xref: /freebsd/sys/netgraph/bluetooth/drivers/ubt/ng_ubt.c (revision b4af4f93c682e445bf159f0d1ec90b636296c946)
1 /*
2  * ng_ubt.c
3  */
4 
5 /*-
6  * SPDX-License-Identifier: BSD-2-Clause-FreeBSD
7  *
8  * Copyright (c) 2001-2009 Maksim Yevmenkin <m_evmenkin@yahoo.com>
9  * All rights reserved.
10  *
11  * Redistribution and use in source and binary forms, with or without
12  * modification, are permitted provided that the following conditions
13  * are met:
14  * 1. Redistributions of source code must retain the above copyright
15  *    notice, this list of conditions and the following disclaimer.
16  * 2. Redistributions in binary form must reproduce the above copyright
17  *    notice, this list of conditions and the following disclaimer in the
18  *    documentation and/or other materials provided with the distribution.
19  *
20  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
21  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
22  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
23  * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
24  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
25  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
26  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
27  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
28  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
29  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
30  * SUCH DAMAGE.
31  *
32  * $Id: ng_ubt.c,v 1.16 2003/10/10 19:15:06 max Exp $
33  * $FreeBSD$
34  */
35 
36 /*
37  * NOTE: ng_ubt2 driver has a split personality. On one side it is
38  * a USB device driver and on the other it is a Netgraph node. This
39  * driver will *NOT* create traditional /dev/ enties, only Netgraph
40  * node.
41  *
42  * NOTE ON LOCKS USED: ng_ubt2 drives uses 2 locks (mutexes)
43  *
44  * 1) sc_if_mtx - lock for device's interface #0 and #1. This lock is used
45  *    by USB for any USB request going over device's interface #0 and #1,
46  *    i.e. interrupt, control, bulk and isoc. transfers.
47  *
48  * 2) sc_ng_mtx - this lock is used to protect shared (between USB, Netgraph
49  *    and Taskqueue) data, such as outgoing mbuf queues, task flags and hook
50  *    pointer. This lock *SHOULD NOT* be grabbed for a long time. In fact,
51  *    think of it as a spin lock.
52  *
53  * NOTE ON LOCKING STRATEGY: ng_ubt2 driver operates in 3 different contexts.
54  *
55  * 1) USB context. This is where all the USB related stuff happens. All
56  *    callbacks run in this context. All callbacks are called (by USB) with
57  *    appropriate interface lock held. It is (generally) allowed to grab
58  *    any additional locks.
59  *
60  * 2) Netgraph context. This is where all the Netgraph related stuff happens.
61  *    Since we mark node as WRITER, the Netgraph node will be "locked" (from
62  *    Netgraph point of view). Any variable that is only modified from the
63  *    Netgraph context does not require any additional locking. It is generally
64  *    *NOT* allowed to grab *ANY* additional locks. Whatever you do, *DO NOT*
65  *    grab any lock in the Netgraph context that could cause de-scheduling of
66  *    the Netgraph thread for significant amount of time. In fact, the only
67  *    lock that is allowed in the Netgraph context is the sc_ng_mtx lock.
68  *    Also make sure that any code that is called from the Netgraph context
69  *    follows the rule above.
70  *
71  * 3) Taskqueue context. This is where ubt_task runs. Since we are generally
72  *    NOT allowed to grab any lock that could cause de-scheduling in the
73  *    Netgraph context, and, USB requires us to grab interface lock before
74  *    doing things with transfers, it is safer to transition from the Netgraph
75  *    context to the Taskqueue context before we can call into USB subsystem.
76  *
77  * So, to put everything together, the rules are as follows.
78  *	It is OK to call from the USB context or the Taskqueue context into
79  * the Netgraph context (i.e. call NG_SEND_xxx functions). In other words
80  * it is allowed to call into the Netgraph context with locks held.
81  *	Is it *NOT* OK to call from the Netgraph context into the USB context,
82  * because USB requires us to grab interface locks, and, it is safer to
83  * avoid it. So, to make things safer we set task flags to indicate which
84  * actions we want to perform and schedule ubt_task which would run in the
85  * Taskqueue context.
86  *	Is is OK to call from the Taskqueue context into the USB context,
87  * and, ubt_task does just that (i.e. grabs appropriate interface locks
88  * before calling into USB).
89  *	Access to the outgoing queues, task flags and hook pointer is
90  * controlled by the sc_ng_mtx lock. It is an unavoidable evil. Again,
91  * sc_ng_mtx should really be a spin lock (and it is very likely to an
92  * equivalent of spin lock due to adaptive nature of FreeBSD mutexes).
93  *	All USB callbacks accept softc pointer as a private data. USB ensures
94  * that this pointer is valid.
95  */
96 
97 #include <sys/stdint.h>
98 #include <sys/stddef.h>
99 #include <sys/param.h>
100 #include <sys/queue.h>
101 #include <sys/types.h>
102 #include <sys/systm.h>
103 #include <sys/kernel.h>
104 #include <sys/bus.h>
105 #include <sys/module.h>
106 #include <sys/lock.h>
107 #include <sys/mutex.h>
108 #include <sys/condvar.h>
109 #include <sys/sysctl.h>
110 #include <sys/sx.h>
111 #include <sys/unistd.h>
112 #include <sys/callout.h>
113 #include <sys/malloc.h>
114 #include <sys/priv.h>
115 
116 #include "usbdevs.h"
117 #include <dev/usb/usb.h>
118 #include <dev/usb/usbdi.h>
119 #include <dev/usb/usbdi_util.h>
120 
121 #define	USB_DEBUG_VAR usb_debug
122 #include <dev/usb/usb_debug.h>
123 #include <dev/usb/usb_busdma.h>
124 
125 #include <sys/mbuf.h>
126 #include <sys/taskqueue.h>
127 
128 #include <netgraph/ng_message.h>
129 #include <netgraph/netgraph.h>
130 #include <netgraph/ng_parse.h>
131 #include <netgraph/bluetooth/include/ng_bluetooth.h>
132 #include <netgraph/bluetooth/include/ng_hci.h>
133 #include <netgraph/bluetooth/include/ng_ubt.h>
134 #include <netgraph/bluetooth/drivers/ubt/ng_ubt_var.h>
135 
136 static int		ubt_modevent(module_t, int, void *);
137 static device_probe_t	ubt_probe;
138 static device_attach_t	ubt_attach;
139 static device_detach_t	ubt_detach;
140 
141 static void		ubt_task_schedule(ubt_softc_p, int);
142 static task_fn_t	ubt_task;
143 
144 #define	ubt_xfer_start(sc, i)	usbd_transfer_start((sc)->sc_xfer[(i)])
145 
146 /* Netgraph methods */
147 static ng_constructor_t	ng_ubt_constructor;
148 static ng_shutdown_t	ng_ubt_shutdown;
149 static ng_newhook_t	ng_ubt_newhook;
150 static ng_connect_t	ng_ubt_connect;
151 static ng_disconnect_t	ng_ubt_disconnect;
152 static ng_rcvmsg_t	ng_ubt_rcvmsg;
153 static ng_rcvdata_t	ng_ubt_rcvdata;
154 
155 /* Queue length */
156 static const struct ng_parse_struct_field	ng_ubt_node_qlen_type_fields[] =
157 {
158 	{ "queue", &ng_parse_int32_type, },
159 	{ "qlen",  &ng_parse_int32_type, },
160 	{ NULL, }
161 };
162 static const struct ng_parse_type		ng_ubt_node_qlen_type =
163 {
164 	&ng_parse_struct_type,
165 	&ng_ubt_node_qlen_type_fields
166 };
167 
168 /* Stat info */
169 static const struct ng_parse_struct_field	ng_ubt_node_stat_type_fields[] =
170 {
171 	{ "pckts_recv", &ng_parse_uint32_type, },
172 	{ "bytes_recv", &ng_parse_uint32_type, },
173 	{ "pckts_sent", &ng_parse_uint32_type, },
174 	{ "bytes_sent", &ng_parse_uint32_type, },
175 	{ "oerrors",    &ng_parse_uint32_type, },
176 	{ "ierrors",    &ng_parse_uint32_type, },
177 	{ NULL, }
178 };
179 static const struct ng_parse_type		ng_ubt_node_stat_type =
180 {
181 	&ng_parse_struct_type,
182 	&ng_ubt_node_stat_type_fields
183 };
184 
185 /* Netgraph node command list */
186 static const struct ng_cmdlist			ng_ubt_cmdlist[] =
187 {
188 	{
189 		NGM_UBT_COOKIE,
190 		NGM_UBT_NODE_SET_DEBUG,
191 		"set_debug",
192 		&ng_parse_uint16_type,
193 		NULL
194 	},
195 	{
196 		NGM_UBT_COOKIE,
197 		NGM_UBT_NODE_GET_DEBUG,
198 		"get_debug",
199 		NULL,
200 		&ng_parse_uint16_type
201 	},
202 	{
203 		NGM_UBT_COOKIE,
204 		NGM_UBT_NODE_SET_QLEN,
205 		"set_qlen",
206 		&ng_ubt_node_qlen_type,
207 		NULL
208 	},
209 	{
210 		NGM_UBT_COOKIE,
211 		NGM_UBT_NODE_GET_QLEN,
212 		"get_qlen",
213 		&ng_ubt_node_qlen_type,
214 		&ng_ubt_node_qlen_type
215 	},
216 	{
217 		NGM_UBT_COOKIE,
218 		NGM_UBT_NODE_GET_STAT,
219 		"get_stat",
220 		NULL,
221 		&ng_ubt_node_stat_type
222 	},
223 	{
224 		NGM_UBT_COOKIE,
225 		NGM_UBT_NODE_RESET_STAT,
226 		"reset_stat",
227 		NULL,
228 		NULL
229 	},
230 	{ 0, }
231 };
232 
233 /* Netgraph node type */
234 static struct ng_type	typestruct =
235 {
236 	.version = 	NG_ABI_VERSION,
237 	.name =		NG_UBT_NODE_TYPE,
238 	.constructor =	ng_ubt_constructor,
239 	.rcvmsg =	ng_ubt_rcvmsg,
240 	.shutdown =	ng_ubt_shutdown,
241 	.newhook =	ng_ubt_newhook,
242 	.connect =	ng_ubt_connect,
243 	.rcvdata =	ng_ubt_rcvdata,
244 	.disconnect =	ng_ubt_disconnect,
245 	.cmdlist =	ng_ubt_cmdlist
246 };
247 
248 /****************************************************************************
249  ****************************************************************************
250  **                              USB specific
251  ****************************************************************************
252  ****************************************************************************/
253 
254 /* USB methods */
255 static usb_callback_t	ubt_probe_intr_callback;
256 static usb_callback_t	ubt_ctrl_write_callback;
257 static usb_callback_t	ubt_intr_read_callback;
258 static usb_callback_t	ubt_bulk_read_callback;
259 static usb_callback_t	ubt_bulk_write_callback;
260 static usb_callback_t	ubt_isoc_read_callback;
261 static usb_callback_t	ubt_isoc_write_callback;
262 
263 static int		ubt_fwd_mbuf_up(ubt_softc_p, struct mbuf **);
264 static int		ubt_isoc_read_one_frame(struct usb_xfer *, int);
265 
266 /*
267  * USB config
268  *
269  * The following desribes usb transfers that could be submitted on USB device.
270  *
271  * Interface 0 on the USB device must present the following endpoints
272  *	1) Interrupt endpoint to receive HCI events
273  *	2) Bulk IN endpoint to receive ACL data
274  *	3) Bulk OUT endpoint to send ACL data
275  *
276  * Interface 1 on the USB device must present the following endpoints
277  *	1) Isochronous IN endpoint to receive SCO data
278  *	2) Isochronous OUT endpoint to send SCO data
279  */
280 
281 static const struct usb_config		ubt_config[UBT_N_TRANSFER] =
282 {
283 	/*
284 	 * Interface #0
285  	 */
286 
287 	/* Outgoing bulk transfer - ACL packets */
288 	[UBT_IF_0_BULK_DT_WR] = {
289 		.type =		UE_BULK,
290 		.endpoint =	UE_ADDR_ANY,
291 		.direction =	UE_DIR_OUT,
292 		.if_index = 	0,
293 		.bufsize =	UBT_BULK_WRITE_BUFFER_SIZE,
294 		.flags =	{ .pipe_bof = 1, .force_short_xfer = 1, },
295 		.callback =	&ubt_bulk_write_callback,
296 	},
297 	/* Incoming bulk transfer - ACL packets */
298 	[UBT_IF_0_BULK_DT_RD] = {
299 		.type =		UE_BULK,
300 		.endpoint =	UE_ADDR_ANY,
301 		.direction =	UE_DIR_IN,
302 		.if_index = 	0,
303 		.bufsize =	UBT_BULK_READ_BUFFER_SIZE,
304 		.flags =	{ .pipe_bof = 1, .short_xfer_ok = 1, },
305 		.callback =	&ubt_bulk_read_callback,
306 	},
307 	/* Incoming interrupt transfer - HCI events */
308 	[UBT_IF_0_INTR_DT_RD] = {
309 		.type =		UE_INTERRUPT,
310 		.endpoint =	UE_ADDR_ANY,
311 		.direction =	UE_DIR_IN,
312 		.if_index = 	0,
313 		.flags =	{ .pipe_bof = 1, .short_xfer_ok = 1, },
314 		.bufsize =	UBT_INTR_BUFFER_SIZE,
315 		.callback =	&ubt_intr_read_callback,
316 	},
317 	/* Outgoing control transfer - HCI commands */
318 	[UBT_IF_0_CTRL_DT_WR] = {
319 		.type =		UE_CONTROL,
320 		.endpoint =	0x00,	/* control pipe */
321 		.direction =	UE_DIR_ANY,
322 		.if_index = 	0,
323 		.bufsize =	UBT_CTRL_BUFFER_SIZE,
324 		.callback =	&ubt_ctrl_write_callback,
325 		.timeout =	5000,	/* 5 seconds */
326 	},
327 
328 	/*
329 	 * Interface #1
330  	 */
331 
332 	/* Incoming isochronous transfer #1 - SCO packets */
333 	[UBT_IF_1_ISOC_DT_RD1] = {
334 		.type =		UE_ISOCHRONOUS,
335 		.endpoint =	UE_ADDR_ANY,
336 		.direction =	UE_DIR_IN,
337 		.if_index = 	1,
338 		.bufsize =	0,	/* use "wMaxPacketSize * frames" */
339 		.frames =	UBT_ISOC_NFRAMES,
340 		.flags =	{ .short_xfer_ok = 1, },
341 		.callback =	&ubt_isoc_read_callback,
342 	},
343 	/* Incoming isochronous transfer #2 - SCO packets */
344 	[UBT_IF_1_ISOC_DT_RD2] = {
345 		.type =		UE_ISOCHRONOUS,
346 		.endpoint =	UE_ADDR_ANY,
347 		.direction =	UE_DIR_IN,
348 		.if_index = 	1,
349 		.bufsize =	0,	/* use "wMaxPacketSize * frames" */
350 		.frames =	UBT_ISOC_NFRAMES,
351 		.flags =	{ .short_xfer_ok = 1, },
352 		.callback =	&ubt_isoc_read_callback,
353 	},
354 	/* Outgoing isochronous transfer #1 - SCO packets */
355 	[UBT_IF_1_ISOC_DT_WR1] = {
356 		.type =		UE_ISOCHRONOUS,
357 		.endpoint =	UE_ADDR_ANY,
358 		.direction =	UE_DIR_OUT,
359 		.if_index = 	1,
360 		.bufsize =	0,	/* use "wMaxPacketSize * frames" */
361 		.frames =	UBT_ISOC_NFRAMES,
362 		.flags =	{ .short_xfer_ok = 1, },
363 		.callback =	&ubt_isoc_write_callback,
364 	},
365 	/* Outgoing isochronous transfer #2 - SCO packets */
366 	[UBT_IF_1_ISOC_DT_WR2] = {
367 		.type =		UE_ISOCHRONOUS,
368 		.endpoint =	UE_ADDR_ANY,
369 		.direction =	UE_DIR_OUT,
370 		.if_index = 	1,
371 		.bufsize =	0,	/* use "wMaxPacketSize * frames" */
372 		.frames =	UBT_ISOC_NFRAMES,
373 		.flags =	{ .short_xfer_ok = 1, },
374 		.callback =	&ubt_isoc_write_callback,
375 	},
376 };
377 
378 /*
379  * If for some reason device should not be attached then put
380  * VendorID/ProductID pair into the list below. The format is
381  * as follows:
382  *
383  *	{ USB_VPI(VENDOR_ID, PRODUCT_ID, 0) },
384  *
385  * where VENDOR_ID and PRODUCT_ID are hex numbers.
386  */
387 
388 static const STRUCT_USB_HOST_ID ubt_ignore_devs[] =
389 {
390 	/* AVM USB Bluetooth-Adapter BlueFritz! v1.0 */
391 	{ USB_VPI(USB_VENDOR_AVM, 0x2200, 0) },
392 
393 	/* Atheros 3011 with sflash firmware */
394 	{ USB_VPI(0x0cf3, 0x3002, 0) },
395 	{ USB_VPI(0x0cf3, 0xe019, 0) },
396 	{ USB_VPI(0x13d3, 0x3304, 0) },
397 	{ USB_VPI(0x0930, 0x0215, 0) },
398 	{ USB_VPI(0x0489, 0xe03d, 0) },
399 	{ USB_VPI(0x0489, 0xe027, 0) },
400 
401 	/* Atheros AR9285 Malbec with sflash firmware */
402 	{ USB_VPI(0x03f0, 0x311d, 0) },
403 
404 	/* Atheros 3012 with sflash firmware */
405 	{ USB_VPI(0x0cf3, 0x3004, 0), USB_DEV_BCD_LTEQ(1) },
406 	{ USB_VPI(0x0cf3, 0x311d, 0), USB_DEV_BCD_LTEQ(1) },
407 	{ USB_VPI(0x13d3, 0x3375, 0), USB_DEV_BCD_LTEQ(1) },
408 	{ USB_VPI(0x04ca, 0x3005, 0), USB_DEV_BCD_LTEQ(1) },
409 	{ USB_VPI(0x04ca, 0x3006, 0), USB_DEV_BCD_LTEQ(1) },
410 	{ USB_VPI(0x04ca, 0x3008, 0), USB_DEV_BCD_LTEQ(1) },
411 	{ USB_VPI(0x13d3, 0x3362, 0), USB_DEV_BCD_LTEQ(1) },
412 	{ USB_VPI(0x0cf3, 0xe004, 0), USB_DEV_BCD_LTEQ(1) },
413 	{ USB_VPI(0x0930, 0x0219, 0), USB_DEV_BCD_LTEQ(1) },
414 	{ USB_VPI(0x0489, 0xe057, 0), USB_DEV_BCD_LTEQ(1) },
415 	{ USB_VPI(0x13d3, 0x3393, 0), USB_DEV_BCD_LTEQ(1) },
416 	{ USB_VPI(0x0489, 0xe04e, 0), USB_DEV_BCD_LTEQ(1) },
417 	{ USB_VPI(0x0489, 0xe056, 0), USB_DEV_BCD_LTEQ(1) },
418 
419 	/* Atheros AR5BBU12 with sflash firmware */
420 	{ USB_VPI(0x0489, 0xe02c, 0), USB_DEV_BCD_LTEQ(1) },
421 
422 	/* Atheros AR5BBU12 with sflash firmware */
423 	{ USB_VPI(0x0489, 0xe03c, 0), USB_DEV_BCD_LTEQ(1) },
424 	{ USB_VPI(0x0489, 0xe036, 0), USB_DEV_BCD_LTEQ(1) },
425 
426 	/* Intel Wireless 8260 and successors are handled in ng_ubt_intel.c */
427 	{ USB_VPI(USB_VENDOR_INTEL2, 0x0a2b, 0) },
428 	{ USB_VPI(USB_VENDOR_INTEL2, 0x0aaa, 0) },
429 	{ USB_VPI(USB_VENDOR_INTEL2, 0x0025, 0) },
430 	{ USB_VPI(USB_VENDOR_INTEL2, 0x0026, 0) },
431 	{ USB_VPI(USB_VENDOR_INTEL2, 0x0029, 0) },
432 };
433 
434 /* List of supported bluetooth devices */
435 static const STRUCT_USB_HOST_ID ubt_devs[] =
436 {
437 	/* Generic Bluetooth class devices */
438 	{ USB_IFACE_CLASS(UDCLASS_WIRELESS),
439 	  USB_IFACE_SUBCLASS(UDSUBCLASS_RF),
440 	  USB_IFACE_PROTOCOL(UDPROTO_BLUETOOTH) },
441 
442 	/* AVM USB Bluetooth-Adapter BlueFritz! v2.0 */
443 	{ USB_VPI(USB_VENDOR_AVM, 0x3800, 0) },
444 
445 	/* Broadcom USB dongles, mostly BCM20702 and BCM20702A0 */
446 	{ USB_VENDOR(USB_VENDOR_BROADCOM),
447 	  USB_IFACE_CLASS(UICLASS_VENDOR),
448 	  USB_IFACE_SUBCLASS(UDSUBCLASS_RF),
449 	  USB_IFACE_PROTOCOL(UDPROTO_BLUETOOTH) },
450 
451 	/* Apple-specific (Broadcom) devices */
452 	{ USB_VENDOR(USB_VENDOR_APPLE),
453 	  USB_IFACE_CLASS(UICLASS_VENDOR),
454 	  USB_IFACE_SUBCLASS(UDSUBCLASS_RF),
455 	  USB_IFACE_PROTOCOL(UDPROTO_BLUETOOTH) },
456 
457 	/* Foxconn - Hon Hai */
458 	{ USB_VENDOR(USB_VENDOR_FOXCONN),
459 	  USB_IFACE_CLASS(UICLASS_VENDOR),
460 	  USB_IFACE_SUBCLASS(UDSUBCLASS_RF),
461 	  USB_IFACE_PROTOCOL(UDPROTO_BLUETOOTH) },
462 
463 	/* MediaTek MT76x0E */
464 	{ USB_VPI(USB_VENDOR_MEDIATEK, 0x763f, 0) },
465 
466 	/* Broadcom SoftSailing reporting vendor specific */
467 	{ USB_VPI(USB_VENDOR_BROADCOM, 0x21e1, 0) },
468 
469 	/* Apple MacBookPro 7,1 */
470 	{ USB_VPI(USB_VENDOR_APPLE, 0x8213, 0) },
471 
472 	/* Apple iMac11,1 */
473 	{ USB_VPI(USB_VENDOR_APPLE, 0x8215, 0) },
474 
475 	/* Apple MacBookPro6,2 */
476 	{ USB_VPI(USB_VENDOR_APPLE, 0x8218, 0) },
477 
478 	/* Apple MacBookAir3,1, MacBookAir3,2 */
479 	{ USB_VPI(USB_VENDOR_APPLE, 0x821b, 0) },
480 
481 	/* Apple MacBookAir4,1 */
482 	{ USB_VPI(USB_VENDOR_APPLE, 0x821f, 0) },
483 
484 	/* MacBookAir6,1 */
485 	{ USB_VPI(USB_VENDOR_APPLE, 0x828f, 0) },
486 
487 	/* Apple MacBookPro8,2 */
488 	{ USB_VPI(USB_VENDOR_APPLE, 0x821a, 0) },
489 
490 	/* Apple MacMini5,1 */
491 	{ USB_VPI(USB_VENDOR_APPLE, 0x8281, 0) },
492 
493 	/* Bluetooth Ultraport Module from IBM */
494 	{ USB_VPI(USB_VENDOR_TDK, 0x030a, 0) },
495 
496 	/* ALPS Modules with non-standard ID */
497 	{ USB_VPI(USB_VENDOR_ALPS, 0x3001, 0) },
498 	{ USB_VPI(USB_VENDOR_ALPS, 0x3002, 0) },
499 
500 	{ USB_VPI(USB_VENDOR_ERICSSON2, 0x1002, 0) },
501 
502 	/* Canyon CN-BTU1 with HID interfaces */
503 	{ USB_VPI(USB_VENDOR_CANYON, 0x0000, 0) },
504 
505 	/* Broadcom BCM20702A0 */
506 	{ USB_VPI(USB_VENDOR_ASUS, 0x17b5, 0) },
507 	{ USB_VPI(USB_VENDOR_ASUS, 0x17cb, 0) },
508 	{ USB_VPI(USB_VENDOR_LITEON, 0x2003, 0) },
509 	{ USB_VPI(USB_VENDOR_FOXCONN, 0xe042, 0) },
510 	{ USB_VPI(USB_VENDOR_DELL, 0x8197, 0) },
511 };
512 
513 /*
514  * Does a synchronous (waits for completion event) execution of HCI command.
515  * Size of both command and response buffers are passed in length field of
516  * corresponding structures in "Parameter Total Length" format i.e.
517  * not including HCI packet headers.
518  *
519  * Must not be used after USB transfers have been configured in attach routine.
520  */
521 
522 usb_error_t
523 ubt_do_hci_request(struct usb_device *udev, struct ubt_hci_cmd *cmd,
524     void *evt, usb_timeout_t timeout)
525 {
526 	static const struct usb_config ubt_probe_config = {
527 		.type = UE_INTERRUPT,
528 		.endpoint = UE_ADDR_ANY,
529 		.direction = UE_DIR_IN,
530 		.flags = { .pipe_bof = 1, .short_xfer_ok = 1 },
531 		.bufsize = UBT_INTR_BUFFER_SIZE,
532 		.callback = &ubt_probe_intr_callback,
533 	};
534 	struct usb_device_request req;
535 	struct usb_xfer *xfer[1];
536 	struct mtx mtx;
537 	usb_error_t error = USB_ERR_NORMAL_COMPLETION;
538 	uint8_t iface_index = 0;
539 
540 	/* Initialize a USB control request and then do it */
541 	bzero(&req, sizeof(req));
542 	req.bmRequestType = UBT_HCI_REQUEST;
543 	req.wIndex[0] = iface_index;
544 	USETW(req.wLength, UBT_HCI_CMD_SIZE(cmd));
545 
546 	error = usbd_do_request(udev, NULL, &req, cmd);
547 	if (error != USB_ERR_NORMAL_COMPLETION) {
548 		printf("ng_ubt: usbd_do_request error=%s\n",
549 			usbd_errstr(error));
550 		return (error);
551 	}
552 
553 	if (evt == NULL)
554 		return (USB_ERR_NORMAL_COMPLETION);
555 
556 	/* Initialize INTR endpoint xfer and wait for response */
557 	mtx_init(&mtx, "ubt pb", NULL, MTX_DEF | MTX_NEW);
558 
559 	error = usbd_transfer_setup(udev, &iface_index, xfer,
560 	    &ubt_probe_config, 1, evt, &mtx);
561 	if (error == USB_ERR_NORMAL_COMPLETION) {
562 
563 		mtx_lock(&mtx);
564 		usbd_transfer_start(*xfer);
565 
566 		if (msleep_sbt(evt, &mtx, 0, "ubt pb", SBT_1MS * timeout,
567 				0, C_HARDCLOCK) == EWOULDBLOCK) {
568 			printf("ng_ubt: HCI command 0x%04x timed out\n",
569 				le16toh(cmd->opcode));
570 			error = USB_ERR_TIMEOUT;
571 		}
572 
573 		usbd_transfer_stop(*xfer);
574 		mtx_unlock(&mtx);
575 
576 		usbd_transfer_unsetup(xfer, 1);
577 	} else
578 		printf("ng_ubt: usbd_transfer_setup error=%s\n",
579 			usbd_errstr(error));
580 
581 	mtx_destroy(&mtx);
582 
583 	return (error);
584 }
585 
586 /*
587  * Probe for a USB Bluetooth device.
588  * USB context.
589  */
590 
591 static int
592 ubt_probe(device_t dev)
593 {
594 	struct usb_attach_arg	*uaa = device_get_ivars(dev);
595 	int error;
596 
597 	if (uaa->usb_mode != USB_MODE_HOST)
598 		return (ENXIO);
599 
600 	if (uaa->info.bIfaceIndex != 0)
601 		return (ENXIO);
602 
603 	if (usbd_lookup_id_by_uaa(ubt_ignore_devs,
604 			sizeof(ubt_ignore_devs), uaa) == 0)
605 		return (ENXIO);
606 
607 	error = usbd_lookup_id_by_uaa(ubt_devs, sizeof(ubt_devs), uaa);
608 	if (error == 0)
609 		return (BUS_PROBE_GENERIC);
610 	return (error);
611 } /* ubt_probe */
612 
613 /*
614  * Attach the device.
615  * USB context.
616  */
617 
618 static int
619 ubt_attach(device_t dev)
620 {
621 	struct usb_attach_arg		*uaa = device_get_ivars(dev);
622 	struct ubt_softc		*sc = device_get_softc(dev);
623 	struct usb_endpoint_descriptor	*ed;
624 	struct usb_interface_descriptor *id;
625 	struct usb_interface		*iface;
626 	uint32_t			wMaxPacketSize;
627 	uint8_t				alt_index, i, j;
628 	uint8_t				iface_index[2] = { 0, 1 };
629 
630 	device_set_usb_desc(dev);
631 
632 	sc->sc_dev = dev;
633 	sc->sc_debug = NG_UBT_WARN_LEVEL;
634 
635 	/*
636 	 * Create Netgraph node
637 	 */
638 
639 	if (ng_make_node_common(&typestruct, &sc->sc_node) != 0) {
640 		UBT_ALERT(sc, "could not create Netgraph node\n");
641 		return (ENXIO);
642 	}
643 
644 	/* Name Netgraph node */
645 	if (ng_name_node(sc->sc_node, device_get_nameunit(dev)) != 0) {
646 		UBT_ALERT(sc, "could not name Netgraph node\n");
647 		NG_NODE_UNREF(sc->sc_node);
648 		return (ENXIO);
649 	}
650 	NG_NODE_SET_PRIVATE(sc->sc_node, sc);
651 	NG_NODE_FORCE_WRITER(sc->sc_node);
652 
653 	/*
654 	 * Initialize device softc structure
655 	 */
656 
657 	/* initialize locks */
658 	mtx_init(&sc->sc_ng_mtx, "ubt ng", NULL, MTX_DEF);
659 	mtx_init(&sc->sc_if_mtx, "ubt if", NULL, MTX_DEF | MTX_RECURSE);
660 
661 	/* initialize packet queues */
662 	NG_BT_MBUFQ_INIT(&sc->sc_cmdq, UBT_DEFAULT_QLEN);
663 	NG_BT_MBUFQ_INIT(&sc->sc_aclq, UBT_DEFAULT_QLEN);
664 	NG_BT_MBUFQ_INIT(&sc->sc_scoq, UBT_DEFAULT_QLEN);
665 
666 	/* initialize glue task */
667 	TASK_INIT(&sc->sc_task, 0, ubt_task, sc);
668 
669 	/*
670 	 * Configure Bluetooth USB device. Discover all required USB
671 	 * interfaces and endpoints.
672 	 *
673 	 * USB device must present two interfaces:
674 	 * 1) Interface 0 that has 3 endpoints
675 	 *	1) Interrupt endpoint to receive HCI events
676 	 *	2) Bulk IN endpoint to receive ACL data
677 	 *	3) Bulk OUT endpoint to send ACL data
678 	 *
679 	 * 2) Interface 1 then has 2 endpoints
680 	 *	1) Isochronous IN endpoint to receive SCO data
681  	 *	2) Isochronous OUT endpoint to send SCO data
682 	 *
683 	 * Interface 1 (with isochronous endpoints) has several alternate
684 	 * configurations with different packet size.
685 	 */
686 
687 	/*
688 	 * For interface #1 search alternate settings, and find
689 	 * the descriptor with the largest wMaxPacketSize
690 	 */
691 
692 	wMaxPacketSize = 0;
693 	alt_index = 0;
694 	i = 0;
695 	j = 0;
696 	ed = NULL;
697 
698 	/*
699 	 * Search through all the descriptors looking for the largest
700 	 * packet size:
701 	 */
702 	while ((ed = (struct usb_endpoint_descriptor *)usb_desc_foreach(
703 	    usbd_get_config_descriptor(uaa->device),
704 	    (struct usb_descriptor *)ed))) {
705 
706 		if ((ed->bDescriptorType == UDESC_INTERFACE) &&
707 		    (ed->bLength >= sizeof(*id))) {
708 			id = (struct usb_interface_descriptor *)ed;
709 			i = id->bInterfaceNumber;
710 			j = id->bAlternateSetting;
711 		}
712 
713 		if ((ed->bDescriptorType == UDESC_ENDPOINT) &&
714 		    (ed->bLength >= sizeof(*ed)) &&
715 		    (i == 1)) {
716 			uint32_t temp;
717 
718 			temp = usbd_get_max_frame_length(
719 			    ed, NULL, usbd_get_speed(uaa->device));
720 			if (temp > wMaxPacketSize) {
721 				wMaxPacketSize = temp;
722 				alt_index = j;
723 			}
724 		}
725 	}
726 
727 	/* Set alt configuration on interface #1 only if we found it */
728 	if (wMaxPacketSize > 0 &&
729 	    usbd_set_alt_interface_index(uaa->device, 1, alt_index)) {
730 		UBT_ALERT(sc, "could not set alternate setting %d " \
731 			"for interface 1!\n", alt_index);
732 		goto detach;
733 	}
734 
735 	/* Setup transfers for both interfaces */
736 	if (usbd_transfer_setup(uaa->device, iface_index, sc->sc_xfer,
737 			ubt_config, UBT_N_TRANSFER, sc, &sc->sc_if_mtx)) {
738 		UBT_ALERT(sc, "could not allocate transfers\n");
739 		goto detach;
740 	}
741 
742 	/* Claim all interfaces belonging to the Bluetooth part */
743 	for (i = 1;; i++) {
744 		iface = usbd_get_iface(uaa->device, i);
745 		if (iface == NULL)
746 			break;
747 		id = usbd_get_interface_descriptor(iface);
748 
749 		if ((id != NULL) &&
750 		    (id->bInterfaceClass == UICLASS_WIRELESS) &&
751 		    (id->bInterfaceSubClass == UISUBCLASS_RF) &&
752 		    (id->bInterfaceProtocol == UIPROTO_BLUETOOTH)) {
753 			usbd_set_parent_iface(uaa->device, i,
754 			    uaa->info.bIfaceIndex);
755 		}
756 	}
757 	return (0); /* success */
758 
759 detach:
760 	ubt_detach(dev);
761 
762 	return (ENXIO);
763 } /* ubt_attach */
764 
765 /*
766  * Detach the device.
767  * USB context.
768  */
769 
770 int
771 ubt_detach(device_t dev)
772 {
773 	struct ubt_softc	*sc = device_get_softc(dev);
774 	node_p			node = sc->sc_node;
775 
776 	/* Destroy Netgraph node */
777 	if (node != NULL) {
778 		sc->sc_node = NULL;
779 		NG_NODE_REALLY_DIE(node);
780 		ng_rmnode_self(node);
781 	}
782 
783 	/* Make sure ubt_task in gone */
784 	taskqueue_drain(taskqueue_swi, &sc->sc_task);
785 
786 	/* Free USB transfers, if any */
787 	usbd_transfer_unsetup(sc->sc_xfer, UBT_N_TRANSFER);
788 
789 	/* Destroy queues */
790 	UBT_NG_LOCK(sc);
791 	NG_BT_MBUFQ_DESTROY(&sc->sc_cmdq);
792 	NG_BT_MBUFQ_DESTROY(&sc->sc_aclq);
793 	NG_BT_MBUFQ_DESTROY(&sc->sc_scoq);
794 	UBT_NG_UNLOCK(sc);
795 
796 	mtx_destroy(&sc->sc_if_mtx);
797 	mtx_destroy(&sc->sc_ng_mtx);
798 
799 	return (0);
800 } /* ubt_detach */
801 
802 /*
803  * Called when incoming interrupt transfer (HCI event) has completed, i.e.
804  * HCI event was received from the device during device probe stage.
805  * USB context.
806  */
807 
808 static void
809 ubt_probe_intr_callback(struct usb_xfer *xfer, usb_error_t error)
810 {
811 	struct ubt_hci_event	*evt = usbd_xfer_softc(xfer);
812 	struct usb_page_cache	*pc;
813 	int			actlen;
814 
815 	usbd_xfer_status(xfer, &actlen, NULL, NULL, NULL);
816 
817 	switch (USB_GET_STATE(xfer)) {
818 	case USB_ST_TRANSFERRED:
819 		if (actlen > UBT_HCI_EVENT_SIZE(evt))
820 			actlen = UBT_HCI_EVENT_SIZE(evt);
821 		pc = usbd_xfer_get_frame(xfer, 0);
822 		usbd_copy_out(pc, 0, evt, actlen);
823 		/* OneShot mode */
824 		wakeup(evt);
825 		break;
826 
827         case USB_ST_SETUP:
828 submit_next:
829 		/* Try clear stall first */
830 		usbd_xfer_set_stall(xfer);
831 		usbd_xfer_set_frame_len(xfer, 0, usbd_xfer_max_len(xfer));
832 		usbd_transfer_submit(xfer);
833 		break;
834 
835 	default:
836 		if (error != USB_ERR_CANCELLED) {
837 			printf("ng_ubt: interrupt transfer failed: %s\n",
838 				usbd_errstr(error));
839 			goto submit_next;
840 		}
841 		break;
842 	}
843 } /* ubt_probe_intr_callback */
844 
845 /*
846  * Called when outgoing control request (HCI command) has completed, i.e.
847  * HCI command was sent to the device.
848  * USB context.
849  */
850 
851 static void
852 ubt_ctrl_write_callback(struct usb_xfer *xfer, usb_error_t error)
853 {
854 	struct ubt_softc		*sc = usbd_xfer_softc(xfer);
855 	struct usb_device_request	req;
856 	struct mbuf			*m;
857 	struct usb_page_cache		*pc;
858 	int				actlen;
859 
860 	usbd_xfer_status(xfer, &actlen, NULL, NULL, NULL);
861 
862 	switch (USB_GET_STATE(xfer)) {
863 	case USB_ST_TRANSFERRED:
864 		UBT_INFO(sc, "sent %d bytes to control pipe\n", actlen);
865 		UBT_STAT_BYTES_SENT(sc, actlen);
866 		UBT_STAT_PCKTS_SENT(sc);
867 		/* FALLTHROUGH */
868 
869 	case USB_ST_SETUP:
870 send_next:
871 		/* Get next command mbuf, if any */
872 		UBT_NG_LOCK(sc);
873 		NG_BT_MBUFQ_DEQUEUE(&sc->sc_cmdq, m);
874 		UBT_NG_UNLOCK(sc);
875 
876 		if (m == NULL) {
877 			UBT_INFO(sc, "HCI command queue is empty\n");
878 			break;	/* transfer complete */
879 		}
880 
881 		/* Initialize a USB control request and then schedule it */
882 		bzero(&req, sizeof(req));
883 		req.bmRequestType = UBT_HCI_REQUEST;
884 		USETW(req.wLength, m->m_pkthdr.len);
885 
886 		UBT_INFO(sc, "Sending control request, " \
887 			"bmRequestType=0x%02x, wLength=%d\n",
888 			req.bmRequestType, UGETW(req.wLength));
889 
890 		pc = usbd_xfer_get_frame(xfer, 0);
891 		usbd_copy_in(pc, 0, &req, sizeof(req));
892 		pc = usbd_xfer_get_frame(xfer, 1);
893 		usbd_m_copy_in(pc, 0, m, 0, m->m_pkthdr.len);
894 
895 		usbd_xfer_set_frame_len(xfer, 0, sizeof(req));
896 		usbd_xfer_set_frame_len(xfer, 1, m->m_pkthdr.len);
897 		usbd_xfer_set_frames(xfer, 2);
898 
899 		NG_FREE_M(m);
900 
901 		usbd_transfer_submit(xfer);
902 		break;
903 
904 	default: /* Error */
905 		if (error != USB_ERR_CANCELLED) {
906 			UBT_WARN(sc, "control transfer failed: %s\n",
907 				usbd_errstr(error));
908 
909 			UBT_STAT_OERROR(sc);
910 			goto send_next;
911 		}
912 
913 		/* transfer cancelled */
914 		break;
915 	}
916 } /* ubt_ctrl_write_callback */
917 
918 /*
919  * Called when incoming interrupt transfer (HCI event) has completed, i.e.
920  * HCI event was received from the device.
921  * USB context.
922  */
923 
924 static void
925 ubt_intr_read_callback(struct usb_xfer *xfer, usb_error_t error)
926 {
927 	struct ubt_softc	*sc = usbd_xfer_softc(xfer);
928 	struct mbuf		*m;
929 	ng_hci_event_pkt_t	*hdr;
930 	struct usb_page_cache	*pc;
931 	int			actlen;
932 
933 	usbd_xfer_status(xfer, &actlen, NULL, NULL, NULL);
934 
935 	m = NULL;
936 
937 	switch (USB_GET_STATE(xfer)) {
938 	case USB_ST_TRANSFERRED:
939 		/* Allocate a new mbuf */
940 		MGETHDR(m, M_NOWAIT, MT_DATA);
941 		if (m == NULL) {
942 			UBT_STAT_IERROR(sc);
943 			goto submit_next;
944 		}
945 
946 		if (!(MCLGET(m, M_NOWAIT))) {
947 			UBT_STAT_IERROR(sc);
948 			goto submit_next;
949 		}
950 
951 		/* Add HCI packet type */
952 		*mtod(m, uint8_t *)= NG_HCI_EVENT_PKT;
953 		m->m_pkthdr.len = m->m_len = 1;
954 
955 		if (actlen > MCLBYTES - 1)
956 			actlen = MCLBYTES - 1;
957 
958 		pc = usbd_xfer_get_frame(xfer, 0);
959 		usbd_copy_out(pc, 0, mtod(m, uint8_t *) + 1, actlen);
960 		m->m_pkthdr.len += actlen;
961 		m->m_len += actlen;
962 
963 		UBT_INFO(sc, "got %d bytes from interrupt pipe\n",
964 			actlen);
965 
966 		/* Validate packet and send it up the stack */
967 		if (m->m_pkthdr.len < (int)sizeof(*hdr)) {
968 			UBT_INFO(sc, "HCI event packet is too short\n");
969 
970 			UBT_STAT_IERROR(sc);
971 			goto submit_next;
972 		}
973 
974 		hdr = mtod(m, ng_hci_event_pkt_t *);
975 		if (hdr->length != (m->m_pkthdr.len - sizeof(*hdr))) {
976 			UBT_ERR(sc, "Invalid HCI event packet size, " \
977 				"length=%d, pktlen=%d\n",
978 				hdr->length, m->m_pkthdr.len);
979 
980 			UBT_STAT_IERROR(sc);
981 			goto submit_next;
982 		}
983 
984 		UBT_INFO(sc, "got complete HCI event frame, pktlen=%d, " \
985 			"length=%d\n", m->m_pkthdr.len, hdr->length);
986 
987 		UBT_STAT_PCKTS_RECV(sc);
988 		UBT_STAT_BYTES_RECV(sc, m->m_pkthdr.len);
989 
990 		ubt_fwd_mbuf_up(sc, &m);
991 		/* m == NULL at this point */
992 		/* FALLTHROUGH */
993 
994 	case USB_ST_SETUP:
995 submit_next:
996 		NG_FREE_M(m); /* checks for m != NULL */
997 
998 		usbd_xfer_set_frame_len(xfer, 0, usbd_xfer_max_len(xfer));
999 		usbd_transfer_submit(xfer);
1000 		break;
1001 
1002 	default: /* Error */
1003 		if (error != USB_ERR_CANCELLED) {
1004 			UBT_WARN(sc, "interrupt transfer failed: %s\n",
1005 				usbd_errstr(error));
1006 
1007 			/* Try to clear stall first */
1008 			usbd_xfer_set_stall(xfer);
1009 			goto submit_next;
1010 		}
1011 			/* transfer cancelled */
1012 		break;
1013 	}
1014 } /* ubt_intr_read_callback */
1015 
1016 /*
1017  * Called when incoming bulk transfer (ACL packet) has completed, i.e.
1018  * ACL packet was received from the device.
1019  * USB context.
1020  */
1021 
1022 static void
1023 ubt_bulk_read_callback(struct usb_xfer *xfer, usb_error_t error)
1024 {
1025 	struct ubt_softc	*sc = usbd_xfer_softc(xfer);
1026 	struct mbuf		*m;
1027 	ng_hci_acldata_pkt_t	*hdr;
1028 	struct usb_page_cache	*pc;
1029 	int len;
1030 	int actlen;
1031 
1032 	usbd_xfer_status(xfer, &actlen, NULL, NULL, NULL);
1033 
1034 	m = NULL;
1035 
1036 	switch (USB_GET_STATE(xfer)) {
1037 	case USB_ST_TRANSFERRED:
1038 		/* Allocate new mbuf */
1039 		MGETHDR(m, M_NOWAIT, MT_DATA);
1040 		if (m == NULL) {
1041 			UBT_STAT_IERROR(sc);
1042 			goto submit_next;
1043 		}
1044 
1045 		if (!(MCLGET(m, M_NOWAIT))) {
1046 			UBT_STAT_IERROR(sc);
1047 			goto submit_next;
1048 		}
1049 
1050 		/* Add HCI packet type */
1051 		*mtod(m, uint8_t *)= NG_HCI_ACL_DATA_PKT;
1052 		m->m_pkthdr.len = m->m_len = 1;
1053 
1054 		if (actlen > MCLBYTES - 1)
1055 			actlen = MCLBYTES - 1;
1056 
1057 		pc = usbd_xfer_get_frame(xfer, 0);
1058 		usbd_copy_out(pc, 0, mtod(m, uint8_t *) + 1, actlen);
1059 		m->m_pkthdr.len += actlen;
1060 		m->m_len += actlen;
1061 
1062 		UBT_INFO(sc, "got %d bytes from bulk-in pipe\n",
1063 			actlen);
1064 
1065 		/* Validate packet and send it up the stack */
1066 		if (m->m_pkthdr.len < (int)sizeof(*hdr)) {
1067 			UBT_INFO(sc, "HCI ACL packet is too short\n");
1068 
1069 			UBT_STAT_IERROR(sc);
1070 			goto submit_next;
1071 		}
1072 
1073 		hdr = mtod(m, ng_hci_acldata_pkt_t *);
1074 		len = le16toh(hdr->length);
1075 		if (len != (int)(m->m_pkthdr.len - sizeof(*hdr))) {
1076 			UBT_ERR(sc, "Invalid ACL packet size, length=%d, " \
1077 				"pktlen=%d\n", len, m->m_pkthdr.len);
1078 
1079 			UBT_STAT_IERROR(sc);
1080 			goto submit_next;
1081 		}
1082 
1083 		UBT_INFO(sc, "got complete ACL data packet, pktlen=%d, " \
1084 			"length=%d\n", m->m_pkthdr.len, len);
1085 
1086 		UBT_STAT_PCKTS_RECV(sc);
1087 		UBT_STAT_BYTES_RECV(sc, m->m_pkthdr.len);
1088 
1089 		ubt_fwd_mbuf_up(sc, &m);
1090 		/* m == NULL at this point */
1091 		/* FALLTHOUGH */
1092 
1093 	case USB_ST_SETUP:
1094 submit_next:
1095 		NG_FREE_M(m); /* checks for m != NULL */
1096 
1097 		usbd_xfer_set_frame_len(xfer, 0, usbd_xfer_max_len(xfer));
1098 		usbd_transfer_submit(xfer);
1099 		break;
1100 
1101 	default: /* Error */
1102 		if (error != USB_ERR_CANCELLED) {
1103 			UBT_WARN(sc, "bulk-in transfer failed: %s\n",
1104 				usbd_errstr(error));
1105 
1106 			/* Try to clear stall first */
1107 			usbd_xfer_set_stall(xfer);
1108 			goto submit_next;
1109 		}
1110 			/* transfer cancelled */
1111 		break;
1112 	}
1113 } /* ubt_bulk_read_callback */
1114 
1115 /*
1116  * Called when outgoing bulk transfer (ACL packet) has completed, i.e.
1117  * ACL packet was sent to the device.
1118  * USB context.
1119  */
1120 
1121 static void
1122 ubt_bulk_write_callback(struct usb_xfer *xfer, usb_error_t error)
1123 {
1124 	struct ubt_softc	*sc = usbd_xfer_softc(xfer);
1125 	struct mbuf		*m;
1126 	struct usb_page_cache	*pc;
1127 	int			actlen;
1128 
1129 	usbd_xfer_status(xfer, &actlen, NULL, NULL, NULL);
1130 
1131 	switch (USB_GET_STATE(xfer)) {
1132 	case USB_ST_TRANSFERRED:
1133 		UBT_INFO(sc, "sent %d bytes to bulk-out pipe\n", actlen);
1134 		UBT_STAT_BYTES_SENT(sc, actlen);
1135 		UBT_STAT_PCKTS_SENT(sc);
1136 		/* FALLTHROUGH */
1137 
1138 	case USB_ST_SETUP:
1139 send_next:
1140 		/* Get next mbuf, if any */
1141 		UBT_NG_LOCK(sc);
1142 		NG_BT_MBUFQ_DEQUEUE(&sc->sc_aclq, m);
1143 		UBT_NG_UNLOCK(sc);
1144 
1145 		if (m == NULL) {
1146 			UBT_INFO(sc, "ACL data queue is empty\n");
1147 			break; /* transfer completed */
1148 		}
1149 
1150 		/*
1151 		 * Copy ACL data frame back to a linear USB transfer buffer
1152 		 * and schedule transfer
1153 		 */
1154 
1155 		pc = usbd_xfer_get_frame(xfer, 0);
1156 		usbd_m_copy_in(pc, 0, m, 0, m->m_pkthdr.len);
1157 		usbd_xfer_set_frame_len(xfer, 0, m->m_pkthdr.len);
1158 
1159 		UBT_INFO(sc, "bulk-out transfer has been started, len=%d\n",
1160 			m->m_pkthdr.len);
1161 
1162 		NG_FREE_M(m);
1163 
1164 		usbd_transfer_submit(xfer);
1165 		break;
1166 
1167 	default: /* Error */
1168 		if (error != USB_ERR_CANCELLED) {
1169 			UBT_WARN(sc, "bulk-out transfer failed: %s\n",
1170 				usbd_errstr(error));
1171 
1172 			UBT_STAT_OERROR(sc);
1173 
1174 			/* try to clear stall first */
1175 			usbd_xfer_set_stall(xfer);
1176 			goto send_next;
1177 		}
1178 			/* transfer cancelled */
1179 		break;
1180 	}
1181 } /* ubt_bulk_write_callback */
1182 
1183 /*
1184  * Called when incoming isoc transfer (SCO packet) has completed, i.e.
1185  * SCO packet was received from the device.
1186  * USB context.
1187  */
1188 
1189 static void
1190 ubt_isoc_read_callback(struct usb_xfer *xfer, usb_error_t error)
1191 {
1192 	struct ubt_softc	*sc = usbd_xfer_softc(xfer);
1193 	int			n;
1194 	int actlen, nframes;
1195 
1196 	usbd_xfer_status(xfer, &actlen, NULL, NULL, &nframes);
1197 
1198 	switch (USB_GET_STATE(xfer)) {
1199 	case USB_ST_TRANSFERRED:
1200 		for (n = 0; n < nframes; n ++)
1201 			if (ubt_isoc_read_one_frame(xfer, n) < 0)
1202 				break;
1203 		/* FALLTHROUGH */
1204 
1205 	case USB_ST_SETUP:
1206 read_next:
1207 		for (n = 0; n < nframes; n ++)
1208 			usbd_xfer_set_frame_len(xfer, n,
1209 			    usbd_xfer_max_framelen(xfer));
1210 
1211 		usbd_transfer_submit(xfer);
1212 		break;
1213 
1214 	default: /* Error */
1215                 if (error != USB_ERR_CANCELLED) {
1216                         UBT_STAT_IERROR(sc);
1217                         goto read_next;
1218                 }
1219 
1220 		/* transfer cancelled */
1221 		break;
1222 	}
1223 } /* ubt_isoc_read_callback */
1224 
1225 /*
1226  * Helper function. Called from ubt_isoc_read_callback() to read
1227  * SCO data from one frame.
1228  * USB context.
1229  */
1230 
1231 static int
1232 ubt_isoc_read_one_frame(struct usb_xfer *xfer, int frame_no)
1233 {
1234 	struct ubt_softc	*sc = usbd_xfer_softc(xfer);
1235 	struct usb_page_cache	*pc;
1236 	struct mbuf		*m;
1237 	int			len, want, got, total;
1238 
1239 	/* Get existing SCO reassembly buffer */
1240 	pc = usbd_xfer_get_frame(xfer, 0);
1241 	m = sc->sc_isoc_in_buffer;
1242 	total = usbd_xfer_frame_len(xfer, frame_no);
1243 
1244 	/* While we have data in the frame */
1245 	while (total > 0) {
1246 		if (m == NULL) {
1247 			/* Start new reassembly buffer */
1248 			MGETHDR(m, M_NOWAIT, MT_DATA);
1249 			if (m == NULL) {
1250 				UBT_STAT_IERROR(sc);
1251 				return (-1);	/* XXX out of sync! */
1252 			}
1253 
1254 			if (!(MCLGET(m, M_NOWAIT))) {
1255 				UBT_STAT_IERROR(sc);
1256 				NG_FREE_M(m);
1257 				return (-1);	/* XXX out of sync! */
1258 			}
1259 
1260 			/* Expect SCO header */
1261 			*mtod(m, uint8_t *) = NG_HCI_SCO_DATA_PKT;
1262 			m->m_pkthdr.len = m->m_len = got = 1;
1263 			want = sizeof(ng_hci_scodata_pkt_t);
1264 		} else {
1265 			/*
1266 			 * Check if we have SCO header and if so
1267 			 * adjust amount of data we want
1268 			 */
1269 			got = m->m_pkthdr.len;
1270 			want = sizeof(ng_hci_scodata_pkt_t);
1271 
1272 			if (got >= want)
1273 				want += mtod(m, ng_hci_scodata_pkt_t *)->length;
1274 		}
1275 
1276 		/* Append frame data to the SCO reassembly buffer */
1277 		len = total;
1278 		if (got + len > want)
1279 			len = want - got;
1280 
1281 		usbd_copy_out(pc, frame_no * usbd_xfer_max_framelen(xfer),
1282 			mtod(m, uint8_t *) + m->m_pkthdr.len, len);
1283 
1284 		m->m_pkthdr.len += len;
1285 		m->m_len += len;
1286 		total -= len;
1287 
1288 		/* Check if we got everything we wanted, if not - continue */
1289 		if (got != want)
1290 			continue;
1291 
1292 		/* If we got here then we got complete SCO frame */
1293 		UBT_INFO(sc, "got complete SCO data frame, pktlen=%d, " \
1294 			"length=%d\n", m->m_pkthdr.len,
1295 			mtod(m, ng_hci_scodata_pkt_t *)->length);
1296 
1297 		UBT_STAT_PCKTS_RECV(sc);
1298 		UBT_STAT_BYTES_RECV(sc, m->m_pkthdr.len);
1299 
1300 		ubt_fwd_mbuf_up(sc, &m);
1301 		/* m == NULL at this point */
1302 	}
1303 
1304 	/* Put SCO reassembly buffer back */
1305 	sc->sc_isoc_in_buffer = m;
1306 
1307 	return (0);
1308 } /* ubt_isoc_read_one_frame */
1309 
1310 /*
1311  * Called when outgoing isoc transfer (SCO packet) has completed, i.e.
1312  * SCO packet was sent to the device.
1313  * USB context.
1314  */
1315 
1316 static void
1317 ubt_isoc_write_callback(struct usb_xfer *xfer, usb_error_t error)
1318 {
1319 	struct ubt_softc	*sc = usbd_xfer_softc(xfer);
1320 	struct usb_page_cache	*pc;
1321 	struct mbuf		*m;
1322 	int			n, space, offset;
1323 	int			actlen, nframes;
1324 
1325 	usbd_xfer_status(xfer, &actlen, NULL, NULL, &nframes);
1326 	pc = usbd_xfer_get_frame(xfer, 0);
1327 
1328 	switch (USB_GET_STATE(xfer)) {
1329 	case USB_ST_TRANSFERRED:
1330 		UBT_INFO(sc, "sent %d bytes to isoc-out pipe\n", actlen);
1331 		UBT_STAT_BYTES_SENT(sc, actlen);
1332 		UBT_STAT_PCKTS_SENT(sc);
1333 		/* FALLTHROUGH */
1334 
1335 	case USB_ST_SETUP:
1336 send_next:
1337 		offset = 0;
1338 		space = usbd_xfer_max_framelen(xfer) * nframes;
1339 		m = NULL;
1340 
1341 		while (space > 0) {
1342 			if (m == NULL) {
1343 				UBT_NG_LOCK(sc);
1344 				NG_BT_MBUFQ_DEQUEUE(&sc->sc_scoq, m);
1345 				UBT_NG_UNLOCK(sc);
1346 
1347 				if (m == NULL)
1348 					break;
1349 			}
1350 
1351 			n = min(space, m->m_pkthdr.len);
1352 			if (n > 0) {
1353 				usbd_m_copy_in(pc, offset, m,0, n);
1354 				m_adj(m, n);
1355 
1356 				offset += n;
1357 				space -= n;
1358 			}
1359 
1360 			if (m->m_pkthdr.len == 0)
1361 				NG_FREE_M(m); /* sets m = NULL */
1362 		}
1363 
1364 		/* Put whatever is left from mbuf back on queue */
1365 		if (m != NULL) {
1366 			UBT_NG_LOCK(sc);
1367 			NG_BT_MBUFQ_PREPEND(&sc->sc_scoq, m);
1368 			UBT_NG_UNLOCK(sc);
1369 		}
1370 
1371 		/*
1372 		 * Calculate sizes for isoc frames.
1373 		 * Note that offset could be 0 at this point (i.e. we have
1374 		 * nothing to send). That is fine, as we have isoc. transfers
1375 		 * going in both directions all the time. In this case it
1376 		 * would be just empty isoc. transfer.
1377 		 */
1378 
1379 		for (n = 0; n < nframes; n ++) {
1380 			usbd_xfer_set_frame_len(xfer, n,
1381 			    min(offset, usbd_xfer_max_framelen(xfer)));
1382 			offset -= usbd_xfer_frame_len(xfer, n);
1383 		}
1384 
1385 		usbd_transfer_submit(xfer);
1386 		break;
1387 
1388 	default: /* Error */
1389 		if (error != USB_ERR_CANCELLED) {
1390 			UBT_STAT_OERROR(sc);
1391 			goto send_next;
1392 		}
1393 
1394 		/* transfer cancelled */
1395 		break;
1396 	}
1397 }
1398 
1399 /*
1400  * Utility function to forward provided mbuf upstream (i.e. up the stack).
1401  * Modifies value of the mbuf pointer (sets it to NULL).
1402  * Save to call from any context.
1403  */
1404 
1405 static int
1406 ubt_fwd_mbuf_up(ubt_softc_p sc, struct mbuf **m)
1407 {
1408 	hook_p	hook;
1409 	int	error;
1410 
1411 	/*
1412 	 * Close the race with Netgraph hook newhook/disconnect methods.
1413 	 * Save the hook pointer atomically. Two cases are possible:
1414 	 *
1415 	 * 1) The hook pointer is NULL. It means disconnect method got
1416 	 *    there first. In this case we are done.
1417 	 *
1418 	 * 2) The hook pointer is not NULL. It means that hook pointer
1419 	 *    could be either in valid or invalid (i.e. in the process
1420 	 *    of disconnect) state. In any case grab an extra reference
1421 	 *    to protect the hook pointer.
1422 	 *
1423 	 * It is ok to pass hook in invalid state to NG_SEND_DATA_ONLY() as
1424 	 * it checks for it. Drop extra reference after NG_SEND_DATA_ONLY().
1425 	 */
1426 
1427 	UBT_NG_LOCK(sc);
1428 	if ((hook = sc->sc_hook) != NULL)
1429 		NG_HOOK_REF(hook);
1430 	UBT_NG_UNLOCK(sc);
1431 
1432 	if (hook == NULL) {
1433 		NG_FREE_M(*m);
1434 		return (ENETDOWN);
1435 	}
1436 
1437 	NG_SEND_DATA_ONLY(error, hook, *m);
1438 	NG_HOOK_UNREF(hook);
1439 
1440 	if (error != 0)
1441 		UBT_STAT_IERROR(sc);
1442 
1443 	return (error);
1444 } /* ubt_fwd_mbuf_up */
1445 
1446 /****************************************************************************
1447  ****************************************************************************
1448  **                                 Glue
1449  ****************************************************************************
1450  ****************************************************************************/
1451 
1452 /*
1453  * Schedule glue task. Should be called with sc_ng_mtx held.
1454  * Netgraph context.
1455  */
1456 
1457 static void
1458 ubt_task_schedule(ubt_softc_p sc, int action)
1459 {
1460 	mtx_assert(&sc->sc_ng_mtx, MA_OWNED);
1461 
1462 	/*
1463 	 * Try to handle corner case when "start all" and "stop all"
1464 	 * actions can both be set before task is executed.
1465 	 *
1466 	 * The rules are
1467 	 *
1468 	 * sc_task_flags	action		new sc_task_flags
1469 	 * ------------------------------------------------------
1470 	 * 0			start		start
1471 	 * 0			stop		stop
1472 	 * start		start		start
1473 	 * start		stop		stop
1474 	 * stop			start		stop|start
1475 	 * stop			stop		stop
1476 	 * stop|start		start		stop|start
1477 	 * stop|start		stop		stop
1478 	 */
1479 
1480 	if (action != 0) {
1481 		if ((action & UBT_FLAG_T_STOP_ALL) != 0)
1482 			sc->sc_task_flags &= ~UBT_FLAG_T_START_ALL;
1483 
1484 		sc->sc_task_flags |= action;
1485 	}
1486 
1487 	if (sc->sc_task_flags & UBT_FLAG_T_PENDING)
1488 		return;
1489 
1490 	if (taskqueue_enqueue(taskqueue_swi, &sc->sc_task) == 0) {
1491 		sc->sc_task_flags |= UBT_FLAG_T_PENDING;
1492 		return;
1493 	}
1494 
1495 	/* XXX: i think this should never happen */
1496 } /* ubt_task_schedule */
1497 
1498 /*
1499  * Glue task. Examines sc_task_flags and does things depending on it.
1500  * Taskqueue context.
1501  */
1502 
1503 static void
1504 ubt_task(void *context, int pending)
1505 {
1506 	ubt_softc_p	sc = context;
1507 	int		task_flags, i;
1508 
1509 	UBT_NG_LOCK(sc);
1510 	task_flags = sc->sc_task_flags;
1511 	sc->sc_task_flags = 0;
1512 	UBT_NG_UNLOCK(sc);
1513 
1514 	/*
1515 	 * Stop all USB transfers synchronously.
1516 	 * Stop interface #0 and #1 transfers at the same time and in the
1517 	 * same loop. usbd_transfer_drain() will do appropriate locking.
1518 	 */
1519 
1520 	if (task_flags & UBT_FLAG_T_STOP_ALL)
1521 		for (i = 0; i < UBT_N_TRANSFER; i ++)
1522 			usbd_transfer_drain(sc->sc_xfer[i]);
1523 
1524 	/* Start incoming interrupt and bulk, and all isoc. USB transfers */
1525 	if (task_flags & UBT_FLAG_T_START_ALL) {
1526 		/*
1527 		 * Interface #0
1528 		 */
1529 
1530 		mtx_lock(&sc->sc_if_mtx);
1531 
1532 		ubt_xfer_start(sc, UBT_IF_0_INTR_DT_RD);
1533 		ubt_xfer_start(sc, UBT_IF_0_BULK_DT_RD);
1534 
1535 		/*
1536 		 * Interface #1
1537 		 * Start both read and write isoc. transfers by default.
1538 		 * Get them going all the time even if we have nothing
1539 		 * to send to avoid any delays.
1540 		 */
1541 
1542 		ubt_xfer_start(sc, UBT_IF_1_ISOC_DT_RD1);
1543 		ubt_xfer_start(sc, UBT_IF_1_ISOC_DT_RD2);
1544 		ubt_xfer_start(sc, UBT_IF_1_ISOC_DT_WR1);
1545 		ubt_xfer_start(sc, UBT_IF_1_ISOC_DT_WR2);
1546 
1547 		mtx_unlock(&sc->sc_if_mtx);
1548 	}
1549 
1550  	/* Start outgoing control transfer */
1551 	if (task_flags & UBT_FLAG_T_START_CTRL) {
1552 		mtx_lock(&sc->sc_if_mtx);
1553 		ubt_xfer_start(sc, UBT_IF_0_CTRL_DT_WR);
1554 		mtx_unlock(&sc->sc_if_mtx);
1555 	}
1556 
1557 	/* Start outgoing bulk transfer */
1558 	if (task_flags & UBT_FLAG_T_START_BULK) {
1559 		mtx_lock(&sc->sc_if_mtx);
1560 		ubt_xfer_start(sc, UBT_IF_0_BULK_DT_WR);
1561 		mtx_unlock(&sc->sc_if_mtx);
1562 	}
1563 } /* ubt_task */
1564 
1565 /****************************************************************************
1566  ****************************************************************************
1567  **                        Netgraph specific
1568  ****************************************************************************
1569  ****************************************************************************/
1570 
1571 /*
1572  * Netgraph node constructor. Do not allow to create node of this type.
1573  * Netgraph context.
1574  */
1575 
1576 static int
1577 ng_ubt_constructor(node_p node)
1578 {
1579 	return (EINVAL);
1580 } /* ng_ubt_constructor */
1581 
1582 /*
1583  * Netgraph node destructor. Destroy node only when device has been detached.
1584  * Netgraph context.
1585  */
1586 
1587 static int
1588 ng_ubt_shutdown(node_p node)
1589 {
1590 	if (node->nd_flags & NGF_REALLY_DIE) {
1591 		/*
1592                  * We came here because the USB device is being
1593 		 * detached, so stop being persistent.
1594                  */
1595 		NG_NODE_SET_PRIVATE(node, NULL);
1596 		NG_NODE_UNREF(node);
1597 	} else
1598 		NG_NODE_REVIVE(node); /* tell ng_rmnode we are persisant */
1599 
1600 	return (0);
1601 } /* ng_ubt_shutdown */
1602 
1603 /*
1604  * Create new hook. There can only be one.
1605  * Netgraph context.
1606  */
1607 
1608 static int
1609 ng_ubt_newhook(node_p node, hook_p hook, char const *name)
1610 {
1611 	struct ubt_softc	*sc = NG_NODE_PRIVATE(node);
1612 
1613 	if (strcmp(name, NG_UBT_HOOK) != 0)
1614 		return (EINVAL);
1615 
1616 	UBT_NG_LOCK(sc);
1617 	if (sc->sc_hook != NULL) {
1618 		UBT_NG_UNLOCK(sc);
1619 
1620 		return (EISCONN);
1621 	}
1622 
1623 	sc->sc_hook = hook;
1624 	UBT_NG_UNLOCK(sc);
1625 
1626 	return (0);
1627 } /* ng_ubt_newhook */
1628 
1629 /*
1630  * Connect hook. Start incoming USB transfers.
1631  * Netgraph context.
1632  */
1633 
1634 static int
1635 ng_ubt_connect(hook_p hook)
1636 {
1637 	struct ubt_softc	*sc = NG_NODE_PRIVATE(NG_HOOK_NODE(hook));
1638 
1639 	NG_HOOK_FORCE_QUEUE(NG_HOOK_PEER(hook));
1640 
1641 	UBT_NG_LOCK(sc);
1642 	ubt_task_schedule(sc, UBT_FLAG_T_START_ALL);
1643 	UBT_NG_UNLOCK(sc);
1644 
1645 	return (0);
1646 } /* ng_ubt_connect */
1647 
1648 /*
1649  * Disconnect hook.
1650  * Netgraph context.
1651  */
1652 
1653 static int
1654 ng_ubt_disconnect(hook_p hook)
1655 {
1656 	struct ubt_softc	*sc = NG_NODE_PRIVATE(NG_HOOK_NODE(hook));
1657 
1658 	UBT_NG_LOCK(sc);
1659 
1660 	if (hook != sc->sc_hook) {
1661 		UBT_NG_UNLOCK(sc);
1662 
1663 		return (EINVAL);
1664 	}
1665 
1666 	sc->sc_hook = NULL;
1667 
1668 	/* Kick off task to stop all USB xfers */
1669 	ubt_task_schedule(sc, UBT_FLAG_T_STOP_ALL);
1670 
1671 	/* Drain queues */
1672 	NG_BT_MBUFQ_DRAIN(&sc->sc_cmdq);
1673 	NG_BT_MBUFQ_DRAIN(&sc->sc_aclq);
1674 	NG_BT_MBUFQ_DRAIN(&sc->sc_scoq);
1675 
1676 	UBT_NG_UNLOCK(sc);
1677 
1678 	return (0);
1679 } /* ng_ubt_disconnect */
1680 
1681 /*
1682  * Process control message.
1683  * Netgraph context.
1684  */
1685 
1686 static int
1687 ng_ubt_rcvmsg(node_p node, item_p item, hook_p lasthook)
1688 {
1689 	struct ubt_softc	*sc = NG_NODE_PRIVATE(node);
1690 	struct ng_mesg		*msg, *rsp = NULL;
1691 	struct ng_bt_mbufq	*q;
1692 	int			error = 0, queue, qlen;
1693 
1694 	NGI_GET_MSG(item, msg);
1695 
1696 	switch (msg->header.typecookie) {
1697 	case NGM_GENERIC_COOKIE:
1698 		switch (msg->header.cmd) {
1699 		case NGM_TEXT_STATUS:
1700 			NG_MKRESPONSE(rsp, msg, NG_TEXTRESPONSE, M_NOWAIT);
1701 			if (rsp == NULL) {
1702 				error = ENOMEM;
1703 				break;
1704 			}
1705 
1706 			snprintf(rsp->data, NG_TEXTRESPONSE,
1707 				"Hook: %s\n" \
1708 				"Task flags: %#x\n" \
1709 				"Debug: %d\n" \
1710 				"CMD queue: [have:%d,max:%d]\n" \
1711 				"ACL queue: [have:%d,max:%d]\n" \
1712 				"SCO queue: [have:%d,max:%d]",
1713 				(sc->sc_hook != NULL) ? NG_UBT_HOOK : "",
1714 				sc->sc_task_flags,
1715 				sc->sc_debug,
1716 				sc->sc_cmdq.len,
1717 				sc->sc_cmdq.maxlen,
1718 				sc->sc_aclq.len,
1719 				sc->sc_aclq.maxlen,
1720 				sc->sc_scoq.len,
1721 				sc->sc_scoq.maxlen);
1722 			break;
1723 
1724 		default:
1725 			error = EINVAL;
1726 			break;
1727 		}
1728 		break;
1729 
1730 	case NGM_UBT_COOKIE:
1731 		switch (msg->header.cmd) {
1732 		case NGM_UBT_NODE_SET_DEBUG:
1733 			if (msg->header.arglen != sizeof(ng_ubt_node_debug_ep)){
1734 				error = EMSGSIZE;
1735 				break;
1736 			}
1737 
1738 			sc->sc_debug = *((ng_ubt_node_debug_ep *) (msg->data));
1739 			break;
1740 
1741 		case NGM_UBT_NODE_GET_DEBUG:
1742 			NG_MKRESPONSE(rsp, msg, sizeof(ng_ubt_node_debug_ep),
1743 			    M_NOWAIT);
1744 			if (rsp == NULL) {
1745 				error = ENOMEM;
1746 				break;
1747 			}
1748 
1749 			*((ng_ubt_node_debug_ep *) (rsp->data)) = sc->sc_debug;
1750 			break;
1751 
1752 		case NGM_UBT_NODE_SET_QLEN:
1753 			if (msg->header.arglen != sizeof(ng_ubt_node_qlen_ep)) {
1754 				error = EMSGSIZE;
1755 				break;
1756 			}
1757 
1758 			queue = ((ng_ubt_node_qlen_ep *) (msg->data))->queue;
1759 			qlen = ((ng_ubt_node_qlen_ep *) (msg->data))->qlen;
1760 
1761 			switch (queue) {
1762 			case NGM_UBT_NODE_QUEUE_CMD:
1763 				q = &sc->sc_cmdq;
1764 				break;
1765 
1766 			case NGM_UBT_NODE_QUEUE_ACL:
1767 				q = &sc->sc_aclq;
1768 				break;
1769 
1770 			case NGM_UBT_NODE_QUEUE_SCO:
1771 				q = &sc->sc_scoq;
1772 				break;
1773 
1774 			default:
1775 				error = EINVAL;
1776 				goto done;
1777 				/* NOT REACHED */
1778 			}
1779 
1780 			q->maxlen = qlen;
1781 			break;
1782 
1783 		case NGM_UBT_NODE_GET_QLEN:
1784 			if (msg->header.arglen != sizeof(ng_ubt_node_qlen_ep)) {
1785 				error = EMSGSIZE;
1786 				break;
1787 			}
1788 
1789 			queue = ((ng_ubt_node_qlen_ep *) (msg->data))->queue;
1790 
1791 			switch (queue) {
1792 			case NGM_UBT_NODE_QUEUE_CMD:
1793 				q = &sc->sc_cmdq;
1794 				break;
1795 
1796 			case NGM_UBT_NODE_QUEUE_ACL:
1797 				q = &sc->sc_aclq;
1798 				break;
1799 
1800 			case NGM_UBT_NODE_QUEUE_SCO:
1801 				q = &sc->sc_scoq;
1802 				break;
1803 
1804 			default:
1805 				error = EINVAL;
1806 				goto done;
1807 				/* NOT REACHED */
1808 			}
1809 
1810 			NG_MKRESPONSE(rsp, msg, sizeof(ng_ubt_node_qlen_ep),
1811 				M_NOWAIT);
1812 			if (rsp == NULL) {
1813 				error = ENOMEM;
1814 				break;
1815 			}
1816 
1817 			((ng_ubt_node_qlen_ep *) (rsp->data))->queue = queue;
1818 			((ng_ubt_node_qlen_ep *) (rsp->data))->qlen = q->maxlen;
1819 			break;
1820 
1821 		case NGM_UBT_NODE_GET_STAT:
1822 			NG_MKRESPONSE(rsp, msg, sizeof(ng_ubt_node_stat_ep),
1823 			    M_NOWAIT);
1824 			if (rsp == NULL) {
1825 				error = ENOMEM;
1826 				break;
1827 			}
1828 
1829 			bcopy(&sc->sc_stat, rsp->data,
1830 				sizeof(ng_ubt_node_stat_ep));
1831 			break;
1832 
1833 		case NGM_UBT_NODE_RESET_STAT:
1834 			UBT_STAT_RESET(sc);
1835 			break;
1836 
1837 		default:
1838 			error = EINVAL;
1839 			break;
1840 		}
1841 		break;
1842 
1843 	default:
1844 		error = EINVAL;
1845 		break;
1846 	}
1847 done:
1848 	NG_RESPOND_MSG(error, node, item, rsp);
1849 	NG_FREE_MSG(msg);
1850 
1851 	return (error);
1852 } /* ng_ubt_rcvmsg */
1853 
1854 /*
1855  * Process data.
1856  * Netgraph context.
1857  */
1858 
1859 static int
1860 ng_ubt_rcvdata(hook_p hook, item_p item)
1861 {
1862 	struct ubt_softc	*sc = NG_NODE_PRIVATE(NG_HOOK_NODE(hook));
1863 	struct mbuf		*m;
1864 	struct ng_bt_mbufq	*q;
1865 	int			action, error = 0;
1866 
1867 	if (hook != sc->sc_hook) {
1868 		error = EINVAL;
1869 		goto done;
1870 	}
1871 
1872 	/* Deatch mbuf and get HCI frame type */
1873 	NGI_GET_M(item, m);
1874 
1875 	/*
1876 	 * Minimal size of the HCI frame is 4 bytes: 1 byte frame type,
1877 	 * 2 bytes connection handle and at least 1 byte of length.
1878 	 * Panic on data frame that has size smaller than 4 bytes (it
1879 	 * should not happen)
1880 	 */
1881 
1882 	if (m->m_pkthdr.len < 4)
1883 		panic("HCI frame size is too small! pktlen=%d\n",
1884 			m->m_pkthdr.len);
1885 
1886 	/* Process HCI frame */
1887 	switch (*mtod(m, uint8_t *)) {	/* XXX call m_pullup ? */
1888 	case NG_HCI_CMD_PKT:
1889 		if (m->m_pkthdr.len - 1 > (int)UBT_CTRL_BUFFER_SIZE)
1890 			panic("HCI command frame size is too big! " \
1891 				"buffer size=%zd, packet len=%d\n",
1892 				UBT_CTRL_BUFFER_SIZE, m->m_pkthdr.len);
1893 
1894 		q = &sc->sc_cmdq;
1895 		action = UBT_FLAG_T_START_CTRL;
1896 		break;
1897 
1898 	case NG_HCI_ACL_DATA_PKT:
1899 		if (m->m_pkthdr.len - 1 > UBT_BULK_WRITE_BUFFER_SIZE)
1900 			panic("ACL data frame size is too big! " \
1901 				"buffer size=%d, packet len=%d\n",
1902 				UBT_BULK_WRITE_BUFFER_SIZE, m->m_pkthdr.len);
1903 
1904 		q = &sc->sc_aclq;
1905 		action = UBT_FLAG_T_START_BULK;
1906 		break;
1907 
1908 	case NG_HCI_SCO_DATA_PKT:
1909 		q = &sc->sc_scoq;
1910 		action = 0;
1911 		break;
1912 
1913 	default:
1914 		UBT_ERR(sc, "Dropping unsupported HCI frame, type=0x%02x, " \
1915 			"pktlen=%d\n", *mtod(m, uint8_t *), m->m_pkthdr.len);
1916 
1917 		NG_FREE_M(m);
1918 		error = EINVAL;
1919 		goto done;
1920 		/* NOT REACHED */
1921 	}
1922 
1923 	UBT_NG_LOCK(sc);
1924 	if (NG_BT_MBUFQ_FULL(q)) {
1925 		NG_BT_MBUFQ_DROP(q);
1926 		UBT_NG_UNLOCK(sc);
1927 
1928 		UBT_ERR(sc, "Dropping HCI frame 0x%02x, len=%d. Queue full\n",
1929 			*mtod(m, uint8_t *), m->m_pkthdr.len);
1930 
1931 		NG_FREE_M(m);
1932 	} else {
1933 		/* Loose HCI packet type, enqueue mbuf and kick off task */
1934 		m_adj(m, sizeof(uint8_t));
1935 		NG_BT_MBUFQ_ENQUEUE(q, m);
1936 		ubt_task_schedule(sc, action);
1937 		UBT_NG_UNLOCK(sc);
1938 	}
1939 done:
1940 	NG_FREE_ITEM(item);
1941 
1942 	return (error);
1943 } /* ng_ubt_rcvdata */
1944 
1945 /****************************************************************************
1946  ****************************************************************************
1947  **                              Module
1948  ****************************************************************************
1949  ****************************************************************************/
1950 
1951 /*
1952  * Load/Unload the driver module
1953  */
1954 
1955 static int
1956 ubt_modevent(module_t mod, int event, void *data)
1957 {
1958 	int	error;
1959 
1960 	switch (event) {
1961 	case MOD_LOAD:
1962 		error = ng_newtype(&typestruct);
1963 		if (error != 0)
1964 			printf("%s: Could not register Netgraph node type, " \
1965 				"error=%d\n", NG_UBT_NODE_TYPE, error);
1966 		break;
1967 
1968 	case MOD_UNLOAD:
1969 		error = ng_rmtype(&typestruct);
1970 		break;
1971 
1972 	default:
1973 		error = EOPNOTSUPP;
1974 		break;
1975 	}
1976 
1977 	return (error);
1978 } /* ubt_modevent */
1979 
1980 devclass_t	ubt_devclass;
1981 
1982 static device_method_t	ubt_methods[] =
1983 {
1984 	DEVMETHOD(device_probe,	ubt_probe),
1985 	DEVMETHOD(device_attach, ubt_attach),
1986 	DEVMETHOD(device_detach, ubt_detach),
1987 	DEVMETHOD_END
1988 };
1989 
1990 driver_t		ubt_driver =
1991 {
1992 	.name =	   "ubt",
1993 	.methods = ubt_methods,
1994 	.size =	   sizeof(struct ubt_softc),
1995 };
1996 
1997 DRIVER_MODULE(ng_ubt, uhub, ubt_driver, ubt_devclass, ubt_modevent, 0);
1998 MODULE_VERSION(ng_ubt, NG_BLUETOOTH_VERSION);
1999 MODULE_DEPEND(ng_ubt, netgraph, NG_ABI_VERSION, NG_ABI_VERSION, NG_ABI_VERSION);
2000 MODULE_DEPEND(ng_ubt, ng_hci, NG_BLUETOOTH_VERSION, NG_BLUETOOTH_VERSION, NG_BLUETOOTH_VERSION);
2001 MODULE_DEPEND(ng_ubt, usb, 1, 1, 1);
2002 USB_PNP_HOST_INFO(ubt_devs);
2003