usb: Avoid use-after-free by flushing endpoints early in usb_set_interface()
[linux/fpc-iii.git] / drivers / bluetooth / btintel.c
blobfce1548557181e1fddb8f70e5f5b61eb9e96f40f
1 /*
3 * Bluetooth support for Intel devices
5 * Copyright (C) 2015 Intel Corporation
8 * This program is free software; you can redistribute it and/or modify
9 * it under the terms of the GNU General Public License as published by
10 * the Free Software Foundation; either version 2 of the License, or
11 * (at your option) any later version.
13 * This program is distributed in the hope that it will be useful,
14 * but WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 * GNU General Public License for more details.
18 * You should have received a copy of the GNU General Public License
19 * along with this program; if not, write to the Free Software
20 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
24 #include <linux/module.h>
25 #include <linux/firmware.h>
26 #include <linux/regmap.h>
28 #include <net/bluetooth/bluetooth.h>
29 #include <net/bluetooth/hci_core.h>
31 #include "btintel.h"
33 #define VERSION "0.1"
35 #define BDADDR_INTEL (&(bdaddr_t) {{0x00, 0x8b, 0x9e, 0x19, 0x03, 0x00}})
37 int btintel_check_bdaddr(struct hci_dev *hdev)
39 struct hci_rp_read_bd_addr *bda;
40 struct sk_buff *skb;
42 skb = __hci_cmd_sync(hdev, HCI_OP_READ_BD_ADDR, 0, NULL,
43 HCI_INIT_TIMEOUT);
44 if (IS_ERR(skb)) {
45 int err = PTR_ERR(skb);
46 BT_ERR("%s: Reading Intel device address failed (%d)",
47 hdev->name, err);
48 return err;
51 if (skb->len != sizeof(*bda)) {
52 BT_ERR("%s: Intel device address length mismatch", hdev->name);
53 kfree_skb(skb);
54 return -EIO;
57 bda = (struct hci_rp_read_bd_addr *)skb->data;
59 /* For some Intel based controllers, the default Bluetooth device
60 * address 00:03:19:9E:8B:00 can be found. These controllers are
61 * fully operational, but have the danger of duplicate addresses
62 * and that in turn can cause problems with Bluetooth operation.
64 if (!bacmp(&bda->bdaddr, BDADDR_INTEL)) {
65 BT_ERR("%s: Found Intel default device address (%pMR)",
66 hdev->name, &bda->bdaddr);
67 set_bit(HCI_QUIRK_INVALID_BDADDR, &hdev->quirks);
70 kfree_skb(skb);
72 return 0;
74 EXPORT_SYMBOL_GPL(btintel_check_bdaddr);
76 int btintel_enter_mfg(struct hci_dev *hdev)
78 const u8 param[] = { 0x01, 0x00 };
79 struct sk_buff *skb;
81 skb = __hci_cmd_sync(hdev, 0xfc11, 2, param, HCI_CMD_TIMEOUT);
82 if (IS_ERR(skb)) {
83 bt_dev_err(hdev, "Entering manufacturer mode failed (%ld)",
84 PTR_ERR(skb));
85 return PTR_ERR(skb);
87 kfree_skb(skb);
89 return 0;
91 EXPORT_SYMBOL_GPL(btintel_enter_mfg);
93 int btintel_exit_mfg(struct hci_dev *hdev, bool reset, bool patched)
95 u8 param[] = { 0x00, 0x00 };
96 struct sk_buff *skb;
98 /* The 2nd command parameter specifies the manufacturing exit method:
99 * 0x00: Just disable the manufacturing mode (0x00).
100 * 0x01: Disable manufacturing mode and reset with patches deactivated.
101 * 0x02: Disable manufacturing mode and reset with patches activated.
103 if (reset)
104 param[1] |= patched ? 0x02 : 0x01;
106 skb = __hci_cmd_sync(hdev, 0xfc11, 2, param, HCI_CMD_TIMEOUT);
107 if (IS_ERR(skb)) {
108 bt_dev_err(hdev, "Exiting manufacturer mode failed (%ld)",
109 PTR_ERR(skb));
110 return PTR_ERR(skb);
112 kfree_skb(skb);
114 return 0;
116 EXPORT_SYMBOL_GPL(btintel_exit_mfg);
118 int btintel_set_bdaddr(struct hci_dev *hdev, const bdaddr_t *bdaddr)
120 struct sk_buff *skb;
121 int err;
123 skb = __hci_cmd_sync(hdev, 0xfc31, 6, bdaddr, HCI_INIT_TIMEOUT);
124 if (IS_ERR(skb)) {
125 err = PTR_ERR(skb);
126 BT_ERR("%s: Changing Intel device address failed (%d)",
127 hdev->name, err);
128 return err;
130 kfree_skb(skb);
132 return 0;
134 EXPORT_SYMBOL_GPL(btintel_set_bdaddr);
136 int btintel_set_diag(struct hci_dev *hdev, bool enable)
138 struct sk_buff *skb;
139 u8 param[3];
140 int err;
142 if (enable) {
143 param[0] = 0x03;
144 param[1] = 0x03;
145 param[2] = 0x03;
146 } else {
147 param[0] = 0x00;
148 param[1] = 0x00;
149 param[2] = 0x00;
152 skb = __hci_cmd_sync(hdev, 0xfc43, 3, param, HCI_INIT_TIMEOUT);
153 if (IS_ERR(skb)) {
154 err = PTR_ERR(skb);
155 if (err == -ENODATA)
156 goto done;
157 BT_ERR("%s: Changing Intel diagnostic mode failed (%d)",
158 hdev->name, err);
159 return err;
161 kfree_skb(skb);
163 done:
164 btintel_set_event_mask(hdev, enable);
165 return 0;
167 EXPORT_SYMBOL_GPL(btintel_set_diag);
169 int btintel_set_diag_mfg(struct hci_dev *hdev, bool enable)
171 int err, ret;
173 err = btintel_enter_mfg(hdev);
174 if (err)
175 return err;
177 ret = btintel_set_diag(hdev, enable);
179 err = btintel_exit_mfg(hdev, false, false);
180 if (err)
181 return err;
183 return ret;
185 EXPORT_SYMBOL_GPL(btintel_set_diag_mfg);
187 void btintel_hw_error(struct hci_dev *hdev, u8 code)
189 struct sk_buff *skb;
190 u8 type = 0x00;
192 BT_ERR("%s: Hardware error 0x%2.2x", hdev->name, code);
194 skb = __hci_cmd_sync(hdev, HCI_OP_RESET, 0, NULL, HCI_INIT_TIMEOUT);
195 if (IS_ERR(skb)) {
196 BT_ERR("%s: Reset after hardware error failed (%ld)",
197 hdev->name, PTR_ERR(skb));
198 return;
200 kfree_skb(skb);
202 skb = __hci_cmd_sync(hdev, 0xfc22, 1, &type, HCI_INIT_TIMEOUT);
203 if (IS_ERR(skb)) {
204 BT_ERR("%s: Retrieving Intel exception info failed (%ld)",
205 hdev->name, PTR_ERR(skb));
206 return;
209 if (skb->len != 13) {
210 BT_ERR("%s: Exception info size mismatch", hdev->name);
211 kfree_skb(skb);
212 return;
215 BT_ERR("%s: Exception info %s", hdev->name, (char *)(skb->data + 1));
217 kfree_skb(skb);
219 EXPORT_SYMBOL_GPL(btintel_hw_error);
221 void btintel_version_info(struct hci_dev *hdev, struct intel_version *ver)
223 const char *variant;
225 switch (ver->fw_variant) {
226 case 0x06:
227 variant = "Bootloader";
228 break;
229 case 0x23:
230 variant = "Firmware";
231 break;
232 default:
233 return;
236 BT_INFO("%s: %s revision %u.%u build %u week %u %u", hdev->name,
237 variant, ver->fw_revision >> 4, ver->fw_revision & 0x0f,
238 ver->fw_build_num, ver->fw_build_ww, 2000 + ver->fw_build_yy);
240 EXPORT_SYMBOL_GPL(btintel_version_info);
242 int btintel_secure_send(struct hci_dev *hdev, u8 fragment_type, u32 plen,
243 const void *param)
245 while (plen > 0) {
246 struct sk_buff *skb;
247 u8 cmd_param[253], fragment_len = (plen > 252) ? 252 : plen;
249 cmd_param[0] = fragment_type;
250 memcpy(cmd_param + 1, param, fragment_len);
252 skb = __hci_cmd_sync(hdev, 0xfc09, fragment_len + 1,
253 cmd_param, HCI_INIT_TIMEOUT);
254 if (IS_ERR(skb))
255 return PTR_ERR(skb);
257 kfree_skb(skb);
259 plen -= fragment_len;
260 param += fragment_len;
263 return 0;
265 EXPORT_SYMBOL_GPL(btintel_secure_send);
267 int btintel_load_ddc_config(struct hci_dev *hdev, const char *ddc_name)
269 const struct firmware *fw;
270 struct sk_buff *skb;
271 const u8 *fw_ptr;
272 int err;
274 err = request_firmware_direct(&fw, ddc_name, &hdev->dev);
275 if (err < 0) {
276 bt_dev_err(hdev, "Failed to load Intel DDC file %s (%d)",
277 ddc_name, err);
278 return err;
281 bt_dev_info(hdev, "Found Intel DDC parameters: %s", ddc_name);
283 fw_ptr = fw->data;
285 /* DDC file contains one or more DDC structure which has
286 * Length (1 byte), DDC ID (2 bytes), and DDC value (Length - 2).
288 while (fw->size > fw_ptr - fw->data) {
289 u8 cmd_plen = fw_ptr[0] + sizeof(u8);
291 skb = __hci_cmd_sync(hdev, 0xfc8b, cmd_plen, fw_ptr,
292 HCI_INIT_TIMEOUT);
293 if (IS_ERR(skb)) {
294 bt_dev_err(hdev, "Failed to send Intel_Write_DDC (%ld)",
295 PTR_ERR(skb));
296 release_firmware(fw);
297 return PTR_ERR(skb);
300 fw_ptr += cmd_plen;
301 kfree_skb(skb);
304 release_firmware(fw);
306 bt_dev_info(hdev, "Applying Intel DDC parameters completed");
308 return 0;
310 EXPORT_SYMBOL_GPL(btintel_load_ddc_config);
312 int btintel_set_event_mask(struct hci_dev *hdev, bool debug)
314 u8 mask[8] = { 0x87, 0x0c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
315 struct sk_buff *skb;
316 int err;
318 if (debug)
319 mask[1] |= 0x62;
321 skb = __hci_cmd_sync(hdev, 0xfc52, 8, mask, HCI_INIT_TIMEOUT);
322 if (IS_ERR(skb)) {
323 err = PTR_ERR(skb);
324 BT_ERR("%s: Setting Intel event mask failed (%d)",
325 hdev->name, err);
326 return err;
328 kfree_skb(skb);
330 return 0;
332 EXPORT_SYMBOL_GPL(btintel_set_event_mask);
334 int btintel_set_event_mask_mfg(struct hci_dev *hdev, bool debug)
336 int err, ret;
338 err = btintel_enter_mfg(hdev);
339 if (err)
340 return err;
342 ret = btintel_set_event_mask(hdev, debug);
344 err = btintel_exit_mfg(hdev, false, false);
345 if (err)
346 return err;
348 return ret;
350 EXPORT_SYMBOL_GPL(btintel_set_event_mask_mfg);
352 int btintel_read_version(struct hci_dev *hdev, struct intel_version *ver)
354 struct sk_buff *skb;
356 skb = __hci_cmd_sync(hdev, 0xfc05, 0, NULL, HCI_CMD_TIMEOUT);
357 if (IS_ERR(skb)) {
358 bt_dev_err(hdev, "Reading Intel version information failed (%ld)",
359 PTR_ERR(skb));
360 return PTR_ERR(skb);
363 if (skb->len != sizeof(*ver)) {
364 bt_dev_err(hdev, "Intel version event size mismatch");
365 kfree_skb(skb);
366 return -EILSEQ;
369 memcpy(ver, skb->data, sizeof(*ver));
371 kfree_skb(skb);
373 return 0;
375 EXPORT_SYMBOL_GPL(btintel_read_version);
377 /* ------- REGMAP IBT SUPPORT ------- */
379 #define IBT_REG_MODE_8BIT 0x00
380 #define IBT_REG_MODE_16BIT 0x01
381 #define IBT_REG_MODE_32BIT 0x02
383 struct regmap_ibt_context {
384 struct hci_dev *hdev;
385 __u16 op_write;
386 __u16 op_read;
389 struct ibt_cp_reg_access {
390 __le32 addr;
391 __u8 mode;
392 __u8 len;
393 __u8 data[0];
394 } __packed;
396 struct ibt_rp_reg_access {
397 __u8 status;
398 __le32 addr;
399 __u8 data[0];
400 } __packed;
402 static int regmap_ibt_read(void *context, const void *addr, size_t reg_size,
403 void *val, size_t val_size)
405 struct regmap_ibt_context *ctx = context;
406 struct ibt_cp_reg_access cp;
407 struct ibt_rp_reg_access *rp;
408 struct sk_buff *skb;
409 int err = 0;
411 if (reg_size != sizeof(__le32))
412 return -EINVAL;
414 switch (val_size) {
415 case 1:
416 cp.mode = IBT_REG_MODE_8BIT;
417 break;
418 case 2:
419 cp.mode = IBT_REG_MODE_16BIT;
420 break;
421 case 4:
422 cp.mode = IBT_REG_MODE_32BIT;
423 break;
424 default:
425 return -EINVAL;
428 /* regmap provides a little-endian formatted addr */
429 cp.addr = *(__le32 *)addr;
430 cp.len = val_size;
432 bt_dev_dbg(ctx->hdev, "Register (0x%x) read", le32_to_cpu(cp.addr));
434 skb = hci_cmd_sync(ctx->hdev, ctx->op_read, sizeof(cp), &cp,
435 HCI_CMD_TIMEOUT);
436 if (IS_ERR(skb)) {
437 err = PTR_ERR(skb);
438 bt_dev_err(ctx->hdev, "regmap: Register (0x%x) read error (%d)",
439 le32_to_cpu(cp.addr), err);
440 return err;
443 if (skb->len != sizeof(*rp) + val_size) {
444 bt_dev_err(ctx->hdev, "regmap: Register (0x%x) read error, bad len",
445 le32_to_cpu(cp.addr));
446 err = -EINVAL;
447 goto done;
450 rp = (struct ibt_rp_reg_access *)skb->data;
452 if (rp->addr != cp.addr) {
453 bt_dev_err(ctx->hdev, "regmap: Register (0x%x) read error, bad addr",
454 le32_to_cpu(rp->addr));
455 err = -EINVAL;
456 goto done;
459 memcpy(val, rp->data, val_size);
461 done:
462 kfree_skb(skb);
463 return err;
466 static int regmap_ibt_gather_write(void *context,
467 const void *addr, size_t reg_size,
468 const void *val, size_t val_size)
470 struct regmap_ibt_context *ctx = context;
471 struct ibt_cp_reg_access *cp;
472 struct sk_buff *skb;
473 int plen = sizeof(*cp) + val_size;
474 u8 mode;
475 int err = 0;
477 if (reg_size != sizeof(__le32))
478 return -EINVAL;
480 switch (val_size) {
481 case 1:
482 mode = IBT_REG_MODE_8BIT;
483 break;
484 case 2:
485 mode = IBT_REG_MODE_16BIT;
486 break;
487 case 4:
488 mode = IBT_REG_MODE_32BIT;
489 break;
490 default:
491 return -EINVAL;
494 cp = kmalloc(plen, GFP_KERNEL);
495 if (!cp)
496 return -ENOMEM;
498 /* regmap provides a little-endian formatted addr/value */
499 cp->addr = *(__le32 *)addr;
500 cp->mode = mode;
501 cp->len = val_size;
502 memcpy(&cp->data, val, val_size);
504 bt_dev_dbg(ctx->hdev, "Register (0x%x) write", le32_to_cpu(cp->addr));
506 skb = hci_cmd_sync(ctx->hdev, ctx->op_write, plen, cp, HCI_CMD_TIMEOUT);
507 if (IS_ERR(skb)) {
508 err = PTR_ERR(skb);
509 bt_dev_err(ctx->hdev, "regmap: Register (0x%x) write error (%d)",
510 le32_to_cpu(cp->addr), err);
511 goto done;
513 kfree_skb(skb);
515 done:
516 kfree(cp);
517 return err;
520 static int regmap_ibt_write(void *context, const void *data, size_t count)
522 /* data contains register+value, since we only support 32bit addr,
523 * minimum data size is 4 bytes.
525 if (WARN_ONCE(count < 4, "Invalid register access"))
526 return -EINVAL;
528 return regmap_ibt_gather_write(context, data, 4, data + 4, count - 4);
531 static void regmap_ibt_free_context(void *context)
533 kfree(context);
536 static struct regmap_bus regmap_ibt = {
537 .read = regmap_ibt_read,
538 .write = regmap_ibt_write,
539 .gather_write = regmap_ibt_gather_write,
540 .free_context = regmap_ibt_free_context,
541 .reg_format_endian_default = REGMAP_ENDIAN_LITTLE,
542 .val_format_endian_default = REGMAP_ENDIAN_LITTLE,
545 /* Config is the same for all register regions */
546 static const struct regmap_config regmap_ibt_cfg = {
547 .name = "btintel_regmap",
548 .reg_bits = 32,
549 .val_bits = 32,
552 struct regmap *btintel_regmap_init(struct hci_dev *hdev, u16 opcode_read,
553 u16 opcode_write)
555 struct regmap_ibt_context *ctx;
557 bt_dev_info(hdev, "regmap: Init R%x-W%x region", opcode_read,
558 opcode_write);
560 ctx = kzalloc(sizeof(*ctx), GFP_KERNEL);
561 if (!ctx)
562 return ERR_PTR(-ENOMEM);
564 ctx->op_read = opcode_read;
565 ctx->op_write = opcode_write;
566 ctx->hdev = hdev;
568 return regmap_init(&hdev->dev, &regmap_ibt, ctx, &regmap_ibt_cfg);
570 EXPORT_SYMBOL_GPL(btintel_regmap_init);
572 MODULE_AUTHOR("Marcel Holtmann <marcel@holtmann.org>");
573 MODULE_DESCRIPTION("Bluetooth support for Intel devices ver " VERSION);
574 MODULE_VERSION(VERSION);
575 MODULE_LICENSE("GPL");
576 MODULE_FIRMWARE("intel/ibt-11-5.sfi");
577 MODULE_FIRMWARE("intel/ibt-11-5.ddc");