xref: /openbmc/linux/drivers/net/hamradio/mkiss.c (revision 151f4e2b)
1 /*
2  *  This program is free software; you can distribute it and/or modify it
3  *  under the terms of the GNU General Public License (Version 2) as
4  *  published by the Free Software Foundation.
5  *
6  *  This program is distributed in the hope it will be useful, but WITHOUT
7  *  ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
8  *  FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
9  *  for more details.
10  *
11  *  You should have received a copy of the GNU General Public License along
12  *  with this program; if not, see <http://www.gnu.org/licenses/>.
13  *
14  * Copyright (C) Hans Alblas PE1AYX <hans@esrac.ele.tue.nl>
15  * Copyright (C) 2004, 05 Ralf Baechle DL5RB <ralf@linux-mips.org>
16  * Copyright (C) 2004, 05 Thomas Osterried DL9SAU <thomas@x-berg.in-berlin.de>
17  */
18 #include <linux/module.h>
19 #include <linux/bitops.h>
20 #include <linux/uaccess.h>
21 #include <linux/crc16.h>
22 #include <linux/string.h>
23 #include <linux/mm.h>
24 #include <linux/interrupt.h>
25 #include <linux/in.h>
26 #include <linux/inet.h>
27 #include <linux/slab.h>
28 #include <linux/tty.h>
29 #include <linux/errno.h>
30 #include <linux/netdevice.h>
31 #include <linux/major.h>
32 #include <linux/init.h>
33 #include <linux/rtnetlink.h>
34 #include <linux/etherdevice.h>
35 #include <linux/skbuff.h>
36 #include <linux/if_arp.h>
37 #include <linux/jiffies.h>
38 
39 #include <net/ax25.h>
40 
41 #define AX_MTU		236
42 
43 /* SLIP/KISS protocol characters. */
44 #define END             0300		/* indicates end of frame	*/
45 #define ESC             0333		/* indicates byte stuffing	*/
46 #define ESC_END         0334		/* ESC ESC_END means END 'data'	*/
47 #define ESC_ESC         0335		/* ESC ESC_ESC means ESC 'data'	*/
48 
49 struct mkiss {
50 	struct tty_struct	*tty;	/* ptr to TTY structure		*/
51 	struct net_device	*dev;	/* easy for intr handling	*/
52 
53 	/* These are pointers to the malloc()ed frame buffers. */
54 	spinlock_t		buflock;/* lock for rbuf and xbuf */
55 	unsigned char		*rbuff;	/* receiver buffer		*/
56 	int			rcount;	/* received chars counter       */
57 	unsigned char		*xbuff;	/* transmitter buffer		*/
58 	unsigned char		*xhead;	/* pointer to next byte to XMIT */
59 	int			xleft;	/* bytes left in XMIT queue     */
60 
61 	/* Detailed SLIP statistics. */
62 	int		mtu;		/* Our mtu (to spot changes!)   */
63 	int		buffsize;	/* Max buffers sizes            */
64 
65 	unsigned long	flags;		/* Flag values/ mode etc	*/
66 					/* long req'd: used by set_bit --RR */
67 #define AXF_INUSE	0		/* Channel in use               */
68 #define AXF_ESCAPE	1               /* ESC received                 */
69 #define AXF_ERROR	2               /* Parity, etc. error           */
70 #define AXF_KEEPTEST	3		/* Keepalive test flag		*/
71 #define AXF_OUTWAIT	4		/* is outpacket was flag	*/
72 
73 	int		mode;
74         int		crcmode;	/* MW: for FlexNet, SMACK etc.  */
75 	int		crcauto;	/* CRC auto mode */
76 
77 #define CRC_MODE_NONE		0
78 #define CRC_MODE_FLEX		1
79 #define CRC_MODE_SMACK		2
80 #define CRC_MODE_FLEX_TEST	3
81 #define CRC_MODE_SMACK_TEST	4
82 
83 	atomic_t		refcnt;
84 	struct completion	dead;
85 };
86 
87 /*---------------------------------------------------------------------------*/
88 
89 static const unsigned short crc_flex_table[] = {
90 	0x0f87, 0x1e0e, 0x2c95, 0x3d1c, 0x49a3, 0x582a, 0x6ab1, 0x7b38,
91 	0x83cf, 0x9246, 0xa0dd, 0xb154, 0xc5eb, 0xd462, 0xe6f9, 0xf770,
92 	0x1f06, 0x0e8f, 0x3c14, 0x2d9d, 0x5922, 0x48ab, 0x7a30, 0x6bb9,
93 	0x934e, 0x82c7, 0xb05c, 0xa1d5, 0xd56a, 0xc4e3, 0xf678, 0xe7f1,
94 	0x2e85, 0x3f0c, 0x0d97, 0x1c1e, 0x68a1, 0x7928, 0x4bb3, 0x5a3a,
95 	0xa2cd, 0xb344, 0x81df, 0x9056, 0xe4e9, 0xf560, 0xc7fb, 0xd672,
96 	0x3e04, 0x2f8d, 0x1d16, 0x0c9f, 0x7820, 0x69a9, 0x5b32, 0x4abb,
97 	0xb24c, 0xa3c5, 0x915e, 0x80d7, 0xf468, 0xe5e1, 0xd77a, 0xc6f3,
98 	0x4d83, 0x5c0a, 0x6e91, 0x7f18, 0x0ba7, 0x1a2e, 0x28b5, 0x393c,
99 	0xc1cb, 0xd042, 0xe2d9, 0xf350, 0x87ef, 0x9666, 0xa4fd, 0xb574,
100 	0x5d02, 0x4c8b, 0x7e10, 0x6f99, 0x1b26, 0x0aaf, 0x3834, 0x29bd,
101 	0xd14a, 0xc0c3, 0xf258, 0xe3d1, 0x976e, 0x86e7, 0xb47c, 0xa5f5,
102 	0x6c81, 0x7d08, 0x4f93, 0x5e1a, 0x2aa5, 0x3b2c, 0x09b7, 0x183e,
103 	0xe0c9, 0xf140, 0xc3db, 0xd252, 0xa6ed, 0xb764, 0x85ff, 0x9476,
104 	0x7c00, 0x6d89, 0x5f12, 0x4e9b, 0x3a24, 0x2bad, 0x1936, 0x08bf,
105 	0xf048, 0xe1c1, 0xd35a, 0xc2d3, 0xb66c, 0xa7e5, 0x957e, 0x84f7,
106 	0x8b8f, 0x9a06, 0xa89d, 0xb914, 0xcdab, 0xdc22, 0xeeb9, 0xff30,
107 	0x07c7, 0x164e, 0x24d5, 0x355c, 0x41e3, 0x506a, 0x62f1, 0x7378,
108 	0x9b0e, 0x8a87, 0xb81c, 0xa995, 0xdd2a, 0xcca3, 0xfe38, 0xefb1,
109 	0x1746, 0x06cf, 0x3454, 0x25dd, 0x5162, 0x40eb, 0x7270, 0x63f9,
110 	0xaa8d, 0xbb04, 0x899f, 0x9816, 0xeca9, 0xfd20, 0xcfbb, 0xde32,
111 	0x26c5, 0x374c, 0x05d7, 0x145e, 0x60e1, 0x7168, 0x43f3, 0x527a,
112 	0xba0c, 0xab85, 0x991e, 0x8897, 0xfc28, 0xeda1, 0xdf3a, 0xceb3,
113 	0x3644, 0x27cd, 0x1556, 0x04df, 0x7060, 0x61e9, 0x5372, 0x42fb,
114 	0xc98b, 0xd802, 0xea99, 0xfb10, 0x8faf, 0x9e26, 0xacbd, 0xbd34,
115 	0x45c3, 0x544a, 0x66d1, 0x7758, 0x03e7, 0x126e, 0x20f5, 0x317c,
116 	0xd90a, 0xc883, 0xfa18, 0xeb91, 0x9f2e, 0x8ea7, 0xbc3c, 0xadb5,
117 	0x5542, 0x44cb, 0x7650, 0x67d9, 0x1366, 0x02ef, 0x3074, 0x21fd,
118 	0xe889, 0xf900, 0xcb9b, 0xda12, 0xaead, 0xbf24, 0x8dbf, 0x9c36,
119 	0x64c1, 0x7548, 0x47d3, 0x565a, 0x22e5, 0x336c, 0x01f7, 0x107e,
120 	0xf808, 0xe981, 0xdb1a, 0xca93, 0xbe2c, 0xafa5, 0x9d3e, 0x8cb7,
121 	0x7440, 0x65c9, 0x5752, 0x46db, 0x3264, 0x23ed, 0x1176, 0x00ff
122 };
123 
124 static unsigned short calc_crc_flex(unsigned char *cp, int size)
125 {
126 	unsigned short crc = 0xffff;
127 
128 	while (size--)
129 		crc = (crc << 8) ^ crc_flex_table[((crc >> 8) ^ *cp++) & 0xff];
130 
131 	return crc;
132 }
133 
134 static int check_crc_flex(unsigned char *cp, int size)
135 {
136 	unsigned short crc = 0xffff;
137 
138 	if (size < 3)
139 		return -1;
140 
141 	while (size--)
142 		crc = (crc << 8) ^ crc_flex_table[((crc >> 8) ^ *cp++) & 0xff];
143 
144 	if ((crc & 0xffff) != 0x7070)
145 		return -1;
146 
147 	return 0;
148 }
149 
150 static int check_crc_16(unsigned char *cp, int size)
151 {
152 	unsigned short crc = 0x0000;
153 
154 	if (size < 3)
155 		return -1;
156 
157 	crc = crc16(0, cp, size);
158 
159 	if (crc != 0x0000)
160 		return -1;
161 
162 	return 0;
163 }
164 
165 /*
166  * Standard encapsulation
167  */
168 
169 static int kiss_esc(unsigned char *s, unsigned char *d, int len)
170 {
171 	unsigned char *ptr = d;
172 	unsigned char c;
173 
174 	/*
175 	 * Send an initial END character to flush out any data that may have
176 	 * accumulated in the receiver due to line noise.
177 	 */
178 
179 	*ptr++ = END;
180 
181 	while (len-- > 0) {
182 		switch (c = *s++) {
183 		case END:
184 			*ptr++ = ESC;
185 			*ptr++ = ESC_END;
186 			break;
187 		case ESC:
188 			*ptr++ = ESC;
189 			*ptr++ = ESC_ESC;
190 			break;
191 		default:
192 			*ptr++ = c;
193 			break;
194 		}
195 	}
196 
197 	*ptr++ = END;
198 
199 	return ptr - d;
200 }
201 
202 /*
203  * MW:
204  * OK its ugly, but tell me a better solution without copying the
205  * packet to a temporary buffer :-)
206  */
207 static int kiss_esc_crc(unsigned char *s, unsigned char *d, unsigned short crc,
208 	int len)
209 {
210 	unsigned char *ptr = d;
211 	unsigned char c=0;
212 
213 	*ptr++ = END;
214 	while (len > 0) {
215 		if (len > 2)
216 			c = *s++;
217 		else if (len > 1)
218 			c = crc >> 8;
219 		else
220 			c = crc & 0xff;
221 
222 		len--;
223 
224 		switch (c) {
225 		case END:
226 			*ptr++ = ESC;
227 			*ptr++ = ESC_END;
228 			break;
229 		case ESC:
230 			*ptr++ = ESC;
231 			*ptr++ = ESC_ESC;
232 			break;
233 		default:
234 			*ptr++ = c;
235 			break;
236 		}
237 	}
238 	*ptr++ = END;
239 
240 	return ptr - d;
241 }
242 
243 /* Send one completely decapsulated AX.25 packet to the AX.25 layer. */
244 static void ax_bump(struct mkiss *ax)
245 {
246 	struct sk_buff *skb;
247 	int count;
248 
249 	spin_lock_bh(&ax->buflock);
250 	if (ax->rbuff[0] > 0x0f) {
251 		if (ax->rbuff[0] & 0x80) {
252 			if (check_crc_16(ax->rbuff, ax->rcount) < 0) {
253 				ax->dev->stats.rx_errors++;
254 				spin_unlock_bh(&ax->buflock);
255 
256 				return;
257 			}
258 			if (ax->crcmode != CRC_MODE_SMACK && ax->crcauto) {
259 				printk(KERN_INFO
260 				       "mkiss: %s: Switching to crc-smack\n",
261 				       ax->dev->name);
262 				ax->crcmode = CRC_MODE_SMACK;
263 			}
264 			ax->rcount -= 2;
265 			*ax->rbuff &= ~0x80;
266 		} else if (ax->rbuff[0] & 0x20)  {
267 			if (check_crc_flex(ax->rbuff, ax->rcount) < 0) {
268 				ax->dev->stats.rx_errors++;
269 				spin_unlock_bh(&ax->buflock);
270 				return;
271 			}
272 			if (ax->crcmode != CRC_MODE_FLEX && ax->crcauto) {
273 				printk(KERN_INFO
274 				       "mkiss: %s: Switching to crc-flexnet\n",
275 				       ax->dev->name);
276 				ax->crcmode = CRC_MODE_FLEX;
277 			}
278 			ax->rcount -= 2;
279 
280 			/*
281 			 * dl9sau bugfix: the trailling two bytes flexnet crc
282 			 * will not be passed to the kernel. thus we have to
283 			 * correct the kissparm signature, because it indicates
284 			 * a crc but there's none
285 			 */
286 			*ax->rbuff &= ~0x20;
287 		}
288  	}
289 
290 	count = ax->rcount;
291 
292 	if ((skb = dev_alloc_skb(count)) == NULL) {
293 		printk(KERN_ERR "mkiss: %s: memory squeeze, dropping packet.\n",
294 		       ax->dev->name);
295 		ax->dev->stats.rx_dropped++;
296 		spin_unlock_bh(&ax->buflock);
297 		return;
298 	}
299 
300 	skb_put_data(skb, ax->rbuff, count);
301 	skb->protocol = ax25_type_trans(skb, ax->dev);
302 	netif_rx(skb);
303 	ax->dev->stats.rx_packets++;
304 	ax->dev->stats.rx_bytes += count;
305 	spin_unlock_bh(&ax->buflock);
306 }
307 
308 static void kiss_unesc(struct mkiss *ax, unsigned char s)
309 {
310 	switch (s) {
311 	case END:
312 		/* drop keeptest bit = VSV */
313 		if (test_bit(AXF_KEEPTEST, &ax->flags))
314 			clear_bit(AXF_KEEPTEST, &ax->flags);
315 
316 		if (!test_and_clear_bit(AXF_ERROR, &ax->flags) && (ax->rcount > 2))
317 			ax_bump(ax);
318 
319 		clear_bit(AXF_ESCAPE, &ax->flags);
320 		ax->rcount = 0;
321 		return;
322 
323 	case ESC:
324 		set_bit(AXF_ESCAPE, &ax->flags);
325 		return;
326 	case ESC_ESC:
327 		if (test_and_clear_bit(AXF_ESCAPE, &ax->flags))
328 			s = ESC;
329 		break;
330 	case ESC_END:
331 		if (test_and_clear_bit(AXF_ESCAPE, &ax->flags))
332 			s = END;
333 		break;
334 	}
335 
336 	spin_lock_bh(&ax->buflock);
337 	if (!test_bit(AXF_ERROR, &ax->flags)) {
338 		if (ax->rcount < ax->buffsize) {
339 			ax->rbuff[ax->rcount++] = s;
340 			spin_unlock_bh(&ax->buflock);
341 			return;
342 		}
343 
344 		ax->dev->stats.rx_over_errors++;
345 		set_bit(AXF_ERROR, &ax->flags);
346 	}
347 	spin_unlock_bh(&ax->buflock);
348 }
349 
350 static int ax_set_mac_address(struct net_device *dev, void *addr)
351 {
352 	struct sockaddr_ax25 *sa = addr;
353 
354 	netif_tx_lock_bh(dev);
355 	netif_addr_lock(dev);
356 	memcpy(dev->dev_addr, &sa->sax25_call, AX25_ADDR_LEN);
357 	netif_addr_unlock(dev);
358 	netif_tx_unlock_bh(dev);
359 
360 	return 0;
361 }
362 
363 /*---------------------------------------------------------------------------*/
364 
365 static void ax_changedmtu(struct mkiss *ax)
366 {
367 	struct net_device *dev = ax->dev;
368 	unsigned char *xbuff, *rbuff, *oxbuff, *orbuff;
369 	int len;
370 
371 	len = dev->mtu * 2;
372 
373 	/*
374 	 * allow for arrival of larger UDP packets, even if we say not to
375 	 * also fixes a bug in which SunOS sends 512-byte packets even with
376 	 * an MSS of 128
377 	 */
378 	if (len < 576 * 2)
379 		len = 576 * 2;
380 
381 	xbuff = kmalloc(len + 4, GFP_ATOMIC);
382 	rbuff = kmalloc(len + 4, GFP_ATOMIC);
383 
384 	if (xbuff == NULL || rbuff == NULL)  {
385 		printk(KERN_ERR "mkiss: %s: unable to grow ax25 buffers, "
386 		       "MTU change cancelled.\n",
387 		       ax->dev->name);
388 		dev->mtu = ax->mtu;
389 		kfree(xbuff);
390 		kfree(rbuff);
391 		return;
392 	}
393 
394 	spin_lock_bh(&ax->buflock);
395 
396 	oxbuff    = ax->xbuff;
397 	ax->xbuff = xbuff;
398 	orbuff    = ax->rbuff;
399 	ax->rbuff = rbuff;
400 
401 	if (ax->xleft) {
402 		if (ax->xleft <= len) {
403 			memcpy(ax->xbuff, ax->xhead, ax->xleft);
404 		} else  {
405 			ax->xleft = 0;
406 			dev->stats.tx_dropped++;
407 		}
408 	}
409 
410 	ax->xhead = ax->xbuff;
411 
412 	if (ax->rcount) {
413 		if (ax->rcount <= len) {
414 			memcpy(ax->rbuff, orbuff, ax->rcount);
415 		} else  {
416 			ax->rcount = 0;
417 			dev->stats.rx_over_errors++;
418 			set_bit(AXF_ERROR, &ax->flags);
419 		}
420 	}
421 
422 	ax->mtu      = dev->mtu + 73;
423 	ax->buffsize = len;
424 
425 	spin_unlock_bh(&ax->buflock);
426 
427 	kfree(oxbuff);
428 	kfree(orbuff);
429 }
430 
431 /* Encapsulate one AX.25 packet and stuff into a TTY queue. */
432 static void ax_encaps(struct net_device *dev, unsigned char *icp, int len)
433 {
434 	struct mkiss *ax = netdev_priv(dev);
435 	unsigned char *p;
436 	int actual, count;
437 
438 	if (ax->mtu != ax->dev->mtu + 73)	/* Someone has been ifconfigging */
439 		ax_changedmtu(ax);
440 
441 	if (len > ax->mtu) {		/* Sigh, shouldn't occur BUT ... */
442 		printk(KERN_ERR "mkiss: %s: truncating oversized transmit packet!\n", ax->dev->name);
443 		dev->stats.tx_dropped++;
444 		netif_start_queue(dev);
445 		return;
446 	}
447 
448 	p = icp;
449 
450 	spin_lock_bh(&ax->buflock);
451 	if ((*p & 0x0f) != 0) {
452 		/* Configuration Command (kissparms(1).
453 		 * Protocol spec says: never append CRC.
454 		 * This fixes a very old bug in the linux
455 		 * kiss driver. -- dl9sau */
456 		switch (*p & 0xff) {
457 		case 0x85:
458 			/* command from userspace especially for us,
459 			 * not for delivery to the tnc */
460 			if (len > 1) {
461 				int cmd = (p[1] & 0xff);
462 				switch(cmd) {
463 				case 3:
464 				  ax->crcmode = CRC_MODE_SMACK;
465 				  break;
466 				case 2:
467 				  ax->crcmode = CRC_MODE_FLEX;
468 				  break;
469 				case 1:
470 				  ax->crcmode = CRC_MODE_NONE;
471 				  break;
472 				case 0:
473 				default:
474 				  ax->crcmode = CRC_MODE_SMACK_TEST;
475 				  cmd = 0;
476 				}
477 				ax->crcauto = (cmd ? 0 : 1);
478 				printk(KERN_INFO "mkiss: %s: crc mode set to %d\n",
479 				       ax->dev->name, cmd);
480 			}
481 			spin_unlock_bh(&ax->buflock);
482 			netif_start_queue(dev);
483 
484 			return;
485 		default:
486 			count = kiss_esc(p, ax->xbuff, len);
487 		}
488 	} else {
489 		unsigned short crc;
490 		switch (ax->crcmode) {
491 		case CRC_MODE_SMACK_TEST:
492 			ax->crcmode  = CRC_MODE_FLEX_TEST;
493 			printk(KERN_INFO "mkiss: %s: Trying crc-smack\n", ax->dev->name);
494 			// fall through
495 		case CRC_MODE_SMACK:
496 			*p |= 0x80;
497 			crc = swab16(crc16(0, p, len));
498 			count = kiss_esc_crc(p, ax->xbuff, crc, len+2);
499 			break;
500 		case CRC_MODE_FLEX_TEST:
501 			ax->crcmode = CRC_MODE_NONE;
502 			printk(KERN_INFO "mkiss: %s: Trying crc-flexnet\n", ax->dev->name);
503 			// fall through
504 		case CRC_MODE_FLEX:
505 			*p |= 0x20;
506 			crc = calc_crc_flex(p, len);
507 			count = kiss_esc_crc(p, ax->xbuff, crc, len+2);
508 			break;
509 
510 		default:
511 			count = kiss_esc(p, ax->xbuff, len);
512 		}
513   	}
514 	spin_unlock_bh(&ax->buflock);
515 
516 	set_bit(TTY_DO_WRITE_WAKEUP, &ax->tty->flags);
517 	actual = ax->tty->ops->write(ax->tty, ax->xbuff, count);
518 	dev->stats.tx_packets++;
519 	dev->stats.tx_bytes += actual;
520 
521 	netif_trans_update(ax->dev);
522 	ax->xleft = count - actual;
523 	ax->xhead = ax->xbuff + actual;
524 }
525 
526 /* Encapsulate an AX.25 packet and kick it into a TTY queue. */
527 static netdev_tx_t ax_xmit(struct sk_buff *skb, struct net_device *dev)
528 {
529 	struct mkiss *ax = netdev_priv(dev);
530 
531 	if (skb->protocol == htons(ETH_P_IP))
532 		return ax25_ip_xmit(skb);
533 
534 	if (!netif_running(dev))  {
535 		printk(KERN_ERR "mkiss: %s: xmit call when iface is down\n", dev->name);
536 		return NETDEV_TX_BUSY;
537 	}
538 
539 	if (netif_queue_stopped(dev)) {
540 		/*
541 		 * May be we must check transmitter timeout here ?
542 		 *      14 Oct 1994 Dmitry Gorodchanin.
543 		 */
544 		if (time_before(jiffies, dev_trans_start(dev) + 20 * HZ)) {
545 			/* 20 sec timeout not reached */
546 			return NETDEV_TX_BUSY;
547 		}
548 
549 		printk(KERN_ERR "mkiss: %s: transmit timed out, %s?\n", dev->name,
550 		       (tty_chars_in_buffer(ax->tty) || ax->xleft) ?
551 		       "bad line quality" : "driver error");
552 
553 		ax->xleft = 0;
554 		clear_bit(TTY_DO_WRITE_WAKEUP, &ax->tty->flags);
555 		netif_start_queue(dev);
556 	}
557 
558 	/* We were not busy, so we are now... :-) */
559 	netif_stop_queue(dev);
560 	ax_encaps(dev, skb->data, skb->len);
561 	kfree_skb(skb);
562 
563 	return NETDEV_TX_OK;
564 }
565 
566 static int ax_open_dev(struct net_device *dev)
567 {
568 	struct mkiss *ax = netdev_priv(dev);
569 
570 	if (ax->tty == NULL)
571 		return -ENODEV;
572 
573 	return 0;
574 }
575 
576 /* Open the low-level part of the AX25 channel. Easy! */
577 static int ax_open(struct net_device *dev)
578 {
579 	struct mkiss *ax = netdev_priv(dev);
580 	unsigned long len;
581 
582 	if (ax->tty == NULL)
583 		return -ENODEV;
584 
585 	/*
586 	 * Allocate the frame buffers:
587 	 *
588 	 * rbuff	Receive buffer.
589 	 * xbuff	Transmit buffer.
590 	 */
591 	len = dev->mtu * 2;
592 
593 	/*
594 	 * allow for arrival of larger UDP packets, even if we say not to
595 	 * also fixes a bug in which SunOS sends 512-byte packets even with
596 	 * an MSS of 128
597 	 */
598 	if (len < 576 * 2)
599 		len = 576 * 2;
600 
601 	if ((ax->rbuff = kmalloc(len + 4, GFP_KERNEL)) == NULL)
602 		goto norbuff;
603 
604 	if ((ax->xbuff = kmalloc(len + 4, GFP_KERNEL)) == NULL)
605 		goto noxbuff;
606 
607 	ax->mtu	     = dev->mtu + 73;
608 	ax->buffsize = len;
609 	ax->rcount   = 0;
610 	ax->xleft    = 0;
611 
612 	ax->flags   &= (1 << AXF_INUSE);      /* Clear ESCAPE & ERROR flags */
613 
614 	spin_lock_init(&ax->buflock);
615 
616 	return 0;
617 
618 noxbuff:
619 	kfree(ax->rbuff);
620 
621 norbuff:
622 	return -ENOMEM;
623 }
624 
625 
626 /* Close the low-level part of the AX25 channel. Easy! */
627 static int ax_close(struct net_device *dev)
628 {
629 	struct mkiss *ax = netdev_priv(dev);
630 
631 	if (ax->tty)
632 		clear_bit(TTY_DO_WRITE_WAKEUP, &ax->tty->flags);
633 
634 	netif_stop_queue(dev);
635 
636 	return 0;
637 }
638 
639 static const struct net_device_ops ax_netdev_ops = {
640 	.ndo_open            = ax_open_dev,
641 	.ndo_stop            = ax_close,
642 	.ndo_start_xmit	     = ax_xmit,
643 	.ndo_set_mac_address = ax_set_mac_address,
644 };
645 
646 static void ax_setup(struct net_device *dev)
647 {
648 	/* Finish setting up the DEVICE info. */
649 	dev->mtu             = AX_MTU;
650 	dev->hard_header_len = AX25_MAX_HEADER_LEN;
651 	dev->addr_len        = AX25_ADDR_LEN;
652 	dev->type            = ARPHRD_AX25;
653 	dev->tx_queue_len    = 10;
654 	dev->header_ops      = &ax25_header_ops;
655 	dev->netdev_ops	     = &ax_netdev_ops;
656 
657 
658 	memcpy(dev->broadcast, &ax25_bcast, AX25_ADDR_LEN);
659 	memcpy(dev->dev_addr,  &ax25_defaddr,  AX25_ADDR_LEN);
660 
661 	dev->flags      = IFF_BROADCAST | IFF_MULTICAST;
662 }
663 
664 /*
665  * We have a potential race on dereferencing tty->disc_data, because the tty
666  * layer provides no locking at all - thus one cpu could be running
667  * sixpack_receive_buf while another calls sixpack_close, which zeroes
668  * tty->disc_data and frees the memory that sixpack_receive_buf is using.  The
669  * best way to fix this is to use a rwlock in the tty struct, but for now we
670  * use a single global rwlock for all ttys in ppp line discipline.
671  */
672 static DEFINE_RWLOCK(disc_data_lock);
673 
674 static struct mkiss *mkiss_get(struct tty_struct *tty)
675 {
676 	struct mkiss *ax;
677 
678 	read_lock(&disc_data_lock);
679 	ax = tty->disc_data;
680 	if (ax)
681 		atomic_inc(&ax->refcnt);
682 	read_unlock(&disc_data_lock);
683 
684 	return ax;
685 }
686 
687 static void mkiss_put(struct mkiss *ax)
688 {
689 	if (atomic_dec_and_test(&ax->refcnt))
690 		complete(&ax->dead);
691 }
692 
693 static int crc_force = 0;	/* Can be overridden with insmod */
694 
695 static int mkiss_open(struct tty_struct *tty)
696 {
697 	struct net_device *dev;
698 	struct mkiss *ax;
699 	int err;
700 
701 	if (!capable(CAP_NET_ADMIN))
702 		return -EPERM;
703 	if (tty->ops->write == NULL)
704 		return -EOPNOTSUPP;
705 
706 	dev = alloc_netdev(sizeof(struct mkiss), "ax%d", NET_NAME_UNKNOWN,
707 			   ax_setup);
708 	if (!dev) {
709 		err = -ENOMEM;
710 		goto out;
711 	}
712 
713 	ax = netdev_priv(dev);
714 	ax->dev = dev;
715 
716 	spin_lock_init(&ax->buflock);
717 	atomic_set(&ax->refcnt, 1);
718 	init_completion(&ax->dead);
719 
720 	ax->tty = tty;
721 	tty->disc_data = ax;
722 	tty->receive_room = 65535;
723 
724 	tty_driver_flush_buffer(tty);
725 
726 	/* Restore default settings */
727 	dev->type = ARPHRD_AX25;
728 
729 	/* Perform the low-level AX25 initialization. */
730 	err = ax_open(ax->dev);
731 	if (err)
732 		goto out_free_netdev;
733 
734 	err = register_netdev(dev);
735 	if (err)
736 		goto out_free_buffers;
737 
738 	/* after register_netdev() - because else printk smashes the kernel */
739 	switch (crc_force) {
740 	case 3:
741 		ax->crcmode  = CRC_MODE_SMACK;
742 		printk(KERN_INFO "mkiss: %s: crc mode smack forced.\n",
743 		       ax->dev->name);
744 		break;
745 	case 2:
746 		ax->crcmode  = CRC_MODE_FLEX;
747 		printk(KERN_INFO "mkiss: %s: crc mode flexnet forced.\n",
748 		       ax->dev->name);
749 		break;
750 	case 1:
751 		ax->crcmode  = CRC_MODE_NONE;
752 		printk(KERN_INFO "mkiss: %s: crc mode disabled.\n",
753 		       ax->dev->name);
754 		break;
755 	case 0:
756 		/* fall through */
757 	default:
758 		crc_force = 0;
759 		printk(KERN_INFO "mkiss: %s: crc mode is auto.\n",
760 		       ax->dev->name);
761 		ax->crcmode  = CRC_MODE_SMACK_TEST;
762 	}
763 	ax->crcauto = (crc_force ? 0 : 1);
764 
765 	netif_start_queue(dev);
766 
767 	/* Done.  We have linked the TTY line to a channel. */
768 	return 0;
769 
770 out_free_buffers:
771 	kfree(ax->rbuff);
772 	kfree(ax->xbuff);
773 
774 out_free_netdev:
775 	free_netdev(dev);
776 
777 out:
778 	return err;
779 }
780 
781 static void mkiss_close(struct tty_struct *tty)
782 {
783 	struct mkiss *ax;
784 
785 	write_lock_bh(&disc_data_lock);
786 	ax = tty->disc_data;
787 	tty->disc_data = NULL;
788 	write_unlock_bh(&disc_data_lock);
789 
790 	if (!ax)
791 		return;
792 
793 	/*
794 	 * We have now ensured that nobody can start using ap from now on, but
795 	 * we have to wait for all existing users to finish.
796 	 */
797 	if (!atomic_dec_and_test(&ax->refcnt))
798 		wait_for_completion(&ax->dead);
799 	/*
800 	 * Halt the transmit queue so that a new transmit cannot scribble
801 	 * on our buffers
802 	 */
803 	netif_stop_queue(ax->dev);
804 
805 	/* Free all AX25 frame buffers. */
806 	kfree(ax->rbuff);
807 	kfree(ax->xbuff);
808 
809 	ax->tty = NULL;
810 
811 	unregister_netdev(ax->dev);
812 }
813 
814 /* Perform I/O control on an active ax25 channel. */
815 static int mkiss_ioctl(struct tty_struct *tty, struct file *file,
816 	unsigned int cmd, unsigned long arg)
817 {
818 	struct mkiss *ax = mkiss_get(tty);
819 	struct net_device *dev;
820 	unsigned int tmp, err;
821 
822 	/* First make sure we're connected. */
823 	if (ax == NULL)
824 		return -ENXIO;
825 	dev = ax->dev;
826 
827 	switch (cmd) {
828  	case SIOCGIFNAME:
829 		err = copy_to_user((void __user *) arg, ax->dev->name,
830 		                   strlen(ax->dev->name) + 1) ? -EFAULT : 0;
831 		break;
832 
833 	case SIOCGIFENCAP:
834 		err = put_user(4, (int __user *) arg);
835 		break;
836 
837 	case SIOCSIFENCAP:
838 		if (get_user(tmp, (int __user *) arg)) {
839 			err = -EFAULT;
840 			break;
841 		}
842 
843 		ax->mode = tmp;
844 		dev->addr_len        = AX25_ADDR_LEN;
845 		dev->hard_header_len = AX25_KISS_HEADER_LEN +
846 		                       AX25_MAX_HEADER_LEN + 3;
847 		dev->type            = ARPHRD_AX25;
848 
849 		err = 0;
850 		break;
851 
852 	case SIOCSIFHWADDR: {
853 		char addr[AX25_ADDR_LEN];
854 
855 		if (copy_from_user(&addr,
856 		                   (void __user *) arg, AX25_ADDR_LEN)) {
857 			err = -EFAULT;
858 			break;
859 		}
860 
861 		netif_tx_lock_bh(dev);
862 		memcpy(dev->dev_addr, addr, AX25_ADDR_LEN);
863 		netif_tx_unlock_bh(dev);
864 
865 		err = 0;
866 		break;
867 	}
868 	default:
869 		err = -ENOIOCTLCMD;
870 	}
871 
872 	mkiss_put(ax);
873 
874 	return err;
875 }
876 
877 /*
878  * Handle the 'receiver data ready' interrupt.
879  * This function is called by the 'tty_io' module in the kernel when
880  * a block of data has been received, which can now be decapsulated
881  * and sent on to the AX.25 layer for further processing.
882  */
883 static void mkiss_receive_buf(struct tty_struct *tty, const unsigned char *cp,
884 	char *fp, int count)
885 {
886 	struct mkiss *ax = mkiss_get(tty);
887 
888 	if (!ax)
889 		return;
890 
891 	/*
892 	 * Argh! mtu change time! - costs us the packet part received
893 	 * at the change
894 	 */
895 	if (ax->mtu != ax->dev->mtu + 73)
896 		ax_changedmtu(ax);
897 
898 	/* Read the characters out of the buffer */
899 	while (count--) {
900 		if (fp != NULL && *fp++) {
901 			if (!test_and_set_bit(AXF_ERROR, &ax->flags))
902 				ax->dev->stats.rx_errors++;
903 			cp++;
904 			continue;
905 		}
906 
907 		kiss_unesc(ax, *cp++);
908 	}
909 
910 	mkiss_put(ax);
911 	tty_unthrottle(tty);
912 }
913 
914 /*
915  * Called by the driver when there's room for more data.  If we have
916  * more packets to send, we send them here.
917  */
918 static void mkiss_write_wakeup(struct tty_struct *tty)
919 {
920 	struct mkiss *ax = mkiss_get(tty);
921 	int actual;
922 
923 	if (!ax)
924 		return;
925 
926 	if (ax->xleft <= 0)  {
927 		/* Now serial buffer is almost free & we can start
928 		 * transmission of another packet
929 		 */
930 		clear_bit(TTY_DO_WRITE_WAKEUP, &tty->flags);
931 
932 		netif_wake_queue(ax->dev);
933 		goto out;
934 	}
935 
936 	actual = tty->ops->write(tty, ax->xhead, ax->xleft);
937 	ax->xleft -= actual;
938 	ax->xhead += actual;
939 
940 out:
941 	mkiss_put(ax);
942 }
943 
944 static struct tty_ldisc_ops ax_ldisc = {
945 	.owner		= THIS_MODULE,
946 	.magic		= TTY_LDISC_MAGIC,
947 	.name		= "mkiss",
948 	.open		= mkiss_open,
949 	.close		= mkiss_close,
950 	.ioctl		= mkiss_ioctl,
951 	.receive_buf	= mkiss_receive_buf,
952 	.write_wakeup	= mkiss_write_wakeup
953 };
954 
955 static const char banner[] __initconst = KERN_INFO \
956 	"mkiss: AX.25 Multikiss, Hans Albas PE1AYX\n";
957 static const char msg_regfail[] __initconst = KERN_ERR \
958 	"mkiss: can't register line discipline (err = %d)\n";
959 
960 static int __init mkiss_init_driver(void)
961 {
962 	int status;
963 
964 	printk(banner);
965 
966 	status = tty_register_ldisc(N_AX25, &ax_ldisc);
967 	if (status != 0)
968 		printk(msg_regfail, status);
969 
970 	return status;
971 }
972 
973 static const char msg_unregfail[] = KERN_ERR \
974 	"mkiss: can't unregister line discipline (err = %d)\n";
975 
976 static void __exit mkiss_exit_driver(void)
977 {
978 	int ret;
979 
980 	if ((ret = tty_unregister_ldisc(N_AX25)))
981 		printk(msg_unregfail, ret);
982 }
983 
984 MODULE_AUTHOR("Ralf Baechle DL5RB <ralf@linux-mips.org>");
985 MODULE_DESCRIPTION("KISS driver for AX.25 over TTYs");
986 module_param(crc_force, int, 0);
987 MODULE_PARM_DESC(crc_force, "crc [0 = auto | 1 = none | 2 = flexnet | 3 = smack]");
988 MODULE_LICENSE("GPL");
989 MODULE_ALIAS_LDISC(N_AX25);
990 
991 module_init(mkiss_init_driver);
992 module_exit(mkiss_exit_driver);
993