1// SPDX-License-Identifier: GPL-2.0-only
2/*
3 * HT handling
4 *
5 * Copyright 2003, Jouni Malinen <jkmaline@cc.hut.fi>
6 * Copyright 2002-2005, Instant802 Networks, Inc.
7 * Copyright 2005-2006, Devicescape Software, Inc.
8 * Copyright 2006-2007 Jiri Benc <jbenc@suse.cz>
9 * Copyright 2007, Michael Wu <flamingice@sourmilk.net>
10 * Copyright 2007-2010, Intel Corporation
11 * Copyright(c) 2015-2017 Intel Deutschland GmbH
12 * Copyright (C) 2018-2024 Intel Corporation
13 */
14
15/**
16 * DOC: RX A-MPDU aggregation
17 *
18 * Aggregation on the RX side requires only implementing the
19 * @ampdu_action callback that is invoked to start/stop any
20 * block-ack sessions for RX aggregation.
21 *
22 * When RX aggregation is started by the peer, the driver is
23 * notified via @ampdu_action function, with the
24 * %IEEE80211_AMPDU_RX_START action, and may reject the request
25 * in which case a negative response is sent to the peer, if it
26 * accepts it a positive response is sent.
27 *
28 * While the session is active, the device/driver are required
29 * to de-aggregate frames and pass them up one by one to mac80211,
30 * which will handle the reorder buffer.
31 *
32 * When the aggregation session is stopped again by the peer or
33 * ourselves, the driver's @ampdu_action function will be called
34 * with the action %IEEE80211_AMPDU_RX_STOP. In this case, the
35 * call must not fail.
36 */
37
38#include <linux/ieee80211.h>
39#include <linux/slab.h>
40#include <linux/export.h>
41#include <net/mac80211.h>
42#include "ieee80211_i.h"
43#include "driver-ops.h"
44
45static void ieee80211_free_tid_rx(struct rcu_head *h)
46{
47 struct tid_ampdu_rx *tid_rx =
48 container_of(h, struct tid_ampdu_rx, rcu_head);
49 int i;
50
51 for (i = 0; i < tid_rx->buf_size; i++)
52 __skb_queue_purge(list: &tid_rx->reorder_buf[i]);
53 kfree(objp: tid_rx->reorder_buf);
54 kfree(objp: tid_rx->reorder_time);
55 kfree(objp: tid_rx);
56}
57
58void __ieee80211_stop_rx_ba_session(struct sta_info *sta, u16 tid,
59 u16 initiator, u16 reason, bool tx)
60{
61 struct ieee80211_local *local = sta->local;
62 struct tid_ampdu_rx *tid_rx;
63 struct ieee80211_ampdu_params params = {
64 .sta = &sta->sta,
65 .action = IEEE80211_AMPDU_RX_STOP,
66 .tid = tid,
67 .amsdu = false,
68 .timeout = 0,
69 .ssn = 0,
70 };
71
72 lockdep_assert_wiphy(sta->local->hw.wiphy);
73
74 tid_rx = rcu_dereference_protected(sta->ampdu_mlme.tid_rx[tid],
75 lockdep_is_held(&sta->local->hw.wiphy->mtx));
76
77 if (!test_bit(tid, sta->ampdu_mlme.agg_session_valid))
78 return;
79
80 RCU_INIT_POINTER(sta->ampdu_mlme.tid_rx[tid], NULL);
81 __clear_bit(tid, sta->ampdu_mlme.agg_session_valid);
82
83 ht_dbg(sta->sdata,
84 "Rx BA session stop requested for %pM tid %u %s reason: %d\n",
85 sta->sta.addr, tid,
86 initiator == WLAN_BACK_RECIPIENT ? "recipient" : "initiator",
87 (int)reason);
88
89 if (drv_ampdu_action(local, sdata: sta->sdata, params: &params))
90 sdata_info(sta->sdata,
91 "HW problem - can not stop rx aggregation for %pM tid %d\n",
92 sta->sta.addr, tid);
93
94 /* check if this is a self generated aggregation halt */
95 if (initiator == WLAN_BACK_RECIPIENT && tx)
96 ieee80211_send_delba(sdata: sta->sdata, da: sta->sta.addr,
97 tid, initiator: WLAN_BACK_RECIPIENT, reason_code: reason);
98
99 /*
100 * return here in case tid_rx is not assigned - which will happen if
101 * IEEE80211_HW_SUPPORTS_REORDERING_BUFFER is set.
102 */
103 if (!tid_rx)
104 return;
105
106 timer_delete_sync(timer: &tid_rx->session_timer);
107
108 /* make sure ieee80211_sta_reorder_release() doesn't re-arm the timer */
109 spin_lock_bh(lock: &tid_rx->reorder_lock);
110 tid_rx->removed = true;
111 spin_unlock_bh(lock: &tid_rx->reorder_lock);
112 timer_delete_sync(timer: &tid_rx->reorder_timer);
113
114 call_rcu(head: &tid_rx->rcu_head, func: ieee80211_free_tid_rx);
115}
116
117void ieee80211_stop_rx_ba_session(struct ieee80211_vif *vif, u16 ba_rx_bitmap,
118 const u8 *addr)
119{
120 struct ieee80211_sub_if_data *sdata = vif_to_sdata(p: vif);
121 struct sta_info *sta;
122 int i;
123
124 rcu_read_lock();
125 sta = sta_info_get_bss(sdata, addr);
126 if (!sta) {
127 rcu_read_unlock();
128 return;
129 }
130
131 for (i = 0; i < IEEE80211_NUM_TIDS; i++)
132 if (ba_rx_bitmap & BIT(i))
133 set_bit(nr: i, addr: sta->ampdu_mlme.tid_rx_stop_requested);
134
135 wiphy_work_queue(wiphy: sta->local->hw.wiphy, work: &sta->ampdu_mlme.work);
136 rcu_read_unlock();
137}
138EXPORT_SYMBOL(ieee80211_stop_rx_ba_session);
139
140/*
141 * After accepting the AddBA Request we activated a timer,
142 * resetting it after each frame that arrives from the originator.
143 */
144static void sta_rx_agg_session_timer_expired(struct timer_list *t)
145{
146 struct tid_ampdu_rx *tid_rx = timer_container_of(tid_rx, t,
147 session_timer);
148 struct sta_info *sta = tid_rx->sta;
149 u8 tid = tid_rx->tid;
150 unsigned long timeout;
151
152 timeout = tid_rx->last_rx + TU_TO_JIFFIES(tid_rx->timeout);
153 if (time_is_after_jiffies(timeout)) {
154 mod_timer(timer: &tid_rx->session_timer, expires: timeout);
155 return;
156 }
157
158 ht_dbg(sta->sdata, "RX session timer expired on %pM tid %d\n",
159 sta->sta.addr, tid);
160
161 set_bit(nr: tid, addr: sta->ampdu_mlme.tid_rx_timer_expired);
162 wiphy_work_queue(wiphy: sta->local->hw.wiphy, work: &sta->ampdu_mlme.work);
163}
164
165static void sta_rx_agg_reorder_timer_expired(struct timer_list *t)
166{
167 struct tid_ampdu_rx *tid_rx = timer_container_of(tid_rx, t,
168 reorder_timer);
169
170 rcu_read_lock();
171 ieee80211_release_reorder_timeout(sta: tid_rx->sta, tid: tid_rx->tid);
172 rcu_read_unlock();
173}
174
175void ieee80211_add_addbaext(struct sk_buff *skb,
176 const u8 req_addba_ext_data,
177 u16 buf_size)
178{
179 struct ieee80211_addba_ext_ie *addba_ext;
180 u8 *pos;
181
182 pos = skb_put_zero(skb, len: 2 + sizeof(struct ieee80211_addba_ext_ie));
183 *pos++ = WLAN_EID_ADDBA_EXT;
184 *pos++ = sizeof(struct ieee80211_addba_ext_ie);
185 addba_ext = (struct ieee80211_addba_ext_ie *)pos;
186
187 addba_ext->data = IEEE80211_ADDBA_EXT_NO_FRAG;
188 if (req_addba_ext_data)
189 addba_ext->data &= req_addba_ext_data;
190
191 addba_ext->data |=
192 u8_encode_bits(v: buf_size >> IEEE80211_ADDBA_EXT_BUF_SIZE_SHIFT,
193 IEEE80211_ADDBA_EXT_BUF_SIZE_MASK);
194}
195
196u8 ieee80211_retrieve_addba_ext_data(struct sta_info *sta,
197 const void *elem_data, ssize_t elem_len,
198 u16 *buf_size)
199{
200 struct ieee802_11_elems *elems;
201 u8 buf_size_1k, data = 0;
202
203 if (!sta->sta.deflink.he_cap.has_he)
204 return 0;
205
206 if (elem_len <= 0)
207 return 0;
208
209 elems = ieee802_11_parse_elems(start: elem_data, len: elem_len, action: true, NULL);
210
211 if (!elems || elems->parse_error || !elems->addba_ext_ie)
212 goto free;
213
214 data = elems->addba_ext_ie->data;
215
216 if (buf_size &&
217 (sta->sta.valid_links || sta->sta.deflink.eht_cap.has_eht)) {
218 buf_size_1k = u8_get_bits(v: elems->addba_ext_ie->data,
219 IEEE80211_ADDBA_EXT_BUF_SIZE_MASK);
220 *buf_size |= (u16)buf_size_1k <<
221 IEEE80211_ADDBA_EXT_BUF_SIZE_SHIFT;
222 }
223
224free:
225 kfree(objp: elems);
226
227 return data;
228}
229
230static void ieee80211_send_addba_resp(struct sta_info *sta, u8 *da, u16 tid,
231 u8 dialog_token, u16 status, u16 policy,
232 u16 buf_size, u16 timeout,
233 const u8 req_addba_ext_data)
234{
235 struct ieee80211_sub_if_data *sdata = sta->sdata;
236 struct ieee80211_local *local = sdata->local;
237 struct sk_buff *skb;
238 struct ieee80211_mgmt *mgmt;
239 bool amsdu = ieee80211_hw_check(&local->hw, SUPPORTS_AMSDU_IN_AMPDU);
240 u16 capab;
241
242 skb = dev_alloc_skb(length: sizeof(*mgmt) +
243 2 + sizeof(struct ieee80211_addba_ext_ie) +
244 local->hw.extra_tx_headroom);
245 if (!skb)
246 return;
247
248 skb_reserve(skb, len: local->hw.extra_tx_headroom);
249 mgmt = ieee80211_mgmt_ba(skb, da, sdata);
250
251 skb_put(skb, len: 1 + sizeof(mgmt->u.action.u.addba_resp));
252 mgmt->u.action.category = WLAN_CATEGORY_BACK;
253 mgmt->u.action.u.addba_resp.action_code = WLAN_ACTION_ADDBA_RESP;
254 mgmt->u.action.u.addba_resp.dialog_token = dialog_token;
255
256 capab = u16_encode_bits(v: amsdu, IEEE80211_ADDBA_PARAM_AMSDU_MASK);
257 capab |= u16_encode_bits(v: policy, IEEE80211_ADDBA_PARAM_POLICY_MASK);
258 capab |= u16_encode_bits(v: tid, IEEE80211_ADDBA_PARAM_TID_MASK);
259 capab |= u16_encode_bits(v: buf_size, IEEE80211_ADDBA_PARAM_BUF_SIZE_MASK);
260
261 mgmt->u.action.u.addba_resp.capab = cpu_to_le16(capab);
262 mgmt->u.action.u.addba_resp.timeout = cpu_to_le16(timeout);
263 mgmt->u.action.u.addba_resp.status = cpu_to_le16(status);
264
265 if (sta->sta.valid_links || sta->sta.deflink.he_cap.has_he)
266 ieee80211_add_addbaext(skb, req_addba_ext_data, buf_size);
267
268 ieee80211_tx_skb(sdata, skb);
269}
270
271void __ieee80211_start_rx_ba_session(struct sta_info *sta,
272 u8 dialog_token, u16 timeout,
273 u16 start_seq_num, u16 ba_policy, u16 tid,
274 u16 buf_size, bool tx, bool auto_seq,
275 const u8 addba_ext_data)
276{
277 struct ieee80211_local *local = sta->sdata->local;
278 struct tid_ampdu_rx *tid_agg_rx;
279 struct ieee80211_ampdu_params params = {
280 .sta = &sta->sta,
281 .action = IEEE80211_AMPDU_RX_START,
282 .tid = tid,
283 .amsdu = false,
284 .timeout = timeout,
285 .ssn = start_seq_num,
286 };
287 int i, ret = -EOPNOTSUPP;
288 u16 status = WLAN_STATUS_REQUEST_DECLINED;
289 u16 max_buf_size;
290
291 lockdep_assert_wiphy(sta->local->hw.wiphy);
292
293 if (tid >= IEEE80211_FIRST_TSPEC_TSID) {
294 ht_dbg(sta->sdata,
295 "STA %pM requests BA session on unsupported tid %d\n",
296 sta->sta.addr, tid);
297 goto end;
298 }
299
300 if (!sta->sta.valid_links &&
301 !sta->sta.deflink.ht_cap.ht_supported &&
302 !sta->sta.deflink.he_cap.has_he &&
303 !sta->sta.deflink.s1g_cap.s1g) {
304 ht_dbg(sta->sdata,
305 "STA %pM erroneously requests BA session on tid %d w/o HT\n",
306 sta->sta.addr, tid);
307 /* send a response anyway, it's an error case if we get here */
308 goto end;
309 }
310
311 if (test_sta_flag(sta, flag: WLAN_STA_BLOCK_BA)) {
312 ht_dbg(sta->sdata,
313 "Suspend in progress - Denying ADDBA request (%pM tid %d)\n",
314 sta->sta.addr, tid);
315 goto end;
316 }
317
318 if (sta->sta.valid_links || sta->sta.deflink.eht_cap.has_eht)
319 max_buf_size = IEEE80211_MAX_AMPDU_BUF_EHT;
320 else if (sta->sta.deflink.he_cap.has_he)
321 max_buf_size = IEEE80211_MAX_AMPDU_BUF_HE;
322 else
323 max_buf_size = IEEE80211_MAX_AMPDU_BUF_HT;
324
325 /* sanity check for incoming parameters:
326 * check if configuration can support the BA policy
327 * and if buffer size does not exceeds max value */
328 /* XXX: check own ht delayed BA capability?? */
329 if (((ba_policy != 1) &&
330 (sta->sta.valid_links ||
331 !(sta->sta.deflink.ht_cap.cap & IEEE80211_HT_CAP_DELAY_BA) ||
332 !(sta->sta.deflink.s1g_cap.cap[3] & S1G_CAP3_HT_DELAYED_BA))) ||
333 (buf_size > max_buf_size)) {
334 status = WLAN_STATUS_INVALID_QOS_PARAM;
335 ht_dbg_ratelimited(sta->sdata,
336 "AddBA Req with bad params from %pM on tid %u. policy %d, buffer size %d\n",
337 sta->sta.addr, tid, ba_policy, buf_size);
338 goto end;
339 }
340 /* determine default buffer size */
341 if (buf_size == 0)
342 buf_size = max_buf_size;
343
344 /* make sure the size doesn't exceed the maximum supported by the hw */
345 if (buf_size > sta->sta.max_rx_aggregation_subframes)
346 buf_size = sta->sta.max_rx_aggregation_subframes;
347 params.buf_size = buf_size;
348
349 ht_dbg(sta->sdata, "AddBA Req buf_size=%d for %pM\n",
350 buf_size, sta->sta.addr);
351
352 if (test_bit(tid, sta->ampdu_mlme.agg_session_valid)) {
353 if (sta->ampdu_mlme.tid_rx_token[tid] == dialog_token) {
354 struct tid_ampdu_rx *tid_rx;
355
356 ht_dbg_ratelimited(sta->sdata,
357 "updated AddBA Req from %pM on tid %u\n",
358 sta->sta.addr, tid);
359 /* We have no API to update the timeout value in the
360 * driver so reject the timeout update if the timeout
361 * changed. If it did not change, i.e., no real update,
362 * just reply with success.
363 */
364 rcu_read_lock();
365 tid_rx = rcu_dereference(sta->ampdu_mlme.tid_rx[tid]);
366 if (tid_rx && tid_rx->timeout == timeout)
367 status = WLAN_STATUS_SUCCESS;
368 else
369 status = WLAN_STATUS_REQUEST_DECLINED;
370 rcu_read_unlock();
371 goto end;
372 }
373
374 ht_dbg_ratelimited(sta->sdata,
375 "unexpected AddBA Req from %pM on tid %u\n",
376 sta->sta.addr, tid);
377
378 /* delete existing Rx BA session on the same tid */
379 __ieee80211_stop_rx_ba_session(sta, tid, initiator: WLAN_BACK_RECIPIENT,
380 reason: WLAN_STATUS_UNSPECIFIED_QOS,
381 tx: false);
382 }
383
384 if (ieee80211_hw_check(&local->hw, SUPPORTS_REORDERING_BUFFER)) {
385 ret = drv_ampdu_action(local, sdata: sta->sdata, params: &params);
386 ht_dbg(sta->sdata,
387 "Rx A-MPDU request on %pM tid %d result %d\n",
388 sta->sta.addr, tid, ret);
389 if (!ret)
390 status = WLAN_STATUS_SUCCESS;
391 goto end;
392 }
393
394 /* prepare A-MPDU MLME for Rx aggregation */
395 tid_agg_rx = kzalloc(sizeof(*tid_agg_rx), GFP_KERNEL);
396 if (!tid_agg_rx)
397 goto end;
398
399 spin_lock_init(&tid_agg_rx->reorder_lock);
400
401 /* rx timer */
402 timer_setup(&tid_agg_rx->session_timer,
403 sta_rx_agg_session_timer_expired, TIMER_DEFERRABLE);
404
405 /* rx reorder timer */
406 timer_setup(&tid_agg_rx->reorder_timer,
407 sta_rx_agg_reorder_timer_expired, 0);
408
409 /* prepare reordering buffer */
410 tid_agg_rx->reorder_buf =
411 kcalloc(buf_size, sizeof(struct sk_buff_head), GFP_KERNEL);
412 tid_agg_rx->reorder_time =
413 kcalloc(buf_size, sizeof(unsigned long), GFP_KERNEL);
414 if (!tid_agg_rx->reorder_buf || !tid_agg_rx->reorder_time) {
415 kfree(objp: tid_agg_rx->reorder_buf);
416 kfree(objp: tid_agg_rx->reorder_time);
417 kfree(objp: tid_agg_rx);
418 goto end;
419 }
420
421 for (i = 0; i < buf_size; i++)
422 __skb_queue_head_init(list: &tid_agg_rx->reorder_buf[i]);
423
424 ret = drv_ampdu_action(local, sdata: sta->sdata, params: &params);
425 ht_dbg(sta->sdata, "Rx A-MPDU request on %pM tid %d result %d\n",
426 sta->sta.addr, tid, ret);
427 if (ret) {
428 kfree(objp: tid_agg_rx->reorder_buf);
429 kfree(objp: tid_agg_rx->reorder_time);
430 kfree(objp: tid_agg_rx);
431 goto end;
432 }
433
434 /* update data */
435 tid_agg_rx->ssn = start_seq_num;
436 tid_agg_rx->head_seq_num = start_seq_num;
437 tid_agg_rx->buf_size = buf_size;
438 tid_agg_rx->timeout = timeout;
439 tid_agg_rx->stored_mpdu_num = 0;
440 tid_agg_rx->auto_seq = auto_seq;
441 tid_agg_rx->started = false;
442 tid_agg_rx->reorder_buf_filtered = 0;
443 tid_agg_rx->tid = tid;
444 tid_agg_rx->sta = sta;
445 status = WLAN_STATUS_SUCCESS;
446
447 /* activate it for RX */
448 rcu_assign_pointer(sta->ampdu_mlme.tid_rx[tid], tid_agg_rx);
449
450 if (timeout) {
451 mod_timer(timer: &tid_agg_rx->session_timer, TU_TO_EXP_TIME(timeout));
452 tid_agg_rx->last_rx = jiffies;
453 }
454
455end:
456 if (status == WLAN_STATUS_SUCCESS) {
457 __set_bit(tid, sta->ampdu_mlme.agg_session_valid);
458 __clear_bit(tid, sta->ampdu_mlme.unexpected_agg);
459 sta->ampdu_mlme.tid_rx_token[tid] = dialog_token;
460 }
461
462 if (tx)
463 ieee80211_send_addba_resp(sta, da: sta->sta.addr, tid,
464 dialog_token, status, policy: 1, buf_size,
465 timeout, req_addba_ext_data: addba_ext_data);
466}
467
468void ieee80211_process_addba_request(struct ieee80211_local *local,
469 struct sta_info *sta,
470 struct ieee80211_mgmt *mgmt,
471 size_t len)
472{
473 u16 capab, tid, timeout, ba_policy, buf_size, start_seq_num;
474 u8 dialog_token, addba_ext_data;
475
476 /* extract session parameters from addba request frame */
477 dialog_token = mgmt->u.action.u.addba_req.dialog_token;
478 timeout = le16_to_cpu(mgmt->u.action.u.addba_req.timeout);
479 start_seq_num =
480 le16_to_cpu(mgmt->u.action.u.addba_req.start_seq_num) >> 4;
481
482 capab = le16_to_cpu(mgmt->u.action.u.addba_req.capab);
483 ba_policy = (capab & IEEE80211_ADDBA_PARAM_POLICY_MASK) >> 1;
484 tid = (capab & IEEE80211_ADDBA_PARAM_TID_MASK) >> 2;
485 buf_size = (capab & IEEE80211_ADDBA_PARAM_BUF_SIZE_MASK) >> 6;
486
487 addba_ext_data =
488 ieee80211_retrieve_addba_ext_data(sta,
489 elem_data: mgmt->u.action.u.addba_req.variable,
490 elem_len: len -
491 offsetof(typeof(*mgmt),
492 u.action.u.addba_req.variable),
493 buf_size: &buf_size);
494
495 __ieee80211_start_rx_ba_session(sta, dialog_token, timeout,
496 start_seq_num, ba_policy, tid,
497 buf_size, tx: true, auto_seq: false, addba_ext_data);
498}
499
500void ieee80211_manage_rx_ba_offl(struct ieee80211_vif *vif,
501 const u8 *addr, unsigned int tid)
502{
503 struct ieee80211_sub_if_data *sdata = vif_to_sdata(p: vif);
504 struct sta_info *sta;
505
506 rcu_read_lock();
507 sta = sta_info_get_bss(sdata, addr);
508 if (!sta)
509 goto unlock;
510
511 set_bit(nr: tid, addr: sta->ampdu_mlme.tid_rx_manage_offl);
512 wiphy_work_queue(wiphy: sta->local->hw.wiphy, work: &sta->ampdu_mlme.work);
513 unlock:
514 rcu_read_unlock();
515}
516EXPORT_SYMBOL(ieee80211_manage_rx_ba_offl);
517
518void ieee80211_rx_ba_timer_expired(struct ieee80211_vif *vif,
519 const u8 *addr, unsigned int tid)
520{
521 struct ieee80211_sub_if_data *sdata = vif_to_sdata(p: vif);
522 struct sta_info *sta;
523
524 rcu_read_lock();
525 sta = sta_info_get_bss(sdata, addr);
526 if (!sta)
527 goto unlock;
528
529 set_bit(nr: tid, addr: sta->ampdu_mlme.tid_rx_timer_expired);
530 wiphy_work_queue(wiphy: sta->local->hw.wiphy, work: &sta->ampdu_mlme.work);
531
532 unlock:
533 rcu_read_unlock();
534}
535EXPORT_SYMBOL(ieee80211_rx_ba_timer_expired);
536