diff options
Diffstat (limited to 'drivers/firmware/sigma.c')
-rw-r--r-- | drivers/firmware/sigma.c | 81 |
1 files changed, 58 insertions, 23 deletions
diff --git a/drivers/firmware/sigma.c b/drivers/firmware/sigma.c index f10fc521951b..1eedb6f7fdab 100644 --- a/drivers/firmware/sigma.c +++ b/drivers/firmware/sigma.c | |||
@@ -14,13 +14,34 @@ | |||
14 | #include <linux/module.h> | 14 | #include <linux/module.h> |
15 | #include <linux/sigma.h> | 15 | #include <linux/sigma.h> |
16 | 16 | ||
17 | /* Return: 0==OK, <0==error, =1 ==no more actions */ | 17 | static size_t sigma_action_size(struct sigma_action *sa) |
18 | { | ||
19 | size_t payload = 0; | ||
20 | |||
21 | switch (sa->instr) { | ||
22 | case SIGMA_ACTION_WRITEXBYTES: | ||
23 | case SIGMA_ACTION_WRITESINGLE: | ||
24 | case SIGMA_ACTION_WRITESAFELOAD: | ||
25 | payload = sigma_action_len(sa); | ||
26 | break; | ||
27 | default: | ||
28 | break; | ||
29 | } | ||
30 | |||
31 | payload = ALIGN(payload, 2); | ||
32 | |||
33 | return payload + sizeof(struct sigma_action); | ||
34 | } | ||
35 | |||
36 | /* | ||
37 | * Returns a negative error value in case of an error, 0 if processing of | ||
38 | * the firmware should be stopped after this action, 1 otherwise. | ||
39 | */ | ||
18 | static int | 40 | static int |
19 | process_sigma_action(struct i2c_client *client, struct sigma_firmware *ssfw) | 41 | process_sigma_action(struct i2c_client *client, struct sigma_action *sa) |
20 | { | 42 | { |
21 | struct sigma_action *sa = (void *)(ssfw->fw->data + ssfw->pos); | ||
22 | size_t len = sigma_action_len(sa); | 43 | size_t len = sigma_action_len(sa); |
23 | int ret = 0; | 44 | int ret; |
24 | 45 | ||
25 | pr_debug("%s: instr:%i addr:%#x len:%zu\n", __func__, | 46 | pr_debug("%s: instr:%i addr:%#x len:%zu\n", __func__, |
26 | sa->instr, sa->addr, len); | 47 | sa->instr, sa->addr, len); |
@@ -29,44 +50,50 @@ process_sigma_action(struct i2c_client *client, struct sigma_firmware *ssfw) | |||
29 | case SIGMA_ACTION_WRITEXBYTES: | 50 | case SIGMA_ACTION_WRITEXBYTES: |
30 | case SIGMA_ACTION_WRITESINGLE: | 51 | case SIGMA_ACTION_WRITESINGLE: |
31 | case SIGMA_ACTION_WRITESAFELOAD: | 52 | case SIGMA_ACTION_WRITESAFELOAD: |
32 | if (ssfw->fw->size < ssfw->pos + len) | ||
33 | return -EINVAL; | ||
34 | ret = i2c_master_send(client, (void *)&sa->addr, len); | 53 | ret = i2c_master_send(client, (void *)&sa->addr, len); |
35 | if (ret < 0) | 54 | if (ret < 0) |
36 | return -EINVAL; | 55 | return -EINVAL; |
37 | break; | 56 | break; |
38 | |||
39 | case SIGMA_ACTION_DELAY: | 57 | case SIGMA_ACTION_DELAY: |
40 | ret = 0; | ||
41 | udelay(len); | 58 | udelay(len); |
42 | len = 0; | 59 | len = 0; |
43 | break; | 60 | break; |
44 | |||
45 | case SIGMA_ACTION_END: | 61 | case SIGMA_ACTION_END: |
46 | return 1; | 62 | return 0; |
47 | |||
48 | default: | 63 | default: |
49 | return -EINVAL; | 64 | return -EINVAL; |
50 | } | 65 | } |
51 | 66 | ||
52 | /* when arrive here ret=0 or sent data */ | 67 | return 1; |
53 | ssfw->pos += sigma_action_size(sa, len); | ||
54 | return ssfw->pos == ssfw->fw->size; | ||
55 | } | 68 | } |
56 | 69 | ||
57 | static int | 70 | static int |
58 | process_sigma_actions(struct i2c_client *client, struct sigma_firmware *ssfw) | 71 | process_sigma_actions(struct i2c_client *client, struct sigma_firmware *ssfw) |
59 | { | 72 | { |
60 | pr_debug("%s: processing %p\n", __func__, ssfw); | 73 | struct sigma_action *sa; |
74 | size_t size; | ||
75 | int ret; | ||
76 | |||
77 | while (ssfw->pos + sizeof(*sa) <= ssfw->fw->size) { | ||
78 | sa = (struct sigma_action *)(ssfw->fw->data + ssfw->pos); | ||
79 | |||
80 | size = sigma_action_size(sa); | ||
81 | ssfw->pos += size; | ||
82 | if (ssfw->pos > ssfw->fw->size || size == 0) | ||
83 | break; | ||
84 | |||
85 | ret = process_sigma_action(client, sa); | ||
61 | 86 | ||
62 | while (1) { | ||
63 | int ret = process_sigma_action(client, ssfw); | ||
64 | pr_debug("%s: action returned %i\n", __func__, ret); | 87 | pr_debug("%s: action returned %i\n", __func__, ret); |
65 | if (ret == 1) | 88 | |
66 | return 0; | 89 | if (ret <= 0) |
67 | else if (ret) | ||
68 | return ret; | 90 | return ret; |
69 | } | 91 | } |
92 | |||
93 | if (ssfw->pos != ssfw->fw->size) | ||
94 | return -EINVAL; | ||
95 | |||
96 | return 0; | ||
70 | } | 97 | } |
71 | 98 | ||
72 | int process_sigma_firmware(struct i2c_client *client, const char *name) | 99 | int process_sigma_firmware(struct i2c_client *client, const char *name) |
@@ -89,16 +116,24 @@ int process_sigma_firmware(struct i2c_client *client, const char *name) | |||
89 | 116 | ||
90 | /* then verify the header */ | 117 | /* then verify the header */ |
91 | ret = -EINVAL; | 118 | ret = -EINVAL; |
92 | if (fw->size < sizeof(*ssfw_head)) | 119 | |
120 | /* | ||
121 | * Reject too small or unreasonable large files. The upper limit has been | ||
122 | * chosen a bit arbitrarily, but it should be enough for all practical | ||
123 | * purposes and having the limit makes it easier to avoid integer | ||
124 | * overflows later in the loading process. | ||
125 | */ | ||
126 | if (fw->size < sizeof(*ssfw_head) || fw->size >= 0x4000000) | ||
93 | goto done; | 127 | goto done; |
94 | 128 | ||
95 | ssfw_head = (void *)fw->data; | 129 | ssfw_head = (void *)fw->data; |
96 | if (memcmp(ssfw_head->magic, SIGMA_MAGIC, ARRAY_SIZE(ssfw_head->magic))) | 130 | if (memcmp(ssfw_head->magic, SIGMA_MAGIC, ARRAY_SIZE(ssfw_head->magic))) |
97 | goto done; | 131 | goto done; |
98 | 132 | ||
99 | crc = crc32(0, fw->data, fw->size); | 133 | crc = crc32(0, fw->data + sizeof(*ssfw_head), |
134 | fw->size - sizeof(*ssfw_head)); | ||
100 | pr_debug("%s: crc=%x\n", __func__, crc); | 135 | pr_debug("%s: crc=%x\n", __func__, crc); |
101 | if (crc != ssfw_head->crc) | 136 | if (crc != le32_to_cpu(ssfw_head->crc)) |
102 | goto done; | 137 | goto done; |
103 | 138 | ||
104 | ssfw.pos = sizeof(*ssfw_head); | 139 | ssfw.pos = sizeof(*ssfw_head); |