kernel-fxtec-pro1x/drivers/uwb/hwa-rc.c
Andrey Konovalov 70e743e4ce uwb: ensure that endpoint is interrupt
hwarc_neep_init() assumes that endpoint 0 is interrupt, but there's no
check for that, which results in a WARNING in USB core code, when a bad
USB descriptor is provided from a device:

usb 1-1: BOGUS urb xfer, pipe 1 != type 3
------------[ cut here ]------------
WARNING: CPU: 0 PID: 3 at drivers/usb/core/urb.c:449 usb_submit_urb+0xf8a/0x11d0
Modules linked in:
CPU: 0 PID: 3 Comm: kworker/0:0 Not tainted 4.13.0+ #111
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
Workqueue: usb_hub_wq hub_event
task: ffff88006bdc1a00 task.stack: ffff88006bde8000
RIP: 0010:usb_submit_urb+0xf8a/0x11d0 drivers/usb/core/urb.c:448
RSP: 0018:ffff88006bdee3c0 EFLAGS: 00010282
RAX: 0000000000000029 RBX: ffff8800672a7200 RCX: 0000000000000000
RDX: 0000000000000029 RSI: ffff88006c815c78 RDI: ffffed000d7bdc6a
RBP: ffff88006bdee4c0 R08: fffffbfff0fe00ff R09: fffffbfff0fe00ff
R10: 0000000000000018 R11: fffffbfff0fe00fe R12: 1ffff1000d7bdc7f
R13: 0000000000000003 R14: 0000000000000001 R15: ffff88006b02cc90
FS:  0000000000000000(0000) GS:ffff88006c800000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fe4daddf000 CR3: 000000006add6000 CR4: 00000000000006f0
Call Trace:
 hwarc_neep_init+0x4ce/0x9c0 drivers/uwb/hwa-rc.c:710
 uwb_rc_add+0x2fb/0x730 drivers/uwb/lc-rc.c:361
 hwarc_probe+0x34e/0x9b0 drivers/uwb/hwa-rc.c:858
 usb_probe_interface+0x351/0x8d0 drivers/usb/core/driver.c:361
 really_probe drivers/base/dd.c:385
 driver_probe_device+0x610/0xa00 drivers/base/dd.c:529
 __device_attach_driver+0x230/0x290 drivers/base/dd.c:625
 bus_for_each_drv+0x15e/0x210 drivers/base/bus.c:463
 __device_attach+0x269/0x3c0 drivers/base/dd.c:682
 device_initial_probe+0x1f/0x30 drivers/base/dd.c:729
 bus_probe_device+0x1da/0x280 drivers/base/bus.c:523
 device_add+0xcf9/0x1640 drivers/base/core.c:1703
 usb_set_configuration+0x1064/0x1890 drivers/usb/core/message.c:1932
 generic_probe+0x73/0xe0 drivers/usb/core/generic.c:174
 usb_probe_device+0xaf/0xe0 drivers/usb/core/driver.c:266
 really_probe drivers/base/dd.c:385
 driver_probe_device+0x610/0xa00 drivers/base/dd.c:529
 __device_attach_driver+0x230/0x290 drivers/base/dd.c:625
 bus_for_each_drv+0x15e/0x210 drivers/base/bus.c:463
 __device_attach+0x269/0x3c0 drivers/base/dd.c:682
 device_initial_probe+0x1f/0x30 drivers/base/dd.c:729
 bus_probe_device+0x1da/0x280 drivers/base/bus.c:523
 device_add+0xcf9/0x1640 drivers/base/core.c:1703
 usb_new_device+0x7b8/0x1020 drivers/usb/core/hub.c:2457
 hub_port_connect drivers/usb/core/hub.c:4890
 hub_port_connect_change drivers/usb/core/hub.c:4996
 port_event drivers/usb/core/hub.c:5102
 hub_event+0x23c8/0x37c0 drivers/usb/core/hub.c:5182
 process_one_work+0x9fb/0x1570 kernel/workqueue.c:2097
 worker_thread+0x1e4/0x1350 kernel/workqueue.c:2231
 kthread+0x324/0x3f0 kernel/kthread.c:231
 ret_from_fork+0x25/0x30 arch/x86/entry/entry_64.S:425
Code: 48 8b 85 30 ff ff ff 48 8d b8 98 00 00 00 e8 8e 93 07 ff 45 89
e8 44 89 f1 4c 89 fa 48 89 c6 48 c7 c7 a0 e5 55 86 e8 20 08 8f fd <0f>
ff e9 9b f7 ff ff e8 4a 04 d6 fd e9 80 f7 ff ff e8 60 11 a6
---[ end trace 55d741234124cfc3 ]---

Check that endpoint is interrupt.

Found by syzkaller.

Signed-off-by: Andrey Konovalov <andreyknvl@google.com>
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2017-09-18 11:28:23 +02:00


/*
* WUSB Host Wire Adapter: Radio Control Interface (WUSB[8.6])
* Radio Control command/event transport
*
* Copyright (C) 2005-2006 Intel Corporation
* Inaky Perez-Gonzalez <inaky.perez-gonzalez@intel.com>
*
* This program is free software; you can redistribute it and/or
* modify it under the terms of the GNU General Public License version
* 2 as published by the Free Software Foundation.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
* 02110-1301, USA.
*
*
* Initialize the Radio Control interface Driver.
*
* For each device probed, creates an 'struct hwarc' which contains
* just the representation of the UWB Radio Controller, and the logic
* for reading notifications and passing them to the UWB Core.
*
* So we initialize all of those, register the UWB Radio Controller
* and setup the notification/event handle to pipe the notifications
* to the UWB management Daemon.
*
* Command and event filtering.
*
* This is the driver for the Radio Control Interface described in WUSB
* 1.0. The core UWB module assumes that all drivers are compliant to the
* WHCI 0.95 specification. We thus create a filter that parses all
* incoming messages from the (WUSB 1.0) device and manipulate them to
* conform to the WHCI 0.95 specification. Similarly, outgoing messages
* are parsed and manipulated to conform to the WUSB 1.0 compliant messages
* that the device expects. Only a few messages are affected:
* Affected events:
* UWB_RC_EVT_BEACON
* UWB_RC_EVT_BP_SLOT_CHANGE
* UWB_RC_EVT_DRP_AVAIL
* UWB_RC_EVT_DRP
* Affected commands:
* UWB_RC_CMD_SCAN
* UWB_RC_CMD_SET_DRP_IE
*
*
*
*/
#include <linux/init.h>
#include <linux/module.h>
#include <linux/slab.h>
#include <linux/usb.h>
#include <linux/usb/wusb.h>
#include <linux/usb/wusb-wa.h>
#include <linux/uwb.h>
#include "uwb-internal.h"
/* The device uses commands and events from the WHCI specification, although
* reporting itself as WUSB compliant. */
/* Set in usb_device_id.driver_info; hwarc_probe() leaves filter_cmd and
 * filter_event NULL for devices carrying this flag. */
#define WUSB_QUIRK_WHCI_CMD_EVT 0x01
/**
* Descriptor for an instance of the UWB Radio Control Driver that
* attaches to the RCI interface of the Host Wired Adapter.
*
* Unless there is a lock specific to the 'data members', all access
* is protected by uwb_rc->mutex.
*
* The NEEP (Notification/Event EndPoint) URB (@neep_urb) writes to
* @rd_buffer. Note there is no locking because it is perfectly (heh!)
* serialized--probe() submits an URB, callback is called, processes
* the data (synchronously), submits another URB, and so on. There is
* no concurrent access to the buffer.
*/
struct hwarc {
struct usb_device *usb_dev; /* reference taken with usb_get_dev() in hwarc_probe() */
struct usb_interface *usb_iface; /* reference taken with usb_get_intf() in hwarc_probe() */
struct uwb_rc *uwb_rc; /* UWB host controller */
struct urb *neep_urb; /* Notification endpoint handling */
struct edc neep_edc; /* error counter checked by hwarc_neep_cb() on URB errors */
void *rd_buffer; /* NEEP read buffer: one page, submitted with PAGE_SIZE as its length */
};
/* Beacon received notification (WUSB 1.0 [8.6.3.2]) */
/* Packed layout as received from the device; every field is device-supplied. */
struct uwb_rc_evt_beacon_WUSB_0100 {
struct uwb_rceb rceb; /* event header; the filter recovers this struct from it with container_of() */
u8 bChannelNumber;
__le16 wBPSTOffset;
u8 bLQI;
u8 bRSSI;
__le16 wBeaconInfoLength; /* declared length of BeaconInfo[]; checked against the received byte count by the filter */
u8 BeaconInfo[];
} __attribute__((packed));
/**
* Filter WUSB 1.0 BEACON RCV notification to be WHCI 0.95
*
* @header: the incoming event
* @buf_size: size of buffer containing incoming event
* @new_size: size of event after filtering completed
*
* The WHCI 0.95 spec has a "Beacon Type" field. This value is unknown at
* the time we receive the beacon from WUSB so we just set it to
* UWB_RC_BEACON_TYPE_NEIGHBOR as a default.
* The solution below allocates memory upon receipt of every beacon from a
* WUSB device. This will deteriorate performance. What is the right way to
* do this?
*/
static
int hwarc_filter_evt_beacon_WUSB_0100(struct uwb_rc *rc,
				      struct uwb_rceb **header,
				      const size_t buf_size,
				      size_t *new_size)
{
	struct device *dev = &rc->uwb_dev.dev;
	struct uwb_rc_evt_beacon_WUSB_0100 *be =
		container_of(*header, struct uwb_rc_evt_beacon_WUSB_0100, rceb);
	struct uwb_rc_evt_beacon *newbe;
	size_t bytes_left = buf_size;
	size_t ielength;

	/* The fixed part must be fully present before any field is read. */
	if (bytes_left < sizeof(*be)) {
		dev_err(dev, "Beacon Received Notification: Not enough data "
			"to decode for filtering (%zu vs %zu bytes needed)\n",
			bytes_left, sizeof(*be));
		return -EINVAL;
	}
	bytes_left -= sizeof(*be);

	/*
	 * wBeaconInfoLength is supplied by the device; it is only accepted
	 * when that many bytes really follow the fixed part in the buffer.
	 */
	ielength = le16_to_cpu(be->wBeaconInfoLength);
	if (ielength > bytes_left) {
		dev_err(dev, "Beacon Received Notification: Not enough data "
			"to decode IEs (%zu vs %zu bytes needed)\n",
			bytes_left, ielength);
		return -EINVAL;
	}

	/* GFP_ATOMIC as in the original allocation. */
	newbe = kzalloc(sizeof(*newbe) + ielength, GFP_ATOMIC);
	if (!newbe)
		return -ENOMEM;

	/* Copy field by field; the WHCI layout has an extra bBeaconType. */
	newbe->rceb = be->rceb;
	newbe->bChannelNumber = be->bChannelNumber;
	newbe->bBeaconType = UWB_RC_BEACON_TYPE_NEIGHBOR;
	newbe->wBPSTOffset = be->wBPSTOffset;
	newbe->bLQI = be->bLQI;
	newbe->bRSSI = be->bRSSI;
	newbe->wBeaconInfoLength = be->wBeaconInfoLength;
	memcpy(newbe->BeaconInfo, be->BeaconInfo, ielength);

	*new_size = sizeof(*newbe) + ielength;
	*header = &newbe->rceb;
	return 1; /* calling function will free memory */
}
/* DRP Availability change notification (WUSB 1.0 [8.6.3.8]) */
/* Packed layout as received from the device; every field is device-supplied. */
struct uwb_rc_evt_drp_avail_WUSB_0100 {
struct uwb_rceb rceb; /* event header; the filter recovers this struct from it with container_of() */
__le16 wIELength; /* declared length of IEData[]; checked against the received byte count by the filter */
u8 IEData[]; /* read by the filter as a struct uwb_ie_hdr followed by its payload */
} __attribute__((packed));
/**
* Filter WUSB 1.0 DRP AVAILABILITY CHANGE notification to be WHCI 0.95
*
* @header: the incoming event
* @buf_size: size of buffer containing incoming event
* @new_size: size of event after filtering completed
*/
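/*
 * Returns 1 after replacing *header with a newly allocated WHCI 0.95
 * event (the caller frees it), -EINVAL when the received data fails a
 * length check, -ENOMEM when the allocation fails.
 *
 * Three lengths are device-controlled here: the buffer contents, the
 * event's wIELength, and the length byte inside the IE header. Each one
 * is checked against the enclosing one before the payload is copied.
 */
static
int hwarc_filter_evt_drp_avail_WUSB_0100(struct uwb_rc *rc,
					 struct uwb_rceb **header,
					 const size_t buf_size,
					 size_t *new_size)
{
	struct uwb_rc_evt_drp_avail_WUSB_0100 *da;
	struct uwb_rc_evt_drp_avail *newda;
	struct uwb_ie_hdr *ie_hdr;
	size_t bytes_left, ielength;
	struct device *dev = &rc->uwb_dev.dev;

	da = container_of(*header, struct uwb_rc_evt_drp_avail_WUSB_0100, rceb);
	bytes_left = buf_size;
	if (bytes_left < sizeof(*da)) {
		dev_err(dev, "Not enough data to decode DRP Avail "
			"Notification for filtering. Expected %zu, "
			"received %zu.\n", (size_t)sizeof(*da), bytes_left);
		return -EINVAL;
	}
	bytes_left -= sizeof(*da);
	ielength = le16_to_cpu(da->wIELength);
	if (bytes_left < ielength) {
		dev_err(dev, "DRP Avail Notification filter: IE length "
			"[%zu bytes] does not match actual length "
			"[%zu bytes].\n", ielength, bytes_left);
		return -EINVAL;
	}
	if (ielength < sizeof(*ie_hdr)) {
		dev_err(dev, "DRP Avail Notification filter: Not enough "
			"data to decode IE [%zu bytes, %zu needed]\n",
			ielength, sizeof(*ie_hdr));
		return -EINVAL;
	}
	ie_hdr = (void *) da->IEData;
	/* 32 is presumably the size of newda->bmp -- confirm against uwb.h */
	if (ie_hdr->length > 32) {
		dev_err(dev, "DRP Availability Change event has unexpected "
			"length for filtering. Expected < 32 bytes, "
			"got %zu bytes.\n", (size_t)ie_hdr->length);
		return -EINVAL;
	}
	/*
	 * The IE's own length byte was previously only capped at 32, so an
	 * event with a short wIELength and a larger IE length made the
	 * memcpy() below read past the data that was validated above.
	 * ielength >= sizeof(*ie_hdr) holds here, so the subtraction cannot
	 * wrap.
	 */
	if (ie_hdr->length > ielength - sizeof(*ie_hdr)) {
		dev_err(dev, "DRP Avail Notification filter: IE payload "
			"[%zu bytes] exceeds IE data [%zu bytes].\n",
			(size_t)ie_hdr->length, ielength - sizeof(*ie_hdr));
		return -EINVAL;
	}
	newda = kzalloc(sizeof(*newda), GFP_ATOMIC);
	if (newda == NULL)
		return -ENOMEM;
	newda->rceb = da->rceb;
	memcpy(newda->bmp, (u8 *) ie_hdr + sizeof(*ie_hdr), ie_hdr->length);
	*header = &newda->rceb;
	*new_size = sizeof(*newda);
	return 1; /* calling function will free memory */
}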
/* DRP notification (WUSB 1.0 [8.6.3.9]) */
/* Packed layout as received from the device; every field is device-supplied. */
struct uwb_rc_evt_drp_WUSB_0100 {
struct uwb_rceb rceb; /* event header; the filter recovers this struct from it with container_of() */
struct uwb_dev_addr wSrcAddr;
u8 bExplicit; /* not copied into the WHCI event by the filter */
__le16 wIELength; /* declared length of IEData[]; checked against the received byte count by the filter */
u8 IEData[];
} __attribute__((packed));
/**
* Filter WUSB 1.0 DRP Notification to be WHCI 0.95
*
* @header: the incoming event
* @buf_size: size of buffer containing incoming event
* @new_size: size of event after filtering completed
*
* It is hard to manage DRP reservations without having a Reason code.
* Unfortunately there is none in the WUSB spec. We just set the default to
* DRP IE RECEIVED.
* We do not currently use the bBeaconSlotNumber value, so we set this to
* zero for now.
*/
static
int hwarc_filter_evt_drp_WUSB_0100(struct uwb_rc *rc,
				   struct uwb_rceb **header,
				   const size_t buf_size,
				   size_t *new_size)
{
	struct device *dev = &rc->uwb_dev.dev;
	struct uwb_rc_evt_drp_WUSB_0100 *drpev =
		container_of(*header, struct uwb_rc_evt_drp_WUSB_0100, rceb);
	struct uwb_rc_evt_drp *newdrpev;
	size_t bytes_left = buf_size;
	size_t ielength;

	/* The fixed part must be fully present before wIELength is read. */
	if (bytes_left < sizeof(*drpev)) {
		dev_err(dev, "Not enough data to decode DRP Notification "
			"for filtering. Expected %zu, received %zu.\n",
			(size_t)sizeof(*drpev), bytes_left);
		return -EINVAL;
	}
	bytes_left -= sizeof(*drpev);

	/* Device-declared IE length, bounded by the bytes that remain. */
	ielength = le16_to_cpu(drpev->wIELength);
	if (ielength > bytes_left) {
		dev_err(dev, "DRP Notification filter: header length [%zu "
			"bytes] does not match actual length [%zu "
			"bytes].\n", ielength, bytes_left);
		return -EINVAL;
	}

	newdrpev = kzalloc(sizeof(*newdrpev) + ielength, GFP_ATOMIC);
	if (!newdrpev)
		return -ENOMEM;

	/* reason and beacon_slot_number have no WUSB 1.0 source field. */
	newdrpev->rceb = drpev->rceb;
	newdrpev->src_addr = drpev->wSrcAddr;
	newdrpev->reason = UWB_DRP_NOTIF_DRP_IE_RCVD;
	newdrpev->beacon_slot_number = 0;
	newdrpev->ie_length = drpev->wIELength;
	memcpy(newdrpev->ie_data, drpev->IEData, ielength);

	*new_size = sizeof(*newdrpev) + ielength;
	*header = &newdrpev->rceb;
	return 1; /* calling function will free memory */
}
/* Scan Command (WUSB 1.0 [8.6.2.5]) */
/* Packed command layout; not referenced by the filter in this file, which
 * edits the WHCI struct uwb_rc_cmd_scan in place and shortens its size. */
struct uwb_rc_cmd_scan_WUSB_0100 {
struct uwb_rccb rccb;
u8 bChannelNumber;
u8 bScanState;
} __attribute__((packed));
/**
* Filter WHCI 0.95 SCAN command to be WUSB 1.0 SCAN command
*
* @header: command sent to device (compliant to WHCI 0.95)
* @size: size of command sent to device
*
* We only reduce the size by two bytes because the WUSB 1.0 scan command
* does not have the last field (wStarttime). Also, make sure we don't send
* the device an unexpected scan type.
*/
static
int hwarc_filter_cmd_scan_WUSB_0100(struct uwb_rc *rc,
				    struct uwb_rccb **header,
				    size_t *size)
{
	struct uwb_rc_cmd_scan *scan =
		container_of(*header, struct uwb_rc_cmd_scan, rccb);

	/* Replace the one scan state this filter does not pass through. */
	if (scan->bScanState == UWB_SCAN_ONLY_STARTTIME)
		scan->bScanState = UWB_SCAN_ONLY;

	/*
	 * Don't send the last two bytes. The command is edited in place, so
	 * 0 is returned (nothing was allocated). *size is not checked to be
	 * at least 2 here; the value comes from the driver, not the device.
	 */
	*size = *size - 2;
	return 0;
}
/* SET DRP IE command (WUSB 1.0 [8.6.2.7]) */
/* Packed layout of the command built by hwarc_filter_cmd_set_drp_ie_WUSB_0100(). */
struct uwb_rc_cmd_set_drp_ie_WUSB_0100 {
struct uwb_rccb rccb; /* copied from the WHCI command */
u8 bExplicit; /* extra WUSB 1.0 field; the filter writes 0 */
__le16 wIELength; /* copied unchanged from the WHCI command */
struct uwb_ie_drp IEData[];
} __attribute__((packed));
/**
* Filter WHCI 0.95 SET DRP IE command to be WUSB 1.0 SET DRP IE command
*
* @header: command sent to device (compliant to WHCI 0.95)
* @size: size of command sent to device
*
* WUSB has an extra bExplicit field - we assume always explicit
* negotiation so this field is set. The command expected by the device is
* thus larger than the one prepared by the driver so we need to
* reallocate memory to accommodate this.
* We trust the driver to send us the correct data so no checking is done
* on incoming data - even though it is variable length.
*/
static
int hwarc_filter_cmd_set_drp_ie_WUSB_0100(struct uwb_rc *rc,
					  struct uwb_rccb **header,
					  size_t *size)
{
	struct uwb_rc_cmd_set_drp_ie *orgcmd =
		container_of(*header, struct uwb_rc_cmd_set_drp_ie, rccb);
	const size_t ielength = le16_to_cpu(orgcmd->wIELength);
	const size_t cmd_len =
		sizeof(struct uwb_rc_cmd_set_drp_ie_WUSB_0100) + ielength;
	struct uwb_rc_cmd_set_drp_ie_WUSB_0100 *cmd;

	/*
	 * ielength is taken from the command itself and is not compared with
	 * the incoming *size; the command is produced by the driver, not by
	 * the device.
	 */
	cmd = kzalloc(cmd_len, GFP_KERNEL);
	if (!cmd)
		return -ENOMEM;

	cmd->rccb = orgcmd->rccb;
	/* NOTE(review): the header comment says this field "is set", the code writes 0 -- confirm */
	cmd->bExplicit = 0;
	cmd->wIELength = orgcmd->wIELength;
	memcpy(cmd->IEData, orgcmd->IEData, ielength);

	*size = cmd_len;
	*header = &cmd->rccb;
	return 1; /* calling function will free memory */
}
/**
* Filter data from WHCI driver to WUSB device
*
* @header: WHCI 0.95 compliant command from driver
* @size: length of command
*
* The routine managing commands to the device (uwb_rc_cmd()) will call the
* filtering function pointer (if it exists) before it passes any data to
* the device. At this time the command has been formatted according to
* WHCI 0.95 and is ready to be sent to the device.
*
* The filter function will be provided with the current command and its
* length. The function will manipulate the command if necessary and
* potentially reallocate memory for a command that needed more memory than
* the given command. If new memory was created the function will return 1
* to indicate to the calling function that the memory need to be freed
* when not needed any more. The size will contain the new length of the
* command.
* If memory has not been allocated we rely on the original mechanisms to
* free the memory of the command - even when we reduce the value of size.
*/
static
int hwarc_filter_cmd_WUSB_0100(struct uwb_rc *rc, struct uwb_rccb **header,
			       size_t *size)
{
	struct uwb_rccb *rccb = *header;

	/* Only two commands are rewritten; every other one yields -ENOANO. */
	switch (le16_to_cpu(rccb->wCommand)) {
	case UWB_RC_CMD_SCAN:
		return hwarc_filter_cmd_scan_WUSB_0100(rc, header, size);
	case UWB_RC_CMD_SET_DRP_IE:
		return hwarc_filter_cmd_set_drp_ie_WUSB_0100(rc, header, size);
	default:
		return -ENOANO;
	}
}
/**
* Filter data from WHCI driver to WUSB device
*
* @header: WHCI 0.95 compliant command from driver
* @size: length of command
*
* Filter commands based on which protocol the device supports. The WUSB
* errata should be the same as WHCI 0.95 so we do not filter that here -
* only WUSB 1.0.
*/
static
int hwarc_filter_cmd(struct uwb_rc *rc, struct uwb_rccb **header,
		     size_t *size)
{
	/* Any version other than 0x0100 is reported as "not handled". */
	if (rc->version != 0x0100)
		return -ENOANO;

	return hwarc_filter_cmd_WUSB_0100(rc, header, size);
}
/**
* Compute return value as sum of incoming value and value at given offset
*
* @rceb: event for which we compute the size, it contains a variable
* length field.
* @core_size: size of the "non variable" part of the event
* @offset: place in event where the length of the variable part is stored
* @buf_size: total length of buffer in which event arrived - we need to make
* sure we read the offset in memory that is still part of the event
*/
static
ssize_t hwarc_get_event_size(struct uwb_rc *rc, const struct uwb_rceb *rceb,
			     size_t core_size, size_t offset,
			     const size_t buf_size)
{
	struct device *dev = &rc->uwb_dev.dev;
	const size_t field_size = sizeof(__le16);
	const void *len_field;

	/*
	 * Refuse to read the 16-bit length field unless it lies inside the
	 * received buffer.
	 * NOTE(review): '>=' also rejects a buffer that ends exactly after
	 * the length field; '>' would already keep the read in bounds --
	 * confirm whether the stricter test is intended.
	 */
	if (offset + field_size >= buf_size) {
		dev_err(dev, "Not enough data to read extra size of event "
			"0x%02x/%04x/%02x, only got %zu bytes.\n",
			rceb->bEventType, le16_to_cpu(rceb->wEvent),
			rceb->bEventContext, buf_size);
		return -ENOSPC;
	}

	/*
	 * The sum is built from a device-supplied length and is not compared
	 * with buf_size here; the per-event filters do their own checks.
	 */
	len_field = (const void *)rceb + offset;
	return core_size + le16_to_cpu(*(__le16 *)len_field);
}
/* Beacon slot change notification (WUSB 1.0 [8.6.3.5]) */
/* Only sizeof() of this layout is used in this file, as the event size
 * reported by hwarc_filter_event_WUSB_0100(). */
struct uwb_rc_evt_bp_slot_change_WUSB_0100 {
struct uwb_rceb rceb;
u8 bSlotNumber;
} __attribute__((packed));
/**
* Filter data from WUSB device to WHCI driver
*
* @header: incoming event
* @buf_size: size of buffer in which event arrived
* @_event_size: actual size of event in the buffer
* @new_size: size of event after filtered
*
* We don't know how the buffer is constructed - there may be more than one
* event in it so buffer length does not determine event length. We first
* determine the expected size of the incoming event. This value is passed
* back only if the actual filtering succeeded (so we know the computed
* expected size is correct). This value will be zero if
* the event did not need any filtering.
*
* WHCI interprets the BP Slot Change event's data differently than
* WUSB. The event sizes are exactly the same. The data field
* indicates the new beacon slot in which a RC is transmitting its
* beacon. The maximum value of this is 96 (wMacBPLength ECMA-368
* 17.16 (Table 117)). We thus know that the WUSB value will not set
* the bit bNoSlot, so we don't really do anything (placeholder).
*/
static
int hwarc_filter_event_WUSB_0100(struct uwb_rc *rc, struct uwb_rceb **header,
				 const size_t buf_size, size_t *_real_size,
				 size_t *_new_size)
{
	struct uwb_rceb *rceb = *header;
	ssize_t event_size;

	if (rceb->bEventType != UWB_RC_CET_GENERAL)
		return -ENOANO;

	/*
	 * For the variable-length events the size is computed first and the
	 * matching filter is then called with the whole buffer size. When the
	 * size cannot be computed, -ENOANO is returned and the error from
	 * hwarc_get_event_size() is not passed on.
	 */
	switch (le16_to_cpu(rceb->wEvent)) {
	case UWB_RC_EVT_BEACON:
		event_size = hwarc_get_event_size(
			rc, rceb,
			sizeof(struct uwb_rc_evt_beacon_WUSB_0100),
			offsetof(struct uwb_rc_evt_beacon_WUSB_0100,
				 wBeaconInfoLength),
			buf_size);
		if (event_size < 0)
			return -ENOANO;
		*_real_size = event_size;
		return hwarc_filter_evt_beacon_WUSB_0100(rc, header,
							 buf_size, _new_size);

	case UWB_RC_EVT_BP_SLOT_CHANGE:
		/* Same size on both sides; nothing is rewritten. */
		*_real_size =
			sizeof(struct uwb_rc_evt_bp_slot_change_WUSB_0100);
		*_new_size = *_real_size;
		return 0;

	case UWB_RC_EVT_DRP_AVAIL:
		event_size = hwarc_get_event_size(
			rc, rceb,
			sizeof(struct uwb_rc_evt_drp_avail_WUSB_0100),
			offsetof(struct uwb_rc_evt_drp_avail_WUSB_0100,
				 wIELength),
			buf_size);
		if (event_size < 0)
			return -ENOANO;
		*_real_size = event_size;
		return hwarc_filter_evt_drp_avail_WUSB_0100(
			rc, header, buf_size, _new_size);

	case UWB_RC_EVT_DRP:
		event_size = hwarc_get_event_size(
			rc, rceb,
			sizeof(struct uwb_rc_evt_drp_WUSB_0100),
			offsetof(struct uwb_rc_evt_drp_WUSB_0100, wIELength),
			buf_size);
		if (event_size < 0)
			return -ENOANO;
		*_real_size = event_size;
		return hwarc_filter_evt_drp_WUSB_0100(rc, header,
						      buf_size, _new_size);

	default:
		return -ENOANO;
	}
}
/**
* Filter data from WUSB device to WHCI driver
*
* @header: incoming event
* @buf_size: size of buffer in which event arrived
* @_event_size: actual size of event in the buffer
* @_new_size: size of event after filtered
*
* Filter events based on which protocol the device supports. The WUSB
* errata should be the same as WHCI 0.95 so we do not filter that here -
* only WUSB 1.0.
*
* If we don't handle it, we return -ENOANO (why the weird error code?
* well, so if I get it, I can pinpoint in the code that raised
* it...after all, not too many places use the higher error codes).
*/
static
int hwarc_filter_event(struct uwb_rc *rc, struct uwb_rceb **header,
		       const size_t buf_size, size_t *_real_size,
		       size_t *_new_size)
{
	/* Any version other than 0x0100 is reported as "not handled". */
	if (rc->version != 0x0100)
		return -ENOANO;

	return hwarc_filter_event_WUSB_0100(rc, header, buf_size,
					    _real_size, _new_size);
}
/**
* Execute an UWB RC command on HWA
*
* @rc: Instance of a Radio Controller that is a HWA
* @cmd: Buffer containing the RCCB and payload to execute
* @cmd_size: Size of the command buffer.
*
* NOTE: rc's mutex has to be locked
*/
static
int hwarc_cmd(struct uwb_rc *uwb_rc, const struct uwb_rccb *cmd, size_t cmd_size)
{
	struct hwarc *hwarc = uwb_rc->priv;
	struct usb_device *udev = hwarc->usb_dev;
	const u8 request_type =
		USB_DIR_OUT | USB_TYPE_CLASS | USB_RECIP_INTERFACE;
	const u16 iface_number =
		hwarc->usb_iface->cur_altsetting->desc.bInterfaceNumber;

	/* Class request on the default control pipe, addressed to our interface. */
	return usb_control_msg(udev, usb_sndctrlpipe(udev, 0),
			       WA_EXEC_RC_CMD, request_type,
			       0, iface_number,
			       (void *) cmd, cmd_size,
			       100 /* FIXME: this is totally arbitrary */);
}
/*
 * Reset the USB device behind this radio controller.
 *
 * Returns the error from usb_lock_device_for_reset() when the lock cannot
 * be taken, otherwise the result of usb_reset_device().
 */
static
int hwarc_reset(struct uwb_rc *uwb_rc)
{
	struct hwarc *hwarc = uwb_rc->priv;
	struct usb_device *udev = hwarc->usb_dev;
	int result;

	/* device lock must be held when calling usb_reset_device. */
	result = usb_lock_device_for_reset(udev, NULL);
	if (result < 0)
		return result;

	result = usb_reset_device(udev);
	usb_unlock_device(udev);
	return result;
}
/**
* Callback for the notification and event endpoint
*
* Checks that everything is fine and then passes the read data to
* the notification/event handling mechanism (neh).
*/
static
void hwarc_neep_cb(struct urb *urb)
{
	struct hwarc *hwarc = urb->context;
	struct device *dev = &hwarc->usb_iface->dev;
	int result = urb->status;

	switch (result) {
	case 0:
		/*
		 * actual_length is how much the device delivered into the
		 * read buffer; both are handed to the event parser as is.
		 */
		uwb_rc_neh_grok(hwarc->uwb_rc, urb->transfer_buffer,
				urb->actual_length);
		break;
	case -ECONNRESET: /* Not an error, but a controlled situation; */
	case -ENOENT: /* (we killed the URB)...so, no broadcast */
	case -ESHUTDOWN: /* going away! */
		return;
	default: /* On general errors, retry unless it gets ugly */
		if (edc_inc(&hwarc->neep_edc, EDC_MAX_ERRORS,
			    EDC_ERROR_TIMEFRAME)) {
			dev_err(dev, "NEEP: URB max acceptable errors "
				"exceeded, resetting device\n");
			/* result still holds urb->status here */
			goto error;
		}
		dev_err(dev, "NEEP: URB error %d\n", urb->status);
		break;
	}

	/* Re-arm the endpoint; -ENODEV and -EPERM are ignored as unrecoverable. */
	result = usb_submit_urb(urb, GFP_ATOMIC);
	if (result >= 0 || result == -ENODEV || result == -EPERM)
		return;

	dev_err(dev, "NEEP: Can't resubmit URB (%d) resetting device\n",
		result);
error:
	uwb_rc_neh_error(hwarc->uwb_rc, result);
	uwb_rc_reset_all(hwarc->uwb_rc);
}
/* Prepare the NEEP error counter of a freshly allocated hwarc. */
static void hwarc_init(struct hwarc *hwarc)
{
	struct edc *neep_errors = &hwarc->neep_edc;

	edc_init(neep_errors);
}
/**
* Initialize the notification/event endpoint stuff
*
* Note this is effectively a parallel thread; it knows that
* hwarc->uwb_rc always exists because the existence of a 'hwarc'
* means that there is a reference on the hwarc->uwb_rc (see
* _probe()), and thus _neep_cb() can execute safely.
*/
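/*
 * Returns 0 once the notification URB is submitted, -ENOMEM when the read
 * buffer or the URB cannot be allocated, or the error reported by
 * usb_submit_urb(). On failure both hwarc->neep_urb and hwarc->rd_buffer
 * are released and set to NULL.
 */
static int hwarc_neep_init(struct uwb_rc *rc)
{
	struct hwarc *hwarc = rc->priv;
	struct usb_interface *iface = hwarc->usb_iface;
	struct usb_device *usb_dev = interface_to_usbdev(iface);
	struct device *dev = &iface->dev;
	int result = -ENOMEM;
	struct usb_endpoint_descriptor *epd;

	/*
	 * endpoint[0] comes from the device's descriptors. hwarc_probe()
	 * rejects interfaces without an endpoint or whose first endpoint is
	 * not an interrupt endpoint, so the interrupt URB built below matches
	 * the endpoint type.
	 */
	epd = &iface->cur_altsetting->endpoint[0].desc;
	hwarc->rd_buffer = (void *) __get_free_page(GFP_KERNEL);
	if (hwarc->rd_buffer == NULL) {
		dev_err(dev, "Unable to allocate notification's read buffer\n");
		goto error_rd_buffer;
	}
	hwarc->neep_urb = usb_alloc_urb(0, GFP_KERNEL);
	if (hwarc->neep_urb == NULL)
		goto error_urb_alloc;
	/* The transfer length is the size of the one-page read buffer. */
	usb_fill_int_urb(hwarc->neep_urb, usb_dev,
			 usb_rcvintpipe(usb_dev, epd->bEndpointAddress),
			 hwarc->rd_buffer, PAGE_SIZE,
			 hwarc_neep_cb, hwarc, epd->bInterval);
	result = usb_submit_urb(hwarc->neep_urb, GFP_ATOMIC);
	if (result < 0) {
		dev_err(dev, "Cannot submit notification URB: %d\n", result);
		goto error_neep_submit;
	}
	return 0;

error_neep_submit:
	usb_free_urb(hwarc->neep_urb);
	hwarc->neep_urb = NULL;
error_urb_alloc:
	free_page((unsigned long)hwarc->rd_buffer);
	hwarc->rd_buffer = NULL;
error_rd_buffer:
	/*
	 * Previously every path returned -ENOMEM, which hid the real
	 * usb_submit_urb() error from the caller.
	 */
	return result;
}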
/** Clean up all the notification endpoint resources */
static void hwarc_neep_release(struct uwb_rc *rc)
{
	struct hwarc *hwarc = rc->priv;
	struct urb *neep = hwarc->neep_urb;

	/* Stop the URB before it and its buffer are released. */
	usb_kill_urb(neep);
	usb_free_urb(neep);
	hwarc->neep_urb = NULL;

	free_page((unsigned long)hwarc->rd_buffer);
	hwarc->rd_buffer = NULL;
}
/**
* Get the version from class-specific descriptor
*
* NOTE: this descriptor comes with the big bundled configuration
* descriptor that includes the interfaces' and endpoints', so
* we just look for it in the cached copy kept by the USB stack.
*
* NOTE2: We convert LE fields to CPU order.
*/
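/*
 * Returns 0 and stores the version in rc->version when the Radio Control
 * Interface Class descriptor is found and reports 0x0100; -ENODEV when no
 * such descriptor is found; -EINVAL when it is truncated, too short, or
 * reports another version.
 *
 * The descriptor bytes walked here originate from the device.
 */
static int hwarc_get_version(struct uwb_rc *rc)
{
	struct hwarc *hwarc = rc->priv;
	struct uwb_rc_control_intf_class_desc *descr;
	struct device *dev = &rc->uwb_dev.dev;
	struct usb_device *usb_dev = hwarc->usb_dev;
	char *itr;
	struct usb_descriptor_header *hdr;
	size_t itr_size, actconfig_idx;
	u16 version;

	/*
	 * Subtracting the two pointers already gives the index of the active
	 * configuration. The extra division by sizeof(usb_dev->config[0])
	 * that used to be here turned every small index into 0, so the raw
	 * descriptors of configuration 0 were walked with the wTotalLength
	 * of the active one.
	 */
	actconfig_idx = usb_dev->actconfig - usb_dev->config;
	itr = usb_dev->rawdescriptors[actconfig_idx];
	itr_size = le16_to_cpu(usb_dev->actconfig->desc.wTotalLength);
	while (itr_size >= sizeof(*hdr)) {
		hdr = (struct usb_descriptor_header *) itr;
		dev_dbg(dev, "Extra device descriptor: "
			"type %02x/%u bytes @ %zu (%zu left)\n",
			hdr->bDescriptorType, hdr->bLength,
			(itr - usb_dev->rawdescriptors[actconfig_idx]),
			itr_size);
		if (hdr->bDescriptorType == USB_DT_CS_RADIO_CONTROL)
			goto found;
		/*
		 * Stop on a descriptor that cannot be stepped over: a bLength
		 * below the header size would stall the walk, and one above
		 * the remaining size would wrap itr_size. The USB core is
		 * expected to have sanitised these already -- this only keeps
		 * the loop safe on its own.
		 */
		if (hdr->bLength < sizeof(*hdr) || hdr->bLength > itr_size)
			break;
		itr += hdr->bLength;
		itr_size -= hdr->bLength;
	}
	dev_err(dev, "cannot find Radio Control Interface Class descriptor\n");
	return -ENODEV;

found:
	if (hdr->bLength > itr_size) { /* is it available? */
		dev_err(dev, "incomplete Radio Control Interface Class "
			"descriptor (%zu bytes left, %u needed)\n",
			itr_size, hdr->bLength);
		return -EINVAL;
	}
	if (hdr->bLength < sizeof(*descr)) {
		dev_err(dev, "short Radio Control Interface Class "
			"descriptor\n");
		return -EINVAL;
	}
	descr = (struct uwb_rc_control_intf_class_desc *) hdr;
	/* Make LE fields CPU order */
	version = __le16_to_cpu(descr->bcdRCIVersion);
	if (version != 0x0100) {
		dev_err(dev, "Device reports protocol version 0x%04x. We "
			"do not support that. \n", version);
		return -EINVAL;
	}
	rc->version = version;
	dev_dbg(dev, "Device supports WUSB protocol version 0x%04x \n", rc->version);
	return 0;
}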
/*
* By creating a 'uwb_rc', we have a reference on it -- that reference
* is the one we drop when we disconnect.
*
* No need to switch altsettings; according to WUSB1.0[8.6.1.1], there
* is only one altsetting allowed.
*/
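/*
 * Bind to a Radio Control interface.
 *
 * Returns 0 on success; -ENODEV when the interface has no endpoint or its
 * first endpoint is not an interrupt endpoint; -ENOMEM on allocation
 * failure; otherwise the error from uwb_rc_add() or hwarc_get_version().
 */
static int hwarc_probe(struct usb_interface *iface,
		       const struct usb_device_id *id)
{
	int result;
	struct uwb_rc *uwb_rc;
	struct hwarc *hwarc;
	struct device *dev = &iface->dev;

	/*
	 * The endpoint layout comes from the device's descriptors.
	 * hwarc_neep_init() later builds an interrupt URB on endpoint[0], so
	 * both its existence and its transfer type are checked before
	 * anything is allocated.
	 */
	if (iface->cur_altsetting->desc.bNumEndpoints < 1)
		return -ENODEV;
	if (!usb_endpoint_xfer_int(&iface->cur_altsetting->endpoint[0].desc))
		return -ENODEV;

	result = -ENOMEM;
	uwb_rc = uwb_rc_alloc();
	if (uwb_rc == NULL) {
		dev_err(dev, "unable to allocate RC instance\n");
		goto error_rc_alloc;
	}
	hwarc = kzalloc(sizeof(*hwarc), GFP_KERNEL);
	if (hwarc == NULL) {
		dev_err(dev, "unable to allocate HWA RC instance\n");
		goto error_alloc;
	}
	hwarc_init(hwarc);
	hwarc->usb_dev = usb_get_dev(interface_to_usbdev(iface));
	hwarc->usb_iface = usb_get_intf(iface);
	hwarc->uwb_rc = uwb_rc;

	uwb_rc->owner = THIS_MODULE;
	uwb_rc->start = hwarc_neep_init;
	uwb_rc->stop = hwarc_neep_release;
	uwb_rc->cmd = hwarc_cmd;
	uwb_rc->reset = hwarc_reset;
	/* Devices flagged with the quirk get no command/event filtering. */
	if (id->driver_info & WUSB_QUIRK_WHCI_CMD_EVT) {
		uwb_rc->filter_cmd = NULL;
		uwb_rc->filter_event = NULL;
	} else {
		uwb_rc->filter_cmd = hwarc_filter_cmd;
		uwb_rc->filter_event = hwarc_filter_event;
	}

	result = uwb_rc_add(uwb_rc, dev, hwarc);
	if (result < 0)
		goto error_rc_add;
	result = hwarc_get_version(uwb_rc);
	if (result < 0) {
		dev_err(dev, "cannot retrieve version of RC \n");
		goto error_get_version;
	}
	usb_set_intfdata(iface, hwarc);
	return 0;

error_get_version:
	uwb_rc_rm(uwb_rc);
error_rc_add:
	usb_put_intf(iface);
	usb_put_dev(hwarc->usb_dev);
	/*
	 * hwarc was previously leaked on these two error paths; release it
	 * in the same order hwarc_disconnect() does.
	 */
	kfree(hwarc);
error_alloc:
	uwb_rc_put(uwb_rc);
error_rc_alloc:
	return result;
}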
/*
 * Undo hwarc_probe(): clear the interface data, remove the radio
 * controller, drop the interface and device references, free the hwarc
 * and finally drop the uwb_rc reference.
 */
static void hwarc_disconnect(struct usb_interface *iface)
{
struct hwarc *hwarc = usb_get_intfdata(iface);
/* saved now because it is still needed after hwarc is freed below */
struct uwb_rc *uwb_rc = hwarc->uwb_rc;
usb_set_intfdata(hwarc->usb_iface, NULL);
uwb_rc_rm(uwb_rc);
usb_put_intf(hwarc->usb_iface);
usb_put_dev(hwarc->usb_dev);
kfree(hwarc);
uwb_rc_put(uwb_rc); /* when creating the device, refcount = 1 */
}
/* USB pre_reset hook: forwards to uwb_rc_pre_reset() and always returns 0. */
static int hwarc_pre_reset(struct usb_interface *iface)
{
	struct hwarc *hwarc = usb_get_intfdata(iface);

	uwb_rc_pre_reset(hwarc->uwb_rc);
	return 0;
}
/* USB post_reset hook: returns whatever uwb_rc_post_reset() reports. */
static int hwarc_post_reset(struct usb_interface *iface)
{
	struct hwarc *hwarc = usb_get_intfdata(iface);

	return uwb_rc_post_reset(hwarc->uwb_rc);
}
/** USB device ID's that we handle */
static const struct usb_device_id hwarc_id_table[] = {
/* The four device-specific entries carry WUSB_QUIRK_WHCI_CMD_EVT, which
 * makes hwarc_probe() skip the WUSB 1.0 command/event filters. */
/* D-Link DUB-1210 */
{ USB_DEVICE_AND_INTERFACE_INFO(0x07d1, 0x3d02, 0xe0, 0x01, 0x02),
.driver_info = WUSB_QUIRK_WHCI_CMD_EVT },
/* Intel i1480 (using firmware 1.3PA2-20070828) */
{ USB_DEVICE_AND_INTERFACE_INFO(0x8086, 0x0c3b, 0xe0, 0x01, 0x02),
.driver_info = WUSB_QUIRK_WHCI_CMD_EVT },
/* Alereon 5310 */
{ USB_DEVICE_AND_INTERFACE_INFO(0x13dc, 0x5310, 0xe0, 0x01, 0x02),
.driver_info = WUSB_QUIRK_WHCI_CMD_EVT },
/* Alereon 5611 */
{ USB_DEVICE_AND_INTERFACE_INFO(0x13dc, 0x5611, 0xe0, 0x01, 0x02),
.driver_info = WUSB_QUIRK_WHCI_CMD_EVT },
/* Generic match for the Radio Control interface */
/* This entry matches on the interface class triple alone, so the driver
 * binds to any device presenting it; descriptors and events from such a
 * device have to be treated as untrusted input. */
{ USB_INTERFACE_INFO(0xe0, 0x01, 0x02), },
{ },
};
MODULE_DEVICE_TABLE(usb, hwarc_id_table);
/* USB driver glue: binds the callbacks defined in this file to the ID table. */
static struct usb_driver hwarc_driver = {
.name = "hwa-rc",
.id_table = hwarc_id_table,
.probe = hwarc_probe,
.disconnect = hwarc_disconnect,
.pre_reset = hwarc_pre_reset,
.post_reset = hwarc_post_reset,
};
module_usb_driver(hwarc_driver);
MODULE_AUTHOR("Inaky Perez-Gonzalez <inaky.perez-gonzalez@intel.com>");
MODULE_DESCRIPTION("Host Wireless Adapter Radio Control Driver");
MODULE_LICENSE("GPL");