1 /* 2 * 3 * AVM BlueFRITZ! USB driver 4 * 5 * Copyright (C) 2003-2006 Marcel Holtmann <marcel@holtmann.org> 6 * 7 * 8 * This program is free software; you can redistribute it and/or modify 9 * it under the terms of the GNU General Public License as published by 10 * the Free Software Foundation; either version 2 of the License, or 11 * (at your option) any later version. 12 * 13 * This program is distributed in the hope that it will be useful, 14 * but WITHOUT ANY WARRANTY; without even the implied warranty of 15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 16 * GNU General Public License for more details. 17 * 18 * You should have received a copy of the GNU General Public License 19 * along with this program; if not, write to the Free Software 20 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA 21 * 22 */ 23 24 #include <linux/module.h> 25 26 #include <linux/kernel.h> 27 #include <linux/init.h> 28 #include <linux/slab.h> 29 #include <linux/types.h> 30 #include <linux/errno.h> 31 #include <linux/skbuff.h> 32 33 #include <linux/device.h> 34 #include <linux/firmware.h> 35 36 #include <linux/usb.h> 37 38 #include <net/bluetooth/bluetooth.h> 39 #include <net/bluetooth/hci_core.h> 40 41 #define VERSION "1.2" 42 43 static struct usb_driver bfusb_driver; 44 45 static const struct usb_device_id bfusb_table[] = { 46 /* AVM BlueFRITZ! USB */ 47 { USB_DEVICE(0x057c, 0x2200) }, 48 49 { } /* Terminating entry */ 50 }; 51 52 MODULE_DEVICE_TABLE(usb, bfusb_table); 53 54 #define BFUSB_MAX_BLOCK_SIZE 256 55 56 #define BFUSB_BLOCK_TIMEOUT 3000 57 58 #define BFUSB_TX_PROCESS 1 59 #define BFUSB_TX_WAKEUP 2 60 61 #define BFUSB_MAX_BULK_TX 2 62 #define BFUSB_MAX_BULK_RX 2 63 64 struct bfusb_data { 65 struct hci_dev *hdev; 66 67 unsigned long state; 68 69 struct usb_device *udev; 70 71 unsigned int bulk_in_ep; 72 unsigned int bulk_out_ep; 73 unsigned int bulk_pkt_size; 74 75 rwlock_t lock; 76 77 struct sk_buff_head transmit_q; 78 79 struct sk_buff *reassembly; 80 81 atomic_t pending_tx; 82 struct sk_buff_head pending_q; 83 struct sk_buff_head completed_q; 84 }; 85 86 struct bfusb_data_scb { 87 struct urb *urb; 88 }; 89 90 static void bfusb_tx_complete(struct urb *urb); 91 static void bfusb_rx_complete(struct urb *urb); 92 93 static struct urb *bfusb_get_completed(struct bfusb_data *data) 94 { 95 struct sk_buff *skb; 96 struct urb *urb = NULL; 97 98 BT_DBG("bfusb %p", data); 99 100 skb = skb_dequeue(&data->completed_q); 101 if (skb) { 102 urb = ((struct bfusb_data_scb *) skb->cb)->urb; 103 kfree_skb(skb); 104 } 105 106 return urb; 107 } 108 109 static void bfusb_unlink_urbs(struct bfusb_data *data) 110 { 111 struct sk_buff *skb; 112 struct urb *urb; 113 114 BT_DBG("bfusb %p", data); 115 116 while ((skb = skb_dequeue(&data->pending_q))) { 117 urb = ((struct bfusb_data_scb *) skb->cb)->urb; 118 usb_kill_urb(urb); 119 skb_queue_tail(&data->completed_q, skb); 120 } 121 122 while ((urb = bfusb_get_completed(data))) 123 usb_free_urb(urb); 124 } 125 126 static int bfusb_send_bulk(struct bfusb_data *data, struct sk_buff *skb) 127 { 128 struct bfusb_data_scb *scb = (void *) skb->cb; 129 struct urb *urb = bfusb_get_completed(data); 130 int err, pipe; 131 132 BT_DBG("bfusb %p skb %p len %d", data, skb, skb->len); 133 134 if (!urb) { 135 urb = usb_alloc_urb(0, GFP_ATOMIC); 136 if (!urb) 137 return -ENOMEM; 138 } 139 140 pipe = usb_sndbulkpipe(data->udev, data->bulk_out_ep); 141 142 usb_fill_bulk_urb(urb, data->udev, pipe, skb->data, skb->len, 143 bfusb_tx_complete, skb); 144 145 scb->urb = urb; 146 147 skb_queue_tail(&data->pending_q, skb); 148 149 err = usb_submit_urb(urb, GFP_ATOMIC); 150 if (err) { 151 BT_ERR("%s bulk tx submit failed urb %p err %d", 152 data->hdev->name, urb, err); 153 skb_unlink(skb, &data->pending_q); 154 usb_free_urb(urb); 155 } else 156 atomic_inc(&data->pending_tx); 157 158 return err; 159 } 160 161 static void bfusb_tx_wakeup(struct bfusb_data *data) 162 { 163 struct sk_buff *skb; 164 165 BT_DBG("bfusb %p", data); 166 167 if (test_and_set_bit(BFUSB_TX_PROCESS, &data->state)) { 168 set_bit(BFUSB_TX_WAKEUP, &data->state); 169 return; 170 } 171 172 do { 173 clear_bit(BFUSB_TX_WAKEUP, &data->state); 174 175 while ((atomic_read(&data->pending_tx) < BFUSB_MAX_BULK_TX) && 176 (skb = skb_dequeue(&data->transmit_q))) { 177 if (bfusb_send_bulk(data, skb) < 0) { 178 skb_queue_head(&data->transmit_q, skb); 179 break; 180 } 181 } 182 183 } while (test_bit(BFUSB_TX_WAKEUP, &data->state)); 184 185 clear_bit(BFUSB_TX_PROCESS, &data->state); 186 } 187 188 static void bfusb_tx_complete(struct urb *urb) 189 { 190 struct sk_buff *skb = (struct sk_buff *) urb->context; 191 struct bfusb_data *data = (struct bfusb_data *) skb->dev; 192 193 BT_DBG("bfusb %p urb %p skb %p len %d", data, urb, skb, skb->len); 194 195 atomic_dec(&data->pending_tx); 196 197 if (!test_bit(HCI_RUNNING, &data->hdev->flags)) 198 return; 199 200 if (!urb->status) 201 data->hdev->stat.byte_tx += skb->len; 202 else 203 data->hdev->stat.err_tx++; 204 205 read_lock(&data->lock); 206 207 skb_unlink(skb, &data->pending_q); 208 skb_queue_tail(&data->completed_q, skb); 209 210 bfusb_tx_wakeup(data); 211 212 read_unlock(&data->lock); 213 } 214 215 216 static int bfusb_rx_submit(struct bfusb_data *data, struct urb *urb) 217 { 218 struct bfusb_data_scb *scb; 219 struct sk_buff *skb; 220 int err, pipe, size = HCI_MAX_FRAME_SIZE + 32; 221 222 BT_DBG("bfusb %p urb %p", data, urb); 223 224 if (!urb) { 225 urb = usb_alloc_urb(0, GFP_ATOMIC); 226 if (!urb) 227 return -ENOMEM; 228 } 229 230 skb = bt_skb_alloc(size, GFP_ATOMIC); 231 if (!skb) { 232 usb_free_urb(urb); 233 return -ENOMEM; 234 } 235 236 skb->dev = (void *) data; 237 238 scb = (struct bfusb_data_scb *) skb->cb; 239 scb->urb = urb; 240 241 pipe = usb_rcvbulkpipe(data->udev, data->bulk_in_ep); 242 243 usb_fill_bulk_urb(urb, data->udev, pipe, skb->data, size, 244 bfusb_rx_complete, skb); 245 246 skb_queue_tail(&data->pending_q, skb); 247 248 err = usb_submit_urb(urb, GFP_ATOMIC); 249 if (err) { 250 BT_ERR("%s bulk rx submit failed urb %p err %d", 251 data->hdev->name, urb, err); 252 skb_unlink(skb, &data->pending_q); 253 kfree_skb(skb); 254 usb_free_urb(urb); 255 } 256 257 return err; 258 } 259 260 static inline int bfusb_recv_block(struct bfusb_data *data, int hdr, unsigned char *buf, int len) 261 { 262 BT_DBG("bfusb %p hdr 0x%02x data %p len %d", data, hdr, buf, len); 263 264 if (hdr & 0x10) { 265 BT_ERR("%s error in block", data->hdev->name); 266 kfree_skb(data->reassembly); 267 data->reassembly = NULL; 268 return -EIO; 269 } 270 271 if (hdr & 0x04) { 272 struct sk_buff *skb; 273 unsigned char pkt_type; 274 int pkt_len = 0; 275 276 if (data->reassembly) { 277 BT_ERR("%s unexpected start block", data->hdev->name); 278 kfree_skb(data->reassembly); 279 data->reassembly = NULL; 280 } 281 282 if (len < 1) { 283 BT_ERR("%s no packet type found", data->hdev->name); 284 return -EPROTO; 285 } 286 287 pkt_type = *buf++; len--; 288 289 switch (pkt_type) { 290 case HCI_EVENT_PKT: 291 if (len >= HCI_EVENT_HDR_SIZE) { 292 struct hci_event_hdr *hdr = (struct hci_event_hdr *) buf; 293 pkt_len = HCI_EVENT_HDR_SIZE + hdr->plen; 294 } else { 295 BT_ERR("%s event block is too short", data->hdev->name); 296 return -EILSEQ; 297 } 298 break; 299 300 case HCI_ACLDATA_PKT: 301 if (len >= HCI_ACL_HDR_SIZE) { 302 struct hci_acl_hdr *hdr = (struct hci_acl_hdr *) buf; 303 pkt_len = HCI_ACL_HDR_SIZE + __le16_to_cpu(hdr->dlen); 304 } else { 305 BT_ERR("%s data block is too short", data->hdev->name); 306 return -EILSEQ; 307 } 308 break; 309 310 case HCI_SCODATA_PKT: 311 if (len >= HCI_SCO_HDR_SIZE) { 312 struct hci_sco_hdr *hdr = (struct hci_sco_hdr *) buf; 313 pkt_len = HCI_SCO_HDR_SIZE + hdr->dlen; 314 } else { 315 BT_ERR("%s audio block is too short", data->hdev->name); 316 return -EILSEQ; 317 } 318 break; 319 } 320 321 skb = bt_skb_alloc(pkt_len, GFP_ATOMIC); 322 if (!skb) { 323 BT_ERR("%s no memory for the packet", data->hdev->name); 324 return -ENOMEM; 325 } 326 327 bt_cb(skb)->pkt_type = pkt_type; 328 329 data->reassembly = skb; 330 } else { 331 if (!data->reassembly) { 332 BT_ERR("%s unexpected continuation block", data->hdev->name); 333 return -EIO; 334 } 335 } 336 337 if (len > 0) 338 memcpy(skb_put(data->reassembly, len), buf, len); 339 340 if (hdr & 0x08) { 341 hci_recv_frame(data->hdev, data->reassembly); 342 data->reassembly = NULL; 343 } 344 345 return 0; 346 } 347 348 static void bfusb_rx_complete(struct urb *urb) 349 { 350 struct sk_buff *skb = (struct sk_buff *) urb->context; 351 struct bfusb_data *data = (struct bfusb_data *) skb->dev; 352 unsigned char *buf = urb->transfer_buffer; 353 int count = urb->actual_length; 354 int err, hdr, len; 355 356 BT_DBG("bfusb %p urb %p skb %p len %d", data, urb, skb, skb->len); 357 358 read_lock(&data->lock); 359 360 if (!test_bit(HCI_RUNNING, &data->hdev->flags)) 361 goto unlock; 362 363 if (urb->status || !count) 364 goto resubmit; 365 366 data->hdev->stat.byte_rx += count; 367 368 skb_put(skb, count); 369 370 while (count) { 371 hdr = buf[0] | (buf[1] << 8); 372 373 if (hdr & 0x4000) { 374 len = 0; 375 count -= 2; 376 buf += 2; 377 } else { 378 len = (buf[2] == 0) ? 256 : buf[2]; 379 count -= 3; 380 buf += 3; 381 } 382 383 if (count < len) { 384 BT_ERR("%s block extends over URB buffer ranges", 385 data->hdev->name); 386 } 387 388 if ((hdr & 0xe1) == 0xc1) 389 bfusb_recv_block(data, hdr, buf, len); 390 391 count -= len; 392 buf += len; 393 } 394 395 skb_unlink(skb, &data->pending_q); 396 kfree_skb(skb); 397 398 bfusb_rx_submit(data, urb); 399 400 read_unlock(&data->lock); 401 402 return; 403 404 resubmit: 405 urb->dev = data->udev; 406 407 err = usb_submit_urb(urb, GFP_ATOMIC); 408 if (err) { 409 BT_ERR("%s bulk resubmit failed urb %p err %d", 410 data->hdev->name, urb, err); 411 } 412 413 unlock: 414 read_unlock(&data->lock); 415 } 416 417 static int bfusb_open(struct hci_dev *hdev) 418 { 419 struct bfusb_data *data = hci_get_drvdata(hdev); 420 unsigned long flags; 421 int i, err; 422 423 BT_DBG("hdev %p bfusb %p", hdev, data); 424 425 write_lock_irqsave(&data->lock, flags); 426 427 err = bfusb_rx_submit(data, NULL); 428 if (!err) { 429 for (i = 1; i < BFUSB_MAX_BULK_RX; i++) 430 bfusb_rx_submit(data, NULL); 431 } 432 433 write_unlock_irqrestore(&data->lock, flags); 434 435 return err; 436 } 437 438 static int bfusb_flush(struct hci_dev *hdev) 439 { 440 struct bfusb_data *data = hci_get_drvdata(hdev); 441 442 BT_DBG("hdev %p bfusb %p", hdev, data); 443 444 skb_queue_purge(&data->transmit_q); 445 446 return 0; 447 } 448 449 static int bfusb_close(struct hci_dev *hdev) 450 { 451 struct bfusb_data *data = hci_get_drvdata(hdev); 452 unsigned long flags; 453 454 BT_DBG("hdev %p bfusb %p", hdev, data); 455 456 write_lock_irqsave(&data->lock, flags); 457 write_unlock_irqrestore(&data->lock, flags); 458 459 bfusb_unlink_urbs(data); 460 bfusb_flush(hdev); 461 462 return 0; 463 } 464 465 static int bfusb_send_frame(struct hci_dev *hdev, struct sk_buff *skb) 466 { 467 struct bfusb_data *data = hci_get_drvdata(hdev); 468 struct sk_buff *nskb; 469 unsigned char buf[3]; 470 int sent = 0, size, count; 471 472 BT_DBG("hdev %p skb %p type %d len %d", hdev, skb, bt_cb(skb)->pkt_type, skb->len); 473 474 switch (bt_cb(skb)->pkt_type) { 475 case HCI_COMMAND_PKT: 476 hdev->stat.cmd_tx++; 477 break; 478 case HCI_ACLDATA_PKT: 479 hdev->stat.acl_tx++; 480 break; 481 case HCI_SCODATA_PKT: 482 hdev->stat.sco_tx++; 483 break; 484 } 485 486 /* Prepend skb with frame type */ 487 memcpy(skb_push(skb, 1), &bt_cb(skb)->pkt_type, 1); 488 489 count = skb->len; 490 491 /* Max HCI frame size seems to be 1511 + 1 */ 492 nskb = bt_skb_alloc(count + 32, GFP_ATOMIC); 493 if (!nskb) { 494 BT_ERR("Can't allocate memory for new packet"); 495 return -ENOMEM; 496 } 497 498 nskb->dev = (void *) data; 499 500 while (count) { 501 size = min_t(uint, count, BFUSB_MAX_BLOCK_SIZE); 502 503 buf[0] = 0xc1 | ((sent == 0) ? 0x04 : 0) | ((count == size) ? 0x08 : 0); 504 buf[1] = 0x00; 505 buf[2] = (size == BFUSB_MAX_BLOCK_SIZE) ? 0 : size; 506 507 memcpy(skb_put(nskb, 3), buf, 3); 508 skb_copy_from_linear_data_offset(skb, sent, skb_put(nskb, size), size); 509 510 sent += size; 511 count -= size; 512 } 513 514 /* Don't send frame with multiple size of bulk max packet */ 515 if ((nskb->len % data->bulk_pkt_size) == 0) { 516 buf[0] = 0xdd; 517 buf[1] = 0x00; 518 memcpy(skb_put(nskb, 2), buf, 2); 519 } 520 521 read_lock(&data->lock); 522 523 skb_queue_tail(&data->transmit_q, nskb); 524 bfusb_tx_wakeup(data); 525 526 read_unlock(&data->lock); 527 528 kfree_skb(skb); 529 530 return 0; 531 } 532 533 static int bfusb_load_firmware(struct bfusb_data *data, 534 const unsigned char *firmware, int count) 535 { 536 unsigned char *buf; 537 int err, pipe, len, size, sent = 0; 538 539 BT_DBG("bfusb %p udev %p", data, data->udev); 540 541 BT_INFO("BlueFRITZ! USB loading firmware"); 542 543 buf = kmalloc(BFUSB_MAX_BLOCK_SIZE + 3, GFP_KERNEL); 544 if (!buf) { 545 BT_ERR("Can't allocate memory chunk for firmware"); 546 return -ENOMEM; 547 } 548 549 pipe = usb_sndctrlpipe(data->udev, 0); 550 551 if (usb_control_msg(data->udev, pipe, USB_REQ_SET_CONFIGURATION, 552 0, 1, 0, NULL, 0, USB_CTRL_SET_TIMEOUT) < 0) { 553 BT_ERR("Can't change to loading configuration"); 554 kfree(buf); 555 return -EBUSY; 556 } 557 558 data->udev->toggle[0] = data->udev->toggle[1] = 0; 559 560 pipe = usb_sndbulkpipe(data->udev, data->bulk_out_ep); 561 562 while (count) { 563 size = min_t(uint, count, BFUSB_MAX_BLOCK_SIZE + 3); 564 565 memcpy(buf, firmware + sent, size); 566 567 err = usb_bulk_msg(data->udev, pipe, buf, size, 568 &len, BFUSB_BLOCK_TIMEOUT); 569 570 if (err || (len != size)) { 571 BT_ERR("Error in firmware loading"); 572 goto error; 573 } 574 575 sent += size; 576 count -= size; 577 } 578 579 err = usb_bulk_msg(data->udev, pipe, NULL, 0, 580 &len, BFUSB_BLOCK_TIMEOUT); 581 if (err < 0) { 582 BT_ERR("Error in null packet request"); 583 goto error; 584 } 585 586 pipe = usb_sndctrlpipe(data->udev, 0); 587 588 err = usb_control_msg(data->udev, pipe, USB_REQ_SET_CONFIGURATION, 589 0, 2, 0, NULL, 0, USB_CTRL_SET_TIMEOUT); 590 if (err < 0) { 591 BT_ERR("Can't change to running configuration"); 592 goto error; 593 } 594 595 data->udev->toggle[0] = data->udev->toggle[1] = 0; 596 597 BT_INFO("BlueFRITZ! USB device ready"); 598 599 kfree(buf); 600 return 0; 601 602 error: 603 kfree(buf); 604 605 pipe = usb_sndctrlpipe(data->udev, 0); 606 607 usb_control_msg(data->udev, pipe, USB_REQ_SET_CONFIGURATION, 608 0, 0, 0, NULL, 0, USB_CTRL_SET_TIMEOUT); 609 610 return err; 611 } 612 613 static int bfusb_probe(struct usb_interface *intf, const struct usb_device_id *id) 614 { 615 const struct firmware *firmware; 616 struct usb_device *udev = interface_to_usbdev(intf); 617 struct usb_host_endpoint *bulk_out_ep; 618 struct usb_host_endpoint *bulk_in_ep; 619 struct hci_dev *hdev; 620 struct bfusb_data *data; 621 622 BT_DBG("intf %p id %p", intf, id); 623 624 /* Check number of endpoints */ 625 if (intf->cur_altsetting->desc.bNumEndpoints < 2) 626 return -EIO; 627 628 bulk_out_ep = &intf->cur_altsetting->endpoint[0]; 629 bulk_in_ep = &intf->cur_altsetting->endpoint[1]; 630 631 if (!bulk_out_ep || !bulk_in_ep) { 632 BT_ERR("Bulk endpoints not found"); 633 goto done; 634 } 635 636 /* Initialize control structure and load firmware */ 637 data = devm_kzalloc(&intf->dev, sizeof(struct bfusb_data), GFP_KERNEL); 638 if (!data) { 639 BT_ERR("Can't allocate memory for control structure"); 640 goto done; 641 } 642 643 data->udev = udev; 644 data->bulk_in_ep = bulk_in_ep->desc.bEndpointAddress; 645 data->bulk_out_ep = bulk_out_ep->desc.bEndpointAddress; 646 data->bulk_pkt_size = le16_to_cpu(bulk_out_ep->desc.wMaxPacketSize); 647 648 rwlock_init(&data->lock); 649 650 data->reassembly = NULL; 651 652 skb_queue_head_init(&data->transmit_q); 653 skb_queue_head_init(&data->pending_q); 654 skb_queue_head_init(&data->completed_q); 655 656 if (request_firmware(&firmware, "bfubase.frm", &udev->dev) < 0) { 657 BT_ERR("Firmware request failed"); 658 goto done; 659 } 660 661 BT_DBG("firmware data %p size %zu", firmware->data, firmware->size); 662 663 if (bfusb_load_firmware(data, firmware->data, firmware->size) < 0) { 664 BT_ERR("Firmware loading failed"); 665 goto release; 666 } 667 668 release_firmware(firmware); 669 670 /* Initialize and register HCI device */ 671 hdev = hci_alloc_dev(); 672 if (!hdev) { 673 BT_ERR("Can't allocate HCI device"); 674 goto done; 675 } 676 677 data->hdev = hdev; 678 679 hdev->bus = HCI_USB; 680 hci_set_drvdata(hdev, data); 681 SET_HCIDEV_DEV(hdev, &intf->dev); 682 683 hdev->open = bfusb_open; 684 hdev->close = bfusb_close; 685 hdev->flush = bfusb_flush; 686 hdev->send = bfusb_send_frame; 687 688 set_bit(HCI_QUIRK_BROKEN_LOCAL_COMMANDS, &hdev->quirks); 689 690 if (hci_register_dev(hdev) < 0) { 691 BT_ERR("Can't register HCI device"); 692 hci_free_dev(hdev); 693 goto done; 694 } 695 696 usb_set_intfdata(intf, data); 697 698 return 0; 699 700 release: 701 release_firmware(firmware); 702 703 done: 704 return -EIO; 705 } 706 707 static void bfusb_disconnect(struct usb_interface *intf) 708 { 709 struct bfusb_data *data = usb_get_intfdata(intf); 710 struct hci_dev *hdev = data->hdev; 711 712 BT_DBG("intf %p", intf); 713 714 if (!hdev) 715 return; 716 717 usb_set_intfdata(intf, NULL); 718 719 bfusb_close(hdev); 720 721 hci_unregister_dev(hdev); 722 hci_free_dev(hdev); 723 } 724 725 static struct usb_driver bfusb_driver = { 726 .name = "bfusb", 727 .probe = bfusb_probe, 728 .disconnect = bfusb_disconnect, 729 .id_table = bfusb_table, 730 .disable_hub_initiated_lpm = 1, 731 }; 732 733 module_usb_driver(bfusb_driver); 734 735 MODULE_AUTHOR("Marcel Holtmann <marcel@holtmann.org>"); 736 MODULE_DESCRIPTION("BlueFRITZ! USB driver ver " VERSION); 737 MODULE_VERSION(VERSION); 738 MODULE_LICENSE("GPL"); 739 MODULE_FIRMWARE("bfubase.frm"); 740