1 /*
3 * Generic Bluetooth SDIO driver
5 * Copyright (C) 2007 Cambridge Silicon Radio Ltd.
6 * Copyright (C) 2007 Marcel Holtmann <marcel@holtmann.org>
9 * This program is free software; you can redistribute it and/or modify
10 * it under the terms of the GNU General Public License as published by
11 * the Free Software Foundation; either version 2 of the License, or
12 * (at your option) any later version.
14 * This program is distributed in the hope that it will be useful,
15 * but WITHOUT ANY WARRANTY; without even the implied warranty of
16 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 * GNU General Public License for more details.
19 * You should have received a copy of the GNU General Public License
20 * along with this program; if not, write to the Free Software
21 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
25 #include <linux/kernel.h>
26 #include <linux/module.h>
27 #include <linux/init.h>
28 #include <linux/slab.h>
29 #include <linux/types.h>
30 #include <linux/sched.h>
31 #include <linux/errno.h>
32 #include <linux/skbuff.h>
34 #include <linux/mmc/sdio_ids.h>
35 #include <linux/mmc/sdio_func.h>
37 #include <net/bluetooth/bluetooth.h>
38 #include <net/bluetooth/hci_core.h>
#define VERSION "0.1"

/*
 * SDIO IDs this driver binds to. Every entry matches on the function
 * class alone (SDIO_DEVICE_CLASS), so any function that reports one of
 * these Bluetooth classes is handed to btsdio_probe().
 */
static const struct sdio_device_id btsdio_table[] = {
	/* Generic Bluetooth Type-A SDIO device */
	{ SDIO_DEVICE_CLASS(SDIO_CLASS_BT_A) },

	/* Generic Bluetooth Type-B SDIO device */
	{ SDIO_DEVICE_CLASS(SDIO_CLASS_BT_B) },

	/* Generic Bluetooth AMP controller */
	{ SDIO_DEVICE_CLASS(SDIO_CLASS_BT_AMP) },

	{ }	/* Terminating entry */
};

MODULE_DEVICE_TABLE(sdio, btsdio_table);
/*
 * Per-function driver state. Allocated in btsdio_probe() and released
 * by btsdio_destruct() (or by the probe error path).
 */
struct btsdio_data {
	struct hci_dev		*hdev;	/* HCI device registered for this function */
	struct sdio_func	*func;	/* SDIO function the driver is bound to */

	struct work_struct	work;	/* runs btsdio_work() to drain txq */

	struct sk_buff_head	txq;	/* frames queued by btsdio_send_frame() */
};
/*
 * Register offsets used with the SDIO byte and stream accessors.
 * Several offsets carry two names, one for each access direction.
 */
#define REG_RDAT	0x00	/* Receiver Data */
#define REG_TDAT	0x00	/* Transmitter Data */
#define REG_PC_RRT	0x10	/* Read Packet Control */
#define REG_PC_WRT	0x11	/* Write Packet Control */
#define REG_RTC_STAT	0x12	/* Retry Control Status */
#define REG_RTC_SET	0x12	/* Retry Control Set */
#define REG_INTRD	0x13	/* Interrupt Indication */
#define REG_CL_INTRD	0x13	/* Interrupt Clear */
#define REG_EN_INTRD	0x14	/* Interrupt Enable */
#define REG_MD_STAT	0x20	/* Bluetooth Mode Status */
/*
 * Send one frame to the device.
 *
 * A 4-byte Type-A header (24-bit little-endian total length, then the
 * HCI packet type) is pushed in front of the payload and the whole
 * buffer is written to REG_TDAT.
 *
 * Returns 0 on success, in which case the skb has been freed. On a
 * write error the header is pulled off again, 0x01 is written to
 * REG_PC_WRT, and the negative error is returned; the skb is NOT freed
 * so the caller can requeue it.
 *
 * The length field holds only the low 24 bits of skb->len.
 */
static int btsdio_tx_packet(struct btsdio_data *data, struct sk_buff *skb)
{
	struct sdio_func *func = data->func;
	int ret;

	BT_DBG("%s", data->hdev->name);

	/* Prepend Type-A header; skb->len now includes the 4 header bytes */
	skb_push(skb, 4);
	skb->data[0] = skb->len & 0xff;
	skb->data[1] = (skb->len >> 8) & 0xff;
	skb->data[2] = (skb->len >> 16) & 0xff;
	skb->data[3] = bt_cb(skb)->pkt_type;

	ret = sdio_writesb(func, REG_TDAT, skb->data, skb->len);
	if (ret >= 0) {
		data->hdev->stat.byte_tx += skb->len;
		kfree_skb(skb);
		return 0;
	}

	/* Undo the header so a later retry starts from the bare payload */
	skb_pull(skb, 4);
	sdio_writeb(func, 0x01, REG_PC_WRT, NULL);

	return ret;
}
/*
 * Work handler: drain the transmit queue while holding the SDIO host.
 *
 * Stops at the first frame that fails to send; that frame is put back
 * at the head of the queue and err_tx is bumped. This function does not
 * reschedule itself, so the frame waits for the next schedule_work().
 *
 * The handler dereferences data, data->hdev and data->func, so all
 * three must stay valid for as long as the work item can run.
 */
static void btsdio_work(struct work_struct *work)
{
	struct btsdio_data *data = container_of(work, struct btsdio_data, work);
	struct sk_buff *frame;

	BT_DBG("%s", data->hdev->name);

	sdio_claim_host(data->func);

	for (;;) {
		frame = skb_dequeue(&data->txq);
		if (!frame)
			break;

		if (btsdio_tx_packet(data, frame) >= 0)
			continue;

		/* Send failed: keep ordering by requeueing at the head */
		data->hdev->stat.err_tx++;
		skb_queue_head(&data->txq, frame);
		break;
	}

	sdio_release_host(data->func);
}
/*
 * Read one frame from the device and hand it to the HCI core.
 *
 * The 4-byte header comes first: a 24-bit little-endian length that
 * includes the header itself, then the packet type. The length is
 * device-supplied, so it is range-checked before it sizes the
 * allocation and the second read.
 *
 * Returns 0 on success, -EILSEQ for an out-of-range length, -ENOMEM if
 * no skb could be allocated, or the error from the SDIO read or from
 * hci_recv_frame(). REG_PC_RRT is written with 0x00 only on success.
 */
static int btsdio_rx_packet(struct btsdio_data *data)
{
	u8 hdr[4] __attribute__ ((aligned(4)));
	struct sk_buff *skb;
	int ret, frame_len, payload_len;

	BT_DBG("%s", data->hdev->name);

	ret = sdio_readsb(data->func, hdr, REG_RDAT, 4);
	if (ret < 0)
		return ret;

	/* Reject lengths shorter than the header or above the upper bound */
	frame_len = hdr[0] | (hdr[1] << 8) | (hdr[2] << 16);
	if (!(frame_len >= 4 && frame_len <= 65543))
		return -EILSEQ;

	payload_len = frame_len - 4;

	skb = bt_skb_alloc(payload_len, GFP_KERNEL);
	if (!skb) {
		/* Out of memory. No retry is requested here; the caller
		 * (btsdio_interrupt) writes REG_PC_RRT on any negative
		 * return, and a later call may find more memory. */
		return -ENOMEM;
	}

	skb_put(skb, payload_len);

	ret = sdio_readsb(data->func, skb->data, REG_RDAT, payload_len);
	if (ret < 0) {
		kfree_skb(skb);
		return ret;
	}

	/* The byte counter includes the 4 header bytes */
	data->hdev->stat.byte_rx += frame_len;

	skb->dev = (void *) data->hdev;
	/* NOTE(review): hdr[3] is copied from the device without being
	 * checked against the known HCI packet types; confirm the HCI
	 * core rejects unknown values. */
	bt_cb(skb)->pkt_type = hdr[3];

	/* The skb is not freed here on failure; presumably
	 * hci_recv_frame() owns it from this point - TODO confirm. */
	ret = hci_recv_frame(skb);
	if (ret < 0)
		return ret;

	sdio_writeb(data->func, 0x00, REG_PC_RRT, NULL);

	return 0;
}
/*
 * SDIO interrupt handler, installed by btsdio_open().
 *
 * If bit 0 of REG_INTRD is set, the interrupt is cleared through
 * REG_CL_INTRD and one frame is read. A failed read bumps err_rx and
 * writes 0x01 to REG_PC_RRT. The status pointers passed to
 * sdio_readb()/sdio_writeb() are NULL, so register access errors are
 * not observed here.
 */
static void btsdio_interrupt(struct sdio_func *func)
{
	struct btsdio_data *data = sdio_get_drvdata(func);
	int pending;

	BT_DBG("%s", data->hdev->name);

	pending = sdio_readb(func, REG_INTRD, NULL);
	if (!(pending & 0x01))
		return;

	sdio_writeb(func, 0x01, REG_CL_INTRD, NULL);

	if (btsdio_rx_packet(data) >= 0)
		return;

	data->hdev->stat.err_rx++;
	sdio_writeb(data->func, 0x01, REG_PC_RRT, NULL);
}
/*
 * hci_dev open callback: enable the SDIO function, claim its interrupt
 * and turn on interrupt delivery.
 *
 * Returns 0 if the device was already running or was brought up, else
 * the negative error from sdio_enable_func() or sdio_claim_irq(). On
 * failure HCI_RUNNING is cleared again and, if the function had been
 * enabled, it is disabled. The register writes pass a NULL status
 * pointer, so their failures are not reported.
 */
static int btsdio_open(struct hci_dev *hdev)
{
	struct btsdio_data *data = hdev->driver_data;
	struct sdio_func *func;
	int ret;

	BT_DBG("%s", hdev->name);

	/* Already up: nothing to do */
	if (test_and_set_bit(HCI_RUNNING, &hdev->flags))
		return 0;

	func = data->func;

	sdio_claim_host(func);

	ret = sdio_enable_func(func);
	if (ret >= 0) {
		ret = sdio_claim_irq(func, btsdio_interrupt);
		if (ret < 0)
			sdio_disable_func(func);
	}

	if (ret < 0) {
		clear_bit(HCI_RUNNING, &hdev->flags);
	} else {
		/* Type-B functions get REG_MD_STAT cleared first */
		if (func->class == SDIO_CLASS_BT_B)
			sdio_writeb(func, 0x00, REG_MD_STAT, NULL);

		sdio_writeb(func, 0x01, REG_EN_INTRD, NULL);
	}

	sdio_release_host(func);

	return ret;
}
/*
 * hci_dev close callback: mask interrupts, release the IRQ and disable
 * the SDIO function. Always returns 0; a device that was not running is
 * left untouched.
 *
 * NOTE(review): the TX work item is neither cancelled nor waited for
 * here; confirm that btsdio_work() cannot still be running against the
 * disabled function.
 */
static int btsdio_close(struct hci_dev *hdev)
{
	struct btsdio_data *data = hdev->driver_data;
	struct sdio_func *func;

	BT_DBG("%s", hdev->name);

	if (!test_and_clear_bit(HCI_RUNNING, &hdev->flags))
		return 0;

	func = data->func;

	sdio_claim_host(func);

	sdio_writeb(func, 0x00, REG_EN_INTRD, NULL);

	sdio_release_irq(func);
	sdio_disable_func(func);

	sdio_release_host(func);

	return 0;
}
/*
 * hci_dev flush callback: drop every frame still waiting in the
 * transmit queue. Always returns 0.
 */
static int btsdio_flush(struct hci_dev *hdev)
{
	struct btsdio_data *data;

	BT_DBG("%s", hdev->name);

	data = hdev->driver_data;
	skb_queue_purge(&data->txq);

	return 0;
}
/*
 * hci_dev send callback: account the frame by packet type, append it to
 * the transmit queue and kick the worker.
 *
 * Returns 0 once queued, -EBUSY if the device is not running, or
 * -EILSEQ for a packet type other than command, ACL or SCO data. The
 * skb is not freed on the error paths.
 */
static int btsdio_send_frame(struct sk_buff *skb)
{
	struct hci_dev *hdev = (struct hci_dev *) skb->dev;
	struct btsdio_data *data = hdev->driver_data;
	int type;

	BT_DBG("%s", hdev->name);

	if (!test_bit(HCI_RUNNING, &hdev->flags))
		return -EBUSY;

	type = bt_cb(skb)->pkt_type;

	if (type == HCI_COMMAND_PKT)
		hdev->stat.cmd_tx++;
	else if (type == HCI_ACLDATA_PKT)
		hdev->stat.acl_tx++;
	else if (type == HCI_SCODATA_PKT)
		hdev->stat.sco_tx++;
	else
		return -EILSEQ;

	skb_queue_tail(&data->txq, skb);

	/* Actual transmission happens in btsdio_work() */
	schedule_work(&data->work);

	return 0;
}
/*
 * hci_dev destruct callback: free the driver state allocated in
 * btsdio_probe(). The embedded work item and transmit queue live in
 * that allocation, so nothing may reference them afterwards.
 */
static void btsdio_destruct(struct hci_dev *hdev)
{
	BT_DBG("%s", hdev->name);

	kfree(hdev->driver_data);
}
/*
 * SDIO probe callback: allocate the driver state, create and register
 * an HCI device for the function, and attach the state to the function
 * as driver data.
 *
 * Returns 0 on success, -ENOMEM if either allocation fails, or the
 * error from hci_register_dev(). Everything allocated here is released
 * again on failure.
 */
static int btsdio_probe(struct sdio_func *func,
				const struct sdio_device_id *id)
{
	struct btsdio_data *data;
	struct hci_dev *hdev;
	struct sdio_func_tuple *tuple;
	int err;

	BT_DBG("func %p id %p class 0x%04x", func, id, func->class);

	/* Debug aid only: list the tuples attached to this function */
	for (tuple = func->tuples; tuple; tuple = tuple->next)
		BT_DBG("code 0x%x size %d", tuple->code, tuple->size);

	data = kzalloc(sizeof(*data), GFP_KERNEL);
	if (!data)
		return -ENOMEM;

	data->func = func;

	INIT_WORK(&data->work, btsdio_work);

	skb_queue_head_init(&data->txq);

	hdev = hci_alloc_dev();
	if (!hdev) {
		err = -ENOMEM;
		goto free_data;
	}

	hdev->bus = HCI_SDIO;
	hdev->driver_data = data;

	/* AMP-class functions register as AMP controllers, the rest as BR/EDR */
	hdev->dev_type = (id->class == SDIO_CLASS_BT_AMP) ? HCI_AMP : HCI_BREDR;

	data->hdev = hdev;

	SET_HCIDEV_DEV(hdev, &func->dev);

	hdev->open     = btsdio_open;
	hdev->close    = btsdio_close;
	hdev->flush    = btsdio_flush;
	hdev->send     = btsdio_send_frame;
	hdev->destruct = btsdio_destruct;

	hdev->owner = THIS_MODULE;

	err = hci_register_dev(hdev);
	if (err < 0)
		goto free_hdev;

	sdio_set_drvdata(func, data);

	return 0;

free_hdev:
	hci_free_dev(hdev);
free_data:
	kfree(data);
	return err;
}
/*
 * SDIO remove callback: detach the driver state from the function, then
 * unregister and release the HCI device. Does nothing if no driver data
 * is attached.
 *
 * NOTE(review): nothing in this file cancels or waits for data->work
 * before the HCI device is torn down, and btsdio_destruct() frees data.
 * A work item queued by btsdio_send_frame() that is still pending or
 * running would then touch freed memory in btsdio_work(). Confirm the
 * HCI core guarantees the work has finished; otherwise the teardown
 * needs to stop new submissions and synchronise with the worker while
 * data is still valid.
 */
static void btsdio_remove(struct sdio_func *func)
{
	struct btsdio_data *data = sdio_get_drvdata(func);
	struct hci_dev *hdev;

	BT_DBG("func %p", func);

	if (data) {
		hdev = data->hdev;

		sdio_set_drvdata(func, NULL);

		hci_unregister_dev(hdev);

		hci_free_dev(hdev);
	}
}
/* Driver descriptor handed to the SDIO core by btsdio_init() */
static struct sdio_driver btsdio_driver = {
	.name		= "btsdio",
	.id_table	= btsdio_table,
	.probe		= btsdio_probe,
	.remove		= btsdio_remove,
};
/*
 * Module entry point: log the driver version and register with the
 * SDIO core. Returns the result of sdio_register_driver().
 */
static int __init btsdio_init(void)
{
	int ret;

	BT_INFO("Generic Bluetooth SDIO driver ver %s", VERSION);

	ret = sdio_register_driver(&btsdio_driver);

	return ret;
}
/* Module exit point: unregister the driver from the SDIO core */
static void __exit btsdio_exit(void)
{
	sdio_unregister_driver(&btsdio_driver);
}
/* Load/unload hooks */
module_init(btsdio_init);
module_exit(btsdio_exit);

/* Module metadata */
MODULE_AUTHOR("Marcel Holtmann <marcel@holtmann.org>");
MODULE_DESCRIPTION("Generic Bluetooth SDIO driver ver " VERSION);
MODULE_VERSION(VERSION);
MODULE_LICENSE("GPL");