xref: /linux/drivers/net/hamradio/mkiss.c (revision e9f0878c4b2004ac19581274c1ae4c61ae3ca70e)
1 /*
2  *  This program is free software; you can distribute it and/or modify it
3  *  under the terms of the GNU General Public License (Version 2) as
4  *  published by the Free Software Foundation.
5  *
6  *  This program is distributed in the hope it will be useful, but WITHOUT
7  *  ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
8  *  FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
9  *  for more details.
10  *
11  *  You should have received a copy of the GNU General Public License along
12  *  with this program; if not, see <http://www.gnu.org/licenses/>.
13  *
14  * Copyright (C) Hans Alblas PE1AYX <hans@esrac.ele.tue.nl>
15  * Copyright (C) 2004, 05 Ralf Baechle DL5RB <ralf@linux-mips.org>
16  * Copyright (C) 2004, 05 Thomas Osterried DL9SAU <thomas@x-berg.in-berlin.de>
17  */
18 #include <linux/module.h>
19 #include <linux/bitops.h>
20 #include <linux/uaccess.h>
21 #include <linux/crc16.h>
22 #include <linux/string.h>
23 #include <linux/mm.h>
24 #include <linux/interrupt.h>
25 #include <linux/in.h>
26 #include <linux/inet.h>
27 #include <linux/slab.h>
28 #include <linux/tty.h>
29 #include <linux/errno.h>
30 #include <linux/netdevice.h>
31 #include <linux/major.h>
32 #include <linux/init.h>
33 #include <linux/rtnetlink.h>
34 #include <linux/etherdevice.h>
35 #include <linux/skbuff.h>
36 #include <linux/if_arp.h>
37 #include <linux/jiffies.h>
38 #include <linux/compat.h>
39 
40 #include <net/ax25.h>
41 
42 #define AX_MTU		236
43 
44 /* SLIP/KISS protocol characters. */
45 #define END             0300		/* indicates end of frame	*/
46 #define ESC             0333		/* indicates byte stuffing	*/
47 #define ESC_END         0334		/* ESC ESC_END means END 'data'	*/
48 #define ESC_ESC         0335		/* ESC ESC_ESC means ESC 'data'	*/
49 
50 struct mkiss {
51 	struct tty_struct	*tty;	/* ptr to TTY structure		*/
52 	struct net_device	*dev;	/* easy for intr handling	*/
53 
54 	/* These are pointers to the malloc()ed frame buffers. */
55 	spinlock_t		buflock;/* lock for rbuf and xbuf */
56 	unsigned char		*rbuff;	/* receiver buffer		*/
57 	int			rcount;	/* received chars counter       */
58 	unsigned char		*xbuff;	/* transmitter buffer		*/
59 	unsigned char		*xhead;	/* pointer to next byte to XMIT */
60 	int			xleft;	/* bytes left in XMIT queue     */
61 
62 	/* Detailed SLIP statistics. */
63 	int		mtu;		/* Our mtu (to spot changes!)   */
64 	int		buffsize;	/* Max buffers sizes            */
65 
66 	unsigned long	flags;		/* Flag values/ mode etc	*/
67 					/* long req'd: used by set_bit --RR */
68 #define AXF_INUSE	0		/* Channel in use               */
69 #define AXF_ESCAPE	1               /* ESC received                 */
70 #define AXF_ERROR	2               /* Parity, etc. error           */
71 #define AXF_KEEPTEST	3		/* Keepalive test flag		*/
72 #define AXF_OUTWAIT	4		/* is outpacket was flag	*/
73 
74 	int		mode;
75         int		crcmode;	/* MW: for FlexNet, SMACK etc.  */
76 	int		crcauto;	/* CRC auto mode */
77 
78 #define CRC_MODE_NONE		0
79 #define CRC_MODE_FLEX		1
80 #define CRC_MODE_SMACK		2
81 #define CRC_MODE_FLEX_TEST	3
82 #define CRC_MODE_SMACK_TEST	4
83 
84 	atomic_t		refcnt;
85 	struct semaphore	dead_sem;
86 };
87 
88 /*---------------------------------------------------------------------------*/
89 
90 static const unsigned short crc_flex_table[] = {
91 	0x0f87, 0x1e0e, 0x2c95, 0x3d1c, 0x49a3, 0x582a, 0x6ab1, 0x7b38,
92 	0x83cf, 0x9246, 0xa0dd, 0xb154, 0xc5eb, 0xd462, 0xe6f9, 0xf770,
93 	0x1f06, 0x0e8f, 0x3c14, 0x2d9d, 0x5922, 0x48ab, 0x7a30, 0x6bb9,
94 	0x934e, 0x82c7, 0xb05c, 0xa1d5, 0xd56a, 0xc4e3, 0xf678, 0xe7f1,
95 	0x2e85, 0x3f0c, 0x0d97, 0x1c1e, 0x68a1, 0x7928, 0x4bb3, 0x5a3a,
96 	0xa2cd, 0xb344, 0x81df, 0x9056, 0xe4e9, 0xf560, 0xc7fb, 0xd672,
97 	0x3e04, 0x2f8d, 0x1d16, 0x0c9f, 0x7820, 0x69a9, 0x5b32, 0x4abb,
98 	0xb24c, 0xa3c5, 0x915e, 0x80d7, 0xf468, 0xe5e1, 0xd77a, 0xc6f3,
99 	0x4d83, 0x5c0a, 0x6e91, 0x7f18, 0x0ba7, 0x1a2e, 0x28b5, 0x393c,
100 	0xc1cb, 0xd042, 0xe2d9, 0xf350, 0x87ef, 0x9666, 0xa4fd, 0xb574,
101 	0x5d02, 0x4c8b, 0x7e10, 0x6f99, 0x1b26, 0x0aaf, 0x3834, 0x29bd,
102 	0xd14a, 0xc0c3, 0xf258, 0xe3d1, 0x976e, 0x86e7, 0xb47c, 0xa5f5,
103 	0x6c81, 0x7d08, 0x4f93, 0x5e1a, 0x2aa5, 0x3b2c, 0x09b7, 0x183e,
104 	0xe0c9, 0xf140, 0xc3db, 0xd252, 0xa6ed, 0xb764, 0x85ff, 0x9476,
105 	0x7c00, 0x6d89, 0x5f12, 0x4e9b, 0x3a24, 0x2bad, 0x1936, 0x08bf,
106 	0xf048, 0xe1c1, 0xd35a, 0xc2d3, 0xb66c, 0xa7e5, 0x957e, 0x84f7,
107 	0x8b8f, 0x9a06, 0xa89d, 0xb914, 0xcdab, 0xdc22, 0xeeb9, 0xff30,
108 	0x07c7, 0x164e, 0x24d5, 0x355c, 0x41e3, 0x506a, 0x62f1, 0x7378,
109 	0x9b0e, 0x8a87, 0xb81c, 0xa995, 0xdd2a, 0xcca3, 0xfe38, 0xefb1,
110 	0x1746, 0x06cf, 0x3454, 0x25dd, 0x5162, 0x40eb, 0x7270, 0x63f9,
111 	0xaa8d, 0xbb04, 0x899f, 0x9816, 0xeca9, 0xfd20, 0xcfbb, 0xde32,
112 	0x26c5, 0x374c, 0x05d7, 0x145e, 0x60e1, 0x7168, 0x43f3, 0x527a,
113 	0xba0c, 0xab85, 0x991e, 0x8897, 0xfc28, 0xeda1, 0xdf3a, 0xceb3,
114 	0x3644, 0x27cd, 0x1556, 0x04df, 0x7060, 0x61e9, 0x5372, 0x42fb,
115 	0xc98b, 0xd802, 0xea99, 0xfb10, 0x8faf, 0x9e26, 0xacbd, 0xbd34,
116 	0x45c3, 0x544a, 0x66d1, 0x7758, 0x03e7, 0x126e, 0x20f5, 0x317c,
117 	0xd90a, 0xc883, 0xfa18, 0xeb91, 0x9f2e, 0x8ea7, 0xbc3c, 0xadb5,
118 	0x5542, 0x44cb, 0x7650, 0x67d9, 0x1366, 0x02ef, 0x3074, 0x21fd,
119 	0xe889, 0xf900, 0xcb9b, 0xda12, 0xaead, 0xbf24, 0x8dbf, 0x9c36,
120 	0x64c1, 0x7548, 0x47d3, 0x565a, 0x22e5, 0x336c, 0x01f7, 0x107e,
121 	0xf808, 0xe981, 0xdb1a, 0xca93, 0xbe2c, 0xafa5, 0x9d3e, 0x8cb7,
122 	0x7440, 0x65c9, 0x5752, 0x46db, 0x3264, 0x23ed, 0x1176, 0x00ff
123 };
124 
125 static unsigned short calc_crc_flex(unsigned char *cp, int size)
126 {
127 	unsigned short crc = 0xffff;
128 
129 	while (size--)
130 		crc = (crc << 8) ^ crc_flex_table[((crc >> 8) ^ *cp++) & 0xff];
131 
132 	return crc;
133 }
134 
135 static int check_crc_flex(unsigned char *cp, int size)
136 {
137 	unsigned short crc = 0xffff;
138 
139 	if (size < 3)
140 		return -1;
141 
142 	while (size--)
143 		crc = (crc << 8) ^ crc_flex_table[((crc >> 8) ^ *cp++) & 0xff];
144 
145 	if ((crc & 0xffff) != 0x7070)
146 		return -1;
147 
148 	return 0;
149 }
150 
151 static int check_crc_16(unsigned char *cp, int size)
152 {
153 	unsigned short crc = 0x0000;
154 
155 	if (size < 3)
156 		return -1;
157 
158 	crc = crc16(0, cp, size);
159 
160 	if (crc != 0x0000)
161 		return -1;
162 
163 	return 0;
164 }
165 
166 /*
167  * Standard encapsulation
168  */
169 
170 static int kiss_esc(unsigned char *s, unsigned char *d, int len)
171 {
172 	unsigned char *ptr = d;
173 	unsigned char c;
174 
175 	/*
176 	 * Send an initial END character to flush out any data that may have
177 	 * accumulated in the receiver due to line noise.
178 	 */
179 
180 	*ptr++ = END;
181 
182 	while (len-- > 0) {
183 		switch (c = *s++) {
184 		case END:
185 			*ptr++ = ESC;
186 			*ptr++ = ESC_END;
187 			break;
188 		case ESC:
189 			*ptr++ = ESC;
190 			*ptr++ = ESC_ESC;
191 			break;
192 		default:
193 			*ptr++ = c;
194 			break;
195 		}
196 	}
197 
198 	*ptr++ = END;
199 
200 	return ptr - d;
201 }
202 
203 /*
204  * MW:
205  * OK its ugly, but tell me a better solution without copying the
206  * packet to a temporary buffer :-)
207  */
208 static int kiss_esc_crc(unsigned char *s, unsigned char *d, unsigned short crc,
209 	int len)
210 {
211 	unsigned char *ptr = d;
212 	unsigned char c=0;
213 
214 	*ptr++ = END;
215 	while (len > 0) {
216 		if (len > 2)
217 			c = *s++;
218 		else if (len > 1)
219 			c = crc >> 8;
220 		else
221 			c = crc & 0xff;
222 
223 		len--;
224 
225 		switch (c) {
226 		case END:
227 			*ptr++ = ESC;
228 			*ptr++ = ESC_END;
229 			break;
230 		case ESC:
231 			*ptr++ = ESC;
232 			*ptr++ = ESC_ESC;
233 			break;
234 		default:
235 			*ptr++ = c;
236 			break;
237 		}
238 	}
239 	*ptr++ = END;
240 
241 	return ptr - d;
242 }
243 
244 /* Send one completely decapsulated AX.25 packet to the AX.25 layer. */
245 static void ax_bump(struct mkiss *ax)
246 {
247 	struct sk_buff *skb;
248 	int count;
249 
250 	spin_lock_bh(&ax->buflock);
251 	if (ax->rbuff[0] > 0x0f) {
252 		if (ax->rbuff[0] & 0x80) {
253 			if (check_crc_16(ax->rbuff, ax->rcount) < 0) {
254 				ax->dev->stats.rx_errors++;
255 				spin_unlock_bh(&ax->buflock);
256 
257 				return;
258 			}
259 			if (ax->crcmode != CRC_MODE_SMACK && ax->crcauto) {
260 				printk(KERN_INFO
261 				       "mkiss: %s: Switching to crc-smack\n",
262 				       ax->dev->name);
263 				ax->crcmode = CRC_MODE_SMACK;
264 			}
265 			ax->rcount -= 2;
266 			*ax->rbuff &= ~0x80;
267 		} else if (ax->rbuff[0] & 0x20)  {
268 			if (check_crc_flex(ax->rbuff, ax->rcount) < 0) {
269 				ax->dev->stats.rx_errors++;
270 				spin_unlock_bh(&ax->buflock);
271 				return;
272 			}
273 			if (ax->crcmode != CRC_MODE_FLEX && ax->crcauto) {
274 				printk(KERN_INFO
275 				       "mkiss: %s: Switching to crc-flexnet\n",
276 				       ax->dev->name);
277 				ax->crcmode = CRC_MODE_FLEX;
278 			}
279 			ax->rcount -= 2;
280 
281 			/*
282 			 * dl9sau bugfix: the trailling two bytes flexnet crc
283 			 * will not be passed to the kernel. thus we have to
284 			 * correct the kissparm signature, because it indicates
285 			 * a crc but there's none
286 			 */
287 			*ax->rbuff &= ~0x20;
288 		}
289  	}
290 
291 	count = ax->rcount;
292 
293 	if ((skb = dev_alloc_skb(count)) == NULL) {
294 		printk(KERN_ERR "mkiss: %s: memory squeeze, dropping packet.\n",
295 		       ax->dev->name);
296 		ax->dev->stats.rx_dropped++;
297 		spin_unlock_bh(&ax->buflock);
298 		return;
299 	}
300 
301 	skb_put_data(skb, ax->rbuff, count);
302 	skb->protocol = ax25_type_trans(skb, ax->dev);
303 	netif_rx(skb);
304 	ax->dev->stats.rx_packets++;
305 	ax->dev->stats.rx_bytes += count;
306 	spin_unlock_bh(&ax->buflock);
307 }
308 
309 static void kiss_unesc(struct mkiss *ax, unsigned char s)
310 {
311 	switch (s) {
312 	case END:
313 		/* drop keeptest bit = VSV */
314 		if (test_bit(AXF_KEEPTEST, &ax->flags))
315 			clear_bit(AXF_KEEPTEST, &ax->flags);
316 
317 		if (!test_and_clear_bit(AXF_ERROR, &ax->flags) && (ax->rcount > 2))
318 			ax_bump(ax);
319 
320 		clear_bit(AXF_ESCAPE, &ax->flags);
321 		ax->rcount = 0;
322 		return;
323 
324 	case ESC:
325 		set_bit(AXF_ESCAPE, &ax->flags);
326 		return;
327 	case ESC_ESC:
328 		if (test_and_clear_bit(AXF_ESCAPE, &ax->flags))
329 			s = ESC;
330 		break;
331 	case ESC_END:
332 		if (test_and_clear_bit(AXF_ESCAPE, &ax->flags))
333 			s = END;
334 		break;
335 	}
336 
337 	spin_lock_bh(&ax->buflock);
338 	if (!test_bit(AXF_ERROR, &ax->flags)) {
339 		if (ax->rcount < ax->buffsize) {
340 			ax->rbuff[ax->rcount++] = s;
341 			spin_unlock_bh(&ax->buflock);
342 			return;
343 		}
344 
345 		ax->dev->stats.rx_over_errors++;
346 		set_bit(AXF_ERROR, &ax->flags);
347 	}
348 	spin_unlock_bh(&ax->buflock);
349 }
350 
351 static int ax_set_mac_address(struct net_device *dev, void *addr)
352 {
353 	struct sockaddr_ax25 *sa = addr;
354 
355 	netif_tx_lock_bh(dev);
356 	netif_addr_lock(dev);
357 	memcpy(dev->dev_addr, &sa->sax25_call, AX25_ADDR_LEN);
358 	netif_addr_unlock(dev);
359 	netif_tx_unlock_bh(dev);
360 
361 	return 0;
362 }
363 
364 /*---------------------------------------------------------------------------*/
365 
366 static void ax_changedmtu(struct mkiss *ax)
367 {
368 	struct net_device *dev = ax->dev;
369 	unsigned char *xbuff, *rbuff, *oxbuff, *orbuff;
370 	int len;
371 
372 	len = dev->mtu * 2;
373 
374 	/*
375 	 * allow for arrival of larger UDP packets, even if we say not to
376 	 * also fixes a bug in which SunOS sends 512-byte packets even with
377 	 * an MSS of 128
378 	 */
379 	if (len < 576 * 2)
380 		len = 576 * 2;
381 
382 	xbuff = kmalloc(len + 4, GFP_ATOMIC);
383 	rbuff = kmalloc(len + 4, GFP_ATOMIC);
384 
385 	if (xbuff == NULL || rbuff == NULL)  {
386 		printk(KERN_ERR "mkiss: %s: unable to grow ax25 buffers, "
387 		       "MTU change cancelled.\n",
388 		       ax->dev->name);
389 		dev->mtu = ax->mtu;
390 		kfree(xbuff);
391 		kfree(rbuff);
392 		return;
393 	}
394 
395 	spin_lock_bh(&ax->buflock);
396 
397 	oxbuff    = ax->xbuff;
398 	ax->xbuff = xbuff;
399 	orbuff    = ax->rbuff;
400 	ax->rbuff = rbuff;
401 
402 	if (ax->xleft) {
403 		if (ax->xleft <= len) {
404 			memcpy(ax->xbuff, ax->xhead, ax->xleft);
405 		} else  {
406 			ax->xleft = 0;
407 			dev->stats.tx_dropped++;
408 		}
409 	}
410 
411 	ax->xhead = ax->xbuff;
412 
413 	if (ax->rcount) {
414 		if (ax->rcount <= len) {
415 			memcpy(ax->rbuff, orbuff, ax->rcount);
416 		} else  {
417 			ax->rcount = 0;
418 			dev->stats.rx_over_errors++;
419 			set_bit(AXF_ERROR, &ax->flags);
420 		}
421 	}
422 
423 	ax->mtu      = dev->mtu + 73;
424 	ax->buffsize = len;
425 
426 	spin_unlock_bh(&ax->buflock);
427 
428 	kfree(oxbuff);
429 	kfree(orbuff);
430 }
431 
432 /* Encapsulate one AX.25 packet and stuff into a TTY queue. */
433 static void ax_encaps(struct net_device *dev, unsigned char *icp, int len)
434 {
435 	struct mkiss *ax = netdev_priv(dev);
436 	unsigned char *p;
437 	int actual, count;
438 
439 	if (ax->mtu != ax->dev->mtu + 73)	/* Someone has been ifconfigging */
440 		ax_changedmtu(ax);
441 
442 	if (len > ax->mtu) {		/* Sigh, shouldn't occur BUT ... */
443 		printk(KERN_ERR "mkiss: %s: truncating oversized transmit packet!\n", ax->dev->name);
444 		dev->stats.tx_dropped++;
445 		netif_start_queue(dev);
446 		return;
447 	}
448 
449 	p = icp;
450 
451 	spin_lock_bh(&ax->buflock);
452 	if ((*p & 0x0f) != 0) {
453 		/* Configuration Command (kissparms(1).
454 		 * Protocol spec says: never append CRC.
455 		 * This fixes a very old bug in the linux
456 		 * kiss driver. -- dl9sau */
457 		switch (*p & 0xff) {
458 		case 0x85:
459 			/* command from userspace especially for us,
460 			 * not for delivery to the tnc */
461 			if (len > 1) {
462 				int cmd = (p[1] & 0xff);
463 				switch(cmd) {
464 				case 3:
465 				  ax->crcmode = CRC_MODE_SMACK;
466 				  break;
467 				case 2:
468 				  ax->crcmode = CRC_MODE_FLEX;
469 				  break;
470 				case 1:
471 				  ax->crcmode = CRC_MODE_NONE;
472 				  break;
473 				case 0:
474 				default:
475 				  ax->crcmode = CRC_MODE_SMACK_TEST;
476 				  cmd = 0;
477 				}
478 				ax->crcauto = (cmd ? 0 : 1);
479 				printk(KERN_INFO "mkiss: %s: crc mode set to %d\n",
480 				       ax->dev->name, cmd);
481 			}
482 			spin_unlock_bh(&ax->buflock);
483 			netif_start_queue(dev);
484 
485 			return;
486 		default:
487 			count = kiss_esc(p, ax->xbuff, len);
488 		}
489 	} else {
490 		unsigned short crc;
491 		switch (ax->crcmode) {
492 		case CRC_MODE_SMACK_TEST:
493 			ax->crcmode  = CRC_MODE_FLEX_TEST;
494 			printk(KERN_INFO "mkiss: %s: Trying crc-smack\n", ax->dev->name);
495 			// fall through
496 		case CRC_MODE_SMACK:
497 			*p |= 0x80;
498 			crc = swab16(crc16(0, p, len));
499 			count = kiss_esc_crc(p, ax->xbuff, crc, len+2);
500 			break;
501 		case CRC_MODE_FLEX_TEST:
502 			ax->crcmode = CRC_MODE_NONE;
503 			printk(KERN_INFO "mkiss: %s: Trying crc-flexnet\n", ax->dev->name);
504 			// fall through
505 		case CRC_MODE_FLEX:
506 			*p |= 0x20;
507 			crc = calc_crc_flex(p, len);
508 			count = kiss_esc_crc(p, ax->xbuff, crc, len+2);
509 			break;
510 
511 		default:
512 			count = kiss_esc(p, ax->xbuff, len);
513 		}
514   	}
515 	spin_unlock_bh(&ax->buflock);
516 
517 	set_bit(TTY_DO_WRITE_WAKEUP, &ax->tty->flags);
518 	actual = ax->tty->ops->write(ax->tty, ax->xbuff, count);
519 	dev->stats.tx_packets++;
520 	dev->stats.tx_bytes += actual;
521 
522 	netif_trans_update(ax->dev);
523 	ax->xleft = count - actual;
524 	ax->xhead = ax->xbuff + actual;
525 }
526 
527 /* Encapsulate an AX.25 packet and kick it into a TTY queue. */
528 static netdev_tx_t ax_xmit(struct sk_buff *skb, struct net_device *dev)
529 {
530 	struct mkiss *ax = netdev_priv(dev);
531 
532 	if (skb->protocol == htons(ETH_P_IP))
533 		return ax25_ip_xmit(skb);
534 
535 	if (!netif_running(dev))  {
536 		printk(KERN_ERR "mkiss: %s: xmit call when iface is down\n", dev->name);
537 		return NETDEV_TX_BUSY;
538 	}
539 
540 	if (netif_queue_stopped(dev)) {
541 		/*
542 		 * May be we must check transmitter timeout here ?
543 		 *      14 Oct 1994 Dmitry Gorodchanin.
544 		 */
545 		if (time_before(jiffies, dev_trans_start(dev) + 20 * HZ)) {
546 			/* 20 sec timeout not reached */
547 			return NETDEV_TX_BUSY;
548 		}
549 
550 		printk(KERN_ERR "mkiss: %s: transmit timed out, %s?\n", dev->name,
551 		       (tty_chars_in_buffer(ax->tty) || ax->xleft) ?
552 		       "bad line quality" : "driver error");
553 
554 		ax->xleft = 0;
555 		clear_bit(TTY_DO_WRITE_WAKEUP, &ax->tty->flags);
556 		netif_start_queue(dev);
557 	}
558 
559 	/* We were not busy, so we are now... :-) */
560 	netif_stop_queue(dev);
561 	ax_encaps(dev, skb->data, skb->len);
562 	kfree_skb(skb);
563 
564 	return NETDEV_TX_OK;
565 }
566 
567 static int ax_open_dev(struct net_device *dev)
568 {
569 	struct mkiss *ax = netdev_priv(dev);
570 
571 	if (ax->tty == NULL)
572 		return -ENODEV;
573 
574 	return 0;
575 }
576 
577 /* Open the low-level part of the AX25 channel. Easy! */
578 static int ax_open(struct net_device *dev)
579 {
580 	struct mkiss *ax = netdev_priv(dev);
581 	unsigned long len;
582 
583 	if (ax->tty == NULL)
584 		return -ENODEV;
585 
586 	/*
587 	 * Allocate the frame buffers:
588 	 *
589 	 * rbuff	Receive buffer.
590 	 * xbuff	Transmit buffer.
591 	 */
592 	len = dev->mtu * 2;
593 
594 	/*
595 	 * allow for arrival of larger UDP packets, even if we say not to
596 	 * also fixes a bug in which SunOS sends 512-byte packets even with
597 	 * an MSS of 128
598 	 */
599 	if (len < 576 * 2)
600 		len = 576 * 2;
601 
602 	if ((ax->rbuff = kmalloc(len + 4, GFP_KERNEL)) == NULL)
603 		goto norbuff;
604 
605 	if ((ax->xbuff = kmalloc(len + 4, GFP_KERNEL)) == NULL)
606 		goto noxbuff;
607 
608 	ax->mtu	     = dev->mtu + 73;
609 	ax->buffsize = len;
610 	ax->rcount   = 0;
611 	ax->xleft    = 0;
612 
613 	ax->flags   &= (1 << AXF_INUSE);      /* Clear ESCAPE & ERROR flags */
614 
615 	spin_lock_init(&ax->buflock);
616 
617 	return 0;
618 
619 noxbuff:
620 	kfree(ax->rbuff);
621 
622 norbuff:
623 	return -ENOMEM;
624 }
625 
626 
627 /* Close the low-level part of the AX25 channel. Easy! */
628 static int ax_close(struct net_device *dev)
629 {
630 	struct mkiss *ax = netdev_priv(dev);
631 
632 	if (ax->tty)
633 		clear_bit(TTY_DO_WRITE_WAKEUP, &ax->tty->flags);
634 
635 	netif_stop_queue(dev);
636 
637 	return 0;
638 }
639 
640 static const struct net_device_ops ax_netdev_ops = {
641 	.ndo_open            = ax_open_dev,
642 	.ndo_stop            = ax_close,
643 	.ndo_start_xmit	     = ax_xmit,
644 	.ndo_set_mac_address = ax_set_mac_address,
645 };
646 
647 static void ax_setup(struct net_device *dev)
648 {
649 	/* Finish setting up the DEVICE info. */
650 	dev->mtu             = AX_MTU;
651 	dev->hard_header_len = AX25_MAX_HEADER_LEN;
652 	dev->addr_len        = AX25_ADDR_LEN;
653 	dev->type            = ARPHRD_AX25;
654 	dev->tx_queue_len    = 10;
655 	dev->header_ops      = &ax25_header_ops;
656 	dev->netdev_ops	     = &ax_netdev_ops;
657 
658 
659 	memcpy(dev->broadcast, &ax25_bcast, AX25_ADDR_LEN);
660 	memcpy(dev->dev_addr,  &ax25_defaddr,  AX25_ADDR_LEN);
661 
662 	dev->flags      = IFF_BROADCAST | IFF_MULTICAST;
663 }
664 
665 /*
666  * We have a potential race on dereferencing tty->disc_data, because the tty
667  * layer provides no locking at all - thus one cpu could be running
668  * sixpack_receive_buf while another calls sixpack_close, which zeroes
669  * tty->disc_data and frees the memory that sixpack_receive_buf is using.  The
670  * best way to fix this is to use a rwlock in the tty struct, but for now we
671  * use a single global rwlock for all ttys in ppp line discipline.
672  */
673 static DEFINE_RWLOCK(disc_data_lock);
674 
675 static struct mkiss *mkiss_get(struct tty_struct *tty)
676 {
677 	struct mkiss *ax;
678 
679 	read_lock(&disc_data_lock);
680 	ax = tty->disc_data;
681 	if (ax)
682 		atomic_inc(&ax->refcnt);
683 	read_unlock(&disc_data_lock);
684 
685 	return ax;
686 }
687 
688 static void mkiss_put(struct mkiss *ax)
689 {
690 	if (atomic_dec_and_test(&ax->refcnt))
691 		up(&ax->dead_sem);
692 }
693 
694 static int crc_force = 0;	/* Can be overridden with insmod */
695 
696 static int mkiss_open(struct tty_struct *tty)
697 {
698 	struct net_device *dev;
699 	struct mkiss *ax;
700 	int err;
701 
702 	if (!capable(CAP_NET_ADMIN))
703 		return -EPERM;
704 	if (tty->ops->write == NULL)
705 		return -EOPNOTSUPP;
706 
707 	dev = alloc_netdev(sizeof(struct mkiss), "ax%d", NET_NAME_UNKNOWN,
708 			   ax_setup);
709 	if (!dev) {
710 		err = -ENOMEM;
711 		goto out;
712 	}
713 
714 	ax = netdev_priv(dev);
715 	ax->dev = dev;
716 
717 	spin_lock_init(&ax->buflock);
718 	atomic_set(&ax->refcnt, 1);
719 	sema_init(&ax->dead_sem, 0);
720 
721 	ax->tty = tty;
722 	tty->disc_data = ax;
723 	tty->receive_room = 65535;
724 
725 	tty_driver_flush_buffer(tty);
726 
727 	/* Restore default settings */
728 	dev->type = ARPHRD_AX25;
729 
730 	/* Perform the low-level AX25 initialization. */
731 	err = ax_open(ax->dev);
732 	if (err)
733 		goto out_free_netdev;
734 
735 	err = register_netdev(dev);
736 	if (err)
737 		goto out_free_buffers;
738 
739 	/* after register_netdev() - because else printk smashes the kernel */
740 	switch (crc_force) {
741 	case 3:
742 		ax->crcmode  = CRC_MODE_SMACK;
743 		printk(KERN_INFO "mkiss: %s: crc mode smack forced.\n",
744 		       ax->dev->name);
745 		break;
746 	case 2:
747 		ax->crcmode  = CRC_MODE_FLEX;
748 		printk(KERN_INFO "mkiss: %s: crc mode flexnet forced.\n",
749 		       ax->dev->name);
750 		break;
751 	case 1:
752 		ax->crcmode  = CRC_MODE_NONE;
753 		printk(KERN_INFO "mkiss: %s: crc mode disabled.\n",
754 		       ax->dev->name);
755 		break;
756 	case 0:
757 		/* fall through */
758 	default:
759 		crc_force = 0;
760 		printk(KERN_INFO "mkiss: %s: crc mode is auto.\n",
761 		       ax->dev->name);
762 		ax->crcmode  = CRC_MODE_SMACK_TEST;
763 	}
764 	ax->crcauto = (crc_force ? 0 : 1);
765 
766 	netif_start_queue(dev);
767 
768 	/* Done.  We have linked the TTY line to a channel. */
769 	return 0;
770 
771 out_free_buffers:
772 	kfree(ax->rbuff);
773 	kfree(ax->xbuff);
774 
775 out_free_netdev:
776 	free_netdev(dev);
777 
778 out:
779 	return err;
780 }
781 
782 static void mkiss_close(struct tty_struct *tty)
783 {
784 	struct mkiss *ax;
785 
786 	write_lock_bh(&disc_data_lock);
787 	ax = tty->disc_data;
788 	tty->disc_data = NULL;
789 	write_unlock_bh(&disc_data_lock);
790 
791 	if (!ax)
792 		return;
793 
794 	/*
795 	 * We have now ensured that nobody can start using ap from now on, but
796 	 * we have to wait for all existing users to finish.
797 	 */
798 	if (!atomic_dec_and_test(&ax->refcnt))
799 		down(&ax->dead_sem);
800 	/*
801 	 * Halt the transmit queue so that a new transmit cannot scribble
802 	 * on our buffers
803 	 */
804 	netif_stop_queue(ax->dev);
805 
806 	/* Free all AX25 frame buffers. */
807 	kfree(ax->rbuff);
808 	kfree(ax->xbuff);
809 
810 	ax->tty = NULL;
811 
812 	unregister_netdev(ax->dev);
813 }
814 
815 /* Perform I/O control on an active ax25 channel. */
816 static int mkiss_ioctl(struct tty_struct *tty, struct file *file,
817 	unsigned int cmd, unsigned long arg)
818 {
819 	struct mkiss *ax = mkiss_get(tty);
820 	struct net_device *dev;
821 	unsigned int tmp, err;
822 
823 	/* First make sure we're connected. */
824 	if (ax == NULL)
825 		return -ENXIO;
826 	dev = ax->dev;
827 
828 	switch (cmd) {
829  	case SIOCGIFNAME:
830 		err = copy_to_user((void __user *) arg, ax->dev->name,
831 		                   strlen(ax->dev->name) + 1) ? -EFAULT : 0;
832 		break;
833 
834 	case SIOCGIFENCAP:
835 		err = put_user(4, (int __user *) arg);
836 		break;
837 
838 	case SIOCSIFENCAP:
839 		if (get_user(tmp, (int __user *) arg)) {
840 			err = -EFAULT;
841 			break;
842 		}
843 
844 		ax->mode = tmp;
845 		dev->addr_len        = AX25_ADDR_LEN;
846 		dev->hard_header_len = AX25_KISS_HEADER_LEN +
847 		                       AX25_MAX_HEADER_LEN + 3;
848 		dev->type            = ARPHRD_AX25;
849 
850 		err = 0;
851 		break;
852 
853 	case SIOCSIFHWADDR: {
854 		char addr[AX25_ADDR_LEN];
855 
856 		if (copy_from_user(&addr,
857 		                   (void __user *) arg, AX25_ADDR_LEN)) {
858 			err = -EFAULT;
859 			break;
860 		}
861 
862 		netif_tx_lock_bh(dev);
863 		memcpy(dev->dev_addr, addr, AX25_ADDR_LEN);
864 		netif_tx_unlock_bh(dev);
865 
866 		err = 0;
867 		break;
868 	}
869 	default:
870 		err = -ENOIOCTLCMD;
871 	}
872 
873 	mkiss_put(ax);
874 
875 	return err;
876 }
877 
878 #ifdef CONFIG_COMPAT
879 static long mkiss_compat_ioctl(struct tty_struct *tty, struct file *file,
880 	unsigned int cmd, unsigned long arg)
881 {
882 	switch (cmd) {
883 	case SIOCGIFNAME:
884 	case SIOCGIFENCAP:
885 	case SIOCSIFENCAP:
886 	case SIOCSIFHWADDR:
887 		return mkiss_ioctl(tty, file, cmd,
888 				   (unsigned long)compat_ptr(arg));
889 	}
890 
891 	return -ENOIOCTLCMD;
892 }
893 #endif
894 
895 /*
896  * Handle the 'receiver data ready' interrupt.
897  * This function is called by the 'tty_io' module in the kernel when
898  * a block of data has been received, which can now be decapsulated
899  * and sent on to the AX.25 layer for further processing.
900  */
901 static void mkiss_receive_buf(struct tty_struct *tty, const unsigned char *cp,
902 	char *fp, int count)
903 {
904 	struct mkiss *ax = mkiss_get(tty);
905 
906 	if (!ax)
907 		return;
908 
909 	/*
910 	 * Argh! mtu change time! - costs us the packet part received
911 	 * at the change
912 	 */
913 	if (ax->mtu != ax->dev->mtu + 73)
914 		ax_changedmtu(ax);
915 
916 	/* Read the characters out of the buffer */
917 	while (count--) {
918 		if (fp != NULL && *fp++) {
919 			if (!test_and_set_bit(AXF_ERROR, &ax->flags))
920 				ax->dev->stats.rx_errors++;
921 			cp++;
922 			continue;
923 		}
924 
925 		kiss_unesc(ax, *cp++);
926 	}
927 
928 	mkiss_put(ax);
929 	tty_unthrottle(tty);
930 }
931 
932 /*
933  * Called by the driver when there's room for more data.  If we have
934  * more packets to send, we send them here.
935  */
936 static void mkiss_write_wakeup(struct tty_struct *tty)
937 {
938 	struct mkiss *ax = mkiss_get(tty);
939 	int actual;
940 
941 	if (!ax)
942 		return;
943 
944 	if (ax->xleft <= 0)  {
945 		/* Now serial buffer is almost free & we can start
946 		 * transmission of another packet
947 		 */
948 		clear_bit(TTY_DO_WRITE_WAKEUP, &tty->flags);
949 
950 		netif_wake_queue(ax->dev);
951 		goto out;
952 	}
953 
954 	actual = tty->ops->write(tty, ax->xhead, ax->xleft);
955 	ax->xleft -= actual;
956 	ax->xhead += actual;
957 
958 out:
959 	mkiss_put(ax);
960 }
961 
962 static struct tty_ldisc_ops ax_ldisc = {
963 	.owner		= THIS_MODULE,
964 	.magic		= TTY_LDISC_MAGIC,
965 	.name		= "mkiss",
966 	.open		= mkiss_open,
967 	.close		= mkiss_close,
968 	.ioctl		= mkiss_ioctl,
969 #ifdef CONFIG_COMPAT
970 	.compat_ioctl	= mkiss_compat_ioctl,
971 #endif
972 	.receive_buf	= mkiss_receive_buf,
973 	.write_wakeup	= mkiss_write_wakeup
974 };
975 
976 static const char banner[] __initconst = KERN_INFO \
977 	"mkiss: AX.25 Multikiss, Hans Albas PE1AYX\n";
978 static const char msg_regfail[] __initconst = KERN_ERR \
979 	"mkiss: can't register line discipline (err = %d)\n";
980 
981 static int __init mkiss_init_driver(void)
982 {
983 	int status;
984 
985 	printk(banner);
986 
987 	status = tty_register_ldisc(N_AX25, &ax_ldisc);
988 	if (status != 0)
989 		printk(msg_regfail, status);
990 
991 	return status;
992 }
993 
994 static const char msg_unregfail[] = KERN_ERR \
995 	"mkiss: can't unregister line discipline (err = %d)\n";
996 
997 static void __exit mkiss_exit_driver(void)
998 {
999 	int ret;
1000 
1001 	if ((ret = tty_unregister_ldisc(N_AX25)))
1002 		printk(msg_unregfail, ret);
1003 }
1004 
1005 MODULE_AUTHOR("Ralf Baechle DL5RB <ralf@linux-mips.org>");
1006 MODULE_DESCRIPTION("KISS driver for AX.25 over TTYs");
1007 module_param(crc_force, int, 0);
1008 MODULE_PARM_DESC(crc_force, "crc [0 = auto | 1 = none | 2 = flexnet | 3 = smack]");
1009 MODULE_LICENSE("GPL");
1010 MODULE_ALIAS_LDISC(N_AX25);
1011 
1012 module_init(mkiss_init_driver);
1013 module_exit(mkiss_exit_driver);
1014