Avoid beyond bounds copy while caching ACL
[zen-stable.git] / drivers / net / irda / kingsun-sir.c
blob79aebeee928c36a31e851dd354ff11bfd879d04a
1 /*****************************************************************************
3 * Filename: kingsun-sir.c
4 * Version: 0.1.1
5 * Description: Irda KingSun/DonShine USB Dongle
6 * Status: Experimental
7 * Author: Alex Villacís Lasso <a_villacis@palosanto.com>
9 * Based on stir4200 and mcs7780 drivers, with (strange?) differences
11 * This program is free software; you can redistribute it and/or modify
12 * it under the terms of the GNU General Public License as published by
13 * the Free Software Foundation; either version 2 of the License.
15 * This program is distributed in the hope that it will be useful,
16 * but WITHOUT ANY WARRANTY; without even the implied warranty of
17 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 * GNU General Public License for more details.
20 * You should have received a copy of the GNU General Public License
21 * along with this program; if not, write to the Free Software
22 * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
24 *****************************************************************************/
27 * This is my current (2007-04-25) understanding of how this dongle is supposed
28 * to work. This is based on reverse-engineering and examination of the packet
29 * data sent and received by the WinXP driver using USBSnoopy. Feel free to
30 * update here as more of this dongle is known:
32 * General: Unlike the other USB IrDA dongles, this particular dongle exposes,
33 * not two bulk (in and out) endpoints, but two *interrupt* ones. This dongle,
34 * like the bulk based ones (stir4200.c and mcs7780.c), requires polling in
35 * order to receive data.
36 * Transmission: Just like stir4200, this dongle uses a raw stream of data,
37 * which needs to be wrapped and escaped in a similar way as in stir4200.c.
38 * Reception: Poll-based, as in stir4200. Each read returns the contents of a
39 * 8-byte buffer, of which the first byte (LSB) indicates the number of bytes
40 * (1-7) of valid data contained within the remaining 7 bytes. For example, if
41 * the buffer had the following contents:
42 * 06 ff ff ff c0 01 04 aa
43 * This means that (06) there are 6 bytes of valid data. The byte 0xaa at the
44 * end is garbage (left over from a previous reception) and is discarded.
45 * If a read returns an "impossible" value as the length of valid data (such as
46 * 0x36) in the first byte, then the buffer is uninitialized (as is the case of
47 * first plug-in) and its contents should be discarded. There is currently no
48 * evidence that the top 5 bits of the 1st byte of the buffer can have values
49 * other than 0 once reception begins.
50 * Once valid bytes are collected, the assembled stream is a sequence of
51 * wrapped IrDA frames that is unwrapped and unescaped as in stir4200.c.
52 * BIG FAT WARNING: the dongle does *not* reset the RX buffer in any way after
53 * a successful read from the host, which means that in absence of further
54 * reception, repeated reads from the dongle will return the exact same
55 * contents repeatedly. Attempts to be smart and cache a previous read seem
56 * to result in corrupted packets, so this driver depends on the unwrap logic
57 * to sort out any repeated reads.
58 * Speed change: no commands observed so far to change speed, assumed fixed
59 * 9600bps (SIR).
62 #include <linux/module.h>
63 #include <linux/moduleparam.h>
64 #include <linux/kernel.h>
65 #include <linux/types.h>
66 #include <linux/errno.h>
67 #include <linux/init.h>
68 #include <linux/slab.h>
69 #include <linux/usb.h>
70 #include <linux/device.h>
71 #include <linux/crc32.h>
73 #include <asm/unaligned.h>
74 #include <asm/byteorder.h>
75 #include <asm/uaccess.h>
77 #include <net/irda/irda.h>
78 #include <net/irda/wrapper.h>
79 #include <net/irda/crc.h>
82 * According to lsusb, 0x07c0 is assigned to
83 * "Code Mercenaries Hard- und Software GmbH"
85 #define KING_VENDOR_ID 0x07c0
86 #define KING_PRODUCT_ID 0x4200
88 /* These are the currently known USB ids */
89 static struct usb_device_id dongles[] = {
90 /* KingSun Co,Ltd IrDA/USB Bridge */
91 { USB_DEVICE(KING_VENDOR_ID, KING_PRODUCT_ID) },
92 { }
95 MODULE_DEVICE_TABLE(usb, dongles);
97 #define KINGSUN_MTT 0x07
99 #define KINGSUN_FIFO_SIZE 4096
100 #define KINGSUN_EP_IN 0
101 #define KINGSUN_EP_OUT 1
103 struct kingsun_cb {
104 struct usb_device *usbdev; /* init: probe_irda */
105 struct net_device *netdev; /* network layer */
106 struct irlap_cb *irlap; /* The link layer we are binded to */
108 struct qos_info qos;
110 __u8 *in_buf; /* receive buffer */
111 __u8 *out_buf; /* transmit buffer */
112 __u8 max_rx; /* max. atomic read from dongle
113 (usually 8), also size of in_buf */
114 __u8 max_tx; /* max. atomic write to dongle
115 (usually 8) */
117 iobuff_t rx_buff; /* receive unwrap state machine */
118 struct timeval rx_time;
119 spinlock_t lock;
120 int receiving;
122 __u8 ep_in;
123 __u8 ep_out;
125 struct urb *tx_urb;
126 struct urb *rx_urb;
129 /* Callback transmission routine */
130 static void kingsun_send_irq(struct urb *urb)
132 struct kingsun_cb *kingsun = urb->context;
133 struct net_device *netdev = kingsun->netdev;
135 /* in process of stopping, just drop data */
136 if (!netif_running(kingsun->netdev)) {
137 err("kingsun_send_irq: Network not running!");
138 return;
141 /* unlink, shutdown, unplug, other nasties */
142 if (urb->status != 0) {
143 err("kingsun_send_irq: urb asynchronously failed - %d",
144 urb->status);
146 netif_wake_queue(netdev);
150 * Called from net/core when new frame is available.
152 static netdev_tx_t kingsun_hard_xmit(struct sk_buff *skb,
153 struct net_device *netdev)
155 struct kingsun_cb *kingsun;
156 int wraplen;
157 int ret = 0;
159 netif_stop_queue(netdev);
161 /* the IRDA wrapping routines don't deal with non linear skb */
162 SKB_LINEAR_ASSERT(skb);
164 kingsun = netdev_priv(netdev);
166 spin_lock(&kingsun->lock);
168 /* Append data to the end of whatever data remains to be transmitted */
169 wraplen = async_wrap_skb(skb,
170 kingsun->out_buf,
171 KINGSUN_FIFO_SIZE);
173 /* Calculate how much data can be transmitted in this urb */
174 usb_fill_int_urb(kingsun->tx_urb, kingsun->usbdev,
175 usb_sndintpipe(kingsun->usbdev, kingsun->ep_out),
176 kingsun->out_buf, wraplen, kingsun_send_irq,
177 kingsun, 1);
179 if ((ret = usb_submit_urb(kingsun->tx_urb, GFP_ATOMIC))) {
180 err("kingsun_hard_xmit: failed tx_urb submit: %d", ret);
181 switch (ret) {
182 case -ENODEV:
183 case -EPIPE:
184 break;
185 default:
186 netdev->stats.tx_errors++;
187 netif_start_queue(netdev);
189 } else {
190 netdev->stats.tx_packets++;
191 netdev->stats.tx_bytes += skb->len;
194 dev_kfree_skb(skb);
195 spin_unlock(&kingsun->lock);
197 return NETDEV_TX_OK;
200 /* Receive callback function */
201 static void kingsun_rcv_irq(struct urb *urb)
203 struct kingsun_cb *kingsun = urb->context;
204 int ret;
206 /* in process of stopping, just drop data */
207 if (!netif_running(kingsun->netdev)) {
208 kingsun->receiving = 0;
209 return;
212 /* unlink, shutdown, unplug, other nasties */
213 if (urb->status != 0) {
214 err("kingsun_rcv_irq: urb asynchronously failed - %d",
215 urb->status);
216 kingsun->receiving = 0;
217 return;
220 if (urb->actual_length == kingsun->max_rx) {
221 __u8 *bytes = urb->transfer_buffer;
222 int i;
224 /* The very first byte in the buffer indicates the length of
225 valid data in the read. This byte must be in the range
226 1..kingsun->max_rx -1 . Values outside this range indicate
227 an uninitialized Rx buffer when the dongle has just been
228 plugged in. */
229 if (bytes[0] >= 1 && bytes[0] < kingsun->max_rx) {
230 for (i = 1; i <= bytes[0]; i++) {
231 async_unwrap_char(kingsun->netdev,
232 &kingsun->netdev->stats,
233 &kingsun->rx_buff, bytes[i]);
235 do_gettimeofday(&kingsun->rx_time);
236 kingsun->receiving =
237 (kingsun->rx_buff.state != OUTSIDE_FRAME)
238 ? 1 : 0;
240 } else if (urb->actual_length > 0) {
241 err("%s(): Unexpected response length, expected %d got %d",
242 __func__, kingsun->max_rx, urb->actual_length);
244 /* This urb has already been filled in kingsun_net_open */
245 ret = usb_submit_urb(urb, GFP_ATOMIC);
249 * Function kingsun_net_open (dev)
251 * Network device is taken up. Usually this is done by "ifconfig irda0 up"
253 static int kingsun_net_open(struct net_device *netdev)
255 struct kingsun_cb *kingsun = netdev_priv(netdev);
256 int err = -ENOMEM;
257 char hwname[16];
259 /* At this point, urbs are NULL, and skb is NULL (see kingsun_probe) */
260 kingsun->receiving = 0;
262 /* Initialize for SIR to copy data directly into skb. */
263 kingsun->rx_buff.in_frame = FALSE;
264 kingsun->rx_buff.state = OUTSIDE_FRAME;
265 kingsun->rx_buff.truesize = IRDA_SKB_MAX_MTU;
266 kingsun->rx_buff.skb = dev_alloc_skb(IRDA_SKB_MAX_MTU);
267 if (!kingsun->rx_buff.skb)
268 goto free_mem;
270 skb_reserve(kingsun->rx_buff.skb, 1);
271 kingsun->rx_buff.head = kingsun->rx_buff.skb->data;
272 do_gettimeofday(&kingsun->rx_time);
274 kingsun->rx_urb = usb_alloc_urb(0, GFP_KERNEL);
275 if (!kingsun->rx_urb)
276 goto free_mem;
278 kingsun->tx_urb = usb_alloc_urb(0, GFP_KERNEL);
279 if (!kingsun->tx_urb)
280 goto free_mem;
283 * Now that everything should be initialized properly,
284 * Open new IrLAP layer instance to take care of us...
286 sprintf(hwname, "usb#%d", kingsun->usbdev->devnum);
287 kingsun->irlap = irlap_open(netdev, &kingsun->qos, hwname);
288 if (!kingsun->irlap) {
289 err("kingsun-sir: irlap_open failed");
290 goto free_mem;
293 /* Start first reception */
294 usb_fill_int_urb(kingsun->rx_urb, kingsun->usbdev,
295 usb_rcvintpipe(kingsun->usbdev, kingsun->ep_in),
296 kingsun->in_buf, kingsun->max_rx,
297 kingsun_rcv_irq, kingsun, 1);
298 kingsun->rx_urb->status = 0;
299 err = usb_submit_urb(kingsun->rx_urb, GFP_KERNEL);
300 if (err) {
301 err("kingsun-sir: first urb-submit failed: %d", err);
302 goto close_irlap;
305 netif_start_queue(netdev);
307 /* Situation at this point:
308 - all work buffers allocated
309 - urbs allocated and ready to fill
310 - max rx packet known (in max_rx)
311 - unwrap state machine initialized, in state outside of any frame
312 - receive request in progress
313 - IrLAP layer started, about to hand over packets to send
316 return 0;
318 close_irlap:
319 irlap_close(kingsun->irlap);
320 free_mem:
321 if (kingsun->tx_urb) {
322 usb_free_urb(kingsun->tx_urb);
323 kingsun->tx_urb = NULL;
325 if (kingsun->rx_urb) {
326 usb_free_urb(kingsun->rx_urb);
327 kingsun->rx_urb = NULL;
329 if (kingsun->rx_buff.skb) {
330 kfree_skb(kingsun->rx_buff.skb);
331 kingsun->rx_buff.skb = NULL;
332 kingsun->rx_buff.head = NULL;
334 return err;
338 * Function kingsun_net_close (kingsun)
340 * Network device is taken down. Usually this is done by
341 * "ifconfig irda0 down"
343 static int kingsun_net_close(struct net_device *netdev)
345 struct kingsun_cb *kingsun = netdev_priv(netdev);
347 /* Stop transmit processing */
348 netif_stop_queue(netdev);
350 /* Mop up receive && transmit urb's */
351 usb_kill_urb(kingsun->tx_urb);
352 usb_kill_urb(kingsun->rx_urb);
354 usb_free_urb(kingsun->tx_urb);
355 usb_free_urb(kingsun->rx_urb);
357 kingsun->tx_urb = NULL;
358 kingsun->rx_urb = NULL;
360 kfree_skb(kingsun->rx_buff.skb);
361 kingsun->rx_buff.skb = NULL;
362 kingsun->rx_buff.head = NULL;
363 kingsun->rx_buff.in_frame = FALSE;
364 kingsun->rx_buff.state = OUTSIDE_FRAME;
365 kingsun->receiving = 0;
367 /* Stop and remove instance of IrLAP */
368 if (kingsun->irlap)
369 irlap_close(kingsun->irlap);
371 kingsun->irlap = NULL;
373 return 0;
377 * IOCTLs : Extra out-of-band network commands...
379 static int kingsun_net_ioctl(struct net_device *netdev, struct ifreq *rq,
380 int cmd)
382 struct if_irda_req *irq = (struct if_irda_req *) rq;
383 struct kingsun_cb *kingsun = netdev_priv(netdev);
384 int ret = 0;
386 switch (cmd) {
387 case SIOCSBANDWIDTH: /* Set bandwidth */
388 if (!capable(CAP_NET_ADMIN))
389 return -EPERM;
391 /* Check if the device is still there */
392 if (netif_device_present(kingsun->netdev))
393 /* No observed commands for speed change */
394 ret = -EOPNOTSUPP;
395 break;
397 case SIOCSMEDIABUSY: /* Set media busy */
398 if (!capable(CAP_NET_ADMIN))
399 return -EPERM;
401 /* Check if the IrDA stack is still there */
402 if (netif_running(kingsun->netdev))
403 irda_device_set_media_busy(kingsun->netdev, TRUE);
404 break;
406 case SIOCGRECEIVING:
407 /* Only approximately true */
408 irq->ifr_receiving = kingsun->receiving;
409 break;
411 default:
412 ret = -EOPNOTSUPP;
415 return ret;
418 static const struct net_device_ops kingsun_ops = {
419 .ndo_start_xmit = kingsun_hard_xmit,
420 .ndo_open = kingsun_net_open,
421 .ndo_stop = kingsun_net_close,
422 .ndo_do_ioctl = kingsun_net_ioctl,
426 * This routine is called by the USB subsystem for each new device
427 * in the system. We need to check if the device is ours, and in
428 * this case start handling it.
430 static int kingsun_probe(struct usb_interface *intf,
431 const struct usb_device_id *id)
433 struct usb_host_interface *interface;
434 struct usb_endpoint_descriptor *endpoint;
436 struct usb_device *dev = interface_to_usbdev(intf);
437 struct kingsun_cb *kingsun = NULL;
438 struct net_device *net = NULL;
439 int ret = -ENOMEM;
440 int pipe, maxp_in, maxp_out;
441 __u8 ep_in;
442 __u8 ep_out;
444 /* Check that there really are two interrupt endpoints.
445 Check based on the one in drivers/usb/input/usbmouse.c
447 interface = intf->cur_altsetting;
448 if (interface->desc.bNumEndpoints != 2) {
449 err("kingsun-sir: expected 2 endpoints, found %d",
450 interface->desc.bNumEndpoints);
451 return -ENODEV;
453 endpoint = &interface->endpoint[KINGSUN_EP_IN].desc;
454 if (!usb_endpoint_is_int_in(endpoint)) {
455 err("kingsun-sir: endpoint 0 is not interrupt IN");
456 return -ENODEV;
459 ep_in = endpoint->bEndpointAddress;
460 pipe = usb_rcvintpipe(dev, ep_in);
461 maxp_in = usb_maxpacket(dev, pipe, usb_pipeout(pipe));
462 if (maxp_in > 255 || maxp_in <= 1) {
463 err("%s: endpoint 0 has max packet size %d not in range",
464 __FILE__, maxp_in);
465 return -ENODEV;
468 endpoint = &interface->endpoint[KINGSUN_EP_OUT].desc;
469 if (!usb_endpoint_is_int_out(endpoint)) {
470 err("kingsun-sir: endpoint 1 is not interrupt OUT");
471 return -ENODEV;
474 ep_out = endpoint->bEndpointAddress;
475 pipe = usb_sndintpipe(dev, ep_out);
476 maxp_out = usb_maxpacket(dev, pipe, usb_pipeout(pipe));
478 /* Allocate network device container. */
479 net = alloc_irdadev(sizeof(*kingsun));
480 if(!net)
481 goto err_out1;
483 SET_NETDEV_DEV(net, &intf->dev);
484 kingsun = netdev_priv(net);
485 kingsun->irlap = NULL;
486 kingsun->tx_urb = NULL;
487 kingsun->rx_urb = NULL;
488 kingsun->ep_in = ep_in;
489 kingsun->ep_out = ep_out;
490 kingsun->in_buf = NULL;
491 kingsun->out_buf = NULL;
492 kingsun->max_rx = (__u8)maxp_in;
493 kingsun->max_tx = (__u8)maxp_out;
494 kingsun->netdev = net;
495 kingsun->usbdev = dev;
496 kingsun->rx_buff.in_frame = FALSE;
497 kingsun->rx_buff.state = OUTSIDE_FRAME;
498 kingsun->rx_buff.skb = NULL;
499 kingsun->receiving = 0;
500 spin_lock_init(&kingsun->lock);
502 /* Allocate input buffer */
503 kingsun->in_buf = kmalloc(kingsun->max_rx, GFP_KERNEL);
504 if (!kingsun->in_buf)
505 goto free_mem;
507 /* Allocate output buffer */
508 kingsun->out_buf = kmalloc(KINGSUN_FIFO_SIZE, GFP_KERNEL);
509 if (!kingsun->out_buf)
510 goto free_mem;
512 printk(KERN_INFO "KingSun/DonShine IRDA/USB found at address %d, "
513 "Vendor: %x, Product: %x\n",
514 dev->devnum, le16_to_cpu(dev->descriptor.idVendor),
515 le16_to_cpu(dev->descriptor.idProduct));
517 /* Initialize QoS for this device */
518 irda_init_max_qos_capabilies(&kingsun->qos);
520 /* That's the Rx capability. */
521 kingsun->qos.baud_rate.bits &= IR_9600;
522 kingsun->qos.min_turn_time.bits &= KINGSUN_MTT;
523 irda_qos_bits_to_value(&kingsun->qos);
525 /* Override the network functions we need to use */
526 net->netdev_ops = &kingsun_ops;
528 ret = register_netdev(net);
529 if (ret != 0)
530 goto free_mem;
532 dev_info(&net->dev, "IrDA: Registered KingSun/DonShine device %s\n",
533 net->name);
535 usb_set_intfdata(intf, kingsun);
537 /* Situation at this point:
538 - all work buffers allocated
539 - urbs not allocated, set to NULL
540 - max rx packet known (in max_rx)
541 - unwrap state machine (partially) initialized, but skb == NULL
544 return 0;
546 free_mem:
547 if (kingsun->out_buf) kfree(kingsun->out_buf);
548 if (kingsun->in_buf) kfree(kingsun->in_buf);
549 free_netdev(net);
550 err_out1:
551 return ret;
555 * The current device is removed, the USB layer tell us to shut it down...
557 static void kingsun_disconnect(struct usb_interface *intf)
559 struct kingsun_cb *kingsun = usb_get_intfdata(intf);
561 if (!kingsun)
562 return;
564 unregister_netdev(kingsun->netdev);
566 /* Mop up receive && transmit urb's */
567 if (kingsun->tx_urb != NULL) {
568 usb_kill_urb(kingsun->tx_urb);
569 usb_free_urb(kingsun->tx_urb);
570 kingsun->tx_urb = NULL;
572 if (kingsun->rx_urb != NULL) {
573 usb_kill_urb(kingsun->rx_urb);
574 usb_free_urb(kingsun->rx_urb);
575 kingsun->rx_urb = NULL;
578 kfree(kingsun->out_buf);
579 kfree(kingsun->in_buf);
580 free_netdev(kingsun->netdev);
582 usb_set_intfdata(intf, NULL);
585 #ifdef CONFIG_PM
586 /* USB suspend, so power off the transmitter/receiver */
587 static int kingsun_suspend(struct usb_interface *intf, pm_message_t message)
589 struct kingsun_cb *kingsun = usb_get_intfdata(intf);
591 netif_device_detach(kingsun->netdev);
592 if (kingsun->tx_urb != NULL) usb_kill_urb(kingsun->tx_urb);
593 if (kingsun->rx_urb != NULL) usb_kill_urb(kingsun->rx_urb);
594 return 0;
597 /* Coming out of suspend, so reset hardware */
598 static int kingsun_resume(struct usb_interface *intf)
600 struct kingsun_cb *kingsun = usb_get_intfdata(intf);
602 if (kingsun->rx_urb != NULL)
603 usb_submit_urb(kingsun->rx_urb, GFP_KERNEL);
604 netif_device_attach(kingsun->netdev);
606 return 0;
608 #endif
611 * USB device callbacks
613 static struct usb_driver irda_driver = {
614 .name = "kingsun-sir",
615 .probe = kingsun_probe,
616 .disconnect = kingsun_disconnect,
617 .id_table = dongles,
618 #ifdef CONFIG_PM
619 .suspend = kingsun_suspend,
620 .resume = kingsun_resume,
621 #endif
624 module_usb_driver(irda_driver);
626 MODULE_AUTHOR("Alex Villacís Lasso <a_villacis@palosanto.com>");
627 MODULE_DESCRIPTION("IrDA-USB Dongle Driver for KingSun/DonShine");
628 MODULE_LICENSE("GPL");