drivers/bluetooth/btusb.c

   1 /*
   2  *
   3  *  Generic Bluetooth USB driver
   4  *
   5  *  Copyright (C) 2005-2008  Marcel Holtmann <marcel@holtmann.org>
   6  *
   7  *
   8  *  This program is free software; you can redistribute it and/or modify
   9  *  it under the terms of the GNU General Public License as published by
  10  *  the Free Software Foundation; either version 2 of the License, or
  11  *  (at your option) any later version.
  12  *
  13  *  This program is distributed in the hope that it will be useful,
  14  *  but WITHOUT ANY WARRANTY; without even the implied warranty of
  15  *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  16  *  GNU General Public License for more details.
  17  *
  18  *  You should have received a copy of the GNU General Public License
  19  *  along with this program; if not, write to the Free Software
  20  *  Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
  21  *
  22  */
  23
  24 #include <linux/module.h>
  25 #include <linux/usb.h>
  26 #include <linux/firmware.h>
  27
  28 #include <net/bluetooth/bluetooth.h>
  29 #include <net/bluetooth/hci_core.h>
  30
  31 #define VERSION "0.6"
  32
  33 static bool disable_scofix;
  34 static bool force_scofix;
  35
  36 static bool reset = 1;
  37
  38 static struct usb_driver btusb_driver;
  39
  40 #define BTUSB_IGNORE            0x01
  41 #define BTUSB_DIGIANSWER        0x02
  42 #define BTUSB_CSR               0x04
  43 #define BTUSB_SNIFFER           0x08
  44 #define BTUSB_BCM92035          0x10
  45 #define BTUSB_BROKEN_ISOC       0x20
  46 #define BTUSB_WRONG_SCO_MTU     0x40
  47 #define BTUSB_ATH3012           0x80
  48 #define BTUSB_INTEL             0x100
  49 #define BTUSB_INTEL_BOOT        0x200
  50 #define BTUSB_BCM_PATCHRAM      0x400
  51 #define BTUSB_MARVELL           0x800
  52 #define BTUSB_SWAVE             0x1000
  53
  54 static const struct usb_device_id btusb_table[] = {
  55         /* Generic Bluetooth USB device */
  56         { USB_DEVICE_INFO(0xe0, 0x01, 0x01) },
  57
  58         /* Apple-specific (Broadcom) devices */
  59         { USB_VENDOR_AND_INTERFACE_INFO(0x05ac, 0xff, 0x01, 0x01) },
  60
  61         /* MediaTek MT76x0E */
  62         { USB_DEVICE(0x0e8d, 0x763f) },
  63
  64         /* Broadcom SoftSailing reporting vendor specific */
  65         { USB_DEVICE(0x0a5c, 0x21e1) },
  66
  67         /* Apple MacBookPro 7,1 */
  68         { USB_DEVICE(0x05ac, 0x8213) },
  69
  70         /* Apple iMac11,1 */
  71         { USB_DEVICE(0x05ac, 0x8215) },
  72
  73         /* Apple MacBookPro6,2 */
  74         { USB_DEVICE(0x05ac, 0x8218) },
  75
  76         /* Apple MacBookAir3,1, MacBookAir3,2 */
  77         { USB_DEVICE(0x05ac, 0x821b) },
  78
  79         /* Apple MacBookAir4,1 */
  80         { USB_DEVICE(0x05ac, 0x821f) },
  81
  82         /* Apple MacBookPro8,2 */
  83         { USB_DEVICE(0x05ac, 0x821a) },
  84
  85         /* Apple MacMini5,1 */
  86         { USB_DEVICE(0x05ac, 0x8281) },
  87
  88         /* AVM BlueFRITZ! USB v2.0 */
  89         { USB_DEVICE(0x057c, 0x3800), .driver_info = BTUSB_SWAVE },
  90
  91         /* Bluetooth Ultraport Module from IBM */
  92         { USB_DEVICE(0x04bf, 0x030a) },
  93
  94         /* ALPS Modules with non-standard id */
  95         { USB_DEVICE(0x044e, 0x3001) },
  96         { USB_DEVICE(0x044e, 0x3002) },
  97
  98         /* Ericsson with non-standard id */
  99         { USB_DEVICE(0x0bdb, 0x1002) },
 100
 101         /* Canyon CN-BTU1 with HID interfaces */
 102         { USB_DEVICE(0x0c10, 0x0000) },
 103
 104         /* Broadcom BCM20702A0 */
 105         { USB_DEVICE(0x0489, 0xe042) },
 106         { USB_DEVICE(0x04ca, 0x2003) },
 107         { USB_DEVICE(0x0b05, 0x17b5) },
 108         { USB_DEVICE(0x0b05, 0x17cb) },
 109         { USB_DEVICE(0x413c, 0x8197) },
 110         { USB_DEVICE(0x13d3, 0x3404),
 111           .driver_info = BTUSB_BCM_PATCHRAM },
 112
 113         /* Broadcom BCM20702B0 (Dynex/Insignia) */
 114         { USB_DEVICE(0x19ff, 0x0239), .driver_info = BTUSB_BCM_PATCHRAM },
 115
 116         /* Foxconn - Hon Hai */
 117         { USB_VENDOR_AND_INTERFACE_INFO(0x0489, 0xff, 0x01, 0x01),
 118           .driver_info = BTUSB_BCM_PATCHRAM },
 119
 120         /* Broadcom devices with vendor specific id */
 121         { USB_VENDOR_AND_INTERFACE_INFO(0x0a5c, 0xff, 0x01, 0x01),
 122           .driver_info = BTUSB_BCM_PATCHRAM },
 123
 124         /* ASUSTek Computer - Broadcom based */
 125         { USB_VENDOR_AND_INTERFACE_INFO(0x0b05, 0xff, 0x01, 0x01),
 126           .driver_info = BTUSB_BCM_PATCHRAM },
 127
 128         /* Belkin F8065bf - Broadcom based */
 129         { USB_VENDOR_AND_INTERFACE_INFO(0x050d, 0xff, 0x01, 0x01) },
 130
 131         /* IMC Networks - Broadcom based */
 132         { USB_VENDOR_AND_INTERFACE_INFO(0x13d3, 0xff, 0x01, 0x01) },
 133
 134         /* Intel Bluetooth USB Bootloader (RAM module) */
 135         { USB_DEVICE(0x8087, 0x0a5a),
 136           .driver_info = BTUSB_INTEL_BOOT | BTUSB_BROKEN_ISOC },
 137
 138         { }     /* Terminating entry */
 139 };
 140
 141 MODULE_DEVICE_TABLE(usb, btusb_table);
 142
 143 static const struct usb_device_id blacklist_table[] = {
 144         /* CSR BlueCore devices */
 145         { USB_DEVICE(0x0a12, 0x0001), .driver_info = BTUSB_CSR },
 146
 147         /* Broadcom BCM2033 without firmware */
 148         { USB_DEVICE(0x0a5c, 0x2033), .driver_info = BTUSB_IGNORE },
 149
 150         /* Atheros 3011 with sflash firmware */
 151         { USB_DEVICE(0x0489, 0xe027), .driver_info = BTUSB_IGNORE },
 152         { USB_DEVICE(0x0489, 0xe03d), .driver_info = BTUSB_IGNORE },
 153         { USB_DEVICE(0x0930, 0x0215), .driver_info = BTUSB_IGNORE },
 154         { USB_DEVICE(0x0cf3, 0x3002), .driver_info = BTUSB_IGNORE },
 155         { USB_DEVICE(0x0cf3, 0xe019), .driver_info = BTUSB_IGNORE },
 156         { USB_DEVICE(0x13d3, 0x3304), .driver_info = BTUSB_IGNORE },
 157
 158         /* Atheros AR9285 Malbec with sflash firmware */
 159         { USB_DEVICE(0x03f0, 0x311d), .driver_info = BTUSB_IGNORE },
 160
 161         /* Atheros 3012 with sflash firmware */
 162         { USB_DEVICE(0x0489, 0xe04d), .driver_info = BTUSB_ATH3012 },
 163         { USB_DEVICE(0x0489, 0xe04e), .driver_info = BTUSB_ATH3012 },
 164         { USB_DEVICE(0x0489, 0xe056), .driver_info = BTUSB_ATH3012 },
 165         { USB_DEVICE(0x0489, 0xe057), .driver_info = BTUSB_ATH3012 },
 166         { USB_DEVICE(0x0489, 0xe05f), .driver_info = BTUSB_ATH3012 },
 167         { USB_DEVICE(0x0489, 0xe078), .driver_info = BTUSB_ATH3012 },
 168         { USB_DEVICE(0x04c5, 0x1330), .driver_info = BTUSB_ATH3012 },
 169         { USB_DEVICE(0x04ca, 0x3004), .driver_info = BTUSB_ATH3012 },
 170         { USB_DEVICE(0x04ca, 0x3005), .driver_info = BTUSB_ATH3012 },
 171         { USB_DEVICE(0x04ca, 0x3006), .driver_info = BTUSB_ATH3012 },
 172         { USB_DEVICE(0x04ca, 0x3007), .driver_info = BTUSB_ATH3012 },
 173         { USB_DEVICE(0x04ca, 0x3008), .driver_info = BTUSB_ATH3012 },
 174         { USB_DEVICE(0x04ca, 0x300b), .driver_info = BTUSB_ATH3012 },
 175         { USB_DEVICE(0x04ca, 0x3010), .driver_info = BTUSB_ATH3012 },
 176         { USB_DEVICE(0x0930, 0x0219), .driver_info = BTUSB_ATH3012 },
 177         { USB_DEVICE(0x0930, 0x0220), .driver_info = BTUSB_ATH3012 },
 178         { USB_DEVICE(0x0930, 0x0227), .driver_info = BTUSB_ATH3012 },
 179         { USB_DEVICE(0x0b05, 0x17d0), .driver_info = BTUSB_ATH3012 },
 180         { USB_DEVICE(0x0cf3, 0x0036), .driver_info = BTUSB_ATH3012 },
 181         { USB_DEVICE(0x0cf3, 0x3004), .driver_info = BTUSB_ATH3012 },
 182         { USB_DEVICE(0x0cf3, 0x3008), .driver_info = BTUSB_ATH3012 },
 183         { USB_DEVICE(0x0cf3, 0x311d), .driver_info = BTUSB_ATH3012 },
 184         { USB_DEVICE(0x0cf3, 0x311e), .driver_info = BTUSB_ATH3012 },
 185         { USB_DEVICE(0x0cf3, 0x311f), .driver_info = BTUSB_ATH3012 },
 186         { USB_DEVICE(0x0cf3, 0x3121), .driver_info = BTUSB_ATH3012 },
 187         { USB_DEVICE(0x0cf3, 0x817a), .driver_info = BTUSB_ATH3012 },
 188         { USB_DEVICE(0x0cf3, 0xe003), .driver_info = BTUSB_ATH3012 },
 189         { USB_DEVICE(0x0cf3, 0xe004), .driver_info = BTUSB_ATH3012 },
 190         { USB_DEVICE(0x0cf3, 0xe005), .driver_info = BTUSB_ATH3012 },
 191         { USB_DEVICE(0x13d3, 0x3362), .driver_info = BTUSB_ATH3012 },
 192         { USB_DEVICE(0x13d3, 0x3375), .driver_info = BTUSB_ATH3012 },
 193         { USB_DEVICE(0x13d3, 0x3393), .driver_info = BTUSB_ATH3012 },
 194         { USB_DEVICE(0x13d3, 0x3402), .driver_info = BTUSB_ATH3012 },
 195         { USB_DEVICE(0x13d3, 0x3408), .driver_info = BTUSB_ATH3012 },
 196         { USB_DEVICE(0x13d3, 0x3423), .driver_info = BTUSB_ATH3012 },
 197         { USB_DEVICE(0x13d3, 0x3432), .driver_info = BTUSB_ATH3012 },
 198
 199         /* Atheros AR5BBU12 with sflash firmware */
 200         { USB_DEVICE(0x0489, 0xe02c), .driver_info = BTUSB_IGNORE },
 201
 202         /* Atheros AR5BBU12 with sflash firmware */
 203         { USB_DEVICE(0x0489, 0xe036), .driver_info = BTUSB_ATH3012 },
 204         { USB_DEVICE(0x0489, 0xe03c), .driver_info = BTUSB_ATH3012 },
 205
 206         /* Broadcom BCM2035 */
 207         { USB_DEVICE(0x0a5c, 0x2009), .driver_info = BTUSB_BCM92035 },
 208         { USB_DEVICE(0x0a5c, 0x200a), .driver_info = BTUSB_WRONG_SCO_MTU },
 209         { USB_DEVICE(0x0a5c, 0x2035), .driver_info = BTUSB_WRONG_SCO_MTU },
 210
 211         /* Broadcom BCM2045 */
 212         { USB_DEVICE(0x0a5c, 0x2039), .driver_info = BTUSB_WRONG_SCO_MTU },
 213         { USB_DEVICE(0x0a5c, 0x2101), .driver_info = BTUSB_WRONG_SCO_MTU },
 214
 215         /* IBM/Lenovo ThinkPad with Broadcom chip */
 216         { USB_DEVICE(0x0a5c, 0x201e), .driver_info = BTUSB_WRONG_SCO_MTU },
 217         { USB_DEVICE(0x0a5c, 0x2110), .driver_info = BTUSB_WRONG_SCO_MTU },
 218
 219         /* HP laptop with Broadcom chip */
 220         { USB_DEVICE(0x03f0, 0x171d), .driver_info = BTUSB_WRONG_SCO_MTU },
 221
 222         /* Dell laptop with Broadcom chip */
 223         { USB_DEVICE(0x413c, 0x8126), .driver_info = BTUSB_WRONG_SCO_MTU },
 224
 225         /* Dell Wireless 370 and 410 devices */
 226         { USB_DEVICE(0x413c, 0x8152), .driver_info = BTUSB_WRONG_SCO_MTU },
 227         { USB_DEVICE(0x413c, 0x8156), .driver_info = BTUSB_WRONG_SCO_MTU },
 228
 229         /* Belkin F8T012 and F8T013 devices */
 230         { USB_DEVICE(0x050d, 0x0012), .driver_info = BTUSB_WRONG_SCO_MTU },
 231         { USB_DEVICE(0x050d, 0x0013), .driver_info = BTUSB_WRONG_SCO_MTU },
 232
 233         /* Asus WL-BTD202 device */
 234         { USB_DEVICE(0x0b05, 0x1715), .driver_info = BTUSB_WRONG_SCO_MTU },
 235
 236         /* Kensington Bluetooth USB adapter */
 237         { USB_DEVICE(0x047d, 0x105e), .driver_info = BTUSB_WRONG_SCO_MTU },
 238
 239         /* RTX Telecom based adapters with buggy SCO support */
 240         { USB_DEVICE(0x0400, 0x0807), .driver_info = BTUSB_BROKEN_ISOC },
 241         { USB_DEVICE(0x0400, 0x080a), .driver_info = BTUSB_BROKEN_ISOC },
 242
 243         /* CONWISE Technology based adapters with buggy SCO support */
 244         { USB_DEVICE(0x0e5e, 0x6622), .driver_info = BTUSB_BROKEN_ISOC },
 245
 246         /* Roper Class 1 Bluetooth Dongle (Silicon Wave based) */
 247         { USB_DEVICE(0x1300, 0x0001), .driver_info = BTUSB_SWAVE },
 248
 249         /* Digianswer devices */
 250         { USB_DEVICE(0x08fd, 0x0001), .driver_info = BTUSB_DIGIANSWER },
 251         { USB_DEVICE(0x08fd, 0x0002), .driver_info = BTUSB_IGNORE },
 252
 253         /* CSR BlueCore Bluetooth Sniffer */
 254         { USB_DEVICE(0x0a12, 0x0002),
 255           .driver_info = BTUSB_SNIFFER | BTUSB_BROKEN_ISOC },
 256
 257         /* Frontline ComProbe Bluetooth Sniffer */
 258         { USB_DEVICE(0x16d3, 0x0002),
 259           .driver_info = BTUSB_SNIFFER | BTUSB_BROKEN_ISOC },
 260
 261         /* Intel Bluetooth device */
 262         { USB_DEVICE(0x8087, 0x07dc), .driver_info = BTUSB_INTEL },
 263         { USB_DEVICE(0x8087, 0x0a2a), .driver_info = BTUSB_INTEL },
 264
 265         /* Marvell device */
 266         { USB_DEVICE(0x1286, 0x2044), .driver_info = BTUSB_MARVELL },
 267         { USB_DEVICE(0x1286, 0x2046), .driver_info = BTUSB_MARVELL },
 268
 269         { }     /* Terminating entry */
 270 };
 271
 272 #define BTUSB_MAX_ISOC_FRAMES   10
 273
 274 #define BTUSB_INTR_RUNNING      0
 275 #define BTUSB_BULK_RUNNING      1
 276 #define BTUSB_ISOC_RUNNING      2
 277 #define BTUSB_SUSPENDING        3
 278 #define BTUSB_DID_ISO_RESUME    4
 279
 280 struct btusb_data {
 281         struct hci_dev       *hdev;
 282         struct usb_device    *udev;
 283         struct usb_interface *intf;
 284         struct usb_interface *isoc;
 285
 286         unsigned long flags;
 287
 288         struct work_struct work;
 289         struct work_struct waker;
 290
 291         struct usb_anchor deferred;
 292         struct usb_anchor tx_anchor;
 293         int tx_in_flight;
 294         spinlock_t txlock;
 295
 296         struct usb_anchor intr_anchor;
 297         struct usb_anchor bulk_anchor;
 298         struct usb_anchor isoc_anchor;
 299         spinlock_t rxlock;
 300
 301         struct sk_buff *evt_skb;
 302         struct sk_buff *acl_skb;
 303         struct sk_buff *sco_skb;
 304
 305         struct usb_endpoint_descriptor *intr_ep;
 306         struct usb_endpoint_descriptor *bulk_tx_ep;
 307         struct usb_endpoint_descriptor *bulk_rx_ep;
 308         struct usb_endpoint_descriptor *isoc_tx_ep;
 309         struct usb_endpoint_descriptor *isoc_rx_ep;
 310
 311         __u8 cmdreq_type;
 312
 313         unsigned int sco_num;
 314         int isoc_altsetting;
 315         int suspend_count;
 316
 317         int (*recv_event)(struct hci_dev *hdev, struct sk_buff *skb);
 318         int (*recv_bulk)(struct btusb_data *data, void *buffer, int count);
 319 };
 320
 321 static inline void btusb_free_frags(struct btusb_data *data)
 322 {
 323         unsigned long flags;
 324
 325         spin_lock_irqsave(&data->rxlock, flags);
 326
 327         kfree_skb(data->evt_skb);
 328         data->evt_skb = NULL;
 329
 330         kfree_skb(data->acl_skb);
 331         data->acl_skb = NULL;
 332
 333         kfree_skb(data->sco_skb);
 334         data->sco_skb = NULL;
 335
 336         spin_unlock_irqrestore(&data->rxlock, flags);
 337 }
 338
 339 static int btusb_recv_intr(struct btusb_data *data, void *buffer, int count)
 340 {
 341         struct sk_buff *skb;
 342         int err = 0;
 343
 344         spin_lock(&data->rxlock);
 345         skb = data->evt_skb;
 346
 347         while (count) {
 348                 int len;
 349
 350                 if (!skb) {
 351                         skb = bt_skb_alloc(HCI_MAX_EVENT_SIZE, GFP_ATOMIC);
 352                         if (!skb) {
 353                                 err = -ENOMEM;
 354                                 break;
 355                         }
 356
 357                         bt_cb(skb)->pkt_type = HCI_EVENT_PKT;
 358                         bt_cb(skb)->expect = HCI_EVENT_HDR_SIZE;
 359                 }
 360
 361                 len = min_t(uint, bt_cb(skb)->expect, count);
 362                 memcpy(skb_put(skb, len), buffer, len);
 363
 364                 count -= len;
 365                 buffer += len;
 366                 bt_cb(skb)->expect -= len;
 367
 368                 if (skb->len == HCI_EVENT_HDR_SIZE) {
 369                         /* Complete event header */
 370                         bt_cb(skb)->expect = hci_event_hdr(skb)->plen;
 371
 372                         if (skb_tailroom(skb) < bt_cb(skb)->expect) {
 373                                 kfree_skb(skb);
 374                                 skb = NULL;
 375
 376                                 err = -EILSEQ;
 377                                 break;
 378                         }
 379                 }
 380
 381                 if (bt_cb(skb)->expect == 0) {
 382                         /* Complete frame */
 383                         data->recv_event(data->hdev, skb);
 384                         skb = NULL;
 385                 }
 386         }
 387
 388         data->evt_skb = skb;
 389         spin_unlock(&data->rxlock);
 390
 391         return err;
 392 }
 393
 394 static int btusb_recv_bulk(struct btusb_data *data, void *buffer, int count)
 395 {
 396         struct sk_buff *skb;
 397         int err = 0;
 398
 399         spin_lock(&data->rxlock);
 400         skb = data->acl_skb;
 401
 402         while (count) {
 403                 int len;
 404
 405                 if (!skb) {
 406                         skb = bt_skb_alloc(HCI_MAX_FRAME_SIZE, GFP_ATOMIC);
 407                         if (!skb) {
 408                                 err = -ENOMEM;
 409                                 break;
 410                         }
 411
 412                         bt_cb(skb)->pkt_type = HCI_ACLDATA_PKT;
 413                         bt_cb(skb)->expect = HCI_ACL_HDR_SIZE;
 414                 }
 415
 416                 len = min_t(uint, bt_cb(skb)->expect, count);
 417                 memcpy(skb_put(skb, len), buffer, len);
 418
 419                 count -= len;
 420                 buffer += len;
 421                 bt_cb(skb)->expect -= len;
 422
 423                 if (skb->len == HCI_ACL_HDR_SIZE) {
 424                         __le16 dlen = hci_acl_hdr(skb)->dlen;
 425
 426                         /* Complete ACL header */
 427                         bt_cb(skb)->expect = __le16_to_cpu(dlen);
 428
 429                         if (skb_tailroom(skb) < bt_cb(skb)->expect) {
 430                                 kfree_skb(skb);
 431                                 skb = NULL;
 432
 433                                 err = -EILSEQ;
 434                                 break;
 435                         }
 436                 }
 437
 438                 if (bt_cb(skb)->expect == 0) {
 439                         /* Complete frame */
 440                         hci_recv_frame(data->hdev, skb);
 441                         skb = NULL;
 442                 }
 443         }
 444
 445         data->acl_skb = skb;
 446         spin_unlock(&data->rxlock);
 447
 448         return err;
 449 }
 450
 451 static int btusb_recv_isoc(struct btusb_data *data, void *buffer, int count)
 452 {
 453         struct sk_buff *skb;
 454         int err = 0;
 455
 456         spin_lock(&data->rxlock);
 457         skb = data->sco_skb;
 458
 459         while (count) {
 460                 int len;
 461
 462                 if (!skb) {
 463                         skb = bt_skb_alloc(HCI_MAX_SCO_SIZE, GFP_ATOMIC);
 464                         if (!skb) {
 465                                 err = -ENOMEM;
 466                                 break;
 467                         }
 468
 469                         bt_cb(skb)->pkt_type = HCI_SCODATA_PKT;
 470                         bt_cb(skb)->expect = HCI_SCO_HDR_SIZE;
 471                 }
 472
 473                 len = min_t(uint, bt_cb(skb)->expect, count);
 474                 memcpy(skb_put(skb, len), buffer, len);
 475
 476                 count -= len;
 477                 buffer += len;
 478                 bt_cb(skb)->expect -= len;
 479
 480                 if (skb->len == HCI_SCO_HDR_SIZE) {
 481                         /* Complete SCO header */
 482                         bt_cb(skb)->expect = hci_sco_hdr(skb)->dlen;
 483
 484                         if (skb_tailroom(skb) < bt_cb(skb)->expect) {
 485                                 kfree_skb(skb);
 486                                 skb = NULL;
 487
 488                                 err = -EILSEQ;
 489                                 break;
 490                         }
 491                 }
 492
 493                 if (bt_cb(skb)->expect == 0) {
 494                         /* Complete frame */
 495                         hci_recv_frame(data->hdev, skb);
 496                         skb = NULL;
 497                 }
 498         }
 499
 500         data->sco_skb = skb;
 501         spin_unlock(&data->rxlock);
 502
 503         return err;
 504 }
 505
 506 static void btusb_intr_complete(struct urb *urb)
 507 {
 508         struct hci_dev *hdev = urb->context;
 509         struct btusb_data *data = hci_get_drvdata(hdev);
 510         int err;
 511
 512         BT_DBG("%s urb %p status %d count %d", hdev->name, urb, urb->status,
 513                urb->actual_length);
 514
 515         if (!test_bit(HCI_RUNNING, &hdev->flags))
 516                 return;
 517
 518         if (urb->status == 0) {
 519                 hdev->stat.byte_rx += urb->actual_length;
 520
 521                 if (btusb_recv_intr(data, urb->transfer_buffer,
 522                                     urb->actual_length) < 0) {
 523                         BT_ERR("%s corrupted event packet", hdev->name);
 524                         hdev->stat.err_rx++;
 525                 }
 526         } else if (urb->status == -ENOENT) {
 527                 /* Avoid suspend failed when usb_kill_urb */
 528                 return;
 529         }
 530
 531         if (!test_bit(BTUSB_INTR_RUNNING, &data->flags))
 532                 return;
 533
 534         usb_mark_last_busy(data->udev);
 535         usb_anchor_urb(urb, &data->intr_anchor);
 536
 537         err = usb_submit_urb(urb, GFP_ATOMIC);
 538         if (err < 0) {
 539                 /* -EPERM: urb is being killed;
 540                  * -ENODEV: device got disconnected */
 541                 if (err != -EPERM && err != -ENODEV)
 542                         BT_ERR("%s urb %p failed to resubmit (%d)",
 543                                hdev->name, urb, -err);
 544                 usb_unanchor_urb(urb);
 545         }
 546 }
 547
 548 static int btusb_submit_intr_urb(struct hci_dev *hdev, gfp_t mem_flags)
 549 {
 550         struct btusb_data *data = hci_get_drvdata(hdev);
 551         struct urb *urb;
 552         unsigned char *buf;
 553         unsigned int pipe;
 554         int err, size;
 555
 556         BT_DBG("%s", hdev->name);
 557
 558         if (!data->intr_ep)
 559                 return -ENODEV;
 560
 561         urb = usb_alloc_urb(0, mem_flags);
 562         if (!urb)
 563                 return -ENOMEM;
 564
 565         size = le16_to_cpu(data->intr_ep->wMaxPacketSize);
 566
 567         buf = kmalloc(size, mem_flags);
 568         if (!buf) {
 569                 usb_free_urb(urb);
 570                 return -ENOMEM;
 571         }
 572
 573         pipe = usb_rcvintpipe(data->udev, data->intr_ep->bEndpointAddress);
 574
 575         usb_fill_int_urb(urb, data->udev, pipe, buf, size,
 576                          btusb_intr_complete, hdev, data->intr_ep->bInterval);
 577
 578         urb->transfer_flags |= URB_FREE_BUFFER;
 579
 580         usb_anchor_urb(urb, &data->intr_anchor);
 581
 582         err = usb_submit_urb(urb, mem_flags);
 583         if (err < 0) {
 584                 if (err != -EPERM && err != -ENODEV)
 585                         BT_ERR("%s urb %p submission failed (%d)",
 586                                hdev->name, urb, -err);
 587                 usb_unanchor_urb(urb);
 588         }
 589
 590         usb_free_urb(urb);
 591
 592         return err;
 593 }
 594
 595 static void btusb_bulk_complete(struct urb *urb)
 596 {
 597         struct hci_dev *hdev = urb->context;
 598         struct btusb_data *data = hci_get_drvdata(hdev);
 599         int err;
 600
 601         BT_DBG("%s urb %p status %d count %d", hdev->name, urb, urb->status,
 602                urb->actual_length);
 603
 604         if (!test_bit(HCI_RUNNING, &hdev->flags))
 605                 return;
 606
 607         if (urb->status == 0) {
 608                 hdev->stat.byte_rx += urb->actual_length;
 609
 610                 if (data->recv_bulk(data, urb->transfer_buffer,
 611                                     urb->actual_length) < 0) {
 612                         BT_ERR("%s corrupted ACL packet", hdev->name);
 613                         hdev->stat.err_rx++;
 614                 }
 615         } else if (urb->status == -ENOENT) {
 616                 /* Avoid suspend failed when usb_kill_urb */
 617                 return;
 618         }
 619
 620         if (!test_bit(BTUSB_BULK_RUNNING, &data->flags))
 621                 return;
 622
 623         usb_anchor_urb(urb, &data->bulk_anchor);
 624         usb_mark_last_busy(data->udev);
 625
 626         err = usb_submit_urb(urb, GFP_ATOMIC);
 627         if (err < 0) {
 628                 /* -EPERM: urb is being killed;
 629                  * -ENODEV: device got disconnected */
 630                 if (err != -EPERM && err != -ENODEV)
 631                         BT_ERR("%s urb %p failed to resubmit (%d)",
 632                                hdev->name, urb, -err);
 633                 usb_unanchor_urb(urb);
 634         }
 635 }
 636
 637 static int btusb_submit_bulk_urb(struct hci_dev *hdev, gfp_t mem_flags)
 638 {
 639         struct btusb_data *data = hci_get_drvdata(hdev);
 640         struct urb *urb;
 641         unsigned char *buf;
 642         unsigned int pipe;
 643         int err, size = HCI_MAX_FRAME_SIZE;
 644
 645         BT_DBG("%s", hdev->name);
 646
 647         if (!data->bulk_rx_ep)
 648                 return -ENODEV;
 649
 650         urb = usb_alloc_urb(0, mem_flags);
 651         if (!urb)
 652                 return -ENOMEM;
 653
 654         buf = kmalloc(size, mem_flags);
 655         if (!buf) {
 656                 usb_free_urb(urb);
 657                 return -ENOMEM;
 658         }
 659
 660         pipe = usb_rcvbulkpipe(data->udev, data->bulk_rx_ep->bEndpointAddress);
 661
 662         usb_fill_bulk_urb(urb, data->udev, pipe, buf, size,
 663                           btusb_bulk_complete, hdev);
 664
 665         urb->transfer_flags |= URB_FREE_BUFFER;
 666
 667         usb_mark_last_busy(data->udev);
 668         usb_anchor_urb(urb, &data->bulk_anchor);
 669
 670         err = usb_submit_urb(urb, mem_flags);
 671         if (err < 0) {
 672                 if (err != -EPERM && err != -ENODEV)
 673                         BT_ERR("%s urb %p submission failed (%d)",
 674                                hdev->name, urb, -err);
 675                 usb_unanchor_urb(urb);
 676         }
 677
 678         usb_free_urb(urb);
 679
 680         return err;
 681 }
 682
 683 static void btusb_isoc_complete(struct urb *urb)
 684 {
 685         struct hci_dev *hdev = urb->context;
 686         struct btusb_data *data = hci_get_drvdata(hdev);
 687         int i, err;
 688
 689         BT_DBG("%s urb %p status %d count %d", hdev->name, urb, urb->status,
 690                urb->actual_length);
 691
 692         if (!test_bit(HCI_RUNNING, &hdev->flags))
 693                 return;
 694
 695         if (urb->status == 0) {
 696                 for (i = 0; i < urb->number_of_packets; i++) {
 697                         unsigned int offset = urb->iso_frame_desc[i].offset;
 698                         unsigned int length = urb->iso_frame_desc[i].actual_length;
 699
 700                         if (urb->iso_frame_desc[i].status)
 701                                 continue;
 702
 703                         hdev->stat.byte_rx += length;
 704
 705                         if (btusb_recv_isoc(data, urb->transfer_buffer + offset,
 706                                             length) < 0) {
 707                                 BT_ERR("%s corrupted SCO packet", hdev->name);
 708                                 hdev->stat.err_rx++;
 709                         }
 710                 }
 711         } else if (urb->status == -ENOENT) {
 712                 /* Avoid suspend failed when usb_kill_urb */
 713                 return;
 714         }
 715
 716         if (!test_bit(BTUSB_ISOC_RUNNING, &data->flags))
 717                 return;
 718
 719         usb_anchor_urb(urb, &data->isoc_anchor);
 720
 721         err = usb_submit_urb(urb, GFP_ATOMIC);
 722         if (err < 0) {
 723                 /* -EPERM: urb is being killed;
 724                  * -ENODEV: device got disconnected */
 725                 if (err != -EPERM && err != -ENODEV)
 726                         BT_ERR("%s urb %p failed to resubmit (%d)",
 727                                hdev->name, urb, -err);
 728                 usb_unanchor_urb(urb);
 729         }
 730 }
 731
 732 static inline void __fill_isoc_descriptor(struct urb *urb, int len, int mtu)
 733 {
 734         int i, offset = 0;
 735
 736         BT_DBG("len %d mtu %d", len, mtu);
 737
 738         for (i = 0; i < BTUSB_MAX_ISOC_FRAMES && len >= mtu;
 739                                         i++, offset += mtu, len -= mtu) {
 740                 urb->iso_frame_desc[i].offset = offset;
 741                 urb->iso_frame_desc[i].length = mtu;
 742         }
 743
 744         if (len && i < BTUSB_MAX_ISOC_FRAMES) {
 745                 urb->iso_frame_desc[i].offset = offset;
 746                 urb->iso_frame_desc[i].length = len;
 747                 i++;
 748         }
 749
 750         urb->number_of_packets = i;
 751 }
 752
 753 static int btusb_submit_isoc_urb(struct hci_dev *hdev, gfp_t mem_flags)
 754 {
 755         struct btusb_data *data = hci_get_drvdata(hdev);
 756         struct urb *urb;
 757         unsigned char *buf;
 758         unsigned int pipe;
 759         int err, size;
 760
 761         BT_DBG("%s", hdev->name);
 762
 763         if (!data->isoc_rx_ep)
 764                 return -ENODEV;
 765
 766         urb = usb_alloc_urb(BTUSB_MAX_ISOC_FRAMES, mem_flags);
 767         if (!urb)
 768                 return -ENOMEM;
 769
 770         size = le16_to_cpu(data->isoc_rx_ep->wMaxPacketSize) *
 771                                                 BTUSB_MAX_ISOC_FRAMES;
 772
 773         buf = kmalloc(size, mem_flags);
 774         if (!buf) {
 775                 usb_free_urb(urb);
 776                 return -ENOMEM;
 777         }
 778
 779         pipe = usb_rcvisocpipe(data->udev, data->isoc_rx_ep->bEndpointAddress);
 780
 781         usb_fill_int_urb(urb, data->udev, pipe, buf, size, btusb_isoc_complete,
 782                          hdev, data->isoc_rx_ep->bInterval);
 783
 784         urb->transfer_flags = URB_FREE_BUFFER | URB_ISO_ASAP;
 785
 786         __fill_isoc_descriptor(urb, size,
 787                                le16_to_cpu(data->isoc_rx_ep->wMaxPacketSize));
 788
 789         usb_anchor_urb(urb, &data->isoc_anchor);
 790
 791         err = usb_submit_urb(urb, mem_flags);
 792         if (err < 0) {
 793                 if (err != -EPERM && err != -ENODEV)
 794                         BT_ERR("%s urb %p submission failed (%d)",
 795                                hdev->name, urb, -err);
 796                 usb_unanchor_urb(urb);
 797         }
 798
 799         usb_free_urb(urb);
 800
 801         return err;
 802 }
 803
 804 static void btusb_tx_complete(struct urb *urb)
 805 {
 806         struct sk_buff *skb = urb->context;
 807         struct hci_dev *hdev = (struct hci_dev *)skb->dev;
 808         struct btusb_data *data = hci_get_drvdata(hdev);
 809
 810         BT_DBG("%s urb %p status %d count %d", hdev->name, urb, urb->status,
 811                urb->actual_length);
 812
 813         if (!test_bit(HCI_RUNNING, &hdev->flags))
 814                 goto done;
 815
 816         if (!urb->status)
 817                 hdev->stat.byte_tx += urb->transfer_buffer_length;
 818         else
 819                 hdev->stat.err_tx++;
 820
 821 done:
 822         spin_lock(&data->txlock);
 823         data->tx_in_flight--;
 824         spin_unlock(&data->txlock);
 825
 826         kfree(urb->setup_packet);
 827
 828         kfree_skb(skb);
 829 }
 830
 831 static void btusb_isoc_tx_complete(struct urb *urb)
 832 {
 833         struct sk_buff *skb = urb->context;
 834         struct hci_dev *hdev = (struct hci_dev *)skb->dev;
 835
 836         BT_DBG("%s urb %p status %d count %d", hdev->name, urb, urb->status,
 837                urb->actual_length);
 838
 839         if (!test_bit(HCI_RUNNING, &hdev->flags))
 840                 goto done;
 841
 842         if (!urb->status)
 843                 hdev->stat.byte_tx += urb->transfer_buffer_length;
 844         else
 845                 hdev->stat.err_tx++;
 846
 847 done:
 848         kfree(urb->setup_packet);
 849
 850         kfree_skb(skb);
 851 }
 852
 853 static int btusb_open(struct hci_dev *hdev)
 854 {
 855         struct btusb_data *data = hci_get_drvdata(hdev);
 856         int err;
 857
 858         BT_DBG("%s", hdev->name);
 859
 860         err = usb_autopm_get_interface(data->intf);
 861         if (err < 0)
 862                 return err;
 863
 864         data->intf->needs_remote_wakeup = 1;
 865
 866         if (test_and_set_bit(HCI_RUNNING, &hdev->flags))
 867                 goto done;
 868
 869         if (test_and_set_bit(BTUSB_INTR_RUNNING, &data->flags))
 870                 goto done;
 871
 872         err = btusb_submit_intr_urb(hdev, GFP_KERNEL);
 873         if (err < 0)
 874                 goto failed;
 875
 876         err = btusb_submit_bulk_urb(hdev, GFP_KERNEL);
 877         if (err < 0) {
 878                 usb_kill_anchored_urbs(&data->intr_anchor);
 879                 goto failed;
 880         }
 881
 882         set_bit(BTUSB_BULK_RUNNING, &data->flags);
 883         btusb_submit_bulk_urb(hdev, GFP_KERNEL);
 884
 885 done:
 886         usb_autopm_put_interface(data->intf);
 887         return 0;
 888
 889 failed:
 890         clear_bit(BTUSB_INTR_RUNNING, &data->flags);
 891         clear_bit(HCI_RUNNING, &hdev->flags);
 892         usb_autopm_put_interface(data->intf);
 893         return err;
 894 }
 895
 896 static void btusb_stop_traffic(struct btusb_data *data)
 897 {
 898         usb_kill_anchored_urbs(&data->intr_anchor);
 899         usb_kill_anchored_urbs(&data->bulk_anchor);
 900         usb_kill_anchored_urbs(&data->isoc_anchor);
 901 }
 902
 903 static int btusb_close(struct hci_dev *hdev)
 904 {
 905         struct btusb_data *data = hci_get_drvdata(hdev);
 906         int err;
 907
 908         BT_DBG("%s", hdev->name);
 909
 910         if (!test_and_clear_bit(HCI_RUNNING, &hdev->flags))
 911                 return 0;
 912
 913         cancel_work_sync(&data->work);
 914         cancel_work_sync(&data->waker);
 915
 916         clear_bit(BTUSB_ISOC_RUNNING, &data->flags);
 917         clear_bit(BTUSB_BULK_RUNNING, &data->flags);
 918         clear_bit(BTUSB_INTR_RUNNING, &data->flags);
 919
 920         btusb_stop_traffic(data);
 921         btusb_free_frags(data);
 922
 923         err = usb_autopm_get_interface(data->intf);
 924         if (err < 0)
 925                 goto failed;
 926
 927         data->intf->needs_remote_wakeup = 0;
 928         usb_autopm_put_interface(data->intf);
 929
 930 failed:
 931         usb_scuttle_anchored_urbs(&data->deferred);
 932         return 0;
 933 }
 934
 935 static int btusb_flush(struct hci_dev *hdev)
 936 {
 937         struct btusb_data *data = hci_get_drvdata(hdev);
 938
 939         BT_DBG("%s", hdev->name);
 940
 941         usb_kill_anchored_urbs(&data->tx_anchor);
 942         btusb_free_frags(data);
 943
 944         return 0;
 945 }
 946
 947 static struct urb *alloc_ctrl_urb(struct hci_dev *hdev, struct sk_buff *skb)
 948 {
 949         struct btusb_data *data = hci_get_drvdata(hdev);
 950         struct usb_ctrlrequest *dr;
 951         struct urb *urb;
 952         unsigned int pipe;
 953
 954         urb = usb_alloc_urb(0, GFP_KERNEL);
 955         if (!urb)
 956                 return ERR_PTR(-ENOMEM);
 957
 958         dr = kmalloc(sizeof(*dr), GFP_KERNEL);
 959         if (!dr) {
 960                 usb_free_urb(urb);
 961                 return ERR_PTR(-ENOMEM);
 962         }
 963
 964         dr->bRequestType = data->cmdreq_type;
 965         dr->bRequest     = 0;
 966         dr->wIndex       = 0;
 967         dr->wValue       = 0;
 968         dr->wLength      = __cpu_to_le16(skb->len);
 969
 970         pipe = usb_sndctrlpipe(data->udev, 0x00);
 971
 972         usb_fill_control_urb(urb, data->udev, pipe, (void *)dr,
 973                              skb->data, skb->len, btusb_tx_complete, skb);
 974
 975         skb->dev = (void *)hdev;
 976
 977         return urb;
 978 }
 979
 980 static struct urb *alloc_bulk_urb(struct hci_dev *hdev, struct sk_buff *skb)
 981 {
 982         struct btusb_data *data = hci_get_drvdata(hdev);
 983         struct urb *urb;
 984         unsigned int pipe;
 985
 986         if (!data->bulk_tx_ep)
 987                 return ERR_PTR(-ENODEV);
 988
 989         urb = usb_alloc_urb(0, GFP_KERNEL);
 990         if (!urb)
 991                 return ERR_PTR(-ENOMEM);
 992
 993         pipe = usb_sndbulkpipe(data->udev, data->bulk_tx_ep->bEndpointAddress);
 994
 995         usb_fill_bulk_urb(urb, data->udev, pipe,
 996                           skb->data, skb->len, btusb_tx_complete, skb);
 997
 998         skb->dev = (void *)hdev;
 999
1000         return urb;
1001 }
1002
1003 static struct urb *alloc_isoc_urb(struct hci_dev *hdev, struct sk_buff *skb)
1004 {
1005         struct btusb_data *data = hci_get_drvdata(hdev);
1006         struct urb *urb;
1007         unsigned int pipe;
1008
1009         if (!data->isoc_tx_ep)
1010                 return ERR_PTR(-ENODEV);
1011
1012         urb = usb_alloc_urb(BTUSB_MAX_ISOC_FRAMES, GFP_KERNEL);
1013         if (!urb)
1014                 return ERR_PTR(-ENOMEM);
1015
1016         pipe = usb_sndisocpipe(data->udev, data->isoc_tx_ep->bEndpointAddress);
1017
1018         usb_fill_int_urb(urb, data->udev, pipe,
1019                          skb->data, skb->len, btusb_isoc_tx_complete,
1020                          skb, data->isoc_tx_ep->bInterval);
1021
1022         urb->transfer_flags  = URB_ISO_ASAP;
1023
1024         __fill_isoc_descriptor(urb, skb->len,
1025                                le16_to_cpu(data->isoc_tx_ep->wMaxPacketSize));
1026
1027         skb->dev = (void *)hdev;
1028
1029         return urb;
1030 }
1031
1032 static int submit_tx_urb(struct hci_dev *hdev, struct urb *urb)
1033 {
1034         struct btusb_data *data = hci_get_drvdata(hdev);
1035         int err;
1036
1037         usb_anchor_urb(urb, &data->tx_anchor);
1038
1039         err = usb_submit_urb(urb, GFP_KERNEL);
1040         if (err < 0) {
1041                 if (err != -EPERM && err != -ENODEV)
1042                         BT_ERR("%s urb %p submission failed (%d)",
1043                                hdev->name, urb, -err);
1044                 kfree(urb->setup_packet);
1045                 usb_unanchor_urb(urb);
1046         } else {
1047                 usb_mark_last_busy(data->udev);
1048         }
1049
1050         usb_free_urb(urb);
1051         return err;
1052 }
1053
1054 static int submit_or_queue_tx_urb(struct hci_dev *hdev, struct urb *urb)
1055 {
1056         struct btusb_data *data = hci_get_drvdata(hdev);
1057         unsigned long flags;
1058         bool suspending;
1059
1060         spin_lock_irqsave(&data->txlock, flags);
1061         suspending = test_bit(BTUSB_SUSPENDING, &data->flags);
1062         if (!suspending)
1063                 data->tx_in_flight++;
1064         spin_unlock_irqrestore(&data->txlock, flags);
1065
1066         if (!suspending)
1067                 return submit_tx_urb(hdev, urb);
1068
1069         usb_anchor_urb(urb, &data->deferred);
1070         schedule_work(&data->waker);
1071
1072         usb_free_urb(urb);
1073         return 0;
1074 }
1075
1076 static int btusb_send_frame(struct hci_dev *hdev, struct sk_buff *skb)
1077 {
1078         struct urb *urb;
1079
1080         BT_DBG("%s", hdev->name);
1081
1082         if (!test_bit(HCI_RUNNING, &hdev->flags))
1083                 return -EBUSY;
1084
1085         switch (bt_cb(skb)->pkt_type) {
1086         case HCI_COMMAND_PKT:
1087                 urb = alloc_ctrl_urb(hdev, skb);
1088                 if (IS_ERR(urb))
1089                         return PTR_ERR(urb);
1090
1091                 hdev->stat.cmd_tx++;
1092                 return submit_or_queue_tx_urb(hdev, urb);
1093
1094         case HCI_ACLDATA_PKT:
1095                 urb = alloc_bulk_urb(hdev, skb);
1096                 if (IS_ERR(urb))
1097                         return PTR_ERR(urb);
1098
1099                 hdev->stat.acl_tx++;
1100                 return submit_or_queue_tx_urb(hdev, urb);
1101
1102         case HCI_SCODATA_PKT:
1103                 if (hci_conn_num(hdev, SCO_LINK) < 1)
1104                         return -ENODEV;
1105
1106                 urb = alloc_isoc_urb(hdev, skb);
1107                 if (IS_ERR(urb))
1108                         return PTR_ERR(urb);
1109
1110                 hdev->stat.sco_tx++;
1111                 return submit_tx_urb(hdev, urb);
1112         }
1113
1114         return -EILSEQ;
1115 }
1116
1117 static void btusb_notify(struct hci_dev *hdev, unsigned int evt)
1118 {
1119         struct btusb_data *data = hci_get_drvdata(hdev);
1120
1121         BT_DBG("%s evt %d", hdev->name, evt);
1122
1123         if (hci_conn_num(hdev, SCO_LINK) != data->sco_num) {
1124                 data->sco_num = hci_conn_num(hdev, SCO_LINK);
1125                 schedule_work(&data->work);
1126         }
1127 }
1128
1129 static inline int __set_isoc_interface(struct hci_dev *hdev, int altsetting)
1130 {
1131         struct btusb_data *data = hci_get_drvdata(hdev);
1132         struct usb_interface *intf = data->isoc;
1133         struct usb_endpoint_descriptor *ep_desc;
1134         int i, err;
1135
1136         if (!data->isoc)
1137                 return -ENODEV;
1138
1139         err = usb_set_interface(data->udev, 1, altsetting);
1140         if (err < 0) {
1141                 BT_ERR("%s setting interface failed (%d)", hdev->name, -err);
1142                 return err;
1143         }
1144
1145         data->isoc_altsetting = altsetting;
1146
1147         data->isoc_tx_ep = NULL;
1148         data->isoc_rx_ep = NULL;
1149
1150         for (i = 0; i < intf->cur_altsetting->desc.bNumEndpoints; i++) {
1151                 ep_desc = &intf->cur_altsetting->endpoint[i].desc;
1152
1153                 if (!data->isoc_tx_ep && usb_endpoint_is_isoc_out(ep_desc)) {
1154                         data->isoc_tx_ep = ep_desc;
1155                         continue;
1156                 }
1157
1158                 if (!data->isoc_rx_ep && usb_endpoint_is_isoc_in(ep_desc)) {
1159                         data->isoc_rx_ep = ep_desc;
1160                         continue;
1161                 }
1162         }
1163
1164         if (!data->isoc_tx_ep || !data->isoc_rx_ep) {
1165                 BT_ERR("%s invalid SCO descriptors", hdev->name);
1166                 return -ENODEV;
1167         }
1168
1169         return 0;
1170 }
1171
1172 static void btusb_work(struct work_struct *work)
1173 {
1174         struct btusb_data *data = container_of(work, struct btusb_data, work);
1175         struct hci_dev *hdev = data->hdev;
1176         int new_alts;
1177         int err;
1178
1179         if (data->sco_num > 0) {
1180                 if (!test_bit(BTUSB_DID_ISO_RESUME, &data->flags)) {
1181                         err = usb_autopm_get_interface(data->isoc ? data->isoc : data->intf);
1182                         if (err < 0) {
1183                                 clear_bit(BTUSB_ISOC_RUNNING, &data->flags);
1184                                 usb_kill_anchored_urbs(&data->isoc_anchor);
1185                                 return;
1186                         }
1187
1188                         set_bit(BTUSB_DID_ISO_RESUME, &data->flags);
1189                 }
1190
1191                 if (hdev->voice_setting & 0x0020) {
1192                         static const int alts[3] = { 2, 4, 5 };
1193
1194                         new_alts = alts[data->sco_num - 1];
1195                 } else {
1196                         new_alts = data->sco_num;
1197                 }
1198
1199                 if (data->isoc_altsetting != new_alts) {
1200                         clear_bit(BTUSB_ISOC_RUNNING, &data->flags);
1201                         usb_kill_anchored_urbs(&data->isoc_anchor);
1202
1203                         if (__set_isoc_interface(hdev, new_alts) < 0)
1204                                 return;
1205                 }
1206
1207                 if (!test_and_set_bit(BTUSB_ISOC_RUNNING, &data->flags)) {
1208                         if (btusb_submit_isoc_urb(hdev, GFP_KERNEL) < 0)
1209                                 clear_bit(BTUSB_ISOC_RUNNING, &data->flags);
1210                         else
1211                                 btusb_submit_isoc_urb(hdev, GFP_KERNEL);
1212                 }
1213         } else {
1214                 clear_bit(BTUSB_ISOC_RUNNING, &data->flags);
1215                 usb_kill_anchored_urbs(&data->isoc_anchor);
1216
1217                 __set_isoc_interface(hdev, 0);
1218                 if (test_and_clear_bit(BTUSB_DID_ISO_RESUME, &data->flags))
1219                         usb_autopm_put_interface(data->isoc ? data->isoc : data->intf);
1220         }
1221 }
1222
1223 static void btusb_waker(struct work_struct *work)
1224 {
1225         struct btusb_data *data = container_of(work, struct btusb_data, waker);
1226         int err;
1227
1228         err = usb_autopm_get_interface(data->intf);
1229         if (err < 0)
1230                 return;
1231
1232         usb_autopm_put_interface(data->intf);
1233 }
1234
1235 static int btusb_setup_bcm92035(struct hci_dev *hdev)
1236 {
1237         struct sk_buff *skb;
1238         u8 val = 0x00;
1239
1240         BT_DBG("%s", hdev->name);
1241
1242         skb = __hci_cmd_sync(hdev, 0xfc3b, 1, &val, HCI_INIT_TIMEOUT);
1243         if (IS_ERR(skb))
1244                 BT_ERR("BCM92035 command failed (%ld)", -PTR_ERR(skb));
1245         else
1246                 kfree_skb(skb);
1247
1248         return 0;
1249 }
1250
1251 static int btusb_setup_csr(struct hci_dev *hdev)
1252 {
1253         struct hci_rp_read_local_version *rp;
1254         struct sk_buff *skb;
1255         int ret;
1256
1257         BT_DBG("%s", hdev->name);
1258
1259         skb = __hci_cmd_sync(hdev, HCI_OP_READ_LOCAL_VERSION, 0, NULL,
1260                              HCI_INIT_TIMEOUT);
1261         if (IS_ERR(skb)) {
1262                 BT_ERR("Reading local version failed (%ld)", -PTR_ERR(skb));
1263                 return -PTR_ERR(skb);
1264         }
1265
1266         rp = (struct hci_rp_read_local_version *)skb->data;
1267
1268         if (!rp->status) {
1269                 if (le16_to_cpu(rp->manufacturer) != 10) {
1270                         /* Clear the reset quirk since this is not an actual
1271                          * early Bluetooth 1.1 device from CSR.
1272                          */
1273                         clear_bit(HCI_QUIRK_RESET_ON_CLOSE, &hdev->quirks);
1274
1275                         /* These fake CSR controllers have all a broken
1276                          * stored link key handling and so just disable it.
1277                          */
1278                         set_bit(HCI_QUIRK_BROKEN_STORED_LINK_KEY,
1279                                 &hdev->quirks);
1280                 }
1281         }
1282
1283         ret = -bt_to_errno(rp->status);
1284
1285         kfree_skb(skb);
1286
1287         return ret;
1288 }
1289
1290 struct intel_version {
1291         u8 status;
1292         u8 hw_platform;
1293         u8 hw_variant;
1294         u8 hw_revision;
1295         u8 fw_variant;
1296         u8 fw_revision;
1297         u8 fw_build_num;
1298         u8 fw_build_ww;
1299         u8 fw_build_yy;
1300         u8 fw_patch_num;
1301 } __packed;
1302
1303 static const struct firmware *btusb_setup_intel_get_fw(struct hci_dev *hdev,
1304                                                        struct intel_version *ver)
1305 {
1306         const struct firmware *fw;
1307         char fwname[64];
1308         int ret;
1309
1310         snprintf(fwname, sizeof(fwname),
1311                  "intel/ibt-hw-%x.%x.%x-fw-%x.%x.%x.%x.%x.bseq",
1312                  ver->hw_platform, ver->hw_variant, ver->hw_revision,
1313                  ver->fw_variant,  ver->fw_revision, ver->fw_build_num,
1314                  ver->fw_build_ww, ver->fw_build_yy);
1315
1316         ret = request_firmware(&fw, fwname, &hdev->dev);
1317         if (ret < 0) {
1318                 if (ret == -EINVAL) {
1319                         BT_ERR("%s Intel firmware file request failed (%d)",
1320                                hdev->name, ret);
1321                         return NULL;
1322                 }
1323
1324                 BT_ERR("%s failed to open Intel firmware file: %s(%d)",
1325                        hdev->name, fwname, ret);
1326
1327                 /* If the correct firmware patch file is not found, use the
1328                  * default firmware patch file instead
1329                  */
1330                 snprintf(fwname, sizeof(fwname), "intel/ibt-hw-%x.%x.bseq",
1331                          ver->hw_platform, ver->hw_variant);
1332                 if (request_firmware(&fw, fwname, &hdev->dev) < 0) {
1333                         BT_ERR("%s failed to open default Intel fw file: %s",
1334                                hdev->name, fwname);
1335                         return NULL;
1336                 }
1337         }
1338
1339         BT_INFO("%s: Intel Bluetooth firmware file: %s", hdev->name, fwname);
1340
1341         return fw;
1342 }
1343
1344 static int btusb_setup_intel_patching(struct hci_dev *hdev,
1345                                       const struct firmware *fw,
1346                                       const u8 **fw_ptr, int *disable_patch)
1347 {
1348         struct sk_buff *skb;
1349         struct hci_command_hdr *cmd;
1350         const u8 *cmd_param;
1351         struct hci_event_hdr *evt = NULL;
1352         const u8 *evt_param = NULL;
1353         int remain = fw->size - (*fw_ptr - fw->data);
1354
1355         /* The first byte indicates the types of the patch command or event.
1356          * 0x01 means HCI command and 0x02 is HCI event. If the first bytes
1357          * in the current firmware buffer doesn't start with 0x01 or
1358          * the size of remain buffer is smaller than HCI command header,
1359          * the firmware file is corrupted and it should stop the patching
1360          * process.
1361          */
1362         if (remain > HCI_COMMAND_HDR_SIZE && *fw_ptr[0] != 0x01) {
1363                 BT_ERR("%s Intel fw corrupted: invalid cmd read", hdev->name);
1364                 return -EINVAL;
1365         }
1366         (*fw_ptr)++;
1367         remain--;
1368
1369         cmd = (struct hci_command_hdr *)(*fw_ptr);
1370         *fw_ptr += sizeof(*cmd);
1371         remain -= sizeof(*cmd);
1372
1373         /* Ensure that the remain firmware data is long enough than the length
1374          * of command parameter. If not, the firmware file is corrupted.
1375          */
1376         if (remain < cmd->plen) {
1377                 BT_ERR("%s Intel fw corrupted: invalid cmd len", hdev->name);
1378                 return -EFAULT;
1379         }
1380
1381         /* If there is a command that loads a patch in the firmware
1382          * file, then enable the patch upon success, otherwise just
1383          * disable the manufacturer mode, for example patch activation
1384          * is not required when the default firmware patch file is used
1385          * because there are no patch data to load.
1386          */
1387         if (*disable_patch && le16_to_cpu(cmd->opcode) == 0xfc8e)
1388                 *disable_patch = 0;
1389
1390         cmd_param = *fw_ptr;
1391         *fw_ptr += cmd->plen;
1392         remain -= cmd->plen;
1393
1394         /* This reads the expected events when the above command is sent to the
1395          * device. Some vendor commands expects more than one events, for
1396          * example command status event followed by vendor specific event.
1397          * For this case, it only keeps the last expected event. so the command
1398          * can be sent with __hci_cmd_sync_ev() which returns the sk_buff of
1399          * last expected event.
1400          */
1401         while (remain > HCI_EVENT_HDR_SIZE && *fw_ptr[0] == 0x02) {
1402                 (*fw_ptr)++;
1403                 remain--;
1404
1405                 evt = (struct hci_event_hdr *)(*fw_ptr);
1406                 *fw_ptr += sizeof(*evt);
1407                 remain -= sizeof(*evt);
1408
1409                 if (remain < evt->plen) {
1410                         BT_ERR("%s Intel fw corrupted: invalid evt len",
1411                                hdev->name);
1412                         return -EFAULT;
1413                 }
1414
1415                 evt_param = *fw_ptr;
1416                 *fw_ptr += evt->plen;
1417                 remain -= evt->plen;
1418         }
1419
1420         /* Every HCI commands in the firmware file has its correspond event.
1421          * If event is not found or remain is smaller than zero, the firmware
1422          * file is corrupted.
1423          */
1424         if (!evt || !evt_param || remain < 0) {
1425                 BT_ERR("%s Intel fw corrupted: invalid evt read", hdev->name);
1426                 return -EFAULT;
1427         }
1428
1429         skb = __hci_cmd_sync_ev(hdev, le16_to_cpu(cmd->opcode), cmd->plen,
1430                                 cmd_param, evt->evt, HCI_INIT_TIMEOUT);
1431         if (IS_ERR(skb)) {
1432                 BT_ERR("%s sending Intel patch command (0x%4.4x) failed (%ld)",
1433                        hdev->name, cmd->opcode, PTR_ERR(skb));
1434                 return PTR_ERR(skb);
1435         }
1436
1437         /* It ensures that the returned event matches the event data read from
1438          * the firmware file. At fist, it checks the length and then
1439          * the contents of the event.
1440          */
1441         if (skb->len != evt->plen) {
1442                 BT_ERR("%s mismatch event length (opcode 0x%4.4x)", hdev->name,
1443                        le16_to_cpu(cmd->opcode));
1444                 kfree_skb(skb);
1445                 return -EFAULT;
1446         }
1447
1448         if (memcmp(skb->data, evt_param, evt->plen)) {
1449                 BT_ERR("%s mismatch event parameter (opcode 0x%4.4x)",
1450                        hdev->name, le16_to_cpu(cmd->opcode));
1451                 kfree_skb(skb);
1452                 return -EFAULT;
1453         }
1454         kfree_skb(skb);
1455
1456         return 0;
1457 }
1458
1459 #define BDADDR_INTEL (&(bdaddr_t) {{0x00, 0x8b, 0x9e, 0x19, 0x03, 0x00}})
1460
1461 static int btusb_check_bdaddr_intel(struct hci_dev *hdev)
1462 {
1463         struct sk_buff *skb;
1464         struct hci_rp_read_bd_addr *rp;
1465
1466         skb = __hci_cmd_sync(hdev, HCI_OP_READ_BD_ADDR, 0, NULL,
1467                              HCI_INIT_TIMEOUT);
1468         if (IS_ERR(skb)) {
1469                 BT_ERR("%s reading Intel device address failed (%ld)",
1470                        hdev->name, PTR_ERR(skb));
1471                 return PTR_ERR(skb);
1472         }
1473
1474         if (skb->len != sizeof(*rp)) {
1475                 BT_ERR("%s Intel device address length mismatch", hdev->name);
1476                 kfree_skb(skb);
1477                 return -EIO;
1478         }
1479
1480         rp = (struct hci_rp_read_bd_addr *)skb->data;
1481         if (rp->status) {
1482                 BT_ERR("%s Intel device address result failed (%02x)",
1483                        hdev->name, rp->status);
1484                 kfree_skb(skb);
1485                 return -bt_to_errno(rp->status);
1486         }
1487
1488         /* For some Intel based controllers, the default Bluetooth device
1489          * address 00:03:19:9E:8B:00 can be found. These controllers are
1490          * fully operational, but have the danger of duplicate addresses
1491          * and that in turn can cause problems with Bluetooth operation.
1492          */
1493         if (!bacmp(&rp->bdaddr, BDADDR_INTEL)) {
1494                 BT_ERR("%s found Intel default device address (%pMR)",
1495                        hdev->name, &rp->bdaddr);
1496                 set_bit(HCI_QUIRK_INVALID_BDADDR, &hdev->quirks);
1497         }
1498
1499         kfree_skb(skb);
1500
1501         return 0;
1502 }
1503
1504 static int btusb_setup_intel(struct hci_dev *hdev)
1505 {
1506         struct sk_buff *skb;
1507         const struct firmware *fw;
1508         const u8 *fw_ptr;
1509         int disable_patch;
1510         struct intel_version *ver;
1511
1512         const u8 mfg_enable[] = { 0x01, 0x00 };
1513         const u8 mfg_disable[] = { 0x00, 0x00 };
1514         const u8 mfg_reset_deactivate[] = { 0x00, 0x01 };
1515         const u8 mfg_reset_activate[] = { 0x00, 0x02 };
1516
1517         BT_DBG("%s", hdev->name);
1518
1519         /* The controller has a bug with the first HCI command sent to it
1520          * returning number of completed commands as zero. This would stall the
1521          * command processing in the Bluetooth core.
1522          *
1523          * As a workaround, send HCI Reset command first which will reset the
1524          * number of completed commands and allow normal command processing
1525          * from now on.
1526          */
1527         skb = __hci_cmd_sync(hdev, HCI_OP_RESET, 0, NULL, HCI_INIT_TIMEOUT);
1528         if (IS_ERR(skb)) {
1529                 BT_ERR("%s sending initial HCI reset command failed (%ld)",
1530                        hdev->name, PTR_ERR(skb));
1531                 return PTR_ERR(skb);
1532         }
1533         kfree_skb(skb);
1534
1535         /* Read Intel specific controller version first to allow selection of
1536          * which firmware file to load.
1537          *
1538          * The returned information are hardware variant and revision plus
1539          * firmware variant, revision and build number.
1540          */
1541         skb = __hci_cmd_sync(hdev, 0xfc05, 0, NULL, HCI_INIT_TIMEOUT);
1542         if (IS_ERR(skb)) {
1543                 BT_ERR("%s reading Intel fw version command failed (%ld)",
1544                        hdev->name, PTR_ERR(skb));
1545                 return PTR_ERR(skb);
1546         }
1547
1548         if (skb->len != sizeof(*ver)) {
1549                 BT_ERR("%s Intel version event length mismatch", hdev->name);
1550                 kfree_skb(skb);
1551                 return -EIO;
1552         }
1553
1554         ver = (struct intel_version *)skb->data;
1555         if (ver->status) {
1556                 BT_ERR("%s Intel fw version event failed (%02x)", hdev->name,
1557                        ver->status);
1558                 kfree_skb(skb);
1559                 return -bt_to_errno(ver->status);
1560         }
1561
1562         BT_INFO("%s: read Intel version: %02x%02x%02x%02x%02x%02x%02x%02x%02x",
1563                 hdev->name, ver->hw_platform, ver->hw_variant,
1564                 ver->hw_revision, ver->fw_variant,  ver->fw_revision,
1565                 ver->fw_build_num, ver->fw_build_ww, ver->fw_build_yy,
1566                 ver->fw_patch_num);
1567
1568         /* fw_patch_num indicates the version of patch the device currently
1569          * have. If there is no patch data in the device, it is always 0x00.
1570          * So, if it is other than 0x00, no need to patch the deivce again.
1571          */
1572         if (ver->fw_patch_num) {
1573                 BT_INFO("%s: Intel device is already patched. patch num: %02x",
1574                         hdev->name, ver->fw_patch_num);
1575                 kfree_skb(skb);
1576                 btusb_check_bdaddr_intel(hdev);
1577                 return 0;
1578         }
1579
1580         /* Opens the firmware patch file based on the firmware version read
1581          * from the controller. If it fails to open the matching firmware
1582          * patch file, it tries to open the default firmware patch file.
1583          * If no patch file is found, allow the device to operate without
1584          * a patch.
1585          */
1586         fw = btusb_setup_intel_get_fw(hdev, ver);
1587         if (!fw) {
1588                 kfree_skb(skb);
1589                 btusb_check_bdaddr_intel(hdev);
1590                 return 0;
1591         }
1592         fw_ptr = fw->data;
1593
1594         /* This Intel specific command enables the manufacturer mode of the
1595          * controller.
1596          *
1597          * Only while this mode is enabled, the driver can download the
1598          * firmware patch data and configuration parameters.
1599          */
1600         skb = __hci_cmd_sync(hdev, 0xfc11, 2, mfg_enable, HCI_INIT_TIMEOUT);
1601         if (IS_ERR(skb)) {
1602                 BT_ERR("%s entering Intel manufacturer mode failed (%ld)",
1603                        hdev->name, PTR_ERR(skb));
1604                 release_firmware(fw);
1605                 return PTR_ERR(skb);
1606         }
1607
1608         if (skb->data[0]) {
1609                 u8 evt_status = skb->data[0];
1610
1611                 BT_ERR("%s enable Intel manufacturer mode event failed (%02x)",
1612                        hdev->name, evt_status);
1613                 kfree_skb(skb);
1614                 release_firmware(fw);
1615                 return -bt_to_errno(evt_status);
1616         }
1617         kfree_skb(skb);
1618
1619         disable_patch = 1;
1620
1621         /* The firmware data file consists of list of Intel specific HCI
1622          * commands and its expected events. The first byte indicates the
1623          * type of the message, either HCI command or HCI event.
1624          *
1625          * It reads the command and its expected event from the firmware file,
1626          * and send to the controller. Once __hci_cmd_sync_ev() returns,
1627          * the returned event is compared with the event read from the firmware
1628          * file and it will continue until all the messages are downloaded to
1629          * the controller.
1630          *
1631          * Once the firmware patching is completed successfully,
1632          * the manufacturer mode is disabled with reset and activating the
1633          * downloaded patch.
1634          *
1635          * If the firmware patching fails, the manufacturer mode is
1636          * disabled with reset and deactivating the patch.
1637          *
1638          * If the default patch file is used, no reset is done when disabling
1639          * the manufacturer.
1640          */
1641         while (fw->size > fw_ptr - fw->data) {
1642                 int ret;
1643
1644                 ret = btusb_setup_intel_patching(hdev, fw, &fw_ptr,
1645                                                  &disable_patch);
1646                 if (ret < 0)
1647                         goto exit_mfg_deactivate;
1648         }
1649
1650         release_firmware(fw);
1651
1652         if (disable_patch)
1653                 goto exit_mfg_disable;
1654
1655         /* Patching completed successfully and disable the manufacturer mode
1656          * with reset and activate the downloaded firmware patches.
1657          */
1658         skb = __hci_cmd_sync(hdev, 0xfc11, sizeof(mfg_reset_activate),
1659                              mfg_reset_activate, HCI_INIT_TIMEOUT);
1660         if (IS_ERR(skb)) {
1661                 BT_ERR("%s exiting Intel manufacturer mode failed (%ld)",
1662                        hdev->name, PTR_ERR(skb));
1663                 return PTR_ERR(skb);
1664         }
1665         kfree_skb(skb);
1666
1667         BT_INFO("%s: Intel Bluetooth firmware patch completed and activated",
1668                 hdev->name);
1669
1670         btusb_check_bdaddr_intel(hdev);
1671         return 0;
1672
1673 exit_mfg_disable:
1674         /* Disable the manufacturer mode without reset */
1675         skb = __hci_cmd_sync(hdev, 0xfc11, sizeof(mfg_disable), mfg_disable,
1676                              HCI_INIT_TIMEOUT);
1677         if (IS_ERR(skb)) {
1678                 BT_ERR("%s exiting Intel manufacturer mode failed (%ld)",
1679                        hdev->name, PTR_ERR(skb));
1680                 return PTR_ERR(skb);
1681         }
1682         kfree_skb(skb);
1683
1684         BT_INFO("%s: Intel Bluetooth firmware patch completed", hdev->name);
1685
1686         btusb_check_bdaddr_intel(hdev);
1687         return 0;
1688
1689 exit_mfg_deactivate:
1690         release_firmware(fw);
1691
1692         /* Patching failed. Disable the manufacturer mode with reset and
1693          * deactivate the downloaded firmware patches.
1694          */
1695         skb = __hci_cmd_sync(hdev, 0xfc11, sizeof(mfg_reset_deactivate),
1696                              mfg_reset_deactivate, HCI_INIT_TIMEOUT);
1697         if (IS_ERR(skb)) {
1698                 BT_ERR("%s exiting Intel manufacturer mode failed (%ld)",
1699                        hdev->name, PTR_ERR(skb));
1700                 return PTR_ERR(skb);
1701         }
1702         kfree_skb(skb);
1703
1704         BT_INFO("%s: Intel Bluetooth firmware patch completed and deactivated",
1705                 hdev->name);
1706
1707         btusb_check_bdaddr_intel(hdev);
1708         return 0;
1709 }
1710
1711 static int btusb_set_bdaddr_intel(struct hci_dev *hdev, const bdaddr_t *bdaddr)
1712 {
1713         struct sk_buff *skb;
1714         long ret;
1715
1716         skb = __hci_cmd_sync(hdev, 0xfc31, 6, bdaddr, HCI_INIT_TIMEOUT);
1717         if (IS_ERR(skb)) {
1718                 ret = PTR_ERR(skb);
1719                 BT_ERR("%s: changing Intel device address failed (%ld)",
1720                        hdev->name, ret);
1721                 return ret;
1722         }
1723         kfree_skb(skb);
1724
1725         return 0;
1726 }
1727
1728 static int btusb_set_bdaddr_marvell(struct hci_dev *hdev,
1729                                     const bdaddr_t *bdaddr)
1730 {
1731         struct sk_buff *skb;
1732         u8 buf[8];
1733         long ret;
1734
1735         buf[0] = 0xfe;
1736         buf[1] = sizeof(bdaddr_t);
1737         memcpy(buf + 2, bdaddr, sizeof(bdaddr_t));
1738
1739         skb = __hci_cmd_sync(hdev, 0xfc22, sizeof(buf), buf, HCI_INIT_TIMEOUT);
1740         if (IS_ERR(skb)) {
1741                 ret = PTR_ERR(skb);
1742                 BT_ERR("%s: changing Marvell device address failed (%ld)",
1743                        hdev->name, ret);
1744                 return ret;
1745         }
1746         kfree_skb(skb);
1747
1748         return 0;
1749 }
1750
1751 #define BDADDR_BCM20702A0 (&(bdaddr_t) {{0x00, 0xa0, 0x02, 0x70, 0x20, 0x00}})
1752
1753 static int btusb_setup_bcm_patchram(struct hci_dev *hdev)
1754 {
1755         struct btusb_data *data = hci_get_drvdata(hdev);
1756         struct usb_device *udev = data->udev;
1757         char fw_name[64];
1758         const struct firmware *fw;
1759         const u8 *fw_ptr;
1760         size_t fw_size;
1761         const struct hci_command_hdr *cmd;
1762         const u8 *cmd_param;
1763         u16 opcode;
1764         struct sk_buff *skb;
1765         struct hci_rp_read_local_version *ver;
1766         struct hci_rp_read_bd_addr *bda;
1767         long ret;
1768
1769         snprintf(fw_name, sizeof(fw_name), "brcm/%s-%04x-%04x.hcd",
1770                  udev->product ? udev->product : "BCM",
1771                  le16_to_cpu(udev->descriptor.idVendor),
1772                  le16_to_cpu(udev->descriptor.idProduct));
1773
1774         ret = request_firmware(&fw, fw_name, &hdev->dev);
1775         if (ret < 0) {
1776                 BT_INFO("%s: BCM: patch %s not found", hdev->name, fw_name);
1777                 return 0;
1778         }
1779
1780         /* Reset */
1781         skb = __hci_cmd_sync(hdev, HCI_OP_RESET, 0, NULL, HCI_INIT_TIMEOUT);
1782         if (IS_ERR(skb)) {
1783                 ret = PTR_ERR(skb);
1784                 BT_ERR("%s: HCI_OP_RESET failed (%ld)", hdev->name, ret);
1785                 goto done;
1786         }
1787         kfree_skb(skb);
1788
1789         /* Read Local Version Info */
1790         skb = __hci_cmd_sync(hdev, HCI_OP_READ_LOCAL_VERSION, 0, NULL,
1791                              HCI_INIT_TIMEOUT);
1792         if (IS_ERR(skb)) {
1793                 ret = PTR_ERR(skb);
1794                 BT_ERR("%s: HCI_OP_READ_LOCAL_VERSION failed (%ld)",
1795                        hdev->name, ret);
1796                 goto done;
1797         }
1798
1799         if (skb->len != sizeof(*ver)) {
1800                 BT_ERR("%s: HCI_OP_READ_LOCAL_VERSION event length mismatch",
1801                        hdev->name);
1802                 kfree_skb(skb);
1803                 ret = -EIO;
1804                 goto done;
1805         }
1806
1807         ver = (struct hci_rp_read_local_version *)skb->data;
1808         BT_INFO("%s: BCM: patching hci_ver=%02x hci_rev=%04x lmp_ver=%02x "
1809                 "lmp_subver=%04x", hdev->name, ver->hci_ver, ver->hci_rev,
1810                 ver->lmp_ver, ver->lmp_subver);
1811         kfree_skb(skb);
1812
1813         /* Start Download */
1814         skb = __hci_cmd_sync(hdev, 0xfc2e, 0, NULL, HCI_INIT_TIMEOUT);
1815         if (IS_ERR(skb)) {
1816                 ret = PTR_ERR(skb);
1817                 BT_ERR("%s: BCM: Download Minidrv command failed (%ld)",
1818                        hdev->name, ret);
1819                 goto reset_fw;
1820         }
1821         kfree_skb(skb);
1822
1823         /* 50 msec delay after Download Minidrv completes */
1824         msleep(50);
1825
1826         fw_ptr = fw->data;
1827         fw_size = fw->size;
1828
1829         while (fw_size >= sizeof(*cmd)) {
1830                 cmd = (struct hci_command_hdr *)fw_ptr;
1831                 fw_ptr += sizeof(*cmd);
1832                 fw_size -= sizeof(*cmd);
1833
1834                 if (fw_size < cmd->plen) {
1835                         BT_ERR("%s: BCM: patch %s is corrupted",
1836                                hdev->name, fw_name);
1837                         ret = -EINVAL;
1838                         goto reset_fw;
1839                 }
1840
1841                 cmd_param = fw_ptr;
1842                 fw_ptr += cmd->plen;
1843                 fw_size -= cmd->plen;
1844
1845                 opcode = le16_to_cpu(cmd->opcode);
1846
1847                 skb = __hci_cmd_sync(hdev, opcode, cmd->plen, cmd_param,
1848                                      HCI_INIT_TIMEOUT);
1849                 if (IS_ERR(skb)) {
1850                         ret = PTR_ERR(skb);
1851                         BT_ERR("%s: BCM: patch command %04x failed (%ld)",
1852                                hdev->name, opcode, ret);
1853                         goto reset_fw;
1854                 }
1855                 kfree_skb(skb);
1856         }
1857
1858         /* 250 msec delay after Launch Ram completes */
1859         msleep(250);
1860
1861 reset_fw:
1862         /* Reset */
1863         skb = __hci_cmd_sync(hdev, HCI_OP_RESET, 0, NULL, HCI_INIT_TIMEOUT);
1864         if (IS_ERR(skb)) {
1865                 ret = PTR_ERR(skb);
1866                 BT_ERR("%s: HCI_OP_RESET failed (%ld)", hdev->name, ret);
1867                 goto done;
1868         }
1869         kfree_skb(skb);
1870
1871         /* Read Local Version Info */
1872         skb = __hci_cmd_sync(hdev, HCI_OP_READ_LOCAL_VERSION, 0, NULL,
1873                              HCI_INIT_TIMEOUT);
1874         if (IS_ERR(skb)) {
1875                 ret = PTR_ERR(skb);
1876                 BT_ERR("%s: HCI_OP_READ_LOCAL_VERSION failed (%ld)",
1877                        hdev->name, ret);
1878                 goto done;
1879         }
1880
1881         if (skb->len != sizeof(*ver)) {
1882                 BT_ERR("%s: HCI_OP_READ_LOCAL_VERSION event length mismatch",
1883                        hdev->name);
1884                 kfree_skb(skb);
1885                 ret = -EIO;
1886                 goto done;
1887         }
1888
1889         ver = (struct hci_rp_read_local_version *)skb->data;
1890         BT_INFO("%s: BCM: firmware hci_ver=%02x hci_rev=%04x lmp_ver=%02x "
1891                 "lmp_subver=%04x", hdev->name, ver->hci_ver, ver->hci_rev,
1892                 ver->lmp_ver, ver->lmp_subver);
1893         kfree_skb(skb);
1894
1895         /* Read BD Address */
1896         skb = __hci_cmd_sync(hdev, HCI_OP_READ_BD_ADDR, 0, NULL,
1897                              HCI_INIT_TIMEOUT);
1898         if (IS_ERR(skb)) {
1899                 ret = PTR_ERR(skb);
1900                 BT_ERR("%s: HCI_OP_READ_BD_ADDR failed (%ld)",
1901                        hdev->name, ret);
1902                 goto done;
1903         }
1904
1905         if (skb->len != sizeof(*bda)) {
1906                 BT_ERR("%s: HCI_OP_READ_BD_ADDR event length mismatch",
1907                        hdev->name);
1908                 kfree_skb(skb);
1909                 ret = -EIO;
1910                 goto done;
1911         }
1912
1913         bda = (struct hci_rp_read_bd_addr *)skb->data;
1914         if (bda->status) {
1915                 BT_ERR("%s: HCI_OP_READ_BD_ADDR error status (%02x)",
1916                        hdev->name, bda->status);
1917                 kfree_skb(skb);
1918                 ret = -bt_to_errno(bda->status);
1919                 goto done;
1920         }
1921
1922         /* The address 00:20:70:02:A0:00 indicates a BCM20702A0 controller
1923          * with no configured address.
1924          */
1925         if (!bacmp(&bda->bdaddr, BDADDR_BCM20702A0)) {
1926                 BT_INFO("%s: BCM: using default device address (%pMR)",
1927                         hdev->name, &bda->bdaddr);
1928                 set_bit(HCI_QUIRK_INVALID_BDADDR, &hdev->quirks);
1929         }
1930
1931         kfree_skb(skb);
1932
1933 done:
1934         release_firmware(fw);
1935
1936         return ret;
1937 }
1938
1939 static int btusb_set_bdaddr_bcm(struct hci_dev *hdev, const bdaddr_t *bdaddr)
1940 {
1941         struct sk_buff *skb;
1942         long ret;
1943
1944         skb = __hci_cmd_sync(hdev, 0xfc01, 6, bdaddr, HCI_INIT_TIMEOUT);
1945         if (IS_ERR(skb)) {
1946                 ret = PTR_ERR(skb);
1947                 BT_ERR("%s: BCM: Change address command failed (%ld)",
1948                        hdev->name, ret);
1949                 return ret;
1950         }
1951         kfree_skb(skb);
1952
1953         return 0;
1954 }
1955
1956 static int btusb_set_bdaddr_ath3012(struct hci_dev *hdev,
1957                                     const bdaddr_t *bdaddr)
1958 {
1959         struct sk_buff *skb;
1960         u8 buf[10];
1961         long ret;
1962
1963         buf[0] = 0x01;
1964         buf[1] = 0x01;
1965         buf[2] = 0x00;
1966         buf[3] = sizeof(bdaddr_t);
1967         memcpy(buf + 4, bdaddr, sizeof(bdaddr_t));
1968
1969         skb = __hci_cmd_sync(hdev, 0xfc0b, sizeof(buf), buf, HCI_INIT_TIMEOUT);
1970         if (IS_ERR(skb)) {
1971                 ret = PTR_ERR(skb);
1972                 BT_ERR("%s: Change address command failed (%ld)",
1973                        hdev->name, ret);
1974                 return ret;
1975         }
1976         kfree_skb(skb);
1977
1978         return 0;
1979 }
1980
1981 static int btusb_probe(struct usb_interface *intf,
1982                        const struct usb_device_id *id)
1983 {
1984         struct usb_endpoint_descriptor *ep_desc;
1985         struct btusb_data *data;
1986         struct hci_dev *hdev;
1987         int i, err;
1988
1989         BT_DBG("intf %p id %p", intf, id);
1990
1991         /* interface numbers are hardcoded in the spec */
1992         if (intf->cur_altsetting->desc.bInterfaceNumber != 0)
1993                 return -ENODEV;
1994
1995         if (!id->driver_info) {
1996                 const struct usb_device_id *match;
1997
1998                 match = usb_match_id(intf, blacklist_table);
1999                 if (match)
2000                         id = match;
2001         }
2002
2003         if (id->driver_info == BTUSB_IGNORE)
2004                 return -ENODEV;
2005
2006         if (id->driver_info & BTUSB_ATH3012) {
2007                 struct usb_device *udev = interface_to_usbdev(intf);
2008
2009                 /* Old firmware would otherwise let ath3k driver load
2010                  * patch and sysconfig files */
2011                 if (le16_to_cpu(udev->descriptor.bcdDevice) <= 0x0001)
2012                         return -ENODEV;
2013         }
2014
2015         data = devm_kzalloc(&intf->dev, sizeof(*data), GFP_KERNEL);
2016         if (!data)
2017                 return -ENOMEM;
2018
2019         for (i = 0; i < intf->cur_altsetting->desc.bNumEndpoints; i++) {
2020                 ep_desc = &intf->cur_altsetting->endpoint[i].desc;
2021
2022                 if (!data->intr_ep && usb_endpoint_is_int_in(ep_desc)) {
2023                         data->intr_ep = ep_desc;
2024                         continue;
2025                 }
2026
2027                 if (!data->bulk_tx_ep && usb_endpoint_is_bulk_out(ep_desc)) {
2028                         data->bulk_tx_ep = ep_desc;
2029                         continue;
2030                 }
2031
2032                 if (!data->bulk_rx_ep && usb_endpoint_is_bulk_in(ep_desc)) {
2033                         data->bulk_rx_ep = ep_desc;
2034                         continue;
2035                 }
2036         }
2037
2038         if (!data->intr_ep || !data->bulk_tx_ep || !data->bulk_rx_ep)
2039                 return -ENODEV;
2040
2041         data->cmdreq_type = USB_TYPE_CLASS;
2042
2043         data->udev = interface_to_usbdev(intf);
2044         data->intf = intf;
2045
2046         INIT_WORK(&data->work, btusb_work);
2047         INIT_WORK(&data->waker, btusb_waker);
2048         init_usb_anchor(&data->deferred);
2049         init_usb_anchor(&data->tx_anchor);
2050         spin_lock_init(&data->txlock);
2051
2052         init_usb_anchor(&data->intr_anchor);
2053         init_usb_anchor(&data->bulk_anchor);
2054         init_usb_anchor(&data->isoc_anchor);
2055         spin_lock_init(&data->rxlock);
2056
2057         data->recv_event = hci_recv_frame;
2058         data->recv_bulk = btusb_recv_bulk;
2059
2060         hdev = hci_alloc_dev();
2061         if (!hdev)
2062                 return -ENOMEM;
2063
2064         hdev->bus = HCI_USB;
2065         hci_set_drvdata(hdev, data);
2066
2067         data->hdev = hdev;
2068
2069         SET_HCIDEV_DEV(hdev, &intf->dev);
2070
2071         hdev->open   = btusb_open;
2072         hdev->close  = btusb_close;
2073         hdev->flush  = btusb_flush;
2074         hdev->send   = btusb_send_frame;
2075         hdev->notify = btusb_notify;
2076
2077         if (id->driver_info & BTUSB_BCM92035)
2078                 hdev->setup = btusb_setup_bcm92035;
2079
2080         if (id->driver_info & BTUSB_BCM_PATCHRAM) {
2081                 hdev->setup = btusb_setup_bcm_patchram;
2082                 hdev->set_bdaddr = btusb_set_bdaddr_bcm;
2083                 set_bit(HCI_QUIRK_STRICT_DUPLICATE_FILTER, &hdev->quirks);
2084         }
2085
2086         if (id->driver_info & BTUSB_INTEL) {
2087                 hdev->setup = btusb_setup_intel;
2088                 hdev->set_bdaddr = btusb_set_bdaddr_intel;
2089         }
2090
2091         if (id->driver_info & BTUSB_MARVELL)
2092                 hdev->set_bdaddr = btusb_set_bdaddr_marvell;
2093
2094         if (id->driver_info & BTUSB_SWAVE) {
2095                 set_bit(HCI_QUIRK_FIXUP_INQUIRY_MODE, &hdev->quirks);
2096                 set_bit(HCI_QUIRK_BROKEN_LOCAL_COMMANDS, &hdev->quirks);
2097         }
2098
2099         if (id->driver_info & BTUSB_INTEL_BOOT)
2100                 set_bit(HCI_QUIRK_RAW_DEVICE, &hdev->quirks);
2101
2102         if (id->driver_info & BTUSB_ATH3012)
2103                 hdev->set_bdaddr = btusb_set_bdaddr_ath3012;
2104
2105         /* Interface numbers are hardcoded in the specification */
2106         data->isoc = usb_ifnum_to_if(data->udev, 1);
2107
2108         if (!reset)
2109                 set_bit(HCI_QUIRK_RESET_ON_CLOSE, &hdev->quirks);
2110
2111         if (force_scofix || id->driver_info & BTUSB_WRONG_SCO_MTU) {
2112                 if (!disable_scofix)
2113                         set_bit(HCI_QUIRK_FIXUP_BUFFER_SIZE, &hdev->quirks);
2114         }
2115
2116         if (id->driver_info & BTUSB_BROKEN_ISOC)
2117                 data->isoc = NULL;
2118
2119         if (id->driver_info & BTUSB_DIGIANSWER) {
2120                 data->cmdreq_type = USB_TYPE_VENDOR;
2121                 set_bit(HCI_QUIRK_RESET_ON_CLOSE, &hdev->quirks);
2122         }
2123
2124         if (id->driver_info & BTUSB_CSR) {
2125                 struct usb_device *udev = data->udev;
2126                 u16 bcdDevice = le16_to_cpu(udev->descriptor.bcdDevice);
2127
2128                 /* Old firmware would otherwise execute USB reset */
2129                 if (bcdDevice < 0x117)
2130                         set_bit(HCI_QUIRK_RESET_ON_CLOSE, &hdev->quirks);
2131
2132                 /* Fake CSR devices with broken commands */
2133                 if (bcdDevice <= 0x100)
2134                         hdev->setup = btusb_setup_csr;
2135         }
2136
2137         if (id->driver_info & BTUSB_SNIFFER) {
2138                 struct usb_device *udev = data->udev;
2139
2140                 /* New sniffer firmware has crippled HCI interface */
2141                 if (le16_to_cpu(udev->descriptor.bcdDevice) > 0x997)
2142                         set_bit(HCI_QUIRK_RAW_DEVICE, &hdev->quirks);
2143         }
2144
2145         if (id->driver_info & BTUSB_INTEL_BOOT) {
2146                 /* A bug in the bootloader causes that interrupt interface is
2147                  * only enabled after receiving SetInterface(0, AltSetting=0).
2148                  */
2149                 err = usb_set_interface(data->udev, 0, 0);
2150                 if (err < 0) {
2151                         BT_ERR("failed to set interface 0, alt 0 %d", err);
2152                         hci_free_dev(hdev);
2153                         return err;
2154                 }
2155         }
2156
2157         if (data->isoc) {
2158                 err = usb_driver_claim_interface(&btusb_driver,
2159                                                  data->isoc, data);
2160                 if (err < 0) {
2161                         hci_free_dev(hdev);
2162                         return err;
2163                 }
2164         }
2165
2166         err = hci_register_dev(hdev);
2167         if (err < 0) {
2168                 hci_free_dev(hdev);
2169                 return err;
2170         }
2171
2172         usb_set_intfdata(intf, data);
2173
2174         return 0;
2175 }
2176
2177 static void btusb_disconnect(struct usb_interface *intf)
2178 {
2179         struct btusb_data *data = usb_get_intfdata(intf);
2180         struct hci_dev *hdev;
2181
2182         BT_DBG("intf %p", intf);
2183
2184         if (!data)
2185                 return;
2186
2187         hdev = data->hdev;
2188         usb_set_intfdata(data->intf, NULL);
2189
2190         if (data->isoc)
2191                 usb_set_intfdata(data->isoc, NULL);
2192
2193         hci_unregister_dev(hdev);
2194
2195         if (intf == data->isoc)
2196                 usb_driver_release_interface(&btusb_driver, data->intf);
2197         else if (data->isoc)
2198                 usb_driver_release_interface(&btusb_driver, data->isoc);
2199
2200         btusb_free_frags(data);
2201         hci_free_dev(hdev);
2202 }
2203
2204 #ifdef CONFIG_PM
2205 static int btusb_suspend(struct usb_interface *intf, pm_message_t message)
2206 {
2207         struct btusb_data *data = usb_get_intfdata(intf);
2208
2209         BT_DBG("intf %p", intf);
2210
2211         if (data->suspend_count++)
2212                 return 0;
2213
2214         spin_lock_irq(&data->txlock);
2215         if (!(PMSG_IS_AUTO(message) && data->tx_in_flight)) {
2216                 set_bit(BTUSB_SUSPENDING, &data->flags);
2217                 spin_unlock_irq(&data->txlock);
2218         } else {
2219                 spin_unlock_irq(&data->txlock);
2220                 data->suspend_count--;
2221                 return -EBUSY;
2222         }
2223
2224         cancel_work_sync(&data->work);
2225
2226         btusb_stop_traffic(data);
2227         usb_kill_anchored_urbs(&data->tx_anchor);
2228
2229         return 0;
2230 }
2231
2232 static void play_deferred(struct btusb_data *data)
2233 {
2234         struct urb *urb;
2235         int err;
2236
2237         while ((urb = usb_get_from_anchor(&data->deferred))) {
2238                 err = usb_submit_urb(urb, GFP_ATOMIC);
2239                 if (err < 0)
2240                         break;
2241
2242                 data->tx_in_flight++;
2243         }
2244         usb_scuttle_anchored_urbs(&data->deferred);
2245 }
2246
2247 static int btusb_resume(struct usb_interface *intf)
2248 {
2249         struct btusb_data *data = usb_get_intfdata(intf);
2250         struct hci_dev *hdev = data->hdev;
2251         int err = 0;
2252
2253         BT_DBG("intf %p", intf);
2254
2255         if (--data->suspend_count)
2256                 return 0;
2257
2258         if (!test_bit(HCI_RUNNING, &hdev->flags))
2259                 goto done;
2260
2261         if (test_bit(BTUSB_INTR_RUNNING, &data->flags)) {
2262                 err = btusb_submit_intr_urb(hdev, GFP_NOIO);
2263                 if (err < 0) {
2264                         clear_bit(BTUSB_INTR_RUNNING, &data->flags);
2265                         goto failed;
2266                 }
2267         }
2268
2269         if (test_bit(BTUSB_BULK_RUNNING, &data->flags)) {
2270                 err = btusb_submit_bulk_urb(hdev, GFP_NOIO);
2271                 if (err < 0) {
2272                         clear_bit(BTUSB_BULK_RUNNING, &data->flags);
2273                         goto failed;
2274                 }
2275
2276                 btusb_submit_bulk_urb(hdev, GFP_NOIO);
2277         }
2278
2279         if (test_bit(BTUSB_ISOC_RUNNING, &data->flags)) {
2280                 if (btusb_submit_isoc_urb(hdev, GFP_NOIO) < 0)
2281                         clear_bit(BTUSB_ISOC_RUNNING, &data->flags);
2282                 else
2283                         btusb_submit_isoc_urb(hdev, GFP_NOIO);
2284         }
2285
2286         spin_lock_irq(&data->txlock);
2287         play_deferred(data);
2288         clear_bit(BTUSB_SUSPENDING, &data->flags);
2289         spin_unlock_irq(&data->txlock);
2290         schedule_work(&data->work);
2291
2292         return 0;
2293
2294 failed:
2295         usb_scuttle_anchored_urbs(&data->deferred);
2296 done:
2297         spin_lock_irq(&data->txlock);
2298         clear_bit(BTUSB_SUSPENDING, &data->flags);
2299         spin_unlock_irq(&data->txlock);
2300
2301         return err;
2302 }
2303 #endif
2304
2305 static struct usb_driver btusb_driver = {
2306         .name           = "btusb",
2307         .probe          = btusb_probe,
2308         .disconnect     = btusb_disconnect,
2309 #ifdef CONFIG_PM
2310         .suspend        = btusb_suspend,
2311         .resume         = btusb_resume,
2312 #endif
2313         .id_table       = btusb_table,
2314         .supports_autosuspend = 1,
2315         .disable_hub_initiated_lpm = 1,
2316 };
2317
2318 module_usb_driver(btusb_driver);
2319
2320 module_param(disable_scofix, bool, 0644);
2321 MODULE_PARM_DESC(disable_scofix, "Disable fixup of wrong SCO buffer size");
2322
2323 module_param(force_scofix, bool, 0644);
2324 MODULE_PARM_DESC(force_scofix, "Force fixup of wrong SCO buffers size");
2325
2326 module_param(reset, bool, 0644);
2327 MODULE_PARM_DESC(reset, "Send HCI reset command on initialization");
2328
2329 MODULE_AUTHOR("Marcel Holtmann <marcel@holtmann.org>");
2330 MODULE_DESCRIPTION("Generic Bluetooth USB driver ver " VERSION);
2331 MODULE_VERSION(VERSION);
2332 MODULE_LICENSE("GPL");