MIPS: Yosemite, Emma: Fix off-by-two in arcs_cmdline buffer size check
[linux-2.6/linux-mips.git] / drivers / bluetooth / bt3c_cs.c
blob4fc01949d39981a77b6e9dca90606ab94ae259b8
1 /*
3 * Driver for the 3Com Bluetooth PCMCIA card
5 * Copyright (C) 2001-2002 Marcel Holtmann <marcel@holtmann.org>
6 * Jose Orlando Pereira <jop@di.uminho.pt>
9 * This program is free software; you can redistribute it and/or modify
10 * it under the terms of the GNU General Public License version 2 as
11 * published by the Free Software Foundation;
13 * Software distributed under the License is distributed on an "AS
14 * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
15 * implied. See the License for the specific language governing
16 * rights and limitations under the License.
18 * The initial developer of the original code is David A. Hinds
19 * <dahinds@users.sourceforge.net>. Portions created by David A. Hinds
20 * are Copyright (C) 1999 David A. Hinds. All Rights Reserved.
24 #include <linux/module.h>
26 #include <linux/kernel.h>
27 #include <linux/init.h>
28 #include <linux/slab.h>
29 #include <linux/types.h>
30 #include <linux/delay.h>
31 #include <linux/errno.h>
32 #include <linux/ptrace.h>
33 #include <linux/ioport.h>
34 #include <linux/spinlock.h>
35 #include <linux/moduleparam.h>
37 #include <linux/skbuff.h>
38 #include <linux/string.h>
39 #include <linux/serial.h>
40 #include <linux/serial_reg.h>
41 #include <linux/bitops.h>
42 #include <asm/system.h>
43 #include <asm/io.h>
45 #include <linux/device.h>
46 #include <linux/firmware.h>
48 #include <pcmcia/cistpl.h>
49 #include <pcmcia/ciscode.h>
50 #include <pcmcia/ds.h>
51 #include <pcmcia/cisreg.h>
53 #include <net/bluetooth/bluetooth.h>
54 #include <net/bluetooth/hci_core.h>
58 /* ======================== Module parameters ======================== */
61 MODULE_AUTHOR("Marcel Holtmann <marcel@holtmann.org>");
62 MODULE_DESCRIPTION("Bluetooth driver for the 3Com Bluetooth PCMCIA card");
63 MODULE_LICENSE("GPL");
64 MODULE_FIRMWARE("BT3CPCC.bin");
68 /* ======================== Local structures ======================== */
71 typedef struct bt3c_info_t {
72 struct pcmcia_device *p_dev;
74 struct hci_dev *hdev;
76 spinlock_t lock; /* For serializing operations */
78 struct sk_buff_head txq;
79 unsigned long tx_state;
81 unsigned long rx_state;
82 unsigned long rx_count;
83 struct sk_buff *rx_skb;
84 } bt3c_info_t;
87 static int bt3c_config(struct pcmcia_device *link);
88 static void bt3c_release(struct pcmcia_device *link);
90 static void bt3c_detach(struct pcmcia_device *p_dev);
93 /* Transmit states */
94 #define XMIT_SENDING 1
95 #define XMIT_WAKEUP 2
96 #define XMIT_WAITING 8
98 /* Receiver states */
99 #define RECV_WAIT_PACKET_TYPE 0
100 #define RECV_WAIT_EVENT_HEADER 1
101 #define RECV_WAIT_ACL_HEADER 2
102 #define RECV_WAIT_SCO_HEADER 3
103 #define RECV_WAIT_DATA 4
107 /* ======================== Special I/O functions ======================== */
110 #define DATA_L 0
111 #define DATA_H 1
112 #define ADDR_L 2
113 #define ADDR_H 3
114 #define CONTROL 4
117 static inline void bt3c_address(unsigned int iobase, unsigned short addr)
119 outb(addr & 0xff, iobase + ADDR_L);
120 outb((addr >> 8) & 0xff, iobase + ADDR_H);
124 static inline void bt3c_put(unsigned int iobase, unsigned short value)
126 outb(value & 0xff, iobase + DATA_L);
127 outb((value >> 8) & 0xff, iobase + DATA_H);
131 static inline void bt3c_io_write(unsigned int iobase, unsigned short addr, unsigned short value)
133 bt3c_address(iobase, addr);
134 bt3c_put(iobase, value);
138 static inline unsigned short bt3c_get(unsigned int iobase)
140 unsigned short value = inb(iobase + DATA_L);
142 value |= inb(iobase + DATA_H) << 8;
144 return value;
148 static inline unsigned short bt3c_read(unsigned int iobase, unsigned short addr)
150 bt3c_address(iobase, addr);
152 return bt3c_get(iobase);
157 /* ======================== Interrupt handling ======================== */
160 static int bt3c_write(unsigned int iobase, int fifo_size, __u8 *buf, int len)
162 int actual = 0;
164 bt3c_address(iobase, 0x7080);
166 /* Fill FIFO with current frame */
167 while (actual < len) {
168 /* Transmit next byte */
169 bt3c_put(iobase, buf[actual]);
170 actual++;
173 bt3c_io_write(iobase, 0x7005, actual);
175 return actual;
179 static void bt3c_write_wakeup(bt3c_info_t *info)
181 if (!info) {
182 BT_ERR("Unknown device");
183 return;
186 if (test_and_set_bit(XMIT_SENDING, &(info->tx_state)))
187 return;
189 do {
190 register unsigned int iobase = info->p_dev->resource[0]->start;
191 register struct sk_buff *skb;
192 register int len;
194 if (!pcmcia_dev_present(info->p_dev))
195 break;
198 if (!(skb = skb_dequeue(&(info->txq)))) {
199 clear_bit(XMIT_SENDING, &(info->tx_state));
200 break;
203 /* Send frame */
204 len = bt3c_write(iobase, 256, skb->data, skb->len);
206 if (len != skb->len) {
207 BT_ERR("Very strange");
210 kfree_skb(skb);
212 info->hdev->stat.byte_tx += len;
214 } while (0);
218 static void bt3c_receive(bt3c_info_t *info)
220 unsigned int iobase;
221 int size = 0, avail;
223 if (!info) {
224 BT_ERR("Unknown device");
225 return;
228 iobase = info->p_dev->resource[0]->start;
230 avail = bt3c_read(iobase, 0x7006);
231 //printk("bt3c_cs: receiving %d bytes\n", avail);
233 bt3c_address(iobase, 0x7480);
234 while (size < avail) {
235 size++;
236 info->hdev->stat.byte_rx++;
238 /* Allocate packet */
239 if (info->rx_skb == NULL) {
240 info->rx_state = RECV_WAIT_PACKET_TYPE;
241 info->rx_count = 0;
242 if (!(info->rx_skb = bt_skb_alloc(HCI_MAX_FRAME_SIZE, GFP_ATOMIC))) {
243 BT_ERR("Can't allocate mem for new packet");
244 return;
249 if (info->rx_state == RECV_WAIT_PACKET_TYPE) {
251 info->rx_skb->dev = (void *) info->hdev;
252 bt_cb(info->rx_skb)->pkt_type = inb(iobase + DATA_L);
253 inb(iobase + DATA_H);
254 //printk("bt3c: PACKET_TYPE=%02x\n", bt_cb(info->rx_skb)->pkt_type);
256 switch (bt_cb(info->rx_skb)->pkt_type) {
258 case HCI_EVENT_PKT:
259 info->rx_state = RECV_WAIT_EVENT_HEADER;
260 info->rx_count = HCI_EVENT_HDR_SIZE;
261 break;
263 case HCI_ACLDATA_PKT:
264 info->rx_state = RECV_WAIT_ACL_HEADER;
265 info->rx_count = HCI_ACL_HDR_SIZE;
266 break;
268 case HCI_SCODATA_PKT:
269 info->rx_state = RECV_WAIT_SCO_HEADER;
270 info->rx_count = HCI_SCO_HDR_SIZE;
271 break;
273 default:
274 /* Unknown packet */
275 BT_ERR("Unknown HCI packet with type 0x%02x received", bt_cb(info->rx_skb)->pkt_type);
276 info->hdev->stat.err_rx++;
277 clear_bit(HCI_RUNNING, &(info->hdev->flags));
279 kfree_skb(info->rx_skb);
280 info->rx_skb = NULL;
281 break;
285 } else {
287 __u8 x = inb(iobase + DATA_L);
289 *skb_put(info->rx_skb, 1) = x;
290 inb(iobase + DATA_H);
291 info->rx_count--;
293 if (info->rx_count == 0) {
295 int dlen;
296 struct hci_event_hdr *eh;
297 struct hci_acl_hdr *ah;
298 struct hci_sco_hdr *sh;
300 switch (info->rx_state) {
302 case RECV_WAIT_EVENT_HEADER:
303 eh = hci_event_hdr(info->rx_skb);
304 info->rx_state = RECV_WAIT_DATA;
305 info->rx_count = eh->plen;
306 break;
308 case RECV_WAIT_ACL_HEADER:
309 ah = hci_acl_hdr(info->rx_skb);
310 dlen = __le16_to_cpu(ah->dlen);
311 info->rx_state = RECV_WAIT_DATA;
312 info->rx_count = dlen;
313 break;
315 case RECV_WAIT_SCO_HEADER:
316 sh = hci_sco_hdr(info->rx_skb);
317 info->rx_state = RECV_WAIT_DATA;
318 info->rx_count = sh->dlen;
319 break;
321 case RECV_WAIT_DATA:
322 hci_recv_frame(info->rx_skb);
323 info->rx_skb = NULL;
324 break;
334 bt3c_io_write(iobase, 0x7006, 0x0000);
338 static irqreturn_t bt3c_interrupt(int irq, void *dev_inst)
340 bt3c_info_t *info = dev_inst;
341 unsigned int iobase;
342 int iir;
343 irqreturn_t r = IRQ_NONE;
345 if (!info || !info->hdev)
346 /* our irq handler is shared */
347 return IRQ_NONE;
349 iobase = info->p_dev->resource[0]->start;
351 spin_lock(&(info->lock));
353 iir = inb(iobase + CONTROL);
354 if (iir & 0x80) {
355 int stat = bt3c_read(iobase, 0x7001);
357 if ((stat & 0xff) == 0x7f) {
358 BT_ERR("Very strange (stat=0x%04x)", stat);
359 } else if ((stat & 0xff) != 0xff) {
360 if (stat & 0x0020) {
361 int status = bt3c_read(iobase, 0x7002) & 0x10;
362 BT_INFO("%s: Antenna %s", info->hdev->name,
363 status ? "out" : "in");
365 if (stat & 0x0001)
366 bt3c_receive(info);
367 if (stat & 0x0002) {
368 //BT_ERR("Ack (stat=0x%04x)", stat);
369 clear_bit(XMIT_SENDING, &(info->tx_state));
370 bt3c_write_wakeup(info);
373 bt3c_io_write(iobase, 0x7001, 0x0000);
375 outb(iir, iobase + CONTROL);
377 r = IRQ_HANDLED;
380 spin_unlock(&(info->lock));
382 return r;
387 /* ======================== HCI interface ======================== */
390 static int bt3c_hci_flush(struct hci_dev *hdev)
392 bt3c_info_t *info = (bt3c_info_t *)(hdev->driver_data);
394 /* Drop TX queue */
395 skb_queue_purge(&(info->txq));
397 return 0;
401 static int bt3c_hci_open(struct hci_dev *hdev)
403 set_bit(HCI_RUNNING, &(hdev->flags));
405 return 0;
409 static int bt3c_hci_close(struct hci_dev *hdev)
411 if (!test_and_clear_bit(HCI_RUNNING, &(hdev->flags)))
412 return 0;
414 bt3c_hci_flush(hdev);
416 return 0;
420 static int bt3c_hci_send_frame(struct sk_buff *skb)
422 bt3c_info_t *info;
423 struct hci_dev *hdev = (struct hci_dev *)(skb->dev);
424 unsigned long flags;
426 if (!hdev) {
427 BT_ERR("Frame for unknown HCI device (hdev=NULL)");
428 return -ENODEV;
431 info = (bt3c_info_t *) (hdev->driver_data);
433 switch (bt_cb(skb)->pkt_type) {
434 case HCI_COMMAND_PKT:
435 hdev->stat.cmd_tx++;
436 break;
437 case HCI_ACLDATA_PKT:
438 hdev->stat.acl_tx++;
439 break;
440 case HCI_SCODATA_PKT:
441 hdev->stat.sco_tx++;
442 break;
445 /* Prepend skb with frame type */
446 memcpy(skb_push(skb, 1), &bt_cb(skb)->pkt_type, 1);
447 skb_queue_tail(&(info->txq), skb);
449 spin_lock_irqsave(&(info->lock), flags);
451 bt3c_write_wakeup(info);
453 spin_unlock_irqrestore(&(info->lock), flags);
455 return 0;
459 static void bt3c_hci_destruct(struct hci_dev *hdev)
464 static int bt3c_hci_ioctl(struct hci_dev *hdev, unsigned int cmd, unsigned long arg)
466 return -ENOIOCTLCMD;
471 /* ======================== Card services HCI interaction ======================== */
474 static int bt3c_load_firmware(bt3c_info_t *info, const unsigned char *firmware,
475 int count)
477 char *ptr = (char *) firmware;
478 char b[9];
479 unsigned int iobase, size, addr, fcs, tmp;
480 int i, err = 0;
482 iobase = info->p_dev->resource[0]->start;
484 /* Reset */
485 bt3c_io_write(iobase, 0x8040, 0x0404);
486 bt3c_io_write(iobase, 0x8040, 0x0400);
488 udelay(1);
490 bt3c_io_write(iobase, 0x8040, 0x0404);
492 udelay(17);
494 /* Load */
495 while (count) {
496 if (ptr[0] != 'S') {
497 BT_ERR("Bad address in firmware");
498 err = -EFAULT;
499 goto error;
502 memset(b, 0, sizeof(b));
503 memcpy(b, ptr + 2, 2);
504 size = simple_strtoul(b, NULL, 16);
506 memset(b, 0, sizeof(b));
507 memcpy(b, ptr + 4, 8);
508 addr = simple_strtoul(b, NULL, 16);
510 memset(b, 0, sizeof(b));
511 memcpy(b, ptr + (size * 2) + 2, 2);
512 fcs = simple_strtoul(b, NULL, 16);
514 memset(b, 0, sizeof(b));
515 for (tmp = 0, i = 0; i < size; i++) {
516 memcpy(b, ptr + (i * 2) + 2, 2);
517 tmp += simple_strtol(b, NULL, 16);
520 if (((tmp + fcs) & 0xff) != 0xff) {
521 BT_ERR("Checksum error in firmware");
522 err = -EILSEQ;
523 goto error;
526 if (ptr[1] == '3') {
527 bt3c_address(iobase, addr);
529 memset(b, 0, sizeof(b));
530 for (i = 0; i < (size - 4) / 2; i++) {
531 memcpy(b, ptr + (i * 4) + 12, 4);
532 tmp = simple_strtoul(b, NULL, 16);
533 bt3c_put(iobase, tmp);
537 ptr += (size * 2) + 6;
538 count -= (size * 2) + 6;
541 udelay(17);
543 /* Boot */
544 bt3c_address(iobase, 0x3000);
545 outb(inb(iobase + CONTROL) | 0x40, iobase + CONTROL);
547 error:
548 udelay(17);
550 /* Clear */
551 bt3c_io_write(iobase, 0x7006, 0x0000);
552 bt3c_io_write(iobase, 0x7005, 0x0000);
553 bt3c_io_write(iobase, 0x7001, 0x0000);
555 return err;
559 static int bt3c_open(bt3c_info_t *info)
561 const struct firmware *firmware;
562 struct hci_dev *hdev;
563 int err;
565 spin_lock_init(&(info->lock));
567 skb_queue_head_init(&(info->txq));
569 info->rx_state = RECV_WAIT_PACKET_TYPE;
570 info->rx_count = 0;
571 info->rx_skb = NULL;
573 /* Initialize HCI device */
574 hdev = hci_alloc_dev();
575 if (!hdev) {
576 BT_ERR("Can't allocate HCI device");
577 return -ENOMEM;
580 info->hdev = hdev;
582 hdev->bus = HCI_PCCARD;
583 hdev->driver_data = info;
584 SET_HCIDEV_DEV(hdev, &info->p_dev->dev);
586 hdev->open = bt3c_hci_open;
587 hdev->close = bt3c_hci_close;
588 hdev->flush = bt3c_hci_flush;
589 hdev->send = bt3c_hci_send_frame;
590 hdev->destruct = bt3c_hci_destruct;
591 hdev->ioctl = bt3c_hci_ioctl;
593 hdev->owner = THIS_MODULE;
595 /* Load firmware */
596 err = request_firmware(&firmware, "BT3CPCC.bin", &info->p_dev->dev);
597 if (err < 0) {
598 BT_ERR("Firmware request failed");
599 goto error;
602 err = bt3c_load_firmware(info, firmware->data, firmware->size);
604 release_firmware(firmware);
606 if (err < 0) {
607 BT_ERR("Firmware loading failed");
608 goto error;
611 /* Timeout before it is safe to send the first HCI packet */
612 msleep(1000);
614 /* Register HCI device */
615 err = hci_register_dev(hdev);
616 if (err < 0) {
617 BT_ERR("Can't register HCI device");
618 goto error;
621 return 0;
623 error:
624 info->hdev = NULL;
625 hci_free_dev(hdev);
626 return err;
630 static int bt3c_close(bt3c_info_t *info)
632 struct hci_dev *hdev = info->hdev;
634 if (!hdev)
635 return -ENODEV;
637 bt3c_hci_close(hdev);
639 if (hci_unregister_dev(hdev) < 0)
640 BT_ERR("Can't unregister HCI device %s", hdev->name);
642 hci_free_dev(hdev);
644 return 0;
647 static int bt3c_probe(struct pcmcia_device *link)
649 bt3c_info_t *info;
651 /* Create new info device */
652 info = kzalloc(sizeof(*info), GFP_KERNEL);
653 if (!info)
654 return -ENOMEM;
656 info->p_dev = link;
657 link->priv = info;
659 link->config_flags |= CONF_ENABLE_IRQ | CONF_AUTO_SET_VPP |
660 CONF_AUTO_SET_IO;
662 return bt3c_config(link);
666 static void bt3c_detach(struct pcmcia_device *link)
668 bt3c_info_t *info = link->priv;
670 bt3c_release(link);
671 kfree(info);
674 static int bt3c_check_config(struct pcmcia_device *p_dev, void *priv_data)
676 int *try = priv_data;
678 if (try == 0)
679 p_dev->io_lines = 16;
681 if ((p_dev->resource[0]->end != 8) || (p_dev->resource[0]->start == 0))
682 return -EINVAL;
684 p_dev->resource[0]->end = 8;
685 p_dev->resource[0]->flags &= ~IO_DATA_PATH_WIDTH;
686 p_dev->resource[0]->flags |= IO_DATA_PATH_WIDTH_8;
688 return pcmcia_request_io(p_dev);
691 static int bt3c_check_config_notpicky(struct pcmcia_device *p_dev,
692 void *priv_data)
694 static unsigned int base[5] = { 0x3f8, 0x2f8, 0x3e8, 0x2e8, 0x0 };
695 int j;
697 if (p_dev->io_lines > 3)
698 return -ENODEV;
700 p_dev->resource[0]->flags &= ~IO_DATA_PATH_WIDTH;
701 p_dev->resource[0]->flags |= IO_DATA_PATH_WIDTH_8;
702 p_dev->resource[0]->end = 8;
704 for (j = 0; j < 5; j++) {
705 p_dev->resource[0]->start = base[j];
706 p_dev->io_lines = base[j] ? 16 : 3;
707 if (!pcmcia_request_io(p_dev))
708 return 0;
710 return -ENODEV;
713 static int bt3c_config(struct pcmcia_device *link)
715 bt3c_info_t *info = link->priv;
716 int i;
717 unsigned long try;
719 /* First pass: look for a config entry that looks normal.
720 Two tries: without IO aliases, then with aliases */
721 for (try = 0; try < 2; try++)
722 if (!pcmcia_loop_config(link, bt3c_check_config, (void *) try))
723 goto found_port;
725 /* Second pass: try to find an entry that isn't picky about
726 its base address, then try to grab any standard serial port
727 address, and finally try to get any free port. */
728 if (!pcmcia_loop_config(link, bt3c_check_config_notpicky, NULL))
729 goto found_port;
731 BT_ERR("No usable port range found");
732 goto failed;
734 found_port:
735 i = pcmcia_request_irq(link, &bt3c_interrupt);
736 if (i != 0)
737 goto failed;
739 i = pcmcia_enable_device(link);
740 if (i != 0)
741 goto failed;
743 if (bt3c_open(info) != 0)
744 goto failed;
746 return 0;
748 failed:
749 bt3c_release(link);
750 return -ENODEV;
754 static void bt3c_release(struct pcmcia_device *link)
756 bt3c_info_t *info = link->priv;
758 bt3c_close(info);
760 pcmcia_disable_device(link);
764 static const struct pcmcia_device_id bt3c_ids[] = {
765 PCMCIA_DEVICE_PROD_ID13("3COM", "Bluetooth PC Card", 0xefce0a31, 0xd4ce9b02),
766 PCMCIA_DEVICE_NULL
768 MODULE_DEVICE_TABLE(pcmcia, bt3c_ids);
770 static struct pcmcia_driver bt3c_driver = {
771 .owner = THIS_MODULE,
772 .name = "bt3c_cs",
773 .probe = bt3c_probe,
774 .remove = bt3c_detach,
775 .id_table = bt3c_ids,
778 static int __init init_bt3c_cs(void)
780 return pcmcia_register_driver(&bt3c_driver);
784 static void __exit exit_bt3c_cs(void)
786 pcmcia_unregister_driver(&bt3c_driver);
789 module_init(init_bt3c_cs);
790 module_exit(exit_bt3c_cs);