search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
V4L/DVB: v4l2-ioctl: integer overflow in video_usercopy()
[linux-2.6/linux-acpi-2.6/ibm-acpi-2.6.git] / drivers / media / common / saa7146_i2c.c
blob7e8f568159985d4c62a32753e358bfd73b135d8c
1 #include <media/saa7146_vv.h>
2
3 static u32 saa7146_i2c_func(struct i2c_adapter *adapter)
4 {
5 //fm DEB_I2C(("'%s'.\n", adapter->name));
6
7 return I2C_FUNC_I2C
8 | I2C_FUNC_SMBUS_QUICK
9 | I2C_FUNC_SMBUS_READ_BYTE | I2C_FUNC_SMBUS_WRITE_BYTE
10 | I2C_FUNC_SMBUS_READ_BYTE_DATA | I2C_FUNC_SMBUS_WRITE_BYTE_DATA;
11 }
12
13 /* this function returns the status-register of our i2c-device */
14 static inline u32 saa7146_i2c_status(struct saa7146_dev *dev)
15 {
16 u32 iicsta = saa7146_read(dev, I2C_STATUS);
17 /*
18 DEB_I2C(("status: 0x%08x\n",iicsta));
19 */
20 return iicsta;
21 }
22
23 /* this function runs through the i2c-messages and prepares the data to be
24 sent through the saa7146. have a look at the specifications p. 122 ff
25 to understand this. it returns the number of u32s to send, or -1
26 in case of an error. */
27 static int saa7146_i2c_msg_prepare(const struct i2c_msg *m, int num, __le32 *op)
28 {
29 int h1, h2;
30 int i, j, addr;
31 int mem = 0, op_count = 0;
32
33 /* first determine size of needed memory */
34 for(i = 0; i < num; i++) {
35 mem += m[i].len + 1;
36 }
37
38 /* worst case: we need one u32 for three bytes to be send
39 plus one extra byte to address the device */
40 mem = 1 + ((mem-1) / 3);
41
42 /* we assume that op points to a memory of at least SAA7146_I2C_MEM bytes
43 size. if we exceed this limit... */
44 if ( (4*mem) > SAA7146_I2C_MEM ) {
45 //fm DEB_I2C(("cannot prepare i2c-message.\n"));
46 return -ENOMEM;
47 }
48
49 /* be careful: clear out the i2c-mem first */
50 memset(op,0,sizeof(__le32)*mem);
51
52 /* loop through all messages */
53 for(i = 0; i < num; i++) {
54
55 /* insert the address of the i2c-slave.
56 note: we get 7 bit i2c-addresses,
57 so we have to perform a translation */
58 addr = (m[i].addr*2) + ( (0 != (m[i].flags & I2C_M_RD)) ? 1 : 0);
59 h1 = op_count/3; h2 = op_count%3;
60 op[h1] |= cpu_to_le32( (u8)addr << ((3-h2)*8));
61 op[h1] |= cpu_to_le32(SAA7146_I2C_START << ((3-h2)*2));
62 op_count++;
63
64 /* loop through all bytes of message i */
65 for(j = 0; j < m[i].len; j++) {
66 /* insert the data bytes */
67 h1 = op_count/3; h2 = op_count%3;
68 op[h1] |= cpu_to_le32( (u32)((u8)m[i].buf[j]) << ((3-h2)*8));
69 op[h1] |= cpu_to_le32( SAA7146_I2C_CONT << ((3-h2)*2));
70 op_count++;
71 }
72
73 }
74
75 /* have a look at the last byte inserted:
76 if it was: ...CONT change it to ...STOP */
77 h1 = (op_count-1)/3; h2 = (op_count-1)%3;
78 if ( SAA7146_I2C_CONT == (0x3 & (le32_to_cpu(op[h1]) >> ((3-h2)*2))) ) {
79 op[h1] &= ~cpu_to_le32(0x2 << ((3-h2)*2));
80 op[h1] |= cpu_to_le32(SAA7146_I2C_STOP << ((3-h2)*2));
81 }
82
83 /* return the number of u32s to send */
84 return mem;
85 }
86
87 /* this functions loops through all i2c-messages. normally, it should determine
88 which bytes were read through the adapter and write them back to the corresponding
89 i2c-message. but instead, we simply write back all bytes.
90 fixme: this could be improved. */
91 static int saa7146_i2c_msg_cleanup(const struct i2c_msg *m, int num, __le32 *op)
92 {
93 int i, j;
94 int op_count = 0;
95
96 /* loop through all messages */
97 for(i = 0; i < num; i++) {
98
99 op_count++;
100
101 /* loop throgh all bytes of message i */
102 for(j = 0; j < m[i].len; j++) {
103 /* write back all bytes that could have been read */
104 m[i].buf[j] = (le32_to_cpu(op[op_count/3]) >> ((3-(op_count%3))*8));
105 op_count++;
106 }
107 }
108
109 return 0;
110 }
111
112 /* this functions resets the i2c-device and returns 0 if everything was fine, otherwise -1 */
113 static int saa7146_i2c_reset(struct saa7146_dev *dev)
114 {
115 /* get current status */
116 u32 status = saa7146_i2c_status(dev);
117
118 /* clear registers for sure */
119 saa7146_write(dev, I2C_STATUS, dev->i2c_bitrate);
120 saa7146_write(dev, I2C_TRANSFER, 0);
121
122 /* check if any operation is still in progress */
123 if ( 0 != ( status & SAA7146_I2C_BUSY) ) {
124
125 /* yes, kill ongoing operation */
126 DEB_I2C(("busy_state detected.\n"));
127
128 /* set "ABORT-OPERATION"-bit (bit 7)*/
129 saa7146_write(dev, I2C_STATUS, (dev->i2c_bitrate | MASK_07));
130 saa7146_write(dev, MC2, (MASK_00 | MASK_16));
131 msleep(SAA7146_I2C_DELAY);
132
133 /* clear all error-bits pending; this is needed because p.123, note 1 */
134 saa7146_write(dev, I2C_STATUS, dev->i2c_bitrate);
135 saa7146_write(dev, MC2, (MASK_00 | MASK_16));
136 msleep(SAA7146_I2C_DELAY);
137 }
138
139 /* check if any error is (still) present. (this can be necessary because p.123, note 1) */
140 status = saa7146_i2c_status(dev);
141
142 if ( dev->i2c_bitrate != status ) {
143
144 DEB_I2C(("error_state detected. status:0x%08x\n",status));
145
146 /* Repeat the abort operation. This seems to be necessary
147 after serious protocol errors caused by e.g. the SAA7740 */
148 saa7146_write(dev, I2C_STATUS, (dev->i2c_bitrate | MASK_07));
149 saa7146_write(dev, MC2, (MASK_00 | MASK_16));
150 msleep(SAA7146_I2C_DELAY);
151
152 /* clear all error-bits pending */
153 saa7146_write(dev, I2C_STATUS, dev->i2c_bitrate);
154 saa7146_write(dev, MC2, (MASK_00 | MASK_16));
155 msleep(SAA7146_I2C_DELAY);
156
157 /* the data sheet says it might be necessary to clear the status
158 twice after an abort */
159 saa7146_write(dev, I2C_STATUS, dev->i2c_bitrate);
160 saa7146_write(dev, MC2, (MASK_00 | MASK_16));
161 msleep(SAA7146_I2C_DELAY);
162 }
163
164 /* if any error is still present, a fatal error has occured ... */
165 status = saa7146_i2c_status(dev);
166 if ( dev->i2c_bitrate != status ) {
167 DEB_I2C(("fatal error. status:0x%08x\n",status));
168 return -1;
169 }
170
171 return 0;
172 }
173
174 /* this functions writes out the data-byte 'dword' to the i2c-device.
175 it returns 0 if ok, -1 if the transfer failed, -2 if the transfer
176 failed badly (e.g. address error) */
177 static int saa7146_i2c_writeout(struct saa7146_dev *dev, __le32 *dword, int short_delay)
178 {
179 u32 status = 0, mc2 = 0;
180 int trial = 0;
181 unsigned long timeout;
182
183 /* write out i2c-command */
184 DEB_I2C(("before: 0x%08x (status: 0x%08x), %d\n",*dword,saa7146_read(dev, I2C_STATUS), dev->i2c_op));
185
186 if( 0 != (SAA7146_USE_I2C_IRQ & dev->ext->flags)) {
187
188 saa7146_write(dev, I2C_STATUS, dev->i2c_bitrate);
189 saa7146_write(dev, I2C_TRANSFER, le32_to_cpu(*dword));
190
191 dev->i2c_op = 1;
192 SAA7146_ISR_CLEAR(dev, MASK_16|MASK_17);
193 SAA7146_IER_ENABLE(dev, MASK_16|MASK_17);
194 saa7146_write(dev, MC2, (MASK_00 | MASK_16));
195
196 timeout = HZ/100 + 1; /* 10ms */
197 timeout = wait_event_interruptible_timeout(dev->i2c_wq, dev->i2c_op == 0, timeout);
198 if (timeout == -ERESTARTSYS || dev->i2c_op) {
199 SAA7146_IER_DISABLE(dev, MASK_16|MASK_17);
200 SAA7146_ISR_CLEAR(dev, MASK_16|MASK_17);
201 if (timeout == -ERESTARTSYS)
202 /* a signal arrived */
203 return -ERESTARTSYS;
204
205 printk(KERN_WARNING "%s %s [irq]: timed out waiting for end of xfer\n",
206 dev->name, __func__);
207 return -EIO;
208 }
209 status = saa7146_read(dev, I2C_STATUS);
210 } else {
211 saa7146_write(dev, I2C_STATUS, dev->i2c_bitrate);
212 saa7146_write(dev, I2C_TRANSFER, le32_to_cpu(*dword));
213 saa7146_write(dev, MC2, (MASK_00 | MASK_16));
214
215 /* do not poll for i2c-status before upload is complete */
216 timeout = jiffies + HZ/100 + 1; /* 10ms */
217 while(1) {
218 mc2 = (saa7146_read(dev, MC2) & 0x1);
219 if( 0 != mc2 ) {
220 break;
221 }
222 if (time_after(jiffies,timeout)) {
223 printk(KERN_WARNING "%s %s: timed out waiting for MC2\n",
224 dev->name, __func__);
225 return -EIO;
226 }
227 }
228 /* wait until we get a transfer done or error */
229 timeout = jiffies + HZ/100 + 1; /* 10ms */
230 /* first read usually delivers bogus results... */
231 saa7146_i2c_status(dev);
232 while(1) {
233 status = saa7146_i2c_status(dev);
234 if ((status & 0x3) != 1)
235 break;
236 if (time_after(jiffies,timeout)) {
237 /* this is normal when probing the bus
238 * (no answer from nonexisistant device...)
239 */
240 printk(KERN_WARNING "%s %s [poll]: timed out waiting for end of xfer\n",
241 dev->name, __func__);
242 return -EIO;
243 }
244 if (++trial < 50 && short_delay)
245 udelay(10);
246 else
247 msleep(1);
248 }
249 }
250
251 /* give a detailed status report */
252 if ( 0 != (status & (SAA7146_I2C_SPERR | SAA7146_I2C_APERR |
253 SAA7146_I2C_DTERR | SAA7146_I2C_DRERR |
254 SAA7146_I2C_AL | SAA7146_I2C_ERR |
255 SAA7146_I2C_BUSY)) ) {
256
257 if ( 0 == (status & SAA7146_I2C_ERR) ||
258 0 == (status & SAA7146_I2C_BUSY) ) {
259 /* it may take some time until ERR goes high - ignore */
260 DEB_I2C(("unexpected i2c status %04x\n", status));
261 }
262 if( 0 != (status & SAA7146_I2C_SPERR) ) {
263 DEB_I2C(("error due to invalid start/stop condition.\n"));
264 }
265 if( 0 != (status & SAA7146_I2C_DTERR) ) {
266 DEB_I2C(("error in data transmission.\n"));
267 }
268 if( 0 != (status & SAA7146_I2C_DRERR) ) {
269 DEB_I2C(("error when receiving data.\n"));
270 }
271 if( 0 != (status & SAA7146_I2C_AL) ) {
272 DEB_I2C(("error because arbitration lost.\n"));
273 }
274
275 /* we handle address-errors here */
276 if( 0 != (status & SAA7146_I2C_APERR) ) {
277 DEB_I2C(("error in address phase.\n"));
278 return -EREMOTEIO;
279 }
280
281 return -EIO;
282 }
283
284 /* read back data, just in case we were reading ... */
285 *dword = cpu_to_le32(saa7146_read(dev, I2C_TRANSFER));
286
287 DEB_I2C(("after: 0x%08x\n",*dword));
288 return 0;
289 }
290
291 static int saa7146_i2c_transfer(struct saa7146_dev *dev, const struct i2c_msg *msgs, int num, int retries)
292 {
293 int i = 0, count = 0;
294 __le32 *buffer = dev->d_i2c.cpu_addr;
295 int err = 0;
296 int short_delay = 0;
297
298 if (mutex_lock_interruptible(&dev->i2c_lock))
299 return -ERESTARTSYS;
300
301 for(i=0;i<num;i++) {
302 DEB_I2C(("msg:%d/%d\n",i+1,num));
303 }
304
305 /* prepare the message(s), get number of u32s to transfer */
306 count = saa7146_i2c_msg_prepare(msgs, num, buffer);
307 if ( 0 > count ) {
308 err = -1;
309 goto out;
310 }
311
312 if ( count > 3 || 0 != (SAA7146_I2C_SHORT_DELAY & dev->ext->flags) )
313 short_delay = 1;
314
315 do {
316 /* reset the i2c-device if necessary */
317 err = saa7146_i2c_reset(dev);
318 if ( 0 > err ) {
319 DEB_I2C(("could not reset i2c-device.\n"));
320 goto out;
321 }
322
323 /* write out the u32s one after another */
324 for(i = 0; i < count; i++) {
325 err = saa7146_i2c_writeout(dev, &buffer[i], short_delay);
326 if ( 0 != err) {
327 /* this one is unsatisfying: some i2c slaves on some
328 dvb cards don't acknowledge correctly, so the saa7146
329 thinks that an address error occured. in that case, the
330 transaction should be retrying, even if an address error
331 occured. analog saa7146 based cards extensively rely on
332 i2c address probing, however, and address errors indicate that a
333 device is really *not* there. retrying in that case
334 increases the time the device needs to probe greatly, so
335 it should be avoided. So we bail out in irq mode after an
336 address error and trust the saa7146 address error detection. */
337 if (-EREMOTEIO == err && 0 != (SAA7146_USE_I2C_IRQ & dev->ext->flags))
338 goto out;
339 DEB_I2C(("error while sending message(s). starting again.\n"));
340 break;
341 }
342 }
343 if( 0 == err ) {
344 err = num;
345 break;
346 }
347
348 /* delay a bit before retrying */
349 msleep(10);
350
351 } while (err != num && retries--);
352
353 /* quit if any error occurred */
354 if (err != num)
355 goto out;
356
357 /* if any things had to be read, get the results */
358 if ( 0 != saa7146_i2c_msg_cleanup(msgs, num, buffer)) {
359 DEB_I2C(("could not cleanup i2c-message.\n"));
360 err = -1;
361 goto out;
362 }
363
364 /* return the number of delivered messages */
365 DEB_I2C(("transmission successful. (msg:%d).\n",err));
366 out:
367 /* another bug in revision 0: the i2c-registers get uploaded randomly by other
368 uploads, so we better clear them out before continueing */
369 if( 0 == dev->revision ) {
370 __le32 zero = 0;
371 saa7146_i2c_reset(dev);
372 if( 0 != saa7146_i2c_writeout(dev, &zero, short_delay)) {
373 INFO(("revision 0 error. this should never happen.\n"));
374 }
375 }
376
377 mutex_unlock(&dev->i2c_lock);
378 return err;
379 }
380
381 /* utility functions */
382 static int saa7146_i2c_xfer(struct i2c_adapter* adapter, struct i2c_msg *msg, int num)
383 {
384 struct v4l2_device *v4l2_dev = i2c_get_adapdata(adapter);
385 struct saa7146_dev *dev = to_saa7146_dev(v4l2_dev);
386
387 /* use helper function to transfer data */
388 return saa7146_i2c_transfer(dev, msg, num, adapter->retries);
389 }
390
391
392 /*****************************************************************************/
393 /* i2c-adapter helper functions */
394 #include <linux/i2c-id.h>
395
396 /* exported algorithm data */
397 static struct i2c_algorithm saa7146_algo = {
398 .master_xfer = saa7146_i2c_xfer,
399 .functionality = saa7146_i2c_func,
400 };
401
402 int saa7146_i2c_adapter_prepare(struct saa7146_dev *dev, struct i2c_adapter *i2c_adapter, u32 bitrate)
403 {
404 DEB_EE(("bitrate: 0x%08x\n",bitrate));
405
406 /* enable i2c-port pins */
407 saa7146_write(dev, MC1, (MASK_08 | MASK_24));
408
409 dev->i2c_bitrate = bitrate;
410 saa7146_i2c_reset(dev);
411
412 if (i2c_adapter) {
413 i2c_set_adapdata(i2c_adapter, &dev->v4l2_dev);
414 i2c_adapter->dev.parent = &dev->pci->dev;
415 i2c_adapter->algo = &saa7146_algo;
416 i2c_adapter->algo_data = NULL;
417 i2c_adapter->id = I2C_HW_SAA7146;
418 i2c_adapter->timeout = SAA7146_I2C_TIMEOUT;
419 i2c_adapter->retries = SAA7146_I2C_RETRIES;
420 }
421
422 return 0;
423 }
Linux 2.6 ibm-acpi/thinkpad-acpi driver git tree