search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Input: fix potential overflows in driver/input/touchscreen
[linux-2.6/zen-sources.git] / drivers / input / touchscreen / h3600_ts_input.c
blob2de2139f2fed9f9f62ffe9fb2c4c8cebcb1b204d
1 /*
2 * $Id: h3600_ts_input.c,v 1.4 2002/01/23 06:39:37 jsimmons Exp $
3 *
4 * Copyright (c) 2001 "Crazy" James Simmons jsimmons@transvirtual.com
5 *
6 * Sponsored by Transvirtual Technology.
7 *
8 * Derived from the code in h3600_ts.[ch] by Charles Flynn
9 */
10
11 /*
12 * Driver for the h3600 Touch Screen and other Atmel controlled devices.
13 */
14
15 /*
16 * This program is free software; you can redistribute it and/or modify
17 * it under the terms of the GNU General Public License as published by
18 * the Free Software Foundation; either version 2 of the License, or
19 * (at your option) any later version.
20 *
21 * This program is distributed in the hope that it will be useful,
22 * but WITHOUT ANY WARRANTY; without even the implied warranty of
23 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
24 * GNU General Public License for more details.
25 *
26 * You should have received a copy of the GNU General Public License
27 * along with this program; if not, write to the Free Software
28 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
29 *
30 * Should you need to contact me, the author, you can do so by
31 * e-mail - mail your message to <jsimmons@transvirtual.com>.
32 */
33
34 #include <linux/errno.h>
35 #include <linux/kernel.h>
36 #include <linux/module.h>
37 #include <linux/slab.h>
38 #include <linux/input.h>
39 #include <linux/serio.h>
40 #include <linux/init.h>
41 #include <linux/delay.h>
42
43 /* SA1100 serial defines */
44 #include <asm/arch/hardware.h>
45 #include <asm/arch/irqs.h>
46
47 #define DRIVER_DESC "H3600 touchscreen driver"
48
49 MODULE_AUTHOR("James Simmons <jsimmons@transvirtual.com>");
50 MODULE_DESCRIPTION(DRIVER_DESC);
51 MODULE_LICENSE("GPL");
52
53 /*
54 * Definitions & global arrays.
55 */
56
57 /* The start and end of frame characters SOF and EOF */
58 #define CHAR_SOF 0x02
59 #define CHAR_EOF 0x03
60 #define FRAME_OVERHEAD 3 /* CHAR_SOF,CHAR_EOF,LENGTH = 3 */
61
62 /*
63 Atmel events and response IDs contained in frame.
64 Programmer has no control over these numbers.
65 TODO there are holes - specifically 1,7,0x0a
66 */
67 #define VERSION_ID 0 /* Get Version (request/respose) */
68 #define KEYBD_ID 2 /* Keyboard (event) */
69 #define TOUCHS_ID 3 /* Touch Screen (event)*/
70 #define EEPROM_READ_ID 4 /* (request/response) */
71 #define EEPROM_WRITE_ID 5 /* (request/response) */
72 #define THERMAL_ID 6 /* (request/response) */
73 #define NOTIFY_LED_ID 8 /* (request/response) */
74 #define BATTERY_ID 9 /* (request/response) */
75 #define SPI_READ_ID 0x0b /* ( request/response) */
76 #define SPI_WRITE_ID 0x0c /* ( request/response) */
77 #define FLITE_ID 0x0d /* backlight ( request/response) */
78 #define STX_ID 0xa1 /* extension pack status (req/resp) */
79
80 #define MAX_ID 14
81
82 #define H3600_MAX_LENGTH 16
83 #define H3600_KEY 0xf
84
85 #define H3600_SCANCODE_RECORD 1 /* 1 -> record button */
86 #define H3600_SCANCODE_CALENDAR 2 /* 2 -> calendar */
87 #define H3600_SCANCODE_CONTACTS 3 /* 3 -> contact */
88 #define H3600_SCANCODE_Q 4 /* 4 -> Q button */
89 #define H3600_SCANCODE_START 5 /* 5 -> start menu */
90 #define H3600_SCANCODE_UP 6 /* 6 -> up */
91 #define H3600_SCANCODE_RIGHT 7 /* 7 -> right */
92 #define H3600_SCANCODE_LEFT 8 /* 8 -> left */
93 #define H3600_SCANCODE_DOWN 9 /* 9 -> down */
94
95 /*
96 * Per-touchscreen data.
97 */
98 struct h3600_dev {
99 struct input_dev *dev;
100 struct serio *serio;
101 unsigned char event; /* event ID from packet */
102 unsigned char chksum;
103 unsigned char len;
104 unsigned char idx;
105 unsigned char buf[H3600_MAX_LENGTH];
106 char phys[32];
107 };
108
109 static irqreturn_t action_button_handler(int irq, void *dev_id, struct pt_regs *regs)
110 {
111 int down = (GPLR & GPIO_BITSY_ACTION_BUTTON) ? 0 : 1;
112 struct input_dev *dev = (struct input_dev *) dev_id;
113
114 input_regs(dev, regs);
115 input_report_key(dev, KEY_ENTER, down);
116 input_sync(dev);
117
118 return IRQ_HANDLED;
119 }
120
121 static irqreturn_t npower_button_handler(int irq, void *dev_id, struct pt_regs *regs)
122 {
123 int down = (GPLR & GPIO_BITSY_NPOWER_BUTTON) ? 0 : 1;
124 struct input_dev *dev = (struct input_dev *) dev_id;
125
126 /*
127 * This interrupt is only called when we release the key. So we have
128 * to fake a key press.
129 */
130 input_regs(dev, regs);
131 input_report_key(dev, KEY_SUSPEND, 1);
132 input_report_key(dev, KEY_SUSPEND, down);
133 input_sync(dev);
134
135 return IRQ_HANDLED;
136 }
137
138 #ifdef CONFIG_PM
139
140 static int flite_brightness = 25;
141
142 enum flite_pwr {
143 FLITE_PWR_OFF = 0,
144 FLITE_PWR_ON = 1
145 };
146
147 /*
148 * h3600_flite_power: enables or disables power to frontlight, using last bright */
149 unsigned int h3600_flite_power(struct input_dev *dev, enum flite_pwr pwr)
150 {
151 unsigned char brightness = (pwr == FLITE_PWR_OFF) ? 0 : flite_brightness;
152 struct h3600_dev *ts = dev->private;
153
154 /* Must be in this order */
155 ts->serio->write(ts->serio, 1);
156 ts->serio->write(ts->serio, pwr);
157 ts->serio->write(ts->serio, brightness);
158 return 0;
159 }
160
161 #endif
162
163 /*
164 * This function translates the native event packets to linux input event
165 * packets. Some packets coming from serial are not touchscreen related. In
166 * this case we send them off to be processed elsewhere.
167 */
168 static void h3600ts_process_packet(struct h3600_dev *ts, struct pt_regs *regs)
169 {
170 struct input_dev *dev = ts->dev;
171 static int touched = 0;
172 int key, down = 0;
173
174 input_regs(dev, regs);
175
176 switch (ts->event) {
177 /*
178 Buttons - returned as a single byte
179 7 6 5 4 3 2 1 0
180 S x x x N N N N
181
182 S switch state ( 0=pressed 1=released)
183 x Unused.
184 NNNN switch number 0-15
185
186 Note: This is true for non interrupt generated key events.
187 */
188 case KEYBD_ID:
189 down = (ts->buf[0] & 0x80) ? 0 : 1;
190
191 switch (ts->buf[0] & 0x7f) {
192 case H3600_SCANCODE_RECORD:
193 key = KEY_RECORD;
194 break;
195 case H3600_SCANCODE_CALENDAR:
196 key = KEY_PROG1;
197 break;
198 case H3600_SCANCODE_CONTACTS:
199 key = KEY_PROG2;
200 break;
201 case H3600_SCANCODE_Q:
202 key = KEY_Q;
203 break;
204 case H3600_SCANCODE_START:
205 key = KEY_PROG3;
206 break;
207 case H3600_SCANCODE_UP:
208 key = KEY_UP;
209 break;
210 case H3600_SCANCODE_RIGHT:
211 key = KEY_RIGHT;
212 break;
213 case H3600_SCANCODE_LEFT:
214 key = KEY_LEFT;
215 break;
216 case H3600_SCANCODE_DOWN:
217 key = KEY_DOWN;
218 break;
219 default:
220 key = 0;
221 }
222 if (key)
223 input_report_key(dev, key, down);
224 break;
225 /*
226 * Native touchscreen event data is formatted as shown below:-
227 *
228 * +-------+-------+-------+-------+
229 * | Xmsb | Xlsb | Ymsb | Ylsb |
230 * +-------+-------+-------+-------+
231 * byte 0 1 2 3
232 */
233 case TOUCHS_ID:
234 if (!touched) {
235 input_report_key(dev, BTN_TOUCH, 1);
236 touched = 1;
237 }
238
239 if (ts->len) {
240 unsigned short x, y;
241
242 x = ts->buf[0]; x <<= 8; x += ts->buf[1];
243 y = ts->buf[2]; y <<= 8; y += ts->buf[3];
244
245 input_report_abs(dev, ABS_X, x);
246 input_report_abs(dev, ABS_Y, y);
247 } else {
248 input_report_key(dev, BTN_TOUCH, 0);
249 touched = 0;
250 }
251 break;
252 default:
253 /* Send a non input event elsewhere */
254 break;
255 }
256
257 input_sync(dev);
258 }
259
260 /*
261 * h3600ts_event() handles events from the input module.
262 */
263 static int h3600ts_event(struct input_dev *dev, unsigned int type,
264 unsigned int code, int value)
265 {
266 #if 0
267 struct h3600_dev *ts = dev->private;
268
269 switch (type) {
270 case EV_LED: {
271 // ts->serio->write(ts->serio, SOME_CMD);
272 return 0;
273 }
274 }
275 return -1;
276 #endif
277 return 0;
278 }
279
280 /*
281 Frame format
282 byte 1 2 3 len + 4
283 +-------+---------------+---------------+--=------------+
284 |SOF |id |len | len bytes | Chksum |
285 +-------+---------------+---------------+--=------------+
286 bit 0 7 8 11 12 15 16
287
288 +-------+---------------+-------+
289 |SOF |id |0 |Chksum | - Note Chksum does not include SOF
290 +-------+---------------+-------+
291 bit 0 7 8 11 12 15 16
292
293 */
294
295 static int state;
296
297 /* decode States */
298 #define STATE_SOF 0 /* start of FRAME */
299 #define STATE_ID 1 /* state where we decode the ID & len */
300 #define STATE_DATA 2 /* state where we decode data */
301 #define STATE_EOF 3 /* state where we decode checksum or EOF */
302
303 static irqreturn_t h3600ts_interrupt(struct serio *serio, unsigned char data,
304 unsigned int flags, struct pt_regs *regs)
305 {
306 struct h3600_dev *ts = serio_get_drvdata(serio);
307
308 /*
309 * We have a new frame coming in.
310 */
311 switch (state) {
312 case STATE_SOF:
313 if (data == CHAR_SOF)
314 state = STATE_ID;
315 break;
316 case STATE_ID:
317 ts->event = (data & 0xf0) >> 4;
318 ts->len = (data & 0xf);
319 ts->idx = 0;
320 if (ts->event >= MAX_ID) {
321 state = STATE_SOF;
322 break;
323 }
324 ts->chksum = data;
325 state = (ts->len > 0) ? STATE_DATA : STATE_EOF;
326 break;
327 case STATE_DATA:
328 ts->chksum += data;
329 ts->buf[ts->idx]= data;
330 if (++ts->idx == ts->len)
331 state = STATE_EOF;
332 break;
333 case STATE_EOF:
334 state = STATE_SOF;
335 if (data == CHAR_EOF || data == ts->chksum)
336 h3600ts_process_packet(ts, regs);
337 break;
338 default:
339 printk("Error3\n");
340 break;
341 }
342
343 return IRQ_HANDLED;
344 }
345
346 /*
347 * h3600ts_connect() is the routine that is called when someone adds a
348 * new serio device that supports H3600 protocol and registers it as
349 * an input device.
350 */
351 static int h3600ts_connect(struct serio *serio, struct serio_driver *drv)
352 {
353 struct h3600_dev *ts;
354 struct input_dev *input_dev;
355 int err;
356
357 ts = kzalloc(sizeof(struct h3600_dev), GFP_KERNEL);
358 input_dev = input_allocate_device();
359 if (!ts || !input_dev) {
360 err = -ENOMEM;
361 goto fail1;
362 }
363
364 ts->serio = serio;
365 ts->dev = input_dev;
366 snprintf(ts->phys, sizeof(ts->phys), "%s/input0", serio->phys);
367
368 input_dev->name = "H3600 TouchScreen";
369 input_dev->phys = ts->phys;
370 input_dev->id.bustype = BUS_RS232;
371 input_dev->id.vendor = SERIO_H3600;
372 input_dev->id.product = 0x0666; /* FIXME !!! We can ask the hardware */
373 input_dev->id.version = 0x0100;
374 input_dev->cdev.dev = &serio->dev;
375 input_dev->private = ts;
376
377 input_dev->event = h3600ts_event;
378
379 input_dev->evbit[0] = BIT(EV_KEY) | BIT(EV_ABS) | BIT(EV_LED) | BIT(EV_PWR);
380 input_dev->ledbit[0] = BIT(LED_SLEEP);
381 input_set_abs_params(input_dev, ABS_X, 60, 985, 0, 0);
382 input_set_abs_params(input_dev, ABS_Y, 35, 1024, 0, 0);
383
384 set_bit(KEY_RECORD, input_dev->keybit);
385 set_bit(KEY_Q, input_dev->keybit);
386 set_bit(KEY_PROG1, input_dev->keybit);
387 set_bit(KEY_PROG2, input_dev->keybit);
388 set_bit(KEY_PROG3, input_dev->keybit);
389 set_bit(KEY_UP, input_dev->keybit);
390 set_bit(KEY_RIGHT, input_dev->keybit);
391 set_bit(KEY_LEFT, input_dev->keybit);
392 set_bit(KEY_DOWN, input_dev->keybit);
393 set_bit(KEY_ENTER, input_dev->keybit);
394 set_bit(KEY_SUSPEND, input_dev->keybit);
395 set_bit(BTN_TOUCH, input_dev->keybit);
396
397 /* Device specific stuff */
398 set_GPIO_IRQ_edge(GPIO_BITSY_ACTION_BUTTON, GPIO_BOTH_EDGES);
399 set_GPIO_IRQ_edge(GPIO_BITSY_NPOWER_BUTTON, GPIO_RISING_EDGE);
400
401 if (request_irq(IRQ_GPIO_BITSY_ACTION_BUTTON, action_button_handler,
402 SA_SHIRQ | SA_INTERRUPT, "h3600_action", &ts->dev)) {
403 printk(KERN_ERR "h3600ts.c: Could not allocate Action Button IRQ!\n");
404 err = -EBUSY;
405 goto fail2;
406 }
407
408 if (request_irq(IRQ_GPIO_BITSY_NPOWER_BUTTON, npower_button_handler,
409 SA_SHIRQ | SA_INTERRUPT, "h3600_suspend", &ts->dev)) {
410 printk(KERN_ERR "h3600ts.c: Could not allocate Power Button IRQ!\n");
411 err = -EBUSY;
412 goto fail3;
413 }
414
415 serio_set_drvdata(serio, ts);
416
417 err = serio_open(serio, drv);
418 if (err)
419 return err;
420
421 //h3600_flite_control(1, 25); /* default brightness */
422 input_register_device(ts->dev);
423
424 return 0;
425
426 fail3: free_irq(IRQ_GPIO_BITSY_NPOWER_BUTTON, ts->dev);
427 fail2: free_irq(IRQ_GPIO_BITSY_ACTION_BUTTON, ts->dev);
428 fail1: serio_set_drvdata(serio, NULL);
429 input_free_device(input_dev);
430 kfree(ts);
431 return err;
432 }
433
434 /*
435 * h3600ts_disconnect() is the opposite of h3600ts_connect()
436 */
437
438 static void h3600ts_disconnect(struct serio *serio)
439 {
440 struct h3600_dev *ts = serio_get_drvdata(serio);
441
442 free_irq(IRQ_GPIO_BITSY_ACTION_BUTTON, &ts->dev);
443 free_irq(IRQ_GPIO_BITSY_NPOWER_BUTTON, &ts->dev);
444 input_get_device(ts->dev);
445 input_unregister_device(ts->dev);
446 serio_close(serio);
447 serio_set_drvdata(serio, NULL);
448 input_put_device(ts->dev);
449 kfree(ts);
450 }
451
452 /*
453 * The serio driver structure.
454 */
455
456 static struct serio_device_id h3600ts_serio_ids[] = {
457 {
458 .type = SERIO_RS232,
459 .proto = SERIO_H3600,
460 .id = SERIO_ANY,
461 .extra = SERIO_ANY,
462 },
463 { 0 }
464 };
465
466 MODULE_DEVICE_TABLE(serio, h3600ts_serio_ids);
467
468 static struct serio_driver h3600ts_drv = {
469 .driver = {
470 .name = "h3600ts",
471 },
472 .description = DRIVER_DESC,
473 .id_table = h3600ts_serio_ids,
474 .interrupt = h3600ts_interrupt,
475 .connect = h3600ts_connect,
476 .disconnect = h3600ts_disconnect,
477 };
478
479 /*
480 * The functions for inserting/removing us as a module.
481 */
482
483 static int __init h3600ts_init(void)
484 {
485 serio_register_driver(&h3600ts_drv);
486 return 0;
487 }
488
489 static void __exit h3600ts_exit(void)
490 {
491 serio_unregister_driver(&h3600ts_drv);
492 }
493
494 module_init(h3600ts_init);
495 module_exit(h3600ts_exit);
Stable & featurefull patchset based on Linus's git branch