1 /*
2  * f_ncm.c -- USB CDC Network (NCM) link function driver
3  *
4  * Copyright (C) 2010 Nokia Corporation
5  * Contact: Yauheni Kaliuta <yauheni.kaliuta@nokia.com>
6  *
7  * The driver borrows from f_ecm.c which is:
8  *
9  * Copyright (C) 2003-2005,2008 David Brownell
10  * Copyright (C) 2008 Nokia Corporation
11  *
12  * This program is free software; you can redistribute it and/or modify
13  * it under the terms of the GNU General Public License as published by
14  * the Free Software Foundation; either version 2 of the License, or
15  * (at your option) any later version.
16  */
17 
18 #include <linux/kernel.h>
19 #include <linux/module.h>
20 #include <linux/device.h>
21 #include <linux/etherdevice.h>
22 #include <linux/crc32.h>
23 
24 #include <linux/usb/cdc.h>
25 
26 #include "u_ether.h"
27 #include "u_ether_configfs.h"
28 #include "u_ncm.h"
29 
30 /*
31  * This function is a "CDC Network Control Model" (CDC NCM) Ethernet link.
32  * NCM is intended to be used with high-speed network attachments.
33  *
34  * Note that NCM requires the use of "alternate settings" for its data
35  * interface.  This means that the set_alt() method has real work to do,
36  * and also means that a get_alt() method is required.
37  */
38 
39 /* to trigger crc/non-crc ndp signature */
40 
41 #define NCM_NDP_HDR_CRC_MASK	0x01000000
42 #define NCM_NDP_HDR_CRC		0x01000000
43 #define NCM_NDP_HDR_NOCRC	0x00000000
44 
45 enum ncm_notify_state {
46 	NCM_NOTIFY_NONE,		/* don't notify */
47 	NCM_NOTIFY_CONNECT,		/* issue CONNECT next */
48 	NCM_NOTIFY_SPEED,		/* issue SPEED_CHANGE next */
49 };
50 
51 struct f_ncm {
52 	struct gether			port;
53 	u8				ctrl_id, data_id;
54 
55 	char				ethaddr[14];
56 
57 	struct usb_ep			*notify;
58 	struct usb_request		*notify_req;
59 	u8				notify_state;
60 	bool				is_open;
61 
62 	const struct ndp_parser_opts	*parser_opts;
63 	bool				is_crc;
64 	u32				ndp_sign;
65 
66 	/*
67 	 * for notification, it is accessed from both
68 	 * callback and ethernet open/close
69 	 */
70 	spinlock_t			lock;
71 
72 	struct net_device		*netdev;
73 
74 	/* For multi-frame NDP TX */
75 	struct sk_buff			*skb_tx_data;
76 	struct sk_buff			*skb_tx_ndp;
77 	u16				ndp_dgram_count;
78 	bool				timer_force_tx;
79 	struct tasklet_struct		tx_tasklet;
80 	struct hrtimer			task_timer;
81 
82 	bool				timer_stopping;
83 };
84 
85 static inline struct f_ncm *func_to_ncm(struct usb_function *f)
86 {
87 	return container_of(f, struct f_ncm, port.func);
88 }
89 
90 /* peak (theoretical) bulk transfer rate in bits-per-second */
91 static inline unsigned ncm_bitrate(struct usb_gadget *g)
92 {
93 	if (gadget_is_dualspeed(g) && g->speed == USB_SPEED_HIGH)
94 		return 13 * 512 * 8 * 1000 * 8;
95 	else
96 		return 19 *  64 * 1 * 1000 * 8;
97 }
98 
99 /*-------------------------------------------------------------------------*/
100 
101 /*
102  * We cannot group frames so use just the minimal size which ok to put
103  * one max-size ethernet frame.
104  * If the host can group frames, allow it to do that, 16K is selected,
105  * because it's used by default by the current linux host driver
106  */
107 #define NTB_DEFAULT_IN_SIZE	16384
108 #define NTB_OUT_SIZE		16384
109 
110 /* Allocation for storing the NDP, 32 should suffice for a
111  * 16k packet. This allows a maximum of 32 * 507 Byte packets to
112  * be transmitted in a single 16kB skb, though when sending full size
113  * packets this limit will be plenty.
114  * Smaller packets are not likely to be trying to maximize the
115  * throughput and will be mstly sending smaller infrequent frames.
116  */
117 #define TX_MAX_NUM_DPE		32
118 
119 /* Delay for the transmit to wait before sending an unfilled NTB frame. */
120 #define TX_TIMEOUT_NSECS	300000
121 
122 #define FORMATS_SUPPORTED	(USB_CDC_NCM_NTB16_SUPPORTED |	\
123 				 USB_CDC_NCM_NTB32_SUPPORTED)
124 
125 static struct usb_cdc_ncm_ntb_parameters ntb_parameters = {
126 	.wLength = cpu_to_le16(sizeof(ntb_parameters)),
127 	.bmNtbFormatsSupported = cpu_to_le16(FORMATS_SUPPORTED),
128 	.dwNtbInMaxSize = cpu_to_le32(NTB_DEFAULT_IN_SIZE),
129 	.wNdpInDivisor = cpu_to_le16(4),
130 	.wNdpInPayloadRemainder = cpu_to_le16(0),
131 	.wNdpInAlignment = cpu_to_le16(4),
132 
133 	.dwNtbOutMaxSize = cpu_to_le32(NTB_OUT_SIZE),
134 	.wNdpOutDivisor = cpu_to_le16(4),
135 	.wNdpOutPayloadRemainder = cpu_to_le16(0),
136 	.wNdpOutAlignment = cpu_to_le16(4),
137 };
138 
139 /*
140  * Use wMaxPacketSize big enough to fit CDC_NOTIFY_SPEED_CHANGE in one
141  * packet, to simplify cancellation; and a big transfer interval, to
142  * waste less bandwidth.
143  */
144 
145 #define NCM_STATUS_INTERVAL_MS		32
146 #define NCM_STATUS_BYTECOUNT		16	/* 8 byte header + data */
147 
148 static struct usb_interface_assoc_descriptor ncm_iad_desc = {
149 	.bLength =		sizeof ncm_iad_desc,
150 	.bDescriptorType =	USB_DT_INTERFACE_ASSOCIATION,
151 
152 	/* .bFirstInterface =	DYNAMIC, */
153 	.bInterfaceCount =	2,	/* control + data */
154 	.bFunctionClass =	USB_CLASS_COMM,
155 	.bFunctionSubClass =	USB_CDC_SUBCLASS_NCM,
156 	.bFunctionProtocol =	USB_CDC_PROTO_NONE,
157 	/* .iFunction =		DYNAMIC */
158 };
159 
160 /* interface descriptor: */
161 
162 static struct usb_interface_descriptor ncm_control_intf = {
163 	.bLength =		sizeof ncm_control_intf,
164 	.bDescriptorType =	USB_DT_INTERFACE,
165 
166 	/* .bInterfaceNumber = DYNAMIC */
167 	.bNumEndpoints =	1,
168 	.bInterfaceClass =	USB_CLASS_COMM,
169 	.bInterfaceSubClass =	USB_CDC_SUBCLASS_NCM,
170 	.bInterfaceProtocol =	USB_CDC_PROTO_NONE,
171 	/* .iInterface = DYNAMIC */
172 };
173 
174 static struct usb_cdc_header_desc ncm_header_desc = {
175 	.bLength =		sizeof ncm_header_desc,
176 	.bDescriptorType =	USB_DT_CS_INTERFACE,
177 	.bDescriptorSubType =	USB_CDC_HEADER_TYPE,
178 
179 	.bcdCDC =		cpu_to_le16(0x0110),
180 };
181 
182 static struct usb_cdc_union_desc ncm_union_desc = {
183 	.bLength =		sizeof(ncm_union_desc),
184 	.bDescriptorType =	USB_DT_CS_INTERFACE,
185 	.bDescriptorSubType =	USB_CDC_UNION_TYPE,
186 	/* .bMasterInterface0 =	DYNAMIC */
187 	/* .bSlaveInterface0 =	DYNAMIC */
188 };
189 
190 static struct usb_cdc_ether_desc ecm_desc = {
191 	.bLength =		sizeof ecm_desc,
192 	.bDescriptorType =	USB_DT_CS_INTERFACE,
193 	.bDescriptorSubType =	USB_CDC_ETHERNET_TYPE,
194 
195 	/* this descriptor actually adds value, surprise! */
196 	/* .iMACAddress = DYNAMIC */
197 	.bmEthernetStatistics =	cpu_to_le32(0), /* no statistics */
198 	.wMaxSegmentSize =	cpu_to_le16(ETH_FRAME_LEN),
199 	.wNumberMCFilters =	cpu_to_le16(0),
200 	.bNumberPowerFilters =	0,
201 };
202 
203 #define NCAPS	(USB_CDC_NCM_NCAP_ETH_FILTER | USB_CDC_NCM_NCAP_CRC_MODE)
204 
205 static struct usb_cdc_ncm_desc ncm_desc = {
206 	.bLength =		sizeof ncm_desc,
207 	.bDescriptorType =	USB_DT_CS_INTERFACE,
208 	.bDescriptorSubType =	USB_CDC_NCM_TYPE,
209 
210 	.bcdNcmVersion =	cpu_to_le16(0x0100),
211 	/* can process SetEthernetPacketFilter */
212 	.bmNetworkCapabilities = NCAPS,
213 };
214 
215 /* the default data interface has no endpoints ... */
216 
217 static struct usb_interface_descriptor ncm_data_nop_intf = {
218 	.bLength =		sizeof ncm_data_nop_intf,
219 	.bDescriptorType =	USB_DT_INTERFACE,
220 
221 	.bInterfaceNumber =	1,
222 	.bAlternateSetting =	0,
223 	.bNumEndpoints =	0,
224 	.bInterfaceClass =	USB_CLASS_CDC_DATA,
225 	.bInterfaceSubClass =	0,
226 	.bInterfaceProtocol =	USB_CDC_NCM_PROTO_NTB,
227 	/* .iInterface = DYNAMIC */
228 };
229 
230 /* ... but the "real" data interface has two bulk endpoints */
231 
232 static struct usb_interface_descriptor ncm_data_intf = {
233 	.bLength =		sizeof ncm_data_intf,
234 	.bDescriptorType =	USB_DT_INTERFACE,
235 
236 	.bInterfaceNumber =	1,
237 	.bAlternateSetting =	1,
238 	.bNumEndpoints =	2,
239 	.bInterfaceClass =	USB_CLASS_CDC_DATA,
240 	.bInterfaceSubClass =	0,
241 	.bInterfaceProtocol =	USB_CDC_NCM_PROTO_NTB,
242 	/* .iInterface = DYNAMIC */
243 };
244 
245 /* full speed support: */
246 
247 static struct usb_endpoint_descriptor fs_ncm_notify_desc = {
248 	.bLength =		USB_DT_ENDPOINT_SIZE,
249 	.bDescriptorType =	USB_DT_ENDPOINT,
250 
251 	.bEndpointAddress =	USB_DIR_IN,
252 	.bmAttributes =		USB_ENDPOINT_XFER_INT,
253 	.wMaxPacketSize =	cpu_to_le16(NCM_STATUS_BYTECOUNT),
254 	.bInterval =		NCM_STATUS_INTERVAL_MS,
255 };
256 
257 static struct usb_endpoint_descriptor fs_ncm_in_desc = {
258 	.bLength =		USB_DT_ENDPOINT_SIZE,
259 	.bDescriptorType =	USB_DT_ENDPOINT,
260 
261 	.bEndpointAddress =	USB_DIR_IN,
262 	.bmAttributes =		USB_ENDPOINT_XFER_BULK,
263 };
264 
265 static struct usb_endpoint_descriptor fs_ncm_out_desc = {
266 	.bLength =		USB_DT_ENDPOINT_SIZE,
267 	.bDescriptorType =	USB_DT_ENDPOINT,
268 
269 	.bEndpointAddress =	USB_DIR_OUT,
270 	.bmAttributes =		USB_ENDPOINT_XFER_BULK,
271 };
272 
273 static struct usb_descriptor_header *ncm_fs_function[] = {
274 	(struct usb_descriptor_header *) &ncm_iad_desc,
275 	/* CDC NCM control descriptors */
276 	(struct usb_descriptor_header *) &ncm_control_intf,
277 	(struct usb_descriptor_header *) &ncm_header_desc,
278 	(struct usb_descriptor_header *) &ncm_union_desc,
279 	(struct usb_descriptor_header *) &ecm_desc,
280 	(struct usb_descriptor_header *) &ncm_desc,
281 	(struct usb_descriptor_header *) &fs_ncm_notify_desc,
282 	/* data interface, altsettings 0 and 1 */
283 	(struct usb_descriptor_header *) &ncm_data_nop_intf,
284 	(struct usb_descriptor_header *) &ncm_data_intf,
285 	(struct usb_descriptor_header *) &fs_ncm_in_desc,
286 	(struct usb_descriptor_header *) &fs_ncm_out_desc,
287 	NULL,
288 };
289 
290 /* high speed support: */
291 
292 static struct usb_endpoint_descriptor hs_ncm_notify_desc = {
293 	.bLength =		USB_DT_ENDPOINT_SIZE,
294 	.bDescriptorType =	USB_DT_ENDPOINT,
295 
296 	.bEndpointAddress =	USB_DIR_IN,
297 	.bmAttributes =		USB_ENDPOINT_XFER_INT,
298 	.wMaxPacketSize =	cpu_to_le16(NCM_STATUS_BYTECOUNT),
299 	.bInterval =		USB_MS_TO_HS_INTERVAL(NCM_STATUS_INTERVAL_MS),
300 };
301 static struct usb_endpoint_descriptor hs_ncm_in_desc = {
302 	.bLength =		USB_DT_ENDPOINT_SIZE,
303 	.bDescriptorType =	USB_DT_ENDPOINT,
304 
305 	.bEndpointAddress =	USB_DIR_IN,
306 	.bmAttributes =		USB_ENDPOINT_XFER_BULK,
307 	.wMaxPacketSize =	cpu_to_le16(512),
308 };
309 
310 static struct usb_endpoint_descriptor hs_ncm_out_desc = {
311 	.bLength =		USB_DT_ENDPOINT_SIZE,
312 	.bDescriptorType =	USB_DT_ENDPOINT,
313 
314 	.bEndpointAddress =	USB_DIR_OUT,
315 	.bmAttributes =		USB_ENDPOINT_XFER_BULK,
316 	.wMaxPacketSize =	cpu_to_le16(512),
317 };
318 
319 static struct usb_descriptor_header *ncm_hs_function[] = {
320 	(struct usb_descriptor_header *) &ncm_iad_desc,
321 	/* CDC NCM control descriptors */
322 	(struct usb_descriptor_header *) &ncm_control_intf,
323 	(struct usb_descriptor_header *) &ncm_header_desc,
324 	(struct usb_descriptor_header *) &ncm_union_desc,
325 	(struct usb_descriptor_header *) &ecm_desc,
326 	(struct usb_descriptor_header *) &ncm_desc,
327 	(struct usb_descriptor_header *) &hs_ncm_notify_desc,
328 	/* data interface, altsettings 0 and 1 */
329 	(struct usb_descriptor_header *) &ncm_data_nop_intf,
330 	(struct usb_descriptor_header *) &ncm_data_intf,
331 	(struct usb_descriptor_header *) &hs_ncm_in_desc,
332 	(struct usb_descriptor_header *) &hs_ncm_out_desc,
333 	NULL,
334 };
335 
336 /* string descriptors: */
337 
338 #define STRING_CTRL_IDX	0
339 #define STRING_MAC_IDX	1
340 #define STRING_DATA_IDX	2
341 #define STRING_IAD_IDX	3
342 
343 static struct usb_string ncm_string_defs[] = {
344 	[STRING_CTRL_IDX].s = "CDC Network Control Model (NCM)",
345 	[STRING_MAC_IDX].s = "",
346 	[STRING_DATA_IDX].s = "CDC Network Data",
347 	[STRING_IAD_IDX].s = "CDC NCM",
348 	{  } /* end of list */
349 };
350 
351 static struct usb_gadget_strings ncm_string_table = {
352 	.language =		0x0409,	/* en-us */
353 	.strings =		ncm_string_defs,
354 };
355 
356 static struct usb_gadget_strings *ncm_strings[] = {
357 	&ncm_string_table,
358 	NULL,
359 };
360 
361 /*
362  * Here are options for NCM Datagram Pointer table (NDP) parser.
363  * There are 2 different formats: NDP16 and NDP32 in the spec (ch. 3),
364  * in NDP16 offsets and sizes fields are 1 16bit word wide,
365  * in NDP32 -- 2 16bit words wide. Also signatures are different.
366  * To make the parser code the same, put the differences in the structure,
367  * and switch pointers to the structures when the format is changed.
368  */
369 
370 struct ndp_parser_opts {
371 	u32		nth_sign;
372 	u32		ndp_sign;
373 	unsigned	nth_size;
374 	unsigned	ndp_size;
375 	unsigned	dpe_size;
376 	unsigned	ndplen_align;
377 	/* sizes in u16 units */
378 	unsigned	dgram_item_len; /* index or length */
379 	unsigned	block_length;
380 	unsigned	ndp_index;
381 	unsigned	reserved1;
382 	unsigned	reserved2;
383 	unsigned	next_ndp_index;
384 };
385 
386 #define INIT_NDP16_OPTS {					\
387 		.nth_sign = USB_CDC_NCM_NTH16_SIGN,		\
388 		.ndp_sign = USB_CDC_NCM_NDP16_NOCRC_SIGN,	\
389 		.nth_size = sizeof(struct usb_cdc_ncm_nth16),	\
390 		.ndp_size = sizeof(struct usb_cdc_ncm_ndp16),	\
391 		.dpe_size = sizeof(struct usb_cdc_ncm_dpe16),	\
392 		.ndplen_align = 4,				\
393 		.dgram_item_len = 1,				\
394 		.block_length = 1,				\
395 		.ndp_index = 1,					\
396 		.reserved1 = 0,					\
397 		.reserved2 = 0,					\
398 		.next_ndp_index = 1,				\
399 	}
400 
401 
402 #define INIT_NDP32_OPTS {					\
403 		.nth_sign = USB_CDC_NCM_NTH32_SIGN,		\
404 		.ndp_sign = USB_CDC_NCM_NDP32_NOCRC_SIGN,	\
405 		.nth_size = sizeof(struct usb_cdc_ncm_nth32),	\
406 		.ndp_size = sizeof(struct usb_cdc_ncm_ndp32),	\
407 		.dpe_size = sizeof(struct usb_cdc_ncm_dpe32),	\
408 		.ndplen_align = 8,				\
409 		.dgram_item_len = 2,				\
410 		.block_length = 2,				\
411 		.ndp_index = 2,					\
412 		.reserved1 = 1,					\
413 		.reserved2 = 2,					\
414 		.next_ndp_index = 2,				\
415 	}
416 
417 static const struct ndp_parser_opts ndp16_opts = INIT_NDP16_OPTS;
418 static const struct ndp_parser_opts ndp32_opts = INIT_NDP32_OPTS;
419 
420 static inline void put_ncm(__le16 **p, unsigned size, unsigned val)
421 {
422 	switch (size) {
423 	case 1:
424 		put_unaligned_le16((u16)val, *p);
425 		break;
426 	case 2:
427 		put_unaligned_le32((u32)val, *p);
428 
429 		break;
430 	default:
431 		BUG();
432 	}
433 
434 	*p += size;
435 }
436 
437 static inline unsigned get_ncm(__le16 **p, unsigned size)
438 {
439 	unsigned tmp;
440 
441 	switch (size) {
442 	case 1:
443 		tmp = get_unaligned_le16(*p);
444 		break;
445 	case 2:
446 		tmp = get_unaligned_le32(*p);
447 		break;
448 	default:
449 		BUG();
450 	}
451 
452 	*p += size;
453 	return tmp;
454 }
455 
456 /*-------------------------------------------------------------------------*/
457 
458 static inline void ncm_reset_values(struct f_ncm *ncm)
459 {
460 	ncm->parser_opts = &ndp16_opts;
461 	ncm->is_crc = false;
462 	ncm->port.cdc_filter = DEFAULT_FILTER;
463 
464 	/* doesn't make sense for ncm, fixed size used */
465 	ncm->port.header_len = 0;
466 
467 	ncm->port.fixed_out_len = le32_to_cpu(ntb_parameters.dwNtbOutMaxSize);
468 	ncm->port.fixed_in_len = NTB_DEFAULT_IN_SIZE;
469 }
470 
471 /*
472  * Context: ncm->lock held
473  */
474 static void ncm_do_notify(struct f_ncm *ncm)
475 {
476 	struct usb_request		*req = ncm->notify_req;
477 	struct usb_cdc_notification	*event;
478 	struct usb_composite_dev	*cdev = ncm->port.func.config->cdev;
479 	__le32				*data;
480 	int				status;
481 
482 	/* notification already in flight? */
483 	if (!req)
484 		return;
485 
486 	event = req->buf;
487 	switch (ncm->notify_state) {
488 	case NCM_NOTIFY_NONE:
489 		return;
490 
491 	case NCM_NOTIFY_CONNECT:
492 		event->bNotificationType = USB_CDC_NOTIFY_NETWORK_CONNECTION;
493 		if (ncm->is_open)
494 			event->wValue = cpu_to_le16(1);
495 		else
496 			event->wValue = cpu_to_le16(0);
497 		event->wLength = 0;
498 		req->length = sizeof *event;
499 
500 		DBG(cdev, "notify connect %s\n",
501 				ncm->is_open ? "true" : "false");
502 		ncm->notify_state = NCM_NOTIFY_NONE;
503 		break;
504 
505 	case NCM_NOTIFY_SPEED:
506 		event->bNotificationType = USB_CDC_NOTIFY_SPEED_CHANGE;
507 		event->wValue = cpu_to_le16(0);
508 		event->wLength = cpu_to_le16(8);
509 		req->length = NCM_STATUS_BYTECOUNT;
510 
511 		/* SPEED_CHANGE data is up/down speeds in bits/sec */
512 		data = req->buf + sizeof *event;
513 		data[0] = cpu_to_le32(ncm_bitrate(cdev->gadget));
514 		data[1] = data[0];
515 
516 		DBG(cdev, "notify speed %d\n", ncm_bitrate(cdev->gadget));
517 		ncm->notify_state = NCM_NOTIFY_CONNECT;
518 		break;
519 	}
520 	event->bmRequestType = 0xA1;
521 	event->wIndex = cpu_to_le16(ncm->ctrl_id);
522 
523 	ncm->notify_req = NULL;
524 	/*
525 	 * In double buffering if there is a space in FIFO,
526 	 * completion callback can be called right after the call,
527 	 * so unlocking
528 	 */
529 	spin_unlock(&ncm->lock);
530 	status = usb_ep_queue(ncm->notify, req, GFP_ATOMIC);
531 	spin_lock(&ncm->lock);
532 	if (status < 0) {
533 		ncm->notify_req = req;
534 		DBG(cdev, "notify --> %d\n", status);
535 	}
536 }
537 
538 /*
539  * Context: ncm->lock held
540  */
541 static void ncm_notify(struct f_ncm *ncm)
542 {
543 	/*
544 	 * NOTE on most versions of Linux, host side cdc-ethernet
545 	 * won't listen for notifications until its netdevice opens.
546 	 * The first notification then sits in the FIFO for a long
547 	 * time, and the second one is queued.
548 	 *
549 	 * If ncm_notify() is called before the second (CONNECT)
550 	 * notification is sent, then it will reset to send the SPEED
551 	 * notificaion again (and again, and again), but it's not a problem
552 	 */
553 	ncm->notify_state = NCM_NOTIFY_SPEED;
554 	ncm_do_notify(ncm);
555 }
556 
557 static void ncm_notify_complete(struct usb_ep *ep, struct usb_request *req)
558 {
559 	struct f_ncm			*ncm = req->context;
560 	struct usb_composite_dev	*cdev = ncm->port.func.config->cdev;
561 	struct usb_cdc_notification	*event = req->buf;
562 
563 	spin_lock(&ncm->lock);
564 	switch (req->status) {
565 	case 0:
566 		VDBG(cdev, "Notification %02x sent\n",
567 		     event->bNotificationType);
568 		break;
569 	case -ECONNRESET:
570 	case -ESHUTDOWN:
571 		ncm->notify_state = NCM_NOTIFY_NONE;
572 		break;
573 	default:
574 		DBG(cdev, "event %02x --> %d\n",
575 			event->bNotificationType, req->status);
576 		break;
577 	}
578 	ncm->notify_req = req;
579 	ncm_do_notify(ncm);
580 	spin_unlock(&ncm->lock);
581 }
582 
583 static void ncm_ep0out_complete(struct usb_ep *ep, struct usb_request *req)
584 {
585 	/* now for SET_NTB_INPUT_SIZE only */
586 	unsigned		in_size;
587 	struct usb_function	*f = req->context;
588 	struct f_ncm		*ncm = func_to_ncm(f);
589 	struct usb_composite_dev *cdev = f->config->cdev;
590 
591 	req->context = NULL;
592 	if (req->status || req->actual != req->length) {
593 		DBG(cdev, "Bad control-OUT transfer\n");
594 		goto invalid;
595 	}
596 
597 	in_size = get_unaligned_le32(req->buf);
598 	if (in_size < USB_CDC_NCM_NTB_MIN_IN_SIZE ||
599 	    in_size > le32_to_cpu(ntb_parameters.dwNtbInMaxSize)) {
600 		DBG(cdev, "Got wrong INPUT SIZE (%d) from host\n", in_size);
601 		goto invalid;
602 	}
603 
604 	ncm->port.fixed_in_len = in_size;
605 	VDBG(cdev, "Set NTB INPUT SIZE %d\n", in_size);
606 	return;
607 
608 invalid:
609 	usb_ep_set_halt(ep);
610 	return;
611 }
612 
613 static int ncm_setup(struct usb_function *f, const struct usb_ctrlrequest *ctrl)
614 {
615 	struct f_ncm		*ncm = func_to_ncm(f);
616 	struct usb_composite_dev *cdev = f->config->cdev;
617 	struct usb_request	*req = cdev->req;
618 	int			value = -EOPNOTSUPP;
619 	u16			w_index = le16_to_cpu(ctrl->wIndex);
620 	u16			w_value = le16_to_cpu(ctrl->wValue);
621 	u16			w_length = le16_to_cpu(ctrl->wLength);
622 
623 	/*
624 	 * composite driver infrastructure handles everything except
625 	 * CDC class messages; interface activation uses set_alt().
626 	 */
627 	switch ((ctrl->bRequestType << 8) | ctrl->bRequest) {
628 	case ((USB_DIR_OUT | USB_TYPE_CLASS | USB_RECIP_INTERFACE) << 8)
629 			| USB_CDC_SET_ETHERNET_PACKET_FILTER:
630 		/*
631 		 * see 6.2.30: no data, wIndex = interface,
632 		 * wValue = packet filter bitmap
633 		 */
634 		if (w_length != 0 || w_index != ncm->ctrl_id)
635 			goto invalid;
636 		DBG(cdev, "packet filter %02x\n", w_value);
637 		/*
638 		 * REVISIT locking of cdc_filter.  This assumes the UDC
639 		 * driver won't have a concurrent packet TX irq running on
640 		 * another CPU; or that if it does, this write is atomic...
641 		 */
642 		ncm->port.cdc_filter = w_value;
643 		value = 0;
644 		break;
645 	/*
646 	 * and optionally:
647 	 * case USB_CDC_SEND_ENCAPSULATED_COMMAND:
648 	 * case USB_CDC_GET_ENCAPSULATED_RESPONSE:
649 	 * case USB_CDC_SET_ETHERNET_MULTICAST_FILTERS:
650 	 * case USB_CDC_SET_ETHERNET_PM_PATTERN_FILTER:
651 	 * case USB_CDC_GET_ETHERNET_PM_PATTERN_FILTER:
652 	 * case USB_CDC_GET_ETHERNET_STATISTIC:
653 	 */
654 
655 	case ((USB_DIR_IN | USB_TYPE_CLASS | USB_RECIP_INTERFACE) << 8)
656 		| USB_CDC_GET_NTB_PARAMETERS:
657 
658 		if (w_length == 0 || w_value != 0 || w_index != ncm->ctrl_id)
659 			goto invalid;
660 		value = w_length > sizeof ntb_parameters ?
661 			sizeof ntb_parameters : w_length;
662 		memcpy(req->buf, &ntb_parameters, value);
663 		VDBG(cdev, "Host asked NTB parameters\n");
664 		break;
665 
666 	case ((USB_DIR_IN | USB_TYPE_CLASS | USB_RECIP_INTERFACE) << 8)
667 		| USB_CDC_GET_NTB_INPUT_SIZE:
668 
669 		if (w_length < 4 || w_value != 0 || w_index != ncm->ctrl_id)
670 			goto invalid;
671 		put_unaligned_le32(ncm->port.fixed_in_len, req->buf);
672 		value = 4;
673 		VDBG(cdev, "Host asked INPUT SIZE, sending %d\n",
674 		     ncm->port.fixed_in_len);
675 		break;
676 
677 	case ((USB_DIR_OUT | USB_TYPE_CLASS | USB_RECIP_INTERFACE) << 8)
678 		| USB_CDC_SET_NTB_INPUT_SIZE:
679 	{
680 		if (w_length != 4 || w_value != 0 || w_index != ncm->ctrl_id)
681 			goto invalid;
682 		req->complete = ncm_ep0out_complete;
683 		req->length = w_length;
684 		req->context = f;
685 
686 		value = req->length;
687 		break;
688 	}
689 
690 	case ((USB_DIR_IN | USB_TYPE_CLASS | USB_RECIP_INTERFACE) << 8)
691 		| USB_CDC_GET_NTB_FORMAT:
692 	{
693 		uint16_t format;
694 
695 		if (w_length < 2 || w_value != 0 || w_index != ncm->ctrl_id)
696 			goto invalid;
697 		format = (ncm->parser_opts == &ndp16_opts) ? 0x0000 : 0x0001;
698 		put_unaligned_le16(format, req->buf);
699 		value = 2;
700 		VDBG(cdev, "Host asked NTB FORMAT, sending %d\n", format);
701 		break;
702 	}
703 
704 	case ((USB_DIR_OUT | USB_TYPE_CLASS | USB_RECIP_INTERFACE) << 8)
705 		| USB_CDC_SET_NTB_FORMAT:
706 	{
707 		if (w_length != 0 || w_index != ncm->ctrl_id)
708 			goto invalid;
709 		switch (w_value) {
710 		case 0x0000:
711 			ncm->parser_opts = &ndp16_opts;
712 			DBG(cdev, "NCM16 selected\n");
713 			break;
714 		case 0x0001:
715 			ncm->parser_opts = &ndp32_opts;
716 			DBG(cdev, "NCM32 selected\n");
717 			break;
718 		default:
719 			goto invalid;
720 		}
721 		value = 0;
722 		break;
723 	}
724 	case ((USB_DIR_IN | USB_TYPE_CLASS | USB_RECIP_INTERFACE) << 8)
725 		| USB_CDC_GET_CRC_MODE:
726 	{
727 		uint16_t is_crc;
728 
729 		if (w_length < 2 || w_value != 0 || w_index != ncm->ctrl_id)
730 			goto invalid;
731 		is_crc = ncm->is_crc ? 0x0001 : 0x0000;
732 		put_unaligned_le16(is_crc, req->buf);
733 		value = 2;
734 		VDBG(cdev, "Host asked CRC MODE, sending %d\n", is_crc);
735 		break;
736 	}
737 
738 	case ((USB_DIR_OUT | USB_TYPE_CLASS | USB_RECIP_INTERFACE) << 8)
739 		| USB_CDC_SET_CRC_MODE:
740 	{
741 		int ndp_hdr_crc = 0;
742 
743 		if (w_length != 0 || w_index != ncm->ctrl_id)
744 			goto invalid;
745 		switch (w_value) {
746 		case 0x0000:
747 			ncm->is_crc = false;
748 			ndp_hdr_crc = NCM_NDP_HDR_NOCRC;
749 			DBG(cdev, "non-CRC mode selected\n");
750 			break;
751 		case 0x0001:
752 			ncm->is_crc = true;
753 			ndp_hdr_crc = NCM_NDP_HDR_CRC;
754 			DBG(cdev, "CRC mode selected\n");
755 			break;
756 		default:
757 			goto invalid;
758 		}
759 		ncm->ndp_sign = ncm->parser_opts->ndp_sign | ndp_hdr_crc;
760 		value = 0;
761 		break;
762 	}
763 
764 	/* and disabled in ncm descriptor: */
765 	/* case USB_CDC_GET_NET_ADDRESS: */
766 	/* case USB_CDC_SET_NET_ADDRESS: */
767 	/* case USB_CDC_GET_MAX_DATAGRAM_SIZE: */
768 	/* case USB_CDC_SET_MAX_DATAGRAM_SIZE: */
769 
770 	default:
771 invalid:
772 		DBG(cdev, "invalid control req%02x.%02x v%04x i%04x l%d\n",
773 			ctrl->bRequestType, ctrl->bRequest,
774 			w_value, w_index, w_length);
775 	}
776 
777 	/* respond with data transfer or status phase? */
778 	if (value >= 0) {
779 		DBG(cdev, "ncm req%02x.%02x v%04x i%04x l%d\n",
780 			ctrl->bRequestType, ctrl->bRequest,
781 			w_value, w_index, w_length);
782 		req->zero = 0;
783 		req->length = value;
784 		value = usb_ep_queue(cdev->gadget->ep0, req, GFP_ATOMIC);
785 		if (value < 0)
786 			ERROR(cdev, "ncm req %02x.%02x response err %d\n",
787 					ctrl->bRequestType, ctrl->bRequest,
788 					value);
789 	}
790 
791 	/* device either stalls (value < 0) or reports success */
792 	return value;
793 }
794 
795 
796 static int ncm_set_alt(struct usb_function *f, unsigned intf, unsigned alt)
797 {
798 	struct f_ncm		*ncm = func_to_ncm(f);
799 	struct usb_composite_dev *cdev = f->config->cdev;
800 
801 	/* Control interface has only altsetting 0 */
802 	if (intf == ncm->ctrl_id) {
803 		if (alt != 0)
804 			goto fail;
805 
806 		DBG(cdev, "reset ncm control %d\n", intf);
807 		usb_ep_disable(ncm->notify);
808 
809 		if (!(ncm->notify->desc)) {
810 			DBG(cdev, "init ncm ctrl %d\n", intf);
811 			if (config_ep_by_speed(cdev->gadget, f, ncm->notify))
812 				goto fail;
813 		}
814 		usb_ep_enable(ncm->notify);
815 
816 	/* Data interface has two altsettings, 0 and 1 */
817 	} else if (intf == ncm->data_id) {
818 		if (alt > 1)
819 			goto fail;
820 
821 		if (ncm->port.in_ep->enabled) {
822 			DBG(cdev, "reset ncm\n");
823 			ncm->timer_stopping = true;
824 			ncm->netdev = NULL;
825 			gether_disconnect(&ncm->port);
826 			ncm_reset_values(ncm);
827 		}
828 
829 		/*
830 		 * CDC Network only sends data in non-default altsettings.
831 		 * Changing altsettings resets filters, statistics, etc.
832 		 */
833 		if (alt == 1) {
834 			struct net_device	*net;
835 
836 			if (!ncm->port.in_ep->desc ||
837 			    !ncm->port.out_ep->desc) {
838 				DBG(cdev, "init ncm\n");
839 				if (config_ep_by_speed(cdev->gadget, f,
840 						       ncm->port.in_ep) ||
841 				    config_ep_by_speed(cdev->gadget, f,
842 						       ncm->port.out_ep)) {
843 					ncm->port.in_ep->desc = NULL;
844 					ncm->port.out_ep->desc = NULL;
845 					goto fail;
846 				}
847 			}
848 
849 			/* TODO */
850 			/* Enable zlps by default for NCM conformance;
851 			 * override for musb_hdrc (avoids txdma ovhead)
852 			 */
853 			ncm->port.is_zlp_ok =
854 				gadget_is_zlp_supported(cdev->gadget);
855 			ncm->port.cdc_filter = DEFAULT_FILTER;
856 			DBG(cdev, "activate ncm\n");
857 			net = gether_connect(&ncm->port);
858 			if (IS_ERR(net))
859 				return PTR_ERR(net);
860 			ncm->netdev = net;
861 			ncm->timer_stopping = false;
862 		}
863 
864 		spin_lock(&ncm->lock);
865 		ncm_notify(ncm);
866 		spin_unlock(&ncm->lock);
867 	} else
868 		goto fail;
869 
870 	return 0;
871 fail:
872 	return -EINVAL;
873 }
874 
875 /*
876  * Because the data interface supports multiple altsettings,
877  * this NCM function *MUST* implement a get_alt() method.
878  */
879 static int ncm_get_alt(struct usb_function *f, unsigned intf)
880 {
881 	struct f_ncm		*ncm = func_to_ncm(f);
882 
883 	if (intf == ncm->ctrl_id)
884 		return 0;
885 	return ncm->port.in_ep->enabled ? 1 : 0;
886 }
887 
888 static struct sk_buff *package_for_tx(struct f_ncm *ncm)
889 {
890 	__le16		*ntb_iter;
891 	struct sk_buff	*skb2 = NULL;
892 	unsigned	ndp_pad;
893 	unsigned	ndp_index;
894 	unsigned	new_len;
895 
896 	const struct ndp_parser_opts *opts = ncm->parser_opts;
897 	const int ndp_align = le16_to_cpu(ntb_parameters.wNdpInAlignment);
898 	const int dgram_idx_len = 2 * 2 * opts->dgram_item_len;
899 
900 	/* Stop the timer */
901 	hrtimer_try_to_cancel(&ncm->task_timer);
902 
903 	ndp_pad = ALIGN(ncm->skb_tx_data->len, ndp_align) -
904 			ncm->skb_tx_data->len;
905 	ndp_index = ncm->skb_tx_data->len + ndp_pad;
906 	new_len = ndp_index + dgram_idx_len + ncm->skb_tx_ndp->len;
907 
908 	/* Set the final BlockLength and wNdpIndex */
909 	ntb_iter = (void *) ncm->skb_tx_data->data;
910 	/* Increment pointer to BlockLength */
911 	ntb_iter += 2 + 1 + 1;
912 	put_ncm(&ntb_iter, opts->block_length, new_len);
913 	put_ncm(&ntb_iter, opts->ndp_index, ndp_index);
914 
915 	/* Set the final NDP wLength */
916 	new_len = opts->ndp_size +
917 			(ncm->ndp_dgram_count * dgram_idx_len);
918 	ncm->ndp_dgram_count = 0;
919 	/* Increment from start to wLength */
920 	ntb_iter = (void *) ncm->skb_tx_ndp->data;
921 	ntb_iter += 2;
922 	put_unaligned_le16(new_len, ntb_iter);
923 
924 	/* Merge the skbs */
925 	swap(skb2, ncm->skb_tx_data);
926 	if (ncm->skb_tx_data) {
927 		dev_kfree_skb_any(ncm->skb_tx_data);
928 		ncm->skb_tx_data = NULL;
929 	}
930 
931 	/* Insert NDP alignment. */
932 	ntb_iter = (void *) skb_put(skb2, ndp_pad);
933 	memset(ntb_iter, 0, ndp_pad);
934 
935 	/* Copy NTB across. */
936 	ntb_iter = (void *) skb_put(skb2, ncm->skb_tx_ndp->len);
937 	memcpy(ntb_iter, ncm->skb_tx_ndp->data, ncm->skb_tx_ndp->len);
938 	dev_kfree_skb_any(ncm->skb_tx_ndp);
939 	ncm->skb_tx_ndp = NULL;
940 
941 	/* Insert zero'd datagram. */
942 	ntb_iter = (void *) skb_put(skb2, dgram_idx_len);
943 	memset(ntb_iter, 0, dgram_idx_len);
944 
945 	return skb2;
946 }
947 
948 static struct sk_buff *ncm_wrap_ntb(struct gether *port,
949 				    struct sk_buff *skb)
950 {
951 	struct f_ncm	*ncm = func_to_ncm(&port->func);
952 	struct sk_buff	*skb2 = NULL;
953 	int		ncb_len = 0;
954 	__le16		*ntb_data;
955 	__le16		*ntb_ndp;
956 	int		dgram_pad;
957 
958 	unsigned	max_size = ncm->port.fixed_in_len;
959 	const struct ndp_parser_opts *opts = ncm->parser_opts;
960 	const int ndp_align = le16_to_cpu(ntb_parameters.wNdpInAlignment);
961 	const int div = le16_to_cpu(ntb_parameters.wNdpInDivisor);
962 	const int rem = le16_to_cpu(ntb_parameters.wNdpInPayloadRemainder);
963 	const int dgram_idx_len = 2 * 2 * opts->dgram_item_len;
964 
965 	if (!skb && !ncm->skb_tx_data)
966 		return NULL;
967 
968 	if (skb) {
969 		/* Add the CRC if required up front */
970 		if (ncm->is_crc) {
971 			uint32_t	crc;
972 			__le16		*crc_pos;
973 
974 			crc = ~crc32_le(~0,
975 					skb->data,
976 					skb->len);
977 			crc_pos = (void *) skb_put(skb, sizeof(uint32_t));
978 			put_unaligned_le32(crc, crc_pos);
979 		}
980 
981 		/* If the new skb is too big for the current NCM NTB then
982 		 * set the current stored skb to be sent now and clear it
983 		 * ready for new data.
984 		 * NOTE: Assume maximum align for speed of calculation.
985 		 */
986 		if (ncm->skb_tx_data
987 		    && (ncm->ndp_dgram_count >= TX_MAX_NUM_DPE
988 		    || (ncm->skb_tx_data->len +
989 		    div + rem + skb->len +
990 		    ncm->skb_tx_ndp->len + ndp_align + (2 * dgram_idx_len))
991 		    > max_size)) {
992 			skb2 = package_for_tx(ncm);
993 			if (!skb2)
994 				goto err;
995 		}
996 
997 		if (!ncm->skb_tx_data) {
998 			ncb_len = opts->nth_size;
999 			dgram_pad = ALIGN(ncb_len, div) + rem - ncb_len;
1000 			ncb_len += dgram_pad;
1001 
1002 			/* Create a new skb for the NTH and datagrams. */
1003 			ncm->skb_tx_data = alloc_skb(max_size, GFP_ATOMIC);
1004 			if (!ncm->skb_tx_data)
1005 				goto err;
1006 
1007 			ntb_data = (void *) skb_put(ncm->skb_tx_data, ncb_len);
1008 			memset(ntb_data, 0, ncb_len);
1009 			/* dwSignature */
1010 			put_unaligned_le32(opts->nth_sign, ntb_data);
1011 			ntb_data += 2;
1012 			/* wHeaderLength */
1013 			put_unaligned_le16(opts->nth_size, ntb_data++);
1014 
1015 			/* Allocate an skb for storing the NDP,
1016 			 * TX_MAX_NUM_DPE should easily suffice for a
1017 			 * 16k packet.
1018 			 */
1019 			ncm->skb_tx_ndp = alloc_skb((int)(opts->ndp_size
1020 						    + opts->dpe_size
1021 						    * TX_MAX_NUM_DPE),
1022 						    GFP_ATOMIC);
1023 			if (!ncm->skb_tx_ndp)
1024 				goto err;
1025 			ntb_ndp = (void *) skb_put(ncm->skb_tx_ndp,
1026 						    opts->ndp_size);
1027 			memset(ntb_ndp, 0, ncb_len);
1028 			/* dwSignature */
1029 			put_unaligned_le32(ncm->ndp_sign, ntb_ndp);
1030 			ntb_ndp += 2;
1031 
1032 			/* There is always a zeroed entry */
1033 			ncm->ndp_dgram_count = 1;
1034 
1035 			/* Note: we skip opts->next_ndp_index */
1036 		}
1037 
1038 		/* Delay the timer. */
1039 		hrtimer_start(&ncm->task_timer,
1040 			      ktime_set(0, TX_TIMEOUT_NSECS),
1041 			      HRTIMER_MODE_REL);
1042 
1043 		/* Add the datagram position entries */
1044 		ntb_ndp = (void *) skb_put(ncm->skb_tx_ndp, dgram_idx_len);
1045 		memset(ntb_ndp, 0, dgram_idx_len);
1046 
1047 		ncb_len = ncm->skb_tx_data->len;
1048 		dgram_pad = ALIGN(ncb_len, div) + rem - ncb_len;
1049 		ncb_len += dgram_pad;
1050 
1051 		/* (d)wDatagramIndex */
1052 		put_ncm(&ntb_ndp, opts->dgram_item_len, ncb_len);
1053 		/* (d)wDatagramLength */
1054 		put_ncm(&ntb_ndp, opts->dgram_item_len, skb->len);
1055 		ncm->ndp_dgram_count++;
1056 
1057 		/* Add the new data to the skb */
1058 		ntb_data = (void *) skb_put(ncm->skb_tx_data, dgram_pad);
1059 		memset(ntb_data, 0, dgram_pad);
1060 		ntb_data = (void *) skb_put(ncm->skb_tx_data, skb->len);
1061 		memcpy(ntb_data, skb->data, skb->len);
1062 		dev_kfree_skb_any(skb);
1063 		skb = NULL;
1064 
1065 	} else if (ncm->skb_tx_data && ncm->timer_force_tx) {
1066 		/* If the tx was requested because of a timeout then send */
1067 		skb2 = package_for_tx(ncm);
1068 		if (!skb2)
1069 			goto err;
1070 	}
1071 
1072 	return skb2;
1073 
1074 err:
1075 	ncm->netdev->stats.tx_dropped++;
1076 
1077 	if (skb)
1078 		dev_kfree_skb_any(skb);
1079 	if (ncm->skb_tx_data)
1080 		dev_kfree_skb_any(ncm->skb_tx_data);
1081 	if (ncm->skb_tx_ndp)
1082 		dev_kfree_skb_any(ncm->skb_tx_ndp);
1083 
1084 	return NULL;
1085 }
1086 
1087 /*
1088  * This transmits the NTB if there are frames waiting.
1089  */
1090 static void ncm_tx_tasklet(unsigned long data)
1091 {
1092 	struct f_ncm	*ncm = (void *)data;
1093 
1094 	if (ncm->timer_stopping)
1095 		return;
1096 
1097 	/* Only send if data is available. */
1098 	if (ncm->skb_tx_data) {
1099 		ncm->timer_force_tx = true;
1100 
1101 		/* XXX This allowance of a NULL skb argument to ndo_start_xmit
1102 		 * XXX is not sane.  The gadget layer should be redesigned so
1103 		 * XXX that the dev->wrap() invocations to build SKBs is transparent
1104 		 * XXX and performed in some way outside of the ndo_start_xmit
1105 		 * XXX interface.
1106 		 */
1107 		ncm->netdev->netdev_ops->ndo_start_xmit(NULL, ncm->netdev);
1108 
1109 		ncm->timer_force_tx = false;
1110 	}
1111 }
1112 
1113 /*
1114  * The transmit should only be run if no skb data has been sent
1115  * for a certain duration.
1116  */
1117 static enum hrtimer_restart ncm_tx_timeout(struct hrtimer *data)
1118 {
1119 	struct f_ncm *ncm = container_of(data, struct f_ncm, task_timer);
1120 	tasklet_schedule(&ncm->tx_tasklet);
1121 	return HRTIMER_NORESTART;
1122 }
1123 
1124 static int ncm_unwrap_ntb(struct gether *port,
1125 			  struct sk_buff *skb,
1126 			  struct sk_buff_head *list)
1127 {
1128 	struct f_ncm	*ncm = func_to_ncm(&port->func);
1129 	__le16		*tmp = (void *) skb->data;
1130 	unsigned	index, index2;
1131 	int		ndp_index;
1132 	unsigned	dg_len, dg_len2;
1133 	unsigned	ndp_len;
1134 	struct sk_buff	*skb2;
1135 	int		ret = -EINVAL;
1136 	unsigned	max_size = le32_to_cpu(ntb_parameters.dwNtbOutMaxSize);
1137 	const struct ndp_parser_opts *opts = ncm->parser_opts;
1138 	unsigned	crc_len = ncm->is_crc ? sizeof(uint32_t) : 0;
1139 	int		dgram_counter;
1140 
1141 	/* dwSignature */
1142 	if (get_unaligned_le32(tmp) != opts->nth_sign) {
1143 		INFO(port->func.config->cdev, "Wrong NTH SIGN, skblen %d\n",
1144 			skb->len);
1145 		print_hex_dump(KERN_INFO, "HEAD:", DUMP_PREFIX_ADDRESS, 32, 1,
1146 			       skb->data, 32, false);
1147 
1148 		goto err;
1149 	}
1150 	tmp += 2;
1151 	/* wHeaderLength */
1152 	if (get_unaligned_le16(tmp++) != opts->nth_size) {
1153 		INFO(port->func.config->cdev, "Wrong NTB headersize\n");
1154 		goto err;
1155 	}
1156 	tmp++; /* skip wSequence */
1157 
1158 	/* (d)wBlockLength */
1159 	if (get_ncm(&tmp, opts->block_length) > max_size) {
1160 		INFO(port->func.config->cdev, "OUT size exceeded\n");
1161 		goto err;
1162 	}
1163 
1164 	ndp_index = get_ncm(&tmp, opts->ndp_index);
1165 
1166 	/* Run through all the NDP's in the NTB */
1167 	do {
1168 		/* NCM 3.2 */
1169 		if (((ndp_index % 4) != 0) &&
1170 				(ndp_index < opts->nth_size)) {
1171 			INFO(port->func.config->cdev, "Bad index: %#X\n",
1172 			     ndp_index);
1173 			goto err;
1174 		}
1175 
1176 		/* walk through NDP */
1177 		tmp = (void *)(skb->data + ndp_index);
1178 		if (get_unaligned_le32(tmp) != ncm->ndp_sign) {
1179 			INFO(port->func.config->cdev, "Wrong NDP SIGN\n");
1180 			goto err;
1181 		}
1182 		tmp += 2;
1183 
1184 		ndp_len = get_unaligned_le16(tmp++);
1185 		/*
1186 		 * NCM 3.3.1
1187 		 * entry is 2 items
1188 		 * item size is 16/32 bits, opts->dgram_item_len * 2 bytes
1189 		 * minimal: struct usb_cdc_ncm_ndpX + normal entry + zero entry
1190 		 * Each entry is a dgram index and a dgram length.
1191 		 */
1192 		if ((ndp_len < opts->ndp_size
1193 				+ 2 * 2 * (opts->dgram_item_len * 2))
1194 				|| (ndp_len % opts->ndplen_align != 0)) {
1195 			INFO(port->func.config->cdev, "Bad NDP length: %#X\n",
1196 			     ndp_len);
1197 			goto err;
1198 		}
1199 		tmp += opts->reserved1;
1200 		/* Check for another NDP (d)wNextNdpIndex */
1201 		ndp_index = get_ncm(&tmp, opts->next_ndp_index);
1202 		tmp += opts->reserved2;
1203 
1204 		ndp_len -= opts->ndp_size;
1205 		index2 = get_ncm(&tmp, opts->dgram_item_len);
1206 		dg_len2 = get_ncm(&tmp, opts->dgram_item_len);
1207 		dgram_counter = 0;
1208 
1209 		do {
1210 			index = index2;
1211 			dg_len = dg_len2;
1212 			if (dg_len < 14 + crc_len) { /* ethernet hdr + crc */
1213 				INFO(port->func.config->cdev,
1214 				     "Bad dgram length: %#X\n", dg_len);
1215 				goto err;
1216 			}
1217 			if (ncm->is_crc) {
1218 				uint32_t crc, crc2;
1219 
1220 				crc = get_unaligned_le32(skb->data +
1221 							 index + dg_len -
1222 							 crc_len);
1223 				crc2 = ~crc32_le(~0,
1224 						 skb->data + index,
1225 						 dg_len - crc_len);
1226 				if (crc != crc2) {
1227 					INFO(port->func.config->cdev,
1228 					     "Bad CRC\n");
1229 					goto err;
1230 				}
1231 			}
1232 
1233 			index2 = get_ncm(&tmp, opts->dgram_item_len);
1234 			dg_len2 = get_ncm(&tmp, opts->dgram_item_len);
1235 
1236 			/*
1237 			 * Copy the data into a new skb.
1238 			 * This ensures the truesize is correct
1239 			 */
1240 			skb2 = netdev_alloc_skb_ip_align(ncm->netdev,
1241 							 dg_len - crc_len);
1242 			if (skb2 == NULL)
1243 				goto err;
1244 			memcpy(skb_put(skb2, dg_len - crc_len),
1245 			       skb->data + index, dg_len - crc_len);
1246 
1247 			skb_queue_tail(list, skb2);
1248 
1249 			ndp_len -= 2 * (opts->dgram_item_len * 2);
1250 
1251 			dgram_counter++;
1252 
1253 			if (index2 == 0 || dg_len2 == 0)
1254 				break;
1255 		} while (ndp_len > 2 * (opts->dgram_item_len * 2));
1256 	} while (ndp_index);
1257 
1258 	dev_kfree_skb_any(skb);
1259 
1260 	VDBG(port->func.config->cdev,
1261 	     "Parsed NTB with %d frames\n", dgram_counter);
1262 	return 0;
1263 err:
1264 	skb_queue_purge(list);
1265 	dev_kfree_skb_any(skb);
1266 	return ret;
1267 }
1268 
1269 static void ncm_disable(struct usb_function *f)
1270 {
1271 	struct f_ncm		*ncm = func_to_ncm(f);
1272 	struct usb_composite_dev *cdev = f->config->cdev;
1273 
1274 	DBG(cdev, "ncm deactivated\n");
1275 
1276 	if (ncm->port.in_ep->enabled) {
1277 		ncm->timer_stopping = true;
1278 		ncm->netdev = NULL;
1279 		gether_disconnect(&ncm->port);
1280 	}
1281 
1282 	if (ncm->notify->enabled) {
1283 		usb_ep_disable(ncm->notify);
1284 		ncm->notify->desc = NULL;
1285 	}
1286 }
1287 
1288 /*-------------------------------------------------------------------------*/
1289 
1290 /*
1291  * Callbacks let us notify the host about connect/disconnect when the
1292  * net device is opened or closed.
1293  *
1294  * For testing, note that link states on this side include both opened
1295  * and closed variants of:
1296  *
1297  *   - disconnected/unconfigured
1298  *   - configured but inactive (data alt 0)
1299  *   - configured and active (data alt 1)
1300  *
1301  * Each needs to be tested with unplug, rmmod, SET_CONFIGURATION, and
1302  * SET_INTERFACE (altsetting).  Remember also that "configured" doesn't
1303  * imply the host is actually polling the notification endpoint, and
1304  * likewise that "active" doesn't imply it's actually using the data
1305  * endpoints for traffic.
1306  */
1307 
1308 static void ncm_open(struct gether *geth)
1309 {
1310 	struct f_ncm		*ncm = func_to_ncm(&geth->func);
1311 
1312 	DBG(ncm->port.func.config->cdev, "%s\n", __func__);
1313 
1314 	spin_lock(&ncm->lock);
1315 	ncm->is_open = true;
1316 	ncm_notify(ncm);
1317 	spin_unlock(&ncm->lock);
1318 }
1319 
1320 static void ncm_close(struct gether *geth)
1321 {
1322 	struct f_ncm		*ncm = func_to_ncm(&geth->func);
1323 
1324 	DBG(ncm->port.func.config->cdev, "%s\n", __func__);
1325 
1326 	spin_lock(&ncm->lock);
1327 	ncm->is_open = false;
1328 	ncm_notify(ncm);
1329 	spin_unlock(&ncm->lock);
1330 }
1331 
1332 /*-------------------------------------------------------------------------*/
1333 
1334 /* ethernet function driver setup/binding */
1335 
1336 static int ncm_bind(struct usb_configuration *c, struct usb_function *f)
1337 {
1338 	struct usb_composite_dev *cdev = c->cdev;
1339 	struct f_ncm		*ncm = func_to_ncm(f);
1340 	struct usb_string	*us;
1341 	int			status;
1342 	struct usb_ep		*ep;
1343 	struct f_ncm_opts	*ncm_opts;
1344 
1345 	if (!can_support_ecm(cdev->gadget))
1346 		return -EINVAL;
1347 
1348 	ncm_opts = container_of(f->fi, struct f_ncm_opts, func_inst);
1349 	/*
1350 	 * in drivers/usb/gadget/configfs.c:configfs_composite_bind()
1351 	 * configurations are bound in sequence with list_for_each_entry,
1352 	 * in each configuration its functions are bound in sequence
1353 	 * with list_for_each_entry, so we assume no race condition
1354 	 * with regard to ncm_opts->bound access
1355 	 */
1356 	if (!ncm_opts->bound) {
1357 		mutex_lock(&ncm_opts->lock);
1358 		gether_set_gadget(ncm_opts->net, cdev->gadget);
1359 		status = gether_register_netdev(ncm_opts->net);
1360 		mutex_unlock(&ncm_opts->lock);
1361 		if (status)
1362 			return status;
1363 		ncm_opts->bound = true;
1364 	}
1365 	us = usb_gstrings_attach(cdev, ncm_strings,
1366 				 ARRAY_SIZE(ncm_string_defs));
1367 	if (IS_ERR(us))
1368 		return PTR_ERR(us);
1369 	ncm_control_intf.iInterface = us[STRING_CTRL_IDX].id;
1370 	ncm_data_nop_intf.iInterface = us[STRING_DATA_IDX].id;
1371 	ncm_data_intf.iInterface = us[STRING_DATA_IDX].id;
1372 	ecm_desc.iMACAddress = us[STRING_MAC_IDX].id;
1373 	ncm_iad_desc.iFunction = us[STRING_IAD_IDX].id;
1374 
1375 	/* allocate instance-specific interface IDs */
1376 	status = usb_interface_id(c, f);
1377 	if (status < 0)
1378 		goto fail;
1379 	ncm->ctrl_id = status;
1380 	ncm_iad_desc.bFirstInterface = status;
1381 
1382 	ncm_control_intf.bInterfaceNumber = status;
1383 	ncm_union_desc.bMasterInterface0 = status;
1384 
1385 	status = usb_interface_id(c, f);
1386 	if (status < 0)
1387 		goto fail;
1388 	ncm->data_id = status;
1389 
1390 	ncm_data_nop_intf.bInterfaceNumber = status;
1391 	ncm_data_intf.bInterfaceNumber = status;
1392 	ncm_union_desc.bSlaveInterface0 = status;
1393 
1394 	status = -ENODEV;
1395 
1396 	/* allocate instance-specific endpoints */
1397 	ep = usb_ep_autoconfig(cdev->gadget, &fs_ncm_in_desc);
1398 	if (!ep)
1399 		goto fail;
1400 	ncm->port.in_ep = ep;
1401 
1402 	ep = usb_ep_autoconfig(cdev->gadget, &fs_ncm_out_desc);
1403 	if (!ep)
1404 		goto fail;
1405 	ncm->port.out_ep = ep;
1406 
1407 	ep = usb_ep_autoconfig(cdev->gadget, &fs_ncm_notify_desc);
1408 	if (!ep)
1409 		goto fail;
1410 	ncm->notify = ep;
1411 
1412 	status = -ENOMEM;
1413 
1414 	/* allocate notification request and buffer */
1415 	ncm->notify_req = usb_ep_alloc_request(ep, GFP_KERNEL);
1416 	if (!ncm->notify_req)
1417 		goto fail;
1418 	ncm->notify_req->buf = kmalloc(NCM_STATUS_BYTECOUNT, GFP_KERNEL);
1419 	if (!ncm->notify_req->buf)
1420 		goto fail;
1421 	ncm->notify_req->context = ncm;
1422 	ncm->notify_req->complete = ncm_notify_complete;
1423 
1424 	/*
1425 	 * support all relevant hardware speeds... we expect that when
1426 	 * hardware is dual speed, all bulk-capable endpoints work at
1427 	 * both speeds
1428 	 */
1429 	hs_ncm_in_desc.bEndpointAddress = fs_ncm_in_desc.bEndpointAddress;
1430 	hs_ncm_out_desc.bEndpointAddress = fs_ncm_out_desc.bEndpointAddress;
1431 	hs_ncm_notify_desc.bEndpointAddress =
1432 		fs_ncm_notify_desc.bEndpointAddress;
1433 
1434 	status = usb_assign_descriptors(f, ncm_fs_function, ncm_hs_function,
1435 			NULL);
1436 	if (status)
1437 		goto fail;
1438 
1439 	/*
1440 	 * NOTE:  all that is done without knowing or caring about
1441 	 * the network link ... which is unavailable to this code
1442 	 * until we're activated via set_alt().
1443 	 */
1444 
1445 	ncm->port.open = ncm_open;
1446 	ncm->port.close = ncm_close;
1447 
1448 	tasklet_init(&ncm->tx_tasklet, ncm_tx_tasklet, (unsigned long) ncm);
1449 	hrtimer_init(&ncm->task_timer, CLOCK_MONOTONIC, HRTIMER_MODE_REL);
1450 	ncm->task_timer.function = ncm_tx_timeout;
1451 
1452 	DBG(cdev, "CDC Network: %s speed IN/%s OUT/%s NOTIFY/%s\n",
1453 			gadget_is_dualspeed(c->cdev->gadget) ? "dual" : "full",
1454 			ncm->port.in_ep->name, ncm->port.out_ep->name,
1455 			ncm->notify->name);
1456 	return 0;
1457 
1458 fail:
1459 	if (ncm->notify_req) {
1460 		kfree(ncm->notify_req->buf);
1461 		usb_ep_free_request(ncm->notify, ncm->notify_req);
1462 	}
1463 
1464 	ERROR(cdev, "%s: can't bind, err %d\n", f->name, status);
1465 
1466 	return status;
1467 }
1468 
1469 static inline struct f_ncm_opts *to_f_ncm_opts(struct config_item *item)
1470 {
1471 	return container_of(to_config_group(item), struct f_ncm_opts,
1472 			    func_inst.group);
1473 }
1474 
1475 /* f_ncm_item_ops */
1476 USB_ETHERNET_CONFIGFS_ITEM(ncm);
1477 
1478 /* f_ncm_opts_dev_addr */
1479 USB_ETHERNET_CONFIGFS_ITEM_ATTR_DEV_ADDR(ncm);
1480 
1481 /* f_ncm_opts_host_addr */
1482 USB_ETHERNET_CONFIGFS_ITEM_ATTR_HOST_ADDR(ncm);
1483 
1484 /* f_ncm_opts_qmult */
1485 USB_ETHERNET_CONFIGFS_ITEM_ATTR_QMULT(ncm);
1486 
1487 /* f_ncm_opts_ifname */
1488 USB_ETHERNET_CONFIGFS_ITEM_ATTR_IFNAME(ncm);
1489 
1490 static struct configfs_attribute *ncm_attrs[] = {
1491 	&ncm_opts_attr_dev_addr,
1492 	&ncm_opts_attr_host_addr,
1493 	&ncm_opts_attr_qmult,
1494 	&ncm_opts_attr_ifname,
1495 	NULL,
1496 };
1497 
1498 static struct config_item_type ncm_func_type = {
1499 	.ct_item_ops	= &ncm_item_ops,
1500 	.ct_attrs	= ncm_attrs,
1501 	.ct_owner	= THIS_MODULE,
1502 };
1503 
1504 static void ncm_free_inst(struct usb_function_instance *f)
1505 {
1506 	struct f_ncm_opts *opts;
1507 
1508 	opts = container_of(f, struct f_ncm_opts, func_inst);
1509 	if (opts->bound)
1510 		gether_cleanup(netdev_priv(opts->net));
1511 	else
1512 		free_netdev(opts->net);
1513 	kfree(opts);
1514 }
1515 
1516 static struct usb_function_instance *ncm_alloc_inst(void)
1517 {
1518 	struct f_ncm_opts *opts;
1519 
1520 	opts = kzalloc(sizeof(*opts), GFP_KERNEL);
1521 	if (!opts)
1522 		return ERR_PTR(-ENOMEM);
1523 	mutex_init(&opts->lock);
1524 	opts->func_inst.free_func_inst = ncm_free_inst;
1525 	opts->net = gether_setup_default();
1526 	if (IS_ERR(opts->net)) {
1527 		struct net_device *net = opts->net;
1528 		kfree(opts);
1529 		return ERR_CAST(net);
1530 	}
1531 
1532 	config_group_init_type_name(&opts->func_inst.group, "", &ncm_func_type);
1533 
1534 	return &opts->func_inst;
1535 }
1536 
1537 static void ncm_free(struct usb_function *f)
1538 {
1539 	struct f_ncm *ncm;
1540 	struct f_ncm_opts *opts;
1541 
1542 	ncm = func_to_ncm(f);
1543 	opts = container_of(f->fi, struct f_ncm_opts, func_inst);
1544 	kfree(ncm);
1545 	mutex_lock(&opts->lock);
1546 	opts->refcnt--;
1547 	mutex_unlock(&opts->lock);
1548 }
1549 
1550 static void ncm_unbind(struct usb_configuration *c, struct usb_function *f)
1551 {
1552 	struct f_ncm *ncm = func_to_ncm(f);
1553 
1554 	DBG(c->cdev, "ncm unbind\n");
1555 
1556 	hrtimer_cancel(&ncm->task_timer);
1557 	tasklet_kill(&ncm->tx_tasklet);
1558 
1559 	ncm_string_defs[0].id = 0;
1560 	usb_free_all_descriptors(f);
1561 
1562 	kfree(ncm->notify_req->buf);
1563 	usb_ep_free_request(ncm->notify, ncm->notify_req);
1564 }
1565 
1566 static struct usb_function *ncm_alloc(struct usb_function_instance *fi)
1567 {
1568 	struct f_ncm		*ncm;
1569 	struct f_ncm_opts	*opts;
1570 	int status;
1571 
1572 	/* allocate and initialize one new instance */
1573 	ncm = kzalloc(sizeof(*ncm), GFP_KERNEL);
1574 	if (!ncm)
1575 		return ERR_PTR(-ENOMEM);
1576 
1577 	opts = container_of(fi, struct f_ncm_opts, func_inst);
1578 	mutex_lock(&opts->lock);
1579 	opts->refcnt++;
1580 
1581 	/* export host's Ethernet address in CDC format */
1582 	status = gether_get_host_addr_cdc(opts->net, ncm->ethaddr,
1583 				      sizeof(ncm->ethaddr));
1584 	if (status < 12) { /* strlen("01234567890a") */
1585 		kfree(ncm);
1586 		mutex_unlock(&opts->lock);
1587 		return ERR_PTR(-EINVAL);
1588 	}
1589 	ncm_string_defs[STRING_MAC_IDX].s = ncm->ethaddr;
1590 
1591 	spin_lock_init(&ncm->lock);
1592 	ncm_reset_values(ncm);
1593 	ncm->port.ioport = netdev_priv(opts->net);
1594 	mutex_unlock(&opts->lock);
1595 	ncm->port.is_fixed = true;
1596 	ncm->port.supports_multi_frame = true;
1597 
1598 	ncm->port.func.name = "cdc_network";
1599 	/* descriptors are per-instance copies */
1600 	ncm->port.func.bind = ncm_bind;
1601 	ncm->port.func.unbind = ncm_unbind;
1602 	ncm->port.func.set_alt = ncm_set_alt;
1603 	ncm->port.func.get_alt = ncm_get_alt;
1604 	ncm->port.func.setup = ncm_setup;
1605 	ncm->port.func.disable = ncm_disable;
1606 	ncm->port.func.free_func = ncm_free;
1607 
1608 	ncm->port.wrap = ncm_wrap_ntb;
1609 	ncm->port.unwrap = ncm_unwrap_ntb;
1610 
1611 	return &ncm->port.func;
1612 }
1613 
1614 DECLARE_USB_FUNCTION_INIT(ncm, ncm_alloc_inst, ncm_alloc);
1615 MODULE_LICENSE("GPL");
1616 MODULE_AUTHOR("Yauheni Kaliuta");
1617