1/* 2 * 3 * AVM BlueFRITZ! USB driver 4 * 5 * Copyright (C) 2003-2006 Marcel Holtmann <marcel@holtmann.org> 6 * 7 * 8 * This program is free software; you can redistribute it and/or modify 9 * it under the terms of the GNU General Public License as published by 10 * the Free Software Foundation; either version 2 of the License, or 11 * (at your option) any later version. 12 * 13 * This program is distributed in the hope that it will be useful, 14 * but WITHOUT ANY WARRANTY; without even the implied warranty of 15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 16 * GNU General Public License for more details. 17 * 18 * You should have received a copy of the GNU General Public License 19 * along with this program; if not, write to the Free Software 20 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA 21 * 22 */ 23 24#include <linux/module.h> 25 26#include <linux/kernel.h> 27#include <linux/init.h> 28#include <linux/slab.h> 29#include <linux/types.h> 30#include <linux/errno.h> 31#include <linux/skbuff.h> 32 33#include <linux/device.h> 34#include <linux/firmware.h> 35 36#include <linux/usb.h> 37 38#include <net/bluetooth/bluetooth.h> 39#include <net/bluetooth/hci_core.h> 40 41#define VERSION "1.2" 42 43static struct usb_driver bfusb_driver; 44 45static const struct usb_device_id bfusb_table[] = { 46 /* AVM BlueFRITZ! USB */ 47 { USB_DEVICE(0x057c, 0x2200) }, 48 49 { } /* Terminating entry */ 50}; 51 52MODULE_DEVICE_TABLE(usb, bfusb_table); 53 54#define BFUSB_MAX_BLOCK_SIZE 256 55 56#define BFUSB_BLOCK_TIMEOUT 3000 57 58#define BFUSB_TX_PROCESS 1 59#define BFUSB_TX_WAKEUP 2 60 61#define BFUSB_MAX_BULK_TX 2 62#define BFUSB_MAX_BULK_RX 2 63 64struct bfusb_data { 65 struct hci_dev *hdev; 66 67 unsigned long state; 68 69 struct usb_device *udev; 70 71 unsigned int bulk_in_ep; 72 unsigned int bulk_out_ep; 73 unsigned int bulk_pkt_size; 74 75 rwlock_t lock; 76 77 struct sk_buff_head transmit_q; 78 79 struct sk_buff *reassembly; 80 81 atomic_t pending_tx; 82 struct sk_buff_head pending_q; 83 struct sk_buff_head completed_q; 84}; 85 86struct bfusb_data_scb { 87 struct urb *urb; 88}; 89 90static void bfusb_tx_complete(struct urb *urb); 91static void bfusb_rx_complete(struct urb *urb); 92 93static struct urb *bfusb_get_completed(struct bfusb_data *data) 94{ 95 struct sk_buff *skb; 96 struct urb *urb = NULL; 97 98 BT_DBG("bfusb %p", data); 99 100 skb = skb_dequeue(&data->completed_q); 101 if (skb) { 102 urb = ((struct bfusb_data_scb *) skb->cb)->urb; 103 kfree_skb(skb); 104 } 105 106 return urb; 107} 108 109static void bfusb_unlink_urbs(struct bfusb_data *data) 110{ 111 struct sk_buff *skb; 112 struct urb *urb; 113 114 BT_DBG("bfusb %p", data); 115 116 while ((skb = skb_dequeue(&data->pending_q))) { 117 urb = ((struct bfusb_data_scb *) skb->cb)->urb; 118 usb_kill_urb(urb); 119 skb_queue_tail(&data->completed_q, skb); 120 } 121 122 while ((urb = bfusb_get_completed(data))) 123 usb_free_urb(urb); 124} 125 126static int bfusb_send_bulk(struct bfusb_data *data, struct sk_buff *skb) 127{ 128 struct bfusb_data_scb *scb = (void *) skb->cb; 129 struct urb *urb = bfusb_get_completed(data); 130 int err, pipe; 131 132 BT_DBG("bfusb %p skb %p len %d", data, skb, skb->len); 133 134 if (!urb) { 135 urb = usb_alloc_urb(0, GFP_ATOMIC); 136 if (!urb) 137 return -ENOMEM; 138 } 139 140 pipe = usb_sndbulkpipe(data->udev, data->bulk_out_ep); 141 142 usb_fill_bulk_urb(urb, data->udev, pipe, skb->data, skb->len, 143 bfusb_tx_complete, skb); 144 145 scb->urb = urb; 146 147 skb_queue_tail(&data->pending_q, skb); 148 149 err = usb_submit_urb(urb, GFP_ATOMIC); 150 if (err) { 151 BT_ERR("%s bulk tx submit failed urb %p err %d", 152 data->hdev->name, urb, err); 153 skb_unlink(skb, &data->pending_q); 154 usb_free_urb(urb); 155 } else 156 atomic_inc(&data->pending_tx); 157 158 return err; 159} 160 161static void bfusb_tx_wakeup(struct bfusb_data *data) 162{ 163 struct sk_buff *skb; 164 165 BT_DBG("bfusb %p", data); 166 167 if (test_and_set_bit(BFUSB_TX_PROCESS, &data->state)) { 168 set_bit(BFUSB_TX_WAKEUP, &data->state); 169 return; 170 } 171 172 do { 173 clear_bit(BFUSB_TX_WAKEUP, &data->state); 174 175 while ((atomic_read(&data->pending_tx) < BFUSB_MAX_BULK_TX) && 176 (skb = skb_dequeue(&data->transmit_q))) { 177 if (bfusb_send_bulk(data, skb) < 0) { 178 skb_queue_head(&data->transmit_q, skb); 179 break; 180 } 181 } 182 183 } while (test_bit(BFUSB_TX_WAKEUP, &data->state)); 184 185 clear_bit(BFUSB_TX_PROCESS, &data->state); 186} 187 188static void bfusb_tx_complete(struct urb *urb) 189{ 190 struct sk_buff *skb = (struct sk_buff *) urb->context; 191 struct bfusb_data *data = (struct bfusb_data *) skb->dev; 192 193 BT_DBG("bfusb %p urb %p skb %p len %d", data, urb, skb, skb->len); 194 195 atomic_dec(&data->pending_tx); 196 197 if (!test_bit(HCI_RUNNING, &data->hdev->flags)) 198 return; 199 200 if (!urb->status) 201 data->hdev->stat.byte_tx += skb->len; 202 else 203 data->hdev->stat.err_tx++; 204 205 read_lock(&data->lock); 206 207 skb_unlink(skb, &data->pending_q); 208 skb_queue_tail(&data->completed_q, skb); 209 210 bfusb_tx_wakeup(data); 211 212 read_unlock(&data->lock); 213} 214 215 216static int bfusb_rx_submit(struct bfusb_data *data, struct urb *urb) 217{ 218 struct bfusb_data_scb *scb; 219 struct sk_buff *skb; 220 int err, pipe, size = HCI_MAX_FRAME_SIZE + 32; 221 222 BT_DBG("bfusb %p urb %p", data, urb); 223 224 if (!urb) { 225 urb = usb_alloc_urb(0, GFP_ATOMIC); 226 if (!urb) 227 return -ENOMEM; 228 } 229 230 skb = bt_skb_alloc(size, GFP_ATOMIC); 231 if (!skb) { 232 usb_free_urb(urb); 233 return -ENOMEM; 234 } 235 236 skb->dev = (void *) data; 237 238 scb = (struct bfusb_data_scb *) skb->cb; 239 scb->urb = urb; 240 241 pipe = usb_rcvbulkpipe(data->udev, data->bulk_in_ep); 242 243 usb_fill_bulk_urb(urb, data->udev, pipe, skb->data, size, 244 bfusb_rx_complete, skb); 245 246 skb_queue_tail(&data->pending_q, skb); 247 248 err = usb_submit_urb(urb, GFP_ATOMIC); 249 if (err) { 250 BT_ERR("%s bulk rx submit failed urb %p err %d", 251 data->hdev->name, urb, err); 252 skb_unlink(skb, &data->pending_q); 253 kfree_skb(skb); 254 usb_free_urb(urb); 255 } 256 257 return err; 258} 259 260static inline int bfusb_recv_block(struct bfusb_data *data, int hdr, unsigned char *buf, int len) 261{ 262 BT_DBG("bfusb %p hdr 0x%02x data %p len %d", data, hdr, buf, len); 263 264 if (hdr & 0x10) { 265 BT_ERR("%s error in block", data->hdev->name); 266 kfree_skb(data->reassembly); 267 data->reassembly = NULL; 268 return -EIO; 269 } 270 271 if (hdr & 0x04) { 272 struct sk_buff *skb; 273 unsigned char pkt_type; 274 int pkt_len = 0; 275 276 if (data->reassembly) { 277 BT_ERR("%s unexpected start block", data->hdev->name); 278 kfree_skb(data->reassembly); 279 data->reassembly = NULL; 280 } 281 282 if (len < 1) { 283 BT_ERR("%s no packet type found", data->hdev->name); 284 return -EPROTO; 285 } 286 287 pkt_type = *buf++; len--; 288 289 switch (pkt_type) { 290 case HCI_EVENT_PKT: 291 if (len >= HCI_EVENT_HDR_SIZE) { 292 struct hci_event_hdr *hdr = (struct hci_event_hdr *) buf; 293 pkt_len = HCI_EVENT_HDR_SIZE + hdr->plen; 294 } else { 295 BT_ERR("%s event block is too short", data->hdev->name); 296 return -EILSEQ; 297 } 298 break; 299 300 case HCI_ACLDATA_PKT: 301 if (len >= HCI_ACL_HDR_SIZE) { 302 struct hci_acl_hdr *hdr = (struct hci_acl_hdr *) buf; 303 pkt_len = HCI_ACL_HDR_SIZE + __le16_to_cpu(hdr->dlen); 304 } else { 305 BT_ERR("%s data block is too short", data->hdev->name); 306 return -EILSEQ; 307 } 308 break; 309 310 case HCI_SCODATA_PKT: 311 if (len >= HCI_SCO_HDR_SIZE) { 312 struct hci_sco_hdr *hdr = (struct hci_sco_hdr *) buf; 313 pkt_len = HCI_SCO_HDR_SIZE + hdr->dlen; 314 } else { 315 BT_ERR("%s audio block is too short", data->hdev->name); 316 return -EILSEQ; 317 } 318 break; 319 } 320 321 skb = bt_skb_alloc(pkt_len, GFP_ATOMIC); 322 if (!skb) { 323 BT_ERR("%s no memory for the packet", data->hdev->name); 324 return -ENOMEM; 325 } 326 327 bt_cb(skb)->pkt_type = pkt_type; 328 329 data->reassembly = skb; 330 } else { 331 if (!data->reassembly) { 332 BT_ERR("%s unexpected continuation block", data->hdev->name); 333 return -EIO; 334 } 335 } 336 337 if (len > 0) 338 memcpy(skb_put(data->reassembly, len), buf, len); 339 340 if (hdr & 0x08) { 341 hci_recv_frame(data->hdev, data->reassembly); 342 data->reassembly = NULL; 343 } 344 345 return 0; 346} 347 348static void bfusb_rx_complete(struct urb *urb) 349{ 350 struct sk_buff *skb = (struct sk_buff *) urb->context; 351 struct bfusb_data *data = (struct bfusb_data *) skb->dev; 352 unsigned char *buf = urb->transfer_buffer; 353 int count = urb->actual_length; 354 int err, hdr, len; 355 356 BT_DBG("bfusb %p urb %p skb %p len %d", data, urb, skb, skb->len); 357 358 read_lock(&data->lock); 359 360 if (!test_bit(HCI_RUNNING, &data->hdev->flags)) 361 goto unlock; 362 363 if (urb->status || !count) 364 goto resubmit; 365 366 data->hdev->stat.byte_rx += count; 367 368 skb_put(skb, count); 369 370 while (count) { 371 hdr = buf[0] | (buf[1] << 8); 372 373 if (hdr & 0x4000) { 374 len = 0; 375 count -= 2; 376 buf += 2; 377 } else { 378 len = (buf[2] == 0) ? 256 : buf[2]; 379 count -= 3; 380 buf += 3; 381 } 382 383 if (count < len) { 384 BT_ERR("%s block extends over URB buffer ranges", 385 data->hdev->name); 386 } 387 388 if ((hdr & 0xe1) == 0xc1) 389 bfusb_recv_block(data, hdr, buf, len); 390 391 count -= len; 392 buf += len; 393 } 394 395 skb_unlink(skb, &data->pending_q); 396 kfree_skb(skb); 397 398 bfusb_rx_submit(data, urb); 399 400 read_unlock(&data->lock); 401 402 return; 403 404resubmit: 405 urb->dev = data->udev; 406 407 err = usb_submit_urb(urb, GFP_ATOMIC); 408 if (err) { 409 BT_ERR("%s bulk resubmit failed urb %p err %d", 410 data->hdev->name, urb, err); 411 } 412 413unlock: 414 read_unlock(&data->lock); 415} 416 417static int bfusb_open(struct hci_dev *hdev) 418{ 419 struct bfusb_data *data = hci_get_drvdata(hdev); 420 unsigned long flags; 421 int i, err; 422 423 BT_DBG("hdev %p bfusb %p", hdev, data); 424 425 if (test_and_set_bit(HCI_RUNNING, &hdev->flags)) 426 return 0; 427 428 write_lock_irqsave(&data->lock, flags); 429 430 err = bfusb_rx_submit(data, NULL); 431 if (!err) { 432 for (i = 1; i < BFUSB_MAX_BULK_RX; i++) 433 bfusb_rx_submit(data, NULL); 434 } else { 435 clear_bit(HCI_RUNNING, &hdev->flags); 436 } 437 438 write_unlock_irqrestore(&data->lock, flags); 439 440 return err; 441} 442 443static int bfusb_flush(struct hci_dev *hdev) 444{ 445 struct bfusb_data *data = hci_get_drvdata(hdev); 446 447 BT_DBG("hdev %p bfusb %p", hdev, data); 448 449 skb_queue_purge(&data->transmit_q); 450 451 return 0; 452} 453 454static int bfusb_close(struct hci_dev *hdev) 455{ 456 struct bfusb_data *data = hci_get_drvdata(hdev); 457 unsigned long flags; 458 459 BT_DBG("hdev %p bfusb %p", hdev, data); 460 461 if (!test_and_clear_bit(HCI_RUNNING, &hdev->flags)) 462 return 0; 463 464 write_lock_irqsave(&data->lock, flags); 465 write_unlock_irqrestore(&data->lock, flags); 466 467 bfusb_unlink_urbs(data); 468 bfusb_flush(hdev); 469 470 return 0; 471} 472 473static int bfusb_send_frame(struct hci_dev *hdev, struct sk_buff *skb) 474{ 475 struct bfusb_data *data = hci_get_drvdata(hdev); 476 struct sk_buff *nskb; 477 unsigned char buf[3]; 478 int sent = 0, size, count; 479 480 BT_DBG("hdev %p skb %p type %d len %d", hdev, skb, bt_cb(skb)->pkt_type, skb->len); 481 482 if (!test_bit(HCI_RUNNING, &hdev->flags)) 483 return -EBUSY; 484 485 switch (bt_cb(skb)->pkt_type) { 486 case HCI_COMMAND_PKT: 487 hdev->stat.cmd_tx++; 488 break; 489 case HCI_ACLDATA_PKT: 490 hdev->stat.acl_tx++; 491 break; 492 case HCI_SCODATA_PKT: 493 hdev->stat.sco_tx++; 494 break; 495 }; 496 497 /* Prepend skb with frame type */ 498 memcpy(skb_push(skb, 1), &bt_cb(skb)->pkt_type, 1); 499 500 count = skb->len; 501 502 /* Max HCI frame size seems to be 1511 + 1 */ 503 nskb = bt_skb_alloc(count + 32, GFP_ATOMIC); 504 if (!nskb) { 505 BT_ERR("Can't allocate memory for new packet"); 506 return -ENOMEM; 507 } 508 509 nskb->dev = (void *) data; 510 511 while (count) { 512 size = min_t(uint, count, BFUSB_MAX_BLOCK_SIZE); 513 514 buf[0] = 0xc1 | ((sent == 0) ? 0x04 : 0) | ((count == size) ? 0x08 : 0); 515 buf[1] = 0x00; 516 buf[2] = (size == BFUSB_MAX_BLOCK_SIZE) ? 0 : size; 517 518 memcpy(skb_put(nskb, 3), buf, 3); 519 skb_copy_from_linear_data_offset(skb, sent, skb_put(nskb, size), size); 520 521 sent += size; 522 count -= size; 523 } 524 525 /* Don't send frame with multiple size of bulk max packet */ 526 if ((nskb->len % data->bulk_pkt_size) == 0) { 527 buf[0] = 0xdd; 528 buf[1] = 0x00; 529 memcpy(skb_put(nskb, 2), buf, 2); 530 } 531 532 read_lock(&data->lock); 533 534 skb_queue_tail(&data->transmit_q, nskb); 535 bfusb_tx_wakeup(data); 536 537 read_unlock(&data->lock); 538 539 kfree_skb(skb); 540 541 return 0; 542} 543 544static int bfusb_load_firmware(struct bfusb_data *data, 545 const unsigned char *firmware, int count) 546{ 547 unsigned char *buf; 548 int err, pipe, len, size, sent = 0; 549 550 BT_DBG("bfusb %p udev %p", data, data->udev); 551 552 BT_INFO("BlueFRITZ! USB loading firmware"); 553 554 buf = kmalloc(BFUSB_MAX_BLOCK_SIZE + 3, GFP_KERNEL); 555 if (!buf) { 556 BT_ERR("Can't allocate memory chunk for firmware"); 557 return -ENOMEM; 558 } 559 560 pipe = usb_sndctrlpipe(data->udev, 0); 561 562 if (usb_control_msg(data->udev, pipe, USB_REQ_SET_CONFIGURATION, 563 0, 1, 0, NULL, 0, USB_CTRL_SET_TIMEOUT) < 0) { 564 BT_ERR("Can't change to loading configuration"); 565 kfree(buf); 566 return -EBUSY; 567 } 568 569 data->udev->toggle[0] = data->udev->toggle[1] = 0; 570 571 pipe = usb_sndbulkpipe(data->udev, data->bulk_out_ep); 572 573 while (count) { 574 size = min_t(uint, count, BFUSB_MAX_BLOCK_SIZE + 3); 575 576 memcpy(buf, firmware + sent, size); 577 578 err = usb_bulk_msg(data->udev, pipe, buf, size, 579 &len, BFUSB_BLOCK_TIMEOUT); 580 581 if (err || (len != size)) { 582 BT_ERR("Error in firmware loading"); 583 goto error; 584 } 585 586 sent += size; 587 count -= size; 588 } 589 590 err = usb_bulk_msg(data->udev, pipe, NULL, 0, 591 &len, BFUSB_BLOCK_TIMEOUT); 592 if (err < 0) { 593 BT_ERR("Error in null packet request"); 594 goto error; 595 } 596 597 pipe = usb_sndctrlpipe(data->udev, 0); 598 599 err = usb_control_msg(data->udev, pipe, USB_REQ_SET_CONFIGURATION, 600 0, 2, 0, NULL, 0, USB_CTRL_SET_TIMEOUT); 601 if (err < 0) { 602 BT_ERR("Can't change to running configuration"); 603 goto error; 604 } 605 606 data->udev->toggle[0] = data->udev->toggle[1] = 0; 607 608 BT_INFO("BlueFRITZ! USB device ready"); 609 610 kfree(buf); 611 return 0; 612 613error: 614 kfree(buf); 615 616 pipe = usb_sndctrlpipe(data->udev, 0); 617 618 usb_control_msg(data->udev, pipe, USB_REQ_SET_CONFIGURATION, 619 0, 0, 0, NULL, 0, USB_CTRL_SET_TIMEOUT); 620 621 return err; 622} 623 624static int bfusb_probe(struct usb_interface *intf, const struct usb_device_id *id) 625{ 626 const struct firmware *firmware; 627 struct usb_device *udev = interface_to_usbdev(intf); 628 struct usb_host_endpoint *bulk_out_ep; 629 struct usb_host_endpoint *bulk_in_ep; 630 struct hci_dev *hdev; 631 struct bfusb_data *data; 632 633 BT_DBG("intf %p id %p", intf, id); 634 635 /* Check number of endpoints */ 636 if (intf->cur_altsetting->desc.bNumEndpoints < 2) 637 return -EIO; 638 639 bulk_out_ep = &intf->cur_altsetting->endpoint[0]; 640 bulk_in_ep = &intf->cur_altsetting->endpoint[1]; 641 642 if (!bulk_out_ep || !bulk_in_ep) { 643 BT_ERR("Bulk endpoints not found"); 644 goto done; 645 } 646 647 /* Initialize control structure and load firmware */ 648 data = devm_kzalloc(&intf->dev, sizeof(struct bfusb_data), GFP_KERNEL); 649 if (!data) { 650 BT_ERR("Can't allocate memory for control structure"); 651 goto done; 652 } 653 654 data->udev = udev; 655 data->bulk_in_ep = bulk_in_ep->desc.bEndpointAddress; 656 data->bulk_out_ep = bulk_out_ep->desc.bEndpointAddress; 657 data->bulk_pkt_size = le16_to_cpu(bulk_out_ep->desc.wMaxPacketSize); 658 659 rwlock_init(&data->lock); 660 661 data->reassembly = NULL; 662 663 skb_queue_head_init(&data->transmit_q); 664 skb_queue_head_init(&data->pending_q); 665 skb_queue_head_init(&data->completed_q); 666 667 if (request_firmware(&firmware, "bfubase.frm", &udev->dev) < 0) { 668 BT_ERR("Firmware request failed"); 669 goto done; 670 } 671 672 BT_DBG("firmware data %p size %zu", firmware->data, firmware->size); 673 674 if (bfusb_load_firmware(data, firmware->data, firmware->size) < 0) { 675 BT_ERR("Firmware loading failed"); 676 goto release; 677 } 678 679 release_firmware(firmware); 680 681 /* Initialize and register HCI device */ 682 hdev = hci_alloc_dev(); 683 if (!hdev) { 684 BT_ERR("Can't allocate HCI device"); 685 goto done; 686 } 687 688 data->hdev = hdev; 689 690 hdev->bus = HCI_USB; 691 hci_set_drvdata(hdev, data); 692 SET_HCIDEV_DEV(hdev, &intf->dev); 693 694 hdev->open = bfusb_open; 695 hdev->close = bfusb_close; 696 hdev->flush = bfusb_flush; 697 hdev->send = bfusb_send_frame; 698 699 set_bit(HCI_QUIRK_BROKEN_LOCAL_COMMANDS, &hdev->quirks); 700 701 if (hci_register_dev(hdev) < 0) { 702 BT_ERR("Can't register HCI device"); 703 hci_free_dev(hdev); 704 goto done; 705 } 706 707 usb_set_intfdata(intf, data); 708 709 return 0; 710 711release: 712 release_firmware(firmware); 713 714done: 715 return -EIO; 716} 717 718static void bfusb_disconnect(struct usb_interface *intf) 719{ 720 struct bfusb_data *data = usb_get_intfdata(intf); 721 struct hci_dev *hdev = data->hdev; 722 723 BT_DBG("intf %p", intf); 724 725 if (!hdev) 726 return; 727 728 usb_set_intfdata(intf, NULL); 729 730 bfusb_close(hdev); 731 732 hci_unregister_dev(hdev); 733 hci_free_dev(hdev); 734} 735 736static struct usb_driver bfusb_driver = { 737 .name = "bfusb", 738 .probe = bfusb_probe, 739 .disconnect = bfusb_disconnect, 740 .id_table = bfusb_table, 741 .disable_hub_initiated_lpm = 1, 742}; 743 744module_usb_driver(bfusb_driver); 745 746MODULE_AUTHOR("Marcel Holtmann <marcel@holtmann.org>"); 747MODULE_DESCRIPTION("BlueFRITZ! USB driver ver " VERSION); 748MODULE_VERSION(VERSION); 749MODULE_LICENSE("GPL"); 750MODULE_FIRMWARE("bfubase.frm"); 751