Avoid beyond bounds copy while caching ACL
[zen-stable.git] / drivers / bluetooth / bpa10x.c
blob62831603de5e91c7f4bd44774fe37647cb808795
1 /*
3 * Digianswer Bluetooth USB driver
5 * Copyright (C) 2004-2007 Marcel Holtmann <marcel@holtmann.org>
8 * This program is free software; you can redistribute it and/or modify
9 * it under the terms of the GNU General Public License as published by
10 * the Free Software Foundation; either version 2 of the License, or
11 * (at your option) any later version.
13 * This program is distributed in the hope that it will be useful,
14 * but WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 * GNU General Public License for more details.
18 * You should have received a copy of the GNU General Public License
19 * along with this program; if not, write to the Free Software
20 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
24 #include <linux/kernel.h>
25 #include <linux/module.h>
26 #include <linux/init.h>
27 #include <linux/slab.h>
28 #include <linux/types.h>
29 #include <linux/sched.h>
30 #include <linux/errno.h>
31 #include <linux/skbuff.h>
33 #include <linux/usb.h>
35 #include <net/bluetooth/bluetooth.h>
36 #include <net/bluetooth/hci_core.h>
38 #define VERSION "0.10"
40 static struct usb_device_id bpa10x_table[] = {
41 /* Tektronix BPA 100/105 (Digianswer) */
42 { USB_DEVICE(0x08fd, 0x0002) },
44 { } /* Terminating entry */
47 MODULE_DEVICE_TABLE(usb, bpa10x_table);
49 struct bpa10x_data {
50 struct hci_dev *hdev;
51 struct usb_device *udev;
53 struct usb_anchor tx_anchor;
54 struct usb_anchor rx_anchor;
56 struct sk_buff *rx_skb[2];
59 #define HCI_VENDOR_HDR_SIZE 5
61 struct hci_vendor_hdr {
62 __u8 type;
63 __le16 snum;
64 __le16 dlen;
65 } __packed;
67 static int bpa10x_recv(struct hci_dev *hdev, int queue, void *buf, int count)
69 struct bpa10x_data *data = hdev->driver_data;
71 BT_DBG("%s queue %d buffer %p count %d", hdev->name,
72 queue, buf, count);
74 if (queue < 0 || queue > 1)
75 return -EILSEQ;
77 hdev->stat.byte_rx += count;
79 while (count) {
80 struct sk_buff *skb = data->rx_skb[queue];
81 struct { __u8 type; int expect; } *scb;
82 int type, len = 0;
84 if (!skb) {
85 /* Start of the frame */
87 type = *((__u8 *) buf);
88 count--; buf++;
90 switch (type) {
91 case HCI_EVENT_PKT:
92 if (count >= HCI_EVENT_HDR_SIZE) {
93 struct hci_event_hdr *h = buf;
94 len = HCI_EVENT_HDR_SIZE + h->plen;
95 } else
96 return -EILSEQ;
97 break;
99 case HCI_ACLDATA_PKT:
100 if (count >= HCI_ACL_HDR_SIZE) {
101 struct hci_acl_hdr *h = buf;
102 len = HCI_ACL_HDR_SIZE +
103 __le16_to_cpu(h->dlen);
104 } else
105 return -EILSEQ;
106 break;
108 case HCI_SCODATA_PKT:
109 if (count >= HCI_SCO_HDR_SIZE) {
110 struct hci_sco_hdr *h = buf;
111 len = HCI_SCO_HDR_SIZE + h->dlen;
112 } else
113 return -EILSEQ;
114 break;
116 case HCI_VENDOR_PKT:
117 if (count >= HCI_VENDOR_HDR_SIZE) {
118 struct hci_vendor_hdr *h = buf;
119 len = HCI_VENDOR_HDR_SIZE +
120 __le16_to_cpu(h->dlen);
121 } else
122 return -EILSEQ;
123 break;
126 skb = bt_skb_alloc(len, GFP_ATOMIC);
127 if (!skb) {
128 BT_ERR("%s no memory for packet", hdev->name);
129 return -ENOMEM;
132 skb->dev = (void *) hdev;
134 data->rx_skb[queue] = skb;
136 scb = (void *) skb->cb;
137 scb->type = type;
138 scb->expect = len;
139 } else {
140 /* Continuation */
142 scb = (void *) skb->cb;
143 len = scb->expect;
146 len = min(len, count);
148 memcpy(skb_put(skb, len), buf, len);
150 scb->expect -= len;
152 if (scb->expect == 0) {
153 /* Complete frame */
155 data->rx_skb[queue] = NULL;
157 bt_cb(skb)->pkt_type = scb->type;
158 hci_recv_frame(skb);
161 count -= len; buf += len;
164 return 0;
167 static void bpa10x_tx_complete(struct urb *urb)
169 struct sk_buff *skb = urb->context;
170 struct hci_dev *hdev = (struct hci_dev *) skb->dev;
172 BT_DBG("%s urb %p status %d count %d", hdev->name,
173 urb, urb->status, urb->actual_length);
175 if (!test_bit(HCI_RUNNING, &hdev->flags))
176 goto done;
178 if (!urb->status)
179 hdev->stat.byte_tx += urb->transfer_buffer_length;
180 else
181 hdev->stat.err_tx++;
183 done:
184 kfree(urb->setup_packet);
186 kfree_skb(skb);
189 static void bpa10x_rx_complete(struct urb *urb)
191 struct hci_dev *hdev = urb->context;
192 struct bpa10x_data *data = hdev->driver_data;
193 int err;
195 BT_DBG("%s urb %p status %d count %d", hdev->name,
196 urb, urb->status, urb->actual_length);
198 if (!test_bit(HCI_RUNNING, &hdev->flags))
199 return;
201 if (urb->status == 0) {
202 if (bpa10x_recv(hdev, usb_pipebulk(urb->pipe),
203 urb->transfer_buffer,
204 urb->actual_length) < 0) {
205 BT_ERR("%s corrupted event packet", hdev->name);
206 hdev->stat.err_rx++;
210 usb_anchor_urb(urb, &data->rx_anchor);
212 err = usb_submit_urb(urb, GFP_ATOMIC);
213 if (err < 0) {
214 BT_ERR("%s urb %p failed to resubmit (%d)",
215 hdev->name, urb, -err);
216 usb_unanchor_urb(urb);
220 static inline int bpa10x_submit_intr_urb(struct hci_dev *hdev)
222 struct bpa10x_data *data = hdev->driver_data;
223 struct urb *urb;
224 unsigned char *buf;
225 unsigned int pipe;
226 int err, size = 16;
228 BT_DBG("%s", hdev->name);
230 urb = usb_alloc_urb(0, GFP_KERNEL);
231 if (!urb)
232 return -ENOMEM;
234 buf = kmalloc(size, GFP_KERNEL);
235 if (!buf) {
236 usb_free_urb(urb);
237 return -ENOMEM;
240 pipe = usb_rcvintpipe(data->udev, 0x81);
242 usb_fill_int_urb(urb, data->udev, pipe, buf, size,
243 bpa10x_rx_complete, hdev, 1);
245 urb->transfer_flags |= URB_FREE_BUFFER;
247 usb_anchor_urb(urb, &data->rx_anchor);
249 err = usb_submit_urb(urb, GFP_KERNEL);
250 if (err < 0) {
251 BT_ERR("%s urb %p submission failed (%d)",
252 hdev->name, urb, -err);
253 usb_unanchor_urb(urb);
256 usb_free_urb(urb);
258 return err;
261 static inline int bpa10x_submit_bulk_urb(struct hci_dev *hdev)
263 struct bpa10x_data *data = hdev->driver_data;
264 struct urb *urb;
265 unsigned char *buf;
266 unsigned int pipe;
267 int err, size = 64;
269 BT_DBG("%s", hdev->name);
271 urb = usb_alloc_urb(0, GFP_KERNEL);
272 if (!urb)
273 return -ENOMEM;
275 buf = kmalloc(size, GFP_KERNEL);
276 if (!buf) {
277 usb_free_urb(urb);
278 return -ENOMEM;
281 pipe = usb_rcvbulkpipe(data->udev, 0x82);
283 usb_fill_bulk_urb(urb, data->udev, pipe,
284 buf, size, bpa10x_rx_complete, hdev);
286 urb->transfer_flags |= URB_FREE_BUFFER;
288 usb_anchor_urb(urb, &data->rx_anchor);
290 err = usb_submit_urb(urb, GFP_KERNEL);
291 if (err < 0) {
292 BT_ERR("%s urb %p submission failed (%d)",
293 hdev->name, urb, -err);
294 usb_unanchor_urb(urb);
297 usb_free_urb(urb);
299 return err;
302 static int bpa10x_open(struct hci_dev *hdev)
304 struct bpa10x_data *data = hdev->driver_data;
305 int err;
307 BT_DBG("%s", hdev->name);
309 if (test_and_set_bit(HCI_RUNNING, &hdev->flags))
310 return 0;
312 err = bpa10x_submit_intr_urb(hdev);
313 if (err < 0)
314 goto error;
316 err = bpa10x_submit_bulk_urb(hdev);
317 if (err < 0)
318 goto error;
320 return 0;
322 error:
323 usb_kill_anchored_urbs(&data->rx_anchor);
325 clear_bit(HCI_RUNNING, &hdev->flags);
327 return err;
330 static int bpa10x_close(struct hci_dev *hdev)
332 struct bpa10x_data *data = hdev->driver_data;
334 BT_DBG("%s", hdev->name);
336 if (!test_and_clear_bit(HCI_RUNNING, &hdev->flags))
337 return 0;
339 usb_kill_anchored_urbs(&data->rx_anchor);
341 return 0;
344 static int bpa10x_flush(struct hci_dev *hdev)
346 struct bpa10x_data *data = hdev->driver_data;
348 BT_DBG("%s", hdev->name);
350 usb_kill_anchored_urbs(&data->tx_anchor);
352 return 0;
355 static int bpa10x_send_frame(struct sk_buff *skb)
357 struct hci_dev *hdev = (struct hci_dev *) skb->dev;
358 struct bpa10x_data *data = hdev->driver_data;
359 struct usb_ctrlrequest *dr;
360 struct urb *urb;
361 unsigned int pipe;
362 int err;
364 BT_DBG("%s", hdev->name);
366 if (!test_bit(HCI_RUNNING, &hdev->flags))
367 return -EBUSY;
369 urb = usb_alloc_urb(0, GFP_ATOMIC);
370 if (!urb)
371 return -ENOMEM;
373 /* Prepend skb with frame type */
374 *skb_push(skb, 1) = bt_cb(skb)->pkt_type;
376 switch (bt_cb(skb)->pkt_type) {
377 case HCI_COMMAND_PKT:
378 dr = kmalloc(sizeof(*dr), GFP_ATOMIC);
379 if (!dr) {
380 usb_free_urb(urb);
381 return -ENOMEM;
384 dr->bRequestType = USB_TYPE_VENDOR;
385 dr->bRequest = 0;
386 dr->wIndex = 0;
387 dr->wValue = 0;
388 dr->wLength = __cpu_to_le16(skb->len);
390 pipe = usb_sndctrlpipe(data->udev, 0x00);
392 usb_fill_control_urb(urb, data->udev, pipe, (void *) dr,
393 skb->data, skb->len, bpa10x_tx_complete, skb);
395 hdev->stat.cmd_tx++;
396 break;
398 case HCI_ACLDATA_PKT:
399 pipe = usb_sndbulkpipe(data->udev, 0x02);
401 usb_fill_bulk_urb(urb, data->udev, pipe,
402 skb->data, skb->len, bpa10x_tx_complete, skb);
404 hdev->stat.acl_tx++;
405 break;
407 case HCI_SCODATA_PKT:
408 pipe = usb_sndbulkpipe(data->udev, 0x02);
410 usb_fill_bulk_urb(urb, data->udev, pipe,
411 skb->data, skb->len, bpa10x_tx_complete, skb);
413 hdev->stat.sco_tx++;
414 break;
416 default:
417 usb_free_urb(urb);
418 return -EILSEQ;
421 usb_anchor_urb(urb, &data->tx_anchor);
423 err = usb_submit_urb(urb, GFP_ATOMIC);
424 if (err < 0) {
425 BT_ERR("%s urb %p submission failed", hdev->name, urb);
426 kfree(urb->setup_packet);
427 usb_unanchor_urb(urb);
430 usb_free_urb(urb);
432 return 0;
435 static void bpa10x_destruct(struct hci_dev *hdev)
437 struct bpa10x_data *data = hdev->driver_data;
439 BT_DBG("%s", hdev->name);
441 kfree_skb(data->rx_skb[0]);
442 kfree_skb(data->rx_skb[1]);
443 kfree(data);
446 static int bpa10x_probe(struct usb_interface *intf, const struct usb_device_id *id)
448 struct bpa10x_data *data;
449 struct hci_dev *hdev;
450 int err;
452 BT_DBG("intf %p id %p", intf, id);
454 if (intf->cur_altsetting->desc.bInterfaceNumber != 0)
455 return -ENODEV;
457 data = kzalloc(sizeof(*data), GFP_KERNEL);
458 if (!data)
459 return -ENOMEM;
461 data->udev = interface_to_usbdev(intf);
463 init_usb_anchor(&data->tx_anchor);
464 init_usb_anchor(&data->rx_anchor);
466 hdev = hci_alloc_dev();
467 if (!hdev) {
468 kfree(data);
469 return -ENOMEM;
472 hdev->bus = HCI_USB;
473 hdev->driver_data = data;
475 data->hdev = hdev;
477 SET_HCIDEV_DEV(hdev, &intf->dev);
479 hdev->open = bpa10x_open;
480 hdev->close = bpa10x_close;
481 hdev->flush = bpa10x_flush;
482 hdev->send = bpa10x_send_frame;
483 hdev->destruct = bpa10x_destruct;
485 hdev->owner = THIS_MODULE;
487 set_bit(HCI_QUIRK_NO_RESET, &hdev->quirks);
489 err = hci_register_dev(hdev);
490 if (err < 0) {
491 hci_free_dev(hdev);
492 kfree(data);
493 return err;
496 usb_set_intfdata(intf, data);
498 return 0;
501 static void bpa10x_disconnect(struct usb_interface *intf)
503 struct bpa10x_data *data = usb_get_intfdata(intf);
505 BT_DBG("intf %p", intf);
507 if (!data)
508 return;
510 usb_set_intfdata(intf, NULL);
512 hci_unregister_dev(data->hdev);
514 hci_free_dev(data->hdev);
517 static struct usb_driver bpa10x_driver = {
518 .name = "bpa10x",
519 .probe = bpa10x_probe,
520 .disconnect = bpa10x_disconnect,
521 .id_table = bpa10x_table,
524 module_usb_driver(bpa10x_driver);
526 MODULE_AUTHOR("Marcel Holtmann <marcel@holtmann.org>");
527 MODULE_DESCRIPTION("Digianswer Bluetooth USB driver ver " VERSION);
528 MODULE_VERSION(VERSION);
529 MODULE_LICENSE("GPL");