tx.c 61.5 KB
Newer Older
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
/*
 * Copyright 2002-2005, Instant802 Networks, Inc.
 * Copyright 2005-2006, Devicescape Software, Inc.
 * Copyright 2006-2007	Jiri Benc <jbenc@suse.cz>
 * Copyright 2007	Johannes Berg <johannes@sipsolutions.net>
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License version 2 as
 * published by the Free Software Foundation.
 *
 *
 * Transmit and frame generation functions.
 */

#include <linux/kernel.h>
#include <linux/slab.h>
#include <linux/skbuff.h>
#include <linux/etherdevice.h>
#include <linux/bitmap.h>
20
#include <linux/rcupdate.h>
21
#include <net/net_namespace.h>
22
23
24
25
26
27
#include <net/ieee80211_radiotap.h>
#include <net/cfg80211.h>
#include <net/mac80211.h>
#include <asm/unaligned.h>

#include "ieee80211_i.h"
Johannes Berg's avatar
Johannes Berg committed
28
#include "led.h"
29
#include "mesh.h"
30
31
32
#include "wep.h"
#include "wpa.h"
#include "wme.h"
Johannes Berg's avatar
Johannes Berg committed
33
#include "rate.h"
34
35
36

#define IEEE80211_TX_OK		0
#define IEEE80211_TX_AGAIN	1
37
#define IEEE80211_TX_PENDING	2
38
39
40

/* misc utils */

Johannes Berg's avatar
Johannes Berg committed
41
42
static __le16 ieee80211_duration(struct ieee80211_tx_data *tx, int group_addr,
				 int next_frag_len)
43
44
{
	int rate, mrate, erp, dur, i;
45
	struct ieee80211_rate *txrate;
46
	struct ieee80211_local *local = tx->local;
47
	struct ieee80211_supported_band *sband;
48
	struct ieee80211_hdr *hdr;
49
50
51
52
53
54
55
56
57
	struct ieee80211_tx_info *info = IEEE80211_SKB_CB(tx->skb);

	/* assume HW handles this */
	if (info->control.rates[0].flags & IEEE80211_TX_RC_MCS)
		return 0;

	/* uh huh? */
	if (WARN_ON_ONCE(info->control.rates[0].idx < 0))
		return 0;
58

59
	sband = local->hw.wiphy->bands[tx->channel->band];
60
	txrate = &sband->bitrates[info->control.rates[0].idx];
61

62
	erp = txrate->flags & IEEE80211_RATE_ERP_G;
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80

	/*
	 * data and mgmt (except PS Poll):
	 * - during CFP: 32768
	 * - during contention period:
	 *   if addr1 is group address: 0
	 *   if more fragments = 0 and addr1 is individual address: time to
	 *      transmit one ACK plus SIFS
	 *   if more fragments = 1 and addr1 is individual address: time to
	 *      transmit next fragment plus 2 x ACK plus 3 x SIFS
	 *
	 * IEEE 802.11, 9.6:
	 * - control response frame (CTS or ACK) shall be transmitted using the
	 *   same rate as the immediately previous frame in the frame exchange
	 *   sequence, if this rate belongs to the PHY mandatory rates, or else
	 *   at the highest possible rate belonging to the PHY rates in the
	 *   BSSBasicRateSet
	 */
81
82
	hdr = (struct ieee80211_hdr *)tx->skb->data;
	if (ieee80211_is_ctl(hdr->frame_control)) {
83
		/* TODO: These control frames are not currently sent by
84
		 * mac80211, but should they be implemented, this function
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
		 * needs to be updated to support duration field calculation.
		 *
		 * RTS: time needed to transmit pending data/mgmt frame plus
		 *    one CTS frame plus one ACK frame plus 3 x SIFS
		 * CTS: duration of immediately previous RTS minus time
		 *    required to transmit CTS and its SIFS
		 * ACK: 0 if immediately previous directed data/mgmt had
		 *    more=0, with more=1 duration in ACK frame is duration
		 *    from previous frame minus time needed to transmit ACK
		 *    and its SIFS
		 * PS Poll: BIT(15) | BIT(14) | aid
		 */
		return 0;
	}

	/* data/mgmt */
	if (0 /* FIX: data/mgmt during CFP */)
Johannes Berg's avatar
Johannes Berg committed
102
		return cpu_to_le16(32768);
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117

	if (group_addr) /* Group address as the destination - no ACK */
		return 0;

	/* Individual destination address:
	 * IEEE 802.11, Ch. 9.6 (after IEEE 802.11g changes)
	 * CTS and ACK frames shall be transmitted using the highest rate in
	 * basic rate set that is less than or equal to the rate of the
	 * immediately previous frame and that is using the same modulation
	 * (CCK or OFDM). If no basic rate set matches with these requirements,
	 * the highest mandatory rate of the PHY that is less than or equal to
	 * the rate of the previous frame is used.
	 * Mandatory rates for IEEE 802.11g PHY: 1, 2, 5.5, 11, 6, 12, 24 Mbps
	 */
	rate = -1;
118
119
120
121
	/* use lowest available if everything fails */
	mrate = sband->bitrates[0].bitrate;
	for (i = 0; i < sband->n_bitrates; i++) {
		struct ieee80211_rate *r = &sband->bitrates[i];
122

123
124
		if (r->bitrate > txrate->bitrate)
			break;
125

126
		if (tx->sdata->vif.bss_conf.basic_rates & BIT(i))
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
			rate = r->bitrate;

		switch (sband->band) {
		case IEEE80211_BAND_2GHZ: {
			u32 flag;
			if (tx->sdata->flags & IEEE80211_SDATA_OPERATING_GMODE)
				flag = IEEE80211_RATE_MANDATORY_G;
			else
				flag = IEEE80211_RATE_MANDATORY_B;
			if (r->flags & flag)
				mrate = r->bitrate;
			break;
		}
		case IEEE80211_BAND_5GHZ:
			if (r->flags & IEEE80211_RATE_MANDATORY_A)
				mrate = r->bitrate;
			break;
		case IEEE80211_NUM_BANDS:
			WARN_ON(1);
			break;
		}
148
149
150
151
152
153
154
155
156
157
158
159
	}
	if (rate == -1) {
		/* No matching basic rate found; use highest suitable mandatory
		 * PHY rate */
		rate = mrate;
	}

	/* Time needed to transmit ACK
	 * (10 bytes + 4-byte FCS = 112 bits) plus SIFS; rounded up
	 * to closest integer */

	dur = ieee80211_frame_duration(local, 10, rate, erp,
160
				tx->sdata->vif.bss_conf.use_short_preamble);
161
162
163
164
165
166
167

	if (next_frag_len) {
		/* Frame is fragmented: duration increases with time needed to
		 * transmit next fragment plus ACK and 2 x SIFS. */
		dur *= 2; /* ACK + SIFS */
		/* next fragment */
		dur += ieee80211_frame_duration(local, next_frag_len,
168
				txrate->bitrate, erp,
169
				tx->sdata->vif.bss_conf.use_short_preamble);
170
171
	}

Johannes Berg's avatar
Johannes Berg committed
172
	return cpu_to_le16(dur);
173
174
}

175
176
static int inline is_ieee80211_device(struct ieee80211_local *local,
				      struct net_device *dev)
177
{
178
	return local == wdev_priv(dev->ieee80211_ptr);
179
180
181
182
}

/* tx handlers */

183
static ieee80211_tx_result debug_noinline
184
ieee80211_tx_h_check_assoc(struct ieee80211_tx_data *tx)
185
{
186

187
188
	struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)tx->skb->data;
	struct ieee80211_tx_info *info = IEEE80211_SKB_CB(tx->skb);
189
190
	u32 sta_flags;

191
	if (unlikely(info->flags & IEEE80211_TX_CTL_INJECTED))
192
		return TX_CONTINUE;
193

194
	if (unlikely(tx->local->sw_scanning) &&
195
196
197
198
199
200
201
202
203
204
205
206
207
	    !ieee80211_is_probe_req(hdr->frame_control) &&
	    !ieee80211_is_nullfunc(hdr->frame_control))
		/*
		 * When software scanning only nullfunc frames (to notify
		 * the sleep state to the AP) and probe requests (for the
		 * active scan) are allowed, all other frames should not be
		 * sent and we should not get here, but if we do
		 * nonetheless, drop them to avoid sending them
		 * off-channel. See the link below and
		 * ieee80211_start_scan() for more.
		 *
		 * http://article.gmane.org/gmane.linux.kernel.wireless.general/30089
		 */
208
		return TX_DROP;
209

210
	if (tx->sdata->vif.type == NL80211_IFTYPE_MESH_POINT)
211
212
		return TX_CONTINUE;

213
	if (tx->flags & IEEE80211_TX_PS_BUFFERED)
214
		return TX_CONTINUE;
215

216
	sta_flags = tx->sta ? get_sta_flags(tx->sta) : 0;
217

218
	if (likely(tx->flags & IEEE80211_TX_UNICAST)) {
219
		if (unlikely(!(sta_flags & WLAN_STA_ASSOC) &&
220
			     tx->sdata->vif.type != NL80211_IFTYPE_ADHOC &&
221
			     ieee80211_is_data(hdr->frame_control))) {
222
223
#ifdef CONFIG_MAC80211_VERBOSE_DEBUG
			printk(KERN_DEBUG "%s: dropped data frame to not "
224
225
			       "associated station %pM\n",
			       tx->dev->name, hdr->addr1);
226
227
#endif /* CONFIG_MAC80211_VERBOSE_DEBUG */
			I802_DEBUG_INC(tx->local->tx_handlers_drop_not_assoc);
228
			return TX_DROP;
229
230
		}
	} else {
231
		if (unlikely(ieee80211_is_data(hdr->frame_control) &&
232
			     tx->local->num_sta == 0 &&
233
			     tx->sdata->vif.type != NL80211_IFTYPE_ADHOC)) {
234
235
236
237
			/*
			 * No associated STAs - no need to send multicast
			 * frames.
			 */
238
			return TX_DROP;
239
		}
240
		return TX_CONTINUE;
241
242
	}

243
	return TX_CONTINUE;
244
245
246
247
248
249
250
251
252
253
254
255
256
}

/* This function is called whenever the AP is about to exceed the maximum limit
 * of buffered frames for power saving STAs. This situation should not really
 * happen often during normal operation, so dropping the oldest buffered packet
 * from each queue should be OK to make some room for new frames. */
static void purge_old_ps_buffers(struct ieee80211_local *local)
{
	int total = 0, purged = 0;
	struct sk_buff *skb;
	struct ieee80211_sub_if_data *sdata;
	struct sta_info *sta;

257
258
259
260
261
262
	/*
	 * virtual interfaces are protected by RCU
	 */
	rcu_read_lock();

	list_for_each_entry_rcu(sdata, &local->interfaces, list) {
263
		struct ieee80211_if_ap *ap;
264
		if (sdata->vif.type != NL80211_IFTYPE_AP)
265
266
267
268
269
270
271
272
273
274
			continue;
		ap = &sdata->u.ap;
		skb = skb_dequeue(&ap->ps_bc_buf);
		if (skb) {
			purged++;
			dev_kfree_skb(skb);
		}
		total += skb_queue_len(&ap->ps_bc_buf);
	}

275
	list_for_each_entry_rcu(sta, &local->sta_list, list) {
276
277
278
279
280
281
282
		skb = skb_dequeue(&sta->ps_tx_buf);
		if (skb) {
			purged++;
			dev_kfree_skb(skb);
		}
		total += skb_queue_len(&sta->ps_tx_buf);
	}
283
284

	rcu_read_unlock();
285
286

	local->total_ps_buffered = total;
287
#ifdef CONFIG_MAC80211_VERBOSE_PS_DEBUG
288
	printk(KERN_DEBUG "%s: PS buffers full - purged %d frames\n",
289
	       wiphy_name(local->hw.wiphy), purged);
290
#endif
291
292
}

293
static ieee80211_tx_result
294
ieee80211_tx_h_multicast_ps_buf(struct ieee80211_tx_data *tx)
295
{
296
	struct ieee80211_tx_info *info = IEEE80211_SKB_CB(tx->skb);
297
	struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)tx->skb->data;
298

299
300
301
302
303
304
305
306
	/*
	 * broadcast/multicast frame
	 *
	 * If any of the associated stations is in power save mode,
	 * the frame is buffered to be sent after DTIM beacon frame.
	 * This is done either by the hardware or us.
	 */

307
308
309
310
311
	/* powersaving STAs only in AP/VLAN mode */
	if (!tx->sdata->bss)
		return TX_CONTINUE;

	/* no buffering for ordered frames */
312
	if (ieee80211_has_order(hdr->frame_control))
313
		return TX_CONTINUE;
314
315
316

	/* no stations in PS mode */
	if (!atomic_read(&tx->sdata->bss->num_sta_ps))
317
		return TX_CONTINUE;
318
319
320

	/* buffered in mac80211 */
	if (tx->local->hw.flags & IEEE80211_HW_HOST_BROADCAST_PS_BUFFERING) {
321
322
323
324
		if (tx->local->total_ps_buffered >= TOTAL_MAX_TX_BUFFER)
			purge_old_ps_buffers(tx->local);
		if (skb_queue_len(&tx->sdata->bss->ps_bc_buf) >=
		    AP_MAX_BC_BUFFER) {
325
#ifdef CONFIG_MAC80211_VERBOSE_PS_DEBUG
326
327
328
329
330
			if (net_ratelimit()) {
				printk(KERN_DEBUG "%s: BC TX buffer full - "
				       "dropping the oldest frame\n",
				       tx->dev->name);
			}
331
#endif
332
333
334
335
			dev_kfree_skb(skb_dequeue(&tx->sdata->bss->ps_bc_buf));
		} else
			tx->local->total_ps_buffered++;
		skb_queue_tail(&tx->sdata->bss->ps_bc_buf, tx->skb);
336
		return TX_QUEUED;
337
338
	}

339
	/* buffered in hardware */
340
	info->flags |= IEEE80211_TX_CTL_SEND_AFTER_DTIM;
341

342
	return TX_CONTINUE;
343
344
}

345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
static int ieee80211_use_mfp(__le16 fc, struct sta_info *sta,
			     struct sk_buff *skb)
{
	if (!ieee80211_is_mgmt(fc))
		return 0;

	if (sta == NULL || !test_sta_flags(sta, WLAN_STA_MFP))
		return 0;

	if (!ieee80211_is_robust_mgmt_frame((struct ieee80211_hdr *)
					    skb->data))
		return 0;

	return 1;
}

361
static ieee80211_tx_result
362
ieee80211_tx_h_unicast_ps_buf(struct ieee80211_tx_data *tx)
363
364
{
	struct sta_info *sta = tx->sta;
365
	struct ieee80211_tx_info *info = IEEE80211_SKB_CB(tx->skb);
366
	struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)tx->skb->data;
367
	u32 staflags;
368

369
	if (unlikely(!sta || ieee80211_is_probe_resp(hdr->frame_control)))
370
		return TX_CONTINUE;
371

372
373
374
375
	staflags = get_sta_flags(sta);

	if (unlikely((staflags & WLAN_STA_PS) &&
		     !(staflags & WLAN_STA_PSPOLL))) {
376
#ifdef CONFIG_MAC80211_VERBOSE_PS_DEBUG
377
		printk(KERN_DEBUG "STA %pM aid %d: PS buffer (entries "
378
		       "before %d)\n",
379
		       sta->sta.addr, sta->sta.aid,
380
381
382
383
384
385
		       skb_queue_len(&sta->ps_tx_buf));
#endif /* CONFIG_MAC80211_VERBOSE_PS_DEBUG */
		if (tx->local->total_ps_buffered >= TOTAL_MAX_TX_BUFFER)
			purge_old_ps_buffers(tx->local);
		if (skb_queue_len(&sta->ps_tx_buf) >= STA_MAX_TX_BUFFER) {
			struct sk_buff *old = skb_dequeue(&sta->ps_tx_buf);
386
#ifdef CONFIG_MAC80211_VERBOSE_PS_DEBUG
387
			if (net_ratelimit()) {
388
				printk(KERN_DEBUG "%s: STA %pM TX "
389
				       "buffer full - dropping oldest frame\n",
390
				       tx->dev->name, sta->sta.addr);
391
			}
392
#endif
393
394
395
			dev_kfree_skb(old);
		} else
			tx->local->total_ps_buffered++;
396

397
		/* Queue frame to be sent after STA sends an PS Poll frame */
398
399
400
		if (skb_queue_empty(&sta->ps_tx_buf))
			sta_info_set_tim_bit(sta);

401
		info->control.jiffies = jiffies;
402
		skb_queue_tail(&sta->ps_tx_buf, tx->skb);
403
		return TX_QUEUED;
404
405
	}
#ifdef CONFIG_MAC80211_VERBOSE_PS_DEBUG
406
	else if (unlikely(test_sta_flags(sta, WLAN_STA_PS))) {
407
		printk(KERN_DEBUG "%s: STA %pM in PS mode, but pspoll "
408
		       "set -> send frame\n", tx->dev->name,
409
		       sta->sta.addr);
410
411
	}
#endif /* CONFIG_MAC80211_VERBOSE_PS_DEBUG */
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
	if (test_and_clear_sta_flags(sta, WLAN_STA_PSPOLL)) {
		/*
		 * The sleeping station with pending data is now snoozing.
		 * It queried us for its buffered frames and will go back
		 * to deep sleep once it got everything.
		 *
		 * inform the driver, in case the hardware does powersave
		 * frame filtering and keeps a station  blacklist on its own
		 * (e.g: p54), so that frames can be delivered unimpeded.
		 *
		 * Note: It should be save to disable the filter now.
		 * As, it is really unlikely that we still have any pending
		 * frame for this station in the hw's buffers/fifos left,
		 * that is not rejected with a unsuccessful tx_status yet.
		 */
427

428
429
		info->flags |= IEEE80211_TX_CTL_CLEAR_PS_FILT;
	}
430
	return TX_CONTINUE;
431
432
}

433
static ieee80211_tx_result debug_noinline
434
ieee80211_tx_h_ps_buf(struct ieee80211_tx_data *tx)
435
{
436
	if (unlikely(tx->flags & IEEE80211_TX_PS_BUFFERED))
437
		return TX_CONTINUE;
438

439
	if (tx->flags & IEEE80211_TX_UNICAST)
440
441
442
443
444
		return ieee80211_tx_h_unicast_ps_buf(tx);
	else
		return ieee80211_tx_h_multicast_ps_buf(tx);
}

445
static ieee80211_tx_result debug_noinline
446
ieee80211_tx_h_select_key(struct ieee80211_tx_data *tx)
447
{
448
	struct ieee80211_key *key;
449
	struct ieee80211_tx_info *info = IEEE80211_SKB_CB(tx->skb);
450
	struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)tx->skb->data;
451

452
	if (unlikely(tx->skb->do_not_encrypt))
453
		tx->key = NULL;
454
455
	else if (tx->sta && (key = rcu_dereference(tx->sta->key)))
		tx->key = key;
456
457
458
	else if (ieee80211_is_mgmt(hdr->frame_control) &&
		 (key = rcu_dereference(tx->sdata->default_mgmt_key)))
		tx->key = key;
459
460
	else if ((key = rcu_dereference(tx->sdata->default_key)))
		tx->key = key;
461
	else if (tx->sdata->drop_unencrypted &&
462
		 (tx->skb->protocol != cpu_to_be16(ETH_P_PAE)) &&
463
464
465
466
		 !(info->flags & IEEE80211_TX_CTL_INJECTED) &&
		 (!ieee80211_is_robust_mgmt_frame(hdr) ||
		  (ieee80211_is_action(hdr->frame_control) &&
		   tx->sta && test_sta_flags(tx->sta, WLAN_STA_MFP)))) {
467
		I802_DEBUG_INC(tx->local->tx_handlers_drop_unencrypted);
468
		return TX_DROP;
469
	} else
470
471
472
473
		tx->key = NULL;

	if (tx->key) {
		tx->key->tx_rx_count++;
474
		/* TODO: add threshold stuff again */
475
476
477

		switch (tx->key->conf.alg) {
		case ALG_WEP:
478
			if (ieee80211_is_auth(hdr->frame_control))
479
480
				break;
		case ALG_TKIP:
481
			if (!ieee80211_is_data_present(hdr->frame_control))
482
483
				tx->key = NULL;
			break;
484
485
486
487
488
489
		case ALG_CCMP:
			if (!ieee80211_is_data_present(hdr->frame_control) &&
			    !ieee80211_use_mfp(hdr->frame_control, tx->sta,
					       tx->skb))
				tx->key = NULL;
			break;
490
491
492
493
		case ALG_AES_CMAC:
			if (!ieee80211_is_mgmt(hdr->frame_control))
				tx->key = NULL;
			break;
494
		}
495
496
	}

497
	if (!tx->key || !(tx->key->flags & KEY_FLAG_UPLOADED_TO_HARDWARE))
498
		tx->skb->do_not_encrypt = 1;
499

500
	return TX_CONTINUE;
501
502
}

503
static ieee80211_tx_result debug_noinline
504
ieee80211_tx_h_rate_ctrl(struct ieee80211_tx_data *tx)
505
{
506
	struct ieee80211_tx_info *info = IEEE80211_SKB_CB(tx->skb);
507
508
509
510
511
512
	struct ieee80211_hdr *hdr = (void *)tx->skb->data;
	struct ieee80211_supported_band *sband;
	struct ieee80211_rate *rate;
	int i, len;
	bool inval = false, rts = false, short_preamble = false;
	struct ieee80211_tx_rate_control txrc;
513

514
	memset(&txrc, 0, sizeof(txrc));
515

516
	sband = tx->local->hw.wiphy->bands[tx->channel->band];
517

518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
	len = min_t(int, tx->skb->len + FCS_LEN,
			 tx->local->fragmentation_threshold);

	/* set up the tx rate control struct we give the RC algo */
	txrc.hw = local_to_hw(tx->local);
	txrc.sband = sband;
	txrc.bss_conf = &tx->sdata->vif.bss_conf;
	txrc.skb = tx->skb;
	txrc.reported_rate.idx = -1;
	txrc.max_rate_idx = tx->sdata->max_ratectrl_rateidx;

	/* set up RTS protection if desired */
	if (tx->local->rts_threshold < IEEE80211_MAX_RTS_THRESHOLD &&
	    len > tx->local->rts_threshold) {
		txrc.rts = rts = true;
533
534
	}

535
536
537
538
539
540
541
542
543
544
	/*
	 * Use short preamble if the BSS can handle it, but not for
	 * management frames unless we know the receiver can handle
	 * that -- the management frame might be to a station that
	 * just wants a probe response.
	 */
	if (tx->sdata->vif.bss_conf.use_short_preamble &&
	    (ieee80211_is_data(hdr->frame_control) ||
	     (tx->sta && test_sta_flags(tx->sta, WLAN_STA_SHORT_PREAMBLE))))
		txrc.short_preamble = short_preamble = true;
545

546

547
548
549
550
551
552
553
	rate_control_get_rate(tx->sdata, tx->sta, &txrc);

	if (unlikely(info->control.rates[0].idx < 0))
		return TX_DROP;

	if (txrc.reported_rate.idx < 0)
		txrc.reported_rate = info->control.rates[0];
554

555
	if (tx->sta)
556
		tx->sta->last_tx_rate = txrc.reported_rate;
557

558
559
	if (unlikely(!info->control.rates[0].count))
		info->control.rates[0].count = 1;
560

561
562
563
564
565
	if (is_multicast_ether_addr(hdr->addr1)) {
		/*
		 * XXX: verify the rate is in the basic rateset
		 */
		return TX_CONTINUE;
566
567
	}

568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
	/*
	 * set up the RTS/CTS rate as the fastest basic rate
	 * that is not faster than the data rate
	 *
	 * XXX: Should this check all retry rates?
	 */
	if (!(info->control.rates[0].flags & IEEE80211_TX_RC_MCS)) {
		s8 baserate = 0;

		rate = &sband->bitrates[info->control.rates[0].idx];

		for (i = 0; i < sband->n_bitrates; i++) {
			/* must be a basic rate */
			if (!(tx->sdata->vif.bss_conf.basic_rates & BIT(i)))
				continue;
			/* must not be faster than the data rate */
			if (sband->bitrates[i].bitrate > rate->bitrate)
				continue;
			/* maximum */
			if (sband->bitrates[baserate].bitrate <
			     sband->bitrates[i].bitrate)
				baserate = i;
		}

		info->control.rts_cts_rate_idx = baserate;
593
594
	}

595
596
597
598
599
600
601
602
603
604
605
606
607
608
	for (i = 0; i < IEEE80211_TX_MAX_RATES; i++) {
		/*
		 * make sure there's no valid rate following
		 * an invalid one, just in case drivers don't
		 * take the API seriously to stop at -1.
		 */
		if (inval) {
			info->control.rates[i].idx = -1;
			continue;
		}
		if (info->control.rates[i].idx < 0) {
			inval = true;
			continue;
		}
609

610
611
612
613
614
615
616
617
		/*
		 * For now assume MCS is already set up correctly, this
		 * needs to be fixed.
		 */
		if (info->control.rates[i].flags & IEEE80211_TX_RC_MCS) {
			WARN_ON(info->control.rates[i].idx > 76);
			continue;
		}
618

619
620
621
622
		/* set up RTS protection if desired */
		if (rts)
			info->control.rates[i].flags |=
				IEEE80211_TX_RC_USE_RTS_CTS;
623

624
		/* RC is busted */
625
626
		if (WARN_ON_ONCE(info->control.rates[i].idx >=
				 sband->n_bitrates)) {
627
628
			info->control.rates[i].idx = -1;
			continue;
629
		}
630

631
632
633
634
635
636
637
638
639
640
641
642
643
		rate = &sband->bitrates[info->control.rates[i].idx];

		/* set up short preamble */
		if (short_preamble &&
		    rate->flags & IEEE80211_RATE_SHORT_PREAMBLE)
			info->control.rates[i].flags |=
				IEEE80211_TX_RC_USE_SHORT_PREAMBLE;

		/* set up G protection */
		if (!rts && tx->sdata->vif.bss_conf.use_cts_prot &&
		    rate->flags & IEEE80211_RATE_ERP_G)
			info->control.rates[i].flags |=
				IEEE80211_TX_RC_USE_CTS_PROTECT;
644
645
	}

646
647
648
649
650
651
652
653
	return TX_CONTINUE;
}

static ieee80211_tx_result debug_noinline
ieee80211_tx_h_misc(struct ieee80211_tx_data *tx)
{
	struct ieee80211_tx_info *info = IEEE80211_SKB_CB(tx->skb);

654
	if (tx->sta)
655
		info->control.sta = &tx->sta->sta;
656
657
658
659

	return TX_CONTINUE;
}

660
661
662
663
664
665
666
667
668
static ieee80211_tx_result debug_noinline
ieee80211_tx_h_sequence(struct ieee80211_tx_data *tx)
{
	struct ieee80211_tx_info *info = IEEE80211_SKB_CB(tx->skb);
	struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)tx->skb->data;
	u16 *seq;
	u8 *qc;
	int tid;

669
670
671
672
673
674
675
676
	/*
	 * Packet injection may want to control the sequence
	 * number, if we have no matching interface then we
	 * neither assign one ourselves nor ask the driver to.
	 */
	if (unlikely(!info->control.vif))
		return TX_CONTINUE;

677
678
679
680
681
682
	if (unlikely(ieee80211_is_ctl(hdr->frame_control)))
		return TX_CONTINUE;

	if (ieee80211_hdrlen(hdr->frame_control) < 24)
		return TX_CONTINUE;

683
684
685
686
687
	/*
	 * Anything but QoS data that has a sequence number field
	 * (is long enough) gets a sequence number from the global
	 * counter.
	 */
688
	if (!ieee80211_is_data_qos(hdr->frame_control)) {
689
		/* driver should assign sequence number */
690
		info->flags |= IEEE80211_TX_CTL_ASSIGN_SEQ;
691
692
693
694
		/* for pure STA mode without beacons, we can do it */
		hdr->seq_ctrl = cpu_to_le16(tx->sdata->sequence_number);
		tx->sdata->sequence_number += 0x10;
		tx->sdata->sequence_number &= IEEE80211_SCTL_SEQ;
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
		return TX_CONTINUE;
	}

	/*
	 * This should be true for injected/management frames only, for
	 * management frames we have set the IEEE80211_TX_CTL_ASSIGN_SEQ
	 * above since they are not QoS-data frames.
	 */
	if (!tx->sta)
		return TX_CONTINUE;

	/* include per-STA, per-TID sequence counter */

	qc = ieee80211_get_qos_ctl(hdr);
	tid = *qc & IEEE80211_QOS_CTL_TID_MASK;
	seq = &tx->sta->tid_seq[tid];

	hdr->seq_ctrl = cpu_to_le16(*seq);

	/* Increase the sequence number. */
	*seq = (*seq + 0x10) & IEEE80211_SCTL_SEQ;

	return TX_CONTINUE;
}

720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
static int ieee80211_fragment(struct ieee80211_local *local,
			      struct sk_buff *skb, int hdrlen,
			      int frag_threshold)
{
	struct sk_buff *tail = skb, *tmp;
	int per_fragm = frag_threshold - hdrlen - FCS_LEN;
	int pos = hdrlen + per_fragm;
	int rem = skb->len - hdrlen - per_fragm;

	if (WARN_ON(rem < 0))
		return -EINVAL;

	while (rem) {
		int fraglen = per_fragm;

		if (fraglen > rem)
			fraglen = rem;
		rem -= fraglen;
		tmp = dev_alloc_skb(local->tx_headroom +
				    frag_threshold +
				    IEEE80211_ENCRYPT_HEADROOM +
				    IEEE80211_ENCRYPT_TAILROOM);
		if (!tmp)
			return -ENOMEM;
		tail->next = tmp;
		tail = tmp;
		skb_reserve(tmp, local->tx_headroom +
				 IEEE80211_ENCRYPT_HEADROOM);
		/* copy control information */
		memcpy(tmp->cb, skb->cb, sizeof(tmp->cb));
		skb_copy_queue_mapping(tmp, skb);
		tmp->priority = skb->priority;
		tmp->do_not_encrypt = skb->do_not_encrypt;
		tmp->dev = skb->dev;
		tmp->iif = skb->iif;

		/* copy header and data */
		memcpy(skb_put(tmp, hdrlen), skb->data, hdrlen);
		memcpy(skb_put(tmp, fraglen), skb->data + pos, fraglen);

		pos += fraglen;
	}

	skb->len = hdrlen + per_fragm;
	return 0;
}

767
static ieee80211_tx_result debug_noinline
768
769
ieee80211_tx_h_fragment(struct ieee80211_tx_data *tx)
{
770
771
772
	struct sk_buff *skb = tx->skb;
	struct ieee80211_tx_info *info = IEEE80211_SKB_CB(skb);
	struct ieee80211_hdr *hdr = (void *)skb->data;
773
	int frag_threshold = tx->local->fragmentation_threshold;
774
775
	int hdrlen;
	int fragnum;
776
777
778
779

	if (!(tx->flags & IEEE80211_TX_FRAGMENTED))
		return TX_CONTINUE;

780
781
	/*
	 * Warn when submitting a fragmented A-MPDU frame and drop it.
782
783
	 * This scenario is handled in __ieee80211_tx_prepare but extra
	 * caution taken here as fragmented ampdu may cause Tx stop.
784
	 */
Sujith's avatar
Sujith committed
785
	if (WARN_ON(info->flags & IEEE80211_TX_CTL_AMPDU))
786
787
		return TX_DROP;

788
	hdrlen = ieee80211_hdrlen(hdr->frame_control);
789

790
791
792
	/* internal error, why is TX_FRAGMENTED set? */
	if (WARN_ON(skb->len <= frag_threshold))
		return TX_DROP;
793

794
795
796
797
798
799
800
801
802
803
	/*
	 * Now fragment the frame. This will allocate all the fragments and
	 * chain them (using skb as the first fragment) to skb->next.
	 * During transmission, we will remove the successfully transmitted
	 * fragments from this list. When the low-level driver rejects one
	 * of the fragments then we will simply pretend to accept the skb
	 * but store it away as pending.
	 */
	if (ieee80211_fragment(tx->local, skb, hdrlen, frag_threshold))
		return TX_DROP;
804

805
806
807
808
809
	/* update duration/seq/flags of fragments */
	fragnum = 0;
	do {
		int next_len;
		const __le16 morefrags = cpu_to_le16(IEEE80211_FCTL_MOREFRAGS);
810

811
812
		hdr = (void *)skb->data;
		info = IEEE80211_SKB_CB(skb);
813

814
815
816
		if (skb->next) {
			hdr->frame_control |= morefrags;
			next_len = skb->next->len;
817
818
819
820
821
822
823
824
825
826
			/*
			 * No multi-rate retries for fragmented frames, that
			 * would completely throw off the NAV at other STAs.
			 */
			info->control.rates[1].idx = -1;
			info->control.rates[2].idx = -1;
			info->control.rates[3].idx = -1;
			info->control.rates[4].idx = -1;
			BUILD_BUG_ON(IEEE80211_TX_MAX_RATES != 5);
			info->flags &= ~IEEE80211_TX_CTL_RATE_CTRL_PROBE;
827
828
829
		} else {
			hdr->frame_control &= ~morefrags;
			next_len = 0;
830
		}
831
832
833
834
		hdr->duration_id = ieee80211_duration(tx, 0, next_len);
		hdr->seq_ctrl |= cpu_to_le16(fragnum & IEEE80211_SCTL_FRAG);
		fragnum++;
	} while ((skb = skb->next));
835

836
	return TX_CONTINUE;
837
838
}

839
static ieee80211_tx_result debug_noinline
840
841
842
843
844
845
846
847
848
849
850
851
ieee80211_tx_h_encrypt(struct ieee80211_tx_data *tx)
{
	if (!tx->key)
		return TX_CONTINUE;

	switch (tx->key->conf.alg) {
	case ALG_WEP:
		return ieee80211_crypto_wep_encrypt(tx);
	case ALG_TKIP:
		return ieee80211_crypto_tkip_encrypt(tx);
	case ALG_CCMP:
		return ieee80211_crypto_ccmp_encrypt(tx);
852
853
	case ALG_AES_CMAC:
		return ieee80211_crypto_aes_cmac_encrypt(tx);
854
855
856
857
858
859
860
	}

	/* not reached */
	WARN_ON(1);
	return TX_DROP;
}

861
static ieee80211_tx_result debug_noinline
Johannes Berg's avatar
Johannes Berg committed
862
863
ieee80211_tx_h_calculate_duration(struct ieee80211_tx_data *tx)
{
864
865
866
867
	struct sk_buff *skb = tx->skb;
	struct ieee80211_hdr *hdr;
	int next_len;
	bool group_addr;
Johannes Berg's avatar
Johannes Berg committed
868

869
870
871
872
	do {
		hdr = (void *) skb->data;
		next_len = skb->next ? skb->next->len : 0;
		group_addr = is_multicast_ether_addr(hdr->addr1);
Johannes Berg's avatar
Johannes Berg committed
873

874
875
876
		hdr->duration_id =
			ieee80211_duration(tx, group_addr, next_len);
	} while ((skb = skb->next));
Johannes Berg's avatar
Johannes Berg committed
877
878
879
880

	return TX_CONTINUE;
}

881
static ieee80211_tx_result debug_noinline
882
ieee80211_tx_h_stats(struct ieee80211_tx_data *tx)
883
{
884
	struct sk_buff *skb = tx->skb;
885

886
887
	if (!tx->sta)
		return TX_CONTINUE;
888

889
	tx->sta->tx_packets++;
890
891
892
893
	do {
		tx->sta->tx_fragments++;
		tx->sta->tx_bytes += skb->len;
	} while ((skb = skb->next));
894

895
	return TX_CONTINUE;
896
897
898
899
900
901
902
903
}

/* actual transmit path */

/*
 * deal with packet injection down monitor interface
 * with Radiotap Header -- only called for monitor mode interface
 */
904
static ieee80211_tx_result
905
__ieee80211_parse_tx_radiotap(struct ieee80211_tx_data *tx,
906
			      struct sk_buff *skb)
907
908
909
910
911
912
913
914
915
916
917
918
{
	/*
	 * this is the moment to interpret and discard the radiotap header that
	 * must be at the start of the packet injected in Monitor mode
	 *
	 * Need to take some care with endian-ness since radiotap
	 * args are little-endian
	 */

	struct ieee80211_radiotap_iterator iterator;
	struct ieee80211_radiotap_header *rthdr =
		(struct ieee80211_radiotap_header *) skb->data;
919
	struct ieee80211_supported_band *sband;
920
921
	int ret = ieee80211_radiotap_iterator_init(&iterator, rthdr, skb->len);

922
	sband = tx->local->hw.wiphy->bands[tx->channel->band];
923

924
	skb->do_not_encrypt = 1;
925
	tx->flags &= ~IEEE80211_TX_FRAGMENTED;
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956

	/*
	 * for every radiotap entry that is present
	 * (ieee80211_radiotap_iterator_next returns -ENOENT when no more
	 * entries present, or -EINVAL on error)
	 */

	while (!ret) {
		ret = ieee80211_radiotap_iterator_next(&iterator);

		if (ret)
			continue;

		/* see if this argument is something we can use */
		switch (iterator.this_arg_index) {
		/*
		 * You must take care when dereferencing iterator.this_arg
		 * for multibyte types... the pointer is not aligned.  Use
		 * get_unaligned((type *)iterator.this_arg) to dereference
		 * iterator.this_arg for type "type" safely on all arches.
		*/
		case IEEE80211_RADIOTAP_FLAGS:
			if (*iterator.this_arg & IEEE80211_RADIOTAP_F_FCS) {
				/*
				 * this indicates that the skb we have been
				 * handed has the 32-bit FCS CRC at the end...
				 * we should react to that by snipping it off
				 * because it will be recomputed and added
				 * on transmission
				 */
				if (skb->len < (iterator.max_length + FCS_LEN))
957
					return TX_DROP;
958
959
960

				skb_trim(skb, skb->len - FCS_LEN);
			}
961
			if (*iterator.this_arg & IEEE80211_RADIOTAP_F_WEP)
962
				tx->skb->do_not_encrypt = 0;
963
			if (*iterator.this_arg & IEEE80211_RADIOTAP_F_FRAG)
964
				tx->flags |= IEEE80211_TX_FRAGMENTED;
965
966
			break;

967
968
969
970
971
972
		/*
		 * Please update the file
		 * Documentation/networking/mac80211-injection.txt
		 * when parsing new fields here.
		 */

973
974
975
976
977
978
		default:
			break;
		}
	}

	if (ret != -ENOENT) /* ie, if we didn't simply run out of fields */
979
		return TX_DROP;
980
981
982
983
984
985
986
987

	/*
	 * remove the radiotap header
	 * iterator->max_length was sanity-checked against
	 * skb->len by iterator init
	 */
	skb_pull(skb, iterator.max_length);

988
	return TX_CONTINUE;
989
990
}

991
992
993
/*
 * initialises @tx
 */
994
static ieee80211_tx_result
995
__ieee80211_tx_prepare(struct ieee80211_tx_data *tx,
996
		       struct sk_buff *skb,
997
		       struct net_device *dev)
998
999
{
	struct ieee80211_local *local = wdev_priv(dev->ieee80211_ptr);
1000
	struct ieee80211_hdr *hdr;
1001
	struct ieee80211_sub_if_data *sdata;
1002
	struct ieee80211_tx_info *info = IEEE80211_SKB_CB(skb);
Sujith's avatar
Sujith committed
1003
1004
	int hdrlen, tid;
	u8 *qc, *state;
1005
	bool queued = false;
1006
1007
1008
1009
1010
1011

	memset(tx, 0, sizeof(*tx));
	tx->skb = skb;
	tx->dev = dev; /* use original interface */
	tx->local = local;
	tx->sdata = IEEE80211_DEV_TO_SUB_IF(dev);
1012
	tx->channel = local->hw.conf.channel;
1013
	/*
1014
1015
	 * Set this flag (used below to indicate "automatic fragmentation"),
	 * it will be cleared/left by radiotap as desired.
1016
	 */
1017
	tx->flags |= IEEE80211_TX_FRAGMENTED;
1018
1019
1020

	/* process and remove the injection radiotap header */
	sdata = IEEE80211_DEV_TO_SUB_IF(dev);
1021
	if (unlikely(info->flags & IEEE80211_TX_CTL_INJECTED)) {
1022
1023
		if (__ieee80211_parse_tx_radiotap(tx, skb) == TX_DROP)
			return TX_DROP;
1024

1025
		/*
1026
1027
1028
		 * __ieee80211_parse_tx_radiotap has now removed
		 * the radiotap header that was present and pre-filled
		 * 'tx' with tx control information.
1029
1030
1031
		 */
	}

1032
1033
1034
1035
1036
1037
1038
	/*
	 * If this flag is set to true anywhere, and we get here,
	 * we are doing the needed processing, so remove the flag
	 * now.
	 */
	info->flags &= ~IEEE80211_TX_INTFL_NEED_TXPROCESSING;

1039
1040
	hdr = (struct ieee80211_hdr *) skb->data;

1041
	tx->sta = sta_info_get(local, hdr->addr1);
1042

1043
1044
	if (tx->sta && ieee80211_is_data_qos(hdr->frame_control) &&
	    (local->hw.flags & IEEE80211_HW_AMPDU_AGGREGATION)) {
1045
		unsigned long flags;
1046
1047
		struct tid_ampdu_tx *tid_tx;

Sujith's avatar
Sujith committed
1048
1049
1050
		qc = ieee80211_get_qos_ctl(hdr);
		tid = *qc & IEEE80211_QOS_CTL_TID_MASK;

1051
		spin_lock_irqsave(&tx->sta->lock, flags);
1052
1053
1054
1055
1056
1057
1058
1059
1060
1061
1062
1063
1064
1065
		/*
		 * XXX: This spinlock could be fairly expensive, but see the
		 *	comment in agg-tx.c:ieee80211_agg_tx_operational().
		 *	One way to solve this would be to do something RCU-like
		 *	for managing the tid_tx struct and using atomic bitops
		 *	for the actual state -- by introducing an actual
		 *	'operational' bit that would be possible. It would
		 *	require changing ieee80211_agg_tx_operational() to
		 *	set that bit, and changing the way tid_tx is managed
		 *	everywhere, including races between that bit and
		 *	tid_tx going away (tid_tx being added can be easily
		 *	committed to memory before the 'operational' bit).
		 */
		tid_tx = tx->sta->ampdu_mlme.tid_tx[tid];
Sujith's avatar
Sujith committed
1066
		state = &tx->sta->ampdu_mlme.tid_state_tx[tid];
1067
		if (*state == HT_AGG_STATE_OPERATIONAL) {
Sujith's avatar
Sujith committed
1068
			info->flags |= IEEE80211_TX_CTL_AMPDU;
1069
1070
1071
1072
1073
1074
		} else if (*state != HT_AGG_STATE_IDLE) {
			/* in progress */
			queued = true;
			info->flags |= IEEE80211_TX_INTFL_NEED_TXPROCESSING;
			__skb_queue_tail(&tid_tx->pending, skb);
		}
1075
		spin_unlock_irqrestore(&tx->sta->lock, flags);
1076
1077
1078

		if (unlikely(queued))
			return TX_QUEUED;
Sujith's avatar
Sujith committed
1079
1080
	}

1081
	if (is_multicast_ether_addr(hdr->addr1)) {
1082
		tx->flags &= ~IEEE80211_TX_UNICAST;
1083
		info->flags |= IEEE80211_TX_CTL_NO_ACK;
1084
	} else {
1085
		tx->flags |= IEEE80211_TX_UNICAST;
1086
		info->flags &= ~IEEE80211_TX_CTL_NO_ACK;
1087
	}
1088

1089
1090
	if (tx->flags & IEEE80211_TX_FRAGMENTED) {
		if ((tx->flags & IEEE80211_TX_UNICAST) &&
1091
		    skb->len + FCS_LEN > local->fragmentation_threshold &&
1092
		    !(info->flags & IEEE80211_TX_CTL_AMPDU))
1093
			tx->flags |= IEEE80211_TX_FRAGMENTED;
1094
		else
1095
			tx->flags &= ~IEEE80211_TX_FRAGMENTED;
1096
1097
	}

1098
	if (!tx->sta)
1099
		info->flags |= IEEE80211_TX_CTL_CLEAR_PS_FILT;
1100
	else if (test_and_clear_sta_flags(tx->sta, WLAN_STA_CLEAR_PS_FILT))
1101
		info->flags |= IEEE80211_TX_CTL_CLEAR_PS_FILT;
1102

1103
	hdrlen = ieee80211_hdrlen(hdr->frame_control);
1104
1105
1106
1107
	if (skb->len > hdrlen + sizeof(rfc1042_header) + 2) {
		u8 *pos = &skb->data[hdrlen + sizeof(rfc1042_header)];
		tx->ethertype = (pos[0] << 8) | pos[1];
	}
1108
	info->flags |= IEEE80211_TX_CTL_FIRST_FRAGMENT;
1109

1110
	return TX_CONTINUE;
1111
1112
}

1113
/*
1114
1115
 * NB: @tx is uninitialised when passed in here
 */
1116
1117
1118
static int ieee80211_tx_prepare(struct ieee80211_local *local,
				struct ieee80211_tx_data *tx,
				struct sk_buff *skb)
1119
1120
1121
{
	struct net_device *dev;

1122
	dev = dev_get_by_index(&init_net, skb->iif);
1123
	if (unlikely(dev && !is_ieee80211_device(local, dev))) {
1124
1125
1126
1127
1128
		dev_put(dev);
		dev = NULL;
	}
	if (unlikely(!dev))
		return -ENODEV;
1129
1130
1131
1132
1133
1134
1135
1136
	/*
	 * initialises tx with control
	 *
	 * return value is safe to ignore here because this function
	 * can only be invoked for multicast frames
	 *
	 * XXX: clean up
	 */
1137
	__ieee80211_tx_prepare(tx, skb, dev);
1138
	dev_put(dev);
1139
1140
1141
	return 0;
}

1142
static int __ieee80211_tx(struct ieee80211_local *local,
1143
1144
			  struct sk_buff **skbp,
			  struct sta_info *sta)
1145
{
1146
	struct sk_buff *skb = *skbp, *next;
1147
	struct ieee80211_tx_info *info;
1148
	int ret, len;
1149
	bool fragm = false;
1150

Johannes Berg's avatar