[PATCH] Bluetooth: fix potential NULL ptr deref in dtl1_cs.c::dtl1_hci_send_frame()
1 /*
2  *
3  *  A driver for Nokia Connectivity Card DTL-1 devices
4  *
5  *  Copyright (C) 2001-2002  Marcel Holtmann <marcel@holtmann.org>
6  *
7  *
8  *  This program is free software; you can redistribute it and/or modify
9  *  it under the terms of the GNU General Public License version 2 as
10  *  published by the Free Software Foundation;
11  *
12  *  Software distributed under the License is distributed on an "AS
13  *  IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
14  *  implied. See the License for the specific language governing
15  *  rights and limitations under the License.
16  *
17  *  The initial developer of the original code is David A. Hinds
18  *  <dahinds@users.sourceforge.net>.  Portions created by David A. Hinds
19  *  are Copyright (C) 1999 David A. Hinds.  All Rights Reserved.
20  *
21  */
22
23 #include <linux/config.h>
24 #include <linux/module.h>
25
26 #include <linux/kernel.h>
27 #include <linux/init.h>
28 #include <linux/slab.h>
29 #include <linux/types.h>
30 #include <linux/sched.h>
31 #include <linux/delay.h>
32 #include <linux/errno.h>
33 #include <linux/ptrace.h>
34 #include <linux/ioport.h>
35 #include <linux/spinlock.h>
36 #include <linux/moduleparam.h>
37
38 #include <linux/skbuff.h>
39 #include <linux/string.h>
40 #include <linux/serial.h>
41 #include <linux/serial_reg.h>
42 #include <linux/bitops.h>
43 #include <asm/system.h>
44 #include <asm/io.h>
45
46 #include <pcmcia/cs_types.h>
47 #include <pcmcia/cs.h>
48 #include <pcmcia/cistpl.h>
49 #include <pcmcia/ciscode.h>
50 #include <pcmcia/ds.h>
51 #include <pcmcia/cisreg.h>
52
53 #include <net/bluetooth/bluetooth.h>
54 #include <net/bluetooth/hci_core.h>
55
56
57
58 /* ======================== Module parameters ======================== */
59
60
/* Module metadata only; this driver defines no module parameters */
MODULE_AUTHOR("Marcel Holtmann <marcel@holtmann.org>");
MODULE_DESCRIPTION("Bluetooth driver for Nokia Connectivity Card DTL-1");
MODULE_LICENSE("GPL");
64
65
66
67 /* ======================== Local structures ======================== */
68
69
/*
 * Per-card driver state.  Allocated (zeroed) in dtl1_probe(), stored in
 * link->priv and handed to the IRQ handler as dev_inst; freed in dtl1_detach().
 */
typedef struct dtl1_info_t {
	struct pcmcia_device *p_dev;	/* owning PCMCIA device; io.BasePort1 is the UART base */
	dev_node_t node;		/* dev_name is filled from hdev->name in dtl1_config() */

	struct hci_dev *hdev;		/* NULL until dtl1_open() has registered one */

	spinlock_t lock;                /* For serializing operations */

	unsigned long flowmask;         /* HCI flow mask */
	int ri_latch;			/* last observed UART_MSR_RI level, see dtl1_interrupt() */

	struct sk_buff_head txq;	/* frames waiting for dtl1_write_wakeup() */
	unsigned long tx_state;		/* XMIT_* bits */

	unsigned long rx_state;		/* RECV_WAIT_NSH or RECV_WAIT_DATA */
	unsigned long rx_count;		/* bytes still expected in the current rx_state */
	struct sk_buff *rx_skb;		/* frame being assembled; NULL between frames */
} dtl1_info_t;
88
89
/* Forward declarations: probe/config/release/detach refer to each other */
static int dtl1_config(struct pcmcia_device *link);
static void dtl1_release(struct pcmcia_device *link);

static void dtl1_detach(struct pcmcia_device *p_dev);
94
95
/* Transmit states: bit numbers in dtl1_info_t.tx_state */
#define XMIT_SENDING  1		/* a dtl1_write_wakeup() send loop is running */
#define XMIT_WAKEUP   2		/* another pass was requested while sending or waiting */
#define XMIT_WAITING  8		/* hold off until the card signals it can take data */

/* Receiver States: values of dtl1_info_t.rx_state */
#define RECV_WAIT_NSH   0	/* collecting the NSHL-byte Nokia Specific Header */
#define RECV_WAIT_DATA  1	/* collecting nsh->len (plus pad) payload bytes */
104
105
/*
 * Nokia Specific Header: prefixed to every frame in both directions.
 * Received types 0x80 (control) and 0x82..0x84 (passed to HCI with the
 * high nibble masked) are handled in dtl1_receive(); 0x81..0x83 are
 * generated in dtl1_hci_send_frame().
 */
typedef struct {
	u8 type;	/* frame type, see above */
	u8 zero;	/* written as 0 on transmit */
	u16 len;	/* payload length excluding the pad byte; no byte-order conversion is applied */
} __attribute__ ((packed)) nsh_t;       /* Nokia Specific Header */

#define NSHL  4                         /* Nokia Specific Header Length */
113
114
115
116 /* ======================== Interrupt handling ======================== */
117
118
/*
 * Push as many bytes of @buf as the transmit FIFO will take.
 *
 * Nothing is written unless the UART reports an empty transmit holding
 * register (UART_LSR_THRE); in that case 0 is returned.  Otherwise up to
 * @fifo_size bytes, bounded by @len, are written one at a time to UART_TX.
 *
 * Returns the number of bytes actually placed in the FIFO.
 */
static int dtl1_write(unsigned int iobase, int fifo_size, __u8 *buf, int len)
{
	int sent;

	/* Do not touch the FIFO while the holding register is still busy */
	if (!(inb(iobase + UART_LSR) & UART_LSR_THRE))
		return 0;

	/* One byte per FIFO slot, stopping at the end of the frame or the FIFO */
	for (sent = 0; fifo_size > 0 && sent < len; fifo_size--, sent++)
		outb(buf[sent], iobase + UART_TX);

	return sent;
}
136
137
/*
 * Transmit path: drain info->txq into the UART.
 *
 * Does nothing while XMIT_WAITING is set (the card has not yet signalled
 * that it can accept data); in that case, or when another context already
 * holds XMIT_SENDING, only XMIT_WAKEUP is recorded so that the active
 * sender makes one more pass.  Otherwise frames are dequeued and written
 * with dtl1_write(); a frame that does not fit the FIFO in one go has the
 * written part trimmed and goes back to the head of the queue.  Returns
 * early, leaving XMIT_SENDING set, if the PCMCIA device has gone away.
 */
static void dtl1_write_wakeup(dtl1_info_t *info)
{
	if (!info) {
		BT_ERR("Unknown device");
		return;
	}

	/* Card is not ready for data yet: remember that we wanted to send */
	if (test_bit(XMIT_WAITING, &(info->tx_state))) {
		set_bit(XMIT_WAKEUP, &(info->tx_state));
		return;
	}

	/* Somebody else is already in the send loop: ask for one more pass */
	if (test_and_set_bit(XMIT_SENDING, &(info->tx_state))) {
		set_bit(XMIT_WAKEUP, &(info->tx_state));
		return;
	}

	do {
		unsigned int iobase = info->p_dev->io.BasePort1;
		struct sk_buff *frame;
		int written;

		clear_bit(XMIT_WAKEUP, &(info->tx_state));

		if (!pcmcia_dev_present(info->p_dev))
			return;

		frame = skb_dequeue(&(info->txq));
		if (!frame)
			break;

		/* 32: FIFO slots offered per pass, as hard-coded by the original driver */
		written = dtl1_write(iobase, 32, frame->data, frame->len);

		if (written == frame->len) {
			/* Whole frame is in the FIFO; wait for the card before sending more */
			set_bit(XMIT_WAITING, &(info->tx_state));
			kfree_skb(frame);
		} else {
			/* Partial write: drop the sent prefix and retry from the head */
			skb_pull(frame, written);
			skb_queue_head(&(info->txq), frame);
		}

		info->hdev->stat.byte_tx += written;

	} while (test_bit(XMIT_WAKEUP, &(info->tx_state)));

	clear_bit(XMIT_SENDING, &(info->tx_state));
}
185
186
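/*
 * Handle a Nokia control frame (NSH type 0x80) received from the card.
 *
 * The first payload byte is the card's flow mask.  When its low three bits
 * go from clear to set the card has become ready for data, so XMIT_WAITING
 * is dropped and the transmit path is kicked.  The frame is logged at
 * KERN_INFO and consumed (freed) here.
 *
 * A frame without any payload byte is discarded without touching the flow
 * mask: skb->data would point at unwritten buffer memory, and the old code
 * read that byte anyway.
 */
static void dtl1_control(dtl1_info_t *info, struct sk_buff *skb)
{
	u8 flowmask;
	unsigned int i;

	/* Header announced zero payload bytes: nothing valid to read */
	if (skb->len < 1) {
		BT_ERR("Empty Nokia control frame dropped");
		kfree_skb(skb);
		return;
	}

	flowmask = skb->data[0];

	printk(KERN_INFO "Bluetooth: Nokia control data =");
	for (i = 0; i < skb->len; i++)
		printk(" %02x", skb->data[i]);
	printk("\n");

	/* transition to active state */
	if (((info->flowmask & 0x07) == 0) && ((flowmask & 0x07) != 0)) {
		clear_bit(XMIT_WAITING, &(info->tx_state));
		dtl1_write_wakeup(info);
	}

	info->flowmask = flowmask;

	kfree_skb(skb);
}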
208
209
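/*
 * Pull bytes out of the UART receive FIFO and assemble Nokia frames.
 *
 * Each frame is a NSHL-byte Nokia Specific Header (nsh_t) followed by
 * nsh->len payload bytes, padded to an even length.  Bytes are accumulated
 * in info->rx_skb; rx_count is the number of bytes still expected in the
 * current rx_state.  Once a whole frame is present the pad and the NSH are
 * stripped and the payload is dispatched by type: 0x80 to dtl1_control(),
 * 0x82..0x84 to the HCI layer, anything else is dropped.
 *
 * The header length is validated before it is trusted.  rx_skb is allocated
 * with HCI_MAX_FRAME_SIZE bytes, so a length that does not fit in the
 * remaining tailroom would overrun the buffer through skb_put(); a zero
 * length would never complete, because rx_count is decremented before it is
 * compared with zero.  Such frames are discarded and the receiver starts
 * again on the next header.
 *
 * At most ~32 bytes are taken per call so a chattering UART cannot hold the
 * interrupt handler indefinitely.
 */
static void dtl1_receive(dtl1_info_t *info)
{
	unsigned int iobase;
	nsh_t *nsh;
	unsigned long payload;
	int boguscount = 0;

	if (!info) {
		BT_ERR("Unknown device");
		return;
	}

	iobase = info->p_dev->io.BasePort1;

	do {
		info->hdev->stat.byte_rx++;

		/* Allocate packet */
		if (info->rx_skb == NULL)
			if (!(info->rx_skb = bt_skb_alloc(HCI_MAX_FRAME_SIZE, GFP_ATOMIC))) {
				BT_ERR("Can't allocate mem for new packet");
				info->rx_state = RECV_WAIT_NSH;
				info->rx_count = NSHL;
				return;
			}

		/* One byte per pass; the header always occupies the first NSHL bytes */
		*skb_put(info->rx_skb, 1) = inb(iobase + UART_RX);
		nsh = (nsh_t *)info->rx_skb->data;

		info->rx_count--;

		if (info->rx_count == 0) {

			switch (info->rx_state) {
			case RECV_WAIT_NSH:
				/* Payload is padded to an even number of bytes */
				payload = nsh->len + (nsh->len & 0x0001);

				/*
				 * The length comes from the card and must not be
				 * trusted blindly: skb_put() past the end of
				 * rx_skb is a kernel bug, not a recoverable
				 * error, so an oversized or empty frame is
				 * dropped here instead.
				 */
				if (nsh->len == 0 ||
				    payload > (unsigned long)skb_tailroom(info->rx_skb)) {
					BT_ERR("Bad Nokia frame length %d, frame dropped", nsh->len);
					kfree_skb(info->rx_skb);
					info->rx_skb = NULL;
					info->rx_state = RECV_WAIT_NSH;
					info->rx_count = NSHL;
					break;
				}

				info->rx_state = RECV_WAIT_DATA;
				info->rx_count = payload;
				break;
			case RECV_WAIT_DATA:
				bt_cb(info->rx_skb)->pkt_type = nsh->type;

				/* remove PAD byte if it exists */
				if (nsh->len & 0x0001) {
					info->rx_skb->tail--;
					info->rx_skb->len--;
				}

				/* remove NSH */
				skb_pull(info->rx_skb, NSHL);

				switch (bt_cb(info->rx_skb)->pkt_type) {
				case 0x80:
					/* control data for the Nokia Card; dtl1_control() frees rx_skb */
					dtl1_control(info, info->rx_skb);
					break;
				case 0x82:
				case 0x83:
				case 0x84:
					/* send frame to the HCI layer, which now owns rx_skb */
					info->rx_skb->dev = (void *) info->hdev;
					bt_cb(info->rx_skb)->pkt_type &= 0x0f;
					hci_recv_frame(info->rx_skb);
					break;
				default:
					/* unknown packet */
					BT_ERR("Unknown HCI packet with type 0x%02x received", bt_cb(info->rx_skb)->pkt_type);
					kfree_skb(info->rx_skb);
					break;
				}

				/* Every branch above has disposed of rx_skb; start a new frame */
				info->rx_state = RECV_WAIT_NSH;
				info->rx_count = NSHL;
				info->rx_skb = NULL;
				break;
			}

		}

		/* Make sure we don't stay here too long */
		if (boguscount++ > 32)
			break;

	} while (inb(iobase + UART_LSR) & UART_LSR_DR);
}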
293
294
/*
 * IRQ handler for the card's UART.
 *
 * Services pending interrupt sources reported by UART_IIR under info->lock:
 * receiver data (UART_IIR_RDI) goes to dtl1_receive(), transmitter empty
 * (UART_IIR_THRI) to dtl1_write_wakeup() once UART_LSR_THRE confirms the
 * holding register is free, and line status (UART_IIR_RLSI) is only logged.
 * The service loop is capped at roughly 100 passes.  Afterwards a change of
 * the Ring Indicator bit in UART_MSR, tracked in info->ri_latch, is treated
 * by this driver as permission to transmit: XMIT_WAITING is cleared and a
 * transmit pass is started.
 *
 * Returns IRQ_NONE when called for a device without an HCI device attached,
 * IRQ_HANDLED otherwise.
 */
static irqreturn_t dtl1_interrupt(int irq, void *dev_inst, struct pt_regs *regs)
{
	dtl1_info_t *info = dev_inst;
	unsigned int iobase;
	unsigned char msr;
	int passes = 0;
	int iir, lsr;

	if (!info || !info->hdev) {
		BT_ERR("Call of irq %d for unknown device", irq);
		return IRQ_NONE;
	}

	iobase = info->p_dev->io.BasePort1;

	spin_lock(&(info->lock));

	while ((iir = inb(iobase + UART_IIR) & UART_IIR_ID) != 0) {
		/* Reading LSR clears the interrupt */
		lsr = inb(iobase + UART_LSR);

		switch (iir) {
		case UART_IIR_RLSI:
			BT_ERR("RLSI");
			break;
		case UART_IIR_RDI:
			/* Receive interrupt */
			dtl1_receive(info);
			break;
		case UART_IIR_THRI:
			/* Transmitter ready for data */
			if (lsr & UART_LSR_THRE)
				dtl1_write_wakeup(info);
			break;
		default:
			BT_ERR("Unhandled IIR=%#x", iir);
			break;
		}

		/* Bail out rather than spin forever on a noisy UART */
		if (passes++ > 100)
			break;
	}

	msr = inb(iobase + UART_MSR);

	/* Ring Indicator toggled: kick the transmit path */
	if (info->ri_latch ^ (msr & UART_MSR_RI)) {
		info->ri_latch = msr & UART_MSR_RI;
		clear_bit(XMIT_WAITING, &(info->tx_state));
		dtl1_write_wakeup(info);
	}

	spin_unlock(&(info->lock));

	return IRQ_HANDLED;
}
357
358
359
360 /* ======================== HCI interface ======================== */
361
362
/*
 * hci_dev->open callback.  The UART is already running (dtl1_open() did
 * that before registering), so only the HCI_RUNNING flag is set.  Always 0.
 */
static int dtl1_hci_open(struct hci_dev *hdev)
{
	set_bit(HCI_RUNNING, &hdev->flags);
	return 0;
}
369
370
/*
 * hci_dev->flush callback: discard every frame still queued for the card.
 * Frames already pushed into the UART FIFO are not affected.  Always 0.
 */
static int dtl1_hci_flush(struct hci_dev *hdev)
{
	dtl1_info_t *info = hdev->driver_data;

	/* Drop TX queue */
	skb_queue_purge(&info->txq);
	return 0;
}
380
381
/*
 * hci_dev->close callback: clear HCI_RUNNING and drop the transmit queue.
 * Closing a device that is not running is a no-op.  Always 0.
 */
static int dtl1_hci_close(struct hci_dev *hdev)
{
	/* Only flush when we were the ones to clear the running flag */
	if (test_and_clear_bit(HCI_RUNNING, &(hdev->flags)))
		dtl1_hci_flush(hdev);

	return 0;
}
391
392
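/*
 * hci_dev->send callback: wrap an HCI frame in a Nokia header and queue it.
 *
 * The HCI packet type is mapped to the NSH type byte (0x81 command, 0x82
 * ACL, 0x83 SCO) and the matching hdev->stat counter is bumped.  A new
 * buffer is built from the NSH, the payload and, for odd lengths, one pad
 * byte; it is queued on info->txq and the transmit path is kicked.  The
 * incoming skb is consumed on success.
 *
 * Returns 0 on success, -ENODEV if the skb carries no HCI device, -EILSEQ
 * for a packet type this driver cannot frame (previously nsh.type was sent
 * uninitialised in that case), -ENOMEM if the outgoing buffer cannot be
 * allocated.  On the error paths the incoming skb is left untouched, as it
 * always was here; whether the HCI core frees it is part of the hdev->send
 * contract and is not changed by this function.
 */
static int dtl1_hci_send_frame(struct sk_buff *skb)
{
	dtl1_info_t *info;
	struct hci_dev *hdev = (struct hci_dev *)(skb->dev);
	struct sk_buff *s;
	nsh_t nsh;

	if (!hdev) {
		BT_ERR("Frame for unknown HCI device (hdev=NULL)");
		return -ENODEV;
	}

	/* Only dereference hdev once it is known to be non-NULL */
	info = (dtl1_info_t *)(hdev->driver_data);

	switch (bt_cb(skb)->pkt_type) {
	case HCI_COMMAND_PKT:
		hdev->stat.cmd_tx++;
		nsh.type = 0x81;
		break;
	case HCI_ACLDATA_PKT:
		hdev->stat.acl_tx++;
		nsh.type = 0x82;
		break;
	case HCI_SCODATA_PKT:
		hdev->stat.sco_tx++;
		nsh.type = 0x83;
		break;
	default:
		BT_ERR("Unknown HCI packet type 0x%02x", bt_cb(skb)->pkt_type);
		return -EILSEQ;
	}

	nsh.zero = 0;
	nsh.len = skb->len;	/* 16-bit on the wire; frames are assumed to fit, not checked here */

	/* Room for header, payload and a possible pad byte */
	s = bt_skb_alloc(NSHL + skb->len + 1, GFP_ATOMIC);
	if (!s)
		return -ENOMEM;

	skb_reserve(s, NSHL);
	memcpy(skb_put(s, skb->len), skb->data, skb->len);
	if (skb->len & 0x0001)
		*skb_put(s, 1) = 0;	/* PAD: payload always goes out with even length */

	/* Prepend skb with Nokia frame header and queue */
	memcpy(skb_push(s, NSHL), &nsh, NSHL);
	skb_queue_tail(&(info->txq), s);

	dtl1_write_wakeup(info);

	kfree_skb(skb);

	return 0;
}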
444
445
/* hci_dev->destruct callback: nothing to do, info is freed by dtl1_detach() */
static void dtl1_hci_destruct(struct hci_dev *hdev)
{
}
449
450
/* hci_dev->ioctl callback: no driver-specific ioctls are supported */
static int dtl1_hci_ioctl(struct hci_dev *hdev, unsigned int cmd,  unsigned long arg)
{
	return -ENOIOCTLCMD;
}
455
456
457
458 /* ======================== Card services HCI interaction ======================== */
459
460
/*
 * Bring up the card: initialise driver state, allocate and wire an hci_dev,
 * program the UART and register the HCI device.
 *
 * The UART is programmed under info->lock with interrupts masked, then the
 * driver sleeps 2 s before registering, per the comment below.  On success
 * info->hdev points at the registered device.  Returns 0, -ENOMEM if no
 * hci_dev could be allocated, -ENODEV if registration failed (info->hdev is
 * reset to NULL; note the UART interrupts stay enabled in that case and the
 * IRQ handler will answer IRQ_NONE until dtl1_release() runs).
 */
static int dtl1_open(dtl1_info_t *info)
{
	unsigned long flags;
	unsigned int iobase = info->p_dev->io.BasePort1;
	struct hci_dev *hdev;

	spin_lock_init(&(info->lock));

	skb_queue_head_init(&(info->txq));

	/* Receiver starts by collecting a full Nokia header */
	info->rx_state = RECV_WAIT_NSH;
	info->rx_count = NSHL;
	info->rx_skb = NULL;

	/* Nothing is sent until the card signals readiness (RI change or flow mask) */
	set_bit(XMIT_WAITING, &(info->tx_state));

	/* Initialize HCI device */
	hdev = hci_alloc_dev();
	if (!hdev) {
		BT_ERR("Can't allocate HCI device");
		return -ENOMEM;
	}

	info->hdev = hdev;

	hdev->type = HCI_PCCARD;
	hdev->driver_data = info;

	hdev->open     = dtl1_hci_open;
	hdev->close    = dtl1_hci_close;
	hdev->flush    = dtl1_hci_flush;
	hdev->send     = dtl1_hci_send_frame;
	hdev->destruct = dtl1_hci_destruct;
	hdev->ioctl    = dtl1_hci_ioctl;

	hdev->owner = THIS_MODULE;

	spin_lock_irqsave(&(info->lock), flags);

	/* Reset UART */
	outb(0, iobase + UART_MCR);

	/* Turn off interrupts */
	outb(0, iobase + UART_IER);

	/* Initialize UART: 8 data bits, DLAB clear; then raise DTR, RTS and OUT2 */
	outb(UART_LCR_WLEN8, iobase + UART_LCR);        /* Reset DLAB */
	outb((UART_MCR_DTR | UART_MCR_RTS | UART_MCR_OUT2), iobase + UART_MCR);

	/* Remember the current Ring Indicator level; dtl1_interrupt() acts on changes */
	info->ri_latch = inb(info->p_dev->io.BasePort1 + UART_MSR) & UART_MSR_RI;

	/* Turn on interrupts */
	outb(UART_IER_RLSI | UART_IER_RDI | UART_IER_THRI, iobase + UART_IER);

	spin_unlock_irqrestore(&(info->lock), flags);

	/* Timeout before it is safe to send the first HCI packet */
	msleep(2000);

	/* Register HCI device */
	if (hci_register_dev(hdev) < 0) {
		BT_ERR("Can't register HCI device");
		info->hdev = NULL;
		hci_free_dev(hdev);
		return -ENODEV;
	}

	return 0;
}
530
531
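/*
 * Shut the card down: close and unregister the HCI device and quiesce the
 * UART.  Returns -ENODEV if there is no HCI device (not opened, or already
 * closed), 0 otherwise.
 *
 * info->hdev is cleared once the device has been freed so that a later
 * dtl1_interrupt() or a second dtl1_close() sees NULL instead of a dangling
 * pointer; the old code left the freed pointer in place.
 */
static int dtl1_close(dtl1_info_t *info)
{
	unsigned long flags;
	unsigned int iobase = info->p_dev->io.BasePort1;
	struct hci_dev *hdev = info->hdev;

	if (!hdev)
		return -ENODEV;

	dtl1_hci_close(hdev);

	/* Quiesce the UART: drop modem control lines and mask every interrupt */
	spin_lock_irqsave(&(info->lock), flags);

	/* Reset UART */
	outb(0, iobase + UART_MCR);

	/* Turn off interrupts */
	outb(0, iobase + UART_IER);

	spin_unlock_irqrestore(&(info->lock), flags);

	if (hci_unregister_dev(hdev) < 0)
		BT_ERR("Can't unregister HCI device %s", hdev->name);

	hci_free_dev(hdev);
	info->hdev = NULL;

	return 0;
}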
560
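/*
 * PCMCIA probe: allocate the per-card state, describe the resources the
 * card needs (8-bit I/O window of 8 ports, exclusive level IRQ handled by
 * dtl1_interrupt()) and hand over to dtl1_config().
 *
 * Returns -ENOMEM if the state cannot be allocated, otherwise the result of
 * dtl1_config().  When configuration fails the state is freed here, since
 * dtl1_config() has already released the card and dtl1_detach() is not
 * expected to run for a probe that returned an error; the old code leaked
 * it in that case.
 */
static int dtl1_probe(struct pcmcia_device *link)
{
	dtl1_info_t *info;
	int ret;

	/* Create new info device */
	info = kzalloc(sizeof(*info), GFP_KERNEL);
	if (!info)
		return -ENOMEM;

	info->p_dev = link;
	link->priv = info;

	link->io.Attributes1 = IO_DATA_PATH_WIDTH_8;
	link->io.NumPorts1 = 8;
	link->irq.Attributes = IRQ_TYPE_EXCLUSIVE | IRQ_HANDLE_PRESENT;
	link->irq.IRQInfo1 = IRQ_LEVEL_ID;

	link->irq.Handler = dtl1_interrupt;
	link->irq.Instance = info;

	link->conf.Attributes = CONF_ENABLE_IRQ;
	link->conf.IntType = INT_MEMORY_AND_IO;

	ret = dtl1_config(link);
	if (ret) {
		/* Card already released inside dtl1_config(); nothing else frees info */
		link->priv = NULL;
		kfree(info);
	}

	return ret;
}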
586
587
/*
 * PCMCIA remove: release the HCI device and card resources, then free the
 * per-card state allocated in dtl1_probe().
 */
static void dtl1_detach(struct pcmcia_device *link)
{
	dtl1_info_t *state = link->priv;

	/* dtl1_release() still needs the state, so free it last */
	dtl1_release(link);
	kfree(state);
}
596
/*
 * Fetch the data of the current CIS tuple and parse it into @parse.
 * Returns the card-services status of whichever step failed, CS_SUCCESS
 * otherwise.
 */
static int get_tuple(struct pcmcia_device *handle, tuple_t *tuple, cisparse_t *parse)
{
	int status = pcmcia_get_tuple_data(handle, tuple);

	return (status == CS_SUCCESS) ? pcmcia_parse_tuple(handle, tuple, parse) : status;
}
607
/*
 * Position on the first CIS tuple of tuple->DesiredTuple and parse it.
 * Any positioning failure is reported as CS_NO_MORE_ITEMS.
 */
static int first_tuple(struct pcmcia_device *handle, tuple_t *tuple, cisparse_t *parse)
{
	int status = pcmcia_get_first_tuple(handle, tuple);

	return (status == CS_SUCCESS) ? get_tuple(handle, tuple, parse) : CS_NO_MORE_ITEMS;
}
614
/*
 * Advance to the next matching CIS tuple and parse it.
 * Any positioning failure is reported as CS_NO_MORE_ITEMS.
 */
static int next_tuple(struct pcmcia_device *handle, tuple_t *tuple, cisparse_t *parse)
{
	int status = pcmcia_get_next_tuple(handle, tuple);

	return (status == CS_SUCCESS) ? get_tuple(handle, tuple, parse) : CS_NO_MORE_ITEMS;
}
621
/*
 * Configure the card: read the CIS, claim an I/O window and the IRQ, enable
 * the configuration and bring up the HCI device through dtl1_open().
 *
 * Returns 0 on success.  On any failure the card is released again through
 * dtl1_release() and -ENODEV is returned; a CIS parse failure is first
 * reported through cs_error() with the failing step.
 */
static int dtl1_config(struct pcmcia_device *link)
{
	dtl1_info_t *info = link->priv;
	tuple_t tuple;
	u_short buf[256];
	cisparse_t parse;
	cistpl_cftable_entry_t *cf = &parse.cftable_entry;
	int i, last_ret, last_fn;

	tuple.TupleData = (cisdata_t *)buf;
	tuple.TupleOffset = 0;
	tuple.TupleDataMax = 255;
	tuple.Attributes = 0;

	/* Get configuration register information */
	tuple.DesiredTuple = CISTPL_CONFIG;
	last_ret = first_tuple(link, &tuple, &parse);
	if (last_ret != CS_SUCCESS) {
		last_fn = ParseTuple;
		goto cs_failed;
	}
	link->conf.ConfigBase = parse.config.base;
	link->conf.Present = parse.config.rmask[0];

	/* Re-arm the tuple for a second walk of the CIS */
	tuple.TupleData = (cisdata_t *)buf;
	tuple.TupleOffset = 0;
	tuple.TupleDataMax = 255;
	tuple.Attributes = 0;
	tuple.DesiredTuple = CISTPL_CFTABLE_ENTRY;

	/* Look for a generic full-sized window */
	link->io.NumPorts1 = 8;
	i = first_tuple(link, &tuple, &parse);
	while (i != CS_NO_MORE_ITEMS) {
		/* First entry with a single I/O window wider than 8 ports that we can claim wins */
		if ((i == CS_SUCCESS) && (cf->io.nwin == 1) && (cf->io.win[0].len > 8)) {
			link->conf.ConfigIndex = cf->index;
			link->io.BasePort1 = cf->io.win[0].base;
			link->io.NumPorts1 = cf->io.win[0].len; /* claim the whole window, not just 8 ports */
			link->io.IOAddrLines = cf->io.flags & CISTPL_IO_LINES_MASK;
			i = pcmcia_request_io(link, &link->io);
			if (i == CS_SUCCESS)
				break;
		}
		i = next_tuple(link, &tuple, &parse);
	}

	/* Here either the request succeeded (loop broke) or the CIS ran out */
	if (i != CS_SUCCESS) {
		cs_error(link, RequestIO, i);
		goto failed;
	}

	/* An IRQ request failure is reported but not treated as fatal here */
	i = pcmcia_request_irq(link, &link->irq);
	if (i != CS_SUCCESS) {
		cs_error(link, RequestIRQ, i);
		link->irq.AssignedIRQ = 0;
	}

	i = pcmcia_request_configuration(link, &link->conf);
	if (i != CS_SUCCESS) {
		cs_error(link, RequestConfiguration, i);
		goto failed;
	}

	if (dtl1_open(info) != 0)
		goto failed;

	/* hdev->name is presumably filled in by hci_register_dev() inside dtl1_open() */
	strcpy(info->node.dev_name, info->hdev->name);
	link->dev_node = &info->node;

	return 0;

cs_failed:
	cs_error(link, last_fn, last_ret);

failed:
	dtl1_release(link);
	return -ENODEV;
}
700
701
/*
 * Undo dtl1_config(): shut down the HCI side (a no-op if dtl1_open() never
 * succeeded) and give the I/O window, IRQ and configuration back.
 */
static void dtl1_release(struct pcmcia_device *link)
{
	dtl1_info_t *state = link->priv;

	/* HCI device first, while the card resources are still ours */
	dtl1_close(state);
	pcmcia_disable_device(link);
}
710
711
/* Cards bound by this driver, matched on product-ID strings and their hashes */
static struct pcmcia_device_id dtl1_ids[] = {
	PCMCIA_DEVICE_PROD_ID12("Nokia Mobile Phones", "DTL-1", 0xe1bfdd64, 0xe168480d),
	PCMCIA_DEVICE_PROD_ID12("Socket", "CF", 0xb38bcc2e, 0x44ebf863),
	PCMCIA_DEVICE_PROD_ID12("Socket", "CF+ Personal Network Card", 0xb38bcc2e, 0xe732bae3),
	PCMCIA_DEVICE_NULL
};
MODULE_DEVICE_TABLE(pcmcia, dtl1_ids);
719
/* Driver registration: probe/remove pair with the ID table above */
static struct pcmcia_driver dtl1_driver = {
	.owner          = THIS_MODULE,
	.drv            = {
		.name   = "dtl1_cs",
	},
	.probe          = dtl1_probe,
	.remove         = dtl1_detach,
	.id_table       = dtl1_ids,
};
729
/* Module entry: register with the PCMCIA core; returns its status */
static int __init init_dtl1_cs(void)
{
	return pcmcia_register_driver(&dtl1_driver);
}
734
735
/* Module exit: unregister; the core detaches any bound cards via dtl1_detach() */
static void __exit exit_dtl1_cs(void)
{
	pcmcia_unregister_driver(&dtl1_driver);
}
740
/* Hook the init/exit functions into the module lifecycle */
module_init(init_dtl1_cs);
module_exit(exit_dtl1_cs);