[PATCH] zd1201: avoid null ptr access of skb->dev
[linux-2.6] / drivers / net / wireless / prism54 / islpci_mgt.c
1 /*
2  *  Copyright (C) 2002 Intersil Americas Inc.
3  *  Copyright 2004 Jens Maurer <Jens.Maurer@gmx.net>
4  *
5  *  This program is free software; you can redistribute it and/or modify
6  *  it under the terms of the GNU General Public License as published by
7  *  the Free Software Foundation; either version 2 of the License
8  *
9  *  This program is distributed in the hope that it will be useful,
10  *  but WITHOUT ANY WARRANTY; without even the implied warranty of
11  *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
12  *  GNU General Public License for more details.
13  *
14  *  You should have received a copy of the GNU General Public License
15  *  along with this program; if not, write to the Free Software
16  *  Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
17  *
18  */
19
20 #include <linux/netdevice.h>
21 #include <linux/module.h>
22 #include <linux/pci.h>
23
24 #include <asm/io.h>
25 #include <asm/system.h>
26 #include <linux/if_arp.h>
27
28 #include "prismcompat.h"
29 #include "isl_38xx.h"
30 #include "islpci_mgt.h"
31 #include "isl_oid.h"            /* additional types and defs for isl38xx fw */
32 #include "isl_ioctl.h"
33
34 #include <net/iw_handler.h>
35
36 /******************************************************************************
37         Global variable definition section
38 ******************************************************************************/
39 int pc_debug = VERBOSE;
40 module_param(pc_debug, int, 0);
41
42 /******************************************************************************
43     Driver general functions
44 ******************************************************************************/
45 #if VERBOSE > SHOW_ERROR_MESSAGES
46 void
47 display_buffer(char *buffer, int length)
48 {
49         if ((pc_debug & SHOW_BUFFER_CONTENTS) == 0)
50                 return;
51
52         while (length > 0) {
53                 printk("[%02x]", *buffer & 255);
54                 length--;
55                 buffer++;
56         }
57
58         printk("\n");
59 }
60 #endif
61
62 /*****************************************************************************
63     Queue handling for management frames
64 ******************************************************************************/
65
66 /*
67  * Helper function to create a PIMFOR management frame header.
68  */
69 static void
70 pimfor_encode_header(int operation, u32 oid, u32 length, pimfor_header_t *h)
71 {
72         h->version = PIMFOR_VERSION;
73         h->operation = operation;
74         h->device_id = PIMFOR_DEV_ID_MHLI_MIB;
75         h->flags = 0;
76         h->oid = cpu_to_be32(oid);
77         h->length = cpu_to_be32(length);
78 }
79
80 /*
81  * Helper function to analyze a PIMFOR management frame header.
82  */
83 static pimfor_header_t *
84 pimfor_decode_header(void *data, int len)
85 {
86         pimfor_header_t *h = data;
87
88         while ((void *) h < data + len) {
89                 if (h->flags & PIMFOR_FLAG_LITTLE_ENDIAN) {
90                         le32_to_cpus(&h->oid);
91                         le32_to_cpus(&h->length);
92                 } else {
93                         be32_to_cpus(&h->oid);
94                         be32_to_cpus(&h->length);
95                 }
96                 if (h->oid != OID_INL_TUNNEL)
97                         return h;
98                 h++;
99         }
100         return NULL;
101 }
102
103 /*
104  * Fill the receive queue for management frames with fresh buffers.
105  */
106 int
107 islpci_mgmt_rx_fill(struct net_device *ndev)
108 {
109         islpci_private *priv = netdev_priv(ndev);
110         isl38xx_control_block *cb =     /* volatile not needed */
111             (isl38xx_control_block *) priv->control_block;
112         u32 curr = le32_to_cpu(cb->driver_curr_frag[ISL38XX_CB_RX_MGMTQ]);
113
114 #if VERBOSE > SHOW_ERROR_MESSAGES
115         DEBUG(SHOW_FUNCTION_CALLS, "islpci_mgmt_rx_fill \n");
116 #endif
117
118         while (curr - priv->index_mgmt_rx < ISL38XX_CB_MGMT_QSIZE) {
119                 u32 index = curr % ISL38XX_CB_MGMT_QSIZE;
120                 struct islpci_membuf *buf = &priv->mgmt_rx[index];
121                 isl38xx_fragment *frag = &cb->rx_data_mgmt[index];
122
123                 if (buf->mem == NULL) {
124                         buf->mem = kmalloc(MGMT_FRAME_SIZE, GFP_ATOMIC);
125                         if (!buf->mem) {
126                                 printk(KERN_WARNING
127                                        "Error allocating management frame.\n");
128                                 return -ENOMEM;
129                         }
130                         buf->size = MGMT_FRAME_SIZE;
131                 }
132                 if (buf->pci_addr == 0) {
133                         buf->pci_addr = pci_map_single(priv->pdev, buf->mem,
134                                                        MGMT_FRAME_SIZE,
135                                                        PCI_DMA_FROMDEVICE);
136                         if (!buf->pci_addr) {
137                                 printk(KERN_WARNING
138                                        "Failed to make memory DMA'able.\n");
139                                 return -ENOMEM;
140                         }
141                 }
142
143                 /* be safe: always reset control block information */
144                 frag->size = cpu_to_le16(MGMT_FRAME_SIZE);
145                 frag->flags = 0;
146                 frag->address = cpu_to_le32(buf->pci_addr);
147                 curr++;
148
149                 /* The fragment address in the control block must have
150                  * been written before announcing the frame buffer to
151                  * device */
152                 wmb();
153                 cb->driver_curr_frag[ISL38XX_CB_RX_MGMTQ] = cpu_to_le32(curr);
154         }
155         return 0;
156 }
157
158 /*
159  * Create and transmit a management frame using "operation" and "oid",
160  * with arguments data/length.
161  * We either return an error and free the frame, or we return 0 and
162  * islpci_mgt_cleanup_transmit() frees the frame in the tx-done
163  * interrupt.
164  */
165 static int
166 islpci_mgt_transmit(struct net_device *ndev, int operation, unsigned long oid,
167                     void *data, int length)
168 {
169         islpci_private *priv = netdev_priv(ndev);
170         isl38xx_control_block *cb =
171             (isl38xx_control_block *) priv->control_block;
172         void *p;
173         int err = -EINVAL;
174         unsigned long flags;
175         isl38xx_fragment *frag;
176         struct islpci_membuf buf;
177         u32 curr_frag;
178         int index;
179         int frag_len = length + PIMFOR_HEADER_SIZE;
180
181 #if VERBOSE > SHOW_ERROR_MESSAGES
182         DEBUG(SHOW_FUNCTION_CALLS, "islpci_mgt_transmit\n");
183 #endif
184
185         if (frag_len > MGMT_FRAME_SIZE) {
186                 printk(KERN_DEBUG "%s: mgmt frame too large %d\n",
187                        ndev->name, frag_len);
188                 goto error;
189         }
190
191         err = -ENOMEM;
192         p = buf.mem = kmalloc(frag_len, GFP_KERNEL);
193         if (!buf.mem) {
194                 printk(KERN_DEBUG "%s: cannot allocate mgmt frame\n",
195                        ndev->name);
196                 goto error;
197         }
198         buf.size = frag_len;
199
200         /* create the header directly in the fragment data area */
201         pimfor_encode_header(operation, oid, length, (pimfor_header_t *) p);
202         p += PIMFOR_HEADER_SIZE;
203
204         if (data)
205                 memcpy(p, data, length);
206         else
207                 memset(p, 0, length);
208
209 #if VERBOSE > SHOW_ERROR_MESSAGES
210         {
211                 pimfor_header_t *h = buf.mem;
212                 DEBUG(SHOW_PIMFOR_FRAMES,
213                       "PIMFOR: op %i, oid 0x%08lx, device %i, flags 0x%x length 0x%x \n",
214                       h->operation, oid, h->device_id, h->flags, length);
215
216                 /* display the buffer contents for debugging */
217                 display_buffer((char *) h, sizeof (pimfor_header_t));
218                 display_buffer(p, length);
219         }
220 #endif
221
222         err = -ENOMEM;
223         buf.pci_addr = pci_map_single(priv->pdev, buf.mem, frag_len,
224                                       PCI_DMA_TODEVICE);
225         if (!buf.pci_addr) {
226                 printk(KERN_WARNING "%s: cannot map PCI memory for mgmt\n",
227                        ndev->name);
228                 goto error_free;
229         }
230
231         /* Protect the control block modifications against interrupts. */
232         spin_lock_irqsave(&priv->slock, flags);
233         curr_frag = le32_to_cpu(cb->driver_curr_frag[ISL38XX_CB_TX_MGMTQ]);
234         if (curr_frag - priv->index_mgmt_tx >= ISL38XX_CB_MGMT_QSIZE) {
235                 printk(KERN_WARNING "%s: mgmt tx queue is still full\n",
236                        ndev->name);
237                 goto error_unlock;
238         }
239
240         /* commit the frame to the tx device queue */
241         index = curr_frag % ISL38XX_CB_MGMT_QSIZE;
242         priv->mgmt_tx[index] = buf;
243         frag = &cb->tx_data_mgmt[index];
244         frag->size = cpu_to_le16(frag_len);
245         frag->flags = 0;        /* for any other than the last fragment, set to 1 */
246         frag->address = cpu_to_le32(buf.pci_addr);
247
248         /* The fragment address in the control block must have
249          * been written before announcing the frame buffer to
250          * device */
251         wmb();
252         cb->driver_curr_frag[ISL38XX_CB_TX_MGMTQ] = cpu_to_le32(curr_frag + 1);
253         spin_unlock_irqrestore(&priv->slock, flags);
254
255         /* trigger the device */
256         islpci_trigger(priv);
257         return 0;
258
259       error_unlock:
260         spin_unlock_irqrestore(&priv->slock, flags);
261       error_free:
262         kfree(buf.mem);
263       error:
264         return err;
265 }
266
267 /*
268  * Receive a management frame from the device.
269  * This can be an arbitrary number of traps, and at most one response
270  * frame for a previous request sent via islpci_mgt_transmit().
271  */
272 int
273 islpci_mgt_receive(struct net_device *ndev)
274 {
275         islpci_private *priv = netdev_priv(ndev);
276         isl38xx_control_block *cb =
277             (isl38xx_control_block *) priv->control_block;
278         u32 curr_frag;
279
280 #if VERBOSE > SHOW_ERROR_MESSAGES
281         DEBUG(SHOW_FUNCTION_CALLS, "islpci_mgt_receive \n");
282 #endif
283
284         /* Only once per interrupt, determine fragment range to
285          * process.  This avoids an endless loop (i.e. lockup) if
286          * frames come in faster than we can process them. */
287         curr_frag = le32_to_cpu(cb->device_curr_frag[ISL38XX_CB_RX_MGMTQ]);
288         barrier();
289
290         for (; priv->index_mgmt_rx < curr_frag; priv->index_mgmt_rx++) {
291                 pimfor_header_t *header;
292                 u32 index = priv->index_mgmt_rx % ISL38XX_CB_MGMT_QSIZE;
293                 struct islpci_membuf *buf = &priv->mgmt_rx[index];
294                 u16 frag_len;
295                 int size;
296                 struct islpci_mgmtframe *frame;
297
298                 /* I have no idea (and no documentation) if flags != 0
299                  * is possible.  Drop the frame, reuse the buffer. */
300                 if (le16_to_cpu(cb->rx_data_mgmt[index].flags) != 0) {
301                         printk(KERN_WARNING "%s: unknown flags 0x%04x\n",
302                                ndev->name,
303                                le16_to_cpu(cb->rx_data_mgmt[index].flags));
304                         continue;
305                 }
306
307                 /* The device only returns the size of the header(s) here. */
308                 frag_len = le16_to_cpu(cb->rx_data_mgmt[index].size);
309
310                 /*
311                  * We appear to have no way to tell the device the
312                  * size of a receive buffer.  Thus, if this check
313                  * triggers, we likely have kernel heap corruption. */
314                 if (frag_len > MGMT_FRAME_SIZE) {
315                         printk(KERN_WARNING
316                                 "%s: Bogus packet size of %d (%#x).\n",
317                                 ndev->name, frag_len, frag_len);
318                         frag_len = MGMT_FRAME_SIZE;
319                 }
320
321                 /* Ensure the results of device DMA are visible to the CPU. */
322                 pci_dma_sync_single_for_cpu(priv->pdev, buf->pci_addr,
323                                             buf->size, PCI_DMA_FROMDEVICE);
324
325                 /* Perform endianess conversion for PIMFOR header in-place. */
326                 header = pimfor_decode_header(buf->mem, frag_len);
327                 if (!header) {
328                         printk(KERN_WARNING "%s: no PIMFOR header found\n",
329                                ndev->name);
330                         continue;
331                 }
332
333                 /* The device ID from the PIMFOR packet received from
334                  * the MVC is always 0.  We forward a sensible device_id.
335                  * Not that anyone upstream would care... */
336                 header->device_id = priv->ndev->ifindex;
337
338 #if VERBOSE > SHOW_ERROR_MESSAGES
339                 DEBUG(SHOW_PIMFOR_FRAMES,
340                       "PIMFOR: op %i, oid 0x%08x, device %i, flags 0x%x length 0x%x \n",
341                       header->operation, header->oid, header->device_id,
342                       header->flags, header->length);
343
344                 /* display the buffer contents for debugging */
345                 display_buffer((char *) header, PIMFOR_HEADER_SIZE);
346                 display_buffer((char *) header + PIMFOR_HEADER_SIZE,
347                                header->length);
348 #endif
349
350                 /* nobody sends these */
351                 if (header->flags & PIMFOR_FLAG_APPLIC_ORIGIN) {
352                         printk(KERN_DEBUG
353                                "%s: errant PIMFOR application frame\n",
354                                ndev->name);
355                         continue;
356                 }
357
358                 /* Determine frame size, skipping OID_INL_TUNNEL headers. */
359                 size = PIMFOR_HEADER_SIZE + header->length;
360                 frame = kmalloc(sizeof (struct islpci_mgmtframe) + size,
361                                 GFP_ATOMIC);
362                 if (!frame) {
363                         printk(KERN_WARNING
364                                "%s: Out of memory, cannot handle oid 0x%08x\n",
365                                ndev->name, header->oid);
366                         continue;
367                 }
368                 frame->ndev = ndev;
369                 memcpy(&frame->buf, header, size);
370                 frame->header = (pimfor_header_t *) frame->buf;
371                 frame->data = frame->buf + PIMFOR_HEADER_SIZE;
372
373 #if VERBOSE > SHOW_ERROR_MESSAGES
374                 DEBUG(SHOW_PIMFOR_FRAMES,
375                       "frame: header: %p, data: %p, size: %d\n",
376                       frame->header, frame->data, size);
377 #endif
378
379                 if (header->operation == PIMFOR_OP_TRAP) {
380 #if VERBOSE > SHOW_ERROR_MESSAGES
381                         printk(KERN_DEBUG
382                                "TRAP: oid 0x%x, device %i, flags 0x%x length %i\n",
383                                header->oid, header->device_id, header->flags,
384                                header->length);
385 #endif
386
387                         /* Create work to handle trap out of interrupt
388                          * context. */
389                         INIT_WORK(&frame->ws, prism54_process_trap);
390                         schedule_work(&frame->ws);
391
392                 } else {
393                         /* Signal the one waiting process that a response
394                          * has been received. */
395                         if ((frame = xchg(&priv->mgmt_received, frame)) != NULL) {
396                                 printk(KERN_WARNING
397                                        "%s: mgmt response not collected\n",
398                                        ndev->name);
399                                 kfree(frame);
400                         }
401 #if VERBOSE > SHOW_ERROR_MESSAGES
402                         DEBUG(SHOW_TRACING, "Wake up Mgmt Queue\n");
403 #endif
404                         wake_up(&priv->mgmt_wqueue);
405                 }
406
407         }
408
409         return 0;
410 }
411
412 /*
413  * Cleanup the transmit queue by freeing all frames handled by the device.
414  */
415 void
416 islpci_mgt_cleanup_transmit(struct net_device *ndev)
417 {
418         islpci_private *priv = netdev_priv(ndev);
419         isl38xx_control_block *cb =     /* volatile not needed */
420             (isl38xx_control_block *) priv->control_block;
421         u32 curr_frag;
422
423 #if VERBOSE > SHOW_ERROR_MESSAGES
424         DEBUG(SHOW_FUNCTION_CALLS, "islpci_mgt_cleanup_transmit\n");
425 #endif
426
427         /* Only once per cleanup, determine fragment range to
428          * process.  This avoids an endless loop (i.e. lockup) if
429          * the device became confused, incrementing device_curr_frag
430          * rapidly. */
431         curr_frag = le32_to_cpu(cb->device_curr_frag[ISL38XX_CB_TX_MGMTQ]);
432         barrier();
433
434         for (; priv->index_mgmt_tx < curr_frag; priv->index_mgmt_tx++) {
435                 int index = priv->index_mgmt_tx % ISL38XX_CB_MGMT_QSIZE;
436                 struct islpci_membuf *buf = &priv->mgmt_tx[index];
437                 pci_unmap_single(priv->pdev, buf->pci_addr, buf->size,
438                                  PCI_DMA_TODEVICE);
439                 buf->pci_addr = 0;
440                 kfree(buf->mem);
441                 buf->mem = NULL;
442                 buf->size = 0;
443         }
444 }
445
446 /*
447  * Perform one request-response transaction to the device.
448  */
449 int
450 islpci_mgt_transaction(struct net_device *ndev,
451                        int operation, unsigned long oid,
452                        void *senddata, int sendlen,
453                        struct islpci_mgmtframe **recvframe)
454 {
455         islpci_private *priv = netdev_priv(ndev);
456         const long wait_cycle_jiffies = msecs_to_jiffies(ISL38XX_WAIT_CYCLE * 10);
457         long timeout_left = ISL38XX_MAX_WAIT_CYCLES * wait_cycle_jiffies;
458         int err;
459         DEFINE_WAIT(wait);
460
461         *recvframe = NULL;
462
463         if (down_interruptible(&priv->mgmt_sem))
464                 return -ERESTARTSYS;
465
466         prepare_to_wait(&priv->mgmt_wqueue, &wait, TASK_UNINTERRUPTIBLE);
467         err = islpci_mgt_transmit(ndev, operation, oid, senddata, sendlen);
468         if (err)
469                 goto out;
470
471         err = -ETIMEDOUT;
472         while (timeout_left > 0) {
473                 int timeleft;
474                 struct islpci_mgmtframe *frame;
475
476                 timeleft = schedule_timeout_uninterruptible(wait_cycle_jiffies);
477                 frame = xchg(&priv->mgmt_received, NULL);
478                 if (frame) {
479                         if (frame->header->oid == oid) {
480                                 *recvframe = frame;
481                                 err = 0;
482                                 goto out;
483                         } else {
484                                 printk(KERN_DEBUG
485                                        "%s: expecting oid 0x%x, received 0x%x.\n",
486                                        ndev->name, (unsigned int) oid,
487                                        frame->header->oid);
488                                 kfree(frame);
489                                 frame = NULL;
490                         }
491                 }
492                 if (timeleft == 0) {
493                         printk(KERN_DEBUG
494                                 "%s: timeout waiting for mgmt response %lu, "
495                                 "triggering device\n",
496                                 ndev->name, timeout_left);
497                         islpci_trigger(priv);
498                 }
499                 timeout_left += timeleft - wait_cycle_jiffies;
500         }
501         printk(KERN_WARNING "%s: timeout waiting for mgmt response\n",
502                ndev->name);
503
504         /* TODO: we should reset the device here */
505  out:
506         finish_wait(&priv->mgmt_wqueue, &wait);
507         up(&priv->mgmt_sem);
508         return err;
509 }
510