| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 29 Mar 2011 00:56:33 +0200
From: Andrzej Zaborowski <andrew.zaborowski@...el.com>
To: netdev@...r.kernel.org
Cc: Oliver Neukum <oliver@...kum.name>,
David Brownell <dbrownell@...rs.sourceforge.net>,
linux-kernel@...r.kernel.org, balrogg@...il.com
Subject: [PATCH v2] net/usb: Ethernet quirks for the LG-VL600 4G modem
This adds a driver for the CDC Ethernet part of this modem. The
device's ID is blacklisted in cdc_ether.c and is white-listed in
this new driver because of the quirks needed to make it useful.
The modem's firmware exposes a CDC ACM port for modem control and a
CDC Ethernet port for network data. The descriptors look fine but
both ports actually are some sort of multiplexers requiring non-
standard headers added/removed from every packet or they get
ignored. All information is based on a usb traffic log from a
Windows machine.
On the Verizon 4G network I've seen speeds up to 1.1MB/s so far with
this driver, a speed-o-meter site reports 16.2Mbps/10.5Mbps.
Userspace scripts are required to talk to the CDC ACM port.
Signed-off-by: Andrzej Zaborowski <balrogg@...il.com>
---
Changes in this version:
I just found out about IFF_NOARP which made a big ugly hack in the
code unnecessary.
Also the driver now handles potential fragmented packets spanning
multiple incoming URBs. Note I used the .driver_priv field in usbnet
which none of the other drivers uses, possibly would be better to
extend cdc_state with a "void *priv_data" field.
---
drivers/net/usb/Kconfig | 15 ++
drivers/net/usb/Makefile | 1 +
drivers/net/usb/cdc_ether.c | 21 ++-
drivers/net/usb/lg-vl600.c | 346 +++++++++++++++++++++++++++++++++++++++++++
include/linux/usb/usbnet.h | 3 +-
5 files changed, 356 insertions(+), 7 deletions(-)
create mode 100644 drivers/net/usb/lg-vl600.c
diff --git a/drivers/net/usb/Kconfig b/drivers/net/usb/Kconfig
index 6f600cc..3ec22c3 100644
--- a/drivers/net/usb/Kconfig
+++ b/drivers/net/usb/Kconfig
@@ -433,4 +433,19 @@ config USB_SIERRA_NET
To compile this driver as a module, choose M here: the
module will be called sierra_net.
+config USB_VL600
+ tristate "LG VL600 modem dongle"
+ depends on USB_NET_CDCETHER
+ select USB_ACM
+ help
+ Select this if you want to use an LG Electronics 4G/LTE usb modem
+ called VL600. This driver only handles the ethernet
+ interface exposed by the modem firmware. To establish a connection
+ you will first need a userspace program that sends the right
+ command to the modem through its CDC ACM port, and most
+ likely also a DHCP client. See this thread about using the
+ 4G modem from Verizon:
+
+ http://ubuntuforums.org/showpost.php?p=10589647&postcount=17
+
endmenu
diff --git a/drivers/net/usb/Makefile b/drivers/net/usb/Makefile
index cac1703..c7ec8a5 100644
--- a/drivers/net/usb/Makefile
+++ b/drivers/net/usb/Makefile
@@ -27,4 +27,5 @@ obj-$(CONFIG_USB_IPHETH) += ipheth.o
obj-$(CONFIG_USB_SIERRA_NET) += sierra_net.o
obj-$(CONFIG_USB_NET_CX82310_ETH) += cx82310_eth.o
obj-$(CONFIG_USB_NET_CDC_NCM) += cdc_ncm.o
+obj-$(CONFIG_USB_VL600) += lg-vl600.o
diff --git a/drivers/net/usb/cdc_ether.c b/drivers/net/usb/cdc_ether.c
index 9a60e41..51c259b 100644
--- a/drivers/net/usb/cdc_ether.c
+++ b/drivers/net/usb/cdc_ether.c
@@ -378,7 +378,7 @@ static void dumpspeed(struct usbnet *dev, __le32 *speeds)
__le32_to_cpu(speeds[1]) / 1000);
}
-static void cdc_status(struct usbnet *dev, struct urb *urb)
+void usbnet_cdc_status(struct usbnet *dev, struct urb *urb)
{
struct usb_cdc_notification *event;
@@ -418,8 +418,9 @@ static void cdc_status(struct usbnet *dev, struct urb *urb)
break;
}
}
+EXPORT_SYMBOL_GPL(usbnet_cdc_status);
-static int cdc_bind(struct usbnet *dev, struct usb_interface *intf)
+int usbnet_cdc_bind(struct usbnet *dev, struct usb_interface *intf)
{
int status;
struct cdc_state *info = (void *) &dev->data;
@@ -441,6 +442,7 @@ static int cdc_bind(struct usbnet *dev, struct usb_interface *intf)
*/
return 0;
}
+EXPORT_SYMBOL_GPL(usbnet_cdc_bind);
static int cdc_manage_power(struct usbnet *dev, int on)
{
@@ -452,18 +454,18 @@ static const struct driver_info cdc_info = {
.description = "CDC Ethernet Device",
.flags = FLAG_ETHER,
// .check_connect = cdc_check_connect,
- .bind = cdc_bind,
+ .bind = usbnet_cdc_bind,
.unbind = usbnet_cdc_unbind,
- .status = cdc_status,
+ .status = usbnet_cdc_status,
.manage_power = cdc_manage_power,
};
static const struct driver_info mbm_info = {
.description = "Mobile Broadband Network Device",
.flags = FLAG_WWAN,
- .bind = cdc_bind,
+ .bind = usbnet_cdc_bind,
.unbind = usbnet_cdc_unbind,
- .status = cdc_status,
+ .status = usbnet_cdc_status,
.manage_power = cdc_manage_power,
};
@@ -560,6 +562,13 @@ static const struct usb_device_id products [] = {
.driver_info = 0,
},
+/* LG Electronics VL600 wants additional headers on every frame */
+{
+ USB_DEVICE_AND_INTERFACE_INFO(0x1004, 0x61aa, USB_CLASS_COMM,
+ USB_CDC_SUBCLASS_ETHERNET, USB_CDC_PROTO_NONE),
+ .driver_info = 0,
+},
+
/*
* WHITELIST!!!
*
diff --git a/drivers/net/usb/lg-vl600.c b/drivers/net/usb/lg-vl600.c
new file mode 100644
index 0000000..f9a7ced
--- /dev/null
+++ b/drivers/net/usb/lg-vl600.c
@@ -0,0 +1,346 @@
+/*
+ * Ethernet interface part of the LG VL600 LTE modem (4G dongle)
+ *
+ * Copyright (C) 2011 Intel Corporation
+ * Author: Andrzej Zaborowski <balrogg@...il.com>
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ */
+#include <linux/etherdevice.h>
+#include <linux/ethtool.h>
+#include <linux/mii.h>
+#include <linux/usb.h>
+#include <linux/usb/cdc.h>
+#include <linux/usb/usbnet.h>
+#include <linux/if_ether.h>
+#include <linux/if_arp.h>
+#include <linux/inetdevice.h>
+
+/*
+ * The device has a CDC ACM port for modem control (it claims to be
+ * CDC ACM anyway) and a CDC Ethernet port for actual network data.
+ * It will however ignore data on both ports that is not encapsulated
+ * in a specific way, any data returned is also encapsulated the same
+ * way. The headers don't seem to follow any popular standard.
+ *
+ * This driver adds and strips these headers from the ethernet frames
+ * sent/received from the CDC Ethernet port. The proprietary header
+ * replaces the standard ethernet header in a packet so only actual
+ * ethernet frames are allowed. The headers allow some form of
+ * multiplexing by using non standard values of the .h_proto field.
+ * Windows/Mac drivers do send a couple of such frames to the device
+ * during initialisation, with protocol set to 0x0906 or 0x0b06 and (what
+ * seems to be) a flag in the .dummy_flags. This doesn't seem necessary
+ * for modem operation but can possibly be used for GPS or other funcitons.
+ */
+
+struct vl600_frame_hdr {
+ __le32 len;
+ __le32 serial;
+ __le32 pkt_cnt;
+ __le32 dummy_flags;
+ __le32 dummy;
+ __le32 magic;
+} __attribute__((packed));
+
+struct vl600_pkt_hdr {
+ __le32 dummy[2];
+ __le32 len;
+ __be16 h_proto;
+} __attribute__((packed));
+
+struct vl600_state {
+ struct sk_buff *current_rx_buf;
+};
+
+static int vl600_bind(struct usbnet *dev, struct usb_interface *intf)
+{
+ int ret;
+ struct vl600_state *s = kzalloc(sizeof(struct vl600_state), GFP_KERNEL);
+
+ if (!s)
+ return -ENOMEM;
+
+ ret = usbnet_cdc_bind(dev, intf);
+ if (ret) {
+ kfree(s);
+ return ret;
+ }
+
+ dev->driver_priv = s;
+
+ /* ARP packets don't go through, but they're also of no use. The
+ * subnet has only two hosts anyway: us and the gateway / DHCP
+ * server (probably simulated by modem firmware or network operator)
+ * whose address changes everytime we connect to the intarwebz and
+ * who doesn't bother answering ARP requests either. So hardware
+ * addresses have no meaning, the destination and the source of every
+ * packet depend only on whether it is on the IN or OUT endpoint. */
+ dev->net->flags |= IFF_NOARP;
+
+ return ret;
+}
+
+static void vl600_unbind(struct usbnet *dev, struct usb_interface *intf)
+{
+ struct vl600_state *s = dev->driver_priv;
+
+ if (s->current_rx_buf)
+ dev_kfree_skb(s->current_rx_buf);
+
+ kfree(s);
+
+ return usbnet_cdc_unbind(dev, intf);
+}
+
+static int vl600_rx_fixup(struct usbnet *dev, struct sk_buff *skb)
+{
+ struct vl600_frame_hdr *frame;
+ struct vl600_pkt_hdr *packet;
+ struct ethhdr *ethhdr;
+ int packet_len, count;
+ struct sk_buff *buf = skb;
+ struct sk_buff *clone;
+ struct vl600_state *s = dev->driver_priv;
+
+ /* Frame lengths are generally 4B multiplies but every couple of
+ * hours there's an odd number of bytes sized yet correct frame,
+ * so don't require this. */
+
+ /* Allow a packet (or multiple packets batched together) to be
+ * split across many frames. We don't allow a new batch to
+ * begin in the same frame another one is ending however, and no
+ * leading or trailing pad bytes. */
+ if (s->current_rx_buf) {
+ frame = (struct vl600_frame_hdr *) s->current_rx_buf->data;
+ if (skb->len + s->current_rx_buf->len >
+ le32_to_cpup(&frame->len)) {
+ netif_err(dev, ifup, dev->net, "Fragment too long\n");
+ dev->net->stats.rx_length_errors++;
+ goto error;
+ }
+
+ buf = s->current_rx_buf;
+ memcpy(skb_put(buf, skb->len), skb->data, skb->len);
+ } else if (skb->len < 4) {
+ netif_err(dev, ifup, dev->net, "Frame too short\n");
+ dev->net->stats.rx_length_errors++;
+ goto error;
+ }
+
+ frame = (struct vl600_frame_hdr *) buf->data;
+ /* NOTE: Should check that frame->magic == 0x53544448?
+ * Otherwise if we receive garbage at the beginning of the frame
+ * we may end up allocating a huge buffer and saving all the
+ * future incoming data into it. */
+
+ if (buf->len < sizeof(*frame) ||
+ buf->len != le32_to_cpup(&frame->len)) {
+ /* Save this fragment for later assembly */
+ if (s->current_rx_buf)
+ return 0;
+
+ s->current_rx_buf = skb_copy_expand(skb, 0,
+ le32_to_cpup(&frame->len), GFP_ATOMIC);
+ if (!s->current_rx_buf) {
+ netif_err(dev, ifup, dev->net, "Reserving %i bytes "
+ "for packet assembly failed.\n",
+ le32_to_cpup(&frame->len));
+ dev->net->stats.rx_errors++;
+ }
+
+ return 0;
+ }
+
+ count = le32_to_cpup(&frame->pkt_cnt);
+
+ skb_pull(buf, sizeof(*frame));
+
+ while (count--) {
+ if (buf->len < sizeof(*packet)) {
+ netif_err(dev, ifup, dev->net, "Packet too short\n");
+ goto error;
+ }
+
+ packet = (struct vl600_pkt_hdr *) buf->data;
+ packet_len = sizeof(*packet) + le32_to_cpup(&packet->len);
+ if (packet_len > buf->len) {
+ netif_err(dev, ifup, dev->net,
+ "Bad packet length stored in header\n");
+ goto error;
+ }
+
+ /* Packet header is same size as the ethernet header
+ * (sizeof(*packet) == sizeof(*ethhdr)), additionally
+ * the h_proto field is in the same place so we just leave it
+ * alone and fill in the remaining fields.
+ */
+ ethhdr = (struct ethhdr *) skb->data;
+ if (be16_to_cpup(ðhdr->h_proto) == ETH_P_ARP &&
+ buf->len > 0x26) {
+ /* Copy the addresses from packet contents */
+ memcpy(ethhdr->h_source,
+ &buf->data[sizeof(*ethhdr) + 0x8],
+ ETH_ALEN);
+ memcpy(ethhdr->h_dest,
+ &buf->data[sizeof(*ethhdr) + 0x12],
+ ETH_ALEN);
+ } else {
+ memset(ethhdr->h_source, 0, ETH_ALEN);
+ memcpy(ethhdr->h_dest, dev->net->dev_addr, ETH_ALEN);
+ }
+
+ if (count) {
+ /* Not the last packet in this batch */
+ clone = skb_clone(buf, GFP_ATOMIC);
+ if (!clone)
+ goto error;
+
+ skb_trim(clone, packet_len);
+ usbnet_skb_return(dev, clone);
+
+ skb_pull(buf, (packet_len + 3) & ~3);
+ } else {
+ skb_trim(buf, packet_len);
+
+ if (s->current_rx_buf) {
+ usbnet_skb_return(dev, buf);
+ s->current_rx_buf = NULL;
+ return 0;
+ }
+
+ return 1;
+ }
+ }
+
+error:
+ if (s->current_rx_buf) {
+ dev_kfree_skb_any(s->current_rx_buf);
+ s->current_rx_buf = NULL;
+ }
+ dev->net->stats.rx_errors++;
+ return 0;
+}
+
+static struct sk_buff *vl600_tx_fixup(struct usbnet *dev,
+ struct sk_buff *skb, gfp_t flags)
+{
+ struct sk_buff *ret;
+ struct vl600_frame_hdr *frame;
+ struct vl600_pkt_hdr *packet;
+ static uint32_t serial = 1;
+ int orig_len = skb->len - sizeof(struct ethhdr);
+ int full_len = (skb->len + sizeof(struct vl600_frame_hdr) + 3) & ~3;
+
+ frame = (struct vl600_frame_hdr *) skb->data;
+ if (skb->len > sizeof(*frame) && skb->len == le32_to_cpup(&frame->len))
+ return skb; /* Already encapsulated? */
+
+ if (skb->len < sizeof(struct ethhdr))
+ /* Drop, device can only deal with ethernet packets */
+ return NULL;
+
+ if (!skb_cloned(skb)) {
+ int headroom = skb_headroom(skb);
+ int tailroom = skb_tailroom(skb);
+
+ if (tailroom >= full_len - skb->len - sizeof(*frame) &&
+ headroom >= sizeof(*frame))
+ /* There's enough head and tail room */
+ goto encapsulate;
+
+ if (headroom + tailroom + skb->len >= full_len) {
+ /* There's enough total room, just readjust */
+ skb->data = memmove(skb->head + sizeof(*frame),
+ skb->data, skb->len);
+ skb_set_tail_pointer(skb, skb->len);
+ goto encapsulate;
+ }
+ }
+
+ /* Alloc a new skb with the required size */
+ ret = skb_copy_expand(skb, sizeof(struct vl600_frame_hdr), full_len -
+ skb->len - sizeof(struct vl600_frame_hdr), flags);
+ dev_kfree_skb_any(skb);
+ if (!ret)
+ return ret;
+ skb = ret;
+
+encapsulate:
+ /* Packet header is same size as ethernet packet header
+ * (sizeof(*packet) == sizeof(struct ethhdr)), additionally the
+ * h_proto field is in the same place so we just leave it alone and
+ * overwrite the remaining fields.
+ */
+ packet = (struct vl600_pkt_hdr *) skb->data;
+ memset(&packet->dummy, 0, sizeof(packet->dummy));
+ packet->len = cpu_to_le32(orig_len);
+
+ frame = (struct vl600_frame_hdr *) skb_push(skb, sizeof(*frame));
+ memset(frame, 0, sizeof(*frame));
+ frame->len = cpu_to_le32(full_len);
+ frame->serial = cpu_to_le32(serial++);
+ frame->pkt_cnt = cpu_to_le32(1);
+
+ if (skb->len < full_len) /* Pad */
+ skb_put(skb, full_len - skb->len);
+
+ return skb;
+}
+
+static const struct driver_info vl600_info = {
+ .description = "LG VL600 modem",
+ .flags = FLAG_ETHER | FLAG_RX_ASSEMBLE,
+ .bind = vl600_bind,
+ .unbind = vl600_unbind,
+ .status = usbnet_cdc_status,
+ .rx_fixup = vl600_rx_fixup,
+ .tx_fixup = vl600_tx_fixup,
+};
+
+static const struct usb_device_id products[] = {
+ {
+ USB_DEVICE_AND_INTERFACE_INFO(0x1004, 0x61aa, USB_CLASS_COMM,
+ USB_CDC_SUBCLASS_ETHERNET, USB_CDC_PROTO_NONE),
+ .driver_info = (unsigned long) &vl600_info,
+ },
+ {}, /* End */
+};
+MODULE_DEVICE_TABLE(usb, products);
+
+static struct usb_driver lg_vl600_driver = {
+ .name = "lg-vl600",
+ .id_table = products,
+ .probe = usbnet_probe,
+ .disconnect = usbnet_disconnect,
+ .suspend = usbnet_suspend,
+ .resume = usbnet_resume,
+};
+
+static int __init vl600_init(void)
+{
+ return usb_register(&lg_vl600_driver);
+}
+module_init(vl600_init);
+
+static void __exit vl600_exit(void)
+{
+ usb_deregister(&lg_vl600_driver);
+}
+module_exit(vl600_exit);
+
+MODULE_AUTHOR("Anrzej Zaborowski");
+MODULE_DESCRIPTION("LG-VL600 modem's ethernet link");
+MODULE_LICENSE("GPL");
diff --git a/drivers/net/usb/usbnet.c b/drivers/net/usb/usbnet.c
index 95c41d5..cf58b76 100644
--- a/drivers/net/usb/usbnet.c
+++ b/drivers/net/usb/usbnet.c
@@ -387,8 +387,12 @@ static int rx_submit (struct usbnet *dev, struct urb *urb, gfp_t flags)
static inline void rx_process (struct usbnet *dev, struct sk_buff *skb)
{
if (dev->driver_info->rx_fixup &&
- !dev->driver_info->rx_fixup (dev, skb))
- goto error;
+ !dev->driver_info->rx_fixup (dev, skb)) {
+ /* With RX_ASSEMBLE, rx_fixup() must update counters */
+ if (!(dev->driver_info->flags & FLAG_RX_ASSEMBLE))
+ dev->net->stats.rx_errors++;
+ goto done;
+ }
// else network stack removes extra byte if we forced a short packet
if (skb->len) {
@@ -401,8 +405,8 @@ static inline void rx_process (struct usbnet *dev, struct sk_buff *skb)
}
netif_dbg(dev, rx_err, dev->net, "drop\n");
-error:
dev->net->stats.rx_errors++;
+done:
skb_queue_tail(&dev->done, skb);
}
diff --git a/include/linux/usb/usbnet.h b/include/linux/usb/usbnet.h
index 44842c8..201f222 100644
--- a/include/linux/usb/usbnet.h
+++ b/include/linux/usb/usbnet.h
@@ -102,6 +102,7 @@ struct driver_info {
* Affects statistic (counters) and short packet handling.
*/
#define FLAG_MULTI_PACKET 0x1000
+#define FLAG_RX_ASSEMBLE 0x2000 /* rx packets may span >1 frames */
/* init device ... can sleep, or cause probe() failure */
int (*bind)(struct usbnet *, struct usb_interface *);
@@ -172,7 +173,9 @@ struct cdc_state {
};
extern int usbnet_generic_cdc_bind(struct usbnet *, struct usb_interface *);
+extern int usbnet_cdc_bind(struct usbnet *, struct usb_interface *);
extern void usbnet_cdc_unbind(struct usbnet *, struct usb_interface *);
+extern void usbnet_cdc_status(struct usbnet *, struct urb *);
/* CDC and RNDIS support the same host-chosen packet filters for IN transfers */
#define DEFAULT_FILTER (USB_CDC_PACKET_TYPE_BROADCAST \
--
1.7.1.86.g0e460.dirty
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists