V4L/DVB (4176): Bug-fix: Fix memory overflow
[linux-2.6.git] / drivers / media / dvb / bt8xx / bt878.c
1 /*
2  * bt878.c: part of the driver for the Pinnacle PCTV Sat DVB PCI card
3  *
4  * Copyright (C) 2002 Peter Hettkamp <peter.hettkamp@htp-tel.de>
5  *
6  * large parts based on the bttv driver
7  * Copyright (C) 1996,97,98 Ralph  Metzler (rjkm@metzlerbros.de)
8  *                        & Marcus Metzler (mocm@metzlerbros.de)
9  * (c) 1999,2000 Gerd Knorr <kraxel@goldbach.in-berlin.de>
10  *
11  * This program is free software; you can redistribute it and/or
12  * modify it under the terms of the GNU General Public License
13  * as published by the Free Software Foundation; either version 2
14  * of the License, or (at your option) any later version.
15  *
16
17  * This program is distributed in the hope that it will be useful,
18  * but WITHOUT ANY WARRANTY; without even the implied warranty of
19  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
20  * GNU General Public License for more details.
21  *
22
23  * You should have received a copy of the GNU General Public License
24  * along with this program; if not, write to the Free Software
25  * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
26  * Or, point your browser to http://www.gnu.org/copyleft/gpl.html
27  *
28  */
29
30 #include <linux/module.h>
31 #include <linux/moduleparam.h>
32 #include <linux/kernel.h>
33 #include <linux/pci.h>
34 #include <asm/io.h>
35 #include <linux/ioport.h>
36 #include <asm/pgtable.h>
37 #include <asm/page.h>
38 #include <linux/types.h>
39 #include <linux/interrupt.h>
40 #include <linux/kmod.h>
41 #include <linux/vmalloc.h>
42 #include <linux/init.h>
43
44 #include "dmxdev.h"
45 #include "dvbdev.h"
46 #include "bt878.h"
47 #include "dst_priv.h"
48
49
50 /**************************************/
51 /* Miscellaneous utility  definitions */
52 /**************************************/
53
/* Non-zero enables the informational printk()s in the IRQ handler and in
 * bt878_remove(). Exposed read-only (0444) as module parameter "verbose". */
static unsigned int bt878_verbose = 1;
/* Non-zero enables every dprintk() in this file. Exposed as module
 * parameter "debug" with mode 0644, i.e. the owner may change it at runtime. */
static unsigned int bt878_debug;

/* NOTE(review): both variables are unsigned int but are registered with the
 * "int" parameter type -- confirm the signedness mismatch is intended. */
module_param_named(verbose, bt878_verbose, int, 0444);
MODULE_PARM_DESC(verbose,
                 "verbose startup messages, default is 1 (yes)");
module_param_named(debug, bt878_debug, int, 0644);
MODULE_PARM_DESC(debug, "Turn on/off debugging, default is 0 (off).");

/* Index of the next free slot in bt878[]; bt878_probe() increments it after
 * a successful probe and rejects new devices once it reaches BT878_MAX. */
int bt878_num;
/* Fixed-size table of per-card state, indexed by probe order. */
struct bt878 bt878[BT878_MAX];

/* NOTE(review): bt878_debug and bt878_verbose are declared static above and
 * exported here as well -- confirm which linkage is intended. */
EXPORT_SYMBOL(bt878_debug);
EXPORT_SYMBOL(bt878_verbose);
EXPORT_SYMBOL(bt878_num);
EXPORT_SYMBOL(bt878);
70
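/*
 * Register accessors. Every macro below expands to an expression that uses
 * a variable named `bt` from the calling scope and adds the register offset
 * to bt->bt878_mem.
 */
#define btwrite(dat,adr)    bmtwrite((dat), (bt->bt878_mem+(adr)))
#define btread(adr)         bmtread(bt->bt878_mem+(adr))

/*
 * Read-modify-write helpers: each one reads the register and writes the
 * combined value back as two separate accesses.
 */
#define btand(dat,adr)      btwrite((dat) & btread(adr), adr)
#define btor(dat,adr)       btwrite((dat) | btread(adr), adr)
#define btaor(dat,mask,adr) btwrite((dat) | ((mask) & btread(adr)), adr)

#if defined(dprintk)
#undef dprintk
#endif
/*
 * Debug printk, active only while bt878_debug is non-zero.
 *
 * The do { } while (0) wrapper makes the macro a single statement. The
 * previous form, "if (bt878_debug) printk", would silently capture an
 * `else` that follows a dprintk() used as the body of an outer `if`.
 */
#define dprintk(fmt, arg...)                            \
        do {                                            \
                if (bt878_debug)                        \
                        printk(fmt, ##arg);             \
        } while (0)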
82
/*
 * Release the two DMA-coherent allocations owned by a card: the data buffer
 * (buf_cpu) and the RISC program buffer (risc_cpu). Each pointer is reset to
 * NULL after its buffer is freed, so calling this again is a no-op.
 */
static void bt878_mem_free(struct bt878 *bt)
{
        /* Data buffer. */
        if (bt->buf_cpu != NULL) {
                pci_free_consistent(bt->dev, bt->buf_size,
                                    bt->buf_cpu, bt->buf_dma);
                bt->buf_cpu = NULL;
        }

        /* RISC program buffer. */
        if (bt->risc_cpu != NULL) {
                pci_free_consistent(bt->dev, bt->risc_size,
                                    bt->risc_cpu, bt->risc_dma);
                bt->risc_cpu = NULL;
        }
}
97
/*
 * Allocate and zero the DMA-coherent buffers a card needs: a 128 KiB data
 * buffer and a one-page RISC program buffer. A buffer that is already
 * present is left untouched.
 *
 * Returns 0 on success or -ENOMEM. If the RISC buffer cannot be allocated,
 * bt878_mem_free() is called, which also releases the data buffer.
 */
static int bt878_mem_alloc(struct bt878 *bt)
{
        if (bt->buf_cpu == NULL) {
                bt->buf_size = 128 * 1024;
                bt->buf_cpu = pci_alloc_consistent(bt->dev, bt->buf_size,
                                                   &bt->buf_dma);
                if (bt->buf_cpu == NULL)
                        return -ENOMEM;

                memset(bt->buf_cpu, 0, bt->buf_size);
        }

        if (bt->risc_cpu == NULL) {
                bt->risc_size = PAGE_SIZE;
                bt->risc_cpu = pci_alloc_consistent(bt->dev, bt->risc_size,
                                                    &bt->risc_dma);
                if (bt->risc_cpu == NULL)
                        goto no_risc;

                memset(bt->risc_cpu, 0, bt->risc_size);
        }

        return 0;

      no_risc:
        bt878_mem_free(bt);
        return -ENOMEM;
}
129
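/*
 * RISC instructions: opcode shifted into the top four bits of the word.
 * The constants are unsigned because 0x08 << 28 does not fit in a signed int.
 */
#define RISC_WRITE              (0x01U << 28)
#define RISC_JUMP               (0x07U << 28)
#define RISC_SYNC               (0x08U << 28)

/* RISC bits */
#define RISC_WR_SOL             (1 << 27)
#define RISC_WR_EOL             (1 << 26)
#define RISC_IRQ                (1 << 24)
/*
 * Status nibble: the inverted value goes to bits 23:20 and the value itself
 * to bits 19:16. The argument is parenthesised so that an expression such as
 * `a % b` is evaluated as a whole before `~` and `&` are applied to it.
 */
#define RISC_STATUS(status)     ((((~(status)) & 0x0F) << 20) | (((status) & 0x0F) << 16))
#define RISC_SYNC_RESYNC        (1 << 15)
#define RISC_SYNC_FM1           0x06
#define RISC_SYNC_VRO           0x0C

/*
 * RISC program emitters; both use a variable named `bt` from the calling
 * scope. RISC_INSTR appends one little-endian word and advances risc_pos
 * without any bounds check, so the caller must keep the program within the
 * risc_cpu allocation.
 */
#define RISC_FLUSH()            (bt->risc_pos = 0)
#define RISC_INSTR(instr)       (bt->risc_cpu[bt->risc_pos++] = cpu_to_le32(instr))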
146
/*
 * Derive the block and line geometry of the data buffer.
 *
 * The buffer is divided into 16 blocks. Lines start out as one per block and
 * are halved (doubling the line count) until a line is at most 4095 bytes.
 *
 * Returns 0 on success, or -EINVAL when more than 255 lines would be needed.
 * NOTE(review): 4095 and 255 presumably mirror hardware field widths --
 * confirm against the Bt878 data sheet.
 */
static int bt878_make_risc(struct bt878 *bt)
{
        bt->block_count = 1 << 4;
        bt->block_bytes = bt->buf_size >> 4;

        bt->line_count = bt->block_count;
        bt->line_bytes = bt->block_bytes;

        for (; bt->line_bytes > 4095; bt->line_bytes >>= 1)
                bt->line_count <<= 1;

        if (bt->line_count <= 255)
                return 0;

        printk("bt878: buffer size error!\n");
        return -EINVAL;
}
165
166
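/*
 * Write the RISC DMA program into bt->risc_cpu and load the packet geometry
 * into BT878_APACK_LEN.
 *
 * Layout: a SYNC/FM1 pair, one WRITE + target-address pair per line, a
 * SYNC/VRO pair, and a JUMP back to the start of the program. The first
 * line of every block also raises an IRQ that carries the number of the
 * block that has just been completed.
 *
 * The program takes 2 * line_count + 6 words. RISC_INSTR does not check
 * bounds, so this relies on the geometry computed by bt878_make_risc()
 * (at most 255 lines, i.e. 516 words) fitting the risc_size allocation.
 *
 * @bt:           card whose RISC buffer is programmed
 * @op_sync_orin: extra bits ORed into both SYNC instructions
 */
static void bt878_risc_program(struct bt878 *bt, u32 op_sync_orin)
{
        u32 buf_pos = 0;
        u32 line;

        RISC_FLUSH();
        RISC_INSTR(RISC_SYNC | RISC_SYNC_FM1 | op_sync_orin);
        RISC_INSTR(0);

        dprintk("bt878: risc len lines %u, bytes per line %u\n",
                        bt->line_count, bt->line_bytes);
        for (line = 0; line < bt->line_count; line++) {
                if (!(buf_pos % bt->block_bytes)) {
                        /*
                         * Start of a block: report the previous (finished)
                         * block. The number is computed into a local first
                         * so that the result does not depend on how
                         * RISC_STATUS() parenthesises its argument; passing
                         * the `%` expression directly let `~` bind before
                         * `%`, which is only correct while block_count is a
                         * power of two.
                         */
                        u32 done_block = ((buf_pos / bt->block_bytes) +
                                          (bt->block_count - 1)) %
                                         bt->block_count;

                        RISC_INSTR(RISC_WRITE | RISC_WR_SOL | RISC_WR_EOL |
                                   RISC_IRQ | RISC_STATUS(done_block) |
                                   bt->line_bytes);
                } else {
                        RISC_INSTR(RISC_WRITE | RISC_WR_SOL | RISC_WR_EOL |
                                   bt->line_bytes);
                }
                RISC_INSTR(bt->buf_dma + buf_pos);
                buf_pos += bt->line_bytes;
        }

        RISC_INSTR(RISC_SYNC | op_sync_orin | RISC_SYNC_VRO);
        RISC_INSTR(0);

        /* Loop: jump back to the first instruction of this program. */
        RISC_INSTR(RISC_JUMP);
        RISC_INSTR(bt->risc_dma);

        btwrite((bt->line_count << 16) | bt->line_bytes, BT878_APACK_LEN);
}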
204
205 /*****************************/
206 /* Start/Stop grabbing funcs */
207 /*****************************/
208
/*
 * Start capturing on a card.
 *
 * @bt:             card to start
 * @controlreg:     value for BT878_AGPIO_DMA_CTL; its low five bits are
 *                  replaced with 0x1b before it is written
 * @op_sync_orin:   passed through to bt878_risc_program()
 * @irq_err_ignore: interrupt bits the caller wants left masked
 *
 * Register order: RISC start address, interrupt mask, then the DMA control
 * register.
 */
void bt878_start(struct bt878 *bt, u32 controlreg, u32 op_sync_orin,
                u32 irq_err_ignore)
{
        u32 int_mask;

        dprintk("bt878 debug: bt878_start (ctl=%8.8x)\n", controlreg);

        /* The RISC program can only be completed here, once the caller has
         * supplied the card specifics. */
        bt878_risc_program(bt, op_sync_orin);
        controlreg = (controlreg & ~0x1f) | 0x1b;

        btwrite(bt->risc_dma, BT878_ARISC_START);

        /*
         * Enable every error interrupt plus RISCI, then drop the bits the
         * caller asked to ignore. Card-specific reductions of the mask are
         * therefore expressed through irq_err_ignore, not here.
         */
        int_mask = (BT878_ASCERR | BT878_AOCERR | BT878_APABORT |
                    BT878_ARIPERR | BT878_APPERR | BT878_AFDSR |
                    BT878_AFTRGT | BT878_AFBUS | BT878_ARISCI) &
                   ~irq_err_ignore;

        btwrite(int_mask, BT878_AINT_MASK);
        btwrite(controlreg, BT878_AGPIO_DMA_CTL);
}
242
/*
 * Stop capturing on a card: mask all interrupts, clear bits 0x13 of the DMA
 * control register, then poll BT878_AINT_STAT up to 500 times until
 * BT878_ARISC_EN reads back as clear. There is no delay between polls and
 * no error is reported if the bit never clears.
 */
void bt878_stop(struct bt878 *bt)
{
        u32 stat = 0;
        int polls;

        dprintk("bt878 debug: bt878_stop\n");

        btwrite(0, BT878_AINT_MASK);
        btand(~0x13, BT878_AGPIO_DMA_CTL);

        for (polls = 0; polls < 500; polls++) {
                stat = btread(BT878_AINT_STAT);
                if (!(stat & BT878_ARISC_EN))
                        break;
        }

        dprintk("bt878(%d) debug: bt878_stop, i=%d, stat=0x%8.8x\n",
                bt->nr, polls, stat);
}
263
264 EXPORT_SYMBOL(bt878_start);
265 EXPORT_SYMBOL(bt878_stop);
266
267 /*****************************/
268 /* Interrupt service routine */
269 /*****************************/
270
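/*
 * Interrupt handler (registered with SA_SHIRQ, so the line may be shared).
 *
 * Each pass reads the status and mask registers, acknowledges the enabled
 * pending bits, logs error conditions when bt878_verbose is set, and on
 * RISCI records the finished block number and schedules the tasklet.
 * After more than 20 passes without RISCI the interrupt mask is cleared to
 * break a possible lockup.
 *
 * Returns IRQ_NONE only when the very first pass finds nothing pending for
 * this card; once at least one pass has serviced the device the result is
 * IRQ_HANDLED.
 */
static irqreturn_t bt878_irq(int irq, void *dev_id, struct pt_regs *regs)
{
        u32 stat, astat, mask;
        int count;
        struct bt878 *bt;

        bt = (struct bt878 *) dev_id;

        count = 0;
        while (1) {
                stat = btread(BT878_AINT_STAT);
                mask = btread(BT878_AINT_MASK);
                if (!(astat = (stat & mask))) {
                        /*
                         * Nothing (left) to do. count is non-zero when an
                         * earlier pass already acknowledged bits for this
                         * card; reporting IRQ_NONE in that case would tell
                         * the IRQ core that an interrupt we serviced was
                         * not ours.
                         */
                        return count ? IRQ_HANDLED : IRQ_NONE;
                }
                btwrite(astat, BT878_AINT_STAT);        /* try to clear interrupt condition */


                if (astat & (BT878_ASCERR | BT878_AOCERR)) {
                        if (bt878_verbose) {
                                printk("bt878(%d): irq%s%s risc_pc=%08x\n",
                                       bt->nr,
                                       (astat & BT878_ASCERR) ? " SCERR" :
                                       "",
                                       (astat & BT878_AOCERR) ? " OCERR" :
                                       "", btread(BT878_ARISC_PC));
                        }
                }
                if (astat & (BT878_APABORT | BT878_ARIPERR | BT878_APPERR)) {
                        if (bt878_verbose) {
                                printk
                                    ("bt878(%d): irq%s%s%s risc_pc=%08x\n",
                                     bt->nr,
                                     (astat & BT878_APABORT) ? " PABORT" :
                                     "",
                                     (astat & BT878_ARIPERR) ? " RIPERR" :
                                     "",
                                     (astat & BT878_APPERR) ? " PPERR" :
                                     "", btread(BT878_ARISC_PC));
                        }
                }
                if (astat & (BT878_AFDSR | BT878_AFTRGT | BT878_AFBUS)) {
                        if (bt878_verbose) {
                                printk
                                    ("bt878(%d): irq%s%s%s risc_pc=%08x\n",
                                     bt->nr,
                                     (astat & BT878_AFDSR) ? " FDSR" : "",
                                     (astat & BT878_AFTRGT) ? " FTRGT" :
                                     "",
                                     (astat & BT878_AFBUS) ? " FBUS" : "",
                                     btread(BT878_ARISC_PC));
                        }
                }
                if (astat & BT878_ARISCI) {
                        /* The top four status bits carry the block number
                         * that the RISC program attached to this IRQ. */
                        bt->finished_block = (stat & BT878_ARISCS) >> 28;
                        tasklet_schedule(&bt->tasklet);
                        break;
                }
                count++;
                if (count > 20) {
                        /* Errors keep re-asserting: mask everything so the
                         * handler cannot spin forever. */
                        btwrite(0, BT878_AINT_MASK);
                        printk(KERN_ERR
                               "bt878(%d): IRQ lockup, cleared int mask\n",
                               bt->nr);
                        break;
                }
        }
        return IRQ_HANDLED;
}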
340
/*
 * Perform a GPIO or transport-stream control operation for a card.
 *
 * @bt:  card to operate on
 * @cmd: one of DST_IG_ENABLE, DST_IG_WRITE, DST_IG_READ, DST_IG_TS
 * @mp:  request packet; the member that is used depends on @cmd. It is
 *       dereferenced without a NULL check, so callers must pass a valid
 *       pointer.
 *
 * The whole operation runs under bt->gpio_lock.
 *
 * Returns the result of the bttv GPIO helper, 0 for DST_IG_TS, -EINVAL for
 * an unknown command, or -ERESTARTSYS if waiting for the lock was
 * interrupted.
 */
int
bt878_device_control(struct bt878 *bt, unsigned int cmd, union dst_gpio_packet *mp)
{
        int retval = 0;

        if (mutex_lock_interruptible(&bt->gpio_lock))
                return -ERESTARTSYS;

        switch (cmd) {
        case DST_IG_ENABLE:
                /* Configure which GPIO lines are enabled. */
                retval = bttv_gpio_enable(bt->bttv_nr, mp->enb.mask,
                                          mp->enb.enable);
                break;
        case DST_IG_WRITE:
                /* Drive the masked GPIO lines. */
                retval = bttv_write_gpio(bt->bttv_nr, mp->outp.mask,
                                         mp->outp.highvals);
                break;
        case DST_IG_READ:
                /* Sample the GPIO lines into the caller's packet. */
                retval = bttv_read_gpio(bt->bttv_nr, &mp->rd.value);
                break;
        case DST_IG_TS:
                /* Set packet size.
                 * NOTE(review): psize is stored as given; any range check
                 * is left to whoever consumes TS_Size -- confirm. */
                bt->TS_Size = mp->psize;
                break;
        default:
                retval = -EINVAL;
                break;
        }

        mutex_unlock(&bt->gpio_lock);
        return retval;
}
381
382 EXPORT_SYMBOL(bt878_device_control);
383
384
/*
 * Boards known to carry DVB functions. The first field is compared in
 * bt878_probe() against (PCI subsystem ID << 16) | PCI subsystem vendor ID.
 *
 * NOTE(review): the probe loop runs over ARRAY_SIZE(card_list), which
 * includes the terminating { 0, -1, NULL } entry, so a card reporting a
 * subsystem ID of 0 matches the terminator -- confirm whether that is
 * intended.
 */
static struct cards card_list[] __devinitdata = {

        { 0x01010071, BTTV_BOARD_NEBULA_DIGITV,                 "Nebula Electronics DigiTV" },
        { 0x07611461, BTTV_BOARD_AVDVBT_761,                    "AverMedia AverTV DVB-T 761" },
        { 0x001c11bd, BTTV_BOARD_PINNACLESAT,                   "Pinnacle PCTV Sat" },
        { 0x002611bd, BTTV_BOARD_TWINHAN_DST,                   "Pinnacle PCTV SAT CI" },
        { 0x00011822, BTTV_BOARD_TWINHAN_DST,                   "Twinhan VisionPlus DVB" },
        { 0xfc00270f, BTTV_BOARD_TWINHAN_DST,                   "ChainTech digitop DST-1000 DVB-S" },
        { 0x07711461, BTTV_BOARD_AVDVBT_771,                    "AVermedia AverTV DVB-T 771" },
        { 0xdb1018ac, BTTV_BOARD_DVICO_DVBT_LITE,               "DViCO FusionHDTV DVB-T Lite" },
        { 0xd50018ac, BTTV_BOARD_DVICO_FUSIONHDTV_5_LITE,       "DViCO FusionHDTV 5 Lite" },
        { 0x20007063, BTTV_BOARD_PC_HDTV,                       "pcHDTV HD-2000 TV"},
        { 0, -1, NULL }
};
399
400
401 /***********************/
402 /* PCI device handling */
403 /***********************/
404
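/*
 * PCI probe: claim one Bt878 audio function that belongs to a known DVB
 * board and prepare it for capturing.
 *
 * Steps: enable the device, match its subsystem ID against card_list, fill
 * in the next free bt878[] slot, reserve and map the register window,
 * install the (shared) interrupt handler, allocate the DMA buffers and
 * compute the RISC geometry. bt878_num is only advanced on success.
 *
 * Returns 0 on success or a negative errno. On failure everything that was
 * acquired up to that point is released again, including the register
 * mapping and the driver data pointer.
 */
static int __devinit bt878_probe(struct pci_dev *dev,
                                 const struct pci_device_id *pci_id)
{
        int result = 0, has_dvb = 0, i;
        unsigned char lat;
        struct bt878 *bt;
#if defined(__powerpc__)
        unsigned int cmd;
#endif
        unsigned int cardid;
        unsigned short id;
        struct cards *dvb_cards;

        printk(KERN_INFO "bt878: Bt878 AUDIO function found (%d).\n",
               bt878_num);
        if (bt878_num >= BT878_MAX) {
                printk(KERN_ERR "bt878: Too many devices inserted\n");
                /* The device has not been enabled yet, so there is nothing
                 * to disable on this path. */
                return -ENOMEM;
        }
        if (pci_enable_device(dev))
                return -EIO;

        pci_read_config_word(dev, PCI_SUBSYSTEM_ID, &id);
        /* Widen before shifting: `id` promotes to a signed int, and IDs
         * with the top bit set would otherwise shift into the sign bit. */
        cardid = (unsigned int) id << 16;
        pci_read_config_word(dev, PCI_SUBSYSTEM_VENDOR_ID, &id);
        cardid |= id;

        /* NOTE(review): the loop bound includes card_list's terminating
         * { 0, -1, NULL } entry, so cardid == 0 is accepted -- confirm. */
        for (i = 0, dvb_cards = card_list; i < ARRAY_SIZE(card_list); i++, dvb_cards++) {
                if (cardid == dvb_cards->pci_id) {
                        printk("%s: card id=[0x%x],[ %s ] has DVB functions.\n",
                                __func__, cardid, dvb_cards->name);
                        has_dvb = 1;
                }
        }

        if (!has_dvb) {
                printk("%s: card id=[0x%x], Unknown card.\nExiting..\n", __func__, cardid);
                result = -EINVAL;

                goto fail0;
        }

        bt = &bt878[bt878_num];
        bt->dev = dev;
        bt->nr = bt878_num;
        bt->shutdown = 0;

        bt->id = dev->device;
        bt->irq = dev->irq;
        bt->bt878_adr = pci_resource_start(dev, 0);
        if (!request_mem_region(pci_resource_start(dev, 0),
                                pci_resource_len(dev, 0), "bt878")) {
                result = -EBUSY;
                goto fail0;
        }

        pci_read_config_byte(dev, PCI_CLASS_REVISION, &bt->revision);
        pci_read_config_byte(dev, PCI_LATENCY_TIMER, &lat);


        printk(KERN_INFO "bt878(%d): Bt%x (rev %d) at %02x:%02x.%x, ",
               bt878_num, bt->id, bt->revision, dev->bus->number,
               PCI_SLOT(dev->devfn), PCI_FUNC(dev->devfn));
        printk("irq: %d, latency: %d, memory: 0x%lx\n",
               bt->irq, lat, bt->bt878_adr);


#if defined(__powerpc__)
        /* on OpenFirmware machines (PowerMac at least), PCI memory cycle */
        /* response on cards with no firmware is not enabled by OF */
        pci_read_config_dword(dev, PCI_COMMAND, &cmd);
        cmd = (cmd | PCI_COMMAND_MEMORY);
        pci_write_config_dword(dev, PCI_COMMAND, cmd);
#endif

#ifdef __sparc__
        bt->bt878_mem = (unsigned char *) bt->bt878_adr;
#else
        bt->bt878_mem = ioremap(bt->bt878_adr, 0x1000);
        if (!bt->bt878_mem) {
                /* Every btwrite()/btread() below dereferences this mapping,
                 * so a failed ioremap must stop the probe here. */
                printk(KERN_ERR "bt878(%d): ioremap failed\n", bt878_num);
                result = -ENOMEM;
                goto fail1;
        }
#endif

        /* clear interrupt mask */
        btwrite(0, BT848_INT_MASK);

        result = request_irq(bt->irq, bt878_irq,
                             SA_SHIRQ | SA_INTERRUPT, "bt878",
                             (void *) bt);
        if (result == -EINVAL) {
                printk(KERN_ERR "bt878(%d): Bad irq number or handler\n",
                       bt878_num);
                goto fail_unmap;
        }
        if (result == -EBUSY) {
                printk(KERN_ERR
                       "bt878(%d): IRQ %d busy, change your PnP config in BIOS\n",
                       bt878_num, bt->irq);
                goto fail_unmap;
        }
        if (result < 0)
                goto fail_unmap;

        pci_set_master(dev);
        pci_set_drvdata(dev, bt);

        if ((result = bt878_mem_alloc(bt))) {
                printk("bt878: failed to allocate memory!\n");
                goto fail2;
        }

        /*
         * The geometry computed here bounds the size of the RISC program
         * that bt878_risc_program() later writes into risc_cpu, so a
         * rejected geometry must not be ignored.
         */
        if ((result = bt878_make_risc(bt))) {
                bt878_mem_free(bt);
                goto fail2;
        }
        btwrite(0, BT878_AINT_MASK);
        bt878_num++;

        return 0;

      fail2:
        pci_set_drvdata(dev, NULL);
        free_irq(bt->irq, bt);
      fail_unmap:
#ifndef __sparc__
        iounmap(bt->bt878_mem);
#endif
        bt->bt878_mem = NULL;
      fail1:
        release_mem_region(pci_resource_start(bt->dev, 0),
                           pci_resource_len(bt->dev, 0));
      fail0:
        pci_disable_device(dev);
        return result;
}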
536
/*
 * PCI remove: quiesce the card and release everything bt878_probe()
 * acquired. The order matters: capture, DMA and interrupts are switched off
 * and bus-mastering is disabled before the IRQ handler is removed, the
 * register window is unmapped and the DMA buffers are freed.
 */
static void __devexit bt878_remove(struct pci_dev *pci_dev)
{
        struct bt878 *bt = pci_get_drvdata(pci_dev);
        u8 command;

        if (bt878_verbose)
                printk("bt878(%d): unloading\n", bt->nr);

        /* Stop capturing and DMA. */
        btand(~0x13, BT878_AGPIO_DMA_CTL);

        /* Mask and acknowledge all interrupts while the registers are
         * still mapped. */
        btwrite(0, BT878_AINT_MASK);
        btwrite(~0U, BT878_AINT_STAT);

        /* Clear the bus-master bit in the low byte of PCI_COMMAND. */
        pci_read_config_byte(bt->dev, PCI_COMMAND, &command);
        command = command & ~PCI_COMMAND_MASTER;
        pci_write_config_byte(bt->dev, PCI_COMMAND, command);

        free_irq(bt->irq, bt);
        /* NOTE(review): this writes the mapping address to the kernel log;
         * consider whether the pointer value needs to be logged. */
        printk(KERN_DEBUG "bt878_mem: 0x%p.\n", bt->bt878_mem);
        if (bt->bt878_mem != NULL)
                iounmap(bt->bt878_mem);

        release_mem_region(pci_resource_start(bt->dev, 0),
                           pci_resource_len(bt->dev, 0));

        /* Mark the card as going away.
         * NOTE(review): nothing in this function wakes a waiter, and the
         * flag is only set after the IRQ and mapping are gone -- confirm
         * how readers of `shutdown` are expected to observe it. */
        bt->shutdown = 1;
        bt878_mem_free(bt);

        pci_set_drvdata(pci_dev, NULL);
        pci_disable_device(pci_dev);
}
576
/*
 * PCI match table: any Brooktree 878 function, regardless of subsystem IDs.
 * The narrowing to supported boards happens in bt878_probe() via card_list.
 */
static struct pci_device_id bt878_pci_tbl[] __devinitdata = {
        {PCI_VENDOR_ID_BROOKTREE, PCI_DEVICE_ID_BROOKTREE_878,
         PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0},
        {0,}
};

MODULE_DEVICE_TABLE(pci, bt878_pci_tbl);

/* Driver registration record handed to the PCI core by bt878_init_module(). */
static struct pci_driver bt878_pci_driver = {
      .name     = "bt878",
      .id_table = bt878_pci_tbl,
      .probe    = bt878_probe,
      .remove   = bt878_remove,
};

/* Set by bt878_init_module() and checked by bt878_cleanup_module() so the
 * driver is unregistered at most once. */
static int bt878_pci_driver_registered;
593
594 /*******************************/
595 /* Module management functions */
596 /*******************************/
597
/*
 * Module entry point: reset the device counter, announce the driver version
 * and register with the PCI core.
 *
 * Returns whatever pci_register_driver() returns. The "registered" flag is
 * set before that call and is not cleared if the call fails.
 */
static int bt878_init_module(void)
{
        bt878_pci_driver_registered = 0;
        bt878_num = 0;

        printk(KERN_INFO "bt878: AUDIO driver version %d.%d.%d loaded\n",
               (BT878_VERSION_CODE >> 16) & 0xff,
               (BT878_VERSION_CODE >> 8) & 0xff,
               BT878_VERSION_CODE & 0xff);

        /* Registration triggers bt878_probe() for every matching device. */
        bt878_pci_driver_registered = 1;
        return pci_register_driver(&bt878_pci_driver);
}
615
/*
 * Module exit point: unregister the PCI driver if bt878_init_module()
 * marked it as registered, clearing the flag first.
 */
static void bt878_cleanup_module(void)
{
        if (!bt878_pci_driver_registered)
                return;

        bt878_pci_driver_registered = 0;
        pci_unregister_driver(&bt878_pci_driver);
}
624
625 module_init(bt878_init_module);
626 module_exit(bt878_cleanup_module);
627
628 //MODULE_AUTHOR("XXX");
629 MODULE_LICENSE("GPL");
630
631 /*
632  * Local variables:
633  * c-basic-offset: 8
634  * End:
635  */