xref: /linux/drivers/net/wireless/intel/iwlwifi/mei/main.c (revision c94cd9508b1335b949fd13ebd269313c65492df0)
1 // SPDX-License-Identifier: GPL-2.0-only
2 /*
3  * Copyright (C) 2021-2024 Intel Corporation
4  */
5 
6 #include <linux/etherdevice.h>
7 #include <linux/netdevice.h>
8 #include <linux/ieee80211.h>
9 #include <linux/rtnetlink.h>
10 #include <linux/module.h>
11 #include <linux/moduleparam.h>
12 #include <linux/mei_cl_bus.h>
13 #include <linux/rcupdate.h>
14 #include <linux/debugfs.h>
15 #include <linux/skbuff.h>
16 #include <linux/wait.h>
17 #include <linux/slab.h>
18 #include <linux/mm.h>
19 
20 #include <net/cfg80211.h>
21 
22 #include "internal.h"
23 #include "iwl-mei.h"
24 #include "trace.h"
25 #include "trace-data.h"
26 #include "sap.h"
27 
28 MODULE_DESCRIPTION("The Intel(R) wireless / CSME firmware interface");
29 MODULE_LICENSE("GPL");
30 
31 #define MEI_WLAN_UUID UUID_LE(0x13280904, 0x7792, 0x4fcb, \
32 			      0xa1, 0xaa, 0x5e, 0x70, 0xcb, 0xb1, 0xe8, 0x65)
33 
34 /* After CSME takes ownership, it won't release it for 60 seconds to avoid
35  * frequent ownership transitions.
36  */
37 #define MEI_OWNERSHIP_RETAKE_TIMEOUT_MS	msecs_to_jiffies(60000)
38 
39 /*
40  * Since iwlwifi calls iwlmei without any context, hold a pointer to the
41  * mei_cl_device structure here.
42  * Define a mutex that will synchronize all the flows between iwlwifi and
43  * iwlmei.
44  * Note that iwlmei can't have several instances, so it ok to have static
45  * variables here.
46  */
47 static struct mei_cl_device *iwl_mei_global_cldev;
48 static DEFINE_MUTEX(iwl_mei_mutex);
49 static unsigned long iwl_mei_status;
50 
51 enum iwl_mei_status_bits {
52 	IWL_MEI_STATUS_SAP_CONNECTED,
53 };
54 
55 bool iwl_mei_is_connected(void)
56 {
57 	return test_bit(IWL_MEI_STATUS_SAP_CONNECTED, &iwl_mei_status);
58 }
59 EXPORT_SYMBOL_GPL(iwl_mei_is_connected);
60 
61 #define SAP_CONTROL_BLOCK_ID 0x21504153 /* SAP! in ASCII */
62 
63 struct iwl_sap_q_ctrl_blk {
64 	__le32 wr_ptr;
65 	__le32 rd_ptr;
66 	__le32 size;
67 };
68 
69 enum iwl_sap_q_idx {
70 	SAP_QUEUE_IDX_NOTIF = 0,
71 	SAP_QUEUE_IDX_DATA,
72 	SAP_QUEUE_IDX_MAX,
73 };
74 
75 struct iwl_sap_dir {
76 	__le32 reserved;
77 	struct iwl_sap_q_ctrl_blk q_ctrl_blk[SAP_QUEUE_IDX_MAX];
78 };
79 
80 enum iwl_sap_dir_idx {
81 	SAP_DIRECTION_HOST_TO_ME = 0,
82 	SAP_DIRECTION_ME_TO_HOST,
83 	SAP_DIRECTION_MAX,
84 };
85 
86 struct iwl_sap_shared_mem_ctrl_blk {
87 	__le32 sap_id;
88 	__le32 size;
89 	struct iwl_sap_dir dir[SAP_DIRECTION_MAX];
90 };
91 
92 /*
93  * The shared area has the following layout:
94  *
95  * +-----------------------------------+
96  * |struct iwl_sap_shared_mem_ctrl_blk |
97  * +-----------------------------------+
98  * |Host -> ME data queue              |
99  * +-----------------------------------+
100  * |Host -> ME notif queue             |
101  * +-----------------------------------+
102  * |ME -> Host data queue              |
103  * +-----------------------------------+
104  * |ME -> host notif queue             |
105  * +-----------------------------------+
106  * |SAP control block id (SAP!)        |
107  * +-----------------------------------+
108  */
109 
110 #define SAP_H2M_DATA_Q_SZ	48256
111 #define SAP_M2H_DATA_Q_SZ	24128
112 #define SAP_H2M_NOTIF_Q_SZ_VER3	2240
113 #define SAP_H2M_NOTIF_Q_SZ_VER4	32768
114 #define SAP_M2H_NOTIF_Q_SZ	62720
115 
116 #define _IWL_MEI_SAP_SHARED_MEM_SZ_VER3 \
117 	(sizeof(struct iwl_sap_shared_mem_ctrl_blk) + \
118 	 SAP_H2M_DATA_Q_SZ + SAP_H2M_NOTIF_Q_SZ_VER3 + \
119 	 SAP_M2H_DATA_Q_SZ + SAP_M2H_NOTIF_Q_SZ + 4)
120 
121 #define _IWL_MEI_SAP_SHARED_MEM_SZ_VER4 \
122 	(sizeof(struct iwl_sap_shared_mem_ctrl_blk) + \
123 	 SAP_H2M_DATA_Q_SZ + SAP_H2M_NOTIF_Q_SZ_VER4 + \
124 	 SAP_M2H_DATA_Q_SZ + SAP_M2H_NOTIF_Q_SZ + 4)
125 
126 struct iwl_mei_shared_mem_ptrs {
127 	struct iwl_sap_shared_mem_ctrl_blk *ctrl;
128 	void *q_head[SAP_DIRECTION_MAX][SAP_QUEUE_IDX_MAX];
129 	size_t q_size[SAP_DIRECTION_MAX][SAP_QUEUE_IDX_MAX];
130 };
131 
132 struct iwl_mei_filters {
133 	struct rcu_head rcu_head;
134 	struct iwl_sap_oob_filters filters;
135 };
136 
137 /**
138  * struct iwl_mei - holds the private date for iwl_mei
139  *
140  * @get_nvm_wq: the wait queue for the get_nvm flow
141  * @send_csa_msg_wk: used to defer the transmission of the CHECK_SHARED_AREA
142  *	message. Used so that we can send CHECK_SHARED_AREA from atomic
143  *	contexts.
144  * @get_ownership_wq: the wait queue for the get_ownership_flow
145  * @shared_mem: the memory that is shared between CSME and the host
146  * @cldev: the pointer to the MEI client device
147  * @nvm: the data returned by the CSME for the NVM
148  * @filters: the filters sent by CSME
149  * @got_ownership: true if we own the device
150  * @amt_enabled: true if CSME has wireless enabled
151  * @csa_throttled: when true, we can't send CHECK_SHARED_AREA over the MEI
152  *	bus, but rather need to wait until send_csa_msg_wk runs
153  * @csme_taking_ownership: true when CSME is taking ownership. Used to remember
154  *	to send CSME_OWNERSHIP_CONFIRMED when the driver completes its down
155  *	flow.
156  * @link_prot_state: true when we are in link protection PASSIVE
157  * @device_down: true if the device is down. Used to remember to send
158  *	CSME_OWNERSHIP_CONFIRMED when the driver is already down.
159  * @csa_throttle_end_wk: used when &csa_throttled is true
160  * @pldr_wq: the wait queue for PLDR flow
161  * @pldr_active: PLDR flow is in progress
162  * @data_q_lock: protects the access to the data queues which are
163  *	accessed without the mutex.
164  * @netdev_work: used to defer registering and unregistering of the netdev to
165  *	avoid taking the rtnl lock in the SAP messages handlers.
166  * @ownership_dwork: used to re-ask for NIC ownership after ownership was taken
167  *	by CSME or when a previous ownership request failed.
168  * @sap_seq_no: the sequence number for the SAP messages
169  * @seq_no: the sequence number for the SAP messages
170  * @dbgfs_dir: the debugfs dir entry
171  */
172 struct iwl_mei {
173 	wait_queue_head_t get_nvm_wq;
174 	struct work_struct send_csa_msg_wk;
175 	wait_queue_head_t get_ownership_wq;
176 	struct iwl_mei_shared_mem_ptrs shared_mem;
177 	struct mei_cl_device *cldev;
178 	struct iwl_mei_nvm *nvm;
179 	struct iwl_mei_filters __rcu *filters;
180 	bool got_ownership;
181 	bool amt_enabled;
182 	bool csa_throttled;
183 	bool csme_taking_ownership;
184 	bool link_prot_state;
185 	bool device_down;
186 	struct delayed_work csa_throttle_end_wk;
187 	wait_queue_head_t pldr_wq;
188 	bool pldr_active;
189 	spinlock_t data_q_lock;
190 	struct work_struct netdev_work;
191 	struct delayed_work ownership_dwork;
192 
193 	atomic_t sap_seq_no;
194 	atomic_t seq_no;
195 
196 	struct dentry *dbgfs_dir;
197 };
198 
199 /**
200  * struct iwl_mei_cache - cache for the parameters from iwlwifi
201  * @ops: Callbacks to iwlwifi.
202  * @netdev: The netdev that will be used to transmit / receive packets.
203  * @conn_info: The connection info message triggered by iwlwifi's association.
204  * @power_limit: pointer to an array of 10 elements (le16) represents the power
205  *	restrictions per chain.
206  * @rf_kill: rf kill state.
207  * @mcc: MCC info
208  * @mac_address: interface MAC address.
209  * @nvm_address: NVM MAC address.
210  * @priv: A pointer to iwlwifi.
211  * @sap_version: The SAP version to use. enum iwl_mei_sap_version.
212  *
213  * This used to cache the configurations coming from iwlwifi's way. The data
214  * is cached here so that we can buffer the configuration even if we don't have
215  * a bind from the mei bus and hence, on iwl_mei structure.
216  */
217 struct iwl_mei_cache {
218 	const struct iwl_mei_ops *ops;
219 	struct net_device __rcu *netdev;
220 	const struct iwl_sap_notif_connection_info *conn_info;
221 	const __le16 *power_limit;
222 	u32 rf_kill;
223 	u16 mcc;
224 	u8 mac_address[6];
225 	u8 nvm_address[6];
226 	enum iwl_mei_sap_version sap_version;
227 	void *priv;
228 };
229 
230 static struct iwl_mei_cache iwl_mei_cache = {
231 	.rf_kill = SAP_HW_RFKILL_DEASSERTED | SAP_SW_RFKILL_DEASSERTED
232 };
233 
234 static void iwl_mei_free_shared_mem(struct mei_cl_device *cldev)
235 {
236 	struct iwl_mei *mei = mei_cldev_get_drvdata(cldev);
237 
238 	if (mei_cldev_dma_unmap(cldev))
239 		dev_err(&cldev->dev, "Couldn't unmap the shared mem properly\n");
240 	memset(&mei->shared_mem, 0, sizeof(mei->shared_mem));
241 }
242 
243 #define HBM_DMA_BUF_ID_WLAN 1
244 
245 static int iwl_mei_alloc_mem_for_version(struct mei_cl_device *cldev,
246 					 enum iwl_mei_sap_version version)
247 {
248 	struct iwl_mei *mei = mei_cldev_get_drvdata(cldev);
249 	struct iwl_mei_shared_mem_ptrs *mem = &mei->shared_mem;
250 	u32 mem_size = roundup(version == IWL_MEI_SAP_VERSION_4 ?
251 			       _IWL_MEI_SAP_SHARED_MEM_SZ_VER4 :
252 			       _IWL_MEI_SAP_SHARED_MEM_SZ_VER3, PAGE_SIZE);
253 
254 	iwl_mei_cache.sap_version = version;
255 	mem->ctrl = mei_cldev_dma_map(cldev, HBM_DMA_BUF_ID_WLAN, mem_size);
256 	if (IS_ERR(mem->ctrl)) {
257 		int ret = PTR_ERR(mem->ctrl);
258 
259 		mem->ctrl = NULL;
260 
261 		return ret;
262 	}
263 
264 	memset(mem->ctrl, 0, mem_size);
265 
266 	return 0;
267 }
268 
269 static int iwl_mei_alloc_shared_mem(struct mei_cl_device *cldev)
270 {
271 	int ret;
272 
273 	/*
274 	 * SAP version 4 uses a larger Host to MEI notif queue.
275 	 * Since it is unknown at this stage which SAP version is used by the
276 	 * CSME firmware on this platform, try to allocate the version 4 first.
277 	 * If the CSME firmware uses version 3, this allocation is expected to
278 	 * fail because the CSME firmware allocated less memory for our driver.
279 	 */
280 	ret = iwl_mei_alloc_mem_for_version(cldev, IWL_MEI_SAP_VERSION_4);
281 	if (ret)
282 		ret = iwl_mei_alloc_mem_for_version(cldev,
283 						    IWL_MEI_SAP_VERSION_3);
284 
285 	return ret;
286 }
287 
288 static void iwl_mei_init_shared_mem(struct iwl_mei *mei)
289 {
290 	struct iwl_mei_shared_mem_ptrs *mem = &mei->shared_mem;
291 	struct iwl_sap_dir *h2m;
292 	struct iwl_sap_dir *m2h;
293 	int dir, queue;
294 	u8 *q_head;
295 
296 	mem->ctrl->sap_id = cpu_to_le32(SAP_CONTROL_BLOCK_ID);
297 
298 	mem->ctrl->size = cpu_to_le32(sizeof(*mem->ctrl));
299 
300 	h2m = &mem->ctrl->dir[SAP_DIRECTION_HOST_TO_ME];
301 	m2h = &mem->ctrl->dir[SAP_DIRECTION_ME_TO_HOST];
302 
303 	h2m->q_ctrl_blk[SAP_QUEUE_IDX_DATA].size =
304 		cpu_to_le32(SAP_H2M_DATA_Q_SZ);
305 	h2m->q_ctrl_blk[SAP_QUEUE_IDX_NOTIF].size =
306 		iwl_mei_cache.sap_version == IWL_MEI_SAP_VERSION_3 ?
307 		cpu_to_le32(SAP_H2M_NOTIF_Q_SZ_VER3) :
308 		cpu_to_le32(SAP_H2M_NOTIF_Q_SZ_VER4);
309 	m2h->q_ctrl_blk[SAP_QUEUE_IDX_DATA].size =
310 		cpu_to_le32(SAP_M2H_DATA_Q_SZ);
311 	m2h->q_ctrl_blk[SAP_QUEUE_IDX_NOTIF].size =
312 		cpu_to_le32(SAP_M2H_NOTIF_Q_SZ);
313 
314 	/* q_head points to the start of the first queue */
315 	q_head = (void *)(mem->ctrl + 1);
316 
317 	/* Initialize the queue heads */
318 	for (dir = 0; dir < SAP_DIRECTION_MAX; dir++) {
319 		for (queue = 0; queue < SAP_QUEUE_IDX_MAX; queue++) {
320 			mem->q_head[dir][queue] = q_head;
321 			q_head +=
322 				le32_to_cpu(mem->ctrl->dir[dir].q_ctrl_blk[queue].size);
323 			mem->q_size[dir][queue] =
324 				le32_to_cpu(mem->ctrl->dir[dir].q_ctrl_blk[queue].size);
325 		}
326 	}
327 
328 	*(__le32 *)q_head = cpu_to_le32(SAP_CONTROL_BLOCK_ID);
329 }
330 
331 static ssize_t iwl_mei_write_cyclic_buf(struct mei_cl_device *cldev,
332 					struct iwl_sap_q_ctrl_blk *notif_q,
333 					u8 *q_head,
334 					const struct iwl_sap_hdr *hdr,
335 					u32 q_sz)
336 {
337 	u32 rd = le32_to_cpu(READ_ONCE(notif_q->rd_ptr));
338 	u32 wr = le32_to_cpu(READ_ONCE(notif_q->wr_ptr));
339 	size_t room_in_buf;
340 	size_t tx_sz = sizeof(*hdr) + le16_to_cpu(hdr->len);
341 
342 	if (rd > q_sz || wr > q_sz) {
343 		dev_err(&cldev->dev,
344 			"Pointers are past the end of the buffer\n");
345 		return -EINVAL;
346 	}
347 
348 	room_in_buf = wr >= rd ? q_sz - wr + rd : rd - wr;
349 
350 	/* we don't have enough room for the data to write */
351 	if (room_in_buf < tx_sz) {
352 		dev_err(&cldev->dev,
353 			"Not enough room in the buffer\n");
354 		return -ENOSPC;
355 	}
356 
357 	if (wr + tx_sz <= q_sz) {
358 		memcpy(q_head + wr, hdr, tx_sz);
359 	} else {
360 		memcpy(q_head + wr, hdr, q_sz - wr);
361 		memcpy(q_head, (const u8 *)hdr + q_sz - wr, tx_sz - (q_sz - wr));
362 	}
363 
364 	WRITE_ONCE(notif_q->wr_ptr, cpu_to_le32((wr + tx_sz) % q_sz));
365 	return 0;
366 }
367 
368 static bool iwl_mei_host_to_me_data_pending(const struct iwl_mei *mei)
369 {
370 	struct iwl_sap_q_ctrl_blk *notif_q;
371 	struct iwl_sap_dir *dir;
372 
373 	dir = &mei->shared_mem.ctrl->dir[SAP_DIRECTION_HOST_TO_ME];
374 	notif_q = &dir->q_ctrl_blk[SAP_QUEUE_IDX_DATA];
375 
376 	if (READ_ONCE(notif_q->wr_ptr) != READ_ONCE(notif_q->rd_ptr))
377 		return true;
378 
379 	notif_q = &dir->q_ctrl_blk[SAP_QUEUE_IDX_NOTIF];
380 	return READ_ONCE(notif_q->wr_ptr) != READ_ONCE(notif_q->rd_ptr);
381 }
382 
383 static int iwl_mei_send_check_shared_area(struct mei_cl_device *cldev)
384 {
385 	struct iwl_mei *mei = mei_cldev_get_drvdata(cldev);
386 	struct iwl_sap_me_msg_start msg = {
387 		.hdr.type = cpu_to_le32(SAP_ME_MSG_CHECK_SHARED_AREA),
388 		.hdr.seq_num = cpu_to_le32(atomic_inc_return(&mei->seq_no)),
389 	};
390 	int ret;
391 
392 	lockdep_assert_held(&iwl_mei_mutex);
393 
394 	if (mei->csa_throttled)
395 		return 0;
396 
397 	trace_iwlmei_me_msg(&msg.hdr, true);
398 	ret = mei_cldev_send(cldev, (void *)&msg, sizeof(msg));
399 	if (ret != sizeof(msg)) {
400 		dev_err(&cldev->dev,
401 			"failed to send the SAP_ME_MSG_CHECK_SHARED_AREA message %d\n",
402 			ret);
403 		return ret;
404 	}
405 
406 	mei->csa_throttled = true;
407 
408 	schedule_delayed_work(&mei->csa_throttle_end_wk,
409 			      msecs_to_jiffies(100));
410 
411 	return 0;
412 }
413 
414 static void iwl_mei_csa_throttle_end_wk(struct work_struct *wk)
415 {
416 	struct iwl_mei *mei =
417 		container_of(wk, struct iwl_mei, csa_throttle_end_wk.work);
418 
419 	mutex_lock(&iwl_mei_mutex);
420 
421 	mei->csa_throttled = false;
422 
423 	if (iwl_mei_host_to_me_data_pending(mei))
424 		iwl_mei_send_check_shared_area(mei->cldev);
425 
426 	mutex_unlock(&iwl_mei_mutex);
427 }
428 
429 static int iwl_mei_send_sap_msg_payload(struct mei_cl_device *cldev,
430 					struct iwl_sap_hdr *hdr)
431 {
432 	struct iwl_mei *mei = mei_cldev_get_drvdata(cldev);
433 	struct iwl_sap_q_ctrl_blk *notif_q;
434 	struct iwl_sap_dir *dir;
435 	void *q_head;
436 	u32 q_sz;
437 	int ret;
438 
439 	lockdep_assert_held(&iwl_mei_mutex);
440 
441 	if (!mei->shared_mem.ctrl) {
442 		dev_err(&cldev->dev,
443 			"No shared memory, can't send any SAP message\n");
444 		return -EINVAL;
445 	}
446 
447 	if (!iwl_mei_is_connected()) {
448 		dev_err(&cldev->dev,
449 			"Can't send a SAP message if we're not connected\n");
450 		return -ENODEV;
451 	}
452 
453 	hdr->seq_num = cpu_to_le32(atomic_inc_return(&mei->sap_seq_no));
454 	dev_dbg(&cldev->dev, "Sending %d\n", hdr->type);
455 
456 	dir = &mei->shared_mem.ctrl->dir[SAP_DIRECTION_HOST_TO_ME];
457 	notif_q = &dir->q_ctrl_blk[SAP_QUEUE_IDX_NOTIF];
458 	q_head = mei->shared_mem.q_head[SAP_DIRECTION_HOST_TO_ME][SAP_QUEUE_IDX_NOTIF];
459 	q_sz = mei->shared_mem.q_size[SAP_DIRECTION_HOST_TO_ME][SAP_QUEUE_IDX_NOTIF];
460 	ret = iwl_mei_write_cyclic_buf(q_head, notif_q, q_head, hdr, q_sz);
461 
462 	if (ret < 0)
463 		return ret;
464 
465 	trace_iwlmei_sap_cmd(hdr, true);
466 
467 	return iwl_mei_send_check_shared_area(cldev);
468 }
469 
470 void iwl_mei_add_data_to_ring(struct sk_buff *skb, bool cb_tx)
471 {
472 	struct iwl_sap_q_ctrl_blk *notif_q;
473 	struct iwl_sap_dir *dir;
474 	struct iwl_mei *mei;
475 	size_t room_in_buf;
476 	size_t tx_sz;
477 	size_t hdr_sz;
478 	u32 q_sz;
479 	u32 rd;
480 	u32 wr;
481 	u8 *q_head;
482 
483 	if (!iwl_mei_global_cldev)
484 		return;
485 
486 	mei = mei_cldev_get_drvdata(iwl_mei_global_cldev);
487 
488 	/*
489 	 * We access this path for Rx packets (the more common case)
490 	 * and from Tx path when we send DHCP packets, the latter is
491 	 * very unlikely.
492 	 * Take the lock already here to make sure we see that remove()
493 	 * might have cleared the IWL_MEI_STATUS_SAP_CONNECTED bit.
494 	 */
495 	spin_lock_bh(&mei->data_q_lock);
496 
497 	if (!iwl_mei_is_connected()) {
498 		spin_unlock_bh(&mei->data_q_lock);
499 		return;
500 	}
501 
502 	/*
503 	 * We are in a RCU critical section and the remove from the CSME bus
504 	 * which would free this memory waits for the readers to complete (this
505 	 * is done in netdev_rx_handler_unregister).
506 	 */
507 	dir = &mei->shared_mem.ctrl->dir[SAP_DIRECTION_HOST_TO_ME];
508 	notif_q = &dir->q_ctrl_blk[SAP_QUEUE_IDX_DATA];
509 	q_head = mei->shared_mem.q_head[SAP_DIRECTION_HOST_TO_ME][SAP_QUEUE_IDX_DATA];
510 	q_sz = mei->shared_mem.q_size[SAP_DIRECTION_HOST_TO_ME][SAP_QUEUE_IDX_DATA];
511 
512 	rd = le32_to_cpu(READ_ONCE(notif_q->rd_ptr));
513 	wr = le32_to_cpu(READ_ONCE(notif_q->wr_ptr));
514 	hdr_sz = cb_tx ? sizeof(struct iwl_sap_cb_data) :
515 			 sizeof(struct iwl_sap_hdr);
516 	tx_sz = skb->len + hdr_sz;
517 
518 	if (rd > q_sz || wr > q_sz) {
519 		dev_err(&mei->cldev->dev,
520 			"can't write the data: pointers are past the end of the buffer\n");
521 		goto out;
522 	}
523 
524 	room_in_buf = wr >= rd ? q_sz - wr + rd : rd - wr;
525 
526 	/* we don't have enough room for the data to write */
527 	if (room_in_buf < tx_sz) {
528 		dev_err(&mei->cldev->dev,
529 			"Not enough room in the buffer for this data\n");
530 		goto out;
531 	}
532 
533 	if (skb_headroom(skb) < hdr_sz) {
534 		dev_err(&mei->cldev->dev,
535 			"Not enough headroom in the skb to write the SAP header\n");
536 		goto out;
537 	}
538 
539 	if (cb_tx) {
540 		struct iwl_sap_cb_data *cb_hdr = skb_push(skb, sizeof(*cb_hdr));
541 
542 		memset(cb_hdr, 0, sizeof(*cb_hdr));
543 		cb_hdr->hdr.type = cpu_to_le16(SAP_MSG_CB_DATA_PACKET);
544 		cb_hdr->hdr.len = cpu_to_le16(skb->len - sizeof(cb_hdr->hdr));
545 		cb_hdr->hdr.seq_num = cpu_to_le32(atomic_inc_return(&mei->sap_seq_no));
546 		cb_hdr->to_me_filt_status = cpu_to_le32(BIT(CB_TX_DHCP_FILT_IDX));
547 		cb_hdr->data_len = cpu_to_le32(skb->len - sizeof(*cb_hdr));
548 		trace_iwlmei_sap_data(skb, IWL_SAP_TX_DHCP);
549 	} else {
550 		struct iwl_sap_hdr *hdr = skb_push(skb, sizeof(*hdr));
551 
552 		hdr->type = cpu_to_le16(SAP_MSG_DATA_PACKET);
553 		hdr->len = cpu_to_le16(skb->len - sizeof(*hdr));
554 		hdr->seq_num = cpu_to_le32(atomic_inc_return(&mei->sap_seq_no));
555 		trace_iwlmei_sap_data(skb, IWL_SAP_TX_DATA_FROM_AIR);
556 	}
557 
558 	if (wr + tx_sz <= q_sz) {
559 		skb_copy_bits(skb, 0, q_head + wr, tx_sz);
560 	} else {
561 		skb_copy_bits(skb, 0, q_head + wr, q_sz - wr);
562 		skb_copy_bits(skb, q_sz - wr, q_head, tx_sz - (q_sz - wr));
563 	}
564 
565 	WRITE_ONCE(notif_q->wr_ptr, cpu_to_le32((wr + tx_sz) % q_sz));
566 
567 out:
568 	spin_unlock_bh(&mei->data_q_lock);
569 }
570 
571 static int
572 iwl_mei_send_sap_msg(struct mei_cl_device *cldev, u16 type)
573 {
574 	struct iwl_sap_hdr msg = {
575 		.type = cpu_to_le16(type),
576 	};
577 
578 	return iwl_mei_send_sap_msg_payload(cldev, &msg);
579 }
580 
581 static void iwl_mei_send_csa_msg_wk(struct work_struct *wk)
582 {
583 	struct iwl_mei *mei =
584 		container_of(wk, struct iwl_mei, send_csa_msg_wk);
585 
586 	if (!iwl_mei_is_connected())
587 		return;
588 
589 	mutex_lock(&iwl_mei_mutex);
590 
591 	iwl_mei_send_check_shared_area(mei->cldev);
592 
593 	mutex_unlock(&iwl_mei_mutex);
594 }
595 
596 /* Called in a RCU read critical section from netif_receive_skb */
597 static rx_handler_result_t iwl_mei_rx_handler(struct sk_buff **pskb)
598 {
599 	struct sk_buff *skb = *pskb;
600 	struct iwl_mei *mei =
601 		rcu_dereference(skb->dev->rx_handler_data);
602 	struct iwl_mei_filters *filters = rcu_dereference(mei->filters);
603 	bool rx_for_csme = false;
604 	rx_handler_result_t res;
605 
606 	/*
607 	 * remove() unregisters this handler and synchronize_net, so this
608 	 * should never happen.
609 	 */
610 	if (!iwl_mei_is_connected()) {
611 		dev_err(&mei->cldev->dev,
612 			"Got an Rx packet, but we're not connected to SAP?\n");
613 		return RX_HANDLER_PASS;
614 	}
615 
616 	if (filters)
617 		res = iwl_mei_rx_filter(skb, &filters->filters, &rx_for_csme);
618 	else
619 		res = RX_HANDLER_PASS;
620 
621 	/*
622 	 * The data is already on the ring of the shared area, all we
623 	 * need to do is to tell the CSME firmware to check what we have
624 	 * there.
625 	 */
626 	if (rx_for_csme)
627 		schedule_work(&mei->send_csa_msg_wk);
628 
629 	if (res != RX_HANDLER_PASS) {
630 		trace_iwlmei_sap_data(skb, IWL_SAP_RX_DATA_DROPPED_FROM_AIR);
631 		dev_kfree_skb(skb);
632 	}
633 
634 	return res;
635 }
636 
637 static void iwl_mei_netdev_work(struct work_struct *wk)
638 {
639 	struct iwl_mei *mei =
640 		container_of(wk, struct iwl_mei, netdev_work);
641 	struct net_device *netdev;
642 
643 	/*
644 	 * First take rtnl and only then the mutex to avoid an ABBA
645 	 * with iwl_mei_set_netdev()
646 	 */
647 	rtnl_lock();
648 	mutex_lock(&iwl_mei_mutex);
649 
650 	netdev = rcu_dereference_protected(iwl_mei_cache.netdev,
651 					   lockdep_is_held(&iwl_mei_mutex));
652 	if (netdev) {
653 		if (mei->amt_enabled)
654 			netdev_rx_handler_register(netdev, iwl_mei_rx_handler,
655 						   mei);
656 		else
657 			netdev_rx_handler_unregister(netdev);
658 	}
659 
660 	mutex_unlock(&iwl_mei_mutex);
661 	rtnl_unlock();
662 }
663 
664 static void
665 iwl_mei_handle_rx_start_ok(struct mei_cl_device *cldev,
666 			   const struct iwl_sap_me_msg_start_ok *rsp,
667 			   ssize_t len)
668 {
669 	if (len != sizeof(*rsp)) {
670 		dev_err(&cldev->dev,
671 			"got invalid SAP_ME_MSG_START_OK from CSME firmware\n");
672 		dev_err(&cldev->dev,
673 			"size is incorrect: %zd instead of %zu\n",
674 			len, sizeof(*rsp));
675 		return;
676 	}
677 
678 	if (rsp->supported_version != iwl_mei_cache.sap_version) {
679 		dev_err(&cldev->dev,
680 			"didn't get the expected version: got %d\n",
681 			rsp->supported_version);
682 		return;
683 	}
684 
685 	mutex_lock(&iwl_mei_mutex);
686 	set_bit(IWL_MEI_STATUS_SAP_CONNECTED, &iwl_mei_status);
687 	/*
688 	 * We'll receive AMT_STATE SAP message in a bit and
689 	 * that will continue the flow
690 	 */
691 	mutex_unlock(&iwl_mei_mutex);
692 }
693 
694 static void iwl_mei_handle_csme_filters(struct mei_cl_device *cldev,
695 					const struct iwl_sap_csme_filters *filters)
696 {
697 	struct iwl_mei *mei = mei_cldev_get_drvdata(iwl_mei_global_cldev);
698 	struct iwl_mei_filters *new_filters;
699 	struct iwl_mei_filters *old_filters;
700 
701 	old_filters =
702 		rcu_dereference_protected(mei->filters,
703 					  lockdep_is_held(&iwl_mei_mutex));
704 
705 	new_filters = kzalloc(sizeof(*new_filters), GFP_KERNEL);
706 	if (!new_filters)
707 		return;
708 
709 	/* Copy the OOB filters */
710 	new_filters->filters = filters->filters;
711 
712 	rcu_assign_pointer(mei->filters, new_filters);
713 
714 	if (old_filters)
715 		kfree_rcu(old_filters, rcu_head);
716 }
717 
718 static void
719 iwl_mei_handle_conn_status(struct mei_cl_device *cldev,
720 			   const struct iwl_sap_notif_conn_status *status)
721 {
722 	struct iwl_mei *mei = mei_cldev_get_drvdata(cldev);
723 	struct iwl_mei_conn_info conn_info = {
724 		.lp_state = le32_to_cpu(status->link_prot_state),
725 		.ssid_len = le32_to_cpu(status->conn_info.ssid_len),
726 		.channel = status->conn_info.channel,
727 		.band = status->conn_info.band,
728 		.auth_mode = le32_to_cpu(status->conn_info.auth_mode),
729 		.pairwise_cipher = le32_to_cpu(status->conn_info.pairwise_cipher),
730 	};
731 
732 	if (!iwl_mei_cache.ops ||
733 	    conn_info.ssid_len > ARRAY_SIZE(conn_info.ssid))
734 		return;
735 
736 	memcpy(conn_info.ssid, status->conn_info.ssid, conn_info.ssid_len);
737 	ether_addr_copy(conn_info.bssid, status->conn_info.bssid);
738 
739 	iwl_mei_cache.ops->me_conn_status(iwl_mei_cache.priv, &conn_info);
740 
741 	mei->link_prot_state = status->link_prot_state;
742 
743 	/*
744 	 * Update the Rfkill state in case the host does not own the device:
745 	 * if we are in Link Protection, ask to not touch the device, else,
746 	 * unblock rfkill.
747 	 * If the host owns the device, inform the user space whether it can
748 	 * roam.
749 	 */
750 	if (mei->got_ownership)
751 		iwl_mei_cache.ops->roaming_forbidden(iwl_mei_cache.priv,
752 						     status->link_prot_state);
753 	else
754 		iwl_mei_cache.ops->rfkill(iwl_mei_cache.priv,
755 					  status->link_prot_state, false);
756 }
757 
758 static void iwl_mei_set_init_conf(struct iwl_mei *mei)
759 {
760 	struct iwl_sap_notif_host_link_up link_msg = {
761 		.hdr.type = cpu_to_le16(SAP_MSG_NOTIF_HOST_LINK_UP),
762 		.hdr.len = cpu_to_le16(sizeof(link_msg) - sizeof(link_msg.hdr)),
763 	};
764 	struct iwl_sap_notif_country_code mcc_msg = {
765 		.hdr.type = cpu_to_le16(SAP_MSG_NOTIF_COUNTRY_CODE),
766 		.hdr.len = cpu_to_le16(sizeof(mcc_msg) - sizeof(mcc_msg.hdr)),
767 		.mcc = cpu_to_le16(iwl_mei_cache.mcc),
768 	};
769 	struct iwl_sap_notif_sar_limits sar_msg = {
770 		.hdr.type = cpu_to_le16(SAP_MSG_NOTIF_SAR_LIMITS),
771 		.hdr.len = cpu_to_le16(sizeof(sar_msg) - sizeof(sar_msg.hdr)),
772 	};
773 	struct iwl_sap_notif_host_nic_info nic_info_msg = {
774 		.hdr.type = cpu_to_le16(SAP_MSG_NOTIF_NIC_INFO),
775 		.hdr.len = cpu_to_le16(sizeof(nic_info_msg) - sizeof(nic_info_msg.hdr)),
776 	};
777 	struct iwl_sap_msg_dw rfkill_msg = {
778 		.hdr.type = cpu_to_le16(SAP_MSG_NOTIF_RADIO_STATE),
779 		.hdr.len = cpu_to_le16(sizeof(rfkill_msg) - sizeof(rfkill_msg.hdr)),
780 		.val = cpu_to_le32(iwl_mei_cache.rf_kill),
781 	};
782 
783 	/* wifi driver has registered already */
784 	if (iwl_mei_cache.ops) {
785 		iwl_mei_send_sap_msg(mei->cldev,
786 				     SAP_MSG_NOTIF_WIFIDR_UP);
787 		iwl_mei_cache.ops->sap_connected(iwl_mei_cache.priv);
788 	}
789 
790 	iwl_mei_send_sap_msg(mei->cldev, SAP_MSG_NOTIF_WHO_OWNS_NIC);
791 
792 	if (iwl_mei_cache.conn_info) {
793 		link_msg.conn_info = *iwl_mei_cache.conn_info;
794 		iwl_mei_send_sap_msg_payload(mei->cldev, &link_msg.hdr);
795 	}
796 
797 	iwl_mei_send_sap_msg_payload(mei->cldev, &mcc_msg.hdr);
798 
799 	if (iwl_mei_cache.power_limit) {
800 		memcpy(sar_msg.sar_chain_info_table, iwl_mei_cache.power_limit,
801 		       sizeof(sar_msg.sar_chain_info_table));
802 		iwl_mei_send_sap_msg_payload(mei->cldev, &sar_msg.hdr);
803 	}
804 
805 	if (is_valid_ether_addr(iwl_mei_cache.mac_address)) {
806 		ether_addr_copy(nic_info_msg.mac_address,
807 				iwl_mei_cache.mac_address);
808 		ether_addr_copy(nic_info_msg.nvm_address,
809 				iwl_mei_cache.nvm_address);
810 		iwl_mei_send_sap_msg_payload(mei->cldev, &nic_info_msg.hdr);
811 	}
812 
813 	iwl_mei_send_sap_msg_payload(mei->cldev, &rfkill_msg.hdr);
814 }
815 
816 static void iwl_mei_handle_amt_state(struct mei_cl_device *cldev,
817 				     const struct iwl_sap_msg_dw *dw)
818 {
819 	struct iwl_mei *mei = mei_cldev_get_drvdata(cldev);
820 
821 	mutex_lock(&iwl_mei_mutex);
822 
823 	if (mei->amt_enabled == !!le32_to_cpu(dw->val))
824 		goto out;
825 
826 	mei->amt_enabled = dw->val;
827 
828 	if (mei->amt_enabled)
829 		iwl_mei_set_init_conf(mei);
830 	else if (iwl_mei_cache.ops)
831 		iwl_mei_cache.ops->rfkill(iwl_mei_cache.priv, false, false);
832 
833 	schedule_work(&mei->netdev_work);
834 
835 out:
836 	mutex_unlock(&iwl_mei_mutex);
837 }
838 
839 static void iwl_mei_handle_nic_owner(struct mei_cl_device *cldev,
840 				     const struct iwl_sap_msg_dw *dw)
841 {
842 	struct iwl_mei *mei = mei_cldev_get_drvdata(cldev);
843 
844 	mei->got_ownership = dw->val != cpu_to_le32(SAP_NIC_OWNER_ME);
845 }
846 
847 static void iwl_mei_handle_can_release_ownership(struct mei_cl_device *cldev,
848 						 const void *payload)
849 {
850 	/* We can get ownership and driver is registered, go ahead */
851 	if (iwl_mei_cache.ops)
852 		iwl_mei_send_sap_msg(cldev,
853 				     SAP_MSG_NOTIF_HOST_ASKS_FOR_NIC_OWNERSHIP);
854 }
855 
856 static void iwl_mei_handle_csme_taking_ownership(struct mei_cl_device *cldev,
857 						 const void *payload)
858 {
859 	struct iwl_mei *mei = mei_cldev_get_drvdata(cldev);
860 
861 	dev_info(&cldev->dev, "CSME takes ownership\n");
862 
863 	mei->got_ownership = false;
864 
865 	if (iwl_mei_cache.ops && !mei->device_down) {
866 		/*
867 		 * Remember to send CSME_OWNERSHIP_CONFIRMED when the wifi
868 		 * driver is finished taking the device down.
869 		 */
870 		mei->csme_taking_ownership = true;
871 
872 		iwl_mei_cache.ops->rfkill(iwl_mei_cache.priv, true, true);
873 	} else {
874 		iwl_mei_send_sap_msg(cldev,
875 				     SAP_MSG_NOTIF_CSME_OWNERSHIP_CONFIRMED);
876 		schedule_delayed_work(&mei->ownership_dwork,
877 				      MEI_OWNERSHIP_RETAKE_TIMEOUT_MS);
878 	}
879 }
880 
881 static void iwl_mei_handle_nvm(struct mei_cl_device *cldev,
882 			       const struct iwl_sap_nvm *sap_nvm)
883 {
884 	struct iwl_mei *mei = mei_cldev_get_drvdata(cldev);
885 	const struct iwl_mei_nvm *mei_nvm = (const void *)sap_nvm;
886 	int i;
887 
888 	kfree(mei->nvm);
889 	mei->nvm = kzalloc(sizeof(*mei_nvm), GFP_KERNEL);
890 	if (!mei->nvm)
891 		return;
892 
893 	ether_addr_copy(mei->nvm->hw_addr, sap_nvm->hw_addr);
894 	mei->nvm->n_hw_addrs = sap_nvm->n_hw_addrs;
895 	mei->nvm->radio_cfg = le32_to_cpu(sap_nvm->radio_cfg);
896 	mei->nvm->caps = le32_to_cpu(sap_nvm->caps);
897 	mei->nvm->nvm_version = le32_to_cpu(sap_nvm->nvm_version);
898 
899 	for (i = 0; i < ARRAY_SIZE(mei->nvm->channels); i++)
900 		mei->nvm->channels[i] = le32_to_cpu(sap_nvm->channels[i]);
901 
902 	wake_up_all(&mei->get_nvm_wq);
903 }
904 
905 static void iwl_mei_handle_rx_host_own_req(struct mei_cl_device *cldev,
906 					   const struct iwl_sap_msg_dw *dw)
907 {
908 	struct iwl_mei *mei = mei_cldev_get_drvdata(cldev);
909 
910 	/*
911 	 * This means that we can't use the wifi device right now, CSME is not
912 	 * ready to let us use it.
913 	 */
914 	if (!dw->val) {
915 		dev_info(&cldev->dev, "Ownership req denied\n");
916 		return;
917 	}
918 
919 	mei->got_ownership = true;
920 	wake_up_all(&mei->get_ownership_wq);
921 
922 	iwl_mei_send_sap_msg(cldev,
923 			     SAP_MSG_NOTIF_HOST_OWNERSHIP_CONFIRMED);
924 
925 	/* We can now start the connection, unblock rfkill */
926 	if (iwl_mei_cache.ops)
927 		iwl_mei_cache.ops->rfkill(iwl_mei_cache.priv, false, false);
928 }
929 
930 static void iwl_mei_handle_pldr_ack(struct mei_cl_device *cldev,
931 				    const struct iwl_sap_pldr_ack_data *ack)
932 {
933 	struct iwl_mei *mei = mei_cldev_get_drvdata(cldev);
934 
935 	mei->pldr_active = le32_to_cpu(ack->status) == SAP_PLDR_STATUS_SUCCESS;
936 	wake_up_all(&mei->pldr_wq);
937 }
938 
939 static void iwl_mei_handle_ping(struct mei_cl_device *cldev,
940 				const struct iwl_sap_hdr *hdr)
941 {
942 	iwl_mei_send_sap_msg(cldev, SAP_MSG_NOTIF_PONG);
943 }
944 
945 static void iwl_mei_handle_sap_msg(struct mei_cl_device *cldev,
946 				   const struct iwl_sap_hdr *hdr)
947 {
948 	u16 len = le16_to_cpu(hdr->len) + sizeof(*hdr);
949 	u16 type = le16_to_cpu(hdr->type);
950 
951 	dev_dbg(&cldev->dev,
952 		"Got a new SAP message: type %d, len %d, seq %d\n",
953 		le16_to_cpu(hdr->type), len,
954 		le32_to_cpu(hdr->seq_num));
955 
956 #define SAP_MSG_HANDLER(_cmd, _handler, _sz)				\
957 	case SAP_MSG_NOTIF_ ## _cmd:					\
958 		if (len < _sz) {					\
959 			dev_err(&cldev->dev,				\
960 				"Bad size for %d: %u < %u\n",		\
961 				le16_to_cpu(hdr->type),			\
962 				(unsigned int)len,			\
963 				(unsigned int)_sz);			\
964 			break;						\
965 		}							\
966 		mutex_lock(&iwl_mei_mutex);				\
967 		_handler(cldev, (const void *)hdr);			\
968 		mutex_unlock(&iwl_mei_mutex);				\
969 		break
970 
971 #define SAP_MSG_HANDLER_NO_LOCK(_cmd, _handler, _sz)			\
972 	case SAP_MSG_NOTIF_ ## _cmd:					\
973 		if (len < _sz) {					\
974 			dev_err(&cldev->dev,				\
975 				"Bad size for %d: %u < %u\n",		\
976 				le16_to_cpu(hdr->type),			\
977 				(unsigned int)len,			\
978 				(unsigned int)_sz);			\
979 			break;						\
980 		}							\
981 		_handler(cldev, (const void *)hdr);			\
982 		break
983 
984 #define SAP_MSG_HANDLER_NO_HANDLER(_cmd, _sz)				\
985 	case SAP_MSG_NOTIF_ ## _cmd:					\
986 		if (len < _sz) {					\
987 			dev_err(&cldev->dev,				\
988 				"Bad size for %d: %u < %u\n",		\
989 				le16_to_cpu(hdr->type),			\
990 				(unsigned int)len,			\
991 				(unsigned int)_sz);			\
992 			break;						\
993 		}							\
994 		break
995 
996 	switch (type) {
997 	SAP_MSG_HANDLER(PING, iwl_mei_handle_ping, 0);
998 	SAP_MSG_HANDLER(CSME_FILTERS,
999 			iwl_mei_handle_csme_filters,
1000 			sizeof(struct iwl_sap_csme_filters));
1001 	SAP_MSG_HANDLER(CSME_CONN_STATUS,
1002 			iwl_mei_handle_conn_status,
1003 			sizeof(struct iwl_sap_notif_conn_status));
1004 	SAP_MSG_HANDLER_NO_LOCK(AMT_STATE,
1005 				iwl_mei_handle_amt_state,
1006 				sizeof(struct iwl_sap_msg_dw));
1007 	SAP_MSG_HANDLER_NO_HANDLER(PONG, 0);
1008 	SAP_MSG_HANDLER(NVM, iwl_mei_handle_nvm,
1009 			sizeof(struct iwl_sap_nvm));
1010 	SAP_MSG_HANDLER(CSME_REPLY_TO_HOST_OWNERSHIP_REQ,
1011 			iwl_mei_handle_rx_host_own_req,
1012 			sizeof(struct iwl_sap_msg_dw));
1013 	SAP_MSG_HANDLER(NIC_OWNER, iwl_mei_handle_nic_owner,
1014 			sizeof(struct iwl_sap_msg_dw));
1015 	SAP_MSG_HANDLER(CSME_CAN_RELEASE_OWNERSHIP,
1016 			iwl_mei_handle_can_release_ownership, 0);
1017 	SAP_MSG_HANDLER(CSME_TAKING_OWNERSHIP,
1018 			iwl_mei_handle_csme_taking_ownership, 0);
1019 	SAP_MSG_HANDLER(PLDR_ACK, iwl_mei_handle_pldr_ack,
1020 			sizeof(struct iwl_sap_pldr_ack_data));
1021 	default:
1022 	/*
1023 	 * This is not really an error, there are message that we decided
1024 	 * to ignore, yet, it is useful to be able to leave a note if debug
1025 	 * is enabled.
1026 	 */
1027 	dev_dbg(&cldev->dev, "Unsupported message: type %d, len %d\n",
1028 		le16_to_cpu(hdr->type), len);
1029 	}
1030 
1031 #undef SAP_MSG_HANDLER
1032 #undef SAP_MSG_HANDLER_NO_LOCK
1033 }
1034 
1035 static void iwl_mei_read_from_q(const u8 *q_head, u32 q_sz,
1036 				u32 *_rd, u32 wr,
1037 				void *_buf, u32 len)
1038 {
1039 	u8 *buf = _buf;
1040 	u32 rd = *_rd;
1041 
1042 	if (rd + len <= q_sz) {
1043 		memcpy(buf, q_head + rd, len);
1044 		rd += len;
1045 	} else {
1046 		memcpy(buf, q_head + rd, q_sz - rd);
1047 		memcpy(buf + q_sz - rd, q_head, len - (q_sz - rd));
1048 		rd = len - (q_sz - rd);
1049 	}
1050 
1051 	*_rd = rd;
1052 }
1053 
1054 #define QOS_HDR_IV_SNAP_LEN (sizeof(struct ieee80211_qos_hdr) +      \
1055 			     IEEE80211_TKIP_IV_LEN +                 \
1056 			     sizeof(rfc1042_header) + ETH_TLEN)
1057 
1058 static void iwl_mei_handle_sap_data(struct mei_cl_device *cldev,
1059 				    const u8 *q_head, u32 q_sz,
1060 				    u32 rd, u32 wr, ssize_t valid_rx_sz,
1061 				    struct sk_buff_head *tx_skbs)
1062 {
1063 	struct iwl_sap_hdr hdr;
1064 	struct net_device *netdev =
1065 		rcu_dereference_protected(iwl_mei_cache.netdev,
1066 					  lockdep_is_held(&iwl_mei_mutex));
1067 
1068 	if (!netdev)
1069 		return;
1070 
1071 	while (valid_rx_sz >= sizeof(hdr)) {
1072 		struct ethhdr *ethhdr;
1073 		unsigned char *data;
1074 		struct sk_buff *skb;
1075 		u16 len;
1076 
1077 		iwl_mei_read_from_q(q_head, q_sz, &rd, wr, &hdr, sizeof(hdr));
1078 		valid_rx_sz -= sizeof(hdr);
1079 		len = le16_to_cpu(hdr.len);
1080 
1081 		if (valid_rx_sz < len) {
1082 			dev_err(&cldev->dev,
1083 				"Data queue is corrupted: valid data len %zd, len %d\n",
1084 				valid_rx_sz, len);
1085 			break;
1086 		}
1087 
1088 		if (len < sizeof(*ethhdr)) {
1089 			dev_err(&cldev->dev,
1090 				"Data len is smaller than an ethernet header? len = %d\n",
1091 				len);
1092 		}
1093 
1094 		valid_rx_sz -= len;
1095 
1096 		if (le16_to_cpu(hdr.type) != SAP_MSG_DATA_PACKET) {
1097 			dev_err(&cldev->dev, "Unsupported Rx data: type %d, len %d\n",
1098 				le16_to_cpu(hdr.type), len);
1099 			continue;
1100 		}
1101 
1102 		/* We need enough room for the WiFi header + SNAP + IV */
1103 		skb = netdev_alloc_skb(netdev, len + QOS_HDR_IV_SNAP_LEN);
1104 		if (!skb)
1105 			continue;
1106 
1107 		skb_reserve(skb, QOS_HDR_IV_SNAP_LEN);
1108 		ethhdr = skb_push(skb, sizeof(*ethhdr));
1109 
1110 		iwl_mei_read_from_q(q_head, q_sz, &rd, wr,
1111 				    ethhdr, sizeof(*ethhdr));
1112 		len -= sizeof(*ethhdr);
1113 
1114 		skb_reset_mac_header(skb);
1115 		skb_reset_network_header(skb);
1116 		skb->protocol = ethhdr->h_proto;
1117 
1118 		data = skb_put(skb, len);
1119 		iwl_mei_read_from_q(q_head, q_sz, &rd, wr, data, len);
1120 
1121 		/*
1122 		 * Enqueue the skb here so that it can be sent later when we
1123 		 * do not hold the mutex. TX'ing a packet with a mutex held is
1124 		 * possible, but it wouldn't be nice to forbid the TX path to
1125 		 * call any of iwlmei's functions, since every API from iwlmei
1126 		 * needs the mutex.
1127 		 */
1128 		__skb_queue_tail(tx_skbs, skb);
1129 	}
1130 }
1131 
1132 static void iwl_mei_handle_sap_rx_cmd(struct mei_cl_device *cldev,
1133 				      const u8 *q_head, u32 q_sz,
1134 				      u32 rd, u32 wr, ssize_t valid_rx_sz)
1135 {
1136 	struct page *p = alloc_page(GFP_KERNEL);
1137 	struct iwl_sap_hdr *hdr;
1138 
1139 	if (!p)
1140 		return;
1141 
1142 	hdr = page_address(p);
1143 
1144 	while (valid_rx_sz >= sizeof(*hdr)) {
1145 		u16 len;
1146 
1147 		iwl_mei_read_from_q(q_head, q_sz, &rd, wr, hdr, sizeof(*hdr));
1148 		valid_rx_sz -= sizeof(*hdr);
1149 		len = le16_to_cpu(hdr->len);
1150 
1151 		if (valid_rx_sz < len)
1152 			break;
1153 
1154 		iwl_mei_read_from_q(q_head, q_sz, &rd, wr, hdr + 1, len);
1155 
1156 		trace_iwlmei_sap_cmd(hdr, false);
1157 		iwl_mei_handle_sap_msg(cldev, hdr);
1158 		valid_rx_sz -= len;
1159 	}
1160 
1161 	/* valid_rx_sz must be 0 now... */
1162 	if (valid_rx_sz)
1163 		dev_err(&cldev->dev,
1164 			"More data in the buffer although we read it all\n");
1165 
1166 	__free_page(p);
1167 }
1168 
1169 static void iwl_mei_handle_sap_rx(struct mei_cl_device *cldev,
1170 				  struct iwl_sap_q_ctrl_blk *notif_q,
1171 				  const u8 *q_head,
1172 				  struct sk_buff_head *skbs,
1173 				  u32 q_sz)
1174 {
1175 	u32 rd = le32_to_cpu(READ_ONCE(notif_q->rd_ptr));
1176 	u32 wr = le32_to_cpu(READ_ONCE(notif_q->wr_ptr));
1177 	ssize_t valid_rx_sz;
1178 
1179 	if (rd > q_sz || wr > q_sz) {
1180 		dev_err(&cldev->dev,
1181 			"Pointers are past the buffer limit\n");
1182 		return;
1183 	}
1184 
1185 	if (rd == wr)
1186 		return;
1187 
1188 	valid_rx_sz = wr > rd ? wr - rd : q_sz - rd + wr;
1189 
1190 	if (skbs)
1191 		iwl_mei_handle_sap_data(cldev, q_head, q_sz, rd, wr,
1192 					valid_rx_sz, skbs);
1193 	else
1194 		iwl_mei_handle_sap_rx_cmd(cldev, q_head, q_sz, rd, wr,
1195 					  valid_rx_sz);
1196 
1197 	/* Increment the read pointer to point to the write pointer */
1198 	WRITE_ONCE(notif_q->rd_ptr, cpu_to_le32(wr));
1199 }
1200 
1201 static void iwl_mei_handle_check_shared_area(struct mei_cl_device *cldev)
1202 {
1203 	struct iwl_mei *mei = mei_cldev_get_drvdata(cldev);
1204 	struct iwl_sap_q_ctrl_blk *notif_q;
1205 	struct sk_buff_head tx_skbs;
1206 	struct iwl_sap_dir *dir;
1207 	void *q_head;
1208 	u32 q_sz;
1209 
1210 	if (!mei->shared_mem.ctrl)
1211 		return;
1212 
1213 	dir = &mei->shared_mem.ctrl->dir[SAP_DIRECTION_ME_TO_HOST];
1214 	notif_q = &dir->q_ctrl_blk[SAP_QUEUE_IDX_NOTIF];
1215 	q_head = mei->shared_mem.q_head[SAP_DIRECTION_ME_TO_HOST][SAP_QUEUE_IDX_NOTIF];
1216 	q_sz = mei->shared_mem.q_size[SAP_DIRECTION_ME_TO_HOST][SAP_QUEUE_IDX_NOTIF];
1217 
1218 	/*
1219 	 * Do not hold the mutex here, but rather each and every message
1220 	 * handler takes it.
1221 	 * This allows message handlers to take it at a certain time.
1222 	 */
1223 	iwl_mei_handle_sap_rx(cldev, notif_q, q_head, NULL, q_sz);
1224 
1225 	mutex_lock(&iwl_mei_mutex);
1226 	dir = &mei->shared_mem.ctrl->dir[SAP_DIRECTION_ME_TO_HOST];
1227 	notif_q = &dir->q_ctrl_blk[SAP_QUEUE_IDX_DATA];
1228 	q_head = mei->shared_mem.q_head[SAP_DIRECTION_ME_TO_HOST][SAP_QUEUE_IDX_DATA];
1229 	q_sz = mei->shared_mem.q_size[SAP_DIRECTION_ME_TO_HOST][SAP_QUEUE_IDX_DATA];
1230 
1231 	__skb_queue_head_init(&tx_skbs);
1232 
1233 	iwl_mei_handle_sap_rx(cldev, notif_q, q_head, &tx_skbs, q_sz);
1234 
1235 	if (skb_queue_empty(&tx_skbs)) {
1236 		mutex_unlock(&iwl_mei_mutex);
1237 		return;
1238 	}
1239 
1240 	/*
1241 	 * Take the RCU read lock before we unlock the mutex to make sure that
1242 	 * even if the netdev is replaced by another non-NULL netdev right after
1243 	 * we unlock the mutex, the old netdev will still be valid when we
1244 	 * transmit the frames. We can't allow to replace the netdev here because
1245 	 * the skbs hold a pointer to the netdev.
1246 	 */
1247 	rcu_read_lock();
1248 
1249 	mutex_unlock(&iwl_mei_mutex);
1250 
1251 	if (!rcu_access_pointer(iwl_mei_cache.netdev)) {
1252 		dev_err(&cldev->dev, "Can't Tx without a netdev\n");
1253 		skb_queue_purge(&tx_skbs);
1254 		goto out;
1255 	}
1256 
1257 	while (!skb_queue_empty(&tx_skbs)) {
1258 		struct sk_buff *skb = __skb_dequeue(&tx_skbs);
1259 
1260 		trace_iwlmei_sap_data(skb, IWL_SAP_RX_DATA_TO_AIR);
1261 		dev_queue_xmit(skb);
1262 	}
1263 
1264 out:
1265 	rcu_read_unlock();
1266 }
1267 
1268 static void iwl_mei_rx(struct mei_cl_device *cldev)
1269 {
1270 	struct iwl_sap_me_msg_hdr *hdr;
1271 	u8 msg[100];
1272 	ssize_t ret;
1273 
1274 	ret = mei_cldev_recv(cldev, (u8 *)&msg, sizeof(msg));
1275 	if (ret < 0) {
1276 		dev_err(&cldev->dev, "failed to receive data: %zd\n", ret);
1277 		return;
1278 	}
1279 
1280 	if (ret == 0) {
1281 		dev_err(&cldev->dev, "got an empty response\n");
1282 		return;
1283 	}
1284 
1285 	hdr = (void *)msg;
1286 	trace_iwlmei_me_msg(hdr, false);
1287 
1288 	switch (le32_to_cpu(hdr->type)) {
1289 	case SAP_ME_MSG_START_OK:
1290 		BUILD_BUG_ON(sizeof(struct iwl_sap_me_msg_start_ok) >
1291 			     sizeof(msg));
1292 
1293 		iwl_mei_handle_rx_start_ok(cldev, (void *)msg, ret);
1294 		break;
1295 	case SAP_ME_MSG_CHECK_SHARED_AREA:
1296 		iwl_mei_handle_check_shared_area(cldev);
1297 		break;
1298 	default:
1299 		dev_err(&cldev->dev, "got a RX notification: %d\n",
1300 			le32_to_cpu(hdr->type));
1301 		break;
1302 	}
1303 }
1304 
1305 static int iwl_mei_send_start(struct mei_cl_device *cldev)
1306 {
1307 	struct iwl_mei *mei = mei_cldev_get_drvdata(cldev);
1308 	struct iwl_sap_me_msg_start msg = {
1309 		.hdr.type = cpu_to_le32(SAP_ME_MSG_START),
1310 		.hdr.seq_num = cpu_to_le32(atomic_inc_return(&mei->seq_no)),
1311 		.hdr.len = cpu_to_le32(sizeof(msg)),
1312 		.supported_versions[0] = iwl_mei_cache.sap_version,
1313 		.init_data_seq_num = cpu_to_le16(0x100),
1314 		.init_notif_seq_num = cpu_to_le16(0x800),
1315 	};
1316 	int ret;
1317 
1318 	trace_iwlmei_me_msg(&msg.hdr, true);
1319 	ret = mei_cldev_send(cldev, (void *)&msg, sizeof(msg));
1320 	if (ret != sizeof(msg)) {
1321 		dev_err(&cldev->dev,
1322 			"failed to send the SAP_ME_MSG_START message %d\n",
1323 			ret);
1324 		return ret;
1325 	}
1326 
1327 	return 0;
1328 }
1329 
1330 static int iwl_mei_enable(struct mei_cl_device *cldev)
1331 {
1332 	int ret;
1333 
1334 	ret = mei_cldev_enable(cldev);
1335 	if (ret < 0) {
1336 		dev_err(&cldev->dev, "failed to enable the device: %d\n", ret);
1337 		return ret;
1338 	}
1339 
1340 	ret = mei_cldev_register_rx_cb(cldev, iwl_mei_rx);
1341 	if (ret) {
1342 		dev_err(&cldev->dev,
1343 			"failed to register to the rx cb: %d\n", ret);
1344 		mei_cldev_disable(cldev);
1345 		return ret;
1346 	}
1347 
1348 	return 0;
1349 }
1350 
1351 struct iwl_mei_nvm *iwl_mei_get_nvm(void)
1352 {
1353 	struct iwl_mei_nvm *nvm = NULL;
1354 	struct iwl_mei *mei;
1355 	int ret;
1356 
1357 	mutex_lock(&iwl_mei_mutex);
1358 
1359 	if (!iwl_mei_is_connected())
1360 		goto out;
1361 
1362 	mei = mei_cldev_get_drvdata(iwl_mei_global_cldev);
1363 
1364 	if (!mei)
1365 		goto out;
1366 
1367 	ret = iwl_mei_send_sap_msg(iwl_mei_global_cldev,
1368 				   SAP_MSG_NOTIF_GET_NVM);
1369 	if (ret)
1370 		goto out;
1371 
1372 	mutex_unlock(&iwl_mei_mutex);
1373 
1374 	ret = wait_event_timeout(mei->get_nvm_wq, mei->nvm, 2 * HZ);
1375 	if (!ret)
1376 		return NULL;
1377 
1378 	mutex_lock(&iwl_mei_mutex);
1379 
1380 	if (!iwl_mei_is_connected())
1381 		goto out;
1382 
1383 	mei = mei_cldev_get_drvdata(iwl_mei_global_cldev);
1384 
1385 	if (!mei)
1386 		goto out;
1387 
1388 	if (mei->nvm)
1389 		nvm = kmemdup(mei->nvm, sizeof(*mei->nvm), GFP_KERNEL);
1390 
1391 out:
1392 	mutex_unlock(&iwl_mei_mutex);
1393 	return nvm;
1394 }
1395 EXPORT_SYMBOL_GPL(iwl_mei_get_nvm);
1396 
1397 #define IWL_MEI_PLDR_NUM_RETRIES	3
1398 
1399 int iwl_mei_pldr_req(void)
1400 {
1401 	struct iwl_mei *mei;
1402 	int ret;
1403 	struct iwl_sap_pldr_data msg = {
1404 		.hdr.type = cpu_to_le16(SAP_MSG_NOTIF_PLDR),
1405 		.hdr.len = cpu_to_le16(sizeof(msg) - sizeof(msg.hdr)),
1406 	};
1407 	int i;
1408 
1409 	mutex_lock(&iwl_mei_mutex);
1410 
1411 	/* In case we didn't have a bind */
1412 	if (!iwl_mei_is_connected()) {
1413 		ret = 0;
1414 		goto out;
1415 	}
1416 
1417 	mei = mei_cldev_get_drvdata(iwl_mei_global_cldev);
1418 
1419 	if (!mei) {
1420 		ret = -ENODEV;
1421 		goto out;
1422 	}
1423 
1424 	if (!mei->amt_enabled) {
1425 		ret = 0;
1426 		goto out;
1427 	}
1428 
1429 	for (i = 0; i < IWL_MEI_PLDR_NUM_RETRIES; i++) {
1430 		ret = iwl_mei_send_sap_msg_payload(mei->cldev, &msg.hdr);
1431 		mutex_unlock(&iwl_mei_mutex);
1432 		if (ret)
1433 			return ret;
1434 
1435 		ret = wait_event_timeout(mei->pldr_wq, mei->pldr_active, HZ / 2);
1436 		if (ret)
1437 			break;
1438 
1439 		/* Take the mutex for the next iteration */
1440 		mutex_lock(&iwl_mei_mutex);
1441 	}
1442 
1443 	if (ret)
1444 		return 0;
1445 
1446 	ret = -ETIMEDOUT;
1447 out:
1448 	mutex_unlock(&iwl_mei_mutex);
1449 	return ret;
1450 }
1451 EXPORT_SYMBOL_GPL(iwl_mei_pldr_req);
1452 
1453 int iwl_mei_get_ownership(void)
1454 {
1455 	struct iwl_mei *mei;
1456 	int ret;
1457 
1458 	mutex_lock(&iwl_mei_mutex);
1459 
1460 	/* In case we didn't have a bind */
1461 	if (!iwl_mei_is_connected()) {
1462 		ret = 0;
1463 		goto out;
1464 	}
1465 
1466 	mei = mei_cldev_get_drvdata(iwl_mei_global_cldev);
1467 
1468 	if (!mei) {
1469 		ret = -ENODEV;
1470 		goto out;
1471 	}
1472 
1473 	if (!mei->amt_enabled) {
1474 		ret = 0;
1475 		goto out;
1476 	}
1477 
1478 	if (mei->got_ownership) {
1479 		ret = 0;
1480 		goto out;
1481 	}
1482 
1483 	ret = iwl_mei_send_sap_msg(mei->cldev,
1484 				   SAP_MSG_NOTIF_HOST_ASKS_FOR_NIC_OWNERSHIP);
1485 	if (ret)
1486 		goto out;
1487 
1488 	mutex_unlock(&iwl_mei_mutex);
1489 
1490 	ret = wait_event_timeout(mei->get_ownership_wq,
1491 				 mei->got_ownership, HZ / 2);
1492 	if (!ret) {
1493 		schedule_delayed_work(&mei->ownership_dwork,
1494 				      MEI_OWNERSHIP_RETAKE_TIMEOUT_MS);
1495 		return -ETIMEDOUT;
1496 	}
1497 
1498 	return 0;
1499 out:
1500 	mutex_unlock(&iwl_mei_mutex);
1501 	return ret;
1502 }
1503 EXPORT_SYMBOL_GPL(iwl_mei_get_ownership);
1504 
1505 void iwl_mei_alive_notif(bool success)
1506 {
1507 	struct iwl_mei *mei;
1508 	struct iwl_sap_pldr_end_data msg = {
1509 		.hdr.type = cpu_to_le16(SAP_MSG_NOTIF_PLDR_END),
1510 		.hdr.len = cpu_to_le16(sizeof(msg) - sizeof(msg.hdr)),
1511 		.status = success ? cpu_to_le32(SAP_PLDR_STATUS_SUCCESS) :
1512 			cpu_to_le32(SAP_PLDR_STATUS_FAILURE),
1513 	};
1514 
1515 	mutex_lock(&iwl_mei_mutex);
1516 
1517 	if (!iwl_mei_is_connected())
1518 		goto out;
1519 
1520 	mei = mei_cldev_get_drvdata(iwl_mei_global_cldev);
1521 	if (!mei || !mei->pldr_active)
1522 		goto out;
1523 
1524 	mei->pldr_active = false;
1525 
1526 	iwl_mei_send_sap_msg_payload(mei->cldev, &msg.hdr);
1527 out:
1528 	mutex_unlock(&iwl_mei_mutex);
1529 }
1530 EXPORT_SYMBOL_GPL(iwl_mei_alive_notif);
1531 
1532 void iwl_mei_host_associated(const struct iwl_mei_conn_info *conn_info,
1533 			     const struct iwl_mei_colloc_info *colloc_info)
1534 {
1535 	struct iwl_sap_notif_host_link_up msg = {
1536 		.hdr.type = cpu_to_le16(SAP_MSG_NOTIF_HOST_LINK_UP),
1537 		.hdr.len = cpu_to_le16(sizeof(msg) - sizeof(msg.hdr)),
1538 		.conn_info = {
1539 			.ssid_len = cpu_to_le32(conn_info->ssid_len),
1540 			.channel = conn_info->channel,
1541 			.band = conn_info->band,
1542 			.pairwise_cipher = cpu_to_le32(conn_info->pairwise_cipher),
1543 			.auth_mode = cpu_to_le32(conn_info->auth_mode),
1544 		},
1545 	};
1546 	struct iwl_mei *mei;
1547 
1548 	if (conn_info->ssid_len > ARRAY_SIZE(msg.conn_info.ssid))
1549 		return;
1550 
1551 	memcpy(msg.conn_info.ssid, conn_info->ssid, conn_info->ssid_len);
1552 	memcpy(msg.conn_info.bssid, conn_info->bssid, ETH_ALEN);
1553 
1554 	if (colloc_info) {
1555 		msg.colloc_channel = colloc_info->channel;
1556 		msg.colloc_band = colloc_info->channel <= 14 ? 0 : 1;
1557 		memcpy(msg.colloc_bssid, colloc_info->bssid, ETH_ALEN);
1558 	}
1559 
1560 	mutex_lock(&iwl_mei_mutex);
1561 
1562 	if (!iwl_mei_is_connected())
1563 		goto out;
1564 
1565 	mei = mei_cldev_get_drvdata(iwl_mei_global_cldev);
1566 
1567 	if (!mei || !mei->amt_enabled)
1568 		goto out;
1569 
1570 	iwl_mei_send_sap_msg_payload(mei->cldev, &msg.hdr);
1571 
1572 out:
1573 	kfree(iwl_mei_cache.conn_info);
1574 	iwl_mei_cache.conn_info =
1575 		kmemdup(&msg.conn_info, sizeof(msg.conn_info), GFP_KERNEL);
1576 	mutex_unlock(&iwl_mei_mutex);
1577 }
1578 EXPORT_SYMBOL_GPL(iwl_mei_host_associated);
1579 
1580 void iwl_mei_host_disassociated(void)
1581 {
1582 	struct iwl_mei *mei;
1583 	struct iwl_sap_notif_host_link_down msg = {
1584 		.hdr.type = cpu_to_le16(SAP_MSG_NOTIF_HOST_LINK_DOWN),
1585 		.hdr.len = cpu_to_le16(sizeof(msg) - sizeof(msg.hdr)),
1586 		.type = HOST_LINK_DOWN_TYPE_TEMPORARY,
1587 	};
1588 
1589 	mutex_lock(&iwl_mei_mutex);
1590 
1591 	if (!iwl_mei_is_connected())
1592 		goto out;
1593 
1594 	mei = mei_cldev_get_drvdata(iwl_mei_global_cldev);
1595 
1596 	if (!mei || !mei->amt_enabled)
1597 		goto out;
1598 
1599 	iwl_mei_send_sap_msg_payload(mei->cldev, &msg.hdr);
1600 
1601 out:
1602 	kfree(iwl_mei_cache.conn_info);
1603 	iwl_mei_cache.conn_info = NULL;
1604 	mutex_unlock(&iwl_mei_mutex);
1605 }
1606 EXPORT_SYMBOL_GPL(iwl_mei_host_disassociated);
1607 
1608 void iwl_mei_set_rfkill_state(bool hw_rfkill, bool sw_rfkill)
1609 {
1610 	struct iwl_mei *mei;
1611 	u32 rfkill_state = 0;
1612 	struct iwl_sap_msg_dw msg = {
1613 		.hdr.type = cpu_to_le16(SAP_MSG_NOTIF_RADIO_STATE),
1614 		.hdr.len = cpu_to_le16(sizeof(msg) - sizeof(msg.hdr)),
1615 	};
1616 
1617 	if (!sw_rfkill)
1618 		rfkill_state |= SAP_SW_RFKILL_DEASSERTED;
1619 
1620 	if (!hw_rfkill)
1621 		rfkill_state |= SAP_HW_RFKILL_DEASSERTED;
1622 
1623 	mutex_lock(&iwl_mei_mutex);
1624 
1625 	if (!iwl_mei_is_connected())
1626 		goto out;
1627 
1628 	msg.val = cpu_to_le32(rfkill_state);
1629 
1630 	mei = mei_cldev_get_drvdata(iwl_mei_global_cldev);
1631 
1632 	if (!mei || !mei->amt_enabled)
1633 		goto out;
1634 
1635 	iwl_mei_send_sap_msg_payload(mei->cldev, &msg.hdr);
1636 
1637 out:
1638 	iwl_mei_cache.rf_kill = rfkill_state;
1639 	mutex_unlock(&iwl_mei_mutex);
1640 }
1641 EXPORT_SYMBOL_GPL(iwl_mei_set_rfkill_state);
1642 
1643 void iwl_mei_set_nic_info(const u8 *mac_address, const u8 *nvm_address)
1644 {
1645 	struct iwl_mei *mei;
1646 	struct iwl_sap_notif_host_nic_info msg = {
1647 		.hdr.type = cpu_to_le16(SAP_MSG_NOTIF_NIC_INFO),
1648 		.hdr.len = cpu_to_le16(sizeof(msg) - sizeof(msg.hdr)),
1649 	};
1650 
1651 	mutex_lock(&iwl_mei_mutex);
1652 
1653 	if (!iwl_mei_is_connected())
1654 		goto out;
1655 
1656 	ether_addr_copy(msg.mac_address, mac_address);
1657 	ether_addr_copy(msg.nvm_address, nvm_address);
1658 
1659 	mei = mei_cldev_get_drvdata(iwl_mei_global_cldev);
1660 
1661 	if (!mei || !mei->amt_enabled)
1662 		goto out;
1663 
1664 	iwl_mei_send_sap_msg_payload(mei->cldev, &msg.hdr);
1665 
1666 out:
1667 	ether_addr_copy(iwl_mei_cache.mac_address, mac_address);
1668 	ether_addr_copy(iwl_mei_cache.nvm_address, nvm_address);
1669 	mutex_unlock(&iwl_mei_mutex);
1670 }
1671 EXPORT_SYMBOL_GPL(iwl_mei_set_nic_info);
1672 
1673 void iwl_mei_set_country_code(u16 mcc)
1674 {
1675 	struct iwl_mei *mei;
1676 	struct iwl_sap_notif_country_code msg = {
1677 		.hdr.type = cpu_to_le16(SAP_MSG_NOTIF_COUNTRY_CODE),
1678 		.hdr.len = cpu_to_le16(sizeof(msg) - sizeof(msg.hdr)),
1679 		.mcc = cpu_to_le16(mcc),
1680 	};
1681 
1682 	mutex_lock(&iwl_mei_mutex);
1683 
1684 	if (!iwl_mei_is_connected())
1685 		goto out;
1686 
1687 	mei = mei_cldev_get_drvdata(iwl_mei_global_cldev);
1688 
1689 	if (!mei || !mei->amt_enabled)
1690 		goto out;
1691 
1692 	iwl_mei_send_sap_msg_payload(mei->cldev, &msg.hdr);
1693 
1694 out:
1695 	iwl_mei_cache.mcc = mcc;
1696 	mutex_unlock(&iwl_mei_mutex);
1697 }
1698 EXPORT_SYMBOL_GPL(iwl_mei_set_country_code);
1699 
1700 void iwl_mei_set_power_limit(const __le16 *power_limit)
1701 {
1702 	struct iwl_mei *mei;
1703 	struct iwl_sap_notif_sar_limits msg = {
1704 		.hdr.type = cpu_to_le16(SAP_MSG_NOTIF_SAR_LIMITS),
1705 		.hdr.len = cpu_to_le16(sizeof(msg) - sizeof(msg.hdr)),
1706 	};
1707 
1708 	mutex_lock(&iwl_mei_mutex);
1709 
1710 	if (!iwl_mei_is_connected())
1711 		goto out;
1712 
1713 	mei = mei_cldev_get_drvdata(iwl_mei_global_cldev);
1714 
1715 	if (!mei || !mei->amt_enabled)
1716 		goto out;
1717 
1718 	memcpy(msg.sar_chain_info_table, power_limit, sizeof(msg.sar_chain_info_table));
1719 
1720 	iwl_mei_send_sap_msg_payload(mei->cldev, &msg.hdr);
1721 
1722 out:
1723 	kfree(iwl_mei_cache.power_limit);
1724 	iwl_mei_cache.power_limit = kmemdup(power_limit,
1725 					    sizeof(msg.sar_chain_info_table), GFP_KERNEL);
1726 	mutex_unlock(&iwl_mei_mutex);
1727 }
1728 EXPORT_SYMBOL_GPL(iwl_mei_set_power_limit);
1729 
1730 void iwl_mei_set_netdev(struct net_device *netdev)
1731 {
1732 	struct iwl_mei *mei;
1733 
1734 	mutex_lock(&iwl_mei_mutex);
1735 
1736 	if (!iwl_mei_is_connected()) {
1737 		rcu_assign_pointer(iwl_mei_cache.netdev, netdev);
1738 		goto out;
1739 	}
1740 
1741 	mei = mei_cldev_get_drvdata(iwl_mei_global_cldev);
1742 
1743 	if (!mei)
1744 		goto out;
1745 
1746 	if (!netdev) {
1747 		struct net_device *dev =
1748 			rcu_dereference_protected(iwl_mei_cache.netdev,
1749 						  lockdep_is_held(&iwl_mei_mutex));
1750 
1751 		if (!dev)
1752 			goto out;
1753 
1754 		netdev_rx_handler_unregister(dev);
1755 	}
1756 
1757 	rcu_assign_pointer(iwl_mei_cache.netdev, netdev);
1758 
1759 	if (netdev && mei->amt_enabled)
1760 		netdev_rx_handler_register(netdev, iwl_mei_rx_handler, mei);
1761 
1762 out:
1763 	mutex_unlock(&iwl_mei_mutex);
1764 }
1765 EXPORT_SYMBOL_GPL(iwl_mei_set_netdev);
1766 
1767 void iwl_mei_device_state(bool up)
1768 {
1769 	struct iwl_mei *mei;
1770 
1771 	mutex_lock(&iwl_mei_mutex);
1772 
1773 	if (!iwl_mei_is_connected())
1774 		goto out;
1775 
1776 	mei = mei_cldev_get_drvdata(iwl_mei_global_cldev);
1777 
1778 	if (!mei)
1779 		goto out;
1780 
1781 	mei->device_down = !up;
1782 
1783 	if (up || !mei->csme_taking_ownership)
1784 		goto out;
1785 
1786 	iwl_mei_send_sap_msg(mei->cldev,
1787 			     SAP_MSG_NOTIF_CSME_OWNERSHIP_CONFIRMED);
1788 	mei->csme_taking_ownership = false;
1789 	schedule_delayed_work(&mei->ownership_dwork,
1790 			      MEI_OWNERSHIP_RETAKE_TIMEOUT_MS);
1791 out:
1792 	mutex_unlock(&iwl_mei_mutex);
1793 }
1794 EXPORT_SYMBOL_GPL(iwl_mei_device_state);
1795 
1796 int iwl_mei_register(void *priv, const struct iwl_mei_ops *ops)
1797 {
1798 	int ret;
1799 
1800 	/*
1801 	 * We must have a non-NULL priv pointer to not crash when there are
1802 	 * multiple WiFi devices.
1803 	 */
1804 	if (!priv)
1805 		return -EINVAL;
1806 
1807 	mutex_lock(&iwl_mei_mutex);
1808 
1809 	/* do not allow registration if someone else already registered */
1810 	if (iwl_mei_cache.priv || iwl_mei_cache.ops) {
1811 		ret = -EBUSY;
1812 		goto out;
1813 	}
1814 
1815 	iwl_mei_cache.priv = priv;
1816 	iwl_mei_cache.ops = ops;
1817 
1818 	if (iwl_mei_global_cldev) {
1819 		struct iwl_mei *mei =
1820 			mei_cldev_get_drvdata(iwl_mei_global_cldev);
1821 
1822 		/* we have already a SAP connection */
1823 		if (iwl_mei_is_connected()) {
1824 			if (mei->amt_enabled)
1825 				iwl_mei_send_sap_msg(mei->cldev,
1826 						     SAP_MSG_NOTIF_WIFIDR_UP);
1827 			ops->rfkill(priv, mei->link_prot_state, false);
1828 		}
1829 	}
1830 	ret = 0;
1831 
1832 out:
1833 	mutex_unlock(&iwl_mei_mutex);
1834 	return ret;
1835 }
1836 EXPORT_SYMBOL_GPL(iwl_mei_register);
1837 
1838 void iwl_mei_start_unregister(void)
1839 {
1840 	mutex_lock(&iwl_mei_mutex);
1841 
1842 	/* At this point, the wifi driver should have removed the netdev */
1843 	if (rcu_access_pointer(iwl_mei_cache.netdev))
1844 		pr_err("Still had a netdev pointer set upon unregister\n");
1845 
1846 	kfree(iwl_mei_cache.conn_info);
1847 	iwl_mei_cache.conn_info = NULL;
1848 	kfree(iwl_mei_cache.power_limit);
1849 	iwl_mei_cache.power_limit = NULL;
1850 	iwl_mei_cache.ops = NULL;
1851 	/* leave iwl_mei_cache.priv non-NULL to prevent any new registration */
1852 
1853 	mutex_unlock(&iwl_mei_mutex);
1854 }
1855 EXPORT_SYMBOL_GPL(iwl_mei_start_unregister);
1856 
1857 void iwl_mei_unregister_complete(void)
1858 {
1859 	mutex_lock(&iwl_mei_mutex);
1860 
1861 	iwl_mei_cache.priv = NULL;
1862 
1863 	if (iwl_mei_global_cldev) {
1864 		struct iwl_mei *mei =
1865 			mei_cldev_get_drvdata(iwl_mei_global_cldev);
1866 
1867 		if (mei->amt_enabled)
1868 			iwl_mei_send_sap_msg(mei->cldev,
1869 					     SAP_MSG_NOTIF_WIFIDR_DOWN);
1870 		mei->got_ownership = false;
1871 	}
1872 
1873 	mutex_unlock(&iwl_mei_mutex);
1874 }
1875 EXPORT_SYMBOL_GPL(iwl_mei_unregister_complete);
1876 
1877 #if IS_ENABLED(CONFIG_DEBUG_FS)
1878 
1879 static ssize_t
1880 iwl_mei_dbgfs_send_start_message_write(struct file *file,
1881 				       const char __user *user_buf,
1882 				       size_t count, loff_t *ppos)
1883 {
1884 	int ret;
1885 
1886 	mutex_lock(&iwl_mei_mutex);
1887 
1888 	if (!iwl_mei_global_cldev) {
1889 		ret = -ENODEV;
1890 		goto out;
1891 	}
1892 
1893 	ret = iwl_mei_send_start(iwl_mei_global_cldev);
1894 
1895 out:
1896 	mutex_unlock(&iwl_mei_mutex);
1897 	return ret ?: count;
1898 }
1899 
1900 static const struct file_operations iwl_mei_dbgfs_send_start_message_ops = {
1901 	.write = iwl_mei_dbgfs_send_start_message_write,
1902 	.open = simple_open,
1903 	.llseek = default_llseek,
1904 };
1905 
1906 static ssize_t iwl_mei_dbgfs_req_ownership_write(struct file *file,
1907 						 const char __user *user_buf,
1908 						 size_t count, loff_t *ppos)
1909 {
1910 	iwl_mei_get_ownership();
1911 
1912 	return count;
1913 }
1914 
1915 static const struct file_operations iwl_mei_dbgfs_req_ownership_ops = {
1916 	.write = iwl_mei_dbgfs_req_ownership_write,
1917 	.open = simple_open,
1918 	.llseek = default_llseek,
1919 };
1920 
1921 static void iwl_mei_dbgfs_register(struct iwl_mei *mei)
1922 {
1923 	mei->dbgfs_dir = debugfs_create_dir(KBUILD_MODNAME, NULL);
1924 
1925 	if (!mei->dbgfs_dir)
1926 		return;
1927 
1928 	debugfs_create_ulong("status", S_IRUSR,
1929 			     mei->dbgfs_dir, &iwl_mei_status);
1930 	debugfs_create_file("send_start_message", S_IWUSR, mei->dbgfs_dir,
1931 			    mei, &iwl_mei_dbgfs_send_start_message_ops);
1932 	debugfs_create_file("req_ownership", S_IWUSR, mei->dbgfs_dir,
1933 			    mei, &iwl_mei_dbgfs_req_ownership_ops);
1934 }
1935 
1936 static void iwl_mei_dbgfs_unregister(struct iwl_mei *mei)
1937 {
1938 	debugfs_remove_recursive(mei->dbgfs_dir);
1939 	mei->dbgfs_dir = NULL;
1940 }
1941 
1942 #else
1943 
1944 static void iwl_mei_dbgfs_register(struct iwl_mei *mei) {}
1945 static void iwl_mei_dbgfs_unregister(struct iwl_mei *mei) {}
1946 
1947 #endif /* CONFIG_DEBUG_FS */
1948 
1949 static void iwl_mei_ownership_dwork(struct work_struct *wk)
1950 {
1951 	iwl_mei_get_ownership();
1952 }
1953 
1954 #define ALLOC_SHARED_MEM_RETRY_MAX_NUM	3
1955 
1956 /*
1957  * iwl_mei_probe - the probe function called by the mei bus enumeration
1958  *
1959  * This allocates the data needed by iwlmei and sets a pointer to this data
1960  * into the mei_cl_device's drvdata.
1961  * It starts the SAP protocol by sending the SAP_ME_MSG_START without
1962  * waiting for the answer. The answer will be caught later by the Rx callback.
1963  */
1964 static int iwl_mei_probe(struct mei_cl_device *cldev,
1965 			 const struct mei_cl_device_id *id)
1966 {
1967 	int alloc_retry = ALLOC_SHARED_MEM_RETRY_MAX_NUM;
1968 	struct iwl_mei *mei;
1969 	int ret;
1970 
1971 	mei = devm_kzalloc(&cldev->dev, sizeof(*mei), GFP_KERNEL);
1972 	if (!mei)
1973 		return -ENOMEM;
1974 
1975 	init_waitqueue_head(&mei->get_nvm_wq);
1976 	INIT_WORK(&mei->send_csa_msg_wk, iwl_mei_send_csa_msg_wk);
1977 	INIT_DELAYED_WORK(&mei->csa_throttle_end_wk,
1978 			  iwl_mei_csa_throttle_end_wk);
1979 	init_waitqueue_head(&mei->get_ownership_wq);
1980 	init_waitqueue_head(&mei->pldr_wq);
1981 	spin_lock_init(&mei->data_q_lock);
1982 	INIT_WORK(&mei->netdev_work, iwl_mei_netdev_work);
1983 	INIT_DELAYED_WORK(&mei->ownership_dwork, iwl_mei_ownership_dwork);
1984 
1985 	mei_cldev_set_drvdata(cldev, mei);
1986 	mei->cldev = cldev;
1987 	mei->device_down = true;
1988 
1989 	do {
1990 		ret = iwl_mei_alloc_shared_mem(cldev);
1991 		if (!ret)
1992 			break;
1993 		/*
1994 		 * The CSME firmware needs to boot the internal WLAN client.
1995 		 * This can take time in certain configurations (usually
1996 		 * upon resume and when the whole CSME firmware is shut down
1997 		 * during suspend).
1998 		 *
1999 		 * Wait a bit before retrying and hope we'll succeed next time.
2000 		 */
2001 
2002 		dev_dbg(&cldev->dev,
2003 			"Couldn't allocate the shared memory: %d, attempt %d / %d\n",
2004 			ret, alloc_retry, ALLOC_SHARED_MEM_RETRY_MAX_NUM);
2005 		msleep(100);
2006 		alloc_retry--;
2007 	} while (alloc_retry);
2008 
2009 	if (ret) {
2010 		dev_err(&cldev->dev, "Couldn't allocate the shared memory: %d\n",
2011 			ret);
2012 		goto free;
2013 	}
2014 
2015 	iwl_mei_init_shared_mem(mei);
2016 
2017 	ret = iwl_mei_enable(cldev);
2018 	if (ret)
2019 		goto free_shared_mem;
2020 
2021 	iwl_mei_dbgfs_register(mei);
2022 
2023 	/*
2024 	 * We now have a Rx function in place, start the SAP protocol
2025 	 * we expect to get the SAP_ME_MSG_START_OK response later on.
2026 	 */
2027 	mutex_lock(&iwl_mei_mutex);
2028 	ret = iwl_mei_send_start(cldev);
2029 	mutex_unlock(&iwl_mei_mutex);
2030 	if (ret)
2031 		goto debugfs_unregister;
2032 
2033 	/* must be last */
2034 	iwl_mei_global_cldev = cldev;
2035 
2036 	return 0;
2037 
2038 debugfs_unregister:
2039 	iwl_mei_dbgfs_unregister(mei);
2040 	mei_cldev_disable(cldev);
2041 free_shared_mem:
2042 	iwl_mei_free_shared_mem(cldev);
2043 free:
2044 	mei_cldev_set_drvdata(cldev, NULL);
2045 	devm_kfree(&cldev->dev, mei);
2046 
2047 	return ret;
2048 }
2049 
2050 #define SEND_SAP_MAX_WAIT_ITERATION 10
2051 #define IWLMEI_DEVICE_DOWN_WAIT_ITERATION 50
2052 
2053 static void iwl_mei_remove(struct mei_cl_device *cldev)
2054 {
2055 	struct iwl_mei *mei = mei_cldev_get_drvdata(cldev);
2056 	int i;
2057 
2058 	/*
2059 	 * We are being removed while the bus is active, it means we are
2060 	 * going to suspend/ shutdown, so the NIC will disappear.
2061 	 */
2062 	if (mei_cldev_enabled(cldev) && iwl_mei_cache.ops) {
2063 		unsigned int iter = IWLMEI_DEVICE_DOWN_WAIT_ITERATION;
2064 		bool down = false;
2065 
2066 		/*
2067 		 * In case of suspend, wait for the mac to stop and don't remove
2068 		 * the interface. This will allow the interface to come back
2069 		 * on resume.
2070 		 */
2071 		while (!down && iter--) {
2072 			mdelay(1);
2073 
2074 			mutex_lock(&iwl_mei_mutex);
2075 			down = mei->device_down;
2076 			mutex_unlock(&iwl_mei_mutex);
2077 		}
2078 
2079 		if (!down)
2080 			iwl_mei_cache.ops->nic_stolen(iwl_mei_cache.priv);
2081 	}
2082 
2083 	if (rcu_access_pointer(iwl_mei_cache.netdev)) {
2084 		struct net_device *dev;
2085 
2086 		/*
2087 		 * First take rtnl and only then the mutex to avoid an ABBA
2088 		 * with iwl_mei_set_netdev()
2089 		 */
2090 		rtnl_lock();
2091 		mutex_lock(&iwl_mei_mutex);
2092 
2093 		/*
2094 		 * If we are suspending and the wifi driver hasn't removed it's netdev
2095 		 * yet, do it now. In any case, don't change the cache.netdev pointer.
2096 		 */
2097 		dev = rcu_dereference_protected(iwl_mei_cache.netdev,
2098 						lockdep_is_held(&iwl_mei_mutex));
2099 
2100 		netdev_rx_handler_unregister(dev);
2101 		mutex_unlock(&iwl_mei_mutex);
2102 		rtnl_unlock();
2103 	}
2104 
2105 	mutex_lock(&iwl_mei_mutex);
2106 
2107 	/* Tell CSME that we are going down so that it won't access the
2108 	 * memory anymore, make sure this message goes through immediately.
2109 	 */
2110 	mei->csa_throttled = false;
2111 	iwl_mei_send_sap_msg(mei->cldev,
2112 			     SAP_MSG_NOTIF_HOST_GOES_DOWN);
2113 
2114 	for (i = 0; i < SEND_SAP_MAX_WAIT_ITERATION; i++) {
2115 		if (!iwl_mei_host_to_me_data_pending(mei))
2116 			break;
2117 
2118 		msleep(20);
2119 	}
2120 
2121 	/* If we couldn't make sure that CSME saw the HOST_GOES_DOWN
2122 	 * message, it means that it will probably keep reading memory
2123 	 * that we are going to unmap and free, expect IOMMU error
2124 	 * messages.
2125 	 */
2126 	if (i == SEND_SAP_MAX_WAIT_ITERATION)
2127 		dev_err(&mei->cldev->dev,
2128 			"Couldn't get ACK from CSME on HOST_GOES_DOWN message\n");
2129 
2130 	mutex_unlock(&iwl_mei_mutex);
2131 
2132 	/*
2133 	 * This looks strange, but this lock is taken here to make sure that
2134 	 * iwl_mei_add_data_to_ring called from the Tx path sees that we
2135 	 * clear the IWL_MEI_STATUS_SAP_CONNECTED bit.
2136 	 * Rx isn't a problem because the rx_handler can't be called after
2137 	 * having been unregistered.
2138 	 */
2139 	spin_lock_bh(&mei->data_q_lock);
2140 	clear_bit(IWL_MEI_STATUS_SAP_CONNECTED, &iwl_mei_status);
2141 	spin_unlock_bh(&mei->data_q_lock);
2142 
2143 	if (iwl_mei_cache.ops)
2144 		iwl_mei_cache.ops->rfkill(iwl_mei_cache.priv, false, false);
2145 
2146 	/*
2147 	 * mei_cldev_disable will return only after all the MEI Rx is done.
2148 	 * It must be called when iwl_mei_mutex is *not* held, since it waits
2149 	 * for our Rx handler to complete.
2150 	 * After it returns, no new Rx will start.
2151 	 */
2152 	mei_cldev_disable(cldev);
2153 
2154 	/*
2155 	 * Since the netdev was already removed and the netdev's removal
2156 	 * includes a call to synchronize_net() so that we know there won't be
2157 	 * any new Rx that will trigger the following workers.
2158 	 */
2159 	cancel_work_sync(&mei->send_csa_msg_wk);
2160 	cancel_delayed_work_sync(&mei->csa_throttle_end_wk);
2161 	cancel_work_sync(&mei->netdev_work);
2162 	cancel_delayed_work_sync(&mei->ownership_dwork);
2163 
2164 	/*
2165 	 * If someone waits for the ownership, let him know that we are going
2166 	 * down and that we are not connected anymore. He'll be able to take
2167 	 * the device.
2168 	 */
2169 	wake_up_all(&mei->get_ownership_wq);
2170 	wake_up_all(&mei->pldr_wq);
2171 
2172 	mutex_lock(&iwl_mei_mutex);
2173 
2174 	iwl_mei_global_cldev = NULL;
2175 
2176 	wake_up_all(&mei->get_nvm_wq);
2177 
2178 	iwl_mei_free_shared_mem(cldev);
2179 
2180 	iwl_mei_dbgfs_unregister(mei);
2181 
2182 	mei_cldev_set_drvdata(cldev, NULL);
2183 
2184 	kfree(mei->nvm);
2185 
2186 	kfree(rcu_access_pointer(mei->filters));
2187 
2188 	devm_kfree(&cldev->dev, mei);
2189 
2190 	mutex_unlock(&iwl_mei_mutex);
2191 }
2192 
2193 static const struct mei_cl_device_id iwl_mei_tbl[] = {
2194 	{
2195 		.name = KBUILD_MODNAME,
2196 		.uuid = MEI_WLAN_UUID,
2197 		.version = MEI_CL_VERSION_ANY,
2198 	},
2199 
2200 	/* required last entry */
2201 	{ }
2202 };
2203 
2204 /*
2205  * Do not export the device table because this module is loaded by
2206  * iwlwifi's dependency.
2207  */
2208 
2209 static struct mei_cl_driver iwl_mei_cl_driver = {
2210 	.id_table = iwl_mei_tbl,
2211 	.name = KBUILD_MODNAME,
2212 	.probe = iwl_mei_probe,
2213 	.remove = iwl_mei_remove,
2214 };
2215 
2216 module_mei_cl_driver(iwl_mei_cl_driver);
2217