ClabureDB: Classified Bug-Reports Database

Project: Linux Kernel

Showing error 1854

User:	Jiri Slaby
Error type:	Invalid Pointer Dereference
Error type description:	A pointer which is invalid is being dereferenced
File location:	drivers/usb/storage/sddr55.c
Line in file:	901
Project:	Linux Kernel
Project version:	2.6.28
Tools:	Smatch (1.59)
Entered:	2013-09-11 08:47:26 UTC
Source:

  1/* Driver for SanDisk SDDR-55 SmartMedia reader
  2 *
  3 * SDDR55 driver v0.1:
  4 *
  5 * First release
  6 *
  7 * Current development and maintenance by:
  8 *   (c) 2002 Simon Munton
  9 *
 10 * This program is free software; you can redistribute it and/or modify it
 11 * under the terms of the GNU General Public License as published by the
 12 * Free Software Foundation; either version 2, or (at your option) any
 13 * later version.
 14 *
 15 * This program is distributed in the hope that it will be useful, but
 16 * WITHOUT ANY WARRANTY; without even the implied warranty of
 17 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
 18 * General Public License for more details.
 19 *
 20 * You should have received a copy of the GNU General Public License along
 21 * with this program; if not, write to the Free Software Foundation, Inc.,
 22 * 675 Mass Ave, Cambridge, MA 02139, USA.
 23 */
 24
 25#include <linux/jiffies.h>
 26#include <linux/errno.h>
 27#include <linux/slab.h>
 28
 29#include <scsi/scsi.h>
 30#include <scsi/scsi_cmnd.h>
 31
 32#include "usb.h"
 33#include "transport.h"
 34#include "protocol.h"
 35#include "debug.h"
 36#include "sddr55.h"
 37
 38
 39#define short_pack(lsb,msb) ( ((u16)(lsb)) | ( ((u16)(msb))<<8 ) )
 40#define LSB_of(s) ((s)&0xFF)
 41#define MSB_of(s) ((s)>>8)
 42#define PAGESIZE  512
 43
 44#define set_sense_info(sk, asc, ascq)        \
 45    do {                                \
 46        info->sense_data[2] = sk;        \
 47        info->sense_data[12] = asc;        \
 48        info->sense_data[13] = ascq;        \
 49        } while (0)
 50
 51
 52struct sddr55_card_info {
 53        unsigned long        capacity;        /* Size of card in bytes */
 54        int                max_log_blks;        /* maximum number of logical blocks */
 55        int                pageshift;        /* log2 of pagesize */
 56        int                smallpageshift;        /* 1 if pagesize == 256 */
 57        int                blocksize;        /* Size of block in pages */
 58        int                blockshift;        /* log2 of blocksize */
 59        int                blockmask;        /* 2^blockshift - 1 */
 60        int                read_only;        /* non zero if card is write protected */
 61        int                force_read_only;        /* non zero if we find a map error*/
 62        int                *lba_to_pba;        /* logical to physical map */
 63        int                *pba_to_lba;        /* physical to logical map */
 64        int                fatal_error;        /* set if we detect something nasty */
 65        unsigned long         last_access;        /* number of jiffies since we last talked to device */
 66        unsigned char   sense_data[18];
 67};
 68
 69
 70#define NOT_ALLOCATED                0xffffffff
 71#define BAD_BLOCK                0xffff
 72#define CIS_BLOCK                0x400
 73#define UNUSED_BLOCK                0x3ff
 74
 75static int
 76sddr55_bulk_transport(struct us_data *us, int direction,
 77                      unsigned char *data, unsigned int len) {
 78        struct sddr55_card_info *info = (struct sddr55_card_info *)us->extra;
 79        unsigned int pipe = (direction == DMA_FROM_DEVICE) ?
 80                        us->recv_bulk_pipe : us->send_bulk_pipe;
 81
 82        if (!len)
 83                return USB_STOR_XFER_GOOD;
 84        info->last_access = jiffies;
 85        return usb_stor_bulk_transfer_buf(us, pipe, data, len, NULL);
 86}
 87
 88/* check if card inserted, if there is, update read_only status
 89 * return non zero if no card
 90 */
 91
 92static int sddr55_status(struct us_data *us)
 93{
 94        int result;
 95        unsigned char *command = us->iobuf;
 96        unsigned char *status = us->iobuf;
 97        struct sddr55_card_info *info = (struct sddr55_card_info *)us->extra;
 98
 99        /* send command */
100        memset(command, 0, 8);
101        command[5] = 0xB0;
102        command[7] = 0x80;
103        result = sddr55_bulk_transport(us,
104                DMA_TO_DEVICE, command, 8);
105
106        US_DEBUGP("Result for send_command in status %d\n",
107                result);
108
109        if (result != USB_STOR_XFER_GOOD) {
110                set_sense_info (4, 0, 0);        /* hardware error */
111                return USB_STOR_TRANSPORT_ERROR;
112        }
113
114        result = sddr55_bulk_transport(us,
115                DMA_FROM_DEVICE, status,        4);
116
117        /* expect to get short transfer if no card fitted */
118        if (result == USB_STOR_XFER_SHORT || result == USB_STOR_XFER_STALLED) {
119                /* had a short transfer, no card inserted, free map memory */
120                kfree(info->lba_to_pba);
121                kfree(info->pba_to_lba);
122                info->lba_to_pba = NULL;
123                info->pba_to_lba = NULL;
124
125                info->fatal_error = 0;
126                info->force_read_only = 0;
127
128                set_sense_info (2, 0x3a, 0);        /* not ready, medium not present */
129                return USB_STOR_TRANSPORT_FAILED;
130        }
131
132        if (result != USB_STOR_XFER_GOOD) {
133                set_sense_info (4, 0, 0);        /* hardware error */
134                return USB_STOR_TRANSPORT_FAILED;
135        }
136        
137        /* check write protect status */
138        info->read_only = (status[0] & 0x20);
139
140        /* now read status */
141        result = sddr55_bulk_transport(us,
142                DMA_FROM_DEVICE, status,        2);
143
144        if (result != USB_STOR_XFER_GOOD) {
145                set_sense_info (4, 0, 0);        /* hardware error */
146        }
147
148        return (result == USB_STOR_XFER_GOOD ?
149                        USB_STOR_TRANSPORT_GOOD : USB_STOR_TRANSPORT_FAILED);
150}
151
152
153static int sddr55_read_data(struct us_data *us,
154                unsigned int lba,
155                unsigned int page,
156                unsigned short sectors) {
157
158        int result = USB_STOR_TRANSPORT_GOOD;
159        unsigned char *command = us->iobuf;
160        unsigned char *status = us->iobuf;
161        struct sddr55_card_info *info = (struct sddr55_card_info *)us->extra;
162        unsigned char *buffer;
163
164        unsigned int pba;
165        unsigned long address;
166
167        unsigned short pages;
168        unsigned int len, offset;
169        struct scatterlist *sg;
170
171        // Since we only read in one block at a time, we have to create
172        // a bounce buffer and move the data a piece at a time between the
173        // bounce buffer and the actual transfer buffer.
174
175        len = min((unsigned int) sectors, (unsigned int) info->blocksize >>
176                        info->smallpageshift) * PAGESIZE;
177        buffer = kmalloc(len, GFP_NOIO);
178        if (buffer == NULL)
179                return USB_STOR_TRANSPORT_ERROR; /* out of memory */
180        offset = 0;
181        sg = NULL;
182
183        while (sectors>0) {
184
185                /* have we got to end? */
186                if (lba >= info->max_log_blks)
187                        break;
188
189                pba = info->lba_to_pba[lba];
190
191                // Read as many sectors as possible in this block
192
193                pages = min((unsigned int) sectors << info->smallpageshift,
194                                info->blocksize - page);
195                len = pages << info->pageshift;
196
197                US_DEBUGP("Read %02X pages, from PBA %04X"
198                        " (LBA %04X) page %02X\n",
199                        pages, pba, lba, page);
200
201                if (pba == NOT_ALLOCATED) {
202                        /* no pba for this lba, fill with zeroes */
203                        memset (buffer, 0, len);
204                } else {
205
206                        address = (pba << info->blockshift) + page;
207
208                        command[0] = 0;
209                        command[1] = LSB_of(address>>16);
210                        command[2] = LSB_of(address>>8);
211                        command[3] = LSB_of(address);
212
213                        command[4] = 0;
214                        command[5] = 0xB0;
215                        command[6] = LSB_of(pages << (1 - info->smallpageshift));
216                        command[7] = 0x85;
217
218                        /* send command */
219                        result = sddr55_bulk_transport(us,
220                                DMA_TO_DEVICE, command, 8);
221
222                        US_DEBUGP("Result for send_command in read_data %d\n",
223                                result);
224
225                        if (result != USB_STOR_XFER_GOOD) {
226                                result = USB_STOR_TRANSPORT_ERROR;
227                                goto leave;
228                        }
229
230                        /* read data */
231                        result = sddr55_bulk_transport(us,
232                                DMA_FROM_DEVICE, buffer, len);
233
234                        if (result != USB_STOR_XFER_GOOD) {
235                                result = USB_STOR_TRANSPORT_ERROR;
236                                goto leave;
237                        }
238
239                        /* now read status */
240                        result = sddr55_bulk_transport(us,
241                                DMA_FROM_DEVICE, status, 2);
242
243                        if (result != USB_STOR_XFER_GOOD) {
244                                result = USB_STOR_TRANSPORT_ERROR;
245                                goto leave;
246                        }
247
248                        /* check status for error */
249                        if (status[0] == 0xff && status[1] == 0x4) {
250                                set_sense_info (3, 0x11, 0);
251                                result = USB_STOR_TRANSPORT_FAILED;
252                                goto leave;
253                        }
254                }
255
256                // Store the data in the transfer buffer
257                usb_stor_access_xfer_buf(buffer, len, us->srb,
258                                &sg, &offset, TO_XFER_BUF);
259
260                page = 0;
261                lba++;
262                sectors -= pages >> info->smallpageshift;
263        }
264
265        result = USB_STOR_TRANSPORT_GOOD;
266
267leave:
268        kfree(buffer);
269
270        return result;
271}
272
273static int sddr55_write_data(struct us_data *us,
274                unsigned int lba,
275                unsigned int page,
276                unsigned short sectors) {
277
278        int result = USB_STOR_TRANSPORT_GOOD;
279        unsigned char *command = us->iobuf;
280        unsigned char *status = us->iobuf;
281        struct sddr55_card_info *info = (struct sddr55_card_info *)us->extra;
282        unsigned char *buffer;
283
284        unsigned int pba;
285        unsigned int new_pba;
286        unsigned long address;
287
288        unsigned short pages;
289        int i;
290        unsigned int len, offset;
291        struct scatterlist *sg;
292
293        /* check if we are allowed to write */
294        if (info->read_only || info->force_read_only) {
295                set_sense_info (7, 0x27, 0);        /* read only */
296                return USB_STOR_TRANSPORT_FAILED;
297        }
298
299        // Since we only write one block at a time, we have to create
300        // a bounce buffer and move the data a piece at a time between the
301        // bounce buffer and the actual transfer buffer.
302
303        len = min((unsigned int) sectors, (unsigned int) info->blocksize >>
304                        info->smallpageshift) * PAGESIZE;
305        buffer = kmalloc(len, GFP_NOIO);
306        if (buffer == NULL)
307                return USB_STOR_TRANSPORT_ERROR;
308        offset = 0;
309        sg = NULL;
310
311        while (sectors > 0) {
312
313                /* have we got to end? */
314                if (lba >= info->max_log_blks)
315                        break;
316
317                pba = info->lba_to_pba[lba];
318
319                // Write as many sectors as possible in this block
320
321                pages = min((unsigned int) sectors << info->smallpageshift,
322                                info->blocksize - page);
323                len = pages << info->pageshift;
324
325                // Get the data from the transfer buffer
326                usb_stor_access_xfer_buf(buffer, len, us->srb,
327                                &sg, &offset, FROM_XFER_BUF);
328
329                US_DEBUGP("Write %02X pages, to PBA %04X"
330                        " (LBA %04X) page %02X\n",
331                        pages, pba, lba, page);
332                        
333                command[4] = 0;
334
335                if (pba == NOT_ALLOCATED) {
336                        /* no pba allocated for this lba, find a free pba to use */
337
338                        int max_pba = (info->max_log_blks / 250 ) * 256;
339                        int found_count = 0;
340                        int found_pba = -1;
341
342                        /* set pba to first block in zone lba is in */
343                        pba = (lba / 1000) * 1024;
344
345                        US_DEBUGP("No PBA for LBA %04X\n",lba);
346
347                        if (max_pba > 1024)
348                                max_pba = 1024;
349
350                        /*
351                         * Scan through the map looking for an unused block
352                         * leave 16 unused blocks at start (or as many as
353                         * possible) since the sddr55 seems to reuse a used
354                         * block when it shouldn't if we don't leave space.
355                         */
356                        for (i = 0; i < max_pba; i++, pba++) {
357                                if (info->pba_to_lba[pba] == UNUSED_BLOCK) {
358                                        found_pba = pba;
359                                        if (found_count++ > 16)
360                                                break;
361                                }
362                        }
363
364                        pba = found_pba;
365
366                        if (pba == -1) {
367                                /* oh dear */
368                                US_DEBUGP("Couldn't find unallocated block\n");
369
370                                set_sense_info (3, 0x31, 0);        /* medium error */
371                                result = USB_STOR_TRANSPORT_FAILED;
372                                goto leave;
373                        }
374
375                        US_DEBUGP("Allocating PBA %04X for LBA %04X\n", pba, lba);
376
377                        /* set writing to unallocated block flag */
378                        command[4] = 0x40;
379                }
380
381                address = (pba << info->blockshift) + page;
382
383                command[1] = LSB_of(address>>16);
384                command[2] = LSB_of(address>>8); 
385                command[3] = LSB_of(address);
386
387                /* set the lba into the command, modulo 1000 */
388                command[0] = LSB_of(lba % 1000);
389                command[6] = MSB_of(lba % 1000);
390
391                command[4] |= LSB_of(pages >> info->smallpageshift);
392                command[5] = 0xB0;
393                command[7] = 0x86;
394
395                /* send command */
396                result = sddr55_bulk_transport(us,
397                        DMA_TO_DEVICE, command, 8);
398
399                if (result != USB_STOR_XFER_GOOD) {
400                        US_DEBUGP("Result for send_command in write_data %d\n",
401                        result);
402
403                        /* set_sense_info is superfluous here? */
404                        set_sense_info (3, 0x3, 0);/* peripheral write error */
405                        result = USB_STOR_TRANSPORT_FAILED;
406                        goto leave;
407                }
408
409                /* send the data */
410                result = sddr55_bulk_transport(us,
411                        DMA_TO_DEVICE, buffer, len);
412
413                if (result != USB_STOR_XFER_GOOD) {
414                        US_DEBUGP("Result for send_data in write_data %d\n",
415                                  result);
416
417                        /* set_sense_info is superfluous here? */
418                        set_sense_info (3, 0x3, 0);/* peripheral write error */
419                        result = USB_STOR_TRANSPORT_FAILED;
420                        goto leave;
421                }
422
423                /* now read status */
424                result = sddr55_bulk_transport(us, DMA_FROM_DEVICE, status, 6);
425
426                if (result != USB_STOR_XFER_GOOD) {
427                        US_DEBUGP("Result for get_status in write_data %d\n",
428                                  result);
429
430                        /* set_sense_info is superfluous here? */
431                        set_sense_info (3, 0x3, 0);/* peripheral write error */
432                        result = USB_STOR_TRANSPORT_FAILED;
433                        goto leave;
434                }
435
436                new_pba = (status[3] + (status[4] << 8) + (status[5] << 16))
437                                                  >> info->blockshift;
438
439                /* check status for error */
440                if (status[0] == 0xff && status[1] == 0x4) {
441                        info->pba_to_lba[new_pba] = BAD_BLOCK;
442
443                        set_sense_info (3, 0x0c, 0);
444                        result = USB_STOR_TRANSPORT_FAILED;
445                        goto leave;
446                }
447
448                US_DEBUGP("Updating maps for LBA %04X: old PBA %04X, new PBA %04X\n",
449                        lba, pba, new_pba);
450
451                /* update the lba<->pba maps, note new_pba might be the same as pba */
452                info->lba_to_pba[lba] = new_pba;
453                info->pba_to_lba[pba] = UNUSED_BLOCK;
454
455                /* check that new_pba wasn't already being used */
456                if (info->pba_to_lba[new_pba] != UNUSED_BLOCK) {
457                        printk(KERN_ERR "sddr55 error: new PBA %04X already in use for LBA %04X\n",
458                                new_pba, info->pba_to_lba[new_pba]);
459                        info->fatal_error = 1;
460                        set_sense_info (3, 0x31, 0);
461                        result = USB_STOR_TRANSPORT_FAILED;
462                        goto leave;
463                }
464
465                /* update the pba<->lba maps for new_pba */
466                info->pba_to_lba[new_pba] = lba % 1000;
467
468                page = 0;
469                lba++;
470                sectors -= pages >> info->smallpageshift;
471        }
472        result = USB_STOR_TRANSPORT_GOOD;
473
474 leave:
475        kfree(buffer);
476        return result;
477}
478
479static int sddr55_read_deviceID(struct us_data *us,
480                unsigned char *manufacturerID,
481                unsigned char *deviceID) {
482
483        int result;
484        unsigned char *command = us->iobuf;
485        unsigned char *content = us->iobuf;
486
487        memset(command, 0, 8);
488        command[5] = 0xB0;
489        command[7] = 0x84;
490        result = sddr55_bulk_transport(us, DMA_TO_DEVICE, command, 8);
491
492        US_DEBUGP("Result of send_control for device ID is %d\n",
493                result);
494
495        if (result != USB_STOR_XFER_GOOD)
496                return USB_STOR_TRANSPORT_ERROR;
497
498        result = sddr55_bulk_transport(us,
499                DMA_FROM_DEVICE, content, 4);
500
501        if (result != USB_STOR_XFER_GOOD)
502                return USB_STOR_TRANSPORT_ERROR;
503
504        *manufacturerID = content[0];
505        *deviceID = content[1];
506
507        if (content[0] != 0xff)        {
508                    result = sddr55_bulk_transport(us,
509                        DMA_FROM_DEVICE, content, 2);
510        }
511
512        return USB_STOR_TRANSPORT_GOOD;
513}
514
515
516int sddr55_reset(struct us_data *us) {
517        return 0;
518}
519
520
521static unsigned long sddr55_get_capacity(struct us_data *us) {
522
523        unsigned char uninitialized_var(manufacturerID);
524        unsigned char uninitialized_var(deviceID);
525        int result;
526        struct sddr55_card_info *info = (struct sddr55_card_info *)us->extra;
527
528        US_DEBUGP("Reading capacity...\n");
529
530        result = sddr55_read_deviceID(us,
531                &manufacturerID,
532                &deviceID);
533
534        US_DEBUGP("Result of read_deviceID is %d\n",
535                result);
536
537        if (result != USB_STOR_XFER_GOOD)
538                return 0;
539
540        US_DEBUGP("Device ID = %02X\n", deviceID);
541        US_DEBUGP("Manuf  ID = %02X\n", manufacturerID);
542
543        info->pageshift = 9;
544        info->smallpageshift = 0;
545        info->blocksize = 16;
546        info->blockshift = 4;
547        info->blockmask = 15;
548
549        switch (deviceID) {
550
551        case 0x6e: // 1MB
552        case 0xe8:
553        case 0xec:
554                info->pageshift = 8;
555                info->smallpageshift = 1;
556                return 0x00100000;
557
558        case 0xea: // 2MB
559        case 0x64:
560                info->pageshift = 8;
561                info->smallpageshift = 1;
562        case 0x5d: // 5d is a ROM card with pagesize 512.
563                return 0x00200000;
564
565        case 0xe3: // 4MB
566        case 0xe5:
567        case 0x6b:
568        case 0xd5:
569                return 0x00400000;
570
571        case 0xe6: // 8MB
572        case 0xd6:
573                return 0x00800000;
574
575        case 0x73: // 16MB
576                info->blocksize = 32;
577                info->blockshift = 5;
578                info->blockmask = 31;
579                return 0x01000000;
580
581        case 0x75: // 32MB
582                info->blocksize = 32;
583                info->blockshift = 5;
584                info->blockmask = 31;
585                return 0x02000000;
586
587        case 0x76: // 64MB
588                info->blocksize = 32;
589                info->blockshift = 5;
590                info->blockmask = 31;
591                return 0x04000000;
592
593        case 0x79: // 128MB
594                info->blocksize = 32;
595                info->blockshift = 5;
596                info->blockmask = 31;
597                return 0x08000000;
598
599        default: // unknown
600                return 0;
601
602        }
603}
604
605static int sddr55_read_map(struct us_data *us) {
606
607        struct sddr55_card_info *info = (struct sddr55_card_info *)(us->extra);
608        int numblocks;
609        unsigned char *buffer;
610        unsigned char *command = us->iobuf;
611        int i;
612        unsigned short lba;
613        unsigned short max_lba;
614        int result;
615
616        if (!info->capacity)
617                return -1;
618
619        numblocks = info->capacity >> (info->blockshift + info->pageshift);
620        
621        buffer = kmalloc( numblocks * 2, GFP_NOIO );
622        
623        if (!buffer)
624                return -1;
625
626        memset(command, 0, 8);
627        command[5] = 0xB0;
628        command[6] = numblocks * 2 / 256;
629        command[7] = 0x8A;
630
631        result = sddr55_bulk_transport(us, DMA_TO_DEVICE, command, 8);
632
633        if ( result != USB_STOR_XFER_GOOD) {
634                kfree (buffer);
635                return -1;
636        }
637
638        result = sddr55_bulk_transport(us, DMA_FROM_DEVICE, buffer, numblocks * 2);
639
640        if ( result != USB_STOR_XFER_GOOD) {
641                kfree (buffer);
642                return -1;
643        }
644
645        result = sddr55_bulk_transport(us, DMA_FROM_DEVICE, command, 2);
646
647        if ( result != USB_STOR_XFER_GOOD) {
648                kfree (buffer);
649                return -1;
650        }
651
652        kfree(info->lba_to_pba);
653        kfree(info->pba_to_lba);
654        info->lba_to_pba = kmalloc(numblocks*sizeof(int), GFP_NOIO);
655        info->pba_to_lba = kmalloc(numblocks*sizeof(int), GFP_NOIO);
656
657        if (info->lba_to_pba == NULL || info->pba_to_lba == NULL) {
658                kfree(info->lba_to_pba);
659                kfree(info->pba_to_lba);
660                info->lba_to_pba = NULL;
661                info->pba_to_lba = NULL;
662                kfree(buffer);
663                return -1;
664        }
665
666        memset(info->lba_to_pba, 0xff, numblocks*sizeof(int));
667        memset(info->pba_to_lba, 0xff, numblocks*sizeof(int));
668
669        /* set maximum lba */
670        max_lba = info->max_log_blks;
671        if (max_lba > 1000)
672                max_lba = 1000;
673
674        // Each block is 64 bytes of control data, so block i is located in
675        // scatterlist block i*64/128k = i*(2^6)*(2^-17) = i*(2^-11)
676
677        for (i=0; i<numblocks; i++) {
678                int zone = i / 1024;
679
680                lba = short_pack(buffer[i * 2], buffer[i * 2 + 1]);
681
682                        /* Every 1024 physical blocks ("zone"), the LBA numbers
683                         * go back to zero, but are within a higher
684                         * block of LBA's. Also, there is a maximum of
685                         * 1000 LBA's per zone. In other words, in PBA
686                         * 1024-2047 you will find LBA 0-999 which are
687                         * really LBA 1000-1999. Yes, this wastes 24
688                         * physical blocks per zone. Go figure. 
689                         * These devices can have blocks go bad, so there
690                         * are 24 spare blocks to use when blocks do go bad.
691                         */
692
693                        /* SDDR55 returns 0xffff for a bad block, and 0x400 for the 
694                         * CIS block. (Is this true for cards 8MB or less??)
695                         * Record these in the physical to logical map
696                         */ 
697
698                info->pba_to_lba[i] = lba;
699
700                if (lba >= max_lba) {
701                        continue;
702                }
703                
704                if (info->lba_to_pba[lba + zone * 1000] != NOT_ALLOCATED &&
705                    !info->force_read_only) {
706                        printk("sddr55: map inconsistency at LBA %04X\n", lba + zone * 1000);
707                        info->force_read_only = 1;
708                }
709
710                if (lba<0x10 || (lba>=0x3E0 && lba<0x3EF))
711                        US_DEBUGP("LBA %04X <-> PBA %04X\n", lba, i);
712
713                info->lba_to_pba[lba + zone * 1000] = i;
714        }
715
716        kfree(buffer);
717        return 0;
718}
719
720
721static void sddr55_card_info_destructor(void *extra) {
722        struct sddr55_card_info *info = (struct sddr55_card_info *)extra;
723
724        if (!extra)
725                return;
726
727        kfree(info->lba_to_pba);
728        kfree(info->pba_to_lba);
729}
730
731
732/*
733 * Transport for the Sandisk SDDR-55
734 */
735int sddr55_transport(struct scsi_cmnd *srb, struct us_data *us)
736{
737        int result;
738        static unsigned char inquiry_response[8] = {
739                0x00, 0x80, 0x00, 0x02, 0x1F, 0x00, 0x00, 0x00
740        };
741         // write-protected for now, no block descriptor support
742        static unsigned char mode_page_01[20] = {
743                0x0, 0x12, 0x00, 0x80, 0x0, 0x0, 0x0, 0x0,
744                0x01, 0x0A,
745                0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
746        };
747        unsigned char *ptr = us->iobuf;
748        unsigned long capacity;
749        unsigned int lba;
750        unsigned int pba;
751        unsigned int page;
752        unsigned short pages;
753        struct sddr55_card_info *info;
754
755        if (!us->extra) {
756                us->extra = kzalloc(
757                        sizeof(struct sddr55_card_info), GFP_NOIO);
758                if (!us->extra)
759                        return USB_STOR_TRANSPORT_ERROR;
760                us->extra_destructor = sddr55_card_info_destructor;
761        }
762
763        info = (struct sddr55_card_info *)(us->extra);
764
765        if (srb->cmnd[0] == REQUEST_SENSE) {
766                US_DEBUGP("SDDR55: request sense %02x/%02x/%02x\n", info->sense_data[2], info->sense_data[12], info->sense_data[13]);
767
768                memcpy (ptr, info->sense_data, sizeof info->sense_data);
769                ptr[0] = 0x70;
770                ptr[7] = 11;
771                usb_stor_set_xfer_buf (ptr, sizeof info->sense_data, srb);
772                memset (info->sense_data, 0, sizeof info->sense_data);
773
774                return USB_STOR_TRANSPORT_GOOD;
775        }
776
777        memset (info->sense_data, 0, sizeof info->sense_data);
778
779        /* Dummy up a response for INQUIRY since SDDR55 doesn't
780           respond to INQUIRY commands */
781
782        if (srb->cmnd[0] == INQUIRY) {
783                memcpy(ptr, inquiry_response, 8);
784                fill_inquiry_response(us, ptr, 36);
785                return USB_STOR_TRANSPORT_GOOD;
786        }
787
788        /* only check card status if the map isn't allocated, ie no card seen yet
789         * or if it's been over half a second since we last accessed it
790         */
791        if (info->lba_to_pba == NULL || time_after(jiffies, info->last_access + HZ/2)) {
792
793                /* check to see if a card is fitted */
794                result = sddr55_status (us);
795                if (result) {
796                        result = sddr55_status (us);
797                        if (!result) {
798                        set_sense_info (6, 0x28, 0);        /* new media, set unit attention, not ready to ready */
799                        }
800                        return USB_STOR_TRANSPORT_FAILED;
801                }
802        }
803
804        /* if we detected a problem with the map when writing,
805           don't allow any more access */
806        if (info->fatal_error) {
807
808                set_sense_info (3, 0x31, 0);
809                return USB_STOR_TRANSPORT_FAILED;
810        }
811
812        if (srb->cmnd[0] == READ_CAPACITY) {
813
814                capacity = sddr55_get_capacity(us);
815
816                if (!capacity) {
817                        set_sense_info (3, 0x30, 0); /* incompatible medium */
818                        return USB_STOR_TRANSPORT_FAILED;
819                }
820
821                info->capacity = capacity;
822
823                /* figure out the maximum logical block number, allowing for
824                 * the fact that only 250 out of every 256 are used */
825                info->max_log_blks = ((info->capacity >> (info->pageshift + info->blockshift)) / 256) * 250;
826
827                /* Last page in the card, adjust as we only use 250 out of
828                 * every 256 pages */
829                capacity = (capacity / 256) * 250;
830
831                capacity /= PAGESIZE;
832                capacity--;
833
834                ((__be32 *) ptr)[0] = cpu_to_be32(capacity);
835                ((__be32 *) ptr)[1] = cpu_to_be32(PAGESIZE);
836                usb_stor_set_xfer_buf(ptr, 8, srb);
837
838                sddr55_read_map(us);
839
840                return USB_STOR_TRANSPORT_GOOD;
841        }
842
843        if (srb->cmnd[0] == MODE_SENSE_10) {
844
845                memcpy(ptr, mode_page_01, sizeof mode_page_01);
846                ptr[3] = (info->read_only || info->force_read_only) ? 0x80 : 0;
847                usb_stor_set_xfer_buf(ptr, sizeof(mode_page_01), srb);
848
849                if ( (srb->cmnd[2] & 0x3F) == 0x01 ) {
850                        US_DEBUGP(
851                          "SDDR55: Dummy up request for mode page 1\n");
852                        return USB_STOR_TRANSPORT_GOOD;
853
854                } else if ( (srb->cmnd[2] & 0x3F) == 0x3F ) {
855                        US_DEBUGP(
856                          "SDDR55: Dummy up request for all mode pages\n");
857                        return USB_STOR_TRANSPORT_GOOD;
858                }
859
860                set_sense_info (5, 0x24, 0);        /* invalid field in command */
861                return USB_STOR_TRANSPORT_FAILED;
862        }
863
864        if (srb->cmnd[0] == ALLOW_MEDIUM_REMOVAL) {
865
866                US_DEBUGP(
867                  "SDDR55: %s medium removal. Not that I can do"
868                  " anything about it...\n",
869                  (srb->cmnd[4]&0x03) ? "Prevent" : "Allow");
870
871                return USB_STOR_TRANSPORT_GOOD;
872
873        }
874
875        if (srb->cmnd[0] == READ_10 || srb->cmnd[0] == WRITE_10) {
876
877                page = short_pack(srb->cmnd[3], srb->cmnd[2]);
878                page <<= 16;
879                page |= short_pack(srb->cmnd[5], srb->cmnd[4]);
880                pages = short_pack(srb->cmnd[8], srb->cmnd[7]);
881
882                page <<= info->smallpageshift;
883
884                // convert page to block and page-within-block
885
886                lba = page >> info->blockshift;
887                page = page & info->blockmask;
888
889                // locate physical block corresponding to logical block
890
891                if (lba >= info->max_log_blks) {
892
893                        US_DEBUGP("Error: Requested LBA %04X exceeds maximum "
894                          "block %04X\n", lba, info->max_log_blks-1);
895
896                        set_sense_info (5, 0x24, 0);        /* invalid field in command */
897
898                        return USB_STOR_TRANSPORT_FAILED;
899                }
900
901                pba = info->lba_to_pba[lba];
902
903                if (srb->cmnd[0] == WRITE_10) {
904                        US_DEBUGP("WRITE_10: write block %04X (LBA %04X) page %01X"
905                                " pages %d\n",
906                                pba, lba, page, pages);
907
908                        return sddr55_write_data(us, lba, page, pages);
909                } else {
910                        US_DEBUGP("READ_10: read block %04X (LBA %04X) page %01X"
911                                " pages %d\n",
912                                pba, lba, page, pages);
913
914                        return sddr55_read_data(us, lba, page, pages);
915                }
916        }
917
918
919        if (srb->cmnd[0] == TEST_UNIT_READY) {
920                return USB_STOR_TRANSPORT_GOOD;
921        }
922
923        if (srb->cmnd[0] == START_STOP) {
924                return USB_STOR_TRANSPORT_GOOD;
925        }
926
927        set_sense_info (5, 0x20, 0);        /* illegal command */
928
929        return USB_STOR_TRANSPORT_FAILED; // FIXME: sense buffer?
930}
931