linux/drivers/bluetooth/btusb.c
<<
>>
Prefs
   1// SPDX-License-Identifier: GPL-2.0-or-later
   2/*
   3 *
   4 *  Generic Bluetooth USB driver
   5 *
   6 *  Copyright (C) 2005-2008  Marcel Holtmann <marcel@holtmann.org>
   7 */
   8
   9#include <linux/dmi.h>
  10#include <linux/module.h>
  11#include <linux/usb.h>
  12#include <linux/usb/quirks.h>
  13#include <linux/firmware.h>
  14#include <linux/iopoll.h>
  15#include <linux/of_device.h>
  16#include <linux/of_irq.h>
  17#include <linux/suspend.h>
  18#include <linux/gpio/consumer.h>
  19#include <asm/unaligned.h>
  20
  21#include <net/bluetooth/bluetooth.h>
  22#include <net/bluetooth/hci_core.h>
  23
  24#include "btintel.h"
  25#include "btbcm.h"
  26#include "btrtl.h"
  27
  28#define VERSION "0.8"
  29
  30static bool disable_scofix;
  31static bool force_scofix;
  32static bool enable_autosuspend = IS_ENABLED(CONFIG_BT_HCIBTUSB_AUTOSUSPEND);
  33
  34static bool reset = true;
  35
  36static struct usb_driver btusb_driver;
  37
  38#define BTUSB_IGNORE            0x01
  39#define BTUSB_DIGIANSWER        0x02
  40#define BTUSB_CSR               0x04
  41#define BTUSB_SNIFFER           0x08
  42#define BTUSB_BCM92035          0x10
  43#define BTUSB_BROKEN_ISOC       0x20
  44#define BTUSB_WRONG_SCO_MTU     0x40
  45#define BTUSB_ATH3012           0x80
  46#define BTUSB_INTEL             0x100
  47#define BTUSB_INTEL_BOOT        0x200
  48#define BTUSB_BCM_PATCHRAM      0x400
  49#define BTUSB_MARVELL           0x800
  50#define BTUSB_SWAVE             0x1000
  51#define BTUSB_INTEL_NEW         0x2000
  52#define BTUSB_AMP               0x4000
  53#define BTUSB_QCA_ROME          0x8000
  54#define BTUSB_BCM_APPLE         0x10000
  55#define BTUSB_REALTEK           0x20000
  56#define BTUSB_BCM2045           0x40000
  57#define BTUSB_IFNUM_2           0x80000
  58#define BTUSB_CW6622            0x100000
  59#define BTUSB_MEDIATEK          0x200000
  60#define BTUSB_WIDEBAND_SPEECH   0x400000
  61#define BTUSB_VALID_LE_STATES   0x800000
  62#define BTUSB_QCA_WCN6855       0x1000000
  63
  64static const struct usb_device_id btusb_table[] = {
  65        /* Generic Bluetooth USB device */
  66        { USB_DEVICE_INFO(0xe0, 0x01, 0x01) },
  67
  68        /* Generic Bluetooth AMP device */
  69        { USB_DEVICE_INFO(0xe0, 0x01, 0x04), .driver_info = BTUSB_AMP },
  70
  71        /* Generic Bluetooth USB interface */
  72        { USB_INTERFACE_INFO(0xe0, 0x01, 0x01) },
  73
  74        /* Apple-specific (Broadcom) devices */
  75        { USB_VENDOR_AND_INTERFACE_INFO(0x05ac, 0xff, 0x01, 0x01),
  76          .driver_info = BTUSB_BCM_APPLE | BTUSB_IFNUM_2 },
  77
  78        /* MediaTek MT76x0E */
  79        { USB_DEVICE(0x0e8d, 0x763f) },
  80
  81        /* Broadcom SoftSailing reporting vendor specific */
  82        { USB_DEVICE(0x0a5c, 0x21e1) },
  83
  84        /* Apple MacBookPro 7,1 */
  85        { USB_DEVICE(0x05ac, 0x8213) },
  86
  87        /* Apple iMac11,1 */
  88        { USB_DEVICE(0x05ac, 0x8215) },
  89
  90        /* Apple MacBookPro6,2 */
  91        { USB_DEVICE(0x05ac, 0x8218) },
  92
  93        /* Apple MacBookAir3,1, MacBookAir3,2 */
  94        { USB_DEVICE(0x05ac, 0x821b) },
  95
  96        /* Apple MacBookAir4,1 */
  97        { USB_DEVICE(0x05ac, 0x821f) },
  98
  99        /* Apple MacBookPro8,2 */
 100        { USB_DEVICE(0x05ac, 0x821a) },
 101
 102        /* Apple MacMini5,1 */
 103        { USB_DEVICE(0x05ac, 0x8281) },
 104
 105        /* AVM BlueFRITZ! USB v2.0 */
 106        { USB_DEVICE(0x057c, 0x3800), .driver_info = BTUSB_SWAVE },
 107
 108        /* Bluetooth Ultraport Module from IBM */
 109        { USB_DEVICE(0x04bf, 0x030a) },
 110
 111        /* ALPS Modules with non-standard id */
 112        { USB_DEVICE(0x044e, 0x3001) },
 113        { USB_DEVICE(0x044e, 0x3002) },
 114
 115        /* Ericsson with non-standard id */
 116        { USB_DEVICE(0x0bdb, 0x1002) },
 117
 118        /* Canyon CN-BTU1 with HID interfaces */
 119        { USB_DEVICE(0x0c10, 0x0000) },
 120
 121        /* Broadcom BCM20702A0 */
 122        { USB_DEVICE(0x413c, 0x8197) },
 123
 124        /* Broadcom BCM20702B0 (Dynex/Insignia) */
 125        { USB_DEVICE(0x19ff, 0x0239), .driver_info = BTUSB_BCM_PATCHRAM },
 126
 127        /* Broadcom BCM43142A0 (Foxconn/Lenovo) */
 128        { USB_VENDOR_AND_INTERFACE_INFO(0x105b, 0xff, 0x01, 0x01),
 129          .driver_info = BTUSB_BCM_PATCHRAM },
 130
 131        /* Broadcom BCM920703 (HTC Vive) */
 132        { USB_VENDOR_AND_INTERFACE_INFO(0x0bb4, 0xff, 0x01, 0x01),
 133          .driver_info = BTUSB_BCM_PATCHRAM },
 134
 135        /* Foxconn - Hon Hai */
 136        { USB_VENDOR_AND_INTERFACE_INFO(0x0489, 0xff, 0x01, 0x01),
 137          .driver_info = BTUSB_BCM_PATCHRAM },
 138
 139        /* Lite-On Technology - Broadcom based */
 140        { USB_VENDOR_AND_INTERFACE_INFO(0x04ca, 0xff, 0x01, 0x01),
 141          .driver_info = BTUSB_BCM_PATCHRAM },
 142
 143        /* Broadcom devices with vendor specific id */
 144        { USB_VENDOR_AND_INTERFACE_INFO(0x0a5c, 0xff, 0x01, 0x01),
 145          .driver_info = BTUSB_BCM_PATCHRAM },
 146
 147        /* ASUSTek Computer - Broadcom based */
 148        { USB_VENDOR_AND_INTERFACE_INFO(0x0b05, 0xff, 0x01, 0x01),
 149          .driver_info = BTUSB_BCM_PATCHRAM },
 150
 151        /* Belkin F8065bf - Broadcom based */
 152        { USB_VENDOR_AND_INTERFACE_INFO(0x050d, 0xff, 0x01, 0x01),
 153          .driver_info = BTUSB_BCM_PATCHRAM },
 154
 155        /* IMC Networks - Broadcom based */
 156        { USB_VENDOR_AND_INTERFACE_INFO(0x13d3, 0xff, 0x01, 0x01),
 157          .driver_info = BTUSB_BCM_PATCHRAM },
 158
 159        /* Dell Computer - Broadcom based  */
 160        { USB_VENDOR_AND_INTERFACE_INFO(0x413c, 0xff, 0x01, 0x01),
 161          .driver_info = BTUSB_BCM_PATCHRAM },
 162
 163        /* Toshiba Corp - Broadcom based */
 164        { USB_VENDOR_AND_INTERFACE_INFO(0x0930, 0xff, 0x01, 0x01),
 165          .driver_info = BTUSB_BCM_PATCHRAM },
 166
 167        /* Intel Bluetooth USB Bootloader (RAM module) */
 168        { USB_DEVICE(0x8087, 0x0a5a),
 169          .driver_info = BTUSB_INTEL_BOOT | BTUSB_BROKEN_ISOC },
 170
 171        { }     /* Terminating entry */
 172};
 173
 174MODULE_DEVICE_TABLE(usb, btusb_table);
 175
 176static const struct usb_device_id blacklist_table[] = {
 177        /* CSR BlueCore devices */
 178        { USB_DEVICE(0x0a12, 0x0001), .driver_info = BTUSB_CSR },
 179
 180        /* Broadcom BCM2033 without firmware */
 181        { USB_DEVICE(0x0a5c, 0x2033), .driver_info = BTUSB_IGNORE },
 182
 183        /* Broadcom BCM2045 devices */
 184        { USB_DEVICE(0x0a5c, 0x2045), .driver_info = BTUSB_BCM2045 },
 185
 186        /* Atheros 3011 with sflash firmware */
 187        { USB_DEVICE(0x0489, 0xe027), .driver_info = BTUSB_IGNORE },
 188        { USB_DEVICE(0x0489, 0xe03d), .driver_info = BTUSB_IGNORE },
 189        { USB_DEVICE(0x04f2, 0xaff1), .driver_info = BTUSB_IGNORE },
 190        { USB_DEVICE(0x0930, 0x0215), .driver_info = BTUSB_IGNORE },
 191        { USB_DEVICE(0x0cf3, 0x3002), .driver_info = BTUSB_IGNORE },
 192        { USB_DEVICE(0x0cf3, 0xe019), .driver_info = BTUSB_IGNORE },
 193        { USB_DEVICE(0x13d3, 0x3304), .driver_info = BTUSB_IGNORE },
 194
 195        /* Atheros AR9285 Malbec with sflash firmware */
 196        { USB_DEVICE(0x03f0, 0x311d), .driver_info = BTUSB_IGNORE },
 197
 198        /* Atheros 3012 with sflash firmware */
 199        { USB_DEVICE(0x0489, 0xe04d), .driver_info = BTUSB_ATH3012 },
 200        { USB_DEVICE(0x0489, 0xe04e), .driver_info = BTUSB_ATH3012 },
 201        { USB_DEVICE(0x0489, 0xe056), .driver_info = BTUSB_ATH3012 },
 202        { USB_DEVICE(0x0489, 0xe057), .driver_info = BTUSB_ATH3012 },
 203        { USB_DEVICE(0x0489, 0xe05f), .driver_info = BTUSB_ATH3012 },
 204        { USB_DEVICE(0x0489, 0xe076), .driver_info = BTUSB_ATH3012 },
 205        { USB_DEVICE(0x0489, 0xe078), .driver_info = BTUSB_ATH3012 },
 206        { USB_DEVICE(0x0489, 0xe095), .driver_info = BTUSB_ATH3012 },
 207        { USB_DEVICE(0x04c5, 0x1330), .driver_info = BTUSB_ATH3012 },
 208        { USB_DEVICE(0x04ca, 0x3004), .driver_info = BTUSB_ATH3012 },
 209        { USB_DEVICE(0x04ca, 0x3005), .driver_info = BTUSB_ATH3012 },
 210        { USB_DEVICE(0x04ca, 0x3006), .driver_info = BTUSB_ATH3012 },
 211        { USB_DEVICE(0x04ca, 0x3007), .driver_info = BTUSB_ATH3012 },
 212        { USB_DEVICE(0x04ca, 0x3008), .driver_info = BTUSB_ATH3012 },
 213        { USB_DEVICE(0x04ca, 0x300b), .driver_info = BTUSB_ATH3012 },
 214        { USB_DEVICE(0x04ca, 0x300d), .driver_info = BTUSB_ATH3012 },
 215        { USB_DEVICE(0x04ca, 0x300f), .driver_info = BTUSB_ATH3012 },
 216        { USB_DEVICE(0x04ca, 0x3010), .driver_info = BTUSB_ATH3012 },
 217        { USB_DEVICE(0x04ca, 0x3014), .driver_info = BTUSB_ATH3012 },
 218        { USB_DEVICE(0x04ca, 0x3018), .driver_info = BTUSB_ATH3012 },
 219        { USB_DEVICE(0x0930, 0x0219), .driver_info = BTUSB_ATH3012 },
 220        { USB_DEVICE(0x0930, 0x021c), .driver_info = BTUSB_ATH3012 },
 221        { USB_DEVICE(0x0930, 0x0220), .driver_info = BTUSB_ATH3012 },
 222        { USB_DEVICE(0x0930, 0x0227), .driver_info = BTUSB_ATH3012 },
 223        { USB_DEVICE(0x0b05, 0x17d0), .driver_info = BTUSB_ATH3012 },
 224        { USB_DEVICE(0x0cf3, 0x0036), .driver_info = BTUSB_ATH3012 },
 225        { USB_DEVICE(0x0cf3, 0x3004), .driver_info = BTUSB_ATH3012 },
 226        { USB_DEVICE(0x0cf3, 0x3008), .driver_info = BTUSB_ATH3012 },
 227        { USB_DEVICE(0x0cf3, 0x311d), .driver_info = BTUSB_ATH3012 },
 228        { USB_DEVICE(0x0cf3, 0x311e), .driver_info = BTUSB_ATH3012 },
 229        { USB_DEVICE(0x0cf3, 0x311f), .driver_info = BTUSB_ATH3012 },
 230        { USB_DEVICE(0x0cf3, 0x3121), .driver_info = BTUSB_ATH3012 },
 231        { USB_DEVICE(0x0cf3, 0x817a), .driver_info = BTUSB_ATH3012 },
 232        { USB_DEVICE(0x0cf3, 0x817b), .driver_info = BTUSB_ATH3012 },
 233        { USB_DEVICE(0x0cf3, 0xe003), .driver_info = BTUSB_ATH3012 },
 234        { USB_DEVICE(0x0cf3, 0xe004), .driver_info = BTUSB_ATH3012 },
 235        { USB_DEVICE(0x0cf3, 0xe005), .driver_info = BTUSB_ATH3012 },
 236        { USB_DEVICE(0x0cf3, 0xe006), .driver_info = BTUSB_ATH3012 },
 237        { USB_DEVICE(0x13d3, 0x3362), .driver_info = BTUSB_ATH3012 },
 238        { USB_DEVICE(0x13d3, 0x3375), .driver_info = BTUSB_ATH3012 },
 239        { USB_DEVICE(0x13d3, 0x3393), .driver_info = BTUSB_ATH3012 },
 240        { USB_DEVICE(0x13d3, 0x3395), .driver_info = BTUSB_ATH3012 },
 241        { USB_DEVICE(0x13d3, 0x3402), .driver_info = BTUSB_ATH3012 },
 242        { USB_DEVICE(0x13d3, 0x3408), .driver_info = BTUSB_ATH3012 },
 243        { USB_DEVICE(0x13d3, 0x3423), .driver_info = BTUSB_ATH3012 },
 244        { USB_DEVICE(0x13d3, 0x3432), .driver_info = BTUSB_ATH3012 },
 245        { USB_DEVICE(0x13d3, 0x3472), .driver_info = BTUSB_ATH3012 },
 246        { USB_DEVICE(0x13d3, 0x3474), .driver_info = BTUSB_ATH3012 },
 247        { USB_DEVICE(0x13d3, 0x3487), .driver_info = BTUSB_ATH3012 },
 248        { USB_DEVICE(0x13d3, 0x3490), .driver_info = BTUSB_ATH3012 },
 249
 250        /* Atheros AR5BBU12 with sflash firmware */
 251        { USB_DEVICE(0x0489, 0xe02c), .driver_info = BTUSB_IGNORE },
 252
 253        /* Atheros AR5BBU12 with sflash firmware */
 254        { USB_DEVICE(0x0489, 0xe036), .driver_info = BTUSB_ATH3012 },
 255        { USB_DEVICE(0x0489, 0xe03c), .driver_info = BTUSB_ATH3012 },
 256
 257        /* QCA ROME chipset */
 258        { USB_DEVICE(0x0cf3, 0x535b), .driver_info = BTUSB_QCA_ROME |
 259                                                     BTUSB_WIDEBAND_SPEECH },
 260        { USB_DEVICE(0x0cf3, 0xe007), .driver_info = BTUSB_QCA_ROME |
 261                                                     BTUSB_WIDEBAND_SPEECH },
 262        { USB_DEVICE(0x0cf3, 0xe009), .driver_info = BTUSB_QCA_ROME |
 263                                                     BTUSB_WIDEBAND_SPEECH },
 264        { USB_DEVICE(0x0cf3, 0xe010), .driver_info = BTUSB_QCA_ROME |
 265                                                     BTUSB_WIDEBAND_SPEECH },
 266        { USB_DEVICE(0x0cf3, 0xe300), .driver_info = BTUSB_QCA_ROME |
 267                                                     BTUSB_WIDEBAND_SPEECH },
 268        { USB_DEVICE(0x0cf3, 0xe301), .driver_info = BTUSB_QCA_ROME |
 269                                                     BTUSB_WIDEBAND_SPEECH },
 270        { USB_DEVICE(0x0cf3, 0xe360), .driver_info = BTUSB_QCA_ROME |
 271                                                     BTUSB_WIDEBAND_SPEECH },
 272        { USB_DEVICE(0x0489, 0xe092), .driver_info = BTUSB_QCA_ROME |
 273                                                     BTUSB_WIDEBAND_SPEECH },
 274        { USB_DEVICE(0x0489, 0xe09f), .driver_info = BTUSB_QCA_ROME |
 275                                                     BTUSB_WIDEBAND_SPEECH },
 276        { USB_DEVICE(0x0489, 0xe0a2), .driver_info = BTUSB_QCA_ROME |
 277                                                     BTUSB_WIDEBAND_SPEECH },
 278        { USB_DEVICE(0x04ca, 0x3011), .driver_info = BTUSB_QCA_ROME |
 279                                                     BTUSB_WIDEBAND_SPEECH },
 280        { USB_DEVICE(0x04ca, 0x3015), .driver_info = BTUSB_QCA_ROME |
 281                                                     BTUSB_WIDEBAND_SPEECH },
 282        { USB_DEVICE(0x04ca, 0x3016), .driver_info = BTUSB_QCA_ROME |
 283                                                     BTUSB_WIDEBAND_SPEECH },
 284        { USB_DEVICE(0x04ca, 0x301a), .driver_info = BTUSB_QCA_ROME |
 285                                                     BTUSB_WIDEBAND_SPEECH },
 286        { USB_DEVICE(0x04ca, 0x3021), .driver_info = BTUSB_QCA_ROME |
 287                                                     BTUSB_WIDEBAND_SPEECH },
 288        { USB_DEVICE(0x13d3, 0x3491), .driver_info = BTUSB_QCA_ROME |
 289                                                     BTUSB_WIDEBAND_SPEECH },
 290        { USB_DEVICE(0x13d3, 0x3496), .driver_info = BTUSB_QCA_ROME |
 291                                                     BTUSB_WIDEBAND_SPEECH },
 292        { USB_DEVICE(0x13d3, 0x3501), .driver_info = BTUSB_QCA_ROME |
 293                                                     BTUSB_WIDEBAND_SPEECH },
 294
 295        /* QCA WCN6855 chipset */
 296        { USB_DEVICE(0x0cf3, 0xe600), .driver_info = BTUSB_QCA_WCN6855 |
 297                                                     BTUSB_WIDEBAND_SPEECH },
 298
 299        /* Broadcom BCM2035 */
 300        { USB_DEVICE(0x0a5c, 0x2009), .driver_info = BTUSB_BCM92035 },
 301        { USB_DEVICE(0x0a5c, 0x200a), .driver_info = BTUSB_WRONG_SCO_MTU },
 302        { USB_DEVICE(0x0a5c, 0x2035), .driver_info = BTUSB_WRONG_SCO_MTU },
 303
 304        /* Broadcom BCM2045 */
 305        { USB_DEVICE(0x0a5c, 0x2039), .driver_info = BTUSB_WRONG_SCO_MTU },
 306        { USB_DEVICE(0x0a5c, 0x2101), .driver_info = BTUSB_WRONG_SCO_MTU },
 307
 308        /* IBM/Lenovo ThinkPad with Broadcom chip */
 309        { USB_DEVICE(0x0a5c, 0x201e), .driver_info = BTUSB_WRONG_SCO_MTU },
 310        { USB_DEVICE(0x0a5c, 0x2110), .driver_info = BTUSB_WRONG_SCO_MTU },
 311
 312        /* HP laptop with Broadcom chip */
 313        { USB_DEVICE(0x03f0, 0x171d), .driver_info = BTUSB_WRONG_SCO_MTU },
 314
 315        /* Dell laptop with Broadcom chip */
 316        { USB_DEVICE(0x413c, 0x8126), .driver_info = BTUSB_WRONG_SCO_MTU },
 317
 318        /* Dell Wireless 370 and 410 devices */
 319        { USB_DEVICE(0x413c, 0x8152), .driver_info = BTUSB_WRONG_SCO_MTU },
 320        { USB_DEVICE(0x413c, 0x8156), .driver_info = BTUSB_WRONG_SCO_MTU },
 321
 322        /* Belkin F8T012 and F8T013 devices */
 323        { USB_DEVICE(0x050d, 0x0012), .driver_info = BTUSB_WRONG_SCO_MTU },
 324        { USB_DEVICE(0x050d, 0x0013), .driver_info = BTUSB_WRONG_SCO_MTU },
 325
 326        /* Asus WL-BTD202 device */
 327        { USB_DEVICE(0x0b05, 0x1715), .driver_info = BTUSB_WRONG_SCO_MTU },
 328
 329        /* Kensington Bluetooth USB adapter */
 330        { USB_DEVICE(0x047d, 0x105e), .driver_info = BTUSB_WRONG_SCO_MTU },
 331
 332        /* RTX Telecom based adapters with buggy SCO support */
 333        { USB_DEVICE(0x0400, 0x0807), .driver_info = BTUSB_BROKEN_ISOC },
 334        { USB_DEVICE(0x0400, 0x080a), .driver_info = BTUSB_BROKEN_ISOC },
 335
 336        /* CONWISE Technology based adapters with buggy SCO support */
 337        { USB_DEVICE(0x0e5e, 0x6622),
 338          .driver_info = BTUSB_BROKEN_ISOC | BTUSB_CW6622},
 339
 340        /* Roper Class 1 Bluetooth Dongle (Silicon Wave based) */
 341        { USB_DEVICE(0x1310, 0x0001), .driver_info = BTUSB_SWAVE },
 342
 343        /* Digianswer devices */
 344        { USB_DEVICE(0x08fd, 0x0001), .driver_info = BTUSB_DIGIANSWER },
 345        { USB_DEVICE(0x08fd, 0x0002), .driver_info = BTUSB_IGNORE },
 346
 347        /* CSR BlueCore Bluetooth Sniffer */
 348        { USB_DEVICE(0x0a12, 0x0002),
 349          .driver_info = BTUSB_SNIFFER | BTUSB_BROKEN_ISOC },
 350
 351        /* Frontline ComProbe Bluetooth Sniffer */
 352        { USB_DEVICE(0x16d3, 0x0002),
 353          .driver_info = BTUSB_SNIFFER | BTUSB_BROKEN_ISOC },
 354
 355        /* Marvell Bluetooth devices */
 356        { USB_DEVICE(0x1286, 0x2044), .driver_info = BTUSB_MARVELL },
 357        { USB_DEVICE(0x1286, 0x2046), .driver_info = BTUSB_MARVELL },
 358        { USB_DEVICE(0x1286, 0x204e), .driver_info = BTUSB_MARVELL },
 359
 360        /* Intel Bluetooth devices */
 361        { USB_DEVICE(0x8087, 0x0025), .driver_info = BTUSB_INTEL_NEW |
 362                                                     BTUSB_WIDEBAND_SPEECH |
 363                                                     BTUSB_VALID_LE_STATES },
 364        { USB_DEVICE(0x8087, 0x0026), .driver_info = BTUSB_INTEL_NEW |
 365                                                     BTUSB_WIDEBAND_SPEECH },
 366        { USB_DEVICE(0x8087, 0x0029), .driver_info = BTUSB_INTEL_NEW |
 367                                                     BTUSB_WIDEBAND_SPEECH },
 368        { USB_DEVICE(0x8087, 0x0032), .driver_info = BTUSB_INTEL_NEW |
 369                                                     BTUSB_WIDEBAND_SPEECH},
 370        { USB_DEVICE(0x8087, 0x07da), .driver_info = BTUSB_CSR },
 371        { USB_DEVICE(0x8087, 0x07dc), .driver_info = BTUSB_INTEL },
 372        { USB_DEVICE(0x8087, 0x0a2a), .driver_info = BTUSB_INTEL },
 373        { USB_DEVICE(0x8087, 0x0a2b), .driver_info = BTUSB_INTEL_NEW |
 374                                                     BTUSB_WIDEBAND_SPEECH },
 375        { USB_DEVICE(0x8087, 0x0aa7), .driver_info = BTUSB_INTEL |
 376                                                     BTUSB_WIDEBAND_SPEECH },
 377        { USB_DEVICE(0x8087, 0x0aaa), .driver_info = BTUSB_INTEL_NEW |
 378                                                     BTUSB_WIDEBAND_SPEECH |
 379                                                     BTUSB_VALID_LE_STATES },
 380
 381        /* Other Intel Bluetooth devices */
 382        { USB_VENDOR_AND_INTERFACE_INFO(0x8087, 0xe0, 0x01, 0x01),
 383          .driver_info = BTUSB_IGNORE },
 384
 385        /* Realtek 8822CE Bluetooth devices */
 386        { USB_DEVICE(0x0bda, 0xb00c), .driver_info = BTUSB_REALTEK |
 387                                                     BTUSB_WIDEBAND_SPEECH },
 388
 389        /* Realtek Bluetooth devices */
 390        { USB_VENDOR_AND_INTERFACE_INFO(0x0bda, 0xe0, 0x01, 0x01),
 391          .driver_info = BTUSB_REALTEK },
 392
 393        /* MediaTek Bluetooth devices */
 394        { USB_VENDOR_AND_INTERFACE_INFO(0x0e8d, 0xe0, 0x01, 0x01),
 395          .driver_info = BTUSB_MEDIATEK },
 396
 397        /* Additional Realtek 8723AE Bluetooth devices */
 398        { USB_DEVICE(0x0930, 0x021d), .driver_info = BTUSB_REALTEK },
 399        { USB_DEVICE(0x13d3, 0x3394), .driver_info = BTUSB_REALTEK },
 400
 401        /* Additional Realtek 8723BE Bluetooth devices */
 402        { USB_DEVICE(0x0489, 0xe085), .driver_info = BTUSB_REALTEK },
 403        { USB_DEVICE(0x0489, 0xe08b), .driver_info = BTUSB_REALTEK },
 404        { USB_DEVICE(0x13d3, 0x3410), .driver_info = BTUSB_REALTEK },
 405        { USB_DEVICE(0x13d3, 0x3416), .driver_info = BTUSB_REALTEK },
 406        { USB_DEVICE(0x13d3, 0x3459), .driver_info = BTUSB_REALTEK },
 407        { USB_DEVICE(0x13d3, 0x3494), .driver_info = BTUSB_REALTEK },
 408
 409        /* Additional Realtek 8723BU Bluetooth devices */
 410        { USB_DEVICE(0x7392, 0xa611), .driver_info = BTUSB_REALTEK },
 411
 412        /* Additional Realtek 8723DE Bluetooth devices */
 413        { USB_DEVICE(0x0bda, 0xb009), .driver_info = BTUSB_REALTEK },
 414        { USB_DEVICE(0x2ff8, 0xb011), .driver_info = BTUSB_REALTEK },
 415
 416        /* Additional Realtek 8821AE Bluetooth devices */
 417        { USB_DEVICE(0x0b05, 0x17dc), .driver_info = BTUSB_REALTEK },
 418        { USB_DEVICE(0x13d3, 0x3414), .driver_info = BTUSB_REALTEK },
 419        { USB_DEVICE(0x13d3, 0x3458), .driver_info = BTUSB_REALTEK },
 420        { USB_DEVICE(0x13d3, 0x3461), .driver_info = BTUSB_REALTEK },
 421        { USB_DEVICE(0x13d3, 0x3462), .driver_info = BTUSB_REALTEK },
 422
 423        /* Additional Realtek 8822BE Bluetooth devices */
 424        { USB_DEVICE(0x13d3, 0x3526), .driver_info = BTUSB_REALTEK },
 425        { USB_DEVICE(0x0b05, 0x185c), .driver_info = BTUSB_REALTEK },
 426
 427        /* Additional Realtek 8822CE Bluetooth devices */
 428        { USB_DEVICE(0x04ca, 0x4005), .driver_info = BTUSB_REALTEK },
 429        { USB_DEVICE(0x13d3, 0x3548), .driver_info = BTUSB_REALTEK },
 430
 431        /* Silicon Wave based devices */
 432        { USB_DEVICE(0x0c10, 0x0000), .driver_info = BTUSB_SWAVE },
 433
 434        { }     /* Terminating entry */
 435};
 436
 437/* The Bluetooth USB module build into some devices needs to be reset on resume,
 438 * this is a problem with the platform (likely shutting off all power) not with
 439 * the module itself. So we use a DMI list to match known broken platforms.
 440 */
 441static const struct dmi_system_id btusb_needs_reset_resume_table[] = {
 442        {
 443                /* Dell OptiPlex 3060 (QCA ROME device 0cf3:e007) */
 444                .matches = {
 445                        DMI_MATCH(DMI_SYS_VENDOR, "Dell Inc."),
 446                        DMI_MATCH(DMI_PRODUCT_NAME, "OptiPlex 3060"),
 447                },
 448        },
 449        {
 450                /* Dell XPS 9360 (QCA ROME device 0cf3:e300) */
 451                .matches = {
 452                        DMI_MATCH(DMI_SYS_VENDOR, "Dell Inc."),
 453                        DMI_MATCH(DMI_PRODUCT_NAME, "XPS 13 9360"),
 454                },
 455        },
 456        {
 457                /* Dell Inspiron 5565 (QCA ROME device 0cf3:e009) */
 458                .matches = {
 459                        DMI_MATCH(DMI_SYS_VENDOR, "Dell Inc."),
 460                        DMI_MATCH(DMI_PRODUCT_NAME, "Inspiron 5565"),
 461                },
 462        },
 463        {}
 464};
 465
 466#define BTUSB_MAX_ISOC_FRAMES   10
 467
 468#define BTUSB_INTR_RUNNING      0
 469#define BTUSB_BULK_RUNNING      1
 470#define BTUSB_ISOC_RUNNING      2
 471#define BTUSB_SUSPENDING        3
 472#define BTUSB_DID_ISO_RESUME    4
 473#define BTUSB_BOOTLOADER        5
 474#define BTUSB_DOWNLOADING       6
 475#define BTUSB_FIRMWARE_LOADED   7
 476#define BTUSB_FIRMWARE_FAILED   8
 477#define BTUSB_BOOTING           9
 478#define BTUSB_DIAG_RUNNING      10
 479#define BTUSB_OOB_WAKE_ENABLED  11
 480#define BTUSB_HW_RESET_ACTIVE   12
 481#define BTUSB_TX_WAIT_VND_EVT   13
 482#define BTUSB_WAKEUP_DISABLE    14
 483#define BTUSB_USE_ALT1_FOR_WBS  15
 484
 485struct btusb_data {
 486        struct hci_dev       *hdev;
 487        struct usb_device    *udev;
 488        struct usb_interface *intf;
 489        struct usb_interface *isoc;
 490        struct usb_interface *diag;
 491        unsigned isoc_ifnum;
 492
 493        unsigned long flags;
 494
 495        struct work_struct work;
 496        struct work_struct waker;
 497
 498        struct usb_anchor deferred;
 499        struct usb_anchor tx_anchor;
 500        int tx_in_flight;
 501        spinlock_t txlock;
 502
 503        struct usb_anchor intr_anchor;
 504        struct usb_anchor bulk_anchor;
 505        struct usb_anchor isoc_anchor;
 506        struct usb_anchor diag_anchor;
 507        struct usb_anchor ctrl_anchor;
 508        spinlock_t rxlock;
 509
 510        struct sk_buff *evt_skb;
 511        struct sk_buff *acl_skb;
 512        struct sk_buff *sco_skb;
 513
 514        struct usb_endpoint_descriptor *intr_ep;
 515        struct usb_endpoint_descriptor *bulk_tx_ep;
 516        struct usb_endpoint_descriptor *bulk_rx_ep;
 517        struct usb_endpoint_descriptor *isoc_tx_ep;
 518        struct usb_endpoint_descriptor *isoc_rx_ep;
 519        struct usb_endpoint_descriptor *diag_tx_ep;
 520        struct usb_endpoint_descriptor *diag_rx_ep;
 521
 522        struct gpio_desc *reset_gpio;
 523
 524        __u8 cmdreq_type;
 525        __u8 cmdreq;
 526
 527        unsigned int sco_num;
 528        unsigned int air_mode;
 529        bool usb_alt6_packet_flow;
 530        int isoc_altsetting;
 531        int suspend_count;
 532
 533        int (*recv_event)(struct hci_dev *hdev, struct sk_buff *skb);
 534        int (*recv_bulk)(struct btusb_data *data, void *buffer, int count);
 535
 536        int (*setup_on_usb)(struct hci_dev *hdev);
 537
 538        int oob_wake_irq;   /* irq for out-of-band wake-on-bt */
 539        unsigned cmd_timeout_cnt;
 540};
 541
 542static void btusb_intel_cmd_timeout(struct hci_dev *hdev)
 543{
 544        struct btusb_data *data = hci_get_drvdata(hdev);
 545        struct gpio_desc *reset_gpio = data->reset_gpio;
 546
 547        if (++data->cmd_timeout_cnt < 5)
 548                return;
 549
 550        if (!reset_gpio) {
 551                bt_dev_err(hdev, "No way to reset. Ignoring and continuing");
 552                return;
 553        }
 554
 555        /*
 556         * Toggle the hard reset line if the platform provides one. The reset
 557         * is going to yank the device off the USB and then replug. So doing
 558         * once is enough. The cleanup is handled correctly on the way out
 559         * (standard USB disconnect), and the new device is detected cleanly
 560         * and bound to the driver again like it should be.
 561         */
 562        if (test_and_set_bit(BTUSB_HW_RESET_ACTIVE, &data->flags)) {
 563                bt_dev_err(hdev, "last reset failed? Not resetting again");
 564                return;
 565        }
 566
 567        bt_dev_err(hdev, "Initiating HW reset via gpio");
 568        gpiod_set_value_cansleep(reset_gpio, 1);
 569        msleep(100);
 570        gpiod_set_value_cansleep(reset_gpio, 0);
 571}
 572
 573static void btusb_rtl_cmd_timeout(struct hci_dev *hdev)
 574{
 575        struct btusb_data *data = hci_get_drvdata(hdev);
 576        struct gpio_desc *reset_gpio = data->reset_gpio;
 577
 578        if (++data->cmd_timeout_cnt < 5)
 579                return;
 580
 581        if (!reset_gpio) {
 582                bt_dev_err(hdev, "No gpio to reset Realtek device, ignoring");
 583                return;
 584        }
 585
 586        /* Toggle the hard reset line. The Realtek device is going to
 587         * yank itself off the USB and then replug. The cleanup is handled
 588         * correctly on the way out (standard USB disconnect), and the new
 589         * device is detected cleanly and bound to the driver again like
 590         * it should be.
 591         */
 592        if (test_and_set_bit(BTUSB_HW_RESET_ACTIVE, &data->flags)) {
 593                bt_dev_err(hdev, "last reset failed? Not resetting again");
 594                return;
 595        }
 596
 597        bt_dev_err(hdev, "Reset Realtek device via gpio");
 598        gpiod_set_value_cansleep(reset_gpio, 1);
 599        msleep(200);
 600        gpiod_set_value_cansleep(reset_gpio, 0);
 601}
 602
 603static void btusb_qca_cmd_timeout(struct hci_dev *hdev)
 604{
 605        struct btusb_data *data = hci_get_drvdata(hdev);
 606        int err;
 607
 608        if (++data->cmd_timeout_cnt < 5)
 609                return;
 610
 611        bt_dev_err(hdev, "Multiple cmd timeouts seen. Resetting usb device.");
 612        /* This is not an unbalanced PM reference since the device will reset */
 613        err = usb_autopm_get_interface(data->intf);
 614        if (!err)
 615                usb_queue_reset_device(data->intf);
 616        else
 617                bt_dev_err(hdev, "Failed usb_autopm_get_interface with %d", err);
 618}
 619
 620static inline void btusb_free_frags(struct btusb_data *data)
 621{
 622        unsigned long flags;
 623
 624        spin_lock_irqsave(&data->rxlock, flags);
 625
 626        kfree_skb(data->evt_skb);
 627        data->evt_skb = NULL;
 628
 629        kfree_skb(data->acl_skb);
 630        data->acl_skb = NULL;
 631
 632        kfree_skb(data->sco_skb);
 633        data->sco_skb = NULL;
 634
 635        spin_unlock_irqrestore(&data->rxlock, flags);
 636}
 637
 638static int btusb_recv_intr(struct btusb_data *data, void *buffer, int count)
 639{
 640        struct sk_buff *skb;
 641        unsigned long flags;
 642        int err = 0;
 643
 644        spin_lock_irqsave(&data->rxlock, flags);
 645        skb = data->evt_skb;
 646
 647        while (count) {
 648                int len;
 649
 650                if (!skb) {
 651                        skb = bt_skb_alloc(HCI_MAX_EVENT_SIZE, GFP_ATOMIC);
 652                        if (!skb) {
 653                                err = -ENOMEM;
 654                                break;
 655                        }
 656
 657                        hci_skb_pkt_type(skb) = HCI_EVENT_PKT;
 658                        hci_skb_expect(skb) = HCI_EVENT_HDR_SIZE;
 659                }
 660
 661                len = min_t(uint, hci_skb_expect(skb), count);
 662                skb_put_data(skb, buffer, len);
 663
 664                count -= len;
 665                buffer += len;
 666                hci_skb_expect(skb) -= len;
 667
 668                if (skb->len == HCI_EVENT_HDR_SIZE) {
 669                        /* Complete event header */
 670                        hci_skb_expect(skb) = hci_event_hdr(skb)->plen;
 671
 672                        if (skb_tailroom(skb) < hci_skb_expect(skb)) {
 673                                kfree_skb(skb);
 674                                skb = NULL;
 675
 676                                err = -EILSEQ;
 677                                break;
 678                        }
 679                }
 680
 681                if (!hci_skb_expect(skb)) {
 682                        /* Complete frame */
 683                        data->recv_event(data->hdev, skb);
 684                        skb = NULL;
 685                }
 686        }
 687
 688        data->evt_skb = skb;
 689        spin_unlock_irqrestore(&data->rxlock, flags);
 690
 691        return err;
 692}
 693
 694static int btusb_recv_bulk(struct btusb_data *data, void *buffer, int count)
 695{
 696        struct sk_buff *skb;
 697        unsigned long flags;
 698        int err = 0;
 699
 700        spin_lock_irqsave(&data->rxlock, flags);
 701        skb = data->acl_skb;
 702
 703        while (count) {
 704                int len;
 705
 706                if (!skb) {
 707                        skb = bt_skb_alloc(HCI_MAX_FRAME_SIZE, GFP_ATOMIC);
 708                        if (!skb) {
 709                                err = -ENOMEM;
 710                                break;
 711                        }
 712
 713                        hci_skb_pkt_type(skb) = HCI_ACLDATA_PKT;
 714                        hci_skb_expect(skb) = HCI_ACL_HDR_SIZE;
 715                }
 716
 717                len = min_t(uint, hci_skb_expect(skb), count);
 718                skb_put_data(skb, buffer, len);
 719
 720                count -= len;
 721                buffer += len;
 722                hci_skb_expect(skb) -= len;
 723
 724                if (skb->len == HCI_ACL_HDR_SIZE) {
 725                        __le16 dlen = hci_acl_hdr(skb)->dlen;
 726
 727                        /* Complete ACL header */
 728                        hci_skb_expect(skb) = __le16_to_cpu(dlen);
 729
 730                        if (skb_tailroom(skb) < hci_skb_expect(skb)) {
 731                                kfree_skb(skb);
 732                                skb = NULL;
 733
 734                                err = -EILSEQ;
 735                                break;
 736                        }
 737                }
 738
 739                if (!hci_skb_expect(skb)) {
 740                        /* Complete frame */
 741                        hci_recv_frame(data->hdev, skb);
 742                        skb = NULL;
 743                }
 744        }
 745
 746        data->acl_skb = skb;
 747        spin_unlock_irqrestore(&data->rxlock, flags);
 748
 749        return err;
 750}
 751
 752static int btusb_recv_isoc(struct btusb_data *data, void *buffer, int count)
 753{
 754        struct sk_buff *skb;
 755        unsigned long flags;
 756        int err = 0;
 757
 758        spin_lock_irqsave(&data->rxlock, flags);
 759        skb = data->sco_skb;
 760
 761        while (count) {
 762                int len;
 763
 764                if (!skb) {
 765                        skb = bt_skb_alloc(HCI_MAX_SCO_SIZE, GFP_ATOMIC);
 766                        if (!skb) {
 767                                err = -ENOMEM;
 768                                break;
 769                        }
 770
 771                        hci_skb_pkt_type(skb) = HCI_SCODATA_PKT;
 772                        hci_skb_expect(skb) = HCI_SCO_HDR_SIZE;
 773                }
 774
 775                len = min_t(uint, hci_skb_expect(skb), count);
 776                skb_put_data(skb, buffer, len);
 777
 778                count -= len;
 779                buffer += len;
 780                hci_skb_expect(skb) -= len;
 781
 782                if (skb->len == HCI_SCO_HDR_SIZE) {
 783                        /* Complete SCO header */
 784                        hci_skb_expect(skb) = hci_sco_hdr(skb)->dlen;
 785
 786                        if (skb_tailroom(skb) < hci_skb_expect(skb)) {
 787                                kfree_skb(skb);
 788                                skb = NULL;
 789
 790                                err = -EILSEQ;
 791                                break;
 792                        }
 793                }
 794
 795                if (!hci_skb_expect(skb)) {
 796                        /* Complete frame */
 797                        hci_recv_frame(data->hdev, skb);
 798                        skb = NULL;
 799                }
 800        }
 801
 802        data->sco_skb = skb;
 803        spin_unlock_irqrestore(&data->rxlock, flags);
 804
 805        return err;
 806}
 807
 808static void btusb_intr_complete(struct urb *urb)
 809{
 810        struct hci_dev *hdev = urb->context;
 811        struct btusb_data *data = hci_get_drvdata(hdev);
 812        int err;
 813
 814        BT_DBG("%s urb %p status %d count %d", hdev->name, urb, urb->status,
 815               urb->actual_length);
 816
 817        if (!test_bit(HCI_RUNNING, &hdev->flags))
 818                return;
 819
 820        if (urb->status == 0) {
 821                hdev->stat.byte_rx += urb->actual_length;
 822
 823                if (btusb_recv_intr(data, urb->transfer_buffer,
 824                                    urb->actual_length) < 0) {
 825                        bt_dev_err(hdev, "corrupted event packet");
 826                        hdev->stat.err_rx++;
 827                }
 828        } else if (urb->status == -ENOENT) {
 829                /* Avoid suspend failed when usb_kill_urb */
 830                return;
 831        }
 832
 833        if (!test_bit(BTUSB_INTR_RUNNING, &data->flags))
 834                return;
 835
 836        usb_mark_last_busy(data->udev);
 837        usb_anchor_urb(urb, &data->intr_anchor);
 838
 839        err = usb_submit_urb(urb, GFP_ATOMIC);
 840        if (err < 0) {
 841                /* -EPERM: urb is being killed;
 842                 * -ENODEV: device got disconnected
 843                 */
 844                if (err != -EPERM && err != -ENODEV)
 845                        bt_dev_err(hdev, "urb %p failed to resubmit (%d)",
 846                                   urb, -err);
 847                usb_unanchor_urb(urb);
 848        }
 849}
 850
 851static int btusb_submit_intr_urb(struct hci_dev *hdev, gfp_t mem_flags)
 852{
 853        struct btusb_data *data = hci_get_drvdata(hdev);
 854        struct urb *urb;
 855        unsigned char *buf;
 856        unsigned int pipe;
 857        int err, size;
 858
 859        BT_DBG("%s", hdev->name);
 860
 861        if (!data->intr_ep)
 862                return -ENODEV;
 863
 864        urb = usb_alloc_urb(0, mem_flags);
 865        if (!urb)
 866                return -ENOMEM;
 867
 868        size = le16_to_cpu(data->intr_ep->wMaxPacketSize);
 869
 870        buf = kmalloc(size, mem_flags);
 871        if (!buf) {
 872                usb_free_urb(urb);
 873                return -ENOMEM;
 874        }
 875
 876        pipe = usb_rcvintpipe(data->udev, data->intr_ep->bEndpointAddress);
 877
 878        usb_fill_int_urb(urb, data->udev, pipe, buf, size,
 879                         btusb_intr_complete, hdev, data->intr_ep->bInterval);
 880
 881        urb->transfer_flags |= URB_FREE_BUFFER;
 882
 883        usb_anchor_urb(urb, &data->intr_anchor);
 884
 885        err = usb_submit_urb(urb, mem_flags);
 886        if (err < 0) {
 887                if (err != -EPERM && err != -ENODEV)
 888                        bt_dev_err(hdev, "urb %p submission failed (%d)",
 889                                   urb, -err);
 890                usb_unanchor_urb(urb);
 891        }
 892
 893        usb_free_urb(urb);
 894
 895        return err;
 896}
 897
 898static void btusb_bulk_complete(struct urb *urb)
 899{
 900        struct hci_dev *hdev = urb->context;
 901        struct btusb_data *data = hci_get_drvdata(hdev);
 902        int err;
 903
 904        BT_DBG("%s urb %p status %d count %d", hdev->name, urb, urb->status,
 905               urb->actual_length);
 906
 907        if (!test_bit(HCI_RUNNING, &hdev->flags))
 908                return;
 909
 910        if (urb->status == 0) {
 911                hdev->stat.byte_rx += urb->actual_length;
 912
 913                if (data->recv_bulk(data, urb->transfer_buffer,
 914                                    urb->actual_length) < 0) {
 915                        bt_dev_err(hdev, "corrupted ACL packet");
 916                        hdev->stat.err_rx++;
 917                }
 918        } else if (urb->status == -ENOENT) {
 919                /* Avoid suspend failed when usb_kill_urb */
 920                return;
 921        }
 922
 923        if (!test_bit(BTUSB_BULK_RUNNING, &data->flags))
 924                return;
 925
 926        usb_anchor_urb(urb, &data->bulk_anchor);
 927        usb_mark_last_busy(data->udev);
 928
 929        err = usb_submit_urb(urb, GFP_ATOMIC);
 930        if (err < 0) {
 931                /* -EPERM: urb is being killed;
 932                 * -ENODEV: device got disconnected
 933                 */
 934                if (err != -EPERM && err != -ENODEV)
 935                        bt_dev_err(hdev, "urb %p failed to resubmit (%d)",
 936                                   urb, -err);
 937                usb_unanchor_urb(urb);
 938        }
 939}
 940
 941static int btusb_submit_bulk_urb(struct hci_dev *hdev, gfp_t mem_flags)
 942{
 943        struct btusb_data *data = hci_get_drvdata(hdev);
 944        struct urb *urb;
 945        unsigned char *buf;
 946        unsigned int pipe;
 947        int err, size = HCI_MAX_FRAME_SIZE;
 948
 949        BT_DBG("%s", hdev->name);
 950
 951        if (!data->bulk_rx_ep)
 952                return -ENODEV;
 953
 954        urb = usb_alloc_urb(0, mem_flags);
 955        if (!urb)
 956                return -ENOMEM;
 957
 958        buf = kmalloc(size, mem_flags);
 959        if (!buf) {
 960                usb_free_urb(urb);
 961                return -ENOMEM;
 962        }
 963
 964        pipe = usb_rcvbulkpipe(data->udev, data->bulk_rx_ep->bEndpointAddress);
 965
 966        usb_fill_bulk_urb(urb, data->udev, pipe, buf, size,
 967                          btusb_bulk_complete, hdev);
 968
 969        urb->transfer_flags |= URB_FREE_BUFFER;
 970
 971        usb_mark_last_busy(data->udev);
 972        usb_anchor_urb(urb, &data->bulk_anchor);
 973
 974        err = usb_submit_urb(urb, mem_flags);
 975        if (err < 0) {
 976                if (err != -EPERM && err != -ENODEV)
 977                        bt_dev_err(hdev, "urb %p submission failed (%d)",
 978                                   urb, -err);
 979                usb_unanchor_urb(urb);
 980        }
 981
 982        usb_free_urb(urb);
 983
 984        return err;
 985}
 986
 987static void btusb_isoc_complete(struct urb *urb)
 988{
 989        struct hci_dev *hdev = urb->context;
 990        struct btusb_data *data = hci_get_drvdata(hdev);
 991        int i, err;
 992
 993        BT_DBG("%s urb %p status %d count %d", hdev->name, urb, urb->status,
 994               urb->actual_length);
 995
 996        if (!test_bit(HCI_RUNNING, &hdev->flags))
 997                return;
 998
 999        if (urb->status == 0) {
1000                for (i = 0; i < urb->number_of_packets; i++) {
1001                        unsigned int offset = urb->iso_frame_desc[i].offset;
1002                        unsigned int length = urb->iso_frame_desc[i].actual_length;
1003
1004                        if (urb->iso_frame_desc[i].status)
1005                                continue;
1006
1007                        hdev->stat.byte_rx += length;
1008
1009                        if (btusb_recv_isoc(data, urb->transfer_buffer + offset,
1010                                            length) < 0) {
1011                                bt_dev_err(hdev, "corrupted SCO packet");
1012                                hdev->stat.err_rx++;
1013                        }
1014                }
1015        } else if (urb->status == -ENOENT) {
1016                /* Avoid suspend failed when usb_kill_urb */
1017                return;
1018        }
1019
1020        if (!test_bit(BTUSB_ISOC_RUNNING, &data->flags))
1021                return;
1022
1023        usb_anchor_urb(urb, &data->isoc_anchor);
1024
1025        err = usb_submit_urb(urb, GFP_ATOMIC);
1026        if (err < 0) {
1027                /* -EPERM: urb is being killed;
1028                 * -ENODEV: device got disconnected
1029                 */
1030                if (err != -EPERM && err != -ENODEV)
1031                        bt_dev_err(hdev, "urb %p failed to resubmit (%d)",
1032                                   urb, -err);
1033                usb_unanchor_urb(urb);
1034        }
1035}
1036
1037static inline void __fill_isoc_descriptor_msbc(struct urb *urb, int len,
1038                                               int mtu, struct btusb_data *data)
1039{
1040        int i, offset = 0;
1041        unsigned int interval;
1042
1043        BT_DBG("len %d mtu %d", len, mtu);
1044
1045        /* For mSBC ALT 6 setting the host will send the packet at continuous
1046         * flow. As per core spec 5, vol 4, part B, table 2.1. For ALT setting
1047         * 6 the HCI PACKET INTERVAL should be 7.5ms for every usb packets.
1048         * To maintain the rate we send 63bytes of usb packets alternatively for
1049         * 7ms and 8ms to maintain the rate as 7.5ms.
1050         */
1051        if (data->usb_alt6_packet_flow) {
1052                interval = 7;
1053                data->usb_alt6_packet_flow = false;
1054        } else {
1055                interval = 6;
1056                data->usb_alt6_packet_flow = true;
1057        }
1058
1059        for (i = 0; i < interval; i++) {
1060                urb->iso_frame_desc[i].offset = offset;
1061                urb->iso_frame_desc[i].length = offset;
1062        }
1063
1064        if (len && i < BTUSB_MAX_ISOC_FRAMES) {
1065                urb->iso_frame_desc[i].offset = offset;
1066                urb->iso_frame_desc[i].length = len;
1067                i++;
1068        }
1069
1070        urb->number_of_packets = i;
1071}
1072
1073static inline void __fill_isoc_descriptor(struct urb *urb, int len, int mtu)
1074{
1075        int i, offset = 0;
1076
1077        BT_DBG("len %d mtu %d", len, mtu);
1078
1079        for (i = 0; i < BTUSB_MAX_ISOC_FRAMES && len >= mtu;
1080                                        i++, offset += mtu, len -= mtu) {
1081                urb->iso_frame_desc[i].offset = offset;
1082                urb->iso_frame_desc[i].length = mtu;
1083        }
1084
1085        if (len && i < BTUSB_MAX_ISOC_FRAMES) {
1086                urb->iso_frame_desc[i].offset = offset;
1087                urb->iso_frame_desc[i].length = len;
1088                i++;
1089        }
1090
1091        urb->number_of_packets = i;
1092}
1093
1094static int btusb_submit_isoc_urb(struct hci_dev *hdev, gfp_t mem_flags)
1095{
1096        struct btusb_data *data = hci_get_drvdata(hdev);
1097        struct urb *urb;
1098        unsigned char *buf;
1099        unsigned int pipe;
1100        int err, size;
1101
1102        BT_DBG("%s", hdev->name);
1103
1104        if (!data->isoc_rx_ep)
1105                return -ENODEV;
1106
1107        urb = usb_alloc_urb(BTUSB_MAX_ISOC_FRAMES, mem_flags);
1108        if (!urb)
1109                return -ENOMEM;
1110
1111        size = le16_to_cpu(data->isoc_rx_ep->wMaxPacketSize) *
1112                                                BTUSB_MAX_ISOC_FRAMES;
1113
1114        buf = kmalloc(size, mem_flags);
1115        if (!buf) {
1116                usb_free_urb(urb);
1117                return -ENOMEM;
1118        }
1119
1120        pipe = usb_rcvisocpipe(data->udev, data->isoc_rx_ep->bEndpointAddress);
1121
1122        usb_fill_int_urb(urb, data->udev, pipe, buf, size, btusb_isoc_complete,
1123                         hdev, data->isoc_rx_ep->bInterval);
1124
1125        urb->transfer_flags = URB_FREE_BUFFER | URB_ISO_ASAP;
1126
1127        __fill_isoc_descriptor(urb, size,
1128                               le16_to_cpu(data->isoc_rx_ep->wMaxPacketSize));
1129
1130        usb_anchor_urb(urb, &data->isoc_anchor);
1131
1132        err = usb_submit_urb(urb, mem_flags);
1133        if (err < 0) {
1134                if (err != -EPERM && err != -ENODEV)
1135                        bt_dev_err(hdev, "urb %p submission failed (%d)",
1136                                   urb, -err);
1137                usb_unanchor_urb(urb);
1138        }
1139
1140        usb_free_urb(urb);
1141
1142        return err;
1143}
1144
1145static void btusb_diag_complete(struct urb *urb)
1146{
1147        struct hci_dev *hdev = urb->context;
1148        struct btusb_data *data = hci_get_drvdata(hdev);
1149        int err;
1150
1151        BT_DBG("%s urb %p status %d count %d", hdev->name, urb, urb->status,
1152               urb->actual_length);
1153
1154        if (urb->status == 0) {
1155                struct sk_buff *skb;
1156
1157                skb = bt_skb_alloc(urb->actual_length, GFP_ATOMIC);
1158                if (skb) {
1159                        skb_put_data(skb, urb->transfer_buffer,
1160                                     urb->actual_length);
1161                        hci_recv_diag(hdev, skb);
1162                }
1163        } else if (urb->status == -ENOENT) {
1164                /* Avoid suspend failed when usb_kill_urb */
1165                return;
1166        }
1167
1168        if (!test_bit(BTUSB_DIAG_RUNNING, &data->flags))
1169                return;
1170
1171        usb_anchor_urb(urb, &data->diag_anchor);
1172        usb_mark_last_busy(data->udev);
1173
1174        err = usb_submit_urb(urb, GFP_ATOMIC);
1175        if (err < 0) {
1176                /* -EPERM: urb is being killed;
1177                 * -ENODEV: device got disconnected
1178                 */
1179                if (err != -EPERM && err != -ENODEV)
1180                        bt_dev_err(hdev, "urb %p failed to resubmit (%d)",
1181                                   urb, -err);
1182                usb_unanchor_urb(urb);
1183        }
1184}
1185
1186static int btusb_submit_diag_urb(struct hci_dev *hdev, gfp_t mem_flags)
1187{
1188        struct btusb_data *data = hci_get_drvdata(hdev);
1189        struct urb *urb;
1190        unsigned char *buf;
1191        unsigned int pipe;
1192        int err, size = HCI_MAX_FRAME_SIZE;
1193
1194        BT_DBG("%s", hdev->name);
1195
1196        if (!data->diag_rx_ep)
1197                return -ENODEV;
1198
1199        urb = usb_alloc_urb(0, mem_flags);
1200        if (!urb)
1201                return -ENOMEM;
1202
1203        buf = kmalloc(size, mem_flags);
1204        if (!buf) {
1205                usb_free_urb(urb);
1206                return -ENOMEM;
1207        }
1208
1209        pipe = usb_rcvbulkpipe(data->udev, data->diag_rx_ep->bEndpointAddress);
1210
1211        usb_fill_bulk_urb(urb, data->udev, pipe, buf, size,
1212                          btusb_diag_complete, hdev);
1213
1214        urb->transfer_flags |= URB_FREE_BUFFER;
1215
1216        usb_mark_last_busy(data->udev);
1217        usb_anchor_urb(urb, &data->diag_anchor);
1218
1219        err = usb_submit_urb(urb, mem_flags);
1220        if (err < 0) {
1221                if (err != -EPERM && err != -ENODEV)
1222                        bt_dev_err(hdev, "urb %p submission failed (%d)",
1223                                   urb, -err);
1224                usb_unanchor_urb(urb);
1225        }
1226
1227        usb_free_urb(urb);
1228
1229        return err;
1230}
1231
1232static void btusb_tx_complete(struct urb *urb)
1233{
1234        struct sk_buff *skb = urb->context;
1235        struct hci_dev *hdev = (struct hci_dev *)skb->dev;
1236        struct btusb_data *data = hci_get_drvdata(hdev);
1237        unsigned long flags;
1238
1239        BT_DBG("%s urb %p status %d count %d", hdev->name, urb, urb->status,
1240               urb->actual_length);
1241
1242        if (!test_bit(HCI_RUNNING, &hdev->flags))
1243                goto done;
1244
1245        if (!urb->status)
1246                hdev->stat.byte_tx += urb->transfer_buffer_length;
1247        else
1248                hdev->stat.err_tx++;
1249
1250done:
1251        spin_lock_irqsave(&data->txlock, flags);
1252        data->tx_in_flight--;
1253        spin_unlock_irqrestore(&data->txlock, flags);
1254
1255        kfree(urb->setup_packet);
1256
1257        kfree_skb(skb);
1258}
1259
1260static void btusb_isoc_tx_complete(struct urb *urb)
1261{
1262        struct sk_buff *skb = urb->context;
1263        struct hci_dev *hdev = (struct hci_dev *)skb->dev;
1264
1265        BT_DBG("%s urb %p status %d count %d", hdev->name, urb, urb->status,
1266               urb->actual_length);
1267
1268        if (!test_bit(HCI_RUNNING, &hdev->flags))
1269                goto done;
1270
1271        if (!urb->status)
1272                hdev->stat.byte_tx += urb->transfer_buffer_length;
1273        else
1274                hdev->stat.err_tx++;
1275
1276done:
1277        kfree(urb->setup_packet);
1278
1279        kfree_skb(skb);
1280}
1281
1282static int btusb_open(struct hci_dev *hdev)
1283{
1284        struct btusb_data *data = hci_get_drvdata(hdev);
1285        int err;
1286
1287        BT_DBG("%s", hdev->name);
1288
1289        err = usb_autopm_get_interface(data->intf);
1290        if (err < 0)
1291                return err;
1292
1293        /* Patching USB firmware files prior to starting any URBs of HCI path
1294         * It is more safe to use USB bulk channel for downloading USB patch
1295         */
1296        if (data->setup_on_usb) {
1297                err = data->setup_on_usb(hdev);
1298                if (err < 0)
1299                        goto setup_fail;
1300        }
1301
1302        data->intf->needs_remote_wakeup = 1;
1303
1304        /* Disable device remote wakeup when host is suspended
1305         * For Realtek chips, global suspend without
1306         * SET_FEATURE (DEVICE_REMOTE_WAKEUP) can save more power in device.
1307         */
1308        if (test_bit(BTUSB_WAKEUP_DISABLE, &data->flags))
1309                device_wakeup_disable(&data->udev->dev);
1310
1311        if (test_and_set_bit(BTUSB_INTR_RUNNING, &data->flags))
1312                goto done;
1313
1314        err = btusb_submit_intr_urb(hdev, GFP_KERNEL);
1315        if (err < 0)
1316                goto failed;
1317
1318        err = btusb_submit_bulk_urb(hdev, GFP_KERNEL);
1319        if (err < 0) {
1320                usb_kill_anchored_urbs(&data->intr_anchor);
1321                goto failed;
1322        }
1323
1324        set_bit(BTUSB_BULK_RUNNING, &data->flags);
1325        btusb_submit_bulk_urb(hdev, GFP_KERNEL);
1326
1327        if (data->diag) {
1328                if (!btusb_submit_diag_urb(hdev, GFP_KERNEL))
1329                        set_bit(BTUSB_DIAG_RUNNING, &data->flags);
1330        }
1331
1332done:
1333        usb_autopm_put_interface(data->intf);
1334        return 0;
1335
1336failed:
1337        clear_bit(BTUSB_INTR_RUNNING, &data->flags);
1338setup_fail:
1339        usb_autopm_put_interface(data->intf);
1340        return err;
1341}
1342
1343static void btusb_stop_traffic(struct btusb_data *data)
1344{
1345        usb_kill_anchored_urbs(&data->intr_anchor);
1346        usb_kill_anchored_urbs(&data->bulk_anchor);
1347        usb_kill_anchored_urbs(&data->isoc_anchor);
1348        usb_kill_anchored_urbs(&data->diag_anchor);
1349        usb_kill_anchored_urbs(&data->ctrl_anchor);
1350}
1351
1352static int btusb_close(struct hci_dev *hdev)
1353{
1354        struct btusb_data *data = hci_get_drvdata(hdev);
1355        int err;
1356
1357        BT_DBG("%s", hdev->name);
1358
1359        cancel_work_sync(&data->work);
1360        cancel_work_sync(&data->waker);
1361
1362        clear_bit(BTUSB_ISOC_RUNNING, &data->flags);
1363        clear_bit(BTUSB_BULK_RUNNING, &data->flags);
1364        clear_bit(BTUSB_INTR_RUNNING, &data->flags);
1365        clear_bit(BTUSB_DIAG_RUNNING, &data->flags);
1366
1367        btusb_stop_traffic(data);
1368        btusb_free_frags(data);
1369
1370        err = usb_autopm_get_interface(data->intf);
1371        if (err < 0)
1372                goto failed;
1373
1374        data->intf->needs_remote_wakeup = 0;
1375
1376        /* Enable remote wake up for auto-suspend */
1377        if (test_bit(BTUSB_WAKEUP_DISABLE, &data->flags))
1378                data->intf->needs_remote_wakeup = 1;
1379
1380        usb_autopm_put_interface(data->intf);
1381
1382failed:
1383        usb_scuttle_anchored_urbs(&data->deferred);
1384        return 0;
1385}
1386
1387static int btusb_flush(struct hci_dev *hdev)
1388{
1389        struct btusb_data *data = hci_get_drvdata(hdev);
1390
1391        BT_DBG("%s", hdev->name);
1392
1393        usb_kill_anchored_urbs(&data->tx_anchor);
1394        btusb_free_frags(data);
1395
1396        return 0;
1397}
1398
1399static struct urb *alloc_ctrl_urb(struct hci_dev *hdev, struct sk_buff *skb)
1400{
1401        struct btusb_data *data = hci_get_drvdata(hdev);
1402        struct usb_ctrlrequest *dr;
1403        struct urb *urb;
1404        unsigned int pipe;
1405
1406        urb = usb_alloc_urb(0, GFP_KERNEL);
1407        if (!urb)
1408                return ERR_PTR(-ENOMEM);
1409
1410        dr = kmalloc(sizeof(*dr), GFP_KERNEL);
1411        if (!dr) {
1412                usb_free_urb(urb);
1413                return ERR_PTR(-ENOMEM);
1414        }
1415
1416        dr->bRequestType = data->cmdreq_type;
1417        dr->bRequest     = data->cmdreq;
1418        dr->wIndex       = 0;
1419        dr->wValue       = 0;
1420        dr->wLength      = __cpu_to_le16(skb->len);
1421
1422        pipe = usb_sndctrlpipe(data->udev, 0x00);
1423
1424        usb_fill_control_urb(urb, data->udev, pipe, (void *)dr,
1425                             skb->data, skb->len, btusb_tx_complete, skb);
1426
1427        skb->dev = (void *)hdev;
1428
1429        return urb;
1430}
1431
1432static struct urb *alloc_bulk_urb(struct hci_dev *hdev, struct sk_buff *skb)
1433{
1434        struct btusb_data *data = hci_get_drvdata(hdev);
1435        struct urb *urb;
1436        unsigned int pipe;
1437
1438        if (!data->bulk_tx_ep)
1439                return ERR_PTR(-ENODEV);
1440
1441        urb = usb_alloc_urb(0, GFP_KERNEL);
1442        if (!urb)
1443                return ERR_PTR(-ENOMEM);
1444
1445        pipe = usb_sndbulkpipe(data->udev, data->bulk_tx_ep->bEndpointAddress);
1446
1447        usb_fill_bulk_urb(urb, data->udev, pipe,
1448                          skb->data, skb->len, btusb_tx_complete, skb);
1449
1450        skb->dev = (void *)hdev;
1451
1452        return urb;
1453}
1454
1455static struct urb *alloc_isoc_urb(struct hci_dev *hdev, struct sk_buff *skb)
1456{
1457        struct btusb_data *data = hci_get_drvdata(hdev);
1458        struct urb *urb;
1459        unsigned int pipe;
1460
1461        if (!data->isoc_tx_ep)
1462                return ERR_PTR(-ENODEV);
1463
1464        urb = usb_alloc_urb(BTUSB_MAX_ISOC_FRAMES, GFP_KERNEL);
1465        if (!urb)
1466                return ERR_PTR(-ENOMEM);
1467
1468        pipe = usb_sndisocpipe(data->udev, data->isoc_tx_ep->bEndpointAddress);
1469
1470        usb_fill_int_urb(urb, data->udev, pipe,
1471                         skb->data, skb->len, btusb_isoc_tx_complete,
1472                         skb, data->isoc_tx_ep->bInterval);
1473
1474        urb->transfer_flags  = URB_ISO_ASAP;
1475
1476        if (data->isoc_altsetting == 6)
1477                __fill_isoc_descriptor_msbc(urb, skb->len,
1478                                            le16_to_cpu(data->isoc_tx_ep->wMaxPacketSize),
1479                                            data);
1480        else
1481                __fill_isoc_descriptor(urb, skb->len,
1482                                       le16_to_cpu(data->isoc_tx_ep->wMaxPacketSize));
1483        skb->dev = (void *)hdev;
1484
1485        return urb;
1486}
1487
1488static int submit_tx_urb(struct hci_dev *hdev, struct urb *urb)
1489{
1490        struct btusb_data *data = hci_get_drvdata(hdev);
1491        int err;
1492
1493        usb_anchor_urb(urb, &data->tx_anchor);
1494
1495        err = usb_submit_urb(urb, GFP_KERNEL);
1496        if (err < 0) {
1497                if (err != -EPERM && err != -ENODEV)
1498                        bt_dev_err(hdev, "urb %p submission failed (%d)",
1499                                   urb, -err);
1500                kfree(urb->setup_packet);
1501                usb_unanchor_urb(urb);
1502        } else {
1503                usb_mark_last_busy(data->udev);
1504        }
1505
1506        usb_free_urb(urb);
1507        return err;
1508}
1509
1510static int submit_or_queue_tx_urb(struct hci_dev *hdev, struct urb *urb)
1511{
1512        struct btusb_data *data = hci_get_drvdata(hdev);
1513        unsigned long flags;
1514        bool suspending;
1515
1516        spin_lock_irqsave(&data->txlock, flags);
1517        suspending = test_bit(BTUSB_SUSPENDING, &data->flags);
1518        if (!suspending)
1519                data->tx_in_flight++;
1520        spin_unlock_irqrestore(&data->txlock, flags);
1521
1522        if (!suspending)
1523                return submit_tx_urb(hdev, urb);
1524
1525        usb_anchor_urb(urb, &data->deferred);
1526        schedule_work(&data->waker);
1527
1528        usb_free_urb(urb);
1529        return 0;
1530}
1531
1532static int btusb_send_frame(struct hci_dev *hdev, struct sk_buff *skb)
1533{
1534        struct urb *urb;
1535
1536        BT_DBG("%s", hdev->name);
1537
1538        switch (hci_skb_pkt_type(skb)) {
1539        case HCI_COMMAND_PKT:
1540                urb = alloc_ctrl_urb(hdev, skb);
1541                if (IS_ERR(urb))
1542                        return PTR_ERR(urb);
1543
1544                hdev->stat.cmd_tx++;
1545                return submit_or_queue_tx_urb(hdev, urb);
1546
1547        case HCI_ACLDATA_PKT:
1548                urb = alloc_bulk_urb(hdev, skb);
1549                if (IS_ERR(urb))
1550                        return PTR_ERR(urb);
1551
1552                hdev->stat.acl_tx++;
1553                return submit_or_queue_tx_urb(hdev, urb);
1554
1555        case HCI_SCODATA_PKT:
1556                if (hci_conn_num(hdev, SCO_LINK) < 1)
1557                        return -ENODEV;
1558
1559                urb = alloc_isoc_urb(hdev, skb);
1560                if (IS_ERR(urb))
1561                        return PTR_ERR(urb);
1562
1563                hdev->stat.sco_tx++;
1564                return submit_tx_urb(hdev, urb);
1565        }
1566
1567        return -EILSEQ;
1568}
1569
1570static void btusb_notify(struct hci_dev *hdev, unsigned int evt)
1571{
1572        struct btusb_data *data = hci_get_drvdata(hdev);
1573
1574        BT_DBG("%s evt %d", hdev->name, evt);
1575
1576        if (hci_conn_num(hdev, SCO_LINK) != data->sco_num) {
1577                data->sco_num = hci_conn_num(hdev, SCO_LINK);
1578                data->air_mode = evt;
1579                schedule_work(&data->work);
1580        }
1581}
1582
1583static inline int __set_isoc_interface(struct hci_dev *hdev, int altsetting)
1584{
1585        struct btusb_data *data = hci_get_drvdata(hdev);
1586        struct usb_interface *intf = data->isoc;
1587        struct usb_endpoint_descriptor *ep_desc;
1588        int i, err;
1589
1590        if (!data->isoc)
1591                return -ENODEV;
1592
1593        err = usb_set_interface(data->udev, data->isoc_ifnum, altsetting);
1594        if (err < 0) {
1595                bt_dev_err(hdev, "setting interface failed (%d)", -err);
1596                return err;
1597        }
1598
1599        data->isoc_altsetting = altsetting;
1600
1601        data->isoc_tx_ep = NULL;
1602        data->isoc_rx_ep = NULL;
1603
1604        for (i = 0; i < intf->cur_altsetting->desc.bNumEndpoints; i++) {
1605                ep_desc = &intf->cur_altsetting->endpoint[i].desc;
1606
1607                if (!data->isoc_tx_ep && usb_endpoint_is_isoc_out(ep_desc)) {
1608                        data->isoc_tx_ep = ep_desc;
1609                        continue;
1610                }
1611
1612                if (!data->isoc_rx_ep && usb_endpoint_is_isoc_in(ep_desc)) {
1613                        data->isoc_rx_ep = ep_desc;
1614                        continue;
1615                }
1616        }
1617
1618        if (!data->isoc_tx_ep || !data->isoc_rx_ep) {
1619                bt_dev_err(hdev, "invalid SCO descriptors");
1620                return -ENODEV;
1621        }
1622
1623        return 0;
1624}
1625
1626static int btusb_switch_alt_setting(struct hci_dev *hdev, int new_alts)
1627{
1628        struct btusb_data *data = hci_get_drvdata(hdev);
1629        int err;
1630
1631        if (data->isoc_altsetting != new_alts) {
1632                unsigned long flags;
1633
1634                clear_bit(BTUSB_ISOC_RUNNING, &data->flags);
1635                usb_kill_anchored_urbs(&data->isoc_anchor);
1636
1637                /* When isochronous alternate setting needs to be
1638                 * changed, because SCO connection has been added
1639                 * or removed, a packet fragment may be left in the
1640                 * reassembling state. This could lead to wrongly
1641                 * assembled fragments.
1642                 *
1643                 * Clear outstanding fragment when selecting a new
1644                 * alternate setting.
1645                 */
1646                spin_lock_irqsave(&data->rxlock, flags);
1647                kfree_skb(data->sco_skb);
1648                data->sco_skb = NULL;
1649                spin_unlock_irqrestore(&data->rxlock, flags);
1650
1651                err = __set_isoc_interface(hdev, new_alts);
1652                if (err < 0)
1653                        return err;
1654        }
1655
1656        if (!test_and_set_bit(BTUSB_ISOC_RUNNING, &data->flags)) {
1657                if (btusb_submit_isoc_urb(hdev, GFP_KERNEL) < 0)
1658                        clear_bit(BTUSB_ISOC_RUNNING, &data->flags);
1659                else
1660                        btusb_submit_isoc_urb(hdev, GFP_KERNEL);
1661        }
1662
1663        return 0;
1664}
1665
1666static struct usb_host_interface *btusb_find_altsetting(struct btusb_data *data,
1667                                                        int alt)
1668{
1669        struct usb_interface *intf = data->isoc;
1670        int i;
1671
1672        BT_DBG("Looking for Alt no :%d", alt);
1673
1674        if (!intf)
1675                return NULL;
1676
1677        for (i = 0; i < intf->num_altsetting; i++) {
1678                if (intf->altsetting[i].desc.bAlternateSetting == alt)
1679                        return &intf->altsetting[i];
1680        }
1681
1682        return NULL;
1683}
1684
1685static void btusb_work(struct work_struct *work)
1686{
1687        struct btusb_data *data = container_of(work, struct btusb_data, work);
1688        struct hci_dev *hdev = data->hdev;
1689        int new_alts = 0;
1690        int err;
1691
1692        if (data->sco_num > 0) {
1693                if (!test_bit(BTUSB_DID_ISO_RESUME, &data->flags)) {
1694                        err = usb_autopm_get_interface(data->isoc ? data->isoc : data->intf);
1695                        if (err < 0) {
1696                                clear_bit(BTUSB_ISOC_RUNNING, &data->flags);
1697                                usb_kill_anchored_urbs(&data->isoc_anchor);
1698                                return;
1699                        }
1700
1701                        set_bit(BTUSB_DID_ISO_RESUME, &data->flags);
1702                }
1703
1704                if (data->air_mode == HCI_NOTIFY_ENABLE_SCO_CVSD) {
1705                        if (hdev->voice_setting & 0x0020) {
1706                                static const int alts[3] = { 2, 4, 5 };
1707
1708                                new_alts = alts[data->sco_num - 1];
1709                        } else {
1710                                new_alts = data->sco_num;
1711                        }
1712                } else if (data->air_mode == HCI_NOTIFY_ENABLE_SCO_TRANSP) {
1713                        /* Check if Alt 6 is supported for Transparent audio */
1714                        if (btusb_find_altsetting(data, 6)) {
1715                                data->usb_alt6_packet_flow = true;
1716                                new_alts = 6;
1717                        } else if (test_bit(BTUSB_USE_ALT1_FOR_WBS, &data->flags)) {
1718                                new_alts = 1;
1719                        } else {
1720                                bt_dev_err(hdev, "Device does not support ALT setting 6");
1721                        }
1722                }
1723
1724                if (btusb_switch_alt_setting(hdev, new_alts) < 0)
1725                        bt_dev_err(hdev, "set USB alt:(%d) failed!", new_alts);
1726        } else {
1727                clear_bit(BTUSB_ISOC_RUNNING, &data->flags);
1728                usb_kill_anchored_urbs(&data->isoc_anchor);
1729
1730                __set_isoc_interface(hdev, 0);
1731                if (test_and_clear_bit(BTUSB_DID_ISO_RESUME, &data->flags))
1732                        usb_autopm_put_interface(data->isoc ? data->isoc : data->intf);
1733        }
1734}
1735
1736static void btusb_waker(struct work_struct *work)
1737{
1738        struct btusb_data *data = container_of(work, struct btusb_data, waker);
1739        int err;
1740
1741        err = usb_autopm_get_interface(data->intf);
1742        if (err < 0)
1743                return;
1744
1745        usb_autopm_put_interface(data->intf);
1746}
1747
1748static int btusb_setup_bcm92035(struct hci_dev *hdev)
1749{
1750        struct sk_buff *skb;
1751        u8 val = 0x00;
1752
1753        BT_DBG("%s", hdev->name);
1754
1755        skb = __hci_cmd_sync(hdev, 0xfc3b, 1, &val, HCI_INIT_TIMEOUT);
1756        if (IS_ERR(skb))
1757                bt_dev_err(hdev, "BCM92035 command failed (%ld)", PTR_ERR(skb));
1758        else
1759                kfree_skb(skb);
1760
1761        return 0;
1762}
1763
1764static int btusb_setup_csr(struct hci_dev *hdev)
1765{
1766        struct hci_rp_read_local_version *rp;
1767        struct sk_buff *skb;
1768        bool is_fake = false;
1769
1770        BT_DBG("%s", hdev->name);
1771
1772        skb = __hci_cmd_sync(hdev, HCI_OP_READ_LOCAL_VERSION, 0, NULL,
1773                             HCI_INIT_TIMEOUT);
1774        if (IS_ERR(skb)) {
1775                int err = PTR_ERR(skb);
1776                bt_dev_err(hdev, "CSR: Local version failed (%d)", err);
1777                return err;
1778        }
1779
1780        if (skb->len != sizeof(struct hci_rp_read_local_version)) {
1781                bt_dev_err(hdev, "CSR: Local version length mismatch");
1782                kfree_skb(skb);
1783                return -EIO;
1784        }
1785
1786        rp = (struct hci_rp_read_local_version *)skb->data;
1787
1788        /* Detect a wide host of Chinese controllers that aren't CSR.
1789         *
1790         * Known fake bcdDevices: 0x0100, 0x0134, 0x1915, 0x2520, 0x7558, 0x8891
1791         *
1792         * The main thing they have in common is that these are really popular low-cost
1793         * options that support newer Bluetooth versions but rely on heavy VID/PID
1794         * squatting of this poor old Bluetooth 1.1 device. Even sold as such.
1795         *
1796         * We detect actual CSR devices by checking that the HCI manufacturer code
1797         * is Cambridge Silicon Radio (10) and ensuring that LMP sub-version and
1798         * HCI rev values always match. As they both store the firmware number.
1799         */
1800        if (le16_to_cpu(rp->manufacturer) != 10 ||
1801            le16_to_cpu(rp->hci_rev) != le16_to_cpu(rp->lmp_subver))
1802                is_fake = true;
1803
1804        /* Known legit CSR firmware build numbers and their supported BT versions:
1805         * - 1.1 (0x1) -> 0x0073, 0x020d, 0x033c, 0x034e
1806         * - 1.2 (0x2) ->                 0x04d9, 0x0529
1807         * - 2.0 (0x3) ->         0x07a6, 0x07ad, 0x0c5c
1808         * - 2.1 (0x4) ->         0x149c, 0x1735, 0x1899 (0x1899 is a BlueCore4-External)
1809         * - 4.0 (0x6) ->         0x1d86, 0x2031, 0x22bb
1810         *
1811         * e.g. Real CSR dongles with LMP subversion 0x73 are old enough that
1812         *      support BT 1.1 only; so it's a dead giveaway when some
1813         *      third-party BT 4.0 dongle reuses it.
1814         */
1815        else if (le16_to_cpu(rp->lmp_subver) <= 0x034e &&
1816                 le16_to_cpu(rp->hci_ver) > BLUETOOTH_VER_1_1)
1817                is_fake = true;
1818
1819        else if (le16_to_cpu(rp->lmp_subver) <= 0x0529 &&
1820                 le16_to_cpu(rp->hci_ver) > BLUETOOTH_VER_1_2)
1821                is_fake = true;
1822
1823        else if (le16_to_cpu(rp->lmp_subver) <= 0x0c5c &&
1824                 le16_to_cpu(rp->hci_ver) > BLUETOOTH_VER_2_0)
1825                is_fake = true;
1826
1827        else if (le16_to_cpu(rp->lmp_subver) <= 0x1899 &&
1828                 le16_to_cpu(rp->hci_ver) > BLUETOOTH_VER_2_1)
1829                is_fake = true;
1830
1831        else if (le16_to_cpu(rp->lmp_subver) <= 0x22bb &&
1832                 le16_to_cpu(rp->hci_ver) > BLUETOOTH_VER_4_0)
1833                is_fake = true;
1834
1835        if (is_fake) {
1836                bt_dev_warn(hdev, "CSR: Unbranded CSR clone detected; adding workarounds...");
1837
1838                /* Generally these clones have big discrepancies between
1839                 * advertised features and what's actually supported.
1840                 * Probably will need to be expanded in the future;
1841                 * without these the controller will lock up.
1842                 */
1843                set_bit(HCI_QUIRK_BROKEN_STORED_LINK_KEY, &hdev->quirks);
1844                set_bit(HCI_QUIRK_BROKEN_ERR_DATA_REPORTING, &hdev->quirks);
1845
1846                /* Clear the reset quirk since this is not an actual
1847                 * early Bluetooth 1.1 device from CSR.
1848                 */
1849                clear_bit(HCI_QUIRK_RESET_ON_CLOSE, &hdev->quirks);
1850                clear_bit(HCI_QUIRK_SIMULTANEOUS_DISCOVERY, &hdev->quirks);
1851        }
1852
1853        kfree_skb(skb);
1854
1855        return 0;
1856}
1857
1858static const struct firmware *btusb_setup_intel_get_fw(struct hci_dev *hdev,
1859                                                       struct intel_version *ver)
1860{
1861        const struct firmware *fw;
1862        char fwname[64];
1863        int ret;
1864
1865        snprintf(fwname, sizeof(fwname),
1866                 "intel/ibt-hw-%x.%x.%x-fw-%x.%x.%x.%x.%x.bseq",
1867                 ver->hw_platform, ver->hw_variant, ver->hw_revision,
1868                 ver->fw_variant,  ver->fw_revision, ver->fw_build_num,
1869                 ver->fw_build_ww, ver->fw_build_yy);
1870
1871        ret = request_firmware(&fw, fwname, &hdev->dev);
1872        if (ret < 0) {
1873                if (ret == -EINVAL) {
1874                        bt_dev_err(hdev, "Intel firmware file request failed (%d)",
1875                                   ret);
1876                        return NULL;
1877                }
1878
1879                bt_dev_err(hdev, "failed to open Intel firmware file: %s (%d)",
1880                           fwname, ret);
1881
1882                /* If the correct firmware patch file is not found, use the
1883                 * default firmware patch file instead
1884                 */
1885                snprintf(fwname, sizeof(fwname), "intel/ibt-hw-%x.%x.bseq",
1886                         ver->hw_platform, ver->hw_variant);
1887                if (request_firmware(&fw, fwname, &hdev->dev) < 0) {
1888                        bt_dev_err(hdev, "failed to open default fw file: %s",
1889                                   fwname);
1890                        return NULL;
1891                }
1892        }
1893
1894        bt_dev_info(hdev, "Intel Bluetooth firmware file: %s", fwname);
1895
1896        return fw;
1897}
1898
1899static int btusb_setup_intel_patching(struct hci_dev *hdev,
1900                                      const struct firmware *fw,
1901                                      const u8 **fw_ptr, int *disable_patch)
1902{
1903        struct sk_buff *skb;
1904        struct hci_command_hdr *cmd;
1905        const u8 *cmd_param;
1906        struct hci_event_hdr *evt = NULL;
1907        const u8 *evt_param = NULL;
1908        int remain = fw->size - (*fw_ptr - fw->data);
1909
1910        /* The first byte indicates the types of the patch command or event.
1911         * 0x01 means HCI command and 0x02 is HCI event. If the first bytes
1912         * in the current firmware buffer doesn't start with 0x01 or
1913         * the size of remain buffer is smaller than HCI command header,
1914         * the firmware file is corrupted and it should stop the patching
1915         * process.
1916         */
1917        if (remain > HCI_COMMAND_HDR_SIZE && *fw_ptr[0] != 0x01) {
1918                bt_dev_err(hdev, "Intel fw corrupted: invalid cmd read");
1919                return -EINVAL;
1920        }
1921        (*fw_ptr)++;
1922        remain--;
1923
1924        cmd = (struct hci_command_hdr *)(*fw_ptr);
1925        *fw_ptr += sizeof(*cmd);
1926        remain -= sizeof(*cmd);
1927
1928        /* Ensure that the remain firmware data is long enough than the length
1929         * of command parameter. If not, the firmware file is corrupted.
1930         */
1931        if (remain < cmd->plen) {
1932                bt_dev_err(hdev, "Intel fw corrupted: invalid cmd len");
1933                return -EFAULT;
1934        }
1935
1936        /* If there is a command that loads a patch in the firmware
1937         * file, then enable the patch upon success, otherwise just
1938         * disable the manufacturer mode, for example patch activation
1939         * is not required when the default firmware patch file is used
1940         * because there are no patch data to load.
1941         */
1942        if (*disable_patch && le16_to_cpu(cmd->opcode) == 0xfc8e)
1943                *disable_patch = 0;
1944
1945        cmd_param = *fw_ptr;
1946        *fw_ptr += cmd->plen;
1947        remain -= cmd->plen;
1948
1949        /* This reads the expected events when the above command is sent to the
1950         * device. Some vendor commands expects more than one events, for
1951         * example command status event followed by vendor specific event.
1952         * For this case, it only keeps the last expected event. so the command
1953         * can be sent with __hci_cmd_sync_ev() which returns the sk_buff of
1954         * last expected event.
1955         */
1956        while (remain > HCI_EVENT_HDR_SIZE && *fw_ptr[0] == 0x02) {
1957                (*fw_ptr)++;
1958                remain--;
1959
1960                evt = (struct hci_event_hdr *)(*fw_ptr);
1961                *fw_ptr += sizeof(*evt);
1962                remain -= sizeof(*evt);
1963
1964                if (remain < evt->plen) {
1965                        bt_dev_err(hdev, "Intel fw corrupted: invalid evt len");
1966                        return -EFAULT;
1967                }
1968
1969                evt_param = *fw_ptr;
1970                *fw_ptr += evt->plen;
1971                remain -= evt->plen;
1972        }
1973
1974        /* Every HCI commands in the firmware file has its correspond event.
1975         * If event is not found or remain is smaller than zero, the firmware
1976         * file is corrupted.
1977         */
1978        if (!evt || !evt_param || remain < 0) {
1979                bt_dev_err(hdev, "Intel fw corrupted: invalid evt read");
1980                return -EFAULT;
1981        }
1982
1983        skb = __hci_cmd_sync_ev(hdev, le16_to_cpu(cmd->opcode), cmd->plen,
1984                                cmd_param, evt->evt, HCI_INIT_TIMEOUT);
1985        if (IS_ERR(skb)) {
1986                bt_dev_err(hdev, "sending Intel patch command (0x%4.4x) failed (%ld)",
1987                           cmd->opcode, PTR_ERR(skb));
1988                return PTR_ERR(skb);
1989        }
1990
1991        /* It ensures that the returned event matches the event data read from
1992         * the firmware file. At fist, it checks the length and then
1993         * the contents of the event.
1994         */
1995        if (skb->len != evt->plen) {
1996                bt_dev_err(hdev, "mismatch event length (opcode 0x%4.4x)",
1997                           le16_to_cpu(cmd->opcode));
1998                kfree_skb(skb);
1999                return -EFAULT;
2000        }
2001
2002        if (memcmp(skb->data, evt_param, evt->plen)) {
2003                bt_dev_err(hdev, "mismatch event parameter (opcode 0x%4.4x)",
2004                           le16_to_cpu(cmd->opcode));
2005                kfree_skb(skb);
2006                return -EFAULT;
2007        }
2008        kfree_skb(skb);
2009
2010        return 0;
2011}
2012
2013static int btusb_setup_intel(struct hci_dev *hdev)
2014{
2015        struct sk_buff *skb;
2016        const struct firmware *fw;
2017        const u8 *fw_ptr;
2018        int disable_patch, err;
2019        struct intel_version ver;
2020
2021        BT_DBG("%s", hdev->name);
2022
2023        /* The controller has a bug with the first HCI command sent to it
2024         * returning number of completed commands as zero. This would stall the
2025         * command processing in the Bluetooth core.
2026         *
2027         * As a workaround, send HCI Reset command first which will reset the
2028         * number of completed commands and allow normal command processing
2029         * from now on.
2030         */
2031        skb = __hci_cmd_sync(hdev, HCI_OP_RESET, 0, NULL, HCI_INIT_TIMEOUT);
2032        if (IS_ERR(skb)) {
2033                bt_dev_err(hdev, "sending initial HCI reset command failed (%ld)",
2034                           PTR_ERR(skb));
2035                return PTR_ERR(skb);
2036        }
2037        kfree_skb(skb);
2038
2039        /* Read Intel specific controller version first to allow selection of
2040         * which firmware file to load.
2041         *
2042         * The returned information are hardware variant and revision plus
2043         * firmware variant, revision and build number.
2044         */
2045        err = btintel_read_version(hdev, &ver);
2046        if (err)
2047                return err;
2048
2049        bt_dev_info(hdev, "read Intel version: %02x%02x%02x%02x%02x%02x%02x%02x%02x",
2050                    ver.hw_platform, ver.hw_variant, ver.hw_revision,
2051                    ver.fw_variant,  ver.fw_revision, ver.fw_build_num,
2052                    ver.fw_build_ww, ver.fw_build_yy, ver.fw_patch_num);
2053
2054        /* fw_patch_num indicates the version of patch the device currently
2055         * have. If there is no patch data in the device, it is always 0x00.
2056         * So, if it is other than 0x00, no need to patch the device again.
2057         */
2058        if (ver.fw_patch_num) {
2059                bt_dev_info(hdev, "Intel device is already patched. "
2060                            "patch num: %02x", ver.fw_patch_num);
2061                goto complete;
2062        }
2063
2064        /* Opens the firmware patch file based on the firmware version read
2065         * from the controller. If it fails to open the matching firmware
2066         * patch file, it tries to open the default firmware patch file.
2067         * If no patch file is found, allow the device to operate without
2068         * a patch.
2069         */
2070        fw = btusb_setup_intel_get_fw(hdev, &ver);
2071        if (!fw)
2072                goto complete;
2073        fw_ptr = fw->data;
2074
2075        /* Enable the manufacturer mode of the controller.
2076         * Only while this mode is enabled, the driver can download the
2077         * firmware patch data and configuration parameters.
2078         */
2079        err = btintel_enter_mfg(hdev);
2080        if (err) {
2081                release_firmware(fw);
2082                return err;
2083        }
2084
2085        disable_patch = 1;
2086
2087        /* The firmware data file consists of list of Intel specific HCI
2088         * commands and its expected events. The first byte indicates the
2089         * type of the message, either HCI command or HCI event.
2090         *
2091         * It reads the command and its expected event from the firmware file,
2092         * and send to the controller. Once __hci_cmd_sync_ev() returns,
2093         * the returned event is compared with the event read from the firmware
2094         * file and it will continue until all the messages are downloaded to
2095         * the controller.
2096         *
2097         * Once the firmware patching is completed successfully,
2098         * the manufacturer mode is disabled with reset and activating the
2099         * downloaded patch.
2100         *
2101         * If the firmware patching fails, the manufacturer mode is
2102         * disabled with reset and deactivating the patch.
2103         *
2104         * If the default patch file is used, no reset is done when disabling
2105         * the manufacturer.
2106         */
2107        while (fw->size > fw_ptr - fw->data) {
2108                int ret;
2109
2110                ret = btusb_setup_intel_patching(hdev, fw, &fw_ptr,
2111                                                 &disable_patch);
2112                if (ret < 0)
2113                        goto exit_mfg_deactivate;
2114        }
2115
2116        release_firmware(fw);
2117
2118        if (disable_patch)
2119                goto exit_mfg_disable;
2120
2121        /* Patching completed successfully and disable the manufacturer mode
2122         * with reset and activate the downloaded firmware patches.
2123         */
2124        err = btintel_exit_mfg(hdev, true, true);
2125        if (err)
2126                return err;
2127
2128        /* Need build number for downloaded fw patches in
2129         * every power-on boot
2130         */
2131       err = btintel_read_version(hdev, &ver);
2132       if (err)
2133               return err;
2134       bt_dev_info(hdev, "Intel BT fw patch 0x%02x completed & activated",
2135                   ver.fw_patch_num);
2136
2137        goto complete;
2138
2139exit_mfg_disable:
2140        /* Disable the manufacturer mode without reset */
2141        err = btintel_exit_mfg(hdev, false, false);
2142        if (err)
2143                return err;
2144
2145        bt_dev_info(hdev, "Intel firmware patch completed");
2146
2147        goto complete;
2148
2149exit_mfg_deactivate:
2150        release_firmware(fw);
2151
2152        /* Patching failed. Disable the manufacturer mode with reset and
2153         * deactivate the downloaded firmware patches.
2154         */
2155        err = btintel_exit_mfg(hdev, true, false);
2156        if (err)
2157                return err;
2158
2159        bt_dev_info(hdev, "Intel firmware patch completed and deactivated");
2160
2161complete:
2162        /* Set the event mask for Intel specific vendor events. This enables
2163         * a few extra events that are useful during general operation.
2164         */
2165        btintel_set_event_mask_mfg(hdev, false);
2166
2167        btintel_check_bdaddr(hdev);
2168        return 0;
2169}
2170
2171static int inject_cmd_complete(struct hci_dev *hdev, __u16 opcode)
2172{
2173        struct sk_buff *skb;
2174        struct hci_event_hdr *hdr;
2175        struct hci_ev_cmd_complete *evt;
2176
2177        skb = bt_skb_alloc(sizeof(*hdr) + sizeof(*evt) + 1, GFP_KERNEL);
2178        if (!skb)
2179                return -ENOMEM;
2180
2181        hdr = skb_put(skb, sizeof(*hdr));
2182        hdr->evt = HCI_EV_CMD_COMPLETE;
2183        hdr->plen = sizeof(*evt) + 1;
2184
2185        evt = skb_put(skb, sizeof(*evt));
2186        evt->ncmd = 0x01;
2187        evt->opcode = cpu_to_le16(opcode);
2188
2189        skb_put_u8(skb, 0x00);
2190
2191        hci_skb_pkt_type(skb) = HCI_EVENT_PKT;
2192
2193        return hci_recv_frame(hdev, skb);
2194}
2195
2196static int btusb_recv_bulk_intel(struct btusb_data *data, void *buffer,
2197                                 int count)
2198{
2199        /* When the device is in bootloader mode, then it can send
2200         * events via the bulk endpoint. These events are treated the
2201         * same way as the ones received from the interrupt endpoint.
2202         */
2203        if (test_bit(BTUSB_BOOTLOADER, &data->flags))
2204                return btusb_recv_intr(data, buffer, count);
2205
2206        return btusb_recv_bulk(data, buffer, count);
2207}
2208
2209static void btusb_intel_bootup(struct btusb_data *data, const void *ptr,
2210                               unsigned int len)
2211{
2212        const struct intel_bootup *evt = ptr;
2213
2214        if (len != sizeof(*evt))
2215                return;
2216
2217        if (test_and_clear_bit(BTUSB_BOOTING, &data->flags))
2218                wake_up_bit(&data->flags, BTUSB_BOOTING);
2219}
2220
2221static void btusb_intel_secure_send_result(struct btusb_data *data,
2222                                           const void *ptr, unsigned int len)
2223{
2224        const struct intel_secure_send_result *evt = ptr;
2225
2226        if (len != sizeof(*evt))
2227                return;
2228
2229        if (evt->result)
2230                set_bit(BTUSB_FIRMWARE_FAILED, &data->flags);
2231
2232        if (test_and_clear_bit(BTUSB_DOWNLOADING, &data->flags) &&
2233            test_bit(BTUSB_FIRMWARE_LOADED, &data->flags))
2234                wake_up_bit(&data->flags, BTUSB_DOWNLOADING);
2235}
2236
2237static int btusb_recv_event_intel(struct hci_dev *hdev, struct sk_buff *skb)
2238{
2239        struct btusb_data *data = hci_get_drvdata(hdev);
2240
2241        if (test_bit(BTUSB_BOOTLOADER, &data->flags)) {
2242                struct hci_event_hdr *hdr = (void *)skb->data;
2243
2244                if (skb->len > HCI_EVENT_HDR_SIZE && hdr->evt == 0xff &&
2245                    hdr->plen > 0) {
2246                        const void *ptr = skb->data + HCI_EVENT_HDR_SIZE + 1;
2247                        unsigned int len = skb->len - HCI_EVENT_HDR_SIZE - 1;
2248
2249                        switch (skb->data[2]) {
2250                        case 0x02:
2251                                /* When switching to the operational firmware
2252                                 * the device sends a vendor specific event
2253                                 * indicating that the bootup completed.
2254                                 */
2255                                btusb_intel_bootup(data, ptr, len);
2256                                break;
2257                        case 0x06:
2258                                /* When the firmware loading completes the
2259                                 * device sends out a vendor specific event
2260                                 * indicating the result of the firmware
2261                                 * loading.
2262                                 */
2263                                btusb_intel_secure_send_result(data, ptr, len);
2264                                break;
2265                        }
2266                }
2267        }
2268
2269        return hci_recv_frame(hdev, skb);
2270}
2271
2272static int btusb_send_frame_intel(struct hci_dev *hdev, struct sk_buff *skb)
2273{
2274        struct btusb_data *data = hci_get_drvdata(hdev);
2275        struct urb *urb;
2276
2277        BT_DBG("%s", hdev->name);
2278
2279        switch (hci_skb_pkt_type(skb)) {
2280        case HCI_COMMAND_PKT:
2281                if (test_bit(BTUSB_BOOTLOADER, &data->flags)) {
2282                        struct hci_command_hdr *cmd = (void *)skb->data;
2283                        __u16 opcode = le16_to_cpu(cmd->opcode);
2284
2285                        /* When in bootloader mode and the command 0xfc09
2286                         * is received, it needs to be send down the
2287                         * bulk endpoint. So allocate a bulk URB instead.
2288                         */
2289                        if (opcode == 0xfc09)
2290                                urb = alloc_bulk_urb(hdev, skb);
2291                        else
2292                                urb = alloc_ctrl_urb(hdev, skb);
2293
2294                        /* When the 0xfc01 command is issued to boot into
2295                         * the operational firmware, it will actually not
2296                         * send a command complete event. To keep the flow
2297                         * control working inject that event here.
2298                         */
2299                        if (opcode == 0xfc01)
2300                                inject_cmd_complete(hdev, opcode);
2301                } else {
2302                        urb = alloc_ctrl_urb(hdev, skb);
2303                }
2304                if (IS_ERR(urb))
2305                        return PTR_ERR(urb);
2306
2307                hdev->stat.cmd_tx++;
2308                return submit_or_queue_tx_urb(hdev, urb);
2309
2310        case HCI_ACLDATA_PKT:
2311                urb = alloc_bulk_urb(hdev, skb);
2312                if (IS_ERR(urb))
2313                        return PTR_ERR(urb);
2314
2315                hdev->stat.acl_tx++;
2316                return submit_or_queue_tx_urb(hdev, urb);
2317
2318        case HCI_SCODATA_PKT:
2319                if (hci_conn_num(hdev, SCO_LINK) < 1)
2320                        return -ENODEV;
2321
2322                urb = alloc_isoc_urb(hdev, skb);
2323                if (IS_ERR(urb))
2324                        return PTR_ERR(urb);
2325
2326                hdev->stat.sco_tx++;
2327                return submit_tx_urb(hdev, urb);
2328        }
2329
2330        return -EILSEQ;
2331}
2332
2333static bool btusb_setup_intel_new_get_fw_name(struct intel_version *ver,
2334                                             struct intel_boot_params *params,
2335                                             char *fw_name, size_t len,
2336                                             const char *suffix)
2337{
2338        switch (ver->hw_variant) {
2339        case 0x0b:      /* SfP */
2340        case 0x0c:      /* WsP */
2341                snprintf(fw_name, len, "intel/ibt-%u-%u.%s",
2342                        le16_to_cpu(ver->hw_variant),
2343                        le16_to_cpu(params->dev_revid),
2344                        suffix);
2345                break;
2346        case 0x11:      /* JfP */
2347        case 0x12:      /* ThP */
2348        case 0x13:      /* HrP */
2349        case 0x14:      /* CcP */
2350                snprintf(fw_name, len, "intel/ibt-%u-%u-%u.%s",
2351                        le16_to_cpu(ver->hw_variant),
2352                        le16_to_cpu(ver->hw_revision),
2353                        le16_to_cpu(ver->fw_revision),
2354                        suffix);
2355                break;
2356        default:
2357                return false;
2358        }
2359        return true;
2360}
2361
2362static int btusb_intel_download_firmware(struct hci_dev *hdev,
2363                                         struct intel_version *ver,
2364                                         struct intel_boot_params *params,
2365                                         u32 *boot_param)
2366{
2367        const struct firmware *fw;
2368        char fwname[64];
2369        int err;
2370        struct btusb_data *data = hci_get_drvdata(hdev);
2371
2372        if (!ver || !params)
2373                return -EINVAL;
2374
2375        /* The hardware platform number has a fixed value of 0x37 and
2376         * for now only accept this single value.
2377         */
2378        if (ver->hw_platform != 0x37) {
2379                bt_dev_err(hdev, "Unsupported Intel hardware platform (%u)",
2380                           ver->hw_platform);
2381                return -EINVAL;
2382        }
2383
2384        /* Check for supported iBT hardware variants of this firmware
2385         * loading method.
2386         *
2387         * This check has been put in place to ensure correct forward
2388         * compatibility options when newer hardware variants come along.
2389         */
2390        switch (ver->hw_variant) {
2391        case 0x0b:      /* SfP */
2392        case 0x0c:      /* WsP */
2393        case 0x11:      /* JfP */
2394        case 0x12:      /* ThP */
2395        case 0x13:      /* HrP */
2396        case 0x14:      /* CcP */
2397                break;
2398        default:
2399                bt_dev_err(hdev, "Unsupported Intel hardware variant (%u)",
2400                           ver->hw_variant);
2401                return -EINVAL;
2402        }
2403
2404        btintel_version_info(hdev, ver);
2405
2406        /* The firmware variant determines if the device is in bootloader
2407         * mode or is running operational firmware. The value 0x06 identifies
2408         * the bootloader and the value 0x23 identifies the operational
2409         * firmware.
2410         *
2411         * When the operational firmware is already present, then only
2412         * the check for valid Bluetooth device address is needed. This
2413         * determines if the device will be added as configured or
2414         * unconfigured controller.
2415         *
2416         * It is not possible to use the Secure Boot Parameters in this
2417         * case since that command is only available in bootloader mode.
2418         */
2419        if (ver->fw_variant == 0x23) {
2420                clear_bit(BTUSB_BOOTLOADER, &data->flags);
2421                btintel_check_bdaddr(hdev);
2422                return 0;
2423        }
2424
2425        /* If the device is not in bootloader mode, then the only possible
2426         * choice is to return an error and abort the device initialization.
2427         */
2428        if (ver->fw_variant != 0x06) {
2429                bt_dev_err(hdev, "Unsupported Intel firmware variant (%u)",
2430                           ver->fw_variant);
2431                return -ENODEV;
2432        }
2433
2434        /* Read the secure boot parameters to identify the operating
2435         * details of the bootloader.
2436         */
2437        err = btintel_read_boot_params(hdev, params);
2438        if (err)
2439                return err;
2440
2441        /* It is required that every single firmware fragment is acknowledged
2442         * with a command complete event. If the boot parameters indicate
2443         * that this bootloader does not send them, then abort the setup.
2444         */
2445        if (params->limited_cce != 0x00) {
2446                bt_dev_err(hdev, "Unsupported Intel firmware loading method (%u)",
2447                           params->limited_cce);
2448                return -EINVAL;
2449        }
2450
2451        /* If the OTP has no valid Bluetooth device address, then there will
2452         * also be no valid address for the operational firmware.
2453         */
2454        if (!bacmp(&params->otp_bdaddr, BDADDR_ANY)) {
2455                bt_dev_info(hdev, "No device address configured");
2456                set_bit(HCI_QUIRK_INVALID_BDADDR, &hdev->quirks);
2457        }
2458
2459        /* With this Intel bootloader only the hardware variant and device
2460         * revision information are used to select the right firmware for SfP
2461         * and WsP.
2462         *
2463         * The firmware filename is ibt-<hw_variant>-<dev_revid>.sfi.
2464         *
2465         * Currently the supported hardware variants are:
2466         *   11 (0x0b) for iBT3.0 (LnP/SfP)
2467         *   12 (0x0c) for iBT3.5 (WsP)
2468         *
2469         * For ThP/JfP and for future SKU's, the FW name varies based on HW
2470         * variant, HW revision and FW revision, as these are dependent on CNVi
2471         * and RF Combination.
2472         *
2473         *   17 (0x11) for iBT3.5 (JfP)
2474         *   18 (0x12) for iBT3.5 (ThP)
2475         *
2476         * The firmware file name for these will be
2477         * ibt-<hw_variant>-<hw_revision>-<fw_revision>.sfi.
2478         *
2479         */
2480        err = btusb_setup_intel_new_get_fw_name(ver, params, fwname,
2481                                                sizeof(fwname), "sfi");
2482        if (!err) {
2483                bt_dev_err(hdev, "Unsupported Intel firmware naming");
2484                return -EINVAL;
2485        }
2486
2487        err = request_firmware(&fw, fwname, &hdev->dev);
2488        if (err < 0) {
2489                bt_dev_err(hdev, "Failed to load Intel firmware file (%d)", err);
2490                return err;
2491        }
2492
2493        bt_dev_info(hdev, "Found device firmware: %s", fwname);
2494
2495        if (fw->size < 644) {
2496                bt_dev_err(hdev, "Invalid size of firmware file (%zu)",
2497                           fw->size);
2498                err = -EBADF;
2499                goto done;
2500        }
2501
2502        set_bit(BTUSB_DOWNLOADING, &data->flags);
2503
2504        /* Start firmware downloading and get boot parameter */
2505        err = btintel_download_firmware(hdev, fw, boot_param);
2506        if (err < 0) {
2507                /* When FW download fails, send Intel Reset to retry
2508                 * FW download.
2509                 */
2510                btintel_reset_to_bootloader(hdev);
2511                goto done;
2512        }
2513        set_bit(BTUSB_FIRMWARE_LOADED, &data->flags);
2514
2515        bt_dev_info(hdev, "Waiting for firmware download to complete");
2516
2517        /* Before switching the device into operational mode and with that
2518         * booting the loaded firmware, wait for the bootloader notification
2519         * that all fragments have been successfully received.
2520         *
2521         * When the event processing receives the notification, then the
2522         * BTUSB_DOWNLOADING flag will be cleared.
2523         *
2524         * The firmware loading should not take longer than 5 seconds
2525         * and thus just timeout if that happens and fail the setup
2526         * of this device.
2527         */
2528        err = wait_on_bit_timeout(&data->flags, BTUSB_DOWNLOADING,
2529                                  TASK_INTERRUPTIBLE,
2530                                  msecs_to_jiffies(5000));
2531        if (err == -EINTR) {
2532                bt_dev_err(hdev, "Firmware loading interrupted");
2533                goto done;
2534        }
2535
2536        if (err) {
2537                bt_dev_err(hdev, "Firmware loading timeout");
2538                err = -ETIMEDOUT;
2539                btintel_reset_to_bootloader(hdev);
2540                goto done;
2541        }
2542
2543        if (test_bit(BTUSB_FIRMWARE_FAILED, &data->flags)) {
2544                bt_dev_err(hdev, "Firmware loading failed");
2545                err = -ENOEXEC;
2546                goto done;
2547        }
2548
2549done:
2550        release_firmware(fw);
2551        return err;
2552}
2553
2554static int btusb_setup_intel_new(struct hci_dev *hdev)
2555{
2556        struct btusb_data *data = hci_get_drvdata(hdev);
2557        struct intel_version ver;
2558        struct intel_boot_params params;
2559        u32 boot_param;
2560        char ddcname[64];
2561        ktime_t calltime, delta, rettime;
2562        unsigned long long duration;
2563        int err;
2564        struct intel_debug_features features;
2565
2566        BT_DBG("%s", hdev->name);
2567
2568        /* Set the default boot parameter to 0x0 and it is updated to
2569         * SKU specific boot parameter after reading Intel_Write_Boot_Params
2570         * command while downloading the firmware.
2571         */
2572        boot_param = 0x00000000;
2573
2574        calltime = ktime_get();
2575
2576        /* Read the Intel version information to determine if the device
2577         * is in bootloader mode or if it already has operational firmware
2578         * loaded.
2579         */
2580        err = btintel_read_version(hdev, &ver);
2581        if (err) {
2582                bt_dev_err(hdev, "Intel Read version failed (%d)", err);
2583                btintel_reset_to_bootloader(hdev);
2584                return err;
2585        }
2586
2587        err = btusb_intel_download_firmware(hdev, &ver, &params, &boot_param);
2588        if (err)
2589                return err;
2590
2591        /* controller is already having an operational firmware */
2592        if (ver.fw_variant == 0x23)
2593                goto finish;
2594
2595        rettime = ktime_get();
2596        delta = ktime_sub(rettime, calltime);
2597        duration = (unsigned long long) ktime_to_ns(delta) >> 10;
2598
2599        bt_dev_info(hdev, "Firmware loaded in %llu usecs", duration);
2600
2601        calltime = ktime_get();
2602
2603        set_bit(BTUSB_BOOTING, &data->flags);
2604
2605        err = btintel_send_intel_reset(hdev, boot_param);
2606        if (err) {
2607                bt_dev_err(hdev, "Intel Soft Reset failed (%d)", err);
2608                btintel_reset_to_bootloader(hdev);
2609                return err;
2610        }
2611
2612        /* The bootloader will not indicate when the device is ready. This
2613         * is done by the operational firmware sending bootup notification.
2614         *
2615         * Booting into operational firmware should not take longer than
2616         * 1 second. However if that happens, then just fail the setup
2617         * since something went wrong.
2618         */
2619        bt_dev_info(hdev, "Waiting for device to boot");
2620
2621        err = wait_on_bit_timeout(&data->flags, BTUSB_BOOTING,
2622                                  TASK_INTERRUPTIBLE,
2623                                  msecs_to_jiffies(1000));
2624
2625        if (err == -EINTR) {
2626                bt_dev_err(hdev, "Device boot interrupted");
2627                return -EINTR;
2628        }
2629
2630        if (err) {
2631                bt_dev_err(hdev, "Device boot timeout");
2632                btintel_reset_to_bootloader(hdev);
2633                return -ETIMEDOUT;
2634        }
2635
2636        rettime = ktime_get();
2637        delta = ktime_sub(rettime, calltime);
2638        duration = (unsigned long long) ktime_to_ns(delta) >> 10;
2639
2640        bt_dev_info(hdev, "Device booted in %llu usecs", duration);
2641
2642        clear_bit(BTUSB_BOOTLOADER, &data->flags);
2643
2644        err = btusb_setup_intel_new_get_fw_name(&ver, &params, ddcname,
2645                                                sizeof(ddcname), "ddc");
2646
2647        if (!err) {
2648                bt_dev_err(hdev, "Unsupported Intel firmware naming");
2649        } else {
2650                /* Once the device is running in operational mode, it needs to
2651                 * apply the device configuration (DDC) parameters.
2652                 *
2653                 * The device can work without DDC parameters, so even if it
2654                 * fails to load the file, no need to fail the setup.
2655                 */
2656                btintel_load_ddc_config(hdev, ddcname);
2657        }
2658
2659        /* Read the Intel supported features and if new exception formats
2660         * supported, need to load the additional DDC config to enable.
2661         */
2662        btintel_read_debug_features(hdev, &features);
2663
2664        /* Set DDC mask for available debug features */
2665        btintel_set_debug_features(hdev, &features);
2666
2667        /* Read the Intel version information after loading the FW  */
2668        err = btintel_read_version(hdev, &ver);
2669        if (err)
2670                return err;
2671
2672        btintel_version_info(hdev, &ver);
2673
2674finish:
2675        /* All Intel controllers that support the Microsoft vendor
2676         * extension are using 0xFC1E for VsMsftOpCode.
2677         */
2678        switch (ver.hw_variant) {
2679        case 0x12:      /* ThP */
2680                hci_set_msft_opcode(hdev, 0xFC1E);
2681                break;
2682        }
2683
2684        /* Set the event mask for Intel specific vendor events. This enables
2685         * a few extra events that are useful during general operation. It
2686         * does not enable any debugging related events.
2687         *
2688         * The device will function correctly without these events enabled
2689         * and thus no need to fail the setup.
2690         */
2691        btintel_set_event_mask(hdev, false);
2692
2693        return 0;
2694}
2695
2696static int btusb_shutdown_intel(struct hci_dev *hdev)
2697{
2698        struct sk_buff *skb;
2699        long ret;
2700
2701        /* In the shutdown sequence where Bluetooth is turned off followed
2702         * by WiFi being turned off, turning WiFi back on causes issue with
2703         * the RF calibration.
2704         *
2705         * To ensure that any RF activity has been stopped, issue HCI Reset
2706         * command to clear all ongoing activity including advertising,
2707         * scanning etc.
2708         */
2709        skb = __hci_cmd_sync(hdev, HCI_OP_RESET, 0, NULL, HCI_INIT_TIMEOUT);
2710        if (IS_ERR(skb)) {
2711                ret = PTR_ERR(skb);
2712                bt_dev_err(hdev, "HCI reset during shutdown failed");
2713                return ret;
2714        }
2715        kfree_skb(skb);
2716
2717        /* Some platforms have an issue with BT LED when the interface is
2718         * down or BT radio is turned off, which takes 5 seconds to BT LED
2719         * goes off. This command turns off the BT LED immediately.
2720         */
2721        skb = __hci_cmd_sync(hdev, 0xfc3f, 0, NULL, HCI_INIT_TIMEOUT);
2722        if (IS_ERR(skb)) {
2723                ret = PTR_ERR(skb);
2724                bt_dev_err(hdev, "turning off Intel device LED failed");
2725                return ret;
2726        }
2727        kfree_skb(skb);
2728
2729        return 0;
2730}
2731
2732static int btusb_shutdown_intel_new(struct hci_dev *hdev)
2733{
2734        struct sk_buff *skb;
2735
2736        /* Send HCI Reset to the controller to stop any BT activity which
2737         * were triggered. This will help to save power and maintain the
2738         * sync b/w Host and controller
2739         */
2740        skb = __hci_cmd_sync(hdev, HCI_OP_RESET, 0, NULL, HCI_INIT_TIMEOUT);
2741        if (IS_ERR(skb)) {
2742                bt_dev_err(hdev, "HCI reset during shutdown failed");
2743                return PTR_ERR(skb);
2744        }
2745        kfree_skb(skb);
2746
2747        return 0;
2748}
2749
2750#define FIRMWARE_MT7663         "mediatek/mt7663pr2h.bin"
2751#define FIRMWARE_MT7668         "mediatek/mt7668pr2h.bin"
2752
2753#define HCI_WMT_MAX_EVENT_SIZE          64
2754
2755enum {
2756        BTMTK_WMT_PATCH_DWNLD = 0x1,
2757        BTMTK_WMT_FUNC_CTRL = 0x6,
2758        BTMTK_WMT_RST = 0x7,
2759        BTMTK_WMT_SEMAPHORE = 0x17,
2760};
2761
2762enum {
2763        BTMTK_WMT_INVALID,
2764        BTMTK_WMT_PATCH_UNDONE,
2765        BTMTK_WMT_PATCH_DONE,
2766        BTMTK_WMT_ON_UNDONE,
2767        BTMTK_WMT_ON_DONE,
2768        BTMTK_WMT_ON_PROGRESS,
2769};
2770
2771struct btmtk_wmt_hdr {
2772        u8      dir;
2773        u8      op;
2774        __le16  dlen;
2775        u8      flag;
2776} __packed;
2777
2778struct btmtk_hci_wmt_cmd {
2779        struct btmtk_wmt_hdr hdr;
2780        u8 data[256];
2781} __packed;
2782
2783struct btmtk_hci_wmt_evt {
2784        struct hci_event_hdr hhdr;
2785        struct btmtk_wmt_hdr whdr;
2786} __packed;
2787
2788struct btmtk_hci_wmt_evt_funcc {
2789        struct btmtk_hci_wmt_evt hwhdr;
2790        __be16 status;
2791} __packed;
2792
2793struct btmtk_tci_sleep {
2794        u8 mode;
2795        __le16 duration;
2796        __le16 host_duration;
2797        u8 host_wakeup_pin;
2798        u8 time_compensation;
2799} __packed;
2800
2801struct btmtk_hci_wmt_params {
2802        u8 op;
2803        u8 flag;
2804        u16 dlen;
2805        const void *data;
2806        u32 *status;
2807};
2808
2809static void btusb_mtk_wmt_recv(struct urb *urb)
2810{
2811        struct hci_dev *hdev = urb->context;
2812        struct btusb_data *data = hci_get_drvdata(hdev);
2813        struct hci_event_hdr *hdr;
2814        struct sk_buff *skb;
2815        int err;
2816
2817        if (urb->status == 0 && urb->actual_length > 0) {
2818                hdev->stat.byte_rx += urb->actual_length;
2819
2820                /* WMT event shouldn't be fragmented and the size should be
2821                 * less than HCI_WMT_MAX_EVENT_SIZE.
2822                 */
2823                skb = bt_skb_alloc(HCI_WMT_MAX_EVENT_SIZE, GFP_ATOMIC);
2824                if (!skb) {
2825                        hdev->stat.err_rx++;
2826                        goto err_out;
2827                }
2828
2829                hci_skb_pkt_type(skb) = HCI_EVENT_PKT;
2830                skb_put_data(skb, urb->transfer_buffer, urb->actual_length);
2831
2832                hdr = (void *)skb->data;
2833                /* Fix up the vendor event id with 0xff for vendor specific
2834                 * instead of 0xe4 so that event send via monitoring socket can
2835                 * be parsed properly.
2836                 */
2837                hdr->evt = 0xff;
2838
2839                /* When someone waits for the WMT event, the skb is being cloned
2840                 * and being processed the events from there then.
2841                 */
2842                if (test_bit(BTUSB_TX_WAIT_VND_EVT, &data->flags)) {
2843                        data->evt_skb = skb_clone(skb, GFP_ATOMIC);
2844                        if (!data->evt_skb)
2845                                goto err_out;
2846                }
2847
2848                err = hci_recv_frame(hdev, skb);
2849                if (err < 0)
2850                        goto err_free_skb;
2851
2852                if (test_and_clear_bit(BTUSB_TX_WAIT_VND_EVT,
2853                                       &data->flags)) {
2854                        /* Barrier to sync with other CPUs */
2855                        smp_mb__after_atomic();
2856                        wake_up_bit(&data->flags,
2857                                    BTUSB_TX_WAIT_VND_EVT);
2858                }
2859err_out:
2860                return;
2861err_free_skb:
2862                kfree_skb(data->evt_skb);
2863                data->evt_skb = NULL;
2864                return;
2865        } else if (urb->status == -ENOENT) {
2866                /* Avoid suspend failed when usb_kill_urb */
2867                return;
2868        }
2869
2870        usb_mark_last_busy(data->udev);
2871
2872        /* The URB complete handler is still called with urb->actual_length = 0
2873         * when the event is not available, so we should keep re-submitting
2874         * URB until WMT event returns, Also, It's necessary to wait some time
2875         * between the two consecutive control URBs to relax the target device
2876         * to generate the event. Otherwise, the WMT event cannot return from
2877         * the device successfully.
2878         */
2879        udelay(100);
2880
2881        usb_anchor_urb(urb, &data->ctrl_anchor);
2882        err = usb_submit_urb(urb, GFP_ATOMIC);
2883        if (err < 0) {
2884                /* -EPERM: urb is being killed;
2885                 * -ENODEV: device got disconnected
2886                 */
2887                if (err != -EPERM && err != -ENODEV)
2888                        bt_dev_err(hdev, "urb %p failed to resubmit (%d)",
2889                                   urb, -err);
2890                usb_unanchor_urb(urb);
2891        }
2892}
2893
2894static int btusb_mtk_submit_wmt_recv_urb(struct hci_dev *hdev)
2895{
2896        struct btusb_data *data = hci_get_drvdata(hdev);
2897        struct usb_ctrlrequest *dr;
2898        unsigned char *buf;
2899        int err, size = 64;
2900        unsigned int pipe;
2901        struct urb *urb;
2902
2903        urb = usb_alloc_urb(0, GFP_KERNEL);
2904        if (!urb)
2905                return -ENOMEM;
2906
2907        dr = kmalloc(sizeof(*dr), GFP_KERNEL);
2908        if (!dr) {
2909                usb_free_urb(urb);
2910                return -ENOMEM;
2911        }
2912
2913        dr->bRequestType = USB_TYPE_VENDOR | USB_DIR_IN;
2914        dr->bRequest     = 1;
2915        dr->wIndex       = cpu_to_le16(0);
2916        dr->wValue       = cpu_to_le16(48);
2917        dr->wLength      = cpu_to_le16(size);
2918
2919        buf = kmalloc(size, GFP_KERNEL);
2920        if (!buf) {
2921                kfree(dr);
2922                usb_free_urb(urb);
2923                return -ENOMEM;
2924        }
2925
2926        pipe = usb_rcvctrlpipe(data->udev, 0);
2927
2928        usb_fill_control_urb(urb, data->udev, pipe, (void *)dr,
2929                             buf, size, btusb_mtk_wmt_recv, hdev);
2930
2931        urb->transfer_flags |= URB_FREE_BUFFER;
2932
2933        usb_anchor_urb(urb, &data->ctrl_anchor);
2934        err = usb_submit_urb(urb, GFP_KERNEL);
2935        if (err < 0) {
2936                if (err != -EPERM && err != -ENODEV)
2937                        bt_dev_err(hdev, "urb %p submission failed (%d)",
2938                                   urb, -err);
2939                usb_unanchor_urb(urb);
2940        }
2941
2942        usb_free_urb(urb);
2943
2944        return err;
2945}
2946
2947static int btusb_mtk_hci_wmt_sync(struct hci_dev *hdev,
2948                                  struct btmtk_hci_wmt_params *wmt_params)
2949{
2950        struct btusb_data *data = hci_get_drvdata(hdev);
2951        struct btmtk_hci_wmt_evt_funcc *wmt_evt_funcc;
2952        u32 hlen, status = BTMTK_WMT_INVALID;
2953        struct btmtk_hci_wmt_evt *wmt_evt;
2954        struct btmtk_hci_wmt_cmd wc;
2955        struct btmtk_wmt_hdr *hdr;
2956        int err;
2957
2958        /* Submit control IN URB on demand to process the WMT event */
2959        err = btusb_mtk_submit_wmt_recv_urb(hdev);
2960        if (err < 0)
2961                return err;
2962
2963        /* Send the WMT command and wait until the WMT event returns */
2964        hlen = sizeof(*hdr) + wmt_params->dlen;
2965        if (hlen > 255)
2966                return -EINVAL;
2967
2968        hdr = (struct btmtk_wmt_hdr *)&wc;
2969        hdr->dir = 1;
2970        hdr->op = wmt_params->op;
2971        hdr->dlen = cpu_to_le16(wmt_params->dlen + 1);
2972        hdr->flag = wmt_params->flag;
2973        memcpy(wc.data, wmt_params->data, wmt_params->dlen);
2974
2975        set_bit(BTUSB_TX_WAIT_VND_EVT, &data->flags);
2976
2977        err = __hci_cmd_send(hdev, 0xfc6f, hlen, &wc);
2978
2979        if (err < 0) {
2980                clear_bit(BTUSB_TX_WAIT_VND_EVT, &data->flags);
2981                return err;
2982        }
2983
2984        /* The vendor specific WMT commands are all answered by a vendor
2985         * specific event and will have the Command Status or Command
2986         * Complete as with usual HCI command flow control.
2987         *
2988         * After sending the command, wait for BTUSB_TX_WAIT_VND_EVT
2989         * state to be cleared. The driver specific event receive routine
2990         * will clear that state and with that indicate completion of the
2991         * WMT command.
2992         */
2993        err = wait_on_bit_timeout(&data->flags, BTUSB_TX_WAIT_VND_EVT,
2994                                  TASK_INTERRUPTIBLE, HCI_INIT_TIMEOUT);
2995        if (err == -EINTR) {
2996                bt_dev_err(hdev, "Execution of wmt command interrupted");
2997                clear_bit(BTUSB_TX_WAIT_VND_EVT, &data->flags);
2998                return err;
2999        }
3000
3001        if (err) {
3002                bt_dev_err(hdev, "Execution of wmt command timed out");
3003                clear_bit(BTUSB_TX_WAIT_VND_EVT, &data->flags);
3004                return -ETIMEDOUT;
3005        }
3006
3007        /* Parse and handle the return WMT event */
3008        wmt_evt = (struct btmtk_hci_wmt_evt *)data->evt_skb->data;
3009        if (wmt_evt->whdr.op != hdr->op) {
3010                bt_dev_err(hdev, "Wrong op received %d expected %d",
3011                           wmt_evt->whdr.op, hdr->op);
3012                err = -EIO;
3013                goto err_free_skb;
3014        }
3015
3016        switch (wmt_evt->whdr.op) {
3017        case BTMTK_WMT_SEMAPHORE:
3018                if (wmt_evt->whdr.flag == 2)
3019                        status = BTMTK_WMT_PATCH_UNDONE;
3020                else
3021                        status = BTMTK_WMT_PATCH_DONE;
3022                break;
3023        case BTMTK_WMT_FUNC_CTRL:
3024                wmt_evt_funcc = (struct btmtk_hci_wmt_evt_funcc *)wmt_evt;
3025                if (be16_to_cpu(wmt_evt_funcc->status) == 0x404)
3026                        status = BTMTK_WMT_ON_DONE;
3027                else if (be16_to_cpu(wmt_evt_funcc->status) == 0x420)
3028                        status = BTMTK_WMT_ON_PROGRESS;
3029                else
3030                        status = BTMTK_WMT_ON_UNDONE;
3031                break;
3032        }
3033
3034        if (wmt_params->status)
3035                *wmt_params->status = status;
3036
3037err_free_skb:
3038        kfree_skb(data->evt_skb);
3039        data->evt_skb = NULL;
3040
3041        return err;
3042}
3043
3044static int btusb_mtk_setup_firmware(struct hci_dev *hdev, const char *fwname)
3045{
3046        struct btmtk_hci_wmt_params wmt_params;
3047        const struct firmware *fw;
3048        const u8 *fw_ptr;
3049        size_t fw_size;
3050        int err, dlen;
3051        u8 flag, param;
3052
3053        err = request_firmware(&fw, fwname, &hdev->dev);
3054        if (err < 0) {
3055                bt_dev_err(hdev, "Failed to load firmware file (%d)", err);
3056                return err;
3057        }
3058
3059        /* Power on data RAM the firmware relies on. */
3060        param = 1;
3061        wmt_params.op = BTMTK_WMT_FUNC_CTRL;
3062        wmt_params.flag = 3;
3063        wmt_params.dlen = sizeof(param);
3064        wmt_params.data = &param;
3065        wmt_params.status = NULL;
3066
3067        err = btusb_mtk_hci_wmt_sync(hdev, &wmt_params);
3068        if (err < 0) {
3069                bt_dev_err(hdev, "Failed to power on data RAM (%d)", err);
3070                return err;
3071        }
3072
3073        fw_ptr = fw->data;
3074        fw_size = fw->size;
3075
3076        /* The size of patch header is 30 bytes, should be skip */
3077        if (fw_size < 30) {
3078                err = -EINVAL;
3079                goto err_release_fw;
3080        }
3081
3082        fw_size -= 30;
3083        fw_ptr += 30;
3084        flag = 1;
3085
3086        wmt_params.op = BTMTK_WMT_PATCH_DWNLD;
3087        wmt_params.status = NULL;
3088
3089        while (fw_size > 0) {
3090                dlen = min_t(int, 250, fw_size);
3091
3092                /* Tell deivice the position in sequence */
3093                if (fw_size - dlen <= 0)
3094                        flag = 3;
3095                else if (fw_size < fw->size - 30)
3096                        flag = 2;
3097
3098                wmt_params.flag = flag;
3099                wmt_params.dlen = dlen;
3100                wmt_params.data = fw_ptr;
3101
3102                err = btusb_mtk_hci_wmt_sync(hdev, &wmt_params);
3103                if (err < 0) {
3104                        bt_dev_err(hdev, "Failed to send wmt patch dwnld (%d)",
3105                                   err);
3106                        goto err_release_fw;
3107                }
3108
3109                fw_size -= dlen;
3110                fw_ptr += dlen;
3111        }
3112
3113        wmt_params.op = BTMTK_WMT_RST;
3114        wmt_params.flag = 4;
3115        wmt_params.dlen = 0;
3116        wmt_params.data = NULL;
3117        wmt_params.status = NULL;
3118
3119        /* Activate funciton the firmware providing to */
3120        err = btusb_mtk_hci_wmt_sync(hdev, &wmt_params);
3121        if (err < 0) {
3122                bt_dev_err(hdev, "Failed to send wmt rst (%d)", err);
3123                goto err_release_fw;
3124        }
3125
3126        /* Wait a few moments for firmware activation done */
3127        usleep_range(10000, 12000);
3128
3129err_release_fw:
3130        release_firmware(fw);
3131
3132        return err;
3133}
3134
3135static int btusb_mtk_func_query(struct hci_dev *hdev)
3136{
3137        struct btmtk_hci_wmt_params wmt_params;
3138        int status, err;
3139        u8 param = 0;
3140
3141        /* Query whether the function is enabled */
3142        wmt_params.op = BTMTK_WMT_FUNC_CTRL;
3143        wmt_params.flag = 4;
3144        wmt_params.dlen = sizeof(param);
3145        wmt_params.data = &param;
3146        wmt_params.status = &status;
3147
3148        err = btusb_mtk_hci_wmt_sync(hdev, &wmt_params);
3149        if (err < 0) {
3150                bt_dev_err(hdev, "Failed to query function status (%d)", err);
3151                return err;
3152        }
3153
3154        return status;
3155}
3156
3157static int btusb_mtk_reg_read(struct btusb_data *data, u32 reg, u32 *val)
3158{
3159        int pipe, err, size = sizeof(u32);
3160        void *buf;
3161
3162        buf = kzalloc(size, GFP_KERNEL);
3163        if (!buf)
3164                return -ENOMEM;
3165
3166        pipe = usb_rcvctrlpipe(data->udev, 0);
3167        err = usb_control_msg(data->udev, pipe, 0x63,
3168                              USB_TYPE_VENDOR | USB_DIR_IN,
3169                              reg >> 16, reg & 0xffff,
3170                              buf, size, USB_CTRL_SET_TIMEOUT);
3171        if (err < 0)
3172                goto err_free_buf;
3173
3174        *val = get_unaligned_le32(buf);
3175
3176err_free_buf:
3177        kfree(buf);
3178
3179        return err;
3180}
3181
3182static int btusb_mtk_id_get(struct btusb_data *data, u32 *id)
3183{
3184        return btusb_mtk_reg_read(data, 0x80000008, id);
3185}
3186
3187static int btusb_mtk_setup(struct hci_dev *hdev)
3188{
3189        struct btusb_data *data = hci_get_drvdata(hdev);
3190        struct btmtk_hci_wmt_params wmt_params;
3191        ktime_t calltime, delta, rettime;
3192        struct btmtk_tci_sleep tci_sleep;
3193        unsigned long long duration;
3194        struct sk_buff *skb;
3195        const char *fwname;
3196        int err, status;
3197        u32 dev_id;
3198        u8 param;
3199
3200        calltime = ktime_get();
3201
3202        err = btusb_mtk_id_get(data, &dev_id);
3203        if (err < 0) {
3204                bt_dev_err(hdev, "Failed to get device id (%d)", err);
3205                return err;
3206        }
3207
3208        switch (dev_id) {
3209        case 0x7663:
3210                fwname = FIRMWARE_MT7663;
3211                break;
3212        case 0x7668:
3213                fwname = FIRMWARE_MT7668;
3214                break;
3215        default:
3216                bt_dev_err(hdev, "Unsupported support hardware variant (%08x)",
3217                           dev_id);
3218                return -ENODEV;
3219        }
3220
3221        /* Query whether the firmware is already download */
3222        wmt_params.op = BTMTK_WMT_SEMAPHORE;
3223        wmt_params.flag = 1;
3224        wmt_params.dlen = 0;
3225        wmt_params.data = NULL;
3226        wmt_params.status = &status;
3227
3228        err = btusb_mtk_hci_wmt_sync(hdev, &wmt_params);
3229        if (err < 0) {
3230                bt_dev_err(hdev, "Failed to query firmware status (%d)", err);
3231                return err;
3232        }
3233
3234        if (status == BTMTK_WMT_PATCH_DONE) {
3235                bt_dev_info(hdev, "firmware already downloaded");
3236                goto ignore_setup_fw;
3237        }
3238
3239        /* Setup a firmware which the device definitely requires */
3240        err = btusb_mtk_setup_firmware(hdev, fwname);
3241        if (err < 0)
3242                return err;
3243
3244ignore_setup_fw:
3245        err = readx_poll_timeout(btusb_mtk_func_query, hdev, status,
3246                                 status < 0 || status != BTMTK_WMT_ON_PROGRESS,
3247                                 2000, 5000000);
3248        /* -ETIMEDOUT happens */
3249        if (err < 0)
3250                return err;
3251
3252        /* The other errors happen in btusb_mtk_func_query */
3253        if (status < 0)
3254                return status;
3255
3256        if (status == BTMTK_WMT_ON_DONE) {
3257                bt_dev_info(hdev, "function already on");
3258                goto ignore_func_on;
3259        }
3260
3261        /* Enable Bluetooth protocol */
3262        param = 1;
3263        wmt_params.op = BTMTK_WMT_FUNC_CTRL;
3264        wmt_params.flag = 0;
3265        wmt_params.dlen = sizeof(param);
3266        wmt_params.data = &param;
3267        wmt_params.status = NULL;
3268
3269        err = btusb_mtk_hci_wmt_sync(hdev, &wmt_params);
3270        if (err < 0) {
3271                bt_dev_err(hdev, "Failed to send wmt func ctrl (%d)", err);
3272                return err;
3273        }
3274
3275ignore_func_on:
3276        /* Apply the low power environment setup */
3277        tci_sleep.mode = 0x5;
3278        tci_sleep.duration = cpu_to_le16(0x640);
3279        tci_sleep.host_duration = cpu_to_le16(0x640);
3280        tci_sleep.host_wakeup_pin = 0;
3281        tci_sleep.time_compensation = 0;
3282
3283        skb = __hci_cmd_sync(hdev, 0xfc7a, sizeof(tci_sleep), &tci_sleep,
3284                             HCI_INIT_TIMEOUT);
3285        if (IS_ERR(skb)) {
3286                err = PTR_ERR(skb);
3287                bt_dev_err(hdev, "Failed to apply low power setting (%d)", err);
3288                return err;
3289        }
3290        kfree_skb(skb);
3291
3292        rettime = ktime_get();
3293        delta = ktime_sub(rettime, calltime);
3294        duration = (unsigned long long)ktime_to_ns(delta) >> 10;
3295
3296        bt_dev_info(hdev, "Device setup in %llu usecs", duration);
3297
3298        return 0;
3299}
3300
3301static int btusb_mtk_shutdown(struct hci_dev *hdev)
3302{
3303        struct btmtk_hci_wmt_params wmt_params;
3304        u8 param = 0;
3305        int err;
3306
3307        /* Disable the device */
3308        wmt_params.op = BTMTK_WMT_FUNC_CTRL;
3309        wmt_params.flag = 0;
3310        wmt_params.dlen = sizeof(param);
3311        wmt_params.data = &param;
3312        wmt_params.status = NULL;
3313
3314        err = btusb_mtk_hci_wmt_sync(hdev, &wmt_params);
3315        if (err < 0) {
3316                bt_dev_err(hdev, "Failed to send wmt func ctrl (%d)", err);
3317                return err;
3318        }
3319
3320        return 0;
3321}
3322
3323MODULE_FIRMWARE(FIRMWARE_MT7663);
3324MODULE_FIRMWARE(FIRMWARE_MT7668);
3325
3326#ifdef CONFIG_PM
3327/* Configure an out-of-band gpio as wake-up pin, if specified in device tree */
3328static int marvell_config_oob_wake(struct hci_dev *hdev)
3329{
3330        struct sk_buff *skb;
3331        struct btusb_data *data = hci_get_drvdata(hdev);
3332        struct device *dev = &data->udev->dev;
3333        u16 pin, gap, opcode;
3334        int ret;
3335        u8 cmd[5];
3336
3337        /* Move on if no wakeup pin specified */
3338        if (of_property_read_u16(dev->of_node, "marvell,wakeup-pin", &pin) ||
3339            of_property_read_u16(dev->of_node, "marvell,wakeup-gap-ms", &gap))
3340                return 0;
3341
3342        /* Vendor specific command to configure a GPIO as wake-up pin */
3343        opcode = hci_opcode_pack(0x3F, 0x59);
3344        cmd[0] = opcode & 0xFF;
3345        cmd[1] = opcode >> 8;
3346        cmd[2] = 2; /* length of parameters that follow */
3347        cmd[3] = pin;
3348        cmd[4] = gap; /* time in ms, for which wakeup pin should be asserted */
3349
3350        skb = bt_skb_alloc(sizeof(cmd), GFP_KERNEL);
3351        if (!skb) {
3352                bt_dev_err(hdev, "%s: No memory\n", __func__);
3353                return -ENOMEM;
3354        }
3355
3356        skb_put_data(skb, cmd, sizeof(cmd));
3357        hci_skb_pkt_type(skb) = HCI_COMMAND_PKT;
3358
3359        ret = btusb_send_frame(hdev, skb);
3360        if (ret) {
3361                bt_dev_err(hdev, "%s: configuration failed\n", __func__);
3362                kfree_skb(skb);
3363                return ret;
3364        }
3365
3366        return 0;
3367}
3368#endif
3369
3370static int btusb_set_bdaddr_marvell(struct hci_dev *hdev,
3371                                    const bdaddr_t *bdaddr)
3372{
3373        struct sk_buff *skb;
3374        u8 buf[8];
3375        long ret;
3376
3377        buf[0] = 0xfe;
3378        buf[1] = sizeof(bdaddr_t);
3379        memcpy(buf + 2, bdaddr, sizeof(bdaddr_t));
3380
3381        skb = __hci_cmd_sync(hdev, 0xfc22, sizeof(buf), buf, HCI_INIT_TIMEOUT);
3382        if (IS_ERR(skb)) {
3383                ret = PTR_ERR(skb);
3384                bt_dev_err(hdev, "changing Marvell device address failed (%ld)",
3385                           ret);
3386                return ret;
3387        }
3388        kfree_skb(skb);
3389
3390        return 0;
3391}
3392
3393static int btusb_set_bdaddr_ath3012(struct hci_dev *hdev,
3394                                    const bdaddr_t *bdaddr)
3395{
3396        struct sk_buff *skb;
3397        u8 buf[10];
3398        long ret;
3399
3400        buf[0] = 0x01;
3401        buf[1] = 0x01;
3402        buf[2] = 0x00;
3403        buf[3] = sizeof(bdaddr_t);
3404        memcpy(buf + 4, bdaddr, sizeof(bdaddr_t));
3405
3406        skb = __hci_cmd_sync(hdev, 0xfc0b, sizeof(buf), buf, HCI_INIT_TIMEOUT);
3407        if (IS_ERR(skb)) {
3408                ret = PTR_ERR(skb);
3409                bt_dev_err(hdev, "Change address command failed (%ld)", ret);
3410                return ret;
3411        }
3412        kfree_skb(skb);
3413
3414        return 0;
3415}
3416
3417static int btusb_set_bdaddr_wcn6855(struct hci_dev *hdev,
3418                                const bdaddr_t *bdaddr)
3419{
3420        struct sk_buff *skb;
3421        u8 buf[6];
3422        long ret;
3423
3424        memcpy(buf, bdaddr, sizeof(bdaddr_t));
3425
3426        skb = __hci_cmd_sync_ev(hdev, 0xfc14, sizeof(buf), buf,
3427                                HCI_EV_CMD_COMPLETE, HCI_INIT_TIMEOUT);
3428        if (IS_ERR(skb)) {
3429                ret = PTR_ERR(skb);
3430                bt_dev_err(hdev, "Change address command failed (%ld)", ret);
3431                return ret;
3432        }
3433        kfree_skb(skb);
3434
3435        return 0;
3436}
3437
3438#define QCA_DFU_PACKET_LEN      4096
3439
3440#define QCA_GET_TARGET_VERSION  0x09
3441#define QCA_CHECK_STATUS        0x05
3442#define QCA_DFU_DOWNLOAD        0x01
3443
3444#define QCA_SYSCFG_UPDATED      0x40
3445#define QCA_PATCH_UPDATED       0x80
3446#define QCA_DFU_TIMEOUT         3000
3447
3448struct qca_version {
3449        __le32  rom_version;
3450        __le32  patch_version;
3451        __le32  ram_version;
3452        __le32  ref_clock;
3453        __u8    reserved[4];
3454} __packed;
3455
3456struct qca_rampatch_version {
3457        __le16  rom_version_high;
3458        __le16  rom_version_low;
3459        __le16  patch_version;
3460} __packed;
3461
3462struct qca_device_info {
3463        u32     rom_version;
3464        u8      rampatch_hdr;   /* length of header in rampatch */
3465        u8      nvm_hdr;        /* length of header in NVM */
3466        u8      ver_offset;     /* offset of version structure in rampatch */
3467};
3468
3469static const struct qca_device_info qca_devices_table[] = {
3470        { 0x00000100, 20, 4,  8 }, /* Rome 1.0 */
3471        { 0x00000101, 20, 4,  8 }, /* Rome 1.1 */
3472        { 0x00000200, 28, 4, 16 }, /* Rome 2.0 */
3473        { 0x00000201, 28, 4, 16 }, /* Rome 2.1 */
3474        { 0x00000300, 28, 4, 16 }, /* Rome 3.0 */
3475        { 0x00000302, 28, 4, 16 }, /* Rome 3.2 */
3476        { 0x00130100, 40, 4, 16 }, /* WCN6855 1.0 */
3477        { 0x00130200, 40, 4, 16 }, /* WCN6855 2.0 */
3478};
3479
3480static int btusb_qca_send_vendor_req(struct usb_device *udev, u8 request,
3481                                     void *data, u16 size)
3482{
3483        int pipe, err;
3484        u8 *buf;
3485
3486        buf = kmalloc(size, GFP_KERNEL);
3487        if (!buf)
3488                return -ENOMEM;
3489
3490        /* Found some of USB hosts have IOT issues with ours so that we should
3491         * not wait until HCI layer is ready.
3492         */
3493        pipe = usb_rcvctrlpipe(udev, 0);
3494        err = usb_control_msg(udev, pipe, request, USB_TYPE_VENDOR | USB_DIR_IN,
3495                              0, 0, buf, size, USB_CTRL_SET_TIMEOUT);
3496        if (err < 0) {
3497                dev_err(&udev->dev, "Failed to access otp area (%d)", err);
3498                goto done;
3499        }
3500
3501        memcpy(data, buf, size);
3502
3503done:
3504        kfree(buf);
3505
3506        return err;
3507}
3508
3509static int btusb_setup_qca_download_fw(struct hci_dev *hdev,
3510                                       const struct firmware *firmware,
3511                                       size_t hdr_size)
3512{
3513        struct btusb_data *btdata = hci_get_drvdata(hdev);
3514        struct usb_device *udev = btdata->udev;
3515        size_t count, size, sent = 0;
3516        int pipe, len, err;
3517        u8 *buf;
3518
3519        buf = kmalloc(QCA_DFU_PACKET_LEN, GFP_KERNEL);
3520        if (!buf)
3521                return -ENOMEM;
3522
3523        count = firmware->size;
3524
3525        size = min_t(size_t, count, hdr_size);
3526        memcpy(buf, firmware->data, size);
3527
3528        /* USB patches should go down to controller through USB path
3529         * because binary format fits to go down through USB channel.
3530         * USB control path is for patching headers and USB bulk is for
3531         * patch body.
3532         */
3533        pipe = usb_sndctrlpipe(udev, 0);
3534        err = usb_control_msg(udev, pipe, QCA_DFU_DOWNLOAD, USB_TYPE_VENDOR,
3535                              0, 0, buf, size, USB_CTRL_SET_TIMEOUT);
3536        if (err < 0) {
3537                bt_dev_err(hdev, "Failed to send headers (%d)", err);
3538                goto done;
3539        }
3540
3541        sent += size;
3542        count -= size;
3543
3544        while (count) {
3545                size = min_t(size_t, count, QCA_DFU_PACKET_LEN);
3546
3547                memcpy(buf, firmware->data + sent, size);
3548
3549                pipe = usb_sndbulkpipe(udev, 0x02);
3550                err = usb_bulk_msg(udev, pipe, buf, size, &len,
3551                                   QCA_DFU_TIMEOUT);
3552                if (err < 0) {
3553                        bt_dev_err(hdev, "Failed to send body at %zd of %zd (%d)",
3554                                   sent, firmware->size, err);
3555                        break;
3556                }
3557
3558                if (size != len) {
3559                        bt_dev_err(hdev, "Failed to get bulk buffer");
3560                        err = -EILSEQ;
3561                        break;
3562                }
3563
3564                sent  += size;
3565                count -= size;
3566        }
3567
3568done:
3569        kfree(buf);
3570        return err;
3571}
3572
3573static int btusb_setup_qca_load_rampatch(struct hci_dev *hdev,
3574                                         struct qca_version *ver,
3575                                         const struct qca_device_info *info)
3576{
3577        struct qca_rampatch_version *rver;
3578        const struct firmware *fw;
3579        u32 ver_rom, ver_patch, rver_rom;
3580        u16 rver_rom_low, rver_rom_high, rver_patch;
3581        char fwname[64];
3582        int err;
3583
3584        ver_rom = le32_to_cpu(ver->rom_version);
3585        ver_patch = le32_to_cpu(ver->patch_version);
3586
3587        snprintf(fwname, sizeof(fwname), "qca/rampatch_usb_%08x.bin", ver_rom);
3588
3589        err = request_firmware(&fw, fwname, &hdev->dev);
3590        if (err) {
3591                bt_dev_err(hdev, "failed to request rampatch file: %s (%d)",
3592                           fwname, err);
3593                return err;
3594        }
3595
3596        bt_dev_info(hdev, "using rampatch file: %s", fwname);
3597
3598        rver = (struct qca_rampatch_version *)(fw->data + info->ver_offset);
3599        rver_rom_low = le16_to_cpu(rver->rom_version_low);
3600        rver_patch = le16_to_cpu(rver->patch_version);
3601
3602        if (ver_rom & ~0xffffU) {
3603                rver_rom_high = le16_to_cpu(rver->rom_version_high);
3604                rver_rom = le32_to_cpu(rver_rom_high << 16 | rver_rom_low);
3605        } else {
3606                rver_rom = rver_rom_low;
3607        }
3608
3609        bt_dev_info(hdev, "QCA: patch rome 0x%x build 0x%x, "
3610                    "firmware rome 0x%x build 0x%x",
3611                    rver_rom, rver_patch, ver_rom, ver_patch);
3612
3613        if (rver_rom != ver_rom || rver_patch <= ver_patch) {
3614                bt_dev_err(hdev, "rampatch file version did not match with firmware");
3615                err = -EINVAL;
3616                goto done;
3617        }
3618
3619        err = btusb_setup_qca_download_fw(hdev, fw, info->rampatch_hdr);
3620
3621done:
3622        release_firmware(fw);
3623
3624        return err;
3625}
3626
3627static int btusb_setup_qca_load_nvm(struct hci_dev *hdev,
3628                                    struct qca_version *ver,
3629                                    const struct qca_device_info *info)
3630{
3631        const struct firmware *fw;
3632        char fwname[64];
3633        int err;
3634
3635        snprintf(fwname, sizeof(fwname), "qca/nvm_usb_%08x.bin",
3636                 le32_to_cpu(ver->rom_version));
3637
3638        err = request_firmware(&fw, fwname, &hdev->dev);
3639        if (err) {
3640                bt_dev_err(hdev, "failed to request NVM file: %s (%d)",
3641                           fwname, err);
3642                return err;
3643        }
3644
3645        bt_dev_info(hdev, "using NVM file: %s", fwname);
3646
3647        err = btusb_setup_qca_download_fw(hdev, fw, info->nvm_hdr);
3648
3649        release_firmware(fw);
3650
3651        return err;
3652}
3653
3654/* identify the ROM version and check whether patches are needed */
3655static bool btusb_qca_need_patch(struct usb_device *udev)
3656{
3657        struct qca_version ver;
3658
3659        if (btusb_qca_send_vendor_req(udev, QCA_GET_TARGET_VERSION, &ver,
3660                                      sizeof(ver)) < 0)
3661                return false;
3662        /* only low ROM versions need patches */
3663        return !(le32_to_cpu(ver.rom_version) & ~0xffffU);
3664}
3665
3666static int btusb_setup_qca(struct hci_dev *hdev)
3667{
3668        struct btusb_data *btdata = hci_get_drvdata(hdev);
3669        struct usb_device *udev = btdata->udev;
3670        const struct qca_device_info *info = NULL;
3671        struct qca_version ver;
3672        u32 ver_rom;
3673        u8 status;
3674        int i, err;
3675
3676        err = btusb_qca_send_vendor_req(udev, QCA_GET_TARGET_VERSION, &ver,
3677                                        sizeof(ver));
3678        if (err < 0)
3679                return err;
3680
3681        ver_rom = le32_to_cpu(ver.rom_version);
3682
3683        for (i = 0; i < ARRAY_SIZE(qca_devices_table); i++) {
3684                if (ver_rom == qca_devices_table[i].rom_version)
3685                        info = &qca_devices_table[i];
3686        }
3687        if (!info) {
3688                bt_dev_err(hdev, "don't support firmware rome 0x%x", ver_rom);
3689                return -ENODEV;
3690        }
3691
3692        err = btusb_qca_send_vendor_req(udev, QCA_CHECK_STATUS, &status,
3693                                        sizeof(status));
3694        if (err < 0)
3695                return err;
3696
3697        if (!(status & QCA_PATCH_UPDATED)) {
3698                err = btusb_setup_qca_load_rampatch(hdev, &ver, info);
3699                if (err < 0)
3700                        return err;
3701        }
3702
3703        if (!(status & QCA_SYSCFG_UPDATED)) {
3704                err = btusb_setup_qca_load_nvm(hdev, &ver, info);
3705                if (err < 0)
3706                        return err;
3707        }
3708
3709        return 0;
3710}
3711
3712static inline int __set_diag_interface(struct hci_dev *hdev)
3713{
3714        struct btusb_data *data = hci_get_drvdata(hdev);
3715        struct usb_interface *intf = data->diag;
3716        int i;
3717
3718        if (!data->diag)
3719                return -ENODEV;
3720
3721        data->diag_tx_ep = NULL;
3722        data->diag_rx_ep = NULL;
3723
3724        for (i = 0; i < intf->cur_altsetting->desc.bNumEndpoints; i++) {
3725                struct usb_endpoint_descriptor *ep_desc;
3726
3727                ep_desc = &intf->cur_altsetting->endpoint[i].desc;
3728
3729                if (!data->diag_tx_ep && usb_endpoint_is_bulk_out(ep_desc)) {
3730                        data->diag_tx_ep = ep_desc;
3731                        continue;
3732                }
3733
3734                if (!data->diag_rx_ep && usb_endpoint_is_bulk_in(ep_desc)) {
3735                        data->diag_rx_ep = ep_desc;
3736                        continue;
3737                }
3738        }
3739
3740        if (!data->diag_tx_ep || !data->diag_rx_ep) {
3741                bt_dev_err(hdev, "invalid diagnostic descriptors");
3742                return -ENODEV;
3743        }
3744
3745        return 0;
3746}
3747
3748static struct urb *alloc_diag_urb(struct hci_dev *hdev, bool enable)
3749{
3750        struct btusb_data *data = hci_get_drvdata(hdev);
3751        struct sk_buff *skb;
3752        struct urb *urb;
3753        unsigned int pipe;
3754
3755        if (!data->diag_tx_ep)
3756                return ERR_PTR(-ENODEV);
3757
3758        urb = usb_alloc_urb(0, GFP_KERNEL);
3759        if (!urb)
3760                return ERR_PTR(-ENOMEM);
3761
3762        skb = bt_skb_alloc(2, GFP_KERNEL);
3763        if (!skb) {
3764                usb_free_urb(urb);
3765                return ERR_PTR(-ENOMEM);
3766        }
3767
3768        skb_put_u8(skb, 0xf0);
3769        skb_put_u8(skb, enable);
3770
3771        pipe = usb_sndbulkpipe(data->udev, data->diag_tx_ep->bEndpointAddress);
3772
3773        usb_fill_bulk_urb(urb, data->udev, pipe,
3774                          skb->data, skb->len, btusb_tx_complete, skb);
3775
3776        skb->dev = (void *)hdev;
3777
3778        return urb;
3779}
3780
3781static int btusb_bcm_set_diag(struct hci_dev *hdev, bool enable)
3782{
3783        struct btusb_data *data = hci_get_drvdata(hdev);
3784        struct urb *urb;
3785
3786        if (!data->diag)
3787                return -ENODEV;
3788
3789        if (!test_bit(HCI_RUNNING, &hdev->flags))
3790                return -ENETDOWN;
3791
3792        urb = alloc_diag_urb(hdev, enable);
3793        if (IS_ERR(urb))
3794                return PTR_ERR(urb);
3795
3796        return submit_or_queue_tx_urb(hdev, urb);
3797}
3798
3799#ifdef CONFIG_PM
3800static irqreturn_t btusb_oob_wake_handler(int irq, void *priv)
3801{
3802        struct btusb_data *data = priv;
3803
3804        pm_wakeup_event(&data->udev->dev, 0);
3805        pm_system_wakeup();
3806
3807        /* Disable only if not already disabled (keep it balanced) */
3808        if (test_and_clear_bit(BTUSB_OOB_WAKE_ENABLED, &data->flags)) {
3809                disable_irq_nosync(irq);
3810                disable_irq_wake(irq);
3811        }
3812        return IRQ_HANDLED;
3813}
3814
3815static const struct of_device_id btusb_match_table[] = {
3816        { .compatible = "usb1286,204e" },
3817        { .compatible = "usbcf3,e300" }, /* QCA6174A */
3818        { .compatible = "usb4ca,301a" }, /* QCA6174A (Lite-On) */
3819        { }
3820};
3821MODULE_DEVICE_TABLE(of, btusb_match_table);
3822
3823/* Use an oob wakeup pin? */
3824static int btusb_config_oob_wake(struct hci_dev *hdev)
3825{
3826        struct btusb_data *data = hci_get_drvdata(hdev);
3827        struct device *dev = &data->udev->dev;
3828        int irq, ret;
3829
3830        clear_bit(BTUSB_OOB_WAKE_ENABLED, &data->flags);
3831
3832        if (!of_match_device(btusb_match_table, dev))
3833                return 0;
3834
3835        /* Move on if no IRQ specified */
3836        irq = of_irq_get_byname(dev->of_node, "wakeup");
3837        if (irq <= 0) {
3838                bt_dev_dbg(hdev, "%s: no OOB Wakeup IRQ in DT", __func__);
3839                return 0;
3840        }
3841
3842        irq_set_status_flags(irq, IRQ_NOAUTOEN);
3843        ret = devm_request_irq(&hdev->dev, irq, btusb_oob_wake_handler,
3844                               0, "OOB Wake-on-BT", data);
3845        if (ret) {
3846                bt_dev_err(hdev, "%s: IRQ request failed", __func__);
3847                return ret;
3848        }
3849
3850        ret = device_init_wakeup(dev, true);
3851        if (ret) {
3852                bt_dev_err(hdev, "%s: failed to init_wakeup", __func__);
3853                return ret;
3854        }
3855
3856        data->oob_wake_irq = irq;
3857        bt_dev_info(hdev, "OOB Wake-on-BT configured at IRQ %u", irq);
3858        return 0;
3859}
3860#endif
3861
3862static void btusb_check_needs_reset_resume(struct usb_interface *intf)
3863{
3864        if (dmi_check_system(btusb_needs_reset_resume_table))
3865                interface_to_usbdev(intf)->quirks |= USB_QUIRK_RESET_RESUME;
3866}
3867
3868static bool btusb_prevent_wake(struct hci_dev *hdev)
3869{
3870        struct btusb_data *data = hci_get_drvdata(hdev);
3871
3872        if (test_bit(BTUSB_WAKEUP_DISABLE, &data->flags))
3873                return true;
3874
3875        return !device_may_wakeup(&data->udev->dev);
3876}
3877
3878static int btusb_probe(struct usb_interface *intf,
3879                       const struct usb_device_id *id)
3880{
3881        struct usb_endpoint_descriptor *ep_desc;
3882        struct gpio_desc *reset_gpio;
3883        struct btusb_data *data;
3884        struct hci_dev *hdev;
3885        unsigned ifnum_base;
3886        int i, err;
3887
3888        BT_DBG("intf %p id %p", intf, id);
3889
3890        /* interface numbers are hardcoded in the spec */
3891        if (intf->cur_altsetting->desc.bInterfaceNumber != 0) {
3892                if (!(id->driver_info & BTUSB_IFNUM_2))
3893                        return -ENODEV;
3894                if (intf->cur_altsetting->desc.bInterfaceNumber != 2)
3895                        return -ENODEV;
3896        }
3897
3898        ifnum_base = intf->cur_altsetting->desc.bInterfaceNumber;
3899
3900        if (!id->driver_info) {
3901                const struct usb_device_id *match;
3902
3903                match = usb_match_id(intf, blacklist_table);
3904                if (match)
3905                        id = match;
3906        }
3907
3908        if (id->driver_info == BTUSB_IGNORE)
3909                return -ENODEV;
3910
3911        if (id->driver_info & BTUSB_ATH3012) {
3912                struct usb_device *udev = interface_to_usbdev(intf);
3913
3914                /* Old firmware would otherwise let ath3k driver load
3915                 * patch and sysconfig files
3916                 */
3917                if (le16_to_cpu(udev->descriptor.bcdDevice) <= 0x0001 &&
3918                    !btusb_qca_need_patch(udev))
3919                        return -ENODEV;
3920        }
3921
3922        data = devm_kzalloc(&intf->dev, sizeof(*data), GFP_KERNEL);
3923        if (!data)
3924                return -ENOMEM;
3925
3926        for (i = 0; i < intf->cur_altsetting->desc.bNumEndpoints; i++) {
3927                ep_desc = &intf->cur_altsetting->endpoint[i].desc;
3928
3929                if (!data->intr_ep && usb_endpoint_is_int_in(ep_desc)) {
3930                        data->intr_ep = ep_desc;
3931                        continue;
3932                }
3933
3934                if (!data->bulk_tx_ep && usb_endpoint_is_bulk_out(ep_desc)) {
3935                        data->bulk_tx_ep = ep_desc;
3936                        continue;
3937                }
3938
3939                if (!data->bulk_rx_ep && usb_endpoint_is_bulk_in(ep_desc)) {
3940                        data->bulk_rx_ep = ep_desc;
3941                        continue;
3942                }
3943        }
3944
3945        if (!data->intr_ep || !data->bulk_tx_ep || !data->bulk_rx_ep)
3946                return -ENODEV;
3947
3948        if (id->driver_info & BTUSB_AMP) {
3949                data->cmdreq_type = USB_TYPE_CLASS | 0x01;
3950                data->cmdreq = 0x2b;
3951        } else {
3952                data->cmdreq_type = USB_TYPE_CLASS;
3953                data->cmdreq = 0x00;
3954        }
3955
3956        data->udev = interface_to_usbdev(intf);
3957        data->intf = intf;
3958
3959        INIT_WORK(&data->work, btusb_work);
3960        INIT_WORK(&data->waker, btusb_waker);
3961        init_usb_anchor(&data->deferred);
3962        init_usb_anchor(&data->tx_anchor);
3963        spin_lock_init(&data->txlock);
3964
3965        init_usb_anchor(&data->intr_anchor);
3966        init_usb_anchor(&data->bulk_anchor);
3967        init_usb_anchor(&data->isoc_anchor);
3968        init_usb_anchor(&data->diag_anchor);
3969        init_usb_anchor(&data->ctrl_anchor);
3970        spin_lock_init(&data->rxlock);
3971
3972        if (id->driver_info & BTUSB_INTEL_NEW) {
3973                data->recv_event = btusb_recv_event_intel;
3974                data->recv_bulk = btusb_recv_bulk_intel;
3975                set_bit(BTUSB_BOOTLOADER, &data->flags);
3976        } else {
3977                data->recv_event = hci_recv_frame;
3978                data->recv_bulk = btusb_recv_bulk;
3979        }
3980
3981        hdev = hci_alloc_dev();
3982        if (!hdev)
3983                return -ENOMEM;
3984
3985        hdev->bus = HCI_USB;
3986        hci_set_drvdata(hdev, data);
3987
3988        if (id->driver_info & BTUSB_AMP)
3989                hdev->dev_type = HCI_AMP;
3990        else
3991                hdev->dev_type = HCI_PRIMARY;
3992
3993        data->hdev = hdev;
3994
3995        SET_HCIDEV_DEV(hdev, &intf->dev);
3996
3997        reset_gpio = gpiod_get_optional(&data->udev->dev, "reset",
3998                                        GPIOD_OUT_LOW);
3999        if (IS_ERR(reset_gpio)) {
4000                err = PTR_ERR(reset_gpio);
4001                goto out_free_dev;
4002        } else if (reset_gpio) {
4003                data->reset_gpio = reset_gpio;
4004        }
4005
4006        hdev->open   = btusb_open;
4007        hdev->close  = btusb_close;
4008        hdev->flush  = btusb_flush;
4009        hdev->send   = btusb_send_frame;
4010        hdev->notify = btusb_notify;
4011        hdev->prevent_wake = btusb_prevent_wake;
4012
4013#ifdef CONFIG_PM
4014        err = btusb_config_oob_wake(hdev);
4015        if (err)
4016                goto out_free_dev;
4017
4018        /* Marvell devices may need a specific chip configuration */
4019        if (id->driver_info & BTUSB_MARVELL && data->oob_wake_irq) {
4020                err = marvell_config_oob_wake(hdev);
4021                if (err)
4022                        goto out_free_dev;
4023        }
4024#endif
4025        if (id->driver_info & BTUSB_CW6622)
4026                set_bit(HCI_QUIRK_BROKEN_STORED_LINK_KEY, &hdev->quirks);
4027
4028        if (id->driver_info & BTUSB_BCM2045)
4029                set_bit(HCI_QUIRK_BROKEN_STORED_LINK_KEY, &hdev->quirks);
4030
4031        if (id->driver_info & BTUSB_BCM92035)
4032                hdev->setup = btusb_setup_bcm92035;
4033
4034        if (IS_ENABLED(CONFIG_BT_HCIBTUSB_BCM) &&
4035            (id->driver_info & BTUSB_BCM_PATCHRAM)) {
4036                hdev->manufacturer = 15;
4037                hdev->setup = btbcm_setup_patchram;
4038                hdev->set_diag = btusb_bcm_set_diag;
4039                hdev->set_bdaddr = btbcm_set_bdaddr;
4040
4041                /* Broadcom LM_DIAG Interface numbers are hardcoded */
4042                data->diag = usb_ifnum_to_if(data->udev, ifnum_base + 2);
4043        }
4044
4045        if (IS_ENABLED(CONFIG_BT_HCIBTUSB_BCM) &&
4046            (id->driver_info & BTUSB_BCM_APPLE)) {
4047                hdev->manufacturer = 15;
4048                hdev->setup = btbcm_setup_apple;
4049                hdev->set_diag = btusb_bcm_set_diag;
4050
4051                /* Broadcom LM_DIAG Interface numbers are hardcoded */
4052                data->diag = usb_ifnum_to_if(data->udev, ifnum_base + 2);
4053        }
4054
4055        if (id->driver_info & BTUSB_INTEL) {
4056                hdev->manufacturer = 2;
4057                hdev->setup = btusb_setup_intel;
4058                hdev->shutdown = btusb_shutdown_intel;
4059                hdev->set_diag = btintel_set_diag_mfg;
4060                hdev->set_bdaddr = btintel_set_bdaddr;
4061                hdev->cmd_timeout = btusb_intel_cmd_timeout;
4062                set_bit(HCI_QUIRK_STRICT_DUPLICATE_FILTER, &hdev->quirks);
4063                set_bit(HCI_QUIRK_SIMULTANEOUS_DISCOVERY, &hdev->quirks);
4064                set_bit(HCI_QUIRK_NON_PERSISTENT_DIAG, &hdev->quirks);
4065        }
4066
4067        if (id->driver_info & BTUSB_INTEL_NEW) {
4068                hdev->manufacturer = 2;
4069                hdev->send = btusb_send_frame_intel;
4070                hdev->setup = btusb_setup_intel_new;
4071                hdev->shutdown = btusb_shutdown_intel_new;
4072                hdev->hw_error = btintel_hw_error;
4073                hdev->set_diag = btintel_set_diag;
4074                hdev->set_bdaddr = btintel_set_bdaddr;
4075                hdev->cmd_timeout = btusb_intel_cmd_timeout;
4076                set_bit(HCI_QUIRK_STRICT_DUPLICATE_FILTER, &hdev->quirks);
4077                set_bit(HCI_QUIRK_SIMULTANEOUS_DISCOVERY, &hdev->quirks);
4078                set_bit(HCI_QUIRK_NON_PERSISTENT_DIAG, &hdev->quirks);
4079        }
4080
4081        if (id->driver_info & BTUSB_MARVELL)
4082                hdev->set_bdaddr = btusb_set_bdaddr_marvell;
4083
4084        if (IS_ENABLED(CONFIG_BT_HCIBTUSB_MTK) &&
4085            (id->driver_info & BTUSB_MEDIATEK)) {
4086                hdev->setup = btusb_mtk_setup;
4087                hdev->shutdown = btusb_mtk_shutdown;
4088                hdev->manufacturer = 70;
4089                set_bit(HCI_QUIRK_NON_PERSISTENT_SETUP, &hdev->quirks);
4090        }
4091
4092        if (id->driver_info & BTUSB_SWAVE) {
4093                set_bit(HCI_QUIRK_FIXUP_INQUIRY_MODE, &hdev->quirks);
4094                set_bit(HCI_QUIRK_BROKEN_LOCAL_COMMANDS, &hdev->quirks);
4095        }
4096
4097        if (id->driver_info & BTUSB_INTEL_BOOT) {
4098                hdev->manufacturer = 2;
4099                set_bit(HCI_QUIRK_RAW_DEVICE, &hdev->quirks);
4100        }
4101
4102        if (id->driver_info & BTUSB_ATH3012) {
4103                data->setup_on_usb = btusb_setup_qca;
4104                hdev->set_bdaddr = btusb_set_bdaddr_ath3012;
4105                set_bit(HCI_QUIRK_SIMULTANEOUS_DISCOVERY, &hdev->quirks);
4106                set_bit(HCI_QUIRK_STRICT_DUPLICATE_FILTER, &hdev->quirks);
4107        }
4108
4109        if (id->driver_info & BTUSB_QCA_ROME) {
4110                data->setup_on_usb = btusb_setup_qca;
4111                hdev->set_bdaddr = btusb_set_bdaddr_ath3012;
4112                hdev->cmd_timeout = btusb_qca_cmd_timeout;
4113                set_bit(HCI_QUIRK_SIMULTANEOUS_DISCOVERY, &hdev->quirks);
4114                btusb_check_needs_reset_resume(intf);
4115        }
4116
4117        if (id->driver_info & BTUSB_QCA_WCN6855) {
4118                data->setup_on_usb = btusb_setup_qca;
4119                hdev->set_bdaddr = btusb_set_bdaddr_wcn6855;
4120                hdev->cmd_timeout = btusb_qca_cmd_timeout;
4121                set_bit(HCI_QUIRK_SIMULTANEOUS_DISCOVERY, &hdev->quirks);
4122        }
4123
4124        if (id->driver_info & BTUSB_AMP) {
4125                /* AMP controllers do not support SCO packets */
4126                data->isoc = NULL;
4127        } else {
4128                /* Interface orders are hardcoded in the specification */
4129                data->isoc = usb_ifnum_to_if(data->udev, ifnum_base + 1);
4130                data->isoc_ifnum = ifnum_base + 1;
4131        }
4132
4133        if (IS_ENABLED(CONFIG_BT_HCIBTUSB_RTL) &&
4134            (id->driver_info & BTUSB_REALTEK)) {
4135                hdev->setup = btrtl_setup_realtek;
4136                hdev->shutdown = btrtl_shutdown_realtek;
4137                hdev->cmd_timeout = btusb_rtl_cmd_timeout;
4138
4139                /* Realtek devices lose their updated firmware over global
4140                 * suspend that means host doesn't send SET_FEATURE
4141                 * (DEVICE_REMOTE_WAKEUP)
4142                 */
4143                set_bit(BTUSB_WAKEUP_DISABLE, &data->flags);
4144                if (btusb_find_altsetting(data, 1))
4145                        set_bit(BTUSB_USE_ALT1_FOR_WBS, &data->flags);
4146                else
4147                        bt_dev_err(hdev, "Device does not support ALT setting 1");
4148        }
4149
4150        if (!reset)
4151                set_bit(HCI_QUIRK_RESET_ON_CLOSE, &hdev->quirks);
4152
4153        if (force_scofix || id->driver_info & BTUSB_WRONG_SCO_MTU) {
4154                if (!disable_scofix)
4155                        set_bit(HCI_QUIRK_FIXUP_BUFFER_SIZE, &hdev->quirks);
4156        }
4157
4158        if (id->driver_info & BTUSB_BROKEN_ISOC)
4159                data->isoc = NULL;
4160
4161        if (id->driver_info & BTUSB_WIDEBAND_SPEECH)
4162                set_bit(HCI_QUIRK_WIDEBAND_SPEECH_SUPPORTED, &hdev->quirks);
4163
4164        if (id->driver_info & BTUSB_VALID_LE_STATES)
4165                set_bit(HCI_QUIRK_VALID_LE_STATES, &hdev->quirks);
4166
4167        if (id->driver_info & BTUSB_DIGIANSWER) {
4168                data->cmdreq_type = USB_TYPE_VENDOR;
4169                set_bit(HCI_QUIRK_RESET_ON_CLOSE, &hdev->quirks);
4170        }
4171
4172        if (id->driver_info & BTUSB_CSR) {
4173                struct usb_device *udev = data->udev;
4174                u16 bcdDevice = le16_to_cpu(udev->descriptor.bcdDevice);
4175
4176                /* Old firmware would otherwise execute USB reset */
4177                if (bcdDevice < 0x117)
4178                        set_bit(HCI_QUIRK_RESET_ON_CLOSE, &hdev->quirks);
4179
4180                /* This must be set first in case we disable it for fakes */
4181                set_bit(HCI_QUIRK_SIMULTANEOUS_DISCOVERY, &hdev->quirks);
4182
4183                /* Fake CSR devices with broken commands */
4184                if (le16_to_cpu(udev->descriptor.idVendor)  == 0x0a12 &&
4185                    le16_to_cpu(udev->descriptor.idProduct) == 0x0001)
4186                        hdev->setup = btusb_setup_csr;
4187        }
4188
4189        if (id->driver_info & BTUSB_SNIFFER) {
4190                struct usb_device *udev = data->udev;
4191
4192                /* New sniffer firmware has crippled HCI interface */
4193                if (le16_to_cpu(udev->descriptor.bcdDevice) > 0x997)
4194                        set_bit(HCI_QUIRK_RAW_DEVICE, &hdev->quirks);
4195        }
4196
4197        if (id->driver_info & BTUSB_INTEL_BOOT) {
4198                /* A bug in the bootloader causes that interrupt interface is
4199                 * only enabled after receiving SetInterface(0, AltSetting=0).
4200                 */
4201                err = usb_set_interface(data->udev, 0, 0);
4202                if (err < 0) {
4203                        BT_ERR("failed to set interface 0, alt 0 %d", err);
4204                        goto out_free_dev;
4205                }
4206        }
4207
4208        if (data->isoc) {
4209                err = usb_driver_claim_interface(&btusb_driver,
4210                                                 data->isoc, data);
4211                if (err < 0)
4212                        goto out_free_dev;
4213        }
4214
4215        if (IS_ENABLED(CONFIG_BT_HCIBTUSB_BCM) && data->diag) {
4216                if (!usb_driver_claim_interface(&btusb_driver,
4217                                                data->diag, data))
4218                        __set_diag_interface(hdev);
4219                else
4220                        data->diag = NULL;
4221        }
4222
4223        if (enable_autosuspend)
4224                usb_enable_autosuspend(data->udev);
4225
4226        err = hci_register_dev(hdev);
4227        if (err < 0)
4228                goto out_free_dev;
4229
4230        usb_set_intfdata(intf, data);
4231
4232        return 0;
4233
4234out_free_dev:
4235        if (data->reset_gpio)
4236                gpiod_put(data->reset_gpio);
4237        hci_free_dev(hdev);
4238        return err;
4239}
4240
4241static void btusb_disconnect(struct usb_interface *intf)
4242{
4243        struct btusb_data *data = usb_get_intfdata(intf);
4244        struct hci_dev *hdev;
4245
4246        BT_DBG("intf %p", intf);
4247
4248        if (!data)
4249                return;
4250
4251        hdev = data->hdev;
4252        usb_set_intfdata(data->intf, NULL);
4253
4254        if (data->isoc)
4255                usb_set_intfdata(data->isoc, NULL);
4256
4257        if (data->diag)
4258                usb_set_intfdata(data->diag, NULL);
4259
4260        hci_unregister_dev(hdev);
4261
4262        if (intf == data->intf) {
4263                if (data->isoc)
4264                        usb_driver_release_interface(&btusb_driver, data->isoc);
4265                if (data->diag)
4266                        usb_driver_release_interface(&btusb_driver, data->diag);
4267        } else if (intf == data->isoc) {
4268                if (data->diag)
4269                        usb_driver_release_interface(&btusb_driver, data->diag);
4270                usb_driver_release_interface(&btusb_driver, data->intf);
4271        } else if (intf == data->diag) {
4272                usb_driver_release_interface(&btusb_driver, data->intf);
4273                if (data->isoc)
4274                        usb_driver_release_interface(&btusb_driver, data->isoc);
4275        }
4276
4277        if (data->oob_wake_irq)
4278                device_init_wakeup(&data->udev->dev, false);
4279
4280        if (data->reset_gpio)
4281                gpiod_put(data->reset_gpio);
4282
4283        hci_free_dev(hdev);
4284}
4285
4286#ifdef CONFIG_PM
4287static int btusb_suspend(struct usb_interface *intf, pm_message_t message)
4288{
4289        struct btusb_data *data = usb_get_intfdata(intf);
4290
4291        BT_DBG("intf %p", intf);
4292
4293        if (data->suspend_count++)
4294                return 0;
4295
4296        spin_lock_irq(&data->txlock);
4297        if (!(PMSG_IS_AUTO(message) && data->tx_in_flight)) {
4298                set_bit(BTUSB_SUSPENDING, &data->flags);
4299                spin_unlock_irq(&data->txlock);
4300        } else {
4301                spin_unlock_irq(&data->txlock);
4302                data->suspend_count--;
4303                return -EBUSY;
4304        }
4305
4306        cancel_work_sync(&data->work);
4307
4308        btusb_stop_traffic(data);
4309        usb_kill_anchored_urbs(&data->tx_anchor);
4310
4311        if (data->oob_wake_irq && device_may_wakeup(&data->udev->dev)) {
4312                set_bit(BTUSB_OOB_WAKE_ENABLED, &data->flags);
4313                enable_irq_wake(data->oob_wake_irq);
4314                enable_irq(data->oob_wake_irq);
4315        }
4316
4317        /* For global suspend, Realtek devices lose the loaded fw
4318         * in them. But for autosuspend, firmware should remain.
4319         * Actually, it depends on whether the usb host sends
4320         * set feature (enable wakeup) or not.
4321         */
4322        if (test_bit(BTUSB_WAKEUP_DISABLE, &data->flags)) {
4323                if (PMSG_IS_AUTO(message) &&
4324                    device_can_wakeup(&data->udev->dev))
4325                        data->udev->do_remote_wakeup = 1;
4326                else if (!PMSG_IS_AUTO(message))
4327                        data->udev->reset_resume = 1;
4328        }
4329
4330        return 0;
4331}
4332
4333static void play_deferred(struct btusb_data *data)
4334{
4335        struct urb *urb;
4336        int err;
4337
4338        while ((urb = usb_get_from_anchor(&data->deferred))) {
4339                usb_anchor_urb(urb, &data->tx_anchor);
4340
4341                err = usb_submit_urb(urb, GFP_ATOMIC);
4342                if (err < 0) {
4343                        if (err != -EPERM && err != -ENODEV)
4344                                BT_ERR("%s urb %p submission failed (%d)",
4345                                       data->hdev->name, urb, -err);
4346                        kfree(urb->setup_packet);
4347                        usb_unanchor_urb(urb);
4348                        usb_free_urb(urb);
4349                        break;
4350                }
4351
4352                data->tx_in_flight++;
4353                usb_free_urb(urb);
4354        }
4355
4356        /* Cleanup the rest deferred urbs. */
4357        while ((urb = usb_get_from_anchor(&data->deferred))) {
4358                kfree(urb->setup_packet);
4359                usb_free_urb(urb);
4360        }
4361}
4362
4363static int btusb_resume(struct usb_interface *intf)
4364{
4365        struct btusb_data *data = usb_get_intfdata(intf);
4366        struct hci_dev *hdev = data->hdev;
4367        int err = 0;
4368
4369        BT_DBG("intf %p", intf);
4370
4371        if (--data->suspend_count)
4372                return 0;
4373
4374        /* Disable only if not already disabled (keep it balanced) */
4375        if (test_and_clear_bit(BTUSB_OOB_WAKE_ENABLED, &data->flags)) {
4376                disable_irq(data->oob_wake_irq);
4377                disable_irq_wake(data->oob_wake_irq);
4378        }
4379
4380        if (!test_bit(HCI_RUNNING, &hdev->flags))
4381                goto done;
4382
4383        if (test_bit(BTUSB_INTR_RUNNING, &data->flags)) {
4384                err = btusb_submit_intr_urb(hdev, GFP_NOIO);
4385                if (err < 0) {
4386                        clear_bit(BTUSB_INTR_RUNNING, &data->flags);
4387                        goto failed;
4388                }
4389        }
4390
4391        if (test_bit(BTUSB_BULK_RUNNING, &data->flags)) {
4392                err = btusb_submit_bulk_urb(hdev, GFP_NOIO);
4393                if (err < 0) {
4394                        clear_bit(BTUSB_BULK_RUNNING, &data->flags);
4395                        goto failed;
4396                }
4397
4398                btusb_submit_bulk_urb(hdev, GFP_NOIO);
4399        }
4400
4401        if (test_bit(BTUSB_ISOC_RUNNING, &data->flags)) {
4402                if (btusb_submit_isoc_urb(hdev, GFP_NOIO) < 0)
4403                        clear_bit(BTUSB_ISOC_RUNNING, &data->flags);
4404                else
4405                        btusb_submit_isoc_urb(hdev, GFP_NOIO);
4406        }
4407
4408        spin_lock_irq(&data->txlock);
4409        play_deferred(data);
4410        clear_bit(BTUSB_SUSPENDING, &data->flags);
4411        spin_unlock_irq(&data->txlock);
4412        schedule_work(&data->work);
4413
4414        return 0;
4415
4416failed:
4417        usb_scuttle_anchored_urbs(&data->deferred);
4418done:
4419        spin_lock_irq(&data->txlock);
4420        clear_bit(BTUSB_SUSPENDING, &data->flags);
4421        spin_unlock_irq(&data->txlock);
4422
4423        return err;
4424}
4425#endif
4426
4427static struct usb_driver btusb_driver = {
4428        .name           = "btusb",
4429        .probe          = btusb_probe,
4430        .disconnect     = btusb_disconnect,
4431#ifdef CONFIG_PM
4432        .suspend        = btusb_suspend,
4433        .resume         = btusb_resume,
4434#endif
4435        .id_table       = btusb_table,
4436        .supports_autosuspend = 1,
4437        .disable_hub_initiated_lpm = 1,
4438};
4439
4440module_usb_driver(btusb_driver);
4441
4442module_param(disable_scofix, bool, 0644);
4443MODULE_PARM_DESC(disable_scofix, "Disable fixup of wrong SCO buffer size");
4444
4445module_param(force_scofix, bool, 0644);
4446MODULE_PARM_DESC(force_scofix, "Force fixup of wrong SCO buffers size");
4447
4448module_param(enable_autosuspend, bool, 0644);
4449MODULE_PARM_DESC(enable_autosuspend, "Enable USB autosuspend by default");
4450
4451module_param(reset, bool, 0644);
4452MODULE_PARM_DESC(reset, "Send HCI reset command on initialization");
4453
4454MODULE_AUTHOR("Marcel Holtmann <marcel@holtmann.org>");
4455MODULE_DESCRIPTION("Generic Bluetooth USB driver ver " VERSION);
4456MODULE_VERSION(VERSION);
4457MODULE_LICENSE("GPL");
4458