Loading...
1// SPDX-License-Identifier: GPL-2.0-or-later
2/*
3 * Host Side support for RNDIS Networking Links
4 * Copyright (C) 2005 by David Brownell
5 */
6#include <linux/module.h>
7#include <linux/netdevice.h>
8#include <linux/etherdevice.h>
9#include <linux/ethtool.h>
10#include <linux/workqueue.h>
11#include <linux/slab.h>
12#include <linux/mii.h>
13#include <linux/usb.h>
14#include <linux/usb/cdc.h>
15#include <linux/usb/usbnet.h>
16#include <linux/usb/rndis_host.h>
17
18
19/*
20 * RNDIS is NDIS remoted over USB. It's a MSFT variant of CDC ACM ... of
21 * course ACM was intended for modems, not Ethernet links! USB's standard
22 * for Ethernet links is "CDC Ethernet", which is significantly simpler.
23 *
24 * NOTE that Microsoft's "RNDIS 1.0" specification is incomplete. Issues
25 * include:
26 * - Power management in particular relies on information that's scattered
27 * through other documentation, and which is incomplete or incorrect even
28 * there.
29 * - There are various undocumented protocol requirements, such as the
30 * need to send unused garbage in control-OUT messages.
31 * - In some cases, MS-Windows will emit undocumented requests; this
32 * matters more to peripheral implementations than host ones.
33 *
34 * Moreover there's a no-open-specs variant of RNDIS called "ActiveSync".
35 *
36 * For these reasons and others, ** USE OF RNDIS IS STRONGLY DISCOURAGED ** in
37 * favor of such non-proprietary alternatives as CDC Ethernet or the newer (and
38 * currently rare) "Ethernet Emulation Model" (EEM).
39 */
40
41/*
42 * RNDIS notifications from device: command completion; "reverse"
43 * keepalives; etc
44 */
45void rndis_status(struct usbnet *dev, struct urb *urb)
46{
47 netdev_dbg(dev->net, "rndis status urb, len %d stat %d\n",
48 urb->actual_length, urb->status);
49 // FIXME for keepalives, respond immediately (asynchronously)
50 // if not an RNDIS status, do like cdc_status(dev,urb) does
51}
52EXPORT_SYMBOL_GPL(rndis_status);
53
54/*
55 * RNDIS indicate messages.
56 */
57static void rndis_msg_indicate(struct usbnet *dev, struct rndis_indicate *msg,
58 int buflen)
59{
60 struct cdc_state *info = (void *)&dev->data;
61 struct device *udev = &info->control->dev;
62
63 if (dev->driver_info->indication) {
64 dev->driver_info->indication(dev, msg, buflen);
65 } else {
66 u32 status = le32_to_cpu(msg->status);
67
68 switch (status) {
69 case RNDIS_STATUS_MEDIA_CONNECT:
70 dev_info(udev, "rndis media connect\n");
71 break;
72 case RNDIS_STATUS_MEDIA_DISCONNECT:
73 dev_info(udev, "rndis media disconnect\n");
74 break;
75 default:
76 dev_info(udev, "rndis indication: 0x%08x\n", status);
77 }
78 }
79}
80
81/*
82 * RPC done RNDIS-style. Caller guarantees:
83 * - message is properly byteswapped
84 * - there's no other request pending
85 * - buf can hold up to 1KB response (required by RNDIS spec)
86 * On return, the first few entries are already byteswapped.
87 *
88 * Call context is likely probe(), before interface name is known,
89 * which is why we won't try to use it in the diagnostics.
90 */
91int rndis_command(struct usbnet *dev, struct rndis_msg_hdr *buf, int buflen)
92{
93 struct cdc_state *info = (void *) &dev->data;
94 struct usb_cdc_notification notification;
95 int master_ifnum;
96 int retval;
97 int partial;
98 unsigned count;
99 u32 xid = 0, msg_len, request_id, msg_type, rsp,
100 status;
101
102 /* REVISIT when this gets called from contexts other than probe() or
103 * disconnect(): either serialize, or dispatch responses on xid
104 */
105
106 msg_type = le32_to_cpu(buf->msg_type);
107
108 /* Issue the request; xid is unique, don't bother byteswapping it */
109 if (likely(msg_type != RNDIS_MSG_HALT && msg_type != RNDIS_MSG_RESET)) {
110 xid = dev->xid++;
111 if (!xid)
112 xid = dev->xid++;
113 buf->request_id = (__force __le32) xid;
114 }
115 master_ifnum = info->control->cur_altsetting->desc.bInterfaceNumber;
116 retval = usb_control_msg(dev->udev,
117 usb_sndctrlpipe(dev->udev, 0),
118 USB_CDC_SEND_ENCAPSULATED_COMMAND,
119 USB_TYPE_CLASS | USB_RECIP_INTERFACE,
120 0, master_ifnum,
121 buf, le32_to_cpu(buf->msg_len),
122 RNDIS_CONTROL_TIMEOUT_MS);
123 if (unlikely(retval < 0 || xid == 0))
124 return retval;
125
126 /* Some devices don't respond on the control channel until
127 * polled on the status channel, so do that first. */
128 if (dev->driver_info->data & RNDIS_DRIVER_DATA_POLL_STATUS) {
129 retval = usb_interrupt_msg(
130 dev->udev,
131 usb_rcvintpipe(dev->udev,
132 dev->status->desc.bEndpointAddress),
133 ¬ification, sizeof(notification), &partial,
134 RNDIS_CONTROL_TIMEOUT_MS);
135 if (unlikely(retval < 0))
136 return retval;
137 }
138
139 /* Poll the control channel; the request probably completed immediately */
140 rsp = le32_to_cpu(buf->msg_type) | RNDIS_MSG_COMPLETION;
141 for (count = 0; count < 10; count++) {
142 memset(buf, 0, CONTROL_BUFFER_SIZE);
143 retval = usb_control_msg(dev->udev,
144 usb_rcvctrlpipe(dev->udev, 0),
145 USB_CDC_GET_ENCAPSULATED_RESPONSE,
146 USB_DIR_IN | USB_TYPE_CLASS | USB_RECIP_INTERFACE,
147 0, master_ifnum,
148 buf, buflen,
149 RNDIS_CONTROL_TIMEOUT_MS);
150 if (likely(retval >= 8)) {
151 msg_type = le32_to_cpu(buf->msg_type);
152 msg_len = le32_to_cpu(buf->msg_len);
153 status = le32_to_cpu(buf->status);
154 request_id = (__force u32) buf->request_id;
155 if (likely(msg_type == rsp)) {
156 if (likely(request_id == xid)) {
157 if (unlikely(rsp == RNDIS_MSG_RESET_C))
158 return 0;
159 if (likely(RNDIS_STATUS_SUCCESS ==
160 status))
161 return 0;
162 dev_dbg(&info->control->dev,
163 "rndis reply status %08x\n",
164 status);
165 return -EL3RST;
166 }
167 dev_dbg(&info->control->dev,
168 "rndis reply id %d expected %d\n",
169 request_id, xid);
170 /* then likely retry */
171 } else switch (msg_type) {
172 case RNDIS_MSG_INDICATE: /* fault/event */
173 rndis_msg_indicate(dev, (void *)buf, buflen);
174 break;
175 case RNDIS_MSG_KEEPALIVE: { /* ping */
176 struct rndis_keepalive_c *msg = (void *)buf;
177
178 msg->msg_type = cpu_to_le32(RNDIS_MSG_KEEPALIVE_C);
179 msg->msg_len = cpu_to_le32(sizeof *msg);
180 msg->status = cpu_to_le32(RNDIS_STATUS_SUCCESS);
181 retval = usb_control_msg(dev->udev,
182 usb_sndctrlpipe(dev->udev, 0),
183 USB_CDC_SEND_ENCAPSULATED_COMMAND,
184 USB_TYPE_CLASS | USB_RECIP_INTERFACE,
185 0, master_ifnum,
186 msg, sizeof *msg,
187 RNDIS_CONTROL_TIMEOUT_MS);
188 if (unlikely(retval < 0))
189 dev_dbg(&info->control->dev,
190 "rndis keepalive err %d\n",
191 retval);
192 }
193 break;
194 default:
195 dev_dbg(&info->control->dev,
196 "unexpected rndis msg %08x len %d\n",
197 le32_to_cpu(buf->msg_type), msg_len);
198 }
199 } else {
200 /* device probably issued a protocol stall; ignore */
201 dev_dbg(&info->control->dev,
202 "rndis response error, code %d\n", retval);
203 }
204 msleep(40);
205 }
206 dev_dbg(&info->control->dev, "rndis response timeout\n");
207 return -ETIMEDOUT;
208}
209EXPORT_SYMBOL_GPL(rndis_command);
210
211/*
212 * rndis_query:
213 *
214 * Performs a query for @oid along with 0 or more bytes of payload as
215 * specified by @in_len. If @reply_len is not set to -1 then the reply
216 * length is checked against this value, resulting in an error if it
217 * doesn't match.
218 *
219 * NOTE: Adding a payload exactly or greater than the size of the expected
220 * response payload is an evident requirement MSFT added for ActiveSync.
221 *
222 * The only exception is for OIDs that return a variably sized response,
223 * in which case no payload should be added. This undocumented (and
224 * nonsensical!) issue was found by sniffing protocol requests from the
225 * ActiveSync 4.1 Windows driver.
226 */
227static int rndis_query(struct usbnet *dev, struct usb_interface *intf,
228 void *buf, u32 oid, u32 in_len,
229 void **reply, int *reply_len)
230{
231 int retval;
232 union {
233 void *buf;
234 struct rndis_msg_hdr *header;
235 struct rndis_query *get;
236 struct rndis_query_c *get_c;
237 } u;
238 u32 off, len;
239
240 u.buf = buf;
241
242 memset(u.get, 0, sizeof *u.get + in_len);
243 u.get->msg_type = cpu_to_le32(RNDIS_MSG_QUERY);
244 u.get->msg_len = cpu_to_le32(sizeof *u.get + in_len);
245 u.get->oid = cpu_to_le32(oid);
246 u.get->len = cpu_to_le32(in_len);
247 u.get->offset = cpu_to_le32(20);
248
249 retval = rndis_command(dev, u.header, CONTROL_BUFFER_SIZE);
250 if (unlikely(retval < 0)) {
251 dev_err(&intf->dev, "RNDIS_MSG_QUERY(0x%08x) failed, %d\n",
252 oid, retval);
253 return retval;
254 }
255
256 off = le32_to_cpu(u.get_c->offset);
257 len = le32_to_cpu(u.get_c->len);
258 if (unlikely((off > CONTROL_BUFFER_SIZE - 8) ||
259 (len > CONTROL_BUFFER_SIZE - 8 - off)))
260 goto response_error;
261
262 if (*reply_len != -1 && len != *reply_len)
263 goto response_error;
264
265 *reply = (unsigned char *) &u.get_c->request_id + off;
266 *reply_len = len;
267
268 return retval;
269
270response_error:
271 dev_err(&intf->dev, "RNDIS_MSG_QUERY(0x%08x) "
272 "invalid response - off %d len %d\n",
273 oid, off, len);
274 return -EDOM;
275}
276
277/* same as usbnet_netdev_ops but MTU change not allowed */
278static const struct net_device_ops rndis_netdev_ops = {
279 .ndo_open = usbnet_open,
280 .ndo_stop = usbnet_stop,
281 .ndo_start_xmit = usbnet_start_xmit,
282 .ndo_tx_timeout = usbnet_tx_timeout,
283 .ndo_get_stats64 = dev_get_tstats64,
284 .ndo_set_mac_address = eth_mac_addr,
285 .ndo_validate_addr = eth_validate_addr,
286};
287
288int
289generic_rndis_bind(struct usbnet *dev, struct usb_interface *intf, int flags)
290{
291 int retval;
292 struct net_device *net = dev->net;
293 struct cdc_state *info = (void *) &dev->data;
294 union {
295 void *buf;
296 struct rndis_msg_hdr *header;
297 struct rndis_init *init;
298 struct rndis_init_c *init_c;
299 struct rndis_query *get;
300 struct rndis_query_c *get_c;
301 struct rndis_set *set;
302 struct rndis_set_c *set_c;
303 struct rndis_halt *halt;
304 } u;
305 u32 tmp;
306 __le32 phym_unspec, *phym;
307 int reply_len;
308 unsigned char *bp;
309
310 /* we can't rely on i/o from stack working, or stack allocation */
311 u.buf = kmalloc(CONTROL_BUFFER_SIZE, GFP_KERNEL);
312 if (!u.buf)
313 return -ENOMEM;
314 retval = usbnet_generic_cdc_bind(dev, intf);
315 if (retval < 0)
316 goto fail;
317
318 u.init->msg_type = cpu_to_le32(RNDIS_MSG_INIT);
319 u.init->msg_len = cpu_to_le32(sizeof *u.init);
320 u.init->major_version = cpu_to_le32(1);
321 u.init->minor_version = cpu_to_le32(0);
322
323 /* max transfer (in spec) is 0x4000 at full speed, but for
324 * TX we'll stick to one Ethernet packet plus RNDIS framing.
325 * For RX we handle drivers that zero-pad to end-of-packet.
326 * Don't let userspace change these settings.
327 *
328 * NOTE: there still seems to be weirdness here, as if we need
329 * to do some more things to make sure WinCE targets accept this.
330 * They default to jumbograms of 8KB or 16KB, which is absurd
331 * for such low data rates and which is also more than Linux
332 * can usually expect to allocate for SKB data...
333 */
334 net->hard_header_len += sizeof (struct rndis_data_hdr);
335 dev->hard_mtu = net->mtu + net->hard_header_len;
336
337 dev->maxpacket = usb_maxpacket(dev->udev, dev->out);
338 if (dev->maxpacket == 0) {
339 netif_dbg(dev, probe, dev->net,
340 "dev->maxpacket can't be 0\n");
341 retval = -EINVAL;
342 goto fail_and_release;
343 }
344
345 dev->rx_urb_size = dev->hard_mtu + (dev->maxpacket + 1);
346 dev->rx_urb_size &= ~(dev->maxpacket - 1);
347 u.init->max_transfer_size = cpu_to_le32(dev->rx_urb_size);
348
349 net->netdev_ops = &rndis_netdev_ops;
350
351 retval = rndis_command(dev, u.header, CONTROL_BUFFER_SIZE);
352 if (unlikely(retval < 0)) {
353 /* it might not even be an RNDIS device!! */
354 dev_err(&intf->dev, "RNDIS init failed, %d\n", retval);
355 goto fail_and_release;
356 }
357 tmp = le32_to_cpu(u.init_c->max_transfer_size);
358 if (tmp < dev->hard_mtu) {
359 if (tmp <= net->hard_header_len) {
360 dev_err(&intf->dev,
361 "dev can't take %u byte packets (max %u)\n",
362 dev->hard_mtu, tmp);
363 retval = -EINVAL;
364 goto halt_fail_and_release;
365 }
366 dev_warn(&intf->dev,
367 "dev can't take %u byte packets (max %u), "
368 "adjusting MTU to %u\n",
369 dev->hard_mtu, tmp, tmp - net->hard_header_len);
370 dev->hard_mtu = tmp;
371 net->mtu = dev->hard_mtu - net->hard_header_len;
372 }
373
374 /* REVISIT: peripheral "alignment" request is ignored ... */
375 dev_dbg(&intf->dev,
376 "hard mtu %u (%u from dev), rx buflen %zu, align %d\n",
377 dev->hard_mtu, tmp, dev->rx_urb_size,
378 1 << le32_to_cpu(u.init_c->packet_alignment));
379
380 /* module has some device initialization code needs to be done right
381 * after RNDIS_INIT */
382 if (dev->driver_info->early_init &&
383 dev->driver_info->early_init(dev) != 0)
384 goto halt_fail_and_release;
385
386 /* Check physical medium */
387 phym = NULL;
388 reply_len = sizeof *phym;
389 retval = rndis_query(dev, intf, u.buf,
390 RNDIS_OID_GEN_PHYSICAL_MEDIUM,
391 reply_len, (void **)&phym, &reply_len);
392 if (retval != 0 || !phym) {
393 /* OID is optional so don't fail here. */
394 phym_unspec = cpu_to_le32(RNDIS_PHYSICAL_MEDIUM_UNSPECIFIED);
395 phym = &phym_unspec;
396 }
397 if ((flags & FLAG_RNDIS_PHYM_WIRELESS) &&
398 le32_to_cpup(phym) != RNDIS_PHYSICAL_MEDIUM_WIRELESS_LAN) {
399 netif_dbg(dev, probe, dev->net,
400 "driver requires wireless physical medium, but device is not\n");
401 retval = -ENODEV;
402 goto halt_fail_and_release;
403 }
404 if ((flags & FLAG_RNDIS_PHYM_NOT_WIRELESS) &&
405 le32_to_cpup(phym) == RNDIS_PHYSICAL_MEDIUM_WIRELESS_LAN) {
406 netif_dbg(dev, probe, dev->net,
407 "driver requires non-wireless physical medium, but device is wireless.\n");
408 retval = -ENODEV;
409 goto halt_fail_and_release;
410 }
411
412 /* Get designated host ethernet address */
413 reply_len = ETH_ALEN;
414 retval = rndis_query(dev, intf, u.buf,
415 RNDIS_OID_802_3_PERMANENT_ADDRESS,
416 48, (void **) &bp, &reply_len);
417 if (unlikely(retval< 0)) {
418 dev_err(&intf->dev, "rndis get ethaddr, %d\n", retval);
419 goto halt_fail_and_release;
420 }
421
422 eth_hw_addr_set(net, bp);
423
424 /* set a nonzero filter to enable data transfers */
425 memset(u.set, 0, sizeof *u.set);
426 u.set->msg_type = cpu_to_le32(RNDIS_MSG_SET);
427 u.set->msg_len = cpu_to_le32(4 + sizeof *u.set);
428 u.set->oid = cpu_to_le32(RNDIS_OID_GEN_CURRENT_PACKET_FILTER);
429 u.set->len = cpu_to_le32(4);
430 u.set->offset = cpu_to_le32((sizeof *u.set) - 8);
431 *(__le32 *)(u.buf + sizeof *u.set) = cpu_to_le32(RNDIS_DEFAULT_FILTER);
432
433 retval = rndis_command(dev, u.header, CONTROL_BUFFER_SIZE);
434 if (unlikely(retval < 0)) {
435 dev_err(&intf->dev, "rndis set packet filter, %d\n", retval);
436 goto halt_fail_and_release;
437 }
438
439 retval = 0;
440
441 kfree(u.buf);
442 return retval;
443
444halt_fail_and_release:
445 memset(u.halt, 0, sizeof *u.halt);
446 u.halt->msg_type = cpu_to_le32(RNDIS_MSG_HALT);
447 u.halt->msg_len = cpu_to_le32(sizeof *u.halt);
448 (void) rndis_command(dev, (void *)u.halt, CONTROL_BUFFER_SIZE);
449fail_and_release:
450 usb_set_intfdata(info->data, NULL);
451 usb_driver_release_interface(driver_of(intf), info->data);
452 info->data = NULL;
453fail:
454 kfree(u.buf);
455 return retval;
456}
457EXPORT_SYMBOL_GPL(generic_rndis_bind);
458
459static int rndis_bind(struct usbnet *dev, struct usb_interface *intf)
460{
461 return generic_rndis_bind(dev, intf, FLAG_RNDIS_PHYM_NOT_WIRELESS);
462}
463
464static int zte_rndis_bind(struct usbnet *dev, struct usb_interface *intf)
465{
466 int status = rndis_bind(dev, intf);
467
468 if (!status && (dev->net->dev_addr[0] & 0x02))
469 eth_hw_addr_random(dev->net);
470
471 return status;
472}
473
474void rndis_unbind(struct usbnet *dev, struct usb_interface *intf)
475{
476 struct rndis_halt *halt;
477
478 /* try to clear any rndis state/activity (no i/o from stack!) */
479 halt = kzalloc(CONTROL_BUFFER_SIZE, GFP_KERNEL);
480 if (halt) {
481 halt->msg_type = cpu_to_le32(RNDIS_MSG_HALT);
482 halt->msg_len = cpu_to_le32(sizeof *halt);
483 (void) rndis_command(dev, (void *)halt, CONTROL_BUFFER_SIZE);
484 kfree(halt);
485 }
486
487 usbnet_cdc_unbind(dev, intf);
488}
489EXPORT_SYMBOL_GPL(rndis_unbind);
490
491/*
492 * DATA -- host must not write zlps
493 */
494int rndis_rx_fixup(struct usbnet *dev, struct sk_buff *skb)
495{
496 bool dst_mac_fixup;
497
498 /* This check is no longer done by usbnet */
499 if (skb->len < dev->net->hard_header_len)
500 return 0;
501
502 dst_mac_fixup = !!(dev->driver_info->data & RNDIS_DRIVER_DATA_DST_MAC_FIXUP);
503
504 /* peripheral may have batched packets to us... */
505 while (likely(skb->len)) {
506 struct rndis_data_hdr *hdr = (void *)skb->data;
507 struct sk_buff *skb2;
508 u32 msg_type, msg_len, data_offset, data_len;
509
510 msg_type = le32_to_cpu(hdr->msg_type);
511 msg_len = le32_to_cpu(hdr->msg_len);
512 data_offset = le32_to_cpu(hdr->data_offset);
513 data_len = le32_to_cpu(hdr->data_len);
514
515 /* don't choke if we see oob, per-packet data, etc */
516 if (unlikely(msg_type != RNDIS_MSG_PACKET || skb->len < msg_len
517 || (data_offset + data_len + 8) > msg_len)) {
518 dev->net->stats.rx_frame_errors++;
519 netdev_dbg(dev->net, "bad rndis message %d/%d/%d/%d, len %d\n",
520 le32_to_cpu(hdr->msg_type),
521 msg_len, data_offset, data_len, skb->len);
522 return 0;
523 }
524 skb_pull(skb, 8 + data_offset);
525
526 /* at most one packet left? */
527 if (likely((data_len - skb->len) <= sizeof *hdr)) {
528 skb_trim(skb, data_len);
529 break;
530 }
531
532 /* try to return all the packets in the batch */
533 skb2 = skb_clone(skb, GFP_ATOMIC);
534 if (unlikely(!skb2))
535 break;
536 skb_pull(skb, msg_len - sizeof *hdr);
537 skb_trim(skb2, data_len);
538
539 if (unlikely(dst_mac_fixup))
540 usbnet_cdc_zte_rx_fixup(dev, skb2);
541
542 usbnet_skb_return(dev, skb2);
543 }
544
545 /* caller will usbnet_skb_return the remaining packet */
546 if (unlikely(dst_mac_fixup))
547 usbnet_cdc_zte_rx_fixup(dev, skb);
548
549 return 1;
550}
551EXPORT_SYMBOL_GPL(rndis_rx_fixup);
552
553struct sk_buff *
554rndis_tx_fixup(struct usbnet *dev, struct sk_buff *skb, gfp_t flags)
555{
556 struct rndis_data_hdr *hdr;
557 struct sk_buff *skb2;
558 unsigned len = skb->len;
559
560 if (likely(!skb_cloned(skb))) {
561 int room = skb_headroom(skb);
562
563 /* enough head room as-is? */
564 if (unlikely((sizeof *hdr) <= room))
565 goto fill;
566
567 /* enough room, but needs to be readjusted? */
568 room += skb_tailroom(skb);
569 if (likely((sizeof *hdr) <= room)) {
570 skb->data = memmove(skb->head + sizeof *hdr,
571 skb->data, len);
572 skb_set_tail_pointer(skb, len);
573 goto fill;
574 }
575 }
576
577 /* create a new skb, with the correct size (and tailpad) */
578 skb2 = skb_copy_expand(skb, sizeof *hdr, 1, flags);
579 dev_kfree_skb_any(skb);
580 if (unlikely(!skb2))
581 return skb2;
582 skb = skb2;
583
584 /* fill out the RNDIS header. we won't bother trying to batch
585 * packets; Linux minimizes wasted bandwidth through tx queues.
586 */
587fill:
588 hdr = __skb_push(skb, sizeof *hdr);
589 memset(hdr, 0, sizeof *hdr);
590 hdr->msg_type = cpu_to_le32(RNDIS_MSG_PACKET);
591 hdr->msg_len = cpu_to_le32(skb->len);
592 hdr->data_offset = cpu_to_le32(sizeof(*hdr) - 8);
593 hdr->data_len = cpu_to_le32(len);
594
595 /* FIXME make the last packet always be short ... */
596 return skb;
597}
598EXPORT_SYMBOL_GPL(rndis_tx_fixup);
599
600
601static const struct driver_info rndis_info = {
602 .description = "RNDIS device",
603 .flags = FLAG_ETHER | FLAG_POINTTOPOINT | FLAG_FRAMING_RN | FLAG_NO_SETINT,
604 .bind = rndis_bind,
605 .unbind = rndis_unbind,
606 .status = rndis_status,
607 .rx_fixup = rndis_rx_fixup,
608 .tx_fixup = rndis_tx_fixup,
609};
610
611static const struct driver_info rndis_poll_status_info = {
612 .description = "RNDIS device (poll status before control)",
613 .flags = FLAG_ETHER | FLAG_POINTTOPOINT | FLAG_FRAMING_RN | FLAG_NO_SETINT,
614 .data = RNDIS_DRIVER_DATA_POLL_STATUS,
615 .bind = rndis_bind,
616 .unbind = rndis_unbind,
617 .status = rndis_status,
618 .rx_fixup = rndis_rx_fixup,
619 .tx_fixup = rndis_tx_fixup,
620};
621
622static const struct driver_info zte_rndis_info = {
623 .description = "ZTE RNDIS device",
624 .flags = FLAG_ETHER | FLAG_POINTTOPOINT | FLAG_FRAMING_RN | FLAG_NO_SETINT,
625 .data = RNDIS_DRIVER_DATA_DST_MAC_FIXUP,
626 .bind = zte_rndis_bind,
627 .unbind = rndis_unbind,
628 .status = rndis_status,
629 .rx_fixup = rndis_rx_fixup,
630 .tx_fixup = rndis_tx_fixup,
631};
632
633/*-------------------------------------------------------------------------*/
634
635static const struct usb_device_id products [] = {
636{
637 /* 2Wire HomePortal 1000SW */
638 USB_DEVICE_AND_INTERFACE_INFO(0x1630, 0x0042,
639 USB_CLASS_COMM, 2 /* ACM */, 0x0ff),
640 .driver_info = (unsigned long) &rndis_poll_status_info,
641}, {
642 /* Hytera Communications DMR radios' "Radio to PC Network" */
643 USB_VENDOR_AND_INTERFACE_INFO(0x238b,
644 USB_CLASS_COMM, 2 /* ACM */, 0x0ff),
645 .driver_info = (unsigned long)&rndis_info,
646}, {
647 /* ZTE WWAN modules */
648 USB_VENDOR_AND_INTERFACE_INFO(0x19d2,
649 USB_CLASS_WIRELESS_CONTROLLER, 1, 3),
650 .driver_info = (unsigned long)&zte_rndis_info,
651}, {
652 /* ZTE WWAN modules, ACM flavour */
653 USB_VENDOR_AND_INTERFACE_INFO(0x19d2,
654 USB_CLASS_COMM, 2 /* ACM */, 0x0ff),
655 .driver_info = (unsigned long)&zte_rndis_info,
656}, {
657 /* RNDIS is MSFT's un-official variant of CDC ACM */
658 USB_INTERFACE_INFO(USB_CLASS_COMM, 2 /* ACM */, 0x0ff),
659 .driver_info = (unsigned long) &rndis_info,
660}, {
661 /* "ActiveSync" is an undocumented variant of RNDIS, used in WM5 */
662 USB_INTERFACE_INFO(USB_CLASS_MISC, 1, 1),
663 .driver_info = (unsigned long) &rndis_poll_status_info,
664}, {
665 /* RNDIS for tethering */
666 USB_INTERFACE_INFO(USB_CLASS_WIRELESS_CONTROLLER, 1, 3),
667 .driver_info = (unsigned long) &rndis_info,
668}, {
669 /* Novatel Verizon USB730L */
670 USB_INTERFACE_INFO(USB_CLASS_MISC, 4, 1),
671 .driver_info = (unsigned long) &rndis_info,
672},
673 { }, // END
674};
675MODULE_DEVICE_TABLE(usb, products);
676
677static struct usb_driver rndis_driver = {
678 .name = "rndis_host",
679 .id_table = products,
680 .probe = usbnet_probe,
681 .disconnect = usbnet_disconnect,
682 .suspend = usbnet_suspend,
683 .resume = usbnet_resume,
684 .disable_hub_initiated_lpm = 1,
685};
686
687module_usb_driver(rndis_driver);
688
689MODULE_AUTHOR("David Brownell");
690MODULE_DESCRIPTION("USB Host side RNDIS driver");
691MODULE_LICENSE("GPL");
1/*
2 * Host Side support for RNDIS Networking Links
3 * Copyright (C) 2005 by David Brownell
4 *
5 * This program is free software; you can redistribute it and/or modify
6 * it under the terms of the GNU General Public License as published by
7 * the Free Software Foundation; either version 2 of the License, or
8 * (at your option) any later version.
9 *
10 * This program is distributed in the hope that it will be useful,
11 * but WITHOUT ANY WARRANTY; without even the implied warranty of
12 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
13 * GNU General Public License for more details.
14 *
15 * You should have received a copy of the GNU General Public License
16 * along with this program; if not, write to the Free Software
17 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
18 */
19#include <linux/module.h>
20#include <linux/init.h>
21#include <linux/netdevice.h>
22#include <linux/etherdevice.h>
23#include <linux/ethtool.h>
24#include <linux/workqueue.h>
25#include <linux/slab.h>
26#include <linux/mii.h>
27#include <linux/usb.h>
28#include <linux/usb/cdc.h>
29#include <linux/usb/usbnet.h>
30#include <linux/usb/rndis_host.h>
31
32
33/*
34 * RNDIS is NDIS remoted over USB. It's a MSFT variant of CDC ACM ... of
35 * course ACM was intended for modems, not Ethernet links! USB's standard
36 * for Ethernet links is "CDC Ethernet", which is significantly simpler.
37 *
38 * NOTE that Microsoft's "RNDIS 1.0" specification is incomplete. Issues
39 * include:
40 * - Power management in particular relies on information that's scattered
41 * through other documentation, and which is incomplete or incorrect even
42 * there.
43 * - There are various undocumented protocol requirements, such as the
44 * need to send unused garbage in control-OUT messages.
45 * - In some cases, MS-Windows will emit undocumented requests; this
46 * matters more to peripheral implementations than host ones.
47 *
48 * Moreover there's a no-open-specs variant of RNDIS called "ActiveSync".
49 *
50 * For these reasons and others, ** USE OF RNDIS IS STRONGLY DISCOURAGED ** in
51 * favor of such non-proprietary alternatives as CDC Ethernet or the newer (and
52 * currently rare) "Ethernet Emulation Model" (EEM).
53 */
54
55/*
56 * RNDIS notifications from device: command completion; "reverse"
57 * keepalives; etc
58 */
59void rndis_status(struct usbnet *dev, struct urb *urb)
60{
61 netdev_dbg(dev->net, "rndis status urb, len %d stat %d\n",
62 urb->actual_length, urb->status);
63 // FIXME for keepalives, respond immediately (asynchronously)
64 // if not an RNDIS status, do like cdc_status(dev,urb) does
65}
66EXPORT_SYMBOL_GPL(rndis_status);
67
68/*
69 * RNDIS indicate messages.
70 */
71static void rndis_msg_indicate(struct usbnet *dev, struct rndis_indicate *msg,
72 int buflen)
73{
74 struct cdc_state *info = (void *)&dev->data;
75 struct device *udev = &info->control->dev;
76
77 if (dev->driver_info->indication) {
78 dev->driver_info->indication(dev, msg, buflen);
79 } else {
80 u32 status = le32_to_cpu(msg->status);
81
82 switch (status) {
83 case RNDIS_STATUS_MEDIA_CONNECT:
84 dev_info(udev, "rndis media connect\n");
85 break;
86 case RNDIS_STATUS_MEDIA_DISCONNECT:
87 dev_info(udev, "rndis media disconnect\n");
88 break;
89 default:
90 dev_info(udev, "rndis indication: 0x%08x\n", status);
91 }
92 }
93}
94
95/*
96 * RPC done RNDIS-style. Caller guarantees:
97 * - message is properly byteswapped
98 * - there's no other request pending
99 * - buf can hold up to 1KB response (required by RNDIS spec)
100 * On return, the first few entries are already byteswapped.
101 *
102 * Call context is likely probe(), before interface name is known,
103 * which is why we won't try to use it in the diagnostics.
104 */
105int rndis_command(struct usbnet *dev, struct rndis_msg_hdr *buf, int buflen)
106{
107 struct cdc_state *info = (void *) &dev->data;
108 struct usb_cdc_notification notification;
109 int master_ifnum;
110 int retval;
111 int partial;
112 unsigned count;
113 u32 xid = 0, msg_len, request_id, msg_type, rsp,
114 status;
115
116 /* REVISIT when this gets called from contexts other than probe() or
117 * disconnect(): either serialize, or dispatch responses on xid
118 */
119
120 msg_type = le32_to_cpu(buf->msg_type);
121
122 /* Issue the request; xid is unique, don't bother byteswapping it */
123 if (likely(msg_type != RNDIS_MSG_HALT && msg_type != RNDIS_MSG_RESET)) {
124 xid = dev->xid++;
125 if (!xid)
126 xid = dev->xid++;
127 buf->request_id = (__force __le32) xid;
128 }
129 master_ifnum = info->control->cur_altsetting->desc.bInterfaceNumber;
130 retval = usb_control_msg(dev->udev,
131 usb_sndctrlpipe(dev->udev, 0),
132 USB_CDC_SEND_ENCAPSULATED_COMMAND,
133 USB_TYPE_CLASS | USB_RECIP_INTERFACE,
134 0, master_ifnum,
135 buf, le32_to_cpu(buf->msg_len),
136 RNDIS_CONTROL_TIMEOUT_MS);
137 if (unlikely(retval < 0 || xid == 0))
138 return retval;
139
140 /* Some devices don't respond on the control channel until
141 * polled on the status channel, so do that first. */
142 if (dev->driver_info->data & RNDIS_DRIVER_DATA_POLL_STATUS) {
143 retval = usb_interrupt_msg(
144 dev->udev,
145 usb_rcvintpipe(dev->udev,
146 dev->status->desc.bEndpointAddress),
147 ¬ification, sizeof(notification), &partial,
148 RNDIS_CONTROL_TIMEOUT_MS);
149 if (unlikely(retval < 0))
150 return retval;
151 }
152
153 /* Poll the control channel; the request probably completed immediately */
154 rsp = le32_to_cpu(buf->msg_type) | RNDIS_MSG_COMPLETION;
155 for (count = 0; count < 10; count++) {
156 memset(buf, 0, CONTROL_BUFFER_SIZE);
157 retval = usb_control_msg(dev->udev,
158 usb_rcvctrlpipe(dev->udev, 0),
159 USB_CDC_GET_ENCAPSULATED_RESPONSE,
160 USB_DIR_IN | USB_TYPE_CLASS | USB_RECIP_INTERFACE,
161 0, master_ifnum,
162 buf, buflen,
163 RNDIS_CONTROL_TIMEOUT_MS);
164 if (likely(retval >= 8)) {
165 msg_type = le32_to_cpu(buf->msg_type);
166 msg_len = le32_to_cpu(buf->msg_len);
167 status = le32_to_cpu(buf->status);
168 request_id = (__force u32) buf->request_id;
169 if (likely(msg_type == rsp)) {
170 if (likely(request_id == xid)) {
171 if (unlikely(rsp == RNDIS_MSG_RESET_C))
172 return 0;
173 if (likely(RNDIS_STATUS_SUCCESS ==
174 status))
175 return 0;
176 dev_dbg(&info->control->dev,
177 "rndis reply status %08x\n",
178 status);
179 return -EL3RST;
180 }
181 dev_dbg(&info->control->dev,
182 "rndis reply id %d expected %d\n",
183 request_id, xid);
184 /* then likely retry */
185 } else switch (msg_type) {
186 case RNDIS_MSG_INDICATE: /* fault/event */
187 rndis_msg_indicate(dev, (void *)buf, buflen);
188 break;
189 case RNDIS_MSG_KEEPALIVE: { /* ping */
190 struct rndis_keepalive_c *msg = (void *)buf;
191
192 msg->msg_type = cpu_to_le32(RNDIS_MSG_KEEPALIVE_C);
193 msg->msg_len = cpu_to_le32(sizeof *msg);
194 msg->status = cpu_to_le32(RNDIS_STATUS_SUCCESS);
195 retval = usb_control_msg(dev->udev,
196 usb_sndctrlpipe(dev->udev, 0),
197 USB_CDC_SEND_ENCAPSULATED_COMMAND,
198 USB_TYPE_CLASS | USB_RECIP_INTERFACE,
199 0, master_ifnum,
200 msg, sizeof *msg,
201 RNDIS_CONTROL_TIMEOUT_MS);
202 if (unlikely(retval < 0))
203 dev_dbg(&info->control->dev,
204 "rndis keepalive err %d\n",
205 retval);
206 }
207 break;
208 default:
209 dev_dbg(&info->control->dev,
210 "unexpected rndis msg %08x len %d\n",
211 le32_to_cpu(buf->msg_type), msg_len);
212 }
213 } else {
214 /* device probably issued a protocol stall; ignore */
215 dev_dbg(&info->control->dev,
216 "rndis response error, code %d\n", retval);
217 }
218 msleep(20);
219 }
220 dev_dbg(&info->control->dev, "rndis response timeout\n");
221 return -ETIMEDOUT;
222}
223EXPORT_SYMBOL_GPL(rndis_command);
224
225/*
226 * rndis_query:
227 *
228 * Performs a query for @oid along with 0 or more bytes of payload as
229 * specified by @in_len. If @reply_len is not set to -1 then the reply
230 * length is checked against this value, resulting in an error if it
231 * doesn't match.
232 *
233 * NOTE: Adding a payload exactly or greater than the size of the expected
234 * response payload is an evident requirement MSFT added for ActiveSync.
235 *
236 * The only exception is for OIDs that return a variably sized response,
237 * in which case no payload should be added. This undocumented (and
238 * nonsensical!) issue was found by sniffing protocol requests from the
239 * ActiveSync 4.1 Windows driver.
240 */
241static int rndis_query(struct usbnet *dev, struct usb_interface *intf,
242 void *buf, u32 oid, u32 in_len,
243 void **reply, int *reply_len)
244{
245 int retval;
246 union {
247 void *buf;
248 struct rndis_msg_hdr *header;
249 struct rndis_query *get;
250 struct rndis_query_c *get_c;
251 } u;
252 u32 off, len;
253
254 u.buf = buf;
255
256 memset(u.get, 0, sizeof *u.get + in_len);
257 u.get->msg_type = cpu_to_le32(RNDIS_MSG_QUERY);
258 u.get->msg_len = cpu_to_le32(sizeof *u.get + in_len);
259 u.get->oid = cpu_to_le32(oid);
260 u.get->len = cpu_to_le32(in_len);
261 u.get->offset = cpu_to_le32(20);
262
263 retval = rndis_command(dev, u.header, CONTROL_BUFFER_SIZE);
264 if (unlikely(retval < 0)) {
265 dev_err(&intf->dev, "RNDIS_MSG_QUERY(0x%08x) failed, %d\n",
266 oid, retval);
267 return retval;
268 }
269
270 off = le32_to_cpu(u.get_c->offset);
271 len = le32_to_cpu(u.get_c->len);
272 if (unlikely((8 + off + len) > CONTROL_BUFFER_SIZE))
273 goto response_error;
274
275 if (*reply_len != -1 && len != *reply_len)
276 goto response_error;
277
278 *reply = (unsigned char *) &u.get_c->request_id + off;
279 *reply_len = len;
280
281 return retval;
282
283response_error:
284 dev_err(&intf->dev, "RNDIS_MSG_QUERY(0x%08x) "
285 "invalid response - off %d len %d\n",
286 oid, off, len);
287 return -EDOM;
288}
289
290/* same as usbnet_netdev_ops but MTU change not allowed */
291static const struct net_device_ops rndis_netdev_ops = {
292 .ndo_open = usbnet_open,
293 .ndo_stop = usbnet_stop,
294 .ndo_start_xmit = usbnet_start_xmit,
295 .ndo_tx_timeout = usbnet_tx_timeout,
296 .ndo_set_mac_address = eth_mac_addr,
297 .ndo_validate_addr = eth_validate_addr,
298};
299
300int
301generic_rndis_bind(struct usbnet *dev, struct usb_interface *intf, int flags)
302{
303 int retval;
304 struct net_device *net = dev->net;
305 struct cdc_state *info = (void *) &dev->data;
306 union {
307 void *buf;
308 struct rndis_msg_hdr *header;
309 struct rndis_init *init;
310 struct rndis_init_c *init_c;
311 struct rndis_query *get;
312 struct rndis_query_c *get_c;
313 struct rndis_set *set;
314 struct rndis_set_c *set_c;
315 struct rndis_halt *halt;
316 } u;
317 u32 tmp;
318 __le32 phym_unspec, *phym;
319 int reply_len;
320 unsigned char *bp;
321
322 /* we can't rely on i/o from stack working, or stack allocation */
323 u.buf = kmalloc(CONTROL_BUFFER_SIZE, GFP_KERNEL);
324 if (!u.buf)
325 return -ENOMEM;
326 retval = usbnet_generic_cdc_bind(dev, intf);
327 if (retval < 0)
328 goto fail;
329
330 u.init->msg_type = cpu_to_le32(RNDIS_MSG_INIT);
331 u.init->msg_len = cpu_to_le32(sizeof *u.init);
332 u.init->major_version = cpu_to_le32(1);
333 u.init->minor_version = cpu_to_le32(0);
334
335 /* max transfer (in spec) is 0x4000 at full speed, but for
336 * TX we'll stick to one Ethernet packet plus RNDIS framing.
337 * For RX we handle drivers that zero-pad to end-of-packet.
338 * Don't let userspace change these settings.
339 *
340 * NOTE: there still seems to be wierdness here, as if we need
341 * to do some more things to make sure WinCE targets accept this.
342 * They default to jumbograms of 8KB or 16KB, which is absurd
343 * for such low data rates and which is also more than Linux
344 * can usually expect to allocate for SKB data...
345 */
346 net->hard_header_len += sizeof (struct rndis_data_hdr);
347 dev->hard_mtu = net->mtu + net->hard_header_len;
348
349 dev->maxpacket = usb_maxpacket(dev->udev, dev->out, 1);
350 if (dev->maxpacket == 0) {
351 netif_dbg(dev, probe, dev->net,
352 "dev->maxpacket can't be 0\n");
353 retval = -EINVAL;
354 goto fail_and_release;
355 }
356
357 dev->rx_urb_size = dev->hard_mtu + (dev->maxpacket + 1);
358 dev->rx_urb_size &= ~(dev->maxpacket - 1);
359 u.init->max_transfer_size = cpu_to_le32(dev->rx_urb_size);
360
361 net->netdev_ops = &rndis_netdev_ops;
362
363 retval = rndis_command(dev, u.header, CONTROL_BUFFER_SIZE);
364 if (unlikely(retval < 0)) {
365 /* it might not even be an RNDIS device!! */
366 dev_err(&intf->dev, "RNDIS init failed, %d\n", retval);
367 goto fail_and_release;
368 }
369 tmp = le32_to_cpu(u.init_c->max_transfer_size);
370 if (tmp < dev->hard_mtu) {
371 if (tmp <= net->hard_header_len) {
372 dev_err(&intf->dev,
373 "dev can't take %u byte packets (max %u)\n",
374 dev->hard_mtu, tmp);
375 retval = -EINVAL;
376 goto halt_fail_and_release;
377 }
378 dev_warn(&intf->dev,
379 "dev can't take %u byte packets (max %u), "
380 "adjusting MTU to %u\n",
381 dev->hard_mtu, tmp, tmp - net->hard_header_len);
382 dev->hard_mtu = tmp;
383 net->mtu = dev->hard_mtu - net->hard_header_len;
384 }
385
386 /* REVISIT: peripheral "alignment" request is ignored ... */
387 dev_dbg(&intf->dev,
388 "hard mtu %u (%u from dev), rx buflen %Zu, align %d\n",
389 dev->hard_mtu, tmp, dev->rx_urb_size,
390 1 << le32_to_cpu(u.init_c->packet_alignment));
391
392 /* module has some device initialization code needs to be done right
393 * after RNDIS_INIT */
394 if (dev->driver_info->early_init &&
395 dev->driver_info->early_init(dev) != 0)
396 goto halt_fail_and_release;
397
398 /* Check physical medium */
399 phym = NULL;
400 reply_len = sizeof *phym;
401 retval = rndis_query(dev, intf, u.buf,
402 RNDIS_OID_GEN_PHYSICAL_MEDIUM,
403 0, (void **) &phym, &reply_len);
404 if (retval != 0 || !phym) {
405 /* OID is optional so don't fail here. */
406 phym_unspec = cpu_to_le32(RNDIS_PHYSICAL_MEDIUM_UNSPECIFIED);
407 phym = &phym_unspec;
408 }
409 if ((flags & FLAG_RNDIS_PHYM_WIRELESS) &&
410 le32_to_cpup(phym) != RNDIS_PHYSICAL_MEDIUM_WIRELESS_LAN) {
411 netif_dbg(dev, probe, dev->net,
412 "driver requires wireless physical medium, but device is not\n");
413 retval = -ENODEV;
414 goto halt_fail_and_release;
415 }
416 if ((flags & FLAG_RNDIS_PHYM_NOT_WIRELESS) &&
417 le32_to_cpup(phym) == RNDIS_PHYSICAL_MEDIUM_WIRELESS_LAN) {
418 netif_dbg(dev, probe, dev->net,
419 "driver requires non-wireless physical medium, but device is wireless.\n");
420 retval = -ENODEV;
421 goto halt_fail_and_release;
422 }
423
424 /* Get designated host ethernet address */
425 reply_len = ETH_ALEN;
426 retval = rndis_query(dev, intf, u.buf,
427 RNDIS_OID_802_3_PERMANENT_ADDRESS,
428 48, (void **) &bp, &reply_len);
429 if (unlikely(retval< 0)) {
430 dev_err(&intf->dev, "rndis get ethaddr, %d\n", retval);
431 goto halt_fail_and_release;
432 }
433 memcpy(net->dev_addr, bp, ETH_ALEN);
434 memcpy(net->perm_addr, bp, ETH_ALEN);
435
436 /* set a nonzero filter to enable data transfers */
437 memset(u.set, 0, sizeof *u.set);
438 u.set->msg_type = cpu_to_le32(RNDIS_MSG_SET);
439 u.set->msg_len = cpu_to_le32(4 + sizeof *u.set);
440 u.set->oid = cpu_to_le32(RNDIS_OID_GEN_CURRENT_PACKET_FILTER);
441 u.set->len = cpu_to_le32(4);
442 u.set->offset = cpu_to_le32((sizeof *u.set) - 8);
443 *(__le32 *)(u.buf + sizeof *u.set) = cpu_to_le32(RNDIS_DEFAULT_FILTER);
444
445 retval = rndis_command(dev, u.header, CONTROL_BUFFER_SIZE);
446 if (unlikely(retval < 0)) {
447 dev_err(&intf->dev, "rndis set packet filter, %d\n", retval);
448 goto halt_fail_and_release;
449 }
450
451 retval = 0;
452
453 kfree(u.buf);
454 return retval;
455
456halt_fail_and_release:
457 memset(u.halt, 0, sizeof *u.halt);
458 u.halt->msg_type = cpu_to_le32(RNDIS_MSG_HALT);
459 u.halt->msg_len = cpu_to_le32(sizeof *u.halt);
460 (void) rndis_command(dev, (void *)u.halt, CONTROL_BUFFER_SIZE);
461fail_and_release:
462 usb_set_intfdata(info->data, NULL);
463 usb_driver_release_interface(driver_of(intf), info->data);
464 info->data = NULL;
465fail:
466 kfree(u.buf);
467 return retval;
468}
469EXPORT_SYMBOL_GPL(generic_rndis_bind);
470
471static int rndis_bind(struct usbnet *dev, struct usb_interface *intf)
472{
473 return generic_rndis_bind(dev, intf, FLAG_RNDIS_PHYM_NOT_WIRELESS);
474}
475
476void rndis_unbind(struct usbnet *dev, struct usb_interface *intf)
477{
478 struct rndis_halt *halt;
479
480 /* try to clear any rndis state/activity (no i/o from stack!) */
481 halt = kzalloc(CONTROL_BUFFER_SIZE, GFP_KERNEL);
482 if (halt) {
483 halt->msg_type = cpu_to_le32(RNDIS_MSG_HALT);
484 halt->msg_len = cpu_to_le32(sizeof *halt);
485 (void) rndis_command(dev, (void *)halt, CONTROL_BUFFER_SIZE);
486 kfree(halt);
487 }
488
489 usbnet_cdc_unbind(dev, intf);
490}
491EXPORT_SYMBOL_GPL(rndis_unbind);
492
493/*
494 * DATA -- host must not write zlps
495 */
496int rndis_rx_fixup(struct usbnet *dev, struct sk_buff *skb)
497{
498 /* peripheral may have batched packets to us... */
499 while (likely(skb->len)) {
500 struct rndis_data_hdr *hdr = (void *)skb->data;
501 struct sk_buff *skb2;
502 u32 msg_type, msg_len, data_offset, data_len;
503
504 msg_type = le32_to_cpu(hdr->msg_type);
505 msg_len = le32_to_cpu(hdr->msg_len);
506 data_offset = le32_to_cpu(hdr->data_offset);
507 data_len = le32_to_cpu(hdr->data_len);
508
509 /* don't choke if we see oob, per-packet data, etc */
510 if (unlikely(msg_type != RNDIS_MSG_PACKET || skb->len < msg_len
511 || (data_offset + data_len + 8) > msg_len)) {
512 dev->net->stats.rx_frame_errors++;
513 netdev_dbg(dev->net, "bad rndis message %d/%d/%d/%d, len %d\n",
514 le32_to_cpu(hdr->msg_type),
515 msg_len, data_offset, data_len, skb->len);
516 return 0;
517 }
518 skb_pull(skb, 8 + data_offset);
519
520 /* at most one packet left? */
521 if (likely((data_len - skb->len) <= sizeof *hdr)) {
522 skb_trim(skb, data_len);
523 break;
524 }
525
526 /* try to return all the packets in the batch */
527 skb2 = skb_clone(skb, GFP_ATOMIC);
528 if (unlikely(!skb2))
529 break;
530 skb_pull(skb, msg_len - sizeof *hdr);
531 skb_trim(skb2, data_len);
532 usbnet_skb_return(dev, skb2);
533 }
534
535 /* caller will usbnet_skb_return the remaining packet */
536 return 1;
537}
538EXPORT_SYMBOL_GPL(rndis_rx_fixup);
539
540struct sk_buff *
541rndis_tx_fixup(struct usbnet *dev, struct sk_buff *skb, gfp_t flags)
542{
543 struct rndis_data_hdr *hdr;
544 struct sk_buff *skb2;
545 unsigned len = skb->len;
546
547 if (likely(!skb_cloned(skb))) {
548 int room = skb_headroom(skb);
549
550 /* enough head room as-is? */
551 if (unlikely((sizeof *hdr) <= room))
552 goto fill;
553
554 /* enough room, but needs to be readjusted? */
555 room += skb_tailroom(skb);
556 if (likely((sizeof *hdr) <= room)) {
557 skb->data = memmove(skb->head + sizeof *hdr,
558 skb->data, len);
559 skb_set_tail_pointer(skb, len);
560 goto fill;
561 }
562 }
563
564 /* create a new skb, with the correct size (and tailpad) */
565 skb2 = skb_copy_expand(skb, sizeof *hdr, 1, flags);
566 dev_kfree_skb_any(skb);
567 if (unlikely(!skb2))
568 return skb2;
569 skb = skb2;
570
571 /* fill out the RNDIS header. we won't bother trying to batch
572 * packets; Linux minimizes wasted bandwidth through tx queues.
573 */
574fill:
575 hdr = (void *) __skb_push(skb, sizeof *hdr);
576 memset(hdr, 0, sizeof *hdr);
577 hdr->msg_type = cpu_to_le32(RNDIS_MSG_PACKET);
578 hdr->msg_len = cpu_to_le32(skb->len);
579 hdr->data_offset = cpu_to_le32(sizeof(*hdr) - 8);
580 hdr->data_len = cpu_to_le32(len);
581
582 /* FIXME make the last packet always be short ... */
583 return skb;
584}
585EXPORT_SYMBOL_GPL(rndis_tx_fixup);
586
587
588static const struct driver_info rndis_info = {
589 .description = "RNDIS device",
590 .flags = FLAG_ETHER | FLAG_POINTTOPOINT | FLAG_FRAMING_RN | FLAG_NO_SETINT,
591 .bind = rndis_bind,
592 .unbind = rndis_unbind,
593 .status = rndis_status,
594 .rx_fixup = rndis_rx_fixup,
595 .tx_fixup = rndis_tx_fixup,
596};
597
598static const struct driver_info rndis_poll_status_info = {
599 .description = "RNDIS device (poll status before control)",
600 .flags = FLAG_ETHER | FLAG_POINTTOPOINT | FLAG_FRAMING_RN | FLAG_NO_SETINT,
601 .data = RNDIS_DRIVER_DATA_POLL_STATUS,
602 .bind = rndis_bind,
603 .unbind = rndis_unbind,
604 .status = rndis_status,
605 .rx_fixup = rndis_rx_fixup,
606 .tx_fixup = rndis_tx_fixup,
607};
608
609/*-------------------------------------------------------------------------*/
610
611static const struct usb_device_id products [] = {
612{
613 /* 2Wire HomePortal 1000SW */
614 USB_DEVICE_AND_INTERFACE_INFO(0x1630, 0x0042,
615 USB_CLASS_COMM, 2 /* ACM */, 0x0ff),
616 .driver_info = (unsigned long) &rndis_poll_status_info,
617}, {
618 /* RNDIS is MSFT's un-official variant of CDC ACM */
619 USB_INTERFACE_INFO(USB_CLASS_COMM, 2 /* ACM */, 0x0ff),
620 .driver_info = (unsigned long) &rndis_info,
621}, {
622 /* "ActiveSync" is an undocumented variant of RNDIS, used in WM5 */
623 USB_INTERFACE_INFO(USB_CLASS_MISC, 1, 1),
624 .driver_info = (unsigned long) &rndis_poll_status_info,
625}, {
626 /* RNDIS for tethering */
627 USB_INTERFACE_INFO(USB_CLASS_WIRELESS_CONTROLLER, 1, 3),
628 .driver_info = (unsigned long) &rndis_info,
629},
630 { }, // END
631};
632MODULE_DEVICE_TABLE(usb, products);
633
634static struct usb_driver rndis_driver = {
635 .name = "rndis_host",
636 .id_table = products,
637 .probe = usbnet_probe,
638 .disconnect = usbnet_disconnect,
639 .suspend = usbnet_suspend,
640 .resume = usbnet_resume,
641 .disable_hub_initiated_lpm = 1,
642};
643
644module_usb_driver(rndis_driver);
645
646MODULE_AUTHOR("David Brownell");
647MODULE_DESCRIPTION("USB Host side RNDIS driver");
648MODULE_LICENSE("GPL");