search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
bridge: fix a possible use after free
[linux-2.6/linux-acpi-2.6/ibm-acpi-2.6.git] / drivers / block / paride / pg.c
blob6b9a2000d56affdd7788ff26581ae587f3937f96
1 /*
2 pg.c (c) 1998 Grant R. Guenther <grant@torque.net>
3 Under the terms of the GNU General Public License.
4
5 The pg driver provides a simple character device interface for
6 sending ATAPI commands to a device. With the exception of the
7 ATAPI reset operation, all operations are performed by a pair
8 of read and write operations to the appropriate /dev/pgN device.
9 A write operation delivers a command and any outbound data in
10 a single buffer. Normally, the write will succeed unless the
11 device is offline or malfunctioning, or there is already another
12 command pending. If the write succeeds, it should be followed
13 immediately by a read operation, to obtain any returned data and
14 status information. A read will fail if there is no operation
15 in progress.
16
17 As a special case, the device can be reset with a write operation,
18 and in this case, no following read is expected, or permitted.
19
20 There are no ioctl() operations. Any single operation
21 may transfer at most PG_MAX_DATA bytes. Note that the driver must
22 copy the data through an internal buffer. In keeping with all
23 current ATAPI devices, command packets are assumed to be exactly
24 12 bytes in length.
25
26 To permit future changes to this interface, the headers in the
27 read and write buffers contain a single character "magic" flag.
28 Currently this flag must be the character "P".
29
30 By default, the driver will autoprobe for a single parallel
31 port ATAPI device, but if their individual parameters are
32 specified, the driver can handle up to 4 devices.
33
34 To use this device, you must have the following device
35 special files defined:
36
37 /dev/pg0 c 97 0
38 /dev/pg1 c 97 1
39 /dev/pg2 c 97 2
40 /dev/pg3 c 97 3
41
42 (You'll need to change the 97 to something else if you use
43 the 'major' parameter to install the driver on a different
44 major number.)
45
46 The behaviour of the pg driver can be altered by setting
47 some parameters from the insmod command line. The following
48 parameters are adjustable:
49
50 drive0 These four arguments can be arrays of
51 drive1 1-6 integers as follows:
52 drive2
53 drive3 <prt>,<pro>,<uni>,<mod>,<slv>,<dly>
54
55 Where,
56
57 <prt> is the base of the parallel port address for
58 the corresponding drive. (required)
59
60 <pro> is the protocol number for the adapter that
61 supports this drive. These numbers are
62 logged by 'paride' when the protocol modules
63 are initialised. (0 if not given)
64
65 <uni> for those adapters that support chained
66 devices, this is the unit selector for the
67 chain of devices on the given port. It should
68 be zero for devices that don't support chaining.
69 (0 if not given)
70
71 <mod> this can be -1 to choose the best mode, or one
72 of the mode numbers supported by the adapter.
73 (-1 if not given)
74
75 <slv> ATAPI devices can be jumpered to master or slave.
76 Set this to 0 to choose the master drive, 1 to
77 choose the slave, -1 (the default) to choose the
78 first drive found.
79
80 <dly> some parallel ports require the driver to
81 go more slowly. -1 sets a default value that
82 should work with the chosen protocol. Otherwise,
83 set this to a small integer, the larger it is
84 the slower the port i/o. In some cases, setting
85 this to zero will speed up the device. (default -1)
86
87 major You may use this parameter to overide the
88 default major number (97) that this driver
89 will use. Be sure to change the device
90 name as well.
91
92 name This parameter is a character string that
93 contains the name the kernel will use for this
94 device (in /proc output, for instance).
95 (default "pg").
96
97 verbose This parameter controls the amount of logging
98 that is done by the driver. Set it to 0 for
99 quiet operation, to 1 to enable progress
100 messages while the driver probes for devices,
101 or to 2 for full debug logging. (default 0)
102
103 If this driver is built into the kernel, you can use
104 the following command line parameters, with the same values
105 as the corresponding module parameters listed above:
106
107 pg.drive0
108 pg.drive1
109 pg.drive2
110 pg.drive3
111
112 In addition, you can use the parameter pg.disable to disable
113 the driver entirely.
114
115 */
116
117 /* Changes:
118
119 1.01 GRG 1998.06.16 Bug fixes
120 1.02 GRG 1998.09.24 Added jumbo support
121
122 */
123
124 #define PG_VERSION "1.02"
125 #define PG_MAJOR 97
126 #define PG_NAME "pg"
127 #define PG_UNITS 4
128
129 #ifndef PI_PG
130 #define PI_PG 4
131 #endif
132
133 /* Here are things one can override from the insmod command.
134 Most are autoprobed by paride unless set here. Verbose is 0
135 by default.
136
137 */
138
139 static int verbose = 0;
140 static int major = PG_MAJOR;
141 static char *name = PG_NAME;
142 static int disable = 0;
143
144 static int drive0[6] = { 0, 0, 0, -1, -1, -1 };
145 static int drive1[6] = { 0, 0, 0, -1, -1, -1 };
146 static int drive2[6] = { 0, 0, 0, -1, -1, -1 };
147 static int drive3[6] = { 0, 0, 0, -1, -1, -1 };
148
149 static int (*drives[4])[6] = {&drive0, &drive1, &drive2, &drive3};
150 static int pg_drive_count;
151
152 enum {D_PRT, D_PRO, D_UNI, D_MOD, D_SLV, D_DLY};
153
154 /* end of parameters */
155
156 #include <linux/module.h>
157 #include <linux/init.h>
158 #include <linux/fs.h>
159 #include <linux/delay.h>
160 #include <linux/slab.h>
161 #include <linux/mtio.h>
162 #include <linux/pg.h>
163 #include <linux/device.h>
164 #include <linux/sched.h> /* current, TASK_* */
165 #include <linux/mutex.h>
166 #include <linux/jiffies.h>
167
168 #include <asm/uaccess.h>
169
170 module_param(verbose, bool, 0644);
171 module_param(major, int, 0);
172 module_param(name, charp, 0);
173 module_param_array(drive0, int, NULL, 0);
174 module_param_array(drive1, int, NULL, 0);
175 module_param_array(drive2, int, NULL, 0);
176 module_param_array(drive3, int, NULL, 0);
177
178 #include "paride.h"
179
180 #define PG_SPIN_DEL 50 /* spin delay in micro-seconds */
181 #define PG_SPIN 200
182 #define PG_TMO HZ
183 #define PG_RESET_TMO 10*HZ
184
185 #define STAT_ERR 0x01
186 #define STAT_INDEX 0x02
187 #define STAT_ECC 0x04
188 #define STAT_DRQ 0x08
189 #define STAT_SEEK 0x10
190 #define STAT_WRERR 0x20
191 #define STAT_READY 0x40
192 #define STAT_BUSY 0x80
193
194 #define ATAPI_IDENTIFY 0x12
195
196 static DEFINE_MUTEX(pg_mutex);
197 static int pg_open(struct inode *inode, struct file *file);
198 static int pg_release(struct inode *inode, struct file *file);
199 static ssize_t pg_read(struct file *filp, char __user *buf,
200 size_t count, loff_t * ppos);
201 static ssize_t pg_write(struct file *filp, const char __user *buf,
202 size_t count, loff_t * ppos);
203 static int pg_detect(void);
204
205 #define PG_NAMELEN 8
206
207 struct pg {
208 struct pi_adapter pia; /* interface to paride layer */
209 struct pi_adapter *pi;
210 int busy; /* write done, read expected */
211 int start; /* jiffies at command start */
212 int dlen; /* transfer size requested */
213 unsigned long timeout; /* timeout requested */
214 int status; /* last sense key */
215 int drive; /* drive */
216 unsigned long access; /* count of active opens ... */
217 int present; /* device present ? */
218 char *bufptr;
219 char name[PG_NAMELEN]; /* pg0, pg1, ... */
220 };
221
222 static struct pg devices[PG_UNITS];
223
224 static int pg_identify(struct pg *dev, int log);
225
226 static char pg_scratch[512]; /* scratch block buffer */
227
228 static struct class *pg_class;
229
230 /* kernel glue structures */
231
232 static const struct file_operations pg_fops = {
233 .owner = THIS_MODULE,
234 .read = pg_read,
235 .write = pg_write,
236 .open = pg_open,
237 .release = pg_release,
238 .llseek = noop_llseek,
239 };
240
241 static void pg_init_units(void)
242 {
243 int unit;
244
245 pg_drive_count = 0;
246 for (unit = 0; unit < PG_UNITS; unit++) {
247 int *parm = *drives[unit];
248 struct pg *dev = &devices[unit];
249 dev->pi = &dev->pia;
250 clear_bit(0, &dev->access);
251 dev->busy = 0;
252 dev->present = 0;
253 dev->bufptr = NULL;
254 dev->drive = parm[D_SLV];
255 snprintf(dev->name, PG_NAMELEN, "%s%c", name, 'a'+unit);
256 if (parm[D_PRT])
257 pg_drive_count++;
258 }
259 }
260
261 static inline int status_reg(struct pg *dev)
262 {
263 return pi_read_regr(dev->pi, 1, 6);
264 }
265
266 static inline int read_reg(struct pg *dev, int reg)
267 {
268 return pi_read_regr(dev->pi, 0, reg);
269 }
270
271 static inline void write_reg(struct pg *dev, int reg, int val)
272 {
273 pi_write_regr(dev->pi, 0, reg, val);
274 }
275
276 static inline u8 DRIVE(struct pg *dev)
277 {
278 return 0xa0+0x10*dev->drive;
279 }
280
281 static void pg_sleep(int cs)
282 {
283 schedule_timeout_interruptible(cs);
284 }
285
286 static int pg_wait(struct pg *dev, int go, int stop, unsigned long tmo, char *msg)
287 {
288 int j, r, e, s, p, to;
289
290 dev->status = 0;
291
292 j = 0;
293 while ((((r = status_reg(dev)) & go) || (stop && (!(r & stop))))
294 && time_before(jiffies, tmo)) {
295 if (j++ < PG_SPIN)
296 udelay(PG_SPIN_DEL);
297 else
298 pg_sleep(1);
299 }
300
301 to = time_after_eq(jiffies, tmo);
302
303 if ((r & (STAT_ERR & stop)) || to) {
304 s = read_reg(dev, 7);
305 e = read_reg(dev, 1);
306 p = read_reg(dev, 2);
307 if (verbose > 1)
308 printk("%s: %s: stat=0x%x err=0x%x phase=%d%s\n",
309 dev->name, msg, s, e, p, to ? " timeout" : "");
310 if (to)
311 e |= 0x100;
312 dev->status = (e >> 4) & 0xff;
313 return -1;
314 }
315 return 0;
316 }
317
318 static int pg_command(struct pg *dev, char *cmd, int dlen, unsigned long tmo)
319 {
320 int k;
321
322 pi_connect(dev->pi);
323
324 write_reg(dev, 6, DRIVE(dev));
325
326 if (pg_wait(dev, STAT_BUSY | STAT_DRQ, 0, tmo, "before command"))
327 goto fail;
328
329 write_reg(dev, 4, dlen % 256);
330 write_reg(dev, 5, dlen / 256);
331 write_reg(dev, 7, 0xa0); /* ATAPI packet command */
332
333 if (pg_wait(dev, STAT_BUSY, STAT_DRQ, tmo, "command DRQ"))
334 goto fail;
335
336 if (read_reg(dev, 2) != 1) {
337 printk("%s: command phase error\n", dev->name);
338 goto fail;
339 }
340
341 pi_write_block(dev->pi, cmd, 12);
342
343 if (verbose > 1) {
344 printk("%s: Command sent, dlen=%d packet= ", dev->name, dlen);
345 for (k = 0; k < 12; k++)
346 printk("%02x ", cmd[k] & 0xff);
347 printk("\n");
348 }
349 return 0;
350 fail:
351 pi_disconnect(dev->pi);
352 return -1;
353 }
354
355 static int pg_completion(struct pg *dev, char *buf, unsigned long tmo)
356 {
357 int r, d, n, p;
358
359 r = pg_wait(dev, STAT_BUSY, STAT_DRQ | STAT_READY | STAT_ERR,
360 tmo, "completion");
361
362 dev->dlen = 0;
363
364 while (read_reg(dev, 7) & STAT_DRQ) {
365 d = (read_reg(dev, 4) + 256 * read_reg(dev, 5));
366 n = ((d + 3) & 0xfffc);
367 p = read_reg(dev, 2) & 3;
368 if (p == 0)
369 pi_write_block(dev->pi, buf, n);
370 if (p == 2)
371 pi_read_block(dev->pi, buf, n);
372 if (verbose > 1)
373 printk("%s: %s %d bytes\n", dev->name,
374 p ? "Read" : "Write", n);
375 dev->dlen += (1 - p) * d;
376 buf += d;
377 r = pg_wait(dev, STAT_BUSY, STAT_DRQ | STAT_READY | STAT_ERR,
378 tmo, "completion");
379 }
380
381 pi_disconnect(dev->pi);
382
383 return r;
384 }
385
386 static int pg_reset(struct pg *dev)
387 {
388 int i, k, err;
389 int expect[5] = { 1, 1, 1, 0x14, 0xeb };
390 int got[5];
391
392 pi_connect(dev->pi);
393 write_reg(dev, 6, DRIVE(dev));
394 write_reg(dev, 7, 8);
395
396 pg_sleep(20 * HZ / 1000);
397
398 k = 0;
399 while ((k++ < PG_RESET_TMO) && (status_reg(dev) & STAT_BUSY))
400 pg_sleep(1);
401
402 for (i = 0; i < 5; i++)
403 got[i] = read_reg(dev, i + 1);
404
405 err = memcmp(expect, got, sizeof(got)) ? -1 : 0;
406
407 if (verbose) {
408 printk("%s: Reset (%d) signature = ", dev->name, k);
409 for (i = 0; i < 5; i++)
410 printk("%3x", got[i]);
411 if (err)
412 printk(" (incorrect)");
413 printk("\n");
414 }
415
416 pi_disconnect(dev->pi);
417 return err;
418 }
419
420 static void xs(char *buf, char *targ, int len)
421 {
422 char l = '\0';
423 int k;
424
425 for (k = 0; k < len; k++) {
426 char c = *buf++;
427 if (c != ' ' && c != l)
428 l = *targ++ = c;
429 }
430 if (l == ' ')
431 targ--;
432 *targ = '\0';
433 }
434
435 static int pg_identify(struct pg *dev, int log)
436 {
437 int s;
438 char *ms[2] = { "master", "slave" };
439 char mf[10], id[18];
440 char id_cmd[12] = { ATAPI_IDENTIFY, 0, 0, 0, 36, 0, 0, 0, 0, 0, 0, 0 };
441 char buf[36];
442
443 s = pg_command(dev, id_cmd, 36, jiffies + PG_TMO);
444 if (s)
445 return -1;
446 s = pg_completion(dev, buf, jiffies + PG_TMO);
447 if (s)
448 return -1;
449
450 if (log) {
451 xs(buf + 8, mf, 8);
452 xs(buf + 16, id, 16);
453 printk("%s: %s %s, %s\n", dev->name, mf, id, ms[dev->drive]);
454 }
455
456 return 0;
457 }
458
459 /*
460 * returns 0, with id set if drive is detected
461 * -1, if drive detection failed
462 */
463 static int pg_probe(struct pg *dev)
464 {
465 if (dev->drive == -1) {
466 for (dev->drive = 0; dev->drive <= 1; dev->drive++)
467 if (!pg_reset(dev))
468 return pg_identify(dev, 1);
469 } else {
470 if (!pg_reset(dev))
471 return pg_identify(dev, 1);
472 }
473 return -1;
474 }
475
476 static int pg_detect(void)
477 {
478 struct pg *dev = &devices[0];
479 int k, unit;
480
481 printk("%s: %s version %s, major %d\n", name, name, PG_VERSION, major);
482
483 k = 0;
484 if (pg_drive_count == 0) {
485 if (pi_init(dev->pi, 1, -1, -1, -1, -1, -1, pg_scratch,
486 PI_PG, verbose, dev->name)) {
487 if (!pg_probe(dev)) {
488 dev->present = 1;
489 k++;
490 } else
491 pi_release(dev->pi);
492 }
493
494 } else
495 for (unit = 0; unit < PG_UNITS; unit++, dev++) {
496 int *parm = *drives[unit];
497 if (!parm[D_PRT])
498 continue;
499 if (pi_init(dev->pi, 0, parm[D_PRT], parm[D_MOD],
500 parm[D_UNI], parm[D_PRO], parm[D_DLY],
501 pg_scratch, PI_PG, verbose, dev->name)) {
502 if (!pg_probe(dev)) {
503 dev->present = 1;
504 k++;
505 } else
506 pi_release(dev->pi);
507 }
508 }
509
510 if (k)
511 return 0;
512
513 printk("%s: No ATAPI device detected\n", name);
514 return -1;
515 }
516
517 static int pg_open(struct inode *inode, struct file *file)
518 {
519 int unit = iminor(inode) & 0x7f;
520 struct pg *dev = &devices[unit];
521 int ret = 0;
522
523 mutex_lock(&pg_mutex);
524 if ((unit >= PG_UNITS) || (!dev->present)) {
525 ret = -ENODEV;
526 goto out;
527 }
528
529 if (test_and_set_bit(0, &dev->access)) {
530 ret = -EBUSY;
531 goto out;
532 }
533
534 if (dev->busy) {
535 pg_reset(dev);
536 dev->busy = 0;
537 }
538
539 pg_identify(dev, (verbose > 1));
540
541 dev->bufptr = kmalloc(PG_MAX_DATA, GFP_KERNEL);
542 if (dev->bufptr == NULL) {
543 clear_bit(0, &dev->access);
544 printk("%s: buffer allocation failed\n", dev->name);
545 ret = -ENOMEM;
546 goto out;
547 }
548
549 file->private_data = dev;
550
551 out:
552 mutex_unlock(&pg_mutex);
553 return ret;
554 }
555
556 static int pg_release(struct inode *inode, struct file *file)
557 {
558 struct pg *dev = file->private_data;
559
560 kfree(dev->bufptr);
561 dev->bufptr = NULL;
562 clear_bit(0, &dev->access);
563
564 return 0;
565 }
566
567 static ssize_t pg_write(struct file *filp, const char __user *buf, size_t count, loff_t *ppos)
568 {
569 struct pg *dev = filp->private_data;
570 struct pg_write_hdr hdr;
571 int hs = sizeof (hdr);
572
573 if (dev->busy)
574 return -EBUSY;
575 if (count < hs)
576 return -EINVAL;
577
578 if (copy_from_user(&hdr, buf, hs))
579 return -EFAULT;
580
581 if (hdr.magic != PG_MAGIC)
582 return -EINVAL;
583 if (hdr.dlen > PG_MAX_DATA)
584 return -EINVAL;
585 if ((count - hs) > PG_MAX_DATA)
586 return -EINVAL;
587
588 if (hdr.func == PG_RESET) {
589 if (count != hs)
590 return -EINVAL;
591 if (pg_reset(dev))
592 return -EIO;
593 return count;
594 }
595
596 if (hdr.func != PG_COMMAND)
597 return -EINVAL;
598
599 dev->start = jiffies;
600 dev->timeout = hdr.timeout * HZ + HZ / 2 + jiffies;
601
602 if (pg_command(dev, hdr.packet, hdr.dlen, jiffies + PG_TMO)) {
603 if (dev->status & 0x10)
604 return -ETIME;
605 return -EIO;
606 }
607
608 dev->busy = 1;
609
610 if (copy_from_user(dev->bufptr, buf + hs, count - hs))
611 return -EFAULT;
612 return count;
613 }
614
615 static ssize_t pg_read(struct file *filp, char __user *buf, size_t count, loff_t *ppos)
616 {
617 struct pg *dev = filp->private_data;
618 struct pg_read_hdr hdr;
619 int hs = sizeof (hdr);
620 int copy;
621
622 if (!dev->busy)
623 return -EINVAL;
624 if (count < hs)
625 return -EINVAL;
626
627 dev->busy = 0;
628
629 if (pg_completion(dev, dev->bufptr, dev->timeout))
630 if (dev->status & 0x10)
631 return -ETIME;
632
633 hdr.magic = PG_MAGIC;
634 hdr.dlen = dev->dlen;
635 copy = 0;
636
637 if (hdr.dlen < 0) {
638 hdr.dlen = -1 * hdr.dlen;
639 copy = hdr.dlen;
640 if (copy > (count - hs))
641 copy = count - hs;
642 }
643
644 hdr.duration = (jiffies - dev->start + HZ / 2) / HZ;
645 hdr.scsi = dev->status & 0x0f;
646
647 if (copy_to_user(buf, &hdr, hs))
648 return -EFAULT;
649 if (copy > 0)
650 if (copy_to_user(buf + hs, dev->bufptr, copy))
651 return -EFAULT;
652 return copy + hs;
653 }
654
655 static int __init pg_init(void)
656 {
657 int unit;
658 int err;
659
660 if (disable){
661 err = -EINVAL;
662 goto out;
663 }
664
665 pg_init_units();
666
667 if (pg_detect()) {
668 err = -ENODEV;
669 goto out;
670 }
671
672 err = register_chrdev(major, name, &pg_fops);
673 if (err < 0) {
674 printk("pg_init: unable to get major number %d\n", major);
675 for (unit = 0; unit < PG_UNITS; unit++) {
676 struct pg *dev = &devices[unit];
677 if (dev->present)
678 pi_release(dev->pi);
679 }
680 goto out;
681 }
682 major = err; /* In case the user specified `major=0' (dynamic) */
683 pg_class = class_create(THIS_MODULE, "pg");
684 if (IS_ERR(pg_class)) {
685 err = PTR_ERR(pg_class);
686 goto out_chrdev;
687 }
688 for (unit = 0; unit < PG_UNITS; unit++) {
689 struct pg *dev = &devices[unit];
690 if (dev->present)
691 device_create(pg_class, NULL, MKDEV(major, unit), NULL,
692 "pg%u", unit);
693 }
694 err = 0;
695 goto out;
696
697 out_chrdev:
698 unregister_chrdev(major, "pg");
699 out:
700 return err;
701 }
702
703 static void __exit pg_exit(void)
704 {
705 int unit;
706
707 for (unit = 0; unit < PG_UNITS; unit++) {
708 struct pg *dev = &devices[unit];
709 if (dev->present)
710 device_destroy(pg_class, MKDEV(major, unit));
711 }
712 class_destroy(pg_class);
713 unregister_chrdev(major, name);
714
715 for (unit = 0; unit < PG_UNITS; unit++) {
716 struct pg *dev = &devices[unit];
717 if (dev->present)
718 pi_release(dev->pi);
719 }
720 }
721
722 MODULE_LICENSE("GPL");
723 module_init(pg_init)
724 module_exit(pg_exit)
Linux 2.6 ibm-acpi/thinkpad-acpi driver git tree