1 // SPDX-License-Identifier: GPL-2.0-only
2 /*
3  * Copyright (C) 2021-2023 Intel Corporation
4  */
5 
6 #include <linux/etherdevice.h>
7 #include <linux/netdevice.h>
8 #include <linux/ieee80211.h>
9 #include <linux/rtnetlink.h>
10 #include <linux/module.h>
11 #include <linux/moduleparam.h>
12 #include <linux/mei_cl_bus.h>
13 #include <linux/rcupdate.h>
14 #include <linux/debugfs.h>
15 #include <linux/skbuff.h>
16 #include <linux/wait.h>
17 #include <linux/slab.h>
18 #include <linux/mm.h>
19 
20 #include <net/cfg80211.h>
21 
22 #include "internal.h"
23 #include "iwl-mei.h"
24 #include "trace.h"
25 #include "trace-data.h"
26 #include "sap.h"
27 
28 MODULE_DESCRIPTION("The Intel(R) wireless / CSME firmware interface");
29 MODULE_LICENSE("GPL");
30 
31 #define MEI_WLAN_UUID UUID_LE(0x13280904, 0x7792, 0x4fcb, \
32 			      0xa1, 0xaa, 0x5e, 0x70, 0xcb, 0xb1, 0xe8, 0x65)
33 
34 /* After CSME takes ownership, it won't release it for 60 seconds to avoid
35  * frequent ownership transitions.
36  */
37 #define MEI_OWNERSHIP_RETAKE_TIMEOUT_MS	msecs_to_jiffies(60000)
38 
39 /*
40  * Since iwlwifi calls iwlmei without any context, hold a pointer to the
41  * mei_cl_device structure here.
42  * Define a mutex that will synchronize all the flows between iwlwifi and
43  * iwlmei.
44  * Note that iwlmei can't have several instances, so it ok to have static
45  * variables here.
46  */
47 static struct mei_cl_device *iwl_mei_global_cldev;
48 static DEFINE_MUTEX(iwl_mei_mutex);
49 static unsigned long iwl_mei_status;
50 
51 enum iwl_mei_status_bits {
52 	IWL_MEI_STATUS_SAP_CONNECTED,
53 };
54 
55 bool iwl_mei_is_connected(void)
56 {
57 	return test_bit(IWL_MEI_STATUS_SAP_CONNECTED, &iwl_mei_status);
58 }
59 EXPORT_SYMBOL_GPL(iwl_mei_is_connected);
60 
61 #define SAP_VERSION	3
62 #define SAP_CONTROL_BLOCK_ID 0x21504153 /* SAP! in ASCII */
63 
64 struct iwl_sap_q_ctrl_blk {
65 	__le32 wr_ptr;
66 	__le32 rd_ptr;
67 	__le32 size;
68 };
69 
70 enum iwl_sap_q_idx {
71 	SAP_QUEUE_IDX_NOTIF = 0,
72 	SAP_QUEUE_IDX_DATA,
73 	SAP_QUEUE_IDX_MAX,
74 };
75 
76 struct iwl_sap_dir {
77 	__le32 reserved;
78 	struct iwl_sap_q_ctrl_blk q_ctrl_blk[SAP_QUEUE_IDX_MAX];
79 };
80 
81 enum iwl_sap_dir_idx {
82 	SAP_DIRECTION_HOST_TO_ME = 0,
83 	SAP_DIRECTION_ME_TO_HOST,
84 	SAP_DIRECTION_MAX,
85 };
86 
87 struct iwl_sap_shared_mem_ctrl_blk {
88 	__le32 sap_id;
89 	__le32 size;
90 	struct iwl_sap_dir dir[SAP_DIRECTION_MAX];
91 };
92 
93 /*
94  * The shared area has the following layout:
95  *
96  * +-----------------------------------+
97  * |struct iwl_sap_shared_mem_ctrl_blk |
98  * +-----------------------------------+
99  * |Host -> ME data queue              |
100  * +-----------------------------------+
101  * |Host -> ME notif queue             |
102  * +-----------------------------------+
103  * |ME -> Host data queue              |
104  * +-----------------------------------+
105  * |ME -> host notif queue             |
106  * +-----------------------------------+
107  * |SAP control block id (SAP!)        |
108  * +-----------------------------------+
109  */
110 
111 #define SAP_H2M_DATA_Q_SZ	48256
112 #define SAP_M2H_DATA_Q_SZ	24128
113 #define SAP_H2M_NOTIF_Q_SZ	2240
114 #define SAP_M2H_NOTIF_Q_SZ	62720
115 
116 #define _IWL_MEI_SAP_SHARED_MEM_SZ \
117 	(sizeof(struct iwl_sap_shared_mem_ctrl_blk) + \
118 	 SAP_H2M_DATA_Q_SZ + SAP_H2M_NOTIF_Q_SZ + \
119 	 SAP_M2H_DATA_Q_SZ + SAP_M2H_NOTIF_Q_SZ + 4)
120 
121 #define IWL_MEI_SAP_SHARED_MEM_SZ \
122 	(roundup(_IWL_MEI_SAP_SHARED_MEM_SZ, PAGE_SIZE))
123 
124 struct iwl_mei_shared_mem_ptrs {
125 	struct iwl_sap_shared_mem_ctrl_blk *ctrl;
126 	void *q_head[SAP_DIRECTION_MAX][SAP_QUEUE_IDX_MAX];
127 	size_t q_size[SAP_DIRECTION_MAX][SAP_QUEUE_IDX_MAX];
128 };
129 
130 struct iwl_mei_filters {
131 	struct rcu_head rcu_head;
132 	struct iwl_sap_oob_filters filters;
133 };
134 
135 /**
136  * struct iwl_mei - holds the private date for iwl_mei
137  *
138  * @get_nvm_wq: the wait queue for the get_nvm flow
139  * @send_csa_msg_wk: used to defer the transmission of the CHECK_SHARED_AREA
140  *	message. Used so that we can send CHECK_SHARED_AREA from atomic
141  *	contexts.
142  * @get_ownership_wq: the wait queue for the get_ownership_flow
143  * @shared_mem: the memory that is shared between CSME and the host
144  * @cldev: the pointer to the MEI client device
145  * @nvm: the data returned by the CSME for the NVM
146  * @filters: the filters sent by CSME
147  * @got_ownership: true if we own the device
148  * @amt_enabled: true if CSME has wireless enabled
149  * @csa_throttled: when true, we can't send CHECK_SHARED_AREA over the MEI
150  *	bus, but rather need to wait until send_csa_msg_wk runs
151  * @csme_taking_ownership: true when CSME is taking ownership. Used to remember
152  *	to send CSME_OWNERSHIP_CONFIRMED when the driver completes its down
153  *	flow.
154  * @link_prot_state: true when we are in link protection PASSIVE
155  * @device_down: true if the device is down. Used to remember to send
156  *	CSME_OWNERSHIP_CONFIRMED when the driver is already down.
157  * @csa_throttle_end_wk: used when &csa_throttled is true
158  * @pldr_wq: the wait queue for PLDR flow
159  * @pldr_active: PLDR flow is in progress
160  * @data_q_lock: protects the access to the data queues which are
161  *	accessed without the mutex.
162  * @netdev_work: used to defer registering and unregistering of the netdev to
163  *	avoid taking the rtnl lock in the SAP messages handlers.
164  * @ownership_dwork: used to re-ask for NIC ownership after ownership was taken
165  *	by CSME or when a previous ownership request failed.
166  * @sap_seq_no: the sequence number for the SAP messages
167  * @seq_no: the sequence number for the SAP messages
168  * @dbgfs_dir: the debugfs dir entry
169  */
170 struct iwl_mei {
171 	wait_queue_head_t get_nvm_wq;
172 	struct work_struct send_csa_msg_wk;
173 	wait_queue_head_t get_ownership_wq;
174 	struct iwl_mei_shared_mem_ptrs shared_mem;
175 	struct mei_cl_device *cldev;
176 	struct iwl_mei_nvm *nvm;
177 	struct iwl_mei_filters __rcu *filters;
178 	bool got_ownership;
179 	bool amt_enabled;
180 	bool csa_throttled;
181 	bool csme_taking_ownership;
182 	bool link_prot_state;
183 	bool device_down;
184 	struct delayed_work csa_throttle_end_wk;
185 	wait_queue_head_t pldr_wq;
186 	bool pldr_active;
187 	spinlock_t data_q_lock;
188 	struct work_struct netdev_work;
189 	struct delayed_work ownership_dwork;
190 
191 	atomic_t sap_seq_no;
192 	atomic_t seq_no;
193 
194 	struct dentry *dbgfs_dir;
195 };
196 
197 /**
198  * struct iwl_mei_cache - cache for the parameters from iwlwifi
199  * @ops: Callbacks to iwlwifi.
200  * @netdev: The netdev that will be used to transmit / receive packets.
201  * @conn_info: The connection info message triggered by iwlwifi's association.
202  * @power_limit: pointer to an array of 10 elements (le16) represents the power
203  *	restrictions per chain.
204  * @rf_kill: rf kill state.
205  * @mcc: MCC info
206  * @mac_address: interface MAC address.
207  * @nvm_address: NVM MAC address.
208  * @priv: A pointer to iwlwifi.
209  *
210  * This used to cache the configurations coming from iwlwifi's way. The data
211  * is cached here so that we can buffer the configuration even if we don't have
212  * a bind from the mei bus and hence, on iwl_mei structure.
213  */
214 struct iwl_mei_cache {
215 	const struct iwl_mei_ops *ops;
216 	struct net_device __rcu *netdev;
217 	const struct iwl_sap_notif_connection_info *conn_info;
218 	const __le16 *power_limit;
219 	u32 rf_kill;
220 	u16 mcc;
221 	u8 mac_address[6];
222 	u8 nvm_address[6];
223 	void *priv;
224 };
225 
226 static struct iwl_mei_cache iwl_mei_cache = {
227 	.rf_kill = SAP_HW_RFKILL_DEASSERTED | SAP_SW_RFKILL_DEASSERTED
228 };
229 
230 static void iwl_mei_free_shared_mem(struct mei_cl_device *cldev)
231 {
232 	struct iwl_mei *mei = mei_cldev_get_drvdata(cldev);
233 
234 	if (mei_cldev_dma_unmap(cldev))
235 		dev_err(&cldev->dev, "Couldn't unmap the shared mem properly\n");
236 	memset(&mei->shared_mem, 0, sizeof(mei->shared_mem));
237 }
238 
239 #define HBM_DMA_BUF_ID_WLAN 1
240 
241 static int iwl_mei_alloc_shared_mem(struct mei_cl_device *cldev)
242 {
243 	struct iwl_mei *mei = mei_cldev_get_drvdata(cldev);
244 	struct iwl_mei_shared_mem_ptrs *mem = &mei->shared_mem;
245 
246 	mem->ctrl = mei_cldev_dma_map(cldev, HBM_DMA_BUF_ID_WLAN,
247 				       IWL_MEI_SAP_SHARED_MEM_SZ);
248 
249 	if (IS_ERR(mem->ctrl)) {
250 		int ret = PTR_ERR(mem->ctrl);
251 
252 		mem->ctrl = NULL;
253 
254 		return ret;
255 	}
256 
257 	memset(mem->ctrl, 0, IWL_MEI_SAP_SHARED_MEM_SZ);
258 
259 	return 0;
260 }
261 
262 static void iwl_mei_init_shared_mem(struct iwl_mei *mei)
263 {
264 	struct iwl_mei_shared_mem_ptrs *mem = &mei->shared_mem;
265 	struct iwl_sap_dir *h2m;
266 	struct iwl_sap_dir *m2h;
267 	int dir, queue;
268 	u8 *q_head;
269 
270 	mem->ctrl->sap_id = cpu_to_le32(SAP_CONTROL_BLOCK_ID);
271 
272 	mem->ctrl->size = cpu_to_le32(sizeof(*mem->ctrl));
273 
274 	h2m = &mem->ctrl->dir[SAP_DIRECTION_HOST_TO_ME];
275 	m2h = &mem->ctrl->dir[SAP_DIRECTION_ME_TO_HOST];
276 
277 	h2m->q_ctrl_blk[SAP_QUEUE_IDX_DATA].size =
278 		cpu_to_le32(SAP_H2M_DATA_Q_SZ);
279 	h2m->q_ctrl_blk[SAP_QUEUE_IDX_NOTIF].size =
280 		cpu_to_le32(SAP_H2M_NOTIF_Q_SZ);
281 	m2h->q_ctrl_blk[SAP_QUEUE_IDX_DATA].size =
282 		cpu_to_le32(SAP_M2H_DATA_Q_SZ);
283 	m2h->q_ctrl_blk[SAP_QUEUE_IDX_NOTIF].size =
284 		cpu_to_le32(SAP_M2H_NOTIF_Q_SZ);
285 
286 	/* q_head points to the start of the first queue */
287 	q_head = (void *)(mem->ctrl + 1);
288 
289 	/* Initialize the queue heads */
290 	for (dir = 0; dir < SAP_DIRECTION_MAX; dir++) {
291 		for (queue = 0; queue < SAP_QUEUE_IDX_MAX; queue++) {
292 			mem->q_head[dir][queue] = q_head;
293 			q_head +=
294 				le32_to_cpu(mem->ctrl->dir[dir].q_ctrl_blk[queue].size);
295 			mem->q_size[dir][queue] =
296 				le32_to_cpu(mem->ctrl->dir[dir].q_ctrl_blk[queue].size);
297 		}
298 	}
299 
300 	*(__le32 *)q_head = cpu_to_le32(SAP_CONTROL_BLOCK_ID);
301 }
302 
303 static ssize_t iwl_mei_write_cyclic_buf(struct mei_cl_device *cldev,
304 					struct iwl_sap_q_ctrl_blk *notif_q,
305 					u8 *q_head,
306 					const struct iwl_sap_hdr *hdr,
307 					u32 q_sz)
308 {
309 	u32 rd = le32_to_cpu(READ_ONCE(notif_q->rd_ptr));
310 	u32 wr = le32_to_cpu(READ_ONCE(notif_q->wr_ptr));
311 	size_t room_in_buf;
312 	size_t tx_sz = sizeof(*hdr) + le16_to_cpu(hdr->len);
313 
314 	if (rd > q_sz || wr > q_sz) {
315 		dev_err(&cldev->dev,
316 			"Pointers are past the end of the buffer\n");
317 		return -EINVAL;
318 	}
319 
320 	room_in_buf = wr >= rd ? q_sz - wr + rd : rd - wr;
321 
322 	/* we don't have enough room for the data to write */
323 	if (room_in_buf < tx_sz) {
324 		dev_err(&cldev->dev,
325 			"Not enough room in the buffer\n");
326 		return -ENOSPC;
327 	}
328 
329 	if (wr + tx_sz <= q_sz) {
330 		memcpy(q_head + wr, hdr, tx_sz);
331 	} else {
332 		memcpy(q_head + wr, hdr, q_sz - wr);
333 		memcpy(q_head, (const u8 *)hdr + q_sz - wr, tx_sz - (q_sz - wr));
334 	}
335 
336 	WRITE_ONCE(notif_q->wr_ptr, cpu_to_le32((wr + tx_sz) % q_sz));
337 	return 0;
338 }
339 
340 static bool iwl_mei_host_to_me_data_pending(const struct iwl_mei *mei)
341 {
342 	struct iwl_sap_q_ctrl_blk *notif_q;
343 	struct iwl_sap_dir *dir;
344 
345 	dir = &mei->shared_mem.ctrl->dir[SAP_DIRECTION_HOST_TO_ME];
346 	notif_q = &dir->q_ctrl_blk[SAP_QUEUE_IDX_DATA];
347 
348 	if (READ_ONCE(notif_q->wr_ptr) != READ_ONCE(notif_q->rd_ptr))
349 		return true;
350 
351 	notif_q = &dir->q_ctrl_blk[SAP_QUEUE_IDX_NOTIF];
352 	return READ_ONCE(notif_q->wr_ptr) != READ_ONCE(notif_q->rd_ptr);
353 }
354 
355 static int iwl_mei_send_check_shared_area(struct mei_cl_device *cldev)
356 {
357 	struct iwl_mei *mei = mei_cldev_get_drvdata(cldev);
358 	struct iwl_sap_me_msg_start msg = {
359 		.hdr.type = cpu_to_le32(SAP_ME_MSG_CHECK_SHARED_AREA),
360 		.hdr.seq_num = cpu_to_le32(atomic_inc_return(&mei->seq_no)),
361 	};
362 	int ret;
363 
364 	lockdep_assert_held(&iwl_mei_mutex);
365 
366 	if (mei->csa_throttled)
367 		return 0;
368 
369 	trace_iwlmei_me_msg(&msg.hdr, true);
370 	ret = mei_cldev_send(cldev, (void *)&msg, sizeof(msg));
371 	if (ret != sizeof(msg)) {
372 		dev_err(&cldev->dev,
373 			"failed to send the SAP_ME_MSG_CHECK_SHARED_AREA message %d\n",
374 			ret);
375 		return ret;
376 	}
377 
378 	mei->csa_throttled = true;
379 
380 	schedule_delayed_work(&mei->csa_throttle_end_wk,
381 			      msecs_to_jiffies(100));
382 
383 	return 0;
384 }
385 
386 static void iwl_mei_csa_throttle_end_wk(struct work_struct *wk)
387 {
388 	struct iwl_mei *mei =
389 		container_of(wk, struct iwl_mei, csa_throttle_end_wk.work);
390 
391 	mutex_lock(&iwl_mei_mutex);
392 
393 	mei->csa_throttled = false;
394 
395 	if (iwl_mei_host_to_me_data_pending(mei))
396 		iwl_mei_send_check_shared_area(mei->cldev);
397 
398 	mutex_unlock(&iwl_mei_mutex);
399 }
400 
401 static int iwl_mei_send_sap_msg_payload(struct mei_cl_device *cldev,
402 					struct iwl_sap_hdr *hdr)
403 {
404 	struct iwl_mei *mei = mei_cldev_get_drvdata(cldev);
405 	struct iwl_sap_q_ctrl_blk *notif_q;
406 	struct iwl_sap_dir *dir;
407 	void *q_head;
408 	u32 q_sz;
409 	int ret;
410 
411 	lockdep_assert_held(&iwl_mei_mutex);
412 
413 	if (!mei->shared_mem.ctrl) {
414 		dev_err(&cldev->dev,
415 			"No shared memory, can't send any SAP message\n");
416 		return -EINVAL;
417 	}
418 
419 	if (!iwl_mei_is_connected()) {
420 		dev_err(&cldev->dev,
421 			"Can't send a SAP message if we're not connected\n");
422 		return -ENODEV;
423 	}
424 
425 	hdr->seq_num = cpu_to_le32(atomic_inc_return(&mei->sap_seq_no));
426 	dev_dbg(&cldev->dev, "Sending %d\n", hdr->type);
427 
428 	dir = &mei->shared_mem.ctrl->dir[SAP_DIRECTION_HOST_TO_ME];
429 	notif_q = &dir->q_ctrl_blk[SAP_QUEUE_IDX_NOTIF];
430 	q_head = mei->shared_mem.q_head[SAP_DIRECTION_HOST_TO_ME][SAP_QUEUE_IDX_NOTIF];
431 	q_sz = mei->shared_mem.q_size[SAP_DIRECTION_HOST_TO_ME][SAP_QUEUE_IDX_NOTIF];
432 	ret = iwl_mei_write_cyclic_buf(q_head, notif_q, q_head, hdr, q_sz);
433 
434 	if (ret < 0)
435 		return ret;
436 
437 	trace_iwlmei_sap_cmd(hdr, true);
438 
439 	return iwl_mei_send_check_shared_area(cldev);
440 }
441 
442 void iwl_mei_add_data_to_ring(struct sk_buff *skb, bool cb_tx)
443 {
444 	struct iwl_sap_q_ctrl_blk *notif_q;
445 	struct iwl_sap_dir *dir;
446 	struct iwl_mei *mei;
447 	size_t room_in_buf;
448 	size_t tx_sz;
449 	size_t hdr_sz;
450 	u32 q_sz;
451 	u32 rd;
452 	u32 wr;
453 	u8 *q_head;
454 
455 	if (!iwl_mei_global_cldev)
456 		return;
457 
458 	mei = mei_cldev_get_drvdata(iwl_mei_global_cldev);
459 
460 	/*
461 	 * We access this path for Rx packets (the more common case)
462 	 * and from Tx path when we send DHCP packets, the latter is
463 	 * very unlikely.
464 	 * Take the lock already here to make sure we see that remove()
465 	 * might have cleared the IWL_MEI_STATUS_SAP_CONNECTED bit.
466 	 */
467 	spin_lock_bh(&mei->data_q_lock);
468 
469 	if (!iwl_mei_is_connected()) {
470 		spin_unlock_bh(&mei->data_q_lock);
471 		return;
472 	}
473 
474 	/*
475 	 * We are in a RCU critical section and the remove from the CSME bus
476 	 * which would free this memory waits for the readers to complete (this
477 	 * is done in netdev_rx_handler_unregister).
478 	 */
479 	dir = &mei->shared_mem.ctrl->dir[SAP_DIRECTION_HOST_TO_ME];
480 	notif_q = &dir->q_ctrl_blk[SAP_QUEUE_IDX_DATA];
481 	q_head = mei->shared_mem.q_head[SAP_DIRECTION_HOST_TO_ME][SAP_QUEUE_IDX_DATA];
482 	q_sz = mei->shared_mem.q_size[SAP_DIRECTION_HOST_TO_ME][SAP_QUEUE_IDX_DATA];
483 
484 	rd = le32_to_cpu(READ_ONCE(notif_q->rd_ptr));
485 	wr = le32_to_cpu(READ_ONCE(notif_q->wr_ptr));
486 	hdr_sz = cb_tx ? sizeof(struct iwl_sap_cb_data) :
487 			 sizeof(struct iwl_sap_hdr);
488 	tx_sz = skb->len + hdr_sz;
489 
490 	if (rd > q_sz || wr > q_sz) {
491 		dev_err(&mei->cldev->dev,
492 			"can't write the data: pointers are past the end of the buffer\n");
493 		goto out;
494 	}
495 
496 	room_in_buf = wr >= rd ? q_sz - wr + rd : rd - wr;
497 
498 	/* we don't have enough room for the data to write */
499 	if (room_in_buf < tx_sz) {
500 		dev_err(&mei->cldev->dev,
501 			"Not enough room in the buffer for this data\n");
502 		goto out;
503 	}
504 
505 	if (skb_headroom(skb) < hdr_sz) {
506 		dev_err(&mei->cldev->dev,
507 			"Not enough headroom in the skb to write the SAP header\n");
508 		goto out;
509 	}
510 
511 	if (cb_tx) {
512 		struct iwl_sap_cb_data *cb_hdr = skb_push(skb, sizeof(*cb_hdr));
513 
514 		memset(cb_hdr, 0, sizeof(*cb_hdr));
515 		cb_hdr->hdr.type = cpu_to_le16(SAP_MSG_CB_DATA_PACKET);
516 		cb_hdr->hdr.len = cpu_to_le16(skb->len - sizeof(cb_hdr->hdr));
517 		cb_hdr->hdr.seq_num = cpu_to_le32(atomic_inc_return(&mei->sap_seq_no));
518 		cb_hdr->to_me_filt_status = cpu_to_le32(BIT(CB_TX_DHCP_FILT_IDX));
519 		cb_hdr->data_len = cpu_to_le32(skb->len - sizeof(*cb_hdr));
520 		trace_iwlmei_sap_data(skb, IWL_SAP_TX_DHCP);
521 	} else {
522 		struct iwl_sap_hdr *hdr = skb_push(skb, sizeof(*hdr));
523 
524 		hdr->type = cpu_to_le16(SAP_MSG_DATA_PACKET);
525 		hdr->len = cpu_to_le16(skb->len - sizeof(*hdr));
526 		hdr->seq_num = cpu_to_le32(atomic_inc_return(&mei->sap_seq_no));
527 		trace_iwlmei_sap_data(skb, IWL_SAP_TX_DATA_FROM_AIR);
528 	}
529 
530 	if (wr + tx_sz <= q_sz) {
531 		skb_copy_bits(skb, 0, q_head + wr, tx_sz);
532 	} else {
533 		skb_copy_bits(skb, 0, q_head + wr, q_sz - wr);
534 		skb_copy_bits(skb, q_sz - wr, q_head, tx_sz - (q_sz - wr));
535 	}
536 
537 	WRITE_ONCE(notif_q->wr_ptr, cpu_to_le32((wr + tx_sz) % q_sz));
538 
539 out:
540 	spin_unlock_bh(&mei->data_q_lock);
541 }
542 
543 static int
544 iwl_mei_send_sap_msg(struct mei_cl_device *cldev, u16 type)
545 {
546 	struct iwl_sap_hdr msg = {
547 		.type = cpu_to_le16(type),
548 	};
549 
550 	return iwl_mei_send_sap_msg_payload(cldev, &msg);
551 }
552 
553 static void iwl_mei_send_csa_msg_wk(struct work_struct *wk)
554 {
555 	struct iwl_mei *mei =
556 		container_of(wk, struct iwl_mei, send_csa_msg_wk);
557 
558 	if (!iwl_mei_is_connected())
559 		return;
560 
561 	mutex_lock(&iwl_mei_mutex);
562 
563 	iwl_mei_send_check_shared_area(mei->cldev);
564 
565 	mutex_unlock(&iwl_mei_mutex);
566 }
567 
568 /* Called in a RCU read critical section from netif_receive_skb */
569 static rx_handler_result_t iwl_mei_rx_handler(struct sk_buff **pskb)
570 {
571 	struct sk_buff *skb = *pskb;
572 	struct iwl_mei *mei =
573 		rcu_dereference(skb->dev->rx_handler_data);
574 	struct iwl_mei_filters *filters = rcu_dereference(mei->filters);
575 	bool rx_for_csme = false;
576 	rx_handler_result_t res;
577 
578 	/*
579 	 * remove() unregisters this handler and synchronize_net, so this
580 	 * should never happen.
581 	 */
582 	if (!iwl_mei_is_connected()) {
583 		dev_err(&mei->cldev->dev,
584 			"Got an Rx packet, but we're not connected to SAP?\n");
585 		return RX_HANDLER_PASS;
586 	}
587 
588 	if (filters)
589 		res = iwl_mei_rx_filter(skb, &filters->filters, &rx_for_csme);
590 	else
591 		res = RX_HANDLER_PASS;
592 
593 	/*
594 	 * The data is already on the ring of the shared area, all we
595 	 * need to do is to tell the CSME firmware to check what we have
596 	 * there.
597 	 */
598 	if (rx_for_csme)
599 		schedule_work(&mei->send_csa_msg_wk);
600 
601 	if (res != RX_HANDLER_PASS) {
602 		trace_iwlmei_sap_data(skb, IWL_SAP_RX_DATA_DROPPED_FROM_AIR);
603 		dev_kfree_skb(skb);
604 	}
605 
606 	return res;
607 }
608 
609 static void iwl_mei_netdev_work(struct work_struct *wk)
610 {
611 	struct iwl_mei *mei =
612 		container_of(wk, struct iwl_mei, netdev_work);
613 	struct net_device *netdev;
614 
615 	/*
616 	 * First take rtnl and only then the mutex to avoid an ABBA
617 	 * with iwl_mei_set_netdev()
618 	 */
619 	rtnl_lock();
620 	mutex_lock(&iwl_mei_mutex);
621 
622 	netdev = rcu_dereference_protected(iwl_mei_cache.netdev,
623 					   lockdep_is_held(&iwl_mei_mutex));
624 	if (netdev) {
625 		if (mei->amt_enabled)
626 			netdev_rx_handler_register(netdev, iwl_mei_rx_handler,
627 						   mei);
628 		else
629 			netdev_rx_handler_unregister(netdev);
630 	}
631 
632 	mutex_unlock(&iwl_mei_mutex);
633 	rtnl_unlock();
634 }
635 
636 static void
637 iwl_mei_handle_rx_start_ok(struct mei_cl_device *cldev,
638 			   const struct iwl_sap_me_msg_start_ok *rsp,
639 			   ssize_t len)
640 {
641 	if (len != sizeof(*rsp)) {
642 		dev_err(&cldev->dev,
643 			"got invalid SAP_ME_MSG_START_OK from CSME firmware\n");
644 		dev_err(&cldev->dev,
645 			"size is incorrect: %zd instead of %zu\n",
646 			len, sizeof(*rsp));
647 		return;
648 	}
649 
650 	if (rsp->supported_version != SAP_VERSION) {
651 		dev_err(&cldev->dev,
652 			"didn't get the expected version: got %d\n",
653 			rsp->supported_version);
654 		return;
655 	}
656 
657 	mutex_lock(&iwl_mei_mutex);
658 	set_bit(IWL_MEI_STATUS_SAP_CONNECTED, &iwl_mei_status);
659 	/*
660 	 * We'll receive AMT_STATE SAP message in a bit and
661 	 * that will continue the flow
662 	 */
663 	mutex_unlock(&iwl_mei_mutex);
664 }
665 
666 static void iwl_mei_handle_csme_filters(struct mei_cl_device *cldev,
667 					const struct iwl_sap_csme_filters *filters)
668 {
669 	struct iwl_mei *mei = mei_cldev_get_drvdata(iwl_mei_global_cldev);
670 	struct iwl_mei_filters *new_filters;
671 	struct iwl_mei_filters *old_filters;
672 
673 	old_filters =
674 		rcu_dereference_protected(mei->filters,
675 					  lockdep_is_held(&iwl_mei_mutex));
676 
677 	new_filters = kzalloc(sizeof(*new_filters), GFP_KERNEL);
678 	if (!new_filters)
679 		return;
680 
681 	/* Copy the OOB filters */
682 	new_filters->filters = filters->filters;
683 
684 	rcu_assign_pointer(mei->filters, new_filters);
685 
686 	if (old_filters)
687 		kfree_rcu(old_filters, rcu_head);
688 }
689 
690 static void
691 iwl_mei_handle_conn_status(struct mei_cl_device *cldev,
692 			   const struct iwl_sap_notif_conn_status *status)
693 {
694 	struct iwl_mei *mei = mei_cldev_get_drvdata(cldev);
695 	struct iwl_mei_conn_info conn_info = {
696 		.lp_state = le32_to_cpu(status->link_prot_state),
697 		.ssid_len = le32_to_cpu(status->conn_info.ssid_len),
698 		.channel = status->conn_info.channel,
699 		.band = status->conn_info.band,
700 		.auth_mode = le32_to_cpu(status->conn_info.auth_mode),
701 		.pairwise_cipher = le32_to_cpu(status->conn_info.pairwise_cipher),
702 	};
703 
704 	if (!iwl_mei_cache.ops ||
705 	    conn_info.ssid_len > ARRAY_SIZE(conn_info.ssid))
706 		return;
707 
708 	memcpy(conn_info.ssid, status->conn_info.ssid, conn_info.ssid_len);
709 	ether_addr_copy(conn_info.bssid, status->conn_info.bssid);
710 
711 	iwl_mei_cache.ops->me_conn_status(iwl_mei_cache.priv, &conn_info);
712 
713 	mei->link_prot_state = status->link_prot_state;
714 
715 	/*
716 	 * Update the Rfkill state in case the host does not own the device:
717 	 * if we are in Link Protection, ask to not touch the device, else,
718 	 * unblock rfkill.
719 	 * If the host owns the device, inform the user space whether it can
720 	 * roam.
721 	 */
722 	if (mei->got_ownership)
723 		iwl_mei_cache.ops->roaming_forbidden(iwl_mei_cache.priv,
724 						     status->link_prot_state);
725 	else
726 		iwl_mei_cache.ops->rfkill(iwl_mei_cache.priv,
727 					  status->link_prot_state, false);
728 }
729 
730 static void iwl_mei_set_init_conf(struct iwl_mei *mei)
731 {
732 	struct iwl_sap_notif_host_link_up link_msg = {
733 		.hdr.type = cpu_to_le16(SAP_MSG_NOTIF_HOST_LINK_UP),
734 		.hdr.len = cpu_to_le16(sizeof(link_msg) - sizeof(link_msg.hdr)),
735 	};
736 	struct iwl_sap_notif_country_code mcc_msg = {
737 		.hdr.type = cpu_to_le16(SAP_MSG_NOTIF_COUNTRY_CODE),
738 		.hdr.len = cpu_to_le16(sizeof(mcc_msg) - sizeof(mcc_msg.hdr)),
739 		.mcc = cpu_to_le16(iwl_mei_cache.mcc),
740 	};
741 	struct iwl_sap_notif_sar_limits sar_msg = {
742 		.hdr.type = cpu_to_le16(SAP_MSG_NOTIF_SAR_LIMITS),
743 		.hdr.len = cpu_to_le16(sizeof(sar_msg) - sizeof(sar_msg.hdr)),
744 	};
745 	struct iwl_sap_notif_host_nic_info nic_info_msg = {
746 		.hdr.type = cpu_to_le16(SAP_MSG_NOTIF_NIC_INFO),
747 		.hdr.len = cpu_to_le16(sizeof(nic_info_msg) - sizeof(nic_info_msg.hdr)),
748 	};
749 	struct iwl_sap_msg_dw rfkill_msg = {
750 		.hdr.type = cpu_to_le16(SAP_MSG_NOTIF_RADIO_STATE),
751 		.hdr.len = cpu_to_le16(sizeof(rfkill_msg) - sizeof(rfkill_msg.hdr)),
752 		.val = cpu_to_le32(iwl_mei_cache.rf_kill),
753 	};
754 
755 	/* wifi driver has registered already */
756 	if (iwl_mei_cache.ops) {
757 		iwl_mei_send_sap_msg(mei->cldev,
758 				     SAP_MSG_NOTIF_WIFIDR_UP);
759 		iwl_mei_cache.ops->sap_connected(iwl_mei_cache.priv);
760 	}
761 
762 	iwl_mei_send_sap_msg(mei->cldev, SAP_MSG_NOTIF_WHO_OWNS_NIC);
763 
764 	if (iwl_mei_cache.conn_info) {
765 		link_msg.conn_info = *iwl_mei_cache.conn_info;
766 		iwl_mei_send_sap_msg_payload(mei->cldev, &link_msg.hdr);
767 	}
768 
769 	iwl_mei_send_sap_msg_payload(mei->cldev, &mcc_msg.hdr);
770 
771 	if (iwl_mei_cache.power_limit) {
772 		memcpy(sar_msg.sar_chain_info_table, iwl_mei_cache.power_limit,
773 		       sizeof(sar_msg.sar_chain_info_table));
774 		iwl_mei_send_sap_msg_payload(mei->cldev, &sar_msg.hdr);
775 	}
776 
777 	if (is_valid_ether_addr(iwl_mei_cache.mac_address)) {
778 		ether_addr_copy(nic_info_msg.mac_address,
779 				iwl_mei_cache.mac_address);
780 		ether_addr_copy(nic_info_msg.nvm_address,
781 				iwl_mei_cache.nvm_address);
782 		iwl_mei_send_sap_msg_payload(mei->cldev, &nic_info_msg.hdr);
783 	}
784 
785 	iwl_mei_send_sap_msg_payload(mei->cldev, &rfkill_msg.hdr);
786 }
787 
788 static void iwl_mei_handle_amt_state(struct mei_cl_device *cldev,
789 				     const struct iwl_sap_msg_dw *dw)
790 {
791 	struct iwl_mei *mei = mei_cldev_get_drvdata(cldev);
792 
793 	mutex_lock(&iwl_mei_mutex);
794 
795 	if (mei->amt_enabled == !!le32_to_cpu(dw->val))
796 		goto out;
797 
798 	mei->amt_enabled = dw->val;
799 
800 	if (mei->amt_enabled)
801 		iwl_mei_set_init_conf(mei);
802 	else if (iwl_mei_cache.ops)
803 		iwl_mei_cache.ops->rfkill(iwl_mei_cache.priv, false, false);
804 
805 	schedule_work(&mei->netdev_work);
806 
807 out:
808 	mutex_unlock(&iwl_mei_mutex);
809 }
810 
811 static void iwl_mei_handle_nic_owner(struct mei_cl_device *cldev,
812 				     const struct iwl_sap_msg_dw *dw)
813 {
814 	struct iwl_mei *mei = mei_cldev_get_drvdata(cldev);
815 
816 	mei->got_ownership = dw->val != cpu_to_le32(SAP_NIC_OWNER_ME);
817 }
818 
819 static void iwl_mei_handle_can_release_ownership(struct mei_cl_device *cldev,
820 						 const void *payload)
821 {
822 	/* We can get ownership and driver is registered, go ahead */
823 	if (iwl_mei_cache.ops)
824 		iwl_mei_send_sap_msg(cldev,
825 				     SAP_MSG_NOTIF_HOST_ASKS_FOR_NIC_OWNERSHIP);
826 }
827 
828 static void iwl_mei_handle_csme_taking_ownership(struct mei_cl_device *cldev,
829 						 const void *payload)
830 {
831 	struct iwl_mei *mei = mei_cldev_get_drvdata(cldev);
832 
833 	dev_info(&cldev->dev, "CSME takes ownership\n");
834 
835 	mei->got_ownership = false;
836 
837 	if (iwl_mei_cache.ops && !mei->device_down) {
838 		/*
839 		 * Remember to send CSME_OWNERSHIP_CONFIRMED when the wifi
840 		 * driver is finished taking the device down.
841 		 */
842 		mei->csme_taking_ownership = true;
843 
844 		iwl_mei_cache.ops->rfkill(iwl_mei_cache.priv, true, true);
845 	} else {
846 		iwl_mei_send_sap_msg(cldev,
847 				     SAP_MSG_NOTIF_CSME_OWNERSHIP_CONFIRMED);
848 		schedule_delayed_work(&mei->ownership_dwork,
849 				      MEI_OWNERSHIP_RETAKE_TIMEOUT_MS);
850 	}
851 }
852 
853 static void iwl_mei_handle_nvm(struct mei_cl_device *cldev,
854 			       const struct iwl_sap_nvm *sap_nvm)
855 {
856 	struct iwl_mei *mei = mei_cldev_get_drvdata(cldev);
857 	const struct iwl_mei_nvm *mei_nvm = (const void *)sap_nvm;
858 	int i;
859 
860 	kfree(mei->nvm);
861 	mei->nvm = kzalloc(sizeof(*mei_nvm), GFP_KERNEL);
862 	if (!mei->nvm)
863 		return;
864 
865 	ether_addr_copy(mei->nvm->hw_addr, sap_nvm->hw_addr);
866 	mei->nvm->n_hw_addrs = sap_nvm->n_hw_addrs;
867 	mei->nvm->radio_cfg = le32_to_cpu(sap_nvm->radio_cfg);
868 	mei->nvm->caps = le32_to_cpu(sap_nvm->caps);
869 	mei->nvm->nvm_version = le32_to_cpu(sap_nvm->nvm_version);
870 
871 	for (i = 0; i < ARRAY_SIZE(mei->nvm->channels); i++)
872 		mei->nvm->channels[i] = le32_to_cpu(sap_nvm->channels[i]);
873 
874 	wake_up_all(&mei->get_nvm_wq);
875 }
876 
877 static void iwl_mei_handle_rx_host_own_req(struct mei_cl_device *cldev,
878 					   const struct iwl_sap_msg_dw *dw)
879 {
880 	struct iwl_mei *mei = mei_cldev_get_drvdata(cldev);
881 
882 	/*
883 	 * This means that we can't use the wifi device right now, CSME is not
884 	 * ready to let us use it.
885 	 */
886 	if (!dw->val) {
887 		dev_info(&cldev->dev, "Ownership req denied\n");
888 		return;
889 	}
890 
891 	mei->got_ownership = true;
892 	wake_up_all(&mei->get_ownership_wq);
893 
894 	iwl_mei_send_sap_msg(cldev,
895 			     SAP_MSG_NOTIF_HOST_OWNERSHIP_CONFIRMED);
896 
897 	/* We can now start the connection, unblock rfkill */
898 	if (iwl_mei_cache.ops)
899 		iwl_mei_cache.ops->rfkill(iwl_mei_cache.priv, false, false);
900 }
901 
902 static void iwl_mei_handle_pldr_ack(struct mei_cl_device *cldev,
903 				    const struct iwl_sap_pldr_ack_data *ack)
904 {
905 	struct iwl_mei *mei = mei_cldev_get_drvdata(cldev);
906 
907 	mei->pldr_active = le32_to_cpu(ack->status) == SAP_PLDR_STATUS_SUCCESS;
908 	wake_up_all(&mei->pldr_wq);
909 }
910 
911 static void iwl_mei_handle_ping(struct mei_cl_device *cldev,
912 				const struct iwl_sap_hdr *hdr)
913 {
914 	iwl_mei_send_sap_msg(cldev, SAP_MSG_NOTIF_PONG);
915 }
916 
917 static void iwl_mei_handle_sap_msg(struct mei_cl_device *cldev,
918 				   const struct iwl_sap_hdr *hdr)
919 {
920 	u16 len = le16_to_cpu(hdr->len) + sizeof(*hdr);
921 	u16 type = le16_to_cpu(hdr->type);
922 
923 	dev_dbg(&cldev->dev,
924 		"Got a new SAP message: type %d, len %d, seq %d\n",
925 		le16_to_cpu(hdr->type), len,
926 		le32_to_cpu(hdr->seq_num));
927 
928 #define SAP_MSG_HANDLER(_cmd, _handler, _sz)				\
929 	case SAP_MSG_NOTIF_ ## _cmd:					\
930 		if (len < _sz) {					\
931 			dev_err(&cldev->dev,				\
932 				"Bad size for %d: %u < %u\n",		\
933 				le16_to_cpu(hdr->type),			\
934 				(unsigned int)len,			\
935 				(unsigned int)_sz);			\
936 			break;						\
937 		}							\
938 		mutex_lock(&iwl_mei_mutex);				\
939 		_handler(cldev, (const void *)hdr);			\
940 		mutex_unlock(&iwl_mei_mutex);				\
941 		break
942 
943 #define SAP_MSG_HANDLER_NO_LOCK(_cmd, _handler, _sz)			\
944 	case SAP_MSG_NOTIF_ ## _cmd:					\
945 		if (len < _sz) {					\
946 			dev_err(&cldev->dev,				\
947 				"Bad size for %d: %u < %u\n",		\
948 				le16_to_cpu(hdr->type),			\
949 				(unsigned int)len,			\
950 				(unsigned int)_sz);			\
951 			break;						\
952 		}							\
953 		_handler(cldev, (const void *)hdr);			\
954 		break
955 
956 #define SAP_MSG_HANDLER_NO_HANDLER(_cmd, _sz)				\
957 	case SAP_MSG_NOTIF_ ## _cmd:					\
958 		if (len < _sz) {					\
959 			dev_err(&cldev->dev,				\
960 				"Bad size for %d: %u < %u\n",		\
961 				le16_to_cpu(hdr->type),			\
962 				(unsigned int)len,			\
963 				(unsigned int)_sz);			\
964 			break;						\
965 		}							\
966 		break
967 
968 	switch (type) {
969 	SAP_MSG_HANDLER(PING, iwl_mei_handle_ping, 0);
970 	SAP_MSG_HANDLER(CSME_FILTERS,
971 			iwl_mei_handle_csme_filters,
972 			sizeof(struct iwl_sap_csme_filters));
973 	SAP_MSG_HANDLER(CSME_CONN_STATUS,
974 			iwl_mei_handle_conn_status,
975 			sizeof(struct iwl_sap_notif_conn_status));
976 	SAP_MSG_HANDLER_NO_LOCK(AMT_STATE,
977 				iwl_mei_handle_amt_state,
978 				sizeof(struct iwl_sap_msg_dw));
979 	SAP_MSG_HANDLER_NO_HANDLER(PONG, 0);
980 	SAP_MSG_HANDLER(NVM, iwl_mei_handle_nvm,
981 			sizeof(struct iwl_sap_nvm));
982 	SAP_MSG_HANDLER(CSME_REPLY_TO_HOST_OWNERSHIP_REQ,
983 			iwl_mei_handle_rx_host_own_req,
984 			sizeof(struct iwl_sap_msg_dw));
985 	SAP_MSG_HANDLER(NIC_OWNER, iwl_mei_handle_nic_owner,
986 			sizeof(struct iwl_sap_msg_dw));
987 	SAP_MSG_HANDLER(CSME_CAN_RELEASE_OWNERSHIP,
988 			iwl_mei_handle_can_release_ownership, 0);
989 	SAP_MSG_HANDLER(CSME_TAKING_OWNERSHIP,
990 			iwl_mei_handle_csme_taking_ownership, 0);
991 	SAP_MSG_HANDLER(PLDR_ACK, iwl_mei_handle_pldr_ack,
992 			sizeof(struct iwl_sap_pldr_ack_data));
993 	default:
994 	/*
995 	 * This is not really an error, there are message that we decided
996 	 * to ignore, yet, it is useful to be able to leave a note if debug
997 	 * is enabled.
998 	 */
999 	dev_dbg(&cldev->dev, "Unsupported message: type %d, len %d\n",
1000 		le16_to_cpu(hdr->type), len);
1001 	}
1002 
1003 #undef SAP_MSG_HANDLER
1004 #undef SAP_MSG_HANDLER_NO_LOCK
1005 }
1006 
1007 static void iwl_mei_read_from_q(const u8 *q_head, u32 q_sz,
1008 				u32 *_rd, u32 wr,
1009 				void *_buf, u32 len)
1010 {
1011 	u8 *buf = _buf;
1012 	u32 rd = *_rd;
1013 
1014 	if (rd + len <= q_sz) {
1015 		memcpy(buf, q_head + rd, len);
1016 		rd += len;
1017 	} else {
1018 		memcpy(buf, q_head + rd, q_sz - rd);
1019 		memcpy(buf + q_sz - rd, q_head, len - (q_sz - rd));
1020 		rd = len - (q_sz - rd);
1021 	}
1022 
1023 	*_rd = rd;
1024 }
1025 
1026 #define QOS_HDR_IV_SNAP_LEN (sizeof(struct ieee80211_qos_hdr) +      \
1027 			     IEEE80211_TKIP_IV_LEN +                 \
1028 			     sizeof(rfc1042_header) + ETH_TLEN)
1029 
1030 static void iwl_mei_handle_sap_data(struct mei_cl_device *cldev,
1031 				    const u8 *q_head, u32 q_sz,
1032 				    u32 rd, u32 wr, ssize_t valid_rx_sz,
1033 				    struct sk_buff_head *tx_skbs)
1034 {
1035 	struct iwl_sap_hdr hdr;
1036 	struct net_device *netdev =
1037 		rcu_dereference_protected(iwl_mei_cache.netdev,
1038 					  lockdep_is_held(&iwl_mei_mutex));
1039 
1040 	if (!netdev)
1041 		return;
1042 
1043 	while (valid_rx_sz >= sizeof(hdr)) {
1044 		struct ethhdr *ethhdr;
1045 		unsigned char *data;
1046 		struct sk_buff *skb;
1047 		u16 len;
1048 
1049 		iwl_mei_read_from_q(q_head, q_sz, &rd, wr, &hdr, sizeof(hdr));
1050 		valid_rx_sz -= sizeof(hdr);
1051 		len = le16_to_cpu(hdr.len);
1052 
1053 		if (valid_rx_sz < len) {
1054 			dev_err(&cldev->dev,
1055 				"Data queue is corrupted: valid data len %zd, len %d\n",
1056 				valid_rx_sz, len);
1057 			break;
1058 		}
1059 
1060 		if (len < sizeof(*ethhdr)) {
1061 			dev_err(&cldev->dev,
1062 				"Data len is smaller than an ethernet header? len = %d\n",
1063 				len);
1064 		}
1065 
1066 		valid_rx_sz -= len;
1067 
1068 		if (le16_to_cpu(hdr.type) != SAP_MSG_DATA_PACKET) {
1069 			dev_err(&cldev->dev, "Unsupported Rx data: type %d, len %d\n",
1070 				le16_to_cpu(hdr.type), len);
1071 			continue;
1072 		}
1073 
1074 		/* We need enough room for the WiFi header + SNAP + IV */
1075 		skb = netdev_alloc_skb(netdev, len + QOS_HDR_IV_SNAP_LEN);
1076 		if (!skb)
1077 			continue;
1078 
1079 		skb_reserve(skb, QOS_HDR_IV_SNAP_LEN);
1080 		ethhdr = skb_push(skb, sizeof(*ethhdr));
1081 
1082 		iwl_mei_read_from_q(q_head, q_sz, &rd, wr,
1083 				    ethhdr, sizeof(*ethhdr));
1084 		len -= sizeof(*ethhdr);
1085 
1086 		skb_reset_mac_header(skb);
1087 		skb_reset_network_header(skb);
1088 		skb->protocol = ethhdr->h_proto;
1089 
1090 		data = skb_put(skb, len);
1091 		iwl_mei_read_from_q(q_head, q_sz, &rd, wr, data, len);
1092 
1093 		/*
1094 		 * Enqueue the skb here so that it can be sent later when we
1095 		 * do not hold the mutex. TX'ing a packet with a mutex held is
1096 		 * possible, but it wouldn't be nice to forbid the TX path to
1097 		 * call any of iwlmei's functions, since every API from iwlmei
1098 		 * needs the mutex.
1099 		 */
1100 		__skb_queue_tail(tx_skbs, skb);
1101 	}
1102 }
1103 
1104 static void iwl_mei_handle_sap_rx_cmd(struct mei_cl_device *cldev,
1105 				      const u8 *q_head, u32 q_sz,
1106 				      u32 rd, u32 wr, ssize_t valid_rx_sz)
1107 {
1108 	struct page *p = alloc_page(GFP_KERNEL);
1109 	struct iwl_sap_hdr *hdr;
1110 
1111 	if (!p)
1112 		return;
1113 
1114 	hdr = page_address(p);
1115 
1116 	while (valid_rx_sz >= sizeof(*hdr)) {
1117 		u16 len;
1118 
1119 		iwl_mei_read_from_q(q_head, q_sz, &rd, wr, hdr, sizeof(*hdr));
1120 		valid_rx_sz -= sizeof(*hdr);
1121 		len = le16_to_cpu(hdr->len);
1122 
1123 		if (valid_rx_sz < len)
1124 			break;
1125 
1126 		iwl_mei_read_from_q(q_head, q_sz, &rd, wr, hdr + 1, len);
1127 
1128 		trace_iwlmei_sap_cmd(hdr, false);
1129 		iwl_mei_handle_sap_msg(cldev, hdr);
1130 		valid_rx_sz -= len;
1131 	}
1132 
1133 	/* valid_rx_sz must be 0 now... */
1134 	if (valid_rx_sz)
1135 		dev_err(&cldev->dev,
1136 			"More data in the buffer although we read it all\n");
1137 
1138 	__free_page(p);
1139 }
1140 
1141 static void iwl_mei_handle_sap_rx(struct mei_cl_device *cldev,
1142 				  struct iwl_sap_q_ctrl_blk *notif_q,
1143 				  const u8 *q_head,
1144 				  struct sk_buff_head *skbs,
1145 				  u32 q_sz)
1146 {
1147 	u32 rd = le32_to_cpu(READ_ONCE(notif_q->rd_ptr));
1148 	u32 wr = le32_to_cpu(READ_ONCE(notif_q->wr_ptr));
1149 	ssize_t valid_rx_sz;
1150 
1151 	if (rd > q_sz || wr > q_sz) {
1152 		dev_err(&cldev->dev,
1153 			"Pointers are past the buffer limit\n");
1154 		return;
1155 	}
1156 
1157 	if (rd == wr)
1158 		return;
1159 
1160 	valid_rx_sz = wr > rd ? wr - rd : q_sz - rd + wr;
1161 
1162 	if (skbs)
1163 		iwl_mei_handle_sap_data(cldev, q_head, q_sz, rd, wr,
1164 					valid_rx_sz, skbs);
1165 	else
1166 		iwl_mei_handle_sap_rx_cmd(cldev, q_head, q_sz, rd, wr,
1167 					  valid_rx_sz);
1168 
1169 	/* Increment the read pointer to point to the write pointer */
1170 	WRITE_ONCE(notif_q->rd_ptr, cpu_to_le32(wr));
1171 }
1172 
1173 static void iwl_mei_handle_check_shared_area(struct mei_cl_device *cldev)
1174 {
1175 	struct iwl_mei *mei = mei_cldev_get_drvdata(cldev);
1176 	struct iwl_sap_q_ctrl_blk *notif_q;
1177 	struct sk_buff_head tx_skbs;
1178 	struct iwl_sap_dir *dir;
1179 	void *q_head;
1180 	u32 q_sz;
1181 
1182 	if (!mei->shared_mem.ctrl)
1183 		return;
1184 
1185 	dir = &mei->shared_mem.ctrl->dir[SAP_DIRECTION_ME_TO_HOST];
1186 	notif_q = &dir->q_ctrl_blk[SAP_QUEUE_IDX_NOTIF];
1187 	q_head = mei->shared_mem.q_head[SAP_DIRECTION_ME_TO_HOST][SAP_QUEUE_IDX_NOTIF];
1188 	q_sz = mei->shared_mem.q_size[SAP_DIRECTION_ME_TO_HOST][SAP_QUEUE_IDX_NOTIF];
1189 
1190 	/*
1191 	 * Do not hold the mutex here, but rather each and every message
1192 	 * handler takes it.
1193 	 * This allows message handlers to take it at a certain time.
1194 	 */
1195 	iwl_mei_handle_sap_rx(cldev, notif_q, q_head, NULL, q_sz);
1196 
1197 	mutex_lock(&iwl_mei_mutex);
1198 	dir = &mei->shared_mem.ctrl->dir[SAP_DIRECTION_ME_TO_HOST];
1199 	notif_q = &dir->q_ctrl_blk[SAP_QUEUE_IDX_DATA];
1200 	q_head = mei->shared_mem.q_head[SAP_DIRECTION_ME_TO_HOST][SAP_QUEUE_IDX_DATA];
1201 	q_sz = mei->shared_mem.q_size[SAP_DIRECTION_ME_TO_HOST][SAP_QUEUE_IDX_DATA];
1202 
1203 	__skb_queue_head_init(&tx_skbs);
1204 
1205 	iwl_mei_handle_sap_rx(cldev, notif_q, q_head, &tx_skbs, q_sz);
1206 
1207 	if (skb_queue_empty(&tx_skbs)) {
1208 		mutex_unlock(&iwl_mei_mutex);
1209 		return;
1210 	}
1211 
1212 	/*
1213 	 * Take the RCU read lock before we unlock the mutex to make sure that
1214 	 * even if the netdev is replaced by another non-NULL netdev right after
1215 	 * we unlock the mutex, the old netdev will still be valid when we
1216 	 * transmit the frames. We can't allow to replace the netdev here because
1217 	 * the skbs hold a pointer to the netdev.
1218 	 */
1219 	rcu_read_lock();
1220 
1221 	mutex_unlock(&iwl_mei_mutex);
1222 
1223 	if (!rcu_access_pointer(iwl_mei_cache.netdev)) {
1224 		dev_err(&cldev->dev, "Can't Tx without a netdev\n");
1225 		skb_queue_purge(&tx_skbs);
1226 		goto out;
1227 	}
1228 
1229 	while (!skb_queue_empty(&tx_skbs)) {
1230 		struct sk_buff *skb = __skb_dequeue(&tx_skbs);
1231 
1232 		trace_iwlmei_sap_data(skb, IWL_SAP_RX_DATA_TO_AIR);
1233 		dev_queue_xmit(skb);
1234 	}
1235 
1236 out:
1237 	rcu_read_unlock();
1238 }
1239 
1240 static void iwl_mei_rx(struct mei_cl_device *cldev)
1241 {
1242 	struct iwl_sap_me_msg_hdr *hdr;
1243 	u8 msg[100];
1244 	ssize_t ret;
1245 
1246 	ret = mei_cldev_recv(cldev, (u8 *)&msg, sizeof(msg));
1247 	if (ret < 0) {
1248 		dev_err(&cldev->dev, "failed to receive data: %zd\n", ret);
1249 		return;
1250 	}
1251 
1252 	if (ret == 0) {
1253 		dev_err(&cldev->dev, "got an empty response\n");
1254 		return;
1255 	}
1256 
1257 	hdr = (void *)msg;
1258 	trace_iwlmei_me_msg(hdr, false);
1259 
1260 	switch (le32_to_cpu(hdr->type)) {
1261 	case SAP_ME_MSG_START_OK:
1262 		BUILD_BUG_ON(sizeof(struct iwl_sap_me_msg_start_ok) >
1263 			     sizeof(msg));
1264 
1265 		iwl_mei_handle_rx_start_ok(cldev, (void *)msg, ret);
1266 		break;
1267 	case SAP_ME_MSG_CHECK_SHARED_AREA:
1268 		iwl_mei_handle_check_shared_area(cldev);
1269 		break;
1270 	default:
1271 		dev_err(&cldev->dev, "got a RX notification: %d\n",
1272 			le32_to_cpu(hdr->type));
1273 		break;
1274 	}
1275 }
1276 
1277 static int iwl_mei_send_start(struct mei_cl_device *cldev)
1278 {
1279 	struct iwl_mei *mei = mei_cldev_get_drvdata(cldev);
1280 	struct iwl_sap_me_msg_start msg = {
1281 		.hdr.type = cpu_to_le32(SAP_ME_MSG_START),
1282 		.hdr.seq_num = cpu_to_le32(atomic_inc_return(&mei->seq_no)),
1283 		.hdr.len = cpu_to_le32(sizeof(msg)),
1284 		.supported_versions[0] = SAP_VERSION,
1285 		.init_data_seq_num = cpu_to_le16(0x100),
1286 		.init_notif_seq_num = cpu_to_le16(0x800),
1287 	};
1288 	int ret;
1289 
1290 	trace_iwlmei_me_msg(&msg.hdr, true);
1291 	ret = mei_cldev_send(cldev, (void *)&msg, sizeof(msg));
1292 	if (ret != sizeof(msg)) {
1293 		dev_err(&cldev->dev,
1294 			"failed to send the SAP_ME_MSG_START message %d\n",
1295 			ret);
1296 		return ret;
1297 	}
1298 
1299 	return 0;
1300 }
1301 
1302 static int iwl_mei_enable(struct mei_cl_device *cldev)
1303 {
1304 	int ret;
1305 
1306 	ret = mei_cldev_enable(cldev);
1307 	if (ret < 0) {
1308 		dev_err(&cldev->dev, "failed to enable the device: %d\n", ret);
1309 		return ret;
1310 	}
1311 
1312 	ret = mei_cldev_register_rx_cb(cldev, iwl_mei_rx);
1313 	if (ret) {
1314 		dev_err(&cldev->dev,
1315 			"failed to register to the rx cb: %d\n", ret);
1316 		mei_cldev_disable(cldev);
1317 		return ret;
1318 	}
1319 
1320 	return 0;
1321 }
1322 
1323 struct iwl_mei_nvm *iwl_mei_get_nvm(void)
1324 {
1325 	struct iwl_mei_nvm *nvm = NULL;
1326 	struct iwl_mei *mei;
1327 	int ret;
1328 
1329 	mutex_lock(&iwl_mei_mutex);
1330 
1331 	if (!iwl_mei_is_connected())
1332 		goto out;
1333 
1334 	mei = mei_cldev_get_drvdata(iwl_mei_global_cldev);
1335 
1336 	if (!mei)
1337 		goto out;
1338 
1339 	ret = iwl_mei_send_sap_msg(iwl_mei_global_cldev,
1340 				   SAP_MSG_NOTIF_GET_NVM);
1341 	if (ret)
1342 		goto out;
1343 
1344 	mutex_unlock(&iwl_mei_mutex);
1345 
1346 	ret = wait_event_timeout(mei->get_nvm_wq, mei->nvm, 2 * HZ);
1347 	if (!ret)
1348 		return NULL;
1349 
1350 	mutex_lock(&iwl_mei_mutex);
1351 
1352 	if (!iwl_mei_is_connected())
1353 		goto out;
1354 
1355 	mei = mei_cldev_get_drvdata(iwl_mei_global_cldev);
1356 
1357 	if (!mei)
1358 		goto out;
1359 
1360 	if (mei->nvm)
1361 		nvm = kmemdup(mei->nvm, sizeof(*mei->nvm), GFP_KERNEL);
1362 
1363 out:
1364 	mutex_unlock(&iwl_mei_mutex);
1365 	return nvm;
1366 }
1367 EXPORT_SYMBOL_GPL(iwl_mei_get_nvm);
1368 
1369 #define IWL_MEI_PLDR_NUM_RETRIES	3
1370 
1371 int iwl_mei_pldr_req(void)
1372 {
1373 	struct iwl_mei *mei;
1374 	int ret;
1375 	struct iwl_sap_pldr_data msg = {
1376 		.hdr.type = cpu_to_le16(SAP_MSG_NOTIF_PLDR),
1377 		.hdr.len = cpu_to_le16(sizeof(msg) - sizeof(msg.hdr)),
1378 	};
1379 	int i;
1380 
1381 	mutex_lock(&iwl_mei_mutex);
1382 
1383 	/* In case we didn't have a bind */
1384 	if (!iwl_mei_is_connected()) {
1385 		ret = 0;
1386 		goto out;
1387 	}
1388 
1389 	mei = mei_cldev_get_drvdata(iwl_mei_global_cldev);
1390 
1391 	if (!mei) {
1392 		ret = -ENODEV;
1393 		goto out;
1394 	}
1395 
1396 	if (!mei->amt_enabled) {
1397 		ret = 0;
1398 		goto out;
1399 	}
1400 
1401 	for (i = 0; i < IWL_MEI_PLDR_NUM_RETRIES; i++) {
1402 		ret = iwl_mei_send_sap_msg_payload(mei->cldev, &msg.hdr);
1403 		mutex_unlock(&iwl_mei_mutex);
1404 		if (ret)
1405 			return ret;
1406 
1407 		ret = wait_event_timeout(mei->pldr_wq, mei->pldr_active, HZ / 2);
1408 		if (ret)
1409 			break;
1410 
1411 		/* Take the mutex for the next iteration */
1412 		mutex_lock(&iwl_mei_mutex);
1413 	}
1414 
1415 	if (ret)
1416 		return 0;
1417 
1418 	ret = -ETIMEDOUT;
1419 out:
1420 	mutex_unlock(&iwl_mei_mutex);
1421 	return ret;
1422 }
1423 EXPORT_SYMBOL_GPL(iwl_mei_pldr_req);
1424 
1425 int iwl_mei_get_ownership(void)
1426 {
1427 	struct iwl_mei *mei;
1428 	int ret;
1429 
1430 	mutex_lock(&iwl_mei_mutex);
1431 
1432 	/* In case we didn't have a bind */
1433 	if (!iwl_mei_is_connected()) {
1434 		ret = 0;
1435 		goto out;
1436 	}
1437 
1438 	mei = mei_cldev_get_drvdata(iwl_mei_global_cldev);
1439 
1440 	if (!mei) {
1441 		ret = -ENODEV;
1442 		goto out;
1443 	}
1444 
1445 	if (!mei->amt_enabled) {
1446 		ret = 0;
1447 		goto out;
1448 	}
1449 
1450 	if (mei->got_ownership) {
1451 		ret = 0;
1452 		goto out;
1453 	}
1454 
1455 	ret = iwl_mei_send_sap_msg(mei->cldev,
1456 				   SAP_MSG_NOTIF_HOST_ASKS_FOR_NIC_OWNERSHIP);
1457 	if (ret)
1458 		goto out;
1459 
1460 	mutex_unlock(&iwl_mei_mutex);
1461 
1462 	ret = wait_event_timeout(mei->get_ownership_wq,
1463 				 mei->got_ownership, HZ / 2);
1464 	if (!ret) {
1465 		schedule_delayed_work(&mei->ownership_dwork,
1466 				      MEI_OWNERSHIP_RETAKE_TIMEOUT_MS);
1467 		return -ETIMEDOUT;
1468 	}
1469 
1470 	return 0;
1471 out:
1472 	mutex_unlock(&iwl_mei_mutex);
1473 	return ret;
1474 }
1475 EXPORT_SYMBOL_GPL(iwl_mei_get_ownership);
1476 
1477 void iwl_mei_alive_notif(bool success)
1478 {
1479 	struct iwl_mei *mei;
1480 	struct iwl_sap_pldr_end_data msg = {
1481 		.hdr.type = cpu_to_le16(SAP_MSG_NOTIF_PLDR_END),
1482 		.hdr.len = cpu_to_le16(sizeof(msg) - sizeof(msg.hdr)),
1483 		.status = success ? cpu_to_le32(SAP_PLDR_STATUS_SUCCESS) :
1484 			cpu_to_le32(SAP_PLDR_STATUS_FAILURE),
1485 	};
1486 
1487 	mutex_lock(&iwl_mei_mutex);
1488 
1489 	if (!iwl_mei_is_connected())
1490 		goto out;
1491 
1492 	mei = mei_cldev_get_drvdata(iwl_mei_global_cldev);
1493 	if (!mei || !mei->pldr_active)
1494 		goto out;
1495 
1496 	mei->pldr_active = false;
1497 
1498 	iwl_mei_send_sap_msg_payload(mei->cldev, &msg.hdr);
1499 out:
1500 	mutex_unlock(&iwl_mei_mutex);
1501 }
1502 EXPORT_SYMBOL_GPL(iwl_mei_alive_notif);
1503 
1504 void iwl_mei_host_associated(const struct iwl_mei_conn_info *conn_info,
1505 			     const struct iwl_mei_colloc_info *colloc_info)
1506 {
1507 	struct iwl_sap_notif_host_link_up msg = {
1508 		.hdr.type = cpu_to_le16(SAP_MSG_NOTIF_HOST_LINK_UP),
1509 		.hdr.len = cpu_to_le16(sizeof(msg) - sizeof(msg.hdr)),
1510 		.conn_info = {
1511 			.ssid_len = cpu_to_le32(conn_info->ssid_len),
1512 			.channel = conn_info->channel,
1513 			.band = conn_info->band,
1514 			.pairwise_cipher = cpu_to_le32(conn_info->pairwise_cipher),
1515 			.auth_mode = cpu_to_le32(conn_info->auth_mode),
1516 		},
1517 	};
1518 	struct iwl_mei *mei;
1519 
1520 	if (conn_info->ssid_len > ARRAY_SIZE(msg.conn_info.ssid))
1521 		return;
1522 
1523 	memcpy(msg.conn_info.ssid, conn_info->ssid, conn_info->ssid_len);
1524 	memcpy(msg.conn_info.bssid, conn_info->bssid, ETH_ALEN);
1525 
1526 	if (colloc_info) {
1527 		msg.colloc_channel = colloc_info->channel;
1528 		msg.colloc_band = colloc_info->channel <= 14 ? 0 : 1;
1529 		memcpy(msg.colloc_bssid, colloc_info->bssid, ETH_ALEN);
1530 	}
1531 
1532 	mutex_lock(&iwl_mei_mutex);
1533 
1534 	if (!iwl_mei_is_connected())
1535 		goto out;
1536 
1537 	mei = mei_cldev_get_drvdata(iwl_mei_global_cldev);
1538 
1539 	if (!mei || !mei->amt_enabled)
1540 		goto out;
1541 
1542 	iwl_mei_send_sap_msg_payload(mei->cldev, &msg.hdr);
1543 
1544 out:
1545 	kfree(iwl_mei_cache.conn_info);
1546 	iwl_mei_cache.conn_info =
1547 		kmemdup(&msg.conn_info, sizeof(msg.conn_info), GFP_KERNEL);
1548 	mutex_unlock(&iwl_mei_mutex);
1549 }
1550 EXPORT_SYMBOL_GPL(iwl_mei_host_associated);
1551 
1552 void iwl_mei_host_disassociated(void)
1553 {
1554 	struct iwl_mei *mei;
1555 	struct iwl_sap_notif_host_link_down msg = {
1556 		.hdr.type = cpu_to_le16(SAP_MSG_NOTIF_HOST_LINK_DOWN),
1557 		.hdr.len = cpu_to_le16(sizeof(msg) - sizeof(msg.hdr)),
1558 		.type = HOST_LINK_DOWN_TYPE_TEMPORARY,
1559 	};
1560 
1561 	mutex_lock(&iwl_mei_mutex);
1562 
1563 	if (!iwl_mei_is_connected())
1564 		goto out;
1565 
1566 	mei = mei_cldev_get_drvdata(iwl_mei_global_cldev);
1567 
1568 	if (!mei || !mei->amt_enabled)
1569 		goto out;
1570 
1571 	iwl_mei_send_sap_msg_payload(mei->cldev, &msg.hdr);
1572 
1573 out:
1574 	kfree(iwl_mei_cache.conn_info);
1575 	iwl_mei_cache.conn_info = NULL;
1576 	mutex_unlock(&iwl_mei_mutex);
1577 }
1578 EXPORT_SYMBOL_GPL(iwl_mei_host_disassociated);
1579 
1580 void iwl_mei_set_rfkill_state(bool hw_rfkill, bool sw_rfkill)
1581 {
1582 	struct iwl_mei *mei;
1583 	u32 rfkill_state = 0;
1584 	struct iwl_sap_msg_dw msg = {
1585 		.hdr.type = cpu_to_le16(SAP_MSG_NOTIF_RADIO_STATE),
1586 		.hdr.len = cpu_to_le16(sizeof(msg) - sizeof(msg.hdr)),
1587 	};
1588 
1589 	if (!sw_rfkill)
1590 		rfkill_state |= SAP_SW_RFKILL_DEASSERTED;
1591 
1592 	if (!hw_rfkill)
1593 		rfkill_state |= SAP_HW_RFKILL_DEASSERTED;
1594 
1595 	mutex_lock(&iwl_mei_mutex);
1596 
1597 	if (!iwl_mei_is_connected())
1598 		goto out;
1599 
1600 	msg.val = cpu_to_le32(rfkill_state);
1601 
1602 	mei = mei_cldev_get_drvdata(iwl_mei_global_cldev);
1603 
1604 	if (!mei || !mei->amt_enabled)
1605 		goto out;
1606 
1607 	iwl_mei_send_sap_msg_payload(mei->cldev, &msg.hdr);
1608 
1609 out:
1610 	iwl_mei_cache.rf_kill = rfkill_state;
1611 	mutex_unlock(&iwl_mei_mutex);
1612 }
1613 EXPORT_SYMBOL_GPL(iwl_mei_set_rfkill_state);
1614 
1615 void iwl_mei_set_nic_info(const u8 *mac_address, const u8 *nvm_address)
1616 {
1617 	struct iwl_mei *mei;
1618 	struct iwl_sap_notif_host_nic_info msg = {
1619 		.hdr.type = cpu_to_le16(SAP_MSG_NOTIF_NIC_INFO),
1620 		.hdr.len = cpu_to_le16(sizeof(msg) - sizeof(msg.hdr)),
1621 	};
1622 
1623 	mutex_lock(&iwl_mei_mutex);
1624 
1625 	if (!iwl_mei_is_connected())
1626 		goto out;
1627 
1628 	ether_addr_copy(msg.mac_address, mac_address);
1629 	ether_addr_copy(msg.nvm_address, nvm_address);
1630 
1631 	mei = mei_cldev_get_drvdata(iwl_mei_global_cldev);
1632 
1633 	if (!mei || !mei->amt_enabled)
1634 		goto out;
1635 
1636 	iwl_mei_send_sap_msg_payload(mei->cldev, &msg.hdr);
1637 
1638 out:
1639 	ether_addr_copy(iwl_mei_cache.mac_address, mac_address);
1640 	ether_addr_copy(iwl_mei_cache.nvm_address, nvm_address);
1641 	mutex_unlock(&iwl_mei_mutex);
1642 }
1643 EXPORT_SYMBOL_GPL(iwl_mei_set_nic_info);
1644 
1645 void iwl_mei_set_country_code(u16 mcc)
1646 {
1647 	struct iwl_mei *mei;
1648 	struct iwl_sap_notif_country_code msg = {
1649 		.hdr.type = cpu_to_le16(SAP_MSG_NOTIF_COUNTRY_CODE),
1650 		.hdr.len = cpu_to_le16(sizeof(msg) - sizeof(msg.hdr)),
1651 		.mcc = cpu_to_le16(mcc),
1652 	};
1653 
1654 	mutex_lock(&iwl_mei_mutex);
1655 
1656 	if (!iwl_mei_is_connected())
1657 		goto out;
1658 
1659 	mei = mei_cldev_get_drvdata(iwl_mei_global_cldev);
1660 
1661 	if (!mei || !mei->amt_enabled)
1662 		goto out;
1663 
1664 	iwl_mei_send_sap_msg_payload(mei->cldev, &msg.hdr);
1665 
1666 out:
1667 	iwl_mei_cache.mcc = mcc;
1668 	mutex_unlock(&iwl_mei_mutex);
1669 }
1670 EXPORT_SYMBOL_GPL(iwl_mei_set_country_code);
1671 
1672 void iwl_mei_set_power_limit(const __le16 *power_limit)
1673 {
1674 	struct iwl_mei *mei;
1675 	struct iwl_sap_notif_sar_limits msg = {
1676 		.hdr.type = cpu_to_le16(SAP_MSG_NOTIF_SAR_LIMITS),
1677 		.hdr.len = cpu_to_le16(sizeof(msg) - sizeof(msg.hdr)),
1678 	};
1679 
1680 	mutex_lock(&iwl_mei_mutex);
1681 
1682 	if (!iwl_mei_is_connected())
1683 		goto out;
1684 
1685 	mei = mei_cldev_get_drvdata(iwl_mei_global_cldev);
1686 
1687 	if (!mei || !mei->amt_enabled)
1688 		goto out;
1689 
1690 	memcpy(msg.sar_chain_info_table, power_limit, sizeof(msg.sar_chain_info_table));
1691 
1692 	iwl_mei_send_sap_msg_payload(mei->cldev, &msg.hdr);
1693 
1694 out:
1695 	kfree(iwl_mei_cache.power_limit);
1696 	iwl_mei_cache.power_limit = kmemdup(power_limit,
1697 					    sizeof(msg.sar_chain_info_table), GFP_KERNEL);
1698 	mutex_unlock(&iwl_mei_mutex);
1699 }
1700 EXPORT_SYMBOL_GPL(iwl_mei_set_power_limit);
1701 
1702 void iwl_mei_set_netdev(struct net_device *netdev)
1703 {
1704 	struct iwl_mei *mei;
1705 
1706 	mutex_lock(&iwl_mei_mutex);
1707 
1708 	if (!iwl_mei_is_connected()) {
1709 		rcu_assign_pointer(iwl_mei_cache.netdev, netdev);
1710 		goto out;
1711 	}
1712 
1713 	mei = mei_cldev_get_drvdata(iwl_mei_global_cldev);
1714 
1715 	if (!mei)
1716 		goto out;
1717 
1718 	if (!netdev) {
1719 		struct net_device *dev =
1720 			rcu_dereference_protected(iwl_mei_cache.netdev,
1721 						  lockdep_is_held(&iwl_mei_mutex));
1722 
1723 		if (!dev)
1724 			goto out;
1725 
1726 		netdev_rx_handler_unregister(dev);
1727 	}
1728 
1729 	rcu_assign_pointer(iwl_mei_cache.netdev, netdev);
1730 
1731 	if (netdev && mei->amt_enabled)
1732 		netdev_rx_handler_register(netdev, iwl_mei_rx_handler, mei);
1733 
1734 out:
1735 	mutex_unlock(&iwl_mei_mutex);
1736 }
1737 EXPORT_SYMBOL_GPL(iwl_mei_set_netdev);
1738 
1739 void iwl_mei_device_state(bool up)
1740 {
1741 	struct iwl_mei *mei;
1742 
1743 	mutex_lock(&iwl_mei_mutex);
1744 
1745 	if (!iwl_mei_is_connected())
1746 		goto out;
1747 
1748 	mei = mei_cldev_get_drvdata(iwl_mei_global_cldev);
1749 
1750 	if (!mei)
1751 		goto out;
1752 
1753 	mei->device_down = !up;
1754 
1755 	if (up || !mei->csme_taking_ownership)
1756 		goto out;
1757 
1758 	iwl_mei_send_sap_msg(mei->cldev,
1759 			     SAP_MSG_NOTIF_CSME_OWNERSHIP_CONFIRMED);
1760 	mei->csme_taking_ownership = false;
1761 	schedule_delayed_work(&mei->ownership_dwork,
1762 			      MEI_OWNERSHIP_RETAKE_TIMEOUT_MS);
1763 out:
1764 	mutex_unlock(&iwl_mei_mutex);
1765 }
1766 EXPORT_SYMBOL_GPL(iwl_mei_device_state);
1767 
1768 int iwl_mei_register(void *priv, const struct iwl_mei_ops *ops)
1769 {
1770 	int ret;
1771 
1772 	/*
1773 	 * We must have a non-NULL priv pointer to not crash when there are
1774 	 * multiple WiFi devices.
1775 	 */
1776 	if (!priv)
1777 		return -EINVAL;
1778 
1779 	mutex_lock(&iwl_mei_mutex);
1780 
1781 	/* do not allow registration if someone else already registered */
1782 	if (iwl_mei_cache.priv || iwl_mei_cache.ops) {
1783 		ret = -EBUSY;
1784 		goto out;
1785 	}
1786 
1787 	iwl_mei_cache.priv = priv;
1788 	iwl_mei_cache.ops = ops;
1789 
1790 	if (iwl_mei_global_cldev) {
1791 		struct iwl_mei *mei =
1792 			mei_cldev_get_drvdata(iwl_mei_global_cldev);
1793 
1794 		/* we have already a SAP connection */
1795 		if (iwl_mei_is_connected()) {
1796 			if (mei->amt_enabled)
1797 				iwl_mei_send_sap_msg(mei->cldev,
1798 						     SAP_MSG_NOTIF_WIFIDR_UP);
1799 			ops->rfkill(priv, mei->link_prot_state, false);
1800 		}
1801 	}
1802 	ret = 0;
1803 
1804 out:
1805 	mutex_unlock(&iwl_mei_mutex);
1806 	return ret;
1807 }
1808 EXPORT_SYMBOL_GPL(iwl_mei_register);
1809 
1810 void iwl_mei_start_unregister(void)
1811 {
1812 	mutex_lock(&iwl_mei_mutex);
1813 
1814 	/* At this point, the wifi driver should have removed the netdev */
1815 	if (rcu_access_pointer(iwl_mei_cache.netdev))
1816 		pr_err("Still had a netdev pointer set upon unregister\n");
1817 
1818 	kfree(iwl_mei_cache.conn_info);
1819 	iwl_mei_cache.conn_info = NULL;
1820 	kfree(iwl_mei_cache.power_limit);
1821 	iwl_mei_cache.power_limit = NULL;
1822 	iwl_mei_cache.ops = NULL;
1823 	/* leave iwl_mei_cache.priv non-NULL to prevent any new registration */
1824 
1825 	mutex_unlock(&iwl_mei_mutex);
1826 }
1827 EXPORT_SYMBOL_GPL(iwl_mei_start_unregister);
1828 
1829 void iwl_mei_unregister_complete(void)
1830 {
1831 	mutex_lock(&iwl_mei_mutex);
1832 
1833 	iwl_mei_cache.priv = NULL;
1834 
1835 	if (iwl_mei_global_cldev) {
1836 		struct iwl_mei *mei =
1837 			mei_cldev_get_drvdata(iwl_mei_global_cldev);
1838 
1839 		if (mei->amt_enabled)
1840 			iwl_mei_send_sap_msg(mei->cldev,
1841 					     SAP_MSG_NOTIF_WIFIDR_DOWN);
1842 		mei->got_ownership = false;
1843 	}
1844 
1845 	mutex_unlock(&iwl_mei_mutex);
1846 }
1847 EXPORT_SYMBOL_GPL(iwl_mei_unregister_complete);
1848 
1849 #if IS_ENABLED(CONFIG_DEBUG_FS)
1850 
1851 static ssize_t
1852 iwl_mei_dbgfs_send_start_message_write(struct file *file,
1853 				       const char __user *user_buf,
1854 				       size_t count, loff_t *ppos)
1855 {
1856 	int ret;
1857 
1858 	mutex_lock(&iwl_mei_mutex);
1859 
1860 	if (!iwl_mei_global_cldev) {
1861 		ret = -ENODEV;
1862 		goto out;
1863 	}
1864 
1865 	ret = iwl_mei_send_start(iwl_mei_global_cldev);
1866 
1867 out:
1868 	mutex_unlock(&iwl_mei_mutex);
1869 	return ret ?: count;
1870 }
1871 
1872 static const struct file_operations iwl_mei_dbgfs_send_start_message_ops = {
1873 	.write = iwl_mei_dbgfs_send_start_message_write,
1874 	.open = simple_open,
1875 	.llseek = default_llseek,
1876 };
1877 
1878 static ssize_t iwl_mei_dbgfs_req_ownership_write(struct file *file,
1879 						 const char __user *user_buf,
1880 						 size_t count, loff_t *ppos)
1881 {
1882 	iwl_mei_get_ownership();
1883 
1884 	return count;
1885 }
1886 
1887 static const struct file_operations iwl_mei_dbgfs_req_ownership_ops = {
1888 	.write = iwl_mei_dbgfs_req_ownership_write,
1889 	.open = simple_open,
1890 	.llseek = default_llseek,
1891 };
1892 
1893 static void iwl_mei_dbgfs_register(struct iwl_mei *mei)
1894 {
1895 	mei->dbgfs_dir = debugfs_create_dir(KBUILD_MODNAME, NULL);
1896 
1897 	if (!mei->dbgfs_dir)
1898 		return;
1899 
1900 	debugfs_create_ulong("status", S_IRUSR,
1901 			     mei->dbgfs_dir, &iwl_mei_status);
1902 	debugfs_create_file("send_start_message", S_IWUSR, mei->dbgfs_dir,
1903 			    mei, &iwl_mei_dbgfs_send_start_message_ops);
1904 	debugfs_create_file("req_ownership", S_IWUSR, mei->dbgfs_dir,
1905 			    mei, &iwl_mei_dbgfs_req_ownership_ops);
1906 }
1907 
1908 static void iwl_mei_dbgfs_unregister(struct iwl_mei *mei)
1909 {
1910 	debugfs_remove_recursive(mei->dbgfs_dir);
1911 	mei->dbgfs_dir = NULL;
1912 }
1913 
1914 #else
1915 
1916 static void iwl_mei_dbgfs_register(struct iwl_mei *mei) {}
1917 static void iwl_mei_dbgfs_unregister(struct iwl_mei *mei) {}
1918 
1919 #endif /* CONFIG_DEBUG_FS */
1920 
1921 static void iwl_mei_ownership_dwork(struct work_struct *wk)
1922 {
1923 	iwl_mei_get_ownership();
1924 }
1925 
1926 #define ALLOC_SHARED_MEM_RETRY_MAX_NUM	3
1927 
1928 /*
1929  * iwl_mei_probe - the probe function called by the mei bus enumeration
1930  *
1931  * This allocates the data needed by iwlmei and sets a pointer to this data
1932  * into the mei_cl_device's drvdata.
1933  * It starts the SAP protocol by sending the SAP_ME_MSG_START without
1934  * waiting for the answer. The answer will be caught later by the Rx callback.
1935  */
1936 static int iwl_mei_probe(struct mei_cl_device *cldev,
1937 			 const struct mei_cl_device_id *id)
1938 {
1939 	int alloc_retry = ALLOC_SHARED_MEM_RETRY_MAX_NUM;
1940 	struct iwl_mei *mei;
1941 	int ret;
1942 
1943 	mei = devm_kzalloc(&cldev->dev, sizeof(*mei), GFP_KERNEL);
1944 	if (!mei)
1945 		return -ENOMEM;
1946 
1947 	init_waitqueue_head(&mei->get_nvm_wq);
1948 	INIT_WORK(&mei->send_csa_msg_wk, iwl_mei_send_csa_msg_wk);
1949 	INIT_DELAYED_WORK(&mei->csa_throttle_end_wk,
1950 			  iwl_mei_csa_throttle_end_wk);
1951 	init_waitqueue_head(&mei->get_ownership_wq);
1952 	init_waitqueue_head(&mei->pldr_wq);
1953 	spin_lock_init(&mei->data_q_lock);
1954 	INIT_WORK(&mei->netdev_work, iwl_mei_netdev_work);
1955 	INIT_DELAYED_WORK(&mei->ownership_dwork, iwl_mei_ownership_dwork);
1956 
1957 	mei_cldev_set_drvdata(cldev, mei);
1958 	mei->cldev = cldev;
1959 	mei->device_down = true;
1960 
1961 	do {
1962 		ret = iwl_mei_alloc_shared_mem(cldev);
1963 		if (!ret)
1964 			break;
1965 		/*
1966 		 * The CSME firmware needs to boot the internal WLAN client.
1967 		 * This can take time in certain configurations (usually
1968 		 * upon resume and when the whole CSME firmware is shut down
1969 		 * during suspend).
1970 		 *
1971 		 * Wait a bit before retrying and hope we'll succeed next time.
1972 		 */
1973 
1974 		dev_dbg(&cldev->dev,
1975 			"Couldn't allocate the shared memory: %d, attempt %d / %d\n",
1976 			ret, alloc_retry, ALLOC_SHARED_MEM_RETRY_MAX_NUM);
1977 		msleep(100);
1978 		alloc_retry--;
1979 	} while (alloc_retry);
1980 
1981 	if (ret) {
1982 		dev_err(&cldev->dev, "Couldn't allocate the shared memory: %d\n",
1983 			ret);
1984 		goto free;
1985 	}
1986 
1987 	iwl_mei_init_shared_mem(mei);
1988 
1989 	ret = iwl_mei_enable(cldev);
1990 	if (ret)
1991 		goto free_shared_mem;
1992 
1993 	iwl_mei_dbgfs_register(mei);
1994 
1995 	/*
1996 	 * We now have a Rx function in place, start the SAP protocol
1997 	 * we expect to get the SAP_ME_MSG_START_OK response later on.
1998 	 */
1999 	mutex_lock(&iwl_mei_mutex);
2000 	ret = iwl_mei_send_start(cldev);
2001 	mutex_unlock(&iwl_mei_mutex);
2002 	if (ret)
2003 		goto debugfs_unregister;
2004 
2005 	/* must be last */
2006 	iwl_mei_global_cldev = cldev;
2007 
2008 	return 0;
2009 
2010 debugfs_unregister:
2011 	iwl_mei_dbgfs_unregister(mei);
2012 	mei_cldev_disable(cldev);
2013 free_shared_mem:
2014 	iwl_mei_free_shared_mem(cldev);
2015 free:
2016 	mei_cldev_set_drvdata(cldev, NULL);
2017 	devm_kfree(&cldev->dev, mei);
2018 
2019 	return ret;
2020 }
2021 
2022 #define SEND_SAP_MAX_WAIT_ITERATION 10
2023 #define IWLMEI_DEVICE_DOWN_WAIT_ITERATION 50
2024 
2025 static void iwl_mei_remove(struct mei_cl_device *cldev)
2026 {
2027 	struct iwl_mei *mei = mei_cldev_get_drvdata(cldev);
2028 	int i;
2029 
2030 	/*
2031 	 * We are being removed while the bus is active, it means we are
2032 	 * going to suspend/ shutdown, so the NIC will disappear.
2033 	 */
2034 	if (mei_cldev_enabled(cldev) && iwl_mei_cache.ops) {
2035 		unsigned int iter = IWLMEI_DEVICE_DOWN_WAIT_ITERATION;
2036 		bool down = false;
2037 
2038 		/*
2039 		 * In case of suspend, wait for the mac to stop and don't remove
2040 		 * the interface. This will allow the interface to come back
2041 		 * on resume.
2042 		 */
2043 		while (!down && iter--) {
2044 			mdelay(1);
2045 
2046 			mutex_lock(&iwl_mei_mutex);
2047 			down = mei->device_down;
2048 			mutex_unlock(&iwl_mei_mutex);
2049 		}
2050 
2051 		if (!down)
2052 			iwl_mei_cache.ops->nic_stolen(iwl_mei_cache.priv);
2053 	}
2054 
2055 	if (rcu_access_pointer(iwl_mei_cache.netdev)) {
2056 		struct net_device *dev;
2057 
2058 		/*
2059 		 * First take rtnl and only then the mutex to avoid an ABBA
2060 		 * with iwl_mei_set_netdev()
2061 		 */
2062 		rtnl_lock();
2063 		mutex_lock(&iwl_mei_mutex);
2064 
2065 		/*
2066 		 * If we are suspending and the wifi driver hasn't removed it's netdev
2067 		 * yet, do it now. In any case, don't change the cache.netdev pointer.
2068 		 */
2069 		dev = rcu_dereference_protected(iwl_mei_cache.netdev,
2070 						lockdep_is_held(&iwl_mei_mutex));
2071 
2072 		netdev_rx_handler_unregister(dev);
2073 		mutex_unlock(&iwl_mei_mutex);
2074 		rtnl_unlock();
2075 	}
2076 
2077 	mutex_lock(&iwl_mei_mutex);
2078 
2079 	/* Tell CSME that we are going down so that it won't access the
2080 	 * memory anymore, make sure this message goes through immediately.
2081 	 */
2082 	mei->csa_throttled = false;
2083 	iwl_mei_send_sap_msg(mei->cldev,
2084 			     SAP_MSG_NOTIF_HOST_GOES_DOWN);
2085 
2086 	for (i = 0; i < SEND_SAP_MAX_WAIT_ITERATION; i++) {
2087 		if (!iwl_mei_host_to_me_data_pending(mei))
2088 			break;
2089 
2090 		msleep(20);
2091 	}
2092 
2093 	/* If we couldn't make sure that CSME saw the HOST_GOES_DOWN
2094 	 * message, it means that it will probably keep reading memory
2095 	 * that we are going to unmap and free, expect IOMMU error
2096 	 * messages.
2097 	 */
2098 	if (i == SEND_SAP_MAX_WAIT_ITERATION)
2099 		dev_err(&mei->cldev->dev,
2100 			"Couldn't get ACK from CSME on HOST_GOES_DOWN message\n");
2101 
2102 	mutex_unlock(&iwl_mei_mutex);
2103 
2104 	/*
2105 	 * This looks strange, but this lock is taken here to make sure that
2106 	 * iwl_mei_add_data_to_ring called from the Tx path sees that we
2107 	 * clear the IWL_MEI_STATUS_SAP_CONNECTED bit.
2108 	 * Rx isn't a problem because the rx_handler can't be called after
2109 	 * having been unregistered.
2110 	 */
2111 	spin_lock_bh(&mei->data_q_lock);
2112 	clear_bit(IWL_MEI_STATUS_SAP_CONNECTED, &iwl_mei_status);
2113 	spin_unlock_bh(&mei->data_q_lock);
2114 
2115 	if (iwl_mei_cache.ops)
2116 		iwl_mei_cache.ops->rfkill(iwl_mei_cache.priv, false, false);
2117 
2118 	/*
2119 	 * mei_cldev_disable will return only after all the MEI Rx is done.
2120 	 * It must be called when iwl_mei_mutex is *not* held, since it waits
2121 	 * for our Rx handler to complete.
2122 	 * After it returns, no new Rx will start.
2123 	 */
2124 	mei_cldev_disable(cldev);
2125 
2126 	/*
2127 	 * Since the netdev was already removed and the netdev's removal
2128 	 * includes a call to synchronize_net() so that we know there won't be
2129 	 * any new Rx that will trigger the following workers.
2130 	 */
2131 	cancel_work_sync(&mei->send_csa_msg_wk);
2132 	cancel_delayed_work_sync(&mei->csa_throttle_end_wk);
2133 	cancel_work_sync(&mei->netdev_work);
2134 	cancel_delayed_work_sync(&mei->ownership_dwork);
2135 
2136 	/*
2137 	 * If someone waits for the ownership, let him know that we are going
2138 	 * down and that we are not connected anymore. He'll be able to take
2139 	 * the device.
2140 	 */
2141 	wake_up_all(&mei->get_ownership_wq);
2142 	wake_up_all(&mei->pldr_wq);
2143 
2144 	mutex_lock(&iwl_mei_mutex);
2145 
2146 	iwl_mei_global_cldev = NULL;
2147 
2148 	wake_up_all(&mei->get_nvm_wq);
2149 
2150 	iwl_mei_free_shared_mem(cldev);
2151 
2152 	iwl_mei_dbgfs_unregister(mei);
2153 
2154 	mei_cldev_set_drvdata(cldev, NULL);
2155 
2156 	kfree(mei->nvm);
2157 
2158 	kfree(rcu_access_pointer(mei->filters));
2159 
2160 	devm_kfree(&cldev->dev, mei);
2161 
2162 	mutex_unlock(&iwl_mei_mutex);
2163 }
2164 
2165 static const struct mei_cl_device_id iwl_mei_tbl[] = {
2166 	{
2167 		.name = KBUILD_MODNAME,
2168 		.uuid = MEI_WLAN_UUID,
2169 		.version = MEI_CL_VERSION_ANY,
2170 	},
2171 
2172 	/* required last entry */
2173 	{ }
2174 };
2175 
2176 /*
2177  * Do not export the device table because this module is loaded by
2178  * iwlwifi's dependency.
2179  */
2180 
2181 static struct mei_cl_driver iwl_mei_cl_driver = {
2182 	.id_table = iwl_mei_tbl,
2183 	.name = KBUILD_MODNAME,
2184 	.probe = iwl_mei_probe,
2185 	.remove = iwl_mei_remove,
2186 };
2187 
2188 module_mei_cl_driver(iwl_mei_cl_driver);
2189