1 // SPDX-License-Identifier: GPL-2.0-only 2 /* 3 * HT handling 4 * 5 * Copyright 2003, Jouni Malinen <jkmaline@cc.hut.fi> 6 * Copyright 2002-2005, Instant802 Networks, Inc. 7 * Copyright 2005-2006, Devicescape Software, Inc. 8 * Copyright 2006-2007 Jiri Benc <jbenc@suse.cz> 9 * Copyright 2007, Michael Wu <flamingice@sourmilk.net> 10 * Copyright 2007-2010, Intel Corporation 11 * Copyright(c) 2015-2017 Intel Deutschland GmbH 12 * Copyright (C) 2018 - 2023 Intel Corporation 13 */ 14 15 #include <linux/ieee80211.h> 16 #include <linux/slab.h> 17 #include <linux/export.h> 18 #include <net/mac80211.h> 19 #include "ieee80211_i.h" 20 #include "driver-ops.h" 21 #include "wme.h" 22 23 /** 24 * DOC: TX A-MPDU aggregation 25 * 26 * Aggregation on the TX side requires setting the hardware flag 27 * %IEEE80211_HW_AMPDU_AGGREGATION. The driver will then be handed 28 * packets with a flag indicating A-MPDU aggregation. The driver 29 * or device is responsible for actually aggregating the frames, 30 * as well as deciding how many and which to aggregate. 31 * 32 * When TX aggregation is started by some subsystem (usually the rate 33 * control algorithm would be appropriate) by calling the 34 * ieee80211_start_tx_ba_session() function, the driver will be 35 * notified via its @ampdu_action function, with the 36 * %IEEE80211_AMPDU_TX_START action. 37 * 38 * In response to that, the driver is later required to call the 39 * ieee80211_start_tx_ba_cb_irqsafe() function, which will really 40 * start the aggregation session after the peer has also responded. 41 * If the peer responds negatively, the session will be stopped 42 * again right away. Note that it is possible for the aggregation 43 * session to be stopped before the driver has indicated that it 44 * is done setting it up, in which case it must not indicate the 45 * setup completion. 46 * 47 * Also note that, since we also need to wait for a response from 48 * the peer, the driver is notified of the completion of the 49 * handshake by the %IEEE80211_AMPDU_TX_OPERATIONAL action to the 50 * @ampdu_action callback. 51 * 52 * Similarly, when the aggregation session is stopped by the peer 53 * or something calling ieee80211_stop_tx_ba_session(), the driver's 54 * @ampdu_action function will be called with the action 55 * %IEEE80211_AMPDU_TX_STOP. In this case, the call must not fail, 56 * and the driver must later call ieee80211_stop_tx_ba_cb_irqsafe(). 57 * Note that the sta can get destroyed before the BA tear down is 58 * complete. 59 */ 60 61 static void ieee80211_send_addba_request(struct ieee80211_sub_if_data *sdata, 62 const u8 *da, u16 tid, 63 u8 dialog_token, u16 start_seq_num, 64 u16 agg_size, u16 timeout) 65 { 66 struct ieee80211_local *local = sdata->local; 67 struct sk_buff *skb; 68 struct ieee80211_mgmt *mgmt; 69 u16 capab; 70 71 skb = dev_alloc_skb(sizeof(*mgmt) + local->hw.extra_tx_headroom); 72 73 if (!skb) 74 return; 75 76 skb_reserve(skb, local->hw.extra_tx_headroom); 77 mgmt = ieee80211_mgmt_ba(skb, da, sdata); 78 79 skb_put(skb, 1 + sizeof(mgmt->u.action.u.addba_req)); 80 81 mgmt->u.action.category = WLAN_CATEGORY_BACK; 82 mgmt->u.action.u.addba_req.action_code = WLAN_ACTION_ADDBA_REQ; 83 84 mgmt->u.action.u.addba_req.dialog_token = dialog_token; 85 capab = IEEE80211_ADDBA_PARAM_AMSDU_MASK; 86 capab |= IEEE80211_ADDBA_PARAM_POLICY_MASK; 87 capab |= u16_encode_bits(tid, IEEE80211_ADDBA_PARAM_TID_MASK); 88 capab |= u16_encode_bits(agg_size, IEEE80211_ADDBA_PARAM_BUF_SIZE_MASK); 89 90 mgmt->u.action.u.addba_req.capab = cpu_to_le16(capab); 91 92 mgmt->u.action.u.addba_req.timeout = cpu_to_le16(timeout); 93 mgmt->u.action.u.addba_req.start_seq_num = 94 cpu_to_le16(start_seq_num << 4); 95 96 ieee80211_tx_skb_tid(sdata, skb, tid, -1); 97 } 98 99 void ieee80211_send_bar(struct ieee80211_vif *vif, u8 *ra, u16 tid, u16 ssn) 100 { 101 struct ieee80211_sub_if_data *sdata = vif_to_sdata(vif); 102 struct ieee80211_local *local = sdata->local; 103 struct sk_buff *skb; 104 struct ieee80211_bar *bar; 105 u16 bar_control = 0; 106 107 skb = dev_alloc_skb(sizeof(*bar) + local->hw.extra_tx_headroom); 108 if (!skb) 109 return; 110 111 skb_reserve(skb, local->hw.extra_tx_headroom); 112 bar = skb_put_zero(skb, sizeof(*bar)); 113 bar->frame_control = cpu_to_le16(IEEE80211_FTYPE_CTL | 114 IEEE80211_STYPE_BACK_REQ); 115 memcpy(bar->ra, ra, ETH_ALEN); 116 memcpy(bar->ta, sdata->vif.addr, ETH_ALEN); 117 bar_control |= (u16)IEEE80211_BAR_CTRL_ACK_POLICY_NORMAL; 118 bar_control |= (u16)IEEE80211_BAR_CTRL_CBMTID_COMPRESSED_BA; 119 bar_control |= (u16)(tid << IEEE80211_BAR_CTRL_TID_INFO_SHIFT); 120 bar->control = cpu_to_le16(bar_control); 121 bar->start_seq_num = cpu_to_le16(ssn); 122 123 IEEE80211_SKB_CB(skb)->flags |= IEEE80211_TX_INTFL_DONT_ENCRYPT | 124 IEEE80211_TX_CTL_REQ_TX_STATUS; 125 ieee80211_tx_skb_tid(sdata, skb, tid, -1); 126 } 127 EXPORT_SYMBOL(ieee80211_send_bar); 128 129 void ieee80211_assign_tid_tx(struct sta_info *sta, int tid, 130 struct tid_ampdu_tx *tid_tx) 131 { 132 lockdep_assert_wiphy(sta->local->hw.wiphy); 133 lockdep_assert_held(&sta->lock); 134 rcu_assign_pointer(sta->ampdu_mlme.tid_tx[tid], tid_tx); 135 } 136 137 /* 138 * When multiple aggregation sessions on multiple stations 139 * are being created/destroyed simultaneously, we need to 140 * refcount the global queue stop caused by that in order 141 * to not get into a situation where one of the aggregation 142 * setup or teardown re-enables queues before the other is 143 * ready to handle that. 144 * 145 * These two functions take care of this issue by keeping 146 * a global "agg_queue_stop" refcount. 147 */ 148 static void __acquires(agg_queue) 149 ieee80211_stop_queue_agg(struct ieee80211_sub_if_data *sdata, int tid) 150 { 151 int queue = sdata->vif.hw_queue[ieee80211_ac_from_tid(tid)]; 152 153 /* we do refcounting here, so don't use the queue reason refcounting */ 154 155 if (atomic_inc_return(&sdata->local->agg_queue_stop[queue]) == 1) 156 ieee80211_stop_queue_by_reason( 157 &sdata->local->hw, queue, 158 IEEE80211_QUEUE_STOP_REASON_AGGREGATION, 159 false); 160 __acquire(agg_queue); 161 } 162 163 static void __releases(agg_queue) 164 ieee80211_wake_queue_agg(struct ieee80211_sub_if_data *sdata, int tid) 165 { 166 int queue = sdata->vif.hw_queue[ieee80211_ac_from_tid(tid)]; 167 168 if (atomic_dec_return(&sdata->local->agg_queue_stop[queue]) == 0) 169 ieee80211_wake_queue_by_reason( 170 &sdata->local->hw, queue, 171 IEEE80211_QUEUE_STOP_REASON_AGGREGATION, 172 false); 173 __release(agg_queue); 174 } 175 176 static void 177 ieee80211_agg_stop_txq(struct sta_info *sta, int tid) 178 { 179 struct ieee80211_txq *txq = sta->sta.txq[tid]; 180 struct ieee80211_sub_if_data *sdata; 181 struct fq *fq; 182 struct txq_info *txqi; 183 184 if (!txq) 185 return; 186 187 txqi = to_txq_info(txq); 188 sdata = vif_to_sdata(txq->vif); 189 fq = &sdata->local->fq; 190 191 /* Lock here to protect against further seqno updates on dequeue */ 192 spin_lock_bh(&fq->lock); 193 set_bit(IEEE80211_TXQ_STOP, &txqi->flags); 194 spin_unlock_bh(&fq->lock); 195 } 196 197 static void 198 ieee80211_agg_start_txq(struct sta_info *sta, int tid, bool enable) 199 { 200 struct ieee80211_txq *txq = sta->sta.txq[tid]; 201 struct txq_info *txqi; 202 203 lockdep_assert_wiphy(sta->local->hw.wiphy); 204 205 if (!txq) 206 return; 207 208 txqi = to_txq_info(txq); 209 210 if (enable) 211 set_bit(IEEE80211_TXQ_AMPDU, &txqi->flags); 212 else 213 clear_bit(IEEE80211_TXQ_AMPDU, &txqi->flags); 214 215 clear_bit(IEEE80211_TXQ_STOP, &txqi->flags); 216 local_bh_disable(); 217 rcu_read_lock(); 218 schedule_and_wake_txq(sta->sdata->local, txqi); 219 rcu_read_unlock(); 220 local_bh_enable(); 221 } 222 223 /* 224 * splice packets from the STA's pending to the local pending, 225 * requires a call to ieee80211_agg_splice_finish later 226 */ 227 static void __acquires(agg_queue) 228 ieee80211_agg_splice_packets(struct ieee80211_sub_if_data *sdata, 229 struct tid_ampdu_tx *tid_tx, u16 tid) 230 { 231 struct ieee80211_local *local = sdata->local; 232 int queue = sdata->vif.hw_queue[ieee80211_ac_from_tid(tid)]; 233 unsigned long flags; 234 235 ieee80211_stop_queue_agg(sdata, tid); 236 237 if (WARN(!tid_tx, 238 "TID %d gone but expected when splicing aggregates from the pending queue\n", 239 tid)) 240 return; 241 242 if (!skb_queue_empty(&tid_tx->pending)) { 243 spin_lock_irqsave(&local->queue_stop_reason_lock, flags); 244 /* copy over remaining packets */ 245 skb_queue_splice_tail_init(&tid_tx->pending, 246 &local->pending[queue]); 247 spin_unlock_irqrestore(&local->queue_stop_reason_lock, flags); 248 } 249 } 250 251 static void __releases(agg_queue) 252 ieee80211_agg_splice_finish(struct ieee80211_sub_if_data *sdata, u16 tid) 253 { 254 ieee80211_wake_queue_agg(sdata, tid); 255 } 256 257 static void ieee80211_remove_tid_tx(struct sta_info *sta, int tid) 258 { 259 struct tid_ampdu_tx *tid_tx; 260 261 lockdep_assert_wiphy(sta->local->hw.wiphy); 262 lockdep_assert_held(&sta->lock); 263 264 tid_tx = rcu_dereference_protected_tid_tx(sta, tid); 265 266 /* 267 * When we get here, the TX path will not be lockless any more wrt. 268 * aggregation, since the OPERATIONAL bit has long been cleared. 269 * Thus it will block on getting the lock, if it occurs. So if we 270 * stop the queue now, we will not get any more packets, and any 271 * that might be being processed will wait for us here, thereby 272 * guaranteeing that no packets go to the tid_tx pending queue any 273 * more. 274 */ 275 276 ieee80211_agg_splice_packets(sta->sdata, tid_tx, tid); 277 278 /* future packets must not find the tid_tx struct any more */ 279 ieee80211_assign_tid_tx(sta, tid, NULL); 280 281 ieee80211_agg_splice_finish(sta->sdata, tid); 282 283 kfree_rcu(tid_tx, rcu_head); 284 } 285 286 int __ieee80211_stop_tx_ba_session(struct sta_info *sta, u16 tid, 287 enum ieee80211_agg_stop_reason reason) 288 { 289 struct ieee80211_local *local = sta->local; 290 struct tid_ampdu_tx *tid_tx; 291 struct ieee80211_ampdu_params params = { 292 .sta = &sta->sta, 293 .tid = tid, 294 .buf_size = 0, 295 .amsdu = false, 296 .timeout = 0, 297 .ssn = 0, 298 }; 299 int ret; 300 301 lockdep_assert_wiphy(sta->local->hw.wiphy); 302 303 switch (reason) { 304 case AGG_STOP_DECLINED: 305 case AGG_STOP_LOCAL_REQUEST: 306 case AGG_STOP_PEER_REQUEST: 307 params.action = IEEE80211_AMPDU_TX_STOP_CONT; 308 break; 309 case AGG_STOP_DESTROY_STA: 310 params.action = IEEE80211_AMPDU_TX_STOP_FLUSH; 311 break; 312 default: 313 WARN_ON_ONCE(1); 314 return -EINVAL; 315 } 316 317 spin_lock_bh(&sta->lock); 318 319 /* free struct pending for start, if present */ 320 tid_tx = sta->ampdu_mlme.tid_start_tx[tid]; 321 kfree(tid_tx); 322 sta->ampdu_mlme.tid_start_tx[tid] = NULL; 323 324 tid_tx = rcu_dereference_protected_tid_tx(sta, tid); 325 if (!tid_tx) { 326 spin_unlock_bh(&sta->lock); 327 return -ENOENT; 328 } 329 330 /* 331 * if we're already stopping ignore any new requests to stop 332 * unless we're destroying it in which case notify the driver 333 */ 334 if (test_bit(HT_AGG_STATE_STOPPING, &tid_tx->state)) { 335 spin_unlock_bh(&sta->lock); 336 if (reason != AGG_STOP_DESTROY_STA) 337 return -EALREADY; 338 params.action = IEEE80211_AMPDU_TX_STOP_FLUSH_CONT; 339 ret = drv_ampdu_action(local, sta->sdata, ¶ms); 340 WARN_ON_ONCE(ret); 341 return 0; 342 } 343 344 if (test_bit(HT_AGG_STATE_WANT_START, &tid_tx->state)) { 345 /* not even started yet! */ 346 ieee80211_assign_tid_tx(sta, tid, NULL); 347 spin_unlock_bh(&sta->lock); 348 kfree_rcu(tid_tx, rcu_head); 349 return 0; 350 } 351 352 set_bit(HT_AGG_STATE_STOPPING, &tid_tx->state); 353 354 ieee80211_agg_stop_txq(sta, tid); 355 356 spin_unlock_bh(&sta->lock); 357 358 ht_dbg(sta->sdata, "Tx BA session stop requested for %pM tid %u\n", 359 sta->sta.addr, tid); 360 361 del_timer_sync(&tid_tx->addba_resp_timer); 362 del_timer_sync(&tid_tx->session_timer); 363 364 /* 365 * After this packets are no longer handed right through 366 * to the driver but are put onto tid_tx->pending instead, 367 * with locking to ensure proper access. 368 */ 369 clear_bit(HT_AGG_STATE_OPERATIONAL, &tid_tx->state); 370 371 /* 372 * There might be a few packets being processed right now (on 373 * another CPU) that have already gotten past the aggregation 374 * check when it was still OPERATIONAL and consequently have 375 * IEEE80211_TX_CTL_AMPDU set. In that case, this code might 376 * call into the driver at the same time or even before the 377 * TX paths calls into it, which could confuse the driver. 378 * 379 * Wait for all currently running TX paths to finish before 380 * telling the driver. New packets will not go through since 381 * the aggregation session is no longer OPERATIONAL. 382 */ 383 if (!local->in_reconfig) 384 synchronize_net(); 385 386 tid_tx->stop_initiator = reason == AGG_STOP_PEER_REQUEST ? 387 WLAN_BACK_RECIPIENT : 388 WLAN_BACK_INITIATOR; 389 tid_tx->tx_stop = reason == AGG_STOP_LOCAL_REQUEST; 390 391 ret = drv_ampdu_action(local, sta->sdata, ¶ms); 392 393 /* HW shall not deny going back to legacy */ 394 if (WARN_ON(ret)) { 395 /* 396 * We may have pending packets get stuck in this case... 397 * Not bothering with a workaround for now. 398 */ 399 } 400 401 /* 402 * In the case of AGG_STOP_DESTROY_STA, the driver won't 403 * necessarily call ieee80211_stop_tx_ba_cb(), so this may 404 * seem like we can leave the tid_tx data pending forever. 405 * This is true, in a way, but "forever" is only until the 406 * station struct is actually destroyed. In the meantime, 407 * leaving it around ensures that we don't transmit packets 408 * to the driver on this TID which might confuse it. 409 */ 410 411 return 0; 412 } 413 414 /* 415 * After sending add Block Ack request we activated a timer until 416 * add Block Ack response will arrive from the recipient. 417 * If this timer expires sta_addba_resp_timer_expired will be executed. 418 */ 419 static void sta_addba_resp_timer_expired(struct timer_list *t) 420 { 421 struct tid_ampdu_tx *tid_tx = from_timer(tid_tx, t, addba_resp_timer); 422 struct sta_info *sta = tid_tx->sta; 423 u8 tid = tid_tx->tid; 424 425 /* check if the TID waits for addBA response */ 426 if (test_bit(HT_AGG_STATE_RESPONSE_RECEIVED, &tid_tx->state)) { 427 ht_dbg(sta->sdata, 428 "timer expired on %pM tid %d not expecting addBA response\n", 429 sta->sta.addr, tid); 430 return; 431 } 432 433 ht_dbg(sta->sdata, "addBA response timer expired on %pM tid %d\n", 434 sta->sta.addr, tid); 435 436 ieee80211_stop_tx_ba_session(&sta->sta, tid); 437 } 438 439 static void ieee80211_send_addba_with_timeout(struct sta_info *sta, 440 struct tid_ampdu_tx *tid_tx) 441 { 442 struct ieee80211_sub_if_data *sdata = sta->sdata; 443 struct ieee80211_local *local = sta->local; 444 u8 tid = tid_tx->tid; 445 u16 buf_size; 446 447 if (WARN_ON_ONCE(test_bit(HT_AGG_STATE_STOPPING, &tid_tx->state) || 448 test_bit(HT_AGG_STATE_WANT_STOP, &tid_tx->state))) 449 return; 450 451 lockdep_assert_wiphy(sta->local->hw.wiphy); 452 453 /* activate the timer for the recipient's addBA response */ 454 mod_timer(&tid_tx->addba_resp_timer, jiffies + ADDBA_RESP_INTERVAL); 455 ht_dbg(sdata, "activated addBA response timer on %pM tid %d\n", 456 sta->sta.addr, tid); 457 458 spin_lock_bh(&sta->lock); 459 sta->ampdu_mlme.last_addba_req_time[tid] = jiffies; 460 sta->ampdu_mlme.addba_req_num[tid]++; 461 spin_unlock_bh(&sta->lock); 462 463 if (sta->sta.deflink.he_cap.has_he) { 464 buf_size = local->hw.max_tx_aggregation_subframes; 465 } else { 466 /* 467 * We really should use what the driver told us it will 468 * transmit as the maximum, but certain APs (e.g. the 469 * LinkSys WRT120N with FW v1.0.07 build 002 Jun 18 2012) 470 * will crash when we use a lower number. 471 */ 472 buf_size = IEEE80211_MAX_AMPDU_BUF_HT; 473 } 474 475 /* send AddBA request */ 476 ieee80211_send_addba_request(sdata, sta->sta.addr, tid, 477 tid_tx->dialog_token, tid_tx->ssn, 478 buf_size, tid_tx->timeout); 479 480 WARN_ON(test_and_set_bit(HT_AGG_STATE_SENT_ADDBA, &tid_tx->state)); 481 } 482 483 void ieee80211_tx_ba_session_handle_start(struct sta_info *sta, int tid) 484 { 485 struct tid_ampdu_tx *tid_tx; 486 struct ieee80211_local *local = sta->local; 487 struct ieee80211_sub_if_data *sdata = sta->sdata; 488 struct ieee80211_ampdu_params params = { 489 .sta = &sta->sta, 490 .action = IEEE80211_AMPDU_TX_START, 491 .tid = tid, 492 .buf_size = 0, 493 .amsdu = false, 494 .timeout = 0, 495 }; 496 int ret; 497 498 tid_tx = rcu_dereference_protected_tid_tx(sta, tid); 499 500 /* 501 * Start queuing up packets for this aggregation session. 502 * We're going to release them once the driver is OK with 503 * that. 504 */ 505 clear_bit(HT_AGG_STATE_WANT_START, &tid_tx->state); 506 507 /* 508 * Make sure no packets are being processed. This ensures that 509 * we have a valid starting sequence number and that in-flight 510 * packets have been flushed out and no packets for this TID 511 * will go into the driver during the ampdu_action call. 512 */ 513 synchronize_net(); 514 515 params.ssn = sta->tid_seq[tid] >> 4; 516 ret = drv_ampdu_action(local, sdata, ¶ms); 517 tid_tx->ssn = params.ssn; 518 if (ret == IEEE80211_AMPDU_TX_START_DELAY_ADDBA) { 519 return; 520 } else if (ret == IEEE80211_AMPDU_TX_START_IMMEDIATE) { 521 /* 522 * We didn't send the request yet, so don't need to check 523 * here if we already got a response, just mark as driver 524 * ready immediately. 525 */ 526 set_bit(HT_AGG_STATE_DRV_READY, &tid_tx->state); 527 } else if (ret) { 528 ht_dbg(sdata, 529 "BA request denied - HW unavailable for %pM tid %d\n", 530 sta->sta.addr, tid); 531 spin_lock_bh(&sta->lock); 532 ieee80211_agg_splice_packets(sdata, tid_tx, tid); 533 ieee80211_assign_tid_tx(sta, tid, NULL); 534 ieee80211_agg_splice_finish(sdata, tid); 535 spin_unlock_bh(&sta->lock); 536 537 ieee80211_agg_start_txq(sta, tid, false); 538 539 kfree_rcu(tid_tx, rcu_head); 540 return; 541 } 542 543 ieee80211_send_addba_with_timeout(sta, tid_tx); 544 } 545 546 void ieee80211_refresh_tx_agg_session_timer(struct ieee80211_sta *pubsta, 547 u16 tid) 548 { 549 struct sta_info *sta = container_of(pubsta, struct sta_info, sta); 550 struct tid_ampdu_tx *tid_tx; 551 552 if (WARN_ON_ONCE(tid >= IEEE80211_NUM_TIDS)) 553 return; 554 555 tid_tx = rcu_dereference(sta->ampdu_mlme.tid_tx[tid]); 556 if (!tid_tx) 557 return; 558 559 tid_tx->last_tx = jiffies; 560 } 561 EXPORT_SYMBOL(ieee80211_refresh_tx_agg_session_timer); 562 563 /* 564 * After accepting the AddBA Response we activated a timer, 565 * resetting it after each frame that we send. 566 */ 567 static void sta_tx_agg_session_timer_expired(struct timer_list *t) 568 { 569 struct tid_ampdu_tx *tid_tx = from_timer(tid_tx, t, session_timer); 570 struct sta_info *sta = tid_tx->sta; 571 u8 tid = tid_tx->tid; 572 unsigned long timeout; 573 574 if (test_bit(HT_AGG_STATE_STOPPING, &tid_tx->state)) { 575 return; 576 } 577 578 timeout = tid_tx->last_tx + TU_TO_JIFFIES(tid_tx->timeout); 579 if (time_is_after_jiffies(timeout)) { 580 mod_timer(&tid_tx->session_timer, timeout); 581 return; 582 } 583 584 ht_dbg(sta->sdata, "tx session timer expired on %pM tid %d\n", 585 sta->sta.addr, tid); 586 587 ieee80211_stop_tx_ba_session(&sta->sta, tid); 588 } 589 590 int ieee80211_start_tx_ba_session(struct ieee80211_sta *pubsta, u16 tid, 591 u16 timeout) 592 { 593 struct sta_info *sta = container_of(pubsta, struct sta_info, sta); 594 struct ieee80211_sub_if_data *sdata = sta->sdata; 595 struct ieee80211_local *local = sdata->local; 596 struct tid_ampdu_tx *tid_tx; 597 int ret = 0; 598 599 trace_api_start_tx_ba_session(pubsta, tid); 600 601 if (WARN(sta->reserved_tid == tid, 602 "Requested to start BA session on reserved tid=%d", tid)) 603 return -EINVAL; 604 605 if (!pubsta->deflink.ht_cap.ht_supported && 606 !pubsta->deflink.vht_cap.vht_supported && 607 !pubsta->deflink.he_cap.has_he && 608 !pubsta->deflink.eht_cap.has_eht) 609 return -EINVAL; 610 611 if (WARN_ON_ONCE(!local->ops->ampdu_action)) 612 return -EINVAL; 613 614 if ((tid >= IEEE80211_NUM_TIDS) || 615 !ieee80211_hw_check(&local->hw, AMPDU_AGGREGATION) || 616 ieee80211_hw_check(&local->hw, TX_AMPDU_SETUP_IN_HW)) 617 return -EINVAL; 618 619 if (WARN_ON(tid >= IEEE80211_FIRST_TSPEC_TSID)) 620 return -EINVAL; 621 622 ht_dbg(sdata, "Open BA session requested for %pM tid %u\n", 623 pubsta->addr, tid); 624 625 if (sdata->vif.type != NL80211_IFTYPE_STATION && 626 sdata->vif.type != NL80211_IFTYPE_MESH_POINT && 627 sdata->vif.type != NL80211_IFTYPE_AP_VLAN && 628 sdata->vif.type != NL80211_IFTYPE_AP && 629 sdata->vif.type != NL80211_IFTYPE_ADHOC) 630 return -EINVAL; 631 632 if (test_sta_flag(sta, WLAN_STA_BLOCK_BA)) { 633 ht_dbg(sdata, 634 "BA sessions blocked - Denying BA session request %pM tid %d\n", 635 sta->sta.addr, tid); 636 return -EINVAL; 637 } 638 639 if (test_sta_flag(sta, WLAN_STA_MFP) && 640 !test_sta_flag(sta, WLAN_STA_AUTHORIZED)) { 641 ht_dbg(sdata, 642 "MFP STA not authorized - deny BA session request %pM tid %d\n", 643 sta->sta.addr, tid); 644 return -EINVAL; 645 } 646 647 /* 648 * 802.11n-2009 11.5.1.1: If the initiating STA is an HT STA, is a 649 * member of an IBSS, and has no other existing Block Ack agreement 650 * with the recipient STA, then the initiating STA shall transmit a 651 * Probe Request frame to the recipient STA and shall not transmit an 652 * ADDBA Request frame unless it receives a Probe Response frame 653 * from the recipient within dot11ADDBAFailureTimeout. 654 * 655 * The probe request mechanism for ADDBA is currently not implemented, 656 * but we only build up Block Ack session with HT STAs. This information 657 * is set when we receive a bss info from a probe response or a beacon. 658 */ 659 if (sta->sdata->vif.type == NL80211_IFTYPE_ADHOC && 660 !sta->sta.deflink.ht_cap.ht_supported) { 661 ht_dbg(sdata, 662 "BA request denied - IBSS STA %pM does not advertise HT support\n", 663 pubsta->addr); 664 return -EINVAL; 665 } 666 667 spin_lock_bh(&sta->lock); 668 669 /* we have tried too many times, receiver does not want A-MPDU */ 670 if (sta->ampdu_mlme.addba_req_num[tid] > HT_AGG_MAX_RETRIES) { 671 ret = -EBUSY; 672 goto err_unlock_sta; 673 } 674 675 /* 676 * if we have tried more than HT_AGG_BURST_RETRIES times we 677 * will spread our requests in time to avoid stalling connection 678 * for too long 679 */ 680 if (sta->ampdu_mlme.addba_req_num[tid] > HT_AGG_BURST_RETRIES && 681 time_before(jiffies, sta->ampdu_mlme.last_addba_req_time[tid] + 682 HT_AGG_RETRIES_PERIOD)) { 683 ht_dbg(sdata, 684 "BA request denied - %d failed requests on %pM tid %u\n", 685 sta->ampdu_mlme.addba_req_num[tid], sta->sta.addr, tid); 686 ret = -EBUSY; 687 goto err_unlock_sta; 688 } 689 690 tid_tx = rcu_dereference_protected_tid_tx(sta, tid); 691 /* check if the TID is not in aggregation flow already */ 692 if (tid_tx || sta->ampdu_mlme.tid_start_tx[tid]) { 693 ht_dbg(sdata, 694 "BA request denied - session is not idle on %pM tid %u\n", 695 sta->sta.addr, tid); 696 ret = -EAGAIN; 697 goto err_unlock_sta; 698 } 699 700 /* prepare A-MPDU MLME for Tx aggregation */ 701 tid_tx = kzalloc(sizeof(struct tid_ampdu_tx), GFP_ATOMIC); 702 if (!tid_tx) { 703 ret = -ENOMEM; 704 goto err_unlock_sta; 705 } 706 707 skb_queue_head_init(&tid_tx->pending); 708 __set_bit(HT_AGG_STATE_WANT_START, &tid_tx->state); 709 710 tid_tx->timeout = timeout; 711 tid_tx->sta = sta; 712 tid_tx->tid = tid; 713 714 /* response timer */ 715 timer_setup(&tid_tx->addba_resp_timer, sta_addba_resp_timer_expired, 0); 716 717 /* tx timer */ 718 timer_setup(&tid_tx->session_timer, 719 sta_tx_agg_session_timer_expired, TIMER_DEFERRABLE); 720 721 /* assign a dialog token */ 722 sta->ampdu_mlme.dialog_token_allocator++; 723 tid_tx->dialog_token = sta->ampdu_mlme.dialog_token_allocator; 724 725 /* 726 * Finally, assign it to the start array; the work item will 727 * collect it and move it to the normal array. 728 */ 729 sta->ampdu_mlme.tid_start_tx[tid] = tid_tx; 730 731 wiphy_work_queue(local->hw.wiphy, &sta->ampdu_mlme.work); 732 733 /* this flow continues off the work */ 734 err_unlock_sta: 735 spin_unlock_bh(&sta->lock); 736 return ret; 737 } 738 EXPORT_SYMBOL(ieee80211_start_tx_ba_session); 739 740 static void ieee80211_agg_tx_operational(struct ieee80211_local *local, 741 struct sta_info *sta, u16 tid) 742 { 743 struct tid_ampdu_tx *tid_tx; 744 struct ieee80211_ampdu_params params = { 745 .sta = &sta->sta, 746 .action = IEEE80211_AMPDU_TX_OPERATIONAL, 747 .tid = tid, 748 .timeout = 0, 749 .ssn = 0, 750 }; 751 752 lockdep_assert_wiphy(sta->local->hw.wiphy); 753 754 tid_tx = rcu_dereference_protected_tid_tx(sta, tid); 755 params.buf_size = tid_tx->buf_size; 756 params.amsdu = tid_tx->amsdu; 757 758 ht_dbg(sta->sdata, "Aggregation is on for %pM tid %d\n", 759 sta->sta.addr, tid); 760 761 drv_ampdu_action(local, sta->sdata, ¶ms); 762 763 /* 764 * synchronize with TX path, while splicing the TX path 765 * should block so it won't put more packets onto pending. 766 */ 767 spin_lock_bh(&sta->lock); 768 769 ieee80211_agg_splice_packets(sta->sdata, tid_tx, tid); 770 /* 771 * Now mark as operational. This will be visible 772 * in the TX path, and lets it go lock-free in 773 * the common case. 774 */ 775 set_bit(HT_AGG_STATE_OPERATIONAL, &tid_tx->state); 776 ieee80211_agg_splice_finish(sta->sdata, tid); 777 778 spin_unlock_bh(&sta->lock); 779 780 ieee80211_agg_start_txq(sta, tid, true); 781 } 782 783 void ieee80211_start_tx_ba_cb(struct sta_info *sta, int tid, 784 struct tid_ampdu_tx *tid_tx) 785 { 786 struct ieee80211_sub_if_data *sdata = sta->sdata; 787 struct ieee80211_local *local = sdata->local; 788 789 lockdep_assert_wiphy(sta->local->hw.wiphy); 790 791 if (WARN_ON(test_and_set_bit(HT_AGG_STATE_DRV_READY, &tid_tx->state))) 792 return; 793 794 if (test_bit(HT_AGG_STATE_STOPPING, &tid_tx->state) || 795 test_bit(HT_AGG_STATE_WANT_STOP, &tid_tx->state)) 796 return; 797 798 if (!test_bit(HT_AGG_STATE_SENT_ADDBA, &tid_tx->state)) { 799 ieee80211_send_addba_with_timeout(sta, tid_tx); 800 /* RESPONSE_RECEIVED state would trigger the flow again */ 801 return; 802 } 803 804 if (test_bit(HT_AGG_STATE_RESPONSE_RECEIVED, &tid_tx->state)) 805 ieee80211_agg_tx_operational(local, sta, tid); 806 } 807 808 static struct tid_ampdu_tx * 809 ieee80211_lookup_tid_tx(struct ieee80211_sub_if_data *sdata, 810 const u8 *ra, u16 tid, struct sta_info **sta) 811 { 812 struct tid_ampdu_tx *tid_tx; 813 814 if (tid >= IEEE80211_NUM_TIDS) { 815 ht_dbg(sdata, "Bad TID value: tid = %d (>= %d)\n", 816 tid, IEEE80211_NUM_TIDS); 817 return NULL; 818 } 819 820 *sta = sta_info_get_bss(sdata, ra); 821 if (!*sta) { 822 ht_dbg(sdata, "Could not find station: %pM\n", ra); 823 return NULL; 824 } 825 826 tid_tx = rcu_dereference((*sta)->ampdu_mlme.tid_tx[tid]); 827 828 if (WARN_ON(!tid_tx)) 829 ht_dbg(sdata, "addBA was not requested!\n"); 830 831 return tid_tx; 832 } 833 834 void ieee80211_start_tx_ba_cb_irqsafe(struct ieee80211_vif *vif, 835 const u8 *ra, u16 tid) 836 { 837 struct ieee80211_sub_if_data *sdata = vif_to_sdata(vif); 838 struct ieee80211_local *local = sdata->local; 839 struct sta_info *sta; 840 struct tid_ampdu_tx *tid_tx; 841 842 trace_api_start_tx_ba_cb(sdata, ra, tid); 843 844 rcu_read_lock(); 845 tid_tx = ieee80211_lookup_tid_tx(sdata, ra, tid, &sta); 846 if (!tid_tx) 847 goto out; 848 849 set_bit(HT_AGG_STATE_START_CB, &tid_tx->state); 850 wiphy_work_queue(local->hw.wiphy, &sta->ampdu_mlme.work); 851 out: 852 rcu_read_unlock(); 853 } 854 EXPORT_SYMBOL(ieee80211_start_tx_ba_cb_irqsafe); 855 856 int ieee80211_stop_tx_ba_session(struct ieee80211_sta *pubsta, u16 tid) 857 { 858 struct sta_info *sta = container_of(pubsta, struct sta_info, sta); 859 struct ieee80211_sub_if_data *sdata = sta->sdata; 860 struct ieee80211_local *local = sdata->local; 861 struct tid_ampdu_tx *tid_tx; 862 int ret = 0; 863 864 trace_api_stop_tx_ba_session(pubsta, tid); 865 866 if (!local->ops->ampdu_action) 867 return -EINVAL; 868 869 if (tid >= IEEE80211_NUM_TIDS) 870 return -EINVAL; 871 872 spin_lock_bh(&sta->lock); 873 tid_tx = rcu_dereference_protected_tid_tx(sta, tid); 874 875 if (!tid_tx) { 876 ret = -ENOENT; 877 goto unlock; 878 } 879 880 WARN(sta->reserved_tid == tid, 881 "Requested to stop BA session on reserved tid=%d", tid); 882 883 if (test_bit(HT_AGG_STATE_STOPPING, &tid_tx->state)) { 884 /* already in progress stopping it */ 885 ret = 0; 886 goto unlock; 887 } 888 889 set_bit(HT_AGG_STATE_WANT_STOP, &tid_tx->state); 890 wiphy_work_queue(local->hw.wiphy, &sta->ampdu_mlme.work); 891 892 unlock: 893 spin_unlock_bh(&sta->lock); 894 return ret; 895 } 896 EXPORT_SYMBOL(ieee80211_stop_tx_ba_session); 897 898 void ieee80211_stop_tx_ba_cb(struct sta_info *sta, int tid, 899 struct tid_ampdu_tx *tid_tx) 900 { 901 struct ieee80211_sub_if_data *sdata = sta->sdata; 902 bool send_delba = false; 903 bool start_txq = false; 904 905 ht_dbg(sdata, "Stopping Tx BA session for %pM tid %d\n", 906 sta->sta.addr, tid); 907 908 spin_lock_bh(&sta->lock); 909 910 if (!test_bit(HT_AGG_STATE_STOPPING, &tid_tx->state)) { 911 ht_dbg(sdata, 912 "unexpected callback to A-MPDU stop for %pM tid %d\n", 913 sta->sta.addr, tid); 914 goto unlock_sta; 915 } 916 917 if (tid_tx->stop_initiator == WLAN_BACK_INITIATOR && tid_tx->tx_stop) 918 send_delba = true; 919 920 ieee80211_remove_tid_tx(sta, tid); 921 start_txq = true; 922 923 unlock_sta: 924 spin_unlock_bh(&sta->lock); 925 926 if (start_txq) 927 ieee80211_agg_start_txq(sta, tid, false); 928 929 if (send_delba) 930 ieee80211_send_delba(sdata, sta->sta.addr, tid, 931 WLAN_BACK_INITIATOR, WLAN_REASON_QSTA_NOT_USE); 932 } 933 934 void ieee80211_stop_tx_ba_cb_irqsafe(struct ieee80211_vif *vif, 935 const u8 *ra, u16 tid) 936 { 937 struct ieee80211_sub_if_data *sdata = vif_to_sdata(vif); 938 struct ieee80211_local *local = sdata->local; 939 struct sta_info *sta; 940 struct tid_ampdu_tx *tid_tx; 941 942 trace_api_stop_tx_ba_cb(sdata, ra, tid); 943 944 rcu_read_lock(); 945 tid_tx = ieee80211_lookup_tid_tx(sdata, ra, tid, &sta); 946 if (!tid_tx) 947 goto out; 948 949 set_bit(HT_AGG_STATE_STOP_CB, &tid_tx->state); 950 wiphy_work_queue(local->hw.wiphy, &sta->ampdu_mlme.work); 951 out: 952 rcu_read_unlock(); 953 } 954 EXPORT_SYMBOL(ieee80211_stop_tx_ba_cb_irqsafe); 955 956 957 void ieee80211_process_addba_resp(struct ieee80211_local *local, 958 struct sta_info *sta, 959 struct ieee80211_mgmt *mgmt, 960 size_t len) 961 { 962 struct tid_ampdu_tx *tid_tx; 963 struct ieee80211_txq *txq; 964 u16 capab, tid, buf_size; 965 bool amsdu; 966 967 lockdep_assert_wiphy(sta->local->hw.wiphy); 968 969 capab = le16_to_cpu(mgmt->u.action.u.addba_resp.capab); 970 amsdu = capab & IEEE80211_ADDBA_PARAM_AMSDU_MASK; 971 tid = u16_get_bits(capab, IEEE80211_ADDBA_PARAM_TID_MASK); 972 buf_size = u16_get_bits(capab, IEEE80211_ADDBA_PARAM_BUF_SIZE_MASK); 973 buf_size = min(buf_size, local->hw.max_tx_aggregation_subframes); 974 975 txq = sta->sta.txq[tid]; 976 if (!amsdu && txq) 977 set_bit(IEEE80211_TXQ_NO_AMSDU, &to_txq_info(txq)->flags); 978 979 tid_tx = rcu_dereference_protected_tid_tx(sta, tid); 980 if (!tid_tx) 981 return; 982 983 if (mgmt->u.action.u.addba_resp.dialog_token != tid_tx->dialog_token) { 984 ht_dbg(sta->sdata, "wrong addBA response token, %pM tid %d\n", 985 sta->sta.addr, tid); 986 return; 987 } 988 989 del_timer_sync(&tid_tx->addba_resp_timer); 990 991 ht_dbg(sta->sdata, "switched off addBA timer for %pM tid %d\n", 992 sta->sta.addr, tid); 993 994 /* 995 * addba_resp_timer may have fired before we got here, and 996 * caused WANT_STOP to be set. If the stop then was already 997 * processed further, STOPPING might be set. 998 */ 999 if (test_bit(HT_AGG_STATE_WANT_STOP, &tid_tx->state) || 1000 test_bit(HT_AGG_STATE_STOPPING, &tid_tx->state)) { 1001 ht_dbg(sta->sdata, 1002 "got addBA resp for %pM tid %d but we already gave up\n", 1003 sta->sta.addr, tid); 1004 return; 1005 } 1006 1007 /* 1008 * IEEE 802.11-2007 7.3.1.14: 1009 * In an ADDBA Response frame, when the Status Code field 1010 * is set to 0, the Buffer Size subfield is set to a value 1011 * of at least 1. 1012 */ 1013 if (le16_to_cpu(mgmt->u.action.u.addba_resp.status) 1014 == WLAN_STATUS_SUCCESS && buf_size) { 1015 if (test_and_set_bit(HT_AGG_STATE_RESPONSE_RECEIVED, 1016 &tid_tx->state)) { 1017 /* ignore duplicate response */ 1018 return; 1019 } 1020 1021 tid_tx->buf_size = buf_size; 1022 tid_tx->amsdu = amsdu; 1023 1024 if (test_bit(HT_AGG_STATE_DRV_READY, &tid_tx->state)) 1025 ieee80211_agg_tx_operational(local, sta, tid); 1026 1027 sta->ampdu_mlme.addba_req_num[tid] = 0; 1028 1029 tid_tx->timeout = 1030 le16_to_cpu(mgmt->u.action.u.addba_resp.timeout); 1031 1032 if (tid_tx->timeout) { 1033 mod_timer(&tid_tx->session_timer, 1034 TU_TO_EXP_TIME(tid_tx->timeout)); 1035 tid_tx->last_tx = jiffies; 1036 } 1037 1038 } else { 1039 __ieee80211_stop_tx_ba_session(sta, tid, AGG_STOP_DECLINED); 1040 } 1041 } 1042