Avoid reading past buffer when calling GETACL
[zen-stable.git] / drivers / net / usb / lg-vl600.c
blob45a981fde43fc278cc1d418fc9d2fb7ba19b9060
1 /*
2 * Ethernet interface part of the LG VL600 LTE modem (4G dongle)
4 * Copyright (C) 2011 Intel Corporation
5 * Author: Andrzej Zaborowski <balrogg@gmail.com>
7 * This program is free software; you can redistribute it and/or modify
8 * it under the terms of the GNU General Public License as published by
9 * the Free Software Foundation; either version 2 of the License, or
10 * (at your option) any later version.
12 * This program is distributed in the hope that it will be useful,
13 * but WITHOUT ANY WARRANTY; without even the implied warranty of
14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 * GNU General Public License for more details.
17 * You should have received a copy of the GNU General Public License
18 * along with this program; if not, write to the Free Software
19 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
21 #include <linux/etherdevice.h>
22 #include <linux/ethtool.h>
23 #include <linux/mii.h>
24 #include <linux/usb.h>
25 #include <linux/usb/cdc.h>
26 #include <linux/usb/usbnet.h>
27 #include <linux/if_ether.h>
28 #include <linux/if_arp.h>
29 #include <linux/inetdevice.h>
30 #include <linux/module.h>
33 * The device has a CDC ACM port for modem control (it claims to be
34 * CDC ACM anyway) and a CDC Ethernet port for actual network data.
35 * It will however ignore data on both ports that is not encapsulated
36 * in a specific way, any data returned is also encapsulated the same
37 * way. The headers don't seem to follow any popular standard.
39 * This driver adds and strips these headers from the ethernet frames
40 * sent/received from the CDC Ethernet port. The proprietary header
41 * replaces the standard ethernet header in a packet so only actual
42 * ethernet frames are allowed. The headers allow some form of
43 * multiplexing by using non standard values of the .h_proto field.
44 * Windows/Mac drivers do send a couple of such frames to the device
45 * during initialisation, with protocol set to 0x0906 or 0x0b06 and (what
46 * seems to be) a flag in the .dummy_flags. This doesn't seem necessary
47 * for modem operation but can possibly be used for GPS or other funcitons.
50 struct vl600_frame_hdr {
51 __le32 len;
52 __le32 serial;
53 __le32 pkt_cnt;
54 __le32 dummy_flags;
55 __le32 dummy;
56 __le32 magic;
57 } __attribute__((packed));
59 struct vl600_pkt_hdr {
60 __le32 dummy[2];
61 __le32 len;
62 __be16 h_proto;
63 } __attribute__((packed));
65 struct vl600_state {
66 struct sk_buff *current_rx_buf;
69 static int vl600_bind(struct usbnet *dev, struct usb_interface *intf)
71 int ret;
72 struct vl600_state *s = kzalloc(sizeof(struct vl600_state), GFP_KERNEL);
74 if (!s)
75 return -ENOMEM;
77 ret = usbnet_cdc_bind(dev, intf);
78 if (ret) {
79 kfree(s);
80 return ret;
83 dev->driver_priv = s;
85 /* ARP packets don't go through, but they're also of no use. The
86 * subnet has only two hosts anyway: us and the gateway / DHCP
87 * server (probably simulated by modem firmware or network operator)
88 * whose address changes everytime we connect to the intarwebz and
89 * who doesn't bother answering ARP requests either. So hardware
90 * addresses have no meaning, the destination and the source of every
91 * packet depend only on whether it is on the IN or OUT endpoint. */
92 dev->net->flags |= IFF_NOARP;
93 /* IPv6 NDP relies on multicast. Enable it by default. */
94 dev->net->flags |= IFF_MULTICAST;
96 return ret;
99 static void vl600_unbind(struct usbnet *dev, struct usb_interface *intf)
101 struct vl600_state *s = dev->driver_priv;
103 if (s->current_rx_buf)
104 dev_kfree_skb(s->current_rx_buf);
106 kfree(s);
108 return usbnet_cdc_unbind(dev, intf);
111 static int vl600_rx_fixup(struct usbnet *dev, struct sk_buff *skb)
113 struct vl600_frame_hdr *frame;
114 struct vl600_pkt_hdr *packet;
115 struct ethhdr *ethhdr;
116 int packet_len, count;
117 struct sk_buff *buf = skb;
118 struct sk_buff *clone;
119 struct vl600_state *s = dev->driver_priv;
121 /* Frame lengths are generally 4B multiplies but every couple of
122 * hours there's an odd number of bytes sized yet correct frame,
123 * so don't require this. */
125 /* Allow a packet (or multiple packets batched together) to be
126 * split across many frames. We don't allow a new batch to
127 * begin in the same frame another one is ending however, and no
128 * leading or trailing pad bytes. */
129 if (s->current_rx_buf) {
130 frame = (struct vl600_frame_hdr *) s->current_rx_buf->data;
131 if (skb->len + s->current_rx_buf->len >
132 le32_to_cpup(&frame->len)) {
133 netif_err(dev, ifup, dev->net, "Fragment too long\n");
134 dev->net->stats.rx_length_errors++;
135 goto error;
138 buf = s->current_rx_buf;
139 memcpy(skb_put(buf, skb->len), skb->data, skb->len);
140 } else if (skb->len < 4) {
141 netif_err(dev, ifup, dev->net, "Frame too short\n");
142 dev->net->stats.rx_length_errors++;
143 goto error;
146 frame = (struct vl600_frame_hdr *) buf->data;
147 /* Yes, check that frame->magic == 0x53544448 (or 0x44544d48),
148 * otherwise we may run out of memory w/a bad packet */
149 if (ntohl(frame->magic) != 0x53544448 &&
150 ntohl(frame->magic) != 0x44544d48)
151 goto error;
153 if (buf->len < sizeof(*frame) ||
154 buf->len != le32_to_cpup(&frame->len)) {
155 /* Save this fragment for later assembly */
156 if (s->current_rx_buf)
157 return 0;
159 s->current_rx_buf = skb_copy_expand(skb, 0,
160 le32_to_cpup(&frame->len), GFP_ATOMIC);
161 if (!s->current_rx_buf) {
162 netif_err(dev, ifup, dev->net, "Reserving %i bytes "
163 "for packet assembly failed.\n",
164 le32_to_cpup(&frame->len));
165 dev->net->stats.rx_errors++;
168 return 0;
171 count = le32_to_cpup(&frame->pkt_cnt);
173 skb_pull(buf, sizeof(*frame));
175 while (count--) {
176 if (buf->len < sizeof(*packet)) {
177 netif_err(dev, ifup, dev->net, "Packet too short\n");
178 goto error;
181 packet = (struct vl600_pkt_hdr *) buf->data;
182 packet_len = sizeof(*packet) + le32_to_cpup(&packet->len);
183 if (packet_len > buf->len) {
184 netif_err(dev, ifup, dev->net,
185 "Bad packet length stored in header\n");
186 goto error;
189 /* Packet header is same size as the ethernet header
190 * (sizeof(*packet) == sizeof(*ethhdr)), additionally
191 * the h_proto field is in the same place so we just leave it
192 * alone and fill in the remaining fields.
194 ethhdr = (struct ethhdr *) skb->data;
195 if (be16_to_cpup(&ethhdr->h_proto) == ETH_P_ARP &&
196 buf->len > 0x26) {
197 /* Copy the addresses from packet contents */
198 memcpy(ethhdr->h_source,
199 &buf->data[sizeof(*ethhdr) + 0x8],
200 ETH_ALEN);
201 memcpy(ethhdr->h_dest,
202 &buf->data[sizeof(*ethhdr) + 0x12],
203 ETH_ALEN);
204 } else {
205 memset(ethhdr->h_source, 0, ETH_ALEN);
206 memcpy(ethhdr->h_dest, dev->net->dev_addr, ETH_ALEN);
208 /* Inbound IPv6 packets have an IPv4 ethertype (0x800)
209 * for some reason. Peek at the L3 header to check
210 * for IPv6 packets, and set the ethertype to IPv6
211 * (0x86dd) so Linux can understand it.
213 if ((buf->data[sizeof(*ethhdr)] & 0xf0) == 0x60)
214 ethhdr->h_proto = __constant_htons(ETH_P_IPV6);
217 if (count) {
218 /* Not the last packet in this batch */
219 clone = skb_clone(buf, GFP_ATOMIC);
220 if (!clone)
221 goto error;
223 skb_trim(clone, packet_len);
224 usbnet_skb_return(dev, clone);
226 skb_pull(buf, (packet_len + 3) & ~3);
227 } else {
228 skb_trim(buf, packet_len);
230 if (s->current_rx_buf) {
231 usbnet_skb_return(dev, buf);
232 s->current_rx_buf = NULL;
233 return 0;
236 return 1;
240 error:
241 if (s->current_rx_buf) {
242 dev_kfree_skb_any(s->current_rx_buf);
243 s->current_rx_buf = NULL;
245 dev->net->stats.rx_errors++;
246 return 0;
249 static struct sk_buff *vl600_tx_fixup(struct usbnet *dev,
250 struct sk_buff *skb, gfp_t flags)
252 struct sk_buff *ret;
253 struct vl600_frame_hdr *frame;
254 struct vl600_pkt_hdr *packet;
255 static uint32_t serial = 1;
256 int orig_len = skb->len - sizeof(struct ethhdr);
257 int full_len = (skb->len + sizeof(struct vl600_frame_hdr) + 3) & ~3;
259 frame = (struct vl600_frame_hdr *) skb->data;
260 if (skb->len > sizeof(*frame) && skb->len == le32_to_cpup(&frame->len))
261 return skb; /* Already encapsulated? */
263 if (skb->len < sizeof(struct ethhdr))
264 /* Drop, device can only deal with ethernet packets */
265 return NULL;
267 if (!skb_cloned(skb)) {
268 int headroom = skb_headroom(skb);
269 int tailroom = skb_tailroom(skb);
271 if (tailroom >= full_len - skb->len - sizeof(*frame) &&
272 headroom >= sizeof(*frame))
273 /* There's enough head and tail room */
274 goto encapsulate;
276 if (headroom + tailroom + skb->len >= full_len) {
277 /* There's enough total room, just readjust */
278 skb->data = memmove(skb->head + sizeof(*frame),
279 skb->data, skb->len);
280 skb_set_tail_pointer(skb, skb->len);
281 goto encapsulate;
285 /* Alloc a new skb with the required size */
286 ret = skb_copy_expand(skb, sizeof(struct vl600_frame_hdr), full_len -
287 skb->len - sizeof(struct vl600_frame_hdr), flags);
288 dev_kfree_skb_any(skb);
289 if (!ret)
290 return ret;
291 skb = ret;
293 encapsulate:
294 /* Packet header is same size as ethernet packet header
295 * (sizeof(*packet) == sizeof(struct ethhdr)), additionally the
296 * h_proto field is in the same place so we just leave it alone and
297 * overwrite the remaining fields.
299 packet = (struct vl600_pkt_hdr *) skb->data;
300 /* The VL600 wants IPv6 packets to have an IPv4 ethertype
301 * Since this modem only supports IPv4 and IPv6, just set all
302 * frames to 0x0800 (ETH_P_IP)
304 packet->h_proto = htons(ETH_P_IP);
305 memset(&packet->dummy, 0, sizeof(packet->dummy));
306 packet->len = cpu_to_le32(orig_len);
308 frame = (struct vl600_frame_hdr *) skb_push(skb, sizeof(*frame));
309 memset(frame, 0, sizeof(*frame));
310 frame->len = cpu_to_le32(full_len);
311 frame->serial = cpu_to_le32(serial++);
312 frame->pkt_cnt = cpu_to_le32(1);
314 if (skb->len < full_len) /* Pad */
315 skb_put(skb, full_len - skb->len);
317 return skb;
320 static const struct driver_info vl600_info = {
321 .description = "LG VL600 modem",
322 .flags = FLAG_RX_ASSEMBLE | FLAG_WWAN,
323 .bind = vl600_bind,
324 .unbind = vl600_unbind,
325 .status = usbnet_cdc_status,
326 .rx_fixup = vl600_rx_fixup,
327 .tx_fixup = vl600_tx_fixup,
330 static const struct usb_device_id products[] = {
332 USB_DEVICE_AND_INTERFACE_INFO(0x1004, 0x61aa, USB_CLASS_COMM,
333 USB_CDC_SUBCLASS_ETHERNET, USB_CDC_PROTO_NONE),
334 .driver_info = (unsigned long) &vl600_info,
336 {}, /* End */
338 MODULE_DEVICE_TABLE(usb, products);
340 static struct usb_driver lg_vl600_driver = {
341 .name = "lg-vl600",
342 .id_table = products,
343 .probe = usbnet_probe,
344 .disconnect = usbnet_disconnect,
345 .suspend = usbnet_suspend,
346 .resume = usbnet_resume,
349 module_usb_driver(lg_vl600_driver);
351 MODULE_AUTHOR("Anrzej Zaborowski");
352 MODULE_DESCRIPTION("LG-VL600 modem's ethernet link");
353 MODULE_LICENSE("GPL");