mirror of
https://mirrors.bfsu.edu.cn/git/linux.git
synced 2025-01-19 04:14:49 +08:00
45611c61dd
The bug is not easily reproducable, as it may occur very infrequently (we had machines with 20minutes heavy downloading before it occurred) However, on a virual machine (VMWare on Windows 10 host) it occurred pretty frequently (1-2 seconds after a speedtest was started) dev->tx_skb mab be freed via dev_kfree_skb_irq on a callback before it is set. This causes the following problems: - double free of the skb or potential memory leak - in dmesg: 'recvmsg bug' and 'recvmsg bug 2' and eventually general protection fault Example dmesg output: [ 134.841986] ------------[ cut here ]------------ [ 134.841987] recvmsg bug: copied 9C24A555 seq 9C24B557 rcvnxt 9C25A6B3 fl 0 [ 134.841993] WARNING: CPU: 7 PID: 2629 at /build/linux-hwe-On9fm7/linux-hwe-4.15.0/net/ipv4/tcp.c:1865 tcp_recvmsg+0x44d/0xab0 [ 134.841994] Modules linked in: ipheth(OE) kvm_intel kvm irqbypass crct10dif_pclmul crc32_pclmul ghash_clmulni_intel pcbc aesni_intel aes_x86_64 crypto_simd glue_helper cryptd vmw_balloon intel_rapl_perf joydev input_leds serio_raw vmw_vsock_vmci_transport vsock shpchp i2c_piix4 mac_hid binfmt_misc vmw_vmci parport_pc ppdev lp parport autofs4 vmw_pvscsi vmxnet3 hid_generic usbhid hid vmwgfx ttm drm_kms_helper syscopyarea sysfillrect mptspi mptscsih sysimgblt ahci psmouse fb_sys_fops pata_acpi mptbase libahci e1000 drm scsi_transport_spi [ 134.842046] CPU: 7 PID: 2629 Comm: python Tainted: G W OE 4.15.0-34-generic #37~16.04.1-Ubuntu [ 134.842046] Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 05/19/2017 [ 134.842048] RIP: 0010:tcp_recvmsg+0x44d/0xab0 [ 134.842048] RSP: 0018:ffffa6630422bcc8 EFLAGS: 00010286 [ 134.842049] RAX: 0000000000000000 RBX: ffff997616f4f200 RCX: 0000000000000006 [ 134.842049] RDX: 0000000000000007 RSI: 0000000000000082 RDI: ffff9976257d6490 [ 134.842050] RBP: ffffa6630422bd98 R08: 0000000000000001 R09: 000000000004bba4 [ 134.842050] R10: 0000000001e00c6f R11: 000000000004bba4 R12: ffff99760dee3000 [ 134.842051] R13: 0000000000000000 R14: ffff99760dee3514 R15: 0000000000000000 [ 134.842051] FS: 00007fe332347700(0000) GS:ffff9976257c0000(0000) knlGS:0000000000000000 [ 134.842052] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 134.842053] CR2: 0000000001e41000 CR3: 000000020e9b4006 CR4: 00000000003606e0 [ 134.842055] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 134.842055] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [ 134.842057] Call Trace: [ 134.842060] ? aa_sk_perm+0x53/0x1a0 [ 134.842064] inet_recvmsg+0x51/0xc0 [ 134.842066] sock_recvmsg+0x43/0x50 [ 134.842070] SYSC_recvfrom+0xe4/0x160 [ 134.842072] ? __schedule+0x3de/0x8b0 [ 134.842075] ? ktime_get_ts64+0x4c/0xf0 [ 134.842079] SyS_recvfrom+0xe/0x10 [ 134.842082] do_syscall_64+0x73/0x130 [ 134.842086] entry_SYSCALL_64_after_hwframe+0x3d/0xa2 [ 134.842086] RIP: 0033:0x7fe331f5a81d [ 134.842088] RSP: 002b:00007ffe8da98398 EFLAGS: 00000246 ORIG_RAX: 000000000000002d [ 134.842090] RAX: ffffffffffffffda RBX: ffffffffffffffff RCX: 00007fe331f5a81d [ 134.842094] RDX: 00000000000003fb RSI: 0000000001e00874 RDI: 0000000000000003 [ 134.842095] RBP: 00007fe32f642c70 R08: 0000000000000000 R09: 0000000000000000 [ 134.842097] R10: 0000000000000000 R11: 0000000000000246 R12: 00007fe332347698 [ 134.842099] R13: 0000000001b7e0a0 R14: 0000000001e00874 R15: 0000000000000000 [ 134.842103] Code: 24 fd ff ff e9 cc fe ff ff 48 89 d8 41 8b 8c 24 10 05 00 00 44 8b 45 80 48 c7 c7 08 bd 59 8b 48 89 85 68 ff ff ff e8 b3 c4 7d ff <0f> 0b 48 8b 85 68 ff ff ff e9 e9 fe ff ff 41 8b 8c 24 10 05 00 [ 134.842126] ---[ end trace b7138fc08c83147f ]--- [ 134.842144] general protection fault: 0000 [#1] SMP PTI [ 134.842145] Modules linked in: ipheth(OE) kvm_intel kvm irqbypass crct10dif_pclmul crc32_pclmul ghash_clmulni_intel pcbc aesni_intel aes_x86_64 crypto_simd glue_helper cryptd vmw_balloon intel_rapl_perf joydev input_leds serio_raw vmw_vsock_vmci_transport vsock shpchp i2c_piix4 mac_hid binfmt_misc vmw_vmci parport_pc ppdev lp parport autofs4 vmw_pvscsi vmxnet3 hid_generic usbhid hid vmwgfx ttm drm_kms_helper syscopyarea sysfillrect mptspi mptscsih sysimgblt ahci psmouse fb_sys_fops pata_acpi mptbase libahci e1000 drm scsi_transport_spi [ 134.842161] CPU: 7 PID: 2629 Comm: python Tainted: G W OE 4.15.0-34-generic #37~16.04.1-Ubuntu [ 134.842162] Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 05/19/2017 [ 134.842164] RIP: 0010:tcp_close+0x2c6/0x440 [ 134.842165] RSP: 0018:ffffa6630422bde8 EFLAGS: 00010202 [ 134.842167] RAX: 0000000000000000 RBX: ffff99760dee3000 RCX: 0000000180400034 [ 134.842168] RDX: 5c4afd407207a6c4 RSI: ffffe868495bd300 RDI: ffff997616f4f200 [ 134.842169] RBP: ffffa6630422be08 R08: 0000000016f4d401 R09: 0000000180400034 [ 134.842169] R10: ffffa6630422bd98 R11: 0000000000000000 R12: 000000000000600c [ 134.842170] R13: 0000000000000000 R14: ffff99760dee30c8 R15: ffff9975bd44fe00 [ 134.842171] FS: 00007fe332347700(0000) GS:ffff9976257c0000(0000) knlGS:0000000000000000 [ 134.842173] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 134.842174] CR2: 0000000001e41000 CR3: 000000020e9b4006 CR4: 00000000003606e0 [ 134.842177] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 134.842178] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [ 134.842179] Call Trace: [ 134.842181] inet_release+0x42/0x70 [ 134.842183] __sock_release+0x42/0xb0 [ 134.842184] sock_close+0x15/0x20 [ 134.842187] __fput+0xea/0x220 [ 134.842189] ____fput+0xe/0x10 [ 134.842191] task_work_run+0x8a/0xb0 [ 134.842193] exit_to_usermode_loop+0xc4/0xd0 [ 134.842195] do_syscall_64+0xf4/0x130 [ 134.842197] entry_SYSCALL_64_after_hwframe+0x3d/0xa2 [ 134.842197] RIP: 0033:0x7fe331f5a560 [ 134.842198] RSP: 002b:00007ffe8da982e8 EFLAGS: 00000246 ORIG_RAX: 0000000000000003 [ 134.842200] RAX: 0000000000000000 RBX: 00007fe32f642c70 RCX: 00007fe331f5a560 [ 134.842201] RDX: 00000000008f5320 RSI: 0000000001cd4b50 RDI: 0000000000000003 [ 134.842202] RBP: 00007fe32f6500f8 R08: 000000000000003c R09: 00000000009343c0 [ 134.842203] R10: 0000000000000000 R11: 0000000000000246 R12: 00007fe32f6500d0 [ 134.842204] R13: 00000000008f5320 R14: 00000000008f5320 R15: 0000000001cd4770 [ 134.842205] Code: c8 00 00 00 45 31 e4 49 39 fe 75 4d eb 50 83 ab d8 00 00 00 01 48 8b 17 48 8b 47 08 48 c7 07 00 00 00 00 48 c7 47 08 00 00 00 00 <48> 89 42 08 48 89 10 0f b6 57 34 8b 47 2c 2b 47 28 83 e2 01 80 [ 134.842226] RIP: tcp_close+0x2c6/0x440 RSP: ffffa6630422bde8 [ 134.842227] ---[ end trace b7138fc08c831480 ]--- The proposed patch eliminates a potential racing condition. Before, usb_submit_urb was called and _after_ that, the skb was attached (dev->tx_skb). So, on a callback it was possible, however unlikely that the skb was freed before it was set. That way (because dev->tx_skb was not set to NULL after it was freed), it could happen that a skb from a earlier transmission was freed a second time (and the skb we should have freed did not get freed at all) Now we free the skb directly in ipheth_tx(). It is not passed to the callback anymore, eliminating the posibility of a double free of the same skb. Depending on the retval of usb_submit_urb() we use dev_kfree_skb_any() respectively dev_consume_skb_any() to free the skb. Signed-off-by: Oliver Zweigle <Oliver.Zweigle@faro.com> Signed-off-by: Bernd Eckstein <3ernd.Eckstein@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
602 lines
16 KiB
C
602 lines
16 KiB
C
/*
|
|
* ipheth.c - Apple iPhone USB Ethernet driver
|
|
*
|
|
* Copyright (c) 2009 Diego Giagio <diego@giagio.com>
|
|
* All rights reserved.
|
|
*
|
|
* Redistribution and use in source and binary forms, with or without
|
|
* modification, are permitted provided that the following conditions
|
|
* are met:
|
|
* 1. Redistributions of source code must retain the above copyright
|
|
* notice, this list of conditions and the following disclaimer.
|
|
* 2. Redistributions in binary form must reproduce the above copyright
|
|
* notice, this list of conditions and the following disclaimer in the
|
|
* documentation and/or other materials provided with the distribution.
|
|
* 3. Neither the name of GIAGIO.COM nor the names of its contributors
|
|
* may be used to endorse or promote products derived from this software
|
|
* without specific prior written permission.
|
|
*
|
|
* Alternatively, provided that this notice is retained in full, this
|
|
* software may be distributed under the terms of the GNU General
|
|
* Public License ("GPL") version 2, in which case the provisions of the
|
|
* GPL apply INSTEAD OF those given above.
|
|
*
|
|
* The provided data structures and external interfaces from this code
|
|
* are not restricted to be used by modules with a GPL compatible license.
|
|
*
|
|
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
|
|
* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
|
|
* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
|
|
* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
|
|
* OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
|
|
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
|
|
* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
|
|
* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
|
|
* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
|
|
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
|
|
* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH
|
|
* DAMAGE.
|
|
*
|
|
*
|
|
* Attention: iPhone device must be paired, otherwise it won't respond to our
|
|
* driver. For more info: http://giagio.com/wiki/moin.cgi/iPhoneEthernetDriver
|
|
*
|
|
*/
|
|
|
|
#include <linux/kernel.h>
|
|
#include <linux/errno.h>
|
|
#include <linux/slab.h>
|
|
#include <linux/module.h>
|
|
#include <linux/netdevice.h>
|
|
#include <linux/etherdevice.h>
|
|
#include <linux/ethtool.h>
|
|
#include <linux/usb.h>
|
|
#include <linux/workqueue.h>
|
|
|
|
#define USB_VENDOR_APPLE 0x05ac
|
|
#define USB_PRODUCT_IPHONE 0x1290
|
|
#define USB_PRODUCT_IPHONE_3G 0x1292
|
|
#define USB_PRODUCT_IPHONE_3GS 0x1294
|
|
#define USB_PRODUCT_IPHONE_4 0x1297
|
|
#define USB_PRODUCT_IPAD 0x129a
|
|
#define USB_PRODUCT_IPAD_2 0x12a2
|
|
#define USB_PRODUCT_IPAD_3 0x12a6
|
|
#define USB_PRODUCT_IPAD_MINI 0x12ab
|
|
#define USB_PRODUCT_IPHONE_4_VZW 0x129c
|
|
#define USB_PRODUCT_IPHONE_4S 0x12a0
|
|
#define USB_PRODUCT_IPHONE_5 0x12a8
|
|
|
|
#define IPHETH_USBINTF_CLASS 255
|
|
#define IPHETH_USBINTF_SUBCLASS 253
|
|
#define IPHETH_USBINTF_PROTO 1
|
|
|
|
#define IPHETH_BUF_SIZE 1516
|
|
#define IPHETH_IP_ALIGN 2 /* padding at front of URB */
|
|
#define IPHETH_TX_TIMEOUT (5 * HZ)
|
|
|
|
#define IPHETH_INTFNUM 2
|
|
#define IPHETH_ALT_INTFNUM 1
|
|
|
|
#define IPHETH_CTRL_ENDP 0x00
|
|
#define IPHETH_CTRL_BUF_SIZE 0x40
|
|
#define IPHETH_CTRL_TIMEOUT (5 * HZ)
|
|
|
|
#define IPHETH_CMD_GET_MACADDR 0x00
|
|
#define IPHETH_CMD_CARRIER_CHECK 0x45
|
|
|
|
#define IPHETH_CARRIER_CHECK_TIMEOUT round_jiffies_relative(1 * HZ)
|
|
#define IPHETH_CARRIER_ON 0x04
|
|
|
|
static const struct usb_device_id ipheth_table[] = {
|
|
{ USB_DEVICE_AND_INTERFACE_INFO(
|
|
USB_VENDOR_APPLE, USB_PRODUCT_IPHONE,
|
|
IPHETH_USBINTF_CLASS, IPHETH_USBINTF_SUBCLASS,
|
|
IPHETH_USBINTF_PROTO) },
|
|
{ USB_DEVICE_AND_INTERFACE_INFO(
|
|
USB_VENDOR_APPLE, USB_PRODUCT_IPHONE_3G,
|
|
IPHETH_USBINTF_CLASS, IPHETH_USBINTF_SUBCLASS,
|
|
IPHETH_USBINTF_PROTO) },
|
|
{ USB_DEVICE_AND_INTERFACE_INFO(
|
|
USB_VENDOR_APPLE, USB_PRODUCT_IPHONE_3GS,
|
|
IPHETH_USBINTF_CLASS, IPHETH_USBINTF_SUBCLASS,
|
|
IPHETH_USBINTF_PROTO) },
|
|
{ USB_DEVICE_AND_INTERFACE_INFO(
|
|
USB_VENDOR_APPLE, USB_PRODUCT_IPHONE_4,
|
|
IPHETH_USBINTF_CLASS, IPHETH_USBINTF_SUBCLASS,
|
|
IPHETH_USBINTF_PROTO) },
|
|
{ USB_DEVICE_AND_INTERFACE_INFO(
|
|
USB_VENDOR_APPLE, USB_PRODUCT_IPAD,
|
|
IPHETH_USBINTF_CLASS, IPHETH_USBINTF_SUBCLASS,
|
|
IPHETH_USBINTF_PROTO) },
|
|
{ USB_DEVICE_AND_INTERFACE_INFO(
|
|
USB_VENDOR_APPLE, USB_PRODUCT_IPAD_2,
|
|
IPHETH_USBINTF_CLASS, IPHETH_USBINTF_SUBCLASS,
|
|
IPHETH_USBINTF_PROTO) },
|
|
{ USB_DEVICE_AND_INTERFACE_INFO(
|
|
USB_VENDOR_APPLE, USB_PRODUCT_IPAD_3,
|
|
IPHETH_USBINTF_CLASS, IPHETH_USBINTF_SUBCLASS,
|
|
IPHETH_USBINTF_PROTO) },
|
|
{ USB_DEVICE_AND_INTERFACE_INFO(
|
|
USB_VENDOR_APPLE, USB_PRODUCT_IPAD_MINI,
|
|
IPHETH_USBINTF_CLASS, IPHETH_USBINTF_SUBCLASS,
|
|
IPHETH_USBINTF_PROTO) },
|
|
{ USB_DEVICE_AND_INTERFACE_INFO(
|
|
USB_VENDOR_APPLE, USB_PRODUCT_IPHONE_4_VZW,
|
|
IPHETH_USBINTF_CLASS, IPHETH_USBINTF_SUBCLASS,
|
|
IPHETH_USBINTF_PROTO) },
|
|
{ USB_DEVICE_AND_INTERFACE_INFO(
|
|
USB_VENDOR_APPLE, USB_PRODUCT_IPHONE_4S,
|
|
IPHETH_USBINTF_CLASS, IPHETH_USBINTF_SUBCLASS,
|
|
IPHETH_USBINTF_PROTO) },
|
|
{ USB_DEVICE_AND_INTERFACE_INFO(
|
|
USB_VENDOR_APPLE, USB_PRODUCT_IPHONE_5,
|
|
IPHETH_USBINTF_CLASS, IPHETH_USBINTF_SUBCLASS,
|
|
IPHETH_USBINTF_PROTO) },
|
|
{ }
|
|
};
|
|
MODULE_DEVICE_TABLE(usb, ipheth_table);
|
|
|
|
struct ipheth_device {
|
|
struct usb_device *udev;
|
|
struct usb_interface *intf;
|
|
struct net_device *net;
|
|
struct urb *tx_urb;
|
|
struct urb *rx_urb;
|
|
unsigned char *tx_buf;
|
|
unsigned char *rx_buf;
|
|
unsigned char *ctrl_buf;
|
|
u8 bulk_in;
|
|
u8 bulk_out;
|
|
struct delayed_work carrier_work;
|
|
bool confirmed_pairing;
|
|
};
|
|
|
|
static int ipheth_rx_submit(struct ipheth_device *dev, gfp_t mem_flags);
|
|
|
|
static int ipheth_alloc_urbs(struct ipheth_device *iphone)
|
|
{
|
|
struct urb *tx_urb = NULL;
|
|
struct urb *rx_urb = NULL;
|
|
u8 *tx_buf = NULL;
|
|
u8 *rx_buf = NULL;
|
|
|
|
tx_urb = usb_alloc_urb(0, GFP_KERNEL);
|
|
if (tx_urb == NULL)
|
|
goto error_nomem;
|
|
|
|
rx_urb = usb_alloc_urb(0, GFP_KERNEL);
|
|
if (rx_urb == NULL)
|
|
goto free_tx_urb;
|
|
|
|
tx_buf = usb_alloc_coherent(iphone->udev, IPHETH_BUF_SIZE,
|
|
GFP_KERNEL, &tx_urb->transfer_dma);
|
|
if (tx_buf == NULL)
|
|
goto free_rx_urb;
|
|
|
|
rx_buf = usb_alloc_coherent(iphone->udev, IPHETH_BUF_SIZE,
|
|
GFP_KERNEL, &rx_urb->transfer_dma);
|
|
if (rx_buf == NULL)
|
|
goto free_tx_buf;
|
|
|
|
|
|
iphone->tx_urb = tx_urb;
|
|
iphone->rx_urb = rx_urb;
|
|
iphone->tx_buf = tx_buf;
|
|
iphone->rx_buf = rx_buf;
|
|
return 0;
|
|
|
|
free_tx_buf:
|
|
usb_free_coherent(iphone->udev, IPHETH_BUF_SIZE, tx_buf,
|
|
tx_urb->transfer_dma);
|
|
free_rx_urb:
|
|
usb_free_urb(rx_urb);
|
|
free_tx_urb:
|
|
usb_free_urb(tx_urb);
|
|
error_nomem:
|
|
return -ENOMEM;
|
|
}
|
|
|
|
static void ipheth_free_urbs(struct ipheth_device *iphone)
|
|
{
|
|
usb_free_coherent(iphone->udev, IPHETH_BUF_SIZE, iphone->rx_buf,
|
|
iphone->rx_urb->transfer_dma);
|
|
usb_free_coherent(iphone->udev, IPHETH_BUF_SIZE, iphone->tx_buf,
|
|
iphone->tx_urb->transfer_dma);
|
|
usb_free_urb(iphone->rx_urb);
|
|
usb_free_urb(iphone->tx_urb);
|
|
}
|
|
|
|
static void ipheth_kill_urbs(struct ipheth_device *dev)
|
|
{
|
|
usb_kill_urb(dev->tx_urb);
|
|
usb_kill_urb(dev->rx_urb);
|
|
}
|
|
|
|
static void ipheth_rcvbulk_callback(struct urb *urb)
|
|
{
|
|
struct ipheth_device *dev;
|
|
struct sk_buff *skb;
|
|
int status;
|
|
char *buf;
|
|
int len;
|
|
|
|
dev = urb->context;
|
|
if (dev == NULL)
|
|
return;
|
|
|
|
status = urb->status;
|
|
switch (status) {
|
|
case -ENOENT:
|
|
case -ECONNRESET:
|
|
case -ESHUTDOWN:
|
|
case -EPROTO:
|
|
return;
|
|
case 0:
|
|
break;
|
|
default:
|
|
dev_err(&dev->intf->dev, "%s: urb status: %d\n",
|
|
__func__, status);
|
|
return;
|
|
}
|
|
|
|
if (urb->actual_length <= IPHETH_IP_ALIGN) {
|
|
dev->net->stats.rx_length_errors++;
|
|
return;
|
|
}
|
|
len = urb->actual_length - IPHETH_IP_ALIGN;
|
|
buf = urb->transfer_buffer + IPHETH_IP_ALIGN;
|
|
|
|
skb = dev_alloc_skb(len);
|
|
if (!skb) {
|
|
dev_err(&dev->intf->dev, "%s: dev_alloc_skb: -ENOMEM\n",
|
|
__func__);
|
|
dev->net->stats.rx_dropped++;
|
|
return;
|
|
}
|
|
|
|
skb_put_data(skb, buf, len);
|
|
skb->dev = dev->net;
|
|
skb->protocol = eth_type_trans(skb, dev->net);
|
|
|
|
dev->net->stats.rx_packets++;
|
|
dev->net->stats.rx_bytes += len;
|
|
dev->confirmed_pairing = true;
|
|
netif_rx(skb);
|
|
ipheth_rx_submit(dev, GFP_ATOMIC);
|
|
}
|
|
|
|
static void ipheth_sndbulk_callback(struct urb *urb)
|
|
{
|
|
struct ipheth_device *dev;
|
|
int status = urb->status;
|
|
|
|
dev = urb->context;
|
|
if (dev == NULL)
|
|
return;
|
|
|
|
if (status != 0 &&
|
|
status != -ENOENT &&
|
|
status != -ECONNRESET &&
|
|
status != -ESHUTDOWN)
|
|
dev_err(&dev->intf->dev, "%s: urb status: %d\n",
|
|
__func__, status);
|
|
|
|
if (status == 0)
|
|
netif_wake_queue(dev->net);
|
|
else
|
|
// on URB error, trigger immediate poll
|
|
schedule_delayed_work(&dev->carrier_work, 0);
|
|
}
|
|
|
|
static int ipheth_carrier_set(struct ipheth_device *dev)
|
|
{
|
|
struct usb_device *udev;
|
|
int retval;
|
|
|
|
if (!dev)
|
|
return 0;
|
|
if (!dev->confirmed_pairing)
|
|
return 0;
|
|
|
|
udev = dev->udev;
|
|
retval = usb_control_msg(udev,
|
|
usb_rcvctrlpipe(udev, IPHETH_CTRL_ENDP),
|
|
IPHETH_CMD_CARRIER_CHECK, /* request */
|
|
0xc0, /* request type */
|
|
0x00, /* value */
|
|
0x02, /* index */
|
|
dev->ctrl_buf, IPHETH_CTRL_BUF_SIZE,
|
|
IPHETH_CTRL_TIMEOUT);
|
|
if (retval < 0) {
|
|
dev_err(&dev->intf->dev, "%s: usb_control_msg: %d\n",
|
|
__func__, retval);
|
|
return retval;
|
|
}
|
|
|
|
if (dev->ctrl_buf[0] == IPHETH_CARRIER_ON) {
|
|
netif_carrier_on(dev->net);
|
|
if (dev->tx_urb->status != -EINPROGRESS)
|
|
netif_wake_queue(dev->net);
|
|
} else {
|
|
netif_carrier_off(dev->net);
|
|
netif_stop_queue(dev->net);
|
|
}
|
|
return 0;
|
|
}
|
|
|
|
static void ipheth_carrier_check_work(struct work_struct *work)
|
|
{
|
|
struct ipheth_device *dev = container_of(work, struct ipheth_device,
|
|
carrier_work.work);
|
|
|
|
ipheth_carrier_set(dev);
|
|
schedule_delayed_work(&dev->carrier_work, IPHETH_CARRIER_CHECK_TIMEOUT);
|
|
}
|
|
|
|
static int ipheth_get_macaddr(struct ipheth_device *dev)
|
|
{
|
|
struct usb_device *udev = dev->udev;
|
|
struct net_device *net = dev->net;
|
|
int retval;
|
|
|
|
retval = usb_control_msg(udev,
|
|
usb_rcvctrlpipe(udev, IPHETH_CTRL_ENDP),
|
|
IPHETH_CMD_GET_MACADDR, /* request */
|
|
0xc0, /* request type */
|
|
0x00, /* value */
|
|
0x02, /* index */
|
|
dev->ctrl_buf,
|
|
IPHETH_CTRL_BUF_SIZE,
|
|
IPHETH_CTRL_TIMEOUT);
|
|
if (retval < 0) {
|
|
dev_err(&dev->intf->dev, "%s: usb_control_msg: %d\n",
|
|
__func__, retval);
|
|
} else if (retval < ETH_ALEN) {
|
|
dev_err(&dev->intf->dev,
|
|
"%s: usb_control_msg: short packet: %d bytes\n",
|
|
__func__, retval);
|
|
retval = -EINVAL;
|
|
} else {
|
|
memcpy(net->dev_addr, dev->ctrl_buf, ETH_ALEN);
|
|
retval = 0;
|
|
}
|
|
|
|
return retval;
|
|
}
|
|
|
|
static int ipheth_rx_submit(struct ipheth_device *dev, gfp_t mem_flags)
|
|
{
|
|
struct usb_device *udev = dev->udev;
|
|
int retval;
|
|
|
|
usb_fill_bulk_urb(dev->rx_urb, udev,
|
|
usb_rcvbulkpipe(udev, dev->bulk_in),
|
|
dev->rx_buf, IPHETH_BUF_SIZE,
|
|
ipheth_rcvbulk_callback,
|
|
dev);
|
|
dev->rx_urb->transfer_flags |= URB_NO_TRANSFER_DMA_MAP;
|
|
|
|
retval = usb_submit_urb(dev->rx_urb, mem_flags);
|
|
if (retval)
|
|
dev_err(&dev->intf->dev, "%s: usb_submit_urb: %d\n",
|
|
__func__, retval);
|
|
return retval;
|
|
}
|
|
|
|
static int ipheth_open(struct net_device *net)
|
|
{
|
|
struct ipheth_device *dev = netdev_priv(net);
|
|
struct usb_device *udev = dev->udev;
|
|
int retval = 0;
|
|
|
|
usb_set_interface(udev, IPHETH_INTFNUM, IPHETH_ALT_INTFNUM);
|
|
|
|
retval = ipheth_carrier_set(dev);
|
|
if (retval)
|
|
return retval;
|
|
|
|
retval = ipheth_rx_submit(dev, GFP_KERNEL);
|
|
if (retval)
|
|
return retval;
|
|
|
|
schedule_delayed_work(&dev->carrier_work, IPHETH_CARRIER_CHECK_TIMEOUT);
|
|
return retval;
|
|
}
|
|
|
|
static int ipheth_close(struct net_device *net)
|
|
{
|
|
struct ipheth_device *dev = netdev_priv(net);
|
|
|
|
cancel_delayed_work_sync(&dev->carrier_work);
|
|
netif_stop_queue(net);
|
|
return 0;
|
|
}
|
|
|
|
static int ipheth_tx(struct sk_buff *skb, struct net_device *net)
|
|
{
|
|
struct ipheth_device *dev = netdev_priv(net);
|
|
struct usb_device *udev = dev->udev;
|
|
int retval;
|
|
|
|
/* Paranoid */
|
|
if (skb->len > IPHETH_BUF_SIZE) {
|
|
WARN(1, "%s: skb too large: %d bytes\n", __func__, skb->len);
|
|
dev->net->stats.tx_dropped++;
|
|
dev_kfree_skb_any(skb);
|
|
return NETDEV_TX_OK;
|
|
}
|
|
|
|
memcpy(dev->tx_buf, skb->data, skb->len);
|
|
if (skb->len < IPHETH_BUF_SIZE)
|
|
memset(dev->tx_buf + skb->len, 0, IPHETH_BUF_SIZE - skb->len);
|
|
|
|
usb_fill_bulk_urb(dev->tx_urb, udev,
|
|
usb_sndbulkpipe(udev, dev->bulk_out),
|
|
dev->tx_buf, IPHETH_BUF_SIZE,
|
|
ipheth_sndbulk_callback,
|
|
dev);
|
|
dev->tx_urb->transfer_flags |= URB_NO_TRANSFER_DMA_MAP;
|
|
|
|
retval = usb_submit_urb(dev->tx_urb, GFP_ATOMIC);
|
|
if (retval) {
|
|
dev_err(&dev->intf->dev, "%s: usb_submit_urb: %d\n",
|
|
__func__, retval);
|
|
dev->net->stats.tx_errors++;
|
|
dev_kfree_skb_any(skb);
|
|
} else {
|
|
dev->net->stats.tx_packets++;
|
|
dev->net->stats.tx_bytes += skb->len;
|
|
dev_consume_skb_any(skb);
|
|
netif_stop_queue(net);
|
|
}
|
|
|
|
return NETDEV_TX_OK;
|
|
}
|
|
|
|
static void ipheth_tx_timeout(struct net_device *net)
|
|
{
|
|
struct ipheth_device *dev = netdev_priv(net);
|
|
|
|
dev_err(&dev->intf->dev, "%s: TX timeout\n", __func__);
|
|
dev->net->stats.tx_errors++;
|
|
usb_unlink_urb(dev->tx_urb);
|
|
}
|
|
|
|
static u32 ipheth_ethtool_op_get_link(struct net_device *net)
|
|
{
|
|
struct ipheth_device *dev = netdev_priv(net);
|
|
return netif_carrier_ok(dev->net);
|
|
}
|
|
|
|
static const struct ethtool_ops ops = {
|
|
.get_link = ipheth_ethtool_op_get_link
|
|
};
|
|
|
|
static const struct net_device_ops ipheth_netdev_ops = {
|
|
.ndo_open = ipheth_open,
|
|
.ndo_stop = ipheth_close,
|
|
.ndo_start_xmit = ipheth_tx,
|
|
.ndo_tx_timeout = ipheth_tx_timeout,
|
|
};
|
|
|
|
static int ipheth_probe(struct usb_interface *intf,
|
|
const struct usb_device_id *id)
|
|
{
|
|
struct usb_device *udev = interface_to_usbdev(intf);
|
|
struct usb_host_interface *hintf;
|
|
struct usb_endpoint_descriptor *endp;
|
|
struct ipheth_device *dev;
|
|
struct net_device *netdev;
|
|
int i;
|
|
int retval;
|
|
|
|
netdev = alloc_etherdev(sizeof(struct ipheth_device));
|
|
if (!netdev)
|
|
return -ENOMEM;
|
|
|
|
netdev->netdev_ops = &ipheth_netdev_ops;
|
|
netdev->watchdog_timeo = IPHETH_TX_TIMEOUT;
|
|
strcpy(netdev->name, "eth%d");
|
|
|
|
dev = netdev_priv(netdev);
|
|
dev->udev = udev;
|
|
dev->net = netdev;
|
|
dev->intf = intf;
|
|
dev->confirmed_pairing = false;
|
|
/* Set up endpoints */
|
|
hintf = usb_altnum_to_altsetting(intf, IPHETH_ALT_INTFNUM);
|
|
if (hintf == NULL) {
|
|
retval = -ENODEV;
|
|
dev_err(&intf->dev, "Unable to find alternate settings interface\n");
|
|
goto err_endpoints;
|
|
}
|
|
|
|
for (i = 0; i < hintf->desc.bNumEndpoints; i++) {
|
|
endp = &hintf->endpoint[i].desc;
|
|
if (usb_endpoint_is_bulk_in(endp))
|
|
dev->bulk_in = endp->bEndpointAddress;
|
|
else if (usb_endpoint_is_bulk_out(endp))
|
|
dev->bulk_out = endp->bEndpointAddress;
|
|
}
|
|
if (!(dev->bulk_in && dev->bulk_out)) {
|
|
retval = -ENODEV;
|
|
dev_err(&intf->dev, "Unable to find endpoints\n");
|
|
goto err_endpoints;
|
|
}
|
|
|
|
dev->ctrl_buf = kmalloc(IPHETH_CTRL_BUF_SIZE, GFP_KERNEL);
|
|
if (dev->ctrl_buf == NULL) {
|
|
retval = -ENOMEM;
|
|
goto err_alloc_ctrl_buf;
|
|
}
|
|
|
|
retval = ipheth_get_macaddr(dev);
|
|
if (retval)
|
|
goto err_get_macaddr;
|
|
|
|
INIT_DELAYED_WORK(&dev->carrier_work, ipheth_carrier_check_work);
|
|
|
|
retval = ipheth_alloc_urbs(dev);
|
|
if (retval) {
|
|
dev_err(&intf->dev, "error allocating urbs: %d\n", retval);
|
|
goto err_alloc_urbs;
|
|
}
|
|
|
|
usb_set_intfdata(intf, dev);
|
|
|
|
SET_NETDEV_DEV(netdev, &intf->dev);
|
|
netdev->ethtool_ops = &ops;
|
|
|
|
retval = register_netdev(netdev);
|
|
if (retval) {
|
|
dev_err(&intf->dev, "error registering netdev: %d\n", retval);
|
|
retval = -EIO;
|
|
goto err_register_netdev;
|
|
}
|
|
// carrier down and transmit queues stopped until packet from device
|
|
netif_carrier_off(netdev);
|
|
netif_tx_stop_all_queues(netdev);
|
|
dev_info(&intf->dev, "Apple iPhone USB Ethernet device attached\n");
|
|
return 0;
|
|
|
|
err_register_netdev:
|
|
ipheth_free_urbs(dev);
|
|
err_alloc_urbs:
|
|
err_get_macaddr:
|
|
err_alloc_ctrl_buf:
|
|
kfree(dev->ctrl_buf);
|
|
err_endpoints:
|
|
free_netdev(netdev);
|
|
return retval;
|
|
}
|
|
|
|
static void ipheth_disconnect(struct usb_interface *intf)
|
|
{
|
|
struct ipheth_device *dev;
|
|
|
|
dev = usb_get_intfdata(intf);
|
|
if (dev != NULL) {
|
|
unregister_netdev(dev->net);
|
|
ipheth_kill_urbs(dev);
|
|
ipheth_free_urbs(dev);
|
|
kfree(dev->ctrl_buf);
|
|
free_netdev(dev->net);
|
|
}
|
|
usb_set_intfdata(intf, NULL);
|
|
dev_info(&intf->dev, "Apple iPhone USB Ethernet now disconnected\n");
|
|
}
|
|
|
|
static struct usb_driver ipheth_driver = {
|
|
.name = "ipheth",
|
|
.probe = ipheth_probe,
|
|
.disconnect = ipheth_disconnect,
|
|
.id_table = ipheth_table,
|
|
.disable_hub_initiated_lpm = 1,
|
|
};
|
|
|
|
module_usb_driver(ipheth_driver);
|
|
|
|
MODULE_AUTHOR("Diego Giagio <diego@giagio.com>");
|
|
MODULE_DESCRIPTION("Apple iPhone USB Ethernet driver");
|
|
MODULE_LICENSE("Dual BSD/GPL");
|