HID: hiddev: Fix slab-out-of-bounds write in hiddev_ioctl_usage()
[linux/fpc-iii.git] / drivers / bluetooth / ath3k.c
blob5df8e1234505ac22d94db64b8df3505dbe801bd9
1 /*
2 * Copyright (c) 2008-2009 Atheros Communications Inc.
4 * This program is free software; you can redistribute it and/or modify
5 * it under the terms of the GNU General Public License as published by
6 * the Free Software Foundation; either version 2 of the License, or
7 * (at your option) any later version.
9 * This program is distributed in the hope that it will be useful,
10 * but WITHOUT ANY WARRANTY; without even the implied warranty of
11 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
12 * GNU General Public License for more details.
14 * You should have received a copy of the GNU General Public License
15 * along with this program; if not, write to the Free Software
16 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
21 #include <linux/module.h>
22 #include <linux/kernel.h>
23 #include <linux/init.h>
24 #include <linux/slab.h>
25 #include <linux/types.h>
26 #include <linux/errno.h>
27 #include <linux/device.h>
28 #include <linux/firmware.h>
29 #include <linux/usb.h>
30 #include <asm/unaligned.h>
31 #include <net/bluetooth/bluetooth.h>
33 #define VERSION "1.0"
34 #define ATH3K_FIRMWARE "ath3k-1.fw"
36 #define ATH3K_DNLOAD 0x01
37 #define ATH3K_GETSTATE 0x05
38 #define ATH3K_SET_NORMAL_MODE 0x07
39 #define ATH3K_GETVERSION 0x09
40 #define USB_REG_SWITCH_VID_PID 0x0a
42 #define ATH3K_MODE_MASK 0x3F
43 #define ATH3K_NORMAL_MODE 0x0E
45 #define ATH3K_PATCH_UPDATE 0x80
46 #define ATH3K_SYSCFG_UPDATE 0x40
48 #define ATH3K_XTAL_FREQ_26M 0x00
49 #define ATH3K_XTAL_FREQ_40M 0x01
50 #define ATH3K_XTAL_FREQ_19P2 0x02
51 #define ATH3K_NAME_LEN 0xFF
53 struct ath3k_version {
54 __le32 rom_version;
55 __le32 build_version;
56 __le32 ram_version;
57 __u8 ref_clock;
58 __u8 reserved[7];
59 } __packed;
61 static const struct usb_device_id ath3k_table[] = {
62 /* Atheros AR3011 */
63 { USB_DEVICE(0x0CF3, 0x3000) },
65 /* Atheros AR3011 with sflash firmware*/
66 { USB_DEVICE(0x0489, 0xE027) },
67 { USB_DEVICE(0x0489, 0xE03D) },
68 { USB_DEVICE(0x04F2, 0xAFF1) },
69 { USB_DEVICE(0x0930, 0x0215) },
70 { USB_DEVICE(0x0CF3, 0x3002) },
71 { USB_DEVICE(0x0CF3, 0xE019) },
72 { USB_DEVICE(0x13d3, 0x3304) },
74 /* Atheros AR9285 Malbec with sflash firmware */
75 { USB_DEVICE(0x03F0, 0x311D) },
77 /* Atheros AR3012 with sflash firmware*/
78 { USB_DEVICE(0x0489, 0xe04d) },
79 { USB_DEVICE(0x0489, 0xe04e) },
80 { USB_DEVICE(0x0489, 0xe057) },
81 { USB_DEVICE(0x0489, 0xe056) },
82 { USB_DEVICE(0x0489, 0xe05f) },
83 { USB_DEVICE(0x0489, 0xe076) },
84 { USB_DEVICE(0x0489, 0xe078) },
85 { USB_DEVICE(0x0489, 0xe095) },
86 { USB_DEVICE(0x04c5, 0x1330) },
87 { USB_DEVICE(0x04CA, 0x3004) },
88 { USB_DEVICE(0x04CA, 0x3005) },
89 { USB_DEVICE(0x04CA, 0x3006) },
90 { USB_DEVICE(0x04CA, 0x3007) },
91 { USB_DEVICE(0x04CA, 0x3008) },
92 { USB_DEVICE(0x04CA, 0x300b) },
93 { USB_DEVICE(0x04CA, 0x300d) },
94 { USB_DEVICE(0x04CA, 0x300f) },
95 { USB_DEVICE(0x04CA, 0x3010) },
96 { USB_DEVICE(0x04CA, 0x3014) },
97 { USB_DEVICE(0x04CA, 0x3018) },
98 { USB_DEVICE(0x0930, 0x0219) },
99 { USB_DEVICE(0x0930, 0x021c) },
100 { USB_DEVICE(0x0930, 0x0220) },
101 { USB_DEVICE(0x0930, 0x0227) },
102 { USB_DEVICE(0x0b05, 0x17d0) },
103 { USB_DEVICE(0x0CF3, 0x0036) },
104 { USB_DEVICE(0x0CF3, 0x3004) },
105 { USB_DEVICE(0x0CF3, 0x3008) },
106 { USB_DEVICE(0x0CF3, 0x311D) },
107 { USB_DEVICE(0x0CF3, 0x311E) },
108 { USB_DEVICE(0x0CF3, 0x311F) },
109 { USB_DEVICE(0x0cf3, 0x3121) },
110 { USB_DEVICE(0x0CF3, 0x817a) },
111 { USB_DEVICE(0x0CF3, 0x817b) },
112 { USB_DEVICE(0x0cf3, 0xe003) },
113 { USB_DEVICE(0x0CF3, 0xE004) },
114 { USB_DEVICE(0x0CF3, 0xE005) },
115 { USB_DEVICE(0x0CF3, 0xE006) },
116 { USB_DEVICE(0x13d3, 0x3362) },
117 { USB_DEVICE(0x13d3, 0x3375) },
118 { USB_DEVICE(0x13d3, 0x3393) },
119 { USB_DEVICE(0x13d3, 0x3395) },
120 { USB_DEVICE(0x13d3, 0x3402) },
121 { USB_DEVICE(0x13d3, 0x3408) },
122 { USB_DEVICE(0x13d3, 0x3423) },
123 { USB_DEVICE(0x13d3, 0x3432) },
124 { USB_DEVICE(0x13d3, 0x3472) },
125 { USB_DEVICE(0x13d3, 0x3474) },
127 /* Atheros AR5BBU12 with sflash firmware */
128 { USB_DEVICE(0x0489, 0xE02C) },
130 /* Atheros AR5BBU22 with sflash firmware */
131 { USB_DEVICE(0x0489, 0xE036) },
132 { USB_DEVICE(0x0489, 0xE03C) },
134 { } /* Terminating entry */
137 MODULE_DEVICE_TABLE(usb, ath3k_table);
139 #define BTUSB_ATH3012 0x80
140 /* This table is to load patch and sysconfig files
141 * for AR3012 */
142 static const struct usb_device_id ath3k_blist_tbl[] = {
144 /* Atheros AR3012 with sflash firmware*/
145 { USB_DEVICE(0x0489, 0xe04e), .driver_info = BTUSB_ATH3012 },
146 { USB_DEVICE(0x0489, 0xe04d), .driver_info = BTUSB_ATH3012 },
147 { USB_DEVICE(0x0489, 0xe056), .driver_info = BTUSB_ATH3012 },
148 { USB_DEVICE(0x0489, 0xe057), .driver_info = BTUSB_ATH3012 },
149 { USB_DEVICE(0x0489, 0xe05f), .driver_info = BTUSB_ATH3012 },
150 { USB_DEVICE(0x0489, 0xe076), .driver_info = BTUSB_ATH3012 },
151 { USB_DEVICE(0x0489, 0xe078), .driver_info = BTUSB_ATH3012 },
152 { USB_DEVICE(0x0489, 0xe095), .driver_info = BTUSB_ATH3012 },
153 { USB_DEVICE(0x04c5, 0x1330), .driver_info = BTUSB_ATH3012 },
154 { USB_DEVICE(0x04ca, 0x3004), .driver_info = BTUSB_ATH3012 },
155 { USB_DEVICE(0x04ca, 0x3005), .driver_info = BTUSB_ATH3012 },
156 { USB_DEVICE(0x04ca, 0x3006), .driver_info = BTUSB_ATH3012 },
157 { USB_DEVICE(0x04ca, 0x3007), .driver_info = BTUSB_ATH3012 },
158 { USB_DEVICE(0x04ca, 0x3008), .driver_info = BTUSB_ATH3012 },
159 { USB_DEVICE(0x04ca, 0x300b), .driver_info = BTUSB_ATH3012 },
160 { USB_DEVICE(0x04ca, 0x300d), .driver_info = BTUSB_ATH3012 },
161 { USB_DEVICE(0x04ca, 0x300f), .driver_info = BTUSB_ATH3012 },
162 { USB_DEVICE(0x04ca, 0x3010), .driver_info = BTUSB_ATH3012 },
163 { USB_DEVICE(0x04ca, 0x3014), .driver_info = BTUSB_ATH3012 },
164 { USB_DEVICE(0x04ca, 0x3018), .driver_info = BTUSB_ATH3012 },
165 { USB_DEVICE(0x0930, 0x0219), .driver_info = BTUSB_ATH3012 },
166 { USB_DEVICE(0x0930, 0x021c), .driver_info = BTUSB_ATH3012 },
167 { USB_DEVICE(0x0930, 0x0220), .driver_info = BTUSB_ATH3012 },
168 { USB_DEVICE(0x0930, 0x0227), .driver_info = BTUSB_ATH3012 },
169 { USB_DEVICE(0x0b05, 0x17d0), .driver_info = BTUSB_ATH3012 },
170 { USB_DEVICE(0x0CF3, 0x0036), .driver_info = BTUSB_ATH3012 },
171 { USB_DEVICE(0x0cf3, 0x3004), .driver_info = BTUSB_ATH3012 },
172 { USB_DEVICE(0x0cf3, 0x3008), .driver_info = BTUSB_ATH3012 },
173 { USB_DEVICE(0x0cf3, 0x311D), .driver_info = BTUSB_ATH3012 },
174 { USB_DEVICE(0x0cf3, 0x311E), .driver_info = BTUSB_ATH3012 },
175 { USB_DEVICE(0x0cf3, 0x311F), .driver_info = BTUSB_ATH3012 },
176 { USB_DEVICE(0x0cf3, 0x3121), .driver_info = BTUSB_ATH3012 },
177 { USB_DEVICE(0x0CF3, 0x817a), .driver_info = BTUSB_ATH3012 },
178 { USB_DEVICE(0x0CF3, 0x817b), .driver_info = BTUSB_ATH3012 },
179 { USB_DEVICE(0x0cf3, 0xe004), .driver_info = BTUSB_ATH3012 },
180 { USB_DEVICE(0x0cf3, 0xe005), .driver_info = BTUSB_ATH3012 },
181 { USB_DEVICE(0x0cf3, 0xe006), .driver_info = BTUSB_ATH3012 },
182 { USB_DEVICE(0x0cf3, 0xe003), .driver_info = BTUSB_ATH3012 },
183 { USB_DEVICE(0x13d3, 0x3362), .driver_info = BTUSB_ATH3012 },
184 { USB_DEVICE(0x13d3, 0x3375), .driver_info = BTUSB_ATH3012 },
185 { USB_DEVICE(0x13d3, 0x3393), .driver_info = BTUSB_ATH3012 },
186 { USB_DEVICE(0x13d3, 0x3395), .driver_info = BTUSB_ATH3012 },
187 { USB_DEVICE(0x13d3, 0x3402), .driver_info = BTUSB_ATH3012 },
188 { USB_DEVICE(0x13d3, 0x3408), .driver_info = BTUSB_ATH3012 },
189 { USB_DEVICE(0x13d3, 0x3423), .driver_info = BTUSB_ATH3012 },
190 { USB_DEVICE(0x13d3, 0x3432), .driver_info = BTUSB_ATH3012 },
191 { USB_DEVICE(0x13d3, 0x3472), .driver_info = BTUSB_ATH3012 },
192 { USB_DEVICE(0x13d3, 0x3474), .driver_info = BTUSB_ATH3012 },
194 /* Atheros AR5BBU22 with sflash firmware */
195 { USB_DEVICE(0x0489, 0xE036), .driver_info = BTUSB_ATH3012 },
196 { USB_DEVICE(0x0489, 0xE03C), .driver_info = BTUSB_ATH3012 },
198 { } /* Terminating entry */
201 #define USB_REQ_DFU_DNLOAD 1
202 #define BULK_SIZE 4096
203 #define FW_HDR_SIZE 20
204 #define TIMEGAP_USEC_MIN 50
205 #define TIMEGAP_USEC_MAX 100
207 static int ath3k_load_firmware(struct usb_device *udev,
208 const struct firmware *firmware)
210 u8 *send_buf;
211 int err, pipe, len, size, sent = 0;
212 int count = firmware->size;
214 BT_DBG("udev %p", udev);
216 pipe = usb_sndctrlpipe(udev, 0);
218 send_buf = kmalloc(BULK_SIZE, GFP_KERNEL);
219 if (!send_buf) {
220 BT_ERR("Can't allocate memory chunk for firmware");
221 return -ENOMEM;
224 memcpy(send_buf, firmware->data, 20);
225 err = usb_control_msg(udev, pipe, USB_REQ_DFU_DNLOAD, USB_TYPE_VENDOR,
226 0, 0, send_buf, 20, USB_CTRL_SET_TIMEOUT);
227 if (err < 0) {
228 BT_ERR("Can't change to loading configuration err");
229 goto error;
231 sent += 20;
232 count -= 20;
234 pipe = usb_sndbulkpipe(udev, 0x02);
236 while (count) {
237 /* workaround the compatibility issue with xHCI controller*/
238 usleep_range(TIMEGAP_USEC_MIN, TIMEGAP_USEC_MAX);
240 size = min_t(uint, count, BULK_SIZE);
241 memcpy(send_buf, firmware->data + sent, size);
243 err = usb_bulk_msg(udev, pipe, send_buf, size,
244 &len, 3000);
246 if (err || (len != size)) {
247 BT_ERR("Error in firmware loading err = %d,"
248 "len = %d, size = %d", err, len, size);
249 goto error;
252 sent += size;
253 count -= size;
256 error:
257 kfree(send_buf);
258 return err;
261 static int ath3k_get_state(struct usb_device *udev, unsigned char *state)
263 int ret, pipe = 0;
264 char *buf;
266 buf = kmalloc(sizeof(*buf), GFP_KERNEL);
267 if (!buf)
268 return -ENOMEM;
270 pipe = usb_rcvctrlpipe(udev, 0);
271 ret = usb_control_msg(udev, pipe, ATH3K_GETSTATE,
272 USB_TYPE_VENDOR | USB_DIR_IN, 0, 0,
273 buf, sizeof(*buf), USB_CTRL_SET_TIMEOUT);
275 *state = *buf;
276 kfree(buf);
278 return ret;
281 static int ath3k_get_version(struct usb_device *udev,
282 struct ath3k_version *version)
284 int ret, pipe = 0;
285 struct ath3k_version *buf;
286 const int size = sizeof(*buf);
288 buf = kmalloc(size, GFP_KERNEL);
289 if (!buf)
290 return -ENOMEM;
292 pipe = usb_rcvctrlpipe(udev, 0);
293 ret = usb_control_msg(udev, pipe, ATH3K_GETVERSION,
294 USB_TYPE_VENDOR | USB_DIR_IN, 0, 0,
295 buf, size, USB_CTRL_SET_TIMEOUT);
297 memcpy(version, buf, size);
298 kfree(buf);
300 return ret;
303 static int ath3k_load_fwfile(struct usb_device *udev,
304 const struct firmware *firmware)
306 u8 *send_buf;
307 int err, pipe, len, size, count, sent = 0;
308 int ret;
310 count = firmware->size;
312 send_buf = kmalloc(BULK_SIZE, GFP_KERNEL);
313 if (!send_buf) {
314 BT_ERR("Can't allocate memory chunk for firmware");
315 return -ENOMEM;
318 size = min_t(uint, count, FW_HDR_SIZE);
319 memcpy(send_buf, firmware->data, size);
321 pipe = usb_sndctrlpipe(udev, 0);
322 ret = usb_control_msg(udev, pipe, ATH3K_DNLOAD,
323 USB_TYPE_VENDOR, 0, 0, send_buf,
324 size, USB_CTRL_SET_TIMEOUT);
325 if (ret < 0) {
326 BT_ERR("Can't change to loading configuration err");
327 kfree(send_buf);
328 return ret;
331 sent += size;
332 count -= size;
334 pipe = usb_sndbulkpipe(udev, 0x02);
336 while (count) {
337 /* workaround the compatibility issue with xHCI controller*/
338 usleep_range(TIMEGAP_USEC_MIN, TIMEGAP_USEC_MAX);
340 size = min_t(uint, count, BULK_SIZE);
341 memcpy(send_buf, firmware->data + sent, size);
343 err = usb_bulk_msg(udev, pipe, send_buf, size,
344 &len, 3000);
345 if (err || (len != size)) {
346 BT_ERR("Error in firmware loading err = %d,"
347 "len = %d, size = %d", err, len, size);
348 kfree(send_buf);
349 return err;
351 sent += size;
352 count -= size;
355 kfree(send_buf);
356 return 0;
359 static int ath3k_switch_pid(struct usb_device *udev)
361 int pipe = 0;
363 pipe = usb_sndctrlpipe(udev, 0);
364 return usb_control_msg(udev, pipe, USB_REG_SWITCH_VID_PID,
365 USB_TYPE_VENDOR, 0, 0,
366 NULL, 0, USB_CTRL_SET_TIMEOUT);
369 static int ath3k_set_normal_mode(struct usb_device *udev)
371 unsigned char fw_state;
372 int pipe = 0, ret;
374 ret = ath3k_get_state(udev, &fw_state);
375 if (ret < 0) {
376 BT_ERR("Can't get state to change to normal mode err");
377 return ret;
380 if ((fw_state & ATH3K_MODE_MASK) == ATH3K_NORMAL_MODE) {
381 BT_DBG("firmware was already in normal mode");
382 return 0;
385 pipe = usb_sndctrlpipe(udev, 0);
386 return usb_control_msg(udev, pipe, ATH3K_SET_NORMAL_MODE,
387 USB_TYPE_VENDOR, 0, 0,
388 NULL, 0, USB_CTRL_SET_TIMEOUT);
391 static int ath3k_load_patch(struct usb_device *udev)
393 unsigned char fw_state;
394 char filename[ATH3K_NAME_LEN] = {0};
395 const struct firmware *firmware;
396 struct ath3k_version fw_version;
397 __u32 pt_rom_version, pt_build_version;
398 int ret;
400 ret = ath3k_get_state(udev, &fw_state);
401 if (ret < 0) {
402 BT_ERR("Can't get state to change to load ram patch err");
403 return ret;
406 if (fw_state & ATH3K_PATCH_UPDATE) {
407 BT_DBG("Patch was already downloaded");
408 return 0;
411 ret = ath3k_get_version(udev, &fw_version);
412 if (ret < 0) {
413 BT_ERR("Can't get version to change to load ram patch err");
414 return ret;
417 snprintf(filename, ATH3K_NAME_LEN, "ar3k/AthrBT_0x%08x.dfu",
418 le32_to_cpu(fw_version.rom_version));
420 ret = request_firmware(&firmware, filename, &udev->dev);
421 if (ret < 0) {
422 BT_ERR("Patch file not found %s", filename);
423 return ret;
426 pt_rom_version = get_unaligned_le32(firmware->data +
427 firmware->size - 8);
428 pt_build_version = get_unaligned_le32(firmware->data +
429 firmware->size - 4);
431 if (pt_rom_version != le32_to_cpu(fw_version.rom_version) ||
432 pt_build_version <= le32_to_cpu(fw_version.build_version)) {
433 BT_ERR("Patch file version did not match with firmware");
434 release_firmware(firmware);
435 return -EINVAL;
438 ret = ath3k_load_fwfile(udev, firmware);
439 release_firmware(firmware);
441 return ret;
444 static int ath3k_load_syscfg(struct usb_device *udev)
446 unsigned char fw_state;
447 char filename[ATH3K_NAME_LEN] = {0};
448 const struct firmware *firmware;
449 struct ath3k_version fw_version;
450 int clk_value, ret;
452 ret = ath3k_get_state(udev, &fw_state);
453 if (ret < 0) {
454 BT_ERR("Can't get state to change to load configuration err");
455 return -EBUSY;
458 ret = ath3k_get_version(udev, &fw_version);
459 if (ret < 0) {
460 BT_ERR("Can't get version to change to load ram patch err");
461 return ret;
464 switch (fw_version.ref_clock) {
466 case ATH3K_XTAL_FREQ_26M:
467 clk_value = 26;
468 break;
469 case ATH3K_XTAL_FREQ_40M:
470 clk_value = 40;
471 break;
472 case ATH3K_XTAL_FREQ_19P2:
473 clk_value = 19;
474 break;
475 default:
476 clk_value = 0;
477 break;
480 snprintf(filename, ATH3K_NAME_LEN, "ar3k/ramps_0x%08x_%d%s",
481 le32_to_cpu(fw_version.rom_version), clk_value, ".dfu");
483 ret = request_firmware(&firmware, filename, &udev->dev);
484 if (ret < 0) {
485 BT_ERR("Configuration file not found %s", filename);
486 return ret;
489 ret = ath3k_load_fwfile(udev, firmware);
490 release_firmware(firmware);
492 return ret;
495 static int ath3k_probe(struct usb_interface *intf,
496 const struct usb_device_id *id)
498 const struct firmware *firmware;
499 struct usb_device *udev = interface_to_usbdev(intf);
500 int ret;
502 BT_DBG("intf %p id %p", intf, id);
504 if (intf->cur_altsetting->desc.bInterfaceNumber != 0)
505 return -ENODEV;
507 /* match device ID in ath3k blacklist table */
508 if (!id->driver_info) {
509 const struct usb_device_id *match;
510 match = usb_match_id(intf, ath3k_blist_tbl);
511 if (match)
512 id = match;
515 /* load patch and sysconfig files for AR3012 */
516 if (id->driver_info & BTUSB_ATH3012) {
518 /* New firmware with patch and sysconfig files already loaded */
519 if (le16_to_cpu(udev->descriptor.bcdDevice) > 0x0001)
520 return -ENODEV;
522 ret = ath3k_load_patch(udev);
523 if (ret < 0) {
524 BT_ERR("Loading patch file failed");
525 return ret;
527 ret = ath3k_load_syscfg(udev);
528 if (ret < 0) {
529 BT_ERR("Loading sysconfig file failed");
530 return ret;
532 ret = ath3k_set_normal_mode(udev);
533 if (ret < 0) {
534 BT_ERR("Set normal mode failed");
535 return ret;
537 ath3k_switch_pid(udev);
538 return 0;
541 ret = request_firmware(&firmware, ATH3K_FIRMWARE, &udev->dev);
542 if (ret < 0) {
543 if (ret == -ENOENT)
544 BT_ERR("Firmware file \"%s\" not found",
545 ATH3K_FIRMWARE);
546 else
547 BT_ERR("Firmware file \"%s\" request failed (err=%d)",
548 ATH3K_FIRMWARE, ret);
549 return ret;
552 ret = ath3k_load_firmware(udev, firmware);
553 release_firmware(firmware);
555 return ret;
558 static void ath3k_disconnect(struct usb_interface *intf)
560 BT_DBG("ath3k_disconnect intf %p", intf);
563 static struct usb_driver ath3k_driver = {
564 .name = "ath3k",
565 .probe = ath3k_probe,
566 .disconnect = ath3k_disconnect,
567 .id_table = ath3k_table,
568 .disable_hub_initiated_lpm = 1,
571 module_usb_driver(ath3k_driver);
573 MODULE_AUTHOR("Atheros Communications");
574 MODULE_DESCRIPTION("Atheros AR30xx firmware driver");
575 MODULE_VERSION(VERSION);
576 MODULE_LICENSE("GPL");
577 MODULE_FIRMWARE(ATH3K_FIRMWARE);