search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Fix 32-bit overflow in parallels image support
[qemu-kvm/fedora.git] / hw / bt-hid.c
blobe495dbf3f7dded901cb80a5eea0a3ff4be9bbc48
1 /*
2 * QEMU Bluetooth HID Profile wrapper for USB HID.
3 *
4 * Copyright (C) 2007-2008 OpenMoko, Inc.
5 * Written by Andrzej Zaborowski <andrew@openedhand.com>
6 *
7 * This program is free software; you can redistribute it and/or
8 * modify it under the terms of the GNU General Public License as
9 * published by the Free Software Foundation; either version 2 or
10 * (at your option) version 3 of the License.
11 *
12 * This program is distributed in the hope that it will be useful,
13 * but WITHOUT ANY WARRANTY; without even the implied warranty of
14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 * GNU General Public License for more details.
16 *
17 * You should have received a copy of the GNU General Public License along
18 * with this program; if not, if not, see <http://www.gnu.org/licenses/>.
19 */
20
21 #include "qemu-common.h"
22 #include "usb.h"
23 #include "bt.h"
24
25 enum hid_transaction_req {
26 BT_HANDSHAKE = 0x0,
27 BT_HID_CONTROL = 0x1,
28 BT_GET_REPORT = 0x4,
29 BT_SET_REPORT = 0x5,
30 BT_GET_PROTOCOL = 0x6,
31 BT_SET_PROTOCOL = 0x7,
32 BT_GET_IDLE = 0x8,
33 BT_SET_IDLE = 0x9,
34 BT_DATA = 0xa,
35 BT_DATC = 0xb,
36 };
37
38 enum hid_transaction_handshake {
39 BT_HS_SUCCESSFUL = 0x0,
40 BT_HS_NOT_READY = 0x1,
41 BT_HS_ERR_INVALID_REPORT_ID = 0x2,
42 BT_HS_ERR_UNSUPPORTED_REQUEST = 0x3,
43 BT_HS_ERR_INVALID_PARAMETER = 0x4,
44 BT_HS_ERR_UNKNOWN = 0xe,
45 BT_HS_ERR_FATAL = 0xf,
46 };
47
48 enum hid_transaction_control {
49 BT_HC_NOP = 0x0,
50 BT_HC_HARD_RESET = 0x1,
51 BT_HC_SOFT_RESET = 0x2,
52 BT_HC_SUSPEND = 0x3,
53 BT_HC_EXIT_SUSPEND = 0x4,
54 BT_HC_VIRTUAL_CABLE_UNPLUG = 0x5,
55 };
56
57 enum hid_protocol {
58 BT_HID_PROTO_BOOT = 0,
59 BT_HID_PROTO_REPORT = 1,
60 };
61
62 enum hid_boot_reportid {
63 BT_HID_BOOT_INVALID = 0,
64 BT_HID_BOOT_KEYBOARD,
65 BT_HID_BOOT_MOUSE,
66 };
67
68 enum hid_data_pkt {
69 BT_DATA_OTHER = 0,
70 BT_DATA_INPUT,
71 BT_DATA_OUTPUT,
72 BT_DATA_FEATURE,
73 };
74
75 #define BT_HID_MTU 48
76
77 /* HID interface requests */
78 #define GET_REPORT 0xa101
79 #define GET_IDLE 0xa102
80 #define GET_PROTOCOL 0xa103
81 #define SET_REPORT 0x2109
82 #define SET_IDLE 0x210a
83 #define SET_PROTOCOL 0x210b
84
85 struct bt_hid_device_s {
86 struct bt_l2cap_device_s btdev;
87 struct bt_l2cap_conn_params_s *control;
88 struct bt_l2cap_conn_params_s *interrupt;
89 USBDevice *usbdev;
90
91 int proto;
92 int connected;
93 int data_type;
94 int intr_state;
95 struct {
96 int len;
97 uint8_t buffer[1024];
98 } dataother, datain, dataout, feature, intrdataout;
99 enum {
100 bt_state_ready,
101 bt_state_transaction,
102 bt_state_suspend,
103 } state;
104 };
105
106 static void bt_hid_reset(struct bt_hid_device_s *s)
107 {
108 struct bt_scatternet_s *net = s->btdev.device.net;
109
110 /* Go as far as... */
111 bt_l2cap_device_done(&s->btdev);
112 bt_l2cap_device_init(&s->btdev, net);
113
114 s->usbdev->handle_reset(s->usbdev);
115 s->proto = BT_HID_PROTO_REPORT;
116 s->state = bt_state_ready;
117 s->dataother.len = 0;
118 s->datain.len = 0;
119 s->dataout.len = 0;
120 s->feature.len = 0;
121 s->intrdataout.len = 0;
122 s->intr_state = 0;
123 }
124
125 static int bt_hid_out(struct bt_hid_device_s *s)
126 {
127 USBPacket p;
128
129 if (s->data_type == BT_DATA_OUTPUT) {
130 p.pid = USB_TOKEN_OUT;
131 p.devep = 1;
132 p.data = s->dataout.buffer;
133 p.len = s->dataout.len;
134 s->dataout.len = s->usbdev->handle_data(s->usbdev, &p);
135
136 return s->dataout.len;
137 }
138
139 if (s->data_type == BT_DATA_FEATURE) {
140 /* XXX:
141 * does this send a USB_REQ_CLEAR_FEATURE/USB_REQ_SET_FEATURE
142 * or a SET_REPORT? */
143 p.devep = 0;
144 }
145
146 return -1;
147 }
148
149 static int bt_hid_in(struct bt_hid_device_s *s)
150 {
151 USBPacket p;
152
153 p.pid = USB_TOKEN_IN;
154 p.devep = 1;
155 p.data = s->datain.buffer;
156 p.len = sizeof(s->datain.buffer);
157 s->datain.len = s->usbdev->handle_data(s->usbdev, &p);
158
159 return s->datain.len;
160 }
161
162 static void bt_hid_send_handshake(struct bt_hid_device_s *s, int result)
163 {
164 *s->control->sdu_out(s->control, 1) =
165 (BT_HANDSHAKE << 4) | result;
166 s->control->sdu_submit(s->control);
167 }
168
169 static void bt_hid_send_control(struct bt_hid_device_s *s, int operation)
170 {
171 *s->control->sdu_out(s->control, 1) =
172 (BT_HID_CONTROL << 4) | operation;
173 s->control->sdu_submit(s->control);
174 }
175
176 static void bt_hid_disconnect(struct bt_hid_device_s *s)
177 {
178 /* Disconnect s->control and s->interrupt */
179 }
180
181 static void bt_hid_send_data(struct bt_l2cap_conn_params_s *ch, int type,
182 const uint8_t *data, int len)
183 {
184 uint8_t *pkt, hdr = (BT_DATA << 4) | type;
185 int plen;
186
187 do {
188 plen = MIN(len, ch->remote_mtu - 1);
189 pkt = ch->sdu_out(ch, plen + 1);
190
191 pkt[0] = hdr;
192 if (plen)
193 memcpy(pkt + 1, data, plen);
194 ch->sdu_submit(ch);
195
196 len -= plen;
197 data += plen;
198 hdr = (BT_DATC << 4) | type;
199 } while (plen == ch->remote_mtu - 1);
200 }
201
202 static void bt_hid_control_transaction(struct bt_hid_device_s *s,
203 const uint8_t *data, int len)
204 {
205 uint8_t type, parameter;
206 int rlen, ret = -1;
207 if (len < 1)
208 return;
209
210 type = data[0] >> 4;
211 parameter = data[0] & 0xf;
212
213 switch (type) {
214 case BT_HANDSHAKE:
215 case BT_DATA:
216 switch (parameter) {
217 default:
218 /* These are not expected to be sent this direction. */
219 ret = BT_HS_ERR_INVALID_PARAMETER;
220 }
221 break;
222
223 case BT_HID_CONTROL:
224 if (len != 1 || (parameter != BT_HC_VIRTUAL_CABLE_UNPLUG &&
225 s->state == bt_state_transaction)) {
226 ret = BT_HS_ERR_INVALID_PARAMETER;
227 break;
228 }
229 switch (parameter) {
230 case BT_HC_NOP:
231 break;
232 case BT_HC_HARD_RESET:
233 case BT_HC_SOFT_RESET:
234 bt_hid_reset(s);
235 break;
236 case BT_HC_SUSPEND:
237 if (s->state == bt_state_ready)
238 s->state = bt_state_suspend;
239 else
240 ret = BT_HS_ERR_INVALID_PARAMETER;
241 break;
242 case BT_HC_EXIT_SUSPEND:
243 if (s->state == bt_state_suspend)
244 s->state = bt_state_ready;
245 else
246 ret = BT_HS_ERR_INVALID_PARAMETER;
247 break;
248 case BT_HC_VIRTUAL_CABLE_UNPLUG:
249 bt_hid_disconnect(s);
250 break;
251 default:
252 ret = BT_HS_ERR_INVALID_PARAMETER;
253 }
254 break;
255
256 case BT_GET_REPORT:
257 /* No ReportIDs declared. */
258 if (((parameter & 8) && len != 3) ||
259 (!(parameter & 8) && len != 1) ||
260 s->state != bt_state_ready) {
261 ret = BT_HS_ERR_INVALID_PARAMETER;
262 break;
263 }
264 if (parameter & 8)
265 rlen = data[2] | (data[3] << 8);
266 else
267 rlen = INT_MAX;
268 switch (parameter & 3) {
269 case BT_DATA_OTHER:
270 ret = BT_HS_ERR_INVALID_PARAMETER;
271 break;
272 case BT_DATA_INPUT:
273 /* Here we can as well poll s->usbdev */
274 bt_hid_send_data(s->control, BT_DATA_INPUT,
275 s->datain.buffer, MIN(rlen, s->datain.len));
276 break;
277 case BT_DATA_OUTPUT:
278 bt_hid_send_data(s->control, BT_DATA_OUTPUT,
279 s->dataout.buffer, MIN(rlen, s->dataout.len));
280 break;
281 case BT_DATA_FEATURE:
282 bt_hid_send_data(s->control, BT_DATA_FEATURE,
283 s->feature.buffer, MIN(rlen, s->feature.len));
284 break;
285 }
286 break;
287
288 case BT_SET_REPORT:
289 if (len < 2 || len > BT_HID_MTU || s->state != bt_state_ready ||
290 (parameter & 3) == BT_DATA_OTHER ||
291 (parameter & 3) == BT_DATA_INPUT) {
292 ret = BT_HS_ERR_INVALID_PARAMETER;
293 break;
294 }
295 s->data_type = parameter & 3;
296 if (s->data_type == BT_DATA_OUTPUT) {
297 s->dataout.len = len - 1;
298 memcpy(s->dataout.buffer, data + 1, s->dataout.len);
299 } else {
300 s->feature.len = len - 1;
301 memcpy(s->feature.buffer, data + 1, s->feature.len);
302 }
303 if (len == BT_HID_MTU)
304 s->state = bt_state_transaction;
305 else
306 bt_hid_out(s);
307 break;
308
309 case BT_GET_PROTOCOL:
310 if (len != 1 || s->state == bt_state_transaction) {
311 ret = BT_HS_ERR_INVALID_PARAMETER;
312 break;
313 }
314 *s->control->sdu_out(s->control, 1) = s->proto;
315 s->control->sdu_submit(s->control);
316 break;
317
318 case BT_SET_PROTOCOL:
319 if (len != 1 || s->state == bt_state_transaction ||
320 (parameter != BT_HID_PROTO_BOOT &&
321 parameter != BT_HID_PROTO_REPORT)) {
322 ret = BT_HS_ERR_INVALID_PARAMETER;
323 break;
324 }
325 s->proto = parameter;
326 s->usbdev->handle_control(s->usbdev, SET_PROTOCOL, s->proto, 0, 0,
327 NULL);
328 ret = BT_HS_SUCCESSFUL;
329 break;
330
331 case BT_GET_IDLE:
332 if (len != 1 || s->state == bt_state_transaction) {
333 ret = BT_HS_ERR_INVALID_PARAMETER;
334 break;
335 }
336 s->usbdev->handle_control(s->usbdev, GET_IDLE, 0, 0, 1,
337 s->control->sdu_out(s->control, 1));
338 s->control->sdu_submit(s->control);
339 break;
340
341 case BT_SET_IDLE:
342 if (len != 2 || s->state == bt_state_transaction) {
343 ret = BT_HS_ERR_INVALID_PARAMETER;
344 break;
345 }
346
347 /* We don't need to know about the Idle Rate here really,
348 * so just pass it on to the device. */
349 ret = s->usbdev->handle_control(s->usbdev,
350 SET_IDLE, data[1], 0, 0, NULL) ?
351 BT_HS_SUCCESSFUL : BT_HS_ERR_INVALID_PARAMETER;
352 /* XXX: Does this generate a handshake? */
353 break;
354
355 case BT_DATC:
356 if (len > BT_HID_MTU || s->state != bt_state_transaction) {
357 ret = BT_HS_ERR_INVALID_PARAMETER;
358 break;
359 }
360 if (s->data_type == BT_DATA_OUTPUT) {
361 memcpy(s->dataout.buffer + s->dataout.len, data + 1, len - 1);
362 s->dataout.len += len - 1;
363 } else {
364 memcpy(s->feature.buffer + s->feature.len, data + 1, len - 1);
365 s->feature.len += len - 1;
366 }
367 if (len < BT_HID_MTU) {
368 bt_hid_out(s);
369 s->state = bt_state_ready;
370 }
371 break;
372
373 default:
374 ret = BT_HS_ERR_UNSUPPORTED_REQUEST;
375 }
376
377 if (ret != -1)
378 bt_hid_send_handshake(s, ret);
379 }
380
381 static void bt_hid_control_sdu(void *opaque, const uint8_t *data, int len)
382 {
383 struct bt_hid_device_s *hid = opaque;
384
385 bt_hid_control_transaction(hid, data, len);
386 }
387
388 static void bt_hid_datain(void *opaque)
389 {
390 struct bt_hid_device_s *hid = opaque;
391
392 /* If suspended, wake-up and send a wake-up event first. We might
393 * want to also inspect the input report and ignore event like
394 * mouse movements until a button event occurs. */
395 if (hid->state == bt_state_suspend) {
396 hid->state = bt_state_ready;
397 }
398
399 if (bt_hid_in(hid) > 0)
400 /* TODO: when in boot-mode precede any Input reports with the ReportID
401 * byte, here and in GetReport/SetReport on the Control channel. */
402 bt_hid_send_data(hid->interrupt, BT_DATA_INPUT,
403 hid->datain.buffer, hid->datain.len);
404 }
405
406 static void bt_hid_interrupt_sdu(void *opaque, const uint8_t *data, int len)
407 {
408 struct bt_hid_device_s *hid = opaque;
409
410 if (len > BT_HID_MTU || len < 1)
411 goto bad;
412 if ((data[0] & 3) != BT_DATA_OUTPUT)
413 goto bad;
414 if ((data[0] >> 4) == BT_DATA) {
415 if (hid->intr_state)
416 goto bad;
417
418 hid->data_type = BT_DATA_OUTPUT;
419 hid->intrdataout.len = 0;
420 } else if ((data[0] >> 4) == BT_DATC) {
421 if (!hid->intr_state)
422 goto bad;
423 } else
424 goto bad;
425
426 memcpy(hid->intrdataout.buffer + hid->intrdataout.len, data + 1, len - 1);
427 hid->intrdataout.len += len - 1;
428 hid->intr_state = (len == BT_HID_MTU);
429 if (!hid->intr_state) {
430 memcpy(hid->dataout.buffer, hid->intrdataout.buffer,
431 hid->dataout.len = hid->intrdataout.len);
432 bt_hid_out(hid);
433 }
434
435 return;
436 bad:
437 fprintf(stderr, "%s: bad transaction on Interrupt channel.\n",
438 __FUNCTION__);
439 }
440
441 /* "Virtual cable" plug/unplug event. */
442 static void bt_hid_connected_update(struct bt_hid_device_s *hid)
443 {
444 int prev = hid->connected;
445
446 hid->connected = hid->control && hid->interrupt;
447
448 /* Stop page-/inquiry-scanning when a host is connected. */
449 hid->btdev.device.page_scan = !hid->connected;
450 hid->btdev.device.inquiry_scan = !hid->connected;
451
452 if (hid->connected && !prev) {
453 hid->usbdev->handle_reset(hid->usbdev);
454 hid->proto = BT_HID_PROTO_REPORT;
455 }
456
457 /* Should set HIDVirtualCable in SDP (possibly need to check that SDP
458 * isn't destroyed yet, in case we're being called from handle_destroy) */
459 }
460
461 static void bt_hid_close_control(void *opaque)
462 {
463 struct bt_hid_device_s *hid = opaque;
464
465 hid->control = NULL;
466 bt_hid_connected_update(hid);
467 }
468
469 static void bt_hid_close_interrupt(void *opaque)
470 {
471 struct bt_hid_device_s *hid = opaque;
472
473 hid->interrupt = NULL;
474 bt_hid_connected_update(hid);
475 }
476
477 static int bt_hid_new_control_ch(struct bt_l2cap_device_s *dev,
478 struct bt_l2cap_conn_params_s *params)
479 {
480 struct bt_hid_device_s *hid = (struct bt_hid_device_s *) dev;
481
482 if (hid->control)
483 return 1;
484
485 hid->control = params;
486 hid->control->opaque = hid;
487 hid->control->close = bt_hid_close_control;
488 hid->control->sdu_in = bt_hid_control_sdu;
489
490 bt_hid_connected_update(hid);
491
492 return 0;
493 }
494
495 static int bt_hid_new_interrupt_ch(struct bt_l2cap_device_s *dev,
496 struct bt_l2cap_conn_params_s *params)
497 {
498 struct bt_hid_device_s *hid = (struct bt_hid_device_s *) dev;
499
500 if (hid->interrupt)
501 return 1;
502
503 hid->interrupt = params;
504 hid->interrupt->opaque = hid;
505 hid->interrupt->close = bt_hid_close_interrupt;
506 hid->interrupt->sdu_in = bt_hid_interrupt_sdu;
507
508 bt_hid_connected_update(hid);
509
510 return 0;
511 }
512
513 static void bt_hid_destroy(struct bt_device_s *dev)
514 {
515 struct bt_hid_device_s *hid = (struct bt_hid_device_s *) dev;
516
517 if (hid->connected)
518 bt_hid_send_control(hid, BT_HC_VIRTUAL_CABLE_UNPLUG);
519 bt_l2cap_device_done(&hid->btdev);
520
521 hid->usbdev->handle_destroy(hid->usbdev);
522
523 qemu_free(hid);
524 }
525
526 enum peripheral_minor_class {
527 class_other = 0 << 4,
528 class_keyboard = 1 << 4,
529 class_pointing = 2 << 4,
530 class_combo = 3 << 4,
531 };
532
533 static struct bt_device_s *bt_hid_init(struct bt_scatternet_s *net,
534 USBDevice *dev, enum peripheral_minor_class minor)
535 {
536 struct bt_hid_device_s *s = qemu_mallocz(sizeof(*s));
537 uint32_t class =
538 /* Format type */
539 (0 << 0) |
540 /* Device class */
541 (minor << 2) |
542 (5 << 8) | /* "Peripheral" */
543 /* Service classes */
544 (1 << 13) | /* Limited discoverable mode */
545 (1 << 19); /* Capturing device (?) */
546
547 bt_l2cap_device_init(&s->btdev, net);
548 bt_l2cap_sdp_init(&s->btdev);
549 bt_l2cap_psm_register(&s->btdev, BT_PSM_HID_CTRL,
550 BT_HID_MTU, bt_hid_new_control_ch);
551 bt_l2cap_psm_register(&s->btdev, BT_PSM_HID_INTR,
552 BT_HID_MTU, bt_hid_new_interrupt_ch);
553
554 s->usbdev = dev;
555 s->btdev.device.lmp_name = s->usbdev->devname;
556 usb_hid_datain_cb(s->usbdev, s, bt_hid_datain);
557
558 s->btdev.device.handle_destroy = bt_hid_destroy;
559
560 s->btdev.device.class[0] = (class >> 0) & 0xff;
561 s->btdev.device.class[1] = (class >> 8) & 0xff;
562 s->btdev.device.class[2] = (class >> 16) & 0xff;
563
564 return &s->btdev.device;
565 }
566
567 struct bt_device_s *bt_keyboard_init(struct bt_scatternet_s *net)
568 {
569 return bt_hid_init(net, usb_keyboard_init(), class_keyboard);
570 }
Patches shipped by Fedora