1 // SPDX-License-Identifier: GPL-2.0-or-later 2 /* 3 * 4 * AVM BlueFRITZ! USB driver 5 * 6 * Copyright (C) 2003-2006 Marcel Holtmann <marcel@holtmann.org> 7 */ 8 9 #include <linux/module.h> 10 11 #include <linux/kernel.h> 12 #include <linux/init.h> 13 #include <linux/slab.h> 14 #include <linux/types.h> 15 #include <linux/errno.h> 16 #include <linux/skbuff.h> 17 18 #include <linux/device.h> 19 #include <linux/firmware.h> 20 21 #include <linux/usb.h> 22 23 #include <net/bluetooth/bluetooth.h> 24 #include <net/bluetooth/hci_core.h> 25 26 #define VERSION "1.2" 27 28 static struct usb_driver bfusb_driver; 29 30 static const struct usb_device_id bfusb_table[] = { 31 /* AVM BlueFRITZ! USB */ 32 { USB_DEVICE(0x057c, 0x2200) }, 33 34 { } /* Terminating entry */ 35 }; 36 37 MODULE_DEVICE_TABLE(usb, bfusb_table); 38 39 #define BFUSB_MAX_BLOCK_SIZE 256 40 41 #define BFUSB_BLOCK_TIMEOUT 3000 42 43 #define BFUSB_TX_PROCESS 1 44 #define BFUSB_TX_WAKEUP 2 45 46 #define BFUSB_MAX_BULK_TX 2 47 #define BFUSB_MAX_BULK_RX 2 48 49 struct bfusb_data { 50 struct hci_dev *hdev; 51 52 unsigned long state; 53 54 struct usb_device *udev; 55 56 unsigned int bulk_in_ep; 57 unsigned int bulk_out_ep; 58 unsigned int bulk_pkt_size; 59 60 rwlock_t lock; 61 62 struct sk_buff_head transmit_q; 63 64 struct sk_buff *reassembly; 65 66 atomic_t pending_tx; 67 struct sk_buff_head pending_q; 68 struct sk_buff_head completed_q; 69 }; 70 71 struct bfusb_data_scb { 72 struct urb *urb; 73 }; 74 75 static void bfusb_tx_complete(struct urb *urb); 76 static void bfusb_rx_complete(struct urb *urb); 77 78 static struct urb *bfusb_get_completed(struct bfusb_data *data) 79 { 80 struct sk_buff *skb; 81 struct urb *urb = NULL; 82 83 BT_DBG("bfusb %p", data); 84 85 skb = skb_dequeue(&data->completed_q); 86 if (skb) { 87 urb = ((struct bfusb_data_scb *) skb->cb)->urb; 88 kfree_skb(skb); 89 } 90 91 return urb; 92 } 93 94 static void bfusb_unlink_urbs(struct bfusb_data *data) 95 { 96 struct sk_buff *skb; 97 struct urb *urb; 98 99 BT_DBG("bfusb %p", data); 100 101 while ((skb = skb_dequeue(&data->pending_q))) { 102 urb = ((struct bfusb_data_scb *) skb->cb)->urb; 103 usb_kill_urb(urb); 104 skb_queue_tail(&data->completed_q, skb); 105 } 106 107 while ((urb = bfusb_get_completed(data))) 108 usb_free_urb(urb); 109 } 110 111 static int bfusb_send_bulk(struct bfusb_data *data, struct sk_buff *skb) 112 { 113 struct bfusb_data_scb *scb = (void *) skb->cb; 114 struct urb *urb = bfusb_get_completed(data); 115 int err, pipe; 116 117 BT_DBG("bfusb %p skb %p len %d", data, skb, skb->len); 118 119 if (!urb) { 120 urb = usb_alloc_urb(0, GFP_ATOMIC); 121 if (!urb) 122 return -ENOMEM; 123 } 124 125 pipe = usb_sndbulkpipe(data->udev, data->bulk_out_ep); 126 127 usb_fill_bulk_urb(urb, data->udev, pipe, skb->data, skb->len, 128 bfusb_tx_complete, skb); 129 130 scb->urb = urb; 131 132 skb_queue_tail(&data->pending_q, skb); 133 134 err = usb_submit_urb(urb, GFP_ATOMIC); 135 if (err) { 136 BT_ERR("%s bulk tx submit failed urb %p err %d", 137 data->hdev->name, urb, err); 138 skb_unlink(skb, &data->pending_q); 139 usb_free_urb(urb); 140 } else 141 atomic_inc(&data->pending_tx); 142 143 return err; 144 } 145 146 static void bfusb_tx_wakeup(struct bfusb_data *data) 147 { 148 struct sk_buff *skb; 149 150 BT_DBG("bfusb %p", data); 151 152 if (test_and_set_bit(BFUSB_TX_PROCESS, &data->state)) { 153 set_bit(BFUSB_TX_WAKEUP, &data->state); 154 return; 155 } 156 157 do { 158 clear_bit(BFUSB_TX_WAKEUP, &data->state); 159 160 while ((atomic_read(&data->pending_tx) < BFUSB_MAX_BULK_TX) && 161 (skb = skb_dequeue(&data->transmit_q))) { 162 if (bfusb_send_bulk(data, skb) < 0) { 163 skb_queue_head(&data->transmit_q, skb); 164 break; 165 } 166 } 167 168 } while (test_bit(BFUSB_TX_WAKEUP, &data->state)); 169 170 clear_bit(BFUSB_TX_PROCESS, &data->state); 171 } 172 173 static void bfusb_tx_complete(struct urb *urb) 174 { 175 struct sk_buff *skb = (struct sk_buff *) urb->context; 176 struct bfusb_data *data = (struct bfusb_data *) skb->dev; 177 178 BT_DBG("bfusb %p urb %p skb %p len %d", data, urb, skb, skb->len); 179 180 atomic_dec(&data->pending_tx); 181 182 if (!test_bit(HCI_RUNNING, &data->hdev->flags)) 183 return; 184 185 if (!urb->status) 186 data->hdev->stat.byte_tx += skb->len; 187 else 188 data->hdev->stat.err_tx++; 189 190 read_lock(&data->lock); 191 192 skb_unlink(skb, &data->pending_q); 193 skb_queue_tail(&data->completed_q, skb); 194 195 bfusb_tx_wakeup(data); 196 197 read_unlock(&data->lock); 198 } 199 200 201 static int bfusb_rx_submit(struct bfusb_data *data, struct urb *urb) 202 { 203 struct bfusb_data_scb *scb; 204 struct sk_buff *skb; 205 int err, pipe, size = HCI_MAX_FRAME_SIZE + 32; 206 207 BT_DBG("bfusb %p urb %p", data, urb); 208 209 if (!urb) { 210 urb = usb_alloc_urb(0, GFP_ATOMIC); 211 if (!urb) 212 return -ENOMEM; 213 } 214 215 skb = bt_skb_alloc(size, GFP_ATOMIC); 216 if (!skb) { 217 usb_free_urb(urb); 218 return -ENOMEM; 219 } 220 221 skb->dev = (void *) data; 222 223 scb = (struct bfusb_data_scb *) skb->cb; 224 scb->urb = urb; 225 226 pipe = usb_rcvbulkpipe(data->udev, data->bulk_in_ep); 227 228 usb_fill_bulk_urb(urb, data->udev, pipe, skb->data, size, 229 bfusb_rx_complete, skb); 230 231 skb_queue_tail(&data->pending_q, skb); 232 233 err = usb_submit_urb(urb, GFP_ATOMIC); 234 if (err) { 235 BT_ERR("%s bulk rx submit failed urb %p err %d", 236 data->hdev->name, urb, err); 237 skb_unlink(skb, &data->pending_q); 238 kfree_skb(skb); 239 usb_free_urb(urb); 240 } 241 242 return err; 243 } 244 245 static inline int bfusb_recv_block(struct bfusb_data *data, int hdr, unsigned char *buf, int len) 246 { 247 BT_DBG("bfusb %p hdr 0x%02x data %p len %d", data, hdr, buf, len); 248 249 if (hdr & 0x10) { 250 BT_ERR("%s error in block", data->hdev->name); 251 kfree_skb(data->reassembly); 252 data->reassembly = NULL; 253 return -EIO; 254 } 255 256 if (hdr & 0x04) { 257 struct sk_buff *skb; 258 unsigned char pkt_type; 259 int pkt_len = 0; 260 261 if (data->reassembly) { 262 BT_ERR("%s unexpected start block", data->hdev->name); 263 kfree_skb(data->reassembly); 264 data->reassembly = NULL; 265 } 266 267 if (len < 1) { 268 BT_ERR("%s no packet type found", data->hdev->name); 269 return -EPROTO; 270 } 271 272 pkt_type = *buf++; len--; 273 274 switch (pkt_type) { 275 case HCI_EVENT_PKT: 276 if (len >= HCI_EVENT_HDR_SIZE) { 277 struct hci_event_hdr *hdr = (struct hci_event_hdr *) buf; 278 pkt_len = HCI_EVENT_HDR_SIZE + hdr->plen; 279 } else { 280 BT_ERR("%s event block is too short", data->hdev->name); 281 return -EILSEQ; 282 } 283 break; 284 285 case HCI_ACLDATA_PKT: 286 if (len >= HCI_ACL_HDR_SIZE) { 287 struct hci_acl_hdr *hdr = (struct hci_acl_hdr *) buf; 288 pkt_len = HCI_ACL_HDR_SIZE + __le16_to_cpu(hdr->dlen); 289 } else { 290 BT_ERR("%s data block is too short", data->hdev->name); 291 return -EILSEQ; 292 } 293 break; 294 295 case HCI_SCODATA_PKT: 296 if (len >= HCI_SCO_HDR_SIZE) { 297 struct hci_sco_hdr *hdr = (struct hci_sco_hdr *) buf; 298 pkt_len = HCI_SCO_HDR_SIZE + hdr->dlen; 299 } else { 300 BT_ERR("%s audio block is too short", data->hdev->name); 301 return -EILSEQ; 302 } 303 break; 304 } 305 306 skb = bt_skb_alloc(pkt_len, GFP_ATOMIC); 307 if (!skb) { 308 BT_ERR("%s no memory for the packet", data->hdev->name); 309 return -ENOMEM; 310 } 311 312 hci_skb_pkt_type(skb) = pkt_type; 313 314 data->reassembly = skb; 315 } else { 316 if (!data->reassembly) { 317 BT_ERR("%s unexpected continuation block", data->hdev->name); 318 return -EIO; 319 } 320 } 321 322 if (len > 0) 323 skb_put_data(data->reassembly, buf, len); 324 325 if (hdr & 0x08) { 326 hci_recv_frame(data->hdev, data->reassembly); 327 data->reassembly = NULL; 328 } 329 330 return 0; 331 } 332 333 static void bfusb_rx_complete(struct urb *urb) 334 { 335 struct sk_buff *skb = (struct sk_buff *) urb->context; 336 struct bfusb_data *data = (struct bfusb_data *) skb->dev; 337 unsigned char *buf = urb->transfer_buffer; 338 int count = urb->actual_length; 339 int err, hdr, len; 340 341 BT_DBG("bfusb %p urb %p skb %p len %d", data, urb, skb, skb->len); 342 343 read_lock(&data->lock); 344 345 if (!test_bit(HCI_RUNNING, &data->hdev->flags)) 346 goto unlock; 347 348 if (urb->status || !count) 349 goto resubmit; 350 351 data->hdev->stat.byte_rx += count; 352 353 skb_put(skb, count); 354 355 while (count) { 356 hdr = buf[0] | (buf[1] << 8); 357 358 if (hdr & 0x4000) { 359 len = 0; 360 count -= 2; 361 buf += 2; 362 } else { 363 len = (buf[2] == 0) ? 256 : buf[2]; 364 count -= 3; 365 buf += 3; 366 } 367 368 if (count < len) { 369 BT_ERR("%s block extends over URB buffer ranges", 370 data->hdev->name); 371 } 372 373 if ((hdr & 0xe1) == 0xc1) 374 bfusb_recv_block(data, hdr, buf, len); 375 376 count -= len; 377 buf += len; 378 } 379 380 skb_unlink(skb, &data->pending_q); 381 kfree_skb(skb); 382 383 bfusb_rx_submit(data, urb); 384 385 read_unlock(&data->lock); 386 387 return; 388 389 resubmit: 390 urb->dev = data->udev; 391 392 err = usb_submit_urb(urb, GFP_ATOMIC); 393 if (err) { 394 BT_ERR("%s bulk resubmit failed urb %p err %d", 395 data->hdev->name, urb, err); 396 } 397 398 unlock: 399 read_unlock(&data->lock); 400 } 401 402 static int bfusb_open(struct hci_dev *hdev) 403 { 404 struct bfusb_data *data = hci_get_drvdata(hdev); 405 unsigned long flags; 406 int i, err; 407 408 BT_DBG("hdev %p bfusb %p", hdev, data); 409 410 write_lock_irqsave(&data->lock, flags); 411 412 err = bfusb_rx_submit(data, NULL); 413 if (!err) { 414 for (i = 1; i < BFUSB_MAX_BULK_RX; i++) 415 bfusb_rx_submit(data, NULL); 416 } 417 418 write_unlock_irqrestore(&data->lock, flags); 419 420 return err; 421 } 422 423 static int bfusb_flush(struct hci_dev *hdev) 424 { 425 struct bfusb_data *data = hci_get_drvdata(hdev); 426 427 BT_DBG("hdev %p bfusb %p", hdev, data); 428 429 skb_queue_purge(&data->transmit_q); 430 431 return 0; 432 } 433 434 static int bfusb_close(struct hci_dev *hdev) 435 { 436 struct bfusb_data *data = hci_get_drvdata(hdev); 437 unsigned long flags; 438 439 BT_DBG("hdev %p bfusb %p", hdev, data); 440 441 write_lock_irqsave(&data->lock, flags); 442 write_unlock_irqrestore(&data->lock, flags); 443 444 bfusb_unlink_urbs(data); 445 bfusb_flush(hdev); 446 447 return 0; 448 } 449 450 static int bfusb_send_frame(struct hci_dev *hdev, struct sk_buff *skb) 451 { 452 struct bfusb_data *data = hci_get_drvdata(hdev); 453 struct sk_buff *nskb; 454 unsigned char buf[3]; 455 int sent = 0, size, count; 456 457 BT_DBG("hdev %p skb %p type %d len %d", hdev, skb, 458 hci_skb_pkt_type(skb), skb->len); 459 460 switch (hci_skb_pkt_type(skb)) { 461 case HCI_COMMAND_PKT: 462 hdev->stat.cmd_tx++; 463 break; 464 case HCI_ACLDATA_PKT: 465 hdev->stat.acl_tx++; 466 break; 467 case HCI_SCODATA_PKT: 468 hdev->stat.sco_tx++; 469 break; 470 } 471 472 /* Prepend skb with frame type */ 473 memcpy(skb_push(skb, 1), &hci_skb_pkt_type(skb), 1); 474 475 count = skb->len; 476 477 /* Max HCI frame size seems to be 1511 + 1 */ 478 nskb = bt_skb_alloc(count + 32, GFP_KERNEL); 479 if (!nskb) { 480 BT_ERR("Can't allocate memory for new packet"); 481 return -ENOMEM; 482 } 483 484 nskb->dev = (void *) data; 485 486 while (count) { 487 size = min_t(uint, count, BFUSB_MAX_BLOCK_SIZE); 488 489 buf[0] = 0xc1 | ((sent == 0) ? 0x04 : 0) | ((count == size) ? 0x08 : 0); 490 buf[1] = 0x00; 491 buf[2] = (size == BFUSB_MAX_BLOCK_SIZE) ? 0 : size; 492 493 skb_put_data(nskb, buf, 3); 494 skb_copy_from_linear_data_offset(skb, sent, skb_put(nskb, size), size); 495 496 sent += size; 497 count -= size; 498 } 499 500 /* Don't send frame with multiple size of bulk max packet */ 501 if ((nskb->len % data->bulk_pkt_size) == 0) { 502 buf[0] = 0xdd; 503 buf[1] = 0x00; 504 skb_put_data(nskb, buf, 2); 505 } 506 507 read_lock(&data->lock); 508 509 skb_queue_tail(&data->transmit_q, nskb); 510 bfusb_tx_wakeup(data); 511 512 read_unlock(&data->lock); 513 514 kfree_skb(skb); 515 516 return 0; 517 } 518 519 static int bfusb_load_firmware(struct bfusb_data *data, 520 const unsigned char *firmware, int count) 521 { 522 unsigned char *buf; 523 int err, pipe, len, size, sent = 0; 524 525 BT_DBG("bfusb %p udev %p", data, data->udev); 526 527 BT_INFO("BlueFRITZ! USB loading firmware"); 528 529 buf = kmalloc(BFUSB_MAX_BLOCK_SIZE + 3, GFP_KERNEL); 530 if (!buf) { 531 BT_ERR("Can't allocate memory chunk for firmware"); 532 return -ENOMEM; 533 } 534 535 pipe = usb_sndctrlpipe(data->udev, 0); 536 537 if (usb_control_msg(data->udev, pipe, USB_REQ_SET_CONFIGURATION, 538 0, 1, 0, NULL, 0, USB_CTRL_SET_TIMEOUT) < 0) { 539 BT_ERR("Can't change to loading configuration"); 540 kfree(buf); 541 return -EBUSY; 542 } 543 544 data->udev->toggle[0] = data->udev->toggle[1] = 0; 545 546 pipe = usb_sndbulkpipe(data->udev, data->bulk_out_ep); 547 548 while (count) { 549 size = min_t(uint, count, BFUSB_MAX_BLOCK_SIZE + 3); 550 551 memcpy(buf, firmware + sent, size); 552 553 err = usb_bulk_msg(data->udev, pipe, buf, size, 554 &len, BFUSB_BLOCK_TIMEOUT); 555 556 if (err || (len != size)) { 557 BT_ERR("Error in firmware loading"); 558 goto error; 559 } 560 561 sent += size; 562 count -= size; 563 } 564 565 err = usb_bulk_msg(data->udev, pipe, NULL, 0, 566 &len, BFUSB_BLOCK_TIMEOUT); 567 if (err < 0) { 568 BT_ERR("Error in null packet request"); 569 goto error; 570 } 571 572 pipe = usb_sndctrlpipe(data->udev, 0); 573 574 err = usb_control_msg(data->udev, pipe, USB_REQ_SET_CONFIGURATION, 575 0, 2, 0, NULL, 0, USB_CTRL_SET_TIMEOUT); 576 if (err < 0) { 577 BT_ERR("Can't change to running configuration"); 578 goto error; 579 } 580 581 data->udev->toggle[0] = data->udev->toggle[1] = 0; 582 583 BT_INFO("BlueFRITZ! USB device ready"); 584 585 kfree(buf); 586 return 0; 587 588 error: 589 kfree(buf); 590 591 pipe = usb_sndctrlpipe(data->udev, 0); 592 593 usb_control_msg(data->udev, pipe, USB_REQ_SET_CONFIGURATION, 594 0, 0, 0, NULL, 0, USB_CTRL_SET_TIMEOUT); 595 596 return err; 597 } 598 599 static int bfusb_probe(struct usb_interface *intf, const struct usb_device_id *id) 600 { 601 const struct firmware *firmware; 602 struct usb_device *udev = interface_to_usbdev(intf); 603 struct usb_host_endpoint *bulk_out_ep; 604 struct usb_host_endpoint *bulk_in_ep; 605 struct hci_dev *hdev; 606 struct bfusb_data *data; 607 608 BT_DBG("intf %p id %p", intf, id); 609 610 /* Check number of endpoints */ 611 if (intf->cur_altsetting->desc.bNumEndpoints < 2) 612 return -EIO; 613 614 bulk_out_ep = &intf->cur_altsetting->endpoint[0]; 615 bulk_in_ep = &intf->cur_altsetting->endpoint[1]; 616 617 if (!bulk_out_ep || !bulk_in_ep) { 618 BT_ERR("Bulk endpoints not found"); 619 goto done; 620 } 621 622 /* Initialize control structure and load firmware */ 623 data = devm_kzalloc(&intf->dev, sizeof(struct bfusb_data), GFP_KERNEL); 624 if (!data) 625 return -ENOMEM; 626 627 data->udev = udev; 628 data->bulk_in_ep = bulk_in_ep->desc.bEndpointAddress; 629 data->bulk_out_ep = bulk_out_ep->desc.bEndpointAddress; 630 data->bulk_pkt_size = le16_to_cpu(bulk_out_ep->desc.wMaxPacketSize); 631 632 rwlock_init(&data->lock); 633 634 data->reassembly = NULL; 635 636 skb_queue_head_init(&data->transmit_q); 637 skb_queue_head_init(&data->pending_q); 638 skb_queue_head_init(&data->completed_q); 639 640 if (request_firmware(&firmware, "bfubase.frm", &udev->dev) < 0) { 641 BT_ERR("Firmware request failed"); 642 goto done; 643 } 644 645 BT_DBG("firmware data %p size %zu", firmware->data, firmware->size); 646 647 if (bfusb_load_firmware(data, firmware->data, firmware->size) < 0) { 648 BT_ERR("Firmware loading failed"); 649 goto release; 650 } 651 652 release_firmware(firmware); 653 654 /* Initialize and register HCI device */ 655 hdev = hci_alloc_dev(); 656 if (!hdev) { 657 BT_ERR("Can't allocate HCI device"); 658 goto done; 659 } 660 661 data->hdev = hdev; 662 663 hdev->bus = HCI_USB; 664 hci_set_drvdata(hdev, data); 665 SET_HCIDEV_DEV(hdev, &intf->dev); 666 667 hdev->open = bfusb_open; 668 hdev->close = bfusb_close; 669 hdev->flush = bfusb_flush; 670 hdev->send = bfusb_send_frame; 671 672 set_bit(HCI_QUIRK_BROKEN_LOCAL_COMMANDS, &hdev->quirks); 673 674 if (hci_register_dev(hdev) < 0) { 675 BT_ERR("Can't register HCI device"); 676 hci_free_dev(hdev); 677 goto done; 678 } 679 680 usb_set_intfdata(intf, data); 681 682 return 0; 683 684 release: 685 release_firmware(firmware); 686 687 done: 688 return -EIO; 689 } 690 691 static void bfusb_disconnect(struct usb_interface *intf) 692 { 693 struct bfusb_data *data = usb_get_intfdata(intf); 694 struct hci_dev *hdev = data->hdev; 695 696 BT_DBG("intf %p", intf); 697 698 if (!hdev) 699 return; 700 701 usb_set_intfdata(intf, NULL); 702 703 bfusb_close(hdev); 704 705 hci_unregister_dev(hdev); 706 hci_free_dev(hdev); 707 } 708 709 static struct usb_driver bfusb_driver = { 710 .name = "bfusb", 711 .probe = bfusb_probe, 712 .disconnect = bfusb_disconnect, 713 .id_table = bfusb_table, 714 .disable_hub_initiated_lpm = 1, 715 }; 716 717 module_usb_driver(bfusb_driver); 718 719 MODULE_AUTHOR("Marcel Holtmann <marcel@holtmann.org>"); 720 MODULE_DESCRIPTION("BlueFRITZ! USB driver ver " VERSION); 721 MODULE_VERSION(VERSION); 722 MODULE_LICENSE("GPL"); 723 MODULE_FIRMWARE("bfubase.frm"); 724