1 // SPDX-License-Identifier: GPL-2.0-only
2 /*
3  * cistpl.c -- 16-bit PCMCIA Card Information Structure parser
4  *
5  * The initial developer of the original code is David A. Hinds
6  * <dahinds@users.sourceforge.net>.  Portions created by David A. Hinds
7  * are Copyright (C) 1999 David A. Hinds.  All Rights Reserved.
8  *
9  * (C) 1999		David A. Hinds
10  */
11 
12 #include <linux/module.h>
13 #include <linux/moduleparam.h>
14 #include <linux/kernel.h>
15 #include <linux/string.h>
16 #include <linux/major.h>
17 #include <linux/errno.h>
18 #include <linux/timer.h>
19 #include <linux/slab.h>
20 #include <linux/mm.h>
21 #include <linux/pci.h>
22 #include <linux/ioport.h>
23 #include <linux/io.h>
24 #include <linux/security.h>
25 #include <asm/byteorder.h>
26 #include <linux/unaligned.h>
27 
28 #include <pcmcia/ss.h>
29 #include <pcmcia/cisreg.h>
30 #include <pcmcia/cistpl.h>
31 #include <pcmcia/ds.h>
32 #include "cs_internal.h"
33 
34 static const u_char mantissa[] = {
35     10, 12, 13, 15, 20, 25, 30, 35,
36     40, 45, 50, 55, 60, 70, 80, 90
37 };
38 
39 static const u_int exponent[] = {
40     1, 10, 100, 1000, 10000, 100000, 1000000, 10000000
41 };
42 
43 /* Convert an extended speed byte to a time in nanoseconds */
44 #define SPEED_CVT(v) \
45     (mantissa[(((v)>>3)&15)-1] * exponent[(v)&7] / 10)
46 /* Convert a power byte to a current in 0.1 microamps */
47 #define POWER_CVT(v) \
48     (mantissa[((v)>>3)&15] * exponent[(v)&7] / 10)
49 #define POWER_SCALE(v)		(exponent[(v)&7])
50 
51 /* Upper limit on reasonable # of tuples */
52 #define MAX_TUPLES		200
53 
54 /* Bits in IRQInfo1 field */
55 #define IRQ_INFO2_VALID		0x10
56 
57 /* 16-bit CIS? */
58 static int cis_width;
59 module_param(cis_width, int, 0444);
60 
release_cis_mem(struct pcmcia_socket * s)61 void release_cis_mem(struct pcmcia_socket *s)
62 {
63 	mutex_lock(&s->ops_mutex);
64 	if (s->cis_mem.flags & MAP_ACTIVE) {
65 		s->cis_mem.flags &= ~MAP_ACTIVE;
66 		s->ops->set_mem_map(s, &s->cis_mem);
67 		if (s->cis_mem.res) {
68 			release_resource(s->cis_mem.res);
69 			kfree(s->cis_mem.res);
70 			s->cis_mem.res = NULL;
71 		}
72 		iounmap(s->cis_virt);
73 		s->cis_virt = NULL;
74 	}
75 	mutex_unlock(&s->ops_mutex);
76 }
77 
78 /*
79  * set_cis_map() - map the card memory at "card_offset" into virtual space.
80  *
81  * If flags & MAP_ATTRIB, map the attribute space, otherwise
82  * map the memory space.
83  *
84  * Must be called with ops_mutex held.
85  */
set_cis_map(struct pcmcia_socket * s,unsigned int card_offset,unsigned int flags)86 static void __iomem *set_cis_map(struct pcmcia_socket *s,
87 				unsigned int card_offset, unsigned int flags)
88 {
89 	pccard_mem_map *mem = &s->cis_mem;
90 	int ret;
91 
92 	if (!(s->features & SS_CAP_STATIC_MAP) && (mem->res == NULL)) {
93 		mem->res = pcmcia_find_mem_region(0, s->map_size,
94 						s->map_size, 0, s);
95 		if (mem->res == NULL) {
96 			dev_notice(&s->dev, "cs: unable to map card memory!\n");
97 			return NULL;
98 		}
99 		s->cis_virt = NULL;
100 	}
101 
102 	if (!(s->features & SS_CAP_STATIC_MAP) && (!s->cis_virt))
103 		s->cis_virt = ioremap(mem->res->start, s->map_size);
104 
105 	mem->card_start = card_offset;
106 	mem->flags = flags;
107 
108 	ret = s->ops->set_mem_map(s, mem);
109 	if (ret) {
110 		iounmap(s->cis_virt);
111 		s->cis_virt = NULL;
112 		return NULL;
113 	}
114 
115 	if (s->features & SS_CAP_STATIC_MAP) {
116 		if (s->cis_virt)
117 			iounmap(s->cis_virt);
118 		s->cis_virt = ioremap(mem->static_start, s->map_size);
119 	}
120 
121 	return s->cis_virt;
122 }
123 
124 
125 /* Bits in attr field */
126 #define IS_ATTR		1
127 #define IS_INDIRECT	8
128 
129 /*
130  * pcmcia_read_cis_mem() - low-level function to read CIS memory
131  *
132  * must be called with ops_mutex held
133  */
pcmcia_read_cis_mem(struct pcmcia_socket * s,int attr,u_int addr,u_int len,void * ptr)134 int pcmcia_read_cis_mem(struct pcmcia_socket *s, int attr, u_int addr,
135 		 u_int len, void *ptr)
136 {
137 	void __iomem *sys, *end;
138 	unsigned char *buf = ptr;
139 
140 	dev_dbg(&s->dev, "pcmcia_read_cis_mem(%d, %#x, %u)\n", attr, addr, len);
141 
142 	if (attr & IS_INDIRECT) {
143 		/* Indirect accesses use a bunch of special registers at fixed
144 		   locations in common memory */
145 		u_char flags = ICTRL0_COMMON|ICTRL0_AUTOINC|ICTRL0_BYTEGRAN;
146 		if (attr & IS_ATTR) {
147 			addr *= 2;
148 			flags = ICTRL0_AUTOINC;
149 		}
150 
151 		sys = set_cis_map(s, 0, MAP_ACTIVE |
152 				((cis_width) ? MAP_16BIT : 0));
153 		if (!sys) {
154 			dev_dbg(&s->dev, "could not map memory\n");
155 			memset(ptr, 0xff, len);
156 			return -1;
157 		}
158 
159 		writeb(flags, sys+CISREG_ICTRL0);
160 		writeb(addr & 0xff, sys+CISREG_IADDR0);
161 		writeb((addr>>8) & 0xff, sys+CISREG_IADDR1);
162 		writeb((addr>>16) & 0xff, sys+CISREG_IADDR2);
163 		writeb((addr>>24) & 0xff, sys+CISREG_IADDR3);
164 		for ( ; len > 0; len--, buf++)
165 			*buf = readb(sys+CISREG_IDATA0);
166 	} else {
167 		u_int inc = 1, card_offset, flags;
168 
169 		if (addr > CISTPL_MAX_CIS_SIZE) {
170 			dev_dbg(&s->dev,
171 				"attempt to read CIS mem at addr %#x", addr);
172 			memset(ptr, 0xff, len);
173 			return -1;
174 		}
175 
176 		flags = MAP_ACTIVE | ((cis_width) ? MAP_16BIT : 0);
177 		if (attr) {
178 			flags |= MAP_ATTRIB;
179 			inc++;
180 			addr *= 2;
181 		}
182 
183 		card_offset = addr & ~(s->map_size-1);
184 		while (len) {
185 			sys = set_cis_map(s, card_offset, flags);
186 			if (!sys) {
187 				dev_dbg(&s->dev, "could not map memory\n");
188 				memset(ptr, 0xff, len);
189 				return -1;
190 			}
191 			end = sys + s->map_size;
192 			sys = sys + (addr & (s->map_size-1));
193 			for ( ; len > 0; len--, buf++, sys += inc) {
194 				if (sys == end)
195 					break;
196 				*buf = readb(sys);
197 			}
198 			card_offset += s->map_size;
199 			addr = 0;
200 		}
201 	}
202 	dev_dbg(&s->dev, "  %#2.2x %#2.2x %#2.2x %#2.2x ...\n",
203 		*(u_char *)(ptr+0), *(u_char *)(ptr+1),
204 		*(u_char *)(ptr+2), *(u_char *)(ptr+3));
205 	return 0;
206 }
207 
208 
209 /*
210  * pcmcia_write_cis_mem() - low-level function to write CIS memory
211  *
212  * Probably only useful for writing one-byte registers. Must be called
213  * with ops_mutex held.
214  */
pcmcia_write_cis_mem(struct pcmcia_socket * s,int attr,u_int addr,u_int len,void * ptr)215 int pcmcia_write_cis_mem(struct pcmcia_socket *s, int attr, u_int addr,
216 		   u_int len, void *ptr)
217 {
218 	void __iomem *sys, *end;
219 	unsigned char *buf = ptr;
220 
221 	dev_dbg(&s->dev,
222 		"pcmcia_write_cis_mem(%d, %#x, %u)\n", attr, addr, len);
223 
224 	if (attr & IS_INDIRECT) {
225 		/* Indirect accesses use a bunch of special registers at fixed
226 		   locations in common memory */
227 		u_char flags = ICTRL0_COMMON|ICTRL0_AUTOINC|ICTRL0_BYTEGRAN;
228 		if (attr & IS_ATTR) {
229 			addr *= 2;
230 			flags = ICTRL0_AUTOINC;
231 		}
232 
233 		sys = set_cis_map(s, 0, MAP_ACTIVE |
234 				((cis_width) ? MAP_16BIT : 0));
235 		if (!sys) {
236 			dev_dbg(&s->dev, "could not map memory\n");
237 			return -EINVAL;
238 		}
239 
240 		writeb(flags, sys+CISREG_ICTRL0);
241 		writeb(addr & 0xff, sys+CISREG_IADDR0);
242 		writeb((addr>>8) & 0xff, sys+CISREG_IADDR1);
243 		writeb((addr>>16) & 0xff, sys+CISREG_IADDR2);
244 		writeb((addr>>24) & 0xff, sys+CISREG_IADDR3);
245 		for ( ; len > 0; len--, buf++)
246 			writeb(*buf, sys+CISREG_IDATA0);
247 	} else {
248 		u_int inc = 1, card_offset, flags;
249 
250 		flags = MAP_ACTIVE | ((cis_width) ? MAP_16BIT : 0);
251 		if (attr & IS_ATTR) {
252 			flags |= MAP_ATTRIB;
253 			inc++;
254 			addr *= 2;
255 		}
256 
257 		card_offset = addr & ~(s->map_size-1);
258 		while (len) {
259 			sys = set_cis_map(s, card_offset, flags);
260 			if (!sys) {
261 				dev_dbg(&s->dev, "could not map memory\n");
262 				return -EINVAL;
263 			}
264 
265 			end = sys + s->map_size;
266 			sys = sys + (addr & (s->map_size-1));
267 			for ( ; len > 0; len--, buf++, sys += inc) {
268 				if (sys == end)
269 					break;
270 				writeb(*buf, sys);
271 			}
272 			card_offset += s->map_size;
273 			addr = 0;
274 		}
275 	}
276 	return 0;
277 }
278 
279 
280 /*
281  * read_cis_cache() - read CIS memory or its associated cache
282  *
283  * This is a wrapper around read_cis_mem, with the same interface,
284  * but which caches information, for cards whose CIS may not be
285  * readable all the time.
286  */
read_cis_cache(struct pcmcia_socket * s,int attr,u_int addr,size_t len,void * ptr)287 static int read_cis_cache(struct pcmcia_socket *s, int attr, u_int addr,
288 			size_t len, void *ptr)
289 {
290 	struct cis_cache_entry *cis;
291 	int ret = 0;
292 
293 	if (s->state & SOCKET_CARDBUS)
294 		return -EINVAL;
295 
296 	mutex_lock(&s->ops_mutex);
297 	if (s->fake_cis) {
298 		if (s->fake_cis_len >= addr+len)
299 			memcpy(ptr, s->fake_cis+addr, len);
300 		else {
301 			memset(ptr, 0xff, len);
302 			ret = -EINVAL;
303 		}
304 		mutex_unlock(&s->ops_mutex);
305 		return ret;
306 	}
307 
308 	list_for_each_entry(cis, &s->cis_cache, node) {
309 		if (cis->addr == addr && cis->len == len && cis->attr == attr) {
310 			memcpy(ptr, cis->cache, len);
311 			mutex_unlock(&s->ops_mutex);
312 			return 0;
313 		}
314 	}
315 
316 	ret = pcmcia_read_cis_mem(s, attr, addr, len, ptr);
317 
318 	if (ret == 0) {
319 		/* Copy data into the cache */
320 		cis = kmalloc(sizeof(struct cis_cache_entry) + len, GFP_KERNEL);
321 		if (cis) {
322 			cis->addr = addr;
323 			cis->len = len;
324 			cis->attr = attr;
325 			memcpy(cis->cache, ptr, len);
326 			list_add(&cis->node, &s->cis_cache);
327 		}
328 	}
329 	mutex_unlock(&s->ops_mutex);
330 
331 	return ret;
332 }
333 
334 static void
remove_cis_cache(struct pcmcia_socket * s,int attr,u_int addr,u_int len)335 remove_cis_cache(struct pcmcia_socket *s, int attr, u_int addr, u_int len)
336 {
337 	struct cis_cache_entry *cis;
338 
339 	mutex_lock(&s->ops_mutex);
340 	list_for_each_entry(cis, &s->cis_cache, node)
341 		if (cis->addr == addr && cis->len == len && cis->attr == attr) {
342 			list_del(&cis->node);
343 			kfree(cis);
344 			break;
345 		}
346 	mutex_unlock(&s->ops_mutex);
347 }
348 
349 /**
350  * destroy_cis_cache() - destroy the CIS cache
351  * @s:		pcmcia_socket for which CIS cache shall be destroyed
352  *
353  * This destroys the CIS cache but keeps any fake CIS alive. Must be
354  * called with ops_mutex held.
355  */
destroy_cis_cache(struct pcmcia_socket * s)356 void destroy_cis_cache(struct pcmcia_socket *s)
357 {
358 	struct list_head *l, *n;
359 	struct cis_cache_entry *cis;
360 
361 	list_for_each_safe(l, n, &s->cis_cache) {
362 		cis = list_entry(l, struct cis_cache_entry, node);
363 		list_del(&cis->node);
364 		kfree(cis);
365 	}
366 }
367 
368 /*
369  * verify_cis_cache() - does the CIS match what is in the CIS cache?
370  */
verify_cis_cache(struct pcmcia_socket * s)371 int verify_cis_cache(struct pcmcia_socket *s)
372 {
373 	struct cis_cache_entry *cis;
374 	char *buf;
375 	int ret;
376 
377 	if (s->state & SOCKET_CARDBUS)
378 		return -EINVAL;
379 
380 	buf = kmalloc(256, GFP_KERNEL);
381 	if (buf == NULL) {
382 		dev_warn(&s->dev, "no memory for verifying CIS\n");
383 		return -ENOMEM;
384 	}
385 	mutex_lock(&s->ops_mutex);
386 	list_for_each_entry(cis, &s->cis_cache, node) {
387 		int len = cis->len;
388 
389 		if (len > 256)
390 			len = 256;
391 
392 		ret = pcmcia_read_cis_mem(s, cis->attr, cis->addr, len, buf);
393 		if (ret || memcmp(buf, cis->cache, len) != 0) {
394 			kfree(buf);
395 			mutex_unlock(&s->ops_mutex);
396 			return -1;
397 		}
398 	}
399 	kfree(buf);
400 	mutex_unlock(&s->ops_mutex);
401 	return 0;
402 }
403 
404 /*
405  * pcmcia_replace_cis() - use a replacement CIS instead of the card's CIS
406  *
407  * For really bad cards, we provide a facility for uploading a
408  * replacement CIS.
409  */
pcmcia_replace_cis(struct pcmcia_socket * s,const u8 * data,const size_t len)410 int pcmcia_replace_cis(struct pcmcia_socket *s,
411 		       const u8 *data, const size_t len)
412 {
413 	if (len > CISTPL_MAX_CIS_SIZE) {
414 		dev_warn(&s->dev, "replacement CIS too big\n");
415 		return -EINVAL;
416 	}
417 	mutex_lock(&s->ops_mutex);
418 	kfree(s->fake_cis);
419 	s->fake_cis = kmalloc(len, GFP_KERNEL);
420 	if (s->fake_cis == NULL) {
421 		dev_warn(&s->dev, "no memory to replace CIS\n");
422 		mutex_unlock(&s->ops_mutex);
423 		return -ENOMEM;
424 	}
425 	s->fake_cis_len = len;
426 	memcpy(s->fake_cis, data, len);
427 	dev_info(&s->dev, "Using replacement CIS\n");
428 	mutex_unlock(&s->ops_mutex);
429 	return 0;
430 }
431 
432 /* The high-level CIS tuple services */
433 
434 struct tuple_flags {
435 	u_int		link_space:4;
436 	u_int		has_link:1;
437 	u_int		mfc_fn:3;
438 	u_int		space:4;
439 };
440 
441 #define LINK_SPACE(f)	(((struct tuple_flags *)(&(f)))->link_space)
442 #define HAS_LINK(f)	(((struct tuple_flags *)(&(f)))->has_link)
443 #define MFC_FN(f)	(((struct tuple_flags *)(&(f)))->mfc_fn)
444 #define SPACE(f)	(((struct tuple_flags *)(&(f)))->space)
445 
pccard_get_first_tuple(struct pcmcia_socket * s,unsigned int function,tuple_t * tuple)446 int pccard_get_first_tuple(struct pcmcia_socket *s, unsigned int function,
447 			tuple_t *tuple)
448 {
449 	if (!s)
450 		return -EINVAL;
451 
452 	if (!(s->state & SOCKET_PRESENT) || (s->state & SOCKET_CARDBUS))
453 		return -ENODEV;
454 	tuple->TupleLink = tuple->Flags = 0;
455 
456 	/* Assume presence of a LONGLINK_C to address 0 */
457 	tuple->CISOffset = tuple->LinkOffset = 0;
458 	SPACE(tuple->Flags) = HAS_LINK(tuple->Flags) = 1;
459 
460 	if ((s->functions > 1) && !(tuple->Attributes & TUPLE_RETURN_COMMON)) {
461 		cisdata_t req = tuple->DesiredTuple;
462 		tuple->DesiredTuple = CISTPL_LONGLINK_MFC;
463 		if (pccard_get_next_tuple(s, function, tuple) == 0) {
464 			tuple->DesiredTuple = CISTPL_LINKTARGET;
465 			if (pccard_get_next_tuple(s, function, tuple) != 0)
466 				return -ENOSPC;
467 		} else
468 			tuple->CISOffset = tuple->TupleLink = 0;
469 		tuple->DesiredTuple = req;
470 	}
471 	return pccard_get_next_tuple(s, function, tuple);
472 }
473 
follow_link(struct pcmcia_socket * s,tuple_t * tuple)474 static int follow_link(struct pcmcia_socket *s, tuple_t *tuple)
475 {
476 	u_char link[5];
477 	u_int ofs;
478 	int ret;
479 
480 	if (MFC_FN(tuple->Flags)) {
481 		/* Get indirect link from the MFC tuple */
482 		ret = read_cis_cache(s, LINK_SPACE(tuple->Flags),
483 				tuple->LinkOffset, 5, link);
484 		if (ret)
485 			return -1;
486 		ofs = get_unaligned_le32(link + 1);
487 		SPACE(tuple->Flags) = (link[0] == CISTPL_MFC_ATTR);
488 		/* Move to the next indirect link */
489 		tuple->LinkOffset += 5;
490 		MFC_FN(tuple->Flags)--;
491 	} else if (HAS_LINK(tuple->Flags)) {
492 		ofs = tuple->LinkOffset;
493 		SPACE(tuple->Flags) = LINK_SPACE(tuple->Flags);
494 		HAS_LINK(tuple->Flags) = 0;
495 	} else
496 		return -1;
497 
498 	if (SPACE(tuple->Flags)) {
499 		/* This is ugly, but a common CIS error is to code the long
500 		   link offset incorrectly, so we check the right spot... */
501 		ret = read_cis_cache(s, SPACE(tuple->Flags), ofs, 5, link);
502 		if (ret)
503 			return -1;
504 		if ((link[0] == CISTPL_LINKTARGET) && (link[1] >= 3) &&
505 			(strncmp(link+2, "CIS", 3) == 0))
506 			return ofs;
507 		remove_cis_cache(s, SPACE(tuple->Flags), ofs, 5);
508 		/* Then, we try the wrong spot... */
509 		ofs = ofs >> 1;
510 	}
511 	ret = read_cis_cache(s, SPACE(tuple->Flags), ofs, 5, link);
512 	if (ret)
513 		return -1;
514 	if ((link[0] == CISTPL_LINKTARGET) && (link[1] >= 3) &&
515 		(strncmp(link+2, "CIS", 3) == 0))
516 		return ofs;
517 	remove_cis_cache(s, SPACE(tuple->Flags), ofs, 5);
518 	return -1;
519 }
520 
pccard_get_next_tuple(struct pcmcia_socket * s,unsigned int function,tuple_t * tuple)521 int pccard_get_next_tuple(struct pcmcia_socket *s, unsigned int function,
522 			tuple_t *tuple)
523 {
524 	u_char link[2], tmp;
525 	int ofs, i, attr;
526 	int ret;
527 
528 	if (!s)
529 		return -EINVAL;
530 	if (!(s->state & SOCKET_PRESENT) || (s->state & SOCKET_CARDBUS))
531 		return -ENODEV;
532 
533 	link[1] = tuple->TupleLink;
534 	ofs = tuple->CISOffset + tuple->TupleLink;
535 	attr = SPACE(tuple->Flags);
536 
537 	for (i = 0; i < MAX_TUPLES; i++) {
538 		if (link[1] == 0xff)
539 			link[0] = CISTPL_END;
540 		else {
541 			ret = read_cis_cache(s, attr, ofs, 2, link);
542 			if (ret)
543 				return -1;
544 			if (link[0] == CISTPL_NULL) {
545 				ofs++;
546 				continue;
547 			}
548 		}
549 
550 		/* End of chain?  Follow long link if possible */
551 		if (link[0] == CISTPL_END) {
552 			ofs = follow_link(s, tuple);
553 			if (ofs < 0)
554 				return -ENOSPC;
555 			attr = SPACE(tuple->Flags);
556 			ret = read_cis_cache(s, attr, ofs, 2, link);
557 			if (ret)
558 				return -1;
559 		}
560 
561 		/* Is this a link tuple?  Make a note of it */
562 		if ((link[0] == CISTPL_LONGLINK_A) ||
563 			(link[0] == CISTPL_LONGLINK_C) ||
564 			(link[0] == CISTPL_LONGLINK_MFC) ||
565 			(link[0] == CISTPL_LINKTARGET) ||
566 			(link[0] == CISTPL_INDIRECT) ||
567 			(link[0] == CISTPL_NO_LINK)) {
568 			switch (link[0]) {
569 			case CISTPL_LONGLINK_A:
570 				HAS_LINK(tuple->Flags) = 1;
571 				LINK_SPACE(tuple->Flags) = attr | IS_ATTR;
572 				ret = read_cis_cache(s, attr, ofs+2, 4,
573 						&tuple->LinkOffset);
574 				if (ret)
575 					return -1;
576 				break;
577 			case CISTPL_LONGLINK_C:
578 				HAS_LINK(tuple->Flags) = 1;
579 				LINK_SPACE(tuple->Flags) = attr & ~IS_ATTR;
580 				ret = read_cis_cache(s, attr, ofs+2, 4,
581 						&tuple->LinkOffset);
582 				if (ret)
583 					return -1;
584 				break;
585 			case CISTPL_INDIRECT:
586 				HAS_LINK(tuple->Flags) = 1;
587 				LINK_SPACE(tuple->Flags) = IS_ATTR |
588 					IS_INDIRECT;
589 				tuple->LinkOffset = 0;
590 				break;
591 			case CISTPL_LONGLINK_MFC:
592 				tuple->LinkOffset = ofs + 3;
593 				LINK_SPACE(tuple->Flags) = attr;
594 				if (function == BIND_FN_ALL) {
595 					/* Follow all the MFC links */
596 					ret = read_cis_cache(s, attr, ofs+2,
597 							1, &tmp);
598 					if (ret)
599 						return -1;
600 					MFC_FN(tuple->Flags) = tmp;
601 				} else {
602 					/* Follow exactly one of the links */
603 					MFC_FN(tuple->Flags) = 1;
604 					tuple->LinkOffset += function * 5;
605 				}
606 				break;
607 			case CISTPL_NO_LINK:
608 				HAS_LINK(tuple->Flags) = 0;
609 				break;
610 			}
611 			if ((tuple->Attributes & TUPLE_RETURN_LINK) &&
612 				(tuple->DesiredTuple == RETURN_FIRST_TUPLE))
613 				break;
614 		} else
615 			if (tuple->DesiredTuple == RETURN_FIRST_TUPLE)
616 				break;
617 
618 		if (link[0] == tuple->DesiredTuple)
619 			break;
620 		ofs += link[1] + 2;
621 	}
622 	if (i == MAX_TUPLES) {
623 		dev_dbg(&s->dev, "cs: overrun in pcmcia_get_next_tuple\n");
624 		return -ENOSPC;
625 	}
626 
627 	tuple->TupleCode = link[0];
628 	tuple->TupleLink = link[1];
629 	tuple->CISOffset = ofs + 2;
630 	return 0;
631 }
632 
pccard_get_tuple_data(struct pcmcia_socket * s,tuple_t * tuple)633 int pccard_get_tuple_data(struct pcmcia_socket *s, tuple_t *tuple)
634 {
635 	u_int len;
636 	int ret;
637 
638 	if (!s)
639 		return -EINVAL;
640 
641 	if (tuple->TupleLink < tuple->TupleOffset)
642 		return -ENOSPC;
643 	len = tuple->TupleLink - tuple->TupleOffset;
644 	tuple->TupleDataLen = tuple->TupleLink;
645 	if (len == 0)
646 		return 0;
647 	ret = read_cis_cache(s, SPACE(tuple->Flags),
648 			tuple->CISOffset + tuple->TupleOffset,
649 			min(len, (u_int) tuple->TupleDataMax),
650 			tuple->TupleData);
651 	if (ret)
652 		return -1;
653 	return 0;
654 }
655 
656 
657 /* Parsing routines for individual tuples */
658 
parse_device(tuple_t * tuple,cistpl_device_t * device)659 static int parse_device(tuple_t *tuple, cistpl_device_t *device)
660 {
661 	int i;
662 	u_char scale;
663 	u_char *p, *q;
664 
665 	p = (u_char *)tuple->TupleData;
666 	q = p + tuple->TupleDataLen;
667 
668 	device->ndev = 0;
669 	for (i = 0; i < CISTPL_MAX_DEVICES; i++) {
670 
671 		if (*p == 0xff)
672 			break;
673 		device->dev[i].type = (*p >> 4);
674 		device->dev[i].wp = (*p & 0x08) ? 1 : 0;
675 		switch (*p & 0x07) {
676 		case 0:
677 			device->dev[i].speed = 0;
678 			break;
679 		case 1:
680 			device->dev[i].speed = 250;
681 			break;
682 		case 2:
683 			device->dev[i].speed = 200;
684 			break;
685 		case 3:
686 			device->dev[i].speed = 150;
687 			break;
688 		case 4:
689 			device->dev[i].speed = 100;
690 			break;
691 		case 7:
692 			if (++p == q)
693 				return -EINVAL;
694 			device->dev[i].speed = SPEED_CVT(*p);
695 			while (*p & 0x80)
696 				if (++p == q)
697 					return -EINVAL;
698 			break;
699 		default:
700 			return -EINVAL;
701 		}
702 
703 		if (++p == q)
704 			return -EINVAL;
705 		if (*p == 0xff)
706 			break;
707 		scale = *p & 7;
708 		if (scale == 7)
709 			return -EINVAL;
710 		device->dev[i].size = ((*p >> 3) + 1) * (512 << (scale*2));
711 		device->ndev++;
712 		if (++p == q)
713 			break;
714 	}
715 
716 	return 0;
717 }
718 
719 
parse_checksum(tuple_t * tuple,cistpl_checksum_t * csum)720 static int parse_checksum(tuple_t *tuple, cistpl_checksum_t *csum)
721 {
722 	u_char *p;
723 	if (tuple->TupleDataLen < 5)
724 		return -EINVAL;
725 	p = (u_char *) tuple->TupleData;
726 	csum->addr = tuple->CISOffset + get_unaligned_le16(p) - 2;
727 	csum->len = get_unaligned_le16(p + 2);
728 	csum->sum = *(p + 4);
729 	return 0;
730 }
731 
732 
parse_longlink(tuple_t * tuple,cistpl_longlink_t * link)733 static int parse_longlink(tuple_t *tuple, cistpl_longlink_t *link)
734 {
735 	if (tuple->TupleDataLen < 4)
736 		return -EINVAL;
737 	link->addr = get_unaligned_le32(tuple->TupleData);
738 	return 0;
739 }
740 
741 
parse_longlink_mfc(tuple_t * tuple,cistpl_longlink_mfc_t * link)742 static int parse_longlink_mfc(tuple_t *tuple, cistpl_longlink_mfc_t *link)
743 {
744 	u_char *p;
745 	int i;
746 
747 	p = (u_char *)tuple->TupleData;
748 
749 	link->nfn = *p; p++;
750 	if (tuple->TupleDataLen <= link->nfn*5)
751 		return -EINVAL;
752 	for (i = 0; i < link->nfn; i++) {
753 		link->fn[i].space = *p; p++;
754 		link->fn[i].addr = get_unaligned_le32(p);
755 		p += 4;
756 	}
757 	return 0;
758 }
759 
760 
parse_strings(u_char * p,u_char * q,int max,char * s,u_char * ofs,u_char * found)761 static int parse_strings(u_char *p, u_char *q, int max,
762 			 char *s, u_char *ofs, u_char *found)
763 {
764 	int i, j, ns;
765 
766 	if (p == q)
767 		return -EINVAL;
768 	ns = 0; j = 0;
769 	for (i = 0; i < max; i++) {
770 		if (*p == 0xff)
771 			break;
772 		ofs[i] = j;
773 		ns++;
774 		for (;;) {
775 			s[j++] = (*p == 0xff) ? '\0' : *p;
776 			if ((*p == '\0') || (*p == 0xff))
777 				break;
778 			if (++p == q)
779 				return -EINVAL;
780 		}
781 		if ((*p == 0xff) || (++p == q))
782 			break;
783 	}
784 	if (found) {
785 		*found = ns;
786 		return 0;
787 	}
788 
789 	return (ns == max) ? 0 : -EINVAL;
790 }
791 
792 
parse_vers_1(tuple_t * tuple,cistpl_vers_1_t * vers_1)793 static int parse_vers_1(tuple_t *tuple, cistpl_vers_1_t *vers_1)
794 {
795 	u_char *p, *q;
796 
797 	p = (u_char *)tuple->TupleData;
798 	q = p + tuple->TupleDataLen;
799 
800 	vers_1->major = *p; p++;
801 	vers_1->minor = *p; p++;
802 	if (p >= q)
803 		return -EINVAL;
804 
805 	return parse_strings(p, q, CISTPL_VERS_1_MAX_PROD_STRINGS,
806 			vers_1->str, vers_1->ofs, &vers_1->ns);
807 }
808 
809 
parse_altstr(tuple_t * tuple,cistpl_altstr_t * altstr)810 static int parse_altstr(tuple_t *tuple, cistpl_altstr_t *altstr)
811 {
812 	u_char *p, *q;
813 
814 	p = (u_char *)tuple->TupleData;
815 	q = p + tuple->TupleDataLen;
816 
817 	return parse_strings(p, q, CISTPL_MAX_ALTSTR_STRINGS,
818 			altstr->str, altstr->ofs, &altstr->ns);
819 }
820 
821 
parse_jedec(tuple_t * tuple,cistpl_jedec_t * jedec)822 static int parse_jedec(tuple_t *tuple, cistpl_jedec_t *jedec)
823 {
824 	u_char *p, *q;
825 	int nid;
826 
827 	p = (u_char *)tuple->TupleData;
828 	q = p + tuple->TupleDataLen;
829 
830 	for (nid = 0; nid < CISTPL_MAX_DEVICES; nid++) {
831 		if (p > q-2)
832 			break;
833 		jedec->id[nid].mfr = p[0];
834 		jedec->id[nid].info = p[1];
835 		p += 2;
836 	}
837 	jedec->nid = nid;
838 	return 0;
839 }
840 
841 
parse_manfid(tuple_t * tuple,cistpl_manfid_t * m)842 static int parse_manfid(tuple_t *tuple, cistpl_manfid_t *m)
843 {
844 	if (tuple->TupleDataLen < 4)
845 		return -EINVAL;
846 	m->manf = get_unaligned_le16(tuple->TupleData);
847 	m->card = get_unaligned_le16(tuple->TupleData + 2);
848 	return 0;
849 }
850 
851 
parse_funcid(tuple_t * tuple,cistpl_funcid_t * f)852 static int parse_funcid(tuple_t *tuple, cistpl_funcid_t *f)
853 {
854 	u_char *p;
855 	if (tuple->TupleDataLen < 2)
856 		return -EINVAL;
857 	p = (u_char *)tuple->TupleData;
858 	f->func = p[0];
859 	f->sysinit = p[1];
860 	return 0;
861 }
862 
863 
parse_funce(tuple_t * tuple,cistpl_funce_t * f)864 static int parse_funce(tuple_t *tuple, cistpl_funce_t *f)
865 {
866 	u_char *p;
867 	int i;
868 	if (tuple->TupleDataLen < 1)
869 		return -EINVAL;
870 	p = (u_char *)tuple->TupleData;
871 	f->type = p[0];
872 	for (i = 1; i < tuple->TupleDataLen; i++)
873 		f->data[i-1] = p[i];
874 	return 0;
875 }
876 
877 
parse_config(tuple_t * tuple,cistpl_config_t * config)878 static int parse_config(tuple_t *tuple, cistpl_config_t *config)
879 {
880 	int rasz, rmsz, i;
881 	u_char *p;
882 
883 	p = (u_char *)tuple->TupleData;
884 	rasz = *p & 0x03;
885 	rmsz = (*p & 0x3c) >> 2;
886 	if (tuple->TupleDataLen < rasz+rmsz+4)
887 		return -EINVAL;
888 	config->last_idx = *(++p);
889 	p++;
890 	config->base = 0;
891 	for (i = 0; i <= rasz; i++)
892 		config->base += p[i] << (8*i);
893 	p += rasz+1;
894 	for (i = 0; i < 4; i++)
895 		config->rmask[i] = 0;
896 	for (i = 0; i <= rmsz; i++)
897 		config->rmask[i>>2] += p[i] << (8*(i%4));
898 	config->subtuples = tuple->TupleDataLen - (rasz+rmsz+4);
899 	return 0;
900 }
901 
902 /* The following routines are all used to parse the nightmarish
903  * config table entries.
904  */
905 
parse_power(u_char * p,u_char * q,cistpl_power_t * pwr)906 static u_char *parse_power(u_char *p, u_char *q, cistpl_power_t *pwr)
907 {
908 	int i;
909 	u_int scale;
910 
911 	if (p == q)
912 		return NULL;
913 	pwr->present = *p;
914 	pwr->flags = 0;
915 	p++;
916 	for (i = 0; i < 7; i++)
917 		if (pwr->present & (1<<i)) {
918 			if (p == q)
919 				return NULL;
920 			pwr->param[i] = POWER_CVT(*p);
921 			scale = POWER_SCALE(*p);
922 			while (*p & 0x80) {
923 				if (++p == q)
924 					return NULL;
925 				if ((*p & 0x7f) < 100)
926 					pwr->param[i] +=
927 						(*p & 0x7f) * scale / 100;
928 				else if (*p == 0x7d)
929 					pwr->flags |= CISTPL_POWER_HIGHZ_OK;
930 				else if (*p == 0x7e)
931 					pwr->param[i] = 0;
932 				else if (*p == 0x7f)
933 					pwr->flags |= CISTPL_POWER_HIGHZ_REQ;
934 				else
935 					return NULL;
936 			}
937 			p++;
938 		}
939 	return p;
940 }
941 
942 
parse_timing(u_char * p,u_char * q,cistpl_timing_t * timing)943 static u_char *parse_timing(u_char *p, u_char *q, cistpl_timing_t *timing)
944 {
945 	u_char scale;
946 
947 	if (p == q)
948 		return NULL;
949 	scale = *p;
950 	if ((scale & 3) != 3) {
951 		if (++p == q)
952 			return NULL;
953 		timing->wait = SPEED_CVT(*p);
954 		timing->waitscale = exponent[scale & 3];
955 	} else
956 		timing->wait = 0;
957 	scale >>= 2;
958 	if ((scale & 7) != 7) {
959 		if (++p == q)
960 			return NULL;
961 		timing->ready = SPEED_CVT(*p);
962 		timing->rdyscale = exponent[scale & 7];
963 	} else
964 		timing->ready = 0;
965 	scale >>= 3;
966 	if (scale != 7) {
967 		if (++p == q)
968 			return NULL;
969 		timing->reserved = SPEED_CVT(*p);
970 		timing->rsvscale = exponent[scale];
971 	} else
972 		timing->reserved = 0;
973 	p++;
974 	return p;
975 }
976 
977 
parse_io(u_char * p,u_char * q,cistpl_io_t * io)978 static u_char *parse_io(u_char *p, u_char *q, cistpl_io_t *io)
979 {
980 	int i, j, bsz, lsz;
981 
982 	if (p == q)
983 		return NULL;
984 	io->flags = *p;
985 
986 	if (!(*p & 0x80)) {
987 		io->nwin = 1;
988 		io->win[0].base = 0;
989 		io->win[0].len = (1 << (io->flags & CISTPL_IO_LINES_MASK));
990 		return p+1;
991 	}
992 
993 	if (++p == q)
994 		return NULL;
995 	io->nwin = (*p & 0x0f) + 1;
996 	bsz = (*p & 0x30) >> 4;
997 	if (bsz == 3)
998 		bsz++;
999 	lsz = (*p & 0xc0) >> 6;
1000 	if (lsz == 3)
1001 		lsz++;
1002 	p++;
1003 
1004 	for (i = 0; i < io->nwin; i++) {
1005 		io->win[i].base = 0;
1006 		io->win[i].len = 1;
1007 		for (j = 0; j < bsz; j++, p++) {
1008 			if (p == q)
1009 				return NULL;
1010 			io->win[i].base += *p << (j*8);
1011 		}
1012 		for (j = 0; j < lsz; j++, p++) {
1013 			if (p == q)
1014 				return NULL;
1015 			io->win[i].len += *p << (j*8);
1016 		}
1017 	}
1018 	return p;
1019 }
1020 
1021 
parse_mem(u_char * p,u_char * q,cistpl_mem_t * mem)1022 static u_char *parse_mem(u_char *p, u_char *q, cistpl_mem_t *mem)
1023 {
1024 	int i, j, asz, lsz, has_ha;
1025 	u_int len, ca, ha;
1026 
1027 	if (p == q)
1028 		return NULL;
1029 
1030 	mem->nwin = (*p & 0x07) + 1;
1031 	lsz = (*p & 0x18) >> 3;
1032 	asz = (*p & 0x60) >> 5;
1033 	has_ha = (*p & 0x80);
1034 	if (++p == q)
1035 		return NULL;
1036 
1037 	for (i = 0; i < mem->nwin; i++) {
1038 		len = ca = ha = 0;
1039 		for (j = 0; j < lsz; j++, p++) {
1040 			if (p == q)
1041 				return NULL;
1042 			len += *p << (j*8);
1043 		}
1044 		for (j = 0; j < asz; j++, p++) {
1045 			if (p == q)
1046 				return NULL;
1047 			ca += *p << (j*8);
1048 		}
1049 		if (has_ha)
1050 			for (j = 0; j < asz; j++, p++) {
1051 				if (p == q)
1052 					return NULL;
1053 				ha += *p << (j*8);
1054 			}
1055 		mem->win[i].len = len << 8;
1056 		mem->win[i].card_addr = ca << 8;
1057 		mem->win[i].host_addr = ha << 8;
1058 	}
1059 	return p;
1060 }
1061 
1062 
parse_irq(u_char * p,u_char * q,cistpl_irq_t * irq)1063 static u_char *parse_irq(u_char *p, u_char *q, cistpl_irq_t *irq)
1064 {
1065 	if (p == q)
1066 		return NULL;
1067 	irq->IRQInfo1 = *p; p++;
1068 	if (irq->IRQInfo1 & IRQ_INFO2_VALID) {
1069 		if (p+2 > q)
1070 			return NULL;
1071 		irq->IRQInfo2 = (p[1]<<8) + p[0];
1072 		p += 2;
1073 	}
1074 	return p;
1075 }
1076 
1077 
parse_cftable_entry(tuple_t * tuple,cistpl_cftable_entry_t * entry)1078 static int parse_cftable_entry(tuple_t *tuple,
1079 			       cistpl_cftable_entry_t *entry)
1080 {
1081 	u_char *p, *q, features;
1082 
1083 	p = tuple->TupleData;
1084 	q = p + tuple->TupleDataLen;
1085 	entry->index = *p & 0x3f;
1086 	entry->flags = 0;
1087 	if (*p & 0x40)
1088 		entry->flags |= CISTPL_CFTABLE_DEFAULT;
1089 	if (*p & 0x80) {
1090 		if (++p == q)
1091 			return -EINVAL;
1092 		if (*p & 0x10)
1093 			entry->flags |= CISTPL_CFTABLE_BVDS;
1094 		if (*p & 0x20)
1095 			entry->flags |= CISTPL_CFTABLE_WP;
1096 		if (*p & 0x40)
1097 			entry->flags |= CISTPL_CFTABLE_RDYBSY;
1098 		if (*p & 0x80)
1099 			entry->flags |= CISTPL_CFTABLE_MWAIT;
1100 		entry->interface = *p & 0x0f;
1101 	} else
1102 		entry->interface = 0;
1103 
1104 	/* Process optional features */
1105 	if (++p == q)
1106 		return -EINVAL;
1107 	features = *p; p++;
1108 
1109 	/* Power options */
1110 	if ((features & 3) > 0) {
1111 		p = parse_power(p, q, &entry->vcc);
1112 		if (p == NULL)
1113 			return -EINVAL;
1114 	} else
1115 		entry->vcc.present = 0;
1116 	if ((features & 3) > 1) {
1117 		p = parse_power(p, q, &entry->vpp1);
1118 		if (p == NULL)
1119 			return -EINVAL;
1120 	} else
1121 		entry->vpp1.present = 0;
1122 	if ((features & 3) > 2) {
1123 		p = parse_power(p, q, &entry->vpp2);
1124 		if (p == NULL)
1125 			return -EINVAL;
1126 	} else
1127 		entry->vpp2.present = 0;
1128 
1129 	/* Timing options */
1130 	if (features & 0x04) {
1131 		p = parse_timing(p, q, &entry->timing);
1132 		if (p == NULL)
1133 			return -EINVAL;
1134 	} else {
1135 		entry->timing.wait = 0;
1136 		entry->timing.ready = 0;
1137 		entry->timing.reserved = 0;
1138 	}
1139 
1140 	/* I/O window options */
1141 	if (features & 0x08) {
1142 		p = parse_io(p, q, &entry->io);
1143 		if (p == NULL)
1144 			return -EINVAL;
1145 	} else
1146 		entry->io.nwin = 0;
1147 
1148 	/* Interrupt options */
1149 	if (features & 0x10) {
1150 		p = parse_irq(p, q, &entry->irq);
1151 		if (p == NULL)
1152 			return -EINVAL;
1153 	} else
1154 		entry->irq.IRQInfo1 = 0;
1155 
1156 	switch (features & 0x60) {
1157 	case 0x00:
1158 		entry->mem.nwin = 0;
1159 		break;
1160 	case 0x20:
1161 		entry->mem.nwin = 1;
1162 		entry->mem.win[0].len = get_unaligned_le16(p) << 8;
1163 		entry->mem.win[0].card_addr = 0;
1164 		entry->mem.win[0].host_addr = 0;
1165 		p += 2;
1166 		if (p > q)
1167 			return -EINVAL;
1168 		break;
1169 	case 0x40:
1170 		entry->mem.nwin = 1;
1171 		entry->mem.win[0].len = get_unaligned_le16(p) << 8;
1172 		entry->mem.win[0].card_addr = get_unaligned_le16(p + 2) << 8;
1173 		entry->mem.win[0].host_addr = 0;
1174 		p += 4;
1175 		if (p > q)
1176 			return -EINVAL;
1177 		break;
1178 	case 0x60:
1179 		p = parse_mem(p, q, &entry->mem);
1180 		if (p == NULL)
1181 			return -EINVAL;
1182 		break;
1183 	}
1184 
1185 	/* Misc features */
1186 	if (features & 0x80) {
1187 		if (p == q)
1188 			return -EINVAL;
1189 		entry->flags |= (*p << 8);
1190 		while (*p & 0x80)
1191 			if (++p == q)
1192 				return -EINVAL;
1193 		p++;
1194 	}
1195 
1196 	entry->subtuples = q-p;
1197 
1198 	return 0;
1199 }
1200 
1201 
parse_device_geo(tuple_t * tuple,cistpl_device_geo_t * geo)1202 static int parse_device_geo(tuple_t *tuple, cistpl_device_geo_t *geo)
1203 {
1204 	u_char *p, *q;
1205 	int n;
1206 
1207 	p = (u_char *)tuple->TupleData;
1208 	q = p + tuple->TupleDataLen;
1209 
1210 	for (n = 0; n < CISTPL_MAX_DEVICES; n++) {
1211 		if (p > q-6)
1212 			break;
1213 		geo->geo[n].buswidth = p[0];
1214 		geo->geo[n].erase_block = 1 << (p[1]-1);
1215 		geo->geo[n].read_block  = 1 << (p[2]-1);
1216 		geo->geo[n].write_block = 1 << (p[3]-1);
1217 		geo->geo[n].partition   = 1 << (p[4]-1);
1218 		geo->geo[n].interleave  = 1 << (p[5]-1);
1219 		p += 6;
1220 	}
1221 	geo->ngeo = n;
1222 	return 0;
1223 }
1224 
1225 
parse_vers_2(tuple_t * tuple,cistpl_vers_2_t * v2)1226 static int parse_vers_2(tuple_t *tuple, cistpl_vers_2_t *v2)
1227 {
1228 	u_char *p, *q;
1229 
1230 	if (tuple->TupleDataLen < 10)
1231 		return -EINVAL;
1232 
1233 	p = tuple->TupleData;
1234 	q = p + tuple->TupleDataLen;
1235 
1236 	v2->vers = p[0];
1237 	v2->comply = p[1];
1238 	v2->dindex = get_unaligned_le16(p + 2);
1239 	v2->vspec8 = p[6];
1240 	v2->vspec9 = p[7];
1241 	v2->nhdr = p[8];
1242 	p += 9;
1243 	return parse_strings(p, q, 2, v2->str, &v2->vendor, NULL);
1244 }
1245 
1246 
parse_org(tuple_t * tuple,cistpl_org_t * org)1247 static int parse_org(tuple_t *tuple, cistpl_org_t *org)
1248 {
1249 	u_char *p, *q;
1250 	int i;
1251 
1252 	p = tuple->TupleData;
1253 	q = p + tuple->TupleDataLen;
1254 	if (p == q)
1255 		return -EINVAL;
1256 	org->data_org = *p;
1257 	if (++p == q)
1258 		return -EINVAL;
1259 	for (i = 0; i < 30; i++) {
1260 		org->desc[i] = *p;
1261 		if (*p == '\0')
1262 			break;
1263 		if (++p == q)
1264 			return -EINVAL;
1265 	}
1266 	return 0;
1267 }
1268 
1269 
parse_format(tuple_t * tuple,cistpl_format_t * fmt)1270 static int parse_format(tuple_t *tuple, cistpl_format_t *fmt)
1271 {
1272 	u_char *p;
1273 
1274 	if (tuple->TupleDataLen < 10)
1275 		return -EINVAL;
1276 
1277 	p = tuple->TupleData;
1278 
1279 	fmt->type = p[0];
1280 	fmt->edc = p[1];
1281 	fmt->offset = get_unaligned_le32(p + 2);
1282 	fmt->length = get_unaligned_le32(p + 6);
1283 
1284 	return 0;
1285 }
1286 
1287 
pcmcia_parse_tuple(tuple_t * tuple,cisparse_t * parse)1288 int pcmcia_parse_tuple(tuple_t *tuple, cisparse_t *parse)
1289 {
1290 	int ret = 0;
1291 
1292 	if (tuple->TupleDataLen > tuple->TupleDataMax)
1293 		return -EINVAL;
1294 	switch (tuple->TupleCode) {
1295 	case CISTPL_DEVICE:
1296 	case CISTPL_DEVICE_A:
1297 		ret = parse_device(tuple, &parse->device);
1298 		break;
1299 	case CISTPL_CHECKSUM:
1300 		ret = parse_checksum(tuple, &parse->checksum);
1301 		break;
1302 	case CISTPL_LONGLINK_A:
1303 	case CISTPL_LONGLINK_C:
1304 		ret = parse_longlink(tuple, &parse->longlink);
1305 		break;
1306 	case CISTPL_LONGLINK_MFC:
1307 		ret = parse_longlink_mfc(tuple, &parse->longlink_mfc);
1308 		break;
1309 	case CISTPL_VERS_1:
1310 		ret = parse_vers_1(tuple, &parse->version_1);
1311 		break;
1312 	case CISTPL_ALTSTR:
1313 		ret = parse_altstr(tuple, &parse->altstr);
1314 		break;
1315 	case CISTPL_JEDEC_A:
1316 	case CISTPL_JEDEC_C:
1317 		ret = parse_jedec(tuple, &parse->jedec);
1318 		break;
1319 	case CISTPL_MANFID:
1320 		ret = parse_manfid(tuple, &parse->manfid);
1321 		break;
1322 	case CISTPL_FUNCID:
1323 		ret = parse_funcid(tuple, &parse->funcid);
1324 		break;
1325 	case CISTPL_FUNCE:
1326 		ret = parse_funce(tuple, &parse->funce);
1327 		break;
1328 	case CISTPL_CONFIG:
1329 		ret = parse_config(tuple, &parse->config);
1330 		break;
1331 	case CISTPL_CFTABLE_ENTRY:
1332 		ret = parse_cftable_entry(tuple, &parse->cftable_entry);
1333 		break;
1334 	case CISTPL_DEVICE_GEO:
1335 	case CISTPL_DEVICE_GEO_A:
1336 		ret = parse_device_geo(tuple, &parse->device_geo);
1337 		break;
1338 	case CISTPL_VERS_2:
1339 		ret = parse_vers_2(tuple, &parse->vers_2);
1340 		break;
1341 	case CISTPL_ORG:
1342 		ret = parse_org(tuple, &parse->org);
1343 		break;
1344 	case CISTPL_FORMAT:
1345 	case CISTPL_FORMAT_A:
1346 		ret = parse_format(tuple, &parse->format);
1347 		break;
1348 	case CISTPL_NO_LINK:
1349 	case CISTPL_LINKTARGET:
1350 		ret = 0;
1351 		break;
1352 	default:
1353 		ret = -EINVAL;
1354 		break;
1355 	}
1356 	if (ret)
1357 		pr_debug("parse_tuple failed %d\n", ret);
1358 	return ret;
1359 }
1360 EXPORT_SYMBOL(pcmcia_parse_tuple);
1361 
1362 
1363 /**
1364  * pccard_validate_cis() - check whether card has a sensible CIS
1365  * @s:		the struct pcmcia_socket we are to check
1366  * @info:	returns the number of tuples in the (valid) CIS, or 0
1367  *
1368  * This tries to determine if a card has a sensible CIS.  In @info, it
1369  * returns the number of tuples in the CIS, or 0 if the CIS looks bad. The
1370  * checks include making sure several critical tuples are present and
1371  * valid; seeing if the total number of tuples is reasonable; and
1372  * looking for tuples that use reserved codes.
1373  *
1374  * The function returns 0 on success.
1375  */
pccard_validate_cis(struct pcmcia_socket * s,unsigned int * info)1376 int pccard_validate_cis(struct pcmcia_socket *s, unsigned int *info)
1377 {
1378 	tuple_t *tuple;
1379 	cisparse_t *p;
1380 	unsigned int count = 0;
1381 	int ret, reserved, dev_ok = 0, ident_ok = 0;
1382 
1383 	if (!s)
1384 		return -EINVAL;
1385 
1386 	if (s->functions || !(s->state & SOCKET_PRESENT)) {
1387 		WARN_ON(1);
1388 		return -EINVAL;
1389 	}
1390 
1391 	/* We do not want to validate the CIS cache... */
1392 	mutex_lock(&s->ops_mutex);
1393 	destroy_cis_cache(s);
1394 	mutex_unlock(&s->ops_mutex);
1395 
1396 	tuple = kmalloc(sizeof(*tuple), GFP_KERNEL);
1397 	if (tuple == NULL) {
1398 		dev_warn(&s->dev, "no memory to validate CIS\n");
1399 		return -ENOMEM;
1400 	}
1401 	p = kmalloc(sizeof(*p), GFP_KERNEL);
1402 	if (p == NULL) {
1403 		kfree(tuple);
1404 		dev_warn(&s->dev, "no memory to validate CIS\n");
1405 		return -ENOMEM;
1406 	}
1407 
1408 	count = reserved = 0;
1409 	tuple->DesiredTuple = RETURN_FIRST_TUPLE;
1410 	tuple->Attributes = TUPLE_RETURN_COMMON;
1411 	ret = pccard_get_first_tuple(s, BIND_FN_ALL, tuple);
1412 	if (ret != 0)
1413 		goto done;
1414 
1415 	/* First tuple should be DEVICE; we should really have either that
1416 	   or a CFTABLE_ENTRY of some sort */
1417 	if ((tuple->TupleCode == CISTPL_DEVICE) ||
1418 	    (!pccard_read_tuple(s, BIND_FN_ALL, CISTPL_CFTABLE_ENTRY, p)) ||
1419 	    (!pccard_read_tuple(s, BIND_FN_ALL, CISTPL_CFTABLE_ENTRY_CB, p)))
1420 		dev_ok++;
1421 
1422 	/* All cards should have a MANFID tuple, and/or a VERS_1 or VERS_2
1423 	   tuple, for card identification.  Certain old D-Link and Linksys
1424 	   cards have only a broken VERS_2 tuple; hence the bogus test. */
1425 	if ((pccard_read_tuple(s, BIND_FN_ALL, CISTPL_MANFID, p) == 0) ||
1426 	    (pccard_read_tuple(s, BIND_FN_ALL, CISTPL_VERS_1, p) == 0) ||
1427 	    (pccard_read_tuple(s, BIND_FN_ALL, CISTPL_VERS_2, p) != -ENOSPC))
1428 		ident_ok++;
1429 
1430 	if (!dev_ok && !ident_ok)
1431 		goto done;
1432 
1433 	for (count = 1; count < MAX_TUPLES; count++) {
1434 		ret = pccard_get_next_tuple(s, BIND_FN_ALL, tuple);
1435 		if (ret != 0)
1436 			break;
1437 		if (((tuple->TupleCode > 0x23) && (tuple->TupleCode < 0x40)) ||
1438 		    ((tuple->TupleCode > 0x47) && (tuple->TupleCode < 0x80)) ||
1439 		    ((tuple->TupleCode > 0x90) && (tuple->TupleCode < 0xff)))
1440 			reserved++;
1441 	}
1442 	if ((count == MAX_TUPLES) || (reserved > 5) ||
1443 		((!dev_ok || !ident_ok) && (count > 10)))
1444 		count = 0;
1445 
1446 	ret = 0;
1447 
1448 done:
1449 	/* invalidate CIS cache on failure */
1450 	if (!dev_ok || !ident_ok || !count) {
1451 		mutex_lock(&s->ops_mutex);
1452 		destroy_cis_cache(s);
1453 		mutex_unlock(&s->ops_mutex);
1454 		/* We differentiate between dev_ok, ident_ok and count
1455 		   failures to allow for an override for anonymous cards
1456 		   in ds.c */
1457 		if (!dev_ok || !ident_ok)
1458 			ret = -EIO;
1459 		else
1460 			ret = -EFAULT;
1461 	}
1462 
1463 	if (info)
1464 		*info = count;
1465 	kfree(tuple);
1466 	kfree(p);
1467 	return ret;
1468 }
1469 
1470 
1471 #define to_socket(_dev) container_of(_dev, struct pcmcia_socket, dev)
1472 
pccard_extract_cis(struct pcmcia_socket * s,char * buf,loff_t off,size_t count)1473 static ssize_t pccard_extract_cis(struct pcmcia_socket *s, char *buf,
1474 				  loff_t off, size_t count)
1475 {
1476 	tuple_t tuple;
1477 	int status, i;
1478 	loff_t pointer = 0;
1479 	ssize_t ret = 0;
1480 	u_char *tuplebuffer;
1481 	u_char *tempbuffer;
1482 
1483 	tuplebuffer = kmalloc_array(256, sizeof(u_char), GFP_KERNEL);
1484 	if (!tuplebuffer)
1485 		return -ENOMEM;
1486 
1487 	tempbuffer = kmalloc_array(258, sizeof(u_char), GFP_KERNEL);
1488 	if (!tempbuffer) {
1489 		ret = -ENOMEM;
1490 		goto free_tuple;
1491 	}
1492 
1493 	memset(&tuple, 0, sizeof(tuple_t));
1494 
1495 	tuple.Attributes = TUPLE_RETURN_LINK | TUPLE_RETURN_COMMON;
1496 	tuple.DesiredTuple = RETURN_FIRST_TUPLE;
1497 	tuple.TupleOffset = 0;
1498 
1499 	status = pccard_get_first_tuple(s, BIND_FN_ALL, &tuple);
1500 	while (!status) {
1501 		tuple.TupleData = tuplebuffer;
1502 		tuple.TupleDataMax = 255;
1503 		memset(tuplebuffer, 0, sizeof(u_char) * 255);
1504 
1505 		status = pccard_get_tuple_data(s, &tuple);
1506 		if (status)
1507 			break;
1508 
1509 		if (off < (pointer + 2 + tuple.TupleDataLen)) {
1510 			tempbuffer[0] = tuple.TupleCode & 0xff;
1511 			tempbuffer[1] = tuple.TupleLink & 0xff;
1512 			for (i = 0; i < tuple.TupleDataLen; i++)
1513 				tempbuffer[i + 2] = tuplebuffer[i] & 0xff;
1514 
1515 			for (i = 0; i < (2 + tuple.TupleDataLen); i++) {
1516 				if (((i + pointer) >= off) &&
1517 				    (i + pointer) < (off + count)) {
1518 					buf[ret] = tempbuffer[i];
1519 					ret++;
1520 				}
1521 			}
1522 		}
1523 
1524 		pointer += 2 + tuple.TupleDataLen;
1525 
1526 		if (pointer >= (off + count))
1527 			break;
1528 
1529 		if (tuple.TupleCode == CISTPL_END)
1530 			break;
1531 		status = pccard_get_next_tuple(s, BIND_FN_ALL, &tuple);
1532 	}
1533 
1534 	kfree(tempbuffer);
1535  free_tuple:
1536 	kfree(tuplebuffer);
1537 
1538 	return ret;
1539 }
1540 
1541 
pccard_show_cis(struct file * filp,struct kobject * kobj,struct bin_attribute * bin_attr,char * buf,loff_t off,size_t count)1542 static ssize_t pccard_show_cis(struct file *filp, struct kobject *kobj,
1543 			       struct bin_attribute *bin_attr,
1544 			       char *buf, loff_t off, size_t count)
1545 {
1546 	unsigned int size = 0x200;
1547 
1548 	if (off >= size)
1549 		count = 0;
1550 	else {
1551 		struct pcmcia_socket *s;
1552 		unsigned int chains = 1;
1553 
1554 		if (off + count > size)
1555 			count = size - off;
1556 
1557 		s = to_socket(kobj_to_dev(kobj));
1558 
1559 		if (!(s->state & SOCKET_PRESENT))
1560 			return -ENODEV;
1561 		if (!s->functions && pccard_validate_cis(s, &chains))
1562 			return -EIO;
1563 		if (!chains)
1564 			return -ENODATA;
1565 
1566 		count = pccard_extract_cis(s, buf, off, count);
1567 	}
1568 
1569 	return count;
1570 }
1571 
1572 
pccard_store_cis(struct file * filp,struct kobject * kobj,struct bin_attribute * bin_attr,char * buf,loff_t off,size_t count)1573 static ssize_t pccard_store_cis(struct file *filp, struct kobject *kobj,
1574 				struct bin_attribute *bin_attr,
1575 				char *buf, loff_t off, size_t count)
1576 {
1577 	struct pcmcia_socket *s;
1578 	int error;
1579 
1580 	error = security_locked_down(LOCKDOWN_PCMCIA_CIS);
1581 	if (error)
1582 		return error;
1583 
1584 	s = to_socket(kobj_to_dev(kobj));
1585 
1586 	if (off)
1587 		return -EINVAL;
1588 
1589 	if (count >= CISTPL_MAX_CIS_SIZE)
1590 		return -EINVAL;
1591 
1592 	if (!(s->state & SOCKET_PRESENT))
1593 		return -ENODEV;
1594 
1595 	error = pcmcia_replace_cis(s, buf, count);
1596 	if (error)
1597 		return -EIO;
1598 
1599 	pcmcia_parse_uevents(s, PCMCIA_UEVENT_REQUERY);
1600 
1601 	return count;
1602 }
1603 
1604 
1605 const struct bin_attribute pccard_cis_attr = {
1606 	.attr = { .name = "cis", .mode = S_IRUGO | S_IWUSR },
1607 	.size = 0x200,
1608 	.read = pccard_show_cis,
1609 	.write = pccard_store_cis,
1610 };
1611