Avoid reading past buffer when calling GETACL
[zen-stable.git] / drivers / bluetooth / bt3c_cs.c
blob0c97e5d514b635b0574d3832d6b593263146f56e
1 /*
3 * Driver for the 3Com Bluetooth PCMCIA card
5 * Copyright (C) 2001-2002 Marcel Holtmann <marcel@holtmann.org>
6 * Jose Orlando Pereira <jop@di.uminho.pt>
9 * This program is free software; you can redistribute it and/or modify
10 * it under the terms of the GNU General Public License version 2 as
11 * published by the Free Software Foundation;
13 * Software distributed under the License is distributed on an "AS
14 * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
15 * implied. See the License for the specific language governing
16 * rights and limitations under the License.
18 * The initial developer of the original code is David A. Hinds
19 * <dahinds@users.sourceforge.net>. Portions created by David A. Hinds
20 * are Copyright (C) 1999 David A. Hinds. All Rights Reserved.
24 #include <linux/module.h>
26 #include <linux/kernel.h>
27 #include <linux/init.h>
28 #include <linux/slab.h>
29 #include <linux/types.h>
30 #include <linux/delay.h>
31 #include <linux/errno.h>
32 #include <linux/ptrace.h>
33 #include <linux/ioport.h>
34 #include <linux/spinlock.h>
35 #include <linux/moduleparam.h>
37 #include <linux/skbuff.h>
38 #include <linux/string.h>
39 #include <linux/serial.h>
40 #include <linux/serial_reg.h>
41 #include <linux/bitops.h>
42 #include <asm/system.h>
43 #include <asm/io.h>
45 #include <linux/device.h>
46 #include <linux/firmware.h>
48 #include <pcmcia/cistpl.h>
49 #include <pcmcia/ciscode.h>
50 #include <pcmcia/ds.h>
51 #include <pcmcia/cisreg.h>
53 #include <net/bluetooth/bluetooth.h>
54 #include <net/bluetooth/hci_core.h>
58 /* ======================== Module parameters ======================== */
61 MODULE_AUTHOR("Marcel Holtmann <marcel@holtmann.org>");
62 MODULE_DESCRIPTION("Bluetooth driver for the 3Com Bluetooth PCMCIA card");
63 MODULE_LICENSE("GPL");
64 MODULE_FIRMWARE("BT3CPCC.bin");
68 /* ======================== Local structures ======================== */
71 typedef struct bt3c_info_t {
72 struct pcmcia_device *p_dev;
74 struct hci_dev *hdev;
76 spinlock_t lock; /* For serializing operations */
78 struct sk_buff_head txq;
79 unsigned long tx_state;
81 unsigned long rx_state;
82 unsigned long rx_count;
83 struct sk_buff *rx_skb;
84 } bt3c_info_t;
87 static int bt3c_config(struct pcmcia_device *link);
88 static void bt3c_release(struct pcmcia_device *link);
90 static void bt3c_detach(struct pcmcia_device *p_dev);
93 /* Transmit states */
94 #define XMIT_SENDING 1
95 #define XMIT_WAKEUP 2
96 #define XMIT_WAITING 8
98 /* Receiver states */
99 #define RECV_WAIT_PACKET_TYPE 0
100 #define RECV_WAIT_EVENT_HEADER 1
101 #define RECV_WAIT_ACL_HEADER 2
102 #define RECV_WAIT_SCO_HEADER 3
103 #define RECV_WAIT_DATA 4
107 /* ======================== Special I/O functions ======================== */
110 #define DATA_L 0
111 #define DATA_H 1
112 #define ADDR_L 2
113 #define ADDR_H 3
114 #define CONTROL 4
117 static inline void bt3c_address(unsigned int iobase, unsigned short addr)
119 outb(addr & 0xff, iobase + ADDR_L);
120 outb((addr >> 8) & 0xff, iobase + ADDR_H);
124 static inline void bt3c_put(unsigned int iobase, unsigned short value)
126 outb(value & 0xff, iobase + DATA_L);
127 outb((value >> 8) & 0xff, iobase + DATA_H);
131 static inline void bt3c_io_write(unsigned int iobase, unsigned short addr, unsigned short value)
133 bt3c_address(iobase, addr);
134 bt3c_put(iobase, value);
138 static inline unsigned short bt3c_get(unsigned int iobase)
140 unsigned short value = inb(iobase + DATA_L);
142 value |= inb(iobase + DATA_H) << 8;
144 return value;
148 static inline unsigned short bt3c_read(unsigned int iobase, unsigned short addr)
150 bt3c_address(iobase, addr);
152 return bt3c_get(iobase);
157 /* ======================== Interrupt handling ======================== */
160 static int bt3c_write(unsigned int iobase, int fifo_size, __u8 *buf, int len)
162 int actual = 0;
164 bt3c_address(iobase, 0x7080);
166 /* Fill FIFO with current frame */
167 while (actual < len) {
168 /* Transmit next byte */
169 bt3c_put(iobase, buf[actual]);
170 actual++;
173 bt3c_io_write(iobase, 0x7005, actual);
175 return actual;
179 static void bt3c_write_wakeup(bt3c_info_t *info)
181 if (!info) {
182 BT_ERR("Unknown device");
183 return;
186 if (test_and_set_bit(XMIT_SENDING, &(info->tx_state)))
187 return;
189 do {
190 register unsigned int iobase = info->p_dev->resource[0]->start;
191 register struct sk_buff *skb;
192 register int len;
194 if (!pcmcia_dev_present(info->p_dev))
195 break;
198 if (!(skb = skb_dequeue(&(info->txq)))) {
199 clear_bit(XMIT_SENDING, &(info->tx_state));
200 break;
203 /* Send frame */
204 len = bt3c_write(iobase, 256, skb->data, skb->len);
206 if (len != skb->len) {
207 BT_ERR("Very strange");
210 kfree_skb(skb);
212 info->hdev->stat.byte_tx += len;
214 } while (0);
218 static void bt3c_receive(bt3c_info_t *info)
220 unsigned int iobase;
221 int size = 0, avail;
223 if (!info) {
224 BT_ERR("Unknown device");
225 return;
228 iobase = info->p_dev->resource[0]->start;
230 avail = bt3c_read(iobase, 0x7006);
231 //printk("bt3c_cs: receiving %d bytes\n", avail);
233 bt3c_address(iobase, 0x7480);
234 while (size < avail) {
235 size++;
236 info->hdev->stat.byte_rx++;
238 /* Allocate packet */
239 if (info->rx_skb == NULL) {
240 info->rx_state = RECV_WAIT_PACKET_TYPE;
241 info->rx_count = 0;
242 if (!(info->rx_skb = bt_skb_alloc(HCI_MAX_FRAME_SIZE, GFP_ATOMIC))) {
243 BT_ERR("Can't allocate mem for new packet");
244 return;
249 if (info->rx_state == RECV_WAIT_PACKET_TYPE) {
251 info->rx_skb->dev = (void *) info->hdev;
252 bt_cb(info->rx_skb)->pkt_type = inb(iobase + DATA_L);
253 inb(iobase + DATA_H);
254 //printk("bt3c: PACKET_TYPE=%02x\n", bt_cb(info->rx_skb)->pkt_type);
256 switch (bt_cb(info->rx_skb)->pkt_type) {
258 case HCI_EVENT_PKT:
259 info->rx_state = RECV_WAIT_EVENT_HEADER;
260 info->rx_count = HCI_EVENT_HDR_SIZE;
261 break;
263 case HCI_ACLDATA_PKT:
264 info->rx_state = RECV_WAIT_ACL_HEADER;
265 info->rx_count = HCI_ACL_HDR_SIZE;
266 break;
268 case HCI_SCODATA_PKT:
269 info->rx_state = RECV_WAIT_SCO_HEADER;
270 info->rx_count = HCI_SCO_HDR_SIZE;
271 break;
273 default:
274 /* Unknown packet */
275 BT_ERR("Unknown HCI packet with type 0x%02x received", bt_cb(info->rx_skb)->pkt_type);
276 info->hdev->stat.err_rx++;
277 clear_bit(HCI_RUNNING, &(info->hdev->flags));
279 kfree_skb(info->rx_skb);
280 info->rx_skb = NULL;
281 break;
285 } else {
287 __u8 x = inb(iobase + DATA_L);
289 *skb_put(info->rx_skb, 1) = x;
290 inb(iobase + DATA_H);
291 info->rx_count--;
293 if (info->rx_count == 0) {
295 int dlen;
296 struct hci_event_hdr *eh;
297 struct hci_acl_hdr *ah;
298 struct hci_sco_hdr *sh;
300 switch (info->rx_state) {
302 case RECV_WAIT_EVENT_HEADER:
303 eh = hci_event_hdr(info->rx_skb);
304 info->rx_state = RECV_WAIT_DATA;
305 info->rx_count = eh->plen;
306 break;
308 case RECV_WAIT_ACL_HEADER:
309 ah = hci_acl_hdr(info->rx_skb);
310 dlen = __le16_to_cpu(ah->dlen);
311 info->rx_state = RECV_WAIT_DATA;
312 info->rx_count = dlen;
313 break;
315 case RECV_WAIT_SCO_HEADER:
316 sh = hci_sco_hdr(info->rx_skb);
317 info->rx_state = RECV_WAIT_DATA;
318 info->rx_count = sh->dlen;
319 break;
321 case RECV_WAIT_DATA:
322 hci_recv_frame(info->rx_skb);
323 info->rx_skb = NULL;
324 break;
334 bt3c_io_write(iobase, 0x7006, 0x0000);
338 static irqreturn_t bt3c_interrupt(int irq, void *dev_inst)
340 bt3c_info_t *info = dev_inst;
341 unsigned int iobase;
342 int iir;
343 irqreturn_t r = IRQ_NONE;
345 if (!info || !info->hdev)
346 /* our irq handler is shared */
347 return IRQ_NONE;
349 iobase = info->p_dev->resource[0]->start;
351 spin_lock(&(info->lock));
353 iir = inb(iobase + CONTROL);
354 if (iir & 0x80) {
355 int stat = bt3c_read(iobase, 0x7001);
357 if ((stat & 0xff) == 0x7f) {
358 BT_ERR("Very strange (stat=0x%04x)", stat);
359 } else if ((stat & 0xff) != 0xff) {
360 if (stat & 0x0020) {
361 int status = bt3c_read(iobase, 0x7002) & 0x10;
362 BT_INFO("%s: Antenna %s", info->hdev->name,
363 status ? "out" : "in");
365 if (stat & 0x0001)
366 bt3c_receive(info);
367 if (stat & 0x0002) {
368 //BT_ERR("Ack (stat=0x%04x)", stat);
369 clear_bit(XMIT_SENDING, &(info->tx_state));
370 bt3c_write_wakeup(info);
373 bt3c_io_write(iobase, 0x7001, 0x0000);
375 outb(iir, iobase + CONTROL);
377 r = IRQ_HANDLED;
380 spin_unlock(&(info->lock));
382 return r;
387 /* ======================== HCI interface ======================== */
390 static int bt3c_hci_flush(struct hci_dev *hdev)
392 bt3c_info_t *info = (bt3c_info_t *)(hdev->driver_data);
394 /* Drop TX queue */
395 skb_queue_purge(&(info->txq));
397 return 0;
401 static int bt3c_hci_open(struct hci_dev *hdev)
403 set_bit(HCI_RUNNING, &(hdev->flags));
405 return 0;
409 static int bt3c_hci_close(struct hci_dev *hdev)
411 if (!test_and_clear_bit(HCI_RUNNING, &(hdev->flags)))
412 return 0;
414 bt3c_hci_flush(hdev);
416 return 0;
420 static int bt3c_hci_send_frame(struct sk_buff *skb)
422 bt3c_info_t *info;
423 struct hci_dev *hdev = (struct hci_dev *)(skb->dev);
424 unsigned long flags;
426 if (!hdev) {
427 BT_ERR("Frame for unknown HCI device (hdev=NULL)");
428 return -ENODEV;
431 info = (bt3c_info_t *) (hdev->driver_data);
433 switch (bt_cb(skb)->pkt_type) {
434 case HCI_COMMAND_PKT:
435 hdev->stat.cmd_tx++;
436 break;
437 case HCI_ACLDATA_PKT:
438 hdev->stat.acl_tx++;
439 break;
440 case HCI_SCODATA_PKT:
441 hdev->stat.sco_tx++;
442 break;
445 /* Prepend skb with frame type */
446 memcpy(skb_push(skb, 1), &bt_cb(skb)->pkt_type, 1);
447 skb_queue_tail(&(info->txq), skb);
449 spin_lock_irqsave(&(info->lock), flags);
451 bt3c_write_wakeup(info);
453 spin_unlock_irqrestore(&(info->lock), flags);
455 return 0;
459 static void bt3c_hci_destruct(struct hci_dev *hdev)
464 static int bt3c_hci_ioctl(struct hci_dev *hdev, unsigned int cmd, unsigned long arg)
466 return -ENOIOCTLCMD;
471 /* ======================== Card services HCI interaction ======================== */
474 static int bt3c_load_firmware(bt3c_info_t *info, const unsigned char *firmware,
475 int count)
477 char *ptr = (char *) firmware;
478 char b[9];
479 unsigned int iobase, size, addr, fcs, tmp;
480 int i, err = 0;
482 iobase = info->p_dev->resource[0]->start;
484 /* Reset */
485 bt3c_io_write(iobase, 0x8040, 0x0404);
486 bt3c_io_write(iobase, 0x8040, 0x0400);
488 udelay(1);
490 bt3c_io_write(iobase, 0x8040, 0x0404);
492 udelay(17);
494 /* Load */
495 while (count) {
496 if (ptr[0] != 'S') {
497 BT_ERR("Bad address in firmware");
498 err = -EFAULT;
499 goto error;
502 memset(b, 0, sizeof(b));
503 memcpy(b, ptr + 2, 2);
504 size = simple_strtoul(b, NULL, 16);
506 memset(b, 0, sizeof(b));
507 memcpy(b, ptr + 4, 8);
508 addr = simple_strtoul(b, NULL, 16);
510 memset(b, 0, sizeof(b));
511 memcpy(b, ptr + (size * 2) + 2, 2);
512 fcs = simple_strtoul(b, NULL, 16);
514 memset(b, 0, sizeof(b));
515 for (tmp = 0, i = 0; i < size; i++) {
516 memcpy(b, ptr + (i * 2) + 2, 2);
517 tmp += simple_strtol(b, NULL, 16);
520 if (((tmp + fcs) & 0xff) != 0xff) {
521 BT_ERR("Checksum error in firmware");
522 err = -EILSEQ;
523 goto error;
526 if (ptr[1] == '3') {
527 bt3c_address(iobase, addr);
529 memset(b, 0, sizeof(b));
530 for (i = 0; i < (size - 4) / 2; i++) {
531 memcpy(b, ptr + (i * 4) + 12, 4);
532 tmp = simple_strtoul(b, NULL, 16);
533 bt3c_put(iobase, tmp);
537 ptr += (size * 2) + 6;
538 count -= (size * 2) + 6;
541 udelay(17);
543 /* Boot */
544 bt3c_address(iobase, 0x3000);
545 outb(inb(iobase + CONTROL) | 0x40, iobase + CONTROL);
547 error:
548 udelay(17);
550 /* Clear */
551 bt3c_io_write(iobase, 0x7006, 0x0000);
552 bt3c_io_write(iobase, 0x7005, 0x0000);
553 bt3c_io_write(iobase, 0x7001, 0x0000);
555 return err;
559 static int bt3c_open(bt3c_info_t *info)
561 const struct firmware *firmware;
562 struct hci_dev *hdev;
563 int err;
565 spin_lock_init(&(info->lock));
567 skb_queue_head_init(&(info->txq));
569 info->rx_state = RECV_WAIT_PACKET_TYPE;
570 info->rx_count = 0;
571 info->rx_skb = NULL;
573 /* Initialize HCI device */
574 hdev = hci_alloc_dev();
575 if (!hdev) {
576 BT_ERR("Can't allocate HCI device");
577 return -ENOMEM;
580 info->hdev = hdev;
582 hdev->bus = HCI_PCCARD;
583 hdev->driver_data = info;
584 SET_HCIDEV_DEV(hdev, &info->p_dev->dev);
586 hdev->open = bt3c_hci_open;
587 hdev->close = bt3c_hci_close;
588 hdev->flush = bt3c_hci_flush;
589 hdev->send = bt3c_hci_send_frame;
590 hdev->destruct = bt3c_hci_destruct;
591 hdev->ioctl = bt3c_hci_ioctl;
593 hdev->owner = THIS_MODULE;
595 /* Load firmware */
596 err = request_firmware(&firmware, "BT3CPCC.bin", &info->p_dev->dev);
597 if (err < 0) {
598 BT_ERR("Firmware request failed");
599 goto error;
602 err = bt3c_load_firmware(info, firmware->data, firmware->size);
604 release_firmware(firmware);
606 if (err < 0) {
607 BT_ERR("Firmware loading failed");
608 goto error;
611 /* Timeout before it is safe to send the first HCI packet */
612 msleep(1000);
614 /* Register HCI device */
615 err = hci_register_dev(hdev);
616 if (err < 0) {
617 BT_ERR("Can't register HCI device");
618 goto error;
621 return 0;
623 error:
624 info->hdev = NULL;
625 hci_free_dev(hdev);
626 return err;
630 static int bt3c_close(bt3c_info_t *info)
632 struct hci_dev *hdev = info->hdev;
634 if (!hdev)
635 return -ENODEV;
637 bt3c_hci_close(hdev);
639 hci_unregister_dev(hdev);
640 hci_free_dev(hdev);
642 return 0;
645 static int bt3c_probe(struct pcmcia_device *link)
647 bt3c_info_t *info;
649 /* Create new info device */
650 info = kzalloc(sizeof(*info), GFP_KERNEL);
651 if (!info)
652 return -ENOMEM;
654 info->p_dev = link;
655 link->priv = info;
657 link->config_flags |= CONF_ENABLE_IRQ | CONF_AUTO_SET_VPP |
658 CONF_AUTO_SET_IO;
660 return bt3c_config(link);
664 static void bt3c_detach(struct pcmcia_device *link)
666 bt3c_info_t *info = link->priv;
668 bt3c_release(link);
669 kfree(info);
672 static int bt3c_check_config(struct pcmcia_device *p_dev, void *priv_data)
674 int *try = priv_data;
676 if (try == 0)
677 p_dev->io_lines = 16;
679 if ((p_dev->resource[0]->end != 8) || (p_dev->resource[0]->start == 0))
680 return -EINVAL;
682 p_dev->resource[0]->end = 8;
683 p_dev->resource[0]->flags &= ~IO_DATA_PATH_WIDTH;
684 p_dev->resource[0]->flags |= IO_DATA_PATH_WIDTH_8;
686 return pcmcia_request_io(p_dev);
689 static int bt3c_check_config_notpicky(struct pcmcia_device *p_dev,
690 void *priv_data)
692 static unsigned int base[5] = { 0x3f8, 0x2f8, 0x3e8, 0x2e8, 0x0 };
693 int j;
695 if (p_dev->io_lines > 3)
696 return -ENODEV;
698 p_dev->resource[0]->flags &= ~IO_DATA_PATH_WIDTH;
699 p_dev->resource[0]->flags |= IO_DATA_PATH_WIDTH_8;
700 p_dev->resource[0]->end = 8;
702 for (j = 0; j < 5; j++) {
703 p_dev->resource[0]->start = base[j];
704 p_dev->io_lines = base[j] ? 16 : 3;
705 if (!pcmcia_request_io(p_dev))
706 return 0;
708 return -ENODEV;
711 static int bt3c_config(struct pcmcia_device *link)
713 bt3c_info_t *info = link->priv;
714 int i;
715 unsigned long try;
717 /* First pass: look for a config entry that looks normal.
718 Two tries: without IO aliases, then with aliases */
719 for (try = 0; try < 2; try++)
720 if (!pcmcia_loop_config(link, bt3c_check_config, (void *) try))
721 goto found_port;
723 /* Second pass: try to find an entry that isn't picky about
724 its base address, then try to grab any standard serial port
725 address, and finally try to get any free port. */
726 if (!pcmcia_loop_config(link, bt3c_check_config_notpicky, NULL))
727 goto found_port;
729 BT_ERR("No usable port range found");
730 goto failed;
732 found_port:
733 i = pcmcia_request_irq(link, &bt3c_interrupt);
734 if (i != 0)
735 goto failed;
737 i = pcmcia_enable_device(link);
738 if (i != 0)
739 goto failed;
741 if (bt3c_open(info) != 0)
742 goto failed;
744 return 0;
746 failed:
747 bt3c_release(link);
748 return -ENODEV;
752 static void bt3c_release(struct pcmcia_device *link)
754 bt3c_info_t *info = link->priv;
756 bt3c_close(info);
758 pcmcia_disable_device(link);
762 static const struct pcmcia_device_id bt3c_ids[] = {
763 PCMCIA_DEVICE_PROD_ID13("3COM", "Bluetooth PC Card", 0xefce0a31, 0xd4ce9b02),
764 PCMCIA_DEVICE_NULL
766 MODULE_DEVICE_TABLE(pcmcia, bt3c_ids);
768 static struct pcmcia_driver bt3c_driver = {
769 .owner = THIS_MODULE,
770 .name = "bt3c_cs",
771 .probe = bt3c_probe,
772 .remove = bt3c_detach,
773 .id_table = bt3c_ids,
776 static int __init init_bt3c_cs(void)
778 return pcmcia_register_driver(&bt3c_driver);
782 static void __exit exit_bt3c_cs(void)
784 pcmcia_unregister_driver(&bt3c_driver);
787 module_init(init_bt3c_cs);
788 module_exit(exit_bt3c_cs);