1 // SPDX-License-Identifier: GPL-2.0-or-later
2 /*
3  *
4  *  Bluetooth HCI UART driver
5  *
6  *  Copyright (C) 2002-2003  Fabrizio Gennari <fabrizio.gennari@philips.com>
7  *  Copyright (C) 2004-2005  Marcel Holtmann <marcel@holtmann.org>
8  */
9 
10 #include <linux/module.h>
11 
12 #include <linux/kernel.h>
13 #include <linux/init.h>
14 #include <linux/types.h>
15 #include <linux/fcntl.h>
16 #include <linux/interrupt.h>
17 #include <linux/ptrace.h>
18 #include <linux/poll.h>
19 
20 #include <linux/slab.h>
21 #include <linux/tty.h>
22 #include <linux/errno.h>
23 #include <linux/string.h>
24 #include <linux/signal.h>
25 #include <linux/ioctl.h>
26 #include <linux/skbuff.h>
27 #include <linux/bitrev.h>
28 #include <asm/unaligned.h>
29 
30 #include <net/bluetooth/bluetooth.h>
31 #include <net/bluetooth/hci_core.h>
32 
33 #include "hci_uart.h"
34 
35 static bool txcrc = true;
36 static bool hciextn = true;
37 
38 #define BCSP_TXWINSIZE	4
39 
40 #define BCSP_ACK_PKT	0x05
41 #define BCSP_LE_PKT	0x06
42 
43 struct bcsp_struct {
44 	struct sk_buff_head unack;	/* Unack'ed packets queue */
45 	struct sk_buff_head rel;	/* Reliable packets queue */
46 	struct sk_buff_head unrel;	/* Unreliable packets queue */
47 
48 	unsigned long rx_count;
49 	struct	sk_buff *rx_skb;
50 	u8	rxseq_txack;		/* rxseq == txack. */
51 	u8	rxack;			/* Last packet sent by us that the peer ack'ed */
52 	struct	timer_list tbcsp;
53 	struct	hci_uart *hu;
54 
55 	enum {
56 		BCSP_W4_PKT_DELIMITER,
57 		BCSP_W4_PKT_START,
58 		BCSP_W4_BCSP_HDR,
59 		BCSP_W4_DATA,
60 		BCSP_W4_CRC
61 	} rx_state;
62 
63 	enum {
64 		BCSP_ESCSTATE_NOESC,
65 		BCSP_ESCSTATE_ESC
66 	} rx_esc_state;
67 
68 	u8	use_crc;
69 	u16	message_crc;
70 	u8	txack_req;		/* Do we need to send ack's to the peer? */
71 
72 	/* Reliable packet sequence number - used to assign seq to each rel pkt. */
73 	u8	msgq_txseq;
74 };
75 
76 /* ---- BCSP CRC calculation ---- */
77 
78 /* Table for calculating CRC for polynomial 0x1021, LSB processed first,
79  * initial value 0xffff, bits shifted in reverse order.
80  */
81 
82 static const u16 crc_table[] = {
83 	0x0000, 0x1081, 0x2102, 0x3183,
84 	0x4204, 0x5285, 0x6306, 0x7387,
85 	0x8408, 0x9489, 0xa50a, 0xb58b,
86 	0xc60c, 0xd68d, 0xe70e, 0xf78f
87 };
88 
89 /* Initialise the crc calculator */
90 #define BCSP_CRC_INIT(x) x = 0xffff
91 
92 /* Update crc with next data byte
93  *
94  * Implementation note
95  *     The data byte is treated as two nibbles.  The crc is generated
96  *     in reverse, i.e., bits are fed into the register from the top.
97  */
bcsp_crc_update(u16 * crc,u8 d)98 static void bcsp_crc_update(u16 *crc, u8 d)
99 {
100 	u16 reg = *crc;
101 
102 	reg = (reg >> 4) ^ crc_table[(reg ^ d) & 0x000f];
103 	reg = (reg >> 4) ^ crc_table[(reg ^ (d >> 4)) & 0x000f];
104 
105 	*crc = reg;
106 }
107 
108 /* ---- BCSP core ---- */
109 
bcsp_slip_msgdelim(struct sk_buff * skb)110 static void bcsp_slip_msgdelim(struct sk_buff *skb)
111 {
112 	const char pkt_delim = 0xc0;
113 
114 	skb_put_data(skb, &pkt_delim, 1);
115 }
116 
bcsp_slip_one_byte(struct sk_buff * skb,u8 c)117 static void bcsp_slip_one_byte(struct sk_buff *skb, u8 c)
118 {
119 	const char esc_c0[2] = { 0xdb, 0xdc };
120 	const char esc_db[2] = { 0xdb, 0xdd };
121 
122 	switch (c) {
123 	case 0xc0:
124 		skb_put_data(skb, &esc_c0, 2);
125 		break;
126 	case 0xdb:
127 		skb_put_data(skb, &esc_db, 2);
128 		break;
129 	default:
130 		skb_put_data(skb, &c, 1);
131 	}
132 }
133 
bcsp_enqueue(struct hci_uart * hu,struct sk_buff * skb)134 static int bcsp_enqueue(struct hci_uart *hu, struct sk_buff *skb)
135 {
136 	struct bcsp_struct *bcsp = hu->priv;
137 
138 	if (skb->len > 0xFFF) {
139 		BT_ERR("Packet too long");
140 		kfree_skb(skb);
141 		return 0;
142 	}
143 
144 	switch (hci_skb_pkt_type(skb)) {
145 	case HCI_ACLDATA_PKT:
146 	case HCI_COMMAND_PKT:
147 		skb_queue_tail(&bcsp->rel, skb);
148 		break;
149 
150 	case HCI_SCODATA_PKT:
151 		skb_queue_tail(&bcsp->unrel, skb);
152 		break;
153 
154 	default:
155 		BT_ERR("Unknown packet type");
156 		kfree_skb(skb);
157 		break;
158 	}
159 
160 	return 0;
161 }
162 
bcsp_prepare_pkt(struct bcsp_struct * bcsp,u8 * data,int len,int pkt_type)163 static struct sk_buff *bcsp_prepare_pkt(struct bcsp_struct *bcsp, u8 *data,
164 					int len, int pkt_type)
165 {
166 	struct sk_buff *nskb;
167 	u8 hdr[4], chan;
168 	u16 BCSP_CRC_INIT(bcsp_txmsg_crc);
169 	int rel, i;
170 
171 	switch (pkt_type) {
172 	case HCI_ACLDATA_PKT:
173 		chan = 6;	/* BCSP ACL channel */
174 		rel = 1;	/* reliable channel */
175 		break;
176 	case HCI_COMMAND_PKT:
177 		chan = 5;	/* BCSP cmd/evt channel */
178 		rel = 1;	/* reliable channel */
179 		break;
180 	case HCI_SCODATA_PKT:
181 		chan = 7;	/* BCSP SCO channel */
182 		rel = 0;	/* unreliable channel */
183 		break;
184 	case BCSP_LE_PKT:
185 		chan = 1;	/* BCSP LE channel */
186 		rel = 0;	/* unreliable channel */
187 		break;
188 	case BCSP_ACK_PKT:
189 		chan = 0;	/* BCSP internal channel */
190 		rel = 0;	/* unreliable channel */
191 		break;
192 	default:
193 		BT_ERR("Unknown packet type");
194 		return NULL;
195 	}
196 
197 	if (hciextn && chan == 5) {
198 		__le16 opcode = ((struct hci_command_hdr *)data)->opcode;
199 
200 		/* Vendor specific commands */
201 		if (hci_opcode_ogf(__le16_to_cpu(opcode)) == 0x3f) {
202 			u8 desc = *(data + HCI_COMMAND_HDR_SIZE);
203 
204 			if ((desc & 0xf0) == 0xc0) {
205 				data += HCI_COMMAND_HDR_SIZE + 1;
206 				len  -= HCI_COMMAND_HDR_SIZE + 1;
207 				chan = desc & 0x0f;
208 			}
209 		}
210 	}
211 
212 	/* Max len of packet: (original len +4(bcsp hdr) +2(crc))*2
213 	 * (because bytes 0xc0 and 0xdb are escaped, worst case is
214 	 * when the packet is all made of 0xc0 and 0xdb :) )
215 	 * + 2 (0xc0 delimiters at start and end).
216 	 */
217 
218 	nskb = alloc_skb((len + 6) * 2 + 2, GFP_ATOMIC);
219 	if (!nskb)
220 		return NULL;
221 
222 	hci_skb_pkt_type(nskb) = pkt_type;
223 
224 	bcsp_slip_msgdelim(nskb);
225 
226 	hdr[0] = bcsp->rxseq_txack << 3;
227 	bcsp->txack_req = 0;
228 	BT_DBG("We request packet no %u to card", bcsp->rxseq_txack);
229 
230 	if (rel) {
231 		hdr[0] |= 0x80 + bcsp->msgq_txseq;
232 		BT_DBG("Sending packet with seqno %u", bcsp->msgq_txseq);
233 		bcsp->msgq_txseq = (bcsp->msgq_txseq + 1) & 0x07;
234 	}
235 
236 	if (bcsp->use_crc)
237 		hdr[0] |= 0x40;
238 
239 	hdr[1] = ((len << 4) & 0xff) | chan;
240 	hdr[2] = len >> 4;
241 	hdr[3] = ~(hdr[0] + hdr[1] + hdr[2]);
242 
243 	/* Put BCSP header */
244 	for (i = 0; i < 4; i++) {
245 		bcsp_slip_one_byte(nskb, hdr[i]);
246 
247 		if (bcsp->use_crc)
248 			bcsp_crc_update(&bcsp_txmsg_crc, hdr[i]);
249 	}
250 
251 	/* Put payload */
252 	for (i = 0; i < len; i++) {
253 		bcsp_slip_one_byte(nskb, data[i]);
254 
255 		if (bcsp->use_crc)
256 			bcsp_crc_update(&bcsp_txmsg_crc, data[i]);
257 	}
258 
259 	/* Put CRC */
260 	if (bcsp->use_crc) {
261 		bcsp_txmsg_crc = bitrev16(bcsp_txmsg_crc);
262 		bcsp_slip_one_byte(nskb, (u8)((bcsp_txmsg_crc >> 8) & 0x00ff));
263 		bcsp_slip_one_byte(nskb, (u8)(bcsp_txmsg_crc & 0x00ff));
264 	}
265 
266 	bcsp_slip_msgdelim(nskb);
267 	return nskb;
268 }
269 
270 /* This is a rewrite of pkt_avail in ABCSP */
bcsp_dequeue(struct hci_uart * hu)271 static struct sk_buff *bcsp_dequeue(struct hci_uart *hu)
272 {
273 	struct bcsp_struct *bcsp = hu->priv;
274 	unsigned long flags;
275 	struct sk_buff *skb;
276 
277 	/* First of all, check for unreliable messages in the queue,
278 	 * since they have priority
279 	 */
280 
281 	skb = skb_dequeue(&bcsp->unrel);
282 	if (skb != NULL) {
283 		struct sk_buff *nskb;
284 
285 		nskb = bcsp_prepare_pkt(bcsp, skb->data, skb->len,
286 					hci_skb_pkt_type(skb));
287 		if (nskb) {
288 			kfree_skb(skb);
289 			return nskb;
290 		} else {
291 			skb_queue_head(&bcsp->unrel, skb);
292 			BT_ERR("Could not dequeue pkt because alloc_skb failed");
293 		}
294 	}
295 
296 	/* Now, try to send a reliable pkt. We can only send a
297 	 * reliable packet if the number of packets sent but not yet ack'ed
298 	 * is < than the winsize
299 	 */
300 
301 	spin_lock_irqsave_nested(&bcsp->unack.lock, flags, SINGLE_DEPTH_NESTING);
302 
303 	if (bcsp->unack.qlen < BCSP_TXWINSIZE) {
304 		skb = skb_dequeue(&bcsp->rel);
305 		if (skb != NULL) {
306 			struct sk_buff *nskb;
307 
308 			nskb = bcsp_prepare_pkt(bcsp, skb->data, skb->len,
309 						hci_skb_pkt_type(skb));
310 			if (nskb) {
311 				__skb_queue_tail(&bcsp->unack, skb);
312 				mod_timer(&bcsp->tbcsp, jiffies + HZ / 4);
313 				spin_unlock_irqrestore(&bcsp->unack.lock, flags);
314 				return nskb;
315 			} else {
316 				skb_queue_head(&bcsp->rel, skb);
317 				BT_ERR("Could not dequeue pkt because alloc_skb failed");
318 			}
319 		}
320 	}
321 
322 	spin_unlock_irqrestore(&bcsp->unack.lock, flags);
323 
324 	/* We could not send a reliable packet, either because there are
325 	 * none or because there are too many unack'ed pkts. Did we receive
326 	 * any packets we have not acknowledged yet ?
327 	 */
328 
329 	if (bcsp->txack_req) {
330 		/* if so, craft an empty ACK pkt and send it on BCSP unreliable
331 		 * channel 0
332 		 */
333 		struct sk_buff *nskb = bcsp_prepare_pkt(bcsp, NULL, 0, BCSP_ACK_PKT);
334 		return nskb;
335 	}
336 
337 	/* We have nothing to send */
338 	return NULL;
339 }
340 
bcsp_flush(struct hci_uart * hu)341 static int bcsp_flush(struct hci_uart *hu)
342 {
343 	BT_DBG("hu %p", hu);
344 	return 0;
345 }
346 
347 /* Remove ack'ed packets */
bcsp_pkt_cull(struct bcsp_struct * bcsp)348 static void bcsp_pkt_cull(struct bcsp_struct *bcsp)
349 {
350 	struct sk_buff *skb, *tmp;
351 	unsigned long flags;
352 	int i, pkts_to_be_removed;
353 	u8 seqno;
354 
355 	spin_lock_irqsave(&bcsp->unack.lock, flags);
356 
357 	pkts_to_be_removed = skb_queue_len(&bcsp->unack);
358 	seqno = bcsp->msgq_txseq;
359 
360 	while (pkts_to_be_removed) {
361 		if (bcsp->rxack == seqno)
362 			break;
363 		pkts_to_be_removed--;
364 		seqno = (seqno - 1) & 0x07;
365 	}
366 
367 	if (bcsp->rxack != seqno)
368 		BT_ERR("Peer acked invalid packet");
369 
370 	BT_DBG("Removing %u pkts out of %u, up to seqno %u",
371 	       pkts_to_be_removed, skb_queue_len(&bcsp->unack),
372 	       (seqno - 1) & 0x07);
373 
374 	i = 0;
375 	skb_queue_walk_safe(&bcsp->unack, skb, tmp) {
376 		if (i >= pkts_to_be_removed)
377 			break;
378 		i++;
379 
380 		__skb_unlink(skb, &bcsp->unack);
381 		dev_kfree_skb_irq(skb);
382 	}
383 
384 	if (skb_queue_empty(&bcsp->unack))
385 		del_timer(&bcsp->tbcsp);
386 
387 	spin_unlock_irqrestore(&bcsp->unack.lock, flags);
388 
389 	if (i != pkts_to_be_removed)
390 		BT_ERR("Removed only %u out of %u pkts", i, pkts_to_be_removed);
391 }
392 
393 /* Handle BCSP link-establishment packets. When we
394  * detect a "sync" packet, symptom that the BT module has reset,
395  * we do nothing :) (yet)
396  */
bcsp_handle_le_pkt(struct hci_uart * hu)397 static void bcsp_handle_le_pkt(struct hci_uart *hu)
398 {
399 	struct bcsp_struct *bcsp = hu->priv;
400 	u8 conf_pkt[4]     = { 0xad, 0xef, 0xac, 0xed };
401 	u8 conf_rsp_pkt[4] = { 0xde, 0xad, 0xd0, 0xd0 };
402 	u8 sync_pkt[4]     = { 0xda, 0xdc, 0xed, 0xed };
403 
404 	/* spot "conf" pkts and reply with a "conf rsp" pkt */
405 	if (bcsp->rx_skb->data[1] >> 4 == 4 && bcsp->rx_skb->data[2] == 0 &&
406 	    !memcmp(&bcsp->rx_skb->data[4], conf_pkt, 4)) {
407 		struct sk_buff *nskb = alloc_skb(4, GFP_ATOMIC);
408 
409 		BT_DBG("Found a LE conf pkt");
410 		if (!nskb)
411 			return;
412 		skb_put_data(nskb, conf_rsp_pkt, 4);
413 		hci_skb_pkt_type(nskb) = BCSP_LE_PKT;
414 
415 		skb_queue_head(&bcsp->unrel, nskb);
416 		hci_uart_tx_wakeup(hu);
417 	}
418 	/* Spot "sync" pkts. If we find one...disaster! */
419 	else if (bcsp->rx_skb->data[1] >> 4 == 4 && bcsp->rx_skb->data[2] == 0 &&
420 		 !memcmp(&bcsp->rx_skb->data[4], sync_pkt, 4)) {
421 		BT_ERR("Found a LE sync pkt, card has reset");
422 	}
423 }
424 
bcsp_unslip_one_byte(struct bcsp_struct * bcsp,unsigned char byte)425 static inline void bcsp_unslip_one_byte(struct bcsp_struct *bcsp, unsigned char byte)
426 {
427 	const u8 c0 = 0xc0, db = 0xdb;
428 
429 	switch (bcsp->rx_esc_state) {
430 	case BCSP_ESCSTATE_NOESC:
431 		switch (byte) {
432 		case 0xdb:
433 			bcsp->rx_esc_state = BCSP_ESCSTATE_ESC;
434 			break;
435 		default:
436 			skb_put_data(bcsp->rx_skb, &byte, 1);
437 			if ((bcsp->rx_skb->data[0] & 0x40) != 0 &&
438 			    bcsp->rx_state != BCSP_W4_CRC)
439 				bcsp_crc_update(&bcsp->message_crc, byte);
440 			bcsp->rx_count--;
441 		}
442 		break;
443 
444 	case BCSP_ESCSTATE_ESC:
445 		switch (byte) {
446 		case 0xdc:
447 			skb_put_data(bcsp->rx_skb, &c0, 1);
448 			if ((bcsp->rx_skb->data[0] & 0x40) != 0 &&
449 			    bcsp->rx_state != BCSP_W4_CRC)
450 				bcsp_crc_update(&bcsp->message_crc, 0xc0);
451 			bcsp->rx_esc_state = BCSP_ESCSTATE_NOESC;
452 			bcsp->rx_count--;
453 			break;
454 
455 		case 0xdd:
456 			skb_put_data(bcsp->rx_skb, &db, 1);
457 			if ((bcsp->rx_skb->data[0] & 0x40) != 0 &&
458 			    bcsp->rx_state != BCSP_W4_CRC)
459 				bcsp_crc_update(&bcsp->message_crc, 0xdb);
460 			bcsp->rx_esc_state = BCSP_ESCSTATE_NOESC;
461 			bcsp->rx_count--;
462 			break;
463 
464 		default:
465 			BT_ERR("Invalid byte %02x after esc byte", byte);
466 			kfree_skb(bcsp->rx_skb);
467 			bcsp->rx_skb = NULL;
468 			bcsp->rx_state = BCSP_W4_PKT_DELIMITER;
469 			bcsp->rx_count = 0;
470 		}
471 	}
472 }
473 
bcsp_complete_rx_pkt(struct hci_uart * hu)474 static void bcsp_complete_rx_pkt(struct hci_uart *hu)
475 {
476 	struct bcsp_struct *bcsp = hu->priv;
477 	int pass_up = 0;
478 
479 	if (bcsp->rx_skb->data[0] & 0x80) {	/* reliable pkt */
480 		BT_DBG("Received seqno %u from card", bcsp->rxseq_txack);
481 
482 		/* check the rx sequence number is as expected */
483 		if ((bcsp->rx_skb->data[0] & 0x07) == bcsp->rxseq_txack) {
484 			bcsp->rxseq_txack++;
485 			bcsp->rxseq_txack %= 0x8;
486 		} else {
487 			/* handle re-transmitted packet or
488 			 * when packet was missed
489 			 */
490 			BT_ERR("Out-of-order packet arrived, got %u expected %u",
491 			       bcsp->rx_skb->data[0] & 0x07, bcsp->rxseq_txack);
492 
493 			/* do not process out-of-order packet payload */
494 			pass_up = 2;
495 		}
496 
497 		/* send current txack value to all received reliable packets */
498 		bcsp->txack_req = 1;
499 
500 		/* If needed, transmit an ack pkt */
501 		hci_uart_tx_wakeup(hu);
502 	}
503 
504 	bcsp->rxack = (bcsp->rx_skb->data[0] >> 3) & 0x07;
505 	BT_DBG("Request for pkt %u from card", bcsp->rxack);
506 
507 	/* handle received ACK indications,
508 	 * including those from out-of-order packets
509 	 */
510 	bcsp_pkt_cull(bcsp);
511 
512 	if (pass_up != 2) {
513 		if ((bcsp->rx_skb->data[1] & 0x0f) == 6 &&
514 		    (bcsp->rx_skb->data[0] & 0x80)) {
515 			hci_skb_pkt_type(bcsp->rx_skb) = HCI_ACLDATA_PKT;
516 			pass_up = 1;
517 		} else if ((bcsp->rx_skb->data[1] & 0x0f) == 5 &&
518 			   (bcsp->rx_skb->data[0] & 0x80)) {
519 			hci_skb_pkt_type(bcsp->rx_skb) = HCI_EVENT_PKT;
520 			pass_up = 1;
521 		} else if ((bcsp->rx_skb->data[1] & 0x0f) == 7) {
522 			hci_skb_pkt_type(bcsp->rx_skb) = HCI_SCODATA_PKT;
523 			pass_up = 1;
524 		} else if ((bcsp->rx_skb->data[1] & 0x0f) == 1 &&
525 			   !(bcsp->rx_skb->data[0] & 0x80)) {
526 			bcsp_handle_le_pkt(hu);
527 			pass_up = 0;
528 		} else {
529 			pass_up = 0;
530 		}
531 	}
532 
533 	if (pass_up == 0) {
534 		struct hci_event_hdr hdr;
535 		u8 desc = (bcsp->rx_skb->data[1] & 0x0f);
536 
537 		if (desc != 0 && desc != 1) {
538 			if (hciextn) {
539 				desc |= 0xc0;
540 				skb_pull(bcsp->rx_skb, 4);
541 				memcpy(skb_push(bcsp->rx_skb, 1), &desc, 1);
542 
543 				hdr.evt = 0xff;
544 				hdr.plen = bcsp->rx_skb->len;
545 				memcpy(skb_push(bcsp->rx_skb, HCI_EVENT_HDR_SIZE), &hdr, HCI_EVENT_HDR_SIZE);
546 				hci_skb_pkt_type(bcsp->rx_skb) = HCI_EVENT_PKT;
547 
548 				hci_recv_frame(hu->hdev, bcsp->rx_skb);
549 			} else {
550 				BT_ERR("Packet for unknown channel (%u %s)",
551 				       bcsp->rx_skb->data[1] & 0x0f,
552 				       bcsp->rx_skb->data[0] & 0x80 ?
553 				       "reliable" : "unreliable");
554 				kfree_skb(bcsp->rx_skb);
555 			}
556 		} else
557 			kfree_skb(bcsp->rx_skb);
558 	} else if (pass_up == 1) {
559 		/* Pull out BCSP hdr */
560 		skb_pull(bcsp->rx_skb, 4);
561 
562 		hci_recv_frame(hu->hdev, bcsp->rx_skb);
563 	} else {
564 		/* ignore packet payload of already ACKed re-transmitted
565 		 * packets or when a packet was missed in the BCSP window
566 		 */
567 		kfree_skb(bcsp->rx_skb);
568 	}
569 
570 	bcsp->rx_state = BCSP_W4_PKT_DELIMITER;
571 	bcsp->rx_skb = NULL;
572 }
573 
bscp_get_crc(struct bcsp_struct * bcsp)574 static u16 bscp_get_crc(struct bcsp_struct *bcsp)
575 {
576 	return get_unaligned_be16(&bcsp->rx_skb->data[bcsp->rx_skb->len - 2]);
577 }
578 
579 /* Recv data */
bcsp_recv(struct hci_uart * hu,const void * data,int count)580 static int bcsp_recv(struct hci_uart *hu, const void *data, int count)
581 {
582 	struct bcsp_struct *bcsp = hu->priv;
583 	const unsigned char *ptr;
584 
585 	BT_DBG("hu %p count %d rx_state %d rx_count %ld",
586 	       hu, count, bcsp->rx_state, bcsp->rx_count);
587 
588 	ptr = data;
589 	while (count) {
590 		if (bcsp->rx_count) {
591 			if (*ptr == 0xc0) {
592 				BT_ERR("Short BCSP packet");
593 				kfree_skb(bcsp->rx_skb);
594 				bcsp->rx_skb = NULL;
595 				bcsp->rx_state = BCSP_W4_PKT_START;
596 				bcsp->rx_count = 0;
597 			} else
598 				bcsp_unslip_one_byte(bcsp, *ptr);
599 
600 			ptr++; count--;
601 			continue;
602 		}
603 
604 		switch (bcsp->rx_state) {
605 		case BCSP_W4_BCSP_HDR:
606 			if ((0xff & (u8)~(bcsp->rx_skb->data[0] + bcsp->rx_skb->data[1] +
607 			    bcsp->rx_skb->data[2])) != bcsp->rx_skb->data[3]) {
608 				BT_ERR("Error in BCSP hdr checksum");
609 				kfree_skb(bcsp->rx_skb);
610 				bcsp->rx_skb = NULL;
611 				bcsp->rx_state = BCSP_W4_PKT_DELIMITER;
612 				bcsp->rx_count = 0;
613 				continue;
614 			}
615 			bcsp->rx_state = BCSP_W4_DATA;
616 			bcsp->rx_count = (bcsp->rx_skb->data[1] >> 4) +
617 					(bcsp->rx_skb->data[2] << 4);	/* May be 0 */
618 			continue;
619 
620 		case BCSP_W4_DATA:
621 			if (bcsp->rx_skb->data[0] & 0x40) {	/* pkt with crc */
622 				bcsp->rx_state = BCSP_W4_CRC;
623 				bcsp->rx_count = 2;
624 			} else
625 				bcsp_complete_rx_pkt(hu);
626 			continue;
627 
628 		case BCSP_W4_CRC:
629 			if (bitrev16(bcsp->message_crc) != bscp_get_crc(bcsp)) {
630 				BT_ERR("Checksum failed: computed %04x received %04x",
631 				       bitrev16(bcsp->message_crc),
632 				       bscp_get_crc(bcsp));
633 
634 				kfree_skb(bcsp->rx_skb);
635 				bcsp->rx_skb = NULL;
636 				bcsp->rx_state = BCSP_W4_PKT_DELIMITER;
637 				bcsp->rx_count = 0;
638 				continue;
639 			}
640 			skb_trim(bcsp->rx_skb, bcsp->rx_skb->len - 2);
641 			bcsp_complete_rx_pkt(hu);
642 			continue;
643 
644 		case BCSP_W4_PKT_DELIMITER:
645 			switch (*ptr) {
646 			case 0xc0:
647 				bcsp->rx_state = BCSP_W4_PKT_START;
648 				break;
649 			default:
650 				/*BT_ERR("Ignoring byte %02x", *ptr);*/
651 				break;
652 			}
653 			ptr++; count--;
654 			break;
655 
656 		case BCSP_W4_PKT_START:
657 			switch (*ptr) {
658 			case 0xc0:
659 				ptr++; count--;
660 				break;
661 
662 			default:
663 				bcsp->rx_state = BCSP_W4_BCSP_HDR;
664 				bcsp->rx_count = 4;
665 				bcsp->rx_esc_state = BCSP_ESCSTATE_NOESC;
666 				BCSP_CRC_INIT(bcsp->message_crc);
667 
668 				/* Do not increment ptr or decrement count
669 				 * Allocate packet. Max len of a BCSP pkt=
670 				 * 0xFFF (payload) +4 (header) +2 (crc)
671 				 */
672 
673 				bcsp->rx_skb = bt_skb_alloc(0x1005, GFP_ATOMIC);
674 				if (!bcsp->rx_skb) {
675 					BT_ERR("Can't allocate mem for new packet");
676 					bcsp->rx_state = BCSP_W4_PKT_DELIMITER;
677 					bcsp->rx_count = 0;
678 					return 0;
679 				}
680 				break;
681 			}
682 			break;
683 		}
684 	}
685 	return count;
686 }
687 
688 	/* Arrange to retransmit all messages in the relq. */
bcsp_timed_event(struct timer_list * t)689 static void bcsp_timed_event(struct timer_list *t)
690 {
691 	struct bcsp_struct *bcsp = from_timer(bcsp, t, tbcsp);
692 	struct hci_uart *hu = bcsp->hu;
693 	struct sk_buff *skb;
694 	unsigned long flags;
695 
696 	BT_DBG("hu %p retransmitting %u pkts", hu, bcsp->unack.qlen);
697 
698 	spin_lock_irqsave_nested(&bcsp->unack.lock, flags, SINGLE_DEPTH_NESTING);
699 
700 	while ((skb = __skb_dequeue_tail(&bcsp->unack)) != NULL) {
701 		bcsp->msgq_txseq = (bcsp->msgq_txseq - 1) & 0x07;
702 		skb_queue_head(&bcsp->rel, skb);
703 	}
704 
705 	spin_unlock_irqrestore(&bcsp->unack.lock, flags);
706 
707 	hci_uart_tx_wakeup(hu);
708 }
709 
bcsp_open(struct hci_uart * hu)710 static int bcsp_open(struct hci_uart *hu)
711 {
712 	struct bcsp_struct *bcsp;
713 
714 	BT_DBG("hu %p", hu);
715 
716 	bcsp = kzalloc(sizeof(*bcsp), GFP_KERNEL);
717 	if (!bcsp)
718 		return -ENOMEM;
719 
720 	hu->priv = bcsp;
721 	bcsp->hu = hu;
722 	skb_queue_head_init(&bcsp->unack);
723 	skb_queue_head_init(&bcsp->rel);
724 	skb_queue_head_init(&bcsp->unrel);
725 
726 	timer_setup(&bcsp->tbcsp, bcsp_timed_event, 0);
727 
728 	bcsp->rx_state = BCSP_W4_PKT_DELIMITER;
729 
730 	if (txcrc)
731 		bcsp->use_crc = 1;
732 
733 	return 0;
734 }
735 
bcsp_close(struct hci_uart * hu)736 static int bcsp_close(struct hci_uart *hu)
737 {
738 	struct bcsp_struct *bcsp = hu->priv;
739 
740 	timer_shutdown_sync(&bcsp->tbcsp);
741 
742 	hu->priv = NULL;
743 
744 	BT_DBG("hu %p", hu);
745 
746 	skb_queue_purge(&bcsp->unack);
747 	skb_queue_purge(&bcsp->rel);
748 	skb_queue_purge(&bcsp->unrel);
749 
750 	if (bcsp->rx_skb) {
751 		kfree_skb(bcsp->rx_skb);
752 		bcsp->rx_skb = NULL;
753 	}
754 
755 	kfree(bcsp);
756 	return 0;
757 }
758 
759 static const struct hci_uart_proto bcsp = {
760 	.id		= HCI_UART_BCSP,
761 	.name		= "BCSP",
762 	.open		= bcsp_open,
763 	.close		= bcsp_close,
764 	.enqueue	= bcsp_enqueue,
765 	.dequeue	= bcsp_dequeue,
766 	.recv		= bcsp_recv,
767 	.flush		= bcsp_flush
768 };
769 
bcsp_init(void)770 int __init bcsp_init(void)
771 {
772 	return hci_uart_register_proto(&bcsp);
773 }
774 
bcsp_deinit(void)775 int __exit bcsp_deinit(void)
776 {
777 	return hci_uart_unregister_proto(&bcsp);
778 }
779 
780 module_param(txcrc, bool, 0644);
781 MODULE_PARM_DESC(txcrc, "Transmit CRC with every BCSP packet");
782 
783 module_param(hciextn, bool, 0644);
784 MODULE_PARM_DESC(hciextn, "Convert HCI Extensions into BCSP packets");
785