Commit 4ce6fa01 authored by Nick Dyer's avatar Nick Dyer Committed by Dmitry Torokhov

Input: atmel_mxt_ts - calculate and check CRC in config file

By validating the checksum, we can identify if the configuration is
corrupt.  In addition, this patch writes the configuration in a short
series of block writes rather than as many individual values.
Signed-off-by: default avatarNick Dyer <nick.dyer@itdev.co.uk>
Acked-by: default avatarBenson Leung <bleung@chromium.org>
Acked-by: default avatarYufeng Shen <miletus@chromium.org>
Signed-off-by: default avatarDmitry Torokhov <dmitry.torokhov@gmail.com>
parent 50a77c65
...@@ -48,6 +48,8 @@ ...@@ -48,6 +48,8 @@
#define MXT_OBJECT_START 0x07 #define MXT_OBJECT_START 0x07
#define MXT_OBJECT_SIZE 6 #define MXT_OBJECT_SIZE 6
#define MXT_INFO_CHECKSUM_SIZE 3
#define MXT_MAX_BLOCK_WRITE 256
/* Object types */ /* Object types */
#define MXT_DEBUG_DIAGNOSTIC_T37 37 #define MXT_DEBUG_DIAGNOSTIC_T37 37
...@@ -238,12 +240,15 @@ struct mxt_data { ...@@ -238,12 +240,15 @@ struct mxt_data {
unsigned int max_x; unsigned int max_x;
unsigned int max_y; unsigned int max_y;
bool in_bootloader; bool in_bootloader;
u16 mem_size;
u32 config_crc; u32 config_crc;
u32 info_crc;
u8 bootloader_addr; u8 bootloader_addr;
/* Cached parameters from object table */ /* Cached parameters from object table */
u8 T6_reportid; u8 T6_reportid;
u16 T6_address; u16 T6_address;
u16 T7_address;
u8 T9_reportid_min; u8 T9_reportid_min;
u8 T9_reportid_max; u8 T9_reportid_max;
u8 T19_reportid; u8 T19_reportid;
...@@ -849,6 +854,45 @@ static void mxt_update_crc(struct mxt_data *data, u8 cmd, u8 value) ...@@ -849,6 +854,45 @@ static void mxt_update_crc(struct mxt_data *data, u8 cmd, u8 value)
mxt_wait_for_completion(data, &data->crc_completion, MXT_CRC_TIMEOUT); mxt_wait_for_completion(data, &data->crc_completion, MXT_CRC_TIMEOUT);
} }
static void mxt_calc_crc24(u32 *crc, u8 firstbyte, u8 secondbyte)
{
static const unsigned int crcpoly = 0x80001B;
u32 result;
u32 data_word;
data_word = (secondbyte << 8) | firstbyte;
result = ((*crc << 1) ^ data_word);
if (result & 0x1000000)
result ^= crcpoly;
*crc = result;
}
static u32 mxt_calculate_crc(u8 *base, off_t start_off, off_t end_off)
{
u32 crc = 0;
u8 *ptr = base + start_off;
u8 *last_val = base + end_off - 1;
if (end_off < start_off)
return -EINVAL;
while (ptr < last_val) {
mxt_calc_crc24(&crc, *ptr, *(ptr + 1));
ptr += 2;
}
/* if len is odd, fill the last byte with 0 */
if (ptr == last_val)
mxt_calc_crc24(&crc, *ptr, 0);
/* Mask to 24-bit */
crc &= 0x00FFFFFF;
return crc;
}
/* /*
* mxt_update_cfg - download configuration to chip * mxt_update_cfg - download configuration to chip
* *
...@@ -875,9 +919,13 @@ static int mxt_update_cfg(struct mxt_data *data, const struct firmware *cfg) ...@@ -875,9 +919,13 @@ static int mxt_update_cfg(struct mxt_data *data, const struct firmware *cfg)
struct mxt_object *object; struct mxt_object *object;
int ret; int ret;
int offset; int offset;
int pos; int data_pos;
int byte_offset;
int i; int i;
u32 info_crc, config_crc; int cfg_start_ofs;
u32 info_crc, config_crc, calculated_crc;
u8 *config_mem;
size_t config_mem_size;
unsigned int type, instance, size; unsigned int type, instance, size;
u8 val; u8 val;
u16 reg; u16 reg;
...@@ -890,11 +938,11 @@ static int mxt_update_cfg(struct mxt_data *data, const struct firmware *cfg) ...@@ -890,11 +938,11 @@ static int mxt_update_cfg(struct mxt_data *data, const struct firmware *cfg)
goto release; goto release;
} }
pos = strlen(MXT_CFG_MAGIC); data_pos = strlen(MXT_CFG_MAGIC);
/* Load information block and check */ /* Load information block and check */
for (i = 0; i < sizeof(struct mxt_info); i++) { for (i = 0; i < sizeof(struct mxt_info); i++) {
ret = sscanf(cfg->data + pos, "%hhx%n", ret = sscanf(cfg->data + data_pos, "%hhx%n",
(unsigned char *)&cfg_info + i, (unsigned char *)&cfg_info + i,
&offset); &offset);
if (ret != 1) { if (ret != 1) {
...@@ -903,7 +951,7 @@ static int mxt_update_cfg(struct mxt_data *data, const struct firmware *cfg) ...@@ -903,7 +951,7 @@ static int mxt_update_cfg(struct mxt_data *data, const struct firmware *cfg)
goto release; goto release;
} }
pos += offset; data_pos += offset;
} }
if (cfg_info.family_id != data->info.family_id) { if (cfg_info.family_id != data->info.family_id) {
...@@ -918,125 +966,188 @@ static int mxt_update_cfg(struct mxt_data *data, const struct firmware *cfg) ...@@ -918,125 +966,188 @@ static int mxt_update_cfg(struct mxt_data *data, const struct firmware *cfg)
goto release; goto release;
} }
if (cfg_info.version != data->info.version) /* Read CRCs */
dev_err(dev, "Warning: version mismatch!\n"); ret = sscanf(cfg->data + data_pos, "%x%n", &info_crc, &offset);
if (cfg_info.build != data->info.build)
dev_err(dev, "Warning: build num mismatch!\n");
ret = sscanf(cfg->data + pos, "%x%n", &info_crc, &offset);
if (ret != 1) { if (ret != 1) {
dev_err(dev, "Bad format: failed to parse Info CRC\n"); dev_err(dev, "Bad format: failed to parse Info CRC\n");
ret = -EINVAL; ret = -EINVAL;
goto release; goto release;
} }
pos += offset; data_pos += offset;
/* Check config CRC */ ret = sscanf(cfg->data + data_pos, "%x%n", &config_crc, &offset);
ret = sscanf(cfg->data + pos, "%x%n", &config_crc, &offset);
if (ret != 1) { if (ret != 1) {
dev_err(dev, "Bad format: failed to parse Config CRC\n"); dev_err(dev, "Bad format: failed to parse Config CRC\n");
ret = -EINVAL; ret = -EINVAL;
goto release; goto release;
} }
pos += offset; data_pos += offset;
if (data->config_crc == config_crc) { /*
dev_dbg(dev, "Config CRC 0x%06X: OK\n", config_crc); * The Info Block CRC is calculated over mxt_info and the object
ret = 0; * table. If it does not match then we are trying to load the
goto release; * configuration from a different chip or firmware version, so
* the configuration CRC is invalid anyway.
*/
if (info_crc == data->info_crc) {
if (config_crc == 0 || data->config_crc == 0) {
dev_info(dev, "CRC zero, attempting to apply config\n");
} else if (config_crc == data->config_crc) {
dev_dbg(dev, "Config CRC 0x%06X: OK\n",
data->config_crc);
ret = 0;
goto release;
} else {
dev_info(dev, "Config CRC 0x%06X: does not match file 0x%06X\n",
data->config_crc, config_crc);
}
} else {
dev_warn(dev,
"Warning: Info CRC error - device=0x%06X file=0x%06X\n",
data->info_crc, info_crc);
} }
dev_info(dev, "Config CRC 0x%06X: does not match file 0x%06X\n", /* Malloc memory to store configuration */
data->config_crc, config_crc); cfg_start_ofs = MXT_OBJECT_START +
data->info.object_num * sizeof(struct mxt_object) +
MXT_INFO_CHECKSUM_SIZE;
config_mem_size = data->mem_size - cfg_start_ofs;
config_mem = kzalloc(config_mem_size, GFP_KERNEL);
if (!config_mem) {
dev_err(dev, "Failed to allocate memory\n");
ret = -ENOMEM;
goto release;
}
while (pos < cfg->size) { while (data_pos < cfg->size) {
/* Read type, instance, length */ /* Read type, instance, length */
ret = sscanf(cfg->data + pos, "%x %x %x%n", ret = sscanf(cfg->data + data_pos, "%x %x %x%n",
&type, &instance, &size, &offset); &type, &instance, &size, &offset);
if (ret == 0) { if (ret == 0) {
/* EOF */ /* EOF */
ret = 1; break;
goto release;
} else if (ret != 3) { } else if (ret != 3) {
dev_err(dev, "Bad format: failed to parse object\n"); dev_err(dev, "Bad format: failed to parse object\n");
ret = -EINVAL; ret = -EINVAL;
goto release; goto release_mem;
} }
pos += offset; data_pos += offset;
object = mxt_get_object(data, type); object = mxt_get_object(data, type);
if (!object) { if (!object) {
/* Skip object */ /* Skip object */
for (i = 0; i < size; i++) { for (i = 0; i < size; i++) {
ret = sscanf(cfg->data + pos, "%hhx%n", ret = sscanf(cfg->data + data_pos, "%hhx%n",
&val, &val,
&offset); &offset);
pos += offset; data_pos += offset;
} }
continue; continue;
} }
if (size > mxt_obj_size(object)) { if (size > mxt_obj_size(object)) {
dev_err(dev, "Discarding %zu byte(s) in T%u\n", /*
size - mxt_obj_size(object), type); * Either we are in fallback mode due to wrong
* config or config from a later fw version,
* or the file is corrupt or hand-edited.
*/
dev_warn(dev, "Discarding %zu byte(s) in T%u\n",
size - mxt_obj_size(object), type);
} else if (mxt_obj_size(object) > size) {
/*
* If firmware is upgraded, new bytes may be added to
* end of objects. It is generally forward compatible
* to zero these bytes - previous behaviour will be
* retained. However this does invalidate the CRC and
* will force fallback mode until the configuration is
* updated. We warn here but do nothing else - the
* malloc has zeroed the entire configuration.
*/
dev_warn(dev, "Zeroing %zu byte(s) in T%d\n",
mxt_obj_size(object) - size, type);
} }
if (instance >= mxt_obj_instances(object)) { if (instance >= mxt_obj_instances(object)) {
dev_err(dev, "Object instances exceeded!\n"); dev_err(dev, "Object instances exceeded!\n");
ret = -EINVAL; ret = -EINVAL;
goto release; goto release_mem;
} }
reg = object->start_address + mxt_obj_size(object) * instance; reg = object->start_address + mxt_obj_size(object) * instance;
for (i = 0; i < size; i++) { for (i = 0; i < size; i++) {
ret = sscanf(cfg->data + pos, "%hhx%n", ret = sscanf(cfg->data + data_pos, "%hhx%n",
&val, &val,
&offset); &offset);
if (ret != 1) { if (ret != 1) {
dev_err(dev, "Bad format in T%d\n", type); dev_err(dev, "Bad format in T%d\n", type);
ret = -EINVAL; ret = -EINVAL;
goto release; goto release_mem;
} }
pos += offset; data_pos += offset;
if (i > mxt_obj_size(object)) if (i > mxt_obj_size(object))
continue; continue;
ret = mxt_write_reg(data->client, reg + i, val); byte_offset = reg + i - cfg_start_ofs;
if (ret)
goto release;
if ((byte_offset >= 0)
&& (byte_offset <= config_mem_size)) {
*(config_mem + byte_offset) = val;
} else {
dev_err(dev, "Bad object: reg:%d, T%d, ofs=%d\n",
reg, object->type, byte_offset);
ret = -EINVAL;
goto release_mem;
}
} }
}
/* /* Calculate crc of the received configs (not the raw config file) */
* If firmware is upgraded, new bytes may be added to end of if (data->T7_address < cfg_start_ofs) {
* objects. It is generally forward compatible to zero these dev_err(dev, "Bad T7 address, T7addr = %x, config offset %x\n",
* bytes - previous behaviour will be retained. However data->T7_address, cfg_start_ofs);
* this does invalidate the CRC and will force a config ret = 0;
* download every time until the configuration is updated. goto release_mem;
*/ }
if (size < mxt_obj_size(object)) {
dev_info(dev, "Zeroing %zu byte(s) in T%d\n",
mxt_obj_size(object) - size, type);
for (i = size + 1; i < mxt_obj_size(object); i++) { calculated_crc = mxt_calculate_crc(config_mem,
ret = mxt_write_reg(data->client, reg + i, 0); data->T7_address - cfg_start_ofs,
if (ret) config_mem_size);
goto release;
} if (config_crc > 0 && (config_crc != calculated_crc))
dev_warn(dev, "Config CRC error, calculated=%06X, file=%06X\n",
calculated_crc, config_crc);
/* Write configuration as blocks */
byte_offset = 0;
while (byte_offset < config_mem_size) {
size = config_mem_size - byte_offset;
if (size > MXT_MAX_BLOCK_WRITE)
size = MXT_MAX_BLOCK_WRITE;
ret = __mxt_write_reg(data->client,
cfg_start_ofs + byte_offset,
size, config_mem + byte_offset);
if (ret != 0) {
dev_err(dev, "Config write error, ret=%d\n", ret);
goto release_mem;
} }
byte_offset += size;
} }
mxt_update_crc(data, MXT_COMMAND_BACKUPNV, MXT_BACKUP_VALUE); mxt_update_crc(data, MXT_COMMAND_BACKUPNV, MXT_BACKUP_VALUE);
ret = mxt_soft_reset(data); ret = mxt_soft_reset(data);
if (ret) if (ret)
goto release; goto release_mem;
dev_info(dev, "Config successfully updated\n"); dev_info(dev, "Config successfully updated\n");
release_mem:
kfree(config_mem);
release: release:
release_firmware(cfg); release_firmware(cfg);
return ret; return ret;
...@@ -1099,6 +1210,7 @@ static int mxt_get_object_table(struct mxt_data *data) ...@@ -1099,6 +1210,7 @@ static int mxt_get_object_table(struct mxt_data *data)
int error; int error;
int i; int i;
u8 reportid; u8 reportid;
u16 end_address;
table_size = data->info.object_num * sizeof(struct mxt_object); table_size = data->info.object_num * sizeof(struct mxt_object);
object_table = kzalloc(table_size, GFP_KERNEL); object_table = kzalloc(table_size, GFP_KERNEL);
...@@ -1116,6 +1228,7 @@ static int mxt_get_object_table(struct mxt_data *data) ...@@ -1116,6 +1228,7 @@ static int mxt_get_object_table(struct mxt_data *data)
/* Valid Report IDs start counting from 1 */ /* Valid Report IDs start counting from 1 */
reportid = 1; reportid = 1;
data->mem_size = 0;
for (i = 0; i < data->info.object_num; i++) { for (i = 0; i < data->info.object_num; i++) {
struct mxt_object *object = object_table + i; struct mxt_object *object = object_table + i;
u8 min_id, max_id; u8 min_id, max_id;
...@@ -1143,6 +1256,9 @@ static int mxt_get_object_table(struct mxt_data *data) ...@@ -1143,6 +1256,9 @@ static int mxt_get_object_table(struct mxt_data *data)
data->T6_reportid = min_id; data->T6_reportid = min_id;
data->T6_address = object->start_address; data->T6_address = object->start_address;
break; break;
case MXT_GEN_POWER_T7:
data->T7_address = object->start_address;
break;
case MXT_TOUCH_MULTI_T9: case MXT_TOUCH_MULTI_T9:
data->T9_reportid_min = min_id; data->T9_reportid_min = min_id;
data->T9_reportid_max = max_id; data->T9_reportid_max = max_id;
...@@ -1151,6 +1267,12 @@ static int mxt_get_object_table(struct mxt_data *data) ...@@ -1151,6 +1267,12 @@ static int mxt_get_object_table(struct mxt_data *data)
data->T19_reportid = min_id; data->T19_reportid = min_id;
break; break;
} }
end_address = object->start_address
+ mxt_obj_size(object) * mxt_obj_instances(object) - 1;
if (end_address >= data->mem_size)
data->mem_size = end_address + 1;
} }
data->object_table = object_table; data->object_table = object_table;
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment