1 // SPDX-License-Identifier: GPL-2.0 OR BSD-3-Clause
2 /*
3  * Copyright (C) 2020-2021 Intel Corporation
4  */
5 #include <net/tso.h>
6 #include <linux/tcp.h>
7 
8 #include "iwl-debug.h"
9 #include "iwl-io.h"
10 #include "fw/api/tx.h"
11 #include "queue/tx.h"
12 #include "iwl-fh.h"
13 #include "iwl-scd.h"
14 #include <linux/dmapool.h>
15 
16 /*
17  * iwl_txq_update_byte_tbl - Set up entry in Tx byte-count array
18  */
19 static void iwl_pcie_gen2_update_byte_tbl(struct iwl_trans *trans,
20 					  struct iwl_txq *txq, u16 byte_cnt,
21 					  int num_tbs)
22 {
23 	int idx = iwl_txq_get_cmd_index(txq, txq->write_ptr);
24 	u8 filled_tfd_size, num_fetch_chunks;
25 	u16 len = byte_cnt;
26 	__le16 bc_ent;
27 
28 	if (WARN(idx >= txq->n_window, "%d >= %d\n", idx, txq->n_window))
29 		return;
30 
31 	filled_tfd_size = offsetof(struct iwl_tfh_tfd, tbs) +
32 			  num_tbs * sizeof(struct iwl_tfh_tb);
33 	/*
34 	 * filled_tfd_size contains the number of filled bytes in the TFD.
35 	 * Dividing it by 64 will give the number of chunks to fetch
36 	 * to SRAM- 0 for one chunk, 1 for 2 and so on.
37 	 * If, for example, TFD contains only 3 TBs then 32 bytes
38 	 * of the TFD are used, and only one chunk of 64 bytes should
39 	 * be fetched
40 	 */
41 	num_fetch_chunks = DIV_ROUND_UP(filled_tfd_size, 64) - 1;
42 
43 	if (trans->trans_cfg->device_family >= IWL_DEVICE_FAMILY_AX210) {
44 		struct iwl_gen3_bc_tbl *scd_bc_tbl_gen3 = txq->bc_tbl.addr;
45 
46 		/* Starting from AX210, the HW expects bytes */
47 		WARN_ON(trans->txqs.bc_table_dword);
48 		WARN_ON(len > 0x3FFF);
49 		bc_ent = cpu_to_le16(len | (num_fetch_chunks << 14));
50 		scd_bc_tbl_gen3->tfd_offset[idx] = bc_ent;
51 	} else {
52 		struct iwlagn_scd_bc_tbl *scd_bc_tbl = txq->bc_tbl.addr;
53 
54 		/* Before AX210, the HW expects DW */
55 		WARN_ON(!trans->txqs.bc_table_dword);
56 		len = DIV_ROUND_UP(len, 4);
57 		WARN_ON(len > 0xFFF);
58 		bc_ent = cpu_to_le16(len | (num_fetch_chunks << 12));
59 		scd_bc_tbl->tfd_offset[idx] = bc_ent;
60 	}
61 }
62 
63 /*
64  * iwl_txq_inc_wr_ptr - Send new write index to hardware
65  */
66 void iwl_txq_inc_wr_ptr(struct iwl_trans *trans, struct iwl_txq *txq)
67 {
68 	lockdep_assert_held(&txq->lock);
69 
70 	IWL_DEBUG_TX(trans, "Q:%d WR: 0x%x\n", txq->id, txq->write_ptr);
71 
72 	/*
73 	 * if not in power-save mode, uCode will never sleep when we're
74 	 * trying to tx (during RFKILL, we're not trying to tx).
75 	 */
76 	iwl_write32(trans, HBUS_TARG_WRPTR, txq->write_ptr | (txq->id << 16));
77 }
78 
79 static u8 iwl_txq_gen2_get_num_tbs(struct iwl_trans *trans,
80 				   struct iwl_tfh_tfd *tfd)
81 {
82 	return le16_to_cpu(tfd->num_tbs) & 0x1f;
83 }
84 
85 void iwl_txq_gen2_tfd_unmap(struct iwl_trans *trans, struct iwl_cmd_meta *meta,
86 			    struct iwl_tfh_tfd *tfd)
87 {
88 	int i, num_tbs;
89 
90 	/* Sanity check on number of chunks */
91 	num_tbs = iwl_txq_gen2_get_num_tbs(trans, tfd);
92 
93 	if (num_tbs > trans->txqs.tfd.max_tbs) {
94 		IWL_ERR(trans, "Too many chunks: %i\n", num_tbs);
95 		return;
96 	}
97 
98 	/* first TB is never freed - it's the bidirectional DMA data */
99 	for (i = 1; i < num_tbs; i++) {
100 		if (meta->tbs & BIT(i))
101 			dma_unmap_page(trans->dev,
102 				       le64_to_cpu(tfd->tbs[i].addr),
103 				       le16_to_cpu(tfd->tbs[i].tb_len),
104 				       DMA_TO_DEVICE);
105 		else
106 			dma_unmap_single(trans->dev,
107 					 le64_to_cpu(tfd->tbs[i].addr),
108 					 le16_to_cpu(tfd->tbs[i].tb_len),
109 					 DMA_TO_DEVICE);
110 	}
111 
112 	tfd->num_tbs = 0;
113 }
114 
115 void iwl_txq_gen2_free_tfd(struct iwl_trans *trans, struct iwl_txq *txq)
116 {
117 	/* rd_ptr is bounded by TFD_QUEUE_SIZE_MAX and
118 	 * idx is bounded by n_window
119 	 */
120 	int idx = iwl_txq_get_cmd_index(txq, txq->read_ptr);
121 	struct sk_buff *skb;
122 
123 	lockdep_assert_held(&txq->lock);
124 
125 	if (!txq->entries)
126 		return;
127 
128 	iwl_txq_gen2_tfd_unmap(trans, &txq->entries[idx].meta,
129 			       iwl_txq_get_tfd(trans, txq, idx));
130 
131 	skb = txq->entries[idx].skb;
132 
133 	/* Can be called from irqs-disabled context
134 	 * If skb is not NULL, it means that the whole queue is being
135 	 * freed and that the queue is not empty - free the skb
136 	 */
137 	if (skb) {
138 		iwl_op_mode_free_skb(trans->op_mode, skb);
139 		txq->entries[idx].skb = NULL;
140 	}
141 }
142 
143 int iwl_txq_gen2_set_tb(struct iwl_trans *trans, struct iwl_tfh_tfd *tfd,
144 			dma_addr_t addr, u16 len)
145 {
146 	int idx = iwl_txq_gen2_get_num_tbs(trans, tfd);
147 	struct iwl_tfh_tb *tb;
148 
149 	/*
150 	 * Only WARN here so we know about the issue, but we mess up our
151 	 * unmap path because not every place currently checks for errors
152 	 * returned from this function - it can only return an error if
153 	 * there's no more space, and so when we know there is enough we
154 	 * don't always check ...
155 	 */
156 	WARN(iwl_txq_crosses_4g_boundary(addr, len),
157 	     "possible DMA problem with iova:0x%llx, len:%d\n",
158 	     (unsigned long long)addr, len);
159 
160 	if (WARN_ON(idx >= IWL_TFH_NUM_TBS))
161 		return -EINVAL;
162 	tb = &tfd->tbs[idx];
163 
164 	/* Each TFD can point to a maximum max_tbs Tx buffers */
165 	if (le16_to_cpu(tfd->num_tbs) >= trans->txqs.tfd.max_tbs) {
166 		IWL_ERR(trans, "Error can not send more than %d chunks\n",
167 			trans->txqs.tfd.max_tbs);
168 		return -EINVAL;
169 	}
170 
171 	put_unaligned_le64(addr, &tb->addr);
172 	tb->tb_len = cpu_to_le16(len);
173 
174 	tfd->num_tbs = cpu_to_le16(idx + 1);
175 
176 	return idx;
177 }
178 
179 static struct page *get_workaround_page(struct iwl_trans *trans,
180 					struct sk_buff *skb)
181 {
182 	struct page **page_ptr;
183 	struct page *ret;
184 
185 	page_ptr = (void *)((u8 *)skb->cb + trans->txqs.page_offs);
186 
187 	ret = alloc_page(GFP_ATOMIC);
188 	if (!ret)
189 		return NULL;
190 
191 	/* set the chaining pointer to the previous page if there */
192 	*(void **)(page_address(ret) + PAGE_SIZE - sizeof(void *)) = *page_ptr;
193 	*page_ptr = ret;
194 
195 	return ret;
196 }
197 
198 /*
199  * Add a TB and if needed apply the FH HW bug workaround;
200  * meta != NULL indicates that it's a page mapping and we
201  * need to dma_unmap_page() and set the meta->tbs bit in
202  * this case.
203  */
204 static int iwl_txq_gen2_set_tb_with_wa(struct iwl_trans *trans,
205 				       struct sk_buff *skb,
206 				       struct iwl_tfh_tfd *tfd,
207 				       dma_addr_t phys, void *virt,
208 				       u16 len, struct iwl_cmd_meta *meta)
209 {
210 	dma_addr_t oldphys = phys;
211 	struct page *page;
212 	int ret;
213 
214 	if (unlikely(dma_mapping_error(trans->dev, phys)))
215 		return -ENOMEM;
216 
217 	if (likely(!iwl_txq_crosses_4g_boundary(phys, len))) {
218 		ret = iwl_txq_gen2_set_tb(trans, tfd, phys, len);
219 
220 		if (ret < 0)
221 			goto unmap;
222 
223 		if (meta)
224 			meta->tbs |= BIT(ret);
225 
226 		ret = 0;
227 		goto trace;
228 	}
229 
230 	/*
231 	 * Work around a hardware bug. If (as expressed in the
232 	 * condition above) the TB ends on a 32-bit boundary,
233 	 * then the next TB may be accessed with the wrong
234 	 * address.
235 	 * To work around it, copy the data elsewhere and make
236 	 * a new mapping for it so the device will not fail.
237 	 */
238 
239 	if (WARN_ON(len > PAGE_SIZE - sizeof(void *))) {
240 		ret = -ENOBUFS;
241 		goto unmap;
242 	}
243 
244 	page = get_workaround_page(trans, skb);
245 	if (!page) {
246 		ret = -ENOMEM;
247 		goto unmap;
248 	}
249 
250 	memcpy(page_address(page), virt, len);
251 
252 	phys = dma_map_single(trans->dev, page_address(page), len,
253 			      DMA_TO_DEVICE);
254 	if (unlikely(dma_mapping_error(trans->dev, phys)))
255 		return -ENOMEM;
256 	ret = iwl_txq_gen2_set_tb(trans, tfd, phys, len);
257 	if (ret < 0) {
258 		/* unmap the new allocation as single */
259 		oldphys = phys;
260 		meta = NULL;
261 		goto unmap;
262 	}
263 	IWL_WARN(trans,
264 		 "TB bug workaround: copied %d bytes from 0x%llx to 0x%llx\n",
265 		 len, (unsigned long long)oldphys, (unsigned long long)phys);
266 
267 	ret = 0;
268 unmap:
269 	if (meta)
270 		dma_unmap_page(trans->dev, oldphys, len, DMA_TO_DEVICE);
271 	else
272 		dma_unmap_single(trans->dev, oldphys, len, DMA_TO_DEVICE);
273 trace:
274 	trace_iwlwifi_dev_tx_tb(trans->dev, skb, virt, phys, len);
275 
276 	return ret;
277 }
278 
279 #ifdef CONFIG_INET
280 struct iwl_tso_hdr_page *get_page_hdr(struct iwl_trans *trans, size_t len,
281 				      struct sk_buff *skb)
282 {
283 	struct iwl_tso_hdr_page *p = this_cpu_ptr(trans->txqs.tso_hdr_page);
284 	struct page **page_ptr;
285 
286 	page_ptr = (void *)((u8 *)skb->cb + trans->txqs.page_offs);
287 
288 	if (WARN_ON(*page_ptr))
289 		return NULL;
290 
291 	if (!p->page)
292 		goto alloc;
293 
294 	/*
295 	 * Check if there's enough room on this page
296 	 *
297 	 * Note that we put a page chaining pointer *last* in the
298 	 * page - we need it somewhere, and if it's there then we
299 	 * avoid DMA mapping the last bits of the page which may
300 	 * trigger the 32-bit boundary hardware bug.
301 	 *
302 	 * (see also get_workaround_page() in tx-gen2.c)
303 	 */
304 	if (p->pos + len < (u8 *)page_address(p->page) + PAGE_SIZE -
305 			   sizeof(void *))
306 		goto out;
307 
308 	/* We don't have enough room on this page, get a new one. */
309 	__free_page(p->page);
310 
311 alloc:
312 	p->page = alloc_page(GFP_ATOMIC);
313 	if (!p->page)
314 		return NULL;
315 	p->pos = page_address(p->page);
316 	/* set the chaining pointer to NULL */
317 	*(void **)(page_address(p->page) + PAGE_SIZE - sizeof(void *)) = NULL;
318 out:
319 	*page_ptr = p->page;
320 	get_page(p->page);
321 	return p;
322 }
323 #endif
324 
325 static int iwl_txq_gen2_build_amsdu(struct iwl_trans *trans,
326 				    struct sk_buff *skb,
327 				    struct iwl_tfh_tfd *tfd, int start_len,
328 				    u8 hdr_len,
329 				    struct iwl_device_tx_cmd *dev_cmd)
330 {
331 #ifdef CONFIG_INET
332 	struct iwl_tx_cmd_gen2 *tx_cmd = (void *)dev_cmd->payload;
333 	struct ieee80211_hdr *hdr = (void *)skb->data;
334 	unsigned int snap_ip_tcp_hdrlen, ip_hdrlen, total_len, hdr_room;
335 	unsigned int mss = skb_shinfo(skb)->gso_size;
336 	u16 length, amsdu_pad;
337 	u8 *start_hdr;
338 	struct iwl_tso_hdr_page *hdr_page;
339 	struct tso_t tso;
340 
341 	trace_iwlwifi_dev_tx(trans->dev, skb, tfd, sizeof(*tfd),
342 			     &dev_cmd->hdr, start_len, 0);
343 
344 	ip_hdrlen = skb_transport_header(skb) - skb_network_header(skb);
345 	snap_ip_tcp_hdrlen = 8 + ip_hdrlen + tcp_hdrlen(skb);
346 	total_len = skb->len - snap_ip_tcp_hdrlen - hdr_len;
347 	amsdu_pad = 0;
348 
349 	/* total amount of header we may need for this A-MSDU */
350 	hdr_room = DIV_ROUND_UP(total_len, mss) *
351 		(3 + snap_ip_tcp_hdrlen + sizeof(struct ethhdr));
352 
353 	/* Our device supports 9 segments at most, it will fit in 1 page */
354 	hdr_page = get_page_hdr(trans, hdr_room, skb);
355 	if (!hdr_page)
356 		return -ENOMEM;
357 
358 	start_hdr = hdr_page->pos;
359 
360 	/*
361 	 * Pull the ieee80211 header to be able to use TSO core,
362 	 * we will restore it for the tx_status flow.
363 	 */
364 	skb_pull(skb, hdr_len);
365 
366 	/*
367 	 * Remove the length of all the headers that we don't actually
368 	 * have in the MPDU by themselves, but that we duplicate into
369 	 * all the different MSDUs inside the A-MSDU.
370 	 */
371 	le16_add_cpu(&tx_cmd->len, -snap_ip_tcp_hdrlen);
372 
373 	tso_start(skb, &tso);
374 
375 	while (total_len) {
376 		/* this is the data left for this subframe */
377 		unsigned int data_left = min_t(unsigned int, mss, total_len);
378 		unsigned int tb_len;
379 		dma_addr_t tb_phys;
380 		u8 *subf_hdrs_start = hdr_page->pos;
381 
382 		total_len -= data_left;
383 
384 		memset(hdr_page->pos, 0, amsdu_pad);
385 		hdr_page->pos += amsdu_pad;
386 		amsdu_pad = (4 - (sizeof(struct ethhdr) + snap_ip_tcp_hdrlen +
387 				  data_left)) & 0x3;
388 		ether_addr_copy(hdr_page->pos, ieee80211_get_DA(hdr));
389 		hdr_page->pos += ETH_ALEN;
390 		ether_addr_copy(hdr_page->pos, ieee80211_get_SA(hdr));
391 		hdr_page->pos += ETH_ALEN;
392 
393 		length = snap_ip_tcp_hdrlen + data_left;
394 		*((__be16 *)hdr_page->pos) = cpu_to_be16(length);
395 		hdr_page->pos += sizeof(length);
396 
397 		/*
398 		 * This will copy the SNAP as well which will be considered
399 		 * as MAC header.
400 		 */
401 		tso_build_hdr(skb, hdr_page->pos, &tso, data_left, !total_len);
402 
403 		hdr_page->pos += snap_ip_tcp_hdrlen;
404 
405 		tb_len = hdr_page->pos - start_hdr;
406 		tb_phys = dma_map_single(trans->dev, start_hdr,
407 					 tb_len, DMA_TO_DEVICE);
408 		if (unlikely(dma_mapping_error(trans->dev, tb_phys)))
409 			goto out_err;
410 		/*
411 		 * No need for _with_wa, this is from the TSO page and
412 		 * we leave some space at the end of it so can't hit
413 		 * the buggy scenario.
414 		 */
415 		iwl_txq_gen2_set_tb(trans, tfd, tb_phys, tb_len);
416 		trace_iwlwifi_dev_tx_tb(trans->dev, skb, start_hdr,
417 					tb_phys, tb_len);
418 		/* add this subframe's headers' length to the tx_cmd */
419 		le16_add_cpu(&tx_cmd->len, hdr_page->pos - subf_hdrs_start);
420 
421 		/* prepare the start_hdr for the next subframe */
422 		start_hdr = hdr_page->pos;
423 
424 		/* put the payload */
425 		while (data_left) {
426 			int ret;
427 
428 			tb_len = min_t(unsigned int, tso.size, data_left);
429 			tb_phys = dma_map_single(trans->dev, tso.data,
430 						 tb_len, DMA_TO_DEVICE);
431 			ret = iwl_txq_gen2_set_tb_with_wa(trans, skb, tfd,
432 							  tb_phys, tso.data,
433 							  tb_len, NULL);
434 			if (ret)
435 				goto out_err;
436 
437 			data_left -= tb_len;
438 			tso_build_data(skb, &tso, tb_len);
439 		}
440 	}
441 
442 	/* re -add the WiFi header */
443 	skb_push(skb, hdr_len);
444 
445 	return 0;
446 
447 out_err:
448 #endif
449 	return -EINVAL;
450 }
451 
452 static struct
453 iwl_tfh_tfd *iwl_txq_gen2_build_tx_amsdu(struct iwl_trans *trans,
454 					 struct iwl_txq *txq,
455 					 struct iwl_device_tx_cmd *dev_cmd,
456 					 struct sk_buff *skb,
457 					 struct iwl_cmd_meta *out_meta,
458 					 int hdr_len,
459 					 int tx_cmd_len)
460 {
461 	int idx = iwl_txq_get_cmd_index(txq, txq->write_ptr);
462 	struct iwl_tfh_tfd *tfd = iwl_txq_get_tfd(trans, txq, idx);
463 	dma_addr_t tb_phys;
464 	int len;
465 	void *tb1_addr;
466 
467 	tb_phys = iwl_txq_get_first_tb_dma(txq, idx);
468 
469 	/*
470 	 * No need for _with_wa, the first TB allocation is aligned up
471 	 * to a 64-byte boundary and thus can't be at the end or cross
472 	 * a page boundary (much less a 2^32 boundary).
473 	 */
474 	iwl_txq_gen2_set_tb(trans, tfd, tb_phys, IWL_FIRST_TB_SIZE);
475 
476 	/*
477 	 * The second TB (tb1) points to the remainder of the TX command
478 	 * and the 802.11 header - dword aligned size
479 	 * (This calculation modifies the TX command, so do it before the
480 	 * setup of the first TB)
481 	 */
482 	len = tx_cmd_len + sizeof(struct iwl_cmd_header) + hdr_len -
483 	      IWL_FIRST_TB_SIZE;
484 
485 	/* do not align A-MSDU to dword as the subframe header aligns it */
486 
487 	/* map the data for TB1 */
488 	tb1_addr = ((u8 *)&dev_cmd->hdr) + IWL_FIRST_TB_SIZE;
489 	tb_phys = dma_map_single(trans->dev, tb1_addr, len, DMA_TO_DEVICE);
490 	if (unlikely(dma_mapping_error(trans->dev, tb_phys)))
491 		goto out_err;
492 	/*
493 	 * No need for _with_wa(), we ensure (via alignment) that the data
494 	 * here can never cross or end at a page boundary.
495 	 */
496 	iwl_txq_gen2_set_tb(trans, tfd, tb_phys, len);
497 
498 	if (iwl_txq_gen2_build_amsdu(trans, skb, tfd, len + IWL_FIRST_TB_SIZE,
499 				     hdr_len, dev_cmd))
500 		goto out_err;
501 
502 	/* building the A-MSDU might have changed this data, memcpy it now */
503 	memcpy(&txq->first_tb_bufs[idx], dev_cmd, IWL_FIRST_TB_SIZE);
504 	return tfd;
505 
506 out_err:
507 	iwl_txq_gen2_tfd_unmap(trans, out_meta, tfd);
508 	return NULL;
509 }
510 
511 static int iwl_txq_gen2_tx_add_frags(struct iwl_trans *trans,
512 				     struct sk_buff *skb,
513 				     struct iwl_tfh_tfd *tfd,
514 				     struct iwl_cmd_meta *out_meta)
515 {
516 	int i;
517 
518 	for (i = 0; i < skb_shinfo(skb)->nr_frags; i++) {
519 		const skb_frag_t *frag = &skb_shinfo(skb)->frags[i];
520 		dma_addr_t tb_phys;
521 		unsigned int fragsz = skb_frag_size(frag);
522 		int ret;
523 
524 		if (!fragsz)
525 			continue;
526 
527 		tb_phys = skb_frag_dma_map(trans->dev, frag, 0,
528 					   fragsz, DMA_TO_DEVICE);
529 		ret = iwl_txq_gen2_set_tb_with_wa(trans, skb, tfd, tb_phys,
530 						  skb_frag_address(frag),
531 						  fragsz, out_meta);
532 		if (ret)
533 			return ret;
534 	}
535 
536 	return 0;
537 }
538 
539 static struct
540 iwl_tfh_tfd *iwl_txq_gen2_build_tx(struct iwl_trans *trans,
541 				   struct iwl_txq *txq,
542 				   struct iwl_device_tx_cmd *dev_cmd,
543 				   struct sk_buff *skb,
544 				   struct iwl_cmd_meta *out_meta,
545 				   int hdr_len,
546 				   int tx_cmd_len,
547 				   bool pad)
548 {
549 	int idx = iwl_txq_get_cmd_index(txq, txq->write_ptr);
550 	struct iwl_tfh_tfd *tfd = iwl_txq_get_tfd(trans, txq, idx);
551 	dma_addr_t tb_phys;
552 	int len, tb1_len, tb2_len;
553 	void *tb1_addr;
554 	struct sk_buff *frag;
555 
556 	tb_phys = iwl_txq_get_first_tb_dma(txq, idx);
557 
558 	/* The first TB points to bi-directional DMA data */
559 	memcpy(&txq->first_tb_bufs[idx], dev_cmd, IWL_FIRST_TB_SIZE);
560 
561 	/*
562 	 * No need for _with_wa, the first TB allocation is aligned up
563 	 * to a 64-byte boundary and thus can't be at the end or cross
564 	 * a page boundary (much less a 2^32 boundary).
565 	 */
566 	iwl_txq_gen2_set_tb(trans, tfd, tb_phys, IWL_FIRST_TB_SIZE);
567 
568 	/*
569 	 * The second TB (tb1) points to the remainder of the TX command
570 	 * and the 802.11 header - dword aligned size
571 	 * (This calculation modifies the TX command, so do it before the
572 	 * setup of the first TB)
573 	 */
574 	len = tx_cmd_len + sizeof(struct iwl_cmd_header) + hdr_len -
575 	      IWL_FIRST_TB_SIZE;
576 
577 	if (pad)
578 		tb1_len = ALIGN(len, 4);
579 	else
580 		tb1_len = len;
581 
582 	/* map the data for TB1 */
583 	tb1_addr = ((u8 *)&dev_cmd->hdr) + IWL_FIRST_TB_SIZE;
584 	tb_phys = dma_map_single(trans->dev, tb1_addr, tb1_len, DMA_TO_DEVICE);
585 	if (unlikely(dma_mapping_error(trans->dev, tb_phys)))
586 		goto out_err;
587 	/*
588 	 * No need for _with_wa(), we ensure (via alignment) that the data
589 	 * here can never cross or end at a page boundary.
590 	 */
591 	iwl_txq_gen2_set_tb(trans, tfd, tb_phys, tb1_len);
592 	trace_iwlwifi_dev_tx(trans->dev, skb, tfd, sizeof(*tfd), &dev_cmd->hdr,
593 			     IWL_FIRST_TB_SIZE + tb1_len, hdr_len);
594 
595 	/* set up TFD's third entry to point to remainder of skb's head */
596 	tb2_len = skb_headlen(skb) - hdr_len;
597 
598 	if (tb2_len > 0) {
599 		int ret;
600 
601 		tb_phys = dma_map_single(trans->dev, skb->data + hdr_len,
602 					 tb2_len, DMA_TO_DEVICE);
603 		ret = iwl_txq_gen2_set_tb_with_wa(trans, skb, tfd, tb_phys,
604 						  skb->data + hdr_len, tb2_len,
605 						  NULL);
606 		if (ret)
607 			goto out_err;
608 	}
609 
610 	if (iwl_txq_gen2_tx_add_frags(trans, skb, tfd, out_meta))
611 		goto out_err;
612 
613 	skb_walk_frags(skb, frag) {
614 		int ret;
615 
616 		tb_phys = dma_map_single(trans->dev, frag->data,
617 					 skb_headlen(frag), DMA_TO_DEVICE);
618 		ret = iwl_txq_gen2_set_tb_with_wa(trans, skb, tfd, tb_phys,
619 						  frag->data,
620 						  skb_headlen(frag), NULL);
621 		if (ret)
622 			goto out_err;
623 		if (iwl_txq_gen2_tx_add_frags(trans, frag, tfd, out_meta))
624 			goto out_err;
625 	}
626 
627 	return tfd;
628 
629 out_err:
630 	iwl_txq_gen2_tfd_unmap(trans, out_meta, tfd);
631 	return NULL;
632 }
633 
634 static
635 struct iwl_tfh_tfd *iwl_txq_gen2_build_tfd(struct iwl_trans *trans,
636 					   struct iwl_txq *txq,
637 					   struct iwl_device_tx_cmd *dev_cmd,
638 					   struct sk_buff *skb,
639 					   struct iwl_cmd_meta *out_meta)
640 {
641 	struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)skb->data;
642 	int idx = iwl_txq_get_cmd_index(txq, txq->write_ptr);
643 	struct iwl_tfh_tfd *tfd = iwl_txq_get_tfd(trans, txq, idx);
644 	int len, hdr_len;
645 	bool amsdu;
646 
647 	/* There must be data left over for TB1 or this code must be changed */
648 	BUILD_BUG_ON(sizeof(struct iwl_tx_cmd_gen2) < IWL_FIRST_TB_SIZE);
649 
650 	memset(tfd, 0, sizeof(*tfd));
651 
652 	if (trans->trans_cfg->device_family < IWL_DEVICE_FAMILY_AX210)
653 		len = sizeof(struct iwl_tx_cmd_gen2);
654 	else
655 		len = sizeof(struct iwl_tx_cmd_gen3);
656 
657 	amsdu = ieee80211_is_data_qos(hdr->frame_control) &&
658 			(*ieee80211_get_qos_ctl(hdr) &
659 			 IEEE80211_QOS_CTL_A_MSDU_PRESENT);
660 
661 	hdr_len = ieee80211_hdrlen(hdr->frame_control);
662 
663 	/*
664 	 * Only build A-MSDUs here if doing so by GSO, otherwise it may be
665 	 * an A-MSDU for other reasons, e.g. NAN or an A-MSDU having been
666 	 * built in the higher layers already.
667 	 */
668 	if (amsdu && skb_shinfo(skb)->gso_size)
669 		return iwl_txq_gen2_build_tx_amsdu(trans, txq, dev_cmd, skb,
670 						    out_meta, hdr_len, len);
671 	return iwl_txq_gen2_build_tx(trans, txq, dev_cmd, skb, out_meta,
672 				      hdr_len, len, !amsdu);
673 }
674 
675 int iwl_txq_space(struct iwl_trans *trans, const struct iwl_txq *q)
676 {
677 	unsigned int max;
678 	unsigned int used;
679 
680 	/*
681 	 * To avoid ambiguity between empty and completely full queues, there
682 	 * should always be less than max_tfd_queue_size elements in the queue.
683 	 * If q->n_window is smaller than max_tfd_queue_size, there is no need
684 	 * to reserve any queue entries for this purpose.
685 	 */
686 	if (q->n_window < trans->trans_cfg->base_params->max_tfd_queue_size)
687 		max = q->n_window;
688 	else
689 		max = trans->trans_cfg->base_params->max_tfd_queue_size - 1;
690 
691 	/*
692 	 * max_tfd_queue_size is a power of 2, so the following is equivalent to
693 	 * modulo by max_tfd_queue_size and is well defined.
694 	 */
695 	used = (q->write_ptr - q->read_ptr) &
696 		(trans->trans_cfg->base_params->max_tfd_queue_size - 1);
697 
698 	if (WARN_ON(used > max))
699 		return 0;
700 
701 	return max - used;
702 }
703 
704 int iwl_txq_gen2_tx(struct iwl_trans *trans, struct sk_buff *skb,
705 		    struct iwl_device_tx_cmd *dev_cmd, int txq_id)
706 {
707 	struct iwl_cmd_meta *out_meta;
708 	struct iwl_txq *txq = trans->txqs.txq[txq_id];
709 	u16 cmd_len;
710 	int idx;
711 	void *tfd;
712 
713 	if (WARN_ONCE(txq_id >= IWL_MAX_TVQM_QUEUES,
714 		      "queue %d out of range", txq_id))
715 		return -EINVAL;
716 
717 	if (WARN_ONCE(!test_bit(txq_id, trans->txqs.queue_used),
718 		      "TX on unused queue %d\n", txq_id))
719 		return -EINVAL;
720 
721 	if (skb_is_nonlinear(skb) &&
722 	    skb_shinfo(skb)->nr_frags > IWL_TRANS_MAX_FRAGS(trans) &&
723 	    __skb_linearize(skb))
724 		return -ENOMEM;
725 
726 	spin_lock(&txq->lock);
727 
728 	if (iwl_txq_space(trans, txq) < txq->high_mark) {
729 		iwl_txq_stop(trans, txq);
730 
731 		/* don't put the packet on the ring, if there is no room */
732 		if (unlikely(iwl_txq_space(trans, txq) < 3)) {
733 			struct iwl_device_tx_cmd **dev_cmd_ptr;
734 
735 			dev_cmd_ptr = (void *)((u8 *)skb->cb +
736 					       trans->txqs.dev_cmd_offs);
737 
738 			*dev_cmd_ptr = dev_cmd;
739 			__skb_queue_tail(&txq->overflow_q, skb);
740 			spin_unlock(&txq->lock);
741 			return 0;
742 		}
743 	}
744 
745 	idx = iwl_txq_get_cmd_index(txq, txq->write_ptr);
746 
747 	/* Set up driver data for this TFD */
748 	txq->entries[idx].skb = skb;
749 	txq->entries[idx].cmd = dev_cmd;
750 
751 	dev_cmd->hdr.sequence =
752 		cpu_to_le16((u16)(QUEUE_TO_SEQ(txq_id) |
753 			    INDEX_TO_SEQ(idx)));
754 
755 	/* Set up first empty entry in queue's array of Tx/cmd buffers */
756 	out_meta = &txq->entries[idx].meta;
757 	out_meta->flags = 0;
758 
759 	tfd = iwl_txq_gen2_build_tfd(trans, txq, dev_cmd, skb, out_meta);
760 	if (!tfd) {
761 		spin_unlock(&txq->lock);
762 		return -1;
763 	}
764 
765 	if (trans->trans_cfg->device_family >= IWL_DEVICE_FAMILY_AX210) {
766 		struct iwl_tx_cmd_gen3 *tx_cmd_gen3 =
767 			(void *)dev_cmd->payload;
768 
769 		cmd_len = le16_to_cpu(tx_cmd_gen3->len);
770 	} else {
771 		struct iwl_tx_cmd_gen2 *tx_cmd_gen2 =
772 			(void *)dev_cmd->payload;
773 
774 		cmd_len = le16_to_cpu(tx_cmd_gen2->len);
775 	}
776 
777 	/* Set up entry for this TFD in Tx byte-count array */
778 	iwl_pcie_gen2_update_byte_tbl(trans, txq, cmd_len,
779 				      iwl_txq_gen2_get_num_tbs(trans, tfd));
780 
781 	/* start timer if queue currently empty */
782 	if (txq->read_ptr == txq->write_ptr && txq->wd_timeout)
783 		mod_timer(&txq->stuck_timer, jiffies + txq->wd_timeout);
784 
785 	/* Tell device the write index *just past* this latest filled TFD */
786 	txq->write_ptr = iwl_txq_inc_wrap(trans, txq->write_ptr);
787 	iwl_txq_inc_wr_ptr(trans, txq);
788 	/*
789 	 * At this point the frame is "transmitted" successfully
790 	 * and we will get a TX status notification eventually.
791 	 */
792 	spin_unlock(&txq->lock);
793 	return 0;
794 }
795 
796 /*************** HOST COMMAND QUEUE FUNCTIONS   *****/
797 
798 /*
799  * iwl_txq_gen2_unmap -  Unmap any remaining DMA mappings and free skb's
800  */
801 void iwl_txq_gen2_unmap(struct iwl_trans *trans, int txq_id)
802 {
803 	struct iwl_txq *txq = trans->txqs.txq[txq_id];
804 
805 	spin_lock_bh(&txq->lock);
806 	while (txq->write_ptr != txq->read_ptr) {
807 		IWL_DEBUG_TX_REPLY(trans, "Q %d Free %d\n",
808 				   txq_id, txq->read_ptr);
809 
810 		if (txq_id != trans->txqs.cmd.q_id) {
811 			int idx = iwl_txq_get_cmd_index(txq, txq->read_ptr);
812 			struct sk_buff *skb = txq->entries[idx].skb;
813 
814 			if (!WARN_ON_ONCE(!skb))
815 				iwl_txq_free_tso_page(trans, skb);
816 		}
817 		iwl_txq_gen2_free_tfd(trans, txq);
818 		txq->read_ptr = iwl_txq_inc_wrap(trans, txq->read_ptr);
819 	}
820 
821 	while (!skb_queue_empty(&txq->overflow_q)) {
822 		struct sk_buff *skb = __skb_dequeue(&txq->overflow_q);
823 
824 		iwl_op_mode_free_skb(trans->op_mode, skb);
825 	}
826 
827 	spin_unlock_bh(&txq->lock);
828 
829 	/* just in case - this queue may have been stopped */
830 	iwl_wake_queue(trans, txq);
831 }
832 
833 static void iwl_txq_gen2_free_memory(struct iwl_trans *trans,
834 				     struct iwl_txq *txq)
835 {
836 	struct device *dev = trans->dev;
837 
838 	/* De-alloc circular buffer of TFDs */
839 	if (txq->tfds) {
840 		dma_free_coherent(dev,
841 				  trans->txqs.tfd.size * txq->n_window,
842 				  txq->tfds, txq->dma_addr);
843 		dma_free_coherent(dev,
844 				  sizeof(*txq->first_tb_bufs) * txq->n_window,
845 				  txq->first_tb_bufs, txq->first_tb_dma);
846 	}
847 
848 	kfree(txq->entries);
849 	if (txq->bc_tbl.addr)
850 		dma_pool_free(trans->txqs.bc_pool,
851 			      txq->bc_tbl.addr, txq->bc_tbl.dma);
852 	kfree(txq);
853 }
854 
855 /*
856  * iwl_pcie_txq_free - Deallocate DMA queue.
857  * @txq: Transmit queue to deallocate.
858  *
859  * Empty queue by removing and destroying all BD's.
860  * Free all buffers.
861  * 0-fill, but do not free "txq" descriptor structure.
862  */
863 static void iwl_txq_gen2_free(struct iwl_trans *trans, int txq_id)
864 {
865 	struct iwl_txq *txq;
866 	int i;
867 
868 	if (WARN_ONCE(txq_id >= IWL_MAX_TVQM_QUEUES,
869 		      "queue %d out of range", txq_id))
870 		return;
871 
872 	txq = trans->txqs.txq[txq_id];
873 
874 	if (WARN_ON(!txq))
875 		return;
876 
877 	iwl_txq_gen2_unmap(trans, txq_id);
878 
879 	/* De-alloc array of command/tx buffers */
880 	if (txq_id == trans->txqs.cmd.q_id)
881 		for (i = 0; i < txq->n_window; i++) {
882 			kfree_sensitive(txq->entries[i].cmd);
883 			kfree_sensitive(txq->entries[i].free_buf);
884 		}
885 	del_timer_sync(&txq->stuck_timer);
886 
887 	iwl_txq_gen2_free_memory(trans, txq);
888 
889 	trans->txqs.txq[txq_id] = NULL;
890 
891 	clear_bit(txq_id, trans->txqs.queue_used);
892 }
893 
894 /*
895  * iwl_queue_init - Initialize queue's high/low-water and read/write indexes
896  */
897 static int iwl_queue_init(struct iwl_txq *q, int slots_num)
898 {
899 	q->n_window = slots_num;
900 
901 	/* slots_num must be power-of-two size, otherwise
902 	 * iwl_txq_get_cmd_index is broken. */
903 	if (WARN_ON(!is_power_of_2(slots_num)))
904 		return -EINVAL;
905 
906 	q->low_mark = q->n_window / 4;
907 	if (q->low_mark < 4)
908 		q->low_mark = 4;
909 
910 	q->high_mark = q->n_window / 8;
911 	if (q->high_mark < 2)
912 		q->high_mark = 2;
913 
914 	q->write_ptr = 0;
915 	q->read_ptr = 0;
916 
917 	return 0;
918 }
919 
920 int iwl_txq_init(struct iwl_trans *trans, struct iwl_txq *txq, int slots_num,
921 		 bool cmd_queue)
922 {
923 	int ret;
924 	u32 tfd_queue_max_size =
925 		trans->trans_cfg->base_params->max_tfd_queue_size;
926 
927 	txq->need_update = false;
928 
929 	/* max_tfd_queue_size must be power-of-two size, otherwise
930 	 * iwl_txq_inc_wrap and iwl_txq_dec_wrap are broken. */
931 	if (WARN_ONCE(tfd_queue_max_size & (tfd_queue_max_size - 1),
932 		      "Max tfd queue size must be a power of two, but is %d",
933 		      tfd_queue_max_size))
934 		return -EINVAL;
935 
936 	/* Initialize queue's high/low-water marks, and head/tail indexes */
937 	ret = iwl_queue_init(txq, slots_num);
938 	if (ret)
939 		return ret;
940 
941 	spin_lock_init(&txq->lock);
942 
943 	if (cmd_queue) {
944 		static struct lock_class_key iwl_txq_cmd_queue_lock_class;
945 
946 		lockdep_set_class(&txq->lock, &iwl_txq_cmd_queue_lock_class);
947 	}
948 
949 	__skb_queue_head_init(&txq->overflow_q);
950 
951 	return 0;
952 }
953 
954 void iwl_txq_free_tso_page(struct iwl_trans *trans, struct sk_buff *skb)
955 {
956 	struct page **page_ptr;
957 	struct page *next;
958 
959 	page_ptr = (void *)((u8 *)skb->cb + trans->txqs.page_offs);
960 	next = *page_ptr;
961 	*page_ptr = NULL;
962 
963 	while (next) {
964 		struct page *tmp = next;
965 
966 		next = *(void **)(page_address(next) + PAGE_SIZE -
967 				  sizeof(void *));
968 		__free_page(tmp);
969 	}
970 }
971 
972 void iwl_txq_log_scd_error(struct iwl_trans *trans, struct iwl_txq *txq)
973 {
974 	u32 txq_id = txq->id;
975 	u32 status;
976 	bool active;
977 	u8 fifo;
978 
979 	if (trans->trans_cfg->use_tfh) {
980 		IWL_ERR(trans, "Queue %d is stuck %d %d\n", txq_id,
981 			txq->read_ptr, txq->write_ptr);
982 		/* TODO: access new SCD registers and dump them */
983 		return;
984 	}
985 
986 	status = iwl_read_prph(trans, SCD_QUEUE_STATUS_BITS(txq_id));
987 	fifo = (status >> SCD_QUEUE_STTS_REG_POS_TXF) & 0x7;
988 	active = !!(status & BIT(SCD_QUEUE_STTS_REG_POS_ACTIVE));
989 
990 	IWL_ERR(trans,
991 		"Queue %d is %sactive on fifo %d and stuck for %u ms. SW [%d, %d] HW [%d, %d] FH TRB=0x0%x\n",
992 		txq_id, active ? "" : "in", fifo,
993 		jiffies_to_msecs(txq->wd_timeout),
994 		txq->read_ptr, txq->write_ptr,
995 		iwl_read_prph(trans, SCD_QUEUE_RDPTR(txq_id)) &
996 			(trans->trans_cfg->base_params->max_tfd_queue_size - 1),
997 			iwl_read_prph(trans, SCD_QUEUE_WRPTR(txq_id)) &
998 			(trans->trans_cfg->base_params->max_tfd_queue_size - 1),
999 			iwl_read_direct32(trans, FH_TX_TRB_REG(fifo)));
1000 }
1001 
1002 static void iwl_txq_stuck_timer(struct timer_list *t)
1003 {
1004 	struct iwl_txq *txq = from_timer(txq, t, stuck_timer);
1005 	struct iwl_trans *trans = txq->trans;
1006 
1007 	spin_lock(&txq->lock);
1008 	/* check if triggered erroneously */
1009 	if (txq->read_ptr == txq->write_ptr) {
1010 		spin_unlock(&txq->lock);
1011 		return;
1012 	}
1013 	spin_unlock(&txq->lock);
1014 
1015 	iwl_txq_log_scd_error(trans, txq);
1016 
1017 	iwl_force_nmi(trans);
1018 }
1019 
1020 int iwl_txq_alloc(struct iwl_trans *trans, struct iwl_txq *txq, int slots_num,
1021 		  bool cmd_queue)
1022 {
1023 	size_t tfd_sz = trans->txqs.tfd.size *
1024 		trans->trans_cfg->base_params->max_tfd_queue_size;
1025 	size_t tb0_buf_sz;
1026 	int i;
1027 
1028 	if (WARN_ON(txq->entries || txq->tfds))
1029 		return -EINVAL;
1030 
1031 	if (trans->trans_cfg->use_tfh)
1032 		tfd_sz = trans->txqs.tfd.size * slots_num;
1033 
1034 	timer_setup(&txq->stuck_timer, iwl_txq_stuck_timer, 0);
1035 	txq->trans = trans;
1036 
1037 	txq->n_window = slots_num;
1038 
1039 	txq->entries = kcalloc(slots_num,
1040 			       sizeof(struct iwl_pcie_txq_entry),
1041 			       GFP_KERNEL);
1042 
1043 	if (!txq->entries)
1044 		goto error;
1045 
1046 	if (cmd_queue)
1047 		for (i = 0; i < slots_num; i++) {
1048 			txq->entries[i].cmd =
1049 				kmalloc(sizeof(struct iwl_device_cmd),
1050 					GFP_KERNEL);
1051 			if (!txq->entries[i].cmd)
1052 				goto error;
1053 		}
1054 
1055 	/* Circular buffer of transmit frame descriptors (TFDs),
1056 	 * shared with device */
1057 	txq->tfds = dma_alloc_coherent(trans->dev, tfd_sz,
1058 				       &txq->dma_addr, GFP_KERNEL);
1059 	if (!txq->tfds)
1060 		goto error;
1061 
1062 	BUILD_BUG_ON(sizeof(*txq->first_tb_bufs) != IWL_FIRST_TB_SIZE_ALIGN);
1063 
1064 	tb0_buf_sz = sizeof(*txq->first_tb_bufs) * slots_num;
1065 
1066 	txq->first_tb_bufs = dma_alloc_coherent(trans->dev, tb0_buf_sz,
1067 						&txq->first_tb_dma,
1068 						GFP_KERNEL);
1069 	if (!txq->first_tb_bufs)
1070 		goto err_free_tfds;
1071 
1072 	return 0;
1073 err_free_tfds:
1074 	dma_free_coherent(trans->dev, tfd_sz, txq->tfds, txq->dma_addr);
1075 	txq->tfds = NULL;
1076 error:
1077 	if (txq->entries && cmd_queue)
1078 		for (i = 0; i < slots_num; i++)
1079 			kfree(txq->entries[i].cmd);
1080 	kfree(txq->entries);
1081 	txq->entries = NULL;
1082 
1083 	return -ENOMEM;
1084 }
1085 
1086 static int iwl_txq_dyn_alloc_dma(struct iwl_trans *trans,
1087 				 struct iwl_txq **intxq, int size,
1088 				 unsigned int timeout)
1089 {
1090 	size_t bc_tbl_size, bc_tbl_entries;
1091 	struct iwl_txq *txq;
1092 	int ret;
1093 
1094 	WARN_ON(!trans->txqs.bc_tbl_size);
1095 
1096 	bc_tbl_size = trans->txqs.bc_tbl_size;
1097 	bc_tbl_entries = bc_tbl_size / sizeof(u16);
1098 
1099 	if (WARN_ON(size > bc_tbl_entries))
1100 		return -EINVAL;
1101 
1102 	txq = kzalloc(sizeof(*txq), GFP_KERNEL);
1103 	if (!txq)
1104 		return -ENOMEM;
1105 
1106 	txq->bc_tbl.addr = dma_pool_alloc(trans->txqs.bc_pool, GFP_KERNEL,
1107 					  &txq->bc_tbl.dma);
1108 	if (!txq->bc_tbl.addr) {
1109 		IWL_ERR(trans, "Scheduler BC Table allocation failed\n");
1110 		kfree(txq);
1111 		return -ENOMEM;
1112 	}
1113 
1114 	ret = iwl_txq_alloc(trans, txq, size, false);
1115 	if (ret) {
1116 		IWL_ERR(trans, "Tx queue alloc failed\n");
1117 		goto error;
1118 	}
1119 	ret = iwl_txq_init(trans, txq, size, false);
1120 	if (ret) {
1121 		IWL_ERR(trans, "Tx queue init failed\n");
1122 		goto error;
1123 	}
1124 
1125 	txq->wd_timeout = msecs_to_jiffies(timeout);
1126 
1127 	*intxq = txq;
1128 	return 0;
1129 
1130 error:
1131 	iwl_txq_gen2_free_memory(trans, txq);
1132 	return ret;
1133 }
1134 
1135 static int iwl_txq_alloc_response(struct iwl_trans *trans, struct iwl_txq *txq,
1136 				  struct iwl_host_cmd *hcmd)
1137 {
1138 	struct iwl_tx_queue_cfg_rsp *rsp;
1139 	int ret, qid;
1140 	u32 wr_ptr;
1141 
1142 	if (WARN_ON(iwl_rx_packet_payload_len(hcmd->resp_pkt) !=
1143 		    sizeof(*rsp))) {
1144 		ret = -EINVAL;
1145 		goto error_free_resp;
1146 	}
1147 
1148 	rsp = (void *)hcmd->resp_pkt->data;
1149 	qid = le16_to_cpu(rsp->queue_number);
1150 	wr_ptr = le16_to_cpu(rsp->write_pointer);
1151 
1152 	if (qid >= ARRAY_SIZE(trans->txqs.txq)) {
1153 		WARN_ONCE(1, "queue index %d unsupported", qid);
1154 		ret = -EIO;
1155 		goto error_free_resp;
1156 	}
1157 
1158 	if (test_and_set_bit(qid, trans->txqs.queue_used)) {
1159 		WARN_ONCE(1, "queue %d already used", qid);
1160 		ret = -EIO;
1161 		goto error_free_resp;
1162 	}
1163 
1164 	if (WARN_ONCE(trans->txqs.txq[qid],
1165 		      "queue %d already allocated\n", qid)) {
1166 		ret = -EIO;
1167 		goto error_free_resp;
1168 	}
1169 
1170 	txq->id = qid;
1171 	trans->txqs.txq[qid] = txq;
1172 	wr_ptr &= (trans->trans_cfg->base_params->max_tfd_queue_size - 1);
1173 
1174 	/* Place first TFD at index corresponding to start sequence number */
1175 	txq->read_ptr = wr_ptr;
1176 	txq->write_ptr = wr_ptr;
1177 
1178 	IWL_DEBUG_TX_QUEUES(trans, "Activate queue %d\n", qid);
1179 
1180 	iwl_free_resp(hcmd);
1181 	return qid;
1182 
1183 error_free_resp:
1184 	iwl_free_resp(hcmd);
1185 	iwl_txq_gen2_free_memory(trans, txq);
1186 	return ret;
1187 }
1188 
1189 int iwl_txq_dyn_alloc(struct iwl_trans *trans, __le16 flags, u8 sta_id, u8 tid,
1190 		      int cmd_id, int size, unsigned int timeout)
1191 {
1192 	struct iwl_txq *txq = NULL;
1193 	struct iwl_tx_queue_cfg_cmd cmd = {
1194 		.flags = flags,
1195 		.sta_id = sta_id,
1196 		.tid = tid,
1197 	};
1198 	struct iwl_host_cmd hcmd = {
1199 		.id = cmd_id,
1200 		.len = { sizeof(cmd) },
1201 		.data = { &cmd, },
1202 		.flags = CMD_WANT_SKB,
1203 	};
1204 	int ret;
1205 
1206 	ret = iwl_txq_dyn_alloc_dma(trans, &txq, size, timeout);
1207 	if (ret)
1208 		return ret;
1209 
1210 	cmd.tfdq_addr = cpu_to_le64(txq->dma_addr);
1211 	cmd.byte_cnt_addr = cpu_to_le64(txq->bc_tbl.dma);
1212 	cmd.cb_size = cpu_to_le32(TFD_QUEUE_CB_SIZE(size));
1213 
1214 	ret = iwl_trans_send_cmd(trans, &hcmd);
1215 	if (ret)
1216 		goto error;
1217 
1218 	return iwl_txq_alloc_response(trans, txq, &hcmd);
1219 
1220 error:
1221 	iwl_txq_gen2_free_memory(trans, txq);
1222 	return ret;
1223 }
1224 
1225 void iwl_txq_dyn_free(struct iwl_trans *trans, int queue)
1226 {
1227 	if (WARN(queue >= IWL_MAX_TVQM_QUEUES,
1228 		 "queue %d out of range", queue))
1229 		return;
1230 
1231 	/*
1232 	 * Upon HW Rfkill - we stop the device, and then stop the queues
1233 	 * in the op_mode. Just for the sake of the simplicity of the op_mode,
1234 	 * allow the op_mode to call txq_disable after it already called
1235 	 * stop_device.
1236 	 */
1237 	if (!test_and_clear_bit(queue, trans->txqs.queue_used)) {
1238 		WARN_ONCE(test_bit(STATUS_DEVICE_ENABLED, &trans->status),
1239 			  "queue %d not used", queue);
1240 		return;
1241 	}
1242 
1243 	iwl_txq_gen2_free(trans, queue);
1244 
1245 	IWL_DEBUG_TX_QUEUES(trans, "Deactivate queue %d\n", queue);
1246 }
1247 
1248 void iwl_txq_gen2_tx_free(struct iwl_trans *trans)
1249 {
1250 	int i;
1251 
1252 	memset(trans->txqs.queue_used, 0, sizeof(trans->txqs.queue_used));
1253 
1254 	/* Free all TX queues */
1255 	for (i = 0; i < ARRAY_SIZE(trans->txqs.txq); i++) {
1256 		if (!trans->txqs.txq[i])
1257 			continue;
1258 
1259 		iwl_txq_gen2_free(trans, i);
1260 	}
1261 }
1262 
1263 int iwl_txq_gen2_init(struct iwl_trans *trans, int txq_id, int queue_size)
1264 {
1265 	struct iwl_txq *queue;
1266 	int ret;
1267 
1268 	/* alloc and init the tx queue */
1269 	if (!trans->txqs.txq[txq_id]) {
1270 		queue = kzalloc(sizeof(*queue), GFP_KERNEL);
1271 		if (!queue) {
1272 			IWL_ERR(trans, "Not enough memory for tx queue\n");
1273 			return -ENOMEM;
1274 		}
1275 		trans->txqs.txq[txq_id] = queue;
1276 		ret = iwl_txq_alloc(trans, queue, queue_size, true);
1277 		if (ret) {
1278 			IWL_ERR(trans, "Tx %d queue init failed\n", txq_id);
1279 			goto error;
1280 		}
1281 	} else {
1282 		queue = trans->txqs.txq[txq_id];
1283 	}
1284 
1285 	ret = iwl_txq_init(trans, queue, queue_size,
1286 			   (txq_id == trans->txqs.cmd.q_id));
1287 	if (ret) {
1288 		IWL_ERR(trans, "Tx %d queue alloc failed\n", txq_id);
1289 		goto error;
1290 	}
1291 	trans->txqs.txq[txq_id]->id = txq_id;
1292 	set_bit(txq_id, trans->txqs.queue_used);
1293 
1294 	return 0;
1295 
1296 error:
1297 	iwl_txq_gen2_tx_free(trans);
1298 	return ret;
1299 }
1300 
1301 static inline dma_addr_t iwl_txq_gen1_tfd_tb_get_addr(struct iwl_trans *trans,
1302 						      void *_tfd, u8 idx)
1303 {
1304 	struct iwl_tfd *tfd;
1305 	struct iwl_tfd_tb *tb;
1306 	dma_addr_t addr;
1307 	dma_addr_t hi_len;
1308 
1309 	if (trans->trans_cfg->use_tfh) {
1310 		struct iwl_tfh_tfd *tfd = _tfd;
1311 		struct iwl_tfh_tb *tb = &tfd->tbs[idx];
1312 
1313 		return (dma_addr_t)(le64_to_cpu(tb->addr));
1314 	}
1315 
1316 	tfd = _tfd;
1317 	tb = &tfd->tbs[idx];
1318 	addr = get_unaligned_le32(&tb->lo);
1319 
1320 	if (sizeof(dma_addr_t) <= sizeof(u32))
1321 		return addr;
1322 
1323 	hi_len = le16_to_cpu(tb->hi_n_len) & 0xF;
1324 
1325 	/*
1326 	 * shift by 16 twice to avoid warnings on 32-bit
1327 	 * (where this code never runs anyway due to the
1328 	 * if statement above)
1329 	 */
1330 	return addr | ((hi_len << 16) << 16);
1331 }
1332 
1333 void iwl_txq_gen1_tfd_unmap(struct iwl_trans *trans,
1334 			    struct iwl_cmd_meta *meta,
1335 			    struct iwl_txq *txq, int index)
1336 {
1337 	int i, num_tbs;
1338 	void *tfd = iwl_txq_get_tfd(trans, txq, index);
1339 
1340 	/* Sanity check on number of chunks */
1341 	num_tbs = iwl_txq_gen1_tfd_get_num_tbs(trans, tfd);
1342 
1343 	if (num_tbs > trans->txqs.tfd.max_tbs) {
1344 		IWL_ERR(trans, "Too many chunks: %i\n", num_tbs);
1345 		/* @todo issue fatal error, it is quite serious situation */
1346 		return;
1347 	}
1348 
1349 	/* first TB is never freed - it's the bidirectional DMA data */
1350 
1351 	for (i = 1; i < num_tbs; i++) {
1352 		if (meta->tbs & BIT(i))
1353 			dma_unmap_page(trans->dev,
1354 				       iwl_txq_gen1_tfd_tb_get_addr(trans,
1355 								    tfd, i),
1356 				       iwl_txq_gen1_tfd_tb_get_len(trans,
1357 								   tfd, i),
1358 				       DMA_TO_DEVICE);
1359 		else
1360 			dma_unmap_single(trans->dev,
1361 					 iwl_txq_gen1_tfd_tb_get_addr(trans,
1362 								      tfd, i),
1363 					 iwl_txq_gen1_tfd_tb_get_len(trans,
1364 								     tfd, i),
1365 					 DMA_TO_DEVICE);
1366 	}
1367 
1368 	meta->tbs = 0;
1369 
1370 	if (trans->trans_cfg->use_tfh) {
1371 		struct iwl_tfh_tfd *tfd_fh = (void *)tfd;
1372 
1373 		tfd_fh->num_tbs = 0;
1374 	} else {
1375 		struct iwl_tfd *tfd_fh = (void *)tfd;
1376 
1377 		tfd_fh->num_tbs = 0;
1378 	}
1379 }
1380 
1381 #define IWL_TX_CRC_SIZE 4
1382 #define IWL_TX_DELIMITER_SIZE 4
1383 
1384 /*
1385  * iwl_txq_gen1_update_byte_cnt_tbl - Set up entry in Tx byte-count array
1386  */
1387 void iwl_txq_gen1_update_byte_cnt_tbl(struct iwl_trans *trans,
1388 				      struct iwl_txq *txq, u16 byte_cnt,
1389 				      int num_tbs)
1390 {
1391 	struct iwlagn_scd_bc_tbl *scd_bc_tbl;
1392 	int write_ptr = txq->write_ptr;
1393 	int txq_id = txq->id;
1394 	u8 sec_ctl = 0;
1395 	u16 len = byte_cnt + IWL_TX_CRC_SIZE + IWL_TX_DELIMITER_SIZE;
1396 	__le16 bc_ent;
1397 	struct iwl_device_tx_cmd *dev_cmd = txq->entries[txq->write_ptr].cmd;
1398 	struct iwl_tx_cmd *tx_cmd = (void *)dev_cmd->payload;
1399 	u8 sta_id = tx_cmd->sta_id;
1400 
1401 	scd_bc_tbl = trans->txqs.scd_bc_tbls.addr;
1402 
1403 	sec_ctl = tx_cmd->sec_ctl;
1404 
1405 	switch (sec_ctl & TX_CMD_SEC_MSK) {
1406 	case TX_CMD_SEC_CCM:
1407 		len += IEEE80211_CCMP_MIC_LEN;
1408 		break;
1409 	case TX_CMD_SEC_TKIP:
1410 		len += IEEE80211_TKIP_ICV_LEN;
1411 		break;
1412 	case TX_CMD_SEC_WEP:
1413 		len += IEEE80211_WEP_IV_LEN + IEEE80211_WEP_ICV_LEN;
1414 		break;
1415 	}
1416 	if (trans->txqs.bc_table_dword)
1417 		len = DIV_ROUND_UP(len, 4);
1418 
1419 	if (WARN_ON(len > 0xFFF || write_ptr >= TFD_QUEUE_SIZE_MAX))
1420 		return;
1421 
1422 	bc_ent = cpu_to_le16(len | (sta_id << 12));
1423 
1424 	scd_bc_tbl[txq_id].tfd_offset[write_ptr] = bc_ent;
1425 
1426 	if (write_ptr < TFD_QUEUE_SIZE_BC_DUP)
1427 		scd_bc_tbl[txq_id].tfd_offset[TFD_QUEUE_SIZE_MAX + write_ptr] =
1428 			bc_ent;
1429 }
1430 
1431 void iwl_txq_gen1_inval_byte_cnt_tbl(struct iwl_trans *trans,
1432 				     struct iwl_txq *txq)
1433 {
1434 	struct iwlagn_scd_bc_tbl *scd_bc_tbl = trans->txqs.scd_bc_tbls.addr;
1435 	int txq_id = txq->id;
1436 	int read_ptr = txq->read_ptr;
1437 	u8 sta_id = 0;
1438 	__le16 bc_ent;
1439 	struct iwl_device_tx_cmd *dev_cmd = txq->entries[read_ptr].cmd;
1440 	struct iwl_tx_cmd *tx_cmd = (void *)dev_cmd->payload;
1441 
1442 	WARN_ON(read_ptr >= TFD_QUEUE_SIZE_MAX);
1443 
1444 	if (txq_id != trans->txqs.cmd.q_id)
1445 		sta_id = tx_cmd->sta_id;
1446 
1447 	bc_ent = cpu_to_le16(1 | (sta_id << 12));
1448 
1449 	scd_bc_tbl[txq_id].tfd_offset[read_ptr] = bc_ent;
1450 
1451 	if (read_ptr < TFD_QUEUE_SIZE_BC_DUP)
1452 		scd_bc_tbl[txq_id].tfd_offset[TFD_QUEUE_SIZE_MAX + read_ptr] =
1453 			bc_ent;
1454 }
1455 
1456 /*
1457  * iwl_txq_free_tfd - Free all chunks referenced by TFD [txq->q.read_ptr]
1458  * @trans - transport private data
1459  * @txq - tx queue
1460  * @dma_dir - the direction of the DMA mapping
1461  *
1462  * Does NOT advance any TFD circular buffer read/write indexes
1463  * Does NOT free the TFD itself (which is within circular buffer)
1464  */
1465 void iwl_txq_free_tfd(struct iwl_trans *trans, struct iwl_txq *txq)
1466 {
1467 	/* rd_ptr is bounded by TFD_QUEUE_SIZE_MAX and
1468 	 * idx is bounded by n_window
1469 	 */
1470 	int rd_ptr = txq->read_ptr;
1471 	int idx = iwl_txq_get_cmd_index(txq, rd_ptr);
1472 	struct sk_buff *skb;
1473 
1474 	lockdep_assert_held(&txq->lock);
1475 
1476 	if (!txq->entries)
1477 		return;
1478 
1479 	/* We have only q->n_window txq->entries, but we use
1480 	 * TFD_QUEUE_SIZE_MAX tfds
1481 	 */
1482 	iwl_txq_gen1_tfd_unmap(trans, &txq->entries[idx].meta, txq, rd_ptr);
1483 
1484 	/* free SKB */
1485 	skb = txq->entries[idx].skb;
1486 
1487 	/* Can be called from irqs-disabled context
1488 	 * If skb is not NULL, it means that the whole queue is being
1489 	 * freed and that the queue is not empty - free the skb
1490 	 */
1491 	if (skb) {
1492 		iwl_op_mode_free_skb(trans->op_mode, skb);
1493 		txq->entries[idx].skb = NULL;
1494 	}
1495 }
1496 
1497 void iwl_txq_progress(struct iwl_txq *txq)
1498 {
1499 	lockdep_assert_held(&txq->lock);
1500 
1501 	if (!txq->wd_timeout)
1502 		return;
1503 
1504 	/*
1505 	 * station is asleep and we send data - that must
1506 	 * be uAPSD or PS-Poll. Don't rearm the timer.
1507 	 */
1508 	if (txq->frozen)
1509 		return;
1510 
1511 	/*
1512 	 * if empty delete timer, otherwise move timer forward
1513 	 * since we're making progress on this queue
1514 	 */
1515 	if (txq->read_ptr == txq->write_ptr)
1516 		del_timer(&txq->stuck_timer);
1517 	else
1518 		mod_timer(&txq->stuck_timer, jiffies + txq->wd_timeout);
1519 }
1520 
1521 /* Frees buffers until index _not_ inclusive */
1522 void iwl_txq_reclaim(struct iwl_trans *trans, int txq_id, int ssn,
1523 		     struct sk_buff_head *skbs)
1524 {
1525 	struct iwl_txq *txq = trans->txqs.txq[txq_id];
1526 	int tfd_num = iwl_txq_get_cmd_index(txq, ssn);
1527 	int read_ptr = iwl_txq_get_cmd_index(txq, txq->read_ptr);
1528 	int last_to_free;
1529 
1530 	/* This function is not meant to release cmd queue*/
1531 	if (WARN_ON(txq_id == trans->txqs.cmd.q_id))
1532 		return;
1533 
1534 	spin_lock_bh(&txq->lock);
1535 
1536 	if (!test_bit(txq_id, trans->txqs.queue_used)) {
1537 		IWL_DEBUG_TX_QUEUES(trans, "Q %d inactive - ignoring idx %d\n",
1538 				    txq_id, ssn);
1539 		goto out;
1540 	}
1541 
1542 	if (read_ptr == tfd_num)
1543 		goto out;
1544 
1545 	IWL_DEBUG_TX_REPLY(trans, "[Q %d] %d -> %d (%d)\n",
1546 			   txq_id, txq->read_ptr, tfd_num, ssn);
1547 
1548 	/*Since we free until index _not_ inclusive, the one before index is
1549 	 * the last we will free. This one must be used */
1550 	last_to_free = iwl_txq_dec_wrap(trans, tfd_num);
1551 
1552 	if (!iwl_txq_used(txq, last_to_free)) {
1553 		IWL_ERR(trans,
1554 			"%s: Read index for txq id (%d), last_to_free %d is out of range [0-%d] %d %d.\n",
1555 			__func__, txq_id, last_to_free,
1556 			trans->trans_cfg->base_params->max_tfd_queue_size,
1557 			txq->write_ptr, txq->read_ptr);
1558 
1559 		iwl_op_mode_time_point(trans->op_mode,
1560 				       IWL_FW_INI_TIME_POINT_FAKE_TX,
1561 				       NULL);
1562 		goto out;
1563 	}
1564 
1565 	if (WARN_ON(!skb_queue_empty(skbs)))
1566 		goto out;
1567 
1568 	for (;
1569 	     read_ptr != tfd_num;
1570 	     txq->read_ptr = iwl_txq_inc_wrap(trans, txq->read_ptr),
1571 	     read_ptr = iwl_txq_get_cmd_index(txq, txq->read_ptr)) {
1572 		struct sk_buff *skb = txq->entries[read_ptr].skb;
1573 
1574 		if (WARN_ON_ONCE(!skb))
1575 			continue;
1576 
1577 		iwl_txq_free_tso_page(trans, skb);
1578 
1579 		__skb_queue_tail(skbs, skb);
1580 
1581 		txq->entries[read_ptr].skb = NULL;
1582 
1583 		if (!trans->trans_cfg->use_tfh)
1584 			iwl_txq_gen1_inval_byte_cnt_tbl(trans, txq);
1585 
1586 		iwl_txq_free_tfd(trans, txq);
1587 	}
1588 
1589 	iwl_txq_progress(txq);
1590 
1591 	if (iwl_txq_space(trans, txq) > txq->low_mark &&
1592 	    test_bit(txq_id, trans->txqs.queue_stopped)) {
1593 		struct sk_buff_head overflow_skbs;
1594 
1595 		__skb_queue_head_init(&overflow_skbs);
1596 		skb_queue_splice_init(&txq->overflow_q, &overflow_skbs);
1597 
1598 		/*
1599 		 * We are going to transmit from the overflow queue.
1600 		 * Remember this state so that wait_for_txq_empty will know we
1601 		 * are adding more packets to the TFD queue. It cannot rely on
1602 		 * the state of &txq->overflow_q, as we just emptied it, but
1603 		 * haven't TXed the content yet.
1604 		 */
1605 		txq->overflow_tx = true;
1606 
1607 		/*
1608 		 * This is tricky: we are in reclaim path which is non
1609 		 * re-entrant, so noone will try to take the access the
1610 		 * txq data from that path. We stopped tx, so we can't
1611 		 * have tx as well. Bottom line, we can unlock and re-lock
1612 		 * later.
1613 		 */
1614 		spin_unlock_bh(&txq->lock);
1615 
1616 		while (!skb_queue_empty(&overflow_skbs)) {
1617 			struct sk_buff *skb = __skb_dequeue(&overflow_skbs);
1618 			struct iwl_device_tx_cmd *dev_cmd_ptr;
1619 
1620 			dev_cmd_ptr = *(void **)((u8 *)skb->cb +
1621 						 trans->txqs.dev_cmd_offs);
1622 
1623 			/*
1624 			 * Note that we can very well be overflowing again.
1625 			 * In that case, iwl_txq_space will be small again
1626 			 * and we won't wake mac80211's queue.
1627 			 */
1628 			iwl_trans_tx(trans, skb, dev_cmd_ptr, txq_id);
1629 		}
1630 
1631 		if (iwl_txq_space(trans, txq) > txq->low_mark)
1632 			iwl_wake_queue(trans, txq);
1633 
1634 		spin_lock_bh(&txq->lock);
1635 		txq->overflow_tx = false;
1636 	}
1637 
1638 out:
1639 	spin_unlock_bh(&txq->lock);
1640 }
1641 
1642 /* Set wr_ptr of specific device and txq  */
1643 void iwl_txq_set_q_ptrs(struct iwl_trans *trans, int txq_id, int ptr)
1644 {
1645 	struct iwl_txq *txq = trans->txqs.txq[txq_id];
1646 
1647 	spin_lock_bh(&txq->lock);
1648 
1649 	txq->write_ptr = ptr;
1650 	txq->read_ptr = txq->write_ptr;
1651 
1652 	spin_unlock_bh(&txq->lock);
1653 }
1654 
1655 void iwl_trans_txq_freeze_timer(struct iwl_trans *trans, unsigned long txqs,
1656 				bool freeze)
1657 {
1658 	int queue;
1659 
1660 	for_each_set_bit(queue, &txqs, BITS_PER_LONG) {
1661 		struct iwl_txq *txq = trans->txqs.txq[queue];
1662 		unsigned long now;
1663 
1664 		spin_lock_bh(&txq->lock);
1665 
1666 		now = jiffies;
1667 
1668 		if (txq->frozen == freeze)
1669 			goto next_queue;
1670 
1671 		IWL_DEBUG_TX_QUEUES(trans, "%s TXQ %d\n",
1672 				    freeze ? "Freezing" : "Waking", queue);
1673 
1674 		txq->frozen = freeze;
1675 
1676 		if (txq->read_ptr == txq->write_ptr)
1677 			goto next_queue;
1678 
1679 		if (freeze) {
1680 			if (unlikely(time_after(now,
1681 						txq->stuck_timer.expires))) {
1682 				/*
1683 				 * The timer should have fired, maybe it is
1684 				 * spinning right now on the lock.
1685 				 */
1686 				goto next_queue;
1687 			}
1688 			/* remember how long until the timer fires */
1689 			txq->frozen_expiry_remainder =
1690 				txq->stuck_timer.expires - now;
1691 			del_timer(&txq->stuck_timer);
1692 			goto next_queue;
1693 		}
1694 
1695 		/*
1696 		 * Wake a non-empty queue -> arm timer with the
1697 		 * remainder before it froze
1698 		 */
1699 		mod_timer(&txq->stuck_timer,
1700 			  now + txq->frozen_expiry_remainder);
1701 
1702 next_queue:
1703 		spin_unlock_bh(&txq->lock);
1704 	}
1705 }
1706 
1707 #define HOST_COMPLETE_TIMEOUT	(2 * HZ)
1708 
1709 static int iwl_trans_txq_send_hcmd_sync(struct iwl_trans *trans,
1710 					struct iwl_host_cmd *cmd)
1711 {
1712 	const char *cmd_str = iwl_get_cmd_string(trans, cmd->id);
1713 	struct iwl_txq *txq = trans->txqs.txq[trans->txqs.cmd.q_id];
1714 	int cmd_idx;
1715 	int ret;
1716 
1717 	IWL_DEBUG_INFO(trans, "Attempting to send sync command %s\n", cmd_str);
1718 
1719 	if (WARN(test_and_set_bit(STATUS_SYNC_HCMD_ACTIVE,
1720 				  &trans->status),
1721 		 "Command %s: a command is already active!\n", cmd_str))
1722 		return -EIO;
1723 
1724 	IWL_DEBUG_INFO(trans, "Setting HCMD_ACTIVE for command %s\n", cmd_str);
1725 
1726 	cmd_idx = trans->ops->send_cmd(trans, cmd);
1727 	if (cmd_idx < 0) {
1728 		ret = cmd_idx;
1729 		clear_bit(STATUS_SYNC_HCMD_ACTIVE, &trans->status);
1730 		IWL_ERR(trans, "Error sending %s: enqueue_hcmd failed: %d\n",
1731 			cmd_str, ret);
1732 		return ret;
1733 	}
1734 
1735 	ret = wait_event_timeout(trans->wait_command_queue,
1736 				 !test_bit(STATUS_SYNC_HCMD_ACTIVE,
1737 					   &trans->status),
1738 				 HOST_COMPLETE_TIMEOUT);
1739 	if (!ret) {
1740 		IWL_ERR(trans, "Error sending %s: time out after %dms.\n",
1741 			cmd_str, jiffies_to_msecs(HOST_COMPLETE_TIMEOUT));
1742 
1743 		IWL_ERR(trans, "Current CMD queue read_ptr %d write_ptr %d\n",
1744 			txq->read_ptr, txq->write_ptr);
1745 
1746 		clear_bit(STATUS_SYNC_HCMD_ACTIVE, &trans->status);
1747 		IWL_DEBUG_INFO(trans, "Clearing HCMD_ACTIVE for command %s\n",
1748 			       cmd_str);
1749 		ret = -ETIMEDOUT;
1750 
1751 		iwl_trans_sync_nmi(trans);
1752 		goto cancel;
1753 	}
1754 
1755 	if (test_bit(STATUS_FW_ERROR, &trans->status)) {
1756 		if (!test_and_clear_bit(STATUS_SUPPRESS_CMD_ERROR_ONCE,
1757 					&trans->status)) {
1758 			IWL_ERR(trans, "FW error in SYNC CMD %s\n", cmd_str);
1759 			dump_stack();
1760 		}
1761 		ret = -EIO;
1762 		goto cancel;
1763 	}
1764 
1765 	if (!(cmd->flags & CMD_SEND_IN_RFKILL) &&
1766 	    test_bit(STATUS_RFKILL_OPMODE, &trans->status)) {
1767 		IWL_DEBUG_RF_KILL(trans, "RFKILL in SYNC CMD... no rsp\n");
1768 		ret = -ERFKILL;
1769 		goto cancel;
1770 	}
1771 
1772 	if ((cmd->flags & CMD_WANT_SKB) && !cmd->resp_pkt) {
1773 		IWL_ERR(trans, "Error: Response NULL in '%s'\n", cmd_str);
1774 		ret = -EIO;
1775 		goto cancel;
1776 	}
1777 
1778 	return 0;
1779 
1780 cancel:
1781 	if (cmd->flags & CMD_WANT_SKB) {
1782 		/*
1783 		 * Cancel the CMD_WANT_SKB flag for the cmd in the
1784 		 * TX cmd queue. Otherwise in case the cmd comes
1785 		 * in later, it will possibly set an invalid
1786 		 * address (cmd->meta.source).
1787 		 */
1788 		txq->entries[cmd_idx].meta.flags &= ~CMD_WANT_SKB;
1789 	}
1790 
1791 	if (cmd->resp_pkt) {
1792 		iwl_free_resp(cmd);
1793 		cmd->resp_pkt = NULL;
1794 	}
1795 
1796 	return ret;
1797 }
1798 
1799 int iwl_trans_txq_send_hcmd(struct iwl_trans *trans,
1800 			    struct iwl_host_cmd *cmd)
1801 {
1802 	/* Make sure the NIC is still alive in the bus */
1803 	if (test_bit(STATUS_TRANS_DEAD, &trans->status))
1804 		return -ENODEV;
1805 
1806 	if (!(cmd->flags & CMD_SEND_IN_RFKILL) &&
1807 	    test_bit(STATUS_RFKILL_OPMODE, &trans->status)) {
1808 		IWL_DEBUG_RF_KILL(trans, "Dropping CMD 0x%x: RF KILL\n",
1809 				  cmd->id);
1810 		return -ERFKILL;
1811 	}
1812 
1813 	if (unlikely(trans->system_pm_mode == IWL_PLAT_PM_MODE_D3 &&
1814 		     !(cmd->flags & CMD_SEND_IN_D3))) {
1815 		IWL_DEBUG_WOWLAN(trans, "Dropping CMD 0x%x: D3\n", cmd->id);
1816 		return -EHOSTDOWN;
1817 	}
1818 
1819 	if (cmd->flags & CMD_ASYNC) {
1820 		int ret;
1821 
1822 		/* An asynchronous command can not expect an SKB to be set. */
1823 		if (WARN_ON(cmd->flags & CMD_WANT_SKB))
1824 			return -EINVAL;
1825 
1826 		ret = trans->ops->send_cmd(trans, cmd);
1827 		if (ret < 0) {
1828 			IWL_ERR(trans,
1829 				"Error sending %s: enqueue_hcmd failed: %d\n",
1830 				iwl_get_cmd_string(trans, cmd->id), ret);
1831 			return ret;
1832 		}
1833 		return 0;
1834 	}
1835 
1836 	return iwl_trans_txq_send_hcmd_sync(trans, cmd);
1837 }
1838 
1839