xref: /openbmc/linux/drivers/tty/n_gsm.c (revision e65e175b07bef5974045cc42238de99057669ca7)
1 // SPDX-License-Identifier: GPL-2.0
2 /*
3  * n_gsm.c GSM 0710 tty multiplexor
4  * Copyright (c) 2009/10 Intel Corporation
5  *
6  *	* THIS IS A DEVELOPMENT SNAPSHOT IT IS NOT A FINAL RELEASE *
7  *
8  * Outgoing path:
9  * tty -> DLCI fifo -> scheduler -> GSM MUX data queue    ---o-> ldisc
10  * control message               -> GSM MUX control queue --´
11  *
12  * Incoming path:
13  * ldisc -> gsm_queue() -o--> tty
14  *                        `-> gsm_control_response()
15  *
16  * TO DO:
17  *	Mostly done:	ioctls for setting modes/timing
18  *	Partly done:	hooks so you can pull off frames to non tty devs
19  *	Restart DLCI 0 when it closes ?
20  *	Improve the tx engine
21  *	Resolve tx side locking by adding a queue_head and routing
22  *		all control traffic via it
23  *	General tidy/document
24  *	Review the locking/move to refcounts more (mux now moved to an
25  *		alloc/free model ready)
26  *	Use newest tty open/close port helpers and install hooks
27  *	What to do about power functions ?
28  *	Termios setting and negotiation
29  *	Do we need a 'which mux are you' ioctl to correlate mux and tty sets
30  *
31  */
32 
33 #include <linux/types.h>
34 #include <linux/major.h>
35 #include <linux/errno.h>
36 #include <linux/signal.h>
37 #include <linux/fcntl.h>
38 #include <linux/sched/signal.h>
39 #include <linux/interrupt.h>
40 #include <linux/tty.h>
41 #include <linux/bitfield.h>
42 #include <linux/ctype.h>
43 #include <linux/mm.h>
44 #include <linux/math.h>
45 #include <linux/string.h>
46 #include <linux/slab.h>
47 #include <linux/poll.h>
48 #include <linux/bitops.h>
49 #include <linux/file.h>
50 #include <linux/uaccess.h>
51 #include <linux/module.h>
52 #include <linux/timer.h>
53 #include <linux/tty_flip.h>
54 #include <linux/tty_driver.h>
55 #include <linux/serial.h>
56 #include <linux/kfifo.h>
57 #include <linux/skbuff.h>
58 #include <net/arp.h>
59 #include <linux/ip.h>
60 #include <linux/netdevice.h>
61 #include <linux/etherdevice.h>
62 #include <linux/gsmmux.h>
63 #include "tty.h"
64 
65 static int debug;
66 module_param(debug, int, 0600);
67 
68 /* Module debug bits */
69 #define DBG_DUMP	BIT(0) /* Data transmission dump. */
70 #define DBG_CD_ON	BIT(1) /* Always assume CD line on. */
71 #define DBG_DATA	BIT(2) /* Data transmission details. */
72 #define DBG_ERRORS	BIT(3) /* Details for fail conditions. */
73 #define DBG_TTY		BIT(4) /* Transmission statistics for DLCI TTYs. */
74 #define DBG_PAYLOAD	BIT(5) /* Limits DBG_DUMP to payload frames. */
75 
76 /* Defaults: these are from the specification */
77 
78 #define T1	10		/* 100mS */
79 #define T2	34		/* 333mS */
80 #define T3	10		/* 10s */
81 #define N2	3		/* Retry 3 times */
82 #define K	2		/* outstanding I frames */
83 
84 #define MAX_T3 255		/* In seconds. */
85 #define MAX_WINDOW_SIZE 7	/* Limit of K in error recovery mode. */
86 
87 /* Use long timers for testing at low speed with debug on */
88 #ifdef DEBUG_TIMING
89 #define T1	100
90 #define T2	200
91 #endif
92 
93 /*
94  * Semi-arbitrary buffer size limits. 0710 is normally run with 32-64 byte
95  * limits so this is plenty
96  */
97 #define MAX_MRU 1500
98 #define MAX_MTU 1500
99 #define MIN_MTU (PROT_OVERHEAD + 1)
100 /* SOF, ADDR, CTRL, LEN1, LEN2, ..., FCS, EOF */
101 #define PROT_OVERHEAD 7
102 #define	GSM_NET_TX_TIMEOUT (HZ*10)
103 
104 /*
105  *	struct gsm_mux_net	-	network interface
106  *
107  *	Created when net interface is initialized.
108  */
109 struct gsm_mux_net {
110 	struct kref ref;
111 	struct gsm_dlci *dlci;
112 };
113 
114 /*
115  *	Each block of data we have queued to go out is in the form of
116  *	a gsm_msg which holds everything we need in a link layer independent
117  *	format
118  */
119 
120 struct gsm_msg {
121 	struct list_head list;
122 	u8 addr;		/* DLCI address + flags */
123 	u8 ctrl;		/* Control byte + flags */
124 	unsigned int len;	/* Length of data block (can be zero) */
125 	unsigned char *data;	/* Points into buffer but not at the start */
126 	unsigned char buffer[];
127 };
128 
129 enum gsm_dlci_state {
130 	DLCI_CLOSED,
131 	DLCI_CONFIGURE,		/* Sending PN (for adaption > 1) */
132 	DLCI_OPENING,		/* Sending SABM not seen UA */
133 	DLCI_OPEN,		/* SABM/UA complete */
134 	DLCI_CLOSING,		/* Sending DISC not seen UA/DM */
135 };
136 
137 enum gsm_dlci_mode {
138 	DLCI_MODE_ABM,		/* Normal Asynchronous Balanced Mode */
139 	DLCI_MODE_ADM,		/* Asynchronous Disconnected Mode */
140 };
141 
142 /*
143  *	Each active data link has a gsm_dlci structure associated which ties
144  *	the link layer to an optional tty (if the tty side is open). To avoid
145  *	complexity right now these are only ever freed up when the mux is
146  *	shut down.
147  *
148  *	At the moment we don't free DLCI objects until the mux is torn down
149  *	this avoid object life time issues but might be worth review later.
150  */
151 
152 struct gsm_dlci {
153 	struct gsm_mux *gsm;
154 	int addr;
155 	enum gsm_dlci_state state;
156 	struct mutex mutex;
157 
158 	/* Link layer */
159 	enum gsm_dlci_mode mode;
160 	spinlock_t lock;	/* Protects the internal state */
161 	struct timer_list t1;	/* Retransmit timer for SABM and UA */
162 	int retries;
163 	/* Uplink tty if active */
164 	struct tty_port port;	/* The tty bound to this DLCI if there is one */
165 #define TX_SIZE		4096    /* Must be power of 2. */
166 	struct kfifo fifo;	/* Queue fifo for the DLCI */
167 	int adaption;		/* Adaption layer in use */
168 	int prev_adaption;
169 	u32 modem_rx;		/* Our incoming virtual modem lines */
170 	u32 modem_tx;		/* Our outgoing modem lines */
171 	unsigned int mtu;
172 	bool dead;		/* Refuse re-open */
173 	/* Configuration */
174 	u8 prio;		/* Priority */
175 	u8 ftype;		/* Frame type */
176 	u8 k;			/* Window size */
177 	/* Flow control */
178 	bool throttled;		/* Private copy of throttle state */
179 	bool constipated;	/* Throttle status for outgoing */
180 	/* Packetised I/O */
181 	struct sk_buff *skb;	/* Frame being sent */
182 	struct sk_buff_head skb_list;	/* Queued frames */
183 	/* Data handling callback */
184 	void (*data)(struct gsm_dlci *dlci, const u8 *data, int len);
185 	void (*prev_data)(struct gsm_dlci *dlci, const u8 *data, int len);
186 	struct net_device *net; /* network interface, if created */
187 };
188 
189 /*
190  * Parameter bits used for parameter negotiation according to 3GPP 27.010
191  * chapter 5.4.6.3.1.
192  */
193 
194 struct gsm_dlci_param_bits {
195 	u8 d_bits;
196 	u8 i_cl_bits;
197 	u8 p_bits;
198 	u8 t_bits;
199 	__le16 n_bits;
200 	u8 na_bits;
201 	u8 k_bits;
202 };
203 
204 static_assert(sizeof(struct gsm_dlci_param_bits) == 8);
205 
206 #define PN_D_FIELD_DLCI		GENMASK(5, 0)
207 #define PN_I_CL_FIELD_FTYPE	GENMASK(3, 0)
208 #define PN_I_CL_FIELD_ADAPTION	GENMASK(7, 4)
209 #define PN_P_FIELD_PRIO		GENMASK(5, 0)
210 #define PN_T_FIELD_T1		GENMASK(7, 0)
211 #define PN_N_FIELD_N1		GENMASK(15, 0)
212 #define PN_NA_FIELD_N2		GENMASK(7, 0)
213 #define PN_K_FIELD_K		GENMASK(2, 0)
214 
215 /* Total number of supported devices */
216 #define GSM_TTY_MINORS		256
217 
218 /* DLCI 0, 62/63 are special or reserved see gsmtty_open */
219 
220 #define NUM_DLCI		64
221 
222 /*
223  *	DLCI 0 is used to pass control blocks out of band of the data
224  *	flow (and with a higher link priority). One command can be outstanding
225  *	at a time and we use this structure to manage them. They are created
226  *	and destroyed by the user context, and updated by the receive paths
227  *	and timers
228  */
229 
230 struct gsm_control {
231 	u8 cmd;		/* Command we are issuing */
232 	u8 *data;	/* Data for the command in case we retransmit */
233 	int len;	/* Length of block for retransmission */
234 	int done;	/* Done flag */
235 	int error;	/* Error if any */
236 };
237 
238 enum gsm_encoding {
239 	GSM_BASIC_OPT,
240 	GSM_ADV_OPT,
241 };
242 
243 enum gsm_mux_state {
244 	GSM_SEARCH,
245 	GSM_START,
246 	GSM_ADDRESS,
247 	GSM_CONTROL,
248 	GSM_LEN,
249 	GSM_DATA,
250 	GSM_FCS,
251 	GSM_OVERRUN,
252 	GSM_LEN0,
253 	GSM_LEN1,
254 	GSM_SSOF,
255 };
256 
257 /*
258  *	Each GSM mux we have is represented by this structure. If we are
259  *	operating as an ldisc then we use this structure as our ldisc
260  *	state. We need to sort out lifetimes and locking with respect
261  *	to the gsm mux array. For now we don't free DLCI objects that
262  *	have been instantiated until the mux itself is terminated.
263  *
264  *	To consider further: tty open versus mux shutdown.
265  */
266 
267 struct gsm_mux {
268 	struct tty_struct *tty;		/* The tty our ldisc is bound to */
269 	spinlock_t lock;
270 	struct mutex mutex;
271 	unsigned int num;
272 	struct kref ref;
273 
274 	/* Events on the GSM channel */
275 	wait_queue_head_t event;
276 
277 	/* ldisc send work */
278 	struct work_struct tx_work;
279 
280 	/* Bits for GSM mode decoding */
281 
282 	/* Framing Layer */
283 	unsigned char *buf;
284 	enum gsm_mux_state state;
285 	unsigned int len;
286 	unsigned int address;
287 	unsigned int count;
288 	bool escape;
289 	enum gsm_encoding encoding;
290 	u8 control;
291 	u8 fcs;
292 	u8 *txframe;			/* TX framing buffer */
293 
294 	/* Method for the receiver side */
295 	void (*receive)(struct gsm_mux *gsm, u8 ch);
296 
297 	/* Link Layer */
298 	unsigned int mru;
299 	unsigned int mtu;
300 	int initiator;			/* Did we initiate connection */
301 	bool dead;			/* Has the mux been shut down */
302 	struct gsm_dlci *dlci[NUM_DLCI];
303 	int old_c_iflag;		/* termios c_iflag value before attach */
304 	bool constipated;		/* Asked by remote to shut up */
305 	bool has_devices;		/* Devices were registered */
306 
307 	spinlock_t tx_lock;
308 	unsigned int tx_bytes;		/* TX data outstanding */
309 #define TX_THRESH_HI		8192
310 #define TX_THRESH_LO		2048
311 	struct list_head tx_ctrl_list;	/* Pending control packets */
312 	struct list_head tx_data_list;	/* Pending data packets */
313 
314 	/* Control messages */
315 	struct timer_list kick_timer;	/* Kick TX queuing on timeout */
316 	struct timer_list t2_timer;	/* Retransmit timer for commands */
317 	int cretries;			/* Command retry counter */
318 	struct gsm_control *pending_cmd;/* Our current pending command */
319 	spinlock_t control_lock;	/* Protects the pending command */
320 
321 	/* Configuration */
322 	int adaption;		/* 1 or 2 supported */
323 	u8 ftype;		/* UI or UIH */
324 	int t1, t2;		/* Timers in 1/100th of a sec */
325 	unsigned int t3;	/* Power wake-up timer in seconds. */
326 	int n2;			/* Retry count */
327 	u8 k;			/* Window size */
328 
329 	/* Statistics (not currently exposed) */
330 	unsigned long bad_fcs;
331 	unsigned long malformed;
332 	unsigned long io_error;
333 	unsigned long bad_size;
334 	unsigned long unsupported;
335 };
336 
337 
338 /*
339  *	Mux objects - needed so that we can translate a tty index into the
340  *	relevant mux and DLCI.
341  */
342 
343 #define MAX_MUX		4			/* 256 minors */
344 static struct gsm_mux *gsm_mux[MAX_MUX];	/* GSM muxes */
345 static DEFINE_SPINLOCK(gsm_mux_lock);
346 
347 static struct tty_driver *gsm_tty_driver;
348 
349 /*
350  *	This section of the driver logic implements the GSM encodings
351  *	both the basic and the 'advanced'. Reliable transport is not
352  *	supported.
353  */
354 
355 #define CR			0x02
356 #define EA			0x01
357 #define	PF			0x10
358 
359 /* I is special: the rest are ..*/
360 #define RR			0x01
361 #define UI			0x03
362 #define RNR			0x05
363 #define REJ			0x09
364 #define DM			0x0F
365 #define SABM			0x2F
366 #define DISC			0x43
367 #define UA			0x63
368 #define	UIH			0xEF
369 
370 /* Channel commands */
371 #define CMD_NSC			0x09
372 #define CMD_TEST		0x11
373 #define CMD_PSC			0x21
374 #define CMD_RLS			0x29
375 #define CMD_FCOFF		0x31
376 #define CMD_PN			0x41
377 #define CMD_RPN			0x49
378 #define CMD_FCON		0x51
379 #define CMD_CLD			0x61
380 #define CMD_SNC			0x69
381 #define CMD_MSC			0x71
382 
383 /* Virtual modem bits */
384 #define MDM_FC			0x01
385 #define MDM_RTC			0x02
386 #define MDM_RTR			0x04
387 #define MDM_IC			0x20
388 #define MDM_DV			0x40
389 
390 #define GSM0_SOF		0xF9
391 #define GSM1_SOF		0x7E
392 #define GSM1_ESCAPE		0x7D
393 #define GSM1_ESCAPE_BITS	0x20
394 #define XON			0x11
395 #define XOFF			0x13
396 #define ISO_IEC_646_MASK	0x7F
397 
398 static const struct tty_port_operations gsm_port_ops;
399 
400 /*
401  *	CRC table for GSM 0710
402  */
403 
404 static const u8 gsm_fcs8[256] = {
405 	0x00, 0x91, 0xE3, 0x72, 0x07, 0x96, 0xE4, 0x75,
406 	0x0E, 0x9F, 0xED, 0x7C, 0x09, 0x98, 0xEA, 0x7B,
407 	0x1C, 0x8D, 0xFF, 0x6E, 0x1B, 0x8A, 0xF8, 0x69,
408 	0x12, 0x83, 0xF1, 0x60, 0x15, 0x84, 0xF6, 0x67,
409 	0x38, 0xA9, 0xDB, 0x4A, 0x3F, 0xAE, 0xDC, 0x4D,
410 	0x36, 0xA7, 0xD5, 0x44, 0x31, 0xA0, 0xD2, 0x43,
411 	0x24, 0xB5, 0xC7, 0x56, 0x23, 0xB2, 0xC0, 0x51,
412 	0x2A, 0xBB, 0xC9, 0x58, 0x2D, 0xBC, 0xCE, 0x5F,
413 	0x70, 0xE1, 0x93, 0x02, 0x77, 0xE6, 0x94, 0x05,
414 	0x7E, 0xEF, 0x9D, 0x0C, 0x79, 0xE8, 0x9A, 0x0B,
415 	0x6C, 0xFD, 0x8F, 0x1E, 0x6B, 0xFA, 0x88, 0x19,
416 	0x62, 0xF3, 0x81, 0x10, 0x65, 0xF4, 0x86, 0x17,
417 	0x48, 0xD9, 0xAB, 0x3A, 0x4F, 0xDE, 0xAC, 0x3D,
418 	0x46, 0xD7, 0xA5, 0x34, 0x41, 0xD0, 0xA2, 0x33,
419 	0x54, 0xC5, 0xB7, 0x26, 0x53, 0xC2, 0xB0, 0x21,
420 	0x5A, 0xCB, 0xB9, 0x28, 0x5D, 0xCC, 0xBE, 0x2F,
421 	0xE0, 0x71, 0x03, 0x92, 0xE7, 0x76, 0x04, 0x95,
422 	0xEE, 0x7F, 0x0D, 0x9C, 0xE9, 0x78, 0x0A, 0x9B,
423 	0xFC, 0x6D, 0x1F, 0x8E, 0xFB, 0x6A, 0x18, 0x89,
424 	0xF2, 0x63, 0x11, 0x80, 0xF5, 0x64, 0x16, 0x87,
425 	0xD8, 0x49, 0x3B, 0xAA, 0xDF, 0x4E, 0x3C, 0xAD,
426 	0xD6, 0x47, 0x35, 0xA4, 0xD1, 0x40, 0x32, 0xA3,
427 	0xC4, 0x55, 0x27, 0xB6, 0xC3, 0x52, 0x20, 0xB1,
428 	0xCA, 0x5B, 0x29, 0xB8, 0xCD, 0x5C, 0x2E, 0xBF,
429 	0x90, 0x01, 0x73, 0xE2, 0x97, 0x06, 0x74, 0xE5,
430 	0x9E, 0x0F, 0x7D, 0xEC, 0x99, 0x08, 0x7A, 0xEB,
431 	0x8C, 0x1D, 0x6F, 0xFE, 0x8B, 0x1A, 0x68, 0xF9,
432 	0x82, 0x13, 0x61, 0xF0, 0x85, 0x14, 0x66, 0xF7,
433 	0xA8, 0x39, 0x4B, 0xDA, 0xAF, 0x3E, 0x4C, 0xDD,
434 	0xA6, 0x37, 0x45, 0xD4, 0xA1, 0x30, 0x42, 0xD3,
435 	0xB4, 0x25, 0x57, 0xC6, 0xB3, 0x22, 0x50, 0xC1,
436 	0xBA, 0x2B, 0x59, 0xC8, 0xBD, 0x2C, 0x5E, 0xCF
437 };
438 
439 #define INIT_FCS	0xFF
440 #define GOOD_FCS	0xCF
441 
442 static void gsm_dlci_close(struct gsm_dlci *dlci);
443 static int gsmld_output(struct gsm_mux *gsm, u8 *data, int len);
444 static int gsm_modem_update(struct gsm_dlci *dlci, u8 brk);
445 static struct gsm_msg *gsm_data_alloc(struct gsm_mux *gsm, u8 addr, int len,
446 								u8 ctrl);
447 static int gsm_send_packet(struct gsm_mux *gsm, struct gsm_msg *msg);
448 static void gsmld_write_trigger(struct gsm_mux *gsm);
449 static void gsmld_write_task(struct work_struct *work);
450 
451 /**
452  *	gsm_fcs_add	-	update FCS
453  *	@fcs: Current FCS
454  *	@c: Next data
455  *
456  *	Update the FCS to include c. Uses the algorithm in the specification
457  *	notes.
458  */
459 
460 static inline u8 gsm_fcs_add(u8 fcs, u8 c)
461 {
462 	return gsm_fcs8[fcs ^ c];
463 }
464 
465 /**
466  *	gsm_fcs_add_block	-	update FCS for a block
467  *	@fcs: Current FCS
468  *	@c: buffer of data
469  *	@len: length of buffer
470  *
471  *	Update the FCS to include c. Uses the algorithm in the specification
472  *	notes.
473  */
474 
475 static inline u8 gsm_fcs_add_block(u8 fcs, u8 *c, int len)
476 {
477 	while (len--)
478 		fcs = gsm_fcs8[fcs ^ *c++];
479 	return fcs;
480 }
481 
482 /**
483  *	gsm_read_ea		-	read a byte into an EA
484  *	@val: variable holding value
485  *	@c: byte going into the EA
486  *
487  *	Processes one byte of an EA. Updates the passed variable
488  *	and returns 1 if the EA is now completely read
489  */
490 
491 static int gsm_read_ea(unsigned int *val, u8 c)
492 {
493 	/* Add the next 7 bits into the value */
494 	*val <<= 7;
495 	*val |= c >> 1;
496 	/* Was this the last byte of the EA 1 = yes*/
497 	return c & EA;
498 }
499 
500 /**
501  *	gsm_read_ea_val	-	read a value until EA
502  *	@val: variable holding value
503  *	@data: buffer of data
504  *	@dlen: length of data
505  *
506  *	Processes an EA value. Updates the passed variable and
507  *	returns the processed data length.
508  */
509 static unsigned int gsm_read_ea_val(unsigned int *val, const u8 *data, int dlen)
510 {
511 	unsigned int len = 0;
512 
513 	for (; dlen > 0; dlen--) {
514 		len++;
515 		if (gsm_read_ea(val, *data++))
516 			break;
517 	}
518 	return len;
519 }
520 
521 /**
522  *	gsm_encode_modem	-	encode modem data bits
523  *	@dlci: DLCI to encode from
524  *
525  *	Returns the correct GSM encoded modem status bits (6 bit field) for
526  *	the current status of the DLCI and attached tty object
527  */
528 
529 static u8 gsm_encode_modem(const struct gsm_dlci *dlci)
530 {
531 	u8 modembits = 0;
532 	/* FC is true flow control not modem bits */
533 	if (dlci->throttled)
534 		modembits |= MDM_FC;
535 	if (dlci->modem_tx & TIOCM_DTR)
536 		modembits |= MDM_RTC;
537 	if (dlci->modem_tx & TIOCM_RTS)
538 		modembits |= MDM_RTR;
539 	if (dlci->modem_tx & TIOCM_RI)
540 		modembits |= MDM_IC;
541 	if (dlci->modem_tx & TIOCM_CD || dlci->gsm->initiator)
542 		modembits |= MDM_DV;
543 	return modembits;
544 }
545 
546 static void gsm_hex_dump_bytes(const char *fname, const u8 *data,
547 			       unsigned long len)
548 {
549 	char *prefix;
550 
551 	if (!fname) {
552 		print_hex_dump(KERN_INFO, "", DUMP_PREFIX_NONE, 16, 1, data, len,
553 			       true);
554 		return;
555 	}
556 
557 	prefix = kasprintf(GFP_ATOMIC, "%s: ", fname);
558 	if (!prefix)
559 		return;
560 	print_hex_dump(KERN_INFO, prefix, DUMP_PREFIX_OFFSET, 16, 1, data, len,
561 		       true);
562 	kfree(prefix);
563 }
564 
565 /**
566  * gsm_encode_params	-	encode DLCI parameters
567  * @dlci: DLCI to encode from
568  * @params: buffer to fill with the encoded parameters
569  *
570  * Encodes the parameters according to GSM 07.10 section 5.4.6.3.1
571  * table 3.
572  */
573 static int gsm_encode_params(const struct gsm_dlci *dlci,
574 			     struct gsm_dlci_param_bits *params)
575 {
576 	const struct gsm_mux *gsm = dlci->gsm;
577 	unsigned int i, cl;
578 
579 	switch (dlci->ftype) {
580 	case UIH:
581 		i = 0; /* UIH */
582 		break;
583 	case UI:
584 		i = 1; /* UI */
585 		break;
586 	default:
587 		pr_debug("unsupported frame type %d\n", dlci->ftype);
588 		return -EINVAL;
589 	}
590 
591 	switch (dlci->adaption) {
592 	case 1: /* Unstructured */
593 		cl = 0; /* convergence layer type 1 */
594 		break;
595 	case 2: /* Unstructured with modem bits. */
596 		cl = 1; /* convergence layer type 2 */
597 		break;
598 	default:
599 		pr_debug("unsupported adaption %d\n", dlci->adaption);
600 		return -EINVAL;
601 	}
602 
603 	params->d_bits = FIELD_PREP(PN_D_FIELD_DLCI, dlci->addr);
604 	/* UIH, convergence layer type 1 */
605 	params->i_cl_bits = FIELD_PREP(PN_I_CL_FIELD_FTYPE, i) |
606 			    FIELD_PREP(PN_I_CL_FIELD_ADAPTION, cl);
607 	params->p_bits = FIELD_PREP(PN_P_FIELD_PRIO, dlci->prio);
608 	params->t_bits = FIELD_PREP(PN_T_FIELD_T1, gsm->t1);
609 	params->n_bits = cpu_to_le16(FIELD_PREP(PN_N_FIELD_N1, dlci->mtu));
610 	params->na_bits = FIELD_PREP(PN_NA_FIELD_N2, gsm->n2);
611 	params->k_bits = FIELD_PREP(PN_K_FIELD_K, dlci->k);
612 
613 	return 0;
614 }
615 
616 /**
617  *	gsm_register_devices	-	register all tty devices for a given mux index
618  *
619  *	@driver: the tty driver that describes the tty devices
620  *	@index:  the mux number is used to calculate the minor numbers of the
621  *	         ttys for this mux and may differ from the position in the
622  *	         mux array.
623  */
624 static int gsm_register_devices(struct tty_driver *driver, unsigned int index)
625 {
626 	struct device *dev;
627 	int i;
628 	unsigned int base;
629 
630 	if (!driver || index >= MAX_MUX)
631 		return -EINVAL;
632 
633 	base = index * NUM_DLCI; /* first minor for this index */
634 	for (i = 1; i < NUM_DLCI; i++) {
635 		/* Don't register device 0 - this is the control channel
636 		 * and not a usable tty interface
637 		 */
638 		dev = tty_register_device(gsm_tty_driver, base + i, NULL);
639 		if (IS_ERR(dev)) {
640 			if (debug & DBG_ERRORS)
641 				pr_info("%s failed to register device minor %u",
642 					__func__, base + i);
643 			for (i--; i >= 1; i--)
644 				tty_unregister_device(gsm_tty_driver, base + i);
645 			return PTR_ERR(dev);
646 		}
647 	}
648 
649 	return 0;
650 }
651 
652 /**
653  *	gsm_unregister_devices	-	unregister all tty devices for a given mux index
654  *
655  *	@driver: the tty driver that describes the tty devices
656  *	@index:  the mux number is used to calculate the minor numbers of the
657  *	         ttys for this mux and may differ from the position in the
658  *	         mux array.
659  */
660 static void gsm_unregister_devices(struct tty_driver *driver,
661 				   unsigned int index)
662 {
663 	int i;
664 	unsigned int base;
665 
666 	if (!driver || index >= MAX_MUX)
667 		return;
668 
669 	base = index * NUM_DLCI; /* first minor for this index */
670 	for (i = 1; i < NUM_DLCI; i++) {
671 		/* Don't unregister device 0 - this is the control
672 		 * channel and not a usable tty interface
673 		 */
674 		tty_unregister_device(gsm_tty_driver, base + i);
675 	}
676 }
677 
678 /**
679  *	gsm_print_packet	-	display a frame for debug
680  *	@hdr: header to print before decode
681  *	@addr: address EA from the frame
682  *	@cr: C/R bit seen as initiator
683  *	@control: control including PF bit
684  *	@data: following data bytes
685  *	@dlen: length of data
686  *
687  *	Displays a packet in human readable format for debugging purposes. The
688  *	style is based on amateur radio LAP-B dump display.
689  */
690 
691 static void gsm_print_packet(const char *hdr, int addr, int cr,
692 					u8 control, const u8 *data, int dlen)
693 {
694 	if (!(debug & DBG_DUMP))
695 		return;
696 	/* Only show user payload frames if debug & DBG_PAYLOAD */
697 	if (!(debug & DBG_PAYLOAD) && addr != 0)
698 		if ((control & ~PF) == UI || (control & ~PF) == UIH)
699 			return;
700 
701 	pr_info("%s %d) %c: ", hdr, addr, "RC"[cr]);
702 
703 	switch (control & ~PF) {
704 	case SABM:
705 		pr_cont("SABM");
706 		break;
707 	case UA:
708 		pr_cont("UA");
709 		break;
710 	case DISC:
711 		pr_cont("DISC");
712 		break;
713 	case DM:
714 		pr_cont("DM");
715 		break;
716 	case UI:
717 		pr_cont("UI");
718 		break;
719 	case UIH:
720 		pr_cont("UIH");
721 		break;
722 	default:
723 		if (!(control & 0x01)) {
724 			pr_cont("I N(S)%d N(R)%d",
725 				(control & 0x0E) >> 1, (control & 0xE0) >> 5);
726 		} else switch (control & 0x0F) {
727 			case RR:
728 				pr_cont("RR(%d)", (control & 0xE0) >> 5);
729 				break;
730 			case RNR:
731 				pr_cont("RNR(%d)", (control & 0xE0) >> 5);
732 				break;
733 			case REJ:
734 				pr_cont("REJ(%d)", (control & 0xE0) >> 5);
735 				break;
736 			default:
737 				pr_cont("[%02X]", control);
738 		}
739 	}
740 
741 	if (control & PF)
742 		pr_cont("(P)");
743 	else
744 		pr_cont("(F)");
745 
746 	gsm_hex_dump_bytes(NULL, data, dlen);
747 }
748 
749 
750 /*
751  *	Link level transmission side
752  */
753 
754 /**
755  *	gsm_stuff_frame	-	bytestuff a packet
756  *	@input: input buffer
757  *	@output: output buffer
758  *	@len: length of input
759  *
760  *	Expand a buffer by bytestuffing it. The worst case size change
761  *	is doubling and the caller is responsible for handing out
762  *	suitable sized buffers.
763  */
764 
765 static int gsm_stuff_frame(const u8 *input, u8 *output, int len)
766 {
767 	int olen = 0;
768 	while (len--) {
769 		if (*input == GSM1_SOF || *input == GSM1_ESCAPE
770 		    || (*input & ISO_IEC_646_MASK) == XON
771 		    || (*input & ISO_IEC_646_MASK) == XOFF) {
772 			*output++ = GSM1_ESCAPE;
773 			*output++ = *input++ ^ GSM1_ESCAPE_BITS;
774 			olen++;
775 		} else
776 			*output++ = *input++;
777 		olen++;
778 	}
779 	return olen;
780 }
781 
782 /**
783  *	gsm_send	-	send a control frame
784  *	@gsm: our GSM mux
785  *	@addr: address for control frame
786  *	@cr: command/response bit seen as initiator
787  *	@control:  control byte including PF bit
788  *
789  *	Format up and transmit a control frame. These should be transmitted
790  *	ahead of data when they are needed.
791  */
792 static int gsm_send(struct gsm_mux *gsm, int addr, int cr, int control)
793 {
794 	struct gsm_msg *msg;
795 	u8 *dp;
796 	int ocr;
797 	unsigned long flags;
798 
799 	msg = gsm_data_alloc(gsm, addr, 0, control);
800 	if (!msg)
801 		return -ENOMEM;
802 
803 	/* toggle C/R coding if not initiator */
804 	ocr = cr ^ (gsm->initiator ? 0 : 1);
805 
806 	msg->data -= 3;
807 	dp = msg->data;
808 	*dp++ = (addr << 2) | (ocr << 1) | EA;
809 	*dp++ = control;
810 
811 	if (gsm->encoding == GSM_BASIC_OPT)
812 		*dp++ = EA; /* Length of data = 0 */
813 
814 	*dp = 0xFF - gsm_fcs_add_block(INIT_FCS, msg->data, dp - msg->data);
815 	msg->len = (dp - msg->data) + 1;
816 
817 	gsm_print_packet("Q->", addr, cr, control, NULL, 0);
818 
819 	spin_lock_irqsave(&gsm->tx_lock, flags);
820 	list_add_tail(&msg->list, &gsm->tx_ctrl_list);
821 	gsm->tx_bytes += msg->len;
822 	spin_unlock_irqrestore(&gsm->tx_lock, flags);
823 	gsmld_write_trigger(gsm);
824 
825 	return 0;
826 }
827 
828 /**
829  *	gsm_dlci_clear_queues	-	remove outstanding data for a DLCI
830  *	@gsm: mux
831  *	@dlci: clear for this DLCI
832  *
833  *	Clears the data queues for a given DLCI.
834  */
835 static void gsm_dlci_clear_queues(struct gsm_mux *gsm, struct gsm_dlci *dlci)
836 {
837 	struct gsm_msg *msg, *nmsg;
838 	int addr = dlci->addr;
839 	unsigned long flags;
840 
841 	/* Clear DLCI write fifo first */
842 	spin_lock_irqsave(&dlci->lock, flags);
843 	kfifo_reset(&dlci->fifo);
844 	spin_unlock_irqrestore(&dlci->lock, flags);
845 
846 	/* Clear data packets in MUX write queue */
847 	spin_lock_irqsave(&gsm->tx_lock, flags);
848 	list_for_each_entry_safe(msg, nmsg, &gsm->tx_data_list, list) {
849 		if (msg->addr != addr)
850 			continue;
851 		gsm->tx_bytes -= msg->len;
852 		list_del(&msg->list);
853 		kfree(msg);
854 	}
855 	spin_unlock_irqrestore(&gsm->tx_lock, flags);
856 }
857 
858 /**
859  *	gsm_response	-	send a control response
860  *	@gsm: our GSM mux
861  *	@addr: address for control frame
862  *	@control:  control byte including PF bit
863  *
864  *	Format up and transmit a link level response frame.
865  */
866 
867 static inline void gsm_response(struct gsm_mux *gsm, int addr, int control)
868 {
869 	gsm_send(gsm, addr, 0, control);
870 }
871 
872 /**
873  *	gsm_command	-	send a control command
874  *	@gsm: our GSM mux
875  *	@addr: address for control frame
876  *	@control:  control byte including PF bit
877  *
878  *	Format up and transmit a link level command frame.
879  */
880 
881 static inline void gsm_command(struct gsm_mux *gsm, int addr, int control)
882 {
883 	gsm_send(gsm, addr, 1, control);
884 }
885 
886 /* Data transmission */
887 
888 #define HDR_LEN		6	/* ADDR CTRL [LEN.2] DATA FCS */
889 
890 /**
891  *	gsm_data_alloc		-	allocate data frame
892  *	@gsm: GSM mux
893  *	@addr: DLCI address
894  *	@len: length excluding header and FCS
895  *	@ctrl: control byte
896  *
897  *	Allocate a new data buffer for sending frames with data. Space is left
898  *	at the front for header bytes but that is treated as an implementation
899  *	detail and not for the high level code to use
900  */
901 
902 static struct gsm_msg *gsm_data_alloc(struct gsm_mux *gsm, u8 addr, int len,
903 								u8 ctrl)
904 {
905 	struct gsm_msg *m = kmalloc(sizeof(struct gsm_msg) + len + HDR_LEN,
906 								GFP_ATOMIC);
907 	if (m == NULL)
908 		return NULL;
909 	m->data = m->buffer + HDR_LEN - 1;	/* Allow for FCS */
910 	m->len = len;
911 	m->addr = addr;
912 	m->ctrl = ctrl;
913 	INIT_LIST_HEAD(&m->list);
914 	return m;
915 }
916 
917 /**
918  *	gsm_send_packet	-	sends a single packet
919  *	@gsm: GSM Mux
920  *	@msg: packet to send
921  *
922  *	The given packet is encoded and sent out. No memory is freed.
923  *	The caller must hold the gsm tx lock.
924  */
925 static int gsm_send_packet(struct gsm_mux *gsm, struct gsm_msg *msg)
926 {
927 	int len, ret;
928 
929 
930 	if (gsm->encoding == GSM_BASIC_OPT) {
931 		gsm->txframe[0] = GSM0_SOF;
932 		memcpy(gsm->txframe + 1, msg->data, msg->len);
933 		gsm->txframe[msg->len + 1] = GSM0_SOF;
934 		len = msg->len + 2;
935 	} else {
936 		gsm->txframe[0] = GSM1_SOF;
937 		len = gsm_stuff_frame(msg->data, gsm->txframe + 1, msg->len);
938 		gsm->txframe[len + 1] = GSM1_SOF;
939 		len += 2;
940 	}
941 
942 	if (debug & DBG_DATA)
943 		gsm_hex_dump_bytes(__func__, gsm->txframe, len);
944 	gsm_print_packet("-->", msg->addr, gsm->initiator, msg->ctrl, msg->data,
945 			 msg->len);
946 
947 	ret = gsmld_output(gsm, gsm->txframe, len);
948 	if (ret <= 0)
949 		return ret;
950 	/* FIXME: Can eliminate one SOF in many more cases */
951 	gsm->tx_bytes -= msg->len;
952 
953 	return 0;
954 }
955 
956 /**
957  *	gsm_is_flow_ctrl_msg	-	checks if flow control message
958  *	@msg: message to check
959  *
960  *	Returns true if the given message is a flow control command of the
961  *	control channel. False is returned in any other case.
962  */
963 static bool gsm_is_flow_ctrl_msg(struct gsm_msg *msg)
964 {
965 	unsigned int cmd;
966 
967 	if (msg->addr > 0)
968 		return false;
969 
970 	switch (msg->ctrl & ~PF) {
971 	case UI:
972 	case UIH:
973 		cmd = 0;
974 		if (gsm_read_ea_val(&cmd, msg->data + 2, msg->len - 2) < 1)
975 			break;
976 		switch (cmd & ~PF) {
977 		case CMD_FCOFF:
978 		case CMD_FCON:
979 			return true;
980 		}
981 		break;
982 	}
983 
984 	return false;
985 }
986 
987 /**
988  *	gsm_data_kick	-	poke the queue
989  *	@gsm: GSM Mux
990  *
991  *	The tty device has called us to indicate that room has appeared in
992  *	the transmit queue. Ram more data into the pipe if we have any.
993  *	If we have been flow-stopped by a CMD_FCOFF, then we can only
994  *	send messages on DLCI0 until CMD_FCON. The caller must hold
995  *	the gsm tx lock.
996  */
997 static int gsm_data_kick(struct gsm_mux *gsm)
998 {
999 	struct gsm_msg *msg, *nmsg;
1000 	struct gsm_dlci *dlci;
1001 	int ret;
1002 
1003 	clear_bit(TTY_DO_WRITE_WAKEUP, &gsm->tty->flags);
1004 
1005 	/* Serialize control messages and control channel messages first */
1006 	list_for_each_entry_safe(msg, nmsg, &gsm->tx_ctrl_list, list) {
1007 		if (gsm->constipated && !gsm_is_flow_ctrl_msg(msg))
1008 			continue;
1009 		ret = gsm_send_packet(gsm, msg);
1010 		switch (ret) {
1011 		case -ENOSPC:
1012 			return -ENOSPC;
1013 		case -ENODEV:
1014 			/* ldisc not open */
1015 			gsm->tx_bytes -= msg->len;
1016 			list_del(&msg->list);
1017 			kfree(msg);
1018 			continue;
1019 		default:
1020 			if (ret >= 0) {
1021 				list_del(&msg->list);
1022 				kfree(msg);
1023 			}
1024 			break;
1025 		}
1026 	}
1027 
1028 	if (gsm->constipated)
1029 		return -EAGAIN;
1030 
1031 	/* Serialize other channels */
1032 	if (list_empty(&gsm->tx_data_list))
1033 		return 0;
1034 	list_for_each_entry_safe(msg, nmsg, &gsm->tx_data_list, list) {
1035 		dlci = gsm->dlci[msg->addr];
1036 		/* Send only messages for DLCIs with valid state */
1037 		if (dlci->state != DLCI_OPEN) {
1038 			gsm->tx_bytes -= msg->len;
1039 			list_del(&msg->list);
1040 			kfree(msg);
1041 			continue;
1042 		}
1043 		ret = gsm_send_packet(gsm, msg);
1044 		switch (ret) {
1045 		case -ENOSPC:
1046 			return -ENOSPC;
1047 		case -ENODEV:
1048 			/* ldisc not open */
1049 			gsm->tx_bytes -= msg->len;
1050 			list_del(&msg->list);
1051 			kfree(msg);
1052 			continue;
1053 		default:
1054 			if (ret >= 0) {
1055 				list_del(&msg->list);
1056 				kfree(msg);
1057 			}
1058 			break;
1059 		}
1060 	}
1061 
1062 	return 1;
1063 }
1064 
1065 /**
1066  *	__gsm_data_queue		-	queue a UI or UIH frame
1067  *	@dlci: DLCI sending the data
1068  *	@msg: message queued
1069  *
1070  *	Add data to the transmit queue and try and get stuff moving
1071  *	out of the mux tty if not already doing so. The Caller must hold
1072  *	the gsm tx lock.
1073  */
1074 
1075 static void __gsm_data_queue(struct gsm_dlci *dlci, struct gsm_msg *msg)
1076 {
1077 	struct gsm_mux *gsm = dlci->gsm;
1078 	u8 *dp = msg->data;
1079 	u8 *fcs = dp + msg->len;
1080 
1081 	/* Fill in the header */
1082 	if (gsm->encoding == GSM_BASIC_OPT) {
1083 		if (msg->len < 128)
1084 			*--dp = (msg->len << 1) | EA;
1085 		else {
1086 			*--dp = (msg->len >> 7);	/* bits 7 - 15 */
1087 			*--dp = (msg->len & 127) << 1;	/* bits 0 - 6 */
1088 		}
1089 	}
1090 
1091 	*--dp = msg->ctrl;
1092 	if (gsm->initiator)
1093 		*--dp = (msg->addr << 2) | CR | EA;
1094 	else
1095 		*--dp = (msg->addr << 2) | EA;
1096 	*fcs = gsm_fcs_add_block(INIT_FCS, dp , msg->data - dp);
1097 	/* Ugly protocol layering violation */
1098 	if (msg->ctrl == UI || msg->ctrl == (UI|PF))
1099 		*fcs = gsm_fcs_add_block(*fcs, msg->data, msg->len);
1100 	*fcs = 0xFF - *fcs;
1101 
1102 	gsm_print_packet("Q> ", msg->addr, gsm->initiator, msg->ctrl,
1103 							msg->data, msg->len);
1104 
1105 	/* Move the header back and adjust the length, also allow for the FCS
1106 	   now tacked on the end */
1107 	msg->len += (msg->data - dp) + 1;
1108 	msg->data = dp;
1109 
1110 	/* Add to the actual output queue */
1111 	switch (msg->ctrl & ~PF) {
1112 	case UI:
1113 	case UIH:
1114 		if (msg->addr > 0) {
1115 			list_add_tail(&msg->list, &gsm->tx_data_list);
1116 			break;
1117 		}
1118 		fallthrough;
1119 	default:
1120 		list_add_tail(&msg->list, &gsm->tx_ctrl_list);
1121 		break;
1122 	}
1123 	gsm->tx_bytes += msg->len;
1124 
1125 	gsmld_write_trigger(gsm);
1126 	mod_timer(&gsm->kick_timer, jiffies + 10 * gsm->t1 * HZ / 100);
1127 }
1128 
1129 /**
1130  *	gsm_data_queue		-	queue a UI or UIH frame
1131  *	@dlci: DLCI sending the data
1132  *	@msg: message queued
1133  *
1134  *	Add data to the transmit queue and try and get stuff moving
1135  *	out of the mux tty if not already doing so. Take the
1136  *	the gsm tx lock and dlci lock.
1137  */
1138 
1139 static void gsm_data_queue(struct gsm_dlci *dlci, struct gsm_msg *msg)
1140 {
1141 	unsigned long flags;
1142 	spin_lock_irqsave(&dlci->gsm->tx_lock, flags);
1143 	__gsm_data_queue(dlci, msg);
1144 	spin_unlock_irqrestore(&dlci->gsm->tx_lock, flags);
1145 }
1146 
1147 /**
1148  *	gsm_dlci_data_output	-	try and push data out of a DLCI
1149  *	@gsm: mux
1150  *	@dlci: the DLCI to pull data from
1151  *
1152  *	Pull data from a DLCI and send it into the transmit queue if there
1153  *	is data. Keep to the MRU of the mux. This path handles the usual tty
1154  *	interface which is a byte stream with optional modem data.
1155  *
1156  *	Caller must hold the tx_lock of the mux.
1157  */
1158 
1159 static int gsm_dlci_data_output(struct gsm_mux *gsm, struct gsm_dlci *dlci)
1160 {
1161 	struct gsm_msg *msg;
1162 	u8 *dp;
1163 	int h, len, size;
1164 
1165 	/* for modem bits without break data */
1166 	h = ((dlci->adaption == 1) ? 0 : 1);
1167 
1168 	len = kfifo_len(&dlci->fifo);
1169 	if (len == 0)
1170 		return 0;
1171 
1172 	/* MTU/MRU count only the data bits but watch adaption mode */
1173 	if ((len + h) > dlci->mtu)
1174 		len = dlci->mtu - h;
1175 
1176 	size = len + h;
1177 
1178 	msg = gsm_data_alloc(gsm, dlci->addr, size, dlci->ftype);
1179 	if (!msg)
1180 		return -ENOMEM;
1181 	dp = msg->data;
1182 	switch (dlci->adaption) {
1183 	case 1: /* Unstructured */
1184 		break;
1185 	case 2: /* Unstructured with modem bits.
1186 		 * Always one byte as we never send inline break data
1187 		 */
1188 		*dp++ = (gsm_encode_modem(dlci) << 1) | EA;
1189 		break;
1190 	default:
1191 		pr_err("%s: unsupported adaption %d\n", __func__,
1192 		       dlci->adaption);
1193 		break;
1194 	}
1195 
1196 	WARN_ON(len != kfifo_out_locked(&dlci->fifo, dp, len,
1197 		&dlci->lock));
1198 
1199 	/* Notify upper layer about available send space. */
1200 	tty_port_tty_wakeup(&dlci->port);
1201 
1202 	__gsm_data_queue(dlci, msg);
1203 	/* Bytes of data we used up */
1204 	return size;
1205 }
1206 
1207 /**
1208  *	gsm_dlci_data_output_framed  -	try and push data out of a DLCI
1209  *	@gsm: mux
1210  *	@dlci: the DLCI to pull data from
1211  *
1212  *	Pull data from a DLCI and send it into the transmit queue if there
1213  *	is data. Keep to the MRU of the mux. This path handles framed data
1214  *	queued as skbuffs to the DLCI.
1215  *
1216  *	Caller must hold the tx_lock of the mux.
1217  */
1218 
1219 static int gsm_dlci_data_output_framed(struct gsm_mux *gsm,
1220 						struct gsm_dlci *dlci)
1221 {
1222 	struct gsm_msg *msg;
1223 	u8 *dp;
1224 	int len, size;
1225 	int last = 0, first = 0;
1226 	int overhead = 0;
1227 
1228 	/* One byte per frame is used for B/F flags */
1229 	if (dlci->adaption == 4)
1230 		overhead = 1;
1231 
1232 	/* dlci->skb is locked by tx_lock */
1233 	if (dlci->skb == NULL) {
1234 		dlci->skb = skb_dequeue_tail(&dlci->skb_list);
1235 		if (dlci->skb == NULL)
1236 			return 0;
1237 		first = 1;
1238 	}
1239 	len = dlci->skb->len + overhead;
1240 
1241 	/* MTU/MRU count only the data bits */
1242 	if (len > dlci->mtu) {
1243 		if (dlci->adaption == 3) {
1244 			/* Over long frame, bin it */
1245 			dev_kfree_skb_any(dlci->skb);
1246 			dlci->skb = NULL;
1247 			return 0;
1248 		}
1249 		len = dlci->mtu;
1250 	} else
1251 		last = 1;
1252 
1253 	size = len + overhead;
1254 	msg = gsm_data_alloc(gsm, dlci->addr, size, dlci->ftype);
1255 	if (msg == NULL) {
1256 		skb_queue_tail(&dlci->skb_list, dlci->skb);
1257 		dlci->skb = NULL;
1258 		return -ENOMEM;
1259 	}
1260 	dp = msg->data;
1261 
1262 	if (dlci->adaption == 4) { /* Interruptible framed (Packetised Data) */
1263 		/* Flag byte to carry the start/end info */
1264 		*dp++ = last << 7 | first << 6 | 1;	/* EA */
1265 		len--;
1266 	}
1267 	memcpy(dp, dlci->skb->data, len);
1268 	skb_pull(dlci->skb, len);
1269 	__gsm_data_queue(dlci, msg);
1270 	if (last) {
1271 		dev_kfree_skb_any(dlci->skb);
1272 		dlci->skb = NULL;
1273 	}
1274 	return size;
1275 }
1276 
1277 /**
1278  *	gsm_dlci_modem_output	-	try and push modem status out of a DLCI
1279  *	@gsm: mux
1280  *	@dlci: the DLCI to pull modem status from
1281  *	@brk: break signal
1282  *
1283  *	Push an empty frame in to the transmit queue to update the modem status
1284  *	bits and to transmit an optional break.
1285  *
1286  *	Caller must hold the tx_lock of the mux.
1287  */
1288 
1289 static int gsm_dlci_modem_output(struct gsm_mux *gsm, struct gsm_dlci *dlci,
1290 				 u8 brk)
1291 {
1292 	u8 *dp = NULL;
1293 	struct gsm_msg *msg;
1294 	int size = 0;
1295 
1296 	/* for modem bits without break data */
1297 	switch (dlci->adaption) {
1298 	case 1: /* Unstructured */
1299 		break;
1300 	case 2: /* Unstructured with modem bits. */
1301 		size++;
1302 		if (brk > 0)
1303 			size++;
1304 		break;
1305 	default:
1306 		pr_err("%s: unsupported adaption %d\n", __func__,
1307 		       dlci->adaption);
1308 		return -EINVAL;
1309 	}
1310 
1311 	msg = gsm_data_alloc(gsm, dlci->addr, size, dlci->ftype);
1312 	if (!msg) {
1313 		pr_err("%s: gsm_data_alloc error", __func__);
1314 		return -ENOMEM;
1315 	}
1316 	dp = msg->data;
1317 	switch (dlci->adaption) {
1318 	case 1: /* Unstructured */
1319 		break;
1320 	case 2: /* Unstructured with modem bits. */
1321 		if (brk == 0) {
1322 			*dp++ = (gsm_encode_modem(dlci) << 1) | EA;
1323 		} else {
1324 			*dp++ = gsm_encode_modem(dlci) << 1;
1325 			*dp++ = (brk << 4) | 2 | EA; /* Length, Break, EA */
1326 		}
1327 		break;
1328 	default:
1329 		/* Handled above */
1330 		break;
1331 	}
1332 
1333 	__gsm_data_queue(dlci, msg);
1334 	return size;
1335 }
1336 
1337 /**
1338  *	gsm_dlci_data_sweep		-	look for data to send
1339  *	@gsm: the GSM mux
1340  *
1341  *	Sweep the GSM mux channels in priority order looking for ones with
1342  *	data to send. We could do with optimising this scan a bit. We aim
1343  *	to fill the queue totally or up to TX_THRESH_HI bytes. Once we hit
1344  *	TX_THRESH_LO we get called again
1345  *
1346  *	FIXME: We should round robin between groups and in theory you can
1347  *	renegotiate DLCI priorities with optional stuff. Needs optimising.
1348  */
1349 
1350 static int gsm_dlci_data_sweep(struct gsm_mux *gsm)
1351 {
1352 	/* Priority ordering: We should do priority with RR of the groups */
1353 	int i, len, ret = 0;
1354 	bool sent;
1355 	struct gsm_dlci *dlci;
1356 
1357 	while (gsm->tx_bytes < TX_THRESH_HI) {
1358 		for (sent = false, i = 1; i < NUM_DLCI; i++) {
1359 			dlci = gsm->dlci[i];
1360 			/* skip unused or blocked channel */
1361 			if (!dlci || dlci->constipated)
1362 				continue;
1363 			/* skip channels with invalid state */
1364 			if (dlci->state != DLCI_OPEN)
1365 				continue;
1366 			/* count the sent data per adaption */
1367 			if (dlci->adaption < 3 && !dlci->net)
1368 				len = gsm_dlci_data_output(gsm, dlci);
1369 			else
1370 				len = gsm_dlci_data_output_framed(gsm, dlci);
1371 			/* on error exit */
1372 			if (len < 0)
1373 				return ret;
1374 			if (len > 0) {
1375 				ret++;
1376 				sent = true;
1377 				/* The lower DLCs can starve the higher DLCs! */
1378 				break;
1379 			}
1380 			/* try next */
1381 		}
1382 		if (!sent)
1383 			break;
1384 	}
1385 
1386 	return ret;
1387 }
1388 
1389 /**
1390  *	gsm_dlci_data_kick	-	transmit if possible
1391  *	@dlci: DLCI to kick
1392  *
1393  *	Transmit data from this DLCI if the queue is empty. We can't rely on
1394  *	a tty wakeup except when we filled the pipe so we need to fire off
1395  *	new data ourselves in other cases.
1396  */
1397 
1398 static void gsm_dlci_data_kick(struct gsm_dlci *dlci)
1399 {
1400 	unsigned long flags;
1401 	int sweep;
1402 
1403 	if (dlci->constipated)
1404 		return;
1405 
1406 	spin_lock_irqsave(&dlci->gsm->tx_lock, flags);
1407 	/* If we have nothing running then we need to fire up */
1408 	sweep = (dlci->gsm->tx_bytes < TX_THRESH_LO);
1409 	if (dlci->gsm->tx_bytes == 0) {
1410 		if (dlci->net)
1411 			gsm_dlci_data_output_framed(dlci->gsm, dlci);
1412 		else
1413 			gsm_dlci_data_output(dlci->gsm, dlci);
1414 	}
1415 	if (sweep)
1416 		gsm_dlci_data_sweep(dlci->gsm);
1417 	spin_unlock_irqrestore(&dlci->gsm->tx_lock, flags);
1418 }
1419 
1420 /*
1421  *	Control message processing
1422  */
1423 
1424 
1425 /**
1426  * gsm_control_command	-	send a command frame to a control
1427  * @gsm: gsm channel
1428  * @cmd: the command to use
1429  * @data: data to follow encoded info
1430  * @dlen: length of data
1431  *
1432  * Encode up and queue a UI/UIH frame containing our command.
1433  */
1434 static int gsm_control_command(struct gsm_mux *gsm, int cmd, const u8 *data,
1435 			       int dlen)
1436 {
1437 	struct gsm_msg *msg;
1438 
1439 	msg = gsm_data_alloc(gsm, 0, dlen + 2, gsm->dlci[0]->ftype);
1440 	if (msg == NULL)
1441 		return -ENOMEM;
1442 
1443 	msg->data[0] = (cmd << 1) | CR | EA;	/* Set C/R */
1444 	msg->data[1] = (dlen << 1) | EA;
1445 	memcpy(msg->data + 2, data, dlen);
1446 	gsm_data_queue(gsm->dlci[0], msg);
1447 
1448 	return 0;
1449 }
1450 
1451 /**
1452  *	gsm_control_reply	-	send a response frame to a control
1453  *	@gsm: gsm channel
1454  *	@cmd: the command to use
1455  *	@data: data to follow encoded info
1456  *	@dlen: length of data
1457  *
1458  *	Encode up and queue a UI/UIH frame containing our response.
1459  */
1460 
1461 static void gsm_control_reply(struct gsm_mux *gsm, int cmd, const u8 *data,
1462 					int dlen)
1463 {
1464 	struct gsm_msg *msg;
1465 
1466 	msg = gsm_data_alloc(gsm, 0, dlen + 2, gsm->dlci[0]->ftype);
1467 	if (msg == NULL)
1468 		return;
1469 	msg->data[0] = (cmd & 0xFE) << 1 | EA;	/* Clear C/R */
1470 	msg->data[1] = (dlen << 1) | EA;
1471 	memcpy(msg->data + 2, data, dlen);
1472 	gsm_data_queue(gsm->dlci[0], msg);
1473 }
1474 
1475 /**
1476  *	gsm_process_modem	-	process received modem status
1477  *	@tty: virtual tty bound to the DLCI
1478  *	@dlci: DLCI to affect
1479  *	@modem: modem bits (full EA)
1480  *	@slen: number of signal octets
1481  *
1482  *	Used when a modem control message or line state inline in adaption
1483  *	layer 2 is processed. Sort out the local modem state and throttles
1484  */
1485 
1486 static void gsm_process_modem(struct tty_struct *tty, struct gsm_dlci *dlci,
1487 							u32 modem, int slen)
1488 {
1489 	int  mlines = 0;
1490 	u8 brk = 0;
1491 	int fc;
1492 
1493 	/* The modem status command can either contain one octet (V.24 signals)
1494 	 * or two octets (V.24 signals + break signals). This is specified in
1495 	 * section 5.4.6.3.7 of the 07.10 mux spec.
1496 	 */
1497 
1498 	if (slen == 1)
1499 		modem = modem & 0x7f;
1500 	else {
1501 		brk = modem & 0x7f;
1502 		modem = (modem >> 7) & 0x7f;
1503 	}
1504 
1505 	/* Flow control/ready to communicate */
1506 	fc = (modem & MDM_FC) || !(modem & MDM_RTR);
1507 	if (fc && !dlci->constipated) {
1508 		/* Need to throttle our output on this device */
1509 		dlci->constipated = true;
1510 	} else if (!fc && dlci->constipated) {
1511 		dlci->constipated = false;
1512 		gsm_dlci_data_kick(dlci);
1513 	}
1514 
1515 	/* Map modem bits */
1516 	if (modem & MDM_RTC)
1517 		mlines |= TIOCM_DSR | TIOCM_DTR;
1518 	if (modem & MDM_RTR)
1519 		mlines |= TIOCM_RTS | TIOCM_CTS;
1520 	if (modem & MDM_IC)
1521 		mlines |= TIOCM_RI;
1522 	if (modem & MDM_DV)
1523 		mlines |= TIOCM_CD;
1524 
1525 	/* Carrier drop -> hangup */
1526 	if (tty) {
1527 		if ((mlines & TIOCM_CD) == 0 && (dlci->modem_rx & TIOCM_CD))
1528 			if (!C_CLOCAL(tty))
1529 				tty_hangup(tty);
1530 	}
1531 	if (brk & 0x01)
1532 		tty_insert_flip_char(&dlci->port, 0, TTY_BREAK);
1533 	dlci->modem_rx = mlines;
1534 }
1535 
1536 /**
1537  * gsm_process_negotiation	-	process received parameters
1538  * @gsm: GSM channel
1539  * @addr: DLCI address
1540  * @cr: command/response
1541  * @params: encoded parameters from the parameter negotiation message
1542  *
1543  * Used when the response for our parameter negotiation command was
1544  * received.
1545  */
1546 static int gsm_process_negotiation(struct gsm_mux *gsm, unsigned int addr,
1547 				   unsigned int cr,
1548 				   const struct gsm_dlci_param_bits *params)
1549 {
1550 	struct gsm_dlci *dlci = gsm->dlci[addr];
1551 	unsigned int ftype, i, adaption, prio, n1, k;
1552 
1553 	i = FIELD_GET(PN_I_CL_FIELD_FTYPE, params->i_cl_bits);
1554 	adaption = FIELD_GET(PN_I_CL_FIELD_ADAPTION, params->i_cl_bits) + 1;
1555 	prio = FIELD_GET(PN_P_FIELD_PRIO, params->p_bits);
1556 	n1 = FIELD_GET(PN_N_FIELD_N1, get_unaligned_le16(&params->n_bits));
1557 	k = FIELD_GET(PN_K_FIELD_K, params->k_bits);
1558 
1559 	if (n1 < MIN_MTU) {
1560 		if (debug & DBG_ERRORS)
1561 			pr_info("%s N1 out of range in PN\n", __func__);
1562 		return -EINVAL;
1563 	}
1564 
1565 	switch (i) {
1566 	case 0x00:
1567 		ftype = UIH;
1568 		break;
1569 	case 0x01:
1570 		ftype = UI;
1571 		break;
1572 	case 0x02: /* I frames are not supported */
1573 		if (debug & DBG_ERRORS)
1574 			pr_info("%s unsupported I frame request in PN\n",
1575 				__func__);
1576 		return -EINVAL;
1577 	default:
1578 		if (debug & DBG_ERRORS)
1579 			pr_info("%s i out of range in PN\n", __func__);
1580 		return -EINVAL;
1581 	}
1582 
1583 	if (!cr && gsm->initiator) {
1584 		if (adaption != dlci->adaption) {
1585 			if (debug & DBG_ERRORS)
1586 				pr_info("%s invalid adaption %d in PN\n",
1587 					__func__, adaption);
1588 			return -EINVAL;
1589 		}
1590 		if (prio != dlci->prio) {
1591 			if (debug & DBG_ERRORS)
1592 				pr_info("%s invalid priority %d in PN",
1593 					__func__, prio);
1594 			return -EINVAL;
1595 		}
1596 		if (n1 > gsm->mru || n1 > dlci->mtu) {
1597 			/* We requested a frame size but the other party wants
1598 			 * to send larger frames. The standard allows only a
1599 			 * smaller response value than requested (5.4.6.3.1).
1600 			 */
1601 			if (debug & DBG_ERRORS)
1602 				pr_info("%s invalid N1 %d in PN\n", __func__,
1603 					n1);
1604 			return -EINVAL;
1605 		}
1606 		dlci->mtu = n1;
1607 		if (ftype != dlci->ftype) {
1608 			if (debug & DBG_ERRORS)
1609 				pr_info("%s invalid i %d in PN\n", __func__, i);
1610 			return -EINVAL;
1611 		}
1612 		if (ftype != UI && ftype != UIH && k > dlci->k) {
1613 			if (debug & DBG_ERRORS)
1614 				pr_info("%s invalid k %d in PN\n", __func__, k);
1615 			return -EINVAL;
1616 		}
1617 		dlci->k = k;
1618 	} else if (cr && !gsm->initiator) {
1619 		/* Only convergence layer type 1 and 2 are supported. */
1620 		if (adaption != 1 && adaption != 2) {
1621 			if (debug & DBG_ERRORS)
1622 				pr_info("%s invalid adaption %d in PN\n",
1623 					__func__, adaption);
1624 			return -EINVAL;
1625 		}
1626 		dlci->adaption = adaption;
1627 		if (n1 > gsm->mru) {
1628 			/* Propose a smaller value */
1629 			dlci->mtu = gsm->mru;
1630 		} else if (n1 > MAX_MTU) {
1631 			/* Propose a smaller value */
1632 			dlci->mtu = MAX_MTU;
1633 		} else {
1634 			dlci->mtu = n1;
1635 		}
1636 		dlci->prio = prio;
1637 		dlci->ftype = ftype;
1638 		dlci->k = k;
1639 	} else {
1640 		return -EINVAL;
1641 	}
1642 
1643 	return 0;
1644 }
1645 
1646 /**
1647  *	gsm_control_modem	-	modem status received
1648  *	@gsm: GSM channel
1649  *	@data: data following command
1650  *	@clen: command length
1651  *
1652  *	We have received a modem status control message. This is used by
1653  *	the GSM mux protocol to pass virtual modem line status and optionally
1654  *	to indicate break signals. Unpack it, convert to Linux representation
1655  *	and if need be stuff a break message down the tty.
1656  */
1657 
1658 static void gsm_control_modem(struct gsm_mux *gsm, const u8 *data, int clen)
1659 {
1660 	unsigned int addr = 0;
1661 	unsigned int modem = 0;
1662 	struct gsm_dlci *dlci;
1663 	int len = clen;
1664 	int cl = clen;
1665 	const u8 *dp = data;
1666 	struct tty_struct *tty;
1667 
1668 	len = gsm_read_ea_val(&addr, data, cl);
1669 	if (len < 1)
1670 		return;
1671 
1672 	addr >>= 1;
1673 	/* Closed port, or invalid ? */
1674 	if (addr == 0 || addr >= NUM_DLCI || gsm->dlci[addr] == NULL)
1675 		return;
1676 	dlci = gsm->dlci[addr];
1677 
1678 	/* Must be at least one byte following the EA */
1679 	if ((cl - len) < 1)
1680 		return;
1681 
1682 	dp += len;
1683 	cl -= len;
1684 
1685 	/* get the modem status */
1686 	len = gsm_read_ea_val(&modem, dp, cl);
1687 	if (len < 1)
1688 		return;
1689 
1690 	tty = tty_port_tty_get(&dlci->port);
1691 	gsm_process_modem(tty, dlci, modem, cl);
1692 	if (tty) {
1693 		tty_wakeup(tty);
1694 		tty_kref_put(tty);
1695 	}
1696 	gsm_control_reply(gsm, CMD_MSC, data, clen);
1697 }
1698 
1699 /**
1700  * gsm_control_negotiation	-	parameter negotiation received
1701  * @gsm: GSM channel
1702  * @cr: command/response flag
1703  * @data: data following command
1704  * @dlen: data length
1705  *
1706  * We have received a parameter negotiation message. This is used by
1707  * the GSM mux protocol to configure protocol parameters for a new DLCI.
1708  */
1709 static void gsm_control_negotiation(struct gsm_mux *gsm, unsigned int cr,
1710 				    const u8 *data, unsigned int dlen)
1711 {
1712 	unsigned int addr;
1713 	struct gsm_dlci_param_bits pn_reply;
1714 	struct gsm_dlci *dlci;
1715 	struct gsm_dlci_param_bits *params;
1716 
1717 	if (dlen < sizeof(struct gsm_dlci_param_bits))
1718 		return;
1719 
1720 	/* Invalid DLCI? */
1721 	params = (struct gsm_dlci_param_bits *)data;
1722 	addr = FIELD_GET(PN_D_FIELD_DLCI, params->d_bits);
1723 	if (addr == 0 || addr >= NUM_DLCI || !gsm->dlci[addr])
1724 		return;
1725 	dlci = gsm->dlci[addr];
1726 
1727 	/* Too late for parameter negotiation? */
1728 	if ((!cr && dlci->state == DLCI_OPENING) || dlci->state == DLCI_OPEN)
1729 		return;
1730 
1731 	/* Process the received parameters */
1732 	if (gsm_process_negotiation(gsm, addr, cr, params) != 0) {
1733 		/* Negotiation failed. Close the link. */
1734 		if (debug & DBG_ERRORS)
1735 			pr_info("%s PN failed\n", __func__);
1736 		gsm_dlci_close(dlci);
1737 		return;
1738 	}
1739 
1740 	if (cr) {
1741 		/* Reply command with accepted parameters. */
1742 		if (gsm_encode_params(dlci, &pn_reply) == 0)
1743 			gsm_control_reply(gsm, CMD_PN, (const u8 *)&pn_reply,
1744 					  sizeof(pn_reply));
1745 		else if (debug & DBG_ERRORS)
1746 			pr_info("%s PN invalid\n", __func__);
1747 	} else if (dlci->state == DLCI_CONFIGURE) {
1748 		/* Proceed with link setup by sending SABM before UA */
1749 		dlci->state = DLCI_OPENING;
1750 		gsm_command(gsm, dlci->addr, SABM|PF);
1751 		mod_timer(&dlci->t1, jiffies + gsm->t1 * HZ / 100);
1752 	} else {
1753 		if (debug & DBG_ERRORS)
1754 			pr_info("%s PN in invalid state\n", __func__);
1755 	}
1756 }
1757 
1758 /**
1759  *	gsm_control_rls		-	remote line status
1760  *	@gsm: GSM channel
1761  *	@data: data bytes
1762  *	@clen: data length
1763  *
1764  *	The modem sends us a two byte message on the control channel whenever
1765  *	it wishes to send us an error state from the virtual link. Stuff
1766  *	this into the uplink tty if present
1767  */
1768 
1769 static void gsm_control_rls(struct gsm_mux *gsm, const u8 *data, int clen)
1770 {
1771 	struct tty_port *port;
1772 	unsigned int addr = 0;
1773 	u8 bits;
1774 	int len = clen;
1775 	const u8 *dp = data;
1776 
1777 	while (gsm_read_ea(&addr, *dp++) == 0) {
1778 		len--;
1779 		if (len == 0)
1780 			return;
1781 	}
1782 	/* Must be at least one byte following ea */
1783 	len--;
1784 	if (len <= 0)
1785 		return;
1786 	addr >>= 1;
1787 	/* Closed port, or invalid ? */
1788 	if (addr == 0 || addr >= NUM_DLCI || gsm->dlci[addr] == NULL)
1789 		return;
1790 	/* No error ? */
1791 	bits = *dp;
1792 	if ((bits & 1) == 0)
1793 		return;
1794 
1795 	port = &gsm->dlci[addr]->port;
1796 
1797 	if (bits & 2)
1798 		tty_insert_flip_char(port, 0, TTY_OVERRUN);
1799 	if (bits & 4)
1800 		tty_insert_flip_char(port, 0, TTY_PARITY);
1801 	if (bits & 8)
1802 		tty_insert_flip_char(port, 0, TTY_FRAME);
1803 
1804 	tty_flip_buffer_push(port);
1805 
1806 	gsm_control_reply(gsm, CMD_RLS, data, clen);
1807 }
1808 
1809 static void gsm_dlci_begin_close(struct gsm_dlci *dlci);
1810 
1811 /**
1812  *	gsm_control_message	-	DLCI 0 control processing
1813  *	@gsm: our GSM mux
1814  *	@command:  the command EA
1815  *	@data: data beyond the command/length EAs
1816  *	@clen: length
1817  *
1818  *	Input processor for control messages from the other end of the link.
1819  *	Processes the incoming request and queues a response frame or an
1820  *	NSC response if not supported
1821  */
1822 
1823 static void gsm_control_message(struct gsm_mux *gsm, unsigned int command,
1824 						const u8 *data, int clen)
1825 {
1826 	u8 buf[1];
1827 
1828 	switch (command) {
1829 	case CMD_CLD: {
1830 		struct gsm_dlci *dlci = gsm->dlci[0];
1831 		/* Modem wishes to close down */
1832 		if (dlci) {
1833 			dlci->dead = true;
1834 			gsm->dead = true;
1835 			gsm_dlci_begin_close(dlci);
1836 		}
1837 		}
1838 		break;
1839 	case CMD_TEST:
1840 		/* Modem wishes to test, reply with the data */
1841 		gsm_control_reply(gsm, CMD_TEST, data, clen);
1842 		break;
1843 	case CMD_FCON:
1844 		/* Modem can accept data again */
1845 		gsm->constipated = false;
1846 		gsm_control_reply(gsm, CMD_FCON, NULL, 0);
1847 		/* Kick the link in case it is idling */
1848 		gsmld_write_trigger(gsm);
1849 		break;
1850 	case CMD_FCOFF:
1851 		/* Modem wants us to STFU */
1852 		gsm->constipated = true;
1853 		gsm_control_reply(gsm, CMD_FCOFF, NULL, 0);
1854 		break;
1855 	case CMD_MSC:
1856 		/* Out of band modem line change indicator for a DLCI */
1857 		gsm_control_modem(gsm, data, clen);
1858 		break;
1859 	case CMD_RLS:
1860 		/* Out of band error reception for a DLCI */
1861 		gsm_control_rls(gsm, data, clen);
1862 		break;
1863 	case CMD_PSC:
1864 		/* Modem wishes to enter power saving state */
1865 		gsm_control_reply(gsm, CMD_PSC, NULL, 0);
1866 		break;
1867 		/* Optional commands */
1868 	case CMD_PN:
1869 		/* Modem sends a parameter negotiation command */
1870 		gsm_control_negotiation(gsm, 1, data, clen);
1871 		break;
1872 		/* Optional unsupported commands */
1873 	case CMD_RPN:	/* Remote port negotiation */
1874 	case CMD_SNC:	/* Service negotiation command */
1875 	default:
1876 		/* Reply to bad commands with an NSC */
1877 		buf[0] = command;
1878 		gsm_control_reply(gsm, CMD_NSC, buf, 1);
1879 		break;
1880 	}
1881 }
1882 
1883 /**
1884  *	gsm_control_response	-	process a response to our control
1885  *	@gsm: our GSM mux
1886  *	@command: the command (response) EA
1887  *	@data: data beyond the command/length EA
1888  *	@clen: length
1889  *
1890  *	Process a response to an outstanding command. We only allow a single
1891  *	control message in flight so this is fairly easy. All the clean up
1892  *	is done by the caller, we just update the fields, flag it as done
1893  *	and return
1894  */
1895 
1896 static void gsm_control_response(struct gsm_mux *gsm, unsigned int command,
1897 						const u8 *data, int clen)
1898 {
1899 	struct gsm_control *ctrl;
1900 	unsigned long flags;
1901 
1902 	spin_lock_irqsave(&gsm->control_lock, flags);
1903 
1904 	ctrl = gsm->pending_cmd;
1905 	command |= 1;
1906 	/* Does the reply match our command */
1907 	if (ctrl != NULL && (command == ctrl->cmd || command == CMD_NSC)) {
1908 		/* Our command was replied to, kill the retry timer */
1909 		del_timer(&gsm->t2_timer);
1910 		gsm->pending_cmd = NULL;
1911 		/* Rejected by the other end */
1912 		if (command == CMD_NSC)
1913 			ctrl->error = -EOPNOTSUPP;
1914 		ctrl->done = 1;
1915 		wake_up(&gsm->event);
1916 	/* Or did we receive the PN response to our PN command */
1917 	} else if (command == CMD_PN) {
1918 		gsm_control_negotiation(gsm, 0, data, clen);
1919 	}
1920 	spin_unlock_irqrestore(&gsm->control_lock, flags);
1921 }
1922 
1923 /**
1924  *	gsm_control_transmit	-	send control packet
1925  *	@gsm: gsm mux
1926  *	@ctrl: frame to send
1927  *
1928  *	Send out a pending control command (called under control lock)
1929  */
1930 
1931 static void gsm_control_transmit(struct gsm_mux *gsm, struct gsm_control *ctrl)
1932 {
1933 	gsm_control_command(gsm, ctrl->cmd, ctrl->data, ctrl->len);
1934 }
1935 
1936 /**
1937  *	gsm_control_retransmit	-	retransmit a control frame
1938  *	@t: timer contained in our gsm object
1939  *
1940  *	Called off the T2 timer expiry in order to retransmit control frames
1941  *	that have been lost in the system somewhere. The control_lock protects
1942  *	us from colliding with another sender or a receive completion event.
1943  *	In that situation the timer may still occur in a small window but
1944  *	gsm->pending_cmd will be NULL and we just let the timer expire.
1945  */
1946 
1947 static void gsm_control_retransmit(struct timer_list *t)
1948 {
1949 	struct gsm_mux *gsm = from_timer(gsm, t, t2_timer);
1950 	struct gsm_control *ctrl;
1951 	unsigned long flags;
1952 	spin_lock_irqsave(&gsm->control_lock, flags);
1953 	ctrl = gsm->pending_cmd;
1954 	if (ctrl) {
1955 		if (gsm->cretries == 0 || !gsm->dlci[0] || gsm->dlci[0]->dead) {
1956 			gsm->pending_cmd = NULL;
1957 			ctrl->error = -ETIMEDOUT;
1958 			ctrl->done = 1;
1959 			spin_unlock_irqrestore(&gsm->control_lock, flags);
1960 			wake_up(&gsm->event);
1961 			return;
1962 		}
1963 		gsm->cretries--;
1964 		gsm_control_transmit(gsm, ctrl);
1965 		mod_timer(&gsm->t2_timer, jiffies + gsm->t2 * HZ / 100);
1966 	}
1967 	spin_unlock_irqrestore(&gsm->control_lock, flags);
1968 }
1969 
1970 /**
1971  *	gsm_control_send	-	send a control frame on DLCI 0
1972  *	@gsm: the GSM channel
1973  *	@command: command  to send including CR bit
1974  *	@data: bytes of data (must be kmalloced)
1975  *	@clen: length of the block to send
1976  *
1977  *	Queue and dispatch a control command. Only one command can be
1978  *	active at a time. In theory more can be outstanding but the matching
1979  *	gets really complicated so for now stick to one outstanding.
1980  */
1981 
1982 static struct gsm_control *gsm_control_send(struct gsm_mux *gsm,
1983 		unsigned int command, u8 *data, int clen)
1984 {
1985 	struct gsm_control *ctrl = kzalloc(sizeof(struct gsm_control),
1986 						GFP_ATOMIC);
1987 	unsigned long flags;
1988 	if (ctrl == NULL)
1989 		return NULL;
1990 retry:
1991 	wait_event(gsm->event, gsm->pending_cmd == NULL);
1992 	spin_lock_irqsave(&gsm->control_lock, flags);
1993 	if (gsm->pending_cmd != NULL) {
1994 		spin_unlock_irqrestore(&gsm->control_lock, flags);
1995 		goto retry;
1996 	}
1997 	ctrl->cmd = command;
1998 	ctrl->data = data;
1999 	ctrl->len = clen;
2000 	gsm->pending_cmd = ctrl;
2001 
2002 	/* If DLCI0 is in ADM mode skip retries, it won't respond */
2003 	if (gsm->dlci[0]->mode == DLCI_MODE_ADM)
2004 		gsm->cretries = 0;
2005 	else
2006 		gsm->cretries = gsm->n2;
2007 
2008 	mod_timer(&gsm->t2_timer, jiffies + gsm->t2 * HZ / 100);
2009 	gsm_control_transmit(gsm, ctrl);
2010 	spin_unlock_irqrestore(&gsm->control_lock, flags);
2011 	return ctrl;
2012 }
2013 
2014 /**
2015  *	gsm_control_wait	-	wait for a control to finish
2016  *	@gsm: GSM mux
2017  *	@control: control we are waiting on
2018  *
2019  *	Waits for the control to complete or time out. Frees any used
2020  *	resources and returns 0 for success, or an error if the remote
2021  *	rejected or ignored the request.
2022  */
2023 
2024 static int gsm_control_wait(struct gsm_mux *gsm, struct gsm_control *control)
2025 {
2026 	int err;
2027 	wait_event(gsm->event, control->done == 1);
2028 	err = control->error;
2029 	kfree(control);
2030 	return err;
2031 }
2032 
2033 
2034 /*
2035  *	DLCI level handling: Needs krefs
2036  */
2037 
2038 /*
2039  *	State transitions and timers
2040  */
2041 
2042 /**
2043  *	gsm_dlci_close		-	a DLCI has closed
2044  *	@dlci: DLCI that closed
2045  *
2046  *	Perform processing when moving a DLCI into closed state. If there
2047  *	is an attached tty this is hung up
2048  */
2049 
2050 static void gsm_dlci_close(struct gsm_dlci *dlci)
2051 {
2052 	del_timer(&dlci->t1);
2053 	if (debug & DBG_ERRORS)
2054 		pr_debug("DLCI %d goes closed.\n", dlci->addr);
2055 	dlci->state = DLCI_CLOSED;
2056 	/* Prevent us from sending data before the link is up again */
2057 	dlci->constipated = true;
2058 	if (dlci->addr != 0) {
2059 		tty_port_tty_hangup(&dlci->port, false);
2060 		gsm_dlci_clear_queues(dlci->gsm, dlci);
2061 		/* Ensure that gsmtty_open() can return. */
2062 		tty_port_set_initialized(&dlci->port, 0);
2063 		wake_up_interruptible(&dlci->port.open_wait);
2064 	} else
2065 		dlci->gsm->dead = true;
2066 	/* A DLCI 0 close is a MUX termination so we need to kick that
2067 	   back to userspace somehow */
2068 	gsm_dlci_data_kick(dlci);
2069 	wake_up(&dlci->gsm->event);
2070 }
2071 
2072 /**
2073  *	gsm_dlci_open		-	a DLCI has opened
2074  *	@dlci: DLCI that opened
2075  *
2076  *	Perform processing when moving a DLCI into open state.
2077  */
2078 
2079 static void gsm_dlci_open(struct gsm_dlci *dlci)
2080 {
2081 	/* Note that SABM UA .. SABM UA first UA lost can mean that we go
2082 	   open -> open */
2083 	del_timer(&dlci->t1);
2084 	/* This will let a tty open continue */
2085 	dlci->state = DLCI_OPEN;
2086 	dlci->constipated = false;
2087 	if (debug & DBG_ERRORS)
2088 		pr_debug("DLCI %d goes open.\n", dlci->addr);
2089 	/* Send current modem state */
2090 	if (dlci->addr)
2091 		gsm_modem_update(dlci, 0);
2092 	gsm_dlci_data_kick(dlci);
2093 	wake_up(&dlci->gsm->event);
2094 }
2095 
2096 /**
2097  * gsm_dlci_negotiate	-	start parameter negotiation
2098  * @dlci: DLCI to open
2099  *
2100  * Starts the parameter negotiation for the new DLCI. This needs to be done
2101  * before the DLCI initialized the channel via SABM.
2102  */
2103 static int gsm_dlci_negotiate(struct gsm_dlci *dlci)
2104 {
2105 	struct gsm_mux *gsm = dlci->gsm;
2106 	struct gsm_dlci_param_bits params;
2107 	int ret;
2108 
2109 	ret = gsm_encode_params(dlci, &params);
2110 	if (ret != 0)
2111 		return ret;
2112 
2113 	/* We cannot asynchronous wait for the command response with
2114 	 * gsm_command() and gsm_control_wait() at this point.
2115 	 */
2116 	ret = gsm_control_command(gsm, CMD_PN, (const u8 *)&params,
2117 				  sizeof(params));
2118 
2119 	return ret;
2120 }
2121 
2122 /**
2123  *	gsm_dlci_t1		-	T1 timer expiry
2124  *	@t: timer contained in the DLCI that opened
2125  *
2126  *	The T1 timer handles retransmits of control frames (essentially of
2127  *	SABM and DISC). We resend the command until the retry count runs out
2128  *	in which case an opening port goes back to closed and a closing port
2129  *	is simply put into closed state (any further frames from the other
2130  *	end will get a DM response)
2131  *
2132  *	Some control dlci can stay in ADM mode with other dlci working just
2133  *	fine. In that case we can just keep the control dlci open after the
2134  *	DLCI_OPENING retries time out.
2135  */
2136 
2137 static void gsm_dlci_t1(struct timer_list *t)
2138 {
2139 	struct gsm_dlci *dlci = from_timer(dlci, t, t1);
2140 	struct gsm_mux *gsm = dlci->gsm;
2141 
2142 	switch (dlci->state) {
2143 	case DLCI_CONFIGURE:
2144 		if (dlci->retries && gsm_dlci_negotiate(dlci) == 0) {
2145 			dlci->retries--;
2146 			mod_timer(&dlci->t1, jiffies + gsm->t1 * HZ / 100);
2147 		} else {
2148 			gsm_dlci_begin_close(dlci); /* prevent half open link */
2149 		}
2150 		break;
2151 	case DLCI_OPENING:
2152 		if (dlci->retries) {
2153 			dlci->retries--;
2154 			gsm_command(dlci->gsm, dlci->addr, SABM|PF);
2155 			mod_timer(&dlci->t1, jiffies + gsm->t1 * HZ / 100);
2156 		} else if (!dlci->addr && gsm->control == (DM | PF)) {
2157 			if (debug & DBG_ERRORS)
2158 				pr_info("DLCI %d opening in ADM mode.\n",
2159 					dlci->addr);
2160 			dlci->mode = DLCI_MODE_ADM;
2161 			gsm_dlci_open(dlci);
2162 		} else {
2163 			gsm_dlci_begin_close(dlci); /* prevent half open link */
2164 		}
2165 
2166 		break;
2167 	case DLCI_CLOSING:
2168 		if (dlci->retries) {
2169 			dlci->retries--;
2170 			gsm_command(dlci->gsm, dlci->addr, DISC|PF);
2171 			mod_timer(&dlci->t1, jiffies + gsm->t1 * HZ / 100);
2172 		} else
2173 			gsm_dlci_close(dlci);
2174 		break;
2175 	default:
2176 		pr_debug("%s: unhandled state: %d\n", __func__, dlci->state);
2177 		break;
2178 	}
2179 }
2180 
2181 /**
2182  *	gsm_dlci_begin_open	-	start channel open procedure
2183  *	@dlci: DLCI to open
2184  *
2185  *	Commence opening a DLCI from the Linux side. We issue SABM messages
2186  *	to the modem which should then reply with a UA or ADM, at which point
2187  *	we will move into open state. Opening is done asynchronously with retry
2188  *	running off timers and the responses.
2189  *	Parameter negotiation is performed before SABM if required.
2190  */
2191 
2192 static void gsm_dlci_begin_open(struct gsm_dlci *dlci)
2193 {
2194 	struct gsm_mux *gsm = dlci ? dlci->gsm : NULL;
2195 	bool need_pn = false;
2196 
2197 	if (!gsm)
2198 		return;
2199 
2200 	if (dlci->addr != 0) {
2201 		if (gsm->adaption != 1 || gsm->adaption != dlci->adaption)
2202 			need_pn = true;
2203 		if (dlci->prio != (roundup(dlci->addr + 1, 8) - 1))
2204 			need_pn = true;
2205 		if (gsm->ftype != dlci->ftype)
2206 			need_pn = true;
2207 	}
2208 
2209 	switch (dlci->state) {
2210 	case DLCI_CLOSED:
2211 	case DLCI_CLOSING:
2212 		dlci->retries = gsm->n2;
2213 		if (!need_pn) {
2214 			dlci->state = DLCI_OPENING;
2215 			gsm_command(gsm, dlci->addr, SABM|PF);
2216 		} else {
2217 			/* Configure DLCI before setup */
2218 			dlci->state = DLCI_CONFIGURE;
2219 			if (gsm_dlci_negotiate(dlci) != 0) {
2220 				gsm_dlci_close(dlci);
2221 				return;
2222 			}
2223 		}
2224 		mod_timer(&dlci->t1, jiffies + gsm->t1 * HZ / 100);
2225 		break;
2226 	default:
2227 		break;
2228 	}
2229 }
2230 
2231 /**
2232  *	gsm_dlci_set_opening	-	change state to opening
2233  *	@dlci: DLCI to open
2234  *
2235  *	Change internal state to wait for DLCI open from initiator side.
2236  *	We set off timers and responses upon reception of an SABM.
2237  */
2238 static void gsm_dlci_set_opening(struct gsm_dlci *dlci)
2239 {
2240 	switch (dlci->state) {
2241 	case DLCI_CLOSED:
2242 	case DLCI_CLOSING:
2243 		dlci->state = DLCI_OPENING;
2244 		break;
2245 	default:
2246 		break;
2247 	}
2248 }
2249 
2250 /**
2251  *	gsm_dlci_begin_close	-	start channel open procedure
2252  *	@dlci: DLCI to open
2253  *
2254  *	Commence closing a DLCI from the Linux side. We issue DISC messages
2255  *	to the modem which should then reply with a UA, at which point we
2256  *	will move into closed state. Closing is done asynchronously with retry
2257  *	off timers. We may also receive a DM reply from the other end which
2258  *	indicates the channel was already closed.
2259  */
2260 
2261 static void gsm_dlci_begin_close(struct gsm_dlci *dlci)
2262 {
2263 	struct gsm_mux *gsm = dlci->gsm;
2264 	if (dlci->state == DLCI_CLOSED || dlci->state == DLCI_CLOSING)
2265 		return;
2266 	dlci->retries = gsm->n2;
2267 	dlci->state = DLCI_CLOSING;
2268 	gsm_command(dlci->gsm, dlci->addr, DISC|PF);
2269 	mod_timer(&dlci->t1, jiffies + gsm->t1 * HZ / 100);
2270 }
2271 
2272 /**
2273  *	gsm_dlci_data		-	data arrived
2274  *	@dlci: channel
2275  *	@data: block of bytes received
2276  *	@clen: length of received block
2277  *
2278  *	A UI or UIH frame has arrived which contains data for a channel
2279  *	other than the control channel. If the relevant virtual tty is
2280  *	open we shovel the bits down it, if not we drop them.
2281  */
2282 
2283 static void gsm_dlci_data(struct gsm_dlci *dlci, const u8 *data, int clen)
2284 {
2285 	/* krefs .. */
2286 	struct tty_port *port = &dlci->port;
2287 	struct tty_struct *tty;
2288 	unsigned int modem = 0;
2289 	int len;
2290 
2291 	if (debug & DBG_TTY)
2292 		pr_debug("%d bytes for tty\n", clen);
2293 	switch (dlci->adaption)  {
2294 	/* Unsupported types */
2295 	case 4:		/* Packetised interruptible data */
2296 		break;
2297 	case 3:		/* Packetised uininterruptible voice/data */
2298 		break;
2299 	case 2:		/* Asynchronous serial with line state in each frame */
2300 		len = gsm_read_ea_val(&modem, data, clen);
2301 		if (len < 1)
2302 			return;
2303 		tty = tty_port_tty_get(port);
2304 		if (tty) {
2305 			gsm_process_modem(tty, dlci, modem, len);
2306 			tty_wakeup(tty);
2307 			tty_kref_put(tty);
2308 		}
2309 		/* Skip processed modem data */
2310 		data += len;
2311 		clen -= len;
2312 		fallthrough;
2313 	case 1:		/* Line state will go via DLCI 0 controls only */
2314 	default:
2315 		tty_insert_flip_string(port, data, clen);
2316 		tty_flip_buffer_push(port);
2317 	}
2318 }
2319 
2320 /**
2321  *	gsm_dlci_command	-	data arrived on control channel
2322  *	@dlci: channel
2323  *	@data: block of bytes received
2324  *	@len: length of received block
2325  *
2326  *	A UI or UIH frame has arrived which contains data for DLCI 0 the
2327  *	control channel. This should contain a command EA followed by
2328  *	control data bytes. The command EA contains a command/response bit
2329  *	and we divide up the work accordingly.
2330  */
2331 
2332 static void gsm_dlci_command(struct gsm_dlci *dlci, const u8 *data, int len)
2333 {
2334 	/* See what command is involved */
2335 	unsigned int command = 0;
2336 	unsigned int clen = 0;
2337 	unsigned int dlen;
2338 
2339 	/* read the command */
2340 	dlen = gsm_read_ea_val(&command, data, len);
2341 	len -= dlen;
2342 	data += dlen;
2343 
2344 	/* read any control data */
2345 	dlen = gsm_read_ea_val(&clen, data, len);
2346 	len -= dlen;
2347 	data += dlen;
2348 
2349 	/* Malformed command? */
2350 	if (clen > len)
2351 		return;
2352 
2353 	if (command & 1)
2354 		gsm_control_message(dlci->gsm, command, data, clen);
2355 	else
2356 		gsm_control_response(dlci->gsm, command, data, clen);
2357 }
2358 
2359 /**
2360  *	gsm_kick_timer	-	transmit if possible
2361  *	@t: timer contained in our gsm object
2362  *
2363  *	Transmit data from DLCIs if the queue is empty. We can't rely on
2364  *	a tty wakeup except when we filled the pipe so we need to fire off
2365  *	new data ourselves in other cases.
2366  */
2367 static void gsm_kick_timer(struct timer_list *t)
2368 {
2369 	struct gsm_mux *gsm = from_timer(gsm, t, kick_timer);
2370 	unsigned long flags;
2371 	int sent = 0;
2372 
2373 	spin_lock_irqsave(&gsm->tx_lock, flags);
2374 	/* If we have nothing running then we need to fire up */
2375 	if (gsm->tx_bytes < TX_THRESH_LO)
2376 		sent = gsm_dlci_data_sweep(gsm);
2377 	spin_unlock_irqrestore(&gsm->tx_lock, flags);
2378 
2379 	if (sent && debug & DBG_DATA)
2380 		pr_info("%s TX queue stalled\n", __func__);
2381 }
2382 
2383 /*
2384  *	Allocate/Free DLCI channels
2385  */
2386 
2387 /**
2388  *	gsm_dlci_alloc		-	allocate a DLCI
2389  *	@gsm: GSM mux
2390  *	@addr: address of the DLCI
2391  *
2392  *	Allocate and install a new DLCI object into the GSM mux.
2393  *
2394  *	FIXME: review locking races
2395  */
2396 
2397 static struct gsm_dlci *gsm_dlci_alloc(struct gsm_mux *gsm, int addr)
2398 {
2399 	struct gsm_dlci *dlci = kzalloc(sizeof(struct gsm_dlci), GFP_ATOMIC);
2400 	if (dlci == NULL)
2401 		return NULL;
2402 	spin_lock_init(&dlci->lock);
2403 	mutex_init(&dlci->mutex);
2404 	if (kfifo_alloc(&dlci->fifo, TX_SIZE, GFP_KERNEL) < 0) {
2405 		kfree(dlci);
2406 		return NULL;
2407 	}
2408 
2409 	skb_queue_head_init(&dlci->skb_list);
2410 	timer_setup(&dlci->t1, gsm_dlci_t1, 0);
2411 	tty_port_init(&dlci->port);
2412 	dlci->port.ops = &gsm_port_ops;
2413 	dlci->gsm = gsm;
2414 	dlci->addr = addr;
2415 	dlci->adaption = gsm->adaption;
2416 	dlci->mtu = gsm->mtu;
2417 	if (addr == 0)
2418 		dlci->prio = 0;
2419 	else
2420 		dlci->prio = roundup(addr + 1, 8) - 1;
2421 	dlci->ftype = gsm->ftype;
2422 	dlci->k = gsm->k;
2423 	dlci->state = DLCI_CLOSED;
2424 	if (addr) {
2425 		dlci->data = gsm_dlci_data;
2426 		/* Prevent us from sending data before the link is up */
2427 		dlci->constipated = true;
2428 	} else {
2429 		dlci->data = gsm_dlci_command;
2430 	}
2431 	gsm->dlci[addr] = dlci;
2432 	return dlci;
2433 }
2434 
2435 /**
2436  *	gsm_dlci_free		-	free DLCI
2437  *	@port: tty port for DLCI to free
2438  *
2439  *	Free up a DLCI.
2440  *
2441  *	Can sleep.
2442  */
2443 static void gsm_dlci_free(struct tty_port *port)
2444 {
2445 	struct gsm_dlci *dlci = container_of(port, struct gsm_dlci, port);
2446 
2447 	timer_shutdown_sync(&dlci->t1);
2448 	dlci->gsm->dlci[dlci->addr] = NULL;
2449 	kfifo_free(&dlci->fifo);
2450 	while ((dlci->skb = skb_dequeue(&dlci->skb_list)))
2451 		dev_kfree_skb(dlci->skb);
2452 	kfree(dlci);
2453 }
2454 
2455 static inline void dlci_get(struct gsm_dlci *dlci)
2456 {
2457 	tty_port_get(&dlci->port);
2458 }
2459 
2460 static inline void dlci_put(struct gsm_dlci *dlci)
2461 {
2462 	tty_port_put(&dlci->port);
2463 }
2464 
2465 static void gsm_destroy_network(struct gsm_dlci *dlci);
2466 
2467 /**
2468  *	gsm_dlci_release		-	release DLCI
2469  *	@dlci: DLCI to destroy
2470  *
2471  *	Release a DLCI. Actual free is deferred until either
2472  *	mux is closed or tty is closed - whichever is last.
2473  *
2474  *	Can sleep.
2475  */
2476 static void gsm_dlci_release(struct gsm_dlci *dlci)
2477 {
2478 	struct tty_struct *tty = tty_port_tty_get(&dlci->port);
2479 	if (tty) {
2480 		mutex_lock(&dlci->mutex);
2481 		gsm_destroy_network(dlci);
2482 		mutex_unlock(&dlci->mutex);
2483 
2484 		/* We cannot use tty_hangup() because in tty_kref_put() the tty
2485 		 * driver assumes that the hangup queue is free and reuses it to
2486 		 * queue release_one_tty() -> NULL pointer panic in
2487 		 * process_one_work().
2488 		 */
2489 		tty_vhangup(tty);
2490 
2491 		tty_port_tty_set(&dlci->port, NULL);
2492 		tty_kref_put(tty);
2493 	}
2494 	dlci->state = DLCI_CLOSED;
2495 	dlci_put(dlci);
2496 }
2497 
2498 /*
2499  *	LAPBish link layer logic
2500  */
2501 
2502 /**
2503  *	gsm_queue		-	a GSM frame is ready to process
2504  *	@gsm: pointer to our gsm mux
2505  *
2506  *	At this point in time a frame has arrived and been demangled from
2507  *	the line encoding. All the differences between the encodings have
2508  *	been handled below us and the frame is unpacked into the structures.
2509  *	The fcs holds the header FCS but any data FCS must be added here.
2510  */
2511 
2512 static void gsm_queue(struct gsm_mux *gsm)
2513 {
2514 	struct gsm_dlci *dlci;
2515 	u8 cr;
2516 	int address;
2517 
2518 	if (gsm->fcs != GOOD_FCS) {
2519 		gsm->bad_fcs++;
2520 		if (debug & DBG_DATA)
2521 			pr_debug("BAD FCS %02x\n", gsm->fcs);
2522 		return;
2523 	}
2524 	address = gsm->address >> 1;
2525 	if (address >= NUM_DLCI)
2526 		goto invalid;
2527 
2528 	cr = gsm->address & 1;		/* C/R bit */
2529 	cr ^= gsm->initiator ? 0 : 1;	/* Flip so 1 always means command */
2530 
2531 	gsm_print_packet("<--", address, cr, gsm->control, gsm->buf, gsm->len);
2532 
2533 	dlci = gsm->dlci[address];
2534 
2535 	switch (gsm->control) {
2536 	case SABM|PF:
2537 		if (cr == 1)
2538 			goto invalid;
2539 		if (dlci == NULL)
2540 			dlci = gsm_dlci_alloc(gsm, address);
2541 		if (dlci == NULL)
2542 			return;
2543 		if (dlci->dead)
2544 			gsm_response(gsm, address, DM|PF);
2545 		else {
2546 			gsm_response(gsm, address, UA|PF);
2547 			gsm_dlci_open(dlci);
2548 		}
2549 		break;
2550 	case DISC|PF:
2551 		if (cr == 1)
2552 			goto invalid;
2553 		if (dlci == NULL || dlci->state == DLCI_CLOSED) {
2554 			gsm_response(gsm, address, DM|PF);
2555 			return;
2556 		}
2557 		/* Real close complete */
2558 		gsm_response(gsm, address, UA|PF);
2559 		gsm_dlci_close(dlci);
2560 		break;
2561 	case UA|PF:
2562 		if (cr == 0 || dlci == NULL)
2563 			break;
2564 		switch (dlci->state) {
2565 		case DLCI_CLOSING:
2566 			gsm_dlci_close(dlci);
2567 			break;
2568 		case DLCI_OPENING:
2569 			gsm_dlci_open(dlci);
2570 			break;
2571 		default:
2572 			pr_debug("%s: unhandled state: %d\n", __func__,
2573 					dlci->state);
2574 			break;
2575 		}
2576 		break;
2577 	case DM:	/* DM can be valid unsolicited */
2578 	case DM|PF:
2579 		if (cr)
2580 			goto invalid;
2581 		if (dlci == NULL)
2582 			return;
2583 		gsm_dlci_close(dlci);
2584 		break;
2585 	case UI:
2586 	case UI|PF:
2587 	case UIH:
2588 	case UIH|PF:
2589 		if (dlci == NULL || dlci->state != DLCI_OPEN) {
2590 			gsm_response(gsm, address, DM|PF);
2591 			return;
2592 		}
2593 		dlci->data(dlci, gsm->buf, gsm->len);
2594 		break;
2595 	default:
2596 		goto invalid;
2597 	}
2598 	return;
2599 invalid:
2600 	gsm->malformed++;
2601 	return;
2602 }
2603 
2604 
2605 /**
2606  *	gsm0_receive	-	perform processing for non-transparency
2607  *	@gsm: gsm data for this ldisc instance
2608  *	@c: character
2609  *
2610  *	Receive bytes in gsm mode 0
2611  */
2612 
2613 static void gsm0_receive(struct gsm_mux *gsm, unsigned char c)
2614 {
2615 	unsigned int len;
2616 
2617 	switch (gsm->state) {
2618 	case GSM_SEARCH:	/* SOF marker */
2619 		if (c == GSM0_SOF) {
2620 			gsm->state = GSM_ADDRESS;
2621 			gsm->address = 0;
2622 			gsm->len = 0;
2623 			gsm->fcs = INIT_FCS;
2624 		}
2625 		break;
2626 	case GSM_ADDRESS:	/* Address EA */
2627 		gsm->fcs = gsm_fcs_add(gsm->fcs, c);
2628 		if (gsm_read_ea(&gsm->address, c))
2629 			gsm->state = GSM_CONTROL;
2630 		break;
2631 	case GSM_CONTROL:	/* Control Byte */
2632 		gsm->fcs = gsm_fcs_add(gsm->fcs, c);
2633 		gsm->control = c;
2634 		gsm->state = GSM_LEN0;
2635 		break;
2636 	case GSM_LEN0:		/* Length EA */
2637 		gsm->fcs = gsm_fcs_add(gsm->fcs, c);
2638 		if (gsm_read_ea(&gsm->len, c)) {
2639 			if (gsm->len > gsm->mru) {
2640 				gsm->bad_size++;
2641 				gsm->state = GSM_SEARCH;
2642 				break;
2643 			}
2644 			gsm->count = 0;
2645 			if (!gsm->len)
2646 				gsm->state = GSM_FCS;
2647 			else
2648 				gsm->state = GSM_DATA;
2649 			break;
2650 		}
2651 		gsm->state = GSM_LEN1;
2652 		break;
2653 	case GSM_LEN1:
2654 		gsm->fcs = gsm_fcs_add(gsm->fcs, c);
2655 		len = c;
2656 		gsm->len |= len << 7;
2657 		if (gsm->len > gsm->mru) {
2658 			gsm->bad_size++;
2659 			gsm->state = GSM_SEARCH;
2660 			break;
2661 		}
2662 		gsm->count = 0;
2663 		if (!gsm->len)
2664 			gsm->state = GSM_FCS;
2665 		else
2666 			gsm->state = GSM_DATA;
2667 		break;
2668 	case GSM_DATA:		/* Data */
2669 		gsm->buf[gsm->count++] = c;
2670 		if (gsm->count == gsm->len) {
2671 			/* Calculate final FCS for UI frames over all data */
2672 			if ((gsm->control & ~PF) != UIH) {
2673 				gsm->fcs = gsm_fcs_add_block(gsm->fcs, gsm->buf,
2674 							     gsm->count);
2675 			}
2676 			gsm->state = GSM_FCS;
2677 		}
2678 		break;
2679 	case GSM_FCS:		/* FCS follows the packet */
2680 		gsm->fcs = gsm_fcs_add(gsm->fcs, c);
2681 		gsm->state = GSM_SSOF;
2682 		break;
2683 	case GSM_SSOF:
2684 		gsm->state = GSM_SEARCH;
2685 		if (c == GSM0_SOF)
2686 			gsm_queue(gsm);
2687 		else
2688 			gsm->bad_size++;
2689 		break;
2690 	default:
2691 		pr_debug("%s: unhandled state: %d\n", __func__, gsm->state);
2692 		break;
2693 	}
2694 }
2695 
2696 /**
2697  *	gsm1_receive	-	perform processing for non-transparency
2698  *	@gsm: gsm data for this ldisc instance
2699  *	@c: character
2700  *
2701  *	Receive bytes in mode 1 (Advanced option)
2702  */
2703 
2704 static void gsm1_receive(struct gsm_mux *gsm, unsigned char c)
2705 {
2706 	/* handle XON/XOFF */
2707 	if ((c & ISO_IEC_646_MASK) == XON) {
2708 		gsm->constipated = true;
2709 		return;
2710 	} else if ((c & ISO_IEC_646_MASK) == XOFF) {
2711 		gsm->constipated = false;
2712 		/* Kick the link in case it is idling */
2713 		gsmld_write_trigger(gsm);
2714 		return;
2715 	}
2716 	if (c == GSM1_SOF) {
2717 		/* EOF is only valid in frame if we have got to the data state */
2718 		if (gsm->state == GSM_DATA) {
2719 			if (gsm->count < 1) {
2720 				/* Missing FSC */
2721 				gsm->malformed++;
2722 				gsm->state = GSM_START;
2723 				return;
2724 			}
2725 			/* Remove the FCS from data */
2726 			gsm->count--;
2727 			if ((gsm->control & ~PF) != UIH) {
2728 				/* Calculate final FCS for UI frames over all
2729 				 * data but FCS
2730 				 */
2731 				gsm->fcs = gsm_fcs_add_block(gsm->fcs, gsm->buf,
2732 							     gsm->count);
2733 			}
2734 			/* Add the FCS itself to test against GOOD_FCS */
2735 			gsm->fcs = gsm_fcs_add(gsm->fcs, gsm->buf[gsm->count]);
2736 			gsm->len = gsm->count;
2737 			gsm_queue(gsm);
2738 			gsm->state  = GSM_START;
2739 			return;
2740 		}
2741 		/* Any partial frame was a runt so go back to start */
2742 		if (gsm->state != GSM_START) {
2743 			if (gsm->state != GSM_SEARCH)
2744 				gsm->malformed++;
2745 			gsm->state = GSM_START;
2746 		}
2747 		/* A SOF in GSM_START means we are still reading idling or
2748 		   framing bytes */
2749 		return;
2750 	}
2751 
2752 	if (c == GSM1_ESCAPE) {
2753 		gsm->escape = true;
2754 		return;
2755 	}
2756 
2757 	/* Only an unescaped SOF gets us out of GSM search */
2758 	if (gsm->state == GSM_SEARCH)
2759 		return;
2760 
2761 	if (gsm->escape) {
2762 		c ^= GSM1_ESCAPE_BITS;
2763 		gsm->escape = false;
2764 	}
2765 	switch (gsm->state) {
2766 	case GSM_START:		/* First byte after SOF */
2767 		gsm->address = 0;
2768 		gsm->state = GSM_ADDRESS;
2769 		gsm->fcs = INIT_FCS;
2770 		fallthrough;
2771 	case GSM_ADDRESS:	/* Address continuation */
2772 		gsm->fcs = gsm_fcs_add(gsm->fcs, c);
2773 		if (gsm_read_ea(&gsm->address, c))
2774 			gsm->state = GSM_CONTROL;
2775 		break;
2776 	case GSM_CONTROL:	/* Control Byte */
2777 		gsm->fcs = gsm_fcs_add(gsm->fcs, c);
2778 		gsm->control = c;
2779 		gsm->count = 0;
2780 		gsm->state = GSM_DATA;
2781 		break;
2782 	case GSM_DATA:		/* Data */
2783 		if (gsm->count > gsm->mru) {	/* Allow one for the FCS */
2784 			gsm->state = GSM_OVERRUN;
2785 			gsm->bad_size++;
2786 		} else
2787 			gsm->buf[gsm->count++] = c;
2788 		break;
2789 	case GSM_OVERRUN:	/* Over-long - eg a dropped SOF */
2790 		break;
2791 	default:
2792 		pr_debug("%s: unhandled state: %d\n", __func__, gsm->state);
2793 		break;
2794 	}
2795 }
2796 
2797 /**
2798  *	gsm_error		-	handle tty error
2799  *	@gsm: ldisc data
2800  *
2801  *	Handle an error in the receipt of data for a frame. Currently we just
2802  *	go back to hunting for a SOF.
2803  *
2804  *	FIXME: better diagnostics ?
2805  */
2806 
2807 static void gsm_error(struct gsm_mux *gsm)
2808 {
2809 	gsm->state = GSM_SEARCH;
2810 	gsm->io_error++;
2811 }
2812 
2813 /**
2814  *	gsm_cleanup_mux		-	generic GSM protocol cleanup
2815  *	@gsm: our mux
2816  *	@disc: disconnect link?
2817  *
2818  *	Clean up the bits of the mux which are the same for all framing
2819  *	protocols. Remove the mux from the mux table, stop all the timers
2820  *	and then shut down each device hanging up the channels as we go.
2821  */
2822 
2823 static void gsm_cleanup_mux(struct gsm_mux *gsm, bool disc)
2824 {
2825 	int i;
2826 	struct gsm_dlci *dlci = gsm->dlci[0];
2827 	struct gsm_msg *txq, *ntxq;
2828 
2829 	gsm->dead = true;
2830 	mutex_lock(&gsm->mutex);
2831 
2832 	if (dlci) {
2833 		if (disc && dlci->state != DLCI_CLOSED) {
2834 			gsm_dlci_begin_close(dlci);
2835 			wait_event(gsm->event, dlci->state == DLCI_CLOSED);
2836 		}
2837 		dlci->dead = true;
2838 	}
2839 
2840 	/* Finish outstanding timers, making sure they are done */
2841 	del_timer_sync(&gsm->kick_timer);
2842 	del_timer_sync(&gsm->t2_timer);
2843 
2844 	/* Finish writing to ldisc */
2845 	flush_work(&gsm->tx_work);
2846 
2847 	/* Free up any link layer users and finally the control channel */
2848 	if (gsm->has_devices) {
2849 		gsm_unregister_devices(gsm_tty_driver, gsm->num);
2850 		gsm->has_devices = false;
2851 	}
2852 	for (i = NUM_DLCI - 1; i >= 0; i--)
2853 		if (gsm->dlci[i])
2854 			gsm_dlci_release(gsm->dlci[i]);
2855 	mutex_unlock(&gsm->mutex);
2856 	/* Now wipe the queues */
2857 	tty_ldisc_flush(gsm->tty);
2858 	list_for_each_entry_safe(txq, ntxq, &gsm->tx_ctrl_list, list)
2859 		kfree(txq);
2860 	INIT_LIST_HEAD(&gsm->tx_ctrl_list);
2861 	list_for_each_entry_safe(txq, ntxq, &gsm->tx_data_list, list)
2862 		kfree(txq);
2863 	INIT_LIST_HEAD(&gsm->tx_data_list);
2864 }
2865 
2866 /**
2867  *	gsm_activate_mux	-	generic GSM setup
2868  *	@gsm: our mux
2869  *
2870  *	Set up the bits of the mux which are the same for all framing
2871  *	protocols. Add the mux to the mux table so it can be opened and
2872  *	finally kick off connecting to DLCI 0 on the modem.
2873  */
2874 
2875 static int gsm_activate_mux(struct gsm_mux *gsm)
2876 {
2877 	struct gsm_dlci *dlci;
2878 	int ret;
2879 
2880 	dlci = gsm_dlci_alloc(gsm, 0);
2881 	if (dlci == NULL)
2882 		return -ENOMEM;
2883 
2884 	if (gsm->encoding == GSM_BASIC_OPT)
2885 		gsm->receive = gsm0_receive;
2886 	else
2887 		gsm->receive = gsm1_receive;
2888 
2889 	ret = gsm_register_devices(gsm_tty_driver, gsm->num);
2890 	if (ret)
2891 		return ret;
2892 
2893 	gsm->has_devices = true;
2894 	gsm->dead = false;		/* Tty opens are now permissible */
2895 	return 0;
2896 }
2897 
2898 /**
2899  *	gsm_free_mux		-	free up a mux
2900  *	@gsm: mux to free
2901  *
2902  *	Dispose of allocated resources for a dead mux
2903  */
2904 static void gsm_free_mux(struct gsm_mux *gsm)
2905 {
2906 	int i;
2907 
2908 	for (i = 0; i < MAX_MUX; i++) {
2909 		if (gsm == gsm_mux[i]) {
2910 			gsm_mux[i] = NULL;
2911 			break;
2912 		}
2913 	}
2914 	mutex_destroy(&gsm->mutex);
2915 	kfree(gsm->txframe);
2916 	kfree(gsm->buf);
2917 	kfree(gsm);
2918 }
2919 
2920 /**
2921  *	gsm_free_muxr		-	free up a mux
2922  *	@ref: kreference to the mux to free
2923  *
2924  *	Dispose of allocated resources for a dead mux
2925  */
2926 static void gsm_free_muxr(struct kref *ref)
2927 {
2928 	struct gsm_mux *gsm = container_of(ref, struct gsm_mux, ref);
2929 	gsm_free_mux(gsm);
2930 }
2931 
2932 static inline void mux_get(struct gsm_mux *gsm)
2933 {
2934 	unsigned long flags;
2935 
2936 	spin_lock_irqsave(&gsm_mux_lock, flags);
2937 	kref_get(&gsm->ref);
2938 	spin_unlock_irqrestore(&gsm_mux_lock, flags);
2939 }
2940 
2941 static inline void mux_put(struct gsm_mux *gsm)
2942 {
2943 	unsigned long flags;
2944 
2945 	spin_lock_irqsave(&gsm_mux_lock, flags);
2946 	kref_put(&gsm->ref, gsm_free_muxr);
2947 	spin_unlock_irqrestore(&gsm_mux_lock, flags);
2948 }
2949 
2950 static inline unsigned int mux_num_to_base(struct gsm_mux *gsm)
2951 {
2952 	return gsm->num * NUM_DLCI;
2953 }
2954 
2955 static inline unsigned int mux_line_to_num(unsigned int line)
2956 {
2957 	return line / NUM_DLCI;
2958 }
2959 
2960 /**
2961  *	gsm_alloc_mux		-	allocate a mux
2962  *
2963  *	Creates a new mux ready for activation.
2964  */
2965 
2966 static struct gsm_mux *gsm_alloc_mux(void)
2967 {
2968 	int i;
2969 	struct gsm_mux *gsm = kzalloc(sizeof(struct gsm_mux), GFP_KERNEL);
2970 	if (gsm == NULL)
2971 		return NULL;
2972 	gsm->buf = kmalloc(MAX_MRU + 1, GFP_KERNEL);
2973 	if (gsm->buf == NULL) {
2974 		kfree(gsm);
2975 		return NULL;
2976 	}
2977 	gsm->txframe = kmalloc(2 * (MAX_MTU + PROT_OVERHEAD - 1), GFP_KERNEL);
2978 	if (gsm->txframe == NULL) {
2979 		kfree(gsm->buf);
2980 		kfree(gsm);
2981 		return NULL;
2982 	}
2983 	spin_lock_init(&gsm->lock);
2984 	mutex_init(&gsm->mutex);
2985 	kref_init(&gsm->ref);
2986 	INIT_LIST_HEAD(&gsm->tx_ctrl_list);
2987 	INIT_LIST_HEAD(&gsm->tx_data_list);
2988 	timer_setup(&gsm->kick_timer, gsm_kick_timer, 0);
2989 	timer_setup(&gsm->t2_timer, gsm_control_retransmit, 0);
2990 	INIT_WORK(&gsm->tx_work, gsmld_write_task);
2991 	init_waitqueue_head(&gsm->event);
2992 	spin_lock_init(&gsm->control_lock);
2993 	spin_lock_init(&gsm->tx_lock);
2994 
2995 	gsm->t1 = T1;
2996 	gsm->t2 = T2;
2997 	gsm->t3 = T3;
2998 	gsm->n2 = N2;
2999 	gsm->k = K;
3000 	gsm->ftype = UIH;
3001 	gsm->adaption = 1;
3002 	gsm->encoding = GSM_ADV_OPT;
3003 	gsm->mru = 64;	/* Default to encoding 1 so these should be 64 */
3004 	gsm->mtu = 64;
3005 	gsm->dead = true;	/* Avoid early tty opens */
3006 
3007 	/* Store the instance to the mux array or abort if no space is
3008 	 * available.
3009 	 */
3010 	spin_lock(&gsm_mux_lock);
3011 	for (i = 0; i < MAX_MUX; i++) {
3012 		if (!gsm_mux[i]) {
3013 			gsm_mux[i] = gsm;
3014 			gsm->num = i;
3015 			break;
3016 		}
3017 	}
3018 	spin_unlock(&gsm_mux_lock);
3019 	if (i == MAX_MUX) {
3020 		mutex_destroy(&gsm->mutex);
3021 		kfree(gsm->txframe);
3022 		kfree(gsm->buf);
3023 		kfree(gsm);
3024 		return NULL;
3025 	}
3026 
3027 	return gsm;
3028 }
3029 
3030 static void gsm_copy_config_values(struct gsm_mux *gsm,
3031 				   struct gsm_config *c)
3032 {
3033 	memset(c, 0, sizeof(*c));
3034 	c->adaption = gsm->adaption;
3035 	c->encapsulation = gsm->encoding;
3036 	c->initiator = gsm->initiator;
3037 	c->t1 = gsm->t1;
3038 	c->t2 = gsm->t2;
3039 	c->t3 = gsm->t3;
3040 	c->n2 = gsm->n2;
3041 	if (gsm->ftype == UIH)
3042 		c->i = 1;
3043 	else
3044 		c->i = 2;
3045 	pr_debug("Ftype %d i %d\n", gsm->ftype, c->i);
3046 	c->mru = gsm->mru;
3047 	c->mtu = gsm->mtu;
3048 	c->k = gsm->k;
3049 }
3050 
3051 static int gsm_config(struct gsm_mux *gsm, struct gsm_config *c)
3052 {
3053 	int ret = 0;
3054 	int need_close = 0;
3055 	int need_restart = 0;
3056 
3057 	/* Stuff we don't support yet - UI or I frame transport, windowing */
3058 	if ((c->adaption != 1 && c->adaption != 2) || c->k)
3059 		return -EOPNOTSUPP;
3060 	/* Check the MRU/MTU range looks sane */
3061 	if (c->mru < MIN_MTU || c->mtu < MIN_MTU)
3062 		return -EINVAL;
3063 	if (c->mru > MAX_MRU || c->mtu > MAX_MTU)
3064 		return -EINVAL;
3065 	if (c->t3 > MAX_T3)
3066 		return -EINVAL;
3067 	if (c->n2 > 255)
3068 		return -EINVAL;
3069 	if (c->encapsulation > 1)	/* Basic, advanced, no I */
3070 		return -EINVAL;
3071 	if (c->initiator > 1)
3072 		return -EINVAL;
3073 	if (c->k > MAX_WINDOW_SIZE)
3074 		return -EINVAL;
3075 	if (c->i == 0 || c->i > 2)	/* UIH and UI only */
3076 		return -EINVAL;
3077 	/*
3078 	 * See what is needed for reconfiguration
3079 	 */
3080 
3081 	/* Timing fields */
3082 	if (c->t1 != 0 && c->t1 != gsm->t1)
3083 		need_restart = 1;
3084 	if (c->t2 != 0 && c->t2 != gsm->t2)
3085 		need_restart = 1;
3086 	if (c->encapsulation != gsm->encoding)
3087 		need_restart = 1;
3088 	if (c->adaption != gsm->adaption)
3089 		need_restart = 1;
3090 	/* Requires care */
3091 	if (c->initiator != gsm->initiator)
3092 		need_close = 1;
3093 	if (c->mru != gsm->mru)
3094 		need_restart = 1;
3095 	if (c->mtu != gsm->mtu)
3096 		need_restart = 1;
3097 
3098 	/*
3099 	 * Close down what is needed, restart and initiate the new
3100 	 * configuration. On the first time there is no DLCI[0]
3101 	 * and closing or cleaning up is not necessary.
3102 	 */
3103 	if (need_close || need_restart)
3104 		gsm_cleanup_mux(gsm, true);
3105 
3106 	gsm->initiator = c->initiator;
3107 	gsm->mru = c->mru;
3108 	gsm->mtu = c->mtu;
3109 	gsm->encoding = c->encapsulation ? GSM_ADV_OPT : GSM_BASIC_OPT;
3110 	gsm->adaption = c->adaption;
3111 	gsm->n2 = c->n2;
3112 
3113 	if (c->i == 1)
3114 		gsm->ftype = UIH;
3115 	else if (c->i == 2)
3116 		gsm->ftype = UI;
3117 
3118 	if (c->t1)
3119 		gsm->t1 = c->t1;
3120 	if (c->t2)
3121 		gsm->t2 = c->t2;
3122 	if (c->t3)
3123 		gsm->t3 = c->t3;
3124 	if (c->k)
3125 		gsm->k = c->k;
3126 
3127 	/*
3128 	 * FIXME: We need to separate activation/deactivation from adding
3129 	 * and removing from the mux array
3130 	 */
3131 	if (gsm->dead) {
3132 		ret = gsm_activate_mux(gsm);
3133 		if (ret)
3134 			return ret;
3135 		if (gsm->initiator)
3136 			gsm_dlci_begin_open(gsm->dlci[0]);
3137 	}
3138 	return 0;
3139 }
3140 
3141 /**
3142  *	gsmld_output		-	write to link
3143  *	@gsm: our mux
3144  *	@data: bytes to output
3145  *	@len: size
3146  *
3147  *	Write a block of data from the GSM mux to the data channel. This
3148  *	will eventually be serialized from above but at the moment isn't.
3149  */
3150 
3151 static int gsmld_output(struct gsm_mux *gsm, u8 *data, int len)
3152 {
3153 	if (tty_write_room(gsm->tty) < len) {
3154 		set_bit(TTY_DO_WRITE_WAKEUP, &gsm->tty->flags);
3155 		return -ENOSPC;
3156 	}
3157 	if (debug & DBG_DATA)
3158 		gsm_hex_dump_bytes(__func__, data, len);
3159 	return gsm->tty->ops->write(gsm->tty, data, len);
3160 }
3161 
3162 
3163 /**
3164  *	gsmld_write_trigger	-	schedule ldisc write task
3165  *	@gsm: our mux
3166  */
3167 static void gsmld_write_trigger(struct gsm_mux *gsm)
3168 {
3169 	if (!gsm || !gsm->dlci[0] || gsm->dlci[0]->dead)
3170 		return;
3171 	schedule_work(&gsm->tx_work);
3172 }
3173 
3174 
3175 /**
3176  *	gsmld_write_task	-	ldisc write task
3177  *	@work: our tx write work
3178  *
3179  *	Writes out data to the ldisc if possible. We are doing this here to
3180  *	avoid dead-locking. This returns if no space or data is left for output.
3181  */
3182 static void gsmld_write_task(struct work_struct *work)
3183 {
3184 	struct gsm_mux *gsm = container_of(work, struct gsm_mux, tx_work);
3185 	unsigned long flags;
3186 	int i, ret;
3187 
3188 	/* All outstanding control channel and control messages and one data
3189 	 * frame is sent.
3190 	 */
3191 	ret = -ENODEV;
3192 	spin_lock_irqsave(&gsm->tx_lock, flags);
3193 	if (gsm->tty)
3194 		ret = gsm_data_kick(gsm);
3195 	spin_unlock_irqrestore(&gsm->tx_lock, flags);
3196 
3197 	if (ret >= 0)
3198 		for (i = 0; i < NUM_DLCI; i++)
3199 			if (gsm->dlci[i])
3200 				tty_port_tty_wakeup(&gsm->dlci[i]->port);
3201 }
3202 
3203 /**
3204  *	gsmld_attach_gsm	-	mode set up
3205  *	@tty: our tty structure
3206  *	@gsm: our mux
3207  *
3208  *	Set up the MUX for basic mode and commence connecting to the
3209  *	modem. Currently called from the line discipline set up but
3210  *	will need moving to an ioctl path.
3211  */
3212 
3213 static void gsmld_attach_gsm(struct tty_struct *tty, struct gsm_mux *gsm)
3214 {
3215 	gsm->tty = tty_kref_get(tty);
3216 	/* Turn off tty XON/XOFF handling to handle it explicitly. */
3217 	gsm->old_c_iflag = tty->termios.c_iflag;
3218 	tty->termios.c_iflag &= (IXON | IXOFF);
3219 }
3220 
3221 /**
3222  *	gsmld_detach_gsm	-	stop doing 0710 mux
3223  *	@tty: tty attached to the mux
3224  *	@gsm: mux
3225  *
3226  *	Shutdown and then clean up the resources used by the line discipline
3227  */
3228 
3229 static void gsmld_detach_gsm(struct tty_struct *tty, struct gsm_mux *gsm)
3230 {
3231 	WARN_ON(tty != gsm->tty);
3232 	/* Restore tty XON/XOFF handling. */
3233 	gsm->tty->termios.c_iflag = gsm->old_c_iflag;
3234 	tty_kref_put(gsm->tty);
3235 	gsm->tty = NULL;
3236 }
3237 
3238 static void gsmld_receive_buf(struct tty_struct *tty, const unsigned char *cp,
3239 			      const char *fp, int count)
3240 {
3241 	struct gsm_mux *gsm = tty->disc_data;
3242 	char flags = TTY_NORMAL;
3243 
3244 	if (debug & DBG_DATA)
3245 		gsm_hex_dump_bytes(__func__, cp, count);
3246 
3247 	for (; count; count--, cp++) {
3248 		if (fp)
3249 			flags = *fp++;
3250 		switch (flags) {
3251 		case TTY_NORMAL:
3252 			if (gsm->receive)
3253 				gsm->receive(gsm, *cp);
3254 			break;
3255 		case TTY_OVERRUN:
3256 		case TTY_BREAK:
3257 		case TTY_PARITY:
3258 		case TTY_FRAME:
3259 			gsm_error(gsm);
3260 			break;
3261 		default:
3262 			WARN_ONCE(1, "%s: unknown flag %d\n",
3263 			       tty_name(tty), flags);
3264 			break;
3265 		}
3266 	}
3267 	/* FASYNC if needed ? */
3268 	/* If clogged call tty_throttle(tty); */
3269 }
3270 
3271 /**
3272  *	gsmld_flush_buffer	-	clean input queue
3273  *	@tty:	terminal device
3274  *
3275  *	Flush the input buffer. Called when the line discipline is
3276  *	being closed, when the tty layer wants the buffer flushed (eg
3277  *	at hangup).
3278  */
3279 
3280 static void gsmld_flush_buffer(struct tty_struct *tty)
3281 {
3282 }
3283 
3284 /**
3285  *	gsmld_close		-	close the ldisc for this tty
3286  *	@tty: device
3287  *
3288  *	Called from the terminal layer when this line discipline is
3289  *	being shut down, either because of a close or becsuse of a
3290  *	discipline change. The function will not be called while other
3291  *	ldisc methods are in progress.
3292  */
3293 
3294 static void gsmld_close(struct tty_struct *tty)
3295 {
3296 	struct gsm_mux *gsm = tty->disc_data;
3297 
3298 	/* The ldisc locks and closes the port before calling our close. This
3299 	 * means we have no way to do a proper disconnect. We will not bother
3300 	 * to do one.
3301 	 */
3302 	gsm_cleanup_mux(gsm, false);
3303 
3304 	gsmld_detach_gsm(tty, gsm);
3305 
3306 	gsmld_flush_buffer(tty);
3307 	/* Do other clean up here */
3308 	mux_put(gsm);
3309 }
3310 
3311 /**
3312  *	gsmld_open		-	open an ldisc
3313  *	@tty: terminal to open
3314  *
3315  *	Called when this line discipline is being attached to the
3316  *	terminal device. Can sleep. Called serialized so that no
3317  *	other events will occur in parallel. No further open will occur
3318  *	until a close.
3319  */
3320 
3321 static int gsmld_open(struct tty_struct *tty)
3322 {
3323 	struct gsm_mux *gsm;
3324 
3325 	if (tty->ops->write == NULL)
3326 		return -EINVAL;
3327 
3328 	/* Attach our ldisc data */
3329 	gsm = gsm_alloc_mux();
3330 	if (gsm == NULL)
3331 		return -ENOMEM;
3332 
3333 	tty->disc_data = gsm;
3334 	tty->receive_room = 65536;
3335 
3336 	/* Attach the initial passive connection */
3337 	gsm->encoding = GSM_ADV_OPT;
3338 	gsmld_attach_gsm(tty, gsm);
3339 
3340 	return 0;
3341 }
3342 
3343 /**
3344  *	gsmld_write_wakeup	-	asynchronous I/O notifier
3345  *	@tty: tty device
3346  *
3347  *	Required for the ptys, serial driver etc. since processes
3348  *	that attach themselves to the master and rely on ASYNC
3349  *	IO must be woken up
3350  */
3351 
3352 static void gsmld_write_wakeup(struct tty_struct *tty)
3353 {
3354 	struct gsm_mux *gsm = tty->disc_data;
3355 
3356 	/* Queue poll */
3357 	gsmld_write_trigger(gsm);
3358 }
3359 
3360 /**
3361  *	gsmld_read		-	read function for tty
3362  *	@tty: tty device
3363  *	@file: file object
3364  *	@buf: userspace buffer pointer
3365  *	@nr: size of I/O
3366  *	@cookie: unused
3367  *	@offset: unused
3368  *
3369  *	Perform reads for the line discipline. We are guaranteed that the
3370  *	line discipline will not be closed under us but we may get multiple
3371  *	parallel readers and must handle this ourselves. We may also get
3372  *	a hangup. Always called in user context, may sleep.
3373  *
3374  *	This code must be sure never to sleep through a hangup.
3375  */
3376 
3377 static ssize_t gsmld_read(struct tty_struct *tty, struct file *file,
3378 			  unsigned char *buf, size_t nr,
3379 			  void **cookie, unsigned long offset)
3380 {
3381 	return -EOPNOTSUPP;
3382 }
3383 
3384 /**
3385  *	gsmld_write		-	write function for tty
3386  *	@tty: tty device
3387  *	@file: file object
3388  *	@buf: userspace buffer pointer
3389  *	@nr: size of I/O
3390  *
3391  *	Called when the owner of the device wants to send a frame
3392  *	itself (or some other control data). The data is transferred
3393  *	as-is and must be properly framed and checksummed as appropriate
3394  *	by userspace. Frames are either sent whole or not at all as this
3395  *	avoids pain user side.
3396  */
3397 
3398 static ssize_t gsmld_write(struct tty_struct *tty, struct file *file,
3399 			   const unsigned char *buf, size_t nr)
3400 {
3401 	struct gsm_mux *gsm = tty->disc_data;
3402 	unsigned long flags;
3403 	int space;
3404 	int ret;
3405 
3406 	if (!gsm)
3407 		return -ENODEV;
3408 
3409 	ret = -ENOBUFS;
3410 	spin_lock_irqsave(&gsm->tx_lock, flags);
3411 	space = tty_write_room(tty);
3412 	if (space >= nr)
3413 		ret = tty->ops->write(tty, buf, nr);
3414 	else
3415 		set_bit(TTY_DO_WRITE_WAKEUP, &tty->flags);
3416 	spin_unlock_irqrestore(&gsm->tx_lock, flags);
3417 
3418 	return ret;
3419 }
3420 
3421 /**
3422  *	gsmld_poll		-	poll method for N_GSM0710
3423  *	@tty: terminal device
3424  *	@file: file accessing it
3425  *	@wait: poll table
3426  *
3427  *	Called when the line discipline is asked to poll() for data or
3428  *	for special events. This code is not serialized with respect to
3429  *	other events save open/close.
3430  *
3431  *	This code must be sure never to sleep through a hangup.
3432  *	Called without the kernel lock held - fine
3433  */
3434 
3435 static __poll_t gsmld_poll(struct tty_struct *tty, struct file *file,
3436 							poll_table *wait)
3437 {
3438 	__poll_t mask = 0;
3439 	struct gsm_mux *gsm = tty->disc_data;
3440 
3441 	poll_wait(file, &tty->read_wait, wait);
3442 	poll_wait(file, &tty->write_wait, wait);
3443 
3444 	if (gsm->dead)
3445 		mask |= EPOLLHUP;
3446 	if (tty_hung_up_p(file))
3447 		mask |= EPOLLHUP;
3448 	if (test_bit(TTY_OTHER_CLOSED, &tty->flags))
3449 		mask |= EPOLLHUP;
3450 	if (!tty_is_writelocked(tty) && tty_write_room(tty) > 0)
3451 		mask |= EPOLLOUT | EPOLLWRNORM;
3452 	return mask;
3453 }
3454 
3455 static int gsmld_ioctl(struct tty_struct *tty, unsigned int cmd,
3456 		       unsigned long arg)
3457 {
3458 	struct gsm_config c;
3459 	struct gsm_mux *gsm = tty->disc_data;
3460 	unsigned int base;
3461 
3462 	switch (cmd) {
3463 	case GSMIOC_GETCONF:
3464 		gsm_copy_config_values(gsm, &c);
3465 		if (copy_to_user((void __user *)arg, &c, sizeof(c)))
3466 			return -EFAULT;
3467 		return 0;
3468 	case GSMIOC_SETCONF:
3469 		if (copy_from_user(&c, (void __user *)arg, sizeof(c)))
3470 			return -EFAULT;
3471 		return gsm_config(gsm, &c);
3472 	case GSMIOC_GETFIRST:
3473 		base = mux_num_to_base(gsm);
3474 		return put_user(base + 1, (__u32 __user *)arg);
3475 	default:
3476 		return n_tty_ioctl_helper(tty, cmd, arg);
3477 	}
3478 }
3479 
3480 /*
3481  *	Network interface
3482  *
3483  */
3484 
3485 static int gsm_mux_net_open(struct net_device *net)
3486 {
3487 	pr_debug("%s called\n", __func__);
3488 	netif_start_queue(net);
3489 	return 0;
3490 }
3491 
3492 static int gsm_mux_net_close(struct net_device *net)
3493 {
3494 	netif_stop_queue(net);
3495 	return 0;
3496 }
3497 
3498 static void dlci_net_free(struct gsm_dlci *dlci)
3499 {
3500 	if (!dlci->net) {
3501 		WARN_ON(1);
3502 		return;
3503 	}
3504 	dlci->adaption = dlci->prev_adaption;
3505 	dlci->data = dlci->prev_data;
3506 	free_netdev(dlci->net);
3507 	dlci->net = NULL;
3508 }
3509 static void net_free(struct kref *ref)
3510 {
3511 	struct gsm_mux_net *mux_net;
3512 	struct gsm_dlci *dlci;
3513 
3514 	mux_net = container_of(ref, struct gsm_mux_net, ref);
3515 	dlci = mux_net->dlci;
3516 
3517 	if (dlci->net) {
3518 		unregister_netdev(dlci->net);
3519 		dlci_net_free(dlci);
3520 	}
3521 }
3522 
3523 static inline void muxnet_get(struct gsm_mux_net *mux_net)
3524 {
3525 	kref_get(&mux_net->ref);
3526 }
3527 
3528 static inline void muxnet_put(struct gsm_mux_net *mux_net)
3529 {
3530 	kref_put(&mux_net->ref, net_free);
3531 }
3532 
3533 static netdev_tx_t gsm_mux_net_start_xmit(struct sk_buff *skb,
3534 				      struct net_device *net)
3535 {
3536 	struct gsm_mux_net *mux_net = netdev_priv(net);
3537 	struct gsm_dlci *dlci = mux_net->dlci;
3538 	muxnet_get(mux_net);
3539 
3540 	skb_queue_head(&dlci->skb_list, skb);
3541 	net->stats.tx_packets++;
3542 	net->stats.tx_bytes += skb->len;
3543 	gsm_dlci_data_kick(dlci);
3544 	/* And tell the kernel when the last transmit started. */
3545 	netif_trans_update(net);
3546 	muxnet_put(mux_net);
3547 	return NETDEV_TX_OK;
3548 }
3549 
3550 /* called when a packet did not ack after watchdogtimeout */
3551 static void gsm_mux_net_tx_timeout(struct net_device *net, unsigned int txqueue)
3552 {
3553 	/* Tell syslog we are hosed. */
3554 	dev_dbg(&net->dev, "Tx timed out.\n");
3555 
3556 	/* Update statistics */
3557 	net->stats.tx_errors++;
3558 }
3559 
3560 static void gsm_mux_rx_netchar(struct gsm_dlci *dlci,
3561 				const unsigned char *in_buf, int size)
3562 {
3563 	struct net_device *net = dlci->net;
3564 	struct sk_buff *skb;
3565 	struct gsm_mux_net *mux_net = netdev_priv(net);
3566 	muxnet_get(mux_net);
3567 
3568 	/* Allocate an sk_buff */
3569 	skb = dev_alloc_skb(size + NET_IP_ALIGN);
3570 	if (!skb) {
3571 		/* We got no receive buffer. */
3572 		net->stats.rx_dropped++;
3573 		muxnet_put(mux_net);
3574 		return;
3575 	}
3576 	skb_reserve(skb, NET_IP_ALIGN);
3577 	skb_put_data(skb, in_buf, size);
3578 
3579 	skb->dev = net;
3580 	skb->protocol = htons(ETH_P_IP);
3581 
3582 	/* Ship it off to the kernel */
3583 	netif_rx(skb);
3584 
3585 	/* update out statistics */
3586 	net->stats.rx_packets++;
3587 	net->stats.rx_bytes += size;
3588 	muxnet_put(mux_net);
3589 	return;
3590 }
3591 
3592 static void gsm_mux_net_init(struct net_device *net)
3593 {
3594 	static const struct net_device_ops gsm_netdev_ops = {
3595 		.ndo_open		= gsm_mux_net_open,
3596 		.ndo_stop		= gsm_mux_net_close,
3597 		.ndo_start_xmit		= gsm_mux_net_start_xmit,
3598 		.ndo_tx_timeout		= gsm_mux_net_tx_timeout,
3599 	};
3600 
3601 	net->netdev_ops = &gsm_netdev_ops;
3602 
3603 	/* fill in the other fields */
3604 	net->watchdog_timeo = GSM_NET_TX_TIMEOUT;
3605 	net->flags = IFF_POINTOPOINT | IFF_NOARP | IFF_MULTICAST;
3606 	net->type = ARPHRD_NONE;
3607 	net->tx_queue_len = 10;
3608 }
3609 
3610 
3611 /* caller holds the dlci mutex */
3612 static void gsm_destroy_network(struct gsm_dlci *dlci)
3613 {
3614 	struct gsm_mux_net *mux_net;
3615 
3616 	pr_debug("destroy network interface\n");
3617 	if (!dlci->net)
3618 		return;
3619 	mux_net = netdev_priv(dlci->net);
3620 	muxnet_put(mux_net);
3621 }
3622 
3623 
3624 /* caller holds the dlci mutex */
3625 static int gsm_create_network(struct gsm_dlci *dlci, struct gsm_netconfig *nc)
3626 {
3627 	char *netname;
3628 	int retval = 0;
3629 	struct net_device *net;
3630 	struct gsm_mux_net *mux_net;
3631 
3632 	if (!capable(CAP_NET_ADMIN))
3633 		return -EPERM;
3634 
3635 	/* Already in a non tty mode */
3636 	if (dlci->adaption > 2)
3637 		return -EBUSY;
3638 
3639 	if (nc->protocol != htons(ETH_P_IP))
3640 		return -EPROTONOSUPPORT;
3641 
3642 	if (nc->adaption != 3 && nc->adaption != 4)
3643 		return -EPROTONOSUPPORT;
3644 
3645 	pr_debug("create network interface\n");
3646 
3647 	netname = "gsm%d";
3648 	if (nc->if_name[0] != '\0')
3649 		netname = nc->if_name;
3650 	net = alloc_netdev(sizeof(struct gsm_mux_net), netname,
3651 			   NET_NAME_UNKNOWN, gsm_mux_net_init);
3652 	if (!net) {
3653 		pr_err("alloc_netdev failed\n");
3654 		return -ENOMEM;
3655 	}
3656 	net->mtu = dlci->mtu;
3657 	net->min_mtu = MIN_MTU;
3658 	net->max_mtu = dlci->mtu;
3659 	mux_net = netdev_priv(net);
3660 	mux_net->dlci = dlci;
3661 	kref_init(&mux_net->ref);
3662 	strncpy(nc->if_name, net->name, IFNAMSIZ); /* return net name */
3663 
3664 	/* reconfigure dlci for network */
3665 	dlci->prev_adaption = dlci->adaption;
3666 	dlci->prev_data = dlci->data;
3667 	dlci->adaption = nc->adaption;
3668 	dlci->data = gsm_mux_rx_netchar;
3669 	dlci->net = net;
3670 
3671 	pr_debug("register netdev\n");
3672 	retval = register_netdev(net);
3673 	if (retval) {
3674 		pr_err("network register fail %d\n", retval);
3675 		dlci_net_free(dlci);
3676 		return retval;
3677 	}
3678 	return net->ifindex;	/* return network index */
3679 }
3680 
3681 /* Line discipline for real tty */
3682 static struct tty_ldisc_ops tty_ldisc_packet = {
3683 	.owner		 = THIS_MODULE,
3684 	.num		 = N_GSM0710,
3685 	.name            = "n_gsm",
3686 	.open            = gsmld_open,
3687 	.close           = gsmld_close,
3688 	.flush_buffer    = gsmld_flush_buffer,
3689 	.read            = gsmld_read,
3690 	.write           = gsmld_write,
3691 	.ioctl           = gsmld_ioctl,
3692 	.poll            = gsmld_poll,
3693 	.receive_buf     = gsmld_receive_buf,
3694 	.write_wakeup    = gsmld_write_wakeup
3695 };
3696 
3697 /*
3698  *	Virtual tty side
3699  */
3700 
3701 /**
3702  *	gsm_modem_upd_via_data	-	send modem bits via convergence layer
3703  *	@dlci: channel
3704  *	@brk: break signal
3705  *
3706  *	Send an empty frame to signal mobile state changes and to transmit the
3707  *	break signal for adaption 2.
3708  */
3709 
3710 static void gsm_modem_upd_via_data(struct gsm_dlci *dlci, u8 brk)
3711 {
3712 	struct gsm_mux *gsm = dlci->gsm;
3713 	unsigned long flags;
3714 
3715 	if (dlci->state != DLCI_OPEN || dlci->adaption != 2)
3716 		return;
3717 
3718 	spin_lock_irqsave(&gsm->tx_lock, flags);
3719 	gsm_dlci_modem_output(gsm, dlci, brk);
3720 	spin_unlock_irqrestore(&gsm->tx_lock, flags);
3721 }
3722 
3723 /**
3724  *	gsm_modem_upd_via_msc	-	send modem bits via control frame
3725  *	@dlci: channel
3726  *	@brk: break signal
3727  */
3728 
3729 static int gsm_modem_upd_via_msc(struct gsm_dlci *dlci, u8 brk)
3730 {
3731 	u8 modembits[3];
3732 	struct gsm_control *ctrl;
3733 	int len = 2;
3734 
3735 	if (dlci->gsm->encoding != GSM_BASIC_OPT)
3736 		return 0;
3737 
3738 	modembits[0] = (dlci->addr << 2) | 2 | EA;  /* DLCI, Valid, EA */
3739 	if (!brk) {
3740 		modembits[1] = (gsm_encode_modem(dlci) << 1) | EA;
3741 	} else {
3742 		modembits[1] = gsm_encode_modem(dlci) << 1;
3743 		modembits[2] = (brk << 4) | 2 | EA; /* Length, Break, EA */
3744 		len++;
3745 	}
3746 	ctrl = gsm_control_send(dlci->gsm, CMD_MSC, modembits, len);
3747 	if (ctrl == NULL)
3748 		return -ENOMEM;
3749 	return gsm_control_wait(dlci->gsm, ctrl);
3750 }
3751 
3752 /**
3753  *	gsm_modem_update	-	send modem status line state
3754  *	@dlci: channel
3755  *	@brk: break signal
3756  */
3757 
3758 static int gsm_modem_update(struct gsm_dlci *dlci, u8 brk)
3759 {
3760 	if (dlci->adaption == 2) {
3761 		/* Send convergence layer type 2 empty data frame. */
3762 		gsm_modem_upd_via_data(dlci, brk);
3763 		return 0;
3764 	} else if (dlci->gsm->encoding == GSM_BASIC_OPT) {
3765 		/* Send as MSC control message. */
3766 		return gsm_modem_upd_via_msc(dlci, brk);
3767 	}
3768 
3769 	/* Modem status lines are not supported. */
3770 	return -EPROTONOSUPPORT;
3771 }
3772 
3773 static int gsm_carrier_raised(struct tty_port *port)
3774 {
3775 	struct gsm_dlci *dlci = container_of(port, struct gsm_dlci, port);
3776 	struct gsm_mux *gsm = dlci->gsm;
3777 
3778 	/* Not yet open so no carrier info */
3779 	if (dlci->state != DLCI_OPEN)
3780 		return 0;
3781 	if (debug & DBG_CD_ON)
3782 		return 1;
3783 
3784 	/*
3785 	 * Basic mode with control channel in ADM mode may not respond
3786 	 * to CMD_MSC at all and modem_rx is empty.
3787 	 */
3788 	if (gsm->encoding == GSM_BASIC_OPT &&
3789 	    gsm->dlci[0]->mode == DLCI_MODE_ADM && !dlci->modem_rx)
3790 		return 1;
3791 
3792 	return dlci->modem_rx & TIOCM_CD;
3793 }
3794 
3795 static void gsm_dtr_rts(struct tty_port *port, int onoff)
3796 {
3797 	struct gsm_dlci *dlci = container_of(port, struct gsm_dlci, port);
3798 	unsigned int modem_tx = dlci->modem_tx;
3799 	if (onoff)
3800 		modem_tx |= TIOCM_DTR | TIOCM_RTS;
3801 	else
3802 		modem_tx &= ~(TIOCM_DTR | TIOCM_RTS);
3803 	if (modem_tx != dlci->modem_tx) {
3804 		dlci->modem_tx = modem_tx;
3805 		gsm_modem_update(dlci, 0);
3806 	}
3807 }
3808 
3809 static const struct tty_port_operations gsm_port_ops = {
3810 	.carrier_raised = gsm_carrier_raised,
3811 	.dtr_rts = gsm_dtr_rts,
3812 	.destruct = gsm_dlci_free,
3813 };
3814 
3815 static int gsmtty_install(struct tty_driver *driver, struct tty_struct *tty)
3816 {
3817 	struct gsm_mux *gsm;
3818 	struct gsm_dlci *dlci;
3819 	unsigned int line = tty->index;
3820 	unsigned int mux = mux_line_to_num(line);
3821 	bool alloc = false;
3822 	int ret;
3823 
3824 	line = line & 0x3F;
3825 
3826 	if (mux >= MAX_MUX)
3827 		return -ENXIO;
3828 	/* FIXME: we need to lock gsm_mux for lifetimes of ttys eventually */
3829 	if (gsm_mux[mux] == NULL)
3830 		return -EUNATCH;
3831 	if (line == 0 || line > 61)	/* 62/63 reserved */
3832 		return -ECHRNG;
3833 	gsm = gsm_mux[mux];
3834 	if (gsm->dead)
3835 		return -EL2HLT;
3836 	/* If DLCI 0 is not yet fully open return an error.
3837 	This is ok from a locking
3838 	perspective as we don't have to worry about this
3839 	if DLCI0 is lost */
3840 	mutex_lock(&gsm->mutex);
3841 	if (gsm->dlci[0] && gsm->dlci[0]->state != DLCI_OPEN) {
3842 		mutex_unlock(&gsm->mutex);
3843 		return -EL2NSYNC;
3844 	}
3845 	dlci = gsm->dlci[line];
3846 	if (dlci == NULL) {
3847 		alloc = true;
3848 		dlci = gsm_dlci_alloc(gsm, line);
3849 	}
3850 	if (dlci == NULL) {
3851 		mutex_unlock(&gsm->mutex);
3852 		return -ENOMEM;
3853 	}
3854 	ret = tty_port_install(&dlci->port, driver, tty);
3855 	if (ret) {
3856 		if (alloc)
3857 			dlci_put(dlci);
3858 		mutex_unlock(&gsm->mutex);
3859 		return ret;
3860 	}
3861 
3862 	dlci_get(dlci);
3863 	dlci_get(gsm->dlci[0]);
3864 	mux_get(gsm);
3865 	tty->driver_data = dlci;
3866 	mutex_unlock(&gsm->mutex);
3867 
3868 	return 0;
3869 }
3870 
3871 static int gsmtty_open(struct tty_struct *tty, struct file *filp)
3872 {
3873 	struct gsm_dlci *dlci = tty->driver_data;
3874 	struct tty_port *port = &dlci->port;
3875 	struct gsm_mux *gsm = dlci->gsm;
3876 
3877 	port->count++;
3878 	tty_port_tty_set(port, tty);
3879 
3880 	dlci->modem_rx = 0;
3881 	/* We could in theory open and close before we wait - eg if we get
3882 	   a DM straight back. This is ok as that will have caused a hangup */
3883 	tty_port_set_initialized(port, 1);
3884 	/* Start sending off SABM messages */
3885 	if (gsm->initiator)
3886 		gsm_dlci_begin_open(dlci);
3887 	else
3888 		gsm_dlci_set_opening(dlci);
3889 	/* And wait for virtual carrier */
3890 	return tty_port_block_til_ready(port, tty, filp);
3891 }
3892 
3893 static void gsmtty_close(struct tty_struct *tty, struct file *filp)
3894 {
3895 	struct gsm_dlci *dlci = tty->driver_data;
3896 
3897 	if (dlci == NULL)
3898 		return;
3899 	if (dlci->state == DLCI_CLOSED)
3900 		return;
3901 	mutex_lock(&dlci->mutex);
3902 	gsm_destroy_network(dlci);
3903 	mutex_unlock(&dlci->mutex);
3904 	if (tty_port_close_start(&dlci->port, tty, filp) == 0)
3905 		return;
3906 	gsm_dlci_begin_close(dlci);
3907 	if (tty_port_initialized(&dlci->port) && C_HUPCL(tty))
3908 		tty_port_lower_dtr_rts(&dlci->port);
3909 	tty_port_close_end(&dlci->port, tty);
3910 	tty_port_tty_set(&dlci->port, NULL);
3911 	return;
3912 }
3913 
3914 static void gsmtty_hangup(struct tty_struct *tty)
3915 {
3916 	struct gsm_dlci *dlci = tty->driver_data;
3917 	if (dlci->state == DLCI_CLOSED)
3918 		return;
3919 	tty_port_hangup(&dlci->port);
3920 	gsm_dlci_begin_close(dlci);
3921 }
3922 
3923 static int gsmtty_write(struct tty_struct *tty, const unsigned char *buf,
3924 								    int len)
3925 {
3926 	int sent;
3927 	struct gsm_dlci *dlci = tty->driver_data;
3928 	if (dlci->state == DLCI_CLOSED)
3929 		return -EINVAL;
3930 	/* Stuff the bytes into the fifo queue */
3931 	sent = kfifo_in_locked(&dlci->fifo, buf, len, &dlci->lock);
3932 	/* Need to kick the channel */
3933 	gsm_dlci_data_kick(dlci);
3934 	return sent;
3935 }
3936 
3937 static unsigned int gsmtty_write_room(struct tty_struct *tty)
3938 {
3939 	struct gsm_dlci *dlci = tty->driver_data;
3940 	if (dlci->state == DLCI_CLOSED)
3941 		return 0;
3942 	return kfifo_avail(&dlci->fifo);
3943 }
3944 
3945 static unsigned int gsmtty_chars_in_buffer(struct tty_struct *tty)
3946 {
3947 	struct gsm_dlci *dlci = tty->driver_data;
3948 	if (dlci->state == DLCI_CLOSED)
3949 		return 0;
3950 	return kfifo_len(&dlci->fifo);
3951 }
3952 
3953 static void gsmtty_flush_buffer(struct tty_struct *tty)
3954 {
3955 	struct gsm_dlci *dlci = tty->driver_data;
3956 	unsigned long flags;
3957 
3958 	if (dlci->state == DLCI_CLOSED)
3959 		return;
3960 	/* Caution needed: If we implement reliable transport classes
3961 	   then the data being transmitted can't simply be junked once
3962 	   it has first hit the stack. Until then we can just blow it
3963 	   away */
3964 	spin_lock_irqsave(&dlci->lock, flags);
3965 	kfifo_reset(&dlci->fifo);
3966 	spin_unlock_irqrestore(&dlci->lock, flags);
3967 	/* Need to unhook this DLCI from the transmit queue logic */
3968 }
3969 
3970 static void gsmtty_wait_until_sent(struct tty_struct *tty, int timeout)
3971 {
3972 	/* The FIFO handles the queue so the kernel will do the right
3973 	   thing waiting on chars_in_buffer before calling us. No work
3974 	   to do here */
3975 }
3976 
3977 static int gsmtty_tiocmget(struct tty_struct *tty)
3978 {
3979 	struct gsm_dlci *dlci = tty->driver_data;
3980 	if (dlci->state == DLCI_CLOSED)
3981 		return -EINVAL;
3982 	return dlci->modem_rx;
3983 }
3984 
3985 static int gsmtty_tiocmset(struct tty_struct *tty,
3986 	unsigned int set, unsigned int clear)
3987 {
3988 	struct gsm_dlci *dlci = tty->driver_data;
3989 	unsigned int modem_tx = dlci->modem_tx;
3990 
3991 	if (dlci->state == DLCI_CLOSED)
3992 		return -EINVAL;
3993 	modem_tx &= ~clear;
3994 	modem_tx |= set;
3995 
3996 	if (modem_tx != dlci->modem_tx) {
3997 		dlci->modem_tx = modem_tx;
3998 		return gsm_modem_update(dlci, 0);
3999 	}
4000 	return 0;
4001 }
4002 
4003 
4004 static int gsmtty_ioctl(struct tty_struct *tty,
4005 			unsigned int cmd, unsigned long arg)
4006 {
4007 	struct gsm_dlci *dlci = tty->driver_data;
4008 	struct gsm_netconfig nc;
4009 	int index;
4010 
4011 	if (dlci->state == DLCI_CLOSED)
4012 		return -EINVAL;
4013 	switch (cmd) {
4014 	case GSMIOC_ENABLE_NET:
4015 		if (copy_from_user(&nc, (void __user *)arg, sizeof(nc)))
4016 			return -EFAULT;
4017 		nc.if_name[IFNAMSIZ-1] = '\0';
4018 		/* return net interface index or error code */
4019 		mutex_lock(&dlci->mutex);
4020 		index = gsm_create_network(dlci, &nc);
4021 		mutex_unlock(&dlci->mutex);
4022 		if (copy_to_user((void __user *)arg, &nc, sizeof(nc)))
4023 			return -EFAULT;
4024 		return index;
4025 	case GSMIOC_DISABLE_NET:
4026 		if (!capable(CAP_NET_ADMIN))
4027 			return -EPERM;
4028 		mutex_lock(&dlci->mutex);
4029 		gsm_destroy_network(dlci);
4030 		mutex_unlock(&dlci->mutex);
4031 		return 0;
4032 	default:
4033 		return -ENOIOCTLCMD;
4034 	}
4035 }
4036 
4037 static void gsmtty_set_termios(struct tty_struct *tty,
4038 			       const struct ktermios *old)
4039 {
4040 	struct gsm_dlci *dlci = tty->driver_data;
4041 	if (dlci->state == DLCI_CLOSED)
4042 		return;
4043 	/* For the moment its fixed. In actual fact the speed information
4044 	   for the virtual channel can be propogated in both directions by
4045 	   the RPN control message. This however rapidly gets nasty as we
4046 	   then have to remap modem signals each way according to whether
4047 	   our virtual cable is null modem etc .. */
4048 	tty_termios_copy_hw(&tty->termios, old);
4049 }
4050 
4051 static void gsmtty_throttle(struct tty_struct *tty)
4052 {
4053 	struct gsm_dlci *dlci = tty->driver_data;
4054 	if (dlci->state == DLCI_CLOSED)
4055 		return;
4056 	if (C_CRTSCTS(tty))
4057 		dlci->modem_tx &= ~TIOCM_RTS;
4058 	dlci->throttled = true;
4059 	/* Send an MSC with RTS cleared */
4060 	gsm_modem_update(dlci, 0);
4061 }
4062 
4063 static void gsmtty_unthrottle(struct tty_struct *tty)
4064 {
4065 	struct gsm_dlci *dlci = tty->driver_data;
4066 	if (dlci->state == DLCI_CLOSED)
4067 		return;
4068 	if (C_CRTSCTS(tty))
4069 		dlci->modem_tx |= TIOCM_RTS;
4070 	dlci->throttled = false;
4071 	/* Send an MSC with RTS set */
4072 	gsm_modem_update(dlci, 0);
4073 }
4074 
4075 static int gsmtty_break_ctl(struct tty_struct *tty, int state)
4076 {
4077 	struct gsm_dlci *dlci = tty->driver_data;
4078 	int encode = 0;	/* Off */
4079 	if (dlci->state == DLCI_CLOSED)
4080 		return -EINVAL;
4081 
4082 	if (state == -1)	/* "On indefinitely" - we can't encode this
4083 				    properly */
4084 		encode = 0x0F;
4085 	else if (state > 0) {
4086 		encode = state / 200;	/* mS to encoding */
4087 		if (encode > 0x0F)
4088 			encode = 0x0F;	/* Best effort */
4089 	}
4090 	return gsm_modem_update(dlci, encode);
4091 }
4092 
4093 static void gsmtty_cleanup(struct tty_struct *tty)
4094 {
4095 	struct gsm_dlci *dlci = tty->driver_data;
4096 	struct gsm_mux *gsm = dlci->gsm;
4097 
4098 	dlci_put(dlci);
4099 	dlci_put(gsm->dlci[0]);
4100 	mux_put(gsm);
4101 }
4102 
4103 /* Virtual ttys for the demux */
4104 static const struct tty_operations gsmtty_ops = {
4105 	.install		= gsmtty_install,
4106 	.open			= gsmtty_open,
4107 	.close			= gsmtty_close,
4108 	.write			= gsmtty_write,
4109 	.write_room		= gsmtty_write_room,
4110 	.chars_in_buffer	= gsmtty_chars_in_buffer,
4111 	.flush_buffer		= gsmtty_flush_buffer,
4112 	.ioctl			= gsmtty_ioctl,
4113 	.throttle		= gsmtty_throttle,
4114 	.unthrottle		= gsmtty_unthrottle,
4115 	.set_termios		= gsmtty_set_termios,
4116 	.hangup			= gsmtty_hangup,
4117 	.wait_until_sent	= gsmtty_wait_until_sent,
4118 	.tiocmget		= gsmtty_tiocmget,
4119 	.tiocmset		= gsmtty_tiocmset,
4120 	.break_ctl		= gsmtty_break_ctl,
4121 	.cleanup		= gsmtty_cleanup,
4122 };
4123 
4124 
4125 
4126 static int __init gsm_init(void)
4127 {
4128 	/* Fill in our line protocol discipline, and register it */
4129 	int status = tty_register_ldisc(&tty_ldisc_packet);
4130 	if (status != 0) {
4131 		pr_err("n_gsm: can't register line discipline (err = %d)\n",
4132 								status);
4133 		return status;
4134 	}
4135 
4136 	gsm_tty_driver = tty_alloc_driver(GSM_TTY_MINORS, TTY_DRIVER_REAL_RAW |
4137 			TTY_DRIVER_DYNAMIC_DEV | TTY_DRIVER_HARDWARE_BREAK);
4138 	if (IS_ERR(gsm_tty_driver)) {
4139 		pr_err("gsm_init: tty allocation failed.\n");
4140 		status = PTR_ERR(gsm_tty_driver);
4141 		goto err_unreg_ldisc;
4142 	}
4143 	gsm_tty_driver->driver_name	= "gsmtty";
4144 	gsm_tty_driver->name		= "gsmtty";
4145 	gsm_tty_driver->major		= 0;	/* Dynamic */
4146 	gsm_tty_driver->minor_start	= 0;
4147 	gsm_tty_driver->type		= TTY_DRIVER_TYPE_SERIAL;
4148 	gsm_tty_driver->subtype	= SERIAL_TYPE_NORMAL;
4149 	gsm_tty_driver->init_termios	= tty_std_termios;
4150 	/* Fixme */
4151 	gsm_tty_driver->init_termios.c_lflag &= ~ECHO;
4152 	tty_set_operations(gsm_tty_driver, &gsmtty_ops);
4153 
4154 	if (tty_register_driver(gsm_tty_driver)) {
4155 		pr_err("gsm_init: tty registration failed.\n");
4156 		status = -EBUSY;
4157 		goto err_put_driver;
4158 	}
4159 	pr_debug("gsm_init: loaded as %d,%d.\n",
4160 			gsm_tty_driver->major, gsm_tty_driver->minor_start);
4161 	return 0;
4162 err_put_driver:
4163 	tty_driver_kref_put(gsm_tty_driver);
4164 err_unreg_ldisc:
4165 	tty_unregister_ldisc(&tty_ldisc_packet);
4166 	return status;
4167 }
4168 
4169 static void __exit gsm_exit(void)
4170 {
4171 	tty_unregister_ldisc(&tty_ldisc_packet);
4172 	tty_unregister_driver(gsm_tty_driver);
4173 	tty_driver_kref_put(gsm_tty_driver);
4174 }
4175 
4176 module_init(gsm_init);
4177 module_exit(gsm_exit);
4178 
4179 
4180 MODULE_LICENSE("GPL");
4181 MODULE_ALIAS_LDISC(N_GSM0710);
4182