1 // SPDX-License-Identifier: GPL-2.0-or-later
4 * AVM BlueFRITZ! USB driver
6 * Copyright (C) 2003-2006 Marcel Holtmann <marcel@holtmann.org>
9 #include <linux/module.h>
11 #include <linux/kernel.h>
12 #include <linux/init.h>
13 #include <linux/slab.h>
14 #include <linux/types.h>
15 #include <linux/errno.h>
16 #include <linux/skbuff.h>
18 #include <linux/device.h>
19 #include <linux/firmware.h>
21 #include <linux/usb.h>
23 #include <net/bluetooth/bluetooth.h>
24 #include <net/bluetooth/hci_core.h>
28 static struct usb_driver bfusb_driver
;
30 static const struct usb_device_id bfusb_table
[] = {
31 /* AVM BlueFRITZ! USB */
32 { USB_DEVICE(0x057c, 0x2200) },
34 { } /* Terminating entry */
37 MODULE_DEVICE_TABLE(usb
, bfusb_table
);
39 #define BFUSB_MAX_BLOCK_SIZE 256
41 #define BFUSB_BLOCK_TIMEOUT 3000
43 #define BFUSB_TX_PROCESS 1
44 #define BFUSB_TX_WAKEUP 2
46 #define BFUSB_MAX_BULK_TX 2
47 #define BFUSB_MAX_BULK_RX 2
54 struct usb_device
*udev
;
56 unsigned int bulk_in_ep
;
57 unsigned int bulk_out_ep
;
58 unsigned int bulk_pkt_size
;
62 struct sk_buff_head transmit_q
;
64 struct sk_buff
*reassembly
;
67 struct sk_buff_head pending_q
;
68 struct sk_buff_head completed_q
;
71 struct bfusb_data_scb
{
75 static void bfusb_tx_complete(struct urb
*urb
);
76 static void bfusb_rx_complete(struct urb
*urb
);
78 static struct urb
*bfusb_get_completed(struct bfusb_data
*data
)
81 struct urb
*urb
= NULL
;
83 BT_DBG("bfusb %p", data
);
85 skb
= skb_dequeue(&data
->completed_q
);
87 urb
= ((struct bfusb_data_scb
*) skb
->cb
)->urb
;
94 static void bfusb_unlink_urbs(struct bfusb_data
*data
)
99 BT_DBG("bfusb %p", data
);
101 while ((skb
= skb_dequeue(&data
->pending_q
))) {
102 urb
= ((struct bfusb_data_scb
*) skb
->cb
)->urb
;
104 skb_queue_tail(&data
->completed_q
, skb
);
107 while ((urb
= bfusb_get_completed(data
)))
111 static int bfusb_send_bulk(struct bfusb_data
*data
, struct sk_buff
*skb
)
113 struct bfusb_data_scb
*scb
= (void *) skb
->cb
;
114 struct urb
*urb
= bfusb_get_completed(data
);
117 BT_DBG("bfusb %p skb %p len %d", data
, skb
, skb
->len
);
120 urb
= usb_alloc_urb(0, GFP_ATOMIC
);
125 pipe
= usb_sndbulkpipe(data
->udev
, data
->bulk_out_ep
);
127 usb_fill_bulk_urb(urb
, data
->udev
, pipe
, skb
->data
, skb
->len
,
128 bfusb_tx_complete
, skb
);
132 skb_queue_tail(&data
->pending_q
, skb
);
134 err
= usb_submit_urb(urb
, GFP_ATOMIC
);
136 bt_dev_err(data
->hdev
, "bulk tx submit failed urb %p err %d",
138 skb_unlink(skb
, &data
->pending_q
);
141 atomic_inc(&data
->pending_tx
);
146 static void bfusb_tx_wakeup(struct bfusb_data
*data
)
150 BT_DBG("bfusb %p", data
);
152 if (test_and_set_bit(BFUSB_TX_PROCESS
, &data
->state
)) {
153 set_bit(BFUSB_TX_WAKEUP
, &data
->state
);
158 clear_bit(BFUSB_TX_WAKEUP
, &data
->state
);
160 while ((atomic_read(&data
->pending_tx
) < BFUSB_MAX_BULK_TX
) &&
161 (skb
= skb_dequeue(&data
->transmit_q
))) {
162 if (bfusb_send_bulk(data
, skb
) < 0) {
163 skb_queue_head(&data
->transmit_q
, skb
);
168 } while (test_bit(BFUSB_TX_WAKEUP
, &data
->state
));
170 clear_bit(BFUSB_TX_PROCESS
, &data
->state
);
173 static void bfusb_tx_complete(struct urb
*urb
)
175 struct sk_buff
*skb
= (struct sk_buff
*) urb
->context
;
176 struct bfusb_data
*data
= (struct bfusb_data
*) skb
->dev
;
178 BT_DBG("bfusb %p urb %p skb %p len %d", data
, urb
, skb
, skb
->len
);
180 atomic_dec(&data
->pending_tx
);
182 if (!test_bit(HCI_RUNNING
, &data
->hdev
->flags
))
186 data
->hdev
->stat
.byte_tx
+= skb
->len
;
188 data
->hdev
->stat
.err_tx
++;
190 read_lock(&data
->lock
);
192 skb_unlink(skb
, &data
->pending_q
);
193 skb_queue_tail(&data
->completed_q
, skb
);
195 bfusb_tx_wakeup(data
);
197 read_unlock(&data
->lock
);
201 static int bfusb_rx_submit(struct bfusb_data
*data
, struct urb
*urb
)
203 struct bfusb_data_scb
*scb
;
205 int err
, pipe
, size
= HCI_MAX_FRAME_SIZE
+ 32;
207 BT_DBG("bfusb %p urb %p", data
, urb
);
210 urb
= usb_alloc_urb(0, GFP_ATOMIC
);
215 skb
= bt_skb_alloc(size
, GFP_ATOMIC
);
221 skb
->dev
= (void *) data
;
223 scb
= (struct bfusb_data_scb
*) skb
->cb
;
226 pipe
= usb_rcvbulkpipe(data
->udev
, data
->bulk_in_ep
);
228 usb_fill_bulk_urb(urb
, data
->udev
, pipe
, skb
->data
, size
,
229 bfusb_rx_complete
, skb
);
231 skb_queue_tail(&data
->pending_q
, skb
);
233 err
= usb_submit_urb(urb
, GFP_ATOMIC
);
235 bt_dev_err(data
->hdev
, "bulk rx submit failed urb %p err %d",
237 skb_unlink(skb
, &data
->pending_q
);
245 static inline int bfusb_recv_block(struct bfusb_data
*data
, int hdr
, unsigned char *buf
, int len
)
247 BT_DBG("bfusb %p hdr 0x%02x data %p len %d", data
, hdr
, buf
, len
);
250 bt_dev_err(data
->hdev
, "error in block");
251 kfree_skb(data
->reassembly
);
252 data
->reassembly
= NULL
;
258 unsigned char pkt_type
;
261 if (data
->reassembly
) {
262 bt_dev_err(data
->hdev
, "unexpected start block");
263 kfree_skb(data
->reassembly
);
264 data
->reassembly
= NULL
;
268 bt_dev_err(data
->hdev
, "no packet type found");
272 pkt_type
= *buf
++; len
--;
276 if (len
>= HCI_EVENT_HDR_SIZE
) {
277 struct hci_event_hdr
*hdr
= (struct hci_event_hdr
*) buf
;
278 pkt_len
= HCI_EVENT_HDR_SIZE
+ hdr
->plen
;
280 bt_dev_err(data
->hdev
, "event block is too short");
285 case HCI_ACLDATA_PKT
:
286 if (len
>= HCI_ACL_HDR_SIZE
) {
287 struct hci_acl_hdr
*hdr
= (struct hci_acl_hdr
*) buf
;
288 pkt_len
= HCI_ACL_HDR_SIZE
+ __le16_to_cpu(hdr
->dlen
);
290 bt_dev_err(data
->hdev
, "data block is too short");
295 case HCI_SCODATA_PKT
:
296 if (len
>= HCI_SCO_HDR_SIZE
) {
297 struct hci_sco_hdr
*hdr
= (struct hci_sco_hdr
*) buf
;
298 pkt_len
= HCI_SCO_HDR_SIZE
+ hdr
->dlen
;
300 bt_dev_err(data
->hdev
, "audio block is too short");
306 skb
= bt_skb_alloc(pkt_len
, GFP_ATOMIC
);
308 bt_dev_err(data
->hdev
, "no memory for the packet");
312 hci_skb_pkt_type(skb
) = pkt_type
;
314 data
->reassembly
= skb
;
316 if (!data
->reassembly
) {
317 bt_dev_err(data
->hdev
, "unexpected continuation block");
323 skb_put_data(data
->reassembly
, buf
, len
);
326 hci_recv_frame(data
->hdev
, data
->reassembly
);
327 data
->reassembly
= NULL
;
333 static void bfusb_rx_complete(struct urb
*urb
)
335 struct sk_buff
*skb
= (struct sk_buff
*) urb
->context
;
336 struct bfusb_data
*data
= (struct bfusb_data
*) skb
->dev
;
337 unsigned char *buf
= urb
->transfer_buffer
;
338 int count
= urb
->actual_length
;
341 BT_DBG("bfusb %p urb %p skb %p len %d", data
, urb
, skb
, skb
->len
);
343 read_lock(&data
->lock
);
345 if (!test_bit(HCI_RUNNING
, &data
->hdev
->flags
))
348 if (urb
->status
|| !count
)
351 data
->hdev
->stat
.byte_rx
+= count
;
356 hdr
= buf
[0] | (buf
[1] << 8);
363 len
= (buf
[2] == 0) ? 256 : buf
[2];
369 bt_dev_err(data
->hdev
, "block extends over URB buffer ranges");
372 if ((hdr
& 0xe1) == 0xc1)
373 bfusb_recv_block(data
, hdr
, buf
, len
);
379 skb_unlink(skb
, &data
->pending_q
);
382 bfusb_rx_submit(data
, urb
);
384 read_unlock(&data
->lock
);
389 urb
->dev
= data
->udev
;
391 err
= usb_submit_urb(urb
, GFP_ATOMIC
);
393 bt_dev_err(data
->hdev
, "bulk resubmit failed urb %p err %d",
398 read_unlock(&data
->lock
);
401 static int bfusb_open(struct hci_dev
*hdev
)
403 struct bfusb_data
*data
= hci_get_drvdata(hdev
);
407 BT_DBG("hdev %p bfusb %p", hdev
, data
);
409 write_lock_irqsave(&data
->lock
, flags
);
411 err
= bfusb_rx_submit(data
, NULL
);
413 for (i
= 1; i
< BFUSB_MAX_BULK_RX
; i
++)
414 bfusb_rx_submit(data
, NULL
);
417 write_unlock_irqrestore(&data
->lock
, flags
);
422 static int bfusb_flush(struct hci_dev
*hdev
)
424 struct bfusb_data
*data
= hci_get_drvdata(hdev
);
426 BT_DBG("hdev %p bfusb %p", hdev
, data
);
428 skb_queue_purge(&data
->transmit_q
);
433 static int bfusb_close(struct hci_dev
*hdev
)
435 struct bfusb_data
*data
= hci_get_drvdata(hdev
);
438 BT_DBG("hdev %p bfusb %p", hdev
, data
);
440 write_lock_irqsave(&data
->lock
, flags
);
441 write_unlock_irqrestore(&data
->lock
, flags
);
443 bfusb_unlink_urbs(data
);
449 static int bfusb_send_frame(struct hci_dev
*hdev
, struct sk_buff
*skb
)
451 struct bfusb_data
*data
= hci_get_drvdata(hdev
);
452 struct sk_buff
*nskb
;
453 unsigned char buf
[3];
454 int sent
= 0, size
, count
;
456 BT_DBG("hdev %p skb %p type %d len %d", hdev
, skb
,
457 hci_skb_pkt_type(skb
), skb
->len
);
459 switch (hci_skb_pkt_type(skb
)) {
460 case HCI_COMMAND_PKT
:
463 case HCI_ACLDATA_PKT
:
466 case HCI_SCODATA_PKT
:
471 /* Prepend skb with frame type */
472 memcpy(skb_push(skb
, 1), &hci_skb_pkt_type(skb
), 1);
476 /* Max HCI frame size seems to be 1511 + 1 */
477 nskb
= bt_skb_alloc(count
+ 32, GFP_KERNEL
);
479 bt_dev_err(hdev
, "Can't allocate memory for new packet");
483 nskb
->dev
= (void *) data
;
486 size
= min_t(uint
, count
, BFUSB_MAX_BLOCK_SIZE
);
488 buf
[0] = 0xc1 | ((sent
== 0) ? 0x04 : 0) | ((count
== size
) ? 0x08 : 0);
490 buf
[2] = (size
== BFUSB_MAX_BLOCK_SIZE
) ? 0 : size
;
492 skb_put_data(nskb
, buf
, 3);
493 skb_copy_from_linear_data_offset(skb
, sent
, skb_put(nskb
, size
), size
);
499 /* Don't send frame with multiple size of bulk max packet */
500 if ((nskb
->len
% data
->bulk_pkt_size
) == 0) {
503 skb_put_data(nskb
, buf
, 2);
506 read_lock(&data
->lock
);
508 skb_queue_tail(&data
->transmit_q
, nskb
);
509 bfusb_tx_wakeup(data
);
511 read_unlock(&data
->lock
);
518 static int bfusb_load_firmware(struct bfusb_data
*data
,
519 const unsigned char *firmware
, int count
)
522 int err
, pipe
, len
, size
, sent
= 0;
524 BT_DBG("bfusb %p udev %p", data
, data
->udev
);
526 BT_INFO("BlueFRITZ! USB loading firmware");
528 buf
= kmalloc(BFUSB_MAX_BLOCK_SIZE
+ 3, GFP_KERNEL
);
530 BT_ERR("Can't allocate memory chunk for firmware");
534 pipe
= usb_sndctrlpipe(data
->udev
, 0);
536 if (usb_control_msg(data
->udev
, pipe
, USB_REQ_SET_CONFIGURATION
,
537 0, 1, 0, NULL
, 0, USB_CTRL_SET_TIMEOUT
) < 0) {
538 BT_ERR("Can't change to loading configuration");
543 data
->udev
->toggle
[0] = data
->udev
->toggle
[1] = 0;
545 pipe
= usb_sndbulkpipe(data
->udev
, data
->bulk_out_ep
);
548 size
= min_t(uint
, count
, BFUSB_MAX_BLOCK_SIZE
+ 3);
550 memcpy(buf
, firmware
+ sent
, size
);
552 err
= usb_bulk_msg(data
->udev
, pipe
, buf
, size
,
553 &len
, BFUSB_BLOCK_TIMEOUT
);
555 if (err
|| (len
!= size
)) {
556 BT_ERR("Error in firmware loading");
564 err
= usb_bulk_msg(data
->udev
, pipe
, NULL
, 0,
565 &len
, BFUSB_BLOCK_TIMEOUT
);
567 BT_ERR("Error in null packet request");
571 pipe
= usb_sndctrlpipe(data
->udev
, 0);
573 err
= usb_control_msg(data
->udev
, pipe
, USB_REQ_SET_CONFIGURATION
,
574 0, 2, 0, NULL
, 0, USB_CTRL_SET_TIMEOUT
);
576 BT_ERR("Can't change to running configuration");
580 data
->udev
->toggle
[0] = data
->udev
->toggle
[1] = 0;
582 BT_INFO("BlueFRITZ! USB device ready");
590 pipe
= usb_sndctrlpipe(data
->udev
, 0);
592 usb_control_msg(data
->udev
, pipe
, USB_REQ_SET_CONFIGURATION
,
593 0, 0, 0, NULL
, 0, USB_CTRL_SET_TIMEOUT
);
598 static int bfusb_probe(struct usb_interface
*intf
, const struct usb_device_id
*id
)
600 const struct firmware
*firmware
;
601 struct usb_device
*udev
= interface_to_usbdev(intf
);
602 struct usb_host_endpoint
*bulk_out_ep
;
603 struct usb_host_endpoint
*bulk_in_ep
;
604 struct hci_dev
*hdev
;
605 struct bfusb_data
*data
;
607 BT_DBG("intf %p id %p", intf
, id
);
609 /* Check number of endpoints */
610 if (intf
->cur_altsetting
->desc
.bNumEndpoints
< 2)
613 bulk_out_ep
= &intf
->cur_altsetting
->endpoint
[0];
614 bulk_in_ep
= &intf
->cur_altsetting
->endpoint
[1];
616 if (!bulk_out_ep
|| !bulk_in_ep
) {
617 BT_ERR("Bulk endpoints not found");
621 /* Initialize control structure and load firmware */
622 data
= devm_kzalloc(&intf
->dev
, sizeof(struct bfusb_data
), GFP_KERNEL
);
627 data
->bulk_in_ep
= bulk_in_ep
->desc
.bEndpointAddress
;
628 data
->bulk_out_ep
= bulk_out_ep
->desc
.bEndpointAddress
;
629 data
->bulk_pkt_size
= le16_to_cpu(bulk_out_ep
->desc
.wMaxPacketSize
);
631 if (!data
->bulk_pkt_size
)
634 rwlock_init(&data
->lock
);
636 data
->reassembly
= NULL
;
638 skb_queue_head_init(&data
->transmit_q
);
639 skb_queue_head_init(&data
->pending_q
);
640 skb_queue_head_init(&data
->completed_q
);
642 if (request_firmware(&firmware
, "bfubase.frm", &udev
->dev
) < 0) {
643 BT_ERR("Firmware request failed");
647 BT_DBG("firmware data %p size %zu", firmware
->data
, firmware
->size
);
649 if (bfusb_load_firmware(data
, firmware
->data
, firmware
->size
) < 0) {
650 BT_ERR("Firmware loading failed");
654 release_firmware(firmware
);
656 /* Initialize and register HCI device */
657 hdev
= hci_alloc_dev();
659 BT_ERR("Can't allocate HCI device");
666 hci_set_drvdata(hdev
, data
);
667 SET_HCIDEV_DEV(hdev
, &intf
->dev
);
669 hdev
->open
= bfusb_open
;
670 hdev
->close
= bfusb_close
;
671 hdev
->flush
= bfusb_flush
;
672 hdev
->send
= bfusb_send_frame
;
674 set_bit(HCI_QUIRK_BROKEN_LOCAL_COMMANDS
, &hdev
->quirks
);
676 if (hci_register_dev(hdev
) < 0) {
677 BT_ERR("Can't register HCI device");
682 usb_set_intfdata(intf
, data
);
687 release_firmware(firmware
);
693 static void bfusb_disconnect(struct usb_interface
*intf
)
695 struct bfusb_data
*data
= usb_get_intfdata(intf
);
696 struct hci_dev
*hdev
= data
->hdev
;
698 BT_DBG("intf %p", intf
);
703 usb_set_intfdata(intf
, NULL
);
707 hci_unregister_dev(hdev
);
711 static struct usb_driver bfusb_driver
= {
713 .probe
= bfusb_probe
,
714 .disconnect
= bfusb_disconnect
,
715 .id_table
= bfusb_table
,
716 .disable_hub_initiated_lpm
= 1,
719 module_usb_driver(bfusb_driver
);
721 MODULE_AUTHOR("Marcel Holtmann <marcel@holtmann.org>");
722 MODULE_DESCRIPTION("BlueFRITZ! USB driver ver " VERSION
);
723 MODULE_VERSION(VERSION
);
724 MODULE_LICENSE("GPL");
725 MODULE_FIRMWARE("bfubase.frm");