intersil/orinoco/orinoco_usb.c

0001 /*
0002  * USB Orinoco driver
0003  *
0004  * Copyright (c) 2003 Manuel Estrada Sainz
0005  *
0006  * The contents of this file are subject to the Mozilla Public License
0007  * Version 1.1 (the "License"); you may not use this file except in
0008  * compliance with the License. You may obtain a copy of the License
0009  * at http://www.mozilla.org/MPL/
0010  *
0011  * Software distributed under the License is distributed on an "AS IS"
0012  * basis, WITHOUT WARRANTY OF ANY KIND, either express or implied. See
0013  * the License for the specific language governing rights and
0014  * limitations under the License.
0015  *
0016  * Alternatively, the contents of this file may be used under the
0017  * terms of the GNU General Public License version 2 (the "GPL"), in
0018  * which case the provisions of the GPL are applicable instead of the
0019  * above.  If you wish to allow the use of your version of this file
0020  * only under the terms of the GPL and not to allow others to use your
0021  * version of this file under the MPL, indicate your decision by
0022  * deleting the provisions above and replace them with the notice and
0023  * other provisions required by the GPL.  If you do not delete the
0024  * provisions above, a recipient may use your version of this file
0025  * under either the MPL or the GPL.
0026  *
0027  * Queueing code based on linux-wlan-ng 0.2.1-pre5
0028  *
0029  * Copyright (C) 1999 AbsoluteValue Systems, Inc.  All Rights Reserved.
0030  *
0031  *  The license is the same as above.
0032  *
0033  * Initialy based on USB Skeleton driver - 0.7
0034  *
0035  * Copyright (c) 2001 Greg Kroah-Hartman (greg@kroah.com)
0036  *
0037  *  This program is free software; you can redistribute it and/or
0038  *  modify it under the terms of the GNU General Public License as
0039  *  published by the Free Software Foundation; either version 2 of
0040  *  the License, or (at your option) any later version.
0041  *
0042  * NOTE: The original USB Skeleton driver is GPL, but all that code is
0043  * gone so MPL/GPL applies.
0044  */
0045
0046 #define DRIVER_NAME "orinoco_usb"
0047 #define PFX DRIVER_NAME ": "
0048
0049 #include <linux/module.h>
0050 #include <linux/kernel.h>
0051 #include <linux/sched.h>
0052 #include <linux/signal.h>
0053 #include <linux/errno.h>
0054 #include <linux/poll.h>
0055 #include <linux/slab.h>
0056 #include <linux/fcntl.h>
0057 #include <linux/spinlock.h>
0058 #include <linux/list.h>
0059 #include <linux/usb.h>
0060 #include <linux/timer.h>
0061
0062 #include <linux/netdevice.h>
0063 #include <linux/if_arp.h>
0064 #include <linux/etherdevice.h>
0065 #include <linux/wireless.h>
0066 #include <linux/firmware.h>
0067 #include <linux/refcount.h>
0068
0069 #include "mic.h"
0070 #include "orinoco.h"
0071
0072 #ifndef URB_ASYNC_UNLINK
0073 #define URB_ASYNC_UNLINK 0
0074 #endif
0075
0076 struct header_struct {
0077     /* 802.3 */
0078     u8 dest[ETH_ALEN];
0079     u8 src[ETH_ALEN];
0080     __be16 len;
0081     /* 802.2 */
0082     u8 dsap;
0083     u8 ssap;
0084     u8 ctrl;
0085     /* SNAP */
0086     u8 oui[3];
0087     __be16 ethertype;
0088 } __packed;
0089
0090 struct ez_usb_fw {
0091     u16 size;
0092     const u8 *code;
0093 };
0094
0095 static struct ez_usb_fw firmware = {
0096     .size = 0,
0097     .code = NULL,
0098 };
0099
0100 /* Debugging macros */
0101 #undef err
0102 #define err(format, arg...) \
0103     do { printk(KERN_ERR PFX format "\n", ## arg); } while (0)
0104
0105 MODULE_FIRMWARE("orinoco_ezusb_fw");
0106
0107 /*
0108  * Under some conditions, the card gets stuck and stops paying attention
0109  * to the world (i.e. data communication stalls) until we do something to
0110  * it.  Sending an INQ_TALLIES command seems to be enough and should be
0111  * harmless otherwise.  This behaviour has been observed when using the
0112  * driver on a systemimager client during installation.  In the past a
0113  * timer was used to send INQ_TALLIES commands when there was no other
0114  * activity, but it was troublesome and was removed.
0115  */
0116
0117 #define USB_COMPAQ_VENDOR_ID     0x049f /* Compaq Computer Corp. */
0118 #define USB_COMPAQ_WL215_ID      0x001f /* Compaq WL215 USB Adapter */
0119 #define USB_COMPAQ_W200_ID       0x0076 /* Compaq W200 USB Adapter */
0120 #define USB_HP_WL215_ID          0x0082 /* Compaq WL215 USB Adapter */
0121
0122 #define USB_MELCO_VENDOR_ID      0x0411
0123 #define USB_BUFFALO_L11_ID       0x0006 /* BUFFALO WLI-USB-L11 */
0124 #define USB_BUFFALO_L11G_WR_ID   0x000B /* BUFFALO WLI-USB-L11G-WR */
0125 #define USB_BUFFALO_L11G_ID      0x000D /* BUFFALO WLI-USB-L11G */
0126
0127 #define USB_LUCENT_VENDOR_ID     0x047E /* Lucent Technologies */
0128 #define USB_LUCENT_ORINOCO_ID    0x0300 /* Lucent/Agere Orinoco USB Client */
0129
0130 #define USB_AVAYA8_VENDOR_ID     0x0D98
0131 #define USB_AVAYAE_VENDOR_ID     0x0D9E
0132 #define USB_AVAYA_WIRELESS_ID    0x0300 /* Avaya Wireless USB Card */
0133
0134 #define USB_AGERE_VENDOR_ID      0x0D4E /* Agere Systems */
0135 #define USB_AGERE_MODEL0801_ID   0x1000 /* Wireless USB Card Model 0801 */
0136 #define USB_AGERE_MODEL0802_ID   0x1001 /* Wireless USB Card Model 0802 */
0137 #define USB_AGERE_REBRANDED_ID   0x047A /* WLAN USB Card */
0138
0139 #define USB_ELSA_VENDOR_ID       0x05CC
0140 #define USB_ELSA_AIRLANCER_ID    0x3100 /* ELSA AirLancer USB-11 */
0141
0142 #define USB_LEGEND_VENDOR_ID     0x0E7C
0143 #define USB_LEGEND_JOYNET_ID     0x0300 /* Joynet WLAN USB Card */
0144
0145 #define USB_SAMSUNG_VENDOR_ID    0x04E8
0146 #define USB_SAMSUNG_SEW2001U1_ID 0x5002 /* Samsung SEW-2001u Card */
0147 #define USB_SAMSUNG_SEW2001U2_ID 0x5B11 /* Samsung SEW-2001u Card */
0148 #define USB_SAMSUNG_SEW2003U_ID  0x7011 /* Samsung SEW-2003U Card */
0149
0150 #define USB_IGATE_VENDOR_ID      0x0681
0151 #define USB_IGATE_IGATE_11M_ID   0x0012 /* I-GATE 11M USB Card */
0152
0153 #define USB_FUJITSU_VENDOR_ID    0x0BF8
0154 #define USB_FUJITSU_E1100_ID     0x1002 /* connect2AIR WLAN E-1100 USB */
0155
0156 #define USB_2WIRE_VENDOR_ID      0x1630
0157 #define USB_2WIRE_WIRELESS_ID    0xff81 /* 2Wire Wireless USB adapter */
0158
0159
0160 #define EZUSB_REQUEST_FW_TRANS      0xA0
0161 #define EZUSB_REQUEST_TRIGGER       0xAA
0162 #define EZUSB_REQUEST_TRIG_AC       0xAC
0163 #define EZUSB_CPUCS_REG         0x7F92
0164
0165 #define EZUSB_RID_TX            0x0700
0166 #define EZUSB_RID_RX            0x0701
0167 #define EZUSB_RID_INIT1         0x0702
0168 #define EZUSB_RID_ACK           0x0710
0169 #define EZUSB_RID_READ_PDA      0x0800
0170 #define EZUSB_RID_PROG_INIT     0x0852
0171 #define EZUSB_RID_PROG_SET_ADDR     0x0853
0172 #define EZUSB_RID_PROG_BYTES        0x0854
0173 #define EZUSB_RID_PROG_END      0x0855
0174 #define EZUSB_RID_DOCMD         0x0860
0175
0176 /* Recognize info frames */
0177 #define EZUSB_IS_INFO(id)       ((id >= 0xF000) && (id <= 0xF2FF))
0178
0179 #define EZUSB_MAGIC         0x0210
0180
0181 #define EZUSB_FRAME_DATA        1
0182 #define EZUSB_FRAME_CONTROL     2
0183
0184 #define DEF_TIMEOUT         (3 * HZ)
0185
0186 #define BULK_BUF_SIZE           2048
0187
0188 #define MAX_DL_SIZE (BULK_BUF_SIZE - sizeof(struct ezusb_packet))
0189
0190 #define FW_BUF_SIZE         64
0191 #define FW_VAR_OFFSET_PTR       0x359
0192 #define FW_VAR_VALUE            0
0193 #define FW_HOLE_START           0x100
0194 #define FW_HOLE_END         0x300
0195
0196 struct ezusb_packet {
0197     __le16 magic;       /* 0x0210 */
0198     u8 req_reply_count;
0199     u8 ans_reply_count;
0200     __le16 frame_type;  /* 0x01 for data frames, 0x02 otherwise */
0201     __le16 size;        /* transport size */
0202     __le16 crc;     /* CRC up to here */
0203     __le16 hermes_len;
0204     __le16 hermes_rid;
0205     u8 data[];
0206 } __packed;
0207
0208 /* Table of devices that work or may work with this driver */
0209 static const struct usb_device_id ezusb_table[] = {
0210     {USB_DEVICE(USB_COMPAQ_VENDOR_ID, USB_COMPAQ_WL215_ID)},
0211     {USB_DEVICE(USB_COMPAQ_VENDOR_ID, USB_HP_WL215_ID)},
0212     {USB_DEVICE(USB_COMPAQ_VENDOR_ID, USB_COMPAQ_W200_ID)},
0213     {USB_DEVICE(USB_MELCO_VENDOR_ID, USB_BUFFALO_L11_ID)},
0214     {USB_DEVICE(USB_MELCO_VENDOR_ID, USB_BUFFALO_L11G_WR_ID)},
0215     {USB_DEVICE(USB_MELCO_VENDOR_ID, USB_BUFFALO_L11G_ID)},
0216     {USB_DEVICE(USB_LUCENT_VENDOR_ID, USB_LUCENT_ORINOCO_ID)},
0217     {USB_DEVICE(USB_AVAYA8_VENDOR_ID, USB_AVAYA_WIRELESS_ID)},
0218     {USB_DEVICE(USB_AVAYAE_VENDOR_ID, USB_AVAYA_WIRELESS_ID)},
0219     {USB_DEVICE(USB_AGERE_VENDOR_ID, USB_AGERE_MODEL0801_ID)},
0220     {USB_DEVICE(USB_AGERE_VENDOR_ID, USB_AGERE_MODEL0802_ID)},
0221     {USB_DEVICE(USB_ELSA_VENDOR_ID, USB_ELSA_AIRLANCER_ID)},
0222     {USB_DEVICE(USB_LEGEND_VENDOR_ID, USB_LEGEND_JOYNET_ID)},
0223     {USB_DEVICE_VER(USB_SAMSUNG_VENDOR_ID, USB_SAMSUNG_SEW2001U1_ID,
0224             0, 0)},
0225     {USB_DEVICE(USB_SAMSUNG_VENDOR_ID, USB_SAMSUNG_SEW2001U2_ID)},
0226     {USB_DEVICE(USB_SAMSUNG_VENDOR_ID, USB_SAMSUNG_SEW2003U_ID)},
0227     {USB_DEVICE(USB_IGATE_VENDOR_ID, USB_IGATE_IGATE_11M_ID)},
0228     {USB_DEVICE(USB_FUJITSU_VENDOR_ID, USB_FUJITSU_E1100_ID)},
0229     {USB_DEVICE(USB_2WIRE_VENDOR_ID, USB_2WIRE_WIRELESS_ID)},
0230     {USB_DEVICE(USB_AGERE_VENDOR_ID, USB_AGERE_REBRANDED_ID)},
0231     {}          /* Terminating entry */
0232 };
0233
0234 MODULE_DEVICE_TABLE(usb, ezusb_table);
0235
0236 /* Structure to hold all of our device specific stuff */
0237 struct ezusb_priv {
0238     struct usb_device *udev;
0239     struct net_device *dev;
0240     struct mutex mtx;
0241     spinlock_t req_lock;
0242     struct list_head req_pending;
0243     struct list_head req_active;
0244     spinlock_t reply_count_lock;
0245     u16 hermes_reg_fake[0x40];
0246     u8 *bap_buf;
0247     struct urb *read_urb;
0248     int read_pipe;
0249     int write_pipe;
0250     u8 reply_count;
0251 };
0252
0253 enum ezusb_state {
0254     EZUSB_CTX_START,
0255     EZUSB_CTX_QUEUED,
0256     EZUSB_CTX_REQ_SUBMITTED,
0257     EZUSB_CTX_REQ_COMPLETE,
0258     EZUSB_CTX_RESP_RECEIVED,
0259     EZUSB_CTX_REQ_TIMEOUT,
0260     EZUSB_CTX_REQ_FAILED,
0261     EZUSB_CTX_RESP_TIMEOUT,
0262     EZUSB_CTX_REQSUBMIT_FAIL,
0263     EZUSB_CTX_COMPLETE,
0264 };
0265
0266 struct request_context {
0267     struct list_head list;
0268     refcount_t refcount;
0269     struct completion done; /* Signals that CTX is dead */
0270     int killed;
0271     struct urb *outurb; /* OUT for req pkt */
0272     struct ezusb_priv *upriv;
0273     struct ezusb_packet *buf;
0274     int buf_length;
0275     struct timer_list timer;    /* Timeout handling */
0276     enum ezusb_state state; /* Current state */
0277     /* the RID that we will wait for */
0278     u16 out_rid;
0279     u16 in_rid;
0280 };
0281
0282
0283 /* Forward declarations */
0284 static void ezusb_ctx_complete(struct request_context *ctx);
0285 static void ezusb_req_queue_run(struct ezusb_priv *upriv);
0286 static void ezusb_bulk_in_callback(struct urb *urb);
0287
0288 static inline u8 ezusb_reply_inc(u8 count)
0289 {
0290     if (count < 0x7F)
0291         return count + 1;
0292     else
0293         return 1;
0294 }
0295
0296 static void ezusb_request_context_put(struct request_context *ctx)
0297 {
0298     if (!refcount_dec_and_test(&ctx->refcount))
0299         return;
0300
0301     WARN_ON(!ctx->done.done);
0302     BUG_ON(ctx->outurb->status == -EINPROGRESS);
0303     BUG_ON(timer_pending(&ctx->timer));
0304     usb_free_urb(ctx->outurb);
0305     kfree(ctx->buf);
0306     kfree(ctx);
0307 }
0308
0309 static inline void ezusb_mod_timer(struct ezusb_priv *upriv,
0310                    struct timer_list *timer,
0311                    unsigned long expire)
0312 {
0313     if (!upriv->udev)
0314         return;
0315     mod_timer(timer, expire);
0316 }
0317
0318 static void ezusb_request_timerfn(struct timer_list *t)
0319 {
0320     struct request_context *ctx = from_timer(ctx, t, timer);
0321
0322     ctx->outurb->transfer_flags |= URB_ASYNC_UNLINK;
0323     if (usb_unlink_urb(ctx->outurb) == -EINPROGRESS) {
0324         ctx->state = EZUSB_CTX_REQ_TIMEOUT;
0325     } else {
0326         ctx->state = EZUSB_CTX_RESP_TIMEOUT;
0327         dev_dbg(&ctx->outurb->dev->dev, "couldn't unlink\n");
0328         refcount_inc(&ctx->refcount);
0329         ctx->killed = 1;
0330         ezusb_ctx_complete(ctx);
0331         ezusb_request_context_put(ctx);
0332     }
0333 };
0334
0335 static struct request_context *ezusb_alloc_ctx(struct ezusb_priv *upriv,
0336                            u16 out_rid, u16 in_rid)
0337 {
0338     struct request_context *ctx;
0339
0340     ctx = kzalloc(sizeof(*ctx), GFP_ATOMIC);
0341     if (!ctx)
0342         return NULL;
0343
0344     ctx->buf = kmalloc(BULK_BUF_SIZE, GFP_ATOMIC);
0345     if (!ctx->buf) {
0346         kfree(ctx);
0347         return NULL;
0348     }
0349     ctx->outurb = usb_alloc_urb(0, GFP_ATOMIC);
0350     if (!ctx->outurb) {
0351         kfree(ctx->buf);
0352         kfree(ctx);
0353         return NULL;
0354     }
0355
0356     ctx->upriv = upriv;
0357     ctx->state = EZUSB_CTX_START;
0358     ctx->out_rid = out_rid;
0359     ctx->in_rid = in_rid;
0360
0361     refcount_set(&ctx->refcount, 1);
0362     init_completion(&ctx->done);
0363
0364     timer_setup(&ctx->timer, ezusb_request_timerfn, 0);
0365     return ctx;
0366 }
0367
0368 static void ezusb_ctx_complete(struct request_context *ctx)
0369 {
0370     struct ezusb_priv *upriv = ctx->upriv;
0371     unsigned long flags;
0372
0373     spin_lock_irqsave(&upriv->req_lock, flags);
0374
0375     list_del_init(&ctx->list);
0376     if (upriv->udev) {
0377         spin_unlock_irqrestore(&upriv->req_lock, flags);
0378         ezusb_req_queue_run(upriv);
0379         spin_lock_irqsave(&upriv->req_lock, flags);
0380     }
0381
0382     switch (ctx->state) {
0383     case EZUSB_CTX_COMPLETE:
0384     case EZUSB_CTX_REQSUBMIT_FAIL:
0385     case EZUSB_CTX_REQ_FAILED:
0386     case EZUSB_CTX_REQ_TIMEOUT:
0387     case EZUSB_CTX_RESP_TIMEOUT:
0388         spin_unlock_irqrestore(&upriv->req_lock, flags);
0389
0390         if ((ctx->out_rid == EZUSB_RID_TX) && upriv->dev) {
0391             struct net_device *dev = upriv->dev;
0392             struct net_device_stats *stats = &dev->stats;
0393
0394             if (ctx->state != EZUSB_CTX_COMPLETE)
0395                 stats->tx_errors++;
0396             else
0397                 stats->tx_packets++;
0398
0399             netif_wake_queue(dev);
0400         }
0401         complete_all(&ctx->done);
0402         ezusb_request_context_put(ctx);
0403         break;
0404
0405     default:
0406         spin_unlock_irqrestore(&upriv->req_lock, flags);
0407         if (!upriv->udev) {
0408             /* This is normal, as all request contexts get flushed
0409              * when the device is disconnected */
0410             err("Called, CTX not terminating, but device gone");
0411             complete_all(&ctx->done);
0412             ezusb_request_context_put(ctx);
0413             break;
0414         }
0415
0416         err("Called, CTX not in terminating state.");
0417         /* Things are really bad if this happens. Just leak
0418          * the CTX because it may still be linked to the
0419          * queue or the OUT urb may still be active.
0420          * Just leaking at least prevents an Oops or Panic.
0421          */
0422         break;
0423     }
0424 }
0425
0426 /*
0427  * ezusb_req_queue_run:
0428  * Description:
0429  *  Note: Only one active CTX at any one time, because there's no
0430  *  other (reliable) way to match the response URB to the correct
0431  *  CTX.
0432  */
0433 static void ezusb_req_queue_run(struct ezusb_priv *upriv)
0434 {
0435     unsigned long flags;
0436     struct request_context *ctx;
0437     int result;
0438
0439     spin_lock_irqsave(&upriv->req_lock, flags);
0440
0441     if (!list_empty(&upriv->req_active))
0442         goto unlock;
0443
0444     if (list_empty(&upriv->req_pending))
0445         goto unlock;
0446
0447     ctx =
0448         list_entry(upriv->req_pending.next, struct request_context,
0449                list);
0450
0451     if (!ctx->upriv->udev)
0452         goto unlock;
0453
0454     /* We need to split this off to avoid a race condition */
0455     list_move_tail(&ctx->list, &upriv->req_active);
0456
0457     if (ctx->state == EZUSB_CTX_QUEUED) {
0458         refcount_inc(&ctx->refcount);
0459         result = usb_submit_urb(ctx->outurb, GFP_ATOMIC);
0460         if (result) {
0461             ctx->state = EZUSB_CTX_REQSUBMIT_FAIL;
0462
0463             spin_unlock_irqrestore(&upriv->req_lock, flags);
0464
0465             err("Fatal, failed to submit command urb."
0466                 " error=%d\n", result);
0467
0468             ezusb_ctx_complete(ctx);
0469             ezusb_request_context_put(ctx);
0470             goto done;
0471         }
0472
0473         ctx->state = EZUSB_CTX_REQ_SUBMITTED;
0474         ezusb_mod_timer(ctx->upriv, &ctx->timer,
0475                 jiffies + DEF_TIMEOUT);
0476     }
0477
0478  unlock:
0479     spin_unlock_irqrestore(&upriv->req_lock, flags);
0480
0481  done:
0482     return;
0483 }
0484
0485 static void ezusb_req_enqueue_run(struct ezusb_priv *upriv,
0486                   struct request_context *ctx)
0487 {
0488     unsigned long flags;
0489
0490     spin_lock_irqsave(&upriv->req_lock, flags);
0491
0492     if (!ctx->upriv->udev) {
0493         spin_unlock_irqrestore(&upriv->req_lock, flags);
0494         goto done;
0495     }
0496     refcount_inc(&ctx->refcount);
0497     list_add_tail(&ctx->list, &upriv->req_pending);
0498     spin_unlock_irqrestore(&upriv->req_lock, flags);
0499
0500     ctx->state = EZUSB_CTX_QUEUED;
0501     ezusb_req_queue_run(upriv);
0502
0503  done:
0504     return;
0505 }
0506
0507 static void ezusb_request_out_callback(struct urb *urb)
0508 {
0509     unsigned long flags;
0510     enum ezusb_state state;
0511     struct request_context *ctx = urb->context;
0512     struct ezusb_priv *upriv = ctx->upriv;
0513
0514     spin_lock_irqsave(&upriv->req_lock, flags);
0515
0516     del_timer(&ctx->timer);
0517
0518     if (ctx->killed) {
0519         spin_unlock_irqrestore(&upriv->req_lock, flags);
0520         pr_warn("interrupt called with dead ctx\n");
0521         goto out;
0522     }
0523
0524     state = ctx->state;
0525
0526     if (urb->status == 0) {
0527         switch (state) {
0528         case EZUSB_CTX_REQ_SUBMITTED:
0529             if (ctx->in_rid) {
0530                 ctx->state = EZUSB_CTX_REQ_COMPLETE;
0531                 /* reply URB still pending */
0532                 ezusb_mod_timer(upriv, &ctx->timer,
0533                         jiffies + DEF_TIMEOUT);
0534                 spin_unlock_irqrestore(&upriv->req_lock,
0535                                flags);
0536                 break;
0537             }
0538             fallthrough;
0539         case EZUSB_CTX_RESP_RECEIVED:
0540             /* IN already received before this OUT-ACK */
0541             ctx->state = EZUSB_CTX_COMPLETE;
0542             spin_unlock_irqrestore(&upriv->req_lock, flags);
0543             ezusb_ctx_complete(ctx);
0544             break;
0545
0546         default:
0547             spin_unlock_irqrestore(&upriv->req_lock, flags);
0548             err("Unexpected state(0x%x, %d) in OUT URB",
0549                 state, urb->status);
0550             break;
0551         }
0552     } else {
0553         /* If someone cancels the OUT URB then its status
0554          * should be either -ECONNRESET or -ENOENT.
0555          */
0556         switch (state) {
0557         case EZUSB_CTX_REQ_SUBMITTED:
0558         case EZUSB_CTX_RESP_RECEIVED:
0559             ctx->state = EZUSB_CTX_REQ_FAILED;
0560             fallthrough;
0561
0562         case EZUSB_CTX_REQ_FAILED:
0563         case EZUSB_CTX_REQ_TIMEOUT:
0564             spin_unlock_irqrestore(&upriv->req_lock, flags);
0565
0566             ezusb_ctx_complete(ctx);
0567             break;
0568
0569         default:
0570             spin_unlock_irqrestore(&upriv->req_lock, flags);
0571
0572             err("Unexpected state(0x%x, %d) in OUT URB",
0573                 state, urb->status);
0574             break;
0575         }
0576     }
0577  out:
0578     ezusb_request_context_put(ctx);
0579 }
0580
0581 static void ezusb_request_in_callback(struct ezusb_priv *upriv,
0582                       struct urb *urb)
0583 {
0584     struct ezusb_packet *ans = urb->transfer_buffer;
0585     struct request_context *ctx = NULL;
0586     enum ezusb_state state;
0587     unsigned long flags;
0588
0589     /* Find the CTX on the active queue that requested this URB */
0590     spin_lock_irqsave(&upriv->req_lock, flags);
0591     if (upriv->udev) {
0592         struct list_head *item;
0593
0594         list_for_each(item, &upriv->req_active) {
0595             struct request_context *c;
0596             int reply_count;
0597
0598             c = list_entry(item, struct request_context, list);
0599             reply_count =
0600                 ezusb_reply_inc(c->buf->req_reply_count);
0601             if ((ans->ans_reply_count == reply_count)
0602                 && (le16_to_cpu(ans->hermes_rid) == c->in_rid)) {
0603                 ctx = c;
0604                 break;
0605             }
0606             netdev_dbg(upriv->dev, "Skipped (0x%x/0x%x) (%d/%d)\n",
0607                    le16_to_cpu(ans->hermes_rid), c->in_rid,
0608                    ans->ans_reply_count, reply_count);
0609         }
0610     }
0611
0612     if (ctx == NULL) {
0613         spin_unlock_irqrestore(&upriv->req_lock, flags);
0614         err("%s: got unexpected RID: 0x%04X", __func__,
0615             le16_to_cpu(ans->hermes_rid));
0616         ezusb_req_queue_run(upriv);
0617         return;
0618     }
0619
0620     /* The data we want is in the in buffer, exchange */
0621     urb->transfer_buffer = ctx->buf;
0622     ctx->buf = (void *) ans;
0623     ctx->buf_length = urb->actual_length;
0624
0625     state = ctx->state;
0626     switch (state) {
0627     case EZUSB_CTX_REQ_SUBMITTED:
0628         /* We have received our response URB before
0629          * our request has been acknowledged. Do NOT
0630          * destroy our CTX yet, because our OUT URB
0631          * is still alive ...
0632          */
0633         ctx->state = EZUSB_CTX_RESP_RECEIVED;
0634         spin_unlock_irqrestore(&upriv->req_lock, flags);
0635
0636         /* Let the machine continue running. */
0637         break;
0638
0639     case EZUSB_CTX_REQ_COMPLETE:
0640         /* This is the usual path: our request
0641          * has already been acknowledged, and
0642          * we have now received the reply.
0643          */
0644         ctx->state = EZUSB_CTX_COMPLETE;
0645
0646         /* Stop the intimer */
0647         del_timer(&ctx->timer);
0648         spin_unlock_irqrestore(&upriv->req_lock, flags);
0649
0650         /* Call the completion handler */
0651         ezusb_ctx_complete(ctx);
0652         break;
0653
0654     default:
0655         spin_unlock_irqrestore(&upriv->req_lock, flags);
0656
0657         pr_warn("Matched IN URB, unexpected context state(0x%x)\n",
0658             state);
0659         /* Throw this CTX away and try submitting another */
0660         del_timer(&ctx->timer);
0661         ctx->outurb->transfer_flags |= URB_ASYNC_UNLINK;
0662         usb_unlink_urb(ctx->outurb);
0663         ezusb_req_queue_run(upriv);
0664         break;
0665     }           /* switch */
0666 }
0667
0668 typedef void (*ezusb_ctx_wait)(struct ezusb_priv *, struct request_context *);
0669
0670 static void ezusb_req_ctx_wait_compl(struct ezusb_priv *upriv,
0671                      struct request_context *ctx)
0672 {
0673     switch (ctx->state) {
0674     case EZUSB_CTX_QUEUED:
0675     case EZUSB_CTX_REQ_SUBMITTED:
0676     case EZUSB_CTX_REQ_COMPLETE:
0677     case EZUSB_CTX_RESP_RECEIVED:
0678         wait_for_completion(&ctx->done);
0679         break;
0680     default:
0681         /* Done or failed - nothing to wait for */
0682         break;
0683     }
0684 }
0685
0686 static void ezusb_req_ctx_wait_poll(struct ezusb_priv *upriv,
0687                     struct request_context *ctx)
0688 {
0689     int msecs;
0690
0691     switch (ctx->state) {
0692     case EZUSB_CTX_QUEUED:
0693     case EZUSB_CTX_REQ_SUBMITTED:
0694     case EZUSB_CTX_REQ_COMPLETE:
0695     case EZUSB_CTX_RESP_RECEIVED:
0696         /* If we get called from a timer or with our lock acquired, then
0697          * we can't wait for the completion and have to poll. This won't
0698          * happen if the USB controller completes the URB requests in
0699          * BH.
0700          */
0701         msecs = DEF_TIMEOUT * (1000 / HZ);
0702
0703         while (!try_wait_for_completion(&ctx->done) && msecs--)
0704             udelay(1000);
0705         break;
0706     default:
0707         /* Done or failed - nothing to wait for */
0708         break;
0709     }
0710 }
0711
0712 static void ezusb_req_ctx_wait_skip(struct ezusb_priv *upriv,
0713                     struct request_context *ctx)
0714 {
0715     WARN(1, "Shouldn't be invoked for in_rid\n");
0716 }
0717
0718 static inline u16 build_crc(struct ezusb_packet *data)
0719 {
0720     u16 crc = 0;
0721     u8 *bytes = (u8 *)data;
0722     int i;
0723
0724     for (i = 0; i < 8; i++)
0725         crc = (crc << 1) + bytes[i];
0726
0727     return crc;
0728 }
0729
0730 /*
0731  * ezusb_fill_req:
0732  *
0733  * if data == NULL and length > 0 the data is assumed to be already in
0734  * the target buffer and only the header is filled.
0735  *
0736  */
0737 static int ezusb_fill_req(struct ezusb_packet *req, u16 length, u16 rid,
0738               const void *data, u16 frame_type, u8 reply_count)
0739 {
0740     int total_size = sizeof(*req) + length;
0741
0742     BUG_ON(total_size > BULK_BUF_SIZE);
0743
0744     req->magic = cpu_to_le16(EZUSB_MAGIC);
0745     req->req_reply_count = reply_count;
0746     req->ans_reply_count = 0;
0747     req->frame_type = cpu_to_le16(frame_type);
0748     req->size = cpu_to_le16(length + 4);
0749     req->crc = cpu_to_le16(build_crc(req));
0750     req->hermes_len = cpu_to_le16(HERMES_BYTES_TO_RECLEN(length));
0751     req->hermes_rid = cpu_to_le16(rid);
0752     if (data)
0753         memcpy(req->data, data, length);
0754     return total_size;
0755 }
0756
0757 static int ezusb_submit_in_urb(struct ezusb_priv *upriv)
0758 {
0759     int retval = 0;
0760     void *cur_buf = upriv->read_urb->transfer_buffer;
0761
0762     if (upriv->read_urb->status == -EINPROGRESS) {
0763         netdev_dbg(upriv->dev, "urb busy, not resubmiting\n");
0764         retval = -EBUSY;
0765         goto exit;
0766     }
0767     usb_fill_bulk_urb(upriv->read_urb, upriv->udev, upriv->read_pipe,
0768               cur_buf, BULK_BUF_SIZE,
0769               ezusb_bulk_in_callback, upriv);
0770     upriv->read_urb->transfer_flags = 0;
0771     retval = usb_submit_urb(upriv->read_urb, GFP_ATOMIC);
0772     if (retval)
0773         err("%s submit failed %d", __func__, retval);
0774
0775  exit:
0776     return retval;
0777 }
0778
0779 static inline int ezusb_8051_cpucs(struct ezusb_priv *upriv, int reset)
0780 {
0781     int ret;
0782     u8 *res_val = NULL;
0783
0784     if (!upriv->udev) {
0785         err("%s: !upriv->udev", __func__);
0786         return -EFAULT;
0787     }
0788
0789     res_val = kmalloc(sizeof(*res_val), GFP_KERNEL);
0790
0791     if (!res_val)
0792         return -ENOMEM;
0793
0794     *res_val = reset;   /* avoid argument promotion */
0795
0796     ret =  usb_control_msg(upriv->udev,
0797                    usb_sndctrlpipe(upriv->udev, 0),
0798                    EZUSB_REQUEST_FW_TRANS,
0799                    USB_TYPE_VENDOR | USB_RECIP_DEVICE |
0800                    USB_DIR_OUT, EZUSB_CPUCS_REG, 0, res_val,
0801                    sizeof(*res_val), DEF_TIMEOUT);
0802
0803     kfree(res_val);
0804
0805     return ret;
0806 }
0807
0808 static int ezusb_firmware_download(struct ezusb_priv *upriv,
0809                    struct ez_usb_fw *fw)
0810 {
0811     u8 *fw_buffer;
0812     int retval, addr;
0813     int variant_offset;
0814
0815     fw_buffer = kmalloc(FW_BUF_SIZE, GFP_KERNEL);
0816     if (!fw_buffer) {
0817         printk(KERN_ERR PFX "Out of memory for firmware buffer.\n");
0818         return -ENOMEM;
0819     }
0820     /*
0821      * This byte is 1 and should be replaced with 0.  The offset is
0822      * 0x10AD in version 0.0.6.  The byte in question should follow
0823      * the end of the code pointed to by the jump in the beginning
0824      * of the firmware.  Also, it is read by code located at 0x358.
0825      */
0826     variant_offset = be16_to_cpup((__be16 *) &fw->code[FW_VAR_OFFSET_PTR]);
0827     if (variant_offset >= fw->size) {
0828         printk(KERN_ERR PFX "Invalid firmware variant offset: "
0829                "0x%04x\n", variant_offset);
0830         retval = -EINVAL;
0831         goto fail;
0832     }
0833
0834     retval = ezusb_8051_cpucs(upriv, 1);
0835     if (retval < 0)
0836         goto fail;
0837     for (addr = 0; addr < fw->size; addr += FW_BUF_SIZE) {
0838         /* 0x100-0x300 should be left alone, it contains card
0839          * specific data, like USB enumeration information */
0840         if ((addr >= FW_HOLE_START) && (addr < FW_HOLE_END))
0841             continue;
0842
0843         memcpy(fw_buffer, &fw->code[addr], FW_BUF_SIZE);
0844         if (variant_offset >= addr &&
0845             variant_offset < addr + FW_BUF_SIZE) {
0846             netdev_dbg(upriv->dev,
0847                    "Patching card_variant byte at 0x%04X\n",
0848                    variant_offset);
0849             fw_buffer[variant_offset - addr] = FW_VAR_VALUE;
0850         }
0851         retval = usb_control_msg(upriv->udev,
0852                      usb_sndctrlpipe(upriv->udev, 0),
0853                      EZUSB_REQUEST_FW_TRANS,
0854                      USB_TYPE_VENDOR | USB_RECIP_DEVICE
0855                      | USB_DIR_OUT,
0856                      addr, 0x0,
0857                      fw_buffer, FW_BUF_SIZE,
0858                      DEF_TIMEOUT);
0859
0860         if (retval < 0)
0861             goto fail;
0862     }
0863     retval = ezusb_8051_cpucs(upriv, 0);
0864     if (retval < 0)
0865         goto fail;
0866
0867     goto exit;
0868  fail:
0869     printk(KERN_ERR PFX "Firmware download failed, error %d\n",
0870            retval);
0871  exit:
0872     kfree(fw_buffer);
0873     return retval;
0874 }
0875
0876 static int ezusb_access_ltv(struct ezusb_priv *upriv,
0877                 struct request_context *ctx,
0878                 u16 length, const void *data, u16 frame_type,
0879                 void *ans_buff, unsigned ans_size, u16 *ans_length,
0880                 ezusb_ctx_wait ezusb_ctx_wait_func)
0881 {
0882     int req_size;
0883     int retval = 0;
0884     enum ezusb_state state;
0885
0886     if (!upriv->udev) {
0887         retval = -ENODEV;
0888         goto exit;
0889     }
0890
0891     if (upriv->read_urb->status != -EINPROGRESS)
0892         err("%s: in urb not pending", __func__);
0893
0894     /* protect upriv->reply_count, guarantee sequential numbers */
0895     spin_lock_bh(&upriv->reply_count_lock);
0896     req_size = ezusb_fill_req(ctx->buf, length, ctx->out_rid, data,
0897                   frame_type, upriv->reply_count);
0898     usb_fill_bulk_urb(ctx->outurb, upriv->udev, upriv->write_pipe,
0899               ctx->buf, req_size,
0900               ezusb_request_out_callback, ctx);
0901
0902     if (ctx->in_rid)
0903         upriv->reply_count = ezusb_reply_inc(upriv->reply_count);
0904
0905     ezusb_req_enqueue_run(upriv, ctx);
0906
0907     spin_unlock_bh(&upriv->reply_count_lock);
0908
0909     if (ctx->in_rid)
0910         ezusb_ctx_wait_func(upriv, ctx);
0911
0912     state = ctx->state;
0913     switch (state) {
0914     case EZUSB_CTX_COMPLETE:
0915         retval = ctx->outurb->status;
0916         break;
0917
0918     case EZUSB_CTX_QUEUED:
0919     case EZUSB_CTX_REQ_SUBMITTED:
0920         if (!ctx->in_rid)
0921             break;
0922         fallthrough;
0923     default:
0924         err("%s: Unexpected context state %d", __func__,
0925             state);
0926         fallthrough;
0927     case EZUSB_CTX_REQ_TIMEOUT:
0928     case EZUSB_CTX_REQ_FAILED:
0929     case EZUSB_CTX_RESP_TIMEOUT:
0930     case EZUSB_CTX_REQSUBMIT_FAIL:
0931         printk(KERN_ERR PFX "Access failed, resetting (state %d,"
0932                " reply_count %d)\n", state, upriv->reply_count);
0933         upriv->reply_count = 0;
0934         if (state == EZUSB_CTX_REQ_TIMEOUT
0935             || state == EZUSB_CTX_RESP_TIMEOUT) {
0936             printk(KERN_ERR PFX "ctx timed out\n");
0937             retval = -ETIMEDOUT;
0938         } else {
0939             printk(KERN_ERR PFX "ctx failed\n");
0940             retval = -EFAULT;
0941         }
0942         goto exit;
0943     }
0944     if (ctx->in_rid) {
0945         struct ezusb_packet *ans = ctx->buf;
0946         unsigned exp_len;
0947
0948         if (ans->hermes_len != 0)
0949             exp_len = le16_to_cpu(ans->hermes_len) * 2 + 12;
0950         else
0951             exp_len = 14;
0952
0953         if (exp_len != ctx->buf_length) {
0954             err("%s: length mismatch for RID 0x%04x: "
0955                 "expected %d, got %d", __func__,
0956                 ctx->in_rid, exp_len, ctx->buf_length);
0957             retval = -EIO;
0958             goto exit;
0959         }
0960
0961         if (ans_buff)
0962             memcpy(ans_buff, ans->data, min(exp_len, ans_size));
0963         if (ans_length)
0964             *ans_length = le16_to_cpu(ans->hermes_len);
0965     }
0966  exit:
0967     ezusb_request_context_put(ctx);
0968     return retval;
0969 }
0970
0971 static int __ezusb_write_ltv(struct hermes *hw, int bap, u16 rid,
0972                u16 length, const void *data,
0973                ezusb_ctx_wait ezusb_ctx_wait_func)
0974 {
0975     struct ezusb_priv *upriv = hw->priv;
0976     u16 frame_type;
0977     struct request_context *ctx;
0978
0979     if (length == 0)
0980         return -EINVAL;
0981
0982     length = HERMES_RECLEN_TO_BYTES(length);
0983
0984     /* On memory mapped devices HERMES_RID_CNFGROUPADDRESSES can be
0985      * set to be empty, but the USB bridge doesn't like it */
0986     if (length == 0)
0987         return 0;
0988
0989     ctx = ezusb_alloc_ctx(upriv, rid, EZUSB_RID_ACK);
0990     if (!ctx)
0991         return -ENOMEM;
0992
0993     if (rid == EZUSB_RID_TX)
0994         frame_type = EZUSB_FRAME_DATA;
0995     else
0996         frame_type = EZUSB_FRAME_CONTROL;
0997
0998     return ezusb_access_ltv(upriv, ctx, length, data, frame_type,
0999                 NULL, 0, NULL, ezusb_ctx_wait_func);
1000 }
1001
1002 static int ezusb_write_ltv(struct hermes *hw, int bap, u16 rid,
1003                u16 length, const void *data)
1004 {
1005     return __ezusb_write_ltv(hw, bap, rid, length, data,
1006                  ezusb_req_ctx_wait_poll);
1007 }
1008
1009 static int __ezusb_read_ltv(struct hermes *hw, int bap, u16 rid,
1010                 unsigned bufsize, u16 *length, void *buf,
1011                 ezusb_ctx_wait ezusb_ctx_wait_func)
1012
1013 {
1014     struct ezusb_priv *upriv = hw->priv;
1015     struct request_context *ctx;
1016
1017     if (bufsize % 2)
1018         return -EINVAL;
1019
1020     ctx = ezusb_alloc_ctx(upriv, rid, rid);
1021     if (!ctx)
1022         return -ENOMEM;
1023
1024     return ezusb_access_ltv(upriv, ctx, 0, NULL, EZUSB_FRAME_CONTROL,
1025                 buf, bufsize, length, ezusb_req_ctx_wait_poll);
1026 }
1027
1028 static int ezusb_read_ltv(struct hermes *hw, int bap, u16 rid,
1029                 unsigned bufsize, u16 *length, void *buf)
1030 {
1031     return __ezusb_read_ltv(hw, bap, rid, bufsize, length, buf,
1032                 ezusb_req_ctx_wait_poll);
1033 }
1034
1035 static int ezusb_read_ltv_preempt(struct hermes *hw, int bap, u16 rid,
1036                   unsigned bufsize, u16 *length, void *buf)
1037 {
1038     return __ezusb_read_ltv(hw, bap, rid, bufsize, length, buf,
1039                 ezusb_req_ctx_wait_compl);
1040 }
1041
1042 static int ezusb_doicmd_wait(struct hermes *hw, u16 cmd, u16 parm0, u16 parm1,
1043                  u16 parm2, struct hermes_response *resp)
1044 {
1045     WARN_ON_ONCE(1);
1046     return -EINVAL;
1047 }
1048
1049 static int __ezusb_docmd_wait(struct hermes *hw, u16 cmd, u16 parm0,
1050                 struct hermes_response *resp,
1051                 ezusb_ctx_wait ezusb_ctx_wait_func)
1052 {
1053     struct ezusb_priv *upriv = hw->priv;
1054     struct request_context *ctx;
1055
1056     __le16 data[4] = {
1057         cpu_to_le16(cmd),
1058         cpu_to_le16(parm0),
1059         0,
1060         0,
1061     };
1062     netdev_dbg(upriv->dev, "0x%04X, parm0 0x%04X\n", cmd, parm0);
1063     ctx = ezusb_alloc_ctx(upriv, EZUSB_RID_DOCMD, EZUSB_RID_ACK);
1064     if (!ctx)
1065         return -ENOMEM;
1066
1067     return ezusb_access_ltv(upriv, ctx, sizeof(data), &data,
1068                 EZUSB_FRAME_CONTROL, NULL, 0, NULL,
1069                 ezusb_ctx_wait_func);
1070 }
1071
1072 static int ezusb_docmd_wait(struct hermes *hw, u16 cmd, u16 parm0,
1073                 struct hermes_response *resp)
1074 {
1075     return __ezusb_docmd_wait(hw, cmd, parm0, resp, ezusb_req_ctx_wait_poll);
1076 }
1077
1078 static int ezusb_bap_pread(struct hermes *hw, int bap,
1079                void *buf, int len, u16 id, u16 offset)
1080 {
1081     struct ezusb_priv *upriv = hw->priv;
1082     struct ezusb_packet *ans = (void *) upriv->read_urb->transfer_buffer;
1083     int actual_length = upriv->read_urb->actual_length;
1084
1085     if (id == EZUSB_RID_RX) {
1086         if ((sizeof(*ans) + offset + len) > actual_length) {
1087             printk(KERN_ERR PFX "BAP read beyond buffer end "
1088                    "in rx frame\n");
1089             return -EINVAL;
1090         }
1091         memcpy(buf, ans->data + offset, len);
1092         return 0;
1093     }
1094
1095     if (EZUSB_IS_INFO(id)) {
1096         /* Include 4 bytes for length/type */
1097         if ((sizeof(*ans) + offset + len - 4) > actual_length) {
1098             printk(KERN_ERR PFX "BAP read beyond buffer end "
1099                    "in info frame\n");
1100             return -EFAULT;
1101         }
1102         memcpy(buf, ans->data + offset - 4, len);
1103     } else {
1104         printk(KERN_ERR PFX "Unexpected fid 0x%04x\n", id);
1105         return -EINVAL;
1106     }
1107
1108     return 0;
1109 }
1110
1111 static int ezusb_read_pda(struct hermes *hw, __le16 *pda,
1112               u32 pda_addr, u16 pda_len)
1113 {
1114     struct ezusb_priv *upriv = hw->priv;
1115     struct request_context *ctx;
1116     __le16 data[] = {
1117         cpu_to_le16(pda_addr & 0xffff),
1118         cpu_to_le16(pda_len - 4)
1119     };
1120     ctx = ezusb_alloc_ctx(upriv, EZUSB_RID_READ_PDA, EZUSB_RID_READ_PDA);
1121     if (!ctx)
1122         return -ENOMEM;
1123
1124     /* wl_lkm does not include PDA size in the PDA area.
1125      * We will pad the information into pda, so other routines
1126      * don't have to be modified */
1127     pda[0] = cpu_to_le16(pda_len - 2);
1128     /* Includes CFG_PROD_DATA but not itself */
1129     pda[1] = cpu_to_le16(0x0800); /* CFG_PROD_DATA */
1130
1131     return ezusb_access_ltv(upriv, ctx, sizeof(data), &data,
1132                 EZUSB_FRAME_CONTROL, &pda[2], pda_len - 4,
1133                 NULL, ezusb_req_ctx_wait_compl);
1134 }
1135
1136 static int ezusb_program_init(struct hermes *hw, u32 entry_point)
1137 {
1138     struct ezusb_priv *upriv = hw->priv;
1139     struct request_context *ctx;
1140     __le32 data = cpu_to_le32(entry_point);
1141
1142     ctx = ezusb_alloc_ctx(upriv, EZUSB_RID_PROG_INIT, EZUSB_RID_ACK);
1143     if (!ctx)
1144         return -ENOMEM;
1145
1146     return ezusb_access_ltv(upriv, ctx, sizeof(data), &data,
1147                 EZUSB_FRAME_CONTROL, NULL, 0, NULL,
1148                 ezusb_req_ctx_wait_compl);
1149 }
1150
1151 static int ezusb_program_end(struct hermes *hw)
1152 {
1153     struct ezusb_priv *upriv = hw->priv;
1154     struct request_context *ctx;
1155
1156     ctx = ezusb_alloc_ctx(upriv, EZUSB_RID_PROG_END, EZUSB_RID_ACK);
1157     if (!ctx)
1158         return -ENOMEM;
1159
1160     return ezusb_access_ltv(upriv, ctx, 0, NULL,
1161                 EZUSB_FRAME_CONTROL, NULL, 0, NULL,
1162                 ezusb_req_ctx_wait_compl);
1163 }
1164
1165 static int ezusb_program_bytes(struct hermes *hw, const char *buf,
1166                    u32 addr, u32 len)
1167 {
1168     struct ezusb_priv *upriv = hw->priv;
1169     struct request_context *ctx;
1170     __le32 data = cpu_to_le32(addr);
1171     int err;
1172
1173     ctx = ezusb_alloc_ctx(upriv, EZUSB_RID_PROG_SET_ADDR, EZUSB_RID_ACK);
1174     if (!ctx)
1175         return -ENOMEM;
1176
1177     err = ezusb_access_ltv(upriv, ctx, sizeof(data), &data,
1178                    EZUSB_FRAME_CONTROL, NULL, 0, NULL,
1179                    ezusb_req_ctx_wait_compl);
1180     if (err)
1181         return err;
1182
1183     ctx = ezusb_alloc_ctx(upriv, EZUSB_RID_PROG_BYTES, EZUSB_RID_ACK);
1184     if (!ctx)
1185         return -ENOMEM;
1186
1187     return ezusb_access_ltv(upriv, ctx, len, buf,
1188                 EZUSB_FRAME_CONTROL, NULL, 0, NULL,
1189                 ezusb_req_ctx_wait_compl);
1190 }
1191
1192 static int ezusb_program(struct hermes *hw, const char *buf,
1193              u32 addr, u32 len)
1194 {
1195     u32 ch_addr;
1196     u32 ch_len;
1197     int err = 0;
1198
1199     /* We can only send 2048 bytes out of the bulk xmit at a time,
1200      * so we have to split any programming into chunks of <2048
1201      * bytes. */
1202
1203     ch_len = (len < MAX_DL_SIZE) ? len : MAX_DL_SIZE;
1204     ch_addr = addr;
1205
1206     while (ch_addr < (addr + len)) {
1207         pr_debug("Programming subblock of length %d "
1208              "to address 0x%08x. Data @ %p\n",
1209              ch_len, ch_addr, &buf[ch_addr - addr]);
1210
1211         err = ezusb_program_bytes(hw, &buf[ch_addr - addr],
1212                       ch_addr, ch_len);
1213         if (err)
1214             break;
1215
1216         ch_addr += ch_len;
1217         ch_len = ((addr + len - ch_addr) < MAX_DL_SIZE) ?
1218             (addr + len - ch_addr) : MAX_DL_SIZE;
1219     }
1220
1221     return err;
1222 }
1223
1224 static netdev_tx_t ezusb_xmit(struct sk_buff *skb, struct net_device *dev)
1225 {
1226     struct orinoco_private *priv = ndev_priv(dev);
1227     struct net_device_stats *stats = &dev->stats;
1228     struct ezusb_priv *upriv = priv->card;
1229     u8 mic[MICHAEL_MIC_LEN + 1];
1230     int err = 0;
1231     int tx_control;
1232     unsigned long flags;
1233     struct request_context *ctx;
1234     u8 *buf;
1235     int tx_size;
1236
1237     if (!netif_running(dev)) {
1238         printk(KERN_ERR "%s: Tx on stopped device!\n",
1239                dev->name);
1240         return NETDEV_TX_BUSY;
1241     }
1242
1243     if (netif_queue_stopped(dev)) {
1244         printk(KERN_DEBUG "%s: Tx while transmitter busy!\n",
1245                dev->name);
1246         return NETDEV_TX_BUSY;
1247     }
1248
1249     if (orinoco_lock(priv, &flags) != 0) {
1250         printk(KERN_ERR
1251                "%s: ezusb_xmit() called while hw_unavailable\n",
1252                dev->name);
1253         return NETDEV_TX_BUSY;
1254     }
1255
1256     if (!netif_carrier_ok(dev) ||
1257         (priv->iw_mode == NL80211_IFTYPE_MONITOR)) {
1258         /* Oops, the firmware hasn't established a connection,
1259            silently drop the packet (this seems to be the
1260            safest approach). */
1261         goto drop;
1262     }
1263
1264     /* Check packet length */
1265     if (skb->len < ETH_HLEN)
1266         goto drop;
1267
1268     tx_control = 0;
1269
1270     err = orinoco_process_xmit_skb(skb, dev, priv, &tx_control,
1271                        &mic[0]);
1272     if (err)
1273         goto drop;
1274
1275     ctx = ezusb_alloc_ctx(upriv, EZUSB_RID_TX, 0);
1276     if (!ctx)
1277         goto drop;
1278
1279     memset(ctx->buf, 0, BULK_BUF_SIZE);
1280     buf = ctx->buf->data;
1281
1282     {
1283         __le16 *tx_cntl = (__le16 *)buf;
1284         *tx_cntl = cpu_to_le16(tx_control);
1285         buf += sizeof(*tx_cntl);
1286     }
1287
1288     memcpy(buf, skb->data, skb->len);
1289     buf += skb->len;
1290
1291     if (tx_control & HERMES_TXCTRL_MIC) {
1292         u8 *m = mic;
1293         /* Mic has been offset so it can be copied to an even
1294          * address. We're copying eveything anyway, so we
1295          * don't need to copy that first byte. */
1296         if (skb->len % 2)
1297             m++;
1298         memcpy(buf, m, MICHAEL_MIC_LEN);
1299         buf += MICHAEL_MIC_LEN;
1300     }
1301
1302     /* Finally, we actually initiate the send */
1303     netif_stop_queue(dev);
1304
1305     /* The card may behave better if we send evenly sized usb transfers */
1306     tx_size = ALIGN(buf - ctx->buf->data, 2);
1307
1308     err = ezusb_access_ltv(upriv, ctx, tx_size, NULL,
1309                    EZUSB_FRAME_DATA, NULL, 0, NULL,
1310                    ezusb_req_ctx_wait_skip);
1311
1312     if (err) {
1313         netif_start_queue(dev);
1314         if (net_ratelimit())
1315             printk(KERN_ERR "%s: Error %d transmitting packet\n",
1316                 dev->name, err);
1317         goto busy;
1318     }
1319
1320     netif_trans_update(dev);
1321     stats->tx_bytes += skb->len;
1322     goto ok;
1323
1324  drop:
1325     stats->tx_errors++;
1326     stats->tx_dropped++;
1327
1328  ok:
1329     orinoco_unlock(priv, &flags);
1330     dev_kfree_skb(skb);
1331     return NETDEV_TX_OK;
1332
1333  busy:
1334     orinoco_unlock(priv, &flags);
1335     return NETDEV_TX_BUSY;
1336 }
1337
1338 static int ezusb_allocate(struct hermes *hw, u16 size, u16 *fid)
1339 {
1340     *fid = EZUSB_RID_TX;
1341     return 0;
1342 }
1343
1344
1345 static int ezusb_hard_reset(struct orinoco_private *priv)
1346 {
1347     struct ezusb_priv *upriv = priv->card;
1348     int retval = ezusb_8051_cpucs(upriv, 1);
1349
1350     if (retval < 0) {
1351         err("Failed to reset");
1352         return retval;
1353     }
1354
1355     retval = ezusb_8051_cpucs(upriv, 0);
1356     if (retval < 0) {
1357         err("Failed to unreset");
1358         return retval;
1359     }
1360
1361     netdev_dbg(upriv->dev, "sending control message\n");
1362     retval = usb_control_msg(upriv->udev,
1363                  usb_sndctrlpipe(upriv->udev, 0),
1364                  EZUSB_REQUEST_TRIGGER,
1365                  USB_TYPE_VENDOR | USB_RECIP_DEVICE |
1366                  USB_DIR_OUT, 0x0, 0x0, NULL, 0,
1367                  DEF_TIMEOUT);
1368     if (retval < 0) {
1369         err("EZUSB_REQUEST_TRIGGER failed retval %d", retval);
1370         return retval;
1371     }
1372 #if 0
1373     dbg("Sending EZUSB_REQUEST_TRIG_AC");
1374     retval = usb_control_msg(upriv->udev,
1375                  usb_sndctrlpipe(upriv->udev, 0),
1376                  EZUSB_REQUEST_TRIG_AC,
1377                  USB_TYPE_VENDOR | USB_RECIP_DEVICE |
1378                  USB_DIR_OUT, 0x00FA, 0x0, NULL, 0,
1379                  DEF_TIMEOUT);
1380     if (retval < 0) {
1381         err("EZUSB_REQUEST_TRIG_AC failed retval %d", retval);
1382         return retval;
1383     }
1384 #endif
1385
1386     return 0;
1387 }
1388
1389
1390 static int ezusb_init(struct hermes *hw)
1391 {
1392     struct ezusb_priv *upriv = hw->priv;
1393     int retval;
1394
1395     if (!upriv)
1396         return -EINVAL;
1397
1398     upriv->reply_count = 0;
1399     /* Write the MAGIC number on the simulated registers to keep
1400      * orinoco.c happy */
1401     hermes_write_regn(hw, SWSUPPORT0, HERMES_MAGIC);
1402     hermes_write_regn(hw, RXFID, EZUSB_RID_RX);
1403
1404     usb_kill_urb(upriv->read_urb);
1405     ezusb_submit_in_urb(upriv);
1406
1407     retval = __ezusb_write_ltv(hw, 0, EZUSB_RID_INIT1,
1408                  HERMES_BYTES_TO_RECLEN(2), "\x10\x00",
1409                  ezusb_req_ctx_wait_compl);
1410     if (retval < 0) {
1411         printk(KERN_ERR PFX "EZUSB_RID_INIT1 error %d\n", retval);
1412         return retval;
1413     }
1414
1415     retval = __ezusb_docmd_wait(hw, HERMES_CMD_INIT, 0, NULL,
1416                     ezusb_req_ctx_wait_compl);
1417     if (retval < 0) {
1418         printk(KERN_ERR PFX "HERMES_CMD_INIT error %d\n", retval);
1419         return retval;
1420     }
1421
1422     return 0;
1423 }
1424
1425 static void ezusb_bulk_in_callback(struct urb *urb)
1426 {
1427     struct ezusb_priv *upriv = (struct ezusb_priv *) urb->context;
1428     struct ezusb_packet *ans = urb->transfer_buffer;
1429     u16 crc;
1430     u16 hermes_rid;
1431
1432     if (upriv->udev == NULL)
1433         return;
1434
1435     if (urb->status == -ETIMEDOUT) {
1436         /* When a device gets unplugged we get this every time
1437          * we resubmit, flooding the logs.  Since we don't use
1438          * USB timeouts, it shouldn't happen any other time*/
1439         pr_warn("%s: urb timed out, not resubmitting\n", __func__);
1440         return;
1441     }
1442     if (urb->status == -ECONNABORTED) {
1443         pr_warn("%s: connection abort, resubmitting urb\n",
1444             __func__);
1445         goto resubmit;
1446     }
1447     if ((urb->status == -EILSEQ)
1448         || (urb->status == -ENOENT)
1449         || (urb->status == -ECONNRESET)) {
1450         netdev_dbg(upriv->dev, "status %d, not resubmiting\n",
1451                urb->status);
1452         return;
1453     }
1454     if (urb->status)
1455         netdev_dbg(upriv->dev, "status: %d length: %d\n",
1456                urb->status, urb->actual_length);
1457     if (urb->actual_length < sizeof(*ans)) {
1458         err("%s: short read, ignoring", __func__);
1459         goto resubmit;
1460     }
1461     crc = build_crc(ans);
1462     if (le16_to_cpu(ans->crc) != crc) {
1463         err("CRC error, ignoring packet");
1464         goto resubmit;
1465     }
1466
1467     hermes_rid = le16_to_cpu(ans->hermes_rid);
1468     if ((hermes_rid != EZUSB_RID_RX) && !EZUSB_IS_INFO(hermes_rid)) {
1469         ezusb_request_in_callback(upriv, urb);
1470     } else if (upriv->dev) {
1471         struct net_device *dev = upriv->dev;
1472         struct orinoco_private *priv = ndev_priv(dev);
1473         struct hermes *hw = &priv->hw;
1474
1475         if (hermes_rid == EZUSB_RID_RX) {
1476             __orinoco_ev_rx(dev, hw);
1477         } else {
1478             hermes_write_regn(hw, INFOFID,
1479                       le16_to_cpu(ans->hermes_rid));
1480             __orinoco_ev_info(dev, hw);
1481         }
1482     }
1483
1484  resubmit:
1485     if (upriv->udev)
1486         ezusb_submit_in_urb(upriv);
1487 }
1488
1489 static inline void ezusb_delete(struct ezusb_priv *upriv)
1490 {
1491     struct list_head *item;
1492     struct list_head *tmp_item;
1493     unsigned long flags;
1494
1495     BUG_ON(!upriv);
1496
1497     mutex_lock(&upriv->mtx);
1498
1499     upriv->udev = NULL; /* No timer will be rearmed from here */
1500
1501     usb_kill_urb(upriv->read_urb);
1502
1503     spin_lock_irqsave(&upriv->req_lock, flags);
1504     list_for_each_safe(item, tmp_item, &upriv->req_active) {
1505         struct request_context *ctx;
1506         int err;
1507
1508         ctx = list_entry(item, struct request_context, list);
1509         refcount_inc(&ctx->refcount);
1510
1511         ctx->outurb->transfer_flags |= URB_ASYNC_UNLINK;
1512         err = usb_unlink_urb(ctx->outurb);
1513
1514         spin_unlock_irqrestore(&upriv->req_lock, flags);
1515         if (err == -EINPROGRESS)
1516             wait_for_completion(&ctx->done);
1517
1518         del_timer_sync(&ctx->timer);
1519         /* FIXME: there is an slight chance for the irq handler to
1520          * be running */
1521         if (!list_empty(&ctx->list))
1522             ezusb_ctx_complete(ctx);
1523
1524         ezusb_request_context_put(ctx);
1525         spin_lock_irqsave(&upriv->req_lock, flags);
1526     }
1527     spin_unlock_irqrestore(&upriv->req_lock, flags);
1528
1529     list_for_each_safe(item, tmp_item, &upriv->req_pending)
1530         ezusb_ctx_complete(list_entry(item,
1531                       struct request_context, list));
1532
1533     if (upriv->read_urb && upriv->read_urb->status == -EINPROGRESS)
1534         printk(KERN_ERR PFX "Some URB in progress\n");
1535
1536     mutex_unlock(&upriv->mtx);
1537
1538     if (upriv->read_urb) {
1539         kfree(upriv->read_urb->transfer_buffer);
1540         usb_free_urb(upriv->read_urb);
1541     }
1542     kfree(upriv->bap_buf);
1543     if (upriv->dev) {
1544         struct orinoco_private *priv = ndev_priv(upriv->dev);
1545         orinoco_if_del(priv);
1546         wiphy_unregister(priv_to_wiphy(upriv));
1547         free_orinocodev(priv);
1548     }
1549 }
1550
1551 static void ezusb_lock_irqsave(spinlock_t *lock,
1552                    unsigned long *flags) __acquires(lock)
1553 {
1554     spin_lock_bh(lock);
1555 }
1556
1557 static void ezusb_unlock_irqrestore(spinlock_t *lock,
1558                     unsigned long *flags) __releases(lock)
1559 {
1560     spin_unlock_bh(lock);
1561 }
1562
1563 static void ezusb_lock_irq(spinlock_t *lock) __acquires(lock)
1564 {
1565     spin_lock_bh(lock);
1566 }
1567
1568 static void ezusb_unlock_irq(spinlock_t *lock) __releases(lock)
1569 {
1570     spin_unlock_bh(lock);
1571 }
1572
1573 static const struct hermes_ops ezusb_ops = {
1574     .init = ezusb_init,
1575     .cmd_wait = ezusb_docmd_wait,
1576     .init_cmd_wait = ezusb_doicmd_wait,
1577     .allocate = ezusb_allocate,
1578     .read_ltv = ezusb_read_ltv,
1579     .read_ltv_pr = ezusb_read_ltv_preempt,
1580     .write_ltv = ezusb_write_ltv,
1581     .bap_pread = ezusb_bap_pread,
1582     .read_pda = ezusb_read_pda,
1583     .program_init = ezusb_program_init,
1584     .program_end = ezusb_program_end,
1585     .program = ezusb_program,
1586     .lock_irqsave = ezusb_lock_irqsave,
1587     .unlock_irqrestore = ezusb_unlock_irqrestore,
1588     .lock_irq = ezusb_lock_irq,
1589     .unlock_irq = ezusb_unlock_irq,
1590 };
1591
1592 static const struct net_device_ops ezusb_netdev_ops = {
1593     .ndo_open       = orinoco_open,
1594     .ndo_stop       = orinoco_stop,
1595     .ndo_start_xmit     = ezusb_xmit,
1596     .ndo_set_rx_mode    = orinoco_set_multicast_list,
1597     .ndo_change_mtu     = orinoco_change_mtu,
1598     .ndo_set_mac_address    = eth_mac_addr,
1599     .ndo_validate_addr  = eth_validate_addr,
1600     .ndo_tx_timeout     = orinoco_tx_timeout,
1601 };
1602
1603 static int ezusb_probe(struct usb_interface *interface,
1604                const struct usb_device_id *id)
1605 {
1606     struct usb_device *udev = interface_to_usbdev(interface);
1607     struct orinoco_private *priv;
1608     struct hermes *hw;
1609     struct ezusb_priv *upriv = NULL;
1610     struct usb_interface_descriptor *iface_desc;
1611     struct usb_endpoint_descriptor *ep;
1612     const struct firmware *fw_entry = NULL;
1613     int retval = 0;
1614     int i;
1615
1616     priv = alloc_orinocodev(sizeof(*upriv), &udev->dev,
1617                 ezusb_hard_reset, NULL);
1618     if (!priv) {
1619         err("Couldn't allocate orinocodev");
1620         retval = -ENOMEM;
1621         goto exit;
1622     }
1623
1624     hw = &priv->hw;
1625
1626     upriv = priv->card;
1627
1628     mutex_init(&upriv->mtx);
1629     spin_lock_init(&upriv->reply_count_lock);
1630
1631     spin_lock_init(&upriv->req_lock);
1632     INIT_LIST_HEAD(&upriv->req_pending);
1633     INIT_LIST_HEAD(&upriv->req_active);
1634
1635     upriv->udev = udev;
1636
1637     hw->iobase = (void __force __iomem *) &upriv->hermes_reg_fake;
1638     hw->reg_spacing = HERMES_16BIT_REGSPACING;
1639     hw->priv = upriv;
1640     hw->ops = &ezusb_ops;
1641
1642     /* set up the endpoint information */
1643     /* check out the endpoints */
1644
1645     iface_desc = &interface->cur_altsetting->desc;
1646     for (i = 0; i < iface_desc->bNumEndpoints; ++i) {
1647         ep = &interface->cur_altsetting->endpoint[i].desc;
1648
1649         if (usb_endpoint_is_bulk_in(ep)) {
1650             /* we found a bulk in endpoint */
1651             if (upriv->read_urb != NULL) {
1652                 pr_warn("Found a second bulk in ep, ignored\n");
1653                 continue;
1654             }
1655
1656             upriv->read_urb = usb_alloc_urb(0, GFP_KERNEL);
1657             if (!upriv->read_urb)
1658                 goto error;
1659             if (le16_to_cpu(ep->wMaxPacketSize) != 64)
1660                 pr_warn("bulk in: wMaxPacketSize!= 64\n");
1661             if (ep->bEndpointAddress != (2 | USB_DIR_IN))
1662                 pr_warn("bulk in: bEndpointAddress: %d\n",
1663                     ep->bEndpointAddress);
1664             upriv->read_pipe = usb_rcvbulkpipe(udev,
1665                              ep->
1666                              bEndpointAddress);
1667             upriv->read_urb->transfer_buffer =
1668                 kmalloc(BULK_BUF_SIZE, GFP_KERNEL);
1669             if (!upriv->read_urb->transfer_buffer) {
1670                 err("Couldn't allocate IN buffer");
1671                 goto error;
1672             }
1673         }
1674
1675         if (usb_endpoint_is_bulk_out(ep)) {
1676             /* we found a bulk out endpoint */
1677             if (upriv->bap_buf != NULL) {
1678                 pr_warn("Found a second bulk out ep, ignored\n");
1679                 continue;
1680             }
1681
1682             if (le16_to_cpu(ep->wMaxPacketSize) != 64)
1683                 pr_warn("bulk out: wMaxPacketSize != 64\n");
1684             if (ep->bEndpointAddress != 2)
1685                 pr_warn("bulk out: bEndpointAddress: %d\n",
1686                     ep->bEndpointAddress);
1687             upriv->write_pipe = usb_sndbulkpipe(udev,
1688                               ep->
1689                               bEndpointAddress);
1690             upriv->bap_buf = kmalloc(BULK_BUF_SIZE, GFP_KERNEL);
1691             if (!upriv->bap_buf) {
1692                 err("Couldn't allocate bulk_out_buffer");
1693                 goto error;
1694             }
1695         }
1696     }
1697     if (!upriv->bap_buf || !upriv->read_urb) {
1698         err("Didn't find the required bulk endpoints");
1699         goto error;
1700     }
1701
1702     if (request_firmware(&fw_entry, "orinoco_ezusb_fw",
1703                  &interface->dev) == 0) {
1704         firmware.size = fw_entry->size;
1705         firmware.code = fw_entry->data;
1706     }
1707     if (firmware.size && firmware.code) {
1708         if (ezusb_firmware_download(upriv, &firmware) < 0)
1709             goto error;
1710     } else {
1711         err("No firmware to download");
1712         goto error;
1713     }
1714
1715     if (ezusb_hard_reset(priv) < 0) {
1716         err("Cannot reset the device");
1717         goto error;
1718     }
1719
1720     /* If the firmware is already downloaded orinoco.c will call
1721      * ezusb_init but if the firmware is not already there, that will make
1722      * the kernel very unstable, so we try initializing here and quit in
1723      * case of error */
1724     if (ezusb_init(hw) < 0) {
1725         err("Couldn't initialize the device");
1726         err("Firmware may not be downloaded or may be wrong.");
1727         goto error;
1728     }
1729
1730     /* Initialise the main driver */
1731     if (orinoco_init(priv) != 0) {
1732         err("orinoco_init() failed\n");
1733         goto error;
1734     }
1735
1736     if (orinoco_if_add(priv, 0, 0, &ezusb_netdev_ops) != 0) {
1737         upriv->dev = NULL;
1738         err("%s: orinoco_if_add() failed", __func__);
1739         wiphy_unregister(priv_to_wiphy(priv));
1740         goto error;
1741     }
1742     upriv->dev = priv->ndev;
1743
1744     goto exit;
1745
1746  error:
1747     ezusb_delete(upriv);
1748     if (upriv->dev) {
1749         /* upriv->dev was 0, so ezusb_delete() didn't free it */
1750         free_orinocodev(priv);
1751     }
1752     upriv = NULL;
1753     retval = -EFAULT;
1754  exit:
1755     if (fw_entry) {
1756         firmware.code = NULL;
1757         firmware.size = 0;
1758         release_firmware(fw_entry);
1759     }
1760     usb_set_intfdata(interface, upriv);
1761     return retval;
1762 }
1763
1764
1765 static void ezusb_disconnect(struct usb_interface *intf)
1766 {
1767     struct ezusb_priv *upriv = usb_get_intfdata(intf);
1768     usb_set_intfdata(intf, NULL);
1769     ezusb_delete(upriv);
1770     printk(KERN_INFO PFX "Disconnected\n");
1771 }
1772
1773
1774 /* usb specific object needed to register this driver with the usb subsystem */
1775 static struct usb_driver orinoco_driver = {
1776     .name = DRIVER_NAME,
1777     .probe = ezusb_probe,
1778     .disconnect = ezusb_disconnect,
1779     .id_table = ezusb_table,
1780     .disable_hub_initiated_lpm = 1,
1781 };
1782
1783 module_usb_driver(orinoco_driver);
1784
1785 MODULE_AUTHOR("Manuel Estrada Sainz");
1786 MODULE_DESCRIPTION("Driver for Orinoco wireless LAN cards using EZUSB bridge");
1787 MODULE_LICENSE("Dual MPL/GPL");