1// Copyright 2018 The Fuchsia Authors. All rights reserved. 2// Use of this source code is governed by a BSD-style license that can be 3// found in the LICENSE file. 4 5#include <ddk/binding.h> 6#include <ddk/debug.h> 7#include <ddk/device.h> 8#include <ddk/driver.h> 9#include <ddk/protocol/bt-hci.h> 10#include <ddk/protocol/platform-defs.h> 11#include <ddk/protocol/serial.h> 12#include <zircon/device/bt-hci.h> 13#include <zircon/status.h> 14 15#include <assert.h> 16#include <stdio.h> 17#include <stdlib.h> 18#include <string.h> 19#include <threads.h> 20#include <unistd.h> 21 22// The maximum HCI ACL frame size used for data transactions 23#define ACL_MAX_FRAME_SIZE 1029 // (1024 + 4 bytes for the ACL header + 1 byte packet indicator) 24 25#define CMD_BUF_SIZE 255 + 4 // 1 byte packet indicator + 3 byte header + payload 26#define EVENT_BUF_SIZE 255 + 3 // 1 byte packet indicator + 2 byte header + payload 27 28// The number of currently supported HCI channel endpoints. We currently have 29// one channel for command/event flow and one for ACL data flow. The sniff channel is managed 30// separately. 31#define NUM_CHANNELS 2 32 33#define NUM_WAIT_ITEMS NUM_CHANNELS + 2 // add one for the changed event and one for UART socket 34 35// HCI UART packet indicators 36enum { 37 HCI_NONE = 0, 38 HCI_COMMAND = 1, 39 HCI_ACL_DATA = 2, 40 HCI_SCO = 3, 41 HCI_EVENT = 4, 42}; 43 44typedef struct { 45 zx_device_t* zxdev; 46 zx_device_t* parent; 47 zx_handle_t uart_socket; 48 zx_handle_t cmd_channel; 49 zx_handle_t acl_channel; 50 zx_handle_t snoop_channel; 51 52 // Signaled when a channel opens or closes 53 zx_handle_t channels_changed_evt; 54 55 zx_wait_item_t read_wait_items[NUM_WAIT_ITEMS]; 56 uint32_t read_wait_item_count; 57 58 bool read_thread_running; 59 60 // type of current packet being read from the UART 61 uint8_t cur_uart_packet_type; 62 63 // for accumulating HCI events 64 uint8_t event_buffer[EVENT_BUF_SIZE]; 65 size_t event_buffer_offset; 66 67 // for accumulating ACL data packets 68 uint8_t acl_buffer[EVENT_BUF_SIZE]; 69 size_t acl_buffer_offset; 70 71 mtx_t mutex; 72} hci_t; 73 74// macro for returning length of current event packet being received 75// payload length is in byte 2 of the packet 76// add 3 bytes for packet indicator, event code and length byte 77#define EVENT_PACKET_LENGTH(hci) ((hci)->event_buffer_offset > 2 ? (hci)->event_buffer[2] + 3 : 0) 78 79// macro for returning length of current ACL data packet being received 80// length is in bytes 3 and 4 of the packet 81// add 5 bytes for packet indicator, control info and length fields 82#define ACL_PACKET_LENGTH(hci) ((hci)->acl_buffer_offset > 4 ? \ 83 ((hci)->acl_buffer[3] | ((hci)->acl_buffer[4] << 8)) + 5 : 0) 84 85static void channel_cleanup_locked(hci_t* hci, zx_handle_t* channel) { 86 if (*channel == ZX_HANDLE_INVALID) 87 return; 88 89 zx_handle_close(*channel); 90 *channel = ZX_HANDLE_INVALID; 91 zx_object_signal(hci->channels_changed_evt, 0, ZX_EVENT_SIGNALED); 92} 93 94static void snoop_channel_write_locked(hci_t* hci, uint8_t flags, uint8_t* bytes, size_t length) { 95 if (hci->snoop_channel == ZX_HANDLE_INVALID) 96 return; 97 98 // We tack on a flags byte to the beginning of the payload. 99 uint8_t snoop_buffer[length + 1]; 100 snoop_buffer[0] = flags; 101 memcpy(snoop_buffer + 1, bytes, length); 102 zx_status_t status = zx_channel_write(hci->snoop_channel, 0, snoop_buffer, length + 1, NULL, 0); 103 if (status < 0) { 104 zxlogf(ERROR, "bt-transport-uart: failed to write to snoop channel: %s\n", 105 zx_status_get_string(status)); 106 channel_cleanup_locked(hci, &hci->snoop_channel); 107 } 108} 109 110static void hci_build_read_wait_items_locked(hci_t* hci) { 111 zx_wait_item_t* items = hci->read_wait_items; 112 memset(items, 0, sizeof(hci->read_wait_items)); 113 uint32_t count = 0; 114 115 if (hci->cmd_channel != ZX_HANDLE_INVALID) { 116 items[count].handle = hci->cmd_channel; 117 items[count].waitfor = ZX_CHANNEL_READABLE | ZX_CHANNEL_PEER_CLOSED; 118 count++; 119 } 120 121 if (hci->acl_channel != ZX_HANDLE_INVALID) { 122 items[count].handle = hci->acl_channel; 123 items[count].waitfor = ZX_CHANNEL_READABLE | ZX_CHANNEL_PEER_CLOSED; 124 count++; 125 } 126 127 items[count].handle = hci->uart_socket; 128 items[count].waitfor = ZX_CHANNEL_READABLE | ZX_CHANNEL_PEER_CLOSED; 129 count++; 130 131 items[count].handle = hci->channels_changed_evt; 132 items[count].waitfor = ZX_EVENT_SIGNALED; 133 count++; 134 135 hci->read_wait_item_count = count; 136 137 zx_object_signal(hci->channels_changed_evt, ZX_EVENT_SIGNALED, 0); 138} 139 140static void hci_build_read_wait_items(hci_t* hci) { 141 mtx_lock(&hci->mutex); 142 hci_build_read_wait_items_locked(hci); 143 mtx_unlock(&hci->mutex); 144} 145 146// Returns false if there's an error while sending the packet to the hardware or 147// if the channel peer closed its endpoint. 148static void hci_handle_cmd_read_events(hci_t* hci, zx_wait_item_t* item) { 149 if (item->pending & (ZX_CHANNEL_READABLE | ZX_CHANNEL_PEER_CLOSED)) { 150 uint8_t buf[CMD_BUF_SIZE]; 151 uint32_t length = sizeof(buf) - 1; 152 zx_status_t status = 153 zx_channel_read(item->handle, 0, buf + 1, NULL, length, 0, &length, NULL); 154 if (status < 0) { 155 if (status != ZX_ERR_PEER_CLOSED) { 156 zxlogf(ERROR, "hci_read_thread: failed to read from command channel %s\n", 157 zx_status_get_string(status)); 158 } 159 goto fail; 160 } 161 162 buf[0] = HCI_COMMAND; 163 length++; 164 status = zx_socket_write(hci->uart_socket, 0, buf, length, NULL); 165 if (status < 0) { 166 zxlogf(ERROR, "hci_read_thread: zx_socket_write failed: %s\n", 167 zx_status_get_string(status)); 168 goto fail; 169 } 170 171 mtx_lock(&hci->mutex); 172 snoop_channel_write_locked(hci, bt_hci_snoop_flags(BT_HCI_SNOOP_TYPE_CMD, false), buf + 1, length - 1); 173 mtx_unlock(&hci->mutex); 174 } 175 176 return; 177 178fail: 179 mtx_lock(&hci->mutex); 180 channel_cleanup_locked(hci, &hci->cmd_channel); 181 mtx_unlock(&hci->mutex); 182} 183 184static void hci_handle_acl_read_events(hci_t* hci, zx_wait_item_t* item) { 185 if (item->pending & (ZX_CHANNEL_READABLE | ZX_CHANNEL_PEER_CLOSED)) { 186 uint8_t buf[ACL_MAX_FRAME_SIZE]; 187 uint32_t length = sizeof(buf) - 1; 188 zx_status_t status = 189 zx_channel_read(item->handle, 0, buf + 1, NULL, length, 0, &length, NULL); 190 if (status < 0) { 191 zxlogf(ERROR, "hci_read_thread: failed to read from ACL channel %s\n", 192 zx_status_get_string(status)); 193 goto fail; 194 } 195 196 buf[0] = HCI_ACL_DATA; 197 length++; 198 status = zx_socket_write(hci->uart_socket, 0, buf, length, NULL); 199 if (status < 0) { 200 zxlogf(ERROR, "hci_read_thread: zx_socket_write failed: %s\n", 201 zx_status_get_string(status)); 202 goto fail; 203 } 204 snoop_channel_write_locked( 205 hci, bt_hci_snoop_flags(BT_HCI_SNOOP_TYPE_ACL, false), buf + 1, length - 1); 206 } 207 208 return; 209 210fail: 211 mtx_lock(&hci->mutex); 212 channel_cleanup_locked(hci, &hci->acl_channel); 213 mtx_unlock(&hci->mutex); 214} 215 216static void hci_handle_uart_read_events(hci_t* hci, zx_wait_item_t* item) { 217 if (item->pending & (ZX_CHANNEL_READABLE | ZX_CHANNEL_PEER_CLOSED)) { 218 uint8_t buf[ACL_MAX_FRAME_SIZE]; 219 size_t length = sizeof(buf); 220 zx_status_t status = zx_socket_read(item->handle, 0, buf, length, &length); 221 if (status < 0) { 222 zxlogf(ERROR, "hci_read_thread: failed to read from ACL channel %s\n", 223 zx_status_get_string(status)); 224 goto fail; 225 } 226 227 const uint8_t* src = buf; 228 const uint8_t* end = src + length; 229 uint8_t packet_type = hci->cur_uart_packet_type; 230 231 while (src < end) { 232 if (packet_type == HCI_NONE) { 233 // start of new packet. read packet type 234 packet_type = *src++; 235 if (packet_type != HCI_EVENT && packet_type != HCI_ACL_DATA) { 236 zxlogf(INFO, "unsupported HCI packet type %u. We may be out of sync\n", 237 packet_type); 238 return; 239 } 240 } 241 242 if (packet_type == HCI_EVENT) { 243 size_t packet_length = EVENT_PACKET_LENGTH(hci); 244 245 while (!packet_length && src < end) { 246 // read until we have enough to compute packet length 247 hci->event_buffer[hci->event_buffer_offset++] = *src++; 248 packet_length = EVENT_PACKET_LENGTH(hci); 249 } 250 if (!packet_length) { 251 break; 252 } 253 254 size_t remaining = end - src; 255 size_t copy = packet_length - hci->event_buffer_offset; 256 if (copy > remaining) copy = remaining; 257 memcpy(hci->event_buffer + hci->event_buffer_offset, src, copy); 258 src += copy; 259 hci->event_buffer_offset += copy; 260 261 if (hci->event_buffer_offset == packet_length) { 262 // send accumulated event packet, minus the packet indicator 263 zx_status_t status = zx_channel_write(hci->cmd_channel, 0, 264 &hci->event_buffer[1], 265 packet_length - 1, NULL, 0); 266 if (status < 0) { 267 zxlogf(ERROR, "bt-transport-uart: failed to write event packet: %s\n", 268 zx_status_get_string(status)); 269 } 270 snoop_channel_write_locked(hci, bt_hci_snoop_flags(BT_HCI_SNOOP_TYPE_EVT, true), 271 &hci->event_buffer[1], packet_length - 1); 272 273 // reset buffer 274 packet_type = HCI_NONE; 275 hci->event_buffer_offset = 1; 276 } 277 } else { // HCI_ACL_DATA 278 size_t packet_length = EVENT_PACKET_LENGTH(hci); 279 280 while (!packet_length && src < end) { 281 // read until we have enough to compute packet length 282 hci->acl_buffer[hci->acl_buffer_offset++] = *src++; 283 packet_length = ACL_PACKET_LENGTH(hci); 284 } 285 if (!packet_length) { 286 break; 287 } 288 289 size_t remaining = end - src; 290 size_t copy = packet_length - hci->acl_buffer_offset; 291 if (copy > remaining) copy = remaining; 292 memcpy(hci->acl_buffer + hci->acl_buffer_offset, src, copy); 293 src += copy; 294 hci->acl_buffer_offset += copy; 295 296 if (hci->acl_buffer_offset == packet_length) { 297 // send accumulated ACL data packet, minus the packet indicator 298 zx_status_t status = zx_channel_write(hci->acl_channel, 0, 299 &hci->acl_buffer[1], 300 packet_length - 1, NULL, 0); 301 if (status < 0) { 302 zxlogf(ERROR, "bt-transport-uart: failed to write ACL packet: %s\n", 303 zx_status_get_string(status)); 304 } 305 306 // If the snoop channel is open then try to write the packet 307 // even if acl_channel was closed. 308 snoop_channel_write_locked(hci, 309 bt_hci_snoop_flags(BT_HCI_SNOOP_TYPE_ACL, true), 310 &hci->acl_buffer[1], packet_length - 1); 311 312 // reset buffer 313 packet_type = HCI_NONE; 314 hci->acl_buffer_offset = 1; 315 } 316 } 317 } 318 319 hci->cur_uart_packet_type = packet_type; 320 } 321 322 return; 323 324fail: 325 mtx_lock(&hci->mutex); 326 channel_cleanup_locked(hci, &hci->acl_channel); 327 mtx_unlock(&hci->mutex); 328} 329 330static bool hci_has_read_channels_locked(hci_t* hci) { 331 // One for the signal event and one for uart socket, any additional are read channels. 332 return hci->read_wait_item_count > 2; 333} 334 335static int hci_read_thread(void* arg) { 336 hci_t* hci = (hci_t*)arg; 337 338 mtx_lock(&hci->mutex); 339 340 if (!hci_has_read_channels_locked(hci)) { 341 zxlogf(ERROR, "bt-transport-uart: no channels are open - exiting\n"); 342 hci->read_thread_running = false; 343 mtx_unlock(&hci->mutex); 344 return 0; 345 } 346 347 mtx_unlock(&hci->mutex); 348 349 while (1) { 350 zx_status_t status = zx_object_wait_many(hci->read_wait_items, hci->read_wait_item_count, 351 ZX_TIME_INFINITE); 352 if (status < 0) { 353 zxlogf(ERROR, "bt-transport-uart: zx_object_wait_many failed (%s) - exiting\n", 354 zx_status_get_string(status)); 355 mtx_lock(&hci->mutex); 356 channel_cleanup_locked(hci, &hci->cmd_channel); 357 channel_cleanup_locked(hci, &hci->acl_channel); 358 mtx_unlock(&hci->mutex); 359 break; 360 } 361 362 for (unsigned i = 0; i < hci->read_wait_item_count; ++i) { 363 mtx_lock(&hci->mutex); 364 zx_wait_item_t item = hci->read_wait_items[i]; 365 mtx_unlock(&hci->mutex); 366 367 if (item.handle == hci->cmd_channel) { 368 hci_handle_cmd_read_events(hci, &item); 369 } else if (item.handle == hci->acl_channel) { 370 hci_handle_acl_read_events(hci, &item); 371 } else if (item.handle == hci->uart_socket) { 372 hci_handle_uart_read_events(hci, &item); 373 } 374 } 375 376 // The channels might have been changed by the *_read_events, recheck the event. 377 status = zx_object_wait_one(hci->channels_changed_evt, ZX_EVENT_SIGNALED, 0u, NULL); 378 if (status == ZX_OK) { 379 hci_build_read_wait_items(hci); 380 if (!hci_has_read_channels_locked(hci)) { 381 zxlogf(TRACE, "bt-transport-uart: all channels closed - exiting\n"); 382 break; 383 } 384 } 385 } 386 387 mtx_lock(&hci->mutex); 388 hci->read_thread_running = false; 389 mtx_unlock(&hci->mutex); 390 return 0; 391} 392 393static zx_status_t hci_open_channel(hci_t* hci, zx_handle_t* in_channel, zx_handle_t* out_channel) { 394 zx_status_t result = ZX_OK; 395 mtx_lock(&hci->mutex); 396 397 if (*in_channel != ZX_HANDLE_INVALID) { 398 zxlogf(ERROR, "bt-transport-uart: already bound, failing\n"); 399 result = ZX_ERR_ALREADY_BOUND; 400 goto done; 401 } 402 403 zx_status_t status = zx_channel_create(0, in_channel, out_channel); 404 if (status < 0) { 405 zxlogf(ERROR, "bt-transport-uart: Failed to create channel: %s\n", 406 zx_status_get_string(status)); 407 result = ZX_ERR_INTERNAL; 408 goto done; 409 } 410 411 // Kick off the hci_read_thread if it's not already running. 412 if (!hci->read_thread_running) { 413 hci_build_read_wait_items_locked(hci); 414 thrd_t read_thread; 415 thrd_create_with_name(&read_thread, hci_read_thread, hci, "bt_usb_read_thread"); 416 hci->read_thread_running = true; 417 thrd_detach(read_thread); 418 } else { 419 // Poke the changed event to get the new channel. 420 zx_object_signal(hci->channels_changed_evt, 0, ZX_EVENT_SIGNALED); 421 } 422 423done: 424 mtx_unlock(&hci->mutex); 425 return result; 426} 427 428static void hci_unbind(void* ctx) { 429 hci_t* hci = ctx; 430 431 // Close the transport channels so that the host stack is notified of device removal. 432 mtx_lock(&hci->mutex); 433 434 channel_cleanup_locked(hci, &hci->cmd_channel); 435 channel_cleanup_locked(hci, &hci->acl_channel); 436 channel_cleanup_locked(hci, &hci->snoop_channel); 437 438 mtx_unlock(&hci->mutex); 439 440 device_remove(hci->zxdev); 441} 442 443static void hci_release(void* ctx) { 444 hci_t* hci = ctx; 445 zx_handle_close(hci->uart_socket); 446 free(hci); 447} 448 449static zx_status_t hci_open_command_channel(void* ctx, zx_handle_t* out_channel) { 450 hci_t* hci = ctx; 451 return hci_open_channel(hci, &hci->cmd_channel, out_channel); 452} 453 454static zx_status_t hci_open_acl_data_channel(void* ctx, zx_handle_t* out_channel) { 455 hci_t* hci = ctx; 456 return hci_open_channel(hci, &hci->acl_channel, out_channel); 457} 458 459static zx_status_t hci_open_snoop_channel(void* ctx, zx_handle_t* out_channel) { 460 hci_t* hci = ctx; 461 return hci_open_channel(hci, &hci->snoop_channel, out_channel); 462} 463 464static bt_hci_protocol_ops_t hci_protocol_ops = { 465 .open_command_channel = hci_open_command_channel, 466 .open_acl_data_channel = hci_open_acl_data_channel, 467 .open_snoop_channel = hci_open_snoop_channel, 468}; 469 470static zx_status_t hci_get_protocol(void* ctx, uint32_t proto_id, void* protocol) { 471 hci_t* hci = ctx; 472 if (proto_id != ZX_PROTOCOL_BT_HCI) { 473 // Pass this on for drivers to load firmware / initialize 474 return device_get_protocol(hci->parent, proto_id, protocol); 475 } 476 477 bt_hci_protocol_t* hci_proto = protocol; 478 479 hci_proto->ops = &hci_protocol_ops; 480 hci_proto->ctx = ctx; 481 return ZX_OK; 482}; 483 484static zx_protocol_device_t hci_device_proto = { 485 .version = DEVICE_OPS_VERSION, 486 .get_protocol = hci_get_protocol, 487 .unbind = hci_unbind, 488 .release = hci_release, 489}; 490 491static zx_status_t hci_bind(void* ctx, zx_device_t* parent) { 492 serial_protocol_t serial; 493 494 zx_status_t status = device_get_protocol(parent, ZX_PROTOCOL_SERIAL, &serial); 495 if (status != ZX_OK) { 496 zxlogf(ERROR, "bt-transport-uart: get protocol ZX_PROTOCOL_SERIAL failed\n"); 497 return status; 498 } 499 500 hci_t* hci = calloc(1, sizeof(hci_t)); 501 if (!hci) { 502 zxlogf(ERROR, "bt-transport-uart: Not enough memory for hci_t\n"); 503 return ZX_ERR_NO_MEMORY; 504 } 505 506 status = serial_open_socket(&serial, &hci->uart_socket); 507 if (status != ZX_OK) { 508 zxlogf(ERROR, "bt-transport-uart: serial_open_socket failed: %s\n", 509 zx_status_get_string(status)); 510 goto fail; 511 } 512 513 zx_event_create(0, &hci->channels_changed_evt); 514 mtx_init(&hci->mutex, mtx_plain); 515 hci->parent = parent; 516 hci->cur_uart_packet_type = HCI_NONE; 517 518 // pre-populate event packet indicators 519 hci->event_buffer[0] = HCI_EVENT; 520 hci->event_buffer_offset = 1; 521 hci->acl_buffer[0] = HCI_ACL_DATA; 522 hci->acl_buffer_offset = 1; 523 524 serial_port_info_t info; 525 status = serial_get_info(&serial, &info); 526 if (status != ZX_OK) { 527 zxlogf(ERROR, "hci_bind: serial_get_info failed\n"); 528 goto fail; 529 } 530 if (info.serial_class != SERIAL_CLASS_BLUETOOTH_HCI) { 531 zxlogf(ERROR, "hci_bind: info.device_class != SERIAL_CLASS_BLUETOOTH_HCI\n"); 532 status = ZX_ERR_INTERNAL; 533 goto fail; 534 } 535 536 // Copy the PID and VID from the platform device info so it can be filtered on 537 // for HCI drivers 538 zx_device_prop_t props[] = { 539 { BIND_PROTOCOL, 0, ZX_PROTOCOL_BT_TRANSPORT }, 540 { BIND_SERIAL_VID, 0, info.serial_vid }, 541 { BIND_SERIAL_PID, 0, info.serial_pid }, 542 }; 543 544 device_add_args_t args = { 545 .version = DEVICE_ADD_ARGS_VERSION, 546 .name = "bt-transport-uart", 547 .ctx = hci, 548 .ops = &hci_device_proto, 549 .proto_id = ZX_PROTOCOL_BT_TRANSPORT, 550 .props = props, 551 .prop_count = countof(props), 552 }; 553 554 status = device_add(parent, &args, &hci->zxdev); 555 if (status == ZX_OK) { 556 return ZX_OK; 557 } 558 559fail: 560 zxlogf(ERROR, "hci_bind: bind failed: %s\n", zx_status_get_string(status)); 561 hci_release(hci); 562 return status; 563} 564 565static zx_driver_ops_t bt_hci_driver_ops = { 566 .version = DRIVER_OPS_VERSION, 567 .bind = hci_bind, 568}; 569 570// clang-format off 571ZIRCON_DRIVER_BEGIN(bt_transport_uart, bt_hci_driver_ops, "zircon", "0.1", 2) 572 BI_ABORT_IF(NE, BIND_PROTOCOL, ZX_PROTOCOL_SERIAL), 573 BI_MATCH_IF(EQ, BIND_SERIAL_CLASS, SERIAL_CLASS_BLUETOOTH_HCI), 574ZIRCON_DRIVER_END(bt_transport_uart) 575