/usr/src/sys/dev/usb/if

Bug Summary

File:	dev/usb/if_umb.c
Warning:	line 2344, column 3 Dereference of null pointer
Annotated Source Code

Press '?' to see keyboard shortcuts
Show analyzer invocation
clang -cc1 -cc1 -triple amd64-unknown-openbsd7.4 -analyze -disable-free -clear-ast-before-backend -disable-llvm-verifier -discard-value-names -main-file-name if_umb.c -analyzer-checker=core -analyzer-checker=apiModeling -analyzer-checker=unix -analyzer-checker=deadcode -analyzer-checker=security.insecureAPI.UncheckedReturn -analyzer-checker=security.insecureAPI.getpw -analyzer-checker=security.insecureAPI.gets -analyzer-checker=security.insecureAPI.mktemp -analyzer-checker=security.insecureAPI.mkstemp -analyzer-checker=security.insecureAPI.vfork -analyzer-checker=nullability.NullPassedToNonnull -analyzer-checker=nullability.NullReturnedFromNonnull -analyzer-output plist -w -setup-static-analyzer -mrelocation-model static -mframe-pointer=all -relaxed-aliasing -ffp-contract=on -fno-rounding-math -mconstructor-aliases -ffreestanding -mcmodel=kernel -target-cpu x86-64 -target-feature +retpoline-indirect-calls -target-feature +retpoline-indirect-branches -target-feature -sse2 -target-feature -sse -target-feature -3dnow -target-feature -mmx -target-feature +save-args -target-feature +retpoline-external-thunk -disable-red-zone -no-implicit-float -tune-cpu generic -debugger-tuning=gdb -fcoverage-compilation-dir=/usr/src/sys/arch/amd64/compile/GENERIC.MP/obj -nostdsysteminc -nobuiltininc -resource-dir /usr/local/llvm16/lib/clang/16 -I /usr/src/sys -I /usr/src/sys/arch/amd64/compile/GENERIC.MP/obj -I /usr/src/sys/arch -I /usr/src/sys/dev/pci/drm/include -I /usr/src/sys/dev/pci/drm/include/uapi -I /usr/src/sys/dev/pci/drm/amd/include/asic_reg -I /usr/src/sys/dev/pci/drm/amd/include -I /usr/src/sys/dev/pci/drm/amd/amdgpu -I /usr/src/sys/dev/pci/drm/amd/display -I /usr/src/sys/dev/pci/drm/amd/display/include -I /usr/src/sys/dev/pci/drm/amd/display/dc -I /usr/src/sys/dev/pci/drm/amd/display/amdgpu_dm -I /usr/src/sys/dev/pci/drm/amd/pm/inc -I /usr/src/sys/dev/pci/drm/amd/pm/legacy-dpm -I /usr/src/sys/dev/pci/drm/amd/pm/swsmu -I /usr/src/sys/dev/pci/drm/amd/pm/swsmu/inc -I /usr/src/sys/dev/pci/drm/amd/pm/swsmu/smu11 -I /usr/src/sys/dev/pci/drm/amd/pm/swsmu/smu12 -I /usr/src/sys/dev/pci/drm/amd/pm/swsmu/smu13 -I /usr/src/sys/dev/pci/drm/amd/pm/powerplay/inc -I /usr/src/sys/dev/pci/drm/amd/pm/powerplay/hwmgr -I /usr/src/sys/dev/pci/drm/amd/pm/powerplay/smumgr -I /usr/src/sys/dev/pci/drm/amd/pm/swsmu/inc -I /usr/src/sys/dev/pci/drm/amd/pm/swsmu/inc/pmfw_if -I /usr/src/sys/dev/pci/drm/amd/display/dc/inc -I /usr/src/sys/dev/pci/drm/amd/display/dc/inc/hw -I /usr/src/sys/dev/pci/drm/amd/display/dc/clk_mgr -I /usr/src/sys/dev/pci/drm/amd/display/modules/inc -I /usr/src/sys/dev/pci/drm/amd/display/modules/hdcp -I /usr/src/sys/dev/pci/drm/amd/display/dmub/inc -I /usr/src/sys/dev/pci/drm/i915 -D DDB -D DIAGNOSTIC -D KTRACE -D ACCOUNTING -D KMEMSTATS -D PTRACE -D POOL_DEBUG -D CRYPTO -D SYSVMSG -D SYSVSEM -D SYSVSHM -D UVM_SWAP_ENCRYPT -D FFS -D FFS2 -D FFS_SOFTUPDATES -D UFS_DIRHASH -D QUOTA -D EXT2FS -D MFS -D NFSCLIENT -D NFSSERVER -D CD9660 -D UDF -D MSDOSFS -D FIFO -D FUSE -D SOCKET_SPLICE -D TCP_ECN -D TCP_SIGNATURE -D INET6 -D IPSEC -D PPP_BSDCOMP -D PPP_DEFLATE -D PIPEX -D MROUTING -D MPLS -D BOOT_CONFIG -D USER_PCICONF -D APERTURE -D MTRR -D NTFS -D SUSPEND -D HIBERNATE -D PCIVERBOSE -D USBVERBOSE -D WSDISPLAY_COMPAT_USL -D WSDISPLAY_COMPAT_RAWKBD -D WSDISPLAY_DEFAULTSCREENS=6 -D X86EMU -D ONEWIREVERBOSE -D MULTIPROCESSOR -D MAXUSERS=80 -D _KERNEL -O2 -Wno-pointer-sign -Wno-address-of-packed-member -Wno-constant-conversion -Wno-unused-but-set-variable -Wno-gnu-folding-constant -fdebug-compilation-dir=/usr/src/sys/arch/amd64/compile/GENERIC.MP/obj -ferror-limit 19 -fwrapv -D_RET_PROTECTOR -ret-protector -fcf-protection=branch -fgnuc-version=4.2.1 -vectorize-loops -vectorize-slp -fno-builtin-malloc -fno-builtin-calloc -fno-builtin-realloc -fno-builtin-valloc -fno-builtin-free -fno-builtin-strdup -fno-builtin-strndup -analyzer-output=html -faddrsig -o /home/ben/Projects/scan/2024-01-11-110808-61670-1 -x c /usr/src/sys/dev/usb/if_umb.c
1/*	$OpenBSD: if_umb.c,v 1.56 2023/10/24 09:13:22 jmatthew Exp $ */

3/*
* Copyright (c) 2016 genua mbH
* All rights reserved.
*
* Permission to use, copy, modify, and distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
* THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
* WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
* MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
* ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
* WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
* ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/

20/*
* Mobile Broadband Interface Model specification:
* https://www.usb.org/sites/default/files/MBIM10Errata1_073013.zip
* Compliance testing guide
* https://www.usb.org/sites/default/files/MBIM-Compliance-1.0.pdf
*/

27#include "bpfilter.h"
28#include "kstat.h"

30#include <sys/param.h>
31#include <sys/mbuf.h>
32#include <sys/socket.h>
33#include <sys/systm.h>
34#include <sys/syslog.h>
35#include <sys/kstat.h>

37#if NBPFILTER1 > 0
38#include <net/bpf.h>
39#endif
40#include <net/if.h>
41#include <net/if_var.h>
42#include <net/if_types.h>
43#include <net/route.h>

45#include <netinet/in.h>
46#include <netinet/in_var.h>
47#include <netinet/ip.h>

49#ifdef INET61
50#include <netinet/ip6.h>
51#include <netinet6/in6_var.h>
52#include <netinet6/ip6_var.h>
53#include <netinet6/in6_ifattach.h>
54#include <netinet6/nd6.h>
55#endif

57#include <machine/bus.h>

59#include <dev/usb/usb.h>
60#include <dev/usb/usbdi.h>
61#include <dev/usb/usbdivar.h>
62#include <dev/usb/usbdi_util.h>
63#include <dev/usb/usbdevs.h>
64#include <dev/usb/usbcdc.h>

66#include <dev/usb/mbim.h>
67#include <dev/usb/if_umb.h>

69#ifdef UMB_DEBUG
70#define DPRINTF(x...)do { } while (0)							\
do { if (umb_debug) log(LOG_DEBUG7, x); } while (0)

73#define DPRINTFN(n, x...)do { } while (0)						\
do { if (umb_debug >= (n)) log(LOG_DEBUG7, x); } while (0)

76#define DDUMPN(n, b, l)do { } while (0)							\
do {							\
	if (umb_debug >= (n))				\
		umb_dump((b), (l));			\
} while (0)

82int	 umb_debug = 0;
83char	*umb_uuid2str(uint8_t [MBIM_UUID_LEN16]);
84void	 umb_dump(void *, int);

86#else
87#define DPRINTF(x...)do { } while (0)		do { } while (0)
88#define DPRINTFN(n, x...)do { } while (0)	do { } while (0)
89#define DDUMPN(n, b, l)do { } while (0)		do { } while (0)
90#endif

92#define DEVNAM(sc)(((struct umb_softc *)(sc))->sc_dev.dv_xname)		(((struct umb_softc *)(sc))->sc_dev.dv_xname)

94/*
* State change timeout
*/
97#define UMB_STATE_CHANGE_TIMEOUT30	30

99/*
* State change flags
*/
102#define UMB_NS_DONT_DROP0x0001	0x0001	/* do not drop below current state */
103#define UMB_NS_DONT_RAISE0x0002	0x0002	/* do not raise below current state */

105/*
* Diagnostic macros
*/
108const struct umb_valdescr umb_regstates[] = MBIM_REGSTATE_DESCRIPTIONS{ { 0, "unknown" }, { 1, "not registered" }, { 2, "searching"
 }, { 3, "home network" }, { 4, "roaming network" }, { 5, "partner network"
 }, { 6, "access denied" }, { 0, ((void *)0) } };
109const struct umb_valdescr umb_dataclasses[] = MBIM_DATACLASS_DESCRIPTIONS{ { 0x00000000, "none" }, { 0x00000001, "GPRS" }, { 0x00000002
, "EDGE" }, { 0x00000004, "UMTS" }, { 0x00000008, "HSDPA" }, {
 0x00000010, "HSUPA" }, { 0x00000008|0x00000010, "HSPA" }, { 0x00000020
, "LTE" }, { 0x00010000, "CDMA2000" }, { 0x00020000, "CDMA2000"
 }, { 0x00040000, "CDMA2000" }, { 0x00080000, "CDMA2000" }, {
 0x00100000, "CDMA2000" }, { 0x00200000, "CDMA2000" }, { 0x00400000
, "CDMA2000" }, { 0x80000000, "custom" }, { 0, ((void *)0) } };
110const struct umb_valdescr umb_simstate[] = MBIM_SIMSTATE_DESCRIPTIONS{ { 0, "not initialized" }, { 1, "initialized" }, { 2, "not inserted"
 }, { 3, "bad type" }, { 4, "failed" }, { 5, "not activated" }
, { 6, "locked" }, { 0, ((void *)0) } };
111const struct umb_valdescr umb_messages[] = MBIM_MESSAGES_DESCRIPTIONS{ { (1U), "MBIM_OPEN_MSG" }, { (2U), "MBIM_CLOSE_MSG" }, { (3U
), "MBIM_COMMAND_MSG" }, { (4U), "MBIM_HOST_ERROR_MSG" }, { (
0x80000001U), "MBIM_OPEN_DONE" }, { (0x80000002U), "MBIM_CLOSE_DONE"
 }, { (0x80000003U), "MBIM_COMMAND_DONE" }, { (0x80000004U), "MBIM_FUNCTION_ERROR_MSG"
 }, { (0x80000007U), "MBIM_INDICATE_STATUS_MSG" }, { 0, ((void
 *)0) } };
112const struct umb_valdescr umb_status[] = MBIM_STATUS_DESCRIPTIONS{ { 0, "SUCCESS" }, { 1, "BUSY" }, { 2, "FAILURE" }, { 3, "SIM_NOT_INSERTED"
 }, { 4, "BAD_SIM" }, { 5, "PIN_REQUIRED" }, { 6, "PIN_DISABLED"
 }, { 7, "NOT_REGISTERED" }, { 8, "PROVIDERS_NOT_FOUND" }, { 9
, "NO_DEVICE_SUPPORT" }, { 10, "PROVIDER_NOT_VISIBLE" }, { 11
, "DATA_CLASS_NOT_AVAILABLE" }, { 12, "PACKET_SERVICE_DETACHED"
 }, { 13, "MAX_ACTIVATED_CONTEXTS" }, { 14, "NOT_INITIALIZED"
 }, { 15, "VOICE_CALL_IN_PROGRESS" }, { 16, "CONTEXT_NOT_ACTIVATED"
 }, { 17, "SERVICE_NOT_ACTIVATED" }, { 18, "INVALID_ACCESS_STRING"
 }, { 19, "INVALID_USER_NAME_PWD" }, { 20, "RADIO_POWER_OFF" }
, { 21, "INVALID_PARAMETERS" }, { 22, "READ_FAILURE" }, { 23,
 "WRITE_FAILURE" }, { 25, "NO_PHONEBOOK" }, { 26, "PARAMETER_TOO_LONG"
 }, { 27, "STK_BUSY" }, { 28, "OPERATION_NOT_ALLOWED" }, { 29
, "MEMORY_FAILURE" }, { 30, "INVALID_MEMORY_INDEX" }, { 31, "MEMORY_FULL"
 }, { 32, "FILTER_NOT_SUPPORTED" }, { 33, "DSS_INSTANCE_LIMIT"
 }, { 34, "INVALID_DEVICE_SERVICE_OPERATION" }, { 35, "AUTH_INCORRECT_AUTN"
 }, { 36, "AUTH_SYNC_FAILURE" }, { 37, "AUTH_AMF_NOT_SET" }, {
 38, "CONTEXT_NOT_SUPPORTED" }, { 100, "SMS_UNKNOWN_SMSC_ADDRESS"
 }, { 101, "SMS_NETWORK_TIMEOUT" }, { 102, "SMS_LANG_NOT_SUPPORTED"
 }, { 103, "SMS_ENCODING_NOT_SUPPORTED" }, { 104, "SMS_FORMAT_NOT_SUPPORTED"
 }, { 0, ((void *)0) } };
113const struct umb_valdescr umb_cids[] = MBIM_CID_DESCRIPTIONS{ { (1), "MBIM_CID_DEVICE_CAPS" }, { (2), "MBIM_CID_SUBSCRIBER_READY_STATUS"
 }, { (3), "MBIM_CID_RADIO_STATE" }, { (4), "MBIM_CID_PIN" },
 { (5), "MBIM_CID_PIN_LIST" }, { (6), "MBIM_CID_HOME_PROVIDER"
 }, { (7), "MBIM_CID_PREFERRED_PROVIDERS" }, { (8), "MBIM_CID_VISIBLE_PROVIDERS"
 }, { (9), "MBIM_CID_REGISTER_STATE" }, { (10), "MBIM_CID_PACKET_SERVICE"
 }, { (11), "MBIM_CID_SIGNAL_STATE" }, { (12), "MBIM_CID_CONNECT"
 }, { (13), "MBIM_CID_PROVISIONED_CONTEXTS" }, { (14), "MBIM_CID_SERVICE_ACTIVATION"
 }, { (15), "MBIM_CID_IP_CONFIGURATION" }, { (16), "MBIM_CID_DEVICE_SERVICES"
 }, { (19), "MBIM_CID_DEVICE_SERVICE_SUBSCRIBE_LIST" }, { (20
), "MBIM_CID_PACKET_STATISTICS" }, { (21), "MBIM_CID_NETWORK_IDLE_HINT"
 }, { (22), "MBIM_CID_EMERGENCY_MODE" }, { (23), "MBIM_CID_IP_PACKET_FILTERS"
 }, { (24), "MBIM_CID_MULTICARRIER_PROVIDERS" }, { 0, ((void *
)0) } };
114const struct umb_valdescr umb_pktstate[] = MBIM_PKTSRV_STATE_DESCRIPTIONS{ { 0, "unknown" }, { 1, "attaching" }, { 2, "attached" }, { 3
, "detaching" }, { 4, "detached" }, { 0, ((void *)0) } };
115const struct umb_valdescr umb_actstate[] = MBIM_ACTIVATION_STATE_DESCRIPTIONS{ { 0, "unknown" }, { 1, "activated" }, { 2, "activating" }, {
 3, "deactivated" }, { 4, "deactivating" }, { 0, ((void *)0) }
 };
116const struct umb_valdescr umb_error[] = MBIM_ERROR_DESCRIPTIONS{ { 1, "TIMEOUT_FRAGMENT" }, { 2, "FRAGMENT_OUT_OF_SEQUENCE" }
, { 3, "LENGTH_MISMATCH" }, { 4, "DUPLICATED_TID" }, { 5, "NOT_OPENED"
 }, { 6, "UNKNOWN" }, { 7, "CANCEL" }, { 8, "MAX_TRANSFER" },
 { 0, ((void *)0) } };
117const struct umb_valdescr umb_pintype[] = MBIM_PINTYPE_DESCRIPTIONS{ { 0, "none" }, { 1, "custom" }, { 2, "PIN1" }, { 3, "PIN2" }
, { 4, "device PIN" }, { 5, "device 1st PIN" }, { 6, "network PIN"
 }, { 7, "network subset PIN" }, { 8, "provider PIN" }, { 9, "corporate PIN"
 }, { 10, "subsidy lock" }, { 11, "PUK" }, { 12, "PUK2" }, { 13
, "device 1st PUK" }, { 14, "network PUK" }, { 15, "network subset PUK"
 }, { 16, "provider PUK" }, { 17, "corporate PUK" }, { 0, ((void
 *)0) } };
118const struct umb_valdescr umb_istate[] = UMB_INTERNAL_STATE_DESCRIPTIONS{ { UMB_S_DOWN, "down" }, { UMB_S_OPEN, "open" }, { UMB_S_CID
, "CID allocated" }, { UMB_S_RADIO, "radio on" }, { UMB_S_SIMREADY
, "SIM is ready" }, { UMB_S_ATTACHED, "attached" }, { UMB_S_CONNECTED
, "connected" }, { UMB_S_UP, "up" }, { 0, ((void *)0) } };

120#define umb_regstate(c)umb_val2descr(umb_regstates, (c))		umb_val2descr(umb_regstates, (c))
121#define umb_dataclass(c)umb_val2descr(umb_dataclasses, (c))	umb_val2descr(umb_dataclasses, (c))
122#define umb_simstate(s)umb_val2descr(umb_simstate, (s))		umb_val2descr(umb_simstate, (s))
123#define umb_request2str(m)umb_val2descr(umb_messages, (m))	umb_val2descr(umb_messages, (m))
124#define umb_status2str(s)umb_val2descr(umb_status, (s))	umb_val2descr(umb_status, (s))
125#define umb_cid2str(c)umb_val2descr(umb_cids, (c))		umb_val2descr(umb_cids, (c))
126#define umb_packet_state(s)umb_val2descr(umb_pktstate, (s))	umb_val2descr(umb_pktstate, (s))
127#define umb_activation(s)umb_val2descr(umb_actstate, (s))	umb_val2descr(umb_actstate, (s))
128#define umb_error2str(e)umb_val2descr(umb_error, (e))	umb_val2descr(umb_error, (e))
129#define umb_pin_type(t)umb_val2descr(umb_pintype, (t))		umb_val2descr(umb_pintype, (t))
130#define umb_istate(s)umb_val2descr(umb_istate, (s))		umb_val2descr(umb_istate, (s))

132int		 umb_match(struct device *, void *, void *);
133void		 umb_attach(struct device *, struct device *, void *);
134int		 umb_detach(struct device *, int);
135void		 umb_ncm_setup(struct umb_softc *);
136void		 umb_ncm_setup_format(struct umb_softc *);
137int		 umb_alloc_xfers(struct umb_softc *);
138void		 umb_free_xfers(struct umb_softc *);
139int		 umb_alloc_bulkpipes(struct umb_softc *);
140void		 umb_close_bulkpipes(struct umb_softc *);
141int		 umb_ioctl(struct ifnet *, u_long, caddr_t);
142int		 umb_output(struct ifnet *, struct mbuf *, struct sockaddr *,
    struct rtentry *);
144void		 umb_start(struct ifnet *);
145void		 umb_rtrequest(struct ifnet *, int, struct rtentry *);
146void		 umb_watchdog(struct ifnet *);
147void		 umb_statechg_timeout(void *);

149void		 umb_newstate(struct umb_softc *, enum umb_state, int);
150void		 umb_state_task(void *);
151void		 umb_up(struct umb_softc *);
152void		 umb_down(struct umb_softc *, int);

154void		 umb_get_response_task(void *);

156void		 umb_decode_response(struct umb_softc *, void *, int);
157void		 umb_handle_indicate_status_msg(struct umb_softc *, void *,
    int);
159void		 umb_handle_opendone_msg(struct umb_softc *, void *, int);
160void		 umb_handle_closedone_msg(struct umb_softc *, void *, int);
161int		 umb_decode_register_state(struct umb_softc *, void *, int);
162int		 umb_decode_devices_caps(struct umb_softc *, void *, int);
163int		 umb_decode_subscriber_status(struct umb_softc *, void *, int);
164int		 umb_decode_radio_state(struct umb_softc *, void *, int);
165int		 umb_decode_pin(struct umb_softc *, void *, int);
166int		 umb_decode_packet_service(struct umb_softc *, void *, int);
167int		 umb_decode_signal_state(struct umb_softc *, void *, int);
168int		 umb_decode_connect_info(struct umb_softc *, void *, int);
169void		 umb_clear_addr(struct umb_softc *);
170int		 umb_add_inet_config(struct umb_softc *, struct in_addr, u_int,
    struct in_addr);
172int		 umb_add_inet6_config(struct umb_softc *, struct in6_addr *,
    u_int, struct in6_addr *);
174void		 umb_send_inet_proposal(struct umb_softc *, int);
175int		 umb_decode_ip_configuration(struct umb_softc *, void *, int);
176void		 umb_rx(struct umb_softc *);
177void		 umb_rxeof(struct usbd_xfer *, void *, usbd_status);
178int		 umb_encap(struct umb_softc *, int);
179void		 umb_txeof(struct usbd_xfer *, void *, usbd_status);
180void		 umb_decap(struct umb_softc *, struct usbd_xfer *);

182usbd_status	 umb_send_encap_command(struct umb_softc *, void *, int);
183int		 umb_get_encap_response(struct umb_softc *, void *, int *);
184void		 umb_ctrl_msg(struct umb_softc *, uint32_t, void *, int);

186void		 umb_open(struct umb_softc *);
187void		 umb_close(struct umb_softc *);

189int		 umb_setpin(struct umb_softc *, int, int, void *, int, void *,
    int);
191void		 umb_setdataclass(struct umb_softc *);
192void		 umb_radio(struct umb_softc *, int);
193void		 umb_allocate_cid(struct umb_softc *);
194void		 umb_send_fcc_auth(struct umb_softc *);
195void		 umb_packet_service(struct umb_softc *, int);
196void		 umb_connect(struct umb_softc *);
197void		 umb_disconnect(struct umb_softc *);
198void		 umb_send_connect(struct umb_softc *, int);

200void		 umb_qry_ipconfig(struct umb_softc *);
201void		 umb_cmd(struct umb_softc *, int, int, void *, int);
202void		 umb_cmd1(struct umb_softc *, int, int, void *, int, uint8_t *);
203void		 umb_command_done(struct umb_softc *, void *, int);
204void		 umb_decode_cid(struct umb_softc *, uint32_t, void *, int);
205void		 umb_decode_qmi(struct umb_softc *, uint8_t *, int);

207void		 umb_intr(struct usbd_xfer *, void *, usbd_status);

209#if NKSTAT1 > 0
210void		 umb_kstat_attach(struct umb_softc *);
211void		 umb_kstat_detach(struct umb_softc *);

213struct umb_kstat_signal {
struct kstat_kv		rssi;
struct kstat_kv		error_rate;
struct kstat_kv		reports;
217};
218#endif

220int		 umb_xfer_tout = USBD_DEFAULT_TIMEOUT5000;

222uint8_t		 umb_uuid_basic_connect[] = MBIM_UUID_BASIC_CONNECT{ 0xa2, 0x89, 0xcc, 0x33, 0xbc, 0xbb, 0x8b, 0x4f, 0xb6, 0xb0,
 0x13, 0x3e, 0xc2, 0xaa, 0xe6, 0xdf };
223uint8_t		 umb_uuid_context_internet[] = MBIM_UUID_CONTEXT_INTERNET{ 0x7e, 0x5e, 0x2a, 0x7e, 0x4e, 0x6f, 0x72, 0x72, 0x73, 0x6b,
 0x65, 0x6e, 0x7e, 0x5e, 0x2a, 0x7e };
224uint8_t		 umb_uuid_qmi_mbim[] = MBIM_UUID_QMI_MBIM{ 0xd1, 0xa3, 0x0b, 0xc2, 0xf9, 0x7a, 0x6e, 0x43, 0xbf, 0x65,
 0xc7, 0xe2, 0x4f, 0xb0, 0xf0, 0xd3 };
225uint32_t	 umb_session_id = 0;

227struct cfdriver umb_cd = {
NULL((void *)0), "umb", DV_IFNET
229};

231const struct cfattach umb_ca = {
sizeof (struct umb_softc),
umb_match,
umb_attach,
umb_detach,
NULL((void *)0),
237};

239int umb_delay = 4000;

241struct umb_quirk {
struct usb_devno	 dev;
u_int32_t		 umb_flags;
int			 umb_confno;
int			 umb_match;
246};
247const struct umb_quirk umb_quirks[] = {
{ { USB_VENDOR_DELL0x413c, USB_PRODUCT_DELL_DW5821E0x81d7 },
 0,
 2,
 UMATCH_VENDOR_PRODUCT13
},

{ { USB_VENDOR_HUAWEI0x12d1, USB_PRODUCT_HUAWEI_ME906S0x15c1 },
 UMBFLG_NDP_AT_END0x0004,
 3,
 UMATCH_VENDOR_PRODUCT13
},

{ { USB_VENDOR_SIERRA0x1199, USB_PRODUCT_SIERRA_EM74550x9079 },
 UMBFLG_FCC_AUTH_REQUIRED0x0001,
 0,
 0
},

{ { USB_VENDOR_SIMCOM0x1e0e, USB_PRODUCT_SIMCOM_SIM76000x9003 },
 0,
 1,
 UMATCH_VENDOR_PRODUCT13
},
271};

273#define umb_lookup(vid, pid)((const struct umb_quirk *)usbd_match_device((const struct usb_devno
 *)(umb_quirks), sizeof (umb_quirks) / sizeof ((umb_quirks)[0
]), sizeof ((umb_quirks)[0]), (vid), (pid)))		\
((const struct umb_quirk *)usb_lookup(umb_quirks, vid, pid)usbd_match_device((const struct usb_devno *)(umb_quirks), sizeof
 (umb_quirks) / sizeof ((umb_quirks)[0]), sizeof ((umb_quirks
)[0]), (vid), (pid)))

276uint8_t umb_qmi_alloc_cid[] = {
0x01,
0x0f, 0x00,		/* len */
0x00,			/* QMUX flags */
0x00,			/* service "ctl" */
0x00,			/* CID */
0x00,			/* QMI flags */
0x01,			/* transaction */
0x22, 0x00,		/* msg "Allocate CID" */
0x04, 0x00,		/* TLV len */
0x01, 0x01, 0x00, 0x02	/* TLV */
287};

289uint8_t umb_qmi_fcc_auth[] = {
0x01,
0x0c, 0x00,		/* len */
0x00,			/* QMUX flags */
0x02,			/* service "dms" */
294#define UMB_QMI_CID_OFFS5	5
0x00,			/* CID (filled in later) */
0x00,			/* QMI flags */
0x01, 0x00,		/* transaction */
0x5f, 0x55,		/* msg "Send FCC Authentication" */
0x00, 0x00		/* TLV len */
300};

302int
303umb_match(struct device *parent, void *match, void *aux)
304{
struct usb_attach_arg *uaa = aux;
const struct umb_quirk *quirk;
usb_interface_descriptor_t *id;

quirk = umb_lookup(uaa->vendor, uaa->product)((const struct umb_quirk *)usbd_match_device((const struct usb_devno
 *)(umb_quirks), sizeof (umb_quirks) / sizeof ((umb_quirks)[0
]), sizeof ((umb_quirks)[0]), (uaa->vendor), (uaa->product
)));
if (quirk != NULL((void *)0) && quirk->umb_match)
return (quirk->umb_match);
if (!uaa->iface)
return UMATCH_NONE0;
if ((id = usbd_get_interface_descriptor(uaa->iface)) == NULL((void *)0))
return UMATCH_NONE0;

/*
* If this function implements NCM, check if alternate setting
* 1 implements MBIM.
*/
if (id->bInterfaceClass == UICLASS_CDC0x02 &&
   id->bInterfaceSubClass ==
   UISUBCLASS_NETWORK_CONTROL_MODEL13)
id = usbd_find_idesc(uaa->device->cdesc, uaa->iface->index, 1);
if (id == NULL((void *)0))
return UMATCH_NONE0;

if (id->bInterfaceClass == UICLASS_CDC0x02 &&
   id->bInterfaceSubClass ==
   UISUBCLASS_MOBILE_BROADBAND_INTERFACE_MODEL14 &&
   id->bInterfaceProtocol == 0)
return UMATCH_IFACECLASS_IFACESUBCLASS_IFACEPROTO5;

return UMATCH_NONE0;
335}

337void
338umb_attach(struct device *parent, struct device *self, void *aux)
339{
struct umb_softc *sc = (struct umb_softc *)self;
struct usb_attach_arg *uaa = aux;
const struct umb_quirk *quirk;
usbd_status status;
struct usbd_desc_iter iter;
const usb_descriptor_t *desc;
int	 v;
struct usb_cdc_union_descriptor *ud;
struct mbim_descriptor *md;
int	 i;
int	 ctrl_ep;
usb_interface_descriptor_t *id;
usb_config_descriptor_t	*cd;
usb_endpoint_descriptor_t *ed;
usb_interface_assoc_descriptor_t *ad;
int	 current_ifaceno = -1;
int	 data_ifaceno = -1;
int	 altnum;
int	 s;
struct ifnet *ifp;

sc->sc_udev = uaa->device;
sc->sc_ctrl_ifaceno = uaa->ifaceno;
ml_init(&sc->sc_tx_ml);

quirk = umb_lookup(uaa->vendor, uaa->product)((const struct umb_quirk *)usbd_match_device((const struct usb_devno
 *)(umb_quirks), sizeof (umb_quirks) / sizeof ((umb_quirks)[0
]), sizeof ((umb_quirks)[0]), (uaa->vendor), (uaa->product
)));
if (quirk != NULL((void *)0) && quirk->umb_flags) {
DPRINTF("%s: setting flags 0x%x from quirk\n", DEVNAM(sc),do { } while (0)
                  quirk->umb_flags)do { } while (0);
sc->sc_flags |= quirk->umb_flags;
}

/*
* Normally, MBIM devices are detected by their interface class and
* subclass. But for some models that have multiple configurations, it
* is better to match by vendor and product id so that we can select
* the desired configuration ourselves, e.g. to override a class-based
* match to another driver.
*/
if (uaa->configno < 0) {
if (quirk == NULL((void *)0)) {
	printf("%s: unknown configuration for vid/pid match\n",
	    DEVNAM(sc)(((struct umb_softc *)(sc))->sc_dev.dv_xname));
	goto fail;
}
uaa->configno = quirk->umb_confno;
DPRINTF("%s: switching to config #%d\n", DEVNAM(sc),do { } while (0)
    uaa->configno)do { } while (0);
status = usbd_set_config_no(sc->sc_udev, uaa->configno, 1);
if (status) {
	printf("%s: failed to switch to config #%d: %s\n",
	    DEVNAM(sc)(((struct umb_softc *)(sc))->sc_dev.dv_xname), uaa->configno, usbd_errstr(status));
	goto fail;
}
usbd_delay_ms(sc->sc_udev, 200);

/*
 * Need to do some manual setup that usbd_probe_and_attach()
 * would do for us otherwise.
 */
uaa->nifaces = uaa->device->cdesc->bNumInterfaces;
for (i = 0; i < uaa->nifaces; i++) {
	if (usbd_iface_claimed(sc->sc_udev, i))
		continue;
	id = usbd_get_interface_descriptor(&uaa->device->ifaces[i]);
	if (id != NULL((void *)0) && id->bInterfaceClass == UICLASS_CDC0x02 &&
	    id->bInterfaceSubClass ==
	    UISUBCLASS_MOBILE_BROADBAND_INTERFACE_MODEL14) {
		uaa->iface = &uaa->device->ifaces[i];
		uaa->ifaceno = uaa->iface->idesc->bInterfaceNumber;
		sc->sc_ctrl_ifaceno = uaa->ifaceno;
		break;
	}
}
}

/*
* Some MBIM hardware does not provide the mandatory CDC Union
* Descriptor, so we also look at matching Interface
* Association Descriptors to find out the MBIM Data Interface
* number.
*/
sc->sc_ver_maj = sc->sc_ver_min = -1;
sc->sc_maxpktlen = MBIM_MAXSEGSZ_MINVAL(2 * 1024);
usbd_desc_iter_init(sc->sc_udev, &iter);
while ((desc = usbd_desc_iter_next(&iter))) {
if (desc->bDescriptorType == UDESC_IFACE_ASSOC0x0B) {
	ad = (usb_interface_assoc_descriptor_t *)desc;
	if (ad->bFirstInterface == uaa->ifaceno &&
	    ad->bInterfaceCount > 1)
		data_ifaceno = uaa->ifaceno + 1;
	continue;
}
if (desc->bDescriptorType == UDESC_INTERFACE0x04) {
	id = (usb_interface_descriptor_t *)desc;
	current_ifaceno = id->bInterfaceNumber;
	continue;
}
if (current_ifaceno != uaa->ifaceno)
	continue;
if (desc->bDescriptorType != UDESC_CS_INTERFACE0x24)
	continue;
switch (desc->bDescriptorSubtype) {
case UDESCSUB_CDC_UNION6:
	ud = (struct usb_cdc_union_descriptor *)desc;
	data_ifaceno = ud->bSlaveInterface[0];
	break;
case UDESCSUB_MBIM27:
	md = (struct mbim_descriptor *)desc;
	v = UGETW(md->bcdMBIMVersion)(*(u_int16_t *)(md->bcdMBIMVersion));
	sc->sc_ver_maj = MBIM_VER_MAJOR(v)(((v) >> 8) & 0x0f);
	sc->sc_ver_min = MBIM_VER_MINOR(v)((v) & 0x0f);
	sc->sc_ctrl_len = UGETW(md->wMaxControlMessage)(*(u_int16_t *)(md->wMaxControlMessage));
	/* Never trust a USB device! Could try to exploit us */
	if (sc->sc_ctrl_len < MBIM_CTRLMSG_MINLEN64 ||
	    sc->sc_ctrl_len > MBIM_CTRLMSG_MAXLEN(4 * 1204)) {
		DPRINTF("%s: control message len %d out of "do { } while (0)
		    "bounds [%d .. %d]\n", DEVNAM(sc),do { } while (0)
		    sc->sc_ctrl_len, MBIM_CTRLMSG_MINLEN,do { } while (0)
		    MBIM_CTRLMSG_MAXLEN)do { } while (0);
		/* cont. anyway */
	}
	sc->sc_maxpktlen = UGETW(md->wMaxSegmentSize)(*(u_int16_t *)(md->wMaxSegmentSize));
	DPRINTFN(2, "%s: ctrl_len=%d, maxpktlen=%d, cap=0x%x\n",do { } while (0)
	    DEVNAM(sc), sc->sc_ctrl_len, sc->sc_maxpktlen,do { } while (0)
	    md->bmNetworkCapabilities)do { } while (0);
	break;
default:
	break;
}
}
if (sc->sc_ver_maj < 0) {
printf("%s: missing MBIM descriptor\n", DEVNAM(sc)(((struct umb_softc *)(sc))->sc_dev.dv_xname));
goto fail;
}
if (sc->sc_flags & UMBFLG_FCC_AUTH_REQUIRED0x0001)
sc->sc_cid = -1;

for (i = 0; i < uaa->nifaces; i++) {
if (usbd_iface_claimed(sc->sc_udev, i))
	continue;
id = usbd_get_interface_descriptor(&sc->sc_udev->ifaces[i]);
if (id != NULL((void *)0) && id->bInterfaceNumber == data_ifaceno) {
	sc->sc_data_iface = &sc->sc_udev->ifaces[i];
	usbd_claim_iface(sc->sc_udev, i);
}
}
if (sc->sc_data_iface == NULL((void *)0)) {
printf("%s: no data interface found\n", DEVNAM(sc)(((struct umb_softc *)(sc))->sc_dev.dv_xname));
goto fail;
}

/*
* If this is a combined NCM/MBIM function, switch to
* alternate setting one to enable MBIM.
*/
id = usbd_get_interface_descriptor(uaa->iface);
if (id->bInterfaceClass == UICLASS_CDC0x02 &&
   id->bInterfaceSubClass ==
   UISUBCLASS_NETWORK_CONTROL_MODEL13)
usbd_set_interface(uaa->iface, 1);

id = usbd_get_interface_descriptor(uaa->iface);
ctrl_ep = -1;
for (i = 0; i < id->bNumEndpoints && ctrl_ep == -1; i++) {
ed = usbd_interface2endpoint_descriptor(uaa->iface, i);
if (ed == NULL((void *)0))
	break;
if (UE_GET_XFERTYPE(ed->bmAttributes)((ed->bmAttributes) & 0x03) == UE_INTERRUPT0x03 &&
    UE_GET_DIR(ed->bEndpointAddress)((ed->bEndpointAddress) & 0x80) == UE_DIR_IN0x80)
	ctrl_ep = ed->bEndpointAddress;
}
if (ctrl_ep == -1) {
printf("%s: missing interrupt endpoint\n", DEVNAM(sc)(((struct umb_softc *)(sc))->sc_dev.dv_xname));
goto fail;
}

/*
* For the MBIM Data Interface, select the appropriate
* alternate setting by looking for a matching descriptor that
* has two endpoints.
*/
cd = usbd_get_config_descriptor(sc->sc_udev);
altnum = usbd_get_no_alts(cd, data_ifaceno);
for (i = 0; i < altnum; i++) {
id = usbd_find_idesc(cd, sc->sc_data_iface->index, i);
if (id == NULL((void *)0))
	continue;
if (id->bInterfaceClass == UICLASS_CDC_DATA0x0a &&
    id->bInterfaceSubClass == UISUBCLASS_DATA0 &&
    id->bInterfaceProtocol == UIPROTO_DATA_MBIM0x02 &&
    id->bNumEndpoints == 2)
	break;
}
if (i == altnum || id == NULL((void *)0)) {
printf("%s: missing alt setting for interface #%d\n",
    DEVNAM(sc)(((struct umb_softc *)(sc))->sc_dev.dv_xname), data_ifaceno);
goto fail;
}
status = usbd_set_interface(sc->sc_data_iface, i);
if (status) {
printf("%s: select alt setting %d for interface #%d "
    "failed: %s\n", DEVNAM(sc)(((struct umb_softc *)(sc))->sc_dev.dv_xname), i, data_ifaceno,
    usbd_errstr(status));
goto fail;
}

id = usbd_get_interface_descriptor(sc->sc_data_iface);
sc->sc_rx_ep = sc->sc_tx_ep = -1;
for (i = 0; i < id->bNumEndpoints; i++) {
if ((ed = usbd_interface2endpoint_descriptor(sc->sc_data_iface,
    i)) == NULL((void *)0))
	break;
if (UE_GET_XFERTYPE(ed->bmAttributes)((ed->bmAttributes) & 0x03) == UE_BULK0x02 &&
    UE_GET_DIR(ed->bEndpointAddress)((ed->bEndpointAddress) & 0x80) == UE_DIR_IN0x80)
	sc->sc_rx_ep = ed->bEndpointAddress;
else if (UE_GET_XFERTYPE(ed->bmAttributes)((ed->bmAttributes) & 0x03) == UE_BULK0x02 &&
    UE_GET_DIR(ed->bEndpointAddress)((ed->bEndpointAddress) & 0x80) == UE_DIR_OUT0x00)
	sc->sc_tx_ep = ed->bEndpointAddress;
}
if (sc->sc_rx_ep == -1 || sc->sc_tx_ep == -1) {
printf("%s: missing bulk endpoints\n", DEVNAM(sc)(((struct umb_softc *)(sc))->sc_dev.dv_xname));
goto fail;
}

DPRINTFN(2, "%s: ctrl-ifno#%d: ep-ctrl=%d, data-ifno#%d: ep-rx=%d, "do { } while (0)
   "ep-tx=%d\n", DEVNAM(sc), sc->sc_ctrl_ifaceno,do { } while (0)
   UE_GET_ADDR(ctrl_ep), data_ifaceno,do { } while (0)
   UE_GET_ADDR(sc->sc_rx_ep), UE_GET_ADDR(sc->sc_tx_ep))do { } while (0);

usb_init_task(&sc->sc_umb_task, umb_state_task, sc,((&sc->sc_umb_task)->fun = (umb_state_task), (&
sc->sc_umb_task)->arg = (sc), (&sc->sc_umb_task)
->type = (0), (&sc->sc_umb_task)->state = 0x0)
   USB_TASK_TYPE_GENERIC)((&sc->sc_umb_task)->fun = (umb_state_task), (&
sc->sc_umb_task)->arg = (sc), (&sc->sc_umb_task)
->type = (0), (&sc->sc_umb_task)->state = 0x0);
usb_init_task(&sc->sc_get_response_task, umb_get_response_task, sc,((&sc->sc_get_response_task)->fun = (umb_get_response_task
), (&sc->sc_get_response_task)->arg = (sc), (&sc
->sc_get_response_task)->type = (0), (&sc->sc_get_response_task
)->state = 0x0)
   USB_TASK_TYPE_GENERIC)((&sc->sc_get_response_task)->fun = (umb_get_response_task
), (&sc->sc_get_response_task)->arg = (sc), (&sc
->sc_get_response_task)->type = (0), (&sc->sc_get_response_task
)->state = 0x0);
timeout_set(&sc->sc_statechg_timer, umb_statechg_timeout, sc);

if (usbd_open_pipe_intr(uaa->iface, ctrl_ep, USBD_SHORT_XFER_OK0x04,
   &sc->sc_ctrl_pipe, sc, &sc->sc_intr_msg, sizeof (sc->sc_intr_msg),
   umb_intr, USBD_DEFAULT_INTERVAL(-1))) {
printf("%s: failed to open control pipe\n", DEVNAM(sc)(((struct umb_softc *)(sc))->sc_dev.dv_xname));
goto fail;
}
sc->sc_resp_buf = malloc(sc->sc_ctrl_len, M_USBDEV102, M_NOWAIT0x0002);
if (sc->sc_resp_buf == NULL((void *)0)) {
printf("%s: allocation of resp buffer failed\n", DEVNAM(sc)(((struct umb_softc *)(sc))->sc_dev.dv_xname));
goto fail;
}
sc->sc_ctrl_msg = malloc(sc->sc_ctrl_len, M_USBDEV102, M_NOWAIT0x0002);
if (sc->sc_ctrl_msg == NULL((void *)0)) {
printf("%s: allocation of ctrl msg buffer failed\n",
    DEVNAM(sc)(((struct umb_softc *)(sc))->sc_dev.dv_xname));
goto fail;
}

sc->sc_info.regstate = MBIM_REGSTATE_UNKNOWN0;
sc->sc_info.pin_attempts_left = UMB_VALUE_UNKNOWN-999;
sc->sc_info.rssi = UMB_VALUE_UNKNOWN-999;
sc->sc_info.ber = UMB_VALUE_UNKNOWN-999;

/* Default to 16 bit NTB format. */
sc->sc_ncm_format = NCM_FORMAT_NTB160x00;
umb_ncm_setup(sc);
umb_ncm_setup_format(sc);
if (sc->sc_ncm_supported_formats == 0)
goto fail;
DPRINTFN(2, "%s: rx/tx size %d/%d\n", DEVNAM(sc),do { } while (0)
   sc->sc_rx_bufsz, sc->sc_tx_bufsz)do { } while (0);

s = splnet()splraise(0x4);
ifp = GET_IFP(sc)(&(sc)->sc_if);
ifp->if_flags = IFF_SIMPLEX0x800 | IFF_MULTICAST0x8000 | IFF_POINTOPOINT0x10;
ifp->if_ioctl = umb_ioctl;
ifp->if_start = umb_start;
ifp->if_rtrequest = umb_rtrequest;

ifp->if_watchdog = umb_watchdog;
strlcpy(ifp->if_xname, DEVNAM(sc)(((struct umb_softc *)(sc))->sc_dev.dv_xname), IFNAMSIZ16);
ifp->if_link_stateif_data.ifi_link_state = LINK_STATE_DOWN2;

ifp->if_typeif_data.ifi_type = IFT_MBIM0xfa;
ifp->if_priority = IF_WWAN_DEFAULT_PRIORITY6;
ifp->if_addrlenif_data.ifi_addrlen = 0;
ifp->if_hdrlenif_data.ifi_hdrlen = sizeof (struct ncm_header16) +
   sizeof (struct ncm_pointer16);
ifp->if_mtuif_data.ifi_mtu = 1500;		/* use a common default */
ifp->if_hardmtu = sc->sc_maxpktlen;
ifp->if_bpf_mtap = p2p_bpf_mtap;
ifp->if_input = p2p_input;
ifp->if_output = umb_output;
if_attach(ifp);
if_alloc_sadl(ifp);
ifp->if_softc = sc;
632#if NBPFILTER1 > 0
bpfattach(&ifp->if_bpf, ifp, DLT_LOOP12, sizeof(uint32_t));
634#endif

636#if NKSTAT1 > 0
umb_kstat_attach(sc);
638#endif

/*
* Open the device now so that we are able to query device information.
* XXX maybe close when done?
*/
umb_open(sc);
splx(s)spllower(s);

DPRINTF("%s: vers %d.%d\n", DEVNAM(sc), sc->sc_ver_maj, sc->sc_ver_min)do { } while (0);
return;

650fail:
usbd_deactivate(sc->sc_udev);
return;
653}

655int
656umb_detach(struct device *self, int flags)
657{
struct umb_softc *sc = (struct umb_softc *)self;
struct ifnet *ifp = GET_IFP(sc)(&(sc)->sc_if);
int	 s;

s = splnet()splraise(0x4);
if (ifp->if_flags & IFF_RUNNING0x40)
umb_down(sc, 1);
umb_close(sc);

667#if NKSTAT1 > 0
umb_kstat_detach(sc);
669#endif

usb_rem_wait_task(sc->sc_udev, &sc->sc_get_response_task);
if (timeout_initialized(&sc->sc_statechg_timer)((&sc->sc_statechg_timer)->to_flags & 0x04))
timeout_del(&sc->sc_statechg_timer);
sc->sc_nresp = 0;
usb_rem_wait_task(sc->sc_udev, &sc->sc_umb_task);
if (sc->sc_ctrl_pipe) {
usbd_close_pipe(sc->sc_ctrl_pipe);
sc->sc_ctrl_pipe = NULL((void *)0);
}
if (sc->sc_ctrl_msg) {
free(sc->sc_ctrl_msg, M_USBDEV102, sc->sc_ctrl_len);
sc->sc_ctrl_msg = NULL((void *)0);
}
if (sc->sc_resp_buf) {
free(sc->sc_resp_buf, M_USBDEV102, sc->sc_ctrl_len);
sc->sc_resp_buf = NULL((void *)0);
}
if (ifp->if_softc != NULL((void *)0)) {
if_detach(ifp);
}

splx(s)spllower(s);
return 0;
694}

696void
697umb_ncm_setup(struct umb_softc *sc)
698{
usb_device_request_t req;
struct ncm_ntb_parameters np;

/* Query NTB transfer sizes */
req.bmRequestType = UT_READ_CLASS_INTERFACE(0x80 | 0x20 | 0x01);
req.bRequest = NCM_GET_NTB_PARAMETERS0x80;
USETW(req.wValue, 0)(*(u_int16_t *)(req.wValue) = (0));
USETW(req.wIndex, sc->sc_ctrl_ifaceno)(*(u_int16_t *)(req.wIndex) = (sc->sc_ctrl_ifaceno));
USETW(req.wLength, sizeof (np))(*(u_int16_t *)(req.wLength) = (sizeof (np)));
if (usbd_do_request(sc->sc_udev, &req, &np) == USBD_NORMAL_COMPLETION &&
   UGETW(np.wLength)(*(u_int16_t *)(np.wLength)) == sizeof (np)) {
sc->sc_rx_bufsz = UGETDW(np.dwNtbInMaxSize)(*(u_int32_t *)(np.dwNtbInMaxSize));
sc->sc_tx_bufsz = UGETDW(np.dwNtbOutMaxSize)(*(u_int32_t *)(np.dwNtbOutMaxSize));
sc->sc_maxdgram = UGETW(np.wNtbOutMaxDatagrams)(*(u_int16_t *)(np.wNtbOutMaxDatagrams));
sc->sc_align = UGETW(np.wNdpOutAlignment)(*(u_int16_t *)(np.wNdpOutAlignment));
sc->sc_ndp_div = UGETW(np.wNdpOutDivisor)(*(u_int16_t *)(np.wNdpOutDivisor));
sc->sc_ndp_remainder = UGETW(np.wNdpOutPayloadRemainder)(*(u_int16_t *)(np.wNdpOutPayloadRemainder));
/* Validate values */
if (!powerof2(sc->sc_align)((((sc->sc_align)-1)&(sc->sc_align))==0) || sc->sc_align == 0 ||
    sc->sc_align >= sc->sc_tx_bufsz)
	sc->sc_align = sizeof (uint32_t);
if (!powerof2(sc->sc_ndp_div)((((sc->sc_ndp_div)-1)&(sc->sc_ndp_div))==0) || sc->sc_ndp_div == 0 ||
    sc->sc_ndp_div >= sc->sc_tx_bufsz)
	sc->sc_ndp_div = sizeof (uint32_t);
if (sc->sc_ndp_remainder >= sc->sc_ndp_div)
	sc->sc_ndp_remainder = 0;
DPRINTF("%s: NCM align=%d div=%d rem=%d\n", DEVNAM(sc),do { } while (0)
    sc->sc_align, sc->sc_ndp_div, sc->sc_ndp_remainder)do { } while (0);
sc->sc_ncm_supported_formats = UGETW(np.bmNtbFormatsSupported)(*(u_int16_t *)(np.bmNtbFormatsSupported));
} else {
sc->sc_rx_bufsz = sc->sc_tx_bufsz = 8 * 1024;
sc->sc_maxdgram = 0;
sc->sc_align = sc->sc_ndp_div = sizeof (uint32_t);
sc->sc_ndp_remainder = 0;
DPRINTF("%s: align=default div=default rem=default\n",do { } while (0)
    DEVNAM(sc))do { } while (0);
sc->sc_ncm_supported_formats = NCM_FORMAT_NTB16_MASK(1U << 0x00);
}
737}

739void
740umb_ncm_setup_format(struct umb_softc *sc)
741{
usb_device_request_t req;
uWord wFmt;
uint16_t fmt;

assertwaitok();
if (sc->sc_ncm_supported_formats == 0)
goto fail;

/* NCM_GET_NTB_FORMAT is not allowed for 16-bit only devices. */
if (sc->sc_ncm_supported_formats == NCM_FORMAT_NTB16_MASK(1U << 0x00)) {
DPRINTF("%s: Only NTB16 format supported.\n", DEVNAM(sc))do { } while (0);
sc->sc_ncm_format = NCM_FORMAT_NTB160x00;
return;
}

/* Query NTB FORMAT (16 vs. 32 bit) */
req.bmRequestType = UT_READ_CLASS_INTERFACE(0x80 | 0x20 | 0x01);
req.bRequest = NCM_GET_NTB_FORMAT0x83;
USETW(req.wValue, 0)(*(u_int16_t *)(req.wValue) = (0));
USETW(req.wIndex, sc->sc_ctrl_ifaceno)(*(u_int16_t *)(req.wIndex) = (sc->sc_ctrl_ifaceno));
USETW(req.wLength, sizeof (wFmt))(*(u_int16_t *)(req.wLength) = (sizeof (wFmt)));
if (usbd_do_request(sc->sc_udev, &req, wFmt) != USBD_NORMAL_COMPLETION)
goto fail;
fmt = UGETW(wFmt)(*(u_int16_t *)(wFmt));
if ((sc->sc_ncm_supported_formats & (1UL << fmt)) == 0)
goto fail;
if (fmt != NCM_FORMAT_NTB160x00 && fmt != NCM_FORMAT_NTB320x01)
goto fail;
sc->sc_ncm_format = fmt;

DPRINTF("%s: Using NCM format %d, supported=0x%x\n",do { } while (0)
   DEVNAM(sc), sc->sc_ncm_format, sc->sc_ncm_supported_formats)do { } while (0);
return;

776fail:
DPRINTF("%s: Cannot setup NCM format\n", DEVNAM(sc))do { } while (0);
sc->sc_ncm_supported_formats = 0;
779}

781int
782umb_alloc_xfers(struct umb_softc *sc)
783{
if (!sc->sc_rx_xfer) {
if ((sc->sc_rx_xfer = usbd_alloc_xfer(sc->sc_udev)) != NULL((void *)0))
	sc->sc_rx_buf = usbd_alloc_buffer(sc->sc_rx_xfer,
	    sc->sc_rx_bufsz);
}
if (!sc->sc_tx_xfer) {
if ((sc->sc_tx_xfer = usbd_alloc_xfer(sc->sc_udev)) != NULL((void *)0))
	sc->sc_tx_buf = usbd_alloc_buffer(sc->sc_tx_xfer,
	    sc->sc_tx_bufsz);
}
return (sc->sc_rx_buf && sc->sc_tx_buf) ? 1 : 0;
795}

797void
798umb_free_xfers(struct umb_softc *sc)
799{
if (sc->sc_rx_xfer) {
/* implicit usbd_free_buffer() */
usbd_free_xfer(sc->sc_rx_xfer);
sc->sc_rx_xfer = NULL((void *)0);
sc->sc_rx_buf = NULL((void *)0);
}
if (sc->sc_tx_xfer) {
usbd_free_xfer(sc->sc_tx_xfer);
sc->sc_tx_xfer = NULL((void *)0);
sc->sc_tx_buf = NULL((void *)0);
}
ml_purge(&sc->sc_tx_ml);
812}

814int
815umb_alloc_bulkpipes(struct umb_softc *sc)
816{
struct ifnet *ifp = GET_IFP(sc)(&(sc)->sc_if);

if (!(ifp->if_flags & IFF_RUNNING0x40)) {
if (usbd_open_pipe(sc->sc_data_iface, sc->sc_rx_ep,
    USBD_EXCLUSIVE_USE0x01, &sc->sc_rx_pipe))
	return 0;
if (usbd_open_pipe(sc->sc_data_iface, sc->sc_tx_ep,
    USBD_EXCLUSIVE_USE0x01, &sc->sc_tx_pipe))
	return 0;

ifp->if_flags |= IFF_RUNNING0x40;
ifq_clr_oactive(&ifp->if_snd);
umb_rx(sc);
}
return 1;
832}

834void
835umb_close_bulkpipes(struct umb_softc *sc)
836{
struct ifnet *ifp = GET_IFP(sc)(&(sc)->sc_if);

ifp->if_flags &= ~IFF_RUNNING0x40;
ifq_clr_oactive(&ifp->if_snd);
ifp->if_timer = 0;
if (sc->sc_rx_pipe) {
usbd_close_pipe(sc->sc_rx_pipe);
sc->sc_rx_pipe = NULL((void *)0);
}
if (sc->sc_tx_pipe) {
usbd_close_pipe(sc->sc_tx_pipe);
sc->sc_tx_pipe = NULL((void *)0);
}
850}

852int
853umb_ioctl(struct ifnet *ifp, u_long cmd, caddr_t data)
854{
struct proc *p = curproc({struct cpu_info *__ci; asm volatile("movq %%gs:%P1,%0" : "=r"
 (__ci) :"n" (__builtin_offsetof(struct cpu_info, ci_self)));
 __ci;})->ci_curproc;
struct umb_softc *sc = ifp->if_softc;
struct ifreq *ifr = (struct ifreq *)data;
int	 s, error = 0;
struct umb_parameter mp;

if (usbd_is_dying(sc->sc_udev))
return ENXIO6;

s = splnet()splraise(0x4);
switch (cmd) {
case SIOCSIFFLAGS((unsigned long)0x80000000 | ((sizeof(struct ifreq) & 0x1fff
) << 16) | ((('i')) << 8) | ((16))):
usb_add_task(sc->sc_udev, &sc->sc_umb_task);
break;
case SIOCGUMBINFO(((unsigned long)0x80000000|(unsigned long)0x40000000) | ((sizeof
(struct ifreq) & 0x1fff) << 16) | ((('i')) <<
 8) | ((190))):
error = copyout(&sc->sc_info, ifr->ifr_dataifr_ifru.ifru_data,
    sizeof (sc->sc_info));
break;
case SIOCSUMBPARAM((unsigned long)0x80000000 | ((sizeof(struct ifreq) & 0x1fff
) << 16) | ((('i')) << 8) | ((191))):
if ((error = suser(p)) != 0)
	break;
if ((error = copyin(ifr->ifr_dataifr_ifru.ifru_data, &mp, sizeof (mp))) != 0)
	break;

if ((error = umb_setpin(sc, mp.op, mp.is_puk, mp.pin, mp.pinlen,
    mp.newpin, mp.newpinlen)) != 0)
	break;

if (mp.apnlen < 0 || mp.apnlen > sizeof (sc->sc_info.apn)) {
	error = EINVAL22;
	break;
}
sc->sc_roamingsc_info.enable_roaming = mp.roaming ? 1 : 0;
memset(sc->sc_info.apn, 0, sizeof (sc->sc_info.apn))__builtin_memset((sc->sc_info.apn), (0), (sizeof (sc->sc_info
.apn)));
memcpy(sc->sc_info.apn, mp.apn, mp.apnlen)__builtin_memcpy((sc->sc_info.apn), (mp.apn), (mp.apnlen));
sc->sc_info.apnlen = mp.apnlen;
sc->sc_info.preferredclasses = mp.preferredclasses;
umb_setdataclass(sc);
break;
case SIOCGUMBPARAM(((unsigned long)0x80000000|(unsigned long)0x40000000) | ((sizeof
(struct ifreq) & 0x1fff) << 16) | ((('i')) <<
 8) | ((192))):
memset(&mp, 0, sizeof (mp))__builtin_memset((&mp), (0), (sizeof (mp)));
memcpy(mp.apn, sc->sc_info.apn, sc->sc_info.apnlen)__builtin_memcpy((mp.apn), (sc->sc_info.apn), (sc->sc_info
.apnlen));
mp.apnlen = sc->sc_info.apnlen;
mp.roaming = sc->sc_roamingsc_info.enable_roaming;
mp.preferredclasses = sc->sc_info.preferredclasses;
error = copyout(&mp, ifr->ifr_dataifr_ifru.ifru_data, sizeof (mp));
break;
case SIOCSIFMTU((unsigned long)0x80000000 | ((sizeof(struct ifreq) & 0x1fff
) << 16) | ((('i')) << 8) | ((127))):
/* Does this include the NCM headers and tail? */
if (ifr->ifr_mtuifr_ifru.ifru_metric > ifp->if_hardmtu) {
	error = EINVAL22;
	break;
}
ifp->if_mtuif_data.ifi_mtu = ifr->ifr_mtuifr_ifru.ifru_metric;
break;
case SIOCSIFADDR((unsigned long)0x80000000 | ((sizeof(struct ifreq) & 0x1fff
) << 16) | ((('i')) << 8) | ((12))):
case SIOCAIFADDR((unsigned long)0x80000000 | ((sizeof(struct ifaliasreq) &
 0x1fff) << 16) | ((('i')) << 8) | ((26))):
case SIOCSIFDSTADDR((unsigned long)0x80000000 | ((sizeof(struct ifreq) & 0x1fff
) << 16) | ((('i')) << 8) | ((14))):
case SIOCADDMULTI((unsigned long)0x80000000 | ((sizeof(struct ifreq) & 0x1fff
) << 16) | ((('i')) << 8) | ((49))):
case SIOCDELMULTI((unsigned long)0x80000000 | ((sizeof(struct ifreq) & 0x1fff
) << 16) | ((('i')) << 8) | ((50))):
break;
default:
error = ENOTTY25;
break;
}
splx(s)spllower(s);
return error;
922}

924int
925umb_output(struct ifnet *ifp, struct mbuf *m, struct sockaddr *dst,
  struct rtentry *rtp)
927{
if ((ifp->if_flags & (IFF_UP0x1|IFF_RUNNING0x40)) != (IFF_UP0x1|IFF_RUNNING0x40)) {
m_freem(m);
return ENETDOWN50;
}
m->m_pkthdrM_dat.MH.MH_pkthdr.ph_family = dst->sa_family;
return if_enqueue(ifp, m);
934}

936static inline int
937umb_align(size_t bufsz, int offs, int alignment, int remainder)
938{
size_t	 m = alignment - 1;
int	 align;

align = (((size_t)offs + m) & ~m) - alignment + remainder;
if (align < offs)
align += alignment;
if (align > bufsz)
align = bufsz;
return align - offs;
948}

950static inline int
951umb_padding(void *buf, size_t bufsz, int offs, int alignment, int remainder)
952{
int	 nb;

nb = umb_align(bufsz, offs, alignment, remainder);
if (nb > 0)
memset(buf + offs, 0, nb)__builtin_memset((buf + offs), (0), (nb));
return nb;
959}

961void
962umb_start(struct ifnet *ifp)
963{
struct umb_softc *sc = ifp->if_softc;
struct mbuf *m = NULL((void *)0);
int	 ndgram = 0;
int	 offs, len, mlen;
int	 maxoverhead;

if (usbd_is_dying(sc->sc_udev) ||
6
←
Assuming the condition is false→
   !(ifp->if_flags & IFF_RUNNING0x40) ||
7
←
Assuming the condition is false→
   ifq_is_oactive(&ifp->if_snd))
return;

KASSERT(ml_empty(&sc->sc_tx_ml))((((&sc->sc_tx_ml)->ml_len == 0)) ? (void)0 : __assert
("diagnostic ", "/usr/src/sys/dev/usb/if_umb.c", 975, "ml_empty(&sc->sc_tx_ml)"
));
8
←
Taking false branch→
9
←
Assuming field 'ml_len' is equal to 0→
10
←
'?' condition is true→

switch (sc->sc_ncm_format) {
11
←
Control jumps to 'case 1:'  at line 984→
case NCM_FORMAT_NTB160x00:
offs = sizeof (struct ncm_header16);
offs += umb_align(sc->sc_tx_bufsz, offs, sc->sc_align, 0);
offs += sizeof (struct ncm_pointer16);
maxoverhead = sizeof (struct ncm_pointer16_dgram);
break;
case NCM_FORMAT_NTB320x01:
offs = sizeof (struct ncm_header32);
offs += umb_align(sc->sc_tx_bufsz, offs, sc->sc_align, 0);
offs += sizeof (struct ncm_pointer32);
maxoverhead = sizeof (struct ncm_pointer32_dgram);
break;
12
←
 Execution continues on line 997→
}

/*
* Overhead for per packet alignment plus packet pointer. Note
* that 'struct ncm_pointer{16,32}' already includes space for
* the terminating zero pointer.
*/
maxoverhead += sc->sc_ndp_div - 1;

len = 0;
while (1) {
13
←
Loop condition is true.  Entering loop body→
21
←
Loop condition is true.  Entering loop body→
m = ifq_deq_begin(&ifp->if_snd);
if (m == NULL((void *)0))
14
←
Assuming 'm' is not equal to NULL→
15
←
Taking false branch→
22
←
Assuming 'm' is equal to NULL→
23
←
Taking true branch→
	break;
24
←
 Execution continues on line 1027→

/*
 * Check if mbuf plus required NCM pointer still fits into
 * xfer buffers. Assume maximal padding.
 */
mlen = maxoverhead +  m->m_pkthdrM_dat.MH.MH_pkthdr.len;
if ((sc->sc_maxdgram != 0 && ndgram >= sc->sc_maxdgram) ||
16
←
Assuming field 'sc_maxdgram' is equal to 0→
18
←
Taking false branch→
    (offs + len + mlen > sc->sc_tx_bufsz)) {
17
←
Assuming the condition is false→
	ifq_deq_rollback(&ifp->if_snd, m);
	break;
}
ifq_deq_commit(&ifp->if_snd, m);

ndgram++;
len += mlen;
ml_enqueue(&sc->sc_tx_ml, m);

1021#if NBPFILTER1 > 0
if (ifp->if_bpf)
19
←
Assuming field 'if_bpf' is null→
20
←
Taking false branch→
	bpf_mtap_af(ifp->if_bpf, m->m_pkthdrM_dat.MH.MH_pkthdr.ph_family, m,
	    BPF_DIRECTION_OUT(1 << 1));
1025#endif
}
if (ml_empty(&sc->sc_tx_ml)((&sc->sc_tx_ml)->ml_len == 0))
25
←
Assuming field 'ml_len' is not equal to 0→
26
←
Taking false branch→
return;
if (umb_encap(sc, ndgram)) {
27
←
Calling 'umb_encap'→
ifq_set_oactive(&ifp->if_snd);
ifp->if_timer = (2 * umb_xfer_tout) / 1000;
}
1033}

1035void
1036umb_rtrequest(struct ifnet *ifp, int req, struct rtentry *rt)
1037{
struct umb_softc *sc = ifp->if_softc;

if (req == RTM_PROPOSAL0x13) {
KERNEL_LOCK()_kernel_lock();
umb_send_inet_proposal(sc, AF_INET2);
1043#ifdef INET61
umb_send_inet_proposal(sc, AF_INET624);
1045#endif
KERNEL_UNLOCK()_kernel_unlock();
return;
}

p2p_rtrequest(ifp, req, rt);
1051}


1054void
1055umb_watchdog(struct ifnet *ifp)
1056{
struct umb_softc *sc = ifp->if_softc;

if (usbd_is_dying(sc->sc_udev))
return;

ifp->if_oerrorsif_data.ifi_oerrors++;
printf("%s: watchdog timeout\n", DEVNAM(sc)(((struct umb_softc *)(sc))->sc_dev.dv_xname));
usbd_abort_pipe(sc->sc_tx_pipe);
return;
1066}

1068void
1069umb_statechg_timeout(void *arg)
1070{
struct umb_softc *sc = arg;
struct ifnet *ifp = GET_IFP(sc)(&(sc)->sc_if);

if (sc->sc_info.regstate != MBIM_REGSTATE_ROAMING4 || sc->sc_roamingsc_info.enable_roaming)
if (ifp->if_flags & IFF_DEBUG0x4)
	log(LOG_DEBUG7, "%s: state change timeout\n",
	    DEVNAM(sc)(((struct umb_softc *)(sc))->sc_dev.dv_xname));
usb_add_task(sc->sc_udev, &sc->sc_umb_task);
1079}

1081void
1082umb_newstate(struct umb_softc *sc, enum umb_state newstate, int flags)
1083{
struct ifnet *ifp = GET_IFP(sc)(&(sc)->sc_if);

if (newstate == sc->sc_statesc_info.state)
return;
if (((flags & UMB_NS_DONT_DROP0x0001) && newstate < sc->sc_statesc_info.state) ||
   ((flags & UMB_NS_DONT_RAISE0x0002) && newstate > sc->sc_statesc_info.state))
return;
if (ifp->if_flags & IFF_DEBUG0x4)
log(LOG_DEBUG7, "%s: state going %s from '%s' to '%s'\n",
    DEVNAM(sc)(((struct umb_softc *)(sc))->sc_dev.dv_xname), newstate > sc->sc_statesc_info.state ? "up" : "down",
    umb_istate(sc->sc_state)umb_val2descr(umb_istate, (sc->sc_info.state)), umb_istate(newstate)umb_val2descr(umb_istate, (newstate)));
sc->sc_statesc_info.state = newstate;
usb_add_task(sc->sc_udev, &sc->sc_umb_task);
1097}

1099void
1100umb_state_task(void *arg)
1101{
struct umb_softc *sc = arg;
struct ifnet *ifp = GET_IFP(sc)(&(sc)->sc_if);
int	 s;
int	 state;

if (sc->sc_info.regstate == MBIM_REGSTATE_ROAMING4 && !sc->sc_roamingsc_info.enable_roaming) {
/*
 * Query the registration state until we're with the home
 * network again.
 */
umb_cmd(sc, MBIM_CID_REGISTER_STATE9, MBIM_CMDOP_QRY0, NULL((void *)0), 0);
return;
}

s = splnet()splraise(0x4);
if (ifp->if_flags & IFF_UP0x1)
umb_up(sc);
else
umb_down(sc, 0);

state = sc->sc_statesc_info.state == UMB_S_UP ? LINK_STATE_UP4 : LINK_STATE_DOWN2;
if (ifp->if_link_stateif_data.ifi_link_state != state) {
if (ifp->if_flags & IFF_DEBUG0x4)
	log(LOG_DEBUG7, "%s: link state changed from %s to %s\n",
	    DEVNAM(sc)(((struct umb_softc *)(sc))->sc_dev.dv_xname),
	    LINK_STATE_IS_UP(ifp->if_link_state)((ifp->if_data.ifi_link_state) >= 4 || (ifp->if_data
.ifi_link_state) == 0)
	    ? "up" : "down",
	    LINK_STATE_IS_UP(state)((state) >= 4 || (state) == 0) ? "up" : "down");
ifp->if_link_stateif_data.ifi_link_state = state;
if_link_state_change(ifp);
}
splx(s)spllower(s);
1134}

1136void
1137umb_up(struct umb_softc *sc)
1138{
splassert(IPL_NET)do { if (splassert_ctl > 0) { splassert_check(0x4, __func__
); } } while (0);

switch (sc->sc_statesc_info.state) {
case UMB_S_DOWN:
DPRINTF("%s: init: opening ...\n", DEVNAM(sc))do { } while (0);
umb_open(sc);
break;
case UMB_S_OPEN:
if (sc->sc_flags & UMBFLG_FCC_AUTH_REQUIRED0x0001) {
	if (sc->sc_cid == -1) {
		DPRINTF("%s: init: allocating CID ...\n",do { } while (0)
		    DEVNAM(sc))do { } while (0);
		umb_allocate_cid(sc);
		break;
	} else
		umb_newstate(sc, UMB_S_CID, UMB_NS_DONT_DROP0x0001);
} else {
	DPRINTF("%s: init: turning radio on ...\n", DEVNAM(sc))do { } while (0);
	umb_radio(sc, 1);
	break;
}
/*FALLTHROUGH*/
case UMB_S_CID:
DPRINTF("%s: init: sending FCC auth ...\n", DEVNAM(sc))do { } while (0);
umb_send_fcc_auth(sc);
break;
case UMB_S_RADIO:
DPRINTF("%s: init: checking SIM state ...\n", DEVNAM(sc))do { } while (0);
umb_cmd(sc, MBIM_CID_SUBSCRIBER_READY_STATUS2, MBIM_CMDOP_QRY0,
    NULL((void *)0), 0);
break;
case UMB_S_SIMREADY:
DPRINTF("%s: init: attaching ...\n", DEVNAM(sc))do { } while (0);
umb_packet_service(sc, 1);
break;
case UMB_S_ATTACHED:
sc->sc_tx_seq = 0;
if (!umb_alloc_xfers(sc)) {
	umb_free_xfers(sc);
	printf("%s: allocation of xfers failed\n", DEVNAM(sc)(((struct umb_softc *)(sc))->sc_dev.dv_xname));
	break;
}
DPRINTF("%s: init: connecting ...\n", DEVNAM(sc))do { } while (0);
umb_connect(sc);
break;
case UMB_S_CONNECTED:
DPRINTF("%s: init: getting IP config ...\n", DEVNAM(sc))do { } while (0);
umb_qry_ipconfig(sc);
break;
case UMB_S_UP:
DPRINTF("%s: init: reached state UP\n", DEVNAM(sc))do { } while (0);
if (!umb_alloc_bulkpipes(sc)) {
	printf("%s: opening bulk pipes failed\n", DEVNAM(sc)(((struct umb_softc *)(sc))->sc_dev.dv_xname));
	umb_down(sc, 1);
}
break;
}
if (sc->sc_statesc_info.state < UMB_S_UP)
timeout_add_sec(&sc->sc_statechg_timer,
    UMB_STATE_CHANGE_TIMEOUT30);
else
timeout_del(&sc->sc_statechg_timer);
return;
1202}

1204void
1205umb_down(struct umb_softc *sc, int force)
1206{
splassert(IPL_NET)do { if (splassert_ctl > 0) { splassert_check(0x4, __func__
); } } while (0);

umb_close_bulkpipes(sc);
if (sc->sc_statesc_info.state < UMB_S_CONNECTED)
umb_free_xfers(sc);

switch (sc->sc_statesc_info.state) {
case UMB_S_UP:
umb_clear_addr(sc);
/*FALLTHROUGH*/
case UMB_S_CONNECTED:
DPRINTF("%s: stop: disconnecting ...\n", DEVNAM(sc))do { } while (0);
umb_disconnect(sc);
if (!force)
	break;
/*FALLTHROUGH*/
case UMB_S_ATTACHED:
DPRINTF("%s: stop: detaching ...\n", DEVNAM(sc))do { } while (0);
umb_packet_service(sc, 0);
if (!force)
	break;
/*FALLTHROUGH*/
case UMB_S_SIMREADY:
case UMB_S_RADIO:
DPRINTF("%s: stop: turning radio off ...\n", DEVNAM(sc))do { } while (0);
umb_radio(sc, 0);
if (!force)
	break;
/*FALLTHROUGH*/
case UMB_S_CID:
case UMB_S_OPEN:
case UMB_S_DOWN:
/* Do not close the device */
DPRINTF("%s: stop: reached state DOWN\n", DEVNAM(sc))do { } while (0);
break;
}
if (force)
sc->sc_statesc_info.state = UMB_S_OPEN;

if (sc->sc_statesc_info.state > UMB_S_OPEN)
timeout_add_sec(&sc->sc_statechg_timer,
    UMB_STATE_CHANGE_TIMEOUT30);
else
timeout_del(&sc->sc_statechg_timer);
1251}

1253void
1254umb_get_response_task(void *arg)
1255{
struct umb_softc *sc = arg;
int	 len;
int	 s;

/*
* Function is required to send on RESPONSE_AVAILABLE notification for
* each encapsulated response that is to be processed by the host.
* But of course, we can receive multiple notifications before the
* response task is run.
*/
s = splusb()splraise(0x2);
while (sc->sc_nresp > 0) {
--sc->sc_nresp;
len = sc->sc_ctrl_len;
if (umb_get_encap_response(sc, sc->sc_resp_buf, &len))
	umb_decode_response(sc, sc->sc_resp_buf, len);
}
splx(s)spllower(s);
1274}

1276void
1277umb_decode_response(struct umb_softc *sc, void *response, int len)
1278{
struct mbim_msghdr *hdr = response;
struct mbim_fragmented_msg_hdr *fraghdr;
uint32_t type;
uint32_t tid;

DPRINTFN(3, "%s: got response: len %d\n", DEVNAM(sc), len)do { } while (0);
DDUMPN(4, response, len)do { } while (0);

if (len < sizeof (*hdr) || letoh32(hdr->len)((__uint32_t)(hdr->len)) != len) {
/*
 * We should probably cancel a transaction, but since the
 * message is too short, we cannot decode the transaction
 * id (tid) and hence don't know, whom to cancel. Must wait
 * for the timeout.
 */
DPRINTF("%s: received short response (len %d)\n",do { } while (0)
    DEVNAM(sc), len)do { } while (0);
return;
}

/*
* XXX FIXME: if message is fragmented, store it until last frag
*	is received and then re-assemble all fragments.
*/
type = letoh32(hdr->type)((__uint32_t)(hdr->type));
tid = letoh32(hdr->tid)((__uint32_t)(hdr->tid));
switch (type) {
case MBIM_INDICATE_STATUS_MSG0x80000007U:
case MBIM_COMMAND_DONE0x80000003U:
fraghdr = response;
if (letoh32(fraghdr->frag.nfrag)((__uint32_t)(fraghdr->frag.nfrag)) != 1) {
	DPRINTF("%s: discarding fragmented messages\n",do { } while (0)
	    DEVNAM(sc))do { } while (0);
	return;
}
break;
default:
break;
}

DPRINTF("%s: <- rcv %s (tid %u)\n", DEVNAM(sc), umb_request2str(type),do { } while (0)
   tid)do { } while (0);
switch (type) {
case MBIM_FUNCTION_ERROR_MSG0x80000004U:
case MBIM_HOST_ERROR_MSG4U:
{
struct mbim_f2h_hosterr *e;
int	 err;

if (len >= sizeof (*e)) {
	e = response;
	err = letoh32(e->err)((__uint32_t)(e->err));

	DPRINTF("%s: %s message, error %s (tid %u)\n",do { } while (0)
	    DEVNAM(sc), umb_request2str(type),do { } while (0)
	    umb_error2str(err), tid)do { } while (0);
	if (err == MBIM_ERROR_NOT_OPENED5)
		umb_newstate(sc, UMB_S_DOWN, 0);
}
break;
}
case MBIM_INDICATE_STATUS_MSG0x80000007U:
umb_handle_indicate_status_msg(sc, response, len);
break;
case MBIM_OPEN_DONE0x80000001U:
umb_handle_opendone_msg(sc, response, len);
break;
case MBIM_CLOSE_DONE0x80000002U:
umb_handle_closedone_msg(sc, response, len);
break;
case MBIM_COMMAND_DONE0x80000003U:
umb_command_done(sc, response, len);
break;
default:
DPRINTF("%s: discard message %s\n", DEVNAM(sc),do { } while (0)
    umb_request2str(type))do { } while (0);
break;
}
1357}

1359void
1360umb_handle_indicate_status_msg(struct umb_softc *sc, void *data, int len)
1361{
struct mbim_f2h_indicate_status *m = data;
uint32_t infolen;
uint32_t cid;

if (len < sizeof (*m)) {
DPRINTF("%s: discard short %s message\n", DEVNAM(sc),do { } while (0)
    umb_request2str(letoh32(m->hdr.type)))do { } while (0);
return;
}
if (memcmp(m->devid, umb_uuid_basic_connect, sizeof (m->devid))__builtin_memcmp((m->devid), (umb_uuid_basic_connect), (sizeof
 (m->devid)))) {
DPRINTF("%s: discard %s message for other UUID '%s'\n",do { } while (0)
    DEVNAM(sc), umb_request2str(letoh32(m->hdr.type)),do { } while (0)
    umb_uuid2str(m->devid))do { } while (0);
return;
}
infolen = letoh32(m->infolen)((__uint32_t)(m->infolen));
if (len < sizeof (*m) + infolen) {
DPRINTF("%s: discard truncated %s message (want %d, got %d)\n",do { } while (0)
    DEVNAM(sc), umb_request2str(letoh32(m->hdr.type)),do { } while (0)
    (int)sizeof (*m) + infolen, len)do { } while (0);
return;
}

cid = letoh32(m->cid)((__uint32_t)(m->cid));
DPRINTF("%s: indicate %s status\n", DEVNAM(sc), umb_cid2str(cid))do { } while (0);
umb_decode_cid(sc, cid, m->info, infolen);
1388}

1390void
1391umb_handle_opendone_msg(struct umb_softc *sc, void *data, int len)
1392{
struct mbim_f2h_openclosedone *resp = data;
struct ifnet *ifp = GET_IFP(sc)(&(sc)->sc_if);
uint32_t status;

status = letoh32(resp->status)((__uint32_t)(resp->status));
if (status == MBIM_STATUS_SUCCESS0) {
if (sc->sc_maxsessions == 0) {
	umb_cmd(sc, MBIM_CID_DEVICE_CAPS1, MBIM_CMDOP_QRY0, NULL((void *)0),
	    0);
	umb_cmd(sc, MBIM_CID_PIN4, MBIM_CMDOP_QRY0, NULL((void *)0), 0);
	umb_cmd(sc, MBIM_CID_REGISTER_STATE9, MBIM_CMDOP_QRY0,
	    NULL((void *)0), 0);
}
umb_newstate(sc, UMB_S_OPEN, UMB_NS_DONT_DROP0x0001);
} else if (ifp->if_flags & IFF_DEBUG0x4)
log(LOG_ERR3, "%s: open error: %s\n", DEVNAM(sc)(((struct umb_softc *)(sc))->sc_dev.dv_xname),
    umb_status2str(status)umb_val2descr(umb_status, (status)));
return;
1411}

1413void
1414umb_handle_closedone_msg(struct umb_softc *sc, void *data, int len)
1415{
struct mbim_f2h_openclosedone *resp = data;
uint32_t status;

status = letoh32(resp->status)((__uint32_t)(resp->status));
if (status == MBIM_STATUS_SUCCESS0)
umb_newstate(sc, UMB_S_DOWN, 0);
else
DPRINTF("%s: close error: %s\n", DEVNAM(sc),do { } while (0)
    umb_status2str(status))do { } while (0);
return;
1426}

1428static inline void
1429umb_getinfobuf(void *in, int inlen, uint32_t offs, uint32_t sz,
  void *out, size_t outlen)
1431{
offs = letoh32(offs)((__uint32_t)(offs));
sz = letoh32(sz)((__uint32_t)(sz));
if (inlen >= offs + sz) {
memset(out, 0, outlen)__builtin_memset((out), (0), (outlen));
memcpy(out, in + offs, MIN(sz, outlen))__builtin_memcpy((out), (in + offs), ((((sz)<(outlen))?(sz
):(outlen))));
}
1438}

1440static inline int
1441umb_addstr(void *buf, size_t bufsz, int *offs, void *str, int slen,
  uint32_t *offsmember, uint32_t *sizemember)
1443{
if (*offs + slen > bufsz)
return 0;

*sizemember = htole32((uint32_t)slen)((__uint32_t)((uint32_t)slen));
if (slen && str) {
*offsmember = htole32((uint32_t)*offs)((__uint32_t)((uint32_t)*offs));
memcpy(buf + *offs, str, slen)__builtin_memcpy((buf + *offs), (str), (slen));
*offs += slen;
*offs += umb_padding(buf, bufsz, *offs, sizeof (uint32_t), 0);
} else
*offsmember = htole32(0)((__uint32_t)(0));
return 1;
1456}

1458int
1459umb_decode_register_state(struct umb_softc *sc, void *data, int len)
1460{
struct mbim_cid_registration_state_info *rs = data;
struct ifnet *ifp = GET_IFP(sc)(&(sc)->sc_if);

if (len < sizeof (*rs))
return 0;
sc->sc_info.nwerror = letoh32(rs->nwerror)((__uint32_t)(rs->nwerror));
sc->sc_info.regstate = letoh32(rs->regstate)((__uint32_t)(rs->regstate));
sc->sc_info.regmode = letoh32(rs->regmode)((__uint32_t)(rs->regmode));
sc->sc_info.cellclass = letoh32(rs->curcellclass)((__uint32_t)(rs->curcellclass));

umb_getinfobuf(data, len, rs->provname_offs, rs->provname_size,
   sc->sc_info.provider, sizeof (sc->sc_info.provider));
umb_getinfobuf(data, len, rs->provid_offs, rs->provid_size,
   sc->sc_info.providerid, sizeof (sc->sc_info.providerid));
umb_getinfobuf(data, len, rs->roamingtxt_offs, rs->roamingtxt_size,
   sc->sc_info.roamingtxt, sizeof (sc->sc_info.roamingtxt));

DPRINTFN(2, "%s: %s, availclass 0x%x, class 0x%x, regmode %d\n",do { } while (0)
   DEVNAM(sc), umb_regstate(sc->sc_info.regstate),do { } while (0)
   letoh32(rs->availclasses), sc->sc_info.cellclass,do { } while (0)
   sc->sc_info.regmode)do { } while (0);

if (sc->sc_info.regstate == MBIM_REGSTATE_ROAMING4 &&
   !sc->sc_roamingsc_info.enable_roaming &&
   sc->sc_info.activation == MBIM_ACTIVATION_STATE_ACTIVATED1) {
if (ifp->if_flags & IFF_DEBUG0x4)
	log(LOG_INFO6,
	    "%s: disconnecting from roaming network\n",
	    DEVNAM(sc)(((struct umb_softc *)(sc))->sc_dev.dv_xname));
umb_disconnect(sc);
}
return 1;
1493}

1495int
1496umb_decode_devices_caps(struct umb_softc *sc, void *data, int len)
1497{
struct mbim_cid_device_caps *dc = data;

if (len < sizeof (*dc))
return 0;
sc->sc_maxsessions = letoh32(dc->max_sessions)((__uint32_t)(dc->max_sessions));
sc->sc_info.supportedclasses = letoh32(dc->dataclass)((__uint32_t)(dc->dataclass));
umb_getinfobuf(data, len, dc->devid_offs, dc->devid_size,
   sc->sc_info.devid, sizeof (sc->sc_info.devid));
umb_getinfobuf(data, len, dc->fwinfo_offs, dc->fwinfo_size,
   sc->sc_info.fwinfo, sizeof (sc->sc_info.fwinfo));
umb_getinfobuf(data, len, dc->hwinfo_offs, dc->hwinfo_size,
   sc->sc_info.hwinfo, sizeof (sc->sc_info.hwinfo));
DPRINTFN(2, "%s: max sessions %d, supported classes 0x%x\n",do { } while (0)
   DEVNAM(sc), sc->sc_maxsessions, sc->sc_info.supportedclasses)do { } while (0);
return 1;
1513}

1515int
1516umb_decode_subscriber_status(struct umb_softc *sc, void *data, int len)
1517{
struct mbim_cid_subscriber_ready_info *si = data;
struct ifnet *ifp = GET_IFP(sc)(&(sc)->sc_if);
int	npn;

if (len < sizeof (*si))
return 0;
sc->sc_info.sim_state = letoh32(si->ready)((__uint32_t)(si->ready));

umb_getinfobuf(data, len, si->sid_offs, si->sid_size,
   sc->sc_info.sid, sizeof (sc->sc_info.sid));
umb_getinfobuf(data, len, si->icc_offs, si->icc_size,
   sc->sc_info.iccid, sizeof (sc->sc_info.iccid));

npn = letoh32(si->no_pn)((__uint32_t)(si->no_pn));
if (npn > 0)
umb_getinfobuf(data, len, si->pn[0].offs, si->pn[0].size,
    sc->sc_info.pn, sizeof (sc->sc_info.pn));
else
memset(sc->sc_info.pn, 0, sizeof (sc->sc_info.pn))__builtin_memset((sc->sc_info.pn), (0), (sizeof (sc->sc_info
.pn)));

if (sc->sc_info.sim_state == MBIM_SIMSTATE_LOCKED6)
sc->sc_info.pin_state = UMB_PUK_REQUIRED2;
if (ifp->if_flags & IFF_DEBUG0x4)
log(LOG_INFO6, "%s: SIM %s\n", DEVNAM(sc)(((struct umb_softc *)(sc))->sc_dev.dv_xname),
    umb_simstate(sc->sc_info.sim_state)umb_val2descr(umb_simstate, (sc->sc_info.sim_state)));
if (sc->sc_info.sim_state == MBIM_SIMSTATE_INITIALIZED1)
umb_newstate(sc, UMB_S_SIMREADY, UMB_NS_DONT_DROP0x0001);
return 1;
1546}

1548int
1549umb_decode_radio_state(struct umb_softc *sc, void *data, int len)
1550{
struct mbim_cid_radio_state_info *rs = data;
struct ifnet *ifp = GET_IFP(sc)(&(sc)->sc_if);

if (len < sizeof (*rs))
return 0;

sc->sc_info.hw_radio_on =
   (letoh32(rs->hw_state)((__uint32_t)(rs->hw_state)) == MBIM_RADIO_STATE_ON1) ? 1 : 0;
sc->sc_info.sw_radio_on =
   (letoh32(rs->sw_state)((__uint32_t)(rs->sw_state)) == MBIM_RADIO_STATE_ON1) ? 1 : 0;
if (!sc->sc_info.hw_radio_on) {
printf("%s: radio is disabled by hardware switch\n",
    DEVNAM(sc)(((struct umb_softc *)(sc))->sc_dev.dv_xname));
/*
 * XXX do we need a time to poll the state of the rfkill switch
 *	or will the device send an unsolicited notification
 *	in case the state changes?
 */
umb_newstate(sc, UMB_S_OPEN, 0);
} else if (!sc->sc_info.sw_radio_on) {
if (ifp->if_flags & IFF_DEBUG0x4)
	log(LOG_INFO6, "%s: radio is off\n", DEVNAM(sc)(((struct umb_softc *)(sc))->sc_dev.dv_xname));
umb_newstate(sc, UMB_S_OPEN, 0);
} else
umb_newstate(sc, UMB_S_RADIO, UMB_NS_DONT_DROP0x0001);
return 1;
1577}

1579int
1580umb_decode_pin(struct umb_softc *sc, void *data, int len)
1581{
struct mbim_cid_pin_info *pi = data;
struct ifnet *ifp = GET_IFP(sc)(&(sc)->sc_if);
uint32_t	attempts_left;

if (len < sizeof (*pi))
return 0;

attempts_left = letoh32(pi->remaining_attempts)((__uint32_t)(pi->remaining_attempts));
if (attempts_left != 0xffffffff)
sc->sc_info.pin_attempts_left = attempts_left;

switch (letoh32(pi->state)((__uint32_t)(pi->state))) {
case MBIM_PIN_STATE_UNLOCKED0:
sc->sc_info.pin_state = UMB_PIN_UNLOCKED1;
break;
case MBIM_PIN_STATE_LOCKED1:
switch (letoh32(pi->type)((__uint32_t)(pi->type))) {
case MBIM_PIN_TYPE_PIN12:
	sc->sc_info.pin_state = UMB_PIN_REQUIRED0;
	break;
case MBIM_PIN_TYPE_PUK111:
	sc->sc_info.pin_state = UMB_PUK_REQUIRED2;
	break;
case MBIM_PIN_TYPE_PIN23:
case MBIM_PIN_TYPE_PUK212:
	/* Assume that PIN1 was accepted */
	sc->sc_info.pin_state = UMB_PIN_UNLOCKED1;
	break;
}
break;
}
if (ifp->if_flags & IFF_DEBUG0x4)
log(LOG_INFO6, "%s: %s state %s (%d attempts left)\n",
    DEVNAM(sc)(((struct umb_softc *)(sc))->sc_dev.dv_xname), umb_pin_type(letoh32(pi->type))umb_val2descr(umb_pintype, (((__uint32_t)(pi->type)))),
    (letoh32(pi->state)((__uint32_t)(pi->state)) == MBIM_PIN_STATE_UNLOCKED0) ?
	"unlocked" : "locked",
    letoh32(pi->remaining_attempts)((__uint32_t)(pi->remaining_attempts)));

/*
* In case the PIN was set after IFF_UP, retrigger the state machine
*/
usb_add_task(sc->sc_udev, &sc->sc_umb_task);
return 1;
1625}

1627int
1628umb_decode_packet_service(struct umb_softc *sc, void *data, int len)
1629{
struct mbim_cid_packet_service_info *psi = data;
int	 state, highestclass;
uint64_t up_speed, down_speed;
struct ifnet *ifp = GET_IFP(sc)(&(sc)->sc_if);

if (len < sizeof (*psi))
return 0;

sc->sc_info.nwerror = letoh32(psi->nwerror)((__uint32_t)(psi->nwerror));
state = letoh32(psi->state)((__uint32_t)(psi->state));
highestclass = letoh32(psi->highest_dataclass)((__uint32_t)(psi->highest_dataclass));
up_speed = letoh64(psi->uplink_speed)((__uint64_t)(psi->uplink_speed));
down_speed = letoh64(psi->downlink_speed)((__uint64_t)(psi->downlink_speed));
if (sc->sc_info.packetstate  != state ||
   sc->sc_info.uplink_speed != up_speed ||
   sc->sc_info.downlink_speed != down_speed) {
if (ifp->if_flags & IFF_DEBUG0x4) {
	log(LOG_INFO6, "%s: packet service ", DEVNAM(sc)(((struct umb_softc *)(sc))->sc_dev.dv_xname));
	if (sc->sc_info.packetstate  != state)
		addlog("changed from %s to ",
		    umb_packet_state(sc->sc_info.packetstate)umb_val2descr(umb_pktstate, (sc->sc_info.packetstate)));
	addlog("%s, class %s, speed: %llu up / %llu down\n",
	    umb_packet_state(state)umb_val2descr(umb_pktstate, (state)), 
	    umb_dataclass(highestclass)umb_val2descr(umb_dataclasses, (highestclass)), up_speed, down_speed);
}
}
sc->sc_info.packetstate = state;
sc->sc_info.highestclass = highestclass;
sc->sc_info.uplink_speed = up_speed;
sc->sc_info.downlink_speed = down_speed;

if (sc->sc_info.regmode == MBIM_REGMODE_AUTOMATIC1) {
/*
 * For devices using automatic registration mode, just proceed,
 * once registration has completed.
 */
if (ifp->if_flags & IFF_UP0x1) {
	switch (sc->sc_info.regstate) {
	case MBIM_REGSTATE_HOME3:
	case MBIM_REGSTATE_ROAMING4:
	case MBIM_REGSTATE_PARTNER5:
		umb_newstate(sc, UMB_S_ATTACHED,
		    UMB_NS_DONT_DROP0x0001);
		break;
	default:
		break;
	}
} else
	umb_newstate(sc, UMB_S_SIMREADY, UMB_NS_DONT_RAISE0x0002);
} else switch (sc->sc_info.packetstate) {
case MBIM_PKTSERVICE_STATE_ATTACHED2:
umb_newstate(sc, UMB_S_ATTACHED, UMB_NS_DONT_DROP0x0001);
break;
case MBIM_PKTSERVICE_STATE_DETACHED4:
umb_newstate(sc, UMB_S_SIMREADY, UMB_NS_DONT_RAISE0x0002);
break;
}
return 1;
1688}

1690int
1691umb_decode_signal_state(struct umb_softc *sc, void *data, int len)
1692{
struct mbim_cid_signal_state *ss = data;
struct ifnet *ifp = GET_IFP(sc)(&(sc)->sc_if);
int	 rssi;
1696#if NKSTAT1 > 0
struct kstat *ks;
1698#endif

if (len < sizeof (*ss))
return 0;

if (letoh32(ss->rssi)((__uint32_t)(ss->rssi)) == 99)
rssi = UMB_VALUE_UNKNOWN-999;
else {
rssi = -113 + 2 * letoh32(ss->rssi)((__uint32_t)(ss->rssi));
if ((ifp->if_flags & IFF_DEBUG0x4) && sc->sc_info.rssi != rssi &&
    sc->sc_statesc_info.state >= UMB_S_CONNECTED)
	log(LOG_INFO6, "%s: rssi %d dBm\n", DEVNAM(sc)(((struct umb_softc *)(sc))->sc_dev.dv_xname), rssi);
}
sc->sc_info.rssi = rssi;
sc->sc_info.ber = letoh32(ss->err_rate)((__uint32_t)(ss->err_rate));
if (sc->sc_info.ber == 99)
sc->sc_info.ber = UMB_VALUE_UNKNOWN-999;

1716#if NKSTAT1 > 0
ks = sc->sc_kstat_signal;
if (ks != NULL((void *)0)) {
struct umb_kstat_signal *uks = ks->ks_data;

rw_enter_write(&sc->sc_kstat_lock);
kstat_kv_u64(&uks->reports)(&uks->reports)->kv_v.v_u64++;

if (sc->sc_info.rssi == UMB_VALUE_UNKNOWN-999)
	uks->rssi.kv_type = KSTAT_KV_T_NULL;
else {
	uks->rssi.kv_type = KSTAT_KV_T_INT32;
	kstat_kv_s32(&uks->rssi)(&uks->rssi)->kv_v.v_s32 = sc->sc_info.rssi;
}

if (sc->sc_info.ber == UMB_VALUE_UNKNOWN-999)
	uks->error_rate.kv_type = KSTAT_KV_T_NULL;
else {
	uks->error_rate.kv_type = KSTAT_KV_T_INT32;
	kstat_kv_s32(&uks->error_rate)(&uks->error_rate)->kv_v.v_s32 = sc->sc_info.ber;
}

ks->ks_interval.tv_sec = letoh32(ss->ss_intvl)((__uint32_t)(ss->ss_intvl));
getnanouptime(&ks->ks_updated);
rw_exit_write(&sc->sc_kstat_lock);
}
1742#endif

return 1;
1745}

1747int
1748umb_decode_connect_info(struct umb_softc *sc, void *data, int len)
1749{
struct mbim_cid_connect_info *ci = data;
struct ifnet *ifp = GET_IFP(sc)(&(sc)->sc_if);
int	 act;

if (len < sizeof (*ci))
return 0;

if (letoh32(ci->sessionid)((__uint32_t)(ci->sessionid)) != umb_session_id) {
DPRINTF("%s: discard connection info for session %u\n",do { } while (0)
    DEVNAM(sc), letoh32(ci->sessionid))do { } while (0);
return 1;
}
if (memcmp(ci->context, umb_uuid_context_internet,__builtin_memcmp((ci->context), (umb_uuid_context_internet
), (sizeof (ci->context)))
   sizeof (ci->context))__builtin_memcmp((ci->context), (umb_uuid_context_internet
), (sizeof (ci->context)))) {
DPRINTF("%s: discard connection info for other context\n",do { } while (0)
    DEVNAM(sc))do { } while (0);
return 1;
}
act = letoh32(ci->activation)((__uint32_t)(ci->activation));
if (sc->sc_info.activation != act) {
if (ifp->if_flags & IFF_DEBUG0x4)
	log(LOG_INFO6, "%s: connection %s\n", DEVNAM(sc)(((struct umb_softc *)(sc))->sc_dev.dv_xname),
	    umb_activation(act)umb_val2descr(umb_actstate, (act)));

sc->sc_info.activation = act;
sc->sc_info.nwerror = letoh32(ci->nwerror)((__uint32_t)(ci->nwerror));

if (sc->sc_info.activation == MBIM_ACTIVATION_STATE_ACTIVATED1)
	umb_newstate(sc, UMB_S_CONNECTED, UMB_NS_DONT_DROP0x0001);
else if (sc->sc_info.activation ==
    MBIM_ACTIVATION_STATE_DEACTIVATED3)
	umb_newstate(sc, UMB_S_ATTACHED, 0);
/* else: other states are purely transitional */
}
return 1;
1785}

1787void
1788umb_clear_addr(struct umb_softc *sc)
1789{
struct ifnet *ifp = GET_IFP(sc)(&(sc)->sc_if);

memset(sc->sc_info.ipv4dns, 0, sizeof (sc->sc_info.ipv4dns))__builtin_memset((sc->sc_info.ipv4dns), (0), (sizeof (sc->
sc_info.ipv4dns)));
memset(sc->sc_info.ipv6dns, 0, sizeof (sc->sc_info.ipv6dns))__builtin_memset((sc->sc_info.ipv6dns), (0), (sizeof (sc->
sc_info.ipv6dns)));
umb_send_inet_proposal(sc, AF_INET2);
1795#ifdef INET61
umb_send_inet_proposal(sc, AF_INET624);
1797#endif
NET_LOCK()do { rw_enter_write(&netlock); } while (0);
in_ifdetach(ifp);
1800#ifdef INET61
in6_ifdetach(ifp);
1802#endif
NET_UNLOCK()do { rw_exit_write(&netlock); } while (0);
1804}

1806int
1807umb_add_inet_config(struct umb_softc *sc, struct in_addr ip, u_int prefixlen,
  struct in_addr gw)
1809{
struct ifnet *ifp = GET_IFP(sc)(&(sc)->sc_if);
struct in_aliasreq ifra;
struct sockaddr_in *sin, default_sin;
struct rt_addrinfo info;
struct rtentry *rt;
int	 rv;

memset(&ifra, 0, sizeof (ifra))__builtin_memset((&ifra), (0), (sizeof (ifra)));
rv = in_ioctl(SIOCDIFADDR((unsigned long)0x80000000 | ((sizeof(struct ifreq) & 0x1fff
) << 16) | ((('i')) << 8) | ((25))), (caddr_t)&ifra, ifp, 1);
if (rv != 0 && rv != EADDRNOTAVAIL49) {
printf("%s: unable to delete IPv4 address, error %d\n",
    DEVNAM(ifp->if_softc)(((struct umb_softc *)(ifp->if_softc))->sc_dev.dv_xname
), rv);
return rv;
}

memset(&ifra, 0, sizeof (ifra))__builtin_memset((&ifra), (0), (sizeof (ifra)));
sin = &ifra.ifra_addrifra_ifrau.ifrau_addr;
sin->sin_family = AF_INET2;
sin->sin_len = sizeof (*sin);
sin->sin_addr = ip;

sin = &ifra.ifra_dstaddr;
sin->sin_family = AF_INET2;
sin->sin_len = sizeof (*sin);
sin->sin_addr = gw;

sin = &ifra.ifra_mask;
sin->sin_family = AF_INET2;
sin->sin_len = sizeof (*sin);
in_len2mask(&sin->sin_addr, prefixlen);

rv = in_ioctl(SIOCAIFADDR((unsigned long)0x80000000 | ((sizeof(struct ifaliasreq) &
 0x1fff) << 16) | ((('i')) << 8) | ((26))), (caddr_t)&ifra, ifp, 1);
if (rv != 0) {
printf("%s: unable to set IPv4 address, error %d\n",
    DEVNAM(ifp->if_softc)(((struct umb_softc *)(ifp->if_softc))->sc_dev.dv_xname
), rv);
return rv;
}

memset(&default_sin, 0, sizeof(default_sin))__builtin_memset((&default_sin), (0), (sizeof(default_sin
)));
default_sin.sin_family = AF_INET2;
default_sin.sin_len = sizeof (default_sin);

memset(&info, 0, sizeof(info))__builtin_memset((&info), (0), (sizeof(info)));
NET_LOCK()do { rw_enter_write(&netlock); } while (0);
info.rti_flags = RTF_GATEWAY0x2 /* maybe | RTF_STATIC */;
info.rti_ifa = ifa_ifwithaddr(sintosa(&ifra.ifra_addrifra_ifrau.ifrau_addr),
   ifp->if_rdomainif_data.ifi_rdomain);
info.rti_info[RTAX_DST0] = sintosa(&default_sin);
info.rti_info[RTAX_NETMASK2] = sintosa(&default_sin);
info.rti_info[RTAX_GATEWAY1] = sintosa(&ifra.ifra_dstaddr);

rv = rtrequest(RTM_ADD0x1, &info, 0, &rt, ifp->if_rdomainif_data.ifi_rdomain);
if (rv) {
printf("%s: unable to set IPv4 default route, "
    "error %d\n", DEVNAM(ifp->if_softc)(((struct umb_softc *)(ifp->if_softc))->sc_dev.dv_xname
), rv);
rtm_miss(RTM_MISS0x7, &info, 0, RTP_NONE0, 0, rv,
    ifp->if_rdomainif_data.ifi_rdomain);
} else {
/* Inform listeners of the new route */
rtm_send(rt, RTM_ADD0x1, rv, ifp->if_rdomainif_data.ifi_rdomain);
rtfree(rt);
}
NET_UNLOCK()do { rw_exit_write(&netlock); } while (0);

if (ifp->if_flags & IFF_DEBUG0x4) {
char str[3][INET_ADDRSTRLEN16];
log(LOG_INFO6, "%s: IPv4 addr %s, mask %s, gateway %s\n",
    DEVNAM(ifp->if_softc)(((struct umb_softc *)(ifp->if_softc))->sc_dev.dv_xname
),
    sockaddr_ntop(sintosa(&ifra.ifra_addrifra_ifrau.ifrau_addr), str[0],
    sizeof(str[0])),
    sockaddr_ntop(sintosa(&ifra.ifra_mask), str[1],
    sizeof(str[1])),
    sockaddr_ntop(sintosa(&ifra.ifra_dstaddr), str[2],
    sizeof(str[2])));
}
return 0;
1886}

1888#ifdef INET61
1889int
1890umb_add_inet6_config(struct umb_softc *sc, struct in6_addr *ip, u_int prefixlen,
  struct in6_addr *gw)
1892{
struct ifnet *ifp = GET_IFP(sc)(&(sc)->sc_if);
struct in6_aliasreq ifra;
struct sockaddr_in6 *sin6, default_sin6;
struct rt_addrinfo info;
struct rtentry *rt;
int	 rv;

memset(&ifra, 0, sizeof (ifra))__builtin_memset((&ifra), (0), (sizeof (ifra)));
sin6 = &ifra.ifra_addrifra_ifrau.ifrau_addr;
sin6->sin6_family = AF_INET624;
sin6->sin6_len = sizeof (*sin6);
memcpy(&sin6->sin6_addr, ip, sizeof (sin6->sin6_addr))__builtin_memcpy((&sin6->sin6_addr), (ip), (sizeof (sin6
->sin6_addr)));

sin6 = &ifra.ifra_dstaddr;
sin6->sin6_family = AF_INET624;
sin6->sin6_len = sizeof (*sin6);
memcpy(&sin6->sin6_addr, gw, sizeof (sin6->sin6_addr))__builtin_memcpy((&sin6->sin6_addr), (gw), (sizeof (sin6
->sin6_addr)));

/* XXX: in6_update_ifa() accepts only 128 bits for P2P interfaces. */
prefixlen = 128;

sin6 = &ifra.ifra_prefixmask;
sin6->sin6_family = AF_INET624;
sin6->sin6_len = sizeof (*sin6);
in6_prefixlen2mask(&sin6->sin6_addr, prefixlen);

ifra.ifra_lifetime.ia6t_vltime = ND6_INFINITE_LIFETIME0xffffffff;
ifra.ifra_lifetime.ia6t_pltime = ND6_INFINITE_LIFETIME0xffffffff;

rv = in6_ioctl(SIOCAIFADDR_IN6((unsigned long)0x80000000 | ((sizeof(struct in6_aliasreq) &
 0x1fff) << 16) | ((('i')) << 8) | ((26))), (caddr_t)&ifra, ifp, 1);
if (rv != 0) {
printf("%s: unable to set IPv6 address, error %d\n",
    DEVNAM(ifp->if_softc)(((struct umb_softc *)(ifp->if_softc))->sc_dev.dv_xname
), rv);
return rv;
}

memset(&default_sin6, 0, sizeof(default_sin6))__builtin_memset((&default_sin6), (0), (sizeof(default_sin6
)));
default_sin6.sin6_family = AF_INET624;
default_sin6.sin6_len = sizeof (default_sin6);

memset(&info, 0, sizeof(info))__builtin_memset((&info), (0), (sizeof(info)));
NET_LOCK()do { rw_enter_write(&netlock); } while (0);
info.rti_flags = RTF_GATEWAY0x2 /* maybe | RTF_STATIC */;
info.rti_ifa = ifa_ifwithaddr(sin6tosa(&ifra.ifra_addrifra_ifrau.ifrau_addr),
   ifp->if_rdomainif_data.ifi_rdomain);
info.rti_info[RTAX_DST0] = sin6tosa(&default_sin6);
info.rti_info[RTAX_NETMASK2] = sin6tosa(&default_sin6);
info.rti_info[RTAX_GATEWAY1] = sin6tosa(&ifra.ifra_dstaddr);

rv = rtrequest(RTM_ADD0x1, &info, 0, &rt, ifp->if_rdomainif_data.ifi_rdomain);
if (rv) {
printf("%s: unable to set IPv6 default route, "
    "error %d\n", DEVNAM(ifp->if_softc)(((struct umb_softc *)(ifp->if_softc))->sc_dev.dv_xname
), rv);
rtm_miss(RTM_MISS0x7, &info, 0, RTP_NONE0, 0, rv,
    ifp->if_rdomainif_data.ifi_rdomain);
} else {
/* Inform listeners of the new route */
rtm_send(rt, RTM_ADD0x1, rv, ifp->if_rdomainif_data.ifi_rdomain);
rtfree(rt);
}
NET_UNLOCK()do { rw_exit_write(&netlock); } while (0);

if (ifp->if_flags & IFF_DEBUG0x4) {
char str[3][INET6_ADDRSTRLEN46];
log(LOG_INFO6, "%s: IPv6 addr %s, mask %s, gateway %s\n",
    DEVNAM(ifp->if_softc)(((struct umb_softc *)(ifp->if_softc))->sc_dev.dv_xname
),
    sockaddr_ntop(sin6tosa(&ifra.ifra_addrifra_ifrau.ifrau_addr), str[0],
    sizeof(str[0])),
    sockaddr_ntop(sin6tosa(&ifra.ifra_prefixmask), str[1],
    sizeof(str[1])),
    sockaddr_ntop(sin6tosa(&ifra.ifra_dstaddr), str[2],
    sizeof(str[2])));
}
return 0;
1967}
1968#endif

1970void
1971umb_send_inet_proposal(struct umb_softc *sc, int af)
1972{
struct ifnet *ifp = GET_IFP(sc)(&(sc)->sc_if);
struct sockaddr_rtdns rtdns;
struct rt_addrinfo info;
int i, flag = 0;
size_t sz = 0;

memset(&rtdns, 0, sizeof(rtdns))__builtin_memset((&rtdns), (0), (sizeof(rtdns)));
memset(&info, 0, sizeof(info))__builtin_memset((&info), (0), (sizeof(info)));

for (i = 0; i < UMB_MAX_DNSSRV2; i++) {
if (af == AF_INET2) {
	sz = sizeof (sc->sc_info.ipv4dns[i]);
	if (sc->sc_info.ipv4dns[i].s_addr == INADDR_ANY((u_int32_t) (__uint32_t)(__builtin_constant_p((u_int32_t)(0x00000000
)) ? (__uint32_t)(((__uint32_t)((u_int32_t)(0x00000000)) &
 0xff) << 24 | ((__uint32_t)((u_int32_t)(0x00000000)) &
 0xff00) << 8 | ((__uint32_t)((u_int32_t)(0x00000000)) &
 0xff0000) >> 8 | ((__uint32_t)((u_int32_t)(0x00000000)
) & 0xff000000) >> 24) : __swap32md((u_int32_t)(0x00000000
)))))
		break;
	memcpy(rtdns.sr_dns + i * sz, &sc->sc_info.ipv4dns[i],__builtin_memcpy((rtdns.sr_dns + i * sz), (&sc->sc_info
.ipv4dns[i]), (sz))
	    sz)__builtin_memcpy((rtdns.sr_dns + i * sz), (&sc->sc_info
.ipv4dns[i]), (sz));
	flag = RTF_UP0x1;
1990#ifdef INET61
} else if (af == AF_INET624) {
	sz = sizeof (sc->sc_info.ipv6dns[i]);
	if (IN6_ARE_ADDR_EQUAL(&sc->sc_info.ipv6dns[i],(__builtin_memcmp((&(&sc->sc_info.ipv6dns[i])->
__u6_addr.__u6_addr8[0]), (&(&in6addr_any)->__u6_addr
.__u6_addr8[0]), (sizeof(struct in6_addr))) == 0)
	    &in6addr_any)(__builtin_memcmp((&(&sc->sc_info.ipv6dns[i])->
__u6_addr.__u6_addr8[0]), (&(&in6addr_any)->__u6_addr
.__u6_addr8[0]), (sizeof(struct in6_addr))) == 0))
		break;
	memcpy(rtdns.sr_dns + i * sz, &sc->sc_info.ipv6dns[i],__builtin_memcpy((rtdns.sr_dns + i * sz), (&sc->sc_info
.ipv6dns[i]), (sz))
	    sz)__builtin_memcpy((rtdns.sr_dns + i * sz), (&sc->sc_info
.ipv6dns[i]), (sz));
	flag = RTF_UP0x1;
1999#endif
}
}
rtdns.sr_family = af;
rtdns.sr_len = 2 + i * sz;
info.rti_info[RTAX_DNS12] = srtdnstosa(&rtdns);

rtm_proposal(ifp, &info, flag, RTP_PROPOSAL_UMB60);
2007}

2009int
2010umb_decode_ip_configuration(struct umb_softc *sc, void *data, int len)
2011{
struct mbim_cid_ip_configuration_info *ic = data;
struct ifnet *ifp = GET_IFP(sc)(&(sc)->sc_if);
int	 s;
uint32_t avail_v4;
uint32_t val;
int	 n, i;
int	 off;
struct mbim_cid_ipv4_element ipv4elem;
struct in_addr addr, gw;
int	 state = -1;
int	 rv;
int	 hasmtu = 0;
2024#ifdef INET61
uint32_t avail_v6;
struct mbim_cid_ipv6_element ipv6elem;
struct in6_addr addr6, gw6;
2028#endif

if (len < sizeof (*ic))
return 0;
if (letoh32(ic->sessionid)((__uint32_t)(ic->sessionid)) != umb_session_id) {
DPRINTF("%s: ignore IP configuration for session id %d\n",do { } while (0)
    DEVNAM(sc), letoh32(ic->sessionid))do { } while (0);
return 0;
}
s = splnet()splraise(0x4);

memset(sc->sc_info.ipv4dns, 0, sizeof (sc->sc_info.ipv4dns))__builtin_memset((sc->sc_info.ipv4dns), (0), (sizeof (sc->
sc_info.ipv4dns)));
memset(sc->sc_info.ipv6dns, 0, sizeof (sc->sc_info.ipv6dns))__builtin_memset((sc->sc_info.ipv6dns), (0), (sizeof (sc->
sc_info.ipv6dns)));

/*
* IPv4 configuration
*/
avail_v4 = letoh32(ic->ipv4_available)((__uint32_t)(ic->ipv4_available));
if ((avail_v4 & (MBIM_IPCONF_HAS_ADDRINFO0x0001 | MBIM_IPCONF_HAS_GWINFO0x0002)) ==
   (MBIM_IPCONF_HAS_ADDRINFO0x0001 | MBIM_IPCONF_HAS_GWINFO0x0002)) {
n = letoh32(ic->ipv4_naddr)((__uint32_t)(ic->ipv4_naddr));
off = letoh32(ic->ipv4_addroffs)((__uint32_t)(ic->ipv4_addroffs));

if (n == 0 || off + sizeof (ipv4elem) > len)
	goto tryv6;
if (n != 1 && ifp->if_flags & IFF_DEBUG0x4)
	log(LOG_INFO6, "%s: more than one IPv4 addr: %d\n",
	    DEVNAM(ifp->if_softc)(((struct umb_softc *)(ifp->if_softc))->sc_dev.dv_xname
), n);

/* Only pick the first one */
memcpy(&ipv4elem, data + off, sizeof (ipv4elem))__builtin_memcpy((&ipv4elem), (data + off), (sizeof (ipv4elem
)));
ipv4elem.prefixlen = letoh32(ipv4elem.prefixlen)((__uint32_t)(ipv4elem.prefixlen));
addr.s_addr = ipv4elem.addr;

off = letoh32(ic->ipv4_gwoffs)((__uint32_t)(ic->ipv4_gwoffs));
if (off + sizeof (gw) > len)
	goto done;
memcpy(&gw, data + off, sizeof(gw))__builtin_memcpy((&gw), (data + off), (sizeof(gw)));

rv = umb_add_inet_config(sc, addr, ipv4elem.prefixlen, gw);
if (rv == 0) 
	state = UMB_S_UP;

}

memset(sc->sc_info.ipv4dns, 0, sizeof (sc->sc_info.ipv4dns))__builtin_memset((sc->sc_info.ipv4dns), (0), (sizeof (sc->
sc_info.ipv4dns)));
if (avail_v4 & MBIM_IPCONF_HAS_DNSINFO0x0004) {
n = letoh32(ic->ipv4_ndnssrv)((__uint32_t)(ic->ipv4_ndnssrv));
off = letoh32(ic->ipv4_dnssrvoffs)((__uint32_t)(ic->ipv4_dnssrvoffs));
i = 0;
while (n-- > 0) {
	if (off + sizeof (addr) > len)
		break;
	memcpy(&addr, data + off, sizeof(addr))__builtin_memcpy((&addr), (data + off), (sizeof(addr)));
	if (i < UMB_MAX_DNSSRV2)
		sc->sc_info.ipv4dns[i++] = addr;
	off += sizeof(addr);
	if (ifp->if_flags & IFF_DEBUG0x4) {
		char str[INET_ADDRSTRLEN16];
		log(LOG_INFO6, "%s: IPv4 nameserver %s\n",
		    DEVNAM(ifp->if_softc)(((struct umb_softc *)(ifp->if_softc))->sc_dev.dv_xname
), inet_ntop(AF_INET2,
		    &addr, str, sizeof(str)));
	}
}
umb_send_inet_proposal(sc, AF_INET2);
}
if ((avail_v4 & MBIM_IPCONF_HAS_MTUINFO0x0008)) {
val = letoh32(ic->ipv4_mtu)((__uint32_t)(ic->ipv4_mtu));
if (ifp->if_hardmtu != val && val <= sc->sc_maxpktlen) {
	hasmtu = 1;
	ifp->if_hardmtu = val;
	if (ifp->if_mtuif_data.ifi_mtu > val)
		ifp->if_mtuif_data.ifi_mtu = val;
}
}

2104tryv6:;
2105#ifdef INET61
/*
* IPv6 configuration
*/
avail_v6 = letoh32(ic->ipv6_available)((__uint32_t)(ic->ipv6_available));
if (avail_v6 == 0) {
if (ifp->if_flags & IFF_DEBUG0x4)
	log(LOG_INFO6, "%s: ISP or WWAN module offers no IPv6 "
	    "support\n", DEVNAM(ifp->if_softc)(((struct umb_softc *)(ifp->if_softc))->sc_dev.dv_xname
));
goto done;
}

if ((avail_v6 & (MBIM_IPCONF_HAS_ADDRINFO0x0001 | MBIM_IPCONF_HAS_GWINFO0x0002)) ==
   (MBIM_IPCONF_HAS_ADDRINFO0x0001 | MBIM_IPCONF_HAS_GWINFO0x0002)) {
n = letoh32(ic->ipv6_naddr)((__uint32_t)(ic->ipv6_naddr));
off = letoh32(ic->ipv6_addroffs)((__uint32_t)(ic->ipv6_addroffs));

if (n == 0 || off + sizeof (ipv6elem) > len)
	goto done;
if (n != 1 && ifp->if_flags & IFF_DEBUG0x4)
	log(LOG_INFO6, "%s: more than one IPv6 addr: %d\n",
	    DEVNAM(ifp->if_softc)(((struct umb_softc *)(ifp->if_softc))->sc_dev.dv_xname
), n);

/* Only pick the first one */
memcpy(&ipv6elem, data + off, sizeof (ipv6elem))__builtin_memcpy((&ipv6elem), (data + off), (sizeof (ipv6elem
)));
memcpy(&addr6, ipv6elem.addr, sizeof (addr6))__builtin_memcpy((&addr6), (ipv6elem.addr), (sizeof (addr6
)));

off = letoh32(ic->ipv6_gwoffs)((__uint32_t)(ic->ipv6_gwoffs));
if (off + sizeof (gw6) > len)
	goto done;
memcpy(&gw6, data + off, sizeof (gw6))__builtin_memcpy((&gw6), (data + off), (sizeof (gw6)));

rv = umb_add_inet6_config(sc, &addr6, ipv6elem.prefixlen, &gw6);
if (rv == 0)
	state = UMB_S_UP;
}

if (avail_v6 & MBIM_IPCONF_HAS_DNSINFO0x0004) {
n = letoh32(ic->ipv6_ndnssrv)((__uint32_t)(ic->ipv6_ndnssrv));
off = letoh32(ic->ipv6_dnssrvoffs)((__uint32_t)(ic->ipv6_dnssrvoffs));
i = 0;
while (n-- > 0) {
	if (off + sizeof (addr6) > len)
		break;
	memcpy(&addr6, data + off, sizeof(addr6))__builtin_memcpy((&addr6), (data + off), (sizeof(addr6)));
	if (i < UMB_MAX_DNSSRV2)
		sc->sc_info.ipv6dns[i++] = addr6;
	off += sizeof(addr6);
	if (ifp->if_flags & IFF_DEBUG0x4) {
		char str[INET6_ADDRSTRLEN46];
		log(LOG_INFO6, "%s: IPv6 nameserver %s\n",
		    DEVNAM(ifp->if_softc)(((struct umb_softc *)(ifp->if_softc))->sc_dev.dv_xname
), inet_ntop(AF_INET624,
		    &addr6, str, sizeof(str)));
	}
}
umb_send_inet_proposal(sc, AF_INET624);
}

if ((avail_v6 & MBIM_IPCONF_HAS_MTUINFO0x0008)) {
val = letoh32(ic->ipv6_mtu)((__uint32_t)(ic->ipv6_mtu));
if (ifp->if_hardmtu != val && val <= sc->sc_maxpktlen) {
	hasmtu = 1;
	ifp->if_hardmtu = val;
	if (ifp->if_mtuif_data.ifi_mtu > val)
		ifp->if_mtuif_data.ifi_mtu = val;
}
}
2172#endif

2174done:
if (hasmtu && (ifp->if_flags & IFF_DEBUG0x4))
log(LOG_INFO6, "%s: MTU %d\n", DEVNAM(sc)(((struct umb_softc *)(sc))->sc_dev.dv_xname), ifp->if_hardmtu);

if (state != -1)
umb_newstate(sc, state, 0);

splx(s)spllower(s);
return 1;
2183}

2185void
2186umb_rx(struct umb_softc *sc)
2187{
usbd_setup_xfer(sc->sc_rx_xfer, sc->sc_rx_pipe, sc, sc->sc_rx_buf,
   sc->sc_rx_bufsz, USBD_SHORT_XFER_OK0x04 | USBD_NO_COPY0x01,
   USBD_NO_TIMEOUT0, umb_rxeof);
usbd_transfer(sc->sc_rx_xfer);
2192}

2194void
2195umb_rxeof(struct usbd_xfer *xfer, void *priv, usbd_status status)
2196{
struct umb_softc *sc = priv;
struct ifnet *ifp = GET_IFP(sc)(&(sc)->sc_if);

if (usbd_is_dying(sc->sc_udev) || !(ifp->if_flags & IFF_RUNNING0x40))
return;

if (status != USBD_NORMAL_COMPLETION) {
if (status == USBD_NOT_STARTED || status == USBD_CANCELLED)
	return;
DPRINTF("%s: rx error: %s\n", DEVNAM(sc), usbd_errstr(status))do { } while (0);
if (status == USBD_STALLED)
	usbd_clear_endpoint_stall_async(sc->sc_rx_pipe);
if (++sc->sc_rx_nerr > 100) {
	log(LOG_ERR3, "%s: too many rx errors, disabling\n",
	    DEVNAM(sc)(((struct umb_softc *)(sc))->sc_dev.dv_xname));
	usbd_deactivate(sc->sc_udev);
}
} else {
sc->sc_rx_nerr = 0;
umb_decap(sc, xfer);
}

umb_rx(sc);
return;
2221}

2223int
2224umb_encap(struct umb_softc *sc, int ndgram)
2225{
struct ncm_header16 *hdr16 = NULL((void *)0);
struct ncm_header32 *hdr32 = NULL((void *)0);
struct ncm_pointer16 *ptr16 = NULL((void *)0);
struct ncm_pointer32 *ptr32 = NULL((void *)0);
struct ncm_pointer16_dgram *dgram16 = NULL((void *)0);
struct ncm_pointer32_dgram *dgram32 = NULL((void *)0);
28
←
'dgram32' initialized to a null pointer value→
int	 offs = 0, plen = 0;
int	 dgoffs = 0, poffs;
struct mbuf *m;
usbd_status  err;

/* All size constraints have been validated by the caller! */

/* NCM Header */
switch (sc->sc_ncm_format) {
29
←
'Default' branch taken. Execution continues on line 2258→
case NCM_FORMAT_NTB160x00:
hdr16 = sc->sc_tx_buf;
USETDW(hdr16->dwSignature, NCM_HDR16_SIG)(*(u_int32_t *)(hdr16->dwSignature) = (0x484d434e));
USETW(hdr16->wHeaderLength, sizeof (*hdr16))(*(u_int16_t *)(hdr16->wHeaderLength) = (sizeof (*hdr16)));
USETW(hdr16->wSequence, sc->sc_tx_seq)(*(u_int16_t *)(hdr16->wSequence) = (sc->sc_tx_seq));
USETW(hdr16->wBlockLength, 0)(*(u_int16_t *)(hdr16->wBlockLength) = (0));
offs = sizeof (*hdr16);
break;
case NCM_FORMAT_NTB320x01:
hdr32 = sc->sc_tx_buf;
USETDW(hdr32->dwSignature, NCM_HDR32_SIG)(*(u_int32_t *)(hdr32->dwSignature) = (0x686d636e));
USETW(hdr32->wHeaderLength, sizeof (*hdr32))(*(u_int16_t *)(hdr32->wHeaderLength) = (sizeof (*hdr32)));
USETW(hdr32->wSequence, sc->sc_tx_seq)(*(u_int16_t *)(hdr32->wSequence) = (sc->sc_tx_seq));
USETDW(hdr32->dwBlockLength, 0)(*(u_int32_t *)(hdr32->dwBlockLength) = (0));
offs = sizeof (*hdr32);
break;
}
offs += umb_padding(sc->sc_tx_buf, sc->sc_tx_bufsz, offs,
   sc->sc_align, 0);

if (sc->sc_flags & UMBFLG_NDP_AT_END0x0004) {
30
←
Assuming the condition is false→
31
←
Taking false branch→
dgoffs = offs;

/*
 * Calculate space needed for datagrams.
 *
 * XXX cannot use ml_len(&sc->sc_tx_ml), since it ignores
 *	the padding requirements.
 */
poffs = dgoffs;
MBUF_LIST_FOREACH(&sc->sc_tx_ml, m)for ((m) = ((&sc->sc_tx_ml)->ml_head); (m) != ((void
 *)0); (m) = ((m)->m_hdr.mh_nextpkt)) {
	poffs += umb_padding(sc->sc_tx_buf, sc->sc_tx_bufsz,
	    poffs, sc->sc_ndp_div, sc->sc_ndp_remainder);
	poffs += m->m_pkthdrM_dat.MH.MH_pkthdr.len;
}
poffs += umb_padding(sc->sc_tx_buf, sc->sc_tx_bufsz,
    poffs, sc->sc_ndp_div, sc->sc_ndp_remainder);
} else
poffs = offs;

/* NCM Pointer */
switch (sc->sc_ncm_format) {
case NCM_FORMAT_NTB160x00:
USETW(hdr16->wNdpIndex, poffs)(*(u_int16_t *)(hdr16->wNdpIndex) = (poffs));
ptr16 = (struct ncm_pointer16 *)(sc->sc_tx_buf + poffs);
plen = sizeof(*ptr16) + ndgram * sizeof(*dgram16);
USETDW(ptr16->dwSignature, MBIM_NCM_NTH16_SIG(umb_session_id))(*(u_int32_t *)(ptr16->dwSignature) = (((((umb_session_id)
 & 0xff) << 24) | 0x00535049)));
USETW(ptr16->wLength, plen)(*(u_int16_t *)(ptr16->wLength) = (plen));
USETW(ptr16->wNextNdpIndex, 0)(*(u_int16_t *)(ptr16->wNextNdpIndex) = (0));
dgram16 = ptr16->dgram;
break;
case NCM_FORMAT_NTB320x01:
USETDW(hdr32->dwNdpIndex, poffs)(*(u_int32_t *)(hdr32->dwNdpIndex) = (poffs));
ptr32 = (struct ncm_pointer32 *)(sc->sc_tx_buf + poffs);
plen = sizeof(*ptr32) + ndgram * sizeof(*dgram32);
USETDW(ptr32->dwSignature, MBIM_NCM_NTH32_SIG(umb_session_id))(*(u_int32_t *)(ptr32->dwSignature) = (((((umb_session_id)
 & 0xff) << 24) | 0x00737069)));
USETW(ptr32->wLength, plen)(*(u_int16_t *)(ptr32->wLength) = (plen));
USETW(ptr32->wReserved6, 0)(*(u_int16_t *)(ptr32->wReserved6) = (0));
USETDW(ptr32->dwNextNdpIndex, 0)(*(u_int32_t *)(ptr32->dwNextNdpIndex) = (0));
USETDW(ptr32->dwReserved12, 0)(*(u_int32_t *)(ptr32->dwReserved12) = (0));
dgram32 = ptr32->dgram;
break;
}

if (!(sc->sc_flags & UMBFLG_NDP_AT_END0x0004))
32
←
Taking true branch→
dgoffs = offs + plen;

/* Encap mbufs to NCM dgrams */
sc->sc_tx_seq++;
while ((m = ml_dequeue(&sc->sc_tx_ml)) != NULL((void *)0)) {
33
←
Assuming the condition is false→
34
←
Loop condition is false. Execution continues on line 2330→
dgoffs += umb_padding(sc->sc_tx_buf, sc->sc_tx_bufsz, dgoffs,
    sc->sc_ndp_div, sc->sc_ndp_remainder);
switch (sc->sc_ncm_format) {
case NCM_FORMAT_NTB160x00:
	USETW(dgram16->wDatagramIndex, dgoffs)(*(u_int16_t *)(dgram16->wDatagramIndex) = (dgoffs));
	USETW(dgram16->wDatagramLen, m->m_pkthdr.len)(*(u_int16_t *)(dgram16->wDatagramLen) = (m->M_dat.MH.MH_pkthdr
.len));
	dgram16++;
	break;
case NCM_FORMAT_NTB320x01:
	USETDW(dgram32->dwDatagramIndex, dgoffs)(*(u_int32_t *)(dgram32->dwDatagramIndex) = (dgoffs));
	USETDW(dgram32->dwDatagramLen, m->m_pkthdr.len)(*(u_int32_t *)(dgram32->dwDatagramLen) = (m->M_dat.MH.
MH_pkthdr.len));
	dgram32++;
	break;
}
m_copydata(m, 0, m->m_pkthdrM_dat.MH.MH_pkthdr.len, sc->sc_tx_buf + dgoffs);
dgoffs += m->m_pkthdrM_dat.MH.MH_pkthdr.len;
m_freem(m);
}

if (sc->sc_flags & UMBFLG_NDP_AT_END0x0004)
35
←
Assuming the condition is false→
36
←
Taking false branch→
offs = poffs + plen;
else
offs = dgoffs;

/* Terminating pointer and datagram size */
switch (sc->sc_ncm_format) {
37
←
Control jumps to 'case 1:'  at line 2343→
case NCM_FORMAT_NTB160x00:
USETW(dgram16->wDatagramIndex, 0)(*(u_int16_t *)(dgram16->wDatagramIndex) = (0));
USETW(dgram16->wDatagramLen, 0)(*(u_int16_t *)(dgram16->wDatagramLen) = (0));
USETW(hdr16->wBlockLength, offs)(*(u_int16_t *)(hdr16->wBlockLength) = (offs));
KASSERT(dgram16 - ptr16->dgram == ndgram)((dgram16 - ptr16->dgram == ndgram) ? (void)0 : __assert("diagnostic "
, "/usr/src/sys/dev/usb/if_umb.c", 2341, "dgram16 - ptr16->dgram == ndgram"
));
break;
case NCM_FORMAT_NTB320x01:
USETDW(dgram32->dwDatagramIndex, 0)(*(u_int32_t *)(dgram32->dwDatagramIndex) = (0));
38
←
Dereference of null pointer
USETDW(dgram32->dwDatagramLen, 0)(*(u_int32_t *)(dgram32->dwDatagramLen) = (0));
USETDW(hdr32->dwBlockLength, offs)(*(u_int32_t *)(hdr32->dwBlockLength) = (offs));
KASSERT(dgram32 - ptr32->dgram == ndgram)((dgram32 - ptr32->dgram == ndgram) ? (void)0 : __assert("diagnostic "
, "/usr/src/sys/dev/usb/if_umb.c", 2347, "dgram32 - ptr32->dgram == ndgram"
));
break;
}

DPRINTFN(3, "%s: encap %d bytes\n", DEVNAM(sc), offs)do { } while (0);
DDUMPN(5, sc->sc_tx_buf, offs)do { } while (0);
KASSERT(offs <= sc->sc_tx_bufsz)((offs <= sc->sc_tx_bufsz) ? (void)0 : __assert("diagnostic "
, "/usr/src/sys/dev/usb/if_umb.c", 2353, "offs <= sc->sc_tx_bufsz"
));

usbd_setup_xfer(sc->sc_tx_xfer, sc->sc_tx_pipe, sc, sc->sc_tx_buf, offs,
   USBD_FORCE_SHORT_XFER0x08 | USBD_NO_COPY0x01, umb_xfer_tout, umb_txeof);
err = usbd_transfer(sc->sc_tx_xfer);
if (err != USBD_IN_PROGRESS) {
DPRINTF("%s: start tx error: %s\n", DEVNAM(sc),do { } while (0)
    usbd_errstr(err))do { } while (0);
ml_purge(&sc->sc_tx_ml);
return 0;
}
return 1;
2365}

2367void
2368umb_txeof(struct usbd_xfer *xfer, void *priv, usbd_status status)
2369{
struct umb_softc *sc = priv;
struct ifnet *ifp = GET_IFP(sc)(&(sc)->sc_if);
int	 s;

s = splnet()splraise(0x4);
ml_purge(&sc->sc_tx_ml);
ifq_clr_oactive(&ifp->if_snd);
ifp->if_timer = 0;

if (status != USBD_NORMAL_COMPLETION) {
1
Assuming 'status' is equal to USBD_NORMAL_COMPLETION→
2
←
Taking false branch→
if (status != USBD_NOT_STARTED && status != USBD_CANCELLED) {
	ifp->if_oerrorsif_data.ifi_oerrors++;
	DPRINTF("%s: tx error: %s\n", DEVNAM(sc),do { } while (0)
	    usbd_errstr(status))do { } while (0);
	if (status == USBD_STALLED)
		usbd_clear_endpoint_stall_async(sc->sc_tx_pipe);
}
}
if (ifq_empty(&ifp->if_snd)(({ typeof((&ifp->if_snd)->ifq_len) __tmp = *(volatile
 typeof((&ifp->if_snd)->ifq_len) *)&((&ifp->
if_snd)->ifq_len); membar_datadep_consumer(); __tmp; }) ==
 0) == 0)
3
←
Assuming the condition is false→
4
←
Taking true branch→
umb_start(ifp);
5
←
Calling 'umb_start'→

splx(s)spllower(s);
2392}

2394void
2395umb_decap(struct umb_softc *sc, struct usbd_xfer *xfer)
2396{
struct ifnet *ifp = GET_IFP(sc)(&(sc)->sc_if);
int	 s;
void	*buf;
uint32_t len;
char	*dp;
struct ncm_header16 *hdr16;
struct ncm_header32 *hdr32;
struct ncm_pointer16 *ptr16;
struct ncm_pointer16_dgram *dgram16;
struct ncm_pointer32_dgram *dgram32;
uint32_t hsig, psig;
int	 blen;
int	 ptrlen, ptroff, dgentryoff;
uint32_t doff, dlen;
struct mbuf_list ml = MBUF_LIST_INITIALIZER(){ ((void *)0), ((void *)0), 0 };
struct mbuf *m;

usbd_get_xfer_status(xfer, NULL((void *)0), &buf, &len, NULL((void *)0));
DPRINTFN(4, "%s: recv %d bytes\n", DEVNAM(sc), len)do { } while (0);
DDUMPN(5, buf, len)do { } while (0);
s = splnet()splraise(0x4);
if (len < sizeof (*hdr16))
goto toosmall;

hdr16 = (struct ncm_header16 *)buf;
hsig = UGETDW(hdr16->dwSignature)(*(u_int32_t *)(hdr16->dwSignature));

switch (hsig) {
case NCM_HDR16_SIG0x484d434e:
blen = UGETW(hdr16->wBlockLength)(*(u_int16_t *)(hdr16->wBlockLength));
ptroff = UGETW(hdr16->wNdpIndex)(*(u_int16_t *)(hdr16->wNdpIndex));
if (UGETW(hdr16->wHeaderLength)(*(u_int16_t *)(hdr16->wHeaderLength)) != sizeof (*hdr16)) {
	DPRINTF("%s: bad header len %d for NTH16 (exp %zu)\n",do { } while (0)
	    DEVNAM(sc), UGETW(hdr16->wHeaderLength),do { } while (0)
	    sizeof (*hdr16))do { } while (0);
	goto fail;
}
break;
case NCM_HDR32_SIG0x686d636e:
if (len < sizeof (*hdr32))
	goto toosmall;
hdr32 = (struct ncm_header32 *)hdr16;
blen = UGETDW(hdr32->dwBlockLength)(*(u_int32_t *)(hdr32->dwBlockLength));
ptroff = UGETDW(hdr32->dwNdpIndex)(*(u_int32_t *)(hdr32->dwNdpIndex));
if (UGETW(hdr32->wHeaderLength)(*(u_int16_t *)(hdr32->wHeaderLength)) != sizeof (*hdr32)) {
	DPRINTF("%s: bad header len %d for NTH32 (exp %zu)\n",do { } while (0)
	    DEVNAM(sc), UGETW(hdr32->wHeaderLength),do { } while (0)
	    sizeof (*hdr32))do { } while (0);
	goto fail;
}
break;
default:
DPRINTF("%s: unsupported NCM header signature (0x%08x)\n",do { } while (0)
    DEVNAM(sc), hsig)do { } while (0);
goto fail;
}
if (blen != 0 && len < blen) {
DPRINTF("%s: bad NTB len (%d) for %d bytes of data\n",do { } while (0)
    DEVNAM(sc), blen, len)do { } while (0);
goto fail;
}

ptr16 = (struct ncm_pointer16 *)(buf + ptroff);
psig = UGETDW(ptr16->dwSignature)(*(u_int32_t *)(ptr16->dwSignature));
ptrlen = UGETW(ptr16->wLength)(*(u_int16_t *)(ptr16->wLength));
if (len < ptrlen + ptroff)
goto toosmall;
if (!MBIM_NCM_NTH16_ISISG(psig)(((psig) & 0x00ffffff) == 0x00535049) && !MBIM_NCM_NTH32_ISISG(psig)(((psig) & 0x00ffffff) == 0x00737069)) {
DPRINTF("%s: unsupported NCM pointer signature (0x%08x)\n",do { } while (0)
    DEVNAM(sc), psig)do { } while (0);
goto fail;
}

switch (hsig) {
case NCM_HDR16_SIG0x484d434e:
dgentryoff = offsetof(struct ncm_pointer16, dgram)__builtin_offsetof(struct ncm_pointer16, dgram);
break;
case NCM_HDR32_SIG0x686d636e:
dgentryoff = offsetof(struct ncm_pointer32, dgram)__builtin_offsetof(struct ncm_pointer32, dgram);
break;
default:
goto fail;
}

while (dgentryoff < ptrlen) {
switch (hsig) {
case NCM_HDR16_SIG0x484d434e:
	if (ptroff + dgentryoff < sizeof (*dgram16))
		goto done;
	dgram16 = (struct ncm_pointer16_dgram *)
	    (buf + ptroff + dgentryoff);
	dgentryoff += sizeof (*dgram16);
	dlen = UGETW(dgram16->wDatagramLen)(*(u_int16_t *)(dgram16->wDatagramLen));
	doff = UGETW(dgram16->wDatagramIndex)(*(u_int16_t *)(dgram16->wDatagramIndex));
	break;
case NCM_HDR32_SIG0x686d636e:
	if (ptroff + dgentryoff < sizeof (*dgram32))
		goto done;
	dgram32 = (struct ncm_pointer32_dgram *)
	    (buf + ptroff + dgentryoff);
	dgentryoff += sizeof (*dgram32);
	dlen = UGETDW(dgram32->dwDatagramLen)(*(u_int32_t *)(dgram32->dwDatagramLen));
	doff = UGETDW(dgram32->dwDatagramIndex)(*(u_int32_t *)(dgram32->dwDatagramIndex));
	break;
default:
	ifp->if_ierrorsif_data.ifi_ierrors++;
	goto done;
}

/* Terminating zero entry */
if (dlen == 0 || doff == 0)
	break;
if (len < dlen + doff) {
	/* Skip giant datagram but continue processing */
	DPRINTF("%s: datagram too large (%d @ off %d)\n",do { } while (0)
	    DEVNAM(sc), dlen, doff)do { } while (0);
	continue;
}

dp = buf + doff;
DPRINTFN(3, "%s: decap %d bytes\n", DEVNAM(sc), dlen)do { } while (0);
m = m_devget(dp, dlen, sizeof(uint32_t));
if (m == NULL((void *)0)) {
	ifp->if_iqdropsif_data.ifi_iqdrops++;
	continue;
}
switch (*dp & 0xf0) {
case 4 << 4:
	m->m_pkthdrM_dat.MH.MH_pkthdr.ph_family = AF_INET2;
	break;
case 6 << 4:
	m->m_pkthdrM_dat.MH.MH_pkthdr.ph_family = AF_INET624;
	break;
}
ml_enqueue(&ml, m);
}
2533done:
if_input(ifp, &ml);
splx(s)spllower(s);
return;
2537toosmall:
DPRINTF("%s: packet too small (%d)\n", DEVNAM(sc), len)do { } while (0);
2539fail:
ifp->if_ierrorsif_data.ifi_ierrors++;
splx(s)spllower(s);
2542}

2544usbd_status
2545umb_send_encap_command(struct umb_softc *sc, void *data, int len)
2546{
struct usbd_xfer *xfer;
usb_device_request_t req;
char *buf;

if (len > sc->sc_ctrl_len)
return USBD_INVAL;

if ((xfer = usbd_alloc_xfer(sc->sc_udev)) == NULL((void *)0))
return USBD_NOMEM;
if ((buf = usbd_alloc_buffer(xfer, len)) == NULL((void *)0)) {
usbd_free_xfer(xfer);
return USBD_NOMEM;
}
memcpy(buf, data, len)__builtin_memcpy((buf), (data), (len));

/* XXX FIXME: if (total len > sc->sc_ctrl_len) => must fragment */
req.bmRequestType = UT_WRITE_CLASS_INTERFACE(0x00 | 0x20 | 0x01);
req.bRequest = UCDC_SEND_ENCAPSULATED_COMMAND0x00;
USETW(req.wValue, 0)(*(u_int16_t *)(req.wValue) = (0));
USETW(req.wIndex, sc->sc_ctrl_ifaceno)(*(u_int16_t *)(req.wIndex) = (sc->sc_ctrl_ifaceno));
USETW(req.wLength, len)(*(u_int16_t *)(req.wLength) = (len));
DELAY(umb_delay)(*delay_func)(umb_delay);
return usbd_request_async(xfer, &req, NULL((void *)0), NULL((void *)0));
2570}

2572int
2573umb_get_encap_response(struct umb_softc *sc, void *buf, int *len)
2574{
usb_device_request_t req;
usbd_status err;

req.bmRequestType = UT_READ_CLASS_INTERFACE(0x80 | 0x20 | 0x01);
req.bRequest = UCDC_GET_ENCAPSULATED_RESPONSE0x01;
USETW(req.wValue, 0)(*(u_int16_t *)(req.wValue) = (0));
USETW(req.wIndex, sc->sc_ctrl_ifaceno)(*(u_int16_t *)(req.wIndex) = (sc->sc_ctrl_ifaceno));
USETW(req.wLength, *len)(*(u_int16_t *)(req.wLength) = (*len));
/* XXX FIXME: re-assemble fragments */

DELAY(umb_delay)(*delay_func)(umb_delay);
err = usbd_do_request_flags(sc->sc_udev, &req, buf, USBD_SHORT_XFER_OK0x04,
   len, umb_xfer_tout);
if (err == USBD_NORMAL_COMPLETION)
return 1;
DPRINTF("%s: ctrl recv: %s\n", DEVNAM(sc), usbd_errstr(err))do { } while (0);
return 0;
2592}

2594void
2595umb_ctrl_msg(struct umb_softc *sc, uint32_t req, void *data, int len)
2596{
struct ifnet *ifp = GET_IFP(sc)(&(sc)->sc_if);
uint32_t tid;
struct mbim_msghdr *hdr = data;
usbd_status err;
int	 s;

assertwaitok();
if (usbd_is_dying(sc->sc_udev))
return;
if (len < sizeof (*hdr))
return;
tid = ++sc->sc_tid;

hdr->type = htole32(req)((__uint32_t)(req));
hdr->len = htole32(len)((__uint32_t)(len));
hdr->tid = htole32(tid)((__uint32_t)(tid));

2614#ifdef UMB_DEBUG
if (umb_debug) {
const char *op, *str;
if (req == MBIM_COMMAND_MSG3U) {
	struct mbim_h2f_cmd *c = data;
	if (letoh32(c->op)((__uint32_t)(c->op)) == MBIM_CMDOP_SET1)
		op = "set";
	else
		op = "qry";
	str = umb_cid2str(letoh32(c->cid))umb_val2descr(umb_cids, (((__uint32_t)(c->cid))));
} else {
	op = "snd";
	str = umb_request2str(req)umb_val2descr(umb_messages, (req));
}
DPRINTF("%s: -> %s %s (tid %u)\n", DEVNAM(sc), op, str, tid)do { } while (0);
}
2630#endif
s = splusb()splraise(0x2);
err = umb_send_encap_command(sc, data, len);
splx(s)spllower(s);
if (err != USBD_NORMAL_COMPLETION) {
if (ifp->if_flags & IFF_DEBUG0x4)
	log(LOG_ERR3, "%s: send %s msg (tid %u) failed: %s\n",
	    DEVNAM(sc)(((struct umb_softc *)(sc))->sc_dev.dv_xname), umb_request2str(req)umb_val2descr(umb_messages, (req)), tid,
	    usbd_errstr(err));

/* will affect other transactions, too */
usbd_abort_pipe(sc->sc_udev->default_pipe);
} else {
DPRINTFN(2, "%s: sent %s (tid %u)\n", DEVNAM(sc),do { } while (0)
    umb_request2str(req), tid)do { } while (0);
DDUMPN(3, data, len)do { } while (0);
}
return;
2648}

2650void
2651umb_open(struct umb_softc *sc)
2652{
struct mbim_h2f_openmsg msg;

memset(&msg, 0, sizeof (msg))__builtin_memset((&msg), (0), (sizeof (msg)));
msg.maxlen = htole32(sc->sc_ctrl_len)((__uint32_t)(sc->sc_ctrl_len));
umb_ctrl_msg(sc, MBIM_OPEN_MSG1U, &msg, sizeof (msg));
return;
2659}

2661void
2662umb_close(struct umb_softc *sc)
2663{
struct mbim_h2f_closemsg msg;

memset(&msg, 0, sizeof (msg))__builtin_memset((&msg), (0), (sizeof (msg)));
umb_ctrl_msg(sc, MBIM_CLOSE_MSG2U, &msg, sizeof (msg));
2668}

2670int
2671umb_setpin(struct umb_softc *sc, int op, int is_puk, void *pin, int pinlen,
  void *newpin, int newpinlen)
2673{
struct mbim_cid_pin cp;
int	 off;

if (pinlen == 0)
return 0;
if (pinlen < 0 || pinlen > MBIM_PIN_MAXLEN32 ||
   newpinlen < 0 || newpinlen > MBIM_PIN_MAXLEN32 ||
   op < 0 || op > MBIM_PIN_OP_CHANGE3 ||
   (is_puk && op != MBIM_PIN_OP_ENTER0))
return EINVAL22;

memset(&cp, 0, sizeof (cp))__builtin_memset((&cp), (0), (sizeof (cp)));
cp.type = htole32(is_puk ? MBIM_PIN_TYPE_PUK1 : MBIM_PIN_TYPE_PIN1)((__uint32_t)(is_puk ? 11 : 2));

off = offsetof(struct mbim_cid_pin, data)__builtin_offsetof(struct mbim_cid_pin, data);
if (!umb_addstr(&cp, sizeof (cp), &off, pin, pinlen,
   &cp.pin_offs, &cp.pin_size))
return EINVAL22;

cp.op  = htole32(op)((__uint32_t)(op));
if (newpinlen) {
if (!umb_addstr(&cp, sizeof (cp), &off, newpin, newpinlen,
    &cp.newpin_offs, &cp.newpin_size))
	return EINVAL22;
} else {
if ((op == MBIM_PIN_OP_CHANGE3) || is_puk)
	return EINVAL22;
if (!umb_addstr(&cp, sizeof (cp), &off, NULL((void *)0), 0,
    &cp.newpin_offs, &cp.newpin_size))
	return EINVAL22;
}
umb_cmd(sc, MBIM_CID_PIN4, MBIM_CMDOP_SET1, &cp, off);
return 0;
2707}

2709void
2710umb_setdataclass(struct umb_softc *sc)
2711{
struct mbim_cid_registration_state rs;
uint32_t	 classes;

if (sc->sc_info.supportedclasses == MBIM_DATACLASS_NONE0x00000000)
return;

memset(&rs, 0, sizeof (rs))__builtin_memset((&rs), (0), (sizeof (rs)));
rs.regaction = htole32(MBIM_REGACTION_AUTOMATIC)((__uint32_t)(0));
classes = sc->sc_info.supportedclasses;
if (sc->sc_info.preferredclasses != MBIM_DATACLASS_NONE0x00000000)
classes &= sc->sc_info.preferredclasses;
rs.data_class = htole32(classes)((__uint32_t)(classes));
umb_cmd(sc, MBIM_CID_REGISTER_STATE9, MBIM_CMDOP_SET1, &rs, sizeof (rs));
2725}

2727void
2728umb_radio(struct umb_softc *sc, int on)
2729{
struct mbim_cid_radio_state s;

DPRINTF("%s: set radio %s\n", DEVNAM(sc), on ? "on" : "off")do { } while (0);
memset(&s, 0, sizeof (s))__builtin_memset((&s), (0), (sizeof (s)));
s.state = htole32(on ? MBIM_RADIO_STATE_ON : MBIM_RADIO_STATE_OFF)((__uint32_t)(on ? 1 : 0));
umb_cmd(sc, MBIM_CID_RADIO_STATE3, MBIM_CMDOP_SET1, &s, sizeof (s));
2736}

2738void
2739umb_allocate_cid(struct umb_softc *sc)
2740{
umb_cmd1(sc, MBIM_CID_DEVICE_CAPS1, MBIM_CMDOP_SET1,
   umb_qmi_alloc_cid, sizeof (umb_qmi_alloc_cid), umb_uuid_qmi_mbim);
2743}

2745void
2746umb_send_fcc_auth(struct umb_softc *sc)
2747{
uint8_t	 fccauth[sizeof (umb_qmi_fcc_auth)];

if (sc->sc_cid == -1) {
DPRINTF("%s: missing CID, cannot send FCC auth\n", DEVNAM(sc))do { } while (0);
umb_allocate_cid(sc);
return;
}
memcpy(fccauth, umb_qmi_fcc_auth, sizeof (fccauth))__builtin_memcpy((fccauth), (umb_qmi_fcc_auth), (sizeof (fccauth
)));
fccauth[UMB_QMI_CID_OFFS5] = sc->sc_cid;
umb_cmd1(sc, MBIM_CID_DEVICE_CAPS1, MBIM_CMDOP_SET1,
   fccauth, sizeof (fccauth), umb_uuid_qmi_mbim);
2759}

2761void
2762umb_packet_service(struct umb_softc *sc, int attach)
2763{
struct mbim_cid_packet_service	s;

DPRINTF("%s: %s packet service\n", DEVNAM(sc),do { } while (0)
   attach ? "attach" : "detach")do { } while (0);
memset(&s, 0, sizeof (s))__builtin_memset((&s), (0), (sizeof (s)));
s.action = htole32(attach ?((__uint32_t)(attach ? 0 : 1))
   MBIM_PKTSERVICE_ACTION_ATTACH : MBIM_PKTSERVICE_ACTION_DETACH)((__uint32_t)(attach ? 0 : 1));
umb_cmd(sc, MBIM_CID_PACKET_SERVICE10, MBIM_CMDOP_SET1, &s, sizeof (s));
2772}

2774void
2775umb_connect(struct umb_softc *sc)
2776{
struct ifnet *ifp = GET_IFP(sc)(&(sc)->sc_if);

if (sc->sc_info.regstate == MBIM_REGSTATE_ROAMING4 && !sc->sc_roamingsc_info.enable_roaming) {
log(LOG_INFO6, "%s: connection disabled in roaming network\n",
    DEVNAM(sc)(((struct umb_softc *)(sc))->sc_dev.dv_xname));
return;
}
if (ifp->if_flags & IFF_DEBUG0x4)
log(LOG_DEBUG7, "%s: connecting ...\n", DEVNAM(sc)(((struct umb_softc *)(sc))->sc_dev.dv_xname));
umb_send_connect(sc, MBIM_CONNECT_ACTIVATE1);
2787}

2789void
2790umb_disconnect(struct umb_softc *sc)
2791{
struct ifnet *ifp = GET_IFP(sc)(&(sc)->sc_if);

if (ifp->if_flags & IFF_DEBUG0x4)
log(LOG_DEBUG7, "%s: disconnecting ...\n", DEVNAM(sc)(((struct umb_softc *)(sc))->sc_dev.dv_xname));
umb_send_connect(sc, MBIM_CONNECT_DEACTIVATE0);
2797}

2799void
2800umb_send_connect(struct umb_softc *sc, int command)
2801{
struct mbim_cid_connect *c;
int	 off;

/* Too large or the stack */
c = malloc(sizeof (*c), M_USBDEV102, M_WAIT0x0001|M_ZERO0x0008);
c->sessionid = htole32(umb_session_id)((__uint32_t)(umb_session_id));
c->command = htole32(command)((__uint32_t)(command));
off = offsetof(struct mbim_cid_connect, data)__builtin_offsetof(struct mbim_cid_connect, data);
if (!umb_addstr(c, sizeof (*c), &off, sc->sc_info.apn,
   sc->sc_info.apnlen, &c->access_offs, &c->access_size))
goto done;
/* XXX FIXME: support user name and passphrase */
c->user_offs = htole32(0)((__uint32_t)(0));
c->user_size = htole32(0)((__uint32_t)(0));
c->passwd_offs = htole32(0)((__uint32_t)(0));
c->passwd_size = htole32(0)((__uint32_t)(0));
c->authprot = htole32(MBIM_AUTHPROT_NONE)((__uint32_t)(0));
c->compression = htole32(MBIM_COMPRESSION_NONE)((__uint32_t)(0));
c->iptype = htole32(MBIM_CONTEXT_IPTYPE_IPV4)((__uint32_t)(1));
2821#ifdef INET61
/* XXX FIXME: support IPv6-only mode, too */
if ((sc->sc_flags & UMBFLG_NO_INET60x0002) == 0 &&
   in6ifa_ifpforlinklocal(GET_IFP(sc)(&(sc)->sc_if), 0) != NULL((void *)0))
c->iptype = htole32(MBIM_CONTEXT_IPTYPE_IPV4V6)((__uint32_t)(3));
2826#endif
memcpy(c->context, umb_uuid_context_internet, sizeof (c->context))__builtin_memcpy((c->context), (umb_uuid_context_internet)
, (sizeof (c->context)));
umb_cmd(sc, MBIM_CID_CONNECT12, MBIM_CMDOP_SET1, c, off);
2829done:
free(c, M_USBDEV102, sizeof (*c));
return;
2832}

2834void
2835umb_qry_ipconfig(struct umb_softc *sc)
2836{
struct mbim_cid_ip_configuration_info ipc;

memset(&ipc, 0, sizeof (ipc))__builtin_memset((&ipc), (0), (sizeof (ipc)));
ipc.sessionid = htole32(umb_session_id)((__uint32_t)(umb_session_id));
umb_cmd(sc, MBIM_CID_IP_CONFIGURATION15, MBIM_CMDOP_QRY0,
   &ipc, sizeof (ipc));
2843}

2845void
2846umb_cmd(struct umb_softc *sc, int cid, int op, void *data, int len)
2847{
umb_cmd1(sc, cid, op, data, len, umb_uuid_basic_connect);
2849}

2851void
2852umb_cmd1(struct umb_softc *sc, int cid, int op, void *data, int len,
  uint8_t *uuid)
2854{
struct mbim_h2f_cmd *cmd;
int	totlen;

/* XXX FIXME support sending fragments */
if (sizeof (*cmd) + len > sc->sc_ctrl_len) {
DPRINTF("%s: set %s msg too long: cannot send\n",do { } while (0)
    DEVNAM(sc), umb_cid2str(cid))do { } while (0);
return;
}
cmd = sc->sc_ctrl_msg;
memset(cmd, 0, sizeof (*cmd))__builtin_memset((cmd), (0), (sizeof (*cmd)));
cmd->frag.nfrag = htole32(1)((__uint32_t)(1));
memcpy(cmd->devid, uuid, sizeof (cmd->devid))__builtin_memcpy((cmd->devid), (uuid), (sizeof (cmd->devid
)));
cmd->cid = htole32(cid)((__uint32_t)(cid));
cmd->op = htole32(op)((__uint32_t)(op));
cmd->infolen = htole32(len)((__uint32_t)(len));
totlen = sizeof (*cmd);
if (len > 0) {
memcpy(cmd + 1, data, len)__builtin_memcpy((cmd + 1), (data), (len));
totlen += len;
}
umb_ctrl_msg(sc, MBIM_COMMAND_MSG3U, cmd, totlen);
2877}

2879void
2880umb_command_done(struct umb_softc *sc, void *data, int len)
2881{
struct mbim_f2h_cmddone *cmd = data;
struct ifnet *ifp = GET_IFP(sc)(&(sc)->sc_if);
uint32_t status;
uint32_t cid;
uint32_t infolen;
int	 qmimsg = 0;

if (len < sizeof (*cmd)) {
DPRINTF("%s: discard short %s message\n", DEVNAM(sc),do { } while (0)
    umb_request2str(letoh32(cmd->hdr.type)))do { } while (0);
return;
}
cid = letoh32(cmd->cid)((__uint32_t)(cmd->cid));
if (memcmp(cmd->devid, umb_uuid_basic_connect, sizeof (cmd->devid))__builtin_memcmp((cmd->devid), (umb_uuid_basic_connect), (
sizeof (cmd->devid)))) {
if (memcmp(cmd->devid, umb_uuid_qmi_mbim,__builtin_memcmp((cmd->devid), (umb_uuid_qmi_mbim), (sizeof
 (cmd->devid)))
    sizeof (cmd->devid))__builtin_memcmp((cmd->devid), (umb_uuid_qmi_mbim), (sizeof
 (cmd->devid)))) {
	DPRINTF("%s: discard %s message for other UUID '%s'\n",do { } while (0)
	    DEVNAM(sc), umb_request2str(letoh32(cmd->hdr.type)),do { } while (0)
	    umb_uuid2str(cmd->devid))do { } while (0);
	return;
} else
	qmimsg = 1;
}

status = letoh32(cmd->status)((__uint32_t)(cmd->status));
switch (status) {
case MBIM_STATUS_SUCCESS0:
break;
2910#ifdef INET61
case MBIM_STATUS_NO_DEVICE_SUPPORT9:
if ((cid == MBIM_CID_CONNECT12) &&
    (sc->sc_flags & UMBFLG_NO_INET60x0002) == 0) {
	sc->sc_flags |= UMBFLG_NO_INET60x0002;
	if (ifp->if_flags & IFF_DEBUG0x4)
		log(LOG_ERR3,
		    "%s: device does not support IPv6\n",
		    DEVNAM(sc)(((struct umb_softc *)(sc))->sc_dev.dv_xname));
}
/* Re-trigger the connect, this time IPv4 only */
usb_add_task(sc->sc_udev, &sc->sc_umb_task);
return;
2923#endif
case MBIM_STATUS_NOT_INITIALIZED14:
if (ifp->if_flags & IFF_DEBUG0x4)
	log(LOG_ERR3, "%s: SIM not initialized (PIN missing)\n",
	    DEVNAM(sc)(((struct umb_softc *)(sc))->sc_dev.dv_xname));
return;
case MBIM_STATUS_PIN_REQUIRED5:
sc->sc_info.pin_state = UMB_PIN_REQUIRED0;
/*FALLTHROUGH*/
default:
if (ifp->if_flags & IFF_DEBUG0x4)
	log(LOG_ERR3, "%s: set/qry %s failed: %s\n", DEVNAM(sc)(((struct umb_softc *)(sc))->sc_dev.dv_xname),
	    umb_cid2str(cid)umb_val2descr(umb_cids, (cid)), umb_status2str(status)umb_val2descr(umb_status, (status)));
return;
}

infolen = letoh32(cmd->infolen)((__uint32_t)(cmd->infolen));
if (len < sizeof (*cmd) + infolen) {
DPRINTF("%s: discard truncated %s message (want %d, got %d)\n",do { } while (0)
    DEVNAM(sc), umb_cid2str(cid),do { } while (0)
    (int)sizeof (*cmd) + infolen, len)do { } while (0);
return;
}
if (qmimsg) {
if (sc->sc_flags & UMBFLG_FCC_AUTH_REQUIRED0x0001)
	umb_decode_qmi(sc, cmd->info, infolen);
} else {
DPRINTFN(2, "%s: set/qry %s done\n", DEVNAM(sc),do { } while (0)
    umb_cid2str(cid))do { } while (0);
umb_decode_cid(sc, cid, cmd->info, infolen);
}
2954}

2956void
2957umb_decode_cid(struct umb_softc *sc, uint32_t cid, void *data, int len)
2958{
int	 ok = 1;

switch (cid) {
case MBIM_CID_DEVICE_CAPS1:
ok = umb_decode_devices_caps(sc, data, len);
break;
case MBIM_CID_SUBSCRIBER_READY_STATUS2:
ok = umb_decode_subscriber_status(sc, data, len);
break;
case MBIM_CID_RADIO_STATE3:
ok = umb_decode_radio_state(sc, data, len);
break;
case MBIM_CID_PIN4:
ok = umb_decode_pin(sc, data, len);
break;
case MBIM_CID_REGISTER_STATE9:
ok = umb_decode_register_state(sc, data, len);
break;
case MBIM_CID_PACKET_SERVICE10:
ok = umb_decode_packet_service(sc, data, len);
break;
case MBIM_CID_SIGNAL_STATE11:
ok = umb_decode_signal_state(sc, data, len);
break;
case MBIM_CID_CONNECT12:
ok = umb_decode_connect_info(sc, data, len);
break;
case MBIM_CID_IP_CONFIGURATION15:
ok = umb_decode_ip_configuration(sc, data, len);
break;
default:
/*
 * Note: the above list is incomplete and only contains
 *	mandatory CIDs from the BASIC_CONNECT set.
 *	So alternate values are not unusual.
 */
DPRINTFN(4, "%s: ignore %s\n", DEVNAM(sc), umb_cid2str(cid))do { } while (0);
break;
}
if (!ok)
DPRINTF("%s: discard %s with bad info length %d\n",do { } while (0)
    DEVNAM(sc), umb_cid2str(cid), len)do { } while (0);
return;
3002}

3004void
3005umb_decode_qmi(struct umb_softc *sc, uint8_t *data, int len)
3006{
uint8_t	srv;
uint16_t msg, tlvlen;
uint32_t val;

3011#define UMB_QMI_QMUXLEN6		6
if (len < UMB_QMI_QMUXLEN6)
goto tooshort;

srv = data[4];
data += UMB_QMI_QMUXLEN6;
len -= UMB_QMI_QMUXLEN6;

3019#define UMB_GET16(p)((uint16_t)*p | (uint16_t)*(p + 1) << 8)	((uint16_t)*p | (uint16_t)*(p + 1) << 8)
3020#define UMB_GET32(p)((uint32_t)*p | (uint32_t)*(p + 1) << 8 | (uint32_t)*(p
 + 2) << 16 |(uint32_t)*(p + 3) << 24)	((uint32_t)*p | (uint32_t)*(p + 1) << 8 | \
	    (uint32_t)*(p + 2) << 16 |(uint32_t)*(p + 3) << 24)
switch (srv) {
case 0:	/* ctl */
3024#define UMB_QMI_CTLLEN6		6
if (len < UMB_QMI_CTLLEN6)
	goto tooshort;
msg = UMB_GET16(&data[2])((uint16_t)*&data[2] | (uint16_t)*(&data[2] + 1) <<
 8);
tlvlen = UMB_GET16(&data[4])((uint16_t)*&data[4] | (uint16_t)*(&data[4] + 1) <<
 8);
data += UMB_QMI_CTLLEN6;
len -= UMB_QMI_CTLLEN6;
break;
case 2:	/* dms  */
3033#define UMB_QMI_DMSLEN7		7
if (len < UMB_QMI_DMSLEN7)
	goto tooshort;
msg = UMB_GET16(&data[3])((uint16_t)*&data[3] | (uint16_t)*(&data[3] + 1) <<
 8);
tlvlen = UMB_GET16(&data[5])((uint16_t)*&data[5] | (uint16_t)*(&data[5] + 1) <<
 8);
data += UMB_QMI_DMSLEN7;
len -= UMB_QMI_DMSLEN7;
break;
default:
DPRINTF("%s: discard QMI message for unknown service type %d\n",do { } while (0)
    DEVNAM(sc), srv)do { } while (0);
return;
}

if (len < tlvlen)
goto tooshort;

3050#define UMB_QMI_TLVLEN3		3
while (len > 0) {
if (len < UMB_QMI_TLVLEN3)
	goto tooshort;
tlvlen = UMB_GET16(&data[1])((uint16_t)*&data[1] | (uint16_t)*(&data[1] + 1) <<
 8);
if (len < UMB_QMI_TLVLEN3 + tlvlen)
	goto tooshort;
switch (data[0]) {
case 1:	/* allocation info */
	if (msg == 0x0022) {	/* Allocate CID */
		if (tlvlen != 2 || data[3] != 2) /* dms */
			break;
		sc->sc_cid = data[4];
		DPRINTF("%s: QMI CID %d allocated\n",do { } while (0)
		    DEVNAM(sc), sc->sc_cid)do { } while (0);
		umb_newstate(sc, UMB_S_CID, UMB_NS_DONT_DROP0x0001);
	}
	break;
case 2:	/* response */
	if (tlvlen != sizeof (val))
		break;
	val = UMB_GET32(&data[3])((uint32_t)*&data[3] | (uint32_t)*(&data[3] + 1) <<
| (uint32_t)*(&data[3] + 2) << 16 |(uint32_t)*(&
data[3] + 3) << 24);
	switch (msg) {
	case 0x0022:	/* Allocate CID */
		if (val != 0) {
			log(LOG_ERR3, "%s: allocation of QMI CID"
			    " failed, error 0x%x\n", DEVNAM(sc)(((struct umb_softc *)(sc))->sc_dev.dv_xname),
			    val);
			/* XXX how to proceed? */
			return;
		}
		break;
	case 0x555f:	/* Send FCC Authentication */
		if (val == 0)
			DPRINTF("%s: send FCC "do { } while (0)
			    "Authentication succeeded\n",do { } while (0)
			    DEVNAM(sc))do { } while (0);
		else if (val == 0x001a0001)
			DPRINTF("%s: FCC Authentication "do { } while (0)
			    "not required\n", DEVNAM(sc))do { } while (0);
		else
			log(LOG_INFO6, "%s: send FCC "
			    "Authentication failed, "
			    "error 0x%x\n", DEVNAM(sc)(((struct umb_softc *)(sc))->sc_dev.dv_xname), val);

		/* FCC Auth is needed only once after power-on*/
		sc->sc_flags &= ~UMBFLG_FCC_AUTH_REQUIRED0x0001;

		/* Try to proceed anyway */
		DPRINTF("%s: init: turning radio on ...\n",do { } while (0)
		    DEVNAM(sc))do { } while (0);
		umb_radio(sc, 1);
		break;
	default:
		break;
	}
	break;
default:
	break;
}
data += UMB_QMI_TLVLEN3 + tlvlen;
len -= UMB_QMI_TLVLEN3 + tlvlen;
}
return;

3115tooshort:
DPRINTF("%s: discard short QMI message\n", DEVNAM(sc))do { } while (0);
return;
3118}

3120void
3121umb_intr(struct usbd_xfer *xfer, void *priv, usbd_status status)
3122{
struct umb_softc *sc = priv;
struct ifnet *ifp = GET_IFP(sc)(&(sc)->sc_if);
int	 total_len;

if (status != USBD_NORMAL_COMPLETION) {
DPRINTF("%s: notification error: %s\n", DEVNAM(sc),do { } while (0)
    usbd_errstr(status))do { } while (0);
if (status == USBD_STALLED)
	usbd_clear_endpoint_stall_async(sc->sc_ctrl_pipe);
return;
}
usbd_get_xfer_status(xfer, NULL((void *)0), NULL((void *)0), &total_len, NULL((void *)0));
if (total_len < UCDC_NOTIFICATION_LENGTH8) {
DPRINTF("%s: short notification (%d<%d)\n", DEVNAM(sc),do { } while (0)
    total_len, UCDC_NOTIFICATION_LENGTH)do { } while (0);
    return;
}
if (sc->sc_intr_msg.bmRequestType != UCDC_NOTIFICATION0xa1) {
DPRINTF("%s: unexpected notification (type=0x%02x)\n",do { } while (0)
    DEVNAM(sc), sc->sc_intr_msg.bmRequestType)do { } while (0);
return;
}

switch (sc->sc_intr_msg.bNotification) {
case UCDC_N_NETWORK_CONNECTION0x00:
if (ifp->if_flags & IFF_DEBUG0x4)
	log(LOG_DEBUG7, "%s: network %sconnected\n", DEVNAM(sc)(((struct umb_softc *)(sc))->sc_dev.dv_xname),
	    UGETW(sc->sc_intr_msg.wValue)(*(u_int16_t *)(sc->sc_intr_msg.wValue)) ? "" : "dis");
break;
case UCDC_N_RESPONSE_AVAILABLE0x01:
DPRINTFN(2, "%s: umb_intr: response available\n", DEVNAM(sc))do { } while (0);
++sc->sc_nresp;
usb_add_task(sc->sc_udev, &sc->sc_get_response_task);
break;
case UCDC_N_CONNECTION_SPEED_CHANGE0x2a:
DPRINTFN(2, "%s: umb_intr: connection speed changed\n",do { } while (0)
    DEVNAM(sc))do { } while (0);
break;
default:
DPRINTF("%s: unexpected notification (0x%02x)\n",do { } while (0)
    DEVNAM(sc), sc->sc_intr_msg.bNotification)do { } while (0);
break;
}
3166}

3168/*
* Diagnostic routines
*/
3171#ifdef UMB_DEBUG
3172char *
3173umb_uuid2str(uint8_t uuid[MBIM_UUID_LEN16])
3174{
static char uuidstr[2 * MBIM_UUID_LEN16 + 5];

3177#define UUID_BFMT	"%02X"
3178#define UUID_SEP	"-"
snprintf(uuidstr, sizeof (uuidstr),
   UUID_BFMT UUID_BFMT UUID_BFMT UUID_BFMT UUID_SEP
   UUID_BFMT UUID_BFMT UUID_SEP
   UUID_BFMT UUID_BFMT UUID_SEP
   UUID_BFMT UUID_BFMT UUID_SEP
   UUID_BFMT UUID_BFMT UUID_BFMT UUID_BFMT UUID_BFMT UUID_BFMT,
   uuid[0], uuid[1], uuid[2], uuid[3], uuid[4], uuid[5],
   uuid[6], uuid[7], uuid[8], uuid[9], uuid[10], uuid[11],
   uuid[12], uuid[13], uuid[14], uuid[15]);
return uuidstr;
3189}

3191void
3192umb_dump(void *buf, int len)
3193{
int	 i = 0;
uint8_t	*c = buf;

if (len == 0)
return;
while (i < len) {
if ((i % 16) == 0) {
	if (i > 0)
		addlog("\n");
	log(LOG_DEBUG7, "%4d:  ", i);
}
addlog(" %02x", *c);
c++;
i++;
}
addlog("\n");
3210}
3211#endif /* UMB_DEBUG */

3213#if NKSTAT1 > 0

3215void
3216umb_kstat_attach(struct umb_softc *sc)
3217{
struct kstat *ks;
struct umb_kstat_signal *uks;

rw_init(&sc->sc_kstat_lock, "umbkstat")_rw_init_flags(&sc->sc_kstat_lock, "umbkstat", 0, ((void
 *)0));

ks = kstat_create(DEVNAM(sc)(((struct umb_softc *)(sc))->sc_dev.dv_xname), 0, "mbim-signal", 0, KSTAT_T_KV1, 0);
if (ks == NULL((void *)0))
return;

uks = malloc(sizeof(*uks), M_DEVBUF2, M_WAITOK0x0001|M_ZERO0x0008);
kstat_kv_init(&uks->rssi, "rssi", KSTAT_KV_T_NULL);
kstat_kv_init(&uks->error_rate, "error rate", KSTAT_KV_T_NULL);
kstat_kv_init(&uks->reports, "reports", KSTAT_KV_T_COUNTER64);

kstat_set_rlock(ks, &sc->sc_kstat_lock);
ks->ks_data = uks;
ks->ks_datalen = sizeof(*uks);
ks->ks_read = kstat_read_nop;

ks->ks_softc = sc;
sc->sc_kstat_signal = ks;
kstat_install(ks);
3240}

3242void
3243umb_kstat_detach(struct umb_softc *sc)
3244{
struct kstat *ks = sc->sc_kstat_signal;
struct umb_kstat_signal *uks;

if (ks == NULL((void *)0))
return;

kstat_remove(ks);
sc->sc_kstat_signal = NULL((void *)0);

uks = ks->ks_data;
free(uks, M_DEVBUF2, sizeof(*uks));

kstat_destroy(ks);
3258}
3259#endif /* NKSTAT > 0 */