Guest User

linux 4.8 btusb.c

a guest
Jan 1st, 2017
110
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
C 85.18 KB
  1. /*
  2.  *
  3.  *  Generic Bluetooth USB driver
  4.  *
  5.  *  Copyright (C) 2005-2008  Marcel Holtmann <marcel@holtmann.org>
  6.  *
  7.  *
  8.  *  This program is free software; you can redistribute it and/or modify
  9.  *  it under the terms of the GNU General Public License as published by
  10.  *  the Free Software Foundation; either version 2 of the License, or
  11.  *  (at your option) any later version.
  12.  *
  13.  *  This program is distributed in the hope that it will be useful,
  14.  *  but WITHOUT ANY WARRANTY; without even the implied warranty of
  15.  *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  16.  *  GNU General Public License for more details.
  17.  *
  18.  *  You should have received a copy of the GNU General Public License
  19.  *  along with this program; if not, write to the Free Software
  20.  *  Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
  21.  *
  22.  */
  23.  
  24. #include <linux/module.h>
  25. #include <linux/usb.h>
  26. #include <linux/firmware.h>
  27. #include <asm/unaligned.h>
  28.  
  29. #include <net/bluetooth/bluetooth.h>
  30. #include <net/bluetooth/hci_core.h>
  31.  
  32. #include "btintel.h"
  33. #include "btbcm.h"
  34. #include "btrtl.h"
  35.  
  36. #define VERSION "0.8"
  37.  
  38. static bool disable_scofix;
  39. static bool force_scofix;
  40.  
  41. static bool reset = true;
  42.  
  43. static struct usb_driver btusb_driver;
  44.  
  45. #define BTUSB_IGNORE        0x01
  46. #define BTUSB_DIGIANSWER    0x02
  47. #define BTUSB_CSR       0x04
  48. #define BTUSB_SNIFFER       0x08
  49. #define BTUSB_BCM92035      0x10
  50. #define BTUSB_BROKEN_ISOC   0x20
  51. #define BTUSB_WRONG_SCO_MTU 0x40
  52. #define BTUSB_ATH3012       0x80
  53. #define BTUSB_INTEL     0x100
  54. #define BTUSB_INTEL_BOOT    0x200
  55. #define BTUSB_BCM_PATCHRAM  0x400
  56. #define BTUSB_MARVELL       0x800
  57. #define BTUSB_SWAVE     0x1000
  58. #define BTUSB_INTEL_NEW     0x2000
  59. #define BTUSB_AMP       0x4000
  60. #define BTUSB_QCA_ROME      0x8000
  61. #define BTUSB_BCM_APPLE     0x10000
  62. #define BTUSB_REALTEK       0x20000
  63. #define BTUSB_BCM2045       0x40000
  64. #define BTUSB_IFNUM_2       0x80000
  65.  
  66. static const struct usb_device_id btusb_table[] = {
  67.     /* Generic Bluetooth USB device */
  68.     { USB_DEVICE_INFO(0xe0, 0x01, 0x01) },
  69.  
  70.     /* Generic Bluetooth AMP device */
  71.     { USB_DEVICE_INFO(0xe0, 0x01, 0x04), .driver_info = BTUSB_AMP },
  72.  
  73.     /* Generic Bluetooth USB interface */
  74.     { USB_INTERFACE_INFO(0xe0, 0x01, 0x01) },
  75.  
  76.     /* Apple-specific (Broadcom) devices */
  77.     { USB_VENDOR_AND_INTERFACE_INFO(0x05ac, 0xff, 0x01, 0x01),
  78.       .driver_info = BTUSB_BCM_APPLE | BTUSB_IFNUM_2 },
  79.  
  80.     /* MediaTek MT76x0E */
  81.     { USB_DEVICE(0x0e8d, 0x763f) },
  82.  
  83.     /* Broadcom SoftSailing reporting vendor specific */
  84.     { USB_DEVICE(0x0a5c, 0x21e1) },
  85.  
  86.     /* Apple MacBookPro 7,1 */
  87.     { USB_DEVICE(0x05ac, 0x8213) },
  88.  
  89.     /* Apple iMac11,1 */
  90.     { USB_DEVICE(0x05ac, 0x8215) },
  91.  
  92.     /* Apple MacBookPro6,2 */
  93.     { USB_DEVICE(0x05ac, 0x8218) },
  94.  
  95.     /* Apple MacBookAir3,1, MacBookAir3,2 */
  96.     { USB_DEVICE(0x05ac, 0x821b) },
  97.  
  98.     /* Apple MacBookAir4,1 */
  99.     { USB_DEVICE(0x05ac, 0x821f) },
  100.  
  101.     /* Apple MacBookPro8,2 */
  102.     { USB_DEVICE(0x05ac, 0x821a) },
  103.  
  104.     /* Apple MacMini5,1 */
  105.     { USB_DEVICE(0x05ac, 0x8281) },
  106.  
  107.     /* AVM BlueFRITZ! USB v2.0 */
  108.     { USB_DEVICE(0x057c, 0x3800), .driver_info = BTUSB_SWAVE },
  109.  
  110.     /* Bluetooth Ultraport Module from IBM */
  111.     { USB_DEVICE(0x04bf, 0x030a) },
  112.  
  113.     /* ALPS Modules with non-standard id */
  114.     { USB_DEVICE(0x044e, 0x3001) },
  115.     { USB_DEVICE(0x044e, 0x3002) },
  116.  
  117.     /* Ericsson with non-standard id */
  118.     { USB_DEVICE(0x0bdb, 0x1002) },
  119.  
  120.     /* Canyon CN-BTU1 with HID interfaces */
  121.     { USB_DEVICE(0x0c10, 0x0000) },
  122.  
  123.     /* Broadcom BCM20702A0 */
  124.     { USB_DEVICE(0x413c, 0x8197) },
  125.  
  126.     /* Broadcom BCM20702B0 (Dynex/Insignia) */
  127.     { USB_DEVICE(0x19ff, 0x0239), .driver_info = BTUSB_BCM_PATCHRAM },
  128.  
  129.     /* Broadcom BCM43142A0 (Foxconn/Lenovo) */
  130.     { USB_DEVICE(0x105b, 0xe065), .driver_info = BTUSB_BCM_PATCHRAM },
  131.  
  132.     /* Foxconn - Hon Hai */
  133.     { USB_VENDOR_AND_INTERFACE_INFO(0x0489, 0xff, 0x01, 0x01),
  134.       .driver_info = BTUSB_BCM_PATCHRAM },
  135.  
  136.     /* Lite-On Technology - Broadcom based */
  137.     { USB_VENDOR_AND_INTERFACE_INFO(0x04ca, 0xff, 0x01, 0x01),
  138.       .driver_info = BTUSB_BCM_PATCHRAM },
  139.  
  140.     /* Broadcom devices with vendor specific id */
  141.     { USB_VENDOR_AND_INTERFACE_INFO(0x0a5c, 0xff, 0x01, 0x01),
  142.       .driver_info = BTUSB_BCM_PATCHRAM },
  143.  
  144.     /* ASUSTek Computer - Broadcom based */
  145.     { USB_VENDOR_AND_INTERFACE_INFO(0x0b05, 0xff, 0x01, 0x01),
  146.       .driver_info = BTUSB_BCM_PATCHRAM },
  147.  
  148.     /* Belkin F8065bf - Broadcom based */
  149.     { USB_VENDOR_AND_INTERFACE_INFO(0x050d, 0xff, 0x01, 0x01),
  150.       .driver_info = BTUSB_BCM_PATCHRAM },
  151.  
  152.     /* IMC Networks - Broadcom based */
  153.     { USB_VENDOR_AND_INTERFACE_INFO(0x13d3, 0xff, 0x01, 0x01),
  154.       .driver_info = BTUSB_BCM_PATCHRAM },
  155.  
  156.     /* Toshiba Corp - Broadcom based */
  157.     { USB_VENDOR_AND_INTERFACE_INFO(0x0930, 0xff, 0x01, 0x01),
  158.       .driver_info = BTUSB_BCM_PATCHRAM },
  159.  
  160.     /* Intel Bluetooth USB Bootloader (RAM module) */
  161.     { USB_DEVICE(0x8087, 0x0a5a),
  162.       .driver_info = BTUSB_INTEL_BOOT | BTUSB_BROKEN_ISOC },
  163.  
  164.     { } /* Terminating entry */
  165. };
  166.  
  167. MODULE_DEVICE_TABLE(usb, btusb_table);
  168.  
  169. static const struct usb_device_id blacklist_table[] = {
  170.     /* CSR BlueCore devices */
  171.     { USB_DEVICE(0x0a12, 0x0001), .driver_info = BTUSB_CSR },
  172.  
  173.     /* Broadcom BCM2033 without firmware */
  174.     { USB_DEVICE(0x0a5c, 0x2033), .driver_info = BTUSB_IGNORE },
  175.  
  176.     /* Broadcom BCM2045 devices */
  177.     { USB_DEVICE(0x0a5c, 0x2045), .driver_info = BTUSB_BCM2045 },
  178.  
  179.     /* Atheros 3011 with sflash firmware */
  180.     { USB_DEVICE(0x0489, 0xe027), .driver_info = BTUSB_IGNORE },
  181.     { USB_DEVICE(0x0489, 0xe03d), .driver_info = BTUSB_IGNORE },
  182.     { USB_DEVICE(0x04f2, 0xaff1), .driver_info = BTUSB_IGNORE },
  183.     { USB_DEVICE(0x0930, 0x0215), .driver_info = BTUSB_IGNORE },
  184.     { USB_DEVICE(0x0cf3, 0x3002), .driver_info = BTUSB_IGNORE },
  185.     { USB_DEVICE(0x0cf3, 0xe019), .driver_info = BTUSB_IGNORE },
  186.     { USB_DEVICE(0x13d3, 0x3304), .driver_info = BTUSB_IGNORE },
  187.  
  188.     /* Atheros AR9285 Malbec with sflash firmware */
  189.     { USB_DEVICE(0x03f0, 0x311d), .driver_info = BTUSB_IGNORE },
  190.  
  191.     /* Atheros 3012 with sflash firmware */
  192.     { USB_DEVICE(0x0489, 0xe04d), .driver_info = BTUSB_ATH3012 },
  193.     { USB_DEVICE(0x0489, 0xe04e), .driver_info = BTUSB_ATH3012 },
  194.     { USB_DEVICE(0x0489, 0xe056), .driver_info = BTUSB_ATH3012 },
  195.     { USB_DEVICE(0x0489, 0xe057), .driver_info = BTUSB_ATH3012 },
  196.     { USB_DEVICE(0x0489, 0xe05f), .driver_info = BTUSB_ATH3012 },
  197.     { USB_DEVICE(0x0489, 0xe076), .driver_info = BTUSB_ATH3012 },
  198.     { USB_DEVICE(0x0489, 0xe078), .driver_info = BTUSB_ATH3012 },
  199.     { USB_DEVICE(0x0489, 0xe095), .driver_info = BTUSB_ATH3012 },
  200.     { USB_DEVICE(0x04c5, 0x1330), .driver_info = BTUSB_ATH3012 },
  201.     { USB_DEVICE(0x04ca, 0x3004), .driver_info = BTUSB_ATH3012 },
  202.     { USB_DEVICE(0x04ca, 0x3005), .driver_info = BTUSB_ATH3012 },
  203.     { USB_DEVICE(0x04ca, 0x3006), .driver_info = BTUSB_ATH3012 },
  204.     { USB_DEVICE(0x04ca, 0x3007), .driver_info = BTUSB_ATH3012 },
  205.     { USB_DEVICE(0x04ca, 0x3008), .driver_info = BTUSB_ATH3012 },
  206.     { USB_DEVICE(0x04ca, 0x300b), .driver_info = BTUSB_ATH3012 },
  207.     { USB_DEVICE(0x04ca, 0x300d), .driver_info = BTUSB_ATH3012 },
  208.     { USB_DEVICE(0x04ca, 0x300f), .driver_info = BTUSB_ATH3012 },
  209.     { USB_DEVICE(0x04ca, 0x3010), .driver_info = BTUSB_ATH3012 },
  210.     { USB_DEVICE(0x04ca, 0x3014), .driver_info = BTUSB_ATH3012 },
  211.     { USB_DEVICE(0x0930, 0x0219), .driver_info = BTUSB_ATH3012 },
  212.     { USB_DEVICE(0x0930, 0x021c), .driver_info = BTUSB_ATH3012 },
  213.     { USB_DEVICE(0x0930, 0x0220), .driver_info = BTUSB_ATH3012 },
  214.     { USB_DEVICE(0x0930, 0x0227), .driver_info = BTUSB_ATH3012 },
  215.     { USB_DEVICE(0x0b05, 0x17d0), .driver_info = BTUSB_ATH3012 },
  216.     { USB_DEVICE(0x0cf3, 0x0036), .driver_info = BTUSB_ATH3012 },
  217.     { USB_DEVICE(0x0cf3, 0x3004), .driver_info = BTUSB_ATH3012 },
  218.     { USB_DEVICE(0x0cf3, 0x3008), .driver_info = BTUSB_ATH3012 },
  219.     { USB_DEVICE(0x0cf3, 0x311d), .driver_info = BTUSB_ATH3012 },
  220.     { USB_DEVICE(0x0cf3, 0x311e), .driver_info = BTUSB_ATH3012 },
  221.     { USB_DEVICE(0x0cf3, 0x311f), .driver_info = BTUSB_ATH3012 },
  222.     { USB_DEVICE(0x0cf3, 0x3121), .driver_info = BTUSB_ATH3012 },
  223.     { USB_DEVICE(0x0cf3, 0x817a), .driver_info = BTUSB_ATH3012 },
  224.     { USB_DEVICE(0x0cf3, 0x817b), .driver_info = BTUSB_ATH3012 },
  225.     { USB_DEVICE(0x0cf3, 0xe003), .driver_info = BTUSB_ATH3012 },
  226.     { USB_DEVICE(0x0cf3, 0xe004), .driver_info = BTUSB_ATH3012 },
  227.     { USB_DEVICE(0x0cf3, 0xe005), .driver_info = BTUSB_ATH3012 },
  228.     { USB_DEVICE(0x0cf3, 0xe006), .driver_info = BTUSB_ATH3012 },
  229.     { USB_DEVICE(0x13d3, 0x3362), .driver_info = BTUSB_ATH3012 },
  230.     { USB_DEVICE(0x13d3, 0x3375), .driver_info = BTUSB_ATH3012 },
  231.     { USB_DEVICE(0x13d3, 0x3393), .driver_info = BTUSB_ATH3012 },
  232.     { USB_DEVICE(0x13d3, 0x3395), .driver_info = BTUSB_ATH3012 },
  233.     { USB_DEVICE(0x13d3, 0x3402), .driver_info = BTUSB_ATH3012 },
  234.     { USB_DEVICE(0x13d3, 0x3408), .driver_info = BTUSB_ATH3012 },
  235.     { USB_DEVICE(0x13d3, 0x3423), .driver_info = BTUSB_ATH3012 },
  236.     { USB_DEVICE(0x13d3, 0x3432), .driver_info = BTUSB_ATH3012 },
  237.     { USB_DEVICE(0x13d3, 0x3472), .driver_info = BTUSB_ATH3012 },
  238.     { USB_DEVICE(0x13d3, 0x3474), .driver_info = BTUSB_ATH3012 },
  239.     { USB_DEVICE(0x13d3, 0x3487), .driver_info = BTUSB_ATH3012 },
  240.     { USB_DEVICE(0x13d3, 0x3490), .driver_info = BTUSB_ATH3012 },
  241.  
  242.     /* Atheros AR5BBU12 with sflash firmware */
  243.     { USB_DEVICE(0x0489, 0xe02c), .driver_info = BTUSB_IGNORE },
  244.  
  245.     /* Atheros AR5BBU12 with sflash firmware */
  246.     { USB_DEVICE(0x0489, 0xe036), .driver_info = BTUSB_ATH3012 },
  247.     { USB_DEVICE(0x0489, 0xe03c), .driver_info = BTUSB_ATH3012 },
  248.  
  249.     /* QCA ROME chipset */
  250.     { USB_DEVICE(0x0cf3, 0xe007), .driver_info = BTUSB_QCA_ROME },
  251.     { USB_DEVICE(0x0cf3, 0xe300), .driver_info = BTUSB_QCA_ROME },
  252.     { USB_DEVICE(0x0cf3, 0xe360), .driver_info = BTUSB_QCA_ROME },
  253.     { USB_DEVICE(0x0489, 0xe092), .driver_info = BTUSB_QCA_ROME },
  254.     { USB_DEVICE(0x04ca, 0x3011), .driver_info = BTUSB_QCA_ROME },
  255.  
  256.     /* Broadcom BCM2035 */
  257.     { USB_DEVICE(0x0a5c, 0x2009), .driver_info = BTUSB_BCM92035 },
  258.     { USB_DEVICE(0x0a5c, 0x200a), .driver_info = BTUSB_WRONG_SCO_MTU },
  259.     { USB_DEVICE(0x0a5c, 0x2035), .driver_info = BTUSB_WRONG_SCO_MTU },
  260.  
  261.     /* Broadcom BCM2045 */
  262.     { USB_DEVICE(0x0a5c, 0x2039), .driver_info = BTUSB_WRONG_SCO_MTU },
  263.     { USB_DEVICE(0x0a5c, 0x2101), .driver_info = BTUSB_WRONG_SCO_MTU },
  264.  
  265.     /* IBM/Lenovo ThinkPad with Broadcom chip */
  266.     { USB_DEVICE(0x0a5c, 0x201e), .driver_info = BTUSB_WRONG_SCO_MTU },
  267.     { USB_DEVICE(0x0a5c, 0x2110), .driver_info = BTUSB_WRONG_SCO_MTU },
  268.  
  269.     /* HP laptop with Broadcom chip */
  270.     { USB_DEVICE(0x03f0, 0x171d), .driver_info = BTUSB_WRONG_SCO_MTU },
  271.  
  272.     /* Dell laptop with Broadcom chip */
  273.     { USB_DEVICE(0x413c, 0x8126), .driver_info = BTUSB_WRONG_SCO_MTU },
  274.  
  275.     /* Dell Wireless 370 and 410 devices */
  276.     { USB_DEVICE(0x413c, 0x8152), .driver_info = BTUSB_WRONG_SCO_MTU },
  277.     { USB_DEVICE(0x413c, 0x8156), .driver_info = BTUSB_WRONG_SCO_MTU },
  278.  
  279.     /* Belkin F8T012 and F8T013 devices */
  280.     { USB_DEVICE(0x050d, 0x0012), .driver_info = BTUSB_WRONG_SCO_MTU },
  281.     { USB_DEVICE(0x050d, 0x0013), .driver_info = BTUSB_WRONG_SCO_MTU },
  282.  
  283.     /* Asus WL-BTD202 device */
  284.     { USB_DEVICE(0x0b05, 0x1715), .driver_info = BTUSB_WRONG_SCO_MTU },
  285.  
  286.     /* Kensington Bluetooth USB adapter */
  287.     { USB_DEVICE(0x047d, 0x105e), .driver_info = BTUSB_WRONG_SCO_MTU },
  288.  
  289.     /* RTX Telecom based adapters with buggy SCO support */
  290.     { USB_DEVICE(0x0400, 0x0807), .driver_info = BTUSB_BROKEN_ISOC },
  291.     { USB_DEVICE(0x0400, 0x080a), .driver_info = BTUSB_BROKEN_ISOC },
  292.  
  293.     /* CONWISE Technology based adapters with buggy SCO support */
  294.     { USB_DEVICE(0x0e5e, 0x6622), .driver_info = BTUSB_BROKEN_ISOC },
  295.  
  296.     /* Roper Class 1 Bluetooth Dongle (Silicon Wave based) */
  297.     { USB_DEVICE(0x1310, 0x0001), .driver_info = BTUSB_SWAVE },
  298.  
  299.     /* Digianswer devices */
  300.     { USB_DEVICE(0x08fd, 0x0001), .driver_info = BTUSB_DIGIANSWER },
  301.     { USB_DEVICE(0x08fd, 0x0002), .driver_info = BTUSB_IGNORE },
  302.  
  303.     /* CSR BlueCore Bluetooth Sniffer */
  304.     { USB_DEVICE(0x0a12, 0x0002),
  305.       .driver_info = BTUSB_SNIFFER | BTUSB_BROKEN_ISOC },
  306.  
  307.     /* Frontline ComProbe Bluetooth Sniffer */
  308.     { USB_DEVICE(0x16d3, 0x0002),
  309.       .driver_info = BTUSB_SNIFFER | BTUSB_BROKEN_ISOC },
  310.  
  311.     /* Marvell Bluetooth devices */
  312.     { USB_DEVICE(0x1286, 0x2044), .driver_info = BTUSB_MARVELL },
  313.     { USB_DEVICE(0x1286, 0x2046), .driver_info = BTUSB_MARVELL },
  314.  
  315.     /* Intel Bluetooth devices */
  316.     { USB_DEVICE(0x8087, 0x07da), .driver_info = BTUSB_CSR },
  317.     { USB_DEVICE(0x8087, 0x07dc), .driver_info = BTUSB_INTEL },
  318.     { USB_DEVICE(0x8087, 0x0a2a), .driver_info = BTUSB_INTEL },
  319.     { USB_DEVICE(0x8087, 0x0a2b), .driver_info = BTUSB_INTEL_NEW },
  320.     { USB_DEVICE(0x8087, 0x0aa7), .driver_info = BTUSB_INTEL },
  321.  
  322.     /* Other Intel Bluetooth devices */
  323.     { USB_VENDOR_AND_INTERFACE_INFO(0x8087, 0xe0, 0x01, 0x01),
  324.       .driver_info = BTUSB_IGNORE },
  325.  
  326.     /* Realtek Bluetooth devices */
  327.     { USB_VENDOR_AND_INTERFACE_INFO(0x0bda, 0xe0, 0x01, 0x01),
  328.       .driver_info = BTUSB_REALTEK },
  329.  
  330.     /* Additional Realtek 8723AE Bluetooth devices */
  331.     { USB_DEVICE(0x0930, 0x021d), .driver_info = BTUSB_REALTEK },
  332.     { USB_DEVICE(0x13d3, 0x3394), .driver_info = BTUSB_REALTEK },
  333.  
  334.     /* Additional Realtek 8723BE Bluetooth devices */
  335.     { USB_DEVICE(0x0489, 0xe085), .driver_info = BTUSB_REALTEK },
  336.     { USB_DEVICE(0x0489, 0xe08b), .driver_info = BTUSB_REALTEK },
  337.     { USB_DEVICE(0x13d3, 0x3410), .driver_info = BTUSB_REALTEK },
  338.     { USB_DEVICE(0x13d3, 0x3416), .driver_info = BTUSB_REALTEK },
  339.     { USB_DEVICE(0x13d3, 0x3459), .driver_info = BTUSB_REALTEK },
  340.  
  341.     /* Additional Realtek 8821AE Bluetooth devices */
  342.     { USB_DEVICE(0x0b05, 0x17dc), .driver_info = BTUSB_REALTEK },
  343.     { USB_DEVICE(0x13d3, 0x3414), .driver_info = BTUSB_REALTEK },
  344.     { USB_DEVICE(0x13d3, 0x3458), .driver_info = BTUSB_REALTEK },
  345.     { USB_DEVICE(0x13d3, 0x3461), .driver_info = BTUSB_REALTEK },
  346.     { USB_DEVICE(0x13d3, 0x3462), .driver_info = BTUSB_REALTEK },
  347.  
  348.     /* Silicon Wave based devices */
  349.     { USB_DEVICE(0x0c10, 0x0000), .driver_info = BTUSB_SWAVE },
  350.  
  351.     { } /* Terminating entry */
  352. };
  353.  
  354. #define BTUSB_MAX_ISOC_FRAMES   10
  355.  
  356. #define BTUSB_INTR_RUNNING  0
  357. #define BTUSB_BULK_RUNNING  1
  358. #define BTUSB_ISOC_RUNNING  2
  359. #define BTUSB_SUSPENDING    3
  360. #define BTUSB_DID_ISO_RESUME    4
  361. #define BTUSB_BOOTLOADER    5
  362. #define BTUSB_DOWNLOADING   6
  363. #define BTUSB_FIRMWARE_LOADED   7
  364. #define BTUSB_FIRMWARE_FAILED   8
  365. #define BTUSB_BOOTING       9
  366. #define BTUSB_RESET_RESUME  10
  367. #define BTUSB_DIAG_RUNNING  11
  368.  
  369. struct btusb_data {
  370.     struct hci_dev       *hdev;
  371.     struct usb_device    *udev;
  372.     struct usb_interface *intf;
  373.     struct usb_interface *isoc;
  374.     struct usb_interface *diag;
  375.  
  376.     unsigned long flags;
  377.  
  378.     struct work_struct work;
  379.     struct work_struct waker;
  380.  
  381.     struct usb_anchor deferred;
  382.     struct usb_anchor tx_anchor;
  383.     int tx_in_flight;
  384.     spinlock_t txlock;
  385.  
  386.     struct usb_anchor intr_anchor;
  387.     struct usb_anchor bulk_anchor;
  388.     struct usb_anchor isoc_anchor;
  389.     struct usb_anchor diag_anchor;
  390.     spinlock_t rxlock;
  391.  
  392.     struct sk_buff *evt_skb;
  393.     struct sk_buff *acl_skb;
  394.     struct sk_buff *sco_skb;
  395.  
  396.     struct usb_endpoint_descriptor *intr_ep;
  397.     struct usb_endpoint_descriptor *bulk_tx_ep;
  398.     struct usb_endpoint_descriptor *bulk_rx_ep;
  399.     struct usb_endpoint_descriptor *isoc_tx_ep;
  400.     struct usb_endpoint_descriptor *isoc_rx_ep;
  401.     struct usb_endpoint_descriptor *diag_tx_ep;
  402.     struct usb_endpoint_descriptor *diag_rx_ep;
  403.  
  404.     __u8 cmdreq_type;
  405.     __u8 cmdreq;
  406.  
  407.     unsigned int sco_num;
  408.     int isoc_altsetting;
  409.     int suspend_count;
  410.  
  411.     int (*recv_event)(struct hci_dev *hdev, struct sk_buff *skb);
  412.     int (*recv_bulk)(struct btusb_data *data, void *buffer, int count);
  413.  
  414.     int (*setup_on_usb)(struct hci_dev *hdev);
  415. };
  416.  
  417. static inline void btusb_free_frags(struct btusb_data *data)
  418. {
  419.     unsigned long flags;
  420.  
  421.     spin_lock_irqsave(&data->rxlock, flags);
  422.  
  423.     kfree_skb(data->evt_skb);
  424.     data->evt_skb = NULL;
  425.  
  426.     kfree_skb(data->acl_skb);
  427.     data->acl_skb = NULL;
  428.  
  429.     kfree_skb(data->sco_skb);
  430.     data->sco_skb = NULL;
  431.  
  432.     spin_unlock_irqrestore(&data->rxlock, flags);
  433. }
  434.  
  435. static int btusb_recv_intr(struct btusb_data *data, void *buffer, int count)
  436. {
  437.     struct sk_buff *skb;
  438.     int err = 0;
  439.  
  440.     spin_lock(&data->rxlock);
  441.     skb = data->evt_skb;
  442.  
  443.     while (count) {
  444.         int len;
  445.  
  446.         if (!skb) {
  447.             skb = bt_skb_alloc(HCI_MAX_EVENT_SIZE, GFP_ATOMIC);
  448.             if (!skb) {
  449.                 err = -ENOMEM;
  450.                 break;
  451.             }
  452.  
  453.             hci_skb_pkt_type(skb) = HCI_EVENT_PKT;
  454.             hci_skb_expect(skb) = HCI_EVENT_HDR_SIZE;
  455.         }
  456.  
  457.         len = min_t(uint, hci_skb_expect(skb), count);
  458.         memcpy(skb_put(skb, len), buffer, len);
  459.  
  460.         count -= len;
  461.         buffer += len;
  462.         hci_skb_expect(skb) -= len;
  463.  
  464.         if (skb->len == HCI_EVENT_HDR_SIZE) {
  465.             /* Complete event header */
  466.             hci_skb_expect(skb) = hci_event_hdr(skb)->plen;
  467.  
  468.             if (skb_tailroom(skb) < hci_skb_expect(skb)) {
  469.                 kfree_skb(skb);
  470.                 skb = NULL;
  471.  
  472.                 err = -EILSEQ;
  473.                 break;
  474.             }
  475.         }
  476.  
  477.         if (!hci_skb_expect(skb)) {
  478.             /* Complete frame */
  479.             data->recv_event(data->hdev, skb);
  480.             skb = NULL;
  481.         }
  482.     }
  483.  
  484.     data->evt_skb = skb;
  485.     spin_unlock(&data->rxlock);
  486.  
  487.     return err;
  488. }
  489.  
  490. static int btusb_recv_bulk(struct btusb_data *data, void *buffer, int count)
  491. {
  492.     struct sk_buff *skb;
  493.     int err = 0;
  494.  
  495.     spin_lock(&data->rxlock);
  496.     skb = data->acl_skb;
  497.  
  498.     while (count) {
  499.         int len;
  500.  
  501.         if (!skb) {
  502.             skb = bt_skb_alloc(HCI_MAX_FRAME_SIZE, GFP_ATOMIC);
  503.             if (!skb) {
  504.                 err = -ENOMEM;
  505.                 break;
  506.             }
  507.  
  508.             hci_skb_pkt_type(skb) = HCI_ACLDATA_PKT;
  509.             hci_skb_expect(skb) = HCI_ACL_HDR_SIZE;
  510.         }
  511.  
  512.         len = min_t(uint, hci_skb_expect(skb), count);
  513.         memcpy(skb_put(skb, len), buffer, len);
  514.  
  515.         count -= len;
  516.         buffer += len;
  517.         hci_skb_expect(skb) -= len;
  518.  
  519.         if (skb->len == HCI_ACL_HDR_SIZE) {
  520.             __le16 dlen = hci_acl_hdr(skb)->dlen;
  521.  
  522.             /* Complete ACL header */
  523.             hci_skb_expect(skb) = __le16_to_cpu(dlen);
  524.  
  525.             if (skb_tailroom(skb) < hci_skb_expect(skb)) {
  526.                 kfree_skb(skb);
  527.                 skb = NULL;
  528.  
  529.                 err = -EILSEQ;
  530.                 break;
  531.             }
  532.         }
  533.  
  534.         if (!hci_skb_expect(skb)) {
  535.             /* Complete frame */
  536.             hci_recv_frame(data->hdev, skb);
  537.             skb = NULL;
  538.         }
  539.     }
  540.  
  541.     data->acl_skb = skb;
  542.     spin_unlock(&data->rxlock);
  543.  
  544.     return err;
  545. }
  546.  
  547. static int btusb_recv_isoc(struct btusb_data *data, void *buffer, int count)
  548. {
  549.     struct sk_buff *skb;
  550.     int err = 0;
  551.  
  552.     spin_lock(&data->rxlock);
  553.     skb = data->sco_skb;
  554.  
  555.     while (count) {
  556.         int len;
  557.  
  558.         if (!skb) {
  559.             skb = bt_skb_alloc(HCI_MAX_SCO_SIZE, GFP_ATOMIC);
  560.             if (!skb) {
  561.                 err = -ENOMEM;
  562.                 break;
  563.             }
  564.  
  565.             hci_skb_pkt_type(skb) = HCI_SCODATA_PKT;
  566.             hci_skb_expect(skb) = HCI_SCO_HDR_SIZE;
  567.         }
  568.  
  569.         len = min_t(uint, hci_skb_expect(skb), count);
  570.         memcpy(skb_put(skb, len), buffer, len);
  571.  
  572.         count -= len;
  573.         buffer += len;
  574.         hci_skb_expect(skb) -= len;
  575.  
  576.         if (skb->len == HCI_SCO_HDR_SIZE) {
  577.             /* Complete SCO header */
  578.             hci_skb_expect(skb) = hci_sco_hdr(skb)->dlen;
  579.  
  580.             if (skb_tailroom(skb) < hci_skb_expect(skb)) {
  581.                 kfree_skb(skb);
  582.                 skb = NULL;
  583.  
  584.                 err = -EILSEQ;
  585.                 break;
  586.             }
  587.         }
  588.  
  589.         if (!hci_skb_expect(skb)) {
  590.             /* Complete frame */
  591.             hci_recv_frame(data->hdev, skb);
  592.             skb = NULL;
  593.         }
  594.     }
  595.  
  596.     data->sco_skb = skb;
  597.     spin_unlock(&data->rxlock);
  598.  
  599.     return err;
  600. }
  601.  
  602. static void btusb_intr_complete(struct urb *urb)
  603. {
  604.     struct hci_dev *hdev = urb->context;
  605.     struct btusb_data *data = hci_get_drvdata(hdev);
  606.     int err;
  607.  
  608.     BT_DBG("%s urb %p status %d count %d", hdev->name, urb, urb->status,
  609.            urb->actual_length);
  610.  
  611.     if (!test_bit(HCI_RUNNING, &hdev->flags))
  612.         return;
  613.  
  614.     if (urb->status == 0) {
  615.         hdev->stat.byte_rx += urb->actual_length;
  616.  
  617.         if (btusb_recv_intr(data, urb->transfer_buffer,
  618.                     urb->actual_length) < 0) {
  619.             BT_ERR("%s corrupted event packet", hdev->name);
  620.             hdev->stat.err_rx++;
  621.         }
  622.     } else if (urb->status == -ENOENT) {
  623.         /* Avoid suspend failed when usb_kill_urb */
  624.         return;
  625.     }
  626.  
  627.     if (!test_bit(BTUSB_INTR_RUNNING, &data->flags))
  628.         return;
  629.  
  630.     usb_mark_last_busy(data->udev);
  631.     usb_anchor_urb(urb, &data->intr_anchor);
  632.  
  633.     err = usb_submit_urb(urb, GFP_ATOMIC);
  634.     if (err < 0) {
  635.         /* -EPERM: urb is being killed;
  636.          * -ENODEV: device got disconnected */
  637.         if (err != -EPERM && err != -ENODEV)
  638.             BT_ERR("%s urb %p failed to resubmit (%d)",
  639.                    hdev->name, urb, -err);
  640.         usb_unanchor_urb(urb);
  641.     }
  642. }
  643.  
  644. static int btusb_submit_intr_urb(struct hci_dev *hdev, gfp_t mem_flags)
  645. {
  646.     struct btusb_data *data = hci_get_drvdata(hdev);
  647.     struct urb *urb;
  648.     unsigned char *buf;
  649.     unsigned int pipe;
  650.     int err, size;
  651.  
  652.     BT_DBG("%s", hdev->name);
  653.  
  654.     if (!data->intr_ep)
  655.         return -ENODEV;
  656.  
  657.     urb = usb_alloc_urb(0, mem_flags);
  658.     if (!urb)
  659.         return -ENOMEM;
  660.  
  661.     size = le16_to_cpu(data->intr_ep->wMaxPacketSize);
  662.  
  663.     buf = kmalloc(size, mem_flags);
  664.     if (!buf) {
  665.         usb_free_urb(urb);
  666.         return -ENOMEM;
  667.     }
  668.  
  669.     pipe = usb_rcvintpipe(data->udev, data->intr_ep->bEndpointAddress);
  670.  
  671.     usb_fill_int_urb(urb, data->udev, pipe, buf, size,
  672.              btusb_intr_complete, hdev, data->intr_ep->bInterval);
  673.  
  674.     urb->transfer_flags |= URB_FREE_BUFFER;
  675.  
  676.     usb_anchor_urb(urb, &data->intr_anchor);
  677.  
  678.     err = usb_submit_urb(urb, mem_flags);
  679.     if (err < 0) {
  680.         if (err != -EPERM && err != -ENODEV)
  681.             BT_ERR("%s urb %p submission failed (%d)",
  682.                    hdev->name, urb, -err);
  683.         usb_unanchor_urb(urb);
  684.     }
  685.  
  686.     usb_free_urb(urb);
  687.  
  688.     return err;
  689. }
  690.  
  691. static void btusb_bulk_complete(struct urb *urb)
  692. {
  693.     struct hci_dev *hdev = urb->context;
  694.     struct btusb_data *data = hci_get_drvdata(hdev);
  695.     int err;
  696.  
  697.     BT_DBG("%s urb %p status %d count %d", hdev->name, urb, urb->status,
  698.            urb->actual_length);
  699.  
  700.     if (!test_bit(HCI_RUNNING, &hdev->flags))
  701.         return;
  702.  
  703.     if (urb->status == 0) {
  704.         hdev->stat.byte_rx += urb->actual_length;
  705.  
  706.         if (data->recv_bulk(data, urb->transfer_buffer,
  707.                     urb->actual_length) < 0) {
  708.             BT_ERR("%s corrupted ACL packet", hdev->name);
  709.             hdev->stat.err_rx++;
  710.         }
  711.     } else if (urb->status == -ENOENT) {
  712.         /* Avoid suspend failed when usb_kill_urb */
  713.         return;
  714.     }
  715.  
  716.     if (!test_bit(BTUSB_BULK_RUNNING, &data->flags))
  717.         return;
  718.  
  719.     usb_anchor_urb(urb, &data->bulk_anchor);
  720.     usb_mark_last_busy(data->udev);
  721.  
  722.     err = usb_submit_urb(urb, GFP_ATOMIC);
  723.     if (err < 0) {
  724.         /* -EPERM: urb is being killed;
  725.          * -ENODEV: device got disconnected */
  726.         if (err != -EPERM && err != -ENODEV)
  727.             BT_ERR("%s urb %p failed to resubmit (%d)",
  728.                    hdev->name, urb, -err);
  729.         usb_unanchor_urb(urb);
  730.     }
  731. }
  732.  
  733. static int btusb_submit_bulk_urb(struct hci_dev *hdev, gfp_t mem_flags)
  734. {
  735.     struct btusb_data *data = hci_get_drvdata(hdev);
  736.     struct urb *urb;
  737.     unsigned char *buf;
  738.     unsigned int pipe;
  739.     int err, size = HCI_MAX_FRAME_SIZE;
  740.  
  741.     BT_DBG("%s", hdev->name);
  742.  
  743.     if (!data->bulk_rx_ep)
  744.         return -ENODEV;
  745.  
  746.     urb = usb_alloc_urb(0, mem_flags);
  747.     if (!urb)
  748.         return -ENOMEM;
  749.  
  750.     buf = kmalloc(size, mem_flags);
  751.     if (!buf) {
  752.         usb_free_urb(urb);
  753.         return -ENOMEM;
  754.     }
  755.  
  756.     pipe = usb_rcvbulkpipe(data->udev, data->bulk_rx_ep->bEndpointAddress);
  757.  
  758.     usb_fill_bulk_urb(urb, data->udev, pipe, buf, size,
  759.               btusb_bulk_complete, hdev);
  760.  
  761.     urb->transfer_flags |= URB_FREE_BUFFER;
  762.  
  763.     usb_mark_last_busy(data->udev);
  764.     usb_anchor_urb(urb, &data->bulk_anchor);
  765.  
  766.     err = usb_submit_urb(urb, mem_flags);
  767.     if (err < 0) {
  768.         if (err != -EPERM && err != -ENODEV)
  769.             BT_ERR("%s urb %p submission failed (%d)",
  770.                    hdev->name, urb, -err);
  771.         usb_unanchor_urb(urb);
  772.     }
  773.  
  774.     usb_free_urb(urb);
  775.  
  776.     return err;
  777. }
  778.  
  779. static void btusb_isoc_complete(struct urb *urb)
  780. {
  781.     struct hci_dev *hdev = urb->context;
  782.     struct btusb_data *data = hci_get_drvdata(hdev);
  783.     int i, err;
  784.  
  785.     BT_DBG("%s urb %p status %d count %d", hdev->name, urb, urb->status,
  786.            urb->actual_length);
  787.  
  788.     if (!test_bit(HCI_RUNNING, &hdev->flags))
  789.         return;
  790.  
  791.     if (urb->status == 0) {
  792.         for (i = 0; i < urb->number_of_packets; i++) {
  793.             unsigned int offset = urb->iso_frame_desc[i].offset;
  794.             unsigned int length = urb->iso_frame_desc[i].actual_length;
  795.  
  796.             if (urb->iso_frame_desc[i].status)
  797.                 continue;
  798.  
  799.             hdev->stat.byte_rx += length;
  800.  
  801.             if (btusb_recv_isoc(data, urb->transfer_buffer + offset,
  802.                         length) < 0) {
  803.                 BT_ERR("%s corrupted SCO packet", hdev->name);
  804.                 hdev->stat.err_rx++;
  805.             }
  806.         }
  807.     } else if (urb->status == -ENOENT) {
  808.         /* Avoid suspend failed when usb_kill_urb */
  809.         return;
  810.     }
  811.  
  812.     if (!test_bit(BTUSB_ISOC_RUNNING, &data->flags))
  813.         return;
  814.  
  815.     usb_anchor_urb(urb, &data->isoc_anchor);
  816.  
  817.     err = usb_submit_urb(urb, GFP_ATOMIC);
  818.     if (err < 0) {
  819.         /* -EPERM: urb is being killed;
  820.          * -ENODEV: device got disconnected */
  821.         if (err != -EPERM && err != -ENODEV)
  822.             BT_ERR("%s urb %p failed to resubmit (%d)",
  823.                    hdev->name, urb, -err);
  824.         usb_unanchor_urb(urb);
  825.     }
  826. }
  827.  
  828. static inline void __fill_isoc_descriptor(struct urb *urb, int len, int mtu)
  829. {
  830.     int i, offset = 0;
  831.  
  832.     BT_DBG("len %d mtu %d", len, mtu);
  833.  
  834.     for (i = 0; i < BTUSB_MAX_ISOC_FRAMES && len >= mtu;
  835.                     i++, offset += mtu, len -= mtu) {
  836.         urb->iso_frame_desc[i].offset = offset;
  837.         urb->iso_frame_desc[i].length = mtu;
  838.     }
  839.  
  840.     if (len && i < BTUSB_MAX_ISOC_FRAMES) {
  841.         urb->iso_frame_desc[i].offset = offset;
  842.         urb->iso_frame_desc[i].length = len;
  843.         i++;
  844.     }
  845.  
  846.     urb->number_of_packets = i;
  847. }
  848.  
  849. static int btusb_submit_isoc_urb(struct hci_dev *hdev, gfp_t mem_flags)
  850. {
  851.     struct btusb_data *data = hci_get_drvdata(hdev);
  852.     struct urb *urb;
  853.     unsigned char *buf;
  854.     unsigned int pipe;
  855.     int err, size;
  856.  
  857.     BT_DBG("%s", hdev->name);
  858.  
  859.     if (!data->isoc_rx_ep)
  860.         return -ENODEV;
  861.  
  862.     urb = usb_alloc_urb(BTUSB_MAX_ISOC_FRAMES, mem_flags);
  863.     if (!urb)
  864.         return -ENOMEM;
  865.  
  866.     size = le16_to_cpu(data->isoc_rx_ep->wMaxPacketSize) *
  867.                         BTUSB_MAX_ISOC_FRAMES;
  868.  
  869.     buf = kmalloc(size, mem_flags);
  870.     if (!buf) {
  871.         usb_free_urb(urb);
  872.         return -ENOMEM;
  873.     }
  874.  
  875.     pipe = usb_rcvisocpipe(data->udev, data->isoc_rx_ep->bEndpointAddress);
  876.  
  877.     usb_fill_int_urb(urb, data->udev, pipe, buf, size, btusb_isoc_complete,
  878.              hdev, data->isoc_rx_ep->bInterval);
  879.  
  880.     urb->transfer_flags = URB_FREE_BUFFER | URB_ISO_ASAP;
  881.  
  882.     __fill_isoc_descriptor(urb, size,
  883.                    le16_to_cpu(data->isoc_rx_ep->wMaxPacketSize));
  884.  
  885.     usb_anchor_urb(urb, &data->isoc_anchor);
  886.  
  887.     err = usb_submit_urb(urb, mem_flags);
  888.     if (err < 0) {
  889.         if (err != -EPERM && err != -ENODEV)
  890.             BT_ERR("%s urb %p submission failed (%d)",
  891.                    hdev->name, urb, -err);
  892.         usb_unanchor_urb(urb);
  893.     }
  894.  
  895.     usb_free_urb(urb);
  896.  
  897.     return err;
  898. }
  899.  
  900. static void btusb_diag_complete(struct urb *urb)
  901. {
  902.     struct hci_dev *hdev = urb->context;
  903.     struct btusb_data *data = hci_get_drvdata(hdev);
  904.     int err;
  905.  
  906.     BT_DBG("%s urb %p status %d count %d", hdev->name, urb, urb->status,
  907.            urb->actual_length);
  908.  
  909.     if (urb->status == 0) {
  910.         struct sk_buff *skb;
  911.  
  912.         skb = bt_skb_alloc(urb->actual_length, GFP_ATOMIC);
  913.         if (skb) {
  914.             memcpy(skb_put(skb, urb->actual_length),
  915.                    urb->transfer_buffer, urb->actual_length);
  916.             hci_recv_diag(hdev, skb);
  917.         }
  918.     } else if (urb->status == -ENOENT) {
  919.         /* Avoid suspend failed when usb_kill_urb */
  920.         return;
  921.     }
  922.  
  923.     if (!test_bit(BTUSB_DIAG_RUNNING, &data->flags))
  924.         return;
  925.  
  926.     usb_anchor_urb(urb, &data->diag_anchor);
  927.     usb_mark_last_busy(data->udev);
  928.  
  929.     err = usb_submit_urb(urb, GFP_ATOMIC);
  930.     if (err < 0) {
  931.         /* -EPERM: urb is being killed;
  932.          * -ENODEV: device got disconnected */
  933.         if (err != -EPERM && err != -ENODEV)
  934.             BT_ERR("%s urb %p failed to resubmit (%d)",
  935.                    hdev->name, urb, -err);
  936.         usb_unanchor_urb(urb);
  937.     }
  938. }
  939.  
  940. static int btusb_submit_diag_urb(struct hci_dev *hdev, gfp_t mem_flags)
  941. {
  942.     struct btusb_data *data = hci_get_drvdata(hdev);
  943.     struct urb *urb;
  944.     unsigned char *buf;
  945.     unsigned int pipe;
  946.     int err, size = HCI_MAX_FRAME_SIZE;
  947.  
  948.     BT_DBG("%s", hdev->name);
  949.  
  950.     if (!data->diag_rx_ep)
  951.         return -ENODEV;
  952.  
  953.     urb = usb_alloc_urb(0, mem_flags);
  954.     if (!urb)
  955.         return -ENOMEM;
  956.  
  957.     buf = kmalloc(size, mem_flags);
  958.     if (!buf) {
  959.         usb_free_urb(urb);
  960.         return -ENOMEM;
  961.     }
  962.  
  963.     pipe = usb_rcvbulkpipe(data->udev, data->diag_rx_ep->bEndpointAddress);
  964.  
  965.     usb_fill_bulk_urb(urb, data->udev, pipe, buf, size,
  966.               btusb_diag_complete, hdev);
  967.  
  968.     urb->transfer_flags |= URB_FREE_BUFFER;
  969.  
  970.     usb_mark_last_busy(data->udev);
  971.     usb_anchor_urb(urb, &data->diag_anchor);
  972.  
  973.     err = usb_submit_urb(urb, mem_flags);
  974.     if (err < 0) {
  975.         if (err != -EPERM && err != -ENODEV)
  976.             BT_ERR("%s urb %p submission failed (%d)",
  977.                    hdev->name, urb, -err);
  978.         usb_unanchor_urb(urb);
  979.     }
  980.  
  981.     usb_free_urb(urb);
  982.  
  983.     return err;
  984. }
  985.  
  986. static void btusb_tx_complete(struct urb *urb)
  987. {
  988.     struct sk_buff *skb = urb->context;
  989.     struct hci_dev *hdev = (struct hci_dev *)skb->dev;
  990.     struct btusb_data *data = hci_get_drvdata(hdev);
  991.  
  992.     BT_DBG("%s urb %p status %d count %d", hdev->name, urb, urb->status,
  993.            urb->actual_length);
  994.  
  995.     if (!test_bit(HCI_RUNNING, &hdev->flags))
  996.         goto done;
  997.  
  998.     if (!urb->status)
  999.         hdev->stat.byte_tx += urb->transfer_buffer_length;
  1000.     else
  1001.         hdev->stat.err_tx++;
  1002.  
  1003. done:
  1004.     spin_lock(&data->txlock);
  1005.     data->tx_in_flight--;
  1006.     spin_unlock(&data->txlock);
  1007.  
  1008.     kfree(urb->setup_packet);
  1009.  
  1010.     kfree_skb(skb);
  1011. }
  1012.  
  1013. static void btusb_isoc_tx_complete(struct urb *urb)
  1014. {
  1015.     struct sk_buff *skb = urb->context;
  1016.     struct hci_dev *hdev = (struct hci_dev *)skb->dev;
  1017.  
  1018.     BT_DBG("%s urb %p status %d count %d", hdev->name, urb, urb->status,
  1019.            urb->actual_length);
  1020.  
  1021.     if (!test_bit(HCI_RUNNING, &hdev->flags))
  1022.         goto done;
  1023.  
  1024.     if (!urb->status)
  1025.         hdev->stat.byte_tx += urb->transfer_buffer_length;
  1026.     else
  1027.         hdev->stat.err_tx++;
  1028.  
  1029. done:
  1030.     kfree(urb->setup_packet);
  1031.  
  1032.     kfree_skb(skb);
  1033. }
  1034.  
  1035. static int btusb_open(struct hci_dev *hdev)
  1036. {
  1037.     struct btusb_data *data = hci_get_drvdata(hdev);
  1038.     int err;
  1039.  
  1040.     BT_DBG("%s", hdev->name);
  1041.  
  1042.     /* Patching USB firmware files prior to starting any URBs of HCI path
  1043.      * It is more safe to use USB bulk channel for downloading USB patch
  1044.      */
  1045.     if (data->setup_on_usb) {
  1046.         err = data->setup_on_usb(hdev);
  1047.         if (err < 0)
  1048.             return err;
  1049.     }
  1050.  
  1051.     err = usb_autopm_get_interface(data->intf);
  1052.     if (err < 0)
  1053.         return err;
  1054.  
  1055.     data->intf->needs_remote_wakeup = 1;
  1056.  
  1057.     if (test_and_set_bit(BTUSB_INTR_RUNNING, &data->flags))
  1058.         goto done;
  1059.  
  1060.     err = btusb_submit_intr_urb(hdev, GFP_KERNEL);
  1061.     if (err < 0)
  1062.         goto failed;
  1063.  
  1064.     err = btusb_submit_bulk_urb(hdev, GFP_KERNEL);
  1065.     if (err < 0) {
  1066.         usb_kill_anchored_urbs(&data->intr_anchor);
  1067.         goto failed;
  1068.     }
  1069.  
  1070.     set_bit(BTUSB_BULK_RUNNING, &data->flags);
  1071.     btusb_submit_bulk_urb(hdev, GFP_KERNEL);
  1072.  
  1073.     if (data->diag) {
  1074.         if (!btusb_submit_diag_urb(hdev, GFP_KERNEL))
  1075.             set_bit(BTUSB_DIAG_RUNNING, &data->flags);
  1076.     }
  1077.  
  1078. done:
  1079.     usb_autopm_put_interface(data->intf);
  1080.     return 0;
  1081.  
  1082. failed:
  1083.     clear_bit(BTUSB_INTR_RUNNING, &data->flags);
  1084.     usb_autopm_put_interface(data->intf);
  1085.     return err;
  1086. }
  1087.  
  1088. static void btusb_stop_traffic(struct btusb_data *data)
  1089. {
  1090.     usb_kill_anchored_urbs(&data->intr_anchor);
  1091.     usb_kill_anchored_urbs(&data->bulk_anchor);
  1092.     usb_kill_anchored_urbs(&data->isoc_anchor);
  1093.     usb_kill_anchored_urbs(&data->diag_anchor);
  1094. }
  1095.  
  1096. static int btusb_close(struct hci_dev *hdev)
  1097. {
  1098.     struct btusb_data *data = hci_get_drvdata(hdev);
  1099.     int err;
  1100.  
  1101.     BT_DBG("%s", hdev->name);
  1102.  
  1103.     cancel_work_sync(&data->work);
  1104.     cancel_work_sync(&data->waker);
  1105.  
  1106.     clear_bit(BTUSB_ISOC_RUNNING, &data->flags);
  1107.     clear_bit(BTUSB_BULK_RUNNING, &data->flags);
  1108.     clear_bit(BTUSB_INTR_RUNNING, &data->flags);
  1109.     clear_bit(BTUSB_DIAG_RUNNING, &data->flags);
  1110.  
  1111.     btusb_stop_traffic(data);
  1112.     btusb_free_frags(data);
  1113.  
  1114.     err = usb_autopm_get_interface(data->intf);
  1115.     if (err < 0)
  1116.         goto failed;
  1117.  
  1118.     data->intf->needs_remote_wakeup = 0;
  1119.     usb_autopm_put_interface(data->intf);
  1120.  
  1121. failed:
  1122.     usb_scuttle_anchored_urbs(&data->deferred);
  1123.     return 0;
  1124. }
  1125.  
  1126. static int btusb_flush(struct hci_dev *hdev)
  1127. {
  1128.     struct btusb_data *data = hci_get_drvdata(hdev);
  1129.  
  1130.     BT_DBG("%s", hdev->name);
  1131.  
  1132.     usb_kill_anchored_urbs(&data->tx_anchor);
  1133.     btusb_free_frags(data);
  1134.  
  1135.     return 0;
  1136. }
  1137.  
  1138. static struct urb *alloc_ctrl_urb(struct hci_dev *hdev, struct sk_buff *skb)
  1139. {
  1140.     struct btusb_data *data = hci_get_drvdata(hdev);
  1141.     struct usb_ctrlrequest *dr;
  1142.     struct urb *urb;
  1143.     unsigned int pipe;
  1144.  
  1145.     urb = usb_alloc_urb(0, GFP_KERNEL);
  1146.     if (!urb)
  1147.         return ERR_PTR(-ENOMEM);
  1148.  
  1149.     dr = kmalloc(sizeof(*dr), GFP_KERNEL);
  1150.     if (!dr) {
  1151.         usb_free_urb(urb);
  1152.         return ERR_PTR(-ENOMEM);
  1153.     }
  1154.  
  1155.     dr->bRequestType = data->cmdreq_type;
  1156.     dr->bRequest     = data->cmdreq;
  1157.     dr->wIndex       = 0;
  1158.     dr->wValue       = 0;
  1159.     dr->wLength      = __cpu_to_le16(skb->len);
  1160.  
  1161.     pipe = usb_sndctrlpipe(data->udev, 0x00);
  1162.  
  1163.     usb_fill_control_urb(urb, data->udev, pipe, (void *)dr,
  1164.                  skb->data, skb->len, btusb_tx_complete, skb);
  1165.  
  1166.     skb->dev = (void *)hdev;
  1167.  
  1168.     return urb;
  1169. }
  1170.  
  1171. static struct urb *alloc_bulk_urb(struct hci_dev *hdev, struct sk_buff *skb)
  1172. {
  1173.     struct btusb_data *data = hci_get_drvdata(hdev);
  1174.     struct urb *urb;
  1175.     unsigned int pipe;
  1176.  
  1177.     if (!data->bulk_tx_ep)
  1178.         return ERR_PTR(-ENODEV);
  1179.  
  1180.     urb = usb_alloc_urb(0, GFP_KERNEL);
  1181.     if (!urb)
  1182.         return ERR_PTR(-ENOMEM);
  1183.  
  1184.     pipe = usb_sndbulkpipe(data->udev, data->bulk_tx_ep->bEndpointAddress);
  1185.  
  1186.     usb_fill_bulk_urb(urb, data->udev, pipe,
  1187.               skb->data, skb->len, btusb_tx_complete, skb);
  1188.  
  1189.     skb->dev = (void *)hdev;
  1190.  
  1191.     return urb;
  1192. }
  1193.  
  1194. static struct urb *alloc_isoc_urb(struct hci_dev *hdev, struct sk_buff *skb)
  1195. {
  1196.     struct btusb_data *data = hci_get_drvdata(hdev);
  1197.     struct urb *urb;
  1198.     unsigned int pipe;
  1199.  
  1200.     if (!data->isoc_tx_ep)
  1201.         return ERR_PTR(-ENODEV);
  1202.  
  1203.     urb = usb_alloc_urb(BTUSB_MAX_ISOC_FRAMES, GFP_KERNEL);
  1204.     if (!urb)
  1205.         return ERR_PTR(-ENOMEM);
  1206.  
  1207.     pipe = usb_sndisocpipe(data->udev, data->isoc_tx_ep->bEndpointAddress);
  1208.  
  1209.     usb_fill_int_urb(urb, data->udev, pipe,
  1210.              skb->data, skb->len, btusb_isoc_tx_complete,
  1211.              skb, data->isoc_tx_ep->bInterval);
  1212.  
  1213.     urb->transfer_flags  = URB_ISO_ASAP;
  1214.  
  1215.     __fill_isoc_descriptor(urb, skb->len,
  1216.                    le16_to_cpu(data->isoc_tx_ep->wMaxPacketSize));
  1217.  
  1218.     skb->dev = (void *)hdev;
  1219.  
  1220.     return urb;
  1221. }
  1222.  
  1223. static int submit_tx_urb(struct hci_dev *hdev, struct urb *urb)
  1224. {
  1225.     struct btusb_data *data = hci_get_drvdata(hdev);
  1226.     int err;
  1227.  
  1228.     usb_anchor_urb(urb, &data->tx_anchor);
  1229.  
  1230.     err = usb_submit_urb(urb, GFP_KERNEL);
  1231.     if (err < 0) {
  1232.         if (err != -EPERM && err != -ENODEV)
  1233.             BT_ERR("%s urb %p submission failed (%d)",
  1234.                    hdev->name, urb, -err);
  1235.         kfree(urb->setup_packet);
  1236.         usb_unanchor_urb(urb);
  1237.     } else {
  1238.         usb_mark_last_busy(data->udev);
  1239.     }
  1240.  
  1241.     usb_free_urb(urb);
  1242.     return err;
  1243. }
  1244.  
  1245. static int submit_or_queue_tx_urb(struct hci_dev *hdev, struct urb *urb)
  1246. {
  1247.     struct btusb_data *data = hci_get_drvdata(hdev);
  1248.     unsigned long flags;
  1249.     bool suspending;
  1250.  
  1251.     spin_lock_irqsave(&data->txlock, flags);
  1252.     suspending = test_bit(BTUSB_SUSPENDING, &data->flags);
  1253.     if (!suspending)
  1254.         data->tx_in_flight++;
  1255.     spin_unlock_irqrestore(&data->txlock, flags);
  1256.  
  1257.     if (!suspending)
  1258.         return submit_tx_urb(hdev, urb);
  1259.  
  1260.     usb_anchor_urb(urb, &data->deferred);
  1261.     schedule_work(&data->waker);
  1262.  
  1263.     usb_free_urb(urb);
  1264.     return 0;
  1265. }
  1266.  
  1267. static int btusb_send_frame(struct hci_dev *hdev, struct sk_buff *skb)
  1268. {
  1269.     struct urb *urb;
  1270.  
  1271.     BT_DBG("%s", hdev->name);
  1272.  
  1273.     switch (hci_skb_pkt_type(skb)) {
  1274.     case HCI_COMMAND_PKT:
  1275.         urb = alloc_ctrl_urb(hdev, skb);
  1276.         if (IS_ERR(urb))
  1277.             return PTR_ERR(urb);
  1278.  
  1279.         hdev->stat.cmd_tx++;
  1280.         return submit_or_queue_tx_urb(hdev, urb);
  1281.  
  1282.     case HCI_ACLDATA_PKT:
  1283.         urb = alloc_bulk_urb(hdev, skb);
  1284.         if (IS_ERR(urb))
  1285.             return PTR_ERR(urb);
  1286.  
  1287.         hdev->stat.acl_tx++;
  1288.         return submit_or_queue_tx_urb(hdev, urb);
  1289.  
  1290.     case HCI_SCODATA_PKT:
  1291.         if (hci_conn_num(hdev, SCO_LINK) < 1)
  1292.             return -ENODEV;
  1293.  
  1294.         urb = alloc_isoc_urb(hdev, skb);
  1295.         if (IS_ERR(urb))
  1296.             return PTR_ERR(urb);
  1297.  
  1298.         hdev->stat.sco_tx++;
  1299.         return submit_tx_urb(hdev, urb);
  1300.     }
  1301.  
  1302.     return -EILSEQ;
  1303. }
  1304.  
  1305. static void btusb_notify(struct hci_dev *hdev, unsigned int evt)
  1306. {
  1307.     struct btusb_data *data = hci_get_drvdata(hdev);
  1308.  
  1309.     BT_DBG("%s evt %d", hdev->name, evt);
  1310.  
  1311.     if (hci_conn_num(hdev, SCO_LINK) != data->sco_num) {
  1312.         data->sco_num = hci_conn_num(hdev, SCO_LINK);
  1313.         schedule_work(&data->work);
  1314.     }
  1315. }
  1316.  
  1317. static inline int __set_isoc_interface(struct hci_dev *hdev, int altsetting)
  1318. {
  1319.     struct btusb_data *data = hci_get_drvdata(hdev);
  1320.     struct usb_interface *intf = data->isoc;
  1321.     struct usb_endpoint_descriptor *ep_desc;
  1322.     int i, err;
  1323.  
  1324.     if (!data->isoc)
  1325.         return -ENODEV;
  1326.  
  1327.     err = usb_set_interface(data->udev, 1, altsetting);
  1328.     if (err < 0) {
  1329.         BT_ERR("%s setting interface failed (%d)", hdev->name, -err);
  1330.         return err;
  1331.     }
  1332.  
  1333.     data->isoc_altsetting = altsetting;
  1334.  
  1335.     data->isoc_tx_ep = NULL;
  1336.     data->isoc_rx_ep = NULL;
  1337.  
  1338.     for (i = 0; i < intf->cur_altsetting->desc.bNumEndpoints; i++) {
  1339.         ep_desc = &intf->cur_altsetting->endpoint[i].desc;
  1340.  
  1341.         if (!data->isoc_tx_ep && usb_endpoint_is_isoc_out(ep_desc)) {
  1342.             data->isoc_tx_ep = ep_desc;
  1343.             continue;
  1344.         }
  1345.  
  1346.         if (!data->isoc_rx_ep && usb_endpoint_is_isoc_in(ep_desc)) {
  1347.             data->isoc_rx_ep = ep_desc;
  1348.             continue;
  1349.         }
  1350.     }
  1351.  
  1352.     if (!data->isoc_tx_ep || !data->isoc_rx_ep) {
  1353.         BT_ERR("%s invalid SCO descriptors", hdev->name);
  1354.         return -ENODEV;
  1355.     }
  1356.  
  1357.     return 0;
  1358. }
  1359.  
  1360. static void btusb_work(struct work_struct *work)
  1361. {
  1362.     struct btusb_data *data = container_of(work, struct btusb_data, work);
  1363.     struct hci_dev *hdev = data->hdev;
  1364.     int new_alts;
  1365.     int err;
  1366.  
  1367.     if (data->sco_num > 0) {
  1368.         if (!test_bit(BTUSB_DID_ISO_RESUME, &data->flags)) {
  1369.             err = usb_autopm_get_interface(data->isoc ? data->isoc : data->intf);
  1370.             if (err < 0) {
  1371.                 clear_bit(BTUSB_ISOC_RUNNING, &data->flags);
  1372.                 usb_kill_anchored_urbs(&data->isoc_anchor);
  1373.                 return;
  1374.             }
  1375.  
  1376.             set_bit(BTUSB_DID_ISO_RESUME, &data->flags);
  1377.         }
  1378.  
  1379.         if (hdev->voice_setting & 0x0020) {
  1380.             static const int alts[3] = { 2, 4, 5 };
  1381.  
  1382.             new_alts = alts[data->sco_num - 1];
  1383.         } else {
  1384.             new_alts = data->sco_num;
  1385.         }
  1386.  
  1387.         if (data->isoc_altsetting != new_alts) {
  1388.             unsigned long flags;
  1389.  
  1390.             clear_bit(BTUSB_ISOC_RUNNING, &data->flags);
  1391.             usb_kill_anchored_urbs(&data->isoc_anchor);
  1392.  
  1393.             /* When isochronous alternate setting needs to be
  1394.              * changed, because SCO connection has been added
  1395.              * or removed, a packet fragment may be left in the
  1396.              * reassembling state. This could lead to wrongly
  1397.              * assembled fragments.
  1398.              *
  1399.              * Clear outstanding fragment when selecting a new
  1400.              * alternate setting.
  1401.              */
  1402.             spin_lock_irqsave(&data->rxlock, flags);
  1403.             kfree_skb(data->sco_skb);
  1404.             data->sco_skb = NULL;
  1405.             spin_unlock_irqrestore(&data->rxlock, flags);
  1406.  
  1407.             if (__set_isoc_interface(hdev, new_alts) < 0)
  1408.                 return;
  1409.         }
  1410.  
  1411.         if (!test_and_set_bit(BTUSB_ISOC_RUNNING, &data->flags)) {
  1412.             if (btusb_submit_isoc_urb(hdev, GFP_KERNEL) < 0)
  1413.                 clear_bit(BTUSB_ISOC_RUNNING, &data->flags);
  1414.             else
  1415.                 btusb_submit_isoc_urb(hdev, GFP_KERNEL);
  1416.         }
  1417.     } else {
  1418.         clear_bit(BTUSB_ISOC_RUNNING, &data->flags);
  1419.         usb_kill_anchored_urbs(&data->isoc_anchor);
  1420.  
  1421.         __set_isoc_interface(hdev, 0);
  1422.         if (test_and_clear_bit(BTUSB_DID_ISO_RESUME, &data->flags))
  1423.             usb_autopm_put_interface(data->isoc ? data->isoc : data->intf);
  1424.     }
  1425. }
  1426.  
  1427. static void btusb_waker(struct work_struct *work)
  1428. {
  1429.     struct btusb_data *data = container_of(work, struct btusb_data, waker);
  1430.     int err;
  1431.  
  1432.     err = usb_autopm_get_interface(data->intf);
  1433.     if (err < 0)
  1434.         return;
  1435.  
  1436.     usb_autopm_put_interface(data->intf);
  1437. }
  1438.  
  1439. static int btusb_setup_bcm92035(struct hci_dev *hdev)
  1440. {
  1441.     struct sk_buff *skb;
  1442.     u8 val = 0x00;
  1443.  
  1444.     BT_DBG("%s", hdev->name);
  1445.  
  1446.     skb = __hci_cmd_sync(hdev, 0xfc3b, 1, &val, HCI_INIT_TIMEOUT);
  1447.     if (IS_ERR(skb))
  1448.         BT_ERR("BCM92035 command failed (%ld)", -PTR_ERR(skb));
  1449.     else
  1450.         kfree_skb(skb);
  1451.  
  1452.     return 0;
  1453. }
  1454.  
  1455. static int btusb_setup_csr(struct hci_dev *hdev)
  1456. {
  1457.     struct hci_rp_read_local_version *rp;
  1458.     struct sk_buff *skb;
  1459.  
  1460.     BT_DBG("%s", hdev->name);
  1461.  
  1462.     skb = __hci_cmd_sync(hdev, HCI_OP_READ_LOCAL_VERSION, 0, NULL,
  1463.                  HCI_INIT_TIMEOUT);
  1464.     if (IS_ERR(skb)) {
  1465.         int err = PTR_ERR(skb);
  1466.         BT_ERR("%s: CSR: Local version failed (%d)", hdev->name, err);
  1467.         return err;
  1468.     }
  1469.  
  1470.     if (skb->len != sizeof(struct hci_rp_read_local_version)) {
  1471.         BT_ERR("%s: CSR: Local version length mismatch", hdev->name);
  1472.         kfree_skb(skb);
  1473.         return -EIO;
  1474.     }
  1475.  
  1476.     rp = (struct hci_rp_read_local_version *)skb->data;
  1477.  
  1478.     /* Detect controllers which aren't real CSR ones. */
  1479.     if (le16_to_cpu(rp->manufacturer) != 10 ||
  1480.         le16_to_cpu(rp->lmp_subver) == 0x0c5c) {
  1481.         /* Clear the reset quirk since this is not an actual
  1482.          * early Bluetooth 1.1 device from CSR.
  1483.          */
  1484.         clear_bit(HCI_QUIRK_RESET_ON_CLOSE, &hdev->quirks);
  1485.  
  1486.         /* These fake CSR controllers have all a broken
  1487.          * stored link key handling and so just disable it.
  1488.          */
  1489.         set_bit(HCI_QUIRK_BROKEN_STORED_LINK_KEY, &hdev->quirks);
  1490.     }
  1491.  
  1492.     kfree_skb(skb);
  1493.  
  1494.     return 0;
  1495. }
  1496.  
  1497. static const struct firmware *btusb_setup_intel_get_fw(struct hci_dev *hdev,
  1498.                                struct intel_version *ver)
  1499. {
  1500.     const struct firmware *fw;
  1501.     char fwname[64];
  1502.     int ret;
  1503.  
  1504.     snprintf(fwname, sizeof(fwname),
  1505.          "intel/ibt-hw-%x.%x.%x-fw-%x.%x.%x.%x.%x.bseq",
  1506.          ver->hw_platform, ver->hw_variant, ver->hw_revision,
  1507.          ver->fw_variant,  ver->fw_revision, ver->fw_build_num,
  1508.          ver->fw_build_ww, ver->fw_build_yy);
  1509.  
  1510.     ret = request_firmware(&fw, fwname, &hdev->dev);
  1511.     if (ret < 0) {
  1512.         if (ret == -EINVAL) {
  1513.             BT_ERR("%s Intel firmware file request failed (%d)",
  1514.                    hdev->name, ret);
  1515.             return NULL;
  1516.         }
  1517.  
  1518.         BT_ERR("%s failed to open Intel firmware file: %s(%d)",
  1519.                hdev->name, fwname, ret);
  1520.  
  1521.         /* If the correct firmware patch file is not found, use the
  1522.          * default firmware patch file instead
  1523.          */
  1524.         snprintf(fwname, sizeof(fwname), "intel/ibt-hw-%x.%x.bseq",
  1525.              ver->hw_platform, ver->hw_variant);
  1526.         if (request_firmware(&fw, fwname, &hdev->dev) < 0) {
  1527.             BT_ERR("%s failed to open default Intel fw file: %s",
  1528.                    hdev->name, fwname);
  1529.             return NULL;
  1530.         }
  1531.     }
  1532.  
  1533.     BT_INFO("%s: Intel Bluetooth firmware file: %s", hdev->name, fwname);
  1534.  
  1535.     return fw;
  1536. }
  1537.  
  1538. static int btusb_setup_intel_patching(struct hci_dev *hdev,
  1539.                       const struct firmware *fw,
  1540.                       const u8 **fw_ptr, int *disable_patch)
  1541. {
  1542.     struct sk_buff *skb;
  1543.     struct hci_command_hdr *cmd;
  1544.     const u8 *cmd_param;
  1545.     struct hci_event_hdr *evt = NULL;
  1546.     const u8 *evt_param = NULL;
  1547.     int remain = fw->size - (*fw_ptr - fw->data);
  1548.  
  1549.     /* The first byte indicates the types of the patch command or event.
  1550.      * 0x01 means HCI command and 0x02 is HCI event. If the first bytes
  1551.      * in the current firmware buffer doesn't start with 0x01 or
  1552.      * the size of remain buffer is smaller than HCI command header,
  1553.      * the firmware file is corrupted and it should stop the patching
  1554.      * process.
  1555.      */
  1556.     if (remain > HCI_COMMAND_HDR_SIZE && *fw_ptr[0] != 0x01) {
  1557.         BT_ERR("%s Intel fw corrupted: invalid cmd read", hdev->name);
  1558.         return -EINVAL;
  1559.     }
  1560.     (*fw_ptr)++;
  1561.     remain--;
  1562.  
  1563.     cmd = (struct hci_command_hdr *)(*fw_ptr);
  1564.     *fw_ptr += sizeof(*cmd);
  1565.     remain -= sizeof(*cmd);
  1566.  
  1567.     /* Ensure that the remain firmware data is long enough than the length
  1568.      * of command parameter. If not, the firmware file is corrupted.
  1569.      */
  1570.     if (remain < cmd->plen) {
  1571.         BT_ERR("%s Intel fw corrupted: invalid cmd len", hdev->name);
  1572.         return -EFAULT;
  1573.     }
  1574.  
  1575.     /* If there is a command that loads a patch in the firmware
  1576.      * file, then enable the patch upon success, otherwise just
  1577.      * disable the manufacturer mode, for example patch activation
  1578.      * is not required when the default firmware patch file is used
  1579.      * because there are no patch data to load.
  1580.      */
  1581.     if (*disable_patch && le16_to_cpu(cmd->opcode) == 0xfc8e)
  1582.         *disable_patch = 0;
  1583.  
  1584.     cmd_param = *fw_ptr;
  1585.     *fw_ptr += cmd->plen;
  1586.     remain -= cmd->plen;
  1587.  
  1588.     /* This reads the expected events when the above command is sent to the
  1589.      * device. Some vendor commands expects more than one events, for
  1590.      * example command status event followed by vendor specific event.
  1591.      * For this case, it only keeps the last expected event. so the command
  1592.      * can be sent with __hci_cmd_sync_ev() which returns the sk_buff of
  1593.      * last expected event.
  1594.      */
  1595.     while (remain > HCI_EVENT_HDR_SIZE && *fw_ptr[0] == 0x02) {
  1596.         (*fw_ptr)++;
  1597.         remain--;
  1598.  
  1599.         evt = (struct hci_event_hdr *)(*fw_ptr);
  1600.         *fw_ptr += sizeof(*evt);
  1601.         remain -= sizeof(*evt);
  1602.  
  1603.         if (remain < evt->plen) {
  1604.             BT_ERR("%s Intel fw corrupted: invalid evt len",
  1605.                    hdev->name);
  1606.             return -EFAULT;
  1607.         }
  1608.  
  1609.         evt_param = *fw_ptr;
  1610.         *fw_ptr += evt->plen;
  1611.         remain -= evt->plen;
  1612.     }
  1613.  
  1614.     /* Every HCI commands in the firmware file has its correspond event.
  1615.      * If event is not found or remain is smaller than zero, the firmware
  1616.      * file is corrupted.
  1617.      */
  1618.     if (!evt || !evt_param || remain < 0) {
  1619.         BT_ERR("%s Intel fw corrupted: invalid evt read", hdev->name);
  1620.         return -EFAULT;
  1621.     }
  1622.  
  1623.     skb = __hci_cmd_sync_ev(hdev, le16_to_cpu(cmd->opcode), cmd->plen,
  1624.                 cmd_param, evt->evt, HCI_INIT_TIMEOUT);
  1625.     if (IS_ERR(skb)) {
  1626.         BT_ERR("%s sending Intel patch command (0x%4.4x) failed (%ld)",
  1627.                hdev->name, cmd->opcode, PTR_ERR(skb));
  1628.         return PTR_ERR(skb);
  1629.     }
  1630.  
  1631.     /* It ensures that the returned event matches the event data read from
  1632.      * the firmware file. At fist, it checks the length and then
  1633.      * the contents of the event.
  1634.      */
  1635.     if (skb->len != evt->plen) {
  1636.         BT_ERR("%s mismatch event length (opcode 0x%4.4x)", hdev->name,
  1637.                le16_to_cpu(cmd->opcode));
  1638.         kfree_skb(skb);
  1639.         return -EFAULT;
  1640.     }
  1641.  
  1642.     if (memcmp(skb->data, evt_param, evt->plen)) {
  1643.         BT_ERR("%s mismatch event parameter (opcode 0x%4.4x)",
  1644.                hdev->name, le16_to_cpu(cmd->opcode));
  1645.         kfree_skb(skb);
  1646.         return -EFAULT;
  1647.     }
  1648.     kfree_skb(skb);
  1649.  
  1650.     return 0;
  1651. }
  1652.  
  1653. static int btusb_setup_intel(struct hci_dev *hdev)
  1654. {
  1655.     struct sk_buff *skb;
  1656.     const struct firmware *fw;
  1657.     const u8 *fw_ptr;
  1658.     int disable_patch, err;
  1659.     struct intel_version ver;
  1660.  
  1661.     BT_DBG("%s", hdev->name);
  1662.  
  1663.     /* The controller has a bug with the first HCI command sent to it
  1664.      * returning number of completed commands as zero. This would stall the
  1665.      * command processing in the Bluetooth core.
  1666.      *
  1667.      * As a workaround, send HCI Reset command first which will reset the
  1668.      * number of completed commands and allow normal command processing
  1669.      * from now on.
  1670.      */
  1671.     skb = __hci_cmd_sync(hdev, HCI_OP_RESET, 0, NULL, HCI_INIT_TIMEOUT);
  1672.     if (IS_ERR(skb)) {
  1673.         BT_ERR("%s sending initial HCI reset command failed (%ld)",
  1674.                hdev->name, PTR_ERR(skb));
  1675.         return PTR_ERR(skb);
  1676.     }
  1677.     kfree_skb(skb);
  1678.  
  1679.     /* Read Intel specific controller version first to allow selection of
  1680.      * which firmware file to load.
  1681.      *
  1682.      * The returned information are hardware variant and revision plus
  1683.      * firmware variant, revision and build number.
  1684.      */
  1685.     err = btintel_read_version(hdev, &ver);
  1686.     if (err)
  1687.         return err;
  1688.  
  1689.     BT_INFO("%s: read Intel version: %02x%02x%02x%02x%02x%02x%02x%02x%02x",
  1690.         hdev->name, ver.hw_platform, ver.hw_variant, ver.hw_revision,
  1691.         ver.fw_variant,  ver.fw_revision, ver.fw_build_num,
  1692.         ver.fw_build_ww, ver.fw_build_yy, ver.fw_patch_num);
  1693.  
  1694.     /* fw_patch_num indicates the version of patch the device currently
  1695.      * have. If there is no patch data in the device, it is always 0x00.
  1696.      * So, if it is other than 0x00, no need to patch the device again.
  1697.      */
  1698.     if (ver.fw_patch_num) {
  1699.         BT_INFO("%s: Intel device is already patched. patch num: %02x",
  1700.             hdev->name, ver.fw_patch_num);
  1701.         goto complete;
  1702.     }
  1703.  
  1704.     /* Opens the firmware patch file based on the firmware version read
  1705.      * from the controller. If it fails to open the matching firmware
  1706.      * patch file, it tries to open the default firmware patch file.
  1707.      * If no patch file is found, allow the device to operate without
  1708.      * a patch.
  1709.      */
  1710.     fw = btusb_setup_intel_get_fw(hdev, &ver);
  1711.     if (!fw)
  1712.         goto complete;
  1713.     fw_ptr = fw->data;
  1714.  
  1715.     /* Enable the manufacturer mode of the controller.
  1716.      * Only while this mode is enabled, the driver can download the
  1717.      * firmware patch data and configuration parameters.
  1718.      */
  1719.     err = btintel_enter_mfg(hdev);
  1720.     if (err) {
  1721.         release_firmware(fw);
  1722.         return err;
  1723.     }
  1724.  
  1725.     disable_patch = 1;
  1726.  
  1727.     /* The firmware data file consists of list of Intel specific HCI
  1728.      * commands and its expected events. The first byte indicates the
  1729.      * type of the message, either HCI command or HCI event.
  1730.      *
  1731.      * It reads the command and its expected event from the firmware file,
  1732.      * and send to the controller. Once __hci_cmd_sync_ev() returns,
  1733.      * the returned event is compared with the event read from the firmware
  1734.      * file and it will continue until all the messages are downloaded to
  1735.      * the controller.
  1736.      *
  1737.      * Once the firmware patching is completed successfully,
  1738.      * the manufacturer mode is disabled with reset and activating the
  1739.      * downloaded patch.
  1740.      *
  1741.      * If the firmware patching fails, the manufacturer mode is
  1742.      * disabled with reset and deactivating the patch.
  1743.      *
  1744.      * If the default patch file is used, no reset is done when disabling
  1745.      * the manufacturer.
  1746.      */
  1747.     while (fw->size > fw_ptr - fw->data) {
  1748.         int ret;
  1749.  
  1750.         ret = btusb_setup_intel_patching(hdev, fw, &fw_ptr,
  1751.                          &disable_patch);
  1752.         if (ret < 0)
  1753.             goto exit_mfg_deactivate;
  1754.     }
  1755.  
  1756.     release_firmware(fw);
  1757.  
  1758.     if (disable_patch)
  1759.         goto exit_mfg_disable;
  1760.  
  1761.     /* Patching completed successfully and disable the manufacturer mode
  1762.      * with reset and activate the downloaded firmware patches.
  1763.      */
  1764.     err = btintel_exit_mfg(hdev, true, true);
  1765.     if (err)
  1766.         return err;
  1767.  
  1768.     BT_INFO("%s: Intel Bluetooth firmware patch completed and activated",
  1769.         hdev->name);
  1770.  
  1771.     goto complete;
  1772.  
  1773. exit_mfg_disable:
  1774.     /* Disable the manufacturer mode without reset */
  1775.     err = btintel_exit_mfg(hdev, false, false);
  1776.     if (err)
  1777.         return err;
  1778.  
  1779.     BT_INFO("%s: Intel Bluetooth firmware patch completed", hdev->name);
  1780.  
  1781.     goto complete;
  1782.  
  1783. exit_mfg_deactivate:
  1784.     release_firmware(fw);
  1785.  
  1786.     /* Patching failed. Disable the manufacturer mode with reset and
  1787.      * deactivate the downloaded firmware patches.
  1788.      */
  1789.     err = btintel_exit_mfg(hdev, true, false);
  1790.     if (err)
  1791.         return err;
  1792.  
  1793.     BT_INFO("%s: Intel Bluetooth firmware patch completed and deactivated",
  1794.         hdev->name);
  1795.  
  1796. complete:
  1797.     /* Set the event mask for Intel specific vendor events. This enables
  1798.      * a few extra events that are useful during general operation.
  1799.      */
  1800.     btintel_set_event_mask_mfg(hdev, false);
  1801.  
  1802.     btintel_check_bdaddr(hdev);
  1803.     return 0;
  1804. }
  1805.  
  1806. static int inject_cmd_complete(struct hci_dev *hdev, __u16 opcode)
  1807. {
  1808.     struct sk_buff *skb;
  1809.     struct hci_event_hdr *hdr;
  1810.     struct hci_ev_cmd_complete *evt;
  1811.  
  1812.     skb = bt_skb_alloc(sizeof(*hdr) + sizeof(*evt) + 1, GFP_ATOMIC);
  1813.     if (!skb)
  1814.         return -ENOMEM;
  1815.  
  1816.     hdr = (struct hci_event_hdr *)skb_put(skb, sizeof(*hdr));
  1817.     hdr->evt = HCI_EV_CMD_COMPLETE;
  1818.     hdr->plen = sizeof(*evt) + 1;
  1819.  
  1820.     evt = (struct hci_ev_cmd_complete *)skb_put(skb, sizeof(*evt));
  1821.     evt->ncmd = 0x01;
  1822.     evt->opcode = cpu_to_le16(opcode);
  1823.  
  1824.     *skb_put(skb, 1) = 0x00;
  1825.  
  1826.     hci_skb_pkt_type(skb) = HCI_EVENT_PKT;
  1827.  
  1828.     return hci_recv_frame(hdev, skb);
  1829. }
  1830.  
  1831. static int btusb_recv_bulk_intel(struct btusb_data *data, void *buffer,
  1832.                  int count)
  1833. {
  1834.     /* When the device is in bootloader mode, then it can send
  1835.      * events via the bulk endpoint. These events are treated the
  1836.      * same way as the ones received from the interrupt endpoint.
  1837.      */
  1838.     if (test_bit(BTUSB_BOOTLOADER, &data->flags))
  1839.         return btusb_recv_intr(data, buffer, count);
  1840.  
  1841.     return btusb_recv_bulk(data, buffer, count);
  1842. }
  1843.  
  1844. static void btusb_intel_bootup(struct btusb_data *data, const void *ptr,
  1845.                    unsigned int len)
  1846. {
  1847.     const struct intel_bootup *evt = ptr;
  1848.  
  1849.     if (len != sizeof(*evt))
  1850.         return;
  1851.  
  1852.     if (test_and_clear_bit(BTUSB_BOOTING, &data->flags)) {
  1853.         smp_mb__after_atomic();
  1854.         wake_up_bit(&data->flags, BTUSB_BOOTING);
  1855.     }
  1856. }
  1857.  
  1858. static void btusb_intel_secure_send_result(struct btusb_data *data,
  1859.                        const void *ptr, unsigned int len)
  1860. {
  1861.     const struct intel_secure_send_result *evt = ptr;
  1862.  
  1863.     if (len != sizeof(*evt))
  1864.         return;
  1865.  
  1866.     if (evt->result)
  1867.         set_bit(BTUSB_FIRMWARE_FAILED, &data->flags);
  1868.  
  1869.     if (test_and_clear_bit(BTUSB_DOWNLOADING, &data->flags) &&
  1870.         test_bit(BTUSB_FIRMWARE_LOADED, &data->flags)) {
  1871.         smp_mb__after_atomic();
  1872.         wake_up_bit(&data->flags, BTUSB_DOWNLOADING);
  1873.     }
  1874. }
  1875.  
  1876. static int btusb_recv_event_intel(struct hci_dev *hdev, struct sk_buff *skb)
  1877. {
  1878.     struct btusb_data *data = hci_get_drvdata(hdev);
  1879.  
  1880.     if (test_bit(BTUSB_BOOTLOADER, &data->flags)) {
  1881.         struct hci_event_hdr *hdr = (void *)skb->data;
  1882.  
  1883.         if (skb->len > HCI_EVENT_HDR_SIZE && hdr->evt == 0xff &&
  1884.             hdr->plen > 0) {
  1885.             const void *ptr = skb->data + HCI_EVENT_HDR_SIZE + 1;
  1886.             unsigned int len = skb->len - HCI_EVENT_HDR_SIZE - 1;
  1887.  
  1888.             switch (skb->data[2]) {
  1889.             case 0x02:
  1890.                 /* When switching to the operational firmware
  1891.                  * the device sends a vendor specific event
  1892.                  * indicating that the bootup completed.
  1893.                  */
  1894.                 btusb_intel_bootup(data, ptr, len);
  1895.                 break;
  1896.             case 0x06:
  1897.                 /* When the firmware loading completes the
  1898.                  * device sends out a vendor specific event
  1899.                  * indicating the result of the firmware
  1900.                  * loading.
  1901.                  */
  1902.                 btusb_intel_secure_send_result(data, ptr, len);
  1903.                 break;
  1904.             }
  1905.         }
  1906.     }
  1907.  
  1908.     return hci_recv_frame(hdev, skb);
  1909. }
  1910.  
  1911. static int btusb_send_frame_intel(struct hci_dev *hdev, struct sk_buff *skb)
  1912. {
  1913.     struct btusb_data *data = hci_get_drvdata(hdev);
  1914.     struct urb *urb;
  1915.  
  1916.     BT_DBG("%s", hdev->name);
  1917.  
  1918.     switch (hci_skb_pkt_type(skb)) {
  1919.     case HCI_COMMAND_PKT:
  1920.         if (test_bit(BTUSB_BOOTLOADER, &data->flags)) {
  1921.             struct hci_command_hdr *cmd = (void *)skb->data;
  1922.             __u16 opcode = le16_to_cpu(cmd->opcode);
  1923.  
  1924.             /* When in bootloader mode and the command 0xfc09
  1925.              * is received, it needs to be send down the
  1926.              * bulk endpoint. So allocate a bulk URB instead.
  1927.              */
  1928.             if (opcode == 0xfc09)
  1929.                 urb = alloc_bulk_urb(hdev, skb);
  1930.             else
  1931.                 urb = alloc_ctrl_urb(hdev, skb);
  1932.  
  1933.             /* When the 0xfc01 command is issued to boot into
  1934.              * the operational firmware, it will actually not
  1935.              * send a command complete event. To keep the flow
  1936.              * control working inject that event here.
  1937.              */
  1938.             if (opcode == 0xfc01)
  1939.                 inject_cmd_complete(hdev, opcode);
  1940.         } else {
  1941.             urb = alloc_ctrl_urb(hdev, skb);
  1942.         }
  1943.         if (IS_ERR(urb))
  1944.             return PTR_ERR(urb);
  1945.  
  1946.         hdev->stat.cmd_tx++;
  1947.         return submit_or_queue_tx_urb(hdev, urb);
  1948.  
  1949.     case HCI_ACLDATA_PKT:
  1950.         urb = alloc_bulk_urb(hdev, skb);
  1951.         if (IS_ERR(urb))
  1952.             return PTR_ERR(urb);
  1953.  
  1954.         hdev->stat.acl_tx++;
  1955.         return submit_or_queue_tx_urb(hdev, urb);
  1956.  
  1957.     case HCI_SCODATA_PKT:
  1958.         if (hci_conn_num(hdev, SCO_LINK) < 1)
  1959.             return -ENODEV;
  1960.  
  1961.         urb = alloc_isoc_urb(hdev, skb);
  1962.         if (IS_ERR(urb))
  1963.             return PTR_ERR(urb);
  1964.  
  1965.         hdev->stat.sco_tx++;
  1966.         return submit_tx_urb(hdev, urb);
  1967.     }
  1968.  
  1969.     return -EILSEQ;
  1970. }
  1971.  
  1972. static int btusb_setup_intel_new(struct hci_dev *hdev)
  1973. {
  1974.     static const u8 reset_param[] = { 0x00, 0x01, 0x00, 0x01,
  1975.                       0x00, 0x08, 0x04, 0x00 };
  1976.     struct btusb_data *data = hci_get_drvdata(hdev);
  1977.     struct sk_buff *skb;
  1978.     struct intel_version ver;
  1979.     struct intel_boot_params *params;
  1980.     const struct firmware *fw;
  1981.     const u8 *fw_ptr;
  1982.     u32 frag_len;
  1983.     char fwname[64];
  1984.     ktime_t calltime, delta, rettime;
  1985.     unsigned long long duration;
  1986.     int err;
  1987.  
  1988.     BT_DBG("%s", hdev->name);
  1989.  
  1990.     calltime = ktime_get();
  1991.  
  1992.     /* Read the Intel version information to determine if the device
  1993.      * is in bootloader mode or if it already has operational firmware
  1994.      * loaded.
  1995.      */
  1996.     err = btintel_read_version(hdev, &ver);
  1997.     if (err)
  1998.         return err;
  1999.  
  2000.     /* The hardware platform number has a fixed value of 0x37 and
  2001.      * for now only accept this single value.
  2002.      */
  2003.     if (ver.hw_platform != 0x37) {
  2004.         BT_ERR("%s: Unsupported Intel hardware platform (%u)",
  2005.                hdev->name, ver.hw_platform);
  2006.         return -EINVAL;
  2007.     }
  2008.  
  2009.     /* At the moment the iBT 3.0 hardware variants 0x0b (LnP/SfP)
  2010.      * and 0x0c (WsP) are supported by this firmware loading method.
  2011.      *
  2012.      * This check has been put in place to ensure correct forward
  2013.      * compatibility options when newer hardware variants come along.
  2014.      */
  2015.     if (ver.hw_variant != 0x0b && ver.hw_variant != 0x0c) {
  2016.         BT_ERR("%s: Unsupported Intel hardware variant (%u)",
  2017.                hdev->name, ver.hw_variant);
  2018.         return -EINVAL;
  2019.     }
  2020.  
  2021.     btintel_version_info(hdev, &ver);
  2022.  
  2023.     /* The firmware variant determines if the device is in bootloader
  2024.      * mode or is running operational firmware. The value 0x06 identifies
  2025.      * the bootloader and the value 0x23 identifies the operational
  2026.      * firmware.
  2027.      *
  2028.      * When the operational firmware is already present, then only
  2029.      * the check for valid Bluetooth device address is needed. This
  2030.      * determines if the device will be added as configured or
  2031.      * unconfigured controller.
  2032.      *
  2033.      * It is not possible to use the Secure Boot Parameters in this
  2034.      * case since that command is only available in bootloader mode.
  2035.      */
  2036.     if (ver.fw_variant == 0x23) {
  2037.         clear_bit(BTUSB_BOOTLOADER, &data->flags);
  2038.         btintel_check_bdaddr(hdev);
  2039.         return 0;
  2040.     }
  2041.  
  2042.     /* If the device is not in bootloader mode, then the only possible
  2043.      * choice is to return an error and abort the device initialization.
  2044.      */
  2045.     if (ver.fw_variant != 0x06) {
  2046.         BT_ERR("%s: Unsupported Intel firmware variant (%u)",
  2047.                hdev->name, ver.fw_variant);
  2048.         return -ENODEV;
  2049.     }
  2050.  
  2051.     /* Read the secure boot parameters to identify the operating
  2052.      * details of the bootloader.
  2053.      */
  2054.     skb = __hci_cmd_sync(hdev, 0xfc0d, 0, NULL, HCI_INIT_TIMEOUT);
  2055.     if (IS_ERR(skb)) {
  2056.         BT_ERR("%s: Reading Intel boot parameters failed (%ld)",
  2057.                hdev->name, PTR_ERR(skb));
  2058.         return PTR_ERR(skb);
  2059.     }
  2060.  
  2061.     if (skb->len != sizeof(*params)) {
  2062.         BT_ERR("%s: Intel boot parameters size mismatch", hdev->name);
  2063.         kfree_skb(skb);
  2064.         return -EILSEQ;
  2065.     }
  2066.  
  2067.     params = (struct intel_boot_params *)skb->data;
  2068.  
  2069.     BT_INFO("%s: Device revision is %u", hdev->name,
  2070.         le16_to_cpu(params->dev_revid));
  2071.  
  2072.     BT_INFO("%s: Secure boot is %s", hdev->name,
  2073.         params->secure_boot ? "enabled" : "disabled");
  2074.  
  2075.     BT_INFO("%s: OTP lock is %s", hdev->name,
  2076.         params->otp_lock ? "enabled" : "disabled");
  2077.  
  2078.     BT_INFO("%s: API lock is %s", hdev->name,
  2079.         params->api_lock ? "enabled" : "disabled");
  2080.  
  2081.     BT_INFO("%s: Debug lock is %s", hdev->name,
  2082.         params->debug_lock ? "enabled" : "disabled");
  2083.  
  2084.     BT_INFO("%s: Minimum firmware build %u week %u %u", hdev->name,
  2085.         params->min_fw_build_nn, params->min_fw_build_cw,
  2086.         2000 + params->min_fw_build_yy);
  2087.  
  2088.     /* It is required that every single firmware fragment is acknowledged
  2089.      * with a command complete event. If the boot parameters indicate
  2090.      * that this bootloader does not send them, then abort the setup.
  2091.      */
  2092.     if (params->limited_cce != 0x00) {
  2093.         BT_ERR("%s: Unsupported Intel firmware loading method (%u)",
  2094.                hdev->name, params->limited_cce);
  2095.         kfree_skb(skb);
  2096.         return -EINVAL;
  2097.     }
  2098.  
  2099.     /* If the OTP has no valid Bluetooth device address, then there will
  2100.      * also be no valid address for the operational firmware.
  2101.      */
  2102.     if (!bacmp(&params->otp_bdaddr, BDADDR_ANY)) {
  2103.         BT_INFO("%s: No device address configured", hdev->name);
  2104.         set_bit(HCI_QUIRK_INVALID_BDADDR, &hdev->quirks);
  2105.     }
  2106.  
  2107.     /* With this Intel bootloader only the hardware variant and device
  2108.      * revision information are used to select the right firmware.
  2109.      *
  2110.      * The firmware filename is ibt-<hw_variant>-<dev_revid>.sfi.
  2111.      *
  2112.      * Currently the supported hardware variants are:
  2113.      *   11 (0x0b) for iBT3.0 (LnP/SfP)
  2114.      *   12 (0x0c) for iBT3.5 (WsP)
  2115.      */
  2116.     snprintf(fwname, sizeof(fwname), "intel/ibt-%u-%u.sfi",
  2117.          le16_to_cpu(ver.hw_variant),
  2118.          le16_to_cpu(params->dev_revid));
  2119.  
  2120.     err = request_firmware(&fw, fwname, &hdev->dev);
  2121.     if (err < 0) {
  2122.         BT_ERR("%s: Failed to load Intel firmware file (%d)",
  2123.                hdev->name, err);
  2124.         kfree_skb(skb);
  2125.         return err;
  2126.     }
  2127.  
  2128.     BT_INFO("%s: Found device firmware: %s", hdev->name, fwname);
  2129.  
  2130.     /* Save the DDC file name for later use to apply once the firmware
  2131.      * downloading is done.
  2132.      */
  2133.     snprintf(fwname, sizeof(fwname), "intel/ibt-%u-%u.ddc",
  2134.          le16_to_cpu(ver.hw_variant),
  2135.          le16_to_cpu(params->dev_revid));
  2136.  
  2137.     kfree_skb(skb);
  2138.  
  2139.     if (fw->size < 644) {
  2140.         BT_ERR("%s: Invalid size of firmware file (%zu)",
  2141.                hdev->name, fw->size);
  2142.         err = -EBADF;
  2143.         goto done;
  2144.     }
  2145.  
  2146.     set_bit(BTUSB_DOWNLOADING, &data->flags);
  2147.  
  2148.     /* Start the firmware download transaction with the Init fragment
  2149.      * represented by the 128 bytes of CSS header.
  2150.      */
  2151.     err = btintel_secure_send(hdev, 0x00, 128, fw->data);
  2152.     if (err < 0) {
  2153.         BT_ERR("%s: Failed to send firmware header (%d)",
  2154.                hdev->name, err);
  2155.         goto done;
  2156.     }
  2157.  
  2158.     /* Send the 256 bytes of public key information from the firmware
  2159.      * as the PKey fragment.
  2160.      */
  2161.     err = btintel_secure_send(hdev, 0x03, 256, fw->data + 128);
  2162.     if (err < 0) {
  2163.         BT_ERR("%s: Failed to send firmware public key (%d)",
  2164.                hdev->name, err);
  2165.         goto done;
  2166.     }
  2167.  
  2168.     /* Send the 256 bytes of signature information from the firmware
  2169.      * as the Sign fragment.
  2170.      */
  2171.     err = btintel_secure_send(hdev, 0x02, 256, fw->data + 388);
  2172.     if (err < 0) {
  2173.         BT_ERR("%s: Failed to send firmware signature (%d)",
  2174.                hdev->name, err);
  2175.         goto done;
  2176.     }
  2177.  
  2178.     fw_ptr = fw->data + 644;
  2179.     frag_len = 0;
  2180.  
  2181.     while (fw_ptr - fw->data < fw->size) {
  2182.         struct hci_command_hdr *cmd = (void *)(fw_ptr + frag_len);
  2183.  
  2184.         frag_len += sizeof(*cmd) + cmd->plen;
  2185.  
  2186.         /* The parameter length of the secure send command requires
  2187.          * a 4 byte alignment. It happens so that the firmware file
  2188.          * contains proper Intel_NOP commands to align the fragments
  2189.          * as needed.
  2190.          *
  2191.          * Send set of commands with 4 byte alignment from the
  2192.          * firmware data buffer as a single Data fragement.
  2193.          */
  2194.         if (!(frag_len % 4)) {
  2195.             err = btintel_secure_send(hdev, 0x01, frag_len, fw_ptr);
  2196.             if (err < 0) {
  2197.                 BT_ERR("%s: Failed to send firmware data (%d)",
  2198.                        hdev->name, err);
  2199.                 goto done;
  2200.             }
  2201.  
  2202.             fw_ptr += frag_len;
  2203.             frag_len = 0;
  2204.         }
  2205.     }
  2206.  
  2207.     set_bit(BTUSB_FIRMWARE_LOADED, &data->flags);
  2208.  
  2209.     BT_INFO("%s: Waiting for firmware download to complete", hdev->name);
  2210.  
  2211.     /* Before switching the device into operational mode and with that
  2212.      * booting the loaded firmware, wait for the bootloader notification
  2213.      * that all fragments have been successfully received.
  2214.      *
  2215.      * When the event processing receives the notification, then the
  2216.      * BTUSB_DOWNLOADING flag will be cleared.
  2217.      *
  2218.      * The firmware loading should not take longer than 5 seconds
  2219.      * and thus just timeout if that happens and fail the setup
  2220.      * of this device.
  2221.      */
  2222.     err = wait_on_bit_timeout(&data->flags, BTUSB_DOWNLOADING,
  2223.                   TASK_INTERRUPTIBLE,
  2224.                   msecs_to_jiffies(5000));
  2225.     if (err == 1) {
  2226.         BT_ERR("%s: Firmware loading interrupted", hdev->name);
  2227.         err = -EINTR;
  2228.         goto done;
  2229.     }
  2230.  
  2231.     if (err) {
  2232.         BT_ERR("%s: Firmware loading timeout", hdev->name);
  2233.         err = -ETIMEDOUT;
  2234.         goto done;
  2235.     }
  2236.  
  2237.     if (test_bit(BTUSB_FIRMWARE_FAILED, &data->flags)) {
  2238.         BT_ERR("%s: Firmware loading failed", hdev->name);
  2239.         err = -ENOEXEC;
  2240.         goto done;
  2241.     }
  2242.  
  2243.     rettime = ktime_get();
  2244.     delta = ktime_sub(rettime, calltime);
  2245.     duration = (unsigned long long) ktime_to_ns(delta) >> 10;
  2246.  
  2247.     BT_INFO("%s: Firmware loaded in %llu usecs", hdev->name, duration);
  2248.  
  2249. done:
  2250.     release_firmware(fw);
  2251.  
  2252.     if (err < 0)
  2253.         return err;
  2254.  
  2255.     calltime = ktime_get();
  2256.  
  2257.     set_bit(BTUSB_BOOTING, &data->flags);
  2258.  
  2259.     skb = __hci_cmd_sync(hdev, 0xfc01, sizeof(reset_param), reset_param,
  2260.                  HCI_INIT_TIMEOUT);
  2261.     if (IS_ERR(skb))
  2262.         return PTR_ERR(skb);
  2263.  
  2264.     kfree_skb(skb);
  2265.  
  2266.     /* The bootloader will not indicate when the device is ready. This
  2267.      * is done by the operational firmware sending bootup notification.
  2268.      *
  2269.      * Booting into operational firmware should not take longer than
  2270.      * 1 second. However if that happens, then just fail the setup
  2271.      * since something went wrong.
  2272.      */
  2273.     BT_INFO("%s: Waiting for device to boot", hdev->name);
  2274.  
  2275.     err = wait_on_bit_timeout(&data->flags, BTUSB_BOOTING,
  2276.                   TASK_INTERRUPTIBLE,
  2277.                   msecs_to_jiffies(1000));
  2278.  
  2279.     if (err == 1) {
  2280.         BT_ERR("%s: Device boot interrupted", hdev->name);
  2281.         return -EINTR;
  2282.     }
  2283.  
  2284.     if (err) {
  2285.         BT_ERR("%s: Device boot timeout", hdev->name);
  2286.         return -ETIMEDOUT;
  2287.     }
  2288.  
  2289.     rettime = ktime_get();
  2290.     delta = ktime_sub(rettime, calltime);
  2291.     duration = (unsigned long long) ktime_to_ns(delta) >> 10;
  2292.  
  2293.     BT_INFO("%s: Device booted in %llu usecs", hdev->name, duration);
  2294.  
  2295.     clear_bit(BTUSB_BOOTLOADER, &data->flags);
  2296.  
  2297.     /* Once the device is running in operational mode, it needs to apply
  2298.      * the device configuration (DDC) parameters.
  2299.      *
  2300.      * The device can work without DDC parameters, so even if it fails
  2301.      * to load the file, no need to fail the setup.
  2302.      */
  2303.     btintel_load_ddc_config(hdev, fwname);
  2304.  
  2305.     /* Set the event mask for Intel specific vendor events. This enables
  2306.      * a few extra events that are useful during general operation. It
  2307.      * does not enable any debugging related events.
  2308.      *
  2309.      * The device will function correctly without these events enabled
  2310.      * and thus no need to fail the setup.
  2311.      */
  2312.     btintel_set_event_mask(hdev, false);
  2313.  
  2314.     return 0;
  2315. }
  2316.  
  2317. static int btusb_shutdown_intel(struct hci_dev *hdev)
  2318. {
  2319.     struct sk_buff *skb;
  2320.     long ret;
  2321.  
  2322.     /* Some platforms have an issue with BT LED when the interface is
  2323.      * down or BT radio is turned off, which takes 5 seconds to BT LED
  2324.      * goes off. This command turns off the BT LED immediately.
  2325.      */
  2326.     skb = __hci_cmd_sync(hdev, 0xfc3f, 0, NULL, HCI_INIT_TIMEOUT);
  2327.     if (IS_ERR(skb)) {
  2328.         ret = PTR_ERR(skb);
  2329.         BT_ERR("%s: turning off Intel device LED failed (%ld)",
  2330.                hdev->name, ret);
  2331.         return ret;
  2332.     }
  2333.     kfree_skb(skb);
  2334.  
  2335.     return 0;
  2336. }
  2337.  
  2338. static int btusb_set_bdaddr_marvell(struct hci_dev *hdev,
  2339.                     const bdaddr_t *bdaddr)
  2340. {
  2341.     struct sk_buff *skb;
  2342.     u8 buf[8];
  2343.     long ret;
  2344.  
  2345.     buf[0] = 0xfe;
  2346.     buf[1] = sizeof(bdaddr_t);
  2347.     memcpy(buf + 2, bdaddr, sizeof(bdaddr_t));
  2348.  
  2349.     skb = __hci_cmd_sync(hdev, 0xfc22, sizeof(buf), buf, HCI_INIT_TIMEOUT);
  2350.     if (IS_ERR(skb)) {
  2351.         ret = PTR_ERR(skb);
  2352.         BT_ERR("%s: changing Marvell device address failed (%ld)",
  2353.                hdev->name, ret);
  2354.         return ret;
  2355.     }
  2356.     kfree_skb(skb);
  2357.  
  2358.     return 0;
  2359. }
  2360.  
  2361. static int btusb_set_bdaddr_ath3012(struct hci_dev *hdev,
  2362.                     const bdaddr_t *bdaddr)
  2363. {
  2364.     struct sk_buff *skb;
  2365.     u8 buf[10];
  2366.     long ret;
  2367.  
  2368.     buf[0] = 0x01;
  2369.     buf[1] = 0x01;
  2370.     buf[2] = 0x00;
  2371.     buf[3] = sizeof(bdaddr_t);
  2372.     memcpy(buf + 4, bdaddr, sizeof(bdaddr_t));
  2373.  
  2374.     skb = __hci_cmd_sync(hdev, 0xfc0b, sizeof(buf), buf, HCI_INIT_TIMEOUT);
  2375.     if (IS_ERR(skb)) {
  2376.         ret = PTR_ERR(skb);
  2377.         BT_ERR("%s: Change address command failed (%ld)",
  2378.                hdev->name, ret);
  2379.         return ret;
  2380.     }
  2381.     kfree_skb(skb);
  2382.  
  2383.     return 0;
  2384. }
  2385.  
  2386. #define QCA_DFU_PACKET_LEN  4096
  2387.  
  2388. #define QCA_GET_TARGET_VERSION  0x09
  2389. #define QCA_CHECK_STATUS    0x05
  2390. #define QCA_DFU_DOWNLOAD    0x01
  2391.  
  2392. #define QCA_SYSCFG_UPDATED  0x40
  2393. #define QCA_PATCH_UPDATED   0x80
  2394. #define QCA_DFU_TIMEOUT     3000
  2395.  
  2396. struct qca_version {
  2397.     __le32  rom_version;
  2398.     __le32  patch_version;
  2399.     __le32  ram_version;
  2400.     __le32  ref_clock;
  2401.     __u8    reserved[4];
  2402. } __packed;
  2403.  
  2404. struct qca_rampatch_version {
  2405.     __le16  rom_version;
  2406.     __le16  patch_version;
  2407. } __packed;
  2408.  
  2409. struct qca_device_info {
  2410.     u32 rom_version;
  2411.     u8  rampatch_hdr;   /* length of header in rampatch */
  2412.     u8  nvm_hdr;    /* length of header in NVM */
  2413.     u8  ver_offset; /* offset of version structure in rampatch */
  2414. };
  2415.  
  2416. static const struct qca_device_info qca_devices_table[] = {
  2417.     { 0x00000100, 20, 4, 10 }, /* Rome 1.0 */
  2418.     { 0x00000101, 20, 4, 10 }, /* Rome 1.1 */
  2419.     { 0x00000200, 28, 4, 18 }, /* Rome 2.0 */
  2420.     { 0x00000201, 28, 4, 18 }, /* Rome 2.1 */
  2421.     { 0x00000300, 28, 4, 18 }, /* Rome 3.0 */
  2422.     { 0x00000302, 28, 4, 18 }, /* Rome 3.2 */
  2423. };
  2424.  
  2425. static int btusb_qca_send_vendor_req(struct hci_dev *hdev, u8 request,
  2426.                      void *data, u16 size)
  2427. {
  2428.     struct btusb_data *btdata = hci_get_drvdata(hdev);
  2429.     struct usb_device *udev = btdata->udev;
  2430.     int pipe, err;
  2431.     u8 *buf;
  2432.  
  2433.     buf = kmalloc(size, GFP_KERNEL);
  2434.     if (!buf)
  2435.         return -ENOMEM;
  2436.  
  2437.     /* Found some of USB hosts have IOT issues with ours so that we should
  2438.      * not wait until HCI layer is ready.
  2439.      */
  2440.     pipe = usb_rcvctrlpipe(udev, 0);
  2441.     err = usb_control_msg(udev, pipe, request, USB_TYPE_VENDOR | USB_DIR_IN,
  2442.                   0, 0, buf, size, USB_CTRL_SET_TIMEOUT);
  2443.     if (err < 0) {
  2444.         BT_ERR("%s: Failed to access otp area (%d)", hdev->name, err);
  2445.         goto done;
  2446.     }
  2447.  
  2448.     memcpy(data, buf, size);
  2449.  
  2450. done:
  2451.     kfree(buf);
  2452.  
  2453.     return err;
  2454. }
  2455.  
  2456. static int btusb_setup_qca_download_fw(struct hci_dev *hdev,
  2457.                        const struct firmware *firmware,
  2458.                        size_t hdr_size)
  2459. {
  2460.     struct btusb_data *btdata = hci_get_drvdata(hdev);
  2461.     struct usb_device *udev = btdata->udev;
  2462.     size_t count, size, sent = 0;
  2463.     int pipe, len, err;
  2464.     u8 *buf;
  2465.  
  2466.     buf = kmalloc(QCA_DFU_PACKET_LEN, GFP_KERNEL);
  2467.     if (!buf)
  2468.         return -ENOMEM;
  2469.  
  2470.     count = firmware->size;
  2471.  
  2472.     size = min_t(size_t, count, hdr_size);
  2473.     memcpy(buf, firmware->data, size);
  2474.  
  2475.     /* USB patches should go down to controller through USB path
  2476.      * because binary format fits to go down through USB channel.
  2477.      * USB control path is for patching headers and USB bulk is for
  2478.      * patch body.
  2479.      */
  2480.     pipe = usb_sndctrlpipe(udev, 0);
  2481.     err = usb_control_msg(udev, pipe, QCA_DFU_DOWNLOAD, USB_TYPE_VENDOR,
  2482.                   0, 0, buf, size, USB_CTRL_SET_TIMEOUT);
  2483.     if (err < 0) {
  2484.         BT_ERR("%s: Failed to send headers (%d)", hdev->name, err);
  2485.         goto done;
  2486.     }
  2487.  
  2488.     sent += size;
  2489.     count -= size;
  2490.  
  2491.     while (count) {
  2492.         size = min_t(size_t, count, QCA_DFU_PACKET_LEN);
  2493.  
  2494.         memcpy(buf, firmware->data + sent, size);
  2495.  
  2496.         pipe = usb_sndbulkpipe(udev, 0x02);
  2497.         err = usb_bulk_msg(udev, pipe, buf, size, &len,
  2498.                    QCA_DFU_TIMEOUT);
  2499.         if (err < 0) {
  2500.             BT_ERR("%s: Failed to send body at %zd of %zd (%d)",
  2501.                    hdev->name, sent, firmware->size, err);
  2502.             break;
  2503.         }
  2504.  
  2505.         if (size != len) {
  2506.             BT_ERR("%s: Failed to get bulk buffer", hdev->name);
  2507.             err = -EILSEQ;
  2508.             break;
  2509.         }
  2510.  
  2511.         sent  += size;
  2512.         count -= size;
  2513.     }
  2514.  
  2515. done:
  2516.     kfree(buf);
  2517.     return err;
  2518. }
  2519.  
  2520. static int btusb_setup_qca_load_rampatch(struct hci_dev *hdev,
  2521.                      struct qca_version *ver,
  2522.                      const struct qca_device_info *info)
  2523. {
  2524.     struct qca_rampatch_version *rver;
  2525.     const struct firmware *fw;
  2526.     u32 ver_rom, ver_patch;
  2527.     u16 rver_rom, rver_patch;
  2528.     char fwname[64];
  2529.     int err;
  2530.  
  2531.     ver_rom = le32_to_cpu(ver->rom_version);
  2532.     ver_patch = le32_to_cpu(ver->patch_version);
  2533.  
  2534.     snprintf(fwname, sizeof(fwname), "qca/rampatch_usb_%08x.bin", ver_rom);
  2535.  
  2536.     err = request_firmware(&fw, fwname, &hdev->dev);
  2537.     if (err) {
  2538.         BT_ERR("%s: failed to request rampatch file: %s (%d)",
  2539.                hdev->name, fwname, err);
  2540.         return err;
  2541.     }
  2542.  
  2543.     BT_INFO("%s: using rampatch file: %s", hdev->name, fwname);
  2544.  
  2545.     rver = (struct qca_rampatch_version *)(fw->data + info->ver_offset);
  2546.     rver_rom = le16_to_cpu(rver->rom_version);
  2547.     rver_patch = le16_to_cpu(rver->patch_version);
  2548.  
  2549.     BT_INFO("%s: QCA: patch rome 0x%x build 0x%x, firmware rome 0x%x "
  2550.         "build 0x%x", hdev->name, rver_rom, rver_patch, ver_rom,
  2551.         ver_patch);
  2552.  
  2553.     if (rver_rom != ver_rom || rver_patch <= ver_patch) {
  2554.         BT_ERR("%s: rampatch file version did not match with firmware",
  2555.                hdev->name);
  2556.         err = -EINVAL;
  2557.         goto done;
  2558.     }
  2559.  
  2560.     err = btusb_setup_qca_download_fw(hdev, fw, info->rampatch_hdr);
  2561.  
  2562. done:
  2563.     release_firmware(fw);
  2564.  
  2565.     return err;
  2566. }
  2567.  
  2568. static int btusb_setup_qca_load_nvm(struct hci_dev *hdev,
  2569.                     struct qca_version *ver,
  2570.                     const struct qca_device_info *info)
  2571. {
  2572.     const struct firmware *fw;
  2573.     char fwname[64];
  2574.     int err;
  2575.  
  2576.     snprintf(fwname, sizeof(fwname), "qca/nvm_usb_%08x.bin",
  2577.          le32_to_cpu(ver->rom_version));
  2578.  
  2579.     err = request_firmware(&fw, fwname, &hdev->dev);
  2580.     if (err) {
  2581.         BT_ERR("%s: failed to request NVM file: %s (%d)",
  2582.                hdev->name, fwname, err);
  2583.         return err;
  2584.     }
  2585.  
  2586.     BT_INFO("%s: using NVM file: %s", hdev->name, fwname);
  2587.  
  2588.     err = btusb_setup_qca_download_fw(hdev, fw, info->nvm_hdr);
  2589.  
  2590.     release_firmware(fw);
  2591.  
  2592.     return err;
  2593. }
  2594.  
  2595. static int btusb_setup_qca(struct hci_dev *hdev)
  2596. {
  2597.     const struct qca_device_info *info = NULL;
  2598.     struct qca_version ver;
  2599.     u32 ver_rom;
  2600.     u8 status;
  2601.     int i, err;
  2602.  
  2603.     err = btusb_qca_send_vendor_req(hdev, QCA_GET_TARGET_VERSION, &ver,
  2604.                     sizeof(ver));
  2605.     if (err < 0)
  2606.         return err;
  2607.  
  2608.     ver_rom = le32_to_cpu(ver.rom_version);
  2609.     for (i = 0; i < ARRAY_SIZE(qca_devices_table); i++) {
  2610.         if (ver_rom == qca_devices_table[i].rom_version)
  2611.             info = &qca_devices_table[i];
  2612.     }
  2613.     if (!info) {
  2614.         BT_ERR("%s: don't support firmware rome 0x%x", hdev->name,
  2615.                ver_rom);
  2616.         return -ENODEV;
  2617.     }
  2618.  
  2619.     err = btusb_qca_send_vendor_req(hdev, QCA_CHECK_STATUS, &status,
  2620.                     sizeof(status));
  2621.     if (err < 0)
  2622.         return err;
  2623.  
  2624.     if (!(status & QCA_PATCH_UPDATED)) {
  2625.         err = btusb_setup_qca_load_rampatch(hdev, &ver, info);
  2626.         if (err < 0)
  2627.             return err;
  2628.     }
  2629.  
  2630.     if (!(status & QCA_SYSCFG_UPDATED)) {
  2631.         err = btusb_setup_qca_load_nvm(hdev, &ver, info);
  2632.         if (err < 0)
  2633.             return err;
  2634.     }
  2635.  
  2636.     return 0;
  2637. }
  2638.  
  2639. #ifdef CONFIG_BT_HCIBTUSB_BCM
  2640. static inline int __set_diag_interface(struct hci_dev *hdev)
  2641. {
  2642.     struct btusb_data *data = hci_get_drvdata(hdev);
  2643.     struct usb_interface *intf = data->diag;
  2644.     int i;
  2645.  
  2646.     if (!data->diag)
  2647.         return -ENODEV;
  2648.  
  2649.     data->diag_tx_ep = NULL;
  2650.     data->diag_rx_ep = NULL;
  2651.  
  2652.     for (i = 0; i < intf->cur_altsetting->desc.bNumEndpoints; i++) {
  2653.         struct usb_endpoint_descriptor *ep_desc;
  2654.  
  2655.         ep_desc = &intf->cur_altsetting->endpoint[i].desc;
  2656.  
  2657.         if (!data->diag_tx_ep && usb_endpoint_is_bulk_out(ep_desc)) {
  2658.             data->diag_tx_ep = ep_desc;
  2659.             continue;
  2660.         }
  2661.  
  2662.         if (!data->diag_rx_ep && usb_endpoint_is_bulk_in(ep_desc)) {
  2663.             data->diag_rx_ep = ep_desc;
  2664.             continue;
  2665.         }
  2666.     }
  2667.  
  2668.     if (!data->diag_tx_ep || !data->diag_rx_ep) {
  2669.         BT_ERR("%s invalid diagnostic descriptors", hdev->name);
  2670.         return -ENODEV;
  2671.     }
  2672.  
  2673.     return 0;
  2674. }
  2675.  
  2676. static struct urb *alloc_diag_urb(struct hci_dev *hdev, bool enable)
  2677. {
  2678.     struct btusb_data *data = hci_get_drvdata(hdev);
  2679.     struct sk_buff *skb;
  2680.     struct urb *urb;
  2681.     unsigned int pipe;
  2682.  
  2683.     if (!data->diag_tx_ep)
  2684.         return ERR_PTR(-ENODEV);
  2685.  
  2686.     urb = usb_alloc_urb(0, GFP_KERNEL);
  2687.     if (!urb)
  2688.         return ERR_PTR(-ENOMEM);
  2689.  
  2690.     skb = bt_skb_alloc(2, GFP_KERNEL);
  2691.     if (!skb) {
  2692.         usb_free_urb(urb);
  2693.         return ERR_PTR(-ENOMEM);
  2694.     }
  2695.  
  2696.     *skb_put(skb, 1) = 0xf0;
  2697.     *skb_put(skb, 1) = enable;
  2698.  
  2699.     pipe = usb_sndbulkpipe(data->udev, data->diag_tx_ep->bEndpointAddress);
  2700.  
  2701.     usb_fill_bulk_urb(urb, data->udev, pipe,
  2702.               skb->data, skb->len, btusb_tx_complete, skb);
  2703.  
  2704.     skb->dev = (void *)hdev;
  2705.  
  2706.     return urb;
  2707. }
  2708.  
  2709. static int btusb_bcm_set_diag(struct hci_dev *hdev, bool enable)
  2710. {
  2711.     struct btusb_data *data = hci_get_drvdata(hdev);
  2712.     struct urb *urb;
  2713.  
  2714.     if (!data->diag)
  2715.         return -ENODEV;
  2716.  
  2717.     if (!test_bit(HCI_RUNNING, &hdev->flags))
  2718.         return -ENETDOWN;
  2719.  
  2720.     urb = alloc_diag_urb(hdev, enable);
  2721.     if (IS_ERR(urb))
  2722.         return PTR_ERR(urb);
  2723.  
  2724.     return submit_or_queue_tx_urb(hdev, urb);
  2725. }
  2726. #endif
  2727.  
  2728. static int btusb_probe(struct usb_interface *intf,
  2729.                const struct usb_device_id *id)
  2730. {
  2731.     struct usb_endpoint_descriptor *ep_desc;
  2732.     struct btusb_data *data;
  2733.     struct hci_dev *hdev;
  2734.     unsigned ifnum_base;
  2735.     int i, err;
  2736.  
  2737.     BT_DBG("intf %p id %p", intf, id);
  2738.  
  2739.     /* interface numbers are hardcoded in the spec */
  2740.     if (intf->cur_altsetting->desc.bInterfaceNumber != 0) {
  2741.         if (!(id->driver_info & BTUSB_IFNUM_2))
  2742.             return -ENODEV;
  2743.         if (intf->cur_altsetting->desc.bInterfaceNumber != 2)
  2744.             return -ENODEV;
  2745.     }
  2746.  
  2747.     ifnum_base = intf->cur_altsetting->desc.bInterfaceNumber;
  2748.  
  2749.     if (!id->driver_info) {
  2750.         const struct usb_device_id *match;
  2751.  
  2752.         match = usb_match_id(intf, blacklist_table);
  2753.         if (match)
  2754.             id = match;
  2755.     }
  2756.  
  2757.     if (id->driver_info == BTUSB_IGNORE)
  2758.         return -ENODEV;
  2759.  
  2760.     if (id->driver_info & BTUSB_ATH3012) {
  2761.         struct usb_device *udev = interface_to_usbdev(intf);
  2762.  
  2763.         /* Old firmware would otherwise let ath3k driver load
  2764.          * patch and sysconfig files */
  2765.         if (le16_to_cpu(udev->descriptor.bcdDevice) <= 0x0001)
  2766.             return -ENODEV;
  2767.     }
  2768.  
  2769.     data = devm_kzalloc(&intf->dev, sizeof(*data), GFP_KERNEL);
  2770.     if (!data)
  2771.         return -ENOMEM;
  2772.  
  2773.     for (i = 0; i < intf->cur_altsetting->desc.bNumEndpoints; i++) {
  2774.         ep_desc = &intf->cur_altsetting->endpoint[i].desc;
  2775.  
  2776.         if (!data->intr_ep && usb_endpoint_is_int_in(ep_desc)) {
  2777.             data->intr_ep = ep_desc;
  2778.             continue;
  2779.         }
  2780.  
  2781.         if (!data->bulk_tx_ep && usb_endpoint_is_bulk_out(ep_desc)) {
  2782.             data->bulk_tx_ep = ep_desc;
  2783.             continue;
  2784.         }
  2785.  
  2786.         if (!data->bulk_rx_ep && usb_endpoint_is_bulk_in(ep_desc)) {
  2787.             data->bulk_rx_ep = ep_desc;
  2788.             continue;
  2789.         }
  2790.     }
  2791.  
  2792.     if (!data->intr_ep || !data->bulk_tx_ep || !data->bulk_rx_ep)
  2793.         return -ENODEV;
  2794.  
  2795.     if (id->driver_info & BTUSB_AMP) {
  2796.         data->cmdreq_type = USB_TYPE_CLASS | 0x01;
  2797.         data->cmdreq = 0x2b;
  2798.     } else {
  2799.         data->cmdreq_type = USB_TYPE_CLASS;
  2800.         data->cmdreq = 0x00;
  2801.     }
  2802.  
  2803.     data->udev = interface_to_usbdev(intf);
  2804.     data->intf = intf;
  2805.  
  2806.     INIT_WORK(&data->work, btusb_work);
  2807.     INIT_WORK(&data->waker, btusb_waker);
  2808.     init_usb_anchor(&data->deferred);
  2809.     init_usb_anchor(&data->tx_anchor);
  2810.     spin_lock_init(&data->txlock);
  2811.  
  2812.     init_usb_anchor(&data->intr_anchor);
  2813.     init_usb_anchor(&data->bulk_anchor);
  2814.     init_usb_anchor(&data->isoc_anchor);
  2815.     init_usb_anchor(&data->diag_anchor);
  2816.     spin_lock_init(&data->rxlock);
  2817.  
  2818.     if (id->driver_info & BTUSB_INTEL_NEW) {
  2819.         data->recv_event = btusb_recv_event_intel;
  2820.         data->recv_bulk = btusb_recv_bulk_intel;
  2821.         set_bit(BTUSB_BOOTLOADER, &data->flags);
  2822.     } else {
  2823.         data->recv_event = hci_recv_frame;
  2824.         data->recv_bulk = btusb_recv_bulk;
  2825.     }
  2826.  
  2827.     hdev = hci_alloc_dev();
  2828.     if (!hdev)
  2829.         return -ENOMEM;
  2830.  
  2831.     hdev->bus = HCI_USB;
  2832.     hci_set_drvdata(hdev, data);
  2833.  
  2834.     if (id->driver_info & BTUSB_AMP)
  2835.         hdev->dev_type = HCI_AMP;
  2836.     else
  2837.         hdev->dev_type = HCI_PRIMARY;
  2838.  
  2839.     data->hdev = hdev;
  2840.  
  2841.     SET_HCIDEV_DEV(hdev, &intf->dev);
  2842.  
  2843.     hdev->open   = btusb_open;
  2844.     hdev->close  = btusb_close;
  2845.     hdev->flush  = btusb_flush;
  2846.     hdev->send   = btusb_send_frame;
  2847.     hdev->notify = btusb_notify;
  2848.  
  2849.     if (id->driver_info & BTUSB_BCM2045)
  2850.         set_bit(HCI_QUIRK_BROKEN_STORED_LINK_KEY, &hdev->quirks);
  2851.  
  2852.     if (id->driver_info & BTUSB_BCM92035)
  2853.         hdev->setup = btusb_setup_bcm92035;
  2854.  
  2855. #ifdef CONFIG_BT_HCIBTUSB_BCM
  2856.     if (id->driver_info & BTUSB_BCM_PATCHRAM) {
  2857.         hdev->manufacturer = 15;
  2858.         hdev->setup = btbcm_setup_patchram;
  2859.         hdev->set_diag = btusb_bcm_set_diag;
  2860.         hdev->set_bdaddr = btbcm_set_bdaddr;
  2861.  
  2862.         /* Broadcom LM_DIAG Interface numbers are hardcoded */
  2863.         data->diag = usb_ifnum_to_if(data->udev, ifnum_base + 2);
  2864.     }
  2865.  
  2866.     if (id->driver_info & BTUSB_BCM_APPLE) {
  2867.         hdev->manufacturer = 15;
  2868.         hdev->setup = btbcm_setup_apple;
  2869.         hdev->set_diag = btusb_bcm_set_diag;
  2870.  
  2871.         /* Broadcom LM_DIAG Interface numbers are hardcoded */
  2872.         data->diag = usb_ifnum_to_if(data->udev, ifnum_base + 2);
  2873.     }
  2874. #endif
  2875.  
  2876.     if (id->driver_info & BTUSB_INTEL) {
  2877.         hdev->manufacturer = 2;
  2878.         hdev->setup = btusb_setup_intel;
  2879.         hdev->shutdown = btusb_shutdown_intel;
  2880.         hdev->set_diag = btintel_set_diag_mfg;
  2881.         hdev->set_bdaddr = btintel_set_bdaddr;
  2882.         set_bit(HCI_QUIRK_STRICT_DUPLICATE_FILTER, &hdev->quirks);
  2883.         set_bit(HCI_QUIRK_SIMULTANEOUS_DISCOVERY, &hdev->quirks);
  2884.         set_bit(HCI_QUIRK_NON_PERSISTENT_DIAG, &hdev->quirks);
  2885.     }
  2886.  
  2887.     if (id->driver_info & BTUSB_INTEL_NEW) {
  2888.         hdev->manufacturer = 2;
  2889.         hdev->send = btusb_send_frame_intel;
  2890.         hdev->setup = btusb_setup_intel_new;
  2891.         hdev->hw_error = btintel_hw_error;
  2892.         hdev->set_diag = btintel_set_diag;
  2893.         hdev->set_bdaddr = btintel_set_bdaddr;
  2894.         set_bit(HCI_QUIRK_STRICT_DUPLICATE_FILTER, &hdev->quirks);
  2895.         set_bit(HCI_QUIRK_NON_PERSISTENT_DIAG, &hdev->quirks);
  2896.     }
  2897.  
  2898.     if (id->driver_info & BTUSB_MARVELL)
  2899.         hdev->set_bdaddr = btusb_set_bdaddr_marvell;
  2900.  
  2901.     if (id->driver_info & BTUSB_SWAVE) {
  2902.         set_bit(HCI_QUIRK_FIXUP_INQUIRY_MODE, &hdev->quirks);
  2903.         set_bit(HCI_QUIRK_BROKEN_LOCAL_COMMANDS, &hdev->quirks);
  2904.     }
  2905.  
  2906.     if (id->driver_info & BTUSB_INTEL_BOOT) {
  2907.         hdev->manufacturer = 2;
  2908.         set_bit(HCI_QUIRK_RAW_DEVICE, &hdev->quirks);
  2909.     }
  2910.  
  2911.     if (id->driver_info & BTUSB_ATH3012) {
  2912.         hdev->set_bdaddr = btusb_set_bdaddr_ath3012;
  2913.         set_bit(HCI_QUIRK_SIMULTANEOUS_DISCOVERY, &hdev->quirks);
  2914.         set_bit(HCI_QUIRK_STRICT_DUPLICATE_FILTER, &hdev->quirks);
  2915.     }
  2916.  
  2917.     if (id->driver_info & BTUSB_QCA_ROME) {
  2918.         data->setup_on_usb = btusb_setup_qca;
  2919.         hdev->set_bdaddr = btusb_set_bdaddr_ath3012;
  2920.     }
  2921.  
  2922. #ifdef CONFIG_BT_HCIBTUSB_RTL
  2923.     if (id->driver_info & BTUSB_REALTEK) {
  2924.         hdev->setup = btrtl_setup_realtek;
  2925.  
  2926.         /* Realtek devices lose their updated firmware over suspend,
  2927.          * but the USB hub doesn't notice any status change.
  2928.          * Explicitly request a device reset on resume.
  2929.          */
  2930.         set_bit(BTUSB_RESET_RESUME, &data->flags);
  2931.     }
  2932. #endif
  2933.  
  2934.     if (id->driver_info & BTUSB_AMP) {
  2935.         /* AMP controllers do not support SCO packets */
  2936.         data->isoc = NULL;
  2937.     } else {
  2938.         /* Interface orders are hardcoded in the specification */
  2939.         data->isoc = usb_ifnum_to_if(data->udev, ifnum_base + 1);
  2940.     }
  2941.  
  2942.     if (!reset)
  2943.         set_bit(HCI_QUIRK_RESET_ON_CLOSE, &hdev->quirks);
  2944.  
  2945.     if (force_scofix || id->driver_info & BTUSB_WRONG_SCO_MTU) {
  2946.         if (!disable_scofix)
  2947.             set_bit(HCI_QUIRK_FIXUP_BUFFER_SIZE, &hdev->quirks);
  2948.     }
  2949.  
  2950.     if (id->driver_info & BTUSB_BROKEN_ISOC)
  2951.         data->isoc = NULL;
  2952.  
  2953.     if (id->driver_info & BTUSB_DIGIANSWER) {
  2954.         data->cmdreq_type = USB_TYPE_VENDOR;
  2955.         set_bit(HCI_QUIRK_RESET_ON_CLOSE, &hdev->quirks);
  2956.     }
  2957.  
  2958.     if (id->driver_info & BTUSB_CSR) {
  2959.         struct usb_device *udev = data->udev;
  2960.         u16 bcdDevice = le16_to_cpu(udev->descriptor.bcdDevice);
  2961.  
  2962.         /* Old firmware would otherwise execute USB reset */
  2963.         if (bcdDevice < 0x117)
  2964.             set_bit(HCI_QUIRK_RESET_ON_CLOSE, &hdev->quirks);
  2965.  
  2966.         /* Fake CSR devices with broken commands */
  2967.         if (bcdDevice <= 0x100 || bcdDevice == 0x134)
  2968.             hdev->setup = btusb_setup_csr;
  2969.  
  2970.         set_bit(HCI_QUIRK_SIMULTANEOUS_DISCOVERY, &hdev->quirks);
  2971.     }
  2972.  
  2973.     if (id->driver_info & BTUSB_SNIFFER) {
  2974.         struct usb_device *udev = data->udev;
  2975.  
  2976.         /* New sniffer firmware has crippled HCI interface */
  2977.         if (le16_to_cpu(udev->descriptor.bcdDevice) > 0x997)
  2978.             set_bit(HCI_QUIRK_RAW_DEVICE, &hdev->quirks);
  2979.     }
  2980.  
  2981.     if (id->driver_info & BTUSB_INTEL_BOOT) {
  2982.         /* A bug in the bootloader causes that interrupt interface is
  2983.          * only enabled after receiving SetInterface(0, AltSetting=0).
  2984.          */
  2985.         err = usb_set_interface(data->udev, 0, 0);
  2986.         if (err < 0) {
  2987.             BT_ERR("failed to set interface 0, alt 0 %d", err);
  2988.             hci_free_dev(hdev);
  2989.             return err;
  2990.         }
  2991.     }
  2992.  
  2993.     if (data->isoc) {
  2994.         err = usb_driver_claim_interface(&btusb_driver,
  2995.                          data->isoc, data);
  2996.         if (err < 0) {
  2997.             hci_free_dev(hdev);
  2998.             return err;
  2999.         }
  3000.     }
  3001.  
  3002. #ifdef CONFIG_BT_HCIBTUSB_BCM
  3003.     if (data->diag) {
  3004.         if (!usb_driver_claim_interface(&btusb_driver,
  3005.                         data->diag, data))
  3006.             __set_diag_interface(hdev);
  3007.         else
  3008.             data->diag = NULL;
  3009.     }
  3010. #endif
  3011.  
  3012.     err = hci_register_dev(hdev);
  3013.     if (err < 0) {
  3014.         hci_free_dev(hdev);
  3015.         return err;
  3016.     }
  3017.  
  3018.     usb_set_intfdata(intf, data);
  3019.  
  3020.     return 0;
  3021. }
  3022.  
  3023. static void btusb_disconnect(struct usb_interface *intf)
  3024. {
  3025.     struct btusb_data *data = usb_get_intfdata(intf);
  3026.     struct hci_dev *hdev;
  3027.  
  3028.     BT_DBG("intf %p", intf);
  3029.  
  3030.     if (!data)
  3031.         return;
  3032.  
  3033.     hdev = data->hdev;
  3034.     usb_set_intfdata(data->intf, NULL);
  3035.  
  3036.     if (data->isoc)
  3037.         usb_set_intfdata(data->isoc, NULL);
  3038.  
  3039.     if (data->diag)
  3040.         usb_set_intfdata(data->diag, NULL);
  3041.  
  3042.     hci_unregister_dev(hdev);
  3043.  
  3044.     if (intf == data->intf) {
  3045.         if (data->isoc)
  3046.             usb_driver_release_interface(&btusb_driver, data->isoc);
  3047.         if (data->diag)
  3048.             usb_driver_release_interface(&btusb_driver, data->diag);
  3049.     } else if (intf == data->isoc) {
  3050.         if (data->diag)
  3051.             usb_driver_release_interface(&btusb_driver, data->diag);
  3052.         usb_driver_release_interface(&btusb_driver, data->intf);
  3053.     } else if (intf == data->diag) {
  3054.         usb_driver_release_interface(&btusb_driver, data->intf);
  3055.         if (data->isoc)
  3056.             usb_driver_release_interface(&btusb_driver, data->isoc);
  3057.     }
  3058.  
  3059.     hci_free_dev(hdev);
  3060. }
  3061.  
  3062. #ifdef CONFIG_PM
  3063. static int btusb_suspend(struct usb_interface *intf, pm_message_t message)
  3064. {
  3065.     struct btusb_data *data = usb_get_intfdata(intf);
  3066.  
  3067.     BT_DBG("intf %p", intf);
  3068.  
  3069.     if (data->suspend_count++)
  3070.         return 0;
  3071.  
  3072.     spin_lock_irq(&data->txlock);
  3073.     if (!(PMSG_IS_AUTO(message) && data->tx_in_flight)) {
  3074.         set_bit(BTUSB_SUSPENDING, &data->flags);
  3075.         spin_unlock_irq(&data->txlock);
  3076.     } else {
  3077.         spin_unlock_irq(&data->txlock);
  3078.         data->suspend_count--;
  3079.         return -EBUSY;
  3080.     }
  3081.  
  3082.     cancel_work_sync(&data->work);
  3083.  
  3084.     btusb_stop_traffic(data);
  3085.     usb_kill_anchored_urbs(&data->tx_anchor);
  3086.  
  3087.     /* Optionally request a device reset on resume, but only when
  3088.      * wakeups are disabled. If wakeups are enabled we assume the
  3089.      * device will stay powered up throughout suspend.
  3090.      */
  3091.     if (test_bit(BTUSB_RESET_RESUME, &data->flags) &&
  3092.         !device_may_wakeup(&data->udev->dev))
  3093.         data->udev->reset_resume = 1;
  3094.  
  3095.     return 0;
  3096. }
  3097.  
  3098. static void play_deferred(struct btusb_data *data)
  3099. {
  3100.     struct urb *urb;
  3101.     int err;
  3102.  
  3103.     while ((urb = usb_get_from_anchor(&data->deferred))) {
  3104.         err = usb_submit_urb(urb, GFP_ATOMIC);
  3105.         if (err < 0)
  3106.             break;
  3107.  
  3108.         data->tx_in_flight++;
  3109.     }
  3110.     usb_scuttle_anchored_urbs(&data->deferred);
  3111. }
  3112.  
  3113. static int btusb_resume(struct usb_interface *intf)
  3114. {
  3115.     struct btusb_data *data = usb_get_intfdata(intf);
  3116.     struct hci_dev *hdev = data->hdev;
  3117.     int err = 0;
  3118.  
  3119.     BT_DBG("intf %p", intf);
  3120.  
  3121.     if (--data->suspend_count)
  3122.         return 0;
  3123.  
  3124.     if (!test_bit(HCI_RUNNING, &hdev->flags))
  3125.         goto done;
  3126.  
  3127.     if (test_bit(BTUSB_INTR_RUNNING, &data->flags)) {
  3128.         err = btusb_submit_intr_urb(hdev, GFP_NOIO);
  3129.         if (err < 0) {
  3130.             clear_bit(BTUSB_INTR_RUNNING, &data->flags);
  3131.             goto failed;
  3132.         }
  3133.     }
  3134.  
  3135.     if (test_bit(BTUSB_BULK_RUNNING, &data->flags)) {
  3136.         err = btusb_submit_bulk_urb(hdev, GFP_NOIO);
  3137.         if (err < 0) {
  3138.             clear_bit(BTUSB_BULK_RUNNING, &data->flags);
  3139.             goto failed;
  3140.         }
  3141.  
  3142.         btusb_submit_bulk_urb(hdev, GFP_NOIO);
  3143.     }
  3144.  
  3145.     if (test_bit(BTUSB_ISOC_RUNNING, &data->flags)) {
  3146.         if (btusb_submit_isoc_urb(hdev, GFP_NOIO) < 0)
  3147.             clear_bit(BTUSB_ISOC_RUNNING, &data->flags);
  3148.         else
  3149.             btusb_submit_isoc_urb(hdev, GFP_NOIO);
  3150.     }
  3151.  
  3152.     spin_lock_irq(&data->txlock);
  3153.     play_deferred(data);
  3154.     clear_bit(BTUSB_SUSPENDING, &data->flags);
  3155.     spin_unlock_irq(&data->txlock);
  3156.     schedule_work(&data->work);
  3157.  
  3158.     return 0;
  3159.  
  3160. failed:
  3161.     usb_scuttle_anchored_urbs(&data->deferred);
  3162. done:
  3163.     spin_lock_irq(&data->txlock);
  3164.     clear_bit(BTUSB_SUSPENDING, &data->flags);
  3165.     spin_unlock_irq(&data->txlock);
  3166.  
  3167.     return err;
  3168. }
  3169. #endif
  3170.  
  3171. static struct usb_driver btusb_driver = {
  3172.     .name       = "btusb",
  3173.     .probe      = btusb_probe,
  3174.     .disconnect = btusb_disconnect,
  3175. #ifdef CONFIG_PM
  3176.     .suspend    = btusb_suspend,
  3177.     .resume     = btusb_resume,
  3178. #endif
  3179.     .id_table   = btusb_table,
  3180.     .supports_autosuspend = 1,
  3181.     .disable_hub_initiated_lpm = 1,
  3182. };
  3183.  
  3184. module_usb_driver(btusb_driver);
  3185.  
  3186. module_param(disable_scofix, bool, 0644);
  3187. MODULE_PARM_DESC(disable_scofix, "Disable fixup of wrong SCO buffer size");
  3188.  
  3189. module_param(force_scofix, bool, 0644);
  3190. MODULE_PARM_DESC(force_scofix, "Force fixup of wrong SCO buffers size");
  3191.  
  3192. module_param(reset, bool, 0644);
  3193. MODULE_PARM_DESC(reset, "Send HCI reset command on initialization");
  3194.  
  3195. MODULE_AUTHOR("Marcel Holtmann <marcel@holtmann.org>");
  3196. MODULE_DESCRIPTION("Generic Bluetooth USB driver ver " VERSION);
  3197. MODULE_VERSION(VERSION);
  3198. MODULE_LICENSE("GPL");
RAW Paste Data Copied