wcn36xx: Add chained transfer support for AMSDU

WCNSS RX DMA transfer support is limited to 3872 bytes, which is
enough for simple MPDUs (single MSDU), but not enough for cases
with A-MSDU (depending on max AMSDU size or max MPDU size).

In that case the MPDU is spread over multiple transfers, with the
first transfer containing the MPDU header and (at least) the first
A-MSDU subframe and additional transfer(s) containing the following
A-MSDUs. This can be handled with a series of flags to tagging the
first and last A-MSDU transfers.

In that case we have to bufferize and re-linearize the A-MSDU buffers
into a proper MPDU skb before forwarding to mac80211 (in the same way
as it is done in ath10k).

This change also includes sanity check of the buffer descriptor to
prevent skb overflow.

Signed-off-by: Loic Poulain <loic.poulain@linaro.org>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Link: https://lore.kernel.org/r/1634557705-11120-1-git-send-email-loic.poulain@linaro.org

diff --git a/drivers/net/wireless/ath/wcn36xx/main.c b/drivers/net/wireless/ath/wcn36xx/main.c
index 2ac8efa6fb12bf00a3ec87b1a5a244952ee309ce..80d818c5a64e966962d142faf51fa443afb4bf05 100644 (file)
--- a/drivers/net/wireless/ath/wcn36xx/main.c
+++ b/drivers/net/wireless/ath/wcn36xx/main.c
@@ -1499,6 +1499,7 @@ static int wcn36xx_probe(struct platform_device *pdev)
        mutex_init(&wcn->conf_mutex);
        mutex_init(&wcn->hal_mutex);
        mutex_init(&wcn->scan_lock);
+       __skb_queue_head_init(&wcn->amsdu);
 
        wcn->hal_buf = devm_kmalloc(wcn->dev, WCN36XX_HAL_BUF_SIZE, GFP_KERNEL);
        if (!wcn->hal_buf) {
@@ -1576,6 +1577,8 @@ static int wcn36xx_remove(struct platform_device *pdev)
        iounmap(wcn->dxe_base);
        iounmap(wcn->ccu_base);
 
+       __skb_queue_purge(&wcn->amsdu);
+
        mutex_destroy(&wcn->hal_mutex);
        ieee80211_free_hw(hw);
 

diff --git a/drivers/net/wireless/ath/wcn36xx/smd.c b/drivers/net/wireless/ath/wcn36xx/smd.c
index 3979171c92dd20b145085cd6775fea7e6e599357..3cecc8f9c96472bebf69e0cd821aaeb047b52379 100644 (file)
--- a/drivers/net/wireless/ath/wcn36xx/smd.c
+++ b/drivers/net/wireless/ath/wcn36xx/smd.c
@@ -266,7 +266,8 @@ static void wcn36xx_smd_set_sta_ht_params(struct ieee80211_sta *sta,
 
                sta_params->max_ampdu_size = sta->ht_cap.ampdu_factor;
                sta_params->max_ampdu_density = sta->ht_cap.ampdu_density;
-               sta_params->max_amsdu_size = is_cap_supported(caps,
+               /* max_amsdu_size: 1 : 3839 bytes, 0 : 7935 bytes (max) */
+               sta_params->max_amsdu_size = !is_cap_supported(caps,
                        IEEE80211_HT_CAP_MAX_AMSDU);
                sta_params->sgi_20Mhz = is_cap_supported(caps,
                        IEEE80211_HT_CAP_SGI_20);

diff --git a/drivers/net/wireless/ath/wcn36xx/txrx.c b/drivers/net/wireless/ath/wcn36xx/txrx.c
index c0f51fa13dfa1a62e1bbe5860a6a4b92234ad193..81db90f8e3c380c425c90ce249603f76ddf00082 100644 (file)
--- a/drivers/net/wireless/ath/wcn36xx/txrx.c
+++ b/drivers/net/wireless/ath/wcn36xx/txrx.c
@@ -231,6 +231,41 @@ static const struct wcn36xx_rate wcn36xx_rate_table[] = {
        { 4333, 9, RX_ENC_VHT, RX_ENC_FLAG_SHORT_GI, RATE_INFO_BW_80 },
 };
 
+static struct sk_buff *wcn36xx_unchain_msdu(struct sk_buff_head *amsdu)
+{
+       struct sk_buff *skb, *first;
+       int total_len = 0;
+       int space;
+
+       first = __skb_dequeue(amsdu);
+
+       skb_queue_walk(amsdu, skb)
+               total_len += skb->len;
+
+       space = total_len - skb_tailroom(first);
+       if (space > 0 && pskb_expand_head(first, 0, space, GFP_ATOMIC) < 0) {
+               __skb_queue_head(amsdu, first);
+               return NULL;
+       }
+
+       /* Walk list again, copying contents into msdu_head */
+       while ((skb = __skb_dequeue(amsdu))) {
+               skb_copy_from_linear_data(skb, skb_put(first, skb->len),
+                                         skb->len);
+               dev_kfree_skb_irq(skb);
+       }
+
+       return first;
+}
+
+static void __skb_queue_purge_irq(struct sk_buff_head *list)
+{
+       struct sk_buff *skb;
+
+       while ((skb = __skb_dequeue(list)) != NULL)
+               dev_kfree_skb_irq(skb);
+}
+
 int wcn36xx_rx_skb(struct wcn36xx *wcn, struct sk_buff *skb)
 {
        struct ieee80211_rx_status status;
@@ -252,6 +287,26 @@ int wcn36xx_rx_skb(struct wcn36xx *wcn, struct sk_buff *skb)
                         "BD   <<< ", (char *)bd,
                         sizeof(struct wcn36xx_rx_bd));
 
+       if (bd->pdu.mpdu_data_off <= bd->pdu.mpdu_header_off ||
+           bd->pdu.mpdu_len < bd->pdu.mpdu_header_len)
+               goto drop;
+
+       if (bd->asf && !bd->esf) { /* chained A-MSDU chunks */
+               /* Sanity check */
+               if (bd->pdu.mpdu_data_off + bd->pdu.mpdu_len > WCN36XX_PKT_SIZE)
+                       goto drop;
+
+               skb_put(skb, bd->pdu.mpdu_data_off + bd->pdu.mpdu_len);
+               skb_pull(skb, bd->pdu.mpdu_data_off);
+
+               /* Only set status for first chained BD (with mac header) */
+               goto done;
+       }
+
+       if (bd->pdu.mpdu_header_off < sizeof(*bd) ||
+           bd->pdu.mpdu_header_off + bd->pdu.mpdu_len > WCN36XX_PKT_SIZE)
+               goto drop;
+
        skb_put(skb, bd->pdu.mpdu_header_off + bd->pdu.mpdu_len);
        skb_pull(skb, bd->pdu.mpdu_header_off);
 
@@ -328,9 +383,37 @@ int wcn36xx_rx_skb(struct wcn36xx *wcn, struct sk_buff *skb)
                                 (char *)skb->data, skb->len);
        }
 
+done:
+       /*  Chained AMSDU ? slow path */
+       if (unlikely(bd->asf && !(bd->lsf && bd->esf))) {
+               if (bd->esf && !skb_queue_empty(&wcn->amsdu)) {
+                       wcn36xx_err("Discarding non complete chain");
+                       __skb_queue_purge_irq(&wcn->amsdu);
+               }
+
+               __skb_queue_tail(&wcn->amsdu, skb);
+
+               if (!bd->lsf)
+                       return 0; /* Not the last AMSDU, wait for more */
+
+               skb = wcn36xx_unchain_msdu(&wcn->amsdu);
+               if (!skb)
+                       goto drop;
+       }
+
        ieee80211_rx_irqsafe(wcn->hw, skb);
 
        return 0;
+
+drop: /* drop everything */
+       wcn36xx_err("Drop frame! skb:%p len:%u hoff:%u doff:%u asf=%u esf=%u lsf=%u\n",
+                   skb, bd->pdu.mpdu_len, bd->pdu.mpdu_header_off,
+                   bd->pdu.mpdu_data_off, bd->asf, bd->esf, bd->lsf);
+
+       dev_kfree_skb_irq(skb);
+       __skb_queue_purge_irq(&wcn->amsdu);
+
+       return -EINVAL;
 }
 
 static void wcn36xx_set_tx_pdu(struct wcn36xx_tx_bd *bd,

diff --git a/drivers/net/wireless/ath/wcn36xx/wcn36xx.h b/drivers/net/wireless/ath/wcn36xx/wcn36xx.h
index add6e527e83306eaa1a841c3b7c793f5289b692b..ae63bc6916d6605ece139a3f63b4a9e11e5e41a5 100644 (file)
--- a/drivers/net/wireless/ath/wcn36xx/wcn36xx.h
+++ b/drivers/net/wireless/ath/wcn36xx/wcn36xx.h
@@ -269,6 +269,9 @@ struct wcn36xx {
        struct sk_buff          *tx_ack_skb;
        struct timer_list       tx_ack_timer;
 
+       /* For A-MSDU re-aggregation */
+       struct sk_buff_head amsdu;
+
        /* RF module */
        unsigned                rf_id;
 
@@ -276,7 +279,6 @@ struct wcn36xx {
        /* Debug file system entry */
        struct wcn36xx_dfs_entry    dfs;
 #endif /* CONFIG_WCN36XX_DEBUGFS */
-
 };
 
 static inline bool wcn36xx_is_fw_version(struct wcn36xx *wcn,