aboutsummaryrefslogtreecommitdiffstats
path: root/drivers/bluetooth/btmrvl_sdio.c
diff options
context:
space:
mode:
Diffstat (limited to 'drivers/bluetooth/btmrvl_sdio.c')
-rw-r--r--drivers/bluetooth/btmrvl_sdio.c28
1 files changed, 17 insertions, 11 deletions
diff --git a/drivers/bluetooth/btmrvl_sdio.c b/drivers/bluetooth/btmrvl_sdio.c
index 3f4bfc814dc7..9959d4cb23dc 100644
--- a/drivers/bluetooth/btmrvl_sdio.c
+++ b/drivers/bluetooth/btmrvl_sdio.c
@@ -492,7 +492,7 @@ done:
492static int btmrvl_sdio_card_to_host(struct btmrvl_private *priv) 492static int btmrvl_sdio_card_to_host(struct btmrvl_private *priv)
493{ 493{
494 u16 buf_len = 0; 494 u16 buf_len = 0;
495 int ret, buf_block_len, blksz; 495 int ret, num_blocks, blksz;
496 struct sk_buff *skb = NULL; 496 struct sk_buff *skb = NULL;
497 u32 type; 497 u32 type;
498 u8 *payload = NULL; 498 u8 *payload = NULL;
@@ -514,18 +514,17 @@ static int btmrvl_sdio_card_to_host(struct btmrvl_private *priv)
514 } 514 }
515 515
516 blksz = SDIO_BLOCK_SIZE; 516 blksz = SDIO_BLOCK_SIZE;
517 buf_block_len = (buf_len + blksz - 1) / blksz; 517 num_blocks = DIV_ROUND_UP(buf_len, blksz);
518 518
519 if (buf_len <= SDIO_HEADER_LEN 519 if (buf_len <= SDIO_HEADER_LEN
520 || (buf_block_len * blksz) > ALLOC_BUF_SIZE) { 520 || (num_blocks * blksz) > ALLOC_BUF_SIZE) {
521 BT_ERR("invalid packet length: %d", buf_len); 521 BT_ERR("invalid packet length: %d", buf_len);
522 ret = -EINVAL; 522 ret = -EINVAL;
523 goto exit; 523 goto exit;
524 } 524 }
525 525
526 /* Allocate buffer */ 526 /* Allocate buffer */
527 skb = bt_skb_alloc(buf_block_len * blksz + BTSDIO_DMA_ALIGN, 527 skb = bt_skb_alloc(num_blocks * blksz + BTSDIO_DMA_ALIGN, GFP_ATOMIC);
528 GFP_ATOMIC);
529 if (skb == NULL) { 528 if (skb == NULL) {
530 BT_ERR("No free skb"); 529 BT_ERR("No free skb");
531 goto exit; 530 goto exit;
@@ -541,7 +540,7 @@ static int btmrvl_sdio_card_to_host(struct btmrvl_private *priv)
541 payload = skb->data; 540 payload = skb->data;
542 541
543 ret = sdio_readsb(card->func, payload, card->ioport, 542 ret = sdio_readsb(card->func, payload, card->ioport,
544 buf_block_len * blksz); 543 num_blocks * blksz);
545 if (ret < 0) { 544 if (ret < 0) {
546 BT_ERR("readsb failed: %d", ret); 545 BT_ERR("readsb failed: %d", ret);
547 ret = -EIO; 546 ret = -EIO;
@@ -553,7 +552,16 @@ static int btmrvl_sdio_card_to_host(struct btmrvl_private *priv)
553 */ 552 */
554 553
555 buf_len = payload[0]; 554 buf_len = payload[0];
556 buf_len |= (u16) payload[1] << 8; 555 buf_len |= payload[1] << 8;
556 buf_len |= payload[2] << 16;
557
558 if (buf_len > blksz * num_blocks) {
559 BT_ERR("Skip incorrect packet: hdrlen %d buffer %d",
560 buf_len, blksz * num_blocks);
561 ret = -EIO;
562 goto exit;
563 }
564
557 type = payload[3]; 565 type = payload[3];
558 566
559 switch (type) { 567 switch (type) {
@@ -589,8 +597,7 @@ static int btmrvl_sdio_card_to_host(struct btmrvl_private *priv)
589 597
590 default: 598 default:
591 BT_ERR("Unknown packet type:%d", type); 599 BT_ERR("Unknown packet type:%d", type);
592 print_hex_dump_bytes("", DUMP_PREFIX_OFFSET, payload, 600 BT_ERR("hex: %*ph", blksz * num_blocks, payload);
593 blksz * buf_block_len);
594 601
595 kfree_skb(skb); 602 kfree_skb(skb);
596 skb = NULL; 603 skb = NULL;
@@ -849,8 +856,7 @@ static int btmrvl_sdio_host_to_card(struct btmrvl_private *priv,
849 if (ret < 0) { 856 if (ret < 0) {
850 i++; 857 i++;
851 BT_ERR("i=%d writesb failed: %d", i, ret); 858 BT_ERR("i=%d writesb failed: %d", i, ret);
852 print_hex_dump_bytes("", DUMP_PREFIX_OFFSET, 859 BT_ERR("hex: %*ph", nb, payload);
853 payload, nb);
854 ret = -EIO; 860 ret = -EIO;
855 if (i > MAX_WRITE_IOMEM_RETRY) 861 if (i > MAX_WRITE_IOMEM_RETRY)
856 goto exit; 862 goto exit;
generated by cgit v1.2.2 (git 2.25.0) at 2024-12-28 02:31:19 -0500