mac80211: don't reorder frames with SN smaller than SSN

When RX aggregation starts, transmitter may continue send frames with SN smaller than SSN until the AddBA response is received. However, the reorder buffer is already initialized at this point, which will cause the drop of such frames as duplicates since the head SN of the reorder buffer is set to the SSN, which is bigger. Cc: stable@vger.kernel.org Signed-off-by: Sara Sharon <sara.sharon@intel.com> Signed-off-by: Johannes Berg <johannes.berg@intel.com>
author: Sara Sharon <sara.sharon@intel.com> 2017-02-06 08:28:42 -0500
committer: Johannes Berg <johannes.berg@intel.com> 2017-02-27 08:00:26 -0500
commit: b7540d8f25c8034de7e4163fc23ac457bf057731 (patch)
tree: 1b54f82ea1459a2f79697992034269d4ec91f812
parent: a9e9200d8661c1a0be8c39f93deb383dc940de35 (diff)
3 files changed, 18 insertions, 3 deletions
diff --git a/net/mac80211/agg-rx.c b/net/mac80211/agg-rx.c
index 3b5fd4188f2a..58ad23a44109 100644
--- a/net/mac80211/agg-rx.c
+++ b/net/mac80211/agg-rx.c
@@ -398,6 +398,7 @@ void __ieee80211_start_rx_ba_session(struct sta_info *sta,
        tid_agg_rx->timeout = timeout;
        tid_agg_rx->stored_mpdu_num = 0;
        tid_agg_rx->auto_seq = auto_seq;
+        tid_agg_rx->started = false;
        tid_agg_rx->reorder_buf_filtered = 0;
        status = WLAN_STATUS_SUCCESS;
diff --git a/net/mac80211/rx.c b/net/mac80211/rx.c
index a8443d8bc233..28cc494a774d 100644
--- a/net/mac80211/rx.c
+++ b/net/mac80211/rx.c
@@ -4,7 +4,7 @@
 * Copyright 2006-2007  Jiri Benc <jbenc@suse.cz>
 * Copyright 2007-2010  Johannes Berg <johannes@sipsolutions.net>
 * Copyright 2013-2014  Intel Mobile Communications GmbH
- * Copyright(c) 2015 - 2016 Intel Deutschland GmbH
+ * Copyright(c) 2015 - 2017 Intel Deutschland GmbH
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License version 2 as
@@ -1034,6 +1034,18 @@ static bool ieee80211_sta_manage_reorder_buf(struct ieee80211_sub_if_data *sdata
        buf_size = tid_agg_rx->buf_size;
        head_seq_num = tid_agg_rx->head_seq_num;
+        /*
+         * If the current MPDU's SN is smaller than the SSN, it shouldn't
+         * be reordered.
+         */
+        if (unlikely(!tid_agg_rx->started)) {
+                if (ieee80211_sn_less(mpdu_seq_num, head_seq_num)) {
+                        ret = false;
+                        goto out;
+                }
+                tid_agg_rx->started = true;
+        }
        /* frame with out of date sequence number */
        if (ieee80211_sn_less(mpdu_seq_num, head_seq_num)) {
                dev_kfree_skb(skb);
diff --git a/net/mac80211/sta_info.h b/net/mac80211/sta_info.h
index dd06ef0b8861..15599c70a38f 100644
--- a/net/mac80211/sta_info.h
+++ b/net/mac80211/sta_info.h
@@ -189,6 +189,7 @@ struct tid_ampdu_tx {
 * @auto_seq: used for offloaded BA sessions to automatically pick head_seq_and
 *      and ssn.
 * @removed: this session is removed (but might have been found due to RCU)
+ * @started: this session has started (head ssn or higher was received)
 *
 * This structure's lifetime is managed by RCU, assignments to
 * the array holding it must hold the aggregation mutex.
@@ -212,8 +213,9 @@ struct tid_ampdu_rx {
        u16 ssn;
        u16 buf_size;
        u16 timeout;
-        bool auto_seq;
+        u8 auto_seq:1,
-        bool removed;
+           removed:1,
+           started:1;
 };
 /**
author	Sara Sharon <sara.sharon@intel.com>	2017-02-06 08:28:42 -0500
committer	Johannes Berg <johannes.berg@intel.com>	2017-02-27 08:00:26 -0500
commit	b7540d8f25c8034de7e4163fc23ac457bf057731 (patch)
tree	1b54f82ea1459a2f79697992034269d4ec91f812
parent	a9e9200d8661c1a0be8c39f93deb383dc940de35 (diff)