xref: /linux/drivers/net/hamradio/mkiss.c (revision 15a1fbdcfb519c2bd291ed01c6c94e0b89537a77)
1 // SPDX-License-Identifier: GPL-2.0-only
2 /*
3  *
4  * Copyright (C) Hans Alblas PE1AYX <hans@esrac.ele.tue.nl>
5  * Copyright (C) 2004, 05 Ralf Baechle DL5RB <ralf@linux-mips.org>
6  * Copyright (C) 2004, 05 Thomas Osterried DL9SAU <thomas@x-berg.in-berlin.de>
7  */
8 #include <linux/module.h>
9 #include <linux/bitops.h>
10 #include <linux/uaccess.h>
11 #include <linux/crc16.h>
12 #include <linux/string.h>
13 #include <linux/mm.h>
14 #include <linux/interrupt.h>
15 #include <linux/in.h>
16 #include <linux/inet.h>
17 #include <linux/slab.h>
18 #include <linux/tty.h>
19 #include <linux/errno.h>
20 #include <linux/netdevice.h>
21 #include <linux/major.h>
22 #include <linux/init.h>
23 #include <linux/rtnetlink.h>
24 #include <linux/etherdevice.h>
25 #include <linux/skbuff.h>
26 #include <linux/if_arp.h>
27 #include <linux/jiffies.h>
28 #include <linux/refcount.h>
29 
30 #include <net/ax25.h>
31 
32 #define AX_MTU		236
33 
34 /* SLIP/KISS protocol characters. */
35 #define END             0300		/* indicates end of frame	*/
36 #define ESC             0333		/* indicates byte stuffing	*/
37 #define ESC_END         0334		/* ESC ESC_END means END 'data'	*/
38 #define ESC_ESC         0335		/* ESC ESC_ESC means ESC 'data'	*/
39 
40 struct mkiss {
41 	struct tty_struct	*tty;	/* ptr to TTY structure		*/
42 	struct net_device	*dev;	/* easy for intr handling	*/
43 
44 	/* These are pointers to the malloc()ed frame buffers. */
45 	spinlock_t		buflock;/* lock for rbuf and xbuf */
46 	unsigned char		*rbuff;	/* receiver buffer		*/
47 	int			rcount;	/* received chars counter       */
48 	unsigned char		*xbuff;	/* transmitter buffer		*/
49 	unsigned char		*xhead;	/* pointer to next byte to XMIT */
50 	int			xleft;	/* bytes left in XMIT queue     */
51 
52 	/* Detailed SLIP statistics. */
53 	int		mtu;		/* Our mtu (to spot changes!)   */
54 	int		buffsize;	/* Max buffers sizes            */
55 
56 	unsigned long	flags;		/* Flag values/ mode etc	*/
57 					/* long req'd: used by set_bit --RR */
58 #define AXF_INUSE	0		/* Channel in use               */
59 #define AXF_ESCAPE	1               /* ESC received                 */
60 #define AXF_ERROR	2               /* Parity, etc. error           */
61 #define AXF_KEEPTEST	3		/* Keepalive test flag		*/
62 #define AXF_OUTWAIT	4		/* is outpacket was flag	*/
63 
64 	int		mode;
65         int		crcmode;	/* MW: for FlexNet, SMACK etc.  */
66 	int		crcauto;	/* CRC auto mode */
67 
68 #define CRC_MODE_NONE		0
69 #define CRC_MODE_FLEX		1
70 #define CRC_MODE_SMACK		2
71 #define CRC_MODE_FLEX_TEST	3
72 #define CRC_MODE_SMACK_TEST	4
73 
74 	refcount_t		refcnt;
75 	struct completion	dead;
76 };
77 
78 /*---------------------------------------------------------------------------*/
79 
80 static const unsigned short crc_flex_table[] = {
81 	0x0f87, 0x1e0e, 0x2c95, 0x3d1c, 0x49a3, 0x582a, 0x6ab1, 0x7b38,
82 	0x83cf, 0x9246, 0xa0dd, 0xb154, 0xc5eb, 0xd462, 0xe6f9, 0xf770,
83 	0x1f06, 0x0e8f, 0x3c14, 0x2d9d, 0x5922, 0x48ab, 0x7a30, 0x6bb9,
84 	0x934e, 0x82c7, 0xb05c, 0xa1d5, 0xd56a, 0xc4e3, 0xf678, 0xe7f1,
85 	0x2e85, 0x3f0c, 0x0d97, 0x1c1e, 0x68a1, 0x7928, 0x4bb3, 0x5a3a,
86 	0xa2cd, 0xb344, 0x81df, 0x9056, 0xe4e9, 0xf560, 0xc7fb, 0xd672,
87 	0x3e04, 0x2f8d, 0x1d16, 0x0c9f, 0x7820, 0x69a9, 0x5b32, 0x4abb,
88 	0xb24c, 0xa3c5, 0x915e, 0x80d7, 0xf468, 0xe5e1, 0xd77a, 0xc6f3,
89 	0x4d83, 0x5c0a, 0x6e91, 0x7f18, 0x0ba7, 0x1a2e, 0x28b5, 0x393c,
90 	0xc1cb, 0xd042, 0xe2d9, 0xf350, 0x87ef, 0x9666, 0xa4fd, 0xb574,
91 	0x5d02, 0x4c8b, 0x7e10, 0x6f99, 0x1b26, 0x0aaf, 0x3834, 0x29bd,
92 	0xd14a, 0xc0c3, 0xf258, 0xe3d1, 0x976e, 0x86e7, 0xb47c, 0xa5f5,
93 	0x6c81, 0x7d08, 0x4f93, 0x5e1a, 0x2aa5, 0x3b2c, 0x09b7, 0x183e,
94 	0xe0c9, 0xf140, 0xc3db, 0xd252, 0xa6ed, 0xb764, 0x85ff, 0x9476,
95 	0x7c00, 0x6d89, 0x5f12, 0x4e9b, 0x3a24, 0x2bad, 0x1936, 0x08bf,
96 	0xf048, 0xe1c1, 0xd35a, 0xc2d3, 0xb66c, 0xa7e5, 0x957e, 0x84f7,
97 	0x8b8f, 0x9a06, 0xa89d, 0xb914, 0xcdab, 0xdc22, 0xeeb9, 0xff30,
98 	0x07c7, 0x164e, 0x24d5, 0x355c, 0x41e3, 0x506a, 0x62f1, 0x7378,
99 	0x9b0e, 0x8a87, 0xb81c, 0xa995, 0xdd2a, 0xcca3, 0xfe38, 0xefb1,
100 	0x1746, 0x06cf, 0x3454, 0x25dd, 0x5162, 0x40eb, 0x7270, 0x63f9,
101 	0xaa8d, 0xbb04, 0x899f, 0x9816, 0xeca9, 0xfd20, 0xcfbb, 0xde32,
102 	0x26c5, 0x374c, 0x05d7, 0x145e, 0x60e1, 0x7168, 0x43f3, 0x527a,
103 	0xba0c, 0xab85, 0x991e, 0x8897, 0xfc28, 0xeda1, 0xdf3a, 0xceb3,
104 	0x3644, 0x27cd, 0x1556, 0x04df, 0x7060, 0x61e9, 0x5372, 0x42fb,
105 	0xc98b, 0xd802, 0xea99, 0xfb10, 0x8faf, 0x9e26, 0xacbd, 0xbd34,
106 	0x45c3, 0x544a, 0x66d1, 0x7758, 0x03e7, 0x126e, 0x20f5, 0x317c,
107 	0xd90a, 0xc883, 0xfa18, 0xeb91, 0x9f2e, 0x8ea7, 0xbc3c, 0xadb5,
108 	0x5542, 0x44cb, 0x7650, 0x67d9, 0x1366, 0x02ef, 0x3074, 0x21fd,
109 	0xe889, 0xf900, 0xcb9b, 0xda12, 0xaead, 0xbf24, 0x8dbf, 0x9c36,
110 	0x64c1, 0x7548, 0x47d3, 0x565a, 0x22e5, 0x336c, 0x01f7, 0x107e,
111 	0xf808, 0xe981, 0xdb1a, 0xca93, 0xbe2c, 0xafa5, 0x9d3e, 0x8cb7,
112 	0x7440, 0x65c9, 0x5752, 0x46db, 0x3264, 0x23ed, 0x1176, 0x00ff
113 };
114 
115 static unsigned short calc_crc_flex(unsigned char *cp, int size)
116 {
117 	unsigned short crc = 0xffff;
118 
119 	while (size--)
120 		crc = (crc << 8) ^ crc_flex_table[((crc >> 8) ^ *cp++) & 0xff];
121 
122 	return crc;
123 }
124 
125 static int check_crc_flex(unsigned char *cp, int size)
126 {
127 	unsigned short crc = 0xffff;
128 
129 	if (size < 3)
130 		return -1;
131 
132 	while (size--)
133 		crc = (crc << 8) ^ crc_flex_table[((crc >> 8) ^ *cp++) & 0xff];
134 
135 	if ((crc & 0xffff) != 0x7070)
136 		return -1;
137 
138 	return 0;
139 }
140 
141 static int check_crc_16(unsigned char *cp, int size)
142 {
143 	unsigned short crc = 0x0000;
144 
145 	if (size < 3)
146 		return -1;
147 
148 	crc = crc16(0, cp, size);
149 
150 	if (crc != 0x0000)
151 		return -1;
152 
153 	return 0;
154 }
155 
156 /*
157  * Standard encapsulation
158  */
159 
160 static int kiss_esc(unsigned char *s, unsigned char *d, int len)
161 {
162 	unsigned char *ptr = d;
163 	unsigned char c;
164 
165 	/*
166 	 * Send an initial END character to flush out any data that may have
167 	 * accumulated in the receiver due to line noise.
168 	 */
169 
170 	*ptr++ = END;
171 
172 	while (len-- > 0) {
173 		switch (c = *s++) {
174 		case END:
175 			*ptr++ = ESC;
176 			*ptr++ = ESC_END;
177 			break;
178 		case ESC:
179 			*ptr++ = ESC;
180 			*ptr++ = ESC_ESC;
181 			break;
182 		default:
183 			*ptr++ = c;
184 			break;
185 		}
186 	}
187 
188 	*ptr++ = END;
189 
190 	return ptr - d;
191 }
192 
193 /*
194  * MW:
195  * OK its ugly, but tell me a better solution without copying the
196  * packet to a temporary buffer :-)
197  */
198 static int kiss_esc_crc(unsigned char *s, unsigned char *d, unsigned short crc,
199 	int len)
200 {
201 	unsigned char *ptr = d;
202 	unsigned char c=0;
203 
204 	*ptr++ = END;
205 	while (len > 0) {
206 		if (len > 2)
207 			c = *s++;
208 		else if (len > 1)
209 			c = crc >> 8;
210 		else
211 			c = crc & 0xff;
212 
213 		len--;
214 
215 		switch (c) {
216 		case END:
217 			*ptr++ = ESC;
218 			*ptr++ = ESC_END;
219 			break;
220 		case ESC:
221 			*ptr++ = ESC;
222 			*ptr++ = ESC_ESC;
223 			break;
224 		default:
225 			*ptr++ = c;
226 			break;
227 		}
228 	}
229 	*ptr++ = END;
230 
231 	return ptr - d;
232 }
233 
234 /* Send one completely decapsulated AX.25 packet to the AX.25 layer. */
235 static void ax_bump(struct mkiss *ax)
236 {
237 	struct sk_buff *skb;
238 	int count;
239 
240 	spin_lock_bh(&ax->buflock);
241 	if (ax->rbuff[0] > 0x0f) {
242 		if (ax->rbuff[0] & 0x80) {
243 			if (check_crc_16(ax->rbuff, ax->rcount) < 0) {
244 				ax->dev->stats.rx_errors++;
245 				spin_unlock_bh(&ax->buflock);
246 
247 				return;
248 			}
249 			if (ax->crcmode != CRC_MODE_SMACK && ax->crcauto) {
250 				printk(KERN_INFO
251 				       "mkiss: %s: Switching to crc-smack\n",
252 				       ax->dev->name);
253 				ax->crcmode = CRC_MODE_SMACK;
254 			}
255 			ax->rcount -= 2;
256 			*ax->rbuff &= ~0x80;
257 		} else if (ax->rbuff[0] & 0x20)  {
258 			if (check_crc_flex(ax->rbuff, ax->rcount) < 0) {
259 				ax->dev->stats.rx_errors++;
260 				spin_unlock_bh(&ax->buflock);
261 				return;
262 			}
263 			if (ax->crcmode != CRC_MODE_FLEX && ax->crcauto) {
264 				printk(KERN_INFO
265 				       "mkiss: %s: Switching to crc-flexnet\n",
266 				       ax->dev->name);
267 				ax->crcmode = CRC_MODE_FLEX;
268 			}
269 			ax->rcount -= 2;
270 
271 			/*
272 			 * dl9sau bugfix: the trailling two bytes flexnet crc
273 			 * will not be passed to the kernel. thus we have to
274 			 * correct the kissparm signature, because it indicates
275 			 * a crc but there's none
276 			 */
277 			*ax->rbuff &= ~0x20;
278 		}
279  	}
280 
281 	count = ax->rcount;
282 
283 	if ((skb = dev_alloc_skb(count)) == NULL) {
284 		printk(KERN_ERR "mkiss: %s: memory squeeze, dropping packet.\n",
285 		       ax->dev->name);
286 		ax->dev->stats.rx_dropped++;
287 		spin_unlock_bh(&ax->buflock);
288 		return;
289 	}
290 
291 	skb_put_data(skb, ax->rbuff, count);
292 	skb->protocol = ax25_type_trans(skb, ax->dev);
293 	netif_rx(skb);
294 	ax->dev->stats.rx_packets++;
295 	ax->dev->stats.rx_bytes += count;
296 	spin_unlock_bh(&ax->buflock);
297 }
298 
299 static void kiss_unesc(struct mkiss *ax, unsigned char s)
300 {
301 	switch (s) {
302 	case END:
303 		/* drop keeptest bit = VSV */
304 		if (test_bit(AXF_KEEPTEST, &ax->flags))
305 			clear_bit(AXF_KEEPTEST, &ax->flags);
306 
307 		if (!test_and_clear_bit(AXF_ERROR, &ax->flags) && (ax->rcount > 2))
308 			ax_bump(ax);
309 
310 		clear_bit(AXF_ESCAPE, &ax->flags);
311 		ax->rcount = 0;
312 		return;
313 
314 	case ESC:
315 		set_bit(AXF_ESCAPE, &ax->flags);
316 		return;
317 	case ESC_ESC:
318 		if (test_and_clear_bit(AXF_ESCAPE, &ax->flags))
319 			s = ESC;
320 		break;
321 	case ESC_END:
322 		if (test_and_clear_bit(AXF_ESCAPE, &ax->flags))
323 			s = END;
324 		break;
325 	}
326 
327 	spin_lock_bh(&ax->buflock);
328 	if (!test_bit(AXF_ERROR, &ax->flags)) {
329 		if (ax->rcount < ax->buffsize) {
330 			ax->rbuff[ax->rcount++] = s;
331 			spin_unlock_bh(&ax->buflock);
332 			return;
333 		}
334 
335 		ax->dev->stats.rx_over_errors++;
336 		set_bit(AXF_ERROR, &ax->flags);
337 	}
338 	spin_unlock_bh(&ax->buflock);
339 }
340 
341 static int ax_set_mac_address(struct net_device *dev, void *addr)
342 {
343 	struct sockaddr_ax25 *sa = addr;
344 
345 	netif_tx_lock_bh(dev);
346 	netif_addr_lock(dev);
347 	memcpy(dev->dev_addr, &sa->sax25_call, AX25_ADDR_LEN);
348 	netif_addr_unlock(dev);
349 	netif_tx_unlock_bh(dev);
350 
351 	return 0;
352 }
353 
354 /*---------------------------------------------------------------------------*/
355 
356 static void ax_changedmtu(struct mkiss *ax)
357 {
358 	struct net_device *dev = ax->dev;
359 	unsigned char *xbuff, *rbuff, *oxbuff, *orbuff;
360 	int len;
361 
362 	len = dev->mtu * 2;
363 
364 	/*
365 	 * allow for arrival of larger UDP packets, even if we say not to
366 	 * also fixes a bug in which SunOS sends 512-byte packets even with
367 	 * an MSS of 128
368 	 */
369 	if (len < 576 * 2)
370 		len = 576 * 2;
371 
372 	xbuff = kmalloc(len + 4, GFP_ATOMIC);
373 	rbuff = kmalloc(len + 4, GFP_ATOMIC);
374 
375 	if (xbuff == NULL || rbuff == NULL)  {
376 		printk(KERN_ERR "mkiss: %s: unable to grow ax25 buffers, "
377 		       "MTU change cancelled.\n",
378 		       ax->dev->name);
379 		dev->mtu = ax->mtu;
380 		kfree(xbuff);
381 		kfree(rbuff);
382 		return;
383 	}
384 
385 	spin_lock_bh(&ax->buflock);
386 
387 	oxbuff    = ax->xbuff;
388 	ax->xbuff = xbuff;
389 	orbuff    = ax->rbuff;
390 	ax->rbuff = rbuff;
391 
392 	if (ax->xleft) {
393 		if (ax->xleft <= len) {
394 			memcpy(ax->xbuff, ax->xhead, ax->xleft);
395 		} else  {
396 			ax->xleft = 0;
397 			dev->stats.tx_dropped++;
398 		}
399 	}
400 
401 	ax->xhead = ax->xbuff;
402 
403 	if (ax->rcount) {
404 		if (ax->rcount <= len) {
405 			memcpy(ax->rbuff, orbuff, ax->rcount);
406 		} else  {
407 			ax->rcount = 0;
408 			dev->stats.rx_over_errors++;
409 			set_bit(AXF_ERROR, &ax->flags);
410 		}
411 	}
412 
413 	ax->mtu      = dev->mtu + 73;
414 	ax->buffsize = len;
415 
416 	spin_unlock_bh(&ax->buflock);
417 
418 	kfree(oxbuff);
419 	kfree(orbuff);
420 }
421 
422 /* Encapsulate one AX.25 packet and stuff into a TTY queue. */
423 static void ax_encaps(struct net_device *dev, unsigned char *icp, int len)
424 {
425 	struct mkiss *ax = netdev_priv(dev);
426 	unsigned char *p;
427 	int actual, count;
428 
429 	if (ax->mtu != ax->dev->mtu + 73)	/* Someone has been ifconfigging */
430 		ax_changedmtu(ax);
431 
432 	if (len > ax->mtu) {		/* Sigh, shouldn't occur BUT ... */
433 		printk(KERN_ERR "mkiss: %s: truncating oversized transmit packet!\n", ax->dev->name);
434 		dev->stats.tx_dropped++;
435 		netif_start_queue(dev);
436 		return;
437 	}
438 
439 	p = icp;
440 
441 	spin_lock_bh(&ax->buflock);
442 	if ((*p & 0x0f) != 0) {
443 		/* Configuration Command (kissparms(1).
444 		 * Protocol spec says: never append CRC.
445 		 * This fixes a very old bug in the linux
446 		 * kiss driver. -- dl9sau */
447 		switch (*p & 0xff) {
448 		case 0x85:
449 			/* command from userspace especially for us,
450 			 * not for delivery to the tnc */
451 			if (len > 1) {
452 				int cmd = (p[1] & 0xff);
453 				switch(cmd) {
454 				case 3:
455 				  ax->crcmode = CRC_MODE_SMACK;
456 				  break;
457 				case 2:
458 				  ax->crcmode = CRC_MODE_FLEX;
459 				  break;
460 				case 1:
461 				  ax->crcmode = CRC_MODE_NONE;
462 				  break;
463 				case 0:
464 				default:
465 				  ax->crcmode = CRC_MODE_SMACK_TEST;
466 				  cmd = 0;
467 				}
468 				ax->crcauto = (cmd ? 0 : 1);
469 				printk(KERN_INFO "mkiss: %s: crc mode set to %d\n",
470 				       ax->dev->name, cmd);
471 			}
472 			spin_unlock_bh(&ax->buflock);
473 			netif_start_queue(dev);
474 
475 			return;
476 		default:
477 			count = kiss_esc(p, ax->xbuff, len);
478 		}
479 	} else {
480 		unsigned short crc;
481 		switch (ax->crcmode) {
482 		case CRC_MODE_SMACK_TEST:
483 			ax->crcmode  = CRC_MODE_FLEX_TEST;
484 			printk(KERN_INFO "mkiss: %s: Trying crc-smack\n", ax->dev->name);
485 			// fall through
486 		case CRC_MODE_SMACK:
487 			*p |= 0x80;
488 			crc = swab16(crc16(0, p, len));
489 			count = kiss_esc_crc(p, ax->xbuff, crc, len+2);
490 			break;
491 		case CRC_MODE_FLEX_TEST:
492 			ax->crcmode = CRC_MODE_NONE;
493 			printk(KERN_INFO "mkiss: %s: Trying crc-flexnet\n", ax->dev->name);
494 			// fall through
495 		case CRC_MODE_FLEX:
496 			*p |= 0x20;
497 			crc = calc_crc_flex(p, len);
498 			count = kiss_esc_crc(p, ax->xbuff, crc, len+2);
499 			break;
500 
501 		default:
502 			count = kiss_esc(p, ax->xbuff, len);
503 		}
504   	}
505 	spin_unlock_bh(&ax->buflock);
506 
507 	set_bit(TTY_DO_WRITE_WAKEUP, &ax->tty->flags);
508 	actual = ax->tty->ops->write(ax->tty, ax->xbuff, count);
509 	dev->stats.tx_packets++;
510 	dev->stats.tx_bytes += actual;
511 
512 	netif_trans_update(ax->dev);
513 	ax->xleft = count - actual;
514 	ax->xhead = ax->xbuff + actual;
515 }
516 
517 /* Encapsulate an AX.25 packet and kick it into a TTY queue. */
518 static netdev_tx_t ax_xmit(struct sk_buff *skb, struct net_device *dev)
519 {
520 	struct mkiss *ax = netdev_priv(dev);
521 
522 	if (skb->protocol == htons(ETH_P_IP))
523 		return ax25_ip_xmit(skb);
524 
525 	if (!netif_running(dev))  {
526 		printk(KERN_ERR "mkiss: %s: xmit call when iface is down\n", dev->name);
527 		return NETDEV_TX_BUSY;
528 	}
529 
530 	if (netif_queue_stopped(dev)) {
531 		/*
532 		 * May be we must check transmitter timeout here ?
533 		 *      14 Oct 1994 Dmitry Gorodchanin.
534 		 */
535 		if (time_before(jiffies, dev_trans_start(dev) + 20 * HZ)) {
536 			/* 20 sec timeout not reached */
537 			return NETDEV_TX_BUSY;
538 		}
539 
540 		printk(KERN_ERR "mkiss: %s: transmit timed out, %s?\n", dev->name,
541 		       (tty_chars_in_buffer(ax->tty) || ax->xleft) ?
542 		       "bad line quality" : "driver error");
543 
544 		ax->xleft = 0;
545 		clear_bit(TTY_DO_WRITE_WAKEUP, &ax->tty->flags);
546 		netif_start_queue(dev);
547 	}
548 
549 	/* We were not busy, so we are now... :-) */
550 	netif_stop_queue(dev);
551 	ax_encaps(dev, skb->data, skb->len);
552 	kfree_skb(skb);
553 
554 	return NETDEV_TX_OK;
555 }
556 
557 static int ax_open_dev(struct net_device *dev)
558 {
559 	struct mkiss *ax = netdev_priv(dev);
560 
561 	if (ax->tty == NULL)
562 		return -ENODEV;
563 
564 	return 0;
565 }
566 
567 /* Open the low-level part of the AX25 channel. Easy! */
568 static int ax_open(struct net_device *dev)
569 {
570 	struct mkiss *ax = netdev_priv(dev);
571 	unsigned long len;
572 
573 	if (ax->tty == NULL)
574 		return -ENODEV;
575 
576 	/*
577 	 * Allocate the frame buffers:
578 	 *
579 	 * rbuff	Receive buffer.
580 	 * xbuff	Transmit buffer.
581 	 */
582 	len = dev->mtu * 2;
583 
584 	/*
585 	 * allow for arrival of larger UDP packets, even if we say not to
586 	 * also fixes a bug in which SunOS sends 512-byte packets even with
587 	 * an MSS of 128
588 	 */
589 	if (len < 576 * 2)
590 		len = 576 * 2;
591 
592 	if ((ax->rbuff = kmalloc(len + 4, GFP_KERNEL)) == NULL)
593 		goto norbuff;
594 
595 	if ((ax->xbuff = kmalloc(len + 4, GFP_KERNEL)) == NULL)
596 		goto noxbuff;
597 
598 	ax->mtu	     = dev->mtu + 73;
599 	ax->buffsize = len;
600 	ax->rcount   = 0;
601 	ax->xleft    = 0;
602 
603 	ax->flags   &= (1 << AXF_INUSE);      /* Clear ESCAPE & ERROR flags */
604 
605 	spin_lock_init(&ax->buflock);
606 
607 	return 0;
608 
609 noxbuff:
610 	kfree(ax->rbuff);
611 
612 norbuff:
613 	return -ENOMEM;
614 }
615 
616 
617 /* Close the low-level part of the AX25 channel. Easy! */
618 static int ax_close(struct net_device *dev)
619 {
620 	struct mkiss *ax = netdev_priv(dev);
621 
622 	if (ax->tty)
623 		clear_bit(TTY_DO_WRITE_WAKEUP, &ax->tty->flags);
624 
625 	netif_stop_queue(dev);
626 
627 	return 0;
628 }
629 
630 static const struct net_device_ops ax_netdev_ops = {
631 	.ndo_open            = ax_open_dev,
632 	.ndo_stop            = ax_close,
633 	.ndo_start_xmit	     = ax_xmit,
634 	.ndo_set_mac_address = ax_set_mac_address,
635 };
636 
637 static void ax_setup(struct net_device *dev)
638 {
639 	/* Finish setting up the DEVICE info. */
640 	dev->mtu             = AX_MTU;
641 	dev->hard_header_len = AX25_MAX_HEADER_LEN;
642 	dev->addr_len        = AX25_ADDR_LEN;
643 	dev->type            = ARPHRD_AX25;
644 	dev->tx_queue_len    = 10;
645 	dev->header_ops      = &ax25_header_ops;
646 	dev->netdev_ops	     = &ax_netdev_ops;
647 
648 
649 	memcpy(dev->broadcast, &ax25_bcast, AX25_ADDR_LEN);
650 	memcpy(dev->dev_addr,  &ax25_defaddr,  AX25_ADDR_LEN);
651 
652 	dev->flags      = IFF_BROADCAST | IFF_MULTICAST;
653 }
654 
655 /*
656  * We have a potential race on dereferencing tty->disc_data, because the tty
657  * layer provides no locking at all - thus one cpu could be running
658  * sixpack_receive_buf while another calls sixpack_close, which zeroes
659  * tty->disc_data and frees the memory that sixpack_receive_buf is using.  The
660  * best way to fix this is to use a rwlock in the tty struct, but for now we
661  * use a single global rwlock for all ttys in ppp line discipline.
662  */
663 static DEFINE_RWLOCK(disc_data_lock);
664 
665 static struct mkiss *mkiss_get(struct tty_struct *tty)
666 {
667 	struct mkiss *ax;
668 
669 	read_lock(&disc_data_lock);
670 	ax = tty->disc_data;
671 	if (ax)
672 		refcount_inc(&ax->refcnt);
673 	read_unlock(&disc_data_lock);
674 
675 	return ax;
676 }
677 
678 static void mkiss_put(struct mkiss *ax)
679 {
680 	if (refcount_dec_and_test(&ax->refcnt))
681 		complete(&ax->dead);
682 }
683 
684 static int crc_force = 0;	/* Can be overridden with insmod */
685 
686 static int mkiss_open(struct tty_struct *tty)
687 {
688 	struct net_device *dev;
689 	struct mkiss *ax;
690 	int err;
691 
692 	if (!capable(CAP_NET_ADMIN))
693 		return -EPERM;
694 	if (tty->ops->write == NULL)
695 		return -EOPNOTSUPP;
696 
697 	dev = alloc_netdev(sizeof(struct mkiss), "ax%d", NET_NAME_UNKNOWN,
698 			   ax_setup);
699 	if (!dev) {
700 		err = -ENOMEM;
701 		goto out;
702 	}
703 
704 	ax = netdev_priv(dev);
705 	ax->dev = dev;
706 
707 	spin_lock_init(&ax->buflock);
708 	refcount_set(&ax->refcnt, 1);
709 	init_completion(&ax->dead);
710 
711 	ax->tty = tty;
712 	tty->disc_data = ax;
713 	tty->receive_room = 65535;
714 
715 	tty_driver_flush_buffer(tty);
716 
717 	/* Restore default settings */
718 	dev->type = ARPHRD_AX25;
719 
720 	/* Perform the low-level AX25 initialization. */
721 	err = ax_open(ax->dev);
722 	if (err)
723 		goto out_free_netdev;
724 
725 	err = register_netdev(dev);
726 	if (err)
727 		goto out_free_buffers;
728 
729 	/* after register_netdev() - because else printk smashes the kernel */
730 	switch (crc_force) {
731 	case 3:
732 		ax->crcmode  = CRC_MODE_SMACK;
733 		printk(KERN_INFO "mkiss: %s: crc mode smack forced.\n",
734 		       ax->dev->name);
735 		break;
736 	case 2:
737 		ax->crcmode  = CRC_MODE_FLEX;
738 		printk(KERN_INFO "mkiss: %s: crc mode flexnet forced.\n",
739 		       ax->dev->name);
740 		break;
741 	case 1:
742 		ax->crcmode  = CRC_MODE_NONE;
743 		printk(KERN_INFO "mkiss: %s: crc mode disabled.\n",
744 		       ax->dev->name);
745 		break;
746 	case 0:
747 		/* fall through */
748 	default:
749 		crc_force = 0;
750 		printk(KERN_INFO "mkiss: %s: crc mode is auto.\n",
751 		       ax->dev->name);
752 		ax->crcmode  = CRC_MODE_SMACK_TEST;
753 	}
754 	ax->crcauto = (crc_force ? 0 : 1);
755 
756 	netif_start_queue(dev);
757 
758 	/* Done.  We have linked the TTY line to a channel. */
759 	return 0;
760 
761 out_free_buffers:
762 	kfree(ax->rbuff);
763 	kfree(ax->xbuff);
764 
765 out_free_netdev:
766 	free_netdev(dev);
767 
768 out:
769 	return err;
770 }
771 
772 static void mkiss_close(struct tty_struct *tty)
773 {
774 	struct mkiss *ax;
775 
776 	write_lock_irq(&disc_data_lock);
777 	ax = tty->disc_data;
778 	tty->disc_data = NULL;
779 	write_unlock_irq(&disc_data_lock);
780 
781 	if (!ax)
782 		return;
783 
784 	/*
785 	 * We have now ensured that nobody can start using ap from now on, but
786 	 * we have to wait for all existing users to finish.
787 	 */
788 	if (!refcount_dec_and_test(&ax->refcnt))
789 		wait_for_completion(&ax->dead);
790 	/*
791 	 * Halt the transmit queue so that a new transmit cannot scribble
792 	 * on our buffers
793 	 */
794 	netif_stop_queue(ax->dev);
795 
796 	/* Free all AX25 frame buffers. */
797 	kfree(ax->rbuff);
798 	kfree(ax->xbuff);
799 
800 	ax->tty = NULL;
801 
802 	unregister_netdev(ax->dev);
803 }
804 
805 /* Perform I/O control on an active ax25 channel. */
806 static int mkiss_ioctl(struct tty_struct *tty, struct file *file,
807 	unsigned int cmd, unsigned long arg)
808 {
809 	struct mkiss *ax = mkiss_get(tty);
810 	struct net_device *dev;
811 	unsigned int tmp, err;
812 
813 	/* First make sure we're connected. */
814 	if (ax == NULL)
815 		return -ENXIO;
816 	dev = ax->dev;
817 
818 	switch (cmd) {
819  	case SIOCGIFNAME:
820 		err = copy_to_user((void __user *) arg, ax->dev->name,
821 		                   strlen(ax->dev->name) + 1) ? -EFAULT : 0;
822 		break;
823 
824 	case SIOCGIFENCAP:
825 		err = put_user(4, (int __user *) arg);
826 		break;
827 
828 	case SIOCSIFENCAP:
829 		if (get_user(tmp, (int __user *) arg)) {
830 			err = -EFAULT;
831 			break;
832 		}
833 
834 		ax->mode = tmp;
835 		dev->addr_len        = AX25_ADDR_LEN;
836 		dev->hard_header_len = AX25_KISS_HEADER_LEN +
837 		                       AX25_MAX_HEADER_LEN + 3;
838 		dev->type            = ARPHRD_AX25;
839 
840 		err = 0;
841 		break;
842 
843 	case SIOCSIFHWADDR: {
844 		char addr[AX25_ADDR_LEN];
845 
846 		if (copy_from_user(&addr,
847 		                   (void __user *) arg, AX25_ADDR_LEN)) {
848 			err = -EFAULT;
849 			break;
850 		}
851 
852 		netif_tx_lock_bh(dev);
853 		memcpy(dev->dev_addr, addr, AX25_ADDR_LEN);
854 		netif_tx_unlock_bh(dev);
855 
856 		err = 0;
857 		break;
858 	}
859 	default:
860 		err = -ENOIOCTLCMD;
861 	}
862 
863 	mkiss_put(ax);
864 
865 	return err;
866 }
867 
868 /*
869  * Handle the 'receiver data ready' interrupt.
870  * This function is called by the 'tty_io' module in the kernel when
871  * a block of data has been received, which can now be decapsulated
872  * and sent on to the AX.25 layer for further processing.
873  */
874 static void mkiss_receive_buf(struct tty_struct *tty, const unsigned char *cp,
875 	char *fp, int count)
876 {
877 	struct mkiss *ax = mkiss_get(tty);
878 
879 	if (!ax)
880 		return;
881 
882 	/*
883 	 * Argh! mtu change time! - costs us the packet part received
884 	 * at the change
885 	 */
886 	if (ax->mtu != ax->dev->mtu + 73)
887 		ax_changedmtu(ax);
888 
889 	/* Read the characters out of the buffer */
890 	while (count--) {
891 		if (fp != NULL && *fp++) {
892 			if (!test_and_set_bit(AXF_ERROR, &ax->flags))
893 				ax->dev->stats.rx_errors++;
894 			cp++;
895 			continue;
896 		}
897 
898 		kiss_unesc(ax, *cp++);
899 	}
900 
901 	mkiss_put(ax);
902 	tty_unthrottle(tty);
903 }
904 
905 /*
906  * Called by the driver when there's room for more data.  If we have
907  * more packets to send, we send them here.
908  */
909 static void mkiss_write_wakeup(struct tty_struct *tty)
910 {
911 	struct mkiss *ax = mkiss_get(tty);
912 	int actual;
913 
914 	if (!ax)
915 		return;
916 
917 	if (ax->xleft <= 0)  {
918 		/* Now serial buffer is almost free & we can start
919 		 * transmission of another packet
920 		 */
921 		clear_bit(TTY_DO_WRITE_WAKEUP, &tty->flags);
922 
923 		netif_wake_queue(ax->dev);
924 		goto out;
925 	}
926 
927 	actual = tty->ops->write(tty, ax->xhead, ax->xleft);
928 	ax->xleft -= actual;
929 	ax->xhead += actual;
930 
931 out:
932 	mkiss_put(ax);
933 }
934 
935 static struct tty_ldisc_ops ax_ldisc = {
936 	.owner		= THIS_MODULE,
937 	.magic		= TTY_LDISC_MAGIC,
938 	.name		= "mkiss",
939 	.open		= mkiss_open,
940 	.close		= mkiss_close,
941 	.ioctl		= mkiss_ioctl,
942 	.receive_buf	= mkiss_receive_buf,
943 	.write_wakeup	= mkiss_write_wakeup
944 };
945 
946 static const char banner[] __initconst = KERN_INFO \
947 	"mkiss: AX.25 Multikiss, Hans Albas PE1AYX\n";
948 static const char msg_regfail[] __initconst = KERN_ERR \
949 	"mkiss: can't register line discipline (err = %d)\n";
950 
951 static int __init mkiss_init_driver(void)
952 {
953 	int status;
954 
955 	printk(banner);
956 
957 	status = tty_register_ldisc(N_AX25, &ax_ldisc);
958 	if (status != 0)
959 		printk(msg_regfail, status);
960 
961 	return status;
962 }
963 
964 static const char msg_unregfail[] = KERN_ERR \
965 	"mkiss: can't unregister line discipline (err = %d)\n";
966 
967 static void __exit mkiss_exit_driver(void)
968 {
969 	int ret;
970 
971 	if ((ret = tty_unregister_ldisc(N_AX25)))
972 		printk(msg_unregfail, ret);
973 }
974 
975 MODULE_AUTHOR("Ralf Baechle DL5RB <ralf@linux-mips.org>");
976 MODULE_DESCRIPTION("KISS driver for AX.25 over TTYs");
977 module_param(crc_force, int, 0);
978 MODULE_PARM_DESC(crc_force, "crc [0 = auto | 1 = none | 2 = flexnet | 3 = smack]");
979 MODULE_LICENSE("GPL");
980 MODULE_ALIAS_LDISC(N_AX25);
981 
982 module_init(mkiss_init_driver);
983 module_exit(mkiss_exit_driver);
984