1// SPDX-License-Identifier: GPL-2.0-only
  2/*
  3 *
  4 * Copyright (C) Hans Alblas PE1AYX <hans@esrac.ele.tue.nl>
  5 * Copyright (C) 2004, 05 Ralf Baechle DL5RB <ralf@linux-mips.org>
  6 * Copyright (C) 2004, 05 Thomas Osterried DL9SAU <thomas@x-berg.in-berlin.de>
  7 */
  8#include <linux/module.h>
  9#include <linux/bitops.h>
 10#include <linux/uaccess.h>
 11#include <linux/crc16.h>
 12#include <linux/string.h>
 13#include <linux/mm.h>
 14#include <linux/interrupt.h>
 15#include <linux/in.h>
 16#include <linux/inet.h>
 17#include <linux/slab.h>
 18#include <linux/tty.h>
 19#include <linux/errno.h>
 20#include <linux/netdevice.h>
 21#include <linux/major.h>
 22#include <linux/init.h>
 23#include <linux/rtnetlink.h>
 24#include <linux/etherdevice.h>
 25#include <linux/skbuff.h>
 26#include <linux/if_arp.h>
 27#include <linux/jiffies.h>
 28#include <linux/refcount.h>
 29
 30#include <net/ax25.h>
 31
 32#define AX_MTU		236
 33
 34/* some arch define END as assembly function ending, just undef it */
 35#undef	END
 36/* SLIP/KISS protocol characters. */
 37#define END             0300		/* indicates end of frame	*/
 38#define ESC             0333		/* indicates byte stuffing	*/
 39#define ESC_END         0334		/* ESC ESC_END means END 'data'	*/
 40#define ESC_ESC         0335		/* ESC ESC_ESC means ESC 'data'	*/
 41
 42struct mkiss {
 43	struct tty_struct	*tty;	/* ptr to TTY structure		*/
 44	struct net_device	*dev;	/* easy for intr handling	*/
 45
 46	/* These are pointers to the malloc()ed frame buffers. */
 47	spinlock_t		buflock;/* lock for rbuf and xbuf */
 48	unsigned char		*rbuff;	/* receiver buffer		*/
 49	int			rcount;	/* received chars counter       */
 50	unsigned char		*xbuff;	/* transmitter buffer		*/
 51	unsigned char		*xhead;	/* pointer to next byte to XMIT */
 52	int			xleft;	/* bytes left in XMIT queue     */
 53
 54	/* Detailed SLIP statistics. */
 55	int		mtu;		/* Our mtu (to spot changes!)   */
 56	int		buffsize;	/* Max buffers sizes            */
 57
 58	unsigned long	flags;		/* Flag values/ mode etc	*/
 59					/* long req'd: used by set_bit --RR */
 60#define AXF_INUSE	0		/* Channel in use               */
 61#define AXF_ESCAPE	1               /* ESC received                 */
 62#define AXF_ERROR	2               /* Parity, etc. error           */
 63#define AXF_KEEPTEST	3		/* Keepalive test flag		*/
 64#define AXF_OUTWAIT	4		/* is outpacket was flag	*/
 65
 66	int		mode;
 67        int		crcmode;	/* MW: for FlexNet, SMACK etc.  */
 68	int		crcauto;	/* CRC auto mode */
 69
 70#define CRC_MODE_NONE		0
 71#define CRC_MODE_FLEX		1
 72#define CRC_MODE_SMACK		2
 73#define CRC_MODE_FLEX_TEST	3
 74#define CRC_MODE_SMACK_TEST	4
 75
 76	refcount_t		refcnt;
 77	struct completion	dead;
 78};
 79
 80/*---------------------------------------------------------------------------*/
 81
 82static const unsigned short crc_flex_table[] = {
 83	0x0f87, 0x1e0e, 0x2c95, 0x3d1c, 0x49a3, 0x582a, 0x6ab1, 0x7b38,
 84	0x83cf, 0x9246, 0xa0dd, 0xb154, 0xc5eb, 0xd462, 0xe6f9, 0xf770,
 85	0x1f06, 0x0e8f, 0x3c14, 0x2d9d, 0x5922, 0x48ab, 0x7a30, 0x6bb9,
 86	0x934e, 0x82c7, 0xb05c, 0xa1d5, 0xd56a, 0xc4e3, 0xf678, 0xe7f1,
 87	0x2e85, 0x3f0c, 0x0d97, 0x1c1e, 0x68a1, 0x7928, 0x4bb3, 0x5a3a,
 88	0xa2cd, 0xb344, 0x81df, 0x9056, 0xe4e9, 0xf560, 0xc7fb, 0xd672,
 89	0x3e04, 0x2f8d, 0x1d16, 0x0c9f, 0x7820, 0x69a9, 0x5b32, 0x4abb,
 90	0xb24c, 0xa3c5, 0x915e, 0x80d7, 0xf468, 0xe5e1, 0xd77a, 0xc6f3,
 91	0x4d83, 0x5c0a, 0x6e91, 0x7f18, 0x0ba7, 0x1a2e, 0x28b5, 0x393c,
 92	0xc1cb, 0xd042, 0xe2d9, 0xf350, 0x87ef, 0x9666, 0xa4fd, 0xb574,
 93	0x5d02, 0x4c8b, 0x7e10, 0x6f99, 0x1b26, 0x0aaf, 0x3834, 0x29bd,
 94	0xd14a, 0xc0c3, 0xf258, 0xe3d1, 0x976e, 0x86e7, 0xb47c, 0xa5f5,
 95	0x6c81, 0x7d08, 0x4f93, 0x5e1a, 0x2aa5, 0x3b2c, 0x09b7, 0x183e,
 96	0xe0c9, 0xf140, 0xc3db, 0xd252, 0xa6ed, 0xb764, 0x85ff, 0x9476,
 97	0x7c00, 0x6d89, 0x5f12, 0x4e9b, 0x3a24, 0x2bad, 0x1936, 0x08bf,
 98	0xf048, 0xe1c1, 0xd35a, 0xc2d3, 0xb66c, 0xa7e5, 0x957e, 0x84f7,
 99	0x8b8f, 0x9a06, 0xa89d, 0xb914, 0xcdab, 0xdc22, 0xeeb9, 0xff30,
100	0x07c7, 0x164e, 0x24d5, 0x355c, 0x41e3, 0x506a, 0x62f1, 0x7378,
101	0x9b0e, 0x8a87, 0xb81c, 0xa995, 0xdd2a, 0xcca3, 0xfe38, 0xefb1,
102	0x1746, 0x06cf, 0x3454, 0x25dd, 0x5162, 0x40eb, 0x7270, 0x63f9,
103	0xaa8d, 0xbb04, 0x899f, 0x9816, 0xeca9, 0xfd20, 0xcfbb, 0xde32,
104	0x26c5, 0x374c, 0x05d7, 0x145e, 0x60e1, 0x7168, 0x43f3, 0x527a,
105	0xba0c, 0xab85, 0x991e, 0x8897, 0xfc28, 0xeda1, 0xdf3a, 0xceb3,
106	0x3644, 0x27cd, 0x1556, 0x04df, 0x7060, 0x61e9, 0x5372, 0x42fb,
107	0xc98b, 0xd802, 0xea99, 0xfb10, 0x8faf, 0x9e26, 0xacbd, 0xbd34,
108	0x45c3, 0x544a, 0x66d1, 0x7758, 0x03e7, 0x126e, 0x20f5, 0x317c,
109	0xd90a, 0xc883, 0xfa18, 0xeb91, 0x9f2e, 0x8ea7, 0xbc3c, 0xadb5,
110	0x5542, 0x44cb, 0x7650, 0x67d9, 0x1366, 0x02ef, 0x3074, 0x21fd,
111	0xe889, 0xf900, 0xcb9b, 0xda12, 0xaead, 0xbf24, 0x8dbf, 0x9c36,
112	0x64c1, 0x7548, 0x47d3, 0x565a, 0x22e5, 0x336c, 0x01f7, 0x107e,
113	0xf808, 0xe981, 0xdb1a, 0xca93, 0xbe2c, 0xafa5, 0x9d3e, 0x8cb7,
114	0x7440, 0x65c9, 0x5752, 0x46db, 0x3264, 0x23ed, 0x1176, 0x00ff
115};
116
117static unsigned short calc_crc_flex(unsigned char *cp, int size)
118{
119	unsigned short crc = 0xffff;
120
121	while (size--)
122		crc = (crc << 8) ^ crc_flex_table[((crc >> 8) ^ *cp++) & 0xff];
123
124	return crc;
125}
126
127static int check_crc_flex(unsigned char *cp, int size)
128{
129	unsigned short crc = 0xffff;
130
131	if (size < 3)
132		return -1;
133
134	while (size--)
135		crc = (crc << 8) ^ crc_flex_table[((crc >> 8) ^ *cp++) & 0xff];
136
137	if ((crc & 0xffff) != 0x7070)
138		return -1;
139
140	return 0;
141}
142
143static int check_crc_16(unsigned char *cp, int size)
144{
145	unsigned short crc = 0x0000;
146
147	if (size < 3)
148		return -1;
149
150	crc = crc16(0, cp, size);
151
152	if (crc != 0x0000)
153		return -1;
154
155	return 0;
156}
157
158/*
159 * Standard encapsulation
160 */
161
162static int kiss_esc(unsigned char *s, unsigned char *d, int len)
163{
164	unsigned char *ptr = d;
165	unsigned char c;
166
167	/*
168	 * Send an initial END character to flush out any data that may have
169	 * accumulated in the receiver due to line noise.
170	 */
171
172	*ptr++ = END;
173
174	while (len-- > 0) {
175		switch (c = *s++) {
176		case END:
177			*ptr++ = ESC;
178			*ptr++ = ESC_END;
179			break;
180		case ESC:
181			*ptr++ = ESC;
182			*ptr++ = ESC_ESC;
183			break;
184		default:
185			*ptr++ = c;
186			break;
187		}
188	}
189
190	*ptr++ = END;
191
192	return ptr - d;
193}
194
195/*
196 * MW:
197 * OK its ugly, but tell me a better solution without copying the
198 * packet to a temporary buffer :-)
199 */
200static int kiss_esc_crc(unsigned char *s, unsigned char *d, unsigned short crc,
201	int len)
202{
203	unsigned char *ptr = d;
204	unsigned char c=0;
205
206	*ptr++ = END;
207	while (len > 0) {
208		if (len > 2)
209			c = *s++;
210		else if (len > 1)
211			c = crc >> 8;
212		else
213			c = crc & 0xff;
214
215		len--;
216
217		switch (c) {
218		case END:
219			*ptr++ = ESC;
220			*ptr++ = ESC_END;
221			break;
222		case ESC:
223			*ptr++ = ESC;
224			*ptr++ = ESC_ESC;
225			break;
226		default:
227			*ptr++ = c;
228			break;
229		}
230	}
231	*ptr++ = END;
232
233	return ptr - d;
234}
235
236/* Send one completely decapsulated AX.25 packet to the AX.25 layer. */
237static void ax_bump(struct mkiss *ax)
238{
239	struct sk_buff *skb;
240	int count;
241
242	spin_lock_bh(&ax->buflock);
243	if (ax->rbuff[0] > 0x0f) {
244		if (ax->rbuff[0] & 0x80) {
245			if (check_crc_16(ax->rbuff, ax->rcount) < 0) {
246				ax->dev->stats.rx_errors++;
247				spin_unlock_bh(&ax->buflock);
248
249				return;
250			}
251			if (ax->crcmode != CRC_MODE_SMACK && ax->crcauto) {
252				printk(KERN_INFO
253				       "mkiss: %s: Switching to crc-smack\n",
254				       ax->dev->name);
255				ax->crcmode = CRC_MODE_SMACK;
256			}
257			ax->rcount -= 2;
258			*ax->rbuff &= ~0x80;
259		} else if (ax->rbuff[0] & 0x20)  {
260			if (check_crc_flex(ax->rbuff, ax->rcount) < 0) {
261				ax->dev->stats.rx_errors++;
262				spin_unlock_bh(&ax->buflock);
263				return;
264			}
265			if (ax->crcmode != CRC_MODE_FLEX && ax->crcauto) {
266				printk(KERN_INFO
267				       "mkiss: %s: Switching to crc-flexnet\n",
268				       ax->dev->name);
269				ax->crcmode = CRC_MODE_FLEX;
270			}
271			ax->rcount -= 2;
272
273			/*
274			 * dl9sau bugfix: the trailling two bytes flexnet crc
275			 * will not be passed to the kernel. thus we have to
276			 * correct the kissparm signature, because it indicates
277			 * a crc but there's none
278			 */
279			*ax->rbuff &= ~0x20;
280		}
281	}
282
283	count = ax->rcount;
284
285	if ((skb = dev_alloc_skb(count)) == NULL) {
286		printk(KERN_ERR "mkiss: %s: memory squeeze, dropping packet.\n",
287		       ax->dev->name);
288		ax->dev->stats.rx_dropped++;
289		spin_unlock_bh(&ax->buflock);
290		return;
291	}
292
293	skb_put_data(skb, ax->rbuff, count);
294	skb->protocol = ax25_type_trans(skb, ax->dev);
295	netif_rx(skb);
296	ax->dev->stats.rx_packets++;
297	ax->dev->stats.rx_bytes += count;
298	spin_unlock_bh(&ax->buflock);
299}
300
301static void kiss_unesc(struct mkiss *ax, unsigned char s)
302{
303	switch (s) {
304	case END:
305		/* drop keeptest bit = VSV */
306		if (test_bit(AXF_KEEPTEST, &ax->flags))
307			clear_bit(AXF_KEEPTEST, &ax->flags);
308
309		if (!test_and_clear_bit(AXF_ERROR, &ax->flags) && (ax->rcount > 2))
310			ax_bump(ax);
311
312		clear_bit(AXF_ESCAPE, &ax->flags);
313		ax->rcount = 0;
314		return;
315
316	case ESC:
317		set_bit(AXF_ESCAPE, &ax->flags);
318		return;
319	case ESC_ESC:
320		if (test_and_clear_bit(AXF_ESCAPE, &ax->flags))
321			s = ESC;
322		break;
323	case ESC_END:
324		if (test_and_clear_bit(AXF_ESCAPE, &ax->flags))
325			s = END;
326		break;
327	}
328
329	spin_lock_bh(&ax->buflock);
330	if (!test_bit(AXF_ERROR, &ax->flags)) {
331		if (ax->rcount < ax->buffsize) {
332			ax->rbuff[ax->rcount++] = s;
333			spin_unlock_bh(&ax->buflock);
334			return;
335		}
336
337		ax->dev->stats.rx_over_errors++;
338		set_bit(AXF_ERROR, &ax->flags);
339	}
340	spin_unlock_bh(&ax->buflock);
341}
342
343static int ax_set_mac_address(struct net_device *dev, void *addr)
344{
345	struct sockaddr_ax25 *sa = addr;
346
347	netif_tx_lock_bh(dev);
348	netif_addr_lock(dev);
349	__dev_addr_set(dev, &sa->sax25_call, AX25_ADDR_LEN);
350	netif_addr_unlock(dev);
351	netif_tx_unlock_bh(dev);
352
353	return 0;
354}
355
356/*---------------------------------------------------------------------------*/
357
358static void ax_changedmtu(struct mkiss *ax)
359{
360	struct net_device *dev = ax->dev;
361	unsigned char *xbuff, *rbuff, *oxbuff, *orbuff;
362	int len;
363
364	len = dev->mtu * 2;
365
366	/*
367	 * allow for arrival of larger UDP packets, even if we say not to
368	 * also fixes a bug in which SunOS sends 512-byte packets even with
369	 * an MSS of 128
370	 */
371	if (len < 576 * 2)
372		len = 576 * 2;
373
374	xbuff = kmalloc(len + 4, GFP_ATOMIC);
375	rbuff = kmalloc(len + 4, GFP_ATOMIC);
376
377	if (xbuff == NULL || rbuff == NULL)  {
378		printk(KERN_ERR "mkiss: %s: unable to grow ax25 buffers, "
379		       "MTU change cancelled.\n",
380		       ax->dev->name);
381		dev->mtu = ax->mtu;
382		kfree(xbuff);
383		kfree(rbuff);
384		return;
385	}
386
387	spin_lock_bh(&ax->buflock);
388
389	oxbuff    = ax->xbuff;
390	ax->xbuff = xbuff;
391	orbuff    = ax->rbuff;
392	ax->rbuff = rbuff;
393
394	if (ax->xleft) {
395		if (ax->xleft <= len) {
396			memcpy(ax->xbuff, ax->xhead, ax->xleft);
397		} else  {
398			ax->xleft = 0;
399			dev->stats.tx_dropped++;
400		}
401	}
402
403	ax->xhead = ax->xbuff;
404
405	if (ax->rcount) {
406		if (ax->rcount <= len) {
407			memcpy(ax->rbuff, orbuff, ax->rcount);
408		} else  {
409			ax->rcount = 0;
410			dev->stats.rx_over_errors++;
411			set_bit(AXF_ERROR, &ax->flags);
412		}
413	}
414
415	ax->mtu      = dev->mtu + 73;
416	ax->buffsize = len;
417
418	spin_unlock_bh(&ax->buflock);
419
420	kfree(oxbuff);
421	kfree(orbuff);
422}
423
424/* Encapsulate one AX.25 packet and stuff into a TTY queue. */
425static void ax_encaps(struct net_device *dev, unsigned char *icp, int len)
426{
427	struct mkiss *ax = netdev_priv(dev);
428	unsigned char *p;
429	int actual, count;
430
431	if (ax->mtu != ax->dev->mtu + 73)	/* Someone has been ifconfigging */
432		ax_changedmtu(ax);
433
434	if (len > ax->mtu) {		/* Sigh, shouldn't occur BUT ... */
435		printk(KERN_ERR "mkiss: %s: truncating oversized transmit packet!\n", ax->dev->name);
436		dev->stats.tx_dropped++;
437		netif_start_queue(dev);
438		return;
439	}
440
441	p = icp;
442
443	spin_lock_bh(&ax->buflock);
444	if ((*p & 0x0f) != 0) {
445		/* Configuration Command (kissparms(1).
446		 * Protocol spec says: never append CRC.
447		 * This fixes a very old bug in the linux
448		 * kiss driver. -- dl9sau */
449		switch (*p & 0xff) {
450		case 0x85:
451			/* command from userspace especially for us,
452			 * not for delivery to the tnc */
453			if (len > 1) {
454				int cmd = (p[1] & 0xff);
455				switch(cmd) {
456				case 3:
457				  ax->crcmode = CRC_MODE_SMACK;
458				  break;
459				case 2:
460				  ax->crcmode = CRC_MODE_FLEX;
461				  break;
462				case 1:
463				  ax->crcmode = CRC_MODE_NONE;
464				  break;
465				case 0:
466				default:
467				  ax->crcmode = CRC_MODE_SMACK_TEST;
468				  cmd = 0;
469				}
470				ax->crcauto = (cmd ? 0 : 1);
471				printk(KERN_INFO "mkiss: %s: crc mode set to %d\n",
472				       ax->dev->name, cmd);
473			}
474			spin_unlock_bh(&ax->buflock);
475			netif_start_queue(dev);
476
477			return;
478		default:
479			count = kiss_esc(p, ax->xbuff, len);
480		}
481	} else {
482		unsigned short crc;
483		switch (ax->crcmode) {
484		case CRC_MODE_SMACK_TEST:
485			ax->crcmode  = CRC_MODE_FLEX_TEST;
486			printk(KERN_INFO "mkiss: %s: Trying crc-smack\n", ax->dev->name);
487			fallthrough;
488		case CRC_MODE_SMACK:
489			*p |= 0x80;
490			crc = swab16(crc16(0, p, len));
491			count = kiss_esc_crc(p, ax->xbuff, crc, len+2);
492			break;
493		case CRC_MODE_FLEX_TEST:
494			ax->crcmode = CRC_MODE_NONE;
495			printk(KERN_INFO "mkiss: %s: Trying crc-flexnet\n", ax->dev->name);
496			fallthrough;
497		case CRC_MODE_FLEX:
498			*p |= 0x20;
499			crc = calc_crc_flex(p, len);
500			count = kiss_esc_crc(p, ax->xbuff, crc, len+2);
501			break;
502
503		default:
504			count = kiss_esc(p, ax->xbuff, len);
505		}
506	}
507	spin_unlock_bh(&ax->buflock);
508
509	set_bit(TTY_DO_WRITE_WAKEUP, &ax->tty->flags);
510	actual = ax->tty->ops->write(ax->tty, ax->xbuff, count);
511	dev->stats.tx_packets++;
512	dev->stats.tx_bytes += actual;
513
514	netif_trans_update(ax->dev);
515	ax->xleft = count - actual;
516	ax->xhead = ax->xbuff + actual;
517}
518
519/* Encapsulate an AX.25 packet and kick it into a TTY queue. */
520static netdev_tx_t ax_xmit(struct sk_buff *skb, struct net_device *dev)
521{
522	struct mkiss *ax = netdev_priv(dev);
523
524	if (skb->protocol == htons(ETH_P_IP))
525		return ax25_ip_xmit(skb);
526
527	if (!netif_running(dev))  {
528		printk(KERN_ERR "mkiss: %s: xmit call when iface is down\n", dev->name);
529		return NETDEV_TX_BUSY;
530	}
531
532	if (netif_queue_stopped(dev)) {
533		/*
534		 * May be we must check transmitter timeout here ?
535		 *      14 Oct 1994 Dmitry Gorodchanin.
536		 */
537		if (time_before(jiffies, dev_trans_start(dev) + 20 * HZ)) {
538			/* 20 sec timeout not reached */
539			return NETDEV_TX_BUSY;
540		}
541
542		printk(KERN_ERR "mkiss: %s: transmit timed out, %s?\n", dev->name,
543		       (tty_chars_in_buffer(ax->tty) || ax->xleft) ?
544		       "bad line quality" : "driver error");
545
546		ax->xleft = 0;
547		clear_bit(TTY_DO_WRITE_WAKEUP, &ax->tty->flags);
548		netif_start_queue(dev);
549	}
550
551	/* We were not busy, so we are now... :-) */
552	netif_stop_queue(dev);
553	ax_encaps(dev, skb->data, skb->len);
554	kfree_skb(skb);
555
556	return NETDEV_TX_OK;
557}
558
559static int ax_open_dev(struct net_device *dev)
560{
561	struct mkiss *ax = netdev_priv(dev);
562
563	if (ax->tty == NULL)
564		return -ENODEV;
565
566	return 0;
567}
568
569/* Open the low-level part of the AX25 channel. Easy! */
570static int ax_open(struct net_device *dev)
571{
572	struct mkiss *ax = netdev_priv(dev);
573	unsigned long len;
574
575	if (ax->tty == NULL)
576		return -ENODEV;
577
578	/*
579	 * Allocate the frame buffers:
580	 *
581	 * rbuff	Receive buffer.
582	 * xbuff	Transmit buffer.
583	 */
584	len = dev->mtu * 2;
585
586	/*
587	 * allow for arrival of larger UDP packets, even if we say not to
588	 * also fixes a bug in which SunOS sends 512-byte packets even with
589	 * an MSS of 128
590	 */
591	if (len < 576 * 2)
592		len = 576 * 2;
593
594	if ((ax->rbuff = kmalloc(len + 4, GFP_KERNEL)) == NULL)
595		goto norbuff;
596
597	if ((ax->xbuff = kmalloc(len + 4, GFP_KERNEL)) == NULL)
598		goto noxbuff;
599
600	ax->mtu	     = dev->mtu + 73;
601	ax->buffsize = len;
602	ax->rcount   = 0;
603	ax->xleft    = 0;
604
605	ax->flags   &= (1 << AXF_INUSE);      /* Clear ESCAPE & ERROR flags */
606
607	spin_lock_init(&ax->buflock);
608
609	return 0;
610
611noxbuff:
612	kfree(ax->rbuff);
613
614norbuff:
615	return -ENOMEM;
616}
617
618
619/* Close the low-level part of the AX25 channel. Easy! */
620static int ax_close(struct net_device *dev)
621{
622	struct mkiss *ax = netdev_priv(dev);
623
624	if (ax->tty)
625		clear_bit(TTY_DO_WRITE_WAKEUP, &ax->tty->flags);
626
627	netif_stop_queue(dev);
628
629	return 0;
630}
631
632static const struct net_device_ops ax_netdev_ops = {
633	.ndo_open            = ax_open_dev,
634	.ndo_stop            = ax_close,
635	.ndo_start_xmit	     = ax_xmit,
636	.ndo_set_mac_address = ax_set_mac_address,
637};
638
639static void ax_setup(struct net_device *dev)
640{
641	/* Finish setting up the DEVICE info. */
642	dev->mtu             = AX_MTU;
643	dev->hard_header_len = AX25_MAX_HEADER_LEN;
644	dev->addr_len        = AX25_ADDR_LEN;
645	dev->type            = ARPHRD_AX25;
646	dev->tx_queue_len    = 10;
647	dev->header_ops      = &ax25_header_ops;
648	dev->netdev_ops	     = &ax_netdev_ops;
649
650
651	memcpy(dev->broadcast, &ax25_bcast, AX25_ADDR_LEN);
652	dev_addr_set(dev, (u8 *)&ax25_defaddr);
653
654	dev->flags      = IFF_BROADCAST | IFF_MULTICAST;
655}
656
657/*
658 * We have a potential race on dereferencing tty->disc_data, because the tty
659 * layer provides no locking at all - thus one cpu could be running
660 * sixpack_receive_buf while another calls sixpack_close, which zeroes
661 * tty->disc_data and frees the memory that sixpack_receive_buf is using.  The
662 * best way to fix this is to use a rwlock in the tty struct, but for now we
663 * use a single global rwlock for all ttys in ppp line discipline.
664 */
665static DEFINE_RWLOCK(disc_data_lock);
666
667static struct mkiss *mkiss_get(struct tty_struct *tty)
668{
669	struct mkiss *ax;
670
671	read_lock(&disc_data_lock);
672	ax = tty->disc_data;
673	if (ax)
674		refcount_inc(&ax->refcnt);
675	read_unlock(&disc_data_lock);
676
677	return ax;
678}
679
680static void mkiss_put(struct mkiss *ax)
681{
682	if (refcount_dec_and_test(&ax->refcnt))
683		complete(&ax->dead);
684}
685
686static int crc_force = 0;	/* Can be overridden with insmod */
687
688static int mkiss_open(struct tty_struct *tty)
689{
690	struct net_device *dev;
691	struct mkiss *ax;
692	int err;
693
694	if (!capable(CAP_NET_ADMIN))
695		return -EPERM;
696	if (tty->ops->write == NULL)
697		return -EOPNOTSUPP;
698
699	dev = alloc_netdev(sizeof(struct mkiss), "ax%d", NET_NAME_UNKNOWN,
700			   ax_setup);
701	if (!dev) {
702		err = -ENOMEM;
703		goto out;
704	}
705
706	ax = netdev_priv(dev);
707	ax->dev = dev;
708
709	spin_lock_init(&ax->buflock);
710	refcount_set(&ax->refcnt, 1);
711	init_completion(&ax->dead);
712
713	ax->tty = tty;
714	tty->disc_data = ax;
715	tty->receive_room = 65535;
716
717	tty_driver_flush_buffer(tty);
718
719	/* Restore default settings */
720	dev->type = ARPHRD_AX25;
721
722	/* Perform the low-level AX25 initialization. */
723	err = ax_open(ax->dev);
724	if (err)
725		goto out_free_netdev;
726
727	err = register_netdev(dev);
728	if (err)
729		goto out_free_buffers;
730
731	/* after register_netdev() - because else printk smashes the kernel */
732	switch (crc_force) {
733	case 3:
734		ax->crcmode  = CRC_MODE_SMACK;
735		printk(KERN_INFO "mkiss: %s: crc mode smack forced.\n",
736		       ax->dev->name);
737		break;
738	case 2:
739		ax->crcmode  = CRC_MODE_FLEX;
740		printk(KERN_INFO "mkiss: %s: crc mode flexnet forced.\n",
741		       ax->dev->name);
742		break;
743	case 1:
744		ax->crcmode  = CRC_MODE_NONE;
745		printk(KERN_INFO "mkiss: %s: crc mode disabled.\n",
746		       ax->dev->name);
747		break;
748	case 0:
749	default:
750		crc_force = 0;
751		printk(KERN_INFO "mkiss: %s: crc mode is auto.\n",
752		       ax->dev->name);
753		ax->crcmode  = CRC_MODE_SMACK_TEST;
754	}
755	ax->crcauto = (crc_force ? 0 : 1);
756
757	netif_start_queue(dev);
758
759	/* Done.  We have linked the TTY line to a channel. */
760	return 0;
761
762out_free_buffers:
763	kfree(ax->rbuff);
764	kfree(ax->xbuff);
765
766out_free_netdev:
767	free_netdev(dev);
768
769out:
770	return err;
771}
772
773static void mkiss_close(struct tty_struct *tty)
774{
775	struct mkiss *ax;
776
777	write_lock_irq(&disc_data_lock);
778	ax = tty->disc_data;
779	tty->disc_data = NULL;
780	write_unlock_irq(&disc_data_lock);
781
782	if (!ax)
783		return;
784
785	/*
786	 * We have now ensured that nobody can start using ap from now on, but
787	 * we have to wait for all existing users to finish.
788	 */
789	if (!refcount_dec_and_test(&ax->refcnt))
790		wait_for_completion(&ax->dead);
791	/*
792	 * Halt the transmit queue so that a new transmit cannot scribble
793	 * on our buffers
794	 */
795	netif_stop_queue(ax->dev);
796
797	unregister_netdev(ax->dev);
798
799	/* Free all AX25 frame buffers after unreg. */
800	kfree(ax->rbuff);
801	kfree(ax->xbuff);
802
803	ax->tty = NULL;
804
805	free_netdev(ax->dev);
806}
807
808/* Perform I/O control on an active ax25 channel. */
809static int mkiss_ioctl(struct tty_struct *tty, unsigned int cmd,
810		unsigned long arg)
811{
812	struct mkiss *ax = mkiss_get(tty);
813	struct net_device *dev;
814	unsigned int tmp, err;
815
816	/* First make sure we're connected. */
817	if (ax == NULL)
818		return -ENXIO;
819	dev = ax->dev;
820
821	switch (cmd) {
822	case SIOCGIFNAME:
823		err = copy_to_user((void __user *) arg, ax->dev->name,
824		                   strlen(ax->dev->name) + 1) ? -EFAULT : 0;
825		break;
826
827	case SIOCGIFENCAP:
828		err = put_user(4, (int __user *) arg);
829		break;
830
831	case SIOCSIFENCAP:
832		if (get_user(tmp, (int __user *) arg)) {
833			err = -EFAULT;
834			break;
835		}
836
837		ax->mode = tmp;
838		dev->addr_len        = AX25_ADDR_LEN;
839		dev->hard_header_len = AX25_KISS_HEADER_LEN +
840		                       AX25_MAX_HEADER_LEN + 3;
841		dev->type            = ARPHRD_AX25;
842
843		err = 0;
844		break;
845
846	case SIOCSIFHWADDR: {
847		char addr[AX25_ADDR_LEN];
848
849		if (copy_from_user(&addr,
850		                   (void __user *) arg, AX25_ADDR_LEN)) {
851			err = -EFAULT;
852			break;
853		}
854
855		netif_tx_lock_bh(dev);
856		__dev_addr_set(dev, addr, AX25_ADDR_LEN);
857		netif_tx_unlock_bh(dev);
858
859		err = 0;
860		break;
861	}
862	default:
863		err = -ENOIOCTLCMD;
864	}
865
866	mkiss_put(ax);
867
868	return err;
869}
870
871/*
872 * Handle the 'receiver data ready' interrupt.
873 * This function is called by the 'tty_io' module in the kernel when
874 * a block of data has been received, which can now be decapsulated
875 * and sent on to the AX.25 layer for further processing.
876 */
877static void mkiss_receive_buf(struct tty_struct *tty, const u8 *cp,
878			      const u8 *fp, size_t count)
879{
880	struct mkiss *ax = mkiss_get(tty);
881
882	if (!ax)
883		return;
884
885	/*
886	 * Argh! mtu change time! - costs us the packet part received
887	 * at the change
888	 */
889	if (ax->mtu != ax->dev->mtu + 73)
890		ax_changedmtu(ax);
891
892	/* Read the characters out of the buffer */
893	while (count--) {
894		if (fp != NULL && *fp++) {
895			if (!test_and_set_bit(AXF_ERROR, &ax->flags))
896				ax->dev->stats.rx_errors++;
897			cp++;
898			continue;
899		}
900
901		kiss_unesc(ax, *cp++);
902	}
903
904	mkiss_put(ax);
905	tty_unthrottle(tty);
906}
907
908/*
909 * Called by the driver when there's room for more data.  If we have
910 * more packets to send, we send them here.
911 */
912static void mkiss_write_wakeup(struct tty_struct *tty)
913{
914	struct mkiss *ax = mkiss_get(tty);
915	int actual;
916
917	if (!ax)
918		return;
919
920	if (ax->xleft <= 0)  {
921		/* Now serial buffer is almost free & we can start
922		 * transmission of another packet
923		 */
924		clear_bit(TTY_DO_WRITE_WAKEUP, &tty->flags);
925
926		netif_wake_queue(ax->dev);
927		goto out;
928	}
929
930	actual = tty->ops->write(tty, ax->xhead, ax->xleft);
931	ax->xleft -= actual;
932	ax->xhead += actual;
933
934out:
935	mkiss_put(ax);
936}
937
938static struct tty_ldisc_ops ax_ldisc = {
939	.owner		= THIS_MODULE,
940	.num		= N_AX25,
941	.name		= "mkiss",
942	.open		= mkiss_open,
943	.close		= mkiss_close,
944	.ioctl		= mkiss_ioctl,
945	.receive_buf	= mkiss_receive_buf,
946	.write_wakeup	= mkiss_write_wakeup
947};
948
949static const char banner[] __initconst = KERN_INFO \
950	"mkiss: AX.25 Multikiss, Hans Albas PE1AYX\n";
951static const char msg_regfail[] __initconst = KERN_ERR \
952	"mkiss: can't register line discipline (err = %d)\n";
953
954static int __init mkiss_init_driver(void)
955{
956	int status;
957
958	printk(banner);
959
960	status = tty_register_ldisc(&ax_ldisc);
961	if (status != 0)
962		printk(msg_regfail, status);
963
964	return status;
965}
966
967static void __exit mkiss_exit_driver(void)
968{
969	tty_unregister_ldisc(&ax_ldisc);
970}
971
972MODULE_AUTHOR("Ralf Baechle DL5RB <ralf@linux-mips.org>");
973MODULE_DESCRIPTION("KISS driver for AX.25 over TTYs");
974module_param(crc_force, int, 0);
975MODULE_PARM_DESC(crc_force, "crc [0 = auto | 1 = none | 2 = flexnet | 3 = smack]");
976MODULE_LICENSE("GPL");
977MODULE_ALIAS_LDISC(N_AX25);
978
979module_init(mkiss_init_driver);
980module_exit(mkiss_exit_driver);