1 // SPDX-License-Identifier: GPL-2.0-or-later 2 /* 3 * 4 * AVM BlueFRITZ! USB driver 5 * 6 * Copyright (C) 2003-2006 Marcel Holtmann <marcel@holtmann.org> 7 */ 8 9 #include <linux/module.h> 10 11 #include <linux/kernel.h> 12 #include <linux/init.h> 13 #include <linux/slab.h> 14 #include <linux/types.h> 15 #include <linux/errno.h> 16 #include <linux/skbuff.h> 17 18 #include <linux/device.h> 19 #include <linux/firmware.h> 20 21 #include <linux/usb.h> 22 23 #include <net/bluetooth/bluetooth.h> 24 #include <net/bluetooth/hci_core.h> 25 26 #define VERSION "1.2" 27 28 static struct usb_driver bfusb_driver; 29 30 static const struct usb_device_id bfusb_table[] = { 31 /* AVM BlueFRITZ! USB */ 32 { USB_DEVICE(0x057c, 0x2200) }, 33 34 { } /* Terminating entry */ 35 }; 36 37 MODULE_DEVICE_TABLE(usb, bfusb_table); 38 39 #define BFUSB_MAX_BLOCK_SIZE 256 40 41 #define BFUSB_BLOCK_TIMEOUT 3000 42 43 #define BFUSB_TX_PROCESS 1 44 #define BFUSB_TX_WAKEUP 2 45 46 #define BFUSB_MAX_BULK_TX 2 47 #define BFUSB_MAX_BULK_RX 2 48 49 struct bfusb_data { 50 struct hci_dev *hdev; 51 52 unsigned long state; 53 54 struct usb_device *udev; 55 56 unsigned int bulk_in_ep; 57 unsigned int bulk_out_ep; 58 unsigned int bulk_pkt_size; 59 60 rwlock_t lock; 61 62 struct sk_buff_head transmit_q; 63 64 struct sk_buff *reassembly; 65 66 atomic_t pending_tx; 67 struct sk_buff_head pending_q; 68 struct sk_buff_head completed_q; 69 }; 70 71 struct bfusb_data_scb { 72 struct urb *urb; 73 }; 74 75 static void bfusb_tx_complete(struct urb *urb); 76 static void bfusb_rx_complete(struct urb *urb); 77 78 static struct urb *bfusb_get_completed(struct bfusb_data *data) 79 { 80 struct sk_buff *skb; 81 struct urb *urb = NULL; 82 83 BT_DBG("bfusb %p", data); 84 85 skb = skb_dequeue(&data->completed_q); 86 if (skb) { 87 urb = ((struct bfusb_data_scb *) skb->cb)->urb; 88 kfree_skb(skb); 89 } 90 91 return urb; 92 } 93 94 static void bfusb_unlink_urbs(struct bfusb_data *data) 95 { 96 struct sk_buff *skb; 97 struct urb *urb; 98 99 BT_DBG("bfusb %p", data); 100 101 while ((skb = skb_dequeue(&data->pending_q))) { 102 urb = ((struct bfusb_data_scb *) skb->cb)->urb; 103 usb_kill_urb(urb); 104 skb_queue_tail(&data->completed_q, skb); 105 } 106 107 while ((urb = bfusb_get_completed(data))) 108 usb_free_urb(urb); 109 } 110 111 static int bfusb_send_bulk(struct bfusb_data *data, struct sk_buff *skb) 112 { 113 struct bfusb_data_scb *scb = (void *) skb->cb; 114 struct urb *urb = bfusb_get_completed(data); 115 int err, pipe; 116 117 BT_DBG("bfusb %p skb %p len %d", data, skb, skb->len); 118 119 if (!urb) { 120 urb = usb_alloc_urb(0, GFP_ATOMIC); 121 if (!urb) 122 return -ENOMEM; 123 } 124 125 pipe = usb_sndbulkpipe(data->udev, data->bulk_out_ep); 126 127 usb_fill_bulk_urb(urb, data->udev, pipe, skb->data, skb->len, 128 bfusb_tx_complete, skb); 129 130 scb->urb = urb; 131 132 skb_queue_tail(&data->pending_q, skb); 133 134 err = usb_submit_urb(urb, GFP_ATOMIC); 135 if (err) { 136 bt_dev_err(data->hdev, "bulk tx submit failed urb %p err %d", 137 urb, err); 138 skb_unlink(skb, &data->pending_q); 139 usb_free_urb(urb); 140 } else 141 atomic_inc(&data->pending_tx); 142 143 return err; 144 } 145 146 static void bfusb_tx_wakeup(struct bfusb_data *data) 147 { 148 struct sk_buff *skb; 149 150 BT_DBG("bfusb %p", data); 151 152 if (test_and_set_bit(BFUSB_TX_PROCESS, &data->state)) { 153 set_bit(BFUSB_TX_WAKEUP, &data->state); 154 return; 155 } 156 157 do { 158 clear_bit(BFUSB_TX_WAKEUP, &data->state); 159 160 while ((atomic_read(&data->pending_tx) < BFUSB_MAX_BULK_TX) && 161 (skb = skb_dequeue(&data->transmit_q))) { 162 if (bfusb_send_bulk(data, skb) < 0) { 163 skb_queue_head(&data->transmit_q, skb); 164 break; 165 } 166 } 167 168 } while (test_bit(BFUSB_TX_WAKEUP, &data->state)); 169 170 clear_bit(BFUSB_TX_PROCESS, &data->state); 171 } 172 173 static void bfusb_tx_complete(struct urb *urb) 174 { 175 struct sk_buff *skb = (struct sk_buff *) urb->context; 176 struct bfusb_data *data = (struct bfusb_data *) skb->dev; 177 178 BT_DBG("bfusb %p urb %p skb %p len %d", data, urb, skb, skb->len); 179 180 atomic_dec(&data->pending_tx); 181 182 if (!test_bit(HCI_RUNNING, &data->hdev->flags)) 183 return; 184 185 if (!urb->status) 186 data->hdev->stat.byte_tx += skb->len; 187 else 188 data->hdev->stat.err_tx++; 189 190 read_lock(&data->lock); 191 192 skb_unlink(skb, &data->pending_q); 193 skb_queue_tail(&data->completed_q, skb); 194 195 bfusb_tx_wakeup(data); 196 197 read_unlock(&data->lock); 198 } 199 200 201 static int bfusb_rx_submit(struct bfusb_data *data, struct urb *urb) 202 { 203 struct bfusb_data_scb *scb; 204 struct sk_buff *skb; 205 int err, pipe, size = HCI_MAX_FRAME_SIZE + 32; 206 207 BT_DBG("bfusb %p urb %p", data, urb); 208 209 if (!urb) { 210 urb = usb_alloc_urb(0, GFP_ATOMIC); 211 if (!urb) 212 return -ENOMEM; 213 } 214 215 skb = bt_skb_alloc(size, GFP_ATOMIC); 216 if (!skb) { 217 usb_free_urb(urb); 218 return -ENOMEM; 219 } 220 221 skb->dev = (void *) data; 222 223 scb = (struct bfusb_data_scb *) skb->cb; 224 scb->urb = urb; 225 226 pipe = usb_rcvbulkpipe(data->udev, data->bulk_in_ep); 227 228 usb_fill_bulk_urb(urb, data->udev, pipe, skb->data, size, 229 bfusb_rx_complete, skb); 230 231 skb_queue_tail(&data->pending_q, skb); 232 233 err = usb_submit_urb(urb, GFP_ATOMIC); 234 if (err) { 235 bt_dev_err(data->hdev, "bulk rx submit failed urb %p err %d", 236 urb, err); 237 skb_unlink(skb, &data->pending_q); 238 kfree_skb(skb); 239 usb_free_urb(urb); 240 } 241 242 return err; 243 } 244 245 static inline int bfusb_recv_block(struct bfusb_data *data, int hdr, unsigned char *buf, int len) 246 { 247 BT_DBG("bfusb %p hdr 0x%02x data %p len %d", data, hdr, buf, len); 248 249 if (hdr & 0x10) { 250 bt_dev_err(data->hdev, "error in block"); 251 kfree_skb(data->reassembly); 252 data->reassembly = NULL; 253 return -EIO; 254 } 255 256 if (hdr & 0x04) { 257 struct sk_buff *skb; 258 unsigned char pkt_type; 259 int pkt_len = 0; 260 261 if (data->reassembly) { 262 bt_dev_err(data->hdev, "unexpected start block"); 263 kfree_skb(data->reassembly); 264 data->reassembly = NULL; 265 } 266 267 if (len < 1) { 268 bt_dev_err(data->hdev, "no packet type found"); 269 return -EPROTO; 270 } 271 272 pkt_type = *buf++; len--; 273 274 switch (pkt_type) { 275 case HCI_EVENT_PKT: 276 if (len >= HCI_EVENT_HDR_SIZE) { 277 struct hci_event_hdr *hdr = (struct hci_event_hdr *) buf; 278 pkt_len = HCI_EVENT_HDR_SIZE + hdr->plen; 279 } else { 280 bt_dev_err(data->hdev, "event block is too short"); 281 return -EILSEQ; 282 } 283 break; 284 285 case HCI_ACLDATA_PKT: 286 if (len >= HCI_ACL_HDR_SIZE) { 287 struct hci_acl_hdr *hdr = (struct hci_acl_hdr *) buf; 288 pkt_len = HCI_ACL_HDR_SIZE + __le16_to_cpu(hdr->dlen); 289 } else { 290 bt_dev_err(data->hdev, "data block is too short"); 291 return -EILSEQ; 292 } 293 break; 294 295 case HCI_SCODATA_PKT: 296 if (len >= HCI_SCO_HDR_SIZE) { 297 struct hci_sco_hdr *hdr = (struct hci_sco_hdr *) buf; 298 pkt_len = HCI_SCO_HDR_SIZE + hdr->dlen; 299 } else { 300 bt_dev_err(data->hdev, "audio block is too short"); 301 return -EILSEQ; 302 } 303 break; 304 } 305 306 skb = bt_skb_alloc(pkt_len, GFP_ATOMIC); 307 if (!skb) { 308 bt_dev_err(data->hdev, "no memory for the packet"); 309 return -ENOMEM; 310 } 311 312 hci_skb_pkt_type(skb) = pkt_type; 313 314 data->reassembly = skb; 315 } else { 316 if (!data->reassembly) { 317 bt_dev_err(data->hdev, "unexpected continuation block"); 318 return -EIO; 319 } 320 } 321 322 if (len > 0) 323 skb_put_data(data->reassembly, buf, len); 324 325 if (hdr & 0x08) { 326 hci_recv_frame(data->hdev, data->reassembly); 327 data->reassembly = NULL; 328 } 329 330 return 0; 331 } 332 333 static void bfusb_rx_complete(struct urb *urb) 334 { 335 struct sk_buff *skb = (struct sk_buff *) urb->context; 336 struct bfusb_data *data = (struct bfusb_data *) skb->dev; 337 unsigned char *buf = urb->transfer_buffer; 338 int count = urb->actual_length; 339 int err, hdr, len; 340 341 BT_DBG("bfusb %p urb %p skb %p len %d", data, urb, skb, skb->len); 342 343 read_lock(&data->lock); 344 345 if (!test_bit(HCI_RUNNING, &data->hdev->flags)) 346 goto unlock; 347 348 if (urb->status || !count) 349 goto resubmit; 350 351 data->hdev->stat.byte_rx += count; 352 353 skb_put(skb, count); 354 355 while (count) { 356 hdr = buf[0] | (buf[1] << 8); 357 358 if (hdr & 0x4000) { 359 len = 0; 360 count -= 2; 361 buf += 2; 362 } else { 363 len = (buf[2] == 0) ? 256 : buf[2]; 364 count -= 3; 365 buf += 3; 366 } 367 368 if (count < len) 369 bt_dev_err(data->hdev, "block extends over URB buffer ranges"); 370 371 if ((hdr & 0xe1) == 0xc1) 372 bfusb_recv_block(data, hdr, buf, len); 373 374 count -= len; 375 buf += len; 376 } 377 378 skb_unlink(skb, &data->pending_q); 379 kfree_skb(skb); 380 381 bfusb_rx_submit(data, urb); 382 383 read_unlock(&data->lock); 384 385 return; 386 387 resubmit: 388 urb->dev = data->udev; 389 390 err = usb_submit_urb(urb, GFP_ATOMIC); 391 if (err) { 392 bt_dev_err(data->hdev, "bulk resubmit failed urb %p err %d", 393 urb, err); 394 } 395 396 unlock: 397 read_unlock(&data->lock); 398 } 399 400 static int bfusb_open(struct hci_dev *hdev) 401 { 402 struct bfusb_data *data = hci_get_drvdata(hdev); 403 unsigned long flags; 404 int i, err; 405 406 BT_DBG("hdev %p bfusb %p", hdev, data); 407 408 write_lock_irqsave(&data->lock, flags); 409 410 err = bfusb_rx_submit(data, NULL); 411 if (!err) { 412 for (i = 1; i < BFUSB_MAX_BULK_RX; i++) 413 bfusb_rx_submit(data, NULL); 414 } 415 416 write_unlock_irqrestore(&data->lock, flags); 417 418 return err; 419 } 420 421 static int bfusb_flush(struct hci_dev *hdev) 422 { 423 struct bfusb_data *data = hci_get_drvdata(hdev); 424 425 BT_DBG("hdev %p bfusb %p", hdev, data); 426 427 skb_queue_purge(&data->transmit_q); 428 429 return 0; 430 } 431 432 static int bfusb_close(struct hci_dev *hdev) 433 { 434 struct bfusb_data *data = hci_get_drvdata(hdev); 435 unsigned long flags; 436 437 BT_DBG("hdev %p bfusb %p", hdev, data); 438 439 write_lock_irqsave(&data->lock, flags); 440 write_unlock_irqrestore(&data->lock, flags); 441 442 bfusb_unlink_urbs(data); 443 bfusb_flush(hdev); 444 445 return 0; 446 } 447 448 static int bfusb_send_frame(struct hci_dev *hdev, struct sk_buff *skb) 449 { 450 struct bfusb_data *data = hci_get_drvdata(hdev); 451 struct sk_buff *nskb; 452 unsigned char buf[3]; 453 int sent = 0, size, count; 454 455 BT_DBG("hdev %p skb %p type %d len %d", hdev, skb, 456 hci_skb_pkt_type(skb), skb->len); 457 458 switch (hci_skb_pkt_type(skb)) { 459 case HCI_COMMAND_PKT: 460 hdev->stat.cmd_tx++; 461 break; 462 case HCI_ACLDATA_PKT: 463 hdev->stat.acl_tx++; 464 break; 465 case HCI_SCODATA_PKT: 466 hdev->stat.sco_tx++; 467 break; 468 } 469 470 /* Prepend skb with frame type */ 471 memcpy(skb_push(skb, 1), &hci_skb_pkt_type(skb), 1); 472 473 count = skb->len; 474 475 /* Max HCI frame size seems to be 1511 + 1 */ 476 nskb = bt_skb_alloc(count + 32, GFP_KERNEL); 477 if (!nskb) { 478 bt_dev_err(hdev, "Can't allocate memory for new packet"); 479 return -ENOMEM; 480 } 481 482 nskb->dev = (void *) data; 483 484 while (count) { 485 size = min_t(uint, count, BFUSB_MAX_BLOCK_SIZE); 486 487 buf[0] = 0xc1 | ((sent == 0) ? 0x04 : 0) | ((count == size) ? 0x08 : 0); 488 buf[1] = 0x00; 489 buf[2] = (size == BFUSB_MAX_BLOCK_SIZE) ? 0 : size; 490 491 skb_put_data(nskb, buf, 3); 492 skb_copy_from_linear_data_offset(skb, sent, skb_put(nskb, size), size); 493 494 sent += size; 495 count -= size; 496 } 497 498 /* Don't send frame with multiple size of bulk max packet */ 499 if ((nskb->len % data->bulk_pkt_size) == 0) { 500 buf[0] = 0xdd; 501 buf[1] = 0x00; 502 skb_put_data(nskb, buf, 2); 503 } 504 505 read_lock(&data->lock); 506 507 skb_queue_tail(&data->transmit_q, nskb); 508 bfusb_tx_wakeup(data); 509 510 read_unlock(&data->lock); 511 512 kfree_skb(skb); 513 514 return 0; 515 } 516 517 static int bfusb_load_firmware(struct bfusb_data *data, 518 const unsigned char *firmware, int count) 519 { 520 unsigned char *buf; 521 int err, pipe, len, size, sent = 0; 522 523 BT_DBG("bfusb %p udev %p", data, data->udev); 524 525 BT_INFO("BlueFRITZ! USB loading firmware"); 526 527 buf = kmalloc(BFUSB_MAX_BLOCK_SIZE + 3, GFP_KERNEL); 528 if (!buf) { 529 BT_ERR("Can't allocate memory chunk for firmware"); 530 return -ENOMEM; 531 } 532 533 pipe = usb_sndctrlpipe(data->udev, 0); 534 535 if (usb_control_msg(data->udev, pipe, USB_REQ_SET_CONFIGURATION, 536 0, 1, 0, NULL, 0, USB_CTRL_SET_TIMEOUT) < 0) { 537 BT_ERR("Can't change to loading configuration"); 538 kfree(buf); 539 return -EBUSY; 540 } 541 542 data->udev->toggle[0] = data->udev->toggle[1] = 0; 543 544 pipe = usb_sndbulkpipe(data->udev, data->bulk_out_ep); 545 546 while (count) { 547 size = min_t(uint, count, BFUSB_MAX_BLOCK_SIZE + 3); 548 549 memcpy(buf, firmware + sent, size); 550 551 err = usb_bulk_msg(data->udev, pipe, buf, size, 552 &len, BFUSB_BLOCK_TIMEOUT); 553 554 if (err || (len != size)) { 555 BT_ERR("Error in firmware loading"); 556 goto error; 557 } 558 559 sent += size; 560 count -= size; 561 } 562 563 err = usb_bulk_msg(data->udev, pipe, NULL, 0, 564 &len, BFUSB_BLOCK_TIMEOUT); 565 if (err < 0) { 566 BT_ERR("Error in null packet request"); 567 goto error; 568 } 569 570 pipe = usb_sndctrlpipe(data->udev, 0); 571 572 err = usb_control_msg(data->udev, pipe, USB_REQ_SET_CONFIGURATION, 573 0, 2, 0, NULL, 0, USB_CTRL_SET_TIMEOUT); 574 if (err < 0) { 575 BT_ERR("Can't change to running configuration"); 576 goto error; 577 } 578 579 data->udev->toggle[0] = data->udev->toggle[1] = 0; 580 581 BT_INFO("BlueFRITZ! USB device ready"); 582 583 kfree(buf); 584 return 0; 585 586 error: 587 kfree(buf); 588 589 pipe = usb_sndctrlpipe(data->udev, 0); 590 591 usb_control_msg(data->udev, pipe, USB_REQ_SET_CONFIGURATION, 592 0, 0, 0, NULL, 0, USB_CTRL_SET_TIMEOUT); 593 594 return err; 595 } 596 597 static int bfusb_probe(struct usb_interface *intf, const struct usb_device_id *id) 598 { 599 const struct firmware *firmware; 600 struct usb_device *udev = interface_to_usbdev(intf); 601 struct usb_host_endpoint *bulk_out_ep; 602 struct usb_host_endpoint *bulk_in_ep; 603 struct hci_dev *hdev; 604 struct bfusb_data *data; 605 606 BT_DBG("intf %p id %p", intf, id); 607 608 /* Check number of endpoints */ 609 if (intf->cur_altsetting->desc.bNumEndpoints < 2) 610 return -EIO; 611 612 bulk_out_ep = &intf->cur_altsetting->endpoint[0]; 613 bulk_in_ep = &intf->cur_altsetting->endpoint[1]; 614 615 if (!bulk_out_ep || !bulk_in_ep) { 616 BT_ERR("Bulk endpoints not found"); 617 goto done; 618 } 619 620 /* Initialize control structure and load firmware */ 621 data = devm_kzalloc(&intf->dev, sizeof(struct bfusb_data), GFP_KERNEL); 622 if (!data) 623 return -ENOMEM; 624 625 data->udev = udev; 626 data->bulk_in_ep = bulk_in_ep->desc.bEndpointAddress; 627 data->bulk_out_ep = bulk_out_ep->desc.bEndpointAddress; 628 data->bulk_pkt_size = le16_to_cpu(bulk_out_ep->desc.wMaxPacketSize); 629 630 if (!data->bulk_pkt_size) 631 goto done; 632 633 rwlock_init(&data->lock); 634 635 data->reassembly = NULL; 636 637 skb_queue_head_init(&data->transmit_q); 638 skb_queue_head_init(&data->pending_q); 639 skb_queue_head_init(&data->completed_q); 640 641 if (request_firmware(&firmware, "bfubase.frm", &udev->dev) < 0) { 642 BT_ERR("Firmware request failed"); 643 goto done; 644 } 645 646 BT_DBG("firmware data %p size %zu", firmware->data, firmware->size); 647 648 if (bfusb_load_firmware(data, firmware->data, firmware->size) < 0) { 649 BT_ERR("Firmware loading failed"); 650 goto release; 651 } 652 653 release_firmware(firmware); 654 655 /* Initialize and register HCI device */ 656 hdev = hci_alloc_dev(); 657 if (!hdev) { 658 BT_ERR("Can't allocate HCI device"); 659 goto done; 660 } 661 662 data->hdev = hdev; 663 664 hdev->bus = HCI_USB; 665 hci_set_drvdata(hdev, data); 666 SET_HCIDEV_DEV(hdev, &intf->dev); 667 668 hdev->open = bfusb_open; 669 hdev->close = bfusb_close; 670 hdev->flush = bfusb_flush; 671 hdev->send = bfusb_send_frame; 672 673 set_bit(HCI_QUIRK_BROKEN_LOCAL_COMMANDS, &hdev->quirks); 674 675 if (hci_register_dev(hdev) < 0) { 676 BT_ERR("Can't register HCI device"); 677 hci_free_dev(hdev); 678 goto done; 679 } 680 681 usb_set_intfdata(intf, data); 682 683 return 0; 684 685 release: 686 release_firmware(firmware); 687 688 done: 689 return -EIO; 690 } 691 692 static void bfusb_disconnect(struct usb_interface *intf) 693 { 694 struct bfusb_data *data = usb_get_intfdata(intf); 695 struct hci_dev *hdev = data->hdev; 696 697 BT_DBG("intf %p", intf); 698 699 if (!hdev) 700 return; 701 702 usb_set_intfdata(intf, NULL); 703 704 bfusb_close(hdev); 705 706 hci_unregister_dev(hdev); 707 hci_free_dev(hdev); 708 } 709 710 static struct usb_driver bfusb_driver = { 711 .name = "bfusb", 712 .probe = bfusb_probe, 713 .disconnect = bfusb_disconnect, 714 .id_table = bfusb_table, 715 .disable_hub_initiated_lpm = 1, 716 }; 717 718 module_usb_driver(bfusb_driver); 719 720 MODULE_AUTHOR("Marcel Holtmann <marcel@holtmann.org>"); 721 MODULE_DESCRIPTION("BlueFRITZ! USB driver ver " VERSION); 722 MODULE_VERSION(VERSION); 723 MODULE_LICENSE("GPL"); 724 MODULE_FIRMWARE("bfubase.frm"); 725