1 /* 2 * Copyright (c) 2017-2018 The Linux Foundation. All rights reserved. 3 * 4 * Permission to use, copy, modify, and/or distribute this software for 5 * any purpose with or without fee is hereby granted, provided that the 6 * above copyright notice and this permission notice appear in all 7 * copies. 8 * 9 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL 10 * WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED 11 * WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE 12 * AUTHOR BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL 13 * DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR 14 * PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER 15 * TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR 16 * PERFORMANCE OF THIS SOFTWARE. 17 */ 18 19 #include "dp_types.h" 20 #include "dp_rx.h" 21 #include "dp_peer.h" 22 #include "hal_api.h" 23 #include "qdf_trace.h" 24 #include "qdf_nbuf.h" 25 #include "dp_rx_defrag.h" 26 #include <enet.h> /* LLC_SNAP_HDR_LEN */ 27 #include "dp_rx_defrag.h" 28 29 const struct dp_rx_defrag_cipher dp_f_ccmp = { 30 "AES-CCM", 31 IEEE80211_WEP_IVLEN + IEEE80211_WEP_KIDLEN + IEEE80211_WEP_EXTIVLEN, 32 IEEE80211_WEP_MICLEN, 33 0, 34 }; 35 36 const struct dp_rx_defrag_cipher dp_f_tkip = { 37 "TKIP", 38 IEEE80211_WEP_IVLEN + IEEE80211_WEP_KIDLEN + IEEE80211_WEP_EXTIVLEN, 39 IEEE80211_WEP_CRCLEN, 40 IEEE80211_WEP_MICLEN, 41 }; 42 43 const struct dp_rx_defrag_cipher dp_f_wep = { 44 "WEP", 45 IEEE80211_WEP_IVLEN + IEEE80211_WEP_KIDLEN, 46 IEEE80211_WEP_CRCLEN, 47 0, 48 }; 49 50 /* 51 * dp_rx_defrag_frames_free(): Free fragment chain 52 * @frames: Fragment chain 53 * 54 * Iterates through the fragment chain and frees them 55 * Returns: None 56 */ 57 static void dp_rx_defrag_frames_free(qdf_nbuf_t frames) 58 { 59 qdf_nbuf_t next, frag = frames; 60 61 while (frag) { 62 next = qdf_nbuf_next(frag); 63 qdf_nbuf_free(frag); 64 frag = next; 65 } 66 } 67 68 /* 69 * dp_rx_clear_saved_desc_info(): Clears descriptor info 70 * @peer: Pointer to the peer data structure 71 * @tid: Transmit ID (TID) 72 * 73 * Saves MPDU descriptor info and MSDU link pointer from REO 74 * ring descriptor. The cache is created per peer, per TID 75 * 76 * Returns: None 77 */ 78 static void dp_rx_clear_saved_desc_info(struct dp_peer *peer, unsigned tid) 79 { 80 if (peer->rx_tid[tid].dst_ring_desc) 81 qdf_mem_free(peer->rx_tid[tid].dst_ring_desc); 82 83 peer->rx_tid[tid].dst_ring_desc = NULL; 84 } 85 86 /* 87 * dp_rx_reorder_flush_frag(): Flush the frag list 88 * @peer: Pointer to the peer data structure 89 * @tid: Transmit ID (TID) 90 * 91 * Flush the per-TID frag list 92 * 93 * Returns: None 94 */ 95 void dp_rx_reorder_flush_frag(struct dp_peer *peer, 96 unsigned int tid) 97 { 98 struct dp_rx_reorder_array_elem *rx_reorder_array_elem; 99 100 QDF_TRACE(QDF_MODULE_ID_DP, QDF_TRACE_LEVEL_ERROR, 101 FL("Flushing TID %d"), tid); 102 103 rx_reorder_array_elem = peer->rx_tid[tid].array; 104 if (rx_reorder_array_elem->head) { 105 dp_rx_defrag_frames_free(rx_reorder_array_elem->head); 106 rx_reorder_array_elem->head = NULL; 107 rx_reorder_array_elem->tail = NULL; 108 } 109 } 110 111 /* 112 * dp_rx_defrag_waitlist_flush(): Flush SOC defrag wait list 113 * @soc: DP SOC 114 * 115 * Flush fragments of all waitlisted TID's 116 * 117 * Returns: None 118 */ 119 void dp_rx_defrag_waitlist_flush(struct dp_soc *soc) 120 { 121 struct dp_rx_tid *rx_reorder, *tmp; 122 uint32_t now_ms = qdf_system_ticks_to_msecs(qdf_system_ticks()); 123 124 TAILQ_FOREACH_SAFE(rx_reorder, &soc->rx.defrag.waitlist, 125 defrag_waitlist_elem, tmp) { 126 struct dp_peer *peer; 127 struct dp_rx_tid *rx_reorder_base; 128 unsigned int tid; 129 130 QDF_TRACE(QDF_MODULE_ID_DP, QDF_TRACE_LEVEL_ERROR, 131 FL("Current time %u"), now_ms); 132 133 if (rx_reorder->defrag_timeout_ms > now_ms) 134 break; 135 136 tid = rx_reorder->tid; 137 if (tid >= DP_MAX_TIDS) { 138 QDF_TRACE(QDF_MODULE_ID_DP, QDF_TRACE_LEVEL_ERROR, 139 "%s: TID out of bounds: %d", __func__, tid); 140 qdf_assert(0); 141 continue; 142 } 143 /* get index 0 of the rx_reorder array */ 144 rx_reorder_base = rx_reorder - tid; 145 peer = 146 container_of(rx_reorder_base, struct dp_peer, 147 rx_tid[0]); 148 149 TAILQ_REMOVE(&soc->rx.defrag.waitlist, rx_reorder, 150 defrag_waitlist_elem); 151 //dp_rx_defrag_waitlist_remove(peer, tid); 152 dp_rx_reorder_flush_frag(peer, tid); 153 } 154 } 155 156 /* 157 * dp_rx_defrag_waitlist_add(): Update per-PDEV defrag wait list 158 * @peer: Pointer to the peer data structure 159 * @tid: Transmit ID (TID) 160 * 161 * Appends per-tid fragments to global fragment wait list 162 * 163 * Returns: None 164 */ 165 static void dp_rx_defrag_waitlist_add(struct dp_peer *peer, unsigned tid) 166 { 167 struct dp_soc *psoc = peer->vdev->pdev->soc; 168 struct dp_rx_tid *rx_reorder = &peer->rx_tid[tid]; 169 170 QDF_TRACE(QDF_MODULE_ID_DP, QDF_TRACE_LEVEL_ERROR, 171 FL("Adding TID %u to waitlist"), tid); 172 173 /* TODO: use LIST macros instead of TAIL macros */ 174 TAILQ_INSERT_TAIL(&psoc->rx.defrag.waitlist, rx_reorder, 175 defrag_waitlist_elem); 176 } 177 178 /* 179 * dp_rx_defrag_waitlist_remove(): Remove fragments from waitlist 180 * @peer: Pointer to the peer data structure 181 * @tid: Transmit ID (TID) 182 * 183 * Remove fragments from waitlist 184 * 185 * Returns: None 186 */ 187 void dp_rx_defrag_waitlist_remove(struct dp_peer *peer, unsigned tid) 188 { 189 struct dp_pdev *pdev = peer->vdev->pdev; 190 struct dp_soc *soc = pdev->soc; 191 struct dp_rx_tid *rx_reorder; 192 193 if (tid > DP_MAX_TIDS) { 194 QDF_TRACE(QDF_MODULE_ID_TXRX, QDF_TRACE_LEVEL_ERROR, 195 "TID out of bounds: %d", tid); 196 qdf_assert(0); 197 return; 198 } 199 200 QDF_TRACE(QDF_MODULE_ID_DP, QDF_TRACE_LEVEL_ERROR, 201 FL("Remove TID %u from waitlist"), tid); 202 203 TAILQ_FOREACH(rx_reorder, &soc->rx.defrag.waitlist, 204 defrag_waitlist_elem) { 205 if (rx_reorder->tid == tid) 206 TAILQ_REMOVE(&soc->rx.defrag.waitlist, 207 rx_reorder, defrag_waitlist_elem); 208 } 209 } 210 211 /* 212 * dp_rx_defrag_fraglist_insert(): Create a per-sequence fragment list 213 * @peer: Pointer to the peer data structure 214 * @tid: Transmit ID (TID) 215 * @head_addr: Pointer to head list 216 * @tail_addr: Pointer to tail list 217 * @frag: Incoming fragment 218 * @all_frag_present: Flag to indicate whether all fragments are received 219 * 220 * Build a per-tid, per-sequence fragment list. 221 * 222 * Returns: Success, if inserted 223 */ 224 static QDF_STATUS dp_rx_defrag_fraglist_insert(struct dp_peer *peer, unsigned tid, 225 qdf_nbuf_t *head_addr, qdf_nbuf_t *tail_addr, qdf_nbuf_t frag, 226 uint8_t *all_frag_present) 227 { 228 qdf_nbuf_t next; 229 qdf_nbuf_t prev = NULL; 230 qdf_nbuf_t cur; 231 uint16_t head_fragno, cur_fragno, next_fragno; 232 uint8_t last_morefrag = 1, count = 0; 233 struct dp_rx_tid *rx_tid = &peer->rx_tid[tid]; 234 uint8_t *rx_desc_info; 235 236 237 qdf_assert(frag); 238 qdf_assert(head_addr); 239 qdf_assert(tail_addr); 240 241 *all_frag_present = 0; 242 rx_desc_info = qdf_nbuf_data(frag); 243 cur_fragno = dp_rx_frag_get_mpdu_frag_number(rx_desc_info); 244 245 /* If this is the first fragment */ 246 if (!(*head_addr)) { 247 *head_addr = *tail_addr = frag; 248 qdf_nbuf_set_next(*tail_addr, NULL); 249 rx_tid->curr_frag_num = cur_fragno; 250 251 goto insert_done; 252 } 253 254 /* In sequence fragment */ 255 if (cur_fragno > rx_tid->curr_frag_num) { 256 qdf_nbuf_set_next(*tail_addr, frag); 257 *tail_addr = frag; 258 qdf_nbuf_set_next(*tail_addr, NULL); 259 rx_tid->curr_frag_num = cur_fragno; 260 } else { 261 /* Out of sequence fragment */ 262 cur = *head_addr; 263 rx_desc_info = qdf_nbuf_data(cur); 264 head_fragno = dp_rx_frag_get_mpdu_frag_number(rx_desc_info); 265 266 if (cur_fragno == head_fragno) { 267 qdf_nbuf_free(frag); 268 goto insert_fail; 269 } else if (head_fragno > cur_fragno) { 270 qdf_nbuf_set_next(frag, cur); 271 cur = frag; 272 *head_addr = frag; /* head pointer to be updated */ 273 } else { 274 while ((cur_fragno > head_fragno) && cur != NULL) { 275 prev = cur; 276 cur = qdf_nbuf_next(cur); 277 rx_desc_info = qdf_nbuf_data(cur); 278 head_fragno = 279 dp_rx_frag_get_mpdu_frag_number( 280 rx_desc_info); 281 } 282 283 if (cur_fragno == head_fragno) { 284 qdf_nbuf_free(frag); 285 goto insert_fail; 286 } 287 288 qdf_nbuf_set_next(prev, frag); 289 qdf_nbuf_set_next(frag, cur); 290 } 291 } 292 293 next = qdf_nbuf_next(*head_addr); 294 295 rx_desc_info = qdf_nbuf_data(*tail_addr); 296 last_morefrag = dp_rx_frag_get_more_frag_bit(rx_desc_info); 297 298 /* TODO: optimize the loop */ 299 if (!last_morefrag) { 300 /* Check if all fragments are present */ 301 do { 302 rx_desc_info = qdf_nbuf_data(next); 303 next_fragno = 304 dp_rx_frag_get_mpdu_frag_number(rx_desc_info); 305 count++; 306 307 if (next_fragno != count) 308 break; 309 310 next = qdf_nbuf_next(next); 311 } while (next); 312 313 if (!next) { 314 *all_frag_present = 1; 315 return QDF_STATUS_SUCCESS; 316 } 317 } 318 319 insert_done: 320 return QDF_STATUS_SUCCESS; 321 322 insert_fail: 323 return QDF_STATUS_E_FAILURE; 324 } 325 326 327 /* 328 * dp_rx_defrag_tkip_decap(): decap tkip encrypted fragment 329 * @msdu: Pointer to the fragment 330 * @hdrlen: 802.11 header length (mostly useful in 4 addr frames) 331 * 332 * decap tkip encrypted fragment 333 * 334 * Returns: QDF_STATUS 335 */ 336 static QDF_STATUS dp_rx_defrag_tkip_decap(qdf_nbuf_t msdu, uint16_t hdrlen) 337 { 338 uint8_t *ivp, *orig_hdr; 339 int rx_desc_len = sizeof(struct rx_pkt_tlvs); 340 341 /* start of 802.11 header info */ 342 orig_hdr = (uint8_t *)(qdf_nbuf_data(msdu) + rx_desc_len); 343 344 /* TKIP header is located post 802.11 header */ 345 ivp = orig_hdr + hdrlen; 346 if (!(ivp[IEEE80211_WEP_IVLEN] & IEEE80211_WEP_EXTIV)) { 347 QDF_TRACE(QDF_MODULE_ID_TXRX, QDF_TRACE_LEVEL_ERROR, 348 "IEEE80211_WEP_EXTIV is missing in TKIP fragment"); 349 return QDF_STATUS_E_DEFRAG_ERROR; 350 } 351 352 qdf_mem_move(orig_hdr + dp_f_tkip.ic_header, orig_hdr, hdrlen); 353 354 qdf_nbuf_pull_head(msdu, dp_f_tkip.ic_header); 355 qdf_nbuf_trim_tail(msdu, dp_f_tkip.ic_trailer); 356 357 return QDF_STATUS_SUCCESS; 358 } 359 360 /* 361 * dp_rx_defrag_ccmp_demic(): Remove MIC information from CCMP fragment 362 * @nbuf: Pointer to the fragment buffer 363 * @hdrlen: 802.11 header length (mostly useful in 4 addr frames) 364 * 365 * Remove MIC information from CCMP fragment 366 * 367 * Returns: QDF_STATUS 368 */ 369 static QDF_STATUS dp_rx_defrag_ccmp_demic(qdf_nbuf_t nbuf, uint16_t hdrlen) 370 { 371 uint8_t *ivp, *orig_hdr; 372 int rx_desc_len = sizeof(struct rx_pkt_tlvs); 373 374 /* start of the 802.11 header */ 375 orig_hdr = (uint8_t *)(qdf_nbuf_data(nbuf) + rx_desc_len); 376 377 /* CCMP header is located after 802.11 header */ 378 ivp = orig_hdr + hdrlen; 379 if (!(ivp[IEEE80211_WEP_IVLEN] & IEEE80211_WEP_EXTIV)) 380 return QDF_STATUS_E_DEFRAG_ERROR; 381 382 qdf_nbuf_trim_tail(nbuf, dp_f_ccmp.ic_trailer); 383 384 return QDF_STATUS_SUCCESS; 385 } 386 387 /* 388 * dp_rx_defrag_ccmp_decap(): decap CCMP encrypted fragment 389 * @nbuf: Pointer to the fragment 390 * @hdrlen: length of the header information 391 * 392 * decap CCMP encrypted fragment 393 * 394 * Returns: QDF_STATUS 395 */ 396 static QDF_STATUS dp_rx_defrag_ccmp_decap(qdf_nbuf_t nbuf, uint16_t hdrlen) 397 { 398 uint8_t *ivp, *origHdr; 399 int rx_desc_len = sizeof(struct rx_pkt_tlvs); 400 401 origHdr = (uint8_t *) (qdf_nbuf_data(nbuf) + rx_desc_len); 402 ivp = origHdr + hdrlen; 403 404 if (!(ivp[IEEE80211_WEP_IVLEN] & IEEE80211_WEP_EXTIV)) 405 return QDF_STATUS_E_DEFRAG_ERROR; 406 407 /* Let's pull the header later */ 408 409 return QDF_STATUS_SUCCESS; 410 } 411 412 /* 413 * dp_rx_defrag_wep_decap(): decap WEP encrypted fragment 414 * @msdu: Pointer to the fragment 415 * @hdrlen: length of the header information 416 * 417 * decap WEP encrypted fragment 418 * 419 * Returns: QDF_STATUS 420 */ 421 static QDF_STATUS dp_rx_defrag_wep_decap(qdf_nbuf_t msdu, uint16_t hdrlen) 422 { 423 uint8_t *origHdr; 424 int rx_desc_len = sizeof(struct rx_pkt_tlvs); 425 426 origHdr = (uint8_t *) (qdf_nbuf_data(msdu) + rx_desc_len); 427 qdf_mem_move(origHdr + dp_f_wep.ic_header, origHdr, hdrlen); 428 429 qdf_nbuf_trim_tail(msdu, dp_f_wep.ic_trailer); 430 431 return QDF_STATUS_SUCCESS; 432 } 433 434 /* 435 * dp_rx_defrag_hdrsize(): Calculate the header size of the received fragment 436 * @nbuf: Pointer to the fragment 437 * 438 * Calculate the header size of the received fragment 439 * 440 * Returns: header size (uint16_t) 441 */ 442 static uint16_t dp_rx_defrag_hdrsize(qdf_nbuf_t nbuf) 443 { 444 uint8_t *rx_tlv_hdr = qdf_nbuf_data(nbuf); 445 uint16_t size = sizeof(struct ieee80211_frame); 446 uint16_t fc = 0; 447 uint32_t to_ds, fr_ds; 448 uint8_t frm_ctrl_valid; 449 uint16_t frm_ctrl_field; 450 451 to_ds = hal_rx_mpdu_get_to_ds(rx_tlv_hdr); 452 fr_ds = hal_rx_mpdu_get_fr_ds(rx_tlv_hdr); 453 frm_ctrl_valid = hal_rx_get_mpdu_frame_control_valid(rx_tlv_hdr); 454 frm_ctrl_field = hal_rx_get_frame_ctrl_field(rx_tlv_hdr); 455 456 if (to_ds && fr_ds) 457 size += IEEE80211_ADDR_LEN; 458 459 if (frm_ctrl_valid) { 460 fc = frm_ctrl_field; 461 462 /* use 1-st byte for validation */ 463 if (DP_RX_DEFRAG_IEEE80211_QOS_HAS_SEQ(fc & 0xff)) { 464 size += sizeof(uint16_t); 465 /* use 2-nd byte for validation */ 466 if (((fc & 0xff00) >> 8) & IEEE80211_FC1_ORDER) 467 size += sizeof(struct ieee80211_htc); 468 } 469 } 470 471 return size; 472 } 473 474 /* 475 * dp_rx_defrag_michdr(): Calculate a psuedo MIC header 476 * @wh0: Pointer to the wireless header of the fragment 477 * @hdr: Array to hold the psuedo header 478 * 479 * Calculate a psuedo MIC header 480 * 481 * Returns: None 482 */ 483 static void dp_rx_defrag_michdr(const struct ieee80211_frame *wh0, 484 uint8_t hdr[]) 485 { 486 const struct ieee80211_frame_addr4 *wh = 487 (const struct ieee80211_frame_addr4 *)wh0; 488 489 switch (wh->i_fc[1] & IEEE80211_FC1_DIR_MASK) { 490 case IEEE80211_FC1_DIR_NODS: 491 DP_RX_DEFRAG_IEEE80211_ADDR_COPY(hdr, wh->i_addr1); /* DA */ 492 DP_RX_DEFRAG_IEEE80211_ADDR_COPY(hdr + IEEE80211_ADDR_LEN, 493 wh->i_addr2); 494 break; 495 case IEEE80211_FC1_DIR_TODS: 496 DP_RX_DEFRAG_IEEE80211_ADDR_COPY(hdr, wh->i_addr3); /* DA */ 497 DP_RX_DEFRAG_IEEE80211_ADDR_COPY(hdr + IEEE80211_ADDR_LEN, 498 wh->i_addr2); 499 break; 500 case IEEE80211_FC1_DIR_FROMDS: 501 DP_RX_DEFRAG_IEEE80211_ADDR_COPY(hdr, wh->i_addr1); /* DA */ 502 DP_RX_DEFRAG_IEEE80211_ADDR_COPY(hdr + IEEE80211_ADDR_LEN, 503 wh->i_addr3); 504 break; 505 case IEEE80211_FC1_DIR_DSTODS: 506 DP_RX_DEFRAG_IEEE80211_ADDR_COPY(hdr, wh->i_addr3); /* DA */ 507 DP_RX_DEFRAG_IEEE80211_ADDR_COPY(hdr + IEEE80211_ADDR_LEN, 508 wh->i_addr4); 509 break; 510 } 511 512 /* 513 * Bit 7 is IEEE80211_FC0_SUBTYPE_QOS for data frame, but 514 * it could also be set for deauth, disassoc, action, etc. for 515 * a mgt type frame. It comes into picture for MFP. 516 */ 517 if (wh->i_fc[0] & IEEE80211_FC0_SUBTYPE_QOS) { 518 const struct ieee80211_qosframe *qwh = 519 (const struct ieee80211_qosframe *)wh; 520 hdr[12] = qwh->i_qos[0] & IEEE80211_QOS_TID; 521 } else { 522 hdr[12] = 0; 523 } 524 525 hdr[13] = hdr[14] = hdr[15] = 0; /* reserved */ 526 } 527 528 /* 529 * dp_rx_defrag_mic(): Calculate MIC header 530 * @key: Pointer to the key 531 * @wbuf: fragment buffer 532 * @off: Offset 533 * @data_len: Data lengh 534 * @mic: Array to hold MIC 535 * 536 * Calculate a psuedo MIC header 537 * 538 * Returns: QDF_STATUS 539 */ 540 static QDF_STATUS dp_rx_defrag_mic(const uint8_t *key, qdf_nbuf_t wbuf, 541 uint16_t off, uint16_t data_len, uint8_t mic[]) 542 { 543 uint8_t hdr[16] = { 0, }; 544 uint32_t l, r; 545 const uint8_t *data; 546 uint32_t space; 547 int rx_desc_len = sizeof(struct rx_pkt_tlvs); 548 549 dp_rx_defrag_michdr((struct ieee80211_frame *)(qdf_nbuf_data(wbuf) 550 + rx_desc_len), hdr); 551 l = dp_rx_get_le32(key); 552 r = dp_rx_get_le32(key + 4); 553 554 /* Michael MIC pseudo header: DA, SA, 3 x 0, Priority */ 555 l ^= dp_rx_get_le32(hdr); 556 dp_rx_michael_block(l, r); 557 l ^= dp_rx_get_le32(&hdr[4]); 558 dp_rx_michael_block(l, r); 559 l ^= dp_rx_get_le32(&hdr[8]); 560 dp_rx_michael_block(l, r); 561 l ^= dp_rx_get_le32(&hdr[12]); 562 dp_rx_michael_block(l, r); 563 564 /* first buffer has special handling */ 565 data = (uint8_t *) qdf_nbuf_data(wbuf) + rx_desc_len + off; 566 space = qdf_nbuf_len(wbuf) - rx_desc_len - off; 567 568 for (;; ) { 569 if (space > data_len) 570 space = data_len; 571 572 /* collect 32-bit blocks from current buffer */ 573 while (space >= sizeof(uint32_t)) { 574 l ^= dp_rx_get_le32(data); 575 dp_rx_michael_block(l, r); 576 data += sizeof(uint32_t); 577 space -= sizeof(uint32_t); 578 data_len -= sizeof(uint32_t); 579 } 580 if (data_len < sizeof(uint32_t)) 581 break; 582 583 wbuf = qdf_nbuf_next(wbuf); 584 if (wbuf == NULL) 585 return QDF_STATUS_E_DEFRAG_ERROR; 586 587 if (space != 0) { 588 const uint8_t *data_next; 589 /* 590 * Block straddles buffers, split references. 591 */ 592 data_next = 593 (uint8_t *) qdf_nbuf_data(wbuf) + rx_desc_len; 594 if ((qdf_nbuf_len(wbuf) - rx_desc_len) < 595 sizeof(uint32_t) - space) { 596 return QDF_STATUS_E_DEFRAG_ERROR; 597 } 598 switch (space) { 599 case 1: 600 l ^= dp_rx_get_le32_split(data[0], 601 data_next[0], data_next[1], 602 data_next[2]); 603 data = data_next + 3; 604 space = (qdf_nbuf_len(wbuf) - rx_desc_len) 605 - 3; 606 break; 607 case 2: 608 l ^= dp_rx_get_le32_split(data[0], data[1], 609 data_next[0], data_next[1]); 610 data = data_next + 2; 611 space = (qdf_nbuf_len(wbuf) - rx_desc_len) 612 - 2; 613 break; 614 case 3: 615 l ^= dp_rx_get_le32_split(data[0], data[1], 616 data[2], data_next[0]); 617 data = data_next + 1; 618 space = (qdf_nbuf_len(wbuf) - rx_desc_len) 619 - 1; 620 break; 621 } 622 dp_rx_michael_block(l, r); 623 data_len -= sizeof(uint32_t); 624 } else { 625 /* 626 * Setup for next buffer. 627 */ 628 data = (uint8_t *) qdf_nbuf_data(wbuf) + rx_desc_len; 629 space = qdf_nbuf_len(wbuf) - rx_desc_len; 630 } 631 } 632 /* Last block and padding (0x5a, 4..7 x 0) */ 633 switch (data_len) { 634 case 0: 635 l ^= dp_rx_get_le32_split(0x5a, 0, 0, 0); 636 break; 637 case 1: 638 l ^= dp_rx_get_le32_split(data[0], 0x5a, 0, 0); 639 break; 640 case 2: 641 l ^= dp_rx_get_le32_split(data[0], data[1], 0x5a, 0); 642 break; 643 case 3: 644 l ^= dp_rx_get_le32_split(data[0], data[1], data[2], 0x5a); 645 break; 646 } 647 dp_rx_michael_block(l, r); 648 dp_rx_michael_block(l, r); 649 dp_rx_put_le32(mic, l); 650 dp_rx_put_le32(mic + 4, r); 651 652 return QDF_STATUS_SUCCESS; 653 } 654 655 /* 656 * dp_rx_defrag_tkip_demic(): Remove MIC header from the TKIP frame 657 * @key: Pointer to the key 658 * @msdu: fragment buffer 659 * @hdrlen: Length of the header information 660 * 661 * Remove MIC information from the TKIP frame 662 * 663 * Returns: QDF_STATUS 664 */ 665 static QDF_STATUS dp_rx_defrag_tkip_demic(const uint8_t *key, 666 qdf_nbuf_t msdu, uint16_t hdrlen) 667 { 668 QDF_STATUS status; 669 uint32_t pktlen; 670 uint8_t mic[IEEE80211_WEP_MICLEN]; 671 uint8_t mic0[IEEE80211_WEP_MICLEN]; 672 int rx_desc_len = sizeof(struct rx_pkt_tlvs); 673 674 pktlen = qdf_nbuf_len(msdu) - rx_desc_len; 675 676 status = dp_rx_defrag_mic(key, msdu, hdrlen, 677 pktlen - (hdrlen + dp_f_tkip.ic_miclen), mic); 678 679 if (QDF_IS_STATUS_ERROR(status)) 680 return status; 681 682 qdf_nbuf_copy_bits(msdu, pktlen - dp_f_tkip.ic_miclen + rx_desc_len, 683 dp_f_tkip.ic_miclen, (caddr_t)mic0); 684 685 if (!qdf_mem_cmp(mic, mic0, dp_f_tkip.ic_miclen)) 686 return QDF_STATUS_E_DEFRAG_ERROR; 687 688 qdf_nbuf_trim_tail(msdu, dp_f_tkip.ic_miclen); 689 690 return QDF_STATUS_SUCCESS; 691 } 692 693 /* 694 * dp_rx_frag_pull_hdr(): Pulls the RXTLV & the 802.11 headers 695 * @nbuf: buffer pointer 696 * @hdrsize: size of the header to be pulled 697 * 698 * Pull the RXTLV & the 802.11 headers 699 * 700 * Returns: None 701 */ 702 static void dp_rx_frag_pull_hdr(qdf_nbuf_t nbuf, uint16_t hdrsize) 703 { 704 qdf_nbuf_pull_head(nbuf, 705 RX_PKT_TLVS_LEN + hdrsize); 706 707 QDF_TRACE(QDF_MODULE_ID_DP, QDF_TRACE_LEVEL_INFO, 708 "%s: final pktlen %d .11len %d\n", 709 __func__, 710 (uint32_t)qdf_nbuf_len(nbuf), hdrsize); 711 } 712 713 /* 714 * dp_rx_construct_fraglist(): Construct a nbuf fraglist 715 * @peer: Pointer to the peer 716 * @head: Pointer to list of fragments 717 * @hdrsize: Size of the header to be pulled 718 * 719 * Construct a nbuf fraglist 720 * 721 * Returns: None 722 */ 723 static void 724 dp_rx_construct_fraglist(struct dp_peer *peer, 725 qdf_nbuf_t head, uint16_t hdrsize) 726 { 727 qdf_nbuf_t msdu = qdf_nbuf_next(head); 728 qdf_nbuf_t rx_nbuf = msdu; 729 uint32_t len = 0; 730 731 while (msdu) { 732 dp_rx_frag_pull_hdr(msdu, hdrsize); 733 len += qdf_nbuf_len(msdu); 734 msdu = qdf_nbuf_next(msdu); 735 } 736 737 qdf_nbuf_append_ext_list(head, rx_nbuf, len); 738 qdf_nbuf_set_next(head, NULL); 739 740 QDF_TRACE(QDF_MODULE_ID_DP, QDF_TRACE_LEVEL_INFO, 741 "%s: head len %d ext len %d data len %d \n", 742 __func__, 743 (uint32_t)qdf_nbuf_len(head), 744 (uint32_t)qdf_nbuf_len(rx_nbuf), 745 (uint32_t)(head->data_len)); 746 } 747 748 /** 749 * dp_rx_defrag_err() - rx err handler 750 * @pdev: handle to pdev object 751 * @vdev_id: vdev id 752 * @peer_mac_addr: peer mac address 753 * @tid: TID 754 * @tsf32: TSF 755 * @err_type: error type 756 * @rx_frame: rx frame 757 * @pn: PN Number 758 * @key_id: key id 759 * 760 * This function handles rx error and send MIC error notification 761 * 762 * Return: None 763 */ 764 static void dp_rx_defrag_err(uint8_t vdev_id, uint8_t *peer_mac_addr, 765 int tid, uint32_t tsf32, uint32_t err_type, qdf_nbuf_t rx_frame, 766 uint64_t *pn, uint8_t key_id) 767 { 768 /* TODO: Who needs to know about the TKIP MIC error */ 769 } 770 771 772 /* 773 * dp_rx_defrag_nwifi_to_8023(): Transcap 802.11 to 802.3 774 * @nbuf: Pointer to the fragment buffer 775 * @hdrsize: Size of headers 776 * 777 * Transcap the fragment from 802.11 to 802.3 778 * 779 * Returns: None 780 */ 781 static void 782 dp_rx_defrag_nwifi_to_8023(qdf_nbuf_t nbuf, uint16_t hdrsize) 783 { 784 struct llc_snap_hdr_t *llchdr; 785 struct ethernet_hdr_t *eth_hdr; 786 uint8_t ether_type[2]; 787 uint16_t fc = 0; 788 union dp_align_mac_addr mac_addr; 789 uint8_t *rx_desc_info = qdf_mem_malloc(RX_PKT_TLVS_LEN); 790 791 if (rx_desc_info == NULL) { 792 QDF_TRACE(QDF_MODULE_ID_DP, QDF_TRACE_LEVEL_ERROR, 793 "%s: Memory alloc failed ! \n", __func__); 794 QDF_ASSERT(0); 795 return; 796 } 797 798 qdf_mem_copy(rx_desc_info, qdf_nbuf_data(nbuf), RX_PKT_TLVS_LEN); 799 800 llchdr = (struct llc_snap_hdr_t *)(qdf_nbuf_data(nbuf) + 801 RX_PKT_TLVS_LEN + hdrsize); 802 qdf_mem_copy(ether_type, llchdr->ethertype, 2); 803 804 qdf_nbuf_pull_head(nbuf, (RX_PKT_TLVS_LEN + hdrsize + 805 sizeof(struct llc_snap_hdr_t) - 806 sizeof(struct ethernet_hdr_t))); 807 808 eth_hdr = (struct ethernet_hdr_t *)(qdf_nbuf_data(nbuf)); 809 810 if (hal_rx_get_mpdu_frame_control_valid(rx_desc_info)) 811 fc = hal_rx_get_frame_ctrl_field(rx_desc_info); 812 813 switch (((fc & 0xff00) >> 8) & IEEE80211_FC1_DIR_MASK) { 814 815 QDF_TRACE(QDF_MODULE_ID_DP, QDF_TRACE_LEVEL_INFO, 816 "%s: frame control type: 0x%x", __func__, fc); 817 818 case IEEE80211_FC1_DIR_NODS: 819 hal_rx_mpdu_get_addr1(rx_desc_info, 820 &mac_addr.raw[0]); 821 qdf_mem_copy(eth_hdr->dest_addr, &mac_addr.raw[0], 822 IEEE80211_ADDR_LEN); 823 hal_rx_mpdu_get_addr2(rx_desc_info, 824 &mac_addr.raw[0]); 825 qdf_mem_copy(eth_hdr->src_addr, &mac_addr.raw[0], 826 IEEE80211_ADDR_LEN); 827 break; 828 case IEEE80211_FC1_DIR_TODS: 829 hal_rx_mpdu_get_addr3(rx_desc_info, 830 &mac_addr.raw[0]); 831 qdf_mem_copy(eth_hdr->dest_addr, &mac_addr.raw[0], 832 IEEE80211_ADDR_LEN); 833 hal_rx_mpdu_get_addr2(rx_desc_info, 834 &mac_addr.raw[0]); 835 qdf_mem_copy(eth_hdr->src_addr, &mac_addr.raw[0], 836 IEEE80211_ADDR_LEN); 837 break; 838 case IEEE80211_FC1_DIR_FROMDS: 839 hal_rx_mpdu_get_addr1(rx_desc_info, 840 &mac_addr.raw[0]); 841 qdf_mem_copy(eth_hdr->dest_addr, &mac_addr.raw[0], 842 IEEE80211_ADDR_LEN); 843 hal_rx_mpdu_get_addr3(rx_desc_info, 844 &mac_addr.raw[0]); 845 qdf_mem_copy(eth_hdr->src_addr, &mac_addr.raw[0], 846 IEEE80211_ADDR_LEN); 847 break; 848 849 case IEEE80211_FC1_DIR_DSTODS: 850 hal_rx_mpdu_get_addr3(rx_desc_info, 851 &mac_addr.raw[0]); 852 qdf_mem_copy(eth_hdr->dest_addr, &mac_addr.raw[0], 853 IEEE80211_ADDR_LEN); 854 hal_rx_mpdu_get_addr4(rx_desc_info, 855 &mac_addr.raw[0]); 856 qdf_mem_copy(eth_hdr->src_addr, &mac_addr.raw[0], 857 IEEE80211_ADDR_LEN); 858 break; 859 860 default: 861 QDF_TRACE(QDF_MODULE_ID_DP, QDF_TRACE_LEVEL_ERROR, 862 "%s: Unknown frame control type: 0x%x", __func__, fc); 863 } 864 865 qdf_mem_copy(eth_hdr->ethertype, ether_type, 866 sizeof(ether_type)); 867 868 qdf_nbuf_push_head(nbuf, RX_PKT_TLVS_LEN); 869 qdf_mem_copy(qdf_nbuf_data(nbuf), rx_desc_info, RX_PKT_TLVS_LEN); 870 qdf_mem_free(rx_desc_info); 871 } 872 873 /* 874 * dp_rx_defrag_reo_reinject(): Reinject the fragment chain back into REO 875 * @peer: Pointer to the peer 876 * @tid: Transmit Identifier 877 * @head: Buffer to be reinjected back 878 * 879 * Reinject the fragment chain back into REO 880 * 881 * Returns: QDF_STATUS 882 */ 883 static QDF_STATUS dp_rx_defrag_reo_reinject(struct dp_peer *peer, 884 unsigned tid, qdf_nbuf_t head) 885 { 886 struct dp_pdev *pdev = peer->vdev->pdev; 887 struct dp_soc *soc = pdev->soc; 888 struct hal_buf_info buf_info; 889 void *link_desc_va; 890 void *msdu0, *msdu_desc_info; 891 void *ent_ring_desc, *ent_mpdu_desc_info, *ent_qdesc_addr; 892 void *dst_mpdu_desc_info, *dst_qdesc_addr; 893 qdf_dma_addr_t paddr; 894 uint32_t nbuf_len, seq_no, dst_ind; 895 uint32_t *mpdu_wrd; 896 uint32_t ret, cookie; 897 898 void *dst_ring_desc = 899 peer->rx_tid[tid].dst_ring_desc; 900 void *hal_srng = soc->reo_reinject_ring.hal_srng; 901 902 hal_rx_reo_buf_paddr_get(dst_ring_desc, &buf_info); 903 904 link_desc_va = dp_rx_cookie_2_link_desc_va(soc, &buf_info); 905 906 qdf_assert(link_desc_va); 907 908 msdu0 = (uint8_t *)link_desc_va + 909 RX_MSDU_LINK_8_RX_MSDU_DETAILS_MSDU_0_OFFSET; 910 911 nbuf_len = qdf_nbuf_len(head) - RX_PKT_TLVS_LEN; 912 913 HAL_RX_UNIFORM_HDR_SET(link_desc_va, OWNER, UNI_DESC_OWNER_SW); 914 HAL_RX_UNIFORM_HDR_SET(link_desc_va, BUFFER_TYPE, 915 UNI_DESC_BUF_TYPE_RX_MSDU_LINK); 916 917 /* msdu reconfig */ 918 msdu_desc_info = (uint8_t *)msdu0 + 919 RX_MSDU_DETAILS_2_RX_MSDU_DESC_INFO_RX_MSDU_DESC_INFO_DETAILS_OFFSET; 920 921 dst_ind = hal_rx_msdu_reo_dst_ind_get(link_desc_va); 922 923 qdf_mem_zero(msdu_desc_info, sizeof(struct rx_msdu_desc_info)); 924 925 HAL_RX_MSDU_DESC_INFO_SET(msdu_desc_info, 926 FIRST_MSDU_IN_MPDU_FLAG, 1); 927 HAL_RX_MSDU_DESC_INFO_SET(msdu_desc_info, 928 LAST_MSDU_IN_MPDU_FLAG, 1); 929 HAL_RX_MSDU_DESC_INFO_SET(msdu_desc_info, 930 MSDU_CONTINUATION, 0x0); 931 HAL_RX_MSDU_DESC_INFO_SET(msdu_desc_info, 932 REO_DESTINATION_INDICATION, dst_ind); 933 HAL_RX_MSDU_DESC_INFO_SET(msdu_desc_info, 934 MSDU_LENGTH, nbuf_len); 935 HAL_RX_MSDU_DESC_INFO_SET(msdu_desc_info, 936 SA_IS_VALID, 1); 937 HAL_RX_MSDU_DESC_INFO_SET(msdu_desc_info, 938 DA_IS_VALID, 1); 939 940 /* change RX TLV's */ 941 hal_rx_msdu_start_msdu_len_set( 942 qdf_nbuf_data(head), nbuf_len); 943 944 cookie = HAL_RX_BUF_COOKIE_GET(msdu0); 945 946 /* map the nbuf before reinject it into HW */ 947 ret = qdf_nbuf_map_single(soc->osdev, head, 948 QDF_DMA_BIDIRECTIONAL); 949 950 if (qdf_unlikely(ret == QDF_STATUS_E_FAILURE)) { 951 QDF_TRACE(QDF_MODULE_ID_DP, QDF_TRACE_LEVEL_ERROR, 952 "%s: nbuf map failed !\n", __func__); 953 qdf_nbuf_free(head); 954 return QDF_STATUS_E_FAILURE; 955 } 956 957 paddr = qdf_nbuf_get_frag_paddr(head, 0); 958 959 ret = check_x86_paddr(soc, &head, &paddr, pdev); 960 961 if (ret == QDF_STATUS_E_FAILURE) { 962 QDF_TRACE(QDF_MODULE_ID_DP, QDF_TRACE_LEVEL_ERROR, 963 "%s: x86 check failed !\n", __func__); 964 return QDF_STATUS_E_FAILURE; 965 } 966 967 hal_rxdma_buff_addr_info_set(msdu0, paddr, cookie, 968 HAL_RX_BUF_RBM_SW3_BM); 969 970 /* Lets fill entrance ring now !!! */ 971 if (qdf_unlikely(hal_srng_access_start(soc->hal_soc, hal_srng))) { 972 QDF_TRACE(QDF_MODULE_ID_DP, QDF_TRACE_LEVEL_ERROR, 973 "HAL RING Access For REO entrance SRNG Failed: %pK", 974 hal_srng); 975 976 return QDF_STATUS_E_FAILURE; 977 } 978 979 ent_ring_desc = hal_srng_src_get_next(soc->hal_soc, hal_srng); 980 981 qdf_assert(ent_ring_desc); 982 983 paddr = (uint64_t)buf_info.paddr; 984 /* buf addr */ 985 hal_rxdma_buff_addr_info_set(ent_ring_desc, paddr, 986 buf_info.sw_cookie, 987 HAL_RX_BUF_RBM_WBM_IDLE_DESC_LIST); 988 /* mpdu desc info */ 989 ent_mpdu_desc_info = (uint8_t *)ent_ring_desc + 990 RX_MPDU_DETAILS_2_RX_MPDU_DESC_INFO_RX_MPDU_DESC_INFO_DETAILS_OFFSET; 991 992 dst_mpdu_desc_info = (uint8_t *)dst_ring_desc + 993 REO_DESTINATION_RING_2_RX_MPDU_DESC_INFO_RX_MPDU_DESC_INFO_DETAILS_OFFSET; 994 995 qdf_mem_copy(ent_mpdu_desc_info, dst_mpdu_desc_info, 996 sizeof(struct rx_mpdu_desc_info)); 997 qdf_mem_zero(ent_mpdu_desc_info, sizeof(uint32_t)); 998 999 mpdu_wrd = (uint32_t *)dst_mpdu_desc_info; 1000 seq_no = HAL_RX_MPDU_SEQUENCE_NUMBER_GET(mpdu_wrd); 1001 1002 HAL_RX_MPDU_DESC_INFO_SET(ent_mpdu_desc_info, 1003 MSDU_COUNT, 0x1); 1004 HAL_RX_MPDU_DESC_INFO_SET(ent_mpdu_desc_info, 1005 MPDU_SEQUENCE_NUMBER, seq_no); 1006 1007 /* unset frag bit */ 1008 HAL_RX_MPDU_DESC_INFO_SET(ent_mpdu_desc_info, 1009 FRAGMENT_FLAG, 0x0); 1010 1011 /* set sa/da valid bits */ 1012 HAL_RX_MPDU_DESC_INFO_SET(ent_mpdu_desc_info, 1013 SA_IS_VALID, 0x1); 1014 HAL_RX_MPDU_DESC_INFO_SET(ent_mpdu_desc_info, 1015 DA_IS_VALID, 0x1); 1016 HAL_RX_MPDU_DESC_INFO_SET(ent_mpdu_desc_info, 1017 RAW_MPDU, 0x0); 1018 1019 /* qdesc addr */ 1020 ent_qdesc_addr = (uint8_t *)ent_ring_desc + 1021 REO_ENTRANCE_RING_4_RX_REO_QUEUE_DESC_ADDR_31_0_OFFSET; 1022 1023 dst_qdesc_addr = (uint8_t *)dst_ring_desc + 1024 REO_DESTINATION_RING_6_RX_REO_QUEUE_DESC_ADDR_31_0_OFFSET; 1025 1026 qdf_mem_copy(ent_qdesc_addr, dst_qdesc_addr, 8); 1027 1028 HAL_RX_FLD_SET(ent_ring_desc, REO_ENTRANCE_RING_5, 1029 REO_DESTINATION_INDICATION, dst_ind); 1030 1031 hal_srng_access_end(soc->hal_soc, hal_srng); 1032 1033 QDF_TRACE(QDF_MODULE_ID_DP, QDF_TRACE_LEVEL_INFO, 1034 "%s: reinjection done !\n", __func__); 1035 return QDF_STATUS_SUCCESS; 1036 } 1037 1038 /* 1039 * dp_rx_defrag(): Defragment the fragment chain 1040 * @peer: Pointer to the peer 1041 * @tid: Transmit Identifier 1042 * @frag_list_head: Pointer to head list 1043 * @frag_list_tail: Pointer to tail list 1044 * 1045 * Defragment the fragment chain 1046 * 1047 * Returns: QDF_STATUS 1048 */ 1049 static QDF_STATUS dp_rx_defrag(struct dp_peer *peer, unsigned tid, 1050 qdf_nbuf_t frag_list_head, qdf_nbuf_t frag_list_tail) 1051 { 1052 qdf_nbuf_t tmp_next, prev; 1053 qdf_nbuf_t cur = frag_list_head, msdu; 1054 uint32_t index, tkip_demic = 0; 1055 uint16_t hdr_space; 1056 uint8_t key[DEFRAG_IEEE80211_KEY_LEN]; 1057 struct dp_vdev *vdev = peer->vdev; 1058 1059 hdr_space = dp_rx_defrag_hdrsize(cur); 1060 index = hal_rx_msdu_is_wlan_mcast(cur) ? 1061 dp_sec_mcast : dp_sec_ucast; 1062 1063 /* Remove FCS from all fragments */ 1064 while (cur) { 1065 tmp_next = qdf_nbuf_next(cur); 1066 qdf_nbuf_set_next(cur, NULL); 1067 qdf_nbuf_trim_tail(cur, DEFRAG_IEEE80211_FCS_LEN); 1068 prev = cur; 1069 qdf_nbuf_set_next(cur, tmp_next); 1070 cur = tmp_next; 1071 } 1072 cur = frag_list_head; 1073 1074 QDF_TRACE(QDF_MODULE_ID_TXRX, QDF_TRACE_LEVEL_INFO, 1075 "%s: Security type: %d\n", __func__, 1076 peer->security[index].sec_type); 1077 1078 /* Temporary fix to drop TKIP encrypted packets */ 1079 if (peer->security[index].sec_type == 1080 htt_sec_type_tkip) { 1081 return QDF_STATUS_E_DEFRAG_ERROR; 1082 } 1083 1084 switch (peer->security[index].sec_type) { 1085 case htt_sec_type_tkip: 1086 tkip_demic = 1; 1087 1088 case htt_sec_type_tkip_nomic: 1089 while (cur) { 1090 tmp_next = qdf_nbuf_next(cur); 1091 if (dp_rx_defrag_tkip_decap(cur, hdr_space)) { 1092 1093 /* TKIP decap failed, discard frags */ 1094 dp_rx_defrag_frames_free(frag_list_head); 1095 1096 QDF_TRACE(QDF_MODULE_ID_TXRX, 1097 QDF_TRACE_LEVEL_ERROR, 1098 "dp_rx_defrag: TKIP decap failed"); 1099 1100 return QDF_STATUS_E_DEFRAG_ERROR; 1101 } 1102 cur = tmp_next; 1103 } 1104 break; 1105 1106 case htt_sec_type_aes_ccmp: 1107 while (cur) { 1108 tmp_next = qdf_nbuf_next(cur); 1109 if (dp_rx_defrag_ccmp_demic(cur, hdr_space)) { 1110 1111 /* CCMP demic failed, discard frags */ 1112 dp_rx_defrag_frames_free(frag_list_head); 1113 1114 QDF_TRACE(QDF_MODULE_ID_TXRX, 1115 QDF_TRACE_LEVEL_ERROR, 1116 "dp_rx_defrag: CCMP demic failed"); 1117 1118 return QDF_STATUS_E_DEFRAG_ERROR; 1119 } 1120 if (dp_rx_defrag_ccmp_decap(cur, hdr_space)) { 1121 1122 /* CCMP decap failed, discard frags */ 1123 dp_rx_defrag_frames_free(frag_list_head); 1124 1125 QDF_TRACE(QDF_MODULE_ID_TXRX, 1126 QDF_TRACE_LEVEL_ERROR, 1127 "dp_rx_defrag: CCMP decap failed"); 1128 1129 return QDF_STATUS_E_DEFRAG_ERROR; 1130 } 1131 cur = tmp_next; 1132 } 1133 1134 /* If success, increment header to be stripped later */ 1135 hdr_space += dp_f_ccmp.ic_header; 1136 break; 1137 case htt_sec_type_wep40: 1138 case htt_sec_type_wep104: 1139 case htt_sec_type_wep128: 1140 while (cur) { 1141 tmp_next = qdf_nbuf_next(cur); 1142 if (dp_rx_defrag_wep_decap(cur, hdr_space)) { 1143 1144 /* WEP decap failed, discard frags */ 1145 dp_rx_defrag_frames_free(frag_list_head); 1146 1147 QDF_TRACE(QDF_MODULE_ID_TXRX, 1148 QDF_TRACE_LEVEL_ERROR, 1149 "dp_rx_defrag: WEP decap failed"); 1150 1151 return QDF_STATUS_E_DEFRAG_ERROR; 1152 } 1153 cur = tmp_next; 1154 } 1155 1156 /* If success, increment header to be stripped later */ 1157 hdr_space += dp_f_wep.ic_header; 1158 break; 1159 default: 1160 QDF_TRACE(QDF_MODULE_ID_TXRX, 1161 QDF_TRACE_LEVEL_ERROR, 1162 "dp_rx_defrag: Did not match any security type"); 1163 break; 1164 } 1165 1166 if (tkip_demic) { 1167 msdu = frag_list_tail; /* Only last fragment has the MIC */ 1168 1169 qdf_mem_copy(key, 1170 peer->security[index].michael_key, 1171 sizeof(peer->security[index].michael_key)); 1172 if (dp_rx_defrag_tkip_demic(key, msdu, hdr_space)) { 1173 qdf_nbuf_free(msdu); 1174 dp_rx_defrag_err(vdev->vdev_id, peer->mac_addr.raw, 1175 tid, 0, QDF_STATUS_E_DEFRAG_ERROR, msdu, 1176 NULL, 0); 1177 QDF_TRACE(QDF_MODULE_ID_TXRX, QDF_TRACE_LEVEL_ERROR, 1178 "dp_rx_defrag: TKIP demic failed"); 1179 return QDF_STATUS_E_DEFRAG_ERROR; 1180 } 1181 } 1182 1183 /* Convert the header to 802.3 header */ 1184 dp_rx_defrag_nwifi_to_8023(frag_list_head, hdr_space); 1185 dp_rx_construct_fraglist(peer, frag_list_head, hdr_space); 1186 1187 return QDF_STATUS_SUCCESS; 1188 } 1189 1190 /* 1191 * dp_rx_defrag_cleanup(): Clean up activities 1192 * @peer: Pointer to the peer 1193 * @tid: Transmit Identifier 1194 * 1195 * Returns: None 1196 */ 1197 static void dp_rx_defrag_cleanup(struct dp_peer *peer, unsigned tid) 1198 { 1199 struct dp_rx_reorder_array_elem *rx_reorder_array_elem = 1200 peer->rx_tid[tid].array; 1201 1202 /* Free up nbufs */ 1203 dp_rx_defrag_frames_free(rx_reorder_array_elem->head); 1204 1205 /* Free up saved ring descriptors */ 1206 dp_rx_clear_saved_desc_info(peer, tid); 1207 1208 rx_reorder_array_elem->head = NULL; 1209 rx_reorder_array_elem->tail = NULL; 1210 peer->rx_tid[tid].defrag_timeout_ms = 0; 1211 peer->rx_tid[tid].curr_frag_num = 0; 1212 peer->rx_tid[tid].curr_seq_num = 0; 1213 } 1214 1215 /* 1216 * dp_rx_defrag_save_info_from_ring_desc(): Save info from REO ring descriptor 1217 * @ring_desc: Pointer to the dst ring descriptor 1218 * @peer: Pointer to the peer 1219 * @tid: Transmit Identifier 1220 * 1221 * Returns: None 1222 */ 1223 static QDF_STATUS dp_rx_defrag_save_info_from_ring_desc(void *ring_desc, 1224 struct dp_peer *peer, unsigned tid) 1225 { 1226 void *dst_ring_desc = qdf_mem_malloc( 1227 sizeof(struct reo_destination_ring)); 1228 1229 if (dst_ring_desc == NULL) { 1230 QDF_TRACE(QDF_MODULE_ID_DP, QDF_TRACE_LEVEL_ERROR, 1231 "%s: Memory alloc failed !\n", __func__); 1232 QDF_ASSERT(0); 1233 return QDF_STATUS_E_NOMEM; 1234 } 1235 1236 qdf_mem_copy(dst_ring_desc, ring_desc, 1237 sizeof(struct reo_destination_ring)); 1238 1239 peer->rx_tid[tid].dst_ring_desc = dst_ring_desc; 1240 1241 return QDF_STATUS_SUCCESS; 1242 } 1243 1244 /* 1245 * dp_rx_defrag_store_fragment(): Store incoming fragments 1246 * @soc: Pointer to the SOC data structure 1247 * @ring_desc: Pointer to the ring descriptor 1248 * @mpdu_desc_info: MPDU descriptor info 1249 * @tid: Traffic Identifier 1250 * @rx_desc: Pointer to rx descriptor 1251 * @rx_bfs: Number of bfs consumed 1252 * 1253 * Returns: QDF_STATUS 1254 */ 1255 static QDF_STATUS dp_rx_defrag_store_fragment(struct dp_soc *soc, 1256 void *ring_desc, 1257 union dp_rx_desc_list_elem_t **head, 1258 union dp_rx_desc_list_elem_t **tail, 1259 struct hal_rx_mpdu_desc_info *mpdu_desc_info, 1260 unsigned tid, struct dp_rx_desc *rx_desc, 1261 uint32_t *rx_bfs) 1262 { 1263 struct dp_rx_reorder_array_elem *rx_reorder_array_elem; 1264 struct dp_pdev *pdev; 1265 struct dp_peer *peer; 1266 uint16_t peer_id; 1267 uint8_t fragno, more_frag, all_frag_present = 0; 1268 uint16_t rxseq = mpdu_desc_info->mpdu_seq; 1269 QDF_STATUS status; 1270 struct dp_rx_tid *rx_tid; 1271 uint8_t mpdu_sequence_control_valid; 1272 uint8_t mpdu_frame_control_valid; 1273 qdf_nbuf_t frag = rx_desc->nbuf; 1274 1275 /* Check if the packet is from a valid peer */ 1276 peer_id = DP_PEER_METADATA_PEER_ID_GET( 1277 mpdu_desc_info->peer_meta_data); 1278 peer = dp_peer_find_by_id(soc, peer_id); 1279 1280 if (!peer) { 1281 /* We should not recieve anything from unknown peer 1282 * however, that might happen while we are in the monitor mode. 1283 * We don't need to handle that here 1284 */ 1285 QDF_TRACE(QDF_MODULE_ID_TXRX, QDF_TRACE_LEVEL_ERROR, 1286 "Unknown peer, dropping the fragment"); 1287 1288 qdf_nbuf_free(frag); 1289 dp_rx_add_to_free_desc_list(head, tail, rx_desc); 1290 1291 return QDF_STATUS_E_DEFRAG_ERROR; 1292 } 1293 1294 pdev = peer->vdev->pdev; 1295 rx_tid = &peer->rx_tid[tid]; 1296 1297 rx_reorder_array_elem = peer->rx_tid[tid].array; 1298 1299 mpdu_sequence_control_valid = 1300 hal_rx_get_mpdu_sequence_control_valid(rx_desc->rx_buf_start); 1301 1302 /* Invalid MPDU sequence control field, MPDU is of no use */ 1303 if (!mpdu_sequence_control_valid) { 1304 QDF_TRACE(QDF_MODULE_ID_TXRX, QDF_TRACE_LEVEL_ERROR, 1305 "Invalid MPDU seq control field, dropping MPDU"); 1306 qdf_nbuf_free(frag); 1307 dp_rx_add_to_free_desc_list(head, tail, rx_desc); 1308 1309 qdf_assert(0); 1310 goto end; 1311 } 1312 1313 mpdu_frame_control_valid = 1314 hal_rx_get_mpdu_frame_control_valid(rx_desc->rx_buf_start); 1315 1316 /* Invalid frame control field */ 1317 if (!mpdu_frame_control_valid) { 1318 QDF_TRACE(QDF_MODULE_ID_TXRX, QDF_TRACE_LEVEL_ERROR, 1319 "Invalid frame control field, dropping MPDU"); 1320 qdf_nbuf_free(frag); 1321 dp_rx_add_to_free_desc_list(head, tail, rx_desc); 1322 1323 qdf_assert(0); 1324 goto end; 1325 } 1326 1327 /* Current mpdu sequence */ 1328 more_frag = dp_rx_frag_get_more_frag_bit(rx_desc->rx_buf_start); 1329 1330 /* HW does not populate the fragment number as of now 1331 * need to get from the 802.11 header 1332 */ 1333 fragno = dp_rx_frag_get_mpdu_frag_number(rx_desc->rx_buf_start); 1334 1335 /* 1336 * !more_frag: no more fragments to be delivered 1337 * !frag_no: packet is not fragmented 1338 * !rx_reorder_array_elem->head: no saved fragments so far 1339 */ 1340 if ((!more_frag) && (!fragno) && (!rx_reorder_array_elem->head)) { 1341 /* We should not get into this situation here. 1342 * It means an unfragmented packet with fragment flag 1343 * is delivered over the REO exception ring. 1344 * Typically it follows normal rx path. 1345 */ 1346 QDF_TRACE(QDF_MODULE_ID_TXRX, QDF_TRACE_LEVEL_ERROR, 1347 "Rcvd unfragmented pkt on REO Err srng, dropping"); 1348 qdf_nbuf_free(frag); 1349 dp_rx_add_to_free_desc_list(head, tail, rx_desc); 1350 1351 qdf_assert(0); 1352 goto end; 1353 } 1354 1355 /* Check if the fragment is for the same sequence or a different one */ 1356 if (rx_reorder_array_elem->head) { 1357 if (rxseq != rx_tid->curr_seq_num) { 1358 1359 /* Drop stored fragments if out of sequence 1360 * fragment is received 1361 */ 1362 dp_rx_defrag_frames_free(rx_reorder_array_elem->head); 1363 1364 rx_reorder_array_elem->head = NULL; 1365 rx_reorder_array_elem->tail = NULL; 1366 1367 QDF_TRACE(QDF_MODULE_ID_TXRX, QDF_TRACE_LEVEL_ERROR, 1368 "%s mismatch, dropping earlier sequence ", 1369 (rxseq == rx_tid->curr_seq_num) 1370 ? "address" 1371 : "seq number"); 1372 1373 /* 1374 * The sequence number for this fragment becomes the 1375 * new sequence number to be processed 1376 */ 1377 rx_tid->curr_seq_num = rxseq; 1378 1379 } 1380 } else { 1381 /* Start of a new sequence */ 1382 dp_rx_defrag_cleanup(peer, tid); 1383 rx_tid->curr_seq_num = rxseq; 1384 } 1385 1386 /* 1387 * If the earlier sequence was dropped, this will be the fresh start. 1388 * Else, continue with next fragment in a given sequence 1389 */ 1390 status = dp_rx_defrag_fraglist_insert(peer, tid, &rx_reorder_array_elem->head, 1391 &rx_reorder_array_elem->tail, frag, 1392 &all_frag_present); 1393 1394 /* 1395 * Currently, we can have only 6 MSDUs per-MPDU, if the current 1396 * packet sequence has more than 6 MSDUs for some reason, we will 1397 * have to use the next MSDU link descriptor and chain them together 1398 * before reinjection 1399 */ 1400 if ((fragno == 0) && (status == QDF_STATUS_SUCCESS) && 1401 (rx_reorder_array_elem->head == frag)) { 1402 1403 status = dp_rx_defrag_save_info_from_ring_desc(ring_desc, 1404 peer, tid); 1405 1406 if (status != QDF_STATUS_SUCCESS) { 1407 QDF_TRACE(QDF_MODULE_ID_DP, QDF_TRACE_LEVEL_ERROR, 1408 "%s: Unable to store ring desc !\n", __func__); 1409 goto end; 1410 } 1411 } else { 1412 dp_rx_add_to_free_desc_list(head, tail, rx_desc); 1413 *rx_bfs = 1; 1414 1415 /* Return the non-head link desc */ 1416 if (dp_rx_link_desc_return(soc, ring_desc, 1417 HAL_BM_ACTION_PUT_IN_IDLE_LIST) != 1418 QDF_STATUS_SUCCESS) 1419 QDF_TRACE(QDF_MODULE_ID_DP, QDF_TRACE_LEVEL_ERROR, 1420 "%s: Failed to return link desc\n", 1421 __func__); 1422 1423 } 1424 1425 if (pdev->soc->rx.flags.defrag_timeout_check) 1426 dp_rx_defrag_waitlist_remove(peer, tid); 1427 1428 /* Yet to receive more fragments for this sequence number */ 1429 if (!all_frag_present) { 1430 uint32_t now_ms = 1431 qdf_system_ticks_to_msecs(qdf_system_ticks()); 1432 1433 peer->rx_tid[tid].defrag_timeout_ms = 1434 now_ms + pdev->soc->rx.defrag.timeout_ms; 1435 1436 dp_rx_defrag_waitlist_add(peer, tid); 1437 1438 return QDF_STATUS_SUCCESS; 1439 } 1440 1441 QDF_TRACE(QDF_MODULE_ID_TXRX, QDF_TRACE_LEVEL_INFO, 1442 "All fragments received for sequence: %d", rxseq); 1443 1444 /* Process the fragments */ 1445 status = dp_rx_defrag(peer, tid, rx_reorder_array_elem->head, 1446 rx_reorder_array_elem->tail); 1447 if (QDF_IS_STATUS_ERROR(status)) { 1448 QDF_TRACE(QDF_MODULE_ID_TXRX, QDF_TRACE_LEVEL_ERROR, 1449 "Fragment processing failed"); 1450 if (dp_rx_link_desc_return(soc, 1451 peer->rx_tid[tid].dst_ring_desc, 1452 HAL_BM_ACTION_PUT_IN_IDLE_LIST) != 1453 QDF_STATUS_SUCCESS) 1454 QDF_TRACE(QDF_MODULE_ID_DP, QDF_TRACE_LEVEL_ERROR, 1455 "%s: Failed to return link desc\n", 1456 __func__); 1457 dp_rx_defrag_cleanup(peer, tid); 1458 goto end; 1459 } 1460 1461 /* Re-inject the fragments back to REO for further processing */ 1462 status = dp_rx_defrag_reo_reinject(peer, tid, 1463 rx_reorder_array_elem->head); 1464 if (QDF_IS_STATUS_SUCCESS(status)) { 1465 rx_reorder_array_elem->head = NULL; 1466 rx_reorder_array_elem->tail = NULL; 1467 QDF_TRACE(QDF_MODULE_ID_TXRX, QDF_TRACE_LEVEL_INFO, 1468 "Fragmented sequence successfully reinjected"); 1469 } 1470 else 1471 QDF_TRACE(QDF_MODULE_ID_TXRX, QDF_TRACE_LEVEL_ERROR, 1472 "Fragmented sequence reinjection failed"); 1473 1474 dp_rx_defrag_cleanup(peer, tid); 1475 return QDF_STATUS_SUCCESS; 1476 1477 end: 1478 return QDF_STATUS_E_DEFRAG_ERROR; 1479 } 1480 1481 /** 1482 * dp_rx_frag_handle() - Handles fragmented Rx frames 1483 * 1484 * @soc: core txrx main context 1485 * @ring_desc: opaque pointer to the REO error ring descriptor 1486 * @mpdu_desc_info: MPDU descriptor information from ring descriptor 1487 * @head: head of the local descriptor free-list 1488 * @tail: tail of the local descriptor free-list 1489 * @quota: No. of units (packets) that can be serviced in one shot. 1490 * 1491 * This function implements RX 802.11 fragmentation handling 1492 * The handling is mostly same as legacy fragmentation handling. 1493 * If required, this function can re-inject the frames back to 1494 * REO ring (with proper setting to by-pass fragmentation check 1495 * but use duplicate detection / re-ordering and routing these frames 1496 * to a different core. 1497 * 1498 * Return: uint32_t: No. of elements processed 1499 */ 1500 uint32_t dp_rx_frag_handle(struct dp_soc *soc, void *ring_desc, 1501 struct hal_rx_mpdu_desc_info *mpdu_desc_info, 1502 union dp_rx_desc_list_elem_t **head, 1503 union dp_rx_desc_list_elem_t **tail, 1504 uint32_t quota) 1505 { 1506 uint32_t rx_bufs_used = 0; 1507 void *link_desc_va; 1508 struct hal_buf_info buf_info; 1509 struct hal_rx_msdu_list msdu_list; /* per MPDU list of MSDUs */ 1510 qdf_nbuf_t msdu = NULL; 1511 uint32_t tid, msdu_len; 1512 int idx, rx_bfs = 0; 1513 QDF_STATUS status; 1514 1515 qdf_assert(soc); 1516 qdf_assert(mpdu_desc_info); 1517 1518 /* Fragment from a valid peer */ 1519 hal_rx_reo_buf_paddr_get(ring_desc, &buf_info); 1520 1521 link_desc_va = dp_rx_cookie_2_link_desc_va(soc, &buf_info); 1522 1523 qdf_assert(link_desc_va); 1524 1525 QDF_TRACE(QDF_MODULE_ID_TXRX, QDF_TRACE_LEVEL_INFO_HIGH, 1526 "Number of MSDUs to process, num_msdus: %d", 1527 mpdu_desc_info->msdu_count); 1528 1529 1530 if (qdf_unlikely(mpdu_desc_info->msdu_count == 0)) { 1531 QDF_TRACE(QDF_MODULE_ID_TXRX, QDF_TRACE_LEVEL_ERROR, 1532 "Not sufficient MSDUs to process"); 1533 return rx_bufs_used; 1534 } 1535 1536 /* Get msdu_list for the given MPDU */ 1537 hal_rx_msdu_list_get(link_desc_va, &msdu_list, 1538 &mpdu_desc_info->msdu_count); 1539 1540 /* Process all MSDUs in the current MPDU */ 1541 for (idx = 0; (idx < mpdu_desc_info->msdu_count) && quota--; idx++) { 1542 struct dp_rx_desc *rx_desc = 1543 dp_rx_cookie_2_va_rxdma_buf(soc, 1544 msdu_list.sw_cookie[idx]); 1545 1546 qdf_assert(rx_desc); 1547 1548 msdu = rx_desc->nbuf; 1549 1550 qdf_nbuf_unmap_single(soc->osdev, msdu, 1551 QDF_DMA_BIDIRECTIONAL); 1552 1553 rx_desc->rx_buf_start = qdf_nbuf_data(msdu); 1554 1555 msdu_len = hal_rx_msdu_start_msdu_len_get( 1556 rx_desc->rx_buf_start); 1557 1558 qdf_nbuf_set_pktlen(msdu, (msdu_len + RX_PKT_TLVS_LEN)); 1559 1560 tid = hal_rx_mpdu_start_tid_get(rx_desc->rx_buf_start); 1561 1562 /* Process fragment-by-fragment */ 1563 status = dp_rx_defrag_store_fragment(soc, ring_desc, 1564 head, tail, mpdu_desc_info, 1565 tid, rx_desc, &rx_bfs); 1566 1567 if (QDF_IS_STATUS_SUCCESS(status)) { 1568 if (rx_bfs) 1569 rx_bufs_used++; 1570 } else { 1571 QDF_TRACE(QDF_MODULE_ID_TXRX, QDF_TRACE_LEVEL_ERROR, 1572 "Rx Defrag err seq#:0x%x msdu_count:%d flags:%d", 1573 mpdu_desc_info->mpdu_seq, 1574 mpdu_desc_info->msdu_count, 1575 mpdu_desc_info->mpdu_flags); 1576 1577 /* No point in processing rest of the fragments */ 1578 break; 1579 } 1580 } 1581 1582 return rx_bufs_used; 1583 } 1584