1 /* Driver for Lexar "Jumpshot" Compact Flash reader
3 * jumpshot driver v0.1:
5 * First release
7 * Current development and maintenance by:
8 * (c) 2000 Jimmie Mayfield (mayfield+usb@sackheads.org)
10 * Many thanks to Robert Baruch for the SanDisk SmartMedia reader driver
11 * which I used as a template for this driver.
13 * Some bugfixes and scatter-gather code by Gregory P. Smith
14 * (greg-usb@electricrain.com)
16 * Fix for media change by Joerg Schneider (js@joergschneider.com)
18 * Developed with the assistance of:
20 * (C) 2002 Alan Stern <stern@rowland.org>
22 * This program is free software; you can redistribute it and/or modify it
23 * under the terms of the GNU General Public License as published by the
24 * Free Software Foundation; either version 2, or (at your option) any
25 * later version.
27 * This program is distributed in the hope that it will be useful, but
28 * WITHOUT ANY WARRANTY; without even the implied warranty of
29 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
30 * General Public License for more details.
32 * You should have received a copy of the GNU General Public License along
33 * with this program; if not, write to the Free Software Foundation, Inc.,
34 * 675 Mass Ave, Cambridge, MA 02139, USA.
38 * This driver attempts to support the Lexar Jumpshot USB CompactFlash
39 * reader. Like many other USB CompactFlash readers, the Jumpshot contains
40 * a USB-to-ATA chip.
42 * This driver supports reading and writing. If you're truly paranoid,
43 * however, you can force the driver into a write-protected state by setting
44 * the WP enable bits in jumpshot_handle_mode_sense. See the comments
45 * in that routine.
48 #include <linux/errno.h>
49 #include <linux/module.h>
50 #include <linux/slab.h>
52 #include <scsi/scsi.h>
53 #include <scsi/scsi_cmnd.h>
55 #include "usb.h"
56 #include "transport.h"
57 #include "protocol.h"
58 #include "debug.h"
MODULE_DESCRIPTION("Driver for Lexar \"Jumpshot\" Compact Flash reader");
MODULE_AUTHOR("Jimmie Mayfield <mayfield+usb@sackheads.org>");
MODULE_LICENSE("GPL");

/*
 * USB ID match table.
 *
 * unusual_jumpshot.h is expanded here with UNUSUAL_DEV() producing one
 * usb_device_id per entry; only the ID/version range and the flags are
 * used, the remaining macro arguments are ignored in this expansion.
 * The same header is expanded again below to build
 * jumpshot_unusual_dev_list, so both tables share one entry order.
 */
#define UNUSUAL_DEV(vid, pid, bcd_min, bcd_max, \
		    vendor, product, proto, transport, \
		    init_fn, quirks) \
{ USB_DEVICE_VER(vid, pid, bcd_min, bcd_max), \
  .driver_info = (quirks)|(USB_US_TYPE_STOR<<24) }

static struct usb_device_id jumpshot_usb_ids[] = {
#	include "unusual_jumpshot.h"
	{ }		/* Terminating entry */
};
MODULE_DEVICE_TABLE(usb, jumpshot_usb_ids);

#undef UNUSUAL_DEV
/*
 * Per-device description table.
 *
 * Built from the same unusual_jumpshot.h entries as jumpshot_usb_ids, so
 * entry N here describes entry N there; jumpshot_probe() relies on that
 * when it turns the matched usb_device_id into an index into this list.
 * The ID, version and flags arguments are ignored in this expansion.
 */
#define UNUSUAL_DEV(vid, pid, bcd_min, bcd_max, \
		    vendor, product, proto, transport, \
		    init_fn, quirks) \
{ \
	.vendorName = vendor, \
	.productName = product, \
	.useProtocol = proto, \
	.useTransport = transport, \
	.initFunction = init_fn, \
}

static struct us_unusual_dev jumpshot_unusual_dev_list[] = {
#	include "unusual_jumpshot.h"
	{ }		/* Terminating entry */
};

#undef UNUSUAL_DEV
/*
 * Per-device state, allocated by jumpshot_transport() and hung off
 * us->extra.
 */
struct jumpshot_info {
	/* Total sector count; filled in by jumpshot_id_device() from the
	 * 512-byte reply returned by the device, i.e. device-supplied. */
	unsigned long sectors;

	/* Sector size in bytes; set to 0x200 when READ_CAPACITY is handled. */
	unsigned long ssize;

	/* Sense data handed back by the REQUEST_SENSE handler. */
	unsigned char sense_key;
	unsigned long sense_asc;	/* additional sense code */
	unsigned long sense_ascq;	/* additional sense code qualifier */
};
/*
 * Read @len bytes from the device's bulk-in pipe into @data.
 *
 * A zero-length request is answered with USB_STOR_XFER_GOOD without
 * touching the bus.  Otherwise the USB_STOR_XFER_* code of
 * usb_stor_bulk_transfer_buf() is returned unchanged.  The caller must
 * make sure @data has room for @len bytes; nothing here checks it.
 */
static inline int jumpshot_bulk_read(struct us_data *us,
				     unsigned char *data,
				     unsigned int len)
{
	int status = USB_STOR_XFER_GOOD;

	if (len != 0) {
		US_DEBUGP("jumpshot_bulk_read: len = %d\n", len);
		status = usb_stor_bulk_transfer_buf(us, us->recv_bulk_pipe,
						    data, len, NULL);
	}

	return status;
}
/*
 * Send @len bytes from @data to the device's bulk-out pipe.
 *
 * A zero-length request is answered with USB_STOR_XFER_GOOD without
 * touching the bus.  Otherwise the USB_STOR_XFER_* code of
 * usb_stor_bulk_transfer_buf() is returned unchanged.
 */
static inline int jumpshot_bulk_write(struct us_data *us,
				      unsigned char *data,
				      unsigned int len)
{
	int status = USB_STOR_XFER_GOOD;

	if (len != 0) {
		US_DEBUGP("jumpshot_bulk_write: len = %d\n", len);
		status = usb_stor_bulk_transfer_buf(us, us->send_bulk_pipe,
						    data, len, NULL);
	}

	return status;
}
/*
 * Poll the device status with a one-byte control read into us->iobuf.
 *
 * Returns USB_STOR_TRANSPORT_GOOD only when the transfer succeeds and the
 * returned byte is exactly 0x50; a NULL @us, a failed transfer or any
 * other status byte yields USB_STOR_TRANSPORT_ERROR.
 */
static int jumpshot_get_status(struct us_data *us)
{
	int xfer;

	if (us == NULL)
		return USB_STOR_TRANSPORT_ERROR;

	/* send the setup; the single status byte lands in us->iobuf[0] */
	xfer = usb_stor_ctrl_transfer(us, us->recv_ctrl_pipe,
				      0, 0xA0, 0, 7, us->iobuf, 1);
	if (xfer != USB_STOR_XFER_GOOD)
		return USB_STOR_TRANSPORT_ERROR;

	if (us->iobuf[0] == 0x50)
		return USB_STOR_TRANSPORT_GOOD;

	US_DEBUGP("jumpshot_get_status: 0x%2x\n",
		  us->iobuf[0]);
	return USB_STOR_TRANSPORT_ERROR;
}
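/*
 * Read @sectors sectors starting at LBA @sector into the SCSI command's
 * transfer buffer, going through a bounce buffer of at most 64 KB.
 *
 * @sector and @sectors are taken by jumpshot_transport() straight from the
 * CDB, so they are validated here before any length is derived from them:
 *   - the start LBA and the end of the range must fit in 28 bits, because
 *     only the low 28 bits of the LBA are placed in the command;
 *   - info->ssize must be non-zero (it is only set while handling
 *     READ_CAPACITY, and is used as a divisor below);
 *   - sectors * ssize must fit in the unsigned int byte counter.
 * A zero-sector request completes immediately: sending it would put a
 * count byte of 0 in the command, which ATA defines as 256 sectors.
 *
 * Returns USB_STOR_TRANSPORT_GOOD on success and
 * USB_STOR_TRANSPORT_ERROR on a rejected request, allocation failure or
 * failed transfer.
 */
static int jumpshot_read_data(struct us_data *us,
			      struct jumpshot_info *info,
			      u32 sector,
			      u32 sectors)
{
	unsigned char *command = us->iobuf;
	unsigned char *buffer;
	unsigned char thistime;
	unsigned int totallen, alloclen;
	int len, result;
	int rc = USB_STOR_TRANSPORT_ERROR;
	unsigned int sg_offset = 0;
	struct scatterlist *sg = NULL;

	/*
	 * We're working in LBA mode.  According to the ATA spec we can
	 * support up to 28-bit addressing.  It is unknown whether the
	 * Jumpshot supports more than 24 bits; that is hard to test since
	 * it requires a > 8GB CF card.
	 */
	if (sector > 0x0FFFFFFF)
		return USB_STOR_TRANSPORT_ERROR;

	/* the range must not run past the 28-bit limit and wrap around */
	if (sectors > 0x10000000u - sector)
		return USB_STOR_TRANSPORT_ERROR;

	/* ssize is a divisor below; refuse to run before it has been set */
	if (info->ssize == 0)
		return USB_STOR_TRANSPORT_ERROR;

	/* the byte count must not be truncated when stored in totallen */
	if (sectors > 0xFFFFFFFFu / info->ssize)
		return USB_STOR_TRANSPORT_ERROR;

	totallen = sectors * info->ssize;
	if (totallen == 0)
		return USB_STOR_TRANSPORT_GOOD;

	/*
	 * Since we don't read more than 64 KB at a time, we have to create
	 * a bounce buffer and move the data a piece at a time between the
	 * bounce buffer and the actual transfer buffer.
	 */
	alloclen = min(totallen, 65536u);
	buffer = kmalloc(alloclen, GFP_NOIO);
	if (buffer == NULL)
		return USB_STOR_TRANSPORT_ERROR;

	do {
		/*
		 * loop, never allocate or transfer more than 64k at once
		 * (min(128k, 255*info->ssize) is the real limit)
		 */
		len = min(totallen, alloclen);
		thistime = (len / info->ssize) & 0xff;

		command[0] = 0;
		command[1] = thistime;
		command[2] = sector & 0xFF;
		command[3] = (sector >>  8) & 0xFF;
		command[4] = (sector >> 16) & 0xFF;

		command[5] = 0xE0 | ((sector >> 24) & 0x0F);
		command[6] = 0x20;

		/* send the setup + command */
		result = usb_stor_ctrl_transfer(us, us->send_ctrl_pipe,
						0, 0x20, 0, 1, command, 7);
		if (result != USB_STOR_XFER_GOOD)
			goto out;

		/* read the result; len never exceeds alloclen */
		result = jumpshot_bulk_read(us, buffer, len);
		if (result != USB_STOR_XFER_GOOD)
			goto out;

		US_DEBUGP("jumpshot_read_data: %d bytes\n", len);

		/* Store the data in the transfer buffer */
		usb_stor_access_xfer_buf(buffer, len, us->srb,
					 &sg, &sg_offset, TO_XFER_BUF);

		sector += thistime;
		totallen -= len;
	} while (totallen > 0);

	rc = USB_STOR_TRANSPORT_GOOD;

out:
	kfree(buffer);
	return rc;
}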
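/*
 * Write @sectors sectors starting at LBA @sector from the SCSI command's
 * transfer buffer, going through a bounce buffer of at most 64 KB.
 *
 * @sector and @sectors are taken by jumpshot_transport() straight from the
 * CDB, so they are validated here before any length is derived from them:
 *   - the start LBA and the end of the range must fit in 28 bits, because
 *     only the low 28 bits of the LBA are placed in the command (a range
 *     that wrapped would be written over low sectors);
 *   - info->ssize must be non-zero (it is only set while handling
 *     READ_CAPACITY, and is used as a divisor below);
 *   - sectors * ssize must fit in the unsigned int byte counter.
 * A zero-sector request completes immediately: sending it would put a
 * count byte of 0 in the command, which ATA defines as 256 sectors.
 *
 * After each chunk the device status is polled at most 10 times, 50 ms
 * apart.  The poll counter is advanced on every failed poll so that a
 * device which never reports a good status cannot keep this thread in
 * the loop forever.
 *
 * Returns USB_STOR_TRANSPORT_ERROR on a rejected request, allocation
 * failure or failed transfer; otherwise the status of the last poll.
 */
static int jumpshot_write_data(struct us_data *us,
			       struct jumpshot_info *info,
			       u32 sector,
			       u32 sectors)
{
	unsigned char *command = us->iobuf;
	unsigned char *buffer;
	unsigned char thistime;
	unsigned int totallen, alloclen;
	int len, result, waitcount;
	int rc = USB_STOR_TRANSPORT_ERROR;
	unsigned int sg_offset = 0;
	struct scatterlist *sg = NULL;

	/*
	 * We're working in LBA mode.  According to the ATA spec we can
	 * support up to 28-bit addressing.  It is unknown whether the
	 * Jumpshot supports more than 24 bits; that is hard to test since
	 * it requires a > 8GB CF card.
	 */
	if (sector > 0x0FFFFFFF)
		return USB_STOR_TRANSPORT_ERROR;

	/* the range must not run past the 28-bit limit and wrap around */
	if (sectors > 0x10000000u - sector)
		return USB_STOR_TRANSPORT_ERROR;

	/* ssize is a divisor below; refuse to run before it has been set */
	if (info->ssize == 0)
		return USB_STOR_TRANSPORT_ERROR;

	/* the byte count must not be truncated when stored in totallen */
	if (sectors > 0xFFFFFFFFu / info->ssize)
		return USB_STOR_TRANSPORT_ERROR;

	totallen = sectors * info->ssize;
	if (totallen == 0)
		return USB_STOR_TRANSPORT_GOOD;

	/*
	 * Since we don't write more than 64 KB at a time, we have to create
	 * a bounce buffer and move the data a piece at a time between the
	 * bounce buffer and the actual transfer buffer.
	 */
	alloclen = min(totallen, 65536u);
	buffer = kmalloc(alloclen, GFP_NOIO);
	if (buffer == NULL)
		return USB_STOR_TRANSPORT_ERROR;

	do {
		/*
		 * loop, never allocate or transfer more than 64k at once
		 * (min(128k, 255*info->ssize) is the real limit)
		 */
		len = min(totallen, alloclen);
		thistime = (len / info->ssize) & 0xff;

		/* Get the data from the transfer buffer */
		usb_stor_access_xfer_buf(buffer, len, us->srb,
					 &sg, &sg_offset, FROM_XFER_BUF);

		command[0] = 0;
		command[1] = thistime;
		command[2] = sector & 0xFF;
		command[3] = (sector >>  8) & 0xFF;
		command[4] = (sector >> 16) & 0xFF;

		command[5] = 0xE0 | ((sector >> 24) & 0x0F);
		command[6] = 0x30;

		/* send the setup + command */
		result = usb_stor_ctrl_transfer(us, us->send_ctrl_pipe,
						0, 0x20, 0, 1, command, 7);
		if (result != USB_STOR_XFER_GOOD)
			goto out;

		/* send the data */
		result = jumpshot_bulk_write(us, buffer, len);
		if (result != USB_STOR_XFER_GOOD)
			goto out;

		/*
		 * read the result.  apparently the bulk write can complete
		 * before the jumpshot drive is finished writing.  so we poll
		 * here until we get a good return code or run out of tries
		 */
		waitcount = 0;
		do {
			result = jumpshot_get_status(us);
			if (result != USB_STOR_TRANSPORT_GOOD) {
				/* 50 ms is not tuned; a smaller value may do */
				msleep(50);
				waitcount++;
			}
		} while ((result != USB_STOR_TRANSPORT_GOOD) && (waitcount < 10));

		/*
		 * NOTE(review): a chunk that never reached a good status is
		 * only logged and the next chunk is still sent; only the
		 * last chunk's status reaches the caller.
		 */
		if (result != USB_STOR_TRANSPORT_GOOD)
			US_DEBUGP("jumpshot_write_data: Gah! Waitcount = 10. Bad write!?\n");

		sector += thistime;
		totallen -= len;
	} while (totallen > 0);

	rc = result;

out:
	kfree(buffer);
	return rc;
}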
/*
 * Ask the device to identify itself and record its sector count.
 *
 * Sends the two-byte command 0xE0 0xEC, reads a fixed 512-byte reply into
 * a temporary buffer and stores the little-endian 32-bit value found at
 * reply bytes 114..117 in info->sectors.  That value comes from the
 * device and is stored as-is, without any range check.
 *
 * Returns USB_STOR_TRANSPORT_GOOD on success, USB_STOR_TRANSPORT_ERROR if
 * @info is NULL, the allocation fails or either transfer fails.
 */
static int jumpshot_id_device(struct us_data *us,
			      struct jumpshot_info *info)
{
	unsigned char *cmd = us->iobuf;
	unsigned char *ident;
	int status = USB_STOR_TRANSPORT_ERROR;

	if (info == NULL)
		return USB_STOR_TRANSPORT_ERROR;

	cmd[0] = 0xE0;
	cmd[1] = 0xEC;
	ident = kmalloc(512, GFP_NOIO);
	if (ident == NULL)
		return USB_STOR_TRANSPORT_ERROR;

	/* send the setup */
	if (usb_stor_ctrl_transfer(us, us->send_ctrl_pipe,
				   0, 0x20, 0, 6, cmd, 2) != USB_STOR_XFER_GOOD) {
		US_DEBUGP("jumpshot_id_device: Gah! "
			  "send_control for read_capacity failed\n");
		goto out;
	}

	/* read the reply; the length matches the allocation above */
	if (jumpshot_bulk_read(us, ident, 512) != USB_STOR_XFER_GOOD)
		goto out;

	info->sectors = ((u32)(ident[117]) << 24) |
			((u32)(ident[116]) << 16) |
			((u32)(ident[115]) <<  8) |
			((u32)(ident[114]));

	status = USB_STOR_TRANSPORT_GOOD;

out:
	kfree(ident);
	return status;
}
/*
 * Build a canned MODE SENSE reply in us->iobuf and copy it to @srb.
 *
 * @sense_6 selects the header layout: non-zero gives a 4-byte header with
 * a one-byte length, zero gives an 8-byte header with a big-endian 16-bit
 * length.  The page code from CDB byte 2 picks which fixed page(s) follow
 * the header; page code 0 is rejected with sense 0x05/0x24/0x00 and
 * USB_STOR_TRANSPORT_FAILED, and a page code with no case below yields a
 * header-only reply.
 *
 * The largest reply is an 8-byte header plus all four pages (8 + 12 + 12
 * + 12 = 44 bytes), 52 bytes in total.
 * NOTE(review): assumes us->iobuf holds at least 52 bytes - confirm
 * against the buffer size declared in usb.h.
 */
static int jumpshot_handle_mode_sense(struct us_data *us,
				      struct scsi_cmnd * srb,
				      int sense_6)
{
	static unsigned char rw_err_page[12] = {
		0x1, 0xA, 0x21, 1, 0, 0, 0, 0, 1, 0, 0, 0
	};
	static unsigned char cache_page[12] = {
		0x8, 0xA, 0x1, 0, 0, 0, 0, 0, 0, 0, 0, 0
	};
	static unsigned char rbac_page[12] = {
		0x1B, 0xA, 0, 0x81, 0, 0, 0, 0, 0, 0, 0, 0
	};
	static unsigned char timer_page[8] = {
		0x1C, 0x6, 0, 0, 0, 0
	};
	struct jumpshot_info *info = (struct jumpshot_info *) (us->extra);
	unsigned char *reply = us->iobuf;
	unsigned char page_control = srb->cmnd[2] >> 6;
	unsigned char page_code = srb->cmnd[2] & 0x3F;
	unsigned int used;

	/* the page control field only changes what gets logged */
	switch (page_control) {
	case 0x0:
		US_DEBUGP("jumpshot_handle_mode_sense: Current values\n");
		break;
	case 0x1:
		US_DEBUGP("jumpshot_handle_mode_sense: Changeable values\n");
		break;
	case 0x2:
		US_DEBUGP("jumpshot_handle_mode_sense: Default values\n");
		break;
	case 0x3:
		US_DEBUGP("jumpshot_handle_mode_sense: Saves values\n");
		break;
	}

	/*
	 * Clear the header.  Storing 0x80 instead of 0x00 in the byte
	 * written below would report the medium as write-protected.
	 */
	memset(reply, 0, 8);
	if (sense_6) {
		reply[2] = 0x00;	/* WP enable: 0x80 */
		used = 4;
	} else {
		reply[3] = 0x00;	/* WP enable: 0x80 */
		used = 8;
	}

	switch (page_code) {
	case 0x0:
		/* vendor-specific mode */
		info->sense_key = 0x05;
		info->sense_asc = 0x24;
		info->sense_ascq = 0x00;
		return USB_STOR_TRANSPORT_FAILED;

	case 0x1:
		memcpy(reply + used, rw_err_page, sizeof(rw_err_page));
		used += sizeof(rw_err_page);
		break;

	case 0x8:
		memcpy(reply + used, cache_page, sizeof(cache_page));
		used += sizeof(cache_page);
		break;

	case 0x1B:
		memcpy(reply + used, rbac_page, sizeof(rbac_page));
		used += sizeof(rbac_page);
		break;

	case 0x1C:
		memcpy(reply + used, timer_page, sizeof(timer_page));
		used += sizeof(timer_page);
		break;

	case 0x3F:
		/* all pages, appended back to back */
		memcpy(reply + used, timer_page, sizeof(timer_page));
		used += sizeof(timer_page);
		memcpy(reply + used, rbac_page, sizeof(rbac_page));
		used += sizeof(rbac_page);
		memcpy(reply + used, cache_page, sizeof(cache_page));
		used += sizeof(cache_page);
		memcpy(reply + used, rw_err_page, sizeof(rw_err_page));
		used += sizeof(rw_err_page);
		break;
	}

	/* the length field does not count itself */
	if (sense_6)
		reply[0] = used - 1;
	else
		((__be16 *) reply)[0] = cpu_to_be16(used - 2);
	usb_stor_set_xfer_buf(reply, used, srb);

	return USB_STOR_TRANSPORT_GOOD;
}
/*
 * Destructor hook installed as us->extra_destructor.
 *
 * Deliberately empty: struct jumpshot_info holds no pointers to further
 * allocations, so there is nothing of its own to release here.
 * NOTE(review): presumably the caller of this hook frees @extra itself -
 * confirm in the usb-storage core.
 */
static void jumpshot_info_destructor(void *extra)
{
}
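/*
 * Transport for the Lexar 'Jumpshot'.
 *
 * Emulates the SCSI commands the device cannot handle itself and maps
 * READ/WRITE onto the Jumpshot's control + bulk protocol.  The opcode and
 * every field decoded below come from srb->cmnd, so block numbers and
 * counts are request-supplied values.
 *
 * The per-device jumpshot_info is allocated on first use.  Its sector
 * size is initialised at that point: the read/write helpers divide by
 * info->ssize, and a READ or WRITE that arrives before any READ_CAPACITY
 * would otherwise see the zero left by kzalloc().
 *
 * Returns a USB_STOR_TRANSPORT_* code; unknown opcodes set sense
 * 0x05/0x20/0x00 and return USB_STOR_TRANSPORT_FAILED.
 */
static int jumpshot_transport(struct scsi_cmnd *srb, struct us_data *us)
{
	struct jumpshot_info *info;
	int rc;
	unsigned long block, blocks;
	unsigned char *ptr = us->iobuf;
	static unsigned char inquiry_response[8] = {
		0x00, 0x80, 0x00, 0x01, 0x1F, 0x00, 0x00, 0x00
	};

	info = (struct jumpshot_info *) (us->extra);
	if (!info) {
		info = kzalloc(sizeof(struct jumpshot_info), GFP_NOIO);
		if (!info) {
			US_DEBUGP("jumpshot_transport: Gah! Can't allocate storage for jumpshot info struct!\n");
			return USB_STOR_TRANSPORT_ERROR;
		}
		/* hard coded 512 byte sectors as per ATA spec */
		info->ssize = 0x200;
		us->extra = info;
		us->extra_destructor = jumpshot_info_destructor;
	}

	switch (srb->cmnd[0]) {
	case INQUIRY:
		US_DEBUGP("jumpshot_transport: INQUIRY. Returning bogus response.\n");
		memcpy(ptr, inquiry_response, sizeof(inquiry_response));
		fill_inquiry_response(us, ptr, 36);
		return USB_STOR_TRANSPORT_GOOD;

	case READ_CAPACITY:
		info->ssize = 0x200;  /* hard coded 512 byte sectors as per ATA spec */

		rc = jumpshot_get_status(us);
		if (rc != USB_STOR_TRANSPORT_GOOD)
			return rc;

		rc = jumpshot_id_device(us, info);
		if (rc != USB_STOR_TRANSPORT_GOOD)
			return rc;

		US_DEBUGP("jumpshot_transport: READ_CAPACITY: %ld sectors, %ld bytes per sector\n",
			  info->sectors, info->ssize);

		/*
		 * build the reply: last LBA, then block size.
		 * NOTE(review): info->sectors is device-supplied; a reported
		 * count of 0 makes "sectors - 1" wrap - confirm whether that
		 * needs rejecting.
		 */
		((__be32 *) ptr)[0] = cpu_to_be32(info->sectors - 1);
		((__be32 *) ptr)[1] = cpu_to_be32(info->ssize);
		usb_stor_set_xfer_buf(ptr, 8, srb);

		return USB_STOR_TRANSPORT_GOOD;

	case MODE_SELECT_10:
		US_DEBUGP("jumpshot_transport: Gah! MODE_SELECT_10.\n");
		return USB_STOR_TRANSPORT_ERROR;

	case READ_10:
		block = ((u32)(srb->cmnd[2]) << 24) | ((u32)(srb->cmnd[3]) << 16) |
			((u32)(srb->cmnd[4]) <<  8) | ((u32)(srb->cmnd[5]));

		blocks = ((u32)(srb->cmnd[7]) << 8) | ((u32)(srb->cmnd[8]));

		US_DEBUGP("jumpshot_transport: READ_10: read block 0x%04lx count %ld\n", block, blocks);
		return jumpshot_read_data(us, info, block, blocks);

	case READ_12:
		/* I don't think we'll ever see a READ_12 but support it anyway... */
		block = ((u32)(srb->cmnd[2]) << 24) | ((u32)(srb->cmnd[3]) << 16) |
			((u32)(srb->cmnd[4]) <<  8) | ((u32)(srb->cmnd[5]));

		blocks = ((u32)(srb->cmnd[6]) << 24) | ((u32)(srb->cmnd[7]) << 16) |
			 ((u32)(srb->cmnd[8]) <<  8) | ((u32)(srb->cmnd[9]));

		US_DEBUGP("jumpshot_transport: READ_12: read block 0x%04lx count %ld\n", block, blocks);
		return jumpshot_read_data(us, info, block, blocks);

	case WRITE_10:
		block = ((u32)(srb->cmnd[2]) << 24) | ((u32)(srb->cmnd[3]) << 16) |
			((u32)(srb->cmnd[4]) <<  8) | ((u32)(srb->cmnd[5]));

		blocks = ((u32)(srb->cmnd[7]) << 8) | ((u32)(srb->cmnd[8]));

		US_DEBUGP("jumpshot_transport: WRITE_10: write block 0x%04lx count %ld\n", block, blocks);
		return jumpshot_write_data(us, info, block, blocks);

	case WRITE_12:
		/* I don't think we'll ever see a WRITE_12 but support it anyway... */
		block = ((u32)(srb->cmnd[2]) << 24) | ((u32)(srb->cmnd[3]) << 16) |
			((u32)(srb->cmnd[4]) <<  8) | ((u32)(srb->cmnd[5]));

		blocks = ((u32)(srb->cmnd[6]) << 24) | ((u32)(srb->cmnd[7]) << 16) |
			 ((u32)(srb->cmnd[8]) <<  8) | ((u32)(srb->cmnd[9]));

		US_DEBUGP("jumpshot_transport: WRITE_12: write block 0x%04lx count %ld\n", block, blocks);
		return jumpshot_write_data(us, info, block, blocks);

	case TEST_UNIT_READY:
		US_DEBUGP("jumpshot_transport: TEST_UNIT_READY.\n");
		return jumpshot_get_status(us);

	case REQUEST_SENSE:
		US_DEBUGP("jumpshot_transport: REQUEST_SENSE.\n");

		/* fixed 18-byte sense reply built from the stored sense data */
		memset(ptr, 0, 18);
		ptr[0] = 0xF0;
		ptr[2] = info->sense_key;
		ptr[7] = 11;
		ptr[12] = info->sense_asc;
		ptr[13] = info->sense_ascq;
		usb_stor_set_xfer_buf(ptr, 18, srb);

		return USB_STOR_TRANSPORT_GOOD;

	case MODE_SENSE:
		US_DEBUGP("jumpshot_transport: MODE_SENSE_6 detected\n");
		return jumpshot_handle_mode_sense(us, srb, 1);

	case MODE_SENSE_10:
		US_DEBUGP("jumpshot_transport: MODE_SENSE_10 detected\n");
		return jumpshot_handle_mode_sense(us, srb, 0);

	case ALLOW_MEDIUM_REMOVAL:
		/*
		 * sure.  whatever.  not like we can stop the user from
		 * popping the media out of the device (no locking doors, etc)
		 */
		return USB_STOR_TRANSPORT_GOOD;

	case START_STOP:
		/*
		 * this is used by sd.c'check_scsidisk_media_change to detect
		 * media change
		 */
		US_DEBUGP("jumpshot_transport: START_STOP.\n");
		/*
		 * the first jumpshot_id_device after a media change returns
		 * an error (determined experimentally)
		 */
		rc = jumpshot_id_device(us, info);
		if (rc == USB_STOR_TRANSPORT_GOOD) {
			info->sense_key = NO_SENSE;
			/* NOTE(review): SUCCESS is not a SAM_STAT_* value;
			 * confirm SAM_STAT_GOOD was not intended here. */
			srb->result = SUCCESS;
		} else {
			info->sense_key = UNIT_ATTENTION;
			srb->result = SAM_STAT_CHECK_CONDITION;
		}
		return rc;

	default:
		break;
	}

	US_DEBUGP("jumpshot_transport: Gah! Unknown command: %d (0x%x)\n",
		  srb->cmnd[0], srb->cmnd[0]);
	info->sense_key = 0x05;
	info->sense_asc = 0x20;
	info->sense_ascq = 0x00;
	return USB_STOR_TRANSPORT_FAILED;
}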
/*
 * USB probe callback: bind the usb-storage core to a matched interface
 * and install the Jumpshot transport.
 *
 * @id points into jumpshot_usb_ids; its offset from the start of that
 * table is reused as the index into jumpshot_unusual_dev_list, which is
 * generated from the same header in the same order.
 *
 * Returns 0 on success or the error from usb_stor_probe1() /
 * usb_stor_probe2().
 */
static int jumpshot_probe(struct usb_interface *intf,
			 const struct usb_device_id *id)
{
	struct us_data *us;
	int err;

	err = usb_stor_probe1(&us, intf, id,
			      jumpshot_unusual_dev_list + (id - jumpshot_usb_ids));
	if (err)
		return err;

	us->transport_name  = "Lexar Jumpshot Control/Bulk";
	us->transport = jumpshot_transport;
	us->transport_reset = usb_stor_Bulk_reset;
	us->max_lun = 1;

	return usb_stor_probe2(us);
}
/*
 * USB driver registration.  Only probe is Jumpshot-specific; every other
 * callback is the shared usb-storage implementation.
 */
static struct usb_driver jumpshot_driver = {
	.name		= "ums-jumpshot",
	.id_table	= jumpshot_usb_ids,
	.probe		= jumpshot_probe,
	.disconnect	= usb_stor_disconnect,
	.suspend	= usb_stor_suspend,
	.resume		= usb_stor_resume,
	.reset_resume	= usb_stor_reset_resume,
	.pre_reset	= usb_stor_pre_reset,
	.post_reset	= usb_stor_post_reset,
	.soft_unbind	= 1,
};

module_usb_driver(jumpshot_driver);