1 // SPDX-License-Identifier: GPL-2.0-only
2 /*
3  *
4  * Copyright (C) Hans Alblas PE1AYX <hans@esrac.ele.tue.nl>
5  * Copyright (C) 2004, 05 Ralf Baechle DL5RB <ralf@linux-mips.org>
6  * Copyright (C) 2004, 05 Thomas Osterried DL9SAU <thomas@x-berg.in-berlin.de>
7  */
8 #include <linux/module.h>
9 #include <linux/bitops.h>
10 #include <linux/uaccess.h>
11 #include <linux/crc16.h>
12 #include <linux/string.h>
13 #include <linux/mm.h>
14 #include <linux/interrupt.h>
15 #include <linux/in.h>
16 #include <linux/inet.h>
17 #include <linux/slab.h>
18 #include <linux/tty.h>
19 #include <linux/errno.h>
20 #include <linux/netdevice.h>
21 #include <linux/major.h>
22 #include <linux/init.h>
23 #include <linux/rtnetlink.h>
24 #include <linux/etherdevice.h>
25 #include <linux/skbuff.h>
26 #include <linux/if_arp.h>
27 #include <linux/jiffies.h>
28 #include <linux/refcount.h>
29 
30 #include <net/ax25.h>
31 
32 #define AX_MTU		236
33 
34 /* some arch define END as assembly function ending, just undef it */
35 #undef	END
36 /* SLIP/KISS protocol characters. */
37 #define END             0300		/* indicates end of frame	*/
38 #define ESC             0333		/* indicates byte stuffing	*/
39 #define ESC_END         0334		/* ESC ESC_END means END 'data'	*/
40 #define ESC_ESC         0335		/* ESC ESC_ESC means ESC 'data'	*/
41 
42 struct mkiss {
43 	struct tty_struct	*tty;	/* ptr to TTY structure		*/
44 	struct net_device	*dev;	/* easy for intr handling	*/
45 
46 	/* These are pointers to the malloc()ed frame buffers. */
47 	spinlock_t		buflock;/* lock for rbuf and xbuf */
48 	unsigned char		*rbuff;	/* receiver buffer		*/
49 	int			rcount;	/* received chars counter       */
50 	unsigned char		*xbuff;	/* transmitter buffer		*/
51 	unsigned char		*xhead;	/* pointer to next byte to XMIT */
52 	int			xleft;	/* bytes left in XMIT queue     */
53 
54 	/* Detailed SLIP statistics. */
55 	int		mtu;		/* Our mtu (to spot changes!)   */
56 	int		buffsize;	/* Max buffers sizes            */
57 
58 	unsigned long	flags;		/* Flag values/ mode etc	*/
59 					/* long req'd: used by set_bit --RR */
60 #define AXF_INUSE	0		/* Channel in use               */
61 #define AXF_ESCAPE	1               /* ESC received                 */
62 #define AXF_ERROR	2               /* Parity, etc. error           */
63 #define AXF_KEEPTEST	3		/* Keepalive test flag		*/
64 #define AXF_OUTWAIT	4		/* is outpacket was flag	*/
65 
66 	int		mode;
67         int		crcmode;	/* MW: for FlexNet, SMACK etc.  */
68 	int		crcauto;	/* CRC auto mode */
69 
70 #define CRC_MODE_NONE		0
71 #define CRC_MODE_FLEX		1
72 #define CRC_MODE_SMACK		2
73 #define CRC_MODE_FLEX_TEST	3
74 #define CRC_MODE_SMACK_TEST	4
75 
76 	refcount_t		refcnt;
77 	struct completion	dead;
78 };
79 
80 /*---------------------------------------------------------------------------*/
81 
82 static const unsigned short crc_flex_table[] = {
83 	0x0f87, 0x1e0e, 0x2c95, 0x3d1c, 0x49a3, 0x582a, 0x6ab1, 0x7b38,
84 	0x83cf, 0x9246, 0xa0dd, 0xb154, 0xc5eb, 0xd462, 0xe6f9, 0xf770,
85 	0x1f06, 0x0e8f, 0x3c14, 0x2d9d, 0x5922, 0x48ab, 0x7a30, 0x6bb9,
86 	0x934e, 0x82c7, 0xb05c, 0xa1d5, 0xd56a, 0xc4e3, 0xf678, 0xe7f1,
87 	0x2e85, 0x3f0c, 0x0d97, 0x1c1e, 0x68a1, 0x7928, 0x4bb3, 0x5a3a,
88 	0xa2cd, 0xb344, 0x81df, 0x9056, 0xe4e9, 0xf560, 0xc7fb, 0xd672,
89 	0x3e04, 0x2f8d, 0x1d16, 0x0c9f, 0x7820, 0x69a9, 0x5b32, 0x4abb,
90 	0xb24c, 0xa3c5, 0x915e, 0x80d7, 0xf468, 0xe5e1, 0xd77a, 0xc6f3,
91 	0x4d83, 0x5c0a, 0x6e91, 0x7f18, 0x0ba7, 0x1a2e, 0x28b5, 0x393c,
92 	0xc1cb, 0xd042, 0xe2d9, 0xf350, 0x87ef, 0x9666, 0xa4fd, 0xb574,
93 	0x5d02, 0x4c8b, 0x7e10, 0x6f99, 0x1b26, 0x0aaf, 0x3834, 0x29bd,
94 	0xd14a, 0xc0c3, 0xf258, 0xe3d1, 0x976e, 0x86e7, 0xb47c, 0xa5f5,
95 	0x6c81, 0x7d08, 0x4f93, 0x5e1a, 0x2aa5, 0x3b2c, 0x09b7, 0x183e,
96 	0xe0c9, 0xf140, 0xc3db, 0xd252, 0xa6ed, 0xb764, 0x85ff, 0x9476,
97 	0x7c00, 0x6d89, 0x5f12, 0x4e9b, 0x3a24, 0x2bad, 0x1936, 0x08bf,
98 	0xf048, 0xe1c1, 0xd35a, 0xc2d3, 0xb66c, 0xa7e5, 0x957e, 0x84f7,
99 	0x8b8f, 0x9a06, 0xa89d, 0xb914, 0xcdab, 0xdc22, 0xeeb9, 0xff30,
100 	0x07c7, 0x164e, 0x24d5, 0x355c, 0x41e3, 0x506a, 0x62f1, 0x7378,
101 	0x9b0e, 0x8a87, 0xb81c, 0xa995, 0xdd2a, 0xcca3, 0xfe38, 0xefb1,
102 	0x1746, 0x06cf, 0x3454, 0x25dd, 0x5162, 0x40eb, 0x7270, 0x63f9,
103 	0xaa8d, 0xbb04, 0x899f, 0x9816, 0xeca9, 0xfd20, 0xcfbb, 0xde32,
104 	0x26c5, 0x374c, 0x05d7, 0x145e, 0x60e1, 0x7168, 0x43f3, 0x527a,
105 	0xba0c, 0xab85, 0x991e, 0x8897, 0xfc28, 0xeda1, 0xdf3a, 0xceb3,
106 	0x3644, 0x27cd, 0x1556, 0x04df, 0x7060, 0x61e9, 0x5372, 0x42fb,
107 	0xc98b, 0xd802, 0xea99, 0xfb10, 0x8faf, 0x9e26, 0xacbd, 0xbd34,
108 	0x45c3, 0x544a, 0x66d1, 0x7758, 0x03e7, 0x126e, 0x20f5, 0x317c,
109 	0xd90a, 0xc883, 0xfa18, 0xeb91, 0x9f2e, 0x8ea7, 0xbc3c, 0xadb5,
110 	0x5542, 0x44cb, 0x7650, 0x67d9, 0x1366, 0x02ef, 0x3074, 0x21fd,
111 	0xe889, 0xf900, 0xcb9b, 0xda12, 0xaead, 0xbf24, 0x8dbf, 0x9c36,
112 	0x64c1, 0x7548, 0x47d3, 0x565a, 0x22e5, 0x336c, 0x01f7, 0x107e,
113 	0xf808, 0xe981, 0xdb1a, 0xca93, 0xbe2c, 0xafa5, 0x9d3e, 0x8cb7,
114 	0x7440, 0x65c9, 0x5752, 0x46db, 0x3264, 0x23ed, 0x1176, 0x00ff
115 };
116 
calc_crc_flex(unsigned char * cp,int size)117 static unsigned short calc_crc_flex(unsigned char *cp, int size)
118 {
119 	unsigned short crc = 0xffff;
120 
121 	while (size--)
122 		crc = (crc << 8) ^ crc_flex_table[((crc >> 8) ^ *cp++) & 0xff];
123 
124 	return crc;
125 }
126 
check_crc_flex(unsigned char * cp,int size)127 static int check_crc_flex(unsigned char *cp, int size)
128 {
129 	unsigned short crc = 0xffff;
130 
131 	if (size < 3)
132 		return -1;
133 
134 	while (size--)
135 		crc = (crc << 8) ^ crc_flex_table[((crc >> 8) ^ *cp++) & 0xff];
136 
137 	if ((crc & 0xffff) != 0x7070)
138 		return -1;
139 
140 	return 0;
141 }
142 
check_crc_16(unsigned char * cp,int size)143 static int check_crc_16(unsigned char *cp, int size)
144 {
145 	unsigned short crc = 0x0000;
146 
147 	if (size < 3)
148 		return -1;
149 
150 	crc = crc16(0, cp, size);
151 
152 	if (crc != 0x0000)
153 		return -1;
154 
155 	return 0;
156 }
157 
158 /*
159  * Standard encapsulation
160  */
161 
kiss_esc(unsigned char * s,unsigned char * d,int len)162 static int kiss_esc(unsigned char *s, unsigned char *d, int len)
163 {
164 	unsigned char *ptr = d;
165 	unsigned char c;
166 
167 	/*
168 	 * Send an initial END character to flush out any data that may have
169 	 * accumulated in the receiver due to line noise.
170 	 */
171 
172 	*ptr++ = END;
173 
174 	while (len-- > 0) {
175 		switch (c = *s++) {
176 		case END:
177 			*ptr++ = ESC;
178 			*ptr++ = ESC_END;
179 			break;
180 		case ESC:
181 			*ptr++ = ESC;
182 			*ptr++ = ESC_ESC;
183 			break;
184 		default:
185 			*ptr++ = c;
186 			break;
187 		}
188 	}
189 
190 	*ptr++ = END;
191 
192 	return ptr - d;
193 }
194 
195 /*
196  * MW:
197  * OK its ugly, but tell me a better solution without copying the
198  * packet to a temporary buffer :-)
199  */
kiss_esc_crc(unsigned char * s,unsigned char * d,unsigned short crc,int len)200 static int kiss_esc_crc(unsigned char *s, unsigned char *d, unsigned short crc,
201 	int len)
202 {
203 	unsigned char *ptr = d;
204 	unsigned char c=0;
205 
206 	*ptr++ = END;
207 	while (len > 0) {
208 		if (len > 2)
209 			c = *s++;
210 		else if (len > 1)
211 			c = crc >> 8;
212 		else
213 			c = crc & 0xff;
214 
215 		len--;
216 
217 		switch (c) {
218 		case END:
219 			*ptr++ = ESC;
220 			*ptr++ = ESC_END;
221 			break;
222 		case ESC:
223 			*ptr++ = ESC;
224 			*ptr++ = ESC_ESC;
225 			break;
226 		default:
227 			*ptr++ = c;
228 			break;
229 		}
230 	}
231 	*ptr++ = END;
232 
233 	return ptr - d;
234 }
235 
236 /* Send one completely decapsulated AX.25 packet to the AX.25 layer. */
ax_bump(struct mkiss * ax)237 static void ax_bump(struct mkiss *ax)
238 {
239 	struct sk_buff *skb;
240 	int count;
241 
242 	spin_lock_bh(&ax->buflock);
243 	if (ax->rbuff[0] > 0x0f) {
244 		if (ax->rbuff[0] & 0x80) {
245 			if (check_crc_16(ax->rbuff, ax->rcount) < 0) {
246 				ax->dev->stats.rx_errors++;
247 				spin_unlock_bh(&ax->buflock);
248 
249 				return;
250 			}
251 			if (ax->crcmode != CRC_MODE_SMACK && ax->crcauto) {
252 				printk(KERN_INFO
253 				       "mkiss: %s: Switching to crc-smack\n",
254 				       ax->dev->name);
255 				ax->crcmode = CRC_MODE_SMACK;
256 			}
257 			ax->rcount -= 2;
258 			*ax->rbuff &= ~0x80;
259 		} else if (ax->rbuff[0] & 0x20)  {
260 			if (check_crc_flex(ax->rbuff, ax->rcount) < 0) {
261 				ax->dev->stats.rx_errors++;
262 				spin_unlock_bh(&ax->buflock);
263 				return;
264 			}
265 			if (ax->crcmode != CRC_MODE_FLEX && ax->crcauto) {
266 				printk(KERN_INFO
267 				       "mkiss: %s: Switching to crc-flexnet\n",
268 				       ax->dev->name);
269 				ax->crcmode = CRC_MODE_FLEX;
270 			}
271 			ax->rcount -= 2;
272 
273 			/*
274 			 * dl9sau bugfix: the trailling two bytes flexnet crc
275 			 * will not be passed to the kernel. thus we have to
276 			 * correct the kissparm signature, because it indicates
277 			 * a crc but there's none
278 			 */
279 			*ax->rbuff &= ~0x20;
280 		}
281 	}
282 
283 	count = ax->rcount;
284 
285 	if ((skb = dev_alloc_skb(count)) == NULL) {
286 		printk(KERN_ERR "mkiss: %s: memory squeeze, dropping packet.\n",
287 		       ax->dev->name);
288 		ax->dev->stats.rx_dropped++;
289 		spin_unlock_bh(&ax->buflock);
290 		return;
291 	}
292 
293 	skb_put_data(skb, ax->rbuff, count);
294 	skb->protocol = ax25_type_trans(skb, ax->dev);
295 	netif_rx(skb);
296 	ax->dev->stats.rx_packets++;
297 	ax->dev->stats.rx_bytes += count;
298 	spin_unlock_bh(&ax->buflock);
299 }
300 
kiss_unesc(struct mkiss * ax,unsigned char s)301 static void kiss_unesc(struct mkiss *ax, unsigned char s)
302 {
303 	switch (s) {
304 	case END:
305 		/* drop keeptest bit = VSV */
306 		if (test_bit(AXF_KEEPTEST, &ax->flags))
307 			clear_bit(AXF_KEEPTEST, &ax->flags);
308 
309 		if (!test_and_clear_bit(AXF_ERROR, &ax->flags) && (ax->rcount > 2))
310 			ax_bump(ax);
311 
312 		clear_bit(AXF_ESCAPE, &ax->flags);
313 		ax->rcount = 0;
314 		return;
315 
316 	case ESC:
317 		set_bit(AXF_ESCAPE, &ax->flags);
318 		return;
319 	case ESC_ESC:
320 		if (test_and_clear_bit(AXF_ESCAPE, &ax->flags))
321 			s = ESC;
322 		break;
323 	case ESC_END:
324 		if (test_and_clear_bit(AXF_ESCAPE, &ax->flags))
325 			s = END;
326 		break;
327 	}
328 
329 	spin_lock_bh(&ax->buflock);
330 	if (!test_bit(AXF_ERROR, &ax->flags)) {
331 		if (ax->rcount < ax->buffsize) {
332 			ax->rbuff[ax->rcount++] = s;
333 			spin_unlock_bh(&ax->buflock);
334 			return;
335 		}
336 
337 		ax->dev->stats.rx_over_errors++;
338 		set_bit(AXF_ERROR, &ax->flags);
339 	}
340 	spin_unlock_bh(&ax->buflock);
341 }
342 
ax_set_mac_address(struct net_device * dev,void * addr)343 static int ax_set_mac_address(struct net_device *dev, void *addr)
344 {
345 	struct sockaddr_ax25 *sa = addr;
346 
347 	netif_tx_lock_bh(dev);
348 	netif_addr_lock(dev);
349 	__dev_addr_set(dev, &sa->sax25_call, AX25_ADDR_LEN);
350 	netif_addr_unlock(dev);
351 	netif_tx_unlock_bh(dev);
352 
353 	return 0;
354 }
355 
356 /*---------------------------------------------------------------------------*/
357 
ax_changedmtu(struct mkiss * ax)358 static void ax_changedmtu(struct mkiss *ax)
359 {
360 	struct net_device *dev = ax->dev;
361 	unsigned char *xbuff, *rbuff, *oxbuff, *orbuff;
362 	int len;
363 
364 	len = dev->mtu * 2;
365 
366 	/*
367 	 * allow for arrival of larger UDP packets, even if we say not to
368 	 * also fixes a bug in which SunOS sends 512-byte packets even with
369 	 * an MSS of 128
370 	 */
371 	if (len < 576 * 2)
372 		len = 576 * 2;
373 
374 	xbuff = kmalloc(len + 4, GFP_ATOMIC);
375 	rbuff = kmalloc(len + 4, GFP_ATOMIC);
376 
377 	if (xbuff == NULL || rbuff == NULL)  {
378 		printk(KERN_ERR "mkiss: %s: unable to grow ax25 buffers, "
379 		       "MTU change cancelled.\n",
380 		       ax->dev->name);
381 		dev->mtu = ax->mtu;
382 		kfree(xbuff);
383 		kfree(rbuff);
384 		return;
385 	}
386 
387 	spin_lock_bh(&ax->buflock);
388 
389 	oxbuff    = ax->xbuff;
390 	ax->xbuff = xbuff;
391 	orbuff    = ax->rbuff;
392 	ax->rbuff = rbuff;
393 
394 	if (ax->xleft) {
395 		if (ax->xleft <= len) {
396 			memcpy(ax->xbuff, ax->xhead, ax->xleft);
397 		} else  {
398 			ax->xleft = 0;
399 			dev->stats.tx_dropped++;
400 		}
401 	}
402 
403 	ax->xhead = ax->xbuff;
404 
405 	if (ax->rcount) {
406 		if (ax->rcount <= len) {
407 			memcpy(ax->rbuff, orbuff, ax->rcount);
408 		} else  {
409 			ax->rcount = 0;
410 			dev->stats.rx_over_errors++;
411 			set_bit(AXF_ERROR, &ax->flags);
412 		}
413 	}
414 
415 	ax->mtu      = dev->mtu + 73;
416 	ax->buffsize = len;
417 
418 	spin_unlock_bh(&ax->buflock);
419 
420 	kfree(oxbuff);
421 	kfree(orbuff);
422 }
423 
424 /* Encapsulate one AX.25 packet and stuff into a TTY queue. */
ax_encaps(struct net_device * dev,unsigned char * icp,int len)425 static void ax_encaps(struct net_device *dev, unsigned char *icp, int len)
426 {
427 	struct mkiss *ax = netdev_priv(dev);
428 	unsigned char *p;
429 	int actual, count;
430 
431 	if (ax->mtu != ax->dev->mtu + 73)	/* Someone has been ifconfigging */
432 		ax_changedmtu(ax);
433 
434 	if (len > ax->mtu) {		/* Sigh, shouldn't occur BUT ... */
435 		printk(KERN_ERR "mkiss: %s: truncating oversized transmit packet!\n", ax->dev->name);
436 		dev->stats.tx_dropped++;
437 		netif_start_queue(dev);
438 		return;
439 	}
440 
441 	p = icp;
442 
443 	spin_lock_bh(&ax->buflock);
444 	if ((*p & 0x0f) != 0) {
445 		/* Configuration Command (kissparms(1).
446 		 * Protocol spec says: never append CRC.
447 		 * This fixes a very old bug in the linux
448 		 * kiss driver. -- dl9sau */
449 		switch (*p & 0xff) {
450 		case 0x85:
451 			/* command from userspace especially for us,
452 			 * not for delivery to the tnc */
453 			if (len > 1) {
454 				int cmd = (p[1] & 0xff);
455 				switch(cmd) {
456 				case 3:
457 				  ax->crcmode = CRC_MODE_SMACK;
458 				  break;
459 				case 2:
460 				  ax->crcmode = CRC_MODE_FLEX;
461 				  break;
462 				case 1:
463 				  ax->crcmode = CRC_MODE_NONE;
464 				  break;
465 				case 0:
466 				default:
467 				  ax->crcmode = CRC_MODE_SMACK_TEST;
468 				  cmd = 0;
469 				}
470 				ax->crcauto = (cmd ? 0 : 1);
471 				printk(KERN_INFO "mkiss: %s: crc mode set to %d\n",
472 				       ax->dev->name, cmd);
473 			}
474 			spin_unlock_bh(&ax->buflock);
475 			netif_start_queue(dev);
476 
477 			return;
478 		default:
479 			count = kiss_esc(p, ax->xbuff, len);
480 		}
481 	} else {
482 		unsigned short crc;
483 		switch (ax->crcmode) {
484 		case CRC_MODE_SMACK_TEST:
485 			ax->crcmode  = CRC_MODE_FLEX_TEST;
486 			printk(KERN_INFO "mkiss: %s: Trying crc-smack\n", ax->dev->name);
487 			fallthrough;
488 		case CRC_MODE_SMACK:
489 			*p |= 0x80;
490 			crc = swab16(crc16(0, p, len));
491 			count = kiss_esc_crc(p, ax->xbuff, crc, len+2);
492 			break;
493 		case CRC_MODE_FLEX_TEST:
494 			ax->crcmode = CRC_MODE_NONE;
495 			printk(KERN_INFO "mkiss: %s: Trying crc-flexnet\n", ax->dev->name);
496 			fallthrough;
497 		case CRC_MODE_FLEX:
498 			*p |= 0x20;
499 			crc = calc_crc_flex(p, len);
500 			count = kiss_esc_crc(p, ax->xbuff, crc, len+2);
501 			break;
502 
503 		default:
504 			count = kiss_esc(p, ax->xbuff, len);
505 		}
506 	}
507 	spin_unlock_bh(&ax->buflock);
508 
509 	set_bit(TTY_DO_WRITE_WAKEUP, &ax->tty->flags);
510 	actual = ax->tty->ops->write(ax->tty, ax->xbuff, count);
511 	dev->stats.tx_packets++;
512 	dev->stats.tx_bytes += actual;
513 
514 	netif_trans_update(ax->dev);
515 	ax->xleft = count - actual;
516 	ax->xhead = ax->xbuff + actual;
517 }
518 
519 /* Encapsulate an AX.25 packet and kick it into a TTY queue. */
ax_xmit(struct sk_buff * skb,struct net_device * dev)520 static netdev_tx_t ax_xmit(struct sk_buff *skb, struct net_device *dev)
521 {
522 	struct mkiss *ax = netdev_priv(dev);
523 
524 	if (skb->protocol == htons(ETH_P_IP))
525 		return ax25_ip_xmit(skb);
526 
527 	if (!netif_running(dev))  {
528 		printk(KERN_ERR "mkiss: %s: xmit call when iface is down\n", dev->name);
529 		return NETDEV_TX_BUSY;
530 	}
531 
532 	if (netif_queue_stopped(dev)) {
533 		/*
534 		 * May be we must check transmitter timeout here ?
535 		 *      14 Oct 1994 Dmitry Gorodchanin.
536 		 */
537 		if (time_before(jiffies, dev_trans_start(dev) + 20 * HZ)) {
538 			/* 20 sec timeout not reached */
539 			return NETDEV_TX_BUSY;
540 		}
541 
542 		printk(KERN_ERR "mkiss: %s: transmit timed out, %s?\n", dev->name,
543 		       (tty_chars_in_buffer(ax->tty) || ax->xleft) ?
544 		       "bad line quality" : "driver error");
545 
546 		ax->xleft = 0;
547 		clear_bit(TTY_DO_WRITE_WAKEUP, &ax->tty->flags);
548 		netif_start_queue(dev);
549 	}
550 
551 	/* We were not busy, so we are now... :-) */
552 	netif_stop_queue(dev);
553 	ax_encaps(dev, skb->data, skb->len);
554 	kfree_skb(skb);
555 
556 	return NETDEV_TX_OK;
557 }
558 
ax_open_dev(struct net_device * dev)559 static int ax_open_dev(struct net_device *dev)
560 {
561 	struct mkiss *ax = netdev_priv(dev);
562 
563 	if (ax->tty == NULL)
564 		return -ENODEV;
565 
566 	return 0;
567 }
568 
569 /* Open the low-level part of the AX25 channel. Easy! */
ax_open(struct net_device * dev)570 static int ax_open(struct net_device *dev)
571 {
572 	struct mkiss *ax = netdev_priv(dev);
573 	unsigned long len;
574 
575 	if (ax->tty == NULL)
576 		return -ENODEV;
577 
578 	/*
579 	 * Allocate the frame buffers:
580 	 *
581 	 * rbuff	Receive buffer.
582 	 * xbuff	Transmit buffer.
583 	 */
584 	len = dev->mtu * 2;
585 
586 	/*
587 	 * allow for arrival of larger UDP packets, even if we say not to
588 	 * also fixes a bug in which SunOS sends 512-byte packets even with
589 	 * an MSS of 128
590 	 */
591 	if (len < 576 * 2)
592 		len = 576 * 2;
593 
594 	if ((ax->rbuff = kmalloc(len + 4, GFP_KERNEL)) == NULL)
595 		goto norbuff;
596 
597 	if ((ax->xbuff = kmalloc(len + 4, GFP_KERNEL)) == NULL)
598 		goto noxbuff;
599 
600 	ax->mtu	     = dev->mtu + 73;
601 	ax->buffsize = len;
602 	ax->rcount   = 0;
603 	ax->xleft    = 0;
604 
605 	ax->flags   &= (1 << AXF_INUSE);      /* Clear ESCAPE & ERROR flags */
606 
607 	spin_lock_init(&ax->buflock);
608 
609 	return 0;
610 
611 noxbuff:
612 	kfree(ax->rbuff);
613 
614 norbuff:
615 	return -ENOMEM;
616 }
617 
618 
619 /* Close the low-level part of the AX25 channel. Easy! */
ax_close(struct net_device * dev)620 static int ax_close(struct net_device *dev)
621 {
622 	struct mkiss *ax = netdev_priv(dev);
623 
624 	if (ax->tty)
625 		clear_bit(TTY_DO_WRITE_WAKEUP, &ax->tty->flags);
626 
627 	netif_stop_queue(dev);
628 
629 	return 0;
630 }
631 
632 static const struct net_device_ops ax_netdev_ops = {
633 	.ndo_open            = ax_open_dev,
634 	.ndo_stop            = ax_close,
635 	.ndo_start_xmit	     = ax_xmit,
636 	.ndo_set_mac_address = ax_set_mac_address,
637 };
638 
ax_setup(struct net_device * dev)639 static void ax_setup(struct net_device *dev)
640 {
641 	/* Finish setting up the DEVICE info. */
642 	dev->mtu             = AX_MTU;
643 	dev->hard_header_len = AX25_MAX_HEADER_LEN;
644 	dev->addr_len        = AX25_ADDR_LEN;
645 	dev->type            = ARPHRD_AX25;
646 	dev->tx_queue_len    = 10;
647 	dev->header_ops      = &ax25_header_ops;
648 	dev->netdev_ops	     = &ax_netdev_ops;
649 
650 
651 	memcpy(dev->broadcast, &ax25_bcast, AX25_ADDR_LEN);
652 	dev_addr_set(dev, (u8 *)&ax25_defaddr);
653 
654 	dev->flags      = IFF_BROADCAST | IFF_MULTICAST;
655 }
656 
657 /*
658  * We have a potential race on dereferencing tty->disc_data, because the tty
659  * layer provides no locking at all - thus one cpu could be running
660  * sixpack_receive_buf while another calls sixpack_close, which zeroes
661  * tty->disc_data and frees the memory that sixpack_receive_buf is using.  The
662  * best way to fix this is to use a rwlock in the tty struct, but for now we
663  * use a single global rwlock for all ttys in ppp line discipline.
664  */
665 static DEFINE_RWLOCK(disc_data_lock);
666 
mkiss_get(struct tty_struct * tty)667 static struct mkiss *mkiss_get(struct tty_struct *tty)
668 {
669 	struct mkiss *ax;
670 
671 	read_lock(&disc_data_lock);
672 	ax = tty->disc_data;
673 	if (ax)
674 		refcount_inc(&ax->refcnt);
675 	read_unlock(&disc_data_lock);
676 
677 	return ax;
678 }
679 
mkiss_put(struct mkiss * ax)680 static void mkiss_put(struct mkiss *ax)
681 {
682 	if (refcount_dec_and_test(&ax->refcnt))
683 		complete(&ax->dead);
684 }
685 
686 static int crc_force = 0;	/* Can be overridden with insmod */
687 
mkiss_open(struct tty_struct * tty)688 static int mkiss_open(struct tty_struct *tty)
689 {
690 	struct net_device *dev;
691 	struct mkiss *ax;
692 	int err;
693 
694 	if (!capable(CAP_NET_ADMIN))
695 		return -EPERM;
696 	if (tty->ops->write == NULL)
697 		return -EOPNOTSUPP;
698 
699 	dev = alloc_netdev(sizeof(struct mkiss), "ax%d", NET_NAME_UNKNOWN,
700 			   ax_setup);
701 	if (!dev) {
702 		err = -ENOMEM;
703 		goto out;
704 	}
705 
706 	ax = netdev_priv(dev);
707 	ax->dev = dev;
708 
709 	spin_lock_init(&ax->buflock);
710 	refcount_set(&ax->refcnt, 1);
711 	init_completion(&ax->dead);
712 
713 	ax->tty = tty;
714 	tty->disc_data = ax;
715 	tty->receive_room = 65535;
716 
717 	tty_driver_flush_buffer(tty);
718 
719 	/* Restore default settings */
720 	dev->type = ARPHRD_AX25;
721 
722 	/* Perform the low-level AX25 initialization. */
723 	err = ax_open(ax->dev);
724 	if (err)
725 		goto out_free_netdev;
726 
727 	err = register_netdev(dev);
728 	if (err)
729 		goto out_free_buffers;
730 
731 	/* after register_netdev() - because else printk smashes the kernel */
732 	switch (crc_force) {
733 	case 3:
734 		ax->crcmode  = CRC_MODE_SMACK;
735 		printk(KERN_INFO "mkiss: %s: crc mode smack forced.\n",
736 		       ax->dev->name);
737 		break;
738 	case 2:
739 		ax->crcmode  = CRC_MODE_FLEX;
740 		printk(KERN_INFO "mkiss: %s: crc mode flexnet forced.\n",
741 		       ax->dev->name);
742 		break;
743 	case 1:
744 		ax->crcmode  = CRC_MODE_NONE;
745 		printk(KERN_INFO "mkiss: %s: crc mode disabled.\n",
746 		       ax->dev->name);
747 		break;
748 	case 0:
749 	default:
750 		crc_force = 0;
751 		printk(KERN_INFO "mkiss: %s: crc mode is auto.\n",
752 		       ax->dev->name);
753 		ax->crcmode  = CRC_MODE_SMACK_TEST;
754 	}
755 	ax->crcauto = (crc_force ? 0 : 1);
756 
757 	netif_start_queue(dev);
758 
759 	/* Done.  We have linked the TTY line to a channel. */
760 	return 0;
761 
762 out_free_buffers:
763 	kfree(ax->rbuff);
764 	kfree(ax->xbuff);
765 
766 out_free_netdev:
767 	free_netdev(dev);
768 
769 out:
770 	return err;
771 }
772 
mkiss_close(struct tty_struct * tty)773 static void mkiss_close(struct tty_struct *tty)
774 {
775 	struct mkiss *ax;
776 
777 	write_lock_irq(&disc_data_lock);
778 	ax = tty->disc_data;
779 	tty->disc_data = NULL;
780 	write_unlock_irq(&disc_data_lock);
781 
782 	if (!ax)
783 		return;
784 
785 	/*
786 	 * We have now ensured that nobody can start using ap from now on, but
787 	 * we have to wait for all existing users to finish.
788 	 */
789 	if (!refcount_dec_and_test(&ax->refcnt))
790 		wait_for_completion(&ax->dead);
791 	/*
792 	 * Halt the transmit queue so that a new transmit cannot scribble
793 	 * on our buffers
794 	 */
795 	netif_stop_queue(ax->dev);
796 
797 	unregister_netdev(ax->dev);
798 
799 	/* Free all AX25 frame buffers after unreg. */
800 	kfree(ax->rbuff);
801 	kfree(ax->xbuff);
802 
803 	ax->tty = NULL;
804 
805 	free_netdev(ax->dev);
806 }
807 
808 /* Perform I/O control on an active ax25 channel. */
mkiss_ioctl(struct tty_struct * tty,unsigned int cmd,unsigned long arg)809 static int mkiss_ioctl(struct tty_struct *tty, unsigned int cmd,
810 		unsigned long arg)
811 {
812 	struct mkiss *ax = mkiss_get(tty);
813 	struct net_device *dev;
814 	unsigned int tmp, err;
815 
816 	/* First make sure we're connected. */
817 	if (ax == NULL)
818 		return -ENXIO;
819 	dev = ax->dev;
820 
821 	switch (cmd) {
822 	case SIOCGIFNAME:
823 		err = copy_to_user((void __user *) arg, ax->dev->name,
824 		                   strlen(ax->dev->name) + 1) ? -EFAULT : 0;
825 		break;
826 
827 	case SIOCGIFENCAP:
828 		err = put_user(4, (int __user *) arg);
829 		break;
830 
831 	case SIOCSIFENCAP:
832 		if (get_user(tmp, (int __user *) arg)) {
833 			err = -EFAULT;
834 			break;
835 		}
836 
837 		ax->mode = tmp;
838 		dev->addr_len        = AX25_ADDR_LEN;
839 		dev->hard_header_len = AX25_KISS_HEADER_LEN +
840 		                       AX25_MAX_HEADER_LEN + 3;
841 		dev->type            = ARPHRD_AX25;
842 
843 		err = 0;
844 		break;
845 
846 	case SIOCSIFHWADDR: {
847 		char addr[AX25_ADDR_LEN];
848 
849 		if (copy_from_user(&addr,
850 		                   (void __user *) arg, AX25_ADDR_LEN)) {
851 			err = -EFAULT;
852 			break;
853 		}
854 
855 		netif_tx_lock_bh(dev);
856 		__dev_addr_set(dev, addr, AX25_ADDR_LEN);
857 		netif_tx_unlock_bh(dev);
858 
859 		err = 0;
860 		break;
861 	}
862 	default:
863 		err = -ENOIOCTLCMD;
864 	}
865 
866 	mkiss_put(ax);
867 
868 	return err;
869 }
870 
871 /*
872  * Handle the 'receiver data ready' interrupt.
873  * This function is called by the 'tty_io' module in the kernel when
874  * a block of data has been received, which can now be decapsulated
875  * and sent on to the AX.25 layer for further processing.
876  */
mkiss_receive_buf(struct tty_struct * tty,const unsigned char * cp,const char * fp,int count)877 static void mkiss_receive_buf(struct tty_struct *tty, const unsigned char *cp,
878 	const char *fp, int count)
879 {
880 	struct mkiss *ax = mkiss_get(tty);
881 
882 	if (!ax)
883 		return;
884 
885 	/*
886 	 * Argh! mtu change time! - costs us the packet part received
887 	 * at the change
888 	 */
889 	if (ax->mtu != ax->dev->mtu + 73)
890 		ax_changedmtu(ax);
891 
892 	/* Read the characters out of the buffer */
893 	while (count--) {
894 		if (fp != NULL && *fp++) {
895 			if (!test_and_set_bit(AXF_ERROR, &ax->flags))
896 				ax->dev->stats.rx_errors++;
897 			cp++;
898 			continue;
899 		}
900 
901 		kiss_unesc(ax, *cp++);
902 	}
903 
904 	mkiss_put(ax);
905 	tty_unthrottle(tty);
906 }
907 
908 /*
909  * Called by the driver when there's room for more data.  If we have
910  * more packets to send, we send them here.
911  */
mkiss_write_wakeup(struct tty_struct * tty)912 static void mkiss_write_wakeup(struct tty_struct *tty)
913 {
914 	struct mkiss *ax = mkiss_get(tty);
915 	int actual;
916 
917 	if (!ax)
918 		return;
919 
920 	if (ax->xleft <= 0)  {
921 		/* Now serial buffer is almost free & we can start
922 		 * transmission of another packet
923 		 */
924 		clear_bit(TTY_DO_WRITE_WAKEUP, &tty->flags);
925 
926 		netif_wake_queue(ax->dev);
927 		goto out;
928 	}
929 
930 	actual = tty->ops->write(tty, ax->xhead, ax->xleft);
931 	ax->xleft -= actual;
932 	ax->xhead += actual;
933 
934 out:
935 	mkiss_put(ax);
936 }
937 
938 static struct tty_ldisc_ops ax_ldisc = {
939 	.owner		= THIS_MODULE,
940 	.num		= N_AX25,
941 	.name		= "mkiss",
942 	.open		= mkiss_open,
943 	.close		= mkiss_close,
944 	.ioctl		= mkiss_ioctl,
945 	.receive_buf	= mkiss_receive_buf,
946 	.write_wakeup	= mkiss_write_wakeup
947 };
948 
949 static const char banner[] __initconst = KERN_INFO \
950 	"mkiss: AX.25 Multikiss, Hans Albas PE1AYX\n";
951 static const char msg_regfail[] __initconst = KERN_ERR \
952 	"mkiss: can't register line discipline (err = %d)\n";
953 
mkiss_init_driver(void)954 static int __init mkiss_init_driver(void)
955 {
956 	int status;
957 
958 	printk(banner);
959 
960 	status = tty_register_ldisc(&ax_ldisc);
961 	if (status != 0)
962 		printk(msg_regfail, status);
963 
964 	return status;
965 }
966 
mkiss_exit_driver(void)967 static void __exit mkiss_exit_driver(void)
968 {
969 	tty_unregister_ldisc(&ax_ldisc);
970 }
971 
972 MODULE_AUTHOR("Ralf Baechle DL5RB <ralf@linux-mips.org>");
973 MODULE_DESCRIPTION("KISS driver for AX.25 over TTYs");
974 module_param(crc_force, int, 0);
975 MODULE_PARM_DESC(crc_force, "crc [0 = auto | 1 = none | 2 = flexnet | 3 = smack]");
976 MODULE_LICENSE("GPL");
977 MODULE_ALIAS_LDISC(N_AX25);
978 
979 module_init(mkiss_init_driver);
980 module_exit(mkiss_exit_driver);
981