xref: /linux/drivers/bluetooth/hci_bcsp.c (revision 005438a8eef063495ac059d128eea71b58de50e5)
1 /*
2  *
3  *  Bluetooth HCI UART driver
4  *
5  *  Copyright (C) 2002-2003  Fabrizio Gennari <fabrizio.gennari@philips.com>
6  *  Copyright (C) 2004-2005  Marcel Holtmann <marcel@holtmann.org>
7  *
8  *
9  *  This program is free software; you can redistribute it and/or modify
10  *  it under the terms of the GNU General Public License as published by
11  *  the Free Software Foundation; either version 2 of the License, or
12  *  (at your option) any later version.
13  *
14  *  This program is distributed in the hope that it will be useful,
15  *  but WITHOUT ANY WARRANTY; without even the implied warranty of
16  *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
17  *  GNU General Public License for more details.
18  *
19  *  You should have received a copy of the GNU General Public License
20  *  along with this program; if not, write to the Free Software
21  *  Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
22  *
23  */
24 
25 #include <linux/module.h>
26 
27 #include <linux/kernel.h>
28 #include <linux/init.h>
29 #include <linux/types.h>
30 #include <linux/fcntl.h>
31 #include <linux/interrupt.h>
32 #include <linux/ptrace.h>
33 #include <linux/poll.h>
34 
35 #include <linux/slab.h>
36 #include <linux/tty.h>
37 #include <linux/errno.h>
38 #include <linux/string.h>
39 #include <linux/signal.h>
40 #include <linux/ioctl.h>
41 #include <linux/skbuff.h>
42 #include <linux/bitrev.h>
43 #include <asm/unaligned.h>
44 
45 #include <net/bluetooth/bluetooth.h>
46 #include <net/bluetooth/hci_core.h>
47 
48 #include "hci_uart.h"
49 
50 static bool txcrc = true;
51 static bool hciextn = true;
52 
53 #define BCSP_TXWINSIZE	4
54 
55 #define BCSP_ACK_PKT	0x05
56 #define BCSP_LE_PKT	0x06
57 
58 struct bcsp_struct {
59 	struct sk_buff_head unack;	/* Unack'ed packets queue */
60 	struct sk_buff_head rel;	/* Reliable packets queue */
61 	struct sk_buff_head unrel;	/* Unreliable packets queue */
62 
63 	unsigned long rx_count;
64 	struct	sk_buff *rx_skb;
65 	u8	rxseq_txack;		/* rxseq == txack. */
66 	u8	rxack;			/* Last packet sent by us that the peer ack'ed */
67 	struct	timer_list tbcsp;
68 
69 	enum {
70 		BCSP_W4_PKT_DELIMITER,
71 		BCSP_W4_PKT_START,
72 		BCSP_W4_BCSP_HDR,
73 		BCSP_W4_DATA,
74 		BCSP_W4_CRC
75 	} rx_state;
76 
77 	enum {
78 		BCSP_ESCSTATE_NOESC,
79 		BCSP_ESCSTATE_ESC
80 	} rx_esc_state;
81 
82 	u8	use_crc;
83 	u16	message_crc;
84 	u8	txack_req;		/* Do we need to send ack's to the peer? */
85 
86 	/* Reliable packet sequence number - used to assign seq to each rel pkt. */
87 	u8	msgq_txseq;
88 };
89 
90 /* ---- BCSP CRC calculation ---- */
91 
92 /* Table for calculating CRC for polynomial 0x1021, LSB processed first,
93 initial value 0xffff, bits shifted in reverse order. */
94 
95 static const u16 crc_table[] = {
96 	0x0000, 0x1081, 0x2102, 0x3183,
97 	0x4204, 0x5285, 0x6306, 0x7387,
98 	0x8408, 0x9489, 0xa50a, 0xb58b,
99 	0xc60c, 0xd68d, 0xe70e, 0xf78f
100 };
101 
102 /* Initialise the crc calculator */
103 #define BCSP_CRC_INIT(x) x = 0xffff
104 
105 /*
106    Update crc with next data byte
107 
108    Implementation note
109         The data byte is treated as two nibbles.  The crc is generated
110         in reverse, i.e., bits are fed into the register from the top.
111 */
112 static void bcsp_crc_update(u16 *crc, u8 d)
113 {
114 	u16 reg = *crc;
115 
116 	reg = (reg >> 4) ^ crc_table[(reg ^ d) & 0x000f];
117 	reg = (reg >> 4) ^ crc_table[(reg ^ (d >> 4)) & 0x000f];
118 
119 	*crc = reg;
120 }
121 
122 /* ---- BCSP core ---- */
123 
124 static void bcsp_slip_msgdelim(struct sk_buff *skb)
125 {
126 	const char pkt_delim = 0xc0;
127 
128 	memcpy(skb_put(skb, 1), &pkt_delim, 1);
129 }
130 
131 static void bcsp_slip_one_byte(struct sk_buff *skb, u8 c)
132 {
133 	const char esc_c0[2] = { 0xdb, 0xdc };
134 	const char esc_db[2] = { 0xdb, 0xdd };
135 
136 	switch (c) {
137 	case 0xc0:
138 		memcpy(skb_put(skb, 2), &esc_c0, 2);
139 		break;
140 	case 0xdb:
141 		memcpy(skb_put(skb, 2), &esc_db, 2);
142 		break;
143 	default:
144 		memcpy(skb_put(skb, 1), &c, 1);
145 	}
146 }
147 
148 static int bcsp_enqueue(struct hci_uart *hu, struct sk_buff *skb)
149 {
150 	struct bcsp_struct *bcsp = hu->priv;
151 
152 	if (skb->len > 0xFFF) {
153 		BT_ERR("Packet too long");
154 		kfree_skb(skb);
155 		return 0;
156 	}
157 
158 	switch (bt_cb(skb)->pkt_type) {
159 	case HCI_ACLDATA_PKT:
160 	case HCI_COMMAND_PKT:
161 		skb_queue_tail(&bcsp->rel, skb);
162 		break;
163 
164 	case HCI_SCODATA_PKT:
165 		skb_queue_tail(&bcsp->unrel, skb);
166 		break;
167 
168 	default:
169 		BT_ERR("Unknown packet type");
170 		kfree_skb(skb);
171 		break;
172 	}
173 
174 	return 0;
175 }
176 
177 static struct sk_buff *bcsp_prepare_pkt(struct bcsp_struct *bcsp, u8 *data,
178 		int len, int pkt_type)
179 {
180 	struct sk_buff *nskb;
181 	u8 hdr[4], chan;
182 	u16 BCSP_CRC_INIT(bcsp_txmsg_crc);
183 	int rel, i;
184 
185 	switch (pkt_type) {
186 	case HCI_ACLDATA_PKT:
187 		chan = 6;	/* BCSP ACL channel */
188 		rel = 1;	/* reliable channel */
189 		break;
190 	case HCI_COMMAND_PKT:
191 		chan = 5;	/* BCSP cmd/evt channel */
192 		rel = 1;	/* reliable channel */
193 		break;
194 	case HCI_SCODATA_PKT:
195 		chan = 7;	/* BCSP SCO channel */
196 		rel = 0;	/* unreliable channel */
197 		break;
198 	case BCSP_LE_PKT:
199 		chan = 1;	/* BCSP LE channel */
200 		rel = 0;	/* unreliable channel */
201 		break;
202 	case BCSP_ACK_PKT:
203 		chan = 0;	/* BCSP internal channel */
204 		rel = 0;	/* unreliable channel */
205 		break;
206 	default:
207 		BT_ERR("Unknown packet type");
208 		return NULL;
209 	}
210 
211 	if (hciextn && chan == 5) {
212 		__le16 opcode = ((struct hci_command_hdr *)data)->opcode;
213 
214 		/* Vendor specific commands */
215 		if (hci_opcode_ogf(__le16_to_cpu(opcode)) == 0x3f) {
216 			u8 desc = *(data + HCI_COMMAND_HDR_SIZE);
217 			if ((desc & 0xf0) == 0xc0) {
218 				data += HCI_COMMAND_HDR_SIZE + 1;
219 				len  -= HCI_COMMAND_HDR_SIZE + 1;
220 				chan = desc & 0x0f;
221 			}
222 		}
223 	}
224 
225 	/* Max len of packet: (original len +4(bcsp hdr) +2(crc))*2
226 	   (because bytes 0xc0 and 0xdb are escaped, worst case is
227 	   when the packet is all made of 0xc0 and 0xdb :) )
228 	   + 2 (0xc0 delimiters at start and end). */
229 
230 	nskb = alloc_skb((len + 6) * 2 + 2, GFP_ATOMIC);
231 	if (!nskb)
232 		return NULL;
233 
234 	bt_cb(nskb)->pkt_type = pkt_type;
235 
236 	bcsp_slip_msgdelim(nskb);
237 
238 	hdr[0] = bcsp->rxseq_txack << 3;
239 	bcsp->txack_req = 0;
240 	BT_DBG("We request packet no %u to card", bcsp->rxseq_txack);
241 
242 	if (rel) {
243 		hdr[0] |= 0x80 + bcsp->msgq_txseq;
244 		BT_DBG("Sending packet with seqno %u", bcsp->msgq_txseq);
245 		bcsp->msgq_txseq = (bcsp->msgq_txseq + 1) & 0x07;
246 	}
247 
248 	if (bcsp->use_crc)
249 		hdr[0] |= 0x40;
250 
251 	hdr[1] = ((len << 4) & 0xff) | chan;
252 	hdr[2] = len >> 4;
253 	hdr[3] = ~(hdr[0] + hdr[1] + hdr[2]);
254 
255 	/* Put BCSP header */
256 	for (i = 0; i < 4; i++) {
257 		bcsp_slip_one_byte(nskb, hdr[i]);
258 
259 		if (bcsp->use_crc)
260 			bcsp_crc_update(&bcsp_txmsg_crc, hdr[i]);
261 	}
262 
263 	/* Put payload */
264 	for (i = 0; i < len; i++) {
265 		bcsp_slip_one_byte(nskb, data[i]);
266 
267 		if (bcsp->use_crc)
268 			bcsp_crc_update(&bcsp_txmsg_crc, data[i]);
269 	}
270 
271 	/* Put CRC */
272 	if (bcsp->use_crc) {
273 		bcsp_txmsg_crc = bitrev16(bcsp_txmsg_crc);
274 		bcsp_slip_one_byte(nskb, (u8) ((bcsp_txmsg_crc >> 8) & 0x00ff));
275 		bcsp_slip_one_byte(nskb, (u8) (bcsp_txmsg_crc & 0x00ff));
276 	}
277 
278 	bcsp_slip_msgdelim(nskb);
279 	return nskb;
280 }
281 
282 /* This is a rewrite of pkt_avail in ABCSP */
283 static struct sk_buff *bcsp_dequeue(struct hci_uart *hu)
284 {
285 	struct bcsp_struct *bcsp = hu->priv;
286 	unsigned long flags;
287 	struct sk_buff *skb;
288 
289 	/* First of all, check for unreliable messages in the queue,
290 	   since they have priority */
291 
292 	skb = skb_dequeue(&bcsp->unrel);
293 	if (skb != NULL) {
294 		struct sk_buff *nskb = bcsp_prepare_pkt(bcsp, skb->data, skb->len, bt_cb(skb)->pkt_type);
295 		if (nskb) {
296 			kfree_skb(skb);
297 			return nskb;
298 		} else {
299 			skb_queue_head(&bcsp->unrel, skb);
300 			BT_ERR("Could not dequeue pkt because alloc_skb failed");
301 		}
302 	}
303 
304 	/* Now, try to send a reliable pkt. We can only send a
305 	   reliable packet if the number of packets sent but not yet ack'ed
306 	   is < than the winsize */
307 
308 	spin_lock_irqsave_nested(&bcsp->unack.lock, flags, SINGLE_DEPTH_NESTING);
309 
310 	if (bcsp->unack.qlen < BCSP_TXWINSIZE) {
311 		skb = skb_dequeue(&bcsp->rel);
312 		if (skb != NULL) {
313 			struct sk_buff *nskb = bcsp_prepare_pkt(bcsp, skb->data, skb->len,
314 								bt_cb(skb)->pkt_type);
315 			if (nskb) {
316 				__skb_queue_tail(&bcsp->unack, skb);
317 				mod_timer(&bcsp->tbcsp, jiffies + HZ / 4);
318 				spin_unlock_irqrestore(&bcsp->unack.lock, flags);
319 				return nskb;
320 			} else {
321 				skb_queue_head(&bcsp->rel, skb);
322 				BT_ERR("Could not dequeue pkt because alloc_skb failed");
323 			}
324 		}
325 	}
326 
327 	spin_unlock_irqrestore(&bcsp->unack.lock, flags);
328 
329 	/* We could not send a reliable packet, either because there are
330 	   none or because there are too many unack'ed pkts. Did we receive
331 	   any packets we have not acknowledged yet ? */
332 
333 	if (bcsp->txack_req) {
334 		/* if so, craft an empty ACK pkt and send it on BCSP unreliable
335 		   channel 0 */
336 		struct sk_buff *nskb = bcsp_prepare_pkt(bcsp, NULL, 0, BCSP_ACK_PKT);
337 		return nskb;
338 	}
339 
340 	/* We have nothing to send */
341 	return NULL;
342 }
343 
344 static int bcsp_flush(struct hci_uart *hu)
345 {
346 	BT_DBG("hu %p", hu);
347 	return 0;
348 }
349 
350 /* Remove ack'ed packets */
351 static void bcsp_pkt_cull(struct bcsp_struct *bcsp)
352 {
353 	struct sk_buff *skb, *tmp;
354 	unsigned long flags;
355 	int i, pkts_to_be_removed;
356 	u8 seqno;
357 
358 	spin_lock_irqsave(&bcsp->unack.lock, flags);
359 
360 	pkts_to_be_removed = skb_queue_len(&bcsp->unack);
361 	seqno = bcsp->msgq_txseq;
362 
363 	while (pkts_to_be_removed) {
364 		if (bcsp->rxack == seqno)
365 			break;
366 		pkts_to_be_removed--;
367 		seqno = (seqno - 1) & 0x07;
368 	}
369 
370 	if (bcsp->rxack != seqno)
371 		BT_ERR("Peer acked invalid packet");
372 
373 	BT_DBG("Removing %u pkts out of %u, up to seqno %u",
374 	       pkts_to_be_removed, skb_queue_len(&bcsp->unack),
375 	       (seqno - 1) & 0x07);
376 
377 	i = 0;
378 	skb_queue_walk_safe(&bcsp->unack, skb, tmp) {
379 		if (i >= pkts_to_be_removed)
380 			break;
381 		i++;
382 
383 		__skb_unlink(skb, &bcsp->unack);
384 		kfree_skb(skb);
385 	}
386 
387 	if (skb_queue_empty(&bcsp->unack))
388 		del_timer(&bcsp->tbcsp);
389 
390 	spin_unlock_irqrestore(&bcsp->unack.lock, flags);
391 
392 	if (i != pkts_to_be_removed)
393 		BT_ERR("Removed only %u out of %u pkts", i, pkts_to_be_removed);
394 }
395 
396 /* Handle BCSP link-establishment packets. When we
397    detect a "sync" packet, symptom that the BT module has reset,
398    we do nothing :) (yet) */
399 static void bcsp_handle_le_pkt(struct hci_uart *hu)
400 {
401 	struct bcsp_struct *bcsp = hu->priv;
402 	u8 conf_pkt[4]     = { 0xad, 0xef, 0xac, 0xed };
403 	u8 conf_rsp_pkt[4] = { 0xde, 0xad, 0xd0, 0xd0 };
404 	u8 sync_pkt[4]     = { 0xda, 0xdc, 0xed, 0xed };
405 
406 	/* spot "conf" pkts and reply with a "conf rsp" pkt */
407 	if (bcsp->rx_skb->data[1] >> 4 == 4 && bcsp->rx_skb->data[2] == 0 &&
408 			!memcmp(&bcsp->rx_skb->data[4], conf_pkt, 4)) {
409 		struct sk_buff *nskb = alloc_skb(4, GFP_ATOMIC);
410 
411 		BT_DBG("Found a LE conf pkt");
412 		if (!nskb)
413 			return;
414 		memcpy(skb_put(nskb, 4), conf_rsp_pkt, 4);
415 		bt_cb(nskb)->pkt_type = BCSP_LE_PKT;
416 
417 		skb_queue_head(&bcsp->unrel, nskb);
418 		hci_uart_tx_wakeup(hu);
419 	}
420 	/* Spot "sync" pkts. If we find one...disaster! */
421 	else if (bcsp->rx_skb->data[1] >> 4 == 4 && bcsp->rx_skb->data[2] == 0 &&
422 			!memcmp(&bcsp->rx_skb->data[4], sync_pkt, 4)) {
423 		BT_ERR("Found a LE sync pkt, card has reset");
424 	}
425 }
426 
427 static inline void bcsp_unslip_one_byte(struct bcsp_struct *bcsp, unsigned char byte)
428 {
429 	const u8 c0 = 0xc0, db = 0xdb;
430 
431 	switch (bcsp->rx_esc_state) {
432 	case BCSP_ESCSTATE_NOESC:
433 		switch (byte) {
434 		case 0xdb:
435 			bcsp->rx_esc_state = BCSP_ESCSTATE_ESC;
436 			break;
437 		default:
438 			memcpy(skb_put(bcsp->rx_skb, 1), &byte, 1);
439 			if ((bcsp->rx_skb->data[0] & 0x40) != 0 &&
440 					bcsp->rx_state != BCSP_W4_CRC)
441 				bcsp_crc_update(&bcsp->message_crc, byte);
442 			bcsp->rx_count--;
443 		}
444 		break;
445 
446 	case BCSP_ESCSTATE_ESC:
447 		switch (byte) {
448 		case 0xdc:
449 			memcpy(skb_put(bcsp->rx_skb, 1), &c0, 1);
450 			if ((bcsp->rx_skb->data[0] & 0x40) != 0 &&
451 					bcsp->rx_state != BCSP_W4_CRC)
452 				bcsp_crc_update(&bcsp->message_crc, 0xc0);
453 			bcsp->rx_esc_state = BCSP_ESCSTATE_NOESC;
454 			bcsp->rx_count--;
455 			break;
456 
457 		case 0xdd:
458 			memcpy(skb_put(bcsp->rx_skb, 1), &db, 1);
459 			if ((bcsp->rx_skb->data[0] & 0x40) != 0 &&
460 					bcsp->rx_state != BCSP_W4_CRC)
461 				bcsp_crc_update(&bcsp->message_crc, 0xdb);
462 			bcsp->rx_esc_state = BCSP_ESCSTATE_NOESC;
463 			bcsp->rx_count--;
464 			break;
465 
466 		default:
467 			BT_ERR("Invalid byte %02x after esc byte", byte);
468 			kfree_skb(bcsp->rx_skb);
469 			bcsp->rx_skb = NULL;
470 			bcsp->rx_state = BCSP_W4_PKT_DELIMITER;
471 			bcsp->rx_count = 0;
472 		}
473 	}
474 }
475 
476 static void bcsp_complete_rx_pkt(struct hci_uart *hu)
477 {
478 	struct bcsp_struct *bcsp = hu->priv;
479 	int pass_up;
480 
481 	if (bcsp->rx_skb->data[0] & 0x80) {	/* reliable pkt */
482 		BT_DBG("Received seqno %u from card", bcsp->rxseq_txack);
483 		bcsp->rxseq_txack++;
484 		bcsp->rxseq_txack %= 0x8;
485 		bcsp->txack_req    = 1;
486 
487 		/* If needed, transmit an ack pkt */
488 		hci_uart_tx_wakeup(hu);
489 	}
490 
491 	bcsp->rxack = (bcsp->rx_skb->data[0] >> 3) & 0x07;
492 	BT_DBG("Request for pkt %u from card", bcsp->rxack);
493 
494 	bcsp_pkt_cull(bcsp);
495 	if ((bcsp->rx_skb->data[1] & 0x0f) == 6 &&
496 			bcsp->rx_skb->data[0] & 0x80) {
497 		bt_cb(bcsp->rx_skb)->pkt_type = HCI_ACLDATA_PKT;
498 		pass_up = 1;
499 	} else if ((bcsp->rx_skb->data[1] & 0x0f) == 5 &&
500 			bcsp->rx_skb->data[0] & 0x80) {
501 		bt_cb(bcsp->rx_skb)->pkt_type = HCI_EVENT_PKT;
502 		pass_up = 1;
503 	} else if ((bcsp->rx_skb->data[1] & 0x0f) == 7) {
504 		bt_cb(bcsp->rx_skb)->pkt_type = HCI_SCODATA_PKT;
505 		pass_up = 1;
506 	} else if ((bcsp->rx_skb->data[1] & 0x0f) == 1 &&
507 			!(bcsp->rx_skb->data[0] & 0x80)) {
508 		bcsp_handle_le_pkt(hu);
509 		pass_up = 0;
510 	} else
511 		pass_up = 0;
512 
513 	if (!pass_up) {
514 		struct hci_event_hdr hdr;
515 		u8 desc = (bcsp->rx_skb->data[1] & 0x0f);
516 
517 		if (desc != 0 && desc != 1) {
518 			if (hciextn) {
519 				desc |= 0xc0;
520 				skb_pull(bcsp->rx_skb, 4);
521 				memcpy(skb_push(bcsp->rx_skb, 1), &desc, 1);
522 
523 				hdr.evt = 0xff;
524 				hdr.plen = bcsp->rx_skb->len;
525 				memcpy(skb_push(bcsp->rx_skb, HCI_EVENT_HDR_SIZE), &hdr, HCI_EVENT_HDR_SIZE);
526 				bt_cb(bcsp->rx_skb)->pkt_type = HCI_EVENT_PKT;
527 
528 				hci_recv_frame(hu->hdev, bcsp->rx_skb);
529 			} else {
530 				BT_ERR("Packet for unknown channel (%u %s)",
531 					bcsp->rx_skb->data[1] & 0x0f,
532 					bcsp->rx_skb->data[0] & 0x80 ?
533 					"reliable" : "unreliable");
534 				kfree_skb(bcsp->rx_skb);
535 			}
536 		} else
537 			kfree_skb(bcsp->rx_skb);
538 	} else {
539 		/* Pull out BCSP hdr */
540 		skb_pull(bcsp->rx_skb, 4);
541 
542 		hci_recv_frame(hu->hdev, bcsp->rx_skb);
543 	}
544 
545 	bcsp->rx_state = BCSP_W4_PKT_DELIMITER;
546 	bcsp->rx_skb = NULL;
547 }
548 
549 static u16 bscp_get_crc(struct bcsp_struct *bcsp)
550 {
551 	return get_unaligned_be16(&bcsp->rx_skb->data[bcsp->rx_skb->len - 2]);
552 }
553 
554 /* Recv data */
555 static int bcsp_recv(struct hci_uart *hu, const void *data, int count)
556 {
557 	struct bcsp_struct *bcsp = hu->priv;
558 	const unsigned char *ptr;
559 
560 	BT_DBG("hu %p count %d rx_state %d rx_count %ld",
561 		hu, count, bcsp->rx_state, bcsp->rx_count);
562 
563 	ptr = data;
564 	while (count) {
565 		if (bcsp->rx_count) {
566 			if (*ptr == 0xc0) {
567 				BT_ERR("Short BCSP packet");
568 				kfree_skb(bcsp->rx_skb);
569 				bcsp->rx_state = BCSP_W4_PKT_START;
570 				bcsp->rx_count = 0;
571 			} else
572 				bcsp_unslip_one_byte(bcsp, *ptr);
573 
574 			ptr++; count--;
575 			continue;
576 		}
577 
578 		switch (bcsp->rx_state) {
579 		case BCSP_W4_BCSP_HDR:
580 			if ((0xff & (u8) ~ (bcsp->rx_skb->data[0] + bcsp->rx_skb->data[1] +
581 					bcsp->rx_skb->data[2])) != bcsp->rx_skb->data[3]) {
582 				BT_ERR("Error in BCSP hdr checksum");
583 				kfree_skb(bcsp->rx_skb);
584 				bcsp->rx_state = BCSP_W4_PKT_DELIMITER;
585 				bcsp->rx_count = 0;
586 				continue;
587 			}
588 			if (bcsp->rx_skb->data[0] & 0x80	/* reliable pkt */
589 			    		&& (bcsp->rx_skb->data[0] & 0x07) != bcsp->rxseq_txack) {
590 				BT_ERR("Out-of-order packet arrived, got %u expected %u",
591 					bcsp->rx_skb->data[0] & 0x07, bcsp->rxseq_txack);
592 
593 				kfree_skb(bcsp->rx_skb);
594 				bcsp->rx_state = BCSP_W4_PKT_DELIMITER;
595 				bcsp->rx_count = 0;
596 				continue;
597 			}
598 			bcsp->rx_state = BCSP_W4_DATA;
599 			bcsp->rx_count = (bcsp->rx_skb->data[1] >> 4) +
600 					(bcsp->rx_skb->data[2] << 4);	/* May be 0 */
601 			continue;
602 
603 		case BCSP_W4_DATA:
604 			if (bcsp->rx_skb->data[0] & 0x40) {	/* pkt with crc */
605 				bcsp->rx_state = BCSP_W4_CRC;
606 				bcsp->rx_count = 2;
607 			} else
608 				bcsp_complete_rx_pkt(hu);
609 			continue;
610 
611 		case BCSP_W4_CRC:
612 			if (bitrev16(bcsp->message_crc) != bscp_get_crc(bcsp)) {
613 				BT_ERR ("Checksum failed: computed %04x received %04x",
614 					bitrev16(bcsp->message_crc),
615 					bscp_get_crc(bcsp));
616 
617 				kfree_skb(bcsp->rx_skb);
618 				bcsp->rx_state = BCSP_W4_PKT_DELIMITER;
619 				bcsp->rx_count = 0;
620 				continue;
621 			}
622 			skb_trim(bcsp->rx_skb, bcsp->rx_skb->len - 2);
623 			bcsp_complete_rx_pkt(hu);
624 			continue;
625 
626 		case BCSP_W4_PKT_DELIMITER:
627 			switch (*ptr) {
628 			case 0xc0:
629 				bcsp->rx_state = BCSP_W4_PKT_START;
630 				break;
631 			default:
632 				/*BT_ERR("Ignoring byte %02x", *ptr);*/
633 				break;
634 			}
635 			ptr++; count--;
636 			break;
637 
638 		case BCSP_W4_PKT_START:
639 			switch (*ptr) {
640 			case 0xc0:
641 				ptr++; count--;
642 				break;
643 
644 			default:
645 				bcsp->rx_state = BCSP_W4_BCSP_HDR;
646 				bcsp->rx_count = 4;
647 				bcsp->rx_esc_state = BCSP_ESCSTATE_NOESC;
648 				BCSP_CRC_INIT(bcsp->message_crc);
649 
650 				/* Do not increment ptr or decrement count
651 				 * Allocate packet. Max len of a BCSP pkt=
652 				 * 0xFFF (payload) +4 (header) +2 (crc) */
653 
654 				bcsp->rx_skb = bt_skb_alloc(0x1005, GFP_ATOMIC);
655 				if (!bcsp->rx_skb) {
656 					BT_ERR("Can't allocate mem for new packet");
657 					bcsp->rx_state = BCSP_W4_PKT_DELIMITER;
658 					bcsp->rx_count = 0;
659 					return 0;
660 				}
661 				break;
662 			}
663 			break;
664 		}
665 	}
666 	return count;
667 }
668 
669 	/* Arrange to retransmit all messages in the relq. */
670 static void bcsp_timed_event(unsigned long arg)
671 {
672 	struct hci_uart *hu = (struct hci_uart *) arg;
673 	struct bcsp_struct *bcsp = hu->priv;
674 	struct sk_buff *skb;
675 	unsigned long flags;
676 
677 	BT_DBG("hu %p retransmitting %u pkts", hu, bcsp->unack.qlen);
678 
679 	spin_lock_irqsave_nested(&bcsp->unack.lock, flags, SINGLE_DEPTH_NESTING);
680 
681 	while ((skb = __skb_dequeue_tail(&bcsp->unack)) != NULL) {
682 		bcsp->msgq_txseq = (bcsp->msgq_txseq - 1) & 0x07;
683 		skb_queue_head(&bcsp->rel, skb);
684 	}
685 
686 	spin_unlock_irqrestore(&bcsp->unack.lock, flags);
687 
688 	hci_uart_tx_wakeup(hu);
689 }
690 
691 static int bcsp_open(struct hci_uart *hu)
692 {
693 	struct bcsp_struct *bcsp;
694 
695 	BT_DBG("hu %p", hu);
696 
697 	bcsp = kzalloc(sizeof(*bcsp), GFP_KERNEL);
698 	if (!bcsp)
699 		return -ENOMEM;
700 
701 	hu->priv = bcsp;
702 	skb_queue_head_init(&bcsp->unack);
703 	skb_queue_head_init(&bcsp->rel);
704 	skb_queue_head_init(&bcsp->unrel);
705 
706 	init_timer(&bcsp->tbcsp);
707 	bcsp->tbcsp.function = bcsp_timed_event;
708 	bcsp->tbcsp.data     = (u_long) hu;
709 
710 	bcsp->rx_state = BCSP_W4_PKT_DELIMITER;
711 
712 	if (txcrc)
713 		bcsp->use_crc = 1;
714 
715 	return 0;
716 }
717 
718 static int bcsp_close(struct hci_uart *hu)
719 {
720 	struct bcsp_struct *bcsp = hu->priv;
721 
722 	del_timer_sync(&bcsp->tbcsp);
723 
724 	hu->priv = NULL;
725 
726 	BT_DBG("hu %p", hu);
727 
728 	skb_queue_purge(&bcsp->unack);
729 	skb_queue_purge(&bcsp->rel);
730 	skb_queue_purge(&bcsp->unrel);
731 
732 	kfree(bcsp);
733 	return 0;
734 }
735 
736 static const struct hci_uart_proto bcsp = {
737 	.id		= HCI_UART_BCSP,
738 	.name		= "BCSP",
739 	.open		= bcsp_open,
740 	.close		= bcsp_close,
741 	.enqueue	= bcsp_enqueue,
742 	.dequeue	= bcsp_dequeue,
743 	.recv		= bcsp_recv,
744 	.flush		= bcsp_flush
745 };
746 
747 int __init bcsp_init(void)
748 {
749 	return hci_uart_register_proto(&bcsp);
750 }
751 
752 int __exit bcsp_deinit(void)
753 {
754 	return hci_uart_unregister_proto(&bcsp);
755 }
756 
757 module_param(txcrc, bool, 0644);
758 MODULE_PARM_DESC(txcrc, "Transmit CRC with every BCSP packet");
759 
760 module_param(hciextn, bool, 0644);
761 MODULE_PARM_DESC(hciextn, "Convert HCI Extensions into BCSP packets");
762