xref: /linux/drivers/tty/n_gsm.c (revision 0a94608f0f7de9b1135ffea3546afe68eafef57f)
1 // SPDX-License-Identifier: GPL-2.0
2 /*
3  * n_gsm.c GSM 0710 tty multiplexor
4  * Copyright (c) 2009/10 Intel Corporation
5  *
6  *	* THIS IS A DEVELOPMENT SNAPSHOT IT IS NOT A FINAL RELEASE *
7  *
8  * TO DO:
9  *	Mostly done:	ioctls for setting modes/timing
10  *	Partly done:	hooks so you can pull off frames to non tty devs
11  *	Restart DLCI 0 when it closes ?
12  *	Improve the tx engine
13  *	Resolve tx side locking by adding a queue_head and routing
14  *		all control traffic via it
15  *	General tidy/document
16  *	Review the locking/move to refcounts more (mux now moved to an
17  *		alloc/free model ready)
18  *	Use newest tty open/close port helpers and install hooks
19  *	What to do about power functions ?
20  *	Termios setting and negotiation
21  *	Do we need a 'which mux are you' ioctl to correlate mux and tty sets
22  *
23  */
24 
25 #include <linux/types.h>
26 #include <linux/major.h>
27 #include <linux/errno.h>
28 #include <linux/signal.h>
29 #include <linux/fcntl.h>
30 #include <linux/sched/signal.h>
31 #include <linux/interrupt.h>
32 #include <linux/tty.h>
33 #include <linux/ctype.h>
34 #include <linux/mm.h>
35 #include <linux/string.h>
36 #include <linux/slab.h>
37 #include <linux/poll.h>
38 #include <linux/bitops.h>
39 #include <linux/file.h>
40 #include <linux/uaccess.h>
41 #include <linux/module.h>
42 #include <linux/timer.h>
43 #include <linux/tty_flip.h>
44 #include <linux/tty_driver.h>
45 #include <linux/serial.h>
46 #include <linux/kfifo.h>
47 #include <linux/skbuff.h>
48 #include <net/arp.h>
49 #include <linux/ip.h>
50 #include <linux/netdevice.h>
51 #include <linux/etherdevice.h>
52 #include <linux/gsmmux.h>
53 #include "tty.h"
54 
55 static int debug;
56 module_param(debug, int, 0600);
57 
58 /* Defaults: these are from the specification */
59 
60 #define T1	10		/* 100mS */
61 #define T2	34		/* 333mS */
62 #define N2	3		/* Retry 3 times */
63 
64 /* Use long timers for testing at low speed with debug on */
65 #ifdef DEBUG_TIMING
66 #define T1	100
67 #define T2	200
68 #endif
69 
70 /*
71  * Semi-arbitrary buffer size limits. 0710 is normally run with 32-64 byte
72  * limits so this is plenty
73  */
74 #define MAX_MRU 1500
75 #define MAX_MTU 1500
76 /* SOF, ADDR, CTRL, LEN1, LEN2, ..., FCS, EOF */
77 #define PROT_OVERHEAD 7
78 #define	GSM_NET_TX_TIMEOUT (HZ*10)
79 
80 /*
81  *	struct gsm_mux_net	-	network interface
82  *
83  *	Created when net interface is initialized.
84  */
85 struct gsm_mux_net {
86 	struct kref ref;
87 	struct gsm_dlci *dlci;
88 };
89 
90 /*
91  *	Each block of data we have queued to go out is in the form of
92  *	a gsm_msg which holds everything we need in a link layer independent
93  *	format
94  */
95 
96 struct gsm_msg {
97 	struct list_head list;
98 	u8 addr;		/* DLCI address + flags */
99 	u8 ctrl;		/* Control byte + flags */
100 	unsigned int len;	/* Length of data block (can be zero) */
101 	unsigned char *data;	/* Points into buffer but not at the start */
102 	unsigned char buffer[];
103 };
104 
105 enum gsm_dlci_state {
106 	DLCI_CLOSED,
107 	DLCI_OPENING,		/* Sending SABM not seen UA */
108 	DLCI_OPEN,		/* SABM/UA complete */
109 	DLCI_CLOSING,		/* Sending DISC not seen UA/DM */
110 };
111 
112 enum gsm_dlci_mode {
113 	DLCI_MODE_ABM,		/* Normal Asynchronous Balanced Mode */
114 	DLCI_MODE_ADM,		/* Asynchronous Disconnected Mode */
115 };
116 
117 /*
118  *	Each active data link has a gsm_dlci structure associated which ties
119  *	the link layer to an optional tty (if the tty side is open). To avoid
120  *	complexity right now these are only ever freed up when the mux is
121  *	shut down.
122  *
123  *	At the moment we don't free DLCI objects until the mux is torn down
124  *	this avoid object life time issues but might be worth review later.
125  */
126 
127 struct gsm_dlci {
128 	struct gsm_mux *gsm;
129 	int addr;
130 	enum gsm_dlci_state state;
131 	struct mutex mutex;
132 
133 	/* Link layer */
134 	enum gsm_dlci_mode mode;
135 	spinlock_t lock;	/* Protects the internal state */
136 	struct timer_list t1;	/* Retransmit timer for SABM and UA */
137 	int retries;
138 	/* Uplink tty if active */
139 	struct tty_port port;	/* The tty bound to this DLCI if there is one */
140 	struct kfifo fifo;	/* Queue fifo for the DLCI */
141 	int adaption;		/* Adaption layer in use */
142 	int prev_adaption;
143 	u32 modem_rx;		/* Our incoming virtual modem lines */
144 	u32 modem_tx;		/* Our outgoing modem lines */
145 	bool dead;		/* Refuse re-open */
146 	/* Flow control */
147 	bool throttled;		/* Private copy of throttle state */
148 	bool constipated;	/* Throttle status for outgoing */
149 	/* Packetised I/O */
150 	struct sk_buff *skb;	/* Frame being sent */
151 	struct sk_buff_head skb_list;	/* Queued frames */
152 	/* Data handling callback */
153 	void (*data)(struct gsm_dlci *dlci, const u8 *data, int len);
154 	void (*prev_data)(struct gsm_dlci *dlci, const u8 *data, int len);
155 	struct net_device *net; /* network interface, if created */
156 };
157 
158 /* DLCI 0, 62/63 are special or reserved see gsmtty_open */
159 
160 #define NUM_DLCI		64
161 
162 /*
163  *	DLCI 0 is used to pass control blocks out of band of the data
164  *	flow (and with a higher link priority). One command can be outstanding
165  *	at a time and we use this structure to manage them. They are created
166  *	and destroyed by the user context, and updated by the receive paths
167  *	and timers
168  */
169 
170 struct gsm_control {
171 	u8 cmd;		/* Command we are issuing */
172 	u8 *data;	/* Data for the command in case we retransmit */
173 	int len;	/* Length of block for retransmission */
174 	int done;	/* Done flag */
175 	int error;	/* Error if any */
176 };
177 
178 enum gsm_mux_state {
179 	GSM_SEARCH,
180 	GSM_START,
181 	GSM_ADDRESS,
182 	GSM_CONTROL,
183 	GSM_LEN,
184 	GSM_DATA,
185 	GSM_FCS,
186 	GSM_OVERRUN,
187 	GSM_LEN0,
188 	GSM_LEN1,
189 	GSM_SSOF,
190 };
191 
192 /*
193  *	Each GSM mux we have is represented by this structure. If we are
194  *	operating as an ldisc then we use this structure as our ldisc
195  *	state. We need to sort out lifetimes and locking with respect
196  *	to the gsm mux array. For now we don't free DLCI objects that
197  *	have been instantiated until the mux itself is terminated.
198  *
199  *	To consider further: tty open versus mux shutdown.
200  */
201 
202 struct gsm_mux {
203 	struct tty_struct *tty;		/* The tty our ldisc is bound to */
204 	spinlock_t lock;
205 	struct mutex mutex;
206 	unsigned int num;
207 	struct kref ref;
208 
209 	/* Events on the GSM channel */
210 	wait_queue_head_t event;
211 
212 	/* Bits for GSM mode decoding */
213 
214 	/* Framing Layer */
215 	unsigned char *buf;
216 	enum gsm_mux_state state;
217 	unsigned int len;
218 	unsigned int address;
219 	unsigned int count;
220 	bool escape;
221 	int encoding;
222 	u8 control;
223 	u8 fcs;
224 	u8 *txframe;			/* TX framing buffer */
225 
226 	/* Method for the receiver side */
227 	void (*receive)(struct gsm_mux *gsm, u8 ch);
228 
229 	/* Link Layer */
230 	unsigned int mru;
231 	unsigned int mtu;
232 	int initiator;			/* Did we initiate connection */
233 	bool dead;			/* Has the mux been shut down */
234 	struct gsm_dlci *dlci[NUM_DLCI];
235 	int old_c_iflag;		/* termios c_iflag value before attach */
236 	bool constipated;		/* Asked by remote to shut up */
237 
238 	spinlock_t tx_lock;
239 	unsigned int tx_bytes;		/* TX data outstanding */
240 #define TX_THRESH_HI		8192
241 #define TX_THRESH_LO		2048
242 	struct list_head tx_list;	/* Pending data packets */
243 
244 	/* Control messages */
245 	struct timer_list t2_timer;	/* Retransmit timer for commands */
246 	int cretries;			/* Command retry counter */
247 	struct gsm_control *pending_cmd;/* Our current pending command */
248 	spinlock_t control_lock;	/* Protects the pending command */
249 
250 	/* Configuration */
251 	int adaption;		/* 1 or 2 supported */
252 	u8 ftype;		/* UI or UIH */
253 	int t1, t2;		/* Timers in 1/100th of a sec */
254 	int n2;			/* Retry count */
255 
256 	/* Statistics (not currently exposed) */
257 	unsigned long bad_fcs;
258 	unsigned long malformed;
259 	unsigned long io_error;
260 	unsigned long bad_size;
261 	unsigned long unsupported;
262 };
263 
264 
265 /*
266  *	Mux objects - needed so that we can translate a tty index into the
267  *	relevant mux and DLCI.
268  */
269 
270 #define MAX_MUX		4			/* 256 minors */
271 static struct gsm_mux *gsm_mux[MAX_MUX];	/* GSM muxes */
272 static DEFINE_SPINLOCK(gsm_mux_lock);
273 
274 static struct tty_driver *gsm_tty_driver;
275 
276 /*
277  *	This section of the driver logic implements the GSM encodings
278  *	both the basic and the 'advanced'. Reliable transport is not
279  *	supported.
280  */
281 
282 #define CR			0x02
283 #define EA			0x01
284 #define	PF			0x10
285 
286 /* I is special: the rest are ..*/
287 #define RR			0x01
288 #define UI			0x03
289 #define RNR			0x05
290 #define REJ			0x09
291 #define DM			0x0F
292 #define SABM			0x2F
293 #define DISC			0x43
294 #define UA			0x63
295 #define	UIH			0xEF
296 
297 /* Channel commands */
298 #define CMD_NSC			0x09
299 #define CMD_TEST		0x11
300 #define CMD_PSC			0x21
301 #define CMD_RLS			0x29
302 #define CMD_FCOFF		0x31
303 #define CMD_PN			0x41
304 #define CMD_RPN			0x49
305 #define CMD_FCON		0x51
306 #define CMD_CLD			0x61
307 #define CMD_SNC			0x69
308 #define CMD_MSC			0x71
309 
310 /* Virtual modem bits */
311 #define MDM_FC			0x01
312 #define MDM_RTC			0x02
313 #define MDM_RTR			0x04
314 #define MDM_IC			0x20
315 #define MDM_DV			0x40
316 
317 #define GSM0_SOF		0xF9
318 #define GSM1_SOF		0x7E
319 #define GSM1_ESCAPE		0x7D
320 #define GSM1_ESCAPE_BITS	0x20
321 #define XON			0x11
322 #define XOFF			0x13
323 #define ISO_IEC_646_MASK	0x7F
324 
325 static const struct tty_port_operations gsm_port_ops;
326 
327 /*
328  *	CRC table for GSM 0710
329  */
330 
331 static const u8 gsm_fcs8[256] = {
332 	0x00, 0x91, 0xE3, 0x72, 0x07, 0x96, 0xE4, 0x75,
333 	0x0E, 0x9F, 0xED, 0x7C, 0x09, 0x98, 0xEA, 0x7B,
334 	0x1C, 0x8D, 0xFF, 0x6E, 0x1B, 0x8A, 0xF8, 0x69,
335 	0x12, 0x83, 0xF1, 0x60, 0x15, 0x84, 0xF6, 0x67,
336 	0x38, 0xA9, 0xDB, 0x4A, 0x3F, 0xAE, 0xDC, 0x4D,
337 	0x36, 0xA7, 0xD5, 0x44, 0x31, 0xA0, 0xD2, 0x43,
338 	0x24, 0xB5, 0xC7, 0x56, 0x23, 0xB2, 0xC0, 0x51,
339 	0x2A, 0xBB, 0xC9, 0x58, 0x2D, 0xBC, 0xCE, 0x5F,
340 	0x70, 0xE1, 0x93, 0x02, 0x77, 0xE6, 0x94, 0x05,
341 	0x7E, 0xEF, 0x9D, 0x0C, 0x79, 0xE8, 0x9A, 0x0B,
342 	0x6C, 0xFD, 0x8F, 0x1E, 0x6B, 0xFA, 0x88, 0x19,
343 	0x62, 0xF3, 0x81, 0x10, 0x65, 0xF4, 0x86, 0x17,
344 	0x48, 0xD9, 0xAB, 0x3A, 0x4F, 0xDE, 0xAC, 0x3D,
345 	0x46, 0xD7, 0xA5, 0x34, 0x41, 0xD0, 0xA2, 0x33,
346 	0x54, 0xC5, 0xB7, 0x26, 0x53, 0xC2, 0xB0, 0x21,
347 	0x5A, 0xCB, 0xB9, 0x28, 0x5D, 0xCC, 0xBE, 0x2F,
348 	0xE0, 0x71, 0x03, 0x92, 0xE7, 0x76, 0x04, 0x95,
349 	0xEE, 0x7F, 0x0D, 0x9C, 0xE9, 0x78, 0x0A, 0x9B,
350 	0xFC, 0x6D, 0x1F, 0x8E, 0xFB, 0x6A, 0x18, 0x89,
351 	0xF2, 0x63, 0x11, 0x80, 0xF5, 0x64, 0x16, 0x87,
352 	0xD8, 0x49, 0x3B, 0xAA, 0xDF, 0x4E, 0x3C, 0xAD,
353 	0xD6, 0x47, 0x35, 0xA4, 0xD1, 0x40, 0x32, 0xA3,
354 	0xC4, 0x55, 0x27, 0xB6, 0xC3, 0x52, 0x20, 0xB1,
355 	0xCA, 0x5B, 0x29, 0xB8, 0xCD, 0x5C, 0x2E, 0xBF,
356 	0x90, 0x01, 0x73, 0xE2, 0x97, 0x06, 0x74, 0xE5,
357 	0x9E, 0x0F, 0x7D, 0xEC, 0x99, 0x08, 0x7A, 0xEB,
358 	0x8C, 0x1D, 0x6F, 0xFE, 0x8B, 0x1A, 0x68, 0xF9,
359 	0x82, 0x13, 0x61, 0xF0, 0x85, 0x14, 0x66, 0xF7,
360 	0xA8, 0x39, 0x4B, 0xDA, 0xAF, 0x3E, 0x4C, 0xDD,
361 	0xA6, 0x37, 0x45, 0xD4, 0xA1, 0x30, 0x42, 0xD3,
362 	0xB4, 0x25, 0x57, 0xC6, 0xB3, 0x22, 0x50, 0xC1,
363 	0xBA, 0x2B, 0x59, 0xC8, 0xBD, 0x2C, 0x5E, 0xCF
364 };
365 
366 #define INIT_FCS	0xFF
367 #define GOOD_FCS	0xCF
368 
369 static int gsmld_output(struct gsm_mux *gsm, u8 *data, int len);
370 static int gsm_modem_update(struct gsm_dlci *dlci, u8 brk);
371 
372 /**
373  *	gsm_fcs_add	-	update FCS
374  *	@fcs: Current FCS
375  *	@c: Next data
376  *
377  *	Update the FCS to include c. Uses the algorithm in the specification
378  *	notes.
379  */
380 
381 static inline u8 gsm_fcs_add(u8 fcs, u8 c)
382 {
383 	return gsm_fcs8[fcs ^ c];
384 }
385 
386 /**
387  *	gsm_fcs_add_block	-	update FCS for a block
388  *	@fcs: Current FCS
389  *	@c: buffer of data
390  *	@len: length of buffer
391  *
392  *	Update the FCS to include c. Uses the algorithm in the specification
393  *	notes.
394  */
395 
396 static inline u8 gsm_fcs_add_block(u8 fcs, u8 *c, int len)
397 {
398 	while (len--)
399 		fcs = gsm_fcs8[fcs ^ *c++];
400 	return fcs;
401 }
402 
403 /**
404  *	gsm_read_ea		-	read a byte into an EA
405  *	@val: variable holding value
406  *	@c: byte going into the EA
407  *
408  *	Processes one byte of an EA. Updates the passed variable
409  *	and returns 1 if the EA is now completely read
410  */
411 
412 static int gsm_read_ea(unsigned int *val, u8 c)
413 {
414 	/* Add the next 7 bits into the value */
415 	*val <<= 7;
416 	*val |= c >> 1;
417 	/* Was this the last byte of the EA 1 = yes*/
418 	return c & EA;
419 }
420 
421 /**
422  *	gsm_encode_modem	-	encode modem data bits
423  *	@dlci: DLCI to encode from
424  *
425  *	Returns the correct GSM encoded modem status bits (6 bit field) for
426  *	the current status of the DLCI and attached tty object
427  */
428 
429 static u8 gsm_encode_modem(const struct gsm_dlci *dlci)
430 {
431 	u8 modembits = 0;
432 	/* FC is true flow control not modem bits */
433 	if (dlci->throttled)
434 		modembits |= MDM_FC;
435 	if (dlci->modem_tx & TIOCM_DTR)
436 		modembits |= MDM_RTC;
437 	if (dlci->modem_tx & TIOCM_RTS)
438 		modembits |= MDM_RTR;
439 	if (dlci->modem_tx & TIOCM_RI)
440 		modembits |= MDM_IC;
441 	if (dlci->modem_tx & TIOCM_CD || dlci->gsm->initiator)
442 		modembits |= MDM_DV;
443 	return modembits;
444 }
445 
446 /**
447  *	gsm_print_packet	-	display a frame for debug
448  *	@hdr: header to print before decode
449  *	@addr: address EA from the frame
450  *	@cr: C/R bit seen as initiator
451  *	@control: control including PF bit
452  *	@data: following data bytes
453  *	@dlen: length of data
454  *
455  *	Displays a packet in human readable format for debugging purposes. The
456  *	style is based on amateur radio LAP-B dump display.
457  */
458 
459 static void gsm_print_packet(const char *hdr, int addr, int cr,
460 					u8 control, const u8 *data, int dlen)
461 {
462 	if (!(debug & 1))
463 		return;
464 
465 	pr_info("%s %d) %c: ", hdr, addr, "RC"[cr]);
466 
467 	switch (control & ~PF) {
468 	case SABM:
469 		pr_cont("SABM");
470 		break;
471 	case UA:
472 		pr_cont("UA");
473 		break;
474 	case DISC:
475 		pr_cont("DISC");
476 		break;
477 	case DM:
478 		pr_cont("DM");
479 		break;
480 	case UI:
481 		pr_cont("UI");
482 		break;
483 	case UIH:
484 		pr_cont("UIH");
485 		break;
486 	default:
487 		if (!(control & 0x01)) {
488 			pr_cont("I N(S)%d N(R)%d",
489 				(control & 0x0E) >> 1, (control & 0xE0) >> 5);
490 		} else switch (control & 0x0F) {
491 			case RR:
492 				pr_cont("RR(%d)", (control & 0xE0) >> 5);
493 				break;
494 			case RNR:
495 				pr_cont("RNR(%d)", (control & 0xE0) >> 5);
496 				break;
497 			case REJ:
498 				pr_cont("REJ(%d)", (control & 0xE0) >> 5);
499 				break;
500 			default:
501 				pr_cont("[%02X]", control);
502 		}
503 	}
504 
505 	if (control & PF)
506 		pr_cont("(P)");
507 	else
508 		pr_cont("(F)");
509 
510 	print_hex_dump_bytes("", DUMP_PREFIX_NONE, data, dlen);
511 }
512 
513 
514 /*
515  *	Link level transmission side
516  */
517 
518 /**
519  *	gsm_stuff_frame	-	bytestuff a packet
520  *	@input: input buffer
521  *	@output: output buffer
522  *	@len: length of input
523  *
524  *	Expand a buffer by bytestuffing it. The worst case size change
525  *	is doubling and the caller is responsible for handing out
526  *	suitable sized buffers.
527  */
528 
529 static int gsm_stuff_frame(const u8 *input, u8 *output, int len)
530 {
531 	int olen = 0;
532 	while (len--) {
533 		if (*input == GSM1_SOF || *input == GSM1_ESCAPE
534 		    || (*input & ISO_IEC_646_MASK) == XON
535 		    || (*input & ISO_IEC_646_MASK) == XOFF) {
536 			*output++ = GSM1_ESCAPE;
537 			*output++ = *input++ ^ GSM1_ESCAPE_BITS;
538 			olen++;
539 		} else
540 			*output++ = *input++;
541 		olen++;
542 	}
543 	return olen;
544 }
545 
546 /**
547  *	gsm_send	-	send a control frame
548  *	@gsm: our GSM mux
549  *	@addr: address for control frame
550  *	@cr: command/response bit seen as initiator
551  *	@control:  control byte including PF bit
552  *
553  *	Format up and transmit a control frame. These do not go via the
554  *	queueing logic as they should be transmitted ahead of data when
555  *	they are needed.
556  *
557  *	FIXME: Lock versus data TX path
558  */
559 
560 static void gsm_send(struct gsm_mux *gsm, int addr, int cr, int control)
561 {
562 	int len;
563 	u8 cbuf[10];
564 	u8 ibuf[3];
565 	int ocr;
566 
567 	/* toggle C/R coding if not initiator */
568 	ocr = cr ^ (gsm->initiator ? 0 : 1);
569 
570 	switch (gsm->encoding) {
571 	case 0:
572 		cbuf[0] = GSM0_SOF;
573 		cbuf[1] = (addr << 2) | (ocr << 1) | EA;
574 		cbuf[2] = control;
575 		cbuf[3] = EA;	/* Length of data = 0 */
576 		cbuf[4] = 0xFF - gsm_fcs_add_block(INIT_FCS, cbuf + 1, 3);
577 		cbuf[5] = GSM0_SOF;
578 		len = 6;
579 		break;
580 	case 1:
581 	case 2:
582 		/* Control frame + packing (but not frame stuffing) in mode 1 */
583 		ibuf[0] = (addr << 2) | (ocr << 1) | EA;
584 		ibuf[1] = control;
585 		ibuf[2] = 0xFF - gsm_fcs_add_block(INIT_FCS, ibuf, 2);
586 		/* Stuffing may double the size worst case */
587 		len = gsm_stuff_frame(ibuf, cbuf + 1, 3);
588 		/* Now add the SOF markers */
589 		cbuf[0] = GSM1_SOF;
590 		cbuf[len + 1] = GSM1_SOF;
591 		/* FIXME: we can omit the lead one in many cases */
592 		len += 2;
593 		break;
594 	default:
595 		WARN_ON(1);
596 		return;
597 	}
598 	gsmld_output(gsm, cbuf, len);
599 	if (!gsm->initiator) {
600 		cr = cr & gsm->initiator;
601 		control = control & ~PF;
602 	}
603 	gsm_print_packet("-->", addr, cr, control, NULL, 0);
604 }
605 
606 /**
607  *	gsm_response	-	send a control response
608  *	@gsm: our GSM mux
609  *	@addr: address for control frame
610  *	@control:  control byte including PF bit
611  *
612  *	Format up and transmit a link level response frame.
613  */
614 
615 static inline void gsm_response(struct gsm_mux *gsm, int addr, int control)
616 {
617 	gsm_send(gsm, addr, 0, control);
618 }
619 
620 /**
621  *	gsm_command	-	send a control command
622  *	@gsm: our GSM mux
623  *	@addr: address for control frame
624  *	@control:  control byte including PF bit
625  *
626  *	Format up and transmit a link level command frame.
627  */
628 
629 static inline void gsm_command(struct gsm_mux *gsm, int addr, int control)
630 {
631 	gsm_send(gsm, addr, 1, control);
632 }
633 
634 /* Data transmission */
635 
636 #define HDR_LEN		6	/* ADDR CTRL [LEN.2] DATA FCS */
637 
638 /**
639  *	gsm_data_alloc		-	allocate data frame
640  *	@gsm: GSM mux
641  *	@addr: DLCI address
642  *	@len: length excluding header and FCS
643  *	@ctrl: control byte
644  *
645  *	Allocate a new data buffer for sending frames with data. Space is left
646  *	at the front for header bytes but that is treated as an implementation
647  *	detail and not for the high level code to use
648  */
649 
650 static struct gsm_msg *gsm_data_alloc(struct gsm_mux *gsm, u8 addr, int len,
651 								u8 ctrl)
652 {
653 	struct gsm_msg *m = kmalloc(sizeof(struct gsm_msg) + len + HDR_LEN,
654 								GFP_ATOMIC);
655 	if (m == NULL)
656 		return NULL;
657 	m->data = m->buffer + HDR_LEN - 1;	/* Allow for FCS */
658 	m->len = len;
659 	m->addr = addr;
660 	m->ctrl = ctrl;
661 	INIT_LIST_HEAD(&m->list);
662 	return m;
663 }
664 
665 /**
666  *	gsm_data_kick		-	poke the queue
667  *	@gsm: GSM Mux
668  *	@dlci: DLCI sending the data
669  *
670  *	The tty device has called us to indicate that room has appeared in
671  *	the transmit queue. Ram more data into the pipe if we have any
672  *	If we have been flow-stopped by a CMD_FCOFF, then we can only
673  *	send messages on DLCI0 until CMD_FCON
674  *
675  *	FIXME: lock against link layer control transmissions
676  */
677 
678 static void gsm_data_kick(struct gsm_mux *gsm, struct gsm_dlci *dlci)
679 {
680 	struct gsm_msg *msg, *nmsg;
681 	int len;
682 
683 	list_for_each_entry_safe(msg, nmsg, &gsm->tx_list, list) {
684 		if (gsm->constipated && msg->addr)
685 			continue;
686 		if (gsm->encoding != 0) {
687 			gsm->txframe[0] = GSM1_SOF;
688 			len = gsm_stuff_frame(msg->data,
689 						gsm->txframe + 1, msg->len);
690 			gsm->txframe[len + 1] = GSM1_SOF;
691 			len += 2;
692 		} else {
693 			gsm->txframe[0] = GSM0_SOF;
694 			memcpy(gsm->txframe + 1 , msg->data, msg->len);
695 			gsm->txframe[msg->len + 1] = GSM0_SOF;
696 			len = msg->len + 2;
697 		}
698 
699 		if (debug & 4)
700 			print_hex_dump_bytes("gsm_data_kick: ",
701 					     DUMP_PREFIX_OFFSET,
702 					     gsm->txframe, len);
703 		if (gsmld_output(gsm, gsm->txframe, len) <= 0)
704 			break;
705 		/* FIXME: Can eliminate one SOF in many more cases */
706 		gsm->tx_bytes -= msg->len;
707 
708 		list_del(&msg->list);
709 		kfree(msg);
710 
711 		if (dlci) {
712 			tty_port_tty_wakeup(&dlci->port);
713 		} else {
714 			int i = 0;
715 
716 			for (i = 0; i < NUM_DLCI; i++)
717 				if (gsm->dlci[i])
718 					tty_port_tty_wakeup(&gsm->dlci[i]->port);
719 		}
720 	}
721 }
722 
723 /**
724  *	__gsm_data_queue		-	queue a UI or UIH frame
725  *	@dlci: DLCI sending the data
726  *	@msg: message queued
727  *
728  *	Add data to the transmit queue and try and get stuff moving
729  *	out of the mux tty if not already doing so. The Caller must hold
730  *	the gsm tx lock.
731  */
732 
733 static void __gsm_data_queue(struct gsm_dlci *dlci, struct gsm_msg *msg)
734 {
735 	struct gsm_mux *gsm = dlci->gsm;
736 	u8 *dp = msg->data;
737 	u8 *fcs = dp + msg->len;
738 
739 	/* Fill in the header */
740 	if (gsm->encoding == 0) {
741 		if (msg->len < 128)
742 			*--dp = (msg->len << 1) | EA;
743 		else {
744 			*--dp = (msg->len >> 7);	/* bits 7 - 15 */
745 			*--dp = (msg->len & 127) << 1;	/* bits 0 - 6 */
746 		}
747 	}
748 
749 	*--dp = msg->ctrl;
750 	if (gsm->initiator)
751 		*--dp = (msg->addr << 2) | 2 | EA;
752 	else
753 		*--dp = (msg->addr << 2) | EA;
754 	*fcs = gsm_fcs_add_block(INIT_FCS, dp , msg->data - dp);
755 	/* Ugly protocol layering violation */
756 	if (msg->ctrl == UI || msg->ctrl == (UI|PF))
757 		*fcs = gsm_fcs_add_block(*fcs, msg->data, msg->len);
758 	*fcs = 0xFF - *fcs;
759 
760 	gsm_print_packet("Q> ", msg->addr, gsm->initiator, msg->ctrl,
761 							msg->data, msg->len);
762 
763 	/* Move the header back and adjust the length, also allow for the FCS
764 	   now tacked on the end */
765 	msg->len += (msg->data - dp) + 1;
766 	msg->data = dp;
767 
768 	/* Add to the actual output queue */
769 	list_add_tail(&msg->list, &gsm->tx_list);
770 	gsm->tx_bytes += msg->len;
771 	gsm_data_kick(gsm, dlci);
772 }
773 
774 /**
775  *	gsm_data_queue		-	queue a UI or UIH frame
776  *	@dlci: DLCI sending the data
777  *	@msg: message queued
778  *
779  *	Add data to the transmit queue and try and get stuff moving
780  *	out of the mux tty if not already doing so. Take the
781  *	the gsm tx lock and dlci lock.
782  */
783 
784 static void gsm_data_queue(struct gsm_dlci *dlci, struct gsm_msg *msg)
785 {
786 	unsigned long flags;
787 	spin_lock_irqsave(&dlci->gsm->tx_lock, flags);
788 	__gsm_data_queue(dlci, msg);
789 	spin_unlock_irqrestore(&dlci->gsm->tx_lock, flags);
790 }
791 
792 /**
793  *	gsm_dlci_data_output	-	try and push data out of a DLCI
794  *	@gsm: mux
795  *	@dlci: the DLCI to pull data from
796  *
797  *	Pull data from a DLCI and send it into the transmit queue if there
798  *	is data. Keep to the MRU of the mux. This path handles the usual tty
799  *	interface which is a byte stream with optional modem data.
800  *
801  *	Caller must hold the tx_lock of the mux.
802  */
803 
804 static int gsm_dlci_data_output(struct gsm_mux *gsm, struct gsm_dlci *dlci)
805 {
806 	struct gsm_msg *msg;
807 	u8 *dp;
808 	int len, total_size, size;
809 	int h = dlci->adaption - 1;
810 
811 	total_size = 0;
812 	while (1) {
813 		len = kfifo_len(&dlci->fifo);
814 		if (len == 0)
815 			return total_size;
816 
817 		/* MTU/MRU count only the data bits */
818 		if (len > gsm->mtu)
819 			len = gsm->mtu;
820 
821 		size = len + h;
822 
823 		msg = gsm_data_alloc(gsm, dlci->addr, size, gsm->ftype);
824 		/* FIXME: need a timer or something to kick this so it can't
825 		   get stuck with no work outstanding and no buffer free */
826 		if (msg == NULL)
827 			return -ENOMEM;
828 		dp = msg->data;
829 		switch (dlci->adaption) {
830 		case 1:	/* Unstructured */
831 			break;
832 		case 2:	/* Unstructed with modem bits.
833 		Always one byte as we never send inline break data */
834 			*dp++ = (gsm_encode_modem(dlci) << 1) | EA;
835 			break;
836 		}
837 		WARN_ON(kfifo_out_locked(&dlci->fifo, dp , len, &dlci->lock) != len);
838 		__gsm_data_queue(dlci, msg);
839 		total_size += size;
840 	}
841 	/* Bytes of data we used up */
842 	return total_size;
843 }
844 
845 /**
846  *	gsm_dlci_data_output_framed  -	try and push data out of a DLCI
847  *	@gsm: mux
848  *	@dlci: the DLCI to pull data from
849  *
850  *	Pull data from a DLCI and send it into the transmit queue if there
851  *	is data. Keep to the MRU of the mux. This path handles framed data
852  *	queued as skbuffs to the DLCI.
853  *
854  *	Caller must hold the tx_lock of the mux.
855  */
856 
857 static int gsm_dlci_data_output_framed(struct gsm_mux *gsm,
858 						struct gsm_dlci *dlci)
859 {
860 	struct gsm_msg *msg;
861 	u8 *dp;
862 	int len, size;
863 	int last = 0, first = 0;
864 	int overhead = 0;
865 
866 	/* One byte per frame is used for B/F flags */
867 	if (dlci->adaption == 4)
868 		overhead = 1;
869 
870 	/* dlci->skb is locked by tx_lock */
871 	if (dlci->skb == NULL) {
872 		dlci->skb = skb_dequeue_tail(&dlci->skb_list);
873 		if (dlci->skb == NULL)
874 			return 0;
875 		first = 1;
876 	}
877 	len = dlci->skb->len + overhead;
878 
879 	/* MTU/MRU count only the data bits */
880 	if (len > gsm->mtu) {
881 		if (dlci->adaption == 3) {
882 			/* Over long frame, bin it */
883 			dev_kfree_skb_any(dlci->skb);
884 			dlci->skb = NULL;
885 			return 0;
886 		}
887 		len = gsm->mtu;
888 	} else
889 		last = 1;
890 
891 	size = len + overhead;
892 	msg = gsm_data_alloc(gsm, dlci->addr, size, gsm->ftype);
893 
894 	/* FIXME: need a timer or something to kick this so it can't
895 	   get stuck with no work outstanding and no buffer free */
896 	if (msg == NULL) {
897 		skb_queue_tail(&dlci->skb_list, dlci->skb);
898 		dlci->skb = NULL;
899 		return -ENOMEM;
900 	}
901 	dp = msg->data;
902 
903 	if (dlci->adaption == 4) { /* Interruptible framed (Packetised Data) */
904 		/* Flag byte to carry the start/end info */
905 		*dp++ = last << 7 | first << 6 | 1;	/* EA */
906 		len--;
907 	}
908 	memcpy(dp, dlci->skb->data, len);
909 	skb_pull(dlci->skb, len);
910 	__gsm_data_queue(dlci, msg);
911 	if (last) {
912 		dev_kfree_skb_any(dlci->skb);
913 		dlci->skb = NULL;
914 	}
915 	return size;
916 }
917 
918 /**
919  *	gsm_dlci_modem_output	-	try and push modem status out of a DLCI
920  *	@gsm: mux
921  *	@dlci: the DLCI to pull modem status from
922  *	@brk: break signal
923  *
924  *	Push an empty frame in to the transmit queue to update the modem status
925  *	bits and to transmit an optional break.
926  *
927  *	Caller must hold the tx_lock of the mux.
928  */
929 
930 static int gsm_dlci_modem_output(struct gsm_mux *gsm, struct gsm_dlci *dlci,
931 				 u8 brk)
932 {
933 	u8 *dp = NULL;
934 	struct gsm_msg *msg;
935 	int size = 0;
936 
937 	/* for modem bits without break data */
938 	switch (dlci->adaption) {
939 	case 1: /* Unstructured */
940 		break;
941 	case 2: /* Unstructured with modem bits. */
942 		size++;
943 		if (brk > 0)
944 			size++;
945 		break;
946 	default:
947 		pr_err("%s: unsupported adaption %d\n", __func__,
948 		       dlci->adaption);
949 		return -EINVAL;
950 	}
951 
952 	msg = gsm_data_alloc(gsm, dlci->addr, size, gsm->ftype);
953 	if (!msg) {
954 		pr_err("%s: gsm_data_alloc error", __func__);
955 		return -ENOMEM;
956 	}
957 	dp = msg->data;
958 	switch (dlci->adaption) {
959 	case 1: /* Unstructured */
960 		break;
961 	case 2: /* Unstructured with modem bits. */
962 		if (brk == 0) {
963 			*dp++ = (gsm_encode_modem(dlci) << 1) | EA;
964 		} else {
965 			*dp++ = gsm_encode_modem(dlci) << 1;
966 			*dp++ = (brk << 4) | 2 | EA; /* Length, Break, EA */
967 		}
968 		break;
969 	default:
970 		/* Handled above */
971 		break;
972 	}
973 
974 	__gsm_data_queue(dlci, msg);
975 	return size;
976 }
977 
978 /**
979  *	gsm_dlci_data_sweep		-	look for data to send
980  *	@gsm: the GSM mux
981  *
982  *	Sweep the GSM mux channels in priority order looking for ones with
983  *	data to send. We could do with optimising this scan a bit. We aim
984  *	to fill the queue totally or up to TX_THRESH_HI bytes. Once we hit
985  *	TX_THRESH_LO we get called again
986  *
987  *	FIXME: We should round robin between groups and in theory you can
988  *	renegotiate DLCI priorities with optional stuff. Needs optimising.
989  */
990 
991 static void gsm_dlci_data_sweep(struct gsm_mux *gsm)
992 {
993 	int len;
994 	/* Priority ordering: We should do priority with RR of the groups */
995 	int i = 1;
996 
997 	while (i < NUM_DLCI) {
998 		struct gsm_dlci *dlci;
999 
1000 		if (gsm->tx_bytes > TX_THRESH_HI)
1001 			break;
1002 		dlci = gsm->dlci[i];
1003 		if (dlci == NULL || dlci->constipated) {
1004 			i++;
1005 			continue;
1006 		}
1007 		if (dlci->adaption < 3 && !dlci->net)
1008 			len = gsm_dlci_data_output(gsm, dlci);
1009 		else
1010 			len = gsm_dlci_data_output_framed(gsm, dlci);
1011 		if (len < 0)
1012 			break;
1013 		/* DLCI empty - try the next */
1014 		if (len == 0)
1015 			i++;
1016 	}
1017 }
1018 
1019 /**
1020  *	gsm_dlci_data_kick	-	transmit if possible
1021  *	@dlci: DLCI to kick
1022  *
1023  *	Transmit data from this DLCI if the queue is empty. We can't rely on
1024  *	a tty wakeup except when we filled the pipe so we need to fire off
1025  *	new data ourselves in other cases.
1026  */
1027 
1028 static void gsm_dlci_data_kick(struct gsm_dlci *dlci)
1029 {
1030 	unsigned long flags;
1031 	int sweep;
1032 
1033 	if (dlci->constipated)
1034 		return;
1035 
1036 	spin_lock_irqsave(&dlci->gsm->tx_lock, flags);
1037 	/* If we have nothing running then we need to fire up */
1038 	sweep = (dlci->gsm->tx_bytes < TX_THRESH_LO);
1039 	if (dlci->gsm->tx_bytes == 0) {
1040 		if (dlci->net)
1041 			gsm_dlci_data_output_framed(dlci->gsm, dlci);
1042 		else
1043 			gsm_dlci_data_output(dlci->gsm, dlci);
1044 	}
1045 	if (sweep)
1046 		gsm_dlci_data_sweep(dlci->gsm);
1047 	spin_unlock_irqrestore(&dlci->gsm->tx_lock, flags);
1048 }
1049 
1050 /*
1051  *	Control message processing
1052  */
1053 
1054 
1055 /**
1056  *	gsm_control_reply	-	send a response frame to a control
1057  *	@gsm: gsm channel
1058  *	@cmd: the command to use
1059  *	@data: data to follow encoded info
1060  *	@dlen: length of data
1061  *
1062  *	Encode up and queue a UI/UIH frame containing our response.
1063  */
1064 
1065 static void gsm_control_reply(struct gsm_mux *gsm, int cmd, const u8 *data,
1066 					int dlen)
1067 {
1068 	struct gsm_msg *msg;
1069 	msg = gsm_data_alloc(gsm, 0, dlen + 2, gsm->ftype);
1070 	if (msg == NULL)
1071 		return;
1072 	msg->data[0] = (cmd & 0xFE) << 1 | EA;	/* Clear C/R */
1073 	msg->data[1] = (dlen << 1) | EA;
1074 	memcpy(msg->data + 2, data, dlen);
1075 	gsm_data_queue(gsm->dlci[0], msg);
1076 }
1077 
1078 /**
1079  *	gsm_process_modem	-	process received modem status
1080  *	@tty: virtual tty bound to the DLCI
1081  *	@dlci: DLCI to affect
1082  *	@modem: modem bits (full EA)
1083  *	@slen: number of signal octets
1084  *
1085  *	Used when a modem control message or line state inline in adaption
1086  *	layer 2 is processed. Sort out the local modem state and throttles
1087  */
1088 
1089 static void gsm_process_modem(struct tty_struct *tty, struct gsm_dlci *dlci,
1090 							u32 modem, int slen)
1091 {
1092 	int  mlines = 0;
1093 	u8 brk = 0;
1094 	int fc;
1095 
1096 	/* The modem status command can either contain one octet (V.24 signals)
1097 	 * or two octets (V.24 signals + break signals). This is specified in
1098 	 * section 5.4.6.3.7 of the 07.10 mux spec.
1099 	 */
1100 
1101 	if (slen == 1)
1102 		modem = modem & 0x7f;
1103 	else {
1104 		brk = modem & 0x7f;
1105 		modem = (modem >> 7) & 0x7f;
1106 	}
1107 
1108 	/* Flow control/ready to communicate */
1109 	fc = (modem & MDM_FC) || !(modem & MDM_RTR);
1110 	if (fc && !dlci->constipated) {
1111 		/* Need to throttle our output on this device */
1112 		dlci->constipated = true;
1113 	} else if (!fc && dlci->constipated) {
1114 		dlci->constipated = false;
1115 		gsm_dlci_data_kick(dlci);
1116 	}
1117 
1118 	/* Map modem bits */
1119 	if (modem & MDM_RTC)
1120 		mlines |= TIOCM_DSR | TIOCM_DTR;
1121 	if (modem & MDM_RTR)
1122 		mlines |= TIOCM_RTS | TIOCM_CTS;
1123 	if (modem & MDM_IC)
1124 		mlines |= TIOCM_RI;
1125 	if (modem & MDM_DV)
1126 		mlines |= TIOCM_CD;
1127 
1128 	/* Carrier drop -> hangup */
1129 	if (tty) {
1130 		if ((mlines & TIOCM_CD) == 0 && (dlci->modem_rx & TIOCM_CD))
1131 			if (!C_CLOCAL(tty))
1132 				tty_hangup(tty);
1133 	}
1134 	if (brk & 0x01)
1135 		tty_insert_flip_char(&dlci->port, 0, TTY_BREAK);
1136 	dlci->modem_rx = mlines;
1137 }
1138 
1139 /**
1140  *	gsm_control_modem	-	modem status received
1141  *	@gsm: GSM channel
1142  *	@data: data following command
1143  *	@clen: command length
1144  *
1145  *	We have received a modem status control message. This is used by
1146  *	the GSM mux protocol to pass virtual modem line status and optionally
1147  *	to indicate break signals. Unpack it, convert to Linux representation
1148  *	and if need be stuff a break message down the tty.
1149  */
1150 
1151 static void gsm_control_modem(struct gsm_mux *gsm, const u8 *data, int clen)
1152 {
1153 	unsigned int addr = 0;
1154 	unsigned int modem = 0;
1155 	struct gsm_dlci *dlci;
1156 	int len = clen;
1157 	int slen;
1158 	const u8 *dp = data;
1159 	struct tty_struct *tty;
1160 
1161 	while (gsm_read_ea(&addr, *dp++) == 0) {
1162 		len--;
1163 		if (len == 0)
1164 			return;
1165 	}
1166 	/* Must be at least one byte following the EA */
1167 	len--;
1168 	if (len <= 0)
1169 		return;
1170 
1171 	addr >>= 1;
1172 	/* Closed port, or invalid ? */
1173 	if (addr == 0 || addr >= NUM_DLCI || gsm->dlci[addr] == NULL)
1174 		return;
1175 	dlci = gsm->dlci[addr];
1176 
1177 	slen = len;
1178 	while (gsm_read_ea(&modem, *dp++) == 0) {
1179 		len--;
1180 		if (len == 0)
1181 			return;
1182 	}
1183 	len--;
1184 	tty = tty_port_tty_get(&dlci->port);
1185 	gsm_process_modem(tty, dlci, modem, slen - len);
1186 	if (tty) {
1187 		tty_wakeup(tty);
1188 		tty_kref_put(tty);
1189 	}
1190 	gsm_control_reply(gsm, CMD_MSC, data, clen);
1191 }
1192 
1193 /**
1194  *	gsm_control_rls		-	remote line status
1195  *	@gsm: GSM channel
1196  *	@data: data bytes
1197  *	@clen: data length
1198  *
1199  *	The modem sends us a two byte message on the control channel whenever
1200  *	it wishes to send us an error state from the virtual link. Stuff
1201  *	this into the uplink tty if present
1202  */
1203 
1204 static void gsm_control_rls(struct gsm_mux *gsm, const u8 *data, int clen)
1205 {
1206 	struct tty_port *port;
1207 	unsigned int addr = 0;
1208 	u8 bits;
1209 	int len = clen;
1210 	const u8 *dp = data;
1211 
1212 	while (gsm_read_ea(&addr, *dp++) == 0) {
1213 		len--;
1214 		if (len == 0)
1215 			return;
1216 	}
1217 	/* Must be at least one byte following ea */
1218 	len--;
1219 	if (len <= 0)
1220 		return;
1221 	addr >>= 1;
1222 	/* Closed port, or invalid ? */
1223 	if (addr == 0 || addr >= NUM_DLCI || gsm->dlci[addr] == NULL)
1224 		return;
1225 	/* No error ? */
1226 	bits = *dp;
1227 	if ((bits & 1) == 0)
1228 		return;
1229 
1230 	port = &gsm->dlci[addr]->port;
1231 
1232 	if (bits & 2)
1233 		tty_insert_flip_char(port, 0, TTY_OVERRUN);
1234 	if (bits & 4)
1235 		tty_insert_flip_char(port, 0, TTY_PARITY);
1236 	if (bits & 8)
1237 		tty_insert_flip_char(port, 0, TTY_FRAME);
1238 
1239 	tty_flip_buffer_push(port);
1240 
1241 	gsm_control_reply(gsm, CMD_RLS, data, clen);
1242 }
1243 
1244 static void gsm_dlci_begin_close(struct gsm_dlci *dlci);
1245 
1246 /**
1247  *	gsm_control_message	-	DLCI 0 control processing
1248  *	@gsm: our GSM mux
1249  *	@command:  the command EA
1250  *	@data: data beyond the command/length EAs
1251  *	@clen: length
1252  *
1253  *	Input processor for control messages from the other end of the link.
1254  *	Processes the incoming request and queues a response frame or an
1255  *	NSC response if not supported
1256  */
1257 
1258 static void gsm_control_message(struct gsm_mux *gsm, unsigned int command,
1259 						const u8 *data, int clen)
1260 {
1261 	u8 buf[1];
1262 	unsigned long flags;
1263 
1264 	switch (command) {
1265 	case CMD_CLD: {
1266 		struct gsm_dlci *dlci = gsm->dlci[0];
1267 		/* Modem wishes to close down */
1268 		if (dlci) {
1269 			dlci->dead = true;
1270 			gsm->dead = true;
1271 			gsm_dlci_begin_close(dlci);
1272 		}
1273 		}
1274 		break;
1275 	case CMD_TEST:
1276 		/* Modem wishes to test, reply with the data */
1277 		gsm_control_reply(gsm, CMD_TEST, data, clen);
1278 		break;
1279 	case CMD_FCON:
1280 		/* Modem can accept data again */
1281 		gsm->constipated = false;
1282 		gsm_control_reply(gsm, CMD_FCON, NULL, 0);
1283 		/* Kick the link in case it is idling */
1284 		spin_lock_irqsave(&gsm->tx_lock, flags);
1285 		gsm_data_kick(gsm, NULL);
1286 		spin_unlock_irqrestore(&gsm->tx_lock, flags);
1287 		break;
1288 	case CMD_FCOFF:
1289 		/* Modem wants us to STFU */
1290 		gsm->constipated = true;
1291 		gsm_control_reply(gsm, CMD_FCOFF, NULL, 0);
1292 		break;
1293 	case CMD_MSC:
1294 		/* Out of band modem line change indicator for a DLCI */
1295 		gsm_control_modem(gsm, data, clen);
1296 		break;
1297 	case CMD_RLS:
1298 		/* Out of band error reception for a DLCI */
1299 		gsm_control_rls(gsm, data, clen);
1300 		break;
1301 	case CMD_PSC:
1302 		/* Modem wishes to enter power saving state */
1303 		gsm_control_reply(gsm, CMD_PSC, NULL, 0);
1304 		break;
1305 		/* Optional unsupported commands */
1306 	case CMD_PN:	/* Parameter negotiation */
1307 	case CMD_RPN:	/* Remote port negotiation */
1308 	case CMD_SNC:	/* Service negotiation command */
1309 	default:
1310 		/* Reply to bad commands with an NSC */
1311 		buf[0] = command;
1312 		gsm_control_reply(gsm, CMD_NSC, buf, 1);
1313 		break;
1314 	}
1315 }
1316 
1317 /**
1318  *	gsm_control_response	-	process a response to our control
1319  *	@gsm: our GSM mux
1320  *	@command: the command (response) EA
1321  *	@data: data beyond the command/length EA
1322  *	@clen: length
1323  *
1324  *	Process a response to an outstanding command. We only allow a single
1325  *	control message in flight so this is fairly easy. All the clean up
1326  *	is done by the caller, we just update the fields, flag it as done
1327  *	and return
1328  */
1329 
1330 static void gsm_control_response(struct gsm_mux *gsm, unsigned int command,
1331 						const u8 *data, int clen)
1332 {
1333 	struct gsm_control *ctrl;
1334 	unsigned long flags;
1335 
1336 	spin_lock_irqsave(&gsm->control_lock, flags);
1337 
1338 	ctrl = gsm->pending_cmd;
1339 	/* Does the reply match our command */
1340 	command |= 1;
1341 	if (ctrl != NULL && (command == ctrl->cmd || command == CMD_NSC)) {
1342 		/* Our command was replied to, kill the retry timer */
1343 		del_timer(&gsm->t2_timer);
1344 		gsm->pending_cmd = NULL;
1345 		/* Rejected by the other end */
1346 		if (command == CMD_NSC)
1347 			ctrl->error = -EOPNOTSUPP;
1348 		ctrl->done = 1;
1349 		wake_up(&gsm->event);
1350 	}
1351 	spin_unlock_irqrestore(&gsm->control_lock, flags);
1352 }
1353 
1354 /**
1355  *	gsm_control_transmit	-	send control packet
1356  *	@gsm: gsm mux
1357  *	@ctrl: frame to send
1358  *
1359  *	Send out a pending control command (called under control lock)
1360  */
1361 
1362 static void gsm_control_transmit(struct gsm_mux *gsm, struct gsm_control *ctrl)
1363 {
1364 	struct gsm_msg *msg = gsm_data_alloc(gsm, 0, ctrl->len + 2, gsm->ftype);
1365 	if (msg == NULL)
1366 		return;
1367 	msg->data[0] = (ctrl->cmd << 1) | CR | EA;	/* command */
1368 	msg->data[1] = (ctrl->len << 1) | EA;
1369 	memcpy(msg->data + 2, ctrl->data, ctrl->len);
1370 	gsm_data_queue(gsm->dlci[0], msg);
1371 }
1372 
1373 /**
1374  *	gsm_control_retransmit	-	retransmit a control frame
1375  *	@t: timer contained in our gsm object
1376  *
1377  *	Called off the T2 timer expiry in order to retransmit control frames
1378  *	that have been lost in the system somewhere. The control_lock protects
1379  *	us from colliding with another sender or a receive completion event.
1380  *	In that situation the timer may still occur in a small window but
1381  *	gsm->pending_cmd will be NULL and we just let the timer expire.
1382  */
1383 
1384 static void gsm_control_retransmit(struct timer_list *t)
1385 {
1386 	struct gsm_mux *gsm = from_timer(gsm, t, t2_timer);
1387 	struct gsm_control *ctrl;
1388 	unsigned long flags;
1389 	spin_lock_irqsave(&gsm->control_lock, flags);
1390 	ctrl = gsm->pending_cmd;
1391 	if (ctrl) {
1392 		if (gsm->cretries == 0) {
1393 			gsm->pending_cmd = NULL;
1394 			ctrl->error = -ETIMEDOUT;
1395 			ctrl->done = 1;
1396 			spin_unlock_irqrestore(&gsm->control_lock, flags);
1397 			wake_up(&gsm->event);
1398 			return;
1399 		}
1400 		gsm->cretries--;
1401 		gsm_control_transmit(gsm, ctrl);
1402 		mod_timer(&gsm->t2_timer, jiffies + gsm->t2 * HZ / 100);
1403 	}
1404 	spin_unlock_irqrestore(&gsm->control_lock, flags);
1405 }
1406 
1407 /**
1408  *	gsm_control_send	-	send a control frame on DLCI 0
1409  *	@gsm: the GSM channel
1410  *	@command: command  to send including CR bit
1411  *	@data: bytes of data (must be kmalloced)
1412  *	@clen: length of the block to send
1413  *
1414  *	Queue and dispatch a control command. Only one command can be
1415  *	active at a time. In theory more can be outstanding but the matching
1416  *	gets really complicated so for now stick to one outstanding.
1417  */
1418 
1419 static struct gsm_control *gsm_control_send(struct gsm_mux *gsm,
1420 		unsigned int command, u8 *data, int clen)
1421 {
1422 	struct gsm_control *ctrl = kzalloc(sizeof(struct gsm_control),
1423 						GFP_KERNEL);
1424 	unsigned long flags;
1425 	if (ctrl == NULL)
1426 		return NULL;
1427 retry:
1428 	wait_event(gsm->event, gsm->pending_cmd == NULL);
1429 	spin_lock_irqsave(&gsm->control_lock, flags);
1430 	if (gsm->pending_cmd != NULL) {
1431 		spin_unlock_irqrestore(&gsm->control_lock, flags);
1432 		goto retry;
1433 	}
1434 	ctrl->cmd = command;
1435 	ctrl->data = data;
1436 	ctrl->len = clen;
1437 	gsm->pending_cmd = ctrl;
1438 
1439 	/* If DLCI0 is in ADM mode skip retries, it won't respond */
1440 	if (gsm->dlci[0]->mode == DLCI_MODE_ADM)
1441 		gsm->cretries = 0;
1442 	else
1443 		gsm->cretries = gsm->n2;
1444 
1445 	mod_timer(&gsm->t2_timer, jiffies + gsm->t2 * HZ / 100);
1446 	gsm_control_transmit(gsm, ctrl);
1447 	spin_unlock_irqrestore(&gsm->control_lock, flags);
1448 	return ctrl;
1449 }
1450 
1451 /**
1452  *	gsm_control_wait	-	wait for a control to finish
1453  *	@gsm: GSM mux
1454  *	@control: control we are waiting on
1455  *
1456  *	Waits for the control to complete or time out. Frees any used
1457  *	resources and returns 0 for success, or an error if the remote
1458  *	rejected or ignored the request.
1459  */
1460 
1461 static int gsm_control_wait(struct gsm_mux *gsm, struct gsm_control *control)
1462 {
1463 	int err;
1464 	wait_event(gsm->event, control->done == 1);
1465 	err = control->error;
1466 	kfree(control);
1467 	return err;
1468 }
1469 
1470 
1471 /*
1472  *	DLCI level handling: Needs krefs
1473  */
1474 
1475 /*
1476  *	State transitions and timers
1477  */
1478 
1479 /**
1480  *	gsm_dlci_close		-	a DLCI has closed
1481  *	@dlci: DLCI that closed
1482  *
1483  *	Perform processing when moving a DLCI into closed state. If there
1484  *	is an attached tty this is hung up
1485  */
1486 
1487 static void gsm_dlci_close(struct gsm_dlci *dlci)
1488 {
1489 	unsigned long flags;
1490 
1491 	del_timer(&dlci->t1);
1492 	if (debug & 8)
1493 		pr_debug("DLCI %d goes closed.\n", dlci->addr);
1494 	dlci->state = DLCI_CLOSED;
1495 	if (dlci->addr != 0) {
1496 		tty_port_tty_hangup(&dlci->port, false);
1497 		spin_lock_irqsave(&dlci->lock, flags);
1498 		kfifo_reset(&dlci->fifo);
1499 		spin_unlock_irqrestore(&dlci->lock, flags);
1500 		/* Ensure that gsmtty_open() can return. */
1501 		tty_port_set_initialized(&dlci->port, 0);
1502 		wake_up_interruptible(&dlci->port.open_wait);
1503 	} else
1504 		dlci->gsm->dead = true;
1505 	wake_up(&dlci->gsm->event);
1506 	/* A DLCI 0 close is a MUX termination so we need to kick that
1507 	   back to userspace somehow */
1508 }
1509 
1510 /**
1511  *	gsm_dlci_open		-	a DLCI has opened
1512  *	@dlci: DLCI that opened
1513  *
1514  *	Perform processing when moving a DLCI into open state.
1515  */
1516 
1517 static void gsm_dlci_open(struct gsm_dlci *dlci)
1518 {
1519 	/* Note that SABM UA .. SABM UA first UA lost can mean that we go
1520 	   open -> open */
1521 	del_timer(&dlci->t1);
1522 	/* This will let a tty open continue */
1523 	dlci->state = DLCI_OPEN;
1524 	if (debug & 8)
1525 		pr_debug("DLCI %d goes open.\n", dlci->addr);
1526 	/* Send current modem state */
1527 	if (dlci->addr)
1528 		gsm_modem_update(dlci, 0);
1529 	wake_up(&dlci->gsm->event);
1530 }
1531 
1532 /**
1533  *	gsm_dlci_t1		-	T1 timer expiry
1534  *	@t: timer contained in the DLCI that opened
1535  *
1536  *	The T1 timer handles retransmits of control frames (essentially of
1537  *	SABM and DISC). We resend the command until the retry count runs out
1538  *	in which case an opening port goes back to closed and a closing port
1539  *	is simply put into closed state (any further frames from the other
1540  *	end will get a DM response)
1541  *
1542  *	Some control dlci can stay in ADM mode with other dlci working just
1543  *	fine. In that case we can just keep the control dlci open after the
1544  *	DLCI_OPENING retries time out.
1545  */
1546 
1547 static void gsm_dlci_t1(struct timer_list *t)
1548 {
1549 	struct gsm_dlci *dlci = from_timer(dlci, t, t1);
1550 	struct gsm_mux *gsm = dlci->gsm;
1551 
1552 	switch (dlci->state) {
1553 	case DLCI_OPENING:
1554 		dlci->retries--;
1555 		if (dlci->retries) {
1556 			gsm_command(dlci->gsm, dlci->addr, SABM|PF);
1557 			mod_timer(&dlci->t1, jiffies + gsm->t1 * HZ / 100);
1558 		} else if (!dlci->addr && gsm->control == (DM | PF)) {
1559 			if (debug & 8)
1560 				pr_info("DLCI %d opening in ADM mode.\n",
1561 					dlci->addr);
1562 			dlci->mode = DLCI_MODE_ADM;
1563 			gsm_dlci_open(dlci);
1564 		} else {
1565 			gsm_dlci_begin_close(dlci); /* prevent half open link */
1566 		}
1567 
1568 		break;
1569 	case DLCI_CLOSING:
1570 		dlci->retries--;
1571 		if (dlci->retries) {
1572 			gsm_command(dlci->gsm, dlci->addr, DISC|PF);
1573 			mod_timer(&dlci->t1, jiffies + gsm->t1 * HZ / 100);
1574 		} else
1575 			gsm_dlci_close(dlci);
1576 		break;
1577 	default:
1578 		pr_debug("%s: unhandled state: %d\n", __func__, dlci->state);
1579 		break;
1580 	}
1581 }
1582 
1583 /**
1584  *	gsm_dlci_begin_open	-	start channel open procedure
1585  *	@dlci: DLCI to open
1586  *
1587  *	Commence opening a DLCI from the Linux side. We issue SABM messages
1588  *	to the modem which should then reply with a UA or ADM, at which point
1589  *	we will move into open state. Opening is done asynchronously with retry
1590  *	running off timers and the responses.
1591  */
1592 
1593 static void gsm_dlci_begin_open(struct gsm_dlci *dlci)
1594 {
1595 	struct gsm_mux *gsm = dlci->gsm;
1596 	if (dlci->state == DLCI_OPEN || dlci->state == DLCI_OPENING)
1597 		return;
1598 	dlci->retries = gsm->n2;
1599 	dlci->state = DLCI_OPENING;
1600 	gsm_command(dlci->gsm, dlci->addr, SABM|PF);
1601 	mod_timer(&dlci->t1, jiffies + gsm->t1 * HZ / 100);
1602 }
1603 
1604 /**
1605  *	gsm_dlci_begin_close	-	start channel open procedure
1606  *	@dlci: DLCI to open
1607  *
1608  *	Commence closing a DLCI from the Linux side. We issue DISC messages
1609  *	to the modem which should then reply with a UA, at which point we
1610  *	will move into closed state. Closing is done asynchronously with retry
1611  *	off timers. We may also receive a DM reply from the other end which
1612  *	indicates the channel was already closed.
1613  */
1614 
1615 static void gsm_dlci_begin_close(struct gsm_dlci *dlci)
1616 {
1617 	struct gsm_mux *gsm = dlci->gsm;
1618 	if (dlci->state == DLCI_CLOSED || dlci->state == DLCI_CLOSING)
1619 		return;
1620 	dlci->retries = gsm->n2;
1621 	dlci->state = DLCI_CLOSING;
1622 	gsm_command(dlci->gsm, dlci->addr, DISC|PF);
1623 	mod_timer(&dlci->t1, jiffies + gsm->t1 * HZ / 100);
1624 }
1625 
1626 /**
1627  *	gsm_dlci_data		-	data arrived
1628  *	@dlci: channel
1629  *	@data: block of bytes received
1630  *	@clen: length of received block
1631  *
1632  *	A UI or UIH frame has arrived which contains data for a channel
1633  *	other than the control channel. If the relevant virtual tty is
1634  *	open we shovel the bits down it, if not we drop them.
1635  */
1636 
1637 static void gsm_dlci_data(struct gsm_dlci *dlci, const u8 *data, int clen)
1638 {
1639 	/* krefs .. */
1640 	struct tty_port *port = &dlci->port;
1641 	struct tty_struct *tty;
1642 	unsigned int modem = 0;
1643 	int len = clen;
1644 	int slen = 0;
1645 
1646 	if (debug & 16)
1647 		pr_debug("%d bytes for tty\n", len);
1648 	switch (dlci->adaption)  {
1649 	/* Unsupported types */
1650 	case 4:		/* Packetised interruptible data */
1651 		break;
1652 	case 3:		/* Packetised uininterruptible voice/data */
1653 		break;
1654 	case 2:		/* Asynchronous serial with line state in each frame */
1655 		while (gsm_read_ea(&modem, *data++) == 0) {
1656 			len--;
1657 			slen++;
1658 			if (len == 0)
1659 				return;
1660 		}
1661 		slen++;
1662 		tty = tty_port_tty_get(port);
1663 		if (tty) {
1664 			gsm_process_modem(tty, dlci, modem, slen);
1665 			tty_wakeup(tty);
1666 			tty_kref_put(tty);
1667 		}
1668 		fallthrough;
1669 	case 1:		/* Line state will go via DLCI 0 controls only */
1670 	default:
1671 		tty_insert_flip_string(port, data, len);
1672 		tty_flip_buffer_push(port);
1673 	}
1674 }
1675 
1676 /**
1677  *	gsm_dlci_command	-	data arrived on control channel
1678  *	@dlci: channel
1679  *	@data: block of bytes received
1680  *	@len: length of received block
1681  *
1682  *	A UI or UIH frame has arrived which contains data for DLCI 0 the
1683  *	control channel. This should contain a command EA followed by
1684  *	control data bytes. The command EA contains a command/response bit
1685  *	and we divide up the work accordingly.
1686  */
1687 
1688 static void gsm_dlci_command(struct gsm_dlci *dlci, const u8 *data, int len)
1689 {
1690 	/* See what command is involved */
1691 	unsigned int command = 0;
1692 	while (len-- > 0) {
1693 		if (gsm_read_ea(&command, *data++) == 1) {
1694 			int clen = *data++;
1695 			len--;
1696 			/* FIXME: this is properly an EA */
1697 			clen >>= 1;
1698 			/* Malformed command ? */
1699 			if (clen > len)
1700 				return;
1701 			if (command & 1)
1702 				gsm_control_message(dlci->gsm, command,
1703 								data, clen);
1704 			else
1705 				gsm_control_response(dlci->gsm, command,
1706 								data, clen);
1707 			return;
1708 		}
1709 	}
1710 }
1711 
1712 /*
1713  *	Allocate/Free DLCI channels
1714  */
1715 
1716 /**
1717  *	gsm_dlci_alloc		-	allocate a DLCI
1718  *	@gsm: GSM mux
1719  *	@addr: address of the DLCI
1720  *
1721  *	Allocate and install a new DLCI object into the GSM mux.
1722  *
1723  *	FIXME: review locking races
1724  */
1725 
1726 static struct gsm_dlci *gsm_dlci_alloc(struct gsm_mux *gsm, int addr)
1727 {
1728 	struct gsm_dlci *dlci = kzalloc(sizeof(struct gsm_dlci), GFP_ATOMIC);
1729 	if (dlci == NULL)
1730 		return NULL;
1731 	spin_lock_init(&dlci->lock);
1732 	mutex_init(&dlci->mutex);
1733 	if (kfifo_alloc(&dlci->fifo, 4096, GFP_KERNEL) < 0) {
1734 		kfree(dlci);
1735 		return NULL;
1736 	}
1737 
1738 	skb_queue_head_init(&dlci->skb_list);
1739 	timer_setup(&dlci->t1, gsm_dlci_t1, 0);
1740 	tty_port_init(&dlci->port);
1741 	dlci->port.ops = &gsm_port_ops;
1742 	dlci->gsm = gsm;
1743 	dlci->addr = addr;
1744 	dlci->adaption = gsm->adaption;
1745 	dlci->state = DLCI_CLOSED;
1746 	if (addr)
1747 		dlci->data = gsm_dlci_data;
1748 	else
1749 		dlci->data = gsm_dlci_command;
1750 	gsm->dlci[addr] = dlci;
1751 	return dlci;
1752 }
1753 
1754 /**
1755  *	gsm_dlci_free		-	free DLCI
1756  *	@port: tty port for DLCI to free
1757  *
1758  *	Free up a DLCI.
1759  *
1760  *	Can sleep.
1761  */
1762 static void gsm_dlci_free(struct tty_port *port)
1763 {
1764 	struct gsm_dlci *dlci = container_of(port, struct gsm_dlci, port);
1765 
1766 	del_timer_sync(&dlci->t1);
1767 	dlci->gsm->dlci[dlci->addr] = NULL;
1768 	kfifo_free(&dlci->fifo);
1769 	while ((dlci->skb = skb_dequeue(&dlci->skb_list)))
1770 		dev_kfree_skb(dlci->skb);
1771 	kfree(dlci);
1772 }
1773 
1774 static inline void dlci_get(struct gsm_dlci *dlci)
1775 {
1776 	tty_port_get(&dlci->port);
1777 }
1778 
1779 static inline void dlci_put(struct gsm_dlci *dlci)
1780 {
1781 	tty_port_put(&dlci->port);
1782 }
1783 
1784 static void gsm_destroy_network(struct gsm_dlci *dlci);
1785 
1786 /**
1787  *	gsm_dlci_release		-	release DLCI
1788  *	@dlci: DLCI to destroy
1789  *
1790  *	Release a DLCI. Actual free is deferred until either
1791  *	mux is closed or tty is closed - whichever is last.
1792  *
1793  *	Can sleep.
1794  */
1795 static void gsm_dlci_release(struct gsm_dlci *dlci)
1796 {
1797 	struct tty_struct *tty = tty_port_tty_get(&dlci->port);
1798 	if (tty) {
1799 		mutex_lock(&dlci->mutex);
1800 		gsm_destroy_network(dlci);
1801 		mutex_unlock(&dlci->mutex);
1802 
1803 		/* We cannot use tty_hangup() because in tty_kref_put() the tty
1804 		 * driver assumes that the hangup queue is free and reuses it to
1805 		 * queue release_one_tty() -> NULL pointer panic in
1806 		 * process_one_work().
1807 		 */
1808 		tty_vhangup(tty);
1809 
1810 		tty_port_tty_set(&dlci->port, NULL);
1811 		tty_kref_put(tty);
1812 	}
1813 	dlci->state = DLCI_CLOSED;
1814 	dlci_put(dlci);
1815 }
1816 
1817 /*
1818  *	LAPBish link layer logic
1819  */
1820 
1821 /**
1822  *	gsm_queue		-	a GSM frame is ready to process
1823  *	@gsm: pointer to our gsm mux
1824  *
1825  *	At this point in time a frame has arrived and been demangled from
1826  *	the line encoding. All the differences between the encodings have
1827  *	been handled below us and the frame is unpacked into the structures.
1828  *	The fcs holds the header FCS but any data FCS must be added here.
1829  */
1830 
1831 static void gsm_queue(struct gsm_mux *gsm)
1832 {
1833 	struct gsm_dlci *dlci;
1834 	u8 cr;
1835 	int address;
1836 
1837 	if (gsm->fcs != GOOD_FCS) {
1838 		gsm->bad_fcs++;
1839 		if (debug & 4)
1840 			pr_debug("BAD FCS %02x\n", gsm->fcs);
1841 		return;
1842 	}
1843 	address = gsm->address >> 1;
1844 	if (address >= NUM_DLCI)
1845 		goto invalid;
1846 
1847 	cr = gsm->address & 1;		/* C/R bit */
1848 	cr ^= gsm->initiator ? 0 : 1;	/* Flip so 1 always means command */
1849 
1850 	gsm_print_packet("<--", address, cr, gsm->control, gsm->buf, gsm->len);
1851 
1852 	dlci = gsm->dlci[address];
1853 
1854 	switch (gsm->control) {
1855 	case SABM|PF:
1856 		if (cr == 1)
1857 			goto invalid;
1858 		if (dlci == NULL)
1859 			dlci = gsm_dlci_alloc(gsm, address);
1860 		if (dlci == NULL)
1861 			return;
1862 		if (dlci->dead)
1863 			gsm_response(gsm, address, DM|PF);
1864 		else {
1865 			gsm_response(gsm, address, UA|PF);
1866 			gsm_dlci_open(dlci);
1867 		}
1868 		break;
1869 	case DISC|PF:
1870 		if (cr == 1)
1871 			goto invalid;
1872 		if (dlci == NULL || dlci->state == DLCI_CLOSED) {
1873 			gsm_response(gsm, address, DM|PF);
1874 			return;
1875 		}
1876 		/* Real close complete */
1877 		gsm_response(gsm, address, UA|PF);
1878 		gsm_dlci_close(dlci);
1879 		break;
1880 	case UA|PF:
1881 		if (cr == 0 || dlci == NULL)
1882 			break;
1883 		switch (dlci->state) {
1884 		case DLCI_CLOSING:
1885 			gsm_dlci_close(dlci);
1886 			break;
1887 		case DLCI_OPENING:
1888 			gsm_dlci_open(dlci);
1889 			break;
1890 		default:
1891 			pr_debug("%s: unhandled state: %d\n", __func__,
1892 					dlci->state);
1893 			break;
1894 		}
1895 		break;
1896 	case DM:	/* DM can be valid unsolicited */
1897 	case DM|PF:
1898 		if (cr)
1899 			goto invalid;
1900 		if (dlci == NULL)
1901 			return;
1902 		gsm_dlci_close(dlci);
1903 		break;
1904 	case UI:
1905 	case UI|PF:
1906 	case UIH:
1907 	case UIH|PF:
1908 #if 0
1909 		if (cr)
1910 			goto invalid;
1911 #endif
1912 		if (dlci == NULL || dlci->state != DLCI_OPEN) {
1913 			gsm_command(gsm, address, DM|PF);
1914 			return;
1915 		}
1916 		dlci->data(dlci, gsm->buf, gsm->len);
1917 		break;
1918 	default:
1919 		goto invalid;
1920 	}
1921 	return;
1922 invalid:
1923 	gsm->malformed++;
1924 	return;
1925 }
1926 
1927 
1928 /**
1929  *	gsm0_receive	-	perform processing for non-transparency
1930  *	@gsm: gsm data for this ldisc instance
1931  *	@c: character
1932  *
1933  *	Receive bytes in gsm mode 0
1934  */
1935 
1936 static void gsm0_receive(struct gsm_mux *gsm, unsigned char c)
1937 {
1938 	unsigned int len;
1939 
1940 	switch (gsm->state) {
1941 	case GSM_SEARCH:	/* SOF marker */
1942 		if (c == GSM0_SOF) {
1943 			gsm->state = GSM_ADDRESS;
1944 			gsm->address = 0;
1945 			gsm->len = 0;
1946 			gsm->fcs = INIT_FCS;
1947 		}
1948 		break;
1949 	case GSM_ADDRESS:	/* Address EA */
1950 		gsm->fcs = gsm_fcs_add(gsm->fcs, c);
1951 		if (gsm_read_ea(&gsm->address, c))
1952 			gsm->state = GSM_CONTROL;
1953 		break;
1954 	case GSM_CONTROL:	/* Control Byte */
1955 		gsm->fcs = gsm_fcs_add(gsm->fcs, c);
1956 		gsm->control = c;
1957 		gsm->state = GSM_LEN0;
1958 		break;
1959 	case GSM_LEN0:		/* Length EA */
1960 		gsm->fcs = gsm_fcs_add(gsm->fcs, c);
1961 		if (gsm_read_ea(&gsm->len, c)) {
1962 			if (gsm->len > gsm->mru) {
1963 				gsm->bad_size++;
1964 				gsm->state = GSM_SEARCH;
1965 				break;
1966 			}
1967 			gsm->count = 0;
1968 			if (!gsm->len)
1969 				gsm->state = GSM_FCS;
1970 			else
1971 				gsm->state = GSM_DATA;
1972 			break;
1973 		}
1974 		gsm->state = GSM_LEN1;
1975 		break;
1976 	case GSM_LEN1:
1977 		gsm->fcs = gsm_fcs_add(gsm->fcs, c);
1978 		len = c;
1979 		gsm->len |= len << 7;
1980 		if (gsm->len > gsm->mru) {
1981 			gsm->bad_size++;
1982 			gsm->state = GSM_SEARCH;
1983 			break;
1984 		}
1985 		gsm->count = 0;
1986 		if (!gsm->len)
1987 			gsm->state = GSM_FCS;
1988 		else
1989 			gsm->state = GSM_DATA;
1990 		break;
1991 	case GSM_DATA:		/* Data */
1992 		gsm->buf[gsm->count++] = c;
1993 		if (gsm->count == gsm->len) {
1994 			/* Calculate final FCS for UI frames over all data */
1995 			if ((gsm->control & ~PF) != UIH) {
1996 				gsm->fcs = gsm_fcs_add_block(gsm->fcs, gsm->buf,
1997 							     gsm->count);
1998 			}
1999 			gsm->state = GSM_FCS;
2000 		}
2001 		break;
2002 	case GSM_FCS:		/* FCS follows the packet */
2003 		gsm->fcs = gsm_fcs_add(gsm->fcs, c);
2004 		gsm->state = GSM_SSOF;
2005 		break;
2006 	case GSM_SSOF:
2007 		gsm->state = GSM_SEARCH;
2008 		if (c == GSM0_SOF)
2009 			gsm_queue(gsm);
2010 		else
2011 			gsm->bad_size++;
2012 		break;
2013 	default:
2014 		pr_debug("%s: unhandled state: %d\n", __func__, gsm->state);
2015 		break;
2016 	}
2017 }
2018 
2019 /**
2020  *	gsm1_receive	-	perform processing for non-transparency
2021  *	@gsm: gsm data for this ldisc instance
2022  *	@c: character
2023  *
2024  *	Receive bytes in mode 1 (Advanced option)
2025  */
2026 
2027 static void gsm1_receive(struct gsm_mux *gsm, unsigned char c)
2028 {
2029 	/* handle XON/XOFF */
2030 	if ((c & ISO_IEC_646_MASK) == XON) {
2031 		gsm->constipated = true;
2032 		return;
2033 	} else if ((c & ISO_IEC_646_MASK) == XOFF) {
2034 		gsm->constipated = false;
2035 		/* Kick the link in case it is idling */
2036 		gsm_data_kick(gsm, NULL);
2037 		return;
2038 	}
2039 	if (c == GSM1_SOF) {
2040 		/* EOF is only valid in frame if we have got to the data state */
2041 		if (gsm->state == GSM_DATA) {
2042 			if (gsm->count < 1) {
2043 				/* Missing FSC */
2044 				gsm->malformed++;
2045 				gsm->state = GSM_START;
2046 				return;
2047 			}
2048 			/* Remove the FCS from data */
2049 			gsm->count--;
2050 			if ((gsm->control & ~PF) != UIH) {
2051 				/* Calculate final FCS for UI frames over all
2052 				 * data but FCS
2053 				 */
2054 				gsm->fcs = gsm_fcs_add_block(gsm->fcs, gsm->buf,
2055 							     gsm->count);
2056 			}
2057 			/* Add the FCS itself to test against GOOD_FCS */
2058 			gsm->fcs = gsm_fcs_add(gsm->fcs, gsm->buf[gsm->count]);
2059 			gsm->len = gsm->count;
2060 			gsm_queue(gsm);
2061 			gsm->state  = GSM_START;
2062 			return;
2063 		}
2064 		/* Any partial frame was a runt so go back to start */
2065 		if (gsm->state != GSM_START) {
2066 			if (gsm->state != GSM_SEARCH)
2067 				gsm->malformed++;
2068 			gsm->state = GSM_START;
2069 		}
2070 		/* A SOF in GSM_START means we are still reading idling or
2071 		   framing bytes */
2072 		return;
2073 	}
2074 
2075 	if (c == GSM1_ESCAPE) {
2076 		gsm->escape = true;
2077 		return;
2078 	}
2079 
2080 	/* Only an unescaped SOF gets us out of GSM search */
2081 	if (gsm->state == GSM_SEARCH)
2082 		return;
2083 
2084 	if (gsm->escape) {
2085 		c ^= GSM1_ESCAPE_BITS;
2086 		gsm->escape = false;
2087 	}
2088 	switch (gsm->state) {
2089 	case GSM_START:		/* First byte after SOF */
2090 		gsm->address = 0;
2091 		gsm->state = GSM_ADDRESS;
2092 		gsm->fcs = INIT_FCS;
2093 		fallthrough;
2094 	case GSM_ADDRESS:	/* Address continuation */
2095 		gsm->fcs = gsm_fcs_add(gsm->fcs, c);
2096 		if (gsm_read_ea(&gsm->address, c))
2097 			gsm->state = GSM_CONTROL;
2098 		break;
2099 	case GSM_CONTROL:	/* Control Byte */
2100 		gsm->fcs = gsm_fcs_add(gsm->fcs, c);
2101 		gsm->control = c;
2102 		gsm->count = 0;
2103 		gsm->state = GSM_DATA;
2104 		break;
2105 	case GSM_DATA:		/* Data */
2106 		if (gsm->count > gsm->mru) {	/* Allow one for the FCS */
2107 			gsm->state = GSM_OVERRUN;
2108 			gsm->bad_size++;
2109 		} else
2110 			gsm->buf[gsm->count++] = c;
2111 		break;
2112 	case GSM_OVERRUN:	/* Over-long - eg a dropped SOF */
2113 		break;
2114 	default:
2115 		pr_debug("%s: unhandled state: %d\n", __func__, gsm->state);
2116 		break;
2117 	}
2118 }
2119 
2120 /**
2121  *	gsm_error		-	handle tty error
2122  *	@gsm: ldisc data
2123  *
2124  *	Handle an error in the receipt of data for a frame. Currently we just
2125  *	go back to hunting for a SOF.
2126  *
2127  *	FIXME: better diagnostics ?
2128  */
2129 
2130 static void gsm_error(struct gsm_mux *gsm)
2131 {
2132 	gsm->state = GSM_SEARCH;
2133 	gsm->io_error++;
2134 }
2135 
2136 /**
2137  *	gsm_cleanup_mux		-	generic GSM protocol cleanup
2138  *	@gsm: our mux
2139  *	@disc: disconnect link?
2140  *
2141  *	Clean up the bits of the mux which are the same for all framing
2142  *	protocols. Remove the mux from the mux table, stop all the timers
2143  *	and then shut down each device hanging up the channels as we go.
2144  */
2145 
2146 static void gsm_cleanup_mux(struct gsm_mux *gsm, bool disc)
2147 {
2148 	int i;
2149 	struct gsm_dlci *dlci = gsm->dlci[0];
2150 	struct gsm_msg *txq, *ntxq;
2151 
2152 	gsm->dead = true;
2153 	mutex_lock(&gsm->mutex);
2154 
2155 	if (dlci) {
2156 		if (disc && dlci->state != DLCI_CLOSED) {
2157 			gsm_dlci_begin_close(dlci);
2158 			wait_event(gsm->event, dlci->state == DLCI_CLOSED);
2159 		}
2160 		dlci->dead = true;
2161 	}
2162 
2163 	/* Finish outstanding timers, making sure they are done */
2164 	del_timer_sync(&gsm->t2_timer);
2165 
2166 	/* Free up any link layer users and finally the control channel */
2167 	for (i = NUM_DLCI - 1; i >= 0; i--)
2168 		if (gsm->dlci[i])
2169 			gsm_dlci_release(gsm->dlci[i]);
2170 	mutex_unlock(&gsm->mutex);
2171 	/* Now wipe the queues */
2172 	tty_ldisc_flush(gsm->tty);
2173 	list_for_each_entry_safe(txq, ntxq, &gsm->tx_list, list)
2174 		kfree(txq);
2175 	INIT_LIST_HEAD(&gsm->tx_list);
2176 }
2177 
2178 /**
2179  *	gsm_activate_mux	-	generic GSM setup
2180  *	@gsm: our mux
2181  *
2182  *	Set up the bits of the mux which are the same for all framing
2183  *	protocols. Add the mux to the mux table so it can be opened and
2184  *	finally kick off connecting to DLCI 0 on the modem.
2185  */
2186 
2187 static int gsm_activate_mux(struct gsm_mux *gsm)
2188 {
2189 	struct gsm_dlci *dlci;
2190 
2191 	timer_setup(&gsm->t2_timer, gsm_control_retransmit, 0);
2192 	init_waitqueue_head(&gsm->event);
2193 	spin_lock_init(&gsm->control_lock);
2194 	spin_lock_init(&gsm->tx_lock);
2195 
2196 	if (gsm->encoding == 0)
2197 		gsm->receive = gsm0_receive;
2198 	else
2199 		gsm->receive = gsm1_receive;
2200 
2201 	dlci = gsm_dlci_alloc(gsm, 0);
2202 	if (dlci == NULL)
2203 		return -ENOMEM;
2204 	gsm->dead = false;		/* Tty opens are now permissible */
2205 	return 0;
2206 }
2207 
2208 /**
2209  *	gsm_free_mux		-	free up a mux
2210  *	@gsm: mux to free
2211  *
2212  *	Dispose of allocated resources for a dead mux
2213  */
2214 static void gsm_free_mux(struct gsm_mux *gsm)
2215 {
2216 	int i;
2217 
2218 	for (i = 0; i < MAX_MUX; i++) {
2219 		if (gsm == gsm_mux[i]) {
2220 			gsm_mux[i] = NULL;
2221 			break;
2222 		}
2223 	}
2224 	mutex_destroy(&gsm->mutex);
2225 	kfree(gsm->txframe);
2226 	kfree(gsm->buf);
2227 	kfree(gsm);
2228 }
2229 
2230 /**
2231  *	gsm_free_muxr		-	free up a mux
2232  *	@ref: kreference to the mux to free
2233  *
2234  *	Dispose of allocated resources for a dead mux
2235  */
2236 static void gsm_free_muxr(struct kref *ref)
2237 {
2238 	struct gsm_mux *gsm = container_of(ref, struct gsm_mux, ref);
2239 	gsm_free_mux(gsm);
2240 }
2241 
2242 static inline void mux_get(struct gsm_mux *gsm)
2243 {
2244 	unsigned long flags;
2245 
2246 	spin_lock_irqsave(&gsm_mux_lock, flags);
2247 	kref_get(&gsm->ref);
2248 	spin_unlock_irqrestore(&gsm_mux_lock, flags);
2249 }
2250 
2251 static inline void mux_put(struct gsm_mux *gsm)
2252 {
2253 	unsigned long flags;
2254 
2255 	spin_lock_irqsave(&gsm_mux_lock, flags);
2256 	kref_put(&gsm->ref, gsm_free_muxr);
2257 	spin_unlock_irqrestore(&gsm_mux_lock, flags);
2258 }
2259 
2260 static inline unsigned int mux_num_to_base(struct gsm_mux *gsm)
2261 {
2262 	return gsm->num * NUM_DLCI;
2263 }
2264 
2265 static inline unsigned int mux_line_to_num(unsigned int line)
2266 {
2267 	return line / NUM_DLCI;
2268 }
2269 
2270 /**
2271  *	gsm_alloc_mux		-	allocate a mux
2272  *
2273  *	Creates a new mux ready for activation.
2274  */
2275 
2276 static struct gsm_mux *gsm_alloc_mux(void)
2277 {
2278 	int i;
2279 	struct gsm_mux *gsm = kzalloc(sizeof(struct gsm_mux), GFP_KERNEL);
2280 	if (gsm == NULL)
2281 		return NULL;
2282 	gsm->buf = kmalloc(MAX_MRU + 1, GFP_KERNEL);
2283 	if (gsm->buf == NULL) {
2284 		kfree(gsm);
2285 		return NULL;
2286 	}
2287 	gsm->txframe = kmalloc(2 * (MAX_MTU + PROT_OVERHEAD - 1), GFP_KERNEL);
2288 	if (gsm->txframe == NULL) {
2289 		kfree(gsm->buf);
2290 		kfree(gsm);
2291 		return NULL;
2292 	}
2293 	spin_lock_init(&gsm->lock);
2294 	mutex_init(&gsm->mutex);
2295 	kref_init(&gsm->ref);
2296 	INIT_LIST_HEAD(&gsm->tx_list);
2297 
2298 	gsm->t1 = T1;
2299 	gsm->t2 = T2;
2300 	gsm->n2 = N2;
2301 	gsm->ftype = UIH;
2302 	gsm->adaption = 1;
2303 	gsm->encoding = 1;
2304 	gsm->mru = 64;	/* Default to encoding 1 so these should be 64 */
2305 	gsm->mtu = 64;
2306 	gsm->dead = true;	/* Avoid early tty opens */
2307 
2308 	/* Store the instance to the mux array or abort if no space is
2309 	 * available.
2310 	 */
2311 	spin_lock(&gsm_mux_lock);
2312 	for (i = 0; i < MAX_MUX; i++) {
2313 		if (!gsm_mux[i]) {
2314 			gsm_mux[i] = gsm;
2315 			gsm->num = i;
2316 			break;
2317 		}
2318 	}
2319 	spin_unlock(&gsm_mux_lock);
2320 	if (i == MAX_MUX) {
2321 		mutex_destroy(&gsm->mutex);
2322 		kfree(gsm->txframe);
2323 		kfree(gsm->buf);
2324 		kfree(gsm);
2325 		return NULL;
2326 	}
2327 
2328 	return gsm;
2329 }
2330 
2331 static void gsm_copy_config_values(struct gsm_mux *gsm,
2332 				   struct gsm_config *c)
2333 {
2334 	memset(c, 0, sizeof(*c));
2335 	c->adaption = gsm->adaption;
2336 	c->encapsulation = gsm->encoding;
2337 	c->initiator = gsm->initiator;
2338 	c->t1 = gsm->t1;
2339 	c->t2 = gsm->t2;
2340 	c->t3 = 0;	/* Not supported */
2341 	c->n2 = gsm->n2;
2342 	if (gsm->ftype == UIH)
2343 		c->i = 1;
2344 	else
2345 		c->i = 2;
2346 	pr_debug("Ftype %d i %d\n", gsm->ftype, c->i);
2347 	c->mru = gsm->mru;
2348 	c->mtu = gsm->mtu;
2349 	c->k = 0;
2350 }
2351 
2352 static int gsm_config(struct gsm_mux *gsm, struct gsm_config *c)
2353 {
2354 	int need_close = 0;
2355 	int need_restart = 0;
2356 
2357 	/* Stuff we don't support yet - UI or I frame transport, windowing */
2358 	if ((c->adaption != 1 && c->adaption != 2) || c->k)
2359 		return -EOPNOTSUPP;
2360 	/* Check the MRU/MTU range looks sane */
2361 	if (c->mru > MAX_MRU || c->mtu > MAX_MTU || c->mru < 8 || c->mtu < 8)
2362 		return -EINVAL;
2363 	if (c->n2 > 255)
2364 		return -EINVAL;
2365 	if (c->encapsulation > 1)	/* Basic, advanced, no I */
2366 		return -EINVAL;
2367 	if (c->initiator > 1)
2368 		return -EINVAL;
2369 	if (c->i == 0 || c->i > 2)	/* UIH and UI only */
2370 		return -EINVAL;
2371 	/*
2372 	 * See what is needed for reconfiguration
2373 	 */
2374 
2375 	/* Timing fields */
2376 	if (c->t1 != 0 && c->t1 != gsm->t1)
2377 		need_restart = 1;
2378 	if (c->t2 != 0 && c->t2 != gsm->t2)
2379 		need_restart = 1;
2380 	if (c->encapsulation != gsm->encoding)
2381 		need_restart = 1;
2382 	if (c->adaption != gsm->adaption)
2383 		need_restart = 1;
2384 	/* Requires care */
2385 	if (c->initiator != gsm->initiator)
2386 		need_close = 1;
2387 	if (c->mru != gsm->mru)
2388 		need_restart = 1;
2389 	if (c->mtu != gsm->mtu)
2390 		need_restart = 1;
2391 
2392 	/*
2393 	 * Close down what is needed, restart and initiate the new
2394 	 * configuration. On the first time there is no DLCI[0]
2395 	 * and closing or cleaning up is not necessary.
2396 	 */
2397 	if (need_close || need_restart)
2398 		gsm_cleanup_mux(gsm, true);
2399 
2400 	gsm->initiator = c->initiator;
2401 	gsm->mru = c->mru;
2402 	gsm->mtu = c->mtu;
2403 	gsm->encoding = c->encapsulation;
2404 	gsm->adaption = c->adaption;
2405 	gsm->n2 = c->n2;
2406 
2407 	if (c->i == 1)
2408 		gsm->ftype = UIH;
2409 	else if (c->i == 2)
2410 		gsm->ftype = UI;
2411 
2412 	if (c->t1)
2413 		gsm->t1 = c->t1;
2414 	if (c->t2)
2415 		gsm->t2 = c->t2;
2416 
2417 	/*
2418 	 * FIXME: We need to separate activation/deactivation from adding
2419 	 * and removing from the mux array
2420 	 */
2421 	if (need_restart)
2422 		gsm_activate_mux(gsm);
2423 	if (gsm->initiator && need_close)
2424 		gsm_dlci_begin_open(gsm->dlci[0]);
2425 	return 0;
2426 }
2427 
2428 /**
2429  *	gsmld_output		-	write to link
2430  *	@gsm: our mux
2431  *	@data: bytes to output
2432  *	@len: size
2433  *
2434  *	Write a block of data from the GSM mux to the data channel. This
2435  *	will eventually be serialized from above but at the moment isn't.
2436  */
2437 
2438 static int gsmld_output(struct gsm_mux *gsm, u8 *data, int len)
2439 {
2440 	if (tty_write_room(gsm->tty) < len) {
2441 		set_bit(TTY_DO_WRITE_WAKEUP, &gsm->tty->flags);
2442 		return -ENOSPC;
2443 	}
2444 	if (debug & 4)
2445 		print_hex_dump_bytes("gsmld_output: ", DUMP_PREFIX_OFFSET,
2446 				     data, len);
2447 	return gsm->tty->ops->write(gsm->tty, data, len);
2448 }
2449 
2450 /**
2451  *	gsmld_attach_gsm	-	mode set up
2452  *	@tty: our tty structure
2453  *	@gsm: our mux
2454  *
2455  *	Set up the MUX for basic mode and commence connecting to the
2456  *	modem. Currently called from the line discipline set up but
2457  *	will need moving to an ioctl path.
2458  */
2459 
2460 static int gsmld_attach_gsm(struct tty_struct *tty, struct gsm_mux *gsm)
2461 {
2462 	unsigned int base;
2463 	int ret, i;
2464 
2465 	gsm->tty = tty_kref_get(tty);
2466 	/* Turn off tty XON/XOFF handling to handle it explicitly. */
2467 	gsm->old_c_iflag = tty->termios.c_iflag;
2468 	tty->termios.c_iflag &= (IXON | IXOFF);
2469 	ret =  gsm_activate_mux(gsm);
2470 	if (ret != 0)
2471 		tty_kref_put(gsm->tty);
2472 	else {
2473 		/* Don't register device 0 - this is the control channel and not
2474 		   a usable tty interface */
2475 		base = mux_num_to_base(gsm); /* Base for this MUX */
2476 		for (i = 1; i < NUM_DLCI; i++) {
2477 			struct device *dev;
2478 
2479 			dev = tty_register_device(gsm_tty_driver,
2480 							base + i, NULL);
2481 			if (IS_ERR(dev)) {
2482 				for (i--; i >= 1; i--)
2483 					tty_unregister_device(gsm_tty_driver,
2484 								base + i);
2485 				return PTR_ERR(dev);
2486 			}
2487 		}
2488 	}
2489 	return ret;
2490 }
2491 
2492 
2493 /**
2494  *	gsmld_detach_gsm	-	stop doing 0710 mux
2495  *	@tty: tty attached to the mux
2496  *	@gsm: mux
2497  *
2498  *	Shutdown and then clean up the resources used by the line discipline
2499  */
2500 
2501 static void gsmld_detach_gsm(struct tty_struct *tty, struct gsm_mux *gsm)
2502 {
2503 	unsigned int base = mux_num_to_base(gsm); /* Base for this MUX */
2504 	int i;
2505 
2506 	WARN_ON(tty != gsm->tty);
2507 	for (i = 1; i < NUM_DLCI; i++)
2508 		tty_unregister_device(gsm_tty_driver, base + i);
2509 	/* Restore tty XON/XOFF handling. */
2510 	gsm->tty->termios.c_iflag = gsm->old_c_iflag;
2511 	tty_kref_put(gsm->tty);
2512 	gsm->tty = NULL;
2513 }
2514 
2515 static void gsmld_receive_buf(struct tty_struct *tty, const unsigned char *cp,
2516 			      const char *fp, int count)
2517 {
2518 	struct gsm_mux *gsm = tty->disc_data;
2519 	char flags = TTY_NORMAL;
2520 
2521 	if (debug & 4)
2522 		print_hex_dump_bytes("gsmld_receive: ", DUMP_PREFIX_OFFSET,
2523 				     cp, count);
2524 
2525 	for (; count; count--, cp++) {
2526 		if (fp)
2527 			flags = *fp++;
2528 		switch (flags) {
2529 		case TTY_NORMAL:
2530 			gsm->receive(gsm, *cp);
2531 			break;
2532 		case TTY_OVERRUN:
2533 		case TTY_BREAK:
2534 		case TTY_PARITY:
2535 		case TTY_FRAME:
2536 			gsm_error(gsm);
2537 			break;
2538 		default:
2539 			WARN_ONCE(1, "%s: unknown flag %d\n",
2540 			       tty_name(tty), flags);
2541 			break;
2542 		}
2543 	}
2544 	/* FASYNC if needed ? */
2545 	/* If clogged call tty_throttle(tty); */
2546 }
2547 
2548 /**
2549  *	gsmld_flush_buffer	-	clean input queue
2550  *	@tty:	terminal device
2551  *
2552  *	Flush the input buffer. Called when the line discipline is
2553  *	being closed, when the tty layer wants the buffer flushed (eg
2554  *	at hangup).
2555  */
2556 
2557 static void gsmld_flush_buffer(struct tty_struct *tty)
2558 {
2559 }
2560 
2561 /**
2562  *	gsmld_close		-	close the ldisc for this tty
2563  *	@tty: device
2564  *
2565  *	Called from the terminal layer when this line discipline is
2566  *	being shut down, either because of a close or becsuse of a
2567  *	discipline change. The function will not be called while other
2568  *	ldisc methods are in progress.
2569  */
2570 
2571 static void gsmld_close(struct tty_struct *tty)
2572 {
2573 	struct gsm_mux *gsm = tty->disc_data;
2574 
2575 	/* The ldisc locks and closes the port before calling our close. This
2576 	 * means we have no way to do a proper disconnect. We will not bother
2577 	 * to do one.
2578 	 */
2579 	gsm_cleanup_mux(gsm, false);
2580 
2581 	gsmld_detach_gsm(tty, gsm);
2582 
2583 	gsmld_flush_buffer(tty);
2584 	/* Do other clean up here */
2585 	mux_put(gsm);
2586 }
2587 
2588 /**
2589  *	gsmld_open		-	open an ldisc
2590  *	@tty: terminal to open
2591  *
2592  *	Called when this line discipline is being attached to the
2593  *	terminal device. Can sleep. Called serialized so that no
2594  *	other events will occur in parallel. No further open will occur
2595  *	until a close.
2596  */
2597 
2598 static int gsmld_open(struct tty_struct *tty)
2599 {
2600 	struct gsm_mux *gsm;
2601 	int ret;
2602 
2603 	if (tty->ops->write == NULL)
2604 		return -EINVAL;
2605 
2606 	/* Attach our ldisc data */
2607 	gsm = gsm_alloc_mux();
2608 	if (gsm == NULL)
2609 		return -ENOMEM;
2610 
2611 	tty->disc_data = gsm;
2612 	tty->receive_room = 65536;
2613 
2614 	/* Attach the initial passive connection */
2615 	gsm->encoding = 1;
2616 
2617 	ret = gsmld_attach_gsm(tty, gsm);
2618 	if (ret != 0) {
2619 		gsm_cleanup_mux(gsm, false);
2620 		mux_put(gsm);
2621 	}
2622 	return ret;
2623 }
2624 
2625 /**
2626  *	gsmld_write_wakeup	-	asynchronous I/O notifier
2627  *	@tty: tty device
2628  *
2629  *	Required for the ptys, serial driver etc. since processes
2630  *	that attach themselves to the master and rely on ASYNC
2631  *	IO must be woken up
2632  */
2633 
2634 static void gsmld_write_wakeup(struct tty_struct *tty)
2635 {
2636 	struct gsm_mux *gsm = tty->disc_data;
2637 	unsigned long flags;
2638 
2639 	/* Queue poll */
2640 	clear_bit(TTY_DO_WRITE_WAKEUP, &tty->flags);
2641 	spin_lock_irqsave(&gsm->tx_lock, flags);
2642 	gsm_data_kick(gsm, NULL);
2643 	if (gsm->tx_bytes < TX_THRESH_LO) {
2644 		gsm_dlci_data_sweep(gsm);
2645 	}
2646 	spin_unlock_irqrestore(&gsm->tx_lock, flags);
2647 }
2648 
2649 /**
2650  *	gsmld_read		-	read function for tty
2651  *	@tty: tty device
2652  *	@file: file object
2653  *	@buf: userspace buffer pointer
2654  *	@nr: size of I/O
2655  *	@cookie: unused
2656  *	@offset: unused
2657  *
2658  *	Perform reads for the line discipline. We are guaranteed that the
2659  *	line discipline will not be closed under us but we may get multiple
2660  *	parallel readers and must handle this ourselves. We may also get
2661  *	a hangup. Always called in user context, may sleep.
2662  *
2663  *	This code must be sure never to sleep through a hangup.
2664  */
2665 
2666 static ssize_t gsmld_read(struct tty_struct *tty, struct file *file,
2667 			  unsigned char *buf, size_t nr,
2668 			  void **cookie, unsigned long offset)
2669 {
2670 	return -EOPNOTSUPP;
2671 }
2672 
2673 /**
2674  *	gsmld_write		-	write function for tty
2675  *	@tty: tty device
2676  *	@file: file object
2677  *	@buf: userspace buffer pointer
2678  *	@nr: size of I/O
2679  *
2680  *	Called when the owner of the device wants to send a frame
2681  *	itself (or some other control data). The data is transferred
2682  *	as-is and must be properly framed and checksummed as appropriate
2683  *	by userspace. Frames are either sent whole or not at all as this
2684  *	avoids pain user side.
2685  */
2686 
2687 static ssize_t gsmld_write(struct tty_struct *tty, struct file *file,
2688 			   const unsigned char *buf, size_t nr)
2689 {
2690 	int space = tty_write_room(tty);
2691 	if (space >= nr)
2692 		return tty->ops->write(tty, buf, nr);
2693 	set_bit(TTY_DO_WRITE_WAKEUP, &tty->flags);
2694 	return -ENOBUFS;
2695 }
2696 
2697 /**
2698  *	gsmld_poll		-	poll method for N_GSM0710
2699  *	@tty: terminal device
2700  *	@file: file accessing it
2701  *	@wait: poll table
2702  *
2703  *	Called when the line discipline is asked to poll() for data or
2704  *	for special events. This code is not serialized with respect to
2705  *	other events save open/close.
2706  *
2707  *	This code must be sure never to sleep through a hangup.
2708  *	Called without the kernel lock held - fine
2709  */
2710 
2711 static __poll_t gsmld_poll(struct tty_struct *tty, struct file *file,
2712 							poll_table *wait)
2713 {
2714 	__poll_t mask = 0;
2715 	struct gsm_mux *gsm = tty->disc_data;
2716 
2717 	poll_wait(file, &tty->read_wait, wait);
2718 	poll_wait(file, &tty->write_wait, wait);
2719 	if (tty_hung_up_p(file))
2720 		mask |= EPOLLHUP;
2721 	if (!tty_is_writelocked(tty) && tty_write_room(tty) > 0)
2722 		mask |= EPOLLOUT | EPOLLWRNORM;
2723 	if (gsm->dead)
2724 		mask |= EPOLLHUP;
2725 	return mask;
2726 }
2727 
2728 static int gsmld_ioctl(struct tty_struct *tty, unsigned int cmd,
2729 		       unsigned long arg)
2730 {
2731 	struct gsm_config c;
2732 	struct gsm_mux *gsm = tty->disc_data;
2733 	unsigned int base;
2734 
2735 	switch (cmd) {
2736 	case GSMIOC_GETCONF:
2737 		gsm_copy_config_values(gsm, &c);
2738 		if (copy_to_user((void __user *)arg, &c, sizeof(c)))
2739 			return -EFAULT;
2740 		return 0;
2741 	case GSMIOC_SETCONF:
2742 		if (copy_from_user(&c, (void __user *)arg, sizeof(c)))
2743 			return -EFAULT;
2744 		return gsm_config(gsm, &c);
2745 	case GSMIOC_GETFIRST:
2746 		base = mux_num_to_base(gsm);
2747 		return put_user(base + 1, (__u32 __user *)arg);
2748 	default:
2749 		return n_tty_ioctl_helper(tty, cmd, arg);
2750 	}
2751 }
2752 
2753 /*
2754  *	Network interface
2755  *
2756  */
2757 
2758 static int gsm_mux_net_open(struct net_device *net)
2759 {
2760 	pr_debug("%s called\n", __func__);
2761 	netif_start_queue(net);
2762 	return 0;
2763 }
2764 
2765 static int gsm_mux_net_close(struct net_device *net)
2766 {
2767 	netif_stop_queue(net);
2768 	return 0;
2769 }
2770 
2771 static void dlci_net_free(struct gsm_dlci *dlci)
2772 {
2773 	if (!dlci->net) {
2774 		WARN_ON(1);
2775 		return;
2776 	}
2777 	dlci->adaption = dlci->prev_adaption;
2778 	dlci->data = dlci->prev_data;
2779 	free_netdev(dlci->net);
2780 	dlci->net = NULL;
2781 }
2782 static void net_free(struct kref *ref)
2783 {
2784 	struct gsm_mux_net *mux_net;
2785 	struct gsm_dlci *dlci;
2786 
2787 	mux_net = container_of(ref, struct gsm_mux_net, ref);
2788 	dlci = mux_net->dlci;
2789 
2790 	if (dlci->net) {
2791 		unregister_netdev(dlci->net);
2792 		dlci_net_free(dlci);
2793 	}
2794 }
2795 
2796 static inline void muxnet_get(struct gsm_mux_net *mux_net)
2797 {
2798 	kref_get(&mux_net->ref);
2799 }
2800 
2801 static inline void muxnet_put(struct gsm_mux_net *mux_net)
2802 {
2803 	kref_put(&mux_net->ref, net_free);
2804 }
2805 
2806 static netdev_tx_t gsm_mux_net_start_xmit(struct sk_buff *skb,
2807 				      struct net_device *net)
2808 {
2809 	struct gsm_mux_net *mux_net = netdev_priv(net);
2810 	struct gsm_dlci *dlci = mux_net->dlci;
2811 	muxnet_get(mux_net);
2812 
2813 	skb_queue_head(&dlci->skb_list, skb);
2814 	net->stats.tx_packets++;
2815 	net->stats.tx_bytes += skb->len;
2816 	gsm_dlci_data_kick(dlci);
2817 	/* And tell the kernel when the last transmit started. */
2818 	netif_trans_update(net);
2819 	muxnet_put(mux_net);
2820 	return NETDEV_TX_OK;
2821 }
2822 
2823 /* called when a packet did not ack after watchdogtimeout */
2824 static void gsm_mux_net_tx_timeout(struct net_device *net, unsigned int txqueue)
2825 {
2826 	/* Tell syslog we are hosed. */
2827 	dev_dbg(&net->dev, "Tx timed out.\n");
2828 
2829 	/* Update statistics */
2830 	net->stats.tx_errors++;
2831 }
2832 
2833 static void gsm_mux_rx_netchar(struct gsm_dlci *dlci,
2834 				const unsigned char *in_buf, int size)
2835 {
2836 	struct net_device *net = dlci->net;
2837 	struct sk_buff *skb;
2838 	struct gsm_mux_net *mux_net = netdev_priv(net);
2839 	muxnet_get(mux_net);
2840 
2841 	/* Allocate an sk_buff */
2842 	skb = dev_alloc_skb(size + NET_IP_ALIGN);
2843 	if (!skb) {
2844 		/* We got no receive buffer. */
2845 		net->stats.rx_dropped++;
2846 		muxnet_put(mux_net);
2847 		return;
2848 	}
2849 	skb_reserve(skb, NET_IP_ALIGN);
2850 	skb_put_data(skb, in_buf, size);
2851 
2852 	skb->dev = net;
2853 	skb->protocol = htons(ETH_P_IP);
2854 
2855 	/* Ship it off to the kernel */
2856 	netif_rx(skb);
2857 
2858 	/* update out statistics */
2859 	net->stats.rx_packets++;
2860 	net->stats.rx_bytes += size;
2861 	muxnet_put(mux_net);
2862 	return;
2863 }
2864 
2865 static void gsm_mux_net_init(struct net_device *net)
2866 {
2867 	static const struct net_device_ops gsm_netdev_ops = {
2868 		.ndo_open		= gsm_mux_net_open,
2869 		.ndo_stop		= gsm_mux_net_close,
2870 		.ndo_start_xmit		= gsm_mux_net_start_xmit,
2871 		.ndo_tx_timeout		= gsm_mux_net_tx_timeout,
2872 	};
2873 
2874 	net->netdev_ops = &gsm_netdev_ops;
2875 
2876 	/* fill in the other fields */
2877 	net->watchdog_timeo = GSM_NET_TX_TIMEOUT;
2878 	net->flags = IFF_POINTOPOINT | IFF_NOARP | IFF_MULTICAST;
2879 	net->type = ARPHRD_NONE;
2880 	net->tx_queue_len = 10;
2881 }
2882 
2883 
2884 /* caller holds the dlci mutex */
2885 static void gsm_destroy_network(struct gsm_dlci *dlci)
2886 {
2887 	struct gsm_mux_net *mux_net;
2888 
2889 	pr_debug("destroy network interface\n");
2890 	if (!dlci->net)
2891 		return;
2892 	mux_net = netdev_priv(dlci->net);
2893 	muxnet_put(mux_net);
2894 }
2895 
2896 
2897 /* caller holds the dlci mutex */
2898 static int gsm_create_network(struct gsm_dlci *dlci, struct gsm_netconfig *nc)
2899 {
2900 	char *netname;
2901 	int retval = 0;
2902 	struct net_device *net;
2903 	struct gsm_mux_net *mux_net;
2904 
2905 	if (!capable(CAP_NET_ADMIN))
2906 		return -EPERM;
2907 
2908 	/* Already in a non tty mode */
2909 	if (dlci->adaption > 2)
2910 		return -EBUSY;
2911 
2912 	if (nc->protocol != htons(ETH_P_IP))
2913 		return -EPROTONOSUPPORT;
2914 
2915 	if (nc->adaption != 3 && nc->adaption != 4)
2916 		return -EPROTONOSUPPORT;
2917 
2918 	pr_debug("create network interface\n");
2919 
2920 	netname = "gsm%d";
2921 	if (nc->if_name[0] != '\0')
2922 		netname = nc->if_name;
2923 	net = alloc_netdev(sizeof(struct gsm_mux_net), netname,
2924 			   NET_NAME_UNKNOWN, gsm_mux_net_init);
2925 	if (!net) {
2926 		pr_err("alloc_netdev failed\n");
2927 		return -ENOMEM;
2928 	}
2929 	net->mtu = dlci->gsm->mtu;
2930 	net->min_mtu = 8;
2931 	net->max_mtu = dlci->gsm->mtu;
2932 	mux_net = netdev_priv(net);
2933 	mux_net->dlci = dlci;
2934 	kref_init(&mux_net->ref);
2935 	strncpy(nc->if_name, net->name, IFNAMSIZ); /* return net name */
2936 
2937 	/* reconfigure dlci for network */
2938 	dlci->prev_adaption = dlci->adaption;
2939 	dlci->prev_data = dlci->data;
2940 	dlci->adaption = nc->adaption;
2941 	dlci->data = gsm_mux_rx_netchar;
2942 	dlci->net = net;
2943 
2944 	pr_debug("register netdev\n");
2945 	retval = register_netdev(net);
2946 	if (retval) {
2947 		pr_err("network register fail %d\n", retval);
2948 		dlci_net_free(dlci);
2949 		return retval;
2950 	}
2951 	return net->ifindex;	/* return network index */
2952 }
2953 
2954 /* Line discipline for real tty */
2955 static struct tty_ldisc_ops tty_ldisc_packet = {
2956 	.owner		 = THIS_MODULE,
2957 	.num		 = N_GSM0710,
2958 	.name            = "n_gsm",
2959 	.open            = gsmld_open,
2960 	.close           = gsmld_close,
2961 	.flush_buffer    = gsmld_flush_buffer,
2962 	.read            = gsmld_read,
2963 	.write           = gsmld_write,
2964 	.ioctl           = gsmld_ioctl,
2965 	.poll            = gsmld_poll,
2966 	.receive_buf     = gsmld_receive_buf,
2967 	.write_wakeup    = gsmld_write_wakeup
2968 };
2969 
2970 /*
2971  *	Virtual tty side
2972  */
2973 
2974 #define TX_SIZE		512
2975 
2976 /**
2977  *	gsm_modem_upd_via_data	-	send modem bits via convergence layer
2978  *	@dlci: channel
2979  *	@brk: break signal
2980  *
2981  *	Send an empty frame to signal mobile state changes and to transmit the
2982  *	break signal for adaption 2.
2983  */
2984 
2985 static void gsm_modem_upd_via_data(struct gsm_dlci *dlci, u8 brk)
2986 {
2987 	struct gsm_mux *gsm = dlci->gsm;
2988 	unsigned long flags;
2989 
2990 	if (dlci->state != DLCI_OPEN || dlci->adaption != 2)
2991 		return;
2992 
2993 	spin_lock_irqsave(&gsm->tx_lock, flags);
2994 	gsm_dlci_modem_output(gsm, dlci, brk);
2995 	spin_unlock_irqrestore(&gsm->tx_lock, flags);
2996 }
2997 
2998 /**
2999  *	gsm_modem_upd_via_msc	-	send modem bits via control frame
3000  *	@dlci: channel
3001  *	@brk: break signal
3002  */
3003 
3004 static int gsm_modem_upd_via_msc(struct gsm_dlci *dlci, u8 brk)
3005 {
3006 	u8 modembits[3];
3007 	struct gsm_control *ctrl;
3008 	int len = 2;
3009 
3010 	if (dlci->gsm->encoding != 0)
3011 		return 0;
3012 
3013 	modembits[0] = (dlci->addr << 2) | 2 | EA;  /* DLCI, Valid, EA */
3014 	if (!brk) {
3015 		modembits[1] = (gsm_encode_modem(dlci) << 1) | EA;
3016 	} else {
3017 		modembits[1] = gsm_encode_modem(dlci) << 1;
3018 		modembits[2] = (brk << 4) | 2 | EA; /* Length, Break, EA */
3019 		len++;
3020 	}
3021 	ctrl = gsm_control_send(dlci->gsm, CMD_MSC, modembits, len);
3022 	if (ctrl == NULL)
3023 		return -ENOMEM;
3024 	return gsm_control_wait(dlci->gsm, ctrl);
3025 }
3026 
3027 /**
3028  *	gsm_modem_update	-	send modem status line state
3029  *	@dlci: channel
3030  *	@brk: break signal
3031  */
3032 
3033 static int gsm_modem_update(struct gsm_dlci *dlci, u8 brk)
3034 {
3035 	if (dlci->adaption == 2) {
3036 		/* Send convergence layer type 2 empty data frame. */
3037 		gsm_modem_upd_via_data(dlci, brk);
3038 		return 0;
3039 	} else if (dlci->gsm->encoding == 0) {
3040 		/* Send as MSC control message. */
3041 		return gsm_modem_upd_via_msc(dlci, brk);
3042 	}
3043 
3044 	/* Modem status lines are not supported. */
3045 	return -EPROTONOSUPPORT;
3046 }
3047 
3048 static int gsm_carrier_raised(struct tty_port *port)
3049 {
3050 	struct gsm_dlci *dlci = container_of(port, struct gsm_dlci, port);
3051 	struct gsm_mux *gsm = dlci->gsm;
3052 
3053 	/* Not yet open so no carrier info */
3054 	if (dlci->state != DLCI_OPEN)
3055 		return 0;
3056 	if (debug & 2)
3057 		return 1;
3058 
3059 	/*
3060 	 * Basic mode with control channel in ADM mode may not respond
3061 	 * to CMD_MSC at all and modem_rx is empty.
3062 	 */
3063 	if (gsm->encoding == 0 && gsm->dlci[0]->mode == DLCI_MODE_ADM &&
3064 	    !dlci->modem_rx)
3065 		return 1;
3066 
3067 	return dlci->modem_rx & TIOCM_CD;
3068 }
3069 
3070 static void gsm_dtr_rts(struct tty_port *port, int onoff)
3071 {
3072 	struct gsm_dlci *dlci = container_of(port, struct gsm_dlci, port);
3073 	unsigned int modem_tx = dlci->modem_tx;
3074 	if (onoff)
3075 		modem_tx |= TIOCM_DTR | TIOCM_RTS;
3076 	else
3077 		modem_tx &= ~(TIOCM_DTR | TIOCM_RTS);
3078 	if (modem_tx != dlci->modem_tx) {
3079 		dlci->modem_tx = modem_tx;
3080 		gsm_modem_update(dlci, 0);
3081 	}
3082 }
3083 
3084 static const struct tty_port_operations gsm_port_ops = {
3085 	.carrier_raised = gsm_carrier_raised,
3086 	.dtr_rts = gsm_dtr_rts,
3087 	.destruct = gsm_dlci_free,
3088 };
3089 
3090 static int gsmtty_install(struct tty_driver *driver, struct tty_struct *tty)
3091 {
3092 	struct gsm_mux *gsm;
3093 	struct gsm_dlci *dlci;
3094 	unsigned int line = tty->index;
3095 	unsigned int mux = mux_line_to_num(line);
3096 	bool alloc = false;
3097 	int ret;
3098 
3099 	line = line & 0x3F;
3100 
3101 	if (mux >= MAX_MUX)
3102 		return -ENXIO;
3103 	/* FIXME: we need to lock gsm_mux for lifetimes of ttys eventually */
3104 	if (gsm_mux[mux] == NULL)
3105 		return -EUNATCH;
3106 	if (line == 0 || line > 61)	/* 62/63 reserved */
3107 		return -ECHRNG;
3108 	gsm = gsm_mux[mux];
3109 	if (gsm->dead)
3110 		return -EL2HLT;
3111 	/* If DLCI 0 is not yet fully open return an error.
3112 	This is ok from a locking
3113 	perspective as we don't have to worry about this
3114 	if DLCI0 is lost */
3115 	mutex_lock(&gsm->mutex);
3116 	if (gsm->dlci[0] && gsm->dlci[0]->state != DLCI_OPEN) {
3117 		mutex_unlock(&gsm->mutex);
3118 		return -EL2NSYNC;
3119 	}
3120 	dlci = gsm->dlci[line];
3121 	if (dlci == NULL) {
3122 		alloc = true;
3123 		dlci = gsm_dlci_alloc(gsm, line);
3124 	}
3125 	if (dlci == NULL) {
3126 		mutex_unlock(&gsm->mutex);
3127 		return -ENOMEM;
3128 	}
3129 	ret = tty_port_install(&dlci->port, driver, tty);
3130 	if (ret) {
3131 		if (alloc)
3132 			dlci_put(dlci);
3133 		mutex_unlock(&gsm->mutex);
3134 		return ret;
3135 	}
3136 
3137 	dlci_get(dlci);
3138 	dlci_get(gsm->dlci[0]);
3139 	mux_get(gsm);
3140 	tty->driver_data = dlci;
3141 	mutex_unlock(&gsm->mutex);
3142 
3143 	return 0;
3144 }
3145 
3146 static int gsmtty_open(struct tty_struct *tty, struct file *filp)
3147 {
3148 	struct gsm_dlci *dlci = tty->driver_data;
3149 	struct tty_port *port = &dlci->port;
3150 	struct gsm_mux *gsm = dlci->gsm;
3151 
3152 	port->count++;
3153 	tty_port_tty_set(port, tty);
3154 
3155 	dlci->modem_rx = 0;
3156 	/* We could in theory open and close before we wait - eg if we get
3157 	   a DM straight back. This is ok as that will have caused a hangup */
3158 	tty_port_set_initialized(port, 1);
3159 	/* Start sending off SABM messages */
3160 	if (gsm->initiator)
3161 		gsm_dlci_begin_open(dlci);
3162 	/* And wait for virtual carrier */
3163 	return tty_port_block_til_ready(port, tty, filp);
3164 }
3165 
3166 static void gsmtty_close(struct tty_struct *tty, struct file *filp)
3167 {
3168 	struct gsm_dlci *dlci = tty->driver_data;
3169 
3170 	if (dlci == NULL)
3171 		return;
3172 	if (dlci->state == DLCI_CLOSED)
3173 		return;
3174 	mutex_lock(&dlci->mutex);
3175 	gsm_destroy_network(dlci);
3176 	mutex_unlock(&dlci->mutex);
3177 	if (tty_port_close_start(&dlci->port, tty, filp) == 0)
3178 		return;
3179 	gsm_dlci_begin_close(dlci);
3180 	if (tty_port_initialized(&dlci->port) && C_HUPCL(tty))
3181 		tty_port_lower_dtr_rts(&dlci->port);
3182 	tty_port_close_end(&dlci->port, tty);
3183 	tty_port_tty_set(&dlci->port, NULL);
3184 	return;
3185 }
3186 
3187 static void gsmtty_hangup(struct tty_struct *tty)
3188 {
3189 	struct gsm_dlci *dlci = tty->driver_data;
3190 	if (dlci->state == DLCI_CLOSED)
3191 		return;
3192 	tty_port_hangup(&dlci->port);
3193 	gsm_dlci_begin_close(dlci);
3194 }
3195 
3196 static int gsmtty_write(struct tty_struct *tty, const unsigned char *buf,
3197 								    int len)
3198 {
3199 	int sent;
3200 	struct gsm_dlci *dlci = tty->driver_data;
3201 	if (dlci->state == DLCI_CLOSED)
3202 		return -EINVAL;
3203 	/* Stuff the bytes into the fifo queue */
3204 	sent = kfifo_in_locked(&dlci->fifo, buf, len, &dlci->lock);
3205 	/* Need to kick the channel */
3206 	gsm_dlci_data_kick(dlci);
3207 	return sent;
3208 }
3209 
3210 static unsigned int gsmtty_write_room(struct tty_struct *tty)
3211 {
3212 	struct gsm_dlci *dlci = tty->driver_data;
3213 	if (dlci->state == DLCI_CLOSED)
3214 		return 0;
3215 	return TX_SIZE - kfifo_len(&dlci->fifo);
3216 }
3217 
3218 static unsigned int gsmtty_chars_in_buffer(struct tty_struct *tty)
3219 {
3220 	struct gsm_dlci *dlci = tty->driver_data;
3221 	if (dlci->state == DLCI_CLOSED)
3222 		return 0;
3223 	return kfifo_len(&dlci->fifo);
3224 }
3225 
3226 static void gsmtty_flush_buffer(struct tty_struct *tty)
3227 {
3228 	struct gsm_dlci *dlci = tty->driver_data;
3229 	unsigned long flags;
3230 
3231 	if (dlci->state == DLCI_CLOSED)
3232 		return;
3233 	/* Caution needed: If we implement reliable transport classes
3234 	   then the data being transmitted can't simply be junked once
3235 	   it has first hit the stack. Until then we can just blow it
3236 	   away */
3237 	spin_lock_irqsave(&dlci->lock, flags);
3238 	kfifo_reset(&dlci->fifo);
3239 	spin_unlock_irqrestore(&dlci->lock, flags);
3240 	/* Need to unhook this DLCI from the transmit queue logic */
3241 }
3242 
3243 static void gsmtty_wait_until_sent(struct tty_struct *tty, int timeout)
3244 {
3245 	/* The FIFO handles the queue so the kernel will do the right
3246 	   thing waiting on chars_in_buffer before calling us. No work
3247 	   to do here */
3248 }
3249 
3250 static int gsmtty_tiocmget(struct tty_struct *tty)
3251 {
3252 	struct gsm_dlci *dlci = tty->driver_data;
3253 	if (dlci->state == DLCI_CLOSED)
3254 		return -EINVAL;
3255 	return dlci->modem_rx;
3256 }
3257 
3258 static int gsmtty_tiocmset(struct tty_struct *tty,
3259 	unsigned int set, unsigned int clear)
3260 {
3261 	struct gsm_dlci *dlci = tty->driver_data;
3262 	unsigned int modem_tx = dlci->modem_tx;
3263 
3264 	if (dlci->state == DLCI_CLOSED)
3265 		return -EINVAL;
3266 	modem_tx &= ~clear;
3267 	modem_tx |= set;
3268 
3269 	if (modem_tx != dlci->modem_tx) {
3270 		dlci->modem_tx = modem_tx;
3271 		return gsm_modem_update(dlci, 0);
3272 	}
3273 	return 0;
3274 }
3275 
3276 
3277 static int gsmtty_ioctl(struct tty_struct *tty,
3278 			unsigned int cmd, unsigned long arg)
3279 {
3280 	struct gsm_dlci *dlci = tty->driver_data;
3281 	struct gsm_netconfig nc;
3282 	int index;
3283 
3284 	if (dlci->state == DLCI_CLOSED)
3285 		return -EINVAL;
3286 	switch (cmd) {
3287 	case GSMIOC_ENABLE_NET:
3288 		if (copy_from_user(&nc, (void __user *)arg, sizeof(nc)))
3289 			return -EFAULT;
3290 		nc.if_name[IFNAMSIZ-1] = '\0';
3291 		/* return net interface index or error code */
3292 		mutex_lock(&dlci->mutex);
3293 		index = gsm_create_network(dlci, &nc);
3294 		mutex_unlock(&dlci->mutex);
3295 		if (copy_to_user((void __user *)arg, &nc, sizeof(nc)))
3296 			return -EFAULT;
3297 		return index;
3298 	case GSMIOC_DISABLE_NET:
3299 		if (!capable(CAP_NET_ADMIN))
3300 			return -EPERM;
3301 		mutex_lock(&dlci->mutex);
3302 		gsm_destroy_network(dlci);
3303 		mutex_unlock(&dlci->mutex);
3304 		return 0;
3305 	default:
3306 		return -ENOIOCTLCMD;
3307 	}
3308 }
3309 
3310 static void gsmtty_set_termios(struct tty_struct *tty, struct ktermios *old)
3311 {
3312 	struct gsm_dlci *dlci = tty->driver_data;
3313 	if (dlci->state == DLCI_CLOSED)
3314 		return;
3315 	/* For the moment its fixed. In actual fact the speed information
3316 	   for the virtual channel can be propogated in both directions by
3317 	   the RPN control message. This however rapidly gets nasty as we
3318 	   then have to remap modem signals each way according to whether
3319 	   our virtual cable is null modem etc .. */
3320 	tty_termios_copy_hw(&tty->termios, old);
3321 }
3322 
3323 static void gsmtty_throttle(struct tty_struct *tty)
3324 {
3325 	struct gsm_dlci *dlci = tty->driver_data;
3326 	if (dlci->state == DLCI_CLOSED)
3327 		return;
3328 	if (C_CRTSCTS(tty))
3329 		dlci->modem_tx &= ~TIOCM_RTS;
3330 	dlci->throttled = true;
3331 	/* Send an MSC with RTS cleared */
3332 	gsm_modem_update(dlci, 0);
3333 }
3334 
3335 static void gsmtty_unthrottle(struct tty_struct *tty)
3336 {
3337 	struct gsm_dlci *dlci = tty->driver_data;
3338 	if (dlci->state == DLCI_CLOSED)
3339 		return;
3340 	if (C_CRTSCTS(tty))
3341 		dlci->modem_tx |= TIOCM_RTS;
3342 	dlci->throttled = false;
3343 	/* Send an MSC with RTS set */
3344 	gsm_modem_update(dlci, 0);
3345 }
3346 
3347 static int gsmtty_break_ctl(struct tty_struct *tty, int state)
3348 {
3349 	struct gsm_dlci *dlci = tty->driver_data;
3350 	int encode = 0;	/* Off */
3351 	if (dlci->state == DLCI_CLOSED)
3352 		return -EINVAL;
3353 
3354 	if (state == -1)	/* "On indefinitely" - we can't encode this
3355 				    properly */
3356 		encode = 0x0F;
3357 	else if (state > 0) {
3358 		encode = state / 200;	/* mS to encoding */
3359 		if (encode > 0x0F)
3360 			encode = 0x0F;	/* Best effort */
3361 	}
3362 	return gsm_modem_update(dlci, encode);
3363 }
3364 
3365 static void gsmtty_cleanup(struct tty_struct *tty)
3366 {
3367 	struct gsm_dlci *dlci = tty->driver_data;
3368 	struct gsm_mux *gsm = dlci->gsm;
3369 
3370 	dlci_put(dlci);
3371 	dlci_put(gsm->dlci[0]);
3372 	mux_put(gsm);
3373 }
3374 
3375 /* Virtual ttys for the demux */
3376 static const struct tty_operations gsmtty_ops = {
3377 	.install		= gsmtty_install,
3378 	.open			= gsmtty_open,
3379 	.close			= gsmtty_close,
3380 	.write			= gsmtty_write,
3381 	.write_room		= gsmtty_write_room,
3382 	.chars_in_buffer	= gsmtty_chars_in_buffer,
3383 	.flush_buffer		= gsmtty_flush_buffer,
3384 	.ioctl			= gsmtty_ioctl,
3385 	.throttle		= gsmtty_throttle,
3386 	.unthrottle		= gsmtty_unthrottle,
3387 	.set_termios		= gsmtty_set_termios,
3388 	.hangup			= gsmtty_hangup,
3389 	.wait_until_sent	= gsmtty_wait_until_sent,
3390 	.tiocmget		= gsmtty_tiocmget,
3391 	.tiocmset		= gsmtty_tiocmset,
3392 	.break_ctl		= gsmtty_break_ctl,
3393 	.cleanup		= gsmtty_cleanup,
3394 };
3395 
3396 
3397 
3398 static int __init gsm_init(void)
3399 {
3400 	/* Fill in our line protocol discipline, and register it */
3401 	int status = tty_register_ldisc(&tty_ldisc_packet);
3402 	if (status != 0) {
3403 		pr_err("n_gsm: can't register line discipline (err = %d)\n",
3404 								status);
3405 		return status;
3406 	}
3407 
3408 	gsm_tty_driver = tty_alloc_driver(256, TTY_DRIVER_REAL_RAW |
3409 			TTY_DRIVER_DYNAMIC_DEV | TTY_DRIVER_HARDWARE_BREAK);
3410 	if (IS_ERR(gsm_tty_driver)) {
3411 		pr_err("gsm_init: tty allocation failed.\n");
3412 		status = PTR_ERR(gsm_tty_driver);
3413 		goto err_unreg_ldisc;
3414 	}
3415 	gsm_tty_driver->driver_name	= "gsmtty";
3416 	gsm_tty_driver->name		= "gsmtty";
3417 	gsm_tty_driver->major		= 0;	/* Dynamic */
3418 	gsm_tty_driver->minor_start	= 0;
3419 	gsm_tty_driver->type		= TTY_DRIVER_TYPE_SERIAL;
3420 	gsm_tty_driver->subtype	= SERIAL_TYPE_NORMAL;
3421 	gsm_tty_driver->init_termios	= tty_std_termios;
3422 	/* Fixme */
3423 	gsm_tty_driver->init_termios.c_lflag &= ~ECHO;
3424 	tty_set_operations(gsm_tty_driver, &gsmtty_ops);
3425 
3426 	if (tty_register_driver(gsm_tty_driver)) {
3427 		pr_err("gsm_init: tty registration failed.\n");
3428 		status = -EBUSY;
3429 		goto err_put_driver;
3430 	}
3431 	pr_debug("gsm_init: loaded as %d,%d.\n",
3432 			gsm_tty_driver->major, gsm_tty_driver->minor_start);
3433 	return 0;
3434 err_put_driver:
3435 	tty_driver_kref_put(gsm_tty_driver);
3436 err_unreg_ldisc:
3437 	tty_unregister_ldisc(&tty_ldisc_packet);
3438 	return status;
3439 }
3440 
3441 static void __exit gsm_exit(void)
3442 {
3443 	tty_unregister_ldisc(&tty_ldisc_packet);
3444 	tty_unregister_driver(gsm_tty_driver);
3445 	tty_driver_kref_put(gsm_tty_driver);
3446 }
3447 
3448 module_init(gsm_init);
3449 module_exit(gsm_exit);
3450 
3451 
3452 MODULE_LICENSE("GPL");
3453 MODULE_ALIAS_LDISC(N_GSM0710);
3454