firewire: potentially invalid pointers used in fw_card_bm_work
[linux-2.6/btrfs-unstable.git] / drivers / firewire / fw-card.c
1 /*
2 * Copyright (C) 2005-2007 Kristian Hoegsberg <krh@bitplanet.net>
4 * This program is free software; you can redistribute it and/or modify
5 * it under the terms of the GNU General Public License as published by
6 * the Free Software Foundation; either version 2 of the License, or
7 * (at your option) any later version.
9 * This program is distributed in the hope that it will be useful,
10 * but WITHOUT ANY WARRANTY; without even the implied warranty of
11 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
12 * GNU General Public License for more details.
14 * You should have received a copy of the GNU General Public License
15 * along with this program; if not, write to the Free Software Foundation,
16 * Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
19 #include <linux/module.h>
20 #include <linux/errno.h>
21 #include <linux/device.h>
22 #include <linux/mutex.h>
23 #include <linux/crc-itu-t.h>
24 #include "fw-transaction.h"
25 #include "fw-topology.h"
26 #include "fw-device.h"
/*
 * Compute the CRC of one config ROM block and merge it into the block header.
 *
 * @block: header quadlet of the block, followed by its payload quadlets.
 *
 * The payload length in quadlets is taken from bits 16..23 of the header.
 * That many quadlets after the header are converted to big-endian and fed
 * to crc_itu_t() with a seed of 0.  The result is OR-ed into the header, so
 * any bits already set in the header's low half stay set.
 *
 * The caller must make sure that "length" quadlets after the header are
 * readable; nothing here can check that.
 *
 * Returns the payload length in quadlets.
 */
int fw_compute_block_crc(u32 *block)
{
	/* The length field is masked to 8 bits, so 256 entries always suffice. */
	__be32 be_quads[256];
	int n_quads = (*block >> 16) & 0xff;
	int q;

	for (q = 0; q < n_quads; q++)
		be_quads[q] = cpu_to_be32(block[q + 1]);

	*block |= crc_itu_t(0, (u8 *) be_quads, n_quads * 4);

	return n_quads;
}
/* All registered cards; walked by update_config_roms(). */
static LIST_HEAD(card_list);

/* Extra config ROM descriptors registered via fw_core_add_descriptor(). */
static LIST_HEAD(descriptor_list);

/*
 * Number of root directory entries needed for descriptor_list: one per
 * descriptor, plus one more for each descriptor with a non-zero immediate.
 */
static int descriptor_count;

/*
 * Held in this file around every update of card_list, descriptor_list and
 * descriptor_count, and around the config ROM regeneration that follows.
 */
static DEFINE_MUTEX(card_mutex);
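/*
 * Bus info block field builders.
 *
 * generate_config_rom() uses the first group for quadlet 0 of the config
 * ROM and the second group for quadlet 2.
 */
#define BIB_CRC(v)		((v) <<  0)
#define BIB_CRC_LENGTH(v)	((v) << 16)
#define BIB_INFO_LENGTH(v)	((v) << 24)

#define BIB_LINK_SPEED(v)	((v) <<  0)
#define BIB_GENERATION(v)	((v) <<  4)
#define BIB_MAX_ROM(v)		((v) <<  8)
#define BIB_MAX_RECEIVE(v)	((v) << 12)
#define BIB_CYC_CLK_ACC(v)	((v) << 16)

/*
 * Capability flag bits.  These are unsigned constants: shifting a signed 1
 * into bit 31 (BIB_IMC) is undefined behaviour in C, and keeping all five
 * flags the same type avoids mixed-sign surprises when they are OR-ed
 * together or tested against a u32 ROM quadlet.
 */
#define BIB_PMC			(1U << 27)
#define BIB_BMC			(1U << 28)
#define BIB_ISC			(1U << 29)
#define BIB_CMC			(1U << 30)
#define BIB_IMC			(1U << 31)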
/*
 * Build the config ROM image for @card in a function-static buffer.
 *
 * @card:              card whose link speed, max_receive, GUID and ROM
 *                     generation go into the bus info block; the card's
 *                     config_rom_generation is incremented as a side effect.
 * @config_rom_length: receives the image length in quadlets.
 *
 * Layout: quadlets 0..4 are the bus info block, quadlet 5 is the root
 * directory header, quadlet 6 the node capabilities entry, followed by one
 * or two directory entries per registered descriptor and then the
 * descriptor data itself.
 *
 * Returns a pointer to the static buffer.  Every call overwrites it, so the
 * result is only stable while the caller excludes other callers (the
 * callers in this file take card_mutex around the call).
 *
 * NOTE(review): nothing in this function bounds the write position against
 * the 256-quadlet buffer.  It relies on the registered descriptors fitting;
 * confirm that registration enforces that limit.
 */
static u32 *
generate_config_rom(struct fw_card *card, size_t *config_rom_length)
{
	static u32 config_rom[256];
	struct fw_descriptor *desc;
	int pos, data_end, blk_len;

	/*
	 * Start from a zeroed buffer.  On the OHCI controller, block reads
	 * of the config ROM access host memory while quadlet reads access
	 * the hardware bus info block registers, so the bus info block kept
	 * in host memory should match what is stored in the OHCI registers.
	 */
	memset(config_rom, 0, sizeof(config_rom));

	config_rom[0] = BIB_CRC_LENGTH(4) | BIB_INFO_LENGTH(4) | BIB_CRC(0);
	config_rom[1] = 0x31333934;	/* ASCII "1394" */
	config_rom[2] =
		BIB_LINK_SPEED(card->link_speed) |
		BIB_GENERATION(card->config_rom_generation++ % 14 + 2) |
		BIB_MAX_ROM(2) |
		BIB_MAX_RECEIVE(card->max_receive) |
		BIB_BMC | BIB_ISC | BIB_CMC | BIB_IMC;
	config_rom[3] = card->guid >> 32;
	config_rom[4] = card->guid;

	/* Root directory: header placeholder, then node capabilities. */
	config_rom[5] = 0;
	config_rom[6] = 0x0c0083c0;
	pos = 7;

	/* Descriptor data starts right after the directory entries. */
	data_end = pos + descriptor_count;

	/*
	 * One directory entry per descriptor (preceded by its immediate
	 * entry, if any).  Each entry stores the offset from itself to the
	 * place where the descriptor's data will be copied.
	 */
	list_for_each_entry(desc, &descriptor_list, link) {
		if (desc->immediate > 0)
			config_rom[pos++] = desc->immediate;
		config_rom[pos] = desc->key | (data_end - pos);
		pos++;
		data_end += desc->length;
	}

	/* Now that the entry count is known, fill in the directory length. */
	config_rom[5] = (pos - 5 - 1) << 16;

	/* Append the descriptor data in the same order as the entries. */
	list_for_each_entry(desc, &descriptor_list, link) {
		memcpy(&config_rom[pos], desc->data, desc->length * 4);
		pos += desc->length;
	}

	/*
	 * CRC every block in the image.  This assumes CRC length and info
	 * length are identical for the bus info block, which holds for the
	 * header written above.
	 */
	pos = 0;
	while (pos < data_end) {
		blk_len = fw_compute_block_crc(&config_rom[pos]);
		pos += blk_len + 1;
	}

	*config_rom_length = data_end;

	return config_rom;
}
/*
 * Regenerate the config ROM for every card on card_list and hand it to the
 * card's driver through set_config_rom().
 *
 * Both callers in this file hold card_mutex, which protects card_list and
 * the static buffer returned by generate_config_rom().
 */
static void
update_config_roms(void)
{
	struct fw_card *card;
	size_t rom_len;

	list_for_each_entry(card, &card_list, link) {
		u32 *rom = generate_config_rom(card, &rom_len);

		card->driver->set_config_rom(card, rom, rom_len);
	}
}
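/*
 * Register an extra config ROM descriptor and regenerate all config ROMs.
 *
 * @desc: descriptor to add; it is linked into descriptor_list, so it must
 *        stay valid until fw_core_remove_descriptor() is called for it.
 *
 * The descriptor is rejected if its internal block lengths do not add up to
 * desc->length, or if adding it would make the generated image larger than
 * the 256-quadlet buffer that generate_config_rom() writes into.  Without
 * the second check, an oversized set of descriptors would make
 * generate_config_rom() write past the end of its static buffer.
 *
 * Returns 0 on success, -EINVAL for a malformed descriptor, -EBUSY when the
 * config ROM has no room left for it.
 */
int
fw_core_add_descriptor(struct fw_descriptor *desc)
{
	/* Capacity of the static buffer in generate_config_rom(), in quadlets. */
	const size_t rom_quadlets = 256;
	struct fw_descriptor *d;
	size_t i, used, needed;

	/*
	 * Check descriptor is valid; the length of all blocks in the
	 * descriptor has to add up to exactly the length of the
	 * block.
	 */
	i = 0;
	while (i < desc->length)
		i += (desc->data[i] >> 16) + 1;

	if (i != desc->length)
		return -EINVAL;

	/* Can never fit; rejecting here also keeps "needed" from wrapping. */
	if (desc->length > rom_quadlets)
		return -EBUSY;

	mutex_lock(&card_mutex);

	/*
	 * Quadlets the current image occupies: 5 for the bus info block, 2
	 * for the root directory header and node capabilities, one per
	 * directory entry, plus the data of every registered descriptor.
	 */
	used = 7 + (size_t)descriptor_count;
	list_for_each_entry(d, &descriptor_list, link)
		used += d->length;

	/* The new descriptor adds its data plus one or two directory entries. */
	needed = desc->length + 1 + (desc->immediate > 0 ? 1 : 0);

	if (used > rom_quadlets || needed > rom_quadlets - used) {
		mutex_unlock(&card_mutex);
		return -EBUSY;
	}

	list_add_tail(&desc->link, &descriptor_list);
	descriptor_count++;
	if (desc->immediate > 0)
		descriptor_count++;
	update_config_roms();

	mutex_unlock(&card_mutex);

	return 0;
}
EXPORT_SYMBOL(fw_core_add_descriptor);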
/*
 * Unregister a descriptor added with fw_core_add_descriptor() and
 * regenerate all config ROMs without it.
 *
 * @desc: descriptor to remove.  It is unlinked unconditionally, so it must
 *        currently be on descriptor_list.
 */
void
fw_core_remove_descriptor(struct fw_descriptor *desc)
{
	mutex_lock(&card_mutex);

	list_del(&desc->link);

	/* Give back the directory entries this descriptor accounted for. */
	descriptor_count -= (desc->immediate > 0) ? 2 : 1;

	update_config_roms();

	mutex_unlock(&card_mutex);
}
EXPORT_SYMBOL(fw_core_remove_descriptor);
/*
 * Gap count to use for a given root_node->max_hops value (the array index).
 * fw_card_bm_work() falls back to 63 for any index outside this table.
 */
static const char gap_count_table[] = {
	63,  5,  7,  8,
	10, 13, 16, 18,
	21, 24, 26, 29,
	32, 35, 37, 40
};
/*
 * State for the bus manager lock request issued by fw_card_bm_work().
 * The work function keeps one instance on its stack and waits on "done"
 * before leaving, so the instance outlives the request.
 */
struct bm_data {
	struct fw_transaction t;	/* transaction passed to fw_send_request() */
	struct {
		__be32 arg;		/* compare value of the compare-swap */
		__be32 data;		/* value to store: the local node ID */
	} lock;
	u32 old;			/* previous register value; only set on RCODE_COMPLETE */
	int rcode;			/* response code reported to the callback */
	struct completion done;		/* completed by complete_bm_lock() */
};
/*
 * Transaction callback for the bus manager lock request.
 *
 * @card:    card the request was sent on (unused here).
 * @rcode:   response code of the transaction.
 * @payload: response payload; read as one big-endian quadlet when @rcode is
 *           RCODE_COMPLETE.
 * @length:  payload length in bytes (not examined here).
 * @data:    the struct bm_data supplied with the request.
 *
 * Records the result in the bm_data and wakes the waiter.
 *
 * NOTE(review): @length is not checked before @payload is dereferenced.
 * This relies on the transaction layer delivering at least four bytes for
 * a completed lock response; confirm against the caller.
 */
static void
complete_bm_lock(struct fw_card *card, int rcode,
		 void *payload, size_t length, void *data)
{
	struct bm_data *bm = data;

	if (rcode == RCODE_COMPLETE) {
		__be32 *old_value = payload;

		bm->old = be32_to_cpu(*old_value);
	}
	bm->rcode = rcode;

	/* Everything above must be stored before the waiter is released. */
	complete(&bm->done);
}
/*
 * Delayed-work handler that performs bus management for a card.
 *
 * @work: the delayed work embedded in struct fw_card as card->work.
 *
 * Steps, as far as they are reached:
 *   1. Try to become bus manager by sending a compare-swap lock request
 *      for the BUS_MANAGER_ID register to the IRM node.
 *   2. Decide which node should be root (a cycle master capable one).
 *   3. Pick a gap count and, if the root or the gap count has to change,
 *      send a PHY config packet and initiate a bus reset.
 *
 * Pointer lifetime: local_node, root_node and root_device are sampled under
 * card->lock and a reference is taken on each before the lock is released.
 * The lock is dropped while waiting for the lock response, so these
 * references are what keep the objects valid afterwards.  Every exit taken
 * after the references exist goes through "out", which drops them.
 *
 * NOTE(review): root_node and card->irm_node are dereferenced without a
 * NULL check; presumably both are set whenever local_node is - confirm.
 * NOTE(review): the lock payload (bm.lock) lives on this function's stack;
 * confirm that the card driver may use a stack address as packet payload.
 */
static void
fw_card_bm_work(struct work_struct *work)
{
	struct fw_card *card = container_of(work, struct fw_card, work.work);
	struct fw_node *local_node, *root_node;
	struct fw_device *root_device;
	struct bm_data bm;
	unsigned long irq_flags;
	int generation, root_id, irm_id, new_root_id, gap_count;
	int grace_elapsed;
	int reset_needed = 0;

	spin_lock_irqsave(&card->lock, irq_flags);
	local_node = card->local_node;
	root_node = card->root_node;

	/* No topology yet: nothing to manage and no references to drop. */
	if (local_node == NULL) {
		spin_unlock_irqrestore(&card->lock, irq_flags);
		return;
	}

	/* Pin everything used after the lock is dropped further down. */
	fw_node_get(local_node);
	fw_node_get(root_node);

	generation = card->generation;
	root_device = root_node->data;
	if (root_device)
		fw_device_get(root_device);
	root_id = root_node->node_id;

	/* True once more than 100ms have passed since the last bus reset. */
	grace_elapsed = time_after(jiffies,
				   card->reset_jiffies + DIV_ROUND_UP(HZ, 10));

	if (card->bm_generation + 1 == generation ||
	    (card->bm_generation != generation && grace_elapsed)) {
		/*
		 * This first step is to figure out who is IRM and
		 * then try to become bus manager.  If the IRM is not
		 * well defined (e.g. it does not have an active link
		 * layer or does not respond to our lock request), we
		 * will have to do a little vigilante bus management.
		 * In that case, we do a goto into the gap count logic
		 * so that when we do the reset, we still optimize the
		 * gap count.  That could well save a reset in the
		 * next generation.
		 */

		irm_id = card->irm_node->node_id;
		if (!card->irm_node->link_on) {
			new_root_id = local_node->node_id;
			fw_notify("IRM has link off, making local node (%02x) root.\n",
				  new_root_id);
			goto pick_me;
		}

		/* Swap in our node ID if the register still reads 0x3f. */
		bm.lock.arg = cpu_to_be32(0x3f);
		bm.lock.data = cpu_to_be32(local_node->node_id);

		/* The wait below sleeps, so the spinlock has to go first. */
		spin_unlock_irqrestore(&card->lock, irq_flags);

		init_completion(&bm.done);
		fw_send_request(card, &bm.t, TCODE_LOCK_COMPARE_SWAP,
				irm_id, generation,
				SCODE_100, CSR_REGISTER_BASE + CSR_BUS_MANAGER_ID,
				&bm.lock, sizeof(bm.lock),
				complete_bm_lock, &bm);
		wait_for_completion(&bm.done);

		/*
		 * Two cases need no further work here:
		 *  - RCODE_GENERATION: another bus reset happened and the BM
		 *    work has been rescheduled;
		 *  - the lock completed but the old value was not 0x3f:
		 *    somebody else is BM, let them do the work.
		 */
		if (bm.rcode == RCODE_GENERATION ||
		    (bm.rcode == RCODE_COMPLETE && bm.old != 0x3f))
			goto out;

		spin_lock_irqsave(&card->lock, irq_flags);
		if (bm.rcode != RCODE_COMPLETE) {
			/*
			 * The lock request failed, maybe the IRM
			 * isn't really IRM capable after all.  Let's
			 * do a bus reset and pick the local node as
			 * root, and thus, IRM.
			 */
			new_root_id = local_node->node_id;
			fw_notify("BM lock failed, making local node (%02x) root.\n",
				  new_root_id);
			goto pick_me;
		}
	} else if (card->bm_generation != generation) {
		/*
		 * OK, we weren't BM in the last generation, and it's
		 * less than 100ms since last bus reset.  Reschedule
		 * this task 100ms from now.
		 */
		spin_unlock_irqrestore(&card->lock, irq_flags);
		schedule_delayed_work(&card->work, DIV_ROUND_UP(HZ, 10));
		goto out;
	}

	/*
	 * We're bus manager for this generation, so next step is to
	 * make sure we have an active cycle master and do gap count
	 * optimization.
	 */
	card->bm_generation = generation;

	if (root_device == NULL) {
		/*
		 * Either link_on is false, or we failed to read the
		 * config rom.  In either case, pick another root.
		 */
		new_root_id = local_node->node_id;
	} else if (atomic_read(&root_device->state) != FW_DEVICE_RUNNING) {
		/*
		 * If we haven't probed this device yet, bail out now
		 * and let's try again once that's done.
		 */
		spin_unlock_irqrestore(&card->lock, irq_flags);
		goto out;
	} else if (root_device->config_rom[2] & BIB_CMC) {
		/*
		 * FIXME: I suppose we should set the cmstr bit in the
		 * STATE_CLEAR register of this node, as described in
		 * 1394-1995, 8.4.2.6.  Also, send out a force root
		 * packet for this node.
		 */
		new_root_id = root_id;
	} else {
		/*
		 * Current root has an active link layer and we
		 * successfully read the config rom, but it's not
		 * cycle master capable.
		 */
		new_root_id = local_node->node_id;
	}

 pick_me:
	/*
	 * Pick a gap count from 1394a table E-1.  The table doesn't cover
	 * the typically much larger 1394b beta repeater delays though, so
	 * 63 is used when beta repeaters are present or when max_hops lies
	 * outside the table.  The bound check must stay ahead of the index.
	 */
	gap_count = 63;
	if (!card->beta_repeaters_present &&
	    root_node->max_hops < ARRAY_SIZE(gap_count_table))
		gap_count = gap_count_table[root_node->max_hops];

	/*
	 * Finally, figure out if we should do a reset or not.  If we've
	 * done less than 5 resets with the same physical topology and we
	 * have either a new root or a new gap count setting, let's do it.
	 * The retry counter is bumped on every pass through here.
	 */
	if (card->bm_retries++ < 5)
		reset_needed = card->gap_count != gap_count ||
			       new_root_id != root_id;

	spin_unlock_irqrestore(&card->lock, irq_flags);

	if (reset_needed) {
		fw_notify("phy config: card %d, new root=%x, gap_count=%d\n",
			  card->index, new_root_id, gap_count);
		fw_send_phy_config(card, new_root_id, generation, gap_count);
		fw_core_initiate_bus_reset(card, 1);
	}

 out:
	/* Drop the references taken at the top; card->lock is not held here. */
	if (root_device)
		fw_device_put(root_device);
	fw_node_put(root_node);
	fw_node_put(local_node);
}
/*
 * Timer callback for card->flush_timer.
 *
 * @data: the struct fw_card pointer that fw_card_initialize() stored in the
 *        timer, carried as an unsigned long.
 */
static void
flush_timer_callback(unsigned long data)
{
	fw_flush_transactions((struct fw_card *)data);
}
/*
 * Initialize the core-owned part of a struct fw_card.
 *
 * @card:   card structure to set up; its reference count is initialized
 *          by kref_init().
 * @driver: operations of the card driver; stored, not copied.
 * @device: underlying device; stored, not copied.
 *
 * The card is not added to card_list here; fw_card_add() does that.
 */
void
fw_card_initialize(struct fw_card *card, const struct fw_card_driver *driver,
		   struct device *device)
{
	/* Starts at -1 so that the first card gets index 0. */
	static atomic_t last_index = ATOMIC_INIT(-1);

	kref_init(&card->kref);

	card->index = atomic_inc_return(&last_index);
	card->driver = driver;
	card->device = device;

	/* Transaction bookkeeping starts out empty. */
	card->current_tlabel = 0;
	card->tlabel_mask = 0;
	card->color = 0;
	INIT_LIST_HEAD(&card->transaction_list);

	spin_lock_init(&card->lock);
	setup_timer(&card->flush_timer,
		    flush_timer_callback, (unsigned long)card);

	/* fw_card_bm_work() treats a NULL local_node as "no topology yet". */
	card->local_node = NULL;

	INIT_DELAYED_WORK(&card->work, fw_card_bm_work);
}
EXPORT_SYMBOL(fw_card_initialize);
/*
 * Register a card with the core and enable it.
 *
 * @card:        card previously set up with fw_card_initialize().
 * @max_receive: value for the max_receive field of the bus info block.
 * @link_speed:  value for the link speed field of the bus info block.
 * @guid:        64-bit GUID placed in the bus info block.
 *
 * Returns whatever the driver's enable() callback returns.
 *
 * NOTE(review): generate_config_rom() returns its function-static buffer,
 * and that pointer is handed to enable() after card_mutex has been dropped.
 * A concurrent fw_core_add_descriptor() or fw_core_remove_descriptor()
 * could regenerate the buffer while enable() is still reading it.
 * NOTE(review): the card is put on card_list and the reference is kept
 * even when enable() fails; confirm callers handle that case.
 */
int
fw_card_add(struct fw_card *card,
	    u32 max_receive, u32 link_speed, u64 guid)
{
	size_t rom_len;
	u32 *rom;

	card->guid = guid;
	card->link_speed = link_speed;
	card->max_receive = max_receive;

	/*
	 * The subsystem grabs a reference when the card is added and
	 * drops it when the driver calls fw_core_remove_card.
	 */
	fw_card_get(card);

	mutex_lock(&card_mutex);
	rom = generate_config_rom(card, &rom_len);
	list_add_tail(&card->link, &card_list);
	mutex_unlock(&card_mutex);

	return card->driver->enable(card, rom, rom_len);
}
EXPORT_SYMBOL(fw_card_add);
/*
 * The next few functions implement a dummy driver that is used once a
 * card driver shuts down an fw_card.  This allows the driver to
 * cleanly unload, as all IO to the card will be handled by the dummy
 * driver instead of calling into the (possibly) unloaded module.  The
 * dummy driver just fails all IO.
 */
/*
 * enable() for the dummy driver.  Reaching it is treated as a bug; the
 * return statement only satisfies the function's type.
 */
static int
dummy_enable(struct fw_card *card, u32 *config_rom, size_t length)
{
	BUG();

	return -1;
}
/* update_phy_reg() for the dummy driver: touches nothing, returns -ENODEV. */
static int
dummy_update_phy_reg(struct fw_card *card, int address,
		     int clear_bits, int set_bits)
{
	return -ENODEV;
}
/*
 * set_config_rom() for the dummy driver.
 *
 * fw_core_remove_card() takes the card off card_list before it installs
 * the dummy driver, and update_config_roms() only visits cards on that
 * list, so this should never be called.  Reaching it is treated as a bug.
 */
static int
dummy_set_config_rom(struct fw_card *card,
		     u32 *config_rom, size_t length)
{
	BUG();

	return -1;
}
/*
 * send_request() for the dummy driver: nothing is transmitted; the packet's
 * callback is invoked right away with -ENODEV as its status.
 */
static void
dummy_send_request(struct fw_card *card, struct fw_packet *packet)
{
	packet->callback(packet, card, -ENODEV);
}
/*
 * send_response() for the dummy driver: nothing is transmitted; the
 * packet's callback is invoked right away with -ENODEV as its status.
 */
static void
dummy_send_response(struct fw_card *card, struct fw_packet *packet)
{
	packet->callback(packet, card, -ENODEV);
}
/* cancel_packet() for the dummy driver: always reports -ENOENT. */
static int
dummy_cancel_packet(struct fw_card *card, struct fw_packet *packet)
{
	return -ENOENT;
}
/*
 * enable_phys_dma() for the dummy driver: always refuses with -ENODEV, so
 * no physical DMA is enabled for a card that has been shut down.
 */
static int
dummy_enable_phys_dma(struct fw_card *card,
		      int node_id, int generation)
{
	return -ENODEV;
}
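/*
 * Operations table installed by fw_core_remove_card() in place of the real
 * card driver.
 *
 * Declared const: nothing in this file writes to it, and card->driver is
 * assigned from a pointer to const in fw_card_initialize().  A read-only
 * table of function pointers cannot be redirected by a stray or malicious
 * memory write.
 */
static const struct fw_card_driver dummy_driver = {
	.name            = "dummy",
	.enable          = dummy_enable,
	.update_phy_reg  = dummy_update_phy_reg,
	.set_config_rom  = dummy_set_config_rom,
	.send_request    = dummy_send_request,
	.cancel_packet   = dummy_cancel_packet,
	.send_response   = dummy_send_response,
	.enable_phys_dma = dummy_enable_phys_dma,
};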
/*
 * Detach a card from the core when its driver shuts it down.
 *
 * @card: card to remove.  The reference taken by fw_card_add() is dropped
 *        at the end, so the card may be freed by the time this returns.
 *
 * The order of the steps matters:
 *   - the PHY is updated and a bus reset initiated while the real driver is
 *     still installed;
 *   - the card leaves card_list before the dummy driver is installed, so
 *     update_config_roms() can no longer reach it;
 *   - nodes are destroyed and scheduled work is flushed before the pending
 *     transactions and the flush timer are torn down.
 *
 * NOTE(review): card->driver is replaced without holding card->lock or
 * card_mutex; confirm that no other context can be in the middle of a call
 * through the old driver pointer at this point.
 */
void
fw_core_remove_card(struct fw_card *card)
{
	/* Clear PHY_LINK_ACTIVE and PHY_CONTENDER in PHY register 4. */
	card->driver->update_phy_reg(card, 4,
				     PHY_LINK_ACTIVE | PHY_CONTENDER, 0);
	fw_core_initiate_bus_reset(card, 1);

	mutex_lock(&card_mutex);
	list_del(&card->link);
	mutex_unlock(&card_mutex);

	/* From here on, all driver calls fail in the dummy driver. */
	card->driver = &dummy_driver;

	fw_destroy_nodes(card);
	flush_scheduled_work();

	fw_flush_transactions(card);
	del_timer_sync(&card->flush_timer);

	fw_card_put(card);
}
EXPORT_SYMBOL(fw_core_remove_card);
/*
 * Take a reference on @card.
 *
 * Returns @card, so the call can be used inline in an assignment.  The
 * caller must already hold a valid reference; the pointer is dereferenced
 * without any check.
 */
struct fw_card *
fw_card_get(struct fw_card *card)
{
	kref_get(&card->kref);

	return card;
}
EXPORT_SYMBOL(fw_card_get);
/*
 * kref release function for struct fw_card, passed to kref_put() by
 * fw_card_put().  Frees the card with kfree().
 */
static void
release_card(struct kref *kref)
{
	kfree(container_of(kref, struct fw_card, kref));
}
/*
 * An assumption for fw_card_put() is that the card driver allocates
 * the fw_card struct with kmalloc and that it has been shut down
 * before the last ref is dropped.
 */
/*
 * Drop a reference on @card.  When the last reference goes away,
 * release_card() frees the structure, so @card must not be used after this
 * call unless the caller holds another reference.
 */
void
fw_card_put(struct fw_card *card)
{
	kref_put(&card->kref, release_card);
}
EXPORT_SYMBOL(fw_card_put);
/*
 * Ask the card's PHY to start a bus reset.
 *
 * @card:        card to reset the bus on.
 * @short_reset: non-zero sets PHY_BUS_SHORT_RESET in PHY register 5;
 *               zero sets PHY_BUS_RESET in PHY register 1.
 *
 * Returns the result of the driver's update_phy_reg() callback.
 */
int
fw_core_initiate_bus_reset(struct fw_card *card, int short_reset)
{
	int reg, bit;

	if (short_reset) {
		reg = 5;
		bit = PHY_BUS_SHORT_RESET;
	} else {
		reg = 1;
		bit = PHY_BUS_RESET;
	}

	return card->driver->update_phy_reg(card, reg, 0, bit);
}
EXPORT_SYMBOL(fw_core_initiate_bus_reset);