1 /* 2 * Host Side support for RNDIS Networking Links 3 * Copyright (C) 2005 by David Brownell 4 * 5 * This program is free software; you can redistribute it and/or modify 6 * it under the terms of the GNU General Public License as published by 7 * the Free Software Foundation; either version 2 of the License, or 8 * (at your option) any later version. 9 * 10 * This program is distributed in the hope that it will be useful, 11 * but WITHOUT ANY WARRANTY; without even the implied warranty of 12 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 13 * GNU General Public License for more details. 14 * 15 * You should have received a copy of the GNU General Public License 16 * along with this program; if not, write to the Free Software 17 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA 18 */ 19 #include <linux/module.h> 20 #include <linux/init.h> 21 #include <linux/netdevice.h> 22 #include <linux/etherdevice.h> 23 #include <linux/ethtool.h> 24 #include <linux/workqueue.h> 25 #include <linux/mii.h> 26 #include <linux/usb.h> 27 #include <linux/usb/cdc.h> 28 #include <linux/usb/usbnet.h> 29 #include <linux/usb/rndis_host.h> 30 31 32 /* 33 * RNDIS is NDIS remoted over USB. It's a MSFT variant of CDC ACM ... of 34 * course ACM was intended for modems, not Ethernet links! USB's standard 35 * for Ethernet links is "CDC Ethernet", which is significantly simpler. 36 * 37 * NOTE that Microsoft's "RNDIS 1.0" specification is incomplete. Issues 38 * include: 39 * - Power management in particular relies on information that's scattered 40 * through other documentation, and which is incomplete or incorrect even 41 * there. 42 * - There are various undocumented protocol requirements, such as the 43 * need to send unused garbage in control-OUT messages. 44 * - In some cases, MS-Windows will emit undocumented requests; this 45 * matters more to peripheral implementations than host ones. 46 * 47 * Moreover there's a no-open-specs variant of RNDIS called "ActiveSync". 48 * 49 * For these reasons and others, ** USE OF RNDIS IS STRONGLY DISCOURAGED ** in 50 * favor of such non-proprietary alternatives as CDC Ethernet or the newer (and 51 * currently rare) "Ethernet Emulation Model" (EEM). 52 */ 53 54 /* 55 * RNDIS notifications from device: command completion; "reverse" 56 * keepalives; etc 57 */ 58 void rndis_status(struct usbnet *dev, struct urb *urb) 59 { 60 devdbg(dev, "rndis status urb, len %d stat %d", 61 urb->actual_length, urb->status); 62 // FIXME for keepalives, respond immediately (asynchronously) 63 // if not an RNDIS status, do like cdc_status(dev,urb) does 64 } 65 EXPORT_SYMBOL_GPL(rndis_status); 66 67 /* 68 * RPC done RNDIS-style. Caller guarantees: 69 * - message is properly byteswapped 70 * - there's no other request pending 71 * - buf can hold up to 1KB response (required by RNDIS spec) 72 * On return, the first few entries are already byteswapped. 73 * 74 * Call context is likely probe(), before interface name is known, 75 * which is why we won't try to use it in the diagnostics. 76 */ 77 int rndis_command(struct usbnet *dev, struct rndis_msg_hdr *buf, int buflen) 78 { 79 struct cdc_state *info = (void *) &dev->data; 80 int master_ifnum; 81 int retval; 82 unsigned count; 83 __le32 rsp; 84 u32 xid = 0, msg_len, request_id; 85 86 /* REVISIT when this gets called from contexts other than probe() or 87 * disconnect(): either serialize, or dispatch responses on xid 88 */ 89 90 /* Issue the request; xid is unique, don't bother byteswapping it */ 91 if (likely(buf->msg_type != RNDIS_MSG_HALT 92 && buf->msg_type != RNDIS_MSG_RESET)) { 93 xid = dev->xid++; 94 if (!xid) 95 xid = dev->xid++; 96 buf->request_id = (__force __le32) xid; 97 } 98 master_ifnum = info->control->cur_altsetting->desc.bInterfaceNumber; 99 retval = usb_control_msg(dev->udev, 100 usb_sndctrlpipe(dev->udev, 0), 101 USB_CDC_SEND_ENCAPSULATED_COMMAND, 102 USB_TYPE_CLASS | USB_RECIP_INTERFACE, 103 0, master_ifnum, 104 buf, le32_to_cpu(buf->msg_len), 105 RNDIS_CONTROL_TIMEOUT_MS); 106 if (unlikely(retval < 0 || xid == 0)) 107 return retval; 108 109 // FIXME Seems like some devices discard responses when 110 // we time out and cancel our "get response" requests... 111 // so, this is fragile. Probably need to poll for status. 112 113 /* ignore status endpoint, just poll the control channel; 114 * the request probably completed immediately 115 */ 116 rsp = buf->msg_type | RNDIS_MSG_COMPLETION; 117 for (count = 0; count < 10; count++) { 118 memset(buf, 0, CONTROL_BUFFER_SIZE); 119 retval = usb_control_msg(dev->udev, 120 usb_rcvctrlpipe(dev->udev, 0), 121 USB_CDC_GET_ENCAPSULATED_RESPONSE, 122 USB_DIR_IN | USB_TYPE_CLASS | USB_RECIP_INTERFACE, 123 0, master_ifnum, 124 buf, buflen, 125 RNDIS_CONTROL_TIMEOUT_MS); 126 if (likely(retval >= 8)) { 127 msg_len = le32_to_cpu(buf->msg_len); 128 request_id = (__force u32) buf->request_id; 129 if (likely(buf->msg_type == rsp)) { 130 if (likely(request_id == xid)) { 131 if (unlikely(rsp == RNDIS_MSG_RESET_C)) 132 return 0; 133 if (likely(RNDIS_STATUS_SUCCESS 134 == buf->status)) 135 return 0; 136 dev_dbg(&info->control->dev, 137 "rndis reply status %08x\n", 138 le32_to_cpu(buf->status)); 139 return -EL3RST; 140 } 141 dev_dbg(&info->control->dev, 142 "rndis reply id %d expected %d\n", 143 request_id, xid); 144 /* then likely retry */ 145 } else switch (buf->msg_type) { 146 case RNDIS_MSG_INDICATE: { /* fault/event */ 147 struct rndis_indicate *msg = (void *)buf; 148 int state = 0; 149 150 switch (msg->status) { 151 case RNDIS_STATUS_MEDIA_CONNECT: 152 state = 1; 153 case RNDIS_STATUS_MEDIA_DISCONNECT: 154 dev_info(&info->control->dev, 155 "rndis media %sconnect\n", 156 !state?"dis":""); 157 if (dev->driver_info->link_change) 158 dev->driver_info->link_change( 159 dev, state); 160 break; 161 default: 162 dev_info(&info->control->dev, 163 "rndis indication: 0x%08x\n", 164 le32_to_cpu(msg->status)); 165 } 166 } 167 break; 168 case RNDIS_MSG_KEEPALIVE: { /* ping */ 169 struct rndis_keepalive_c *msg = (void *)buf; 170 171 msg->msg_type = RNDIS_MSG_KEEPALIVE_C; 172 msg->msg_len = ccpu2(sizeof *msg); 173 msg->status = RNDIS_STATUS_SUCCESS; 174 retval = usb_control_msg(dev->udev, 175 usb_sndctrlpipe(dev->udev, 0), 176 USB_CDC_SEND_ENCAPSULATED_COMMAND, 177 USB_TYPE_CLASS | USB_RECIP_INTERFACE, 178 0, master_ifnum, 179 msg, sizeof *msg, 180 RNDIS_CONTROL_TIMEOUT_MS); 181 if (unlikely(retval < 0)) 182 dev_dbg(&info->control->dev, 183 "rndis keepalive err %d\n", 184 retval); 185 } 186 break; 187 default: 188 dev_dbg(&info->control->dev, 189 "unexpected rndis msg %08x len %d\n", 190 le32_to_cpu(buf->msg_type), msg_len); 191 } 192 } else { 193 /* device probably issued a protocol stall; ignore */ 194 dev_dbg(&info->control->dev, 195 "rndis response error, code %d\n", retval); 196 } 197 msleep(20); 198 } 199 dev_dbg(&info->control->dev, "rndis response timeout\n"); 200 return -ETIMEDOUT; 201 } 202 EXPORT_SYMBOL_GPL(rndis_command); 203 204 /* 205 * rndis_query: 206 * 207 * Performs a query for @oid along with 0 or more bytes of payload as 208 * specified by @in_len. If @reply_len is not set to -1 then the reply 209 * length is checked against this value, resulting in an error if it 210 * doesn't match. 211 * 212 * NOTE: Adding a payload exactly or greater than the size of the expected 213 * response payload is an evident requirement MSFT added for ActiveSync. 214 * 215 * The only exception is for OIDs that return a variably sized response, 216 * in which case no payload should be added. This undocumented (and 217 * nonsensical!) issue was found by sniffing protocol requests from the 218 * ActiveSync 4.1 Windows driver. 219 */ 220 static int rndis_query(struct usbnet *dev, struct usb_interface *intf, 221 void *buf, __le32 oid, u32 in_len, 222 void **reply, int *reply_len) 223 { 224 int retval; 225 union { 226 void *buf; 227 struct rndis_msg_hdr *header; 228 struct rndis_query *get; 229 struct rndis_query_c *get_c; 230 } u; 231 u32 off, len; 232 233 u.buf = buf; 234 235 memset(u.get, 0, sizeof *u.get + in_len); 236 u.get->msg_type = RNDIS_MSG_QUERY; 237 u.get->msg_len = cpu_to_le32(sizeof *u.get + in_len); 238 u.get->oid = oid; 239 u.get->len = cpu_to_le32(in_len); 240 u.get->offset = ccpu2(20); 241 242 retval = rndis_command(dev, u.header, CONTROL_BUFFER_SIZE); 243 if (unlikely(retval < 0)) { 244 dev_err(&intf->dev, "RNDIS_MSG_QUERY(0x%08x) failed, %d\n", 245 oid, retval); 246 return retval; 247 } 248 249 off = le32_to_cpu(u.get_c->offset); 250 len = le32_to_cpu(u.get_c->len); 251 if (unlikely((8 + off + len) > CONTROL_BUFFER_SIZE)) 252 goto response_error; 253 254 if (*reply_len != -1 && len != *reply_len) 255 goto response_error; 256 257 *reply = (unsigned char *) &u.get_c->request_id + off; 258 *reply_len = len; 259 260 return retval; 261 262 response_error: 263 dev_err(&intf->dev, "RNDIS_MSG_QUERY(0x%08x) " 264 "invalid response - off %d len %d\n", 265 oid, off, len); 266 return -EDOM; 267 } 268 269 int 270 generic_rndis_bind(struct usbnet *dev, struct usb_interface *intf, int flags) 271 { 272 int retval; 273 struct net_device *net = dev->net; 274 struct cdc_state *info = (void *) &dev->data; 275 union { 276 void *buf; 277 struct rndis_msg_hdr *header; 278 struct rndis_init *init; 279 struct rndis_init_c *init_c; 280 struct rndis_query *get; 281 struct rndis_query_c *get_c; 282 struct rndis_set *set; 283 struct rndis_set_c *set_c; 284 struct rndis_halt *halt; 285 } u; 286 u32 tmp; 287 __le32 phym_unspec, *phym; 288 int reply_len; 289 unsigned char *bp; 290 291 /* we can't rely on i/o from stack working, or stack allocation */ 292 u.buf = kmalloc(CONTROL_BUFFER_SIZE, GFP_KERNEL); 293 if (!u.buf) 294 return -ENOMEM; 295 retval = usbnet_generic_cdc_bind(dev, intf); 296 if (retval < 0) 297 goto fail; 298 299 u.init->msg_type = RNDIS_MSG_INIT; 300 u.init->msg_len = ccpu2(sizeof *u.init); 301 u.init->major_version = ccpu2(1); 302 u.init->minor_version = ccpu2(0); 303 304 /* max transfer (in spec) is 0x4000 at full speed, but for 305 * TX we'll stick to one Ethernet packet plus RNDIS framing. 306 * For RX we handle drivers that zero-pad to end-of-packet. 307 * Don't let userspace change these settings. 308 * 309 * NOTE: there still seems to be wierdness here, as if we need 310 * to do some more things to make sure WinCE targets accept this. 311 * They default to jumbograms of 8KB or 16KB, which is absurd 312 * for such low data rates and which is also more than Linux 313 * can usually expect to allocate for SKB data... 314 */ 315 net->hard_header_len += sizeof (struct rndis_data_hdr); 316 dev->hard_mtu = net->mtu + net->hard_header_len; 317 318 dev->maxpacket = usb_maxpacket(dev->udev, dev->out, 1); 319 if (dev->maxpacket == 0) { 320 if (netif_msg_probe(dev)) 321 dev_dbg(&intf->dev, "dev->maxpacket can't be 0\n"); 322 retval = -EINVAL; 323 goto fail_and_release; 324 } 325 326 dev->rx_urb_size = dev->hard_mtu + (dev->maxpacket + 1); 327 dev->rx_urb_size &= ~(dev->maxpacket - 1); 328 u.init->max_transfer_size = cpu_to_le32(dev->rx_urb_size); 329 330 net->change_mtu = NULL; 331 retval = rndis_command(dev, u.header, CONTROL_BUFFER_SIZE); 332 if (unlikely(retval < 0)) { 333 /* it might not even be an RNDIS device!! */ 334 dev_err(&intf->dev, "RNDIS init failed, %d\n", retval); 335 goto fail_and_release; 336 } 337 tmp = le32_to_cpu(u.init_c->max_transfer_size); 338 if (tmp < dev->hard_mtu) { 339 if (tmp <= net->hard_header_len) { 340 dev_err(&intf->dev, 341 "dev can't take %u byte packets (max %u)\n", 342 dev->hard_mtu, tmp); 343 retval = -EINVAL; 344 goto halt_fail_and_release; 345 } 346 dev->hard_mtu = tmp; 347 net->mtu = dev->hard_mtu - net->hard_header_len; 348 dev_warn(&intf->dev, 349 "dev can't take %u byte packets (max %u), " 350 "adjusting MTU to %u\n", 351 dev->hard_mtu, tmp, net->mtu); 352 } 353 354 /* REVISIT: peripheral "alignment" request is ignored ... */ 355 dev_dbg(&intf->dev, 356 "hard mtu %u (%u from dev), rx buflen %Zu, align %d\n", 357 dev->hard_mtu, tmp, dev->rx_urb_size, 358 1 << le32_to_cpu(u.init_c->packet_alignment)); 359 360 /* module has some device initialization code needs to be done right 361 * after RNDIS_INIT */ 362 if (dev->driver_info->early_init && 363 dev->driver_info->early_init(dev) != 0) 364 goto halt_fail_and_release; 365 366 /* Check physical medium */ 367 phym = NULL; 368 reply_len = sizeof *phym; 369 retval = rndis_query(dev, intf, u.buf, OID_GEN_PHYSICAL_MEDIUM, 370 0, (void **) &phym, &reply_len); 371 if (retval != 0 || !phym) { 372 /* OID is optional so don't fail here. */ 373 phym_unspec = RNDIS_PHYSICAL_MEDIUM_UNSPECIFIED; 374 phym = &phym_unspec; 375 } 376 if ((flags & FLAG_RNDIS_PHYM_WIRELESS) && 377 *phym != RNDIS_PHYSICAL_MEDIUM_WIRELESS_LAN) { 378 if (netif_msg_probe(dev)) 379 dev_dbg(&intf->dev, "driver requires wireless " 380 "physical medium, but device is not.\n"); 381 retval = -ENODEV; 382 goto halt_fail_and_release; 383 } 384 if ((flags & FLAG_RNDIS_PHYM_NOT_WIRELESS) && 385 *phym == RNDIS_PHYSICAL_MEDIUM_WIRELESS_LAN) { 386 if (netif_msg_probe(dev)) 387 dev_dbg(&intf->dev, "driver requires non-wireless " 388 "physical medium, but device is wireless.\n"); 389 retval = -ENODEV; 390 goto halt_fail_and_release; 391 } 392 393 /* Get designated host ethernet address */ 394 reply_len = ETH_ALEN; 395 retval = rndis_query(dev, intf, u.buf, OID_802_3_PERMANENT_ADDRESS, 396 48, (void **) &bp, &reply_len); 397 if (unlikely(retval< 0)) { 398 dev_err(&intf->dev, "rndis get ethaddr, %d\n", retval); 399 goto halt_fail_and_release; 400 } 401 memcpy(net->dev_addr, bp, ETH_ALEN); 402 403 /* set a nonzero filter to enable data transfers */ 404 memset(u.set, 0, sizeof *u.set); 405 u.set->msg_type = RNDIS_MSG_SET; 406 u.set->msg_len = ccpu2(4 + sizeof *u.set); 407 u.set->oid = OID_GEN_CURRENT_PACKET_FILTER; 408 u.set->len = ccpu2(4); 409 u.set->offset = ccpu2((sizeof *u.set) - 8); 410 *(__le32 *)(u.buf + sizeof *u.set) = RNDIS_DEFAULT_FILTER; 411 412 retval = rndis_command(dev, u.header, CONTROL_BUFFER_SIZE); 413 if (unlikely(retval < 0)) { 414 dev_err(&intf->dev, "rndis set packet filter, %d\n", retval); 415 goto halt_fail_and_release; 416 } 417 418 retval = 0; 419 420 kfree(u.buf); 421 return retval; 422 423 halt_fail_and_release: 424 memset(u.halt, 0, sizeof *u.halt); 425 u.halt->msg_type = RNDIS_MSG_HALT; 426 u.halt->msg_len = ccpu2(sizeof *u.halt); 427 (void) rndis_command(dev, (void *)u.halt, CONTROL_BUFFER_SIZE); 428 fail_and_release: 429 usb_set_intfdata(info->data, NULL); 430 usb_driver_release_interface(driver_of(intf), info->data); 431 info->data = NULL; 432 fail: 433 kfree(u.buf); 434 return retval; 435 } 436 EXPORT_SYMBOL_GPL(generic_rndis_bind); 437 438 static int rndis_bind(struct usbnet *dev, struct usb_interface *intf) 439 { 440 return generic_rndis_bind(dev, intf, FLAG_RNDIS_PHYM_NOT_WIRELESS); 441 } 442 443 void rndis_unbind(struct usbnet *dev, struct usb_interface *intf) 444 { 445 struct rndis_halt *halt; 446 447 /* try to clear any rndis state/activity (no i/o from stack!) */ 448 halt = kzalloc(CONTROL_BUFFER_SIZE, GFP_KERNEL); 449 if (halt) { 450 halt->msg_type = RNDIS_MSG_HALT; 451 halt->msg_len = ccpu2(sizeof *halt); 452 (void) rndis_command(dev, (void *)halt, CONTROL_BUFFER_SIZE); 453 kfree(halt); 454 } 455 456 usbnet_cdc_unbind(dev, intf); 457 } 458 EXPORT_SYMBOL_GPL(rndis_unbind); 459 460 /* 461 * DATA -- host must not write zlps 462 */ 463 int rndis_rx_fixup(struct usbnet *dev, struct sk_buff *skb) 464 { 465 /* peripheral may have batched packets to us... */ 466 while (likely(skb->len)) { 467 struct rndis_data_hdr *hdr = (void *)skb->data; 468 struct sk_buff *skb2; 469 u32 msg_len, data_offset, data_len; 470 471 msg_len = le32_to_cpu(hdr->msg_len); 472 data_offset = le32_to_cpu(hdr->data_offset); 473 data_len = le32_to_cpu(hdr->data_len); 474 475 /* don't choke if we see oob, per-packet data, etc */ 476 if (unlikely(hdr->msg_type != RNDIS_MSG_PACKET 477 || skb->len < msg_len 478 || (data_offset + data_len + 8) > msg_len)) { 479 dev->stats.rx_frame_errors++; 480 devdbg(dev, "bad rndis message %d/%d/%d/%d, len %d", 481 le32_to_cpu(hdr->msg_type), 482 msg_len, data_offset, data_len, skb->len); 483 return 0; 484 } 485 skb_pull(skb, 8 + data_offset); 486 487 /* at most one packet left? */ 488 if (likely((data_len - skb->len) <= sizeof *hdr)) { 489 skb_trim(skb, data_len); 490 break; 491 } 492 493 /* try to return all the packets in the batch */ 494 skb2 = skb_clone(skb, GFP_ATOMIC); 495 if (unlikely(!skb2)) 496 break; 497 skb_pull(skb, msg_len - sizeof *hdr); 498 skb_trim(skb2, data_len); 499 usbnet_skb_return(dev, skb2); 500 } 501 502 /* caller will usbnet_skb_return the remaining packet */ 503 return 1; 504 } 505 EXPORT_SYMBOL_GPL(rndis_rx_fixup); 506 507 struct sk_buff * 508 rndis_tx_fixup(struct usbnet *dev, struct sk_buff *skb, gfp_t flags) 509 { 510 struct rndis_data_hdr *hdr; 511 struct sk_buff *skb2; 512 unsigned len = skb->len; 513 514 if (likely(!skb_cloned(skb))) { 515 int room = skb_headroom(skb); 516 517 /* enough head room as-is? */ 518 if (unlikely((sizeof *hdr) <= room)) 519 goto fill; 520 521 /* enough room, but needs to be readjusted? */ 522 room += skb_tailroom(skb); 523 if (likely((sizeof *hdr) <= room)) { 524 skb->data = memmove(skb->head + sizeof *hdr, 525 skb->data, len); 526 skb_set_tail_pointer(skb, len); 527 goto fill; 528 } 529 } 530 531 /* create a new skb, with the correct size (and tailpad) */ 532 skb2 = skb_copy_expand(skb, sizeof *hdr, 1, flags); 533 dev_kfree_skb_any(skb); 534 if (unlikely(!skb2)) 535 return skb2; 536 skb = skb2; 537 538 /* fill out the RNDIS header. we won't bother trying to batch 539 * packets; Linux minimizes wasted bandwidth through tx queues. 540 */ 541 fill: 542 hdr = (void *) __skb_push(skb, sizeof *hdr); 543 memset(hdr, 0, sizeof *hdr); 544 hdr->msg_type = RNDIS_MSG_PACKET; 545 hdr->msg_len = cpu_to_le32(skb->len); 546 hdr->data_offset = ccpu2(sizeof(*hdr) - 8); 547 hdr->data_len = cpu_to_le32(len); 548 549 /* FIXME make the last packet always be short ... */ 550 return skb; 551 } 552 EXPORT_SYMBOL_GPL(rndis_tx_fixup); 553 554 555 static const struct driver_info rndis_info = { 556 .description = "RNDIS device", 557 .flags = FLAG_ETHER | FLAG_FRAMING_RN | FLAG_NO_SETINT, 558 .bind = rndis_bind, 559 .unbind = rndis_unbind, 560 .status = rndis_status, 561 .rx_fixup = rndis_rx_fixup, 562 .tx_fixup = rndis_tx_fixup, 563 }; 564 565 #undef ccpu2 566 567 568 /*-------------------------------------------------------------------------*/ 569 570 static const struct usb_device_id products [] = { 571 { 572 /* RNDIS is MSFT's un-official variant of CDC ACM */ 573 USB_INTERFACE_INFO(USB_CLASS_COMM, 2 /* ACM */, 0x0ff), 574 .driver_info = (unsigned long) &rndis_info, 575 }, { 576 /* "ActiveSync" is an undocumented variant of RNDIS, used in WM5 */ 577 USB_INTERFACE_INFO(USB_CLASS_MISC, 1, 1), 578 .driver_info = (unsigned long) &rndis_info, 579 }, { 580 /* RNDIS for tethering */ 581 USB_INTERFACE_INFO(USB_CLASS_WIRELESS_CONTROLLER, 1, 3), 582 .driver_info = (unsigned long) &rndis_info, 583 }, 584 { }, // END 585 }; 586 MODULE_DEVICE_TABLE(usb, products); 587 588 static struct usb_driver rndis_driver = { 589 .name = "rndis_host", 590 .id_table = products, 591 .probe = usbnet_probe, 592 .disconnect = usbnet_disconnect, 593 .suspend = usbnet_suspend, 594 .resume = usbnet_resume, 595 }; 596 597 static int __init rndis_init(void) 598 { 599 return usb_register(&rndis_driver); 600 } 601 module_init(rndis_init); 602 603 static void __exit rndis_exit(void) 604 { 605 usb_deregister(&rndis_driver); 606 } 607 module_exit(rndis_exit); 608 609 MODULE_AUTHOR("David Brownell"); 610 MODULE_DESCRIPTION("USB Host side RNDIS driver"); 611 MODULE_LICENSE("GPL"); 612