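/*
 *
 *  AVM BlueFRITZ! USB driver
 *
 *  Copyright (C) 2003-2006  Marcel Holtmann <marcel@holtmann.org>
 *
 *
 *  This program is free software; you can redistribute it and/or modify
 *  it under the terms of the GNU General Public License as published by
 *  the Free Software Foundation; either version 2 of the License, or
 *  (at your option) any later version.
 *
 *  This program is distributed in the hope that it will be useful,
 *  but WITHOUT ANY WARRANTY; without even the implied warranty of
 *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 *  GNU General Public License for more details.
 *
 *  You should have received a copy of the GNU General Public License
 *  along with this program; if not, write to the Free Software
 *  Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
 *
 */

#include <linux/module.h>

#include <linux/kernel.h>
#include <linux/init.h>
#include <linux/slab.h>
#include <linux/types.h>
#include <linux/errno.h>
#include <linux/skbuff.h>

#include <linux/device.h>
#include <linux/firmware.h>

#include <linux/usb.h>

#include <net/bluetooth/bluetooth.h>
#include <net/bluetooth/hci_core.h>

#define VERSION "1.2"

static struct usb_driver bfusb_driver;

static const struct usb_device_id bfusb_table[] = {
	/* AVM BlueFRITZ! USB */
	{ USB_DEVICE(0x057c, 0x2200) },

	{ }	/* Terminating entry */
};

MODULE_DEVICE_TABLE(usb, bfusb_table);

/* Largest payload carried by one transport block (length byte 0 means 256). */
#define BFUSB_MAX_BLOCK_SIZE	256

/* Timeout passed to usb_bulk_msg() for each firmware chunk. */
#define BFUSB_BLOCK_TIMEOUT	3000

/* Bit numbers in bfusb_data.state, see bfusb_tx_wakeup(). */
#define BFUSB_TX_PROCESS	1
#define BFUSB_TX_WAKEUP		2

/* Upper bound on in-flight TX URBs and number of RX URBs posted on open. */
#define BFUSB_MAX_BULK_TX	2
#define BFUSB_MAX_BULK_RX	2

/* Per-adapter driver state, allocated in bfusb_probe(). */
struct bfusb_data {
	struct hci_dev		*hdev;		/* HCI device registered for this adapter */

	unsigned long		state;		/* BFUSB_TX_* bits */

	struct usb_device	*udev;

	unsigned int		bulk_in_ep;	/* bEndpointAddress of endpoint[1] */
	unsigned int		bulk_out_ep;	/* bEndpointAddress of endpoint[0] */
	unsigned int		bulk_pkt_size;	/* wMaxPacketSize of the bulk-out endpoint */

	rwlock_t		lock;

	struct sk_buff_head	transmit_q;	/* framed packets waiting for a URB */

	struct sk_buff		*reassembly;	/* HCI packet being rebuilt from RX blocks */

	atomic_t		pending_tx;	/* number of TX URBs in flight */
	struct sk_buff_head	pending_q;	/* skbs whose URB has been submitted */
	struct sk_buff_head	completed_q;	/* skbs whose URB can be recycled */
};

/* Stored in skb->cb to tie an skb to the URB that carries it. */
struct bfusb_data_scb {
	struct urb *urb;
};

static void bfusb_tx_complete(struct urb *urb);
static void bfusb_rx_complete(struct urb *urb);

/*
 * Take one entry off the completed queue and return its URB so that it can
 * be reused. The carrier skb is freed here. Returns NULL if the queue is
 * empty.
 */
static struct urb *bfusb_get_completed(struct bfusb_data *data)
{
	struct sk_buff *skb;
	struct urb *urb = NULL;

	BT_DBG("bfusb %p", data);

	skb = skb_dequeue(&data->completed_q);
	if (skb) {
		urb = ((struct bfusb_data_scb *) skb->cb)->urb;
		kfree_skb(skb);
	}

	return urb;
}

/*
 * Kill every URB that is still pending, then free all URBs (and their
 * carrier skbs) by draining the completed queue.
 */
static void bfusb_unlink_urbs(struct bfusb_data *data)
{
	struct sk_buff *skb;
	struct urb *urb;

	BT_DBG("bfusb %p", data);

	while ((skb = skb_dequeue(&data->pending_q))) {
		urb = ((struct bfusb_data_scb *) skb->cb)->urb;
		usb_kill_urb(urb);
		skb_queue_tail(&data->completed_q, skb);
	}

	while ((urb = bfusb_get_completed(data)))
		usb_free_urb(urb);
}

/*
 * Submit one already-framed skb on the bulk-out endpoint.
 *
 * A URB is recycled from the completed queue when one is available,
 * otherwise a new one is allocated. On submit failure the skb is taken back
 * off the pending queue and left to the caller; the URB is freed.
 *
 * Returns 0 on success or a negative errno.
 */
static int bfusb_send_bulk(struct bfusb_data *data, struct sk_buff *skb)
{
	struct bfusb_data_scb *scb = (void *) skb->cb;
	struct urb *urb = bfusb_get_completed(data);
	int err, pipe;

	BT_DBG("bfusb %p skb %p len %d", data, skb, skb->len);

	if (!urb && !(urb = usb_alloc_urb(0, GFP_ATOMIC)))
		return -ENOMEM;

	pipe = usb_sndbulkpipe(data->udev, data->bulk_out_ep);

	usb_fill_bulk_urb(urb, data->udev, pipe, skb->data, skb->len,
			bfusb_tx_complete, skb);

	scb->urb = urb;

	skb_queue_tail(&data->pending_q, skb);

	err = usb_submit_urb(urb, GFP_ATOMIC);
	if (err) {
		BT_ERR("%s bulk tx submit failed urb %p err %d",
					data->hdev->name, urb, err);
		skb_unlink(skb, &data->pending_q);
		usb_free_urb(urb);
	} else
		atomic_inc(&data->pending_tx);

	return err;
}

/*
 * Push queued frames to the device while fewer than BFUSB_MAX_BULK_TX URBs
 * are in flight.
 *
 * Only one context drains the queue at a time: BFUSB_TX_PROCESS marks the
 * active drainer, and a caller that finds it set leaves BFUSB_TX_WAKEUP
 * behind so the drainer makes another pass before it exits.
 */
static void bfusb_tx_wakeup(struct bfusb_data *data)
{
	struct sk_buff *skb;

	BT_DBG("bfusb %p", data);

	if (test_and_set_bit(BFUSB_TX_PROCESS, &data->state)) {
		set_bit(BFUSB_TX_WAKEUP, &data->state);
		return;
	}

	do {
		clear_bit(BFUSB_TX_WAKEUP, &data->state);

		while ((atomic_read(&data->pending_tx) < BFUSB_MAX_BULK_TX) &&
				(skb = skb_dequeue(&data->transmit_q))) {
			if (bfusb_send_bulk(data, skb) < 0) {
				/* Put the frame back so it is retried first. */
				skb_queue_head(&data->transmit_q, skb);
				break;
			}
		}

	} while (test_bit(BFUSB_TX_WAKEUP, &data->state));

	clear_bit(BFUSB_TX_PROCESS, &data->state);
}

/*
 * Completion handler for bulk-out URBs: update the statistics, move the skb
 * to the completed queue so its URB can be recycled, and restart the
 * transmit path.
 */
static void bfusb_tx_complete(struct urb *urb)
{
	struct sk_buff *skb = (struct sk_buff *) urb->context;
	struct bfusb_data *data = (struct bfusb_data *) skb->dev;

	BT_DBG("bfusb %p urb %p skb %p len %d", data, urb, skb, skb->len);

	atomic_dec(&data->pending_tx);

	/* Device is being closed; bfusb_unlink_urbs() cleans up pending_q. */
	if (!test_bit(HCI_RUNNING, &data->hdev->flags))
		return;

	if (!urb->status)
		data->hdev->stat.byte_tx += skb->len;
	else
		data->hdev->stat.err_tx++;

	read_lock(&data->lock);

	skb_unlink(skb, &data->pending_q);
	skb_queue_tail(&data->completed_q, skb);

	bfusb_tx_wakeup(data);

	read_unlock(&data->lock);
}


/*
 * Post one receive URB on the bulk-in endpoint.
 *
 * @urb may be NULL, in which case a new URB is allocated. A fresh receive
 * skb of HCI_MAX_FRAME_SIZE + 32 bytes is attached as transfer buffer and
 * queued on pending_q. On any failure both the skb and the URB are freed.
 *
 * Returns 0 on success or a negative errno.
 */
static int bfusb_rx_submit(struct bfusb_data *data, struct urb *urb)
{
	struct bfusb_data_scb *scb;
	struct sk_buff *skb;
	int err, pipe, size = HCI_MAX_FRAME_SIZE + 32;

	BT_DBG("bfusb %p urb %p", data, urb);

	if (!urb && !(urb = usb_alloc_urb(0, GFP_ATOMIC)))
		return -ENOMEM;

	skb = bt_skb_alloc(size, GFP_ATOMIC);
	if (!skb) {
		usb_free_urb(urb);
		return -ENOMEM;
	}

	/* skb->dev carries the driver state to the completion handler. */
	skb->dev = (void *) data;

	scb = (struct bfusb_data_scb *) skb->cb;
	scb->urb = urb;

	pipe = usb_rcvbulkpipe(data->udev, data->bulk_in_ep);

	usb_fill_bulk_urb(urb, data->udev, pipe, skb->data, size,
			bfusb_rx_complete, skb);

	skb_queue_tail(&data->pending_q, skb);

	err = usb_submit_urb(urb, GFP_ATOMIC);
	if (err) {
		BT_ERR("%s bulk rx submit failed urb %p err %d",
					data->hdev->name, urb, err);
		skb_unlink(skb, &data->pending_q);
		kfree_skb(skb);
		usb_free_urb(urb);
	}

	return err;
}

/*
 * Feed one transport block into the HCI packet reassembly.
 *
 * @hdr:  block header flags: 0x10 = error, 0x04 = first block of a packet,
 *        0x08 = last block of a packet
 * @buf:  block payload
 * @len:  number of payload bytes; the caller guarantees that @buf holds at
 *        least @len bytes
 *
 * A first block starts with the HCI packet type followed by the HCI header,
 * from which the total packet length is taken to size the reassembly skb.
 * All of these values come from the device and are treated as untrusted:
 * a block that would not fit into the reassembly skb is rejected instead of
 * being copied.
 *
 * Returns 0 on success or a negative errno.
 */
static inline int bfusb_recv_block(struct bfusb_data *data, int hdr, unsigned char *buf, int len)
{
	BT_DBG("bfusb %p hdr 0x%02x data %p len %d", data, hdr, buf, len);

	if (hdr & 0x10) {
		BT_ERR("%s error in block", data->hdev->name);
		kfree_skb(data->reassembly);
		data->reassembly = NULL;
		return -EIO;
	}

	if (hdr & 0x04) {
		struct sk_buff *skb;
		unsigned char pkt_type;
		int pkt_len = 0;

		if (data->reassembly) {
			BT_ERR("%s unexpected start block", data->hdev->name);
			kfree_skb(data->reassembly);
			data->reassembly = NULL;
		}

		if (len < 1) {
			BT_ERR("%s no packet type found", data->hdev->name);
			return -EPROTO;
		}

		pkt_type = *buf++;
		len--;

		switch (pkt_type) {
		case HCI_EVENT_PKT:
			if (len >= HCI_EVENT_HDR_SIZE) {
				struct hci_event_hdr *eh = (struct hci_event_hdr *) buf;

				pkt_len = HCI_EVENT_HDR_SIZE + eh->plen;
			} else {
				BT_ERR("%s event block is too short", data->hdev->name);
				return -EILSEQ;
			}
			break;

		case HCI_ACLDATA_PKT:
			if (len >= HCI_ACL_HDR_SIZE) {
				struct hci_acl_hdr *ah = (struct hci_acl_hdr *) buf;

				pkt_len = HCI_ACL_HDR_SIZE + __le16_to_cpu(ah->dlen);
			} else {
				BT_ERR("%s data block is too short", data->hdev->name);
				return -EILSEQ;
			}
			break;

		case HCI_SCODATA_PKT:
			if (len >= HCI_SCO_HDR_SIZE) {
				struct hci_sco_hdr *sh = (struct hci_sco_hdr *) buf;

				pkt_len = HCI_SCO_HDR_SIZE + sh->dlen;
			} else {
				BT_ERR("%s audio block is too short", data->hdev->name);
				return -EILSEQ;
			}
			break;

		default:
			/*
			 * Unknown type: pkt_len stays 0. Whatever payload
			 * follows is bounded by the tailroom check below.
			 */
			break;
		}

		skb = bt_skb_alloc(pkt_len, GFP_ATOMIC);
		if (!skb) {
			BT_ERR("%s no memory for the packet", data->hdev->name);
			return -ENOMEM;
		}

		bt_cb(skb)->pkt_type = pkt_type;

		data->reassembly = skb;
	} else {
		if (!data->reassembly) {
			BT_ERR("%s unexpected continuation block", data->hdev->name);
			return -EIO;
		}
	}

	if (len > 0) {
		/*
		 * The reassembly skb was sized from the length announced in
		 * the HCI header of the first block. A device that sends more
		 * data than it announced must not be able to run skb_put()
		 * past the end of that buffer.
		 */
		if (len > skb_tailroom(data->reassembly)) {
			BT_ERR("%s block exceeds announced packet length",
						data->hdev->name);
			kfree_skb(data->reassembly);
			data->reassembly = NULL;
			return -EPROTO;
		}

		memcpy(skb_put(data->reassembly, len), buf, len);
	}

	if (hdr & 0x08) {
		hci_recv_frame(data->hdev, data->reassembly);
		data->reassembly = NULL;
	}

	return 0;
}

/*
 * Completion handler for bulk-in URBs.
 *
 * The transfer buffer holds a sequence of blocks. Each block starts with a
 * 16-bit little-endian header; unless bit 0x4000 is set, a third byte gives
 * the payload length (0 meaning 256). Blocks whose low header byte matches
 * 0xc1 under mask 0xe1 are passed to bfusb_recv_block().
 *
 * Everything in the buffer is device-controlled, so each header and each
 * payload length is checked against the number of bytes actually received
 * before it is read; parsing stops at the first block that does not fit.
 * The receive skb is then released and a new URB cycle is started.
 */
static void bfusb_rx_complete(struct urb *urb)
{
	struct sk_buff *skb = (struct sk_buff *) urb->context;
	struct bfusb_data *data = (struct bfusb_data *) skb->dev;
	unsigned char *buf = urb->transfer_buffer;
	int count = urb->actual_length;
	int err, hdr, len;

	BT_DBG("bfusb %p urb %p skb %p len %d", data, urb, skb, skb->len);

	read_lock(&data->lock);

	if (!test_bit(HCI_RUNNING, &data->hdev->flags))
		goto unlock;

	if (urb->status || !count)
		goto resubmit;

	data->hdev->stat.byte_rx += count;

	skb_put(skb, count);

	while (count) {
		/* Need the two header bytes before they can be read. */
		if (count < 2) {
			BT_ERR("%s block header is too short",
						data->hdev->name);
			break;
		}

		hdr = buf[0] | (buf[1] << 8);

		if (hdr & 0x4000) {
			len = 0;
			count -= 2;
			buf   += 2;
		} else {
			/* The length byte must be inside the buffer too. */
			if (count < 3) {
				BT_ERR("%s block header is too short",
						data->hdev->name);
				break;
			}

			len = (buf[2] == 0) ? 256 : buf[2];
			count -= 3;
			buf   += 3;
		}

		if (count < len) {
			BT_ERR("%s block extends over URB buffer ranges",
					data->hdev->name);
			/*
			 * Stop here: handing this block on would read past
			 * the received data, and count would go negative and
			 * keep the loop running outside the buffer.
			 */
			break;
		}

		if ((hdr & 0xe1) == 0xc1)
			bfusb_recv_block(data, hdr, buf, len);

		count -= len;
		buf   += len;
	}

	skb_unlink(skb, &data->pending_q);
	kfree_skb(skb);

	bfusb_rx_submit(data, urb);

	read_unlock(&data->lock);

	return;

resubmit:
	urb->dev = data->udev;

	err = usb_submit_urb(urb, GFP_ATOMIC);
	if (err) {
		BT_ERR("%s bulk resubmit failed urb %p err %d",
					data->hdev->name, urb, err);
	}

unlock:
	read_unlock(&data->lock);
}

/*
 * hdev->open: mark the device running and post BFUSB_MAX_BULK_RX receive
 * URBs. Only a failure of the first submission is reported; it also clears
 * HCI_RUNNING again.
 */
static int bfusb_open(struct hci_dev *hdev)
{
	struct bfusb_data *data = hci_get_drvdata(hdev);
	unsigned long flags;
	int i, err;

	BT_DBG("hdev %p bfusb %p", hdev, data);

	if (test_and_set_bit(HCI_RUNNING, &hdev->flags))
		return 0;

	write_lock_irqsave(&data->lock, flags);

	err = bfusb_rx_submit(data, NULL);
	if (!err) {
		for (i = 1; i < BFUSB_MAX_BULK_RX; i++)
			bfusb_rx_submit(data, NULL);
	} else {
		clear_bit(HCI_RUNNING, &hdev->flags);
	}

	write_unlock_irqrestore(&data->lock, flags);

	return err;
}

/* hdev->flush: drop every frame that has not been handed to a URB yet. */
static int bfusb_flush(struct hci_dev *hdev)
{
	struct bfusb_data *data = hci_get_drvdata(hdev);

	BT_DBG("hdev %p bfusb %p", hdev, data);

	skb_queue_purge(&data->transmit_q);

	return 0;
}

/*
 * hdev->close: clear HCI_RUNNING, cancel all URBs and purge the transmit
 * queue.
 */
static int bfusb_close(struct hci_dev *hdev)
{
	struct bfusb_data *data = hci_get_drvdata(hdev);
	unsigned long flags;

	BT_DBG("hdev %p bfusb %p", hdev, data);

	if (!test_and_clear_bit(HCI_RUNNING, &hdev->flags))
		return 0;

	/*
	 * NOTE(review): empty critical section; presumably a barrier that
	 * waits for completion handlers holding the read lock - confirm.
	 */
	write_lock_irqsave(&data->lock, flags);
	write_unlock_irqrestore(&data->lock, flags);

	bfusb_unlink_urbs(data);
	bfusb_flush(hdev);

	return 0;
}

/*
 * hdev->send: wrap an HCI frame into transport blocks and queue it.
 *
 * The packet type byte is prepended to the frame, which is then split into
 * blocks of at most BFUSB_MAX_BLOCK_SIZE bytes. Each block gets a three
 * byte header: 0xc1 plus 0x04 on the first and 0x08 on the last block, a
 * zero byte, and the block length (0 for a full 256 byte block).
 *
 * Returns 0 on success, -EBUSY if the device is not running, or -ENOMEM.
 */
static int bfusb_send_frame(struct hci_dev *hdev, struct sk_buff *skb)
{
	struct bfusb_data *data = hci_get_drvdata(hdev);
	struct sk_buff *nskb;
	unsigned char buf[3];
	int sent = 0, size, count;

	BT_DBG("hdev %p skb %p type %d len %d", hdev, skb, bt_cb(skb)->pkt_type, skb->len);

	if (!test_bit(HCI_RUNNING, &hdev->flags))
		return -EBUSY;

	switch (bt_cb(skb)->pkt_type) {
	case HCI_COMMAND_PKT:
		hdev->stat.cmd_tx++;
		break;
	case HCI_ACLDATA_PKT:
		hdev->stat.acl_tx++;
		break;
	case HCI_SCODATA_PKT:
		hdev->stat.sco_tx++;
		break;
	}

	/* Prepend skb with frame type */
	memcpy(skb_push(skb, 1), &bt_cb(skb)->pkt_type, 1);

	count = skb->len;

	/*
	 * Max HCI frame size seems to be 1511 + 1.
	 * The 32 spare bytes hold the 3 byte block headers plus the optional
	 * 2 byte trailer, which is enough for up to ten blocks (2560 bytes).
	 */
	nskb = bt_skb_alloc(count + 32, GFP_ATOMIC);
	if (!nskb) {
		BT_ERR("Can't allocate memory for new packet");
		return -ENOMEM;
	}

	nskb->dev = (void *) data;

	while (count) {
		size = min_t(uint, count, BFUSB_MAX_BLOCK_SIZE);

		buf[0] = 0xc1 | ((sent == 0) ? 0x04 : 0) | ((count == size) ? 0x08 : 0);
		buf[1] = 0x00;
		buf[2] = (size == BFUSB_MAX_BLOCK_SIZE) ? 0 : size;

		memcpy(skb_put(nskb, 3), buf, 3);
		skb_copy_from_linear_data_offset(skb, sent, skb_put(nskb, size), size);

		sent  += size;
		count -= size;
	}

	/*
	 * Don't send frame with multiple size of bulk max packet.
	 * bulk_pkt_size is checked to be non-zero in bfusb_probe().
	 */
	if ((nskb->len % data->bulk_pkt_size) == 0) {
		buf[0] = 0xdd;
		buf[1] = 0x00;
		memcpy(skb_put(nskb, 2), buf, 2);
	}

	read_lock(&data->lock);

	skb_queue_tail(&data->transmit_q, nskb);
	bfusb_tx_wakeup(data);

	read_unlock(&data->lock);

	kfree_skb(skb);

	return 0;
}

/*
 * Download the firmware image to the device.
 *
 * The device is switched to configuration 1, the image is written to the
 * bulk-out endpoint in chunks of at most BFUSB_MAX_BLOCK_SIZE + 3 bytes
 * followed by a zero-length packet, and the device is then switched to
 * configuration 2. On failure configuration 0 is selected.
 *
 * Returns 0 on success or a negative errno. A chunk that is only partly
 * transferred is reported as -EIO, so that a truncated download is never
 * taken for a successful one.
 */
static int bfusb_load_firmware(struct bfusb_data *data,
			const unsigned char *firmware, int count)
{
	unsigned char *buf;
	int err, pipe, len, size, sent = 0;

	BT_DBG("bfusb %p udev %p", data, data->udev);

	BT_INFO("BlueFRITZ! USB loading firmware");

	/* Bounce buffer: the firmware image itself is not used for the transfer. */
	buf = kmalloc(BFUSB_MAX_BLOCK_SIZE + 3, GFP_KERNEL);
	if (!buf) {
		BT_ERR("Can't allocate memory chunk for firmware");
		return -ENOMEM;
	}

	pipe = usb_sndctrlpipe(data->udev, 0);

	if (usb_control_msg(data->udev, pipe, USB_REQ_SET_CONFIGURATION,
				0, 1, 0, NULL, 0, USB_CTRL_SET_TIMEOUT) < 0) {
		BT_ERR("Can't change to loading configuration");
		kfree(buf);
		return -EBUSY;
	}

	/* The configuration changed behind the USB core's back: reset toggles. */
	data->udev->toggle[0] = data->udev->toggle[1] = 0;

	pipe = usb_sndbulkpipe(data->udev, data->bulk_out_ep);

	while (count) {
		size = min_t(uint, count, BFUSB_MAX_BLOCK_SIZE + 3);

		memcpy(buf, firmware + sent, size);

		err = usb_bulk_msg(data->udev, pipe, buf, size,
					&len, BFUSB_BLOCK_TIMEOUT);

		if (err || (len != size)) {
			BT_ERR("Error in firmware loading");
			/* A short write leaves err at 0; report it as failure. */
			if (!err)
				err = -EIO;
			goto error;
		}

		sent  += size;
		count -= size;
	}

	err = usb_bulk_msg(data->udev, pipe, NULL, 0,
					&len, BFUSB_BLOCK_TIMEOUT);
	if (err < 0) {
		BT_ERR("Error in null packet request");
		goto error;
	}

	pipe = usb_sndctrlpipe(data->udev, 0);

	err = usb_control_msg(data->udev, pipe, USB_REQ_SET_CONFIGURATION,
				0, 2, 0, NULL, 0, USB_CTRL_SET_TIMEOUT);
	if (err < 0) {
		BT_ERR("Can't change to running configuration");
		goto error;
	}

	data->udev->toggle[0] = data->udev->toggle[1] = 0;

	BT_INFO("BlueFRITZ! USB device ready");

	kfree(buf);
	return 0;

error:
	kfree(buf);

	pipe = usb_sndctrlpipe(data->udev, 0);

	usb_control_msg(data->udev, pipe, USB_REQ_SET_CONFIGURATION,
				0, 0, 0, NULL, 0, USB_CTRL_SET_TIMEOUT);

	return err;
}

/*
 * USB probe: read the endpoint layout from the interface descriptors, load
 * the firmware and register the HCI device.
 *
 * Descriptor contents are supplied by the device, so values that later code
 * divides by or indexes with are validated here. Every failure is reported
 * as -EIO.
 */
static int bfusb_probe(struct usb_interface *intf, const struct usb_device_id *id)
{
	const struct firmware *firmware;
	struct usb_device *udev = interface_to_usbdev(intf);
	struct usb_host_endpoint *bulk_out_ep;
	struct usb_host_endpoint *bulk_in_ep;
	struct hci_dev *hdev;
	struct bfusb_data *data;

	BT_DBG("intf %p id %p", intf, id);

	/* Check number of endpoints */
	if (intf->cur_altsetting->desc.bNumEndpoints < 2)
		return -EIO;

	bulk_out_ep = &intf->cur_altsetting->endpoint[0];
	bulk_in_ep  = &intf->cur_altsetting->endpoint[1];

	/*
	 * NOTE(review): both pointers are addresses of array elements, so
	 * this test cannot detect a missing endpoint, and nothing here
	 * verifies the type or direction of the two endpoints.
	 */
	if (!bulk_out_ep || !bulk_in_ep) {
		BT_ERR("Bulk endpoints not found");
		goto done;
	}

	/* Initialize control structure and load firmware */
	data = devm_kzalloc(&intf->dev, sizeof(struct bfusb_data), GFP_KERNEL);
	if (!data) {
		BT_ERR("Can't allocate memory for control structure");
		goto done;
	}

	data->udev = udev;
	data->bulk_in_ep    = bulk_in_ep->desc.bEndpointAddress;
	data->bulk_out_ep   = bulk_out_ep->desc.bEndpointAddress;
	data->bulk_pkt_size = le16_to_cpu(bulk_out_ep->desc.wMaxPacketSize);

	/*
	 * bfusb_send_frame() takes the frame length modulo bulk_pkt_size.
	 * A descriptor announcing a zero packet size would turn that into a
	 * division by zero, so refuse to bind to such a device.
	 */
	if (!data->bulk_pkt_size) {
		BT_ERR("Bulk-out endpoint reports zero max packet size");
		goto done;
	}

	rwlock_init(&data->lock);

	data->reassembly = NULL;

	skb_queue_head_init(&data->transmit_q);
	skb_queue_head_init(&data->pending_q);
	skb_queue_head_init(&data->completed_q);

	if (request_firmware(&firmware, "bfubase.frm", &udev->dev) < 0) {
		BT_ERR("Firmware request failed");
		goto done;
	}

	BT_DBG("firmware data %p size %zu", firmware->data, firmware->size);

	if (bfusb_load_firmware(data, firmware->data, firmware->size) < 0) {
		BT_ERR("Firmware loading failed");
		goto release;
	}

	release_firmware(firmware);

	/* Initialize and register HCI device */
	hdev = hci_alloc_dev();
	if (!hdev) {
		BT_ERR("Can't allocate HCI device");
		goto done;
	}

	data->hdev = hdev;

	hdev->bus = HCI_USB;
	hci_set_drvdata(hdev, data);
	SET_HCIDEV_DEV(hdev, &intf->dev);

	hdev->open  = bfusb_open;
	hdev->close = bfusb_close;
	hdev->flush = bfusb_flush;
	hdev->send  = bfusb_send_frame;

	if (hci_register_dev(hdev) < 0) {
		BT_ERR("Can't register HCI device");
		hci_free_dev(hdev);
		goto done;
	}

	usb_set_intfdata(intf, data);

	return 0;

release:
	release_firmware(firmware);

done:
	return -EIO;
}

/*
 * USB disconnect: close the HCI device, then unregister and free it. The
 * bfusb_data structure itself is device-managed memory (devm_kzalloc).
 */
static void bfusb_disconnect(struct usb_interface *intf)
{
	struct bfusb_data *data = usb_get_intfdata(intf);
	struct hci_dev *hdev = data->hdev;

	BT_DBG("intf %p", intf);

	if (!hdev)
		return;

	usb_set_intfdata(intf, NULL);

	bfusb_close(hdev);

	hci_unregister_dev(hdev);
	hci_free_dev(hdev);
}

static struct usb_driver bfusb_driver = {
	.name		= "bfusb",
	.probe		= bfusb_probe,
	.disconnect	= bfusb_disconnect,
	.id_table	= bfusb_table,
	.disable_hub_initiated_lpm = 1,
};

module_usb_driver(bfusb_driver);

MODULE_AUTHOR("Marcel Holtmann <marcel@holtmann.org>");
MODULE_DESCRIPTION("BlueFRITZ! USB driver ver " VERSION);
MODULE_VERSION(VERSION);
MODULE_LICENSE("GPL");
MODULE_FIRMWARE("bfubase.frm");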