xref: /linux/drivers/bluetooth/hci_bcsp.c (revision 3932b9ca55b0be314a36d3e84faff3e823c081f5)
1 /*
2  *
3  *  Bluetooth HCI UART driver
4  *
5  *  Copyright (C) 2002-2003  Fabrizio Gennari <fabrizio.gennari@philips.com>
6  *  Copyright (C) 2004-2005  Marcel Holtmann <marcel@holtmann.org>
7  *
8  *
9  *  This program is free software; you can redistribute it and/or modify
10  *  it under the terms of the GNU General Public License as published by
11  *  the Free Software Foundation; either version 2 of the License, or
12  *  (at your option) any later version.
13  *
14  *  This program is distributed in the hope that it will be useful,
15  *  but WITHOUT ANY WARRANTY; without even the implied warranty of
16  *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
17  *  GNU General Public License for more details.
18  *
19  *  You should have received a copy of the GNU General Public License
20  *  along with this program; if not, write to the Free Software
21  *  Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
22  *
23  */
24 
25 #include <linux/module.h>
26 
27 #include <linux/kernel.h>
28 #include <linux/init.h>
29 #include <linux/types.h>
30 #include <linux/fcntl.h>
31 #include <linux/interrupt.h>
32 #include <linux/ptrace.h>
33 #include <linux/poll.h>
34 
35 #include <linux/slab.h>
36 #include <linux/tty.h>
37 #include <linux/errno.h>
38 #include <linux/string.h>
39 #include <linux/signal.h>
40 #include <linux/ioctl.h>
41 #include <linux/skbuff.h>
42 #include <linux/bitrev.h>
43 #include <asm/unaligned.h>
44 
45 #include <net/bluetooth/bluetooth.h>
46 #include <net/bluetooth/hci_core.h>
47 
48 #include "hci_uart.h"
49 
50 #define VERSION "0.3"
51 
52 static bool txcrc = 1;
53 static bool hciextn = 1;
54 
55 #define BCSP_TXWINSIZE	4
56 
57 #define BCSP_ACK_PKT	0x05
58 #define BCSP_LE_PKT	0x06
59 
60 struct bcsp_struct {
61 	struct sk_buff_head unack;	/* Unack'ed packets queue */
62 	struct sk_buff_head rel;	/* Reliable packets queue */
63 	struct sk_buff_head unrel;	/* Unreliable packets queue */
64 
65 	unsigned long rx_count;
66 	struct	sk_buff *rx_skb;
67 	u8	rxseq_txack;		/* rxseq == txack. */
68 	u8	rxack;			/* Last packet sent by us that the peer ack'ed */
69 	struct	timer_list tbcsp;
70 
71 	enum {
72 		BCSP_W4_PKT_DELIMITER,
73 		BCSP_W4_PKT_START,
74 		BCSP_W4_BCSP_HDR,
75 		BCSP_W4_DATA,
76 		BCSP_W4_CRC
77 	} rx_state;
78 
79 	enum {
80 		BCSP_ESCSTATE_NOESC,
81 		BCSP_ESCSTATE_ESC
82 	} rx_esc_state;
83 
84 	u8	use_crc;
85 	u16	message_crc;
86 	u8	txack_req;		/* Do we need to send ack's to the peer? */
87 
88 	/* Reliable packet sequence number - used to assign seq to each rel pkt. */
89 	u8	msgq_txseq;
90 };
91 
92 /* ---- BCSP CRC calculation ---- */
93 
94 /* Table for calculating CRC for polynomial 0x1021, LSB processed first,
95 initial value 0xffff, bits shifted in reverse order. */
96 
97 static const u16 crc_table[] = {
98 	0x0000, 0x1081, 0x2102, 0x3183,
99 	0x4204, 0x5285, 0x6306, 0x7387,
100 	0x8408, 0x9489, 0xa50a, 0xb58b,
101 	0xc60c, 0xd68d, 0xe70e, 0xf78f
102 };
103 
104 /* Initialise the crc calculator */
105 #define BCSP_CRC_INIT(x) x = 0xffff
106 
107 /*
108    Update crc with next data byte
109 
110    Implementation note
111         The data byte is treated as two nibbles.  The crc is generated
112         in reverse, i.e., bits are fed into the register from the top.
113 */
114 static void bcsp_crc_update(u16 *crc, u8 d)
115 {
116 	u16 reg = *crc;
117 
118 	reg = (reg >> 4) ^ crc_table[(reg ^ d) & 0x000f];
119 	reg = (reg >> 4) ^ crc_table[(reg ^ (d >> 4)) & 0x000f];
120 
121 	*crc = reg;
122 }
123 
124 /* ---- BCSP core ---- */
125 
126 static void bcsp_slip_msgdelim(struct sk_buff *skb)
127 {
128 	const char pkt_delim = 0xc0;
129 
130 	memcpy(skb_put(skb, 1), &pkt_delim, 1);
131 }
132 
133 static void bcsp_slip_one_byte(struct sk_buff *skb, u8 c)
134 {
135 	const char esc_c0[2] = { 0xdb, 0xdc };
136 	const char esc_db[2] = { 0xdb, 0xdd };
137 
138 	switch (c) {
139 	case 0xc0:
140 		memcpy(skb_put(skb, 2), &esc_c0, 2);
141 		break;
142 	case 0xdb:
143 		memcpy(skb_put(skb, 2), &esc_db, 2);
144 		break;
145 	default:
146 		memcpy(skb_put(skb, 1), &c, 1);
147 	}
148 }
149 
150 static int bcsp_enqueue(struct hci_uart *hu, struct sk_buff *skb)
151 {
152 	struct bcsp_struct *bcsp = hu->priv;
153 
154 	if (skb->len > 0xFFF) {
155 		BT_ERR("Packet too long");
156 		kfree_skb(skb);
157 		return 0;
158 	}
159 
160 	switch (bt_cb(skb)->pkt_type) {
161 	case HCI_ACLDATA_PKT:
162 	case HCI_COMMAND_PKT:
163 		skb_queue_tail(&bcsp->rel, skb);
164 		break;
165 
166 	case HCI_SCODATA_PKT:
167 		skb_queue_tail(&bcsp->unrel, skb);
168 		break;
169 
170 	default:
171 		BT_ERR("Unknown packet type");
172 		kfree_skb(skb);
173 		break;
174 	}
175 
176 	return 0;
177 }
178 
179 static struct sk_buff *bcsp_prepare_pkt(struct bcsp_struct *bcsp, u8 *data,
180 		int len, int pkt_type)
181 {
182 	struct sk_buff *nskb;
183 	u8 hdr[4], chan;
184 	u16 BCSP_CRC_INIT(bcsp_txmsg_crc);
185 	int rel, i;
186 
187 	switch (pkt_type) {
188 	case HCI_ACLDATA_PKT:
189 		chan = 6;	/* BCSP ACL channel */
190 		rel = 1;	/* reliable channel */
191 		break;
192 	case HCI_COMMAND_PKT:
193 		chan = 5;	/* BCSP cmd/evt channel */
194 		rel = 1;	/* reliable channel */
195 		break;
196 	case HCI_SCODATA_PKT:
197 		chan = 7;	/* BCSP SCO channel */
198 		rel = 0;	/* unreliable channel */
199 		break;
200 	case BCSP_LE_PKT:
201 		chan = 1;	/* BCSP LE channel */
202 		rel = 0;	/* unreliable channel */
203 		break;
204 	case BCSP_ACK_PKT:
205 		chan = 0;	/* BCSP internal channel */
206 		rel = 0;	/* unreliable channel */
207 		break;
208 	default:
209 		BT_ERR("Unknown packet type");
210 		return NULL;
211 	}
212 
213 	if (hciextn && chan == 5) {
214 		__le16 opcode = ((struct hci_command_hdr *)data)->opcode;
215 
216 		/* Vendor specific commands */
217 		if (hci_opcode_ogf(__le16_to_cpu(opcode)) == 0x3f) {
218 			u8 desc = *(data + HCI_COMMAND_HDR_SIZE);
219 			if ((desc & 0xf0) == 0xc0) {
220 				data += HCI_COMMAND_HDR_SIZE + 1;
221 				len  -= HCI_COMMAND_HDR_SIZE + 1;
222 				chan = desc & 0x0f;
223 			}
224 		}
225 	}
226 
227 	/* Max len of packet: (original len +4(bcsp hdr) +2(crc))*2
228 	   (because bytes 0xc0 and 0xdb are escaped, worst case is
229 	   when the packet is all made of 0xc0 and 0xdb :) )
230 	   + 2 (0xc0 delimiters at start and end). */
231 
232 	nskb = alloc_skb((len + 6) * 2 + 2, GFP_ATOMIC);
233 	if (!nskb)
234 		return NULL;
235 
236 	bt_cb(nskb)->pkt_type = pkt_type;
237 
238 	bcsp_slip_msgdelim(nskb);
239 
240 	hdr[0] = bcsp->rxseq_txack << 3;
241 	bcsp->txack_req = 0;
242 	BT_DBG("We request packet no %u to card", bcsp->rxseq_txack);
243 
244 	if (rel) {
245 		hdr[0] |= 0x80 + bcsp->msgq_txseq;
246 		BT_DBG("Sending packet with seqno %u", bcsp->msgq_txseq);
247 		bcsp->msgq_txseq = (bcsp->msgq_txseq + 1) & 0x07;
248 	}
249 
250 	if (bcsp->use_crc)
251 		hdr[0] |= 0x40;
252 
253 	hdr[1] = ((len << 4) & 0xff) | chan;
254 	hdr[2] = len >> 4;
255 	hdr[3] = ~(hdr[0] + hdr[1] + hdr[2]);
256 
257 	/* Put BCSP header */
258 	for (i = 0; i < 4; i++) {
259 		bcsp_slip_one_byte(nskb, hdr[i]);
260 
261 		if (bcsp->use_crc)
262 			bcsp_crc_update(&bcsp_txmsg_crc, hdr[i]);
263 	}
264 
265 	/* Put payload */
266 	for (i = 0; i < len; i++) {
267 		bcsp_slip_one_byte(nskb, data[i]);
268 
269 		if (bcsp->use_crc)
270 			bcsp_crc_update(&bcsp_txmsg_crc, data[i]);
271 	}
272 
273 	/* Put CRC */
274 	if (bcsp->use_crc) {
275 		bcsp_txmsg_crc = bitrev16(bcsp_txmsg_crc);
276 		bcsp_slip_one_byte(nskb, (u8) ((bcsp_txmsg_crc >> 8) & 0x00ff));
277 		bcsp_slip_one_byte(nskb, (u8) (bcsp_txmsg_crc & 0x00ff));
278 	}
279 
280 	bcsp_slip_msgdelim(nskb);
281 	return nskb;
282 }
283 
284 /* This is a rewrite of pkt_avail in ABCSP */
285 static struct sk_buff *bcsp_dequeue(struct hci_uart *hu)
286 {
287 	struct bcsp_struct *bcsp = hu->priv;
288 	unsigned long flags;
289 	struct sk_buff *skb;
290 
291 	/* First of all, check for unreliable messages in the queue,
292 	   since they have priority */
293 
294 	skb = skb_dequeue(&bcsp->unrel);
295 	if (skb != NULL) {
296 		struct sk_buff *nskb = bcsp_prepare_pkt(bcsp, skb->data, skb->len, bt_cb(skb)->pkt_type);
297 		if (nskb) {
298 			kfree_skb(skb);
299 			return nskb;
300 		} else {
301 			skb_queue_head(&bcsp->unrel, skb);
302 			BT_ERR("Could not dequeue pkt because alloc_skb failed");
303 		}
304 	}
305 
306 	/* Now, try to send a reliable pkt. We can only send a
307 	   reliable packet if the number of packets sent but not yet ack'ed
308 	   is < than the winsize */
309 
310 	spin_lock_irqsave_nested(&bcsp->unack.lock, flags, SINGLE_DEPTH_NESTING);
311 
312 	if (bcsp->unack.qlen < BCSP_TXWINSIZE) {
313 		skb = skb_dequeue(&bcsp->rel);
314 		if (skb != NULL) {
315 			struct sk_buff *nskb = bcsp_prepare_pkt(bcsp, skb->data, skb->len,
316 								bt_cb(skb)->pkt_type);
317 			if (nskb) {
318 				__skb_queue_tail(&bcsp->unack, skb);
319 				mod_timer(&bcsp->tbcsp, jiffies + HZ / 4);
320 				spin_unlock_irqrestore(&bcsp->unack.lock, flags);
321 				return nskb;
322 			} else {
323 				skb_queue_head(&bcsp->rel, skb);
324 				BT_ERR("Could not dequeue pkt because alloc_skb failed");
325 			}
326 		}
327 	}
328 
329 	spin_unlock_irqrestore(&bcsp->unack.lock, flags);
330 
331 	/* We could not send a reliable packet, either because there are
332 	   none or because there are too many unack'ed pkts. Did we receive
333 	   any packets we have not acknowledged yet ? */
334 
335 	if (bcsp->txack_req) {
336 		/* if so, craft an empty ACK pkt and send it on BCSP unreliable
337 		   channel 0 */
338 		struct sk_buff *nskb = bcsp_prepare_pkt(bcsp, NULL, 0, BCSP_ACK_PKT);
339 		return nskb;
340 	}
341 
342 	/* We have nothing to send */
343 	return NULL;
344 }
345 
346 static int bcsp_flush(struct hci_uart *hu)
347 {
348 	BT_DBG("hu %p", hu);
349 	return 0;
350 }
351 
352 /* Remove ack'ed packets */
353 static void bcsp_pkt_cull(struct bcsp_struct *bcsp)
354 {
355 	struct sk_buff *skb, *tmp;
356 	unsigned long flags;
357 	int i, pkts_to_be_removed;
358 	u8 seqno;
359 
360 	spin_lock_irqsave(&bcsp->unack.lock, flags);
361 
362 	pkts_to_be_removed = skb_queue_len(&bcsp->unack);
363 	seqno = bcsp->msgq_txseq;
364 
365 	while (pkts_to_be_removed) {
366 		if (bcsp->rxack == seqno)
367 			break;
368 		pkts_to_be_removed--;
369 		seqno = (seqno - 1) & 0x07;
370 	}
371 
372 	if (bcsp->rxack != seqno)
373 		BT_ERR("Peer acked invalid packet");
374 
375 	BT_DBG("Removing %u pkts out of %u, up to seqno %u",
376 	       pkts_to_be_removed, skb_queue_len(&bcsp->unack),
377 	       (seqno - 1) & 0x07);
378 
379 	i = 0;
380 	skb_queue_walk_safe(&bcsp->unack, skb, tmp) {
381 		if (i >= pkts_to_be_removed)
382 			break;
383 		i++;
384 
385 		__skb_unlink(skb, &bcsp->unack);
386 		kfree_skb(skb);
387 	}
388 
389 	if (skb_queue_empty(&bcsp->unack))
390 		del_timer(&bcsp->tbcsp);
391 
392 	spin_unlock_irqrestore(&bcsp->unack.lock, flags);
393 
394 	if (i != pkts_to_be_removed)
395 		BT_ERR("Removed only %u out of %u pkts", i, pkts_to_be_removed);
396 }
397 
398 /* Handle BCSP link-establishment packets. When we
399    detect a "sync" packet, symptom that the BT module has reset,
400    we do nothing :) (yet) */
401 static void bcsp_handle_le_pkt(struct hci_uart *hu)
402 {
403 	struct bcsp_struct *bcsp = hu->priv;
404 	u8 conf_pkt[4]     = { 0xad, 0xef, 0xac, 0xed };
405 	u8 conf_rsp_pkt[4] = { 0xde, 0xad, 0xd0, 0xd0 };
406 	u8 sync_pkt[4]     = { 0xda, 0xdc, 0xed, 0xed };
407 
408 	/* spot "conf" pkts and reply with a "conf rsp" pkt */
409 	if (bcsp->rx_skb->data[1] >> 4 == 4 && bcsp->rx_skb->data[2] == 0 &&
410 			!memcmp(&bcsp->rx_skb->data[4], conf_pkt, 4)) {
411 		struct sk_buff *nskb = alloc_skb(4, GFP_ATOMIC);
412 
413 		BT_DBG("Found a LE conf pkt");
414 		if (!nskb)
415 			return;
416 		memcpy(skb_put(nskb, 4), conf_rsp_pkt, 4);
417 		bt_cb(nskb)->pkt_type = BCSP_LE_PKT;
418 
419 		skb_queue_head(&bcsp->unrel, nskb);
420 		hci_uart_tx_wakeup(hu);
421 	}
422 	/* Spot "sync" pkts. If we find one...disaster! */
423 	else if (bcsp->rx_skb->data[1] >> 4 == 4 && bcsp->rx_skb->data[2] == 0 &&
424 			!memcmp(&bcsp->rx_skb->data[4], sync_pkt, 4)) {
425 		BT_ERR("Found a LE sync pkt, card has reset");
426 	}
427 }
428 
429 static inline void bcsp_unslip_one_byte(struct bcsp_struct *bcsp, unsigned char byte)
430 {
431 	const u8 c0 = 0xc0, db = 0xdb;
432 
433 	switch (bcsp->rx_esc_state) {
434 	case BCSP_ESCSTATE_NOESC:
435 		switch (byte) {
436 		case 0xdb:
437 			bcsp->rx_esc_state = BCSP_ESCSTATE_ESC;
438 			break;
439 		default:
440 			memcpy(skb_put(bcsp->rx_skb, 1), &byte, 1);
441 			if ((bcsp->rx_skb-> data[0] & 0x40) != 0 &&
442 					bcsp->rx_state != BCSP_W4_CRC)
443 				bcsp_crc_update(&bcsp->message_crc, byte);
444 			bcsp->rx_count--;
445 		}
446 		break;
447 
448 	case BCSP_ESCSTATE_ESC:
449 		switch (byte) {
450 		case 0xdc:
451 			memcpy(skb_put(bcsp->rx_skb, 1), &c0, 1);
452 			if ((bcsp->rx_skb-> data[0] & 0x40) != 0 &&
453 					bcsp->rx_state != BCSP_W4_CRC)
454 				bcsp_crc_update(&bcsp-> message_crc, 0xc0);
455 			bcsp->rx_esc_state = BCSP_ESCSTATE_NOESC;
456 			bcsp->rx_count--;
457 			break;
458 
459 		case 0xdd:
460 			memcpy(skb_put(bcsp->rx_skb, 1), &db, 1);
461 			if ((bcsp->rx_skb-> data[0] & 0x40) != 0 &&
462 					bcsp->rx_state != BCSP_W4_CRC)
463 				bcsp_crc_update(&bcsp-> message_crc, 0xdb);
464 			bcsp->rx_esc_state = BCSP_ESCSTATE_NOESC;
465 			bcsp->rx_count--;
466 			break;
467 
468 		default:
469 			BT_ERR ("Invalid byte %02x after esc byte", byte);
470 			kfree_skb(bcsp->rx_skb);
471 			bcsp->rx_skb = NULL;
472 			bcsp->rx_state = BCSP_W4_PKT_DELIMITER;
473 			bcsp->rx_count = 0;
474 		}
475 	}
476 }
477 
478 static void bcsp_complete_rx_pkt(struct hci_uart *hu)
479 {
480 	struct bcsp_struct *bcsp = hu->priv;
481 	int pass_up;
482 
483 	if (bcsp->rx_skb->data[0] & 0x80) {	/* reliable pkt */
484 		BT_DBG("Received seqno %u from card", bcsp->rxseq_txack);
485 		bcsp->rxseq_txack++;
486 		bcsp->rxseq_txack %= 0x8;
487 		bcsp->txack_req    = 1;
488 
489 		/* If needed, transmit an ack pkt */
490 		hci_uart_tx_wakeup(hu);
491 	}
492 
493 	bcsp->rxack = (bcsp->rx_skb->data[0] >> 3) & 0x07;
494 	BT_DBG("Request for pkt %u from card", bcsp->rxack);
495 
496 	bcsp_pkt_cull(bcsp);
497 	if ((bcsp->rx_skb->data[1] & 0x0f) == 6 &&
498 			bcsp->rx_skb->data[0] & 0x80) {
499 		bt_cb(bcsp->rx_skb)->pkt_type = HCI_ACLDATA_PKT;
500 		pass_up = 1;
501 	} else if ((bcsp->rx_skb->data[1] & 0x0f) == 5 &&
502 			bcsp->rx_skb->data[0] & 0x80) {
503 		bt_cb(bcsp->rx_skb)->pkt_type = HCI_EVENT_PKT;
504 		pass_up = 1;
505 	} else if ((bcsp->rx_skb->data[1] & 0x0f) == 7) {
506 		bt_cb(bcsp->rx_skb)->pkt_type = HCI_SCODATA_PKT;
507 		pass_up = 1;
508 	} else if ((bcsp->rx_skb->data[1] & 0x0f) == 1 &&
509 			!(bcsp->rx_skb->data[0] & 0x80)) {
510 		bcsp_handle_le_pkt(hu);
511 		pass_up = 0;
512 	} else
513 		pass_up = 0;
514 
515 	if (!pass_up) {
516 		struct hci_event_hdr hdr;
517 		u8 desc = (bcsp->rx_skb->data[1] & 0x0f);
518 
519 		if (desc != 0 && desc != 1) {
520 			if (hciextn) {
521 				desc |= 0xc0;
522 				skb_pull(bcsp->rx_skb, 4);
523 				memcpy(skb_push(bcsp->rx_skb, 1), &desc, 1);
524 
525 				hdr.evt = 0xff;
526 				hdr.plen = bcsp->rx_skb->len;
527 				memcpy(skb_push(bcsp->rx_skb, HCI_EVENT_HDR_SIZE), &hdr, HCI_EVENT_HDR_SIZE);
528 				bt_cb(bcsp->rx_skb)->pkt_type = HCI_EVENT_PKT;
529 
530 				hci_recv_frame(hu->hdev, bcsp->rx_skb);
531 			} else {
532 				BT_ERR ("Packet for unknown channel (%u %s)",
533 					bcsp->rx_skb->data[1] & 0x0f,
534 					bcsp->rx_skb->data[0] & 0x80 ?
535 					"reliable" : "unreliable");
536 				kfree_skb(bcsp->rx_skb);
537 			}
538 		} else
539 			kfree_skb(bcsp->rx_skb);
540 	} else {
541 		/* Pull out BCSP hdr */
542 		skb_pull(bcsp->rx_skb, 4);
543 
544 		hci_recv_frame(hu->hdev, bcsp->rx_skb);
545 	}
546 
547 	bcsp->rx_state = BCSP_W4_PKT_DELIMITER;
548 	bcsp->rx_skb = NULL;
549 }
550 
551 static u16 bscp_get_crc(struct bcsp_struct *bcsp)
552 {
553 	return get_unaligned_be16(&bcsp->rx_skb->data[bcsp->rx_skb->len - 2]);
554 }
555 
556 /* Recv data */
557 static int bcsp_recv(struct hci_uart *hu, void *data, int count)
558 {
559 	struct bcsp_struct *bcsp = hu->priv;
560 	unsigned char *ptr;
561 
562 	BT_DBG("hu %p count %d rx_state %d rx_count %ld",
563 		hu, count, bcsp->rx_state, bcsp->rx_count);
564 
565 	ptr = data;
566 	while (count) {
567 		if (bcsp->rx_count) {
568 			if (*ptr == 0xc0) {
569 				BT_ERR("Short BCSP packet");
570 				kfree_skb(bcsp->rx_skb);
571 				bcsp->rx_state = BCSP_W4_PKT_START;
572 				bcsp->rx_count = 0;
573 			} else
574 				bcsp_unslip_one_byte(bcsp, *ptr);
575 
576 			ptr++; count--;
577 			continue;
578 		}
579 
580 		switch (bcsp->rx_state) {
581 		case BCSP_W4_BCSP_HDR:
582 			if ((0xff & (u8) ~ (bcsp->rx_skb->data[0] + bcsp->rx_skb->data[1] +
583 					bcsp->rx_skb->data[2])) != bcsp->rx_skb->data[3]) {
584 				BT_ERR("Error in BCSP hdr checksum");
585 				kfree_skb(bcsp->rx_skb);
586 				bcsp->rx_state = BCSP_W4_PKT_DELIMITER;
587 				bcsp->rx_count = 0;
588 				continue;
589 			}
590 			if (bcsp->rx_skb->data[0] & 0x80	/* reliable pkt */
591 			    		&& (bcsp->rx_skb->data[0] & 0x07) != bcsp->rxseq_txack) {
592 				BT_ERR ("Out-of-order packet arrived, got %u expected %u",
593 					bcsp->rx_skb->data[0] & 0x07, bcsp->rxseq_txack);
594 
595 				kfree_skb(bcsp->rx_skb);
596 				bcsp->rx_state = BCSP_W4_PKT_DELIMITER;
597 				bcsp->rx_count = 0;
598 				continue;
599 			}
600 			bcsp->rx_state = BCSP_W4_DATA;
601 			bcsp->rx_count = (bcsp->rx_skb->data[1] >> 4) +
602 					(bcsp->rx_skb->data[2] << 4);	/* May be 0 */
603 			continue;
604 
605 		case BCSP_W4_DATA:
606 			if (bcsp->rx_skb->data[0] & 0x40) {	/* pkt with crc */
607 				bcsp->rx_state = BCSP_W4_CRC;
608 				bcsp->rx_count = 2;
609 			} else
610 				bcsp_complete_rx_pkt(hu);
611 			continue;
612 
613 		case BCSP_W4_CRC:
614 			if (bitrev16(bcsp->message_crc) != bscp_get_crc(bcsp)) {
615 				BT_ERR ("Checksum failed: computed %04x received %04x",
616 					bitrev16(bcsp->message_crc),
617 					bscp_get_crc(bcsp));
618 
619 				kfree_skb(bcsp->rx_skb);
620 				bcsp->rx_state = BCSP_W4_PKT_DELIMITER;
621 				bcsp->rx_count = 0;
622 				continue;
623 			}
624 			skb_trim(bcsp->rx_skb, bcsp->rx_skb->len - 2);
625 			bcsp_complete_rx_pkt(hu);
626 			continue;
627 
628 		case BCSP_W4_PKT_DELIMITER:
629 			switch (*ptr) {
630 			case 0xc0:
631 				bcsp->rx_state = BCSP_W4_PKT_START;
632 				break;
633 			default:
634 				/*BT_ERR("Ignoring byte %02x", *ptr);*/
635 				break;
636 			}
637 			ptr++; count--;
638 			break;
639 
640 		case BCSP_W4_PKT_START:
641 			switch (*ptr) {
642 			case 0xc0:
643 				ptr++; count--;
644 				break;
645 
646 			default:
647 				bcsp->rx_state = BCSP_W4_BCSP_HDR;
648 				bcsp->rx_count = 4;
649 				bcsp->rx_esc_state = BCSP_ESCSTATE_NOESC;
650 				BCSP_CRC_INIT(bcsp->message_crc);
651 
652 				/* Do not increment ptr or decrement count
653 				 * Allocate packet. Max len of a BCSP pkt=
654 				 * 0xFFF (payload) +4 (header) +2 (crc) */
655 
656 				bcsp->rx_skb = bt_skb_alloc(0x1005, GFP_ATOMIC);
657 				if (!bcsp->rx_skb) {
658 					BT_ERR("Can't allocate mem for new packet");
659 					bcsp->rx_state = BCSP_W4_PKT_DELIMITER;
660 					bcsp->rx_count = 0;
661 					return 0;
662 				}
663 				break;
664 			}
665 			break;
666 		}
667 	}
668 	return count;
669 }
670 
671 	/* Arrange to retransmit all messages in the relq. */
672 static void bcsp_timed_event(unsigned long arg)
673 {
674 	struct hci_uart *hu = (struct hci_uart *) arg;
675 	struct bcsp_struct *bcsp = hu->priv;
676 	struct sk_buff *skb;
677 	unsigned long flags;
678 
679 	BT_DBG("hu %p retransmitting %u pkts", hu, bcsp->unack.qlen);
680 
681 	spin_lock_irqsave_nested(&bcsp->unack.lock, flags, SINGLE_DEPTH_NESTING);
682 
683 	while ((skb = __skb_dequeue_tail(&bcsp->unack)) != NULL) {
684 		bcsp->msgq_txseq = (bcsp->msgq_txseq - 1) & 0x07;
685 		skb_queue_head(&bcsp->rel, skb);
686 	}
687 
688 	spin_unlock_irqrestore(&bcsp->unack.lock, flags);
689 
690 	hci_uart_tx_wakeup(hu);
691 }
692 
693 static int bcsp_open(struct hci_uart *hu)
694 {
695 	struct bcsp_struct *bcsp;
696 
697 	BT_DBG("hu %p", hu);
698 
699 	bcsp = kzalloc(sizeof(*bcsp), GFP_KERNEL);
700 	if (!bcsp)
701 		return -ENOMEM;
702 
703 	hu->priv = bcsp;
704 	skb_queue_head_init(&bcsp->unack);
705 	skb_queue_head_init(&bcsp->rel);
706 	skb_queue_head_init(&bcsp->unrel);
707 
708 	init_timer(&bcsp->tbcsp);
709 	bcsp->tbcsp.function = bcsp_timed_event;
710 	bcsp->tbcsp.data     = (u_long) hu;
711 
712 	bcsp->rx_state = BCSP_W4_PKT_DELIMITER;
713 
714 	if (txcrc)
715 		bcsp->use_crc = 1;
716 
717 	return 0;
718 }
719 
720 static int bcsp_close(struct hci_uart *hu)
721 {
722 	struct bcsp_struct *bcsp = hu->priv;
723 
724 	del_timer_sync(&bcsp->tbcsp);
725 
726 	hu->priv = NULL;
727 
728 	BT_DBG("hu %p", hu);
729 
730 	skb_queue_purge(&bcsp->unack);
731 	skb_queue_purge(&bcsp->rel);
732 	skb_queue_purge(&bcsp->unrel);
733 
734 	kfree(bcsp);
735 	return 0;
736 }
737 
738 static struct hci_uart_proto bcsp = {
739 	.id		= HCI_UART_BCSP,
740 	.open		= bcsp_open,
741 	.close		= bcsp_close,
742 	.enqueue	= bcsp_enqueue,
743 	.dequeue	= bcsp_dequeue,
744 	.recv		= bcsp_recv,
745 	.flush		= bcsp_flush
746 };
747 
748 int __init bcsp_init(void)
749 {
750 	int err = hci_uart_register_proto(&bcsp);
751 
752 	if (!err)
753 		BT_INFO("HCI BCSP protocol initialized");
754 	else
755 		BT_ERR("HCI BCSP protocol registration failed");
756 
757 	return err;
758 }
759 
760 int __exit bcsp_deinit(void)
761 {
762 	return hci_uart_unregister_proto(&bcsp);
763 }
764 
765 module_param(txcrc, bool, 0644);
766 MODULE_PARM_DESC(txcrc, "Transmit CRC with every BCSP packet");
767 
768 module_param(hciextn, bool, 0644);
769 MODULE_PARM_DESC(hciextn, "Convert HCI Extensions into BCSP packets");
770