search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Merge tag 'trace-printf-v6.13' of git://git.kernel.org/pub/scm/linux/kernel/git/trace...
[drm/drm-misc.git] / drivers / net / wireless / intel / iwlwifi / mei / main.c
blobdce0b7cf7b265c6d37fe5c515f7048cea41f7005
1 // SPDX-License-Identifier: GPL-2.0-only
2 /*
3 * Copyright (C) 2021-2024 Intel Corporation
4 */
5
6 #include <linux/etherdevice.h>
7 #include <linux/netdevice.h>
8 #include <linux/ieee80211.h>
9 #include <linux/rtnetlink.h>
10 #include <linux/module.h>
11 #include <linux/moduleparam.h>
12 #include <linux/mei_cl_bus.h>
13 #include <linux/rcupdate.h>
14 #include <linux/debugfs.h>
15 #include <linux/skbuff.h>
16 #include <linux/wait.h>
17 #include <linux/slab.h>
18 #include <linux/mm.h>
19
20 #include <net/cfg80211.h>
21
22 #include "internal.h"
23 #include "iwl-mei.h"
24 #include "trace.h"
25 #include "trace-data.h"
26 #include "sap.h"
27
28 MODULE_DESCRIPTION("The Intel(R) wireless / CSME firmware interface");
29 MODULE_LICENSE("GPL");
30
31 #define MEI_WLAN_UUID UUID_LE(0x13280904, 0x7792, 0x4fcb, \
32 0xa1, 0xaa, 0x5e, 0x70, 0xcb, 0xb1, 0xe8, 0x65)
33
34 /* After CSME takes ownership, it won't release it for 60 seconds to avoid
35 * frequent ownership transitions.
36 */
37 #define MEI_OWNERSHIP_RETAKE_TIMEOUT_MS msecs_to_jiffies(60000)
38
39 /*
40 * Since iwlwifi calls iwlmei without any context, hold a pointer to the
41 * mei_cl_device structure here.
42 * Define a mutex that will synchronize all the flows between iwlwifi and
43 * iwlmei.
44 * Note that iwlmei can't have several instances, so it ok to have static
45 * variables here.
46 */
47 static struct mei_cl_device *iwl_mei_global_cldev;
48 static DEFINE_MUTEX(iwl_mei_mutex);
49 static unsigned long iwl_mei_status;
50
51 enum iwl_mei_status_bits {
52 IWL_MEI_STATUS_SAP_CONNECTED,
53 };
54
55 bool iwl_mei_is_connected(void)
56 {
57 return test_bit(IWL_MEI_STATUS_SAP_CONNECTED, &iwl_mei_status);
58 }
59 EXPORT_SYMBOL_GPL(iwl_mei_is_connected);
60
61 #define SAP_CONTROL_BLOCK_ID 0x21504153 /* SAP! in ASCII */
62
63 struct iwl_sap_q_ctrl_blk {
64 __le32 wr_ptr;
65 __le32 rd_ptr;
66 __le32 size;
67 };
68
69 enum iwl_sap_q_idx {
70 SAP_QUEUE_IDX_NOTIF = 0,
71 SAP_QUEUE_IDX_DATA,
72 SAP_QUEUE_IDX_MAX,
73 };
74
75 struct iwl_sap_dir {
76 __le32 reserved;
77 struct iwl_sap_q_ctrl_blk q_ctrl_blk[SAP_QUEUE_IDX_MAX];
78 };
79
80 enum iwl_sap_dir_idx {
81 SAP_DIRECTION_HOST_TO_ME = 0,
82 SAP_DIRECTION_ME_TO_HOST,
83 SAP_DIRECTION_MAX,
84 };
85
86 struct iwl_sap_shared_mem_ctrl_blk {
87 __le32 sap_id;
88 __le32 size;
89 struct iwl_sap_dir dir[SAP_DIRECTION_MAX];
90 };
91
92 /*
93 * The shared area has the following layout:
94 *
95 * +-----------------------------------+
96 * |struct iwl_sap_shared_mem_ctrl_blk |
97 * +-----------------------------------+
98 * |Host -> ME data queue |
99 * +-----------------------------------+
100 * |Host -> ME notif queue |
101 * +-----------------------------------+
102 * |ME -> Host data queue |
103 * +-----------------------------------+
104 * |ME -> host notif queue |
105 * +-----------------------------------+
106 * |SAP control block id (SAP!) |
107 * +-----------------------------------+
108 */
109
110 #define SAP_H2M_DATA_Q_SZ 48256
111 #define SAP_M2H_DATA_Q_SZ 24128
112 #define SAP_H2M_NOTIF_Q_SZ_VER3 2240
113 #define SAP_H2M_NOTIF_Q_SZ_VER4 32768
114 #define SAP_M2H_NOTIF_Q_SZ 62720
115
116 #define _IWL_MEI_SAP_SHARED_MEM_SZ_VER3 \
117 (sizeof(struct iwl_sap_shared_mem_ctrl_blk) + \
118 SAP_H2M_DATA_Q_SZ + SAP_H2M_NOTIF_Q_SZ_VER3 + \
119 SAP_M2H_DATA_Q_SZ + SAP_M2H_NOTIF_Q_SZ + 4)
120
121 #define _IWL_MEI_SAP_SHARED_MEM_SZ_VER4 \
122 (sizeof(struct iwl_sap_shared_mem_ctrl_blk) + \
123 SAP_H2M_DATA_Q_SZ + SAP_H2M_NOTIF_Q_SZ_VER4 + \
124 SAP_M2H_DATA_Q_SZ + SAP_M2H_NOTIF_Q_SZ + 4)
125
126 struct iwl_mei_shared_mem_ptrs {
127 struct iwl_sap_shared_mem_ctrl_blk *ctrl;
128 void *q_head[SAP_DIRECTION_MAX][SAP_QUEUE_IDX_MAX];
129 size_t q_size[SAP_DIRECTION_MAX][SAP_QUEUE_IDX_MAX];
130 };
131
132 struct iwl_mei_filters {
133 struct rcu_head rcu_head;
134 struct iwl_sap_oob_filters filters;
135 };
136
137 /**
138 * struct iwl_mei - holds the private date for iwl_mei
139 *
140 * @get_nvm_wq: the wait queue for the get_nvm flow
141 * @send_csa_msg_wk: used to defer the transmission of the CHECK_SHARED_AREA
142 * message. Used so that we can send CHECK_SHARED_AREA from atomic
143 * contexts.
144 * @get_ownership_wq: the wait queue for the get_ownership_flow
145 * @shared_mem: the memory that is shared between CSME and the host
146 * @cldev: the pointer to the MEI client device
147 * @nvm: the data returned by the CSME for the NVM
148 * @filters: the filters sent by CSME
149 * @got_ownership: true if we own the device
150 * @amt_enabled: true if CSME has wireless enabled
151 * @csa_throttled: when true, we can't send CHECK_SHARED_AREA over the MEI
152 * bus, but rather need to wait until send_csa_msg_wk runs
153 * @csme_taking_ownership: true when CSME is taking ownership. Used to remember
154 * to send CSME_OWNERSHIP_CONFIRMED when the driver completes its down
155 * flow.
156 * @link_prot_state: true when we are in link protection PASSIVE
157 * @device_down: true if the device is down. Used to remember to send
158 * CSME_OWNERSHIP_CONFIRMED when the driver is already down.
159 * @csa_throttle_end_wk: used when &csa_throttled is true
160 * @pldr_wq: the wait queue for PLDR flow
161 * @pldr_active: PLDR flow is in progress
162 * @data_q_lock: protects the access to the data queues which are
163 * accessed without the mutex.
164 * @netdev_work: used to defer registering and unregistering of the netdev to
165 * avoid taking the rtnl lock in the SAP messages handlers.
166 * @ownership_dwork: used to re-ask for NIC ownership after ownership was taken
167 * by CSME or when a previous ownership request failed.
168 * @sap_seq_no: the sequence number for the SAP messages
169 * @seq_no: the sequence number for the SAP messages
170 * @dbgfs_dir: the debugfs dir entry
171 */
172 struct iwl_mei {
173 wait_queue_head_t get_nvm_wq;
174 struct work_struct send_csa_msg_wk;
175 wait_queue_head_t get_ownership_wq;
176 struct iwl_mei_shared_mem_ptrs shared_mem;
177 struct mei_cl_device *cldev;
178 struct iwl_mei_nvm *nvm;
179 struct iwl_mei_filters __rcu *filters;
180 bool got_ownership;
181 bool amt_enabled;
182 bool csa_throttled;
183 bool csme_taking_ownership;
184 bool link_prot_state;
185 bool device_down;
186 struct delayed_work csa_throttle_end_wk;
187 wait_queue_head_t pldr_wq;
188 bool pldr_active;
189 spinlock_t data_q_lock;
190 struct work_struct netdev_work;
191 struct delayed_work ownership_dwork;
192
193 atomic_t sap_seq_no;
194 atomic_t seq_no;
195
196 struct dentry *dbgfs_dir;
197 };
198
199 /**
200 * struct iwl_mei_cache - cache for the parameters from iwlwifi
201 * @ops: Callbacks to iwlwifi.
202 * @netdev: The netdev that will be used to transmit / receive packets.
203 * @conn_info: The connection info message triggered by iwlwifi's association.
204 * @power_limit: pointer to an array of 10 elements (le16) represents the power
205 * restrictions per chain.
206 * @rf_kill: rf kill state.
207 * @mcc: MCC info
208 * @mac_address: interface MAC address.
209 * @nvm_address: NVM MAC address.
210 * @priv: A pointer to iwlwifi.
211 * @sap_version: The SAP version to use. enum iwl_mei_sap_version.
212 *
213 * This used to cache the configurations coming from iwlwifi's way. The data
214 * is cached here so that we can buffer the configuration even if we don't have
215 * a bind from the mei bus and hence, on iwl_mei structure.
216 */
217 struct iwl_mei_cache {
218 const struct iwl_mei_ops *ops;
219 struct net_device __rcu *netdev;
220 const struct iwl_sap_notif_connection_info *conn_info;
221 const __le16 *power_limit;
222 u32 rf_kill;
223 u16 mcc;
224 u8 mac_address[6];
225 u8 nvm_address[6];
226 enum iwl_mei_sap_version sap_version;
227 void *priv;
228 };
229
230 static struct iwl_mei_cache iwl_mei_cache = {
231 .rf_kill = SAP_HW_RFKILL_DEASSERTED | SAP_SW_RFKILL_DEASSERTED
232 };
233
234 static void iwl_mei_free_shared_mem(struct mei_cl_device *cldev)
235 {
236 struct iwl_mei *mei = mei_cldev_get_drvdata(cldev);
237
238 if (mei_cldev_dma_unmap(cldev))
239 dev_err(&cldev->dev, "Couldn't unmap the shared mem properly\n");
240 memset(&mei->shared_mem, 0, sizeof(mei->shared_mem));
241 }
242
243 #define HBM_DMA_BUF_ID_WLAN 1
244
245 static int iwl_mei_alloc_mem_for_version(struct mei_cl_device *cldev,
246 enum iwl_mei_sap_version version)
247 {
248 struct iwl_mei *mei = mei_cldev_get_drvdata(cldev);
249 struct iwl_mei_shared_mem_ptrs *mem = &mei->shared_mem;
250 u32 mem_size = roundup(version == IWL_MEI_SAP_VERSION_4 ?
251 _IWL_MEI_SAP_SHARED_MEM_SZ_VER4 :
252 _IWL_MEI_SAP_SHARED_MEM_SZ_VER3, PAGE_SIZE);
253
254 iwl_mei_cache.sap_version = version;
255 mem->ctrl = mei_cldev_dma_map(cldev, HBM_DMA_BUF_ID_WLAN, mem_size);
256 if (IS_ERR(mem->ctrl)) {
257 int ret = PTR_ERR(mem->ctrl);
258
259 mem->ctrl = NULL;
260
261 return ret;
262 }
263
264 memset(mem->ctrl, 0, mem_size);
265
266 return 0;
267 }
268
269 static int iwl_mei_alloc_shared_mem(struct mei_cl_device *cldev)
270 {
271 int ret;
272
273 /*
274 * SAP version 4 uses a larger Host to MEI notif queue.
275 * Since it is unknown at this stage which SAP version is used by the
276 * CSME firmware on this platform, try to allocate the version 4 first.
277 * If the CSME firmware uses version 3, this allocation is expected to
278 * fail because the CSME firmware allocated less memory for our driver.
279 */
280 ret = iwl_mei_alloc_mem_for_version(cldev, IWL_MEI_SAP_VERSION_4);
281 if (ret)
282 ret = iwl_mei_alloc_mem_for_version(cldev,
283 IWL_MEI_SAP_VERSION_3);
284
285 return ret;
286 }
287
288 static void iwl_mei_init_shared_mem(struct iwl_mei *mei)
289 {
290 struct iwl_mei_shared_mem_ptrs *mem = &mei->shared_mem;
291 struct iwl_sap_dir *h2m;
292 struct iwl_sap_dir *m2h;
293 int dir, queue;
294 u8 *q_head;
295
296 mem->ctrl->sap_id = cpu_to_le32(SAP_CONTROL_BLOCK_ID);
297
298 mem->ctrl->size = cpu_to_le32(sizeof(*mem->ctrl));
299
300 h2m = &mem->ctrl->dir[SAP_DIRECTION_HOST_TO_ME];
301 m2h = &mem->ctrl->dir[SAP_DIRECTION_ME_TO_HOST];
302
303 h2m->q_ctrl_blk[SAP_QUEUE_IDX_DATA].size =
304 cpu_to_le32(SAP_H2M_DATA_Q_SZ);
305 h2m->q_ctrl_blk[SAP_QUEUE_IDX_NOTIF].size =
306 iwl_mei_cache.sap_version == IWL_MEI_SAP_VERSION_3 ?
307 cpu_to_le32(SAP_H2M_NOTIF_Q_SZ_VER3) :
308 cpu_to_le32(SAP_H2M_NOTIF_Q_SZ_VER4);
309 m2h->q_ctrl_blk[SAP_QUEUE_IDX_DATA].size =
310 cpu_to_le32(SAP_M2H_DATA_Q_SZ);
311 m2h->q_ctrl_blk[SAP_QUEUE_IDX_NOTIF].size =
312 cpu_to_le32(SAP_M2H_NOTIF_Q_SZ);
313
314 /* q_head points to the start of the first queue */
315 q_head = (void *)(mem->ctrl + 1);
316
317 /* Initialize the queue heads */
318 for (dir = 0; dir < SAP_DIRECTION_MAX; dir++) {
319 for (queue = 0; queue < SAP_QUEUE_IDX_MAX; queue++) {
320 mem->q_head[dir][queue] = q_head;
321 q_head +=
322 le32_to_cpu(mem->ctrl->dir[dir].q_ctrl_blk[queue].size);
323 mem->q_size[dir][queue] =
324 le32_to_cpu(mem->ctrl->dir[dir].q_ctrl_blk[queue].size);
325 }
326 }
327
328 *(__le32 *)q_head = cpu_to_le32(SAP_CONTROL_BLOCK_ID);
329 }
330
331 static ssize_t iwl_mei_write_cyclic_buf(struct mei_cl_device *cldev,
332 struct iwl_sap_q_ctrl_blk *notif_q,
333 u8 *q_head,
334 const struct iwl_sap_hdr *hdr,
335 u32 q_sz)
336 {
337 u32 rd = le32_to_cpu(READ_ONCE(notif_q->rd_ptr));
338 u32 wr = le32_to_cpu(READ_ONCE(notif_q->wr_ptr));
339 size_t room_in_buf;
340 size_t tx_sz = sizeof(*hdr) + le16_to_cpu(hdr->len);
341
342 if (rd > q_sz || wr > q_sz) {
343 dev_err(&cldev->dev,
344 "Pointers are past the end of the buffer\n");
345 return -EINVAL;
346 }
347
348 room_in_buf = wr >= rd ? q_sz - wr + rd : rd - wr;
349
350 /* we don't have enough room for the data to write */
351 if (room_in_buf < tx_sz) {
352 dev_err(&cldev->dev,
353 "Not enough room in the buffer\n");
354 return -ENOSPC;
355 }
356
357 if (wr + tx_sz <= q_sz) {
358 memcpy(q_head + wr, hdr, tx_sz);
359 } else {
360 memcpy(q_head + wr, hdr, q_sz - wr);
361 memcpy(q_head, (const u8 *)hdr + q_sz - wr, tx_sz - (q_sz - wr));
362 }
363
364 WRITE_ONCE(notif_q->wr_ptr, cpu_to_le32((wr + tx_sz) % q_sz));
365 return 0;
366 }
367
368 static bool iwl_mei_host_to_me_data_pending(const struct iwl_mei *mei)
369 {
370 struct iwl_sap_q_ctrl_blk *notif_q;
371 struct iwl_sap_dir *dir;
372
373 dir = &mei->shared_mem.ctrl->dir[SAP_DIRECTION_HOST_TO_ME];
374 notif_q = &dir->q_ctrl_blk[SAP_QUEUE_IDX_DATA];
375
376 if (READ_ONCE(notif_q->wr_ptr) != READ_ONCE(notif_q->rd_ptr))
377 return true;
378
379 notif_q = &dir->q_ctrl_blk[SAP_QUEUE_IDX_NOTIF];
380 return READ_ONCE(notif_q->wr_ptr) != READ_ONCE(notif_q->rd_ptr);
381 }
382
383 static int iwl_mei_send_check_shared_area(struct mei_cl_device *cldev)
384 {
385 struct iwl_mei *mei = mei_cldev_get_drvdata(cldev);
386 struct iwl_sap_me_msg_start msg = {
387 .hdr.type = cpu_to_le32(SAP_ME_MSG_CHECK_SHARED_AREA),
388 .hdr.seq_num = cpu_to_le32(atomic_inc_return(&mei->seq_no)),
389 };
390 int ret;
391
392 lockdep_assert_held(&iwl_mei_mutex);
393
394 if (mei->csa_throttled)
395 return 0;
396
397 trace_iwlmei_me_msg(&msg.hdr, true);
398 ret = mei_cldev_send(cldev, (void *)&msg, sizeof(msg));
399 if (ret != sizeof(msg)) {
400 dev_err(&cldev->dev,
401 "failed to send the SAP_ME_MSG_CHECK_SHARED_AREA message %d\n",
402 ret);
403 return ret;
404 }
405
406 mei->csa_throttled = true;
407
408 schedule_delayed_work(&mei->csa_throttle_end_wk,
409 msecs_to_jiffies(100));
410
411 return 0;
412 }
413
414 static void iwl_mei_csa_throttle_end_wk(struct work_struct *wk)
415 {
416 struct iwl_mei *mei =
417 container_of(wk, struct iwl_mei, csa_throttle_end_wk.work);
418
419 mutex_lock(&iwl_mei_mutex);
420
421 mei->csa_throttled = false;
422
423 if (iwl_mei_host_to_me_data_pending(mei))
424 iwl_mei_send_check_shared_area(mei->cldev);
425
426 mutex_unlock(&iwl_mei_mutex);
427 }
428
429 static int iwl_mei_send_sap_msg_payload(struct mei_cl_device *cldev,
430 struct iwl_sap_hdr *hdr)
431 {
432 struct iwl_mei *mei = mei_cldev_get_drvdata(cldev);
433 struct iwl_sap_q_ctrl_blk *notif_q;
434 struct iwl_sap_dir *dir;
435 void *q_head;
436 u32 q_sz;
437 int ret;
438
439 lockdep_assert_held(&iwl_mei_mutex);
440
441 if (!mei->shared_mem.ctrl) {
442 dev_err(&cldev->dev,
443 "No shared memory, can't send any SAP message\n");
444 return -EINVAL;
445 }
446
447 if (!iwl_mei_is_connected()) {
448 dev_err(&cldev->dev,
449 "Can't send a SAP message if we're not connected\n");
450 return -ENODEV;
451 }
452
453 hdr->seq_num = cpu_to_le32(atomic_inc_return(&mei->sap_seq_no));
454 dev_dbg(&cldev->dev, "Sending %d\n", hdr->type);
455
456 dir = &mei->shared_mem.ctrl->dir[SAP_DIRECTION_HOST_TO_ME];
457 notif_q = &dir->q_ctrl_blk[SAP_QUEUE_IDX_NOTIF];
458 q_head = mei->shared_mem.q_head[SAP_DIRECTION_HOST_TO_ME][SAP_QUEUE_IDX_NOTIF];
459 q_sz = mei->shared_mem.q_size[SAP_DIRECTION_HOST_TO_ME][SAP_QUEUE_IDX_NOTIF];
460 ret = iwl_mei_write_cyclic_buf(q_head, notif_q, q_head, hdr, q_sz);
461
462 if (ret < 0)
463 return ret;
464
465 trace_iwlmei_sap_cmd(hdr, true);
466
467 return iwl_mei_send_check_shared_area(cldev);
468 }
469
470 void iwl_mei_add_data_to_ring(struct sk_buff *skb, bool cb_tx)
471 {
472 struct iwl_sap_q_ctrl_blk *notif_q;
473 struct iwl_sap_dir *dir;
474 struct iwl_mei *mei;
475 size_t room_in_buf;
476 size_t tx_sz;
477 size_t hdr_sz;
478 u32 q_sz;
479 u32 rd;
480 u32 wr;
481 u8 *q_head;
482
483 if (!iwl_mei_global_cldev)
484 return;
485
486 mei = mei_cldev_get_drvdata(iwl_mei_global_cldev);
487
488 /*
489 * We access this path for Rx packets (the more common case)
490 * and from Tx path when we send DHCP packets, the latter is
491 * very unlikely.
492 * Take the lock already here to make sure we see that remove()
493 * might have cleared the IWL_MEI_STATUS_SAP_CONNECTED bit.
494 */
495 spin_lock_bh(&mei->data_q_lock);
496
497 if (!iwl_mei_is_connected()) {
498 spin_unlock_bh(&mei->data_q_lock);
499 return;
500 }
501
502 /*
503 * We are in a RCU critical section and the remove from the CSME bus
504 * which would free this memory waits for the readers to complete (this
505 * is done in netdev_rx_handler_unregister).
506 */
507 dir = &mei->shared_mem.ctrl->dir[SAP_DIRECTION_HOST_TO_ME];
508 notif_q = &dir->q_ctrl_blk[SAP_QUEUE_IDX_DATA];
509 q_head = mei->shared_mem.q_head[SAP_DIRECTION_HOST_TO_ME][SAP_QUEUE_IDX_DATA];
510 q_sz = mei->shared_mem.q_size[SAP_DIRECTION_HOST_TO_ME][SAP_QUEUE_IDX_DATA];
511
512 rd = le32_to_cpu(READ_ONCE(notif_q->rd_ptr));
513 wr = le32_to_cpu(READ_ONCE(notif_q->wr_ptr));
514 hdr_sz = cb_tx ? sizeof(struct iwl_sap_cb_data) :
515 sizeof(struct iwl_sap_hdr);
516 tx_sz = skb->len + hdr_sz;
517
518 if (rd > q_sz || wr > q_sz) {
519 dev_err(&mei->cldev->dev,
520 "can't write the data: pointers are past the end of the buffer\n");
521 goto out;
522 }
523
524 room_in_buf = wr >= rd ? q_sz - wr + rd : rd - wr;
525
526 /* we don't have enough room for the data to write */
527 if (room_in_buf < tx_sz) {
528 dev_err(&mei->cldev->dev,
529 "Not enough room in the buffer for this data\n");
530 goto out;
531 }
532
533 if (skb_headroom(skb) < hdr_sz) {
534 dev_err(&mei->cldev->dev,
535 "Not enough headroom in the skb to write the SAP header\n");
536 goto out;
537 }
538
539 if (cb_tx) {
540 struct iwl_sap_cb_data *cb_hdr = skb_push(skb, sizeof(*cb_hdr));
541
542 memset(cb_hdr, 0, sizeof(*cb_hdr));
543 cb_hdr->hdr.type = cpu_to_le16(SAP_MSG_CB_DATA_PACKET);
544 cb_hdr->hdr.len = cpu_to_le16(skb->len - sizeof(cb_hdr->hdr));
545 cb_hdr->hdr.seq_num = cpu_to_le32(atomic_inc_return(&mei->sap_seq_no));
546 cb_hdr->to_me_filt_status = cpu_to_le32(BIT(CB_TX_DHCP_FILT_IDX));
547 cb_hdr->data_len = cpu_to_le32(skb->len - sizeof(*cb_hdr));
548 trace_iwlmei_sap_data(skb, IWL_SAP_TX_DHCP);
549 } else {
550 struct iwl_sap_hdr *hdr = skb_push(skb, sizeof(*hdr));
551
552 hdr->type = cpu_to_le16(SAP_MSG_DATA_PACKET);
553 hdr->len = cpu_to_le16(skb->len - sizeof(*hdr));
554 hdr->seq_num = cpu_to_le32(atomic_inc_return(&mei->sap_seq_no));
555 trace_iwlmei_sap_data(skb, IWL_SAP_TX_DATA_FROM_AIR);
556 }
557
558 if (wr + tx_sz <= q_sz) {
559 skb_copy_bits(skb, 0, q_head + wr, tx_sz);
560 } else {
561 skb_copy_bits(skb, 0, q_head + wr, q_sz - wr);
562 skb_copy_bits(skb, q_sz - wr, q_head, tx_sz - (q_sz - wr));
563 }
564
565 WRITE_ONCE(notif_q->wr_ptr, cpu_to_le32((wr + tx_sz) % q_sz));
566
567 out:
568 spin_unlock_bh(&mei->data_q_lock);
569 }
570
571 static int
572 iwl_mei_send_sap_msg(struct mei_cl_device *cldev, u16 type)
573 {
574 struct iwl_sap_hdr msg = {
575 .type = cpu_to_le16(type),
576 };
577
578 return iwl_mei_send_sap_msg_payload(cldev, &msg);
579 }
580
581 static void iwl_mei_send_csa_msg_wk(struct work_struct *wk)
582 {
583 struct iwl_mei *mei =
584 container_of(wk, struct iwl_mei, send_csa_msg_wk);
585
586 if (!iwl_mei_is_connected())
587 return;
588
589 mutex_lock(&iwl_mei_mutex);
590
591 iwl_mei_send_check_shared_area(mei->cldev);
592
593 mutex_unlock(&iwl_mei_mutex);
594 }
595
596 /* Called in a RCU read critical section from netif_receive_skb */
597 static rx_handler_result_t iwl_mei_rx_handler(struct sk_buff **pskb)
598 {
599 struct sk_buff *skb = *pskb;
600 struct iwl_mei *mei =
601 rcu_dereference(skb->dev->rx_handler_data);
602 struct iwl_mei_filters *filters = rcu_dereference(mei->filters);
603 bool rx_for_csme = false;
604 rx_handler_result_t res;
605
606 /*
607 * remove() unregisters this handler and synchronize_net, so this
608 * should never happen.
609 */
610 if (!iwl_mei_is_connected()) {
611 dev_err(&mei->cldev->dev,
612 "Got an Rx packet, but we're not connected to SAP?\n");
613 return RX_HANDLER_PASS;
614 }
615
616 if (filters)
617 res = iwl_mei_rx_filter(skb, &filters->filters, &rx_for_csme);
618 else
619 res = RX_HANDLER_PASS;
620
621 /*
622 * The data is already on the ring of the shared area, all we
623 * need to do is to tell the CSME firmware to check what we have
624 * there.
625 */
626 if (rx_for_csme)
627 schedule_work(&mei->send_csa_msg_wk);
628
629 if (res != RX_HANDLER_PASS) {
630 trace_iwlmei_sap_data(skb, IWL_SAP_RX_DATA_DROPPED_FROM_AIR);
631 dev_kfree_skb(skb);
632 }
633
634 return res;
635 }
636
637 static void iwl_mei_netdev_work(struct work_struct *wk)
638 {
639 struct iwl_mei *mei =
640 container_of(wk, struct iwl_mei, netdev_work);
641 struct net_device *netdev;
642
643 /*
644 * First take rtnl and only then the mutex to avoid an ABBA
645 * with iwl_mei_set_netdev()
646 */
647 rtnl_lock();
648 mutex_lock(&iwl_mei_mutex);
649
650 netdev = rcu_dereference_protected(iwl_mei_cache.netdev,
651 lockdep_is_held(&iwl_mei_mutex));
652 if (netdev) {
653 if (mei->amt_enabled)
654 netdev_rx_handler_register(netdev, iwl_mei_rx_handler,
655 mei);
656 else
657 netdev_rx_handler_unregister(netdev);
658 }
659
660 mutex_unlock(&iwl_mei_mutex);
661 rtnl_unlock();
662 }
663
664 static void
665 iwl_mei_handle_rx_start_ok(struct mei_cl_device *cldev,
666 const struct iwl_sap_me_msg_start_ok *rsp,
667 ssize_t len)
668 {
669 if (len != sizeof(*rsp)) {
670 dev_err(&cldev->dev,
671 "got invalid SAP_ME_MSG_START_OK from CSME firmware\n");
672 dev_err(&cldev->dev,
673 "size is incorrect: %zd instead of %zu\n",
674 len, sizeof(*rsp));
675 return;
676 }
677
678 if (rsp->supported_version != iwl_mei_cache.sap_version) {
679 dev_err(&cldev->dev,
680 "didn't get the expected version: got %d\n",
681 rsp->supported_version);
682 return;
683 }
684
685 mutex_lock(&iwl_mei_mutex);
686 set_bit(IWL_MEI_STATUS_SAP_CONNECTED, &iwl_mei_status);
687 /*
688 * We'll receive AMT_STATE SAP message in a bit and
689 * that will continue the flow
690 */
691 mutex_unlock(&iwl_mei_mutex);
692 }
693
694 static void iwl_mei_handle_csme_filters(struct mei_cl_device *cldev,
695 const struct iwl_sap_csme_filters *filters)
696 {
697 struct iwl_mei *mei = mei_cldev_get_drvdata(iwl_mei_global_cldev);
698 struct iwl_mei_filters *new_filters;
699 struct iwl_mei_filters *old_filters;
700
701 old_filters =
702 rcu_dereference_protected(mei->filters,
703 lockdep_is_held(&iwl_mei_mutex));
704
705 new_filters = kzalloc(sizeof(*new_filters), GFP_KERNEL);
706 if (!new_filters)
707 return;
708
709 /* Copy the OOB filters */
710 new_filters->filters = filters->filters;
711
712 rcu_assign_pointer(mei->filters, new_filters);
713
714 if (old_filters)
715 kfree_rcu(old_filters, rcu_head);
716 }
717
718 static void
719 iwl_mei_handle_conn_status(struct mei_cl_device *cldev,
720 const struct iwl_sap_notif_conn_status *status)
721 {
722 struct iwl_mei *mei = mei_cldev_get_drvdata(cldev);
723 struct iwl_mei_conn_info conn_info = {
724 .lp_state = le32_to_cpu(status->link_prot_state),
725 .ssid_len = le32_to_cpu(status->conn_info.ssid_len),
726 .channel = status->conn_info.channel,
727 .band = status->conn_info.band,
728 .auth_mode = le32_to_cpu(status->conn_info.auth_mode),
729 .pairwise_cipher = le32_to_cpu(status->conn_info.pairwise_cipher),
730 };
731
732 if (!iwl_mei_cache.ops ||
733 conn_info.ssid_len > ARRAY_SIZE(conn_info.ssid))
734 return;
735
736 memcpy(conn_info.ssid, status->conn_info.ssid, conn_info.ssid_len);
737 ether_addr_copy(conn_info.bssid, status->conn_info.bssid);
738
739 iwl_mei_cache.ops->me_conn_status(iwl_mei_cache.priv, &conn_info);
740
741 mei->link_prot_state = status->link_prot_state;
742
743 /*
744 * Update the Rfkill state in case the host does not own the device:
745 * if we are in Link Protection, ask to not touch the device, else,
746 * unblock rfkill.
747 * If the host owns the device, inform the user space whether it can
748 * roam.
749 */
750 if (mei->got_ownership)
751 iwl_mei_cache.ops->roaming_forbidden(iwl_mei_cache.priv,
752 status->link_prot_state);
753 else
754 iwl_mei_cache.ops->rfkill(iwl_mei_cache.priv,
755 status->link_prot_state, false);
756 }
757
758 static void iwl_mei_set_init_conf(struct iwl_mei *mei)
759 {
760 struct iwl_sap_notif_host_link_up link_msg = {
761 .hdr.type = cpu_to_le16(SAP_MSG_NOTIF_HOST_LINK_UP),
762 .hdr.len = cpu_to_le16(sizeof(link_msg) - sizeof(link_msg.hdr)),
763 };
764 struct iwl_sap_notif_country_code mcc_msg = {
765 .hdr.type = cpu_to_le16(SAP_MSG_NOTIF_COUNTRY_CODE),
766 .hdr.len = cpu_to_le16(sizeof(mcc_msg) - sizeof(mcc_msg.hdr)),
767 .mcc = cpu_to_le16(iwl_mei_cache.mcc),
768 };
769 struct iwl_sap_notif_sar_limits sar_msg = {
770 .hdr.type = cpu_to_le16(SAP_MSG_NOTIF_SAR_LIMITS),
771 .hdr.len = cpu_to_le16(sizeof(sar_msg) - sizeof(sar_msg.hdr)),
772 };
773 struct iwl_sap_notif_host_nic_info nic_info_msg = {
774 .hdr.type = cpu_to_le16(SAP_MSG_NOTIF_NIC_INFO),
775 .hdr.len = cpu_to_le16(sizeof(nic_info_msg) - sizeof(nic_info_msg.hdr)),
776 };
777 struct iwl_sap_msg_dw rfkill_msg = {
778 .hdr.type = cpu_to_le16(SAP_MSG_NOTIF_RADIO_STATE),
779 .hdr.len = cpu_to_le16(sizeof(rfkill_msg) - sizeof(rfkill_msg.hdr)),
780 .val = cpu_to_le32(iwl_mei_cache.rf_kill),
781 };
782
783 /* wifi driver has registered already */
784 if (iwl_mei_cache.ops) {
785 iwl_mei_send_sap_msg(mei->cldev,
786 SAP_MSG_NOTIF_WIFIDR_UP);
787 iwl_mei_cache.ops->sap_connected(iwl_mei_cache.priv);
788 }
789
790 iwl_mei_send_sap_msg(mei->cldev, SAP_MSG_NOTIF_WHO_OWNS_NIC);
791
792 if (iwl_mei_cache.conn_info) {
793 link_msg.conn_info = *iwl_mei_cache.conn_info;
794 iwl_mei_send_sap_msg_payload(mei->cldev, &link_msg.hdr);
795 }
796
797 iwl_mei_send_sap_msg_payload(mei->cldev, &mcc_msg.hdr);
798
799 if (iwl_mei_cache.power_limit) {
800 memcpy(sar_msg.sar_chain_info_table, iwl_mei_cache.power_limit,
801 sizeof(sar_msg.sar_chain_info_table));
802 iwl_mei_send_sap_msg_payload(mei->cldev, &sar_msg.hdr);
803 }
804
805 if (is_valid_ether_addr(iwl_mei_cache.mac_address)) {
806 ether_addr_copy(nic_info_msg.mac_address,
807 iwl_mei_cache.mac_address);
808 ether_addr_copy(nic_info_msg.nvm_address,
809 iwl_mei_cache.nvm_address);
810 iwl_mei_send_sap_msg_payload(mei->cldev, &nic_info_msg.hdr);
811 }
812
813 iwl_mei_send_sap_msg_payload(mei->cldev, &rfkill_msg.hdr);
814 }
815
816 static void iwl_mei_handle_amt_state(struct mei_cl_device *cldev,
817 const struct iwl_sap_msg_dw *dw)
818 {
819 struct iwl_mei *mei = mei_cldev_get_drvdata(cldev);
820
821 mutex_lock(&iwl_mei_mutex);
822
823 if (mei->amt_enabled == !!le32_to_cpu(dw->val))
824 goto out;
825
826 mei->amt_enabled = dw->val;
827
828 if (mei->amt_enabled)
829 iwl_mei_set_init_conf(mei);
830 else if (iwl_mei_cache.ops)
831 iwl_mei_cache.ops->rfkill(iwl_mei_cache.priv, false, false);
832
833 schedule_work(&mei->netdev_work);
834
835 out:
836 mutex_unlock(&iwl_mei_mutex);
837 }
838
839 static void iwl_mei_handle_nic_owner(struct mei_cl_device *cldev,
840 const struct iwl_sap_msg_dw *dw)
841 {
842 struct iwl_mei *mei = mei_cldev_get_drvdata(cldev);
843
844 mei->got_ownership = dw->val != cpu_to_le32(SAP_NIC_OWNER_ME);
845 }
846
847 static void iwl_mei_handle_can_release_ownership(struct mei_cl_device *cldev,
848 const void *payload)
849 {
850 /* We can get ownership and driver is registered, go ahead */
851 if (iwl_mei_cache.ops)
852 iwl_mei_send_sap_msg(cldev,
853 SAP_MSG_NOTIF_HOST_ASKS_FOR_NIC_OWNERSHIP);
854 }
855
856 static void iwl_mei_handle_csme_taking_ownership(struct mei_cl_device *cldev,
857 const void *payload)
858 {
859 struct iwl_mei *mei = mei_cldev_get_drvdata(cldev);
860
861 dev_info(&cldev->dev, "CSME takes ownership\n");
862
863 mei->got_ownership = false;
864
865 if (iwl_mei_cache.ops && !mei->device_down) {
866 /*
867 * Remember to send CSME_OWNERSHIP_CONFIRMED when the wifi
868 * driver is finished taking the device down.
869 */
870 mei->csme_taking_ownership = true;
871
872 iwl_mei_cache.ops->rfkill(iwl_mei_cache.priv, true, true);
873 } else {
874 iwl_mei_send_sap_msg(cldev,
875 SAP_MSG_NOTIF_CSME_OWNERSHIP_CONFIRMED);
876 schedule_delayed_work(&mei->ownership_dwork,
877 MEI_OWNERSHIP_RETAKE_TIMEOUT_MS);
878 }
879 }
880
881 static void iwl_mei_handle_nvm(struct mei_cl_device *cldev,
882 const struct iwl_sap_nvm *sap_nvm)
883 {
884 struct iwl_mei *mei = mei_cldev_get_drvdata(cldev);
885 const struct iwl_mei_nvm *mei_nvm = (const void *)sap_nvm;
886 int i;
887
888 kfree(mei->nvm);
889 mei->nvm = kzalloc(sizeof(*mei_nvm), GFP_KERNEL);
890 if (!mei->nvm)
891 return;
892
893 ether_addr_copy(mei->nvm->hw_addr, sap_nvm->hw_addr);
894 mei->nvm->n_hw_addrs = sap_nvm->n_hw_addrs;
895 mei->nvm->radio_cfg = le32_to_cpu(sap_nvm->radio_cfg);
896 mei->nvm->caps = le32_to_cpu(sap_nvm->caps);
897 mei->nvm->nvm_version = le32_to_cpu(sap_nvm->nvm_version);
898
899 for (i = 0; i < ARRAY_SIZE(mei->nvm->channels); i++)
900 mei->nvm->channels[i] = le32_to_cpu(sap_nvm->channels[i]);
901
902 wake_up_all(&mei->get_nvm_wq);
903 }
904
905 static void iwl_mei_handle_rx_host_own_req(struct mei_cl_device *cldev,
906 const struct iwl_sap_msg_dw *dw)
907 {
908 struct iwl_mei *mei = mei_cldev_get_drvdata(cldev);
909
910 /*
911 * This means that we can't use the wifi device right now, CSME is not
912 * ready to let us use it.
913 */
914 if (!dw->val) {
915 dev_info(&cldev->dev, "Ownership req denied\n");
916 return;
917 }
918
919 mei->got_ownership = true;
920 wake_up_all(&mei->get_ownership_wq);
921
922 iwl_mei_send_sap_msg(cldev,
923 SAP_MSG_NOTIF_HOST_OWNERSHIP_CONFIRMED);
924
925 /* We can now start the connection, unblock rfkill */
926 if (iwl_mei_cache.ops)
927 iwl_mei_cache.ops->rfkill(iwl_mei_cache.priv, false, false);
928 }
929
930 static void iwl_mei_handle_pldr_ack(struct mei_cl_device *cldev,
931 const struct iwl_sap_pldr_ack_data *ack)
932 {
933 struct iwl_mei *mei = mei_cldev_get_drvdata(cldev);
934
935 mei->pldr_active = le32_to_cpu(ack->status) == SAP_PLDR_STATUS_SUCCESS;
936 wake_up_all(&mei->pldr_wq);
937 }
938
939 static void iwl_mei_handle_ping(struct mei_cl_device *cldev,
940 const struct iwl_sap_hdr *hdr)
941 {
942 iwl_mei_send_sap_msg(cldev, SAP_MSG_NOTIF_PONG);
943 }
944
945 static void iwl_mei_handle_sap_msg(struct mei_cl_device *cldev,
946 const struct iwl_sap_hdr *hdr)
947 {
948 u16 len = le16_to_cpu(hdr->len) + sizeof(*hdr);
949 u16 type = le16_to_cpu(hdr->type);
950
951 dev_dbg(&cldev->dev,
952 "Got a new SAP message: type %d, len %d, seq %d\n",
953 le16_to_cpu(hdr->type), len,
954 le32_to_cpu(hdr->seq_num));
955
956 #define SAP_MSG_HANDLER(_cmd, _handler, _sz) \
957 case SAP_MSG_NOTIF_ ## _cmd: \
958 if (len < _sz) { \
959 dev_err(&cldev->dev, \
960 "Bad size for %d: %u < %u\n", \
961 le16_to_cpu(hdr->type), \
962 (unsigned int)len, \
963 (unsigned int)_sz); \
964 break; \
965 } \
966 mutex_lock(&iwl_mei_mutex); \
967 _handler(cldev, (const void *)hdr); \
968 mutex_unlock(&iwl_mei_mutex); \
969 break
970
971 #define SAP_MSG_HANDLER_NO_LOCK(_cmd, _handler, _sz) \
972 case SAP_MSG_NOTIF_ ## _cmd: \
973 if (len < _sz) { \
974 dev_err(&cldev->dev, \
975 "Bad size for %d: %u < %u\n", \
976 le16_to_cpu(hdr->type), \
977 (unsigned int)len, \
978 (unsigned int)_sz); \
979 break; \
980 } \
981 _handler(cldev, (const void *)hdr); \
982 break
983
984 #define SAP_MSG_HANDLER_NO_HANDLER(_cmd, _sz) \
985 case SAP_MSG_NOTIF_ ## _cmd: \
986 if (len < _sz) { \
987 dev_err(&cldev->dev, \
988 "Bad size for %d: %u < %u\n", \
989 le16_to_cpu(hdr->type), \
990 (unsigned int)len, \
991 (unsigned int)_sz); \
992 break; \
993 } \
994 break
995
996 switch (type) {
997 SAP_MSG_HANDLER(PING, iwl_mei_handle_ping, 0);
998 SAP_MSG_HANDLER(CSME_FILTERS,
999 iwl_mei_handle_csme_filters,
1000 sizeof(struct iwl_sap_csme_filters));
1001 SAP_MSG_HANDLER(CSME_CONN_STATUS,
1002 iwl_mei_handle_conn_status,
1003 sizeof(struct iwl_sap_notif_conn_status));
1004 SAP_MSG_HANDLER_NO_LOCK(AMT_STATE,
1005 iwl_mei_handle_amt_state,
1006 sizeof(struct iwl_sap_msg_dw));
1007 SAP_MSG_HANDLER_NO_HANDLER(PONG, 0);
1008 SAP_MSG_HANDLER(NVM, iwl_mei_handle_nvm,
1009 sizeof(struct iwl_sap_nvm));
1010 SAP_MSG_HANDLER(CSME_REPLY_TO_HOST_OWNERSHIP_REQ,
1011 iwl_mei_handle_rx_host_own_req,
1012 sizeof(struct iwl_sap_msg_dw));
1013 SAP_MSG_HANDLER(NIC_OWNER, iwl_mei_handle_nic_owner,
1014 sizeof(struct iwl_sap_msg_dw));
1015 SAP_MSG_HANDLER(CSME_CAN_RELEASE_OWNERSHIP,
1016 iwl_mei_handle_can_release_ownership, 0);
1017 SAP_MSG_HANDLER(CSME_TAKING_OWNERSHIP,
1018 iwl_mei_handle_csme_taking_ownership, 0);
1019 SAP_MSG_HANDLER(PLDR_ACK, iwl_mei_handle_pldr_ack,
1020 sizeof(struct iwl_sap_pldr_ack_data));
1021 default:
1022 /*
1023 * This is not really an error, there are message that we decided
1024 * to ignore, yet, it is useful to be able to leave a note if debug
1025 * is enabled.
1026 */
1027 dev_dbg(&cldev->dev, "Unsupported message: type %d, len %d\n",
1028 le16_to_cpu(hdr->type), len);
1029 }
1030
1031 #undef SAP_MSG_HANDLER
1032 #undef SAP_MSG_HANDLER_NO_LOCK
1033 }
1034
1035 static void iwl_mei_read_from_q(const u8 *q_head, u32 q_sz,
1036 u32 *_rd, u32 wr,
1037 void *_buf, u32 len)
1038 {
1039 u8 *buf = _buf;
1040 u32 rd = *_rd;
1041
1042 if (rd + len <= q_sz) {
1043 memcpy(buf, q_head + rd, len);
1044 rd += len;
1045 } else {
1046 memcpy(buf, q_head + rd, q_sz - rd);
1047 memcpy(buf + q_sz - rd, q_head, len - (q_sz - rd));
1048 rd = len - (q_sz - rd);
1049 }
1050
1051 *_rd = rd;
1052 }
1053
1054 #define QOS_HDR_IV_SNAP_LEN (sizeof(struct ieee80211_qos_hdr) + \
1055 IEEE80211_TKIP_IV_LEN + \
1056 sizeof(rfc1042_header) + ETH_TLEN)
1057
1058 static void iwl_mei_handle_sap_data(struct mei_cl_device *cldev,
1059 const u8 *q_head, u32 q_sz,
1060 u32 rd, u32 wr, ssize_t valid_rx_sz,
1061 struct sk_buff_head *tx_skbs)
1062 {
1063 struct iwl_sap_hdr hdr;
1064 struct net_device *netdev =
1065 rcu_dereference_protected(iwl_mei_cache.netdev,
1066 lockdep_is_held(&iwl_mei_mutex));
1067
1068 if (!netdev)
1069 return;
1070
1071 while (valid_rx_sz >= sizeof(hdr)) {
1072 struct ethhdr *ethhdr;
1073 unsigned char *data;
1074 struct sk_buff *skb;
1075 u16 len;
1076
1077 iwl_mei_read_from_q(q_head, q_sz, &rd, wr, &hdr, sizeof(hdr));
1078 valid_rx_sz -= sizeof(hdr);
1079 len = le16_to_cpu(hdr.len);
1080
1081 if (valid_rx_sz < len) {
1082 dev_err(&cldev->dev,
1083 "Data queue is corrupted: valid data len %zd, len %d\n",
1084 valid_rx_sz, len);
1085 break;
1086 }
1087
1088 if (len < sizeof(*ethhdr)) {
1089 dev_err(&cldev->dev,
1090 "Data len is smaller than an ethernet header? len = %d\n",
1091 len);
1092 }
1093
1094 valid_rx_sz -= len;
1095
1096 if (le16_to_cpu(hdr.type) != SAP_MSG_DATA_PACKET) {
1097 dev_err(&cldev->dev, "Unsupported Rx data: type %d, len %d\n",
1098 le16_to_cpu(hdr.type), len);
1099 continue;
1100 }
1101
1102 /* We need enough room for the WiFi header + SNAP + IV */
1103 skb = netdev_alloc_skb(netdev, len + QOS_HDR_IV_SNAP_LEN);
1104 if (!skb)
1105 continue;
1106
1107 skb_reserve(skb, QOS_HDR_IV_SNAP_LEN);
1108 ethhdr = skb_push(skb, sizeof(*ethhdr));
1109
1110 iwl_mei_read_from_q(q_head, q_sz, &rd, wr,
1111 ethhdr, sizeof(*ethhdr));
1112 len -= sizeof(*ethhdr);
1113
1114 skb_reset_mac_header(skb);
1115 skb_reset_network_header(skb);
1116 skb->protocol = ethhdr->h_proto;
1117
1118 data = skb_put(skb, len);
1119 iwl_mei_read_from_q(q_head, q_sz, &rd, wr, data, len);
1120
1121 /*
1122 * Enqueue the skb here so that it can be sent later when we
1123 * do not hold the mutex. TX'ing a packet with a mutex held is
1124 * possible, but it wouldn't be nice to forbid the TX path to
1125 * call any of iwlmei's functions, since every API from iwlmei
1126 * needs the mutex.
1127 */
1128 __skb_queue_tail(tx_skbs, skb);
1129 }
1130 }
1131
1132 static void iwl_mei_handle_sap_rx_cmd(struct mei_cl_device *cldev,
1133 const u8 *q_head, u32 q_sz,
1134 u32 rd, u32 wr, ssize_t valid_rx_sz)
1135 {
1136 struct page *p = alloc_page(GFP_KERNEL);
1137 struct iwl_sap_hdr *hdr;
1138
1139 if (!p)
1140 return;
1141
1142 hdr = page_address(p);
1143
1144 while (valid_rx_sz >= sizeof(*hdr)) {
1145 u16 len;
1146
1147 iwl_mei_read_from_q(q_head, q_sz, &rd, wr, hdr, sizeof(*hdr));
1148 valid_rx_sz -= sizeof(*hdr);
1149 len = le16_to_cpu(hdr->len);
1150
1151 if (valid_rx_sz < len)
1152 break;
1153
1154 iwl_mei_read_from_q(q_head, q_sz, &rd, wr, hdr + 1, len);
1155
1156 trace_iwlmei_sap_cmd(hdr, false);
1157 iwl_mei_handle_sap_msg(cldev, hdr);
1158 valid_rx_sz -= len;
1159 }
1160
1161 /* valid_rx_sz must be 0 now... */
1162 if (valid_rx_sz)
1163 dev_err(&cldev->dev,
1164 "More data in the buffer although we read it all\n");
1165
1166 __free_page(p);
1167 }
1168
1169 static void iwl_mei_handle_sap_rx(struct mei_cl_device *cldev,
1170 struct iwl_sap_q_ctrl_blk *notif_q,
1171 const u8 *q_head,
1172 struct sk_buff_head *skbs,
1173 u32 q_sz)
1174 {
1175 u32 rd = le32_to_cpu(READ_ONCE(notif_q->rd_ptr));
1176 u32 wr = le32_to_cpu(READ_ONCE(notif_q->wr_ptr));
1177 ssize_t valid_rx_sz;
1178
1179 if (rd > q_sz || wr > q_sz) {
1180 dev_err(&cldev->dev,
1181 "Pointers are past the buffer limit\n");
1182 return;
1183 }
1184
1185 if (rd == wr)
1186 return;
1187
1188 valid_rx_sz = wr > rd ? wr - rd : q_sz - rd + wr;
1189
1190 if (skbs)
1191 iwl_mei_handle_sap_data(cldev, q_head, q_sz, rd, wr,
1192 valid_rx_sz, skbs);
1193 else
1194 iwl_mei_handle_sap_rx_cmd(cldev, q_head, q_sz, rd, wr,
1195 valid_rx_sz);
1196
1197 /* Increment the read pointer to point to the write pointer */
1198 WRITE_ONCE(notif_q->rd_ptr, cpu_to_le32(wr));
1199 }
1200
1201 static void iwl_mei_handle_check_shared_area(struct mei_cl_device *cldev)
1202 {
1203 struct iwl_mei *mei = mei_cldev_get_drvdata(cldev);
1204 struct iwl_sap_q_ctrl_blk *notif_q;
1205 struct sk_buff_head tx_skbs;
1206 struct iwl_sap_dir *dir;
1207 void *q_head;
1208 u32 q_sz;
1209
1210 if (!mei->shared_mem.ctrl)
1211 return;
1212
1213 dir = &mei->shared_mem.ctrl->dir[SAP_DIRECTION_ME_TO_HOST];
1214 notif_q = &dir->q_ctrl_blk[SAP_QUEUE_IDX_NOTIF];
1215 q_head = mei->shared_mem.q_head[SAP_DIRECTION_ME_TO_HOST][SAP_QUEUE_IDX_NOTIF];
1216 q_sz = mei->shared_mem.q_size[SAP_DIRECTION_ME_TO_HOST][SAP_QUEUE_IDX_NOTIF];
1217
1218 /*
1219 * Do not hold the mutex here, but rather each and every message
1220 * handler takes it.
1221 * This allows message handlers to take it at a certain time.
1222 */
1223 iwl_mei_handle_sap_rx(cldev, notif_q, q_head, NULL, q_sz);
1224
1225 mutex_lock(&iwl_mei_mutex);
1226 dir = &mei->shared_mem.ctrl->dir[SAP_DIRECTION_ME_TO_HOST];
1227 notif_q = &dir->q_ctrl_blk[SAP_QUEUE_IDX_DATA];
1228 q_head = mei->shared_mem.q_head[SAP_DIRECTION_ME_TO_HOST][SAP_QUEUE_IDX_DATA];
1229 q_sz = mei->shared_mem.q_size[SAP_DIRECTION_ME_TO_HOST][SAP_QUEUE_IDX_DATA];
1230
1231 __skb_queue_head_init(&tx_skbs);
1232
1233 iwl_mei_handle_sap_rx(cldev, notif_q, q_head, &tx_skbs, q_sz);
1234
1235 if (skb_queue_empty(&tx_skbs)) {
1236 mutex_unlock(&iwl_mei_mutex);
1237 return;
1238 }
1239
1240 /*
1241 * Take the RCU read lock before we unlock the mutex to make sure that
1242 * even if the netdev is replaced by another non-NULL netdev right after
1243 * we unlock the mutex, the old netdev will still be valid when we
1244 * transmit the frames. We can't allow to replace the netdev here because
1245 * the skbs hold a pointer to the netdev.
1246 */
1247 rcu_read_lock();
1248
1249 mutex_unlock(&iwl_mei_mutex);
1250
1251 if (!rcu_access_pointer(iwl_mei_cache.netdev)) {
1252 dev_err(&cldev->dev, "Can't Tx without a netdev\n");
1253 skb_queue_purge(&tx_skbs);
1254 goto out;
1255 }
1256
1257 while (!skb_queue_empty(&tx_skbs)) {
1258 struct sk_buff *skb = __skb_dequeue(&tx_skbs);
1259
1260 trace_iwlmei_sap_data(skb, IWL_SAP_RX_DATA_TO_AIR);
1261 dev_queue_xmit(skb);
1262 }
1263
1264 out:
1265 rcu_read_unlock();
1266 }
1267
1268 static void iwl_mei_rx(struct mei_cl_device *cldev)
1269 {
1270 struct iwl_sap_me_msg_hdr *hdr;
1271 u8 msg[100];
1272 ssize_t ret;
1273
1274 ret = mei_cldev_recv(cldev, (u8 *)&msg, sizeof(msg));
1275 if (ret < 0) {
1276 dev_err(&cldev->dev, "failed to receive data: %zd\n", ret);
1277 return;
1278 }
1279
1280 if (ret == 0) {
1281 dev_err(&cldev->dev, "got an empty response\n");
1282 return;
1283 }
1284
1285 hdr = (void *)msg;
1286 trace_iwlmei_me_msg(hdr, false);
1287
1288 switch (le32_to_cpu(hdr->type)) {
1289 case SAP_ME_MSG_START_OK:
1290 BUILD_BUG_ON(sizeof(struct iwl_sap_me_msg_start_ok) >
1291 sizeof(msg));
1292
1293 iwl_mei_handle_rx_start_ok(cldev, (void *)msg, ret);
1294 break;
1295 case SAP_ME_MSG_CHECK_SHARED_AREA:
1296 iwl_mei_handle_check_shared_area(cldev);
1297 break;
1298 default:
1299 dev_err(&cldev->dev, "got a RX notification: %d\n",
1300 le32_to_cpu(hdr->type));
1301 break;
1302 }
1303 }
1304
1305 static int iwl_mei_send_start(struct mei_cl_device *cldev)
1306 {
1307 struct iwl_mei *mei = mei_cldev_get_drvdata(cldev);
1308 struct iwl_sap_me_msg_start msg = {
1309 .hdr.type = cpu_to_le32(SAP_ME_MSG_START),
1310 .hdr.seq_num = cpu_to_le32(atomic_inc_return(&mei->seq_no)),
1311 .hdr.len = cpu_to_le32(sizeof(msg)),
1312 .supported_versions[0] = iwl_mei_cache.sap_version,
1313 .init_data_seq_num = cpu_to_le16(0x100),
1314 .init_notif_seq_num = cpu_to_le16(0x800),
1315 };
1316 int ret;
1317
1318 trace_iwlmei_me_msg(&msg.hdr, true);
1319 ret = mei_cldev_send(cldev, (void *)&msg, sizeof(msg));
1320 if (ret != sizeof(msg)) {
1321 dev_err(&cldev->dev,
1322 "failed to send the SAP_ME_MSG_START message %d\n",
1323 ret);
1324 return ret;
1325 }
1326
1327 return 0;
1328 }
1329
1330 static int iwl_mei_enable(struct mei_cl_device *cldev)
1331 {
1332 int ret;
1333
1334 ret = mei_cldev_enable(cldev);
1335 if (ret < 0) {
1336 dev_err(&cldev->dev, "failed to enable the device: %d\n", ret);
1337 return ret;
1338 }
1339
1340 ret = mei_cldev_register_rx_cb(cldev, iwl_mei_rx);
1341 if (ret) {
1342 dev_err(&cldev->dev,
1343 "failed to register to the rx cb: %d\n", ret);
1344 mei_cldev_disable(cldev);
1345 return ret;
1346 }
1347
1348 return 0;
1349 }
1350
1351 struct iwl_mei_nvm *iwl_mei_get_nvm(void)
1352 {
1353 struct iwl_mei_nvm *nvm = NULL;
1354 struct iwl_mei *mei;
1355 int ret;
1356
1357 mutex_lock(&iwl_mei_mutex);
1358
1359 if (!iwl_mei_is_connected())
1360 goto out;
1361
1362 mei = mei_cldev_get_drvdata(iwl_mei_global_cldev);
1363
1364 if (!mei)
1365 goto out;
1366
1367 ret = iwl_mei_send_sap_msg(iwl_mei_global_cldev,
1368 SAP_MSG_NOTIF_GET_NVM);
1369 if (ret)
1370 goto out;
1371
1372 mutex_unlock(&iwl_mei_mutex);
1373
1374 ret = wait_event_timeout(mei->get_nvm_wq, mei->nvm, 2 * HZ);
1375 if (!ret)
1376 return NULL;
1377
1378 mutex_lock(&iwl_mei_mutex);
1379
1380 if (!iwl_mei_is_connected())
1381 goto out;
1382
1383 mei = mei_cldev_get_drvdata(iwl_mei_global_cldev);
1384
1385 if (!mei)
1386 goto out;
1387
1388 if (mei->nvm)
1389 nvm = kmemdup(mei->nvm, sizeof(*mei->nvm), GFP_KERNEL);
1390
1391 out:
1392 mutex_unlock(&iwl_mei_mutex);
1393 return nvm;
1394 }
1395 EXPORT_SYMBOL_GPL(iwl_mei_get_nvm);
1396
1397 #define IWL_MEI_PLDR_NUM_RETRIES 3
1398
1399 int iwl_mei_pldr_req(void)
1400 {
1401 struct iwl_mei *mei;
1402 int ret;
1403 struct iwl_sap_pldr_data msg = {
1404 .hdr.type = cpu_to_le16(SAP_MSG_NOTIF_PLDR),
1405 .hdr.len = cpu_to_le16(sizeof(msg) - sizeof(msg.hdr)),
1406 };
1407 int i;
1408
1409 mutex_lock(&iwl_mei_mutex);
1410
1411 /* In case we didn't have a bind */
1412 if (!iwl_mei_is_connected()) {
1413 ret = 0;
1414 goto out;
1415 }
1416
1417 mei = mei_cldev_get_drvdata(iwl_mei_global_cldev);
1418
1419 if (!mei) {
1420 ret = -ENODEV;
1421 goto out;
1422 }
1423
1424 if (!mei->amt_enabled) {
1425 ret = 0;
1426 goto out;
1427 }
1428
1429 for (i = 0; i < IWL_MEI_PLDR_NUM_RETRIES; i++) {
1430 ret = iwl_mei_send_sap_msg_payload(mei->cldev, &msg.hdr);
1431 mutex_unlock(&iwl_mei_mutex);
1432 if (ret)
1433 return ret;
1434
1435 ret = wait_event_timeout(mei->pldr_wq, mei->pldr_active, HZ / 2);
1436 if (ret)
1437 break;
1438
1439 /* Take the mutex for the next iteration */
1440 mutex_lock(&iwl_mei_mutex);
1441 }
1442
1443 if (ret)
1444 return 0;
1445
1446 ret = -ETIMEDOUT;
1447 out:
1448 mutex_unlock(&iwl_mei_mutex);
1449 return ret;
1450 }
1451 EXPORT_SYMBOL_GPL(iwl_mei_pldr_req);
1452
1453 int iwl_mei_get_ownership(void)
1454 {
1455 struct iwl_mei *mei;
1456 int ret;
1457
1458 mutex_lock(&iwl_mei_mutex);
1459
1460 /* In case we didn't have a bind */
1461 if (!iwl_mei_is_connected()) {
1462 ret = 0;
1463 goto out;
1464 }
1465
1466 mei = mei_cldev_get_drvdata(iwl_mei_global_cldev);
1467
1468 if (!mei) {
1469 ret = -ENODEV;
1470 goto out;
1471 }
1472
1473 if (!mei->amt_enabled) {
1474 ret = 0;
1475 goto out;
1476 }
1477
1478 if (mei->got_ownership) {
1479 ret = 0;
1480 goto out;
1481 }
1482
1483 ret = iwl_mei_send_sap_msg(mei->cldev,
1484 SAP_MSG_NOTIF_HOST_ASKS_FOR_NIC_OWNERSHIP);
1485 if (ret)
1486 goto out;
1487
1488 mutex_unlock(&iwl_mei_mutex);
1489
1490 ret = wait_event_timeout(mei->get_ownership_wq,
1491 mei->got_ownership, HZ / 2);
1492 if (!ret) {
1493 schedule_delayed_work(&mei->ownership_dwork,
1494 MEI_OWNERSHIP_RETAKE_TIMEOUT_MS);
1495 return -ETIMEDOUT;
1496 }
1497
1498 return 0;
1499 out:
1500 mutex_unlock(&iwl_mei_mutex);
1501 return ret;
1502 }
1503 EXPORT_SYMBOL_GPL(iwl_mei_get_ownership);
1504
1505 void iwl_mei_alive_notif(bool success)
1506 {
1507 struct iwl_mei *mei;
1508 struct iwl_sap_pldr_end_data msg = {
1509 .hdr.type = cpu_to_le16(SAP_MSG_NOTIF_PLDR_END),
1510 .hdr.len = cpu_to_le16(sizeof(msg) - sizeof(msg.hdr)),
1511 .status = success ? cpu_to_le32(SAP_PLDR_STATUS_SUCCESS) :
1512 cpu_to_le32(SAP_PLDR_STATUS_FAILURE),
1513 };
1514
1515 mutex_lock(&iwl_mei_mutex);
1516
1517 if (!iwl_mei_is_connected())
1518 goto out;
1519
1520 mei = mei_cldev_get_drvdata(iwl_mei_global_cldev);
1521 if (!mei || !mei->pldr_active)
1522 goto out;
1523
1524 mei->pldr_active = false;
1525
1526 iwl_mei_send_sap_msg_payload(mei->cldev, &msg.hdr);
1527 out:
1528 mutex_unlock(&iwl_mei_mutex);
1529 }
1530 EXPORT_SYMBOL_GPL(iwl_mei_alive_notif);
1531
1532 void iwl_mei_host_associated(const struct iwl_mei_conn_info *conn_info,
1533 const struct iwl_mei_colloc_info *colloc_info)
1534 {
1535 struct iwl_sap_notif_host_link_up msg = {
1536 .hdr.type = cpu_to_le16(SAP_MSG_NOTIF_HOST_LINK_UP),
1537 .hdr.len = cpu_to_le16(sizeof(msg) - sizeof(msg.hdr)),
1538 .conn_info = {
1539 .ssid_len = cpu_to_le32(conn_info->ssid_len),
1540 .channel = conn_info->channel,
1541 .band = conn_info->band,
1542 .pairwise_cipher = cpu_to_le32(conn_info->pairwise_cipher),
1543 .auth_mode = cpu_to_le32(conn_info->auth_mode),
1544 },
1545 };
1546 struct iwl_mei *mei;
1547
1548 if (conn_info->ssid_len > ARRAY_SIZE(msg.conn_info.ssid))
1549 return;
1550
1551 memcpy(msg.conn_info.ssid, conn_info->ssid, conn_info->ssid_len);
1552 memcpy(msg.conn_info.bssid, conn_info->bssid, ETH_ALEN);
1553
1554 if (colloc_info) {
1555 msg.colloc_channel = colloc_info->channel;
1556 msg.colloc_band = colloc_info->channel <= 14 ? 0 : 1;
1557 memcpy(msg.colloc_bssid, colloc_info->bssid, ETH_ALEN);
1558 }
1559
1560 mutex_lock(&iwl_mei_mutex);
1561
1562 if (!iwl_mei_is_connected())
1563 goto out;
1564
1565 mei = mei_cldev_get_drvdata(iwl_mei_global_cldev);
1566
1567 if (!mei || !mei->amt_enabled)
1568 goto out;
1569
1570 iwl_mei_send_sap_msg_payload(mei->cldev, &msg.hdr);
1571
1572 out:
1573 kfree(iwl_mei_cache.conn_info);
1574 iwl_mei_cache.conn_info =
1575 kmemdup(&msg.conn_info, sizeof(msg.conn_info), GFP_KERNEL);
1576 mutex_unlock(&iwl_mei_mutex);
1577 }
1578 EXPORT_SYMBOL_GPL(iwl_mei_host_associated);
1579
1580 void iwl_mei_host_disassociated(void)
1581 {
1582 struct iwl_mei *mei;
1583 struct iwl_sap_notif_host_link_down msg = {
1584 .hdr.type = cpu_to_le16(SAP_MSG_NOTIF_HOST_LINK_DOWN),
1585 .hdr.len = cpu_to_le16(sizeof(msg) - sizeof(msg.hdr)),
1586 .type = HOST_LINK_DOWN_TYPE_TEMPORARY,
1587 };
1588
1589 mutex_lock(&iwl_mei_mutex);
1590
1591 if (!iwl_mei_is_connected())
1592 goto out;
1593
1594 mei = mei_cldev_get_drvdata(iwl_mei_global_cldev);
1595
1596 if (!mei || !mei->amt_enabled)
1597 goto out;
1598
1599 iwl_mei_send_sap_msg_payload(mei->cldev, &msg.hdr);
1600
1601 out:
1602 kfree(iwl_mei_cache.conn_info);
1603 iwl_mei_cache.conn_info = NULL;
1604 mutex_unlock(&iwl_mei_mutex);
1605 }
1606 EXPORT_SYMBOL_GPL(iwl_mei_host_disassociated);
1607
1608 void iwl_mei_set_rfkill_state(bool hw_rfkill, bool sw_rfkill)
1609 {
1610 struct iwl_mei *mei;
1611 u32 rfkill_state = 0;
1612 struct iwl_sap_msg_dw msg = {
1613 .hdr.type = cpu_to_le16(SAP_MSG_NOTIF_RADIO_STATE),
1614 .hdr.len = cpu_to_le16(sizeof(msg) - sizeof(msg.hdr)),
1615 };
1616
1617 if (!sw_rfkill)
1618 rfkill_state |= SAP_SW_RFKILL_DEASSERTED;
1619
1620 if (!hw_rfkill)
1621 rfkill_state |= SAP_HW_RFKILL_DEASSERTED;
1622
1623 mutex_lock(&iwl_mei_mutex);
1624
1625 if (!iwl_mei_is_connected())
1626 goto out;
1627
1628 msg.val = cpu_to_le32(rfkill_state);
1629
1630 mei = mei_cldev_get_drvdata(iwl_mei_global_cldev);
1631
1632 if (!mei || !mei->amt_enabled)
1633 goto out;
1634
1635 iwl_mei_send_sap_msg_payload(mei->cldev, &msg.hdr);
1636
1637 out:
1638 iwl_mei_cache.rf_kill = rfkill_state;
1639 mutex_unlock(&iwl_mei_mutex);
1640 }
1641 EXPORT_SYMBOL_GPL(iwl_mei_set_rfkill_state);
1642
1643 void iwl_mei_set_nic_info(const u8 *mac_address, const u8 *nvm_address)
1644 {
1645 struct iwl_mei *mei;
1646 struct iwl_sap_notif_host_nic_info msg = {
1647 .hdr.type = cpu_to_le16(SAP_MSG_NOTIF_NIC_INFO),
1648 .hdr.len = cpu_to_le16(sizeof(msg) - sizeof(msg.hdr)),
1649 };
1650
1651 mutex_lock(&iwl_mei_mutex);
1652
1653 if (!iwl_mei_is_connected())
1654 goto out;
1655
1656 ether_addr_copy(msg.mac_address, mac_address);
1657 ether_addr_copy(msg.nvm_address, nvm_address);
1658
1659 mei = mei_cldev_get_drvdata(iwl_mei_global_cldev);
1660
1661 if (!mei || !mei->amt_enabled)
1662 goto out;
1663
1664 iwl_mei_send_sap_msg_payload(mei->cldev, &msg.hdr);
1665
1666 out:
1667 ether_addr_copy(iwl_mei_cache.mac_address, mac_address);
1668 ether_addr_copy(iwl_mei_cache.nvm_address, nvm_address);
1669 mutex_unlock(&iwl_mei_mutex);
1670 }
1671 EXPORT_SYMBOL_GPL(iwl_mei_set_nic_info);
1672
1673 void iwl_mei_set_country_code(u16 mcc)
1674 {
1675 struct iwl_mei *mei;
1676 struct iwl_sap_notif_country_code msg = {
1677 .hdr.type = cpu_to_le16(SAP_MSG_NOTIF_COUNTRY_CODE),
1678 .hdr.len = cpu_to_le16(sizeof(msg) - sizeof(msg.hdr)),
1679 .mcc = cpu_to_le16(mcc),
1680 };
1681
1682 mutex_lock(&iwl_mei_mutex);
1683
1684 if (!iwl_mei_is_connected())
1685 goto out;
1686
1687 mei = mei_cldev_get_drvdata(iwl_mei_global_cldev);
1688
1689 if (!mei || !mei->amt_enabled)
1690 goto out;
1691
1692 iwl_mei_send_sap_msg_payload(mei->cldev, &msg.hdr);
1693
1694 out:
1695 iwl_mei_cache.mcc = mcc;
1696 mutex_unlock(&iwl_mei_mutex);
1697 }
1698 EXPORT_SYMBOL_GPL(iwl_mei_set_country_code);
1699
1700 void iwl_mei_set_power_limit(const __le16 *power_limit)
1701 {
1702 struct iwl_mei *mei;
1703 struct iwl_sap_notif_sar_limits msg = {
1704 .hdr.type = cpu_to_le16(SAP_MSG_NOTIF_SAR_LIMITS),
1705 .hdr.len = cpu_to_le16(sizeof(msg) - sizeof(msg.hdr)),
1706 };
1707
1708 mutex_lock(&iwl_mei_mutex);
1709
1710 if (!iwl_mei_is_connected())
1711 goto out;
1712
1713 mei = mei_cldev_get_drvdata(iwl_mei_global_cldev);
1714
1715 if (!mei || !mei->amt_enabled)
1716 goto out;
1717
1718 memcpy(msg.sar_chain_info_table, power_limit, sizeof(msg.sar_chain_info_table));
1719
1720 iwl_mei_send_sap_msg_payload(mei->cldev, &msg.hdr);
1721
1722 out:
1723 kfree(iwl_mei_cache.power_limit);
1724 iwl_mei_cache.power_limit = kmemdup(power_limit,
1725 sizeof(msg.sar_chain_info_table), GFP_KERNEL);
1726 mutex_unlock(&iwl_mei_mutex);
1727 }
1728 EXPORT_SYMBOL_GPL(iwl_mei_set_power_limit);
1729
1730 void iwl_mei_set_netdev(struct net_device *netdev)
1731 {
1732 struct iwl_mei *mei;
1733
1734 mutex_lock(&iwl_mei_mutex);
1735
1736 if (!iwl_mei_is_connected()) {
1737 rcu_assign_pointer(iwl_mei_cache.netdev, netdev);
1738 goto out;
1739 }
1740
1741 mei = mei_cldev_get_drvdata(iwl_mei_global_cldev);
1742
1743 if (!mei)
1744 goto out;
1745
1746 if (!netdev) {
1747 struct net_device *dev =
1748 rcu_dereference_protected(iwl_mei_cache.netdev,
1749 lockdep_is_held(&iwl_mei_mutex));
1750
1751 if (!dev)
1752 goto out;
1753
1754 netdev_rx_handler_unregister(dev);
1755 }
1756
1757 rcu_assign_pointer(iwl_mei_cache.netdev, netdev);
1758
1759 if (netdev && mei->amt_enabled)
1760 netdev_rx_handler_register(netdev, iwl_mei_rx_handler, mei);
1761
1762 out:
1763 mutex_unlock(&iwl_mei_mutex);
1764 }
1765 EXPORT_SYMBOL_GPL(iwl_mei_set_netdev);
1766
1767 void iwl_mei_device_state(bool up)
1768 {
1769 struct iwl_mei *mei;
1770
1771 mutex_lock(&iwl_mei_mutex);
1772
1773 if (!iwl_mei_is_connected())
1774 goto out;
1775
1776 mei = mei_cldev_get_drvdata(iwl_mei_global_cldev);
1777
1778 if (!mei)
1779 goto out;
1780
1781 mei->device_down = !up;
1782
1783 if (up || !mei->csme_taking_ownership)
1784 goto out;
1785
1786 iwl_mei_send_sap_msg(mei->cldev,
1787 SAP_MSG_NOTIF_CSME_OWNERSHIP_CONFIRMED);
1788 mei->csme_taking_ownership = false;
1789 schedule_delayed_work(&mei->ownership_dwork,
1790 MEI_OWNERSHIP_RETAKE_TIMEOUT_MS);
1791 out:
1792 mutex_unlock(&iwl_mei_mutex);
1793 }
1794 EXPORT_SYMBOL_GPL(iwl_mei_device_state);
1795
1796 int iwl_mei_register(void *priv, const struct iwl_mei_ops *ops)
1797 {
1798 int ret;
1799
1800 /*
1801 * We must have a non-NULL priv pointer to not crash when there are
1802 * multiple WiFi devices.
1803 */
1804 if (!priv)
1805 return -EINVAL;
1806
1807 mutex_lock(&iwl_mei_mutex);
1808
1809 /* do not allow registration if someone else already registered */
1810 if (iwl_mei_cache.priv || iwl_mei_cache.ops) {
1811 ret = -EBUSY;
1812 goto out;
1813 }
1814
1815 iwl_mei_cache.priv = priv;
1816 iwl_mei_cache.ops = ops;
1817
1818 if (iwl_mei_global_cldev) {
1819 struct iwl_mei *mei =
1820 mei_cldev_get_drvdata(iwl_mei_global_cldev);
1821
1822 /* we have already a SAP connection */
1823 if (iwl_mei_is_connected()) {
1824 if (mei->amt_enabled)
1825 iwl_mei_send_sap_msg(mei->cldev,
1826 SAP_MSG_NOTIF_WIFIDR_UP);
1827 ops->rfkill(priv, mei->link_prot_state, false);
1828 }
1829 }
1830 ret = 0;
1831
1832 out:
1833 mutex_unlock(&iwl_mei_mutex);
1834 return ret;
1835 }
1836 EXPORT_SYMBOL_GPL(iwl_mei_register);
1837
1838 void iwl_mei_start_unregister(void)
1839 {
1840 mutex_lock(&iwl_mei_mutex);
1841
1842 /* At this point, the wifi driver should have removed the netdev */
1843 if (rcu_access_pointer(iwl_mei_cache.netdev))
1844 pr_err("Still had a netdev pointer set upon unregister\n");
1845
1846 kfree(iwl_mei_cache.conn_info);
1847 iwl_mei_cache.conn_info = NULL;
1848 kfree(iwl_mei_cache.power_limit);
1849 iwl_mei_cache.power_limit = NULL;
1850 iwl_mei_cache.ops = NULL;
1851 /* leave iwl_mei_cache.priv non-NULL to prevent any new registration */
1852
1853 mutex_unlock(&iwl_mei_mutex);
1854 }
1855 EXPORT_SYMBOL_GPL(iwl_mei_start_unregister);
1856
1857 void iwl_mei_unregister_complete(void)
1858 {
1859 mutex_lock(&iwl_mei_mutex);
1860
1861 iwl_mei_cache.priv = NULL;
1862
1863 if (iwl_mei_global_cldev) {
1864 struct iwl_mei *mei =
1865 mei_cldev_get_drvdata(iwl_mei_global_cldev);
1866
1867 if (mei->amt_enabled)
1868 iwl_mei_send_sap_msg(mei->cldev,
1869 SAP_MSG_NOTIF_WIFIDR_DOWN);
1870 mei->got_ownership = false;
1871 }
1872
1873 mutex_unlock(&iwl_mei_mutex);
1874 }
1875 EXPORT_SYMBOL_GPL(iwl_mei_unregister_complete);
1876
1877 #if IS_ENABLED(CONFIG_DEBUG_FS)
1878
1879 static ssize_t
1880 iwl_mei_dbgfs_send_start_message_write(struct file *file,
1881 const char __user *user_buf,
1882 size_t count, loff_t *ppos)
1883 {
1884 int ret;
1885
1886 mutex_lock(&iwl_mei_mutex);
1887
1888 if (!iwl_mei_global_cldev) {
1889 ret = -ENODEV;
1890 goto out;
1891 }
1892
1893 ret = iwl_mei_send_start(iwl_mei_global_cldev);
1894
1895 out:
1896 mutex_unlock(&iwl_mei_mutex);
1897 return ret ?: count;
1898 }
1899
1900 static const struct file_operations iwl_mei_dbgfs_send_start_message_ops = {
1901 .write = iwl_mei_dbgfs_send_start_message_write,
1902 .open = simple_open,
1903 .llseek = default_llseek,
1904 };
1905
1906 static ssize_t iwl_mei_dbgfs_req_ownership_write(struct file *file,
1907 const char __user *user_buf,
1908 size_t count, loff_t *ppos)
1909 {
1910 iwl_mei_get_ownership();
1911
1912 return count;
1913 }
1914
1915 static const struct file_operations iwl_mei_dbgfs_req_ownership_ops = {
1916 .write = iwl_mei_dbgfs_req_ownership_write,
1917 .open = simple_open,
1918 .llseek = default_llseek,
1919 };
1920
1921 static void iwl_mei_dbgfs_register(struct iwl_mei *mei)
1922 {
1923 mei->dbgfs_dir = debugfs_create_dir(KBUILD_MODNAME, NULL);
1924
1925 if (!mei->dbgfs_dir)
1926 return;
1927
1928 debugfs_create_ulong("status", S_IRUSR,
1929 mei->dbgfs_dir, &iwl_mei_status);
1930 debugfs_create_file("send_start_message", S_IWUSR, mei->dbgfs_dir,
1931 mei, &iwl_mei_dbgfs_send_start_message_ops);
1932 debugfs_create_file("req_ownership", S_IWUSR, mei->dbgfs_dir,
1933 mei, &iwl_mei_dbgfs_req_ownership_ops);
1934 }
1935
1936 static void iwl_mei_dbgfs_unregister(struct iwl_mei *mei)
1937 {
1938 debugfs_remove_recursive(mei->dbgfs_dir);
1939 mei->dbgfs_dir = NULL;
1940 }
1941
1942 #else
1943
1944 static void iwl_mei_dbgfs_register(struct iwl_mei *mei) {}
1945 static void iwl_mei_dbgfs_unregister(struct iwl_mei *mei) {}
1946
1947 #endif /* CONFIG_DEBUG_FS */
1948
1949 static void iwl_mei_ownership_dwork(struct work_struct *wk)
1950 {
1951 iwl_mei_get_ownership();
1952 }
1953
1954 #define ALLOC_SHARED_MEM_RETRY_MAX_NUM 3
1955
1956 /*
1957 * iwl_mei_probe - the probe function called by the mei bus enumeration
1958 *
1959 * This allocates the data needed by iwlmei and sets a pointer to this data
1960 * into the mei_cl_device's drvdata.
1961 * It starts the SAP protocol by sending the SAP_ME_MSG_START without
1962 * waiting for the answer. The answer will be caught later by the Rx callback.
1963 */
1964 static int iwl_mei_probe(struct mei_cl_device *cldev,
1965 const struct mei_cl_device_id *id)
1966 {
1967 int alloc_retry = ALLOC_SHARED_MEM_RETRY_MAX_NUM;
1968 struct iwl_mei *mei;
1969 int ret;
1970
1971 mei = devm_kzalloc(&cldev->dev, sizeof(*mei), GFP_KERNEL);
1972 if (!mei)
1973 return -ENOMEM;
1974
1975 init_waitqueue_head(&mei->get_nvm_wq);
1976 INIT_WORK(&mei->send_csa_msg_wk, iwl_mei_send_csa_msg_wk);
1977 INIT_DELAYED_WORK(&mei->csa_throttle_end_wk,
1978 iwl_mei_csa_throttle_end_wk);
1979 init_waitqueue_head(&mei->get_ownership_wq);
1980 init_waitqueue_head(&mei->pldr_wq);
1981 spin_lock_init(&mei->data_q_lock);
1982 INIT_WORK(&mei->netdev_work, iwl_mei_netdev_work);
1983 INIT_DELAYED_WORK(&mei->ownership_dwork, iwl_mei_ownership_dwork);
1984
1985 mei_cldev_set_drvdata(cldev, mei);
1986 mei->cldev = cldev;
1987 mei->device_down = true;
1988
1989 do {
1990 ret = iwl_mei_alloc_shared_mem(cldev);
1991 if (!ret)
1992 break;
1993 /*
1994 * The CSME firmware needs to boot the internal WLAN client.
1995 * This can take time in certain configurations (usually
1996 * upon resume and when the whole CSME firmware is shut down
1997 * during suspend).
1998 *
1999 * Wait a bit before retrying and hope we'll succeed next time.
2000 */
2001
2002 dev_dbg(&cldev->dev,
2003 "Couldn't allocate the shared memory: %d, attempt %d / %d\n",
2004 ret, alloc_retry, ALLOC_SHARED_MEM_RETRY_MAX_NUM);
2005 msleep(100);
2006 alloc_retry--;
2007 } while (alloc_retry);
2008
2009 if (ret) {
2010 dev_err(&cldev->dev, "Couldn't allocate the shared memory: %d\n",
2011 ret);
2012 goto free;
2013 }
2014
2015 iwl_mei_init_shared_mem(mei);
2016
2017 ret = iwl_mei_enable(cldev);
2018 if (ret)
2019 goto free_shared_mem;
2020
2021 iwl_mei_dbgfs_register(mei);
2022
2023 /*
2024 * We now have a Rx function in place, start the SAP protocol
2025 * we expect to get the SAP_ME_MSG_START_OK response later on.
2026 */
2027 mutex_lock(&iwl_mei_mutex);
2028 ret = iwl_mei_send_start(cldev);
2029 mutex_unlock(&iwl_mei_mutex);
2030 if (ret)
2031 goto debugfs_unregister;
2032
2033 /* must be last */
2034 iwl_mei_global_cldev = cldev;
2035
2036 return 0;
2037
2038 debugfs_unregister:
2039 iwl_mei_dbgfs_unregister(mei);
2040 mei_cldev_disable(cldev);
2041 free_shared_mem:
2042 iwl_mei_free_shared_mem(cldev);
2043 free:
2044 mei_cldev_set_drvdata(cldev, NULL);
2045 devm_kfree(&cldev->dev, mei);
2046
2047 return ret;
2048 }
2049
2050 #define SEND_SAP_MAX_WAIT_ITERATION 10
2051 #define IWLMEI_DEVICE_DOWN_WAIT_ITERATION 50
2052
2053 static void iwl_mei_remove(struct mei_cl_device *cldev)
2054 {
2055 struct iwl_mei *mei = mei_cldev_get_drvdata(cldev);
2056 int i;
2057
2058 /*
2059 * We are being removed while the bus is active, it means we are
2060 * going to suspend/ shutdown, so the NIC will disappear.
2061 */
2062 if (mei_cldev_enabled(cldev) && iwl_mei_cache.ops) {
2063 unsigned int iter = IWLMEI_DEVICE_DOWN_WAIT_ITERATION;
2064 bool down = false;
2065
2066 /*
2067 * In case of suspend, wait for the mac to stop and don't remove
2068 * the interface. This will allow the interface to come back
2069 * on resume.
2070 */
2071 while (!down && iter--) {
2072 mdelay(1);
2073
2074 mutex_lock(&iwl_mei_mutex);
2075 down = mei->device_down;
2076 mutex_unlock(&iwl_mei_mutex);
2077 }
2078
2079 if (!down)
2080 iwl_mei_cache.ops->nic_stolen(iwl_mei_cache.priv);
2081 }
2082
2083 if (rcu_access_pointer(iwl_mei_cache.netdev)) {
2084 struct net_device *dev;
2085
2086 /*
2087 * First take rtnl and only then the mutex to avoid an ABBA
2088 * with iwl_mei_set_netdev()
2089 */
2090 rtnl_lock();
2091 mutex_lock(&iwl_mei_mutex);
2092
2093 /*
2094 * If we are suspending and the wifi driver hasn't removed it's netdev
2095 * yet, do it now. In any case, don't change the cache.netdev pointer.
2096 */
2097 dev = rcu_dereference_protected(iwl_mei_cache.netdev,
2098 lockdep_is_held(&iwl_mei_mutex));
2099
2100 netdev_rx_handler_unregister(dev);
2101 mutex_unlock(&iwl_mei_mutex);
2102 rtnl_unlock();
2103 }
2104
2105 mutex_lock(&iwl_mei_mutex);
2106
2107 /* Tell CSME that we are going down so that it won't access the
2108 * memory anymore, make sure this message goes through immediately.
2109 */
2110 mei->csa_throttled = false;
2111 iwl_mei_send_sap_msg(mei->cldev,
2112 SAP_MSG_NOTIF_HOST_GOES_DOWN);
2113
2114 for (i = 0; i < SEND_SAP_MAX_WAIT_ITERATION; i++) {
2115 if (!iwl_mei_host_to_me_data_pending(mei))
2116 break;
2117
2118 msleep(20);
2119 }
2120
2121 /* If we couldn't make sure that CSME saw the HOST_GOES_DOWN
2122 * message, it means that it will probably keep reading memory
2123 * that we are going to unmap and free, expect IOMMU error
2124 * messages.
2125 */
2126 if (i == SEND_SAP_MAX_WAIT_ITERATION)
2127 dev_err(&mei->cldev->dev,
2128 "Couldn't get ACK from CSME on HOST_GOES_DOWN message\n");
2129
2130 mutex_unlock(&iwl_mei_mutex);
2131
2132 /*
2133 * This looks strange, but this lock is taken here to make sure that
2134 * iwl_mei_add_data_to_ring called from the Tx path sees that we
2135 * clear the IWL_MEI_STATUS_SAP_CONNECTED bit.
2136 * Rx isn't a problem because the rx_handler can't be called after
2137 * having been unregistered.
2138 */
2139 spin_lock_bh(&mei->data_q_lock);
2140 clear_bit(IWL_MEI_STATUS_SAP_CONNECTED, &iwl_mei_status);
2141 spin_unlock_bh(&mei->data_q_lock);
2142
2143 if (iwl_mei_cache.ops)
2144 iwl_mei_cache.ops->rfkill(iwl_mei_cache.priv, false, false);
2145
2146 /*
2147 * mei_cldev_disable will return only after all the MEI Rx is done.
2148 * It must be called when iwl_mei_mutex is *not* held, since it waits
2149 * for our Rx handler to complete.
2150 * After it returns, no new Rx will start.
2151 */
2152 mei_cldev_disable(cldev);
2153
2154 /*
2155 * Since the netdev was already removed and the netdev's removal
2156 * includes a call to synchronize_net() so that we know there won't be
2157 * any new Rx that will trigger the following workers.
2158 */
2159 cancel_work_sync(&mei->send_csa_msg_wk);
2160 cancel_delayed_work_sync(&mei->csa_throttle_end_wk);
2161 cancel_work_sync(&mei->netdev_work);
2162 cancel_delayed_work_sync(&mei->ownership_dwork);
2163
2164 /*
2165 * If someone waits for the ownership, let him know that we are going
2166 * down and that we are not connected anymore. He'll be able to take
2167 * the device.
2168 */
2169 wake_up_all(&mei->get_ownership_wq);
2170 wake_up_all(&mei->pldr_wq);
2171
2172 mutex_lock(&iwl_mei_mutex);
2173
2174 iwl_mei_global_cldev = NULL;
2175
2176 wake_up_all(&mei->get_nvm_wq);
2177
2178 iwl_mei_free_shared_mem(cldev);
2179
2180 iwl_mei_dbgfs_unregister(mei);
2181
2182 mei_cldev_set_drvdata(cldev, NULL);
2183
2184 kfree(mei->nvm);
2185
2186 kfree(rcu_access_pointer(mei->filters));
2187
2188 devm_kfree(&cldev->dev, mei);
2189
2190 mutex_unlock(&iwl_mei_mutex);
2191 }
2192
2193 static const struct mei_cl_device_id iwl_mei_tbl[] = {
2194 {
2195 .name = KBUILD_MODNAME,
2196 .uuid = MEI_WLAN_UUID,
2197 .version = MEI_CL_VERSION_ANY,
2198 },
2199
2200 /* required last entry */
2201 { }
2202 };
2203
2204 /*
2205 * Do not export the device table because this module is loaded by
2206 * iwlwifi's dependency.
2207 */
2208
2209 static struct mei_cl_driver iwl_mei_cl_driver = {
2210 .id_table = iwl_mei_tbl,
2211 .name = KBUILD_MODNAME,
2212 .probe = iwl_mei_probe,
2213 .remove = iwl_mei_remove,
2214 };
2215
2216 module_mei_cl_driver(iwl_mei_cl_driver);
Kernel DRM miscellaneous fixes and cross-tree changes