xref: /openbmc/linux/drivers/tty/n_gsm.c (revision 278d3ba6)
1 // SPDX-License-Identifier: GPL-2.0
2 /*
3  * n_gsm.c GSM 0710 tty multiplexor
4  * Copyright (c) 2009/10 Intel Corporation
5  *
6  *	* THIS IS A DEVELOPMENT SNAPSHOT IT IS NOT A FINAL RELEASE *
7  *
8  * Outgoing path:
9  * tty -> DLCI fifo -> scheduler -> GSM MUX data queue    ---o-> ldisc
10  * control message               -> GSM MUX control queue --´
11  *
12  * Incoming path:
13  * ldisc -> gsm_queue() -o--> tty
14  *                        `-> gsm_control_response()
15  *
16  * TO DO:
17  *	Mostly done:	ioctls for setting modes/timing
18  *	Partly done:	hooks so you can pull off frames to non tty devs
19  *	Restart DLCI 0 when it closes ?
20  *	Improve the tx engine
21  *	Resolve tx side locking by adding a queue_head and routing
22  *		all control traffic via it
23  *	General tidy/document
24  *	Review the locking/move to refcounts more (mux now moved to an
25  *		alloc/free model ready)
26  *	Use newest tty open/close port helpers and install hooks
27  *	What to do about power functions ?
28  *	Termios setting and negotiation
29  *	Do we need a 'which mux are you' ioctl to correlate mux and tty sets
30  *
31  */
32 
33 #include <linux/types.h>
34 #include <linux/major.h>
35 #include <linux/errno.h>
36 #include <linux/signal.h>
37 #include <linux/fcntl.h>
38 #include <linux/sched/signal.h>
39 #include <linux/interrupt.h>
40 #include <linux/tty.h>
41 #include <linux/ctype.h>
42 #include <linux/mm.h>
43 #include <linux/string.h>
44 #include <linux/slab.h>
45 #include <linux/poll.h>
46 #include <linux/bitops.h>
47 #include <linux/file.h>
48 #include <linux/uaccess.h>
49 #include <linux/module.h>
50 #include <linux/timer.h>
51 #include <linux/tty_flip.h>
52 #include <linux/tty_driver.h>
53 #include <linux/serial.h>
54 #include <linux/kfifo.h>
55 #include <linux/skbuff.h>
56 #include <net/arp.h>
57 #include <linux/ip.h>
58 #include <linux/netdevice.h>
59 #include <linux/etherdevice.h>
60 #include <linux/gsmmux.h>
61 #include "tty.h"
62 
63 static int debug;
64 module_param(debug, int, 0600);
65 
66 /* Defaults: these are from the specification */
67 
68 #define T1	10		/* 100mS */
69 #define T2	34		/* 333mS */
70 #define N2	3		/* Retry 3 times */
71 
72 /* Use long timers for testing at low speed with debug on */
73 #ifdef DEBUG_TIMING
74 #define T1	100
75 #define T2	200
76 #endif
77 
78 /*
79  * Semi-arbitrary buffer size limits. 0710 is normally run with 32-64 byte
80  * limits so this is plenty
81  */
82 #define MAX_MRU 1500
83 #define MAX_MTU 1500
84 /* SOF, ADDR, CTRL, LEN1, LEN2, ..., FCS, EOF */
85 #define PROT_OVERHEAD 7
86 #define	GSM_NET_TX_TIMEOUT (HZ*10)
87 
88 /*
89  *	struct gsm_mux_net	-	network interface
90  *
91  *	Created when net interface is initialized.
92  */
93 struct gsm_mux_net {
94 	struct kref ref;
95 	struct gsm_dlci *dlci;
96 };
97 
98 /*
99  *	Each block of data we have queued to go out is in the form of
100  *	a gsm_msg which holds everything we need in a link layer independent
101  *	format
102  */
103 
104 struct gsm_msg {
105 	struct list_head list;
106 	u8 addr;		/* DLCI address + flags */
107 	u8 ctrl;		/* Control byte + flags */
108 	unsigned int len;	/* Length of data block (can be zero) */
109 	unsigned char *data;	/* Points into buffer but not at the start */
110 	unsigned char buffer[];
111 };
112 
113 enum gsm_dlci_state {
114 	DLCI_CLOSED,
115 	DLCI_OPENING,		/* Sending SABM not seen UA */
116 	DLCI_OPEN,		/* SABM/UA complete */
117 	DLCI_CLOSING,		/* Sending DISC not seen UA/DM */
118 };
119 
120 enum gsm_dlci_mode {
121 	DLCI_MODE_ABM,		/* Normal Asynchronous Balanced Mode */
122 	DLCI_MODE_ADM,		/* Asynchronous Disconnected Mode */
123 };
124 
125 /*
126  *	Each active data link has a gsm_dlci structure associated which ties
127  *	the link layer to an optional tty (if the tty side is open). To avoid
128  *	complexity right now these are only ever freed up when the mux is
129  *	shut down.
130  *
131  *	At the moment we don't free DLCI objects until the mux is torn down
132  *	this avoid object life time issues but might be worth review later.
133  */
134 
135 struct gsm_dlci {
136 	struct gsm_mux *gsm;
137 	int addr;
138 	enum gsm_dlci_state state;
139 	struct mutex mutex;
140 
141 	/* Link layer */
142 	enum gsm_dlci_mode mode;
143 	spinlock_t lock;	/* Protects the internal state */
144 	struct timer_list t1;	/* Retransmit timer for SABM and UA */
145 	int retries;
146 	/* Uplink tty if active */
147 	struct tty_port port;	/* The tty bound to this DLCI if there is one */
148 #define TX_SIZE		4096    /* Must be power of 2. */
149 	struct kfifo fifo;	/* Queue fifo for the DLCI */
150 	int adaption;		/* Adaption layer in use */
151 	int prev_adaption;
152 	u32 modem_rx;		/* Our incoming virtual modem lines */
153 	u32 modem_tx;		/* Our outgoing modem lines */
154 	bool dead;		/* Refuse re-open */
155 	/* Flow control */
156 	bool throttled;		/* Private copy of throttle state */
157 	bool constipated;	/* Throttle status for outgoing */
158 	/* Packetised I/O */
159 	struct sk_buff *skb;	/* Frame being sent */
160 	struct sk_buff_head skb_list;	/* Queued frames */
161 	/* Data handling callback */
162 	void (*data)(struct gsm_dlci *dlci, const u8 *data, int len);
163 	void (*prev_data)(struct gsm_dlci *dlci, const u8 *data, int len);
164 	struct net_device *net; /* network interface, if created */
165 };
166 
167 /* DLCI 0, 62/63 are special or reserved see gsmtty_open */
168 
169 #define NUM_DLCI		64
170 
171 /*
172  *	DLCI 0 is used to pass control blocks out of band of the data
173  *	flow (and with a higher link priority). One command can be outstanding
174  *	at a time and we use this structure to manage them. They are created
175  *	and destroyed by the user context, and updated by the receive paths
176  *	and timers
177  */
178 
179 struct gsm_control {
180 	u8 cmd;		/* Command we are issuing */
181 	u8 *data;	/* Data for the command in case we retransmit */
182 	int len;	/* Length of block for retransmission */
183 	int done;	/* Done flag */
184 	int error;	/* Error if any */
185 };
186 
187 enum gsm_mux_state {
188 	GSM_SEARCH,
189 	GSM_START,
190 	GSM_ADDRESS,
191 	GSM_CONTROL,
192 	GSM_LEN,
193 	GSM_DATA,
194 	GSM_FCS,
195 	GSM_OVERRUN,
196 	GSM_LEN0,
197 	GSM_LEN1,
198 	GSM_SSOF,
199 };
200 
201 /*
202  *	Each GSM mux we have is represented by this structure. If we are
203  *	operating as an ldisc then we use this structure as our ldisc
204  *	state. We need to sort out lifetimes and locking with respect
205  *	to the gsm mux array. For now we don't free DLCI objects that
206  *	have been instantiated until the mux itself is terminated.
207  *
208  *	To consider further: tty open versus mux shutdown.
209  */
210 
211 struct gsm_mux {
212 	struct tty_struct *tty;		/* The tty our ldisc is bound to */
213 	spinlock_t lock;
214 	struct mutex mutex;
215 	unsigned int num;
216 	struct kref ref;
217 
218 	/* Events on the GSM channel */
219 	wait_queue_head_t event;
220 
221 	/* ldisc send work */
222 	struct work_struct tx_work;
223 
224 	/* Bits for GSM mode decoding */
225 
226 	/* Framing Layer */
227 	unsigned char *buf;
228 	enum gsm_mux_state state;
229 	unsigned int len;
230 	unsigned int address;
231 	unsigned int count;
232 	bool escape;
233 	int encoding;
234 	u8 control;
235 	u8 fcs;
236 	u8 *txframe;			/* TX framing buffer */
237 
238 	/* Method for the receiver side */
239 	void (*receive)(struct gsm_mux *gsm, u8 ch);
240 
241 	/* Link Layer */
242 	unsigned int mru;
243 	unsigned int mtu;
244 	int initiator;			/* Did we initiate connection */
245 	bool dead;			/* Has the mux been shut down */
246 	struct gsm_dlci *dlci[NUM_DLCI];
247 	int old_c_iflag;		/* termios c_iflag value before attach */
248 	bool constipated;		/* Asked by remote to shut up */
249 	bool has_devices;		/* Devices were registered */
250 
251 	spinlock_t tx_lock;
252 	unsigned int tx_bytes;		/* TX data outstanding */
253 #define TX_THRESH_HI		8192
254 #define TX_THRESH_LO		2048
255 	struct list_head tx_ctrl_list;	/* Pending control packets */
256 	struct list_head tx_data_list;	/* Pending data packets */
257 
258 	/* Control messages */
259 	struct timer_list kick_timer;	/* Kick TX queuing on timeout */
260 	struct timer_list t2_timer;	/* Retransmit timer for commands */
261 	int cretries;			/* Command retry counter */
262 	struct gsm_control *pending_cmd;/* Our current pending command */
263 	spinlock_t control_lock;	/* Protects the pending command */
264 
265 	/* Configuration */
266 	int adaption;		/* 1 or 2 supported */
267 	u8 ftype;		/* UI or UIH */
268 	int t1, t2;		/* Timers in 1/100th of a sec */
269 	int n2;			/* Retry count */
270 
271 	/* Statistics (not currently exposed) */
272 	unsigned long bad_fcs;
273 	unsigned long malformed;
274 	unsigned long io_error;
275 	unsigned long bad_size;
276 	unsigned long unsupported;
277 };
278 
279 
280 /*
281  *	Mux objects - needed so that we can translate a tty index into the
282  *	relevant mux and DLCI.
283  */
284 
285 #define MAX_MUX		4			/* 256 minors */
286 static struct gsm_mux *gsm_mux[MAX_MUX];	/* GSM muxes */
287 static DEFINE_SPINLOCK(gsm_mux_lock);
288 
289 static struct tty_driver *gsm_tty_driver;
290 
291 /*
292  *	This section of the driver logic implements the GSM encodings
293  *	both the basic and the 'advanced'. Reliable transport is not
294  *	supported.
295  */
296 
297 #define CR			0x02
298 #define EA			0x01
299 #define	PF			0x10
300 
301 /* I is special: the rest are ..*/
302 #define RR			0x01
303 #define UI			0x03
304 #define RNR			0x05
305 #define REJ			0x09
306 #define DM			0x0F
307 #define SABM			0x2F
308 #define DISC			0x43
309 #define UA			0x63
310 #define	UIH			0xEF
311 
312 /* Channel commands */
313 #define CMD_NSC			0x09
314 #define CMD_TEST		0x11
315 #define CMD_PSC			0x21
316 #define CMD_RLS			0x29
317 #define CMD_FCOFF		0x31
318 #define CMD_PN			0x41
319 #define CMD_RPN			0x49
320 #define CMD_FCON		0x51
321 #define CMD_CLD			0x61
322 #define CMD_SNC			0x69
323 #define CMD_MSC			0x71
324 
325 /* Virtual modem bits */
326 #define MDM_FC			0x01
327 #define MDM_RTC			0x02
328 #define MDM_RTR			0x04
329 #define MDM_IC			0x20
330 #define MDM_DV			0x40
331 
332 #define GSM0_SOF		0xF9
333 #define GSM1_SOF		0x7E
334 #define GSM1_ESCAPE		0x7D
335 #define GSM1_ESCAPE_BITS	0x20
336 #define XON			0x11
337 #define XOFF			0x13
338 #define ISO_IEC_646_MASK	0x7F
339 
340 static const struct tty_port_operations gsm_port_ops;
341 
342 /*
343  *	CRC table for GSM 0710
344  */
345 
346 static const u8 gsm_fcs8[256] = {
347 	0x00, 0x91, 0xE3, 0x72, 0x07, 0x96, 0xE4, 0x75,
348 	0x0E, 0x9F, 0xED, 0x7C, 0x09, 0x98, 0xEA, 0x7B,
349 	0x1C, 0x8D, 0xFF, 0x6E, 0x1B, 0x8A, 0xF8, 0x69,
350 	0x12, 0x83, 0xF1, 0x60, 0x15, 0x84, 0xF6, 0x67,
351 	0x38, 0xA9, 0xDB, 0x4A, 0x3F, 0xAE, 0xDC, 0x4D,
352 	0x36, 0xA7, 0xD5, 0x44, 0x31, 0xA0, 0xD2, 0x43,
353 	0x24, 0xB5, 0xC7, 0x56, 0x23, 0xB2, 0xC0, 0x51,
354 	0x2A, 0xBB, 0xC9, 0x58, 0x2D, 0xBC, 0xCE, 0x5F,
355 	0x70, 0xE1, 0x93, 0x02, 0x77, 0xE6, 0x94, 0x05,
356 	0x7E, 0xEF, 0x9D, 0x0C, 0x79, 0xE8, 0x9A, 0x0B,
357 	0x6C, 0xFD, 0x8F, 0x1E, 0x6B, 0xFA, 0x88, 0x19,
358 	0x62, 0xF3, 0x81, 0x10, 0x65, 0xF4, 0x86, 0x17,
359 	0x48, 0xD9, 0xAB, 0x3A, 0x4F, 0xDE, 0xAC, 0x3D,
360 	0x46, 0xD7, 0xA5, 0x34, 0x41, 0xD0, 0xA2, 0x33,
361 	0x54, 0xC5, 0xB7, 0x26, 0x53, 0xC2, 0xB0, 0x21,
362 	0x5A, 0xCB, 0xB9, 0x28, 0x5D, 0xCC, 0xBE, 0x2F,
363 	0xE0, 0x71, 0x03, 0x92, 0xE7, 0x76, 0x04, 0x95,
364 	0xEE, 0x7F, 0x0D, 0x9C, 0xE9, 0x78, 0x0A, 0x9B,
365 	0xFC, 0x6D, 0x1F, 0x8E, 0xFB, 0x6A, 0x18, 0x89,
366 	0xF2, 0x63, 0x11, 0x80, 0xF5, 0x64, 0x16, 0x87,
367 	0xD8, 0x49, 0x3B, 0xAA, 0xDF, 0x4E, 0x3C, 0xAD,
368 	0xD6, 0x47, 0x35, 0xA4, 0xD1, 0x40, 0x32, 0xA3,
369 	0xC4, 0x55, 0x27, 0xB6, 0xC3, 0x52, 0x20, 0xB1,
370 	0xCA, 0x5B, 0x29, 0xB8, 0xCD, 0x5C, 0x2E, 0xBF,
371 	0x90, 0x01, 0x73, 0xE2, 0x97, 0x06, 0x74, 0xE5,
372 	0x9E, 0x0F, 0x7D, 0xEC, 0x99, 0x08, 0x7A, 0xEB,
373 	0x8C, 0x1D, 0x6F, 0xFE, 0x8B, 0x1A, 0x68, 0xF9,
374 	0x82, 0x13, 0x61, 0xF0, 0x85, 0x14, 0x66, 0xF7,
375 	0xA8, 0x39, 0x4B, 0xDA, 0xAF, 0x3E, 0x4C, 0xDD,
376 	0xA6, 0x37, 0x45, 0xD4, 0xA1, 0x30, 0x42, 0xD3,
377 	0xB4, 0x25, 0x57, 0xC6, 0xB3, 0x22, 0x50, 0xC1,
378 	0xBA, 0x2B, 0x59, 0xC8, 0xBD, 0x2C, 0x5E, 0xCF
379 };
380 
381 #define INIT_FCS	0xFF
382 #define GOOD_FCS	0xCF
383 
384 static int gsmld_output(struct gsm_mux *gsm, u8 *data, int len);
385 static int gsm_modem_update(struct gsm_dlci *dlci, u8 brk);
386 static struct gsm_msg *gsm_data_alloc(struct gsm_mux *gsm, u8 addr, int len,
387 								u8 ctrl);
388 static int gsm_send_packet(struct gsm_mux *gsm, struct gsm_msg *msg);
389 static void gsmld_write_trigger(struct gsm_mux *gsm);
390 static void gsmld_write_task(struct work_struct *work);
391 
392 /**
393  *	gsm_fcs_add	-	update FCS
394  *	@fcs: Current FCS
395  *	@c: Next data
396  *
397  *	Update the FCS to include c. Uses the algorithm in the specification
398  *	notes.
399  */
400 
401 static inline u8 gsm_fcs_add(u8 fcs, u8 c)
402 {
403 	return gsm_fcs8[fcs ^ c];
404 }
405 
406 /**
407  *	gsm_fcs_add_block	-	update FCS for a block
408  *	@fcs: Current FCS
409  *	@c: buffer of data
410  *	@len: length of buffer
411  *
412  *	Update the FCS to include c. Uses the algorithm in the specification
413  *	notes.
414  */
415 
416 static inline u8 gsm_fcs_add_block(u8 fcs, u8 *c, int len)
417 {
418 	while (len--)
419 		fcs = gsm_fcs8[fcs ^ *c++];
420 	return fcs;
421 }
422 
423 /**
424  *	gsm_read_ea		-	read a byte into an EA
425  *	@val: variable holding value
426  *	@c: byte going into the EA
427  *
428  *	Processes one byte of an EA. Updates the passed variable
429  *	and returns 1 if the EA is now completely read
430  */
431 
432 static int gsm_read_ea(unsigned int *val, u8 c)
433 {
434 	/* Add the next 7 bits into the value */
435 	*val <<= 7;
436 	*val |= c >> 1;
437 	/* Was this the last byte of the EA 1 = yes*/
438 	return c & EA;
439 }
440 
441 /**
442  *	gsm_read_ea_val	-	read a value until EA
443  *	@val: variable holding value
444  *	@data: buffer of data
445  *	@dlen: length of data
446  *
447  *	Processes an EA value. Updates the passed variable and
448  *	returns the processed data length.
449  */
450 static unsigned int gsm_read_ea_val(unsigned int *val, const u8 *data, int dlen)
451 {
452 	unsigned int len = 0;
453 
454 	for (; dlen > 0; dlen--) {
455 		len++;
456 		if (gsm_read_ea(val, *data++))
457 			break;
458 	}
459 	return len;
460 }
461 
462 /**
463  *	gsm_encode_modem	-	encode modem data bits
464  *	@dlci: DLCI to encode from
465  *
466  *	Returns the correct GSM encoded modem status bits (6 bit field) for
467  *	the current status of the DLCI and attached tty object
468  */
469 
470 static u8 gsm_encode_modem(const struct gsm_dlci *dlci)
471 {
472 	u8 modembits = 0;
473 	/* FC is true flow control not modem bits */
474 	if (dlci->throttled)
475 		modembits |= MDM_FC;
476 	if (dlci->modem_tx & TIOCM_DTR)
477 		modembits |= MDM_RTC;
478 	if (dlci->modem_tx & TIOCM_RTS)
479 		modembits |= MDM_RTR;
480 	if (dlci->modem_tx & TIOCM_RI)
481 		modembits |= MDM_IC;
482 	if (dlci->modem_tx & TIOCM_CD || dlci->gsm->initiator)
483 		modembits |= MDM_DV;
484 	return modembits;
485 }
486 
487 static void gsm_hex_dump_bytes(const char *fname, const u8 *data,
488 			       unsigned long len)
489 {
490 	char *prefix;
491 
492 	if (!fname) {
493 		print_hex_dump(KERN_INFO, "", DUMP_PREFIX_NONE, 16, 1, data, len,
494 			       true);
495 		return;
496 	}
497 
498 	prefix = kasprintf(GFP_ATOMIC, "%s: ", fname);
499 	if (!prefix)
500 		return;
501 	print_hex_dump(KERN_INFO, prefix, DUMP_PREFIX_OFFSET, 16, 1, data, len,
502 		       true);
503 	kfree(prefix);
504 }
505 
506 /**
507  *	gsm_register_devices	-	register all tty devices for a given mux index
508  *
509  *	@driver: the tty driver that describes the tty devices
510  *	@index:  the mux number is used to calculate the minor numbers of the
511  *	         ttys for this mux and may differ from the position in the
512  *	         mux array.
513  */
514 static int gsm_register_devices(struct tty_driver *driver, unsigned int index)
515 {
516 	struct device *dev;
517 	int i;
518 	unsigned int base;
519 
520 	if (!driver || index >= MAX_MUX)
521 		return -EINVAL;
522 
523 	base = index * NUM_DLCI; /* first minor for this index */
524 	for (i = 1; i < NUM_DLCI; i++) {
525 		/* Don't register device 0 - this is the control channel
526 		 * and not a usable tty interface
527 		 */
528 		dev = tty_register_device(gsm_tty_driver, base + i, NULL);
529 		if (IS_ERR(dev)) {
530 			if (debug & 8)
531 				pr_info("%s failed to register device minor %u",
532 					__func__, base + i);
533 			for (i--; i >= 1; i--)
534 				tty_unregister_device(gsm_tty_driver, base + i);
535 			return PTR_ERR(dev);
536 		}
537 	}
538 
539 	return 0;
540 }
541 
542 /**
543  *	gsm_unregister_devices	-	unregister all tty devices for a given mux index
544  *
545  *	@driver: the tty driver that describes the tty devices
546  *	@index:  the mux number is used to calculate the minor numbers of the
547  *	         ttys for this mux and may differ from the position in the
548  *	         mux array.
549  */
550 static void gsm_unregister_devices(struct tty_driver *driver,
551 				   unsigned int index)
552 {
553 	int i;
554 	unsigned int base;
555 
556 	if (!driver || index >= MAX_MUX)
557 		return;
558 
559 	base = index * NUM_DLCI; /* first minor for this index */
560 	for (i = 1; i < NUM_DLCI; i++) {
561 		/* Don't unregister device 0 - this is the control
562 		 * channel and not a usable tty interface
563 		 */
564 		tty_unregister_device(gsm_tty_driver, base + i);
565 	}
566 }
567 
568 /**
569  *	gsm_print_packet	-	display a frame for debug
570  *	@hdr: header to print before decode
571  *	@addr: address EA from the frame
572  *	@cr: C/R bit seen as initiator
573  *	@control: control including PF bit
574  *	@data: following data bytes
575  *	@dlen: length of data
576  *
577  *	Displays a packet in human readable format for debugging purposes. The
578  *	style is based on amateur radio LAP-B dump display.
579  */
580 
581 static void gsm_print_packet(const char *hdr, int addr, int cr,
582 					u8 control, const u8 *data, int dlen)
583 {
584 	if (!(debug & 1))
585 		return;
586 
587 	pr_info("%s %d) %c: ", hdr, addr, "RC"[cr]);
588 
589 	switch (control & ~PF) {
590 	case SABM:
591 		pr_cont("SABM");
592 		break;
593 	case UA:
594 		pr_cont("UA");
595 		break;
596 	case DISC:
597 		pr_cont("DISC");
598 		break;
599 	case DM:
600 		pr_cont("DM");
601 		break;
602 	case UI:
603 		pr_cont("UI");
604 		break;
605 	case UIH:
606 		pr_cont("UIH");
607 		break;
608 	default:
609 		if (!(control & 0x01)) {
610 			pr_cont("I N(S)%d N(R)%d",
611 				(control & 0x0E) >> 1, (control & 0xE0) >> 5);
612 		} else switch (control & 0x0F) {
613 			case RR:
614 				pr_cont("RR(%d)", (control & 0xE0) >> 5);
615 				break;
616 			case RNR:
617 				pr_cont("RNR(%d)", (control & 0xE0) >> 5);
618 				break;
619 			case REJ:
620 				pr_cont("REJ(%d)", (control & 0xE0) >> 5);
621 				break;
622 			default:
623 				pr_cont("[%02X]", control);
624 		}
625 	}
626 
627 	if (control & PF)
628 		pr_cont("(P)");
629 	else
630 		pr_cont("(F)");
631 
632 	gsm_hex_dump_bytes(NULL, data, dlen);
633 }
634 
635 
636 /*
637  *	Link level transmission side
638  */
639 
640 /**
641  *	gsm_stuff_frame	-	bytestuff a packet
642  *	@input: input buffer
643  *	@output: output buffer
644  *	@len: length of input
645  *
646  *	Expand a buffer by bytestuffing it. The worst case size change
647  *	is doubling and the caller is responsible for handing out
648  *	suitable sized buffers.
649  */
650 
651 static int gsm_stuff_frame(const u8 *input, u8 *output, int len)
652 {
653 	int olen = 0;
654 	while (len--) {
655 		if (*input == GSM1_SOF || *input == GSM1_ESCAPE
656 		    || (*input & ISO_IEC_646_MASK) == XON
657 		    || (*input & ISO_IEC_646_MASK) == XOFF) {
658 			*output++ = GSM1_ESCAPE;
659 			*output++ = *input++ ^ GSM1_ESCAPE_BITS;
660 			olen++;
661 		} else
662 			*output++ = *input++;
663 		olen++;
664 	}
665 	return olen;
666 }
667 
668 /**
669  *	gsm_send	-	send a control frame
670  *	@gsm: our GSM mux
671  *	@addr: address for control frame
672  *	@cr: command/response bit seen as initiator
673  *	@control:  control byte including PF bit
674  *
675  *	Format up and transmit a control frame. These should be transmitted
676  *	ahead of data when they are needed.
677  */
678 static int gsm_send(struct gsm_mux *gsm, int addr, int cr, int control)
679 {
680 	struct gsm_msg *msg;
681 	u8 *dp;
682 	int ocr;
683 	unsigned long flags;
684 
685 	msg = gsm_data_alloc(gsm, addr, 0, control);
686 	if (!msg)
687 		return -ENOMEM;
688 
689 	/* toggle C/R coding if not initiator */
690 	ocr = cr ^ (gsm->initiator ? 0 : 1);
691 
692 	msg->data -= 3;
693 	dp = msg->data;
694 	*dp++ = (addr << 2) | (ocr << 1) | EA;
695 	*dp++ = control;
696 
697 	if (gsm->encoding == 0)
698 		*dp++ = EA; /* Length of data = 0 */
699 
700 	*dp = 0xFF - gsm_fcs_add_block(INIT_FCS, msg->data, dp - msg->data);
701 	msg->len = (dp - msg->data) + 1;
702 
703 	gsm_print_packet("Q->", addr, cr, control, NULL, 0);
704 
705 	spin_lock_irqsave(&gsm->tx_lock, flags);
706 	list_add_tail(&msg->list, &gsm->tx_ctrl_list);
707 	gsm->tx_bytes += msg->len;
708 	spin_unlock_irqrestore(&gsm->tx_lock, flags);
709 	gsmld_write_trigger(gsm);
710 
711 	return 0;
712 }
713 
714 /**
715  *	gsm_dlci_clear_queues	-	remove outstanding data for a DLCI
716  *	@gsm: mux
717  *	@dlci: clear for this DLCI
718  *
719  *	Clears the data queues for a given DLCI.
720  */
721 static void gsm_dlci_clear_queues(struct gsm_mux *gsm, struct gsm_dlci *dlci)
722 {
723 	struct gsm_msg *msg, *nmsg;
724 	int addr = dlci->addr;
725 	unsigned long flags;
726 
727 	/* Clear DLCI write fifo first */
728 	spin_lock_irqsave(&dlci->lock, flags);
729 	kfifo_reset(&dlci->fifo);
730 	spin_unlock_irqrestore(&dlci->lock, flags);
731 
732 	/* Clear data packets in MUX write queue */
733 	spin_lock_irqsave(&gsm->tx_lock, flags);
734 	list_for_each_entry_safe(msg, nmsg, &gsm->tx_data_list, list) {
735 		if (msg->addr != addr)
736 			continue;
737 		gsm->tx_bytes -= msg->len;
738 		list_del(&msg->list);
739 		kfree(msg);
740 	}
741 	spin_unlock_irqrestore(&gsm->tx_lock, flags);
742 }
743 
744 /**
745  *	gsm_response	-	send a control response
746  *	@gsm: our GSM mux
747  *	@addr: address for control frame
748  *	@control:  control byte including PF bit
749  *
750  *	Format up and transmit a link level response frame.
751  */
752 
753 static inline void gsm_response(struct gsm_mux *gsm, int addr, int control)
754 {
755 	gsm_send(gsm, addr, 0, control);
756 }
757 
758 /**
759  *	gsm_command	-	send a control command
760  *	@gsm: our GSM mux
761  *	@addr: address for control frame
762  *	@control:  control byte including PF bit
763  *
764  *	Format up and transmit a link level command frame.
765  */
766 
767 static inline void gsm_command(struct gsm_mux *gsm, int addr, int control)
768 {
769 	gsm_send(gsm, addr, 1, control);
770 }
771 
772 /* Data transmission */
773 
774 #define HDR_LEN		6	/* ADDR CTRL [LEN.2] DATA FCS */
775 
776 /**
777  *	gsm_data_alloc		-	allocate data frame
778  *	@gsm: GSM mux
779  *	@addr: DLCI address
780  *	@len: length excluding header and FCS
781  *	@ctrl: control byte
782  *
783  *	Allocate a new data buffer for sending frames with data. Space is left
784  *	at the front for header bytes but that is treated as an implementation
785  *	detail and not for the high level code to use
786  */
787 
788 static struct gsm_msg *gsm_data_alloc(struct gsm_mux *gsm, u8 addr, int len,
789 								u8 ctrl)
790 {
791 	struct gsm_msg *m = kmalloc(sizeof(struct gsm_msg) + len + HDR_LEN,
792 								GFP_ATOMIC);
793 	if (m == NULL)
794 		return NULL;
795 	m->data = m->buffer + HDR_LEN - 1;	/* Allow for FCS */
796 	m->len = len;
797 	m->addr = addr;
798 	m->ctrl = ctrl;
799 	INIT_LIST_HEAD(&m->list);
800 	return m;
801 }
802 
803 /**
804  *	gsm_send_packet	-	sends a single packet
805  *	@gsm: GSM Mux
806  *	@msg: packet to send
807  *
808  *	The given packet is encoded and sent out. No memory is freed.
809  *	The caller must hold the gsm tx lock.
810  */
811 static int gsm_send_packet(struct gsm_mux *gsm, struct gsm_msg *msg)
812 {
813 	int len, ret;
814 
815 
816 	if (gsm->encoding == 0) {
817 		gsm->txframe[0] = GSM0_SOF;
818 		memcpy(gsm->txframe + 1, msg->data, msg->len);
819 		gsm->txframe[msg->len + 1] = GSM0_SOF;
820 		len = msg->len + 2;
821 	} else {
822 		gsm->txframe[0] = GSM1_SOF;
823 		len = gsm_stuff_frame(msg->data, gsm->txframe + 1, msg->len);
824 		gsm->txframe[len + 1] = GSM1_SOF;
825 		len += 2;
826 	}
827 
828 	if (debug & 4)
829 		gsm_hex_dump_bytes(__func__, gsm->txframe, len);
830 	gsm_print_packet("-->", msg->addr, gsm->initiator, msg->ctrl, msg->data,
831 			 msg->len);
832 
833 	ret = gsmld_output(gsm, gsm->txframe, len);
834 	if (ret <= 0)
835 		return ret;
836 	/* FIXME: Can eliminate one SOF in many more cases */
837 	gsm->tx_bytes -= msg->len;
838 
839 	return 0;
840 }
841 
842 /**
843  *	gsm_is_flow_ctrl_msg	-	checks if flow control message
844  *	@msg: message to check
845  *
846  *	Returns true if the given message is a flow control command of the
847  *	control channel. False is returned in any other case.
848  */
849 static bool gsm_is_flow_ctrl_msg(struct gsm_msg *msg)
850 {
851 	unsigned int cmd;
852 
853 	if (msg->addr > 0)
854 		return false;
855 
856 	switch (msg->ctrl & ~PF) {
857 	case UI:
858 	case UIH:
859 		cmd = 0;
860 		if (gsm_read_ea_val(&cmd, msg->data + 2, msg->len - 2) < 1)
861 			break;
862 		switch (cmd & ~PF) {
863 		case CMD_FCOFF:
864 		case CMD_FCON:
865 			return true;
866 		}
867 		break;
868 	}
869 
870 	return false;
871 }
872 
873 /**
874  *	gsm_data_kick	-	poke the queue
875  *	@gsm: GSM Mux
876  *
877  *	The tty device has called us to indicate that room has appeared in
878  *	the transmit queue. Ram more data into the pipe if we have any.
879  *	If we have been flow-stopped by a CMD_FCOFF, then we can only
880  *	send messages on DLCI0 until CMD_FCON. The caller must hold
881  *	the gsm tx lock.
882  */
883 static int gsm_data_kick(struct gsm_mux *gsm)
884 {
885 	struct gsm_msg *msg, *nmsg;
886 	struct gsm_dlci *dlci;
887 	int ret;
888 
889 	clear_bit(TTY_DO_WRITE_WAKEUP, &gsm->tty->flags);
890 
891 	/* Serialize control messages and control channel messages first */
892 	list_for_each_entry_safe(msg, nmsg, &gsm->tx_ctrl_list, list) {
893 		if (gsm->constipated && !gsm_is_flow_ctrl_msg(msg))
894 			continue;
895 		ret = gsm_send_packet(gsm, msg);
896 		switch (ret) {
897 		case -ENOSPC:
898 			return -ENOSPC;
899 		case -ENODEV:
900 			/* ldisc not open */
901 			gsm->tx_bytes -= msg->len;
902 			list_del(&msg->list);
903 			kfree(msg);
904 			continue;
905 		default:
906 			if (ret >= 0) {
907 				list_del(&msg->list);
908 				kfree(msg);
909 			}
910 			break;
911 		}
912 	}
913 
914 	if (gsm->constipated)
915 		return -EAGAIN;
916 
917 	/* Serialize other channels */
918 	if (list_empty(&gsm->tx_data_list))
919 		return 0;
920 	list_for_each_entry_safe(msg, nmsg, &gsm->tx_data_list, list) {
921 		dlci = gsm->dlci[msg->addr];
922 		/* Send only messages for DLCIs with valid state */
923 		if (dlci->state != DLCI_OPEN) {
924 			gsm->tx_bytes -= msg->len;
925 			list_del(&msg->list);
926 			kfree(msg);
927 			continue;
928 		}
929 		ret = gsm_send_packet(gsm, msg);
930 		switch (ret) {
931 		case -ENOSPC:
932 			return -ENOSPC;
933 		case -ENODEV:
934 			/* ldisc not open */
935 			gsm->tx_bytes -= msg->len;
936 			list_del(&msg->list);
937 			kfree(msg);
938 			continue;
939 		default:
940 			if (ret >= 0) {
941 				list_del(&msg->list);
942 				kfree(msg);
943 			}
944 			break;
945 		}
946 	}
947 
948 	return 1;
949 }
950 
951 /**
952  *	__gsm_data_queue		-	queue a UI or UIH frame
953  *	@dlci: DLCI sending the data
954  *	@msg: message queued
955  *
956  *	Add data to the transmit queue and try and get stuff moving
957  *	out of the mux tty if not already doing so. The Caller must hold
958  *	the gsm tx lock.
959  */
960 
961 static void __gsm_data_queue(struct gsm_dlci *dlci, struct gsm_msg *msg)
962 {
963 	struct gsm_mux *gsm = dlci->gsm;
964 	u8 *dp = msg->data;
965 	u8 *fcs = dp + msg->len;
966 
967 	/* Fill in the header */
968 	if (gsm->encoding == 0) {
969 		if (msg->len < 128)
970 			*--dp = (msg->len << 1) | EA;
971 		else {
972 			*--dp = (msg->len >> 7);	/* bits 7 - 15 */
973 			*--dp = (msg->len & 127) << 1;	/* bits 0 - 6 */
974 		}
975 	}
976 
977 	*--dp = msg->ctrl;
978 	if (gsm->initiator)
979 		*--dp = (msg->addr << 2) | CR | EA;
980 	else
981 		*--dp = (msg->addr << 2) | EA;
982 	*fcs = gsm_fcs_add_block(INIT_FCS, dp , msg->data - dp);
983 	/* Ugly protocol layering violation */
984 	if (msg->ctrl == UI || msg->ctrl == (UI|PF))
985 		*fcs = gsm_fcs_add_block(*fcs, msg->data, msg->len);
986 	*fcs = 0xFF - *fcs;
987 
988 	gsm_print_packet("Q> ", msg->addr, gsm->initiator, msg->ctrl,
989 							msg->data, msg->len);
990 
991 	/* Move the header back and adjust the length, also allow for the FCS
992 	   now tacked on the end */
993 	msg->len += (msg->data - dp) + 1;
994 	msg->data = dp;
995 
996 	/* Add to the actual output queue */
997 	switch (msg->ctrl & ~PF) {
998 	case UI:
999 	case UIH:
1000 		if (msg->addr > 0) {
1001 			list_add_tail(&msg->list, &gsm->tx_data_list);
1002 			break;
1003 		}
1004 		fallthrough;
1005 	default:
1006 		list_add_tail(&msg->list, &gsm->tx_ctrl_list);
1007 		break;
1008 	}
1009 	gsm->tx_bytes += msg->len;
1010 
1011 	gsmld_write_trigger(gsm);
1012 	mod_timer(&gsm->kick_timer, jiffies + 10 * gsm->t1 * HZ / 100);
1013 }
1014 
1015 /**
1016  *	gsm_data_queue		-	queue a UI or UIH frame
1017  *	@dlci: DLCI sending the data
1018  *	@msg: message queued
1019  *
1020  *	Add data to the transmit queue and try and get stuff moving
1021  *	out of the mux tty if not already doing so. Take the
1022  *	the gsm tx lock and dlci lock.
1023  */
1024 
1025 static void gsm_data_queue(struct gsm_dlci *dlci, struct gsm_msg *msg)
1026 {
1027 	unsigned long flags;
1028 	spin_lock_irqsave(&dlci->gsm->tx_lock, flags);
1029 	__gsm_data_queue(dlci, msg);
1030 	spin_unlock_irqrestore(&dlci->gsm->tx_lock, flags);
1031 }
1032 
1033 /**
1034  *	gsm_dlci_data_output	-	try and push data out of a DLCI
1035  *	@gsm: mux
1036  *	@dlci: the DLCI to pull data from
1037  *
1038  *	Pull data from a DLCI and send it into the transmit queue if there
1039  *	is data. Keep to the MRU of the mux. This path handles the usual tty
1040  *	interface which is a byte stream with optional modem data.
1041  *
1042  *	Caller must hold the tx_lock of the mux.
1043  */
1044 
1045 static int gsm_dlci_data_output(struct gsm_mux *gsm, struct gsm_dlci *dlci)
1046 {
1047 	struct gsm_msg *msg;
1048 	u8 *dp;
1049 	int h, len, size;
1050 
1051 	/* for modem bits without break data */
1052 	h = ((dlci->adaption == 1) ? 0 : 1);
1053 
1054 	len = kfifo_len(&dlci->fifo);
1055 	if (len == 0)
1056 		return 0;
1057 
1058 	/* MTU/MRU count only the data bits but watch adaption mode */
1059 	if ((len + h) > gsm->mtu)
1060 		len = gsm->mtu - h;
1061 
1062 	size = len + h;
1063 
1064 	msg = gsm_data_alloc(gsm, dlci->addr, size, gsm->ftype);
1065 	if (!msg)
1066 		return -ENOMEM;
1067 	dp = msg->data;
1068 	switch (dlci->adaption) {
1069 	case 1: /* Unstructured */
1070 		break;
1071 	case 2: /* Unstructured with modem bits.
1072 		 * Always one byte as we never send inline break data
1073 		 */
1074 		*dp++ = (gsm_encode_modem(dlci) << 1) | EA;
1075 		break;
1076 	default:
1077 		pr_err("%s: unsupported adaption %d\n", __func__,
1078 		       dlci->adaption);
1079 		break;
1080 	}
1081 
1082 	WARN_ON(len != kfifo_out_locked(&dlci->fifo, dp, len,
1083 		&dlci->lock));
1084 
1085 	/* Notify upper layer about available send space. */
1086 	tty_port_tty_wakeup(&dlci->port);
1087 
1088 	__gsm_data_queue(dlci, msg);
1089 	/* Bytes of data we used up */
1090 	return size;
1091 }
1092 
1093 /**
1094  *	gsm_dlci_data_output_framed  -	try and push data out of a DLCI
1095  *	@gsm: mux
1096  *	@dlci: the DLCI to pull data from
1097  *
1098  *	Pull data from a DLCI and send it into the transmit queue if there
1099  *	is data. Keep to the MRU of the mux. This path handles framed data
1100  *	queued as skbuffs to the DLCI.
1101  *
1102  *	Caller must hold the tx_lock of the mux.
1103  */
1104 
1105 static int gsm_dlci_data_output_framed(struct gsm_mux *gsm,
1106 						struct gsm_dlci *dlci)
1107 {
1108 	struct gsm_msg *msg;
1109 	u8 *dp;
1110 	int len, size;
1111 	int last = 0, first = 0;
1112 	int overhead = 0;
1113 
1114 	/* One byte per frame is used for B/F flags */
1115 	if (dlci->adaption == 4)
1116 		overhead = 1;
1117 
1118 	/* dlci->skb is locked by tx_lock */
1119 	if (dlci->skb == NULL) {
1120 		dlci->skb = skb_dequeue_tail(&dlci->skb_list);
1121 		if (dlci->skb == NULL)
1122 			return 0;
1123 		first = 1;
1124 	}
1125 	len = dlci->skb->len + overhead;
1126 
1127 	/* MTU/MRU count only the data bits */
1128 	if (len > gsm->mtu) {
1129 		if (dlci->adaption == 3) {
1130 			/* Over long frame, bin it */
1131 			dev_kfree_skb_any(dlci->skb);
1132 			dlci->skb = NULL;
1133 			return 0;
1134 		}
1135 		len = gsm->mtu;
1136 	} else
1137 		last = 1;
1138 
1139 	size = len + overhead;
1140 	msg = gsm_data_alloc(gsm, dlci->addr, size, gsm->ftype);
1141 	if (msg == NULL) {
1142 		skb_queue_tail(&dlci->skb_list, dlci->skb);
1143 		dlci->skb = NULL;
1144 		return -ENOMEM;
1145 	}
1146 	dp = msg->data;
1147 
1148 	if (dlci->adaption == 4) { /* Interruptible framed (Packetised Data) */
1149 		/* Flag byte to carry the start/end info */
1150 		*dp++ = last << 7 | first << 6 | 1;	/* EA */
1151 		len--;
1152 	}
1153 	memcpy(dp, dlci->skb->data, len);
1154 	skb_pull(dlci->skb, len);
1155 	__gsm_data_queue(dlci, msg);
1156 	if (last) {
1157 		dev_kfree_skb_any(dlci->skb);
1158 		dlci->skb = NULL;
1159 	}
1160 	return size;
1161 }
1162 
1163 /**
1164  *	gsm_dlci_modem_output	-	try and push modem status out of a DLCI
1165  *	@gsm: mux
1166  *	@dlci: the DLCI to pull modem status from
1167  *	@brk: break signal
1168  *
1169  *	Push an empty frame in to the transmit queue to update the modem status
1170  *	bits and to transmit an optional break.
1171  *
1172  *	Caller must hold the tx_lock of the mux.
1173  */
1174 
1175 static int gsm_dlci_modem_output(struct gsm_mux *gsm, struct gsm_dlci *dlci,
1176 				 u8 brk)
1177 {
1178 	u8 *dp = NULL;
1179 	struct gsm_msg *msg;
1180 	int size = 0;
1181 
1182 	/* for modem bits without break data */
1183 	switch (dlci->adaption) {
1184 	case 1: /* Unstructured */
1185 		break;
1186 	case 2: /* Unstructured with modem bits. */
1187 		size++;
1188 		if (brk > 0)
1189 			size++;
1190 		break;
1191 	default:
1192 		pr_err("%s: unsupported adaption %d\n", __func__,
1193 		       dlci->adaption);
1194 		return -EINVAL;
1195 	}
1196 
1197 	msg = gsm_data_alloc(gsm, dlci->addr, size, gsm->ftype);
1198 	if (!msg) {
1199 		pr_err("%s: gsm_data_alloc error", __func__);
1200 		return -ENOMEM;
1201 	}
1202 	dp = msg->data;
1203 	switch (dlci->adaption) {
1204 	case 1: /* Unstructured */
1205 		break;
1206 	case 2: /* Unstructured with modem bits. */
1207 		if (brk == 0) {
1208 			*dp++ = (gsm_encode_modem(dlci) << 1) | EA;
1209 		} else {
1210 			*dp++ = gsm_encode_modem(dlci) << 1;
1211 			*dp++ = (brk << 4) | 2 | EA; /* Length, Break, EA */
1212 		}
1213 		break;
1214 	default:
1215 		/* Handled above */
1216 		break;
1217 	}
1218 
1219 	__gsm_data_queue(dlci, msg);
1220 	return size;
1221 }
1222 
1223 /**
1224  *	gsm_dlci_data_sweep		-	look for data to send
1225  *	@gsm: the GSM mux
1226  *
1227  *	Sweep the GSM mux channels in priority order looking for ones with
1228  *	data to send. We could do with optimising this scan a bit. We aim
1229  *	to fill the queue totally or up to TX_THRESH_HI bytes. Once we hit
1230  *	TX_THRESH_LO we get called again
1231  *
1232  *	FIXME: We should round robin between groups and in theory you can
1233  *	renegotiate DLCI priorities with optional stuff. Needs optimising.
1234  */
1235 
1236 static int gsm_dlci_data_sweep(struct gsm_mux *gsm)
1237 {
1238 	/* Priority ordering: We should do priority with RR of the groups */
1239 	int i, len, ret = 0;
1240 	bool sent;
1241 	struct gsm_dlci *dlci;
1242 
1243 	while (gsm->tx_bytes < TX_THRESH_HI) {
1244 		for (sent = false, i = 1; i < NUM_DLCI; i++) {
1245 			dlci = gsm->dlci[i];
1246 			/* skip unused or blocked channel */
1247 			if (!dlci || dlci->constipated)
1248 				continue;
1249 			/* skip channels with invalid state */
1250 			if (dlci->state != DLCI_OPEN)
1251 				continue;
1252 			/* count the sent data per adaption */
1253 			if (dlci->adaption < 3 && !dlci->net)
1254 				len = gsm_dlci_data_output(gsm, dlci);
1255 			else
1256 				len = gsm_dlci_data_output_framed(gsm, dlci);
1257 			/* on error exit */
1258 			if (len < 0)
1259 				return ret;
1260 			if (len > 0) {
1261 				ret++;
1262 				sent = true;
1263 				/* The lower DLCs can starve the higher DLCs! */
1264 				break;
1265 			}
1266 			/* try next */
1267 		}
1268 		if (!sent)
1269 			break;
1270 	};
1271 
1272 	return ret;
1273 }
1274 
1275 /**
1276  *	gsm_dlci_data_kick	-	transmit if possible
1277  *	@dlci: DLCI to kick
1278  *
1279  *	Transmit data from this DLCI if the queue is empty. We can't rely on
1280  *	a tty wakeup except when we filled the pipe so we need to fire off
1281  *	new data ourselves in other cases.
1282  */
1283 
1284 static void gsm_dlci_data_kick(struct gsm_dlci *dlci)
1285 {
1286 	unsigned long flags;
1287 	int sweep;
1288 
1289 	if (dlci->constipated)
1290 		return;
1291 
1292 	spin_lock_irqsave(&dlci->gsm->tx_lock, flags);
1293 	/* If we have nothing running then we need to fire up */
1294 	sweep = (dlci->gsm->tx_bytes < TX_THRESH_LO);
1295 	if (dlci->gsm->tx_bytes == 0) {
1296 		if (dlci->net)
1297 			gsm_dlci_data_output_framed(dlci->gsm, dlci);
1298 		else
1299 			gsm_dlci_data_output(dlci->gsm, dlci);
1300 	}
1301 	if (sweep)
1302 		gsm_dlci_data_sweep(dlci->gsm);
1303 	spin_unlock_irqrestore(&dlci->gsm->tx_lock, flags);
1304 }
1305 
1306 /*
1307  *	Control message processing
1308  */
1309 
1310 
1311 /**
1312  *	gsm_control_reply	-	send a response frame to a control
1313  *	@gsm: gsm channel
1314  *	@cmd: the command to use
1315  *	@data: data to follow encoded info
1316  *	@dlen: length of data
1317  *
1318  *	Encode up and queue a UI/UIH frame containing our response.
1319  */
1320 
1321 static void gsm_control_reply(struct gsm_mux *gsm, int cmd, const u8 *data,
1322 					int dlen)
1323 {
1324 	struct gsm_msg *msg;
1325 	msg = gsm_data_alloc(gsm, 0, dlen + 2, gsm->ftype);
1326 	if (msg == NULL)
1327 		return;
1328 	msg->data[0] = (cmd & 0xFE) << 1 | EA;	/* Clear C/R */
1329 	msg->data[1] = (dlen << 1) | EA;
1330 	memcpy(msg->data + 2, data, dlen);
1331 	gsm_data_queue(gsm->dlci[0], msg);
1332 }
1333 
1334 /**
1335  *	gsm_process_modem	-	process received modem status
1336  *	@tty: virtual tty bound to the DLCI
1337  *	@dlci: DLCI to affect
1338  *	@modem: modem bits (full EA)
1339  *	@slen: number of signal octets
1340  *
1341  *	Used when a modem control message or line state inline in adaption
1342  *	layer 2 is processed. Sort out the local modem state and throttles
1343  */
1344 
1345 static void gsm_process_modem(struct tty_struct *tty, struct gsm_dlci *dlci,
1346 							u32 modem, int slen)
1347 {
1348 	int  mlines = 0;
1349 	u8 brk = 0;
1350 	int fc;
1351 
1352 	/* The modem status command can either contain one octet (V.24 signals)
1353 	 * or two octets (V.24 signals + break signals). This is specified in
1354 	 * section 5.4.6.3.7 of the 07.10 mux spec.
1355 	 */
1356 
1357 	if (slen == 1)
1358 		modem = modem & 0x7f;
1359 	else {
1360 		brk = modem & 0x7f;
1361 		modem = (modem >> 7) & 0x7f;
1362 	}
1363 
1364 	/* Flow control/ready to communicate */
1365 	fc = (modem & MDM_FC) || !(modem & MDM_RTR);
1366 	if (fc && !dlci->constipated) {
1367 		/* Need to throttle our output on this device */
1368 		dlci->constipated = true;
1369 	} else if (!fc && dlci->constipated) {
1370 		dlci->constipated = false;
1371 		gsm_dlci_data_kick(dlci);
1372 	}
1373 
1374 	/* Map modem bits */
1375 	if (modem & MDM_RTC)
1376 		mlines |= TIOCM_DSR | TIOCM_DTR;
1377 	if (modem & MDM_RTR)
1378 		mlines |= TIOCM_RTS | TIOCM_CTS;
1379 	if (modem & MDM_IC)
1380 		mlines |= TIOCM_RI;
1381 	if (modem & MDM_DV)
1382 		mlines |= TIOCM_CD;
1383 
1384 	/* Carrier drop -> hangup */
1385 	if (tty) {
1386 		if ((mlines & TIOCM_CD) == 0 && (dlci->modem_rx & TIOCM_CD))
1387 			if (!C_CLOCAL(tty))
1388 				tty_hangup(tty);
1389 	}
1390 	if (brk & 0x01)
1391 		tty_insert_flip_char(&dlci->port, 0, TTY_BREAK);
1392 	dlci->modem_rx = mlines;
1393 }
1394 
1395 /**
1396  *	gsm_control_modem	-	modem status received
1397  *	@gsm: GSM channel
1398  *	@data: data following command
1399  *	@clen: command length
1400  *
1401  *	We have received a modem status control message. This is used by
1402  *	the GSM mux protocol to pass virtual modem line status and optionally
1403  *	to indicate break signals. Unpack it, convert to Linux representation
1404  *	and if need be stuff a break message down the tty.
1405  */
1406 
1407 static void gsm_control_modem(struct gsm_mux *gsm, const u8 *data, int clen)
1408 {
1409 	unsigned int addr = 0;
1410 	unsigned int modem = 0;
1411 	struct gsm_dlci *dlci;
1412 	int len = clen;
1413 	int slen;
1414 	const u8 *dp = data;
1415 	struct tty_struct *tty;
1416 
1417 	while (gsm_read_ea(&addr, *dp++) == 0) {
1418 		len--;
1419 		if (len == 0)
1420 			return;
1421 	}
1422 	/* Must be at least one byte following the EA */
1423 	len--;
1424 	if (len <= 0)
1425 		return;
1426 
1427 	addr >>= 1;
1428 	/* Closed port, or invalid ? */
1429 	if (addr == 0 || addr >= NUM_DLCI || gsm->dlci[addr] == NULL)
1430 		return;
1431 	dlci = gsm->dlci[addr];
1432 
1433 	slen = len;
1434 	while (gsm_read_ea(&modem, *dp++) == 0) {
1435 		len--;
1436 		if (len == 0)
1437 			return;
1438 	}
1439 	len--;
1440 	tty = tty_port_tty_get(&dlci->port);
1441 	gsm_process_modem(tty, dlci, modem, slen - len);
1442 	if (tty) {
1443 		tty_wakeup(tty);
1444 		tty_kref_put(tty);
1445 	}
1446 	gsm_control_reply(gsm, CMD_MSC, data, clen);
1447 }
1448 
1449 /**
1450  *	gsm_control_rls		-	remote line status
1451  *	@gsm: GSM channel
1452  *	@data: data bytes
1453  *	@clen: data length
1454  *
1455  *	The modem sends us a two byte message on the control channel whenever
1456  *	it wishes to send us an error state from the virtual link. Stuff
1457  *	this into the uplink tty if present
1458  */
1459 
1460 static void gsm_control_rls(struct gsm_mux *gsm, const u8 *data, int clen)
1461 {
1462 	struct tty_port *port;
1463 	unsigned int addr = 0;
1464 	u8 bits;
1465 	int len = clen;
1466 	const u8 *dp = data;
1467 
1468 	while (gsm_read_ea(&addr, *dp++) == 0) {
1469 		len--;
1470 		if (len == 0)
1471 			return;
1472 	}
1473 	/* Must be at least one byte following ea */
1474 	len--;
1475 	if (len <= 0)
1476 		return;
1477 	addr >>= 1;
1478 	/* Closed port, or invalid ? */
1479 	if (addr == 0 || addr >= NUM_DLCI || gsm->dlci[addr] == NULL)
1480 		return;
1481 	/* No error ? */
1482 	bits = *dp;
1483 	if ((bits & 1) == 0)
1484 		return;
1485 
1486 	port = &gsm->dlci[addr]->port;
1487 
1488 	if (bits & 2)
1489 		tty_insert_flip_char(port, 0, TTY_OVERRUN);
1490 	if (bits & 4)
1491 		tty_insert_flip_char(port, 0, TTY_PARITY);
1492 	if (bits & 8)
1493 		tty_insert_flip_char(port, 0, TTY_FRAME);
1494 
1495 	tty_flip_buffer_push(port);
1496 
1497 	gsm_control_reply(gsm, CMD_RLS, data, clen);
1498 }
1499 
1500 static void gsm_dlci_begin_close(struct gsm_dlci *dlci);
1501 
1502 /**
1503  *	gsm_control_message	-	DLCI 0 control processing
1504  *	@gsm: our GSM mux
1505  *	@command:  the command EA
1506  *	@data: data beyond the command/length EAs
1507  *	@clen: length
1508  *
1509  *	Input processor for control messages from the other end of the link.
1510  *	Processes the incoming request and queues a response frame or an
1511  *	NSC response if not supported
1512  */
1513 
1514 static void gsm_control_message(struct gsm_mux *gsm, unsigned int command,
1515 						const u8 *data, int clen)
1516 {
1517 	u8 buf[1];
1518 
1519 	switch (command) {
1520 	case CMD_CLD: {
1521 		struct gsm_dlci *dlci = gsm->dlci[0];
1522 		/* Modem wishes to close down */
1523 		if (dlci) {
1524 			dlci->dead = true;
1525 			gsm->dead = true;
1526 			gsm_dlci_begin_close(dlci);
1527 		}
1528 		}
1529 		break;
1530 	case CMD_TEST:
1531 		/* Modem wishes to test, reply with the data */
1532 		gsm_control_reply(gsm, CMD_TEST, data, clen);
1533 		break;
1534 	case CMD_FCON:
1535 		/* Modem can accept data again */
1536 		gsm->constipated = false;
1537 		gsm_control_reply(gsm, CMD_FCON, NULL, 0);
1538 		/* Kick the link in case it is idling */
1539 		gsmld_write_trigger(gsm);
1540 		break;
1541 	case CMD_FCOFF:
1542 		/* Modem wants us to STFU */
1543 		gsm->constipated = true;
1544 		gsm_control_reply(gsm, CMD_FCOFF, NULL, 0);
1545 		break;
1546 	case CMD_MSC:
1547 		/* Out of band modem line change indicator for a DLCI */
1548 		gsm_control_modem(gsm, data, clen);
1549 		break;
1550 	case CMD_RLS:
1551 		/* Out of band error reception for a DLCI */
1552 		gsm_control_rls(gsm, data, clen);
1553 		break;
1554 	case CMD_PSC:
1555 		/* Modem wishes to enter power saving state */
1556 		gsm_control_reply(gsm, CMD_PSC, NULL, 0);
1557 		break;
1558 		/* Optional unsupported commands */
1559 	case CMD_PN:	/* Parameter negotiation */
1560 	case CMD_RPN:	/* Remote port negotiation */
1561 	case CMD_SNC:	/* Service negotiation command */
1562 	default:
1563 		/* Reply to bad commands with an NSC */
1564 		buf[0] = command;
1565 		gsm_control_reply(gsm, CMD_NSC, buf, 1);
1566 		break;
1567 	}
1568 }
1569 
1570 /**
1571  *	gsm_control_response	-	process a response to our control
1572  *	@gsm: our GSM mux
1573  *	@command: the command (response) EA
1574  *	@data: data beyond the command/length EA
1575  *	@clen: length
1576  *
1577  *	Process a response to an outstanding command. We only allow a single
1578  *	control message in flight so this is fairly easy. All the clean up
1579  *	is done by the caller, we just update the fields, flag it as done
1580  *	and return
1581  */
1582 
1583 static void gsm_control_response(struct gsm_mux *gsm, unsigned int command,
1584 						const u8 *data, int clen)
1585 {
1586 	struct gsm_control *ctrl;
1587 	unsigned long flags;
1588 
1589 	spin_lock_irqsave(&gsm->control_lock, flags);
1590 
1591 	ctrl = gsm->pending_cmd;
1592 	/* Does the reply match our command */
1593 	command |= 1;
1594 	if (ctrl != NULL && (command == ctrl->cmd || command == CMD_NSC)) {
1595 		/* Our command was replied to, kill the retry timer */
1596 		del_timer(&gsm->t2_timer);
1597 		gsm->pending_cmd = NULL;
1598 		/* Rejected by the other end */
1599 		if (command == CMD_NSC)
1600 			ctrl->error = -EOPNOTSUPP;
1601 		ctrl->done = 1;
1602 		wake_up(&gsm->event);
1603 	}
1604 	spin_unlock_irqrestore(&gsm->control_lock, flags);
1605 }
1606 
1607 /**
1608  *	gsm_control_transmit	-	send control packet
1609  *	@gsm: gsm mux
1610  *	@ctrl: frame to send
1611  *
1612  *	Send out a pending control command (called under control lock)
1613  */
1614 
1615 static void gsm_control_transmit(struct gsm_mux *gsm, struct gsm_control *ctrl)
1616 {
1617 	struct gsm_msg *msg = gsm_data_alloc(gsm, 0, ctrl->len + 2, gsm->ftype);
1618 	if (msg == NULL)
1619 		return;
1620 	msg->data[0] = (ctrl->cmd << 1) | CR | EA;	/* command */
1621 	msg->data[1] = (ctrl->len << 1) | EA;
1622 	memcpy(msg->data + 2, ctrl->data, ctrl->len);
1623 	gsm_data_queue(gsm->dlci[0], msg);
1624 }
1625 
1626 /**
1627  *	gsm_control_retransmit	-	retransmit a control frame
1628  *	@t: timer contained in our gsm object
1629  *
1630  *	Called off the T2 timer expiry in order to retransmit control frames
1631  *	that have been lost in the system somewhere. The control_lock protects
1632  *	us from colliding with another sender or a receive completion event.
1633  *	In that situation the timer may still occur in a small window but
1634  *	gsm->pending_cmd will be NULL and we just let the timer expire.
1635  */
1636 
1637 static void gsm_control_retransmit(struct timer_list *t)
1638 {
1639 	struct gsm_mux *gsm = from_timer(gsm, t, t2_timer);
1640 	struct gsm_control *ctrl;
1641 	unsigned long flags;
1642 	spin_lock_irqsave(&gsm->control_lock, flags);
1643 	ctrl = gsm->pending_cmd;
1644 	if (ctrl) {
1645 		if (gsm->cretries == 0 || !gsm->dlci[0] || gsm->dlci[0]->dead) {
1646 			gsm->pending_cmd = NULL;
1647 			ctrl->error = -ETIMEDOUT;
1648 			ctrl->done = 1;
1649 			spin_unlock_irqrestore(&gsm->control_lock, flags);
1650 			wake_up(&gsm->event);
1651 			return;
1652 		}
1653 		gsm->cretries--;
1654 		gsm_control_transmit(gsm, ctrl);
1655 		mod_timer(&gsm->t2_timer, jiffies + gsm->t2 * HZ / 100);
1656 	}
1657 	spin_unlock_irqrestore(&gsm->control_lock, flags);
1658 }
1659 
1660 /**
1661  *	gsm_control_send	-	send a control frame on DLCI 0
1662  *	@gsm: the GSM channel
1663  *	@command: command  to send including CR bit
1664  *	@data: bytes of data (must be kmalloced)
1665  *	@clen: length of the block to send
1666  *
1667  *	Queue and dispatch a control command. Only one command can be
1668  *	active at a time. In theory more can be outstanding but the matching
1669  *	gets really complicated so for now stick to one outstanding.
1670  */
1671 
1672 static struct gsm_control *gsm_control_send(struct gsm_mux *gsm,
1673 		unsigned int command, u8 *data, int clen)
1674 {
1675 	struct gsm_control *ctrl = kzalloc(sizeof(struct gsm_control),
1676 						GFP_KERNEL);
1677 	unsigned long flags;
1678 	if (ctrl == NULL)
1679 		return NULL;
1680 retry:
1681 	wait_event(gsm->event, gsm->pending_cmd == NULL);
1682 	spin_lock_irqsave(&gsm->control_lock, flags);
1683 	if (gsm->pending_cmd != NULL) {
1684 		spin_unlock_irqrestore(&gsm->control_lock, flags);
1685 		goto retry;
1686 	}
1687 	ctrl->cmd = command;
1688 	ctrl->data = data;
1689 	ctrl->len = clen;
1690 	gsm->pending_cmd = ctrl;
1691 
1692 	/* If DLCI0 is in ADM mode skip retries, it won't respond */
1693 	if (gsm->dlci[0]->mode == DLCI_MODE_ADM)
1694 		gsm->cretries = 0;
1695 	else
1696 		gsm->cretries = gsm->n2;
1697 
1698 	mod_timer(&gsm->t2_timer, jiffies + gsm->t2 * HZ / 100);
1699 	gsm_control_transmit(gsm, ctrl);
1700 	spin_unlock_irqrestore(&gsm->control_lock, flags);
1701 	return ctrl;
1702 }
1703 
1704 /**
1705  *	gsm_control_wait	-	wait for a control to finish
1706  *	@gsm: GSM mux
1707  *	@control: control we are waiting on
1708  *
1709  *	Waits for the control to complete or time out. Frees any used
1710  *	resources and returns 0 for success, or an error if the remote
1711  *	rejected or ignored the request.
1712  */
1713 
1714 static int gsm_control_wait(struct gsm_mux *gsm, struct gsm_control *control)
1715 {
1716 	int err;
1717 	wait_event(gsm->event, control->done == 1);
1718 	err = control->error;
1719 	kfree(control);
1720 	return err;
1721 }
1722 
1723 
1724 /*
1725  *	DLCI level handling: Needs krefs
1726  */
1727 
1728 /*
1729  *	State transitions and timers
1730  */
1731 
1732 /**
1733  *	gsm_dlci_close		-	a DLCI has closed
1734  *	@dlci: DLCI that closed
1735  *
1736  *	Perform processing when moving a DLCI into closed state. If there
1737  *	is an attached tty this is hung up
1738  */
1739 
1740 static void gsm_dlci_close(struct gsm_dlci *dlci)
1741 {
1742 	del_timer(&dlci->t1);
1743 	if (debug & 8)
1744 		pr_debug("DLCI %d goes closed.\n", dlci->addr);
1745 	dlci->state = DLCI_CLOSED;
1746 	/* Prevent us from sending data before the link is up again */
1747 	dlci->constipated = true;
1748 	if (dlci->addr != 0) {
1749 		tty_port_tty_hangup(&dlci->port, false);
1750 		gsm_dlci_clear_queues(dlci->gsm, dlci);
1751 		/* Ensure that gsmtty_open() can return. */
1752 		tty_port_set_initialized(&dlci->port, 0);
1753 		wake_up_interruptible(&dlci->port.open_wait);
1754 	} else
1755 		dlci->gsm->dead = true;
1756 	/* A DLCI 0 close is a MUX termination so we need to kick that
1757 	   back to userspace somehow */
1758 	gsm_dlci_data_kick(dlci);
1759 	wake_up(&dlci->gsm->event);
1760 }
1761 
1762 /**
1763  *	gsm_dlci_open		-	a DLCI has opened
1764  *	@dlci: DLCI that opened
1765  *
1766  *	Perform processing when moving a DLCI into open state.
1767  */
1768 
1769 static void gsm_dlci_open(struct gsm_dlci *dlci)
1770 {
1771 	/* Note that SABM UA .. SABM UA first UA lost can mean that we go
1772 	   open -> open */
1773 	del_timer(&dlci->t1);
1774 	/* This will let a tty open continue */
1775 	dlci->state = DLCI_OPEN;
1776 	dlci->constipated = false;
1777 	if (debug & 8)
1778 		pr_debug("DLCI %d goes open.\n", dlci->addr);
1779 	/* Send current modem state */
1780 	if (dlci->addr)
1781 		gsm_modem_update(dlci, 0);
1782 	gsm_dlci_data_kick(dlci);
1783 	wake_up(&dlci->gsm->event);
1784 }
1785 
1786 /**
1787  *	gsm_dlci_t1		-	T1 timer expiry
1788  *	@t: timer contained in the DLCI that opened
1789  *
1790  *	The T1 timer handles retransmits of control frames (essentially of
1791  *	SABM and DISC). We resend the command until the retry count runs out
1792  *	in which case an opening port goes back to closed and a closing port
1793  *	is simply put into closed state (any further frames from the other
1794  *	end will get a DM response)
1795  *
1796  *	Some control dlci can stay in ADM mode with other dlci working just
1797  *	fine. In that case we can just keep the control dlci open after the
1798  *	DLCI_OPENING retries time out.
1799  */
1800 
1801 static void gsm_dlci_t1(struct timer_list *t)
1802 {
1803 	struct gsm_dlci *dlci = from_timer(dlci, t, t1);
1804 	struct gsm_mux *gsm = dlci->gsm;
1805 
1806 	switch (dlci->state) {
1807 	case DLCI_OPENING:
1808 		if (dlci->retries) {
1809 			dlci->retries--;
1810 			gsm_command(dlci->gsm, dlci->addr, SABM|PF);
1811 			mod_timer(&dlci->t1, jiffies + gsm->t1 * HZ / 100);
1812 		} else if (!dlci->addr && gsm->control == (DM | PF)) {
1813 			if (debug & 8)
1814 				pr_info("DLCI %d opening in ADM mode.\n",
1815 					dlci->addr);
1816 			dlci->mode = DLCI_MODE_ADM;
1817 			gsm_dlci_open(dlci);
1818 		} else {
1819 			gsm_dlci_begin_close(dlci); /* prevent half open link */
1820 		}
1821 
1822 		break;
1823 	case DLCI_CLOSING:
1824 		if (dlci->retries) {
1825 			dlci->retries--;
1826 			gsm_command(dlci->gsm, dlci->addr, DISC|PF);
1827 			mod_timer(&dlci->t1, jiffies + gsm->t1 * HZ / 100);
1828 		} else
1829 			gsm_dlci_close(dlci);
1830 		break;
1831 	default:
1832 		pr_debug("%s: unhandled state: %d\n", __func__, dlci->state);
1833 		break;
1834 	}
1835 }
1836 
1837 /**
1838  *	gsm_dlci_begin_open	-	start channel open procedure
1839  *	@dlci: DLCI to open
1840  *
1841  *	Commence opening a DLCI from the Linux side. We issue SABM messages
1842  *	to the modem which should then reply with a UA or ADM, at which point
1843  *	we will move into open state. Opening is done asynchronously with retry
1844  *	running off timers and the responses.
1845  */
1846 
1847 static void gsm_dlci_begin_open(struct gsm_dlci *dlci)
1848 {
1849 	struct gsm_mux *gsm = dlci->gsm;
1850 	if (dlci->state == DLCI_OPEN || dlci->state == DLCI_OPENING)
1851 		return;
1852 	dlci->retries = gsm->n2;
1853 	dlci->state = DLCI_OPENING;
1854 	gsm_command(dlci->gsm, dlci->addr, SABM|PF);
1855 	mod_timer(&dlci->t1, jiffies + gsm->t1 * HZ / 100);
1856 }
1857 
1858 /**
1859  *	gsm_dlci_set_opening	-	change state to opening
1860  *	@dlci: DLCI to open
1861  *
1862  *	Change internal state to wait for DLCI open from initiator side.
1863  *	We set off timers and responses upon reception of an SABM.
1864  */
1865 static void gsm_dlci_set_opening(struct gsm_dlci *dlci)
1866 {
1867 	switch (dlci->state) {
1868 	case DLCI_CLOSED:
1869 	case DLCI_CLOSING:
1870 		dlci->state = DLCI_OPENING;
1871 		break;
1872 	default:
1873 		break;
1874 	}
1875 }
1876 
1877 /**
1878  *	gsm_dlci_begin_close	-	start channel open procedure
1879  *	@dlci: DLCI to open
1880  *
1881  *	Commence closing a DLCI from the Linux side. We issue DISC messages
1882  *	to the modem which should then reply with a UA, at which point we
1883  *	will move into closed state. Closing is done asynchronously with retry
1884  *	off timers. We may also receive a DM reply from the other end which
1885  *	indicates the channel was already closed.
1886  */
1887 
1888 static void gsm_dlci_begin_close(struct gsm_dlci *dlci)
1889 {
1890 	struct gsm_mux *gsm = dlci->gsm;
1891 	if (dlci->state == DLCI_CLOSED || dlci->state == DLCI_CLOSING)
1892 		return;
1893 	dlci->retries = gsm->n2;
1894 	dlci->state = DLCI_CLOSING;
1895 	gsm_command(dlci->gsm, dlci->addr, DISC|PF);
1896 	mod_timer(&dlci->t1, jiffies + gsm->t1 * HZ / 100);
1897 }
1898 
1899 /**
1900  *	gsm_dlci_data		-	data arrived
1901  *	@dlci: channel
1902  *	@data: block of bytes received
1903  *	@clen: length of received block
1904  *
1905  *	A UI or UIH frame has arrived which contains data for a channel
1906  *	other than the control channel. If the relevant virtual tty is
1907  *	open we shovel the bits down it, if not we drop them.
1908  */
1909 
1910 static void gsm_dlci_data(struct gsm_dlci *dlci, const u8 *data, int clen)
1911 {
1912 	/* krefs .. */
1913 	struct tty_port *port = &dlci->port;
1914 	struct tty_struct *tty;
1915 	unsigned int modem = 0;
1916 	int len = clen;
1917 	int slen = 0;
1918 
1919 	if (debug & 16)
1920 		pr_debug("%d bytes for tty\n", len);
1921 	switch (dlci->adaption)  {
1922 	/* Unsupported types */
1923 	case 4:		/* Packetised interruptible data */
1924 		break;
1925 	case 3:		/* Packetised uininterruptible voice/data */
1926 		break;
1927 	case 2:		/* Asynchronous serial with line state in each frame */
1928 		while (gsm_read_ea(&modem, *data++) == 0) {
1929 			len--;
1930 			slen++;
1931 			if (len == 0)
1932 				return;
1933 		}
1934 		len--;
1935 		slen++;
1936 		tty = tty_port_tty_get(port);
1937 		if (tty) {
1938 			gsm_process_modem(tty, dlci, modem, slen);
1939 			tty_wakeup(tty);
1940 			tty_kref_put(tty);
1941 		}
1942 		fallthrough;
1943 	case 1:		/* Line state will go via DLCI 0 controls only */
1944 	default:
1945 		tty_insert_flip_string(port, data, len);
1946 		tty_flip_buffer_push(port);
1947 	}
1948 }
1949 
1950 /**
1951  *	gsm_dlci_command	-	data arrived on control channel
1952  *	@dlci: channel
1953  *	@data: block of bytes received
1954  *	@len: length of received block
1955  *
1956  *	A UI or UIH frame has arrived which contains data for DLCI 0 the
1957  *	control channel. This should contain a command EA followed by
1958  *	control data bytes. The command EA contains a command/response bit
1959  *	and we divide up the work accordingly.
1960  */
1961 
1962 static void gsm_dlci_command(struct gsm_dlci *dlci, const u8 *data, int len)
1963 {
1964 	/* See what command is involved */
1965 	unsigned int command = 0;
1966 	while (len-- > 0) {
1967 		if (gsm_read_ea(&command, *data++) == 1) {
1968 			int clen = *data++;
1969 			len--;
1970 			/* FIXME: this is properly an EA */
1971 			clen >>= 1;
1972 			/* Malformed command ? */
1973 			if (clen > len)
1974 				return;
1975 			if (command & 1)
1976 				gsm_control_message(dlci->gsm, command,
1977 								data, clen);
1978 			else
1979 				gsm_control_response(dlci->gsm, command,
1980 								data, clen);
1981 			return;
1982 		}
1983 	}
1984 }
1985 
1986 /**
1987  *	gsm_kick_timer	-	transmit if possible
1988  *	@t: timer contained in our gsm object
1989  *
1990  *	Transmit data from DLCIs if the queue is empty. We can't rely on
1991  *	a tty wakeup except when we filled the pipe so we need to fire off
1992  *	new data ourselves in other cases.
1993  */
1994 static void gsm_kick_timer(struct timer_list *t)
1995 {
1996 	struct gsm_mux *gsm = from_timer(gsm, t, kick_timer);
1997 	unsigned long flags;
1998 	int sent = 0;
1999 
2000 	spin_lock_irqsave(&gsm->tx_lock, flags);
2001 	/* If we have nothing running then we need to fire up */
2002 	if (gsm->tx_bytes < TX_THRESH_LO)
2003 		sent = gsm_dlci_data_sweep(gsm);
2004 	spin_unlock_irqrestore(&gsm->tx_lock, flags);
2005 
2006 	if (sent && debug & 4)
2007 		pr_info("%s TX queue stalled\n", __func__);
2008 }
2009 
2010 /*
2011  *	Allocate/Free DLCI channels
2012  */
2013 
2014 /**
2015  *	gsm_dlci_alloc		-	allocate a DLCI
2016  *	@gsm: GSM mux
2017  *	@addr: address of the DLCI
2018  *
2019  *	Allocate and install a new DLCI object into the GSM mux.
2020  *
2021  *	FIXME: review locking races
2022  */
2023 
2024 static struct gsm_dlci *gsm_dlci_alloc(struct gsm_mux *gsm, int addr)
2025 {
2026 	struct gsm_dlci *dlci = kzalloc(sizeof(struct gsm_dlci), GFP_ATOMIC);
2027 	if (dlci == NULL)
2028 		return NULL;
2029 	spin_lock_init(&dlci->lock);
2030 	mutex_init(&dlci->mutex);
2031 	if (kfifo_alloc(&dlci->fifo, TX_SIZE, GFP_KERNEL) < 0) {
2032 		kfree(dlci);
2033 		return NULL;
2034 	}
2035 
2036 	skb_queue_head_init(&dlci->skb_list);
2037 	timer_setup(&dlci->t1, gsm_dlci_t1, 0);
2038 	tty_port_init(&dlci->port);
2039 	dlci->port.ops = &gsm_port_ops;
2040 	dlci->gsm = gsm;
2041 	dlci->addr = addr;
2042 	dlci->adaption = gsm->adaption;
2043 	dlci->state = DLCI_CLOSED;
2044 	if (addr) {
2045 		dlci->data = gsm_dlci_data;
2046 		/* Prevent us from sending data before the link is up */
2047 		dlci->constipated = true;
2048 	} else {
2049 		dlci->data = gsm_dlci_command;
2050 	}
2051 	gsm->dlci[addr] = dlci;
2052 	return dlci;
2053 }
2054 
2055 /**
2056  *	gsm_dlci_free		-	free DLCI
2057  *	@port: tty port for DLCI to free
2058  *
2059  *	Free up a DLCI.
2060  *
2061  *	Can sleep.
2062  */
2063 static void gsm_dlci_free(struct tty_port *port)
2064 {
2065 	struct gsm_dlci *dlci = container_of(port, struct gsm_dlci, port);
2066 
2067 	del_timer_sync(&dlci->t1);
2068 	dlci->gsm->dlci[dlci->addr] = NULL;
2069 	kfifo_free(&dlci->fifo);
2070 	while ((dlci->skb = skb_dequeue(&dlci->skb_list)))
2071 		dev_kfree_skb(dlci->skb);
2072 	kfree(dlci);
2073 }
2074 
2075 static inline void dlci_get(struct gsm_dlci *dlci)
2076 {
2077 	tty_port_get(&dlci->port);
2078 }
2079 
2080 static inline void dlci_put(struct gsm_dlci *dlci)
2081 {
2082 	tty_port_put(&dlci->port);
2083 }
2084 
2085 static void gsm_destroy_network(struct gsm_dlci *dlci);
2086 
2087 /**
2088  *	gsm_dlci_release		-	release DLCI
2089  *	@dlci: DLCI to destroy
2090  *
2091  *	Release a DLCI. Actual free is deferred until either
2092  *	mux is closed or tty is closed - whichever is last.
2093  *
2094  *	Can sleep.
2095  */
2096 static void gsm_dlci_release(struct gsm_dlci *dlci)
2097 {
2098 	struct tty_struct *tty = tty_port_tty_get(&dlci->port);
2099 	if (tty) {
2100 		mutex_lock(&dlci->mutex);
2101 		gsm_destroy_network(dlci);
2102 		mutex_unlock(&dlci->mutex);
2103 
2104 		/* We cannot use tty_hangup() because in tty_kref_put() the tty
2105 		 * driver assumes that the hangup queue is free and reuses it to
2106 		 * queue release_one_tty() -> NULL pointer panic in
2107 		 * process_one_work().
2108 		 */
2109 		tty_vhangup(tty);
2110 
2111 		tty_port_tty_set(&dlci->port, NULL);
2112 		tty_kref_put(tty);
2113 	}
2114 	dlci->state = DLCI_CLOSED;
2115 	dlci_put(dlci);
2116 }
2117 
2118 /*
2119  *	LAPBish link layer logic
2120  */
2121 
2122 /**
2123  *	gsm_queue		-	a GSM frame is ready to process
2124  *	@gsm: pointer to our gsm mux
2125  *
2126  *	At this point in time a frame has arrived and been demangled from
2127  *	the line encoding. All the differences between the encodings have
2128  *	been handled below us and the frame is unpacked into the structures.
2129  *	The fcs holds the header FCS but any data FCS must be added here.
2130  */
2131 
2132 static void gsm_queue(struct gsm_mux *gsm)
2133 {
2134 	struct gsm_dlci *dlci;
2135 	u8 cr;
2136 	int address;
2137 
2138 	if (gsm->fcs != GOOD_FCS) {
2139 		gsm->bad_fcs++;
2140 		if (debug & 4)
2141 			pr_debug("BAD FCS %02x\n", gsm->fcs);
2142 		return;
2143 	}
2144 	address = gsm->address >> 1;
2145 	if (address >= NUM_DLCI)
2146 		goto invalid;
2147 
2148 	cr = gsm->address & 1;		/* C/R bit */
2149 	cr ^= gsm->initiator ? 0 : 1;	/* Flip so 1 always means command */
2150 
2151 	gsm_print_packet("<--", address, cr, gsm->control, gsm->buf, gsm->len);
2152 
2153 	dlci = gsm->dlci[address];
2154 
2155 	switch (gsm->control) {
2156 	case SABM|PF:
2157 		if (cr == 1)
2158 			goto invalid;
2159 		if (dlci == NULL)
2160 			dlci = gsm_dlci_alloc(gsm, address);
2161 		if (dlci == NULL)
2162 			return;
2163 		if (dlci->dead)
2164 			gsm_response(gsm, address, DM|PF);
2165 		else {
2166 			gsm_response(gsm, address, UA|PF);
2167 			gsm_dlci_open(dlci);
2168 		}
2169 		break;
2170 	case DISC|PF:
2171 		if (cr == 1)
2172 			goto invalid;
2173 		if (dlci == NULL || dlci->state == DLCI_CLOSED) {
2174 			gsm_response(gsm, address, DM|PF);
2175 			return;
2176 		}
2177 		/* Real close complete */
2178 		gsm_response(gsm, address, UA|PF);
2179 		gsm_dlci_close(dlci);
2180 		break;
2181 	case UA|PF:
2182 		if (cr == 0 || dlci == NULL)
2183 			break;
2184 		switch (dlci->state) {
2185 		case DLCI_CLOSING:
2186 			gsm_dlci_close(dlci);
2187 			break;
2188 		case DLCI_OPENING:
2189 			gsm_dlci_open(dlci);
2190 			break;
2191 		default:
2192 			pr_debug("%s: unhandled state: %d\n", __func__,
2193 					dlci->state);
2194 			break;
2195 		}
2196 		break;
2197 	case DM:	/* DM can be valid unsolicited */
2198 	case DM|PF:
2199 		if (cr)
2200 			goto invalid;
2201 		if (dlci == NULL)
2202 			return;
2203 		gsm_dlci_close(dlci);
2204 		break;
2205 	case UI:
2206 	case UI|PF:
2207 	case UIH:
2208 	case UIH|PF:
2209 		if (dlci == NULL || dlci->state != DLCI_OPEN) {
2210 			gsm_response(gsm, address, DM|PF);
2211 			return;
2212 		}
2213 		dlci->data(dlci, gsm->buf, gsm->len);
2214 		break;
2215 	default:
2216 		goto invalid;
2217 	}
2218 	return;
2219 invalid:
2220 	gsm->malformed++;
2221 	return;
2222 }
2223 
2224 
2225 /**
2226  *	gsm0_receive	-	perform processing for non-transparency
2227  *	@gsm: gsm data for this ldisc instance
2228  *	@c: character
2229  *
2230  *	Receive bytes in gsm mode 0
2231  */
2232 
2233 static void gsm0_receive(struct gsm_mux *gsm, unsigned char c)
2234 {
2235 	unsigned int len;
2236 
2237 	switch (gsm->state) {
2238 	case GSM_SEARCH:	/* SOF marker */
2239 		if (c == GSM0_SOF) {
2240 			gsm->state = GSM_ADDRESS;
2241 			gsm->address = 0;
2242 			gsm->len = 0;
2243 			gsm->fcs = INIT_FCS;
2244 		}
2245 		break;
2246 	case GSM_ADDRESS:	/* Address EA */
2247 		gsm->fcs = gsm_fcs_add(gsm->fcs, c);
2248 		if (gsm_read_ea(&gsm->address, c))
2249 			gsm->state = GSM_CONTROL;
2250 		break;
2251 	case GSM_CONTROL:	/* Control Byte */
2252 		gsm->fcs = gsm_fcs_add(gsm->fcs, c);
2253 		gsm->control = c;
2254 		gsm->state = GSM_LEN0;
2255 		break;
2256 	case GSM_LEN0:		/* Length EA */
2257 		gsm->fcs = gsm_fcs_add(gsm->fcs, c);
2258 		if (gsm_read_ea(&gsm->len, c)) {
2259 			if (gsm->len > gsm->mru) {
2260 				gsm->bad_size++;
2261 				gsm->state = GSM_SEARCH;
2262 				break;
2263 			}
2264 			gsm->count = 0;
2265 			if (!gsm->len)
2266 				gsm->state = GSM_FCS;
2267 			else
2268 				gsm->state = GSM_DATA;
2269 			break;
2270 		}
2271 		gsm->state = GSM_LEN1;
2272 		break;
2273 	case GSM_LEN1:
2274 		gsm->fcs = gsm_fcs_add(gsm->fcs, c);
2275 		len = c;
2276 		gsm->len |= len << 7;
2277 		if (gsm->len > gsm->mru) {
2278 			gsm->bad_size++;
2279 			gsm->state = GSM_SEARCH;
2280 			break;
2281 		}
2282 		gsm->count = 0;
2283 		if (!gsm->len)
2284 			gsm->state = GSM_FCS;
2285 		else
2286 			gsm->state = GSM_DATA;
2287 		break;
2288 	case GSM_DATA:		/* Data */
2289 		gsm->buf[gsm->count++] = c;
2290 		if (gsm->count == gsm->len) {
2291 			/* Calculate final FCS for UI frames over all data */
2292 			if ((gsm->control & ~PF) != UIH) {
2293 				gsm->fcs = gsm_fcs_add_block(gsm->fcs, gsm->buf,
2294 							     gsm->count);
2295 			}
2296 			gsm->state = GSM_FCS;
2297 		}
2298 		break;
2299 	case GSM_FCS:		/* FCS follows the packet */
2300 		gsm->fcs = gsm_fcs_add(gsm->fcs, c);
2301 		gsm->state = GSM_SSOF;
2302 		break;
2303 	case GSM_SSOF:
2304 		gsm->state = GSM_SEARCH;
2305 		if (c == GSM0_SOF)
2306 			gsm_queue(gsm);
2307 		else
2308 			gsm->bad_size++;
2309 		break;
2310 	default:
2311 		pr_debug("%s: unhandled state: %d\n", __func__, gsm->state);
2312 		break;
2313 	}
2314 }
2315 
2316 /**
2317  *	gsm1_receive	-	perform processing for non-transparency
2318  *	@gsm: gsm data for this ldisc instance
2319  *	@c: character
2320  *
2321  *	Receive bytes in mode 1 (Advanced option)
2322  */
2323 
2324 static void gsm1_receive(struct gsm_mux *gsm, unsigned char c)
2325 {
2326 	/* handle XON/XOFF */
2327 	if ((c & ISO_IEC_646_MASK) == XON) {
2328 		gsm->constipated = true;
2329 		return;
2330 	} else if ((c & ISO_IEC_646_MASK) == XOFF) {
2331 		gsm->constipated = false;
2332 		/* Kick the link in case it is idling */
2333 		gsmld_write_trigger(gsm);
2334 		return;
2335 	}
2336 	if (c == GSM1_SOF) {
2337 		/* EOF is only valid in frame if we have got to the data state */
2338 		if (gsm->state == GSM_DATA) {
2339 			if (gsm->count < 1) {
2340 				/* Missing FSC */
2341 				gsm->malformed++;
2342 				gsm->state = GSM_START;
2343 				return;
2344 			}
2345 			/* Remove the FCS from data */
2346 			gsm->count--;
2347 			if ((gsm->control & ~PF) != UIH) {
2348 				/* Calculate final FCS for UI frames over all
2349 				 * data but FCS
2350 				 */
2351 				gsm->fcs = gsm_fcs_add_block(gsm->fcs, gsm->buf,
2352 							     gsm->count);
2353 			}
2354 			/* Add the FCS itself to test against GOOD_FCS */
2355 			gsm->fcs = gsm_fcs_add(gsm->fcs, gsm->buf[gsm->count]);
2356 			gsm->len = gsm->count;
2357 			gsm_queue(gsm);
2358 			gsm->state  = GSM_START;
2359 			return;
2360 		}
2361 		/* Any partial frame was a runt so go back to start */
2362 		if (gsm->state != GSM_START) {
2363 			if (gsm->state != GSM_SEARCH)
2364 				gsm->malformed++;
2365 			gsm->state = GSM_START;
2366 		}
2367 		/* A SOF in GSM_START means we are still reading idling or
2368 		   framing bytes */
2369 		return;
2370 	}
2371 
2372 	if (c == GSM1_ESCAPE) {
2373 		gsm->escape = true;
2374 		return;
2375 	}
2376 
2377 	/* Only an unescaped SOF gets us out of GSM search */
2378 	if (gsm->state == GSM_SEARCH)
2379 		return;
2380 
2381 	if (gsm->escape) {
2382 		c ^= GSM1_ESCAPE_BITS;
2383 		gsm->escape = false;
2384 	}
2385 	switch (gsm->state) {
2386 	case GSM_START:		/* First byte after SOF */
2387 		gsm->address = 0;
2388 		gsm->state = GSM_ADDRESS;
2389 		gsm->fcs = INIT_FCS;
2390 		fallthrough;
2391 	case GSM_ADDRESS:	/* Address continuation */
2392 		gsm->fcs = gsm_fcs_add(gsm->fcs, c);
2393 		if (gsm_read_ea(&gsm->address, c))
2394 			gsm->state = GSM_CONTROL;
2395 		break;
2396 	case GSM_CONTROL:	/* Control Byte */
2397 		gsm->fcs = gsm_fcs_add(gsm->fcs, c);
2398 		gsm->control = c;
2399 		gsm->count = 0;
2400 		gsm->state = GSM_DATA;
2401 		break;
2402 	case GSM_DATA:		/* Data */
2403 		if (gsm->count > gsm->mru) {	/* Allow one for the FCS */
2404 			gsm->state = GSM_OVERRUN;
2405 			gsm->bad_size++;
2406 		} else
2407 			gsm->buf[gsm->count++] = c;
2408 		break;
2409 	case GSM_OVERRUN:	/* Over-long - eg a dropped SOF */
2410 		break;
2411 	default:
2412 		pr_debug("%s: unhandled state: %d\n", __func__, gsm->state);
2413 		break;
2414 	}
2415 }
2416 
2417 /**
2418  *	gsm_error		-	handle tty error
2419  *	@gsm: ldisc data
2420  *
2421  *	Handle an error in the receipt of data for a frame. Currently we just
2422  *	go back to hunting for a SOF.
2423  *
2424  *	FIXME: better diagnostics ?
2425  */
2426 
2427 static void gsm_error(struct gsm_mux *gsm)
2428 {
2429 	gsm->state = GSM_SEARCH;
2430 	gsm->io_error++;
2431 }
2432 
2433 /**
2434  *	gsm_cleanup_mux		-	generic GSM protocol cleanup
2435  *	@gsm: our mux
2436  *	@disc: disconnect link?
2437  *
2438  *	Clean up the bits of the mux which are the same for all framing
2439  *	protocols. Remove the mux from the mux table, stop all the timers
2440  *	and then shut down each device hanging up the channels as we go.
2441  */
2442 
2443 static void gsm_cleanup_mux(struct gsm_mux *gsm, bool disc)
2444 {
2445 	int i;
2446 	struct gsm_dlci *dlci = gsm->dlci[0];
2447 	struct gsm_msg *txq, *ntxq;
2448 
2449 	gsm->dead = true;
2450 	mutex_lock(&gsm->mutex);
2451 
2452 	if (dlci) {
2453 		if (disc && dlci->state != DLCI_CLOSED) {
2454 			gsm_dlci_begin_close(dlci);
2455 			wait_event(gsm->event, dlci->state == DLCI_CLOSED);
2456 		}
2457 		dlci->dead = true;
2458 	}
2459 
2460 	/* Finish outstanding timers, making sure they are done */
2461 	del_timer_sync(&gsm->kick_timer);
2462 	del_timer_sync(&gsm->t2_timer);
2463 
2464 	/* Finish writing to ldisc */
2465 	flush_work(&gsm->tx_work);
2466 
2467 	/* Free up any link layer users and finally the control channel */
2468 	if (gsm->has_devices) {
2469 		gsm_unregister_devices(gsm_tty_driver, gsm->num);
2470 		gsm->has_devices = false;
2471 	}
2472 	for (i = NUM_DLCI - 1; i >= 0; i--)
2473 		if (gsm->dlci[i])
2474 			gsm_dlci_release(gsm->dlci[i]);
2475 	mutex_unlock(&gsm->mutex);
2476 	/* Now wipe the queues */
2477 	tty_ldisc_flush(gsm->tty);
2478 	list_for_each_entry_safe(txq, ntxq, &gsm->tx_ctrl_list, list)
2479 		kfree(txq);
2480 	INIT_LIST_HEAD(&gsm->tx_ctrl_list);
2481 	list_for_each_entry_safe(txq, ntxq, &gsm->tx_data_list, list)
2482 		kfree(txq);
2483 	INIT_LIST_HEAD(&gsm->tx_data_list);
2484 }
2485 
2486 /**
2487  *	gsm_activate_mux	-	generic GSM setup
2488  *	@gsm: our mux
2489  *
2490  *	Set up the bits of the mux which are the same for all framing
2491  *	protocols. Add the mux to the mux table so it can be opened and
2492  *	finally kick off connecting to DLCI 0 on the modem.
2493  */
2494 
2495 static int gsm_activate_mux(struct gsm_mux *gsm)
2496 {
2497 	struct gsm_dlci *dlci;
2498 	int ret;
2499 
2500 	dlci = gsm_dlci_alloc(gsm, 0);
2501 	if (dlci == NULL)
2502 		return -ENOMEM;
2503 
2504 	timer_setup(&gsm->kick_timer, gsm_kick_timer, 0);
2505 	timer_setup(&gsm->t2_timer, gsm_control_retransmit, 0);
2506 	INIT_WORK(&gsm->tx_work, gsmld_write_task);
2507 	init_waitqueue_head(&gsm->event);
2508 	spin_lock_init(&gsm->control_lock);
2509 	spin_lock_init(&gsm->tx_lock);
2510 
2511 	if (gsm->encoding == 0)
2512 		gsm->receive = gsm0_receive;
2513 	else
2514 		gsm->receive = gsm1_receive;
2515 
2516 	ret = gsm_register_devices(gsm_tty_driver, gsm->num);
2517 	if (ret)
2518 		return ret;
2519 
2520 	gsm->has_devices = true;
2521 	gsm->dead = false;		/* Tty opens are now permissible */
2522 	return 0;
2523 }
2524 
2525 /**
2526  *	gsm_free_mux		-	free up a mux
2527  *	@gsm: mux to free
2528  *
2529  *	Dispose of allocated resources for a dead mux
2530  */
2531 static void gsm_free_mux(struct gsm_mux *gsm)
2532 {
2533 	int i;
2534 
2535 	for (i = 0; i < MAX_MUX; i++) {
2536 		if (gsm == gsm_mux[i]) {
2537 			gsm_mux[i] = NULL;
2538 			break;
2539 		}
2540 	}
2541 	mutex_destroy(&gsm->mutex);
2542 	kfree(gsm->txframe);
2543 	kfree(gsm->buf);
2544 	kfree(gsm);
2545 }
2546 
2547 /**
2548  *	gsm_free_muxr		-	free up a mux
2549  *	@ref: kreference to the mux to free
2550  *
2551  *	Dispose of allocated resources for a dead mux
2552  */
2553 static void gsm_free_muxr(struct kref *ref)
2554 {
2555 	struct gsm_mux *gsm = container_of(ref, struct gsm_mux, ref);
2556 	gsm_free_mux(gsm);
2557 }
2558 
2559 static inline void mux_get(struct gsm_mux *gsm)
2560 {
2561 	unsigned long flags;
2562 
2563 	spin_lock_irqsave(&gsm_mux_lock, flags);
2564 	kref_get(&gsm->ref);
2565 	spin_unlock_irqrestore(&gsm_mux_lock, flags);
2566 }
2567 
2568 static inline void mux_put(struct gsm_mux *gsm)
2569 {
2570 	unsigned long flags;
2571 
2572 	spin_lock_irqsave(&gsm_mux_lock, flags);
2573 	kref_put(&gsm->ref, gsm_free_muxr);
2574 	spin_unlock_irqrestore(&gsm_mux_lock, flags);
2575 }
2576 
2577 static inline unsigned int mux_num_to_base(struct gsm_mux *gsm)
2578 {
2579 	return gsm->num * NUM_DLCI;
2580 }
2581 
2582 static inline unsigned int mux_line_to_num(unsigned int line)
2583 {
2584 	return line / NUM_DLCI;
2585 }
2586 
2587 /**
2588  *	gsm_alloc_mux		-	allocate a mux
2589  *
2590  *	Creates a new mux ready for activation.
2591  */
2592 
2593 static struct gsm_mux *gsm_alloc_mux(void)
2594 {
2595 	int i;
2596 	struct gsm_mux *gsm = kzalloc(sizeof(struct gsm_mux), GFP_KERNEL);
2597 	if (gsm == NULL)
2598 		return NULL;
2599 	gsm->buf = kmalloc(MAX_MRU + 1, GFP_KERNEL);
2600 	if (gsm->buf == NULL) {
2601 		kfree(gsm);
2602 		return NULL;
2603 	}
2604 	gsm->txframe = kmalloc(2 * (MAX_MTU + PROT_OVERHEAD - 1), GFP_KERNEL);
2605 	if (gsm->txframe == NULL) {
2606 		kfree(gsm->buf);
2607 		kfree(gsm);
2608 		return NULL;
2609 	}
2610 	spin_lock_init(&gsm->lock);
2611 	mutex_init(&gsm->mutex);
2612 	kref_init(&gsm->ref);
2613 	INIT_LIST_HEAD(&gsm->tx_ctrl_list);
2614 	INIT_LIST_HEAD(&gsm->tx_data_list);
2615 
2616 	gsm->t1 = T1;
2617 	gsm->t2 = T2;
2618 	gsm->n2 = N2;
2619 	gsm->ftype = UIH;
2620 	gsm->adaption = 1;
2621 	gsm->encoding = 1;
2622 	gsm->mru = 64;	/* Default to encoding 1 so these should be 64 */
2623 	gsm->mtu = 64;
2624 	gsm->dead = true;	/* Avoid early tty opens */
2625 
2626 	/* Store the instance to the mux array or abort if no space is
2627 	 * available.
2628 	 */
2629 	spin_lock(&gsm_mux_lock);
2630 	for (i = 0; i < MAX_MUX; i++) {
2631 		if (!gsm_mux[i]) {
2632 			gsm_mux[i] = gsm;
2633 			gsm->num = i;
2634 			break;
2635 		}
2636 	}
2637 	spin_unlock(&gsm_mux_lock);
2638 	if (i == MAX_MUX) {
2639 		mutex_destroy(&gsm->mutex);
2640 		kfree(gsm->txframe);
2641 		kfree(gsm->buf);
2642 		kfree(gsm);
2643 		return NULL;
2644 	}
2645 
2646 	return gsm;
2647 }
2648 
2649 static void gsm_copy_config_values(struct gsm_mux *gsm,
2650 				   struct gsm_config *c)
2651 {
2652 	memset(c, 0, sizeof(*c));
2653 	c->adaption = gsm->adaption;
2654 	c->encapsulation = gsm->encoding;
2655 	c->initiator = gsm->initiator;
2656 	c->t1 = gsm->t1;
2657 	c->t2 = gsm->t2;
2658 	c->t3 = 0;	/* Not supported */
2659 	c->n2 = gsm->n2;
2660 	if (gsm->ftype == UIH)
2661 		c->i = 1;
2662 	else
2663 		c->i = 2;
2664 	pr_debug("Ftype %d i %d\n", gsm->ftype, c->i);
2665 	c->mru = gsm->mru;
2666 	c->mtu = gsm->mtu;
2667 	c->k = 0;
2668 }
2669 
2670 static int gsm_config(struct gsm_mux *gsm, struct gsm_config *c)
2671 {
2672 	int ret = 0;
2673 	int need_close = 0;
2674 	int need_restart = 0;
2675 
2676 	/* Stuff we don't support yet - UI or I frame transport, windowing */
2677 	if ((c->adaption != 1 && c->adaption != 2) || c->k)
2678 		return -EOPNOTSUPP;
2679 	/* Check the MRU/MTU range looks sane */
2680 	if (c->mru > MAX_MRU || c->mtu > MAX_MTU || c->mru < 8 || c->mtu < 8)
2681 		return -EINVAL;
2682 	if (c->n2 > 255)
2683 		return -EINVAL;
2684 	if (c->encapsulation > 1)	/* Basic, advanced, no I */
2685 		return -EINVAL;
2686 	if (c->initiator > 1)
2687 		return -EINVAL;
2688 	if (c->i == 0 || c->i > 2)	/* UIH and UI only */
2689 		return -EINVAL;
2690 	/*
2691 	 * See what is needed for reconfiguration
2692 	 */
2693 
2694 	/* Timing fields */
2695 	if (c->t1 != 0 && c->t1 != gsm->t1)
2696 		need_restart = 1;
2697 	if (c->t2 != 0 && c->t2 != gsm->t2)
2698 		need_restart = 1;
2699 	if (c->encapsulation != gsm->encoding)
2700 		need_restart = 1;
2701 	if (c->adaption != gsm->adaption)
2702 		need_restart = 1;
2703 	/* Requires care */
2704 	if (c->initiator != gsm->initiator)
2705 		need_close = 1;
2706 	if (c->mru != gsm->mru)
2707 		need_restart = 1;
2708 	if (c->mtu != gsm->mtu)
2709 		need_restart = 1;
2710 
2711 	/*
2712 	 * Close down what is needed, restart and initiate the new
2713 	 * configuration. On the first time there is no DLCI[0]
2714 	 * and closing or cleaning up is not necessary.
2715 	 */
2716 	if (need_close || need_restart)
2717 		gsm_cleanup_mux(gsm, true);
2718 
2719 	gsm->initiator = c->initiator;
2720 	gsm->mru = c->mru;
2721 	gsm->mtu = c->mtu;
2722 	gsm->encoding = c->encapsulation;
2723 	gsm->adaption = c->adaption;
2724 	gsm->n2 = c->n2;
2725 
2726 	if (c->i == 1)
2727 		gsm->ftype = UIH;
2728 	else if (c->i == 2)
2729 		gsm->ftype = UI;
2730 
2731 	if (c->t1)
2732 		gsm->t1 = c->t1;
2733 	if (c->t2)
2734 		gsm->t2 = c->t2;
2735 
2736 	/*
2737 	 * FIXME: We need to separate activation/deactivation from adding
2738 	 * and removing from the mux array
2739 	 */
2740 	if (gsm->dead) {
2741 		ret = gsm_activate_mux(gsm);
2742 		if (ret)
2743 			return ret;
2744 		if (gsm->initiator)
2745 			gsm_dlci_begin_open(gsm->dlci[0]);
2746 	}
2747 	return 0;
2748 }
2749 
2750 /**
2751  *	gsmld_output		-	write to link
2752  *	@gsm: our mux
2753  *	@data: bytes to output
2754  *	@len: size
2755  *
2756  *	Write a block of data from the GSM mux to the data channel. This
2757  *	will eventually be serialized from above but at the moment isn't.
2758  */
2759 
2760 static int gsmld_output(struct gsm_mux *gsm, u8 *data, int len)
2761 {
2762 	if (tty_write_room(gsm->tty) < len) {
2763 		set_bit(TTY_DO_WRITE_WAKEUP, &gsm->tty->flags);
2764 		return -ENOSPC;
2765 	}
2766 	if (debug & 4)
2767 		gsm_hex_dump_bytes(__func__, data, len);
2768 	return gsm->tty->ops->write(gsm->tty, data, len);
2769 }
2770 
2771 
2772 /**
2773  *	gsmld_write_trigger	-	schedule ldisc write task
2774  *	@gsm: our mux
2775  */
2776 static void gsmld_write_trigger(struct gsm_mux *gsm)
2777 {
2778 	if (!gsm || !gsm->dlci[0] || gsm->dlci[0]->dead)
2779 		return;
2780 	schedule_work(&gsm->tx_work);
2781 }
2782 
2783 
2784 /**
2785  *	gsmld_write_task	-	ldisc write task
2786  *	@work: our tx write work
2787  *
2788  *	Writes out data to the ldisc if possible. We are doing this here to
2789  *	avoid dead-locking. This returns if no space or data is left for output.
2790  */
2791 static void gsmld_write_task(struct work_struct *work)
2792 {
2793 	struct gsm_mux *gsm = container_of(work, struct gsm_mux, tx_work);
2794 	unsigned long flags;
2795 	int i, ret;
2796 
2797 	/* All outstanding control channel and control messages and one data
2798 	 * frame is sent.
2799 	 */
2800 	ret = -ENODEV;
2801 	spin_lock_irqsave(&gsm->tx_lock, flags);
2802 	if (gsm->tty)
2803 		ret = gsm_data_kick(gsm);
2804 	spin_unlock_irqrestore(&gsm->tx_lock, flags);
2805 
2806 	if (ret >= 0)
2807 		for (i = 0; i < NUM_DLCI; i++)
2808 			if (gsm->dlci[i])
2809 				tty_port_tty_wakeup(&gsm->dlci[i]->port);
2810 }
2811 
2812 /**
2813  *	gsmld_attach_gsm	-	mode set up
2814  *	@tty: our tty structure
2815  *	@gsm: our mux
2816  *
2817  *	Set up the MUX for basic mode and commence connecting to the
2818  *	modem. Currently called from the line discipline set up but
2819  *	will need moving to an ioctl path.
2820  */
2821 
2822 static void gsmld_attach_gsm(struct tty_struct *tty, struct gsm_mux *gsm)
2823 {
2824 	gsm->tty = tty_kref_get(tty);
2825 	/* Turn off tty XON/XOFF handling to handle it explicitly. */
2826 	gsm->old_c_iflag = tty->termios.c_iflag;
2827 	tty->termios.c_iflag &= (IXON | IXOFF);
2828 }
2829 
2830 /**
2831  *	gsmld_detach_gsm	-	stop doing 0710 mux
2832  *	@tty: tty attached to the mux
2833  *	@gsm: mux
2834  *
2835  *	Shutdown and then clean up the resources used by the line discipline
2836  */
2837 
2838 static void gsmld_detach_gsm(struct tty_struct *tty, struct gsm_mux *gsm)
2839 {
2840 	WARN_ON(tty != gsm->tty);
2841 	/* Restore tty XON/XOFF handling. */
2842 	gsm->tty->termios.c_iflag = gsm->old_c_iflag;
2843 	tty_kref_put(gsm->tty);
2844 	gsm->tty = NULL;
2845 }
2846 
2847 static void gsmld_receive_buf(struct tty_struct *tty, const unsigned char *cp,
2848 			      const char *fp, int count)
2849 {
2850 	struct gsm_mux *gsm = tty->disc_data;
2851 	char flags = TTY_NORMAL;
2852 
2853 	if (debug & 4)
2854 		gsm_hex_dump_bytes(__func__, cp, count);
2855 
2856 	for (; count; count--, cp++) {
2857 		if (fp)
2858 			flags = *fp++;
2859 		switch (flags) {
2860 		case TTY_NORMAL:
2861 			gsm->receive(gsm, *cp);
2862 			break;
2863 		case TTY_OVERRUN:
2864 		case TTY_BREAK:
2865 		case TTY_PARITY:
2866 		case TTY_FRAME:
2867 			gsm_error(gsm);
2868 			break;
2869 		default:
2870 			WARN_ONCE(1, "%s: unknown flag %d\n",
2871 			       tty_name(tty), flags);
2872 			break;
2873 		}
2874 	}
2875 	/* FASYNC if needed ? */
2876 	/* If clogged call tty_throttle(tty); */
2877 }
2878 
2879 /**
2880  *	gsmld_flush_buffer	-	clean input queue
2881  *	@tty:	terminal device
2882  *
2883  *	Flush the input buffer. Called when the line discipline is
2884  *	being closed, when the tty layer wants the buffer flushed (eg
2885  *	at hangup).
2886  */
2887 
2888 static void gsmld_flush_buffer(struct tty_struct *tty)
2889 {
2890 }
2891 
2892 /**
2893  *	gsmld_close		-	close the ldisc for this tty
2894  *	@tty: device
2895  *
2896  *	Called from the terminal layer when this line discipline is
2897  *	being shut down, either because of a close or becsuse of a
2898  *	discipline change. The function will not be called while other
2899  *	ldisc methods are in progress.
2900  */
2901 
2902 static void gsmld_close(struct tty_struct *tty)
2903 {
2904 	struct gsm_mux *gsm = tty->disc_data;
2905 
2906 	/* The ldisc locks and closes the port before calling our close. This
2907 	 * means we have no way to do a proper disconnect. We will not bother
2908 	 * to do one.
2909 	 */
2910 	gsm_cleanup_mux(gsm, false);
2911 
2912 	gsmld_detach_gsm(tty, gsm);
2913 
2914 	gsmld_flush_buffer(tty);
2915 	/* Do other clean up here */
2916 	mux_put(gsm);
2917 }
2918 
2919 /**
2920  *	gsmld_open		-	open an ldisc
2921  *	@tty: terminal to open
2922  *
2923  *	Called when this line discipline is being attached to the
2924  *	terminal device. Can sleep. Called serialized so that no
2925  *	other events will occur in parallel. No further open will occur
2926  *	until a close.
2927  */
2928 
2929 static int gsmld_open(struct tty_struct *tty)
2930 {
2931 	struct gsm_mux *gsm;
2932 
2933 	if (tty->ops->write == NULL)
2934 		return -EINVAL;
2935 
2936 	/* Attach our ldisc data */
2937 	gsm = gsm_alloc_mux();
2938 	if (gsm == NULL)
2939 		return -ENOMEM;
2940 
2941 	tty->disc_data = gsm;
2942 	tty->receive_room = 65536;
2943 
2944 	/* Attach the initial passive connection */
2945 	gsm->encoding = 1;
2946 
2947 	gsmld_attach_gsm(tty, gsm);
2948 
2949 	timer_setup(&gsm->kick_timer, gsm_kick_timer, 0);
2950 	timer_setup(&gsm->t2_timer, gsm_control_retransmit, 0);
2951 	INIT_WORK(&gsm->tx_work, gsmld_write_task);
2952 
2953 	return 0;
2954 }
2955 
2956 /**
2957  *	gsmld_write_wakeup	-	asynchronous I/O notifier
2958  *	@tty: tty device
2959  *
2960  *	Required for the ptys, serial driver etc. since processes
2961  *	that attach themselves to the master and rely on ASYNC
2962  *	IO must be woken up
2963  */
2964 
2965 static void gsmld_write_wakeup(struct tty_struct *tty)
2966 {
2967 	struct gsm_mux *gsm = tty->disc_data;
2968 
2969 	/* Queue poll */
2970 	gsmld_write_trigger(gsm);
2971 }
2972 
2973 /**
2974  *	gsmld_read		-	read function for tty
2975  *	@tty: tty device
2976  *	@file: file object
2977  *	@buf: userspace buffer pointer
2978  *	@nr: size of I/O
2979  *	@cookie: unused
2980  *	@offset: unused
2981  *
2982  *	Perform reads for the line discipline. We are guaranteed that the
2983  *	line discipline will not be closed under us but we may get multiple
2984  *	parallel readers and must handle this ourselves. We may also get
2985  *	a hangup. Always called in user context, may sleep.
2986  *
2987  *	This code must be sure never to sleep through a hangup.
2988  */
2989 
2990 static ssize_t gsmld_read(struct tty_struct *tty, struct file *file,
2991 			  unsigned char *buf, size_t nr,
2992 			  void **cookie, unsigned long offset)
2993 {
2994 	return -EOPNOTSUPP;
2995 }
2996 
2997 /**
2998  *	gsmld_write		-	write function for tty
2999  *	@tty: tty device
3000  *	@file: file object
3001  *	@buf: userspace buffer pointer
3002  *	@nr: size of I/O
3003  *
3004  *	Called when the owner of the device wants to send a frame
3005  *	itself (or some other control data). The data is transferred
3006  *	as-is and must be properly framed and checksummed as appropriate
3007  *	by userspace. Frames are either sent whole or not at all as this
3008  *	avoids pain user side.
3009  */
3010 
3011 static ssize_t gsmld_write(struct tty_struct *tty, struct file *file,
3012 			   const unsigned char *buf, size_t nr)
3013 {
3014 	struct gsm_mux *gsm = tty->disc_data;
3015 	unsigned long flags;
3016 	int space;
3017 	int ret;
3018 
3019 	if (!gsm)
3020 		return -ENODEV;
3021 
3022 	ret = -ENOBUFS;
3023 	spin_lock_irqsave(&gsm->tx_lock, flags);
3024 	space = tty_write_room(tty);
3025 	if (space >= nr)
3026 		ret = tty->ops->write(tty, buf, nr);
3027 	else
3028 		set_bit(TTY_DO_WRITE_WAKEUP, &tty->flags);
3029 	spin_unlock_irqrestore(&gsm->tx_lock, flags);
3030 
3031 	return ret;
3032 }
3033 
3034 /**
3035  *	gsmld_poll		-	poll method for N_GSM0710
3036  *	@tty: terminal device
3037  *	@file: file accessing it
3038  *	@wait: poll table
3039  *
3040  *	Called when the line discipline is asked to poll() for data or
3041  *	for special events. This code is not serialized with respect to
3042  *	other events save open/close.
3043  *
3044  *	This code must be sure never to sleep through a hangup.
3045  *	Called without the kernel lock held - fine
3046  */
3047 
3048 static __poll_t gsmld_poll(struct tty_struct *tty, struct file *file,
3049 							poll_table *wait)
3050 {
3051 	__poll_t mask = 0;
3052 	struct gsm_mux *gsm = tty->disc_data;
3053 
3054 	poll_wait(file, &tty->read_wait, wait);
3055 	poll_wait(file, &tty->write_wait, wait);
3056 
3057 	if (gsm->dead)
3058 		mask |= EPOLLHUP;
3059 	if (tty_hung_up_p(file))
3060 		mask |= EPOLLHUP;
3061 	if (test_bit(TTY_OTHER_CLOSED, &tty->flags))
3062 		mask |= EPOLLHUP;
3063 	if (!tty_is_writelocked(tty) && tty_write_room(tty) > 0)
3064 		mask |= EPOLLOUT | EPOLLWRNORM;
3065 	return mask;
3066 }
3067 
3068 static int gsmld_ioctl(struct tty_struct *tty, unsigned int cmd,
3069 		       unsigned long arg)
3070 {
3071 	struct gsm_config c;
3072 	struct gsm_mux *gsm = tty->disc_data;
3073 	unsigned int base;
3074 
3075 	switch (cmd) {
3076 	case GSMIOC_GETCONF:
3077 		gsm_copy_config_values(gsm, &c);
3078 		if (copy_to_user((void __user *)arg, &c, sizeof(c)))
3079 			return -EFAULT;
3080 		return 0;
3081 	case GSMIOC_SETCONF:
3082 		if (copy_from_user(&c, (void __user *)arg, sizeof(c)))
3083 			return -EFAULT;
3084 		return gsm_config(gsm, &c);
3085 	case GSMIOC_GETFIRST:
3086 		base = mux_num_to_base(gsm);
3087 		return put_user(base + 1, (__u32 __user *)arg);
3088 	default:
3089 		return n_tty_ioctl_helper(tty, cmd, arg);
3090 	}
3091 }
3092 
3093 /*
3094  *	Network interface
3095  *
3096  */
3097 
3098 static int gsm_mux_net_open(struct net_device *net)
3099 {
3100 	pr_debug("%s called\n", __func__);
3101 	netif_start_queue(net);
3102 	return 0;
3103 }
3104 
3105 static int gsm_mux_net_close(struct net_device *net)
3106 {
3107 	netif_stop_queue(net);
3108 	return 0;
3109 }
3110 
3111 static void dlci_net_free(struct gsm_dlci *dlci)
3112 {
3113 	if (!dlci->net) {
3114 		WARN_ON(1);
3115 		return;
3116 	}
3117 	dlci->adaption = dlci->prev_adaption;
3118 	dlci->data = dlci->prev_data;
3119 	free_netdev(dlci->net);
3120 	dlci->net = NULL;
3121 }
3122 static void net_free(struct kref *ref)
3123 {
3124 	struct gsm_mux_net *mux_net;
3125 	struct gsm_dlci *dlci;
3126 
3127 	mux_net = container_of(ref, struct gsm_mux_net, ref);
3128 	dlci = mux_net->dlci;
3129 
3130 	if (dlci->net) {
3131 		unregister_netdev(dlci->net);
3132 		dlci_net_free(dlci);
3133 	}
3134 }
3135 
3136 static inline void muxnet_get(struct gsm_mux_net *mux_net)
3137 {
3138 	kref_get(&mux_net->ref);
3139 }
3140 
3141 static inline void muxnet_put(struct gsm_mux_net *mux_net)
3142 {
3143 	kref_put(&mux_net->ref, net_free);
3144 }
3145 
3146 static netdev_tx_t gsm_mux_net_start_xmit(struct sk_buff *skb,
3147 				      struct net_device *net)
3148 {
3149 	struct gsm_mux_net *mux_net = netdev_priv(net);
3150 	struct gsm_dlci *dlci = mux_net->dlci;
3151 	muxnet_get(mux_net);
3152 
3153 	skb_queue_head(&dlci->skb_list, skb);
3154 	net->stats.tx_packets++;
3155 	net->stats.tx_bytes += skb->len;
3156 	gsm_dlci_data_kick(dlci);
3157 	/* And tell the kernel when the last transmit started. */
3158 	netif_trans_update(net);
3159 	muxnet_put(mux_net);
3160 	return NETDEV_TX_OK;
3161 }
3162 
3163 /* called when a packet did not ack after watchdogtimeout */
3164 static void gsm_mux_net_tx_timeout(struct net_device *net, unsigned int txqueue)
3165 {
3166 	/* Tell syslog we are hosed. */
3167 	dev_dbg(&net->dev, "Tx timed out.\n");
3168 
3169 	/* Update statistics */
3170 	net->stats.tx_errors++;
3171 }
3172 
3173 static void gsm_mux_rx_netchar(struct gsm_dlci *dlci,
3174 				const unsigned char *in_buf, int size)
3175 {
3176 	struct net_device *net = dlci->net;
3177 	struct sk_buff *skb;
3178 	struct gsm_mux_net *mux_net = netdev_priv(net);
3179 	muxnet_get(mux_net);
3180 
3181 	/* Allocate an sk_buff */
3182 	skb = dev_alloc_skb(size + NET_IP_ALIGN);
3183 	if (!skb) {
3184 		/* We got no receive buffer. */
3185 		net->stats.rx_dropped++;
3186 		muxnet_put(mux_net);
3187 		return;
3188 	}
3189 	skb_reserve(skb, NET_IP_ALIGN);
3190 	skb_put_data(skb, in_buf, size);
3191 
3192 	skb->dev = net;
3193 	skb->protocol = htons(ETH_P_IP);
3194 
3195 	/* Ship it off to the kernel */
3196 	netif_rx(skb);
3197 
3198 	/* update out statistics */
3199 	net->stats.rx_packets++;
3200 	net->stats.rx_bytes += size;
3201 	muxnet_put(mux_net);
3202 	return;
3203 }
3204 
3205 static void gsm_mux_net_init(struct net_device *net)
3206 {
3207 	static const struct net_device_ops gsm_netdev_ops = {
3208 		.ndo_open		= gsm_mux_net_open,
3209 		.ndo_stop		= gsm_mux_net_close,
3210 		.ndo_start_xmit		= gsm_mux_net_start_xmit,
3211 		.ndo_tx_timeout		= gsm_mux_net_tx_timeout,
3212 	};
3213 
3214 	net->netdev_ops = &gsm_netdev_ops;
3215 
3216 	/* fill in the other fields */
3217 	net->watchdog_timeo = GSM_NET_TX_TIMEOUT;
3218 	net->flags = IFF_POINTOPOINT | IFF_NOARP | IFF_MULTICAST;
3219 	net->type = ARPHRD_NONE;
3220 	net->tx_queue_len = 10;
3221 }
3222 
3223 
3224 /* caller holds the dlci mutex */
3225 static void gsm_destroy_network(struct gsm_dlci *dlci)
3226 {
3227 	struct gsm_mux_net *mux_net;
3228 
3229 	pr_debug("destroy network interface\n");
3230 	if (!dlci->net)
3231 		return;
3232 	mux_net = netdev_priv(dlci->net);
3233 	muxnet_put(mux_net);
3234 }
3235 
3236 
3237 /* caller holds the dlci mutex */
3238 static int gsm_create_network(struct gsm_dlci *dlci, struct gsm_netconfig *nc)
3239 {
3240 	char *netname;
3241 	int retval = 0;
3242 	struct net_device *net;
3243 	struct gsm_mux_net *mux_net;
3244 
3245 	if (!capable(CAP_NET_ADMIN))
3246 		return -EPERM;
3247 
3248 	/* Already in a non tty mode */
3249 	if (dlci->adaption > 2)
3250 		return -EBUSY;
3251 
3252 	if (nc->protocol != htons(ETH_P_IP))
3253 		return -EPROTONOSUPPORT;
3254 
3255 	if (nc->adaption != 3 && nc->adaption != 4)
3256 		return -EPROTONOSUPPORT;
3257 
3258 	pr_debug("create network interface\n");
3259 
3260 	netname = "gsm%d";
3261 	if (nc->if_name[0] != '\0')
3262 		netname = nc->if_name;
3263 	net = alloc_netdev(sizeof(struct gsm_mux_net), netname,
3264 			   NET_NAME_UNKNOWN, gsm_mux_net_init);
3265 	if (!net) {
3266 		pr_err("alloc_netdev failed\n");
3267 		return -ENOMEM;
3268 	}
3269 	net->mtu = dlci->gsm->mtu;
3270 	net->min_mtu = 8;
3271 	net->max_mtu = dlci->gsm->mtu;
3272 	mux_net = netdev_priv(net);
3273 	mux_net->dlci = dlci;
3274 	kref_init(&mux_net->ref);
3275 	strncpy(nc->if_name, net->name, IFNAMSIZ); /* return net name */
3276 
3277 	/* reconfigure dlci for network */
3278 	dlci->prev_adaption = dlci->adaption;
3279 	dlci->prev_data = dlci->data;
3280 	dlci->adaption = nc->adaption;
3281 	dlci->data = gsm_mux_rx_netchar;
3282 	dlci->net = net;
3283 
3284 	pr_debug("register netdev\n");
3285 	retval = register_netdev(net);
3286 	if (retval) {
3287 		pr_err("network register fail %d\n", retval);
3288 		dlci_net_free(dlci);
3289 		return retval;
3290 	}
3291 	return net->ifindex;	/* return network index */
3292 }
3293 
3294 /* Line discipline for real tty */
3295 static struct tty_ldisc_ops tty_ldisc_packet = {
3296 	.owner		 = THIS_MODULE,
3297 	.num		 = N_GSM0710,
3298 	.name            = "n_gsm",
3299 	.open            = gsmld_open,
3300 	.close           = gsmld_close,
3301 	.flush_buffer    = gsmld_flush_buffer,
3302 	.read            = gsmld_read,
3303 	.write           = gsmld_write,
3304 	.ioctl           = gsmld_ioctl,
3305 	.poll            = gsmld_poll,
3306 	.receive_buf     = gsmld_receive_buf,
3307 	.write_wakeup    = gsmld_write_wakeup
3308 };
3309 
3310 /*
3311  *	Virtual tty side
3312  */
3313 
3314 /**
3315  *	gsm_modem_upd_via_data	-	send modem bits via convergence layer
3316  *	@dlci: channel
3317  *	@brk: break signal
3318  *
3319  *	Send an empty frame to signal mobile state changes and to transmit the
3320  *	break signal for adaption 2.
3321  */
3322 
3323 static void gsm_modem_upd_via_data(struct gsm_dlci *dlci, u8 brk)
3324 {
3325 	struct gsm_mux *gsm = dlci->gsm;
3326 	unsigned long flags;
3327 
3328 	if (dlci->state != DLCI_OPEN || dlci->adaption != 2)
3329 		return;
3330 
3331 	spin_lock_irqsave(&gsm->tx_lock, flags);
3332 	gsm_dlci_modem_output(gsm, dlci, brk);
3333 	spin_unlock_irqrestore(&gsm->tx_lock, flags);
3334 }
3335 
3336 /**
3337  *	gsm_modem_upd_via_msc	-	send modem bits via control frame
3338  *	@dlci: channel
3339  *	@brk: break signal
3340  */
3341 
3342 static int gsm_modem_upd_via_msc(struct gsm_dlci *dlci, u8 brk)
3343 {
3344 	u8 modembits[3];
3345 	struct gsm_control *ctrl;
3346 	int len = 2;
3347 
3348 	if (dlci->gsm->encoding != 0)
3349 		return 0;
3350 
3351 	modembits[0] = (dlci->addr << 2) | 2 | EA;  /* DLCI, Valid, EA */
3352 	if (!brk) {
3353 		modembits[1] = (gsm_encode_modem(dlci) << 1) | EA;
3354 	} else {
3355 		modembits[1] = gsm_encode_modem(dlci) << 1;
3356 		modembits[2] = (brk << 4) | 2 | EA; /* Length, Break, EA */
3357 		len++;
3358 	}
3359 	ctrl = gsm_control_send(dlci->gsm, CMD_MSC, modembits, len);
3360 	if (ctrl == NULL)
3361 		return -ENOMEM;
3362 	return gsm_control_wait(dlci->gsm, ctrl);
3363 }
3364 
3365 /**
3366  *	gsm_modem_update	-	send modem status line state
3367  *	@dlci: channel
3368  *	@brk: break signal
3369  */
3370 
3371 static int gsm_modem_update(struct gsm_dlci *dlci, u8 brk)
3372 {
3373 	if (dlci->adaption == 2) {
3374 		/* Send convergence layer type 2 empty data frame. */
3375 		gsm_modem_upd_via_data(dlci, brk);
3376 		return 0;
3377 	} else if (dlci->gsm->encoding == 0) {
3378 		/* Send as MSC control message. */
3379 		return gsm_modem_upd_via_msc(dlci, brk);
3380 	}
3381 
3382 	/* Modem status lines are not supported. */
3383 	return -EPROTONOSUPPORT;
3384 }
3385 
3386 static int gsm_carrier_raised(struct tty_port *port)
3387 {
3388 	struct gsm_dlci *dlci = container_of(port, struct gsm_dlci, port);
3389 	struct gsm_mux *gsm = dlci->gsm;
3390 
3391 	/* Not yet open so no carrier info */
3392 	if (dlci->state != DLCI_OPEN)
3393 		return 0;
3394 	if (debug & 2)
3395 		return 1;
3396 
3397 	/*
3398 	 * Basic mode with control channel in ADM mode may not respond
3399 	 * to CMD_MSC at all and modem_rx is empty.
3400 	 */
3401 	if (gsm->encoding == 0 && gsm->dlci[0]->mode == DLCI_MODE_ADM &&
3402 	    !dlci->modem_rx)
3403 		return 1;
3404 
3405 	return dlci->modem_rx & TIOCM_CD;
3406 }
3407 
3408 static void gsm_dtr_rts(struct tty_port *port, int onoff)
3409 {
3410 	struct gsm_dlci *dlci = container_of(port, struct gsm_dlci, port);
3411 	unsigned int modem_tx = dlci->modem_tx;
3412 	if (onoff)
3413 		modem_tx |= TIOCM_DTR | TIOCM_RTS;
3414 	else
3415 		modem_tx &= ~(TIOCM_DTR | TIOCM_RTS);
3416 	if (modem_tx != dlci->modem_tx) {
3417 		dlci->modem_tx = modem_tx;
3418 		gsm_modem_update(dlci, 0);
3419 	}
3420 }
3421 
3422 static const struct tty_port_operations gsm_port_ops = {
3423 	.carrier_raised = gsm_carrier_raised,
3424 	.dtr_rts = gsm_dtr_rts,
3425 	.destruct = gsm_dlci_free,
3426 };
3427 
3428 static int gsmtty_install(struct tty_driver *driver, struct tty_struct *tty)
3429 {
3430 	struct gsm_mux *gsm;
3431 	struct gsm_dlci *dlci;
3432 	unsigned int line = tty->index;
3433 	unsigned int mux = mux_line_to_num(line);
3434 	bool alloc = false;
3435 	int ret;
3436 
3437 	line = line & 0x3F;
3438 
3439 	if (mux >= MAX_MUX)
3440 		return -ENXIO;
3441 	/* FIXME: we need to lock gsm_mux for lifetimes of ttys eventually */
3442 	if (gsm_mux[mux] == NULL)
3443 		return -EUNATCH;
3444 	if (line == 0 || line > 61)	/* 62/63 reserved */
3445 		return -ECHRNG;
3446 	gsm = gsm_mux[mux];
3447 	if (gsm->dead)
3448 		return -EL2HLT;
3449 	/* If DLCI 0 is not yet fully open return an error.
3450 	This is ok from a locking
3451 	perspective as we don't have to worry about this
3452 	if DLCI0 is lost */
3453 	mutex_lock(&gsm->mutex);
3454 	if (gsm->dlci[0] && gsm->dlci[0]->state != DLCI_OPEN) {
3455 		mutex_unlock(&gsm->mutex);
3456 		return -EL2NSYNC;
3457 	}
3458 	dlci = gsm->dlci[line];
3459 	if (dlci == NULL) {
3460 		alloc = true;
3461 		dlci = gsm_dlci_alloc(gsm, line);
3462 	}
3463 	if (dlci == NULL) {
3464 		mutex_unlock(&gsm->mutex);
3465 		return -ENOMEM;
3466 	}
3467 	ret = tty_port_install(&dlci->port, driver, tty);
3468 	if (ret) {
3469 		if (alloc)
3470 			dlci_put(dlci);
3471 		mutex_unlock(&gsm->mutex);
3472 		return ret;
3473 	}
3474 
3475 	dlci_get(dlci);
3476 	dlci_get(gsm->dlci[0]);
3477 	mux_get(gsm);
3478 	tty->driver_data = dlci;
3479 	mutex_unlock(&gsm->mutex);
3480 
3481 	return 0;
3482 }
3483 
3484 static int gsmtty_open(struct tty_struct *tty, struct file *filp)
3485 {
3486 	struct gsm_dlci *dlci = tty->driver_data;
3487 	struct tty_port *port = &dlci->port;
3488 	struct gsm_mux *gsm = dlci->gsm;
3489 
3490 	port->count++;
3491 	tty_port_tty_set(port, tty);
3492 
3493 	dlci->modem_rx = 0;
3494 	/* We could in theory open and close before we wait - eg if we get
3495 	   a DM straight back. This is ok as that will have caused a hangup */
3496 	tty_port_set_initialized(port, 1);
3497 	/* Start sending off SABM messages */
3498 	if (gsm->initiator)
3499 		gsm_dlci_begin_open(dlci);
3500 	else
3501 		gsm_dlci_set_opening(dlci);
3502 	/* And wait for virtual carrier */
3503 	return tty_port_block_til_ready(port, tty, filp);
3504 }
3505 
3506 static void gsmtty_close(struct tty_struct *tty, struct file *filp)
3507 {
3508 	struct gsm_dlci *dlci = tty->driver_data;
3509 
3510 	if (dlci == NULL)
3511 		return;
3512 	if (dlci->state == DLCI_CLOSED)
3513 		return;
3514 	mutex_lock(&dlci->mutex);
3515 	gsm_destroy_network(dlci);
3516 	mutex_unlock(&dlci->mutex);
3517 	if (tty_port_close_start(&dlci->port, tty, filp) == 0)
3518 		return;
3519 	gsm_dlci_begin_close(dlci);
3520 	if (tty_port_initialized(&dlci->port) && C_HUPCL(tty))
3521 		tty_port_lower_dtr_rts(&dlci->port);
3522 	tty_port_close_end(&dlci->port, tty);
3523 	tty_port_tty_set(&dlci->port, NULL);
3524 	return;
3525 }
3526 
3527 static void gsmtty_hangup(struct tty_struct *tty)
3528 {
3529 	struct gsm_dlci *dlci = tty->driver_data;
3530 	if (dlci->state == DLCI_CLOSED)
3531 		return;
3532 	tty_port_hangup(&dlci->port);
3533 	gsm_dlci_begin_close(dlci);
3534 }
3535 
3536 static int gsmtty_write(struct tty_struct *tty, const unsigned char *buf,
3537 								    int len)
3538 {
3539 	int sent;
3540 	struct gsm_dlci *dlci = tty->driver_data;
3541 	if (dlci->state == DLCI_CLOSED)
3542 		return -EINVAL;
3543 	/* Stuff the bytes into the fifo queue */
3544 	sent = kfifo_in_locked(&dlci->fifo, buf, len, &dlci->lock);
3545 	/* Need to kick the channel */
3546 	gsm_dlci_data_kick(dlci);
3547 	return sent;
3548 }
3549 
3550 static unsigned int gsmtty_write_room(struct tty_struct *tty)
3551 {
3552 	struct gsm_dlci *dlci = tty->driver_data;
3553 	if (dlci->state == DLCI_CLOSED)
3554 		return 0;
3555 	return kfifo_avail(&dlci->fifo);
3556 }
3557 
3558 static unsigned int gsmtty_chars_in_buffer(struct tty_struct *tty)
3559 {
3560 	struct gsm_dlci *dlci = tty->driver_data;
3561 	if (dlci->state == DLCI_CLOSED)
3562 		return 0;
3563 	return kfifo_len(&dlci->fifo);
3564 }
3565 
3566 static void gsmtty_flush_buffer(struct tty_struct *tty)
3567 {
3568 	struct gsm_dlci *dlci = tty->driver_data;
3569 	unsigned long flags;
3570 
3571 	if (dlci->state == DLCI_CLOSED)
3572 		return;
3573 	/* Caution needed: If we implement reliable transport classes
3574 	   then the data being transmitted can't simply be junked once
3575 	   it has first hit the stack. Until then we can just blow it
3576 	   away */
3577 	spin_lock_irqsave(&dlci->lock, flags);
3578 	kfifo_reset(&dlci->fifo);
3579 	spin_unlock_irqrestore(&dlci->lock, flags);
3580 	/* Need to unhook this DLCI from the transmit queue logic */
3581 }
3582 
3583 static void gsmtty_wait_until_sent(struct tty_struct *tty, int timeout)
3584 {
3585 	/* The FIFO handles the queue so the kernel will do the right
3586 	   thing waiting on chars_in_buffer before calling us. No work
3587 	   to do here */
3588 }
3589 
3590 static int gsmtty_tiocmget(struct tty_struct *tty)
3591 {
3592 	struct gsm_dlci *dlci = tty->driver_data;
3593 	if (dlci->state == DLCI_CLOSED)
3594 		return -EINVAL;
3595 	return dlci->modem_rx;
3596 }
3597 
3598 static int gsmtty_tiocmset(struct tty_struct *tty,
3599 	unsigned int set, unsigned int clear)
3600 {
3601 	struct gsm_dlci *dlci = tty->driver_data;
3602 	unsigned int modem_tx = dlci->modem_tx;
3603 
3604 	if (dlci->state == DLCI_CLOSED)
3605 		return -EINVAL;
3606 	modem_tx &= ~clear;
3607 	modem_tx |= set;
3608 
3609 	if (modem_tx != dlci->modem_tx) {
3610 		dlci->modem_tx = modem_tx;
3611 		return gsm_modem_update(dlci, 0);
3612 	}
3613 	return 0;
3614 }
3615 
3616 
3617 static int gsmtty_ioctl(struct tty_struct *tty,
3618 			unsigned int cmd, unsigned long arg)
3619 {
3620 	struct gsm_dlci *dlci = tty->driver_data;
3621 	struct gsm_netconfig nc;
3622 	int index;
3623 
3624 	if (dlci->state == DLCI_CLOSED)
3625 		return -EINVAL;
3626 	switch (cmd) {
3627 	case GSMIOC_ENABLE_NET:
3628 		if (copy_from_user(&nc, (void __user *)arg, sizeof(nc)))
3629 			return -EFAULT;
3630 		nc.if_name[IFNAMSIZ-1] = '\0';
3631 		/* return net interface index or error code */
3632 		mutex_lock(&dlci->mutex);
3633 		index = gsm_create_network(dlci, &nc);
3634 		mutex_unlock(&dlci->mutex);
3635 		if (copy_to_user((void __user *)arg, &nc, sizeof(nc)))
3636 			return -EFAULT;
3637 		return index;
3638 	case GSMIOC_DISABLE_NET:
3639 		if (!capable(CAP_NET_ADMIN))
3640 			return -EPERM;
3641 		mutex_lock(&dlci->mutex);
3642 		gsm_destroy_network(dlci);
3643 		mutex_unlock(&dlci->mutex);
3644 		return 0;
3645 	default:
3646 		return -ENOIOCTLCMD;
3647 	}
3648 }
3649 
3650 static void gsmtty_set_termios(struct tty_struct *tty, struct ktermios *old)
3651 {
3652 	struct gsm_dlci *dlci = tty->driver_data;
3653 	if (dlci->state == DLCI_CLOSED)
3654 		return;
3655 	/* For the moment its fixed. In actual fact the speed information
3656 	   for the virtual channel can be propogated in both directions by
3657 	   the RPN control message. This however rapidly gets nasty as we
3658 	   then have to remap modem signals each way according to whether
3659 	   our virtual cable is null modem etc .. */
3660 	tty_termios_copy_hw(&tty->termios, old);
3661 }
3662 
3663 static void gsmtty_throttle(struct tty_struct *tty)
3664 {
3665 	struct gsm_dlci *dlci = tty->driver_data;
3666 	if (dlci->state == DLCI_CLOSED)
3667 		return;
3668 	if (C_CRTSCTS(tty))
3669 		dlci->modem_tx &= ~TIOCM_RTS;
3670 	dlci->throttled = true;
3671 	/* Send an MSC with RTS cleared */
3672 	gsm_modem_update(dlci, 0);
3673 }
3674 
3675 static void gsmtty_unthrottle(struct tty_struct *tty)
3676 {
3677 	struct gsm_dlci *dlci = tty->driver_data;
3678 	if (dlci->state == DLCI_CLOSED)
3679 		return;
3680 	if (C_CRTSCTS(tty))
3681 		dlci->modem_tx |= TIOCM_RTS;
3682 	dlci->throttled = false;
3683 	/* Send an MSC with RTS set */
3684 	gsm_modem_update(dlci, 0);
3685 }
3686 
3687 static int gsmtty_break_ctl(struct tty_struct *tty, int state)
3688 {
3689 	struct gsm_dlci *dlci = tty->driver_data;
3690 	int encode = 0;	/* Off */
3691 	if (dlci->state == DLCI_CLOSED)
3692 		return -EINVAL;
3693 
3694 	if (state == -1)	/* "On indefinitely" - we can't encode this
3695 				    properly */
3696 		encode = 0x0F;
3697 	else if (state > 0) {
3698 		encode = state / 200;	/* mS to encoding */
3699 		if (encode > 0x0F)
3700 			encode = 0x0F;	/* Best effort */
3701 	}
3702 	return gsm_modem_update(dlci, encode);
3703 }
3704 
3705 static void gsmtty_cleanup(struct tty_struct *tty)
3706 {
3707 	struct gsm_dlci *dlci = tty->driver_data;
3708 	struct gsm_mux *gsm = dlci->gsm;
3709 
3710 	dlci_put(dlci);
3711 	dlci_put(gsm->dlci[0]);
3712 	mux_put(gsm);
3713 }
3714 
3715 /* Virtual ttys for the demux */
3716 static const struct tty_operations gsmtty_ops = {
3717 	.install		= gsmtty_install,
3718 	.open			= gsmtty_open,
3719 	.close			= gsmtty_close,
3720 	.write			= gsmtty_write,
3721 	.write_room		= gsmtty_write_room,
3722 	.chars_in_buffer	= gsmtty_chars_in_buffer,
3723 	.flush_buffer		= gsmtty_flush_buffer,
3724 	.ioctl			= gsmtty_ioctl,
3725 	.throttle		= gsmtty_throttle,
3726 	.unthrottle		= gsmtty_unthrottle,
3727 	.set_termios		= gsmtty_set_termios,
3728 	.hangup			= gsmtty_hangup,
3729 	.wait_until_sent	= gsmtty_wait_until_sent,
3730 	.tiocmget		= gsmtty_tiocmget,
3731 	.tiocmset		= gsmtty_tiocmset,
3732 	.break_ctl		= gsmtty_break_ctl,
3733 	.cleanup		= gsmtty_cleanup,
3734 };
3735 
3736 
3737 
3738 static int __init gsm_init(void)
3739 {
3740 	/* Fill in our line protocol discipline, and register it */
3741 	int status = tty_register_ldisc(&tty_ldisc_packet);
3742 	if (status != 0) {
3743 		pr_err("n_gsm: can't register line discipline (err = %d)\n",
3744 								status);
3745 		return status;
3746 	}
3747 
3748 	gsm_tty_driver = tty_alloc_driver(256, TTY_DRIVER_REAL_RAW |
3749 			TTY_DRIVER_DYNAMIC_DEV | TTY_DRIVER_HARDWARE_BREAK);
3750 	if (IS_ERR(gsm_tty_driver)) {
3751 		pr_err("gsm_init: tty allocation failed.\n");
3752 		status = PTR_ERR(gsm_tty_driver);
3753 		goto err_unreg_ldisc;
3754 	}
3755 	gsm_tty_driver->driver_name	= "gsmtty";
3756 	gsm_tty_driver->name		= "gsmtty";
3757 	gsm_tty_driver->major		= 0;	/* Dynamic */
3758 	gsm_tty_driver->minor_start	= 0;
3759 	gsm_tty_driver->type		= TTY_DRIVER_TYPE_SERIAL;
3760 	gsm_tty_driver->subtype	= SERIAL_TYPE_NORMAL;
3761 	gsm_tty_driver->init_termios	= tty_std_termios;
3762 	/* Fixme */
3763 	gsm_tty_driver->init_termios.c_lflag &= ~ECHO;
3764 	tty_set_operations(gsm_tty_driver, &gsmtty_ops);
3765 
3766 	if (tty_register_driver(gsm_tty_driver)) {
3767 		pr_err("gsm_init: tty registration failed.\n");
3768 		status = -EBUSY;
3769 		goto err_put_driver;
3770 	}
3771 	pr_debug("gsm_init: loaded as %d,%d.\n",
3772 			gsm_tty_driver->major, gsm_tty_driver->minor_start);
3773 	return 0;
3774 err_put_driver:
3775 	tty_driver_kref_put(gsm_tty_driver);
3776 err_unreg_ldisc:
3777 	tty_unregister_ldisc(&tty_ldisc_packet);
3778 	return status;
3779 }
3780 
3781 static void __exit gsm_exit(void)
3782 {
3783 	tty_unregister_ldisc(&tty_ldisc_packet);
3784 	tty_unregister_driver(gsm_tty_driver);
3785 	tty_driver_kref_put(gsm_tty_driver);
3786 }
3787 
3788 module_init(gsm_init);
3789 module_exit(gsm_exit);
3790 
3791 
3792 MODULE_LICENSE("GPL");
3793 MODULE_ALIAS_LDISC(N_GSM0710);
3794