1 /*
2  * phonet.c -- USB CDC Phonet host driver
3  *
4  * Copyright (C) 2008-2009 Nokia Corporation. All rights reserved.
5  *
6  * Author: Rémi Denis-Courmont
7  *
8  * This program is free software; you can redistribute it and/or
9  * modify it under the terms of the GNU General Public License
10  * version 2 as published by the Free Software Foundation.
11  *
12  * This program is distributed in the hope that it will be useful, but
13  * WITHOUT ANY WARRANTY; without even the implied warranty of
14  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
15  * General Public License for more details.
16  *
17  * You should have received a copy of the GNU General Public License
18  * along with this program; if not, write to the Free Software
19  * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
20  * 02110-1301 USA
21  */
22
23 #include <linux/kernel.h>
24 #include <linux/mm.h>
25 #include <linux/module.h>
26 #include <linux/gfp.h>
27 #include <linux/usb.h>
28 #include <linux/usb/cdc.h>
29 #include <linux/netdevice.h>
30 #include <linux/if_arp.h>
31 #include <linux/if_phonet.h>
32 #include <linux/phonet.h>
33
/* Value usbpn_setup() stores in dev_addr[0] as the interface's one-byte address. */
#define PN_MEDIA_USB    0x1B

/*
 * Number of receive URBs usbpn_open() allocates and submits; usbpn_probe()
 * sizes the trailing urbs[] array with the same value.
 */
static const unsigned rxq_size = 17;
37
/*
 * Per-device driver state. It lives in the net_device private area that
 * usbpn_probe() allocates with alloc_netdev(), so it is released together
 * with the net_device.
 */
struct usbpn_dev {
	struct net_device	*dev;		/* owning network device */

	/* intf: the interface that was probed; data_intf: the interface
	 * named by bSlaveInterface0 of the CDC union descriptor */
	struct usb_interface	*intf, *data_intf;
	struct usb_device	*usb;		/* reference taken with usb_get_dev() */
	unsigned int		tx_pipe, rx_pipe;	/* bulk pipes built in usbpn_probe() */
	u8 active_setting;	/* index of the data altsetting that has two endpoints */
	u8 disconnected;	/* non-zero makes usbpn_disconnect() return early */

	unsigned		tx_queue;	/* TX URBs submitted and not yet completed */
	spinlock_t		tx_lock;	/* taken around tx_queue updates */

	spinlock_t		rx_lock;	/* taken around rx_skb updates */
	struct sk_buff		*rx_skb;	/* packet being assembled from RX pages, or NULL */
	struct urb		*urbs[0];	/* rxq_size entries, storage appended at allocation */
};
54
/* URB completion handlers, declared here because usbpn_xmit() and rx_submit() reference them. */
static void tx_complete(struct urb *req);
static void rx_complete(struct urb *req);
57
58 /*
59  * Network device callbacks
60  */
/*
 * usbpn_xmit - ndo_start_xmit handler: send one Phonet packet as a bulk URB.
 * @skb: packet to transmit; ownership passes to the URB on success
 * @dev: network device the packet was queued on
 *
 * The skb data is handed to the URB directly and the skb itself becomes the
 * URB context, so tx_complete() frees both.  Packets that are not
 * ETH_P_PHONET, or for which the URB cannot be allocated or submitted, are
 * freed here and counted in tx_dropped.
 *
 * Always returns NETDEV_TX_OK, including for dropped packets.
 */
static netdev_tx_t usbpn_xmit(struct sk_buff *skb, struct net_device *dev)
{
	struct usbpn_dev *pnd = netdev_priv(dev);
	struct urb *urb;
	unsigned long irq_flags;

	if (skb->protocol != htons(ETH_P_PHONET))
		goto drop;

	urb = usb_alloc_urb(0, GFP_ATOMIC);
	if (urb == NULL)
		goto drop;

	usb_fill_bulk_urb(urb, pnd->usb, pnd->tx_pipe, skb->data, skb->len,
				tx_complete, skb);
	urb->transfer_flags = URB_ZERO_PACKET;
	if (usb_submit_urb(urb, GFP_ATOMIC) != 0) {
		usb_free_urb(urb);
		goto drop;
	}

	/*
	 * The skb now belongs to the in-flight URB and must not be touched
	 * below.  Account for it and throttle the stack once tx_queue_len
	 * URBs are outstanding.
	 */
	spin_lock_irqsave(&pnd->tx_lock, irq_flags);
	pnd->tx_queue++;
	if (pnd->tx_queue >= dev->tx_queue_len)
		netif_stop_queue(dev);
	spin_unlock_irqrestore(&pnd->tx_lock, irq_flags);
	return NETDEV_TX_OK;

drop:
	dev_kfree_skb(skb);
	dev->stats.tx_dropped++;
	return NETDEV_TX_OK;
}
95
/*
 * tx_complete - completion handler for a transmit URB.
 * @req: completed URB; its context is the skb that was sent
 *
 * Updates the TX statistics, releases one slot in the TX queue accounting,
 * wakes the queue, and frees the skb and the URB.  tx_packets is incremented
 * for failed transfers as well as successful ones.
 */
static void tx_complete(struct urb *req)
{
	struct sk_buff *skb = req->context;
	struct net_device *dev = skb->dev;
	struct usbpn_dev *pnd = netdev_priv(dev);
	int status = req->status;

	if (status == 0) {
		dev->stats.tx_bytes += skb->len;
	} else {
		/* Cancelled or shut-down transfers count as aborted AND as errors. */
		if (status == -ENOENT || status == -ECONNRESET ||
		    status == -ESHUTDOWN)
			dev->stats.tx_aborted_errors++;
		dev->stats.tx_errors++;
		dev_dbg(&dev->dev, "TX error (%d)\n", status);
	}
	dev->stats.tx_packets++;

	spin_lock(&pnd->tx_lock);
	pnd->tx_queue--;
	netif_wake_queue(dev);
	spin_unlock(&pnd->tx_lock);

	/* _any variant: this may run in interrupt context. */
	dev_kfree_skb_any(skb);
	usb_free_urb(req);
}
126
/*
 * rx_submit - attach a fresh page to a receive URB and submit it.
 * @pnd: driver state
 * @req: URB to (re)use
 * @gfp_flags: allocation flags for the page and the submission
 *
 * The URB receives into a whole page (PAGE_SIZE bytes) and completes in
 * rx_complete() with the net_device as context.
 *
 * Returns 0 on success, -ENOMEM if no page could be allocated, or the
 * usb_submit_urb() error, in which case the page is freed again.
 */
static int rx_submit(struct usbpn_dev *pnd, struct urb *req, gfp_t gfp_flags)
{
	struct net_device *netdev = pnd->dev;
	struct page *buf_page = __netdev_alloc_page(netdev, gfp_flags);
	int rc;

	if (buf_page == NULL)
		return -ENOMEM;

	usb_fill_bulk_urb(req, pnd->usb, pnd->rx_pipe, page_address(buf_page),
				PAGE_SIZE, rx_complete, netdev);
	req->transfer_flags = 0;

	rc = usb_submit_urb(req, gfp_flags);
	if (likely(rc == 0))
		return 0;

	dev_dbg(&netdev->dev, "RX submit error (%d)\n", rc);
	netdev_free_page(netdev, buf_page);
	return rc;
}
147
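/*
 * rx_complete - completion handler for a receive URB.
 * @req: completed URB; its context is the net_device and its transfer
 *       buffer is the page attached by rx_submit()
 *
 * On success the received page is attached to the packet being assembled in
 * pnd->rx_skb as a page fragment.  A transfer shorter than PAGE_SIZE ends the
 * packet, which is then handed to netif_rx(); a full-page transfer leaves the
 * packet open for the next URB.
 *
 * The number of full-page transfers is chosen by the device, so the fragment
 * count is checked against MAX_SKB_FRAGS before a page is appended: without
 * that check a device that never sends a short transfer would make
 * skb_add_rx_frag() write past the end of the skb's frags[] array.  An
 * over-long packet is dropped and counted as a length error.
 *
 * -ENOENT, -ECONNRESET and -ESHUTDOWN stop the URB from being resubmitted;
 * every other status resubmits it with a fresh page.
 */
static void rx_complete(struct urb *req)
{
	struct net_device *dev = req->context;
	struct usbpn_dev *pnd = netdev_priv(dev);
	struct page *page = virt_to_page(req->transfer_buffer);
	struct sk_buff *skb;
	unsigned long flags;
	int status = req->status;

	switch (status) {
	case 0:
		spin_lock_irqsave(&pnd->rx_lock, flags);
		skb = pnd->rx_skb;
		if (!skb) {
			skb = pnd->rx_skb = netdev_alloc_skb(dev, 12);
			if (likely(skb)) {
				/* Can't use pskb_pull() on page in IRQ */
				memcpy(skb_put(skb, 1), page_address(page), 1);
				/*
				 * NOTE(review): the fragment starts at offset 1
				 * but is given the full actual_length, so it
				 * appears to reach one byte past the received
				 * data; a zero-length transfer also copies byte
				 * 0 of a page the device never wrote.  Confirm
				 * whether actual_length - 1 was intended.
				 */
				skb_add_rx_frag(skb, skb_shinfo(skb)->nr_frags,
						page, 1, req->actual_length);
				page = NULL;
			}
		} else if (skb_shinfo(skb)->nr_frags >= MAX_SKB_FRAGS) {
			/*
			 * frags[] is full: drop the partial packet instead of
			 * writing past the array.  The page stays non-NULL and
			 * is freed at resubmit.  Later pages of the same
			 * oversized transfer will start a new skb, which the
			 * upper layer has to reject on its own checks.
			 */
			pnd->rx_skb = NULL;
			dev_kfree_skb_any(skb);
			skb = NULL;
			dev->stats.rx_length_errors++;
			dev->stats.rx_errors++;
		} else {
			skb_add_rx_frag(skb, skb_shinfo(skb)->nr_frags,
					page, 0, req->actual_length);
			page = NULL;
		}
		if (req->actual_length < PAGE_SIZE)
			pnd->rx_skb = NULL; /* Last fragment */
		else
			skb = NULL;
		spin_unlock_irqrestore(&pnd->rx_lock, flags);
		if (skb) {
			skb->protocol = htons(ETH_P_PHONET);
			skb_reset_mac_header(skb);
			/* strip the one-byte header copied into the linear area */
			__skb_pull(skb, 1);
			skb->dev = dev;
			dev->stats.rx_packets++;
			dev->stats.rx_bytes += skb->len;

			netif_rx(skb);
		}
		goto resubmit;

	case -ENOENT:
	case -ECONNRESET:
	case -ESHUTDOWN:
		/* URB was killed or the device is going away: do not resubmit */
		req = NULL;
		break;

	case -EOVERFLOW:
		dev->stats.rx_over_errors++;
		dev_dbg(&dev->dev, "RX overflow\n");
		break;

	case -EILSEQ:
		dev->stats.rx_crc_errors++;
		break;
	}

	dev->stats.rx_errors++;
resubmit:
	/* page is still set only when it was not attached to an skb */
	if (page)
		netdev_free_page(dev, page);
	if (req)
		rx_submit(pnd, req, GFP_ATOMIC);
}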
215
/* Forward declaration: usbpn_open() calls usbpn_close() to unwind a failed open. */
static int usbpn_close(struct net_device *dev);
217
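/*
 * usbpn_open - ndo_open handler: activate the data interface and start RX.
 * @dev: network device being brought up
 *
 * Selects the active alternate setting of the data interface, then allocates
 * and submits rxq_size receive URBs.
 *
 * Returns 0 on success, the usb_set_interface() error, or -ENOMEM if any URB
 * could not be allocated or submitted (the rx_submit() error code is not
 * propagated).  On that failure the URBs already stored in pnd->urbs[] are
 * torn down through usbpn_close().
 */
static int usbpn_open(struct net_device *dev)
{
	struct usbpn_dev *pnd = netdev_priv(dev);
	int err;
	unsigned i;
	unsigned num = pnd->data_intf->cur_altsetting->desc.bInterfaceNumber;

	err = usb_set_interface(pnd->usb, num, pnd->active_setting);
	if (err)
		return err;

	for (i = 0; i < rxq_size; i++) {
		struct urb *req = usb_alloc_urb(0, GFP_KERNEL);

		if (!req || rx_submit(pnd, req, GFP_KERNEL)) {
			/*
			 * req is not in pnd->urbs[] yet, so usbpn_close()
			 * cannot see it; free it here or it leaks when
			 * rx_submit() fails.  usb_free_urb(NULL) is a no-op.
			 */
			usb_free_urb(req);
			usbpn_close(dev);
			return -ENOMEM;
		}
		pnd->urbs[i] = req;
	}

	netif_wake_queue(dev);
	return 0;
}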
242
/*
 * usbpn_close - ndo_stop handler: stop RX and deactivate the data interface.
 * @dev: network device being brought down
 *
 * Stops the TX queue, kills and frees every receive URB recorded in
 * pnd->urbs[], and switches the data interface to its inactive alternate
 * setting.  Also used by usbpn_open() to unwind a partial open, so NULL
 * slots are skipped.
 *
 * Returns the result of usb_set_interface().
 */
static int usbpn_close(struct net_device *dev)
{
	struct usbpn_dev *pnd = netdev_priv(dev);
	unsigned num = pnd->data_intf->cur_altsetting->desc.bInterfaceNumber;
	unsigned idx;

	netif_stop_queue(dev);

	for (idx = 0; idx < rxq_size; idx++) {
		struct urb *urb = pnd->urbs[idx];

		if (urb != NULL) {
			/* kill before free so no completion runs on a freed URB */
			usb_kill_urb(urb);
			usb_free_urb(urb);
			pnd->urbs[idx] = NULL;
		}
	}

	return usb_set_interface(pnd->usb, num, !pnd->active_setting);
}
263
/*
 * usbpn_ioctl - ndo_do_ioctl handler.
 * @dev: network device (unused)
 * @ifr: request buffer, reinterpreted as struct if_phonet_req
 * @cmd: ioctl number
 *
 * Only SIOCPNGAUTOCONF is handled: it reports PN_DEV_PC as the
 * autoconfiguration device.  Returns 0 for that command and -ENOIOCTLCMD
 * for everything else.
 */
static int usbpn_ioctl(struct net_device *dev, struct ifreq *ifr, int cmd)
{
	struct if_phonet_req *req = (struct if_phonet_req *)ifr;

	if (cmd != SIOCPNGAUTOCONF)
		return -ENOIOCTLCMD;

	req->ifr_phonet_autoconf.device = PN_DEV_PC;
	return 0;
}
275
/*
 * usbpn_set_mtu - ndo_change_mtu handler.
 * @dev: network device
 * @new_mtu: requested MTU
 *
 * Accepts values in [PHONET_MIN_MTU, PHONET_MAX_MTU] and stores them in
 * dev->mtu.  Returns 0 on success, -EINVAL when out of range.
 */
static int usbpn_set_mtu(struct net_device *dev, int new_mtu)
{
	if (new_mtu >= PHONET_MIN_MTU && new_mtu <= PHONET_MAX_MTU) {
		dev->mtu = new_mtu;
		return 0;
	}

	return -EINVAL;
}
284
/* Network device operations installed on every usbpn interface by usbpn_setup(). */
static const struct net_device_ops usbpn_ops = {
	.ndo_open       = usbpn_open,
	.ndo_stop       = usbpn_close,
	.ndo_start_xmit = usbpn_xmit,
	.ndo_do_ioctl   = usbpn_ioctl,
	.ndo_change_mtu = usbpn_set_mtu,
};
292
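/*
 * usbpn_setup - alloc_netdev() setup callback for a usbpn interface.
 * @dev: freshly allocated network device
 *
 * Configures a point-to-point, no-ARP Phonet link with a one-byte hardware
 * header and a one-byte address (PN_MEDIA_USB).  The destructor is
 * free_netdev(), so the net_device and the usbpn_dev stored in its private
 * area are released by the networking core after unregistration.
 */
static void usbpn_setup(struct net_device *dev)
{
	dev->features		= 0;
	dev->netdev_ops		= &usbpn_ops;
	dev->header_ops		= &phonet_header_ops;
	dev->type		= ARPHRD_PHONET;
	dev->flags		= IFF_POINTOPOINT | IFF_NOARP;
	dev->mtu		= PHONET_MAX_MTU;
	dev->hard_header_len	= 1;
	dev->dev_addr[0]	= PN_MEDIA_USB;
	dev->addr_len		= 1;
	/* small TX queue: usbpn_xmit() stops the queue at this many in-flight URBs */
	dev->tx_queue_len	= 3;

	dev->destructor		= free_netdev;
}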
308
309 /*
310  * USB driver callbacks
311  */
/*
 * Device match table: any interface of a vendor-0x0421 device whose class is
 * USB_CLASS_COMM and whose subclass is 0xFE.  The match relies only on
 * values the device reports about itself; usbpn_probe() performs the
 * remaining checks on the descriptors.
 */
static struct usb_device_id usbpn_ids[] = {
	{
		.match_flags = USB_DEVICE_ID_MATCH_VENDOR
			| USB_DEVICE_ID_MATCH_INT_CLASS
			| USB_DEVICE_ID_MATCH_INT_SUBCLASS,
		.idVendor = 0x0421, /* Nokia */
		.bInterfaceClass = USB_CLASS_COMM,
		.bInterfaceSubClass = 0xFE,
	},
	{ },	/* terminating entry */
};

MODULE_DEVICE_TABLE(usb, usbpn_ids);
325
/* Tentative definition: usbpn_probe() and usbpn_disconnect() need the driver's address before it is initialized below. */
static struct usb_driver usbpn_driver;
327
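/*
 * usbpn_probe - bind to a CDC Phonet control interface.
 * @intf: interface matched by usbpn_ids
 * @id: matching table entry (unused)
 *
 * Walks the class-specific descriptors of @intf looking for a CDC union
 * descriptor and a Phonet functional descriptor (subtype 0xAB), locates the
 * data interface named by the union descriptor, and requires it to have
 * exactly two alternate settings: one without endpoints and one with two.
 * It then allocates the net_device, claims the data interface, forces the
 * inactive setting, and registers the network device.
 *
 * Everything parsed here comes from the attached device, so each descriptor
 * length is checked against the bytes that remain before the descriptor is
 * interpreted.
 *
 * Returns 0 on success, -EINVAL for missing or malformed descriptors,
 * -ENODEV if the data interface does not exist, -ENOMEM if the net_device
 * cannot be allocated, or the error from claiming the interface or
 * registering the network device.
 */
int usbpn_probe(struct usb_interface *intf, const struct usb_device_id *id)
{
	static const char ifname[] = "usbpn%d";
	const struct usb_cdc_union_desc *union_header = NULL;
	const struct usb_host_interface *data_desc;
	struct usb_interface *data_intf;
	struct usb_device *usbdev = interface_to_usbdev(intf);
	struct net_device *dev;
	struct usbpn_dev *pnd;
	u8 *data;
	int phonet = 0;
	int len, err;

	data = intf->altsetting->extra;
	len = intf->altsetting->extralen;
	while (len >= 3) {
		u8 dlen = data[0];
		if (dlen < 3)
			return -EINVAL;
		/*
		 * bLength is device-supplied.  A descriptor that claims more
		 * bytes than remain would let union_header point at fields
		 * beyond the end of the extra buffer, so stop parsing here.
		 */
		if (dlen > len)
			break;

		/* bDescriptorType */
		if (data[1] == USB_DT_CS_INTERFACE) {
			/* bDescriptorSubType */
			switch (data[2]) {
			case USB_CDC_UNION_TYPE:
				/* keep the first union descriptor only */
				if (union_header || dlen < 5)
					break;
				union_header =
					(struct usb_cdc_union_desc *)data;
				break;
			case 0xAB:
				phonet = 1;
				break;
			}
		}
		data += dlen;
		len -= dlen;
	}

	if (!union_header || !phonet)
		return -EINVAL;

	data_intf = usb_ifnum_to_if(usbdev, union_header->bSlaveInterface0);
	if (data_intf == NULL)
		return -ENODEV;
	/* Data interface has one inactive and one active setting */
	if (data_intf->num_altsetting != 2)
		return -EINVAL;
	if (data_intf->altsetting[0].desc.bNumEndpoints == 0 &&
	    data_intf->altsetting[1].desc.bNumEndpoints == 2)
		data_desc = data_intf->altsetting + 1;
	else
	if (data_intf->altsetting[0].desc.bNumEndpoints == 2 &&
	    data_intf->altsetting[1].desc.bNumEndpoints == 0)
		data_desc = data_intf->altsetting;
	else
		return -EINVAL;

	/* private area = usbpn_dev plus rxq_size URB pointers for urbs[] */
	dev = alloc_netdev(sizeof(*pnd) + sizeof(pnd->urbs[0]) * rxq_size,
				ifname, usbpn_setup);
	if (!dev)
		return -ENOMEM;

	pnd = netdev_priv(dev);
	SET_NETDEV_DEV(dev, &intf->dev);

	pnd->dev = dev;
	pnd->usb = usb_get_dev(usbdev);
	pnd->intf = intf;
	pnd->data_intf = data_intf;
	spin_lock_init(&pnd->tx_lock);
	spin_lock_init(&pnd->rx_lock);
	/*
	 * Endpoints
	 * NOTE(review): only the direction of endpoint[0] is inspected; the
	 * other endpoint is assumed to have the opposite direction and both
	 * are assumed to be bulk.  Confirm whether the transfer types should
	 * be validated as well.
	 */
	if (usb_pipein(data_desc->endpoint[0].desc.bEndpointAddress)) {
		pnd->rx_pipe = usb_rcvbulkpipe(usbdev,
			data_desc->endpoint[0].desc.bEndpointAddress);
		pnd->tx_pipe = usb_sndbulkpipe(usbdev,
			data_desc->endpoint[1].desc.bEndpointAddress);
	} else {
		pnd->rx_pipe = usb_rcvbulkpipe(usbdev,
			data_desc->endpoint[1].desc.bEndpointAddress);
		pnd->tx_pipe = usb_sndbulkpipe(usbdev,
			data_desc->endpoint[0].desc.bEndpointAddress);
	}
	pnd->active_setting = data_desc - data_intf->altsetting;

	err = usb_driver_claim_interface(&usbpn_driver, data_intf, pnd);
	if (err)
		goto out;

	/* Force inactive mode until the network device is brought UP */
	usb_set_interface(usbdev, union_header->bSlaveInterface0,
				!pnd->active_setting);
	usb_set_intfdata(intf, pnd);

	err = register_netdev(dev);
	if (err) {
		/*
		 * Releasing the data interface invokes usbpn_disconnect() on
		 * it.  Mark the device as disconnected first so that callback
		 * returns early instead of unregistering a net_device that
		 * was never registered.
		 */
		pnd->disconnected = 1;
		usb_driver_release_interface(&usbpn_driver, data_intf);
		goto out;
	}

	dev_dbg(&dev->dev, "USB CDC Phonet device found\n");
	return 0;

out:
	usb_set_intfdata(intf, NULL);
	/* drop the reference taken by usb_get_dev() above */
	usb_put_dev(usbdev);
	free_netdev(dev);
	return err;
}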
437
/*
 * usbpn_disconnect - USB disconnect callback, invoked for either interface.
 * @intf: interface being unbound (control or data)
 *
 * The first call marks the device as disconnected, releases the other
 * interface of the pair, unregisters the network device and drops the USB
 * device reference.  Releasing the other interface re-enters this function,
 * which is why the disconnected flag is set before the release.
 */
static void usbpn_disconnect(struct usb_interface *intf)
{
	struct usbpn_dev *pnd = usb_get_intfdata(intf);
	/*
	 * Cached up front: presumably pnd must not be dereferenced after
	 * unregister_netdev(), since usbpn_setup() installs free_netdev() as
	 * the destructor and pnd lives inside the net_device.
	 */
	struct usb_device *usbdev = pnd->usb;
	struct usb_interface *other;

	if (pnd->disconnected)
		return;
	pnd->disconnected = 1;

	other = (pnd->intf == intf) ? pnd->data_intf : pnd->intf;
	usb_driver_release_interface(&usbpn_driver, other);
	unregister_netdev(pnd->dev);
	usb_put_dev(usbdev);
}
452
/* USB driver registration record: binds usbpn_probe()/usbpn_disconnect() to the interfaces matched by usbpn_ids. */
static struct usb_driver usbpn_driver = {
	.name =         "cdc_phonet",
	.probe =        usbpn_probe,
	.disconnect =   usbpn_disconnect,
	.id_table =     usbpn_ids,
};
459
/* Module entry point: registers the USB driver and returns usb_register()'s result. */
static int __init usbpn_init(void)
{
	int rc = usb_register(&usbpn_driver);

	return rc;
}
464
/* Module exit point: deregisters the USB driver registered by usbpn_init(). */
static void __exit usbpn_exit(void)
{
	usb_deregister(&usbpn_driver);
}
469
/* Hook the init/exit functions into module load and unload. */
module_init(usbpn_init);
module_exit(usbpn_exit);

/* Module metadata. */
MODULE_AUTHOR("Remi Denis-Courmont");
MODULE_DESCRIPTION("USB CDC Phonet host interface");
MODULE_LICENSE("GPL");