xref: /linux/drivers/tty/n_gsm.c (revision b5bee6ced21ca98389000b7017dd41b0cc37fa50)
1 // SPDX-License-Identifier: GPL-2.0
2 /*
3  * n_gsm.c GSM 0710 tty multiplexor
4  * Copyright (c) 2009/10 Intel Corporation
5  *
6  *	* THIS IS A DEVELOPMENT SNAPSHOT IT IS NOT A FINAL RELEASE *
7  *
8  * Outgoing path:
9  * tty -> DLCI fifo -> scheduler -> GSM MUX data queue    ---o-> ldisc
10  * control message               -> GSM MUX control queue --´
11  *
12  * Incoming path:
13  * ldisc -> gsm_queue() -o--> tty
14  *                        `-> gsm_control_response()
15  *
16  * TO DO:
17  *	Mostly done:	ioctls for setting modes/timing
18  *	Partly done:	hooks so you can pull off frames to non tty devs
19  *	Restart DLCI 0 when it closes ?
20  *	Improve the tx engine
21  *	Resolve tx side locking by adding a queue_head and routing
22  *		all control traffic via it
23  *	General tidy/document
24  *	Review the locking/move to refcounts more (mux now moved to an
25  *		alloc/free model ready)
26  *	Use newest tty open/close port helpers and install hooks
27  *	What to do about power functions ?
28  *	Termios setting and negotiation
29  *	Do we need a 'which mux are you' ioctl to correlate mux and tty sets
30  *
31  */
32 
33 #include <linux/types.h>
34 #include <linux/major.h>
35 #include <linux/errno.h>
36 #include <linux/signal.h>
37 #include <linux/fcntl.h>
38 #include <linux/sched/signal.h>
39 #include <linux/interrupt.h>
40 #include <linux/tty.h>
41 #include <linux/ctype.h>
42 #include <linux/mm.h>
43 #include <linux/string.h>
44 #include <linux/slab.h>
45 #include <linux/poll.h>
46 #include <linux/bitops.h>
47 #include <linux/file.h>
48 #include <linux/uaccess.h>
49 #include <linux/module.h>
50 #include <linux/timer.h>
51 #include <linux/tty_flip.h>
52 #include <linux/tty_driver.h>
53 #include <linux/serial.h>
54 #include <linux/kfifo.h>
55 #include <linux/skbuff.h>
56 #include <net/arp.h>
57 #include <linux/ip.h>
58 #include <linux/netdevice.h>
59 #include <linux/etherdevice.h>
60 #include <linux/gsmmux.h>
61 #include "tty.h"
62 
63 static int debug;
64 module_param(debug, int, 0600);
65 
66 /* Defaults: these are from the specification */
67 
68 #define T1	10		/* 100mS */
69 #define T2	34		/* 333mS */
70 #define N2	3		/* Retry 3 times */
71 
72 /* Use long timers for testing at low speed with debug on */
73 #ifdef DEBUG_TIMING
74 #define T1	100
75 #define T2	200
76 #endif
77 
78 /*
79  * Semi-arbitrary buffer size limits. 0710 is normally run with 32-64 byte
80  * limits so this is plenty
81  */
82 #define MAX_MRU 1500
83 #define MAX_MTU 1500
84 /* SOF, ADDR, CTRL, LEN1, LEN2, ..., FCS, EOF */
85 #define PROT_OVERHEAD 7
86 #define	GSM_NET_TX_TIMEOUT (HZ*10)
87 
88 /*
89  *	struct gsm_mux_net	-	network interface
90  *
91  *	Created when net interface is initialized.
92  */
93 struct gsm_mux_net {
94 	struct kref ref;
95 	struct gsm_dlci *dlci;
96 };
97 
98 /*
99  *	Each block of data we have queued to go out is in the form of
100  *	a gsm_msg which holds everything we need in a link layer independent
101  *	format
102  */
103 
104 struct gsm_msg {
105 	struct list_head list;
106 	u8 addr;		/* DLCI address + flags */
107 	u8 ctrl;		/* Control byte + flags */
108 	unsigned int len;	/* Length of data block (can be zero) */
109 	unsigned char *data;	/* Points into buffer but not at the start */
110 	unsigned char buffer[];
111 };
112 
113 enum gsm_dlci_state {
114 	DLCI_CLOSED,
115 	DLCI_OPENING,		/* Sending SABM not seen UA */
116 	DLCI_OPEN,		/* SABM/UA complete */
117 	DLCI_CLOSING,		/* Sending DISC not seen UA/DM */
118 };
119 
120 enum gsm_dlci_mode {
121 	DLCI_MODE_ABM,		/* Normal Asynchronous Balanced Mode */
122 	DLCI_MODE_ADM,		/* Asynchronous Disconnected Mode */
123 };
124 
125 /*
126  *	Each active data link has a gsm_dlci structure associated which ties
127  *	the link layer to an optional tty (if the tty side is open). To avoid
128  *	complexity right now these are only ever freed up when the mux is
129  *	shut down.
130  *
131  *	At the moment we don't free DLCI objects until the mux is torn down
132  *	this avoid object life time issues but might be worth review later.
133  */
134 
135 struct gsm_dlci {
136 	struct gsm_mux *gsm;
137 	int addr;
138 	enum gsm_dlci_state state;
139 	struct mutex mutex;
140 
141 	/* Link layer */
142 	enum gsm_dlci_mode mode;
143 	spinlock_t lock;	/* Protects the internal state */
144 	struct timer_list t1;	/* Retransmit timer for SABM and UA */
145 	int retries;
146 	/* Uplink tty if active */
147 	struct tty_port port;	/* The tty bound to this DLCI if there is one */
148 #define TX_SIZE		4096    /* Must be power of 2. */
149 	struct kfifo fifo;	/* Queue fifo for the DLCI */
150 	int adaption;		/* Adaption layer in use */
151 	int prev_adaption;
152 	u32 modem_rx;		/* Our incoming virtual modem lines */
153 	u32 modem_tx;		/* Our outgoing modem lines */
154 	bool dead;		/* Refuse re-open */
155 	/* Flow control */
156 	bool throttled;		/* Private copy of throttle state */
157 	bool constipated;	/* Throttle status for outgoing */
158 	/* Packetised I/O */
159 	struct sk_buff *skb;	/* Frame being sent */
160 	struct sk_buff_head skb_list;	/* Queued frames */
161 	/* Data handling callback */
162 	void (*data)(struct gsm_dlci *dlci, const u8 *data, int len);
163 	void (*prev_data)(struct gsm_dlci *dlci, const u8 *data, int len);
164 	struct net_device *net; /* network interface, if created */
165 };
166 
167 /* DLCI 0, 62/63 are special or reserved see gsmtty_open */
168 
169 #define NUM_DLCI		64
170 
171 /*
172  *	DLCI 0 is used to pass control blocks out of band of the data
173  *	flow (and with a higher link priority). One command can be outstanding
174  *	at a time and we use this structure to manage them. They are created
175  *	and destroyed by the user context, and updated by the receive paths
176  *	and timers
177  */
178 
179 struct gsm_control {
180 	u8 cmd;		/* Command we are issuing */
181 	u8 *data;	/* Data for the command in case we retransmit */
182 	int len;	/* Length of block for retransmission */
183 	int done;	/* Done flag */
184 	int error;	/* Error if any */
185 };
186 
187 enum gsm_mux_state {
188 	GSM_SEARCH,
189 	GSM_START,
190 	GSM_ADDRESS,
191 	GSM_CONTROL,
192 	GSM_LEN,
193 	GSM_DATA,
194 	GSM_FCS,
195 	GSM_OVERRUN,
196 	GSM_LEN0,
197 	GSM_LEN1,
198 	GSM_SSOF,
199 };
200 
201 /*
202  *	Each GSM mux we have is represented by this structure. If we are
203  *	operating as an ldisc then we use this structure as our ldisc
204  *	state. We need to sort out lifetimes and locking with respect
205  *	to the gsm mux array. For now we don't free DLCI objects that
206  *	have been instantiated until the mux itself is terminated.
207  *
208  *	To consider further: tty open versus mux shutdown.
209  */
210 
211 struct gsm_mux {
212 	struct tty_struct *tty;		/* The tty our ldisc is bound to */
213 	spinlock_t lock;
214 	struct mutex mutex;
215 	unsigned int num;
216 	struct kref ref;
217 
218 	/* Events on the GSM channel */
219 	wait_queue_head_t event;
220 
221 	/* ldisc send work */
222 	struct work_struct tx_work;
223 
224 	/* Bits for GSM mode decoding */
225 
226 	/* Framing Layer */
227 	unsigned char *buf;
228 	enum gsm_mux_state state;
229 	unsigned int len;
230 	unsigned int address;
231 	unsigned int count;
232 	bool escape;
233 	int encoding;
234 	u8 control;
235 	u8 fcs;
236 	u8 *txframe;			/* TX framing buffer */
237 
238 	/* Method for the receiver side */
239 	void (*receive)(struct gsm_mux *gsm, u8 ch);
240 
241 	/* Link Layer */
242 	unsigned int mru;
243 	unsigned int mtu;
244 	int initiator;			/* Did we initiate connection */
245 	bool dead;			/* Has the mux been shut down */
246 	struct gsm_dlci *dlci[NUM_DLCI];
247 	int old_c_iflag;		/* termios c_iflag value before attach */
248 	bool constipated;		/* Asked by remote to shut up */
249 	bool has_devices;		/* Devices were registered */
250 
251 	struct mutex tx_mutex;
252 	unsigned int tx_bytes;		/* TX data outstanding */
253 #define TX_THRESH_HI		8192
254 #define TX_THRESH_LO		2048
255 	struct list_head tx_ctrl_list;	/* Pending control packets */
256 	struct list_head tx_data_list;	/* Pending data packets */
257 
258 	/* Control messages */
259 	struct delayed_work kick_timeout;	/* Kick TX queuing on timeout */
260 	struct timer_list t2_timer;	/* Retransmit timer for commands */
261 	int cretries;			/* Command retry counter */
262 	struct gsm_control *pending_cmd;/* Our current pending command */
263 	spinlock_t control_lock;	/* Protects the pending command */
264 
265 	/* Configuration */
266 	int adaption;		/* 1 or 2 supported */
267 	u8 ftype;		/* UI or UIH */
268 	int t1, t2;		/* Timers in 1/100th of a sec */
269 	int n2;			/* Retry count */
270 
271 	/* Statistics (not currently exposed) */
272 	unsigned long bad_fcs;
273 	unsigned long malformed;
274 	unsigned long io_error;
275 	unsigned long bad_size;
276 	unsigned long unsupported;
277 };
278 
279 
280 /*
281  *	Mux objects - needed so that we can translate a tty index into the
282  *	relevant mux and DLCI.
283  */
284 
285 #define MAX_MUX		4			/* 256 minors */
286 static struct gsm_mux *gsm_mux[MAX_MUX];	/* GSM muxes */
287 static DEFINE_SPINLOCK(gsm_mux_lock);
288 
289 static struct tty_driver *gsm_tty_driver;
290 
291 /*
292  *	This section of the driver logic implements the GSM encodings
293  *	both the basic and the 'advanced'. Reliable transport is not
294  *	supported.
295  */
296 
297 #define CR			0x02
298 #define EA			0x01
299 #define	PF			0x10
300 
301 /* I is special: the rest are ..*/
302 #define RR			0x01
303 #define UI			0x03
304 #define RNR			0x05
305 #define REJ			0x09
306 #define DM			0x0F
307 #define SABM			0x2F
308 #define DISC			0x43
309 #define UA			0x63
310 #define	UIH			0xEF
311 
312 /* Channel commands */
313 #define CMD_NSC			0x09
314 #define CMD_TEST		0x11
315 #define CMD_PSC			0x21
316 #define CMD_RLS			0x29
317 #define CMD_FCOFF		0x31
318 #define CMD_PN			0x41
319 #define CMD_RPN			0x49
320 #define CMD_FCON		0x51
321 #define CMD_CLD			0x61
322 #define CMD_SNC			0x69
323 #define CMD_MSC			0x71
324 
325 /* Virtual modem bits */
326 #define MDM_FC			0x01
327 #define MDM_RTC			0x02
328 #define MDM_RTR			0x04
329 #define MDM_IC			0x20
330 #define MDM_DV			0x40
331 
332 #define GSM0_SOF		0xF9
333 #define GSM1_SOF		0x7E
334 #define GSM1_ESCAPE		0x7D
335 #define GSM1_ESCAPE_BITS	0x20
336 #define XON			0x11
337 #define XOFF			0x13
338 #define ISO_IEC_646_MASK	0x7F
339 
340 static const struct tty_port_operations gsm_port_ops;
341 
342 /*
343  *	CRC table for GSM 0710
344  */
345 
346 static const u8 gsm_fcs8[256] = {
347 	0x00, 0x91, 0xE3, 0x72, 0x07, 0x96, 0xE4, 0x75,
348 	0x0E, 0x9F, 0xED, 0x7C, 0x09, 0x98, 0xEA, 0x7B,
349 	0x1C, 0x8D, 0xFF, 0x6E, 0x1B, 0x8A, 0xF8, 0x69,
350 	0x12, 0x83, 0xF1, 0x60, 0x15, 0x84, 0xF6, 0x67,
351 	0x38, 0xA9, 0xDB, 0x4A, 0x3F, 0xAE, 0xDC, 0x4D,
352 	0x36, 0xA7, 0xD5, 0x44, 0x31, 0xA0, 0xD2, 0x43,
353 	0x24, 0xB5, 0xC7, 0x56, 0x23, 0xB2, 0xC0, 0x51,
354 	0x2A, 0xBB, 0xC9, 0x58, 0x2D, 0xBC, 0xCE, 0x5F,
355 	0x70, 0xE1, 0x93, 0x02, 0x77, 0xE6, 0x94, 0x05,
356 	0x7E, 0xEF, 0x9D, 0x0C, 0x79, 0xE8, 0x9A, 0x0B,
357 	0x6C, 0xFD, 0x8F, 0x1E, 0x6B, 0xFA, 0x88, 0x19,
358 	0x62, 0xF3, 0x81, 0x10, 0x65, 0xF4, 0x86, 0x17,
359 	0x48, 0xD9, 0xAB, 0x3A, 0x4F, 0xDE, 0xAC, 0x3D,
360 	0x46, 0xD7, 0xA5, 0x34, 0x41, 0xD0, 0xA2, 0x33,
361 	0x54, 0xC5, 0xB7, 0x26, 0x53, 0xC2, 0xB0, 0x21,
362 	0x5A, 0xCB, 0xB9, 0x28, 0x5D, 0xCC, 0xBE, 0x2F,
363 	0xE0, 0x71, 0x03, 0x92, 0xE7, 0x76, 0x04, 0x95,
364 	0xEE, 0x7F, 0x0D, 0x9C, 0xE9, 0x78, 0x0A, 0x9B,
365 	0xFC, 0x6D, 0x1F, 0x8E, 0xFB, 0x6A, 0x18, 0x89,
366 	0xF2, 0x63, 0x11, 0x80, 0xF5, 0x64, 0x16, 0x87,
367 	0xD8, 0x49, 0x3B, 0xAA, 0xDF, 0x4E, 0x3C, 0xAD,
368 	0xD6, 0x47, 0x35, 0xA4, 0xD1, 0x40, 0x32, 0xA3,
369 	0xC4, 0x55, 0x27, 0xB6, 0xC3, 0x52, 0x20, 0xB1,
370 	0xCA, 0x5B, 0x29, 0xB8, 0xCD, 0x5C, 0x2E, 0xBF,
371 	0x90, 0x01, 0x73, 0xE2, 0x97, 0x06, 0x74, 0xE5,
372 	0x9E, 0x0F, 0x7D, 0xEC, 0x99, 0x08, 0x7A, 0xEB,
373 	0x8C, 0x1D, 0x6F, 0xFE, 0x8B, 0x1A, 0x68, 0xF9,
374 	0x82, 0x13, 0x61, 0xF0, 0x85, 0x14, 0x66, 0xF7,
375 	0xA8, 0x39, 0x4B, 0xDA, 0xAF, 0x3E, 0x4C, 0xDD,
376 	0xA6, 0x37, 0x45, 0xD4, 0xA1, 0x30, 0x42, 0xD3,
377 	0xB4, 0x25, 0x57, 0xC6, 0xB3, 0x22, 0x50, 0xC1,
378 	0xBA, 0x2B, 0x59, 0xC8, 0xBD, 0x2C, 0x5E, 0xCF
379 };
380 
381 #define INIT_FCS	0xFF
382 #define GOOD_FCS	0xCF
383 
384 static int gsmld_output(struct gsm_mux *gsm, u8 *data, int len);
385 static int gsm_modem_update(struct gsm_dlci *dlci, u8 brk);
386 static struct gsm_msg *gsm_data_alloc(struct gsm_mux *gsm, u8 addr, int len,
387 								u8 ctrl);
388 static int gsm_send_packet(struct gsm_mux *gsm, struct gsm_msg *msg);
389 static void gsmld_write_trigger(struct gsm_mux *gsm);
390 static void gsmld_write_task(struct work_struct *work);
391 
392 /**
393  *	gsm_fcs_add	-	update FCS
394  *	@fcs: Current FCS
395  *	@c: Next data
396  *
397  *	Update the FCS to include c. Uses the algorithm in the specification
398  *	notes.
399  */
400 
401 static inline u8 gsm_fcs_add(u8 fcs, u8 c)
402 {
403 	return gsm_fcs8[fcs ^ c];
404 }
405 
406 /**
407  *	gsm_fcs_add_block	-	update FCS for a block
408  *	@fcs: Current FCS
409  *	@c: buffer of data
410  *	@len: length of buffer
411  *
412  *	Update the FCS to include c. Uses the algorithm in the specification
413  *	notes.
414  */
415 
416 static inline u8 gsm_fcs_add_block(u8 fcs, u8 *c, int len)
417 {
418 	while (len--)
419 		fcs = gsm_fcs8[fcs ^ *c++];
420 	return fcs;
421 }
422 
423 /**
424  *	gsm_read_ea		-	read a byte into an EA
425  *	@val: variable holding value
426  *	@c: byte going into the EA
427  *
428  *	Processes one byte of an EA. Updates the passed variable
429  *	and returns 1 if the EA is now completely read
430  */
431 
432 static int gsm_read_ea(unsigned int *val, u8 c)
433 {
434 	/* Add the next 7 bits into the value */
435 	*val <<= 7;
436 	*val |= c >> 1;
437 	/* Was this the last byte of the EA 1 = yes*/
438 	return c & EA;
439 }
440 
441 /**
442  *	gsm_read_ea_val	-	read a value until EA
443  *	@val: variable holding value
444  *	@data: buffer of data
445  *	@dlen: length of data
446  *
447  *	Processes an EA value. Updates the passed variable and
448  *	returns the processed data length.
449  */
450 static unsigned int gsm_read_ea_val(unsigned int *val, const u8 *data, int dlen)
451 {
452 	unsigned int len = 0;
453 
454 	for (; dlen > 0; dlen--) {
455 		len++;
456 		if (gsm_read_ea(val, *data++))
457 			break;
458 	}
459 	return len;
460 }
461 
462 /**
463  *	gsm_encode_modem	-	encode modem data bits
464  *	@dlci: DLCI to encode from
465  *
466  *	Returns the correct GSM encoded modem status bits (6 bit field) for
467  *	the current status of the DLCI and attached tty object
468  */
469 
470 static u8 gsm_encode_modem(const struct gsm_dlci *dlci)
471 {
472 	u8 modembits = 0;
473 	/* FC is true flow control not modem bits */
474 	if (dlci->throttled)
475 		modembits |= MDM_FC;
476 	if (dlci->modem_tx & TIOCM_DTR)
477 		modembits |= MDM_RTC;
478 	if (dlci->modem_tx & TIOCM_RTS)
479 		modembits |= MDM_RTR;
480 	if (dlci->modem_tx & TIOCM_RI)
481 		modembits |= MDM_IC;
482 	if (dlci->modem_tx & TIOCM_CD || dlci->gsm->initiator)
483 		modembits |= MDM_DV;
484 	return modembits;
485 }
486 
487 static void gsm_hex_dump_bytes(const char *fname, const u8 *data,
488 			       unsigned long len)
489 {
490 	char *prefix;
491 
492 	if (!fname) {
493 		print_hex_dump(KERN_INFO, "", DUMP_PREFIX_NONE, 16, 1, data, len,
494 			       true);
495 		return;
496 	}
497 
498 	prefix = kasprintf(GFP_ATOMIC, "%s: ", fname);
499 	if (!prefix)
500 		return;
501 	print_hex_dump(KERN_INFO, prefix, DUMP_PREFIX_OFFSET, 16, 1, data, len,
502 		       true);
503 	kfree(prefix);
504 }
505 
506 /**
507  *	gsm_register_devices	-	register all tty devices for a given mux index
508  *
509  *	@driver: the tty driver that describes the tty devices
510  *	@index:  the mux number is used to calculate the minor numbers of the
511  *	         ttys for this mux and may differ from the position in the
512  *	         mux array.
513  */
514 static int gsm_register_devices(struct tty_driver *driver, unsigned int index)
515 {
516 	struct device *dev;
517 	int i;
518 	unsigned int base;
519 
520 	if (!driver || index >= MAX_MUX)
521 		return -EINVAL;
522 
523 	base = index * NUM_DLCI; /* first minor for this index */
524 	for (i = 1; i < NUM_DLCI; i++) {
525 		/* Don't register device 0 - this is the control channel
526 		 * and not a usable tty interface
527 		 */
528 		dev = tty_register_device(gsm_tty_driver, base + i, NULL);
529 		if (IS_ERR(dev)) {
530 			if (debug & 8)
531 				pr_info("%s failed to register device minor %u",
532 					__func__, base + i);
533 			for (i--; i >= 1; i--)
534 				tty_unregister_device(gsm_tty_driver, base + i);
535 			return PTR_ERR(dev);
536 		}
537 	}
538 
539 	return 0;
540 }
541 
542 /**
543  *	gsm_unregister_devices	-	unregister all tty devices for a given mux index
544  *
545  *	@driver: the tty driver that describes the tty devices
546  *	@index:  the mux number is used to calculate the minor numbers of the
547  *	         ttys for this mux and may differ from the position in the
548  *	         mux array.
549  */
550 static void gsm_unregister_devices(struct tty_driver *driver,
551 				   unsigned int index)
552 {
553 	int i;
554 	unsigned int base;
555 
556 	if (!driver || index >= MAX_MUX)
557 		return;
558 
559 	base = index * NUM_DLCI; /* first minor for this index */
560 	for (i = 1; i < NUM_DLCI; i++) {
561 		/* Don't unregister device 0 - this is the control
562 		 * channel and not a usable tty interface
563 		 */
564 		tty_unregister_device(gsm_tty_driver, base + i);
565 	}
566 }
567 
568 /**
569  *	gsm_print_packet	-	display a frame for debug
570  *	@hdr: header to print before decode
571  *	@addr: address EA from the frame
572  *	@cr: C/R bit seen as initiator
573  *	@control: control including PF bit
574  *	@data: following data bytes
575  *	@dlen: length of data
576  *
577  *	Displays a packet in human readable format for debugging purposes. The
578  *	style is based on amateur radio LAP-B dump display.
579  */
580 
581 static void gsm_print_packet(const char *hdr, int addr, int cr,
582 					u8 control, const u8 *data, int dlen)
583 {
584 	if (!(debug & 1))
585 		return;
586 
587 	pr_info("%s %d) %c: ", hdr, addr, "RC"[cr]);
588 
589 	switch (control & ~PF) {
590 	case SABM:
591 		pr_cont("SABM");
592 		break;
593 	case UA:
594 		pr_cont("UA");
595 		break;
596 	case DISC:
597 		pr_cont("DISC");
598 		break;
599 	case DM:
600 		pr_cont("DM");
601 		break;
602 	case UI:
603 		pr_cont("UI");
604 		break;
605 	case UIH:
606 		pr_cont("UIH");
607 		break;
608 	default:
609 		if (!(control & 0x01)) {
610 			pr_cont("I N(S)%d N(R)%d",
611 				(control & 0x0E) >> 1, (control & 0xE0) >> 5);
612 		} else switch (control & 0x0F) {
613 			case RR:
614 				pr_cont("RR(%d)", (control & 0xE0) >> 5);
615 				break;
616 			case RNR:
617 				pr_cont("RNR(%d)", (control & 0xE0) >> 5);
618 				break;
619 			case REJ:
620 				pr_cont("REJ(%d)", (control & 0xE0) >> 5);
621 				break;
622 			default:
623 				pr_cont("[%02X]", control);
624 		}
625 	}
626 
627 	if (control & PF)
628 		pr_cont("(P)");
629 	else
630 		pr_cont("(F)");
631 
632 	gsm_hex_dump_bytes(NULL, data, dlen);
633 }
634 
635 
636 /*
637  *	Link level transmission side
638  */
639 
640 /**
641  *	gsm_stuff_frame	-	bytestuff a packet
642  *	@input: input buffer
643  *	@output: output buffer
644  *	@len: length of input
645  *
646  *	Expand a buffer by bytestuffing it. The worst case size change
647  *	is doubling and the caller is responsible for handing out
648  *	suitable sized buffers.
649  */
650 
651 static int gsm_stuff_frame(const u8 *input, u8 *output, int len)
652 {
653 	int olen = 0;
654 	while (len--) {
655 		if (*input == GSM1_SOF || *input == GSM1_ESCAPE
656 		    || (*input & ISO_IEC_646_MASK) == XON
657 		    || (*input & ISO_IEC_646_MASK) == XOFF) {
658 			*output++ = GSM1_ESCAPE;
659 			*output++ = *input++ ^ GSM1_ESCAPE_BITS;
660 			olen++;
661 		} else
662 			*output++ = *input++;
663 		olen++;
664 	}
665 	return olen;
666 }
667 
668 /**
669  *	gsm_send	-	send a control frame
670  *	@gsm: our GSM mux
671  *	@addr: address for control frame
672  *	@cr: command/response bit seen as initiator
673  *	@control:  control byte including PF bit
674  *
675  *	Format up and transmit a control frame. These should be transmitted
676  *	ahead of data when they are needed.
677  */
678 static int gsm_send(struct gsm_mux *gsm, int addr, int cr, int control)
679 {
680 	struct gsm_msg *msg;
681 	u8 *dp;
682 	int ocr;
683 
684 	msg = gsm_data_alloc(gsm, addr, 0, control);
685 	if (!msg)
686 		return -ENOMEM;
687 
688 	/* toggle C/R coding if not initiator */
689 	ocr = cr ^ (gsm->initiator ? 0 : 1);
690 
691 	msg->data -= 3;
692 	dp = msg->data;
693 	*dp++ = (addr << 2) | (ocr << 1) | EA;
694 	*dp++ = control;
695 
696 	if (gsm->encoding == 0)
697 		*dp++ = EA; /* Length of data = 0 */
698 
699 	*dp = 0xFF - gsm_fcs_add_block(INIT_FCS, msg->data, dp - msg->data);
700 	msg->len = (dp - msg->data) + 1;
701 
702 	gsm_print_packet("Q->", addr, cr, control, NULL, 0);
703 
704 	mutex_lock(&gsm->tx_mutex);
705 	list_add_tail(&msg->list, &gsm->tx_ctrl_list);
706 	gsm->tx_bytes += msg->len;
707 	mutex_unlock(&gsm->tx_mutex);
708 	gsmld_write_trigger(gsm);
709 
710 	return 0;
711 }
712 
713 /**
714  *	gsm_dlci_clear_queues	-	remove outstanding data for a DLCI
715  *	@gsm: mux
716  *	@dlci: clear for this DLCI
717  *
718  *	Clears the data queues for a given DLCI.
719  */
720 static void gsm_dlci_clear_queues(struct gsm_mux *gsm, struct gsm_dlci *dlci)
721 {
722 	struct gsm_msg *msg, *nmsg;
723 	int addr = dlci->addr;
724 	unsigned long flags;
725 
726 	/* Clear DLCI write fifo first */
727 	spin_lock_irqsave(&dlci->lock, flags);
728 	kfifo_reset(&dlci->fifo);
729 	spin_unlock_irqrestore(&dlci->lock, flags);
730 
731 	/* Clear data packets in MUX write queue */
732 	mutex_lock(&gsm->tx_mutex);
733 	list_for_each_entry_safe(msg, nmsg, &gsm->tx_data_list, list) {
734 		if (msg->addr != addr)
735 			continue;
736 		gsm->tx_bytes -= msg->len;
737 		list_del(&msg->list);
738 		kfree(msg);
739 	}
740 	mutex_unlock(&gsm->tx_mutex);
741 }
742 
743 /**
744  *	gsm_response	-	send a control response
745  *	@gsm: our GSM mux
746  *	@addr: address for control frame
747  *	@control:  control byte including PF bit
748  *
749  *	Format up and transmit a link level response frame.
750  */
751 
752 static inline void gsm_response(struct gsm_mux *gsm, int addr, int control)
753 {
754 	gsm_send(gsm, addr, 0, control);
755 }
756 
757 /**
758  *	gsm_command	-	send a control command
759  *	@gsm: our GSM mux
760  *	@addr: address for control frame
761  *	@control:  control byte including PF bit
762  *
763  *	Format up and transmit a link level command frame.
764  */
765 
766 static inline void gsm_command(struct gsm_mux *gsm, int addr, int control)
767 {
768 	gsm_send(gsm, addr, 1, control);
769 }
770 
771 /* Data transmission */
772 
773 #define HDR_LEN		6	/* ADDR CTRL [LEN.2] DATA FCS */
774 
775 /**
776  *	gsm_data_alloc		-	allocate data frame
777  *	@gsm: GSM mux
778  *	@addr: DLCI address
779  *	@len: length excluding header and FCS
780  *	@ctrl: control byte
781  *
782  *	Allocate a new data buffer for sending frames with data. Space is left
783  *	at the front for header bytes but that is treated as an implementation
784  *	detail and not for the high level code to use
785  */
786 
787 static struct gsm_msg *gsm_data_alloc(struct gsm_mux *gsm, u8 addr, int len,
788 								u8 ctrl)
789 {
790 	struct gsm_msg *m = kmalloc(sizeof(struct gsm_msg) + len + HDR_LEN,
791 								GFP_ATOMIC);
792 	if (m == NULL)
793 		return NULL;
794 	m->data = m->buffer + HDR_LEN - 1;	/* Allow for FCS */
795 	m->len = len;
796 	m->addr = addr;
797 	m->ctrl = ctrl;
798 	INIT_LIST_HEAD(&m->list);
799 	return m;
800 }
801 
802 /**
803  *	gsm_send_packet	-	sends a single packet
804  *	@gsm: GSM Mux
805  *	@msg: packet to send
806  *
807  *	The given packet is encoded and sent out. No memory is freed.
808  *	The caller must hold the gsm tx lock.
809  */
810 static int gsm_send_packet(struct gsm_mux *gsm, struct gsm_msg *msg)
811 {
812 	int len, ret;
813 
814 
815 	if (gsm->encoding == 0) {
816 		gsm->txframe[0] = GSM0_SOF;
817 		memcpy(gsm->txframe + 1, msg->data, msg->len);
818 		gsm->txframe[msg->len + 1] = GSM0_SOF;
819 		len = msg->len + 2;
820 	} else {
821 		gsm->txframe[0] = GSM1_SOF;
822 		len = gsm_stuff_frame(msg->data, gsm->txframe + 1, msg->len);
823 		gsm->txframe[len + 1] = GSM1_SOF;
824 		len += 2;
825 	}
826 
827 	if (debug & 4)
828 		gsm_hex_dump_bytes(__func__, gsm->txframe, len);
829 	gsm_print_packet("-->", msg->addr, gsm->initiator, msg->ctrl, msg->data,
830 			 msg->len);
831 
832 	ret = gsmld_output(gsm, gsm->txframe, len);
833 	if (ret <= 0)
834 		return ret;
835 	/* FIXME: Can eliminate one SOF in many more cases */
836 	gsm->tx_bytes -= msg->len;
837 
838 	return 0;
839 }
840 
841 /**
842  *	gsm_is_flow_ctrl_msg	-	checks if flow control message
843  *	@msg: message to check
844  *
845  *	Returns true if the given message is a flow control command of the
846  *	control channel. False is returned in any other case.
847  */
848 static bool gsm_is_flow_ctrl_msg(struct gsm_msg *msg)
849 {
850 	unsigned int cmd;
851 
852 	if (msg->addr > 0)
853 		return false;
854 
855 	switch (msg->ctrl & ~PF) {
856 	case UI:
857 	case UIH:
858 		cmd = 0;
859 		if (gsm_read_ea_val(&cmd, msg->data + 2, msg->len - 2) < 1)
860 			break;
861 		switch (cmd & ~PF) {
862 		case CMD_FCOFF:
863 		case CMD_FCON:
864 			return true;
865 		}
866 		break;
867 	}
868 
869 	return false;
870 }
871 
872 /**
873  *	gsm_data_kick	-	poke the queue
874  *	@gsm: GSM Mux
875  *
876  *	The tty device has called us to indicate that room has appeared in
877  *	the transmit queue. Ram more data into the pipe if we have any.
878  *	If we have been flow-stopped by a CMD_FCOFF, then we can only
879  *	send messages on DLCI0 until CMD_FCON. The caller must hold
880  *	the gsm tx lock.
881  */
882 static int gsm_data_kick(struct gsm_mux *gsm)
883 {
884 	struct gsm_msg *msg, *nmsg;
885 	struct gsm_dlci *dlci;
886 	int ret;
887 
888 	clear_bit(TTY_DO_WRITE_WAKEUP, &gsm->tty->flags);
889 
890 	/* Serialize control messages and control channel messages first */
891 	list_for_each_entry_safe(msg, nmsg, &gsm->tx_ctrl_list, list) {
892 		if (gsm->constipated && !gsm_is_flow_ctrl_msg(msg))
893 			continue;
894 		ret = gsm_send_packet(gsm, msg);
895 		switch (ret) {
896 		case -ENOSPC:
897 			return -ENOSPC;
898 		case -ENODEV:
899 			/* ldisc not open */
900 			gsm->tx_bytes -= msg->len;
901 			list_del(&msg->list);
902 			kfree(msg);
903 			continue;
904 		default:
905 			if (ret >= 0) {
906 				list_del(&msg->list);
907 				kfree(msg);
908 			}
909 			break;
910 		}
911 	}
912 
913 	if (gsm->constipated)
914 		return -EAGAIN;
915 
916 	/* Serialize other channels */
917 	if (list_empty(&gsm->tx_data_list))
918 		return 0;
919 	list_for_each_entry_safe(msg, nmsg, &gsm->tx_data_list, list) {
920 		dlci = gsm->dlci[msg->addr];
921 		/* Send only messages for DLCIs with valid state */
922 		if (dlci->state != DLCI_OPEN) {
923 			gsm->tx_bytes -= msg->len;
924 			list_del(&msg->list);
925 			kfree(msg);
926 			continue;
927 		}
928 		ret = gsm_send_packet(gsm, msg);
929 		switch (ret) {
930 		case -ENOSPC:
931 			return -ENOSPC;
932 		case -ENODEV:
933 			/* ldisc not open */
934 			gsm->tx_bytes -= msg->len;
935 			list_del(&msg->list);
936 			kfree(msg);
937 			continue;
938 		default:
939 			if (ret >= 0) {
940 				list_del(&msg->list);
941 				kfree(msg);
942 			}
943 			break;
944 		}
945 	}
946 
947 	return 1;
948 }
949 
950 /**
951  *	__gsm_data_queue		-	queue a UI or UIH frame
952  *	@dlci: DLCI sending the data
953  *	@msg: message queued
954  *
955  *	Add data to the transmit queue and try and get stuff moving
956  *	out of the mux tty if not already doing so. The Caller must hold
957  *	the gsm tx lock.
958  */
959 
960 static void __gsm_data_queue(struct gsm_dlci *dlci, struct gsm_msg *msg)
961 {
962 	struct gsm_mux *gsm = dlci->gsm;
963 	u8 *dp = msg->data;
964 	u8 *fcs = dp + msg->len;
965 
966 	/* Fill in the header */
967 	if (gsm->encoding == 0) {
968 		if (msg->len < 128)
969 			*--dp = (msg->len << 1) | EA;
970 		else {
971 			*--dp = (msg->len >> 7);	/* bits 7 - 15 */
972 			*--dp = (msg->len & 127) << 1;	/* bits 0 - 6 */
973 		}
974 	}
975 
976 	*--dp = msg->ctrl;
977 	if (gsm->initiator)
978 		*--dp = (msg->addr << 2) | CR | EA;
979 	else
980 		*--dp = (msg->addr << 2) | EA;
981 	*fcs = gsm_fcs_add_block(INIT_FCS, dp , msg->data - dp);
982 	/* Ugly protocol layering violation */
983 	if (msg->ctrl == UI || msg->ctrl == (UI|PF))
984 		*fcs = gsm_fcs_add_block(*fcs, msg->data, msg->len);
985 	*fcs = 0xFF - *fcs;
986 
987 	gsm_print_packet("Q> ", msg->addr, gsm->initiator, msg->ctrl,
988 							msg->data, msg->len);
989 
990 	/* Move the header back and adjust the length, also allow for the FCS
991 	   now tacked on the end */
992 	msg->len += (msg->data - dp) + 1;
993 	msg->data = dp;
994 
995 	/* Add to the actual output queue */
996 	switch (msg->ctrl & ~PF) {
997 	case UI:
998 	case UIH:
999 		if (msg->addr > 0) {
1000 			list_add_tail(&msg->list, &gsm->tx_data_list);
1001 			break;
1002 		}
1003 		fallthrough;
1004 	default:
1005 		list_add_tail(&msg->list, &gsm->tx_ctrl_list);
1006 		break;
1007 	}
1008 	gsm->tx_bytes += msg->len;
1009 
1010 	gsmld_write_trigger(gsm);
1011 	schedule_delayed_work(&gsm->kick_timeout, 10 * gsm->t1 * HZ / 100);
1012 }
1013 
1014 /**
1015  *	gsm_data_queue		-	queue a UI or UIH frame
1016  *	@dlci: DLCI sending the data
1017  *	@msg: message queued
1018  *
1019  *	Add data to the transmit queue and try and get stuff moving
1020  *	out of the mux tty if not already doing so. Take the
1021  *	the gsm tx lock and dlci lock.
1022  */
1023 
1024 static void gsm_data_queue(struct gsm_dlci *dlci, struct gsm_msg *msg)
1025 {
1026 	mutex_lock(&dlci->gsm->tx_mutex);
1027 	__gsm_data_queue(dlci, msg);
1028 	mutex_unlock(&dlci->gsm->tx_mutex);
1029 }
1030 
1031 /**
1032  *	gsm_dlci_data_output	-	try and push data out of a DLCI
1033  *	@gsm: mux
1034  *	@dlci: the DLCI to pull data from
1035  *
1036  *	Pull data from a DLCI and send it into the transmit queue if there
1037  *	is data. Keep to the MRU of the mux. This path handles the usual tty
1038  *	interface which is a byte stream with optional modem data.
1039  *
1040  *	Caller must hold the tx_mutex of the mux.
1041  */
1042 
1043 static int gsm_dlci_data_output(struct gsm_mux *gsm, struct gsm_dlci *dlci)
1044 {
1045 	struct gsm_msg *msg;
1046 	u8 *dp;
1047 	int h, len, size;
1048 
1049 	/* for modem bits without break data */
1050 	h = ((dlci->adaption == 1) ? 0 : 1);
1051 
1052 	len = kfifo_len(&dlci->fifo);
1053 	if (len == 0)
1054 		return 0;
1055 
1056 	/* MTU/MRU count only the data bits but watch adaption mode */
1057 	if ((len + h) > gsm->mtu)
1058 		len = gsm->mtu - h;
1059 
1060 	size = len + h;
1061 
1062 	msg = gsm_data_alloc(gsm, dlci->addr, size, gsm->ftype);
1063 	if (!msg)
1064 		return -ENOMEM;
1065 	dp = msg->data;
1066 	switch (dlci->adaption) {
1067 	case 1: /* Unstructured */
1068 		break;
1069 	case 2: /* Unstructured with modem bits.
1070 		 * Always one byte as we never send inline break data
1071 		 */
1072 		*dp++ = (gsm_encode_modem(dlci) << 1) | EA;
1073 		break;
1074 	default:
1075 		pr_err("%s: unsupported adaption %d\n", __func__,
1076 		       dlci->adaption);
1077 		break;
1078 	}
1079 
1080 	WARN_ON(len != kfifo_out_locked(&dlci->fifo, dp, len,
1081 		&dlci->lock));
1082 
1083 	/* Notify upper layer about available send space. */
1084 	tty_port_tty_wakeup(&dlci->port);
1085 
1086 	__gsm_data_queue(dlci, msg);
1087 	/* Bytes of data we used up */
1088 	return size;
1089 }
1090 
1091 /**
1092  *	gsm_dlci_data_output_framed  -	try and push data out of a DLCI
1093  *	@gsm: mux
1094  *	@dlci: the DLCI to pull data from
1095  *
1096  *	Pull data from a DLCI and send it into the transmit queue if there
1097  *	is data. Keep to the MRU of the mux. This path handles framed data
1098  *	queued as skbuffs to the DLCI.
1099  *
1100  *	Caller must hold the tx_mutex of the mux.
1101  */
1102 
1103 static int gsm_dlci_data_output_framed(struct gsm_mux *gsm,
1104 						struct gsm_dlci *dlci)
1105 {
1106 	struct gsm_msg *msg;
1107 	u8 *dp;
1108 	int len, size;
1109 	int last = 0, first = 0;
1110 	int overhead = 0;
1111 
1112 	/* One byte per frame is used for B/F flags */
1113 	if (dlci->adaption == 4)
1114 		overhead = 1;
1115 
1116 	/* dlci->skb is locked by tx_mutex */
1117 	if (dlci->skb == NULL) {
1118 		dlci->skb = skb_dequeue_tail(&dlci->skb_list);
1119 		if (dlci->skb == NULL)
1120 			return 0;
1121 		first = 1;
1122 	}
1123 	len = dlci->skb->len + overhead;
1124 
1125 	/* MTU/MRU count only the data bits */
1126 	if (len > gsm->mtu) {
1127 		if (dlci->adaption == 3) {
1128 			/* Over long frame, bin it */
1129 			dev_kfree_skb_any(dlci->skb);
1130 			dlci->skb = NULL;
1131 			return 0;
1132 		}
1133 		len = gsm->mtu;
1134 	} else
1135 		last = 1;
1136 
1137 	size = len + overhead;
1138 	msg = gsm_data_alloc(gsm, dlci->addr, size, gsm->ftype);
1139 	if (msg == NULL) {
1140 		skb_queue_tail(&dlci->skb_list, dlci->skb);
1141 		dlci->skb = NULL;
1142 		return -ENOMEM;
1143 	}
1144 	dp = msg->data;
1145 
1146 	if (dlci->adaption == 4) { /* Interruptible framed (Packetised Data) */
1147 		/* Flag byte to carry the start/end info */
1148 		*dp++ = last << 7 | first << 6 | 1;	/* EA */
1149 		len--;
1150 	}
1151 	memcpy(dp, dlci->skb->data, len);
1152 	skb_pull(dlci->skb, len);
1153 	__gsm_data_queue(dlci, msg);
1154 	if (last) {
1155 		dev_kfree_skb_any(dlci->skb);
1156 		dlci->skb = NULL;
1157 	}
1158 	return size;
1159 }
1160 
1161 /**
1162  *	gsm_dlci_modem_output	-	try and push modem status out of a DLCI
1163  *	@gsm: mux
1164  *	@dlci: the DLCI to pull modem status from
1165  *	@brk: break signal
1166  *
1167  *	Push an empty frame in to the transmit queue to update the modem status
1168  *	bits and to transmit an optional break.
1169  *
1170  *	Caller must hold the tx_mutex of the mux.
1171  */
1172 
1173 static int gsm_dlci_modem_output(struct gsm_mux *gsm, struct gsm_dlci *dlci,
1174 				 u8 brk)
1175 {
1176 	u8 *dp = NULL;
1177 	struct gsm_msg *msg;
1178 	int size = 0;
1179 
1180 	/* for modem bits without break data */
1181 	switch (dlci->adaption) {
1182 	case 1: /* Unstructured */
1183 		break;
1184 	case 2: /* Unstructured with modem bits. */
1185 		size++;
1186 		if (brk > 0)
1187 			size++;
1188 		break;
1189 	default:
1190 		pr_err("%s: unsupported adaption %d\n", __func__,
1191 		       dlci->adaption);
1192 		return -EINVAL;
1193 	}
1194 
1195 	msg = gsm_data_alloc(gsm, dlci->addr, size, gsm->ftype);
1196 	if (!msg) {
1197 		pr_err("%s: gsm_data_alloc error", __func__);
1198 		return -ENOMEM;
1199 	}
1200 	dp = msg->data;
1201 	switch (dlci->adaption) {
1202 	case 1: /* Unstructured */
1203 		break;
1204 	case 2: /* Unstructured with modem bits. */
1205 		if (brk == 0) {
1206 			*dp++ = (gsm_encode_modem(dlci) << 1) | EA;
1207 		} else {
1208 			*dp++ = gsm_encode_modem(dlci) << 1;
1209 			*dp++ = (brk << 4) | 2 | EA; /* Length, Break, EA */
1210 		}
1211 		break;
1212 	default:
1213 		/* Handled above */
1214 		break;
1215 	}
1216 
1217 	__gsm_data_queue(dlci, msg);
1218 	return size;
1219 }
1220 
1221 /**
1222  *	gsm_dlci_data_sweep		-	look for data to send
1223  *	@gsm: the GSM mux
1224  *
1225  *	Sweep the GSM mux channels in priority order looking for ones with
1226  *	data to send. We could do with optimising this scan a bit. We aim
1227  *	to fill the queue totally or up to TX_THRESH_HI bytes. Once we hit
1228  *	TX_THRESH_LO we get called again
1229  *
1230  *	FIXME: We should round robin between groups and in theory you can
1231  *	renegotiate DLCI priorities with optional stuff. Needs optimising.
1232  */
1233 
1234 static int gsm_dlci_data_sweep(struct gsm_mux *gsm)
1235 {
1236 	/* Priority ordering: We should do priority with RR of the groups */
1237 	int i, len, ret = 0;
1238 	bool sent;
1239 	struct gsm_dlci *dlci;
1240 
1241 	while (gsm->tx_bytes < TX_THRESH_HI) {
1242 		for (sent = false, i = 1; i < NUM_DLCI; i++) {
1243 			dlci = gsm->dlci[i];
1244 			/* skip unused or blocked channel */
1245 			if (!dlci || dlci->constipated)
1246 				continue;
1247 			/* skip channels with invalid state */
1248 			if (dlci->state != DLCI_OPEN)
1249 				continue;
1250 			/* count the sent data per adaption */
1251 			if (dlci->adaption < 3 && !dlci->net)
1252 				len = gsm_dlci_data_output(gsm, dlci);
1253 			else
1254 				len = gsm_dlci_data_output_framed(gsm, dlci);
1255 			/* on error exit */
1256 			if (len < 0)
1257 				return ret;
1258 			if (len > 0) {
1259 				ret++;
1260 				sent = true;
1261 				/* The lower DLCs can starve the higher DLCs! */
1262 				break;
1263 			}
1264 			/* try next */
1265 		}
1266 		if (!sent)
1267 			break;
1268 	};
1269 
1270 	return ret;
1271 }
1272 
1273 /**
1274  *	gsm_dlci_data_kick	-	transmit if possible
1275  *	@dlci: DLCI to kick
1276  *
1277  *	Transmit data from this DLCI if the queue is empty. We can't rely on
1278  *	a tty wakeup except when we filled the pipe so we need to fire off
1279  *	new data ourselves in other cases.
1280  */
1281 
1282 static void gsm_dlci_data_kick(struct gsm_dlci *dlci)
1283 {
1284 	int sweep;
1285 
1286 	if (dlci->constipated)
1287 		return;
1288 
1289 	mutex_lock(&dlci->gsm->tx_mutex);
1290 	/* If we have nothing running then we need to fire up */
1291 	sweep = (dlci->gsm->tx_bytes < TX_THRESH_LO);
1292 	if (dlci->gsm->tx_bytes == 0) {
1293 		if (dlci->net)
1294 			gsm_dlci_data_output_framed(dlci->gsm, dlci);
1295 		else
1296 			gsm_dlci_data_output(dlci->gsm, dlci);
1297 	}
1298 	if (sweep)
1299 		gsm_dlci_data_sweep(dlci->gsm);
1300 	mutex_unlock(&dlci->gsm->tx_mutex);
1301 }
1302 
1303 /*
1304  *	Control message processing
1305  */
1306 
1307 
1308 /**
1309  *	gsm_control_reply	-	send a response frame to a control
1310  *	@gsm: gsm channel
1311  *	@cmd: the command to use
1312  *	@data: data to follow encoded info
1313  *	@dlen: length of data
1314  *
1315  *	Encode up and queue a UI/UIH frame containing our response.
1316  */
1317 
1318 static void gsm_control_reply(struct gsm_mux *gsm, int cmd, const u8 *data,
1319 					int dlen)
1320 {
1321 	struct gsm_msg *msg;
1322 	msg = gsm_data_alloc(gsm, 0, dlen + 2, gsm->ftype);
1323 	if (msg == NULL)
1324 		return;
1325 	msg->data[0] = (cmd & 0xFE) << 1 | EA;	/* Clear C/R */
1326 	msg->data[1] = (dlen << 1) | EA;
1327 	memcpy(msg->data + 2, data, dlen);
1328 	gsm_data_queue(gsm->dlci[0], msg);
1329 }
1330 
1331 /**
1332  *	gsm_process_modem	-	process received modem status
1333  *	@tty: virtual tty bound to the DLCI
1334  *	@dlci: DLCI to affect
1335  *	@modem: modem bits (full EA)
1336  *	@slen: number of signal octets
1337  *
1338  *	Used when a modem control message or line state inline in adaption
1339  *	layer 2 is processed. Sort out the local modem state and throttles
1340  */
1341 
1342 static void gsm_process_modem(struct tty_struct *tty, struct gsm_dlci *dlci,
1343 							u32 modem, int slen)
1344 {
1345 	int  mlines = 0;
1346 	u8 brk = 0;
1347 	int fc;
1348 
1349 	/* The modem status command can either contain one octet (V.24 signals)
1350 	 * or two octets (V.24 signals + break signals). This is specified in
1351 	 * section 5.4.6.3.7 of the 07.10 mux spec.
1352 	 */
1353 
1354 	if (slen == 1)
1355 		modem = modem & 0x7f;
1356 	else {
1357 		brk = modem & 0x7f;
1358 		modem = (modem >> 7) & 0x7f;
1359 	}
1360 
1361 	/* Flow control/ready to communicate */
1362 	fc = (modem & MDM_FC) || !(modem & MDM_RTR);
1363 	if (fc && !dlci->constipated) {
1364 		/* Need to throttle our output on this device */
1365 		dlci->constipated = true;
1366 	} else if (!fc && dlci->constipated) {
1367 		dlci->constipated = false;
1368 		gsm_dlci_data_kick(dlci);
1369 	}
1370 
1371 	/* Map modem bits */
1372 	if (modem & MDM_RTC)
1373 		mlines |= TIOCM_DSR | TIOCM_DTR;
1374 	if (modem & MDM_RTR)
1375 		mlines |= TIOCM_RTS | TIOCM_CTS;
1376 	if (modem & MDM_IC)
1377 		mlines |= TIOCM_RI;
1378 	if (modem & MDM_DV)
1379 		mlines |= TIOCM_CD;
1380 
1381 	/* Carrier drop -> hangup */
1382 	if (tty) {
1383 		if ((mlines & TIOCM_CD) == 0 && (dlci->modem_rx & TIOCM_CD))
1384 			if (!C_CLOCAL(tty))
1385 				tty_hangup(tty);
1386 	}
1387 	if (brk & 0x01)
1388 		tty_insert_flip_char(&dlci->port, 0, TTY_BREAK);
1389 	dlci->modem_rx = mlines;
1390 }
1391 
1392 /**
1393  *	gsm_control_modem	-	modem status received
1394  *	@gsm: GSM channel
1395  *	@data: data following command
1396  *	@clen: command length
1397  *
1398  *	We have received a modem status control message. This is used by
1399  *	the GSM mux protocol to pass virtual modem line status and optionally
1400  *	to indicate break signals. Unpack it, convert to Linux representation
1401  *	and if need be stuff a break message down the tty.
1402  */
1403 
1404 static void gsm_control_modem(struct gsm_mux *gsm, const u8 *data, int clen)
1405 {
1406 	unsigned int addr = 0;
1407 	unsigned int modem = 0;
1408 	struct gsm_dlci *dlci;
1409 	int len = clen;
1410 	int slen;
1411 	const u8 *dp = data;
1412 	struct tty_struct *tty;
1413 
1414 	while (gsm_read_ea(&addr, *dp++) == 0) {
1415 		len--;
1416 		if (len == 0)
1417 			return;
1418 	}
1419 	/* Must be at least one byte following the EA */
1420 	len--;
1421 	if (len <= 0)
1422 		return;
1423 
1424 	addr >>= 1;
1425 	/* Closed port, or invalid ? */
1426 	if (addr == 0 || addr >= NUM_DLCI || gsm->dlci[addr] == NULL)
1427 		return;
1428 	dlci = gsm->dlci[addr];
1429 
1430 	slen = len;
1431 	while (gsm_read_ea(&modem, *dp++) == 0) {
1432 		len--;
1433 		if (len == 0)
1434 			return;
1435 	}
1436 	len--;
1437 	tty = tty_port_tty_get(&dlci->port);
1438 	gsm_process_modem(tty, dlci, modem, slen - len);
1439 	if (tty) {
1440 		tty_wakeup(tty);
1441 		tty_kref_put(tty);
1442 	}
1443 	gsm_control_reply(gsm, CMD_MSC, data, clen);
1444 }
1445 
1446 /**
1447  *	gsm_control_rls		-	remote line status
1448  *	@gsm: GSM channel
1449  *	@data: data bytes
1450  *	@clen: data length
1451  *
1452  *	The modem sends us a two byte message on the control channel whenever
1453  *	it wishes to send us an error state from the virtual link. Stuff
1454  *	this into the uplink tty if present
1455  */
1456 
1457 static void gsm_control_rls(struct gsm_mux *gsm, const u8 *data, int clen)
1458 {
1459 	struct tty_port *port;
1460 	unsigned int addr = 0;
1461 	u8 bits;
1462 	int len = clen;
1463 	const u8 *dp = data;
1464 
1465 	while (gsm_read_ea(&addr, *dp++) == 0) {
1466 		len--;
1467 		if (len == 0)
1468 			return;
1469 	}
1470 	/* Must be at least one byte following ea */
1471 	len--;
1472 	if (len <= 0)
1473 		return;
1474 	addr >>= 1;
1475 	/* Closed port, or invalid ? */
1476 	if (addr == 0 || addr >= NUM_DLCI || gsm->dlci[addr] == NULL)
1477 		return;
1478 	/* No error ? */
1479 	bits = *dp;
1480 	if ((bits & 1) == 0)
1481 		return;
1482 
1483 	port = &gsm->dlci[addr]->port;
1484 
1485 	if (bits & 2)
1486 		tty_insert_flip_char(port, 0, TTY_OVERRUN);
1487 	if (bits & 4)
1488 		tty_insert_flip_char(port, 0, TTY_PARITY);
1489 	if (bits & 8)
1490 		tty_insert_flip_char(port, 0, TTY_FRAME);
1491 
1492 	tty_flip_buffer_push(port);
1493 
1494 	gsm_control_reply(gsm, CMD_RLS, data, clen);
1495 }
1496 
1497 static void gsm_dlci_begin_close(struct gsm_dlci *dlci);
1498 
1499 /**
1500  *	gsm_control_message	-	DLCI 0 control processing
1501  *	@gsm: our GSM mux
1502  *	@command:  the command EA
1503  *	@data: data beyond the command/length EAs
1504  *	@clen: length
1505  *
1506  *	Input processor for control messages from the other end of the link.
1507  *	Processes the incoming request and queues a response frame or an
1508  *	NSC response if not supported
1509  */
1510 
1511 static void gsm_control_message(struct gsm_mux *gsm, unsigned int command,
1512 						const u8 *data, int clen)
1513 {
1514 	u8 buf[1];
1515 
1516 	switch (command) {
1517 	case CMD_CLD: {
1518 		struct gsm_dlci *dlci = gsm->dlci[0];
1519 		/* Modem wishes to close down */
1520 		if (dlci) {
1521 			dlci->dead = true;
1522 			gsm->dead = true;
1523 			gsm_dlci_begin_close(dlci);
1524 		}
1525 		}
1526 		break;
1527 	case CMD_TEST:
1528 		/* Modem wishes to test, reply with the data */
1529 		gsm_control_reply(gsm, CMD_TEST, data, clen);
1530 		break;
1531 	case CMD_FCON:
1532 		/* Modem can accept data again */
1533 		gsm->constipated = false;
1534 		gsm_control_reply(gsm, CMD_FCON, NULL, 0);
1535 		/* Kick the link in case it is idling */
1536 		gsmld_write_trigger(gsm);
1537 		break;
1538 	case CMD_FCOFF:
1539 		/* Modem wants us to STFU */
1540 		gsm->constipated = true;
1541 		gsm_control_reply(gsm, CMD_FCOFF, NULL, 0);
1542 		break;
1543 	case CMD_MSC:
1544 		/* Out of band modem line change indicator for a DLCI */
1545 		gsm_control_modem(gsm, data, clen);
1546 		break;
1547 	case CMD_RLS:
1548 		/* Out of band error reception for a DLCI */
1549 		gsm_control_rls(gsm, data, clen);
1550 		break;
1551 	case CMD_PSC:
1552 		/* Modem wishes to enter power saving state */
1553 		gsm_control_reply(gsm, CMD_PSC, NULL, 0);
1554 		break;
1555 		/* Optional unsupported commands */
1556 	case CMD_PN:	/* Parameter negotiation */
1557 	case CMD_RPN:	/* Remote port negotiation */
1558 	case CMD_SNC:	/* Service negotiation command */
1559 	default:
1560 		/* Reply to bad commands with an NSC */
1561 		buf[0] = command;
1562 		gsm_control_reply(gsm, CMD_NSC, buf, 1);
1563 		break;
1564 	}
1565 }
1566 
1567 /**
1568  *	gsm_control_response	-	process a response to our control
1569  *	@gsm: our GSM mux
1570  *	@command: the command (response) EA
1571  *	@data: data beyond the command/length EA
1572  *	@clen: length
1573  *
1574  *	Process a response to an outstanding command. We only allow a single
1575  *	control message in flight so this is fairly easy. All the clean up
1576  *	is done by the caller, we just update the fields, flag it as done
1577  *	and return
1578  */
1579 
1580 static void gsm_control_response(struct gsm_mux *gsm, unsigned int command,
1581 						const u8 *data, int clen)
1582 {
1583 	struct gsm_control *ctrl;
1584 	unsigned long flags;
1585 
1586 	spin_lock_irqsave(&gsm->control_lock, flags);
1587 
1588 	ctrl = gsm->pending_cmd;
1589 	/* Does the reply match our command */
1590 	command |= 1;
1591 	if (ctrl != NULL && (command == ctrl->cmd || command == CMD_NSC)) {
1592 		/* Our command was replied to, kill the retry timer */
1593 		del_timer(&gsm->t2_timer);
1594 		gsm->pending_cmd = NULL;
1595 		/* Rejected by the other end */
1596 		if (command == CMD_NSC)
1597 			ctrl->error = -EOPNOTSUPP;
1598 		ctrl->done = 1;
1599 		wake_up(&gsm->event);
1600 	}
1601 	spin_unlock_irqrestore(&gsm->control_lock, flags);
1602 }
1603 
1604 /**
1605  *	gsm_control_transmit	-	send control packet
1606  *	@gsm: gsm mux
1607  *	@ctrl: frame to send
1608  *
1609  *	Send out a pending control command (called under control lock)
1610  */
1611 
1612 static void gsm_control_transmit(struct gsm_mux *gsm, struct gsm_control *ctrl)
1613 {
1614 	struct gsm_msg *msg = gsm_data_alloc(gsm, 0, ctrl->len + 2, gsm->ftype);
1615 	if (msg == NULL)
1616 		return;
1617 	msg->data[0] = (ctrl->cmd << 1) | CR | EA;	/* command */
1618 	msg->data[1] = (ctrl->len << 1) | EA;
1619 	memcpy(msg->data + 2, ctrl->data, ctrl->len);
1620 	gsm_data_queue(gsm->dlci[0], msg);
1621 }
1622 
1623 /**
1624  *	gsm_control_retransmit	-	retransmit a control frame
1625  *	@t: timer contained in our gsm object
1626  *
1627  *	Called off the T2 timer expiry in order to retransmit control frames
1628  *	that have been lost in the system somewhere. The control_lock protects
1629  *	us from colliding with another sender or a receive completion event.
1630  *	In that situation the timer may still occur in a small window but
1631  *	gsm->pending_cmd will be NULL and we just let the timer expire.
1632  */
1633 
1634 static void gsm_control_retransmit(struct timer_list *t)
1635 {
1636 	struct gsm_mux *gsm = from_timer(gsm, t, t2_timer);
1637 	struct gsm_control *ctrl;
1638 	unsigned long flags;
1639 	spin_lock_irqsave(&gsm->control_lock, flags);
1640 	ctrl = gsm->pending_cmd;
1641 	if (ctrl) {
1642 		if (gsm->cretries == 0 || !gsm->dlci[0] || gsm->dlci[0]->dead) {
1643 			gsm->pending_cmd = NULL;
1644 			ctrl->error = -ETIMEDOUT;
1645 			ctrl->done = 1;
1646 			spin_unlock_irqrestore(&gsm->control_lock, flags);
1647 			wake_up(&gsm->event);
1648 			return;
1649 		}
1650 		gsm->cretries--;
1651 		gsm_control_transmit(gsm, ctrl);
1652 		mod_timer(&gsm->t2_timer, jiffies + gsm->t2 * HZ / 100);
1653 	}
1654 	spin_unlock_irqrestore(&gsm->control_lock, flags);
1655 }
1656 
1657 /**
1658  *	gsm_control_send	-	send a control frame on DLCI 0
1659  *	@gsm: the GSM channel
1660  *	@command: command  to send including CR bit
1661  *	@data: bytes of data (must be kmalloced)
1662  *	@clen: length of the block to send
1663  *
1664  *	Queue and dispatch a control command. Only one command can be
1665  *	active at a time. In theory more can be outstanding but the matching
1666  *	gets really complicated so for now stick to one outstanding.
1667  */
1668 
1669 static struct gsm_control *gsm_control_send(struct gsm_mux *gsm,
1670 		unsigned int command, u8 *data, int clen)
1671 {
1672 	struct gsm_control *ctrl = kzalloc(sizeof(struct gsm_control),
1673 						GFP_KERNEL);
1674 	unsigned long flags;
1675 	if (ctrl == NULL)
1676 		return NULL;
1677 retry:
1678 	wait_event(gsm->event, gsm->pending_cmd == NULL);
1679 	spin_lock_irqsave(&gsm->control_lock, flags);
1680 	if (gsm->pending_cmd != NULL) {
1681 		spin_unlock_irqrestore(&gsm->control_lock, flags);
1682 		goto retry;
1683 	}
1684 	ctrl->cmd = command;
1685 	ctrl->data = data;
1686 	ctrl->len = clen;
1687 	gsm->pending_cmd = ctrl;
1688 
1689 	/* If DLCI0 is in ADM mode skip retries, it won't respond */
1690 	if (gsm->dlci[0]->mode == DLCI_MODE_ADM)
1691 		gsm->cretries = 0;
1692 	else
1693 		gsm->cretries = gsm->n2;
1694 
1695 	mod_timer(&gsm->t2_timer, jiffies + gsm->t2 * HZ / 100);
1696 	gsm_control_transmit(gsm, ctrl);
1697 	spin_unlock_irqrestore(&gsm->control_lock, flags);
1698 	return ctrl;
1699 }
1700 
1701 /**
1702  *	gsm_control_wait	-	wait for a control to finish
1703  *	@gsm: GSM mux
1704  *	@control: control we are waiting on
1705  *
1706  *	Waits for the control to complete or time out. Frees any used
1707  *	resources and returns 0 for success, or an error if the remote
1708  *	rejected or ignored the request.
1709  */
1710 
1711 static int gsm_control_wait(struct gsm_mux *gsm, struct gsm_control *control)
1712 {
1713 	int err;
1714 	wait_event(gsm->event, control->done == 1);
1715 	err = control->error;
1716 	kfree(control);
1717 	return err;
1718 }
1719 
1720 
1721 /*
1722  *	DLCI level handling: Needs krefs
1723  */
1724 
1725 /*
1726  *	State transitions and timers
1727  */
1728 
1729 /**
1730  *	gsm_dlci_close		-	a DLCI has closed
1731  *	@dlci: DLCI that closed
1732  *
1733  *	Perform processing when moving a DLCI into closed state. If there
1734  *	is an attached tty this is hung up
1735  */
1736 
1737 static void gsm_dlci_close(struct gsm_dlci *dlci)
1738 {
1739 	del_timer(&dlci->t1);
1740 	if (debug & 8)
1741 		pr_debug("DLCI %d goes closed.\n", dlci->addr);
1742 	dlci->state = DLCI_CLOSED;
1743 	/* Prevent us from sending data before the link is up again */
1744 	dlci->constipated = true;
1745 	if (dlci->addr != 0) {
1746 		tty_port_tty_hangup(&dlci->port, false);
1747 		gsm_dlci_clear_queues(dlci->gsm, dlci);
1748 		/* Ensure that gsmtty_open() can return. */
1749 		tty_port_set_initialized(&dlci->port, 0);
1750 		wake_up_interruptible(&dlci->port.open_wait);
1751 	} else
1752 		dlci->gsm->dead = true;
1753 	/* A DLCI 0 close is a MUX termination so we need to kick that
1754 	   back to userspace somehow */
1755 	gsm_dlci_data_kick(dlci);
1756 	wake_up(&dlci->gsm->event);
1757 }
1758 
1759 /**
1760  *	gsm_dlci_open		-	a DLCI has opened
1761  *	@dlci: DLCI that opened
1762  *
1763  *	Perform processing when moving a DLCI into open state.
1764  */
1765 
1766 static void gsm_dlci_open(struct gsm_dlci *dlci)
1767 {
1768 	/* Note that SABM UA .. SABM UA first UA lost can mean that we go
1769 	   open -> open */
1770 	del_timer(&dlci->t1);
1771 	/* This will let a tty open continue */
1772 	dlci->state = DLCI_OPEN;
1773 	dlci->constipated = false;
1774 	if (debug & 8)
1775 		pr_debug("DLCI %d goes open.\n", dlci->addr);
1776 	/* Send current modem state */
1777 	if (dlci->addr)
1778 		gsm_modem_update(dlci, 0);
1779 	gsm_dlci_data_kick(dlci);
1780 	wake_up(&dlci->gsm->event);
1781 }
1782 
1783 /**
1784  *	gsm_dlci_t1		-	T1 timer expiry
1785  *	@t: timer contained in the DLCI that opened
1786  *
1787  *	The T1 timer handles retransmits of control frames (essentially of
1788  *	SABM and DISC). We resend the command until the retry count runs out
1789  *	in which case an opening port goes back to closed and a closing port
1790  *	is simply put into closed state (any further frames from the other
1791  *	end will get a DM response)
1792  *
1793  *	Some control dlci can stay in ADM mode with other dlci working just
1794  *	fine. In that case we can just keep the control dlci open after the
1795  *	DLCI_OPENING retries time out.
1796  */
1797 
1798 static void gsm_dlci_t1(struct timer_list *t)
1799 {
1800 	struct gsm_dlci *dlci = from_timer(dlci, t, t1);
1801 	struct gsm_mux *gsm = dlci->gsm;
1802 
1803 	switch (dlci->state) {
1804 	case DLCI_OPENING:
1805 		if (dlci->retries) {
1806 			dlci->retries--;
1807 			gsm_command(dlci->gsm, dlci->addr, SABM|PF);
1808 			mod_timer(&dlci->t1, jiffies + gsm->t1 * HZ / 100);
1809 		} else if (!dlci->addr && gsm->control == (DM | PF)) {
1810 			if (debug & 8)
1811 				pr_info("DLCI %d opening in ADM mode.\n",
1812 					dlci->addr);
1813 			dlci->mode = DLCI_MODE_ADM;
1814 			gsm_dlci_open(dlci);
1815 		} else {
1816 			gsm_dlci_begin_close(dlci); /* prevent half open link */
1817 		}
1818 
1819 		break;
1820 	case DLCI_CLOSING:
1821 		if (dlci->retries) {
1822 			dlci->retries--;
1823 			gsm_command(dlci->gsm, dlci->addr, DISC|PF);
1824 			mod_timer(&dlci->t1, jiffies + gsm->t1 * HZ / 100);
1825 		} else
1826 			gsm_dlci_close(dlci);
1827 		break;
1828 	default:
1829 		pr_debug("%s: unhandled state: %d\n", __func__, dlci->state);
1830 		break;
1831 	}
1832 }
1833 
1834 /**
1835  *	gsm_dlci_begin_open	-	start channel open procedure
1836  *	@dlci: DLCI to open
1837  *
1838  *	Commence opening a DLCI from the Linux side. We issue SABM messages
1839  *	to the modem which should then reply with a UA or ADM, at which point
1840  *	we will move into open state. Opening is done asynchronously with retry
1841  *	running off timers and the responses.
1842  */
1843 
1844 static void gsm_dlci_begin_open(struct gsm_dlci *dlci)
1845 {
1846 	struct gsm_mux *gsm = dlci->gsm;
1847 	if (dlci->state == DLCI_OPEN || dlci->state == DLCI_OPENING)
1848 		return;
1849 	dlci->retries = gsm->n2;
1850 	dlci->state = DLCI_OPENING;
1851 	gsm_command(dlci->gsm, dlci->addr, SABM|PF);
1852 	mod_timer(&dlci->t1, jiffies + gsm->t1 * HZ / 100);
1853 }
1854 
1855 /**
1856  *	gsm_dlci_set_opening	-	change state to opening
1857  *	@dlci: DLCI to open
1858  *
1859  *	Change internal state to wait for DLCI open from initiator side.
1860  *	We set off timers and responses upon reception of an SABM.
1861  */
1862 static void gsm_dlci_set_opening(struct gsm_dlci *dlci)
1863 {
1864 	switch (dlci->state) {
1865 	case DLCI_CLOSED:
1866 	case DLCI_CLOSING:
1867 		dlci->state = DLCI_OPENING;
1868 		break;
1869 	default:
1870 		break;
1871 	}
1872 }
1873 
1874 /**
1875  *	gsm_dlci_begin_close	-	start channel open procedure
1876  *	@dlci: DLCI to open
1877  *
1878  *	Commence closing a DLCI from the Linux side. We issue DISC messages
1879  *	to the modem which should then reply with a UA, at which point we
1880  *	will move into closed state. Closing is done asynchronously with retry
1881  *	off timers. We may also receive a DM reply from the other end which
1882  *	indicates the channel was already closed.
1883  */
1884 
1885 static void gsm_dlci_begin_close(struct gsm_dlci *dlci)
1886 {
1887 	struct gsm_mux *gsm = dlci->gsm;
1888 	if (dlci->state == DLCI_CLOSED || dlci->state == DLCI_CLOSING)
1889 		return;
1890 	dlci->retries = gsm->n2;
1891 	dlci->state = DLCI_CLOSING;
1892 	gsm_command(dlci->gsm, dlci->addr, DISC|PF);
1893 	mod_timer(&dlci->t1, jiffies + gsm->t1 * HZ / 100);
1894 }
1895 
1896 /**
1897  *	gsm_dlci_data		-	data arrived
1898  *	@dlci: channel
1899  *	@data: block of bytes received
1900  *	@clen: length of received block
1901  *
1902  *	A UI or UIH frame has arrived which contains data for a channel
1903  *	other than the control channel. If the relevant virtual tty is
1904  *	open we shovel the bits down it, if not we drop them.
1905  */
1906 
1907 static void gsm_dlci_data(struct gsm_dlci *dlci, const u8 *data, int clen)
1908 {
1909 	/* krefs .. */
1910 	struct tty_port *port = &dlci->port;
1911 	struct tty_struct *tty;
1912 	unsigned int modem = 0;
1913 	int len = clen;
1914 	int slen = 0;
1915 
1916 	if (debug & 16)
1917 		pr_debug("%d bytes for tty\n", len);
1918 	switch (dlci->adaption)  {
1919 	/* Unsupported types */
1920 	case 4:		/* Packetised interruptible data */
1921 		break;
1922 	case 3:		/* Packetised uininterruptible voice/data */
1923 		break;
1924 	case 2:		/* Asynchronous serial with line state in each frame */
1925 		while (gsm_read_ea(&modem, *data++) == 0) {
1926 			len--;
1927 			slen++;
1928 			if (len == 0)
1929 				return;
1930 		}
1931 		len--;
1932 		slen++;
1933 		tty = tty_port_tty_get(port);
1934 		if (tty) {
1935 			gsm_process_modem(tty, dlci, modem, slen);
1936 			tty_wakeup(tty);
1937 			tty_kref_put(tty);
1938 		}
1939 		fallthrough;
1940 	case 1:		/* Line state will go via DLCI 0 controls only */
1941 	default:
1942 		tty_insert_flip_string(port, data, len);
1943 		tty_flip_buffer_push(port);
1944 	}
1945 }
1946 
1947 /**
1948  *	gsm_dlci_command	-	data arrived on control channel
1949  *	@dlci: channel
1950  *	@data: block of bytes received
1951  *	@len: length of received block
1952  *
1953  *	A UI or UIH frame has arrived which contains data for DLCI 0 the
1954  *	control channel. This should contain a command EA followed by
1955  *	control data bytes. The command EA contains a command/response bit
1956  *	and we divide up the work accordingly.
1957  */
1958 
1959 static void gsm_dlci_command(struct gsm_dlci *dlci, const u8 *data, int len)
1960 {
1961 	/* See what command is involved */
1962 	unsigned int command = 0;
1963 	while (len-- > 0) {
1964 		if (gsm_read_ea(&command, *data++) == 1) {
1965 			int clen = *data++;
1966 			len--;
1967 			/* FIXME: this is properly an EA */
1968 			clen >>= 1;
1969 			/* Malformed command ? */
1970 			if (clen > len)
1971 				return;
1972 			if (command & 1)
1973 				gsm_control_message(dlci->gsm, command,
1974 								data, clen);
1975 			else
1976 				gsm_control_response(dlci->gsm, command,
1977 								data, clen);
1978 			return;
1979 		}
1980 	}
1981 }
1982 
1983 /**
1984  *	gsm_kick_timeout	-	transmit if possible
1985  *	@work: work contained in our gsm object
1986  *
1987  *	Transmit data from DLCIs if the queue is empty. We can't rely on
1988  *	a tty wakeup except when we filled the pipe so we need to fire off
1989  *	new data ourselves in other cases.
1990  */
1991 static void gsm_kick_timeout(struct work_struct *work)
1992 {
1993 	struct gsm_mux *gsm = container_of(work, struct gsm_mux, kick_timeout.work);
1994 	int sent = 0;
1995 
1996 	mutex_lock(&gsm->tx_mutex);
1997 	/* If we have nothing running then we need to fire up */
1998 	if (gsm->tx_bytes < TX_THRESH_LO)
1999 		sent = gsm_dlci_data_sweep(gsm);
2000 	mutex_unlock(&gsm->tx_mutex);
2001 
2002 	if (sent && debug & 4)
2003 		pr_info("%s TX queue stalled\n", __func__);
2004 }
2005 
2006 /*
2007  *	Allocate/Free DLCI channels
2008  */
2009 
2010 /**
2011  *	gsm_dlci_alloc		-	allocate a DLCI
2012  *	@gsm: GSM mux
2013  *	@addr: address of the DLCI
2014  *
2015  *	Allocate and install a new DLCI object into the GSM mux.
2016  *
2017  *	FIXME: review locking races
2018  */
2019 
2020 static struct gsm_dlci *gsm_dlci_alloc(struct gsm_mux *gsm, int addr)
2021 {
2022 	struct gsm_dlci *dlci = kzalloc(sizeof(struct gsm_dlci), GFP_ATOMIC);
2023 	if (dlci == NULL)
2024 		return NULL;
2025 	spin_lock_init(&dlci->lock);
2026 	mutex_init(&dlci->mutex);
2027 	if (kfifo_alloc(&dlci->fifo, TX_SIZE, GFP_KERNEL) < 0) {
2028 		kfree(dlci);
2029 		return NULL;
2030 	}
2031 
2032 	skb_queue_head_init(&dlci->skb_list);
2033 	timer_setup(&dlci->t1, gsm_dlci_t1, 0);
2034 	tty_port_init(&dlci->port);
2035 	dlci->port.ops = &gsm_port_ops;
2036 	dlci->gsm = gsm;
2037 	dlci->addr = addr;
2038 	dlci->adaption = gsm->adaption;
2039 	dlci->state = DLCI_CLOSED;
2040 	if (addr) {
2041 		dlci->data = gsm_dlci_data;
2042 		/* Prevent us from sending data before the link is up */
2043 		dlci->constipated = true;
2044 	} else {
2045 		dlci->data = gsm_dlci_command;
2046 	}
2047 	gsm->dlci[addr] = dlci;
2048 	return dlci;
2049 }
2050 
2051 /**
2052  *	gsm_dlci_free		-	free DLCI
2053  *	@port: tty port for DLCI to free
2054  *
2055  *	Free up a DLCI.
2056  *
2057  *	Can sleep.
2058  */
2059 static void gsm_dlci_free(struct tty_port *port)
2060 {
2061 	struct gsm_dlci *dlci = container_of(port, struct gsm_dlci, port);
2062 
2063 	del_timer_sync(&dlci->t1);
2064 	dlci->gsm->dlci[dlci->addr] = NULL;
2065 	kfifo_free(&dlci->fifo);
2066 	while ((dlci->skb = skb_dequeue(&dlci->skb_list)))
2067 		dev_kfree_skb(dlci->skb);
2068 	kfree(dlci);
2069 }
2070 
2071 static inline void dlci_get(struct gsm_dlci *dlci)
2072 {
2073 	tty_port_get(&dlci->port);
2074 }
2075 
2076 static inline void dlci_put(struct gsm_dlci *dlci)
2077 {
2078 	tty_port_put(&dlci->port);
2079 }
2080 
2081 static void gsm_destroy_network(struct gsm_dlci *dlci);
2082 
2083 /**
2084  *	gsm_dlci_release		-	release DLCI
2085  *	@dlci: DLCI to destroy
2086  *
2087  *	Release a DLCI. Actual free is deferred until either
2088  *	mux is closed or tty is closed - whichever is last.
2089  *
2090  *	Can sleep.
2091  */
2092 static void gsm_dlci_release(struct gsm_dlci *dlci)
2093 {
2094 	struct tty_struct *tty = tty_port_tty_get(&dlci->port);
2095 	if (tty) {
2096 		mutex_lock(&dlci->mutex);
2097 		gsm_destroy_network(dlci);
2098 		mutex_unlock(&dlci->mutex);
2099 
2100 		/* We cannot use tty_hangup() because in tty_kref_put() the tty
2101 		 * driver assumes that the hangup queue is free and reuses it to
2102 		 * queue release_one_tty() -> NULL pointer panic in
2103 		 * process_one_work().
2104 		 */
2105 		tty_vhangup(tty);
2106 
2107 		tty_port_tty_set(&dlci->port, NULL);
2108 		tty_kref_put(tty);
2109 	}
2110 	dlci->state = DLCI_CLOSED;
2111 	dlci_put(dlci);
2112 }
2113 
2114 /*
2115  *	LAPBish link layer logic
2116  */
2117 
2118 /**
2119  *	gsm_queue		-	a GSM frame is ready to process
2120  *	@gsm: pointer to our gsm mux
2121  *
2122  *	At this point in time a frame has arrived and been demangled from
2123  *	the line encoding. All the differences between the encodings have
2124  *	been handled below us and the frame is unpacked into the structures.
2125  *	The fcs holds the header FCS but any data FCS must be added here.
2126  */
2127 
2128 static void gsm_queue(struct gsm_mux *gsm)
2129 {
2130 	struct gsm_dlci *dlci;
2131 	u8 cr;
2132 	int address;
2133 
2134 	if (gsm->fcs != GOOD_FCS) {
2135 		gsm->bad_fcs++;
2136 		if (debug & 4)
2137 			pr_debug("BAD FCS %02x\n", gsm->fcs);
2138 		return;
2139 	}
2140 	address = gsm->address >> 1;
2141 	if (address >= NUM_DLCI)
2142 		goto invalid;
2143 
2144 	cr = gsm->address & 1;		/* C/R bit */
2145 	cr ^= gsm->initiator ? 0 : 1;	/* Flip so 1 always means command */
2146 
2147 	gsm_print_packet("<--", address, cr, gsm->control, gsm->buf, gsm->len);
2148 
2149 	dlci = gsm->dlci[address];
2150 
2151 	switch (gsm->control) {
2152 	case SABM|PF:
2153 		if (cr == 1)
2154 			goto invalid;
2155 		if (dlci == NULL)
2156 			dlci = gsm_dlci_alloc(gsm, address);
2157 		if (dlci == NULL)
2158 			return;
2159 		if (dlci->dead)
2160 			gsm_response(gsm, address, DM|PF);
2161 		else {
2162 			gsm_response(gsm, address, UA|PF);
2163 			gsm_dlci_open(dlci);
2164 		}
2165 		break;
2166 	case DISC|PF:
2167 		if (cr == 1)
2168 			goto invalid;
2169 		if (dlci == NULL || dlci->state == DLCI_CLOSED) {
2170 			gsm_response(gsm, address, DM|PF);
2171 			return;
2172 		}
2173 		/* Real close complete */
2174 		gsm_response(gsm, address, UA|PF);
2175 		gsm_dlci_close(dlci);
2176 		break;
2177 	case UA|PF:
2178 		if (cr == 0 || dlci == NULL)
2179 			break;
2180 		switch (dlci->state) {
2181 		case DLCI_CLOSING:
2182 			gsm_dlci_close(dlci);
2183 			break;
2184 		case DLCI_OPENING:
2185 			gsm_dlci_open(dlci);
2186 			break;
2187 		default:
2188 			pr_debug("%s: unhandled state: %d\n", __func__,
2189 					dlci->state);
2190 			break;
2191 		}
2192 		break;
2193 	case DM:	/* DM can be valid unsolicited */
2194 	case DM|PF:
2195 		if (cr)
2196 			goto invalid;
2197 		if (dlci == NULL)
2198 			return;
2199 		gsm_dlci_close(dlci);
2200 		break;
2201 	case UI:
2202 	case UI|PF:
2203 	case UIH:
2204 	case UIH|PF:
2205 		if (dlci == NULL || dlci->state != DLCI_OPEN) {
2206 			gsm_response(gsm, address, DM|PF);
2207 			return;
2208 		}
2209 		dlci->data(dlci, gsm->buf, gsm->len);
2210 		break;
2211 	default:
2212 		goto invalid;
2213 	}
2214 	return;
2215 invalid:
2216 	gsm->malformed++;
2217 	return;
2218 }
2219 
2220 
2221 /**
2222  *	gsm0_receive	-	perform processing for non-transparency
2223  *	@gsm: gsm data for this ldisc instance
2224  *	@c: character
2225  *
2226  *	Receive bytes in gsm mode 0
2227  */
2228 
2229 static void gsm0_receive(struct gsm_mux *gsm, unsigned char c)
2230 {
2231 	unsigned int len;
2232 
2233 	switch (gsm->state) {
2234 	case GSM_SEARCH:	/* SOF marker */
2235 		if (c == GSM0_SOF) {
2236 			gsm->state = GSM_ADDRESS;
2237 			gsm->address = 0;
2238 			gsm->len = 0;
2239 			gsm->fcs = INIT_FCS;
2240 		}
2241 		break;
2242 	case GSM_ADDRESS:	/* Address EA */
2243 		gsm->fcs = gsm_fcs_add(gsm->fcs, c);
2244 		if (gsm_read_ea(&gsm->address, c))
2245 			gsm->state = GSM_CONTROL;
2246 		break;
2247 	case GSM_CONTROL:	/* Control Byte */
2248 		gsm->fcs = gsm_fcs_add(gsm->fcs, c);
2249 		gsm->control = c;
2250 		gsm->state = GSM_LEN0;
2251 		break;
2252 	case GSM_LEN0:		/* Length EA */
2253 		gsm->fcs = gsm_fcs_add(gsm->fcs, c);
2254 		if (gsm_read_ea(&gsm->len, c)) {
2255 			if (gsm->len > gsm->mru) {
2256 				gsm->bad_size++;
2257 				gsm->state = GSM_SEARCH;
2258 				break;
2259 			}
2260 			gsm->count = 0;
2261 			if (!gsm->len)
2262 				gsm->state = GSM_FCS;
2263 			else
2264 				gsm->state = GSM_DATA;
2265 			break;
2266 		}
2267 		gsm->state = GSM_LEN1;
2268 		break;
2269 	case GSM_LEN1:
2270 		gsm->fcs = gsm_fcs_add(gsm->fcs, c);
2271 		len = c;
2272 		gsm->len |= len << 7;
2273 		if (gsm->len > gsm->mru) {
2274 			gsm->bad_size++;
2275 			gsm->state = GSM_SEARCH;
2276 			break;
2277 		}
2278 		gsm->count = 0;
2279 		if (!gsm->len)
2280 			gsm->state = GSM_FCS;
2281 		else
2282 			gsm->state = GSM_DATA;
2283 		break;
2284 	case GSM_DATA:		/* Data */
2285 		gsm->buf[gsm->count++] = c;
2286 		if (gsm->count == gsm->len) {
2287 			/* Calculate final FCS for UI frames over all data */
2288 			if ((gsm->control & ~PF) != UIH) {
2289 				gsm->fcs = gsm_fcs_add_block(gsm->fcs, gsm->buf,
2290 							     gsm->count);
2291 			}
2292 			gsm->state = GSM_FCS;
2293 		}
2294 		break;
2295 	case GSM_FCS:		/* FCS follows the packet */
2296 		gsm->fcs = gsm_fcs_add(gsm->fcs, c);
2297 		gsm->state = GSM_SSOF;
2298 		break;
2299 	case GSM_SSOF:
2300 		gsm->state = GSM_SEARCH;
2301 		if (c == GSM0_SOF)
2302 			gsm_queue(gsm);
2303 		else
2304 			gsm->bad_size++;
2305 		break;
2306 	default:
2307 		pr_debug("%s: unhandled state: %d\n", __func__, gsm->state);
2308 		break;
2309 	}
2310 }
2311 
2312 /**
2313  *	gsm1_receive	-	perform processing for non-transparency
2314  *	@gsm: gsm data for this ldisc instance
2315  *	@c: character
2316  *
2317  *	Receive bytes in mode 1 (Advanced option)
2318  */
2319 
2320 static void gsm1_receive(struct gsm_mux *gsm, unsigned char c)
2321 {
2322 	/* handle XON/XOFF */
2323 	if ((c & ISO_IEC_646_MASK) == XON) {
2324 		gsm->constipated = true;
2325 		return;
2326 	} else if ((c & ISO_IEC_646_MASK) == XOFF) {
2327 		gsm->constipated = false;
2328 		/* Kick the link in case it is idling */
2329 		gsmld_write_trigger(gsm);
2330 		return;
2331 	}
2332 	if (c == GSM1_SOF) {
2333 		/* EOF is only valid in frame if we have got to the data state */
2334 		if (gsm->state == GSM_DATA) {
2335 			if (gsm->count < 1) {
2336 				/* Missing FSC */
2337 				gsm->malformed++;
2338 				gsm->state = GSM_START;
2339 				return;
2340 			}
2341 			/* Remove the FCS from data */
2342 			gsm->count--;
2343 			if ((gsm->control & ~PF) != UIH) {
2344 				/* Calculate final FCS for UI frames over all
2345 				 * data but FCS
2346 				 */
2347 				gsm->fcs = gsm_fcs_add_block(gsm->fcs, gsm->buf,
2348 							     gsm->count);
2349 			}
2350 			/* Add the FCS itself to test against GOOD_FCS */
2351 			gsm->fcs = gsm_fcs_add(gsm->fcs, gsm->buf[gsm->count]);
2352 			gsm->len = gsm->count;
2353 			gsm_queue(gsm);
2354 			gsm->state  = GSM_START;
2355 			return;
2356 		}
2357 		/* Any partial frame was a runt so go back to start */
2358 		if (gsm->state != GSM_START) {
2359 			if (gsm->state != GSM_SEARCH)
2360 				gsm->malformed++;
2361 			gsm->state = GSM_START;
2362 		}
2363 		/* A SOF in GSM_START means we are still reading idling or
2364 		   framing bytes */
2365 		return;
2366 	}
2367 
2368 	if (c == GSM1_ESCAPE) {
2369 		gsm->escape = true;
2370 		return;
2371 	}
2372 
2373 	/* Only an unescaped SOF gets us out of GSM search */
2374 	if (gsm->state == GSM_SEARCH)
2375 		return;
2376 
2377 	if (gsm->escape) {
2378 		c ^= GSM1_ESCAPE_BITS;
2379 		gsm->escape = false;
2380 	}
2381 	switch (gsm->state) {
2382 	case GSM_START:		/* First byte after SOF */
2383 		gsm->address = 0;
2384 		gsm->state = GSM_ADDRESS;
2385 		gsm->fcs = INIT_FCS;
2386 		fallthrough;
2387 	case GSM_ADDRESS:	/* Address continuation */
2388 		gsm->fcs = gsm_fcs_add(gsm->fcs, c);
2389 		if (gsm_read_ea(&gsm->address, c))
2390 			gsm->state = GSM_CONTROL;
2391 		break;
2392 	case GSM_CONTROL:	/* Control Byte */
2393 		gsm->fcs = gsm_fcs_add(gsm->fcs, c);
2394 		gsm->control = c;
2395 		gsm->count = 0;
2396 		gsm->state = GSM_DATA;
2397 		break;
2398 	case GSM_DATA:		/* Data */
2399 		if (gsm->count > gsm->mru) {	/* Allow one for the FCS */
2400 			gsm->state = GSM_OVERRUN;
2401 			gsm->bad_size++;
2402 		} else
2403 			gsm->buf[gsm->count++] = c;
2404 		break;
2405 	case GSM_OVERRUN:	/* Over-long - eg a dropped SOF */
2406 		break;
2407 	default:
2408 		pr_debug("%s: unhandled state: %d\n", __func__, gsm->state);
2409 		break;
2410 	}
2411 }
2412 
2413 /**
2414  *	gsm_error		-	handle tty error
2415  *	@gsm: ldisc data
2416  *
2417  *	Handle an error in the receipt of data for a frame. Currently we just
2418  *	go back to hunting for a SOF.
2419  *
2420  *	FIXME: better diagnostics ?
2421  */
2422 
2423 static void gsm_error(struct gsm_mux *gsm)
2424 {
2425 	gsm->state = GSM_SEARCH;
2426 	gsm->io_error++;
2427 }
2428 
2429 /**
2430  *	gsm_cleanup_mux		-	generic GSM protocol cleanup
2431  *	@gsm: our mux
2432  *	@disc: disconnect link?
2433  *
2434  *	Clean up the bits of the mux which are the same for all framing
2435  *	protocols. Remove the mux from the mux table, stop all the timers
2436  *	and then shut down each device hanging up the channels as we go.
2437  */
2438 
2439 static void gsm_cleanup_mux(struct gsm_mux *gsm, bool disc)
2440 {
2441 	int i;
2442 	struct gsm_dlci *dlci = gsm->dlci[0];
2443 	struct gsm_msg *txq, *ntxq;
2444 
2445 	gsm->dead = true;
2446 	mutex_lock(&gsm->mutex);
2447 
2448 	if (dlci) {
2449 		if (disc && dlci->state != DLCI_CLOSED) {
2450 			gsm_dlci_begin_close(dlci);
2451 			wait_event(gsm->event, dlci->state == DLCI_CLOSED);
2452 		}
2453 		dlci->dead = true;
2454 	}
2455 
2456 	/* Finish outstanding timers, making sure they are done */
2457 	cancel_delayed_work_sync(&gsm->kick_timeout);
2458 	del_timer_sync(&gsm->t2_timer);
2459 
2460 	/* Finish writing to ldisc */
2461 	flush_work(&gsm->tx_work);
2462 
2463 	/* Free up any link layer users and finally the control channel */
2464 	if (gsm->has_devices) {
2465 		gsm_unregister_devices(gsm_tty_driver, gsm->num);
2466 		gsm->has_devices = false;
2467 	}
2468 	for (i = NUM_DLCI - 1; i >= 0; i--)
2469 		if (gsm->dlci[i])
2470 			gsm_dlci_release(gsm->dlci[i]);
2471 	mutex_unlock(&gsm->mutex);
2472 	/* Now wipe the queues */
2473 	tty_ldisc_flush(gsm->tty);
2474 	list_for_each_entry_safe(txq, ntxq, &gsm->tx_ctrl_list, list)
2475 		kfree(txq);
2476 	INIT_LIST_HEAD(&gsm->tx_ctrl_list);
2477 	list_for_each_entry_safe(txq, ntxq, &gsm->tx_data_list, list)
2478 		kfree(txq);
2479 	INIT_LIST_HEAD(&gsm->tx_data_list);
2480 }
2481 
2482 /**
2483  *	gsm_activate_mux	-	generic GSM setup
2484  *	@gsm: our mux
2485  *
2486  *	Set up the bits of the mux which are the same for all framing
2487  *	protocols. Add the mux to the mux table so it can be opened and
2488  *	finally kick off connecting to DLCI 0 on the modem.
2489  */
2490 
2491 static int gsm_activate_mux(struct gsm_mux *gsm)
2492 {
2493 	struct gsm_dlci *dlci;
2494 	int ret;
2495 
2496 	dlci = gsm_dlci_alloc(gsm, 0);
2497 	if (dlci == NULL)
2498 		return -ENOMEM;
2499 
2500 	if (gsm->encoding == 0)
2501 		gsm->receive = gsm0_receive;
2502 	else
2503 		gsm->receive = gsm1_receive;
2504 
2505 	ret = gsm_register_devices(gsm_tty_driver, gsm->num);
2506 	if (ret)
2507 		return ret;
2508 
2509 	gsm->has_devices = true;
2510 	gsm->dead = false;		/* Tty opens are now permissible */
2511 	return 0;
2512 }
2513 
2514 /**
2515  *	gsm_free_mux		-	free up a mux
2516  *	@gsm: mux to free
2517  *
2518  *	Dispose of allocated resources for a dead mux
2519  */
2520 static void gsm_free_mux(struct gsm_mux *gsm)
2521 {
2522 	int i;
2523 
2524 	for (i = 0; i < MAX_MUX; i++) {
2525 		if (gsm == gsm_mux[i]) {
2526 			gsm_mux[i] = NULL;
2527 			break;
2528 		}
2529 	}
2530 	mutex_destroy(&gsm->tx_mutex);
2531 	mutex_destroy(&gsm->mutex);
2532 	kfree(gsm->txframe);
2533 	kfree(gsm->buf);
2534 	kfree(gsm);
2535 }
2536 
2537 /**
2538  *	gsm_free_muxr		-	free up a mux
2539  *	@ref: kreference to the mux to free
2540  *
2541  *	Dispose of allocated resources for a dead mux
2542  */
2543 static void gsm_free_muxr(struct kref *ref)
2544 {
2545 	struct gsm_mux *gsm = container_of(ref, struct gsm_mux, ref);
2546 	gsm_free_mux(gsm);
2547 }
2548 
2549 static inline void mux_get(struct gsm_mux *gsm)
2550 {
2551 	unsigned long flags;
2552 
2553 	spin_lock_irqsave(&gsm_mux_lock, flags);
2554 	kref_get(&gsm->ref);
2555 	spin_unlock_irqrestore(&gsm_mux_lock, flags);
2556 }
2557 
2558 static inline void mux_put(struct gsm_mux *gsm)
2559 {
2560 	unsigned long flags;
2561 
2562 	spin_lock_irqsave(&gsm_mux_lock, flags);
2563 	kref_put(&gsm->ref, gsm_free_muxr);
2564 	spin_unlock_irqrestore(&gsm_mux_lock, flags);
2565 }
2566 
2567 static inline unsigned int mux_num_to_base(struct gsm_mux *gsm)
2568 {
2569 	return gsm->num * NUM_DLCI;
2570 }
2571 
2572 static inline unsigned int mux_line_to_num(unsigned int line)
2573 {
2574 	return line / NUM_DLCI;
2575 }
2576 
2577 /**
2578  *	gsm_alloc_mux		-	allocate a mux
2579  *
2580  *	Creates a new mux ready for activation.
2581  */
2582 
2583 static struct gsm_mux *gsm_alloc_mux(void)
2584 {
2585 	int i;
2586 	struct gsm_mux *gsm = kzalloc(sizeof(struct gsm_mux), GFP_KERNEL);
2587 	if (gsm == NULL)
2588 		return NULL;
2589 	gsm->buf = kmalloc(MAX_MRU + 1, GFP_KERNEL);
2590 	if (gsm->buf == NULL) {
2591 		kfree(gsm);
2592 		return NULL;
2593 	}
2594 	gsm->txframe = kmalloc(2 * (MAX_MTU + PROT_OVERHEAD - 1), GFP_KERNEL);
2595 	if (gsm->txframe == NULL) {
2596 		kfree(gsm->buf);
2597 		kfree(gsm);
2598 		return NULL;
2599 	}
2600 	spin_lock_init(&gsm->lock);
2601 	mutex_init(&gsm->mutex);
2602 	mutex_init(&gsm->tx_mutex);
2603 	kref_init(&gsm->ref);
2604 	INIT_LIST_HEAD(&gsm->tx_ctrl_list);
2605 	INIT_LIST_HEAD(&gsm->tx_data_list);
2606 	INIT_DELAYED_WORK(&gsm->kick_timeout, gsm_kick_timeout);
2607 	timer_setup(&gsm->t2_timer, gsm_control_retransmit, 0);
2608 	INIT_WORK(&gsm->tx_work, gsmld_write_task);
2609 	init_waitqueue_head(&gsm->event);
2610 	spin_lock_init(&gsm->control_lock);
2611 
2612 	gsm->t1 = T1;
2613 	gsm->t2 = T2;
2614 	gsm->n2 = N2;
2615 	gsm->ftype = UIH;
2616 	gsm->adaption = 1;
2617 	gsm->encoding = 1;
2618 	gsm->mru = 64;	/* Default to encoding 1 so these should be 64 */
2619 	gsm->mtu = 64;
2620 	gsm->dead = true;	/* Avoid early tty opens */
2621 
2622 	/* Store the instance to the mux array or abort if no space is
2623 	 * available.
2624 	 */
2625 	spin_lock(&gsm_mux_lock);
2626 	for (i = 0; i < MAX_MUX; i++) {
2627 		if (!gsm_mux[i]) {
2628 			gsm_mux[i] = gsm;
2629 			gsm->num = i;
2630 			break;
2631 		}
2632 	}
2633 	spin_unlock(&gsm_mux_lock);
2634 	if (i == MAX_MUX) {
2635 		mutex_destroy(&gsm->tx_mutex);
2636 		mutex_destroy(&gsm->mutex);
2637 		kfree(gsm->txframe);
2638 		kfree(gsm->buf);
2639 		kfree(gsm);
2640 		return NULL;
2641 	}
2642 
2643 	return gsm;
2644 }
2645 
2646 static void gsm_copy_config_values(struct gsm_mux *gsm,
2647 				   struct gsm_config *c)
2648 {
2649 	memset(c, 0, sizeof(*c));
2650 	c->adaption = gsm->adaption;
2651 	c->encapsulation = gsm->encoding;
2652 	c->initiator = gsm->initiator;
2653 	c->t1 = gsm->t1;
2654 	c->t2 = gsm->t2;
2655 	c->t3 = 0;	/* Not supported */
2656 	c->n2 = gsm->n2;
2657 	if (gsm->ftype == UIH)
2658 		c->i = 1;
2659 	else
2660 		c->i = 2;
2661 	pr_debug("Ftype %d i %d\n", gsm->ftype, c->i);
2662 	c->mru = gsm->mru;
2663 	c->mtu = gsm->mtu;
2664 	c->k = 0;
2665 }
2666 
2667 static int gsm_config(struct gsm_mux *gsm, struct gsm_config *c)
2668 {
2669 	int ret = 0;
2670 	int need_close = 0;
2671 	int need_restart = 0;
2672 
2673 	/* Stuff we don't support yet - UI or I frame transport, windowing */
2674 	if ((c->adaption != 1 && c->adaption != 2) || c->k)
2675 		return -EOPNOTSUPP;
2676 	/* Check the MRU/MTU range looks sane */
2677 	if (c->mru > MAX_MRU || c->mtu > MAX_MTU || c->mru < 8 || c->mtu < 8)
2678 		return -EINVAL;
2679 	if (c->n2 > 255)
2680 		return -EINVAL;
2681 	if (c->encapsulation > 1)	/* Basic, advanced, no I */
2682 		return -EINVAL;
2683 	if (c->initiator > 1)
2684 		return -EINVAL;
2685 	if (c->i == 0 || c->i > 2)	/* UIH and UI only */
2686 		return -EINVAL;
2687 	/*
2688 	 * See what is needed for reconfiguration
2689 	 */
2690 
2691 	/* Timing fields */
2692 	if (c->t1 != 0 && c->t1 != gsm->t1)
2693 		need_restart = 1;
2694 	if (c->t2 != 0 && c->t2 != gsm->t2)
2695 		need_restart = 1;
2696 	if (c->encapsulation != gsm->encoding)
2697 		need_restart = 1;
2698 	if (c->adaption != gsm->adaption)
2699 		need_restart = 1;
2700 	/* Requires care */
2701 	if (c->initiator != gsm->initiator)
2702 		need_close = 1;
2703 	if (c->mru != gsm->mru)
2704 		need_restart = 1;
2705 	if (c->mtu != gsm->mtu)
2706 		need_restart = 1;
2707 
2708 	/*
2709 	 * Close down what is needed, restart and initiate the new
2710 	 * configuration. On the first time there is no DLCI[0]
2711 	 * and closing or cleaning up is not necessary.
2712 	 */
2713 	if (need_close || need_restart)
2714 		gsm_cleanup_mux(gsm, true);
2715 
2716 	gsm->initiator = c->initiator;
2717 	gsm->mru = c->mru;
2718 	gsm->mtu = c->mtu;
2719 	gsm->encoding = c->encapsulation;
2720 	gsm->adaption = c->adaption;
2721 	gsm->n2 = c->n2;
2722 
2723 	if (c->i == 1)
2724 		gsm->ftype = UIH;
2725 	else if (c->i == 2)
2726 		gsm->ftype = UI;
2727 
2728 	if (c->t1)
2729 		gsm->t1 = c->t1;
2730 	if (c->t2)
2731 		gsm->t2 = c->t2;
2732 
2733 	/*
2734 	 * FIXME: We need to separate activation/deactivation from adding
2735 	 * and removing from the mux array
2736 	 */
2737 	if (gsm->dead) {
2738 		ret = gsm_activate_mux(gsm);
2739 		if (ret)
2740 			return ret;
2741 		if (gsm->initiator)
2742 			gsm_dlci_begin_open(gsm->dlci[0]);
2743 	}
2744 	return 0;
2745 }
2746 
2747 /**
2748  *	gsmld_output		-	write to link
2749  *	@gsm: our mux
2750  *	@data: bytes to output
2751  *	@len: size
2752  *
2753  *	Write a block of data from the GSM mux to the data channel. This
2754  *	will eventually be serialized from above but at the moment isn't.
2755  */
2756 
2757 static int gsmld_output(struct gsm_mux *gsm, u8 *data, int len)
2758 {
2759 	if (tty_write_room(gsm->tty) < len) {
2760 		set_bit(TTY_DO_WRITE_WAKEUP, &gsm->tty->flags);
2761 		return -ENOSPC;
2762 	}
2763 	if (debug & 4)
2764 		gsm_hex_dump_bytes(__func__, data, len);
2765 	return gsm->tty->ops->write(gsm->tty, data, len);
2766 }
2767 
2768 
2769 /**
2770  *	gsmld_write_trigger	-	schedule ldisc write task
2771  *	@gsm: our mux
2772  */
2773 static void gsmld_write_trigger(struct gsm_mux *gsm)
2774 {
2775 	if (!gsm || !gsm->dlci[0] || gsm->dlci[0]->dead)
2776 		return;
2777 	schedule_work(&gsm->tx_work);
2778 }
2779 
2780 
2781 /**
2782  *	gsmld_write_task	-	ldisc write task
2783  *	@work: our tx write work
2784  *
2785  *	Writes out data to the ldisc if possible. We are doing this here to
2786  *	avoid dead-locking. This returns if no space or data is left for output.
2787  */
2788 static void gsmld_write_task(struct work_struct *work)
2789 {
2790 	struct gsm_mux *gsm = container_of(work, struct gsm_mux, tx_work);
2791 	int i, ret;
2792 
2793 	/* All outstanding control channel and control messages and one data
2794 	 * frame is sent.
2795 	 */
2796 	ret = -ENODEV;
2797 	mutex_lock(&gsm->tx_mutex);
2798 	if (gsm->tty)
2799 		ret = gsm_data_kick(gsm);
2800 	mutex_unlock(&gsm->tx_mutex);
2801 
2802 	if (ret >= 0)
2803 		for (i = 0; i < NUM_DLCI; i++)
2804 			if (gsm->dlci[i])
2805 				tty_port_tty_wakeup(&gsm->dlci[i]->port);
2806 }
2807 
2808 /**
2809  *	gsmld_attach_gsm	-	mode set up
2810  *	@tty: our tty structure
2811  *	@gsm: our mux
2812  *
2813  *	Set up the MUX for basic mode and commence connecting to the
2814  *	modem. Currently called from the line discipline set up but
2815  *	will need moving to an ioctl path.
2816  */
2817 
2818 static void gsmld_attach_gsm(struct tty_struct *tty, struct gsm_mux *gsm)
2819 {
2820 	gsm->tty = tty_kref_get(tty);
2821 	/* Turn off tty XON/XOFF handling to handle it explicitly. */
2822 	gsm->old_c_iflag = tty->termios.c_iflag;
2823 	tty->termios.c_iflag &= (IXON | IXOFF);
2824 }
2825 
2826 /**
2827  *	gsmld_detach_gsm	-	stop doing 0710 mux
2828  *	@tty: tty attached to the mux
2829  *	@gsm: mux
2830  *
2831  *	Shutdown and then clean up the resources used by the line discipline
2832  */
2833 
2834 static void gsmld_detach_gsm(struct tty_struct *tty, struct gsm_mux *gsm)
2835 {
2836 	WARN_ON(tty != gsm->tty);
2837 	/* Restore tty XON/XOFF handling. */
2838 	gsm->tty->termios.c_iflag = gsm->old_c_iflag;
2839 	tty_kref_put(gsm->tty);
2840 	gsm->tty = NULL;
2841 }
2842 
2843 static void gsmld_receive_buf(struct tty_struct *tty, const unsigned char *cp,
2844 			      const char *fp, int count)
2845 {
2846 	struct gsm_mux *gsm = tty->disc_data;
2847 	char flags = TTY_NORMAL;
2848 
2849 	if (debug & 4)
2850 		gsm_hex_dump_bytes(__func__, cp, count);
2851 
2852 	for (; count; count--, cp++) {
2853 		if (fp)
2854 			flags = *fp++;
2855 		switch (flags) {
2856 		case TTY_NORMAL:
2857 			if (gsm->receive)
2858 				gsm->receive(gsm, *cp);
2859 			break;
2860 		case TTY_OVERRUN:
2861 		case TTY_BREAK:
2862 		case TTY_PARITY:
2863 		case TTY_FRAME:
2864 			gsm_error(gsm);
2865 			break;
2866 		default:
2867 			WARN_ONCE(1, "%s: unknown flag %d\n",
2868 			       tty_name(tty), flags);
2869 			break;
2870 		}
2871 	}
2872 	/* FASYNC if needed ? */
2873 	/* If clogged call tty_throttle(tty); */
2874 }
2875 
2876 /**
2877  *	gsmld_flush_buffer	-	clean input queue
2878  *	@tty:	terminal device
2879  *
2880  *	Flush the input buffer. Called when the line discipline is
2881  *	being closed, when the tty layer wants the buffer flushed (eg
2882  *	at hangup).
2883  */
2884 
2885 static void gsmld_flush_buffer(struct tty_struct *tty)
2886 {
2887 }
2888 
2889 /**
2890  *	gsmld_close		-	close the ldisc for this tty
2891  *	@tty: device
2892  *
2893  *	Called from the terminal layer when this line discipline is
2894  *	being shut down, either because of a close or becsuse of a
2895  *	discipline change. The function will not be called while other
2896  *	ldisc methods are in progress.
2897  */
2898 
2899 static void gsmld_close(struct tty_struct *tty)
2900 {
2901 	struct gsm_mux *gsm = tty->disc_data;
2902 
2903 	/* The ldisc locks and closes the port before calling our close. This
2904 	 * means we have no way to do a proper disconnect. We will not bother
2905 	 * to do one.
2906 	 */
2907 	gsm_cleanup_mux(gsm, false);
2908 
2909 	gsmld_detach_gsm(tty, gsm);
2910 
2911 	gsmld_flush_buffer(tty);
2912 	/* Do other clean up here */
2913 	mux_put(gsm);
2914 }
2915 
2916 /**
2917  *	gsmld_open		-	open an ldisc
2918  *	@tty: terminal to open
2919  *
2920  *	Called when this line discipline is being attached to the
2921  *	terminal device. Can sleep. Called serialized so that no
2922  *	other events will occur in parallel. No further open will occur
2923  *	until a close.
2924  */
2925 
2926 static int gsmld_open(struct tty_struct *tty)
2927 {
2928 	struct gsm_mux *gsm;
2929 
2930 	if (tty->ops->write == NULL)
2931 		return -EINVAL;
2932 
2933 	/* Attach our ldisc data */
2934 	gsm = gsm_alloc_mux();
2935 	if (gsm == NULL)
2936 		return -ENOMEM;
2937 
2938 	tty->disc_data = gsm;
2939 	tty->receive_room = 65536;
2940 
2941 	/* Attach the initial passive connection */
2942 	gsm->encoding = 1;
2943 
2944 	gsmld_attach_gsm(tty, gsm);
2945 
2946 	return 0;
2947 }
2948 
2949 /**
2950  *	gsmld_write_wakeup	-	asynchronous I/O notifier
2951  *	@tty: tty device
2952  *
2953  *	Required for the ptys, serial driver etc. since processes
2954  *	that attach themselves to the master and rely on ASYNC
2955  *	IO must be woken up
2956  */
2957 
2958 static void gsmld_write_wakeup(struct tty_struct *tty)
2959 {
2960 	struct gsm_mux *gsm = tty->disc_data;
2961 
2962 	/* Queue poll */
2963 	gsmld_write_trigger(gsm);
2964 }
2965 
2966 /**
2967  *	gsmld_read		-	read function for tty
2968  *	@tty: tty device
2969  *	@file: file object
2970  *	@buf: userspace buffer pointer
2971  *	@nr: size of I/O
2972  *	@cookie: unused
2973  *	@offset: unused
2974  *
2975  *	Perform reads for the line discipline. We are guaranteed that the
2976  *	line discipline will not be closed under us but we may get multiple
2977  *	parallel readers and must handle this ourselves. We may also get
2978  *	a hangup. Always called in user context, may sleep.
2979  *
2980  *	This code must be sure never to sleep through a hangup.
2981  */
2982 
2983 static ssize_t gsmld_read(struct tty_struct *tty, struct file *file,
2984 			  unsigned char *buf, size_t nr,
2985 			  void **cookie, unsigned long offset)
2986 {
2987 	return -EOPNOTSUPP;
2988 }
2989 
2990 /**
2991  *	gsmld_write		-	write function for tty
2992  *	@tty: tty device
2993  *	@file: file object
2994  *	@buf: userspace buffer pointer
2995  *	@nr: size of I/O
2996  *
2997  *	Called when the owner of the device wants to send a frame
2998  *	itself (or some other control data). The data is transferred
2999  *	as-is and must be properly framed and checksummed as appropriate
3000  *	by userspace. Frames are either sent whole or not at all as this
3001  *	avoids pain user side.
3002  */
3003 
3004 static ssize_t gsmld_write(struct tty_struct *tty, struct file *file,
3005 			   const unsigned char *buf, size_t nr)
3006 {
3007 	struct gsm_mux *gsm = tty->disc_data;
3008 	int space;
3009 	int ret;
3010 
3011 	if (!gsm)
3012 		return -ENODEV;
3013 
3014 	ret = -ENOBUFS;
3015 	mutex_lock(&gsm->tx_mutex);
3016 	space = tty_write_room(tty);
3017 	if (space >= nr)
3018 		ret = tty->ops->write(tty, buf, nr);
3019 	else
3020 		set_bit(TTY_DO_WRITE_WAKEUP, &tty->flags);
3021 	mutex_unlock(&gsm->tx_mutex);
3022 
3023 	return ret;
3024 }
3025 
3026 /**
3027  *	gsmld_poll		-	poll method for N_GSM0710
3028  *	@tty: terminal device
3029  *	@file: file accessing it
3030  *	@wait: poll table
3031  *
3032  *	Called when the line discipline is asked to poll() for data or
3033  *	for special events. This code is not serialized with respect to
3034  *	other events save open/close.
3035  *
3036  *	This code must be sure never to sleep through a hangup.
3037  *	Called without the kernel lock held - fine
3038  */
3039 
3040 static __poll_t gsmld_poll(struct tty_struct *tty, struct file *file,
3041 							poll_table *wait)
3042 {
3043 	__poll_t mask = 0;
3044 	struct gsm_mux *gsm = tty->disc_data;
3045 
3046 	poll_wait(file, &tty->read_wait, wait);
3047 	poll_wait(file, &tty->write_wait, wait);
3048 
3049 	if (gsm->dead)
3050 		mask |= EPOLLHUP;
3051 	if (tty_hung_up_p(file))
3052 		mask |= EPOLLHUP;
3053 	if (test_bit(TTY_OTHER_CLOSED, &tty->flags))
3054 		mask |= EPOLLHUP;
3055 	if (!tty_is_writelocked(tty) && tty_write_room(tty) > 0)
3056 		mask |= EPOLLOUT | EPOLLWRNORM;
3057 	return mask;
3058 }
3059 
3060 static int gsmld_ioctl(struct tty_struct *tty, unsigned int cmd,
3061 		       unsigned long arg)
3062 {
3063 	struct gsm_config c;
3064 	struct gsm_mux *gsm = tty->disc_data;
3065 	unsigned int base;
3066 
3067 	switch (cmd) {
3068 	case GSMIOC_GETCONF:
3069 		gsm_copy_config_values(gsm, &c);
3070 		if (copy_to_user((void __user *)arg, &c, sizeof(c)))
3071 			return -EFAULT;
3072 		return 0;
3073 	case GSMIOC_SETCONF:
3074 		if (copy_from_user(&c, (void __user *)arg, sizeof(c)))
3075 			return -EFAULT;
3076 		return gsm_config(gsm, &c);
3077 	case GSMIOC_GETFIRST:
3078 		base = mux_num_to_base(gsm);
3079 		return put_user(base + 1, (__u32 __user *)arg);
3080 	default:
3081 		return n_tty_ioctl_helper(tty, cmd, arg);
3082 	}
3083 }
3084 
3085 /*
3086  *	Network interface
3087  *
3088  */
3089 
3090 static int gsm_mux_net_open(struct net_device *net)
3091 {
3092 	pr_debug("%s called\n", __func__);
3093 	netif_start_queue(net);
3094 	return 0;
3095 }
3096 
3097 static int gsm_mux_net_close(struct net_device *net)
3098 {
3099 	netif_stop_queue(net);
3100 	return 0;
3101 }
3102 
3103 static void dlci_net_free(struct gsm_dlci *dlci)
3104 {
3105 	if (!dlci->net) {
3106 		WARN_ON(1);
3107 		return;
3108 	}
3109 	dlci->adaption = dlci->prev_adaption;
3110 	dlci->data = dlci->prev_data;
3111 	free_netdev(dlci->net);
3112 	dlci->net = NULL;
3113 }
3114 static void net_free(struct kref *ref)
3115 {
3116 	struct gsm_mux_net *mux_net;
3117 	struct gsm_dlci *dlci;
3118 
3119 	mux_net = container_of(ref, struct gsm_mux_net, ref);
3120 	dlci = mux_net->dlci;
3121 
3122 	if (dlci->net) {
3123 		unregister_netdev(dlci->net);
3124 		dlci_net_free(dlci);
3125 	}
3126 }
3127 
3128 static inline void muxnet_get(struct gsm_mux_net *mux_net)
3129 {
3130 	kref_get(&mux_net->ref);
3131 }
3132 
3133 static inline void muxnet_put(struct gsm_mux_net *mux_net)
3134 {
3135 	kref_put(&mux_net->ref, net_free);
3136 }
3137 
3138 static netdev_tx_t gsm_mux_net_start_xmit(struct sk_buff *skb,
3139 				      struct net_device *net)
3140 {
3141 	struct gsm_mux_net *mux_net = netdev_priv(net);
3142 	struct gsm_dlci *dlci = mux_net->dlci;
3143 	muxnet_get(mux_net);
3144 
3145 	skb_queue_head(&dlci->skb_list, skb);
3146 	net->stats.tx_packets++;
3147 	net->stats.tx_bytes += skb->len;
3148 	gsm_dlci_data_kick(dlci);
3149 	/* And tell the kernel when the last transmit started. */
3150 	netif_trans_update(net);
3151 	muxnet_put(mux_net);
3152 	return NETDEV_TX_OK;
3153 }
3154 
3155 /* called when a packet did not ack after watchdogtimeout */
3156 static void gsm_mux_net_tx_timeout(struct net_device *net, unsigned int txqueue)
3157 {
3158 	/* Tell syslog we are hosed. */
3159 	dev_dbg(&net->dev, "Tx timed out.\n");
3160 
3161 	/* Update statistics */
3162 	net->stats.tx_errors++;
3163 }
3164 
3165 static void gsm_mux_rx_netchar(struct gsm_dlci *dlci,
3166 				const unsigned char *in_buf, int size)
3167 {
3168 	struct net_device *net = dlci->net;
3169 	struct sk_buff *skb;
3170 	struct gsm_mux_net *mux_net = netdev_priv(net);
3171 	muxnet_get(mux_net);
3172 
3173 	/* Allocate an sk_buff */
3174 	skb = dev_alloc_skb(size + NET_IP_ALIGN);
3175 	if (!skb) {
3176 		/* We got no receive buffer. */
3177 		net->stats.rx_dropped++;
3178 		muxnet_put(mux_net);
3179 		return;
3180 	}
3181 	skb_reserve(skb, NET_IP_ALIGN);
3182 	skb_put_data(skb, in_buf, size);
3183 
3184 	skb->dev = net;
3185 	skb->protocol = htons(ETH_P_IP);
3186 
3187 	/* Ship it off to the kernel */
3188 	netif_rx(skb);
3189 
3190 	/* update out statistics */
3191 	net->stats.rx_packets++;
3192 	net->stats.rx_bytes += size;
3193 	muxnet_put(mux_net);
3194 	return;
3195 }
3196 
3197 static void gsm_mux_net_init(struct net_device *net)
3198 {
3199 	static const struct net_device_ops gsm_netdev_ops = {
3200 		.ndo_open		= gsm_mux_net_open,
3201 		.ndo_stop		= gsm_mux_net_close,
3202 		.ndo_start_xmit		= gsm_mux_net_start_xmit,
3203 		.ndo_tx_timeout		= gsm_mux_net_tx_timeout,
3204 	};
3205 
3206 	net->netdev_ops = &gsm_netdev_ops;
3207 
3208 	/* fill in the other fields */
3209 	net->watchdog_timeo = GSM_NET_TX_TIMEOUT;
3210 	net->flags = IFF_POINTOPOINT | IFF_NOARP | IFF_MULTICAST;
3211 	net->type = ARPHRD_NONE;
3212 	net->tx_queue_len = 10;
3213 }
3214 
3215 
3216 /* caller holds the dlci mutex */
3217 static void gsm_destroy_network(struct gsm_dlci *dlci)
3218 {
3219 	struct gsm_mux_net *mux_net;
3220 
3221 	pr_debug("destroy network interface\n");
3222 	if (!dlci->net)
3223 		return;
3224 	mux_net = netdev_priv(dlci->net);
3225 	muxnet_put(mux_net);
3226 }
3227 
3228 
3229 /* caller holds the dlci mutex */
3230 static int gsm_create_network(struct gsm_dlci *dlci, struct gsm_netconfig *nc)
3231 {
3232 	char *netname;
3233 	int retval = 0;
3234 	struct net_device *net;
3235 	struct gsm_mux_net *mux_net;
3236 
3237 	if (!capable(CAP_NET_ADMIN))
3238 		return -EPERM;
3239 
3240 	/* Already in a non tty mode */
3241 	if (dlci->adaption > 2)
3242 		return -EBUSY;
3243 
3244 	if (nc->protocol != htons(ETH_P_IP))
3245 		return -EPROTONOSUPPORT;
3246 
3247 	if (nc->adaption != 3 && nc->adaption != 4)
3248 		return -EPROTONOSUPPORT;
3249 
3250 	pr_debug("create network interface\n");
3251 
3252 	netname = "gsm%d";
3253 	if (nc->if_name[0] != '\0')
3254 		netname = nc->if_name;
3255 	net = alloc_netdev(sizeof(struct gsm_mux_net), netname,
3256 			   NET_NAME_UNKNOWN, gsm_mux_net_init);
3257 	if (!net) {
3258 		pr_err("alloc_netdev failed\n");
3259 		return -ENOMEM;
3260 	}
3261 	net->mtu = dlci->gsm->mtu;
3262 	net->min_mtu = 8;
3263 	net->max_mtu = dlci->gsm->mtu;
3264 	mux_net = netdev_priv(net);
3265 	mux_net->dlci = dlci;
3266 	kref_init(&mux_net->ref);
3267 	strncpy(nc->if_name, net->name, IFNAMSIZ); /* return net name */
3268 
3269 	/* reconfigure dlci for network */
3270 	dlci->prev_adaption = dlci->adaption;
3271 	dlci->prev_data = dlci->data;
3272 	dlci->adaption = nc->adaption;
3273 	dlci->data = gsm_mux_rx_netchar;
3274 	dlci->net = net;
3275 
3276 	pr_debug("register netdev\n");
3277 	retval = register_netdev(net);
3278 	if (retval) {
3279 		pr_err("network register fail %d\n", retval);
3280 		dlci_net_free(dlci);
3281 		return retval;
3282 	}
3283 	return net->ifindex;	/* return network index */
3284 }
3285 
3286 /* Line discipline for real tty */
3287 static struct tty_ldisc_ops tty_ldisc_packet = {
3288 	.owner		 = THIS_MODULE,
3289 	.num		 = N_GSM0710,
3290 	.name            = "n_gsm",
3291 	.open            = gsmld_open,
3292 	.close           = gsmld_close,
3293 	.flush_buffer    = gsmld_flush_buffer,
3294 	.read            = gsmld_read,
3295 	.write           = gsmld_write,
3296 	.ioctl           = gsmld_ioctl,
3297 	.poll            = gsmld_poll,
3298 	.receive_buf     = gsmld_receive_buf,
3299 	.write_wakeup    = gsmld_write_wakeup
3300 };
3301 
3302 /*
3303  *	Virtual tty side
3304  */
3305 
3306 /**
3307  *	gsm_modem_upd_via_data	-	send modem bits via convergence layer
3308  *	@dlci: channel
3309  *	@brk: break signal
3310  *
3311  *	Send an empty frame to signal mobile state changes and to transmit the
3312  *	break signal for adaption 2.
3313  */
3314 
3315 static void gsm_modem_upd_via_data(struct gsm_dlci *dlci, u8 brk)
3316 {
3317 	struct gsm_mux *gsm = dlci->gsm;
3318 
3319 	if (dlci->state != DLCI_OPEN || dlci->adaption != 2)
3320 		return;
3321 
3322 	mutex_lock(&gsm->tx_mutex);
3323 	gsm_dlci_modem_output(gsm, dlci, brk);
3324 	mutex_unlock(&gsm->tx_mutex);
3325 }
3326 
3327 /**
3328  *	gsm_modem_upd_via_msc	-	send modem bits via control frame
3329  *	@dlci: channel
3330  *	@brk: break signal
3331  */
3332 
3333 static int gsm_modem_upd_via_msc(struct gsm_dlci *dlci, u8 brk)
3334 {
3335 	u8 modembits[3];
3336 	struct gsm_control *ctrl;
3337 	int len = 2;
3338 
3339 	if (dlci->gsm->encoding != 0)
3340 		return 0;
3341 
3342 	modembits[0] = (dlci->addr << 2) | 2 | EA;  /* DLCI, Valid, EA */
3343 	if (!brk) {
3344 		modembits[1] = (gsm_encode_modem(dlci) << 1) | EA;
3345 	} else {
3346 		modembits[1] = gsm_encode_modem(dlci) << 1;
3347 		modembits[2] = (brk << 4) | 2 | EA; /* Length, Break, EA */
3348 		len++;
3349 	}
3350 	ctrl = gsm_control_send(dlci->gsm, CMD_MSC, modembits, len);
3351 	if (ctrl == NULL)
3352 		return -ENOMEM;
3353 	return gsm_control_wait(dlci->gsm, ctrl);
3354 }
3355 
3356 /**
3357  *	gsm_modem_update	-	send modem status line state
3358  *	@dlci: channel
3359  *	@brk: break signal
3360  */
3361 
3362 static int gsm_modem_update(struct gsm_dlci *dlci, u8 brk)
3363 {
3364 	if (dlci->adaption == 2) {
3365 		/* Send convergence layer type 2 empty data frame. */
3366 		gsm_modem_upd_via_data(dlci, brk);
3367 		return 0;
3368 	} else if (dlci->gsm->encoding == 0) {
3369 		/* Send as MSC control message. */
3370 		return gsm_modem_upd_via_msc(dlci, brk);
3371 	}
3372 
3373 	/* Modem status lines are not supported. */
3374 	return -EPROTONOSUPPORT;
3375 }
3376 
3377 static int gsm_carrier_raised(struct tty_port *port)
3378 {
3379 	struct gsm_dlci *dlci = container_of(port, struct gsm_dlci, port);
3380 	struct gsm_mux *gsm = dlci->gsm;
3381 
3382 	/* Not yet open so no carrier info */
3383 	if (dlci->state != DLCI_OPEN)
3384 		return 0;
3385 	if (debug & 2)
3386 		return 1;
3387 
3388 	/*
3389 	 * Basic mode with control channel in ADM mode may not respond
3390 	 * to CMD_MSC at all and modem_rx is empty.
3391 	 */
3392 	if (gsm->encoding == 0 && gsm->dlci[0]->mode == DLCI_MODE_ADM &&
3393 	    !dlci->modem_rx)
3394 		return 1;
3395 
3396 	return dlci->modem_rx & TIOCM_CD;
3397 }
3398 
3399 static void gsm_dtr_rts(struct tty_port *port, int onoff)
3400 {
3401 	struct gsm_dlci *dlci = container_of(port, struct gsm_dlci, port);
3402 	unsigned int modem_tx = dlci->modem_tx;
3403 	if (onoff)
3404 		modem_tx |= TIOCM_DTR | TIOCM_RTS;
3405 	else
3406 		modem_tx &= ~(TIOCM_DTR | TIOCM_RTS);
3407 	if (modem_tx != dlci->modem_tx) {
3408 		dlci->modem_tx = modem_tx;
3409 		gsm_modem_update(dlci, 0);
3410 	}
3411 }
3412 
3413 static const struct tty_port_operations gsm_port_ops = {
3414 	.carrier_raised = gsm_carrier_raised,
3415 	.dtr_rts = gsm_dtr_rts,
3416 	.destruct = gsm_dlci_free,
3417 };
3418 
3419 static int gsmtty_install(struct tty_driver *driver, struct tty_struct *tty)
3420 {
3421 	struct gsm_mux *gsm;
3422 	struct gsm_dlci *dlci;
3423 	unsigned int line = tty->index;
3424 	unsigned int mux = mux_line_to_num(line);
3425 	bool alloc = false;
3426 	int ret;
3427 
3428 	line = line & 0x3F;
3429 
3430 	if (mux >= MAX_MUX)
3431 		return -ENXIO;
3432 	/* FIXME: we need to lock gsm_mux for lifetimes of ttys eventually */
3433 	if (gsm_mux[mux] == NULL)
3434 		return -EUNATCH;
3435 	if (line == 0 || line > 61)	/* 62/63 reserved */
3436 		return -ECHRNG;
3437 	gsm = gsm_mux[mux];
3438 	if (gsm->dead)
3439 		return -EL2HLT;
3440 	/* If DLCI 0 is not yet fully open return an error.
3441 	This is ok from a locking
3442 	perspective as we don't have to worry about this
3443 	if DLCI0 is lost */
3444 	mutex_lock(&gsm->mutex);
3445 	if (gsm->dlci[0] && gsm->dlci[0]->state != DLCI_OPEN) {
3446 		mutex_unlock(&gsm->mutex);
3447 		return -EL2NSYNC;
3448 	}
3449 	dlci = gsm->dlci[line];
3450 	if (dlci == NULL) {
3451 		alloc = true;
3452 		dlci = gsm_dlci_alloc(gsm, line);
3453 	}
3454 	if (dlci == NULL) {
3455 		mutex_unlock(&gsm->mutex);
3456 		return -ENOMEM;
3457 	}
3458 	ret = tty_port_install(&dlci->port, driver, tty);
3459 	if (ret) {
3460 		if (alloc)
3461 			dlci_put(dlci);
3462 		mutex_unlock(&gsm->mutex);
3463 		return ret;
3464 	}
3465 
3466 	dlci_get(dlci);
3467 	dlci_get(gsm->dlci[0]);
3468 	mux_get(gsm);
3469 	tty->driver_data = dlci;
3470 	mutex_unlock(&gsm->mutex);
3471 
3472 	return 0;
3473 }
3474 
3475 static int gsmtty_open(struct tty_struct *tty, struct file *filp)
3476 {
3477 	struct gsm_dlci *dlci = tty->driver_data;
3478 	struct tty_port *port = &dlci->port;
3479 	struct gsm_mux *gsm = dlci->gsm;
3480 
3481 	port->count++;
3482 	tty_port_tty_set(port, tty);
3483 
3484 	dlci->modem_rx = 0;
3485 	/* We could in theory open and close before we wait - eg if we get
3486 	   a DM straight back. This is ok as that will have caused a hangup */
3487 	tty_port_set_initialized(port, 1);
3488 	/* Start sending off SABM messages */
3489 	if (gsm->initiator)
3490 		gsm_dlci_begin_open(dlci);
3491 	else
3492 		gsm_dlci_set_opening(dlci);
3493 	/* And wait for virtual carrier */
3494 	return tty_port_block_til_ready(port, tty, filp);
3495 }
3496 
3497 static void gsmtty_close(struct tty_struct *tty, struct file *filp)
3498 {
3499 	struct gsm_dlci *dlci = tty->driver_data;
3500 
3501 	if (dlci == NULL)
3502 		return;
3503 	if (dlci->state == DLCI_CLOSED)
3504 		return;
3505 	mutex_lock(&dlci->mutex);
3506 	gsm_destroy_network(dlci);
3507 	mutex_unlock(&dlci->mutex);
3508 	if (tty_port_close_start(&dlci->port, tty, filp) == 0)
3509 		return;
3510 	gsm_dlci_begin_close(dlci);
3511 	if (tty_port_initialized(&dlci->port) && C_HUPCL(tty))
3512 		tty_port_lower_dtr_rts(&dlci->port);
3513 	tty_port_close_end(&dlci->port, tty);
3514 	tty_port_tty_set(&dlci->port, NULL);
3515 	return;
3516 }
3517 
3518 static void gsmtty_hangup(struct tty_struct *tty)
3519 {
3520 	struct gsm_dlci *dlci = tty->driver_data;
3521 	if (dlci->state == DLCI_CLOSED)
3522 		return;
3523 	tty_port_hangup(&dlci->port);
3524 	gsm_dlci_begin_close(dlci);
3525 }
3526 
3527 static int gsmtty_write(struct tty_struct *tty, const unsigned char *buf,
3528 								    int len)
3529 {
3530 	int sent;
3531 	struct gsm_dlci *dlci = tty->driver_data;
3532 	if (dlci->state == DLCI_CLOSED)
3533 		return -EINVAL;
3534 	/* Stuff the bytes into the fifo queue */
3535 	sent = kfifo_in_locked(&dlci->fifo, buf, len, &dlci->lock);
3536 	/* Need to kick the channel */
3537 	gsm_dlci_data_kick(dlci);
3538 	return sent;
3539 }
3540 
3541 static unsigned int gsmtty_write_room(struct tty_struct *tty)
3542 {
3543 	struct gsm_dlci *dlci = tty->driver_data;
3544 	if (dlci->state == DLCI_CLOSED)
3545 		return 0;
3546 	return kfifo_avail(&dlci->fifo);
3547 }
3548 
3549 static unsigned int gsmtty_chars_in_buffer(struct tty_struct *tty)
3550 {
3551 	struct gsm_dlci *dlci = tty->driver_data;
3552 	if (dlci->state == DLCI_CLOSED)
3553 		return 0;
3554 	return kfifo_len(&dlci->fifo);
3555 }
3556 
3557 static void gsmtty_flush_buffer(struct tty_struct *tty)
3558 {
3559 	struct gsm_dlci *dlci = tty->driver_data;
3560 	unsigned long flags;
3561 
3562 	if (dlci->state == DLCI_CLOSED)
3563 		return;
3564 	/* Caution needed: If we implement reliable transport classes
3565 	   then the data being transmitted can't simply be junked once
3566 	   it has first hit the stack. Until then we can just blow it
3567 	   away */
3568 	spin_lock_irqsave(&dlci->lock, flags);
3569 	kfifo_reset(&dlci->fifo);
3570 	spin_unlock_irqrestore(&dlci->lock, flags);
3571 	/* Need to unhook this DLCI from the transmit queue logic */
3572 }
3573 
3574 static void gsmtty_wait_until_sent(struct tty_struct *tty, int timeout)
3575 {
3576 	/* The FIFO handles the queue so the kernel will do the right
3577 	   thing waiting on chars_in_buffer before calling us. No work
3578 	   to do here */
3579 }
3580 
3581 static int gsmtty_tiocmget(struct tty_struct *tty)
3582 {
3583 	struct gsm_dlci *dlci = tty->driver_data;
3584 	if (dlci->state == DLCI_CLOSED)
3585 		return -EINVAL;
3586 	return dlci->modem_rx;
3587 }
3588 
3589 static int gsmtty_tiocmset(struct tty_struct *tty,
3590 	unsigned int set, unsigned int clear)
3591 {
3592 	struct gsm_dlci *dlci = tty->driver_data;
3593 	unsigned int modem_tx = dlci->modem_tx;
3594 
3595 	if (dlci->state == DLCI_CLOSED)
3596 		return -EINVAL;
3597 	modem_tx &= ~clear;
3598 	modem_tx |= set;
3599 
3600 	if (modem_tx != dlci->modem_tx) {
3601 		dlci->modem_tx = modem_tx;
3602 		return gsm_modem_update(dlci, 0);
3603 	}
3604 	return 0;
3605 }
3606 
3607 
3608 static int gsmtty_ioctl(struct tty_struct *tty,
3609 			unsigned int cmd, unsigned long arg)
3610 {
3611 	struct gsm_dlci *dlci = tty->driver_data;
3612 	struct gsm_netconfig nc;
3613 	int index;
3614 
3615 	if (dlci->state == DLCI_CLOSED)
3616 		return -EINVAL;
3617 	switch (cmd) {
3618 	case GSMIOC_ENABLE_NET:
3619 		if (copy_from_user(&nc, (void __user *)arg, sizeof(nc)))
3620 			return -EFAULT;
3621 		nc.if_name[IFNAMSIZ-1] = '\0';
3622 		/* return net interface index or error code */
3623 		mutex_lock(&dlci->mutex);
3624 		index = gsm_create_network(dlci, &nc);
3625 		mutex_unlock(&dlci->mutex);
3626 		if (copy_to_user((void __user *)arg, &nc, sizeof(nc)))
3627 			return -EFAULT;
3628 		return index;
3629 	case GSMIOC_DISABLE_NET:
3630 		if (!capable(CAP_NET_ADMIN))
3631 			return -EPERM;
3632 		mutex_lock(&dlci->mutex);
3633 		gsm_destroy_network(dlci);
3634 		mutex_unlock(&dlci->mutex);
3635 		return 0;
3636 	default:
3637 		return -ENOIOCTLCMD;
3638 	}
3639 }
3640 
3641 static void gsmtty_set_termios(struct tty_struct *tty, struct ktermios *old)
3642 {
3643 	struct gsm_dlci *dlci = tty->driver_data;
3644 	if (dlci->state == DLCI_CLOSED)
3645 		return;
3646 	/* For the moment its fixed. In actual fact the speed information
3647 	   for the virtual channel can be propogated in both directions by
3648 	   the RPN control message. This however rapidly gets nasty as we
3649 	   then have to remap modem signals each way according to whether
3650 	   our virtual cable is null modem etc .. */
3651 	tty_termios_copy_hw(&tty->termios, old);
3652 }
3653 
3654 static void gsmtty_throttle(struct tty_struct *tty)
3655 {
3656 	struct gsm_dlci *dlci = tty->driver_data;
3657 	if (dlci->state == DLCI_CLOSED)
3658 		return;
3659 	if (C_CRTSCTS(tty))
3660 		dlci->modem_tx &= ~TIOCM_RTS;
3661 	dlci->throttled = true;
3662 	/* Send an MSC with RTS cleared */
3663 	gsm_modem_update(dlci, 0);
3664 }
3665 
3666 static void gsmtty_unthrottle(struct tty_struct *tty)
3667 {
3668 	struct gsm_dlci *dlci = tty->driver_data;
3669 	if (dlci->state == DLCI_CLOSED)
3670 		return;
3671 	if (C_CRTSCTS(tty))
3672 		dlci->modem_tx |= TIOCM_RTS;
3673 	dlci->throttled = false;
3674 	/* Send an MSC with RTS set */
3675 	gsm_modem_update(dlci, 0);
3676 }
3677 
3678 static int gsmtty_break_ctl(struct tty_struct *tty, int state)
3679 {
3680 	struct gsm_dlci *dlci = tty->driver_data;
3681 	int encode = 0;	/* Off */
3682 	if (dlci->state == DLCI_CLOSED)
3683 		return -EINVAL;
3684 
3685 	if (state == -1)	/* "On indefinitely" - we can't encode this
3686 				    properly */
3687 		encode = 0x0F;
3688 	else if (state > 0) {
3689 		encode = state / 200;	/* mS to encoding */
3690 		if (encode > 0x0F)
3691 			encode = 0x0F;	/* Best effort */
3692 	}
3693 	return gsm_modem_update(dlci, encode);
3694 }
3695 
3696 static void gsmtty_cleanup(struct tty_struct *tty)
3697 {
3698 	struct gsm_dlci *dlci = tty->driver_data;
3699 	struct gsm_mux *gsm = dlci->gsm;
3700 
3701 	dlci_put(dlci);
3702 	dlci_put(gsm->dlci[0]);
3703 	mux_put(gsm);
3704 }
3705 
3706 /* Virtual ttys for the demux */
3707 static const struct tty_operations gsmtty_ops = {
3708 	.install		= gsmtty_install,
3709 	.open			= gsmtty_open,
3710 	.close			= gsmtty_close,
3711 	.write			= gsmtty_write,
3712 	.write_room		= gsmtty_write_room,
3713 	.chars_in_buffer	= gsmtty_chars_in_buffer,
3714 	.flush_buffer		= gsmtty_flush_buffer,
3715 	.ioctl			= gsmtty_ioctl,
3716 	.throttle		= gsmtty_throttle,
3717 	.unthrottle		= gsmtty_unthrottle,
3718 	.set_termios		= gsmtty_set_termios,
3719 	.hangup			= gsmtty_hangup,
3720 	.wait_until_sent	= gsmtty_wait_until_sent,
3721 	.tiocmget		= gsmtty_tiocmget,
3722 	.tiocmset		= gsmtty_tiocmset,
3723 	.break_ctl		= gsmtty_break_ctl,
3724 	.cleanup		= gsmtty_cleanup,
3725 };
3726 
3727 
3728 
3729 static int __init gsm_init(void)
3730 {
3731 	/* Fill in our line protocol discipline, and register it */
3732 	int status = tty_register_ldisc(&tty_ldisc_packet);
3733 	if (status != 0) {
3734 		pr_err("n_gsm: can't register line discipline (err = %d)\n",
3735 								status);
3736 		return status;
3737 	}
3738 
3739 	gsm_tty_driver = tty_alloc_driver(256, TTY_DRIVER_REAL_RAW |
3740 			TTY_DRIVER_DYNAMIC_DEV | TTY_DRIVER_HARDWARE_BREAK);
3741 	if (IS_ERR(gsm_tty_driver)) {
3742 		pr_err("gsm_init: tty allocation failed.\n");
3743 		status = PTR_ERR(gsm_tty_driver);
3744 		goto err_unreg_ldisc;
3745 	}
3746 	gsm_tty_driver->driver_name	= "gsmtty";
3747 	gsm_tty_driver->name		= "gsmtty";
3748 	gsm_tty_driver->major		= 0;	/* Dynamic */
3749 	gsm_tty_driver->minor_start	= 0;
3750 	gsm_tty_driver->type		= TTY_DRIVER_TYPE_SERIAL;
3751 	gsm_tty_driver->subtype	= SERIAL_TYPE_NORMAL;
3752 	gsm_tty_driver->init_termios	= tty_std_termios;
3753 	/* Fixme */
3754 	gsm_tty_driver->init_termios.c_lflag &= ~ECHO;
3755 	tty_set_operations(gsm_tty_driver, &gsmtty_ops);
3756 
3757 	if (tty_register_driver(gsm_tty_driver)) {
3758 		pr_err("gsm_init: tty registration failed.\n");
3759 		status = -EBUSY;
3760 		goto err_put_driver;
3761 	}
3762 	pr_debug("gsm_init: loaded as %d,%d.\n",
3763 			gsm_tty_driver->major, gsm_tty_driver->minor_start);
3764 	return 0;
3765 err_put_driver:
3766 	tty_driver_kref_put(gsm_tty_driver);
3767 err_unreg_ldisc:
3768 	tty_unregister_ldisc(&tty_ldisc_packet);
3769 	return status;
3770 }
3771 
3772 static void __exit gsm_exit(void)
3773 {
3774 	tty_unregister_ldisc(&tty_ldisc_packet);
3775 	tty_unregister_driver(gsm_tty_driver);
3776 	tty_driver_kref_put(gsm_tty_driver);
3777 }
3778 
3779 module_init(gsm_init);
3780 module_exit(gsm_exit);
3781 
3782 
3783 MODULE_LICENSE("GPL");
3784 MODULE_ALIAS_LDISC(N_GSM0710);
3785