1 /*
2  * Atheros CARL9170 driver
3  *
4  * USB - frontend
5  *
6  * Copyright 2008, Johannes Berg <johannes@sipsolutions.net>
7  * Copyright 2009, 2010, Christian Lamparter <chunkeey@googlemail.com>
8  *
9  * This program is free software; you can redistribute it and/or modify
10  * it under the terms of the GNU General Public License as published by
11  * the Free Software Foundation; either version 2 of the License, or
12  * (at your option) any later version.
13  *
14  * This program is distributed in the hope that it will be useful,
15  * but WITHOUT ANY WARRANTY; without even the implied warranty of
16  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
17  * GNU General Public License for more details.
18  *
19  * You should have received a copy of the GNU General Public License
20  * along with this program; see the file COPYING.  If not, see
21  * http://www.gnu.org/licenses/.
22  *
23  * This file incorporates work covered by the following copyright and
24  * permission notice:
25  *    Copyright (c) 2007-2008 Atheros Communications, Inc.
26  *
27  *    Permission to use, copy, modify, and/or distribute this software for any
28  *    purpose with or without fee is hereby granted, provided that the above
29  *    copyright notice and this permission notice appear in all copies.
30  *
31  *    THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
32  *    WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
33  *    MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
34  *    ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
35  *    WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
36  *    ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
37  *    OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
38  */
39 
40 #include <linux/module.h>
41 #include <linux/slab.h>
42 #include <linux/usb.h>
43 #include <linux/firmware.h>
44 #include <linux/etherdevice.h>
45 #include <linux/device.h>
46 #include <net/mac80211.h>
47 #include "carl9170.h"
48 #include "cmd.h"
49 #include "hw.h"
50 #include "fwcmd.h"
51 
52 MODULE_AUTHOR("Johannes Berg <johannes@sipsolutions.net>");
53 MODULE_AUTHOR("Christian Lamparter <chunkeey@googlemail.com>");
54 MODULE_LICENSE("GPL");
55 MODULE_DESCRIPTION("Atheros AR9170 802.11n USB wireless");
56 MODULE_FIRMWARE(CARL9170FW_NAME);
57 MODULE_ALIAS("ar9170usb");
58 MODULE_ALIAS("arusb_lnx");
59 
60 /*
61  * Note:
62  *
63  * Always update our wiki's device list (located at:
64  * https://wireless.wiki.kernel.org/en/users/Drivers/ar9170/devices ),
65  * whenever you add a new device.
66  */
67 static const struct usb_device_id carl9170_usb_ids[] = {
68 	/* Atheros 9170 */
69 	{ USB_DEVICE(0x0cf3, 0x9170) },
70 	/* Atheros TG121N */
71 	{ USB_DEVICE(0x0cf3, 0x1001) },
72 	/* TP-Link TL-WN821N v2 */
73 	{ USB_DEVICE(0x0cf3, 0x1002), .driver_info = CARL9170_WPS_BUTTON |
74 		 CARL9170_ONE_LED },
75 	/* 3Com Dual Band 802.11n USB Adapter */
76 	{ USB_DEVICE(0x0cf3, 0x1010) },
77 	/* H3C Dual Band 802.11n USB Adapter */
78 	{ USB_DEVICE(0x0cf3, 0x1011) },
79 	/* Cace Airpcap NX */
80 	{ USB_DEVICE(0xcace, 0x0300) },
81 	/* D-Link DWA 160 A1 */
82 	{ USB_DEVICE(0x07d1, 0x3c10) },
83 	/* D-Link DWA 160 A2 */
84 	{ USB_DEVICE(0x07d1, 0x3a09) },
85 	/* D-Link DWA 130 D */
86 	{ USB_DEVICE(0x07d1, 0x3a0f) },
87 	/* Netgear WNA1000 */
88 	{ USB_DEVICE(0x0846, 0x9040) },
89 	/* Netgear WNDA3100 (v1) */
90 	{ USB_DEVICE(0x0846, 0x9010) },
91 	/* Netgear WN111 v2 */
92 	{ USB_DEVICE(0x0846, 0x9001), .driver_info = CARL9170_ONE_LED },
93 	/* Zydas ZD1221 */
94 	{ USB_DEVICE(0x0ace, 0x1221) },
95 	/* Proxim ORiNOCO 802.11n USB */
96 	{ USB_DEVICE(0x1435, 0x0804) },
97 	/* WNC Generic 11n USB Dongle */
98 	{ USB_DEVICE(0x1435, 0x0326) },
99 	/* ZyXEL NWD271N */
100 	{ USB_DEVICE(0x0586, 0x3417) },
101 	/* Z-Com UB81 BG */
102 	{ USB_DEVICE(0x0cde, 0x0023) },
103 	/* Z-Com UB82 ABG */
104 	{ USB_DEVICE(0x0cde, 0x0026) },
105 	/* Sphairon Homelink 1202 */
106 	{ USB_DEVICE(0x0cde, 0x0027) },
107 	/* Arcadyan WN7512 */
108 	{ USB_DEVICE(0x083a, 0xf522) },
109 	/* Planex GWUS300 */
110 	{ USB_DEVICE(0x2019, 0x5304) },
111 	/* IO-Data WNGDNUS2 */
112 	{ USB_DEVICE(0x04bb, 0x093f) },
113 	/* NEC WL300NU-G */
114 	{ USB_DEVICE(0x0409, 0x0249) },
115 	/* NEC WL300NU-AG */
116 	{ USB_DEVICE(0x0409, 0x02b4) },
117 	/* AVM FRITZ!WLAN USB Stick N */
118 	{ USB_DEVICE(0x057c, 0x8401) },
119 	/* AVM FRITZ!WLAN USB Stick N 2.4 */
120 	{ USB_DEVICE(0x057c, 0x8402) },
121 	/* Qwest/Actiontec 802AIN Wireless N USB Network Adapter */
122 	{ USB_DEVICE(0x1668, 0x1200) },
123 	/* Airlive X.USB a/b/g/n */
124 	{ USB_DEVICE(0x1b75, 0x9170) },
125 
126 	/* terminate */
127 	{}
128 };
129 MODULE_DEVICE_TABLE(usb, carl9170_usb_ids);
130 
131 static struct usb_driver carl9170_driver;
132 
133 static void carl9170_usb_submit_data_urb(struct ar9170 *ar)
134 {
135 	struct urb *urb;
136 	int err;
137 
138 	if (atomic_inc_return(&ar->tx_anch_urbs) > AR9170_NUM_TX_URBS)
139 		goto err_acc;
140 
141 	urb = usb_get_from_anchor(&ar->tx_wait);
142 	if (!urb)
143 		goto err_acc;
144 
145 	usb_anchor_urb(urb, &ar->tx_anch);
146 
147 	err = usb_submit_urb(urb, GFP_ATOMIC);
148 	if (unlikely(err)) {
149 		if (net_ratelimit()) {
150 			dev_err(&ar->udev->dev, "tx submit failed (%d)\n",
151 				urb->status);
152 		}
153 
154 		usb_unanchor_urb(urb);
155 		usb_anchor_urb(urb, &ar->tx_err);
156 	}
157 
158 	usb_free_urb(urb);
159 
160 	if (likely(err == 0))
161 		return;
162 
163 err_acc:
164 	atomic_dec(&ar->tx_anch_urbs);
165 }
166 
167 static void carl9170_usb_tx_data_complete(struct urb *urb)
168 {
169 	struct ar9170 *ar = usb_get_intfdata(usb_ifnum_to_if(urb->dev, 0));
170 
171 	if (WARN_ON_ONCE(!ar)) {
172 		dev_kfree_skb_irq(urb->context);
173 		return;
174 	}
175 
176 	atomic_dec(&ar->tx_anch_urbs);
177 
178 	switch (urb->status) {
179 	/* everything is fine */
180 	case 0:
181 		carl9170_tx_callback(ar, (void *)urb->context);
182 		break;
183 
184 	/* disconnect */
185 	case -ENOENT:
186 	case -ECONNRESET:
187 	case -ENODEV:
188 	case -ESHUTDOWN:
189 		/*
190 		 * Defer the frame clean-up to the tasklet worker.
191 		 * This is necessary, because carl9170_tx_drop
192 		 * does not work in an irqsave context.
193 		 */
194 		usb_anchor_urb(urb, &ar->tx_err);
195 		return;
196 
197 	/* a random transmission error has occurred? */
198 	default:
199 		if (net_ratelimit()) {
200 			dev_err(&ar->udev->dev, "tx failed (%d)\n",
201 				urb->status);
202 		}
203 
204 		usb_anchor_urb(urb, &ar->tx_err);
205 		break;
206 	}
207 
208 	if (likely(IS_STARTED(ar)))
209 		carl9170_usb_submit_data_urb(ar);
210 }
211 
212 static int carl9170_usb_submit_cmd_urb(struct ar9170 *ar)
213 {
214 	struct urb *urb;
215 	int err;
216 
217 	if (atomic_inc_return(&ar->tx_cmd_urbs) != 1) {
218 		atomic_dec(&ar->tx_cmd_urbs);
219 		return 0;
220 	}
221 
222 	urb = usb_get_from_anchor(&ar->tx_cmd);
223 	if (!urb) {
224 		atomic_dec(&ar->tx_cmd_urbs);
225 		return 0;
226 	}
227 
228 	usb_anchor_urb(urb, &ar->tx_anch);
229 	err = usb_submit_urb(urb, GFP_ATOMIC);
230 	if (unlikely(err)) {
231 		usb_unanchor_urb(urb);
232 		atomic_dec(&ar->tx_cmd_urbs);
233 	}
234 	usb_free_urb(urb);
235 
236 	return err;
237 }
238 
239 static void carl9170_usb_cmd_complete(struct urb *urb)
240 {
241 	struct ar9170 *ar = urb->context;
242 	int err = 0;
243 
244 	if (WARN_ON_ONCE(!ar))
245 		return;
246 
247 	atomic_dec(&ar->tx_cmd_urbs);
248 
249 	switch (urb->status) {
250 	/* everything is fine */
251 	case 0:
252 		break;
253 
254 	/* disconnect */
255 	case -ENOENT:
256 	case -ECONNRESET:
257 	case -ENODEV:
258 	case -ESHUTDOWN:
259 		return;
260 
261 	default:
262 		err = urb->status;
263 		break;
264 	}
265 
266 	if (!IS_INITIALIZED(ar))
267 		return;
268 
269 	if (err)
270 		dev_err(&ar->udev->dev, "submit cmd cb failed (%d).\n", err);
271 
272 	err = carl9170_usb_submit_cmd_urb(ar);
273 	if (err)
274 		dev_err(&ar->udev->dev, "submit cmd failed (%d).\n", err);
275 }
276 
277 static void carl9170_usb_rx_irq_complete(struct urb *urb)
278 {
279 	struct ar9170 *ar = urb->context;
280 
281 	if (WARN_ON_ONCE(!ar))
282 		return;
283 
284 	switch (urb->status) {
285 	/* everything is fine */
286 	case 0:
287 		break;
288 
289 	/* disconnect */
290 	case -ENOENT:
291 	case -ECONNRESET:
292 	case -ENODEV:
293 	case -ESHUTDOWN:
294 		return;
295 
296 	default:
297 		goto resubmit;
298 	}
299 
300 	/*
301 	 * While the carl9170 firmware does not use this EP, the
302 	 * firmware loader in the EEPROM unfortunately does.
303 	 * Therefore we need to be ready to handle out-of-band
304 	 * responses and traps in case the firmware crashed and
305 	 * the loader took over again.
306 	 */
307 	carl9170_handle_command_response(ar, urb->transfer_buffer,
308 					 urb->actual_length);
309 
310 resubmit:
311 	usb_anchor_urb(urb, &ar->rx_anch);
312 	if (unlikely(usb_submit_urb(urb, GFP_ATOMIC)))
313 		usb_unanchor_urb(urb);
314 }
315 
316 static int carl9170_usb_submit_rx_urb(struct ar9170 *ar, gfp_t gfp)
317 {
318 	struct urb *urb;
319 	int err = 0, runs = 0;
320 
321 	while ((atomic_read(&ar->rx_anch_urbs) < AR9170_NUM_RX_URBS) &&
322 		(runs++ < AR9170_NUM_RX_URBS)) {
323 		err = -ENOSPC;
324 		urb = usb_get_from_anchor(&ar->rx_pool);
325 		if (urb) {
326 			usb_anchor_urb(urb, &ar->rx_anch);
327 			err = usb_submit_urb(urb, gfp);
328 			if (unlikely(err)) {
329 				usb_unanchor_urb(urb);
330 				usb_anchor_urb(urb, &ar->rx_pool);
331 			} else {
332 				atomic_dec(&ar->rx_pool_urbs);
333 				atomic_inc(&ar->rx_anch_urbs);
334 			}
335 			usb_free_urb(urb);
336 		}
337 	}
338 
339 	return err;
340 }
341 
342 static void carl9170_usb_rx_work(struct ar9170 *ar)
343 {
344 	struct urb *urb;
345 	int i;
346 
347 	for (i = 0; i < AR9170_NUM_RX_URBS_POOL; i++) {
348 		urb = usb_get_from_anchor(&ar->rx_work);
349 		if (!urb)
350 			break;
351 
352 		atomic_dec(&ar->rx_work_urbs);
353 		if (IS_INITIALIZED(ar)) {
354 			carl9170_rx(ar, urb->transfer_buffer,
355 				    urb->actual_length);
356 		}
357 
358 		usb_anchor_urb(urb, &ar->rx_pool);
359 		atomic_inc(&ar->rx_pool_urbs);
360 
361 		usb_free_urb(urb);
362 
363 		carl9170_usb_submit_rx_urb(ar, GFP_ATOMIC);
364 	}
365 }
366 
367 void carl9170_usb_handle_tx_err(struct ar9170 *ar)
368 {
369 	struct urb *urb;
370 
371 	while ((urb = usb_get_from_anchor(&ar->tx_err))) {
372 		struct sk_buff *skb = (void *)urb->context;
373 
374 		carl9170_tx_drop(ar, skb);
375 		carl9170_tx_callback(ar, skb);
376 		usb_free_urb(urb);
377 	}
378 }
379 
380 static void carl9170_usb_tasklet(unsigned long data)
381 {
382 	struct ar9170 *ar = (struct ar9170 *) data;
383 
384 	if (!IS_INITIALIZED(ar))
385 		return;
386 
387 	carl9170_usb_rx_work(ar);
388 
389 	/*
390 	 * Strictly speaking: The tx scheduler is not part of the USB system.
391 	 * But the rx worker returns frames back to the mac80211-stack and
392 	 * this is the _perfect_ place to generate the next transmissions.
393 	 */
394 	if (IS_STARTED(ar))
395 		carl9170_tx_scheduler(ar);
396 }
397 
398 static void carl9170_usb_rx_complete(struct urb *urb)
399 {
400 	struct ar9170 *ar = (struct ar9170 *)urb->context;
401 	int err;
402 
403 	if (WARN_ON_ONCE(!ar))
404 		return;
405 
406 	atomic_dec(&ar->rx_anch_urbs);
407 
408 	switch (urb->status) {
409 	case 0:
410 		/* rx path */
411 		usb_anchor_urb(urb, &ar->rx_work);
412 		atomic_inc(&ar->rx_work_urbs);
413 		break;
414 
415 	case -ENOENT:
416 	case -ECONNRESET:
417 	case -ENODEV:
418 	case -ESHUTDOWN:
419 		/* handle disconnect events*/
420 		return;
421 
422 	default:
423 		/* handle all other errors */
424 		usb_anchor_urb(urb, &ar->rx_pool);
425 		atomic_inc(&ar->rx_pool_urbs);
426 		break;
427 	}
428 
429 	err = carl9170_usb_submit_rx_urb(ar, GFP_ATOMIC);
430 	if (unlikely(err)) {
431 		/*
432 		 * usb_submit_rx_urb reported a problem.
433 		 * In case this is due to a rx buffer shortage,
434 		 * elevate the tasklet worker priority to
435 		 * the highest available level.
436 		 */
437 		tasklet_hi_schedule(&ar->usb_tasklet);
438 
439 		if (atomic_read(&ar->rx_anch_urbs) == 0) {
440 			/*
441 			 * The system is too slow to cope with
442 			 * the enormous workload. We have simply
443 			 * run out of active rx urbs and this
444 			 * unfortunately leads to an unpredictable
445 			 * device.
446 			 */
447 
448 			ieee80211_queue_work(ar->hw, &ar->ping_work);
449 		}
450 	} else {
451 		/*
452 		 * Using anything less than _high_ priority absolutely
453 		 * kills the rx performance my UP-System...
454 		 */
455 		tasklet_hi_schedule(&ar->usb_tasklet);
456 	}
457 }
458 
459 static struct urb *carl9170_usb_alloc_rx_urb(struct ar9170 *ar, gfp_t gfp)
460 {
461 	struct urb *urb;
462 	void *buf;
463 
464 	buf = kmalloc(ar->fw.rx_size, gfp);
465 	if (!buf)
466 		return NULL;
467 
468 	urb = usb_alloc_urb(0, gfp);
469 	if (!urb) {
470 		kfree(buf);
471 		return NULL;
472 	}
473 
474 	usb_fill_bulk_urb(urb, ar->udev, usb_rcvbulkpipe(ar->udev,
475 			  AR9170_USB_EP_RX), buf, ar->fw.rx_size,
476 			  carl9170_usb_rx_complete, ar);
477 
478 	urb->transfer_flags |= URB_FREE_BUFFER;
479 
480 	return urb;
481 }
482 
483 static int carl9170_usb_send_rx_irq_urb(struct ar9170 *ar)
484 {
485 	struct urb *urb = NULL;
486 	void *ibuf;
487 	int err = -ENOMEM;
488 
489 	urb = usb_alloc_urb(0, GFP_KERNEL);
490 	if (!urb)
491 		goto out;
492 
493 	ibuf = kmalloc(AR9170_USB_EP_CTRL_MAX, GFP_KERNEL);
494 	if (!ibuf)
495 		goto out;
496 
497 	usb_fill_int_urb(urb, ar->udev, usb_rcvintpipe(ar->udev,
498 			 AR9170_USB_EP_IRQ), ibuf, AR9170_USB_EP_CTRL_MAX,
499 			 carl9170_usb_rx_irq_complete, ar, 1);
500 
501 	urb->transfer_flags |= URB_FREE_BUFFER;
502 
503 	usb_anchor_urb(urb, &ar->rx_anch);
504 	err = usb_submit_urb(urb, GFP_KERNEL);
505 	if (err)
506 		usb_unanchor_urb(urb);
507 
508 out:
509 	usb_free_urb(urb);
510 	return err;
511 }
512 
513 static int carl9170_usb_init_rx_bulk_urbs(struct ar9170 *ar)
514 {
515 	struct urb *urb;
516 	int i, err = -EINVAL;
517 
518 	/*
519 	 * The driver actively maintains a second shadow
520 	 * pool for inactive, but fully-prepared rx urbs.
521 	 *
522 	 * The pool should help the driver to master huge
523 	 * workload spikes without running the risk of
524 	 * undersupplying the hardware or wasting time by
525 	 * processing rx data (streams) inside the urb
526 	 * completion (hardirq context).
527 	 */
528 	for (i = 0; i < AR9170_NUM_RX_URBS_POOL; i++) {
529 		urb = carl9170_usb_alloc_rx_urb(ar, GFP_KERNEL);
530 		if (!urb) {
531 			err = -ENOMEM;
532 			goto err_out;
533 		}
534 
535 		usb_anchor_urb(urb, &ar->rx_pool);
536 		atomic_inc(&ar->rx_pool_urbs);
537 		usb_free_urb(urb);
538 	}
539 
540 	err = carl9170_usb_submit_rx_urb(ar, GFP_KERNEL);
541 	if (err)
542 		goto err_out;
543 
544 	/* the device now waiting for the firmware. */
545 	carl9170_set_state_when(ar, CARL9170_STOPPED, CARL9170_IDLE);
546 	return 0;
547 
548 err_out:
549 
550 	usb_scuttle_anchored_urbs(&ar->rx_pool);
551 	usb_scuttle_anchored_urbs(&ar->rx_work);
552 	usb_kill_anchored_urbs(&ar->rx_anch);
553 	return err;
554 }
555 
556 static int carl9170_usb_flush(struct ar9170 *ar)
557 {
558 	struct urb *urb;
559 	int ret, err = 0;
560 
561 	while ((urb = usb_get_from_anchor(&ar->tx_wait))) {
562 		struct sk_buff *skb = (void *)urb->context;
563 		carl9170_tx_drop(ar, skb);
564 		carl9170_tx_callback(ar, skb);
565 		usb_free_urb(urb);
566 	}
567 
568 	ret = usb_wait_anchor_empty_timeout(&ar->tx_cmd, 1000);
569 	if (ret == 0)
570 		err = -ETIMEDOUT;
571 
572 	/* lets wait a while until the tx - queues are dried out */
573 	ret = usb_wait_anchor_empty_timeout(&ar->tx_anch, 1000);
574 	if (ret == 0)
575 		err = -ETIMEDOUT;
576 
577 	usb_kill_anchored_urbs(&ar->tx_anch);
578 	carl9170_usb_handle_tx_err(ar);
579 
580 	return err;
581 }
582 
583 static void carl9170_usb_cancel_urbs(struct ar9170 *ar)
584 {
585 	int err;
586 
587 	carl9170_set_state(ar, CARL9170_UNKNOWN_STATE);
588 
589 	err = carl9170_usb_flush(ar);
590 	if (err)
591 		dev_err(&ar->udev->dev, "stuck tx urbs!\n");
592 
593 	usb_poison_anchored_urbs(&ar->tx_anch);
594 	carl9170_usb_handle_tx_err(ar);
595 	usb_poison_anchored_urbs(&ar->rx_anch);
596 
597 	tasklet_kill(&ar->usb_tasklet);
598 
599 	usb_scuttle_anchored_urbs(&ar->rx_work);
600 	usb_scuttle_anchored_urbs(&ar->rx_pool);
601 	usb_scuttle_anchored_urbs(&ar->tx_cmd);
602 }
603 
604 int __carl9170_exec_cmd(struct ar9170 *ar, struct carl9170_cmd *cmd,
605 			const bool free_buf)
606 {
607 	struct urb *urb;
608 	int err = 0;
609 
610 	if (!IS_INITIALIZED(ar)) {
611 		err = -EPERM;
612 		goto err_free;
613 	}
614 
615 	if (WARN_ON(cmd->hdr.len > CARL9170_MAX_CMD_LEN - 4)) {
616 		err = -EINVAL;
617 		goto err_free;
618 	}
619 
620 	urb = usb_alloc_urb(0, GFP_ATOMIC);
621 	if (!urb) {
622 		err = -ENOMEM;
623 		goto err_free;
624 	}
625 
626 	if (ar->usb_ep_cmd_is_bulk)
627 		usb_fill_bulk_urb(urb, ar->udev,
628 				  usb_sndbulkpipe(ar->udev, AR9170_USB_EP_CMD),
629 				  cmd, cmd->hdr.len + 4,
630 				  carl9170_usb_cmd_complete, ar);
631 	else
632 		usb_fill_int_urb(urb, ar->udev,
633 				 usb_sndintpipe(ar->udev, AR9170_USB_EP_CMD),
634 				 cmd, cmd->hdr.len + 4,
635 				 carl9170_usb_cmd_complete, ar, 1);
636 
637 	if (free_buf)
638 		urb->transfer_flags |= URB_FREE_BUFFER;
639 
640 	usb_anchor_urb(urb, &ar->tx_cmd);
641 	usb_free_urb(urb);
642 
643 	return carl9170_usb_submit_cmd_urb(ar);
644 
645 err_free:
646 	if (free_buf)
647 		kfree(cmd);
648 
649 	return err;
650 }
651 
652 int carl9170_exec_cmd(struct ar9170 *ar, const enum carl9170_cmd_oids cmd,
653 	unsigned int plen, void *payload, unsigned int outlen, void *out)
654 {
655 	int err = -ENOMEM;
656 	unsigned long time_left;
657 
658 	if (!IS_ACCEPTING_CMD(ar))
659 		return -EIO;
660 
661 	if (!(cmd & CARL9170_CMD_ASYNC_FLAG))
662 		might_sleep();
663 
664 	ar->cmd.hdr.len = plen;
665 	ar->cmd.hdr.cmd = cmd;
666 	/* writing multiple regs fills this buffer already */
667 	if (plen && payload != (u8 *)(ar->cmd.data))
668 		memcpy(ar->cmd.data, payload, plen);
669 
670 	spin_lock_bh(&ar->cmd_lock);
671 	ar->readbuf = (u8 *)out;
672 	ar->readlen = outlen;
673 	spin_unlock_bh(&ar->cmd_lock);
674 
675 	reinit_completion(&ar->cmd_wait);
676 	err = __carl9170_exec_cmd(ar, &ar->cmd, false);
677 
678 	if (!(cmd & CARL9170_CMD_ASYNC_FLAG)) {
679 		time_left = wait_for_completion_timeout(&ar->cmd_wait, HZ);
680 		if (time_left == 0) {
681 			err = -ETIMEDOUT;
682 			goto err_unbuf;
683 		}
684 
685 		if (ar->readlen != outlen) {
686 			err = -EMSGSIZE;
687 			goto err_unbuf;
688 		}
689 	}
690 
691 	return 0;
692 
693 err_unbuf:
694 	/* Maybe the device was removed in the moment we were waiting? */
695 	if (IS_STARTED(ar)) {
696 		dev_err(&ar->udev->dev, "no command feedback "
697 			"received (%d).\n", err);
698 
699 		/* provide some maybe useful debug information */
700 		print_hex_dump_bytes("carl9170 cmd: ", DUMP_PREFIX_NONE,
701 				     &ar->cmd, plen + 4);
702 
703 		carl9170_restart(ar, CARL9170_RR_COMMAND_TIMEOUT);
704 	}
705 
706 	/* invalidate to avoid completing the next command prematurely */
707 	spin_lock_bh(&ar->cmd_lock);
708 	ar->readbuf = NULL;
709 	ar->readlen = 0;
710 	spin_unlock_bh(&ar->cmd_lock);
711 
712 	return err;
713 }
714 
715 void carl9170_usb_tx(struct ar9170 *ar, struct sk_buff *skb)
716 {
717 	struct urb *urb;
718 	struct ar9170_stream *tx_stream;
719 	void *data;
720 	unsigned int len;
721 
722 	if (!IS_STARTED(ar))
723 		goto err_drop;
724 
725 	urb = usb_alloc_urb(0, GFP_ATOMIC);
726 	if (!urb)
727 		goto err_drop;
728 
729 	if (ar->fw.tx_stream) {
730 		tx_stream = (void *) (skb->data - sizeof(*tx_stream));
731 
732 		len = skb->len + sizeof(*tx_stream);
733 		tx_stream->length = cpu_to_le16(len);
734 		tx_stream->tag = cpu_to_le16(AR9170_TX_STREAM_TAG);
735 		data = tx_stream;
736 	} else {
737 		data = skb->data;
738 		len = skb->len;
739 	}
740 
741 	usb_fill_bulk_urb(urb, ar->udev, usb_sndbulkpipe(ar->udev,
742 		AR9170_USB_EP_TX), data, len,
743 		carl9170_usb_tx_data_complete, skb);
744 
745 	urb->transfer_flags |= URB_ZERO_PACKET;
746 
747 	usb_anchor_urb(urb, &ar->tx_wait);
748 
749 	usb_free_urb(urb);
750 
751 	carl9170_usb_submit_data_urb(ar);
752 	return;
753 
754 err_drop:
755 	carl9170_tx_drop(ar, skb);
756 	carl9170_tx_callback(ar, skb);
757 }
758 
759 static void carl9170_release_firmware(struct ar9170 *ar)
760 {
761 	if (ar->fw.fw) {
762 		release_firmware(ar->fw.fw);
763 		memset(&ar->fw, 0, sizeof(ar->fw));
764 	}
765 }
766 
767 void carl9170_usb_stop(struct ar9170 *ar)
768 {
769 	int ret;
770 
771 	carl9170_set_state_when(ar, CARL9170_IDLE, CARL9170_STOPPED);
772 
773 	ret = carl9170_usb_flush(ar);
774 	if (ret)
775 		dev_err(&ar->udev->dev, "kill pending tx urbs.\n");
776 
777 	usb_poison_anchored_urbs(&ar->tx_anch);
778 	carl9170_usb_handle_tx_err(ar);
779 
780 	/* kill any pending command */
781 	spin_lock_bh(&ar->cmd_lock);
782 	ar->readlen = 0;
783 	spin_unlock_bh(&ar->cmd_lock);
784 	complete(&ar->cmd_wait);
785 
786 	/*
787 	 * Note:
788 	 * So far we freed all tx urbs, but we won't dare to touch any rx urbs.
789 	 * Else we would end up with a unresponsive device...
790 	 */
791 }
792 
793 int carl9170_usb_open(struct ar9170 *ar)
794 {
795 	usb_unpoison_anchored_urbs(&ar->tx_anch);
796 
797 	carl9170_set_state_when(ar, CARL9170_STOPPED, CARL9170_IDLE);
798 	return 0;
799 }
800 
801 static int carl9170_usb_load_firmware(struct ar9170 *ar)
802 {
803 	const u8 *data;
804 	u8 *buf;
805 	unsigned int transfer;
806 	size_t len;
807 	u32 addr;
808 	int err = 0;
809 
810 	buf = kmalloc(4096, GFP_KERNEL);
811 	if (!buf) {
812 		err = -ENOMEM;
813 		goto err_out;
814 	}
815 
816 	data = ar->fw.fw->data;
817 	len = ar->fw.fw->size;
818 	addr = ar->fw.address;
819 
820 	/* this removes the miniboot image */
821 	data += ar->fw.offset;
822 	len -= ar->fw.offset;
823 
824 	while (len) {
825 		transfer = min_t(unsigned int, len, 4096u);
826 		memcpy(buf, data, transfer);
827 
828 		err = usb_control_msg(ar->udev, usb_sndctrlpipe(ar->udev, 0),
829 				      0x30 /* FW DL */, 0x40 | USB_DIR_OUT,
830 				      addr >> 8, 0, buf, transfer, 100);
831 
832 		if (err < 0) {
833 			kfree(buf);
834 			goto err_out;
835 		}
836 
837 		len -= transfer;
838 		data += transfer;
839 		addr += transfer;
840 	}
841 	kfree(buf);
842 
843 	err = usb_control_msg(ar->udev, usb_sndctrlpipe(ar->udev, 0),
844 			      0x31 /* FW DL COMPLETE */,
845 			      0x40 | USB_DIR_OUT, 0, 0, NULL, 0, 200);
846 
847 	if (wait_for_completion_timeout(&ar->fw_boot_wait, HZ) == 0) {
848 		err = -ETIMEDOUT;
849 		goto err_out;
850 	}
851 
852 	err = carl9170_echo_test(ar, 0x4a110123);
853 	if (err)
854 		goto err_out;
855 
856 	/* now, start the command response counter */
857 	ar->cmd_seq = -1;
858 
859 	return 0;
860 
861 err_out:
862 	dev_err(&ar->udev->dev, "firmware upload failed (%d).\n", err);
863 	return err;
864 }
865 
866 int carl9170_usb_restart(struct ar9170 *ar)
867 {
868 	int err = 0;
869 
870 	if (ar->intf->condition != USB_INTERFACE_BOUND)
871 		return 0;
872 
873 	/*
874 	 * Disable the command response sequence counter check.
875 	 * We already know that the device/firmware is in a bad state.
876 	 * So, no extra points are awarded to anyone who reminds the
877 	 * driver about that.
878 	 */
879 	ar->cmd_seq = -2;
880 
881 	err = carl9170_reboot(ar);
882 
883 	carl9170_usb_stop(ar);
884 
885 	if (err)
886 		goto err_out;
887 
888 	tasklet_schedule(&ar->usb_tasklet);
889 
890 	/* The reboot procedure can take quite a while to complete. */
891 	msleep(1100);
892 
893 	err = carl9170_usb_open(ar);
894 	if (err)
895 		goto err_out;
896 
897 	err = carl9170_usb_load_firmware(ar);
898 	if (err)
899 		goto err_out;
900 
901 	return 0;
902 
903 err_out:
904 	carl9170_usb_cancel_urbs(ar);
905 	return err;
906 }
907 
908 void carl9170_usb_reset(struct ar9170 *ar)
909 {
910 	/*
911 	 * This is the last resort to get the device going again
912 	 * without any *user replugging action*.
913 	 *
914 	 * But there is a catch: usb_reset really is like a physical
915 	 * *reconnect*. The mac80211 state will be lost in the process.
916 	 * Therefore a userspace application, which is monitoring
917 	 * the link must step in.
918 	 */
919 	carl9170_usb_cancel_urbs(ar);
920 
921 	carl9170_usb_stop(ar);
922 
923 	usb_queue_reset_device(ar->intf);
924 }
925 
926 static int carl9170_usb_init_device(struct ar9170 *ar)
927 {
928 	int err;
929 
930 	/*
931 	 * The carl9170 firmware let's the driver know when it's
932 	 * ready for action. But we have to be prepared to gracefully
933 	 * handle all spurious [flushed] messages after each (re-)boot.
934 	 * Thus the command response counter remains disabled until it
935 	 * can be safely synchronized.
936 	 */
937 	ar->cmd_seq = -2;
938 
939 	err = carl9170_usb_send_rx_irq_urb(ar);
940 	if (err)
941 		goto err_out;
942 
943 	err = carl9170_usb_init_rx_bulk_urbs(ar);
944 	if (err)
945 		goto err_unrx;
946 
947 	err = carl9170_usb_open(ar);
948 	if (err)
949 		goto err_unrx;
950 
951 	mutex_lock(&ar->mutex);
952 	err = carl9170_usb_load_firmware(ar);
953 	mutex_unlock(&ar->mutex);
954 	if (err)
955 		goto err_stop;
956 
957 	return 0;
958 
959 err_stop:
960 	carl9170_usb_stop(ar);
961 
962 err_unrx:
963 	carl9170_usb_cancel_urbs(ar);
964 
965 err_out:
966 	return err;
967 }
968 
969 static void carl9170_usb_firmware_failed(struct ar9170 *ar)
970 {
971 	/* Store a copies of the usb_interface and usb_device pointer locally.
972 	 * This is because release_driver initiates carl9170_usb_disconnect,
973 	 * which in turn frees our driver context (ar).
974 	 */
975 	struct usb_interface *intf = ar->intf;
976 	struct usb_device *udev = ar->udev;
977 
978 	complete(&ar->fw_load_wait);
979 	/* at this point 'ar' could be already freed. Don't use it anymore */
980 	ar = NULL;
981 
982 	/* unbind anything failed */
983 	usb_lock_device(udev);
984 	usb_driver_release_interface(&carl9170_driver, intf);
985 	usb_unlock_device(udev);
986 
987 	usb_put_intf(intf);
988 }
989 
990 static void carl9170_usb_firmware_finish(struct ar9170 *ar)
991 {
992 	struct usb_interface *intf = ar->intf;
993 	int err;
994 
995 	err = carl9170_parse_firmware(ar);
996 	if (err)
997 		goto err_freefw;
998 
999 	err = carl9170_usb_init_device(ar);
1000 	if (err)
1001 		goto err_freefw;
1002 
1003 	err = carl9170_register(ar);
1004 
1005 	carl9170_usb_stop(ar);
1006 	if (err)
1007 		goto err_unrx;
1008 
1009 	complete(&ar->fw_load_wait);
1010 	usb_put_intf(intf);
1011 	return;
1012 
1013 err_unrx:
1014 	carl9170_usb_cancel_urbs(ar);
1015 
1016 err_freefw:
1017 	carl9170_release_firmware(ar);
1018 	carl9170_usb_firmware_failed(ar);
1019 }
1020 
1021 static void carl9170_usb_firmware_step2(const struct firmware *fw,
1022 					void *context)
1023 {
1024 	struct ar9170 *ar = context;
1025 
1026 	if (fw) {
1027 		ar->fw.fw = fw;
1028 		carl9170_usb_firmware_finish(ar);
1029 		return;
1030 	}
1031 
1032 	dev_err(&ar->udev->dev, "firmware not found.\n");
1033 	carl9170_usb_firmware_failed(ar);
1034 }
1035 
1036 static int carl9170_usb_probe(struct usb_interface *intf,
1037 			      const struct usb_device_id *id)
1038 {
1039 	struct usb_endpoint_descriptor *ep;
1040 	struct ar9170 *ar;
1041 	struct usb_device *udev;
1042 	int i, err;
1043 
1044 	err = usb_reset_device(interface_to_usbdev(intf));
1045 	if (err)
1046 		return err;
1047 
1048 	ar = carl9170_alloc(sizeof(*ar));
1049 	if (IS_ERR(ar))
1050 		return PTR_ERR(ar);
1051 
1052 	udev = interface_to_usbdev(intf);
1053 	ar->udev = udev;
1054 	ar->intf = intf;
1055 	ar->features = id->driver_info;
1056 
1057 	/* We need to remember the type of endpoint 4 because it differs
1058 	 * between high- and full-speed configuration. The high-speed
1059 	 * configuration specifies it as interrupt and the full-speed
1060 	 * configuration as bulk endpoint. This information is required
1061 	 * later when sending urbs to that endpoint.
1062 	 */
1063 	for (i = 0; i < intf->cur_altsetting->desc.bNumEndpoints; ++i) {
1064 		ep = &intf->cur_altsetting->endpoint[i].desc;
1065 
1066 		if (usb_endpoint_num(ep) == AR9170_USB_EP_CMD &&
1067 		    usb_endpoint_dir_out(ep) &&
1068 		    usb_endpoint_type(ep) == USB_ENDPOINT_XFER_BULK)
1069 			ar->usb_ep_cmd_is_bulk = true;
1070 	}
1071 
1072 	usb_set_intfdata(intf, ar);
1073 	SET_IEEE80211_DEV(ar->hw, &intf->dev);
1074 
1075 	init_usb_anchor(&ar->rx_anch);
1076 	init_usb_anchor(&ar->rx_pool);
1077 	init_usb_anchor(&ar->rx_work);
1078 	init_usb_anchor(&ar->tx_wait);
1079 	init_usb_anchor(&ar->tx_anch);
1080 	init_usb_anchor(&ar->tx_cmd);
1081 	init_usb_anchor(&ar->tx_err);
1082 	init_completion(&ar->cmd_wait);
1083 	init_completion(&ar->fw_boot_wait);
1084 	init_completion(&ar->fw_load_wait);
1085 	tasklet_init(&ar->usb_tasklet, carl9170_usb_tasklet,
1086 		     (unsigned long)ar);
1087 
1088 	atomic_set(&ar->tx_cmd_urbs, 0);
1089 	atomic_set(&ar->tx_anch_urbs, 0);
1090 	atomic_set(&ar->rx_work_urbs, 0);
1091 	atomic_set(&ar->rx_anch_urbs, 0);
1092 	atomic_set(&ar->rx_pool_urbs, 0);
1093 
1094 	usb_get_intf(intf);
1095 
1096 	carl9170_set_state(ar, CARL9170_STOPPED);
1097 
1098 	err = request_firmware_nowait(THIS_MODULE, 1, CARL9170FW_NAME,
1099 		&ar->udev->dev, GFP_KERNEL, ar, carl9170_usb_firmware_step2);
1100 	if (err) {
1101 		usb_put_intf(intf);
1102 		carl9170_free(ar);
1103 	}
1104 	return err;
1105 }
1106 
1107 static void carl9170_usb_disconnect(struct usb_interface *intf)
1108 {
1109 	struct ar9170 *ar = usb_get_intfdata(intf);
1110 
1111 	if (WARN_ON(!ar))
1112 		return;
1113 
1114 	wait_for_completion(&ar->fw_load_wait);
1115 
1116 	if (IS_INITIALIZED(ar)) {
1117 		carl9170_reboot(ar);
1118 		carl9170_usb_stop(ar);
1119 	}
1120 
1121 	carl9170_usb_cancel_urbs(ar);
1122 	carl9170_unregister(ar);
1123 
1124 	usb_set_intfdata(intf, NULL);
1125 
1126 	carl9170_release_firmware(ar);
1127 	carl9170_free(ar);
1128 }
1129 
1130 #ifdef CONFIG_PM
1131 static int carl9170_usb_suspend(struct usb_interface *intf,
1132 				pm_message_t message)
1133 {
1134 	struct ar9170 *ar = usb_get_intfdata(intf);
1135 
1136 	if (!ar)
1137 		return -ENODEV;
1138 
1139 	carl9170_usb_cancel_urbs(ar);
1140 
1141 	return 0;
1142 }
1143 
1144 static int carl9170_usb_resume(struct usb_interface *intf)
1145 {
1146 	struct ar9170 *ar = usb_get_intfdata(intf);
1147 	int err;
1148 
1149 	if (!ar)
1150 		return -ENODEV;
1151 
1152 	usb_unpoison_anchored_urbs(&ar->rx_anch);
1153 	carl9170_set_state(ar, CARL9170_STOPPED);
1154 
1155 	/*
1156 	 * The USB documentation demands that [for suspend] all traffic
1157 	 * to and from the device has to stop. This would be fine, but
1158 	 * there's a catch: the device[usb phy] does not come back.
1159 	 *
1160 	 * Upon resume the firmware will "kill" itself and the
1161 	 * boot-code sorts out the magic voodoo.
1162 	 * Not very nice, but there's not much what could go wrong.
1163 	 */
1164 	msleep(1100);
1165 
1166 	err = carl9170_usb_init_device(ar);
1167 	if (err)
1168 		goto err_unrx;
1169 
1170 	return 0;
1171 
1172 err_unrx:
1173 	carl9170_usb_cancel_urbs(ar);
1174 
1175 	return err;
1176 }
1177 #endif /* CONFIG_PM */
1178 
1179 static struct usb_driver carl9170_driver = {
1180 	.name = KBUILD_MODNAME,
1181 	.probe = carl9170_usb_probe,
1182 	.disconnect = carl9170_usb_disconnect,
1183 	.id_table = carl9170_usb_ids,
1184 	.soft_unbind = 1,
1185 #ifdef CONFIG_PM
1186 	.suspend = carl9170_usb_suspend,
1187 	.resume = carl9170_usb_resume,
1188 	.reset_resume = carl9170_usb_resume,
1189 #endif /* CONFIG_PM */
1190 	.disable_hub_initiated_lpm = 1,
1191 };
1192 
1193 module_usb_driver(carl9170_driver);
1194