void *ptr, 1751 unsigned int len) 1752 { 1753 const struct intel_bootup *evt = ptr; 1754 1755 if (len != sizeof(*evt)) 1756 return; 1757 1758 if (test_and_clear_bit(BTUSB_BOOTING, &data->flags)) { 1759 smp_mb__after_atomic(); 1760 wake_up_bit(&data->flags, BTUSB_BOOTING); 1761 } 1762 } 1763 1764 static void btusb_intel_secure_send_result(struct btusb_data *data, 1765 const void *ptr, unsigned int len) 1766 { 1767 const struct intel_secure_send_result *evt = ptr; 1768 1769 if (len != sizeof(*evt)) 1770 return; 1771 1772 if (evt->result) 1773 set_bit(BTUSB_FIRMWARE_FAILED, &data->flags); 1774 1775 if (test_and_clear_bit(BTUSB_DOWNLOADING, &data->flags) && 1776 test_bit(BTUSB_FIRMWARE_LOADED, &data->flags)) { 1777 smp_mb__after_atomic(); 1778 wake_up_bit(&data->flags, BTUSB_DOWNLOADING); 1779 } 1780 } 1781 1782 static int btusb_recv_event_intel(struct hci_dev *hdev, struct sk_buff *skb) 1783 { 1784 struct btusb_data *data = hci_get_drvdata(hdev); 1785 1786 if (test_bit(BTUSB_BOOTLOADER, &data->flags)) { 1787 struct hci_event_hdr *hdr = (void *)skb->data; 1788 1789 if (skb->len > HCI_EVENT_HDR_SIZE && hdr->evt == 0xff && 1790 hdr->plen > 0) { 1791 const void *ptr = skb->data + HCI_EVENT_HDR_SIZE + 1; 1792 unsigned int len = skb->len - HCI_EVENT_HDR_SIZE - 1; 1793 1794 switch (skb->data[2]) { 1795 case 0x02: 1796 /* When switching to the operational firmware 1797 * the device sends a vendor specific event 1798 * indicating that the bootup completed. 1799 */ 1800 btusb_intel_bootup(data, ptr, len); 1801 break; 1802 case 0x06: 1803 /* When the firmware loading completes the 1804 * device sends out a vendor specific event 1805 * indicating the result of the firmware 1806 * loading. 1807 */ 1808 btusb_intel_secure_send_result(data, ptr, len); 1809 break; 1810 } 1811 } 1812 } 1813 1814 return hci_recv_frame(hdev, skb); 1815 } 1816 1817 static int btusb_send_frame_intel(struct hci_dev *hdev, struct sk_buff *skb) 1818 { 1819 struct btusb_data *data = hci_get_drvdata(hdev); 1820 struct urb *urb; 1821 1822 BT_DBG("%s", hdev->name); 1823 1824 if (!test_bit(HCI_RUNNING, &hdev->flags)) 1825 return -EBUSY; 1826 1827 switch (bt_cb(skb)->pkt_type) { 1828 case HCI_COMMAND_PKT: 1829 if (test_bit(BTUSB_BOOTLOADER, &data->flags)) { 1830 struct hci_command_hdr *cmd = (void *)skb->data; 1831 __u16 opcode = le16_to_cpu(cmd->opcode); 1832 1833 /* When in bootloader mode and the command 0xfc09 1834 * is received, it needs to be send down the 1835 * bulk endpoint. So allocate a bulk URB instead. 1836 */ 1837 if (opcode == 0xfc09) 1838 urb = alloc_bulk_urb(hdev, skb); 1839 else 1840 urb = alloc_ctrl_urb(hdev, skb); 1841 1842 /* When the 0xfc01 command is issued to boot into 1843 * the operational firmware, it will actually not 1844 * send a command complete event. To keep the flow 1845 * control working inject that event here. 1846 */ 1847 if (opcode == 0xfc01) 1848 inject_cmd_complete(hdev, opcode); 1849 } else { 1850 urb = alloc_ctrl_urb(hdev, skb); 1851 } 1852 if (IS_ERR(urb)) 1853 return PTR_ERR(urb); 1854 1855 hdev->stat.cmd_tx++; 1856 return submit_or_queue_tx_urb(hdev, urb); 1857 1858 case HCI_ACLDATA_PKT: 1859 urb = alloc_bulk_urb(hdev, skb); 1860 if (IS_ERR(urb)) 1861 return PTR_ERR(urb); 1862 1863 hdev->stat.acl_tx++; 1864 return submit_or_queue_tx_urb(hdev, urb); 1865 1866 case HCI_SCODATA_PKT: 1867 if (hci_conn_num(hdev, SCO_LINK) < 1) 1868 return -ENODEV; 1869 1870 urb = alloc_isoc_urb(hdev, skb); 1871 if (IS_ERR(urb)) 1872 return PTR_ERR(urb); 1873 1874 hdev->stat.sco_tx++; 1875 return submit_tx_urb(hdev, urb); 1876 } 1877 1878 return -EILSEQ; 1879 } 1880 1881 static int btusb_intel_secure_send(struct hci_dev *hdev, u8 fragment_type, 1882 u32 plen, const void *param) 1883 { 1884 while (plen > 0) { 1885 struct sk_buff *skb; 1886 u8 cmd_param[253], fragment_len = (plen > 252) ? 252 : plen; 1887 1888 cmd_param[0] = fragment_type; 1889 memcpy(cmd_param + 1, param, fragment_len); 1890 1891 skb = __hci_cmd_sync(hdev, 0xfc09, fragment_len + 1, 1892 cmd_param, HCI_INIT_TIMEOUT); 1893 if (IS_ERR(skb)) 1894 return PTR_ERR(skb); 1895 1896 kfree_skb(skb); 1897 1898 plen -= fragment_len; 1899 param += fragment_len; 1900 } 1901 1902 return 0; 1903 } 1904 1905 static void btusb_intel_version_info(struct hci_dev *hdev, 1906 struct intel_version *ver) 1907 { 1908 const char *variant; 1909 1910 switch (ver->fw_variant) { 1911 case 0x06: 1912 variant = "Bootloader"; 1913 break; 1914 case 0x23: 1915 variant = "Firmware"; 1916 break; 1917 default: 1918 return; 1919 } 1920 1921 BT_INFO("%s: %s revision %u.%u build %u week %u %u", hdev->name, 1922 variant, ver->fw_revision >> 4, ver->fw_revision & 0x0f, 1923 ver->fw_build_num, ver->fw_build_ww, 2000 + ver->fw_build_yy); 1924 } 1925 1926 static int btusb_setup_intel_new(struct hci_dev *hdev) 1927 { 1928 static const u8 reset_param[] = { 0x00, 0x01, 0x00, 0x01, 1929 0x00, 0x08, 0x04, 0x00 }; 1930 struct btusb_data *data = hci_get_drvdata(hdev); 1931 struct sk_buff *skb; 1932 struct intel_version *ver; 1933 struct intel_boot_params *params; 1934 const struct firmware *fw; 1935 const u8 *fw_ptr; 1936 u32 frag_len; 1937 char fwname[64]; 1938 ktime_t calltime, delta, rettime; 1939 unsigned long long duration; 1940 int err; 1941 1942 BT_DBG("%s", hdev->name); 1943 1944 calltime = ktime_get(); 1945 1946 /* Read the Intel version information to determine if the device 1947 * is in bootloader mode or if it already has operational firmware 1948 * loaded. 1949 */ 1950 skb = __hci_cmd_sync(hdev, 0xfc05, 0, NULL, HCI_INIT_TIMEOUT); 1951 if (IS_ERR(skb)) { 1952 BT_ERR("%s: Reading Intel version information failed (%ld)", 1953 hdev->name, PTR_ERR(skb)); 1954 return PTR_ERR(skb); 1955 } 1956 1957 if (skb->len != sizeof(*ver)) { 1958 BT_ERR("%s: Intel version event size mismatch", hdev->name); 1959 kfree_skb(skb); 1960 return -EILSEQ; 1961 } 1962 1963 ver = (struct intel_version *)skb->data; 1964 1965 /* The hardware platform number has a fixed value of 0x37 and 1966 * for now only accept this single value. 1967 */ 1968 if (ver->hw_platform != 0x37) { 1969 BT_ERR("%s: Unsupported Intel hardware platform (%u)", 1970 hdev->name, ver->hw_platform); 1971 kfree_skb(skb); 1972 return -EINVAL; 1973 } 1974 1975 /* At the moment only the hardware variant iBT 3.0 (LnP/SfP) is 1976 * supported by this firmware loading method. This check has been 1977 * put in place to ensure correct forward compatibility options 1978 * when newer hardware variants come along. 1979 */ 1980 if (ver->hw_variant != 0x0b) { 1981 BT_ERR("%s: Unsupported Intel hardware variant (%u)", 1982 hdev->name, ver->hw_variant); 1983 kfree_skb(skb); 1984 return -EINVAL; 1985 } 1986 1987 btusb_intel_version_info(hdev, ver); 1988 1989 /* The firmware variant determines if the device is in bootloader 1990 * mode or is running operational firmware. The value 0x06 identifies 1991 * the bootloader and the value 0x23 identifies the operational 1992 * firmware. 1993 * 1994 * When the operational firmware is already present, then only 1995 * the check for valid Bluetooth device address is needed. This 1996 * determines if the device will be added as configured or 1997 * unconfigured controller. 1998 * 1999 * It is not possible to use the Secure Boot Parameters in this 2000 * case since that command is only available in bootloader mode. 2001 */ 2002 if (ver->fw_variant == 0x23) { 2003 kfree_skb(skb); 2004 clear_bit(BTUSB_BOOTLOADER, &data->flags); 2005 btintel_check_bdaddr(hdev); 2006 return 0; 2007 } 2008 2009 /* If the device is not in bootloader mode, then the only possible 2010 * choice is to return an error and abort the device initialization. 2011 */ 2012 if (ver->fw_variant != 0x06) { 2013 BT_ERR("%s: Unsupported Intel firmware variant (%u)", 2014 hdev->name, ver->fw_variant); 2015 kfree_skb(skb); 2016 return -ENODEV; 2017 } 2018 2019 kfree_skb(skb); 2020 2021 /* Read the secure boot parameters to identify the operating 2022 * details of the bootloader. 2023 */ 2024 skb = __hci_cmd_sync(hdev, 0xfc0d, 0, NULL, HCI_INIT_TIMEOUT); 2025 if (IS_ERR(skb)) { 2026 BT_ERR("%s: Reading Intel boot parameters failed (%ld)", 2027 hdev->name, PTR_ERR(skb)); 2028 return PTR_ERR(skb); 2029 } 2030 2031 if (skb->len != sizeof(*params)) { 2032 BT_ERR("%s: Intel boot parameters size mismatch", hdev->name); 2033 kfree_skb(skb); 2034 return -EILSEQ; 2035 } 2036 2037 params = (struct intel_boot_params *)skb->data; 2038 2039 BT_INFO("%s: Device revision is %u", hdev->name, 2040 le16_to_cpu(params->dev_revid)); 2041 2042 BT_INFO("%s: Secure boot is %s", hdev->name, 2043 params->secure_boot ? "enabled" : "disabled"); 2044 2045 BT_INFO("%s: Minimum firmware build %u week %u %u", hdev->name, 2046 params->min_fw_build_nn, params->min_fw_build_cw, 2047 2000 + params->min_fw_build_yy); 2048 2049 /* It is required that every single firmware fragment is acknowledged 2050 * with a command complete event. If the boot parameters indicate 2051 * that this bootloader does not send them, then abort the setup. 2052 */ 2053 if (params->limited_cce != 0x00) { 2054 BT_ERR("%s: Unsupported Intel firmware loading method (%u)", 2055 hdev->name, params->limited_cce); 2056 kfree_skb(skb); 2057 return -EINVAL; 2058 } 2059 2060 /* If the OTP has no valid Bluetooth device address, then there will 2061 * also be no valid address for the operational firmware. 2062 */ 2063 if (!bacmp(¶ms->otp_bdaddr, BDADDR_ANY)) { 2064 BT_INFO("%s: No device address configured", hdev->name); 2065 set_bit(HCI_QUIRK_INVALID_BDADDR, &hdev->quirks); 2066 } 2067 2068 /* With this Intel bootloader only the hardware variant and device 2069 * revision information are used to select the right firmware. 2070 * 2071 * Currently this bootloader support is limited to hardware variant 2072 * iBT 3.0 (LnP/SfP) which is identified by the value 11 (0x0b). 2073 */ 2074 snprintf(fwname, sizeof(fwname), "intel/ibt-11-%u.sfi", 2075 le16_to_cpu(params->dev_revid)); 2076 2077 err = request_firmware(&fw, fwname, &hdev->dev); 2078 if (err < 0) { 2079 BT_ERR("%s: Failed to load Intel firmware file (%d)", 2080 hdev->name, err); 2081 kfree_skb(skb); 2082 return err; 2083 } 2084 2085 BT_INFO("%s: Found device firmware: %s", hdev->name, fwname); 2086 2087 /* Save the DDC file name for later use to apply once the firmware 2088 * downloading is done. 2089 */ 2090 snprintf(fwname, sizeof(fwname), "intel/ibt-11-%u.ddc", 2091 le16_to_cpu(params->dev_revid)); 2092 2093 kfree_skb(skb); 2094 2095 if (fw->size < 644) { 2096 BT_ERR("%s: Invalid size of firmware file (%zu)", 2097 hdev->name, fw->size); 2098 err = -EBADF; 2099 goto done; 2100 } 2101 2102 set_bit(BTUSB_DOWNLOADING, &data->flags); 2103 2104 /* Start the firmware download transaction with the Init fragment 2105 * represented by the 128 bytes of CSS header. 2106 */ 2107 err = btusb_intel_secure_send(hdev, 0x00, 128, fw->data); 2108 if (err < 0) { 2109 BT_ERR("%s: Failed to send firmware header (%d)", 2110 hdev->name, err); 2111 goto done; 2112 } 2113 2114 /* Send the 256 bytes of public key information from the firmware 2115 * as the PKey fragment. 2116 */ 2117 err = btusb_intel_secure_send(hdev, 0x03, 256, fw->data + 128); 2118 if (err < 0) { 2119 BT_ERR("%s: Failed to send firmware public key (%d)", 2120 hdev->name, err); 2121 goto done; 2122 } 2123 2124 /* Send the 256 bytes of signature information from the firmware 2125 * as the Sign fragment. 2126 */ 2127 err = btusb_intel_secure_send(hdev, 0x02, 256, fw->data + 388); 2128 if (err < 0) { 2129 BT_ERR("%s: Failed to send firmware signature (%d)", 2130 hdev->name, err); 2131 goto done; 2132 } 2133 2134 fw_ptr = fw->data + 644; 2135 frag_len = 0; 2136 2137 while (fw_ptr - fw->data < fw->size) { 2138 struct hci_command_hdr *cmd = (void *)(fw_ptr + frag_len); 2139 2140 frag_len += sizeof(*cmd) + cmd->plen; 2141 2142 /* The paramter length of the secure send command requires 2143 * a 4 byte alignment. It happens so that the firmware file 2144 * contains proper Intel_NOP commands to align the fragments 2145 * as needed. 2146 * 2147 * Send set of commands with 4 byte alignment from the 2148 * firmware data buffer as a single Data fragement. 2149 */ 2150 if (!(frag_len % 4)) { 2151 err = btusb_intel_secure_send(hdev, 0x01, frag_len, 2152 fw_ptr); 2153 if (err < 0) { 2154 BT_ERR("%s: Failed to send firmware data (%d)", 2155 hdev->name, err); 2156 goto done; 2157 } 2158 2159 fw_ptr += frag_len; 2160 frag_len = 0; 2161 } 2162 } 2163 2164 set_bit(BTUSB_FIRMWARE_LOADED, &data->flags); 2165 2166 BT_INFO("%s: Waiting for firmware download to complete", hdev->name); 2167 2168 /* Before switching the device into operational mode and with that 2169 * booting the loaded firmware, wait for the bootloader notification 2170 * that all fragments have been successfully received. 2171 * 2172 * When the event processing receives the notification, then the 2173 * BTUSB_DOWNLOADING flag will be cleared. 2174 * 2175 * The firmware loading should not take longer than 5 seconds 2176 * and thus just timeout if that happens and fail the setup 2177 * of this device. 2178 */ 2179 err = wait_on_bit_timeout(&data->flags, BTUSB_DOWNLOADING, 2180 TASK_INTERRUPTIBLE, 2181 msecs_to_jiffies(5000)); 2182 if (err == 1) { 2183 BT_ERR("%s: Firmware loading interrupted", hdev->name); 2184 err = -EINTR; 2185 goto done; 2186 } 2187 2188 if (err) { 2189 BT_ERR("%s: Firmware loading timeout", hdev->name); 2190 err = -ETIMEDOUT; 2191 goto done; 2192 } 2193 2194 if (test_bit(BTUSB_FIRMWARE_FAILED, &data->flags)) { 2195 BT_ERR("%s: Firmware loading failed", hdev->name); 2196 err = -ENOEXEC; 2197 goto done; 2198 } 2199 2200 rettime = ktime_get(); 2201 delta = ktime_sub(rettime, calltime); 2202 duration = (unsigned long long) ktime_to_ns(delta) >> 10; 2203 2204 BT_INFO("%s: Firmware loaded in %llu usecs", hdev->name, duration); 2205 2206 done: 2207 release_firmware(fw); 2208 2209 if (err < 0) 2210 return err; 2211 2212 calltime = ktime_get(); 2213 2214 set_bit(BTUSB_BOOTING, &data->flags); 2215 2216 skb = __hci_cmd_sync(hdev, 0xfc01, sizeof(reset_param), reset_param, 2217 HCI_INIT_TIMEOUT); 2218 if (IS_ERR(skb)) 2219 return PTR_ERR(skb); 2220 2221 kfree_skb(skb); 2222 2223 /* The bootloader will not indicate when the device is ready. This 2224 * is done by the operational firmware sending bootup notification. 2225 * 2226 * Booting into operational firmware should not take longer than 2227 * 1 second. However if that happens, then just fail the setup 2228 * since something went wrong. 2229 */ 2230 BT_INFO("%s: Waiting for device to boot", hdev->name); 2231 2232 err = wait_on_bit_timeout(&data->flags, BTUSB_BOOTING, 2233 TASK_INTERRUPTIBLE, 2234 msecs_to_jiffies(1000)); 2235 2236 if (err == 1) { 2237 BT_ERR("%s: Device boot interrupted", hdev->name); 2238 return -EINTR; 2239 } 2240 2241 if (err) { 2242 BT_ERR("%s: Device boot timeout", hdev->name); 2243 return -ETIMEDOUT; 2244 } 2245 2246 rettime = ktime_get(); 2247 delta = ktime_sub(rettime, calltime); 2248 duration = (unsigned long long) ktime_to_ns(delta) >> 10; 2249 2250 BT_INFO("%s: Device booted in %llu usecs", hdev->name, duration); 2251 2252 clear_bit(BTUSB_BOOTLOADER, &data->flags); 2253 2254 /* Once the device is running in operational mode, it needs to apply 2255 * the device configuration (DDC) parameters. 2256 * 2257 * The device can work without DDC parameters, so even if it fails 2258 * to load the file, no need to fail the setup. 2259 */ 2260 err = request_firmware_direct(&fw, fwname, &hdev->dev); 2261 if (err < 0) 2262 return 0; 2263 2264 BT_INFO("%s: Found Intel DDC parameters: %s", hdev->name, fwname); 2265 2266 fw_ptr = fw->data; 2267 2268 /* DDC file contains one or more DDC structure which has 2269 * Length (1 byte), DDC ID (2 bytes), and DDC value (Length - 2). 2270 */ 2271 while (fw->size > fw_ptr - fw->data) { 2272 u8 cmd_plen = fw_ptr[0] + sizeof(u8); 2273 2274 skb = __hci_cmd_sync(hdev, 0xfc8b, cmd_plen, fw_ptr, 2275 HCI_INIT_TIMEOUT); 2276 if (IS_ERR(skb)) { 2277 BT_ERR("%s: Failed to send Intel_Write_DDC (%ld)", 2278 hdev->name, PTR_ERR(skb)); 2279 release_firmware(fw); 2280 return PTR_ERR(skb); 2281 } 2282 2283 fw_ptr += cmd_plen; 2284 kfree_skb(skb); 2285 } 2286 2287 release_firmware(fw); 2288 2289 BT_INFO("%s: Applying Intel DDC parameters completed", hdev->name); 2290 2291 return 0; 2292 } 2293 2294 static void btusb_hw_error_intel(struct hci_dev *hdev, u8 code) 2295 { 2296 struct sk_buff *skb; 2297 u8 type = 0x00; 2298 2299 BT_ERR("%s: Hardware error 0x%2.2x", hdev->name, code); 2300 2301 skb = __hci_cmd_sync(hdev, HCI_OP_RESET, 0, NULL, HCI_INIT_TIMEOUT); 2302 if (IS_ERR(skb)) { 2303 BT_ERR("%s: Reset after hardware error failed (%ld)", 2304 hdev->name, PTR_ERR(skb)); 2305 return; 2306 } 2307 kfree_skb(skb); 2308 2309 skb = __hci_cmd_sync(hdev, 0xfc22, 1, &type, HCI_INIT_TIMEOUT); 2310 if (IS_ERR(skb)) { 2311 BT_ERR("%s: Retrieving Intel exception info failed (%ld)", 2312 hdev->name, PTR_ERR(skb)); 2313 return; 2314 } 2315 2316 if (skb->len != 13) { 2317 BT_ERR("%s: Exception info size mismatch", hdev->name); 2318 kfree_skb(skb); 2319 return; 2320 } 2321 2322 BT_ERR("%s: Exception info %s", hdev->name, (char *)(skb->data + 1)); 2323 2324 kfree_skb(skb); 2325 } 2326 2327 static int btusb_shutdown_intel(struct hci_dev *hdev) 2328 { 2329 struct sk_buff *skb; 2330 long ret; 2331 2332 /* Some platforms have an issue with BT LED when the interface is 2333 * down or BT radio is turned off, which takes 5 seconds to BT LED 2334 * goes off. This command turns off the BT LED immediately. 2335 */ 2336 skb = __hci_cmd_sync(hdev, 0xfc3f, 0, NULL, HCI_INIT_TIMEOUT); 2337 if (IS_ERR(skb)) { 2338 ret = PTR_ERR(skb); 2339 BT_ERR("%s: turning off Intel device LED failed (%ld)", 2340 hdev->name, ret); 2341 return ret; 2342 } 2343 kfree_skb(skb); 2344 2345 return 0; 2346 } 2347 2348 static int btusb_set_bdaddr_marvell(struct hci_dev *hdev, 2349 const bdaddr_t *bdaddr) 2350 { 2351 struct sk_buff *skb; 2352 u8 buf[8]; 2353 long ret; 2354 2355 buf[0] = 0xfe; 2356 buf[1] = sizeof(bdaddr_t); 2357 memcpy(buf + 2, bdaddr, sizeof(bdaddr_t)); 2358 2359 skb = __hci_cmd_sync(hdev, 0xfc22, sizeof(buf), buf, HCI_INIT_TIMEOUT); 2360 if (IS_ERR(skb)) { 2361 ret = PTR_ERR(skb); 2362 BT_ERR("%s: changing Marvell device address failed (%ld)", 2363 hdev->name, ret); 2364 return ret; 2365 } 2366 kfree_skb(skb); 2367 2368 return 0; 2369 } 2370 2371 static int btusb_set_bdaddr_ath3012(struct hci_dev *hdev, 2372 const bdaddr_t *bdaddr) 2373 { 2374 struct sk_buff *skb; 2375 u8 buf[10]; 2376 long ret; 2377 2378 buf[0] = 0x01; 2379 buf[1] = 0x01; 2380 buf[2] = 0x00; 2381 buf[3] = sizeof(bdaddr_t); 2382 memcpy(buf + 4, bdaddr, sizeof(bdaddr_t)); 2383 2384 skb = __hci_cmd_sync(hdev, 0xfc0b, sizeof(buf), buf, HCI_INIT_TIMEOUT); 2385 if (IS_ERR(skb)) { 2386 ret = PTR_ERR(skb); 2387 BT_ERR("%s: Change address command failed (%ld)", 2388 hdev->name, ret); 2389 return ret; 2390 } 2391 kfree_skb(skb); 2392 2393 return 0; 2394 } 2395 2396 #define QCA_DFU_PACKET_LEN 4096 2397 2398 #define QCA_GET_TARGET_VERSION 0x09 2399 #define QCA_CHECK_STATUS 0x05 2400 #define QCA_DFU_DOWNLOAD 0x01 2401 2402 #define QCA_SYSCFG_UPDATED 0x40 2403 #define QCA_PATCH_UPDATED 0x80 2404 #define QCA_DFU_TIMEOUT 3000 2405 2406 struct qca_version { 2407 __le32 rom_version; 2408 __le32 patch_version; 2409 __le32 ram_version; 2410 __le32 ref_clock; 2411 __u8 reserved[4]; 2412 } __packed; 2413 2414 struct qca_rampatch_version { 2415 __le16 rom_version; 2416 __le16 patch_version; 2417 } __packed; 2418 2419 struct qca_device_info { 2420 u32 rom_version; 2421 u8 rampatch_hdr; /* length of header in rampatch */ 2422 u8 nvm_hdr; /* length of header in NVM */ 2423 u8 ver_offset; /* offset of version structure in rampatch */ 2424 }; 2425 2426 static const struct qca_device_info qca_devices_table[] = { 2427 { 0x00000100, 20, 4, 10 }, /* Rome 1.0 */ 2428 { 0x00000101, 20, 4, 10 }, /* Rome 1.1 */ 2429 { 0x00000200, 28, 4, 18 }, /* Rome 2.0 */ 2430 { 0x00000201, 28, 4, 18 }, /* Rome 2.1 */ 2431 { 0x00000300, 28, 4, 18 }, /* Rome 3.0 */ 2432 { 0x00000302, 28, 4, 18 }, /* Rome 3.2 */ 2433 }; 2434 2435 static int btusb_qca_send_vendor_req(struct hci_dev *hdev, u8 request, 2436 void *data, u16 size) 2437 { 2438 struct btusb_data *btdata = hci_get_drvdata(hdev); 2439 struct usb_device *udev = btdata->udev; 2440 int pipe, err; 2441 u8 *buf; 2442 2443 buf = kmalloc(size, GFP_KERNEL); 2444 if (!buf) 2445 return -ENOMEM; 2446 2447 /* Found some of USB hosts have IOT issues with ours so that we should 2448 * not wait until HCI layer is ready. 2449 */ 2450 pipe = usb_rcvctrlpipe(udev, 0); 2451 err = usb_control_msg(udev, pipe, request, USB_TYPE_VENDOR | USB_DIR_IN, 2452 0, 0, buf, size, USB_CTRL_SET_TIMEOUT); 2453 if (err < 0) { 2454 BT_ERR("%s: Failed to access otp area (%d)", hdev->name, err); 2455 goto done; 2456 } 2457 2458 memcpy(data, buf, size); 2459 2460 done: 2461 kfree(buf); 2462 2463 return err; 2464 } 2465 2466 static int btusb_setup_qca_download_fw(struct hci_dev *hdev, 2467 const struct firmware *firmware, 2468 size_t hdr_size) 2469 { 2470 struct btusb_data *btdata = hci_get_drvdata(hdev); 2471 struct usb_device *udev = btdata->udev; 2472 size_t count, size, sent = 0; 2473 int pipe, len, err; 2474 u8 *buf; 2475 2476 buf = kmalloc(QCA_DFU_PACKET_LEN, GFP_KERNEL); 2477 if (!buf) 2478 return -ENOMEM; 2479 2480 count = firmware->size; 2481 2482 size = min_t(size_t, count, hdr_size); 2483 memcpy(buf, firmware->data, size); 2484 2485 /* USB patches should go down to controller through USB path 2486 * because binary format fits to go down through USB channel. 2487 * USB control path is for patching headers and USB bulk is for 2488 * patch body. 2489 */ 2490 pipe = usb_sndctrlpipe(udev, 0); 2491 err = usb_control_msg(udev, pipe, QCA_DFU_DOWNLOAD, USB_TYPE_VENDOR, 2492 0, 0, buf, size, USB_CTRL_SET_TIMEOUT); 2493 if (err < 0) { 2494 BT_ERR("%s: Failed to send headers (%d)", hdev->name, err); 2495 goto done; 2496 } 2497 2498 sent += size; 2499 count -= size; 2500 2501 while (count) { 2502 size = min_t(size_t, count, QCA_DFU_PACKET_LEN); 2503 2504 memcpy(buf, firmware->data + sent, size); 2505 2506 pipe = usb_sndbulkpipe(udev, 0x02); 2507 err = usb_bulk_msg(udev, pipe, buf, size, &len, 2508 QCA_DFU_TIMEOUT); 2509 if (err < 0) { 2510 BT_ERR("%s: Failed to send body at %zd of %zd (%d)", 2511 hdev->name, sent, firmware->size, err); 2512 break; 2513 } 2514 2515 if (size != len) { 2516 BT_ERR("%s: Failed to get bulk buffer", hdev->name); 2517 err = -EILSEQ; 2518 break; 2519 } 2520 2521 sent += size; 2522 count -= size; 2523 } 2524 2525 done: 2526 kfree(buf); 2527 return err; 2528 } 2529 2530 static int btusb_setup_qca_load_rampatch(struct hci_dev *hdev, 2531 struct qca_version *ver, 2532 const struct qca_device_info *info) 2533 { 2534 struct qca_rampatch_version *rver; 2535 const struct firmware *fw; 2536 u32 ver_rom, ver_patch; 2537 u16 rver_rom, rver_patch; 2538 char fwname[64]; 2539 int err; 2540 2541 ver_rom = le32_to_cpu(ver->rom_version); 2542 ver_patch = le32_to_cpu(ver->patch_version); 2543 2544 snprintf(fwname, sizeof(fwname), "qca/rampatch_usb_%08x.bin", ver_rom); 2545 2546 err = request_firmware(&fw, fwname, &hdev->dev); 2547 if (err) { 2548 BT_ERR("%s: failed to request rampatch file: %s (%d)", 2549 hdev->name, fwname, err); 2550 return err; 2551 } 2552 2553 BT_INFO("%s: using rampatch file: %s", hdev->name, fwname); 2554 2555 rver = (struct qca_rampatch_version *)(fw->data + info->ver_offset); 2556 rver_rom = le16_to_cpu(rver->rom_version); 2557 rver_patch = le16_to_cpu(rver->patch_version); 2558 2559 BT_INFO("%s: QCA: patch rome 0x%x build 0x%x, firmware rome 0x%x " 2560 "build 0x%x", hdev->name, rver_rom, rver_patch, ver_rom, 2561 ver_patch); 2562 2563 if (rver_rom != ver_rom || rver_patch <= ver_patch) { 2564 BT_ERR("%s: rampatch file version did not match with firmware", 2565 hdev->name); 2566 err = -EINVAL; 2567 goto done; 2568 } 2569 2570 err = btusb_setup_qca_download_fw(hdev, fw, info->rampatch_hdr); 2571 2572 done: 2573 release_firmware(fw); 2574 2575 return err; 2576 } 2577 2578 static int btusb_setup_qca_load_nvm(struct hci_dev *hdev, 2579 struct qca_version *ver, 2580 const struct qca_device_info *info) 2581 { 2582 const struct firmware *fw; 2583 char fwname[64]; 2584 int err; 2585 2586 snprintf(fwname, sizeof(fwname), "qca/nvm_usb_%08x.bin", 2587 le32_to_cpu(ver->rom_version)); 2588 2589 err = request_firmware(&fw, fwname, &hdev->dev); 2590 if (err) { 2591 BT_ERR("%s: failed to request NVM file: %s (%d)", 2592 hdev->name, fwname, err); 2593 return err; 2594 } 2595 2596 BT_INFO("%s: using NVM file: %s", hdev->name, fwname); 2597 2598 err = btusb_setup_qca_download_fw(hdev, fw, info->nvm_hdr); 2599 2600 release_firmware(fw); 2601 2602 return err; 2603 } 2604 2605 static int btusb_setup_qca(struct hci_dev *hdev) 2606 { 2607 const struct qca_device_info *info = NULL; 2608 struct qca_version ver; 2609 u32 ver_rom; 2610 u8 status; 2611 int i, err; 2612 2613 err = btusb_qca_send_vendor_req(hdev, QCA_GET_TARGET_VERSION, &ver, 2614 sizeof(ver)); 2615 if (err < 0) 2616 return err; 2617 2618 ver_rom = le32_to_cpu(ver.rom_version); 2619 for (i = 0; i < ARRAY_SIZE(qca_devices_table); i++) { 2620 if (ver_rom == qca_devices_table[i].rom_version) 2621 info = &qca_devices_table[i]; 2622 } 2623 if (!info) { 2624 BT_ERR("%s: don't support firmware rome 0x%x", hdev->name, 2625 ver_rom); 2626 return -ENODEV; 2627 } 2628 2629 err = btusb_qca_send_vendor_req(hdev, QCA_CHECK_STATUS, &status, 2630 sizeof(status)); 2631 if (err < 0) 2632 return err; 2633 2634 if (!(status & QCA_PATCH_UPDATED)) { 2635 err = btusb_setup_qca_load_rampatch(hdev, &ver, info); 2636 if (err < 0) 2637 return err; 2638 } 2639 2640 if (!(status & QCA_SYSCFG_UPDATED)) { 2641 err = btusb_setup_qca_load_nvm(hdev, &ver, info); 2642 if (err < 0) 2643 return err; 2644 } 2645 2646 return 0; 2647 } 2648 2649 static int btusb_probe(struct usb_interface *intf, 2650 const struct usb_device_id *id) 2651 { 2652 struct usb_endpoint_descriptor *ep_desc; 2653 struct btusb_data *data; 2654 struct hci_dev *hdev; 2655 int i, err; 2656 2657 BT_DBG("intf %p id %p", intf, id); 2658 2659 /* interface numbers are hardcoded in the spec */ 2660 if (intf->cur_altsetting->desc.bInterfaceNumber != 0) 2661 return -ENODEV; 2662 2663 if (!id->driver_info) { 2664 const struct usb_device_id *match; 2665 2666 match = usb_match_id(intf, blacklist_table); 2667 if (match) 2668 id = match; 2669 } 2670 2671 if (id->driver_info == BTUSB_IGNORE) 2672 return -ENODEV; 2673 2674 if (id->driver_info & BTUSB_ATH3012) { 2675 struct usb_device *udev = interface_to_usbdev(intf); 2676 2677 /* Old firmware would otherwise let ath3k driver load 2678 * patch and sysconfig files */ 2679 if (le16_to_cpu(udev->descriptor.bcdDevice) <= 0x0001) 2680 return -ENODEV; 2681 } 2682 2683 data = devm_kzalloc(&intf->dev, sizeof(*data), GFP_KERNEL); 2684 if (!data) 2685 return -ENOMEM; 2686 2687 for (i = 0; i < intf->cur_altsetting->desc.bNumEndpoints; i++) { 2688 ep_desc = &intf->cur_altsetting->endpoint[i].desc; 2689 2690 if (!data->intr_ep && usb_endpoint_is_int_in(ep_desc)) { 2691 data->intr_ep = ep_desc; 2692 continue; 2693 } 2694 2695 if (!data->bulk_tx_ep && usb_endpoint_is_bulk_out(ep_desc)) { 2696 data->bulk_tx_ep = ep_desc; 2697 continue; 2698 } 2699 2700 if (!data->bulk_rx_ep && usb_endpoint_is_bulk_in(ep_desc)) { 2701 data->bulk_rx_ep = ep_desc; 2702 continue; 2703 } 2704 } 2705 2706 if (!data->intr_ep || !data->bulk_tx_ep || !data->bulk_rx_ep) 2707 return -ENODEV; 2708 2709 if (id->driver_info & BTUSB_AMP) { 2710 data->cmdreq_type = USB_TYPE_CLASS | 0x01; 2711 data->cmdreq = 0x2b; 2712 } else { 2713 data->cmdreq_type = USB_TYPE_CLASS; 2714 data->cmdreq = 0x00; 2715 } 2716 2717 data->udev = interface_to_usbdev(intf); 2718 data->intf = intf; 2719 2720 INIT_WORK(&data->work, btusb_work); 2721 INIT_WORK(&data->waker, btusb_waker); 2722 init_usb_anchor(&data->deferred); 2723 init_usb_anchor(&data->tx_anchor); 2724 spin_lock_init(&data->txlock); 2725 2726 init_usb_anchor(&data->intr_anchor); 2727 init_usb_anchor(&data->bulk_anchor); 2728 init_usb_anchor(&data->isoc_anchor); 2729 spin_lock_init(&data->rxlock); 2730 2731 if (id->driver_info & BTUSB_INTEL_NEW) { 2732 data->recv_event = btusb_recv_event_intel; 2733 data->recv_bulk = btusb_recv_bulk_intel; 2734 set_bit(BTUSB_BOOTLOADER, &data->flags); 2735 } else { 2736 data->recv_event = hci_recv_frame; 2737 data->recv_bulk = btusb_recv_bulk; 2738 } 2739 2740 hdev = hci_alloc_dev(); 2741 if (!hdev) 2742 return -ENOMEM; 2743 2744 hdev->bus = HCI_USB; 2745 hci_set_drvdata(hdev, data); 2746 2747 if (id->driver_info & BTUSB_AMP) 2748 hdev->dev_type = HCI_AMP; 2749 else 2750 hdev->dev_type = HCI_BREDR; 2751 2752 data->hdev = hdev; 2753 2754 SET_HCIDEV_DEV(hdev, &intf->dev); 2755 2756 hdev->open = btusb_open; 2757 hdev->close = btusb_close; 2758 hdev->flush = btusb_flush; 2759 hdev->send = btusb_send_frame; 2760 hdev->notify = btusb_notify; 2761 2762 if (id->driver_info & BTUSB_BCM92035) 2763 hdev->setup = btusb_setup_bcm92035; 2764 2765 #ifdef CONFIG_BT_HCIBTUSB_BCM 2766 if (id->driver_info & BTUSB_BCM_PATCHRAM) { 2767 hdev->setup = btbcm_setup_patchram; 2768 hdev->set_bdaddr = btbcm_set_bdaddr; 2769 } 2770 2771 if (id->driver_info & BTUSB_BCM_APPLE) 2772 hdev->setup = btbcm_setup_apple; 2773 #endif 2774 2775 if (id->driver_info & BTUSB_INTEL) { 2776 hdev->setup = btusb_setup_intel; 2777 hdev->shutdown = btusb_shutdown_intel; 2778 hdev->set_bdaddr = btintel_set_bdaddr; 2779 set_bit(HCI_QUIRK_STRICT_DUPLICATE_FILTER, &hdev->quirks); 2780 set_bit(HCI_QUIRK_SIMULTANEOUS_DISCOVERY, &hdev->quirks); 2781 } 2782 2783 if (id->driver_info & BTUSB_INTEL_NEW) { 2784 hdev->send = btusb_send_frame_intel; 2785 hdev->setup = btusb_setup_intel_new; 2786 hdev->hw_error = btusb_hw_error_intel; 2787 hdev->set_bdaddr = btintel_set_bdaddr; 2788 set_bit(HCI_QUIRK_STRICT_DUPLICATE_FILTER, &hdev->quirks); 2789 } 2790 2791 if (id->driver_info & BTUSB_MARVELL) 2792 hdev->set_bdaddr = btusb_set_bdaddr_marvell; 2793 2794 if (id->driver_info & BTUSB_SWAVE) { 2795 set_bit(HCI_QUIRK_FIXUP_INQUIRY_MODE, &hdev->quirks); 2796 set_bit(HCI_QUIRK_BROKEN_LOCAL_COMMANDS, &hdev->quirks); 2797 } 2798 2799 if (id->driver_info & BTUSB_INTEL_BOOT) 2800 set_bit(HCI_QUIRK_RAW_DEVICE, &hdev->quirks); 2801 2802 if (id->driver_info & BTUSB_ATH3012) { 2803 hdev->set_bdaddr = btusb_set_bdaddr_ath3012; 2804 set_bit(HCI_QUIRK_SIMULTANEOUS_DISCOVERY, &hdev->quirks); 2805 set_bit(HCI_QUIRK_STRICT_DUPLICATE_FILTER, &hdev->quirks); 2806 } 2807 2808 if (id->driver_info & BTUSB_QCA_ROME) { 2809 data->setup_on_usb = btusb_setup_qca; 2810 hdev->set_bdaddr = btusb_set_bdaddr_ath3012; 2811 } 2812 2813 #ifdef CONFIG_BT_HCIBTUSB_RTL 2814 if (id->driver_info & BTUSB_REALTEK) { 2815 hdev->setup = btrtl_setup_realtek; 2816 2817 /* Realtek devices lose their updated firmware over suspend, 2818 * but the USB hub doesn't notice any status change. 2819 * Explicitly request a device reset on resume. 2820 */ 2821 set_bit(BTUSB_RESET_RESUME, &data->flags); 2822 } 2823 #endif 2824 2825 if (id->driver_info & BTUSB_AMP) { 2826 /* AMP controllers do not support SCO packets */ 2827 data->isoc = NULL; 2828 } else { 2829 /* Interface numbers are hardcoded in the specification */ 2830 data->isoc = usb_ifnum_to_if(data->udev, 1); 2831 } 2832 2833 if (!reset) 2834 set_bit(HCI_QUIRK_RESET_ON_CLOSE, &hdev->quirks); 2835 2836 if (force_scofix || id->driver_info & BTUSB_WRONG_SCO_MTU) { 2837 if (!disable_scofix) 2838 set_bit(HCI_QUIRK_FIXUP_BUFFER_SIZE, &hdev->quirks); 2839 } 2840 2841 if (id->driver_info & BTUSB_BROKEN_ISOC) 2842 data->isoc = NULL; 2843 2844 if (id->driver_info & BTUSB_DIGIANSWER) { 2845 data->cmdreq_type = USB_TYPE_VENDOR; 2846 set_bit(HCI_QUIRK_RESET_ON_CLOSE, &hdev->quirks); 2847 } 2848 2849 if (id->driver_info & BTUSB_CSR) { 2850 struct usb_device *udev = data->udev; 2851 u16 bcdDevice = le16_to_cpu(udev->descriptor.bcdDevice); 2852 2853 /* Old firmware would otherwise execute USB reset */ 2854 if (bcdDevice < 0x117) 2855 set_bit(HCI_QUIRK_RESET_ON_CLOSE, &hdev->quirks); 2856 2857 /* Fake CSR devices with broken commands */ 2858 if (bcdDevice <= 0x100) 2859 hdev->setup = btusb_setup_csr; 2860 2861 set_bit(HCI_QUIRK_SIMULTANEOUS_DISCOVERY, &hdev->quirks); 2862 } 2863 2864 if (id->driver_info & BTUSB_SNIFFER) { 2865 struct usb_device *udev = data->udev; 2866 2867 /* New sniffer firmware has crippled HCI interface */ 2868 if (le16_to_cpu(udev->descriptor.bcdDevice) > 0x997) 2869 set_bit(HCI_QUIRK_RAW_DEVICE, &hdev->quirks); 2870 } 2871 2872 if (id->driver_info & BTUSB_INTEL_BOOT) { 2873 /* A bug in the bootloader causes that interrupt interface is 2874 * only enabled after receiving SetInterface(0, AltSetting=0). 2875 */ 2876 err = usb_set_interface(data->udev, 0, 0); 2877 if (err < 0) { 2878 BT_ERR("failed to set interface 0, alt 0 %d", err); 2879 hci_free_dev(hdev); 2880 return err; 2881 } 2882 } 2883 2884 if (data->isoc) { 2885 err = usb_driver_claim_interface(&btusb_driver, 2886 data->isoc, data); 2887 if (err < 0) { 2888 hci_free_dev(hdev); 2889 return err; 2890 } 2891 } 2892 2893 err = hci_register_dev(hdev); 2894 if (err < 0) { 2895 hci_free_dev(hdev); 2896 return err; 2897 } 2898 2899 usb_set_intfdata(intf, data); 2900 2901 return 0; 2902 } 2903 2904 static void btusb_disconnect(struct usb_interface *intf) 2905 { 2906 struct btusb_data *data = usb_get_intfdata(intf); 2907 struct hci_dev *hdev; 2908 2909 BT_DBG("intf %p", intf); 2910 2911 if (!data) 2912 return; 2913 2914 hdev = data->hdev; 2915 usb_set_intfdata(data->intf, NULL); 2916 2917 if (data->isoc) 2918 usb_set_intfdata(data->isoc, NULL); 2919 2920 hci_unregister_dev(hdev); 2921 2922 if (intf == data->isoc) 2923 usb_driver_release_interface(&btusb_driver, data->intf); 2924 else if (data->isoc) 2925 usb_driver_release_interface(&btusb_driver, data->isoc); 2926 2927 hci_free_dev(hdev); 2928 } 2929 2930 #ifdef CONFIG_PM 2931 static int btusb_suspend(struct usb_interface *intf, pm_message_t message) 2932 { 2933 struct btusb_data *data = usb_get_intfdata(intf); 2934 2935 BT_DBG("intf %p", intf); 2936 2937 if (data->suspend_count++) 2938 return 0; 2939 2940 spin_lock_irq(&data->txlock); 2941 if (!(PMSG_IS_AUTO(message) && data->tx_in_flight)) { 2942 set_bit(BTUSB_SUSPENDING, &data->flags); 2943 spin_unlock_irq(&data->txlock); 2944 } else { 2945 spin_unlock_irq(&data->txlock); 2946 data->suspend_count--; 2947 return -EBUSY; 2948 } 2949 2950 cancel_work_sync(&data->work); 2951 2952 btusb_stop_traffic(data); 2953 usb_kill_anchored_urbs(&data->tx_anchor); 2954 2955 /* Optionally request a device reset on resume, but only when 2956 * wakeups are disabled. If wakeups are enabled we assume the 2957 * device will stay powered up throughout suspend. 2958 */ 2959 if (test_bit(BTUSB_RESET_RESUME, &data->flags) && 2960 !device_may_wakeup(&data->udev->dev)) 2961 data->udev->reset_resume = 1; 2962 2963 return 0; 2964 } 2965 2966 static void play_deferred(struct btusb_data *data) 2967 { 2968 struct urb *urb; 2969 int err; 2970 2971 while ((urb = usb_get_from_anchor(&data->deferred))) { 2972 err = usb_submit_urb(urb, GFP_ATOMIC); 2973 if (err < 0) 2974 break; 2975 2976 data->tx_in_flight++; 2977 } 2978 usb_scuttle_anchored_urbs(&data->deferred); 2979 } 2980 2981 static int btusb_resume(struct usb_interface *intf) 2982 { 2983 struct btusb_data *data = usb_get_intfdata(intf); 2984 struct hci_dev *hdev = data->hdev; 2985 int err = 0; 2986 2987 BT_DBG("intf %p", intf); 2988 2989 if (--data->suspend_count) 2990 return 0; 2991 2992 if (!test_bit(HCI_RUNNING, &hdev->flags)) 2993 goto done; 2994 2995 if (test_bit(BTUSB_INTR_RUNNING, &data->flags)) { 2996 err = btusb_submit_intr_urb(hdev, GFP_NOIO); 2997 if (err < 0) { 2998 clear_bit(BTUSB_INTR_RUNNING, &data->flags); 2999 goto failed; 3000 } 3001 } 3002 3003 if (test_bit(BTUSB_BULK_RUNNING, &data->flags)) { 3004 err = btusb_submit_bulk_urb(hdev, GFP_NOIO); 3005 if (err < 0) { 3006 clear_bit(BTUSB_BULK_RUNNING, &data->flags); 3007 goto failed; 3008 } 3009 3010 btusb_submit_bulk_urb(hdev, GFP_NOIO); 3011 } 3012 3013 if (test_bit(BTUSB_ISOC_RUNNING, &data->flags)) { 3014 if (btusb_submit_isoc_urb(hdev, GFP_NOIO) < 0) 3015 clear_bit(BTUSB_ISOC_RUNNING, &data->flags); 3016 else 3017 btusb_submit_isoc_urb(hdev, GFP_NOIO); 3018 } 3019 3020 spin_lock_irq(&data->txlock); 3021 play_deferred(data); 3022 clear_bit(BTUSB_SUSPENDING, &data->flags); 3023 spin_unlock_irq(&data->txlock); 3024 schedule_work(&data->work); 3025 3026 return 0; 3027 3028 failed: 3029 usb_scuttle_anchored_urbs(&data->deferred); 3030 done: 3031 spin_lock_irq(&data->txlock); 3032 clear_bit(BTUSB_SUSPENDING, &data->flags); 3033 spin_unlock_irq(&data->txlock); 3034 3035 return err; 3036 } 3037 #endif 3038 3039 static struct usb_driver btusb_driver = { 3040 .name = "btusb", 3041 .probe = btusb_probe, 3042 .disconnect = btusb_disconnect, 3043 #ifdef CONFIG_PM 3044 .suspend = btusb_suspend, 3045 .resume = btusb_resume, 3046 #endif 3047 .id_table = btusb_table, 3048 .supports_autosuspend = 1, 3049 .disable_hub_initiated_lpm = 1, 3050 }; 3051 3052 module_usb_driver(btusb_driver); 3053 3054 module_param(disable_scofix, bool, 0644); 3055 MODULE_PARM_DESC(disable_scofix, "Disable fixup of wrong SCO buffer size"); 3056 3057 module_param(force_scofix, bool, 0644); 3058 MODULE_PARM_DESC(force_scofix, "Force fixup of wrong SCO buffers size"); 3059 3060 module_param(reset, bool, 0644); 3061 MODULE_PARM_DESC(reset, "Send HCI reset command on initialization"); 3062 3063 MODULE_AUTHOR("Marcel Holtmann <marcel@holtmann.org>"); 3064 MODULE_DESCRIPTION("Generic Bluetooth USB driver ver " VERSION); 3065 MODULE_VERSION(VERSION); 3066 MODULE_LICENSE("GPL"); 3067