1	// SPDX-License-Identifier: GPL-2.0 OR BSD-3-Clause
2	/*
3	* Copyright (C) 2012-2014, 2018-2024 Intel Corporation
4	* Copyright (C) 2013-2015 Intel Mobile Communications GmbH
5	* Copyright (C) 2015-2017 Intel Deutschland GmbH
6	*/
7	#include <linux/etherdevice.h>
8	#include <linux/skbuff.h>
9	#include "iwl-trans.h"
10	#include "mvm.h"
11	#include "fw-api.h"
12	#include "time-sync.h"
13
14	static inline int iwl_mvm_check_pn(struct iwl_mvm *mvm, struct sk_buff *skb,
15	int queue, struct ieee80211_sta *sta)
16	{
17	struct iwl_mvm_sta *mvmsta;
18	struct ieee80211_hdr *hdr = (void *)skb_mac_header(skb);
19	struct ieee80211_rx_status *stats = IEEE80211_SKB_RXCB(skb);
20	struct iwl_mvm_key_pn *ptk_pn;
21	int res;
22	u8 tid, keyidx;
23	u8 pn[IEEE80211_CCMP_PN_LEN];
24	u8 *extiv;
25
26	/* do PN checking */
27
28	/* multicast and non-data only arrives on default queue */
29	if (!ieee80211_is_data(fc: hdr->frame_control) ||
30	is_multicast_ether_addr(addr: hdr->addr1))
31	return 0;
32
33	/* do not check PN for open AP */
34	if (!(stats->flag & RX_FLAG_DECRYPTED))
35	return 0;
36
37	/*
38	* avoid checking for default queue - we don't want to replicate
39	* all the logic that's necessary for checking the PN on fragmented
40	* frames, leave that to mac80211
41	*/
42	if (queue == 0)
43	return 0;
44
45	/* if we are here - this for sure is either CCMP or GCMP */
46	if (IS_ERR_OR_NULL(ptr: sta)) {
47	IWL_DEBUG_DROP(mvm,
48	"expected hw-decrypted unicast frame for station\n");
49	return -1;
50	}
51
52	mvmsta = iwl_mvm_sta_from_mac80211(sta);
53
54	extiv = (u8 *)hdr + ieee80211_hdrlen(fc: hdr->frame_control);
55	keyidx = extiv[3] >> 6;
56
57	ptk_pn = rcu_dereference(mvmsta->ptk_pn[keyidx]);
58	if (!ptk_pn)
59	return -1;
60
61	if (ieee80211_is_data_qos(fc: hdr->frame_control))
62	tid = ieee80211_get_tid(hdr);
63	else
64	tid = 0;
65
66	/* we don't use HCCA/802.11 QoS TSPECs, so drop such frames */
67	if (tid >= IWL_MAX_TID_COUNT)
68	return -1;
69
70	/* load pn */
71	pn[0] = extiv[7];
72	pn[1] = extiv[6];
73	pn[2] = extiv[5];
74	pn[3] = extiv[4];
75	pn[4] = extiv[1];
76	pn[5] = extiv[0];
77
78	res = memcmp(p: pn, q: ptk_pn->q[queue].pn[tid], IEEE80211_CCMP_PN_LEN);
79	if (res < 0)
80	return -1;
81	if (!res && !(stats->flag & RX_FLAG_ALLOW_SAME_PN))
82	return -1;
83
84	memcpy(ptk_pn->q[queue].pn[tid], pn, IEEE80211_CCMP_PN_LEN);
85	stats->flag |= RX_FLAG_PN_VALIDATED;
86
87	return 0;
88	}
89
90	/* iwl_mvm_create_skb Adds the rxb to a new skb */
91	static int iwl_mvm_create_skb(struct iwl_mvm *mvm, struct sk_buff *skb,
92	struct ieee80211_hdr *hdr, u16 len, u8 crypt_len,
93	struct iwl_rx_cmd_buffer *rxb)
94	{
95	struct iwl_rx_packet *pkt = rxb_addr(rxb);
96	struct iwl_rx_mpdu_desc *desc = (void *)pkt->data;
97	unsigned int headlen, fraglen, pad_len = 0;
98	unsigned int hdrlen = ieee80211_hdrlen(fc: hdr->frame_control);
99	u8 mic_crc_len = u8_get_bits(v: desc->mac_flags1,
100	field: IWL_RX_MPDU_MFLG1_MIC_CRC_LEN_MASK) << 1;
101
102	if (desc->mac_flags2 & IWL_RX_MPDU_MFLG2_PAD) {
103	len -= 2;
104	pad_len = 2;
105	}
106
107	/*
108	* For non monitor interface strip the bytes the RADA might not have
109	* removed (it might be disabled, e.g. for mgmt frames). As a monitor
110	* interface cannot exist with other interfaces, this removal is safe
111	* and sufficient, in monitor mode there's no decryption being done.
112	*/
113	if (len > mic_crc_len && !ieee80211_hw_check(mvm->hw, RX_INCLUDES_FCS))
114	len -= mic_crc_len;
115
116	/* If frame is small enough to fit in skb->head, pull it completely.
117	* If not, only pull ieee80211_hdr (including crypto if present, and
118	* an additional 8 bytes for SNAP/ethertype, see below) so that
119	* splice() or TCP coalesce are more efficient.
120	*
121	* Since, in addition, ieee80211_data_to_8023() always pull in at
122	* least 8 bytes (possibly more for mesh) we can do the same here
123	* to save the cost of doing it later. That still doesn't pull in
124	* the actual IP header since the typical case has a SNAP header.
125	* If the latter changes (there are efforts in the standards group
126	* to do so) we should revisit this and ieee80211_data_to_8023().
127	*/
128	headlen = (len <= skb_tailroom(skb)) ? len :
129	hdrlen + crypt_len + 8;
130
131	/* The firmware may align the packet to DWORD.
132	* The padding is inserted after the IV.
133	* After copying the header + IV skip the padding if
134	* present before copying packet data.
135	*/
136	hdrlen += crypt_len;
137
138	if (unlikely(headlen < hdrlen))
139	return -EINVAL;
140
141	/* Since data doesn't move data while putting data on skb and that is
142	* the only way we use, data + len is the next place that hdr would be put
143	*/
144	skb_set_mac_header(skb, offset: skb->len);
145	skb_put_data(skb, data: hdr, len: hdrlen);
146	skb_put_data(skb, data: (u8 *)hdr + hdrlen + pad_len, len: headlen - hdrlen);
147
148	/*
149	* If we did CHECKSUM_COMPLETE, the hardware only does it right for
150	* certain cases and starts the checksum after the SNAP. Check if
151	* this is the case - it's easier to just bail out to CHECKSUM_NONE
152	* in the cases the hardware didn't handle, since it's rare to see
153	* such packets, even though the hardware did calculate the checksum
154	* in this case, just starting after the MAC header instead.
155	*
156	* Starting from Bz hardware, it calculates starting directly after
157	* the MAC header, so that matches mac80211's expectation.
158	*/
159	if (skb->ip_summed == CHECKSUM_COMPLETE) {
160	struct {
161	u8 hdr[6];
162	__be16 type;
163	} __packed *shdr = (void *)((u8 *)hdr + hdrlen + pad_len);
164
165	if (unlikely(headlen - hdrlen < sizeof(*shdr) ||
166	!ether_addr_equal(shdr->hdr, rfc1042_header) ||
167	(shdr->type != htons(ETH_P_IP) &&
168	shdr->type != htons(ETH_P_ARP) &&
169	shdr->type != htons(ETH_P_IPV6) &&
170	shdr->type != htons(ETH_P_8021Q) &&
171	shdr->type != htons(ETH_P_PAE) &&
172	shdr->type != htons(ETH_P_TDLS))))
173	skb->ip_summed = CHECKSUM_NONE;
174	else if (mvm->trans->trans_cfg->device_family < IWL_DEVICE_FAMILY_BZ)
175	/* mac80211 assumes full CSUM including SNAP header */
176	skb_postpush_rcsum(skb, start: shdr, len: sizeof(*shdr));
177	}
178
179	fraglen = len - headlen;
180
181	if (fraglen) {
182	int offset = (u8 *)hdr + headlen + pad_len -
183	(u8 *)rxb_addr(rxb) + rxb_offset(rxb);
184
185	skb_add_rx_frag(skb, i: 0, page: rxb_steal_page(rxb), off: offset,
186	size: fraglen, truesize: rxb->truesize);
187	}
188
189	return 0;
190	}
191
192	/* put a TLV on the skb and return data pointer
193	*
194	* Also pad to 4 the len and zero out all data part
195	*/
196	static void *
197	iwl_mvm_radiotap_put_tlv(struct sk_buff *skb, u16 type, u16 len)
198	{
199	struct ieee80211_radiotap_tlv *tlv;
200
201	tlv = skb_put(skb, len: sizeof(*tlv));
202	tlv->type = cpu_to_le16(type);
203	tlv->len = cpu_to_le16(len);
204	return skb_put_zero(skb, ALIGN(len, 4));
205	}
206
207	static void iwl_mvm_add_rtap_sniffer_config(struct iwl_mvm *mvm,
208	struct sk_buff *skb)
209	{
210	struct ieee80211_rx_status *rx_status = IEEE80211_SKB_RXCB(skb);
211	struct ieee80211_radiotap_vendor_content *radiotap;
212	const u16 vendor_data_len = sizeof(mvm->cur_aid);
213
214	if (!mvm->cur_aid)
215	return;
216
217	radiotap = iwl_mvm_radiotap_put_tlv(skb,
218	type: IEEE80211_RADIOTAP_VENDOR_NAMESPACE,
219	len: sizeof(*radiotap) + vendor_data_len);
220
221	/* Intel OUI */
222	radiotap->oui[0] = 0xf6;
223	radiotap->oui[1] = 0x54;
224	radiotap->oui[2] = 0x25;
225	/* radiotap sniffer config sub-namespace */
226	radiotap->oui_subtype = 1;
227	radiotap->vendor_type = 0;
228
229	/* fill the data now */
230	memcpy(radiotap->data, &mvm->cur_aid, sizeof(mvm->cur_aid));
231
232	rx_status->flag |= RX_FLAG_RADIOTAP_TLV_AT_END;
233	}
234
235	/* iwl_mvm_pass_packet_to_mac80211 - passes the packet for mac80211 */
236	static void iwl_mvm_pass_packet_to_mac80211(struct iwl_mvm *mvm,
237	struct napi_struct *napi,
238	struct sk_buff *skb, int queue,
239	struct ieee80211_sta *sta)
240	{
241	if (unlikely(iwl_mvm_check_pn(mvm, skb, queue, sta))) {
242	kfree_skb(skb);
243	return;
244	}
245
246	ieee80211_rx_napi(hw: mvm->hw, sta, skb, napi);
247	}
248
249	static void iwl_mvm_get_signal_strength(struct iwl_mvm *mvm,
250	struct ieee80211_rx_status *rx_status,
251	u32 rate_n_flags, int energy_a,
252	int energy_b)
253	{
254	int max_energy;
255	u32 rate_flags = rate_n_flags;
256
257	energy_a = energy_a ? -energy_a : S8_MIN;
258	energy_b = energy_b ? -energy_b : S8_MIN;
259	max_energy = max(energy_a, energy_b);
260
261	IWL_DEBUG_STATS(mvm, "energy In A %d B %d, and max %d\n",
262	energy_a, energy_b, max_energy);
263
264	rx_status->signal = max_energy;
265	rx_status->chains =
266	(rate_flags & RATE_MCS_ANT_AB_MSK) >> RATE_MCS_ANT_POS;
267	rx_status->chain_signal[0] = energy_a;
268	rx_status->chain_signal[1] = energy_b;
269	}
270
271	static int iwl_mvm_rx_mgmt_prot(struct ieee80211_sta *sta,
272	struct ieee80211_hdr *hdr,
273	struct iwl_rx_mpdu_desc *desc,
274	u32 status,
275	struct ieee80211_rx_status *stats)
276	{
277	struct wireless_dev *wdev;
278	struct iwl_mvm_sta *mvmsta;
279	struct iwl_mvm_vif *mvmvif;
280	u8 keyid;
281	struct ieee80211_key_conf *key;
282	u32 len = le16_to_cpu(desc->mpdu_len);
283	const u8 *frame = (void *)hdr;
284
285	if ((status & IWL_RX_MPDU_STATUS_SEC_MASK) == IWL_RX_MPDU_STATUS_SEC_NONE)
286	return 0;
287
288	/*
289	* For non-beacon, we don't really care. But beacons may
290	* be filtered out, and we thus need the firmware's replay
291	* detection, otherwise beacons the firmware previously
292	* filtered could be replayed, or something like that, and
293	* it can filter a lot - though usually only if nothing has
294	* changed.
295	*/
296	if (!ieee80211_is_beacon(fc: hdr->frame_control))
297	return 0;
298
299	if (!sta)
300	return -1;
301
302	mvmsta = iwl_mvm_sta_from_mac80211(sta);
303	mvmvif = iwl_mvm_vif_from_mac80211(vif: mvmsta->vif);
304
305	/* key mismatch - will also report !MIC_OK but we shouldn't count it */
306	if (!(status & IWL_RX_MPDU_STATUS_KEY_VALID))
307	goto report;
308
309	/* good cases */
310	if (likely(status & IWL_RX_MPDU_STATUS_MIC_OK &&
311	!(status & IWL_RX_MPDU_STATUS_REPLAY_ERROR))) {
312	stats->flag |= RX_FLAG_DECRYPTED;
313	return 0;
314	}
315
316	/*
317	* both keys will have the same cipher and MIC length, use
318	* whichever one is available
319	*/
320	key = rcu_dereference(mvmvif->bcn_prot.keys[0]);
321	if (!key) {
322	key = rcu_dereference(mvmvif->bcn_prot.keys[1]);
323	if (!key)
324	goto report;
325	}
326
327	if (len < key->icv_len + IEEE80211_GMAC_PN_LEN + 2)
328	goto report;
329
330	/* get the real key ID */
331	keyid = frame[len - key->icv_len - IEEE80211_GMAC_PN_LEN - 2];
332	/* and if that's the other key, look it up */
333	if (keyid != key->keyidx) {
334	/*
335	* shouldn't happen since firmware checked, but be safe
336	* in case the MIC length is wrong too, for example
337	*/
338	if (keyid != 6 && keyid != 7)
339	return -1;
340	key = rcu_dereference(mvmvif->bcn_prot.keys[keyid - 6]);
341	if (!key)
342	goto report;
343	}
344
345	/* Report status to mac80211 */
346	if (!(status & IWL_RX_MPDU_STATUS_MIC_OK))
347	ieee80211_key_mic_failure(keyconf: key);
348	else if (status & IWL_RX_MPDU_STATUS_REPLAY_ERROR)
349	ieee80211_key_replay(keyconf: key);
350	report:
351	wdev = ieee80211_vif_to_wdev(vif: mvmsta->vif);
352	if (wdev->netdev)
353	cfg80211_rx_unprot_mlme_mgmt(dev: wdev->netdev, buf: (void *)hdr, len);
354
355	return -1;
356	}
357
358	static int iwl_mvm_rx_crypto(struct iwl_mvm *mvm, struct ieee80211_sta *sta,
359	struct ieee80211_hdr *hdr,
360	struct ieee80211_rx_status *stats, u16 phy_info,
361	struct iwl_rx_mpdu_desc *desc,
362	u32 pkt_flags, int queue, u8 *crypt_len)
363	{
364	u32 status = le32_to_cpu(desc->status);
365
366	/*
367	* Drop UNKNOWN frames in aggregation, unless in monitor mode
368	* (where we don't have the keys).
369	* We limit this to aggregation because in TKIP this is a valid
370	* scenario, since we may not have the (correct) TTAK (phase 1
371	* key) in the firmware.
372	*/
373	if (phy_info & IWL_RX_MPDU_PHY_AMPDU &&
374	(status & IWL_RX_MPDU_STATUS_SEC_MASK) ==
375	IWL_RX_MPDU_STATUS_SEC_UNKNOWN && !mvm->monitor_on) {
376	IWL_DEBUG_DROP(mvm, "Dropping packets, bad enc status\n");
377	return -1;
378	}
379
380	if (unlikely(ieee80211_is_mgmt(hdr->frame_control) &&
381	!ieee80211_has_protected(hdr->frame_control)))
382	return iwl_mvm_rx_mgmt_prot(sta, hdr, desc, status, stats);
383
384	if (!ieee80211_has_protected(hdr->frame_control) ||
385	(status & IWL_RX_MPDU_STATUS_SEC_MASK) ==
386	IWL_RX_MPDU_STATUS_SEC_NONE)
387	return 0;
388
389	/* TODO: handle packets encrypted with unknown alg */
390
391	switch (status & IWL_RX_MPDU_STATUS_SEC_MASK) {
392	case IWL_RX_MPDU_STATUS_SEC_CCM:
393	case IWL_RX_MPDU_STATUS_SEC_GCM:
394	BUILD_BUG_ON(IEEE80211_CCMP_PN_LEN != IEEE80211_GCMP_PN_LEN);
395	/* alg is CCM: check MIC only */
396	if (!(status & IWL_RX_MPDU_STATUS_MIC_OK)) {
397	IWL_DEBUG_DROP(mvm,
398	"Dropping packet, bad MIC (CCM/GCM)\n");
399	return -1;
400	}
401
402	stats->flag |= RX_FLAG_DECRYPTED | RX_FLAG_MIC_STRIPPED;
403	*crypt_len = IEEE80211_CCMP_HDR_LEN;
404	return 0;
405	case IWL_RX_MPDU_STATUS_SEC_TKIP:
406	/* Don't drop the frame and decrypt it in SW */
407	if (!fw_has_api(&mvm->fw->ucode_capa,
408	IWL_UCODE_TLV_API_DEPRECATE_TTAK) &&
409	!(status & IWL_RX_MPDU_RES_STATUS_TTAK_OK))
410	return 0;
411
412	if (mvm->trans->trans_cfg->gen2 &&
413	!(status & RX_MPDU_RES_STATUS_MIC_OK))
414	stats->flag |= RX_FLAG_MMIC_ERROR;
415
416	*crypt_len = IEEE80211_TKIP_IV_LEN;
417	fallthrough;
418	case IWL_RX_MPDU_STATUS_SEC_WEP:
419	if (!(status & IWL_RX_MPDU_STATUS_ICV_OK))
420	return -1;
421
422	stats->flag |= RX_FLAG_DECRYPTED;
423	if ((status & IWL_RX_MPDU_STATUS_SEC_MASK) ==
424	IWL_RX_MPDU_STATUS_SEC_WEP)
425	*crypt_len = IEEE80211_WEP_IV_LEN;
426
427	if (pkt_flags & FH_RSCSR_RADA_EN) {
428	stats->flag |= RX_FLAG_ICV_STRIPPED;
429	if (mvm->trans->trans_cfg->gen2)
430	stats->flag |= RX_FLAG_MMIC_STRIPPED;
431	}
432
433	return 0;
434	case IWL_RX_MPDU_STATUS_SEC_EXT_ENC:
435	if (!(status & IWL_RX_MPDU_STATUS_MIC_OK))
436	return -1;
437	stats->flag |= RX_FLAG_DECRYPTED;
438	return 0;
439	case RX_MPDU_RES_STATUS_SEC_CMAC_GMAC_ENC:
440	break;
441	default:
442	/*
443	* Sometimes we can get frames that were not decrypted
444	* because the firmware didn't have the keys yet. This can
445	* happen after connection where we can get multicast frames
446	* before the GTK is installed.
447	* Silently drop those frames.
448	* Also drop un-decrypted frames in monitor mode.
449	*/
450	if (!is_multicast_ether_addr(addr: hdr->addr1) &&
451	!mvm->monitor_on && net_ratelimit())
452	IWL_WARN(mvm, "Unhandled alg: 0x%x\n", status);
453	}
454
455	return 0;
456	}
457
458	static void iwl_mvm_rx_csum(struct iwl_mvm *mvm,
459	struct ieee80211_sta *sta,
460	struct sk_buff *skb,
461	struct iwl_rx_packet *pkt)
462	{
463	struct iwl_rx_mpdu_desc *desc = (void *)pkt->data;
464
465	if (mvm->trans->trans_cfg->device_family >= IWL_DEVICE_FAMILY_AX210) {
466	if (pkt->len_n_flags & cpu_to_le32(FH_RSCSR_RPA_EN)) {
467	u16 hwsum = be16_to_cpu(desc->v3.raw_xsum);
468
469	skb->ip_summed = CHECKSUM_COMPLETE;
470	skb->csum = csum_unfold(n: ~(__force __sum16)hwsum);
471	}
472	} else {
473	struct iwl_mvm_sta *mvmsta = iwl_mvm_sta_from_mac80211(sta);
474	struct iwl_mvm_vif *mvmvif;
475	u16 flags = le16_to_cpu(desc->l3l4_flags);
476	u8 l3_prot = (u8)((flags & IWL_RX_L3L4_L3_PROTO_MASK) >>
477	IWL_RX_L3_PROTO_POS);
478
479	mvmvif = iwl_mvm_vif_from_mac80211(vif: mvmsta->vif);
480
481	if (mvmvif->features & NETIF_F_RXCSUM &&
482	flags & IWL_RX_L3L4_TCP_UDP_CSUM_OK &&
483	(flags & IWL_RX_L3L4_IP_HDR_CSUM_OK ||
484	l3_prot == IWL_RX_L3_TYPE_IPV6 ||
485	l3_prot == IWL_RX_L3_TYPE_IPV6_FRAG))
486	skb->ip_summed = CHECKSUM_UNNECESSARY;
487	}
488	}
489
490	/*
491	* returns true if a packet is a duplicate or invalid tid and should be dropped.
492	* Updates AMSDU PN tracking info
493	*/
494	static bool iwl_mvm_is_dup(struct ieee80211_sta *sta, int queue,
495	struct ieee80211_rx_status *rx_status,
496	struct ieee80211_hdr *hdr,
497	struct iwl_rx_mpdu_desc *desc)
498	{
499	struct iwl_mvm_sta *mvm_sta;
500	struct iwl_mvm_rxq_dup_data *dup_data;
501	u8 tid, sub_frame_idx;
502
503	if (WARN_ON(IS_ERR_OR_NULL(sta)))
504	return false;
505
506	mvm_sta = iwl_mvm_sta_from_mac80211(sta);
507
508	if (WARN_ON_ONCE(!mvm_sta->dup_data))
509	return false;
510
511	dup_data = &mvm_sta->dup_data[queue];
512
513	/*
514	* Drop duplicate 802.11 retransmissions
515	* (IEEE 802.11-2012: 9.3.2.10 "Duplicate detection and recovery")
516	*/
517	if (ieee80211_is_ctl(fc: hdr->frame_control) ||
518	ieee80211_is_any_nullfunc(fc: hdr->frame_control) ||
519	is_multicast_ether_addr(addr: hdr->addr1))
520	return false;
521
522	if (ieee80211_is_data_qos(fc: hdr->frame_control)) {
523	/* frame has qos control */
524	tid = ieee80211_get_tid(hdr);
525	if (tid >= IWL_MAX_TID_COUNT)
526	return true;
527	} else {
528	tid = IWL_MAX_TID_COUNT;
529	}
530
531	/* If this wasn't a part of an A-MSDU the sub-frame index will be 0 */
532	sub_frame_idx = desc->amsdu_info &
533	IWL_RX_MPDU_AMSDU_SUBFRAME_IDX_MASK;
534
535	if (unlikely(ieee80211_has_retry(hdr->frame_control) &&
536	dup_data->last_seq[tid] == hdr->seq_ctrl &&
537	dup_data->last_sub_frame[tid] >= sub_frame_idx))
538	return true;
539
540	/* Allow same PN as the first subframe for following sub frames */
541	if (dup_data->last_seq[tid] == hdr->seq_ctrl &&
542	sub_frame_idx > dup_data->last_sub_frame[tid] &&
543	desc->mac_flags2 & IWL_RX_MPDU_MFLG2_AMSDU)
544	rx_status->flag |= RX_FLAG_ALLOW_SAME_PN;
545
546	dup_data->last_seq[tid] = hdr->seq_ctrl;
547	dup_data->last_sub_frame[tid] = sub_frame_idx;
548
549	rx_status->flag |= RX_FLAG_DUP_VALIDATED;
550
551	return false;
552	}
553
554	static void iwl_mvm_release_frames(struct iwl_mvm *mvm,
555	struct ieee80211_sta *sta,
556	struct napi_struct *napi,
557	struct iwl_mvm_baid_data *baid_data,
558	struct iwl_mvm_reorder_buffer *reorder_buf,
559	u16 nssn)
560	{
561	struct iwl_mvm_reorder_buf_entry *entries =
562	&baid_data->entries[reorder_buf->queue *
563	baid_data->entries_per_queue];
564	u16 ssn = reorder_buf->head_sn;
565
566	lockdep_assert_held(&reorder_buf->lock);
567
568	while (ieee80211_sn_less(sn1: ssn, sn2: nssn)) {
569	int index = ssn % reorder_buf->buf_size;
570	struct sk_buff_head *skb_list = &entries[index].frames;
571	struct sk_buff *skb;
572
573	ssn = ieee80211_sn_inc(sn: ssn);
574
575	/*
576	* Empty the list. Will have more than one frame for A-MSDU.
577	* Empty list is valid as well since nssn indicates frames were
578	* received.
579	*/
580	while ((skb = __skb_dequeue(list: skb_list))) {
581	iwl_mvm_pass_packet_to_mac80211(mvm, napi, skb,
582	queue: reorder_buf->queue,
583	sta);
584	reorder_buf->num_stored--;
585	}
586	}
587	reorder_buf->head_sn = nssn;
588	}
589
590	static void iwl_mvm_del_ba(struct iwl_mvm *mvm, int queue,
591	struct iwl_mvm_delba_data *data)
592	{
593	struct iwl_mvm_baid_data *ba_data;
594	struct ieee80211_sta *sta;
595	struct iwl_mvm_reorder_buffer *reorder_buf;
596	u8 baid = data->baid;
597	u32 sta_id;
598
599	if (WARN_ONCE(baid >= IWL_MAX_BAID, "invalid BAID: %x\n", baid))
600	return;
601
602	rcu_read_lock();
603
604	ba_data = rcu_dereference(mvm->baid_map[baid]);
605	if (WARN_ON_ONCE(!ba_data))
606	goto out;
607
608	/* pick any STA ID to find the pointer */
609	sta_id = ffs(ba_data->sta_mask) - 1;
610	sta = rcu_dereference(mvm->fw_id_to_mac_id[sta_id]);
611	if (WARN_ON_ONCE(IS_ERR_OR_NULL(sta)))
612	goto out;
613
614	reorder_buf = &ba_data->reorder_buf[queue];
615
616	/* release all frames that are in the reorder buffer to the stack */
617	spin_lock_bh(lock: &reorder_buf->lock);
618	iwl_mvm_release_frames(mvm, sta, NULL, baid_data: ba_data, reorder_buf,
619	nssn: ieee80211_sn_add(sn1: reorder_buf->head_sn,
620	sn2: reorder_buf->buf_size));
621	spin_unlock_bh(lock: &reorder_buf->lock);
622
623	out:
624	rcu_read_unlock();
625	}
626
627	static void iwl_mvm_release_frames_from_notif(struct iwl_mvm *mvm,
628	struct napi_struct *napi,
629	u8 baid, u16 nssn, int queue)
630	{
631	struct ieee80211_sta *sta;
632	struct iwl_mvm_reorder_buffer *reorder_buf;
633	struct iwl_mvm_baid_data *ba_data;
634	u32 sta_id;
635
636	IWL_DEBUG_HT(mvm, "Frame release notification for BAID %u, NSSN %d\n",
637	baid, nssn);
638
639	if (WARN_ON_ONCE(baid == IWL_RX_REORDER_DATA_INVALID_BAID ||
640	baid >= ARRAY_SIZE(mvm->baid_map)))
641	return;
642
643	rcu_read_lock();
644
645	ba_data = rcu_dereference(mvm->baid_map[baid]);
646	if (WARN(!ba_data, "BAID %d not found in map\n", baid))
647	goto out;
648
649	/* pick any STA ID to find the pointer */
650	sta_id = ffs(ba_data->sta_mask) - 1;
651	sta = rcu_dereference(mvm->fw_id_to_mac_id[sta_id]);
652	if (WARN_ON_ONCE(IS_ERR_OR_NULL(sta)))
653	goto out;
654
655	reorder_buf = &ba_data->reorder_buf[queue];
656
657	spin_lock_bh(lock: &reorder_buf->lock);
658	iwl_mvm_release_frames(mvm, sta, napi, baid_data: ba_data,
659	reorder_buf, nssn);
660	spin_unlock_bh(lock: &reorder_buf->lock);
661
662	out:
663	rcu_read_unlock();
664	}
665
666	void iwl_mvm_rx_queue_notif(struct iwl_mvm *mvm, struct napi_struct *napi,
667	struct iwl_rx_cmd_buffer *rxb, int queue)
668	{
669	struct iwl_rx_packet *pkt = rxb_addr(rxb);
670	struct iwl_rxq_sync_notification *notif;
671	struct iwl_mvm_internal_rxq_notif *internal_notif;
672	u32 len = iwl_rx_packet_payload_len(pkt);
673
674	notif = (void *)pkt->data;
675	internal_notif = (void *)notif->payload;
676
677	if (WARN_ONCE(len < sizeof(*notif) + sizeof(*internal_notif),
678	"invalid notification size %d (%d)",
679	len, (int)(sizeof(*notif) + sizeof(*internal_notif))))
680	return;
681	len -= sizeof(*notif) + sizeof(*internal_notif);
682
683	if (WARN_ONCE(internal_notif->sync &&
684	mvm->queue_sync_cookie != internal_notif->cookie,
685	"Received expired RX queue sync message (cookie %d but wanted %d, queue %d)\n",
686	internal_notif->cookie, mvm->queue_sync_cookie, queue))
687	return;
688
689	switch (internal_notif->type) {
690	case IWL_MVM_RXQ_EMPTY:
691	WARN_ONCE(len, "invalid empty notification size %d", len);
692	break;
693	case IWL_MVM_RXQ_NOTIF_DEL_BA:
694	if (WARN_ONCE(len != sizeof(struct iwl_mvm_delba_data),
695	"invalid delba notification size %d (%d)",
696	len, (int)sizeof(struct iwl_mvm_delba_data)))
697	break;
698	iwl_mvm_del_ba(mvm, queue, data: (void *)internal_notif->data);
699	break;
700	default:
701	WARN_ONCE(1, "Invalid identifier %d", internal_notif->type);
702	}
703
704	if (internal_notif->sync) {
705	WARN_ONCE(!test_and_clear_bit(queue, &mvm->queue_sync_state),
706	"queue sync: queue %d responded a second time!\n",
707	queue);
708	if (READ_ONCE(mvm->queue_sync_state) == 0)
709	wake_up(&mvm->rx_sync_waitq);
710	}
711	}
712
713	/*
714	* Returns true if the MPDU was buffered\dropped, false if it should be passed
715	* to upper layer.
716	*/
717	static bool iwl_mvm_reorder(struct iwl_mvm *mvm,
718	struct napi_struct *napi,
719	int queue,
720	struct ieee80211_sta *sta,
721	struct sk_buff *skb,
722	struct iwl_rx_mpdu_desc *desc)
723	{
724	struct ieee80211_hdr *hdr = (void *)skb_mac_header(skb);
725	struct iwl_mvm_baid_data *baid_data;
726	struct iwl_mvm_reorder_buffer *buffer;
727	u32 reorder = le32_to_cpu(desc->reorder_data);
728	bool amsdu = desc->mac_flags2 & IWL_RX_MPDU_MFLG2_AMSDU;
729	bool last_subframe =
730	desc->amsdu_info & IWL_RX_MPDU_AMSDU_LAST_SUBFRAME;
731	u8 tid = ieee80211_get_tid(hdr);
732	u8 sub_frame_idx = desc->amsdu_info &
733	IWL_RX_MPDU_AMSDU_SUBFRAME_IDX_MASK;
734	struct iwl_mvm_reorder_buf_entry *entries;
735	u32 sta_mask;
736	int index;
737	u16 nssn, sn;
738	u8 baid;
739
740	baid = (reorder & IWL_RX_MPDU_REORDER_BAID_MASK) >>
741	IWL_RX_MPDU_REORDER_BAID_SHIFT;
742
743	if (mvm->trans->trans_cfg->device_family == IWL_DEVICE_FAMILY_9000)
744	return false;
745
746	/*
747	* This also covers the case of receiving a Block Ack Request
748	* outside a BA session; we'll pass it to mac80211 and that
749	* then sends a delBA action frame.
750	* This also covers pure monitor mode, in which case we won't
751	* have any BA sessions.
752	*/
753	if (baid == IWL_RX_REORDER_DATA_INVALID_BAID)
754	return false;
755
756	/* no sta yet */
757	if (WARN_ONCE(IS_ERR_OR_NULL(sta),
758	"Got valid BAID without a valid station assigned\n"))
759	return false;
760
761	/* not a data packet or a bar */
762	if (!ieee80211_is_back_req(fc: hdr->frame_control) &&
763	(!ieee80211_is_data_qos(fc: hdr->frame_control) ||
764	is_multicast_ether_addr(addr: hdr->addr1)))
765	return false;
766
767	if (unlikely(!ieee80211_is_data_present(hdr->frame_control)))
768	return false;
769
770	baid_data = rcu_dereference(mvm->baid_map[baid]);
771	if (!baid_data) {
772	IWL_DEBUG_RX(mvm,
773	"Got valid BAID but no baid allocated, bypass the re-ordering buffer. Baid %d reorder 0x%x\n",
774	baid, reorder);
775	return false;
776	}
777
778	rcu_read_lock();
779	sta_mask = iwl_mvm_sta_fw_id_mask(mvm, sta, filter_link_id: -1);
780	rcu_read_unlock();
781
782	if (IWL_FW_CHECK(mvm,
783	tid != baid_data->tid ||
784	!(sta_mask & baid_data->sta_mask),
785	"baid 0x%x is mapped to sta_mask:0x%x tid:%d, but was received for sta_mask:0x%x tid:%d\n",
786	baid, baid_data->sta_mask, baid_data->tid,
787	sta_mask, tid))
788	return false;
789
790	nssn = reorder & IWL_RX_MPDU_REORDER_NSSN_MASK;
791	sn = (reorder & IWL_RX_MPDU_REORDER_SN_MASK) >>
792	IWL_RX_MPDU_REORDER_SN_SHIFT;
793
794	buffer = &baid_data->reorder_buf[queue];
795	entries = &baid_data->entries[queue * baid_data->entries_per_queue];
796
797	spin_lock_bh(lock: &buffer->lock);
798
799	if (!buffer->valid) {
800	if (reorder & IWL_RX_MPDU_REORDER_BA_OLD_SN) {
801	spin_unlock_bh(lock: &buffer->lock);
802	return false;
803	}
804	buffer->valid = true;
805	}
806
807	/* drop any duplicated packets */
808	if (desc->status & cpu_to_le32(IWL_RX_MPDU_STATUS_DUPLICATE))
809	goto drop;
810
811	/* drop any oudated packets */
812	if (reorder & IWL_RX_MPDU_REORDER_BA_OLD_SN)
813	goto drop;
814
815	/* release immediately if allowed by nssn and no stored frames */
816	if (!buffer->num_stored && ieee80211_sn_less(sn1: sn, sn2: nssn)) {
817	if (!amsdu || last_subframe)
818	buffer->head_sn = nssn;
819	/* No need to update AMSDU last SN - we are moving the head */
820	spin_unlock_bh(lock: &buffer->lock);
821	return false;
822	}
823
824	/*
825	* release immediately if there are no stored frames, and the sn is
826	* equal to the head.
827	* This can happen due to reorder timer, where NSSN is behind head_sn.
828	* When we released everything, and we got the next frame in the
829	* sequence, according to the NSSN we can't release immediately,
830	* while technically there is no hole and we can move forward.
831	*/
832	if (!buffer->num_stored && sn == buffer->head_sn) {
833	if (!amsdu || last_subframe)
834	buffer->head_sn = ieee80211_sn_inc(sn: buffer->head_sn);
835
836	/* No need to update AMSDU last SN - we are moving the head */
837	spin_unlock_bh(lock: &buffer->lock);
838	return false;
839	}
840
841	/* put in reorder buffer */
842	index = sn % buffer->buf_size;
843	__skb_queue_tail(list: &entries[index].frames, newsk: skb);
844	buffer->num_stored++;
845
846	if (amsdu) {
847	buffer->last_amsdu = sn;
848	buffer->last_sub_index = sub_frame_idx;
849	}
850
851	/*
852	* We cannot trust NSSN for AMSDU sub-frames that are not the last.
853	* The reason is that NSSN advances on the first sub-frame, and may
854	* cause the reorder buffer to advance before all the sub-frames arrive.
855	* Example: reorder buffer contains SN 0 & 2, and we receive AMSDU with
856	* SN 1. NSSN for first sub frame will be 3 with the result of driver
857	* releasing SN 0,1, 2. When sub-frame 1 arrives - reorder buffer is
858	* already ahead and it will be dropped.
859	* If the last sub-frame is not on this queue - we will get frame
860	* release notification with up to date NSSN.
861	*/
862	if (!amsdu || last_subframe)
863	iwl_mvm_release_frames(mvm, sta, napi, baid_data,
864	reorder_buf: buffer, nssn);
865
866	spin_unlock_bh(lock: &buffer->lock);
867	return true;
868
869	drop:
870	kfree_skb(skb);
871	spin_unlock_bh(lock: &buffer->lock);
872	return true;
873	}
874
875	static void iwl_mvm_agg_rx_received(struct iwl_mvm *mvm,
876	u32 reorder_data, u8 baid)
877	{
878	unsigned long now = jiffies;
879	unsigned long timeout;
880	struct iwl_mvm_baid_data *data;
881
882	rcu_read_lock();
883
884	data = rcu_dereference(mvm->baid_map[baid]);
885	if (!data) {
886	IWL_DEBUG_RX(mvm,
887	"Got valid BAID but no baid allocated, bypass the re-ordering buffer. Baid %d reorder 0x%x\n",
888	baid, reorder_data);
889	goto out;
890	}
891
892	if (!data->timeout)
893	goto out;
894
895	timeout = data->timeout;
896	/*
897	* Do not update last rx all the time to avoid cache bouncing
898	* between the rx queues.
899	* Update it every timeout. Worst case is the session will
900	* expire after ~ 2 * timeout, which doesn't matter that much.
901	*/
902	if (time_before(data->last_rx + TU_TO_JIFFIES(timeout), now))
903	/* Update is atomic */
904	data->last_rx = now;
905
906	out:
907	rcu_read_unlock();
908	}
909
910	static void iwl_mvm_flip_address(u8 *addr)
911	{
912	int i;
913	u8 mac_addr[ETH_ALEN];
914
915	for (i = 0; i < ETH_ALEN; i++)
916	mac_addr[i] = addr[ETH_ALEN - i - 1];
917	ether_addr_copy(dst: addr, src: mac_addr);
918	}
919
920	struct iwl_mvm_rx_phy_data {
921	enum iwl_rx_phy_info_type info_type;
922	__le32 d0, d1, d2, d3, eht_d4, d5;
923	__le16 d4;
924	bool with_data;
925	bool first_subframe;
926	__le32 rx_vec[4];
927
928	u32 rate_n_flags;
929	u32 gp2_on_air_rise;
930	u16 phy_info;
931	u8 energy_a, energy_b;
932	u8 channel;
933	};
934
935	static void iwl_mvm_decode_he_mu_ext(struct iwl_mvm *mvm,
936	struct iwl_mvm_rx_phy_data *phy_data,
937	struct ieee80211_radiotap_he_mu *he_mu)
938	{
939	u32 phy_data2 = le32_to_cpu(phy_data->d2);
940	u32 phy_data3 = le32_to_cpu(phy_data->d3);
941	u16 phy_data4 = le16_to_cpu(phy_data->d4);
942	u32 rate_n_flags = phy_data->rate_n_flags;
943
944	if (FIELD_GET(IWL_RX_PHY_DATA4_HE_MU_EXT_CH1_CRC_OK, phy_data4)) {
945	he_mu->flags1 |=
946	cpu_to_le16(IEEE80211_RADIOTAP_HE_MU_FLAGS1_CH1_RU_KNOWN |
947	IEEE80211_RADIOTAP_HE_MU_FLAGS1_CH1_CTR_26T_RU_KNOWN);
948
949	he_mu->flags1 |=
950	le16_encode_bits(FIELD_GET(IWL_RX_PHY_DATA4_HE_MU_EXT_CH1_CTR_RU,
951	phy_data4),
952	IEEE80211_RADIOTAP_HE_MU_FLAGS1_CH1_CTR_26T_RU);
953
954	he_mu->ru_ch1[0] = FIELD_GET(IWL_RX_PHY_DATA2_HE_MU_EXT_CH1_RU0,
955	phy_data2);
956	he_mu->ru_ch1[1] = FIELD_GET(IWL_RX_PHY_DATA3_HE_MU_EXT_CH1_RU1,
957	phy_data3);
958	he_mu->ru_ch1[2] = FIELD_GET(IWL_RX_PHY_DATA2_HE_MU_EXT_CH1_RU2,
959	phy_data2);
960	he_mu->ru_ch1[3] = FIELD_GET(IWL_RX_PHY_DATA3_HE_MU_EXT_CH1_RU3,
961	phy_data3);
962	}
963
964	if (FIELD_GET(IWL_RX_PHY_DATA4_HE_MU_EXT_CH2_CRC_OK, phy_data4) &&
965	(rate_n_flags & RATE_MCS_CHAN_WIDTH_MSK_V1) != RATE_MCS_CHAN_WIDTH_20) {
966	he_mu->flags1 |=
967	cpu_to_le16(IEEE80211_RADIOTAP_HE_MU_FLAGS1_CH2_RU_KNOWN |
968	IEEE80211_RADIOTAP_HE_MU_FLAGS1_CH2_CTR_26T_RU_KNOWN);
969
970	he_mu->flags2 |=
971	le16_encode_bits(FIELD_GET(IWL_RX_PHY_DATA4_HE_MU_EXT_CH2_CTR_RU,
972	phy_data4),
973	IEEE80211_RADIOTAP_HE_MU_FLAGS2_CH2_CTR_26T_RU);
974
975	he_mu->ru_ch2[0] = FIELD_GET(IWL_RX_PHY_DATA2_HE_MU_EXT_CH2_RU0,
976	phy_data2);
977	he_mu->ru_ch2[1] = FIELD_GET(IWL_RX_PHY_DATA3_HE_MU_EXT_CH2_RU1,
978	phy_data3);
979	he_mu->ru_ch2[2] = FIELD_GET(IWL_RX_PHY_DATA2_HE_MU_EXT_CH2_RU2,
980	phy_data2);
981	he_mu->ru_ch2[3] = FIELD_GET(IWL_RX_PHY_DATA3_HE_MU_EXT_CH2_RU3,
982	phy_data3);
983	}
984	}
985
986	static void
987	iwl_mvm_decode_he_phy_ru_alloc(struct iwl_mvm_rx_phy_data *phy_data,
988	struct ieee80211_radiotap_he *he,
989	struct ieee80211_radiotap_he_mu *he_mu,
990	struct ieee80211_rx_status *rx_status)
991	{
992	/*
993	* Unfortunately, we have to leave the mac80211 data
994	* incorrect for the case that we receive an HE-MU
995	* transmission and *don't* have the HE phy data (due
996	* to the bits being used for TSF). This shouldn't
997	* happen though as management frames where we need
998	* the TSF/timers are not be transmitted in HE-MU.
999	*/
1000	u8 ru = le32_get_bits(phy_data->d1, IWL_RX_PHY_DATA1_HE_RU_ALLOC_MASK);
1001	u32 rate_n_flags = phy_data->rate_n_flags;
1002	u32 he_type = rate_n_flags & RATE_MCS_HE_TYPE_MSK_V1;
1003	u8 offs = 0;
1004
1005	rx_status->bw = RATE_INFO_BW_HE_RU;
1006
1007	he->data1 |= cpu_to_le16(IEEE80211_RADIOTAP_HE_DATA1_BW_RU_ALLOC_KNOWN);
1008
1009	switch (ru) {
1010	case 0 ... 36:
1011	rx_status->he_ru = NL80211_RATE_INFO_HE_RU_ALLOC_26;
1012	offs = ru;
1013	break;
1014	case 37 ... 52:
1015	rx_status->he_ru = NL80211_RATE_INFO_HE_RU_ALLOC_52;
1016	offs = ru - 37;
1017	break;
1018	case 53 ... 60:
1019	rx_status->he_ru = NL80211_RATE_INFO_HE_RU_ALLOC_106;
1020	offs = ru - 53;
1021	break;
1022	case 61 ... 64:
1023	rx_status->he_ru = NL80211_RATE_INFO_HE_RU_ALLOC_242;
1024	offs = ru - 61;
1025	break;
1026	case 65 ... 66:
1027	rx_status->he_ru = NL80211_RATE_INFO_HE_RU_ALLOC_484;
1028	offs = ru - 65;
1029	break;
1030	case 67:
1031	rx_status->he_ru = NL80211_RATE_INFO_HE_RU_ALLOC_996;
1032	break;
1033	case 68:
1034	rx_status->he_ru = NL80211_RATE_INFO_HE_RU_ALLOC_2x996;
1035	break;
1036	}
1037	he->data2 |= le16_encode_bits(v: offs,
1038	field: IEEE80211_RADIOTAP_HE_DATA2_RU_OFFSET);
1039	he->data2 |= cpu_to_le16(IEEE80211_RADIOTAP_HE_DATA2_PRISEC_80_KNOWN |
1040	IEEE80211_RADIOTAP_HE_DATA2_RU_OFFSET_KNOWN);
1041	if (phy_data->d1 & cpu_to_le32(IWL_RX_PHY_DATA1_HE_RU_ALLOC_SEC80))
1042	he->data2 |=
1043	cpu_to_le16(IEEE80211_RADIOTAP_HE_DATA2_PRISEC_80_SEC);
1044
1045	#define CHECK_BW(bw) \
1046	BUILD_BUG_ON(IEEE80211_RADIOTAP_HE_MU_FLAGS2_BW_FROM_SIG_A_BW_ ## bw ## MHZ != \
1047	RATE_MCS_CHAN_WIDTH_##bw >> RATE_MCS_CHAN_WIDTH_POS); \
1048	BUILD_BUG_ON(IEEE80211_RADIOTAP_HE_DATA6_TB_PPDU_BW_ ## bw ## MHZ != \
1049	RATE_MCS_CHAN_WIDTH_##bw >> RATE_MCS_CHAN_WIDTH_POS)
1050	CHECK_BW(20);
1051	CHECK_BW(40);
1052	CHECK_BW(80);
1053	CHECK_BW(160);
1054
1055	if (he_mu)
1056	he_mu->flags2 |=
1057	le16_encode_bits(FIELD_GET(RATE_MCS_CHAN_WIDTH_MSK_V1,
1058	rate_n_flags),
1059	IEEE80211_RADIOTAP_HE_MU_FLAGS2_BW_FROM_SIG_A_BW);
1060	else if (he_type == RATE_MCS_HE_TYPE_TRIG_V1)
1061	he->data6 |=
1062	cpu_to_le16(IEEE80211_RADIOTAP_HE_DATA6_TB_PPDU_BW_KNOWN) |
1063	le16_encode_bits(FIELD_GET(RATE_MCS_CHAN_WIDTH_MSK_V1,
1064	rate_n_flags),
1065	IEEE80211_RADIOTAP_HE_DATA6_TB_PPDU_BW);
1066	}
1067
1068	static void iwl_mvm_decode_he_phy_data(struct iwl_mvm *mvm,
1069	struct iwl_mvm_rx_phy_data *phy_data,
1070	struct ieee80211_radiotap_he *he,
1071	struct ieee80211_radiotap_he_mu *he_mu,
1072	struct ieee80211_rx_status *rx_status,
1073	int queue)
1074	{
1075	switch (phy_data->info_type) {
1076	case IWL_RX_PHY_INFO_TYPE_NONE:
1077	case IWL_RX_PHY_INFO_TYPE_CCK:
1078	case IWL_RX_PHY_INFO_TYPE_OFDM_LGCY:
1079	case IWL_RX_PHY_INFO_TYPE_HT:
1080	case IWL_RX_PHY_INFO_TYPE_VHT_SU:
1081	case IWL_RX_PHY_INFO_TYPE_VHT_MU:
1082	case IWL_RX_PHY_INFO_TYPE_EHT_MU:
1083	case IWL_RX_PHY_INFO_TYPE_EHT_TB:
1084	case IWL_RX_PHY_INFO_TYPE_EHT_MU_EXT:
1085	case IWL_RX_PHY_INFO_TYPE_EHT_TB_EXT:
1086	return;
1087	case IWL_RX_PHY_INFO_TYPE_HE_TB_EXT:
1088	he->data1 |= cpu_to_le16(IEEE80211_RADIOTAP_HE_DATA1_SPTL_REUSE_KNOWN |
1089	IEEE80211_RADIOTAP_HE_DATA1_SPTL_REUSE2_KNOWN |
1090	IEEE80211_RADIOTAP_HE_DATA1_SPTL_REUSE3_KNOWN |
1091	IEEE80211_RADIOTAP_HE_DATA1_SPTL_REUSE4_KNOWN);
1092	he->data4 |= le16_encode_bits(le32_get_bits(phy_data->d2,
1093	IWL_RX_PHY_DATA2_HE_TB_EXT_SPTL_REUSE1),
1094	IEEE80211_RADIOTAP_HE_DATA4_TB_SPTL_REUSE1);
1095	he->data4 |= le16_encode_bits(le32_get_bits(phy_data->d2,
1096	IWL_RX_PHY_DATA2_HE_TB_EXT_SPTL_REUSE2),
1097	IEEE80211_RADIOTAP_HE_DATA4_TB_SPTL_REUSE2);
1098	he->data4 |= le16_encode_bits(le32_get_bits(phy_data->d2,
1099	IWL_RX_PHY_DATA2_HE_TB_EXT_SPTL_REUSE3),
1100	IEEE80211_RADIOTAP_HE_DATA4_TB_SPTL_REUSE3);
1101	he->data4 |= le16_encode_bits(le32_get_bits(phy_data->d2,
1102	IWL_RX_PHY_DATA2_HE_TB_EXT_SPTL_REUSE4),
1103	IEEE80211_RADIOTAP_HE_DATA4_TB_SPTL_REUSE4);
1104	fallthrough;
1105	case IWL_RX_PHY_INFO_TYPE_HE_SU:
1106	case IWL_RX_PHY_INFO_TYPE_HE_MU:
1107	case IWL_RX_PHY_INFO_TYPE_HE_MU_EXT:
1108	case IWL_RX_PHY_INFO_TYPE_HE_TB:
1109	/* HE common */
1110	he->data1 |= cpu_to_le16(IEEE80211_RADIOTAP_HE_DATA1_LDPC_XSYMSEG_KNOWN |
1111	IEEE80211_RADIOTAP_HE_DATA1_DOPPLER_KNOWN |
1112	IEEE80211_RADIOTAP_HE_DATA1_BSS_COLOR_KNOWN);
1113	he->data2 |= cpu_to_le16(IEEE80211_RADIOTAP_HE_DATA2_PRE_FEC_PAD_KNOWN |
1114	IEEE80211_RADIOTAP_HE_DATA2_PE_DISAMBIG_KNOWN |
1115	IEEE80211_RADIOTAP_HE_DATA2_TXOP_KNOWN |
1116	IEEE80211_RADIOTAP_HE_DATA2_NUM_LTF_SYMS_KNOWN);
1117	he->data3 |= le16_encode_bits(le32_get_bits(phy_data->d0,
1118	IWL_RX_PHY_DATA0_HE_BSS_COLOR_MASK),
1119	IEEE80211_RADIOTAP_HE_DATA3_BSS_COLOR);
1120	if (phy_data->info_type != IWL_RX_PHY_INFO_TYPE_HE_TB &&
1121	phy_data->info_type != IWL_RX_PHY_INFO_TYPE_HE_TB_EXT) {
1122	he->data1 |= cpu_to_le16(IEEE80211_RADIOTAP_HE_DATA1_UL_DL_KNOWN);
1123	he->data3 |= le16_encode_bits(le32_get_bits(phy_data->d0,
1124	IWL_RX_PHY_DATA0_HE_UPLINK),
1125	IEEE80211_RADIOTAP_HE_DATA3_UL_DL);
1126	}
1127	he->data3 |= le16_encode_bits(le32_get_bits(phy_data->d0,
1128	IWL_RX_PHY_DATA0_HE_LDPC_EXT_SYM),
1129	IEEE80211_RADIOTAP_HE_DATA3_LDPC_XSYMSEG);
1130	he->data5 |= le16_encode_bits(le32_get_bits(phy_data->d0,
1131	IWL_RX_PHY_DATA0_HE_PRE_FEC_PAD_MASK),
1132	IEEE80211_RADIOTAP_HE_DATA5_PRE_FEC_PAD);
1133	he->data5 |= le16_encode_bits(le32_get_bits(phy_data->d0,
1134	IWL_RX_PHY_DATA0_HE_PE_DISAMBIG),
1135	IEEE80211_RADIOTAP_HE_DATA5_PE_DISAMBIG);
1136	he->data5 |= le16_encode_bits(le32_get_bits(phy_data->d1,
1137	IWL_RX_PHY_DATA1_HE_LTF_NUM_MASK),
1138	IEEE80211_RADIOTAP_HE_DATA5_NUM_LTF_SYMS);
1139	he->data6 |= le16_encode_bits(le32_get_bits(phy_data->d0,
1140	IWL_RX_PHY_DATA0_HE_TXOP_DUR_MASK),
1141	IEEE80211_RADIOTAP_HE_DATA6_TXOP);
1142	he->data6 |= le16_encode_bits(le32_get_bits(phy_data->d0,
1143	IWL_RX_PHY_DATA0_HE_DOPPLER),
1144	IEEE80211_RADIOTAP_HE_DATA6_DOPPLER);
1145	break;
1146	}
1147
1148	switch (phy_data->info_type) {
1149	case IWL_RX_PHY_INFO_TYPE_HE_MU_EXT:
1150	case IWL_RX_PHY_INFO_TYPE_HE_MU:
1151	case IWL_RX_PHY_INFO_TYPE_HE_SU:
1152	he->data1 |= cpu_to_le16(IEEE80211_RADIOTAP_HE_DATA1_SPTL_REUSE_KNOWN);
1153	he->data4 |= le16_encode_bits(le32_get_bits(phy_data->d0,
1154	IWL_RX_PHY_DATA0_HE_SPATIAL_REUSE_MASK),
1155	IEEE80211_RADIOTAP_HE_DATA4_SU_MU_SPTL_REUSE);
1156	break;
1157	default:
1158	/* nothing here */
1159	break;
1160	}
1161
1162	switch (phy_data->info_type) {
1163	case IWL_RX_PHY_INFO_TYPE_HE_MU_EXT:
1164	he_mu->flags1 |=
1165	le16_encode_bits(le16_get_bits(phy_data->d4,
1166	IWL_RX_PHY_DATA4_HE_MU_EXT_SIGB_DCM),
1167	IEEE80211_RADIOTAP_HE_MU_FLAGS1_SIG_B_DCM);
1168	he_mu->flags1 |=
1169	le16_encode_bits(le16_get_bits(phy_data->d4,
1170	IWL_RX_PHY_DATA4_HE_MU_EXT_SIGB_MCS_MASK),
1171	IEEE80211_RADIOTAP_HE_MU_FLAGS1_SIG_B_MCS);
1172	he_mu->flags2 |=
1173	le16_encode_bits(le16_get_bits(phy_data->d4,
1174	IWL_RX_PHY_DATA4_HE_MU_EXT_PREAMBLE_PUNC_TYPE_MASK),
1175	IEEE80211_RADIOTAP_HE_MU_FLAGS2_PUNC_FROM_SIG_A_BW);
1176	iwl_mvm_decode_he_mu_ext(mvm, phy_data, he_mu);
1177	fallthrough;
1178	case IWL_RX_PHY_INFO_TYPE_HE_MU:
1179	he_mu->flags2 |=
1180	le16_encode_bits(le32_get_bits(phy_data->d1,
1181	IWL_RX_PHY_DATA1_HE_MU_SIBG_SYM_OR_USER_NUM_MASK),
1182	IEEE80211_RADIOTAP_HE_MU_FLAGS2_SIG_B_SYMS_USERS);
1183	he_mu->flags2 |=
1184	le16_encode_bits(le32_get_bits(phy_data->d1,
1185	IWL_RX_PHY_DATA1_HE_MU_SIGB_COMPRESSION),
1186	IEEE80211_RADIOTAP_HE_MU_FLAGS2_SIG_B_COMP);
1187	fallthrough;
1188	case IWL_RX_PHY_INFO_TYPE_HE_TB:
1189	case IWL_RX_PHY_INFO_TYPE_HE_TB_EXT:
1190	iwl_mvm_decode_he_phy_ru_alloc(phy_data, he, he_mu, rx_status);
1191	break;
1192	case IWL_RX_PHY_INFO_TYPE_HE_SU:
1193	he->data1 |= cpu_to_le16(IEEE80211_RADIOTAP_HE_DATA1_BEAM_CHANGE_KNOWN);
1194	he->data3 |= le16_encode_bits(le32_get_bits(phy_data->d0,
1195	IWL_RX_PHY_DATA0_HE_BEAM_CHNG),
1196	IEEE80211_RADIOTAP_HE_DATA3_BEAM_CHANGE);
1197	break;
1198	default:
1199	/* nothing */
1200	break;
1201	}
1202	}
1203
1204	#define LE32_DEC_ENC(value, dec_bits, enc_bits) \
1205	le32_encode_bits(le32_get_bits(value, dec_bits), enc_bits)
1206
1207	#define IWL_MVM_ENC_USIG_VALUE_MASK(usig, in_value, dec_bits, enc_bits) do { \
1208	typeof(enc_bits) _enc_bits = enc_bits; \
1209	typeof(usig) _usig = usig; \
1210	(_usig)->mask |= cpu_to_le32(_enc_bits); \
1211	(_usig)->value |= LE32_DEC_ENC(in_value, dec_bits, _enc_bits); \
1212	} while (0)
1213
1214	#define __IWL_MVM_ENC_EHT_RU(rt_data, rt_ru, fw_data, fw_ru) \
1215	eht->data[(rt_data)] |= \
1216	(cpu_to_le32 \
1217	(IEEE80211_RADIOTAP_EHT_DATA ## rt_data ## _RU_ALLOC_CC_ ## rt_ru ## _KNOWN) | \
1218	LE32_DEC_ENC(data ## fw_data, \
1219	IWL_RX_PHY_DATA ## fw_data ## _EHT_MU_EXT_RU_ALLOC_ ## fw_ru, \
1220	IEEE80211_RADIOTAP_EHT_DATA ## rt_data ## _RU_ALLOC_CC_ ## rt_ru))
1221
1222	#define _IWL_MVM_ENC_EHT_RU(rt_data, rt_ru, fw_data, fw_ru) \
1223	__IWL_MVM_ENC_EHT_RU(rt_data, rt_ru, fw_data, fw_ru)
1224
1225	#define IEEE80211_RADIOTAP_RU_DATA_1_1_1 1
1226	#define IEEE80211_RADIOTAP_RU_DATA_2_1_1 2
1227	#define IEEE80211_RADIOTAP_RU_DATA_1_1_2 2
1228	#define IEEE80211_RADIOTAP_RU_DATA_2_1_2 2
1229	#define IEEE80211_RADIOTAP_RU_DATA_1_2_1 3
1230	#define IEEE80211_RADIOTAP_RU_DATA_2_2_1 3
1231	#define IEEE80211_RADIOTAP_RU_DATA_1_2_2 3
1232	#define IEEE80211_RADIOTAP_RU_DATA_2_2_2 4
1233
1234	#define IWL_RX_RU_DATA_A1 2
1235	#define IWL_RX_RU_DATA_A2 2
1236	#define IWL_RX_RU_DATA_B1 2
1237	#define IWL_RX_RU_DATA_B2 4
1238	#define IWL_RX_RU_DATA_C1 3
1239	#define IWL_RX_RU_DATA_C2 3
1240	#define IWL_RX_RU_DATA_D1 4
1241	#define IWL_RX_RU_DATA_D2 4
1242
1243	#define IWL_MVM_ENC_EHT_RU(rt_ru, fw_ru) \
1244	_IWL_MVM_ENC_EHT_RU(IEEE80211_RADIOTAP_RU_DATA_ ## rt_ru, \
1245	rt_ru, \
1246	IWL_RX_RU_DATA_ ## fw_ru, \
1247	fw_ru)
1248
1249	static void iwl_mvm_decode_eht_ext_mu(struct iwl_mvm *mvm,
1250	struct iwl_mvm_rx_phy_data *phy_data,
1251	struct ieee80211_rx_status *rx_status,
1252	struct ieee80211_radiotap_eht *eht,
1253	struct ieee80211_radiotap_eht_usig *usig)
1254	{
1255	if (phy_data->with_data) {
1256	__le32 data1 = phy_data->d1;
1257	__le32 data2 = phy_data->d2;
1258	__le32 data3 = phy_data->d3;
1259	__le32 data4 = phy_data->eht_d4;
1260	__le32 data5 = phy_data->d5;
1261	u32 phy_bw = phy_data->rate_n_flags & RATE_MCS_CHAN_WIDTH_MSK;
1262
1263	IWL_MVM_ENC_USIG_VALUE_MASK(usig, data5,
1264	IWL_RX_PHY_DATA5_EHT_TYPE_AND_COMP,
1265	IEEE80211_RADIOTAP_EHT_USIG2_MU_B0_B1_PPDU_TYPE);
1266	IWL_MVM_ENC_USIG_VALUE_MASK(usig, data5,
1267	IWL_RX_PHY_DATA5_EHT_MU_PUNC_CH_CODE,
1268	IEEE80211_RADIOTAP_EHT_USIG2_MU_B3_B7_PUNCTURED_INFO);
1269	IWL_MVM_ENC_USIG_VALUE_MASK(usig, data4,
1270	IWL_RX_PHY_DATA4_EHT_MU_EXT_SIGB_MCS,
1271	IEEE80211_RADIOTAP_EHT_USIG2_MU_B9_B10_SIG_MCS);
1272	IWL_MVM_ENC_USIG_VALUE_MASK
1273	(usig, data1, IWL_RX_PHY_DATA1_EHT_MU_NUM_SIG_SYM_USIGA2,
1274	IEEE80211_RADIOTAP_EHT_USIG2_MU_B11_B15_EHT_SIG_SYMBOLS);
1275
1276	eht->user_info[0] |=
1277	cpu_to_le32(IEEE80211_RADIOTAP_EHT_USER_INFO_STA_ID_KNOWN) |
1278	LE32_DEC_ENC(data5, IWL_RX_PHY_DATA5_EHT_MU_STA_ID_USR,
1279	IEEE80211_RADIOTAP_EHT_USER_INFO_STA_ID);
1280
1281	eht->known |= cpu_to_le32(IEEE80211_RADIOTAP_EHT_KNOWN_NR_NON_OFDMA_USERS_M);
1282	eht->data[7] |= LE32_DEC_ENC
1283	(data5, IWL_RX_PHY_DATA5_EHT_MU_NUM_USR_NON_OFDMA,
1284	IEEE80211_RADIOTAP_EHT_DATA7_NUM_OF_NON_OFDMA_USERS);
1285
1286	/*
1287	* Hardware labels the content channels/RU allocation values
1288	* as follows:
1289	* Content Channel 1 Content Channel 2
1290	* 20 MHz: A1
1291	* 40 MHz: A1 B1
1292	* 80 MHz: A1 C1 B1 D1
1293	* 160 MHz: A1 C1 A2 C2 B1 D1 B2 D2
1294	* 320 MHz: A1 C1 A2 C2 A3 C3 A4 C4 B1 D1 B2 D2 B3 D3 B4 D4
1295	*
1296	* However firmware can only give us A1-D2, so the higher
1297	* frequencies are missing.
1298	*/
1299
1300	switch (phy_bw) {
1301	case RATE_MCS_CHAN_WIDTH_320:
1302	/* additional values are missing in RX metadata */
1303	case RATE_MCS_CHAN_WIDTH_160:
1304	/* content channel 1 */
1305	IWL_MVM_ENC_EHT_RU(1_2_1, A2);
1306	IWL_MVM_ENC_EHT_RU(1_2_2, C2);
1307	/* content channel 2 */
1308	IWL_MVM_ENC_EHT_RU(2_2_1, B2);
1309	IWL_MVM_ENC_EHT_RU(2_2_2, D2);
1310	fallthrough;
1311	case RATE_MCS_CHAN_WIDTH_80:
1312	/* content channel 1 */
1313	IWL_MVM_ENC_EHT_RU(1_1_2, C1);
1314	/* content channel 2 */
1315	IWL_MVM_ENC_EHT_RU(2_1_2, D1);
1316	fallthrough;
1317	case RATE_MCS_CHAN_WIDTH_40:
1318	/* content channel 2 */
1319	IWL_MVM_ENC_EHT_RU(2_1_1, B1);
1320	fallthrough;
1321	case RATE_MCS_CHAN_WIDTH_20:
1322	IWL_MVM_ENC_EHT_RU(1_1_1, A1);
1323	break;
1324	}
1325	} else {
1326	__le32 usig_a1 = phy_data->rx_vec[0];
1327	__le32 usig_a2 = phy_data->rx_vec[1];
1328
1329	IWL_MVM_ENC_USIG_VALUE_MASK(usig, usig_a1,
1330	IWL_RX_USIG_A1_DISREGARD,
1331	IEEE80211_RADIOTAP_EHT_USIG1_MU_B20_B24_DISREGARD);
1332	IWL_MVM_ENC_USIG_VALUE_MASK(usig, usig_a1,
1333	IWL_RX_USIG_A1_VALIDATE,
1334	IEEE80211_RADIOTAP_EHT_USIG1_MU_B25_VALIDATE);
1335	IWL_MVM_ENC_USIG_VALUE_MASK(usig, usig_a2,
1336	IWL_RX_USIG_A2_EHT_PPDU_TYPE,
1337	IEEE80211_RADIOTAP_EHT_USIG2_MU_B0_B1_PPDU_TYPE);
1338	IWL_MVM_ENC_USIG_VALUE_MASK(usig, usig_a2,
1339	IWL_RX_USIG_A2_EHT_USIG2_VALIDATE_B2,
1340	IEEE80211_RADIOTAP_EHT_USIG2_MU_B2_VALIDATE);
1341	IWL_MVM_ENC_USIG_VALUE_MASK(usig, usig_a2,
1342	IWL_RX_USIG_A2_EHT_PUNC_CHANNEL,
1343	IEEE80211_RADIOTAP_EHT_USIG2_MU_B3_B7_PUNCTURED_INFO);
1344	IWL_MVM_ENC_USIG_VALUE_MASK(usig, usig_a2,
1345	IWL_RX_USIG_A2_EHT_USIG2_VALIDATE_B8,
1346	IEEE80211_RADIOTAP_EHT_USIG2_MU_B8_VALIDATE);
1347	IWL_MVM_ENC_USIG_VALUE_MASK(usig, usig_a2,
1348	IWL_RX_USIG_A2_EHT_SIG_MCS,
1349	IEEE80211_RADIOTAP_EHT_USIG2_MU_B9_B10_SIG_MCS);
1350	IWL_MVM_ENC_USIG_VALUE_MASK
1351	(usig, usig_a2, IWL_RX_USIG_A2_EHT_SIG_SYM_NUM,
1352	IEEE80211_RADIOTAP_EHT_USIG2_MU_B11_B15_EHT_SIG_SYMBOLS);
1353	IWL_MVM_ENC_USIG_VALUE_MASK(usig, usig_a2,
1354	IWL_RX_USIG_A2_EHT_CRC_OK,
1355	IEEE80211_RADIOTAP_EHT_USIG2_MU_B16_B19_CRC);
1356	}
1357	}
1358
1359	static void iwl_mvm_decode_eht_ext_tb(struct iwl_mvm *mvm,
1360	struct iwl_mvm_rx_phy_data *phy_data,
1361	struct ieee80211_rx_status *rx_status,
1362	struct ieee80211_radiotap_eht *eht,
1363	struct ieee80211_radiotap_eht_usig *usig)
1364	{
1365	if (phy_data->with_data) {
1366	__le32 data5 = phy_data->d5;
1367
1368	IWL_MVM_ENC_USIG_VALUE_MASK(usig, data5,
1369	IWL_RX_PHY_DATA5_EHT_TYPE_AND_COMP,
1370	IEEE80211_RADIOTAP_EHT_USIG2_TB_B0_B1_PPDU_TYPE);
1371	IWL_MVM_ENC_USIG_VALUE_MASK(usig, data5,
1372	IWL_RX_PHY_DATA5_EHT_TB_SPATIAL_REUSE1,
1373	IEEE80211_RADIOTAP_EHT_USIG2_TB_B3_B6_SPATIAL_REUSE_1);
1374
1375	IWL_MVM_ENC_USIG_VALUE_MASK(usig, data5,
1376	IWL_RX_PHY_DATA5_EHT_TB_SPATIAL_REUSE2,
1377	IEEE80211_RADIOTAP_EHT_USIG2_TB_B7_B10_SPATIAL_REUSE_2);
1378	} else {
1379	__le32 usig_a1 = phy_data->rx_vec[0];
1380	__le32 usig_a2 = phy_data->rx_vec[1];
1381
1382	IWL_MVM_ENC_USIG_VALUE_MASK(usig, usig_a1,
1383	IWL_RX_USIG_A1_DISREGARD,
1384	IEEE80211_RADIOTAP_EHT_USIG1_TB_B20_B25_DISREGARD);
1385	IWL_MVM_ENC_USIG_VALUE_MASK(usig, usig_a2,
1386	IWL_RX_USIG_A2_EHT_PPDU_TYPE,
1387	IEEE80211_RADIOTAP_EHT_USIG2_TB_B0_B1_PPDU_TYPE);
1388	IWL_MVM_ENC_USIG_VALUE_MASK(usig, usig_a2,
1389	IWL_RX_USIG_A2_EHT_USIG2_VALIDATE_B2,
1390	IEEE80211_RADIOTAP_EHT_USIG2_TB_B2_VALIDATE);
1391	IWL_MVM_ENC_USIG_VALUE_MASK(usig, usig_a2,
1392	IWL_RX_USIG_A2_EHT_TRIG_SPATIAL_REUSE_1,
1393	IEEE80211_RADIOTAP_EHT_USIG2_TB_B3_B6_SPATIAL_REUSE_1);
1394	IWL_MVM_ENC_USIG_VALUE_MASK(usig, usig_a2,
1395	IWL_RX_USIG_A2_EHT_TRIG_SPATIAL_REUSE_2,
1396	IEEE80211_RADIOTAP_EHT_USIG2_TB_B7_B10_SPATIAL_REUSE_2);
1397	IWL_MVM_ENC_USIG_VALUE_MASK(usig, usig_a2,
1398	IWL_RX_USIG_A2_EHT_TRIG_USIG2_DISREGARD,
1399	IEEE80211_RADIOTAP_EHT_USIG2_TB_B11_B15_DISREGARD);
1400	IWL_MVM_ENC_USIG_VALUE_MASK(usig, usig_a2,
1401	IWL_RX_USIG_A2_EHT_CRC_OK,
1402	IEEE80211_RADIOTAP_EHT_USIG2_TB_B16_B19_CRC);
1403	}
1404	}
1405
1406	static void iwl_mvm_decode_eht_ru(struct iwl_mvm *mvm,
1407	struct ieee80211_rx_status *rx_status,
1408	struct ieee80211_radiotap_eht *eht)
1409	{
1410	u32 ru = le32_get_bits(v: eht->data[8],
1411	field: IEEE80211_RADIOTAP_EHT_DATA8_RU_ALLOC_TB_FMT_B7_B1);
1412	enum nl80211_eht_ru_alloc nl_ru;
1413
1414	/* Using D1.5 Table 9-53a - Encoding of PS160 and RU Allocation subfields
1415	* in an EHT variant User Info field
1416	*/
1417
1418	switch (ru) {
1419	case 0 ... 36:
1420	nl_ru = NL80211_RATE_INFO_EHT_RU_ALLOC_26;
1421	break;
1422	case 37 ... 52:
1423	nl_ru = NL80211_RATE_INFO_EHT_RU_ALLOC_52;
1424	break;
1425	case 53 ... 60:
1426	nl_ru = NL80211_RATE_INFO_EHT_RU_ALLOC_106;
1427	break;
1428	case 61 ... 64:
1429	nl_ru = NL80211_RATE_INFO_EHT_RU_ALLOC_242;
1430	break;
1431	case 65 ... 66:
1432	nl_ru = NL80211_RATE_INFO_EHT_RU_ALLOC_484;
1433	break;
1434	case 67:
1435	nl_ru = NL80211_RATE_INFO_EHT_RU_ALLOC_996;
1436	break;
1437	case 68:
1438	nl_ru = NL80211_RATE_INFO_EHT_RU_ALLOC_2x996;
1439	break;
1440	case 69:
1441	nl_ru = NL80211_RATE_INFO_EHT_RU_ALLOC_4x996;
1442	break;
1443	case 70 ... 81:
1444	nl_ru = NL80211_RATE_INFO_EHT_RU_ALLOC_52P26;
1445	break;
1446	case 82 ... 89:
1447	nl_ru = NL80211_RATE_INFO_EHT_RU_ALLOC_106P26;
1448	break;
1449	case 90 ... 93:
1450	nl_ru = NL80211_RATE_INFO_EHT_RU_ALLOC_484P242;
1451	break;
1452	case 94 ... 95:
1453	nl_ru = NL80211_RATE_INFO_EHT_RU_ALLOC_996P484;
1454	break;
1455	case 96 ... 99:
1456	nl_ru = NL80211_RATE_INFO_EHT_RU_ALLOC_996P484P242;
1457	break;
1458	case 100 ... 103:
1459	nl_ru = NL80211_RATE_INFO_EHT_RU_ALLOC_2x996P484;
1460	break;
1461	case 104:
1462	nl_ru = NL80211_RATE_INFO_EHT_RU_ALLOC_3x996;
1463	break;
1464	case 105 ... 106:
1465	nl_ru = NL80211_RATE_INFO_EHT_RU_ALLOC_3x996P484;
1466	break;
1467	default:
1468	return;
1469	}
1470
1471	rx_status->bw = RATE_INFO_BW_EHT_RU;
1472	rx_status->eht.ru = nl_ru;
1473	}
1474
1475	static void iwl_mvm_decode_eht_phy_data(struct iwl_mvm *mvm,
1476	struct iwl_mvm_rx_phy_data *phy_data,
1477	struct ieee80211_rx_status *rx_status,
1478	struct ieee80211_radiotap_eht *eht,
1479	struct ieee80211_radiotap_eht_usig *usig)
1480
1481	{
1482	__le32 data0 = phy_data->d0;
1483	__le32 data1 = phy_data->d1;
1484	__le32 usig_a1 = phy_data->rx_vec[0];
1485	u8 info_type = phy_data->info_type;
1486
1487	/* Not in EHT range */
1488	if (info_type < IWL_RX_PHY_INFO_TYPE_EHT_MU ||
1489	info_type > IWL_RX_PHY_INFO_TYPE_EHT_TB_EXT)
1490	return;
1491
1492	usig->common |= cpu_to_le32
1493	(IEEE80211_RADIOTAP_EHT_USIG_COMMON_UL_DL_KNOWN |
1494	IEEE80211_RADIOTAP_EHT_USIG_COMMON_BSS_COLOR_KNOWN);
1495	if (phy_data->with_data) {
1496	usig->common |= LE32_DEC_ENC(data0,
1497	IWL_RX_PHY_DATA0_EHT_UPLINK,
1498	IEEE80211_RADIOTAP_EHT_USIG_COMMON_UL_DL);
1499	usig->common |= LE32_DEC_ENC(data0,
1500	IWL_RX_PHY_DATA0_EHT_BSS_COLOR_MASK,
1501	IEEE80211_RADIOTAP_EHT_USIG_COMMON_BSS_COLOR);
1502	} else {
1503	usig->common |= LE32_DEC_ENC(usig_a1,
1504	IWL_RX_USIG_A1_UL_FLAG,
1505	IEEE80211_RADIOTAP_EHT_USIG_COMMON_UL_DL);
1506	usig->common |= LE32_DEC_ENC(usig_a1,
1507	IWL_RX_USIG_A1_BSS_COLOR,
1508	IEEE80211_RADIOTAP_EHT_USIG_COMMON_BSS_COLOR);
1509	}
1510
1511	if (fw_has_capa(&mvm->fw->ucode_capa,
1512	IWL_UCODE_TLV_CAPA_SNIFF_VALIDATE_SUPPORT)) {
1513	usig->common |=
1514	cpu_to_le32(IEEE80211_RADIOTAP_EHT_USIG_COMMON_VALIDATE_BITS_CHECKED);
1515	usig->common |=
1516	LE32_DEC_ENC(data0, IWL_RX_PHY_DATA0_EHT_VALIDATE,
1517	IEEE80211_RADIOTAP_EHT_USIG_COMMON_VALIDATE_BITS_OK);
1518	}
1519
1520	eht->known |= cpu_to_le32(IEEE80211_RADIOTAP_EHT_KNOWN_SPATIAL_REUSE);
1521	eht->data[0] |= LE32_DEC_ENC(data0,
1522	IWL_RX_PHY_DATA0_ETH_SPATIAL_REUSE_MASK,
1523	IEEE80211_RADIOTAP_EHT_DATA0_SPATIAL_REUSE);
1524
1525	/* All RU allocating size/index is in TB format */
1526	eht->known |= cpu_to_le32(IEEE80211_RADIOTAP_EHT_KNOWN_RU_ALLOC_TB_FMT);
1527	eht->data[8] |= LE32_DEC_ENC(data0, IWL_RX_PHY_DATA0_EHT_PS160,
1528	IEEE80211_RADIOTAP_EHT_DATA8_RU_ALLOC_TB_FMT_PS_160);
1529	eht->data[8] |= LE32_DEC_ENC(data1, IWL_RX_PHY_DATA1_EHT_RU_ALLOC_B0,
1530	IEEE80211_RADIOTAP_EHT_DATA8_RU_ALLOC_TB_FMT_B0);
1531	eht->data[8] |= LE32_DEC_ENC(data1, IWL_RX_PHY_DATA1_EHT_RU_ALLOC_B1_B7,
1532	IEEE80211_RADIOTAP_EHT_DATA8_RU_ALLOC_TB_FMT_B7_B1);
1533
1534	iwl_mvm_decode_eht_ru(mvm, rx_status, eht);
1535
1536	/* We only get here in case of IWL_RX_MPDU_PHY_TSF_OVERLOAD is set
1537	* which is on only in case of monitor mode so no need to check monitor
1538	* mode
1539	*/
1540	eht->known |= cpu_to_le32(IEEE80211_RADIOTAP_EHT_KNOWN_PRIMARY_80);
1541	eht->data[1] |=
1542	le32_encode_bits(v: mvm->monitor_p80,
1543	field: IEEE80211_RADIOTAP_EHT_DATA1_PRIMARY_80);
1544
1545	usig->common |= cpu_to_le32(IEEE80211_RADIOTAP_EHT_USIG_COMMON_TXOP_KNOWN);
1546	if (phy_data->with_data)
1547	usig->common |= LE32_DEC_ENC(data0, IWL_RX_PHY_DATA0_EHT_TXOP_DUR_MASK,
1548	IEEE80211_RADIOTAP_EHT_USIG_COMMON_TXOP);
1549	else
1550	usig->common |= LE32_DEC_ENC(usig_a1, IWL_RX_USIG_A1_TXOP_DURATION,
1551	IEEE80211_RADIOTAP_EHT_USIG_COMMON_TXOP);
1552
1553	eht->known |= cpu_to_le32(IEEE80211_RADIOTAP_EHT_KNOWN_LDPC_EXTRA_SYM_OM);
1554	eht->data[0] |= LE32_DEC_ENC(data0, IWL_RX_PHY_DATA0_EHT_LDPC_EXT_SYM,
1555	IEEE80211_RADIOTAP_EHT_DATA0_LDPC_EXTRA_SYM_OM);
1556
1557	eht->known |= cpu_to_le32(IEEE80211_RADIOTAP_EHT_KNOWN_PRE_PADD_FACOR_OM);
1558	eht->data[0] |= LE32_DEC_ENC(data0, IWL_RX_PHY_DATA0_EHT_PRE_FEC_PAD_MASK,
1559	IEEE80211_RADIOTAP_EHT_DATA0_PRE_PADD_FACOR_OM);
1560
1561	eht->known |= cpu_to_le32(IEEE80211_RADIOTAP_EHT_KNOWN_PE_DISAMBIGUITY_OM);
1562	eht->data[0] |= LE32_DEC_ENC(data0, IWL_RX_PHY_DATA0_EHT_PE_DISAMBIG,
1563	IEEE80211_RADIOTAP_EHT_DATA0_PE_DISAMBIGUITY_OM);
1564
1565	/* TODO: what about IWL_RX_PHY_DATA0_EHT_BW320_SLOT */
1566
1567	if (!le32_get_bits(data0, IWL_RX_PHY_DATA0_EHT_SIGA_CRC_OK))
1568	usig->common |= cpu_to_le32(IEEE80211_RADIOTAP_EHT_USIG_COMMON_BAD_USIG_CRC);
1569
1570	usig->common |= cpu_to_le32(IEEE80211_RADIOTAP_EHT_USIG_COMMON_PHY_VER_KNOWN);
1571	usig->common |= LE32_DEC_ENC(data0, IWL_RX_PHY_DATA0_EHT_PHY_VER,
1572	IEEE80211_RADIOTAP_EHT_USIG_COMMON_PHY_VER);
1573
1574	/*
1575	* TODO: what about TB - IWL_RX_PHY_DATA1_EHT_TB_PILOT_TYPE,
1576	* IWL_RX_PHY_DATA1_EHT_TB_LOW_SS
1577	*/
1578
1579	eht->known |= cpu_to_le32(IEEE80211_RADIOTAP_EHT_KNOWN_EHT_LTF);
1580	eht->data[0] |= LE32_DEC_ENC(data1, IWL_RX_PHY_DATA1_EHT_SIG_LTF_NUM,
1581	IEEE80211_RADIOTAP_EHT_DATA0_EHT_LTF);
1582
1583	if (info_type == IWL_RX_PHY_INFO_TYPE_EHT_TB_EXT ||
1584	info_type == IWL_RX_PHY_INFO_TYPE_EHT_TB)
1585	iwl_mvm_decode_eht_ext_tb(mvm, phy_data, rx_status, eht, usig);
1586
1587	if (info_type == IWL_RX_PHY_INFO_TYPE_EHT_MU_EXT ||
1588	info_type == IWL_RX_PHY_INFO_TYPE_EHT_MU)
1589	iwl_mvm_decode_eht_ext_mu(mvm, phy_data, rx_status, eht, usig);
1590	}
1591
1592	static void iwl_mvm_rx_eht(struct iwl_mvm *mvm, struct sk_buff *skb,
1593	struct iwl_mvm_rx_phy_data *phy_data,
1594	int queue)
1595	{
1596	struct ieee80211_rx_status *rx_status = IEEE80211_SKB_RXCB(skb);
1597
1598	struct ieee80211_radiotap_eht *eht;
1599	struct ieee80211_radiotap_eht_usig *usig;
1600	size_t eht_len = sizeof(*eht);
1601
1602	u32 rate_n_flags = phy_data->rate_n_flags;
1603	u32 he_type = rate_n_flags & RATE_MCS_HE_TYPE_MSK;
1604	/* EHT and HE have the same valus for LTF */
1605	u8 ltf = IEEE80211_RADIOTAP_HE_DATA5_LTF_SIZE_UNKNOWN;
1606	u16 phy_info = phy_data->phy_info;
1607	u32 bw;
1608
1609	/* u32 for 1 user_info */
1610	if (phy_data->with_data)
1611	eht_len += sizeof(u32);
1612
1613	eht = iwl_mvm_radiotap_put_tlv(skb, type: IEEE80211_RADIOTAP_EHT, len: eht_len);
1614
1615	usig = iwl_mvm_radiotap_put_tlv(skb, type: IEEE80211_RADIOTAP_EHT_USIG,
1616	len: sizeof(*usig));
1617	rx_status->flag |= RX_FLAG_RADIOTAP_TLV_AT_END;
1618	usig->common |=
1619	cpu_to_le32(IEEE80211_RADIOTAP_EHT_USIG_COMMON_BW_KNOWN);
1620
1621	/* specific handling for 320MHz */
1622	bw = FIELD_GET(RATE_MCS_CHAN_WIDTH_MSK, rate_n_flags);
1623	if (bw == RATE_MCS_CHAN_WIDTH_320_VAL)
1624	bw += FIELD_GET(IWL_RX_PHY_DATA0_EHT_BW320_SLOT,
1625	le32_to_cpu(phy_data->d0));
1626
1627	usig->common |= cpu_to_le32
1628	(FIELD_PREP(IEEE80211_RADIOTAP_EHT_USIG_COMMON_BW, bw));
1629
1630	/* report the AMPDU-EOF bit on single frames */
1631	if (!queue && !(phy_info & IWL_RX_MPDU_PHY_AMPDU)) {
1632	rx_status->flag |= RX_FLAG_AMPDU_DETAILS;
1633	rx_status->flag |= RX_FLAG_AMPDU_EOF_BIT_KNOWN;
1634	if (phy_data->d0 & cpu_to_le32(IWL_RX_PHY_DATA0_EHT_DELIM_EOF))
1635	rx_status->flag |= RX_FLAG_AMPDU_EOF_BIT;
1636	}
1637
1638	/* update aggregation data for monitor sake on default queue */
1639	if (!queue && (phy_info & IWL_RX_MPDU_PHY_TSF_OVERLOAD) &&
1640	(phy_info & IWL_RX_MPDU_PHY_AMPDU) && phy_data->first_subframe) {
1641	rx_status->flag |= RX_FLAG_AMPDU_EOF_BIT_KNOWN;
1642	if (phy_data->d0 & cpu_to_le32(IWL_RX_PHY_DATA0_EHT_DELIM_EOF))
1643	rx_status->flag |= RX_FLAG_AMPDU_EOF_BIT;
1644	}
1645
1646	if (phy_info & IWL_RX_MPDU_PHY_TSF_OVERLOAD)
1647	iwl_mvm_decode_eht_phy_data(mvm, phy_data, rx_status, eht, usig);
1648
1649	#define CHECK_TYPE(F) \
1650	BUILD_BUG_ON(IEEE80211_RADIOTAP_HE_DATA1_FORMAT_ ## F != \
1651	(RATE_MCS_HE_TYPE_ ## F >> RATE_MCS_HE_TYPE_POS))
1652
1653	CHECK_TYPE(SU);
1654	CHECK_TYPE(EXT_SU);
1655	CHECK_TYPE(MU);
1656	CHECK_TYPE(TRIG);
1657
1658	switch (FIELD_GET(RATE_MCS_HE_GI_LTF_MSK, rate_n_flags)) {
1659	case 0:
1660	if (he_type == RATE_MCS_HE_TYPE_TRIG) {
1661	rx_status->eht.gi = NL80211_RATE_INFO_EHT_GI_1_6;
1662	ltf = IEEE80211_RADIOTAP_HE_DATA5_LTF_SIZE_1X;
1663	} else {
1664	rx_status->eht.gi = NL80211_RATE_INFO_EHT_GI_0_8;
1665	ltf = IEEE80211_RADIOTAP_HE_DATA5_LTF_SIZE_2X;
1666	}
1667	break;
1668	case 1:
1669	rx_status->eht.gi = NL80211_RATE_INFO_EHT_GI_1_6;
1670	ltf = IEEE80211_RADIOTAP_HE_DATA5_LTF_SIZE_2X;
1671	break;
1672	case 2:
1673	ltf = IEEE80211_RADIOTAP_HE_DATA5_LTF_SIZE_4X;
1674	if (he_type == RATE_MCS_HE_TYPE_TRIG)
1675	rx_status->eht.gi = NL80211_RATE_INFO_EHT_GI_3_2;
1676	else
1677	rx_status->eht.gi = NL80211_RATE_INFO_EHT_GI_0_8;
1678	break;
1679	case 3:
1680	if (he_type != RATE_MCS_HE_TYPE_TRIG) {
1681	ltf = IEEE80211_RADIOTAP_HE_DATA5_LTF_SIZE_4X;
1682	rx_status->eht.gi = NL80211_RATE_INFO_EHT_GI_3_2;
1683	}
1684	break;
1685	default:
1686	/* nothing here */
1687	break;
1688	}
1689
1690	if (ltf != IEEE80211_RADIOTAP_HE_DATA5_LTF_SIZE_UNKNOWN) {
1691	eht->known |= cpu_to_le32(IEEE80211_RADIOTAP_EHT_KNOWN_GI);
1692	eht->data[0] |= cpu_to_le32
1693	(FIELD_PREP(IEEE80211_RADIOTAP_EHT_DATA0_LTF,
1694	ltf) |
1695	FIELD_PREP(IEEE80211_RADIOTAP_EHT_DATA0_GI,
1696	rx_status->eht.gi));
1697	}
1698
1699
1700	if (!phy_data->with_data) {
1701	eht->known |= cpu_to_le32(IEEE80211_RADIOTAP_EHT_KNOWN_NSS_S |
1702	IEEE80211_RADIOTAP_EHT_KNOWN_BEAMFORMED_S);
1703	eht->data[7] |=
1704	le32_encode_bits(le32_get_bits(phy_data->rx_vec[2],
1705	RX_NO_DATA_RX_VEC2_EHT_NSTS_MSK),
1706	IEEE80211_RADIOTAP_EHT_DATA7_NSS_S);
1707	if (rate_n_flags & RATE_MCS_BF_MSK)
1708	eht->data[7] |=
1709	cpu_to_le32(IEEE80211_RADIOTAP_EHT_DATA7_BEAMFORMED_S);
1710	} else {
1711	eht->user_info[0] |=
1712	cpu_to_le32(IEEE80211_RADIOTAP_EHT_USER_INFO_MCS_KNOWN |
1713	IEEE80211_RADIOTAP_EHT_USER_INFO_CODING_KNOWN |
1714	IEEE80211_RADIOTAP_EHT_USER_INFO_NSS_KNOWN_O |
1715	IEEE80211_RADIOTAP_EHT_USER_INFO_BEAMFORMING_KNOWN_O |
1716	IEEE80211_RADIOTAP_EHT_USER_INFO_DATA_FOR_USER);
1717
1718	if (rate_n_flags & RATE_MCS_BF_MSK)
1719	eht->user_info[0] |=
1720	cpu_to_le32(IEEE80211_RADIOTAP_EHT_USER_INFO_BEAMFORMING_O);
1721
1722	if (rate_n_flags & RATE_MCS_LDPC_MSK)
1723	eht->user_info[0] |=
1724	cpu_to_le32(IEEE80211_RADIOTAP_EHT_USER_INFO_CODING);
1725
1726	eht->user_info[0] |= cpu_to_le32
1727	(FIELD_PREP(IEEE80211_RADIOTAP_EHT_USER_INFO_MCS,
1728	FIELD_GET(RATE_VHT_MCS_RATE_CODE_MSK,
1729	rate_n_flags)) |
1730	FIELD_PREP(IEEE80211_RADIOTAP_EHT_USER_INFO_NSS_O,
1731	FIELD_GET(RATE_MCS_NSS_MSK, rate_n_flags)));
1732	}
1733	}
1734
1735	static void iwl_mvm_rx_he(struct iwl_mvm *mvm, struct sk_buff *skb,
1736	struct iwl_mvm_rx_phy_data *phy_data,
1737	int queue)
1738	{
1739	struct ieee80211_rx_status *rx_status = IEEE80211_SKB_RXCB(skb);
1740	struct ieee80211_radiotap_he *he = NULL;
1741	struct ieee80211_radiotap_he_mu *he_mu = NULL;
1742	u32 rate_n_flags = phy_data->rate_n_flags;
1743	u32 he_type = rate_n_flags & RATE_MCS_HE_TYPE_MSK;
1744	u8 ltf;
1745	static const struct ieee80211_radiotap_he known = {
1746	.data1 = cpu_to_le16(IEEE80211_RADIOTAP_HE_DATA1_DATA_MCS_KNOWN |
1747	IEEE80211_RADIOTAP_HE_DATA1_DATA_DCM_KNOWN |
1748	IEEE80211_RADIOTAP_HE_DATA1_STBC_KNOWN |
1749	IEEE80211_RADIOTAP_HE_DATA1_CODING_KNOWN),
1750	.data2 = cpu_to_le16(IEEE80211_RADIOTAP_HE_DATA2_GI_KNOWN |
1751	IEEE80211_RADIOTAP_HE_DATA2_TXBF_KNOWN),
1752	};
1753	static const struct ieee80211_radiotap_he_mu mu_known = {
1754	.flags1 = cpu_to_le16(IEEE80211_RADIOTAP_HE_MU_FLAGS1_SIG_B_MCS_KNOWN |
1755	IEEE80211_RADIOTAP_HE_MU_FLAGS1_SIG_B_DCM_KNOWN |
1756	IEEE80211_RADIOTAP_HE_MU_FLAGS1_SIG_B_SYMS_USERS_KNOWN |
1757	IEEE80211_RADIOTAP_HE_MU_FLAGS1_SIG_B_COMP_KNOWN),
1758	.flags2 = cpu_to_le16(IEEE80211_RADIOTAP_HE_MU_FLAGS2_PUNC_FROM_SIG_A_BW_KNOWN |
1759	IEEE80211_RADIOTAP_HE_MU_FLAGS2_BW_FROM_SIG_A_BW_KNOWN),
1760	};
1761	u16 phy_info = phy_data->phy_info;
1762
1763	he = skb_put_data(skb, data: &known, len: sizeof(known));
1764	rx_status->flag |= RX_FLAG_RADIOTAP_HE;
1765
1766	if (phy_data->info_type == IWL_RX_PHY_INFO_TYPE_HE_MU ||
1767	phy_data->info_type == IWL_RX_PHY_INFO_TYPE_HE_MU_EXT) {
1768	he_mu = skb_put_data(skb, data: &mu_known, len: sizeof(mu_known));
1769	rx_status->flag |= RX_FLAG_RADIOTAP_HE_MU;
1770	}
1771
1772	/* report the AMPDU-EOF bit on single frames */
1773	if (!queue && !(phy_info & IWL_RX_MPDU_PHY_AMPDU)) {
1774	rx_status->flag |= RX_FLAG_AMPDU_DETAILS;
1775	rx_status->flag |= RX_FLAG_AMPDU_EOF_BIT_KNOWN;
1776	if (phy_data->d0 & cpu_to_le32(IWL_RX_PHY_DATA0_HE_DELIM_EOF))
1777	rx_status->flag |= RX_FLAG_AMPDU_EOF_BIT;
1778	}
1779
1780	if (phy_info & IWL_RX_MPDU_PHY_TSF_OVERLOAD)
1781	iwl_mvm_decode_he_phy_data(mvm, phy_data, he, he_mu, rx_status,
1782	queue);
1783
1784	/* update aggregation data for monitor sake on default queue */
1785	if (!queue && (phy_info & IWL_RX_MPDU_PHY_TSF_OVERLOAD) &&
1786	(phy_info & IWL_RX_MPDU_PHY_AMPDU) && phy_data->first_subframe) {
1787	rx_status->flag |= RX_FLAG_AMPDU_EOF_BIT_KNOWN;
1788	if (phy_data->d0 & cpu_to_le32(IWL_RX_PHY_DATA0_EHT_DELIM_EOF))
1789	rx_status->flag |= RX_FLAG_AMPDU_EOF_BIT;
1790	}
1791
1792	if (he_type == RATE_MCS_HE_TYPE_EXT_SU &&
1793	rate_n_flags & RATE_MCS_HE_106T_MSK) {
1794	rx_status->bw = RATE_INFO_BW_HE_RU;
1795	rx_status->he_ru = NL80211_RATE_INFO_HE_RU_ALLOC_106;
1796	}
1797
1798	/* actually data is filled in mac80211 */
1799	if (he_type == RATE_MCS_HE_TYPE_SU ||
1800	he_type == RATE_MCS_HE_TYPE_EXT_SU)
1801	he->data1 |=
1802	cpu_to_le16(IEEE80211_RADIOTAP_HE_DATA1_BW_RU_ALLOC_KNOWN);
1803
1804	#define CHECK_TYPE(F) \
1805	BUILD_BUG_ON(IEEE80211_RADIOTAP_HE_DATA1_FORMAT_ ## F != \
1806	(RATE_MCS_HE_TYPE_ ## F >> RATE_MCS_HE_TYPE_POS))
1807
1808	CHECK_TYPE(SU);
1809	CHECK_TYPE(EXT_SU);
1810	CHECK_TYPE(MU);
1811	CHECK_TYPE(TRIG);
1812
1813	he->data1 |= cpu_to_le16(he_type >> RATE_MCS_HE_TYPE_POS);
1814
1815	if (rate_n_flags & RATE_MCS_BF_MSK)
1816	he->data5 |= cpu_to_le16(IEEE80211_RADIOTAP_HE_DATA5_TXBF);
1817
1818	switch ((rate_n_flags & RATE_MCS_HE_GI_LTF_MSK) >>
1819	RATE_MCS_HE_GI_LTF_POS) {
1820	case 0:
1821	if (he_type == RATE_MCS_HE_TYPE_TRIG)
1822	rx_status->he_gi = NL80211_RATE_INFO_HE_GI_1_6;
1823	else
1824	rx_status->he_gi = NL80211_RATE_INFO_HE_GI_0_8;
1825	if (he_type == RATE_MCS_HE_TYPE_MU)
1826	ltf = IEEE80211_RADIOTAP_HE_DATA5_LTF_SIZE_4X;
1827	else
1828	ltf = IEEE80211_RADIOTAP_HE_DATA5_LTF_SIZE_1X;
1829	break;
1830	case 1:
1831	if (he_type == RATE_MCS_HE_TYPE_TRIG)
1832	rx_status->he_gi = NL80211_RATE_INFO_HE_GI_1_6;
1833	else
1834	rx_status->he_gi = NL80211_RATE_INFO_HE_GI_0_8;
1835	ltf = IEEE80211_RADIOTAP_HE_DATA5_LTF_SIZE_2X;
1836	break;
1837	case 2:
1838	if (he_type == RATE_MCS_HE_TYPE_TRIG) {
1839	rx_status->he_gi = NL80211_RATE_INFO_HE_GI_3_2;
1840	ltf = IEEE80211_RADIOTAP_HE_DATA5_LTF_SIZE_4X;
1841	} else {
1842	rx_status->he_gi = NL80211_RATE_INFO_HE_GI_1_6;
1843	ltf = IEEE80211_RADIOTAP_HE_DATA5_LTF_SIZE_2X;
1844	}
1845	break;
1846	case 3:
1847	rx_status->he_gi = NL80211_RATE_INFO_HE_GI_3_2;
1848	ltf = IEEE80211_RADIOTAP_HE_DATA5_LTF_SIZE_4X;
1849	break;
1850	case 4:
1851	rx_status->he_gi = NL80211_RATE_INFO_HE_GI_0_8;
1852	ltf = IEEE80211_RADIOTAP_HE_DATA5_LTF_SIZE_4X;
1853	break;
1854	default:
1855	ltf = IEEE80211_RADIOTAP_HE_DATA5_LTF_SIZE_UNKNOWN;
1856	}
1857
1858	he->data5 |= le16_encode_bits(v: ltf,
1859	field: IEEE80211_RADIOTAP_HE_DATA5_LTF_SIZE);
1860	}
1861
1862	static void iwl_mvm_decode_lsig(struct sk_buff *skb,
1863	struct iwl_mvm_rx_phy_data *phy_data)
1864	{
1865	struct ieee80211_rx_status *rx_status = IEEE80211_SKB_RXCB(skb);
1866	struct ieee80211_radiotap_lsig *lsig;
1867
1868	switch (phy_data->info_type) {
1869	case IWL_RX_PHY_INFO_TYPE_HT:
1870	case IWL_RX_PHY_INFO_TYPE_VHT_SU:
1871	case IWL_RX_PHY_INFO_TYPE_VHT_MU:
1872	case IWL_RX_PHY_INFO_TYPE_HE_TB_EXT:
1873	case IWL_RX_PHY_INFO_TYPE_HE_SU:
1874	case IWL_RX_PHY_INFO_TYPE_HE_MU:
1875	case IWL_RX_PHY_INFO_TYPE_HE_MU_EXT:
1876	case IWL_RX_PHY_INFO_TYPE_HE_TB:
1877	case IWL_RX_PHY_INFO_TYPE_EHT_MU:
1878	case IWL_RX_PHY_INFO_TYPE_EHT_TB:
1879	case IWL_RX_PHY_INFO_TYPE_EHT_MU_EXT:
1880	case IWL_RX_PHY_INFO_TYPE_EHT_TB_EXT:
1881	lsig = skb_put(skb, len: sizeof(*lsig));
1882	lsig->data1 = cpu_to_le16(IEEE80211_RADIOTAP_LSIG_DATA1_LENGTH_KNOWN);
1883	lsig->data2 = le16_encode_bits(le32_get_bits(phy_data->d1,
1884	IWL_RX_PHY_DATA1_LSIG_LEN_MASK),
1885	IEEE80211_RADIOTAP_LSIG_DATA2_LENGTH);
1886	rx_status->flag |= RX_FLAG_RADIOTAP_LSIG;
1887	break;
1888	default:
1889	break;
1890	}
1891	}
1892
1893	static inline u8 iwl_mvm_nl80211_band_from_rx_msdu(u8 phy_band)
1894	{
1895	switch (phy_band) {
1896	case PHY_BAND_24:
1897	return NL80211_BAND_2GHZ;
1898	case PHY_BAND_5:
1899	return NL80211_BAND_5GHZ;
1900	case PHY_BAND_6:
1901	return NL80211_BAND_6GHZ;
1902	default:
1903	WARN_ONCE(1, "Unsupported phy band (%u)\n", phy_band);
1904	return NL80211_BAND_5GHZ;
1905	}
1906	}
1907
1908	struct iwl_rx_sta_csa {
1909	bool all_sta_unblocked;
1910	struct ieee80211_vif *vif;
1911	};
1912
1913	static void iwl_mvm_rx_get_sta_block_tx(void *data, struct ieee80211_sta *sta)
1914	{
1915	struct iwl_mvm_sta *mvmsta = iwl_mvm_sta_from_mac80211(sta);
1916	struct iwl_rx_sta_csa *rx_sta_csa = data;
1917
1918	if (mvmsta->vif != rx_sta_csa->vif)
1919	return;
1920
1921	if (mvmsta->disable_tx)
1922	rx_sta_csa->all_sta_unblocked = false;
1923	}
1924
1925	/*
1926	* Note: requires also rx_status->band to be prefilled, as well
1927	* as phy_data (apart from phy_data->info_type)
1928	*/
1929	static void iwl_mvm_rx_fill_status(struct iwl_mvm *mvm,
1930	struct sk_buff *skb,
1931	struct iwl_mvm_rx_phy_data *phy_data,
1932	int queue)
1933	{
1934	struct ieee80211_rx_status *rx_status = IEEE80211_SKB_RXCB(skb);
1935	u32 rate_n_flags = phy_data->rate_n_flags;
1936	u8 stbc = u32_get_bits(rate_n_flags, RATE_MCS_STBC_MSK);
1937	u32 format = rate_n_flags & RATE_MCS_MOD_TYPE_MSK;
1938	bool is_sgi;
1939
1940	phy_data->info_type = IWL_RX_PHY_INFO_TYPE_NONE;
1941
1942	if (phy_data->phy_info & IWL_RX_MPDU_PHY_TSF_OVERLOAD)
1943	phy_data->info_type =
1944	le32_get_bits(phy_data->d1,
1945	IWL_RX_PHY_DATA1_INFO_TYPE_MASK);
1946
1947	/* This may be overridden by iwl_mvm_rx_he() to HE_RU */
1948	switch (rate_n_flags & RATE_MCS_CHAN_WIDTH_MSK) {
1949	case RATE_MCS_CHAN_WIDTH_20:
1950	break;
1951	case RATE_MCS_CHAN_WIDTH_40:
1952	rx_status->bw = RATE_INFO_BW_40;
1953	break;
1954	case RATE_MCS_CHAN_WIDTH_80:
1955	rx_status->bw = RATE_INFO_BW_80;
1956	break;
1957	case RATE_MCS_CHAN_WIDTH_160:
1958	rx_status->bw = RATE_INFO_BW_160;
1959	break;
1960	case RATE_MCS_CHAN_WIDTH_320:
1961	rx_status->bw = RATE_INFO_BW_320;
1962	break;
1963	}
1964
1965	/* must be before L-SIG data */
1966	if (format == RATE_MCS_HE_MSK)
1967	iwl_mvm_rx_he(mvm, skb, phy_data, queue);
1968
1969	iwl_mvm_decode_lsig(skb, phy_data);
1970
1971	rx_status->device_timestamp = phy_data->gp2_on_air_rise;
1972	rx_status->freq = ieee80211_channel_to_frequency(chan: phy_data->channel,
1973	band: rx_status->band);
1974	iwl_mvm_get_signal_strength(mvm, rx_status, rate_n_flags,
1975	energy_a: phy_data->energy_a, energy_b: phy_data->energy_b);
1976
1977	/* using TLV format and must be after all fixed len fields */
1978	if (format == RATE_MCS_EHT_MSK)
1979	iwl_mvm_rx_eht(mvm, skb, phy_data, queue);
1980
1981	if (unlikely(mvm->monitor_on))
1982	iwl_mvm_add_rtap_sniffer_config(mvm, skb);
1983
1984	is_sgi = format == RATE_MCS_HE_MSK ?
1985	iwl_he_is_sgi(rate_n_flags) :
1986	rate_n_flags & RATE_MCS_SGI_MSK;
1987
1988	if (!(format == RATE_MCS_CCK_MSK) && is_sgi)
1989	rx_status->enc_flags |= RX_ENC_FLAG_SHORT_GI;
1990
1991	if (rate_n_flags & RATE_MCS_LDPC_MSK)
1992	rx_status->enc_flags |= RX_ENC_FLAG_LDPC;
1993
1994	switch (format) {
1995	case RATE_MCS_VHT_MSK:
1996	rx_status->encoding = RX_ENC_VHT;
1997	break;
1998	case RATE_MCS_HE_MSK:
1999	rx_status->encoding = RX_ENC_HE;
2000	rx_status->he_dcm =
2001	!!(rate_n_flags & RATE_HE_DUAL_CARRIER_MODE_MSK);
2002	break;
2003	case RATE_MCS_EHT_MSK:
2004	rx_status->encoding = RX_ENC_EHT;
2005	break;
2006	}
2007
2008	switch (format) {
2009	case RATE_MCS_HT_MSK:
2010	rx_status->encoding = RX_ENC_HT;
2011	rx_status->rate_idx = RATE_HT_MCS_INDEX(rate_n_flags);
2012	rx_status->enc_flags |= stbc << RX_ENC_FLAG_STBC_SHIFT;
2013	break;
2014	case RATE_MCS_VHT_MSK:
2015	case RATE_MCS_HE_MSK:
2016	case RATE_MCS_EHT_MSK:
2017	rx_status->nss =
2018	u32_get_bits(rate_n_flags, RATE_MCS_NSS_MSK) + 1;
2019	rx_status->rate_idx = rate_n_flags & RATE_MCS_CODE_MSK;
2020	rx_status->enc_flags |= stbc << RX_ENC_FLAG_STBC_SHIFT;
2021	break;
2022	default: {
2023	int rate = iwl_mvm_legacy_hw_idx_to_mac80211_idx(rate_n_flags,
2024	band: rx_status->band);
2025
2026	rx_status->rate_idx = rate;
2027
2028	if ((rate < 0 || rate > 0xFF)) {
2029	rx_status->rate_idx = 0;
2030	if (net_ratelimit())
2031	IWL_ERR(mvm, "Invalid rate flags 0x%x, band %d,\n",
2032	rate_n_flags, rx_status->band);
2033	}
2034
2035	break;
2036	}
2037	}
2038	}
2039
2040	void iwl_mvm_rx_mpdu_mq(struct iwl_mvm *mvm, struct napi_struct *napi,
2041	struct iwl_rx_cmd_buffer *rxb, int queue)
2042	{
2043	struct ieee80211_rx_status *rx_status;
2044	struct iwl_rx_packet *pkt = rxb_addr(rxb);
2045	struct iwl_rx_mpdu_desc *desc = (void *)pkt->data;
2046	struct ieee80211_hdr *hdr;
2047	u32 len;
2048	u32 pkt_len = iwl_rx_packet_payload_len(pkt);
2049	struct ieee80211_sta *sta = NULL;
2050	struct ieee80211_link_sta *link_sta = NULL;
2051	struct sk_buff *skb;
2052	u8 crypt_len = 0;
2053	size_t desc_size;
2054	struct iwl_mvm_rx_phy_data phy_data = {};
2055	u32 format;
2056
2057	if (unlikely(test_bit(IWL_MVM_STATUS_IN_HW_RESTART, &mvm->status)))
2058	return;
2059
2060	if (mvm->trans->trans_cfg->device_family >= IWL_DEVICE_FAMILY_AX210)
2061	desc_size = sizeof(*desc);
2062	else
2063	desc_size = IWL_RX_DESC_SIZE_V1;
2064
2065	if (unlikely(pkt_len < desc_size)) {
2066	IWL_DEBUG_DROP(mvm, "Bad REPLY_RX_MPDU_CMD size\n");
2067	return;
2068	}
2069
2070	if (mvm->trans->trans_cfg->device_family >= IWL_DEVICE_FAMILY_AX210) {
2071	phy_data.rate_n_flags = le32_to_cpu(desc->v3.rate_n_flags);
2072	phy_data.channel = desc->v3.channel;
2073	phy_data.gp2_on_air_rise = le32_to_cpu(desc->v3.gp2_on_air_rise);
2074	phy_data.energy_a = desc->v3.energy_a;
2075	phy_data.energy_b = desc->v3.energy_b;
2076
2077	phy_data.d0 = desc->v3.phy_data0;
2078	phy_data.d1 = desc->v3.phy_data1;
2079	phy_data.d2 = desc->v3.phy_data2;
2080	phy_data.d3 = desc->v3.phy_data3;
2081	phy_data.eht_d4 = desc->phy_eht_data4;
2082	phy_data.d5 = desc->v3.phy_data5;
2083	} else {
2084	phy_data.rate_n_flags = le32_to_cpu(desc->v1.rate_n_flags);
2085	phy_data.channel = desc->v1.channel;
2086	phy_data.gp2_on_air_rise = le32_to_cpu(desc->v1.gp2_on_air_rise);
2087	phy_data.energy_a = desc->v1.energy_a;
2088	phy_data.energy_b = desc->v1.energy_b;
2089
2090	phy_data.d0 = desc->v1.phy_data0;
2091	phy_data.d1 = desc->v1.phy_data1;
2092	phy_data.d2 = desc->v1.phy_data2;
2093	phy_data.d3 = desc->v1.phy_data3;
2094	}
2095
2096	if (iwl_fw_lookup_notif_ver(mvm->fw, LEGACY_GROUP,
2097	REPLY_RX_MPDU_CMD, 0) < 4) {
2098	phy_data.rate_n_flags = iwl_new_rate_from_v1(phy_data.rate_n_flags);
2099	IWL_DEBUG_DROP(mvm, "Got old format rate, converting. New rate: 0x%x\n",
2100	phy_data.rate_n_flags);
2101	}
2102
2103	format = phy_data.rate_n_flags & RATE_MCS_MOD_TYPE_MSK;
2104
2105	len = le16_to_cpu(desc->mpdu_len);
2106
2107	if (unlikely(len + desc_size > pkt_len)) {
2108	IWL_DEBUG_DROP(mvm, "FW lied about packet len\n");
2109	return;
2110	}
2111
2112	phy_data.with_data = true;
2113	phy_data.phy_info = le16_to_cpu(desc->phy_info);
2114	phy_data.d4 = desc->phy_data4;
2115
2116	hdr = (void *)(pkt->data + desc_size);
2117	/* Dont use dev_alloc_skb(), we'll have enough headroom once
2118	* ieee80211_hdr pulled.
2119	*/
2120	skb = alloc_skb(size: 128, GFP_ATOMIC);
2121	if (!skb) {
2122	IWL_ERR(mvm, "alloc_skb failed\n");
2123	return;
2124	}
2125
2126	if (desc->mac_flags2 & IWL_RX_MPDU_MFLG2_PAD) {
2127	/*
2128	* If the device inserted padding it means that (it thought)
2129	* the 802.11 header wasn't a multiple of 4 bytes long. In
2130	* this case, reserve two bytes at the start of the SKB to
2131	* align the payload properly in case we end up copying it.
2132	*/
2133	skb_reserve(skb, len: 2);
2134	}
2135
2136	rx_status = IEEE80211_SKB_RXCB(skb);
2137
2138	/*
2139	* Keep packets with CRC errors (and with overrun) for monitor mode
2140	* (otherwise the firmware discards them) but mark them as bad.
2141	*/
2142	if (!(desc->status & cpu_to_le32(IWL_RX_MPDU_STATUS_CRC_OK)) ||
2143	!(desc->status & cpu_to_le32(IWL_RX_MPDU_STATUS_OVERRUN_OK))) {
2144	IWL_DEBUG_RX(mvm, "Bad CRC or FIFO: 0x%08X.\n",
2145	le32_to_cpu(desc->status));
2146	rx_status->flag |= RX_FLAG_FAILED_FCS_CRC;
2147	}
2148
2149	/* set the preamble flag if appropriate */
2150	if (format == RATE_MCS_CCK_MSK &&
2151	phy_data.phy_info & IWL_RX_MPDU_PHY_SHORT_PREAMBLE)
2152	rx_status->enc_flags |= RX_ENC_FLAG_SHORTPRE;
2153
2154	if (likely(!(phy_data.phy_info & IWL_RX_MPDU_PHY_TSF_OVERLOAD))) {
2155	u64 tsf_on_air_rise;
2156
2157	if (mvm->trans->trans_cfg->device_family >=
2158	IWL_DEVICE_FAMILY_AX210)
2159	tsf_on_air_rise = le64_to_cpu(desc->v3.tsf_on_air_rise);
2160	else
2161	tsf_on_air_rise = le64_to_cpu(desc->v1.tsf_on_air_rise);
2162
2163	rx_status->mactime = tsf_on_air_rise;
2164	/* TSF as indicated by the firmware is at INA time */
2165	rx_status->flag |= RX_FLAG_MACTIME_PLCP_START;
2166	}
2167
2168	if (iwl_mvm_is_band_in_rx_supported(mvm)) {
2169	u8 band = BAND_IN_RX_STATUS(desc->mac_phy_idx);
2170
2171	rx_status->band = iwl_mvm_nl80211_band_from_rx_msdu(phy_band: band);
2172	} else {
2173	rx_status->band = phy_data.channel > 14 ? NL80211_BAND_5GHZ :
2174	NL80211_BAND_2GHZ;
2175	}
2176
2177	/* update aggregation data for monitor sake on default queue */
2178	if (!queue && (phy_data.phy_info & IWL_RX_MPDU_PHY_AMPDU)) {
2179	bool toggle_bit;
2180
2181	toggle_bit = phy_data.phy_info & IWL_RX_MPDU_PHY_AMPDU_TOGGLE;
2182	rx_status->flag |= RX_FLAG_AMPDU_DETAILS;
2183	/*
2184	* Toggle is switched whenever new aggregation starts. Make
2185	* sure ampdu_reference is never 0 so we can later use it to
2186	* see if the frame was really part of an A-MPDU or not.
2187	*/
2188	if (toggle_bit != mvm->ampdu_toggle) {
2189	mvm->ampdu_ref++;
2190	if (mvm->ampdu_ref == 0)
2191	mvm->ampdu_ref++;
2192	mvm->ampdu_toggle = toggle_bit;
2193	phy_data.first_subframe = true;
2194	}
2195	rx_status->ampdu_reference = mvm->ampdu_ref;
2196	}
2197
2198	rcu_read_lock();
2199
2200	if (desc->status & cpu_to_le32(IWL_RX_MPDU_STATUS_SRC_STA_FOUND)) {
2201	u8 id = le32_get_bits(desc->status, IWL_RX_MPDU_STATUS_STA_ID);
2202
2203	if (!WARN_ON_ONCE(id >= mvm->fw->ucode_capa.num_stations)) {
2204	sta = rcu_dereference(mvm->fw_id_to_mac_id[id]);
2205	if (IS_ERR(ptr: sta))
2206	sta = NULL;
2207	link_sta = rcu_dereference(mvm->fw_id_to_link_sta[id]);
2208
2209	if (sta && sta->valid_links && link_sta) {
2210	rx_status->link_valid = 1;
2211	rx_status->link_id = link_sta->link_id;
2212	}
2213	}
2214	} else if (!is_multicast_ether_addr(addr: hdr->addr2)) {
2215	/*
2216	* This is fine since we prevent two stations with the same
2217	* address from being added.
2218	*/
2219	sta = ieee80211_find_sta_by_ifaddr(hw: mvm->hw, addr: hdr->addr2, NULL);
2220	}
2221
2222	if (iwl_mvm_rx_crypto(mvm, sta, hdr, stats: rx_status, phy_info: phy_data.phy_info, desc,
2223	le32_to_cpu(pkt->len_n_flags), queue,
2224	crypt_len: &crypt_len)) {
2225	kfree_skb(skb);
2226	goto out;
2227	}
2228
2229	iwl_mvm_rx_fill_status(mvm, skb, phy_data: &phy_data, queue);
2230
2231	if (sta) {
2232	struct iwl_mvm_sta *mvmsta = iwl_mvm_sta_from_mac80211(sta);
2233	struct ieee80211_vif *tx_blocked_vif =
2234	rcu_dereference(mvm->csa_tx_blocked_vif);
2235	u8 baid = (u8)((le32_to_cpu(desc->reorder_data) &
2236	IWL_RX_MPDU_REORDER_BAID_MASK) >>
2237	IWL_RX_MPDU_REORDER_BAID_SHIFT);
2238	struct iwl_fw_dbg_trigger_tlv *trig;
2239	struct ieee80211_vif *vif = mvmsta->vif;
2240
2241	if (!mvm->tcm.paused && len >= sizeof(*hdr) &&
2242	!is_multicast_ether_addr(addr: hdr->addr1) &&
2243	ieee80211_is_data(fc: hdr->frame_control) &&
2244	time_after(jiffies, mvm->tcm.ts + MVM_TCM_PERIOD))
2245	schedule_delayed_work(dwork: &mvm->tcm.work, delay: 0);
2246
2247	/*
2248	* We have tx blocked stations (with CS bit). If we heard
2249	* frames from a blocked station on a new channel we can
2250	* TX to it again.
2251	*/
2252	if (unlikely(tx_blocked_vif) && tx_blocked_vif == vif) {
2253	struct iwl_mvm_vif *mvmvif =
2254	iwl_mvm_vif_from_mac80211(vif: tx_blocked_vif);
2255	struct iwl_rx_sta_csa rx_sta_csa = {
2256	.all_sta_unblocked = true,
2257	.vif = tx_blocked_vif,
2258	};
2259
2260	if (mvmvif->csa_target_freq == rx_status->freq)
2261	iwl_mvm_sta_modify_disable_tx_ap(mvm, sta,
2262	disable: false);
2263	ieee80211_iterate_stations_atomic(hw: mvm->hw,
2264	iterator: iwl_mvm_rx_get_sta_block_tx,
2265	data: &rx_sta_csa);
2266
2267	if (rx_sta_csa.all_sta_unblocked) {
2268	RCU_INIT_POINTER(mvm->csa_tx_blocked_vif, NULL);
2269	/* Unblock BCAST / MCAST station */
2270	iwl_mvm_modify_all_sta_disable_tx(mvm, mvmvif, disable: false);
2271	cancel_delayed_work(dwork: &mvm->cs_tx_unblock_dwork);
2272	}
2273	}
2274
2275	rs_update_last_rssi(mvm, mvmsta, rx_status);
2276
2277	trig = iwl_fw_dbg_trigger_on(&mvm->fwrt,
2278	ieee80211_vif_to_wdev(vif),
2279	FW_DBG_TRIGGER_RSSI);
2280
2281	if (trig && ieee80211_is_beacon(fc: hdr->frame_control)) {
2282	struct iwl_fw_dbg_trigger_low_rssi *rssi_trig;
2283	s32 rssi;
2284
2285	rssi_trig = (void *)trig->data;
2286	rssi = le32_to_cpu(rssi_trig->rssi);
2287
2288	if (rx_status->signal < rssi)
2289	iwl_fw_dbg_collect_trig(&mvm->fwrt, trig,
2290	NULL);
2291	}
2292
2293	if (ieee80211_is_data(fc: hdr->frame_control))
2294	iwl_mvm_rx_csum(mvm, sta, skb, pkt);
2295
2296	if (iwl_mvm_is_dup(sta, queue, rx_status, hdr, desc)) {
2297	IWL_DEBUG_DROP(mvm, "Dropping duplicate packet 0x%x\n",
2298	le16_to_cpu(hdr->seq_ctrl));
2299	kfree_skb(skb);
2300	goto out;
2301	}
2302
2303	/*
2304	* Our hardware de-aggregates AMSDUs but copies the mac header
2305	* as it to the de-aggregated MPDUs. We need to turn off the
2306	* AMSDU bit in the QoS control ourselves.
2307	* In addition, HW reverses addr3 and addr4 - reverse it back.
2308	*/
2309	if ((desc->mac_flags2 & IWL_RX_MPDU_MFLG2_AMSDU) &&
2310	!WARN_ON(!ieee80211_is_data_qos(hdr->frame_control))) {
2311	u8 *qc = ieee80211_get_qos_ctl(hdr);
2312
2313	*qc &= ~IEEE80211_QOS_CTL_A_MSDU_PRESENT;
2314
2315	if (mvm->trans->trans_cfg->device_family ==
2316	IWL_DEVICE_FAMILY_9000) {
2317	iwl_mvm_flip_address(addr: hdr->addr3);
2318
2319	if (ieee80211_has_a4(fc: hdr->frame_control))
2320	iwl_mvm_flip_address(addr: hdr->addr4);
2321	}
2322	}
2323	if (baid != IWL_RX_REORDER_DATA_INVALID_BAID) {
2324	u32 reorder_data = le32_to_cpu(desc->reorder_data);
2325
2326	iwl_mvm_agg_rx_received(mvm, reorder_data, baid);
2327	}
2328	}
2329
2330	/* management stuff on default queue */
2331	if (!queue) {
2332	if (unlikely((ieee80211_is_beacon(hdr->frame_control) ||
2333	ieee80211_is_probe_resp(hdr->frame_control)) &&
2334	mvm->sched_scan_pass_all ==
2335	SCHED_SCAN_PASS_ALL_ENABLED))
2336	mvm->sched_scan_pass_all = SCHED_SCAN_PASS_ALL_FOUND;
2337
2338	if (unlikely(ieee80211_is_beacon(hdr->frame_control) ||
2339	ieee80211_is_probe_resp(hdr->frame_control)))
2340	rx_status->boottime_ns = ktime_get_boottime_ns();
2341	}
2342
2343	if (iwl_mvm_create_skb(mvm, skb, hdr, len, crypt_len, rxb)) {
2344	kfree_skb(skb);
2345	goto out;
2346	}
2347
2348	if (!iwl_mvm_reorder(mvm, napi, queue, sta, skb, desc) &&
2349	likely(!iwl_mvm_time_sync_frame(mvm, skb, hdr->addr2)) &&
2350	likely(!iwl_mvm_mei_filter_scan(mvm, skb))) {
2351	if (mvm->trans->trans_cfg->device_family == IWL_DEVICE_FAMILY_9000 &&
2352	(desc->mac_flags2 & IWL_RX_MPDU_MFLG2_AMSDU) &&
2353	!(desc->amsdu_info & IWL_RX_MPDU_AMSDU_LAST_SUBFRAME))
2354	rx_status->flag |= RX_FLAG_AMSDU_MORE;
2355
2356	iwl_mvm_pass_packet_to_mac80211(mvm, napi, skb, queue, sta);
2357	}
2358	out:
2359	rcu_read_unlock();
2360	}
2361
2362	void iwl_mvm_rx_monitor_no_data(struct iwl_mvm *mvm, struct napi_struct *napi,
2363	struct iwl_rx_cmd_buffer *rxb, int queue)
2364	{
2365	struct ieee80211_rx_status *rx_status;
2366	struct iwl_rx_packet *pkt = rxb_addr(rxb);
2367	struct iwl_rx_no_data_ver_3 *desc = (void *)pkt->data;
2368	u32 rssi;
2369	u32 info_type;
2370	struct ieee80211_sta *sta = NULL;
2371	struct sk_buff *skb;
2372	struct iwl_mvm_rx_phy_data phy_data;
2373	u32 format;
2374
2375	if (unlikely(test_bit(IWL_MVM_STATUS_IN_HW_RESTART, &mvm->status)))
2376	return;
2377
2378	if (unlikely(iwl_rx_packet_payload_len(pkt) < sizeof(struct iwl_rx_no_data)))
2379	return;
2380
2381	rssi = le32_to_cpu(desc->rssi);
2382	info_type = le32_to_cpu(desc->info) & RX_NO_DATA_INFO_TYPE_MSK;
2383	phy_data.d0 = desc->phy_info[0];
2384	phy_data.d1 = desc->phy_info[1];
2385	phy_data.phy_info = IWL_RX_MPDU_PHY_TSF_OVERLOAD;
2386	phy_data.gp2_on_air_rise = le32_to_cpu(desc->on_air_rise_time);
2387	phy_data.rate_n_flags = le32_to_cpu(desc->rate);
2388	phy_data.energy_a = u32_get_bits(rssi, RX_NO_DATA_CHAIN_A_MSK);
2389	phy_data.energy_b = u32_get_bits(rssi, RX_NO_DATA_CHAIN_B_MSK);
2390	phy_data.channel = u32_get_bits(rssi, RX_NO_DATA_CHANNEL_MSK);
2391	phy_data.with_data = false;
2392	phy_data.rx_vec[0] = desc->rx_vec[0];
2393	phy_data.rx_vec[1] = desc->rx_vec[1];
2394
2395	if (iwl_fw_lookup_notif_ver(mvm->fw, DATA_PATH_GROUP,
2396	RX_NO_DATA_NOTIF, 0) < 2) {
2397	IWL_DEBUG_DROP(mvm, "Got an old rate format. Old rate: 0x%x\n",
2398	phy_data.rate_n_flags);
2399	phy_data.rate_n_flags = iwl_new_rate_from_v1(phy_data.rate_n_flags);
2400	IWL_DEBUG_DROP(mvm, " Rate after conversion to the new format: 0x%x\n",
2401	phy_data.rate_n_flags);
2402	}
2403
2404	format = phy_data.rate_n_flags & RATE_MCS_MOD_TYPE_MSK;
2405
2406	if (iwl_fw_lookup_notif_ver(mvm->fw, DATA_PATH_GROUP,
2407	RX_NO_DATA_NOTIF, 0) >= 3) {
2408	if (unlikely(iwl_rx_packet_payload_len(pkt) <
2409	sizeof(struct iwl_rx_no_data_ver_3)))
2410	/* invalid len for ver 3 */
2411	return;
2412	phy_data.rx_vec[2] = desc->rx_vec[2];
2413	phy_data.rx_vec[3] = desc->rx_vec[3];
2414	} else {
2415	if (format == RATE_MCS_EHT_MSK)
2416	/* no support for EHT before version 3 API */
2417	return;
2418	}
2419
2420	/* Dont use dev_alloc_skb(), we'll have enough headroom once
2421	* ieee80211_hdr pulled.
2422	*/
2423	skb = alloc_skb(size: 128, GFP_ATOMIC);
2424	if (!skb) {
2425	IWL_ERR(mvm, "alloc_skb failed\n");
2426	return;
2427	}
2428
2429	rx_status = IEEE80211_SKB_RXCB(skb);
2430
2431	/* 0-length PSDU */
2432	rx_status->flag |= RX_FLAG_NO_PSDU;
2433
2434	switch (info_type) {
2435	case RX_NO_DATA_INFO_TYPE_NDP:
2436	rx_status->zero_length_psdu_type =
2437	IEEE80211_RADIOTAP_ZERO_LEN_PSDU_SOUNDING;
2438	break;
2439	case RX_NO_DATA_INFO_TYPE_MU_UNMATCHED:
2440	case RX_NO_DATA_INFO_TYPE_TB_UNMATCHED:
2441	rx_status->zero_length_psdu_type =
2442	IEEE80211_RADIOTAP_ZERO_LEN_PSDU_NOT_CAPTURED;
2443	break;
2444	default:
2445	rx_status->zero_length_psdu_type =
2446	IEEE80211_RADIOTAP_ZERO_LEN_PSDU_VENDOR;
2447	break;
2448	}
2449
2450	rx_status->band = phy_data.channel > 14 ? NL80211_BAND_5GHZ :
2451	NL80211_BAND_2GHZ;
2452
2453	iwl_mvm_rx_fill_status(mvm, skb, phy_data: &phy_data, queue);
2454
2455	/* no more radio tap info should be put after this point.
2456	*
2457	* We mark it as mac header, for upper layers to know where
2458	* all radio tap header ends.
2459	*/
2460	skb_reset_mac_header(skb);
2461
2462	/*
2463	* Override the nss from the rx_vec since the rate_n_flags has
2464	* only 2 bits for the nss which gives a max of 4 ss but there
2465	* may be up to 8 spatial streams.
2466	*/
2467	switch (format) {
2468	case RATE_MCS_VHT_MSK:
2469	rx_status->nss =
2470	le32_get_bits(desc->rx_vec[0],
2471	RX_NO_DATA_RX_VEC0_VHT_NSTS_MSK) + 1;
2472	break;
2473	case RATE_MCS_HE_MSK:
2474	rx_status->nss =
2475	le32_get_bits(desc->rx_vec[0],
2476	RX_NO_DATA_RX_VEC0_HE_NSTS_MSK) + 1;
2477	break;
2478	case RATE_MCS_EHT_MSK:
2479	rx_status->nss =
2480	le32_get_bits(desc->rx_vec[2],
2481	RX_NO_DATA_RX_VEC2_EHT_NSTS_MSK) + 1;
2482	}
2483
2484	rcu_read_lock();
2485	ieee80211_rx_napi(hw: mvm->hw, sta, skb, napi);
2486	rcu_read_unlock();
2487	}
2488
2489	void iwl_mvm_rx_frame_release(struct iwl_mvm *mvm, struct napi_struct *napi,
2490	struct iwl_rx_cmd_buffer *rxb, int queue)
2491	{
2492	struct iwl_rx_packet *pkt = rxb_addr(rxb);
2493	struct iwl_frame_release *release = (void *)pkt->data;
2494
2495	if (unlikely(iwl_rx_packet_payload_len(pkt) < sizeof(*release)))
2496	return;
2497
2498	iwl_mvm_release_frames_from_notif(mvm, napi, baid: release->baid,
2499	le16_to_cpu(release->nssn),
2500	queue);
2501	}
2502
2503	void iwl_mvm_rx_bar_frame_release(struct iwl_mvm *mvm, struct napi_struct *napi,
2504	struct iwl_rx_cmd_buffer *rxb, int queue)
2505	{
2506	struct iwl_rx_packet *pkt = rxb_addr(rxb);
2507	struct iwl_bar_frame_release *release = (void *)pkt->data;
2508	unsigned int baid = le32_get_bits(release->ba_info,
2509	IWL_BAR_FRAME_RELEASE_BAID_MASK);
2510	unsigned int nssn = le32_get_bits(release->ba_info,
2511	IWL_BAR_FRAME_RELEASE_NSSN_MASK);
2512	unsigned int sta_id = le32_get_bits(release->sta_tid,
2513	IWL_BAR_FRAME_RELEASE_STA_MASK);
2514	unsigned int tid = le32_get_bits(release->sta_tid,
2515	IWL_BAR_FRAME_RELEASE_TID_MASK);
2516	struct iwl_mvm_baid_data *baid_data;
2517
2518	if (unlikely(iwl_rx_packet_payload_len(pkt) < sizeof(*release)))
2519	return;
2520
2521	if (WARN_ON_ONCE(baid == IWL_RX_REORDER_DATA_INVALID_BAID ||
2522	baid >= ARRAY_SIZE(mvm->baid_map)))
2523	return;
2524
2525	rcu_read_lock();
2526	baid_data = rcu_dereference(mvm->baid_map[baid]);
2527	if (!baid_data) {
2528	IWL_DEBUG_RX(mvm,
2529	"Got valid BAID %d but not allocated, invalid BAR release!\n",
2530	baid);
2531	goto out;
2532	}
2533
2534	if (WARN(tid != baid_data->tid || sta_id > IWL_MVM_STATION_COUNT_MAX ||
2535	!(baid_data->sta_mask & BIT(sta_id)),
2536	"baid 0x%x is mapped to sta_mask:0x%x tid:%d, but BAR release received for sta:%d tid:%d\n",
2537	baid, baid_data->sta_mask, baid_data->tid, sta_id,
2538	tid))
2539	goto out;
2540
2541	IWL_DEBUG_DROP(mvm, "Received a BAR, expect packet loss: nssn %d\n",
2542	nssn);
2543
2544	iwl_mvm_release_frames_from_notif(mvm, napi, baid, nssn, queue);
2545	out:
2546	rcu_read_unlock();
2547	}
2548