blob: 112cc362e8e72a9a7e4869e585e7b907d975e67c [file] [log] [blame]
// SPDX-License-Identifier: GPL-2.0-only
/*
* Copyright (C) 2021 Intel Corporation
*/
#include <linux/etherdevice.h>
#include <linux/netdevice.h>
#include <linux/ieee80211.h>
#include <linux/rtnetlink.h>
#include <linux/module.h>
#include <linux/moduleparam.h>
#include <linux/mei_cl_bus.h>
#include <linux/rcupdate.h>
#include <linux/debugfs.h>
#include <linux/skbuff.h>
#include <linux/wait.h>
#include <linux/slab.h>
#include <linux/mm.h>
#include <net/cfg80211.h>
#include "internal.h"
#include "iwl-mei.h"
#include "trace.h"
#include "trace-data.h"
#include "sap.h"
MODULE_DESCRIPTION("The Intel(R) wireless / CSME firmware interface");
MODULE_LICENSE("GPL");
#define MEI_WLAN_UUID UUID_LE(0x13280904, 0x7792, 0x4fcb, \
0xa1, 0xaa, 0x5e, 0x70, 0xcb, 0xb1, 0xe8, 0x65)
/*
* Since iwlwifi calls iwlmei without any context, hold a pointer to the
* mei_cl_device structure here.
* Define a mutex that will synchronize all the flows between iwlwifi and
* iwlmei.
* Note that iwlmei can't have several instances, so it ok to have static
* variables here.
*/
static struct mei_cl_device *iwl_mei_global_cldev;
static DEFINE_MUTEX(iwl_mei_mutex);
static unsigned long iwl_mei_status;
enum iwl_mei_status_bits {
IWL_MEI_STATUS_SAP_CONNECTED,
};
bool iwl_mei_is_connected(void)
{
return test_bit(IWL_MEI_STATUS_SAP_CONNECTED, &iwl_mei_status);
}
EXPORT_SYMBOL_GPL(iwl_mei_is_connected);
#define SAP_VERSION 3
#define SAP_CONTROL_BLOCK_ID 0x21504153 /* SAP! in ASCII */
struct iwl_sap_q_ctrl_blk {
__le32 wr_ptr;
__le32 rd_ptr;
__le32 size;
};
enum iwl_sap_q_idx {
SAP_QUEUE_IDX_NOTIF = 0,
SAP_QUEUE_IDX_DATA,
SAP_QUEUE_IDX_MAX,
};
struct iwl_sap_dir {
__le32 reserved;
struct iwl_sap_q_ctrl_blk q_ctrl_blk[SAP_QUEUE_IDX_MAX];
};
enum iwl_sap_dir_idx {
SAP_DIRECTION_HOST_TO_ME = 0,
SAP_DIRECTION_ME_TO_HOST,
SAP_DIRECTION_MAX,
};
struct iwl_sap_shared_mem_ctrl_blk {
__le32 sap_id;
__le32 size;
struct iwl_sap_dir dir[SAP_DIRECTION_MAX];
};
/*
* The shared area has the following layout:
*
* +-----------------------------------+
* |struct iwl_sap_shared_mem_ctrl_blk |
* +-----------------------------------+
* |Host -> ME data queue |
* +-----------------------------------+
* |Host -> ME notif queue |
* +-----------------------------------+
* |ME -> Host data queue |
* +-----------------------------------+
* |ME -> host notif queue |
* +-----------------------------------+
* |SAP control block id (SAP!) |
* +-----------------------------------+
*/
#define SAP_H2M_DATA_Q_SZ 48256
#define SAP_M2H_DATA_Q_SZ 24128
#define SAP_H2M_NOTIF_Q_SZ 2240
#define SAP_M2H_NOTIF_Q_SZ 62720
#define _IWL_MEI_SAP_SHARED_MEM_SZ \
(sizeof(struct iwl_sap_shared_mem_ctrl_blk) + \
SAP_H2M_DATA_Q_SZ + SAP_H2M_NOTIF_Q_SZ + \
SAP_M2H_DATA_Q_SZ + SAP_M2H_NOTIF_Q_SZ + 4)
#define IWL_MEI_SAP_SHARED_MEM_SZ \
(roundup(_IWL_MEI_SAP_SHARED_MEM_SZ, PAGE_SIZE))
struct iwl_mei_shared_mem_ptrs {
struct iwl_sap_shared_mem_ctrl_blk *ctrl;
void *q_head[SAP_DIRECTION_MAX][SAP_QUEUE_IDX_MAX];
};
struct iwl_mei_filters {
struct rcu_head rcu_head;
struct iwl_sap_oob_filters filters;
};
/**
* struct iwl_mei - holds the private date for iwl_mei
*
* @get_nvm_wq: the wait queue for the get_nvm flow
* @send_csa_msg_wk: used to defer the transmission of the CHECK_SHARED_AREA
* message. Used so that we can send CHECK_SHARED_AREA from atomic
* contexts.
* @get_ownership_wq: the wait queue for the get_ownership_flow
* @shared_mem: the memory that is shared between CSME and the host
* @cldev: the pointer to the MEI client device
* @nvm: the data returned by the CSME for the NVM
* @filters: the filters sent by CSME
* @got_ownership: true if we own the device
* @amt_enabled: true if CSME has wireless enabled
* @csa_throttled: when true, we can't send CHECK_SHARED_AREA over the MEI
* bus, but rather need to wait until send_csa_msg_wk runs
* @csme_taking_ownership: true when CSME is taking ownership. Used to remember
* to send CSME_OWNERSHIP_CONFIRMED when the driver completes its down
* flow.
* @csa_throttle_end_wk: used when &csa_throttled is true
* @data_q_lock: protects the access to the data queues which are
* accessed without the mutex.
* @sap_seq_no: the sequence number for the SAP messages
* @seq_no: the sequence number for the SAP messages
* @dbgfs_dir: the debugfs dir entry
*/
struct iwl_mei {
wait_queue_head_t get_nvm_wq;
struct work_struct send_csa_msg_wk;
wait_queue_head_t get_ownership_wq;
struct iwl_mei_shared_mem_ptrs shared_mem;
struct mei_cl_device *cldev;
struct iwl_mei_nvm *nvm;
struct iwl_mei_filters __rcu *filters;
bool got_ownership;
bool amt_enabled;
bool csa_throttled;
bool csme_taking_ownership;
struct delayed_work csa_throttle_end_wk;
spinlock_t data_q_lock;
atomic_t sap_seq_no;
atomic_t seq_no;
struct dentry *dbgfs_dir;
};
/**
* iwl_mei_cache - cache for the parameters from iwlwifi
* @ops: Callbacks to iwlwifi.
* @netdev: The netdev that will be used to transmit / receive packets.
* @conn_info: The connection info message triggered by iwlwifi's association.
* @power_limit: pointer to an array of 10 elements (le16) represents the power
* restrictions per chain.
* @rf_kill: rf kill state.
* @mcc: MCC info
* @mac_address: interface MAC address.
* @nvm_address: NVM MAC address.
* @priv: A pointer to iwlwifi.
*
* This used to cache the configurations coming from iwlwifi's way. The data
* is cached here so that we can buffer the configuration even if we don't have
* a bind from the mei bus and hence, on iwl_mei structure.
*/
static struct {
const struct iwl_mei_ops *ops;
struct net_device __rcu *netdev;
const struct iwl_sap_notif_connection_info *conn_info;
const __le16 *power_limit;
u32 rf_kill;
u16 mcc;
u8 mac_address[6];
u8 nvm_address[6];
void *priv;
} iwl_mei_cache = {
.rf_kill = SAP_HW_RFKILL_DEASSERTED | SAP_SW_RFKILL_DEASSERTED
};
static void iwl_mei_free_shared_mem(struct mei_cl_device *cldev)
{
struct iwl_mei *mei = mei_cldev_get_drvdata(cldev);
if (mei_cldev_dma_unmap(cldev))
dev_err(&cldev->dev, "Coudln't unmap the shared mem properly\n");
memset(&mei->shared_mem, 0, sizeof(mei->shared_mem));
}
#define HBM_DMA_BUF_ID_WLAN 1
static int iwl_mei_alloc_shared_mem(struct mei_cl_device *cldev)
{
struct iwl_mei *mei = mei_cldev_get_drvdata(cldev);
struct iwl_mei_shared_mem_ptrs *mem = &mei->shared_mem;
mem->ctrl = mei_cldev_dma_map(cldev, HBM_DMA_BUF_ID_WLAN,
IWL_MEI_SAP_SHARED_MEM_SZ);
if (IS_ERR(mem->ctrl)) {
int ret = PTR_ERR(mem->ctrl);
dev_err(&cldev->dev, "Couldn't allocate the shared memory: %d\n",
ret);
mem->ctrl = NULL;
return ret;
}
memset(mem->ctrl, 0, IWL_MEI_SAP_SHARED_MEM_SZ);
return 0;
}
static void iwl_mei_init_shared_mem(struct iwl_mei *mei)
{
struct iwl_mei_shared_mem_ptrs *mem = &mei->shared_mem;
struct iwl_sap_dir *h2m;
struct iwl_sap_dir *m2h;
int dir, queue;
u8 *q_head;
mem->ctrl->sap_id = cpu_to_le32(SAP_CONTROL_BLOCK_ID);
mem->ctrl->size = cpu_to_le32(sizeof(*mem->ctrl));
h2m = &mem->ctrl->dir[SAP_DIRECTION_HOST_TO_ME];
m2h = &mem->ctrl->dir[SAP_DIRECTION_ME_TO_HOST];
h2m->q_ctrl_blk[SAP_QUEUE_IDX_DATA].size =
cpu_to_le32(SAP_H2M_DATA_Q_SZ);
h2m->q_ctrl_blk[SAP_QUEUE_IDX_NOTIF].size =
cpu_to_le32(SAP_H2M_NOTIF_Q_SZ);
m2h->q_ctrl_blk[SAP_QUEUE_IDX_DATA].size =
cpu_to_le32(SAP_M2H_DATA_Q_SZ);
m2h->q_ctrl_blk[SAP_QUEUE_IDX_NOTIF].size =
cpu_to_le32(SAP_M2H_NOTIF_Q_SZ);
/* q_head points to the start of the first queue */
q_head = (void *)(mem->ctrl + 1);
/* Initialize the queue heads */
for (dir = 0; dir < SAP_DIRECTION_MAX; dir++) {
for (queue = 0; queue < SAP_QUEUE_IDX_MAX; queue++) {
mem->q_head[dir][queue] = q_head;
q_head +=
le32_to_cpu(mem->ctrl->dir[dir].q_ctrl_blk[queue].size);
}
}
*(__le32 *)q_head = cpu_to_le32(SAP_CONTROL_BLOCK_ID);
}
static ssize_t iwl_mei_write_cyclic_buf(struct mei_cl_device *cldev,
struct iwl_sap_q_ctrl_blk *notif_q,
u8 *q_head,
const struct iwl_sap_hdr *hdr)
{
u32 rd = le32_to_cpu(READ_ONCE(notif_q->rd_ptr));
u32 wr = le32_to_cpu(READ_ONCE(notif_q->wr_ptr));
u32 q_sz = le32_to_cpu(notif_q->size);
size_t room_in_buf;
size_t tx_sz = sizeof(*hdr) + le16_to_cpu(hdr->len);
if (rd > q_sz || wr > q_sz) {
dev_err(&cldev->dev,
"Pointers are past the end of the buffer\n");
return -EINVAL;
}
room_in_buf = wr >= rd ? q_sz - wr + rd : rd - wr;
/* we don't have enough room for the data to write */
if (room_in_buf < tx_sz) {
dev_err(&cldev->dev,
"Not enough room in the buffer\n");
return -ENOSPC;
}
if (wr + tx_sz <= q_sz) {
memcpy(q_head + wr, hdr, tx_sz);
} else {
memcpy(q_head + wr, hdr, q_sz - wr);
memcpy(q_head, (u8 *)hdr + q_sz - wr, tx_sz - (q_sz - wr));
}
WRITE_ONCE(notif_q->wr_ptr, cpu_to_le32((wr + tx_sz) % q_sz));
return 0;
}
static bool iwl_mei_host_to_me_data_pending(const struct iwl_mei *mei)
{
struct iwl_sap_q_ctrl_blk *notif_q;
struct iwl_sap_dir *dir;
dir = &mei->shared_mem.ctrl->dir[SAP_DIRECTION_HOST_TO_ME];
notif_q = &dir->q_ctrl_blk[SAP_QUEUE_IDX_DATA];
if (READ_ONCE(notif_q->wr_ptr) != READ_ONCE(notif_q->rd_ptr))
return true;
notif_q = &dir->q_ctrl_blk[SAP_QUEUE_IDX_NOTIF];
return READ_ONCE(notif_q->wr_ptr) != READ_ONCE(notif_q->rd_ptr);
}
static int iwl_mei_send_check_shared_area(struct mei_cl_device *cldev)
{
struct iwl_mei *mei = mei_cldev_get_drvdata(cldev);
struct iwl_sap_me_msg_start msg = {
.hdr.type = cpu_to_le32(SAP_ME_MSG_CHECK_SHARED_AREA),
.hdr.seq_num = cpu_to_le32(atomic_inc_return(&mei->seq_no)),
};
int ret;
lockdep_assert_held(&iwl_mei_mutex);
if (mei->csa_throttled)
return 0;
trace_iwlmei_me_msg(&msg.hdr, true);
ret = mei_cldev_send(cldev, (void *)&msg, sizeof(msg));
if (ret != sizeof(msg)) {
dev_err(&cldev->dev,
"failed to send the SAP_ME_MSG_CHECK_SHARED_AREA message %d\n",
ret);
return ret;
}
mei->csa_throttled = true;
schedule_delayed_work(&mei->csa_throttle_end_wk,
msecs_to_jiffies(100));
return 0;
}
static void iwl_mei_csa_throttle_end_wk(struct work_struct *wk)
{
struct iwl_mei *mei =
container_of(wk, struct iwl_mei, csa_throttle_end_wk.work);
mutex_lock(&iwl_mei_mutex);
mei->csa_throttled = false;
if (iwl_mei_host_to_me_data_pending(mei))
iwl_mei_send_check_shared_area(mei->cldev);
mutex_unlock(&iwl_mei_mutex);
}
static int iwl_mei_send_sap_msg_payload(struct mei_cl_device *cldev,
struct iwl_sap_hdr *hdr)
{
struct iwl_mei *mei = mei_cldev_get_drvdata(cldev);
struct iwl_sap_q_ctrl_blk *notif_q;
struct iwl_sap_dir *dir;
void *q_head;
int ret;
lockdep_assert_held(&iwl_mei_mutex);
if (!mei->shared_mem.ctrl) {
dev_err(&cldev->dev,
"No shared memory, can't send any SAP message\n");
return -EINVAL;
}
if (!iwl_mei_is_connected()) {
dev_err(&cldev->dev,
"Can't send a SAP message if we're not connected\n");
return -ENODEV;
}
hdr->seq_num = cpu_to_le32(atomic_inc_return(&mei->sap_seq_no));
dev_dbg(&cldev->dev, "Sending %d\n", hdr->type);
dir = &mei->shared_mem.ctrl->dir[SAP_DIRECTION_HOST_TO_ME];
notif_q = &dir->q_ctrl_blk[SAP_QUEUE_IDX_NOTIF];
q_head = mei->shared_mem.q_head[SAP_DIRECTION_HOST_TO_ME][SAP_QUEUE_IDX_NOTIF];
ret = iwl_mei_write_cyclic_buf(q_head, notif_q, q_head, hdr);
if (ret < 0)
return ret;
trace_iwlmei_sap_cmd(hdr, true);
return iwl_mei_send_check_shared_area(cldev);
}
void iwl_mei_add_data_to_ring(struct sk_buff *skb, bool cb_tx)
{
struct iwl_sap_q_ctrl_blk *notif_q;
struct iwl_sap_dir *dir;
struct iwl_mei *mei;
size_t room_in_buf;
size_t tx_sz;
size_t hdr_sz;
u32 q_sz;
u32 rd;
u32 wr;
void *q_head;
if (!iwl_mei_global_cldev)
return;
mei = mei_cldev_get_drvdata(iwl_mei_global_cldev);
/*
* We access this path for Rx packets (the more common case)
* and from Tx path when we send DHCP packets, the latter is
* very unlikely.
* Take the lock already here to make sure we see that remove()
* might have cleared the IWL_MEI_STATUS_SAP_CONNECTED bit.
*/
spin_lock_bh(&mei->data_q_lock);
if (!iwl_mei_is_connected()) {
spin_unlock_bh(&mei->data_q_lock);
return;
}
/*
* We are in a RCU critical section and the remove from the CSME bus
* which would free this memory waits for the readers to complete (this
* is done in netdev_rx_handler_unregister).
*/
dir = &mei->shared_mem.ctrl->dir[SAP_DIRECTION_HOST_TO_ME];
notif_q = &dir->q_ctrl_blk[SAP_QUEUE_IDX_DATA];
q_head = mei->shared_mem.q_head[SAP_DIRECTION_HOST_TO_ME][SAP_QUEUE_IDX_DATA];
rd = le32_to_cpu(READ_ONCE(notif_q->rd_ptr));
wr = le32_to_cpu(READ_ONCE(notif_q->wr_ptr));
q_sz = le32_to_cpu(notif_q->size);
hdr_sz = cb_tx ? sizeof(struct iwl_sap_cb_data) :
sizeof(struct iwl_sap_hdr);
tx_sz = skb->len + hdr_sz;
if (rd > q_sz || wr > q_sz) {
dev_err(&mei->cldev->dev,
"can't write the data: pointers are past the end of the buffer\n");
goto out;
}
room_in_buf = wr >= rd ? q_sz - wr + rd : rd - wr;
/* we don't have enough room for the data to write */
if (room_in_buf < tx_sz) {
dev_err(&mei->cldev->dev,
"Not enough room in the buffer for this data\n");
goto out;
}
if (skb_headroom(skb) < hdr_sz) {
dev_err(&mei->cldev->dev,
"Not enough headroom in the skb to write the SAP header\n");
goto out;
}
if (cb_tx) {
struct iwl_sap_cb_data *cb_hdr = skb_push(skb, sizeof(*cb_hdr));
cb_hdr->hdr.type = cpu_to_le16(SAP_MSG_CB_DATA_PACKET);
cb_hdr->hdr.len = cpu_to_le16(skb->len - sizeof(cb_hdr->hdr));
cb_hdr->hdr.seq_num = cpu_to_le32(atomic_inc_return(&mei->sap_seq_no));
cb_hdr->to_me_filt_status = cpu_to_le32(BIT(CB_TX_DHCP_FILT_IDX));
cb_hdr->data_len = cpu_to_le32(skb->len - sizeof(*cb_hdr));
trace_iwlmei_sap_data(skb, IWL_SAP_TX_DHCP);
} else {
struct iwl_sap_hdr *hdr = skb_push(skb, sizeof(*hdr));
hdr->type = cpu_to_le16(SAP_MSG_DATA_PACKET);
hdr->len = cpu_to_le16(skb->len - sizeof(*hdr));
hdr->seq_num = cpu_to_le32(atomic_inc_return(&mei->sap_seq_no));
trace_iwlmei_sap_data(skb, IWL_SAP_TX_DATA_FROM_AIR);
}
if (wr + tx_sz <= q_sz) {
skb_copy_bits(skb, 0, q_head + wr, tx_sz);
} else {
skb_copy_bits(skb, 0, q_head + wr, q_sz - wr);
skb_copy_bits(skb, q_sz - wr, q_head, tx_sz - (q_sz - wr));
}
WRITE_ONCE(notif_q->wr_ptr, cpu_to_le32((wr + tx_sz) % q_sz));
out:
spin_unlock_bh(&mei->data_q_lock);
}
static int
iwl_mei_send_sap_msg(struct mei_cl_device *cldev, u16 type)
{
struct iwl_sap_hdr msg = {
.type = cpu_to_le16(type),
};
return iwl_mei_send_sap_msg_payload(cldev, &msg);
}
static void iwl_mei_send_csa_msg_wk(struct work_struct *wk)
{
struct iwl_mei *mei =
container_of(wk, struct iwl_mei, send_csa_msg_wk);
if (!iwl_mei_is_connected())
return;
mutex_lock(&iwl_mei_mutex);
iwl_mei_send_check_shared_area(mei->cldev);
mutex_unlock(&iwl_mei_mutex);
}
/* Called in a RCU read critical section from netif_receive_skb */
static rx_handler_result_t iwl_mei_rx_handler(struct sk_buff **pskb)
{
struct sk_buff *skb = *pskb;
struct iwl_mei *mei =
rcu_dereference(skb->dev->rx_handler_data);
struct iwl_mei_filters *filters = rcu_dereference(mei->filters);
bool rx_for_csme = false;
rx_handler_result_t res;
/*
* remove() unregisters this handler and synchronize_net, so this
* should never happen.
*/
if (!iwl_mei_is_connected()) {
dev_err(&mei->cldev->dev,
"Got an Rx packet, but we're not connected to SAP?\n");
return RX_HANDLER_PASS;
}
if (filters)
res = iwl_mei_rx_filter(skb, &filters->filters, &rx_for_csme);
else
res = RX_HANDLER_PASS;
/*
* The data is already on the ring of the shared area, all we
* need to do is to tell the CSME firmware to check what we have
* there.
*/
if (rx_for_csme)
schedule_work(&mei->send_csa_msg_wk);
if (res != RX_HANDLER_PASS) {
trace_iwlmei_sap_data(skb, IWL_SAP_RX_DATA_DROPPED_FROM_AIR);
dev_kfree_skb(skb);
}
return res;
}
static void
iwl_mei_handle_rx_start_ok(struct mei_cl_device *cldev,
const struct iwl_sap_me_msg_start_ok *rsp,
ssize_t len)
{
struct iwl_mei *mei = mei_cldev_get_drvdata(cldev);
if (len != sizeof(*rsp)) {
dev_err(&cldev->dev,
"got invalid SAP_ME_MSG_START_OK from CSME firmware\n");
dev_err(&cldev->dev,
"size is incorrect: %zd instead of %zu\n",
len, sizeof(*rsp));
return;
}
if (rsp->supported_version != SAP_VERSION) {
dev_err(&cldev->dev,
"didn't get the expected version: got %d\n",
rsp->supported_version);
return;
}
mutex_lock(&iwl_mei_mutex);
set_bit(IWL_MEI_STATUS_SAP_CONNECTED, &iwl_mei_status);
/* wifi driver has registered already */
if (iwl_mei_cache.ops) {
iwl_mei_send_sap_msg(mei->cldev,
SAP_MSG_NOTIF_WIFIDR_UP);
iwl_mei_cache.ops->sap_connected(iwl_mei_cache.priv);
}
mutex_unlock(&iwl_mei_mutex);
}
static void iwl_mei_handle_csme_filters(struct mei_cl_device *cldev,
const struct iwl_sap_csme_filters *filters)
{
struct iwl_mei *mei = mei_cldev_get_drvdata(iwl_mei_global_cldev);
struct iwl_mei_filters *new_filters;
struct iwl_mei_filters *old_filters;
old_filters =
rcu_dereference_protected(mei->filters,
lockdep_is_held(&iwl_mei_mutex));
new_filters = kzalloc(sizeof(*new_filters), GFP_KERNEL);
/* Copy the OOB filters */
new_filters->filters = filters->filters;
rcu_assign_pointer(mei->filters, new_filters);
if (old_filters)
kfree_rcu(old_filters, rcu_head);
}
static void
iwl_mei_handle_conn_status(struct mei_cl_device *cldev,
const struct iwl_sap_notif_conn_status *status)
{
struct iwl_mei *mei = mei_cldev_get_drvdata(cldev);
struct iwl_mei_conn_info conn_info = {
.lp_state = le32_to_cpu(status->link_prot_state),
.ssid_len = le32_to_cpu(status->conn_info.ssid_len),
.channel = status->conn_info.channel,
.band = status->conn_info.band,
.auth_mode = le32_to_cpu(status->conn_info.auth_mode),
.pairwise_cipher = le32_to_cpu(status->conn_info.pairwise_cipher),
};
if (!iwl_mei_cache.ops ||
conn_info.ssid_len > ARRAY_SIZE(conn_info.ssid))
return;
memcpy(conn_info.ssid, status->conn_info.ssid, conn_info.ssid_len);
ether_addr_copy(conn_info.bssid, status->conn_info.bssid);
iwl_mei_cache.ops->me_conn_status(iwl_mei_cache.priv, &conn_info);
/*
* Update the Rfkill state in case the host does not own the device:
* if we are in Link Protection, ask to not touch the device, else,
* unblock rfkill.
* If the host owns the device, inform the user space whether it can
* roam.
*/
if (mei->got_ownership)
iwl_mei_cache.ops->roaming_forbidden(iwl_mei_cache.priv,
status->link_prot_state);
else
iwl_mei_cache.ops->rfkill(iwl_mei_cache.priv,
status->link_prot_state);
}
static void iwl_mei_set_init_conf(struct iwl_mei *mei)
{
struct iwl_sap_notif_host_link_up link_msg = {
.hdr.type = cpu_to_le16(SAP_MSG_NOTIF_HOST_LINK_UP),
.hdr.len = cpu_to_le16(sizeof(link_msg) - sizeof(link_msg.hdr)),
};
struct iwl_sap_notif_country_code mcc_msg = {
.hdr.type = cpu_to_le16(SAP_MSG_NOTIF_COUNTRY_CODE),
.hdr.len = cpu_to_le16(sizeof(mcc_msg) - sizeof(mcc_msg.hdr)),
.mcc = cpu_to_le16(iwl_mei_cache.mcc),
};
struct iwl_sap_notif_sar_limits sar_msg = {
.hdr.type = cpu_to_le16(SAP_MSG_NOTIF_SAR_LIMITS),
.hdr.len = cpu_to_le16(sizeof(sar_msg) - sizeof(sar_msg.hdr)),
};
struct iwl_sap_notif_host_nic_info nic_info_msg = {
.hdr.type = cpu_to_le16(SAP_MSG_NOTIF_NIC_INFO),
.hdr.len = cpu_to_le16(sizeof(nic_info_msg) - sizeof(nic_info_msg.hdr)),
};
struct iwl_sap_msg_dw rfkill_msg = {
.hdr.type = cpu_to_le16(SAP_MSG_NOTIF_RADIO_STATE),
.hdr.len = cpu_to_le16(sizeof(rfkill_msg) - sizeof(rfkill_msg.hdr)),
.val = cpu_to_le32(iwl_mei_cache.rf_kill),
};
iwl_mei_send_sap_msg(mei->cldev, SAP_MSG_NOTIF_WHO_OWNS_NIC);
if (iwl_mei_cache.conn_info) {
link_msg.conn_info = *iwl_mei_cache.conn_info;
iwl_mei_send_sap_msg_payload(mei->cldev, &link_msg.hdr);
}
iwl_mei_send_sap_msg_payload(mei->cldev, &mcc_msg.hdr);
if (iwl_mei_cache.power_limit) {
memcpy(sar_msg.sar_chain_info_table, iwl_mei_cache.power_limit,
sizeof(sar_msg.sar_chain_info_table));
iwl_mei_send_sap_msg_payload(mei->cldev, &sar_msg.hdr);
}
ether_addr_copy(nic_info_msg.mac_address, iwl_mei_cache.mac_address);
ether_addr_copy(nic_info_msg.nvm_address, iwl_mei_cache.nvm_address);
iwl_mei_send_sap_msg_payload(mei->cldev, &nic_info_msg.hdr);
iwl_mei_send_sap_msg_payload(mei->cldev, &rfkill_msg.hdr);
}
static void iwl_mei_handle_amt_state(struct mei_cl_device *cldev,
const struct iwl_sap_msg_dw *dw)
{
struct iwl_mei *mei = mei_cldev_get_drvdata(cldev);
struct net_device *netdev;
/*
* First take rtnl and only then the mutex to avoid an ABBA
* with iwl_mei_set_netdev()
*/
rtnl_lock();
mutex_lock(&iwl_mei_mutex);
netdev = rcu_dereference_protected(iwl_mei_cache.netdev,
lockdep_is_held(&iwl_mei_mutex));
if (mei->amt_enabled == !!le32_to_cpu(dw->val))
goto out;
mei->amt_enabled = dw->val;
if (mei->amt_enabled) {
if (netdev)
netdev_rx_handler_register(netdev, iwl_mei_rx_handler, mei);
iwl_mei_set_init_conf(mei);
} else {
if (iwl_mei_cache.ops)
iwl_mei_cache.ops->rfkill(iwl_mei_cache.priv, false);
if (netdev)
netdev_rx_handler_unregister(netdev);
}
out:
mutex_unlock(&iwl_mei_mutex);
rtnl_unlock();
}
static void iwl_mei_handle_nic_owner(struct mei_cl_device *cldev,
const struct iwl_sap_msg_dw *dw)
{
struct iwl_mei *mei = mei_cldev_get_drvdata(cldev);
mei->got_ownership = dw->val != cpu_to_le32(SAP_NIC_OWNER_ME);
}
static void iwl_mei_handle_can_release_ownership(struct mei_cl_device *cldev,
const void *payload)
{
/* We can get ownership and driver is registered, go ahead */
if (iwl_mei_cache.ops)
iwl_mei_send_sap_msg(cldev,
SAP_MSG_NOTIF_HOST_ASKS_FOR_NIC_OWNERSHIP);
}
static void iwl_mei_handle_csme_taking_ownership(struct mei_cl_device *cldev,
const void *payload)
{
struct iwl_mei *mei = mei_cldev_get_drvdata(cldev);
dev_info(&cldev->dev, "CSME takes ownership\n");
mei->got_ownership = false;
/*
* Remember to send CSME_OWNERSHIP_CONFIRMED when the wifi driver
* is finished taking the device down.
*/
mei->csme_taking_ownership = true;
if (iwl_mei_cache.ops)
iwl_mei_cache.ops->rfkill(iwl_mei_cache.priv, true);
}
static void iwl_mei_handle_nvm(struct mei_cl_device *cldev,
const struct iwl_sap_nvm *sap_nvm)
{
struct iwl_mei *mei = mei_cldev_get_drvdata(cldev);
const struct iwl_mei_nvm *mei_nvm = (const void *)sap_nvm;
int i;
kfree(mei->nvm);
mei->nvm = kzalloc(sizeof(*mei_nvm), GFP_KERNEL);
if (!mei->nvm)
return;
ether_addr_copy(mei->nvm->hw_addr, sap_nvm->hw_addr);
mei->nvm->n_hw_addrs = sap_nvm->n_hw_addrs;
mei->nvm->radio_cfg = le32_to_cpu(sap_nvm->radio_cfg);
mei->nvm->caps = le32_to_cpu(sap_nvm->caps);
mei->nvm->nvm_version = le32_to_cpu(sap_nvm->nvm_version);
for (i = 0; i < ARRAY_SIZE(mei->nvm->channels); i++)
mei->nvm->channels[i] = le32_to_cpu(sap_nvm->channels[i]);
wake_up_all(&mei->get_nvm_wq);
}
static void iwl_mei_handle_rx_host_own_req(struct mei_cl_device *cldev,
const struct iwl_sap_msg_dw *dw)
{
struct iwl_mei *mei = mei_cldev_get_drvdata(cldev);
/*
* This means that we can't use the wifi device right now, CSME is not
* ready to let us use it.
*/
if (!dw->val) {
dev_info(&cldev->dev, "Ownership req denied\n");
return;
}
mei->got_ownership = true;
wake_up_all(&mei->get_ownership_wq);
iwl_mei_send_sap_msg(cldev,
SAP_MSG_NOTIF_HOST_OWNERSHIP_CONFIRMED);
/* We can now start the connection, unblock rfkill */
if (iwl_mei_cache.ops)
iwl_mei_cache.ops->rfkill(iwl_mei_cache.priv, false);
}
static void iwl_mei_handle_ping(struct mei_cl_device *cldev,
const struct iwl_sap_hdr *hdr)
{
iwl_mei_send_sap_msg(cldev, SAP_MSG_NOTIF_PONG);
}
static void iwl_mei_handle_sap_msg(struct mei_cl_device *cldev,
const struct iwl_sap_hdr *hdr)
{
u16 len = le16_to_cpu(hdr->len) + sizeof(*hdr);
u16 type = le16_to_cpu(hdr->type);
dev_dbg(&cldev->dev,
"Got a new SAP message: type %d, len %d, seq %d\n",
le16_to_cpu(hdr->type), len,
le32_to_cpu(hdr->seq_num));
#define SAP_MSG_HANDLER(_cmd, _handler, _sz) \
case SAP_MSG_NOTIF_ ## _cmd: \
if (len < _sz) { \
dev_err(&cldev->dev, \
"Bad size for %d: %u < %u\n", \
le16_to_cpu(hdr->type), \
(unsigned int)len, \
(unsigned int)_sz); \
break; \
} \
mutex_lock(&iwl_mei_mutex); \
_handler(cldev, (const void *)hdr); \
mutex_unlock(&iwl_mei_mutex); \
break
#define SAP_MSG_HANDLER_NO_LOCK(_cmd, _handler, _sz) \
case SAP_MSG_NOTIF_ ## _cmd: \
if (len < _sz) { \
dev_err(&cldev->dev, \
"Bad size for %d: %u < %u\n", \
le16_to_cpu(hdr->type), \
(unsigned int)len, \
(unsigned int)_sz); \
break; \
} \
_handler(cldev, (const void *)hdr); \
break
#define SAP_MSG_HANDLER_NO_HANDLER(_cmd, _sz) \
case SAP_MSG_NOTIF_ ## _cmd: \
if (len < _sz) { \
dev_err(&cldev->dev, \
"Bad size for %d: %u < %u\n", \
le16_to_cpu(hdr->type), \
(unsigned int)len, \
(unsigned int)_sz); \
break; \
} \
break
switch (type) {
SAP_MSG_HANDLER(PING, iwl_mei_handle_ping, 0);
SAP_MSG_HANDLER(CSME_FILTERS,
iwl_mei_handle_csme_filters,
sizeof(struct iwl_sap_csme_filters));
SAP_MSG_HANDLER(CSME_CONN_STATUS,
iwl_mei_handle_conn_status,
sizeof(struct iwl_sap_notif_conn_status));
SAP_MSG_HANDLER_NO_LOCK(AMT_STATE,
iwl_mei_handle_amt_state,
sizeof(struct iwl_sap_msg_dw));
SAP_MSG_HANDLER_NO_HANDLER(PONG, 0);
SAP_MSG_HANDLER(NVM, iwl_mei_handle_nvm,
sizeof(struct iwl_sap_nvm));
SAP_MSG_HANDLER(CSME_REPLY_TO_HOST_OWNERSHIP_REQ,
iwl_mei_handle_rx_host_own_req,
sizeof(struct iwl_sap_msg_dw));
SAP_MSG_HANDLER(NIC_OWNER, iwl_mei_handle_nic_owner,
sizeof(struct iwl_sap_msg_dw));
SAP_MSG_HANDLER(CSME_CAN_RELEASE_OWNERSHIP,
iwl_mei_handle_can_release_ownership, 0);
SAP_MSG_HANDLER(CSME_TAKING_OWNERSHIP,
iwl_mei_handle_csme_taking_ownership, 0);
default:
/*
* This is not really an error, there are message that we decided
* to ignore, yet, it is useful to be able to leave a note if debug
* is enabled.
*/
dev_dbg(&cldev->dev, "Unsupported message: type %d, len %d\n",
le16_to_cpu(hdr->type), len);
}
#undef SAP_MSG_HANDLER
#undef SAP_MSG_HANDLER_NO_LOCK
}
static void iwl_mei_read_from_q(const u8 *q_head, u32 q_sz,
u32 *_rd, u32 wr,
void *_buf, u32 len)
{
u8 *buf = _buf;
u32 rd = *_rd;
if (rd + len <= q_sz) {
memcpy(buf, q_head + rd, len);
rd += len;
} else {
memcpy(buf, q_head + rd, q_sz - rd);
memcpy(buf + q_sz - rd, q_head, len - (q_sz - rd));
rd = len - (q_sz - rd);
}
*_rd = rd;
}
#define QOS_HDR_IV_SNAP_LEN (sizeof(struct ieee80211_qos_hdr) + \
IEEE80211_TKIP_IV_LEN + \
sizeof(rfc1042_header) + ETH_TLEN)
static void iwl_mei_handle_sap_data(struct mei_cl_device *cldev,
const u8 *q_head, u32 q_sz,
u32 rd, u32 wr, ssize_t valid_rx_sz,
struct sk_buff_head *tx_skbs)
{
struct iwl_sap_hdr hdr;
struct net_device *netdev =
rcu_dereference_protected(iwl_mei_cache.netdev,
lockdep_is_held(&iwl_mei_mutex));
if (!netdev)
return;
while (valid_rx_sz >= sizeof(hdr)) {
struct ethhdr *ethhdr;
unsigned char *data;
struct sk_buff *skb;
u16 len;
iwl_mei_read_from_q(q_head, q_sz, &rd, wr, &hdr, sizeof(hdr));
valid_rx_sz -= sizeof(hdr);
len = le16_to_cpu(hdr.len);
if (valid_rx_sz < len) {
dev_err(&cldev->dev,
"Data queue is corrupted: valid data len %zd, len %d\n",
valid_rx_sz, len);
break;
}
if (len < sizeof(*ethhdr)) {
dev_err(&cldev->dev,
"Data len is smaller than an ethernet header? len = %d\n",
len);
}
valid_rx_sz -= len;
if (le16_to_cpu(hdr.type) != SAP_MSG_DATA_PACKET) {
dev_err(&cldev->dev, "Unsupported Rx data: type %d, len %d\n",
le16_to_cpu(hdr.type), len);
continue;
}
/* We need enough room for the WiFi header + SNAP + IV */
skb = netdev_alloc_skb(netdev, len + QOS_HDR_IV_SNAP_LEN);
skb_reserve(skb, QOS_HDR_IV_SNAP_LEN);
ethhdr = skb_push(skb, sizeof(*ethhdr));
iwl_mei_read_from_q(q_head, q_sz, &rd, wr,
ethhdr, sizeof(*ethhdr));
len -= sizeof(*ethhdr);
skb_reset_mac_header(skb);
skb_reset_network_header(skb);
skb->protocol = ethhdr->h_proto;
data = skb_put(skb, len);
iwl_mei_read_from_q(q_head, q_sz, &rd, wr, data, len);
/*
* Enqueue the skb here so that it can be sent later when we
* do not hold the mutex. TX'ing a packet with a mutex held is
* possible, but it wouldn't be nice to forbid the TX path to
* call any of iwlmei's functions, since every API from iwlmei
* needs the mutex.
*/
__skb_queue_tail(tx_skbs, skb);
}
}
static void iwl_mei_handle_sap_rx_cmd(struct mei_cl_device *cldev,
const u8 *q_head, u32 q_sz,
u32 rd, u32 wr, ssize_t valid_rx_sz)
{
struct page *p = alloc_page(GFP_KERNEL);
struct iwl_sap_hdr *hdr;
if (!p)
return;
hdr = page_address(p);
while (valid_rx_sz >= sizeof(*hdr)) {
u16 len;
iwl_mei_read_from_q(q_head, q_sz, &rd, wr, hdr, sizeof(*hdr));
valid_rx_sz -= sizeof(*hdr);
len = le16_to_cpu(hdr->len);
if (valid_rx_sz < len)
break;
iwl_mei_read_from_q(q_head, q_sz, &rd, wr, hdr + 1, len);
trace_iwlmei_sap_cmd(hdr, false);
iwl_mei_handle_sap_msg(cldev, hdr);
valid_rx_sz -= len;
}
/* valid_rx_sz must be 0 now... */
if (valid_rx_sz)
dev_err(&cldev->dev,
"More data in the buffer although we read it all\n");
__free_page(p);
}
static void iwl_mei_handle_sap_rx(struct mei_cl_device *cldev,
struct iwl_sap_q_ctrl_blk *notif_q,
const u8 *q_head,
struct sk_buff_head *skbs)
{
u32 rd = le32_to_cpu(READ_ONCE(notif_q->rd_ptr));
u32 wr = le32_to_cpu(READ_ONCE(notif_q->wr_ptr));
u32 q_sz = le32_to_cpu(notif_q->size);
ssize_t valid_rx_sz;
if (rd > q_sz || wr > q_sz) {
dev_err(&cldev->dev,
"Pointers are past the buffer limit\n");
return;
}
if (rd == wr)
return;
valid_rx_sz = wr > rd ? wr - rd : q_sz - rd + wr;
if (skbs)
iwl_mei_handle_sap_data(cldev, q_head, q_sz, rd, wr,
valid_rx_sz, skbs);
else
iwl_mei_handle_sap_rx_cmd(cldev, q_head, q_sz, rd, wr,
valid_rx_sz);
/* Increment the read pointer to point to the write pointer */
WRITE_ONCE(notif_q->rd_ptr, cpu_to_le32(wr));
}
static void iwl_mei_handle_check_shared_area(struct mei_cl_device *cldev)
{
struct iwl_mei *mei = mei_cldev_get_drvdata(cldev);
struct iwl_sap_q_ctrl_blk *notif_q;
struct sk_buff_head tx_skbs;
struct iwl_sap_dir *dir;
void *q_head;
if (!mei->shared_mem.ctrl)
return;
dir = &mei->shared_mem.ctrl->dir[SAP_DIRECTION_ME_TO_HOST];
notif_q = &dir->q_ctrl_blk[SAP_QUEUE_IDX_NOTIF];
q_head = mei->shared_mem.q_head[SAP_DIRECTION_ME_TO_HOST][SAP_QUEUE_IDX_NOTIF];
/*
* Do not hold the mutex here, but rather each and every message
* handler takes it.
* This allows message handlers to take it at a certain time.
*/
iwl_mei_handle_sap_rx(cldev, notif_q, q_head, NULL);
mutex_lock(&iwl_mei_mutex);
dir = &mei->shared_mem.ctrl->dir[SAP_DIRECTION_ME_TO_HOST];
notif_q = &dir->q_ctrl_blk[SAP_QUEUE_IDX_DATA];
q_head = mei->shared_mem.q_head[SAP_DIRECTION_ME_TO_HOST][SAP_QUEUE_IDX_DATA];
__skb_queue_head_init(&tx_skbs);
iwl_mei_handle_sap_rx(cldev, notif_q, q_head, &tx_skbs);
if (skb_queue_empty(&tx_skbs)) {
mutex_unlock(&iwl_mei_mutex);
return;
}
/*
* Take the RCU read lock before we unlock the mutex to make sure that
* even if the netdev is replaced by another non-NULL netdev right after
* we unlock the mutex, the old netdev will still be valid when we
* transmit the frames. We can't allow to replace the netdev here because
* the skbs hold a pointer to the netdev.
*/
rcu_read_lock();
mutex_unlock(&iwl_mei_mutex);
if (!rcu_access_pointer(iwl_mei_cache.netdev)) {
dev_err(&cldev->dev, "Can't Tx without a netdev\n");
skb_queue_purge(&tx_skbs);
goto out;
}
while (!skb_queue_empty(&tx_skbs)) {
struct sk_buff *skb = __skb_dequeue(&tx_skbs);
trace_iwlmei_sap_data(skb, IWL_SAP_RX_DATA_TO_AIR);
dev_queue_xmit(skb);
}
out:
rcu_read_unlock();
}
static void iwl_mei_rx(struct mei_cl_device *cldev)
{
struct iwl_sap_me_msg_hdr *hdr;
u8 msg[100];
ssize_t ret;
ret = mei_cldev_recv(cldev, (u8 *)&msg, sizeof(msg));
if (ret < 0) {
dev_err(&cldev->dev, "failed to receive data: %zd\n", ret);
return;
}
if (ret == 0) {
dev_err(&cldev->dev, "got an empty response\n");
return;
}
hdr = (void *)msg;
trace_iwlmei_me_msg(hdr, false);
switch (le32_to_cpu(hdr->type)) {
case SAP_ME_MSG_START_OK:
BUILD_BUG_ON(sizeof(struct iwl_sap_me_msg_start_ok) >
sizeof(msg));
iwl_mei_handle_rx_start_ok(cldev, (void *)msg, ret);
break;
case SAP_ME_MSG_CHECK_SHARED_AREA:
iwl_mei_handle_check_shared_area(cldev);
break;
default:
dev_err(&cldev->dev, "got a RX notification: %d\n",
le32_to_cpu(hdr->type));
break;
}
}
static int iwl_mei_send_start(struct mei_cl_device *cldev)
{
struct iwl_mei *mei = mei_cldev_get_drvdata(cldev);
struct iwl_sap_me_msg_start msg = {
.hdr.type = cpu_to_le32(SAP_ME_MSG_START),
.hdr.seq_num = cpu_to_le32(atomic_inc_return(&mei->seq_no)),
.hdr.len = cpu_to_le32(sizeof(msg)),
.supported_versions[0] = SAP_VERSION,
.init_data_seq_num = cpu_to_le16(0x100),
.init_notif_seq_num = cpu_to_le16(0x800),
};
int ret;
trace_iwlmei_me_msg(&msg.hdr, true);
ret = mei_cldev_send(cldev, (void *)&msg, sizeof(msg));
if (ret != sizeof(msg)) {
dev_err(&cldev->dev,
"failed to send the SAP_ME_MSG_START message %d\n",
ret);
return ret;
}
return 0;
}
static int iwl_mei_enable(struct mei_cl_device *cldev)
{
int ret;
ret = mei_cldev_enable(cldev);
if (ret < 0) {
dev_err(&cldev->dev, "failed to enable the device: %d\n", ret);
return ret;
}
ret = mei_cldev_register_rx_cb(cldev, iwl_mei_rx);
if (ret) {
dev_err(&cldev->dev,
"failed to register to the rx cb: %d\n", ret);
mei_cldev_disable(cldev);
return ret;
}
return 0;
}
struct iwl_mei_nvm *iwl_mei_get_nvm(void)
{
struct iwl_mei_nvm *nvm = NULL;
struct iwl_mei *mei;
int ret;
mutex_lock(&iwl_mei_mutex);
if (!iwl_mei_is_connected())
goto out;
mei = mei_cldev_get_drvdata(iwl_mei_global_cldev);
if (!mei)
goto out;
ret = iwl_mei_send_sap_msg(iwl_mei_global_cldev,
SAP_MSG_NOTIF_GET_NVM);
if (ret)
goto out;
mutex_unlock(&iwl_mei_mutex);
ret = wait_event_timeout(mei->get_nvm_wq, mei->nvm, 2 * HZ);
if (!ret)
return NULL;
mutex_lock(&iwl_mei_mutex);
if (!iwl_mei_is_connected())
goto out;
mei = mei_cldev_get_drvdata(iwl_mei_global_cldev);
if (!mei)
goto out;
if (mei->nvm)
nvm = kmemdup(mei->nvm, sizeof(*mei->nvm), GFP_KERNEL);
out:
mutex_unlock(&iwl_mei_mutex);
return nvm;
}
EXPORT_SYMBOL_GPL(iwl_mei_get_nvm);
int iwl_mei_get_ownership(void)
{
struct iwl_mei *mei;
int ret;
mutex_lock(&iwl_mei_mutex);
/* In case we didn't have a bind */
if (!iwl_mei_is_connected()) {
ret = 0;
goto out;
}
mei = mei_cldev_get_drvdata(iwl_mei_global_cldev);
if (!mei) {
ret = -ENODEV;
goto out;
}
if (!mei->amt_enabled) {
ret = 0;
goto out;
}
if (mei->got_ownership) {
ret = 0;
goto out;
}
ret = iwl_mei_send_sap_msg(mei->cldev,
SAP_MSG_NOTIF_HOST_ASKS_FOR_NIC_OWNERSHIP);
if (ret)
goto out;
mutex_unlock(&iwl_mei_mutex);
ret = wait_event_timeout(mei->get_ownership_wq,
mei->got_ownership, HZ / 2);
if (!ret)
return -ETIMEDOUT;
mutex_lock(&iwl_mei_mutex);
/* In case we didn't have a bind */
if (!iwl_mei_is_connected()) {
ret = 0;
goto out;
}
mei = mei_cldev_get_drvdata(iwl_mei_global_cldev);
if (!mei) {
ret = -ENODEV;
goto out;
}
ret = !mei->got_ownership;
out:
mutex_unlock(&iwl_mei_mutex);
return ret;
}
EXPORT_SYMBOL_GPL(iwl_mei_get_ownership);
void iwl_mei_host_associated(const struct iwl_mei_conn_info *conn_info,
const struct iwl_mei_colloc_info *colloc_info)
{
struct iwl_sap_notif_host_link_up msg = {
.hdr.type = cpu_to_le16(SAP_MSG_NOTIF_HOST_LINK_UP),
.hdr.len = cpu_to_le16(sizeof(msg) - sizeof(msg.hdr)),
.conn_info = {
.ssid_len = cpu_to_le32(conn_info->ssid_len),
.channel = conn_info->channel,
.band = conn_info->band,
.pairwise_cipher = cpu_to_le32(conn_info->pairwise_cipher),
.auth_mode = cpu_to_le32(conn_info->auth_mode),
},
};
struct iwl_mei *mei;
if (conn_info->ssid_len > ARRAY_SIZE(msg.conn_info.ssid))
return;
memcpy(msg.conn_info.ssid, conn_info->ssid, conn_info->ssid_len);
memcpy(msg.conn_info.bssid, conn_info->bssid, ETH_ALEN);
if (colloc_info) {
msg.colloc_channel = colloc_info->channel;
msg.colloc_band = colloc_info->channel <= 14 ? 0 : 1;
memcpy(msg.colloc_bssid, colloc_info->bssid, ETH_ALEN);
}
mutex_lock(&iwl_mei_mutex);
if (!iwl_mei_is_connected())
goto out;
mei = mei_cldev_get_drvdata(iwl_mei_global_cldev);
if (!mei)
goto out;
if (!mei->amt_enabled)
goto out;
iwl_mei_send_sap_msg_payload(mei->cldev, &msg.hdr);
out:
kfree(iwl_mei_cache.conn_info);
iwl_mei_cache.conn_info =
kmemdup(&msg.conn_info, sizeof(msg.conn_info), GFP_KERNEL);
mutex_unlock(&iwl_mei_mutex);
}
EXPORT_SYMBOL_GPL(iwl_mei_host_associated);
void iwl_mei_host_disassociated(void)
{
struct iwl_mei *mei;
struct iwl_sap_notif_host_link_down msg = {
.hdr.type = cpu_to_le16(SAP_MSG_NOTIF_HOST_LINK_DOWN),
.hdr.len = cpu_to_le16(sizeof(msg) - sizeof(msg.hdr)),
.type = HOST_LINK_DOWN_TYPE_LONG,
};
mutex_lock(&iwl_mei_mutex);
if (!iwl_mei_is_connected())
goto out;
mei = mei_cldev_get_drvdata(iwl_mei_global_cldev);
if (!mei)
goto out;
iwl_mei_send_sap_msg_payload(mei->cldev, &msg.hdr);
out:
kfree(iwl_mei_cache.conn_info);
iwl_mei_cache.conn_info = NULL;
mutex_unlock(&iwl_mei_mutex);
}
EXPORT_SYMBOL_GPL(iwl_mei_host_disassociated);
void iwl_mei_set_rfkill_state(bool hw_rfkill, bool sw_rfkill)
{
struct iwl_mei *mei;
u32 rfkill_state = 0;
struct iwl_sap_msg_dw msg = {
.hdr.type = cpu_to_le16(SAP_MSG_NOTIF_RADIO_STATE),
.hdr.len = cpu_to_le16(sizeof(msg) - sizeof(msg.hdr)),
};
if (!sw_rfkill)
rfkill_state |= SAP_SW_RFKILL_DEASSERTED;
if (!hw_rfkill)
rfkill_state |= SAP_HW_RFKILL_DEASSERTED;
mutex_lock(&iwl_mei_mutex);
if (!iwl_mei_is_connected())
goto out;
msg.val = cpu_to_le32(rfkill_state);
mei = mei_cldev_get_drvdata(iwl_mei_global_cldev);
if (!mei)
goto out;
iwl_mei_send_sap_msg_payload(mei->cldev, &msg.hdr);
out:
iwl_mei_cache.rf_kill = rfkill_state;
mutex_unlock(&iwl_mei_mutex);
}
EXPORT_SYMBOL_GPL(iwl_mei_set_rfkill_state);
void iwl_mei_set_nic_info(const u8 *mac_address, const u8 *nvm_address)
{
struct iwl_mei *mei;
struct iwl_sap_notif_host_nic_info msg = {
.hdr.type = cpu_to_le16(SAP_MSG_NOTIF_NIC_INFO),
.hdr.len = cpu_to_le16(sizeof(msg) - sizeof(msg.hdr)),
};
mutex_lock(&iwl_mei_mutex);
if (!iwl_mei_is_connected())
goto out;
ether_addr_copy(msg.mac_address, mac_address);
ether_addr_copy(msg.nvm_address, nvm_address);
mei = mei_cldev_get_drvdata(iwl_mei_global_cldev);
if (!mei)
goto out;
iwl_mei_send_sap_msg_payload(mei->cldev, &msg.hdr);
out:
ether_addr_copy(iwl_mei_cache.mac_address, mac_address);
ether_addr_copy(iwl_mei_cache.nvm_address, nvm_address);
mutex_unlock(&iwl_mei_mutex);
}
EXPORT_SYMBOL_GPL(iwl_mei_set_nic_info);
void iwl_mei_set_country_code(u16 mcc)
{
struct iwl_mei *mei;
struct iwl_sap_notif_country_code msg = {
.hdr.type = cpu_to_le16(SAP_MSG_NOTIF_COUNTRY_CODE),
.hdr.len = cpu_to_le16(sizeof(msg) - sizeof(msg.hdr)),
.mcc = cpu_to_le16(mcc),
};
mutex_lock(&iwl_mei_mutex);
if (!iwl_mei_is_connected())
goto out;
mei = mei_cldev_get_drvdata(iwl_mei_global_cldev);
if (!mei)
goto out;
iwl_mei_send_sap_msg_payload(mei->cldev, &msg.hdr);
out:
iwl_mei_cache.mcc = mcc;
mutex_unlock(&iwl_mei_mutex);
}
EXPORT_SYMBOL_GPL(iwl_mei_set_country_code);
void iwl_mei_set_power_limit(const __le16 *power_limit)
{
struct iwl_mei *mei;
struct iwl_sap_notif_sar_limits msg = {
.hdr.type = cpu_to_le16(SAP_MSG_NOTIF_SAR_LIMITS),
.hdr.len = cpu_to_le16(sizeof(msg) - sizeof(msg.hdr)),
};
mutex_lock(&iwl_mei_mutex);
if (!iwl_mei_is_connected())
goto out;
mei = mei_cldev_get_drvdata(iwl_mei_global_cldev);
if (!mei)
goto out;
memcpy(msg.sar_chain_info_table, power_limit, sizeof(msg.sar_chain_info_table));
iwl_mei_send_sap_msg_payload(mei->cldev, &msg.hdr);
out:
kfree(iwl_mei_cache.power_limit);
iwl_mei_cache.power_limit = kmemdup(power_limit,
sizeof(msg.sar_chain_info_table), GFP_KERNEL);
mutex_unlock(&iwl_mei_mutex);
}
EXPORT_SYMBOL_GPL(iwl_mei_set_power_limit);
void iwl_mei_set_netdev(struct net_device *netdev)
{
struct iwl_mei *mei;
mutex_lock(&iwl_mei_mutex);
if (!iwl_mei_is_connected()) {
rcu_assign_pointer(iwl_mei_cache.netdev, netdev);
goto out;
}
mei = mei_cldev_get_drvdata(iwl_mei_global_cldev);
if (!mei)
goto out;
if (!netdev) {
struct net_device *dev =
rcu_dereference_protected(iwl_mei_cache.netdev,
lockdep_is_held(&iwl_mei_mutex));
if (!dev)
goto out;
netdev_rx_handler_unregister(dev);
}
rcu_assign_pointer(iwl_mei_cache.netdev, netdev);
if (netdev && mei->amt_enabled)
netdev_rx_handler_register(netdev, iwl_mei_rx_handler, mei);
out:
mutex_unlock(&iwl_mei_mutex);
}
EXPORT_SYMBOL_GPL(iwl_mei_set_netdev);
void iwl_mei_device_down(void)
{
struct iwl_mei *mei;
mutex_lock(&iwl_mei_mutex);
if (!iwl_mei_is_connected())
goto out;
mei = mei_cldev_get_drvdata(iwl_mei_global_cldev);
if (!mei)
goto out;
if (!mei->csme_taking_ownership)
goto out;
iwl_mei_send_sap_msg(mei->cldev,
SAP_MSG_NOTIF_CSME_OWNERSHIP_CONFIRMED);
mei->csme_taking_ownership = false;
out:
mutex_unlock(&iwl_mei_mutex);
}
EXPORT_SYMBOL_GPL(iwl_mei_device_down);
int iwl_mei_register(void *priv, const struct iwl_mei_ops *ops)
{
int ret;
/*
* We must have a non-NULL priv pointer to not crash when there are
* multiple WiFi devices.
*/
if (!priv)
return -EINVAL;
mutex_lock(&iwl_mei_mutex);
/* do not allow registration if someone else already registered */
if (iwl_mei_cache.priv || iwl_mei_cache.ops) {
ret = -EBUSY;
goto out;
}
iwl_mei_cache.priv = priv;
iwl_mei_cache.ops = ops;
if (iwl_mei_global_cldev) {
struct iwl_mei *mei =
mei_cldev_get_drvdata(iwl_mei_global_cldev);
/* we have already a SAP connection */
if (iwl_mei_is_connected())
iwl_mei_send_sap_msg(mei->cldev,
SAP_MSG_NOTIF_WIFIDR_UP);
}
ret = 0;
out:
mutex_unlock(&iwl_mei_mutex);
return ret;
}
EXPORT_SYMBOL_GPL(iwl_mei_register);
void iwl_mei_start_unregister(void)
{
mutex_lock(&iwl_mei_mutex);
/* At this point, the wifi driver should have removed the netdev */
if (rcu_access_pointer(iwl_mei_cache.netdev))
pr_err("Still had a netdev pointer set upon unregister\n");
kfree(iwl_mei_cache.conn_info);
iwl_mei_cache.conn_info = NULL;
kfree(iwl_mei_cache.power_limit);
iwl_mei_cache.power_limit = NULL;
iwl_mei_cache.ops = NULL;
/* leave iwl_mei_cache.priv non-NULL to prevent any new registration */
mutex_unlock(&iwl_mei_mutex);
}
EXPORT_SYMBOL_GPL(iwl_mei_start_unregister);
void iwl_mei_unregister_complete(void)
{
mutex_lock(&iwl_mei_mutex);
iwl_mei_cache.priv = NULL;
if (iwl_mei_global_cldev) {
struct iwl_mei *mei =
mei_cldev_get_drvdata(iwl_mei_global_cldev);
iwl_mei_send_sap_msg(mei->cldev, SAP_MSG_NOTIF_WIFIDR_DOWN);
}
mutex_unlock(&iwl_mei_mutex);
}
EXPORT_SYMBOL_GPL(iwl_mei_unregister_complete);
#if IS_ENABLED(CONFIG_DEBUG_FS)
static ssize_t
iwl_mei_dbgfs_send_start_message_write(struct file *file,
const char __user *user_buf,
size_t count, loff_t *ppos)
{
int ret;
mutex_lock(&iwl_mei_mutex);
if (!iwl_mei_global_cldev) {
ret = -ENODEV;
goto out;
}
ret = iwl_mei_send_start(iwl_mei_global_cldev);
out:
mutex_unlock(&iwl_mei_mutex);
return ret ?: count;
}
static const struct file_operations iwl_mei_dbgfs_send_start_message_ops = {
.write = iwl_mei_dbgfs_send_start_message_write,
.open = simple_open,
.llseek = default_llseek,
};
static ssize_t iwl_mei_dbgfs_req_ownership_write(struct file *file,
const char __user *user_buf,
size_t count, loff_t *ppos)
{
iwl_mei_get_ownership();
return count;
}
static const struct file_operations iwl_mei_dbgfs_req_ownership_ops = {
.write = iwl_mei_dbgfs_req_ownership_write,
.open = simple_open,
.llseek = default_llseek,
};
static void iwl_mei_dbgfs_register(struct iwl_mei *mei)
{
mei->dbgfs_dir = debugfs_create_dir(KBUILD_MODNAME, NULL);
if (!mei->dbgfs_dir)
return;
debugfs_create_ulong("status", S_IRUSR,
mei->dbgfs_dir, &iwl_mei_status);
debugfs_create_file("send_start_message", S_IWUSR, mei->dbgfs_dir,
mei, &iwl_mei_dbgfs_send_start_message_ops);
debugfs_create_file("req_ownserhip", S_IWUSR, mei->dbgfs_dir,
mei, &iwl_mei_dbgfs_req_ownership_ops);
}
static void iwl_mei_dbgfs_unregister(struct iwl_mei *mei)
{
debugfs_remove_recursive(mei->dbgfs_dir);
mei->dbgfs_dir = NULL;
}
#else
static void iwl_mei_dbgfs_register(struct iwl_mei *mei) {}
static void iwl_mei_dbgfs_unregister(struct iwl_mei *mei) {}
#endif /* CONFIG_DEBUG_FS */
/**
* iwl_mei_probe - the probe function called by the mei bus enumeration
*
* This allocates the data needed by iwlmei and sets a pointer to this data
* into the mei_cl_device's drvdata.
* It starts the SAP protocol by sending the SAP_ME_MSG_START without
* waiting for the answer. The answer will be caught later by the Rx callback.
*/
static int iwl_mei_probe(struct mei_cl_device *cldev,
const struct mei_cl_device_id *id)
{
struct iwl_mei *mei;
int ret;
mei = devm_kzalloc(&cldev->dev, sizeof(*mei), GFP_KERNEL);
if (!mei)
return -ENOMEM;
init_waitqueue_head(&mei->get_nvm_wq);
INIT_WORK(&mei->send_csa_msg_wk, iwl_mei_send_csa_msg_wk);
INIT_DELAYED_WORK(&mei->csa_throttle_end_wk,
iwl_mei_csa_throttle_end_wk);
init_waitqueue_head(&mei->get_ownership_wq);
spin_lock_init(&mei->data_q_lock);
mei_cldev_set_drvdata(cldev, mei);
mei->cldev = cldev;
ret = iwl_mei_alloc_shared_mem(cldev);
if (ret)
goto free;
iwl_mei_init_shared_mem(mei);
ret = iwl_mei_enable(cldev);
if (ret)
goto free_shared_mem;
iwl_mei_dbgfs_register(mei);
/*
* We now have a Rx function in place, start the SAP procotol
* we expect to get the SAP_ME_MSG_START_OK response later on.
*/
mutex_lock(&iwl_mei_mutex);
ret = iwl_mei_send_start(cldev);
mutex_unlock(&iwl_mei_mutex);
if (ret)
goto debugfs_unregister;
/* must be last */
iwl_mei_global_cldev = cldev;
return 0;
debugfs_unregister:
iwl_mei_dbgfs_unregister(mei);
mei_cldev_disable(cldev);
free_shared_mem:
iwl_mei_free_shared_mem(cldev);
free:
mei_cldev_set_drvdata(cldev, NULL);
devm_kfree(&cldev->dev, mei);
return ret;
}
#define SEND_SAP_MAX_WAIT_ITERATION 10
static void iwl_mei_remove(struct mei_cl_device *cldev)
{
struct iwl_mei *mei = mei_cldev_get_drvdata(cldev);
int i;
/*
* We are being removed while the bus is active, it means we are
* going to suspend/ shutdown, so the NIC will disappear.
*/
if (mei_cldev_enabled(cldev) && iwl_mei_cache.ops)
iwl_mei_cache.ops->nic_stolen(iwl_mei_cache.priv);
if (rcu_access_pointer(iwl_mei_cache.netdev)) {
struct net_device *dev;
/*
* First take rtnl and only then the mutex to avoid an ABBA
* with iwl_mei_set_netdev()
*/
rtnl_lock();
mutex_lock(&iwl_mei_mutex);
/*
* If we are suspending and the wifi driver hasn't removed it's netdev
* yet, do it now. In any case, don't change the cache.netdev pointer.
*/
dev = rcu_dereference_protected(iwl_mei_cache.netdev,
lockdep_is_held(&iwl_mei_mutex));
netdev_rx_handler_unregister(dev);
mutex_unlock(&iwl_mei_mutex);
rtnl_unlock();
}
mutex_lock(&iwl_mei_mutex);
/*
* Tell CSME that we are going down so that it won't access the
* memory anymore, make sure this message goes through immediately.
*/
mei->csa_throttled = false;
iwl_mei_send_sap_msg(mei->cldev,
SAP_MSG_NOTIF_HOST_GOES_DOWN);
for (i = 0; i < SEND_SAP_MAX_WAIT_ITERATION; i++) {
if (!iwl_mei_host_to_me_data_pending(mei))
break;
msleep(5);
}
/*
* If we couldn't make sure that CSME saw the HOST_GOES_DOWN message,
* it means that it will probably keep reading memory that we are going
* to unmap and free, expect IOMMU error messages.
*/
if (i == SEND_SAP_MAX_WAIT_ITERATION)
dev_err(&mei->cldev->dev,
"Couldn't get ACK from CSME on HOST_GOES_DOWN message\n");
mutex_unlock(&iwl_mei_mutex);
/*
* This looks strange, but this lock is taken here to make sure that
* iwl_mei_add_data_to_ring called from the Tx path sees that we
* clear the IWL_MEI_STATUS_SAP_CONNECTED bit.
* Rx isn't a problem because the rx_handler can't be called after
* having been unregistered.
*/
spin_lock_bh(&mei->data_q_lock);
clear_bit(IWL_MEI_STATUS_SAP_CONNECTED, &iwl_mei_status);
spin_unlock_bh(&mei->data_q_lock);
if (iwl_mei_cache.ops)
iwl_mei_cache.ops->rfkill(iwl_mei_cache.priv, false);
/*
* mei_cldev_disable will return only after all the MEI Rx is done.
* It must be called when iwl_mei_mutex is *not* held, since it waits
* for our Rx handler to complete.
* After it returns, no new Rx will start.
*/
mei_cldev_disable(cldev);
/*
* Since the netdev was already removed and the netdev's removal
* includes a call to synchronize_net() so that we know there won't be
* any new Rx that will trigger the following workers.
*/
cancel_work_sync(&mei->send_csa_msg_wk);
cancel_delayed_work_sync(&mei->csa_throttle_end_wk);
/*
* If someone waits for the ownership, let him know that we are going
* down and that we are not connected anymore. He'll be able to take
* the device.
*/
wake_up_all(&mei->get_ownership_wq);
mutex_lock(&iwl_mei_mutex);
iwl_mei_global_cldev = NULL;
wake_up_all(&mei->get_nvm_wq);
iwl_mei_free_shared_mem(cldev);
iwl_mei_dbgfs_unregister(mei);
mei_cldev_set_drvdata(cldev, NULL);
kfree(mei->nvm);
kfree(rcu_access_pointer(mei->filters));
devm_kfree(&cldev->dev, mei);
mutex_unlock(&iwl_mei_mutex);
}
static const struct mei_cl_device_id iwl_mei_tbl[] = {
{ KBUILD_MODNAME, MEI_WLAN_UUID, MEI_CL_VERSION_ANY},
/* required last entry */
{ }
};
/*
* Do not export the device table because this module is loaded by
* iwlwifi's dependency.
*/
static struct mei_cl_driver iwl_mei_cl_driver = {
.id_table = iwl_mei_tbl,
.name = KBUILD_MODNAME,
.probe = iwl_mei_probe,
.remove = iwl_mei_remove,
};
module_mei_cl_driver(iwl_mei_cl_driver);