Avoid reading past buffer when calling GETACL
[zen-stable.git] / drivers / net / wimax / i2400m / sdio-fw.c
blob8e025418f5be16496687ede3588810334fbf1e1e
1 /*
2 * Intel Wireless WiMAX Connection 2400m
3 * Firmware uploader's SDIO specifics
6 * Copyright (C) 2007-2008 Intel Corporation. All rights reserved.
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
12 * * Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 * * Redistributions in binary form must reproduce the above copyright
15 * notice, this list of conditions and the following disclaimer in
16 * the documentation and/or other materials provided with the
17 * distribution.
18 * * Neither the name of Intel Corporation nor the names of its
19 * contributors may be used to endorse or promote products derived
20 * from this software without specific prior written permission.
22 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
23 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
24 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
25 * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
26 * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
27 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
28 * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
29 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
30 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
31 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
32 * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
35 * Intel Corporation <linux-wimax@intel.com>
36 * Yanir Lubetkin <yanirx.lubetkin@intel.com>
37 * Inaky Perez-Gonzalez <inaky.perez-gonzalez@intel.com>
38 * - Initial implementation
40 * Inaky Perez-Gonzalez <inaky.perez-gonzalez@intel.com>
41 * - Bus generic/specific split for USB
43 * Dirk Brandewie <dirk.j.brandewie@intel.com>
44 * - Initial implementation for SDIO
46 * Inaky Perez-Gonzalez <inaky.perez-gonzalez@intel.com>
47 * - SDIO rehash for changes in the bus-driver model
49 * Dirk Brandewie <dirk.j.brandewie@intel.com>
50 * - Make it IRQ based, not polling
52 * THE PROCEDURE
54 * See fw.c for the generic description of this procedure.
56 * This file implements only the SDIO specifics. It boils down to how
57 * to send a command and waiting for an acknowledgement from the
58 * device.
60 * All this code is sequential -- all i2400ms_bus_bm_*() functions are
61 * executed in the same thread, except i2400ms_bm_irq() [on its own by
62 * the SDIO driver]. This makes it possible to avoid locking.
64 * COMMAND EXECUTION
66 * The generic firmware upload code will call i2400m_bus_bm_cmd_send()
67 * to send commands.
69 * The SDIO devices expects things in 256 byte blocks, so it will pad
70 * it, compute the checksum (if needed) and pass it to SDIO.
72 * ACK RECEPTION
74 * This works in IRQ mode -- the fw loader says when to wait for data
75 * and for that it calls i2400ms_bus_bm_wait_for_ack().
77 * This checks if there is any data available (RX size > 0); if not,
78 * waits for the IRQ handler to notify about it. Once there is data,
79 * it is read and passed to the caller. Doing it this way we don't
80 * need much coordination/locking, and it makes it much more difficult
81 * for an interrupt to be lost and the wait_for_ack() function getting
82 * stuck even when data is pending.
84 #include <linux/mmc/sdio_func.h>
85 #include "i2400m-sdio.h"
88 #define D_SUBMODULE fw
89 #include "sdio-debug-levels.h"
93 * Send a boot-mode command to the SDIO function
95 * We use a bounce buffer (i2400m->bm_cmd_buf) because we need to
96 * touch the header if the RAW flag is not set.
98 * @flags: pass thru from i2400m_bm_cmd()
99 * @return: cmd_size if ok, < 0 errno code on error.
101 * Note the command is padded to the SDIO block size for the device.
103 ssize_t i2400ms_bus_bm_cmd_send(struct i2400m *i2400m,
104 const struct i2400m_bootrom_header *_cmd,
105 size_t cmd_size, int flags)
107 ssize_t result;
108 struct device *dev = i2400m_dev(i2400m);
109 struct i2400ms *i2400ms = container_of(i2400m, struct i2400ms, i2400m);
110 int opcode = _cmd == NULL ? -1 : i2400m_brh_get_opcode(_cmd);
111 struct i2400m_bootrom_header *cmd;
112 /* SDIO restriction */
113 size_t cmd_size_a = ALIGN(cmd_size, I2400MS_BLK_SIZE);
115 d_fnstart(5, dev, "(i2400m %p cmd %p size %zu)\n",
116 i2400m, _cmd, cmd_size);
117 result = -E2BIG;
118 if (cmd_size > I2400M_BM_CMD_BUF_SIZE)
119 goto error_too_big;
121 if (_cmd != i2400m->bm_cmd_buf)
122 memmove(i2400m->bm_cmd_buf, _cmd, cmd_size);
123 cmd = i2400m->bm_cmd_buf;
124 if (cmd_size_a > cmd_size) /* Zero pad space */
125 memset(i2400m->bm_cmd_buf + cmd_size, 0, cmd_size_a - cmd_size);
126 if ((flags & I2400M_BM_CMD_RAW) == 0) {
127 if (WARN_ON(i2400m_brh_get_response_required(cmd) == 0))
128 dev_warn(dev, "SW BUG: response_required == 0\n");
129 i2400m_bm_cmd_prepare(cmd);
131 d_printf(4, dev, "BM cmd %d: %zu bytes (%zu padded)\n",
132 opcode, cmd_size, cmd_size_a);
133 d_dump(5, dev, cmd, cmd_size);
135 sdio_claim_host(i2400ms->func); /* Send & check */
136 result = sdio_memcpy_toio(i2400ms->func, I2400MS_DATA_ADDR,
137 i2400m->bm_cmd_buf, cmd_size_a);
138 sdio_release_host(i2400ms->func);
139 if (result < 0) {
140 dev_err(dev, "BM cmd %d: cannot send: %ld\n",
141 opcode, (long) result);
142 goto error_cmd_send;
144 result = cmd_size;
145 error_cmd_send:
146 error_too_big:
147 d_fnend(5, dev, "(i2400m %p cmd %p size %zu) = %d\n",
148 i2400m, _cmd, cmd_size, (int) result);
149 return result;
154 * Read an ack from the device's boot-mode
156 * @i2400m:
157 * @_ack: pointer to where to store the read data
158 * @ack_size: how many bytes we should read
160 * Returns: < 0 errno code on error; otherwise, amount of received bytes.
162 * The ACK for a BM command is always at least sizeof(*ack) bytes, so
163 * check for that. We don't need to check for device reboots
166 ssize_t i2400ms_bus_bm_wait_for_ack(struct i2400m *i2400m,
167 struct i2400m_bootrom_header *ack,
168 size_t ack_size)
170 ssize_t result;
171 struct i2400ms *i2400ms = container_of(i2400m, struct i2400ms, i2400m);
172 struct sdio_func *func = i2400ms->func;
173 struct device *dev = &func->dev;
174 int size;
176 BUG_ON(sizeof(*ack) > ack_size);
178 d_fnstart(5, dev, "(i2400m %p ack %p size %zu)\n",
179 i2400m, ack, ack_size);
181 result = wait_event_timeout(i2400ms->bm_wfa_wq,
182 i2400ms->bm_ack_size != -EINPROGRESS,
183 2 * HZ);
184 if (result == 0) {
185 result = -ETIMEDOUT;
186 dev_err(dev, "BM: error waiting for an ack\n");
187 goto error_timeout;
190 spin_lock(&i2400m->rx_lock);
191 result = i2400ms->bm_ack_size;
192 BUG_ON(result == -EINPROGRESS);
193 if (result < 0) /* so we exit when rx_release() is called */
194 dev_err(dev, "BM: %s failed: %zd\n", __func__, result);
195 else {
196 size = min(ack_size, i2400ms->bm_ack_size);
197 memcpy(ack, i2400m->bm_ack_buf, size);
200 * Remember always to clear the bm_ack_size to -EINPROGRESS
201 * after the RX data is processed
203 i2400ms->bm_ack_size = -EINPROGRESS;
204 spin_unlock(&i2400m->rx_lock);
206 error_timeout:
207 d_fnend(5, dev, "(i2400m %p ack %p size %zu) = %zd\n",
208 i2400m, ack, ack_size, result);
209 return result;