xref: /linux/drivers/usb/storage/sddr09.c (revision 2b64b2ed277ff23e785fbdb65098ee7e1252d64f)
1 // SPDX-License-Identifier: GPL-2.0+
2 /*
3  * Driver for SanDisk SDDR-09 SmartMedia reader
4  *
5  *   (c) 2000, 2001 Robert Baruch (autophile@starband.net)
6  *   (c) 2002 Andries Brouwer (aeb@cwi.nl)
7  * Developed with the assistance of:
8  *   (c) 2002 Alan Stern <stern@rowland.org>
9  *
10  * The SanDisk SDDR-09 SmartMedia reader uses the Shuttle EUSB-01 chip.
11  * This chip is a programmable USB controller. In the SDDR-09, it has
12  * been programmed to obey a certain limited set of SCSI commands.
13  * This driver translates the "real" SCSI commands to the SDDR-09 SCSI
14  * commands.
15  */
16 
17 /*
18  * Known vendor commands: 12 bytes, first byte is opcode
19  *
20  * E7: read scatter gather
21  * E8: read
22  * E9: write
23  * EA: erase
24  * EB: reset
25  * EC: read status
26  * ED: read ID
27  * EE: write CIS (?)
28  * EF: compute checksum (?)
29  */
30 
31 #include <linux/errno.h>
32 #include <linux/module.h>
33 #include <linux/slab.h>
34 
35 #include <scsi/scsi.h>
36 #include <scsi/scsi_cmnd.h>
37 #include <scsi/scsi_device.h>
38 
39 #include "usb.h"
40 #include "transport.h"
41 #include "protocol.h"
42 #include "debug.h"
43 #include "scsiglue.h"
44 
45 #define DRV_NAME "ums-sddr09"
46 
47 MODULE_DESCRIPTION("Driver for SanDisk SDDR-09 SmartMedia reader");
48 MODULE_AUTHOR("Andries Brouwer <aeb@cwi.nl>, Robert Baruch <autophile@starband.net>");
49 MODULE_LICENSE("GPL");
50 
51 static int usb_stor_sddr09_dpcm_init(struct us_data *us);
52 static int sddr09_transport(struct scsi_cmnd *srb, struct us_data *us);
53 static int usb_stor_sddr09_init(struct us_data *us);
54 
55 
56 /*
57  * The table of devices
58  */
59 #define UNUSUAL_DEV(id_vendor, id_product, bcdDeviceMin, bcdDeviceMax, \
60 		    vendorName, productName, useProtocol, useTransport, \
61 		    initFunction, flags) \
62 { USB_DEVICE_VER(id_vendor, id_product, bcdDeviceMin, bcdDeviceMax), \
63   .driver_info = (flags) }
64 
65 static struct usb_device_id sddr09_usb_ids[] = {
66 #	include "unusual_sddr09.h"
67 	{ }		/* Terminating entry */
68 };
69 MODULE_DEVICE_TABLE(usb, sddr09_usb_ids);
70 
71 #undef UNUSUAL_DEV
72 
73 /*
74  * The flags table
75  */
76 #define UNUSUAL_DEV(idVendor, idProduct, bcdDeviceMin, bcdDeviceMax, \
77 		    vendor_name, product_name, use_protocol, use_transport, \
78 		    init_function, Flags) \
79 { \
80 	.vendorName = vendor_name,	\
81 	.productName = product_name,	\
82 	.useProtocol = use_protocol,	\
83 	.useTransport = use_transport,	\
84 	.initFunction = init_function,	\
85 }
86 
87 static struct us_unusual_dev sddr09_unusual_dev_list[] = {
88 #	include "unusual_sddr09.h"
89 	{ }		/* Terminating entry */
90 };
91 
92 #undef UNUSUAL_DEV
93 
94 
95 #define short_pack(lsb,msb) ( ((u16)(lsb)) | ( ((u16)(msb))<<8 ) )
96 #define LSB_of(s) ((s)&0xFF)
97 #define MSB_of(s) ((s)>>8)
98 
99 /*
100  * First some stuff that does not belong here:
101  * data on SmartMedia and other cards, completely
102  * unrelated to this driver.
103  * Similar stuff occurs in <linux/mtd/nand_ids.h>.
104  */
105 
106 struct nand_flash_dev {
107 	int model_id;
108 	int chipshift;		/* 1<<cs bytes total capacity */
109 	char pageshift;		/* 1<<ps bytes in a page */
110 	char blockshift;	/* 1<<bs pages in an erase block */
111 	char zoneshift;		/* 1<<zs blocks in a zone */
112 				/* # of logical blocks is 125/128 of this */
113 	char pageadrlen;	/* length of an address in bytes - 1 */
114 };
115 
116 /*
117  * NAND Flash Manufacturer ID Codes
118  */
119 #define NAND_MFR_AMD		0x01
120 #define NAND_MFR_NATSEMI	0x8f
121 #define NAND_MFR_TOSHIBA	0x98
122 #define NAND_MFR_SAMSUNG	0xec
123 
124 static inline char *nand_flash_manufacturer(int manuf_id) {
125 	switch(manuf_id) {
126 	case NAND_MFR_AMD:
127 		return "AMD";
128 	case NAND_MFR_NATSEMI:
129 		return "NATSEMI";
130 	case NAND_MFR_TOSHIBA:
131 		return "Toshiba";
132 	case NAND_MFR_SAMSUNG:
133 		return "Samsung";
134 	default:
135 		return "unknown";
136 	}
137 }
138 
139 /*
140  * It looks like it is unnecessary to attach manufacturer to the
141  * remaining data: SSFDC prescribes manufacturer-independent id codes.
142  *
143  * 256 MB NAND flash has a 5-byte ID with 2nd byte 0xaa, 0xba, 0xca or 0xda.
144  */
145 
146 static struct nand_flash_dev nand_flash_ids[] = {
147 	/* NAND flash */
148 	{ 0x6e, 20, 8, 4, 8, 2},	/* 1 MB */
149 	{ 0xe8, 20, 8, 4, 8, 2},	/* 1 MB */
150 	{ 0xec, 20, 8, 4, 8, 2},	/* 1 MB */
151 	{ 0x64, 21, 8, 4, 9, 2}, 	/* 2 MB */
152 	{ 0xea, 21, 8, 4, 9, 2},	/* 2 MB */
153 	{ 0x6b, 22, 9, 4, 9, 2},	/* 4 MB */
154 	{ 0xe3, 22, 9, 4, 9, 2},	/* 4 MB */
155 	{ 0xe5, 22, 9, 4, 9, 2},	/* 4 MB */
156 	{ 0xe6, 23, 9, 4, 10, 2},	/* 8 MB */
157 	{ 0x73, 24, 9, 5, 10, 2},	/* 16 MB */
158 	{ 0x75, 25, 9, 5, 10, 2},	/* 32 MB */
159 	{ 0x76, 26, 9, 5, 10, 3},	/* 64 MB */
160 	{ 0x79, 27, 9, 5, 10, 3},	/* 128 MB */
161 
162 	/* MASK ROM */
163 	{ 0x5d, 21, 9, 4, 8, 2},	/* 2 MB */
164 	{ 0xd5, 22, 9, 4, 9, 2},	/* 4 MB */
165 	{ 0xd6, 23, 9, 4, 10, 2},	/* 8 MB */
166 	{ 0x57, 24, 9, 4, 11, 2},	/* 16 MB */
167 	{ 0x58, 25, 9, 4, 12, 2},	/* 32 MB */
168 	{ 0,}
169 };
170 
171 static struct nand_flash_dev *
172 nand_find_id(unsigned char id) {
173 	int i;
174 
175 	for (i = 0; i < ARRAY_SIZE(nand_flash_ids); i++)
176 		if (nand_flash_ids[i].model_id == id)
177 			return &(nand_flash_ids[i]);
178 	return NULL;
179 }
180 
181 /*
182  * ECC computation.
183  */
184 static unsigned char parity[256];
185 static unsigned char ecc2[256];
186 
187 static void nand_init_ecc(void) {
188 	int i, j, a;
189 
190 	parity[0] = 0;
191 	for (i = 1; i < 256; i++)
192 		parity[i] = (parity[i&(i-1)] ^ 1);
193 
194 	for (i = 0; i < 256; i++) {
195 		a = 0;
196 		for (j = 0; j < 8; j++) {
197 			if (i & (1<<j)) {
198 				if ((j & 1) == 0)
199 					a ^= 0x04;
200 				if ((j & 2) == 0)
201 					a ^= 0x10;
202 				if ((j & 4) == 0)
203 					a ^= 0x40;
204 			}
205 		}
206 		ecc2[i] = ~(a ^ (a<<1) ^ (parity[i] ? 0xa8 : 0));
207 	}
208 }
209 
210 /* compute 3-byte ecc on 256 bytes */
211 static void nand_compute_ecc(unsigned char *data, unsigned char *ecc) {
212 	int i, j, a;
213 	unsigned char par = 0, bit, bits[8] = {0};
214 
215 	/* collect 16 checksum bits */
216 	for (i = 0; i < 256; i++) {
217 		par ^= data[i];
218 		bit = parity[data[i]];
219 		for (j = 0; j < 8; j++)
220 			if ((i & (1<<j)) == 0)
221 				bits[j] ^= bit;
222 	}
223 
224 	/* put 4+4+4 = 12 bits in the ecc */
225 	a = (bits[3] << 6) + (bits[2] << 4) + (bits[1] << 2) + bits[0];
226 	ecc[0] = ~(a ^ (a<<1) ^ (parity[par] ? 0xaa : 0));
227 
228 	a = (bits[7] << 6) + (bits[6] << 4) + (bits[5] << 2) + bits[4];
229 	ecc[1] = ~(a ^ (a<<1) ^ (parity[par] ? 0xaa : 0));
230 
231 	ecc[2] = ecc2[par];
232 }
233 
234 static int nand_compare_ecc(unsigned char *data, unsigned char *ecc) {
235 	return (data[0] == ecc[0] && data[1] == ecc[1] && data[2] == ecc[2]);
236 }
237 
238 static void nand_store_ecc(unsigned char *data, unsigned char *ecc) {
239 	memcpy(data, ecc, 3);
240 }
241 
242 /*
243  * The actual driver starts here.
244  */
245 
246 struct sddr09_card_info {
247 	unsigned long	capacity;	/* Size of card in bytes */
248 	int		pagesize;	/* Size of page in bytes */
249 	int		pageshift;	/* log2 of pagesize */
250 	int		blocksize;	/* Size of block in pages */
251 	int		blockshift;	/* log2 of blocksize */
252 	int		blockmask;	/* 2^blockshift - 1 */
253 	int		*lba_to_pba;	/* logical to physical map */
254 	int		*pba_to_lba;	/* physical to logical map */
255 	int		lbact;		/* number of available pages */
256 	int		flags;
257 #define	SDDR09_WP	1		/* write protected */
258 };
259 
260 /*
261  * On my 16MB card, control blocks have size 64 (16 real control bytes,
262  * and 48 junk bytes). In reality of course the card uses 16 control bytes,
263  * so the reader makes up the remaining 48. Don't know whether these numbers
264  * depend on the card. For now a constant.
265  */
266 #define CONTROL_SHIFT 6
267 
268 /*
269  * On my Combo CF/SM reader, the SM reader has LUN 1.
270  * (and things fail with LUN 0).
271  * It seems LUN is irrelevant for others.
272  */
273 #define LUN	1
274 #define	LUNBITS	(LUN << 5)
275 
276 /*
277  * LBA and PBA are unsigned ints. Special values.
278  */
279 #define UNDEF    0xffffffff
280 #define SPARE    0xfffffffe
281 #define UNUSABLE 0xfffffffd
282 
283 static const int erase_bad_lba_entries = 0;
284 
285 /* send vendor interface command (0x41) */
286 /* called for requests 0, 1, 8 */
287 static int
288 sddr09_send_command(struct us_data *us,
289 		    unsigned char request,
290 		    unsigned char direction,
291 		    unsigned char *xfer_data,
292 		    unsigned int xfer_len) {
293 	unsigned int pipe;
294 	unsigned char requesttype = (0x41 | direction);
295 	int rc;
296 
297 	// Get the receive or send control pipe number
298 
299 	if (direction == USB_DIR_IN)
300 		pipe = us->recv_ctrl_pipe;
301 	else
302 		pipe = us->send_ctrl_pipe;
303 
304 	rc = usb_stor_ctrl_transfer(us, pipe, request, requesttype,
305 				   0, 0, xfer_data, xfer_len);
306 	switch (rc) {
307 		case USB_STOR_XFER_GOOD:	return 0;
308 		case USB_STOR_XFER_STALLED:	return -EPIPE;
309 		default:			return -EIO;
310 	}
311 }
312 
313 static int
314 sddr09_send_scsi_command(struct us_data *us,
315 			 unsigned char *command,
316 			 unsigned int command_len) {
317 	return sddr09_send_command(us, 0, USB_DIR_OUT, command, command_len);
318 }
319 
320 #if 0
321 /*
322  * Test Unit Ready Command: 12 bytes.
323  * byte 0: opcode: 00
324  */
325 static int
326 sddr09_test_unit_ready(struct us_data *us) {
327 	unsigned char *command = us->iobuf;
328 	int result;
329 
330 	memset(command, 0, 6);
331 	command[1] = LUNBITS;
332 
333 	result = sddr09_send_scsi_command(us, command, 6);
334 
335 	usb_stor_dbg(us, "sddr09_test_unit_ready returns %d\n", result);
336 
337 	return result;
338 }
339 #endif
340 
341 /*
342  * Request Sense Command: 12 bytes.
343  * byte 0: opcode: 03
344  * byte 4: data length
345  */
346 static int
347 sddr09_request_sense(struct us_data *us, unsigned char *sensebuf, int buflen) {
348 	unsigned char *command = us->iobuf;
349 	int result;
350 
351 	memset(command, 0, 12);
352 	command[0] = 0x03;
353 	command[1] = LUNBITS;
354 	command[4] = buflen;
355 
356 	result = sddr09_send_scsi_command(us, command, 12);
357 	if (result)
358 		return result;
359 
360 	result = usb_stor_bulk_transfer_buf(us, us->recv_bulk_pipe,
361 			sensebuf, buflen, NULL);
362 	return (result == USB_STOR_XFER_GOOD ? 0 : -EIO);
363 }
364 
365 /*
366  * Read Command: 12 bytes.
367  * byte 0: opcode: E8
368  * byte 1: last two bits: 00: read data, 01: read blockwise control,
369  *			10: read both, 11: read pagewise control.
370  *	 It turns out we need values 20, 21, 22, 23 here (LUN 1).
371  * bytes 2-5: address (interpretation depends on byte 1, see below)
372  * bytes 10-11: count (idem)
373  *
374  * A page has 512 data bytes and 64 control bytes (16 control and 48 junk).
375  * A read data command gets data in 512-byte pages.
376  * A read control command gets control in 64-byte chunks.
377  * A read both command gets data+control in 576-byte chunks.
378  *
379  * Blocks are groups of 32 pages, and read blockwise control jumps to the
380  * next block, while read pagewise control jumps to the next page after
381  * reading a group of 64 control bytes.
382  * [Here 512 = 1<<pageshift, 32 = 1<<blockshift, 64 is constant?]
383  *
384  * (1 MB and 2 MB cards are a bit different, but I have only a 16 MB card.)
385  */
386 
387 static int
388 sddr09_readX(struct us_data *us, int x, unsigned long fromaddress,
389 	     int nr_of_pages, int bulklen, unsigned char *buf,
390 	     int use_sg) {
391 
392 	unsigned char *command = us->iobuf;
393 	int result;
394 
395 	command[0] = 0xE8;
396 	command[1] = LUNBITS | x;
397 	command[2] = MSB_of(fromaddress>>16);
398 	command[3] = LSB_of(fromaddress>>16);
399 	command[4] = MSB_of(fromaddress & 0xFFFF);
400 	command[5] = LSB_of(fromaddress & 0xFFFF);
401 	command[6] = 0;
402 	command[7] = 0;
403 	command[8] = 0;
404 	command[9] = 0;
405 	command[10] = MSB_of(nr_of_pages);
406 	command[11] = LSB_of(nr_of_pages);
407 
408 	result = sddr09_send_scsi_command(us, command, 12);
409 
410 	if (result) {
411 		usb_stor_dbg(us, "Result for send_control in sddr09_read2%d %d\n",
412 			     x, result);
413 		return result;
414 	}
415 
416 	result = usb_stor_bulk_transfer_sg(us, us->recv_bulk_pipe,
417 				       buf, bulklen, use_sg, NULL);
418 
419 	if (result != USB_STOR_XFER_GOOD) {
420 		usb_stor_dbg(us, "Result for bulk_transfer in sddr09_read2%d %d\n",
421 			     x, result);
422 		return -EIO;
423 	}
424 	return 0;
425 }
426 
427 /*
428  * Read Data
429  *
430  * fromaddress counts data shorts:
431  * increasing it by 256 shifts the bytestream by 512 bytes;
432  * the last 8 bits are ignored.
433  *
434  * nr_of_pages counts pages of size (1 << pageshift).
435  */
436 static int
437 sddr09_read20(struct us_data *us, unsigned long fromaddress,
438 	      int nr_of_pages, int pageshift, unsigned char *buf, int use_sg) {
439 	int bulklen = nr_of_pages << pageshift;
440 
441 	/* The last 8 bits of fromaddress are ignored. */
442 	return sddr09_readX(us, 0, fromaddress, nr_of_pages, bulklen,
443 			    buf, use_sg);
444 }
445 
446 /*
447  * Read Blockwise Control
448  *
449  * fromaddress gives the starting position (as in read data;
450  * the last 8 bits are ignored); increasing it by 32*256 shifts
451  * the output stream by 64 bytes.
452  *
453  * count counts control groups of size (1 << controlshift).
454  * For me, controlshift = 6. Is this constant?
455  *
456  * After getting one control group, jump to the next block
457  * (fromaddress += 8192).
458  */
459 static int
460 sddr09_read21(struct us_data *us, unsigned long fromaddress,
461 	      int count, int controlshift, unsigned char *buf, int use_sg) {
462 
463 	int bulklen = (count << controlshift);
464 	return sddr09_readX(us, 1, fromaddress, count, bulklen,
465 			    buf, use_sg);
466 }
467 
468 /*
469  * Read both Data and Control
470  *
471  * fromaddress counts data shorts, ignoring control:
472  * increasing it by 256 shifts the bytestream by 576 = 512+64 bytes;
473  * the last 8 bits are ignored.
474  *
475  * nr_of_pages counts pages of size (1 << pageshift) + (1 << controlshift).
476  */
477 static int
478 sddr09_read22(struct us_data *us, unsigned long fromaddress,
479 	      int nr_of_pages, int pageshift, unsigned char *buf, int use_sg) {
480 
481 	int bulklen = (nr_of_pages << pageshift) + (nr_of_pages << CONTROL_SHIFT);
482 	usb_stor_dbg(us, "reading %d pages, %d bytes\n", nr_of_pages, bulklen);
483 	return sddr09_readX(us, 2, fromaddress, nr_of_pages, bulklen,
484 			    buf, use_sg);
485 }
486 
487 #if 0
488 /*
489  * Read Pagewise Control
490  *
491  * fromaddress gives the starting position (as in read data;
492  * the last 8 bits are ignored); increasing it by 256 shifts
493  * the output stream by 64 bytes.
494  *
495  * count counts control groups of size (1 << controlshift).
496  * For me, controlshift = 6. Is this constant?
497  *
498  * After getting one control group, jump to the next page
499  * (fromaddress += 256).
500  */
501 static int
502 sddr09_read23(struct us_data *us, unsigned long fromaddress,
503 	      int count, int controlshift, unsigned char *buf, int use_sg) {
504 
505 	int bulklen = (count << controlshift);
506 	return sddr09_readX(us, 3, fromaddress, count, bulklen,
507 			    buf, use_sg);
508 }
509 #endif
510 
511 /*
512  * Erase Command: 12 bytes.
513  * byte 0: opcode: EA
514  * bytes 6-9: erase address (big-endian, counting shorts, sector aligned).
515  *
516  * Always precisely one block is erased; bytes 2-5 and 10-11 are ignored.
517  * The byte address being erased is 2*Eaddress.
518  * The CIS cannot be erased.
519  */
520 static int
521 sddr09_erase(struct us_data *us, unsigned long Eaddress) {
522 	unsigned char *command = us->iobuf;
523 	int result;
524 
525 	usb_stor_dbg(us, "erase address %lu\n", Eaddress);
526 
527 	memset(command, 0, 12);
528 	command[0] = 0xEA;
529 	command[1] = LUNBITS;
530 	command[6] = MSB_of(Eaddress>>16);
531 	command[7] = LSB_of(Eaddress>>16);
532 	command[8] = MSB_of(Eaddress & 0xFFFF);
533 	command[9] = LSB_of(Eaddress & 0xFFFF);
534 
535 	result = sddr09_send_scsi_command(us, command, 12);
536 
537 	if (result)
538 		usb_stor_dbg(us, "Result for send_control in sddr09_erase %d\n",
539 			     result);
540 
541 	return result;
542 }
543 
544 /*
545  * Write CIS Command: 12 bytes.
546  * byte 0: opcode: EE
547  * bytes 2-5: write address in shorts
548  * bytes 10-11: sector count
549  *
550  * This writes at the indicated address. Don't know how it differs
551  * from E9. Maybe it does not erase? However, it will also write to
552  * the CIS.
553  *
554  * When two such commands on the same page follow each other directly,
555  * the second one is not done.
556  */
557 
558 /*
559  * Write Command: 12 bytes.
560  * byte 0: opcode: E9
561  * bytes 2-5: write address (big-endian, counting shorts, sector aligned).
562  * bytes 6-9: erase address (big-endian, counting shorts, sector aligned).
563  * bytes 10-11: sector count (big-endian, in 512-byte sectors).
564  *
565  * If write address equals erase address, the erase is done first,
566  * otherwise the write is done first. When erase address equals zero
567  * no erase is done?
568  */
569 static int
570 sddr09_writeX(struct us_data *us,
571 	      unsigned long Waddress, unsigned long Eaddress,
572 	      int nr_of_pages, int bulklen, unsigned char *buf, int use_sg) {
573 
574 	unsigned char *command = us->iobuf;
575 	int result;
576 
577 	command[0] = 0xE9;
578 	command[1] = LUNBITS;
579 
580 	command[2] = MSB_of(Waddress>>16);
581 	command[3] = LSB_of(Waddress>>16);
582 	command[4] = MSB_of(Waddress & 0xFFFF);
583 	command[5] = LSB_of(Waddress & 0xFFFF);
584 
585 	command[6] = MSB_of(Eaddress>>16);
586 	command[7] = LSB_of(Eaddress>>16);
587 	command[8] = MSB_of(Eaddress & 0xFFFF);
588 	command[9] = LSB_of(Eaddress & 0xFFFF);
589 
590 	command[10] = MSB_of(nr_of_pages);
591 	command[11] = LSB_of(nr_of_pages);
592 
593 	result = sddr09_send_scsi_command(us, command, 12);
594 
595 	if (result) {
596 		usb_stor_dbg(us, "Result for send_control in sddr09_writeX %d\n",
597 			     result);
598 		return result;
599 	}
600 
601 	result = usb_stor_bulk_transfer_sg(us, us->send_bulk_pipe,
602 				       buf, bulklen, use_sg, NULL);
603 
604 	if (result != USB_STOR_XFER_GOOD) {
605 		usb_stor_dbg(us, "Result for bulk_transfer in sddr09_writeX %d\n",
606 			     result);
607 		return -EIO;
608 	}
609 	return 0;
610 }
611 
612 /* erase address, write same address */
613 static int
614 sddr09_write_inplace(struct us_data *us, unsigned long address,
615 		     int nr_of_pages, int pageshift, unsigned char *buf,
616 		     int use_sg) {
617 	int bulklen = (nr_of_pages << pageshift) + (nr_of_pages << CONTROL_SHIFT);
618 	return sddr09_writeX(us, address, address, nr_of_pages, bulklen,
619 			     buf, use_sg);
620 }
621 
622 #if 0
623 /*
624  * Read Scatter Gather Command: 3+4n bytes.
625  * byte 0: opcode E7
626  * byte 2: n
627  * bytes 4i-1,4i,4i+1: page address
628  * byte 4i+2: page count
629  * (i=1..n)
630  *
631  * This reads several pages from the card to a single memory buffer.
632  * The last two bits of byte 1 have the same meaning as for E8.
633  */
634 static int
635 sddr09_read_sg_test_only(struct us_data *us) {
636 	unsigned char *command = us->iobuf;
637 	int result, bulklen, nsg, ct;
638 	unsigned char *buf;
639 	unsigned long address;
640 
641 	nsg = bulklen = 0;
642 	command[0] = 0xE7;
643 	command[1] = LUNBITS;
644 	command[2] = 0;
645 	address = 040000; ct = 1;
646 	nsg++;
647 	bulklen += (ct << 9);
648 	command[4*nsg+2] = ct;
649 	command[4*nsg+1] = ((address >> 9) & 0xFF);
650 	command[4*nsg+0] = ((address >> 17) & 0xFF);
651 	command[4*nsg-1] = ((address >> 25) & 0xFF);
652 
653 	address = 0340000; ct = 1;
654 	nsg++;
655 	bulklen += (ct << 9);
656 	command[4*nsg+2] = ct;
657 	command[4*nsg+1] = ((address >> 9) & 0xFF);
658 	command[4*nsg+0] = ((address >> 17) & 0xFF);
659 	command[4*nsg-1] = ((address >> 25) & 0xFF);
660 
661 	address = 01000000; ct = 2;
662 	nsg++;
663 	bulklen += (ct << 9);
664 	command[4*nsg+2] = ct;
665 	command[4*nsg+1] = ((address >> 9) & 0xFF);
666 	command[4*nsg+0] = ((address >> 17) & 0xFF);
667 	command[4*nsg-1] = ((address >> 25) & 0xFF);
668 
669 	command[2] = nsg;
670 
671 	result = sddr09_send_scsi_command(us, command, 4*nsg+3);
672 
673 	if (result) {
674 		usb_stor_dbg(us, "Result for send_control in sddr09_read_sg %d\n",
675 			     result);
676 		return result;
677 	}
678 
679 	buf = kmalloc(bulklen, GFP_NOIO);
680 	if (!buf)
681 		return -ENOMEM;
682 
683 	result = usb_stor_bulk_transfer_buf(us, us->recv_bulk_pipe,
684 				       buf, bulklen, NULL);
685 	kfree(buf);
686 	if (result != USB_STOR_XFER_GOOD) {
687 		usb_stor_dbg(us, "Result for bulk_transfer in sddr09_read_sg %d\n",
688 			     result);
689 		return -EIO;
690 	}
691 
692 	return 0;
693 }
694 #endif
695 
696 /*
697  * Read Status Command: 12 bytes.
698  * byte 0: opcode: EC
699  *
700  * Returns 64 bytes, all zero except for the first.
701  * bit 0: 1: Error
702  * bit 5: 1: Suspended
703  * bit 6: 1: Ready
704  * bit 7: 1: Not write-protected
705  */
706 
707 static int
708 sddr09_read_status(struct us_data *us, unsigned char *status) {
709 
710 	unsigned char *command = us->iobuf;
711 	unsigned char *data = us->iobuf;
712 	int result;
713 
714 	usb_stor_dbg(us, "Reading status...\n");
715 
716 	memset(command, 0, 12);
717 	command[0] = 0xEC;
718 	command[1] = LUNBITS;
719 
720 	result = sddr09_send_scsi_command(us, command, 12);
721 	if (result)
722 		return result;
723 
724 	result = usb_stor_bulk_transfer_buf(us, us->recv_bulk_pipe,
725 				       data, 64, NULL);
726 	*status = data[0];
727 	return (result == USB_STOR_XFER_GOOD ? 0 : -EIO);
728 }
729 
730 static int
731 sddr09_read_data(struct us_data *us,
732 		 unsigned long address,
733 		 unsigned int sectors) {
734 
735 	struct sddr09_card_info *info = (struct sddr09_card_info *) us->extra;
736 	unsigned char *buffer;
737 	unsigned int lba, maxlba, pba;
738 	unsigned int page, pages;
739 	unsigned int len, offset;
740 	struct scatterlist *sg;
741 	int result;
742 
743 	// Figure out the initial LBA and page
744 	lba = address >> info->blockshift;
745 	page = (address & info->blockmask);
746 	maxlba = info->capacity >> (info->pageshift + info->blockshift);
747 	if (lba >= maxlba)
748 		return -EIO;
749 
750 	// Since we only read in one block at a time, we have to create
751 	// a bounce buffer and move the data a piece at a time between the
752 	// bounce buffer and the actual transfer buffer.
753 
754 	len = min(sectors, (unsigned int) info->blocksize) * info->pagesize;
755 	buffer = kmalloc(len, GFP_NOIO);
756 	if (!buffer)
757 		return -ENOMEM;
758 
759 	// This could be made much more efficient by checking for
760 	// contiguous LBA's. Another exercise left to the student.
761 
762 	result = 0;
763 	offset = 0;
764 	sg = NULL;
765 
766 	while (sectors > 0) {
767 
768 		/* Find number of pages we can read in this block */
769 		pages = min(sectors, info->blocksize - page);
770 		len = pages << info->pageshift;
771 
772 		/* Not overflowing capacity? */
773 		if (lba >= maxlba) {
774 			usb_stor_dbg(us, "Error: Requested lba %u exceeds maximum %u\n",
775 				     lba, maxlba);
776 			result = -EIO;
777 			break;
778 		}
779 
780 		/* Find where this lba lives on disk */
781 		pba = info->lba_to_pba[lba];
782 
783 		if (pba == UNDEF) {	/* this lba was never written */
784 
785 			usb_stor_dbg(us, "Read %d zero pages (LBA %d) page %d\n",
786 				     pages, lba, page);
787 
788 			/*
789 			 * This is not really an error. It just means
790 			 * that the block has never been written.
791 			 * Instead of returning an error
792 			 * it is better to return all zero data.
793 			 */
794 
795 			memset(buffer, 0, len);
796 
797 		} else {
798 			usb_stor_dbg(us, "Read %d pages, from PBA %d (LBA %d) page %d\n",
799 				     pages, pba, lba, page);
800 
801 			address = ((pba << info->blockshift) + page) <<
802 				info->pageshift;
803 
804 			result = sddr09_read20(us, address>>1,
805 					pages, info->pageshift, buffer, 0);
806 			if (result)
807 				break;
808 		}
809 
810 		// Store the data in the transfer buffer
811 		usb_stor_access_xfer_buf(buffer, len, us->srb,
812 				&sg, &offset, TO_XFER_BUF);
813 
814 		page = 0;
815 		lba++;
816 		sectors -= pages;
817 	}
818 
819 	kfree(buffer);
820 	return result;
821 }
822 
823 static unsigned int
824 sddr09_find_unused_pba(struct sddr09_card_info *info, unsigned int lba) {
825 	static unsigned int lastpba = 1;
826 	int zonestart, end, i;
827 
828 	zonestart = (lba/1000) << 10;
829 	end = info->capacity >> (info->blockshift + info->pageshift);
830 	end -= zonestart;
831 	if (end > 1024)
832 		end = 1024;
833 
834 	for (i = lastpba+1; i < end; i++) {
835 		if (info->pba_to_lba[zonestart+i] == UNDEF) {
836 			lastpba = i;
837 			return zonestart+i;
838 		}
839 	}
840 	for (i = 0; i <= lastpba; i++) {
841 		if (info->pba_to_lba[zonestart+i] == UNDEF) {
842 			lastpba = i;
843 			return zonestart+i;
844 		}
845 	}
846 	return 0;
847 }
848 
849 static int
850 sddr09_write_lba(struct us_data *us, unsigned int lba,
851 		 unsigned int page, unsigned int pages,
852 		 unsigned char *ptr, unsigned char *blockbuffer) {
853 
854 	struct sddr09_card_info *info = (struct sddr09_card_info *) us->extra;
855 	unsigned long address;
856 	unsigned int pba, lbap;
857 	unsigned int pagelen;
858 	unsigned char *bptr, *cptr, *xptr;
859 	unsigned char ecc[3];
860 	int i, result;
861 
862 	lbap = ((lba % 1000) << 1) | 0x1000;
863 	if (parity[MSB_of(lbap) ^ LSB_of(lbap)])
864 		lbap ^= 1;
865 	pba = info->lba_to_pba[lba];
866 
867 	if (pba == UNDEF) {
868 		pba = sddr09_find_unused_pba(info, lba);
869 		if (!pba) {
870 			printk(KERN_WARNING
871 			       "sddr09_write_lba: Out of unused blocks\n");
872 			return -ENOSPC;
873 		}
874 		info->pba_to_lba[pba] = lba;
875 		info->lba_to_pba[lba] = pba;
876 	}
877 
878 	if (pba == 1) {
879 		/*
880 		 * Maybe it is impossible to write to PBA 1.
881 		 * Fake success, but don't do anything.
882 		 */
883 		printk(KERN_WARNING "sddr09: avoid writing to pba 1\n");
884 		return 0;
885 	}
886 
887 	pagelen = (1 << info->pageshift) + (1 << CONTROL_SHIFT);
888 
889 	/* read old contents */
890 	address = (pba << (info->pageshift + info->blockshift));
891 	result = sddr09_read22(us, address>>1, info->blocksize,
892 			       info->pageshift, blockbuffer, 0);
893 	if (result)
894 		return result;
895 
896 	/* check old contents and fill lba */
897 	for (i = 0; i < info->blocksize; i++) {
898 		bptr = blockbuffer + i*pagelen;
899 		cptr = bptr + info->pagesize;
900 		nand_compute_ecc(bptr, ecc);
901 		if (!nand_compare_ecc(cptr+13, ecc)) {
902 			usb_stor_dbg(us, "Warning: bad ecc in page %d- of pba %d\n",
903 				     i, pba);
904 			nand_store_ecc(cptr+13, ecc);
905 		}
906 		nand_compute_ecc(bptr+(info->pagesize / 2), ecc);
907 		if (!nand_compare_ecc(cptr+8, ecc)) {
908 			usb_stor_dbg(us, "Warning: bad ecc in page %d+ of pba %d\n",
909 				     i, pba);
910 			nand_store_ecc(cptr+8, ecc);
911 		}
912 		cptr[6] = cptr[11] = MSB_of(lbap);
913 		cptr[7] = cptr[12] = LSB_of(lbap);
914 	}
915 
916 	/* copy in new stuff and compute ECC */
917 	xptr = ptr;
918 	for (i = page; i < page+pages; i++) {
919 		bptr = blockbuffer + i*pagelen;
920 		cptr = bptr + info->pagesize;
921 		memcpy(bptr, xptr, info->pagesize);
922 		xptr += info->pagesize;
923 		nand_compute_ecc(bptr, ecc);
924 		nand_store_ecc(cptr+13, ecc);
925 		nand_compute_ecc(bptr+(info->pagesize / 2), ecc);
926 		nand_store_ecc(cptr+8, ecc);
927 	}
928 
929 	usb_stor_dbg(us, "Rewrite PBA %d (LBA %d)\n", pba, lba);
930 
931 	result = sddr09_write_inplace(us, address>>1, info->blocksize,
932 				      info->pageshift, blockbuffer, 0);
933 
934 	usb_stor_dbg(us, "sddr09_write_inplace returns %d\n", result);
935 
936 #if 0
937 	{
938 		unsigned char status = 0;
939 		int result2 = sddr09_read_status(us, &status);
940 		if (result2)
941 			usb_stor_dbg(us, "cannot read status\n");
942 		else if (status != 0xc0)
943 			usb_stor_dbg(us, "status after write: 0x%x\n", status);
944 	}
945 #endif
946 
947 #if 0
948 	{
949 		int result2 = sddr09_test_unit_ready(us);
950 	}
951 #endif
952 
953 	return result;
954 }
955 
956 static int
957 sddr09_write_data(struct us_data *us,
958 		  unsigned long address,
959 		  unsigned int sectors) {
960 
961 	struct sddr09_card_info *info = (struct sddr09_card_info *) us->extra;
962 	unsigned int lba, maxlba, page, pages;
963 	unsigned int pagelen, blocklen;
964 	unsigned char *blockbuffer;
965 	unsigned char *buffer;
966 	unsigned int len, offset;
967 	struct scatterlist *sg;
968 	int result;
969 
970 	/* Figure out the initial LBA and page */
971 	lba = address >> info->blockshift;
972 	page = (address & info->blockmask);
973 	maxlba = info->capacity >> (info->pageshift + info->blockshift);
974 	if (lba >= maxlba)
975 		return -EIO;
976 
977 	/*
978 	 * blockbuffer is used for reading in the old data, overwriting
979 	 * with the new data, and performing ECC calculations
980 	 */
981 
982 	/*
983 	 * TODO: instead of doing kmalloc/kfree for each write,
984 	 * add a bufferpointer to the info structure
985 	 */
986 
987 	pagelen = (1 << info->pageshift) + (1 << CONTROL_SHIFT);
988 	blocklen = (pagelen << info->blockshift);
989 	blockbuffer = kmalloc(blocklen, GFP_NOIO);
990 	if (!blockbuffer)
991 		return -ENOMEM;
992 
993 	/*
994 	 * Since we don't write the user data directly to the device,
995 	 * we have to create a bounce buffer and move the data a piece
996 	 * at a time between the bounce buffer and the actual transfer buffer.
997 	 */
998 
999 	len = min(sectors, (unsigned int) info->blocksize) * info->pagesize;
1000 	buffer = kmalloc(len, GFP_NOIO);
1001 	if (!buffer) {
1002 		kfree(blockbuffer);
1003 		return -ENOMEM;
1004 	}
1005 
1006 	result = 0;
1007 	offset = 0;
1008 	sg = NULL;
1009 
1010 	while (sectors > 0) {
1011 
1012 		/* Write as many sectors as possible in this block */
1013 
1014 		pages = min(sectors, info->blocksize - page);
1015 		len = (pages << info->pageshift);
1016 
1017 		/* Not overflowing capacity? */
1018 		if (lba >= maxlba) {
1019 			usb_stor_dbg(us, "Error: Requested lba %u exceeds maximum %u\n",
1020 				     lba, maxlba);
1021 			result = -EIO;
1022 			break;
1023 		}
1024 
1025 		/* Get the data from the transfer buffer */
1026 		usb_stor_access_xfer_buf(buffer, len, us->srb,
1027 				&sg, &offset, FROM_XFER_BUF);
1028 
1029 		result = sddr09_write_lba(us, lba, page, pages,
1030 				buffer, blockbuffer);
1031 		if (result)
1032 			break;
1033 
1034 		page = 0;
1035 		lba++;
1036 		sectors -= pages;
1037 	}
1038 
1039 	kfree(buffer);
1040 	kfree(blockbuffer);
1041 
1042 	return result;
1043 }
1044 
1045 static int
1046 sddr09_read_control(struct us_data *us,
1047 		unsigned long address,
1048 		unsigned int blocks,
1049 		unsigned char *content,
1050 		int use_sg) {
1051 
1052 	usb_stor_dbg(us, "Read control address %lu, blocks %d\n",
1053 		     address, blocks);
1054 
1055 	return sddr09_read21(us, address, blocks,
1056 			     CONTROL_SHIFT, content, use_sg);
1057 }
1058 
1059 /*
1060  * Read Device ID Command: 12 bytes.
1061  * byte 0: opcode: ED
1062  *
1063  * Returns 2 bytes: Manufacturer ID and Device ID.
1064  * On more recent cards 3 bytes: the third byte is an option code A5
1065  * signifying that the secret command to read an 128-bit ID is available.
1066  * On still more recent cards 4 bytes: the fourth byte C0 means that
1067  * a second read ID cmd is available.
1068  */
1069 static int
1070 sddr09_read_deviceID(struct us_data *us, unsigned char *deviceID) {
1071 	unsigned char *command = us->iobuf;
1072 	unsigned char *content = us->iobuf;
1073 	int result, i;
1074 
1075 	memset(command, 0, 12);
1076 	command[0] = 0xED;
1077 	command[1] = LUNBITS;
1078 
1079 	result = sddr09_send_scsi_command(us, command, 12);
1080 	if (result)
1081 		return result;
1082 
1083 	result = usb_stor_bulk_transfer_buf(us, us->recv_bulk_pipe,
1084 			content, 64, NULL);
1085 
1086 	for (i = 0; i < 4; i++)
1087 		deviceID[i] = content[i];
1088 
1089 	return (result == USB_STOR_XFER_GOOD ? 0 : -EIO);
1090 }
1091 
1092 static int
1093 sddr09_get_wp(struct us_data *us, struct sddr09_card_info *info) {
1094 	int result;
1095 	unsigned char status;
1096 	const char *wp_fmt;
1097 
1098 	result = sddr09_read_status(us, &status);
1099 	if (result) {
1100 		usb_stor_dbg(us, "read_status fails\n");
1101 		return result;
1102 	}
1103 	if ((status & 0x80) == 0) {
1104 		info->flags |= SDDR09_WP;	/* write protected */
1105 		wp_fmt = " WP";
1106 	} else {
1107 		wp_fmt = "";
1108 	}
1109 	usb_stor_dbg(us, "status 0x%02X%s%s%s%s\n", status, wp_fmt,
1110 		     status & 0x40 ? " Ready" : "",
1111 		     status & LUNBITS ? " Suspended" : "",
1112 		     status & 0x01 ? " Error" : "");
1113 
1114 	return 0;
1115 }
1116 
1117 #if 0
1118 /*
1119  * Reset Command: 12 bytes.
1120  * byte 0: opcode: EB
1121  */
1122 static int
1123 sddr09_reset(struct us_data *us) {
1124 
1125 	unsigned char *command = us->iobuf;
1126 
1127 	memset(command, 0, 12);
1128 	command[0] = 0xEB;
1129 	command[1] = LUNBITS;
1130 
1131 	return sddr09_send_scsi_command(us, command, 12);
1132 }
1133 #endif
1134 
1135 static struct nand_flash_dev *
1136 sddr09_get_cardinfo(struct us_data *us, unsigned char flags) {
1137 	struct nand_flash_dev *cardinfo;
1138 	unsigned char deviceID[4];
1139 	char blurbtxt[256];
1140 	int result;
1141 
1142 	usb_stor_dbg(us, "Reading capacity...\n");
1143 
1144 	result = sddr09_read_deviceID(us, deviceID);
1145 
1146 	if (result) {
1147 		usb_stor_dbg(us, "Result of read_deviceID is %d\n", result);
1148 		printk(KERN_WARNING "sddr09: could not read card info\n");
1149 		return NULL;
1150 	}
1151 
1152 	sprintf(blurbtxt, "sddr09: Found Flash card, ID = %4ph", deviceID);
1153 
1154 	/* Byte 0 is the manufacturer */
1155 	sprintf(blurbtxt + strlen(blurbtxt),
1156 		": Manuf. %s",
1157 		nand_flash_manufacturer(deviceID[0]));
1158 
1159 	/* Byte 1 is the device type */
1160 	cardinfo = nand_find_id(deviceID[1]);
1161 	if (cardinfo) {
1162 		/*
1163 		 * MB or MiB? It is neither. A 16 MB card has
1164 		 * 17301504 raw bytes, of which 16384000 are
1165 		 * usable for user data.
1166 		 */
1167 		sprintf(blurbtxt + strlen(blurbtxt),
1168 			", %d MB", 1<<(cardinfo->chipshift - 20));
1169 	} else {
1170 		sprintf(blurbtxt + strlen(blurbtxt),
1171 			", type unrecognized");
1172 	}
1173 
1174 	/* Byte 2 is code to signal availability of 128-bit ID */
1175 	if (deviceID[2] == 0xa5) {
1176 		sprintf(blurbtxt + strlen(blurbtxt),
1177 			", 128-bit ID");
1178 	}
1179 
1180 	/* Byte 3 announces the availability of another read ID command */
1181 	if (deviceID[3] == 0xc0) {
1182 		sprintf(blurbtxt + strlen(blurbtxt),
1183 			", extra cmd");
1184 	}
1185 
1186 	if (flags & SDDR09_WP)
1187 		sprintf(blurbtxt + strlen(blurbtxt),
1188 			", WP");
1189 
1190 	printk(KERN_WARNING "%s\n", blurbtxt);
1191 
1192 	return cardinfo;
1193 }
1194 
1195 static int
1196 sddr09_read_map(struct us_data *us) {
1197 
1198 	struct sddr09_card_info *info = (struct sddr09_card_info *) us->extra;
1199 	int numblocks, alloc_len, alloc_blocks;
1200 	int i, j, result;
1201 	unsigned char *buffer, *buffer_end, *ptr;
1202 	unsigned int lba, lbact;
1203 
1204 	if (!info->capacity)
1205 		return -1;
1206 
1207 	/*
1208 	 * size of a block is 1 << (blockshift + pageshift) bytes
1209 	 * divide into the total capacity to get the number of blocks
1210 	 */
1211 
1212 	numblocks = info->capacity >> (info->blockshift + info->pageshift);
1213 
1214 	/*
1215 	 * read 64 bytes for every block (actually 1 << CONTROL_SHIFT)
1216 	 * but only use a 64 KB buffer
1217 	 * buffer size used must be a multiple of (1 << CONTROL_SHIFT)
1218 	 */
1219 #define SDDR09_READ_MAP_BUFSZ 65536
1220 
1221 	alloc_blocks = min(numblocks, SDDR09_READ_MAP_BUFSZ >> CONTROL_SHIFT);
1222 	alloc_len = (alloc_blocks << CONTROL_SHIFT);
1223 	buffer = kmalloc(alloc_len, GFP_NOIO);
1224 	if (!buffer) {
1225 		result = -1;
1226 		goto done;
1227 	}
1228 	buffer_end = buffer + alloc_len;
1229 
1230 #undef SDDR09_READ_MAP_BUFSZ
1231 
1232 	kfree(info->lba_to_pba);
1233 	kfree(info->pba_to_lba);
1234 	info->lba_to_pba = kmalloc_array(numblocks, sizeof(int), GFP_NOIO);
1235 	info->pba_to_lba = kmalloc_array(numblocks, sizeof(int), GFP_NOIO);
1236 
1237 	if (info->lba_to_pba == NULL || info->pba_to_lba == NULL) {
1238 		printk(KERN_WARNING "sddr09_read_map: out of memory\n");
1239 		result = -1;
1240 		goto done;
1241 	}
1242 
1243 	for (i = 0; i < numblocks; i++)
1244 		info->lba_to_pba[i] = info->pba_to_lba[i] = UNDEF;
1245 
1246 	/*
1247 	 * Define lba-pba translation table
1248 	 */
1249 
1250 	ptr = buffer_end;
1251 	for (i = 0; i < numblocks; i++) {
1252 		ptr += (1 << CONTROL_SHIFT);
1253 		if (ptr >= buffer_end) {
1254 			unsigned long address;
1255 
1256 			address = i << (info->pageshift + info->blockshift);
1257 			result = sddr09_read_control(
1258 				us, address>>1,
1259 				min(alloc_blocks, numblocks - i),
1260 				buffer, 0);
1261 			if (result) {
1262 				result = -1;
1263 				goto done;
1264 			}
1265 			ptr = buffer;
1266 		}
1267 
1268 		if (i == 0 || i == 1) {
1269 			info->pba_to_lba[i] = UNUSABLE;
1270 			continue;
1271 		}
1272 
1273 		/* special PBAs have control field 0^16 */
1274 		for (j = 0; j < 16; j++)
1275 			if (ptr[j] != 0)
1276 				goto nonz;
1277 		info->pba_to_lba[i] = UNUSABLE;
1278 		printk(KERN_WARNING "sddr09: PBA %d has no logical mapping\n",
1279 		       i);
1280 		continue;
1281 
1282 	nonz:
1283 		/* unwritten PBAs have control field FF^16 */
1284 		for (j = 0; j < 16; j++)
1285 			if (ptr[j] != 0xff)
1286 				goto nonff;
1287 		continue;
1288 
1289 	nonff:
1290 		/* normal PBAs start with six FFs */
1291 		if (j < 6) {
1292 			printk(KERN_WARNING
1293 			       "sddr09: PBA %d has no logical mapping: "
1294 			       "reserved area = %02X%02X%02X%02X "
1295 			       "data status %02X block status %02X\n",
1296 			       i, ptr[0], ptr[1], ptr[2], ptr[3],
1297 			       ptr[4], ptr[5]);
1298 			info->pba_to_lba[i] = UNUSABLE;
1299 			continue;
1300 		}
1301 
1302 		if ((ptr[6] >> 4) != 0x01) {
1303 			printk(KERN_WARNING
1304 			       "sddr09: PBA %d has invalid address field "
1305 			       "%02X%02X/%02X%02X\n",
1306 			       i, ptr[6], ptr[7], ptr[11], ptr[12]);
1307 			info->pba_to_lba[i] = UNUSABLE;
1308 			continue;
1309 		}
1310 
1311 		/* check even parity */
1312 		if (parity[ptr[6] ^ ptr[7]]) {
1313 			printk(KERN_WARNING
1314 			       "sddr09: Bad parity in LBA for block %d"
1315 			       " (%02X %02X)\n", i, ptr[6], ptr[7]);
1316 			info->pba_to_lba[i] = UNUSABLE;
1317 			continue;
1318 		}
1319 
1320 		lba = short_pack(ptr[7], ptr[6]);
1321 		lba = (lba & 0x07FF) >> 1;
1322 
1323 		/*
1324 		 * Every 1024 physical blocks ("zone"), the LBA numbers
1325 		 * go back to zero, but are within a higher block of LBA's.
1326 		 * Also, there is a maximum of 1000 LBA's per zone.
1327 		 * In other words, in PBA 1024-2047 you will find LBA 0-999
1328 		 * which are really LBA 1000-1999. This allows for 24 bad
1329 		 * or special physical blocks per zone.
1330 		 */
1331 
1332 		if (lba >= 1000) {
1333 			printk(KERN_WARNING
1334 			       "sddr09: Bad low LBA %d for block %d\n",
1335 			       lba, i);
1336 			goto possibly_erase;
1337 		}
1338 
1339 		lba += 1000*(i/0x400);
1340 
1341 		if (info->lba_to_pba[lba] != UNDEF) {
1342 			printk(KERN_WARNING
1343 			       "sddr09: LBA %d seen for PBA %d and %d\n",
1344 			       lba, info->lba_to_pba[lba], i);
1345 			goto possibly_erase;
1346 		}
1347 
1348 		info->pba_to_lba[i] = lba;
1349 		info->lba_to_pba[lba] = i;
1350 		continue;
1351 
1352 	possibly_erase:
1353 		if (erase_bad_lba_entries) {
1354 			unsigned long address;
1355 
1356 			address = (i << (info->pageshift + info->blockshift));
1357 			sddr09_erase(us, address>>1);
1358 			info->pba_to_lba[i] = UNDEF;
1359 		} else
1360 			info->pba_to_lba[i] = UNUSABLE;
1361 	}
1362 
1363 	/*
1364 	 * Approximate capacity. This is not entirely correct yet,
1365 	 * since a zone with less than 1000 usable pages leads to
1366 	 * missing LBAs. Especially if it is the last zone, some
1367 	 * LBAs can be past capacity.
1368 	 */
1369 	lbact = 0;
1370 	for (i = 0; i < numblocks; i += 1024) {
1371 		int ct = 0;
1372 
1373 		for (j = 0; j < 1024 && i+j < numblocks; j++) {
1374 			if (info->pba_to_lba[i+j] != UNUSABLE) {
1375 				if (ct >= 1000)
1376 					info->pba_to_lba[i+j] = SPARE;
1377 				else
1378 					ct++;
1379 			}
1380 		}
1381 		lbact += ct;
1382 	}
1383 	info->lbact = lbact;
1384 	usb_stor_dbg(us, "Found %d LBA's\n", lbact);
1385 	result = 0;
1386 
1387  done:
1388 	if (result != 0) {
1389 		kfree(info->lba_to_pba);
1390 		kfree(info->pba_to_lba);
1391 		info->lba_to_pba = NULL;
1392 		info->pba_to_lba = NULL;
1393 	}
1394 	kfree(buffer);
1395 	return result;
1396 }
1397 
1398 static void
1399 sddr09_card_info_destructor(void *extra) {
1400 	struct sddr09_card_info *info = (struct sddr09_card_info *)extra;
1401 
1402 	if (!info)
1403 		return;
1404 
1405 	kfree(info->lba_to_pba);
1406 	kfree(info->pba_to_lba);
1407 }
1408 
1409 static int
1410 sddr09_common_init(struct us_data *us) {
1411 	int result;
1412 
1413 	/* set the configuration -- STALL is an acceptable response here */
1414 	if (us->pusb_dev->actconfig->desc.bConfigurationValue != 1) {
1415 		usb_stor_dbg(us, "active config #%d != 1 ??\n",
1416 			     us->pusb_dev->actconfig->desc.bConfigurationValue);
1417 		return -EINVAL;
1418 	}
1419 
1420 	result = usb_reset_configuration(us->pusb_dev);
1421 	usb_stor_dbg(us, "Result of usb_reset_configuration is %d\n", result);
1422 	if (result == -EPIPE) {
1423 		usb_stor_dbg(us, "-- stall on control interface\n");
1424 	} else if (result != 0) {
1425 		/* it's not a stall, but another error -- time to bail */
1426 		usb_stor_dbg(us, "-- Unknown error.  Rejecting device\n");
1427 		return -EINVAL;
1428 	}
1429 
1430 	us->extra = kzalloc(sizeof(struct sddr09_card_info), GFP_NOIO);
1431 	if (!us->extra)
1432 		return -ENOMEM;
1433 	us->extra_destructor = sddr09_card_info_destructor;
1434 
1435 	nand_init_ecc();
1436 	return 0;
1437 }
1438 
1439 
1440 /*
1441  * This is needed at a very early stage. If this is not listed in the
1442  * unusual devices list but called from here then LUN 0 of the combo reader
1443  * is not recognized. But I do not know what precisely these calls do.
1444  */
1445 static int
1446 usb_stor_sddr09_dpcm_init(struct us_data *us) {
1447 	int result;
1448 	unsigned char *data = us->iobuf;
1449 
1450 	result = sddr09_common_init(us);
1451 	if (result)
1452 		return result;
1453 
1454 	result = sddr09_send_command(us, 0x01, USB_DIR_IN, data, 2);
1455 	if (result) {
1456 		usb_stor_dbg(us, "send_command fails\n");
1457 		return result;
1458 	}
1459 
1460 	usb_stor_dbg(us, "%02X %02X\n", data[0], data[1]);
1461 	// get 07 02
1462 
1463 	result = sddr09_send_command(us, 0x08, USB_DIR_IN, data, 2);
1464 	if (result) {
1465 		usb_stor_dbg(us, "2nd send_command fails\n");
1466 		return result;
1467 	}
1468 
1469 	usb_stor_dbg(us, "%02X %02X\n", data[0], data[1]);
1470 	// get 07 00
1471 
1472 	result = sddr09_request_sense(us, data, 18);
1473 	if (result == 0 && data[2] != 0) {
1474 		int j;
1475 		for (j=0; j<18; j++)
1476 			printk(" %02X", data[j]);
1477 		printk("\n");
1478 		// get 70 00 00 00 00 00 00 * 00 00 00 00 00 00
1479 		// 70: current command
1480 		// sense key 0, sense code 0, extd sense code 0
1481 		// additional transfer length * = sizeof(data) - 7
1482 		// Or: 70 00 06 00 00 00 00 0b 00 00 00 00 28 00 00 00 00 00
1483 		// sense key 06, sense code 28: unit attention,
1484 		// not ready to ready transition
1485 	}
1486 
1487 	// test unit ready
1488 
1489 	return 0;		/* not result */
1490 }
1491 
1492 /*
1493  * Transport for the Microtech DPCM-USB
1494  */
1495 static int dpcm_transport(struct scsi_cmnd *srb, struct us_data *us)
1496 {
1497 	int ret;
1498 
1499 	usb_stor_dbg(us, "LUN=%d\n", (u8)srb->device->lun);
1500 
1501 	switch (srb->device->lun) {
1502 	case 0:
1503 
1504 		/*
1505 		 * LUN 0 corresponds to the CompactFlash card reader.
1506 		 */
1507 		ret = usb_stor_CB_transport(srb, us);
1508 		break;
1509 
1510 	case 1:
1511 
1512 		/*
1513 		 * LUN 1 corresponds to the SmartMedia card reader.
1514 		 */
1515 
1516 		/*
1517 		 * Set the LUN to 0 (just in case).
1518 		 */
1519 		srb->device->lun = 0;
1520 		ret = sddr09_transport(srb, us);
1521 		srb->device->lun = 1;
1522 		break;
1523 
1524 	default:
1525 	    usb_stor_dbg(us, "Invalid LUN %d\n", (u8)srb->device->lun);
1526 		ret = USB_STOR_TRANSPORT_ERROR;
1527 		break;
1528 	}
1529 	return ret;
1530 }
1531 
1532 
1533 /*
1534  * Transport for the Sandisk SDDR-09
1535  */
1536 static int sddr09_transport(struct scsi_cmnd *srb, struct us_data *us)
1537 {
1538 	static unsigned char sensekey = 0, sensecode = 0;
1539 	static unsigned char havefakesense = 0;
1540 	int result, i;
1541 	unsigned char *ptr = us->iobuf;
1542 	unsigned long capacity;
1543 	unsigned int page, pages;
1544 
1545 	struct sddr09_card_info *info;
1546 
1547 	static unsigned char inquiry_response[8] = {
1548 		0x00, 0x80, 0x00, 0x02, 0x1F, 0x00, 0x00, 0x00
1549 	};
1550 
1551 	/* note: no block descriptor support */
1552 	static unsigned char mode_page_01[19] = {
1553 		0x00, 0x0F, 0x00, 0x0, 0x0, 0x0, 0x00,
1554 		0x01, 0x0A,
1555 		0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
1556 	};
1557 
1558 	info = (struct sddr09_card_info *)us->extra;
1559 
1560 	if (srb->cmnd[0] == REQUEST_SENSE && havefakesense) {
1561 		/* for a faked command, we have to follow with a faked sense */
1562 		memset(ptr, 0, 18);
1563 		ptr[0] = 0x70;
1564 		ptr[2] = sensekey;
1565 		ptr[7] = 11;
1566 		ptr[12] = sensecode;
1567 		usb_stor_set_xfer_buf(ptr, 18, srb);
1568 		sensekey = sensecode = havefakesense = 0;
1569 		return USB_STOR_TRANSPORT_GOOD;
1570 	}
1571 
1572 	havefakesense = 1;
1573 
1574 	/*
1575 	 * Dummy up a response for INQUIRY since SDDR09 doesn't
1576 	 * respond to INQUIRY commands
1577 	 */
1578 
1579 	if (srb->cmnd[0] == INQUIRY) {
1580 		memcpy(ptr, inquiry_response, 8);
1581 		fill_inquiry_response(us, ptr, 36);
1582 		return USB_STOR_TRANSPORT_GOOD;
1583 	}
1584 
1585 	if (srb->cmnd[0] == READ_CAPACITY) {
1586 		struct nand_flash_dev *cardinfo;
1587 
1588 		sddr09_get_wp(us, info);	/* read WP bit */
1589 
1590 		cardinfo = sddr09_get_cardinfo(us, info->flags);
1591 		if (!cardinfo) {
1592 			/* probably no media */
1593 		init_error:
1594 			sensekey = 0x02;	/* not ready */
1595 			sensecode = 0x3a;	/* medium not present */
1596 			return USB_STOR_TRANSPORT_FAILED;
1597 		}
1598 
1599 		info->capacity = (1 << cardinfo->chipshift);
1600 		info->pageshift = cardinfo->pageshift;
1601 		info->pagesize = (1 << info->pageshift);
1602 		info->blockshift = cardinfo->blockshift;
1603 		info->blocksize = (1 << info->blockshift);
1604 		info->blockmask = info->blocksize - 1;
1605 
1606 		// map initialization, must follow get_cardinfo()
1607 		if (sddr09_read_map(us)) {
1608 			/* probably out of memory */
1609 			goto init_error;
1610 		}
1611 
1612 		// Report capacity
1613 
1614 		capacity = (info->lbact << info->blockshift) - 1;
1615 
1616 		((__be32 *) ptr)[0] = cpu_to_be32(capacity);
1617 
1618 		// Report page size
1619 
1620 		((__be32 *) ptr)[1] = cpu_to_be32(info->pagesize);
1621 		usb_stor_set_xfer_buf(ptr, 8, srb);
1622 
1623 		return USB_STOR_TRANSPORT_GOOD;
1624 	}
1625 
1626 	if (srb->cmnd[0] == MODE_SENSE_10) {
1627 		int modepage = (srb->cmnd[2] & 0x3F);
1628 
1629 		/*
1630 		 * They ask for the Read/Write error recovery page,
1631 		 * or for all pages.
1632 		 */
1633 		/* %% We should check DBD %% */
1634 		if (modepage == 0x01 || modepage == 0x3F) {
1635 			usb_stor_dbg(us, "Dummy up request for mode page 0x%x\n",
1636 				     modepage);
1637 
1638 			memcpy(ptr, mode_page_01, sizeof(mode_page_01));
1639 			((__be16*)ptr)[0] = cpu_to_be16(sizeof(mode_page_01) - 2);
1640 			ptr[3] = (info->flags & SDDR09_WP) ? 0x80 : 0;
1641 			usb_stor_set_xfer_buf(ptr, sizeof(mode_page_01), srb);
1642 			return USB_STOR_TRANSPORT_GOOD;
1643 		}
1644 
1645 		sensekey = 0x05;	/* illegal request */
1646 		sensecode = 0x24;	/* invalid field in CDB */
1647 		return USB_STOR_TRANSPORT_FAILED;
1648 	}
1649 
1650 	if (srb->cmnd[0] == ALLOW_MEDIUM_REMOVAL)
1651 		return USB_STOR_TRANSPORT_GOOD;
1652 
1653 	havefakesense = 0;
1654 
1655 	if (srb->cmnd[0] == READ_10) {
1656 
1657 		page = short_pack(srb->cmnd[3], srb->cmnd[2]);
1658 		page <<= 16;
1659 		page |= short_pack(srb->cmnd[5], srb->cmnd[4]);
1660 		pages = short_pack(srb->cmnd[8], srb->cmnd[7]);
1661 
1662 		usb_stor_dbg(us, "READ_10: read page %d pagect %d\n",
1663 			     page, pages);
1664 
1665 		result = sddr09_read_data(us, page, pages);
1666 		return (result == 0 ? USB_STOR_TRANSPORT_GOOD :
1667 				USB_STOR_TRANSPORT_ERROR);
1668 	}
1669 
1670 	if (srb->cmnd[0] == WRITE_10) {
1671 
1672 		page = short_pack(srb->cmnd[3], srb->cmnd[2]);
1673 		page <<= 16;
1674 		page |= short_pack(srb->cmnd[5], srb->cmnd[4]);
1675 		pages = short_pack(srb->cmnd[8], srb->cmnd[7]);
1676 
1677 		usb_stor_dbg(us, "WRITE_10: write page %d pagect %d\n",
1678 			     page, pages);
1679 
1680 		result = sddr09_write_data(us, page, pages);
1681 		return (result == 0 ? USB_STOR_TRANSPORT_GOOD :
1682 				USB_STOR_TRANSPORT_ERROR);
1683 	}
1684 
1685 	/*
1686 	 * catch-all for all other commands, except
1687 	 * pass TEST_UNIT_READY and REQUEST_SENSE through
1688 	 */
1689 	if (srb->cmnd[0] != TEST_UNIT_READY &&
1690 	    srb->cmnd[0] != REQUEST_SENSE) {
1691 		sensekey = 0x05;	/* illegal request */
1692 		sensecode = 0x20;	/* invalid command */
1693 		havefakesense = 1;
1694 		return USB_STOR_TRANSPORT_FAILED;
1695 	}
1696 
1697 	for (; srb->cmd_len<12; srb->cmd_len++)
1698 		srb->cmnd[srb->cmd_len] = 0;
1699 
1700 	srb->cmnd[1] = LUNBITS;
1701 
1702 	ptr[0] = 0;
1703 	for (i=0; i<12; i++)
1704 		sprintf(ptr+strlen(ptr), "%02X ", srb->cmnd[i]);
1705 
1706 	usb_stor_dbg(us, "Send control for command %s\n", ptr);
1707 
1708 	result = sddr09_send_scsi_command(us, srb->cmnd, 12);
1709 	if (result) {
1710 		usb_stor_dbg(us, "sddr09_send_scsi_command returns %d\n",
1711 			     result);
1712 		return USB_STOR_TRANSPORT_ERROR;
1713 	}
1714 
1715 	if (scsi_bufflen(srb) == 0)
1716 		return USB_STOR_TRANSPORT_GOOD;
1717 
1718 	if (srb->sc_data_direction == DMA_TO_DEVICE ||
1719 	    srb->sc_data_direction == DMA_FROM_DEVICE) {
1720 		unsigned int pipe = (srb->sc_data_direction == DMA_TO_DEVICE)
1721 				? us->send_bulk_pipe : us->recv_bulk_pipe;
1722 
1723 		usb_stor_dbg(us, "%s %d bytes\n",
1724 			     (srb->sc_data_direction == DMA_TO_DEVICE) ?
1725 			     "sending" : "receiving",
1726 			     scsi_bufflen(srb));
1727 
1728 		result = usb_stor_bulk_srb(us, pipe, srb);
1729 
1730 		return (result == USB_STOR_XFER_GOOD ?
1731 			USB_STOR_TRANSPORT_GOOD : USB_STOR_TRANSPORT_ERROR);
1732 	}
1733 
1734 	return USB_STOR_TRANSPORT_GOOD;
1735 }
1736 
1737 /*
1738  * Initialization routine for the sddr09 subdriver
1739  */
1740 static int
1741 usb_stor_sddr09_init(struct us_data *us) {
1742 	return sddr09_common_init(us);
1743 }
1744 
1745 static struct scsi_host_template sddr09_host_template;
1746 
1747 static int sddr09_probe(struct usb_interface *intf,
1748 			 const struct usb_device_id *id)
1749 {
1750 	struct us_data *us;
1751 	int result;
1752 
1753 	result = usb_stor_probe1(&us, intf, id,
1754 			(id - sddr09_usb_ids) + sddr09_unusual_dev_list,
1755 			&sddr09_host_template);
1756 	if (result)
1757 		return result;
1758 
1759 	if (us->protocol == USB_PR_DPCM_USB) {
1760 		us->transport_name = "Control/Bulk-EUSB/SDDR09";
1761 		us->transport = dpcm_transport;
1762 		us->transport_reset = usb_stor_CB_reset;
1763 		us->max_lun = 1;
1764 	} else {
1765 		us->transport_name = "EUSB/SDDR09";
1766 		us->transport = sddr09_transport;
1767 		us->transport_reset = usb_stor_CB_reset;
1768 		us->max_lun = 0;
1769 	}
1770 
1771 	result = usb_stor_probe2(us);
1772 	return result;
1773 }
1774 
1775 static struct usb_driver sddr09_driver = {
1776 	.name =		DRV_NAME,
1777 	.probe =	sddr09_probe,
1778 	.disconnect =	usb_stor_disconnect,
1779 	.suspend =	usb_stor_suspend,
1780 	.resume =	usb_stor_resume,
1781 	.reset_resume =	usb_stor_reset_resume,
1782 	.pre_reset =	usb_stor_pre_reset,
1783 	.post_reset =	usb_stor_post_reset,
1784 	.id_table =	sddr09_usb_ids,
1785 	.soft_unbind =	1,
1786 	.no_dynamic_id = 1,
1787 };
1788 
1789 module_usb_stor_driver(sddr09_driver, sddr09_host_template, DRV_NAME);
1790