cachepc-linux

Fork of AMDESE/linux with modifications for CachePC side-channel attack
git clone https://git.sinitax.com/sinitax/cachepc-linux
Log | Files | Refs | README | LICENSE | sfeed.txt

agg-tx.c (30512B)


      1// SPDX-License-Identifier: GPL-2.0-only
      2/*
      3 * HT handling
      4 *
      5 * Copyright 2003, Jouni Malinen <jkmaline@cc.hut.fi>
      6 * Copyright 2002-2005, Instant802 Networks, Inc.
      7 * Copyright 2005-2006, Devicescape Software, Inc.
      8 * Copyright 2006-2007	Jiri Benc <jbenc@suse.cz>
      9 * Copyright 2007, Michael Wu <flamingice@sourmilk.net>
     10 * Copyright 2007-2010, Intel Corporation
     11 * Copyright(c) 2015-2017 Intel Deutschland GmbH
     12 * Copyright (C) 2018 - 2022 Intel Corporation
     13 */
     14
     15#include <linux/ieee80211.h>
     16#include <linux/slab.h>
     17#include <linux/export.h>
     18#include <net/mac80211.h>
     19#include "ieee80211_i.h"
     20#include "driver-ops.h"
     21#include "wme.h"
     22
     23/**
     24 * DOC: TX A-MPDU aggregation
     25 *
     26 * Aggregation on the TX side requires setting the hardware flag
     27 * %IEEE80211_HW_AMPDU_AGGREGATION. The driver will then be handed
     28 * packets with a flag indicating A-MPDU aggregation. The driver
     29 * or device is responsible for actually aggregating the frames,
     30 * as well as deciding how many and which to aggregate.
     31 *
     32 * When TX aggregation is started by some subsystem (usually the rate
     33 * control algorithm would be appropriate) by calling the
     34 * ieee80211_start_tx_ba_session() function, the driver will be
     35 * notified via its @ampdu_action function, with the
     36 * %IEEE80211_AMPDU_TX_START action.
     37 *
     38 * In response to that, the driver is later required to call the
     39 * ieee80211_start_tx_ba_cb_irqsafe() function, which will really
     40 * start the aggregation session after the peer has also responded.
     41 * If the peer responds negatively, the session will be stopped
     42 * again right away. Note that it is possible for the aggregation
     43 * session to be stopped before the driver has indicated that it
     44 * is done setting it up, in which case it must not indicate the
     45 * setup completion.
     46 *
     47 * Also note that, since we also need to wait for a response from
     48 * the peer, the driver is notified of the completion of the
     49 * handshake by the %IEEE80211_AMPDU_TX_OPERATIONAL action to the
     50 * @ampdu_action callback.
     51 *
     52 * Similarly, when the aggregation session is stopped by the peer
     53 * or something calling ieee80211_stop_tx_ba_session(), the driver's
     54 * @ampdu_action function will be called with the action
     55 * %IEEE80211_AMPDU_TX_STOP. In this case, the call must not fail,
     56 * and the driver must later call ieee80211_stop_tx_ba_cb_irqsafe().
     57 * Note that the sta can get destroyed before the BA tear down is
     58 * complete.
     59 */
     60
     61static void ieee80211_send_addba_request(struct ieee80211_sub_if_data *sdata,
     62					 const u8 *da, u16 tid,
     63					 u8 dialog_token, u16 start_seq_num,
     64					 u16 agg_size, u16 timeout)
     65{
     66	struct ieee80211_local *local = sdata->local;
     67	struct sk_buff *skb;
     68	struct ieee80211_mgmt *mgmt;
     69	u16 capab;
     70
     71	skb = dev_alloc_skb(sizeof(*mgmt) + local->hw.extra_tx_headroom);
     72
     73	if (!skb)
     74		return;
     75
     76	skb_reserve(skb, local->hw.extra_tx_headroom);
     77	mgmt = skb_put_zero(skb, 24);
     78	memcpy(mgmt->da, da, ETH_ALEN);
     79	memcpy(mgmt->sa, sdata->vif.addr, ETH_ALEN);
     80	if (sdata->vif.type == NL80211_IFTYPE_AP ||
     81	    sdata->vif.type == NL80211_IFTYPE_AP_VLAN ||
     82	    sdata->vif.type == NL80211_IFTYPE_MESH_POINT)
     83		memcpy(mgmt->bssid, sdata->vif.addr, ETH_ALEN);
     84	else if (sdata->vif.type == NL80211_IFTYPE_STATION)
     85		memcpy(mgmt->bssid, sdata->u.mgd.bssid, ETH_ALEN);
     86	else if (sdata->vif.type == NL80211_IFTYPE_ADHOC)
     87		memcpy(mgmt->bssid, sdata->u.ibss.bssid, ETH_ALEN);
     88
     89	mgmt->frame_control = cpu_to_le16(IEEE80211_FTYPE_MGMT |
     90					  IEEE80211_STYPE_ACTION);
     91
     92	skb_put(skb, 1 + sizeof(mgmt->u.action.u.addba_req));
     93
     94	mgmt->u.action.category = WLAN_CATEGORY_BACK;
     95	mgmt->u.action.u.addba_req.action_code = WLAN_ACTION_ADDBA_REQ;
     96
     97	mgmt->u.action.u.addba_req.dialog_token = dialog_token;
     98	capab = IEEE80211_ADDBA_PARAM_AMSDU_MASK;
     99	capab |= IEEE80211_ADDBA_PARAM_POLICY_MASK;
    100	capab |= u16_encode_bits(tid, IEEE80211_ADDBA_PARAM_TID_MASK);
    101	capab |= u16_encode_bits(agg_size, IEEE80211_ADDBA_PARAM_BUF_SIZE_MASK);
    102
    103	mgmt->u.action.u.addba_req.capab = cpu_to_le16(capab);
    104
    105	mgmt->u.action.u.addba_req.timeout = cpu_to_le16(timeout);
    106	mgmt->u.action.u.addba_req.start_seq_num =
    107					cpu_to_le16(start_seq_num << 4);
    108
    109	ieee80211_tx_skb_tid(sdata, skb, tid);
    110}
    111
    112void ieee80211_send_bar(struct ieee80211_vif *vif, u8 *ra, u16 tid, u16 ssn)
    113{
    114	struct ieee80211_sub_if_data *sdata = vif_to_sdata(vif);
    115	struct ieee80211_local *local = sdata->local;
    116	struct sk_buff *skb;
    117	struct ieee80211_bar *bar;
    118	u16 bar_control = 0;
    119
    120	skb = dev_alloc_skb(sizeof(*bar) + local->hw.extra_tx_headroom);
    121	if (!skb)
    122		return;
    123
    124	skb_reserve(skb, local->hw.extra_tx_headroom);
    125	bar = skb_put_zero(skb, sizeof(*bar));
    126	bar->frame_control = cpu_to_le16(IEEE80211_FTYPE_CTL |
    127					 IEEE80211_STYPE_BACK_REQ);
    128	memcpy(bar->ra, ra, ETH_ALEN);
    129	memcpy(bar->ta, sdata->vif.addr, ETH_ALEN);
    130	bar_control |= (u16)IEEE80211_BAR_CTRL_ACK_POLICY_NORMAL;
    131	bar_control |= (u16)IEEE80211_BAR_CTRL_CBMTID_COMPRESSED_BA;
    132	bar_control |= (u16)(tid << IEEE80211_BAR_CTRL_TID_INFO_SHIFT);
    133	bar->control = cpu_to_le16(bar_control);
    134	bar->start_seq_num = cpu_to_le16(ssn);
    135
    136	IEEE80211_SKB_CB(skb)->flags |= IEEE80211_TX_INTFL_DONT_ENCRYPT |
    137					IEEE80211_TX_CTL_REQ_TX_STATUS;
    138	ieee80211_tx_skb_tid(sdata, skb, tid);
    139}
    140EXPORT_SYMBOL(ieee80211_send_bar);
    141
    142void ieee80211_assign_tid_tx(struct sta_info *sta, int tid,
    143			     struct tid_ampdu_tx *tid_tx)
    144{
    145	lockdep_assert_held(&sta->ampdu_mlme.mtx);
    146	lockdep_assert_held(&sta->lock);
    147	rcu_assign_pointer(sta->ampdu_mlme.tid_tx[tid], tid_tx);
    148}
    149
    150/*
    151 * When multiple aggregation sessions on multiple stations
    152 * are being created/destroyed simultaneously, we need to
    153 * refcount the global queue stop caused by that in order
    154 * to not get into a situation where one of the aggregation
    155 * setup or teardown re-enables queues before the other is
    156 * ready to handle that.
    157 *
    158 * These two functions take care of this issue by keeping
    159 * a global "agg_queue_stop" refcount.
    160 */
    161static void __acquires(agg_queue)
    162ieee80211_stop_queue_agg(struct ieee80211_sub_if_data *sdata, int tid)
    163{
    164	int queue = sdata->vif.hw_queue[ieee80211_ac_from_tid(tid)];
    165
    166	/* we do refcounting here, so don't use the queue reason refcounting */
    167
    168	if (atomic_inc_return(&sdata->local->agg_queue_stop[queue]) == 1)
    169		ieee80211_stop_queue_by_reason(
    170			&sdata->local->hw, queue,
    171			IEEE80211_QUEUE_STOP_REASON_AGGREGATION,
    172			false);
    173	__acquire(agg_queue);
    174}
    175
    176static void __releases(agg_queue)
    177ieee80211_wake_queue_agg(struct ieee80211_sub_if_data *sdata, int tid)
    178{
    179	int queue = sdata->vif.hw_queue[ieee80211_ac_from_tid(tid)];
    180
    181	if (atomic_dec_return(&sdata->local->agg_queue_stop[queue]) == 0)
    182		ieee80211_wake_queue_by_reason(
    183			&sdata->local->hw, queue,
    184			IEEE80211_QUEUE_STOP_REASON_AGGREGATION,
    185			false);
    186	__release(agg_queue);
    187}
    188
    189static void
    190ieee80211_agg_stop_txq(struct sta_info *sta, int tid)
    191{
    192	struct ieee80211_txq *txq = sta->sta.txq[tid];
    193	struct ieee80211_sub_if_data *sdata;
    194	struct fq *fq;
    195	struct txq_info *txqi;
    196
    197	if (!txq)
    198		return;
    199
    200	txqi = to_txq_info(txq);
    201	sdata = vif_to_sdata(txq->vif);
    202	fq = &sdata->local->fq;
    203
    204	/* Lock here to protect against further seqno updates on dequeue */
    205	spin_lock_bh(&fq->lock);
    206	set_bit(IEEE80211_TXQ_STOP, &txqi->flags);
    207	spin_unlock_bh(&fq->lock);
    208}
    209
    210static void
    211ieee80211_agg_start_txq(struct sta_info *sta, int tid, bool enable)
    212{
    213	struct ieee80211_txq *txq = sta->sta.txq[tid];
    214	struct txq_info *txqi;
    215
    216	lockdep_assert_held(&sta->ampdu_mlme.mtx);
    217
    218	if (!txq)
    219		return;
    220
    221	txqi = to_txq_info(txq);
    222
    223	if (enable)
    224		set_bit(IEEE80211_TXQ_AMPDU, &txqi->flags);
    225	else
    226		clear_bit(IEEE80211_TXQ_AMPDU, &txqi->flags);
    227
    228	clear_bit(IEEE80211_TXQ_STOP, &txqi->flags);
    229	local_bh_disable();
    230	rcu_read_lock();
    231	schedule_and_wake_txq(sta->sdata->local, txqi);
    232	rcu_read_unlock();
    233	local_bh_enable();
    234}
    235
    236/*
    237 * splice packets from the STA's pending to the local pending,
    238 * requires a call to ieee80211_agg_splice_finish later
    239 */
    240static void __acquires(agg_queue)
    241ieee80211_agg_splice_packets(struct ieee80211_sub_if_data *sdata,
    242			     struct tid_ampdu_tx *tid_tx, u16 tid)
    243{
    244	struct ieee80211_local *local = sdata->local;
    245	int queue = sdata->vif.hw_queue[ieee80211_ac_from_tid(tid)];
    246	unsigned long flags;
    247
    248	ieee80211_stop_queue_agg(sdata, tid);
    249
    250	if (WARN(!tid_tx,
    251		 "TID %d gone but expected when splicing aggregates from the pending queue\n",
    252		 tid))
    253		return;
    254
    255	if (!skb_queue_empty(&tid_tx->pending)) {
    256		spin_lock_irqsave(&local->queue_stop_reason_lock, flags);
    257		/* copy over remaining packets */
    258		skb_queue_splice_tail_init(&tid_tx->pending,
    259					   &local->pending[queue]);
    260		spin_unlock_irqrestore(&local->queue_stop_reason_lock, flags);
    261	}
    262}
    263
    264static void __releases(agg_queue)
    265ieee80211_agg_splice_finish(struct ieee80211_sub_if_data *sdata, u16 tid)
    266{
    267	ieee80211_wake_queue_agg(sdata, tid);
    268}
    269
    270static void ieee80211_remove_tid_tx(struct sta_info *sta, int tid)
    271{
    272	struct tid_ampdu_tx *tid_tx;
    273
    274	lockdep_assert_held(&sta->ampdu_mlme.mtx);
    275	lockdep_assert_held(&sta->lock);
    276
    277	tid_tx = rcu_dereference_protected_tid_tx(sta, tid);
    278
    279	/*
    280	 * When we get here, the TX path will not be lockless any more wrt.
    281	 * aggregation, since the OPERATIONAL bit has long been cleared.
    282	 * Thus it will block on getting the lock, if it occurs. So if we
    283	 * stop the queue now, we will not get any more packets, and any
    284	 * that might be being processed will wait for us here, thereby
    285	 * guaranteeing that no packets go to the tid_tx pending queue any
    286	 * more.
    287	 */
    288
    289	ieee80211_agg_splice_packets(sta->sdata, tid_tx, tid);
    290
    291	/* future packets must not find the tid_tx struct any more */
    292	ieee80211_assign_tid_tx(sta, tid, NULL);
    293
    294	ieee80211_agg_splice_finish(sta->sdata, tid);
    295
    296	kfree_rcu(tid_tx, rcu_head);
    297}
    298
    299int ___ieee80211_stop_tx_ba_session(struct sta_info *sta, u16 tid,
    300				    enum ieee80211_agg_stop_reason reason)
    301{
    302	struct ieee80211_local *local = sta->local;
    303	struct tid_ampdu_tx *tid_tx;
    304	struct ieee80211_ampdu_params params = {
    305		.sta = &sta->sta,
    306		.tid = tid,
    307		.buf_size = 0,
    308		.amsdu = false,
    309		.timeout = 0,
    310		.ssn = 0,
    311	};
    312	int ret;
    313
    314	lockdep_assert_held(&sta->ampdu_mlme.mtx);
    315
    316	switch (reason) {
    317	case AGG_STOP_DECLINED:
    318	case AGG_STOP_LOCAL_REQUEST:
    319	case AGG_STOP_PEER_REQUEST:
    320		params.action = IEEE80211_AMPDU_TX_STOP_CONT;
    321		break;
    322	case AGG_STOP_DESTROY_STA:
    323		params.action = IEEE80211_AMPDU_TX_STOP_FLUSH;
    324		break;
    325	default:
    326		WARN_ON_ONCE(1);
    327		return -EINVAL;
    328	}
    329
    330	spin_lock_bh(&sta->lock);
    331
    332	/* free struct pending for start, if present */
    333	tid_tx = sta->ampdu_mlme.tid_start_tx[tid];
    334	kfree(tid_tx);
    335	sta->ampdu_mlme.tid_start_tx[tid] = NULL;
    336
    337	tid_tx = rcu_dereference_protected_tid_tx(sta, tid);
    338	if (!tid_tx) {
    339		spin_unlock_bh(&sta->lock);
    340		return -ENOENT;
    341	}
    342
    343	/*
    344	 * if we're already stopping ignore any new requests to stop
    345	 * unless we're destroying it in which case notify the driver
    346	 */
    347	if (test_bit(HT_AGG_STATE_STOPPING, &tid_tx->state)) {
    348		spin_unlock_bh(&sta->lock);
    349		if (reason != AGG_STOP_DESTROY_STA)
    350			return -EALREADY;
    351		params.action = IEEE80211_AMPDU_TX_STOP_FLUSH_CONT;
    352		ret = drv_ampdu_action(local, sta->sdata, &params);
    353		WARN_ON_ONCE(ret);
    354		return 0;
    355	}
    356
    357	if (test_bit(HT_AGG_STATE_WANT_START, &tid_tx->state)) {
    358		/* not even started yet! */
    359		ieee80211_assign_tid_tx(sta, tid, NULL);
    360		spin_unlock_bh(&sta->lock);
    361		kfree_rcu(tid_tx, rcu_head);
    362		return 0;
    363	}
    364
    365	set_bit(HT_AGG_STATE_STOPPING, &tid_tx->state);
    366
    367	ieee80211_agg_stop_txq(sta, tid);
    368
    369	spin_unlock_bh(&sta->lock);
    370
    371	ht_dbg(sta->sdata, "Tx BA session stop requested for %pM tid %u\n",
    372	       sta->sta.addr, tid);
    373
    374	del_timer_sync(&tid_tx->addba_resp_timer);
    375	del_timer_sync(&tid_tx->session_timer);
    376
    377	/*
    378	 * After this packets are no longer handed right through
    379	 * to the driver but are put onto tid_tx->pending instead,
    380	 * with locking to ensure proper access.
    381	 */
    382	clear_bit(HT_AGG_STATE_OPERATIONAL, &tid_tx->state);
    383
    384	/*
    385	 * There might be a few packets being processed right now (on
    386	 * another CPU) that have already gotten past the aggregation
    387	 * check when it was still OPERATIONAL and consequently have
    388	 * IEEE80211_TX_CTL_AMPDU set. In that case, this code might
    389	 * call into the driver at the same time or even before the
    390	 * TX paths calls into it, which could confuse the driver.
    391	 *
    392	 * Wait for all currently running TX paths to finish before
    393	 * telling the driver. New packets will not go through since
    394	 * the aggregation session is no longer OPERATIONAL.
    395	 */
    396	if (!local->in_reconfig)
    397		synchronize_net();
    398
    399	tid_tx->stop_initiator = reason == AGG_STOP_PEER_REQUEST ?
    400					WLAN_BACK_RECIPIENT :
    401					WLAN_BACK_INITIATOR;
    402	tid_tx->tx_stop = reason == AGG_STOP_LOCAL_REQUEST;
    403
    404	ret = drv_ampdu_action(local, sta->sdata, &params);
    405
    406	/* HW shall not deny going back to legacy */
    407	if (WARN_ON(ret)) {
    408		/*
    409		 * We may have pending packets get stuck in this case...
    410		 * Not bothering with a workaround for now.
    411		 */
    412	}
    413
    414	/*
    415	 * In the case of AGG_STOP_DESTROY_STA, the driver won't
    416	 * necessarily call ieee80211_stop_tx_ba_cb(), so this may
    417	 * seem like we can leave the tid_tx data pending forever.
    418	 * This is true, in a way, but "forever" is only until the
    419	 * station struct is actually destroyed. In the meantime,
    420	 * leaving it around ensures that we don't transmit packets
    421	 * to the driver on this TID which might confuse it.
    422	 */
    423
    424	return 0;
    425}
    426
    427/*
    428 * After sending add Block Ack request we activated a timer until
    429 * add Block Ack response will arrive from the recipient.
    430 * If this timer expires sta_addba_resp_timer_expired will be executed.
    431 */
    432static void sta_addba_resp_timer_expired(struct timer_list *t)
    433{
    434	struct tid_ampdu_tx *tid_tx = from_timer(tid_tx, t, addba_resp_timer);
    435	struct sta_info *sta = tid_tx->sta;
    436	u8 tid = tid_tx->tid;
    437
    438	/* check if the TID waits for addBA response */
    439	if (test_bit(HT_AGG_STATE_RESPONSE_RECEIVED, &tid_tx->state)) {
    440		ht_dbg(sta->sdata,
    441		       "timer expired on %pM tid %d not expecting addBA response\n",
    442		       sta->sta.addr, tid);
    443		return;
    444	}
    445
    446	ht_dbg(sta->sdata, "addBA response timer expired on %pM tid %d\n",
    447	       sta->sta.addr, tid);
    448
    449	ieee80211_stop_tx_ba_session(&sta->sta, tid);
    450}
    451
    452static void ieee80211_send_addba_with_timeout(struct sta_info *sta,
    453					      struct tid_ampdu_tx *tid_tx)
    454{
    455	struct ieee80211_sub_if_data *sdata = sta->sdata;
    456	struct ieee80211_local *local = sta->local;
    457	u8 tid = tid_tx->tid;
    458	u16 buf_size;
    459
    460	/* activate the timer for the recipient's addBA response */
    461	mod_timer(&tid_tx->addba_resp_timer, jiffies + ADDBA_RESP_INTERVAL);
    462	ht_dbg(sdata, "activated addBA response timer on %pM tid %d\n",
    463	       sta->sta.addr, tid);
    464
    465	spin_lock_bh(&sta->lock);
    466	sta->ampdu_mlme.last_addba_req_time[tid] = jiffies;
    467	sta->ampdu_mlme.addba_req_num[tid]++;
    468	spin_unlock_bh(&sta->lock);
    469
    470	if (sta->sta.deflink.he_cap.has_he) {
    471		buf_size = local->hw.max_tx_aggregation_subframes;
    472	} else {
    473		/*
    474		 * We really should use what the driver told us it will
    475		 * transmit as the maximum, but certain APs (e.g. the
    476		 * LinkSys WRT120N with FW v1.0.07 build 002 Jun 18 2012)
    477		 * will crash when we use a lower number.
    478		 */
    479		buf_size = IEEE80211_MAX_AMPDU_BUF_HT;
    480	}
    481
    482	/* send AddBA request */
    483	ieee80211_send_addba_request(sdata, sta->sta.addr, tid,
    484				     tid_tx->dialog_token, tid_tx->ssn,
    485				     buf_size, tid_tx->timeout);
    486
    487	WARN_ON(test_and_set_bit(HT_AGG_STATE_SENT_ADDBA, &tid_tx->state));
    488}
    489
    490void ieee80211_tx_ba_session_handle_start(struct sta_info *sta, int tid)
    491{
    492	struct tid_ampdu_tx *tid_tx;
    493	struct ieee80211_local *local = sta->local;
    494	struct ieee80211_sub_if_data *sdata = sta->sdata;
    495	struct ieee80211_ampdu_params params = {
    496		.sta = &sta->sta,
    497		.action = IEEE80211_AMPDU_TX_START,
    498		.tid = tid,
    499		.buf_size = 0,
    500		.amsdu = false,
    501		.timeout = 0,
    502	};
    503	int ret;
    504
    505	tid_tx = rcu_dereference_protected_tid_tx(sta, tid);
    506
    507	/*
    508	 * Start queuing up packets for this aggregation session.
    509	 * We're going to release them once the driver is OK with
    510	 * that.
    511	 */
    512	clear_bit(HT_AGG_STATE_WANT_START, &tid_tx->state);
    513
    514	ieee80211_agg_stop_txq(sta, tid);
    515
    516	/*
    517	 * Make sure no packets are being processed. This ensures that
    518	 * we have a valid starting sequence number and that in-flight
    519	 * packets have been flushed out and no packets for this TID
    520	 * will go into the driver during the ampdu_action call.
    521	 */
    522	synchronize_net();
    523
    524	params.ssn = sta->tid_seq[tid] >> 4;
    525	ret = drv_ampdu_action(local, sdata, &params);
    526	tid_tx->ssn = params.ssn;
    527	if (ret == IEEE80211_AMPDU_TX_START_DELAY_ADDBA) {
    528		return;
    529	} else if (ret == IEEE80211_AMPDU_TX_START_IMMEDIATE) {
    530		/*
    531		 * We didn't send the request yet, so don't need to check
    532		 * here if we already got a response, just mark as driver
    533		 * ready immediately.
    534		 */
    535		set_bit(HT_AGG_STATE_DRV_READY, &tid_tx->state);
    536	} else if (ret) {
    537		ht_dbg(sdata,
    538		       "BA request denied - HW unavailable for %pM tid %d\n",
    539		       sta->sta.addr, tid);
    540		spin_lock_bh(&sta->lock);
    541		ieee80211_agg_splice_packets(sdata, tid_tx, tid);
    542		ieee80211_assign_tid_tx(sta, tid, NULL);
    543		ieee80211_agg_splice_finish(sdata, tid);
    544		spin_unlock_bh(&sta->lock);
    545
    546		ieee80211_agg_start_txq(sta, tid, false);
    547
    548		kfree_rcu(tid_tx, rcu_head);
    549		return;
    550	}
    551
    552	ieee80211_send_addba_with_timeout(sta, tid_tx);
    553}
    554
    555/*
    556 * After accepting the AddBA Response we activated a timer,
    557 * resetting it after each frame that we send.
    558 */
    559static void sta_tx_agg_session_timer_expired(struct timer_list *t)
    560{
    561	struct tid_ampdu_tx *tid_tx = from_timer(tid_tx, t, session_timer);
    562	struct sta_info *sta = tid_tx->sta;
    563	u8 tid = tid_tx->tid;
    564	unsigned long timeout;
    565
    566	if (test_bit(HT_AGG_STATE_STOPPING, &tid_tx->state)) {
    567		return;
    568	}
    569
    570	timeout = tid_tx->last_tx + TU_TO_JIFFIES(tid_tx->timeout);
    571	if (time_is_after_jiffies(timeout)) {
    572		mod_timer(&tid_tx->session_timer, timeout);
    573		return;
    574	}
    575
    576	ht_dbg(sta->sdata, "tx session timer expired on %pM tid %d\n",
    577	       sta->sta.addr, tid);
    578
    579	ieee80211_stop_tx_ba_session(&sta->sta, tid);
    580}
    581
    582int ieee80211_start_tx_ba_session(struct ieee80211_sta *pubsta, u16 tid,
    583				  u16 timeout)
    584{
    585	struct sta_info *sta = container_of(pubsta, struct sta_info, sta);
    586	struct ieee80211_sub_if_data *sdata = sta->sdata;
    587	struct ieee80211_local *local = sdata->local;
    588	struct tid_ampdu_tx *tid_tx;
    589	int ret = 0;
    590
    591	trace_api_start_tx_ba_session(pubsta, tid);
    592
    593	if (WARN(sta->reserved_tid == tid,
    594		 "Requested to start BA session on reserved tid=%d", tid))
    595		return -EINVAL;
    596
    597	if (!pubsta->deflink.ht_cap.ht_supported &&
    598	    sta->sdata->vif.bss_conf.chandef.chan->band != NL80211_BAND_6GHZ)
    599		return -EINVAL;
    600
    601	if (WARN_ON_ONCE(!local->ops->ampdu_action))
    602		return -EINVAL;
    603
    604	if ((tid >= IEEE80211_NUM_TIDS) ||
    605	    !ieee80211_hw_check(&local->hw, AMPDU_AGGREGATION) ||
    606	    ieee80211_hw_check(&local->hw, TX_AMPDU_SETUP_IN_HW))
    607		return -EINVAL;
    608
    609	if (WARN_ON(tid >= IEEE80211_FIRST_TSPEC_TSID))
    610		return -EINVAL;
    611
    612	ht_dbg(sdata, "Open BA session requested for %pM tid %u\n",
    613	       pubsta->addr, tid);
    614
    615	if (sdata->vif.type != NL80211_IFTYPE_STATION &&
    616	    sdata->vif.type != NL80211_IFTYPE_MESH_POINT &&
    617	    sdata->vif.type != NL80211_IFTYPE_AP_VLAN &&
    618	    sdata->vif.type != NL80211_IFTYPE_AP &&
    619	    sdata->vif.type != NL80211_IFTYPE_ADHOC)
    620		return -EINVAL;
    621
    622	if (test_sta_flag(sta, WLAN_STA_BLOCK_BA)) {
    623		ht_dbg(sdata,
    624		       "BA sessions blocked - Denying BA session request %pM tid %d\n",
    625		       sta->sta.addr, tid);
    626		return -EINVAL;
    627	}
    628
    629	if (test_sta_flag(sta, WLAN_STA_MFP) &&
    630	    !test_sta_flag(sta, WLAN_STA_AUTHORIZED)) {
    631		ht_dbg(sdata,
    632		       "MFP STA not authorized - deny BA session request %pM tid %d\n",
    633		       sta->sta.addr, tid);
    634		return -EINVAL;
    635	}
    636
    637	/*
    638	 * 802.11n-2009 11.5.1.1: If the initiating STA is an HT STA, is a
    639	 * member of an IBSS, and has no other existing Block Ack agreement
    640	 * with the recipient STA, then the initiating STA shall transmit a
    641	 * Probe Request frame to the recipient STA and shall not transmit an
    642	 * ADDBA Request frame unless it receives a Probe Response frame
    643	 * from the recipient within dot11ADDBAFailureTimeout.
    644	 *
    645	 * The probe request mechanism for ADDBA is currently not implemented,
    646	 * but we only build up Block Ack session with HT STAs. This information
    647	 * is set when we receive a bss info from a probe response or a beacon.
    648	 */
    649	if (sta->sdata->vif.type == NL80211_IFTYPE_ADHOC &&
    650	    !sta->sta.deflink.ht_cap.ht_supported) {
    651		ht_dbg(sdata,
    652		       "BA request denied - IBSS STA %pM does not advertise HT support\n",
    653		       pubsta->addr);
    654		return -EINVAL;
    655	}
    656
    657	spin_lock_bh(&sta->lock);
    658
    659	/* we have tried too many times, receiver does not want A-MPDU */
    660	if (sta->ampdu_mlme.addba_req_num[tid] > HT_AGG_MAX_RETRIES) {
    661		ret = -EBUSY;
    662		goto err_unlock_sta;
    663	}
    664
    665	/*
    666	 * if we have tried more than HT_AGG_BURST_RETRIES times we
    667	 * will spread our requests in time to avoid stalling connection
    668	 * for too long
    669	 */
    670	if (sta->ampdu_mlme.addba_req_num[tid] > HT_AGG_BURST_RETRIES &&
    671	    time_before(jiffies, sta->ampdu_mlme.last_addba_req_time[tid] +
    672			HT_AGG_RETRIES_PERIOD)) {
    673		ht_dbg(sdata,
    674		       "BA request denied - %d failed requests on %pM tid %u\n",
    675		       sta->ampdu_mlme.addba_req_num[tid], sta->sta.addr, tid);
    676		ret = -EBUSY;
    677		goto err_unlock_sta;
    678	}
    679
    680	tid_tx = rcu_dereference_protected_tid_tx(sta, tid);
    681	/* check if the TID is not in aggregation flow already */
    682	if (tid_tx || sta->ampdu_mlme.tid_start_tx[tid]) {
    683		ht_dbg(sdata,
    684		       "BA request denied - session is not idle on %pM tid %u\n",
    685		       sta->sta.addr, tid);
    686		ret = -EAGAIN;
    687		goto err_unlock_sta;
    688	}
    689
    690	/* prepare A-MPDU MLME for Tx aggregation */
    691	tid_tx = kzalloc(sizeof(struct tid_ampdu_tx), GFP_ATOMIC);
    692	if (!tid_tx) {
    693		ret = -ENOMEM;
    694		goto err_unlock_sta;
    695	}
    696
    697	skb_queue_head_init(&tid_tx->pending);
    698	__set_bit(HT_AGG_STATE_WANT_START, &tid_tx->state);
    699
    700	tid_tx->timeout = timeout;
    701	tid_tx->sta = sta;
    702	tid_tx->tid = tid;
    703
    704	/* response timer */
    705	timer_setup(&tid_tx->addba_resp_timer, sta_addba_resp_timer_expired, 0);
    706
    707	/* tx timer */
    708	timer_setup(&tid_tx->session_timer,
    709		    sta_tx_agg_session_timer_expired, TIMER_DEFERRABLE);
    710
    711	/* assign a dialog token */
    712	sta->ampdu_mlme.dialog_token_allocator++;
    713	tid_tx->dialog_token = sta->ampdu_mlme.dialog_token_allocator;
    714
    715	/*
    716	 * Finally, assign it to the start array; the work item will
    717	 * collect it and move it to the normal array.
    718	 */
    719	sta->ampdu_mlme.tid_start_tx[tid] = tid_tx;
    720
    721	ieee80211_queue_work(&local->hw, &sta->ampdu_mlme.work);
    722
    723	/* this flow continues off the work */
    724 err_unlock_sta:
    725	spin_unlock_bh(&sta->lock);
    726	return ret;
    727}
    728EXPORT_SYMBOL(ieee80211_start_tx_ba_session);
    729
    730static void ieee80211_agg_tx_operational(struct ieee80211_local *local,
    731					 struct sta_info *sta, u16 tid)
    732{
    733	struct tid_ampdu_tx *tid_tx;
    734	struct ieee80211_ampdu_params params = {
    735		.sta = &sta->sta,
    736		.action = IEEE80211_AMPDU_TX_OPERATIONAL,
    737		.tid = tid,
    738		.timeout = 0,
    739		.ssn = 0,
    740	};
    741
    742	lockdep_assert_held(&sta->ampdu_mlme.mtx);
    743
    744	tid_tx = rcu_dereference_protected_tid_tx(sta, tid);
    745	params.buf_size = tid_tx->buf_size;
    746	params.amsdu = tid_tx->amsdu;
    747
    748	ht_dbg(sta->sdata, "Aggregation is on for %pM tid %d\n",
    749	       sta->sta.addr, tid);
    750
    751	drv_ampdu_action(local, sta->sdata, &params);
    752
    753	/*
    754	 * synchronize with TX path, while splicing the TX path
    755	 * should block so it won't put more packets onto pending.
    756	 */
    757	spin_lock_bh(&sta->lock);
    758
    759	ieee80211_agg_splice_packets(sta->sdata, tid_tx, tid);
    760	/*
    761	 * Now mark as operational. This will be visible
    762	 * in the TX path, and lets it go lock-free in
    763	 * the common case.
    764	 */
    765	set_bit(HT_AGG_STATE_OPERATIONAL, &tid_tx->state);
    766	ieee80211_agg_splice_finish(sta->sdata, tid);
    767
    768	spin_unlock_bh(&sta->lock);
    769
    770	ieee80211_agg_start_txq(sta, tid, true);
    771}
    772
    773void ieee80211_start_tx_ba_cb(struct sta_info *sta, int tid,
    774			      struct tid_ampdu_tx *tid_tx)
    775{
    776	struct ieee80211_sub_if_data *sdata = sta->sdata;
    777	struct ieee80211_local *local = sdata->local;
    778
    779	if (WARN_ON(test_and_set_bit(HT_AGG_STATE_DRV_READY, &tid_tx->state)))
    780		return;
    781
    782	if (!test_bit(HT_AGG_STATE_SENT_ADDBA, &tid_tx->state)) {
    783		ieee80211_send_addba_with_timeout(sta, tid_tx);
    784		/* RESPONSE_RECEIVED state whould trigger the flow again */
    785		return;
    786	}
    787
    788	if (test_bit(HT_AGG_STATE_RESPONSE_RECEIVED, &tid_tx->state))
    789		ieee80211_agg_tx_operational(local, sta, tid);
    790}
    791
    792static struct tid_ampdu_tx *
    793ieee80211_lookup_tid_tx(struct ieee80211_sub_if_data *sdata,
    794			const u8 *ra, u16 tid, struct sta_info **sta)
    795{
    796	struct tid_ampdu_tx *tid_tx;
    797
    798	if (tid >= IEEE80211_NUM_TIDS) {
    799		ht_dbg(sdata, "Bad TID value: tid = %d (>= %d)\n",
    800		       tid, IEEE80211_NUM_TIDS);
    801		return NULL;
    802	}
    803
    804	*sta = sta_info_get_bss(sdata, ra);
    805	if (!*sta) {
    806		ht_dbg(sdata, "Could not find station: %pM\n", ra);
    807		return NULL;
    808	}
    809
    810	tid_tx = rcu_dereference((*sta)->ampdu_mlme.tid_tx[tid]);
    811
    812	if (WARN_ON(!tid_tx))
    813		ht_dbg(sdata, "addBA was not requested!\n");
    814
    815	return tid_tx;
    816}
    817
    818void ieee80211_start_tx_ba_cb_irqsafe(struct ieee80211_vif *vif,
    819				      const u8 *ra, u16 tid)
    820{
    821	struct ieee80211_sub_if_data *sdata = vif_to_sdata(vif);
    822	struct ieee80211_local *local = sdata->local;
    823	struct sta_info *sta;
    824	struct tid_ampdu_tx *tid_tx;
    825
    826	trace_api_start_tx_ba_cb(sdata, ra, tid);
    827
    828	rcu_read_lock();
    829	tid_tx = ieee80211_lookup_tid_tx(sdata, ra, tid, &sta);
    830	if (!tid_tx)
    831		goto out;
    832
    833	set_bit(HT_AGG_STATE_START_CB, &tid_tx->state);
    834	ieee80211_queue_work(&local->hw, &sta->ampdu_mlme.work);
    835 out:
    836	rcu_read_unlock();
    837}
    838EXPORT_SYMBOL(ieee80211_start_tx_ba_cb_irqsafe);
    839
    840int __ieee80211_stop_tx_ba_session(struct sta_info *sta, u16 tid,
    841				   enum ieee80211_agg_stop_reason reason)
    842{
    843	int ret;
    844
    845	mutex_lock(&sta->ampdu_mlme.mtx);
    846
    847	ret = ___ieee80211_stop_tx_ba_session(sta, tid, reason);
    848
    849	mutex_unlock(&sta->ampdu_mlme.mtx);
    850
    851	return ret;
    852}
    853
    854int ieee80211_stop_tx_ba_session(struct ieee80211_sta *pubsta, u16 tid)
    855{
    856	struct sta_info *sta = container_of(pubsta, struct sta_info, sta);
    857	struct ieee80211_sub_if_data *sdata = sta->sdata;
    858	struct ieee80211_local *local = sdata->local;
    859	struct tid_ampdu_tx *tid_tx;
    860	int ret = 0;
    861
    862	trace_api_stop_tx_ba_session(pubsta, tid);
    863
    864	if (!local->ops->ampdu_action)
    865		return -EINVAL;
    866
    867	if (tid >= IEEE80211_NUM_TIDS)
    868		return -EINVAL;
    869
    870	spin_lock_bh(&sta->lock);
    871	tid_tx = rcu_dereference_protected_tid_tx(sta, tid);
    872
    873	if (!tid_tx) {
    874		ret = -ENOENT;
    875		goto unlock;
    876	}
    877
    878	WARN(sta->reserved_tid == tid,
    879	     "Requested to stop BA session on reserved tid=%d", tid);
    880
    881	if (test_bit(HT_AGG_STATE_STOPPING, &tid_tx->state)) {
    882		/* already in progress stopping it */
    883		ret = 0;
    884		goto unlock;
    885	}
    886
    887	set_bit(HT_AGG_STATE_WANT_STOP, &tid_tx->state);
    888	ieee80211_queue_work(&local->hw, &sta->ampdu_mlme.work);
    889
    890 unlock:
    891	spin_unlock_bh(&sta->lock);
    892	return ret;
    893}
    894EXPORT_SYMBOL(ieee80211_stop_tx_ba_session);
    895
    896void ieee80211_stop_tx_ba_cb(struct sta_info *sta, int tid,
    897			     struct tid_ampdu_tx *tid_tx)
    898{
    899	struct ieee80211_sub_if_data *sdata = sta->sdata;
    900	bool send_delba = false;
    901	bool start_txq = false;
    902
    903	ht_dbg(sdata, "Stopping Tx BA session for %pM tid %d\n",
    904	       sta->sta.addr, tid);
    905
    906	spin_lock_bh(&sta->lock);
    907
    908	if (!test_bit(HT_AGG_STATE_STOPPING, &tid_tx->state)) {
    909		ht_dbg(sdata,
    910		       "unexpected callback to A-MPDU stop for %pM tid %d\n",
    911		       sta->sta.addr, tid);
    912		goto unlock_sta;
    913	}
    914
    915	if (tid_tx->stop_initiator == WLAN_BACK_INITIATOR && tid_tx->tx_stop)
    916		send_delba = true;
    917
    918	ieee80211_remove_tid_tx(sta, tid);
    919	start_txq = true;
    920
    921 unlock_sta:
    922	spin_unlock_bh(&sta->lock);
    923
    924	if (start_txq)
    925		ieee80211_agg_start_txq(sta, tid, false);
    926
    927	if (send_delba)
    928		ieee80211_send_delba(sdata, sta->sta.addr, tid,
    929			WLAN_BACK_INITIATOR, WLAN_REASON_QSTA_NOT_USE);
    930}
    931
    932void ieee80211_stop_tx_ba_cb_irqsafe(struct ieee80211_vif *vif,
    933				     const u8 *ra, u16 tid)
    934{
    935	struct ieee80211_sub_if_data *sdata = vif_to_sdata(vif);
    936	struct ieee80211_local *local = sdata->local;
    937	struct sta_info *sta;
    938	struct tid_ampdu_tx *tid_tx;
    939
    940	trace_api_stop_tx_ba_cb(sdata, ra, tid);
    941
    942	rcu_read_lock();
    943	tid_tx = ieee80211_lookup_tid_tx(sdata, ra, tid, &sta);
    944	if (!tid_tx)
    945		goto out;
    946
    947	set_bit(HT_AGG_STATE_STOP_CB, &tid_tx->state);
    948	ieee80211_queue_work(&local->hw, &sta->ampdu_mlme.work);
    949 out:
    950	rcu_read_unlock();
    951}
    952EXPORT_SYMBOL(ieee80211_stop_tx_ba_cb_irqsafe);
    953
    954
    955void ieee80211_process_addba_resp(struct ieee80211_local *local,
    956				  struct sta_info *sta,
    957				  struct ieee80211_mgmt *mgmt,
    958				  size_t len)
    959{
    960	struct tid_ampdu_tx *tid_tx;
    961	struct ieee80211_txq *txq;
    962	u16 capab, tid, buf_size;
    963	bool amsdu;
    964
    965	capab = le16_to_cpu(mgmt->u.action.u.addba_resp.capab);
    966	amsdu = capab & IEEE80211_ADDBA_PARAM_AMSDU_MASK;
    967	tid = u16_get_bits(capab, IEEE80211_ADDBA_PARAM_TID_MASK);
    968	buf_size = u16_get_bits(capab, IEEE80211_ADDBA_PARAM_BUF_SIZE_MASK);
    969	buf_size = min(buf_size, local->hw.max_tx_aggregation_subframes);
    970
    971	txq = sta->sta.txq[tid];
    972	if (!amsdu && txq)
    973		set_bit(IEEE80211_TXQ_NO_AMSDU, &to_txq_info(txq)->flags);
    974
    975	mutex_lock(&sta->ampdu_mlme.mtx);
    976
    977	tid_tx = rcu_dereference_protected_tid_tx(sta, tid);
    978	if (!tid_tx)
    979		goto out;
    980
    981	if (mgmt->u.action.u.addba_resp.dialog_token != tid_tx->dialog_token) {
    982		ht_dbg(sta->sdata, "wrong addBA response token, %pM tid %d\n",
    983		       sta->sta.addr, tid);
    984		goto out;
    985	}
    986
    987	del_timer_sync(&tid_tx->addba_resp_timer);
    988
    989	ht_dbg(sta->sdata, "switched off addBA timer for %pM tid %d\n",
    990	       sta->sta.addr, tid);
    991
    992	/*
    993	 * addba_resp_timer may have fired before we got here, and
    994	 * caused WANT_STOP to be set. If the stop then was already
    995	 * processed further, STOPPING might be set.
    996	 */
    997	if (test_bit(HT_AGG_STATE_WANT_STOP, &tid_tx->state) ||
    998	    test_bit(HT_AGG_STATE_STOPPING, &tid_tx->state)) {
    999		ht_dbg(sta->sdata,
   1000		       "got addBA resp for %pM tid %d but we already gave up\n",
   1001		       sta->sta.addr, tid);
   1002		goto out;
   1003	}
   1004
   1005	/*
   1006	 * IEEE 802.11-2007 7.3.1.14:
   1007	 * In an ADDBA Response frame, when the Status Code field
   1008	 * is set to 0, the Buffer Size subfield is set to a value
   1009	 * of at least 1.
   1010	 */
   1011	if (le16_to_cpu(mgmt->u.action.u.addba_resp.status)
   1012			== WLAN_STATUS_SUCCESS && buf_size) {
   1013		if (test_and_set_bit(HT_AGG_STATE_RESPONSE_RECEIVED,
   1014				     &tid_tx->state)) {
   1015			/* ignore duplicate response */
   1016			goto out;
   1017		}
   1018
   1019		tid_tx->buf_size = buf_size;
   1020		tid_tx->amsdu = amsdu;
   1021
   1022		if (test_bit(HT_AGG_STATE_DRV_READY, &tid_tx->state))
   1023			ieee80211_agg_tx_operational(local, sta, tid);
   1024
   1025		sta->ampdu_mlme.addba_req_num[tid] = 0;
   1026
   1027		tid_tx->timeout =
   1028			le16_to_cpu(mgmt->u.action.u.addba_resp.timeout);
   1029
   1030		if (tid_tx->timeout) {
   1031			mod_timer(&tid_tx->session_timer,
   1032				  TU_TO_EXP_TIME(tid_tx->timeout));
   1033			tid_tx->last_tx = jiffies;
   1034		}
   1035
   1036	} else {
   1037		___ieee80211_stop_tx_ba_session(sta, tid, AGG_STOP_DECLINED);
   1038	}
   1039
   1040 out:
   1041	mutex_unlock(&sta->ampdu_mlme.mtx);
   1042}