1 // SPDX-License-Identifier: GPL-2.0-only 2 /* 3 * Copyright (C) 2021-2022 Intel Corporation 4 */ 5 6 #include <linux/etherdevice.h> 7 #include <linux/netdevice.h> 8 #include <linux/ieee80211.h> 9 #include <linux/rtnetlink.h> 10 #include <linux/module.h> 11 #include <linux/moduleparam.h> 12 #include <linux/mei_cl_bus.h> 13 #include <linux/rcupdate.h> 14 #include <linux/debugfs.h> 15 #include <linux/skbuff.h> 16 #include <linux/wait.h> 17 #include <linux/slab.h> 18 #include <linux/mm.h> 19 20 #include <net/cfg80211.h> 21 22 #include "internal.h" 23 #include "iwl-mei.h" 24 #include "trace.h" 25 #include "trace-data.h" 26 #include "sap.h" 27 28 MODULE_DESCRIPTION("The Intel(R) wireless / CSME firmware interface"); 29 MODULE_LICENSE("GPL"); 30 31 #define MEI_WLAN_UUID UUID_LE(0x13280904, 0x7792, 0x4fcb, \ 32 0xa1, 0xaa, 0x5e, 0x70, 0xcb, 0xb1, 0xe8, 0x65) 33 34 /* 35 * Since iwlwifi calls iwlmei without any context, hold a pointer to the 36 * mei_cl_device structure here. 37 * Define a mutex that will synchronize all the flows between iwlwifi and 38 * iwlmei. 39 * Note that iwlmei can't have several instances, so it ok to have static 40 * variables here. 41 */ 42 static struct mei_cl_device *iwl_mei_global_cldev; 43 static DEFINE_MUTEX(iwl_mei_mutex); 44 static unsigned long iwl_mei_status; 45 46 enum iwl_mei_status_bits { 47 IWL_MEI_STATUS_SAP_CONNECTED, 48 }; 49 50 bool iwl_mei_is_connected(void) 51 { 52 return test_bit(IWL_MEI_STATUS_SAP_CONNECTED, &iwl_mei_status); 53 } 54 EXPORT_SYMBOL_GPL(iwl_mei_is_connected); 55 56 #define SAP_VERSION 3 57 #define SAP_CONTROL_BLOCK_ID 0x21504153 /* SAP! in ASCII */ 58 59 struct iwl_sap_q_ctrl_blk { 60 __le32 wr_ptr; 61 __le32 rd_ptr; 62 __le32 size; 63 }; 64 65 enum iwl_sap_q_idx { 66 SAP_QUEUE_IDX_NOTIF = 0, 67 SAP_QUEUE_IDX_DATA, 68 SAP_QUEUE_IDX_MAX, 69 }; 70 71 struct iwl_sap_dir { 72 __le32 reserved; 73 struct iwl_sap_q_ctrl_blk q_ctrl_blk[SAP_QUEUE_IDX_MAX]; 74 }; 75 76 enum iwl_sap_dir_idx { 77 SAP_DIRECTION_HOST_TO_ME = 0, 78 SAP_DIRECTION_ME_TO_HOST, 79 SAP_DIRECTION_MAX, 80 }; 81 82 struct iwl_sap_shared_mem_ctrl_blk { 83 __le32 sap_id; 84 __le32 size; 85 struct iwl_sap_dir dir[SAP_DIRECTION_MAX]; 86 }; 87 88 /* 89 * The shared area has the following layout: 90 * 91 * +-----------------------------------+ 92 * |struct iwl_sap_shared_mem_ctrl_blk | 93 * +-----------------------------------+ 94 * |Host -> ME data queue | 95 * +-----------------------------------+ 96 * |Host -> ME notif queue | 97 * +-----------------------------------+ 98 * |ME -> Host data queue | 99 * +-----------------------------------+ 100 * |ME -> host notif queue | 101 * +-----------------------------------+ 102 * |SAP control block id (SAP!) | 103 * +-----------------------------------+ 104 */ 105 106 #define SAP_H2M_DATA_Q_SZ 48256 107 #define SAP_M2H_DATA_Q_SZ 24128 108 #define SAP_H2M_NOTIF_Q_SZ 2240 109 #define SAP_M2H_NOTIF_Q_SZ 62720 110 111 #define _IWL_MEI_SAP_SHARED_MEM_SZ \ 112 (sizeof(struct iwl_sap_shared_mem_ctrl_blk) + \ 113 SAP_H2M_DATA_Q_SZ + SAP_H2M_NOTIF_Q_SZ + \ 114 SAP_M2H_DATA_Q_SZ + SAP_M2H_NOTIF_Q_SZ + 4) 115 116 #define IWL_MEI_SAP_SHARED_MEM_SZ \ 117 (roundup(_IWL_MEI_SAP_SHARED_MEM_SZ, PAGE_SIZE)) 118 119 struct iwl_mei_shared_mem_ptrs { 120 struct iwl_sap_shared_mem_ctrl_blk *ctrl; 121 void *q_head[SAP_DIRECTION_MAX][SAP_QUEUE_IDX_MAX]; 122 size_t q_size[SAP_DIRECTION_MAX][SAP_QUEUE_IDX_MAX]; 123 }; 124 125 struct iwl_mei_filters { 126 struct rcu_head rcu_head; 127 struct iwl_sap_oob_filters filters; 128 }; 129 130 /** 131 * struct iwl_mei - holds the private date for iwl_mei 132 * 133 * @get_nvm_wq: the wait queue for the get_nvm flow 134 * @send_csa_msg_wk: used to defer the transmission of the CHECK_SHARED_AREA 135 * message. Used so that we can send CHECK_SHARED_AREA from atomic 136 * contexts. 137 * @get_ownership_wq: the wait queue for the get_ownership_flow 138 * @shared_mem: the memory that is shared between CSME and the host 139 * @cldev: the pointer to the MEI client device 140 * @nvm: the data returned by the CSME for the NVM 141 * @filters: the filters sent by CSME 142 * @got_ownership: true if we own the device 143 * @amt_enabled: true if CSME has wireless enabled 144 * @csa_throttled: when true, we can't send CHECK_SHARED_AREA over the MEI 145 * bus, but rather need to wait until send_csa_msg_wk runs 146 * @csme_taking_ownership: true when CSME is taking ownership. Used to remember 147 * to send CSME_OWNERSHIP_CONFIRMED when the driver completes its down 148 * flow. 149 * @link_prot_state: true when we are in link protection PASSIVE 150 * @csa_throttle_end_wk: used when &csa_throttled is true 151 * @data_q_lock: protects the access to the data queues which are 152 * accessed without the mutex. 153 * @sap_seq_no: the sequence number for the SAP messages 154 * @seq_no: the sequence number for the SAP messages 155 * @dbgfs_dir: the debugfs dir entry 156 */ 157 struct iwl_mei { 158 wait_queue_head_t get_nvm_wq; 159 struct work_struct send_csa_msg_wk; 160 wait_queue_head_t get_ownership_wq; 161 struct iwl_mei_shared_mem_ptrs shared_mem; 162 struct mei_cl_device *cldev; 163 struct iwl_mei_nvm *nvm; 164 struct iwl_mei_filters __rcu *filters; 165 bool got_ownership; 166 bool amt_enabled; 167 bool csa_throttled; 168 bool csme_taking_ownership; 169 bool link_prot_state; 170 struct delayed_work csa_throttle_end_wk; 171 spinlock_t data_q_lock; 172 173 atomic_t sap_seq_no; 174 atomic_t seq_no; 175 176 struct dentry *dbgfs_dir; 177 }; 178 179 /** 180 * struct iwl_mei_cache - cache for the parameters from iwlwifi 181 * @ops: Callbacks to iwlwifi. 182 * @netdev: The netdev that will be used to transmit / receive packets. 183 * @conn_info: The connection info message triggered by iwlwifi's association. 184 * @power_limit: pointer to an array of 10 elements (le16) represents the power 185 * restrictions per chain. 186 * @rf_kill: rf kill state. 187 * @mcc: MCC info 188 * @mac_address: interface MAC address. 189 * @nvm_address: NVM MAC address. 190 * @priv: A pointer to iwlwifi. 191 * 192 * This used to cache the configurations coming from iwlwifi's way. The data 193 * is cached here so that we can buffer the configuration even if we don't have 194 * a bind from the mei bus and hence, on iwl_mei structure. 195 */ 196 struct iwl_mei_cache { 197 const struct iwl_mei_ops *ops; 198 struct net_device __rcu *netdev; 199 const struct iwl_sap_notif_connection_info *conn_info; 200 const __le16 *power_limit; 201 u32 rf_kill; 202 u16 mcc; 203 u8 mac_address[6]; 204 u8 nvm_address[6]; 205 void *priv; 206 }; 207 208 static struct iwl_mei_cache iwl_mei_cache = { 209 .rf_kill = SAP_HW_RFKILL_DEASSERTED | SAP_SW_RFKILL_DEASSERTED 210 }; 211 212 static void iwl_mei_free_shared_mem(struct mei_cl_device *cldev) 213 { 214 struct iwl_mei *mei = mei_cldev_get_drvdata(cldev); 215 216 if (mei_cldev_dma_unmap(cldev)) 217 dev_err(&cldev->dev, "Couldn't unmap the shared mem properly\n"); 218 memset(&mei->shared_mem, 0, sizeof(mei->shared_mem)); 219 } 220 221 #define HBM_DMA_BUF_ID_WLAN 1 222 223 static int iwl_mei_alloc_shared_mem(struct mei_cl_device *cldev) 224 { 225 struct iwl_mei *mei = mei_cldev_get_drvdata(cldev); 226 struct iwl_mei_shared_mem_ptrs *mem = &mei->shared_mem; 227 228 mem->ctrl = mei_cldev_dma_map(cldev, HBM_DMA_BUF_ID_WLAN, 229 IWL_MEI_SAP_SHARED_MEM_SZ); 230 231 if (IS_ERR(mem->ctrl)) { 232 int ret = PTR_ERR(mem->ctrl); 233 234 mem->ctrl = NULL; 235 236 return ret; 237 } 238 239 memset(mem->ctrl, 0, IWL_MEI_SAP_SHARED_MEM_SZ); 240 241 return 0; 242 } 243 244 static void iwl_mei_init_shared_mem(struct iwl_mei *mei) 245 { 246 struct iwl_mei_shared_mem_ptrs *mem = &mei->shared_mem; 247 struct iwl_sap_dir *h2m; 248 struct iwl_sap_dir *m2h; 249 int dir, queue; 250 u8 *q_head; 251 252 mem->ctrl->sap_id = cpu_to_le32(SAP_CONTROL_BLOCK_ID); 253 254 mem->ctrl->size = cpu_to_le32(sizeof(*mem->ctrl)); 255 256 h2m = &mem->ctrl->dir[SAP_DIRECTION_HOST_TO_ME]; 257 m2h = &mem->ctrl->dir[SAP_DIRECTION_ME_TO_HOST]; 258 259 h2m->q_ctrl_blk[SAP_QUEUE_IDX_DATA].size = 260 cpu_to_le32(SAP_H2M_DATA_Q_SZ); 261 h2m->q_ctrl_blk[SAP_QUEUE_IDX_NOTIF].size = 262 cpu_to_le32(SAP_H2M_NOTIF_Q_SZ); 263 m2h->q_ctrl_blk[SAP_QUEUE_IDX_DATA].size = 264 cpu_to_le32(SAP_M2H_DATA_Q_SZ); 265 m2h->q_ctrl_blk[SAP_QUEUE_IDX_NOTIF].size = 266 cpu_to_le32(SAP_M2H_NOTIF_Q_SZ); 267 268 /* q_head points to the start of the first queue */ 269 q_head = (void *)(mem->ctrl + 1); 270 271 /* Initialize the queue heads */ 272 for (dir = 0; dir < SAP_DIRECTION_MAX; dir++) { 273 for (queue = 0; queue < SAP_QUEUE_IDX_MAX; queue++) { 274 mem->q_head[dir][queue] = q_head; 275 q_head += 276 le32_to_cpu(mem->ctrl->dir[dir].q_ctrl_blk[queue].size); 277 mem->q_size[dir][queue] = 278 le32_to_cpu(mem->ctrl->dir[dir].q_ctrl_blk[queue].size); 279 } 280 } 281 282 *(__le32 *)q_head = cpu_to_le32(SAP_CONTROL_BLOCK_ID); 283 } 284 285 static ssize_t iwl_mei_write_cyclic_buf(struct mei_cl_device *cldev, 286 struct iwl_sap_q_ctrl_blk *notif_q, 287 u8 *q_head, 288 const struct iwl_sap_hdr *hdr, 289 u32 q_sz) 290 { 291 u32 rd = le32_to_cpu(READ_ONCE(notif_q->rd_ptr)); 292 u32 wr = le32_to_cpu(READ_ONCE(notif_q->wr_ptr)); 293 size_t room_in_buf; 294 size_t tx_sz = sizeof(*hdr) + le16_to_cpu(hdr->len); 295 296 if (rd > q_sz || wr > q_sz) { 297 dev_err(&cldev->dev, 298 "Pointers are past the end of the buffer\n"); 299 return -EINVAL; 300 } 301 302 room_in_buf = wr >= rd ? q_sz - wr + rd : rd - wr; 303 304 /* we don't have enough room for the data to write */ 305 if (room_in_buf < tx_sz) { 306 dev_err(&cldev->dev, 307 "Not enough room in the buffer\n"); 308 return -ENOSPC; 309 } 310 311 if (wr + tx_sz <= q_sz) { 312 memcpy(q_head + wr, hdr, tx_sz); 313 } else { 314 memcpy(q_head + wr, hdr, q_sz - wr); 315 memcpy(q_head, (const u8 *)hdr + q_sz - wr, tx_sz - (q_sz - wr)); 316 } 317 318 WRITE_ONCE(notif_q->wr_ptr, cpu_to_le32((wr + tx_sz) % q_sz)); 319 return 0; 320 } 321 322 static bool iwl_mei_host_to_me_data_pending(const struct iwl_mei *mei) 323 { 324 struct iwl_sap_q_ctrl_blk *notif_q; 325 struct iwl_sap_dir *dir; 326 327 dir = &mei->shared_mem.ctrl->dir[SAP_DIRECTION_HOST_TO_ME]; 328 notif_q = &dir->q_ctrl_blk[SAP_QUEUE_IDX_DATA]; 329 330 if (READ_ONCE(notif_q->wr_ptr) != READ_ONCE(notif_q->rd_ptr)) 331 return true; 332 333 notif_q = &dir->q_ctrl_blk[SAP_QUEUE_IDX_NOTIF]; 334 return READ_ONCE(notif_q->wr_ptr) != READ_ONCE(notif_q->rd_ptr); 335 } 336 337 static int iwl_mei_send_check_shared_area(struct mei_cl_device *cldev) 338 { 339 struct iwl_mei *mei = mei_cldev_get_drvdata(cldev); 340 struct iwl_sap_me_msg_start msg = { 341 .hdr.type = cpu_to_le32(SAP_ME_MSG_CHECK_SHARED_AREA), 342 .hdr.seq_num = cpu_to_le32(atomic_inc_return(&mei->seq_no)), 343 }; 344 int ret; 345 346 lockdep_assert_held(&iwl_mei_mutex); 347 348 if (mei->csa_throttled) 349 return 0; 350 351 trace_iwlmei_me_msg(&msg.hdr, true); 352 ret = mei_cldev_send(cldev, (void *)&msg, sizeof(msg)); 353 if (ret != sizeof(msg)) { 354 dev_err(&cldev->dev, 355 "failed to send the SAP_ME_MSG_CHECK_SHARED_AREA message %d\n", 356 ret); 357 return ret; 358 } 359 360 mei->csa_throttled = true; 361 362 schedule_delayed_work(&mei->csa_throttle_end_wk, 363 msecs_to_jiffies(100)); 364 365 return 0; 366 } 367 368 static void iwl_mei_csa_throttle_end_wk(struct work_struct *wk) 369 { 370 struct iwl_mei *mei = 371 container_of(wk, struct iwl_mei, csa_throttle_end_wk.work); 372 373 mutex_lock(&iwl_mei_mutex); 374 375 mei->csa_throttled = false; 376 377 if (iwl_mei_host_to_me_data_pending(mei)) 378 iwl_mei_send_check_shared_area(mei->cldev); 379 380 mutex_unlock(&iwl_mei_mutex); 381 } 382 383 static int iwl_mei_send_sap_msg_payload(struct mei_cl_device *cldev, 384 struct iwl_sap_hdr *hdr) 385 { 386 struct iwl_mei *mei = mei_cldev_get_drvdata(cldev); 387 struct iwl_sap_q_ctrl_blk *notif_q; 388 struct iwl_sap_dir *dir; 389 void *q_head; 390 u32 q_sz; 391 int ret; 392 393 lockdep_assert_held(&iwl_mei_mutex); 394 395 if (!mei->shared_mem.ctrl) { 396 dev_err(&cldev->dev, 397 "No shared memory, can't send any SAP message\n"); 398 return -EINVAL; 399 } 400 401 if (!iwl_mei_is_connected()) { 402 dev_err(&cldev->dev, 403 "Can't send a SAP message if we're not connected\n"); 404 return -ENODEV; 405 } 406 407 hdr->seq_num = cpu_to_le32(atomic_inc_return(&mei->sap_seq_no)); 408 dev_dbg(&cldev->dev, "Sending %d\n", hdr->type); 409 410 dir = &mei->shared_mem.ctrl->dir[SAP_DIRECTION_HOST_TO_ME]; 411 notif_q = &dir->q_ctrl_blk[SAP_QUEUE_IDX_NOTIF]; 412 q_head = mei->shared_mem.q_head[SAP_DIRECTION_HOST_TO_ME][SAP_QUEUE_IDX_NOTIF]; 413 q_sz = mei->shared_mem.q_size[SAP_DIRECTION_HOST_TO_ME][SAP_QUEUE_IDX_NOTIF]; 414 ret = iwl_mei_write_cyclic_buf(q_head, notif_q, q_head, hdr, q_sz); 415 416 if (ret < 0) 417 return ret; 418 419 trace_iwlmei_sap_cmd(hdr, true); 420 421 return iwl_mei_send_check_shared_area(cldev); 422 } 423 424 void iwl_mei_add_data_to_ring(struct sk_buff *skb, bool cb_tx) 425 { 426 struct iwl_sap_q_ctrl_blk *notif_q; 427 struct iwl_sap_dir *dir; 428 struct iwl_mei *mei; 429 size_t room_in_buf; 430 size_t tx_sz; 431 size_t hdr_sz; 432 u32 q_sz; 433 u32 rd; 434 u32 wr; 435 u8 *q_head; 436 437 if (!iwl_mei_global_cldev) 438 return; 439 440 mei = mei_cldev_get_drvdata(iwl_mei_global_cldev); 441 442 /* 443 * We access this path for Rx packets (the more common case) 444 * and from Tx path when we send DHCP packets, the latter is 445 * very unlikely. 446 * Take the lock already here to make sure we see that remove() 447 * might have cleared the IWL_MEI_STATUS_SAP_CONNECTED bit. 448 */ 449 spin_lock_bh(&mei->data_q_lock); 450 451 if (!iwl_mei_is_connected()) { 452 spin_unlock_bh(&mei->data_q_lock); 453 return; 454 } 455 456 /* 457 * We are in a RCU critical section and the remove from the CSME bus 458 * which would free this memory waits for the readers to complete (this 459 * is done in netdev_rx_handler_unregister). 460 */ 461 dir = &mei->shared_mem.ctrl->dir[SAP_DIRECTION_HOST_TO_ME]; 462 notif_q = &dir->q_ctrl_blk[SAP_QUEUE_IDX_DATA]; 463 q_head = mei->shared_mem.q_head[SAP_DIRECTION_HOST_TO_ME][SAP_QUEUE_IDX_DATA]; 464 q_sz = mei->shared_mem.q_size[SAP_DIRECTION_HOST_TO_ME][SAP_QUEUE_IDX_DATA]; 465 466 rd = le32_to_cpu(READ_ONCE(notif_q->rd_ptr)); 467 wr = le32_to_cpu(READ_ONCE(notif_q->wr_ptr)); 468 hdr_sz = cb_tx ? sizeof(struct iwl_sap_cb_data) : 469 sizeof(struct iwl_sap_hdr); 470 tx_sz = skb->len + hdr_sz; 471 472 if (rd > q_sz || wr > q_sz) { 473 dev_err(&mei->cldev->dev, 474 "can't write the data: pointers are past the end of the buffer\n"); 475 goto out; 476 } 477 478 room_in_buf = wr >= rd ? q_sz - wr + rd : rd - wr; 479 480 /* we don't have enough room for the data to write */ 481 if (room_in_buf < tx_sz) { 482 dev_err(&mei->cldev->dev, 483 "Not enough room in the buffer for this data\n"); 484 goto out; 485 } 486 487 if (skb_headroom(skb) < hdr_sz) { 488 dev_err(&mei->cldev->dev, 489 "Not enough headroom in the skb to write the SAP header\n"); 490 goto out; 491 } 492 493 if (cb_tx) { 494 struct iwl_sap_cb_data *cb_hdr = skb_push(skb, sizeof(*cb_hdr)); 495 496 memset(cb_hdr, 0, sizeof(*cb_hdr)); 497 cb_hdr->hdr.type = cpu_to_le16(SAP_MSG_CB_DATA_PACKET); 498 cb_hdr->hdr.len = cpu_to_le16(skb->len - sizeof(cb_hdr->hdr)); 499 cb_hdr->hdr.seq_num = cpu_to_le32(atomic_inc_return(&mei->sap_seq_no)); 500 cb_hdr->to_me_filt_status = cpu_to_le32(BIT(CB_TX_DHCP_FILT_IDX)); 501 cb_hdr->data_len = cpu_to_le32(skb->len - sizeof(*cb_hdr)); 502 trace_iwlmei_sap_data(skb, IWL_SAP_TX_DHCP); 503 } else { 504 struct iwl_sap_hdr *hdr = skb_push(skb, sizeof(*hdr)); 505 506 hdr->type = cpu_to_le16(SAP_MSG_DATA_PACKET); 507 hdr->len = cpu_to_le16(skb->len - sizeof(*hdr)); 508 hdr->seq_num = cpu_to_le32(atomic_inc_return(&mei->sap_seq_no)); 509 trace_iwlmei_sap_data(skb, IWL_SAP_TX_DATA_FROM_AIR); 510 } 511 512 if (wr + tx_sz <= q_sz) { 513 skb_copy_bits(skb, 0, q_head + wr, tx_sz); 514 } else { 515 skb_copy_bits(skb, 0, q_head + wr, q_sz - wr); 516 skb_copy_bits(skb, q_sz - wr, q_head, tx_sz - (q_sz - wr)); 517 } 518 519 WRITE_ONCE(notif_q->wr_ptr, cpu_to_le32((wr + tx_sz) % q_sz)); 520 521 out: 522 spin_unlock_bh(&mei->data_q_lock); 523 } 524 525 static int 526 iwl_mei_send_sap_msg(struct mei_cl_device *cldev, u16 type) 527 { 528 struct iwl_sap_hdr msg = { 529 .type = cpu_to_le16(type), 530 }; 531 532 return iwl_mei_send_sap_msg_payload(cldev, &msg); 533 } 534 535 static void iwl_mei_send_csa_msg_wk(struct work_struct *wk) 536 { 537 struct iwl_mei *mei = 538 container_of(wk, struct iwl_mei, send_csa_msg_wk); 539 540 if (!iwl_mei_is_connected()) 541 return; 542 543 mutex_lock(&iwl_mei_mutex); 544 545 iwl_mei_send_check_shared_area(mei->cldev); 546 547 mutex_unlock(&iwl_mei_mutex); 548 } 549 550 /* Called in a RCU read critical section from netif_receive_skb */ 551 static rx_handler_result_t iwl_mei_rx_handler(struct sk_buff **pskb) 552 { 553 struct sk_buff *skb = *pskb; 554 struct iwl_mei *mei = 555 rcu_dereference(skb->dev->rx_handler_data); 556 struct iwl_mei_filters *filters = rcu_dereference(mei->filters); 557 bool rx_for_csme = false; 558 rx_handler_result_t res; 559 560 /* 561 * remove() unregisters this handler and synchronize_net, so this 562 * should never happen. 563 */ 564 if (!iwl_mei_is_connected()) { 565 dev_err(&mei->cldev->dev, 566 "Got an Rx packet, but we're not connected to SAP?\n"); 567 return RX_HANDLER_PASS; 568 } 569 570 if (filters) 571 res = iwl_mei_rx_filter(skb, &filters->filters, &rx_for_csme); 572 else 573 res = RX_HANDLER_PASS; 574 575 /* 576 * The data is already on the ring of the shared area, all we 577 * need to do is to tell the CSME firmware to check what we have 578 * there. 579 */ 580 if (rx_for_csme) 581 schedule_work(&mei->send_csa_msg_wk); 582 583 if (res != RX_HANDLER_PASS) { 584 trace_iwlmei_sap_data(skb, IWL_SAP_RX_DATA_DROPPED_FROM_AIR); 585 dev_kfree_skb(skb); 586 } 587 588 return res; 589 } 590 591 static void 592 iwl_mei_handle_rx_start_ok(struct mei_cl_device *cldev, 593 const struct iwl_sap_me_msg_start_ok *rsp, 594 ssize_t len) 595 { 596 struct iwl_mei *mei = mei_cldev_get_drvdata(cldev); 597 598 if (len != sizeof(*rsp)) { 599 dev_err(&cldev->dev, 600 "got invalid SAP_ME_MSG_START_OK from CSME firmware\n"); 601 dev_err(&cldev->dev, 602 "size is incorrect: %zd instead of %zu\n", 603 len, sizeof(*rsp)); 604 return; 605 } 606 607 if (rsp->supported_version != SAP_VERSION) { 608 dev_err(&cldev->dev, 609 "didn't get the expected version: got %d\n", 610 rsp->supported_version); 611 return; 612 } 613 614 mutex_lock(&iwl_mei_mutex); 615 set_bit(IWL_MEI_STATUS_SAP_CONNECTED, &iwl_mei_status); 616 /* wifi driver has registered already */ 617 if (iwl_mei_cache.ops) { 618 iwl_mei_send_sap_msg(mei->cldev, 619 SAP_MSG_NOTIF_WIFIDR_UP); 620 iwl_mei_cache.ops->sap_connected(iwl_mei_cache.priv); 621 } 622 623 mutex_unlock(&iwl_mei_mutex); 624 } 625 626 static void iwl_mei_handle_csme_filters(struct mei_cl_device *cldev, 627 const struct iwl_sap_csme_filters *filters) 628 { 629 struct iwl_mei *mei = mei_cldev_get_drvdata(iwl_mei_global_cldev); 630 struct iwl_mei_filters *new_filters; 631 struct iwl_mei_filters *old_filters; 632 633 old_filters = 634 rcu_dereference_protected(mei->filters, 635 lockdep_is_held(&iwl_mei_mutex)); 636 637 new_filters = kzalloc(sizeof(*new_filters), GFP_KERNEL); 638 if (!new_filters) 639 return; 640 641 /* Copy the OOB filters */ 642 new_filters->filters = filters->filters; 643 644 rcu_assign_pointer(mei->filters, new_filters); 645 646 if (old_filters) 647 kfree_rcu(old_filters, rcu_head); 648 } 649 650 static void 651 iwl_mei_handle_conn_status(struct mei_cl_device *cldev, 652 const struct iwl_sap_notif_conn_status *status) 653 { 654 struct iwl_mei *mei = mei_cldev_get_drvdata(cldev); 655 struct iwl_mei_conn_info conn_info = { 656 .lp_state = le32_to_cpu(status->link_prot_state), 657 .ssid_len = le32_to_cpu(status->conn_info.ssid_len), 658 .channel = status->conn_info.channel, 659 .band = status->conn_info.band, 660 .auth_mode = le32_to_cpu(status->conn_info.auth_mode), 661 .pairwise_cipher = le32_to_cpu(status->conn_info.pairwise_cipher), 662 }; 663 664 if (!iwl_mei_cache.ops || 665 conn_info.ssid_len > ARRAY_SIZE(conn_info.ssid)) 666 return; 667 668 memcpy(conn_info.ssid, status->conn_info.ssid, conn_info.ssid_len); 669 ether_addr_copy(conn_info.bssid, status->conn_info.bssid); 670 671 iwl_mei_cache.ops->me_conn_status(iwl_mei_cache.priv, &conn_info); 672 673 mei->link_prot_state = status->link_prot_state; 674 675 /* 676 * Update the Rfkill state in case the host does not own the device: 677 * if we are in Link Protection, ask to not touch the device, else, 678 * unblock rfkill. 679 * If the host owns the device, inform the user space whether it can 680 * roam. 681 */ 682 if (mei->got_ownership) 683 iwl_mei_cache.ops->roaming_forbidden(iwl_mei_cache.priv, 684 status->link_prot_state); 685 else 686 iwl_mei_cache.ops->rfkill(iwl_mei_cache.priv, 687 status->link_prot_state); 688 } 689 690 static void iwl_mei_set_init_conf(struct iwl_mei *mei) 691 { 692 struct iwl_sap_notif_host_link_up link_msg = { 693 .hdr.type = cpu_to_le16(SAP_MSG_NOTIF_HOST_LINK_UP), 694 .hdr.len = cpu_to_le16(sizeof(link_msg) - sizeof(link_msg.hdr)), 695 }; 696 struct iwl_sap_notif_country_code mcc_msg = { 697 .hdr.type = cpu_to_le16(SAP_MSG_NOTIF_COUNTRY_CODE), 698 .hdr.len = cpu_to_le16(sizeof(mcc_msg) - sizeof(mcc_msg.hdr)), 699 .mcc = cpu_to_le16(iwl_mei_cache.mcc), 700 }; 701 struct iwl_sap_notif_sar_limits sar_msg = { 702 .hdr.type = cpu_to_le16(SAP_MSG_NOTIF_SAR_LIMITS), 703 .hdr.len = cpu_to_le16(sizeof(sar_msg) - sizeof(sar_msg.hdr)), 704 }; 705 struct iwl_sap_notif_host_nic_info nic_info_msg = { 706 .hdr.type = cpu_to_le16(SAP_MSG_NOTIF_NIC_INFO), 707 .hdr.len = cpu_to_le16(sizeof(nic_info_msg) - sizeof(nic_info_msg.hdr)), 708 }; 709 struct iwl_sap_msg_dw rfkill_msg = { 710 .hdr.type = cpu_to_le16(SAP_MSG_NOTIF_RADIO_STATE), 711 .hdr.len = cpu_to_le16(sizeof(rfkill_msg) - sizeof(rfkill_msg.hdr)), 712 .val = cpu_to_le32(iwl_mei_cache.rf_kill), 713 }; 714 715 iwl_mei_send_sap_msg(mei->cldev, SAP_MSG_NOTIF_WHO_OWNS_NIC); 716 717 if (iwl_mei_cache.conn_info) { 718 link_msg.conn_info = *iwl_mei_cache.conn_info; 719 iwl_mei_send_sap_msg_payload(mei->cldev, &link_msg.hdr); 720 } 721 722 iwl_mei_send_sap_msg_payload(mei->cldev, &mcc_msg.hdr); 723 724 if (iwl_mei_cache.power_limit) { 725 memcpy(sar_msg.sar_chain_info_table, iwl_mei_cache.power_limit, 726 sizeof(sar_msg.sar_chain_info_table)); 727 iwl_mei_send_sap_msg_payload(mei->cldev, &sar_msg.hdr); 728 } 729 730 ether_addr_copy(nic_info_msg.mac_address, iwl_mei_cache.mac_address); 731 ether_addr_copy(nic_info_msg.nvm_address, iwl_mei_cache.nvm_address); 732 iwl_mei_send_sap_msg_payload(mei->cldev, &nic_info_msg.hdr); 733 734 iwl_mei_send_sap_msg_payload(mei->cldev, &rfkill_msg.hdr); 735 } 736 737 static void iwl_mei_handle_amt_state(struct mei_cl_device *cldev, 738 const struct iwl_sap_msg_dw *dw) 739 { 740 struct iwl_mei *mei = mei_cldev_get_drvdata(cldev); 741 struct net_device *netdev; 742 743 /* 744 * First take rtnl and only then the mutex to avoid an ABBA 745 * with iwl_mei_set_netdev() 746 */ 747 rtnl_lock(); 748 mutex_lock(&iwl_mei_mutex); 749 750 netdev = rcu_dereference_protected(iwl_mei_cache.netdev, 751 lockdep_is_held(&iwl_mei_mutex)); 752 753 if (mei->amt_enabled == !!le32_to_cpu(dw->val)) 754 goto out; 755 756 mei->amt_enabled = dw->val; 757 758 if (mei->amt_enabled) { 759 if (netdev) 760 netdev_rx_handler_register(netdev, iwl_mei_rx_handler, mei); 761 762 iwl_mei_set_init_conf(mei); 763 } else { 764 if (iwl_mei_cache.ops) 765 iwl_mei_cache.ops->rfkill(iwl_mei_cache.priv, false); 766 if (netdev) 767 netdev_rx_handler_unregister(netdev); 768 } 769 770 out: 771 mutex_unlock(&iwl_mei_mutex); 772 rtnl_unlock(); 773 } 774 775 static void iwl_mei_handle_nic_owner(struct mei_cl_device *cldev, 776 const struct iwl_sap_msg_dw *dw) 777 { 778 struct iwl_mei *mei = mei_cldev_get_drvdata(cldev); 779 780 mei->got_ownership = dw->val != cpu_to_le32(SAP_NIC_OWNER_ME); 781 } 782 783 static void iwl_mei_handle_can_release_ownership(struct mei_cl_device *cldev, 784 const void *payload) 785 { 786 /* We can get ownership and driver is registered, go ahead */ 787 if (iwl_mei_cache.ops) 788 iwl_mei_send_sap_msg(cldev, 789 SAP_MSG_NOTIF_HOST_ASKS_FOR_NIC_OWNERSHIP); 790 } 791 792 static void iwl_mei_handle_csme_taking_ownership(struct mei_cl_device *cldev, 793 const void *payload) 794 { 795 struct iwl_mei *mei = mei_cldev_get_drvdata(cldev); 796 797 dev_info(&cldev->dev, "CSME takes ownership\n"); 798 799 mei->got_ownership = false; 800 801 /* 802 * Remember to send CSME_OWNERSHIP_CONFIRMED when the wifi driver 803 * is finished taking the device down. 804 */ 805 mei->csme_taking_ownership = true; 806 807 if (iwl_mei_cache.ops) 808 iwl_mei_cache.ops->rfkill(iwl_mei_cache.priv, true); 809 } 810 811 static void iwl_mei_handle_nvm(struct mei_cl_device *cldev, 812 const struct iwl_sap_nvm *sap_nvm) 813 { 814 struct iwl_mei *mei = mei_cldev_get_drvdata(cldev); 815 const struct iwl_mei_nvm *mei_nvm = (const void *)sap_nvm; 816 int i; 817 818 kfree(mei->nvm); 819 mei->nvm = kzalloc(sizeof(*mei_nvm), GFP_KERNEL); 820 if (!mei->nvm) 821 return; 822 823 ether_addr_copy(mei->nvm->hw_addr, sap_nvm->hw_addr); 824 mei->nvm->n_hw_addrs = sap_nvm->n_hw_addrs; 825 mei->nvm->radio_cfg = le32_to_cpu(sap_nvm->radio_cfg); 826 mei->nvm->caps = le32_to_cpu(sap_nvm->caps); 827 mei->nvm->nvm_version = le32_to_cpu(sap_nvm->nvm_version); 828 829 for (i = 0; i < ARRAY_SIZE(mei->nvm->channels); i++) 830 mei->nvm->channels[i] = le32_to_cpu(sap_nvm->channels[i]); 831 832 wake_up_all(&mei->get_nvm_wq); 833 } 834 835 static void iwl_mei_handle_rx_host_own_req(struct mei_cl_device *cldev, 836 const struct iwl_sap_msg_dw *dw) 837 { 838 struct iwl_mei *mei = mei_cldev_get_drvdata(cldev); 839 840 /* 841 * This means that we can't use the wifi device right now, CSME is not 842 * ready to let us use it. 843 */ 844 if (!dw->val) { 845 dev_info(&cldev->dev, "Ownership req denied\n"); 846 return; 847 } 848 849 mei->got_ownership = true; 850 wake_up_all(&mei->get_ownership_wq); 851 852 iwl_mei_send_sap_msg(cldev, 853 SAP_MSG_NOTIF_HOST_OWNERSHIP_CONFIRMED); 854 855 /* We can now start the connection, unblock rfkill */ 856 if (iwl_mei_cache.ops) 857 iwl_mei_cache.ops->rfkill(iwl_mei_cache.priv, false); 858 } 859 860 static void iwl_mei_handle_ping(struct mei_cl_device *cldev, 861 const struct iwl_sap_hdr *hdr) 862 { 863 iwl_mei_send_sap_msg(cldev, SAP_MSG_NOTIF_PONG); 864 } 865 866 static void iwl_mei_handle_sap_msg(struct mei_cl_device *cldev, 867 const struct iwl_sap_hdr *hdr) 868 { 869 u16 len = le16_to_cpu(hdr->len) + sizeof(*hdr); 870 u16 type = le16_to_cpu(hdr->type); 871 872 dev_dbg(&cldev->dev, 873 "Got a new SAP message: type %d, len %d, seq %d\n", 874 le16_to_cpu(hdr->type), len, 875 le32_to_cpu(hdr->seq_num)); 876 877 #define SAP_MSG_HANDLER(_cmd, _handler, _sz) \ 878 case SAP_MSG_NOTIF_ ## _cmd: \ 879 if (len < _sz) { \ 880 dev_err(&cldev->dev, \ 881 "Bad size for %d: %u < %u\n", \ 882 le16_to_cpu(hdr->type), \ 883 (unsigned int)len, \ 884 (unsigned int)_sz); \ 885 break; \ 886 } \ 887 mutex_lock(&iwl_mei_mutex); \ 888 _handler(cldev, (const void *)hdr); \ 889 mutex_unlock(&iwl_mei_mutex); \ 890 break 891 892 #define SAP_MSG_HANDLER_NO_LOCK(_cmd, _handler, _sz) \ 893 case SAP_MSG_NOTIF_ ## _cmd: \ 894 if (len < _sz) { \ 895 dev_err(&cldev->dev, \ 896 "Bad size for %d: %u < %u\n", \ 897 le16_to_cpu(hdr->type), \ 898 (unsigned int)len, \ 899 (unsigned int)_sz); \ 900 break; \ 901 } \ 902 _handler(cldev, (const void *)hdr); \ 903 break 904 905 #define SAP_MSG_HANDLER_NO_HANDLER(_cmd, _sz) \ 906 case SAP_MSG_NOTIF_ ## _cmd: \ 907 if (len < _sz) { \ 908 dev_err(&cldev->dev, \ 909 "Bad size for %d: %u < %u\n", \ 910 le16_to_cpu(hdr->type), \ 911 (unsigned int)len, \ 912 (unsigned int)_sz); \ 913 break; \ 914 } \ 915 break 916 917 switch (type) { 918 SAP_MSG_HANDLER(PING, iwl_mei_handle_ping, 0); 919 SAP_MSG_HANDLER(CSME_FILTERS, 920 iwl_mei_handle_csme_filters, 921 sizeof(struct iwl_sap_csme_filters)); 922 SAP_MSG_HANDLER(CSME_CONN_STATUS, 923 iwl_mei_handle_conn_status, 924 sizeof(struct iwl_sap_notif_conn_status)); 925 SAP_MSG_HANDLER_NO_LOCK(AMT_STATE, 926 iwl_mei_handle_amt_state, 927 sizeof(struct iwl_sap_msg_dw)); 928 SAP_MSG_HANDLER_NO_HANDLER(PONG, 0); 929 SAP_MSG_HANDLER(NVM, iwl_mei_handle_nvm, 930 sizeof(struct iwl_sap_nvm)); 931 SAP_MSG_HANDLER(CSME_REPLY_TO_HOST_OWNERSHIP_REQ, 932 iwl_mei_handle_rx_host_own_req, 933 sizeof(struct iwl_sap_msg_dw)); 934 SAP_MSG_HANDLER(NIC_OWNER, iwl_mei_handle_nic_owner, 935 sizeof(struct iwl_sap_msg_dw)); 936 SAP_MSG_HANDLER(CSME_CAN_RELEASE_OWNERSHIP, 937 iwl_mei_handle_can_release_ownership, 0); 938 SAP_MSG_HANDLER(CSME_TAKING_OWNERSHIP, 939 iwl_mei_handle_csme_taking_ownership, 0); 940 default: 941 /* 942 * This is not really an error, there are message that we decided 943 * to ignore, yet, it is useful to be able to leave a note if debug 944 * is enabled. 945 */ 946 dev_dbg(&cldev->dev, "Unsupported message: type %d, len %d\n", 947 le16_to_cpu(hdr->type), len); 948 } 949 950 #undef SAP_MSG_HANDLER 951 #undef SAP_MSG_HANDLER_NO_LOCK 952 } 953 954 static void iwl_mei_read_from_q(const u8 *q_head, u32 q_sz, 955 u32 *_rd, u32 wr, 956 void *_buf, u32 len) 957 { 958 u8 *buf = _buf; 959 u32 rd = *_rd; 960 961 if (rd + len <= q_sz) { 962 memcpy(buf, q_head + rd, len); 963 rd += len; 964 } else { 965 memcpy(buf, q_head + rd, q_sz - rd); 966 memcpy(buf + q_sz - rd, q_head, len - (q_sz - rd)); 967 rd = len - (q_sz - rd); 968 } 969 970 *_rd = rd; 971 } 972 973 #define QOS_HDR_IV_SNAP_LEN (sizeof(struct ieee80211_qos_hdr) + \ 974 IEEE80211_TKIP_IV_LEN + \ 975 sizeof(rfc1042_header) + ETH_TLEN) 976 977 static void iwl_mei_handle_sap_data(struct mei_cl_device *cldev, 978 const u8 *q_head, u32 q_sz, 979 u32 rd, u32 wr, ssize_t valid_rx_sz, 980 struct sk_buff_head *tx_skbs) 981 { 982 struct iwl_sap_hdr hdr; 983 struct net_device *netdev = 984 rcu_dereference_protected(iwl_mei_cache.netdev, 985 lockdep_is_held(&iwl_mei_mutex)); 986 987 if (!netdev) 988 return; 989 990 while (valid_rx_sz >= sizeof(hdr)) { 991 struct ethhdr *ethhdr; 992 unsigned char *data; 993 struct sk_buff *skb; 994 u16 len; 995 996 iwl_mei_read_from_q(q_head, q_sz, &rd, wr, &hdr, sizeof(hdr)); 997 valid_rx_sz -= sizeof(hdr); 998 len = le16_to_cpu(hdr.len); 999 1000 if (valid_rx_sz < len) { 1001 dev_err(&cldev->dev, 1002 "Data queue is corrupted: valid data len %zd, len %d\n", 1003 valid_rx_sz, len); 1004 break; 1005 } 1006 1007 if (len < sizeof(*ethhdr)) { 1008 dev_err(&cldev->dev, 1009 "Data len is smaller than an ethernet header? len = %d\n", 1010 len); 1011 } 1012 1013 valid_rx_sz -= len; 1014 1015 if (le16_to_cpu(hdr.type) != SAP_MSG_DATA_PACKET) { 1016 dev_err(&cldev->dev, "Unsupported Rx data: type %d, len %d\n", 1017 le16_to_cpu(hdr.type), len); 1018 continue; 1019 } 1020 1021 /* We need enough room for the WiFi header + SNAP + IV */ 1022 skb = netdev_alloc_skb(netdev, len + QOS_HDR_IV_SNAP_LEN); 1023 if (!skb) 1024 continue; 1025 1026 skb_reserve(skb, QOS_HDR_IV_SNAP_LEN); 1027 ethhdr = skb_push(skb, sizeof(*ethhdr)); 1028 1029 iwl_mei_read_from_q(q_head, q_sz, &rd, wr, 1030 ethhdr, sizeof(*ethhdr)); 1031 len -= sizeof(*ethhdr); 1032 1033 skb_reset_mac_header(skb); 1034 skb_reset_network_header(skb); 1035 skb->protocol = ethhdr->h_proto; 1036 1037 data = skb_put(skb, len); 1038 iwl_mei_read_from_q(q_head, q_sz, &rd, wr, data, len); 1039 1040 /* 1041 * Enqueue the skb here so that it can be sent later when we 1042 * do not hold the mutex. TX'ing a packet with a mutex held is 1043 * possible, but it wouldn't be nice to forbid the TX path to 1044 * call any of iwlmei's functions, since every API from iwlmei 1045 * needs the mutex. 1046 */ 1047 __skb_queue_tail(tx_skbs, skb); 1048 } 1049 } 1050 1051 static void iwl_mei_handle_sap_rx_cmd(struct mei_cl_device *cldev, 1052 const u8 *q_head, u32 q_sz, 1053 u32 rd, u32 wr, ssize_t valid_rx_sz) 1054 { 1055 struct page *p = alloc_page(GFP_KERNEL); 1056 struct iwl_sap_hdr *hdr; 1057 1058 if (!p) 1059 return; 1060 1061 hdr = page_address(p); 1062 1063 while (valid_rx_sz >= sizeof(*hdr)) { 1064 u16 len; 1065 1066 iwl_mei_read_from_q(q_head, q_sz, &rd, wr, hdr, sizeof(*hdr)); 1067 valid_rx_sz -= sizeof(*hdr); 1068 len = le16_to_cpu(hdr->len); 1069 1070 if (valid_rx_sz < len) 1071 break; 1072 1073 iwl_mei_read_from_q(q_head, q_sz, &rd, wr, hdr + 1, len); 1074 1075 trace_iwlmei_sap_cmd(hdr, false); 1076 iwl_mei_handle_sap_msg(cldev, hdr); 1077 valid_rx_sz -= len; 1078 } 1079 1080 /* valid_rx_sz must be 0 now... */ 1081 if (valid_rx_sz) 1082 dev_err(&cldev->dev, 1083 "More data in the buffer although we read it all\n"); 1084 1085 __free_page(p); 1086 } 1087 1088 static void iwl_mei_handle_sap_rx(struct mei_cl_device *cldev, 1089 struct iwl_sap_q_ctrl_blk *notif_q, 1090 const u8 *q_head, 1091 struct sk_buff_head *skbs, 1092 u32 q_sz) 1093 { 1094 u32 rd = le32_to_cpu(READ_ONCE(notif_q->rd_ptr)); 1095 u32 wr = le32_to_cpu(READ_ONCE(notif_q->wr_ptr)); 1096 ssize_t valid_rx_sz; 1097 1098 if (rd > q_sz || wr > q_sz) { 1099 dev_err(&cldev->dev, 1100 "Pointers are past the buffer limit\n"); 1101 return; 1102 } 1103 1104 if (rd == wr) 1105 return; 1106 1107 valid_rx_sz = wr > rd ? wr - rd : q_sz - rd + wr; 1108 1109 if (skbs) 1110 iwl_mei_handle_sap_data(cldev, q_head, q_sz, rd, wr, 1111 valid_rx_sz, skbs); 1112 else 1113 iwl_mei_handle_sap_rx_cmd(cldev, q_head, q_sz, rd, wr, 1114 valid_rx_sz); 1115 1116 /* Increment the read pointer to point to the write pointer */ 1117 WRITE_ONCE(notif_q->rd_ptr, cpu_to_le32(wr)); 1118 } 1119 1120 static void iwl_mei_handle_check_shared_area(struct mei_cl_device *cldev) 1121 { 1122 struct iwl_mei *mei = mei_cldev_get_drvdata(cldev); 1123 struct iwl_sap_q_ctrl_blk *notif_q; 1124 struct sk_buff_head tx_skbs; 1125 struct iwl_sap_dir *dir; 1126 void *q_head; 1127 u32 q_sz; 1128 1129 if (!mei->shared_mem.ctrl) 1130 return; 1131 1132 dir = &mei->shared_mem.ctrl->dir[SAP_DIRECTION_ME_TO_HOST]; 1133 notif_q = &dir->q_ctrl_blk[SAP_QUEUE_IDX_NOTIF]; 1134 q_head = mei->shared_mem.q_head[SAP_DIRECTION_ME_TO_HOST][SAP_QUEUE_IDX_NOTIF]; 1135 q_sz = mei->shared_mem.q_size[SAP_DIRECTION_ME_TO_HOST][SAP_QUEUE_IDX_NOTIF]; 1136 1137 /* 1138 * Do not hold the mutex here, but rather each and every message 1139 * handler takes it. 1140 * This allows message handlers to take it at a certain time. 1141 */ 1142 iwl_mei_handle_sap_rx(cldev, notif_q, q_head, NULL, q_sz); 1143 1144 mutex_lock(&iwl_mei_mutex); 1145 dir = &mei->shared_mem.ctrl->dir[SAP_DIRECTION_ME_TO_HOST]; 1146 notif_q = &dir->q_ctrl_blk[SAP_QUEUE_IDX_DATA]; 1147 q_head = mei->shared_mem.q_head[SAP_DIRECTION_ME_TO_HOST][SAP_QUEUE_IDX_DATA]; 1148 q_sz = mei->shared_mem.q_size[SAP_DIRECTION_ME_TO_HOST][SAP_QUEUE_IDX_DATA]; 1149 1150 __skb_queue_head_init(&tx_skbs); 1151 1152 iwl_mei_handle_sap_rx(cldev, notif_q, q_head, &tx_skbs, q_sz); 1153 1154 if (skb_queue_empty(&tx_skbs)) { 1155 mutex_unlock(&iwl_mei_mutex); 1156 return; 1157 } 1158 1159 /* 1160 * Take the RCU read lock before we unlock the mutex to make sure that 1161 * even if the netdev is replaced by another non-NULL netdev right after 1162 * we unlock the mutex, the old netdev will still be valid when we 1163 * transmit the frames. We can't allow to replace the netdev here because 1164 * the skbs hold a pointer to the netdev. 1165 */ 1166 rcu_read_lock(); 1167 1168 mutex_unlock(&iwl_mei_mutex); 1169 1170 if (!rcu_access_pointer(iwl_mei_cache.netdev)) { 1171 dev_err(&cldev->dev, "Can't Tx without a netdev\n"); 1172 skb_queue_purge(&tx_skbs); 1173 goto out; 1174 } 1175 1176 while (!skb_queue_empty(&tx_skbs)) { 1177 struct sk_buff *skb = __skb_dequeue(&tx_skbs); 1178 1179 trace_iwlmei_sap_data(skb, IWL_SAP_RX_DATA_TO_AIR); 1180 dev_queue_xmit(skb); 1181 } 1182 1183 out: 1184 rcu_read_unlock(); 1185 } 1186 1187 static void iwl_mei_rx(struct mei_cl_device *cldev) 1188 { 1189 struct iwl_sap_me_msg_hdr *hdr; 1190 u8 msg[100]; 1191 ssize_t ret; 1192 1193 ret = mei_cldev_recv(cldev, (u8 *)&msg, sizeof(msg)); 1194 if (ret < 0) { 1195 dev_err(&cldev->dev, "failed to receive data: %zd\n", ret); 1196 return; 1197 } 1198 1199 if (ret == 0) { 1200 dev_err(&cldev->dev, "got an empty response\n"); 1201 return; 1202 } 1203 1204 hdr = (void *)msg; 1205 trace_iwlmei_me_msg(hdr, false); 1206 1207 switch (le32_to_cpu(hdr->type)) { 1208 case SAP_ME_MSG_START_OK: 1209 BUILD_BUG_ON(sizeof(struct iwl_sap_me_msg_start_ok) > 1210 sizeof(msg)); 1211 1212 iwl_mei_handle_rx_start_ok(cldev, (void *)msg, ret); 1213 break; 1214 case SAP_ME_MSG_CHECK_SHARED_AREA: 1215 iwl_mei_handle_check_shared_area(cldev); 1216 break; 1217 default: 1218 dev_err(&cldev->dev, "got a RX notification: %d\n", 1219 le32_to_cpu(hdr->type)); 1220 break; 1221 } 1222 } 1223 1224 static int iwl_mei_send_start(struct mei_cl_device *cldev) 1225 { 1226 struct iwl_mei *mei = mei_cldev_get_drvdata(cldev); 1227 struct iwl_sap_me_msg_start msg = { 1228 .hdr.type = cpu_to_le32(SAP_ME_MSG_START), 1229 .hdr.seq_num = cpu_to_le32(atomic_inc_return(&mei->seq_no)), 1230 .hdr.len = cpu_to_le32(sizeof(msg)), 1231 .supported_versions[0] = SAP_VERSION, 1232 .init_data_seq_num = cpu_to_le16(0x100), 1233 .init_notif_seq_num = cpu_to_le16(0x800), 1234 }; 1235 int ret; 1236 1237 trace_iwlmei_me_msg(&msg.hdr, true); 1238 ret = mei_cldev_send(cldev, (void *)&msg, sizeof(msg)); 1239 if (ret != sizeof(msg)) { 1240 dev_err(&cldev->dev, 1241 "failed to send the SAP_ME_MSG_START message %d\n", 1242 ret); 1243 return ret; 1244 } 1245 1246 return 0; 1247 } 1248 1249 static int iwl_mei_enable(struct mei_cl_device *cldev) 1250 { 1251 int ret; 1252 1253 ret = mei_cldev_enable(cldev); 1254 if (ret < 0) { 1255 dev_err(&cldev->dev, "failed to enable the device: %d\n", ret); 1256 return ret; 1257 } 1258 1259 ret = mei_cldev_register_rx_cb(cldev, iwl_mei_rx); 1260 if (ret) { 1261 dev_err(&cldev->dev, 1262 "failed to register to the rx cb: %d\n", ret); 1263 mei_cldev_disable(cldev); 1264 return ret; 1265 } 1266 1267 return 0; 1268 } 1269 1270 struct iwl_mei_nvm *iwl_mei_get_nvm(void) 1271 { 1272 struct iwl_mei_nvm *nvm = NULL; 1273 struct iwl_mei *mei; 1274 int ret; 1275 1276 mutex_lock(&iwl_mei_mutex); 1277 1278 if (!iwl_mei_is_connected()) 1279 goto out; 1280 1281 mei = mei_cldev_get_drvdata(iwl_mei_global_cldev); 1282 1283 if (!mei) 1284 goto out; 1285 1286 ret = iwl_mei_send_sap_msg(iwl_mei_global_cldev, 1287 SAP_MSG_NOTIF_GET_NVM); 1288 if (ret) 1289 goto out; 1290 1291 mutex_unlock(&iwl_mei_mutex); 1292 1293 ret = wait_event_timeout(mei->get_nvm_wq, mei->nvm, 2 * HZ); 1294 if (!ret) 1295 return NULL; 1296 1297 mutex_lock(&iwl_mei_mutex); 1298 1299 if (!iwl_mei_is_connected()) 1300 goto out; 1301 1302 mei = mei_cldev_get_drvdata(iwl_mei_global_cldev); 1303 1304 if (!mei) 1305 goto out; 1306 1307 if (mei->nvm) 1308 nvm = kmemdup(mei->nvm, sizeof(*mei->nvm), GFP_KERNEL); 1309 1310 out: 1311 mutex_unlock(&iwl_mei_mutex); 1312 return nvm; 1313 } 1314 EXPORT_SYMBOL_GPL(iwl_mei_get_nvm); 1315 1316 int iwl_mei_get_ownership(void) 1317 { 1318 struct iwl_mei *mei; 1319 int ret; 1320 1321 mutex_lock(&iwl_mei_mutex); 1322 1323 /* In case we didn't have a bind */ 1324 if (!iwl_mei_is_connected()) { 1325 ret = 0; 1326 goto out; 1327 } 1328 1329 mei = mei_cldev_get_drvdata(iwl_mei_global_cldev); 1330 1331 if (!mei) { 1332 ret = -ENODEV; 1333 goto out; 1334 } 1335 1336 if (!mei->amt_enabled) { 1337 ret = 0; 1338 goto out; 1339 } 1340 1341 if (mei->got_ownership) { 1342 ret = 0; 1343 goto out; 1344 } 1345 1346 ret = iwl_mei_send_sap_msg(mei->cldev, 1347 SAP_MSG_NOTIF_HOST_ASKS_FOR_NIC_OWNERSHIP); 1348 if (ret) 1349 goto out; 1350 1351 mutex_unlock(&iwl_mei_mutex); 1352 1353 ret = wait_event_timeout(mei->get_ownership_wq, 1354 mei->got_ownership, HZ / 2); 1355 if (!ret) 1356 return -ETIMEDOUT; 1357 1358 mutex_lock(&iwl_mei_mutex); 1359 1360 /* In case we didn't have a bind */ 1361 if (!iwl_mei_is_connected()) { 1362 ret = 0; 1363 goto out; 1364 } 1365 1366 mei = mei_cldev_get_drvdata(iwl_mei_global_cldev); 1367 1368 if (!mei) { 1369 ret = -ENODEV; 1370 goto out; 1371 } 1372 1373 ret = !mei->got_ownership; 1374 1375 out: 1376 mutex_unlock(&iwl_mei_mutex); 1377 return ret; 1378 } 1379 EXPORT_SYMBOL_GPL(iwl_mei_get_ownership); 1380 1381 void iwl_mei_host_associated(const struct iwl_mei_conn_info *conn_info, 1382 const struct iwl_mei_colloc_info *colloc_info) 1383 { 1384 struct iwl_sap_notif_host_link_up msg = { 1385 .hdr.type = cpu_to_le16(SAP_MSG_NOTIF_HOST_LINK_UP), 1386 .hdr.len = cpu_to_le16(sizeof(msg) - sizeof(msg.hdr)), 1387 .conn_info = { 1388 .ssid_len = cpu_to_le32(conn_info->ssid_len), 1389 .channel = conn_info->channel, 1390 .band = conn_info->band, 1391 .pairwise_cipher = cpu_to_le32(conn_info->pairwise_cipher), 1392 .auth_mode = cpu_to_le32(conn_info->auth_mode), 1393 }, 1394 }; 1395 struct iwl_mei *mei; 1396 1397 if (conn_info->ssid_len > ARRAY_SIZE(msg.conn_info.ssid)) 1398 return; 1399 1400 memcpy(msg.conn_info.ssid, conn_info->ssid, conn_info->ssid_len); 1401 memcpy(msg.conn_info.bssid, conn_info->bssid, ETH_ALEN); 1402 1403 if (colloc_info) { 1404 msg.colloc_channel = colloc_info->channel; 1405 msg.colloc_band = colloc_info->channel <= 14 ? 0 : 1; 1406 memcpy(msg.colloc_bssid, colloc_info->bssid, ETH_ALEN); 1407 } 1408 1409 mutex_lock(&iwl_mei_mutex); 1410 1411 if (!iwl_mei_is_connected()) 1412 goto out; 1413 1414 mei = mei_cldev_get_drvdata(iwl_mei_global_cldev); 1415 1416 if (!mei) 1417 goto out; 1418 1419 if (!mei->amt_enabled) 1420 goto out; 1421 1422 iwl_mei_send_sap_msg_payload(mei->cldev, &msg.hdr); 1423 1424 out: 1425 kfree(iwl_mei_cache.conn_info); 1426 iwl_mei_cache.conn_info = 1427 kmemdup(&msg.conn_info, sizeof(msg.conn_info), GFP_KERNEL); 1428 mutex_unlock(&iwl_mei_mutex); 1429 } 1430 EXPORT_SYMBOL_GPL(iwl_mei_host_associated); 1431 1432 void iwl_mei_host_disassociated(void) 1433 { 1434 struct iwl_mei *mei; 1435 struct iwl_sap_notif_host_link_down msg = { 1436 .hdr.type = cpu_to_le16(SAP_MSG_NOTIF_HOST_LINK_DOWN), 1437 .hdr.len = cpu_to_le16(sizeof(msg) - sizeof(msg.hdr)), 1438 .type = HOST_LINK_DOWN_TYPE_LONG, 1439 }; 1440 1441 mutex_lock(&iwl_mei_mutex); 1442 1443 if (!iwl_mei_is_connected()) 1444 goto out; 1445 1446 mei = mei_cldev_get_drvdata(iwl_mei_global_cldev); 1447 1448 if (!mei) 1449 goto out; 1450 1451 iwl_mei_send_sap_msg_payload(mei->cldev, &msg.hdr); 1452 1453 out: 1454 kfree(iwl_mei_cache.conn_info); 1455 iwl_mei_cache.conn_info = NULL; 1456 mutex_unlock(&iwl_mei_mutex); 1457 } 1458 EXPORT_SYMBOL_GPL(iwl_mei_host_disassociated); 1459 1460 void iwl_mei_set_rfkill_state(bool hw_rfkill, bool sw_rfkill) 1461 { 1462 struct iwl_mei *mei; 1463 u32 rfkill_state = 0; 1464 struct iwl_sap_msg_dw msg = { 1465 .hdr.type = cpu_to_le16(SAP_MSG_NOTIF_RADIO_STATE), 1466 .hdr.len = cpu_to_le16(sizeof(msg) - sizeof(msg.hdr)), 1467 }; 1468 1469 if (!sw_rfkill) 1470 rfkill_state |= SAP_SW_RFKILL_DEASSERTED; 1471 1472 if (!hw_rfkill) 1473 rfkill_state |= SAP_HW_RFKILL_DEASSERTED; 1474 1475 mutex_lock(&iwl_mei_mutex); 1476 1477 if (!iwl_mei_is_connected()) 1478 goto out; 1479 1480 msg.val = cpu_to_le32(rfkill_state); 1481 1482 mei = mei_cldev_get_drvdata(iwl_mei_global_cldev); 1483 1484 if (!mei) 1485 goto out; 1486 1487 iwl_mei_send_sap_msg_payload(mei->cldev, &msg.hdr); 1488 1489 out: 1490 iwl_mei_cache.rf_kill = rfkill_state; 1491 mutex_unlock(&iwl_mei_mutex); 1492 } 1493 EXPORT_SYMBOL_GPL(iwl_mei_set_rfkill_state); 1494 1495 void iwl_mei_set_nic_info(const u8 *mac_address, const u8 *nvm_address) 1496 { 1497 struct iwl_mei *mei; 1498 struct iwl_sap_notif_host_nic_info msg = { 1499 .hdr.type = cpu_to_le16(SAP_MSG_NOTIF_NIC_INFO), 1500 .hdr.len = cpu_to_le16(sizeof(msg) - sizeof(msg.hdr)), 1501 }; 1502 1503 mutex_lock(&iwl_mei_mutex); 1504 1505 if (!iwl_mei_is_connected()) 1506 goto out; 1507 1508 ether_addr_copy(msg.mac_address, mac_address); 1509 ether_addr_copy(msg.nvm_address, nvm_address); 1510 1511 mei = mei_cldev_get_drvdata(iwl_mei_global_cldev); 1512 1513 if (!mei) 1514 goto out; 1515 1516 iwl_mei_send_sap_msg_payload(mei->cldev, &msg.hdr); 1517 1518 out: 1519 ether_addr_copy(iwl_mei_cache.mac_address, mac_address); 1520 ether_addr_copy(iwl_mei_cache.nvm_address, nvm_address); 1521 mutex_unlock(&iwl_mei_mutex); 1522 } 1523 EXPORT_SYMBOL_GPL(iwl_mei_set_nic_info); 1524 1525 void iwl_mei_set_country_code(u16 mcc) 1526 { 1527 struct iwl_mei *mei; 1528 struct iwl_sap_notif_country_code msg = { 1529 .hdr.type = cpu_to_le16(SAP_MSG_NOTIF_COUNTRY_CODE), 1530 .hdr.len = cpu_to_le16(sizeof(msg) - sizeof(msg.hdr)), 1531 .mcc = cpu_to_le16(mcc), 1532 }; 1533 1534 mutex_lock(&iwl_mei_mutex); 1535 1536 if (!iwl_mei_is_connected()) 1537 goto out; 1538 1539 mei = mei_cldev_get_drvdata(iwl_mei_global_cldev); 1540 1541 if (!mei) 1542 goto out; 1543 1544 iwl_mei_send_sap_msg_payload(mei->cldev, &msg.hdr); 1545 1546 out: 1547 iwl_mei_cache.mcc = mcc; 1548 mutex_unlock(&iwl_mei_mutex); 1549 } 1550 EXPORT_SYMBOL_GPL(iwl_mei_set_country_code); 1551 1552 void iwl_mei_set_power_limit(const __le16 *power_limit) 1553 { 1554 struct iwl_mei *mei; 1555 struct iwl_sap_notif_sar_limits msg = { 1556 .hdr.type = cpu_to_le16(SAP_MSG_NOTIF_SAR_LIMITS), 1557 .hdr.len = cpu_to_le16(sizeof(msg) - sizeof(msg.hdr)), 1558 }; 1559 1560 mutex_lock(&iwl_mei_mutex); 1561 1562 if (!iwl_mei_is_connected()) 1563 goto out; 1564 1565 mei = mei_cldev_get_drvdata(iwl_mei_global_cldev); 1566 1567 if (!mei) 1568 goto out; 1569 1570 memcpy(msg.sar_chain_info_table, power_limit, sizeof(msg.sar_chain_info_table)); 1571 1572 iwl_mei_send_sap_msg_payload(mei->cldev, &msg.hdr); 1573 1574 out: 1575 kfree(iwl_mei_cache.power_limit); 1576 iwl_mei_cache.power_limit = kmemdup(power_limit, 1577 sizeof(msg.sar_chain_info_table), GFP_KERNEL); 1578 mutex_unlock(&iwl_mei_mutex); 1579 } 1580 EXPORT_SYMBOL_GPL(iwl_mei_set_power_limit); 1581 1582 void iwl_mei_set_netdev(struct net_device *netdev) 1583 { 1584 struct iwl_mei *mei; 1585 1586 mutex_lock(&iwl_mei_mutex); 1587 1588 if (!iwl_mei_is_connected()) { 1589 rcu_assign_pointer(iwl_mei_cache.netdev, netdev); 1590 goto out; 1591 } 1592 1593 mei = mei_cldev_get_drvdata(iwl_mei_global_cldev); 1594 1595 if (!mei) 1596 goto out; 1597 1598 if (!netdev) { 1599 struct net_device *dev = 1600 rcu_dereference_protected(iwl_mei_cache.netdev, 1601 lockdep_is_held(&iwl_mei_mutex)); 1602 1603 if (!dev) 1604 goto out; 1605 1606 netdev_rx_handler_unregister(dev); 1607 } 1608 1609 rcu_assign_pointer(iwl_mei_cache.netdev, netdev); 1610 1611 if (netdev && mei->amt_enabled) 1612 netdev_rx_handler_register(netdev, iwl_mei_rx_handler, mei); 1613 1614 out: 1615 mutex_unlock(&iwl_mei_mutex); 1616 } 1617 EXPORT_SYMBOL_GPL(iwl_mei_set_netdev); 1618 1619 void iwl_mei_device_down(void) 1620 { 1621 struct iwl_mei *mei; 1622 1623 mutex_lock(&iwl_mei_mutex); 1624 1625 if (!iwl_mei_is_connected()) 1626 goto out; 1627 1628 mei = mei_cldev_get_drvdata(iwl_mei_global_cldev); 1629 1630 if (!mei) 1631 goto out; 1632 1633 if (!mei->csme_taking_ownership) 1634 goto out; 1635 1636 iwl_mei_send_sap_msg(mei->cldev, 1637 SAP_MSG_NOTIF_CSME_OWNERSHIP_CONFIRMED); 1638 mei->csme_taking_ownership = false; 1639 out: 1640 mutex_unlock(&iwl_mei_mutex); 1641 } 1642 EXPORT_SYMBOL_GPL(iwl_mei_device_down); 1643 1644 int iwl_mei_register(void *priv, const struct iwl_mei_ops *ops) 1645 { 1646 int ret; 1647 1648 /* 1649 * We must have a non-NULL priv pointer to not crash when there are 1650 * multiple WiFi devices. 1651 */ 1652 if (!priv) 1653 return -EINVAL; 1654 1655 mutex_lock(&iwl_mei_mutex); 1656 1657 /* do not allow registration if someone else already registered */ 1658 if (iwl_mei_cache.priv || iwl_mei_cache.ops) { 1659 ret = -EBUSY; 1660 goto out; 1661 } 1662 1663 iwl_mei_cache.priv = priv; 1664 iwl_mei_cache.ops = ops; 1665 1666 if (iwl_mei_global_cldev) { 1667 struct iwl_mei *mei = 1668 mei_cldev_get_drvdata(iwl_mei_global_cldev); 1669 1670 /* we have already a SAP connection */ 1671 if (iwl_mei_is_connected()) { 1672 iwl_mei_send_sap_msg(mei->cldev, 1673 SAP_MSG_NOTIF_WIFIDR_UP); 1674 ops->rfkill(priv, mei->link_prot_state); 1675 } 1676 } 1677 ret = 0; 1678 1679 out: 1680 mutex_unlock(&iwl_mei_mutex); 1681 return ret; 1682 } 1683 EXPORT_SYMBOL_GPL(iwl_mei_register); 1684 1685 void iwl_mei_start_unregister(void) 1686 { 1687 mutex_lock(&iwl_mei_mutex); 1688 1689 /* At this point, the wifi driver should have removed the netdev */ 1690 if (rcu_access_pointer(iwl_mei_cache.netdev)) 1691 pr_err("Still had a netdev pointer set upon unregister\n"); 1692 1693 kfree(iwl_mei_cache.conn_info); 1694 iwl_mei_cache.conn_info = NULL; 1695 kfree(iwl_mei_cache.power_limit); 1696 iwl_mei_cache.power_limit = NULL; 1697 iwl_mei_cache.ops = NULL; 1698 /* leave iwl_mei_cache.priv non-NULL to prevent any new registration */ 1699 1700 mutex_unlock(&iwl_mei_mutex); 1701 } 1702 EXPORT_SYMBOL_GPL(iwl_mei_start_unregister); 1703 1704 void iwl_mei_unregister_complete(void) 1705 { 1706 mutex_lock(&iwl_mei_mutex); 1707 1708 iwl_mei_cache.priv = NULL; 1709 1710 if (iwl_mei_global_cldev) { 1711 struct iwl_mei *mei = 1712 mei_cldev_get_drvdata(iwl_mei_global_cldev); 1713 1714 iwl_mei_send_sap_msg(mei->cldev, SAP_MSG_NOTIF_WIFIDR_DOWN); 1715 mei->got_ownership = false; 1716 } 1717 1718 mutex_unlock(&iwl_mei_mutex); 1719 } 1720 EXPORT_SYMBOL_GPL(iwl_mei_unregister_complete); 1721 1722 #if IS_ENABLED(CONFIG_DEBUG_FS) 1723 1724 static ssize_t 1725 iwl_mei_dbgfs_send_start_message_write(struct file *file, 1726 const char __user *user_buf, 1727 size_t count, loff_t *ppos) 1728 { 1729 int ret; 1730 1731 mutex_lock(&iwl_mei_mutex); 1732 1733 if (!iwl_mei_global_cldev) { 1734 ret = -ENODEV; 1735 goto out; 1736 } 1737 1738 ret = iwl_mei_send_start(iwl_mei_global_cldev); 1739 1740 out: 1741 mutex_unlock(&iwl_mei_mutex); 1742 return ret ?: count; 1743 } 1744 1745 static const struct file_operations iwl_mei_dbgfs_send_start_message_ops = { 1746 .write = iwl_mei_dbgfs_send_start_message_write, 1747 .open = simple_open, 1748 .llseek = default_llseek, 1749 }; 1750 1751 static ssize_t iwl_mei_dbgfs_req_ownership_write(struct file *file, 1752 const char __user *user_buf, 1753 size_t count, loff_t *ppos) 1754 { 1755 iwl_mei_get_ownership(); 1756 1757 return count; 1758 } 1759 1760 static const struct file_operations iwl_mei_dbgfs_req_ownership_ops = { 1761 .write = iwl_mei_dbgfs_req_ownership_write, 1762 .open = simple_open, 1763 .llseek = default_llseek, 1764 }; 1765 1766 static void iwl_mei_dbgfs_register(struct iwl_mei *mei) 1767 { 1768 mei->dbgfs_dir = debugfs_create_dir(KBUILD_MODNAME, NULL); 1769 1770 if (!mei->dbgfs_dir) 1771 return; 1772 1773 debugfs_create_ulong("status", S_IRUSR, 1774 mei->dbgfs_dir, &iwl_mei_status); 1775 debugfs_create_file("send_start_message", S_IWUSR, mei->dbgfs_dir, 1776 mei, &iwl_mei_dbgfs_send_start_message_ops); 1777 debugfs_create_file("req_ownership", S_IWUSR, mei->dbgfs_dir, 1778 mei, &iwl_mei_dbgfs_req_ownership_ops); 1779 } 1780 1781 static void iwl_mei_dbgfs_unregister(struct iwl_mei *mei) 1782 { 1783 debugfs_remove_recursive(mei->dbgfs_dir); 1784 mei->dbgfs_dir = NULL; 1785 } 1786 1787 #else 1788 1789 static void iwl_mei_dbgfs_register(struct iwl_mei *mei) {} 1790 static void iwl_mei_dbgfs_unregister(struct iwl_mei *mei) {} 1791 1792 #endif /* CONFIG_DEBUG_FS */ 1793 1794 #define ALLOC_SHARED_MEM_RETRY_MAX_NUM 3 1795 1796 /* 1797 * iwl_mei_probe - the probe function called by the mei bus enumeration 1798 * 1799 * This allocates the data needed by iwlmei and sets a pointer to this data 1800 * into the mei_cl_device's drvdata. 1801 * It starts the SAP protocol by sending the SAP_ME_MSG_START without 1802 * waiting for the answer. The answer will be caught later by the Rx callback. 1803 */ 1804 static int iwl_mei_probe(struct mei_cl_device *cldev, 1805 const struct mei_cl_device_id *id) 1806 { 1807 int alloc_retry = ALLOC_SHARED_MEM_RETRY_MAX_NUM; 1808 struct iwl_mei *mei; 1809 int ret; 1810 1811 mei = devm_kzalloc(&cldev->dev, sizeof(*mei), GFP_KERNEL); 1812 if (!mei) 1813 return -ENOMEM; 1814 1815 init_waitqueue_head(&mei->get_nvm_wq); 1816 INIT_WORK(&mei->send_csa_msg_wk, iwl_mei_send_csa_msg_wk); 1817 INIT_DELAYED_WORK(&mei->csa_throttle_end_wk, 1818 iwl_mei_csa_throttle_end_wk); 1819 init_waitqueue_head(&mei->get_ownership_wq); 1820 spin_lock_init(&mei->data_q_lock); 1821 1822 mei_cldev_set_drvdata(cldev, mei); 1823 mei->cldev = cldev; 1824 1825 do { 1826 ret = iwl_mei_alloc_shared_mem(cldev); 1827 if (!ret) 1828 break; 1829 /* 1830 * The CSME firmware needs to boot the internal WLAN client. 1831 * This can take time in certain configurations (usually 1832 * upon resume and when the whole CSME firmware is shut down 1833 * during suspend). 1834 * 1835 * Wait a bit before retrying and hope we'll succeed next time. 1836 */ 1837 1838 dev_dbg(&cldev->dev, 1839 "Couldn't allocate the shared memory: %d, attempt %d / %d\n", 1840 ret, alloc_retry, ALLOC_SHARED_MEM_RETRY_MAX_NUM); 1841 msleep(100); 1842 alloc_retry--; 1843 } while (alloc_retry); 1844 1845 if (ret) { 1846 dev_err(&cldev->dev, "Couldn't allocate the shared memory: %d\n", 1847 ret); 1848 goto free; 1849 } 1850 1851 iwl_mei_init_shared_mem(mei); 1852 1853 ret = iwl_mei_enable(cldev); 1854 if (ret) 1855 goto free_shared_mem; 1856 1857 iwl_mei_dbgfs_register(mei); 1858 1859 /* 1860 * We now have a Rx function in place, start the SAP procotol 1861 * we expect to get the SAP_ME_MSG_START_OK response later on. 1862 */ 1863 mutex_lock(&iwl_mei_mutex); 1864 ret = iwl_mei_send_start(cldev); 1865 mutex_unlock(&iwl_mei_mutex); 1866 if (ret) 1867 goto debugfs_unregister; 1868 1869 /* must be last */ 1870 iwl_mei_global_cldev = cldev; 1871 1872 return 0; 1873 1874 debugfs_unregister: 1875 iwl_mei_dbgfs_unregister(mei); 1876 mei_cldev_disable(cldev); 1877 free_shared_mem: 1878 iwl_mei_free_shared_mem(cldev); 1879 free: 1880 mei_cldev_set_drvdata(cldev, NULL); 1881 devm_kfree(&cldev->dev, mei); 1882 1883 return ret; 1884 } 1885 1886 #define SEND_SAP_MAX_WAIT_ITERATION 10 1887 1888 static void iwl_mei_remove(struct mei_cl_device *cldev) 1889 { 1890 struct iwl_mei *mei = mei_cldev_get_drvdata(cldev); 1891 int i; 1892 1893 /* 1894 * We are being removed while the bus is active, it means we are 1895 * going to suspend/ shutdown, so the NIC will disappear. 1896 */ 1897 if (mei_cldev_enabled(cldev) && iwl_mei_cache.ops) 1898 iwl_mei_cache.ops->nic_stolen(iwl_mei_cache.priv); 1899 1900 if (rcu_access_pointer(iwl_mei_cache.netdev)) { 1901 struct net_device *dev; 1902 1903 /* 1904 * First take rtnl and only then the mutex to avoid an ABBA 1905 * with iwl_mei_set_netdev() 1906 */ 1907 rtnl_lock(); 1908 mutex_lock(&iwl_mei_mutex); 1909 1910 /* 1911 * If we are suspending and the wifi driver hasn't removed it's netdev 1912 * yet, do it now. In any case, don't change the cache.netdev pointer. 1913 */ 1914 dev = rcu_dereference_protected(iwl_mei_cache.netdev, 1915 lockdep_is_held(&iwl_mei_mutex)); 1916 1917 netdev_rx_handler_unregister(dev); 1918 mutex_unlock(&iwl_mei_mutex); 1919 rtnl_unlock(); 1920 } 1921 1922 mutex_lock(&iwl_mei_mutex); 1923 1924 /* 1925 * Tell CSME that we are going down so that it won't access the 1926 * memory anymore, make sure this message goes through immediately. 1927 */ 1928 mei->csa_throttled = false; 1929 iwl_mei_send_sap_msg(mei->cldev, 1930 SAP_MSG_NOTIF_HOST_GOES_DOWN); 1931 1932 for (i = 0; i < SEND_SAP_MAX_WAIT_ITERATION; i++) { 1933 if (!iwl_mei_host_to_me_data_pending(mei)) 1934 break; 1935 1936 msleep(5); 1937 } 1938 1939 /* 1940 * If we couldn't make sure that CSME saw the HOST_GOES_DOWN message, 1941 * it means that it will probably keep reading memory that we are going 1942 * to unmap and free, expect IOMMU error messages. 1943 */ 1944 if (i == SEND_SAP_MAX_WAIT_ITERATION) 1945 dev_err(&mei->cldev->dev, 1946 "Couldn't get ACK from CSME on HOST_GOES_DOWN message\n"); 1947 1948 mutex_unlock(&iwl_mei_mutex); 1949 1950 /* 1951 * This looks strange, but this lock is taken here to make sure that 1952 * iwl_mei_add_data_to_ring called from the Tx path sees that we 1953 * clear the IWL_MEI_STATUS_SAP_CONNECTED bit. 1954 * Rx isn't a problem because the rx_handler can't be called after 1955 * having been unregistered. 1956 */ 1957 spin_lock_bh(&mei->data_q_lock); 1958 clear_bit(IWL_MEI_STATUS_SAP_CONNECTED, &iwl_mei_status); 1959 spin_unlock_bh(&mei->data_q_lock); 1960 1961 if (iwl_mei_cache.ops) 1962 iwl_mei_cache.ops->rfkill(iwl_mei_cache.priv, false); 1963 1964 /* 1965 * mei_cldev_disable will return only after all the MEI Rx is done. 1966 * It must be called when iwl_mei_mutex is *not* held, since it waits 1967 * for our Rx handler to complete. 1968 * After it returns, no new Rx will start. 1969 */ 1970 mei_cldev_disable(cldev); 1971 1972 /* 1973 * Since the netdev was already removed and the netdev's removal 1974 * includes a call to synchronize_net() so that we know there won't be 1975 * any new Rx that will trigger the following workers. 1976 */ 1977 cancel_work_sync(&mei->send_csa_msg_wk); 1978 cancel_delayed_work_sync(&mei->csa_throttle_end_wk); 1979 1980 /* 1981 * If someone waits for the ownership, let him know that we are going 1982 * down and that we are not connected anymore. He'll be able to take 1983 * the device. 1984 */ 1985 wake_up_all(&mei->get_ownership_wq); 1986 1987 mutex_lock(&iwl_mei_mutex); 1988 1989 iwl_mei_global_cldev = NULL; 1990 1991 wake_up_all(&mei->get_nvm_wq); 1992 1993 iwl_mei_free_shared_mem(cldev); 1994 1995 iwl_mei_dbgfs_unregister(mei); 1996 1997 mei_cldev_set_drvdata(cldev, NULL); 1998 1999 kfree(mei->nvm); 2000 2001 kfree(rcu_access_pointer(mei->filters)); 2002 2003 devm_kfree(&cldev->dev, mei); 2004 2005 mutex_unlock(&iwl_mei_mutex); 2006 } 2007 2008 static const struct mei_cl_device_id iwl_mei_tbl[] = { 2009 { 2010 .name = KBUILD_MODNAME, 2011 .uuid = MEI_WLAN_UUID, 2012 .version = MEI_CL_VERSION_ANY, 2013 }, 2014 2015 /* required last entry */ 2016 { } 2017 }; 2018 2019 /* 2020 * Do not export the device table because this module is loaded by 2021 * iwlwifi's dependency. 2022 */ 2023 2024 static struct mei_cl_driver iwl_mei_cl_driver = { 2025 .id_table = iwl_mei_tbl, 2026 .name = KBUILD_MODNAME, 2027 .probe = iwl_mei_probe, 2028 .remove = iwl_mei_remove, 2029 }; 2030 2031 module_mei_cl_driver(iwl_mei_cl_driver); 2032