git.openpandora.org / pandora-kernel.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/dtor/input
[pandora-kernel.git] / drivers / bluetooth / btusb.c
1 /*
2  *
3  *  Generic Bluetooth USB driver
4  *
5  *  Copyright (C) 2005-2008  Marcel Holtmann <marcel@holtmann.org>
6  *
7  *
8  *  This program is free software; you can redistribute it and/or modify
9  *  it under the terms of the GNU General Public License as published by
10  *  the Free Software Foundation; either version 2 of the License, or
11  *  (at your option) any later version.
12  *
13  *  This program is distributed in the hope that it will be useful,
14  *  but WITHOUT ANY WARRANTY; without even the implied warranty of
15  *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
16  *  GNU General Public License for more details.
17  *
18  *  You should have received a copy of the GNU General Public License
19  *  along with this program; if not, write to the Free Software
20  *  Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
21  *
22  */
23
24 #include <linux/module.h>
25 #include <linux/usb.h>
26 #include <linux/firmware.h>
27
28 #include <net/bluetooth/bluetooth.h>
29 #include <net/bluetooth/hci_core.h>
30
31 #define VERSION "0.6"
32
33 static bool disable_scofix;
34 static bool force_scofix;
35
36 static bool reset = 1;
37
38 static struct usb_driver btusb_driver;
39
40 #define BTUSB_IGNORE            0x01
41 #define BTUSB_DIGIANSWER        0x02
42 #define BTUSB_CSR               0x04
43 #define BTUSB_SNIFFER           0x08
44 #define BTUSB_BCM92035          0x10
45 #define BTUSB_BROKEN_ISOC       0x20
46 #define BTUSB_WRONG_SCO_MTU     0x40
47 #define BTUSB_ATH3012           0x80
48 #define BTUSB_INTEL             0x100
49 #define BTUSB_INTEL_BOOT        0x200
50 #define BTUSB_BCM_PATCHRAM      0x400
51 #define BTUSB_MARVELL           0x800
52
53 static const struct usb_device_id btusb_table[] = {
54         /* Generic Bluetooth USB device */
55         { USB_DEVICE_INFO(0xe0, 0x01, 0x01) },
56
57         /* Apple-specific (Broadcom) devices */
58         { USB_VENDOR_AND_INTERFACE_INFO(0x05ac, 0xff, 0x01, 0x01) },
59
60         /* MediaTek MT76x0E */
61         { USB_DEVICE(0x0e8d, 0x763f) },
62
63         /* Broadcom SoftSailing reporting vendor specific */
64         { USB_DEVICE(0x0a5c, 0x21e1) },
65
66         /* Apple MacBookPro 7,1 */
67         { USB_DEVICE(0x05ac, 0x8213) },
68
69         /* Apple iMac11,1 */
70         { USB_DEVICE(0x05ac, 0x8215) },
71
72         /* Apple MacBookPro6,2 */
73         { USB_DEVICE(0x05ac, 0x8218) },
74
75         /* Apple MacBookAir3,1, MacBookAir3,2 */
76         { USB_DEVICE(0x05ac, 0x821b) },
77
78         /* Apple MacBookAir4,1 */
79         { USB_DEVICE(0x05ac, 0x821f) },
80
81         /* Apple MacBookPro8,2 */
82         { USB_DEVICE(0x05ac, 0x821a) },
83
84         /* Apple MacMini5,1 */
85         { USB_DEVICE(0x05ac, 0x8281) },
86
87         /* AVM BlueFRITZ! USB v2.0 */
88         { USB_DEVICE(0x057c, 0x3800) },
89
90         /* Bluetooth Ultraport Module from IBM */
91         { USB_DEVICE(0x04bf, 0x030a) },
92
93         /* ALPS Modules with non-standard id */
94         { USB_DEVICE(0x044e, 0x3001) },
95         { USB_DEVICE(0x044e, 0x3002) },
96
97         /* Ericsson with non-standard id */
98         { USB_DEVICE(0x0bdb, 0x1002) },
99
100         /* Canyon CN-BTU1 with HID interfaces */
101         { USB_DEVICE(0x0c10, 0x0000) },
102
103         /* Broadcom BCM20702A0 */
104         { USB_DEVICE(0x0489, 0xe042) },
105         { USB_DEVICE(0x04ca, 0x2003) },
106         { USB_DEVICE(0x0b05, 0x17b5) },
107         { USB_DEVICE(0x0b05, 0x17cb) },
108         { USB_DEVICE(0x413c, 0x8197) },
109         { USB_DEVICE(0x13d3, 0x3404),
110           .driver_info = BTUSB_BCM_PATCHRAM },
111
112         /* Foxconn - Hon Hai */
113         { USB_VENDOR_AND_INTERFACE_INFO(0x0489, 0xff, 0x01, 0x01),
114           .driver_info = BTUSB_BCM_PATCHRAM },
115
116         /* Broadcom devices with vendor specific id */
117         { USB_VENDOR_AND_INTERFACE_INFO(0x0a5c, 0xff, 0x01, 0x01),
118           .driver_info = BTUSB_BCM_PATCHRAM },
119
120         /* ASUSTek Computer - Broadcom based */
121         { USB_VENDOR_AND_INTERFACE_INFO(0x0b05, 0xff, 0x01, 0x01) },
122
123         /* Belkin F8065bf - Broadcom based */
124         { USB_VENDOR_AND_INTERFACE_INFO(0x050d, 0xff, 0x01, 0x01) },
125
126         /* IMC Networks - Broadcom based */
127         { USB_VENDOR_AND_INTERFACE_INFO(0x13d3, 0xff, 0x01, 0x01) },
128
129         /* Intel Bluetooth USB Bootloader (RAM module) */
130         { USB_DEVICE(0x8087, 0x0a5a),
131           .driver_info = BTUSB_INTEL_BOOT | BTUSB_BROKEN_ISOC },
132
133         { }     /* Terminating entry */
134 };
135
136 MODULE_DEVICE_TABLE(usb, btusb_table);
137
138 static const struct usb_device_id blacklist_table[] = {
139         /* CSR BlueCore devices */
140         { USB_DEVICE(0x0a12, 0x0001), .driver_info = BTUSB_CSR },
141
142         /* Broadcom BCM2033 without firmware */
143         { USB_DEVICE(0x0a5c, 0x2033), .driver_info = BTUSB_IGNORE },
144
145         /* Atheros 3011 with sflash firmware */
146         { USB_DEVICE(0x0489, 0xe027), .driver_info = BTUSB_IGNORE },
147         { USB_DEVICE(0x0489, 0xe03d), .driver_info = BTUSB_IGNORE },
148         { USB_DEVICE(0x0930, 0x0215), .driver_info = BTUSB_IGNORE },
149         { USB_DEVICE(0x0cf3, 0x3002), .driver_info = BTUSB_IGNORE },
150         { USB_DEVICE(0x0cf3, 0xe019), .driver_info = BTUSB_IGNORE },
151         { USB_DEVICE(0x13d3, 0x3304), .driver_info = BTUSB_IGNORE },
152
153         /* Atheros AR9285 Malbec with sflash firmware */
154         { USB_DEVICE(0x03f0, 0x311d), .driver_info = BTUSB_IGNORE },
155
156         /* Atheros 3012 with sflash firmware */
157         { USB_DEVICE(0x0489, 0xe04d), .driver_info = BTUSB_ATH3012 },
158         { USB_DEVICE(0x0489, 0xe04e), .driver_info = BTUSB_ATH3012 },
159         { USB_DEVICE(0x0489, 0xe056), .driver_info = BTUSB_ATH3012 },
160         { USB_DEVICE(0x0489, 0xe057), .driver_info = BTUSB_ATH3012 },
161         { USB_DEVICE(0x0489, 0xe05f), .driver_info = BTUSB_ATH3012 },
162         { USB_DEVICE(0x0489, 0xe078), .driver_info = BTUSB_ATH3012 },
163         { USB_DEVICE(0x04c5, 0x1330), .driver_info = BTUSB_ATH3012 },
164         { USB_DEVICE(0x04ca, 0x3004), .driver_info = BTUSB_ATH3012 },
165         { USB_DEVICE(0x04ca, 0x3005), .driver_info = BTUSB_ATH3012 },
166         { USB_DEVICE(0x04ca, 0x3006), .driver_info = BTUSB_ATH3012 },
167         { USB_DEVICE(0x04ca, 0x3007), .driver_info = BTUSB_ATH3012 },
168         { USB_DEVICE(0x04ca, 0x3008), .driver_info = BTUSB_ATH3012 },
169         { USB_DEVICE(0x04ca, 0x300b), .driver_info = BTUSB_ATH3012 },
170         { USB_DEVICE(0x04ca, 0x3010), .driver_info = BTUSB_ATH3012 },
171         { USB_DEVICE(0x0930, 0x0219), .driver_info = BTUSB_ATH3012 },
172         { USB_DEVICE(0x0930, 0x0220), .driver_info = BTUSB_ATH3012 },
173         { USB_DEVICE(0x0930, 0x0227), .driver_info = BTUSB_ATH3012 },
174         { USB_DEVICE(0x0b05, 0x17d0), .driver_info = BTUSB_ATH3012 },
175         { USB_DEVICE(0x0cf3, 0x0036), .driver_info = BTUSB_ATH3012 },
176         { USB_DEVICE(0x0cf3, 0x3004), .driver_info = BTUSB_ATH3012 },
177         { USB_DEVICE(0x0cf3, 0x3008), .driver_info = BTUSB_ATH3012 },
178         { USB_DEVICE(0x0cf3, 0x311d), .driver_info = BTUSB_ATH3012 },
179         { USB_DEVICE(0x0cf3, 0x311e), .driver_info = BTUSB_ATH3012 },
180         { USB_DEVICE(0x0cf3, 0x311f), .driver_info = BTUSB_ATH3012 },
181         { USB_DEVICE(0x0cf3, 0x3121), .driver_info = BTUSB_ATH3012 },
182         { USB_DEVICE(0x0cf3, 0x817a), .driver_info = BTUSB_ATH3012 },
183         { USB_DEVICE(0x0cf3, 0xe003), .driver_info = BTUSB_ATH3012 },
184         { USB_DEVICE(0x0cf3, 0xe004), .driver_info = BTUSB_ATH3012 },
185         { USB_DEVICE(0x0cf3, 0xe005), .driver_info = BTUSB_ATH3012 },
186         { USB_DEVICE(0x13d3, 0x3362), .driver_info = BTUSB_ATH3012 },
187         { USB_DEVICE(0x13d3, 0x3375), .driver_info = BTUSB_ATH3012 },
188         { USB_DEVICE(0x13d3, 0x3393), .driver_info = BTUSB_ATH3012 },
189         { USB_DEVICE(0x13d3, 0x3402), .driver_info = BTUSB_ATH3012 },
190         { USB_DEVICE(0x13d3, 0x3408), .driver_info = BTUSB_ATH3012 },
191         { USB_DEVICE(0x13d3, 0x3432), .driver_info = BTUSB_ATH3012 },
192
193         /* Atheros AR5BBU12 with sflash firmware */
194         { USB_DEVICE(0x0489, 0xe02c), .driver_info = BTUSB_IGNORE },
195
196         /* Atheros AR5BBU12 with sflash firmware */
197         { USB_DEVICE(0x0489, 0xe036), .driver_info = BTUSB_ATH3012 },
198         { USB_DEVICE(0x0489, 0xe03c), .driver_info = BTUSB_ATH3012 },
199
200         /* Broadcom BCM2035 */
201         { USB_DEVICE(0x0a5c, 0x2009), .driver_info = BTUSB_BCM92035 },
202         { USB_DEVICE(0x0a5c, 0x200a), .driver_info = BTUSB_WRONG_SCO_MTU },
203         { USB_DEVICE(0x0a5c, 0x2035), .driver_info = BTUSB_WRONG_SCO_MTU },
204
205         /* Broadcom BCM2045 */
206         { USB_DEVICE(0x0a5c, 0x2039), .driver_info = BTUSB_WRONG_SCO_MTU },
207         { USB_DEVICE(0x0a5c, 0x2101), .driver_info = BTUSB_WRONG_SCO_MTU },
208
209         /* IBM/Lenovo ThinkPad with Broadcom chip */
210         { USB_DEVICE(0x0a5c, 0x201e), .driver_info = BTUSB_WRONG_SCO_MTU },
211         { USB_DEVICE(0x0a5c, 0x2110), .driver_info = BTUSB_WRONG_SCO_MTU },
212
213         /* HP laptop with Broadcom chip */
214         { USB_DEVICE(0x03f0, 0x171d), .driver_info = BTUSB_WRONG_SCO_MTU },
215
216         /* Dell laptop with Broadcom chip */
217         { USB_DEVICE(0x413c, 0x8126), .driver_info = BTUSB_WRONG_SCO_MTU },
218
219         /* Dell Wireless 370 and 410 devices */
220         { USB_DEVICE(0x413c, 0x8152), .driver_info = BTUSB_WRONG_SCO_MTU },
221         { USB_DEVICE(0x413c, 0x8156), .driver_info = BTUSB_WRONG_SCO_MTU },
222
223         /* Belkin F8T012 and F8T013 devices */
224         { USB_DEVICE(0x050d, 0x0012), .driver_info = BTUSB_WRONG_SCO_MTU },
225         { USB_DEVICE(0x050d, 0x0013), .driver_info = BTUSB_WRONG_SCO_MTU },
226
227         /* Asus WL-BTD202 device */
228         { USB_DEVICE(0x0b05, 0x1715), .driver_info = BTUSB_WRONG_SCO_MTU },
229
230         /* Kensington Bluetooth USB adapter */
231         { USB_DEVICE(0x047d, 0x105e), .driver_info = BTUSB_WRONG_SCO_MTU },
232
233         /* RTX Telecom based adapters with buggy SCO support */
234         { USB_DEVICE(0x0400, 0x0807), .driver_info = BTUSB_BROKEN_ISOC },
235         { USB_DEVICE(0x0400, 0x080a), .driver_info = BTUSB_BROKEN_ISOC },
236
237         /* CONWISE Technology based adapters with buggy SCO support */
238         { USB_DEVICE(0x0e5e, 0x6622), .driver_info = BTUSB_BROKEN_ISOC },
239
240         /* Digianswer devices */
241         { USB_DEVICE(0x08fd, 0x0001), .driver_info = BTUSB_DIGIANSWER },
242         { USB_DEVICE(0x08fd, 0x0002), .driver_info = BTUSB_IGNORE },
243
244         /* CSR BlueCore Bluetooth Sniffer */
245         { USB_DEVICE(0x0a12, 0x0002),
246           .driver_info = BTUSB_SNIFFER | BTUSB_BROKEN_ISOC },
247
248         /* Frontline ComProbe Bluetooth Sniffer */
249         { USB_DEVICE(0x16d3, 0x0002),
250           .driver_info = BTUSB_SNIFFER | BTUSB_BROKEN_ISOC },
251
252         /* Intel Bluetooth device */
253         { USB_DEVICE(0x8087, 0x07dc), .driver_info = BTUSB_INTEL },
254         { USB_DEVICE(0x8087, 0x0a2a), .driver_info = BTUSB_INTEL },
255
256         /* Marvell device */
257         { USB_DEVICE(0x1286, 0x2044), .driver_info = BTUSB_MARVELL },
258         { USB_DEVICE(0x1286, 0x2046), .driver_info = BTUSB_MARVELL },
259
260         { }     /* Terminating entry */
261 };
262
263 #define BTUSB_MAX_ISOC_FRAMES   10
264
265 #define BTUSB_INTR_RUNNING      0
266 #define BTUSB_BULK_RUNNING      1
267 #define BTUSB_ISOC_RUNNING      2
268 #define BTUSB_SUSPENDING        3
269 #define BTUSB_DID_ISO_RESUME    4
270
271 struct btusb_data {
272         struct hci_dev       *hdev;
273         struct usb_device    *udev;
274         struct usb_interface *intf;
275         struct usb_interface *isoc;
276
277         unsigned long flags;
278
279         struct work_struct work;
280         struct work_struct waker;
281
282         struct usb_anchor deferred;
283         struct usb_anchor tx_anchor;
284         int tx_in_flight;
285         spinlock_t txlock;
286
287         struct usb_anchor intr_anchor;
288         struct usb_anchor bulk_anchor;
289         struct usb_anchor isoc_anchor;
290         spinlock_t rxlock;
291
292         struct sk_buff *evt_skb;
293         struct sk_buff *acl_skb;
294         struct sk_buff *sco_skb;
295
296         struct usb_endpoint_descriptor *intr_ep;
297         struct usb_endpoint_descriptor *bulk_tx_ep;
298         struct usb_endpoint_descriptor *bulk_rx_ep;
299         struct usb_endpoint_descriptor *isoc_tx_ep;
300         struct usb_endpoint_descriptor *isoc_rx_ep;
301
302         __u8 cmdreq_type;
303
304         unsigned int sco_num;
305         int isoc_altsetting;
306         int suspend_count;
307
308         int (*recv_bulk)(struct btusb_data *data, void *buffer, int count);
309 };
310
311 static inline void btusb_free_frags(struct btusb_data *data)
312 {
313         unsigned long flags;
314
315         spin_lock_irqsave(&data->rxlock, flags);
316
317         kfree_skb(data->evt_skb);
318         data->evt_skb = NULL;
319
320         kfree_skb(data->acl_skb);
321         data->acl_skb = NULL;
322
323         kfree_skb(data->sco_skb);
324         data->sco_skb = NULL;
325
326         spin_unlock_irqrestore(&data->rxlock, flags);
327 }
328
329 static int btusb_recv_intr(struct btusb_data *data, void *buffer, int count)
330 {
331         struct sk_buff *skb;
332         int err = 0;
333
334         spin_lock(&data->rxlock);
335         skb = data->evt_skb;
336
337         while (count) {
338                 int len;
339
340                 if (!skb) {
341                         skb = bt_skb_alloc(HCI_MAX_EVENT_SIZE, GFP_ATOMIC);
342                         if (!skb) {
343                                 err = -ENOMEM;
344                                 break;
345                         }
346
347                         bt_cb(skb)->pkt_type = HCI_EVENT_PKT;
348                         bt_cb(skb)->expect = HCI_EVENT_HDR_SIZE;
349                 }
350
351                 len = min_t(uint, bt_cb(skb)->expect, count);
352                 memcpy(skb_put(skb, len), buffer, len);
353
354                 count -= len;
355                 buffer += len;
356                 bt_cb(skb)->expect -= len;
357
358                 if (skb->len == HCI_EVENT_HDR_SIZE) {
359                         /* Complete event header */
360                         bt_cb(skb)->expect = hci_event_hdr(skb)->plen;
361
362                         if (skb_tailroom(skb) < bt_cb(skb)->expect) {
363                                 kfree_skb(skb);
364                                 skb = NULL;
365
366                                 err = -EILSEQ;
367                                 break;
368                         }
369                 }
370
371                 if (bt_cb(skb)->expect == 0) {
372                         /* Complete frame */
373                         hci_recv_frame(data->hdev, skb);
374                         skb = NULL;
375                 }
376         }
377
378         data->evt_skb = skb;
379         spin_unlock(&data->rxlock);
380
381         return err;
382 }
383
384 static int btusb_recv_bulk(struct btusb_data *data, void *buffer, int count)
385 {
386         struct sk_buff *skb;
387         int err = 0;
388
389         spin_lock(&data->rxlock);
390         skb = data->acl_skb;
391
392         while (count) {
393                 int len;
394
395                 if (!skb) {
396                         skb = bt_skb_alloc(HCI_MAX_FRAME_SIZE, GFP_ATOMIC);
397                         if (!skb) {
398                                 err = -ENOMEM;
399                                 break;
400                         }
401
402                         bt_cb(skb)->pkt_type = HCI_ACLDATA_PKT;
403                         bt_cb(skb)->expect = HCI_ACL_HDR_SIZE;
404                 }
405
406                 len = min_t(uint, bt_cb(skb)->expect, count);
407                 memcpy(skb_put(skb, len), buffer, len);
408
409                 count -= len;
410                 buffer += len;
411                 bt_cb(skb)->expect -= len;
412
413                 if (skb->len == HCI_ACL_HDR_SIZE) {
414                         __le16 dlen = hci_acl_hdr(skb)->dlen;
415
416                         /* Complete ACL header */
417                         bt_cb(skb)->expect = __le16_to_cpu(dlen);
418
419                         if (skb_tailroom(skb) < bt_cb(skb)->expect) {
420                                 kfree_skb(skb);
421                                 skb = NULL;
422
423                                 err = -EILSEQ;
424                                 break;
425                         }
426                 }
427
428                 if (bt_cb(skb)->expect == 0) {
429                         /* Complete frame */
430                         hci_recv_frame(data->hdev, skb);
431                         skb = NULL;
432                 }
433         }
434
435         data->acl_skb = skb;
436         spin_unlock(&data->rxlock);
437
438         return err;
439 }
440
441 static int btusb_recv_isoc(struct btusb_data *data, void *buffer, int count)
442 {
443         struct sk_buff *skb;
444         int err = 0;
445
446         spin_lock(&data->rxlock);
447         skb = data->sco_skb;
448
449         while (count) {
450                 int len;
451
452                 if (!skb) {
453                         skb = bt_skb_alloc(HCI_MAX_SCO_SIZE, GFP_ATOMIC);
454                         if (!skb) {
455                                 err = -ENOMEM;
456                                 break;
457                         }
458
459                         bt_cb(skb)->pkt_type = HCI_SCODATA_PKT;
460                         bt_cb(skb)->expect = HCI_SCO_HDR_SIZE;
461                 }
462
463                 len = min_t(uint, bt_cb(skb)->expect, count);
464                 memcpy(skb_put(skb, len), buffer, len);
465
466                 count -= len;
467                 buffer += len;
468                 bt_cb(skb)->expect -= len;
469
470                 if (skb->len == HCI_SCO_HDR_SIZE) {
471                         /* Complete SCO header */
472                         bt_cb(skb)->expect = hci_sco_hdr(skb)->dlen;
473
474                         if (skb_tailroom(skb) < bt_cb(skb)->expect) {
475                                 kfree_skb(skb);
476                                 skb = NULL;
477
478                                 err = -EILSEQ;
479                                 break;
480                         }
481                 }
482
483                 if (bt_cb(skb)->expect == 0) {
484                         /* Complete frame */
485                         hci_recv_frame(data->hdev, skb);
486                         skb = NULL;
487                 }
488         }
489
490         data->sco_skb = skb;
491         spin_unlock(&data->rxlock);
492
493         return err;
494 }
495
496 static void btusb_intr_complete(struct urb *urb)
497 {
498         struct hci_dev *hdev = urb->context;
499         struct btusb_data *data = hci_get_drvdata(hdev);
500         int err;
501
502         BT_DBG("%s urb %p status %d count %d", hdev->name, urb, urb->status,
503                urb->actual_length);
504
505         if (!test_bit(HCI_RUNNING, &hdev->flags))
506                 return;
507
508         if (urb->status == 0) {
509                 hdev->stat.byte_rx += urb->actual_length;
510
511                 if (btusb_recv_intr(data, urb->transfer_buffer,
512                                     urb->actual_length) < 0) {
513                         BT_ERR("%s corrupted event packet", hdev->name);
514                         hdev->stat.err_rx++;
515                 }
516         } else if (urb->status == -ENOENT) {
517                 /* Avoid suspend failed when usb_kill_urb */
518                 return;
519         }
520
521         if (!test_bit(BTUSB_INTR_RUNNING, &data->flags))
522                 return;
523
524         usb_mark_last_busy(data->udev);
525         usb_anchor_urb(urb, &data->intr_anchor);
526
527         err = usb_submit_urb(urb, GFP_ATOMIC);
528         if (err < 0) {
529                 /* -EPERM: urb is being killed;
530                  * -ENODEV: device got disconnected */
531                 if (err != -EPERM && err != -ENODEV)
532                         BT_ERR("%s urb %p failed to resubmit (%d)",
533                                hdev->name, urb, -err);
534                 usb_unanchor_urb(urb);
535         }
536 }
537
538 static int btusb_submit_intr_urb(struct hci_dev *hdev, gfp_t mem_flags)
539 {
540         struct btusb_data *data = hci_get_drvdata(hdev);
541         struct urb *urb;
542         unsigned char *buf;
543         unsigned int pipe;
544         int err, size;
545
546         BT_DBG("%s", hdev->name);
547
548         if (!data->intr_ep)
549                 return -ENODEV;
550
551         urb = usb_alloc_urb(0, mem_flags);
552         if (!urb)
553                 return -ENOMEM;
554
555         size = le16_to_cpu(data->intr_ep->wMaxPacketSize);
556
557         buf = kmalloc(size, mem_flags);
558         if (!buf) {
559                 usb_free_urb(urb);
560                 return -ENOMEM;
561         }
562
563         pipe = usb_rcvintpipe(data->udev, data->intr_ep->bEndpointAddress);
564
565         usb_fill_int_urb(urb, data->udev, pipe, buf, size,
566                          btusb_intr_complete, hdev, data->intr_ep->bInterval);
567
568         urb->transfer_flags |= URB_FREE_BUFFER;
569
570         usb_anchor_urb(urb, &data->intr_anchor);
571
572         err = usb_submit_urb(urb, mem_flags);
573         if (err < 0) {
574                 if (err != -EPERM && err != -ENODEV)
575                         BT_ERR("%s urb %p submission failed (%d)",
576                                hdev->name, urb, -err);
577                 usb_unanchor_urb(urb);
578         }
579
580         usb_free_urb(urb);
581
582         return err;
583 }
584
585 static void btusb_bulk_complete(struct urb *urb)
586 {
587         struct hci_dev *hdev = urb->context;
588         struct btusb_data *data = hci_get_drvdata(hdev);
589         int err;
590
591         BT_DBG("%s urb %p status %d count %d", hdev->name, urb, urb->status,
592                urb->actual_length);
593
594         if (!test_bit(HCI_RUNNING, &hdev->flags))
595                 return;
596
597         if (urb->status == 0) {
598                 hdev->stat.byte_rx += urb->actual_length;
599
600                 if (data->recv_bulk(data, urb->transfer_buffer,
601                                     urb->actual_length) < 0) {
602                         BT_ERR("%s corrupted ACL packet", hdev->name);
603                         hdev->stat.err_rx++;
604                 }
605         } else if (urb->status == -ENOENT) {
606                 /* Avoid suspend failed when usb_kill_urb */
607                 return;
608         }
609
610         if (!test_bit(BTUSB_BULK_RUNNING, &data->flags))
611                 return;
612
613         usb_anchor_urb(urb, &data->bulk_anchor);
614         usb_mark_last_busy(data->udev);
615
616         err = usb_submit_urb(urb, GFP_ATOMIC);
617         if (err < 0) {
618                 /* -EPERM: urb is being killed;
619                  * -ENODEV: device got disconnected */
620                 if (err != -EPERM && err != -ENODEV)
621                         BT_ERR("%s urb %p failed to resubmit (%d)",
622                                hdev->name, urb, -err);
623                 usb_unanchor_urb(urb);
624         }
625 }
626
627 static int btusb_submit_bulk_urb(struct hci_dev *hdev, gfp_t mem_flags)
628 {
629         struct btusb_data *data = hci_get_drvdata(hdev);
630         struct urb *urb;
631         unsigned char *buf;
632         unsigned int pipe;
633         int err, size = HCI_MAX_FRAME_SIZE;
634
635         BT_DBG("%s", hdev->name);
636
637         if (!data->bulk_rx_ep)
638                 return -ENODEV;
639
640         urb = usb_alloc_urb(0, mem_flags);
641         if (!urb)
642                 return -ENOMEM;
643
644         buf = kmalloc(size, mem_flags);
645         if (!buf) {
646                 usb_free_urb(urb);
647                 return -ENOMEM;
648         }
649
650         pipe = usb_rcvbulkpipe(data->udev, data->bulk_rx_ep->bEndpointAddress);
651
652         usb_fill_bulk_urb(urb, data->udev, pipe, buf, size,
653                           btusb_bulk_complete, hdev);
654
655         urb->transfer_flags |= URB_FREE_BUFFER;
656
657         usb_mark_last_busy(data->udev);
658         usb_anchor_urb(urb, &data->bulk_anchor);
659
660         err = usb_submit_urb(urb, mem_flags);
661         if (err < 0) {
662                 if (err != -EPERM && err != -ENODEV)
663                         BT_ERR("%s urb %p submission failed (%d)",
664                                hdev->name, urb, -err);
665                 usb_unanchor_urb(urb);
666         }
667
668         usb_free_urb(urb);
669
670         return err;
671 }
672
673 static void btusb_isoc_complete(struct urb *urb)
674 {
675         struct hci_dev *hdev = urb->context;
676         struct btusb_data *data = hci_get_drvdata(hdev);
677         int i, err;
678
679         BT_DBG("%s urb %p status %d count %d", hdev->name, urb, urb->status,
680                urb->actual_length);
681
682         if (!test_bit(HCI_RUNNING, &hdev->flags))
683                 return;
684
685         if (urb->status == 0) {
686                 for (i = 0; i < urb->number_of_packets; i++) {
687                         unsigned int offset = urb->iso_frame_desc[i].offset;
688                         unsigned int length = urb->iso_frame_desc[i].actual_length;
689
690                         if (urb->iso_frame_desc[i].status)
691                                 continue;
692
693                         hdev->stat.byte_rx += length;
694
695                         if (btusb_recv_isoc(data, urb->transfer_buffer + offset,
696                                             length) < 0) {
697                                 BT_ERR("%s corrupted SCO packet", hdev->name);
698                                 hdev->stat.err_rx++;
699                         }
700                 }
701         } else if (urb->status == -ENOENT) {
702                 /* Avoid suspend failed when usb_kill_urb */
703                 return;
704         }
705
706         if (!test_bit(BTUSB_ISOC_RUNNING, &data->flags))
707                 return;
708
709         usb_anchor_urb(urb, &data->isoc_anchor);
710
711         err = usb_submit_urb(urb, GFP_ATOMIC);
712         if (err < 0) {
713                 /* -EPERM: urb is being killed;
714                  * -ENODEV: device got disconnected */
715                 if (err != -EPERM && err != -ENODEV)
716                         BT_ERR("%s urb %p failed to resubmit (%d)",
717                                hdev->name, urb, -err);
718                 usb_unanchor_urb(urb);
719         }
720 }
721
722 static inline void __fill_isoc_descriptor(struct urb *urb, int len, int mtu)
723 {
724         int i, offset = 0;
725
726         BT_DBG("len %d mtu %d", len, mtu);
727
728         for (i = 0; i < BTUSB_MAX_ISOC_FRAMES && len >= mtu;
729                                         i++, offset += mtu, len -= mtu) {
730                 urb->iso_frame_desc[i].offset = offset;
731                 urb->iso_frame_desc[i].length = mtu;
732         }
733
734         if (len && i < BTUSB_MAX_ISOC_FRAMES) {
735                 urb->iso_frame_desc[i].offset = offset;
736                 urb->iso_frame_desc[i].length = len;
737                 i++;
738         }
739
740         urb->number_of_packets = i;
741 }
742
743 static int btusb_submit_isoc_urb(struct hci_dev *hdev, gfp_t mem_flags)
744 {
745         struct btusb_data *data = hci_get_drvdata(hdev);
746         struct urb *urb;
747         unsigned char *buf;
748         unsigned int pipe;
749         int err, size;
750
751         BT_DBG("%s", hdev->name);
752
753         if (!data->isoc_rx_ep)
754                 return -ENODEV;
755
756         urb = usb_alloc_urb(BTUSB_MAX_ISOC_FRAMES, mem_flags);
757         if (!urb)
758                 return -ENOMEM;
759
760         size = le16_to_cpu(data->isoc_rx_ep->wMaxPacketSize) *
761                                                 BTUSB_MAX_ISOC_FRAMES;
762
763         buf = kmalloc(size, mem_flags);
764         if (!buf) {
765                 usb_free_urb(urb);
766                 return -ENOMEM;
767         }
768
769         pipe = usb_rcvisocpipe(data->udev, data->isoc_rx_ep->bEndpointAddress);
770
771         usb_fill_int_urb(urb, data->udev, pipe, buf, size, btusb_isoc_complete,
772                          hdev, data->isoc_rx_ep->bInterval);
773
774         urb->transfer_flags = URB_FREE_BUFFER | URB_ISO_ASAP;
775
776         __fill_isoc_descriptor(urb, size,
777                                le16_to_cpu(data->isoc_rx_ep->wMaxPacketSize));
778
779         usb_anchor_urb(urb, &data->isoc_anchor);
780
781         err = usb_submit_urb(urb, mem_flags);
782         if (err < 0) {
783                 if (err != -EPERM && err != -ENODEV)
784                         BT_ERR("%s urb %p submission failed (%d)",
785                                hdev->name, urb, -err);
786                 usb_unanchor_urb(urb);
787         }
788
789         usb_free_urb(urb);
790
791         return err;
792 }
793
794 static void btusb_tx_complete(struct urb *urb)
795 {
796         struct sk_buff *skb = urb->context;
797         struct hci_dev *hdev = (struct hci_dev *)skb->dev;
798         struct btusb_data *data = hci_get_drvdata(hdev);
799
800         BT_DBG("%s urb %p status %d count %d", hdev->name, urb, urb->status,
801                urb->actual_length);
802
803         if (!test_bit(HCI_RUNNING, &hdev->flags))
804                 goto done;
805
806         if (!urb->status)
807                 hdev->stat.byte_tx += urb->transfer_buffer_length;
808         else
809                 hdev->stat.err_tx++;
810
811 done:
812         spin_lock(&data->txlock);
813         data->tx_in_flight--;
814         spin_unlock(&data->txlock);
815
816         kfree(urb->setup_packet);
817
818         kfree_skb(skb);
819 }
820
821 static void btusb_isoc_tx_complete(struct urb *urb)
822 {
823         struct sk_buff *skb = urb->context;
824         struct hci_dev *hdev = (struct hci_dev *)skb->dev;
825
826         BT_DBG("%s urb %p status %d count %d", hdev->name, urb, urb->status,
827                urb->actual_length);
828
829         if (!test_bit(HCI_RUNNING, &hdev->flags))
830                 goto done;
831
832         if (!urb->status)
833                 hdev->stat.byte_tx += urb->transfer_buffer_length;
834         else
835                 hdev->stat.err_tx++;
836
837 done:
838         kfree(urb->setup_packet);
839
840         kfree_skb(skb);
841 }
842
843 static int btusb_open(struct hci_dev *hdev)
844 {
845         struct btusb_data *data = hci_get_drvdata(hdev);
846         int err;
847
848         BT_DBG("%s", hdev->name);
849
850         err = usb_autopm_get_interface(data->intf);
851         if (err < 0)
852                 return err;
853
854         data->intf->needs_remote_wakeup = 1;
855
856         if (test_and_set_bit(HCI_RUNNING, &hdev->flags))
857                 goto done;
858
859         if (test_and_set_bit(BTUSB_INTR_RUNNING, &data->flags))
860                 goto done;
861
862         err = btusb_submit_intr_urb(hdev, GFP_KERNEL);
863         if (err < 0)
864                 goto failed;
865
866         err = btusb_submit_bulk_urb(hdev, GFP_KERNEL);
867         if (err < 0) {
868                 usb_kill_anchored_urbs(&data->intr_anchor);
869                 goto failed;
870         }
871
872         set_bit(BTUSB_BULK_RUNNING, &data->flags);
873         btusb_submit_bulk_urb(hdev, GFP_KERNEL);
874
875 done:
876         usb_autopm_put_interface(data->intf);
877         return 0;
878
879 failed:
880         clear_bit(BTUSB_INTR_RUNNING, &data->flags);
881         clear_bit(HCI_RUNNING, &hdev->flags);
882         usb_autopm_put_interface(data->intf);
883         return err;
884 }
885
886 static void btusb_stop_traffic(struct btusb_data *data)
887 {
888         usb_kill_anchored_urbs(&data->intr_anchor);
889         usb_kill_anchored_urbs(&data->bulk_anchor);
890         usb_kill_anchored_urbs(&data->isoc_anchor);
891 }
892
893 static int btusb_close(struct hci_dev *hdev)
894 {
895         struct btusb_data *data = hci_get_drvdata(hdev);
896         int err;
897
898         BT_DBG("%s", hdev->name);
899
900         if (!test_and_clear_bit(HCI_RUNNING, &hdev->flags))
901                 return 0;
902
903         cancel_work_sync(&data->work);
904         cancel_work_sync(&data->waker);
905
906         clear_bit(BTUSB_ISOC_RUNNING, &data->flags);
907         clear_bit(BTUSB_BULK_RUNNING, &data->flags);
908         clear_bit(BTUSB_INTR_RUNNING, &data->flags);
909
910         btusb_stop_traffic(data);
911         btusb_free_frags(data);
912
913         err = usb_autopm_get_interface(data->intf);
914         if (err < 0)
915                 goto failed;
916
917         data->intf->needs_remote_wakeup = 0;
918         usb_autopm_put_interface(data->intf);
919
920 failed:
921         usb_scuttle_anchored_urbs(&data->deferred);
922         return 0;
923 }
924
925 static int btusb_flush(struct hci_dev *hdev)
926 {
927         struct btusb_data *data = hci_get_drvdata(hdev);
928
929         BT_DBG("%s", hdev->name);
930
931         usb_kill_anchored_urbs(&data->tx_anchor);
932         btusb_free_frags(data);
933
934         return 0;
935 }
936
937 static struct urb *alloc_ctrl_urb(struct hci_dev *hdev, struct sk_buff *skb)
938 {
939         struct btusb_data *data = hci_get_drvdata(hdev);
940         struct usb_ctrlrequest *dr;
941         struct urb *urb;
942         unsigned int pipe;
943
944         urb = usb_alloc_urb(0, GFP_KERNEL);
945         if (!urb)
946                 return ERR_PTR(-ENOMEM);
947
948         dr = kmalloc(sizeof(*dr), GFP_KERNEL);
949         if (!dr) {
950                 usb_free_urb(urb);
951                 return ERR_PTR(-ENOMEM);
952         }
953
954         dr->bRequestType = data->cmdreq_type;
955         dr->bRequest     = 0;
956         dr->wIndex       = 0;
957         dr->wValue       = 0;
958         dr->wLength      = __cpu_to_le16(skb->len);
959
960         pipe = usb_sndctrlpipe(data->udev, 0x00);
961
962         usb_fill_control_urb(urb, data->udev, pipe, (void *)dr,
963                              skb->data, skb->len, btusb_tx_complete, skb);
964
965         skb->dev = (void *)hdev;
966
967         return urb;
968 }
969
970 static struct urb *alloc_bulk_urb(struct hci_dev *hdev, struct sk_buff *skb)
971 {
972         struct btusb_data *data = hci_get_drvdata(hdev);
973         struct urb *urb;
974         unsigned int pipe;
975
976         if (!data->bulk_tx_ep)
977                 return ERR_PTR(-ENODEV);
978
979         urb = usb_alloc_urb(0, GFP_KERNEL);
980         if (!urb)
981                 return ERR_PTR(-ENOMEM);
982
983         pipe = usb_sndbulkpipe(data->udev, data->bulk_tx_ep->bEndpointAddress);
984
985         usb_fill_bulk_urb(urb, data->udev, pipe,
986                           skb->data, skb->len, btusb_tx_complete, skb);
987
988         skb->dev = (void *)hdev;
989
990         return urb;
991 }
992
993 static struct urb *alloc_isoc_urb(struct hci_dev *hdev, struct sk_buff *skb)
994 {
995         struct btusb_data *data = hci_get_drvdata(hdev);
996         struct urb *urb;
997         unsigned int pipe;
998
999         if (!data->isoc_tx_ep)
1000                 return ERR_PTR(-ENODEV);
1001
1002         urb = usb_alloc_urb(BTUSB_MAX_ISOC_FRAMES, GFP_KERNEL);
1003         if (!urb)
1004                 return ERR_PTR(-ENOMEM);
1005
1006         pipe = usb_sndisocpipe(data->udev, data->isoc_tx_ep->bEndpointAddress);
1007
1008         usb_fill_int_urb(urb, data->udev, pipe,
1009                          skb->data, skb->len, btusb_isoc_tx_complete,
1010                          skb, data->isoc_tx_ep->bInterval);
1011
1012         urb->transfer_flags  = URB_ISO_ASAP;
1013
1014         __fill_isoc_descriptor(urb, skb->len,
1015                                le16_to_cpu(data->isoc_tx_ep->wMaxPacketSize));
1016
1017         skb->dev = (void *)hdev;
1018
1019         return urb;
1020 }
1021
1022 static int submit_tx_urb(struct hci_dev *hdev, struct urb *urb)
1023 {
1024         struct btusb_data *data = hci_get_drvdata(hdev);
1025         int err;
1026
1027         usb_anchor_urb(urb, &data->tx_anchor);
1028
1029         err = usb_submit_urb(urb, GFP_KERNEL);
1030         if (err < 0) {
1031                 if (err != -EPERM && err != -ENODEV)
1032                         BT_ERR("%s urb %p submission failed (%d)",
1033                                hdev->name, urb, -err);
1034                 kfree(urb->setup_packet);
1035                 usb_unanchor_urb(urb);
1036         } else {
1037                 usb_mark_last_busy(data->udev);
1038         }
1039
1040         usb_free_urb(urb);
1041         return err;
1042 }
1043
1044 static int submit_or_queue_tx_urb(struct hci_dev *hdev, struct urb *urb)
1045 {
1046         struct btusb_data *data = hci_get_drvdata(hdev);
1047         unsigned long flags;
1048         bool suspending;
1049
1050         spin_lock_irqsave(&data->txlock, flags);
1051         suspending = test_bit(BTUSB_SUSPENDING, &data->flags);
1052         if (!suspending)
1053                 data->tx_in_flight++;
1054         spin_unlock_irqrestore(&data->txlock, flags);
1055
1056         if (!suspending)
1057                 return submit_tx_urb(hdev, urb);
1058
1059         usb_anchor_urb(urb, &data->deferred);
1060         schedule_work(&data->waker);
1061
1062         usb_free_urb(urb);
1063         return 0;
1064 }
1065
1066 static int btusb_send_frame(struct hci_dev *hdev, struct sk_buff *skb)
1067 {
1068         struct urb *urb;
1069
1070         BT_DBG("%s", hdev->name);
1071
1072         if (!test_bit(HCI_RUNNING, &hdev->flags))
1073                 return -EBUSY;
1074
1075         switch (bt_cb(skb)->pkt_type) {
1076         case HCI_COMMAND_PKT:
1077                 urb = alloc_ctrl_urb(hdev, skb);
1078                 if (IS_ERR(urb))
1079                         return PTR_ERR(urb);
1080
1081                 hdev->stat.cmd_tx++;
1082                 return submit_or_queue_tx_urb(hdev, urb);
1083
1084         case HCI_ACLDATA_PKT:
1085                 urb = alloc_bulk_urb(hdev, skb);
1086                 if (IS_ERR(urb))
1087                         return PTR_ERR(urb);
1088
1089                 hdev->stat.acl_tx++;
1090                 return submit_or_queue_tx_urb(hdev, urb);
1091
1092         case HCI_SCODATA_PKT:
1093                 if (hci_conn_num(hdev, SCO_LINK) < 1)
1094                         return -ENODEV;
1095
1096                 urb = alloc_isoc_urb(hdev, skb);
1097                 if (IS_ERR(urb))
1098                         return PTR_ERR(urb);
1099
1100                 hdev->stat.sco_tx++;
1101                 return submit_tx_urb(hdev, urb);
1102         }
1103
1104         return -EILSEQ;
1105 }
1106
1107 static void btusb_notify(struct hci_dev *hdev, unsigned int evt)
1108 {
1109         struct btusb_data *data = hci_get_drvdata(hdev);
1110
1111         BT_DBG("%s evt %d", hdev->name, evt);
1112
1113         if (hci_conn_num(hdev, SCO_LINK) != data->sco_num) {
1114                 data->sco_num = hci_conn_num(hdev, SCO_LINK);
1115                 schedule_work(&data->work);
1116         }
1117 }
1118
1119 static inline int __set_isoc_interface(struct hci_dev *hdev, int altsetting)
1120 {
1121         struct btusb_data *data = hci_get_drvdata(hdev);
1122         struct usb_interface *intf = data->isoc;
1123         struct usb_endpoint_descriptor *ep_desc;
1124         int i, err;
1125
1126         if (!data->isoc)
1127                 return -ENODEV;
1128
1129         err = usb_set_interface(data->udev, 1, altsetting);
1130         if (err < 0) {
1131                 BT_ERR("%s setting interface failed (%d)", hdev->name, -err);
1132                 return err;
1133         }
1134
1135         data->isoc_altsetting = altsetting;
1136
1137         data->isoc_tx_ep = NULL;
1138         data->isoc_rx_ep = NULL;
1139
1140         for (i = 0; i < intf->cur_altsetting->desc.bNumEndpoints; i++) {
1141                 ep_desc = &intf->cur_altsetting->endpoint[i].desc;
1142
1143                 if (!data->isoc_tx_ep && usb_endpoint_is_isoc_out(ep_desc)) {
1144                         data->isoc_tx_ep = ep_desc;
1145                         continue;
1146                 }
1147
1148                 if (!data->isoc_rx_ep && usb_endpoint_is_isoc_in(ep_desc)) {
1149                         data->isoc_rx_ep = ep_desc;
1150                         continue;
1151                 }
1152         }
1153
1154         if (!data->isoc_tx_ep || !data->isoc_rx_ep) {
1155                 BT_ERR("%s invalid SCO descriptors", hdev->name);
1156                 return -ENODEV;
1157         }
1158
1159         return 0;
1160 }
1161
1162 static void btusb_work(struct work_struct *work)
1163 {
1164         struct btusb_data *data = container_of(work, struct btusb_data, work);
1165         struct hci_dev *hdev = data->hdev;
1166         int new_alts;
1167         int err;
1168
1169         if (data->sco_num > 0) {
1170                 if (!test_bit(BTUSB_DID_ISO_RESUME, &data->flags)) {
1171                         err = usb_autopm_get_interface(data->isoc ? data->isoc : data->intf);
1172                         if (err < 0) {
1173                                 clear_bit(BTUSB_ISOC_RUNNING, &data->flags);
1174                                 usb_kill_anchored_urbs(&data->isoc_anchor);
1175                                 return;
1176                         }
1177
1178                         set_bit(BTUSB_DID_ISO_RESUME, &data->flags);
1179                 }
1180
1181                 if (hdev->voice_setting & 0x0020) {
1182                         static const int alts[3] = { 2, 4, 5 };
1183
1184                         new_alts = alts[data->sco_num - 1];
1185                 } else {
1186                         new_alts = data->sco_num;
1187                 }
1188
1189                 if (data->isoc_altsetting != new_alts) {
1190                         clear_bit(BTUSB_ISOC_RUNNING, &data->flags);
1191                         usb_kill_anchored_urbs(&data->isoc_anchor);
1192
1193                         if (__set_isoc_interface(hdev, new_alts) < 0)
1194                                 return;
1195                 }
1196
1197                 if (!test_and_set_bit(BTUSB_ISOC_RUNNING, &data->flags)) {
1198                         if (btusb_submit_isoc_urb(hdev, GFP_KERNEL) < 0)
1199                                 clear_bit(BTUSB_ISOC_RUNNING, &data->flags);
1200                         else
1201                                 btusb_submit_isoc_urb(hdev, GFP_KERNEL);
1202                 }
1203         } else {
1204                 clear_bit(BTUSB_ISOC_RUNNING, &data->flags);
1205                 usb_kill_anchored_urbs(&data->isoc_anchor);
1206
1207                 __set_isoc_interface(hdev, 0);
1208                 if (test_and_clear_bit(BTUSB_DID_ISO_RESUME, &data->flags))
1209                         usb_autopm_put_interface(data->isoc ? data->isoc : data->intf);
1210         }
1211 }
1212
1213 static void btusb_waker(struct work_struct *work)
1214 {
1215         struct btusb_data *data = container_of(work, struct btusb_data, waker);
1216         int err;
1217
1218         err = usb_autopm_get_interface(data->intf);
1219         if (err < 0)
1220                 return;
1221
1222         usb_autopm_put_interface(data->intf);
1223 }
1224
1225 static int btusb_setup_bcm92035(struct hci_dev *hdev)
1226 {
1227         struct sk_buff *skb;
1228         u8 val = 0x00;
1229
1230         BT_DBG("%s", hdev->name);
1231
1232         skb = __hci_cmd_sync(hdev, 0xfc3b, 1, &val, HCI_INIT_TIMEOUT);
1233         if (IS_ERR(skb))
1234                 BT_ERR("BCM92035 command failed (%ld)", -PTR_ERR(skb));
1235         else
1236                 kfree_skb(skb);
1237
1238         return 0;
1239 }
1240
1241 static int btusb_setup_csr(struct hci_dev *hdev)
1242 {
1243         struct hci_rp_read_local_version *rp;
1244         struct sk_buff *skb;
1245         int ret;
1246
1247         BT_DBG("%s", hdev->name);
1248
1249         skb = __hci_cmd_sync(hdev, HCI_OP_READ_LOCAL_VERSION, 0, NULL,
1250                              HCI_INIT_TIMEOUT);
1251         if (IS_ERR(skb)) {
1252                 BT_ERR("Reading local version failed (%ld)", -PTR_ERR(skb));
1253                 return -PTR_ERR(skb);
1254         }
1255
1256         rp = (struct hci_rp_read_local_version *)skb->data;
1257
1258         if (!rp->status) {
1259                 if (le16_to_cpu(rp->manufacturer) != 10) {
1260                         /* Clear the reset quirk since this is not an actual
1261                          * early Bluetooth 1.1 device from CSR.
1262                          */
1263                         clear_bit(HCI_QUIRK_RESET_ON_CLOSE, &hdev->quirks);
1264
1265                         /* These fake CSR controllers have all a broken
1266                          * stored link key handling and so just disable it.
1267                          */
1268                         set_bit(HCI_QUIRK_BROKEN_STORED_LINK_KEY,
1269                                 &hdev->quirks);
1270                 }
1271         }
1272
1273         ret = -bt_to_errno(rp->status);
1274
1275         kfree_skb(skb);
1276
1277         return ret;
1278 }
1279
1280 struct intel_version {
1281         u8 status;
1282         u8 hw_platform;
1283         u8 hw_variant;
1284         u8 hw_revision;
1285         u8 fw_variant;
1286         u8 fw_revision;
1287         u8 fw_build_num;
1288         u8 fw_build_ww;
1289         u8 fw_build_yy;
1290         u8 fw_patch_num;
1291 } __packed;
1292
1293 static const struct firmware *btusb_setup_intel_get_fw(struct hci_dev *hdev,
1294                                                        struct intel_version *ver)
1295 {
1296         const struct firmware *fw;
1297         char fwname[64];
1298         int ret;
1299
1300         snprintf(fwname, sizeof(fwname),
1301                  "intel/ibt-hw-%x.%x.%x-fw-%x.%x.%x.%x.%x.bseq",
1302                  ver->hw_platform, ver->hw_variant, ver->hw_revision,
1303                  ver->fw_variant,  ver->fw_revision, ver->fw_build_num,
1304                  ver->fw_build_ww, ver->fw_build_yy);
1305
1306         ret = request_firmware(&fw, fwname, &hdev->dev);
1307         if (ret < 0) {
1308                 if (ret == -EINVAL) {
1309                         BT_ERR("%s Intel firmware file request failed (%d)",
1310                                hdev->name, ret);
1311                         return NULL;
1312                 }
1313
1314                 BT_ERR("%s failed to open Intel firmware file: %s(%d)",
1315                        hdev->name, fwname, ret);
1316
1317                 /* If the correct firmware patch file is not found, use the
1318                  * default firmware patch file instead
1319                  */
1320                 snprintf(fwname, sizeof(fwname), "intel/ibt-hw-%x.%x.bseq",
1321                          ver->hw_platform, ver->hw_variant);
1322                 if (request_firmware(&fw, fwname, &hdev->dev) < 0) {
1323                         BT_ERR("%s failed to open default Intel fw file: %s",
1324                                hdev->name, fwname);
1325                         return NULL;
1326                 }
1327         }
1328
1329         BT_INFO("%s: Intel Bluetooth firmware file: %s", hdev->name, fwname);
1330
1331         return fw;
1332 }
1333
1334 static int btusb_setup_intel_patching(struct hci_dev *hdev,
1335                                       const struct firmware *fw,
1336                                       const u8 **fw_ptr, int *disable_patch)
1337 {
1338         struct sk_buff *skb;
1339         struct hci_command_hdr *cmd;
1340         const u8 *cmd_param;
1341         struct hci_event_hdr *evt = NULL;
1342         const u8 *evt_param = NULL;
1343         int remain = fw->size - (*fw_ptr - fw->data);
1344
1345         /* The first byte indicates the types of the patch command or event.
1346          * 0x01 means HCI command and 0x02 is HCI event. If the first bytes
1347          * in the current firmware buffer doesn't start with 0x01 or
1348          * the size of remain buffer is smaller than HCI command header,
1349          * the firmware file is corrupted and it should stop the patching
1350          * process.
1351          */
1352         if (remain > HCI_COMMAND_HDR_SIZE && *fw_ptr[0] != 0x01) {
1353                 BT_ERR("%s Intel fw corrupted: invalid cmd read", hdev->name);
1354                 return -EINVAL;
1355         }
1356         (*fw_ptr)++;
1357         remain--;
1358
1359         cmd = (struct hci_command_hdr *)(*fw_ptr);
1360         *fw_ptr += sizeof(*cmd);
1361         remain -= sizeof(*cmd);
1362
1363         /* Ensure that the remain firmware data is long enough than the length
1364          * of command parameter. If not, the firmware file is corrupted.
1365          */
1366         if (remain < cmd->plen) {
1367                 BT_ERR("%s Intel fw corrupted: invalid cmd len", hdev->name);
1368                 return -EFAULT;
1369         }
1370
1371         /* If there is a command that loads a patch in the firmware
1372          * file, then enable the patch upon success, otherwise just
1373          * disable the manufacturer mode, for example patch activation
1374          * is not required when the default firmware patch file is used
1375          * because there are no patch data to load.
1376          */
1377         if (*disable_patch && le16_to_cpu(cmd->opcode) == 0xfc8e)
1378                 *disable_patch = 0;
1379
1380         cmd_param = *fw_ptr;
1381         *fw_ptr += cmd->plen;
1382         remain -= cmd->plen;
1383
1384         /* This reads the expected events when the above command is sent to the
1385          * device. Some vendor commands expects more than one events, for
1386          * example command status event followed by vendor specific event.
1387          * For this case, it only keeps the last expected event. so the command
1388          * can be sent with __hci_cmd_sync_ev() which returns the sk_buff of
1389          * last expected event.
1390          */
1391         while (remain > HCI_EVENT_HDR_SIZE && *fw_ptr[0] == 0x02) {
1392                 (*fw_ptr)++;
1393                 remain--;
1394
1395                 evt = (struct hci_event_hdr *)(*fw_ptr);
1396                 *fw_ptr += sizeof(*evt);
1397                 remain -= sizeof(*evt);
1398
1399                 if (remain < evt->plen) {
1400                         BT_ERR("%s Intel fw corrupted: invalid evt len",
1401                                hdev->name);
1402                         return -EFAULT;
1403                 }
1404
1405                 evt_param = *fw_ptr;
1406                 *fw_ptr += evt->plen;
1407                 remain -= evt->plen;
1408         }
1409
1410         /* Every HCI commands in the firmware file has its correspond event.
1411          * If event is not found or remain is smaller than zero, the firmware
1412          * file is corrupted.
1413          */
1414         if (!evt || !evt_param || remain < 0) {
1415                 BT_ERR("%s Intel fw corrupted: invalid evt read", hdev->name);
1416                 return -EFAULT;
1417         }
1418
1419         skb = __hci_cmd_sync_ev(hdev, le16_to_cpu(cmd->opcode), cmd->plen,
1420                                 cmd_param, evt->evt, HCI_INIT_TIMEOUT);
1421         if (IS_ERR(skb)) {
1422                 BT_ERR("%s sending Intel patch command (0x%4.4x) failed (%ld)",
1423                        hdev->name, cmd->opcode, PTR_ERR(skb));
1424                 return PTR_ERR(skb);
1425         }
1426
1427         /* It ensures that the returned event matches the event data read from
1428          * the firmware file. At fist, it checks the length and then
1429          * the contents of the event.
1430          */
1431         if (skb->len != evt->plen) {
1432                 BT_ERR("%s mismatch event length (opcode 0x%4.4x)", hdev->name,
1433                        le16_to_cpu(cmd->opcode));
1434                 kfree_skb(skb);
1435                 return -EFAULT;
1436         }
1437
1438         if (memcmp(skb->data, evt_param, evt->plen)) {
1439                 BT_ERR("%s mismatch event parameter (opcode 0x%4.4x)",
1440                        hdev->name, le16_to_cpu(cmd->opcode));
1441                 kfree_skb(skb);
1442                 return -EFAULT;
1443         }
1444         kfree_skb(skb);
1445
1446         return 0;
1447 }
1448
1449 #define BDADDR_INTEL (&(bdaddr_t) {{0x00, 0x8b, 0x9e, 0x19, 0x03, 0x00}})
1450
1451 static int btusb_check_bdaddr_intel(struct hci_dev *hdev)
1452 {
1453         struct sk_buff *skb;
1454         struct hci_rp_read_bd_addr *rp;
1455
1456         skb = __hci_cmd_sync(hdev, HCI_OP_READ_BD_ADDR, 0, NULL,
1457                              HCI_INIT_TIMEOUT);
1458         if (IS_ERR(skb)) {
1459                 BT_ERR("%s reading Intel device address failed (%ld)",
1460                        hdev->name, PTR_ERR(skb));
1461                 return PTR_ERR(skb);
1462         }
1463
1464         if (skb->len != sizeof(*rp)) {
1465                 BT_ERR("%s Intel device address length mismatch", hdev->name);
1466                 kfree_skb(skb);
1467                 return -EIO;
1468         }
1469
1470         rp = (struct hci_rp_read_bd_addr *)skb->data;
1471         if (rp->status) {
1472                 BT_ERR("%s Intel device address result failed (%02x)",
1473                        hdev->name, rp->status);
1474                 kfree_skb(skb);
1475                 return -bt_to_errno(rp->status);
1476         }
1477
1478         /* For some Intel based controllers, the default Bluetooth device
1479          * address 00:03:19:9E:8B:00 can be found. These controllers are
1480          * fully operational, but have the danger of duplicate addresses
1481          * and that in turn can cause problems with Bluetooth operation.
1482          */
1483         if (!bacmp(&rp->bdaddr, BDADDR_INTEL)) {
1484                 BT_ERR("%s found Intel default device address (%pMR)",
1485                        hdev->name, &rp->bdaddr);
1486                 set_bit(HCI_QUIRK_INVALID_BDADDR, &hdev->quirks);
1487         }
1488
1489         kfree_skb(skb);
1490
1491         return 0;
1492 }
1493
1494 static int btusb_setup_intel(struct hci_dev *hdev)
1495 {
1496         struct sk_buff *skb;
1497         const struct firmware *fw;
1498         const u8 *fw_ptr;
1499         int disable_patch;
1500         struct intel_version *ver;
1501
1502         const u8 mfg_enable[] = { 0x01, 0x00 };
1503         const u8 mfg_disable[] = { 0x00, 0x00 };
1504         const u8 mfg_reset_deactivate[] = { 0x00, 0x01 };
1505         const u8 mfg_reset_activate[] = { 0x00, 0x02 };
1506
1507         BT_DBG("%s", hdev->name);
1508
1509         /* The controller has a bug with the first HCI command sent to it
1510          * returning number of completed commands as zero. This would stall the
1511          * command processing in the Bluetooth core.
1512          *
1513          * As a workaround, send HCI Reset command first which will reset the
1514          * number of completed commands and allow normal command processing
1515          * from now on.
1516          */
1517         skb = __hci_cmd_sync(hdev, HCI_OP_RESET, 0, NULL, HCI_INIT_TIMEOUT);
1518         if (IS_ERR(skb)) {
1519                 BT_ERR("%s sending initial HCI reset command failed (%ld)",
1520                        hdev->name, PTR_ERR(skb));
1521                 return PTR_ERR(skb);
1522         }
1523         kfree_skb(skb);
1524
1525         /* Read Intel specific controller version first to allow selection of
1526          * which firmware file to load.
1527          *
1528          * The returned information are hardware variant and revision plus
1529          * firmware variant, revision and build number.
1530          */
1531         skb = __hci_cmd_sync(hdev, 0xfc05, 0, NULL, HCI_INIT_TIMEOUT);
1532         if (IS_ERR(skb)) {
1533                 BT_ERR("%s reading Intel fw version command failed (%ld)",
1534                        hdev->name, PTR_ERR(skb));
1535                 return PTR_ERR(skb);
1536         }
1537
1538         if (skb->len != sizeof(*ver)) {
1539                 BT_ERR("%s Intel version event length mismatch", hdev->name);
1540                 kfree_skb(skb);
1541                 return -EIO;
1542         }
1543
1544         ver = (struct intel_version *)skb->data;
1545         if (ver->status) {
1546                 BT_ERR("%s Intel fw version event failed (%02x)", hdev->name,
1547                        ver->status);
1548                 kfree_skb(skb);
1549                 return -bt_to_errno(ver->status);
1550         }
1551
1552         BT_INFO("%s: read Intel version: %02x%02x%02x%02x%02x%02x%02x%02x%02x",
1553                 hdev->name, ver->hw_platform, ver->hw_variant,
1554                 ver->hw_revision, ver->fw_variant,  ver->fw_revision,
1555                 ver->fw_build_num, ver->fw_build_ww, ver->fw_build_yy,
1556                 ver->fw_patch_num);
1557
1558         /* fw_patch_num indicates the version of patch the device currently
1559          * have. If there is no patch data in the device, it is always 0x00.
1560          * So, if it is other than 0x00, no need to patch the deivce again.
1561          */
1562         if (ver->fw_patch_num) {
1563                 BT_INFO("%s: Intel device is already patched. patch num: %02x",
1564                         hdev->name, ver->fw_patch_num);
1565                 kfree_skb(skb);
1566                 btusb_check_bdaddr_intel(hdev);
1567                 return 0;
1568         }
1569
1570         /* Opens the firmware patch file based on the firmware version read
1571          * from the controller. If it fails to open the matching firmware
1572          * patch file, it tries to open the default firmware patch file.
1573          * If no patch file is found, allow the device to operate without
1574          * a patch.
1575          */
1576         fw = btusb_setup_intel_get_fw(hdev, ver);
1577         if (!fw) {
1578                 kfree_skb(skb);
1579                 btusb_check_bdaddr_intel(hdev);
1580                 return 0;
1581         }
1582         fw_ptr = fw->data;
1583
1584         /* This Intel specific command enables the manufacturer mode of the
1585          * controller.
1586          *
1587          * Only while this mode is enabled, the driver can download the
1588          * firmware patch data and configuration parameters.
1589          */
1590         skb = __hci_cmd_sync(hdev, 0xfc11, 2, mfg_enable, HCI_INIT_TIMEOUT);
1591         if (IS_ERR(skb)) {
1592                 BT_ERR("%s entering Intel manufacturer mode failed (%ld)",
1593                        hdev->name, PTR_ERR(skb));
1594                 release_firmware(fw);
1595                 return PTR_ERR(skb);
1596         }
1597
1598         if (skb->data[0]) {
1599                 u8 evt_status = skb->data[0];
1600
1601                 BT_ERR("%s enable Intel manufacturer mode event failed (%02x)",
1602                        hdev->name, evt_status);
1603                 kfree_skb(skb);
1604                 release_firmware(fw);
1605                 return -bt_to_errno(evt_status);
1606         }
1607         kfree_skb(skb);
1608
1609         disable_patch = 1;
1610
1611         /* The firmware data file consists of list of Intel specific HCI
1612          * commands and its expected events. The first byte indicates the
1613          * type of the message, either HCI command or HCI event.
1614          *
1615          * It reads the command and its expected event from the firmware file,
1616          * and send to the controller. Once __hci_cmd_sync_ev() returns,
1617          * the returned event is compared with the event read from the firmware
1618          * file and it will continue until all the messages are downloaded to
1619          * the controller.
1620          *
1621          * Once the firmware patching is completed successfully,
1622          * the manufacturer mode is disabled with reset and activating the
1623          * downloaded patch.
1624          *
1625          * If the firmware patching fails, the manufacturer mode is
1626          * disabled with reset and deactivating the patch.
1627          *
1628          * If the default patch file is used, no reset is done when disabling
1629          * the manufacturer.
1630          */
1631         while (fw->size > fw_ptr - fw->data) {
1632                 int ret;
1633
1634                 ret = btusb_setup_intel_patching(hdev, fw, &fw_ptr,
1635                                                  &disable_patch);
1636                 if (ret < 0)
1637                         goto exit_mfg_deactivate;
1638         }
1639
1640         release_firmware(fw);
1641
1642         if (disable_patch)
1643                 goto exit_mfg_disable;
1644
1645         /* Patching completed successfully and disable the manufacturer mode
1646          * with reset and activate the downloaded firmware patches.
1647          */
1648         skb = __hci_cmd_sync(hdev, 0xfc11, sizeof(mfg_reset_activate),
1649                              mfg_reset_activate, HCI_INIT_TIMEOUT);
1650         if (IS_ERR(skb)) {
1651                 BT_ERR("%s exiting Intel manufacturer mode failed (%ld)",
1652                        hdev->name, PTR_ERR(skb));
1653                 return PTR_ERR(skb);
1654         }
1655         kfree_skb(skb);
1656
1657         BT_INFO("%s: Intel Bluetooth firmware patch completed and activated",
1658                 hdev->name);
1659
1660         btusb_check_bdaddr_intel(hdev);
1661         return 0;
1662
1663 exit_mfg_disable:
1664         /* Disable the manufacturer mode without reset */
1665         skb = __hci_cmd_sync(hdev, 0xfc11, sizeof(mfg_disable), mfg_disable,
1666                              HCI_INIT_TIMEOUT);
1667         if (IS_ERR(skb)) {
1668                 BT_ERR("%s exiting Intel manufacturer mode failed (%ld)",
1669                        hdev->name, PTR_ERR(skb));
1670                 return PTR_ERR(skb);
1671         }
1672         kfree_skb(skb);
1673
1674         BT_INFO("%s: Intel Bluetooth firmware patch completed", hdev->name);
1675
1676         btusb_check_bdaddr_intel(hdev);
1677         return 0;
1678
1679 exit_mfg_deactivate:
1680         release_firmware(fw);
1681
1682         /* Patching failed. Disable the manufacturer mode with reset and
1683          * deactivate the downloaded firmware patches.
1684          */
1685         skb = __hci_cmd_sync(hdev, 0xfc11, sizeof(mfg_reset_deactivate),
1686                              mfg_reset_deactivate, HCI_INIT_TIMEOUT);
1687         if (IS_ERR(skb)) {
1688                 BT_ERR("%s exiting Intel manufacturer mode failed (%ld)",
1689                        hdev->name, PTR_ERR(skb));
1690                 return PTR_ERR(skb);
1691         }
1692         kfree_skb(skb);
1693
1694         BT_INFO("%s: Intel Bluetooth firmware patch completed and deactivated",
1695                 hdev->name);
1696
1697         btusb_check_bdaddr_intel(hdev);
1698         return 0;
1699 }
1700
1701 static int btusb_set_bdaddr_intel(struct hci_dev *hdev, const bdaddr_t *bdaddr)
1702 {
1703         struct sk_buff *skb;
1704         long ret;
1705
1706         skb = __hci_cmd_sync(hdev, 0xfc31, 6, bdaddr, HCI_INIT_TIMEOUT);
1707         if (IS_ERR(skb)) {
1708                 ret = PTR_ERR(skb);
1709                 BT_ERR("%s: changing Intel device address failed (%ld)",
1710                        hdev->name, ret);
1711                 return ret;
1712         }
1713         kfree_skb(skb);
1714
1715         return 0;
1716 }
1717
1718 static int btusb_set_bdaddr_marvell(struct hci_dev *hdev,
1719                                     const bdaddr_t *bdaddr)
1720 {
1721         struct sk_buff *skb;
1722         u8 buf[8];
1723         long ret;
1724
1725         buf[0] = 0xfe;
1726         buf[1] = sizeof(bdaddr_t);
1727         memcpy(buf + 2, bdaddr, sizeof(bdaddr_t));
1728
1729         skb = __hci_cmd_sync(hdev, 0xfc22, sizeof(buf), buf, HCI_INIT_TIMEOUT);
1730         if (IS_ERR(skb)) {
1731                 ret = PTR_ERR(skb);
1732                 BT_ERR("%s: changing Marvell device address failed (%ld)",
1733                        hdev->name, ret);
1734                 return ret;
1735         }
1736         kfree_skb(skb);
1737
1738         return 0;
1739 }
1740
1741 #define BDADDR_BCM20702A0 (&(bdaddr_t) {{0x00, 0xa0, 0x02, 0x70, 0x20, 0x00}})
1742
1743 static int btusb_setup_bcm_patchram(struct hci_dev *hdev)
1744 {
1745         struct btusb_data *data = hci_get_drvdata(hdev);
1746         struct usb_device *udev = data->udev;
1747         char fw_name[64];
1748         const struct firmware *fw;
1749         const u8 *fw_ptr;
1750         size_t fw_size;
1751         const struct hci_command_hdr *cmd;
1752         const u8 *cmd_param;
1753         u16 opcode;
1754         struct sk_buff *skb;
1755         struct hci_rp_read_local_version *ver;
1756         struct hci_rp_read_bd_addr *bda;
1757         long ret;
1758
1759         snprintf(fw_name, sizeof(fw_name), "brcm/%s-%04x-%04x.hcd",
1760                  udev->product ? udev->product : "BCM",
1761                  le16_to_cpu(udev->descriptor.idVendor),
1762                  le16_to_cpu(udev->descriptor.idProduct));
1763
1764         ret = request_firmware(&fw, fw_name, &hdev->dev);
1765         if (ret < 0) {
1766                 BT_INFO("%s: BCM: patch %s not found", hdev->name, fw_name);
1767                 return 0;
1768         }
1769
1770         /* Reset */
1771         skb = __hci_cmd_sync(hdev, HCI_OP_RESET, 0, NULL, HCI_INIT_TIMEOUT);
1772         if (IS_ERR(skb)) {
1773                 ret = PTR_ERR(skb);
1774                 BT_ERR("%s: HCI_OP_RESET failed (%ld)", hdev->name, ret);
1775                 goto done;
1776         }
1777         kfree_skb(skb);
1778
1779         /* Read Local Version Info */
1780         skb = __hci_cmd_sync(hdev, HCI_OP_READ_LOCAL_VERSION, 0, NULL,
1781                              HCI_INIT_TIMEOUT);
1782         if (IS_ERR(skb)) {
1783                 ret = PTR_ERR(skb);
1784                 BT_ERR("%s: HCI_OP_READ_LOCAL_VERSION failed (%ld)",
1785                        hdev->name, ret);
1786                 goto done;
1787         }
1788
1789         if (skb->len != sizeof(*ver)) {
1790                 BT_ERR("%s: HCI_OP_READ_LOCAL_VERSION event length mismatch",
1791                        hdev->name);
1792                 kfree_skb(skb);
1793                 ret = -EIO;
1794                 goto done;
1795         }
1796
1797         ver = (struct hci_rp_read_local_version *)skb->data;
1798         BT_INFO("%s: BCM: patching hci_ver=%02x hci_rev=%04x lmp_ver=%02x "
1799                 "lmp_subver=%04x", hdev->name, ver->hci_ver, ver->hci_rev,
1800                 ver->lmp_ver, ver->lmp_subver);
1801         kfree_skb(skb);
1802
1803         /* Start Download */
1804         skb = __hci_cmd_sync(hdev, 0xfc2e, 0, NULL, HCI_INIT_TIMEOUT);
1805         if (IS_ERR(skb)) {
1806                 ret = PTR_ERR(skb);
1807                 BT_ERR("%s: BCM: Download Minidrv command failed (%ld)",
1808                        hdev->name, ret);
1809                 goto reset_fw;
1810         }
1811         kfree_skb(skb);
1812
1813         /* 50 msec delay after Download Minidrv completes */
1814         msleep(50);
1815
1816         fw_ptr = fw->data;
1817         fw_size = fw->size;
1818
1819         while (fw_size >= sizeof(*cmd)) {
1820                 cmd = (struct hci_command_hdr *)fw_ptr;
1821                 fw_ptr += sizeof(*cmd);
1822                 fw_size -= sizeof(*cmd);
1823
1824                 if (fw_size < cmd->plen) {
1825                         BT_ERR("%s: BCM: patch %s is corrupted",
1826                                hdev->name, fw_name);
1827                         ret = -EINVAL;
1828                         goto reset_fw;
1829                 }
1830
1831                 cmd_param = fw_ptr;
1832                 fw_ptr += cmd->plen;
1833                 fw_size -= cmd->plen;
1834
1835                 opcode = le16_to_cpu(cmd->opcode);
1836
1837                 skb = __hci_cmd_sync(hdev, opcode, cmd->plen, cmd_param,
1838                                      HCI_INIT_TIMEOUT);
1839                 if (IS_ERR(skb)) {
1840                         ret = PTR_ERR(skb);
1841                         BT_ERR("%s: BCM: patch command %04x failed (%ld)",
1842                                hdev->name, opcode, ret);
1843                         goto reset_fw;
1844                 }
1845                 kfree_skb(skb);
1846         }
1847
1848         /* 250 msec delay after Launch Ram completes */
1849         msleep(250);
1850
1851 reset_fw:
1852         /* Reset */
1853         skb = __hci_cmd_sync(hdev, HCI_OP_RESET, 0, NULL, HCI_INIT_TIMEOUT);
1854         if (IS_ERR(skb)) {
1855                 ret = PTR_ERR(skb);
1856                 BT_ERR("%s: HCI_OP_RESET failed (%ld)", hdev->name, ret);
1857                 goto done;
1858         }
1859         kfree_skb(skb);
1860
1861         /* Read Local Version Info */
1862         skb = __hci_cmd_sync(hdev, HCI_OP_READ_LOCAL_VERSION, 0, NULL,
1863                              HCI_INIT_TIMEOUT);
1864         if (IS_ERR(skb)) {
1865                 ret = PTR_ERR(skb);
1866                 BT_ERR("%s: HCI_OP_READ_LOCAL_VERSION failed (%ld)",
1867                        hdev->name, ret);
1868                 goto done;
1869         }
1870
1871         if (skb->len != sizeof(*ver)) {
1872                 BT_ERR("%s: HCI_OP_READ_LOCAL_VERSION event length mismatch",
1873                        hdev->name);
1874                 kfree_skb(skb);
1875                 ret = -EIO;
1876                 goto done;
1877         }
1878
1879         ver = (struct hci_rp_read_local_version *)skb->data;
1880         BT_INFO("%s: BCM: firmware hci_ver=%02x hci_rev=%04x lmp_ver=%02x "
1881                 "lmp_subver=%04x", hdev->name, ver->hci_ver, ver->hci_rev,
1882                 ver->lmp_ver, ver->lmp_subver);
1883         kfree_skb(skb);
1884
1885         /* Read BD Address */
1886         skb = __hci_cmd_sync(hdev, HCI_OP_READ_BD_ADDR, 0, NULL,
1887                              HCI_INIT_TIMEOUT);
1888         if (IS_ERR(skb)) {
1889                 ret = PTR_ERR(skb);
1890                 BT_ERR("%s: HCI_OP_READ_BD_ADDR failed (%ld)",
1891                        hdev->name, ret);
1892                 goto done;
1893         }
1894
1895         if (skb->len != sizeof(*bda)) {
1896                 BT_ERR("%s: HCI_OP_READ_BD_ADDR event length mismatch",
1897                        hdev->name);
1898                 kfree_skb(skb);
1899                 ret = -EIO;
1900                 goto done;
1901         }
1902
1903         bda = (struct hci_rp_read_bd_addr *)skb->data;
1904         if (bda->status) {
1905                 BT_ERR("%s: HCI_OP_READ_BD_ADDR error status (%02x)",
1906                        hdev->name, bda->status);
1907                 kfree_skb(skb);
1908                 ret = -bt_to_errno(bda->status);
1909                 goto done;
1910         }
1911
1912         /* The address 00:20:70:02:A0:00 indicates a BCM20702A0 controller
1913          * with no configured address.
1914          */
1915         if (!bacmp(&bda->bdaddr, BDADDR_BCM20702A0)) {
1916                 BT_INFO("%s: BCM: using default device address (%pMR)",
1917                         hdev->name, &bda->bdaddr);
1918                 set_bit(HCI_QUIRK_INVALID_BDADDR, &hdev->quirks);
1919         }
1920
1921         kfree_skb(skb);
1922
1923 done:
1924         release_firmware(fw);
1925
1926         return ret;
1927 }
1928
1929 static int btusb_set_bdaddr_bcm(struct hci_dev *hdev, const bdaddr_t *bdaddr)
1930 {
1931         struct sk_buff *skb;
1932         long ret;
1933
1934         skb = __hci_cmd_sync(hdev, 0xfc01, 6, bdaddr, HCI_INIT_TIMEOUT);
1935         if (IS_ERR(skb)) {
1936                 ret = PTR_ERR(skb);
1937                 BT_ERR("%s: BCM: Change address command failed (%ld)",
1938                        hdev->name, ret);
1939                 return ret;
1940         }
1941         kfree_skb(skb);
1942
1943         return 0;
1944 }
1945
1946 static int btusb_probe(struct usb_interface *intf,
1947                        const struct usb_device_id *id)
1948 {
1949         struct usb_endpoint_descriptor *ep_desc;
1950         struct btusb_data *data;
1951         struct hci_dev *hdev;
1952         int i, err;
1953
1954         BT_DBG("intf %p id %p", intf, id);
1955
1956         /* interface numbers are hardcoded in the spec */
1957         if (intf->cur_altsetting->desc.bInterfaceNumber != 0)
1958                 return -ENODEV;
1959
1960         if (!id->driver_info) {
1961                 const struct usb_device_id *match;
1962
1963                 match = usb_match_id(intf, blacklist_table);
1964                 if (match)
1965                         id = match;
1966         }
1967
1968         if (id->driver_info == BTUSB_IGNORE)
1969                 return -ENODEV;
1970
1971         if (id->driver_info & BTUSB_ATH3012) {
1972                 struct usb_device *udev = interface_to_usbdev(intf);
1973
1974                 /* Old firmware would otherwise let ath3k driver load
1975                  * patch and sysconfig files */
1976                 if (le16_to_cpu(udev->descriptor.bcdDevice) <= 0x0001)
1977                         return -ENODEV;
1978         }
1979
1980         data = devm_kzalloc(&intf->dev, sizeof(*data), GFP_KERNEL);
1981         if (!data)
1982                 return -ENOMEM;
1983
1984         for (i = 0; i < intf->cur_altsetting->desc.bNumEndpoints; i++) {
1985                 ep_desc = &intf->cur_altsetting->endpoint[i].desc;
1986
1987                 if (!data->intr_ep && usb_endpoint_is_int_in(ep_desc)) {
1988                         data->intr_ep = ep_desc;
1989                         continue;
1990                 }
1991
1992                 if (!data->bulk_tx_ep && usb_endpoint_is_bulk_out(ep_desc)) {
1993                         data->bulk_tx_ep = ep_desc;
1994                         continue;
1995                 }
1996
1997                 if (!data->bulk_rx_ep && usb_endpoint_is_bulk_in(ep_desc)) {
1998                         data->bulk_rx_ep = ep_desc;
1999                         continue;
2000                 }
2001         }
2002
2003         if (!data->intr_ep || !data->bulk_tx_ep || !data->bulk_rx_ep)
2004                 return -ENODEV;
2005
2006         data->cmdreq_type = USB_TYPE_CLASS;
2007
2008         data->udev = interface_to_usbdev(intf);
2009         data->intf = intf;
2010
2011         INIT_WORK(&data->work, btusb_work);
2012         INIT_WORK(&data->waker, btusb_waker);
2013         init_usb_anchor(&data->deferred);
2014         init_usb_anchor(&data->tx_anchor);
2015         spin_lock_init(&data->txlock);
2016
2017         init_usb_anchor(&data->intr_anchor);
2018         init_usb_anchor(&data->bulk_anchor);
2019         init_usb_anchor(&data->isoc_anchor);
2020         spin_lock_init(&data->rxlock);
2021
2022         data->recv_bulk = btusb_recv_bulk;
2023
2024         hdev = hci_alloc_dev();
2025         if (!hdev)
2026                 return -ENOMEM;
2027
2028         hdev->bus = HCI_USB;
2029         hci_set_drvdata(hdev, data);
2030
2031         data->hdev = hdev;
2032
2033         SET_HCIDEV_DEV(hdev, &intf->dev);
2034
2035         hdev->open   = btusb_open;
2036         hdev->close  = btusb_close;
2037         hdev->flush  = btusb_flush;
2038         hdev->send   = btusb_send_frame;
2039         hdev->notify = btusb_notify;
2040
2041         if (id->driver_info & BTUSB_BCM92035)
2042                 hdev->setup = btusb_setup_bcm92035;
2043
2044         if (id->driver_info & BTUSB_BCM_PATCHRAM) {
2045                 hdev->setup = btusb_setup_bcm_patchram;
2046                 hdev->set_bdaddr = btusb_set_bdaddr_bcm;
2047                 set_bit(HCI_QUIRK_STRICT_DUPLICATE_FILTER, &hdev->quirks);
2048         }
2049
2050         if (id->driver_info & BTUSB_INTEL) {
2051                 hdev->setup = btusb_setup_intel;
2052                 hdev->set_bdaddr = btusb_set_bdaddr_intel;
2053         }
2054
2055         if (id->driver_info & BTUSB_MARVELL)
2056                 hdev->set_bdaddr = btusb_set_bdaddr_marvell;
2057
2058         if (id->driver_info & BTUSB_INTEL_BOOT)
2059                 set_bit(HCI_QUIRK_RAW_DEVICE, &hdev->quirks);
2060
2061         /* Interface numbers are hardcoded in the specification */
2062         data->isoc = usb_ifnum_to_if(data->udev, 1);
2063
2064         if (!reset)
2065                 set_bit(HCI_QUIRK_RESET_ON_CLOSE, &hdev->quirks);
2066
2067         if (force_scofix || id->driver_info & BTUSB_WRONG_SCO_MTU) {
2068                 if (!disable_scofix)
2069                         set_bit(HCI_QUIRK_FIXUP_BUFFER_SIZE, &hdev->quirks);
2070         }
2071
2072         if (id->driver_info & BTUSB_BROKEN_ISOC)
2073                 data->isoc = NULL;
2074
2075         if (id->driver_info & BTUSB_DIGIANSWER) {
2076                 data->cmdreq_type = USB_TYPE_VENDOR;
2077                 set_bit(HCI_QUIRK_RESET_ON_CLOSE, &hdev->quirks);
2078         }
2079
2080         if (id->driver_info & BTUSB_CSR) {
2081                 struct usb_device *udev = data->udev;
2082                 u16 bcdDevice = le16_to_cpu(udev->descriptor.bcdDevice);
2083
2084                 /* Old firmware would otherwise execute USB reset */
2085                 if (bcdDevice < 0x117)
2086                         set_bit(HCI_QUIRK_RESET_ON_CLOSE, &hdev->quirks);
2087
2088                 /* Fake CSR devices with broken commands */
2089                 if (bcdDevice <= 0x100)
2090                         hdev->setup = btusb_setup_csr;
2091         }
2092
2093         if (id->driver_info & BTUSB_SNIFFER) {
2094                 struct usb_device *udev = data->udev;
2095
2096                 /* New sniffer firmware has crippled HCI interface */
2097                 if (le16_to_cpu(udev->descriptor.bcdDevice) > 0x997)
2098                         set_bit(HCI_QUIRK_RAW_DEVICE, &hdev->quirks);
2099         }
2100
2101         if (id->driver_info & BTUSB_INTEL_BOOT) {
2102                 /* A bug in the bootloader causes that interrupt interface is
2103                  * only enabled after receiving SetInterface(0, AltSetting=0).
2104                  */
2105                 err = usb_set_interface(data->udev, 0, 0);
2106                 if (err < 0) {
2107                         BT_ERR("failed to set interface 0, alt 0 %d", err);
2108                         hci_free_dev(hdev);
2109                         return err;
2110                 }
2111         }
2112
2113         if (data->isoc) {
2114                 err = usb_driver_claim_interface(&btusb_driver,
2115                                                  data->isoc, data);
2116                 if (err < 0) {
2117                         hci_free_dev(hdev);
2118                         return err;
2119                 }
2120         }
2121
2122         err = hci_register_dev(hdev);
2123         if (err < 0) {
2124                 hci_free_dev(hdev);
2125                 return err;
2126         }
2127
2128         usb_set_intfdata(intf, data);
2129
2130         return 0;
2131 }
2132
2133 static void btusb_disconnect(struct usb_interface *intf)
2134 {
2135         struct btusb_data *data = usb_get_intfdata(intf);
2136         struct hci_dev *hdev;
2137
2138         BT_DBG("intf %p", intf);
2139
2140         if (!data)
2141                 return;
2142
2143         hdev = data->hdev;
2144         usb_set_intfdata(data->intf, NULL);
2145
2146         if (data->isoc)
2147                 usb_set_intfdata(data->isoc, NULL);
2148
2149         hci_unregister_dev(hdev);
2150
2151         if (intf == data->isoc)
2152                 usb_driver_release_interface(&btusb_driver, data->intf);
2153         else if (data->isoc)
2154                 usb_driver_release_interface(&btusb_driver, data->isoc);
2155
2156         btusb_free_frags(data);
2157         hci_free_dev(hdev);
2158 }
2159
2160 #ifdef CONFIG_PM
2161 static int btusb_suspend(struct usb_interface *intf, pm_message_t message)
2162 {
2163         struct btusb_data *data = usb_get_intfdata(intf);
2164
2165         BT_DBG("intf %p", intf);
2166
2167         if (data->suspend_count++)
2168                 return 0;
2169
2170         spin_lock_irq(&data->txlock);
2171         if (!(PMSG_IS_AUTO(message) && data->tx_in_flight)) {
2172                 set_bit(BTUSB_SUSPENDING, &data->flags);
2173                 spin_unlock_irq(&data->txlock);
2174         } else {
2175                 spin_unlock_irq(&data->txlock);
2176                 data->suspend_count--;
2177                 return -EBUSY;
2178         }
2179
2180         cancel_work_sync(&data->work);
2181
2182         btusb_stop_traffic(data);
2183         usb_kill_anchored_urbs(&data->tx_anchor);
2184
2185         return 0;
2186 }
2187
2188 static void play_deferred(struct btusb_data *data)
2189 {
2190         struct urb *urb;
2191         int err;
2192
2193         while ((urb = usb_get_from_anchor(&data->deferred))) {
2194                 err = usb_submit_urb(urb, GFP_ATOMIC);
2195                 if (err < 0)
2196                         break;
2197
2198                 data->tx_in_flight++;
2199         }
2200         usb_scuttle_anchored_urbs(&data->deferred);
2201 }
2202
2203 static int btusb_resume(struct usb_interface *intf)
2204 {
2205         struct btusb_data *data = usb_get_intfdata(intf);
2206         struct hci_dev *hdev = data->hdev;
2207         int err = 0;
2208
2209         BT_DBG("intf %p", intf);
2210
2211         if (--data->suspend_count)
2212                 return 0;
2213
2214         if (!test_bit(HCI_RUNNING, &hdev->flags))
2215                 goto done;
2216
2217         if (test_bit(BTUSB_INTR_RUNNING, &data->flags)) {
2218                 err = btusb_submit_intr_urb(hdev, GFP_NOIO);
2219                 if (err < 0) {
2220                         clear_bit(BTUSB_INTR_RUNNING, &data->flags);
2221                         goto failed;
2222                 }
2223         }
2224
2225         if (test_bit(BTUSB_BULK_RUNNING, &data->flags)) {
2226                 err = btusb_submit_bulk_urb(hdev, GFP_NOIO);
2227                 if (err < 0) {
2228                         clear_bit(BTUSB_BULK_RUNNING, &data->flags);
2229                         goto failed;
2230                 }
2231
2232                 btusb_submit_bulk_urb(hdev, GFP_NOIO);
2233         }
2234
2235         if (test_bit(BTUSB_ISOC_RUNNING, &data->flags)) {
2236                 if (btusb_submit_isoc_urb(hdev, GFP_NOIO) < 0)
2237                         clear_bit(BTUSB_ISOC_RUNNING, &data->flags);
2238                 else
2239                         btusb_submit_isoc_urb(hdev, GFP_NOIO);
2240         }
2241
2242         spin_lock_irq(&data->txlock);
2243         play_deferred(data);
2244         clear_bit(BTUSB_SUSPENDING, &data->flags);
2245         spin_unlock_irq(&data->txlock);
2246         schedule_work(&data->work);
2247
2248         return 0;
2249
2250 failed:
2251         usb_scuttle_anchored_urbs(&data->deferred);
2252 done:
2253         spin_lock_irq(&data->txlock);
2254         clear_bit(BTUSB_SUSPENDING, &data->flags);
2255         spin_unlock_irq(&data->txlock);
2256
2257         return err;
2258 }
2259 #endif
2260
2261 static struct usb_driver btusb_driver = {
2262         .name           = "btusb",
2263         .probe          = btusb_probe,
2264         .disconnect     = btusb_disconnect,
2265 #ifdef CONFIG_PM
2266         .suspend        = btusb_suspend,
2267         .resume         = btusb_resume,
2268 #endif
2269         .id_table       = btusb_table,
2270         .supports_autosuspend = 1,
2271         .disable_hub_initiated_lpm = 1,
2272 };
2273
2274 module_usb_driver(btusb_driver);
2275
2276 module_param(disable_scofix, bool, 0644);
2277 MODULE_PARM_DESC(disable_scofix, "Disable fixup of wrong SCO buffer size");
2278
2279 module_param(force_scofix, bool, 0644);
2280 MODULE_PARM_DESC(force_scofix, "Force fixup of wrong SCO buffers size");
2281
2282 module_param(reset, bool, 0644);
2283 MODULE_PARM_DESC(reset, "Send HCI reset command on initialization");
2284
2285 MODULE_AUTHOR("Marcel Holtmann <marcel@holtmann.org>");
2286 MODULE_DESCRIPTION("Generic Bluetooth USB driver ver " VERSION);
2287 MODULE_VERSION(VERSION);
2288 MODULE_LICENSE("GPL");
Pandora Kernel Repository