cachepc-linux

Fork of AMDESE/linux with modifications for CachePC side-channel attack
git clone https://git.sinitax.com/sinitax/cachepc-linux
Log | Files | Refs | README | LICENSE | sfeed.txt

lg-vl600.c (9739B)

      1// SPDX-License-Identifier: GPL-2.0-or-later
      2/*
      3 * Ethernet interface part of the LG VL600 LTE modem (4G dongle)
      4 *
      5 * Copyright (C) 2011 Intel Corporation
      6 * Author: Andrzej Zaborowski <balrogg@gmail.com>
      7 */
      8#include <linux/etherdevice.h>
      9#include <linux/ethtool.h>
     10#include <linux/mii.h>
     11#include <linux/usb.h>
     12#include <linux/usb/cdc.h>
     13#include <linux/usb/usbnet.h>
     14#include <linux/if_ether.h>
     15#include <linux/if_arp.h>
     16#include <linux/inetdevice.h>
     17#include <linux/module.h>
     18
     19/*
     20 * The device has a CDC ACM port for modem control (it claims to be
     21 * CDC ACM anyway) and a CDC Ethernet port for actual network data.
     22 * It will however ignore data on both ports that is not encapsulated
     23 * in a specific way, any data returned is also encapsulated the same
     24 * way.  The headers don't seem to follow any popular standard.
     25 *
     26 * This driver adds and strips these headers from the ethernet frames
     27 * sent/received from the CDC Ethernet port.  The proprietary header
     28 * replaces the standard ethernet header in a packet so only actual
     29 * ethernet frames are allowed.  The headers allow some form of
     30 * multiplexing by using non standard values of the .h_proto field.
     31 * Windows/Mac drivers do send a couple of such frames to the device
     32 * during initialisation, with protocol set to 0x0906 or 0x0b06 and (what
     33 * seems to be) a flag in the .dummy_flags.  This doesn't seem necessary
     34 * for modem operation but can possibly be used for GPS or other functions.
     35 */
     36
     37struct vl600_frame_hdr {
     38	__le32 len;
     39	__le32 serial;
     40	__le32 pkt_cnt;
     41	__le32 dummy_flags;
     42	__le32 dummy;
     43	__le32 magic;
     44} __attribute__((packed));
     45
     46struct vl600_pkt_hdr {
     47	__le32 dummy[2];
     48	__le32 len;
     49	__be16 h_proto;
     50} __attribute__((packed));
     51
     52struct vl600_state {
     53	struct sk_buff *current_rx_buf;
     54};
     55
     56static int vl600_bind(struct usbnet *dev, struct usb_interface *intf)
     57{
     58	int ret;
     59	struct vl600_state *s = kzalloc(sizeof(struct vl600_state), GFP_KERNEL);
     60
     61	if (!s)
     62		return -ENOMEM;
     63
     64	ret = usbnet_cdc_bind(dev, intf);
     65	if (ret) {
     66		kfree(s);
     67		return ret;
     68	}
     69
     70	dev->driver_priv = s;
     71
     72	/* ARP packets don't go through, but they're also of no use.  The
     73	 * subnet has only two hosts anyway: us and the gateway / DHCP
     74	 * server (probably simulated by modem firmware or network operator)
     75	 * whose address changes every time we connect to the intarwebz and
     76	 * who doesn't bother answering ARP requests either.  So hardware
     77	 * addresses have no meaning, the destination and the source of every
     78	 * packet depend only on whether it is on the IN or OUT endpoint.  */
     79	dev->net->flags |= IFF_NOARP;
     80	/* IPv6 NDP relies on multicast.  Enable it by default. */
     81	dev->net->flags |= IFF_MULTICAST;
     82
     83	return ret;
     84}
     85
     86static void vl600_unbind(struct usbnet *dev, struct usb_interface *intf)
     87{
     88	struct vl600_state *s = dev->driver_priv;
     89
     90	dev_kfree_skb(s->current_rx_buf);
     91	kfree(s);
     92
     93	return usbnet_cdc_unbind(dev, intf);
     94}
     95
     96static int vl600_rx_fixup(struct usbnet *dev, struct sk_buff *skb)
     97{
     98	struct vl600_frame_hdr *frame;
     99	struct vl600_pkt_hdr *packet;
    100	struct ethhdr *ethhdr;
    101	int packet_len, count;
    102	struct sk_buff *buf = skb;
    103	struct sk_buff *clone;
    104	struct vl600_state *s = dev->driver_priv;
    105
    106	/* Frame lengths are generally 4B multiplies but every couple of
    107	 * hours there's an odd number of bytes sized yet correct frame,
    108	 * so don't require this.  */
    109
    110	/* Allow a packet (or multiple packets batched together) to be
    111	 * split across many frames.  We don't allow a new batch to
    112	 * begin in the same frame another one is ending however, and no
    113	 * leading or trailing pad bytes.  */
    114	if (s->current_rx_buf) {
    115		frame = (struct vl600_frame_hdr *) s->current_rx_buf->data;
    116		if (skb->len + s->current_rx_buf->len >
    117				le32_to_cpup(&frame->len)) {
    118			netif_err(dev, ifup, dev->net, "Fragment too long\n");
    119			dev->net->stats.rx_length_errors++;
    120			goto error;
    121		}
    122
    123		buf = s->current_rx_buf;
    124		skb_put_data(buf, skb->data, skb->len);
    125	} else if (skb->len < 4) {
    126		netif_err(dev, ifup, dev->net, "Frame too short\n");
    127		dev->net->stats.rx_length_errors++;
    128		goto error;
    129	}
    130
    131	frame = (struct vl600_frame_hdr *) buf->data;
    132	/* Yes, check that frame->magic == 0x53544448 (or 0x44544d48),
    133	 * otherwise we may run out of memory w/a bad packet */
    134	if (ntohl(frame->magic) != 0x53544448 &&
    135			ntohl(frame->magic) != 0x44544d48)
    136		goto error;
    137
    138	if (buf->len < sizeof(*frame) ||
    139			buf->len != le32_to_cpup(&frame->len)) {
    140		/* Save this fragment for later assembly */
    141		if (s->current_rx_buf)
    142			return 0;
    143
    144		s->current_rx_buf = skb_copy_expand(skb, 0,
    145				le32_to_cpup(&frame->len), GFP_ATOMIC);
    146		if (!s->current_rx_buf)
    147			dev->net->stats.rx_errors++;
    148
    149		return 0;
    150	}
    151
    152	count = le32_to_cpup(&frame->pkt_cnt);
    153
    154	skb_pull(buf, sizeof(*frame));
    155
    156	while (count--) {
    157		if (buf->len < sizeof(*packet)) {
    158			netif_err(dev, ifup, dev->net, "Packet too short\n");
    159			goto error;
    160		}
    161
    162		packet = (struct vl600_pkt_hdr *) buf->data;
    163		packet_len = sizeof(*packet) + le32_to_cpup(&packet->len);
    164		if (packet_len > buf->len) {
    165			netif_err(dev, ifup, dev->net,
    166					"Bad packet length stored in header\n");
    167			goto error;
    168		}
    169
    170		/* Packet header is same size as the ethernet header
    171		 * (sizeof(*packet) == sizeof(*ethhdr)), additionally
    172		 * the h_proto field is in the same place so we just leave it
    173		 * alone and fill in the remaining fields.
    174		 */
    175		ethhdr = (struct ethhdr *) skb->data;
    176		if (be16_to_cpup(&ethhdr->h_proto) == ETH_P_ARP &&
    177				buf->len > 0x26) {
    178			/* Copy the addresses from packet contents */
    179			memcpy(ethhdr->h_source,
    180					&buf->data[sizeof(*ethhdr) + 0x8],
    181					ETH_ALEN);
    182			memcpy(ethhdr->h_dest,
    183					&buf->data[sizeof(*ethhdr) + 0x12],
    184					ETH_ALEN);
    185		} else {
    186			eth_zero_addr(ethhdr->h_source);
    187			memcpy(ethhdr->h_dest, dev->net->dev_addr, ETH_ALEN);
    188
    189			/* Inbound IPv6 packets have an IPv4 ethertype (0x800)
    190			 * for some reason.  Peek at the L3 header to check
    191			 * for IPv6 packets, and set the ethertype to IPv6
    192			 * (0x86dd) so Linux can understand it.
    193			 */
    194			if ((buf->data[sizeof(*ethhdr)] & 0xf0) == 0x60)
    195				ethhdr->h_proto = htons(ETH_P_IPV6);
    196		}
    197
    198		if (count) {
    199			/* Not the last packet in this batch */
    200			clone = skb_clone(buf, GFP_ATOMIC);
    201			if (!clone)
    202				goto error;
    203
    204			skb_trim(clone, packet_len);
    205			usbnet_skb_return(dev, clone);
    206
    207			skb_pull(buf, (packet_len + 3) & ~3);
    208		} else {
    209			skb_trim(buf, packet_len);
    210
    211			if (s->current_rx_buf) {
    212				usbnet_skb_return(dev, buf);
    213				s->current_rx_buf = NULL;
    214				return 0;
    215			}
    216
    217			return 1;
    218		}
    219	}
    220
    221error:
    222	if (s->current_rx_buf) {
    223		dev_kfree_skb_any(s->current_rx_buf);
    224		s->current_rx_buf = NULL;
    225	}
    226	dev->net->stats.rx_errors++;
    227	return 0;
    228}
    229
    230static struct sk_buff *vl600_tx_fixup(struct usbnet *dev,
    231		struct sk_buff *skb, gfp_t flags)
    232{
    233	struct sk_buff *ret;
    234	struct vl600_frame_hdr *frame;
    235	struct vl600_pkt_hdr *packet;
    236	static uint32_t serial = 1;
    237	int orig_len = skb->len - sizeof(struct ethhdr);
    238	int full_len = (skb->len + sizeof(struct vl600_frame_hdr) + 3) & ~3;
    239
    240	frame = (struct vl600_frame_hdr *) skb->data;
    241	if (skb->len > sizeof(*frame) && skb->len == le32_to_cpup(&frame->len))
    242		return skb; /* Already encapsulated? */
    243
    244	if (skb->len < sizeof(struct ethhdr))
    245		/* Drop, device can only deal with ethernet packets */
    246		return NULL;
    247
    248	if (!skb_cloned(skb)) {
    249		int headroom = skb_headroom(skb);
    250		int tailroom = skb_tailroom(skb);
    251
    252		if (tailroom >= full_len - skb->len - sizeof(*frame) &&
    253				headroom >= sizeof(*frame))
    254			/* There's enough head and tail room */
    255			goto encapsulate;
    256
    257		if (headroom + tailroom + skb->len >= full_len) {
    258			/* There's enough total room, just readjust */
    259			skb->data = memmove(skb->head + sizeof(*frame),
    260					skb->data, skb->len);
    261			skb_set_tail_pointer(skb, skb->len);
    262			goto encapsulate;
    263		}
    264	}
    265
    266	/* Alloc a new skb with the required size */
    267	ret = skb_copy_expand(skb, sizeof(struct vl600_frame_hdr), full_len -
    268			skb->len - sizeof(struct vl600_frame_hdr), flags);
    269	dev_kfree_skb_any(skb);
    270	if (!ret)
    271		return ret;
    272	skb = ret;
    273
    274encapsulate:
    275	/* Packet header is same size as ethernet packet header
    276	 * (sizeof(*packet) == sizeof(struct ethhdr)), additionally the
    277	 * h_proto field is in the same place so we just leave it alone and
    278	 * overwrite the remaining fields.
    279	 */
    280	packet = (struct vl600_pkt_hdr *) skb->data;
    281	/* The VL600 wants IPv6 packets to have an IPv4 ethertype
    282	 * Since this modem only supports IPv4 and IPv6, just set all
    283	 * frames to 0x0800 (ETH_P_IP)
    284	 */
    285	packet->h_proto = htons(ETH_P_IP);
    286	memset(&packet->dummy, 0, sizeof(packet->dummy));
    287	packet->len = cpu_to_le32(orig_len);
    288
    289	frame = skb_push(skb, sizeof(*frame));
    290	memset(frame, 0, sizeof(*frame));
    291	frame->len = cpu_to_le32(full_len);
    292	frame->serial = cpu_to_le32(serial++);
    293	frame->pkt_cnt = cpu_to_le32(1);
    294
    295	if (skb->len < full_len) /* Pad */
    296		skb_put(skb, full_len - skb->len);
    297
    298	return skb;
    299}
    300
    301static const struct driver_info	vl600_info = {
    302	.description	= "LG VL600 modem",
    303	.flags		= FLAG_RX_ASSEMBLE | FLAG_WWAN,
    304	.bind		= vl600_bind,
    305	.unbind		= vl600_unbind,
    306	.status		= usbnet_cdc_status,
    307	.rx_fixup	= vl600_rx_fixup,
    308	.tx_fixup	= vl600_tx_fixup,
    309};
    310
    311static const struct usb_device_id products[] = {
    312	{
    313		USB_DEVICE_AND_INTERFACE_INFO(0x1004, 0x61aa, USB_CLASS_COMM,
    314				USB_CDC_SUBCLASS_ETHERNET, USB_CDC_PROTO_NONE),
    315		.driver_info	= (unsigned long) &vl600_info,
    316	},
    317	{},	/* End */
    318};
    319MODULE_DEVICE_TABLE(usb, products);
    320
    321static struct usb_driver lg_vl600_driver = {
    322	.name		= "lg-vl600",
    323	.id_table	= products,
    324	.probe		= usbnet_probe,
    325	.disconnect	= usbnet_disconnect,
    326	.suspend	= usbnet_suspend,
    327	.resume		= usbnet_resume,
    328	.disable_hub_initiated_lpm = 1,
    329};
    330
    331module_usb_driver(lg_vl600_driver);
    332
    333MODULE_AUTHOR("Anrzej Zaborowski");
    334MODULE_DESCRIPTION("LG-VL600 modem's ethernet link");
    335MODULE_LICENSE("GPL");