1 /*
2  * Atheros CARL9170 driver
3  *
4  * 802.11 & command trap routines
5  *
6  * Copyright 2008, Johannes Berg <johannes@sipsolutions.net>
7  * Copyright 2009, 2010, Christian Lamparter <chunkeey@googlemail.com>
8  *
9  * This program is free software; you can redistribute it and/or modify
10  * it under the terms of the GNU General Public License as published by
11  * the Free Software Foundation; either version 2 of the License, or
12  * (at your option) any later version.
13  *
14  * This program is distributed in the hope that it will be useful,
15  * but WITHOUT ANY WARRANTY; without even the implied warranty of
16  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
17  * GNU General Public License for more details.
18  *
19  * You should have received a copy of the GNU General Public License
20  * along with this program; see the file COPYING.  If not, see
21  * http://www.gnu.org/licenses/.
22  *
23  * This file incorporates work covered by the following copyright and
24  * permission notice:
25  *    Copyright (c) 2007-2008 Atheros Communications, Inc.
26  *
27  *    Permission to use, copy, modify, and/or distribute this software for any
28  *    purpose with or without fee is hereby granted, provided that the above
29  *    copyright notice and this permission notice appear in all copies.
30  *
31  *    THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
32  *    WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
33  *    MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
34  *    ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
35  *    WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
36  *    ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
37  *    OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
38  */
39 
40 #include <linux/slab.h>
41 #include <linux/module.h>
42 #include <linux/etherdevice.h>
43 #include <linux/crc32.h>
44 #include <net/mac80211.h>
45 #include "carl9170.h"
46 #include "hw.h"
47 #include "cmd.h"
48 
49 static void carl9170_dbg_message(struct ar9170 *ar, const char *buf, u32 len)
50 {
51 	bool restart = false;
52 	enum carl9170_restart_reasons reason = CARL9170_RR_NO_REASON;
53 
54 	if (len > 3) {
55 		if (memcmp(buf, CARL9170_ERR_MAGIC, 3) == 0) {
56 			ar->fw.err_counter++;
57 			if (ar->fw.err_counter > 3) {
58 				restart = true;
59 				reason = CARL9170_RR_TOO_MANY_FIRMWARE_ERRORS;
60 			}
61 		}
62 
63 		if (memcmp(buf, CARL9170_BUG_MAGIC, 3) == 0) {
64 			ar->fw.bug_counter++;
65 			restart = true;
66 			reason = CARL9170_RR_FATAL_FIRMWARE_ERROR;
67 		}
68 	}
69 
70 	wiphy_info(ar->hw->wiphy, "FW: %.*s\n", len, buf);
71 
72 	if (restart)
73 		carl9170_restart(ar, reason);
74 }
75 
76 static void carl9170_handle_ps(struct ar9170 *ar, struct carl9170_rsp *rsp)
77 {
78 	u32 ps;
79 	bool new_ps;
80 
81 	ps = le32_to_cpu(rsp->psm.state);
82 
83 	new_ps = (ps & CARL9170_PSM_COUNTER) != CARL9170_PSM_WAKE;
84 	if (ar->ps.state != new_ps) {
85 		if (!new_ps) {
86 			ar->ps.sleep_ms = jiffies_to_msecs(jiffies -
87 				ar->ps.last_action);
88 		}
89 
90 		ar->ps.last_action = jiffies;
91 
92 		ar->ps.state = new_ps;
93 	}
94 }
95 
96 static int carl9170_check_sequence(struct ar9170 *ar, unsigned int seq)
97 {
98 	if (ar->cmd_seq < -1)
99 		return 0;
100 
101 	/*
102 	 * Initialize Counter
103 	 */
104 	if (ar->cmd_seq < 0)
105 		ar->cmd_seq = seq;
106 
107 	/*
108 	 * The sequence is strictly monotonic increasing and it never skips!
109 	 *
110 	 * Therefore we can safely assume that whenever we received an
111 	 * unexpected sequence we have lost some valuable data.
112 	 */
113 	if (seq != ar->cmd_seq) {
114 		int count;
115 
116 		count = (seq - ar->cmd_seq) % ar->fw.cmd_bufs;
117 
118 		wiphy_err(ar->hw->wiphy, "lost %d command responses/traps! "
119 			  "w:%d g:%d\n", count, ar->cmd_seq, seq);
120 
121 		carl9170_restart(ar, CARL9170_RR_LOST_RSP);
122 		return -EIO;
123 	}
124 
125 	ar->cmd_seq = (ar->cmd_seq + 1) % ar->fw.cmd_bufs;
126 	return 0;
127 }
128 
129 static void carl9170_cmd_callback(struct ar9170 *ar, u32 len, void *buffer)
130 {
131 	/*
132 	 * Some commands may have a variable response length
133 	 * and we cannot predict the correct length in advance.
134 	 * So we only check if we provided enough space for the data.
135 	 */
136 	if (unlikely(ar->readlen != (len - 4))) {
137 		dev_warn(&ar->udev->dev, "received invalid command response:"
138 			 "got %d, instead of %d\n", len - 4, ar->readlen);
139 		print_hex_dump_bytes("carl9170 cmd:", DUMP_PREFIX_OFFSET,
140 			ar->cmd_buf, (ar->cmd.hdr.len + 4) & 0x3f);
141 		print_hex_dump_bytes("carl9170 rsp:", DUMP_PREFIX_OFFSET,
142 			buffer, len);
143 		/*
144 		 * Do not complete. The command times out,
145 		 * and we get a stack trace from there.
146 		 */
147 		carl9170_restart(ar, CARL9170_RR_INVALID_RSP);
148 	}
149 
150 	spin_lock(&ar->cmd_lock);
151 	if (ar->readbuf) {
152 		if (len >= 4)
153 			memcpy(ar->readbuf, buffer + 4, len - 4);
154 
155 		ar->readbuf = NULL;
156 	}
157 	complete(&ar->cmd_wait);
158 	spin_unlock(&ar->cmd_lock);
159 }
160 
161 void carl9170_handle_command_response(struct ar9170 *ar, void *buf, u32 len)
162 {
163 	struct carl9170_rsp *cmd = buf;
164 	struct ieee80211_vif *vif;
165 
166 	if ((cmd->hdr.cmd & CARL9170_RSP_FLAG) != CARL9170_RSP_FLAG) {
167 		if (!(cmd->hdr.cmd & CARL9170_CMD_ASYNC_FLAG))
168 			carl9170_cmd_callback(ar, len, buf);
169 
170 		return;
171 	}
172 
173 	if (unlikely(cmd->hdr.len != (len - 4))) {
174 		if (net_ratelimit()) {
175 			wiphy_err(ar->hw->wiphy, "FW: received over-/under"
176 				"sized event %x (%d, but should be %d).\n",
177 			       cmd->hdr.cmd, cmd->hdr.len, len - 4);
178 
179 			print_hex_dump_bytes("dump:", DUMP_PREFIX_NONE,
180 					     buf, len);
181 		}
182 
183 		return;
184 	}
185 
186 	/* hardware event handlers */
187 	switch (cmd->hdr.cmd) {
188 	case CARL9170_RSP_PRETBTT:
189 		/* pre-TBTT event */
190 		rcu_read_lock();
191 		vif = carl9170_get_main_vif(ar);
192 
193 		if (!vif) {
194 			rcu_read_unlock();
195 			break;
196 		}
197 
198 		switch (vif->type) {
199 		case NL80211_IFTYPE_STATION:
200 			carl9170_handle_ps(ar, cmd);
201 			break;
202 
203 		case NL80211_IFTYPE_AP:
204 		case NL80211_IFTYPE_ADHOC:
205 		case NL80211_IFTYPE_MESH_POINT:
206 			carl9170_update_beacon(ar, true);
207 			break;
208 
209 		default:
210 			break;
211 		}
212 		rcu_read_unlock();
213 
214 		break;
215 
216 
217 	case CARL9170_RSP_TXCOMP:
218 		/* TX status notification */
219 		carl9170_tx_process_status(ar, cmd);
220 		break;
221 
222 	case CARL9170_RSP_BEACON_CONFIG:
223 		/*
224 		 * (IBSS) beacon send notification
225 		 * bytes: 04 c2 XX YY B4 B3 B2 B1
226 		 *
227 		 * XX always 80
228 		 * YY always 00
229 		 * B1-B4 "should" be the number of send out beacons.
230 		 */
231 		break;
232 
233 	case CARL9170_RSP_ATIM:
234 		/* End of Atim Window */
235 		break;
236 
237 	case CARL9170_RSP_WATCHDOG:
238 		/* Watchdog Interrupt */
239 		carl9170_restart(ar, CARL9170_RR_WATCHDOG);
240 		break;
241 
242 	case CARL9170_RSP_TEXT:
243 		/* firmware debug */
244 		carl9170_dbg_message(ar, (char *)buf + 4, len - 4);
245 		break;
246 
247 	case CARL9170_RSP_HEXDUMP:
248 		wiphy_dbg(ar->hw->wiphy, "FW: HD %d\n", len - 4);
249 		print_hex_dump_bytes("FW:", DUMP_PREFIX_NONE,
250 				     (char *)buf + 4, len - 4);
251 		break;
252 
253 	case CARL9170_RSP_RADAR:
254 		if (!net_ratelimit())
255 			break;
256 
257 		wiphy_info(ar->hw->wiphy, "FW: RADAR! Please report this "
258 		       "incident to linux-wireless@vger.kernel.org !\n");
259 		break;
260 
261 	case CARL9170_RSP_GPIO:
262 #ifdef CONFIG_CARL9170_WPC
263 		if (ar->wps.pbc) {
264 			bool state = !!(cmd->gpio.gpio & cpu_to_le32(
265 				AR9170_GPIO_PORT_WPS_BUTTON_PRESSED));
266 
267 			if (state != ar->wps.pbc_state) {
268 				ar->wps.pbc_state = state;
269 				input_report_key(ar->wps.pbc, KEY_WPS_BUTTON,
270 						 state);
271 				input_sync(ar->wps.pbc);
272 			}
273 		}
274 #endif /* CONFIG_CARL9170_WPC */
275 		break;
276 
277 	case CARL9170_RSP_BOOT:
278 		complete(&ar->fw_boot_wait);
279 		break;
280 
281 	default:
282 		wiphy_err(ar->hw->wiphy, "FW: received unhandled event %x\n",
283 			cmd->hdr.cmd);
284 		print_hex_dump_bytes("dump:", DUMP_PREFIX_NONE, buf, len);
285 		break;
286 	}
287 }
288 
289 static int carl9170_rx_mac_status(struct ar9170 *ar,
290 	struct ar9170_rx_head *head, struct ar9170_rx_macstatus *mac,
291 	struct ieee80211_rx_status *status)
292 {
293 	struct ieee80211_channel *chan;
294 	u8 error, decrypt;
295 
296 	BUILD_BUG_ON(sizeof(struct ar9170_rx_head) != 12);
297 	BUILD_BUG_ON(sizeof(struct ar9170_rx_macstatus) != 4);
298 
299 	error = mac->error;
300 
301 	if (error & AR9170_RX_ERROR_WRONG_RA) {
302 		if (!ar->sniffer_enabled)
303 			return -EINVAL;
304 	}
305 
306 	if (error & AR9170_RX_ERROR_PLCP) {
307 		if (!(ar->filter_state & FIF_PLCPFAIL))
308 			return -EINVAL;
309 
310 		status->flag |= RX_FLAG_FAILED_PLCP_CRC;
311 	}
312 
313 	if (error & AR9170_RX_ERROR_FCS) {
314 		ar->tx_fcs_errors++;
315 
316 		if (!(ar->filter_state & FIF_FCSFAIL))
317 			return -EINVAL;
318 
319 		status->flag |= RX_FLAG_FAILED_FCS_CRC;
320 	}
321 
322 	decrypt = ar9170_get_decrypt_type(mac);
323 	if (!(decrypt & AR9170_RX_ENC_SOFTWARE) &&
324 	    decrypt != AR9170_ENC_ALG_NONE) {
325 		if ((decrypt == AR9170_ENC_ALG_TKIP) &&
326 		    (error & AR9170_RX_ERROR_MMIC))
327 			status->flag |= RX_FLAG_MMIC_ERROR;
328 
329 		status->flag |= RX_FLAG_DECRYPTED;
330 	}
331 
332 	if (error & AR9170_RX_ERROR_DECRYPT && !ar->sniffer_enabled)
333 		return -ENODATA;
334 
335 	error &= ~(AR9170_RX_ERROR_MMIC |
336 		   AR9170_RX_ERROR_FCS |
337 		   AR9170_RX_ERROR_WRONG_RA |
338 		   AR9170_RX_ERROR_DECRYPT |
339 		   AR9170_RX_ERROR_PLCP);
340 
341 	/* drop any other error frames */
342 	if (unlikely(error)) {
343 		/* TODO: update netdevice's RX dropped/errors statistics */
344 
345 		if (net_ratelimit())
346 			wiphy_dbg(ar->hw->wiphy, "received frame with "
347 			       "suspicious error code (%#x).\n", error);
348 
349 		return -EINVAL;
350 	}
351 
352 	chan = ar->channel;
353 	if (chan) {
354 		status->band = chan->band;
355 		status->freq = chan->center_freq;
356 	}
357 
358 	switch (mac->status & AR9170_RX_STATUS_MODULATION) {
359 	case AR9170_RX_STATUS_MODULATION_CCK:
360 		if (mac->status & AR9170_RX_STATUS_SHORT_PREAMBLE)
361 			status->enc_flags |= RX_ENC_FLAG_SHORTPRE;
362 		switch (head->plcp[0]) {
363 		case AR9170_RX_PHY_RATE_CCK_1M:
364 			status->rate_idx = 0;
365 			break;
366 		case AR9170_RX_PHY_RATE_CCK_2M:
367 			status->rate_idx = 1;
368 			break;
369 		case AR9170_RX_PHY_RATE_CCK_5M:
370 			status->rate_idx = 2;
371 			break;
372 		case AR9170_RX_PHY_RATE_CCK_11M:
373 			status->rate_idx = 3;
374 			break;
375 		default:
376 			if (net_ratelimit()) {
377 				wiphy_err(ar->hw->wiphy, "invalid plcp cck "
378 				       "rate (%x).\n", head->plcp[0]);
379 			}
380 
381 			return -EINVAL;
382 		}
383 		break;
384 
385 	case AR9170_RX_STATUS_MODULATION_DUPOFDM:
386 	case AR9170_RX_STATUS_MODULATION_OFDM:
387 		switch (head->plcp[0] & 0xf) {
388 		case AR9170_TXRX_PHY_RATE_OFDM_6M:
389 			status->rate_idx = 0;
390 			break;
391 		case AR9170_TXRX_PHY_RATE_OFDM_9M:
392 			status->rate_idx = 1;
393 			break;
394 		case AR9170_TXRX_PHY_RATE_OFDM_12M:
395 			status->rate_idx = 2;
396 			break;
397 		case AR9170_TXRX_PHY_RATE_OFDM_18M:
398 			status->rate_idx = 3;
399 			break;
400 		case AR9170_TXRX_PHY_RATE_OFDM_24M:
401 			status->rate_idx = 4;
402 			break;
403 		case AR9170_TXRX_PHY_RATE_OFDM_36M:
404 			status->rate_idx = 5;
405 			break;
406 		case AR9170_TXRX_PHY_RATE_OFDM_48M:
407 			status->rate_idx = 6;
408 			break;
409 		case AR9170_TXRX_PHY_RATE_OFDM_54M:
410 			status->rate_idx = 7;
411 			break;
412 		default:
413 			if (net_ratelimit()) {
414 				wiphy_err(ar->hw->wiphy, "invalid plcp ofdm "
415 					"rate (%x).\n", head->plcp[0]);
416 			}
417 
418 			return -EINVAL;
419 		}
420 		if (status->band == NL80211_BAND_2GHZ)
421 			status->rate_idx += 4;
422 		break;
423 
424 	case AR9170_RX_STATUS_MODULATION_HT:
425 		if (head->plcp[3] & 0x80)
426 			status->bw = RATE_INFO_BW_40;
427 		if (head->plcp[6] & 0x80)
428 			status->enc_flags |= RX_ENC_FLAG_SHORT_GI;
429 
430 		status->rate_idx = clamp(head->plcp[3] & 0x7f, 0, 75);
431 		status->encoding = RX_ENC_HT;
432 		break;
433 
434 	default:
435 		BUG();
436 		return -ENOSYS;
437 	}
438 
439 	return 0;
440 }
441 
442 static void carl9170_rx_phy_status(struct ar9170 *ar,
443 	struct ar9170_rx_phystatus *phy, struct ieee80211_rx_status *status)
444 {
445 	int i;
446 
447 	BUILD_BUG_ON(sizeof(struct ar9170_rx_phystatus) != 20);
448 
449 	for (i = 0; i < 3; i++)
450 		if (phy->rssi[i] != 0x80)
451 			status->antenna |= BIT(i);
452 
453 	/* post-process RSSI */
454 	for (i = 0; i < 7; i++)
455 		if (phy->rssi[i] & 0x80)
456 			phy->rssi[i] = ((~phy->rssi[i] & 0x7f) + 1) & 0x7f;
457 
458 	/* TODO: we could do something with phy_errors */
459 	status->signal = ar->noise[0] + phy->rssi_combined;
460 }
461 
462 static struct sk_buff *carl9170_rx_copy_data(u8 *buf, int len)
463 {
464 	struct sk_buff *skb;
465 	int reserved = 0;
466 	struct ieee80211_hdr *hdr = (void *) buf;
467 
468 	if (ieee80211_is_data_qos(hdr->frame_control)) {
469 		u8 *qc = ieee80211_get_qos_ctl(hdr);
470 		reserved += NET_IP_ALIGN;
471 
472 		if (*qc & IEEE80211_QOS_CTL_A_MSDU_PRESENT)
473 			reserved += NET_IP_ALIGN;
474 	}
475 
476 	if (ieee80211_has_a4(hdr->frame_control))
477 		reserved += NET_IP_ALIGN;
478 
479 	reserved = 32 + (reserved & NET_IP_ALIGN);
480 
481 	skb = dev_alloc_skb(len + reserved);
482 	if (likely(skb)) {
483 		skb_reserve(skb, reserved);
484 		skb_put_data(skb, buf, len);
485 	}
486 
487 	return skb;
488 }
489 
490 static u8 *carl9170_find_ie(u8 *data, unsigned int len, u8 ie)
491 {
492 	struct ieee80211_mgmt *mgmt = (void *)data;
493 	u8 *pos, *end;
494 
495 	pos = (u8 *)mgmt->u.beacon.variable;
496 	end = data + len;
497 	while (pos < end) {
498 		if (pos + 2 + pos[1] > end)
499 			return NULL;
500 
501 		if (pos[0] == ie)
502 			return pos;
503 
504 		pos += 2 + pos[1];
505 	}
506 	return NULL;
507 }
508 
509 /*
510  * NOTE:
511  *
512  * The firmware is in charge of waking up the device just before
513  * the AP is expected to transmit the next beacon.
514  *
515  * This leaves the driver with the important task of deciding when
516  * to set the PHY back to bed again.
517  */
518 static void carl9170_ps_beacon(struct ar9170 *ar, void *data, unsigned int len)
519 {
520 	struct ieee80211_hdr *hdr = data;
521 	struct ieee80211_tim_ie *tim_ie;
522 	struct ath_common *common = &ar->common;
523 	u8 *tim;
524 	u8 tim_len;
525 	bool cam;
526 
527 	if (likely(!(ar->hw->conf.flags & IEEE80211_CONF_PS)))
528 		return;
529 
530 	/* min. beacon length + FCS_LEN */
531 	if (len <= 40 + FCS_LEN)
532 		return;
533 
534 	/* check if this really is a beacon */
535 	/* and only beacons from the associated BSSID, please */
536 	if (!ath_is_mybeacon(common, hdr) || !common->curaid)
537 		return;
538 
539 	ar->ps.last_beacon = jiffies;
540 
541 	tim = carl9170_find_ie(data, len - FCS_LEN, WLAN_EID_TIM);
542 	if (!tim)
543 		return;
544 
545 	if (tim[1] < sizeof(*tim_ie))
546 		return;
547 
548 	tim_len = tim[1];
549 	tim_ie = (struct ieee80211_tim_ie *) &tim[2];
550 
551 	if (!WARN_ON_ONCE(!ar->hw->conf.ps_dtim_period))
552 		ar->ps.dtim_counter = (tim_ie->dtim_count - 1) %
553 			ar->hw->conf.ps_dtim_period;
554 
555 	/* Check whenever the PHY can be turned off again. */
556 
557 	/* 1. What about buffered unicast traffic for our AID? */
558 	cam = ieee80211_check_tim(tim_ie, tim_len, ar->common.curaid);
559 
560 	/* 2. Maybe the AP wants to send multicast/broadcast data? */
561 	cam |= !!(tim_ie->bitmap_ctrl & 0x01);
562 
563 	if (!cam) {
564 		/* back to low-power land. */
565 		ar->ps.off_override &= ~PS_OFF_BCN;
566 		carl9170_ps_check(ar);
567 	} else {
568 		/* force CAM */
569 		ar->ps.off_override |= PS_OFF_BCN;
570 	}
571 }
572 
573 static void carl9170_ba_check(struct ar9170 *ar, void *data, unsigned int len)
574 {
575 	struct ieee80211_bar *bar = data;
576 	struct carl9170_bar_list_entry *entry;
577 	unsigned int queue;
578 
579 	if (likely(!ieee80211_is_back(bar->frame_control)))
580 		return;
581 
582 	if (len <= sizeof(*bar) + FCS_LEN)
583 		return;
584 
585 	queue = TID_TO_WME_AC(((le16_to_cpu(bar->control) &
586 		IEEE80211_BAR_CTRL_TID_INFO_MASK) >>
587 		IEEE80211_BAR_CTRL_TID_INFO_SHIFT) & 7);
588 
589 	rcu_read_lock();
590 	list_for_each_entry_rcu(entry, &ar->bar_list[queue], list) {
591 		struct sk_buff *entry_skb = entry->skb;
592 		struct _carl9170_tx_superframe *super = (void *)entry_skb->data;
593 		struct ieee80211_bar *entry_bar = (void *)super->frame_data;
594 
595 #define TID_CHECK(a, b) (						\
596 	((a) & cpu_to_le16(IEEE80211_BAR_CTRL_TID_INFO_MASK)) ==	\
597 	((b) & cpu_to_le16(IEEE80211_BAR_CTRL_TID_INFO_MASK)))		\
598 
599 		if (bar->start_seq_num == entry_bar->start_seq_num &&
600 		    TID_CHECK(bar->control, entry_bar->control) &&
601 		    ether_addr_equal_64bits(bar->ra, entry_bar->ta) &&
602 		    ether_addr_equal_64bits(bar->ta, entry_bar->ra)) {
603 			struct ieee80211_tx_info *tx_info;
604 
605 			tx_info = IEEE80211_SKB_CB(entry_skb);
606 			tx_info->flags |= IEEE80211_TX_STAT_ACK;
607 
608 			spin_lock_bh(&ar->bar_list_lock[queue]);
609 			list_del_rcu(&entry->list);
610 			spin_unlock_bh(&ar->bar_list_lock[queue]);
611 			kfree_rcu(entry, head);
612 			break;
613 		}
614 	}
615 	rcu_read_unlock();
616 
617 #undef TID_CHECK
618 }
619 
620 static bool carl9170_ampdu_check(struct ar9170 *ar, u8 *buf, u8 ms,
621 				 struct ieee80211_rx_status *rx_status)
622 {
623 	__le16 fc;
624 
625 	if ((ms & AR9170_RX_STATUS_MPDU) == AR9170_RX_STATUS_MPDU_SINGLE) {
626 		/*
627 		 * This frame is not part of an aMPDU.
628 		 * Therefore it is not subjected to any
629 		 * of the following content restrictions.
630 		 */
631 		return true;
632 	}
633 
634 	rx_status->flag |= RX_FLAG_AMPDU_DETAILS | RX_FLAG_AMPDU_LAST_KNOWN;
635 	rx_status->ampdu_reference = ar->ampdu_ref;
636 
637 	/*
638 	 * "802.11n - 7.4a.3 A-MPDU contents" describes in which contexts
639 	 * certain frame types can be part of an aMPDU.
640 	 *
641 	 * In order to keep the processing cost down, I opted for a
642 	 * stateless filter solely based on the frame control field.
643 	 */
644 
645 	fc = ((struct ieee80211_hdr *)buf)->frame_control;
646 	if (ieee80211_is_data_qos(fc) && ieee80211_is_data_present(fc))
647 		return true;
648 
649 	if (ieee80211_is_ack(fc) || ieee80211_is_back(fc) ||
650 	    ieee80211_is_back_req(fc))
651 		return true;
652 
653 	if (ieee80211_is_action(fc))
654 		return true;
655 
656 	return false;
657 }
658 
659 static int carl9170_handle_mpdu(struct ar9170 *ar, u8 *buf, int len,
660 				struct ieee80211_rx_status *status)
661 {
662 	struct sk_buff *skb;
663 
664 	/* (driver) frame trap handler
665 	 *
666 	 * Because power-saving mode handing has to be implemented by
667 	 * the driver/firmware. We have to check each incoming beacon
668 	 * from the associated AP, if there's new data for us (either
669 	 * broadcast/multicast or unicast) we have to react quickly.
670 	 *
671 	 * So, if you have you want to add additional frame trap
672 	 * handlers, this would be the perfect place!
673 	 */
674 
675 	carl9170_ps_beacon(ar, buf, len);
676 
677 	carl9170_ba_check(ar, buf, len);
678 
679 	skb = carl9170_rx_copy_data(buf, len);
680 	if (!skb)
681 		return -ENOMEM;
682 
683 	memcpy(IEEE80211_SKB_RXCB(skb), status, sizeof(*status));
684 	ieee80211_rx(ar->hw, skb);
685 	return 0;
686 }
687 
688 /*
689  * If the frame alignment is right (or the kernel has
690  * CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS), and there
691  * is only a single MPDU in the USB frame, then we could
692  * submit to mac80211 the SKB directly. However, since
693  * there may be multiple packets in one SKB in stream
694  * mode, and we need to observe the proper ordering,
695  * this is non-trivial.
696  */
697 static void carl9170_rx_untie_data(struct ar9170 *ar, u8 *buf, int len)
698 {
699 	struct ar9170_rx_head *head;
700 	struct ar9170_rx_macstatus *mac;
701 	struct ar9170_rx_phystatus *phy = NULL;
702 	struct ieee80211_rx_status status;
703 	int mpdu_len;
704 	u8 mac_status;
705 
706 	if (!IS_STARTED(ar))
707 		return;
708 
709 	if (unlikely(len < sizeof(*mac)))
710 		goto drop;
711 
712 	memset(&status, 0, sizeof(status));
713 
714 	mpdu_len = len - sizeof(*mac);
715 
716 	mac = (void *)(buf + mpdu_len);
717 	mac_status = mac->status;
718 	switch (mac_status & AR9170_RX_STATUS_MPDU) {
719 	case AR9170_RX_STATUS_MPDU_FIRST:
720 		ar->ampdu_ref++;
721 		/* Aggregated MPDUs start with an PLCP header */
722 		if (likely(mpdu_len >= sizeof(struct ar9170_rx_head))) {
723 			head = (void *) buf;
724 
725 			/*
726 			 * The PLCP header needs to be cached for the
727 			 * following MIDDLE + LAST A-MPDU packets.
728 			 *
729 			 * So, if you are wondering why all frames seem
730 			 * to share a common RX status information,
731 			 * then you have the answer right here...
732 			 */
733 			memcpy(&ar->rx_plcp, (void *) buf,
734 			       sizeof(struct ar9170_rx_head));
735 
736 			mpdu_len -= sizeof(struct ar9170_rx_head);
737 			buf += sizeof(struct ar9170_rx_head);
738 
739 			ar->rx_has_plcp = true;
740 		} else {
741 			if (net_ratelimit()) {
742 				wiphy_err(ar->hw->wiphy, "plcp info "
743 					"is clipped.\n");
744 			}
745 
746 			goto drop;
747 		}
748 		break;
749 
750 	case AR9170_RX_STATUS_MPDU_LAST:
751 		status.flag |= RX_FLAG_AMPDU_IS_LAST;
752 
753 		/*
754 		 * The last frame of an A-MPDU has an extra tail
755 		 * which does contain the phy status of the whole
756 		 * aggregate.
757 		 */
758 		if (likely(mpdu_len >= sizeof(struct ar9170_rx_phystatus))) {
759 			mpdu_len -= sizeof(struct ar9170_rx_phystatus);
760 			phy = (void *)(buf + mpdu_len);
761 		} else {
762 			if (net_ratelimit()) {
763 				wiphy_err(ar->hw->wiphy, "frame tail "
764 					"is clipped.\n");
765 			}
766 
767 			goto drop;
768 		}
769 		/* fall through */
770 
771 	case AR9170_RX_STATUS_MPDU_MIDDLE:
772 		/*  These are just data + mac status */
773 		if (unlikely(!ar->rx_has_plcp)) {
774 			if (!net_ratelimit())
775 				return;
776 
777 			wiphy_err(ar->hw->wiphy, "rx stream does not start "
778 					"with a first_mpdu frame tag.\n");
779 
780 			goto drop;
781 		}
782 
783 		head = &ar->rx_plcp;
784 		break;
785 
786 	case AR9170_RX_STATUS_MPDU_SINGLE:
787 		/* single mpdu has both: plcp (head) and phy status (tail) */
788 		head = (void *) buf;
789 
790 		mpdu_len -= sizeof(struct ar9170_rx_head);
791 		mpdu_len -= sizeof(struct ar9170_rx_phystatus);
792 
793 		buf += sizeof(struct ar9170_rx_head);
794 		phy = (void *)(buf + mpdu_len);
795 		break;
796 
797 	default:
798 		BUG();
799 		break;
800 	}
801 
802 	/* FC + DU + RA + FCS */
803 	if (unlikely(mpdu_len < (2 + 2 + ETH_ALEN + FCS_LEN)))
804 		goto drop;
805 
806 	if (unlikely(carl9170_rx_mac_status(ar, head, mac, &status)))
807 		goto drop;
808 
809 	if (!carl9170_ampdu_check(ar, buf, mac_status, &status))
810 		goto drop;
811 
812 	if (phy)
813 		carl9170_rx_phy_status(ar, phy, &status);
814 	else
815 		status.flag |= RX_FLAG_NO_SIGNAL_VAL;
816 
817 	if (carl9170_handle_mpdu(ar, buf, mpdu_len, &status))
818 		goto drop;
819 
820 	return;
821 drop:
822 	ar->rx_dropped++;
823 }
824 
825 static void carl9170_rx_untie_cmds(struct ar9170 *ar, const u8 *respbuf,
826 				   const unsigned int resplen)
827 {
828 	struct carl9170_rsp *cmd;
829 	int i = 0;
830 
831 	while (i < resplen) {
832 		cmd = (void *) &respbuf[i];
833 
834 		i += cmd->hdr.len + 4;
835 		if (unlikely(i > resplen))
836 			break;
837 
838 		if (carl9170_check_sequence(ar, cmd->hdr.seq))
839 			break;
840 
841 		carl9170_handle_command_response(ar, cmd, cmd->hdr.len + 4);
842 	}
843 
844 	if (unlikely(i != resplen)) {
845 		if (!net_ratelimit())
846 			return;
847 
848 		wiphy_err(ar->hw->wiphy, "malformed firmware trap:\n");
849 		print_hex_dump_bytes("rxcmd:", DUMP_PREFIX_OFFSET,
850 				     respbuf, resplen);
851 	}
852 }
853 
854 static void __carl9170_rx(struct ar9170 *ar, u8 *buf, unsigned int len)
855 {
856 	unsigned int i = 0;
857 
858 	/* weird thing, but this is the same in the original driver */
859 	while (len > 2 && i < 12 && buf[0] == 0xff && buf[1] == 0xff) {
860 		i += 2;
861 		len -= 2;
862 		buf += 2;
863 	}
864 
865 	if (unlikely(len < 4))
866 		return;
867 
868 	/* found the 6 * 0xffff marker? */
869 	if (i == 12)
870 		carl9170_rx_untie_cmds(ar, buf, len);
871 	else
872 		carl9170_rx_untie_data(ar, buf, len);
873 }
874 
875 static void carl9170_rx_stream(struct ar9170 *ar, void *buf, unsigned int len)
876 {
877 	unsigned int tlen, wlen = 0, clen = 0;
878 	struct ar9170_stream *rx_stream;
879 	u8 *tbuf;
880 
881 	tbuf = buf;
882 	tlen = len;
883 
884 	while (tlen >= 4) {
885 		rx_stream = (void *) tbuf;
886 		clen = le16_to_cpu(rx_stream->length);
887 		wlen = ALIGN(clen, 4);
888 
889 		/* check if this is stream has a valid tag.*/
890 		if (rx_stream->tag != cpu_to_le16(AR9170_RX_STREAM_TAG)) {
891 			/*
892 			 * TODO: handle the highly unlikely event that the
893 			 * corrupted stream has the TAG at the right position.
894 			 */
895 
896 			/* check if the frame can be repaired. */
897 			if (!ar->rx_failover_missing) {
898 
899 				/* this is not "short read". */
900 				if (net_ratelimit()) {
901 					wiphy_err(ar->hw->wiphy,
902 						"missing tag!\n");
903 				}
904 
905 				__carl9170_rx(ar, tbuf, tlen);
906 				return;
907 			}
908 
909 			if (ar->rx_failover_missing > tlen) {
910 				if (net_ratelimit()) {
911 					wiphy_err(ar->hw->wiphy,
912 						"possible multi "
913 						"stream corruption!\n");
914 					goto err_telluser;
915 				} else {
916 					goto err_silent;
917 				}
918 			}
919 
920 			skb_put_data(ar->rx_failover, tbuf, tlen);
921 			ar->rx_failover_missing -= tlen;
922 
923 			if (ar->rx_failover_missing <= 0) {
924 				/*
925 				 * nested carl9170_rx_stream call!
926 				 *
927 				 * termination is guaranteed, even when the
928 				 * combined frame also have an element with
929 				 * a bad tag.
930 				 */
931 
932 				ar->rx_failover_missing = 0;
933 				carl9170_rx_stream(ar, ar->rx_failover->data,
934 						   ar->rx_failover->len);
935 
936 				skb_reset_tail_pointer(ar->rx_failover);
937 				skb_trim(ar->rx_failover, 0);
938 			}
939 
940 			return;
941 		}
942 
943 		/* check if stream is clipped */
944 		if (wlen > tlen - 4) {
945 			if (ar->rx_failover_missing) {
946 				/* TODO: handle double stream corruption. */
947 				if (net_ratelimit()) {
948 					wiphy_err(ar->hw->wiphy, "double rx "
949 						"stream corruption!\n");
950 					goto err_telluser;
951 				} else {
952 					goto err_silent;
953 				}
954 			}
955 
956 			/*
957 			 * save incomplete data set.
958 			 * the firmware will resend the missing bits when
959 			 * the rx - descriptor comes round again.
960 			 */
961 
962 			skb_put_data(ar->rx_failover, tbuf, tlen);
963 			ar->rx_failover_missing = clen - tlen;
964 			return;
965 		}
966 		__carl9170_rx(ar, rx_stream->payload, clen);
967 
968 		tbuf += wlen + 4;
969 		tlen -= wlen + 4;
970 	}
971 
972 	if (tlen) {
973 		if (net_ratelimit()) {
974 			wiphy_err(ar->hw->wiphy, "%d bytes of unprocessed "
975 				"data left in rx stream!\n", tlen);
976 		}
977 
978 		goto err_telluser;
979 	}
980 
981 	return;
982 
983 err_telluser:
984 	wiphy_err(ar->hw->wiphy, "damaged RX stream data [want:%d, "
985 		"data:%d, rx:%d, pending:%d ]\n", clen, wlen, tlen,
986 		ar->rx_failover_missing);
987 
988 	if (ar->rx_failover_missing)
989 		print_hex_dump_bytes("rxbuf:", DUMP_PREFIX_OFFSET,
990 				     ar->rx_failover->data,
991 				     ar->rx_failover->len);
992 
993 	print_hex_dump_bytes("stream:", DUMP_PREFIX_OFFSET,
994 			     buf, len);
995 
996 	wiphy_err(ar->hw->wiphy, "please check your hardware and cables, if "
997 		"you see this message frequently.\n");
998 
999 err_silent:
1000 	if (ar->rx_failover_missing) {
1001 		skb_reset_tail_pointer(ar->rx_failover);
1002 		skb_trim(ar->rx_failover, 0);
1003 		ar->rx_failover_missing = 0;
1004 	}
1005 }
1006 
1007 void carl9170_rx(struct ar9170 *ar, void *buf, unsigned int len)
1008 {
1009 	if (ar->fw.rx_stream)
1010 		carl9170_rx_stream(ar, buf, len);
1011 	else
1012 		__carl9170_rx(ar, buf, len);
1013 }
1014