USB: serial: cyberjack: fix NULL-deref at open
[pandora-kernel.git] / drivers / usb / serial / cyberjack.c
1 /*
2  *  REINER SCT cyberJack pinpad/e-com USB Chipcard Reader Driver
3  *
4  *  Copyright (C) 2001  REINER SCT
5  *  Author: Matthias Bruestle
6  *
7  *  Contact: support@reiner-sct.com (see MAINTAINERS)
8  *
9  *  This program is largely derived from work by the linux-usb group
10  *  and associated source files.  Please see the usb/serial files for
11  *  individual credits and copyrights.
12  *
13  *  This program is free software; you can redistribute it and/or modify
14  *  it under the terms of the GNU General Public License as published by
15  *  the Free Software Foundation; either version 2 of the License, or
16  *  (at your option) any later version.
17  *
18  *  Thanks to Greg Kroah-Hartman (greg@kroah.com) for his help and
19  *  patience.
20  *
21  *  In case of problems, please write to the contact e-mail address
22  *  mentioned above.
23  *
24  *  Please note that later models of the cyberjack reader family are
25  *  supported by a libusb-based userspace device driver.
26  *
27  *  Homepage: http://www.reiner-sct.de/support/treiber_cyberjack.php#linux
28  */
29
30
31 #include <linux/kernel.h>
32 #include <linux/errno.h>
33 #include <linux/init.h>
34 #include <linux/slab.h>
35 #include <linux/tty.h>
36 #include <linux/tty_driver.h>
37 #include <linux/tty_flip.h>
38 #include <linux/module.h>
39 #include <linux/spinlock.h>
40 #include <linux/uaccess.h>
41 #include <linux/usb.h>
42 #include <linux/usb/serial.h>
43
/* Value cyberjack_write_room() hands back as the room available for writes. */
#define CYBERJACK_LOCAL_BUF_SIZE 32

/* Debug switch; exposed as the "debug" module parameter at the end of the file. */
static int debug;

/*
 * Version Information
 */
#define DRIVER_VERSION "v1.01"
#define DRIVER_AUTHOR "Matthias Bruestle"
#define DRIVER_DESC "REINER SCT cyberJack pinpad/e-com USB Chipcard Reader Driver"


/* USB vendor/product pair matched by id_table. */
#define CYBERJACK_VENDOR_ID     0x0C4B
#define CYBERJACK_PRODUCT_ID    0x0100
58
/*
 * Function prototypes: the callbacks below are referenced by the
 * cyberjack_device table before their definitions appear.
 */
static int cyberjack_startup(struct usb_serial *serial);
static void cyberjack_disconnect(struct usb_serial *serial);
static void cyberjack_release(struct usb_serial *serial);
static int  cyberjack_open(struct tty_struct *tty,
        struct usb_serial_port *port);
static void cyberjack_close(struct usb_serial_port *port);
static int cyberjack_write(struct tty_struct *tty,
        struct usb_serial_port *port, const unsigned char *buf, int count);
static int cyberjack_write_room(struct tty_struct *tty);
static void cyberjack_read_int_callback(struct urb *urb);
static void cyberjack_read_bulk_callback(struct urb *urb);
static void cyberjack_write_bulk_callback(struct urb *urb);

/*
 * Devices handled by this driver. Matching is on vendor/product ID only;
 * nothing in this table constrains the endpoints a matching device exposes.
 */
static const struct usb_device_id id_table[] = {
        { USB_DEVICE(CYBERJACK_VENDOR_ID, CYBERJACK_PRODUCT_ID) },
        { }                     /* Terminating entry */
};

MODULE_DEVICE_TABLE(usb, id_table);
79
/* USB driver glue: probe and disconnect are delegated to the usb-serial core. */
static struct usb_driver cyberjack_driver = {
        .name =         "cyberjack",
        .probe =        usb_serial_probe,
        .disconnect =   usb_serial_disconnect,
        .id_table =     id_table,
        /* NOTE(review): presumably stops extra IDs being added at runtime - confirm */
        .no_dynamic_id =        1,
};

/*
 * usb-serial driver description. Only the port count is declared here; the
 * endpoint layout is not, so cyberjack_startup() (.attach) is the place where
 * the endpoint counts of the attached device are checked before the port
 * URBs are dereferenced.
 */
static struct usb_serial_driver cyberjack_device = {
        .driver = {
                .owner =        THIS_MODULE,
                .name =         "cyberjack",
        },
        .description =          "Reiner SCT Cyberjack USB card reader",
        .usb_driver =           &cyberjack_driver,
        .id_table =             id_table,
        .num_ports =            1,
        .attach =               cyberjack_startup,
        .disconnect =           cyberjack_disconnect,
        .release =              cyberjack_release,
        .open =                 cyberjack_open,
        .close =                cyberjack_close,
        .write =                cyberjack_write,
        .write_room =           cyberjack_write_room,
        .read_int_callback =    cyberjack_read_int_callback,
        .read_bulk_callback =   cyberjack_read_bulk_callback,
        .write_bulk_callback =  cyberjack_write_bulk_callback,
};
108
/*
 * Per-port driver state. Allocated in cyberjack_startup(), attached to
 * port 0 as serial port data and freed in cyberjack_release().
 *
 * The three counters are signed shorts: rdtodo is increased by sizes taken
 * from device interrupt packets, wrfilled/wrsent index into wrbuf.
 */
struct cyberjack_private {
        spinlock_t      lock;           /* Lock for SMP */
        short           rdtodo;         /* Bytes still to read */
        unsigned char   wrbuf[5*64];    /* Buffer for collecting data to write */
        short           wrfilled;       /* Overall data size we already got */
        short           wrsent;         /* Data already sent */
};
116
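/*
 * cyberjack_startup() - attach callback; does the startup allocations not
 * performed by usb_serial_probe().
 *
 * Allocates the per-port private state, attaches it to port 0 and submits
 * the interrupt-in URB of every port.
 *
 * Returns 0 on success, -ENODEV when the device does not provide the
 * endpoints the driver uses, -ENOMEM when the private state cannot be
 * allocated. A failed interrupt URB submission is only logged.
 */
static int cyberjack_startup(struct usb_serial *serial)
{
        struct cyberjack_private *priv;
        int i;

        dbg("%s", __func__);

        /*
         * The endpoint counts are derived from the descriptors the device
         * reports, so they cannot be trusted to match the real hardware.
         * This driver dereferences write_urb (open), interrupt_in_urb (the
         * loop below) and read_urb (interrupt callback) without NULL
         * checks; refuse to bind unless every port has all three
         * endpoints. (Presumably the core leaves the URB pointer NULL for
         * a port without the matching endpoint.)
         */
        if (serial->num_bulk_out < serial->num_ports ||
            serial->num_bulk_in < serial->num_ports ||
            serial->num_interrupt_in < serial->num_ports)
                return -ENODEV;

        /* allocate the private data structure */
        priv = kmalloc(sizeof(*priv), GFP_KERNEL);
        if (!priv)
                return -ENOMEM;

        /* set initial values */
        spin_lock_init(&priv->lock);
        priv->rdtodo = 0;
        priv->wrfilled = 0;
        priv->wrsent = 0;
        usb_set_serial_port_data(serial->port[0], priv);

        init_waitqueue_head(&serial->port[0]->write_wait);

        for (i = 0; i < serial->num_ports; ++i) {
                int result;

                serial->port[i]->interrupt_in_urb->dev = serial->dev;
                result = usb_submit_urb(serial->port[i]->interrupt_in_urb,
                                        GFP_KERNEL);
                if (result)
                        dev_err(&serial->dev->dev,
                                "usb_submit_urb(read int) failed\n");
                dbg("%s - usb_submit_urb(int urb)", __func__);
        }

        return 0;
}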
155
/* Disconnect callback: cancel the interrupt-in URB of every port. */
static void cyberjack_disconnect(struct usb_serial *serial)
{
        int port_idx = 0;

        dbg("%s", __func__);

        while (port_idx < serial->num_ports) {
                usb_kill_urb(serial->port[port_idx]->interrupt_in_urb);
                ++port_idx;
        }
}
165
/*
 * Release callback: free the private state attached to each port.
 * The URBs themselves are left to the standard usb-serial routines.
 */
static void cyberjack_release(struct usb_serial *serial)
{
        int port_idx;

        dbg("%s", __func__);

        for (port_idx = 0; port_idx < serial->num_ports; ++port_idx) {
                void *port_data =
                        usb_get_serial_port_data(serial->port[port_idx]);

                kfree(port_data);
        }
}
177
/*
 * Open callback: clear a halt condition on the bulk-out pipe and reset the
 * read/write bookkeeping under the private lock. Always returns 0.
 *
 * port->write_urb is dereferenced unconditionally here, which is why
 * cyberjack_startup() has to reject devices without a bulk-out endpoint.
 */
static int  cyberjack_open(struct tty_struct *tty,
                                        struct usb_serial_port *port)
{
        struct cyberjack_private *priv = usb_get_serial_port_data(port);
        unsigned long irq_flags;

        dbg("%s - port %d", __func__, port->number);

        dbg("%s - usb_clear_halt", __func__);
        usb_clear_halt(port->serial->dev, port->write_urb->pipe);

        spin_lock_irqsave(&priv->lock, irq_flags);
        priv->wrsent = 0;
        priv->wrfilled = 0;
        priv->rdtodo = 0;
        spin_unlock_irqrestore(&priv->lock, irq_flags);

        return 0;
}
199
/* Close callback: cancel any bulk transfer still pending on the port. */
static void cyberjack_close(struct usb_serial_port *port)
{
        dbg("%s - port %d", __func__, port->number);

        /* No device pointer left: nothing to cancel. */
        if (!port->serial->dev)
                return;

        usb_kill_urb(port->write_urb);
        usb_kill_urb(port->read_urb);
}
210
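/*
 * cyberjack_write() - tty write callback.
 *
 * Collects caller data in priv->wrbuf and starts the bulk-out transfer once
 * a whole frame has been collected. Bytes 1 and 2 of the collected data are
 * read as a little-endian length; the expected frame size is that length
 * plus 3. The first chunk (at most port->bulk_out_size bytes) is sent from
 * here, the rest from cyberjack_write_bulk_callback().
 *
 * Returns @count when the data was accepted, 0 when nothing was taken:
 * zero-length request, write URB already claimed, data that would not fit
 * in wrbuf (the buffer is reset), or a failed URB submission.
 */
static int cyberjack_write(struct tty_struct *tty,
        struct usb_serial_port *port, const unsigned char *buf, int count)
{
        struct usb_serial *serial = port->serial;
        struct cyberjack_private *priv = usb_get_serial_port_data(port);
        unsigned long flags;
        int result;
        int wrexpected;

        dbg("%s - port %d", __func__, port->number);

        if (count == 0) {
                dbg("%s - write request of 0 bytes", __func__);
                return 0;
        }

        /* Claim the write URB; a second writer is turned away. */
        spin_lock_bh(&port->lock);
        if (port->write_urb_busy) {
                spin_unlock_bh(&port->lock);
                dbg("%s - already writing", __func__);
                return 0;
        }
        port->write_urb_busy = 1;
        spin_unlock_bh(&port->lock);

        spin_lock_irqsave(&priv->lock, flags);

        /*
         * Bound the copy below. The sum is compared against a size_t, so a
         * negative sum converts to a large value and is rejected as well.
         */
        if (count+priv->wrfilled > sizeof(priv->wrbuf)) {
                /*
                 * Too much data for buffer. Reset buffer. wrsent is reset
                 * together with wrfilled, as at every other reset site, so
                 * the completion handler never sees wrsent > wrfilled.
                 */
                priv->wrfilled = 0;
                priv->wrsent = 0;
                port->write_urb_busy = 0;
                spin_unlock_irqrestore(&priv->lock, flags);
                return 0;
        }

        /* Copy data */
        memcpy(priv->wrbuf + priv->wrfilled, buf, count);

        usb_serial_debug_data(debug, &port->dev, __func__, count,
                priv->wrbuf + priv->wrfilled);
        priv->wrfilled += count;

        /* The frame length field is caller-supplied data; treat it as such. */
        if (priv->wrfilled >= 3) {
                wrexpected = ((int)priv->wrbuf[2]<<8)+priv->wrbuf[1]+3;
                dbg("%s - expected data: %d", __func__, wrexpected);
        } else
                wrexpected = sizeof(priv->wrbuf);

        if (priv->wrfilled >= wrexpected) {
                /* We have enough data to begin transmission */
                int length;

                dbg("%s - transmitting data (frame 1)", __func__);
                /*
                 * wrexpected <= wrfilled <= sizeof(wrbuf) on this path, so
                 * the read from wrbuf stays in bounds; the clamp to
                 * bulk_out_size bounds the write into the transfer buffer
                 * (assumes that buffer is bulk_out_size bytes - TODO confirm).
                 */
                length = (wrexpected > port->bulk_out_size) ?
                                        port->bulk_out_size : wrexpected;

                memcpy(port->write_urb->transfer_buffer, priv->wrbuf, length);
                priv->wrsent = length;

                /* set up our urb */
                usb_fill_bulk_urb(port->write_urb, serial->dev,
                              usb_sndbulkpipe(serial->dev, port->bulk_out_endpointAddress),
                              port->write_urb->transfer_buffer, length,
                              ((serial->type->write_bulk_callback) ?
                               serial->type->write_bulk_callback :
                               cyberjack_write_bulk_callback),
                              port);

                /* send the data out the bulk port */
                result = usb_submit_urb(port->write_urb, GFP_ATOMIC);
                if (result) {
                        dev_err(&port->dev,
                                "%s - failed submitting write urb, error %d\n",
                                __func__, result);
                        /* Throw away data. No better idea what to do with it. */
                        priv->wrfilled = 0;
                        priv->wrsent = 0;
                        spin_unlock_irqrestore(&priv->lock, flags);
                        port->write_urb_busy = 0;
                        return 0;
                }

                dbg("%s - priv->wrsent=%d", __func__, priv->wrsent);
                dbg("%s - priv->wrfilled=%d", __func__, priv->wrfilled);

                if (priv->wrsent >= priv->wrfilled) {
                        dbg("%s - buffer cleaned", __func__);
                        memset(priv->wrbuf, 0, sizeof(priv->wrbuf));
                        priv->wrfilled = 0;
                        priv->wrsent = 0;
                }
        }

        /*
         * NOTE(review): when the frame is still incomplete no URB was
         * submitted, yet write_urb_busy stays set on this path; it looks
         * like later writes would then be refused - confirm.
         */
        spin_unlock_irqrestore(&priv->lock, flags);

        return count;
}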
308
/*
 * write_room callback: always reports CYBERJACK_LOCAL_BUF_SIZE, whatever the
 * fill level of the per-port write buffer is (see the FIXME below).
 */
static int cyberjack_write_room(struct tty_struct *tty)
{
        /* FIXME: .... */
        return CYBERJACK_LOCAL_BUF_SIZE;
}
314
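/*
 * cyberjack_read_int_callback() - completion handler of the interrupt-in URB.
 *
 * A 4-byte packet whose first byte is 0x01 announces bulk-in data: bytes 2
 * and 3 are read as a little-endian length and that length plus 3 is added
 * to priv->rdtodo. The bulk read URB is submitted when nothing was pending
 * before. The interrupt URB is resubmitted in every case except a nonzero
 * URB status.
 */
static void cyberjack_read_int_callback(struct urb *urb)
{
        struct usb_serial_port *port = urb->context;
        struct cyberjack_private *priv = usb_get_serial_port_data(port);
        unsigned char *data = urb->transfer_buffer;
        int status = urb->status;
        int result;

        dbg("%s - port %d", __func__, port->number);

        /* the urb might have been killed. */
        if (status)
                return;

        usb_serial_debug_data(debug, &port->dev, __func__,
                                                urb->actual_length, data);

        /* React only to interrupts signaling a bulk_in transfer */
        if (urb->actual_length == 4 && data[0] == 0x01) {
                short old_rdtodo;

                /*
                 * This is a announcement of coming bulk_ins. The size comes
                 * straight from the device. NOTE(review): the +3 is
                 * truncated to unsigned short, so the largest announced
                 * lengths wrap to a small size - confirm that is acceptable.
                 */
                unsigned short size = ((unsigned short)data[3]<<8)+data[2]+3;

                spin_lock(&priv->lock);

                old_rdtodo = priv->rdtodo;

                /*
                 * Reject announcements that would push the signed short
                 * counter past SHRT_MAX. The former test
                 * "old_rdtodo + size < old_rdtodo" was evaluated in int
                 * after integer promotion and could never be true, so the
                 * "+=" below was able to wrap rdtodo.
                 */
                if (old_rdtodo > SHRT_MAX - size) {
                        dbg("To many bulk_in urbs to do.");
                        spin_unlock(&priv->lock);
                        goto resubmit;
                }

                /* "+=" is probably more fault tolerant than "=" */
                priv->rdtodo += size;

                dbg("%s - rdtodo: %d", __func__, priv->rdtodo);

                spin_unlock(&priv->lock);

                /* Start the bulk read only if none was pending already. */
                if (!old_rdtodo) {
                        port->read_urb->dev = port->serial->dev;
                        result = usb_submit_urb(port->read_urb, GFP_ATOMIC);
                        if (result)
                                dev_err(&port->dev, "%s - failed resubmitting "
                                        "read urb, error %d\n",
                                        __func__, result);
                        dbg("%s - usb_submit_urb(read urb)", __func__);
                }
        }

resubmit:
        port->interrupt_in_urb->dev = port->serial->dev;
        result = usb_submit_urb(port->interrupt_in_urb, GFP_ATOMIC);
        if (result)
                dev_err(&port->dev, "usb_submit_urb(read int) failed\n");
        dbg("%s - usb_submit_urb(int urb)", __func__);
}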
374
/*
 * cyberjack_read_bulk_callback() - completion handler of the bulk-in URB.
 *
 * Pushes the received bytes to the tty, subtracts them from priv->rdtodo
 * (clamped at 0) and resubmits the read URB while bytes remain outstanding.
 * Returns early, without touching rdtodo, on a nonzero URB status or when
 * no tty is attached to the port.
 */
static void cyberjack_read_bulk_callback(struct urb *urb)
{
        struct usb_serial_port *port = urb->context;
        struct cyberjack_private *priv = usb_get_serial_port_data(port);
        unsigned char *payload = urb->transfer_buffer;
        int urb_status = urb->status;
        struct tty_struct *tty;
        short remaining;
        int rc;

        dbg("%s - port %d", __func__, port->number);

        usb_serial_debug_data(debug, &port->dev, __func__,
                                                urb->actual_length, payload);
        if (urb_status) {
                dbg("%s - nonzero read bulk status received: %d",
                    __func__, urb_status);
                return;
        }

        tty = tty_port_tty_get(&port->port);
        if (!tty) {
                dbg("%s - ignoring since device not open", __func__);
                return;
        }
        if (urb->actual_length) {
                tty_insert_flip_string(tty, payload, urb->actual_length);
                tty_flip_buffer_push(tty);
        }
        tty_kref_put(tty);

        /* Account for what just arrived; never let the counter go negative. */
        spin_lock(&priv->lock);
        priv->rdtodo -= urb->actual_length;
        if (priv->rdtodo < 0)
                priv->rdtodo = 0;
        remaining = priv->rdtodo;
        spin_unlock(&priv->lock);

        dbg("%s - rdtodo: %d", __func__, remaining);

        /* Nothing outstanding: leave the read URB idle. */
        if (!remaining)
                return;

        port->read_urb->dev = port->serial->dev;
        rc = usb_submit_urb(port->read_urb, GFP_ATOMIC);
        if (rc)
                dev_err(&port->dev,
                        "%s - failed resubmitting read urb, error %d\n",
                        __func__, rc);
        dbg("%s - usb_submit_urb(read urb)", __func__);
}
429
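/*
 * cyberjack_write_bulk_callback() - completion handler of the bulk-out URB.
 *
 * While collected data remains unsent, copies the next chunk (at most
 * port->bulk_out_size bytes) from priv->wrbuf into the transfer buffer and
 * resubmits the write URB. The buffer is cleared once everything collected,
 * or the whole frame as given by its length field, has been sent.
 */
static void cyberjack_write_bulk_callback(struct urb *urb)
{
        struct usb_serial_port *port = urb->context;
        struct cyberjack_private *priv = usb_get_serial_port_data(port);
        int status = urb->status;

        dbg("%s - port %d", __func__, port->number);

        /*
         * NOTE(review): the busy flag is dropped here although the URB may
         * be resubmitted further down; it looks like cyberjack_write() can
         * then treat the URB as free while it is in flight - confirm.
         */
        port->write_urb_busy = 0;
        if (status) {
                dbg("%s - nonzero write bulk status received: %d",
                    __func__, status);
                return;
        }

        spin_lock(&priv->lock);

        /* only do something if we have more data to send */
        if (priv->wrfilled) {
                int length, blksize, result;

                dbg("%s - transmitting data (frame n)", __func__);

                length = priv->wrfilled - priv->wrsent;

                /*
                 * The difference is used as a memcpy() size below. If the
                 * two counters ever get out of step (wrsent ahead of
                 * wrfilled) the size would be negative; drop the buffered
                 * data instead of copying.
                 */
                if (length < 0) {
                        priv->wrfilled = 0;
                        priv->wrsent = 0;
                        goto exit;
                }
                if (length > port->bulk_out_size)
                        length = port->bulk_out_size;

                memcpy(port->write_urb->transfer_buffer,
                                        priv->wrbuf + priv->wrsent, length);
                priv->wrsent += length;

                /* set up our urb */
                usb_fill_bulk_urb(port->write_urb, port->serial->dev,
                              usb_sndbulkpipe(port->serial->dev, port->bulk_out_endpointAddress),
                              port->write_urb->transfer_buffer, length,
                              ((port->serial->type->write_bulk_callback) ?
                               port->serial->type->write_bulk_callback :
                               cyberjack_write_bulk_callback),
                              port);

                /* send the data out the bulk port */
                result = usb_submit_urb(port->write_urb, GFP_ATOMIC);
                if (result) {
                        dev_err(&port->dev,
                                "%s - failed submitting write urb, error %d\n",
                                __func__, result);
                        /* Throw away data. No better idea what to do with it. */
                        priv->wrfilled = 0;
                        priv->wrsent = 0;
                        goto exit;
                }

                dbg("%s - priv->wrsent=%d", __func__, priv->wrsent);
                dbg("%s - priv->wrfilled=%d", __func__, priv->wrfilled);

                /* Frame size as given by the length field in bytes 1 and 2. */
                blksize = ((int)priv->wrbuf[2]<<8)+priv->wrbuf[1]+3;

                if (priv->wrsent >= priv->wrfilled ||
                                        priv->wrsent >= blksize) {
                        dbg("%s - buffer cleaned", __func__);
                        memset(priv->wrbuf, 0, sizeof(priv->wrbuf));
                        priv->wrfilled = 0;
                        priv->wrsent = 0;
                }
        }

exit:
        spin_unlock(&priv->lock);
        usb_serial_port_softint(port);
}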
499
/*
 * Module init: register the usb-serial driver first, then the USB driver,
 * undoing the first registration when the second one fails. Logs version,
 * author and description on success. Returns 0 or the failing call's error.
 */
static int __init cyberjack_init(void)
{
        int err;

        err = usb_serial_register(&cyberjack_device);
        if (err)
                return err;

        err = usb_register(&cyberjack_driver);
        if (err) {
                usb_serial_deregister(&cyberjack_device);
                return err;
        }

        printk(KERN_INFO KBUILD_MODNAME ": " DRIVER_VERSION " "
               DRIVER_AUTHOR "\n");
        printk(KERN_INFO KBUILD_MODNAME ": " DRIVER_DESC "\n");

        return 0;
}
520
/*
 * Module exit: unregister in the reverse order of cyberjack_init(), the USB
 * driver first and the usb-serial driver second.
 */
static void __exit cyberjack_exit(void)
{
        usb_deregister(&cyberjack_driver);
        usb_serial_deregister(&cyberjack_device);
}
526
/* Module entry and exit points. */
module_init(cyberjack_init);
module_exit(cyberjack_exit);

/* Module metadata, taken from the DRIVER_* strings defined at the top. */
MODULE_AUTHOR(DRIVER_AUTHOR);
MODULE_DESCRIPTION(DRIVER_DESC);
MODULE_VERSION(DRIVER_VERSION);
MODULE_LICENSE("GPL");

/*
 * "debug" is passed to usb_serial_debug_data() by the I/O paths above.
 * Permissions: readable by everyone, writable by the owner only.
 */
module_param(debug, bool, S_IRUGO | S_IWUSR);
MODULE_PARM_DESC(debug, "Debug enabled or not");