[linux/fpc-iii.git] / drivers / bluetooth / btbcm.c
1 // SPDX-License-Identifier: GPL-2.0-or-later
2 /*
4 * Bluetooth support for Broadcom devices
6 * Copyright (C) 2015 Intel Corporation
7 */
9 #include <linux/module.h>
10 #include <linux/firmware.h>
11 #include <asm/unaligned.h>
13 #include <net/bluetooth/bluetooth.h>
14 #include <net/bluetooth/hci_core.h>
16 #include "btbcm.h"
/* Driver version string, reused by MODULE_DESCRIPTION and MODULE_VERSION. */
#define VERSION "0.1"

/*
 * Placeholder addresses that btbcm_check_bdaddr() treats as "controller has
 * no valid address". The initializer bytes are stored least-significant
 * first, so BDADDR_BCM20702A0 is the address written 00:20:70:02:A0:00.
 */
#define BDADDR_BCM20702A0 (&(bdaddr_t) {{0x00, 0xa0, 0x02, 0x70, 0x20, 0x00}})
#define BDADDR_BCM20702A1 (&(bdaddr_t) {{0x00, 0x00, 0xa0, 0x02, 0x70, 0x20}})
#define BDADDR_BCM2076B1 (&(bdaddr_t) {{0x79, 0x56, 0x00, 0xa0, 0x76, 0x20}})
#define BDADDR_BCM43430A0 (&(bdaddr_t) {{0xac, 0x1f, 0x12, 0xa0, 0x43, 0x43}})
#define BDADDR_BCM4324B3 (&(bdaddr_t) {{0x00, 0x00, 0x00, 0xb3, 0x24, 0x43}})
#define BDADDR_BCM4330B1 (&(bdaddr_t) {{0x00, 0x00, 0x00, 0xb1, 0x30, 0x43}})
#define BDADDR_BCM4334B0 (&(bdaddr_t) {{0x00, 0x00, 0x00, 0xb0, 0x34, 0x43}})
#define BDADDR_BCM4345C5 (&(bdaddr_t) {{0xac, 0x1f, 0x00, 0xc5, 0x45, 0x43}})
#define BDADDR_BCM43341B (&(bdaddr_t) {{0xac, 0x1f, 0x00, 0x1b, 0x34, 0x43}})

/*
 * BCM_FW_NAME_LEN is the size passed to snprintf() for each firmware path
 * buffer; BCM_FW_NAME_COUNT_MAX is how many such buffers btbcm_initialize()
 * allocates.
 */
#define BCM_FW_NAME_LEN 64
#define BCM_FW_NAME_COUNT_MAX 2
/* For kmalloc-ing the fw-name array instead of putting it on the stack */
typedef char bcm_fw_name[BCM_FW_NAME_LEN];
/*
 * Read the controller's BD address and flag it as invalid when it is one of
 * the known Broadcom placeholder values.
 *
 * Returns 0 when the address could be read (whether or not it was a
 * placeholder), the error from the HCI command when the read fails, or -EIO
 * when the reply does not have the size of struct hci_rp_read_bd_addr.
 */
int btbcm_check_bdaddr(struct hci_dev *hdev)
{
	/*
	 * Addresses that indicate a controller with either an invalid or a
	 * default address; in both cases the device has to be marked as not
	 * having a valid address. Per chip:
	 *
	 *   00:20:70:02:A0:00  BCM20702A0, no configured address
	 *   20:70:02:A0:00:00  BCM20702A1, no configured address
	 *   20:76:A0:00:56:79  BCM2076B1, no configured address
	 *   43:24:B3:00:00:00  BCM4324B3, waiting for configuration state
	 *   43:30:B1:00:00:00  BCM4330B1, waiting for configuration state
	 *   43:43:A0:12:1F:AC  BCM43430A0, no configured address
	 *
	 * BCM4334B0, BCM4345C5 and BCM43341B placeholders are matched as well.
	 * The order below is the order in which they are compared.
	 */
	const bdaddr_t *placeholders[] = {
		BDADDR_BCM20702A0,
		BDADDR_BCM20702A1,
		BDADDR_BCM2076B1,
		BDADDR_BCM4324B3,
		BDADDR_BCM4330B1,
		BDADDR_BCM4334B0,
		BDADDR_BCM4345C5,
		BDADDR_BCM43430A0,
		BDADDR_BCM43341B,
	};
	struct hci_rp_read_bd_addr *rp;
	struct sk_buff *reply;
	int ret = 0;
	size_t i;

	reply = __hci_cmd_sync(hdev, HCI_OP_READ_BD_ADDR, 0, NULL,
			       HCI_INIT_TIMEOUT);
	if (IS_ERR(reply)) {
		ret = PTR_ERR(reply);
		bt_dev_err(hdev, "BCM: Reading device address failed (%d)", ret);
		return ret;
	}

	/* The reply is only cast to the response struct after its size matched. */
	if (reply->len != sizeof(*rp)) {
		bt_dev_err(hdev, "BCM: Device address length mismatch");
		ret = -EIO;
		goto out_free;
	}

	rp = (struct hci_rp_read_bd_addr *)reply->data;

	for (i = 0; i < ARRAY_SIZE(placeholders); i++) {
		/* bacmp() returns 0 on equality */
		if (bacmp(&rp->bdaddr, placeholders[i]))
			continue;

		bt_dev_info(hdev, "BCM: Using default device address (%pMR)",
			    &rp->bdaddr);
		set_bit(HCI_QUIRK_INVALID_BDADDR, &hdev->quirks);
		break;
	}

out_free:
	kfree_skb(reply);
	return ret;
}
EXPORT_SYMBOL_GPL(btbcm_check_bdaddr);
/*
 * Program a new BD address through vendor command 0xfc01, sending the six
 * bytes that bdaddr points to as the command parameters.
 *
 * Returns 0 on success or the error reported for the HCI command.
 */
int btbcm_set_bdaddr(struct hci_dev *hdev, const bdaddr_t *bdaddr)
{
	struct sk_buff *reply;
	int ret;

	reply = __hci_cmd_sync(hdev, 0xfc01, 6, bdaddr, HCI_INIT_TIMEOUT);
	if (!IS_ERR(reply)) {
		/* The reply payload is not inspected; only success matters. */
		kfree_skb(reply);
		return 0;
	}

	ret = PTR_ERR(reply);
	bt_dev_err(hdev, "BCM: Change address command failed (%d)", ret);
	return ret;
}
EXPORT_SYMBOL_GPL(btbcm_set_bdaddr);
/*
 * Read the PCM interface parameters through vendor command 0xfc1d.
 *
 * The reply must be exactly six bytes with a zero first byte; the five bytes
 * that follow are copied into *params when params is not NULL.
 *
 * Returns 0 on success, the HCI command error, or -EIO for a reply that
 * fails the size/first-byte check.
 */
int btbcm_read_pcm_int_params(struct hci_dev *hdev,
			      struct bcm_set_pcm_int_params *params)
{
	struct sk_buff *reply;
	int ret;

	reply = __hci_cmd_sync(hdev, 0xfc1d, 0, NULL, HCI_INIT_TIMEOUT);
	if (IS_ERR(reply)) {
		ret = PTR_ERR(reply);
		bt_dev_err(hdev, "BCM: Read PCM int params failed (%d)", ret);
		return ret;
	}

	if (reply->len == 6 && !reply->data[0]) {
		/* Copy is bounded by the six-byte check just above. */
		if (params)
			memcpy(params, reply->data + 1, 5);
		ret = 0;
	} else {
		bt_dev_err(hdev, "BCM: Read PCM int params length mismatch");
		ret = -EIO;
	}

	kfree_skb(reply);
	return ret;
}
EXPORT_SYMBOL_GPL(btbcm_read_pcm_int_params);
/*
 * Write the PCM interface parameters through vendor command 0xfc1c, sending
 * five bytes starting at params.
 *
 * Returns 0 on success or the error reported for the HCI command.
 */
int btbcm_write_pcm_int_params(struct hci_dev *hdev,
			       const struct bcm_set_pcm_int_params *params)
{
	struct sk_buff *reply;
	int ret;

	reply = __hci_cmd_sync(hdev, 0xfc1c, 5, params, HCI_INIT_TIMEOUT);
	if (!IS_ERR(reply)) {
		kfree_skb(reply);
		return 0;
	}

	ret = PTR_ERR(reply);
	bt_dev_err(hdev, "BCM: Write PCM int params failed (%d)", ret);
	return ret;
}
EXPORT_SYMBOL_GPL(btbcm_write_pcm_int_params);
/*
 * Download a patch image to the controller.
 *
 * The image in fw is treated as a back-to-back sequence of HCI commands
 * (struct hci_command_hdr followed by plen parameter bytes). After the
 * "Download Minidrv" vendor command (0xfc2e) each record is sent to the
 * controller in file order.
 *
 * Returns 0 on success, the error of the first failing HCI command, or
 * -EINVAL when a record claims more parameter bytes than remain in the image.
 *
 * NOTE(review): nothing in this function authenticates the image or
 * restricts which opcodes it may contain; every opcode found in the file is
 * issued as-is. Integrity therefore rests entirely on whatever supplied fw.
 */
int btbcm_patchram(struct hci_dev *hdev, const struct firmware *fw)
{
	const struct hci_command_hdr *cmd;
	const u8 *fw_ptr;
	size_t fw_size;
	struct sk_buff *skb;
	u16 opcode;
	int err = 0;

	/* Start Download */
	skb = __hci_cmd_sync(hdev, 0xfc2e, 0, NULL, HCI_INIT_TIMEOUT);
	if (IS_ERR(skb)) {
		err = PTR_ERR(skb);
		bt_dev_err(hdev, "BCM: Download Minidrv command failed (%d)",
			   err);
		goto done;
	}
	kfree_skb(skb);

	/* 50 msec delay after Download Minidrv completes */
	msleep(50);

	fw_ptr = fw->data;
	fw_size = fw->size;

	/*
	 * fw_size tracks the bytes still unread. The loop only starts a record
	 * when a whole header fits; a tail shorter than a header is ignored
	 * without an error.
	 */
	while (fw_size >= sizeof(*cmd)) {
		const u8 *cmd_param;

		cmd = (struct hci_command_hdr *)fw_ptr;
		fw_ptr += sizeof(*cmd);
		fw_size -= sizeof(*cmd);

		/*
		 * Bounds check before the parameters are used: plen comes from
		 * the file and must not exceed what is left of the image.
		 */
		if (fw_size < cmd->plen) {
			bt_dev_err(hdev, "BCM: Patch is corrupted");
			err = -EINVAL;
			goto done;
		}

		cmd_param = fw_ptr;
		fw_ptr += cmd->plen;
		fw_size -= cmd->plen;

		/* The opcode is stored little-endian in the image. */
		opcode = le16_to_cpu(cmd->opcode);

		skb = __hci_cmd_sync(hdev, opcode, cmd->plen, cmd_param,
				     HCI_INIT_TIMEOUT);
		if (IS_ERR(skb)) {
			err = PTR_ERR(skb);
			bt_dev_err(hdev, "BCM: Patch command %04x failed (%d)",
				   opcode, err);
			goto done;
		}
		kfree_skb(skb);
	}

	/* 250 msec delay after Launch Ram completes */
	msleep(250);

done:
	return err;
}
EXPORT_SYMBOL(btbcm_patchram);
/*
 * Send HCI_OP_RESET and wait 100 ms afterwards.
 *
 * Returns 0 on success or the error reported for the HCI command.
 */
static int btbcm_reset(struct hci_dev *hdev)
{
	struct sk_buff *reply;
	int ret;

	reply = __hci_cmd_sync(hdev, HCI_OP_RESET, 0, NULL, HCI_INIT_TIMEOUT);
	if (!IS_ERR(reply)) {
		kfree_skb(reply);

		/* 100 msec delay for module to complete reset process */
		msleep(100);
		return 0;
	}

	ret = PTR_ERR(reply);
	bt_dev_err(hdev, "BCM: Reset failed (%d)", ret);
	return ret;
}
/*
 * Issue HCI_OP_READ_LOCAL_NAME and return the reply.
 *
 * On success the caller owns the returned skb and must free it. On failure
 * an ERR_PTR is returned: either the HCI command error or -EIO when the
 * reply is not exactly sizeof(struct hci_rp_read_local_name) bytes long.
 * Only the length is validated; the name bytes themselves are not inspected.
 */
static struct sk_buff *btbcm_read_local_name(struct hci_dev *hdev)
{
	struct sk_buff *reply;

	reply = __hci_cmd_sync(hdev, HCI_OP_READ_LOCAL_NAME, 0, NULL,
			       HCI_INIT_TIMEOUT);
	if (IS_ERR(reply)) {
		bt_dev_err(hdev, "BCM: Reading local name failed (%ld)",
			   PTR_ERR(reply));
		return reply;
	}

	if (reply->len == sizeof(struct hci_rp_read_local_name))
		return reply;

	bt_dev_err(hdev, "BCM: Local name length mismatch");
	kfree_skb(reply);
	return ERR_PTR(-EIO);
}
/*
 * Issue HCI_OP_READ_LOCAL_VERSION and return the reply.
 *
 * On success the caller owns the returned skb and must free it. On failure
 * an ERR_PTR is returned: either the HCI command error or -EIO when the
 * reply is not exactly sizeof(struct hci_rp_read_local_version) bytes long.
 */
static struct sk_buff *btbcm_read_local_version(struct hci_dev *hdev)
{
	struct sk_buff *reply;

	reply = __hci_cmd_sync(hdev, HCI_OP_READ_LOCAL_VERSION, 0, NULL,
			       HCI_INIT_TIMEOUT);
	if (IS_ERR(reply)) {
		bt_dev_err(hdev, "BCM: Reading local version info failed (%ld)",
			   PTR_ERR(reply));
		return reply;
	}

	if (reply->len == sizeof(struct hci_rp_read_local_version))
		return reply;

	bt_dev_err(hdev, "BCM: Local version length mismatch");
	kfree_skb(reply);
	return ERR_PTR(-EIO);
}
/*
 * Issue vendor command 0xfc79 (verbose config) and return the reply.
 *
 * On success the caller owns the returned skb, which is exactly seven bytes
 * long, and must free it. On failure an ERR_PTR is returned: either the HCI
 * command error or -EIO for any other reply length.
 */
static struct sk_buff *btbcm_read_verbose_config(struct hci_dev *hdev)
{
	struct sk_buff *reply;

	reply = __hci_cmd_sync(hdev, 0xfc79, 0, NULL, HCI_INIT_TIMEOUT);
	if (IS_ERR(reply)) {
		bt_dev_err(hdev, "BCM: Read verbose config info failed (%ld)",
			   PTR_ERR(reply));
		return reply;
	}

	if (reply->len == 7)
		return reply;

	bt_dev_err(hdev, "BCM: Verbose config length mismatch");
	kfree_skb(reply);
	return ERR_PTR(-EIO);
}
/*
 * Issue vendor command 0xfc6e (controller features) and return the reply.
 *
 * On success the caller owns the returned skb, which is exactly nine bytes
 * long, and must free it. On failure an ERR_PTR is returned: either the HCI
 * command error or -EIO for any other reply length.
 */
static struct sk_buff *btbcm_read_controller_features(struct hci_dev *hdev)
{
	struct sk_buff *reply;

	reply = __hci_cmd_sync(hdev, 0xfc6e, 0, NULL, HCI_INIT_TIMEOUT);
	if (IS_ERR(reply)) {
		bt_dev_err(hdev, "BCM: Read controller features failed (%ld)",
			   PTR_ERR(reply));
		return reply;
	}

	if (reply->len == 9)
		return reply;

	bt_dev_err(hdev, "BCM: Controller features length mismatch");
	kfree_skb(reply);
	return ERR_PTR(-EIO);
}
/*
 * Issue vendor command 0xfc5a (USB product info) and return the reply.
 *
 * On success the caller owns the returned skb, which is exactly five bytes
 * long, and must free it. On failure an ERR_PTR is returned: either the HCI
 * command error or -EIO for any other reply length.
 */
static struct sk_buff *btbcm_read_usb_product(struct hci_dev *hdev)
{
	struct sk_buff *reply;

	reply = __hci_cmd_sync(hdev, 0xfc5a, 0, NULL, HCI_INIT_TIMEOUT);
	if (IS_ERR(reply)) {
		bt_dev_err(hdev, "BCM: Read USB product info failed (%ld)",
			   PTR_ERR(reply));
		return reply;
	}

	if (reply->len == 5)
		return reply;

	bt_dev_err(hdev, "BCM: USB product length mismatch");
	kfree_skb(reply);
	return ERR_PTR(-EIO);
}
/*
 * Log the chip id and the controller feature byte.
 *
 * Both values are byte 1 of their respective vendor replies; the helpers
 * that fetch the replies have already rejected any unexpected length.
 *
 * Returns 0 on success or the error of the first read that fails.
 */
static int btbcm_read_info(struct hci_dev *hdev)
{
	struct sk_buff *reply;
	u8 value;

	/* Read Verbose Config Version Info */
	reply = btbcm_read_verbose_config(hdev);
	if (IS_ERR(reply))
		return PTR_ERR(reply);

	value = reply->data[1];
	kfree_skb(reply);
	bt_dev_info(hdev, "BCM: chip id %u", value);

	/* Read Controller Features */
	reply = btbcm_read_controller_features(hdev);
	if (IS_ERR(reply))
		return PTR_ERR(reply);

	value = reply->data[1];
	kfree_skb(reply);
	bt_dev_info(hdev, "BCM: features 0x%2.2x", value);

	return 0;
}
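/*
 * Read the controller's local name and write it to the kernel log.
 *
 * Returns 0 on success or the error from btbcm_read_local_name().
 */
static int btbcm_print_local_name(struct hci_dev *hdev)
{
	struct sk_buff *skb;

	/* Read Local Name */
	skb = btbcm_read_local_name(hdev);
	if (IS_ERR(skb))
		return PTR_ERR(skb);

	/*
	 * The name is supplied by the controller and btbcm_read_local_name()
	 * validates only the reply length, so nothing guarantees a NUL inside
	 * the reply. Bound the print to the bytes that follow the status byte
	 * so an unterminated name cannot make the formatter read past the
	 * skb data. Output is unchanged for a terminated name.
	 */
	bt_dev_info(hdev, "%.*s", (int)(skb->len - 1),
		    (char *)(skb->data + 1));
	kfree_skb(skb);

	return 0;
}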
/*
 * Maps the LMP subversion reported by the controller to a chip name.
 * btbcm_initialize() uses the name for logging and for building the firmware
 * file name.
 */
struct bcm_subver_table {
	u16 subver;
	const char *name;
};

/*
 * Chip names for controllers on buses other than USB. The trailing comment
 * on each entry is the subversion as btbcm_initialize() prints it:
 * bits 15-13, bits 12-8, bits 7-0. The empty last entry terminates the
 * lookup loop, which stops at the first NULL name.
 */
static const struct bcm_subver_table bcm_uart_subver_table[] = {
	{ .subver = 0x4103, .name = "BCM4330B1" },	/* 002.001.003 */
	{ .subver = 0x410d, .name = "BCM4334B0" },	/* 002.001.013 */
	{ .subver = 0x410e, .name = "BCM43341B0" },	/* 002.001.014 */
	{ .subver = 0x4204, .name = "BCM2076B1" },	/* 002.002.004 */
	{ .subver = 0x4406, .name = "BCM4324B3" },	/* 002.004.006 */
	{ .subver = 0x4606, .name = "BCM4324B5" },	/* 002.006.006 */
	{ .subver = 0x6109, .name = "BCM4335C0" },	/* 003.001.009 */
	{ .subver = 0x610c, .name = "BCM4354" },	/* 003.001.012 */
	{ .subver = 0x2122, .name = "BCM4343A0" },	/* 001.001.034 */
	{ .subver = 0x2209, .name = "BCM43430A1" },	/* 001.002.009 */
	{ .subver = 0x6119, .name = "BCM4345C0" },	/* 003.001.025 */
	{ .subver = 0x6606, .name = "BCM4345C5" },	/* 003.006.006 */
	{ .subver = 0x230f, .name = "BCM4356A2" },	/* 001.003.015 */
	{ .subver = 0x220e, .name = "BCM20702A1" },	/* 001.002.014 */
	{ .subver = 0x4217, .name = "BCM4329B1" },	/* 002.002.023 */
	{ .subver = 0x6106, .name = "BCM4359C0" },	/* 003.001.006 */
	{ .subver = 0x4106, .name = "BCM4335A0" },	/* 002.001.006 */
	{ }
};

/*
 * Chip names for controllers attached over USB (hdev->bus == HCI_USB).
 * Same layout and terminator as the UART table; note that a given
 * subversion may name a different chip here.
 */
static const struct bcm_subver_table bcm_usb_subver_table[] = {
	{ .subver = 0x2105, .name = "BCM20703A1" },	/* 001.001.005 */
	{ .subver = 0x210b, .name = "BCM43142A0" },	/* 001.001.011 */
	{ .subver = 0x2112, .name = "BCM4314A0" },	/* 001.001.018 */
	{ .subver = 0x2118, .name = "BCM20702A0" },	/* 001.001.024 */
	{ .subver = 0x2126, .name = "BCM4335A0" },	/* 001.001.038 */
	{ .subver = 0x220e, .name = "BCM20702A1" },	/* 001.002.014 */
	{ .subver = 0x230f, .name = "BCM4356A2" },	/* 001.003.015 */
	{ .subver = 0x4106, .name = "BCM4335B0" },	/* 002.001.006 */
	{ .subver = 0x410e, .name = "BCM20702B0" },	/* 002.001.014 */
	{ .subver = 0x6109, .name = "BCM4335C0" },	/* 003.001.009 */
	{ .subver = 0x610c, .name = "BCM4354" },	/* 003.001.012 */
	{ .subver = 0x6607, .name = "BCM4350C5" },	/* 003.006.007 */
	{ }
};
/*
 * Reset the controller, identify it, and (on the first pass) download a
 * matching patch file.
 *
 * *fw_load_done selects the pass: when it is already true the function only
 * resets, re-reads the version and name, logs them and returns. When it is
 * false the function additionally reads controller info, looks for a
 * firmware file, and sets *fw_load_done to true once one has been found.
 *
 * Returns 0 on success and also when no firmware file exists or the patch
 * download fails; a negative error is returned only for failing HCI reads,
 * a failing reset, or a failed allocation.
 */
int btbcm_initialize(struct hci_dev *hdev, bool *fw_load_done)
{
	u16 subver, rev, pid, vid;
	struct sk_buff *skb;
	struct hci_rp_read_local_version *ver;
	const struct bcm_subver_table *bcm_subver_table;
	const char *hw_name = NULL;
	char postfix[16] = "";
	int fw_name_count = 0;
	bcm_fw_name *fw_name;
	const struct firmware *fw;
	int i, err;

	/* Reset */
	err = btbcm_reset(hdev);
	if (err)
		return err;

	/* Read Local Version Info */
	skb = btbcm_read_local_version(hdev);
	if (IS_ERR(skb))
		return PTR_ERR(skb);

	/* Copy the fields out before the reply is freed. */
	ver = (struct hci_rp_read_local_version *)skb->data;
	rev = le16_to_cpu(ver->hci_rev);
	subver = le16_to_cpu(ver->lmp_subver);
	kfree_skb(skb);

	/* Read controller information */
	if (!(*fw_load_done)) {
		err = btbcm_read_info(hdev);
		if (err)
			return err;
	}
	err = btbcm_print_local_name(hdev);
	if (err)
		return err;

	bcm_subver_table = (hdev->bus == HCI_USB) ? bcm_usb_subver_table :
						    bcm_uart_subver_table;

	/* The tables end with an entry whose name is NULL. */
	for (i = 0; bcm_subver_table[i].name; i++) {
		if (subver == bcm_subver_table[i].subver) {
			hw_name = bcm_subver_table[i].name;
			break;
		}
	}

	bt_dev_info(hdev, "%s (%3.3u.%3.3u.%3.3u) build %4.4u",
		    hw_name ? hw_name : "BCM", (subver & 0xe000) >> 13,
		    (subver & 0x1f00) >> 8, (subver & 0x00ff), rev & 0x0fff);

	if (*fw_load_done)
		return 0;

	if (hdev->bus == HCI_USB) {
		/* Read USB Product Info */
		skb = btbcm_read_usb_product(hdev);
		if (IS_ERR(skb))
			return PTR_ERR(skb);

		vid = get_unaligned_le16(skb->data + 1);
		pid = get_unaligned_le16(skb->data + 3);
		kfree_skb(skb);

		/*
		 * vid/pid are controller-supplied, but they reach the file
		 * name only as hex digits of a u16, so they cannot introduce
		 * path separators.
		 */
		snprintf(postfix, sizeof(postfix), "-%4.4x-%4.4x", vid, pid);
	}

	fw_name = kmalloc(BCM_FW_NAME_COUNT_MAX * BCM_FW_NAME_LEN, GFP_KERNEL);
	if (!fw_name)
		return -ENOMEM;

	/*
	 * Candidate names, most specific first: the chip-specific name when
	 * the subversion was recognised, then the generic "BCM" name. At most
	 * BCM_FW_NAME_COUNT_MAX entries are written.
	 */
	if (hw_name) {
		snprintf(fw_name[fw_name_count], BCM_FW_NAME_LEN,
			 "brcm/%s%s.hcd", hw_name, postfix);
		fw_name_count++;
	}

	snprintf(fw_name[fw_name_count], BCM_FW_NAME_LEN,
		 "brcm/BCM%s.hcd", postfix);
	fw_name_count++;

	/* Use the first candidate the firmware loader can provide. */
	for (i = 0; i < fw_name_count; i++) {
		err = firmware_request_nowarn(&fw, fw_name[i], &hdev->dev);
		if (err == 0) {
			bt_dev_info(hdev, "%s '%s' Patch",
				    hw_name ? hw_name : "BCM", fw_name[i]);
			*fw_load_done = true;
			break;
		}
	}

	if (*fw_load_done) {
		/*
		 * NOTE(review): a failed download is only logged at info
		 * level; *fw_load_done stays true and 0 is returned, so the
		 * caller cannot tell a partially patched controller from a
		 * patched one. Confirm this best-effort behaviour is intended.
		 */
		err = btbcm_patchram(hdev, fw);
		if (err)
			bt_dev_info(hdev, "BCM: Patch failed (%d)", err);

		release_firmware(fw);
	} else {
		bt_dev_err(hdev, "BCM: firmware Patch file not found, tried:");
		for (i = 0; i < fw_name_count; i++)
			bt_dev_err(hdev, "BCM: '%s'", fw_name[i]);
	}

	kfree(fw_name);
	return 0;
}
EXPORT_SYMBOL_GPL(btbcm_initialize);
/*
 * Second setup stage, run after btbcm_initialize().
 *
 * When a patch was loaded (*fw_load_done is true) the controller is
 * initialized again; then the BD address is checked and the strict
 * duplicate filter quirk is set.
 *
 * Returns 0 on success or the error from the re-initialization.
 */
int btbcm_finalize(struct hci_dev *hdev, bool *fw_load_done)
{
	/* Re-initialize if necessary */
	int ret = *fw_load_done ? btbcm_initialize(hdev, fw_load_done) : 0;

	if (ret)
		return ret;

	/* The result of the address check is not propagated to the caller. */
	btbcm_check_bdaddr(hdev);

	set_bit(HCI_QUIRK_STRICT_DUPLICATE_FILTER, &hdev->quirks);

	return 0;
}
EXPORT_SYMBOL_GPL(btbcm_finalize);
/*
 * Full setup for patchram-based controllers: btbcm_initialize() followed by
 * btbcm_finalize(), sharing one "firmware loaded" flag between the two.
 *
 * Returns 0 on success or the first error from either stage.
 */
int btbcm_setup_patchram(struct hci_dev *hdev)
{
	bool patched = false;
	int ret;

	/* Initialize */
	ret = btbcm_initialize(hdev, &patched);

	/* Re-initialize after loading Patch */
	return ret ? ret : btbcm_finalize(hdev, &patched);
}
EXPORT_SYMBOL_GPL(btbcm_setup_patchram);
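/*
 * Setup for Apple-branded Broadcom controllers: reset, log identifying
 * information, and set the strict duplicate filter quirk. No patch is
 * downloaded.
 *
 * Only a failing reset is fatal. Each informational read is best effort: a
 * failure has already been logged by the read helper and is skipped here.
 *
 * Returns 0 on success or the error from btbcm_reset().
 */
int btbcm_setup_apple(struct hci_dev *hdev)
{
	struct sk_buff *skb;
	int err;

	/* Reset */
	err = btbcm_reset(hdev);
	if (err)
		return err;

	/* Read Verbose Config Version Info */
	skb = btbcm_read_verbose_config(hdev);
	if (!IS_ERR(skb)) {
		bt_dev_info(hdev, "BCM: chip id %u build %4.4u",
			    skb->data[1], get_unaligned_le16(skb->data + 5));
		kfree_skb(skb);
	}

	/* Read USB Product Info */
	skb = btbcm_read_usb_product(hdev);
	if (!IS_ERR(skb)) {
		bt_dev_info(hdev, "BCM: product %4.4x:%4.4x",
			    get_unaligned_le16(skb->data + 1),
			    get_unaligned_le16(skb->data + 3));
		kfree_skb(skb);
	}

	/* Read Controller Features */
	skb = btbcm_read_controller_features(hdev);
	if (!IS_ERR(skb)) {
		bt_dev_info(hdev, "BCM: features 0x%2.2x", skb->data[1]);
		kfree_skb(skb);
	}

	/* Read Local Name */
	skb = btbcm_read_local_name(hdev);
	if (!IS_ERR(skb)) {
		/*
		 * The name is controller-supplied and only the reply length
		 * has been validated, so a terminating NUL is not guaranteed.
		 * Bound the print to the bytes after the status byte so an
		 * unterminated name cannot be read past the skb data.
		 */
		bt_dev_info(hdev, "%.*s", (int)(skb->len - 1),
			    (char *)(skb->data + 1));
		kfree_skb(skb);
	}

	set_bit(HCI_QUIRK_STRICT_DUPLICATE_FILTER, &hdev->quirks);

	return 0;
}
EXPORT_SYMBOL_GPL(btbcm_setup_apple);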
616 MODULE_AUTHOR("Marcel Holtmann <marcel@holtmann.org>");
617 MODULE_DESCRIPTION("Bluetooth support for Broadcom devices ver " VERSION);
618 MODULE_VERSION(VERSION);
619 MODULE_LICENSE("GPL");