1 /*
2  * f_ncm.c -- USB CDC Network (NCM) link function driver
3  *
4  * Copyright (C) 2010 Nokia Corporation
5  * Contact: Yauheni Kaliuta <yauheni.kaliuta@nokia.com>
6  *
7  * The driver borrows from f_ecm.c which is:
8  *
9  * Copyright (C) 2003-2005,2008 David Brownell
10  * Copyright (C) 2008 Nokia Corporation
11  *
12  * This program is free software; you can redistribute it and/or modify
13  * it under the terms of the GNU General Public License as published by
14  * the Free Software Foundation; either version 2 of the License, or
15  * (at your option) any later version.
16  */
17 
18 #include <linux/kernel.h>
19 #include <linux/module.h>
20 #include <linux/device.h>
21 #include <linux/etherdevice.h>
22 #include <linux/crc32.h>
23 
24 #include <linux/usb/cdc.h>
25 
26 #include "u_ether.h"
27 #include "u_ether_configfs.h"
28 #include "u_ncm.h"
29 
30 /*
31  * This function is a "CDC Network Control Model" (CDC NCM) Ethernet link.
32  * NCM is intended to be used with high-speed network attachments.
33  *
34  * Note that NCM requires the use of "alternate settings" for its data
35  * interface.  This means that the set_alt() method has real work to do,
36  * and also means that a get_alt() method is required.
37  */
38 
39 /* to trigger crc/non-crc ndp signature */
40 
41 #define NCM_NDP_HDR_CRC_MASK	0x01000000
42 #define NCM_NDP_HDR_CRC		0x01000000
43 #define NCM_NDP_HDR_NOCRC	0x00000000
44 
45 enum ncm_notify_state {
46 	NCM_NOTIFY_NONE,		/* don't notify */
47 	NCM_NOTIFY_CONNECT,		/* issue CONNECT next */
48 	NCM_NOTIFY_SPEED,		/* issue SPEED_CHANGE next */
49 };
50 
51 struct f_ncm {
52 	struct gether			port;
53 	u8				ctrl_id, data_id;
54 
55 	char				ethaddr[14];
56 
57 	struct usb_ep			*notify;
58 	struct usb_request		*notify_req;
59 	u8				notify_state;
60 	bool				is_open;
61 
62 	const struct ndp_parser_opts	*parser_opts;
63 	bool				is_crc;
64 	u32				ndp_sign;
65 
66 	/*
67 	 * for notification, it is accessed from both
68 	 * callback and ethernet open/close
69 	 */
70 	spinlock_t			lock;
71 
72 	struct net_device		*netdev;
73 
74 	/* For multi-frame NDP TX */
75 	struct sk_buff			*skb_tx_data;
76 	struct sk_buff			*skb_tx_ndp;
77 	u16				ndp_dgram_count;
78 	bool				timer_force_tx;
79 	struct tasklet_struct		tx_tasklet;
80 	struct hrtimer			task_timer;
81 
82 	bool				timer_stopping;
83 };
84 
85 static inline struct f_ncm *func_to_ncm(struct usb_function *f)
86 {
87 	return container_of(f, struct f_ncm, port.func);
88 }
89 
90 /* peak (theoretical) bulk transfer rate in bits-per-second */
91 static inline unsigned ncm_bitrate(struct usb_gadget *g)
92 {
93 	if (gadget_is_dualspeed(g) && g->speed == USB_SPEED_HIGH)
94 		return 13 * 512 * 8 * 1000 * 8;
95 	else
96 		return 19 *  64 * 1 * 1000 * 8;
97 }
98 
99 /*-------------------------------------------------------------------------*/
100 
101 /*
102  * We cannot group frames so use just the minimal size which ok to put
103  * one max-size ethernet frame.
104  * If the host can group frames, allow it to do that, 16K is selected,
105  * because it's used by default by the current linux host driver
106  */
107 #define NTB_DEFAULT_IN_SIZE	16384
108 #define NTB_OUT_SIZE		16384
109 
110 /* Allocation for storing the NDP, 32 should suffice for a
111  * 16k packet. This allows a maximum of 32 * 507 Byte packets to
112  * be transmitted in a single 16kB skb, though when sending full size
113  * packets this limit will be plenty.
114  * Smaller packets are not likely to be trying to maximize the
115  * throughput and will be mstly sending smaller infrequent frames.
116  */
117 #define TX_MAX_NUM_DPE		32
118 
119 /* Delay for the transmit to wait before sending an unfilled NTB frame. */
120 #define TX_TIMEOUT_NSECS	300000
121 
122 #define FORMATS_SUPPORTED	(USB_CDC_NCM_NTB16_SUPPORTED |	\
123 				 USB_CDC_NCM_NTB32_SUPPORTED)
124 
125 static struct usb_cdc_ncm_ntb_parameters ntb_parameters = {
126 	.wLength = cpu_to_le16(sizeof(ntb_parameters)),
127 	.bmNtbFormatsSupported = cpu_to_le16(FORMATS_SUPPORTED),
128 	.dwNtbInMaxSize = cpu_to_le32(NTB_DEFAULT_IN_SIZE),
129 	.wNdpInDivisor = cpu_to_le16(4),
130 	.wNdpInPayloadRemainder = cpu_to_le16(0),
131 	.wNdpInAlignment = cpu_to_le16(4),
132 
133 	.dwNtbOutMaxSize = cpu_to_le32(NTB_OUT_SIZE),
134 	.wNdpOutDivisor = cpu_to_le16(4),
135 	.wNdpOutPayloadRemainder = cpu_to_le16(0),
136 	.wNdpOutAlignment = cpu_to_le16(4),
137 };
138 
139 /*
140  * Use wMaxPacketSize big enough to fit CDC_NOTIFY_SPEED_CHANGE in one
141  * packet, to simplify cancellation; and a big transfer interval, to
142  * waste less bandwidth.
143  */
144 
145 #define NCM_STATUS_INTERVAL_MS		32
146 #define NCM_STATUS_BYTECOUNT		16	/* 8 byte header + data */
147 
148 static struct usb_interface_assoc_descriptor ncm_iad_desc = {
149 	.bLength =		sizeof ncm_iad_desc,
150 	.bDescriptorType =	USB_DT_INTERFACE_ASSOCIATION,
151 
152 	/* .bFirstInterface =	DYNAMIC, */
153 	.bInterfaceCount =	2,	/* control + data */
154 	.bFunctionClass =	USB_CLASS_COMM,
155 	.bFunctionSubClass =	USB_CDC_SUBCLASS_NCM,
156 	.bFunctionProtocol =	USB_CDC_PROTO_NONE,
157 	/* .iFunction =		DYNAMIC */
158 };
159 
160 /* interface descriptor: */
161 
162 static struct usb_interface_descriptor ncm_control_intf = {
163 	.bLength =		sizeof ncm_control_intf,
164 	.bDescriptorType =	USB_DT_INTERFACE,
165 
166 	/* .bInterfaceNumber = DYNAMIC */
167 	.bNumEndpoints =	1,
168 	.bInterfaceClass =	USB_CLASS_COMM,
169 	.bInterfaceSubClass =	USB_CDC_SUBCLASS_NCM,
170 	.bInterfaceProtocol =	USB_CDC_PROTO_NONE,
171 	/* .iInterface = DYNAMIC */
172 };
173 
174 static struct usb_cdc_header_desc ncm_header_desc = {
175 	.bLength =		sizeof ncm_header_desc,
176 	.bDescriptorType =	USB_DT_CS_INTERFACE,
177 	.bDescriptorSubType =	USB_CDC_HEADER_TYPE,
178 
179 	.bcdCDC =		cpu_to_le16(0x0110),
180 };
181 
182 static struct usb_cdc_union_desc ncm_union_desc = {
183 	.bLength =		sizeof(ncm_union_desc),
184 	.bDescriptorType =	USB_DT_CS_INTERFACE,
185 	.bDescriptorSubType =	USB_CDC_UNION_TYPE,
186 	/* .bMasterInterface0 =	DYNAMIC */
187 	/* .bSlaveInterface0 =	DYNAMIC */
188 };
189 
190 static struct usb_cdc_ether_desc ecm_desc = {
191 	.bLength =		sizeof ecm_desc,
192 	.bDescriptorType =	USB_DT_CS_INTERFACE,
193 	.bDescriptorSubType =	USB_CDC_ETHERNET_TYPE,
194 
195 	/* this descriptor actually adds value, surprise! */
196 	/* .iMACAddress = DYNAMIC */
197 	.bmEthernetStatistics =	cpu_to_le32(0), /* no statistics */
198 	.wMaxSegmentSize =	cpu_to_le16(ETH_FRAME_LEN),
199 	.wNumberMCFilters =	cpu_to_le16(0),
200 	.bNumberPowerFilters =	0,
201 };
202 
203 #define NCAPS	(USB_CDC_NCM_NCAP_ETH_FILTER | USB_CDC_NCM_NCAP_CRC_MODE)
204 
205 static struct usb_cdc_ncm_desc ncm_desc = {
206 	.bLength =		sizeof ncm_desc,
207 	.bDescriptorType =	USB_DT_CS_INTERFACE,
208 	.bDescriptorSubType =	USB_CDC_NCM_TYPE,
209 
210 	.bcdNcmVersion =	cpu_to_le16(0x0100),
211 	/* can process SetEthernetPacketFilter */
212 	.bmNetworkCapabilities = NCAPS,
213 };
214 
215 /* the default data interface has no endpoints ... */
216 
217 static struct usb_interface_descriptor ncm_data_nop_intf = {
218 	.bLength =		sizeof ncm_data_nop_intf,
219 	.bDescriptorType =	USB_DT_INTERFACE,
220 
221 	.bInterfaceNumber =	1,
222 	.bAlternateSetting =	0,
223 	.bNumEndpoints =	0,
224 	.bInterfaceClass =	USB_CLASS_CDC_DATA,
225 	.bInterfaceSubClass =	0,
226 	.bInterfaceProtocol =	USB_CDC_NCM_PROTO_NTB,
227 	/* .iInterface = DYNAMIC */
228 };
229 
230 /* ... but the "real" data interface has two bulk endpoints */
231 
232 static struct usb_interface_descriptor ncm_data_intf = {
233 	.bLength =		sizeof ncm_data_intf,
234 	.bDescriptorType =	USB_DT_INTERFACE,
235 
236 	.bInterfaceNumber =	1,
237 	.bAlternateSetting =	1,
238 	.bNumEndpoints =	2,
239 	.bInterfaceClass =	USB_CLASS_CDC_DATA,
240 	.bInterfaceSubClass =	0,
241 	.bInterfaceProtocol =	USB_CDC_NCM_PROTO_NTB,
242 	/* .iInterface = DYNAMIC */
243 };
244 
245 /* full speed support: */
246 
247 static struct usb_endpoint_descriptor fs_ncm_notify_desc = {
248 	.bLength =		USB_DT_ENDPOINT_SIZE,
249 	.bDescriptorType =	USB_DT_ENDPOINT,
250 
251 	.bEndpointAddress =	USB_DIR_IN,
252 	.bmAttributes =		USB_ENDPOINT_XFER_INT,
253 	.wMaxPacketSize =	cpu_to_le16(NCM_STATUS_BYTECOUNT),
254 	.bInterval =		NCM_STATUS_INTERVAL_MS,
255 };
256 
257 static struct usb_endpoint_descriptor fs_ncm_in_desc = {
258 	.bLength =		USB_DT_ENDPOINT_SIZE,
259 	.bDescriptorType =	USB_DT_ENDPOINT,
260 
261 	.bEndpointAddress =	USB_DIR_IN,
262 	.bmAttributes =		USB_ENDPOINT_XFER_BULK,
263 };
264 
265 static struct usb_endpoint_descriptor fs_ncm_out_desc = {
266 	.bLength =		USB_DT_ENDPOINT_SIZE,
267 	.bDescriptorType =	USB_DT_ENDPOINT,
268 
269 	.bEndpointAddress =	USB_DIR_OUT,
270 	.bmAttributes =		USB_ENDPOINT_XFER_BULK,
271 };
272 
273 static struct usb_descriptor_header *ncm_fs_function[] = {
274 	(struct usb_descriptor_header *) &ncm_iad_desc,
275 	/* CDC NCM control descriptors */
276 	(struct usb_descriptor_header *) &ncm_control_intf,
277 	(struct usb_descriptor_header *) &ncm_header_desc,
278 	(struct usb_descriptor_header *) &ncm_union_desc,
279 	(struct usb_descriptor_header *) &ecm_desc,
280 	(struct usb_descriptor_header *) &ncm_desc,
281 	(struct usb_descriptor_header *) &fs_ncm_notify_desc,
282 	/* data interface, altsettings 0 and 1 */
283 	(struct usb_descriptor_header *) &ncm_data_nop_intf,
284 	(struct usb_descriptor_header *) &ncm_data_intf,
285 	(struct usb_descriptor_header *) &fs_ncm_in_desc,
286 	(struct usb_descriptor_header *) &fs_ncm_out_desc,
287 	NULL,
288 };
289 
290 /* high speed support: */
291 
292 static struct usb_endpoint_descriptor hs_ncm_notify_desc = {
293 	.bLength =		USB_DT_ENDPOINT_SIZE,
294 	.bDescriptorType =	USB_DT_ENDPOINT,
295 
296 	.bEndpointAddress =	USB_DIR_IN,
297 	.bmAttributes =		USB_ENDPOINT_XFER_INT,
298 	.wMaxPacketSize =	cpu_to_le16(NCM_STATUS_BYTECOUNT),
299 	.bInterval =		USB_MS_TO_HS_INTERVAL(NCM_STATUS_INTERVAL_MS),
300 };
301 static struct usb_endpoint_descriptor hs_ncm_in_desc = {
302 	.bLength =		USB_DT_ENDPOINT_SIZE,
303 	.bDescriptorType =	USB_DT_ENDPOINT,
304 
305 	.bEndpointAddress =	USB_DIR_IN,
306 	.bmAttributes =		USB_ENDPOINT_XFER_BULK,
307 	.wMaxPacketSize =	cpu_to_le16(512),
308 };
309 
310 static struct usb_endpoint_descriptor hs_ncm_out_desc = {
311 	.bLength =		USB_DT_ENDPOINT_SIZE,
312 	.bDescriptorType =	USB_DT_ENDPOINT,
313 
314 	.bEndpointAddress =	USB_DIR_OUT,
315 	.bmAttributes =		USB_ENDPOINT_XFER_BULK,
316 	.wMaxPacketSize =	cpu_to_le16(512),
317 };
318 
319 static struct usb_descriptor_header *ncm_hs_function[] = {
320 	(struct usb_descriptor_header *) &ncm_iad_desc,
321 	/* CDC NCM control descriptors */
322 	(struct usb_descriptor_header *) &ncm_control_intf,
323 	(struct usb_descriptor_header *) &ncm_header_desc,
324 	(struct usb_descriptor_header *) &ncm_union_desc,
325 	(struct usb_descriptor_header *) &ecm_desc,
326 	(struct usb_descriptor_header *) &ncm_desc,
327 	(struct usb_descriptor_header *) &hs_ncm_notify_desc,
328 	/* data interface, altsettings 0 and 1 */
329 	(struct usb_descriptor_header *) &ncm_data_nop_intf,
330 	(struct usb_descriptor_header *) &ncm_data_intf,
331 	(struct usb_descriptor_header *) &hs_ncm_in_desc,
332 	(struct usb_descriptor_header *) &hs_ncm_out_desc,
333 	NULL,
334 };
335 
336 /* string descriptors: */
337 
338 #define STRING_CTRL_IDX	0
339 #define STRING_MAC_IDX	1
340 #define STRING_DATA_IDX	2
341 #define STRING_IAD_IDX	3
342 
343 static struct usb_string ncm_string_defs[] = {
344 	[STRING_CTRL_IDX].s = "CDC Network Control Model (NCM)",
345 	[STRING_MAC_IDX].s = "",
346 	[STRING_DATA_IDX].s = "CDC Network Data",
347 	[STRING_IAD_IDX].s = "CDC NCM",
348 	{  } /* end of list */
349 };
350 
351 static struct usb_gadget_strings ncm_string_table = {
352 	.language =		0x0409,	/* en-us */
353 	.strings =		ncm_string_defs,
354 };
355 
356 static struct usb_gadget_strings *ncm_strings[] = {
357 	&ncm_string_table,
358 	NULL,
359 };
360 
361 /*
362  * Here are options for NCM Datagram Pointer table (NDP) parser.
363  * There are 2 different formats: NDP16 and NDP32 in the spec (ch. 3),
364  * in NDP16 offsets and sizes fields are 1 16bit word wide,
365  * in NDP32 -- 2 16bit words wide. Also signatures are different.
366  * To make the parser code the same, put the differences in the structure,
367  * and switch pointers to the structures when the format is changed.
368  */
369 
370 struct ndp_parser_opts {
371 	u32		nth_sign;
372 	u32		ndp_sign;
373 	unsigned	nth_size;
374 	unsigned	ndp_size;
375 	unsigned	dpe_size;
376 	unsigned	ndplen_align;
377 	/* sizes in u16 units */
378 	unsigned	dgram_item_len; /* index or length */
379 	unsigned	block_length;
380 	unsigned	ndp_index;
381 	unsigned	reserved1;
382 	unsigned	reserved2;
383 	unsigned	next_ndp_index;
384 };
385 
386 #define INIT_NDP16_OPTS {					\
387 		.nth_sign = USB_CDC_NCM_NTH16_SIGN,		\
388 		.ndp_sign = USB_CDC_NCM_NDP16_NOCRC_SIGN,	\
389 		.nth_size = sizeof(struct usb_cdc_ncm_nth16),	\
390 		.ndp_size = sizeof(struct usb_cdc_ncm_ndp16),	\
391 		.dpe_size = sizeof(struct usb_cdc_ncm_dpe16),	\
392 		.ndplen_align = 4,				\
393 		.dgram_item_len = 1,				\
394 		.block_length = 1,				\
395 		.ndp_index = 1,					\
396 		.reserved1 = 0,					\
397 		.reserved2 = 0,					\
398 		.next_ndp_index = 1,				\
399 	}
400 
401 
402 #define INIT_NDP32_OPTS {					\
403 		.nth_sign = USB_CDC_NCM_NTH32_SIGN,		\
404 		.ndp_sign = USB_CDC_NCM_NDP32_NOCRC_SIGN,	\
405 		.nth_size = sizeof(struct usb_cdc_ncm_nth32),	\
406 		.ndp_size = sizeof(struct usb_cdc_ncm_ndp32),	\
407 		.dpe_size = sizeof(struct usb_cdc_ncm_dpe32),	\
408 		.ndplen_align = 8,				\
409 		.dgram_item_len = 2,				\
410 		.block_length = 2,				\
411 		.ndp_index = 2,					\
412 		.reserved1 = 1,					\
413 		.reserved2 = 2,					\
414 		.next_ndp_index = 2,				\
415 	}
416 
417 static const struct ndp_parser_opts ndp16_opts = INIT_NDP16_OPTS;
418 static const struct ndp_parser_opts ndp32_opts = INIT_NDP32_OPTS;
419 
420 static inline void put_ncm(__le16 **p, unsigned size, unsigned val)
421 {
422 	switch (size) {
423 	case 1:
424 		put_unaligned_le16((u16)val, *p);
425 		break;
426 	case 2:
427 		put_unaligned_le32((u32)val, *p);
428 
429 		break;
430 	default:
431 		BUG();
432 	}
433 
434 	*p += size;
435 }
436 
437 static inline unsigned get_ncm(__le16 **p, unsigned size)
438 {
439 	unsigned tmp;
440 
441 	switch (size) {
442 	case 1:
443 		tmp = get_unaligned_le16(*p);
444 		break;
445 	case 2:
446 		tmp = get_unaligned_le32(*p);
447 		break;
448 	default:
449 		BUG();
450 	}
451 
452 	*p += size;
453 	return tmp;
454 }
455 
456 /*-------------------------------------------------------------------------*/
457 
458 static inline void ncm_reset_values(struct f_ncm *ncm)
459 {
460 	ncm->parser_opts = &ndp16_opts;
461 	ncm->is_crc = false;
462 	ncm->port.cdc_filter = DEFAULT_FILTER;
463 
464 	/* doesn't make sense for ncm, fixed size used */
465 	ncm->port.header_len = 0;
466 
467 	ncm->port.fixed_out_len = le32_to_cpu(ntb_parameters.dwNtbOutMaxSize);
468 	ncm->port.fixed_in_len = NTB_DEFAULT_IN_SIZE;
469 }
470 
471 /*
472  * Context: ncm->lock held
473  */
474 static void ncm_do_notify(struct f_ncm *ncm)
475 {
476 	struct usb_request		*req = ncm->notify_req;
477 	struct usb_cdc_notification	*event;
478 	struct usb_composite_dev	*cdev = ncm->port.func.config->cdev;
479 	__le32				*data;
480 	int				status;
481 
482 	/* notification already in flight? */
483 	if (!req)
484 		return;
485 
486 	event = req->buf;
487 	switch (ncm->notify_state) {
488 	case NCM_NOTIFY_NONE:
489 		return;
490 
491 	case NCM_NOTIFY_CONNECT:
492 		event->bNotificationType = USB_CDC_NOTIFY_NETWORK_CONNECTION;
493 		if (ncm->is_open)
494 			event->wValue = cpu_to_le16(1);
495 		else
496 			event->wValue = cpu_to_le16(0);
497 		event->wLength = 0;
498 		req->length = sizeof *event;
499 
500 		DBG(cdev, "notify connect %s\n",
501 				ncm->is_open ? "true" : "false");
502 		ncm->notify_state = NCM_NOTIFY_NONE;
503 		break;
504 
505 	case NCM_NOTIFY_SPEED:
506 		event->bNotificationType = USB_CDC_NOTIFY_SPEED_CHANGE;
507 		event->wValue = cpu_to_le16(0);
508 		event->wLength = cpu_to_le16(8);
509 		req->length = NCM_STATUS_BYTECOUNT;
510 
511 		/* SPEED_CHANGE data is up/down speeds in bits/sec */
512 		data = req->buf + sizeof *event;
513 		data[0] = cpu_to_le32(ncm_bitrate(cdev->gadget));
514 		data[1] = data[0];
515 
516 		DBG(cdev, "notify speed %d\n", ncm_bitrate(cdev->gadget));
517 		ncm->notify_state = NCM_NOTIFY_CONNECT;
518 		break;
519 	}
520 	event->bmRequestType = 0xA1;
521 	event->wIndex = cpu_to_le16(ncm->ctrl_id);
522 
523 	ncm->notify_req = NULL;
524 	/*
525 	 * In double buffering if there is a space in FIFO,
526 	 * completion callback can be called right after the call,
527 	 * so unlocking
528 	 */
529 	spin_unlock(&ncm->lock);
530 	status = usb_ep_queue(ncm->notify, req, GFP_ATOMIC);
531 	spin_lock(&ncm->lock);
532 	if (status < 0) {
533 		ncm->notify_req = req;
534 		DBG(cdev, "notify --> %d\n", status);
535 	}
536 }
537 
538 /*
539  * Context: ncm->lock held
540  */
541 static void ncm_notify(struct f_ncm *ncm)
542 {
543 	/*
544 	 * NOTE on most versions of Linux, host side cdc-ethernet
545 	 * won't listen for notifications until its netdevice opens.
546 	 * The first notification then sits in the FIFO for a long
547 	 * time, and the second one is queued.
548 	 *
549 	 * If ncm_notify() is called before the second (CONNECT)
550 	 * notification is sent, then it will reset to send the SPEED
551 	 * notificaion again (and again, and again), but it's not a problem
552 	 */
553 	ncm->notify_state = NCM_NOTIFY_SPEED;
554 	ncm_do_notify(ncm);
555 }
556 
557 static void ncm_notify_complete(struct usb_ep *ep, struct usb_request *req)
558 {
559 	struct f_ncm			*ncm = req->context;
560 	struct usb_composite_dev	*cdev = ncm->port.func.config->cdev;
561 	struct usb_cdc_notification	*event = req->buf;
562 
563 	spin_lock(&ncm->lock);
564 	switch (req->status) {
565 	case 0:
566 		VDBG(cdev, "Notification %02x sent\n",
567 		     event->bNotificationType);
568 		break;
569 	case -ECONNRESET:
570 	case -ESHUTDOWN:
571 		ncm->notify_state = NCM_NOTIFY_NONE;
572 		break;
573 	default:
574 		DBG(cdev, "event %02x --> %d\n",
575 			event->bNotificationType, req->status);
576 		break;
577 	}
578 	ncm->notify_req = req;
579 	ncm_do_notify(ncm);
580 	spin_unlock(&ncm->lock);
581 }
582 
583 static void ncm_ep0out_complete(struct usb_ep *ep, struct usb_request *req)
584 {
585 	/* now for SET_NTB_INPUT_SIZE only */
586 	unsigned		in_size;
587 	struct usb_function	*f = req->context;
588 	struct f_ncm		*ncm = func_to_ncm(f);
589 	struct usb_composite_dev *cdev = ep->driver_data;
590 
591 	req->context = NULL;
592 	if (req->status || req->actual != req->length) {
593 		DBG(cdev, "Bad control-OUT transfer\n");
594 		goto invalid;
595 	}
596 
597 	in_size = get_unaligned_le32(req->buf);
598 	if (in_size < USB_CDC_NCM_NTB_MIN_IN_SIZE ||
599 	    in_size > le32_to_cpu(ntb_parameters.dwNtbInMaxSize)) {
600 		DBG(cdev, "Got wrong INPUT SIZE (%d) from host\n", in_size);
601 		goto invalid;
602 	}
603 
604 	ncm->port.fixed_in_len = in_size;
605 	VDBG(cdev, "Set NTB INPUT SIZE %d\n", in_size);
606 	return;
607 
608 invalid:
609 	usb_ep_set_halt(ep);
610 	return;
611 }
612 
613 static int ncm_setup(struct usb_function *f, const struct usb_ctrlrequest *ctrl)
614 {
615 	struct f_ncm		*ncm = func_to_ncm(f);
616 	struct usb_composite_dev *cdev = f->config->cdev;
617 	struct usb_request	*req = cdev->req;
618 	int			value = -EOPNOTSUPP;
619 	u16			w_index = le16_to_cpu(ctrl->wIndex);
620 	u16			w_value = le16_to_cpu(ctrl->wValue);
621 	u16			w_length = le16_to_cpu(ctrl->wLength);
622 
623 	/*
624 	 * composite driver infrastructure handles everything except
625 	 * CDC class messages; interface activation uses set_alt().
626 	 */
627 	switch ((ctrl->bRequestType << 8) | ctrl->bRequest) {
628 	case ((USB_DIR_OUT | USB_TYPE_CLASS | USB_RECIP_INTERFACE) << 8)
629 			| USB_CDC_SET_ETHERNET_PACKET_FILTER:
630 		/*
631 		 * see 6.2.30: no data, wIndex = interface,
632 		 * wValue = packet filter bitmap
633 		 */
634 		if (w_length != 0 || w_index != ncm->ctrl_id)
635 			goto invalid;
636 		DBG(cdev, "packet filter %02x\n", w_value);
637 		/*
638 		 * REVISIT locking of cdc_filter.  This assumes the UDC
639 		 * driver won't have a concurrent packet TX irq running on
640 		 * another CPU; or that if it does, this write is atomic...
641 		 */
642 		ncm->port.cdc_filter = w_value;
643 		value = 0;
644 		break;
645 	/*
646 	 * and optionally:
647 	 * case USB_CDC_SEND_ENCAPSULATED_COMMAND:
648 	 * case USB_CDC_GET_ENCAPSULATED_RESPONSE:
649 	 * case USB_CDC_SET_ETHERNET_MULTICAST_FILTERS:
650 	 * case USB_CDC_SET_ETHERNET_PM_PATTERN_FILTER:
651 	 * case USB_CDC_GET_ETHERNET_PM_PATTERN_FILTER:
652 	 * case USB_CDC_GET_ETHERNET_STATISTIC:
653 	 */
654 
655 	case ((USB_DIR_IN | USB_TYPE_CLASS | USB_RECIP_INTERFACE) << 8)
656 		| USB_CDC_GET_NTB_PARAMETERS:
657 
658 		if (w_length == 0 || w_value != 0 || w_index != ncm->ctrl_id)
659 			goto invalid;
660 		value = w_length > sizeof ntb_parameters ?
661 			sizeof ntb_parameters : w_length;
662 		memcpy(req->buf, &ntb_parameters, value);
663 		VDBG(cdev, "Host asked NTB parameters\n");
664 		break;
665 
666 	case ((USB_DIR_IN | USB_TYPE_CLASS | USB_RECIP_INTERFACE) << 8)
667 		| USB_CDC_GET_NTB_INPUT_SIZE:
668 
669 		if (w_length < 4 || w_value != 0 || w_index != ncm->ctrl_id)
670 			goto invalid;
671 		put_unaligned_le32(ncm->port.fixed_in_len, req->buf);
672 		value = 4;
673 		VDBG(cdev, "Host asked INPUT SIZE, sending %d\n",
674 		     ncm->port.fixed_in_len);
675 		break;
676 
677 	case ((USB_DIR_OUT | USB_TYPE_CLASS | USB_RECIP_INTERFACE) << 8)
678 		| USB_CDC_SET_NTB_INPUT_SIZE:
679 	{
680 		if (w_length != 4 || w_value != 0 || w_index != ncm->ctrl_id)
681 			goto invalid;
682 		req->complete = ncm_ep0out_complete;
683 		req->length = w_length;
684 		req->context = f;
685 
686 		value = req->length;
687 		break;
688 	}
689 
690 	case ((USB_DIR_IN | USB_TYPE_CLASS | USB_RECIP_INTERFACE) << 8)
691 		| USB_CDC_GET_NTB_FORMAT:
692 	{
693 		uint16_t format;
694 
695 		if (w_length < 2 || w_value != 0 || w_index != ncm->ctrl_id)
696 			goto invalid;
697 		format = (ncm->parser_opts == &ndp16_opts) ? 0x0000 : 0x0001;
698 		put_unaligned_le16(format, req->buf);
699 		value = 2;
700 		VDBG(cdev, "Host asked NTB FORMAT, sending %d\n", format);
701 		break;
702 	}
703 
704 	case ((USB_DIR_OUT | USB_TYPE_CLASS | USB_RECIP_INTERFACE) << 8)
705 		| USB_CDC_SET_NTB_FORMAT:
706 	{
707 		if (w_length != 0 || w_index != ncm->ctrl_id)
708 			goto invalid;
709 		switch (w_value) {
710 		case 0x0000:
711 			ncm->parser_opts = &ndp16_opts;
712 			DBG(cdev, "NCM16 selected\n");
713 			break;
714 		case 0x0001:
715 			ncm->parser_opts = &ndp32_opts;
716 			DBG(cdev, "NCM32 selected\n");
717 			break;
718 		default:
719 			goto invalid;
720 		}
721 		value = 0;
722 		break;
723 	}
724 	case ((USB_DIR_IN | USB_TYPE_CLASS | USB_RECIP_INTERFACE) << 8)
725 		| USB_CDC_GET_CRC_MODE:
726 	{
727 		uint16_t is_crc;
728 
729 		if (w_length < 2 || w_value != 0 || w_index != ncm->ctrl_id)
730 			goto invalid;
731 		is_crc = ncm->is_crc ? 0x0001 : 0x0000;
732 		put_unaligned_le16(is_crc, req->buf);
733 		value = 2;
734 		VDBG(cdev, "Host asked CRC MODE, sending %d\n", is_crc);
735 		break;
736 	}
737 
738 	case ((USB_DIR_OUT | USB_TYPE_CLASS | USB_RECIP_INTERFACE) << 8)
739 		| USB_CDC_SET_CRC_MODE:
740 	{
741 		int ndp_hdr_crc = 0;
742 
743 		if (w_length != 0 || w_index != ncm->ctrl_id)
744 			goto invalid;
745 		switch (w_value) {
746 		case 0x0000:
747 			ncm->is_crc = false;
748 			ndp_hdr_crc = NCM_NDP_HDR_NOCRC;
749 			DBG(cdev, "non-CRC mode selected\n");
750 			break;
751 		case 0x0001:
752 			ncm->is_crc = true;
753 			ndp_hdr_crc = NCM_NDP_HDR_CRC;
754 			DBG(cdev, "CRC mode selected\n");
755 			break;
756 		default:
757 			goto invalid;
758 		}
759 		ncm->ndp_sign = ncm->parser_opts->ndp_sign | ndp_hdr_crc;
760 		value = 0;
761 		break;
762 	}
763 
764 	/* and disabled in ncm descriptor: */
765 	/* case USB_CDC_GET_NET_ADDRESS: */
766 	/* case USB_CDC_SET_NET_ADDRESS: */
767 	/* case USB_CDC_GET_MAX_DATAGRAM_SIZE: */
768 	/* case USB_CDC_SET_MAX_DATAGRAM_SIZE: */
769 
770 	default:
771 invalid:
772 		DBG(cdev, "invalid control req%02x.%02x v%04x i%04x l%d\n",
773 			ctrl->bRequestType, ctrl->bRequest,
774 			w_value, w_index, w_length);
775 	}
776 
777 	/* respond with data transfer or status phase? */
778 	if (value >= 0) {
779 		DBG(cdev, "ncm req%02x.%02x v%04x i%04x l%d\n",
780 			ctrl->bRequestType, ctrl->bRequest,
781 			w_value, w_index, w_length);
782 		req->zero = 0;
783 		req->length = value;
784 		value = usb_ep_queue(cdev->gadget->ep0, req, GFP_ATOMIC);
785 		if (value < 0)
786 			ERROR(cdev, "ncm req %02x.%02x response err %d\n",
787 					ctrl->bRequestType, ctrl->bRequest,
788 					value);
789 	}
790 
791 	/* device either stalls (value < 0) or reports success */
792 	return value;
793 }
794 
795 
796 static int ncm_set_alt(struct usb_function *f, unsigned intf, unsigned alt)
797 {
798 	struct f_ncm		*ncm = func_to_ncm(f);
799 	struct usb_composite_dev *cdev = f->config->cdev;
800 
801 	/* Control interface has only altsetting 0 */
802 	if (intf == ncm->ctrl_id) {
803 		if (alt != 0)
804 			goto fail;
805 
806 		if (ncm->notify->driver_data) {
807 			DBG(cdev, "reset ncm control %d\n", intf);
808 			usb_ep_disable(ncm->notify);
809 		}
810 
811 		if (!(ncm->notify->desc)) {
812 			DBG(cdev, "init ncm ctrl %d\n", intf);
813 			if (config_ep_by_speed(cdev->gadget, f, ncm->notify))
814 				goto fail;
815 		}
816 		usb_ep_enable(ncm->notify);
817 		ncm->notify->driver_data = ncm;
818 
819 	/* Data interface has two altsettings, 0 and 1 */
820 	} else if (intf == ncm->data_id) {
821 		if (alt > 1)
822 			goto fail;
823 
824 		if (ncm->port.in_ep->driver_data) {
825 			DBG(cdev, "reset ncm\n");
826 			ncm->timer_stopping = true;
827 			ncm->netdev = NULL;
828 			gether_disconnect(&ncm->port);
829 			ncm_reset_values(ncm);
830 		}
831 
832 		/*
833 		 * CDC Network only sends data in non-default altsettings.
834 		 * Changing altsettings resets filters, statistics, etc.
835 		 */
836 		if (alt == 1) {
837 			struct net_device	*net;
838 
839 			if (!ncm->port.in_ep->desc ||
840 			    !ncm->port.out_ep->desc) {
841 				DBG(cdev, "init ncm\n");
842 				if (config_ep_by_speed(cdev->gadget, f,
843 						       ncm->port.in_ep) ||
844 				    config_ep_by_speed(cdev->gadget, f,
845 						       ncm->port.out_ep)) {
846 					ncm->port.in_ep->desc = NULL;
847 					ncm->port.out_ep->desc = NULL;
848 					goto fail;
849 				}
850 			}
851 
852 			/* TODO */
853 			/* Enable zlps by default for NCM conformance;
854 			 * override for musb_hdrc (avoids txdma ovhead)
855 			 */
856 			ncm->port.is_zlp_ok = !(
857 				gadget_is_musbhdrc(cdev->gadget)
858 				);
859 			ncm->port.cdc_filter = DEFAULT_FILTER;
860 			DBG(cdev, "activate ncm\n");
861 			net = gether_connect(&ncm->port);
862 			if (IS_ERR(net))
863 				return PTR_ERR(net);
864 			ncm->netdev = net;
865 			ncm->timer_stopping = false;
866 		}
867 
868 		spin_lock(&ncm->lock);
869 		ncm_notify(ncm);
870 		spin_unlock(&ncm->lock);
871 	} else
872 		goto fail;
873 
874 	return 0;
875 fail:
876 	return -EINVAL;
877 }
878 
879 /*
880  * Because the data interface supports multiple altsettings,
881  * this NCM function *MUST* implement a get_alt() method.
882  */
883 static int ncm_get_alt(struct usb_function *f, unsigned intf)
884 {
885 	struct f_ncm		*ncm = func_to_ncm(f);
886 
887 	if (intf == ncm->ctrl_id)
888 		return 0;
889 	return ncm->port.in_ep->driver_data ? 1 : 0;
890 }
891 
892 static struct sk_buff *package_for_tx(struct f_ncm *ncm)
893 {
894 	__le16		*ntb_iter;
895 	struct sk_buff	*skb2 = NULL;
896 	unsigned	ndp_pad;
897 	unsigned	ndp_index;
898 	unsigned	new_len;
899 
900 	const struct ndp_parser_opts *opts = ncm->parser_opts;
901 	const int ndp_align = le16_to_cpu(ntb_parameters.wNdpInAlignment);
902 	const int dgram_idx_len = 2 * 2 * opts->dgram_item_len;
903 
904 	/* Stop the timer */
905 	hrtimer_try_to_cancel(&ncm->task_timer);
906 
907 	ndp_pad = ALIGN(ncm->skb_tx_data->len, ndp_align) -
908 			ncm->skb_tx_data->len;
909 	ndp_index = ncm->skb_tx_data->len + ndp_pad;
910 	new_len = ndp_index + dgram_idx_len + ncm->skb_tx_ndp->len;
911 
912 	/* Set the final BlockLength and wNdpIndex */
913 	ntb_iter = (void *) ncm->skb_tx_data->data;
914 	/* Increment pointer to BlockLength */
915 	ntb_iter += 2 + 1 + 1;
916 	put_ncm(&ntb_iter, opts->block_length, new_len);
917 	put_ncm(&ntb_iter, opts->ndp_index, ndp_index);
918 
919 	/* Set the final NDP wLength */
920 	new_len = opts->ndp_size +
921 			(ncm->ndp_dgram_count * dgram_idx_len);
922 	ncm->ndp_dgram_count = 0;
923 	/* Increment from start to wLength */
924 	ntb_iter = (void *) ncm->skb_tx_ndp->data;
925 	ntb_iter += 2;
926 	put_unaligned_le16(new_len, ntb_iter);
927 
928 	/* Merge the skbs */
929 	swap(skb2, ncm->skb_tx_data);
930 	if (ncm->skb_tx_data) {
931 		dev_kfree_skb_any(ncm->skb_tx_data);
932 		ncm->skb_tx_data = NULL;
933 	}
934 
935 	/* Insert NDP alignment. */
936 	ntb_iter = (void *) skb_put(skb2, ndp_pad);
937 	memset(ntb_iter, 0, ndp_pad);
938 
939 	/* Copy NTB across. */
940 	ntb_iter = (void *) skb_put(skb2, ncm->skb_tx_ndp->len);
941 	memcpy(ntb_iter, ncm->skb_tx_ndp->data, ncm->skb_tx_ndp->len);
942 	dev_kfree_skb_any(ncm->skb_tx_ndp);
943 	ncm->skb_tx_ndp = NULL;
944 
945 	/* Insert zero'd datagram. */
946 	ntb_iter = (void *) skb_put(skb2, dgram_idx_len);
947 	memset(ntb_iter, 0, dgram_idx_len);
948 
949 	return skb2;
950 }
951 
952 static struct sk_buff *ncm_wrap_ntb(struct gether *port,
953 				    struct sk_buff *skb)
954 {
955 	struct f_ncm	*ncm = func_to_ncm(&port->func);
956 	struct sk_buff	*skb2 = NULL;
957 	int		ncb_len = 0;
958 	__le16		*ntb_data;
959 	__le16		*ntb_ndp;
960 	int		dgram_pad;
961 
962 	unsigned	max_size = ncm->port.fixed_in_len;
963 	const struct ndp_parser_opts *opts = ncm->parser_opts;
964 	const int ndp_align = le16_to_cpu(ntb_parameters.wNdpInAlignment);
965 	const int div = le16_to_cpu(ntb_parameters.wNdpInDivisor);
966 	const int rem = le16_to_cpu(ntb_parameters.wNdpInPayloadRemainder);
967 	const int dgram_idx_len = 2 * 2 * opts->dgram_item_len;
968 
969 	if (!skb && !ncm->skb_tx_data)
970 		return NULL;
971 
972 	if (skb) {
973 		/* Add the CRC if required up front */
974 		if (ncm->is_crc) {
975 			uint32_t	crc;
976 			__le16		*crc_pos;
977 
978 			crc = ~crc32_le(~0,
979 					skb->data,
980 					skb->len);
981 			crc_pos = (void *) skb_put(skb, sizeof(uint32_t));
982 			put_unaligned_le32(crc, crc_pos);
983 		}
984 
985 		/* If the new skb is too big for the current NCM NTB then
986 		 * set the current stored skb to be sent now and clear it
987 		 * ready for new data.
988 		 * NOTE: Assume maximum align for speed of calculation.
989 		 */
990 		if (ncm->skb_tx_data
991 		    && (ncm->ndp_dgram_count >= TX_MAX_NUM_DPE
992 		    || (ncm->skb_tx_data->len +
993 		    div + rem + skb->len +
994 		    ncm->skb_tx_ndp->len + ndp_align + (2 * dgram_idx_len))
995 		    > max_size)) {
996 			skb2 = package_for_tx(ncm);
997 			if (!skb2)
998 				goto err;
999 		}
1000 
1001 		if (!ncm->skb_tx_data) {
1002 			ncb_len = opts->nth_size;
1003 			dgram_pad = ALIGN(ncb_len, div) + rem - ncb_len;
1004 			ncb_len += dgram_pad;
1005 
1006 			/* Create a new skb for the NTH and datagrams. */
1007 			ncm->skb_tx_data = alloc_skb(max_size, GFP_ATOMIC);
1008 			if (!ncm->skb_tx_data)
1009 				goto err;
1010 
1011 			ntb_data = (void *) skb_put(ncm->skb_tx_data, ncb_len);
1012 			memset(ntb_data, 0, ncb_len);
1013 			/* dwSignature */
1014 			put_unaligned_le32(opts->nth_sign, ntb_data);
1015 			ntb_data += 2;
1016 			/* wHeaderLength */
1017 			put_unaligned_le16(opts->nth_size, ntb_data++);
1018 
1019 			/* Allocate an skb for storing the NDP,
1020 			 * TX_MAX_NUM_DPE should easily suffice for a
1021 			 * 16k packet.
1022 			 */
1023 			ncm->skb_tx_ndp = alloc_skb((int)(opts->ndp_size
1024 						    + opts->dpe_size
1025 						    * TX_MAX_NUM_DPE),
1026 						    GFP_ATOMIC);
1027 			if (!ncm->skb_tx_ndp)
1028 				goto err;
1029 			ntb_ndp = (void *) skb_put(ncm->skb_tx_ndp,
1030 						    opts->ndp_size);
1031 			memset(ntb_ndp, 0, ncb_len);
1032 			/* dwSignature */
1033 			put_unaligned_le32(ncm->ndp_sign, ntb_ndp);
1034 			ntb_ndp += 2;
1035 
1036 			/* There is always a zeroed entry */
1037 			ncm->ndp_dgram_count = 1;
1038 
1039 			/* Note: we skip opts->next_ndp_index */
1040 		}
1041 
1042 		/* Delay the timer. */
1043 		hrtimer_start(&ncm->task_timer,
1044 			      ktime_set(0, TX_TIMEOUT_NSECS),
1045 			      HRTIMER_MODE_REL);
1046 
1047 		/* Add the datagram position entries */
1048 		ntb_ndp = (void *) skb_put(ncm->skb_tx_ndp, dgram_idx_len);
1049 		memset(ntb_ndp, 0, dgram_idx_len);
1050 
1051 		ncb_len = ncm->skb_tx_data->len;
1052 		dgram_pad = ALIGN(ncb_len, div) + rem - ncb_len;
1053 		ncb_len += dgram_pad;
1054 
1055 		/* (d)wDatagramIndex */
1056 		put_ncm(&ntb_ndp, opts->dgram_item_len, ncb_len);
1057 		/* (d)wDatagramLength */
1058 		put_ncm(&ntb_ndp, opts->dgram_item_len, skb->len);
1059 		ncm->ndp_dgram_count++;
1060 
1061 		/* Add the new data to the skb */
1062 		ntb_data = (void *) skb_put(ncm->skb_tx_data, dgram_pad);
1063 		memset(ntb_data, 0, dgram_pad);
1064 		ntb_data = (void *) skb_put(ncm->skb_tx_data, skb->len);
1065 		memcpy(ntb_data, skb->data, skb->len);
1066 		dev_kfree_skb_any(skb);
1067 		skb = NULL;
1068 
1069 	} else if (ncm->skb_tx_data && ncm->timer_force_tx) {
1070 		/* If the tx was requested because of a timeout then send */
1071 		skb2 = package_for_tx(ncm);
1072 		if (!skb2)
1073 			goto err;
1074 	}
1075 
1076 	return skb2;
1077 
1078 err:
1079 	ncm->netdev->stats.tx_dropped++;
1080 
1081 	if (skb)
1082 		dev_kfree_skb_any(skb);
1083 	if (ncm->skb_tx_data)
1084 		dev_kfree_skb_any(ncm->skb_tx_data);
1085 	if (ncm->skb_tx_ndp)
1086 		dev_kfree_skb_any(ncm->skb_tx_ndp);
1087 
1088 	return NULL;
1089 }
1090 
1091 /*
1092  * This transmits the NTB if there are frames waiting.
1093  */
1094 static void ncm_tx_tasklet(unsigned long data)
1095 {
1096 	struct f_ncm	*ncm = (void *)data;
1097 
1098 	if (ncm->timer_stopping)
1099 		return;
1100 
1101 	/* Only send if data is available. */
1102 	if (ncm->skb_tx_data) {
1103 		ncm->timer_force_tx = true;
1104 
1105 		/* XXX This allowance of a NULL skb argument to ndo_start_xmit
1106 		 * XXX is not sane.  The gadget layer should be redesigned so
1107 		 * XXX that the dev->wrap() invocations to build SKBs is transparent
1108 		 * XXX and performed in some way outside of the ndo_start_xmit
1109 		 * XXX interface.
1110 		 */
1111 		ncm->netdev->netdev_ops->ndo_start_xmit(NULL, ncm->netdev);
1112 
1113 		ncm->timer_force_tx = false;
1114 	}
1115 }
1116 
1117 /*
1118  * The transmit should only be run if no skb data has been sent
1119  * for a certain duration.
1120  */
1121 static enum hrtimer_restart ncm_tx_timeout(struct hrtimer *data)
1122 {
1123 	struct f_ncm *ncm = container_of(data, struct f_ncm, task_timer);
1124 	tasklet_schedule(&ncm->tx_tasklet);
1125 	return HRTIMER_NORESTART;
1126 }
1127 
1128 static int ncm_unwrap_ntb(struct gether *port,
1129 			  struct sk_buff *skb,
1130 			  struct sk_buff_head *list)
1131 {
1132 	struct f_ncm	*ncm = func_to_ncm(&port->func);
1133 	__le16		*tmp = (void *) skb->data;
1134 	unsigned	index, index2;
1135 	int		ndp_index;
1136 	unsigned	dg_len, dg_len2;
1137 	unsigned	ndp_len;
1138 	struct sk_buff	*skb2;
1139 	int		ret = -EINVAL;
1140 	unsigned	max_size = le32_to_cpu(ntb_parameters.dwNtbOutMaxSize);
1141 	const struct ndp_parser_opts *opts = ncm->parser_opts;
1142 	unsigned	crc_len = ncm->is_crc ? sizeof(uint32_t) : 0;
1143 	int		dgram_counter;
1144 
1145 	/* dwSignature */
1146 	if (get_unaligned_le32(tmp) != opts->nth_sign) {
1147 		INFO(port->func.config->cdev, "Wrong NTH SIGN, skblen %d\n",
1148 			skb->len);
1149 		print_hex_dump(KERN_INFO, "HEAD:", DUMP_PREFIX_ADDRESS, 32, 1,
1150 			       skb->data, 32, false);
1151 
1152 		goto err;
1153 	}
1154 	tmp += 2;
1155 	/* wHeaderLength */
1156 	if (get_unaligned_le16(tmp++) != opts->nth_size) {
1157 		INFO(port->func.config->cdev, "Wrong NTB headersize\n");
1158 		goto err;
1159 	}
1160 	tmp++; /* skip wSequence */
1161 
1162 	/* (d)wBlockLength */
1163 	if (get_ncm(&tmp, opts->block_length) > max_size) {
1164 		INFO(port->func.config->cdev, "OUT size exceeded\n");
1165 		goto err;
1166 	}
1167 
1168 	ndp_index = get_ncm(&tmp, opts->ndp_index);
1169 
1170 	/* Run through all the NDP's in the NTB */
1171 	do {
1172 		/* NCM 3.2 */
1173 		if (((ndp_index % 4) != 0) &&
1174 				(ndp_index < opts->nth_size)) {
1175 			INFO(port->func.config->cdev, "Bad index: %#X\n",
1176 			     ndp_index);
1177 			goto err;
1178 		}
1179 
1180 		/* walk through NDP */
1181 		tmp = (void *)(skb->data + ndp_index);
1182 		if (get_unaligned_le32(tmp) != ncm->ndp_sign) {
1183 			INFO(port->func.config->cdev, "Wrong NDP SIGN\n");
1184 			goto err;
1185 		}
1186 		tmp += 2;
1187 
1188 		ndp_len = get_unaligned_le16(tmp++);
1189 		/*
1190 		 * NCM 3.3.1
1191 		 * entry is 2 items
1192 		 * item size is 16/32 bits, opts->dgram_item_len * 2 bytes
1193 		 * minimal: struct usb_cdc_ncm_ndpX + normal entry + zero entry
1194 		 * Each entry is a dgram index and a dgram length.
1195 		 */
1196 		if ((ndp_len < opts->ndp_size
1197 				+ 2 * 2 * (opts->dgram_item_len * 2))
1198 				|| (ndp_len % opts->ndplen_align != 0)) {
1199 			INFO(port->func.config->cdev, "Bad NDP length: %#X\n",
1200 			     ndp_len);
1201 			goto err;
1202 		}
1203 		tmp += opts->reserved1;
1204 		/* Check for another NDP (d)wNextNdpIndex */
1205 		ndp_index = get_ncm(&tmp, opts->next_ndp_index);
1206 		tmp += opts->reserved2;
1207 
1208 		ndp_len -= opts->ndp_size;
1209 		index2 = get_ncm(&tmp, opts->dgram_item_len);
1210 		dg_len2 = get_ncm(&tmp, opts->dgram_item_len);
1211 		dgram_counter = 0;
1212 
1213 		do {
1214 			index = index2;
1215 			dg_len = dg_len2;
1216 			if (dg_len < 14 + crc_len) { /* ethernet hdr + crc */
1217 				INFO(port->func.config->cdev,
1218 				     "Bad dgram length: %#X\n", dg_len);
1219 				goto err;
1220 			}
1221 			if (ncm->is_crc) {
1222 				uint32_t crc, crc2;
1223 
1224 				crc = get_unaligned_le32(skb->data +
1225 							 index + dg_len -
1226 							 crc_len);
1227 				crc2 = ~crc32_le(~0,
1228 						 skb->data + index,
1229 						 dg_len - crc_len);
1230 				if (crc != crc2) {
1231 					INFO(port->func.config->cdev,
1232 					     "Bad CRC\n");
1233 					goto err;
1234 				}
1235 			}
1236 
1237 			index2 = get_ncm(&tmp, opts->dgram_item_len);
1238 			dg_len2 = get_ncm(&tmp, opts->dgram_item_len);
1239 
1240 			/*
1241 			 * Copy the data into a new skb.
1242 			 * This ensures the truesize is correct
1243 			 */
1244 			skb2 = netdev_alloc_skb_ip_align(ncm->netdev,
1245 							 dg_len - crc_len);
1246 			if (skb2 == NULL)
1247 				goto err;
1248 			memcpy(skb_put(skb2, dg_len - crc_len),
1249 			       skb->data + index, dg_len - crc_len);
1250 
1251 			skb_queue_tail(list, skb2);
1252 
1253 			ndp_len -= 2 * (opts->dgram_item_len * 2);
1254 
1255 			dgram_counter++;
1256 
1257 			if (index2 == 0 || dg_len2 == 0)
1258 				break;
1259 		} while (ndp_len > 2 * (opts->dgram_item_len * 2));
1260 	} while (ndp_index);
1261 
1262 	dev_kfree_skb_any(skb);
1263 
1264 	VDBG(port->func.config->cdev,
1265 	     "Parsed NTB with %d frames\n", dgram_counter);
1266 	return 0;
1267 err:
1268 	skb_queue_purge(list);
1269 	dev_kfree_skb_any(skb);
1270 	return ret;
1271 }
1272 
1273 static void ncm_disable(struct usb_function *f)
1274 {
1275 	struct f_ncm		*ncm = func_to_ncm(f);
1276 	struct usb_composite_dev *cdev = f->config->cdev;
1277 
1278 	DBG(cdev, "ncm deactivated\n");
1279 
1280 	if (ncm->port.in_ep->driver_data) {
1281 		ncm->timer_stopping = true;
1282 		ncm->netdev = NULL;
1283 		gether_disconnect(&ncm->port);
1284 	}
1285 
1286 	if (ncm->notify->driver_data) {
1287 		usb_ep_disable(ncm->notify);
1288 		ncm->notify->driver_data = NULL;
1289 		ncm->notify->desc = NULL;
1290 	}
1291 }
1292 
1293 /*-------------------------------------------------------------------------*/
1294 
1295 /*
1296  * Callbacks let us notify the host about connect/disconnect when the
1297  * net device is opened or closed.
1298  *
1299  * For testing, note that link states on this side include both opened
1300  * and closed variants of:
1301  *
1302  *   - disconnected/unconfigured
1303  *   - configured but inactive (data alt 0)
1304  *   - configured and active (data alt 1)
1305  *
1306  * Each needs to be tested with unplug, rmmod, SET_CONFIGURATION, and
1307  * SET_INTERFACE (altsetting).  Remember also that "configured" doesn't
1308  * imply the host is actually polling the notification endpoint, and
1309  * likewise that "active" doesn't imply it's actually using the data
1310  * endpoints for traffic.
1311  */
1312 
1313 static void ncm_open(struct gether *geth)
1314 {
1315 	struct f_ncm		*ncm = func_to_ncm(&geth->func);
1316 
1317 	DBG(ncm->port.func.config->cdev, "%s\n", __func__);
1318 
1319 	spin_lock(&ncm->lock);
1320 	ncm->is_open = true;
1321 	ncm_notify(ncm);
1322 	spin_unlock(&ncm->lock);
1323 }
1324 
1325 static void ncm_close(struct gether *geth)
1326 {
1327 	struct f_ncm		*ncm = func_to_ncm(&geth->func);
1328 
1329 	DBG(ncm->port.func.config->cdev, "%s\n", __func__);
1330 
1331 	spin_lock(&ncm->lock);
1332 	ncm->is_open = false;
1333 	ncm_notify(ncm);
1334 	spin_unlock(&ncm->lock);
1335 }
1336 
1337 /*-------------------------------------------------------------------------*/
1338 
1339 /* ethernet function driver setup/binding */
1340 
1341 static int ncm_bind(struct usb_configuration *c, struct usb_function *f)
1342 {
1343 	struct usb_composite_dev *cdev = c->cdev;
1344 	struct f_ncm		*ncm = func_to_ncm(f);
1345 	struct usb_string	*us;
1346 	int			status;
1347 	struct usb_ep		*ep;
1348 	struct f_ncm_opts	*ncm_opts;
1349 
1350 	if (!can_support_ecm(cdev->gadget))
1351 		return -EINVAL;
1352 
1353 	ncm_opts = container_of(f->fi, struct f_ncm_opts, func_inst);
1354 	/*
1355 	 * in drivers/usb/gadget/configfs.c:configfs_composite_bind()
1356 	 * configurations are bound in sequence with list_for_each_entry,
1357 	 * in each configuration its functions are bound in sequence
1358 	 * with list_for_each_entry, so we assume no race condition
1359 	 * with regard to ncm_opts->bound access
1360 	 */
1361 	if (!ncm_opts->bound) {
1362 		mutex_lock(&ncm_opts->lock);
1363 		gether_set_gadget(ncm_opts->net, cdev->gadget);
1364 		status = gether_register_netdev(ncm_opts->net);
1365 		mutex_unlock(&ncm_opts->lock);
1366 		if (status)
1367 			return status;
1368 		ncm_opts->bound = true;
1369 	}
1370 	us = usb_gstrings_attach(cdev, ncm_strings,
1371 				 ARRAY_SIZE(ncm_string_defs));
1372 	if (IS_ERR(us))
1373 		return PTR_ERR(us);
1374 	ncm_control_intf.iInterface = us[STRING_CTRL_IDX].id;
1375 	ncm_data_nop_intf.iInterface = us[STRING_DATA_IDX].id;
1376 	ncm_data_intf.iInterface = us[STRING_DATA_IDX].id;
1377 	ecm_desc.iMACAddress = us[STRING_MAC_IDX].id;
1378 	ncm_iad_desc.iFunction = us[STRING_IAD_IDX].id;
1379 
1380 	/* allocate instance-specific interface IDs */
1381 	status = usb_interface_id(c, f);
1382 	if (status < 0)
1383 		goto fail;
1384 	ncm->ctrl_id = status;
1385 	ncm_iad_desc.bFirstInterface = status;
1386 
1387 	ncm_control_intf.bInterfaceNumber = status;
1388 	ncm_union_desc.bMasterInterface0 = status;
1389 
1390 	status = usb_interface_id(c, f);
1391 	if (status < 0)
1392 		goto fail;
1393 	ncm->data_id = status;
1394 
1395 	ncm_data_nop_intf.bInterfaceNumber = status;
1396 	ncm_data_intf.bInterfaceNumber = status;
1397 	ncm_union_desc.bSlaveInterface0 = status;
1398 
1399 	status = -ENODEV;
1400 
1401 	/* allocate instance-specific endpoints */
1402 	ep = usb_ep_autoconfig(cdev->gadget, &fs_ncm_in_desc);
1403 	if (!ep)
1404 		goto fail;
1405 	ncm->port.in_ep = ep;
1406 	ep->driver_data = cdev;	/* claim */
1407 
1408 	ep = usb_ep_autoconfig(cdev->gadget, &fs_ncm_out_desc);
1409 	if (!ep)
1410 		goto fail;
1411 	ncm->port.out_ep = ep;
1412 	ep->driver_data = cdev;	/* claim */
1413 
1414 	ep = usb_ep_autoconfig(cdev->gadget, &fs_ncm_notify_desc);
1415 	if (!ep)
1416 		goto fail;
1417 	ncm->notify = ep;
1418 	ep->driver_data = cdev;	/* claim */
1419 
1420 	status = -ENOMEM;
1421 
1422 	/* allocate notification request and buffer */
1423 	ncm->notify_req = usb_ep_alloc_request(ep, GFP_KERNEL);
1424 	if (!ncm->notify_req)
1425 		goto fail;
1426 	ncm->notify_req->buf = kmalloc(NCM_STATUS_BYTECOUNT, GFP_KERNEL);
1427 	if (!ncm->notify_req->buf)
1428 		goto fail;
1429 	ncm->notify_req->context = ncm;
1430 	ncm->notify_req->complete = ncm_notify_complete;
1431 
1432 	/*
1433 	 * support all relevant hardware speeds... we expect that when
1434 	 * hardware is dual speed, all bulk-capable endpoints work at
1435 	 * both speeds
1436 	 */
1437 	hs_ncm_in_desc.bEndpointAddress = fs_ncm_in_desc.bEndpointAddress;
1438 	hs_ncm_out_desc.bEndpointAddress = fs_ncm_out_desc.bEndpointAddress;
1439 	hs_ncm_notify_desc.bEndpointAddress =
1440 		fs_ncm_notify_desc.bEndpointAddress;
1441 
1442 	status = usb_assign_descriptors(f, ncm_fs_function, ncm_hs_function,
1443 			NULL);
1444 	if (status)
1445 		goto fail;
1446 
1447 	/*
1448 	 * NOTE:  all that is done without knowing or caring about
1449 	 * the network link ... which is unavailable to this code
1450 	 * until we're activated via set_alt().
1451 	 */
1452 
1453 	ncm->port.open = ncm_open;
1454 	ncm->port.close = ncm_close;
1455 
1456 	tasklet_init(&ncm->tx_tasklet, ncm_tx_tasklet, (unsigned long) ncm);
1457 	hrtimer_init(&ncm->task_timer, CLOCK_MONOTONIC, HRTIMER_MODE_REL);
1458 	ncm->task_timer.function = ncm_tx_timeout;
1459 
1460 	DBG(cdev, "CDC Network: %s speed IN/%s OUT/%s NOTIFY/%s\n",
1461 			gadget_is_dualspeed(c->cdev->gadget) ? "dual" : "full",
1462 			ncm->port.in_ep->name, ncm->port.out_ep->name,
1463 			ncm->notify->name);
1464 	return 0;
1465 
1466 fail:
1467 	if (ncm->notify_req) {
1468 		kfree(ncm->notify_req->buf);
1469 		usb_ep_free_request(ncm->notify, ncm->notify_req);
1470 	}
1471 
1472 	/* we might as well release our claims on endpoints */
1473 	if (ncm->notify)
1474 		ncm->notify->driver_data = NULL;
1475 	if (ncm->port.out_ep)
1476 		ncm->port.out_ep->driver_data = NULL;
1477 	if (ncm->port.in_ep)
1478 		ncm->port.in_ep->driver_data = NULL;
1479 
1480 	ERROR(cdev, "%s: can't bind, err %d\n", f->name, status);
1481 
1482 	return status;
1483 }
1484 
1485 static inline struct f_ncm_opts *to_f_ncm_opts(struct config_item *item)
1486 {
1487 	return container_of(to_config_group(item), struct f_ncm_opts,
1488 			    func_inst.group);
1489 }
1490 
1491 /* f_ncm_item_ops */
1492 USB_ETHERNET_CONFIGFS_ITEM(ncm);
1493 
1494 /* f_ncm_opts_dev_addr */
1495 USB_ETHERNET_CONFIGFS_ITEM_ATTR_DEV_ADDR(ncm);
1496 
1497 /* f_ncm_opts_host_addr */
1498 USB_ETHERNET_CONFIGFS_ITEM_ATTR_HOST_ADDR(ncm);
1499 
1500 /* f_ncm_opts_qmult */
1501 USB_ETHERNET_CONFIGFS_ITEM_ATTR_QMULT(ncm);
1502 
1503 /* f_ncm_opts_ifname */
1504 USB_ETHERNET_CONFIGFS_ITEM_ATTR_IFNAME(ncm);
1505 
1506 static struct configfs_attribute *ncm_attrs[] = {
1507 	&f_ncm_opts_dev_addr.attr,
1508 	&f_ncm_opts_host_addr.attr,
1509 	&f_ncm_opts_qmult.attr,
1510 	&f_ncm_opts_ifname.attr,
1511 	NULL,
1512 };
1513 
1514 static struct config_item_type ncm_func_type = {
1515 	.ct_item_ops	= &ncm_item_ops,
1516 	.ct_attrs	= ncm_attrs,
1517 	.ct_owner	= THIS_MODULE,
1518 };
1519 
1520 static void ncm_free_inst(struct usb_function_instance *f)
1521 {
1522 	struct f_ncm_opts *opts;
1523 
1524 	opts = container_of(f, struct f_ncm_opts, func_inst);
1525 	if (opts->bound)
1526 		gether_cleanup(netdev_priv(opts->net));
1527 	else
1528 		free_netdev(opts->net);
1529 	kfree(opts);
1530 }
1531 
1532 static struct usb_function_instance *ncm_alloc_inst(void)
1533 {
1534 	struct f_ncm_opts *opts;
1535 
1536 	opts = kzalloc(sizeof(*opts), GFP_KERNEL);
1537 	if (!opts)
1538 		return ERR_PTR(-ENOMEM);
1539 	mutex_init(&opts->lock);
1540 	opts->func_inst.free_func_inst = ncm_free_inst;
1541 	opts->net = gether_setup_default();
1542 	if (IS_ERR(opts->net)) {
1543 		struct net_device *net = opts->net;
1544 		kfree(opts);
1545 		return ERR_CAST(net);
1546 	}
1547 
1548 	config_group_init_type_name(&opts->func_inst.group, "", &ncm_func_type);
1549 
1550 	return &opts->func_inst;
1551 }
1552 
1553 static void ncm_free(struct usb_function *f)
1554 {
1555 	struct f_ncm *ncm;
1556 	struct f_ncm_opts *opts;
1557 
1558 	ncm = func_to_ncm(f);
1559 	opts = container_of(f->fi, struct f_ncm_opts, func_inst);
1560 	kfree(ncm);
1561 	mutex_lock(&opts->lock);
1562 	opts->refcnt--;
1563 	mutex_unlock(&opts->lock);
1564 }
1565 
1566 static void ncm_unbind(struct usb_configuration *c, struct usb_function *f)
1567 {
1568 	struct f_ncm *ncm = func_to_ncm(f);
1569 
1570 	DBG(c->cdev, "ncm unbind\n");
1571 
1572 	hrtimer_cancel(&ncm->task_timer);
1573 	tasklet_kill(&ncm->tx_tasklet);
1574 
1575 	ncm_string_defs[0].id = 0;
1576 	usb_free_all_descriptors(f);
1577 
1578 	kfree(ncm->notify_req->buf);
1579 	usb_ep_free_request(ncm->notify, ncm->notify_req);
1580 }
1581 
1582 static struct usb_function *ncm_alloc(struct usb_function_instance *fi)
1583 {
1584 	struct f_ncm		*ncm;
1585 	struct f_ncm_opts	*opts;
1586 	int status;
1587 
1588 	/* allocate and initialize one new instance */
1589 	ncm = kzalloc(sizeof(*ncm), GFP_KERNEL);
1590 	if (!ncm)
1591 		return ERR_PTR(-ENOMEM);
1592 
1593 	opts = container_of(fi, struct f_ncm_opts, func_inst);
1594 	mutex_lock(&opts->lock);
1595 	opts->refcnt++;
1596 
1597 	/* export host's Ethernet address in CDC format */
1598 	status = gether_get_host_addr_cdc(opts->net, ncm->ethaddr,
1599 				      sizeof(ncm->ethaddr));
1600 	if (status < 12) { /* strlen("01234567890a") */
1601 		kfree(ncm);
1602 		mutex_unlock(&opts->lock);
1603 		return ERR_PTR(-EINVAL);
1604 	}
1605 	ncm_string_defs[STRING_MAC_IDX].s = ncm->ethaddr;
1606 
1607 	spin_lock_init(&ncm->lock);
1608 	ncm_reset_values(ncm);
1609 	ncm->port.ioport = netdev_priv(opts->net);
1610 	mutex_unlock(&opts->lock);
1611 	ncm->port.is_fixed = true;
1612 	ncm->port.supports_multi_frame = true;
1613 
1614 	ncm->port.func.name = "cdc_network";
1615 	/* descriptors are per-instance copies */
1616 	ncm->port.func.bind = ncm_bind;
1617 	ncm->port.func.unbind = ncm_unbind;
1618 	ncm->port.func.set_alt = ncm_set_alt;
1619 	ncm->port.func.get_alt = ncm_get_alt;
1620 	ncm->port.func.setup = ncm_setup;
1621 	ncm->port.func.disable = ncm_disable;
1622 	ncm->port.func.free_func = ncm_free;
1623 
1624 	ncm->port.wrap = ncm_wrap_ntb;
1625 	ncm->port.unwrap = ncm_unwrap_ntb;
1626 
1627 	return &ncm->port.func;
1628 }
1629 
1630 DECLARE_USB_FUNCTION_INIT(ncm, ncm_alloc_inst, ncm_alloc);
1631 MODULE_LICENSE("GPL");
1632 MODULE_AUTHOR("Yauheni Kaliuta");
1633