/*
 * linux/drivers/mmc/core/sdio_cis.c
 *
 * Author:	Nicolas Pitre
 * Created:	June 11, 2007
 * Copyright:	MontaVista Software Inc.
 *
 * Copyright 2007 Pierre Ossman
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
 * the Free Software Foundation; either version 2 of the License, or (at
 * your option) any later version.
 */
16 #include <linux/kernel.h>
17 #include <linux/slab.h>
19 #include <linux/mmc/host.h>
20 #include <linux/mmc/card.h>
21 #include <linux/mmc/sdio.h>
22 #include <linux/mmc/sdio_func.h>
24 #include "sdio_cis.h"
25 #include "sdio_ops.h"
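/*
 * Parse a CISTPL_VERS_1 tuple: gather the NUL-terminated strings of the
 * TPLLV1_INFO field into one allocation (pointer array followed by the
 * string bytes) and attach it to the function when func is non-NULL,
 * otherwise to the card.
 *
 * buf/size describe the tuple body as read from the card, so every byte
 * is device-controlled.
 *
 * Returns 0 on success (including "no complete string found"), -EINVAL
 * if the tuple cannot hold the two leading bytes, -ENOMEM on allocation
 * failure.
 */
static int cistpl_vers_1(struct mmc_card *card, struct sdio_func *func,
			 const unsigned char *buf, unsigned size)
{
	unsigned i, nr_strings;
	char **buffer, *string;

	/*
	 * size is unsigned: for a tuple shorter than two bytes the
	 * "size -= 2" below would wrap to a huge value and the scan would
	 * run past the end of buf. The cis_tpl_list entry for this tuple
	 * already demands 3 bytes; this keeps the parser safe on its own.
	 */
	if (size < 2)
		return -EINVAL;

	/* Find all null-terminated (including zero length) strings in
	   the TPLLV1_INFO field. Trailing garbage is ignored. */
	buf += 2;
	size -= 2;

	nr_strings = 0;
	for (i = 0; i < size; i++) {
		if (buf[i] == 0xff)
			break;
		if (buf[i] == 0)
			nr_strings++;
	}
	if (nr_strings == 0)
		return 0;

	/* Only the bytes in front of the 0xff marker (or the end) count. */
	size = i;

	buffer = kzalloc(sizeof(char*) * nr_strings + size, GFP_KERNEL);
	if (!buffer)
		return -ENOMEM;

	/* The string storage starts right behind the pointer array. */
	string = (char*)(buffer + nr_strings);

	/*
	 * Exactly nr_strings terminators were counted inside buf[0..size),
	 * so each strlen() below stops within the scanned range and the
	 * copied bytes add up to at most size.
	 */
	for (i = 0; i < nr_strings; i++) {
		size_t len = strlen((const char *)buf) + 1;

		buffer[i] = string;
		memcpy(string, buf, len);
		string += len;
		buf += len;
	}

	if (func) {
		func->num_info = nr_strings;
		func->info = (const char**)buffer;
	} else {
		card->num_info = nr_strings;
		card->info = (const char**)buffer;
	}

	return 0;
}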
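/*
 * Parse a CISTPL_MANFID tuple: two little-endian 16-bit values, the
 * manufacturer code (TPLMID_MANF) and the card code (TPLMID_CARD).
 * They are stored on the function when func is non-NULL, otherwise in
 * card->cis.
 *
 * The function reads buf[0..3] without looking at size; it relies on
 * the min_size of 4 in the cis_tpl_list entry, which cis_tpl_parse()
 * checks before calling in.
 *
 * Always returns 0.
 */
static int cistpl_manfid(struct mmc_card *card, struct sdio_func *func,
			 const unsigned char *buf, unsigned size)
{
	unsigned int vendor, device;

	/* TPLMID_MANF */
	vendor = buf[0] | (buf[1] << 8);

	/* TPLMID_CARD */
	device = buf[2] | (buf[3] << 8);

	if (func) {
		func->vendor = vendor;
		func->device = device;
	} else {
		card->cis.vendor = vendor;
		card->cis.device = device;
	}

	return 0;
}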
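/*
 * Lookup tables used by cistpl_funce_common() to turn the
 * TPLFE_MAX_TRAN_SPEED byte into card->cis.max_dtr: bits 6:3 select an
 * entry of speed_val, bits 2:0 an entry of speed_unit, and the two are
 * multiplied. The indices are masked to 15 and 7 at the use site, so any
 * byte value supplied by the card stays inside both tables.
 *
 * speed_val[0] and speed_unit[4..7] are 0 and therefore yield a max_dtr
 * of 0 (presumably reserved encodings; confirm against the spec).
 */
static const unsigned char speed_val[16] =
	{ 0, 10, 12, 13, 15, 20, 25, 30, 35, 40, 45, 50, 55, 60, 70, 80 };
static const unsigned int speed_unit[8] =
	{ 10000, 100000, 1000000, 10000000, 0, 0, 0, 0 };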
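/*
 * Signature shared by all tuple parsers: card, function (NULL for the
 * common CIS), tuple body and its length in bytes.
 */
typedef int (tpl_parse_t)(struct mmc_card *, struct sdio_func *,
			   const unsigned char *, unsigned);

/*
 * One row of a tuple dispatch table.
 *
 * code      tuple code matched by cis_tpl_parse()
 * min_size  smallest body length accepted before parse is called;
 *           shorter tuples are rejected with -EINVAL
 * parse     parser to call, or NULL for a known tuple that the core
 *           does not parse (cis_tpl_parse() then returns -EILSEQ)
 */
struct cis_tpl {
	unsigned char code;
	unsigned char min_size;
	tpl_parse_t *parse;
};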
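/*
 * Look up code in the table tpl[0..tpl_count) and hand the tuple body to
 * the matching parser.
 *
 * The min_size check done here is the only length validation several
 * parsers have, so a table entry's min_size must cover every buf[] index
 * its parser reads.
 *
 * Returns:
 *   the parser's result  when the entry has a parser and size is ok
 *   -EILSEQ              known tuple without a parser
 *   -EINVAL              tuple shorter than the entry's min_size
 *   -ENOENT              code not present in the table
 * Any non-zero result other than -EILSEQ/-ENOENT is logged with the host
 * name, tpl_descr, the tuple code and its size.
 */
static int cis_tpl_parse(struct mmc_card *card, struct sdio_func *func,
			 const char *tpl_descr,
			 const struct cis_tpl *tpl, int tpl_count,
			 unsigned char code,
			 const unsigned char *buf, unsigned size)
{
	int i, ret;

	/* look for a matching code in the table */
	for (i = 0; i < tpl_count; i++, tpl++) {
		if (tpl->code == code)
			break;
	}

	/* unknown tuple */
	if (i >= tpl_count)
		return -ENOENT;

	if (size < tpl->min_size)
		ret = -EINVAL;	/* invalid tuple */
	else if (tpl->parse)
		ret = tpl->parse(card, func, buf, size);
	else
		ret = -EILSEQ;	/* known tuple, not parsed */

	if (ret && ret != -EILSEQ && ret != -ENOENT) {
		pr_err("%s: bad %s tuple 0x%02x (%u bytes)\n",
		       mmc_hostname(card->host), tpl_descr, code, size);
	}

	return ret;
}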
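/*
 * Parse the CISTPL_FUNCE tuple of the common CIS (function 0): the
 * function 0 block size and the maximum transfer speed.
 *
 * Reads buf[1..3] without looking at size; it relies on the min_size of
 * 4 in the cis_tpl_funce_list entry, which cis_tpl_parse() checks first.
 *
 * Returns 0, or -EINVAL when called for an individual function.
 */
static int cistpl_funce_common(struct mmc_card *card, struct sdio_func *func,
			       const unsigned char *buf, unsigned size)
{
	/* Only valid for the common CIS (function 0) */
	if (func)
		return -EINVAL;

	/* TPLFE_FN0_BLK_SIZE */
	card->cis.blksize = buf[1] | (buf[2] << 8);

	/*
	 * TPLFE_MAX_TRAN_SPEED: the masks keep both table indices in range
	 * for any byte value the card reports.
	 */
	card->cis.max_dtr = speed_val[(buf[3] >> 3) & 15] *
			    speed_unit[buf[3] & 7];

	return 0;
}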
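/*
 * Parse the CISTPL_FUNCE tuple of an individual function (1-7): the
 * maximum block size and, for spec versions above 1.00, the enable
 * timeout.
 *
 * The table entry for this tuple has min_size 0, so the length check in
 * here is the one that protects the buf[] reads below.
 *
 * Returns 0, or -EINVAL when called for the common CIS or when the tuple
 * is shorter than the version-dependent minimum.
 */
static int cistpl_funce_func(struct mmc_card *card, struct sdio_func *func,
			     const unsigned char *buf, unsigned size)
{
	unsigned vsn;
	unsigned min_size;

	/* Only valid for the individual function's CIS (1-7) */
	if (!func)
		return -EINVAL;

	/*
	 * This tuple has a different length depending on the SDIO spec
	 * version.
	 */
	vsn = func->card->cccr.sdio_vsn;
	min_size = (vsn == SDIO_SDIO_REV_1_00) ? 28 : 42;

	if (size < min_size)
		return -EINVAL;

	/* TPLFE_MAX_BLK_SIZE */
	func->max_blksize = buf[12] | (buf[13] << 8);

	/*
	 * TPLFE_ENABLE_TIMEOUT_VAL, present in ver 1.1 and above.
	 * buf[28..29] is covered by the 42-byte minimum taken for every
	 * version other than 1.00.
	 */
	if (vsn > SDIO_SDIO_REV_1_00)
		func->enable_timeout = (buf[28] | (buf[29] << 8)) * 10;
	else
		func->enable_timeout = jiffies_to_msecs(HZ);

	return 0;
}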
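/*
 * Known TPLFE_TYPEs table for CISTPL_FUNCE tuples.
 *
 * Note that, unlike PCMCIA, CISTPL_FUNCE tuples are not parsed depending
 * on the TPLFID_FUNCTION value of the previous CISTPL_FUNCID as on SDIO
 * TPLFID_FUNCTION is always hardcoded to 0x0C.
 *
 * min_size must cover every byte the parser reads unconditionally:
 * cistpl_funce_common() reads up to buf[3]; cistpl_funce_func() checks
 * the length itself, hence 0 here. The 0x04 entry has no parser, so that
 * tuple is reported as known but not parsed (-EILSEQ).
 */
static const struct cis_tpl cis_tpl_funce_list[] = {
	{	0x00,	4,	cistpl_funce_common		},
	{	0x01,	0,	cistpl_funce_func		},
	{	0x04,	1+1+6,	/* CISTPL_FUNCE_LAN_NODE_ID */	},
};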
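/*
 * Parse a CISTPL_FUNCE tuple by dispatching on its first byte
 * (TPLFE_TYPE) through cis_tpl_funce_list. The whole body, type byte
 * included, is passed on to the sub-parser.
 *
 * Returns -EINVAL for an empty tuple, otherwise the result of
 * cis_tpl_parse().
 */
static int cistpl_funce(struct mmc_card *card, struct sdio_func *func,
			const unsigned char *buf, unsigned size)
{
	/* buf[0] is read below, so at least one byte must be present. */
	if (size < 1)
		return -EINVAL;

	return cis_tpl_parse(card, func, "CISTPL_FUNCE",
			     cis_tpl_funce_list,
			     ARRAY_SIZE(cis_tpl_funce_list),
			     buf[0], buf, size);
}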
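/*
 * Known TPL_CODEs table for CIS tuples.
 *
 * min_size is the only length check cistpl_vers_1() and cistpl_manfid()
 * get before they index into the tuple body, so it has to stay in step
 * with what those parsers read. cistpl_funce() validates the length
 * itself. The 0x21 entry has no parser and is reported as known but not
 * parsed (-EILSEQ).
 */
static const struct cis_tpl cis_tpl_list[] = {
	{	0x15,	3,	cistpl_vers_1		},
	{	0x20,	4,	cistpl_manfid		},
	{	0x21,	2,	/* cistpl_funcid */	},
	{	0x22,	0,	cistpl_funce		},
};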
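/*
 * Read the CIS of the card (func == NULL) or of one function and process
 * every tuple in it.
 *
 * Tuples the core parses successfully are dropped; tuples that are
 * unknown or known-but-unparsed are queued on func->tuples or
 * card->tuples for the function driver. For a function, the common CIS
 * queue is chained behind the function's own queue at the end.
 *
 * The CIS pointer, every tuple code, link (length) byte and body byte
 * come from the card. The walk ends on a 0xff code, a 0xff link, an I/O
 * error, a parse error other than -EILSEQ/-ENOENT, or an allocation
 * failure; there is no separate cap on the number of tuples in here.
 *
 * Returns 0 on success or a negative errno. On error, tuples queued
 * before the failure stay on the list.
 */
static int sdio_read_cis(struct mmc_card *card, struct sdio_func *func)
{
	int ret;
	struct sdio_func_tuple *this, **prev;
	unsigned i, ptr = 0;

	/*
	 * Note that this works for the common CIS (function number 0) as
	 * well as a function's CIS, since SDIO_CCCR_CIS and SDIO_FBR_CIS
	 * have the same offset.
	 */
	for (i = 0; i < 3; i++) {
		unsigned char x, fn;

		if (func)
			fn = func->num;
		else
			fn = 0;

		ret = mmc_io_rw_direct(card, 0, 0,
			SDIO_FBR_BASE(fn) + SDIO_FBR_CIS + i, 0, &x);
		if (ret)
			return ret;
		/* three bytes, least significant first */
		ptr |= x << (i * 8);
	}

	if (func)
		prev = &func->tuples;
	else
		prev = &card->tuples;

	/* The target queue has to be empty on entry. */
	BUG_ON(*prev);

	do {
		unsigned char tpl_code, tpl_link;

		ret = mmc_io_rw_direct(card, 0, 0, ptr++, 0, &tpl_code);
		if (ret)
			break;

		/* 0xff means we're done */
		if (tpl_code == 0xff)
			break;

		/* null entries have no link field or data */
		if (tpl_code == 0x00)
			continue;

		ret = mmc_io_rw_direct(card, 0, 0, ptr++, 0, &tpl_link);
		if (ret)
			break;

		/* a size of 0xff also means we're done */
		if (tpl_link == 0xff)
			break;

		/*
		 * tpl_link is a single byte and 0xff was handled above, so
		 * the body is at most 254 bytes and the size sum is bounded.
		 */
		this = kmalloc(sizeof(*this) + tpl_link, GFP_KERNEL);
		if (!this)
			return -ENOMEM;

		for (i = 0; i < tpl_link; i++) {
			ret = mmc_io_rw_direct(card, 0, 0,
					       ptr + i, 0, &this->data[i]);
			if (ret)
				break;
		}
		if (ret) {
			kfree(this);
			break;
		}

		/* Try to parse the CIS tuple */
		ret = cis_tpl_parse(card, func, "CIS",
				    cis_tpl_list, ARRAY_SIZE(cis_tpl_list),
				    tpl_code, this->data, tpl_link);
		if (ret == -EILSEQ || ret == -ENOENT) {
			/*
			 * The tuple is unknown or known but not parsed.
			 * Queue the tuple for the function driver.
			 */
			this->next = NULL;
			this->code = tpl_code;
			this->size = tpl_link;
			*prev = this;
			prev = &this->next;

			if (ret == -ENOENT) {
				/* warn about unknown tuples */
				pr_warning("%s: queuing unknown"
				       " CIS tuple 0x%02x (%u bytes)\n",
				       mmc_hostname(card->host),
				       tpl_code, tpl_link);
			}

			/* keep on analyzing tuples */
			ret = 0;
		} else {
			/*
			 * We don't need the tuple anymore if it was
			 * successfully parsed by the SDIO core or if it is
			 * not going to be queued for a driver.
			 */
			kfree(this);
		}

		ptr += tpl_link;
	} while (!ret);

	/*
	 * Link in all unknown tuples found in the common CIS so that
	 * drivers don't have to go digging in two places.
	 */
	if (func)
		*prev = card->tuples;

	return ret;
}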
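/*
 * Read and process the common CIS (function 0) of the card.
 * Returns the result of sdio_read_cis().
 */
int sdio_read_common_cis(struct mmc_card *card)
{
	return sdio_read_cis(card, NULL);
}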
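/*
 * Free every tuple queued on card->tuples and reset the list head.
 *
 * sdio_read_cis() chains a function's tuple list onto this same list, so
 * a function's list must not be walked into it after this call.
 */
void sdio_free_common_cis(struct mmc_card *card)
{
	struct sdio_func_tuple *tuple, *victim;

	tuple = card->tuples;

	while (tuple) {
		/* fetch the successor before the node goes away */
		victim = tuple;
		tuple = tuple->next;
		kfree(victim);
	}

	card->tuples = NULL;
}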
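/*
 * Read and process the CIS of one function, take a reference on the card
 * device and inherit the card's vendor/device id when the function's CIS
 * did not supply one.
 *
 * Returns 0 on success or the error from sdio_read_cis().
 *
 * NOTE(review): when sdio_read_cis() fails, tuples queued before the
 * failure may remain on func->tuples and no card reference has been
 * taken, while sdio_free_func_cis() drops a reference unconditionally.
 * Confirm that the callers' error paths account for this.
 */
int sdio_read_func_cis(struct sdio_func *func)
{
	int ret;

	ret = sdio_read_cis(func->card, func);
	if (ret)
		return ret;

	/*
	 * Since we've linked to tuples in the card structure,
	 * we must make sure we have a reference to it.
	 */
	get_device(&func->card->dev);

	/*
	 * Vendor/device id is optional for function CIS, so
	 * copy it from the card structure as needed.
	 */
	if (func->vendor == 0) {
		func->vendor = func->card->cis.vendor;
		func->device = func->card->cis.device;
	}

	return 0;
}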
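/*
 * Free the tuples that belong to this function and drop the card
 * reference taken by sdio_read_func_cis().
 *
 * The function's list is chained onto card->tuples, so the walk stops at
 * the first node owned by the card; those nodes are released by
 * sdio_free_common_cis(). func->card->tuples is read on every iteration,
 * which means the card's list has to be intact while this runs.
 */
void sdio_free_func_cis(struct sdio_func *func)
{
	struct sdio_func_tuple *tuple, *victim;

	tuple = func->tuples;

	while (tuple && tuple != func->card->tuples) {
		/* fetch the successor before the node goes away */
		victim = tuple;
		tuple = tuple->next;
		kfree(victim);
	}

	func->tuples = NULL;

	/*
	 * We have now removed the link to the tuples in the
	 * card structure, so remove the reference.
	 */
	put_device(&func->card->dev);
}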