Avoid reading past buffer when calling GETACL
[zen-stable.git] / drivers / net / wireless / mwifiex / 11n_aggr.c
blob079e5532e686c0c9f4256fc5b4207316b0248f1c
1 /*
2 * Marvell Wireless LAN device driver: 802.11n Aggregation
4 * Copyright (C) 2011, Marvell International Ltd.
6 * This software file (the "File") is distributed by Marvell International
7 * Ltd. under the terms of the GNU General Public License Version 2, June 1991
8 * (the "License"). You may use, redistribute and/or modify this File in
9 * accordance with the terms and conditions of the License, a copy of which
10 * is available by writing to the Free Software Foundation, Inc.,
11 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA or on the
12 * worldwide web at http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt.
14 * THE FILE IS DISTRIBUTED AS-IS, WITHOUT WARRANTY OF ANY KIND, AND THE
15 * IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE
16 * ARE EXPRESSLY DISCLAIMED. The License provides additional details about
17 * this warranty disclaimer.
20 #include "decl.h"
21 #include "ioctl.h"
22 #include "util.h"
23 #include "fw.h"
24 #include "main.h"
25 #include "wmm.h"
26 #include "11n.h"
27 #include "11n_aggr.h"
30 * Creates an AMSDU subframe for aggregation into one AMSDU packet.
32 * The resultant AMSDU subframe format is -
34 * +---- ~ -----+---- ~ ------+---- ~ -----+----- ~ -----+---- ~ -----+
35 * | DA | SA | Length | SNAP header | MSDU |
36 * | data[0..5] | data[6..11] | | | data[14..] |
37 * +---- ~ -----+---- ~ ------+---- ~ -----+----- ~ -----+---- ~ -----+
38 * <--6-bytes--> <--6-bytes--> <--2-bytes--><--8-bytes--> <--n-bytes-->
40 * This function also computes the amount of padding required to make the
41 * buffer length multiple of 4 bytes.
43 * Data => |DA|SA|SNAP-TYPE|........ .|
44 * MSDU => |DA|SA|Length|SNAP|...... ..|
46 static int
47 mwifiex_11n_form_amsdu_pkt(struct sk_buff *skb_aggr,
48 struct sk_buff *skb_src, int *pad)
51 int dt_offset;
52 struct rfc_1042_hdr snap = {
53 0xaa, /* LLC DSAP */
54 0xaa, /* LLC SSAP */
55 0x03, /* LLC CTRL */
56 {0x00, 0x00, 0x00}, /* SNAP OUI */
57 0x0000 /* SNAP type */
59 * This field will be overwritten
60 * later with ethertype
63 struct tx_packet_hdr *tx_header;
65 skb_put(skb_aggr, sizeof(*tx_header));
67 tx_header = (struct tx_packet_hdr *) skb_aggr->data;
69 /* Copy DA and SA */
70 dt_offset = 2 * ETH_ALEN;
71 memcpy(&tx_header->eth803_hdr, skb_src->data, dt_offset);
73 /* Copy SNAP header */
74 snap.snap_type = *(u16 *) ((u8 *)skb_src->data + dt_offset);
75 dt_offset += sizeof(u16);
77 memcpy(&tx_header->rfc1042_hdr, &snap, sizeof(struct rfc_1042_hdr));
79 skb_pull(skb_src, dt_offset);
81 /* Update Length field */
82 tx_header->eth803_hdr.h_proto = htons(skb_src->len + LLC_SNAP_LEN);
84 /* Add payload */
85 skb_put(skb_aggr, skb_src->len);
86 memcpy(skb_aggr->data + sizeof(*tx_header), skb_src->data,
87 skb_src->len);
88 *pad = (((skb_src->len + LLC_SNAP_LEN) & 3)) ? (4 - (((skb_src->len +
89 LLC_SNAP_LEN)) & 3)) : 0;
90 skb_put(skb_aggr, *pad);
92 return skb_aggr->len + *pad;
96 * Adds TxPD to AMSDU header.
98 * Each AMSDU packet will contain one TxPD at the beginning,
99 * followed by multiple AMSDU subframes.
101 static void
102 mwifiex_11n_form_amsdu_txpd(struct mwifiex_private *priv,
103 struct sk_buff *skb)
105 struct txpd *local_tx_pd;
107 skb_push(skb, sizeof(*local_tx_pd));
109 local_tx_pd = (struct txpd *) skb->data;
110 memset(local_tx_pd, 0, sizeof(struct txpd));
112 /* Original priority has been overwritten */
113 local_tx_pd->priority = (u8) skb->priority;
114 local_tx_pd->pkt_delay_2ms =
115 mwifiex_wmm_compute_drv_pkt_delay(priv, skb);
116 local_tx_pd->bss_num = priv->bss_num;
117 local_tx_pd->bss_type = priv->bss_type;
118 /* Always zero as the data is followed by struct txpd */
119 local_tx_pd->tx_pkt_offset = cpu_to_le16(sizeof(struct txpd));
120 local_tx_pd->tx_pkt_type = cpu_to_le16(PKT_TYPE_AMSDU);
121 local_tx_pd->tx_pkt_length = cpu_to_le16(skb->len -
122 sizeof(*local_tx_pd));
124 if (local_tx_pd->tx_control == 0)
125 /* TxCtrl set by user or default */
126 local_tx_pd->tx_control = cpu_to_le32(priv->pkt_tx_ctrl);
128 if ((GET_BSS_ROLE(priv) == MWIFIEX_BSS_ROLE_STA) &&
129 (priv->adapter->pps_uapsd_mode)) {
130 if (true == mwifiex_check_last_packet_indication(priv)) {
131 priv->adapter->tx_lock_flag = true;
132 local_tx_pd->flags =
133 MWIFIEX_TxPD_POWER_MGMT_LAST_PACKET;
139 * Create aggregated packet.
141 * This function creates an aggregated MSDU packet, by combining buffers
142 * from the RA list. Each individual buffer is encapsulated as an AMSDU
143 * subframe and all such subframes are concatenated together to form the
144 * AMSDU packet.
146 * A TxPD is also added to the front of the resultant AMSDU packets for
147 * transmission. The resultant packets format is -
149 * +---- ~ ----+------ ~ ------+------ ~ ------+-..-+------ ~ ------+
150 * | TxPD |AMSDU sub-frame|AMSDU sub-frame| .. |AMSDU sub-frame|
151 * | | 1 | 2 | .. | n |
152 * +---- ~ ----+------ ~ ------+------ ~ ------+ .. +------ ~ ------+
155 mwifiex_11n_aggregate_pkt(struct mwifiex_private *priv,
156 struct mwifiex_ra_list_tbl *pra_list, int headroom,
157 int ptrindex, unsigned long ra_list_flags)
158 __releases(&priv->wmm.ra_list_spinlock)
160 struct mwifiex_adapter *adapter = priv->adapter;
161 struct sk_buff *skb_aggr, *skb_src;
162 struct mwifiex_txinfo *tx_info_aggr, *tx_info_src;
163 int pad = 0, ret;
164 struct mwifiex_tx_param tx_param;
165 struct txpd *ptx_pd = NULL;
167 skb_src = skb_peek(&pra_list->skb_head);
168 if (!skb_src) {
169 spin_unlock_irqrestore(&priv->wmm.ra_list_spinlock,
170 ra_list_flags);
171 return 0;
174 tx_info_src = MWIFIEX_SKB_TXCB(skb_src);
175 skb_aggr = dev_alloc_skb(adapter->tx_buf_size);
176 if (!skb_aggr) {
177 dev_err(adapter->dev, "%s: alloc skb_aggr\n", __func__);
178 spin_unlock_irqrestore(&priv->wmm.ra_list_spinlock,
179 ra_list_flags);
180 return -1;
182 skb_reserve(skb_aggr, headroom + sizeof(struct txpd));
183 tx_info_aggr = MWIFIEX_SKB_TXCB(skb_aggr);
185 tx_info_aggr->bss_index = tx_info_src->bss_index;
186 skb_aggr->priority = skb_src->priority;
188 do {
189 /* Check if AMSDU can accommodate this MSDU */
190 if (skb_tailroom(skb_aggr) < (skb_src->len + LLC_SNAP_LEN))
191 break;
193 skb_src = skb_dequeue(&pra_list->skb_head);
195 pra_list->total_pkts_size -= skb_src->len;
197 atomic_dec(&priv->wmm.tx_pkts_queued);
199 spin_unlock_irqrestore(&priv->wmm.ra_list_spinlock,
200 ra_list_flags);
201 mwifiex_11n_form_amsdu_pkt(skb_aggr, skb_src, &pad);
203 mwifiex_write_data_complete(adapter, skb_src, 0);
205 spin_lock_irqsave(&priv->wmm.ra_list_spinlock, ra_list_flags);
207 if (!mwifiex_is_ralist_valid(priv, pra_list, ptrindex)) {
208 spin_unlock_irqrestore(&priv->wmm.ra_list_spinlock,
209 ra_list_flags);
210 return -1;
213 if (skb_tailroom(skb_aggr) < pad) {
214 pad = 0;
215 break;
217 skb_put(skb_aggr, pad);
219 skb_src = skb_peek(&pra_list->skb_head);
221 } while (skb_src);
223 spin_unlock_irqrestore(&priv->wmm.ra_list_spinlock, ra_list_flags);
225 /* Last AMSDU packet does not need padding */
226 skb_trim(skb_aggr, skb_aggr->len - pad);
228 /* Form AMSDU */
229 mwifiex_11n_form_amsdu_txpd(priv, skb_aggr);
230 if (GET_BSS_ROLE(priv) == MWIFIEX_BSS_ROLE_STA)
231 ptx_pd = (struct txpd *)skb_aggr->data;
233 skb_push(skb_aggr, headroom);
236 * Padding per MSDU will affect the length of next
237 * packet and hence the exact length of next packet
238 * is uncertain here.
240 * Also, aggregation of transmission buffer, while
241 * downloading the data to the card, wont gain much
242 * on the AMSDU packets as the AMSDU packets utilizes
243 * the transmission buffer space to the maximum
244 * (adapter->tx_buf_size).
246 tx_param.next_pkt_len = 0;
248 ret = adapter->if_ops.host_to_card(adapter, MWIFIEX_TYPE_DATA,
249 skb_aggr, &tx_param);
250 switch (ret) {
251 case -EBUSY:
252 spin_lock_irqsave(&priv->wmm.ra_list_spinlock, ra_list_flags);
253 if (!mwifiex_is_ralist_valid(priv, pra_list, ptrindex)) {
254 spin_unlock_irqrestore(&priv->wmm.ra_list_spinlock,
255 ra_list_flags);
256 mwifiex_write_data_complete(adapter, skb_aggr, -1);
257 return -1;
259 if ((GET_BSS_ROLE(priv) == MWIFIEX_BSS_ROLE_STA) &&
260 (adapter->pps_uapsd_mode) &&
261 (adapter->tx_lock_flag)) {
262 priv->adapter->tx_lock_flag = false;
263 if (ptx_pd)
264 ptx_pd->flags = 0;
267 skb_queue_tail(&pra_list->skb_head, skb_aggr);
269 pra_list->total_pkts_size += skb_aggr->len;
271 atomic_inc(&priv->wmm.tx_pkts_queued);
273 tx_info_aggr->flags |= MWIFIEX_BUF_FLAG_REQUEUED_PKT;
274 spin_unlock_irqrestore(&priv->wmm.ra_list_spinlock,
275 ra_list_flags);
276 dev_dbg(adapter->dev, "data: -EBUSY is returned\n");
277 break;
278 case -1:
279 adapter->data_sent = false;
280 dev_err(adapter->dev, "%s: host_to_card failed: %#x\n",
281 __func__, ret);
282 adapter->dbg.num_tx_host_to_card_failure++;
283 mwifiex_write_data_complete(adapter, skb_aggr, ret);
284 return 0;
285 case -EINPROGRESS:
286 adapter->data_sent = false;
287 break;
288 case 0:
289 mwifiex_write_data_complete(adapter, skb_aggr, ret);
290 break;
291 default:
292 break;
294 if (ret != -EBUSY) {
295 spin_lock_irqsave(&priv->wmm.ra_list_spinlock, ra_list_flags);
296 if (mwifiex_is_ralist_valid(priv, pra_list, ptrindex)) {
297 priv->wmm.packets_out[ptrindex]++;
298 priv->wmm.tid_tbl_ptr[ptrindex].ra_list_curr = pra_list;
300 /* Now bss_prio_cur pointer points to next node */
301 adapter->bss_prio_tbl[priv->bss_priority].bss_prio_cur =
302 list_first_entry(
303 &adapter->bss_prio_tbl[priv->bss_priority]
304 .bss_prio_cur->list,
305 struct mwifiex_bss_prio_node, list);
306 spin_unlock_irqrestore(&priv->wmm.ra_list_spinlock,
307 ra_list_flags);
310 return 0;