1 /*
2  * Atheros CARL9170 driver
3  *
4  * 802.11 & command trap routines
5  *
6  * Copyright 2008, Johannes Berg <johannes@sipsolutions.net>
7  * Copyright 2009, 2010, Christian Lamparter <chunkeey@googlemail.com>
8  *
9  * This program is free software; you can redistribute it and/or modify
10  * it under the terms of the GNU General Public License as published by
11  * the Free Software Foundation; either version 2 of the License, or
12  * (at your option) any later version.
13  *
14  * This program is distributed in the hope that it will be useful,
15  * but WITHOUT ANY WARRANTY; without even the implied warranty of
16  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
17  * GNU General Public License for more details.
18  *
19  * You should have received a copy of the GNU General Public License
20  * along with this program; see the file COPYING.  If not, see
21  * http://www.gnu.org/licenses/.
22  *
23  * This file incorporates work covered by the following copyright and
24  * permission notice:
25  *    Copyright (c) 2007-2008 Atheros Communications, Inc.
26  *
27  *    Permission to use, copy, modify, and/or distribute this software for any
28  *    purpose with or without fee is hereby granted, provided that the above
29  *    copyright notice and this permission notice appear in all copies.
30  *
31  *    THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
32  *    WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
33  *    MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
34  *    ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
35  *    WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
36  *    ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
37  *    OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
38  */
39 
40 #include <linux/init.h>
41 #include <linux/slab.h>
42 #include <linux/module.h>
43 #include <linux/etherdevice.h>
44 #include <linux/crc32.h>
45 #include <net/mac80211.h>
46 #include "carl9170.h"
47 #include "hw.h"
48 #include "cmd.h"
49 
50 static void carl9170_dbg_message(struct ar9170 *ar, const char *buf, u32 len)
51 {
52 	bool restart = false;
53 	enum carl9170_restart_reasons reason = CARL9170_RR_NO_REASON;
54 
55 	if (len > 3) {
56 		if (memcmp(buf, CARL9170_ERR_MAGIC, 3) == 0) {
57 			ar->fw.err_counter++;
58 			if (ar->fw.err_counter > 3) {
59 				restart = true;
60 				reason = CARL9170_RR_TOO_MANY_FIRMWARE_ERRORS;
61 			}
62 		}
63 
64 		if (memcmp(buf, CARL9170_BUG_MAGIC, 3) == 0) {
65 			ar->fw.bug_counter++;
66 			restart = true;
67 			reason = CARL9170_RR_FATAL_FIRMWARE_ERROR;
68 		}
69 	}
70 
71 	wiphy_info(ar->hw->wiphy, "FW: %.*s\n", len, buf);
72 
73 	if (restart)
74 		carl9170_restart(ar, reason);
75 }
76 
77 static void carl9170_handle_ps(struct ar9170 *ar, struct carl9170_rsp *rsp)
78 {
79 	u32 ps;
80 	bool new_ps;
81 
82 	ps = le32_to_cpu(rsp->psm.state);
83 
84 	new_ps = (ps & CARL9170_PSM_COUNTER) != CARL9170_PSM_WAKE;
85 	if (ar->ps.state != new_ps) {
86 		if (!new_ps) {
87 			ar->ps.sleep_ms = jiffies_to_msecs(jiffies -
88 				ar->ps.last_action);
89 		}
90 
91 		ar->ps.last_action = jiffies;
92 
93 		ar->ps.state = new_ps;
94 	}
95 }
96 
97 static int carl9170_check_sequence(struct ar9170 *ar, unsigned int seq)
98 {
99 	if (ar->cmd_seq < -1)
100 		return 0;
101 
102 	/*
103 	 * Initialize Counter
104 	 */
105 	if (ar->cmd_seq < 0)
106 		ar->cmd_seq = seq;
107 
108 	/*
109 	 * The sequence is strictly monotonic increasing and it never skips!
110 	 *
111 	 * Therefore we can safely assume that whenever we received an
112 	 * unexpected sequence we have lost some valuable data.
113 	 */
114 	if (seq != ar->cmd_seq) {
115 		int count;
116 
117 		count = (seq - ar->cmd_seq) % ar->fw.cmd_bufs;
118 
119 		wiphy_err(ar->hw->wiphy, "lost %d command responses/traps! "
120 			  "w:%d g:%d\n", count, ar->cmd_seq, seq);
121 
122 		carl9170_restart(ar, CARL9170_RR_LOST_RSP);
123 		return -EIO;
124 	}
125 
126 	ar->cmd_seq = (ar->cmd_seq + 1) % ar->fw.cmd_bufs;
127 	return 0;
128 }
129 
130 static void carl9170_cmd_callback(struct ar9170 *ar, u32 len, void *buffer)
131 {
132 	/*
133 	 * Some commands may have a variable response length
134 	 * and we cannot predict the correct length in advance.
135 	 * So we only check if we provided enough space for the data.
136 	 */
137 	if (unlikely(ar->readlen != (len - 4))) {
138 		dev_warn(&ar->udev->dev, "received invalid command response:"
139 			 "got %d, instead of %d\n", len - 4, ar->readlen);
140 		print_hex_dump_bytes("carl9170 cmd:", DUMP_PREFIX_OFFSET,
141 			ar->cmd_buf, (ar->cmd.hdr.len + 4) & 0x3f);
142 		print_hex_dump_bytes("carl9170 rsp:", DUMP_PREFIX_OFFSET,
143 			buffer, len);
144 		/*
145 		 * Do not complete. The command times out,
146 		 * and we get a stack trace from there.
147 		 */
148 		carl9170_restart(ar, CARL9170_RR_INVALID_RSP);
149 	}
150 
151 	spin_lock(&ar->cmd_lock);
152 	if (ar->readbuf) {
153 		if (len >= 4)
154 			memcpy(ar->readbuf, buffer + 4, len - 4);
155 
156 		ar->readbuf = NULL;
157 	}
158 	complete(&ar->cmd_wait);
159 	spin_unlock(&ar->cmd_lock);
160 }
161 
162 void carl9170_handle_command_response(struct ar9170 *ar, void *buf, u32 len)
163 {
164 	struct carl9170_rsp *cmd = buf;
165 	struct ieee80211_vif *vif;
166 
167 	if ((cmd->hdr.cmd & CARL9170_RSP_FLAG) != CARL9170_RSP_FLAG) {
168 		if (!(cmd->hdr.cmd & CARL9170_CMD_ASYNC_FLAG))
169 			carl9170_cmd_callback(ar, len, buf);
170 
171 		return;
172 	}
173 
174 	if (unlikely(cmd->hdr.len != (len - 4))) {
175 		if (net_ratelimit()) {
176 			wiphy_err(ar->hw->wiphy, "FW: received over-/under"
177 				"sized event %x (%d, but should be %d).\n",
178 			       cmd->hdr.cmd, cmd->hdr.len, len - 4);
179 
180 			print_hex_dump_bytes("dump:", DUMP_PREFIX_NONE,
181 					     buf, len);
182 		}
183 
184 		return;
185 	}
186 
187 	/* hardware event handlers */
188 	switch (cmd->hdr.cmd) {
189 	case CARL9170_RSP_PRETBTT:
190 		/* pre-TBTT event */
191 		rcu_read_lock();
192 		vif = carl9170_get_main_vif(ar);
193 
194 		if (!vif) {
195 			rcu_read_unlock();
196 			break;
197 		}
198 
199 		switch (vif->type) {
200 		case NL80211_IFTYPE_STATION:
201 			carl9170_handle_ps(ar, cmd);
202 			break;
203 
204 		case NL80211_IFTYPE_AP:
205 		case NL80211_IFTYPE_ADHOC:
206 		case NL80211_IFTYPE_MESH_POINT:
207 			carl9170_update_beacon(ar, true);
208 			break;
209 
210 		default:
211 			break;
212 		}
213 		rcu_read_unlock();
214 
215 		break;
216 
217 
218 	case CARL9170_RSP_TXCOMP:
219 		/* TX status notification */
220 		carl9170_tx_process_status(ar, cmd);
221 		break;
222 
223 	case CARL9170_RSP_BEACON_CONFIG:
224 		/*
225 		 * (IBSS) beacon send notification
226 		 * bytes: 04 c2 XX YY B4 B3 B2 B1
227 		 *
228 		 * XX always 80
229 		 * YY always 00
230 		 * B1-B4 "should" be the number of send out beacons.
231 		 */
232 		break;
233 
234 	case CARL9170_RSP_ATIM:
235 		/* End of Atim Window */
236 		break;
237 
238 	case CARL9170_RSP_WATCHDOG:
239 		/* Watchdog Interrupt */
240 		carl9170_restart(ar, CARL9170_RR_WATCHDOG);
241 		break;
242 
243 	case CARL9170_RSP_TEXT:
244 		/* firmware debug */
245 		carl9170_dbg_message(ar, (char *)buf + 4, len - 4);
246 		break;
247 
248 	case CARL9170_RSP_HEXDUMP:
249 		wiphy_dbg(ar->hw->wiphy, "FW: HD %d\n", len - 4);
250 		print_hex_dump_bytes("FW:", DUMP_PREFIX_NONE,
251 				     (char *)buf + 4, len - 4);
252 		break;
253 
254 	case CARL9170_RSP_RADAR:
255 		if (!net_ratelimit())
256 			break;
257 
258 		wiphy_info(ar->hw->wiphy, "FW: RADAR! Please report this "
259 		       "incident to linux-wireless@vger.kernel.org !\n");
260 		break;
261 
262 	case CARL9170_RSP_GPIO:
263 #ifdef CONFIG_CARL9170_WPC
264 		if (ar->wps.pbc) {
265 			bool state = !!(cmd->gpio.gpio & cpu_to_le32(
266 				AR9170_GPIO_PORT_WPS_BUTTON_PRESSED));
267 
268 			if (state != ar->wps.pbc_state) {
269 				ar->wps.pbc_state = state;
270 				input_report_key(ar->wps.pbc, KEY_WPS_BUTTON,
271 						 state);
272 				input_sync(ar->wps.pbc);
273 			}
274 		}
275 #endif /* CONFIG_CARL9170_WPC */
276 		break;
277 
278 	case CARL9170_RSP_BOOT:
279 		complete(&ar->fw_boot_wait);
280 		break;
281 
282 	default:
283 		wiphy_err(ar->hw->wiphy, "FW: received unhandled event %x\n",
284 			cmd->hdr.cmd);
285 		print_hex_dump_bytes("dump:", DUMP_PREFIX_NONE, buf, len);
286 		break;
287 	}
288 }
289 
290 static int carl9170_rx_mac_status(struct ar9170 *ar,
291 	struct ar9170_rx_head *head, struct ar9170_rx_macstatus *mac,
292 	struct ieee80211_rx_status *status)
293 {
294 	struct ieee80211_channel *chan;
295 	u8 error, decrypt;
296 
297 	BUILD_BUG_ON(sizeof(struct ar9170_rx_head) != 12);
298 	BUILD_BUG_ON(sizeof(struct ar9170_rx_macstatus) != 4);
299 
300 	error = mac->error;
301 
302 	if (error & AR9170_RX_ERROR_WRONG_RA) {
303 		if (!ar->sniffer_enabled)
304 			return -EINVAL;
305 	}
306 
307 	if (error & AR9170_RX_ERROR_PLCP) {
308 		if (!(ar->filter_state & FIF_PLCPFAIL))
309 			return -EINVAL;
310 
311 		status->flag |= RX_FLAG_FAILED_PLCP_CRC;
312 	}
313 
314 	if (error & AR9170_RX_ERROR_FCS) {
315 		ar->tx_fcs_errors++;
316 
317 		if (!(ar->filter_state & FIF_FCSFAIL))
318 			return -EINVAL;
319 
320 		status->flag |= RX_FLAG_FAILED_FCS_CRC;
321 	}
322 
323 	decrypt = ar9170_get_decrypt_type(mac);
324 	if (!(decrypt & AR9170_RX_ENC_SOFTWARE) &&
325 	    decrypt != AR9170_ENC_ALG_NONE) {
326 		if ((decrypt == AR9170_ENC_ALG_TKIP) &&
327 		    (error & AR9170_RX_ERROR_MMIC))
328 			status->flag |= RX_FLAG_MMIC_ERROR;
329 
330 		status->flag |= RX_FLAG_DECRYPTED;
331 	}
332 
333 	if (error & AR9170_RX_ERROR_DECRYPT && !ar->sniffer_enabled)
334 		return -ENODATA;
335 
336 	error &= ~(AR9170_RX_ERROR_MMIC |
337 		   AR9170_RX_ERROR_FCS |
338 		   AR9170_RX_ERROR_WRONG_RA |
339 		   AR9170_RX_ERROR_DECRYPT |
340 		   AR9170_RX_ERROR_PLCP);
341 
342 	/* drop any other error frames */
343 	if (unlikely(error)) {
344 		/* TODO: update netdevice's RX dropped/errors statistics */
345 
346 		if (net_ratelimit())
347 			wiphy_dbg(ar->hw->wiphy, "received frame with "
348 			       "suspicious error code (%#x).\n", error);
349 
350 		return -EINVAL;
351 	}
352 
353 	chan = ar->channel;
354 	if (chan) {
355 		status->band = chan->band;
356 		status->freq = chan->center_freq;
357 	}
358 
359 	switch (mac->status & AR9170_RX_STATUS_MODULATION) {
360 	case AR9170_RX_STATUS_MODULATION_CCK:
361 		if (mac->status & AR9170_RX_STATUS_SHORT_PREAMBLE)
362 			status->flag |= RX_FLAG_SHORTPRE;
363 		switch (head->plcp[0]) {
364 		case AR9170_RX_PHY_RATE_CCK_1M:
365 			status->rate_idx = 0;
366 			break;
367 		case AR9170_RX_PHY_RATE_CCK_2M:
368 			status->rate_idx = 1;
369 			break;
370 		case AR9170_RX_PHY_RATE_CCK_5M:
371 			status->rate_idx = 2;
372 			break;
373 		case AR9170_RX_PHY_RATE_CCK_11M:
374 			status->rate_idx = 3;
375 			break;
376 		default:
377 			if (net_ratelimit()) {
378 				wiphy_err(ar->hw->wiphy, "invalid plcp cck "
379 				       "rate (%x).\n", head->plcp[0]);
380 			}
381 
382 			return -EINVAL;
383 		}
384 		break;
385 
386 	case AR9170_RX_STATUS_MODULATION_DUPOFDM:
387 	case AR9170_RX_STATUS_MODULATION_OFDM:
388 		switch (head->plcp[0] & 0xf) {
389 		case AR9170_TXRX_PHY_RATE_OFDM_6M:
390 			status->rate_idx = 0;
391 			break;
392 		case AR9170_TXRX_PHY_RATE_OFDM_9M:
393 			status->rate_idx = 1;
394 			break;
395 		case AR9170_TXRX_PHY_RATE_OFDM_12M:
396 			status->rate_idx = 2;
397 			break;
398 		case AR9170_TXRX_PHY_RATE_OFDM_18M:
399 			status->rate_idx = 3;
400 			break;
401 		case AR9170_TXRX_PHY_RATE_OFDM_24M:
402 			status->rate_idx = 4;
403 			break;
404 		case AR9170_TXRX_PHY_RATE_OFDM_36M:
405 			status->rate_idx = 5;
406 			break;
407 		case AR9170_TXRX_PHY_RATE_OFDM_48M:
408 			status->rate_idx = 6;
409 			break;
410 		case AR9170_TXRX_PHY_RATE_OFDM_54M:
411 			status->rate_idx = 7;
412 			break;
413 		default:
414 			if (net_ratelimit()) {
415 				wiphy_err(ar->hw->wiphy, "invalid plcp ofdm "
416 					"rate (%x).\n", head->plcp[0]);
417 			}
418 
419 			return -EINVAL;
420 		}
421 		if (status->band == IEEE80211_BAND_2GHZ)
422 			status->rate_idx += 4;
423 		break;
424 
425 	case AR9170_RX_STATUS_MODULATION_HT:
426 		if (head->plcp[3] & 0x80)
427 			status->flag |= RX_FLAG_40MHZ;
428 		if (head->plcp[6] & 0x80)
429 			status->flag |= RX_FLAG_SHORT_GI;
430 
431 		status->rate_idx = clamp(0, 75, head->plcp[3] & 0x7f);
432 		status->flag |= RX_FLAG_HT;
433 		break;
434 
435 	default:
436 		BUG();
437 		return -ENOSYS;
438 	}
439 
440 	return 0;
441 }
442 
443 static void carl9170_rx_phy_status(struct ar9170 *ar,
444 	struct ar9170_rx_phystatus *phy, struct ieee80211_rx_status *status)
445 {
446 	int i;
447 
448 	BUILD_BUG_ON(sizeof(struct ar9170_rx_phystatus) != 20);
449 
450 	for (i = 0; i < 3; i++)
451 		if (phy->rssi[i] != 0x80)
452 			status->antenna |= BIT(i);
453 
454 	/* post-process RSSI */
455 	for (i = 0; i < 7; i++)
456 		if (phy->rssi[i] & 0x80)
457 			phy->rssi[i] = ((phy->rssi[i] & 0x7f) + 1) & 0x7f;
458 
459 	/* TODO: we could do something with phy_errors */
460 	status->signal = ar->noise[0] + phy->rssi_combined;
461 }
462 
463 static struct sk_buff *carl9170_rx_copy_data(u8 *buf, int len)
464 {
465 	struct sk_buff *skb;
466 	int reserved = 0;
467 	struct ieee80211_hdr *hdr = (void *) buf;
468 
469 	if (ieee80211_is_data_qos(hdr->frame_control)) {
470 		u8 *qc = ieee80211_get_qos_ctl(hdr);
471 		reserved += NET_IP_ALIGN;
472 
473 		if (*qc & IEEE80211_QOS_CTL_A_MSDU_PRESENT)
474 			reserved += NET_IP_ALIGN;
475 	}
476 
477 	if (ieee80211_has_a4(hdr->frame_control))
478 		reserved += NET_IP_ALIGN;
479 
480 	reserved = 32 + (reserved & NET_IP_ALIGN);
481 
482 	skb = dev_alloc_skb(len + reserved);
483 	if (likely(skb)) {
484 		skb_reserve(skb, reserved);
485 		memcpy(skb_put(skb, len), buf, len);
486 	}
487 
488 	return skb;
489 }
490 
491 static u8 *carl9170_find_ie(u8 *data, unsigned int len, u8 ie)
492 {
493 	struct ieee80211_mgmt *mgmt = (void *)data;
494 	u8 *pos, *end;
495 
496 	pos = (u8 *)mgmt->u.beacon.variable;
497 	end = data + len;
498 	while (pos < end) {
499 		if (pos + 2 + pos[1] > end)
500 			return NULL;
501 
502 		if (pos[0] == ie)
503 			return pos;
504 
505 		pos += 2 + pos[1];
506 	}
507 	return NULL;
508 }
509 
510 /*
511  * NOTE:
512  *
513  * The firmware is in charge of waking up the device just before
514  * the AP is expected to transmit the next beacon.
515  *
516  * This leaves the driver with the important task of deciding when
517  * to set the PHY back to bed again.
518  */
519 static void carl9170_ps_beacon(struct ar9170 *ar, void *data, unsigned int len)
520 {
521 	struct ieee80211_hdr *hdr = data;
522 	struct ieee80211_tim_ie *tim_ie;
523 	u8 *tim;
524 	u8 tim_len;
525 	bool cam;
526 
527 	if (likely(!(ar->hw->conf.flags & IEEE80211_CONF_PS)))
528 		return;
529 
530 	/* check if this really is a beacon */
531 	if (!ieee80211_is_beacon(hdr->frame_control))
532 		return;
533 
534 	/* min. beacon length + FCS_LEN */
535 	if (len <= 40 + FCS_LEN)
536 		return;
537 
538 	/* and only beacons from the associated BSSID, please */
539 	if (!ether_addr_equal(hdr->addr3, ar->common.curbssid) ||
540 	    !ar->common.curaid)
541 		return;
542 
543 	ar->ps.last_beacon = jiffies;
544 
545 	tim = carl9170_find_ie(data, len - FCS_LEN, WLAN_EID_TIM);
546 	if (!tim)
547 		return;
548 
549 	if (tim[1] < sizeof(*tim_ie))
550 		return;
551 
552 	tim_len = tim[1];
553 	tim_ie = (struct ieee80211_tim_ie *) &tim[2];
554 
555 	if (!WARN_ON_ONCE(!ar->hw->conf.ps_dtim_period))
556 		ar->ps.dtim_counter = (tim_ie->dtim_count - 1) %
557 			ar->hw->conf.ps_dtim_period;
558 
559 	/* Check whenever the PHY can be turned off again. */
560 
561 	/* 1. What about buffered unicast traffic for our AID? */
562 	cam = ieee80211_check_tim(tim_ie, tim_len, ar->common.curaid);
563 
564 	/* 2. Maybe the AP wants to send multicast/broadcast data? */
565 	cam |= !!(tim_ie->bitmap_ctrl & 0x01);
566 
567 	if (!cam) {
568 		/* back to low-power land. */
569 		ar->ps.off_override &= ~PS_OFF_BCN;
570 		carl9170_ps_check(ar);
571 	} else {
572 		/* force CAM */
573 		ar->ps.off_override |= PS_OFF_BCN;
574 	}
575 }
576 
577 static void carl9170_ba_check(struct ar9170 *ar, void *data, unsigned int len)
578 {
579 	struct ieee80211_bar *bar = (void *) data;
580 	struct carl9170_bar_list_entry *entry;
581 	unsigned int queue;
582 
583 	if (likely(!ieee80211_is_back(bar->frame_control)))
584 		return;
585 
586 	if (len <= sizeof(*bar) + FCS_LEN)
587 		return;
588 
589 	queue = TID_TO_WME_AC(((le16_to_cpu(bar->control) &
590 		IEEE80211_BAR_CTRL_TID_INFO_MASK) >>
591 		IEEE80211_BAR_CTRL_TID_INFO_SHIFT) & 7);
592 
593 	rcu_read_lock();
594 	list_for_each_entry_rcu(entry, &ar->bar_list[queue], list) {
595 		struct sk_buff *entry_skb = entry->skb;
596 		struct _carl9170_tx_superframe *super = (void *)entry_skb->data;
597 		struct ieee80211_bar *entry_bar = (void *)super->frame_data;
598 
599 #define TID_CHECK(a, b) (						\
600 	((a) & cpu_to_le16(IEEE80211_BAR_CTRL_TID_INFO_MASK)) ==	\
601 	((b) & cpu_to_le16(IEEE80211_BAR_CTRL_TID_INFO_MASK)))		\
602 
603 		if (bar->start_seq_num == entry_bar->start_seq_num &&
604 		    TID_CHECK(bar->control, entry_bar->control) &&
605 		    ether_addr_equal(bar->ra, entry_bar->ta) &&
606 		    ether_addr_equal(bar->ta, entry_bar->ra)) {
607 			struct ieee80211_tx_info *tx_info;
608 
609 			tx_info = IEEE80211_SKB_CB(entry_skb);
610 			tx_info->flags |= IEEE80211_TX_STAT_ACK;
611 
612 			spin_lock_bh(&ar->bar_list_lock[queue]);
613 			list_del_rcu(&entry->list);
614 			spin_unlock_bh(&ar->bar_list_lock[queue]);
615 			kfree_rcu(entry, head);
616 			break;
617 		}
618 	}
619 	rcu_read_unlock();
620 
621 #undef TID_CHECK
622 }
623 
624 static bool carl9170_ampdu_check(struct ar9170 *ar, u8 *buf, u8 ms,
625 				 struct ieee80211_rx_status *rx_status)
626 {
627 	__le16 fc;
628 
629 	if ((ms & AR9170_RX_STATUS_MPDU) == AR9170_RX_STATUS_MPDU_SINGLE) {
630 		/*
631 		 * This frame is not part of an aMPDU.
632 		 * Therefore it is not subjected to any
633 		 * of the following content restrictions.
634 		 */
635 		return true;
636 	}
637 
638 	rx_status->flag |= RX_FLAG_AMPDU_DETAILS | RX_FLAG_AMPDU_LAST_KNOWN;
639 	rx_status->ampdu_reference = ar->ampdu_ref;
640 
641 	/*
642 	 * "802.11n - 7.4a.3 A-MPDU contents" describes in which contexts
643 	 * certain frame types can be part of an aMPDU.
644 	 *
645 	 * In order to keep the processing cost down, I opted for a
646 	 * stateless filter solely based on the frame control field.
647 	 */
648 
649 	fc = ((struct ieee80211_hdr *)buf)->frame_control;
650 	if (ieee80211_is_data_qos(fc) && ieee80211_is_data_present(fc))
651 		return true;
652 
653 	if (ieee80211_is_ack(fc) || ieee80211_is_back(fc) ||
654 	    ieee80211_is_back_req(fc))
655 		return true;
656 
657 	if (ieee80211_is_action(fc))
658 		return true;
659 
660 	return false;
661 }
662 
663 static int carl9170_handle_mpdu(struct ar9170 *ar, u8 *buf, int len,
664 				struct ieee80211_rx_status *status)
665 {
666 	struct sk_buff *skb;
667 
668 	/* (driver) frame trap handler
669 	 *
670 	 * Because power-saving mode handing has to be implemented by
671 	 * the driver/firmware. We have to check each incoming beacon
672 	 * from the associated AP, if there's new data for us (either
673 	 * broadcast/multicast or unicast) we have to react quickly.
674 	 *
675 	 * So, if you have you want to add additional frame trap
676 	 * handlers, this would be the perfect place!
677 	 */
678 
679 	carl9170_ps_beacon(ar, buf, len);
680 
681 	carl9170_ba_check(ar, buf, len);
682 
683 	skb = carl9170_rx_copy_data(buf, len);
684 	if (!skb)
685 		return -ENOMEM;
686 
687 	memcpy(IEEE80211_SKB_RXCB(skb), status, sizeof(*status));
688 	ieee80211_rx(ar->hw, skb);
689 	return 0;
690 }
691 
692 /*
693  * If the frame alignment is right (or the kernel has
694  * CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS), and there
695  * is only a single MPDU in the USB frame, then we could
696  * submit to mac80211 the SKB directly. However, since
697  * there may be multiple packets in one SKB in stream
698  * mode, and we need to observe the proper ordering,
699  * this is non-trivial.
700  */
701 static void carl9170_rx_untie_data(struct ar9170 *ar, u8 *buf, int len)
702 {
703 	struct ar9170_rx_head *head;
704 	struct ar9170_rx_macstatus *mac;
705 	struct ar9170_rx_phystatus *phy = NULL;
706 	struct ieee80211_rx_status status;
707 	int mpdu_len;
708 	u8 mac_status;
709 
710 	if (!IS_STARTED(ar))
711 		return;
712 
713 	if (unlikely(len < sizeof(*mac)))
714 		goto drop;
715 
716 	memset(&status, 0, sizeof(status));
717 
718 	mpdu_len = len - sizeof(*mac);
719 
720 	mac = (void *)(buf + mpdu_len);
721 	mac_status = mac->status;
722 	switch (mac_status & AR9170_RX_STATUS_MPDU) {
723 	case AR9170_RX_STATUS_MPDU_FIRST:
724 		ar->ampdu_ref++;
725 		/* Aggregated MPDUs start with an PLCP header */
726 		if (likely(mpdu_len >= sizeof(struct ar9170_rx_head))) {
727 			head = (void *) buf;
728 
729 			/*
730 			 * The PLCP header needs to be cached for the
731 			 * following MIDDLE + LAST A-MPDU packets.
732 			 *
733 			 * So, if you are wondering why all frames seem
734 			 * to share a common RX status information,
735 			 * then you have the answer right here...
736 			 */
737 			memcpy(&ar->rx_plcp, (void *) buf,
738 			       sizeof(struct ar9170_rx_head));
739 
740 			mpdu_len -= sizeof(struct ar9170_rx_head);
741 			buf += sizeof(struct ar9170_rx_head);
742 
743 			ar->rx_has_plcp = true;
744 		} else {
745 			if (net_ratelimit()) {
746 				wiphy_err(ar->hw->wiphy, "plcp info "
747 					"is clipped.\n");
748 			}
749 
750 			goto drop;
751 		}
752 		break;
753 
754 	case AR9170_RX_STATUS_MPDU_LAST:
755 		status.flag |= RX_FLAG_AMPDU_IS_LAST;
756 
757 		/*
758 		 * The last frame of an A-MPDU has an extra tail
759 		 * which does contain the phy status of the whole
760 		 * aggregate.
761 		 */
762 		if (likely(mpdu_len >= sizeof(struct ar9170_rx_phystatus))) {
763 			mpdu_len -= sizeof(struct ar9170_rx_phystatus);
764 			phy = (void *)(buf + mpdu_len);
765 		} else {
766 			if (net_ratelimit()) {
767 				wiphy_err(ar->hw->wiphy, "frame tail "
768 					"is clipped.\n");
769 			}
770 
771 			goto drop;
772 		}
773 
774 	case AR9170_RX_STATUS_MPDU_MIDDLE:
775 		/*  These are just data + mac status */
776 		if (unlikely(!ar->rx_has_plcp)) {
777 			if (!net_ratelimit())
778 				return;
779 
780 			wiphy_err(ar->hw->wiphy, "rx stream does not start "
781 					"with a first_mpdu frame tag.\n");
782 
783 			goto drop;
784 		}
785 
786 		head = &ar->rx_plcp;
787 		break;
788 
789 	case AR9170_RX_STATUS_MPDU_SINGLE:
790 		/* single mpdu has both: plcp (head) and phy status (tail) */
791 		head = (void *) buf;
792 
793 		mpdu_len -= sizeof(struct ar9170_rx_head);
794 		mpdu_len -= sizeof(struct ar9170_rx_phystatus);
795 
796 		buf += sizeof(struct ar9170_rx_head);
797 		phy = (void *)(buf + mpdu_len);
798 		break;
799 
800 	default:
801 		BUG_ON(1);
802 		break;
803 	}
804 
805 	/* FC + DU + RA + FCS */
806 	if (unlikely(mpdu_len < (2 + 2 + ETH_ALEN + FCS_LEN)))
807 		goto drop;
808 
809 	if (unlikely(carl9170_rx_mac_status(ar, head, mac, &status)))
810 		goto drop;
811 
812 	if (!carl9170_ampdu_check(ar, buf, mac_status, &status))
813 		goto drop;
814 
815 	if (phy)
816 		carl9170_rx_phy_status(ar, phy, &status);
817 	else
818 		status.flag |= RX_FLAG_NO_SIGNAL_VAL;
819 
820 	if (carl9170_handle_mpdu(ar, buf, mpdu_len, &status))
821 		goto drop;
822 
823 	return;
824 drop:
825 	ar->rx_dropped++;
826 }
827 
828 static void carl9170_rx_untie_cmds(struct ar9170 *ar, const u8 *respbuf,
829 				   const unsigned int resplen)
830 {
831 	struct carl9170_rsp *cmd;
832 	int i = 0;
833 
834 	while (i < resplen) {
835 		cmd = (void *) &respbuf[i];
836 
837 		i += cmd->hdr.len + 4;
838 		if (unlikely(i > resplen))
839 			break;
840 
841 		if (carl9170_check_sequence(ar, cmd->hdr.seq))
842 			break;
843 
844 		carl9170_handle_command_response(ar, cmd, cmd->hdr.len + 4);
845 	}
846 
847 	if (unlikely(i != resplen)) {
848 		if (!net_ratelimit())
849 			return;
850 
851 		wiphy_err(ar->hw->wiphy, "malformed firmware trap:\n");
852 		print_hex_dump_bytes("rxcmd:", DUMP_PREFIX_OFFSET,
853 				     respbuf, resplen);
854 	}
855 }
856 
857 static void __carl9170_rx(struct ar9170 *ar, u8 *buf, unsigned int len)
858 {
859 	unsigned int i = 0;
860 
861 	/* weird thing, but this is the same in the original driver */
862 	while (len > 2 && i < 12 && buf[0] == 0xff && buf[1] == 0xff) {
863 		i += 2;
864 		len -= 2;
865 		buf += 2;
866 	}
867 
868 	if (unlikely(len < 4))
869 		return;
870 
871 	/* found the 6 * 0xffff marker? */
872 	if (i == 12)
873 		carl9170_rx_untie_cmds(ar, buf, len);
874 	else
875 		carl9170_rx_untie_data(ar, buf, len);
876 }
877 
878 static void carl9170_rx_stream(struct ar9170 *ar, void *buf, unsigned int len)
879 {
880 	unsigned int tlen, wlen = 0, clen = 0;
881 	struct ar9170_stream *rx_stream;
882 	u8 *tbuf;
883 
884 	tbuf = buf;
885 	tlen = len;
886 
887 	while (tlen >= 4) {
888 		rx_stream = (void *) tbuf;
889 		clen = le16_to_cpu(rx_stream->length);
890 		wlen = ALIGN(clen, 4);
891 
892 		/* check if this is stream has a valid tag.*/
893 		if (rx_stream->tag != cpu_to_le16(AR9170_RX_STREAM_TAG)) {
894 			/*
895 			 * TODO: handle the highly unlikely event that the
896 			 * corrupted stream has the TAG at the right position.
897 			 */
898 
899 			/* check if the frame can be repaired. */
900 			if (!ar->rx_failover_missing) {
901 
902 				/* this is not "short read". */
903 				if (net_ratelimit()) {
904 					wiphy_err(ar->hw->wiphy,
905 						"missing tag!\n");
906 				}
907 
908 				__carl9170_rx(ar, tbuf, tlen);
909 				return;
910 			}
911 
912 			if (ar->rx_failover_missing > tlen) {
913 				if (net_ratelimit()) {
914 					wiphy_err(ar->hw->wiphy,
915 						"possible multi "
916 						"stream corruption!\n");
917 					goto err_telluser;
918 				} else {
919 					goto err_silent;
920 				}
921 			}
922 
923 			memcpy(skb_put(ar->rx_failover, tlen), tbuf, tlen);
924 			ar->rx_failover_missing -= tlen;
925 
926 			if (ar->rx_failover_missing <= 0) {
927 				/*
928 				 * nested carl9170_rx_stream call!
929 				 *
930 				 * termination is guaranteed, even when the
931 				 * combined frame also have an element with
932 				 * a bad tag.
933 				 */
934 
935 				ar->rx_failover_missing = 0;
936 				carl9170_rx_stream(ar, ar->rx_failover->data,
937 						   ar->rx_failover->len);
938 
939 				skb_reset_tail_pointer(ar->rx_failover);
940 				skb_trim(ar->rx_failover, 0);
941 			}
942 
943 			return;
944 		}
945 
946 		/* check if stream is clipped */
947 		if (wlen > tlen - 4) {
948 			if (ar->rx_failover_missing) {
949 				/* TODO: handle double stream corruption. */
950 				if (net_ratelimit()) {
951 					wiphy_err(ar->hw->wiphy, "double rx "
952 						"stream corruption!\n");
953 					goto err_telluser;
954 				} else {
955 					goto err_silent;
956 				}
957 			}
958 
959 			/*
960 			 * save incomplete data set.
961 			 * the firmware will resend the missing bits when
962 			 * the rx - descriptor comes round again.
963 			 */
964 
965 			memcpy(skb_put(ar->rx_failover, tlen), tbuf, tlen);
966 			ar->rx_failover_missing = clen - tlen;
967 			return;
968 		}
969 		__carl9170_rx(ar, rx_stream->payload, clen);
970 
971 		tbuf += wlen + 4;
972 		tlen -= wlen + 4;
973 	}
974 
975 	if (tlen) {
976 		if (net_ratelimit()) {
977 			wiphy_err(ar->hw->wiphy, "%d bytes of unprocessed "
978 				"data left in rx stream!\n", tlen);
979 		}
980 
981 		goto err_telluser;
982 	}
983 
984 	return;
985 
986 err_telluser:
987 	wiphy_err(ar->hw->wiphy, "damaged RX stream data [want:%d, "
988 		"data:%d, rx:%d, pending:%d ]\n", clen, wlen, tlen,
989 		ar->rx_failover_missing);
990 
991 	if (ar->rx_failover_missing)
992 		print_hex_dump_bytes("rxbuf:", DUMP_PREFIX_OFFSET,
993 				     ar->rx_failover->data,
994 				     ar->rx_failover->len);
995 
996 	print_hex_dump_bytes("stream:", DUMP_PREFIX_OFFSET,
997 			     buf, len);
998 
999 	wiphy_err(ar->hw->wiphy, "please check your hardware and cables, if "
1000 		"you see this message frequently.\n");
1001 
1002 err_silent:
1003 	if (ar->rx_failover_missing) {
1004 		skb_reset_tail_pointer(ar->rx_failover);
1005 		skb_trim(ar->rx_failover, 0);
1006 		ar->rx_failover_missing = 0;
1007 	}
1008 }
1009 
1010 void carl9170_rx(struct ar9170 *ar, void *buf, unsigned int len)
1011 {
1012 	if (ar->fw.rx_stream)
1013 		carl9170_rx_stream(ar, buf, len);
1014 	else
1015 		__carl9170_rx(ar, buf, len);
1016 }
1017