Loading...
1/*
2 * Copyright 2002-2005, Instant802 Networks, Inc.
3 * Copyright 2005-2006, Devicescape Software, Inc.
4 * Copyright 2006-2007 Jiri Benc <jbenc@suse.cz>
5 * Copyright 2007-2010 Johannes Berg <johannes@sipsolutions.net>
6 * Copyright 2013-2014 Intel Mobile Communications GmbH
7 * Copyright(c) 2015 - 2017 Intel Deutschland GmbH
8 *
9 * This program is free software; you can redistribute it and/or modify
10 * it under the terms of the GNU General Public License version 2 as
11 * published by the Free Software Foundation.
12 */
13
14#include <linux/jiffies.h>
15#include <linux/slab.h>
16#include <linux/kernel.h>
17#include <linux/skbuff.h>
18#include <linux/netdevice.h>
19#include <linux/etherdevice.h>
20#include <linux/rcupdate.h>
21#include <linux/export.h>
22#include <linux/bitops.h>
23#include <net/mac80211.h>
24#include <net/ieee80211_radiotap.h>
25#include <asm/unaligned.h>
26
27#include "ieee80211_i.h"
28#include "driver-ops.h"
29#include "led.h"
30#include "mesh.h"
31#include "wep.h"
32#include "wpa.h"
33#include "tkip.h"
34#include "wme.h"
35#include "rate.h"
36
37static inline void ieee80211_rx_stats(struct net_device *dev, u32 len)
38{
39 struct pcpu_sw_netstats *tstats = this_cpu_ptr(dev->tstats);
40
41 u64_stats_update_begin(&tstats->syncp);
42 tstats->rx_packets++;
43 tstats->rx_bytes += len;
44 u64_stats_update_end(&tstats->syncp);
45}
46
47static u8 *ieee80211_get_bssid(struct ieee80211_hdr *hdr, size_t len,
48 enum nl80211_iftype type)
49{
50 __le16 fc = hdr->frame_control;
51
52 if (ieee80211_is_data(fc)) {
53 if (len < 24) /* drop incorrect hdr len (data) */
54 return NULL;
55
56 if (ieee80211_has_a4(fc))
57 return NULL;
58 if (ieee80211_has_tods(fc))
59 return hdr->addr1;
60 if (ieee80211_has_fromds(fc))
61 return hdr->addr2;
62
63 return hdr->addr3;
64 }
65
66 if (ieee80211_is_mgmt(fc)) {
67 if (len < 24) /* drop incorrect hdr len (mgmt) */
68 return NULL;
69 return hdr->addr3;
70 }
71
72 if (ieee80211_is_ctl(fc)) {
73 if (ieee80211_is_pspoll(fc))
74 return hdr->addr1;
75
76 if (ieee80211_is_back_req(fc)) {
77 switch (type) {
78 case NL80211_IFTYPE_STATION:
79 return hdr->addr2;
80 case NL80211_IFTYPE_AP:
81 case NL80211_IFTYPE_AP_VLAN:
82 return hdr->addr1;
83 default:
84 break; /* fall through to the return */
85 }
86 }
87 }
88
89 return NULL;
90}
91
92/*
93 * monitor mode reception
94 *
95 * This function cleans up the SKB, i.e. it removes all the stuff
96 * only useful for monitoring.
97 */
98static struct sk_buff *remove_monitor_info(struct ieee80211_local *local,
99 struct sk_buff *skb,
100 unsigned int rtap_vendor_space)
101{
102 if (ieee80211_hw_check(&local->hw, RX_INCLUDES_FCS)) {
103 if (likely(skb->len > FCS_LEN))
104 __pskb_trim(skb, skb->len - FCS_LEN);
105 else {
106 /* driver bug */
107 WARN_ON(1);
108 dev_kfree_skb(skb);
109 return NULL;
110 }
111 }
112
113 __pskb_pull(skb, rtap_vendor_space);
114
115 return skb;
116}
117
118static inline bool should_drop_frame(struct sk_buff *skb, int present_fcs_len,
119 unsigned int rtap_vendor_space)
120{
121 struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(skb);
122 struct ieee80211_hdr *hdr;
123
124 hdr = (void *)(skb->data + rtap_vendor_space);
125
126 if (status->flag & (RX_FLAG_FAILED_FCS_CRC |
127 RX_FLAG_FAILED_PLCP_CRC |
128 RX_FLAG_ONLY_MONITOR))
129 return true;
130
131 if (unlikely(skb->len < 16 + present_fcs_len + rtap_vendor_space))
132 return true;
133
134 if (ieee80211_is_ctl(hdr->frame_control) &&
135 !ieee80211_is_pspoll(hdr->frame_control) &&
136 !ieee80211_is_back_req(hdr->frame_control))
137 return true;
138
139 return false;
140}
141
142static int
143ieee80211_rx_radiotap_hdrlen(struct ieee80211_local *local,
144 struct ieee80211_rx_status *status,
145 struct sk_buff *skb)
146{
147 int len;
148
149 /* always present fields */
150 len = sizeof(struct ieee80211_radiotap_header) + 8;
151
152 /* allocate extra bitmaps */
153 if (status->chains)
154 len += 4 * hweight8(status->chains);
155
156 if (ieee80211_have_rx_timestamp(status)) {
157 len = ALIGN(len, 8);
158 len += 8;
159 }
160 if (ieee80211_hw_check(&local->hw, SIGNAL_DBM))
161 len += 1;
162
163 /* antenna field, if we don't have per-chain info */
164 if (!status->chains)
165 len += 1;
166
167 /* padding for RX_FLAGS if necessary */
168 len = ALIGN(len, 2);
169
170 if (status->flag & RX_FLAG_HT) /* HT info */
171 len += 3;
172
173 if (status->flag & RX_FLAG_AMPDU_DETAILS) {
174 len = ALIGN(len, 4);
175 len += 8;
176 }
177
178 if (status->flag & RX_FLAG_VHT) {
179 len = ALIGN(len, 2);
180 len += 12;
181 }
182
183 if (local->hw.radiotap_timestamp.units_pos >= 0) {
184 len = ALIGN(len, 8);
185 len += 12;
186 }
187
188 if (status->chains) {
189 /* antenna and antenna signal fields */
190 len += 2 * hweight8(status->chains);
191 }
192
193 if (status->flag & RX_FLAG_RADIOTAP_VENDOR_DATA) {
194 struct ieee80211_vendor_radiotap *rtap = (void *)skb->data;
195
196 /* vendor presence bitmap */
197 len += 4;
198 /* alignment for fixed 6-byte vendor data header */
199 len = ALIGN(len, 2);
200 /* vendor data header */
201 len += 6;
202 if (WARN_ON(rtap->align == 0))
203 rtap->align = 1;
204 len = ALIGN(len, rtap->align);
205 len += rtap->len + rtap->pad;
206 }
207
208 return len;
209}
210
211/*
212 * ieee80211_add_rx_radiotap_header - add radiotap header
213 *
214 * add a radiotap header containing all the fields which the hardware provided.
215 */
216static void
217ieee80211_add_rx_radiotap_header(struct ieee80211_local *local,
218 struct sk_buff *skb,
219 struct ieee80211_rate *rate,
220 int rtap_len, bool has_fcs)
221{
222 struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(skb);
223 struct ieee80211_radiotap_header *rthdr;
224 unsigned char *pos;
225 __le32 *it_present;
226 u32 it_present_val;
227 u16 rx_flags = 0;
228 u16 channel_flags = 0;
229 int mpdulen, chain;
230 unsigned long chains = status->chains;
231 struct ieee80211_vendor_radiotap rtap = {};
232
233 if (status->flag & RX_FLAG_RADIOTAP_VENDOR_DATA) {
234 rtap = *(struct ieee80211_vendor_radiotap *)skb->data;
235 /* rtap.len and rtap.pad are undone immediately */
236 skb_pull(skb, sizeof(rtap) + rtap.len + rtap.pad);
237 }
238
239 mpdulen = skb->len;
240 if (!(has_fcs && ieee80211_hw_check(&local->hw, RX_INCLUDES_FCS)))
241 mpdulen += FCS_LEN;
242
243 rthdr = (struct ieee80211_radiotap_header *)skb_push(skb, rtap_len);
244 memset(rthdr, 0, rtap_len - rtap.len - rtap.pad);
245 it_present = &rthdr->it_present;
246
247 /* radiotap header, set always present flags */
248 rthdr->it_len = cpu_to_le16(rtap_len);
249 it_present_val = BIT(IEEE80211_RADIOTAP_FLAGS) |
250 BIT(IEEE80211_RADIOTAP_CHANNEL) |
251 BIT(IEEE80211_RADIOTAP_RX_FLAGS);
252
253 if (!status->chains)
254 it_present_val |= BIT(IEEE80211_RADIOTAP_ANTENNA);
255
256 for_each_set_bit(chain, &chains, IEEE80211_MAX_CHAINS) {
257 it_present_val |=
258 BIT(IEEE80211_RADIOTAP_EXT) |
259 BIT(IEEE80211_RADIOTAP_RADIOTAP_NAMESPACE);
260 put_unaligned_le32(it_present_val, it_present);
261 it_present++;
262 it_present_val = BIT(IEEE80211_RADIOTAP_ANTENNA) |
263 BIT(IEEE80211_RADIOTAP_DBM_ANTSIGNAL);
264 }
265
266 if (status->flag & RX_FLAG_RADIOTAP_VENDOR_DATA) {
267 it_present_val |= BIT(IEEE80211_RADIOTAP_VENDOR_NAMESPACE) |
268 BIT(IEEE80211_RADIOTAP_EXT);
269 put_unaligned_le32(it_present_val, it_present);
270 it_present++;
271 it_present_val = rtap.present;
272 }
273
274 put_unaligned_le32(it_present_val, it_present);
275
276 pos = (void *)(it_present + 1);
277
278 /* the order of the following fields is important */
279
280 /* IEEE80211_RADIOTAP_TSFT */
281 if (ieee80211_have_rx_timestamp(status)) {
282 /* padding */
283 while ((pos - (u8 *)rthdr) & 7)
284 *pos++ = 0;
285 put_unaligned_le64(
286 ieee80211_calculate_rx_timestamp(local, status,
287 mpdulen, 0),
288 pos);
289 rthdr->it_present |= cpu_to_le32(1 << IEEE80211_RADIOTAP_TSFT);
290 pos += 8;
291 }
292
293 /* IEEE80211_RADIOTAP_FLAGS */
294 if (has_fcs && ieee80211_hw_check(&local->hw, RX_INCLUDES_FCS))
295 *pos |= IEEE80211_RADIOTAP_F_FCS;
296 if (status->flag & (RX_FLAG_FAILED_FCS_CRC | RX_FLAG_FAILED_PLCP_CRC))
297 *pos |= IEEE80211_RADIOTAP_F_BADFCS;
298 if (status->flag & RX_FLAG_SHORTPRE)
299 *pos |= IEEE80211_RADIOTAP_F_SHORTPRE;
300 pos++;
301
302 /* IEEE80211_RADIOTAP_RATE */
303 if (!rate || status->flag & (RX_FLAG_HT | RX_FLAG_VHT)) {
304 /*
305 * Without rate information don't add it. If we have,
306 * MCS information is a separate field in radiotap,
307 * added below. The byte here is needed as padding
308 * for the channel though, so initialise it to 0.
309 */
310 *pos = 0;
311 } else {
312 int shift = 0;
313 rthdr->it_present |= cpu_to_le32(1 << IEEE80211_RADIOTAP_RATE);
314 if (status->flag & RX_FLAG_10MHZ)
315 shift = 1;
316 else if (status->flag & RX_FLAG_5MHZ)
317 shift = 2;
318 *pos = DIV_ROUND_UP(rate->bitrate, 5 * (1 << shift));
319 }
320 pos++;
321
322 /* IEEE80211_RADIOTAP_CHANNEL */
323 put_unaligned_le16(status->freq, pos);
324 pos += 2;
325 if (status->flag & RX_FLAG_10MHZ)
326 channel_flags |= IEEE80211_CHAN_HALF;
327 else if (status->flag & RX_FLAG_5MHZ)
328 channel_flags |= IEEE80211_CHAN_QUARTER;
329
330 if (status->band == NL80211_BAND_5GHZ)
331 channel_flags |= IEEE80211_CHAN_OFDM | IEEE80211_CHAN_5GHZ;
332 else if (status->flag & (RX_FLAG_HT | RX_FLAG_VHT))
333 channel_flags |= IEEE80211_CHAN_DYN | IEEE80211_CHAN_2GHZ;
334 else if (rate && rate->flags & IEEE80211_RATE_ERP_G)
335 channel_flags |= IEEE80211_CHAN_OFDM | IEEE80211_CHAN_2GHZ;
336 else if (rate)
337 channel_flags |= IEEE80211_CHAN_CCK | IEEE80211_CHAN_2GHZ;
338 else
339 channel_flags |= IEEE80211_CHAN_2GHZ;
340 put_unaligned_le16(channel_flags, pos);
341 pos += 2;
342
343 /* IEEE80211_RADIOTAP_DBM_ANTSIGNAL */
344 if (ieee80211_hw_check(&local->hw, SIGNAL_DBM) &&
345 !(status->flag & RX_FLAG_NO_SIGNAL_VAL)) {
346 *pos = status->signal;
347 rthdr->it_present |=
348 cpu_to_le32(1 << IEEE80211_RADIOTAP_DBM_ANTSIGNAL);
349 pos++;
350 }
351
352 /* IEEE80211_RADIOTAP_LOCK_QUALITY is missing */
353
354 if (!status->chains) {
355 /* IEEE80211_RADIOTAP_ANTENNA */
356 *pos = status->antenna;
357 pos++;
358 }
359
360 /* IEEE80211_RADIOTAP_DB_ANTNOISE is not used */
361
362 /* IEEE80211_RADIOTAP_RX_FLAGS */
363 /* ensure 2 byte alignment for the 2 byte field as required */
364 if ((pos - (u8 *)rthdr) & 1)
365 *pos++ = 0;
366 if (status->flag & RX_FLAG_FAILED_PLCP_CRC)
367 rx_flags |= IEEE80211_RADIOTAP_F_RX_BADPLCP;
368 put_unaligned_le16(rx_flags, pos);
369 pos += 2;
370
371 if (status->flag & RX_FLAG_HT) {
372 unsigned int stbc;
373
374 rthdr->it_present |= cpu_to_le32(1 << IEEE80211_RADIOTAP_MCS);
375 *pos++ = local->hw.radiotap_mcs_details;
376 *pos = 0;
377 if (status->flag & RX_FLAG_SHORT_GI)
378 *pos |= IEEE80211_RADIOTAP_MCS_SGI;
379 if (status->flag & RX_FLAG_40MHZ)
380 *pos |= IEEE80211_RADIOTAP_MCS_BW_40;
381 if (status->flag & RX_FLAG_HT_GF)
382 *pos |= IEEE80211_RADIOTAP_MCS_FMT_GF;
383 if (status->flag & RX_FLAG_LDPC)
384 *pos |= IEEE80211_RADIOTAP_MCS_FEC_LDPC;
385 stbc = (status->flag & RX_FLAG_STBC_MASK) >> RX_FLAG_STBC_SHIFT;
386 *pos |= stbc << IEEE80211_RADIOTAP_MCS_STBC_SHIFT;
387 pos++;
388 *pos++ = status->rate_idx;
389 }
390
391 if (status->flag & RX_FLAG_AMPDU_DETAILS) {
392 u16 flags = 0;
393
394 /* ensure 4 byte alignment */
395 while ((pos - (u8 *)rthdr) & 3)
396 pos++;
397 rthdr->it_present |=
398 cpu_to_le32(1 << IEEE80211_RADIOTAP_AMPDU_STATUS);
399 put_unaligned_le32(status->ampdu_reference, pos);
400 pos += 4;
401 if (status->flag & RX_FLAG_AMPDU_LAST_KNOWN)
402 flags |= IEEE80211_RADIOTAP_AMPDU_LAST_KNOWN;
403 if (status->flag & RX_FLAG_AMPDU_IS_LAST)
404 flags |= IEEE80211_RADIOTAP_AMPDU_IS_LAST;
405 if (status->flag & RX_FLAG_AMPDU_DELIM_CRC_ERROR)
406 flags |= IEEE80211_RADIOTAP_AMPDU_DELIM_CRC_ERR;
407 if (status->flag & RX_FLAG_AMPDU_DELIM_CRC_KNOWN)
408 flags |= IEEE80211_RADIOTAP_AMPDU_DELIM_CRC_KNOWN;
409 put_unaligned_le16(flags, pos);
410 pos += 2;
411 if (status->flag & RX_FLAG_AMPDU_DELIM_CRC_KNOWN)
412 *pos++ = status->ampdu_delimiter_crc;
413 else
414 *pos++ = 0;
415 *pos++ = 0;
416 }
417
418 if (status->flag & RX_FLAG_VHT) {
419 u16 known = local->hw.radiotap_vht_details;
420
421 rthdr->it_present |= cpu_to_le32(1 << IEEE80211_RADIOTAP_VHT);
422 put_unaligned_le16(known, pos);
423 pos += 2;
424 /* flags */
425 if (status->flag & RX_FLAG_SHORT_GI)
426 *pos |= IEEE80211_RADIOTAP_VHT_FLAG_SGI;
427 /* in VHT, STBC is binary */
428 if (status->flag & RX_FLAG_STBC_MASK)
429 *pos |= IEEE80211_RADIOTAP_VHT_FLAG_STBC;
430 if (status->vht_flag & RX_VHT_FLAG_BF)
431 *pos |= IEEE80211_RADIOTAP_VHT_FLAG_BEAMFORMED;
432 pos++;
433 /* bandwidth */
434 if (status->vht_flag & RX_VHT_FLAG_80MHZ)
435 *pos++ = 4;
436 else if (status->vht_flag & RX_VHT_FLAG_160MHZ)
437 *pos++ = 11;
438 else if (status->flag & RX_FLAG_40MHZ)
439 *pos++ = 1;
440 else /* 20 MHz */
441 *pos++ = 0;
442 /* MCS/NSS */
443 *pos = (status->rate_idx << 4) | status->vht_nss;
444 pos += 4;
445 /* coding field */
446 if (status->flag & RX_FLAG_LDPC)
447 *pos |= IEEE80211_RADIOTAP_CODING_LDPC_USER0;
448 pos++;
449 /* group ID */
450 pos++;
451 /* partial_aid */
452 pos += 2;
453 }
454
455 if (local->hw.radiotap_timestamp.units_pos >= 0) {
456 u16 accuracy = 0;
457 u8 flags = IEEE80211_RADIOTAP_TIMESTAMP_FLAG_32BIT;
458
459 rthdr->it_present |=
460 cpu_to_le32(1 << IEEE80211_RADIOTAP_TIMESTAMP);
461
462 /* ensure 8 byte alignment */
463 while ((pos - (u8 *)rthdr) & 7)
464 pos++;
465
466 put_unaligned_le64(status->device_timestamp, pos);
467 pos += sizeof(u64);
468
469 if (local->hw.radiotap_timestamp.accuracy >= 0) {
470 accuracy = local->hw.radiotap_timestamp.accuracy;
471 flags |= IEEE80211_RADIOTAP_TIMESTAMP_FLAG_ACCURACY;
472 }
473 put_unaligned_le16(accuracy, pos);
474 pos += sizeof(u16);
475
476 *pos++ = local->hw.radiotap_timestamp.units_pos;
477 *pos++ = flags;
478 }
479
480 for_each_set_bit(chain, &chains, IEEE80211_MAX_CHAINS) {
481 *pos++ = status->chain_signal[chain];
482 *pos++ = chain;
483 }
484
485 if (status->flag & RX_FLAG_RADIOTAP_VENDOR_DATA) {
486 /* ensure 2 byte alignment for the vendor field as required */
487 if ((pos - (u8 *)rthdr) & 1)
488 *pos++ = 0;
489 *pos++ = rtap.oui[0];
490 *pos++ = rtap.oui[1];
491 *pos++ = rtap.oui[2];
492 *pos++ = rtap.subns;
493 put_unaligned_le16(rtap.len, pos);
494 pos += 2;
495 /* align the actual payload as requested */
496 while ((pos - (u8 *)rthdr) & (rtap.align - 1))
497 *pos++ = 0;
498 /* data (and possible padding) already follows */
499 }
500}
501
502/*
503 * This function copies a received frame to all monitor interfaces and
504 * returns a cleaned-up SKB that no longer includes the FCS nor the
505 * radiotap header the driver might have added.
506 */
507static struct sk_buff *
508ieee80211_rx_monitor(struct ieee80211_local *local, struct sk_buff *origskb,
509 struct ieee80211_rate *rate)
510{
511 struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(origskb);
512 struct ieee80211_sub_if_data *sdata;
513 int rt_hdrlen, needed_headroom;
514 struct sk_buff *skb, *skb2;
515 struct net_device *prev_dev = NULL;
516 int present_fcs_len = 0;
517 unsigned int rtap_vendor_space = 0;
518 struct ieee80211_mgmt *mgmt;
519 struct ieee80211_sub_if_data *monitor_sdata =
520 rcu_dereference(local->monitor_sdata);
521
522 if (unlikely(status->flag & RX_FLAG_RADIOTAP_VENDOR_DATA)) {
523 struct ieee80211_vendor_radiotap *rtap = (void *)origskb->data;
524
525 rtap_vendor_space = sizeof(*rtap) + rtap->len + rtap->pad;
526 }
527
528 /*
529 * First, we may need to make a copy of the skb because
530 * (1) we need to modify it for radiotap (if not present), and
531 * (2) the other RX handlers will modify the skb we got.
532 *
533 * We don't need to, of course, if we aren't going to return
534 * the SKB because it has a bad FCS/PLCP checksum.
535 */
536
537 if (ieee80211_hw_check(&local->hw, RX_INCLUDES_FCS))
538 present_fcs_len = FCS_LEN;
539
540 /* ensure hdr->frame_control and vendor radiotap data are in skb head */
541 if (!pskb_may_pull(origskb, 2 + rtap_vendor_space)) {
542 dev_kfree_skb(origskb);
543 return NULL;
544 }
545
546 if (!local->monitors || (status->flag & RX_FLAG_SKIP_MONITOR)) {
547 if (should_drop_frame(origskb, present_fcs_len,
548 rtap_vendor_space)) {
549 dev_kfree_skb(origskb);
550 return NULL;
551 }
552
553 return remove_monitor_info(local, origskb, rtap_vendor_space);
554 }
555
556 /* room for the radiotap header based on driver features */
557 rt_hdrlen = ieee80211_rx_radiotap_hdrlen(local, status, origskb);
558 needed_headroom = rt_hdrlen - rtap_vendor_space;
559
560 if (should_drop_frame(origskb, present_fcs_len, rtap_vendor_space)) {
561 /* only need to expand headroom if necessary */
562 skb = origskb;
563 origskb = NULL;
564
565 /*
566 * This shouldn't trigger often because most devices have an
567 * RX header they pull before we get here, and that should
568 * be big enough for our radiotap information. We should
569 * probably export the length to drivers so that we can have
570 * them allocate enough headroom to start with.
571 */
572 if (skb_headroom(skb) < needed_headroom &&
573 pskb_expand_head(skb, needed_headroom, 0, GFP_ATOMIC)) {
574 dev_kfree_skb(skb);
575 return NULL;
576 }
577 } else {
578 /*
579 * Need to make a copy and possibly remove radiotap header
580 * and FCS from the original.
581 */
582 skb = skb_copy_expand(origskb, needed_headroom, 0, GFP_ATOMIC);
583
584 origskb = remove_monitor_info(local, origskb,
585 rtap_vendor_space);
586
587 if (!skb)
588 return origskb;
589 }
590
591 /* prepend radiotap information */
592 ieee80211_add_rx_radiotap_header(local, skb, rate, rt_hdrlen, true);
593
594 skb_reset_mac_header(skb);
595 skb->ip_summed = CHECKSUM_UNNECESSARY;
596 skb->pkt_type = PACKET_OTHERHOST;
597 skb->protocol = htons(ETH_P_802_2);
598
599 list_for_each_entry_rcu(sdata, &local->interfaces, list) {
600 if (sdata->vif.type != NL80211_IFTYPE_MONITOR)
601 continue;
602
603 if (sdata->u.mntr.flags & MONITOR_FLAG_COOK_FRAMES)
604 continue;
605
606 if (!ieee80211_sdata_running(sdata))
607 continue;
608
609 if (prev_dev) {
610 skb2 = skb_clone(skb, GFP_ATOMIC);
611 if (skb2) {
612 skb2->dev = prev_dev;
613 netif_receive_skb(skb2);
614 }
615 }
616
617 prev_dev = sdata->dev;
618 ieee80211_rx_stats(sdata->dev, skb->len);
619 }
620
621 mgmt = (void *)skb->data;
622 if (monitor_sdata &&
623 skb->len >= IEEE80211_MIN_ACTION_SIZE + 1 + VHT_MUMIMO_GROUPS_DATA_LEN &&
624 ieee80211_is_action(mgmt->frame_control) &&
625 mgmt->u.action.category == WLAN_CATEGORY_VHT &&
626 mgmt->u.action.u.vht_group_notif.action_code == WLAN_VHT_ACTION_GROUPID_MGMT &&
627 is_valid_ether_addr(monitor_sdata->u.mntr.mu_follow_addr) &&
628 ether_addr_equal(mgmt->da, monitor_sdata->u.mntr.mu_follow_addr)) {
629 struct sk_buff *mu_skb = skb_copy(skb, GFP_ATOMIC);
630
631 if (mu_skb) {
632 mu_skb->pkt_type = IEEE80211_SDATA_QUEUE_TYPE_FRAME;
633 skb_queue_tail(&monitor_sdata->skb_queue, mu_skb);
634 ieee80211_queue_work(&local->hw, &monitor_sdata->work);
635 }
636 }
637
638 if (prev_dev) {
639 skb->dev = prev_dev;
640 netif_receive_skb(skb);
641 } else
642 dev_kfree_skb(skb);
643
644 return origskb;
645}
646
647static void ieee80211_parse_qos(struct ieee80211_rx_data *rx)
648{
649 struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)rx->skb->data;
650 struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(rx->skb);
651 int tid, seqno_idx, security_idx;
652
653 /* does the frame have a qos control field? */
654 if (ieee80211_is_data_qos(hdr->frame_control)) {
655 u8 *qc = ieee80211_get_qos_ctl(hdr);
656 /* frame has qos control */
657 tid = *qc & IEEE80211_QOS_CTL_TID_MASK;
658 if (*qc & IEEE80211_QOS_CTL_A_MSDU_PRESENT)
659 status->rx_flags |= IEEE80211_RX_AMSDU;
660
661 seqno_idx = tid;
662 security_idx = tid;
663 } else {
664 /*
665 * IEEE 802.11-2007, 7.1.3.4.1 ("Sequence Number field"):
666 *
667 * Sequence numbers for management frames, QoS data
668 * frames with a broadcast/multicast address in the
669 * Address 1 field, and all non-QoS data frames sent
670 * by QoS STAs are assigned using an additional single
671 * modulo-4096 counter, [...]
672 *
673 * We also use that counter for non-QoS STAs.
674 */
675 seqno_idx = IEEE80211_NUM_TIDS;
676 security_idx = 0;
677 if (ieee80211_is_mgmt(hdr->frame_control))
678 security_idx = IEEE80211_NUM_TIDS;
679 tid = 0;
680 }
681
682 rx->seqno_idx = seqno_idx;
683 rx->security_idx = security_idx;
684 /* Set skb->priority to 1d tag if highest order bit of TID is not set.
685 * For now, set skb->priority to 0 for other cases. */
686 rx->skb->priority = (tid > 7) ? 0 : tid;
687}
688
689/**
690 * DOC: Packet alignment
691 *
692 * Drivers always need to pass packets that are aligned to two-byte boundaries
693 * to the stack.
694 *
695 * Additionally, should, if possible, align the payload data in a way that
696 * guarantees that the contained IP header is aligned to a four-byte
697 * boundary. In the case of regular frames, this simply means aligning the
698 * payload to a four-byte boundary (because either the IP header is directly
699 * contained, or IV/RFC1042 headers that have a length divisible by four are
700 * in front of it). If the payload data is not properly aligned and the
701 * architecture doesn't support efficient unaligned operations, mac80211
702 * will align the data.
703 *
704 * With A-MSDU frames, however, the payload data address must yield two modulo
705 * four because there are 14-byte 802.3 headers within the A-MSDU frames that
706 * push the IP header further back to a multiple of four again. Thankfully, the
707 * specs were sane enough this time around to require padding each A-MSDU
708 * subframe to a length that is a multiple of four.
709 *
710 * Padding like Atheros hardware adds which is between the 802.11 header and
711 * the payload is not supported, the driver is required to move the 802.11
712 * header to be directly in front of the payload in that case.
713 */
714static void ieee80211_verify_alignment(struct ieee80211_rx_data *rx)
715{
716#ifdef CONFIG_MAC80211_VERBOSE_DEBUG
717 WARN_ON_ONCE((unsigned long)rx->skb->data & 1);
718#endif
719}
720
721
722/* rx handlers */
723
724static int ieee80211_is_unicast_robust_mgmt_frame(struct sk_buff *skb)
725{
726 struct ieee80211_hdr *hdr = (struct ieee80211_hdr *) skb->data;
727
728 if (is_multicast_ether_addr(hdr->addr1))
729 return 0;
730
731 return ieee80211_is_robust_mgmt_frame(skb);
732}
733
734
735static int ieee80211_is_multicast_robust_mgmt_frame(struct sk_buff *skb)
736{
737 struct ieee80211_hdr *hdr = (struct ieee80211_hdr *) skb->data;
738
739 if (!is_multicast_ether_addr(hdr->addr1))
740 return 0;
741
742 return ieee80211_is_robust_mgmt_frame(skb);
743}
744
745
746/* Get the BIP key index from MMIE; return -1 if this is not a BIP frame */
747static int ieee80211_get_mmie_keyidx(struct sk_buff *skb)
748{
749 struct ieee80211_mgmt *hdr = (struct ieee80211_mgmt *) skb->data;
750 struct ieee80211_mmie *mmie;
751 struct ieee80211_mmie_16 *mmie16;
752
753 if (skb->len < 24 + sizeof(*mmie) || !is_multicast_ether_addr(hdr->da))
754 return -1;
755
756 if (!ieee80211_is_robust_mgmt_frame(skb))
757 return -1; /* not a robust management frame */
758
759 mmie = (struct ieee80211_mmie *)
760 (skb->data + skb->len - sizeof(*mmie));
761 if (mmie->element_id == WLAN_EID_MMIE &&
762 mmie->length == sizeof(*mmie) - 2)
763 return le16_to_cpu(mmie->key_id);
764
765 mmie16 = (struct ieee80211_mmie_16 *)
766 (skb->data + skb->len - sizeof(*mmie16));
767 if (skb->len >= 24 + sizeof(*mmie16) &&
768 mmie16->element_id == WLAN_EID_MMIE &&
769 mmie16->length == sizeof(*mmie16) - 2)
770 return le16_to_cpu(mmie16->key_id);
771
772 return -1;
773}
774
775static int ieee80211_get_cs_keyid(const struct ieee80211_cipher_scheme *cs,
776 struct sk_buff *skb)
777{
778 struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)skb->data;
779 __le16 fc;
780 int hdrlen;
781 u8 keyid;
782
783 fc = hdr->frame_control;
784 hdrlen = ieee80211_hdrlen(fc);
785
786 if (skb->len < hdrlen + cs->hdr_len)
787 return -EINVAL;
788
789 skb_copy_bits(skb, hdrlen + cs->key_idx_off, &keyid, 1);
790 keyid &= cs->key_idx_mask;
791 keyid >>= cs->key_idx_shift;
792
793 return keyid;
794}
795
796static ieee80211_rx_result ieee80211_rx_mesh_check(struct ieee80211_rx_data *rx)
797{
798 struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)rx->skb->data;
799 char *dev_addr = rx->sdata->vif.addr;
800
801 if (ieee80211_is_data(hdr->frame_control)) {
802 if (is_multicast_ether_addr(hdr->addr1)) {
803 if (ieee80211_has_tods(hdr->frame_control) ||
804 !ieee80211_has_fromds(hdr->frame_control))
805 return RX_DROP_MONITOR;
806 if (ether_addr_equal(hdr->addr3, dev_addr))
807 return RX_DROP_MONITOR;
808 } else {
809 if (!ieee80211_has_a4(hdr->frame_control))
810 return RX_DROP_MONITOR;
811 if (ether_addr_equal(hdr->addr4, dev_addr))
812 return RX_DROP_MONITOR;
813 }
814 }
815
816 /* If there is not an established peer link and this is not a peer link
817 * establisment frame, beacon or probe, drop the frame.
818 */
819
820 if (!rx->sta || sta_plink_state(rx->sta) != NL80211_PLINK_ESTAB) {
821 struct ieee80211_mgmt *mgmt;
822
823 if (!ieee80211_is_mgmt(hdr->frame_control))
824 return RX_DROP_MONITOR;
825
826 if (ieee80211_is_action(hdr->frame_control)) {
827 u8 category;
828
829 /* make sure category field is present */
830 if (rx->skb->len < IEEE80211_MIN_ACTION_SIZE)
831 return RX_DROP_MONITOR;
832
833 mgmt = (struct ieee80211_mgmt *)hdr;
834 category = mgmt->u.action.category;
835 if (category != WLAN_CATEGORY_MESH_ACTION &&
836 category != WLAN_CATEGORY_SELF_PROTECTED)
837 return RX_DROP_MONITOR;
838 return RX_CONTINUE;
839 }
840
841 if (ieee80211_is_probe_req(hdr->frame_control) ||
842 ieee80211_is_probe_resp(hdr->frame_control) ||
843 ieee80211_is_beacon(hdr->frame_control) ||
844 ieee80211_is_auth(hdr->frame_control))
845 return RX_CONTINUE;
846
847 return RX_DROP_MONITOR;
848 }
849
850 return RX_CONTINUE;
851}
852
853static inline bool ieee80211_rx_reorder_ready(struct tid_ampdu_rx *tid_agg_rx,
854 int index)
855{
856 struct sk_buff_head *frames = &tid_agg_rx->reorder_buf[index];
857 struct sk_buff *tail = skb_peek_tail(frames);
858 struct ieee80211_rx_status *status;
859
860 if (tid_agg_rx->reorder_buf_filtered & BIT_ULL(index))
861 return true;
862
863 if (!tail)
864 return false;
865
866 status = IEEE80211_SKB_RXCB(tail);
867 if (status->flag & RX_FLAG_AMSDU_MORE)
868 return false;
869
870 return true;
871}
872
873static void ieee80211_release_reorder_frame(struct ieee80211_sub_if_data *sdata,
874 struct tid_ampdu_rx *tid_agg_rx,
875 int index,
876 struct sk_buff_head *frames)
877{
878 struct sk_buff_head *skb_list = &tid_agg_rx->reorder_buf[index];
879 struct sk_buff *skb;
880 struct ieee80211_rx_status *status;
881
882 lockdep_assert_held(&tid_agg_rx->reorder_lock);
883
884 if (skb_queue_empty(skb_list))
885 goto no_frame;
886
887 if (!ieee80211_rx_reorder_ready(tid_agg_rx, index)) {
888 __skb_queue_purge(skb_list);
889 goto no_frame;
890 }
891
892 /* release frames from the reorder ring buffer */
893 tid_agg_rx->stored_mpdu_num--;
894 while ((skb = __skb_dequeue(skb_list))) {
895 status = IEEE80211_SKB_RXCB(skb);
896 status->rx_flags |= IEEE80211_RX_DEFERRED_RELEASE;
897 __skb_queue_tail(frames, skb);
898 }
899
900no_frame:
901 tid_agg_rx->reorder_buf_filtered &= ~BIT_ULL(index);
902 tid_agg_rx->head_seq_num = ieee80211_sn_inc(tid_agg_rx->head_seq_num);
903}
904
905static void ieee80211_release_reorder_frames(struct ieee80211_sub_if_data *sdata,
906 struct tid_ampdu_rx *tid_agg_rx,
907 u16 head_seq_num,
908 struct sk_buff_head *frames)
909{
910 int index;
911
912 lockdep_assert_held(&tid_agg_rx->reorder_lock);
913
914 while (ieee80211_sn_less(tid_agg_rx->head_seq_num, head_seq_num)) {
915 index = tid_agg_rx->head_seq_num % tid_agg_rx->buf_size;
916 ieee80211_release_reorder_frame(sdata, tid_agg_rx, index,
917 frames);
918 }
919}
920
921/*
922 * Timeout (in jiffies) for skb's that are waiting in the RX reorder buffer. If
923 * the skb was added to the buffer longer than this time ago, the earlier
924 * frames that have not yet been received are assumed to be lost and the skb
925 * can be released for processing. This may also release other skb's from the
926 * reorder buffer if there are no additional gaps between the frames.
927 *
928 * Callers must hold tid_agg_rx->reorder_lock.
929 */
930#define HT_RX_REORDER_BUF_TIMEOUT (HZ / 10)
931
932static void ieee80211_sta_reorder_release(struct ieee80211_sub_if_data *sdata,
933 struct tid_ampdu_rx *tid_agg_rx,
934 struct sk_buff_head *frames)
935{
936 int index, i, j;
937
938 lockdep_assert_held(&tid_agg_rx->reorder_lock);
939
940 /* release the buffer until next missing frame */
941 index = tid_agg_rx->head_seq_num % tid_agg_rx->buf_size;
942 if (!ieee80211_rx_reorder_ready(tid_agg_rx, index) &&
943 tid_agg_rx->stored_mpdu_num) {
944 /*
945 * No buffers ready to be released, but check whether any
946 * frames in the reorder buffer have timed out.
947 */
948 int skipped = 1;
949 for (j = (index + 1) % tid_agg_rx->buf_size; j != index;
950 j = (j + 1) % tid_agg_rx->buf_size) {
951 if (!ieee80211_rx_reorder_ready(tid_agg_rx, j)) {
952 skipped++;
953 continue;
954 }
955 if (skipped &&
956 !time_after(jiffies, tid_agg_rx->reorder_time[j] +
957 HT_RX_REORDER_BUF_TIMEOUT))
958 goto set_release_timer;
959
960 /* don't leave incomplete A-MSDUs around */
961 for (i = (index + 1) % tid_agg_rx->buf_size; i != j;
962 i = (i + 1) % tid_agg_rx->buf_size)
963 __skb_queue_purge(&tid_agg_rx->reorder_buf[i]);
964
965 ht_dbg_ratelimited(sdata,
966 "release an RX reorder frame due to timeout on earlier frames\n");
967 ieee80211_release_reorder_frame(sdata, tid_agg_rx, j,
968 frames);
969
970 /*
971 * Increment the head seq# also for the skipped slots.
972 */
973 tid_agg_rx->head_seq_num =
974 (tid_agg_rx->head_seq_num +
975 skipped) & IEEE80211_SN_MASK;
976 skipped = 0;
977 }
978 } else while (ieee80211_rx_reorder_ready(tid_agg_rx, index)) {
979 ieee80211_release_reorder_frame(sdata, tid_agg_rx, index,
980 frames);
981 index = tid_agg_rx->head_seq_num % tid_agg_rx->buf_size;
982 }
983
984 if (tid_agg_rx->stored_mpdu_num) {
985 j = index = tid_agg_rx->head_seq_num % tid_agg_rx->buf_size;
986
987 for (; j != (index - 1) % tid_agg_rx->buf_size;
988 j = (j + 1) % tid_agg_rx->buf_size) {
989 if (ieee80211_rx_reorder_ready(tid_agg_rx, j))
990 break;
991 }
992
993 set_release_timer:
994
995 if (!tid_agg_rx->removed)
996 mod_timer(&tid_agg_rx->reorder_timer,
997 tid_agg_rx->reorder_time[j] + 1 +
998 HT_RX_REORDER_BUF_TIMEOUT);
999 } else {
1000 del_timer(&tid_agg_rx->reorder_timer);
1001 }
1002}
1003
1004/*
1005 * As this function belongs to the RX path it must be under
1006 * rcu_read_lock protection. It returns false if the frame
1007 * can be processed immediately, true if it was consumed.
1008 */
1009static bool ieee80211_sta_manage_reorder_buf(struct ieee80211_sub_if_data *sdata,
1010 struct tid_ampdu_rx *tid_agg_rx,
1011 struct sk_buff *skb,
1012 struct sk_buff_head *frames)
1013{
1014 struct ieee80211_hdr *hdr = (struct ieee80211_hdr *) skb->data;
1015 struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(skb);
1016 u16 sc = le16_to_cpu(hdr->seq_ctrl);
1017 u16 mpdu_seq_num = (sc & IEEE80211_SCTL_SEQ) >> 4;
1018 u16 head_seq_num, buf_size;
1019 int index;
1020 bool ret = true;
1021
1022 spin_lock(&tid_agg_rx->reorder_lock);
1023
1024 /*
1025 * Offloaded BA sessions have no known starting sequence number so pick
1026 * one from first Rxed frame for this tid after BA was started.
1027 */
1028 if (unlikely(tid_agg_rx->auto_seq)) {
1029 tid_agg_rx->auto_seq = false;
1030 tid_agg_rx->ssn = mpdu_seq_num;
1031 tid_agg_rx->head_seq_num = mpdu_seq_num;
1032 }
1033
1034 buf_size = tid_agg_rx->buf_size;
1035 head_seq_num = tid_agg_rx->head_seq_num;
1036
1037 /*
1038 * If the current MPDU's SN is smaller than the SSN, it shouldn't
1039 * be reordered.
1040 */
1041 if (unlikely(!tid_agg_rx->started)) {
1042 if (ieee80211_sn_less(mpdu_seq_num, head_seq_num)) {
1043 ret = false;
1044 goto out;
1045 }
1046 tid_agg_rx->started = true;
1047 }
1048
1049 /* frame with out of date sequence number */
1050 if (ieee80211_sn_less(mpdu_seq_num, head_seq_num)) {
1051 dev_kfree_skb(skb);
1052 goto out;
1053 }
1054
1055 /*
1056 * If frame the sequence number exceeds our buffering window
1057 * size release some previous frames to make room for this one.
1058 */
1059 if (!ieee80211_sn_less(mpdu_seq_num, head_seq_num + buf_size)) {
1060 head_seq_num = ieee80211_sn_inc(
1061 ieee80211_sn_sub(mpdu_seq_num, buf_size));
1062 /* release stored frames up to new head to stack */
1063 ieee80211_release_reorder_frames(sdata, tid_agg_rx,
1064 head_seq_num, frames);
1065 }
1066
1067 /* Now the new frame is always in the range of the reordering buffer */
1068
1069 index = mpdu_seq_num % tid_agg_rx->buf_size;
1070
1071 /* check if we already stored this frame */
1072 if (ieee80211_rx_reorder_ready(tid_agg_rx, index)) {
1073 dev_kfree_skb(skb);
1074 goto out;
1075 }
1076
1077 /*
1078 * If the current MPDU is in the right order and nothing else
1079 * is stored we can process it directly, no need to buffer it.
1080 * If it is first but there's something stored, we may be able
1081 * to release frames after this one.
1082 */
1083 if (mpdu_seq_num == tid_agg_rx->head_seq_num &&
1084 tid_agg_rx->stored_mpdu_num == 0) {
1085 if (!(status->flag & RX_FLAG_AMSDU_MORE))
1086 tid_agg_rx->head_seq_num =
1087 ieee80211_sn_inc(tid_agg_rx->head_seq_num);
1088 ret = false;
1089 goto out;
1090 }
1091
1092 /* put the frame in the reordering buffer */
1093 __skb_queue_tail(&tid_agg_rx->reorder_buf[index], skb);
1094 if (!(status->flag & RX_FLAG_AMSDU_MORE)) {
1095 tid_agg_rx->reorder_time[index] = jiffies;
1096 tid_agg_rx->stored_mpdu_num++;
1097 ieee80211_sta_reorder_release(sdata, tid_agg_rx, frames);
1098 }
1099
1100 out:
1101 spin_unlock(&tid_agg_rx->reorder_lock);
1102 return ret;
1103}
1104
1105/*
1106 * Reorder MPDUs from A-MPDUs, keeping them on a buffer. Returns
1107 * true if the MPDU was buffered, false if it should be processed.
1108 */
1109static void ieee80211_rx_reorder_ampdu(struct ieee80211_rx_data *rx,
1110 struct sk_buff_head *frames)
1111{
1112 struct sk_buff *skb = rx->skb;
1113 struct ieee80211_local *local = rx->local;
1114 struct ieee80211_hdr *hdr = (struct ieee80211_hdr *) skb->data;
1115 struct sta_info *sta = rx->sta;
1116 struct tid_ampdu_rx *tid_agg_rx;
1117 u16 sc;
1118 u8 tid, ack_policy;
1119
1120 if (!ieee80211_is_data_qos(hdr->frame_control) ||
1121 is_multicast_ether_addr(hdr->addr1))
1122 goto dont_reorder;
1123
1124 /*
1125 * filter the QoS data rx stream according to
1126 * STA/TID and check if this STA/TID is on aggregation
1127 */
1128
1129 if (!sta)
1130 goto dont_reorder;
1131
1132 ack_policy = *ieee80211_get_qos_ctl(hdr) &
1133 IEEE80211_QOS_CTL_ACK_POLICY_MASK;
1134 tid = *ieee80211_get_qos_ctl(hdr) & IEEE80211_QOS_CTL_TID_MASK;
1135
1136 tid_agg_rx = rcu_dereference(sta->ampdu_mlme.tid_rx[tid]);
1137 if (!tid_agg_rx) {
1138 if (ack_policy == IEEE80211_QOS_CTL_ACK_POLICY_BLOCKACK &&
1139 !test_bit(tid, rx->sta->ampdu_mlme.agg_session_valid) &&
1140 !test_and_set_bit(tid, rx->sta->ampdu_mlme.unexpected_agg))
1141 ieee80211_send_delba(rx->sdata, rx->sta->sta.addr, tid,
1142 WLAN_BACK_RECIPIENT,
1143 WLAN_REASON_QSTA_REQUIRE_SETUP);
1144 goto dont_reorder;
1145 }
1146
1147 /* qos null data frames are excluded */
1148 if (unlikely(hdr->frame_control & cpu_to_le16(IEEE80211_STYPE_NULLFUNC)))
1149 goto dont_reorder;
1150
1151 /* not part of a BA session */
1152 if (ack_policy != IEEE80211_QOS_CTL_ACK_POLICY_BLOCKACK &&
1153 ack_policy != IEEE80211_QOS_CTL_ACK_POLICY_NORMAL)
1154 goto dont_reorder;
1155
1156 /* new, potentially un-ordered, ampdu frame - process it */
1157
1158 /* reset session timer */
1159 if (tid_agg_rx->timeout)
1160 tid_agg_rx->last_rx = jiffies;
1161
1162 /* if this mpdu is fragmented - terminate rx aggregation session */
1163 sc = le16_to_cpu(hdr->seq_ctrl);
1164 if (sc & IEEE80211_SCTL_FRAG) {
1165 skb->pkt_type = IEEE80211_SDATA_QUEUE_TYPE_FRAME;
1166 skb_queue_tail(&rx->sdata->skb_queue, skb);
1167 ieee80211_queue_work(&local->hw, &rx->sdata->work);
1168 return;
1169 }
1170
1171 /*
1172 * No locking needed -- we will only ever process one
1173 * RX packet at a time, and thus own tid_agg_rx. All
1174 * other code manipulating it needs to (and does) make
1175 * sure that we cannot get to it any more before doing
1176 * anything with it.
1177 */
1178 if (ieee80211_sta_manage_reorder_buf(rx->sdata, tid_agg_rx, skb,
1179 frames))
1180 return;
1181
1182 dont_reorder:
1183 __skb_queue_tail(frames, skb);
1184}
1185
1186static ieee80211_rx_result debug_noinline
1187ieee80211_rx_h_check_dup(struct ieee80211_rx_data *rx)
1188{
1189 struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)rx->skb->data;
1190 struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(rx->skb);
1191
1192 if (status->flag & RX_FLAG_DUP_VALIDATED)
1193 return RX_CONTINUE;
1194
1195 /*
1196 * Drop duplicate 802.11 retransmissions
1197 * (IEEE 802.11-2012: 9.3.2.10 "Duplicate detection and recovery")
1198 */
1199
1200 if (rx->skb->len < 24)
1201 return RX_CONTINUE;
1202
1203 if (ieee80211_is_ctl(hdr->frame_control) ||
1204 ieee80211_is_qos_nullfunc(hdr->frame_control) ||
1205 is_multicast_ether_addr(hdr->addr1))
1206 return RX_CONTINUE;
1207
1208 if (!rx->sta)
1209 return RX_CONTINUE;
1210
1211 if (unlikely(ieee80211_has_retry(hdr->frame_control) &&
1212 rx->sta->last_seq_ctrl[rx->seqno_idx] == hdr->seq_ctrl)) {
1213 I802_DEBUG_INC(rx->local->dot11FrameDuplicateCount);
1214 rx->sta->rx_stats.num_duplicates++;
1215 return RX_DROP_UNUSABLE;
1216 } else if (!(status->flag & RX_FLAG_AMSDU_MORE)) {
1217 rx->sta->last_seq_ctrl[rx->seqno_idx] = hdr->seq_ctrl;
1218 }
1219
1220 return RX_CONTINUE;
1221}
1222
1223static ieee80211_rx_result debug_noinline
1224ieee80211_rx_h_check(struct ieee80211_rx_data *rx)
1225{
1226 struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)rx->skb->data;
1227
1228 /* Drop disallowed frame classes based on STA auth/assoc state;
1229 * IEEE 802.11, Chap 5.5.
1230 *
1231 * mac80211 filters only based on association state, i.e. it drops
1232 * Class 3 frames from not associated stations. hostapd sends
1233 * deauth/disassoc frames when needed. In addition, hostapd is
1234 * responsible for filtering on both auth and assoc states.
1235 */
1236
1237 if (ieee80211_vif_is_mesh(&rx->sdata->vif))
1238 return ieee80211_rx_mesh_check(rx);
1239
1240 if (unlikely((ieee80211_is_data(hdr->frame_control) ||
1241 ieee80211_is_pspoll(hdr->frame_control)) &&
1242 rx->sdata->vif.type != NL80211_IFTYPE_ADHOC &&
1243 rx->sdata->vif.type != NL80211_IFTYPE_WDS &&
1244 rx->sdata->vif.type != NL80211_IFTYPE_OCB &&
1245 (!rx->sta || !test_sta_flag(rx->sta, WLAN_STA_ASSOC)))) {
1246 /*
1247 * accept port control frames from the AP even when it's not
1248 * yet marked ASSOC to prevent a race where we don't set the
1249 * assoc bit quickly enough before it sends the first frame
1250 */
1251 if (rx->sta && rx->sdata->vif.type == NL80211_IFTYPE_STATION &&
1252 ieee80211_is_data_present(hdr->frame_control)) {
1253 unsigned int hdrlen;
1254 __be16 ethertype;
1255
1256 hdrlen = ieee80211_hdrlen(hdr->frame_control);
1257
1258 if (rx->skb->len < hdrlen + 8)
1259 return RX_DROP_MONITOR;
1260
1261 skb_copy_bits(rx->skb, hdrlen + 6, ðertype, 2);
1262 if (ethertype == rx->sdata->control_port_protocol)
1263 return RX_CONTINUE;
1264 }
1265
1266 if (rx->sdata->vif.type == NL80211_IFTYPE_AP &&
1267 cfg80211_rx_spurious_frame(rx->sdata->dev,
1268 hdr->addr2,
1269 GFP_ATOMIC))
1270 return RX_DROP_UNUSABLE;
1271
1272 return RX_DROP_MONITOR;
1273 }
1274
1275 return RX_CONTINUE;
1276}
1277
1278
1279static ieee80211_rx_result debug_noinline
1280ieee80211_rx_h_check_more_data(struct ieee80211_rx_data *rx)
1281{
1282 struct ieee80211_local *local;
1283 struct ieee80211_hdr *hdr;
1284 struct sk_buff *skb;
1285
1286 local = rx->local;
1287 skb = rx->skb;
1288 hdr = (struct ieee80211_hdr *) skb->data;
1289
1290 if (!local->pspolling)
1291 return RX_CONTINUE;
1292
1293 if (!ieee80211_has_fromds(hdr->frame_control))
1294 /* this is not from AP */
1295 return RX_CONTINUE;
1296
1297 if (!ieee80211_is_data(hdr->frame_control))
1298 return RX_CONTINUE;
1299
1300 if (!ieee80211_has_moredata(hdr->frame_control)) {
1301 /* AP has no more frames buffered for us */
1302 local->pspolling = false;
1303 return RX_CONTINUE;
1304 }
1305
1306 /* more data bit is set, let's request a new frame from the AP */
1307 ieee80211_send_pspoll(local, rx->sdata);
1308
1309 return RX_CONTINUE;
1310}
1311
1312static void sta_ps_start(struct sta_info *sta)
1313{
1314 struct ieee80211_sub_if_data *sdata = sta->sdata;
1315 struct ieee80211_local *local = sdata->local;
1316 struct ps_data *ps;
1317 int tid;
1318
1319 if (sta->sdata->vif.type == NL80211_IFTYPE_AP ||
1320 sta->sdata->vif.type == NL80211_IFTYPE_AP_VLAN)
1321 ps = &sdata->bss->ps;
1322 else
1323 return;
1324
1325 atomic_inc(&ps->num_sta_ps);
1326 set_sta_flag(sta, WLAN_STA_PS_STA);
1327 if (!ieee80211_hw_check(&local->hw, AP_LINK_PS))
1328 drv_sta_notify(local, sdata, STA_NOTIFY_SLEEP, &sta->sta);
1329 ps_dbg(sdata, "STA %pM aid %d enters power save mode\n",
1330 sta->sta.addr, sta->sta.aid);
1331
1332 ieee80211_clear_fast_xmit(sta);
1333
1334 if (!sta->sta.txq[0])
1335 return;
1336
1337 for (tid = 0; tid < ARRAY_SIZE(sta->sta.txq); tid++) {
1338 if (txq_has_queue(sta->sta.txq[tid]))
1339 set_bit(tid, &sta->txq_buffered_tids);
1340 else
1341 clear_bit(tid, &sta->txq_buffered_tids);
1342 }
1343}
1344
1345static void sta_ps_end(struct sta_info *sta)
1346{
1347 ps_dbg(sta->sdata, "STA %pM aid %d exits power save mode\n",
1348 sta->sta.addr, sta->sta.aid);
1349
1350 if (test_sta_flag(sta, WLAN_STA_PS_DRIVER)) {
1351 /*
1352 * Clear the flag only if the other one is still set
1353 * so that the TX path won't start TX'ing new frames
1354 * directly ... In the case that the driver flag isn't
1355 * set ieee80211_sta_ps_deliver_wakeup() will clear it.
1356 */
1357 clear_sta_flag(sta, WLAN_STA_PS_STA);
1358 ps_dbg(sta->sdata, "STA %pM aid %d driver-ps-blocked\n",
1359 sta->sta.addr, sta->sta.aid);
1360 return;
1361 }
1362
1363 set_sta_flag(sta, WLAN_STA_PS_DELIVER);
1364 clear_sta_flag(sta, WLAN_STA_PS_STA);
1365 ieee80211_sta_ps_deliver_wakeup(sta);
1366}
1367
1368int ieee80211_sta_ps_transition(struct ieee80211_sta *pubsta, bool start)
1369{
1370 struct sta_info *sta = container_of(pubsta, struct sta_info, sta);
1371 bool in_ps;
1372
1373 WARN_ON(!ieee80211_hw_check(&sta->local->hw, AP_LINK_PS));
1374
1375 /* Don't let the same PS state be set twice */
1376 in_ps = test_sta_flag(sta, WLAN_STA_PS_STA);
1377 if ((start && in_ps) || (!start && !in_ps))
1378 return -EINVAL;
1379
1380 if (start)
1381 sta_ps_start(sta);
1382 else
1383 sta_ps_end(sta);
1384
1385 return 0;
1386}
1387EXPORT_SYMBOL(ieee80211_sta_ps_transition);
1388
1389void ieee80211_sta_pspoll(struct ieee80211_sta *pubsta)
1390{
1391 struct sta_info *sta = container_of(pubsta, struct sta_info, sta);
1392
1393 if (test_sta_flag(sta, WLAN_STA_SP))
1394 return;
1395
1396 if (!test_sta_flag(sta, WLAN_STA_PS_DRIVER))
1397 ieee80211_sta_ps_deliver_poll_response(sta);
1398 else
1399 set_sta_flag(sta, WLAN_STA_PSPOLL);
1400}
1401EXPORT_SYMBOL(ieee80211_sta_pspoll);
1402
1403void ieee80211_sta_uapsd_trigger(struct ieee80211_sta *pubsta, u8 tid)
1404{
1405 struct sta_info *sta = container_of(pubsta, struct sta_info, sta);
1406 u8 ac = ieee802_1d_to_ac[tid & 7];
1407
1408 /*
1409 * If this AC is not trigger-enabled do nothing unless the
1410 * driver is calling us after it already checked.
1411 *
1412 * NB: This could/should check a separate bitmap of trigger-
1413 * enabled queues, but for now we only implement uAPSD w/o
1414 * TSPEC changes to the ACs, so they're always the same.
1415 */
1416 if (!(sta->sta.uapsd_queues & ieee80211_ac_to_qos_mask[ac]) &&
1417 tid != IEEE80211_NUM_TIDS)
1418 return;
1419
1420 /* if we are in a service period, do nothing */
1421 if (test_sta_flag(sta, WLAN_STA_SP))
1422 return;
1423
1424 if (!test_sta_flag(sta, WLAN_STA_PS_DRIVER))
1425 ieee80211_sta_ps_deliver_uapsd(sta);
1426 else
1427 set_sta_flag(sta, WLAN_STA_UAPSD);
1428}
1429EXPORT_SYMBOL(ieee80211_sta_uapsd_trigger);
1430
1431static ieee80211_rx_result debug_noinline
1432ieee80211_rx_h_uapsd_and_pspoll(struct ieee80211_rx_data *rx)
1433{
1434 struct ieee80211_sub_if_data *sdata = rx->sdata;
1435 struct ieee80211_hdr *hdr = (void *)rx->skb->data;
1436 struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(rx->skb);
1437
1438 if (!rx->sta)
1439 return RX_CONTINUE;
1440
1441 if (sdata->vif.type != NL80211_IFTYPE_AP &&
1442 sdata->vif.type != NL80211_IFTYPE_AP_VLAN)
1443 return RX_CONTINUE;
1444
1445 /*
1446 * The device handles station powersave, so don't do anything about
1447 * uAPSD and PS-Poll frames (the latter shouldn't even come up from
1448 * it to mac80211 since they're handled.)
1449 */
1450 if (ieee80211_hw_check(&sdata->local->hw, AP_LINK_PS))
1451 return RX_CONTINUE;
1452
1453 /*
1454 * Don't do anything if the station isn't already asleep. In
1455 * the uAPSD case, the station will probably be marked asleep,
1456 * in the PS-Poll case the station must be confused ...
1457 */
1458 if (!test_sta_flag(rx->sta, WLAN_STA_PS_STA))
1459 return RX_CONTINUE;
1460
1461 if (unlikely(ieee80211_is_pspoll(hdr->frame_control))) {
1462 ieee80211_sta_pspoll(&rx->sta->sta);
1463
1464 /* Free PS Poll skb here instead of returning RX_DROP that would
1465 * count as an dropped frame. */
1466 dev_kfree_skb(rx->skb);
1467
1468 return RX_QUEUED;
1469 } else if (!ieee80211_has_morefrags(hdr->frame_control) &&
1470 !(status->rx_flags & IEEE80211_RX_DEFERRED_RELEASE) &&
1471 ieee80211_has_pm(hdr->frame_control) &&
1472 (ieee80211_is_data_qos(hdr->frame_control) ||
1473 ieee80211_is_qos_nullfunc(hdr->frame_control))) {
1474 u8 tid;
1475
1476 tid = *ieee80211_get_qos_ctl(hdr) & IEEE80211_QOS_CTL_TID_MASK;
1477
1478 ieee80211_sta_uapsd_trigger(&rx->sta->sta, tid);
1479 }
1480
1481 return RX_CONTINUE;
1482}
1483
1484static ieee80211_rx_result debug_noinline
1485ieee80211_rx_h_sta_process(struct ieee80211_rx_data *rx)
1486{
1487 struct sta_info *sta = rx->sta;
1488 struct sk_buff *skb = rx->skb;
1489 struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(skb);
1490 struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)skb->data;
1491 int i;
1492
1493 if (!sta)
1494 return RX_CONTINUE;
1495
1496 /*
1497 * Update last_rx only for IBSS packets which are for the current
1498 * BSSID and for station already AUTHORIZED to avoid keeping the
1499 * current IBSS network alive in cases where other STAs start
1500 * using different BSSID. This will also give the station another
1501 * chance to restart the authentication/authorization in case
1502 * something went wrong the first time.
1503 */
1504 if (rx->sdata->vif.type == NL80211_IFTYPE_ADHOC) {
1505 u8 *bssid = ieee80211_get_bssid(hdr, rx->skb->len,
1506 NL80211_IFTYPE_ADHOC);
1507 if (ether_addr_equal(bssid, rx->sdata->u.ibss.bssid) &&
1508 test_sta_flag(sta, WLAN_STA_AUTHORIZED)) {
1509 sta->rx_stats.last_rx = jiffies;
1510 if (ieee80211_is_data(hdr->frame_control) &&
1511 !is_multicast_ether_addr(hdr->addr1))
1512 sta->rx_stats.last_rate =
1513 sta_stats_encode_rate(status);
1514 }
1515 } else if (rx->sdata->vif.type == NL80211_IFTYPE_OCB) {
1516 sta->rx_stats.last_rx = jiffies;
1517 } else if (!is_multicast_ether_addr(hdr->addr1)) {
1518 /*
1519 * Mesh beacons will update last_rx when if they are found to
1520 * match the current local configuration when processed.
1521 */
1522 sta->rx_stats.last_rx = jiffies;
1523 if (ieee80211_is_data(hdr->frame_control))
1524 sta->rx_stats.last_rate = sta_stats_encode_rate(status);
1525 }
1526
1527 if (rx->sdata->vif.type == NL80211_IFTYPE_STATION)
1528 ieee80211_sta_rx_notify(rx->sdata, hdr);
1529
1530 sta->rx_stats.fragments++;
1531
1532 u64_stats_update_begin(&rx->sta->rx_stats.syncp);
1533 sta->rx_stats.bytes += rx->skb->len;
1534 u64_stats_update_end(&rx->sta->rx_stats.syncp);
1535
1536 if (!(status->flag & RX_FLAG_NO_SIGNAL_VAL)) {
1537 sta->rx_stats.last_signal = status->signal;
1538 ewma_signal_add(&sta->rx_stats_avg.signal, -status->signal);
1539 }
1540
1541 if (status->chains) {
1542 sta->rx_stats.chains = status->chains;
1543 for (i = 0; i < ARRAY_SIZE(status->chain_signal); i++) {
1544 int signal = status->chain_signal[i];
1545
1546 if (!(status->chains & BIT(i)))
1547 continue;
1548
1549 sta->rx_stats.chain_signal_last[i] = signal;
1550 ewma_signal_add(&sta->rx_stats_avg.chain_signal[i],
1551 -signal);
1552 }
1553 }
1554
1555 /*
1556 * Change STA power saving mode only at the end of a frame
1557 * exchange sequence.
1558 */
1559 if (!ieee80211_hw_check(&sta->local->hw, AP_LINK_PS) &&
1560 !ieee80211_has_morefrags(hdr->frame_control) &&
1561 !(status->rx_flags & IEEE80211_RX_DEFERRED_RELEASE) &&
1562 (rx->sdata->vif.type == NL80211_IFTYPE_AP ||
1563 rx->sdata->vif.type == NL80211_IFTYPE_AP_VLAN) &&
1564 /* PM bit is only checked in frames where it isn't reserved,
1565 * in AP mode it's reserved in non-bufferable management frames
1566 * (cf. IEEE 802.11-2012 8.2.4.1.7 Power Management field)
1567 */
1568 (!ieee80211_is_mgmt(hdr->frame_control) ||
1569 ieee80211_is_bufferable_mmpdu(hdr->frame_control))) {
1570 if (test_sta_flag(sta, WLAN_STA_PS_STA)) {
1571 if (!ieee80211_has_pm(hdr->frame_control))
1572 sta_ps_end(sta);
1573 } else {
1574 if (ieee80211_has_pm(hdr->frame_control))
1575 sta_ps_start(sta);
1576 }
1577 }
1578
1579 /* mesh power save support */
1580 if (ieee80211_vif_is_mesh(&rx->sdata->vif))
1581 ieee80211_mps_rx_h_sta_process(sta, hdr);
1582
1583 /*
1584 * Drop (qos-)data::nullfunc frames silently, since they
1585 * are used only to control station power saving mode.
1586 */
1587 if (ieee80211_is_nullfunc(hdr->frame_control) ||
1588 ieee80211_is_qos_nullfunc(hdr->frame_control)) {
1589 I802_DEBUG_INC(rx->local->rx_handlers_drop_nullfunc);
1590
1591 /*
1592 * If we receive a 4-addr nullfunc frame from a STA
1593 * that was not moved to a 4-addr STA vlan yet send
1594 * the event to userspace and for older hostapd drop
1595 * the frame to the monitor interface.
1596 */
1597 if (ieee80211_has_a4(hdr->frame_control) &&
1598 (rx->sdata->vif.type == NL80211_IFTYPE_AP ||
1599 (rx->sdata->vif.type == NL80211_IFTYPE_AP_VLAN &&
1600 !rx->sdata->u.vlan.sta))) {
1601 if (!test_and_set_sta_flag(sta, WLAN_STA_4ADDR_EVENT))
1602 cfg80211_rx_unexpected_4addr_frame(
1603 rx->sdata->dev, sta->sta.addr,
1604 GFP_ATOMIC);
1605 return RX_DROP_MONITOR;
1606 }
1607 /*
1608 * Update counter and free packet here to avoid
1609 * counting this as a dropped packed.
1610 */
1611 sta->rx_stats.packets++;
1612 dev_kfree_skb(rx->skb);
1613 return RX_QUEUED;
1614 }
1615
1616 return RX_CONTINUE;
1617} /* ieee80211_rx_h_sta_process */
1618
1619static ieee80211_rx_result debug_noinline
1620ieee80211_rx_h_decrypt(struct ieee80211_rx_data *rx)
1621{
1622 struct sk_buff *skb = rx->skb;
1623 struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(skb);
1624 struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)skb->data;
1625 int keyidx;
1626 int hdrlen;
1627 ieee80211_rx_result result = RX_DROP_UNUSABLE;
1628 struct ieee80211_key *sta_ptk = NULL;
1629 int mmie_keyidx = -1;
1630 __le16 fc;
1631 const struct ieee80211_cipher_scheme *cs = NULL;
1632
1633 /*
1634 * Key selection 101
1635 *
1636 * There are four types of keys:
1637 * - GTK (group keys)
1638 * - IGTK (group keys for management frames)
1639 * - PTK (pairwise keys)
1640 * - STK (station-to-station pairwise keys)
1641 *
1642 * When selecting a key, we have to distinguish between multicast
1643 * (including broadcast) and unicast frames, the latter can only
1644 * use PTKs and STKs while the former always use GTKs and IGTKs.
1645 * Unless, of course, actual WEP keys ("pre-RSNA") are used, then
1646 * unicast frames can also use key indices like GTKs. Hence, if we
1647 * don't have a PTK/STK we check the key index for a WEP key.
1648 *
1649 * Note that in a regular BSS, multicast frames are sent by the
1650 * AP only, associated stations unicast the frame to the AP first
1651 * which then multicasts it on their behalf.
1652 *
1653 * There is also a slight problem in IBSS mode: GTKs are negotiated
1654 * with each station, that is something we don't currently handle.
1655 * The spec seems to expect that one negotiates the same key with
1656 * every station but there's no such requirement; VLANs could be
1657 * possible.
1658 */
1659
1660 /* start without a key */
1661 rx->key = NULL;
1662 fc = hdr->frame_control;
1663
1664 if (rx->sta) {
1665 int keyid = rx->sta->ptk_idx;
1666
1667 if (ieee80211_has_protected(fc) && rx->sta->cipher_scheme) {
1668 cs = rx->sta->cipher_scheme;
1669 keyid = ieee80211_get_cs_keyid(cs, rx->skb);
1670 if (unlikely(keyid < 0))
1671 return RX_DROP_UNUSABLE;
1672 }
1673 sta_ptk = rcu_dereference(rx->sta->ptk[keyid]);
1674 }
1675
1676 if (!ieee80211_has_protected(fc))
1677 mmie_keyidx = ieee80211_get_mmie_keyidx(rx->skb);
1678
1679 if (!is_multicast_ether_addr(hdr->addr1) && sta_ptk) {
1680 rx->key = sta_ptk;
1681 if ((status->flag & RX_FLAG_DECRYPTED) &&
1682 (status->flag & RX_FLAG_IV_STRIPPED))
1683 return RX_CONTINUE;
1684 /* Skip decryption if the frame is not protected. */
1685 if (!ieee80211_has_protected(fc))
1686 return RX_CONTINUE;
1687 } else if (mmie_keyidx >= 0) {
1688 /* Broadcast/multicast robust management frame / BIP */
1689 if ((status->flag & RX_FLAG_DECRYPTED) &&
1690 (status->flag & RX_FLAG_IV_STRIPPED))
1691 return RX_CONTINUE;
1692
1693 if (mmie_keyidx < NUM_DEFAULT_KEYS ||
1694 mmie_keyidx >= NUM_DEFAULT_KEYS + NUM_DEFAULT_MGMT_KEYS)
1695 return RX_DROP_MONITOR; /* unexpected BIP keyidx */
1696 if (rx->sta) {
1697 if (ieee80211_is_group_privacy_action(skb) &&
1698 test_sta_flag(rx->sta, WLAN_STA_MFP))
1699 return RX_DROP_MONITOR;
1700
1701 rx->key = rcu_dereference(rx->sta->gtk[mmie_keyidx]);
1702 }
1703 if (!rx->key)
1704 rx->key = rcu_dereference(rx->sdata->keys[mmie_keyidx]);
1705 } else if (!ieee80211_has_protected(fc)) {
1706 /*
1707 * The frame was not protected, so skip decryption. However, we
1708 * need to set rx->key if there is a key that could have been
1709 * used so that the frame may be dropped if encryption would
1710 * have been expected.
1711 */
1712 struct ieee80211_key *key = NULL;
1713 struct ieee80211_sub_if_data *sdata = rx->sdata;
1714 int i;
1715
1716 if (ieee80211_is_mgmt(fc) &&
1717 is_multicast_ether_addr(hdr->addr1) &&
1718 (key = rcu_dereference(rx->sdata->default_mgmt_key)))
1719 rx->key = key;
1720 else {
1721 if (rx->sta) {
1722 for (i = 0; i < NUM_DEFAULT_KEYS; i++) {
1723 key = rcu_dereference(rx->sta->gtk[i]);
1724 if (key)
1725 break;
1726 }
1727 }
1728 if (!key) {
1729 for (i = 0; i < NUM_DEFAULT_KEYS; i++) {
1730 key = rcu_dereference(sdata->keys[i]);
1731 if (key)
1732 break;
1733 }
1734 }
1735 if (key)
1736 rx->key = key;
1737 }
1738 return RX_CONTINUE;
1739 } else {
1740 u8 keyid;
1741
1742 /*
1743 * The device doesn't give us the IV so we won't be
1744 * able to look up the key. That's ok though, we
1745 * don't need to decrypt the frame, we just won't
1746 * be able to keep statistics accurate.
1747 * Except for key threshold notifications, should
1748 * we somehow allow the driver to tell us which key
1749 * the hardware used if this flag is set?
1750 */
1751 if ((status->flag & RX_FLAG_DECRYPTED) &&
1752 (status->flag & RX_FLAG_IV_STRIPPED))
1753 return RX_CONTINUE;
1754
1755 hdrlen = ieee80211_hdrlen(fc);
1756
1757 if (cs) {
1758 keyidx = ieee80211_get_cs_keyid(cs, rx->skb);
1759
1760 if (unlikely(keyidx < 0))
1761 return RX_DROP_UNUSABLE;
1762 } else {
1763 if (rx->skb->len < 8 + hdrlen)
1764 return RX_DROP_UNUSABLE; /* TODO: count this? */
1765 /*
1766 * no need to call ieee80211_wep_get_keyidx,
1767 * it verifies a bunch of things we've done already
1768 */
1769 skb_copy_bits(rx->skb, hdrlen + 3, &keyid, 1);
1770 keyidx = keyid >> 6;
1771 }
1772
1773 /* check per-station GTK first, if multicast packet */
1774 if (is_multicast_ether_addr(hdr->addr1) && rx->sta)
1775 rx->key = rcu_dereference(rx->sta->gtk[keyidx]);
1776
1777 /* if not found, try default key */
1778 if (!rx->key) {
1779 rx->key = rcu_dereference(rx->sdata->keys[keyidx]);
1780
1781 /*
1782 * RSNA-protected unicast frames should always be
1783 * sent with pairwise or station-to-station keys,
1784 * but for WEP we allow using a key index as well.
1785 */
1786 if (rx->key &&
1787 rx->key->conf.cipher != WLAN_CIPHER_SUITE_WEP40 &&
1788 rx->key->conf.cipher != WLAN_CIPHER_SUITE_WEP104 &&
1789 !is_multicast_ether_addr(hdr->addr1))
1790 rx->key = NULL;
1791 }
1792 }
1793
1794 if (rx->key) {
1795 if (unlikely(rx->key->flags & KEY_FLAG_TAINTED))
1796 return RX_DROP_MONITOR;
1797
1798 /* TODO: add threshold stuff again */
1799 } else {
1800 return RX_DROP_MONITOR;
1801 }
1802
1803 switch (rx->key->conf.cipher) {
1804 case WLAN_CIPHER_SUITE_WEP40:
1805 case WLAN_CIPHER_SUITE_WEP104:
1806 result = ieee80211_crypto_wep_decrypt(rx);
1807 break;
1808 case WLAN_CIPHER_SUITE_TKIP:
1809 result = ieee80211_crypto_tkip_decrypt(rx);
1810 break;
1811 case WLAN_CIPHER_SUITE_CCMP:
1812 result = ieee80211_crypto_ccmp_decrypt(
1813 rx, IEEE80211_CCMP_MIC_LEN);
1814 break;
1815 case WLAN_CIPHER_SUITE_CCMP_256:
1816 result = ieee80211_crypto_ccmp_decrypt(
1817 rx, IEEE80211_CCMP_256_MIC_LEN);
1818 break;
1819 case WLAN_CIPHER_SUITE_AES_CMAC:
1820 result = ieee80211_crypto_aes_cmac_decrypt(rx);
1821 break;
1822 case WLAN_CIPHER_SUITE_BIP_CMAC_256:
1823 result = ieee80211_crypto_aes_cmac_256_decrypt(rx);
1824 break;
1825 case WLAN_CIPHER_SUITE_BIP_GMAC_128:
1826 case WLAN_CIPHER_SUITE_BIP_GMAC_256:
1827 result = ieee80211_crypto_aes_gmac_decrypt(rx);
1828 break;
1829 case WLAN_CIPHER_SUITE_GCMP:
1830 case WLAN_CIPHER_SUITE_GCMP_256:
1831 result = ieee80211_crypto_gcmp_decrypt(rx);
1832 break;
1833 default:
1834 result = ieee80211_crypto_hw_decrypt(rx);
1835 }
1836
1837 /* the hdr variable is invalid after the decrypt handlers */
1838
1839 /* either the frame has been decrypted or will be dropped */
1840 status->flag |= RX_FLAG_DECRYPTED;
1841
1842 return result;
1843}
1844
1845static inline struct ieee80211_fragment_entry *
1846ieee80211_reassemble_add(struct ieee80211_sub_if_data *sdata,
1847 unsigned int frag, unsigned int seq, int rx_queue,
1848 struct sk_buff **skb)
1849{
1850 struct ieee80211_fragment_entry *entry;
1851
1852 entry = &sdata->fragments[sdata->fragment_next++];
1853 if (sdata->fragment_next >= IEEE80211_FRAGMENT_MAX)
1854 sdata->fragment_next = 0;
1855
1856 if (!skb_queue_empty(&entry->skb_list))
1857 __skb_queue_purge(&entry->skb_list);
1858
1859 __skb_queue_tail(&entry->skb_list, *skb); /* no need for locking */
1860 *skb = NULL;
1861 entry->first_frag_time = jiffies;
1862 entry->seq = seq;
1863 entry->rx_queue = rx_queue;
1864 entry->last_frag = frag;
1865 entry->check_sequential_pn = false;
1866 entry->extra_len = 0;
1867
1868 return entry;
1869}
1870
1871static inline struct ieee80211_fragment_entry *
1872ieee80211_reassemble_find(struct ieee80211_sub_if_data *sdata,
1873 unsigned int frag, unsigned int seq,
1874 int rx_queue, struct ieee80211_hdr *hdr)
1875{
1876 struct ieee80211_fragment_entry *entry;
1877 int i, idx;
1878
1879 idx = sdata->fragment_next;
1880 for (i = 0; i < IEEE80211_FRAGMENT_MAX; i++) {
1881 struct ieee80211_hdr *f_hdr;
1882
1883 idx--;
1884 if (idx < 0)
1885 idx = IEEE80211_FRAGMENT_MAX - 1;
1886
1887 entry = &sdata->fragments[idx];
1888 if (skb_queue_empty(&entry->skb_list) || entry->seq != seq ||
1889 entry->rx_queue != rx_queue ||
1890 entry->last_frag + 1 != frag)
1891 continue;
1892
1893 f_hdr = (struct ieee80211_hdr *)entry->skb_list.next->data;
1894
1895 /*
1896 * Check ftype and addresses are equal, else check next fragment
1897 */
1898 if (((hdr->frame_control ^ f_hdr->frame_control) &
1899 cpu_to_le16(IEEE80211_FCTL_FTYPE)) ||
1900 !ether_addr_equal(hdr->addr1, f_hdr->addr1) ||
1901 !ether_addr_equal(hdr->addr2, f_hdr->addr2))
1902 continue;
1903
1904 if (time_after(jiffies, entry->first_frag_time + 2 * HZ)) {
1905 __skb_queue_purge(&entry->skb_list);
1906 continue;
1907 }
1908 return entry;
1909 }
1910
1911 return NULL;
1912}
1913
1914static ieee80211_rx_result debug_noinline
1915ieee80211_rx_h_defragment(struct ieee80211_rx_data *rx)
1916{
1917 struct ieee80211_hdr *hdr;
1918 u16 sc;
1919 __le16 fc;
1920 unsigned int frag, seq;
1921 struct ieee80211_fragment_entry *entry;
1922 struct sk_buff *skb;
1923 struct ieee80211_rx_status *status;
1924
1925 hdr = (struct ieee80211_hdr *)rx->skb->data;
1926 fc = hdr->frame_control;
1927
1928 if (ieee80211_is_ctl(fc))
1929 return RX_CONTINUE;
1930
1931 sc = le16_to_cpu(hdr->seq_ctrl);
1932 frag = sc & IEEE80211_SCTL_FRAG;
1933
1934 if (is_multicast_ether_addr(hdr->addr1)) {
1935 I802_DEBUG_INC(rx->local->dot11MulticastReceivedFrameCount);
1936 goto out_no_led;
1937 }
1938
1939 if (likely(!ieee80211_has_morefrags(fc) && frag == 0))
1940 goto out;
1941
1942 I802_DEBUG_INC(rx->local->rx_handlers_fragments);
1943
1944 if (skb_linearize(rx->skb))
1945 return RX_DROP_UNUSABLE;
1946
1947 /*
1948 * skb_linearize() might change the skb->data and
1949 * previously cached variables (in this case, hdr) need to
1950 * be refreshed with the new data.
1951 */
1952 hdr = (struct ieee80211_hdr *)rx->skb->data;
1953 seq = (sc & IEEE80211_SCTL_SEQ) >> 4;
1954
1955 if (frag == 0) {
1956 /* This is the first fragment of a new frame. */
1957 entry = ieee80211_reassemble_add(rx->sdata, frag, seq,
1958 rx->seqno_idx, &(rx->skb));
1959 if (rx->key &&
1960 (rx->key->conf.cipher == WLAN_CIPHER_SUITE_CCMP ||
1961 rx->key->conf.cipher == WLAN_CIPHER_SUITE_CCMP_256 ||
1962 rx->key->conf.cipher == WLAN_CIPHER_SUITE_GCMP ||
1963 rx->key->conf.cipher == WLAN_CIPHER_SUITE_GCMP_256) &&
1964 ieee80211_has_protected(fc)) {
1965 int queue = rx->security_idx;
1966
1967 /* Store CCMP/GCMP PN so that we can verify that the
1968 * next fragment has a sequential PN value.
1969 */
1970 entry->check_sequential_pn = true;
1971 memcpy(entry->last_pn,
1972 rx->key->u.ccmp.rx_pn[queue],
1973 IEEE80211_CCMP_PN_LEN);
1974 BUILD_BUG_ON(offsetof(struct ieee80211_key,
1975 u.ccmp.rx_pn) !=
1976 offsetof(struct ieee80211_key,
1977 u.gcmp.rx_pn));
1978 BUILD_BUG_ON(sizeof(rx->key->u.ccmp.rx_pn[queue]) !=
1979 sizeof(rx->key->u.gcmp.rx_pn[queue]));
1980 BUILD_BUG_ON(IEEE80211_CCMP_PN_LEN !=
1981 IEEE80211_GCMP_PN_LEN);
1982 }
1983 return RX_QUEUED;
1984 }
1985
1986 /* This is a fragment for a frame that should already be pending in
1987 * fragment cache. Add this fragment to the end of the pending entry.
1988 */
1989 entry = ieee80211_reassemble_find(rx->sdata, frag, seq,
1990 rx->seqno_idx, hdr);
1991 if (!entry) {
1992 I802_DEBUG_INC(rx->local->rx_handlers_drop_defrag);
1993 return RX_DROP_MONITOR;
1994 }
1995
1996 /* "The receiver shall discard MSDUs and MMPDUs whose constituent
1997 * MPDU PN values are not incrementing in steps of 1."
1998 * see IEEE P802.11-REVmc/D5.0, 12.5.3.4.4, item d (for CCMP)
1999 * and IEEE P802.11-REVmc/D5.0, 12.5.5.4.4, item d (for GCMP)
2000 */
2001 if (entry->check_sequential_pn) {
2002 int i;
2003 u8 pn[IEEE80211_CCMP_PN_LEN], *rpn;
2004 int queue;
2005
2006 if (!rx->key ||
2007 (rx->key->conf.cipher != WLAN_CIPHER_SUITE_CCMP &&
2008 rx->key->conf.cipher != WLAN_CIPHER_SUITE_CCMP_256 &&
2009 rx->key->conf.cipher != WLAN_CIPHER_SUITE_GCMP &&
2010 rx->key->conf.cipher != WLAN_CIPHER_SUITE_GCMP_256))
2011 return RX_DROP_UNUSABLE;
2012 memcpy(pn, entry->last_pn, IEEE80211_CCMP_PN_LEN);
2013 for (i = IEEE80211_CCMP_PN_LEN - 1; i >= 0; i--) {
2014 pn[i]++;
2015 if (pn[i])
2016 break;
2017 }
2018 queue = rx->security_idx;
2019 rpn = rx->key->u.ccmp.rx_pn[queue];
2020 if (memcmp(pn, rpn, IEEE80211_CCMP_PN_LEN))
2021 return RX_DROP_UNUSABLE;
2022 memcpy(entry->last_pn, pn, IEEE80211_CCMP_PN_LEN);
2023 }
2024
2025 skb_pull(rx->skb, ieee80211_hdrlen(fc));
2026 __skb_queue_tail(&entry->skb_list, rx->skb);
2027 entry->last_frag = frag;
2028 entry->extra_len += rx->skb->len;
2029 if (ieee80211_has_morefrags(fc)) {
2030 rx->skb = NULL;
2031 return RX_QUEUED;
2032 }
2033
2034 rx->skb = __skb_dequeue(&entry->skb_list);
2035 if (skb_tailroom(rx->skb) < entry->extra_len) {
2036 I802_DEBUG_INC(rx->local->rx_expand_skb_head_defrag);
2037 if (unlikely(pskb_expand_head(rx->skb, 0, entry->extra_len,
2038 GFP_ATOMIC))) {
2039 I802_DEBUG_INC(rx->local->rx_handlers_drop_defrag);
2040 __skb_queue_purge(&entry->skb_list);
2041 return RX_DROP_UNUSABLE;
2042 }
2043 }
2044 while ((skb = __skb_dequeue(&entry->skb_list))) {
2045 memcpy(skb_put(rx->skb, skb->len), skb->data, skb->len);
2046 dev_kfree_skb(skb);
2047 }
2048
2049 /* Complete frame has been reassembled - process it now */
2050 status = IEEE80211_SKB_RXCB(rx->skb);
2051
2052 out:
2053 ieee80211_led_rx(rx->local);
2054 out_no_led:
2055 if (rx->sta)
2056 rx->sta->rx_stats.packets++;
2057 return RX_CONTINUE;
2058}
2059
2060static int ieee80211_802_1x_port_control(struct ieee80211_rx_data *rx)
2061{
2062 if (unlikely(!rx->sta || !test_sta_flag(rx->sta, WLAN_STA_AUTHORIZED)))
2063 return -EACCES;
2064
2065 return 0;
2066}
2067
2068static int ieee80211_drop_unencrypted(struct ieee80211_rx_data *rx, __le16 fc)
2069{
2070 struct sk_buff *skb = rx->skb;
2071 struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(skb);
2072
2073 /*
2074 * Pass through unencrypted frames if the hardware has
2075 * decrypted them already.
2076 */
2077 if (status->flag & RX_FLAG_DECRYPTED)
2078 return 0;
2079
2080 /* Drop unencrypted frames if key is set. */
2081 if (unlikely(!ieee80211_has_protected(fc) &&
2082 !ieee80211_is_nullfunc(fc) &&
2083 ieee80211_is_data(fc) && rx->key))
2084 return -EACCES;
2085
2086 return 0;
2087}
2088
2089static int ieee80211_drop_unencrypted_mgmt(struct ieee80211_rx_data *rx)
2090{
2091 struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)rx->skb->data;
2092 struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(rx->skb);
2093 __le16 fc = hdr->frame_control;
2094
2095 /*
2096 * Pass through unencrypted frames if the hardware has
2097 * decrypted them already.
2098 */
2099 if (status->flag & RX_FLAG_DECRYPTED)
2100 return 0;
2101
2102 if (rx->sta && test_sta_flag(rx->sta, WLAN_STA_MFP)) {
2103 if (unlikely(!ieee80211_has_protected(fc) &&
2104 ieee80211_is_unicast_robust_mgmt_frame(rx->skb) &&
2105 rx->key)) {
2106 if (ieee80211_is_deauth(fc) ||
2107 ieee80211_is_disassoc(fc))
2108 cfg80211_rx_unprot_mlme_mgmt(rx->sdata->dev,
2109 rx->skb->data,
2110 rx->skb->len);
2111 return -EACCES;
2112 }
2113 /* BIP does not use Protected field, so need to check MMIE */
2114 if (unlikely(ieee80211_is_multicast_robust_mgmt_frame(rx->skb) &&
2115 ieee80211_get_mmie_keyidx(rx->skb) < 0)) {
2116 if (ieee80211_is_deauth(fc) ||
2117 ieee80211_is_disassoc(fc))
2118 cfg80211_rx_unprot_mlme_mgmt(rx->sdata->dev,
2119 rx->skb->data,
2120 rx->skb->len);
2121 return -EACCES;
2122 }
2123 /*
2124 * When using MFP, Action frames are not allowed prior to
2125 * having configured keys.
2126 */
2127 if (unlikely(ieee80211_is_action(fc) && !rx->key &&
2128 ieee80211_is_robust_mgmt_frame(rx->skb)))
2129 return -EACCES;
2130 }
2131
2132 return 0;
2133}
2134
2135static int
2136__ieee80211_data_to_8023(struct ieee80211_rx_data *rx, bool *port_control)
2137{
2138 struct ieee80211_sub_if_data *sdata = rx->sdata;
2139 struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)rx->skb->data;
2140 bool check_port_control = false;
2141 struct ethhdr *ehdr;
2142 int ret;
2143
2144 *port_control = false;
2145 if (ieee80211_has_a4(hdr->frame_control) &&
2146 sdata->vif.type == NL80211_IFTYPE_AP_VLAN && !sdata->u.vlan.sta)
2147 return -1;
2148
2149 if (sdata->vif.type == NL80211_IFTYPE_STATION &&
2150 !!sdata->u.mgd.use_4addr != !!ieee80211_has_a4(hdr->frame_control)) {
2151
2152 if (!sdata->u.mgd.use_4addr)
2153 return -1;
2154 else
2155 check_port_control = true;
2156 }
2157
2158 if (is_multicast_ether_addr(hdr->addr1) &&
2159 sdata->vif.type == NL80211_IFTYPE_AP_VLAN && sdata->u.vlan.sta)
2160 return -1;
2161
2162 ret = ieee80211_data_to_8023(rx->skb, sdata->vif.addr, sdata->vif.type);
2163 if (ret < 0)
2164 return ret;
2165
2166 ehdr = (struct ethhdr *) rx->skb->data;
2167 if (ehdr->h_proto == rx->sdata->control_port_protocol)
2168 *port_control = true;
2169 else if (check_port_control)
2170 return -1;
2171
2172 return 0;
2173}
2174
2175/*
2176 * requires that rx->skb is a frame with ethernet header
2177 */
2178static bool ieee80211_frame_allowed(struct ieee80211_rx_data *rx, __le16 fc)
2179{
2180 static const u8 pae_group_addr[ETH_ALEN] __aligned(2)
2181 = { 0x01, 0x80, 0xC2, 0x00, 0x00, 0x03 };
2182 struct ethhdr *ehdr = (struct ethhdr *) rx->skb->data;
2183
2184 /*
2185 * Allow EAPOL frames to us/the PAE group address regardless
2186 * of whether the frame was encrypted or not.
2187 */
2188 if (ehdr->h_proto == rx->sdata->control_port_protocol &&
2189 (ether_addr_equal(ehdr->h_dest, rx->sdata->vif.addr) ||
2190 ether_addr_equal(ehdr->h_dest, pae_group_addr)))
2191 return true;
2192
2193 if (ieee80211_802_1x_port_control(rx) ||
2194 ieee80211_drop_unencrypted(rx, fc))
2195 return false;
2196
2197 return true;
2198}
2199
2200/*
2201 * requires that rx->skb is a frame with ethernet header
2202 */
2203static void
2204ieee80211_deliver_skb(struct ieee80211_rx_data *rx)
2205{
2206 struct ieee80211_sub_if_data *sdata = rx->sdata;
2207 struct net_device *dev = sdata->dev;
2208 struct sk_buff *skb, *xmit_skb;
2209 struct ethhdr *ehdr = (struct ethhdr *) rx->skb->data;
2210 struct sta_info *dsta;
2211
2212 skb = rx->skb;
2213 xmit_skb = NULL;
2214
2215 ieee80211_rx_stats(dev, skb->len);
2216
2217 if (rx->sta) {
2218 /* The seqno index has the same property as needed
2219 * for the rx_msdu field, i.e. it is IEEE80211_NUM_TIDS
2220 * for non-QoS-data frames. Here we know it's a data
2221 * frame, so count MSDUs.
2222 */
2223 u64_stats_update_begin(&rx->sta->rx_stats.syncp);
2224 rx->sta->rx_stats.msdu[rx->seqno_idx]++;
2225 u64_stats_update_end(&rx->sta->rx_stats.syncp);
2226 }
2227
2228 if ((sdata->vif.type == NL80211_IFTYPE_AP ||
2229 sdata->vif.type == NL80211_IFTYPE_AP_VLAN) &&
2230 !(sdata->flags & IEEE80211_SDATA_DONT_BRIDGE_PACKETS) &&
2231 (sdata->vif.type != NL80211_IFTYPE_AP_VLAN || !sdata->u.vlan.sta)) {
2232 if (is_multicast_ether_addr(ehdr->h_dest) &&
2233 ieee80211_vif_get_num_mcast_if(sdata) != 0) {
2234 /*
2235 * send multicast frames both to higher layers in
2236 * local net stack and back to the wireless medium
2237 */
2238 xmit_skb = skb_copy(skb, GFP_ATOMIC);
2239 if (!xmit_skb)
2240 net_info_ratelimited("%s: failed to clone multicast frame\n",
2241 dev->name);
2242 } else if (!is_multicast_ether_addr(ehdr->h_dest)) {
2243 dsta = sta_info_get(sdata, skb->data);
2244 if (dsta) {
2245 /*
2246 * The destination station is associated to
2247 * this AP (in this VLAN), so send the frame
2248 * directly to it and do not pass it to local
2249 * net stack.
2250 */
2251 xmit_skb = skb;
2252 skb = NULL;
2253 }
2254 }
2255 }
2256
2257#ifndef CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS
2258 if (skb) {
2259 /* 'align' will only take the values 0 or 2 here since all
2260 * frames are required to be aligned to 2-byte boundaries
2261 * when being passed to mac80211; the code here works just
2262 * as well if that isn't true, but mac80211 assumes it can
2263 * access fields as 2-byte aligned (e.g. for ether_addr_equal)
2264 */
2265 int align;
2266
2267 align = (unsigned long)(skb->data + sizeof(struct ethhdr)) & 3;
2268 if (align) {
2269 if (WARN_ON(skb_headroom(skb) < 3)) {
2270 dev_kfree_skb(skb);
2271 skb = NULL;
2272 } else {
2273 u8 *data = skb->data;
2274 size_t len = skb_headlen(skb);
2275 skb->data -= align;
2276 memmove(skb->data, data, len);
2277 skb_set_tail_pointer(skb, len);
2278 }
2279 }
2280 }
2281#endif
2282
2283 if (skb) {
2284 /* deliver to local stack */
2285 skb->protocol = eth_type_trans(skb, dev);
2286 memset(skb->cb, 0, sizeof(skb->cb));
2287 if (rx->napi)
2288 napi_gro_receive(rx->napi, skb);
2289 else
2290 netif_receive_skb(skb);
2291 }
2292
2293 if (xmit_skb) {
2294 /*
2295 * Send to wireless media and increase priority by 256 to
2296 * keep the received priority instead of reclassifying
2297 * the frame (see cfg80211_classify8021d).
2298 */
2299 xmit_skb->priority += 256;
2300 xmit_skb->protocol = htons(ETH_P_802_3);
2301 skb_reset_network_header(xmit_skb);
2302 skb_reset_mac_header(xmit_skb);
2303 dev_queue_xmit(xmit_skb);
2304 }
2305}
2306
2307static ieee80211_rx_result debug_noinline
2308ieee80211_rx_h_amsdu(struct ieee80211_rx_data *rx)
2309{
2310 struct net_device *dev = rx->sdata->dev;
2311 struct sk_buff *skb = rx->skb;
2312 struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)skb->data;
2313 __le16 fc = hdr->frame_control;
2314 struct sk_buff_head frame_list;
2315 struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(rx->skb);
2316 struct ethhdr ethhdr;
2317 const u8 *check_da = ethhdr.h_dest, *check_sa = ethhdr.h_source;
2318
2319 if (unlikely(!ieee80211_is_data(fc)))
2320 return RX_CONTINUE;
2321
2322 if (unlikely(!ieee80211_is_data_present(fc)))
2323 return RX_DROP_MONITOR;
2324
2325 if (!(status->rx_flags & IEEE80211_RX_AMSDU))
2326 return RX_CONTINUE;
2327
2328 if (unlikely(ieee80211_has_a4(hdr->frame_control))) {
2329 switch (rx->sdata->vif.type) {
2330 case NL80211_IFTYPE_AP_VLAN:
2331 if (!rx->sdata->u.vlan.sta)
2332 return RX_DROP_UNUSABLE;
2333 break;
2334 case NL80211_IFTYPE_STATION:
2335 if (!rx->sdata->u.mgd.use_4addr)
2336 return RX_DROP_UNUSABLE;
2337 break;
2338 default:
2339 return RX_DROP_UNUSABLE;
2340 }
2341 check_da = NULL;
2342 check_sa = NULL;
2343 } else switch (rx->sdata->vif.type) {
2344 case NL80211_IFTYPE_AP:
2345 case NL80211_IFTYPE_AP_VLAN:
2346 check_da = NULL;
2347 break;
2348 case NL80211_IFTYPE_STATION:
2349 if (!rx->sta ||
2350 !test_sta_flag(rx->sta, WLAN_STA_TDLS_PEER))
2351 check_sa = NULL;
2352 break;
2353 case NL80211_IFTYPE_MESH_POINT:
2354 check_sa = NULL;
2355 break;
2356 default:
2357 break;
2358 }
2359
2360 if (is_multicast_ether_addr(hdr->addr1))
2361 return RX_DROP_UNUSABLE;
2362
2363 skb->dev = dev;
2364 __skb_queue_head_init(&frame_list);
2365
2366 if (ieee80211_data_to_8023_exthdr(skb, ðhdr,
2367 rx->sdata->vif.addr,
2368 rx->sdata->vif.type))
2369 return RX_DROP_UNUSABLE;
2370
2371 ieee80211_amsdu_to_8023s(skb, &frame_list, dev->dev_addr,
2372 rx->sdata->vif.type,
2373 rx->local->hw.extra_tx_headroom,
2374 check_da, check_sa);
2375
2376 while (!skb_queue_empty(&frame_list)) {
2377 rx->skb = __skb_dequeue(&frame_list);
2378
2379 if (!ieee80211_frame_allowed(rx, fc)) {
2380 dev_kfree_skb(rx->skb);
2381 continue;
2382 }
2383
2384 ieee80211_deliver_skb(rx);
2385 }
2386
2387 return RX_QUEUED;
2388}
2389
2390#ifdef CONFIG_MAC80211_MESH
2391static ieee80211_rx_result
2392ieee80211_rx_h_mesh_fwding(struct ieee80211_rx_data *rx)
2393{
2394 struct ieee80211_hdr *fwd_hdr, *hdr;
2395 struct ieee80211_tx_info *info;
2396 struct ieee80211s_hdr *mesh_hdr;
2397 struct sk_buff *skb = rx->skb, *fwd_skb;
2398 struct ieee80211_local *local = rx->local;
2399 struct ieee80211_sub_if_data *sdata = rx->sdata;
2400 struct ieee80211_if_mesh *ifmsh = &sdata->u.mesh;
2401 u16 ac, q, hdrlen;
2402
2403 hdr = (struct ieee80211_hdr *) skb->data;
2404 hdrlen = ieee80211_hdrlen(hdr->frame_control);
2405
2406 /* make sure fixed part of mesh header is there, also checks skb len */
2407 if (!pskb_may_pull(rx->skb, hdrlen + 6))
2408 return RX_DROP_MONITOR;
2409
2410 mesh_hdr = (struct ieee80211s_hdr *) (skb->data + hdrlen);
2411
2412 /* make sure full mesh header is there, also checks skb len */
2413 if (!pskb_may_pull(rx->skb,
2414 hdrlen + ieee80211_get_mesh_hdrlen(mesh_hdr)))
2415 return RX_DROP_MONITOR;
2416
2417 /* reload pointers */
2418 hdr = (struct ieee80211_hdr *) skb->data;
2419 mesh_hdr = (struct ieee80211s_hdr *) (skb->data + hdrlen);
2420
2421 if (ieee80211_drop_unencrypted(rx, hdr->frame_control))
2422 return RX_DROP_MONITOR;
2423
2424 /* frame is in RMC, don't forward */
2425 if (ieee80211_is_data(hdr->frame_control) &&
2426 is_multicast_ether_addr(hdr->addr1) &&
2427 mesh_rmc_check(rx->sdata, hdr->addr3, mesh_hdr))
2428 return RX_DROP_MONITOR;
2429
2430 if (!ieee80211_is_data(hdr->frame_control))
2431 return RX_CONTINUE;
2432
2433 if (!mesh_hdr->ttl)
2434 return RX_DROP_MONITOR;
2435
2436 if (mesh_hdr->flags & MESH_FLAGS_AE) {
2437 struct mesh_path *mppath;
2438 char *proxied_addr;
2439 char *mpp_addr;
2440
2441 if (is_multicast_ether_addr(hdr->addr1)) {
2442 mpp_addr = hdr->addr3;
2443 proxied_addr = mesh_hdr->eaddr1;
2444 } else if (mesh_hdr->flags & MESH_FLAGS_AE_A5_A6) {
2445 /* has_a4 already checked in ieee80211_rx_mesh_check */
2446 mpp_addr = hdr->addr4;
2447 proxied_addr = mesh_hdr->eaddr2;
2448 } else {
2449 return RX_DROP_MONITOR;
2450 }
2451
2452 rcu_read_lock();
2453 mppath = mpp_path_lookup(sdata, proxied_addr);
2454 if (!mppath) {
2455 mpp_path_add(sdata, proxied_addr, mpp_addr);
2456 } else {
2457 spin_lock_bh(&mppath->state_lock);
2458 if (!ether_addr_equal(mppath->mpp, mpp_addr))
2459 memcpy(mppath->mpp, mpp_addr, ETH_ALEN);
2460 mppath->exp_time = jiffies;
2461 spin_unlock_bh(&mppath->state_lock);
2462 }
2463 rcu_read_unlock();
2464 }
2465
2466 /* Frame has reached destination. Don't forward */
2467 if (!is_multicast_ether_addr(hdr->addr1) &&
2468 ether_addr_equal(sdata->vif.addr, hdr->addr3))
2469 return RX_CONTINUE;
2470
2471 ac = ieee80211_select_queue_80211(sdata, skb, hdr);
2472 q = sdata->vif.hw_queue[ac];
2473 if (ieee80211_queue_stopped(&local->hw, q)) {
2474 IEEE80211_IFSTA_MESH_CTR_INC(ifmsh, dropped_frames_congestion);
2475 return RX_DROP_MONITOR;
2476 }
2477 skb_set_queue_mapping(skb, q);
2478
2479 if (!--mesh_hdr->ttl) {
2480 IEEE80211_IFSTA_MESH_CTR_INC(ifmsh, dropped_frames_ttl);
2481 goto out;
2482 }
2483
2484 if (!ifmsh->mshcfg.dot11MeshForwarding)
2485 goto out;
2486
2487 fwd_skb = skb_copy_expand(skb, local->tx_headroom +
2488 sdata->encrypt_headroom, 0, GFP_ATOMIC);
2489 if (!fwd_skb) {
2490 net_info_ratelimited("%s: failed to clone mesh frame\n",
2491 sdata->name);
2492 goto out;
2493 }
2494
2495 fwd_hdr = (struct ieee80211_hdr *) fwd_skb->data;
2496 fwd_hdr->frame_control &= ~cpu_to_le16(IEEE80211_FCTL_RETRY);
2497 info = IEEE80211_SKB_CB(fwd_skb);
2498 memset(info, 0, sizeof(*info));
2499 info->flags |= IEEE80211_TX_INTFL_NEED_TXPROCESSING;
2500 info->control.vif = &rx->sdata->vif;
2501 info->control.jiffies = jiffies;
2502 if (is_multicast_ether_addr(fwd_hdr->addr1)) {
2503 IEEE80211_IFSTA_MESH_CTR_INC(ifmsh, fwded_mcast);
2504 memcpy(fwd_hdr->addr2, sdata->vif.addr, ETH_ALEN);
2505 /* update power mode indication when forwarding */
2506 ieee80211_mps_set_frame_flags(sdata, NULL, fwd_hdr);
2507 } else if (!mesh_nexthop_lookup(sdata, fwd_skb)) {
2508 /* mesh power mode flags updated in mesh_nexthop_lookup */
2509 IEEE80211_IFSTA_MESH_CTR_INC(ifmsh, fwded_unicast);
2510 } else {
2511 /* unable to resolve next hop */
2512 mesh_path_error_tx(sdata, ifmsh->mshcfg.element_ttl,
2513 fwd_hdr->addr3, 0,
2514 WLAN_REASON_MESH_PATH_NOFORWARD,
2515 fwd_hdr->addr2);
2516 IEEE80211_IFSTA_MESH_CTR_INC(ifmsh, dropped_frames_no_route);
2517 kfree_skb(fwd_skb);
2518 return RX_DROP_MONITOR;
2519 }
2520
2521 IEEE80211_IFSTA_MESH_CTR_INC(ifmsh, fwded_frames);
2522 ieee80211_add_pending_skb(local, fwd_skb);
2523 out:
2524 if (is_multicast_ether_addr(hdr->addr1))
2525 return RX_CONTINUE;
2526 return RX_DROP_MONITOR;
2527}
2528#endif
2529
2530static ieee80211_rx_result debug_noinline
2531ieee80211_rx_h_data(struct ieee80211_rx_data *rx)
2532{
2533 struct ieee80211_sub_if_data *sdata = rx->sdata;
2534 struct ieee80211_local *local = rx->local;
2535 struct net_device *dev = sdata->dev;
2536 struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)rx->skb->data;
2537 __le16 fc = hdr->frame_control;
2538 bool port_control;
2539 int err;
2540
2541 if (unlikely(!ieee80211_is_data(hdr->frame_control)))
2542 return RX_CONTINUE;
2543
2544 if (unlikely(!ieee80211_is_data_present(hdr->frame_control)))
2545 return RX_DROP_MONITOR;
2546
2547 /*
2548 * Send unexpected-4addr-frame event to hostapd. For older versions,
2549 * also drop the frame to cooked monitor interfaces.
2550 */
2551 if (ieee80211_has_a4(hdr->frame_control) &&
2552 sdata->vif.type == NL80211_IFTYPE_AP) {
2553 if (rx->sta &&
2554 !test_and_set_sta_flag(rx->sta, WLAN_STA_4ADDR_EVENT))
2555 cfg80211_rx_unexpected_4addr_frame(
2556 rx->sdata->dev, rx->sta->sta.addr, GFP_ATOMIC);
2557 return RX_DROP_MONITOR;
2558 }
2559
2560 err = __ieee80211_data_to_8023(rx, &port_control);
2561 if (unlikely(err))
2562 return RX_DROP_UNUSABLE;
2563
2564 if (!ieee80211_frame_allowed(rx, fc))
2565 return RX_DROP_MONITOR;
2566
2567 /* directly handle TDLS channel switch requests/responses */
2568 if (unlikely(((struct ethhdr *)rx->skb->data)->h_proto ==
2569 cpu_to_be16(ETH_P_TDLS))) {
2570 struct ieee80211_tdls_data *tf = (void *)rx->skb->data;
2571
2572 if (pskb_may_pull(rx->skb,
2573 offsetof(struct ieee80211_tdls_data, u)) &&
2574 tf->payload_type == WLAN_TDLS_SNAP_RFTYPE &&
2575 tf->category == WLAN_CATEGORY_TDLS &&
2576 (tf->action_code == WLAN_TDLS_CHANNEL_SWITCH_REQUEST ||
2577 tf->action_code == WLAN_TDLS_CHANNEL_SWITCH_RESPONSE)) {
2578 skb_queue_tail(&local->skb_queue_tdls_chsw, rx->skb);
2579 schedule_work(&local->tdls_chsw_work);
2580 if (rx->sta)
2581 rx->sta->rx_stats.packets++;
2582
2583 return RX_QUEUED;
2584 }
2585 }
2586
2587 if (rx->sdata->vif.type == NL80211_IFTYPE_AP_VLAN &&
2588 unlikely(port_control) && sdata->bss) {
2589 sdata = container_of(sdata->bss, struct ieee80211_sub_if_data,
2590 u.ap);
2591 dev = sdata->dev;
2592 rx->sdata = sdata;
2593 }
2594
2595 rx->skb->dev = dev;
2596
2597 if (!ieee80211_hw_check(&local->hw, SUPPORTS_DYNAMIC_PS) &&
2598 local->ps_sdata && local->hw.conf.dynamic_ps_timeout > 0 &&
2599 !is_multicast_ether_addr(
2600 ((struct ethhdr *)rx->skb->data)->h_dest) &&
2601 (!local->scanning &&
2602 !test_bit(SDATA_STATE_OFFCHANNEL, &sdata->state)))
2603 mod_timer(&local->dynamic_ps_timer, jiffies +
2604 msecs_to_jiffies(local->hw.conf.dynamic_ps_timeout));
2605
2606 ieee80211_deliver_skb(rx);
2607
2608 return RX_QUEUED;
2609}
2610
2611static ieee80211_rx_result debug_noinline
2612ieee80211_rx_h_ctrl(struct ieee80211_rx_data *rx, struct sk_buff_head *frames)
2613{
2614 struct sk_buff *skb = rx->skb;
2615 struct ieee80211_bar *bar = (struct ieee80211_bar *)skb->data;
2616 struct tid_ampdu_rx *tid_agg_rx;
2617 u16 start_seq_num;
2618 u16 tid;
2619
2620 if (likely(!ieee80211_is_ctl(bar->frame_control)))
2621 return RX_CONTINUE;
2622
2623 if (ieee80211_is_back_req(bar->frame_control)) {
2624 struct {
2625 __le16 control, start_seq_num;
2626 } __packed bar_data;
2627 struct ieee80211_event event = {
2628 .type = BAR_RX_EVENT,
2629 };
2630
2631 if (!rx->sta)
2632 return RX_DROP_MONITOR;
2633
2634 if (skb_copy_bits(skb, offsetof(struct ieee80211_bar, control),
2635 &bar_data, sizeof(bar_data)))
2636 return RX_DROP_MONITOR;
2637
2638 tid = le16_to_cpu(bar_data.control) >> 12;
2639
2640 if (!test_bit(tid, rx->sta->ampdu_mlme.agg_session_valid) &&
2641 !test_and_set_bit(tid, rx->sta->ampdu_mlme.unexpected_agg))
2642 ieee80211_send_delba(rx->sdata, rx->sta->sta.addr, tid,
2643 WLAN_BACK_RECIPIENT,
2644 WLAN_REASON_QSTA_REQUIRE_SETUP);
2645
2646 tid_agg_rx = rcu_dereference(rx->sta->ampdu_mlme.tid_rx[tid]);
2647 if (!tid_agg_rx)
2648 return RX_DROP_MONITOR;
2649
2650 start_seq_num = le16_to_cpu(bar_data.start_seq_num) >> 4;
2651 event.u.ba.tid = tid;
2652 event.u.ba.ssn = start_seq_num;
2653 event.u.ba.sta = &rx->sta->sta;
2654
2655 /* reset session timer */
2656 if (tid_agg_rx->timeout)
2657 mod_timer(&tid_agg_rx->session_timer,
2658 TU_TO_EXP_TIME(tid_agg_rx->timeout));
2659
2660 spin_lock(&tid_agg_rx->reorder_lock);
2661 /* release stored frames up to start of BAR */
2662 ieee80211_release_reorder_frames(rx->sdata, tid_agg_rx,
2663 start_seq_num, frames);
2664 spin_unlock(&tid_agg_rx->reorder_lock);
2665
2666 drv_event_callback(rx->local, rx->sdata, &event);
2667
2668 kfree_skb(skb);
2669 return RX_QUEUED;
2670 }
2671
2672 /*
2673 * After this point, we only want management frames,
2674 * so we can drop all remaining control frames to
2675 * cooked monitor interfaces.
2676 */
2677 return RX_DROP_MONITOR;
2678}
2679
2680static void ieee80211_process_sa_query_req(struct ieee80211_sub_if_data *sdata,
2681 struct ieee80211_mgmt *mgmt,
2682 size_t len)
2683{
2684 struct ieee80211_local *local = sdata->local;
2685 struct sk_buff *skb;
2686 struct ieee80211_mgmt *resp;
2687
2688 if (!ether_addr_equal(mgmt->da, sdata->vif.addr)) {
2689 /* Not to own unicast address */
2690 return;
2691 }
2692
2693 if (!ether_addr_equal(mgmt->sa, sdata->u.mgd.bssid) ||
2694 !ether_addr_equal(mgmt->bssid, sdata->u.mgd.bssid)) {
2695 /* Not from the current AP or not associated yet. */
2696 return;
2697 }
2698
2699 if (len < 24 + 1 + sizeof(resp->u.action.u.sa_query)) {
2700 /* Too short SA Query request frame */
2701 return;
2702 }
2703
2704 skb = dev_alloc_skb(sizeof(*resp) + local->hw.extra_tx_headroom);
2705 if (skb == NULL)
2706 return;
2707
2708 skb_reserve(skb, local->hw.extra_tx_headroom);
2709 resp = (struct ieee80211_mgmt *) skb_put(skb, 24);
2710 memset(resp, 0, 24);
2711 memcpy(resp->da, mgmt->sa, ETH_ALEN);
2712 memcpy(resp->sa, sdata->vif.addr, ETH_ALEN);
2713 memcpy(resp->bssid, sdata->u.mgd.bssid, ETH_ALEN);
2714 resp->frame_control = cpu_to_le16(IEEE80211_FTYPE_MGMT |
2715 IEEE80211_STYPE_ACTION);
2716 skb_put(skb, 1 + sizeof(resp->u.action.u.sa_query));
2717 resp->u.action.category = WLAN_CATEGORY_SA_QUERY;
2718 resp->u.action.u.sa_query.action = WLAN_ACTION_SA_QUERY_RESPONSE;
2719 memcpy(resp->u.action.u.sa_query.trans_id,
2720 mgmt->u.action.u.sa_query.trans_id,
2721 WLAN_SA_QUERY_TR_ID_LEN);
2722
2723 ieee80211_tx_skb(sdata, skb);
2724}
2725
2726static ieee80211_rx_result debug_noinline
2727ieee80211_rx_h_mgmt_check(struct ieee80211_rx_data *rx)
2728{
2729 struct ieee80211_mgmt *mgmt = (struct ieee80211_mgmt *) rx->skb->data;
2730 struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(rx->skb);
2731
2732 /*
2733 * From here on, look only at management frames.
2734 * Data and control frames are already handled,
2735 * and unknown (reserved) frames are useless.
2736 */
2737 if (rx->skb->len < 24)
2738 return RX_DROP_MONITOR;
2739
2740 if (!ieee80211_is_mgmt(mgmt->frame_control))
2741 return RX_DROP_MONITOR;
2742
2743 if (rx->sdata->vif.type == NL80211_IFTYPE_AP &&
2744 ieee80211_is_beacon(mgmt->frame_control) &&
2745 !(rx->flags & IEEE80211_RX_BEACON_REPORTED)) {
2746 int sig = 0;
2747
2748 if (ieee80211_hw_check(&rx->local->hw, SIGNAL_DBM))
2749 sig = status->signal;
2750
2751 cfg80211_report_obss_beacon(rx->local->hw.wiphy,
2752 rx->skb->data, rx->skb->len,
2753 status->freq, sig);
2754 rx->flags |= IEEE80211_RX_BEACON_REPORTED;
2755 }
2756
2757 if (ieee80211_drop_unencrypted_mgmt(rx))
2758 return RX_DROP_UNUSABLE;
2759
2760 return RX_CONTINUE;
2761}
2762
2763static ieee80211_rx_result debug_noinline
2764ieee80211_rx_h_action(struct ieee80211_rx_data *rx)
2765{
2766 struct ieee80211_local *local = rx->local;
2767 struct ieee80211_sub_if_data *sdata = rx->sdata;
2768 struct ieee80211_mgmt *mgmt = (struct ieee80211_mgmt *) rx->skb->data;
2769 struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(rx->skb);
2770 int len = rx->skb->len;
2771
2772 if (!ieee80211_is_action(mgmt->frame_control))
2773 return RX_CONTINUE;
2774
2775 /* drop too small frames */
2776 if (len < IEEE80211_MIN_ACTION_SIZE)
2777 return RX_DROP_UNUSABLE;
2778
2779 if (!rx->sta && mgmt->u.action.category != WLAN_CATEGORY_PUBLIC &&
2780 mgmt->u.action.category != WLAN_CATEGORY_SELF_PROTECTED &&
2781 mgmt->u.action.category != WLAN_CATEGORY_SPECTRUM_MGMT)
2782 return RX_DROP_UNUSABLE;
2783
2784 switch (mgmt->u.action.category) {
2785 case WLAN_CATEGORY_HT:
2786 /* reject HT action frames from stations not supporting HT */
2787 if (!rx->sta->sta.ht_cap.ht_supported)
2788 goto invalid;
2789
2790 if (sdata->vif.type != NL80211_IFTYPE_STATION &&
2791 sdata->vif.type != NL80211_IFTYPE_MESH_POINT &&
2792 sdata->vif.type != NL80211_IFTYPE_AP_VLAN &&
2793 sdata->vif.type != NL80211_IFTYPE_AP &&
2794 sdata->vif.type != NL80211_IFTYPE_ADHOC)
2795 break;
2796
2797 /* verify action & smps_control/chanwidth are present */
2798 if (len < IEEE80211_MIN_ACTION_SIZE + 2)
2799 goto invalid;
2800
2801 switch (mgmt->u.action.u.ht_smps.action) {
2802 case WLAN_HT_ACTION_SMPS: {
2803 struct ieee80211_supported_band *sband;
2804 enum ieee80211_smps_mode smps_mode;
2805
2806 /* convert to HT capability */
2807 switch (mgmt->u.action.u.ht_smps.smps_control) {
2808 case WLAN_HT_SMPS_CONTROL_DISABLED:
2809 smps_mode = IEEE80211_SMPS_OFF;
2810 break;
2811 case WLAN_HT_SMPS_CONTROL_STATIC:
2812 smps_mode = IEEE80211_SMPS_STATIC;
2813 break;
2814 case WLAN_HT_SMPS_CONTROL_DYNAMIC:
2815 smps_mode = IEEE80211_SMPS_DYNAMIC;
2816 break;
2817 default:
2818 goto invalid;
2819 }
2820
2821 /* if no change do nothing */
2822 if (rx->sta->sta.smps_mode == smps_mode)
2823 goto handled;
2824 rx->sta->sta.smps_mode = smps_mode;
2825
2826 sband = rx->local->hw.wiphy->bands[status->band];
2827
2828 rate_control_rate_update(local, sband, rx->sta,
2829 IEEE80211_RC_SMPS_CHANGED);
2830 goto handled;
2831 }
2832 case WLAN_HT_ACTION_NOTIFY_CHANWIDTH: {
2833 struct ieee80211_supported_band *sband;
2834 u8 chanwidth = mgmt->u.action.u.ht_notify_cw.chanwidth;
2835 enum ieee80211_sta_rx_bandwidth max_bw, new_bw;
2836
2837 /* If it doesn't support 40 MHz it can't change ... */
2838 if (!(rx->sta->sta.ht_cap.cap &
2839 IEEE80211_HT_CAP_SUP_WIDTH_20_40))
2840 goto handled;
2841
2842 if (chanwidth == IEEE80211_HT_CHANWIDTH_20MHZ)
2843 max_bw = IEEE80211_STA_RX_BW_20;
2844 else
2845 max_bw = ieee80211_sta_cap_rx_bw(rx->sta);
2846
2847 /* set cur_max_bandwidth and recalc sta bw */
2848 rx->sta->cur_max_bandwidth = max_bw;
2849 new_bw = ieee80211_sta_cur_vht_bw(rx->sta);
2850
2851 if (rx->sta->sta.bandwidth == new_bw)
2852 goto handled;
2853
2854 rx->sta->sta.bandwidth = new_bw;
2855 sband = rx->local->hw.wiphy->bands[status->band];
2856
2857 rate_control_rate_update(local, sband, rx->sta,
2858 IEEE80211_RC_BW_CHANGED);
2859 goto handled;
2860 }
2861 default:
2862 goto invalid;
2863 }
2864
2865 break;
2866 case WLAN_CATEGORY_PUBLIC:
2867 if (len < IEEE80211_MIN_ACTION_SIZE + 1)
2868 goto invalid;
2869 if (sdata->vif.type != NL80211_IFTYPE_STATION)
2870 break;
2871 if (!rx->sta)
2872 break;
2873 if (!ether_addr_equal(mgmt->bssid, sdata->u.mgd.bssid))
2874 break;
2875 if (mgmt->u.action.u.ext_chan_switch.action_code !=
2876 WLAN_PUB_ACTION_EXT_CHANSW_ANN)
2877 break;
2878 if (len < offsetof(struct ieee80211_mgmt,
2879 u.action.u.ext_chan_switch.variable))
2880 goto invalid;
2881 goto queue;
2882 case WLAN_CATEGORY_VHT:
2883 if (sdata->vif.type != NL80211_IFTYPE_STATION &&
2884 sdata->vif.type != NL80211_IFTYPE_MESH_POINT &&
2885 sdata->vif.type != NL80211_IFTYPE_AP_VLAN &&
2886 sdata->vif.type != NL80211_IFTYPE_AP &&
2887 sdata->vif.type != NL80211_IFTYPE_ADHOC)
2888 break;
2889
2890 /* verify action code is present */
2891 if (len < IEEE80211_MIN_ACTION_SIZE + 1)
2892 goto invalid;
2893
2894 switch (mgmt->u.action.u.vht_opmode_notif.action_code) {
2895 case WLAN_VHT_ACTION_OPMODE_NOTIF: {
2896 /* verify opmode is present */
2897 if (len < IEEE80211_MIN_ACTION_SIZE + 2)
2898 goto invalid;
2899 goto queue;
2900 }
2901 case WLAN_VHT_ACTION_GROUPID_MGMT: {
2902 if (len < IEEE80211_MIN_ACTION_SIZE + 25)
2903 goto invalid;
2904 goto queue;
2905 }
2906 default:
2907 break;
2908 }
2909 break;
2910 case WLAN_CATEGORY_BACK:
2911 if (sdata->vif.type != NL80211_IFTYPE_STATION &&
2912 sdata->vif.type != NL80211_IFTYPE_MESH_POINT &&
2913 sdata->vif.type != NL80211_IFTYPE_AP_VLAN &&
2914 sdata->vif.type != NL80211_IFTYPE_AP &&
2915 sdata->vif.type != NL80211_IFTYPE_ADHOC)
2916 break;
2917
2918 /* verify action_code is present */
2919 if (len < IEEE80211_MIN_ACTION_SIZE + 1)
2920 break;
2921
2922 switch (mgmt->u.action.u.addba_req.action_code) {
2923 case WLAN_ACTION_ADDBA_REQ:
2924 if (len < (IEEE80211_MIN_ACTION_SIZE +
2925 sizeof(mgmt->u.action.u.addba_req)))
2926 goto invalid;
2927 break;
2928 case WLAN_ACTION_ADDBA_RESP:
2929 if (len < (IEEE80211_MIN_ACTION_SIZE +
2930 sizeof(mgmt->u.action.u.addba_resp)))
2931 goto invalid;
2932 break;
2933 case WLAN_ACTION_DELBA:
2934 if (len < (IEEE80211_MIN_ACTION_SIZE +
2935 sizeof(mgmt->u.action.u.delba)))
2936 goto invalid;
2937 break;
2938 default:
2939 goto invalid;
2940 }
2941
2942 goto queue;
2943 case WLAN_CATEGORY_SPECTRUM_MGMT:
2944 /* verify action_code is present */
2945 if (len < IEEE80211_MIN_ACTION_SIZE + 1)
2946 break;
2947
2948 switch (mgmt->u.action.u.measurement.action_code) {
2949 case WLAN_ACTION_SPCT_MSR_REQ:
2950 if (status->band != NL80211_BAND_5GHZ)
2951 break;
2952
2953 if (len < (IEEE80211_MIN_ACTION_SIZE +
2954 sizeof(mgmt->u.action.u.measurement)))
2955 break;
2956
2957 if (sdata->vif.type != NL80211_IFTYPE_STATION)
2958 break;
2959
2960 ieee80211_process_measurement_req(sdata, mgmt, len);
2961 goto handled;
2962 case WLAN_ACTION_SPCT_CHL_SWITCH: {
2963 u8 *bssid;
2964 if (len < (IEEE80211_MIN_ACTION_SIZE +
2965 sizeof(mgmt->u.action.u.chan_switch)))
2966 break;
2967
2968 if (sdata->vif.type != NL80211_IFTYPE_STATION &&
2969 sdata->vif.type != NL80211_IFTYPE_ADHOC &&
2970 sdata->vif.type != NL80211_IFTYPE_MESH_POINT)
2971 break;
2972
2973 if (sdata->vif.type == NL80211_IFTYPE_STATION)
2974 bssid = sdata->u.mgd.bssid;
2975 else if (sdata->vif.type == NL80211_IFTYPE_ADHOC)
2976 bssid = sdata->u.ibss.bssid;
2977 else if (sdata->vif.type == NL80211_IFTYPE_MESH_POINT)
2978 bssid = mgmt->sa;
2979 else
2980 break;
2981
2982 if (!ether_addr_equal(mgmt->bssid, bssid))
2983 break;
2984
2985 goto queue;
2986 }
2987 }
2988 break;
2989 case WLAN_CATEGORY_SA_QUERY:
2990 if (len < (IEEE80211_MIN_ACTION_SIZE +
2991 sizeof(mgmt->u.action.u.sa_query)))
2992 break;
2993
2994 switch (mgmt->u.action.u.sa_query.action) {
2995 case WLAN_ACTION_SA_QUERY_REQUEST:
2996 if (sdata->vif.type != NL80211_IFTYPE_STATION)
2997 break;
2998 ieee80211_process_sa_query_req(sdata, mgmt, len);
2999 goto handled;
3000 }
3001 break;
3002 case WLAN_CATEGORY_SELF_PROTECTED:
3003 if (len < (IEEE80211_MIN_ACTION_SIZE +
3004 sizeof(mgmt->u.action.u.self_prot.action_code)))
3005 break;
3006
3007 switch (mgmt->u.action.u.self_prot.action_code) {
3008 case WLAN_SP_MESH_PEERING_OPEN:
3009 case WLAN_SP_MESH_PEERING_CLOSE:
3010 case WLAN_SP_MESH_PEERING_CONFIRM:
3011 if (!ieee80211_vif_is_mesh(&sdata->vif))
3012 goto invalid;
3013 if (sdata->u.mesh.user_mpm)
3014 /* userspace handles this frame */
3015 break;
3016 goto queue;
3017 case WLAN_SP_MGK_INFORM:
3018 case WLAN_SP_MGK_ACK:
3019 if (!ieee80211_vif_is_mesh(&sdata->vif))
3020 goto invalid;
3021 break;
3022 }
3023 break;
3024 case WLAN_CATEGORY_MESH_ACTION:
3025 if (len < (IEEE80211_MIN_ACTION_SIZE +
3026 sizeof(mgmt->u.action.u.mesh_action.action_code)))
3027 break;
3028
3029 if (!ieee80211_vif_is_mesh(&sdata->vif))
3030 break;
3031 if (mesh_action_is_path_sel(mgmt) &&
3032 !mesh_path_sel_is_hwmp(sdata))
3033 break;
3034 goto queue;
3035 }
3036
3037 return RX_CONTINUE;
3038
3039 invalid:
3040 status->rx_flags |= IEEE80211_RX_MALFORMED_ACTION_FRM;
3041 /* will return in the next handlers */
3042 return RX_CONTINUE;
3043
3044 handled:
3045 if (rx->sta)
3046 rx->sta->rx_stats.packets++;
3047 dev_kfree_skb(rx->skb);
3048 return RX_QUEUED;
3049
3050 queue:
3051 rx->skb->pkt_type = IEEE80211_SDATA_QUEUE_TYPE_FRAME;
3052 skb_queue_tail(&sdata->skb_queue, rx->skb);
3053 ieee80211_queue_work(&local->hw, &sdata->work);
3054 if (rx->sta)
3055 rx->sta->rx_stats.packets++;
3056 return RX_QUEUED;
3057}
3058
3059static ieee80211_rx_result debug_noinline
3060ieee80211_rx_h_userspace_mgmt(struct ieee80211_rx_data *rx)
3061{
3062 struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(rx->skb);
3063 int sig = 0;
3064
3065 /* skip known-bad action frames and return them in the next handler */
3066 if (status->rx_flags & IEEE80211_RX_MALFORMED_ACTION_FRM)
3067 return RX_CONTINUE;
3068
3069 /*
3070 * Getting here means the kernel doesn't know how to handle
3071 * it, but maybe userspace does ... include returned frames
3072 * so userspace can register for those to know whether ones
3073 * it transmitted were processed or returned.
3074 */
3075
3076 if (ieee80211_hw_check(&rx->local->hw, SIGNAL_DBM))
3077 sig = status->signal;
3078
3079 if (cfg80211_rx_mgmt(&rx->sdata->wdev, status->freq, sig,
3080 rx->skb->data, rx->skb->len, 0)) {
3081 if (rx->sta)
3082 rx->sta->rx_stats.packets++;
3083 dev_kfree_skb(rx->skb);
3084 return RX_QUEUED;
3085 }
3086
3087 return RX_CONTINUE;
3088}
3089
3090static ieee80211_rx_result debug_noinline
3091ieee80211_rx_h_action_return(struct ieee80211_rx_data *rx)
3092{
3093 struct ieee80211_local *local = rx->local;
3094 struct ieee80211_mgmt *mgmt = (struct ieee80211_mgmt *) rx->skb->data;
3095 struct sk_buff *nskb;
3096 struct ieee80211_sub_if_data *sdata = rx->sdata;
3097 struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(rx->skb);
3098
3099 if (!ieee80211_is_action(mgmt->frame_control))
3100 return RX_CONTINUE;
3101
3102 /*
3103 * For AP mode, hostapd is responsible for handling any action
3104 * frames that we didn't handle, including returning unknown
3105 * ones. For all other modes we will return them to the sender,
3106 * setting the 0x80 bit in the action category, as required by
3107 * 802.11-2012 9.24.4.
3108 * Newer versions of hostapd shall also use the management frame
3109 * registration mechanisms, but older ones still use cooked
3110 * monitor interfaces so push all frames there.
3111 */
3112 if (!(status->rx_flags & IEEE80211_RX_MALFORMED_ACTION_FRM) &&
3113 (sdata->vif.type == NL80211_IFTYPE_AP ||
3114 sdata->vif.type == NL80211_IFTYPE_AP_VLAN))
3115 return RX_DROP_MONITOR;
3116
3117 if (is_multicast_ether_addr(mgmt->da))
3118 return RX_DROP_MONITOR;
3119
3120 /* do not return rejected action frames */
3121 if (mgmt->u.action.category & 0x80)
3122 return RX_DROP_UNUSABLE;
3123
3124 nskb = skb_copy_expand(rx->skb, local->hw.extra_tx_headroom, 0,
3125 GFP_ATOMIC);
3126 if (nskb) {
3127 struct ieee80211_mgmt *nmgmt = (void *)nskb->data;
3128
3129 nmgmt->u.action.category |= 0x80;
3130 memcpy(nmgmt->da, nmgmt->sa, ETH_ALEN);
3131 memcpy(nmgmt->sa, rx->sdata->vif.addr, ETH_ALEN);
3132
3133 memset(nskb->cb, 0, sizeof(nskb->cb));
3134
3135 if (rx->sdata->vif.type == NL80211_IFTYPE_P2P_DEVICE) {
3136 struct ieee80211_tx_info *info = IEEE80211_SKB_CB(nskb);
3137
3138 info->flags = IEEE80211_TX_CTL_TX_OFFCHAN |
3139 IEEE80211_TX_INTFL_OFFCHAN_TX_OK |
3140 IEEE80211_TX_CTL_NO_CCK_RATE;
3141 if (ieee80211_hw_check(&local->hw, QUEUE_CONTROL))
3142 info->hw_queue =
3143 local->hw.offchannel_tx_hw_queue;
3144 }
3145
3146 __ieee80211_tx_skb_tid_band(rx->sdata, nskb, 7,
3147 status->band);
3148 }
3149 dev_kfree_skb(rx->skb);
3150 return RX_QUEUED;
3151}
3152
3153static ieee80211_rx_result debug_noinline
3154ieee80211_rx_h_mgmt(struct ieee80211_rx_data *rx)
3155{
3156 struct ieee80211_sub_if_data *sdata = rx->sdata;
3157 struct ieee80211_mgmt *mgmt = (void *)rx->skb->data;
3158 __le16 stype;
3159
3160 stype = mgmt->frame_control & cpu_to_le16(IEEE80211_FCTL_STYPE);
3161
3162 if (!ieee80211_vif_is_mesh(&sdata->vif) &&
3163 sdata->vif.type != NL80211_IFTYPE_ADHOC &&
3164 sdata->vif.type != NL80211_IFTYPE_OCB &&
3165 sdata->vif.type != NL80211_IFTYPE_STATION)
3166 return RX_DROP_MONITOR;
3167
3168 switch (stype) {
3169 case cpu_to_le16(IEEE80211_STYPE_AUTH):
3170 case cpu_to_le16(IEEE80211_STYPE_BEACON):
3171 case cpu_to_le16(IEEE80211_STYPE_PROBE_RESP):
3172 /* process for all: mesh, mlme, ibss */
3173 break;
3174 case cpu_to_le16(IEEE80211_STYPE_ASSOC_RESP):
3175 case cpu_to_le16(IEEE80211_STYPE_REASSOC_RESP):
3176 case cpu_to_le16(IEEE80211_STYPE_DEAUTH):
3177 case cpu_to_le16(IEEE80211_STYPE_DISASSOC):
3178 if (is_multicast_ether_addr(mgmt->da) &&
3179 !is_broadcast_ether_addr(mgmt->da))
3180 return RX_DROP_MONITOR;
3181
3182 /* process only for station */
3183 if (sdata->vif.type != NL80211_IFTYPE_STATION)
3184 return RX_DROP_MONITOR;
3185 break;
3186 case cpu_to_le16(IEEE80211_STYPE_PROBE_REQ):
3187 /* process only for ibss and mesh */
3188 if (sdata->vif.type != NL80211_IFTYPE_ADHOC &&
3189 sdata->vif.type != NL80211_IFTYPE_MESH_POINT)
3190 return RX_DROP_MONITOR;
3191 break;
3192 default:
3193 return RX_DROP_MONITOR;
3194 }
3195
3196 /* queue up frame and kick off work to process it */
3197 rx->skb->pkt_type = IEEE80211_SDATA_QUEUE_TYPE_FRAME;
3198 skb_queue_tail(&sdata->skb_queue, rx->skb);
3199 ieee80211_queue_work(&rx->local->hw, &sdata->work);
3200 if (rx->sta)
3201 rx->sta->rx_stats.packets++;
3202
3203 return RX_QUEUED;
3204}
3205
3206static void ieee80211_rx_cooked_monitor(struct ieee80211_rx_data *rx,
3207 struct ieee80211_rate *rate)
3208{
3209 struct ieee80211_sub_if_data *sdata;
3210 struct ieee80211_local *local = rx->local;
3211 struct sk_buff *skb = rx->skb, *skb2;
3212 struct net_device *prev_dev = NULL;
3213 struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(skb);
3214 int needed_headroom;
3215
3216 /*
3217 * If cooked monitor has been processed already, then
3218 * don't do it again. If not, set the flag.
3219 */
3220 if (rx->flags & IEEE80211_RX_CMNTR)
3221 goto out_free_skb;
3222 rx->flags |= IEEE80211_RX_CMNTR;
3223
3224 /* If there are no cooked monitor interfaces, just free the SKB */
3225 if (!local->cooked_mntrs)
3226 goto out_free_skb;
3227
3228 /* vendor data is long removed here */
3229 status->flag &= ~RX_FLAG_RADIOTAP_VENDOR_DATA;
3230 /* room for the radiotap header based on driver features */
3231 needed_headroom = ieee80211_rx_radiotap_hdrlen(local, status, skb);
3232
3233 if (skb_headroom(skb) < needed_headroom &&
3234 pskb_expand_head(skb, needed_headroom, 0, GFP_ATOMIC))
3235 goto out_free_skb;
3236
3237 /* prepend radiotap information */
3238 ieee80211_add_rx_radiotap_header(local, skb, rate, needed_headroom,
3239 false);
3240
3241 skb_reset_mac_header(skb);
3242 skb->ip_summed = CHECKSUM_UNNECESSARY;
3243 skb->pkt_type = PACKET_OTHERHOST;
3244 skb->protocol = htons(ETH_P_802_2);
3245
3246 list_for_each_entry_rcu(sdata, &local->interfaces, list) {
3247 if (!ieee80211_sdata_running(sdata))
3248 continue;
3249
3250 if (sdata->vif.type != NL80211_IFTYPE_MONITOR ||
3251 !(sdata->u.mntr.flags & MONITOR_FLAG_COOK_FRAMES))
3252 continue;
3253
3254 if (prev_dev) {
3255 skb2 = skb_clone(skb, GFP_ATOMIC);
3256 if (skb2) {
3257 skb2->dev = prev_dev;
3258 netif_receive_skb(skb2);
3259 }
3260 }
3261
3262 prev_dev = sdata->dev;
3263 ieee80211_rx_stats(sdata->dev, skb->len);
3264 }
3265
3266 if (prev_dev) {
3267 skb->dev = prev_dev;
3268 netif_receive_skb(skb);
3269 return;
3270 }
3271
3272 out_free_skb:
3273 dev_kfree_skb(skb);
3274}
3275
3276static void ieee80211_rx_handlers_result(struct ieee80211_rx_data *rx,
3277 ieee80211_rx_result res)
3278{
3279 switch (res) {
3280 case RX_DROP_MONITOR:
3281 I802_DEBUG_INC(rx->sdata->local->rx_handlers_drop);
3282 if (rx->sta)
3283 rx->sta->rx_stats.dropped++;
3284 /* fall through */
3285 case RX_CONTINUE: {
3286 struct ieee80211_rate *rate = NULL;
3287 struct ieee80211_supported_band *sband;
3288 struct ieee80211_rx_status *status;
3289
3290 status = IEEE80211_SKB_RXCB((rx->skb));
3291
3292 sband = rx->local->hw.wiphy->bands[status->band];
3293 if (!(status->flag & RX_FLAG_HT) &&
3294 !(status->flag & RX_FLAG_VHT))
3295 rate = &sband->bitrates[status->rate_idx];
3296
3297 ieee80211_rx_cooked_monitor(rx, rate);
3298 break;
3299 }
3300 case RX_DROP_UNUSABLE:
3301 I802_DEBUG_INC(rx->sdata->local->rx_handlers_drop);
3302 if (rx->sta)
3303 rx->sta->rx_stats.dropped++;
3304 dev_kfree_skb(rx->skb);
3305 break;
3306 case RX_QUEUED:
3307 I802_DEBUG_INC(rx->sdata->local->rx_handlers_queued);
3308 break;
3309 }
3310}
3311
3312static void ieee80211_rx_handlers(struct ieee80211_rx_data *rx,
3313 struct sk_buff_head *frames)
3314{
3315 ieee80211_rx_result res = RX_DROP_MONITOR;
3316 struct sk_buff *skb;
3317
3318#define CALL_RXH(rxh) \
3319 do { \
3320 res = rxh(rx); \
3321 if (res != RX_CONTINUE) \
3322 goto rxh_next; \
3323 } while (0)
3324
3325 /* Lock here to avoid hitting all of the data used in the RX
3326 * path (e.g. key data, station data, ...) concurrently when
3327 * a frame is released from the reorder buffer due to timeout
3328 * from the timer, potentially concurrently with RX from the
3329 * driver.
3330 */
3331 spin_lock_bh(&rx->local->rx_path_lock);
3332
3333 while ((skb = __skb_dequeue(frames))) {
3334 /*
3335 * all the other fields are valid across frames
3336 * that belong to an aMPDU since they are on the
3337 * same TID from the same station
3338 */
3339 rx->skb = skb;
3340
3341 CALL_RXH(ieee80211_rx_h_check_more_data);
3342 CALL_RXH(ieee80211_rx_h_uapsd_and_pspoll);
3343 CALL_RXH(ieee80211_rx_h_sta_process);
3344 CALL_RXH(ieee80211_rx_h_decrypt);
3345 CALL_RXH(ieee80211_rx_h_defragment);
3346 CALL_RXH(ieee80211_rx_h_michael_mic_verify);
3347 /* must be after MMIC verify so header is counted in MPDU mic */
3348#ifdef CONFIG_MAC80211_MESH
3349 if (ieee80211_vif_is_mesh(&rx->sdata->vif))
3350 CALL_RXH(ieee80211_rx_h_mesh_fwding);
3351#endif
3352 CALL_RXH(ieee80211_rx_h_amsdu);
3353 CALL_RXH(ieee80211_rx_h_data);
3354
3355 /* special treatment -- needs the queue */
3356 res = ieee80211_rx_h_ctrl(rx, frames);
3357 if (res != RX_CONTINUE)
3358 goto rxh_next;
3359
3360 CALL_RXH(ieee80211_rx_h_mgmt_check);
3361 CALL_RXH(ieee80211_rx_h_action);
3362 CALL_RXH(ieee80211_rx_h_userspace_mgmt);
3363 CALL_RXH(ieee80211_rx_h_action_return);
3364 CALL_RXH(ieee80211_rx_h_mgmt);
3365
3366 rxh_next:
3367 ieee80211_rx_handlers_result(rx, res);
3368
3369#undef CALL_RXH
3370 }
3371
3372 spin_unlock_bh(&rx->local->rx_path_lock);
3373}
3374
3375static void ieee80211_invoke_rx_handlers(struct ieee80211_rx_data *rx)
3376{
3377 struct sk_buff_head reorder_release;
3378 ieee80211_rx_result res = RX_DROP_MONITOR;
3379
3380 __skb_queue_head_init(&reorder_release);
3381
3382#define CALL_RXH(rxh) \
3383 do { \
3384 res = rxh(rx); \
3385 if (res != RX_CONTINUE) \
3386 goto rxh_next; \
3387 } while (0)
3388
3389 CALL_RXH(ieee80211_rx_h_check_dup);
3390 CALL_RXH(ieee80211_rx_h_check);
3391
3392 ieee80211_rx_reorder_ampdu(rx, &reorder_release);
3393
3394 ieee80211_rx_handlers(rx, &reorder_release);
3395 return;
3396
3397 rxh_next:
3398 ieee80211_rx_handlers_result(rx, res);
3399
3400#undef CALL_RXH
3401}
3402
3403/*
3404 * This function makes calls into the RX path, therefore
3405 * it has to be invoked under RCU read lock.
3406 */
3407void ieee80211_release_reorder_timeout(struct sta_info *sta, int tid)
3408{
3409 struct sk_buff_head frames;
3410 struct ieee80211_rx_data rx = {
3411 .sta = sta,
3412 .sdata = sta->sdata,
3413 .local = sta->local,
3414 /* This is OK -- must be QoS data frame */
3415 .security_idx = tid,
3416 .seqno_idx = tid,
3417 .napi = NULL, /* must be NULL to not have races */
3418 };
3419 struct tid_ampdu_rx *tid_agg_rx;
3420
3421 tid_agg_rx = rcu_dereference(sta->ampdu_mlme.tid_rx[tid]);
3422 if (!tid_agg_rx)
3423 return;
3424
3425 __skb_queue_head_init(&frames);
3426
3427 spin_lock(&tid_agg_rx->reorder_lock);
3428 ieee80211_sta_reorder_release(sta->sdata, tid_agg_rx, &frames);
3429 spin_unlock(&tid_agg_rx->reorder_lock);
3430
3431 if (!skb_queue_empty(&frames)) {
3432 struct ieee80211_event event = {
3433 .type = BA_FRAME_TIMEOUT,
3434 .u.ba.tid = tid,
3435 .u.ba.sta = &sta->sta,
3436 };
3437 drv_event_callback(rx.local, rx.sdata, &event);
3438 }
3439
3440 ieee80211_rx_handlers(&rx, &frames);
3441}
3442
3443void ieee80211_mark_rx_ba_filtered_frames(struct ieee80211_sta *pubsta, u8 tid,
3444 u16 ssn, u64 filtered,
3445 u16 received_mpdus)
3446{
3447 struct sta_info *sta;
3448 struct tid_ampdu_rx *tid_agg_rx;
3449 struct sk_buff_head frames;
3450 struct ieee80211_rx_data rx = {
3451 /* This is OK -- must be QoS data frame */
3452 .security_idx = tid,
3453 .seqno_idx = tid,
3454 };
3455 int i, diff;
3456
3457 if (WARN_ON(!pubsta || tid >= IEEE80211_NUM_TIDS))
3458 return;
3459
3460 __skb_queue_head_init(&frames);
3461
3462 sta = container_of(pubsta, struct sta_info, sta);
3463
3464 rx.sta = sta;
3465 rx.sdata = sta->sdata;
3466 rx.local = sta->local;
3467
3468 rcu_read_lock();
3469 tid_agg_rx = rcu_dereference(sta->ampdu_mlme.tid_rx[tid]);
3470 if (!tid_agg_rx)
3471 goto out;
3472
3473 spin_lock_bh(&tid_agg_rx->reorder_lock);
3474
3475 if (received_mpdus >= IEEE80211_SN_MODULO >> 1) {
3476 int release;
3477
3478 /* release all frames in the reorder buffer */
3479 release = (tid_agg_rx->head_seq_num + tid_agg_rx->buf_size) %
3480 IEEE80211_SN_MODULO;
3481 ieee80211_release_reorder_frames(sta->sdata, tid_agg_rx,
3482 release, &frames);
3483 /* update ssn to match received ssn */
3484 tid_agg_rx->head_seq_num = ssn;
3485 } else {
3486 ieee80211_release_reorder_frames(sta->sdata, tid_agg_rx, ssn,
3487 &frames);
3488 }
3489
3490 /* handle the case that received ssn is behind the mac ssn.
3491 * it can be tid_agg_rx->buf_size behind and still be valid */
3492 diff = (tid_agg_rx->head_seq_num - ssn) & IEEE80211_SN_MASK;
3493 if (diff >= tid_agg_rx->buf_size) {
3494 tid_agg_rx->reorder_buf_filtered = 0;
3495 goto release;
3496 }
3497 filtered = filtered >> diff;
3498 ssn += diff;
3499
3500 /* update bitmap */
3501 for (i = 0; i < tid_agg_rx->buf_size; i++) {
3502 int index = (ssn + i) % tid_agg_rx->buf_size;
3503
3504 tid_agg_rx->reorder_buf_filtered &= ~BIT_ULL(index);
3505 if (filtered & BIT_ULL(i))
3506 tid_agg_rx->reorder_buf_filtered |= BIT_ULL(index);
3507 }
3508
3509 /* now process also frames that the filter marking released */
3510 ieee80211_sta_reorder_release(sta->sdata, tid_agg_rx, &frames);
3511
3512release:
3513 spin_unlock_bh(&tid_agg_rx->reorder_lock);
3514
3515 ieee80211_rx_handlers(&rx, &frames);
3516
3517 out:
3518 rcu_read_unlock();
3519}
3520EXPORT_SYMBOL(ieee80211_mark_rx_ba_filtered_frames);
3521
3522/* main receive path */
3523
3524static bool ieee80211_accept_frame(struct ieee80211_rx_data *rx)
3525{
3526 struct ieee80211_sub_if_data *sdata = rx->sdata;
3527 struct sk_buff *skb = rx->skb;
3528 struct ieee80211_hdr *hdr = (void *)skb->data;
3529 struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(skb);
3530 u8 *bssid = ieee80211_get_bssid(hdr, skb->len, sdata->vif.type);
3531 int multicast = is_multicast_ether_addr(hdr->addr1);
3532
3533 switch (sdata->vif.type) {
3534 case NL80211_IFTYPE_STATION:
3535 if (!bssid && !sdata->u.mgd.use_4addr)
3536 return false;
3537 if (multicast)
3538 return true;
3539 return ether_addr_equal(sdata->vif.addr, hdr->addr1);
3540 case NL80211_IFTYPE_ADHOC:
3541 if (!bssid)
3542 return false;
3543 if (ether_addr_equal(sdata->vif.addr, hdr->addr2) ||
3544 ether_addr_equal(sdata->u.ibss.bssid, hdr->addr2))
3545 return false;
3546 if (ieee80211_is_beacon(hdr->frame_control))
3547 return true;
3548 if (!ieee80211_bssid_match(bssid, sdata->u.ibss.bssid))
3549 return false;
3550 if (!multicast &&
3551 !ether_addr_equal(sdata->vif.addr, hdr->addr1))
3552 return false;
3553 if (!rx->sta) {
3554 int rate_idx;
3555 if (status->flag & (RX_FLAG_HT | RX_FLAG_VHT))
3556 rate_idx = 0; /* TODO: HT/VHT rates */
3557 else
3558 rate_idx = status->rate_idx;
3559 ieee80211_ibss_rx_no_sta(sdata, bssid, hdr->addr2,
3560 BIT(rate_idx));
3561 }
3562 return true;
3563 case NL80211_IFTYPE_OCB:
3564 if (!bssid)
3565 return false;
3566 if (!ieee80211_is_data_present(hdr->frame_control))
3567 return false;
3568 if (!is_broadcast_ether_addr(bssid))
3569 return false;
3570 if (!multicast &&
3571 !ether_addr_equal(sdata->dev->dev_addr, hdr->addr1))
3572 return false;
3573 if (!rx->sta) {
3574 int rate_idx;
3575 if (status->flag & RX_FLAG_HT)
3576 rate_idx = 0; /* TODO: HT rates */
3577 else
3578 rate_idx = status->rate_idx;
3579 ieee80211_ocb_rx_no_sta(sdata, bssid, hdr->addr2,
3580 BIT(rate_idx));
3581 }
3582 return true;
3583 case NL80211_IFTYPE_MESH_POINT:
3584 if (multicast)
3585 return true;
3586 return ether_addr_equal(sdata->vif.addr, hdr->addr1);
3587 case NL80211_IFTYPE_AP_VLAN:
3588 case NL80211_IFTYPE_AP:
3589 if (!bssid)
3590 return ether_addr_equal(sdata->vif.addr, hdr->addr1);
3591
3592 if (!ieee80211_bssid_match(bssid, sdata->vif.addr)) {
3593 /*
3594 * Accept public action frames even when the
3595 * BSSID doesn't match, this is used for P2P
3596 * and location updates. Note that mac80211
3597 * itself never looks at these frames.
3598 */
3599 if (!multicast &&
3600 !ether_addr_equal(sdata->vif.addr, hdr->addr1))
3601 return false;
3602 if (ieee80211_is_public_action(hdr, skb->len))
3603 return true;
3604 return ieee80211_is_beacon(hdr->frame_control);
3605 }
3606
3607 if (!ieee80211_has_tods(hdr->frame_control)) {
3608 /* ignore data frames to TDLS-peers */
3609 if (ieee80211_is_data(hdr->frame_control))
3610 return false;
3611 /* ignore action frames to TDLS-peers */
3612 if (ieee80211_is_action(hdr->frame_control) &&
3613 !is_broadcast_ether_addr(bssid) &&
3614 !ether_addr_equal(bssid, hdr->addr1))
3615 return false;
3616 }
3617 return true;
3618 case NL80211_IFTYPE_WDS:
3619 if (bssid || !ieee80211_is_data(hdr->frame_control))
3620 return false;
3621 return ether_addr_equal(sdata->u.wds.remote_addr, hdr->addr2);
3622 case NL80211_IFTYPE_P2P_DEVICE:
3623 return ieee80211_is_public_action(hdr, skb->len) ||
3624 ieee80211_is_probe_req(hdr->frame_control) ||
3625 ieee80211_is_probe_resp(hdr->frame_control) ||
3626 ieee80211_is_beacon(hdr->frame_control);
3627 case NL80211_IFTYPE_NAN:
3628 /* Currently no frames on NAN interface are allowed */
3629 return false;
3630 default:
3631 break;
3632 }
3633
3634 WARN_ON_ONCE(1);
3635 return false;
3636}
3637
3638void ieee80211_check_fast_rx(struct sta_info *sta)
3639{
3640 struct ieee80211_sub_if_data *sdata = sta->sdata;
3641 struct ieee80211_local *local = sdata->local;
3642 struct ieee80211_key *key;
3643 struct ieee80211_fast_rx fastrx = {
3644 .dev = sdata->dev,
3645 .vif_type = sdata->vif.type,
3646 .control_port_protocol = sdata->control_port_protocol,
3647 }, *old, *new = NULL;
3648 bool assign = false;
3649
3650 /* use sparse to check that we don't return without updating */
3651 __acquire(check_fast_rx);
3652
3653 BUILD_BUG_ON(sizeof(fastrx.rfc1042_hdr) != sizeof(rfc1042_header));
3654 BUILD_BUG_ON(sizeof(fastrx.rfc1042_hdr) != ETH_ALEN);
3655 ether_addr_copy(fastrx.rfc1042_hdr, rfc1042_header);
3656 ether_addr_copy(fastrx.vif_addr, sdata->vif.addr);
3657
3658 fastrx.uses_rss = ieee80211_hw_check(&local->hw, USES_RSS);
3659
3660 /* fast-rx doesn't do reordering */
3661 if (ieee80211_hw_check(&local->hw, AMPDU_AGGREGATION) &&
3662 !ieee80211_hw_check(&local->hw, SUPPORTS_REORDERING_BUFFER))
3663 goto clear;
3664
3665 switch (sdata->vif.type) {
3666 case NL80211_IFTYPE_STATION:
3667 /* 4-addr is harder to deal with, later maybe */
3668 if (sdata->u.mgd.use_4addr)
3669 goto clear;
3670 /* software powersave is a huge mess, avoid all of it */
3671 if (ieee80211_hw_check(&local->hw, PS_NULLFUNC_STACK))
3672 goto clear;
3673 if (ieee80211_hw_check(&local->hw, SUPPORTS_PS) &&
3674 !ieee80211_hw_check(&local->hw, SUPPORTS_DYNAMIC_PS))
3675 goto clear;
3676 if (sta->sta.tdls) {
3677 fastrx.da_offs = offsetof(struct ieee80211_hdr, addr1);
3678 fastrx.sa_offs = offsetof(struct ieee80211_hdr, addr2);
3679 fastrx.expected_ds_bits = 0;
3680 } else {
3681 fastrx.sta_notify = sdata->u.mgd.probe_send_count > 0;
3682 fastrx.da_offs = offsetof(struct ieee80211_hdr, addr1);
3683 fastrx.sa_offs = offsetof(struct ieee80211_hdr, addr3);
3684 fastrx.expected_ds_bits =
3685 cpu_to_le16(IEEE80211_FCTL_FROMDS);
3686 }
3687 break;
3688 case NL80211_IFTYPE_AP_VLAN:
3689 case NL80211_IFTYPE_AP:
3690 /* parallel-rx requires this, at least with calls to
3691 * ieee80211_sta_ps_transition()
3692 */
3693 if (!ieee80211_hw_check(&local->hw, AP_LINK_PS))
3694 goto clear;
3695 fastrx.da_offs = offsetof(struct ieee80211_hdr, addr3);
3696 fastrx.sa_offs = offsetof(struct ieee80211_hdr, addr2);
3697 fastrx.expected_ds_bits = cpu_to_le16(IEEE80211_FCTL_TODS);
3698
3699 fastrx.internal_forward =
3700 !(sdata->flags & IEEE80211_SDATA_DONT_BRIDGE_PACKETS) &&
3701 (sdata->vif.type != NL80211_IFTYPE_AP_VLAN ||
3702 !sdata->u.vlan.sta);
3703 break;
3704 default:
3705 goto clear;
3706 }
3707
3708 if (!test_sta_flag(sta, WLAN_STA_AUTHORIZED))
3709 goto clear;
3710
3711 rcu_read_lock();
3712 key = rcu_dereference(sta->ptk[sta->ptk_idx]);
3713 if (key) {
3714 switch (key->conf.cipher) {
3715 case WLAN_CIPHER_SUITE_TKIP:
3716 /* we don't want to deal with MMIC in fast-rx */
3717 goto clear_rcu;
3718 case WLAN_CIPHER_SUITE_CCMP:
3719 case WLAN_CIPHER_SUITE_CCMP_256:
3720 case WLAN_CIPHER_SUITE_GCMP:
3721 case WLAN_CIPHER_SUITE_GCMP_256:
3722 break;
3723 default:
3724 /* we also don't want to deal with WEP or cipher scheme
3725 * since those require looking up the key idx in the
3726 * frame, rather than assuming the PTK is used
3727 * (we need to revisit this once we implement the real
3728 * PTK index, which is now valid in the spec, but we
3729 * haven't implemented that part yet)
3730 */
3731 goto clear_rcu;
3732 }
3733
3734 fastrx.key = true;
3735 fastrx.icv_len = key->conf.icv_len;
3736 }
3737
3738 assign = true;
3739 clear_rcu:
3740 rcu_read_unlock();
3741 clear:
3742 __release(check_fast_rx);
3743
3744 if (assign)
3745 new = kmemdup(&fastrx, sizeof(fastrx), GFP_KERNEL);
3746
3747 spin_lock_bh(&sta->lock);
3748 old = rcu_dereference_protected(sta->fast_rx, true);
3749 rcu_assign_pointer(sta->fast_rx, new);
3750 spin_unlock_bh(&sta->lock);
3751
3752 if (old)
3753 kfree_rcu(old, rcu_head);
3754}
3755
3756void ieee80211_clear_fast_rx(struct sta_info *sta)
3757{
3758 struct ieee80211_fast_rx *old;
3759
3760 spin_lock_bh(&sta->lock);
3761 old = rcu_dereference_protected(sta->fast_rx, true);
3762 RCU_INIT_POINTER(sta->fast_rx, NULL);
3763 spin_unlock_bh(&sta->lock);
3764
3765 if (old)
3766 kfree_rcu(old, rcu_head);
3767}
3768
3769void __ieee80211_check_fast_rx_iface(struct ieee80211_sub_if_data *sdata)
3770{
3771 struct ieee80211_local *local = sdata->local;
3772 struct sta_info *sta;
3773
3774 lockdep_assert_held(&local->sta_mtx);
3775
3776 list_for_each_entry_rcu(sta, &local->sta_list, list) {
3777 if (sdata != sta->sdata &&
3778 (!sta->sdata->bss || sta->sdata->bss != sdata->bss))
3779 continue;
3780 ieee80211_check_fast_rx(sta);
3781 }
3782}
3783
3784void ieee80211_check_fast_rx_iface(struct ieee80211_sub_if_data *sdata)
3785{
3786 struct ieee80211_local *local = sdata->local;
3787
3788 mutex_lock(&local->sta_mtx);
3789 __ieee80211_check_fast_rx_iface(sdata);
3790 mutex_unlock(&local->sta_mtx);
3791}
3792
3793static bool ieee80211_invoke_fast_rx(struct ieee80211_rx_data *rx,
3794 struct ieee80211_fast_rx *fast_rx)
3795{
3796 struct sk_buff *skb = rx->skb;
3797 struct ieee80211_hdr *hdr = (void *)skb->data;
3798 struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(skb);
3799 struct sta_info *sta = rx->sta;
3800 int orig_len = skb->len;
3801 int snap_offs = ieee80211_hdrlen(hdr->frame_control);
3802 struct {
3803 u8 snap[sizeof(rfc1042_header)];
3804 __be16 proto;
3805 } *payload __aligned(2);
3806 struct {
3807 u8 da[ETH_ALEN];
3808 u8 sa[ETH_ALEN];
3809 } addrs __aligned(2);
3810 struct ieee80211_sta_rx_stats *stats = &sta->rx_stats;
3811
3812 if (fast_rx->uses_rss)
3813 stats = this_cpu_ptr(sta->pcpu_rx_stats);
3814
3815 /* for parallel-rx, we need to have DUP_VALIDATED, otherwise we write
3816 * to a common data structure; drivers can implement that per queue
3817 * but we don't have that information in mac80211
3818 */
3819 if (!(status->flag & RX_FLAG_DUP_VALIDATED))
3820 return false;
3821
3822#define FAST_RX_CRYPT_FLAGS (RX_FLAG_PN_VALIDATED | RX_FLAG_DECRYPTED)
3823
3824 /* If using encryption, we also need to have:
3825 * - PN_VALIDATED: similar, but the implementation is tricky
3826 * - DECRYPTED: necessary for PN_VALIDATED
3827 */
3828 if (fast_rx->key &&
3829 (status->flag & FAST_RX_CRYPT_FLAGS) != FAST_RX_CRYPT_FLAGS)
3830 return false;
3831
3832 /* we don't deal with A-MSDU deaggregation here */
3833 if (status->rx_flags & IEEE80211_RX_AMSDU)
3834 return false;
3835
3836 if (unlikely(!ieee80211_is_data_present(hdr->frame_control)))
3837 return false;
3838
3839 if (unlikely(ieee80211_is_frag(hdr)))
3840 return false;
3841
3842 /* Since our interface address cannot be multicast, this
3843 * implicitly also rejects multicast frames without the
3844 * explicit check.
3845 *
3846 * We shouldn't get any *data* frames not addressed to us
3847 * (AP mode will accept multicast *management* frames), but
3848 * punting here will make it go through the full checks in
3849 * ieee80211_accept_frame().
3850 */
3851 if (!ether_addr_equal(fast_rx->vif_addr, hdr->addr1))
3852 return false;
3853
3854 if ((hdr->frame_control & cpu_to_le16(IEEE80211_FCTL_FROMDS |
3855 IEEE80211_FCTL_TODS)) !=
3856 fast_rx->expected_ds_bits)
3857 goto drop;
3858
3859 /* assign the key to drop unencrypted frames (later)
3860 * and strip the IV/MIC if necessary
3861 */
3862 if (fast_rx->key && !(status->flag & RX_FLAG_IV_STRIPPED)) {
3863 /* GCMP header length is the same */
3864 snap_offs += IEEE80211_CCMP_HDR_LEN;
3865 }
3866
3867 if (!pskb_may_pull(skb, snap_offs + sizeof(*payload)))
3868 goto drop;
3869 payload = (void *)(skb->data + snap_offs);
3870
3871 if (!ether_addr_equal(payload->snap, fast_rx->rfc1042_hdr))
3872 return false;
3873
3874 /* Don't handle these here since they require special code.
3875 * Accept AARP and IPX even though they should come with a
3876 * bridge-tunnel header - but if we get them this way then
3877 * there's little point in discarding them.
3878 */
3879 if (unlikely(payload->proto == cpu_to_be16(ETH_P_TDLS) ||
3880 payload->proto == fast_rx->control_port_protocol))
3881 return false;
3882
3883 /* after this point, don't punt to the slowpath! */
3884
3885 if (rx->key && !(status->flag & RX_FLAG_MIC_STRIPPED) &&
3886 pskb_trim(skb, skb->len - fast_rx->icv_len))
3887 goto drop;
3888
3889 if (unlikely(fast_rx->sta_notify)) {
3890 ieee80211_sta_rx_notify(rx->sdata, hdr);
3891 fast_rx->sta_notify = false;
3892 }
3893
3894 /* statistics part of ieee80211_rx_h_sta_process() */
3895 stats->last_rx = jiffies;
3896 stats->last_rate = sta_stats_encode_rate(status);
3897
3898 stats->fragments++;
3899
3900 if (!(status->flag & RX_FLAG_NO_SIGNAL_VAL)) {
3901 stats->last_signal = status->signal;
3902 if (!fast_rx->uses_rss)
3903 ewma_signal_add(&sta->rx_stats_avg.signal,
3904 -status->signal);
3905 }
3906
3907 if (status->chains) {
3908 int i;
3909
3910 stats->chains = status->chains;
3911 for (i = 0; i < ARRAY_SIZE(status->chain_signal); i++) {
3912 int signal = status->chain_signal[i];
3913
3914 if (!(status->chains & BIT(i)))
3915 continue;
3916
3917 stats->chain_signal_last[i] = signal;
3918 if (!fast_rx->uses_rss)
3919 ewma_signal_add(&sta->rx_stats_avg.chain_signal[i],
3920 -signal);
3921 }
3922 }
3923 /* end of statistics */
3924
3925 if (rx->key && !ieee80211_has_protected(hdr->frame_control))
3926 goto drop;
3927
3928 /* do the header conversion - first grab the addresses */
3929 ether_addr_copy(addrs.da, skb->data + fast_rx->da_offs);
3930 ether_addr_copy(addrs.sa, skb->data + fast_rx->sa_offs);
3931 /* remove the SNAP but leave the ethertype */
3932 skb_pull(skb, snap_offs + sizeof(rfc1042_header));
3933 /* push the addresses in front */
3934 memcpy(skb_push(skb, sizeof(addrs)), &addrs, sizeof(addrs));
3935
3936 skb->dev = fast_rx->dev;
3937
3938 ieee80211_rx_stats(fast_rx->dev, skb->len);
3939
3940 /* The seqno index has the same property as needed
3941 * for the rx_msdu field, i.e. it is IEEE80211_NUM_TIDS
3942 * for non-QoS-data frames. Here we know it's a data
3943 * frame, so count MSDUs.
3944 */
3945 u64_stats_update_begin(&stats->syncp);
3946 stats->msdu[rx->seqno_idx]++;
3947 stats->bytes += orig_len;
3948 u64_stats_update_end(&stats->syncp);
3949
3950 if (fast_rx->internal_forward) {
3951 struct sk_buff *xmit_skb = NULL;
3952 bool multicast = is_multicast_ether_addr(skb->data);
3953
3954 if (multicast) {
3955 xmit_skb = skb_copy(skb, GFP_ATOMIC);
3956 } else if (sta_info_get(rx->sdata, skb->data)) {
3957 xmit_skb = skb;
3958 skb = NULL;
3959 }
3960
3961 if (xmit_skb) {
3962 /*
3963 * Send to wireless media and increase priority by 256
3964 * to keep the received priority instead of
3965 * reclassifying the frame (see cfg80211_classify8021d).
3966 */
3967 xmit_skb->priority += 256;
3968 xmit_skb->protocol = htons(ETH_P_802_3);
3969 skb_reset_network_header(xmit_skb);
3970 skb_reset_mac_header(xmit_skb);
3971 dev_queue_xmit(xmit_skb);
3972 }
3973
3974 if (!skb)
3975 return true;
3976 }
3977
3978 /* deliver to local stack */
3979 skb->protocol = eth_type_trans(skb, fast_rx->dev);
3980 memset(skb->cb, 0, sizeof(skb->cb));
3981 if (rx->napi)
3982 napi_gro_receive(rx->napi, skb);
3983 else
3984 netif_receive_skb(skb);
3985
3986 return true;
3987 drop:
3988 dev_kfree_skb(skb);
3989 stats->dropped++;
3990 return true;
3991}
3992
3993/*
3994 * This function returns whether or not the SKB
3995 * was destined for RX processing or not, which,
3996 * if consume is true, is equivalent to whether
3997 * or not the skb was consumed.
3998 */
3999static bool ieee80211_prepare_and_rx_handle(struct ieee80211_rx_data *rx,
4000 struct sk_buff *skb, bool consume)
4001{
4002 struct ieee80211_local *local = rx->local;
4003 struct ieee80211_sub_if_data *sdata = rx->sdata;
4004
4005 rx->skb = skb;
4006
4007 /* See if we can do fast-rx; if we have to copy we already lost,
4008 * so punt in that case. We should never have to deliver a data
4009 * frame to multiple interfaces anyway.
4010 *
4011 * We skip the ieee80211_accept_frame() call and do the necessary
4012 * checking inside ieee80211_invoke_fast_rx().
4013 */
4014 if (consume && rx->sta) {
4015 struct ieee80211_fast_rx *fast_rx;
4016
4017 fast_rx = rcu_dereference(rx->sta->fast_rx);
4018 if (fast_rx && ieee80211_invoke_fast_rx(rx, fast_rx))
4019 return true;
4020 }
4021
4022 if (!ieee80211_accept_frame(rx))
4023 return false;
4024
4025 if (!consume) {
4026 skb = skb_copy(skb, GFP_ATOMIC);
4027 if (!skb) {
4028 if (net_ratelimit())
4029 wiphy_debug(local->hw.wiphy,
4030 "failed to copy skb for %s\n",
4031 sdata->name);
4032 return true;
4033 }
4034
4035 rx->skb = skb;
4036 }
4037
4038 ieee80211_invoke_rx_handlers(rx);
4039 return true;
4040}
4041
4042/*
4043 * This is the actual Rx frames handler. as it belongs to Rx path it must
4044 * be called with rcu_read_lock protection.
4045 */
4046static void __ieee80211_rx_handle_packet(struct ieee80211_hw *hw,
4047 struct ieee80211_sta *pubsta,
4048 struct sk_buff *skb,
4049 struct napi_struct *napi)
4050{
4051 struct ieee80211_local *local = hw_to_local(hw);
4052 struct ieee80211_sub_if_data *sdata;
4053 struct ieee80211_hdr *hdr;
4054 __le16 fc;
4055 struct ieee80211_rx_data rx;
4056 struct ieee80211_sub_if_data *prev;
4057 struct rhlist_head *tmp;
4058 int err = 0;
4059
4060 fc = ((struct ieee80211_hdr *)skb->data)->frame_control;
4061 memset(&rx, 0, sizeof(rx));
4062 rx.skb = skb;
4063 rx.local = local;
4064 rx.napi = napi;
4065
4066 if (ieee80211_is_data(fc) || ieee80211_is_mgmt(fc))
4067 I802_DEBUG_INC(local->dot11ReceivedFragmentCount);
4068
4069 if (ieee80211_is_mgmt(fc)) {
4070 /* drop frame if too short for header */
4071 if (skb->len < ieee80211_hdrlen(fc))
4072 err = -ENOBUFS;
4073 else
4074 err = skb_linearize(skb);
4075 } else {
4076 err = !pskb_may_pull(skb, ieee80211_hdrlen(fc));
4077 }
4078
4079 if (err) {
4080 dev_kfree_skb(skb);
4081 return;
4082 }
4083
4084 hdr = (struct ieee80211_hdr *)skb->data;
4085 ieee80211_parse_qos(&rx);
4086 ieee80211_verify_alignment(&rx);
4087
4088 if (unlikely(ieee80211_is_probe_resp(hdr->frame_control) ||
4089 ieee80211_is_beacon(hdr->frame_control)))
4090 ieee80211_scan_rx(local, skb);
4091
4092 if (ieee80211_is_data(fc)) {
4093 struct sta_info *sta, *prev_sta;
4094
4095 if (pubsta) {
4096 rx.sta = container_of(pubsta, struct sta_info, sta);
4097 rx.sdata = rx.sta->sdata;
4098 if (ieee80211_prepare_and_rx_handle(&rx, skb, true))
4099 return;
4100 goto out;
4101 }
4102
4103 prev_sta = NULL;
4104
4105 for_each_sta_info(local, hdr->addr2, sta, tmp) {
4106 if (!prev_sta) {
4107 prev_sta = sta;
4108 continue;
4109 }
4110
4111 rx.sta = prev_sta;
4112 rx.sdata = prev_sta->sdata;
4113 ieee80211_prepare_and_rx_handle(&rx, skb, false);
4114
4115 prev_sta = sta;
4116 }
4117
4118 if (prev_sta) {
4119 rx.sta = prev_sta;
4120 rx.sdata = prev_sta->sdata;
4121
4122 if (ieee80211_prepare_and_rx_handle(&rx, skb, true))
4123 return;
4124 goto out;
4125 }
4126 }
4127
4128 prev = NULL;
4129
4130 list_for_each_entry_rcu(sdata, &local->interfaces, list) {
4131 if (!ieee80211_sdata_running(sdata))
4132 continue;
4133
4134 if (sdata->vif.type == NL80211_IFTYPE_MONITOR ||
4135 sdata->vif.type == NL80211_IFTYPE_AP_VLAN)
4136 continue;
4137
4138 /*
4139 * frame is destined for this interface, but if it's
4140 * not also for the previous one we handle that after
4141 * the loop to avoid copying the SKB once too much
4142 */
4143
4144 if (!prev) {
4145 prev = sdata;
4146 continue;
4147 }
4148
4149 rx.sta = sta_info_get_bss(prev, hdr->addr2);
4150 rx.sdata = prev;
4151 ieee80211_prepare_and_rx_handle(&rx, skb, false);
4152
4153 prev = sdata;
4154 }
4155
4156 if (prev) {
4157 rx.sta = sta_info_get_bss(prev, hdr->addr2);
4158 rx.sdata = prev;
4159
4160 if (ieee80211_prepare_and_rx_handle(&rx, skb, true))
4161 return;
4162 }
4163
4164 out:
4165 dev_kfree_skb(skb);
4166}
4167
4168/*
4169 * This is the receive path handler. It is called by a low level driver when an
4170 * 802.11 MPDU is received from the hardware.
4171 */
4172void ieee80211_rx_napi(struct ieee80211_hw *hw, struct ieee80211_sta *pubsta,
4173 struct sk_buff *skb, struct napi_struct *napi)
4174{
4175 struct ieee80211_local *local = hw_to_local(hw);
4176 struct ieee80211_rate *rate = NULL;
4177 struct ieee80211_supported_band *sband;
4178 struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(skb);
4179
4180 WARN_ON_ONCE(softirq_count() == 0);
4181
4182 if (WARN_ON(status->band >= NUM_NL80211_BANDS))
4183 goto drop;
4184
4185 sband = local->hw.wiphy->bands[status->band];
4186 if (WARN_ON(!sband))
4187 goto drop;
4188
4189 /*
4190 * If we're suspending, it is possible although not too likely
4191 * that we'd be receiving frames after having already partially
4192 * quiesced the stack. We can't process such frames then since
4193 * that might, for example, cause stations to be added or other
4194 * driver callbacks be invoked.
4195 */
4196 if (unlikely(local->quiescing || local->suspended))
4197 goto drop;
4198
4199 /* We might be during a HW reconfig, prevent Rx for the same reason */
4200 if (unlikely(local->in_reconfig))
4201 goto drop;
4202
4203 /*
4204 * The same happens when we're not even started,
4205 * but that's worth a warning.
4206 */
4207 if (WARN_ON(!local->started))
4208 goto drop;
4209
4210 if (likely(!(status->flag & RX_FLAG_FAILED_PLCP_CRC))) {
4211 /*
4212 * Validate the rate, unless a PLCP error means that
4213 * we probably can't have a valid rate here anyway.
4214 */
4215
4216 if (status->flag & RX_FLAG_HT) {
4217 /*
4218 * rate_idx is MCS index, which can be [0-76]
4219 * as documented on:
4220 *
4221 * http://wireless.kernel.org/en/developers/Documentation/ieee80211/802.11n
4222 *
4223 * Anything else would be some sort of driver or
4224 * hardware error. The driver should catch hardware
4225 * errors.
4226 */
4227 if (WARN(status->rate_idx > 76,
4228 "Rate marked as an HT rate but passed "
4229 "status->rate_idx is not "
4230 "an MCS index [0-76]: %d (0x%02x)\n",
4231 status->rate_idx,
4232 status->rate_idx))
4233 goto drop;
4234 } else if (status->flag & RX_FLAG_VHT) {
4235 if (WARN_ONCE(status->rate_idx > 9 ||
4236 !status->vht_nss ||
4237 status->vht_nss > 8,
4238 "Rate marked as a VHT rate but data is invalid: MCS: %d, NSS: %d\n",
4239 status->rate_idx, status->vht_nss))
4240 goto drop;
4241 } else {
4242 if (WARN_ON(status->rate_idx >= sband->n_bitrates))
4243 goto drop;
4244 rate = &sband->bitrates[status->rate_idx];
4245 }
4246 }
4247
4248 status->rx_flags = 0;
4249
4250 /*
4251 * key references and virtual interfaces are protected using RCU
4252 * and this requires that we are in a read-side RCU section during
4253 * receive processing
4254 */
4255 rcu_read_lock();
4256
4257 /*
4258 * Frames with failed FCS/PLCP checksum are not returned,
4259 * all other frames are returned without radiotap header
4260 * if it was previously present.
4261 * Also, frames with less than 16 bytes are dropped.
4262 */
4263 skb = ieee80211_rx_monitor(local, skb, rate);
4264 if (!skb) {
4265 rcu_read_unlock();
4266 return;
4267 }
4268
4269 ieee80211_tpt_led_trig_rx(local,
4270 ((struct ieee80211_hdr *)skb->data)->frame_control,
4271 skb->len);
4272
4273 __ieee80211_rx_handle_packet(hw, pubsta, skb, napi);
4274
4275 rcu_read_unlock();
4276
4277 return;
4278 drop:
4279 kfree_skb(skb);
4280}
4281EXPORT_SYMBOL(ieee80211_rx_napi);
4282
4283/* This is a version of the rx handler that can be called from hard irq
4284 * context. Post the skb on the queue and schedule the tasklet */
4285void ieee80211_rx_irqsafe(struct ieee80211_hw *hw, struct sk_buff *skb)
4286{
4287 struct ieee80211_local *local = hw_to_local(hw);
4288
4289 BUILD_BUG_ON(sizeof(struct ieee80211_rx_status) > sizeof(skb->cb));
4290
4291 skb->pkt_type = IEEE80211_RX_MSG;
4292 skb_queue_tail(&local->skb_queue, skb);
4293 tasklet_schedule(&local->tasklet);
4294}
4295EXPORT_SYMBOL(ieee80211_rx_irqsafe);
1// SPDX-License-Identifier: GPL-2.0-only
2/*
3 * Copyright 2002-2005, Instant802 Networks, Inc.
4 * Copyright 2005-2006, Devicescape Software, Inc.
5 * Copyright 2006-2007 Jiri Benc <jbenc@suse.cz>
6 * Copyright 2007-2010 Johannes Berg <johannes@sipsolutions.net>
7 * Copyright 2013-2014 Intel Mobile Communications GmbH
8 * Copyright(c) 2015 - 2017 Intel Deutschland GmbH
9 * Copyright (C) 2018-2019 Intel Corporation
10 */
11
12#include <linux/jiffies.h>
13#include <linux/slab.h>
14#include <linux/kernel.h>
15#include <linux/skbuff.h>
16#include <linux/netdevice.h>
17#include <linux/etherdevice.h>
18#include <linux/rcupdate.h>
19#include <linux/export.h>
20#include <linux/bitops.h>
21#include <net/mac80211.h>
22#include <net/ieee80211_radiotap.h>
23#include <asm/unaligned.h>
24
25#include "ieee80211_i.h"
26#include "driver-ops.h"
27#include "led.h"
28#include "mesh.h"
29#include "wep.h"
30#include "wpa.h"
31#include "tkip.h"
32#include "wme.h"
33#include "rate.h"
34
35static inline void ieee80211_rx_stats(struct net_device *dev, u32 len)
36{
37 struct pcpu_sw_netstats *tstats = this_cpu_ptr(dev->tstats);
38
39 u64_stats_update_begin(&tstats->syncp);
40 tstats->rx_packets++;
41 tstats->rx_bytes += len;
42 u64_stats_update_end(&tstats->syncp);
43}
44
45static u8 *ieee80211_get_bssid(struct ieee80211_hdr *hdr, size_t len,
46 enum nl80211_iftype type)
47{
48 __le16 fc = hdr->frame_control;
49
50 if (ieee80211_is_data(fc)) {
51 if (len < 24) /* drop incorrect hdr len (data) */
52 return NULL;
53
54 if (ieee80211_has_a4(fc))
55 return NULL;
56 if (ieee80211_has_tods(fc))
57 return hdr->addr1;
58 if (ieee80211_has_fromds(fc))
59 return hdr->addr2;
60
61 return hdr->addr3;
62 }
63
64 if (ieee80211_is_mgmt(fc)) {
65 if (len < 24) /* drop incorrect hdr len (mgmt) */
66 return NULL;
67 return hdr->addr3;
68 }
69
70 if (ieee80211_is_ctl(fc)) {
71 if (ieee80211_is_pspoll(fc))
72 return hdr->addr1;
73
74 if (ieee80211_is_back_req(fc)) {
75 switch (type) {
76 case NL80211_IFTYPE_STATION:
77 return hdr->addr2;
78 case NL80211_IFTYPE_AP:
79 case NL80211_IFTYPE_AP_VLAN:
80 return hdr->addr1;
81 default:
82 break; /* fall through to the return */
83 }
84 }
85 }
86
87 return NULL;
88}
89
90/*
91 * monitor mode reception
92 *
93 * This function cleans up the SKB, i.e. it removes all the stuff
94 * only useful for monitoring.
95 */
96static void remove_monitor_info(struct sk_buff *skb,
97 unsigned int present_fcs_len,
98 unsigned int rtap_space)
99{
100 if (present_fcs_len)
101 __pskb_trim(skb, skb->len - present_fcs_len);
102 __pskb_pull(skb, rtap_space);
103}
104
105static inline bool should_drop_frame(struct sk_buff *skb, int present_fcs_len,
106 unsigned int rtap_space)
107{
108 struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(skb);
109 struct ieee80211_hdr *hdr;
110
111 hdr = (void *)(skb->data + rtap_space);
112
113 if (status->flag & (RX_FLAG_FAILED_FCS_CRC |
114 RX_FLAG_FAILED_PLCP_CRC |
115 RX_FLAG_ONLY_MONITOR |
116 RX_FLAG_NO_PSDU))
117 return true;
118
119 if (unlikely(skb->len < 16 + present_fcs_len + rtap_space))
120 return true;
121
122 if (ieee80211_is_ctl(hdr->frame_control) &&
123 !ieee80211_is_pspoll(hdr->frame_control) &&
124 !ieee80211_is_back_req(hdr->frame_control))
125 return true;
126
127 return false;
128}
129
130static int
131ieee80211_rx_radiotap_hdrlen(struct ieee80211_local *local,
132 struct ieee80211_rx_status *status,
133 struct sk_buff *skb)
134{
135 int len;
136
137 /* always present fields */
138 len = sizeof(struct ieee80211_radiotap_header) + 8;
139
140 /* allocate extra bitmaps */
141 if (status->chains)
142 len += 4 * hweight8(status->chains);
143 /* vendor presence bitmap */
144 if (status->flag & RX_FLAG_RADIOTAP_VENDOR_DATA)
145 len += 4;
146
147 if (ieee80211_have_rx_timestamp(status)) {
148 len = ALIGN(len, 8);
149 len += 8;
150 }
151 if (ieee80211_hw_check(&local->hw, SIGNAL_DBM))
152 len += 1;
153
154 /* antenna field, if we don't have per-chain info */
155 if (!status->chains)
156 len += 1;
157
158 /* padding for RX_FLAGS if necessary */
159 len = ALIGN(len, 2);
160
161 if (status->encoding == RX_ENC_HT) /* HT info */
162 len += 3;
163
164 if (status->flag & RX_FLAG_AMPDU_DETAILS) {
165 len = ALIGN(len, 4);
166 len += 8;
167 }
168
169 if (status->encoding == RX_ENC_VHT) {
170 len = ALIGN(len, 2);
171 len += 12;
172 }
173
174 if (local->hw.radiotap_timestamp.units_pos >= 0) {
175 len = ALIGN(len, 8);
176 len += 12;
177 }
178
179 if (status->encoding == RX_ENC_HE &&
180 status->flag & RX_FLAG_RADIOTAP_HE) {
181 len = ALIGN(len, 2);
182 len += 12;
183 BUILD_BUG_ON(sizeof(struct ieee80211_radiotap_he) != 12);
184 }
185
186 if (status->encoding == RX_ENC_HE &&
187 status->flag & RX_FLAG_RADIOTAP_HE_MU) {
188 len = ALIGN(len, 2);
189 len += 12;
190 BUILD_BUG_ON(sizeof(struct ieee80211_radiotap_he_mu) != 12);
191 }
192
193 if (status->flag & RX_FLAG_NO_PSDU)
194 len += 1;
195
196 if (status->flag & RX_FLAG_RADIOTAP_LSIG) {
197 len = ALIGN(len, 2);
198 len += 4;
199 BUILD_BUG_ON(sizeof(struct ieee80211_radiotap_lsig) != 4);
200 }
201
202 if (status->chains) {
203 /* antenna and antenna signal fields */
204 len += 2 * hweight8(status->chains);
205 }
206
207 if (status->flag & RX_FLAG_RADIOTAP_VENDOR_DATA) {
208 struct ieee80211_vendor_radiotap *rtap;
209 int vendor_data_offset = 0;
210
211 /*
212 * The position to look at depends on the existence (or non-
213 * existence) of other elements, so take that into account...
214 */
215 if (status->flag & RX_FLAG_RADIOTAP_HE)
216 vendor_data_offset +=
217 sizeof(struct ieee80211_radiotap_he);
218 if (status->flag & RX_FLAG_RADIOTAP_HE_MU)
219 vendor_data_offset +=
220 sizeof(struct ieee80211_radiotap_he_mu);
221 if (status->flag & RX_FLAG_RADIOTAP_LSIG)
222 vendor_data_offset +=
223 sizeof(struct ieee80211_radiotap_lsig);
224
225 rtap = (void *)&skb->data[vendor_data_offset];
226
227 /* alignment for fixed 6-byte vendor data header */
228 len = ALIGN(len, 2);
229 /* vendor data header */
230 len += 6;
231 if (WARN_ON(rtap->align == 0))
232 rtap->align = 1;
233 len = ALIGN(len, rtap->align);
234 len += rtap->len + rtap->pad;
235 }
236
237 return len;
238}
239
240static void ieee80211_handle_mu_mimo_mon(struct ieee80211_sub_if_data *sdata,
241 struct sk_buff *skb,
242 int rtap_space)
243{
244 struct {
245 struct ieee80211_hdr_3addr hdr;
246 u8 category;
247 u8 action_code;
248 } __packed __aligned(2) action;
249
250 if (!sdata)
251 return;
252
253 BUILD_BUG_ON(sizeof(action) != IEEE80211_MIN_ACTION_SIZE + 1);
254
255 if (skb->len < rtap_space + sizeof(action) +
256 VHT_MUMIMO_GROUPS_DATA_LEN)
257 return;
258
259 if (!is_valid_ether_addr(sdata->u.mntr.mu_follow_addr))
260 return;
261
262 skb_copy_bits(skb, rtap_space, &action, sizeof(action));
263
264 if (!ieee80211_is_action(action.hdr.frame_control))
265 return;
266
267 if (action.category != WLAN_CATEGORY_VHT)
268 return;
269
270 if (action.action_code != WLAN_VHT_ACTION_GROUPID_MGMT)
271 return;
272
273 if (!ether_addr_equal(action.hdr.addr1, sdata->u.mntr.mu_follow_addr))
274 return;
275
276 skb = skb_copy(skb, GFP_ATOMIC);
277 if (!skb)
278 return;
279
280 skb_queue_tail(&sdata->skb_queue, skb);
281 ieee80211_queue_work(&sdata->local->hw, &sdata->work);
282}
283
284/*
285 * ieee80211_add_rx_radiotap_header - add radiotap header
286 *
287 * add a radiotap header containing all the fields which the hardware provided.
288 */
289static void
290ieee80211_add_rx_radiotap_header(struct ieee80211_local *local,
291 struct sk_buff *skb,
292 struct ieee80211_rate *rate,
293 int rtap_len, bool has_fcs)
294{
295 struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(skb);
296 struct ieee80211_radiotap_header *rthdr;
297 unsigned char *pos;
298 __le32 *it_present;
299 u32 it_present_val;
300 u16 rx_flags = 0;
301 u16 channel_flags = 0;
302 int mpdulen, chain;
303 unsigned long chains = status->chains;
304 struct ieee80211_vendor_radiotap rtap = {};
305 struct ieee80211_radiotap_he he = {};
306 struct ieee80211_radiotap_he_mu he_mu = {};
307 struct ieee80211_radiotap_lsig lsig = {};
308
309 if (status->flag & RX_FLAG_RADIOTAP_HE) {
310 he = *(struct ieee80211_radiotap_he *)skb->data;
311 skb_pull(skb, sizeof(he));
312 WARN_ON_ONCE(status->encoding != RX_ENC_HE);
313 }
314
315 if (status->flag & RX_FLAG_RADIOTAP_HE_MU) {
316 he_mu = *(struct ieee80211_radiotap_he_mu *)skb->data;
317 skb_pull(skb, sizeof(he_mu));
318 }
319
320 if (status->flag & RX_FLAG_RADIOTAP_LSIG) {
321 lsig = *(struct ieee80211_radiotap_lsig *)skb->data;
322 skb_pull(skb, sizeof(lsig));
323 }
324
325 if (status->flag & RX_FLAG_RADIOTAP_VENDOR_DATA) {
326 rtap = *(struct ieee80211_vendor_radiotap *)skb->data;
327 /* rtap.len and rtap.pad are undone immediately */
328 skb_pull(skb, sizeof(rtap) + rtap.len + rtap.pad);
329 }
330
331 mpdulen = skb->len;
332 if (!(has_fcs && ieee80211_hw_check(&local->hw, RX_INCLUDES_FCS)))
333 mpdulen += FCS_LEN;
334
335 rthdr = skb_push(skb, rtap_len);
336 memset(rthdr, 0, rtap_len - rtap.len - rtap.pad);
337 it_present = &rthdr->it_present;
338
339 /* radiotap header, set always present flags */
340 rthdr->it_len = cpu_to_le16(rtap_len);
341 it_present_val = BIT(IEEE80211_RADIOTAP_FLAGS) |
342 BIT(IEEE80211_RADIOTAP_CHANNEL) |
343 BIT(IEEE80211_RADIOTAP_RX_FLAGS);
344
345 if (!status->chains)
346 it_present_val |= BIT(IEEE80211_RADIOTAP_ANTENNA);
347
348 for_each_set_bit(chain, &chains, IEEE80211_MAX_CHAINS) {
349 it_present_val |=
350 BIT(IEEE80211_RADIOTAP_EXT) |
351 BIT(IEEE80211_RADIOTAP_RADIOTAP_NAMESPACE);
352 put_unaligned_le32(it_present_val, it_present);
353 it_present++;
354 it_present_val = BIT(IEEE80211_RADIOTAP_ANTENNA) |
355 BIT(IEEE80211_RADIOTAP_DBM_ANTSIGNAL);
356 }
357
358 if (status->flag & RX_FLAG_RADIOTAP_VENDOR_DATA) {
359 it_present_val |= BIT(IEEE80211_RADIOTAP_VENDOR_NAMESPACE) |
360 BIT(IEEE80211_RADIOTAP_EXT);
361 put_unaligned_le32(it_present_val, it_present);
362 it_present++;
363 it_present_val = rtap.present;
364 }
365
366 put_unaligned_le32(it_present_val, it_present);
367
368 pos = (void *)(it_present + 1);
369
370 /* the order of the following fields is important */
371
372 /* IEEE80211_RADIOTAP_TSFT */
373 if (ieee80211_have_rx_timestamp(status)) {
374 /* padding */
375 while ((pos - (u8 *)rthdr) & 7)
376 *pos++ = 0;
377 put_unaligned_le64(
378 ieee80211_calculate_rx_timestamp(local, status,
379 mpdulen, 0),
380 pos);
381 rthdr->it_present |= cpu_to_le32(1 << IEEE80211_RADIOTAP_TSFT);
382 pos += 8;
383 }
384
385 /* IEEE80211_RADIOTAP_FLAGS */
386 if (has_fcs && ieee80211_hw_check(&local->hw, RX_INCLUDES_FCS))
387 *pos |= IEEE80211_RADIOTAP_F_FCS;
388 if (status->flag & (RX_FLAG_FAILED_FCS_CRC | RX_FLAG_FAILED_PLCP_CRC))
389 *pos |= IEEE80211_RADIOTAP_F_BADFCS;
390 if (status->enc_flags & RX_ENC_FLAG_SHORTPRE)
391 *pos |= IEEE80211_RADIOTAP_F_SHORTPRE;
392 pos++;
393
394 /* IEEE80211_RADIOTAP_RATE */
395 if (!rate || status->encoding != RX_ENC_LEGACY) {
396 /*
397 * Without rate information don't add it. If we have,
398 * MCS information is a separate field in radiotap,
399 * added below. The byte here is needed as padding
400 * for the channel though, so initialise it to 0.
401 */
402 *pos = 0;
403 } else {
404 int shift = 0;
405 rthdr->it_present |= cpu_to_le32(1 << IEEE80211_RADIOTAP_RATE);
406 if (status->bw == RATE_INFO_BW_10)
407 shift = 1;
408 else if (status->bw == RATE_INFO_BW_5)
409 shift = 2;
410 *pos = DIV_ROUND_UP(rate->bitrate, 5 * (1 << shift));
411 }
412 pos++;
413
414 /* IEEE80211_RADIOTAP_CHANNEL */
415 put_unaligned_le16(status->freq, pos);
416 pos += 2;
417 if (status->bw == RATE_INFO_BW_10)
418 channel_flags |= IEEE80211_CHAN_HALF;
419 else if (status->bw == RATE_INFO_BW_5)
420 channel_flags |= IEEE80211_CHAN_QUARTER;
421
422 if (status->band == NL80211_BAND_5GHZ)
423 channel_flags |= IEEE80211_CHAN_OFDM | IEEE80211_CHAN_5GHZ;
424 else if (status->encoding != RX_ENC_LEGACY)
425 channel_flags |= IEEE80211_CHAN_DYN | IEEE80211_CHAN_2GHZ;
426 else if (rate && rate->flags & IEEE80211_RATE_ERP_G)
427 channel_flags |= IEEE80211_CHAN_OFDM | IEEE80211_CHAN_2GHZ;
428 else if (rate)
429 channel_flags |= IEEE80211_CHAN_CCK | IEEE80211_CHAN_2GHZ;
430 else
431 channel_flags |= IEEE80211_CHAN_2GHZ;
432 put_unaligned_le16(channel_flags, pos);
433 pos += 2;
434
435 /* IEEE80211_RADIOTAP_DBM_ANTSIGNAL */
436 if (ieee80211_hw_check(&local->hw, SIGNAL_DBM) &&
437 !(status->flag & RX_FLAG_NO_SIGNAL_VAL)) {
438 *pos = status->signal;
439 rthdr->it_present |=
440 cpu_to_le32(1 << IEEE80211_RADIOTAP_DBM_ANTSIGNAL);
441 pos++;
442 }
443
444 /* IEEE80211_RADIOTAP_LOCK_QUALITY is missing */
445
446 if (!status->chains) {
447 /* IEEE80211_RADIOTAP_ANTENNA */
448 *pos = status->antenna;
449 pos++;
450 }
451
452 /* IEEE80211_RADIOTAP_DB_ANTNOISE is not used */
453
454 /* IEEE80211_RADIOTAP_RX_FLAGS */
455 /* ensure 2 byte alignment for the 2 byte field as required */
456 if ((pos - (u8 *)rthdr) & 1)
457 *pos++ = 0;
458 if (status->flag & RX_FLAG_FAILED_PLCP_CRC)
459 rx_flags |= IEEE80211_RADIOTAP_F_RX_BADPLCP;
460 put_unaligned_le16(rx_flags, pos);
461 pos += 2;
462
463 if (status->encoding == RX_ENC_HT) {
464 unsigned int stbc;
465
466 rthdr->it_present |= cpu_to_le32(1 << IEEE80211_RADIOTAP_MCS);
467 *pos++ = local->hw.radiotap_mcs_details;
468 *pos = 0;
469 if (status->enc_flags & RX_ENC_FLAG_SHORT_GI)
470 *pos |= IEEE80211_RADIOTAP_MCS_SGI;
471 if (status->bw == RATE_INFO_BW_40)
472 *pos |= IEEE80211_RADIOTAP_MCS_BW_40;
473 if (status->enc_flags & RX_ENC_FLAG_HT_GF)
474 *pos |= IEEE80211_RADIOTAP_MCS_FMT_GF;
475 if (status->enc_flags & RX_ENC_FLAG_LDPC)
476 *pos |= IEEE80211_RADIOTAP_MCS_FEC_LDPC;
477 stbc = (status->enc_flags & RX_ENC_FLAG_STBC_MASK) >> RX_ENC_FLAG_STBC_SHIFT;
478 *pos |= stbc << IEEE80211_RADIOTAP_MCS_STBC_SHIFT;
479 pos++;
480 *pos++ = status->rate_idx;
481 }
482
483 if (status->flag & RX_FLAG_AMPDU_DETAILS) {
484 u16 flags = 0;
485
486 /* ensure 4 byte alignment */
487 while ((pos - (u8 *)rthdr) & 3)
488 pos++;
489 rthdr->it_present |=
490 cpu_to_le32(1 << IEEE80211_RADIOTAP_AMPDU_STATUS);
491 put_unaligned_le32(status->ampdu_reference, pos);
492 pos += 4;
493 if (status->flag & RX_FLAG_AMPDU_LAST_KNOWN)
494 flags |= IEEE80211_RADIOTAP_AMPDU_LAST_KNOWN;
495 if (status->flag & RX_FLAG_AMPDU_IS_LAST)
496 flags |= IEEE80211_RADIOTAP_AMPDU_IS_LAST;
497 if (status->flag & RX_FLAG_AMPDU_DELIM_CRC_ERROR)
498 flags |= IEEE80211_RADIOTAP_AMPDU_DELIM_CRC_ERR;
499 if (status->flag & RX_FLAG_AMPDU_DELIM_CRC_KNOWN)
500 flags |= IEEE80211_RADIOTAP_AMPDU_DELIM_CRC_KNOWN;
501 if (status->flag & RX_FLAG_AMPDU_EOF_BIT_KNOWN)
502 flags |= IEEE80211_RADIOTAP_AMPDU_EOF_KNOWN;
503 if (status->flag & RX_FLAG_AMPDU_EOF_BIT)
504 flags |= IEEE80211_RADIOTAP_AMPDU_EOF;
505 put_unaligned_le16(flags, pos);
506 pos += 2;
507 if (status->flag & RX_FLAG_AMPDU_DELIM_CRC_KNOWN)
508 *pos++ = status->ampdu_delimiter_crc;
509 else
510 *pos++ = 0;
511 *pos++ = 0;
512 }
513
514 if (status->encoding == RX_ENC_VHT) {
515 u16 known = local->hw.radiotap_vht_details;
516
517 rthdr->it_present |= cpu_to_le32(1 << IEEE80211_RADIOTAP_VHT);
518 put_unaligned_le16(known, pos);
519 pos += 2;
520 /* flags */
521 if (status->enc_flags & RX_ENC_FLAG_SHORT_GI)
522 *pos |= IEEE80211_RADIOTAP_VHT_FLAG_SGI;
523 /* in VHT, STBC is binary */
524 if (status->enc_flags & RX_ENC_FLAG_STBC_MASK)
525 *pos |= IEEE80211_RADIOTAP_VHT_FLAG_STBC;
526 if (status->enc_flags & RX_ENC_FLAG_BF)
527 *pos |= IEEE80211_RADIOTAP_VHT_FLAG_BEAMFORMED;
528 pos++;
529 /* bandwidth */
530 switch (status->bw) {
531 case RATE_INFO_BW_80:
532 *pos++ = 4;
533 break;
534 case RATE_INFO_BW_160:
535 *pos++ = 11;
536 break;
537 case RATE_INFO_BW_40:
538 *pos++ = 1;
539 break;
540 default:
541 *pos++ = 0;
542 }
543 /* MCS/NSS */
544 *pos = (status->rate_idx << 4) | status->nss;
545 pos += 4;
546 /* coding field */
547 if (status->enc_flags & RX_ENC_FLAG_LDPC)
548 *pos |= IEEE80211_RADIOTAP_CODING_LDPC_USER0;
549 pos++;
550 /* group ID */
551 pos++;
552 /* partial_aid */
553 pos += 2;
554 }
555
556 if (local->hw.radiotap_timestamp.units_pos >= 0) {
557 u16 accuracy = 0;
558 u8 flags = IEEE80211_RADIOTAP_TIMESTAMP_FLAG_32BIT;
559
560 rthdr->it_present |=
561 cpu_to_le32(1 << IEEE80211_RADIOTAP_TIMESTAMP);
562
563 /* ensure 8 byte alignment */
564 while ((pos - (u8 *)rthdr) & 7)
565 pos++;
566
567 put_unaligned_le64(status->device_timestamp, pos);
568 pos += sizeof(u64);
569
570 if (local->hw.radiotap_timestamp.accuracy >= 0) {
571 accuracy = local->hw.radiotap_timestamp.accuracy;
572 flags |= IEEE80211_RADIOTAP_TIMESTAMP_FLAG_ACCURACY;
573 }
574 put_unaligned_le16(accuracy, pos);
575 pos += sizeof(u16);
576
577 *pos++ = local->hw.radiotap_timestamp.units_pos;
578 *pos++ = flags;
579 }
580
581 if (status->encoding == RX_ENC_HE &&
582 status->flag & RX_FLAG_RADIOTAP_HE) {
583#define HE_PREP(f, val) le16_encode_bits(val, IEEE80211_RADIOTAP_HE_##f)
584
585 if (status->enc_flags & RX_ENC_FLAG_STBC_MASK) {
586 he.data6 |= HE_PREP(DATA6_NSTS,
587 FIELD_GET(RX_ENC_FLAG_STBC_MASK,
588 status->enc_flags));
589 he.data3 |= HE_PREP(DATA3_STBC, 1);
590 } else {
591 he.data6 |= HE_PREP(DATA6_NSTS, status->nss);
592 }
593
594#define CHECK_GI(s) \
595 BUILD_BUG_ON(IEEE80211_RADIOTAP_HE_DATA5_GI_##s != \
596 (int)NL80211_RATE_INFO_HE_GI_##s)
597
598 CHECK_GI(0_8);
599 CHECK_GI(1_6);
600 CHECK_GI(3_2);
601
602 he.data3 |= HE_PREP(DATA3_DATA_MCS, status->rate_idx);
603 he.data3 |= HE_PREP(DATA3_DATA_DCM, status->he_dcm);
604 he.data3 |= HE_PREP(DATA3_CODING,
605 !!(status->enc_flags & RX_ENC_FLAG_LDPC));
606
607 he.data5 |= HE_PREP(DATA5_GI, status->he_gi);
608
609 switch (status->bw) {
610 case RATE_INFO_BW_20:
611 he.data5 |= HE_PREP(DATA5_DATA_BW_RU_ALLOC,
612 IEEE80211_RADIOTAP_HE_DATA5_DATA_BW_RU_ALLOC_20MHZ);
613 break;
614 case RATE_INFO_BW_40:
615 he.data5 |= HE_PREP(DATA5_DATA_BW_RU_ALLOC,
616 IEEE80211_RADIOTAP_HE_DATA5_DATA_BW_RU_ALLOC_40MHZ);
617 break;
618 case RATE_INFO_BW_80:
619 he.data5 |= HE_PREP(DATA5_DATA_BW_RU_ALLOC,
620 IEEE80211_RADIOTAP_HE_DATA5_DATA_BW_RU_ALLOC_80MHZ);
621 break;
622 case RATE_INFO_BW_160:
623 he.data5 |= HE_PREP(DATA5_DATA_BW_RU_ALLOC,
624 IEEE80211_RADIOTAP_HE_DATA5_DATA_BW_RU_ALLOC_160MHZ);
625 break;
626 case RATE_INFO_BW_HE_RU:
627#define CHECK_RU_ALLOC(s) \
628 BUILD_BUG_ON(IEEE80211_RADIOTAP_HE_DATA5_DATA_BW_RU_ALLOC_##s##T != \
629 NL80211_RATE_INFO_HE_RU_ALLOC_##s + 4)
630
631 CHECK_RU_ALLOC(26);
632 CHECK_RU_ALLOC(52);
633 CHECK_RU_ALLOC(106);
634 CHECK_RU_ALLOC(242);
635 CHECK_RU_ALLOC(484);
636 CHECK_RU_ALLOC(996);
637 CHECK_RU_ALLOC(2x996);
638
639 he.data5 |= HE_PREP(DATA5_DATA_BW_RU_ALLOC,
640 status->he_ru + 4);
641 break;
642 default:
643 WARN_ONCE(1, "Invalid SU BW %d\n", status->bw);
644 }
645
646 /* ensure 2 byte alignment */
647 while ((pos - (u8 *)rthdr) & 1)
648 pos++;
649 rthdr->it_present |= cpu_to_le32(1 << IEEE80211_RADIOTAP_HE);
650 memcpy(pos, &he, sizeof(he));
651 pos += sizeof(he);
652 }
653
654 if (status->encoding == RX_ENC_HE &&
655 status->flag & RX_FLAG_RADIOTAP_HE_MU) {
656 /* ensure 2 byte alignment */
657 while ((pos - (u8 *)rthdr) & 1)
658 pos++;
659 rthdr->it_present |= cpu_to_le32(1 << IEEE80211_RADIOTAP_HE_MU);
660 memcpy(pos, &he_mu, sizeof(he_mu));
661 pos += sizeof(he_mu);
662 }
663
664 if (status->flag & RX_FLAG_NO_PSDU) {
665 rthdr->it_present |=
666 cpu_to_le32(1 << IEEE80211_RADIOTAP_ZERO_LEN_PSDU);
667 *pos++ = status->zero_length_psdu_type;
668 }
669
670 if (status->flag & RX_FLAG_RADIOTAP_LSIG) {
671 /* ensure 2 byte alignment */
672 while ((pos - (u8 *)rthdr) & 1)
673 pos++;
674 rthdr->it_present |= cpu_to_le32(1 << IEEE80211_RADIOTAP_LSIG);
675 memcpy(pos, &lsig, sizeof(lsig));
676 pos += sizeof(lsig);
677 }
678
679 for_each_set_bit(chain, &chains, IEEE80211_MAX_CHAINS) {
680 *pos++ = status->chain_signal[chain];
681 *pos++ = chain;
682 }
683
684 if (status->flag & RX_FLAG_RADIOTAP_VENDOR_DATA) {
685 /* ensure 2 byte alignment for the vendor field as required */
686 if ((pos - (u8 *)rthdr) & 1)
687 *pos++ = 0;
688 *pos++ = rtap.oui[0];
689 *pos++ = rtap.oui[1];
690 *pos++ = rtap.oui[2];
691 *pos++ = rtap.subns;
692 put_unaligned_le16(rtap.len, pos);
693 pos += 2;
694 /* align the actual payload as requested */
695 while ((pos - (u8 *)rthdr) & (rtap.align - 1))
696 *pos++ = 0;
697 /* data (and possible padding) already follows */
698 }
699}
700
701static struct sk_buff *
702ieee80211_make_monitor_skb(struct ieee80211_local *local,
703 struct sk_buff **origskb,
704 struct ieee80211_rate *rate,
705 int rtap_space, bool use_origskb)
706{
707 struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(*origskb);
708 int rt_hdrlen, needed_headroom;
709 struct sk_buff *skb;
710
711 /* room for the radiotap header based on driver features */
712 rt_hdrlen = ieee80211_rx_radiotap_hdrlen(local, status, *origskb);
713 needed_headroom = rt_hdrlen - rtap_space;
714
715 if (use_origskb) {
716 /* only need to expand headroom if necessary */
717 skb = *origskb;
718 *origskb = NULL;
719
720 /*
721 * This shouldn't trigger often because most devices have an
722 * RX header they pull before we get here, and that should
723 * be big enough for our radiotap information. We should
724 * probably export the length to drivers so that we can have
725 * them allocate enough headroom to start with.
726 */
727 if (skb_headroom(skb) < needed_headroom &&
728 pskb_expand_head(skb, needed_headroom, 0, GFP_ATOMIC)) {
729 dev_kfree_skb(skb);
730 return NULL;
731 }
732 } else {
733 /*
734 * Need to make a copy and possibly remove radiotap header
735 * and FCS from the original.
736 */
737 skb = skb_copy_expand(*origskb, needed_headroom, 0, GFP_ATOMIC);
738
739 if (!skb)
740 return NULL;
741 }
742
743 /* prepend radiotap information */
744 ieee80211_add_rx_radiotap_header(local, skb, rate, rt_hdrlen, true);
745
746 skb_reset_mac_header(skb);
747 skb->ip_summed = CHECKSUM_UNNECESSARY;
748 skb->pkt_type = PACKET_OTHERHOST;
749 skb->protocol = htons(ETH_P_802_2);
750
751 return skb;
752}
753
754/*
755 * This function copies a received frame to all monitor interfaces and
756 * returns a cleaned-up SKB that no longer includes the FCS nor the
757 * radiotap header the driver might have added.
758 */
759static struct sk_buff *
760ieee80211_rx_monitor(struct ieee80211_local *local, struct sk_buff *origskb,
761 struct ieee80211_rate *rate)
762{
763 struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(origskb);
764 struct ieee80211_sub_if_data *sdata;
765 struct sk_buff *monskb = NULL;
766 int present_fcs_len = 0;
767 unsigned int rtap_space = 0;
768 struct ieee80211_sub_if_data *monitor_sdata =
769 rcu_dereference(local->monitor_sdata);
770 bool only_monitor = false;
771 unsigned int min_head_len;
772
773 if (status->flag & RX_FLAG_RADIOTAP_HE)
774 rtap_space += sizeof(struct ieee80211_radiotap_he);
775
776 if (status->flag & RX_FLAG_RADIOTAP_HE_MU)
777 rtap_space += sizeof(struct ieee80211_radiotap_he_mu);
778
779 if (status->flag & RX_FLAG_RADIOTAP_LSIG)
780 rtap_space += sizeof(struct ieee80211_radiotap_lsig);
781
782 if (unlikely(status->flag & RX_FLAG_RADIOTAP_VENDOR_DATA)) {
783 struct ieee80211_vendor_radiotap *rtap =
784 (void *)(origskb->data + rtap_space);
785
786 rtap_space += sizeof(*rtap) + rtap->len + rtap->pad;
787 }
788
789 min_head_len = rtap_space;
790
791 /*
792 * First, we may need to make a copy of the skb because
793 * (1) we need to modify it for radiotap (if not present), and
794 * (2) the other RX handlers will modify the skb we got.
795 *
796 * We don't need to, of course, if we aren't going to return
797 * the SKB because it has a bad FCS/PLCP checksum.
798 */
799
800 if (!(status->flag & RX_FLAG_NO_PSDU)) {
801 if (ieee80211_hw_check(&local->hw, RX_INCLUDES_FCS)) {
802 if (unlikely(origskb->len <= FCS_LEN + rtap_space)) {
803 /* driver bug */
804 WARN_ON(1);
805 dev_kfree_skb(origskb);
806 return NULL;
807 }
808 present_fcs_len = FCS_LEN;
809 }
810
811 /* also consider the hdr->frame_control */
812 min_head_len += 2;
813 }
814
815 /* ensure that the expected data elements are in skb head */
816 if (!pskb_may_pull(origskb, min_head_len)) {
817 dev_kfree_skb(origskb);
818 return NULL;
819 }
820
821 only_monitor = should_drop_frame(origskb, present_fcs_len, rtap_space);
822
823 if (!local->monitors || (status->flag & RX_FLAG_SKIP_MONITOR)) {
824 if (only_monitor) {
825 dev_kfree_skb(origskb);
826 return NULL;
827 }
828
829 remove_monitor_info(origskb, present_fcs_len, rtap_space);
830 return origskb;
831 }
832
833 ieee80211_handle_mu_mimo_mon(monitor_sdata, origskb, rtap_space);
834
835 list_for_each_entry_rcu(sdata, &local->mon_list, u.mntr.list) {
836 bool last_monitor = list_is_last(&sdata->u.mntr.list,
837 &local->mon_list);
838
839 if (!monskb)
840 monskb = ieee80211_make_monitor_skb(local, &origskb,
841 rate, rtap_space,
842 only_monitor &&
843 last_monitor);
844
845 if (monskb) {
846 struct sk_buff *skb;
847
848 if (last_monitor) {
849 skb = monskb;
850 monskb = NULL;
851 } else {
852 skb = skb_clone(monskb, GFP_ATOMIC);
853 }
854
855 if (skb) {
856 skb->dev = sdata->dev;
857 ieee80211_rx_stats(skb->dev, skb->len);
858 netif_receive_skb(skb);
859 }
860 }
861
862 if (last_monitor)
863 break;
864 }
865
866 /* this happens if last_monitor was erroneously false */
867 dev_kfree_skb(monskb);
868
869 /* ditto */
870 if (!origskb)
871 return NULL;
872
873 remove_monitor_info(origskb, present_fcs_len, rtap_space);
874 return origskb;
875}
876
877static void ieee80211_parse_qos(struct ieee80211_rx_data *rx)
878{
879 struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)rx->skb->data;
880 struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(rx->skb);
881 int tid, seqno_idx, security_idx;
882
883 /* does the frame have a qos control field? */
884 if (ieee80211_is_data_qos(hdr->frame_control)) {
885 u8 *qc = ieee80211_get_qos_ctl(hdr);
886 /* frame has qos control */
887 tid = *qc & IEEE80211_QOS_CTL_TID_MASK;
888 if (*qc & IEEE80211_QOS_CTL_A_MSDU_PRESENT)
889 status->rx_flags |= IEEE80211_RX_AMSDU;
890
891 seqno_idx = tid;
892 security_idx = tid;
893 } else {
894 /*
895 * IEEE 802.11-2007, 7.1.3.4.1 ("Sequence Number field"):
896 *
897 * Sequence numbers for management frames, QoS data
898 * frames with a broadcast/multicast address in the
899 * Address 1 field, and all non-QoS data frames sent
900 * by QoS STAs are assigned using an additional single
901 * modulo-4096 counter, [...]
902 *
903 * We also use that counter for non-QoS STAs.
904 */
905 seqno_idx = IEEE80211_NUM_TIDS;
906 security_idx = 0;
907 if (ieee80211_is_mgmt(hdr->frame_control))
908 security_idx = IEEE80211_NUM_TIDS;
909 tid = 0;
910 }
911
912 rx->seqno_idx = seqno_idx;
913 rx->security_idx = security_idx;
914 /* Set skb->priority to 1d tag if highest order bit of TID is not set.
915 * For now, set skb->priority to 0 for other cases. */
916 rx->skb->priority = (tid > 7) ? 0 : tid;
917}
918
919/**
920 * DOC: Packet alignment
921 *
922 * Drivers always need to pass packets that are aligned to two-byte boundaries
923 * to the stack.
924 *
925 * Additionally, should, if possible, align the payload data in a way that
926 * guarantees that the contained IP header is aligned to a four-byte
927 * boundary. In the case of regular frames, this simply means aligning the
928 * payload to a four-byte boundary (because either the IP header is directly
929 * contained, or IV/RFC1042 headers that have a length divisible by four are
930 * in front of it). If the payload data is not properly aligned and the
931 * architecture doesn't support efficient unaligned operations, mac80211
932 * will align the data.
933 *
934 * With A-MSDU frames, however, the payload data address must yield two modulo
935 * four because there are 14-byte 802.3 headers within the A-MSDU frames that
936 * push the IP header further back to a multiple of four again. Thankfully, the
937 * specs were sane enough this time around to require padding each A-MSDU
938 * subframe to a length that is a multiple of four.
939 *
940 * Padding like Atheros hardware adds which is between the 802.11 header and
941 * the payload is not supported, the driver is required to move the 802.11
942 * header to be directly in front of the payload in that case.
943 */
944static void ieee80211_verify_alignment(struct ieee80211_rx_data *rx)
945{
946#ifdef CONFIG_MAC80211_VERBOSE_DEBUG
947 WARN_ON_ONCE((unsigned long)rx->skb->data & 1);
948#endif
949}
950
951
952/* rx handlers */
953
954static int ieee80211_is_unicast_robust_mgmt_frame(struct sk_buff *skb)
955{
956 struct ieee80211_hdr *hdr = (struct ieee80211_hdr *) skb->data;
957
958 if (is_multicast_ether_addr(hdr->addr1))
959 return 0;
960
961 return ieee80211_is_robust_mgmt_frame(skb);
962}
963
964
965static int ieee80211_is_multicast_robust_mgmt_frame(struct sk_buff *skb)
966{
967 struct ieee80211_hdr *hdr = (struct ieee80211_hdr *) skb->data;
968
969 if (!is_multicast_ether_addr(hdr->addr1))
970 return 0;
971
972 return ieee80211_is_robust_mgmt_frame(skb);
973}
974
975
976/* Get the BIP key index from MMIE; return -1 if this is not a BIP frame */
977static int ieee80211_get_mmie_keyidx(struct sk_buff *skb)
978{
979 struct ieee80211_mgmt *hdr = (struct ieee80211_mgmt *) skb->data;
980 struct ieee80211_mmie *mmie;
981 struct ieee80211_mmie_16 *mmie16;
982
983 if (skb->len < 24 + sizeof(*mmie) || !is_multicast_ether_addr(hdr->da))
984 return -1;
985
986 if (!ieee80211_is_robust_mgmt_frame(skb))
987 return -1; /* not a robust management frame */
988
989 mmie = (struct ieee80211_mmie *)
990 (skb->data + skb->len - sizeof(*mmie));
991 if (mmie->element_id == WLAN_EID_MMIE &&
992 mmie->length == sizeof(*mmie) - 2)
993 return le16_to_cpu(mmie->key_id);
994
995 mmie16 = (struct ieee80211_mmie_16 *)
996 (skb->data + skb->len - sizeof(*mmie16));
997 if (skb->len >= 24 + sizeof(*mmie16) &&
998 mmie16->element_id == WLAN_EID_MMIE &&
999 mmie16->length == sizeof(*mmie16) - 2)
1000 return le16_to_cpu(mmie16->key_id);
1001
1002 return -1;
1003}
1004
1005static int ieee80211_get_keyid(struct sk_buff *skb,
1006 const struct ieee80211_cipher_scheme *cs)
1007{
1008 struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)skb->data;
1009 __le16 fc;
1010 int hdrlen;
1011 int minlen;
1012 u8 key_idx_off;
1013 u8 key_idx_shift;
1014 u8 keyid;
1015
1016 fc = hdr->frame_control;
1017 hdrlen = ieee80211_hdrlen(fc);
1018
1019 if (cs) {
1020 minlen = hdrlen + cs->hdr_len;
1021 key_idx_off = hdrlen + cs->key_idx_off;
1022 key_idx_shift = cs->key_idx_shift;
1023 } else {
1024 /* WEP, TKIP, CCMP and GCMP */
1025 minlen = hdrlen + IEEE80211_WEP_IV_LEN;
1026 key_idx_off = hdrlen + 3;
1027 key_idx_shift = 6;
1028 }
1029
1030 if (unlikely(skb->len < minlen))
1031 return -EINVAL;
1032
1033 skb_copy_bits(skb, key_idx_off, &keyid, 1);
1034
1035 if (cs)
1036 keyid &= cs->key_idx_mask;
1037 keyid >>= key_idx_shift;
1038
1039 /* cs could use more than the usual two bits for the keyid */
1040 if (unlikely(keyid >= NUM_DEFAULT_KEYS))
1041 return -EINVAL;
1042
1043 return keyid;
1044}
1045
1046static ieee80211_rx_result ieee80211_rx_mesh_check(struct ieee80211_rx_data *rx)
1047{
1048 struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)rx->skb->data;
1049 char *dev_addr = rx->sdata->vif.addr;
1050
1051 if (ieee80211_is_data(hdr->frame_control)) {
1052 if (is_multicast_ether_addr(hdr->addr1)) {
1053 if (ieee80211_has_tods(hdr->frame_control) ||
1054 !ieee80211_has_fromds(hdr->frame_control))
1055 return RX_DROP_MONITOR;
1056 if (ether_addr_equal(hdr->addr3, dev_addr))
1057 return RX_DROP_MONITOR;
1058 } else {
1059 if (!ieee80211_has_a4(hdr->frame_control))
1060 return RX_DROP_MONITOR;
1061 if (ether_addr_equal(hdr->addr4, dev_addr))
1062 return RX_DROP_MONITOR;
1063 }
1064 }
1065
1066 /* If there is not an established peer link and this is not a peer link
1067 * establisment frame, beacon or probe, drop the frame.
1068 */
1069
1070 if (!rx->sta || sta_plink_state(rx->sta) != NL80211_PLINK_ESTAB) {
1071 struct ieee80211_mgmt *mgmt;
1072
1073 if (!ieee80211_is_mgmt(hdr->frame_control))
1074 return RX_DROP_MONITOR;
1075
1076 if (ieee80211_is_action(hdr->frame_control)) {
1077 u8 category;
1078
1079 /* make sure category field is present */
1080 if (rx->skb->len < IEEE80211_MIN_ACTION_SIZE)
1081 return RX_DROP_MONITOR;
1082
1083 mgmt = (struct ieee80211_mgmt *)hdr;
1084 category = mgmt->u.action.category;
1085 if (category != WLAN_CATEGORY_MESH_ACTION &&
1086 category != WLAN_CATEGORY_SELF_PROTECTED)
1087 return RX_DROP_MONITOR;
1088 return RX_CONTINUE;
1089 }
1090
1091 if (ieee80211_is_probe_req(hdr->frame_control) ||
1092 ieee80211_is_probe_resp(hdr->frame_control) ||
1093 ieee80211_is_beacon(hdr->frame_control) ||
1094 ieee80211_is_auth(hdr->frame_control))
1095 return RX_CONTINUE;
1096
1097 return RX_DROP_MONITOR;
1098 }
1099
1100 return RX_CONTINUE;
1101}
1102
1103static inline bool ieee80211_rx_reorder_ready(struct tid_ampdu_rx *tid_agg_rx,
1104 int index)
1105{
1106 struct sk_buff_head *frames = &tid_agg_rx->reorder_buf[index];
1107 struct sk_buff *tail = skb_peek_tail(frames);
1108 struct ieee80211_rx_status *status;
1109
1110 if (tid_agg_rx->reorder_buf_filtered & BIT_ULL(index))
1111 return true;
1112
1113 if (!tail)
1114 return false;
1115
1116 status = IEEE80211_SKB_RXCB(tail);
1117 if (status->flag & RX_FLAG_AMSDU_MORE)
1118 return false;
1119
1120 return true;
1121}
1122
1123static void ieee80211_release_reorder_frame(struct ieee80211_sub_if_data *sdata,
1124 struct tid_ampdu_rx *tid_agg_rx,
1125 int index,
1126 struct sk_buff_head *frames)
1127{
1128 struct sk_buff_head *skb_list = &tid_agg_rx->reorder_buf[index];
1129 struct sk_buff *skb;
1130 struct ieee80211_rx_status *status;
1131
1132 lockdep_assert_held(&tid_agg_rx->reorder_lock);
1133
1134 if (skb_queue_empty(skb_list))
1135 goto no_frame;
1136
1137 if (!ieee80211_rx_reorder_ready(tid_agg_rx, index)) {
1138 __skb_queue_purge(skb_list);
1139 goto no_frame;
1140 }
1141
1142 /* release frames from the reorder ring buffer */
1143 tid_agg_rx->stored_mpdu_num--;
1144 while ((skb = __skb_dequeue(skb_list))) {
1145 status = IEEE80211_SKB_RXCB(skb);
1146 status->rx_flags |= IEEE80211_RX_DEFERRED_RELEASE;
1147 __skb_queue_tail(frames, skb);
1148 }
1149
1150no_frame:
1151 tid_agg_rx->reorder_buf_filtered &= ~BIT_ULL(index);
1152 tid_agg_rx->head_seq_num = ieee80211_sn_inc(tid_agg_rx->head_seq_num);
1153}
1154
1155static void ieee80211_release_reorder_frames(struct ieee80211_sub_if_data *sdata,
1156 struct tid_ampdu_rx *tid_agg_rx,
1157 u16 head_seq_num,
1158 struct sk_buff_head *frames)
1159{
1160 int index;
1161
1162 lockdep_assert_held(&tid_agg_rx->reorder_lock);
1163
1164 while (ieee80211_sn_less(tid_agg_rx->head_seq_num, head_seq_num)) {
1165 index = tid_agg_rx->head_seq_num % tid_agg_rx->buf_size;
1166 ieee80211_release_reorder_frame(sdata, tid_agg_rx, index,
1167 frames);
1168 }
1169}
1170
1171/*
1172 * Timeout (in jiffies) for skb's that are waiting in the RX reorder buffer. If
1173 * the skb was added to the buffer longer than this time ago, the earlier
1174 * frames that have not yet been received are assumed to be lost and the skb
1175 * can be released for processing. This may also release other skb's from the
1176 * reorder buffer if there are no additional gaps between the frames.
1177 *
1178 * Callers must hold tid_agg_rx->reorder_lock.
1179 */
1180#define HT_RX_REORDER_BUF_TIMEOUT (HZ / 10)
1181
1182static void ieee80211_sta_reorder_release(struct ieee80211_sub_if_data *sdata,
1183 struct tid_ampdu_rx *tid_agg_rx,
1184 struct sk_buff_head *frames)
1185{
1186 int index, i, j;
1187
1188 lockdep_assert_held(&tid_agg_rx->reorder_lock);
1189
1190 /* release the buffer until next missing frame */
1191 index = tid_agg_rx->head_seq_num % tid_agg_rx->buf_size;
1192 if (!ieee80211_rx_reorder_ready(tid_agg_rx, index) &&
1193 tid_agg_rx->stored_mpdu_num) {
1194 /*
1195 * No buffers ready to be released, but check whether any
1196 * frames in the reorder buffer have timed out.
1197 */
1198 int skipped = 1;
1199 for (j = (index + 1) % tid_agg_rx->buf_size; j != index;
1200 j = (j + 1) % tid_agg_rx->buf_size) {
1201 if (!ieee80211_rx_reorder_ready(tid_agg_rx, j)) {
1202 skipped++;
1203 continue;
1204 }
1205 if (skipped &&
1206 !time_after(jiffies, tid_agg_rx->reorder_time[j] +
1207 HT_RX_REORDER_BUF_TIMEOUT))
1208 goto set_release_timer;
1209
1210 /* don't leave incomplete A-MSDUs around */
1211 for (i = (index + 1) % tid_agg_rx->buf_size; i != j;
1212 i = (i + 1) % tid_agg_rx->buf_size)
1213 __skb_queue_purge(&tid_agg_rx->reorder_buf[i]);
1214
1215 ht_dbg_ratelimited(sdata,
1216 "release an RX reorder frame due to timeout on earlier frames\n");
1217 ieee80211_release_reorder_frame(sdata, tid_agg_rx, j,
1218 frames);
1219
1220 /*
1221 * Increment the head seq# also for the skipped slots.
1222 */
1223 tid_agg_rx->head_seq_num =
1224 (tid_agg_rx->head_seq_num +
1225 skipped) & IEEE80211_SN_MASK;
1226 skipped = 0;
1227 }
1228 } else while (ieee80211_rx_reorder_ready(tid_agg_rx, index)) {
1229 ieee80211_release_reorder_frame(sdata, tid_agg_rx, index,
1230 frames);
1231 index = tid_agg_rx->head_seq_num % tid_agg_rx->buf_size;
1232 }
1233
1234 if (tid_agg_rx->stored_mpdu_num) {
1235 j = index = tid_agg_rx->head_seq_num % tid_agg_rx->buf_size;
1236
1237 for (; j != (index - 1) % tid_agg_rx->buf_size;
1238 j = (j + 1) % tid_agg_rx->buf_size) {
1239 if (ieee80211_rx_reorder_ready(tid_agg_rx, j))
1240 break;
1241 }
1242
1243 set_release_timer:
1244
1245 if (!tid_agg_rx->removed)
1246 mod_timer(&tid_agg_rx->reorder_timer,
1247 tid_agg_rx->reorder_time[j] + 1 +
1248 HT_RX_REORDER_BUF_TIMEOUT);
1249 } else {
1250 del_timer(&tid_agg_rx->reorder_timer);
1251 }
1252}
1253
1254/*
1255 * As this function belongs to the RX path it must be under
1256 * rcu_read_lock protection. It returns false if the frame
1257 * can be processed immediately, true if it was consumed.
1258 */
1259static bool ieee80211_sta_manage_reorder_buf(struct ieee80211_sub_if_data *sdata,
1260 struct tid_ampdu_rx *tid_agg_rx,
1261 struct sk_buff *skb,
1262 struct sk_buff_head *frames)
1263{
1264 struct ieee80211_hdr *hdr = (struct ieee80211_hdr *) skb->data;
1265 struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(skb);
1266 u16 sc = le16_to_cpu(hdr->seq_ctrl);
1267 u16 mpdu_seq_num = (sc & IEEE80211_SCTL_SEQ) >> 4;
1268 u16 head_seq_num, buf_size;
1269 int index;
1270 bool ret = true;
1271
1272 spin_lock(&tid_agg_rx->reorder_lock);
1273
1274 /*
1275 * Offloaded BA sessions have no known starting sequence number so pick
1276 * one from first Rxed frame for this tid after BA was started.
1277 */
1278 if (unlikely(tid_agg_rx->auto_seq)) {
1279 tid_agg_rx->auto_seq = false;
1280 tid_agg_rx->ssn = mpdu_seq_num;
1281 tid_agg_rx->head_seq_num = mpdu_seq_num;
1282 }
1283
1284 buf_size = tid_agg_rx->buf_size;
1285 head_seq_num = tid_agg_rx->head_seq_num;
1286
1287 /*
1288 * If the current MPDU's SN is smaller than the SSN, it shouldn't
1289 * be reordered.
1290 */
1291 if (unlikely(!tid_agg_rx->started)) {
1292 if (ieee80211_sn_less(mpdu_seq_num, head_seq_num)) {
1293 ret = false;
1294 goto out;
1295 }
1296 tid_agg_rx->started = true;
1297 }
1298
1299 /* frame with out of date sequence number */
1300 if (ieee80211_sn_less(mpdu_seq_num, head_seq_num)) {
1301 dev_kfree_skb(skb);
1302 goto out;
1303 }
1304
1305 /*
1306 * If frame the sequence number exceeds our buffering window
1307 * size release some previous frames to make room for this one.
1308 */
1309 if (!ieee80211_sn_less(mpdu_seq_num, head_seq_num + buf_size)) {
1310 head_seq_num = ieee80211_sn_inc(
1311 ieee80211_sn_sub(mpdu_seq_num, buf_size));
1312 /* release stored frames up to new head to stack */
1313 ieee80211_release_reorder_frames(sdata, tid_agg_rx,
1314 head_seq_num, frames);
1315 }
1316
1317 /* Now the new frame is always in the range of the reordering buffer */
1318
1319 index = mpdu_seq_num % tid_agg_rx->buf_size;
1320
1321 /* check if we already stored this frame */
1322 if (ieee80211_rx_reorder_ready(tid_agg_rx, index)) {
1323 dev_kfree_skb(skb);
1324 goto out;
1325 }
1326
1327 /*
1328 * If the current MPDU is in the right order and nothing else
1329 * is stored we can process it directly, no need to buffer it.
1330 * If it is first but there's something stored, we may be able
1331 * to release frames after this one.
1332 */
1333 if (mpdu_seq_num == tid_agg_rx->head_seq_num &&
1334 tid_agg_rx->stored_mpdu_num == 0) {
1335 if (!(status->flag & RX_FLAG_AMSDU_MORE))
1336 tid_agg_rx->head_seq_num =
1337 ieee80211_sn_inc(tid_agg_rx->head_seq_num);
1338 ret = false;
1339 goto out;
1340 }
1341
1342 /* put the frame in the reordering buffer */
1343 __skb_queue_tail(&tid_agg_rx->reorder_buf[index], skb);
1344 if (!(status->flag & RX_FLAG_AMSDU_MORE)) {
1345 tid_agg_rx->reorder_time[index] = jiffies;
1346 tid_agg_rx->stored_mpdu_num++;
1347 ieee80211_sta_reorder_release(sdata, tid_agg_rx, frames);
1348 }
1349
1350 out:
1351 spin_unlock(&tid_agg_rx->reorder_lock);
1352 return ret;
1353}
1354
1355/*
1356 * Reorder MPDUs from A-MPDUs, keeping them on a buffer. Returns
1357 * true if the MPDU was buffered, false if it should be processed.
1358 */
1359static void ieee80211_rx_reorder_ampdu(struct ieee80211_rx_data *rx,
1360 struct sk_buff_head *frames)
1361{
1362 struct sk_buff *skb = rx->skb;
1363 struct ieee80211_local *local = rx->local;
1364 struct ieee80211_hdr *hdr = (struct ieee80211_hdr *) skb->data;
1365 struct sta_info *sta = rx->sta;
1366 struct tid_ampdu_rx *tid_agg_rx;
1367 u16 sc;
1368 u8 tid, ack_policy;
1369
1370 if (!ieee80211_is_data_qos(hdr->frame_control) ||
1371 is_multicast_ether_addr(hdr->addr1))
1372 goto dont_reorder;
1373
1374 /*
1375 * filter the QoS data rx stream according to
1376 * STA/TID and check if this STA/TID is on aggregation
1377 */
1378
1379 if (!sta)
1380 goto dont_reorder;
1381
1382 ack_policy = *ieee80211_get_qos_ctl(hdr) &
1383 IEEE80211_QOS_CTL_ACK_POLICY_MASK;
1384 tid = ieee80211_get_tid(hdr);
1385
1386 tid_agg_rx = rcu_dereference(sta->ampdu_mlme.tid_rx[tid]);
1387 if (!tid_agg_rx) {
1388 if (ack_policy == IEEE80211_QOS_CTL_ACK_POLICY_BLOCKACK &&
1389 !test_bit(tid, rx->sta->ampdu_mlme.agg_session_valid) &&
1390 !test_and_set_bit(tid, rx->sta->ampdu_mlme.unexpected_agg))
1391 ieee80211_send_delba(rx->sdata, rx->sta->sta.addr, tid,
1392 WLAN_BACK_RECIPIENT,
1393 WLAN_REASON_QSTA_REQUIRE_SETUP);
1394 goto dont_reorder;
1395 }
1396
1397 /* qos null data frames are excluded */
1398 if (unlikely(hdr->frame_control & cpu_to_le16(IEEE80211_STYPE_NULLFUNC)))
1399 goto dont_reorder;
1400
1401 /* not part of a BA session */
1402 if (ack_policy != IEEE80211_QOS_CTL_ACK_POLICY_BLOCKACK &&
1403 ack_policy != IEEE80211_QOS_CTL_ACK_POLICY_NORMAL)
1404 goto dont_reorder;
1405
1406 /* new, potentially un-ordered, ampdu frame - process it */
1407
1408 /* reset session timer */
1409 if (tid_agg_rx->timeout)
1410 tid_agg_rx->last_rx = jiffies;
1411
1412 /* if this mpdu is fragmented - terminate rx aggregation session */
1413 sc = le16_to_cpu(hdr->seq_ctrl);
1414 if (sc & IEEE80211_SCTL_FRAG) {
1415 skb_queue_tail(&rx->sdata->skb_queue, skb);
1416 ieee80211_queue_work(&local->hw, &rx->sdata->work);
1417 return;
1418 }
1419
1420 /*
1421 * No locking needed -- we will only ever process one
1422 * RX packet at a time, and thus own tid_agg_rx. All
1423 * other code manipulating it needs to (and does) make
1424 * sure that we cannot get to it any more before doing
1425 * anything with it.
1426 */
1427 if (ieee80211_sta_manage_reorder_buf(rx->sdata, tid_agg_rx, skb,
1428 frames))
1429 return;
1430
1431 dont_reorder:
1432 __skb_queue_tail(frames, skb);
1433}
1434
1435static ieee80211_rx_result debug_noinline
1436ieee80211_rx_h_check_dup(struct ieee80211_rx_data *rx)
1437{
1438 struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)rx->skb->data;
1439 struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(rx->skb);
1440
1441 if (status->flag & RX_FLAG_DUP_VALIDATED)
1442 return RX_CONTINUE;
1443
1444 /*
1445 * Drop duplicate 802.11 retransmissions
1446 * (IEEE 802.11-2012: 9.3.2.10 "Duplicate detection and recovery")
1447 */
1448
1449 if (rx->skb->len < 24)
1450 return RX_CONTINUE;
1451
1452 if (ieee80211_is_ctl(hdr->frame_control) ||
1453 ieee80211_is_nullfunc(hdr->frame_control) ||
1454 ieee80211_is_qos_nullfunc(hdr->frame_control) ||
1455 is_multicast_ether_addr(hdr->addr1))
1456 return RX_CONTINUE;
1457
1458 if (!rx->sta)
1459 return RX_CONTINUE;
1460
1461 if (unlikely(ieee80211_has_retry(hdr->frame_control) &&
1462 rx->sta->last_seq_ctrl[rx->seqno_idx] == hdr->seq_ctrl)) {
1463 I802_DEBUG_INC(rx->local->dot11FrameDuplicateCount);
1464 rx->sta->rx_stats.num_duplicates++;
1465 return RX_DROP_UNUSABLE;
1466 } else if (!(status->flag & RX_FLAG_AMSDU_MORE)) {
1467 rx->sta->last_seq_ctrl[rx->seqno_idx] = hdr->seq_ctrl;
1468 }
1469
1470 return RX_CONTINUE;
1471}
1472
1473static ieee80211_rx_result debug_noinline
1474ieee80211_rx_h_check(struct ieee80211_rx_data *rx)
1475{
1476 struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)rx->skb->data;
1477
1478 /* Drop disallowed frame classes based on STA auth/assoc state;
1479 * IEEE 802.11, Chap 5.5.
1480 *
1481 * mac80211 filters only based on association state, i.e. it drops
1482 * Class 3 frames from not associated stations. hostapd sends
1483 * deauth/disassoc frames when needed. In addition, hostapd is
1484 * responsible for filtering on both auth and assoc states.
1485 */
1486
1487 if (ieee80211_vif_is_mesh(&rx->sdata->vif))
1488 return ieee80211_rx_mesh_check(rx);
1489
1490 if (unlikely((ieee80211_is_data(hdr->frame_control) ||
1491 ieee80211_is_pspoll(hdr->frame_control)) &&
1492 rx->sdata->vif.type != NL80211_IFTYPE_ADHOC &&
1493 rx->sdata->vif.type != NL80211_IFTYPE_WDS &&
1494 rx->sdata->vif.type != NL80211_IFTYPE_OCB &&
1495 (!rx->sta || !test_sta_flag(rx->sta, WLAN_STA_ASSOC)))) {
1496 /*
1497 * accept port control frames from the AP even when it's not
1498 * yet marked ASSOC to prevent a race where we don't set the
1499 * assoc bit quickly enough before it sends the first frame
1500 */
1501 if (rx->sta && rx->sdata->vif.type == NL80211_IFTYPE_STATION &&
1502 ieee80211_is_data_present(hdr->frame_control)) {
1503 unsigned int hdrlen;
1504 __be16 ethertype;
1505
1506 hdrlen = ieee80211_hdrlen(hdr->frame_control);
1507
1508 if (rx->skb->len < hdrlen + 8)
1509 return RX_DROP_MONITOR;
1510
1511 skb_copy_bits(rx->skb, hdrlen + 6, ðertype, 2);
1512 if (ethertype == rx->sdata->control_port_protocol)
1513 return RX_CONTINUE;
1514 }
1515
1516 if (rx->sdata->vif.type == NL80211_IFTYPE_AP &&
1517 cfg80211_rx_spurious_frame(rx->sdata->dev,
1518 hdr->addr2,
1519 GFP_ATOMIC))
1520 return RX_DROP_UNUSABLE;
1521
1522 return RX_DROP_MONITOR;
1523 }
1524
1525 return RX_CONTINUE;
1526}
1527
1528
1529static ieee80211_rx_result debug_noinline
1530ieee80211_rx_h_check_more_data(struct ieee80211_rx_data *rx)
1531{
1532 struct ieee80211_local *local;
1533 struct ieee80211_hdr *hdr;
1534 struct sk_buff *skb;
1535
1536 local = rx->local;
1537 skb = rx->skb;
1538 hdr = (struct ieee80211_hdr *) skb->data;
1539
1540 if (!local->pspolling)
1541 return RX_CONTINUE;
1542
1543 if (!ieee80211_has_fromds(hdr->frame_control))
1544 /* this is not from AP */
1545 return RX_CONTINUE;
1546
1547 if (!ieee80211_is_data(hdr->frame_control))
1548 return RX_CONTINUE;
1549
1550 if (!ieee80211_has_moredata(hdr->frame_control)) {
1551 /* AP has no more frames buffered for us */
1552 local->pspolling = false;
1553 return RX_CONTINUE;
1554 }
1555
1556 /* more data bit is set, let's request a new frame from the AP */
1557 ieee80211_send_pspoll(local, rx->sdata);
1558
1559 return RX_CONTINUE;
1560}
1561
1562static void sta_ps_start(struct sta_info *sta)
1563{
1564 struct ieee80211_sub_if_data *sdata = sta->sdata;
1565 struct ieee80211_local *local = sdata->local;
1566 struct ps_data *ps;
1567 int tid;
1568
1569 if (sta->sdata->vif.type == NL80211_IFTYPE_AP ||
1570 sta->sdata->vif.type == NL80211_IFTYPE_AP_VLAN)
1571 ps = &sdata->bss->ps;
1572 else
1573 return;
1574
1575 atomic_inc(&ps->num_sta_ps);
1576 set_sta_flag(sta, WLAN_STA_PS_STA);
1577 if (!ieee80211_hw_check(&local->hw, AP_LINK_PS))
1578 drv_sta_notify(local, sdata, STA_NOTIFY_SLEEP, &sta->sta);
1579 ps_dbg(sdata, "STA %pM aid %d enters power save mode\n",
1580 sta->sta.addr, sta->sta.aid);
1581
1582 ieee80211_clear_fast_xmit(sta);
1583
1584 if (!sta->sta.txq[0])
1585 return;
1586
1587 for (tid = 0; tid < IEEE80211_NUM_TIDS; tid++) {
1588 struct ieee80211_txq *txq = sta->sta.txq[tid];
1589 struct txq_info *txqi = to_txq_info(txq);
1590
1591 spin_lock(&local->active_txq_lock[txq->ac]);
1592 if (!list_empty(&txqi->schedule_order))
1593 list_del_init(&txqi->schedule_order);
1594 spin_unlock(&local->active_txq_lock[txq->ac]);
1595
1596 if (txq_has_queue(txq))
1597 set_bit(tid, &sta->txq_buffered_tids);
1598 else
1599 clear_bit(tid, &sta->txq_buffered_tids);
1600 }
1601}
1602
1603static void sta_ps_end(struct sta_info *sta)
1604{
1605 ps_dbg(sta->sdata, "STA %pM aid %d exits power save mode\n",
1606 sta->sta.addr, sta->sta.aid);
1607
1608 if (test_sta_flag(sta, WLAN_STA_PS_DRIVER)) {
1609 /*
1610 * Clear the flag only if the other one is still set
1611 * so that the TX path won't start TX'ing new frames
1612 * directly ... In the case that the driver flag isn't
1613 * set ieee80211_sta_ps_deliver_wakeup() will clear it.
1614 */
1615 clear_sta_flag(sta, WLAN_STA_PS_STA);
1616 ps_dbg(sta->sdata, "STA %pM aid %d driver-ps-blocked\n",
1617 sta->sta.addr, sta->sta.aid);
1618 return;
1619 }
1620
1621 set_sta_flag(sta, WLAN_STA_PS_DELIVER);
1622 clear_sta_flag(sta, WLAN_STA_PS_STA);
1623 ieee80211_sta_ps_deliver_wakeup(sta);
1624}
1625
1626int ieee80211_sta_ps_transition(struct ieee80211_sta *pubsta, bool start)
1627{
1628 struct sta_info *sta = container_of(pubsta, struct sta_info, sta);
1629 bool in_ps;
1630
1631 WARN_ON(!ieee80211_hw_check(&sta->local->hw, AP_LINK_PS));
1632
1633 /* Don't let the same PS state be set twice */
1634 in_ps = test_sta_flag(sta, WLAN_STA_PS_STA);
1635 if ((start && in_ps) || (!start && !in_ps))
1636 return -EINVAL;
1637
1638 if (start)
1639 sta_ps_start(sta);
1640 else
1641 sta_ps_end(sta);
1642
1643 return 0;
1644}
1645EXPORT_SYMBOL(ieee80211_sta_ps_transition);
1646
1647void ieee80211_sta_pspoll(struct ieee80211_sta *pubsta)
1648{
1649 struct sta_info *sta = container_of(pubsta, struct sta_info, sta);
1650
1651 if (test_sta_flag(sta, WLAN_STA_SP))
1652 return;
1653
1654 if (!test_sta_flag(sta, WLAN_STA_PS_DRIVER))
1655 ieee80211_sta_ps_deliver_poll_response(sta);
1656 else
1657 set_sta_flag(sta, WLAN_STA_PSPOLL);
1658}
1659EXPORT_SYMBOL(ieee80211_sta_pspoll);
1660
1661void ieee80211_sta_uapsd_trigger(struct ieee80211_sta *pubsta, u8 tid)
1662{
1663 struct sta_info *sta = container_of(pubsta, struct sta_info, sta);
1664 int ac = ieee80211_ac_from_tid(tid);
1665
1666 /*
1667 * If this AC is not trigger-enabled do nothing unless the
1668 * driver is calling us after it already checked.
1669 *
1670 * NB: This could/should check a separate bitmap of trigger-
1671 * enabled queues, but for now we only implement uAPSD w/o
1672 * TSPEC changes to the ACs, so they're always the same.
1673 */
1674 if (!(sta->sta.uapsd_queues & ieee80211_ac_to_qos_mask[ac]) &&
1675 tid != IEEE80211_NUM_TIDS)
1676 return;
1677
1678 /* if we are in a service period, do nothing */
1679 if (test_sta_flag(sta, WLAN_STA_SP))
1680 return;
1681
1682 if (!test_sta_flag(sta, WLAN_STA_PS_DRIVER))
1683 ieee80211_sta_ps_deliver_uapsd(sta);
1684 else
1685 set_sta_flag(sta, WLAN_STA_UAPSD);
1686}
1687EXPORT_SYMBOL(ieee80211_sta_uapsd_trigger);
1688
1689static ieee80211_rx_result debug_noinline
1690ieee80211_rx_h_uapsd_and_pspoll(struct ieee80211_rx_data *rx)
1691{
1692 struct ieee80211_sub_if_data *sdata = rx->sdata;
1693 struct ieee80211_hdr *hdr = (void *)rx->skb->data;
1694 struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(rx->skb);
1695
1696 if (!rx->sta)
1697 return RX_CONTINUE;
1698
1699 if (sdata->vif.type != NL80211_IFTYPE_AP &&
1700 sdata->vif.type != NL80211_IFTYPE_AP_VLAN)
1701 return RX_CONTINUE;
1702
1703 /*
1704 * The device handles station powersave, so don't do anything about
1705 * uAPSD and PS-Poll frames (the latter shouldn't even come up from
1706 * it to mac80211 since they're handled.)
1707 */
1708 if (ieee80211_hw_check(&sdata->local->hw, AP_LINK_PS))
1709 return RX_CONTINUE;
1710
1711 /*
1712 * Don't do anything if the station isn't already asleep. In
1713 * the uAPSD case, the station will probably be marked asleep,
1714 * in the PS-Poll case the station must be confused ...
1715 */
1716 if (!test_sta_flag(rx->sta, WLAN_STA_PS_STA))
1717 return RX_CONTINUE;
1718
1719 if (unlikely(ieee80211_is_pspoll(hdr->frame_control))) {
1720 ieee80211_sta_pspoll(&rx->sta->sta);
1721
1722 /* Free PS Poll skb here instead of returning RX_DROP that would
1723 * count as an dropped frame. */
1724 dev_kfree_skb(rx->skb);
1725
1726 return RX_QUEUED;
1727 } else if (!ieee80211_has_morefrags(hdr->frame_control) &&
1728 !(status->rx_flags & IEEE80211_RX_DEFERRED_RELEASE) &&
1729 ieee80211_has_pm(hdr->frame_control) &&
1730 (ieee80211_is_data_qos(hdr->frame_control) ||
1731 ieee80211_is_qos_nullfunc(hdr->frame_control))) {
1732 u8 tid = ieee80211_get_tid(hdr);
1733
1734 ieee80211_sta_uapsd_trigger(&rx->sta->sta, tid);
1735 }
1736
1737 return RX_CONTINUE;
1738}
1739
1740static ieee80211_rx_result debug_noinline
1741ieee80211_rx_h_sta_process(struct ieee80211_rx_data *rx)
1742{
1743 struct sta_info *sta = rx->sta;
1744 struct sk_buff *skb = rx->skb;
1745 struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(skb);
1746 struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)skb->data;
1747 int i;
1748
1749 if (!sta)
1750 return RX_CONTINUE;
1751
1752 /*
1753 * Update last_rx only for IBSS packets which are for the current
1754 * BSSID and for station already AUTHORIZED to avoid keeping the
1755 * current IBSS network alive in cases where other STAs start
1756 * using different BSSID. This will also give the station another
1757 * chance to restart the authentication/authorization in case
1758 * something went wrong the first time.
1759 */
1760 if (rx->sdata->vif.type == NL80211_IFTYPE_ADHOC) {
1761 u8 *bssid = ieee80211_get_bssid(hdr, rx->skb->len,
1762 NL80211_IFTYPE_ADHOC);
1763 if (ether_addr_equal(bssid, rx->sdata->u.ibss.bssid) &&
1764 test_sta_flag(sta, WLAN_STA_AUTHORIZED)) {
1765 sta->rx_stats.last_rx = jiffies;
1766 if (ieee80211_is_data(hdr->frame_control) &&
1767 !is_multicast_ether_addr(hdr->addr1))
1768 sta->rx_stats.last_rate =
1769 sta_stats_encode_rate(status);
1770 }
1771 } else if (rx->sdata->vif.type == NL80211_IFTYPE_OCB) {
1772 sta->rx_stats.last_rx = jiffies;
1773 } else if (!is_multicast_ether_addr(hdr->addr1)) {
1774 /*
1775 * Mesh beacons will update last_rx when if they are found to
1776 * match the current local configuration when processed.
1777 */
1778 sta->rx_stats.last_rx = jiffies;
1779 if (ieee80211_is_data(hdr->frame_control))
1780 sta->rx_stats.last_rate = sta_stats_encode_rate(status);
1781 }
1782
1783 if (rx->sdata->vif.type == NL80211_IFTYPE_STATION)
1784 ieee80211_sta_rx_notify(rx->sdata, hdr);
1785
1786 sta->rx_stats.fragments++;
1787
1788 u64_stats_update_begin(&rx->sta->rx_stats.syncp);
1789 sta->rx_stats.bytes += rx->skb->len;
1790 u64_stats_update_end(&rx->sta->rx_stats.syncp);
1791
1792 if (!(status->flag & RX_FLAG_NO_SIGNAL_VAL)) {
1793 sta->rx_stats.last_signal = status->signal;
1794 ewma_signal_add(&sta->rx_stats_avg.signal, -status->signal);
1795 }
1796
1797 if (status->chains) {
1798 sta->rx_stats.chains = status->chains;
1799 for (i = 0; i < ARRAY_SIZE(status->chain_signal); i++) {
1800 int signal = status->chain_signal[i];
1801
1802 if (!(status->chains & BIT(i)))
1803 continue;
1804
1805 sta->rx_stats.chain_signal_last[i] = signal;
1806 ewma_signal_add(&sta->rx_stats_avg.chain_signal[i],
1807 -signal);
1808 }
1809 }
1810
1811 /*
1812 * Change STA power saving mode only at the end of a frame
1813 * exchange sequence, and only for a data or management
1814 * frame as specified in IEEE 802.11-2016 11.2.3.2
1815 */
1816 if (!ieee80211_hw_check(&sta->local->hw, AP_LINK_PS) &&
1817 !ieee80211_has_morefrags(hdr->frame_control) &&
1818 !is_multicast_ether_addr(hdr->addr1) &&
1819 (ieee80211_is_mgmt(hdr->frame_control) ||
1820 ieee80211_is_data(hdr->frame_control)) &&
1821 !(status->rx_flags & IEEE80211_RX_DEFERRED_RELEASE) &&
1822 (rx->sdata->vif.type == NL80211_IFTYPE_AP ||
1823 rx->sdata->vif.type == NL80211_IFTYPE_AP_VLAN)) {
1824 if (test_sta_flag(sta, WLAN_STA_PS_STA)) {
1825 if (!ieee80211_has_pm(hdr->frame_control))
1826 sta_ps_end(sta);
1827 } else {
1828 if (ieee80211_has_pm(hdr->frame_control))
1829 sta_ps_start(sta);
1830 }
1831 }
1832
1833 /* mesh power save support */
1834 if (ieee80211_vif_is_mesh(&rx->sdata->vif))
1835 ieee80211_mps_rx_h_sta_process(sta, hdr);
1836
1837 /*
1838 * Drop (qos-)data::nullfunc frames silently, since they
1839 * are used only to control station power saving mode.
1840 */
1841 if (ieee80211_is_nullfunc(hdr->frame_control) ||
1842 ieee80211_is_qos_nullfunc(hdr->frame_control)) {
1843 I802_DEBUG_INC(rx->local->rx_handlers_drop_nullfunc);
1844
1845 /*
1846 * If we receive a 4-addr nullfunc frame from a STA
1847 * that was not moved to a 4-addr STA vlan yet send
1848 * the event to userspace and for older hostapd drop
1849 * the frame to the monitor interface.
1850 */
1851 if (ieee80211_has_a4(hdr->frame_control) &&
1852 (rx->sdata->vif.type == NL80211_IFTYPE_AP ||
1853 (rx->sdata->vif.type == NL80211_IFTYPE_AP_VLAN &&
1854 !rx->sdata->u.vlan.sta))) {
1855 if (!test_and_set_sta_flag(sta, WLAN_STA_4ADDR_EVENT))
1856 cfg80211_rx_unexpected_4addr_frame(
1857 rx->sdata->dev, sta->sta.addr,
1858 GFP_ATOMIC);
1859 return RX_DROP_MONITOR;
1860 }
1861 /*
1862 * Update counter and free packet here to avoid
1863 * counting this as a dropped packed.
1864 */
1865 sta->rx_stats.packets++;
1866 dev_kfree_skb(rx->skb);
1867 return RX_QUEUED;
1868 }
1869
1870 return RX_CONTINUE;
1871} /* ieee80211_rx_h_sta_process */
1872
1873static ieee80211_rx_result debug_noinline
1874ieee80211_rx_h_decrypt(struct ieee80211_rx_data *rx)
1875{
1876 struct sk_buff *skb = rx->skb;
1877 struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(skb);
1878 struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)skb->data;
1879 int keyidx;
1880 ieee80211_rx_result result = RX_DROP_UNUSABLE;
1881 struct ieee80211_key *sta_ptk = NULL;
1882 struct ieee80211_key *ptk_idx = NULL;
1883 int mmie_keyidx = -1;
1884 __le16 fc;
1885 const struct ieee80211_cipher_scheme *cs = NULL;
1886
1887 /*
1888 * Key selection 101
1889 *
1890 * There are four types of keys:
1891 * - GTK (group keys)
1892 * - IGTK (group keys for management frames)
1893 * - PTK (pairwise keys)
1894 * - STK (station-to-station pairwise keys)
1895 *
1896 * When selecting a key, we have to distinguish between multicast
1897 * (including broadcast) and unicast frames, the latter can only
1898 * use PTKs and STKs while the former always use GTKs and IGTKs.
1899 * Unless, of course, actual WEP keys ("pre-RSNA") are used, then
1900 * unicast frames can also use key indices like GTKs. Hence, if we
1901 * don't have a PTK/STK we check the key index for a WEP key.
1902 *
1903 * Note that in a regular BSS, multicast frames are sent by the
1904 * AP only, associated stations unicast the frame to the AP first
1905 * which then multicasts it on their behalf.
1906 *
1907 * There is also a slight problem in IBSS mode: GTKs are negotiated
1908 * with each station, that is something we don't currently handle.
1909 * The spec seems to expect that one negotiates the same key with
1910 * every station but there's no such requirement; VLANs could be
1911 * possible.
1912 */
1913
1914 /* start without a key */
1915 rx->key = NULL;
1916 fc = hdr->frame_control;
1917
1918 if (rx->sta) {
1919 int keyid = rx->sta->ptk_idx;
1920 sta_ptk = rcu_dereference(rx->sta->ptk[keyid]);
1921
1922 if (ieee80211_has_protected(fc)) {
1923 cs = rx->sta->cipher_scheme;
1924 keyid = ieee80211_get_keyid(rx->skb, cs);
1925
1926 if (unlikely(keyid < 0))
1927 return RX_DROP_UNUSABLE;
1928
1929 ptk_idx = rcu_dereference(rx->sta->ptk[keyid]);
1930 }
1931 }
1932
1933 if (!ieee80211_has_protected(fc))
1934 mmie_keyidx = ieee80211_get_mmie_keyidx(rx->skb);
1935
1936 if (!is_multicast_ether_addr(hdr->addr1) && sta_ptk) {
1937 rx->key = ptk_idx ? ptk_idx : sta_ptk;
1938 if ((status->flag & RX_FLAG_DECRYPTED) &&
1939 (status->flag & RX_FLAG_IV_STRIPPED))
1940 return RX_CONTINUE;
1941 /* Skip decryption if the frame is not protected. */
1942 if (!ieee80211_has_protected(fc))
1943 return RX_CONTINUE;
1944 } else if (mmie_keyidx >= 0) {
1945 /* Broadcast/multicast robust management frame / BIP */
1946 if ((status->flag & RX_FLAG_DECRYPTED) &&
1947 (status->flag & RX_FLAG_IV_STRIPPED))
1948 return RX_CONTINUE;
1949
1950 if (mmie_keyidx < NUM_DEFAULT_KEYS ||
1951 mmie_keyidx >= NUM_DEFAULT_KEYS + NUM_DEFAULT_MGMT_KEYS)
1952 return RX_DROP_MONITOR; /* unexpected BIP keyidx */
1953 if (rx->sta) {
1954 if (ieee80211_is_group_privacy_action(skb) &&
1955 test_sta_flag(rx->sta, WLAN_STA_MFP))
1956 return RX_DROP_MONITOR;
1957
1958 rx->key = rcu_dereference(rx->sta->gtk[mmie_keyidx]);
1959 }
1960 if (!rx->key)
1961 rx->key = rcu_dereference(rx->sdata->keys[mmie_keyidx]);
1962 } else if (!ieee80211_has_protected(fc)) {
1963 /*
1964 * The frame was not protected, so skip decryption. However, we
1965 * need to set rx->key if there is a key that could have been
1966 * used so that the frame may be dropped if encryption would
1967 * have been expected.
1968 */
1969 struct ieee80211_key *key = NULL;
1970 struct ieee80211_sub_if_data *sdata = rx->sdata;
1971 int i;
1972
1973 if (ieee80211_is_mgmt(fc) &&
1974 is_multicast_ether_addr(hdr->addr1) &&
1975 (key = rcu_dereference(rx->sdata->default_mgmt_key)))
1976 rx->key = key;
1977 else {
1978 if (rx->sta) {
1979 for (i = 0; i < NUM_DEFAULT_KEYS; i++) {
1980 key = rcu_dereference(rx->sta->gtk[i]);
1981 if (key)
1982 break;
1983 }
1984 }
1985 if (!key) {
1986 for (i = 0; i < NUM_DEFAULT_KEYS; i++) {
1987 key = rcu_dereference(sdata->keys[i]);
1988 if (key)
1989 break;
1990 }
1991 }
1992 if (key)
1993 rx->key = key;
1994 }
1995 return RX_CONTINUE;
1996 } else {
1997 /*
1998 * The device doesn't give us the IV so we won't be
1999 * able to look up the key. That's ok though, we
2000 * don't need to decrypt the frame, we just won't
2001 * be able to keep statistics accurate.
2002 * Except for key threshold notifications, should
2003 * we somehow allow the driver to tell us which key
2004 * the hardware used if this flag is set?
2005 */
2006 if ((status->flag & RX_FLAG_DECRYPTED) &&
2007 (status->flag & RX_FLAG_IV_STRIPPED))
2008 return RX_CONTINUE;
2009
2010 keyidx = ieee80211_get_keyid(rx->skb, cs);
2011
2012 if (unlikely(keyidx < 0))
2013 return RX_DROP_UNUSABLE;
2014
2015 /* check per-station GTK first, if multicast packet */
2016 if (is_multicast_ether_addr(hdr->addr1) && rx->sta)
2017 rx->key = rcu_dereference(rx->sta->gtk[keyidx]);
2018
2019 /* if not found, try default key */
2020 if (!rx->key) {
2021 rx->key = rcu_dereference(rx->sdata->keys[keyidx]);
2022
2023 /*
2024 * RSNA-protected unicast frames should always be
2025 * sent with pairwise or station-to-station keys,
2026 * but for WEP we allow using a key index as well.
2027 */
2028 if (rx->key &&
2029 rx->key->conf.cipher != WLAN_CIPHER_SUITE_WEP40 &&
2030 rx->key->conf.cipher != WLAN_CIPHER_SUITE_WEP104 &&
2031 !is_multicast_ether_addr(hdr->addr1))
2032 rx->key = NULL;
2033 }
2034 }
2035
2036 if (rx->key) {
2037 if (unlikely(rx->key->flags & KEY_FLAG_TAINTED))
2038 return RX_DROP_MONITOR;
2039
2040 /* TODO: add threshold stuff again */
2041 } else {
2042 return RX_DROP_MONITOR;
2043 }
2044
2045 switch (rx->key->conf.cipher) {
2046 case WLAN_CIPHER_SUITE_WEP40:
2047 case WLAN_CIPHER_SUITE_WEP104:
2048 result = ieee80211_crypto_wep_decrypt(rx);
2049 break;
2050 case WLAN_CIPHER_SUITE_TKIP:
2051 result = ieee80211_crypto_tkip_decrypt(rx);
2052 break;
2053 case WLAN_CIPHER_SUITE_CCMP:
2054 result = ieee80211_crypto_ccmp_decrypt(
2055 rx, IEEE80211_CCMP_MIC_LEN);
2056 break;
2057 case WLAN_CIPHER_SUITE_CCMP_256:
2058 result = ieee80211_crypto_ccmp_decrypt(
2059 rx, IEEE80211_CCMP_256_MIC_LEN);
2060 break;
2061 case WLAN_CIPHER_SUITE_AES_CMAC:
2062 result = ieee80211_crypto_aes_cmac_decrypt(rx);
2063 break;
2064 case WLAN_CIPHER_SUITE_BIP_CMAC_256:
2065 result = ieee80211_crypto_aes_cmac_256_decrypt(rx);
2066 break;
2067 case WLAN_CIPHER_SUITE_BIP_GMAC_128:
2068 case WLAN_CIPHER_SUITE_BIP_GMAC_256:
2069 result = ieee80211_crypto_aes_gmac_decrypt(rx);
2070 break;
2071 case WLAN_CIPHER_SUITE_GCMP:
2072 case WLAN_CIPHER_SUITE_GCMP_256:
2073 result = ieee80211_crypto_gcmp_decrypt(rx);
2074 break;
2075 default:
2076 result = ieee80211_crypto_hw_decrypt(rx);
2077 }
2078
2079 /* the hdr variable is invalid after the decrypt handlers */
2080
2081 /* either the frame has been decrypted or will be dropped */
2082 status->flag |= RX_FLAG_DECRYPTED;
2083
2084 return result;
2085}
2086
2087static inline struct ieee80211_fragment_entry *
2088ieee80211_reassemble_add(struct ieee80211_sub_if_data *sdata,
2089 unsigned int frag, unsigned int seq, int rx_queue,
2090 struct sk_buff **skb)
2091{
2092 struct ieee80211_fragment_entry *entry;
2093
2094 entry = &sdata->fragments[sdata->fragment_next++];
2095 if (sdata->fragment_next >= IEEE80211_FRAGMENT_MAX)
2096 sdata->fragment_next = 0;
2097
2098 if (!skb_queue_empty(&entry->skb_list))
2099 __skb_queue_purge(&entry->skb_list);
2100
2101 __skb_queue_tail(&entry->skb_list, *skb); /* no need for locking */
2102 *skb = NULL;
2103 entry->first_frag_time = jiffies;
2104 entry->seq = seq;
2105 entry->rx_queue = rx_queue;
2106 entry->last_frag = frag;
2107 entry->check_sequential_pn = false;
2108 entry->extra_len = 0;
2109
2110 return entry;
2111}
2112
2113static inline struct ieee80211_fragment_entry *
2114ieee80211_reassemble_find(struct ieee80211_sub_if_data *sdata,
2115 unsigned int frag, unsigned int seq,
2116 int rx_queue, struct ieee80211_hdr *hdr)
2117{
2118 struct ieee80211_fragment_entry *entry;
2119 int i, idx;
2120
2121 idx = sdata->fragment_next;
2122 for (i = 0; i < IEEE80211_FRAGMENT_MAX; i++) {
2123 struct ieee80211_hdr *f_hdr;
2124 struct sk_buff *f_skb;
2125
2126 idx--;
2127 if (idx < 0)
2128 idx = IEEE80211_FRAGMENT_MAX - 1;
2129
2130 entry = &sdata->fragments[idx];
2131 if (skb_queue_empty(&entry->skb_list) || entry->seq != seq ||
2132 entry->rx_queue != rx_queue ||
2133 entry->last_frag + 1 != frag)
2134 continue;
2135
2136 f_skb = __skb_peek(&entry->skb_list);
2137 f_hdr = (struct ieee80211_hdr *) f_skb->data;
2138
2139 /*
2140 * Check ftype and addresses are equal, else check next fragment
2141 */
2142 if (((hdr->frame_control ^ f_hdr->frame_control) &
2143 cpu_to_le16(IEEE80211_FCTL_FTYPE)) ||
2144 !ether_addr_equal(hdr->addr1, f_hdr->addr1) ||
2145 !ether_addr_equal(hdr->addr2, f_hdr->addr2))
2146 continue;
2147
2148 if (time_after(jiffies, entry->first_frag_time + 2 * HZ)) {
2149 __skb_queue_purge(&entry->skb_list);
2150 continue;
2151 }
2152 return entry;
2153 }
2154
2155 return NULL;
2156}
2157
2158static ieee80211_rx_result debug_noinline
2159ieee80211_rx_h_defragment(struct ieee80211_rx_data *rx)
2160{
2161 struct ieee80211_hdr *hdr;
2162 u16 sc;
2163 __le16 fc;
2164 unsigned int frag, seq;
2165 struct ieee80211_fragment_entry *entry;
2166 struct sk_buff *skb;
2167
2168 hdr = (struct ieee80211_hdr *)rx->skb->data;
2169 fc = hdr->frame_control;
2170
2171 if (ieee80211_is_ctl(fc))
2172 return RX_CONTINUE;
2173
2174 sc = le16_to_cpu(hdr->seq_ctrl);
2175 frag = sc & IEEE80211_SCTL_FRAG;
2176
2177 if (is_multicast_ether_addr(hdr->addr1)) {
2178 I802_DEBUG_INC(rx->local->dot11MulticastReceivedFrameCount);
2179 goto out_no_led;
2180 }
2181
2182 if (likely(!ieee80211_has_morefrags(fc) && frag == 0))
2183 goto out;
2184
2185 I802_DEBUG_INC(rx->local->rx_handlers_fragments);
2186
2187 if (skb_linearize(rx->skb))
2188 return RX_DROP_UNUSABLE;
2189
2190 /*
2191 * skb_linearize() might change the skb->data and
2192 * previously cached variables (in this case, hdr) need to
2193 * be refreshed with the new data.
2194 */
2195 hdr = (struct ieee80211_hdr *)rx->skb->data;
2196 seq = (sc & IEEE80211_SCTL_SEQ) >> 4;
2197
2198 if (frag == 0) {
2199 /* This is the first fragment of a new frame. */
2200 entry = ieee80211_reassemble_add(rx->sdata, frag, seq,
2201 rx->seqno_idx, &(rx->skb));
2202 if (rx->key &&
2203 (rx->key->conf.cipher == WLAN_CIPHER_SUITE_CCMP ||
2204 rx->key->conf.cipher == WLAN_CIPHER_SUITE_CCMP_256 ||
2205 rx->key->conf.cipher == WLAN_CIPHER_SUITE_GCMP ||
2206 rx->key->conf.cipher == WLAN_CIPHER_SUITE_GCMP_256) &&
2207 ieee80211_has_protected(fc)) {
2208 int queue = rx->security_idx;
2209
2210 /* Store CCMP/GCMP PN so that we can verify that the
2211 * next fragment has a sequential PN value.
2212 */
2213 entry->check_sequential_pn = true;
2214 memcpy(entry->last_pn,
2215 rx->key->u.ccmp.rx_pn[queue],
2216 IEEE80211_CCMP_PN_LEN);
2217 BUILD_BUG_ON(offsetof(struct ieee80211_key,
2218 u.ccmp.rx_pn) !=
2219 offsetof(struct ieee80211_key,
2220 u.gcmp.rx_pn));
2221 BUILD_BUG_ON(sizeof(rx->key->u.ccmp.rx_pn[queue]) !=
2222 sizeof(rx->key->u.gcmp.rx_pn[queue]));
2223 BUILD_BUG_ON(IEEE80211_CCMP_PN_LEN !=
2224 IEEE80211_GCMP_PN_LEN);
2225 }
2226 return RX_QUEUED;
2227 }
2228
2229 /* This is a fragment for a frame that should already be pending in
2230 * fragment cache. Add this fragment to the end of the pending entry.
2231 */
2232 entry = ieee80211_reassemble_find(rx->sdata, frag, seq,
2233 rx->seqno_idx, hdr);
2234 if (!entry) {
2235 I802_DEBUG_INC(rx->local->rx_handlers_drop_defrag);
2236 return RX_DROP_MONITOR;
2237 }
2238
2239 /* "The receiver shall discard MSDUs and MMPDUs whose constituent
2240 * MPDU PN values are not incrementing in steps of 1."
2241 * see IEEE P802.11-REVmc/D5.0, 12.5.3.4.4, item d (for CCMP)
2242 * and IEEE P802.11-REVmc/D5.0, 12.5.5.4.4, item d (for GCMP)
2243 */
2244 if (entry->check_sequential_pn) {
2245 int i;
2246 u8 pn[IEEE80211_CCMP_PN_LEN], *rpn;
2247 int queue;
2248
2249 if (!rx->key ||
2250 (rx->key->conf.cipher != WLAN_CIPHER_SUITE_CCMP &&
2251 rx->key->conf.cipher != WLAN_CIPHER_SUITE_CCMP_256 &&
2252 rx->key->conf.cipher != WLAN_CIPHER_SUITE_GCMP &&
2253 rx->key->conf.cipher != WLAN_CIPHER_SUITE_GCMP_256))
2254 return RX_DROP_UNUSABLE;
2255 memcpy(pn, entry->last_pn, IEEE80211_CCMP_PN_LEN);
2256 for (i = IEEE80211_CCMP_PN_LEN - 1; i >= 0; i--) {
2257 pn[i]++;
2258 if (pn[i])
2259 break;
2260 }
2261 queue = rx->security_idx;
2262 rpn = rx->key->u.ccmp.rx_pn[queue];
2263 if (memcmp(pn, rpn, IEEE80211_CCMP_PN_LEN))
2264 return RX_DROP_UNUSABLE;
2265 memcpy(entry->last_pn, pn, IEEE80211_CCMP_PN_LEN);
2266 }
2267
2268 skb_pull(rx->skb, ieee80211_hdrlen(fc));
2269 __skb_queue_tail(&entry->skb_list, rx->skb);
2270 entry->last_frag = frag;
2271 entry->extra_len += rx->skb->len;
2272 if (ieee80211_has_morefrags(fc)) {
2273 rx->skb = NULL;
2274 return RX_QUEUED;
2275 }
2276
2277 rx->skb = __skb_dequeue(&entry->skb_list);
2278 if (skb_tailroom(rx->skb) < entry->extra_len) {
2279 I802_DEBUG_INC(rx->local->rx_expand_skb_head_defrag);
2280 if (unlikely(pskb_expand_head(rx->skb, 0, entry->extra_len,
2281 GFP_ATOMIC))) {
2282 I802_DEBUG_INC(rx->local->rx_handlers_drop_defrag);
2283 __skb_queue_purge(&entry->skb_list);
2284 return RX_DROP_UNUSABLE;
2285 }
2286 }
2287 while ((skb = __skb_dequeue(&entry->skb_list))) {
2288 skb_put_data(rx->skb, skb->data, skb->len);
2289 dev_kfree_skb(skb);
2290 }
2291
2292 out:
2293 ieee80211_led_rx(rx->local);
2294 out_no_led:
2295 if (rx->sta)
2296 rx->sta->rx_stats.packets++;
2297 return RX_CONTINUE;
2298}
2299
2300static int ieee80211_802_1x_port_control(struct ieee80211_rx_data *rx)
2301{
2302 if (unlikely(!rx->sta || !test_sta_flag(rx->sta, WLAN_STA_AUTHORIZED)))
2303 return -EACCES;
2304
2305 return 0;
2306}
2307
2308static int ieee80211_drop_unencrypted(struct ieee80211_rx_data *rx, __le16 fc)
2309{
2310 struct sk_buff *skb = rx->skb;
2311 struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(skb);
2312
2313 /*
2314 * Pass through unencrypted frames if the hardware has
2315 * decrypted them already.
2316 */
2317 if (status->flag & RX_FLAG_DECRYPTED)
2318 return 0;
2319
2320 /* Drop unencrypted frames if key is set. */
2321 if (unlikely(!ieee80211_has_protected(fc) &&
2322 !ieee80211_is_nullfunc(fc) &&
2323 ieee80211_is_data(fc) && rx->key))
2324 return -EACCES;
2325
2326 return 0;
2327}
2328
2329static int ieee80211_drop_unencrypted_mgmt(struct ieee80211_rx_data *rx)
2330{
2331 struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)rx->skb->data;
2332 struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(rx->skb);
2333 __le16 fc = hdr->frame_control;
2334
2335 /*
2336 * Pass through unencrypted frames if the hardware has
2337 * decrypted them already.
2338 */
2339 if (status->flag & RX_FLAG_DECRYPTED)
2340 return 0;
2341
2342 if (rx->sta && test_sta_flag(rx->sta, WLAN_STA_MFP)) {
2343 if (unlikely(!ieee80211_has_protected(fc) &&
2344 ieee80211_is_unicast_robust_mgmt_frame(rx->skb) &&
2345 rx->key)) {
2346 if (ieee80211_is_deauth(fc) ||
2347 ieee80211_is_disassoc(fc))
2348 cfg80211_rx_unprot_mlme_mgmt(rx->sdata->dev,
2349 rx->skb->data,
2350 rx->skb->len);
2351 return -EACCES;
2352 }
2353 /* BIP does not use Protected field, so need to check MMIE */
2354 if (unlikely(ieee80211_is_multicast_robust_mgmt_frame(rx->skb) &&
2355 ieee80211_get_mmie_keyidx(rx->skb) < 0)) {
2356 if (ieee80211_is_deauth(fc) ||
2357 ieee80211_is_disassoc(fc))
2358 cfg80211_rx_unprot_mlme_mgmt(rx->sdata->dev,
2359 rx->skb->data,
2360 rx->skb->len);
2361 return -EACCES;
2362 }
2363 /*
2364 * When using MFP, Action frames are not allowed prior to
2365 * having configured keys.
2366 */
2367 if (unlikely(ieee80211_is_action(fc) && !rx->key &&
2368 ieee80211_is_robust_mgmt_frame(rx->skb)))
2369 return -EACCES;
2370 }
2371
2372 return 0;
2373}
2374
2375static int
2376__ieee80211_data_to_8023(struct ieee80211_rx_data *rx, bool *port_control)
2377{
2378 struct ieee80211_sub_if_data *sdata = rx->sdata;
2379 struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)rx->skb->data;
2380 bool check_port_control = false;
2381 struct ethhdr *ehdr;
2382 int ret;
2383
2384 *port_control = false;
2385 if (ieee80211_has_a4(hdr->frame_control) &&
2386 sdata->vif.type == NL80211_IFTYPE_AP_VLAN && !sdata->u.vlan.sta)
2387 return -1;
2388
2389 if (sdata->vif.type == NL80211_IFTYPE_STATION &&
2390 !!sdata->u.mgd.use_4addr != !!ieee80211_has_a4(hdr->frame_control)) {
2391
2392 if (!sdata->u.mgd.use_4addr)
2393 return -1;
2394 else if (!ether_addr_equal(hdr->addr1, sdata->vif.addr))
2395 check_port_control = true;
2396 }
2397
2398 if (is_multicast_ether_addr(hdr->addr1) &&
2399 sdata->vif.type == NL80211_IFTYPE_AP_VLAN && sdata->u.vlan.sta)
2400 return -1;
2401
2402 ret = ieee80211_data_to_8023(rx->skb, sdata->vif.addr, sdata->vif.type);
2403 if (ret < 0)
2404 return ret;
2405
2406 ehdr = (struct ethhdr *) rx->skb->data;
2407 if (ehdr->h_proto == rx->sdata->control_port_protocol)
2408 *port_control = true;
2409 else if (check_port_control)
2410 return -1;
2411
2412 return 0;
2413}
2414
2415/*
2416 * requires that rx->skb is a frame with ethernet header
2417 */
2418static bool ieee80211_frame_allowed(struct ieee80211_rx_data *rx, __le16 fc)
2419{
2420 static const u8 pae_group_addr[ETH_ALEN] __aligned(2)
2421 = { 0x01, 0x80, 0xC2, 0x00, 0x00, 0x03 };
2422 struct ethhdr *ehdr = (struct ethhdr *) rx->skb->data;
2423
2424 /*
2425 * Allow EAPOL frames to us/the PAE group address regardless
2426 * of whether the frame was encrypted or not.
2427 */
2428 if (ehdr->h_proto == rx->sdata->control_port_protocol &&
2429 (ether_addr_equal(ehdr->h_dest, rx->sdata->vif.addr) ||
2430 ether_addr_equal(ehdr->h_dest, pae_group_addr)))
2431 return true;
2432
2433 if (ieee80211_802_1x_port_control(rx) ||
2434 ieee80211_drop_unencrypted(rx, fc))
2435 return false;
2436
2437 return true;
2438}
2439
2440static void ieee80211_deliver_skb_to_local_stack(struct sk_buff *skb,
2441 struct ieee80211_rx_data *rx)
2442{
2443 struct ieee80211_sub_if_data *sdata = rx->sdata;
2444 struct net_device *dev = sdata->dev;
2445
2446 if (unlikely((skb->protocol == sdata->control_port_protocol ||
2447 skb->protocol == cpu_to_be16(ETH_P_PREAUTH)) &&
2448 sdata->control_port_over_nl80211)) {
2449 struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(skb);
2450 bool noencrypt = !(status->flag & RX_FLAG_DECRYPTED);
2451
2452 cfg80211_rx_control_port(dev, skb, noencrypt);
2453 dev_kfree_skb(skb);
2454 } else {
2455 memset(skb->cb, 0, sizeof(skb->cb));
2456
2457 /* deliver to local stack */
2458 if (rx->napi)
2459 napi_gro_receive(rx->napi, skb);
2460 else
2461 netif_receive_skb(skb);
2462 }
2463}
2464
2465/*
2466 * requires that rx->skb is a frame with ethernet header
2467 */
2468static void
2469ieee80211_deliver_skb(struct ieee80211_rx_data *rx)
2470{
2471 struct ieee80211_sub_if_data *sdata = rx->sdata;
2472 struct net_device *dev = sdata->dev;
2473 struct sk_buff *skb, *xmit_skb;
2474 struct ethhdr *ehdr = (struct ethhdr *) rx->skb->data;
2475 struct sta_info *dsta;
2476
2477 skb = rx->skb;
2478 xmit_skb = NULL;
2479
2480 ieee80211_rx_stats(dev, skb->len);
2481
2482 if (rx->sta) {
2483 /* The seqno index has the same property as needed
2484 * for the rx_msdu field, i.e. it is IEEE80211_NUM_TIDS
2485 * for non-QoS-data frames. Here we know it's a data
2486 * frame, so count MSDUs.
2487 */
2488 u64_stats_update_begin(&rx->sta->rx_stats.syncp);
2489 rx->sta->rx_stats.msdu[rx->seqno_idx]++;
2490 u64_stats_update_end(&rx->sta->rx_stats.syncp);
2491 }
2492
2493 if ((sdata->vif.type == NL80211_IFTYPE_AP ||
2494 sdata->vif.type == NL80211_IFTYPE_AP_VLAN) &&
2495 !(sdata->flags & IEEE80211_SDATA_DONT_BRIDGE_PACKETS) &&
2496 (sdata->vif.type != NL80211_IFTYPE_AP_VLAN || !sdata->u.vlan.sta)) {
2497 if (is_multicast_ether_addr(ehdr->h_dest) &&
2498 ieee80211_vif_get_num_mcast_if(sdata) != 0) {
2499 /*
2500 * send multicast frames both to higher layers in
2501 * local net stack and back to the wireless medium
2502 */
2503 xmit_skb = skb_copy(skb, GFP_ATOMIC);
2504 if (!xmit_skb)
2505 net_info_ratelimited("%s: failed to clone multicast frame\n",
2506 dev->name);
2507 } else if (!is_multicast_ether_addr(ehdr->h_dest) &&
2508 !ether_addr_equal(ehdr->h_dest, ehdr->h_source)) {
2509 dsta = sta_info_get(sdata, ehdr->h_dest);
2510 if (dsta) {
2511 /*
2512 * The destination station is associated to
2513 * this AP (in this VLAN), so send the frame
2514 * directly to it and do not pass it to local
2515 * net stack.
2516 */
2517 xmit_skb = skb;
2518 skb = NULL;
2519 }
2520 }
2521 }
2522
2523#ifndef CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS
2524 if (skb) {
2525 /* 'align' will only take the values 0 or 2 here since all
2526 * frames are required to be aligned to 2-byte boundaries
2527 * when being passed to mac80211; the code here works just
2528 * as well if that isn't true, but mac80211 assumes it can
2529 * access fields as 2-byte aligned (e.g. for ether_addr_equal)
2530 */
2531 int align;
2532
2533 align = (unsigned long)(skb->data + sizeof(struct ethhdr)) & 3;
2534 if (align) {
2535 if (WARN_ON(skb_headroom(skb) < 3)) {
2536 dev_kfree_skb(skb);
2537 skb = NULL;
2538 } else {
2539 u8 *data = skb->data;
2540 size_t len = skb_headlen(skb);
2541 skb->data -= align;
2542 memmove(skb->data, data, len);
2543 skb_set_tail_pointer(skb, len);
2544 }
2545 }
2546 }
2547#endif
2548
2549 if (skb) {
2550 skb->protocol = eth_type_trans(skb, dev);
2551 ieee80211_deliver_skb_to_local_stack(skb, rx);
2552 }
2553
2554 if (xmit_skb) {
2555 /*
2556 * Send to wireless media and increase priority by 256 to
2557 * keep the received priority instead of reclassifying
2558 * the frame (see cfg80211_classify8021d).
2559 */
2560 xmit_skb->priority += 256;
2561 xmit_skb->protocol = htons(ETH_P_802_3);
2562 skb_reset_network_header(xmit_skb);
2563 skb_reset_mac_header(xmit_skb);
2564 dev_queue_xmit(xmit_skb);
2565 }
2566}
2567
2568static ieee80211_rx_result debug_noinline
2569__ieee80211_rx_h_amsdu(struct ieee80211_rx_data *rx, u8 data_offset)
2570{
2571 struct net_device *dev = rx->sdata->dev;
2572 struct sk_buff *skb = rx->skb;
2573 struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)skb->data;
2574 __le16 fc = hdr->frame_control;
2575 struct sk_buff_head frame_list;
2576 struct ethhdr ethhdr;
2577 const u8 *check_da = ethhdr.h_dest, *check_sa = ethhdr.h_source;
2578
2579 if (unlikely(ieee80211_has_a4(hdr->frame_control))) {
2580 check_da = NULL;
2581 check_sa = NULL;
2582 } else switch (rx->sdata->vif.type) {
2583 case NL80211_IFTYPE_AP:
2584 case NL80211_IFTYPE_AP_VLAN:
2585 check_da = NULL;
2586 break;
2587 case NL80211_IFTYPE_STATION:
2588 if (!rx->sta ||
2589 !test_sta_flag(rx->sta, WLAN_STA_TDLS_PEER))
2590 check_sa = NULL;
2591 break;
2592 case NL80211_IFTYPE_MESH_POINT:
2593 check_sa = NULL;
2594 break;
2595 default:
2596 break;
2597 }
2598
2599 skb->dev = dev;
2600 __skb_queue_head_init(&frame_list);
2601
2602 if (ieee80211_data_to_8023_exthdr(skb, ðhdr,
2603 rx->sdata->vif.addr,
2604 rx->sdata->vif.type,
2605 data_offset))
2606 return RX_DROP_UNUSABLE;
2607
2608 ieee80211_amsdu_to_8023s(skb, &frame_list, dev->dev_addr,
2609 rx->sdata->vif.type,
2610 rx->local->hw.extra_tx_headroom,
2611 check_da, check_sa);
2612
2613 while (!skb_queue_empty(&frame_list)) {
2614 rx->skb = __skb_dequeue(&frame_list);
2615
2616 if (!ieee80211_frame_allowed(rx, fc)) {
2617 dev_kfree_skb(rx->skb);
2618 continue;
2619 }
2620
2621 ieee80211_deliver_skb(rx);
2622 }
2623
2624 return RX_QUEUED;
2625}
2626
2627static ieee80211_rx_result debug_noinline
2628ieee80211_rx_h_amsdu(struct ieee80211_rx_data *rx)
2629{
2630 struct sk_buff *skb = rx->skb;
2631 struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(skb);
2632 struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)skb->data;
2633 __le16 fc = hdr->frame_control;
2634
2635 if (!(status->rx_flags & IEEE80211_RX_AMSDU))
2636 return RX_CONTINUE;
2637
2638 if (unlikely(!ieee80211_is_data(fc)))
2639 return RX_CONTINUE;
2640
2641 if (unlikely(!ieee80211_is_data_present(fc)))
2642 return RX_DROP_MONITOR;
2643
2644 if (unlikely(ieee80211_has_a4(hdr->frame_control))) {
2645 switch (rx->sdata->vif.type) {
2646 case NL80211_IFTYPE_AP_VLAN:
2647 if (!rx->sdata->u.vlan.sta)
2648 return RX_DROP_UNUSABLE;
2649 break;
2650 case NL80211_IFTYPE_STATION:
2651 if (!rx->sdata->u.mgd.use_4addr)
2652 return RX_DROP_UNUSABLE;
2653 break;
2654 default:
2655 return RX_DROP_UNUSABLE;
2656 }
2657 }
2658
2659 if (is_multicast_ether_addr(hdr->addr1))
2660 return RX_DROP_UNUSABLE;
2661
2662 return __ieee80211_rx_h_amsdu(rx, 0);
2663}
2664
2665#ifdef CONFIG_MAC80211_MESH
2666static ieee80211_rx_result
2667ieee80211_rx_h_mesh_fwding(struct ieee80211_rx_data *rx)
2668{
2669 struct ieee80211_hdr *fwd_hdr, *hdr;
2670 struct ieee80211_tx_info *info;
2671 struct ieee80211s_hdr *mesh_hdr;
2672 struct sk_buff *skb = rx->skb, *fwd_skb;
2673 struct ieee80211_local *local = rx->local;
2674 struct ieee80211_sub_if_data *sdata = rx->sdata;
2675 struct ieee80211_if_mesh *ifmsh = &sdata->u.mesh;
2676 u16 ac, q, hdrlen;
2677 int tailroom = 0;
2678
2679 hdr = (struct ieee80211_hdr *) skb->data;
2680 hdrlen = ieee80211_hdrlen(hdr->frame_control);
2681
2682 /* make sure fixed part of mesh header is there, also checks skb len */
2683 if (!pskb_may_pull(rx->skb, hdrlen + 6))
2684 return RX_DROP_MONITOR;
2685
2686 mesh_hdr = (struct ieee80211s_hdr *) (skb->data + hdrlen);
2687
2688 /* make sure full mesh header is there, also checks skb len */
2689 if (!pskb_may_pull(rx->skb,
2690 hdrlen + ieee80211_get_mesh_hdrlen(mesh_hdr)))
2691 return RX_DROP_MONITOR;
2692
2693 /* reload pointers */
2694 hdr = (struct ieee80211_hdr *) skb->data;
2695 mesh_hdr = (struct ieee80211s_hdr *) (skb->data + hdrlen);
2696
2697 if (ieee80211_drop_unencrypted(rx, hdr->frame_control))
2698 return RX_DROP_MONITOR;
2699
2700 /* frame is in RMC, don't forward */
2701 if (ieee80211_is_data(hdr->frame_control) &&
2702 is_multicast_ether_addr(hdr->addr1) &&
2703 mesh_rmc_check(rx->sdata, hdr->addr3, mesh_hdr))
2704 return RX_DROP_MONITOR;
2705
2706 if (!ieee80211_is_data(hdr->frame_control))
2707 return RX_CONTINUE;
2708
2709 if (!mesh_hdr->ttl)
2710 return RX_DROP_MONITOR;
2711
2712 if (mesh_hdr->flags & MESH_FLAGS_AE) {
2713 struct mesh_path *mppath;
2714 char *proxied_addr;
2715 char *mpp_addr;
2716
2717 if (is_multicast_ether_addr(hdr->addr1)) {
2718 mpp_addr = hdr->addr3;
2719 proxied_addr = mesh_hdr->eaddr1;
2720 } else if ((mesh_hdr->flags & MESH_FLAGS_AE) ==
2721 MESH_FLAGS_AE_A5_A6) {
2722 /* has_a4 already checked in ieee80211_rx_mesh_check */
2723 mpp_addr = hdr->addr4;
2724 proxied_addr = mesh_hdr->eaddr2;
2725 } else {
2726 return RX_DROP_MONITOR;
2727 }
2728
2729 rcu_read_lock();
2730 mppath = mpp_path_lookup(sdata, proxied_addr);
2731 if (!mppath) {
2732 mpp_path_add(sdata, proxied_addr, mpp_addr);
2733 } else {
2734 spin_lock_bh(&mppath->state_lock);
2735 if (!ether_addr_equal(mppath->mpp, mpp_addr))
2736 memcpy(mppath->mpp, mpp_addr, ETH_ALEN);
2737 mppath->exp_time = jiffies;
2738 spin_unlock_bh(&mppath->state_lock);
2739 }
2740 rcu_read_unlock();
2741 }
2742
2743 /* Frame has reached destination. Don't forward */
2744 if (!is_multicast_ether_addr(hdr->addr1) &&
2745 ether_addr_equal(sdata->vif.addr, hdr->addr3))
2746 return RX_CONTINUE;
2747
2748 ac = ieee80211_select_queue_80211(sdata, skb, hdr);
2749 q = sdata->vif.hw_queue[ac];
2750 if (ieee80211_queue_stopped(&local->hw, q)) {
2751 IEEE80211_IFSTA_MESH_CTR_INC(ifmsh, dropped_frames_congestion);
2752 return RX_DROP_MONITOR;
2753 }
2754 skb_set_queue_mapping(skb, q);
2755
2756 if (!--mesh_hdr->ttl) {
2757 if (!is_multicast_ether_addr(hdr->addr1))
2758 IEEE80211_IFSTA_MESH_CTR_INC(ifmsh,
2759 dropped_frames_ttl);
2760 goto out;
2761 }
2762
2763 if (!ifmsh->mshcfg.dot11MeshForwarding)
2764 goto out;
2765
2766 if (sdata->crypto_tx_tailroom_needed_cnt)
2767 tailroom = IEEE80211_ENCRYPT_TAILROOM;
2768
2769 fwd_skb = skb_copy_expand(skb, local->tx_headroom +
2770 sdata->encrypt_headroom,
2771 tailroom, GFP_ATOMIC);
2772 if (!fwd_skb)
2773 goto out;
2774
2775 fwd_hdr = (struct ieee80211_hdr *) fwd_skb->data;
2776 fwd_hdr->frame_control &= ~cpu_to_le16(IEEE80211_FCTL_RETRY);
2777 info = IEEE80211_SKB_CB(fwd_skb);
2778 memset(info, 0, sizeof(*info));
2779 info->flags |= IEEE80211_TX_INTFL_NEED_TXPROCESSING;
2780 info->control.vif = &rx->sdata->vif;
2781 info->control.jiffies = jiffies;
2782 if (is_multicast_ether_addr(fwd_hdr->addr1)) {
2783 IEEE80211_IFSTA_MESH_CTR_INC(ifmsh, fwded_mcast);
2784 memcpy(fwd_hdr->addr2, sdata->vif.addr, ETH_ALEN);
2785 /* update power mode indication when forwarding */
2786 ieee80211_mps_set_frame_flags(sdata, NULL, fwd_hdr);
2787 } else if (!mesh_nexthop_lookup(sdata, fwd_skb)) {
2788 /* mesh power mode flags updated in mesh_nexthop_lookup */
2789 IEEE80211_IFSTA_MESH_CTR_INC(ifmsh, fwded_unicast);
2790 } else {
2791 /* unable to resolve next hop */
2792 mesh_path_error_tx(sdata, ifmsh->mshcfg.element_ttl,
2793 fwd_hdr->addr3, 0,
2794 WLAN_REASON_MESH_PATH_NOFORWARD,
2795 fwd_hdr->addr2);
2796 IEEE80211_IFSTA_MESH_CTR_INC(ifmsh, dropped_frames_no_route);
2797 kfree_skb(fwd_skb);
2798 return RX_DROP_MONITOR;
2799 }
2800
2801 IEEE80211_IFSTA_MESH_CTR_INC(ifmsh, fwded_frames);
2802 ieee80211_add_pending_skb(local, fwd_skb);
2803 out:
2804 if (is_multicast_ether_addr(hdr->addr1))
2805 return RX_CONTINUE;
2806 return RX_DROP_MONITOR;
2807}
2808#endif
2809
2810static ieee80211_rx_result debug_noinline
2811ieee80211_rx_h_data(struct ieee80211_rx_data *rx)
2812{
2813 struct ieee80211_sub_if_data *sdata = rx->sdata;
2814 struct ieee80211_local *local = rx->local;
2815 struct net_device *dev = sdata->dev;
2816 struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)rx->skb->data;
2817 __le16 fc = hdr->frame_control;
2818 bool port_control;
2819 int err;
2820
2821 if (unlikely(!ieee80211_is_data(hdr->frame_control)))
2822 return RX_CONTINUE;
2823
2824 if (unlikely(!ieee80211_is_data_present(hdr->frame_control)))
2825 return RX_DROP_MONITOR;
2826
2827 /*
2828 * Send unexpected-4addr-frame event to hostapd. For older versions,
2829 * also drop the frame to cooked monitor interfaces.
2830 */
2831 if (ieee80211_has_a4(hdr->frame_control) &&
2832 sdata->vif.type == NL80211_IFTYPE_AP) {
2833 if (rx->sta &&
2834 !test_and_set_sta_flag(rx->sta, WLAN_STA_4ADDR_EVENT))
2835 cfg80211_rx_unexpected_4addr_frame(
2836 rx->sdata->dev, rx->sta->sta.addr, GFP_ATOMIC);
2837 return RX_DROP_MONITOR;
2838 }
2839
2840 err = __ieee80211_data_to_8023(rx, &port_control);
2841 if (unlikely(err))
2842 return RX_DROP_UNUSABLE;
2843
2844 if (!ieee80211_frame_allowed(rx, fc))
2845 return RX_DROP_MONITOR;
2846
2847 /* directly handle TDLS channel switch requests/responses */
2848 if (unlikely(((struct ethhdr *)rx->skb->data)->h_proto ==
2849 cpu_to_be16(ETH_P_TDLS))) {
2850 struct ieee80211_tdls_data *tf = (void *)rx->skb->data;
2851
2852 if (pskb_may_pull(rx->skb,
2853 offsetof(struct ieee80211_tdls_data, u)) &&
2854 tf->payload_type == WLAN_TDLS_SNAP_RFTYPE &&
2855 tf->category == WLAN_CATEGORY_TDLS &&
2856 (tf->action_code == WLAN_TDLS_CHANNEL_SWITCH_REQUEST ||
2857 tf->action_code == WLAN_TDLS_CHANNEL_SWITCH_RESPONSE)) {
2858 skb_queue_tail(&local->skb_queue_tdls_chsw, rx->skb);
2859 schedule_work(&local->tdls_chsw_work);
2860 if (rx->sta)
2861 rx->sta->rx_stats.packets++;
2862
2863 return RX_QUEUED;
2864 }
2865 }
2866
2867 if (rx->sdata->vif.type == NL80211_IFTYPE_AP_VLAN &&
2868 unlikely(port_control) && sdata->bss) {
2869 sdata = container_of(sdata->bss, struct ieee80211_sub_if_data,
2870 u.ap);
2871 dev = sdata->dev;
2872 rx->sdata = sdata;
2873 }
2874
2875 rx->skb->dev = dev;
2876
2877 if (!ieee80211_hw_check(&local->hw, SUPPORTS_DYNAMIC_PS) &&
2878 local->ps_sdata && local->hw.conf.dynamic_ps_timeout > 0 &&
2879 !is_multicast_ether_addr(
2880 ((struct ethhdr *)rx->skb->data)->h_dest) &&
2881 (!local->scanning &&
2882 !test_bit(SDATA_STATE_OFFCHANNEL, &sdata->state)))
2883 mod_timer(&local->dynamic_ps_timer, jiffies +
2884 msecs_to_jiffies(local->hw.conf.dynamic_ps_timeout));
2885
2886 ieee80211_deliver_skb(rx);
2887
2888 return RX_QUEUED;
2889}
2890
2891static ieee80211_rx_result debug_noinline
2892ieee80211_rx_h_ctrl(struct ieee80211_rx_data *rx, struct sk_buff_head *frames)
2893{
2894 struct sk_buff *skb = rx->skb;
2895 struct ieee80211_bar *bar = (struct ieee80211_bar *)skb->data;
2896 struct tid_ampdu_rx *tid_agg_rx;
2897 u16 start_seq_num;
2898 u16 tid;
2899
2900 if (likely(!ieee80211_is_ctl(bar->frame_control)))
2901 return RX_CONTINUE;
2902
2903 if (ieee80211_is_back_req(bar->frame_control)) {
2904 struct {
2905 __le16 control, start_seq_num;
2906 } __packed bar_data;
2907 struct ieee80211_event event = {
2908 .type = BAR_RX_EVENT,
2909 };
2910
2911 if (!rx->sta)
2912 return RX_DROP_MONITOR;
2913
2914 if (skb_copy_bits(skb, offsetof(struct ieee80211_bar, control),
2915 &bar_data, sizeof(bar_data)))
2916 return RX_DROP_MONITOR;
2917
2918 tid = le16_to_cpu(bar_data.control) >> 12;
2919
2920 if (!test_bit(tid, rx->sta->ampdu_mlme.agg_session_valid) &&
2921 !test_and_set_bit(tid, rx->sta->ampdu_mlme.unexpected_agg))
2922 ieee80211_send_delba(rx->sdata, rx->sta->sta.addr, tid,
2923 WLAN_BACK_RECIPIENT,
2924 WLAN_REASON_QSTA_REQUIRE_SETUP);
2925
2926 tid_agg_rx = rcu_dereference(rx->sta->ampdu_mlme.tid_rx[tid]);
2927 if (!tid_agg_rx)
2928 return RX_DROP_MONITOR;
2929
2930 start_seq_num = le16_to_cpu(bar_data.start_seq_num) >> 4;
2931 event.u.ba.tid = tid;
2932 event.u.ba.ssn = start_seq_num;
2933 event.u.ba.sta = &rx->sta->sta;
2934
2935 /* reset session timer */
2936 if (tid_agg_rx->timeout)
2937 mod_timer(&tid_agg_rx->session_timer,
2938 TU_TO_EXP_TIME(tid_agg_rx->timeout));
2939
2940 spin_lock(&tid_agg_rx->reorder_lock);
2941 /* release stored frames up to start of BAR */
2942 ieee80211_release_reorder_frames(rx->sdata, tid_agg_rx,
2943 start_seq_num, frames);
2944 spin_unlock(&tid_agg_rx->reorder_lock);
2945
2946 drv_event_callback(rx->local, rx->sdata, &event);
2947
2948 kfree_skb(skb);
2949 return RX_QUEUED;
2950 }
2951
2952 /*
2953 * After this point, we only want management frames,
2954 * so we can drop all remaining control frames to
2955 * cooked monitor interfaces.
2956 */
2957 return RX_DROP_MONITOR;
2958}
2959
2960static void ieee80211_process_sa_query_req(struct ieee80211_sub_if_data *sdata,
2961 struct ieee80211_mgmt *mgmt,
2962 size_t len)
2963{
2964 struct ieee80211_local *local = sdata->local;
2965 struct sk_buff *skb;
2966 struct ieee80211_mgmt *resp;
2967
2968 if (!ether_addr_equal(mgmt->da, sdata->vif.addr)) {
2969 /* Not to own unicast address */
2970 return;
2971 }
2972
2973 if (!ether_addr_equal(mgmt->sa, sdata->u.mgd.bssid) ||
2974 !ether_addr_equal(mgmt->bssid, sdata->u.mgd.bssid)) {
2975 /* Not from the current AP or not associated yet. */
2976 return;
2977 }
2978
2979 if (len < 24 + 1 + sizeof(resp->u.action.u.sa_query)) {
2980 /* Too short SA Query request frame */
2981 return;
2982 }
2983
2984 skb = dev_alloc_skb(sizeof(*resp) + local->hw.extra_tx_headroom);
2985 if (skb == NULL)
2986 return;
2987
2988 skb_reserve(skb, local->hw.extra_tx_headroom);
2989 resp = skb_put_zero(skb, 24);
2990 memcpy(resp->da, mgmt->sa, ETH_ALEN);
2991 memcpy(resp->sa, sdata->vif.addr, ETH_ALEN);
2992 memcpy(resp->bssid, sdata->u.mgd.bssid, ETH_ALEN);
2993 resp->frame_control = cpu_to_le16(IEEE80211_FTYPE_MGMT |
2994 IEEE80211_STYPE_ACTION);
2995 skb_put(skb, 1 + sizeof(resp->u.action.u.sa_query));
2996 resp->u.action.category = WLAN_CATEGORY_SA_QUERY;
2997 resp->u.action.u.sa_query.action = WLAN_ACTION_SA_QUERY_RESPONSE;
2998 memcpy(resp->u.action.u.sa_query.trans_id,
2999 mgmt->u.action.u.sa_query.trans_id,
3000 WLAN_SA_QUERY_TR_ID_LEN);
3001
3002 ieee80211_tx_skb(sdata, skb);
3003}
3004
3005static ieee80211_rx_result debug_noinline
3006ieee80211_rx_h_mgmt_check(struct ieee80211_rx_data *rx)
3007{
3008 struct ieee80211_mgmt *mgmt = (struct ieee80211_mgmt *) rx->skb->data;
3009 struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(rx->skb);
3010
3011 /*
3012 * From here on, look only at management frames.
3013 * Data and control frames are already handled,
3014 * and unknown (reserved) frames are useless.
3015 */
3016 if (rx->skb->len < 24)
3017 return RX_DROP_MONITOR;
3018
3019 if (!ieee80211_is_mgmt(mgmt->frame_control))
3020 return RX_DROP_MONITOR;
3021
3022 if (rx->sdata->vif.type == NL80211_IFTYPE_AP &&
3023 ieee80211_is_beacon(mgmt->frame_control) &&
3024 !(rx->flags & IEEE80211_RX_BEACON_REPORTED)) {
3025 int sig = 0;
3026
3027 if (ieee80211_hw_check(&rx->local->hw, SIGNAL_DBM) &&
3028 !(status->flag & RX_FLAG_NO_SIGNAL_VAL))
3029 sig = status->signal;
3030
3031 cfg80211_report_obss_beacon(rx->local->hw.wiphy,
3032 rx->skb->data, rx->skb->len,
3033 status->freq, sig);
3034 rx->flags |= IEEE80211_RX_BEACON_REPORTED;
3035 }
3036
3037 if (ieee80211_drop_unencrypted_mgmt(rx))
3038 return RX_DROP_UNUSABLE;
3039
3040 return RX_CONTINUE;
3041}
3042
3043static ieee80211_rx_result debug_noinline
3044ieee80211_rx_h_action(struct ieee80211_rx_data *rx)
3045{
3046 struct ieee80211_local *local = rx->local;
3047 struct ieee80211_sub_if_data *sdata = rx->sdata;
3048 struct ieee80211_mgmt *mgmt = (struct ieee80211_mgmt *) rx->skb->data;
3049 struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(rx->skb);
3050 int len = rx->skb->len;
3051
3052 if (!ieee80211_is_action(mgmt->frame_control))
3053 return RX_CONTINUE;
3054
3055 /* drop too small frames */
3056 if (len < IEEE80211_MIN_ACTION_SIZE)
3057 return RX_DROP_UNUSABLE;
3058
3059 if (!rx->sta && mgmt->u.action.category != WLAN_CATEGORY_PUBLIC &&
3060 mgmt->u.action.category != WLAN_CATEGORY_SELF_PROTECTED &&
3061 mgmt->u.action.category != WLAN_CATEGORY_SPECTRUM_MGMT)
3062 return RX_DROP_UNUSABLE;
3063
3064 switch (mgmt->u.action.category) {
3065 case WLAN_CATEGORY_HT:
3066 /* reject HT action frames from stations not supporting HT */
3067 if (!rx->sta->sta.ht_cap.ht_supported)
3068 goto invalid;
3069
3070 if (sdata->vif.type != NL80211_IFTYPE_STATION &&
3071 sdata->vif.type != NL80211_IFTYPE_MESH_POINT &&
3072 sdata->vif.type != NL80211_IFTYPE_AP_VLAN &&
3073 sdata->vif.type != NL80211_IFTYPE_AP &&
3074 sdata->vif.type != NL80211_IFTYPE_ADHOC)
3075 break;
3076
3077 /* verify action & smps_control/chanwidth are present */
3078 if (len < IEEE80211_MIN_ACTION_SIZE + 2)
3079 goto invalid;
3080
3081 switch (mgmt->u.action.u.ht_smps.action) {
3082 case WLAN_HT_ACTION_SMPS: {
3083 struct ieee80211_supported_band *sband;
3084 enum ieee80211_smps_mode smps_mode;
3085 struct sta_opmode_info sta_opmode = {};
3086
3087 /* convert to HT capability */
3088 switch (mgmt->u.action.u.ht_smps.smps_control) {
3089 case WLAN_HT_SMPS_CONTROL_DISABLED:
3090 smps_mode = IEEE80211_SMPS_OFF;
3091 break;
3092 case WLAN_HT_SMPS_CONTROL_STATIC:
3093 smps_mode = IEEE80211_SMPS_STATIC;
3094 break;
3095 case WLAN_HT_SMPS_CONTROL_DYNAMIC:
3096 smps_mode = IEEE80211_SMPS_DYNAMIC;
3097 break;
3098 default:
3099 goto invalid;
3100 }
3101
3102 /* if no change do nothing */
3103 if (rx->sta->sta.smps_mode == smps_mode)
3104 goto handled;
3105 rx->sta->sta.smps_mode = smps_mode;
3106 sta_opmode.smps_mode =
3107 ieee80211_smps_mode_to_smps_mode(smps_mode);
3108 sta_opmode.changed = STA_OPMODE_SMPS_MODE_CHANGED;
3109
3110 sband = rx->local->hw.wiphy->bands[status->band];
3111
3112 rate_control_rate_update(local, sband, rx->sta,
3113 IEEE80211_RC_SMPS_CHANGED);
3114 cfg80211_sta_opmode_change_notify(sdata->dev,
3115 rx->sta->addr,
3116 &sta_opmode,
3117 GFP_ATOMIC);
3118 goto handled;
3119 }
3120 case WLAN_HT_ACTION_NOTIFY_CHANWIDTH: {
3121 struct ieee80211_supported_band *sband;
3122 u8 chanwidth = mgmt->u.action.u.ht_notify_cw.chanwidth;
3123 enum ieee80211_sta_rx_bandwidth max_bw, new_bw;
3124 struct sta_opmode_info sta_opmode = {};
3125
3126 /* If it doesn't support 40 MHz it can't change ... */
3127 if (!(rx->sta->sta.ht_cap.cap &
3128 IEEE80211_HT_CAP_SUP_WIDTH_20_40))
3129 goto handled;
3130
3131 if (chanwidth == IEEE80211_HT_CHANWIDTH_20MHZ)
3132 max_bw = IEEE80211_STA_RX_BW_20;
3133 else
3134 max_bw = ieee80211_sta_cap_rx_bw(rx->sta);
3135
3136 /* set cur_max_bandwidth and recalc sta bw */
3137 rx->sta->cur_max_bandwidth = max_bw;
3138 new_bw = ieee80211_sta_cur_vht_bw(rx->sta);
3139
3140 if (rx->sta->sta.bandwidth == new_bw)
3141 goto handled;
3142
3143 rx->sta->sta.bandwidth = new_bw;
3144 sband = rx->local->hw.wiphy->bands[status->band];
3145 sta_opmode.bw =
3146 ieee80211_sta_rx_bw_to_chan_width(rx->sta);
3147 sta_opmode.changed = STA_OPMODE_MAX_BW_CHANGED;
3148
3149 rate_control_rate_update(local, sband, rx->sta,
3150 IEEE80211_RC_BW_CHANGED);
3151 cfg80211_sta_opmode_change_notify(sdata->dev,
3152 rx->sta->addr,
3153 &sta_opmode,
3154 GFP_ATOMIC);
3155 goto handled;
3156 }
3157 default:
3158 goto invalid;
3159 }
3160
3161 break;
3162 case WLAN_CATEGORY_PUBLIC:
3163 if (len < IEEE80211_MIN_ACTION_SIZE + 1)
3164 goto invalid;
3165 if (sdata->vif.type != NL80211_IFTYPE_STATION)
3166 break;
3167 if (!rx->sta)
3168 break;
3169 if (!ether_addr_equal(mgmt->bssid, sdata->u.mgd.bssid))
3170 break;
3171 if (mgmt->u.action.u.ext_chan_switch.action_code !=
3172 WLAN_PUB_ACTION_EXT_CHANSW_ANN)
3173 break;
3174 if (len < offsetof(struct ieee80211_mgmt,
3175 u.action.u.ext_chan_switch.variable))
3176 goto invalid;
3177 goto queue;
3178 case WLAN_CATEGORY_VHT:
3179 if (sdata->vif.type != NL80211_IFTYPE_STATION &&
3180 sdata->vif.type != NL80211_IFTYPE_MESH_POINT &&
3181 sdata->vif.type != NL80211_IFTYPE_AP_VLAN &&
3182 sdata->vif.type != NL80211_IFTYPE_AP &&
3183 sdata->vif.type != NL80211_IFTYPE_ADHOC)
3184 break;
3185
3186 /* verify action code is present */
3187 if (len < IEEE80211_MIN_ACTION_SIZE + 1)
3188 goto invalid;
3189
3190 switch (mgmt->u.action.u.vht_opmode_notif.action_code) {
3191 case WLAN_VHT_ACTION_OPMODE_NOTIF: {
3192 /* verify opmode is present */
3193 if (len < IEEE80211_MIN_ACTION_SIZE + 2)
3194 goto invalid;
3195 goto queue;
3196 }
3197 case WLAN_VHT_ACTION_GROUPID_MGMT: {
3198 if (len < IEEE80211_MIN_ACTION_SIZE + 25)
3199 goto invalid;
3200 goto queue;
3201 }
3202 default:
3203 break;
3204 }
3205 break;
3206 case WLAN_CATEGORY_BACK:
3207 if (sdata->vif.type != NL80211_IFTYPE_STATION &&
3208 sdata->vif.type != NL80211_IFTYPE_MESH_POINT &&
3209 sdata->vif.type != NL80211_IFTYPE_AP_VLAN &&
3210 sdata->vif.type != NL80211_IFTYPE_AP &&
3211 sdata->vif.type != NL80211_IFTYPE_ADHOC)
3212 break;
3213
3214 /* verify action_code is present */
3215 if (len < IEEE80211_MIN_ACTION_SIZE + 1)
3216 break;
3217
3218 switch (mgmt->u.action.u.addba_req.action_code) {
3219 case WLAN_ACTION_ADDBA_REQ:
3220 if (len < (IEEE80211_MIN_ACTION_SIZE +
3221 sizeof(mgmt->u.action.u.addba_req)))
3222 goto invalid;
3223 break;
3224 case WLAN_ACTION_ADDBA_RESP:
3225 if (len < (IEEE80211_MIN_ACTION_SIZE +
3226 sizeof(mgmt->u.action.u.addba_resp)))
3227 goto invalid;
3228 break;
3229 case WLAN_ACTION_DELBA:
3230 if (len < (IEEE80211_MIN_ACTION_SIZE +
3231 sizeof(mgmt->u.action.u.delba)))
3232 goto invalid;
3233 break;
3234 default:
3235 goto invalid;
3236 }
3237
3238 goto queue;
3239 case WLAN_CATEGORY_SPECTRUM_MGMT:
3240 /* verify action_code is present */
3241 if (len < IEEE80211_MIN_ACTION_SIZE + 1)
3242 break;
3243
3244 switch (mgmt->u.action.u.measurement.action_code) {
3245 case WLAN_ACTION_SPCT_MSR_REQ:
3246 if (status->band != NL80211_BAND_5GHZ)
3247 break;
3248
3249 if (len < (IEEE80211_MIN_ACTION_SIZE +
3250 sizeof(mgmt->u.action.u.measurement)))
3251 break;
3252
3253 if (sdata->vif.type != NL80211_IFTYPE_STATION)
3254 break;
3255
3256 ieee80211_process_measurement_req(sdata, mgmt, len);
3257 goto handled;
3258 case WLAN_ACTION_SPCT_CHL_SWITCH: {
3259 u8 *bssid;
3260 if (len < (IEEE80211_MIN_ACTION_SIZE +
3261 sizeof(mgmt->u.action.u.chan_switch)))
3262 break;
3263
3264 if (sdata->vif.type != NL80211_IFTYPE_STATION &&
3265 sdata->vif.type != NL80211_IFTYPE_ADHOC &&
3266 sdata->vif.type != NL80211_IFTYPE_MESH_POINT)
3267 break;
3268
3269 if (sdata->vif.type == NL80211_IFTYPE_STATION)
3270 bssid = sdata->u.mgd.bssid;
3271 else if (sdata->vif.type == NL80211_IFTYPE_ADHOC)
3272 bssid = sdata->u.ibss.bssid;
3273 else if (sdata->vif.type == NL80211_IFTYPE_MESH_POINT)
3274 bssid = mgmt->sa;
3275 else
3276 break;
3277
3278 if (!ether_addr_equal(mgmt->bssid, bssid))
3279 break;
3280
3281 goto queue;
3282 }
3283 }
3284 break;
3285 case WLAN_CATEGORY_SA_QUERY:
3286 if (len < (IEEE80211_MIN_ACTION_SIZE +
3287 sizeof(mgmt->u.action.u.sa_query)))
3288 break;
3289
3290 switch (mgmt->u.action.u.sa_query.action) {
3291 case WLAN_ACTION_SA_QUERY_REQUEST:
3292 if (sdata->vif.type != NL80211_IFTYPE_STATION)
3293 break;
3294 ieee80211_process_sa_query_req(sdata, mgmt, len);
3295 goto handled;
3296 }
3297 break;
3298 case WLAN_CATEGORY_SELF_PROTECTED:
3299 if (len < (IEEE80211_MIN_ACTION_SIZE +
3300 sizeof(mgmt->u.action.u.self_prot.action_code)))
3301 break;
3302
3303 switch (mgmt->u.action.u.self_prot.action_code) {
3304 case WLAN_SP_MESH_PEERING_OPEN:
3305 case WLAN_SP_MESH_PEERING_CLOSE:
3306 case WLAN_SP_MESH_PEERING_CONFIRM:
3307 if (!ieee80211_vif_is_mesh(&sdata->vif))
3308 goto invalid;
3309 if (sdata->u.mesh.user_mpm)
3310 /* userspace handles this frame */
3311 break;
3312 goto queue;
3313 case WLAN_SP_MGK_INFORM:
3314 case WLAN_SP_MGK_ACK:
3315 if (!ieee80211_vif_is_mesh(&sdata->vif))
3316 goto invalid;
3317 break;
3318 }
3319 break;
3320 case WLAN_CATEGORY_MESH_ACTION:
3321 if (len < (IEEE80211_MIN_ACTION_SIZE +
3322 sizeof(mgmt->u.action.u.mesh_action.action_code)))
3323 break;
3324
3325 if (!ieee80211_vif_is_mesh(&sdata->vif))
3326 break;
3327 if (mesh_action_is_path_sel(mgmt) &&
3328 !mesh_path_sel_is_hwmp(sdata))
3329 break;
3330 goto queue;
3331 }
3332
3333 return RX_CONTINUE;
3334
3335 invalid:
3336 status->rx_flags |= IEEE80211_RX_MALFORMED_ACTION_FRM;
3337 /* will return in the next handlers */
3338 return RX_CONTINUE;
3339
3340 handled:
3341 if (rx->sta)
3342 rx->sta->rx_stats.packets++;
3343 dev_kfree_skb(rx->skb);
3344 return RX_QUEUED;
3345
3346 queue:
3347 skb_queue_tail(&sdata->skb_queue, rx->skb);
3348 ieee80211_queue_work(&local->hw, &sdata->work);
3349 if (rx->sta)
3350 rx->sta->rx_stats.packets++;
3351 return RX_QUEUED;
3352}
3353
3354static ieee80211_rx_result debug_noinline
3355ieee80211_rx_h_userspace_mgmt(struct ieee80211_rx_data *rx)
3356{
3357 struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(rx->skb);
3358 int sig = 0;
3359
3360 /* skip known-bad action frames and return them in the next handler */
3361 if (status->rx_flags & IEEE80211_RX_MALFORMED_ACTION_FRM)
3362 return RX_CONTINUE;
3363
3364 /*
3365 * Getting here means the kernel doesn't know how to handle
3366 * it, but maybe userspace does ... include returned frames
3367 * so userspace can register for those to know whether ones
3368 * it transmitted were processed or returned.
3369 */
3370
3371 if (ieee80211_hw_check(&rx->local->hw, SIGNAL_DBM) &&
3372 !(status->flag & RX_FLAG_NO_SIGNAL_VAL))
3373 sig = status->signal;
3374
3375 if (cfg80211_rx_mgmt(&rx->sdata->wdev, status->freq, sig,
3376 rx->skb->data, rx->skb->len, 0)) {
3377 if (rx->sta)
3378 rx->sta->rx_stats.packets++;
3379 dev_kfree_skb(rx->skb);
3380 return RX_QUEUED;
3381 }
3382
3383 return RX_CONTINUE;
3384}
3385
3386static ieee80211_rx_result debug_noinline
3387ieee80211_rx_h_action_return(struct ieee80211_rx_data *rx)
3388{
3389 struct ieee80211_local *local = rx->local;
3390 struct ieee80211_mgmt *mgmt = (struct ieee80211_mgmt *) rx->skb->data;
3391 struct sk_buff *nskb;
3392 struct ieee80211_sub_if_data *sdata = rx->sdata;
3393 struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(rx->skb);
3394
3395 if (!ieee80211_is_action(mgmt->frame_control))
3396 return RX_CONTINUE;
3397
3398 /*
3399 * For AP mode, hostapd is responsible for handling any action
3400 * frames that we didn't handle, including returning unknown
3401 * ones. For all other modes we will return them to the sender,
3402 * setting the 0x80 bit in the action category, as required by
3403 * 802.11-2012 9.24.4.
3404 * Newer versions of hostapd shall also use the management frame
3405 * registration mechanisms, but older ones still use cooked
3406 * monitor interfaces so push all frames there.
3407 */
3408 if (!(status->rx_flags & IEEE80211_RX_MALFORMED_ACTION_FRM) &&
3409 (sdata->vif.type == NL80211_IFTYPE_AP ||
3410 sdata->vif.type == NL80211_IFTYPE_AP_VLAN))
3411 return RX_DROP_MONITOR;
3412
3413 if (is_multicast_ether_addr(mgmt->da))
3414 return RX_DROP_MONITOR;
3415
3416 /* do not return rejected action frames */
3417 if (mgmt->u.action.category & 0x80)
3418 return RX_DROP_UNUSABLE;
3419
3420 nskb = skb_copy_expand(rx->skb, local->hw.extra_tx_headroom, 0,
3421 GFP_ATOMIC);
3422 if (nskb) {
3423 struct ieee80211_mgmt *nmgmt = (void *)nskb->data;
3424
3425 nmgmt->u.action.category |= 0x80;
3426 memcpy(nmgmt->da, nmgmt->sa, ETH_ALEN);
3427 memcpy(nmgmt->sa, rx->sdata->vif.addr, ETH_ALEN);
3428
3429 memset(nskb->cb, 0, sizeof(nskb->cb));
3430
3431 if (rx->sdata->vif.type == NL80211_IFTYPE_P2P_DEVICE) {
3432 struct ieee80211_tx_info *info = IEEE80211_SKB_CB(nskb);
3433
3434 info->flags = IEEE80211_TX_CTL_TX_OFFCHAN |
3435 IEEE80211_TX_INTFL_OFFCHAN_TX_OK |
3436 IEEE80211_TX_CTL_NO_CCK_RATE;
3437 if (ieee80211_hw_check(&local->hw, QUEUE_CONTROL))
3438 info->hw_queue =
3439 local->hw.offchannel_tx_hw_queue;
3440 }
3441
3442 __ieee80211_tx_skb_tid_band(rx->sdata, nskb, 7,
3443 status->band, 0);
3444 }
3445 dev_kfree_skb(rx->skb);
3446 return RX_QUEUED;
3447}
3448
3449static ieee80211_rx_result debug_noinline
3450ieee80211_rx_h_mgmt(struct ieee80211_rx_data *rx)
3451{
3452 struct ieee80211_sub_if_data *sdata = rx->sdata;
3453 struct ieee80211_mgmt *mgmt = (void *)rx->skb->data;
3454 __le16 stype;
3455
3456 stype = mgmt->frame_control & cpu_to_le16(IEEE80211_FCTL_STYPE);
3457
3458 if (!ieee80211_vif_is_mesh(&sdata->vif) &&
3459 sdata->vif.type != NL80211_IFTYPE_ADHOC &&
3460 sdata->vif.type != NL80211_IFTYPE_OCB &&
3461 sdata->vif.type != NL80211_IFTYPE_STATION)
3462 return RX_DROP_MONITOR;
3463
3464 switch (stype) {
3465 case cpu_to_le16(IEEE80211_STYPE_AUTH):
3466 case cpu_to_le16(IEEE80211_STYPE_BEACON):
3467 case cpu_to_le16(IEEE80211_STYPE_PROBE_RESP):
3468 /* process for all: mesh, mlme, ibss */
3469 break;
3470 case cpu_to_le16(IEEE80211_STYPE_DEAUTH):
3471 if (is_multicast_ether_addr(mgmt->da) &&
3472 !is_broadcast_ether_addr(mgmt->da))
3473 return RX_DROP_MONITOR;
3474
3475 /* process only for station/IBSS */
3476 if (sdata->vif.type != NL80211_IFTYPE_STATION &&
3477 sdata->vif.type != NL80211_IFTYPE_ADHOC)
3478 return RX_DROP_MONITOR;
3479 break;
3480 case cpu_to_le16(IEEE80211_STYPE_ASSOC_RESP):
3481 case cpu_to_le16(IEEE80211_STYPE_REASSOC_RESP):
3482 case cpu_to_le16(IEEE80211_STYPE_DISASSOC):
3483 if (is_multicast_ether_addr(mgmt->da) &&
3484 !is_broadcast_ether_addr(mgmt->da))
3485 return RX_DROP_MONITOR;
3486
3487 /* process only for station */
3488 if (sdata->vif.type != NL80211_IFTYPE_STATION)
3489 return RX_DROP_MONITOR;
3490 break;
3491 case cpu_to_le16(IEEE80211_STYPE_PROBE_REQ):
3492 /* process only for ibss and mesh */
3493 if (sdata->vif.type != NL80211_IFTYPE_ADHOC &&
3494 sdata->vif.type != NL80211_IFTYPE_MESH_POINT)
3495 return RX_DROP_MONITOR;
3496 break;
3497 default:
3498 return RX_DROP_MONITOR;
3499 }
3500
3501 /* queue up frame and kick off work to process it */
3502 skb_queue_tail(&sdata->skb_queue, rx->skb);
3503 ieee80211_queue_work(&rx->local->hw, &sdata->work);
3504 if (rx->sta)
3505 rx->sta->rx_stats.packets++;
3506
3507 return RX_QUEUED;
3508}
3509
3510static void ieee80211_rx_cooked_monitor(struct ieee80211_rx_data *rx,
3511 struct ieee80211_rate *rate)
3512{
3513 struct ieee80211_sub_if_data *sdata;
3514 struct ieee80211_local *local = rx->local;
3515 struct sk_buff *skb = rx->skb, *skb2;
3516 struct net_device *prev_dev = NULL;
3517 struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(skb);
3518 int needed_headroom;
3519
3520 /*
3521 * If cooked monitor has been processed already, then
3522 * don't do it again. If not, set the flag.
3523 */
3524 if (rx->flags & IEEE80211_RX_CMNTR)
3525 goto out_free_skb;
3526 rx->flags |= IEEE80211_RX_CMNTR;
3527
3528 /* If there are no cooked monitor interfaces, just free the SKB */
3529 if (!local->cooked_mntrs)
3530 goto out_free_skb;
3531
3532 /* vendor data is long removed here */
3533 status->flag &= ~RX_FLAG_RADIOTAP_VENDOR_DATA;
3534 /* room for the radiotap header based on driver features */
3535 needed_headroom = ieee80211_rx_radiotap_hdrlen(local, status, skb);
3536
3537 if (skb_headroom(skb) < needed_headroom &&
3538 pskb_expand_head(skb, needed_headroom, 0, GFP_ATOMIC))
3539 goto out_free_skb;
3540
3541 /* prepend radiotap information */
3542 ieee80211_add_rx_radiotap_header(local, skb, rate, needed_headroom,
3543 false);
3544
3545 skb_reset_mac_header(skb);
3546 skb->ip_summed = CHECKSUM_UNNECESSARY;
3547 skb->pkt_type = PACKET_OTHERHOST;
3548 skb->protocol = htons(ETH_P_802_2);
3549
3550 list_for_each_entry_rcu(sdata, &local->interfaces, list) {
3551 if (!ieee80211_sdata_running(sdata))
3552 continue;
3553
3554 if (sdata->vif.type != NL80211_IFTYPE_MONITOR ||
3555 !(sdata->u.mntr.flags & MONITOR_FLAG_COOK_FRAMES))
3556 continue;
3557
3558 if (prev_dev) {
3559 skb2 = skb_clone(skb, GFP_ATOMIC);
3560 if (skb2) {
3561 skb2->dev = prev_dev;
3562 netif_receive_skb(skb2);
3563 }
3564 }
3565
3566 prev_dev = sdata->dev;
3567 ieee80211_rx_stats(sdata->dev, skb->len);
3568 }
3569
3570 if (prev_dev) {
3571 skb->dev = prev_dev;
3572 netif_receive_skb(skb);
3573 return;
3574 }
3575
3576 out_free_skb:
3577 dev_kfree_skb(skb);
3578}
3579
3580static void ieee80211_rx_handlers_result(struct ieee80211_rx_data *rx,
3581 ieee80211_rx_result res)
3582{
3583 switch (res) {
3584 case RX_DROP_MONITOR:
3585 I802_DEBUG_INC(rx->sdata->local->rx_handlers_drop);
3586 if (rx->sta)
3587 rx->sta->rx_stats.dropped++;
3588 /* fall through */
3589 case RX_CONTINUE: {
3590 struct ieee80211_rate *rate = NULL;
3591 struct ieee80211_supported_band *sband;
3592 struct ieee80211_rx_status *status;
3593
3594 status = IEEE80211_SKB_RXCB((rx->skb));
3595
3596 sband = rx->local->hw.wiphy->bands[status->band];
3597 if (status->encoding == RX_ENC_LEGACY)
3598 rate = &sband->bitrates[status->rate_idx];
3599
3600 ieee80211_rx_cooked_monitor(rx, rate);
3601 break;
3602 }
3603 case RX_DROP_UNUSABLE:
3604 I802_DEBUG_INC(rx->sdata->local->rx_handlers_drop);
3605 if (rx->sta)
3606 rx->sta->rx_stats.dropped++;
3607 dev_kfree_skb(rx->skb);
3608 break;
3609 case RX_QUEUED:
3610 I802_DEBUG_INC(rx->sdata->local->rx_handlers_queued);
3611 break;
3612 }
3613}
3614
3615static void ieee80211_rx_handlers(struct ieee80211_rx_data *rx,
3616 struct sk_buff_head *frames)
3617{
3618 ieee80211_rx_result res = RX_DROP_MONITOR;
3619 struct sk_buff *skb;
3620
3621#define CALL_RXH(rxh) \
3622 do { \
3623 res = rxh(rx); \
3624 if (res != RX_CONTINUE) \
3625 goto rxh_next; \
3626 } while (0)
3627
3628 /* Lock here to avoid hitting all of the data used in the RX
3629 * path (e.g. key data, station data, ...) concurrently when
3630 * a frame is released from the reorder buffer due to timeout
3631 * from the timer, potentially concurrently with RX from the
3632 * driver.
3633 */
3634 spin_lock_bh(&rx->local->rx_path_lock);
3635
3636 while ((skb = __skb_dequeue(frames))) {
3637 /*
3638 * all the other fields are valid across frames
3639 * that belong to an aMPDU since they are on the
3640 * same TID from the same station
3641 */
3642 rx->skb = skb;
3643
3644 CALL_RXH(ieee80211_rx_h_check_more_data);
3645 CALL_RXH(ieee80211_rx_h_uapsd_and_pspoll);
3646 CALL_RXH(ieee80211_rx_h_sta_process);
3647 CALL_RXH(ieee80211_rx_h_decrypt);
3648 CALL_RXH(ieee80211_rx_h_defragment);
3649 CALL_RXH(ieee80211_rx_h_michael_mic_verify);
3650 /* must be after MMIC verify so header is counted in MPDU mic */
3651#ifdef CONFIG_MAC80211_MESH
3652 if (ieee80211_vif_is_mesh(&rx->sdata->vif))
3653 CALL_RXH(ieee80211_rx_h_mesh_fwding);
3654#endif
3655 CALL_RXH(ieee80211_rx_h_amsdu);
3656 CALL_RXH(ieee80211_rx_h_data);
3657
3658 /* special treatment -- needs the queue */
3659 res = ieee80211_rx_h_ctrl(rx, frames);
3660 if (res != RX_CONTINUE)
3661 goto rxh_next;
3662
3663 CALL_RXH(ieee80211_rx_h_mgmt_check);
3664 CALL_RXH(ieee80211_rx_h_action);
3665 CALL_RXH(ieee80211_rx_h_userspace_mgmt);
3666 CALL_RXH(ieee80211_rx_h_action_return);
3667 CALL_RXH(ieee80211_rx_h_mgmt);
3668
3669 rxh_next:
3670 ieee80211_rx_handlers_result(rx, res);
3671
3672#undef CALL_RXH
3673 }
3674
3675 spin_unlock_bh(&rx->local->rx_path_lock);
3676}
3677
3678static void ieee80211_invoke_rx_handlers(struct ieee80211_rx_data *rx)
3679{
3680 struct sk_buff_head reorder_release;
3681 ieee80211_rx_result res = RX_DROP_MONITOR;
3682
3683 __skb_queue_head_init(&reorder_release);
3684
3685#define CALL_RXH(rxh) \
3686 do { \
3687 res = rxh(rx); \
3688 if (res != RX_CONTINUE) \
3689 goto rxh_next; \
3690 } while (0)
3691
3692 CALL_RXH(ieee80211_rx_h_check_dup);
3693 CALL_RXH(ieee80211_rx_h_check);
3694
3695 ieee80211_rx_reorder_ampdu(rx, &reorder_release);
3696
3697 ieee80211_rx_handlers(rx, &reorder_release);
3698 return;
3699
3700 rxh_next:
3701 ieee80211_rx_handlers_result(rx, res);
3702
3703#undef CALL_RXH
3704}
3705
3706/*
3707 * This function makes calls into the RX path, therefore
3708 * it has to be invoked under RCU read lock.
3709 */
3710void ieee80211_release_reorder_timeout(struct sta_info *sta, int tid)
3711{
3712 struct sk_buff_head frames;
3713 struct ieee80211_rx_data rx = {
3714 .sta = sta,
3715 .sdata = sta->sdata,
3716 .local = sta->local,
3717 /* This is OK -- must be QoS data frame */
3718 .security_idx = tid,
3719 .seqno_idx = tid,
3720 .napi = NULL, /* must be NULL to not have races */
3721 };
3722 struct tid_ampdu_rx *tid_agg_rx;
3723
3724 tid_agg_rx = rcu_dereference(sta->ampdu_mlme.tid_rx[tid]);
3725 if (!tid_agg_rx)
3726 return;
3727
3728 __skb_queue_head_init(&frames);
3729
3730 spin_lock(&tid_agg_rx->reorder_lock);
3731 ieee80211_sta_reorder_release(sta->sdata, tid_agg_rx, &frames);
3732 spin_unlock(&tid_agg_rx->reorder_lock);
3733
3734 if (!skb_queue_empty(&frames)) {
3735 struct ieee80211_event event = {
3736 .type = BA_FRAME_TIMEOUT,
3737 .u.ba.tid = tid,
3738 .u.ba.sta = &sta->sta,
3739 };
3740 drv_event_callback(rx.local, rx.sdata, &event);
3741 }
3742
3743 ieee80211_rx_handlers(&rx, &frames);
3744}
3745
3746void ieee80211_mark_rx_ba_filtered_frames(struct ieee80211_sta *pubsta, u8 tid,
3747 u16 ssn, u64 filtered,
3748 u16 received_mpdus)
3749{
3750 struct sta_info *sta;
3751 struct tid_ampdu_rx *tid_agg_rx;
3752 struct sk_buff_head frames;
3753 struct ieee80211_rx_data rx = {
3754 /* This is OK -- must be QoS data frame */
3755 .security_idx = tid,
3756 .seqno_idx = tid,
3757 };
3758 int i, diff;
3759
3760 if (WARN_ON(!pubsta || tid >= IEEE80211_NUM_TIDS))
3761 return;
3762
3763 __skb_queue_head_init(&frames);
3764
3765 sta = container_of(pubsta, struct sta_info, sta);
3766
3767 rx.sta = sta;
3768 rx.sdata = sta->sdata;
3769 rx.local = sta->local;
3770
3771 rcu_read_lock();
3772 tid_agg_rx = rcu_dereference(sta->ampdu_mlme.tid_rx[tid]);
3773 if (!tid_agg_rx)
3774 goto out;
3775
3776 spin_lock_bh(&tid_agg_rx->reorder_lock);
3777
3778 if (received_mpdus >= IEEE80211_SN_MODULO >> 1) {
3779 int release;
3780
3781 /* release all frames in the reorder buffer */
3782 release = (tid_agg_rx->head_seq_num + tid_agg_rx->buf_size) %
3783 IEEE80211_SN_MODULO;
3784 ieee80211_release_reorder_frames(sta->sdata, tid_agg_rx,
3785 release, &frames);
3786 /* update ssn to match received ssn */
3787 tid_agg_rx->head_seq_num = ssn;
3788 } else {
3789 ieee80211_release_reorder_frames(sta->sdata, tid_agg_rx, ssn,
3790 &frames);
3791 }
3792
3793 /* handle the case that received ssn is behind the mac ssn.
3794 * it can be tid_agg_rx->buf_size behind and still be valid */
3795 diff = (tid_agg_rx->head_seq_num - ssn) & IEEE80211_SN_MASK;
3796 if (diff >= tid_agg_rx->buf_size) {
3797 tid_agg_rx->reorder_buf_filtered = 0;
3798 goto release;
3799 }
3800 filtered = filtered >> diff;
3801 ssn += diff;
3802
3803 /* update bitmap */
3804 for (i = 0; i < tid_agg_rx->buf_size; i++) {
3805 int index = (ssn + i) % tid_agg_rx->buf_size;
3806
3807 tid_agg_rx->reorder_buf_filtered &= ~BIT_ULL(index);
3808 if (filtered & BIT_ULL(i))
3809 tid_agg_rx->reorder_buf_filtered |= BIT_ULL(index);
3810 }
3811
3812 /* now process also frames that the filter marking released */
3813 ieee80211_sta_reorder_release(sta->sdata, tid_agg_rx, &frames);
3814
3815release:
3816 spin_unlock_bh(&tid_agg_rx->reorder_lock);
3817
3818 ieee80211_rx_handlers(&rx, &frames);
3819
3820 out:
3821 rcu_read_unlock();
3822}
3823EXPORT_SYMBOL(ieee80211_mark_rx_ba_filtered_frames);
3824
3825/* main receive path */
3826
3827static bool ieee80211_accept_frame(struct ieee80211_rx_data *rx)
3828{
3829 struct ieee80211_sub_if_data *sdata = rx->sdata;
3830 struct sk_buff *skb = rx->skb;
3831 struct ieee80211_hdr *hdr = (void *)skb->data;
3832 struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(skb);
3833 u8 *bssid = ieee80211_get_bssid(hdr, skb->len, sdata->vif.type);
3834 bool multicast = is_multicast_ether_addr(hdr->addr1);
3835
3836 switch (sdata->vif.type) {
3837 case NL80211_IFTYPE_STATION:
3838 if (!bssid && !sdata->u.mgd.use_4addr)
3839 return false;
3840 if (ieee80211_is_robust_mgmt_frame(skb) && !rx->sta)
3841 return false;
3842 if (multicast)
3843 return true;
3844 return ether_addr_equal(sdata->vif.addr, hdr->addr1);
3845 case NL80211_IFTYPE_ADHOC:
3846 if (!bssid)
3847 return false;
3848 if (ether_addr_equal(sdata->vif.addr, hdr->addr2) ||
3849 ether_addr_equal(sdata->u.ibss.bssid, hdr->addr2))
3850 return false;
3851 if (ieee80211_is_beacon(hdr->frame_control))
3852 return true;
3853 if (!ieee80211_bssid_match(bssid, sdata->u.ibss.bssid))
3854 return false;
3855 if (!multicast &&
3856 !ether_addr_equal(sdata->vif.addr, hdr->addr1))
3857 return false;
3858 if (!rx->sta) {
3859 int rate_idx;
3860 if (status->encoding != RX_ENC_LEGACY)
3861 rate_idx = 0; /* TODO: HT/VHT rates */
3862 else
3863 rate_idx = status->rate_idx;
3864 ieee80211_ibss_rx_no_sta(sdata, bssid, hdr->addr2,
3865 BIT(rate_idx));
3866 }
3867 return true;
3868 case NL80211_IFTYPE_OCB:
3869 if (!bssid)
3870 return false;
3871 if (!ieee80211_is_data_present(hdr->frame_control))
3872 return false;
3873 if (!is_broadcast_ether_addr(bssid))
3874 return false;
3875 if (!multicast &&
3876 !ether_addr_equal(sdata->dev->dev_addr, hdr->addr1))
3877 return false;
3878 if (!rx->sta) {
3879 int rate_idx;
3880 if (status->encoding != RX_ENC_LEGACY)
3881 rate_idx = 0; /* TODO: HT rates */
3882 else
3883 rate_idx = status->rate_idx;
3884 ieee80211_ocb_rx_no_sta(sdata, bssid, hdr->addr2,
3885 BIT(rate_idx));
3886 }
3887 return true;
3888 case NL80211_IFTYPE_MESH_POINT:
3889 if (ether_addr_equal(sdata->vif.addr, hdr->addr2))
3890 return false;
3891 if (multicast)
3892 return true;
3893 return ether_addr_equal(sdata->vif.addr, hdr->addr1);
3894 case NL80211_IFTYPE_AP_VLAN:
3895 case NL80211_IFTYPE_AP:
3896 if (!bssid)
3897 return ether_addr_equal(sdata->vif.addr, hdr->addr1);
3898
3899 if (!ieee80211_bssid_match(bssid, sdata->vif.addr)) {
3900 /*
3901 * Accept public action frames even when the
3902 * BSSID doesn't match, this is used for P2P
3903 * and location updates. Note that mac80211
3904 * itself never looks at these frames.
3905 */
3906 if (!multicast &&
3907 !ether_addr_equal(sdata->vif.addr, hdr->addr1))
3908 return false;
3909 if (ieee80211_is_public_action(hdr, skb->len))
3910 return true;
3911 return ieee80211_is_beacon(hdr->frame_control);
3912 }
3913
3914 if (!ieee80211_has_tods(hdr->frame_control)) {
3915 /* ignore data frames to TDLS-peers */
3916 if (ieee80211_is_data(hdr->frame_control))
3917 return false;
3918 /* ignore action frames to TDLS-peers */
3919 if (ieee80211_is_action(hdr->frame_control) &&
3920 !is_broadcast_ether_addr(bssid) &&
3921 !ether_addr_equal(bssid, hdr->addr1))
3922 return false;
3923 }
3924
3925 /*
3926 * 802.11-2016 Table 9-26 says that for data frames, A1 must be
3927 * the BSSID - we've checked that already but may have accepted
3928 * the wildcard (ff:ff:ff:ff:ff:ff).
3929 *
3930 * It also says:
3931 * The BSSID of the Data frame is determined as follows:
3932 * a) If the STA is contained within an AP or is associated
3933 * with an AP, the BSSID is the address currently in use
3934 * by the STA contained in the AP.
3935 *
3936 * So we should not accept data frames with an address that's
3937 * multicast.
3938 *
3939 * Accepting it also opens a security problem because stations
3940 * could encrypt it with the GTK and inject traffic that way.
3941 */
3942 if (ieee80211_is_data(hdr->frame_control) && multicast)
3943 return false;
3944
3945 return true;
3946 case NL80211_IFTYPE_WDS:
3947 if (bssid || !ieee80211_is_data(hdr->frame_control))
3948 return false;
3949 return ether_addr_equal(sdata->u.wds.remote_addr, hdr->addr2);
3950 case NL80211_IFTYPE_P2P_DEVICE:
3951 return ieee80211_is_public_action(hdr, skb->len) ||
3952 ieee80211_is_probe_req(hdr->frame_control) ||
3953 ieee80211_is_probe_resp(hdr->frame_control) ||
3954 ieee80211_is_beacon(hdr->frame_control);
3955 case NL80211_IFTYPE_NAN:
3956 /* Currently no frames on NAN interface are allowed */
3957 return false;
3958 default:
3959 break;
3960 }
3961
3962 WARN_ON_ONCE(1);
3963 return false;
3964}
3965
3966void ieee80211_check_fast_rx(struct sta_info *sta)
3967{
3968 struct ieee80211_sub_if_data *sdata = sta->sdata;
3969 struct ieee80211_local *local = sdata->local;
3970 struct ieee80211_key *key;
3971 struct ieee80211_fast_rx fastrx = {
3972 .dev = sdata->dev,
3973 .vif_type = sdata->vif.type,
3974 .control_port_protocol = sdata->control_port_protocol,
3975 }, *old, *new = NULL;
3976 bool assign = false;
3977
3978 /* use sparse to check that we don't return without updating */
3979 __acquire(check_fast_rx);
3980
3981 BUILD_BUG_ON(sizeof(fastrx.rfc1042_hdr) != sizeof(rfc1042_header));
3982 BUILD_BUG_ON(sizeof(fastrx.rfc1042_hdr) != ETH_ALEN);
3983 ether_addr_copy(fastrx.rfc1042_hdr, rfc1042_header);
3984 ether_addr_copy(fastrx.vif_addr, sdata->vif.addr);
3985
3986 fastrx.uses_rss = ieee80211_hw_check(&local->hw, USES_RSS);
3987
3988 /* fast-rx doesn't do reordering */
3989 if (ieee80211_hw_check(&local->hw, AMPDU_AGGREGATION) &&
3990 !ieee80211_hw_check(&local->hw, SUPPORTS_REORDERING_BUFFER))
3991 goto clear;
3992
3993 switch (sdata->vif.type) {
3994 case NL80211_IFTYPE_STATION:
3995 if (sta->sta.tdls) {
3996 fastrx.da_offs = offsetof(struct ieee80211_hdr, addr1);
3997 fastrx.sa_offs = offsetof(struct ieee80211_hdr, addr2);
3998 fastrx.expected_ds_bits = 0;
3999 } else {
4000 fastrx.sta_notify = sdata->u.mgd.probe_send_count > 0;
4001 fastrx.da_offs = offsetof(struct ieee80211_hdr, addr1);
4002 fastrx.sa_offs = offsetof(struct ieee80211_hdr, addr3);
4003 fastrx.expected_ds_bits =
4004 cpu_to_le16(IEEE80211_FCTL_FROMDS);
4005 }
4006
4007 if (sdata->u.mgd.use_4addr && !sta->sta.tdls) {
4008 fastrx.expected_ds_bits |=
4009 cpu_to_le16(IEEE80211_FCTL_TODS);
4010 fastrx.da_offs = offsetof(struct ieee80211_hdr, addr3);
4011 fastrx.sa_offs = offsetof(struct ieee80211_hdr, addr4);
4012 }
4013
4014 if (!sdata->u.mgd.powersave)
4015 break;
4016
4017 /* software powersave is a huge mess, avoid all of it */
4018 if (ieee80211_hw_check(&local->hw, PS_NULLFUNC_STACK))
4019 goto clear;
4020 if (ieee80211_hw_check(&local->hw, SUPPORTS_PS) &&
4021 !ieee80211_hw_check(&local->hw, SUPPORTS_DYNAMIC_PS))
4022 goto clear;
4023 break;
4024 case NL80211_IFTYPE_AP_VLAN:
4025 case NL80211_IFTYPE_AP:
4026 /* parallel-rx requires this, at least with calls to
4027 * ieee80211_sta_ps_transition()
4028 */
4029 if (!ieee80211_hw_check(&local->hw, AP_LINK_PS))
4030 goto clear;
4031 fastrx.da_offs = offsetof(struct ieee80211_hdr, addr3);
4032 fastrx.sa_offs = offsetof(struct ieee80211_hdr, addr2);
4033 fastrx.expected_ds_bits = cpu_to_le16(IEEE80211_FCTL_TODS);
4034
4035 fastrx.internal_forward =
4036 !(sdata->flags & IEEE80211_SDATA_DONT_BRIDGE_PACKETS) &&
4037 (sdata->vif.type != NL80211_IFTYPE_AP_VLAN ||
4038 !sdata->u.vlan.sta);
4039
4040 if (sdata->vif.type == NL80211_IFTYPE_AP_VLAN &&
4041 sdata->u.vlan.sta) {
4042 fastrx.expected_ds_bits |=
4043 cpu_to_le16(IEEE80211_FCTL_FROMDS);
4044 fastrx.sa_offs = offsetof(struct ieee80211_hdr, addr4);
4045 fastrx.internal_forward = 0;
4046 }
4047
4048 break;
4049 default:
4050 goto clear;
4051 }
4052
4053 if (!test_sta_flag(sta, WLAN_STA_AUTHORIZED))
4054 goto clear;
4055
4056 rcu_read_lock();
4057 key = rcu_dereference(sta->ptk[sta->ptk_idx]);
4058 if (key) {
4059 switch (key->conf.cipher) {
4060 case WLAN_CIPHER_SUITE_TKIP:
4061 /* we don't want to deal with MMIC in fast-rx */
4062 goto clear_rcu;
4063 case WLAN_CIPHER_SUITE_CCMP:
4064 case WLAN_CIPHER_SUITE_CCMP_256:
4065 case WLAN_CIPHER_SUITE_GCMP:
4066 case WLAN_CIPHER_SUITE_GCMP_256:
4067 break;
4068 default:
4069 /* We also don't want to deal with
4070 * WEP or cipher scheme.
4071 */
4072 goto clear_rcu;
4073 }
4074
4075 fastrx.key = true;
4076 fastrx.icv_len = key->conf.icv_len;
4077 }
4078
4079 assign = true;
4080 clear_rcu:
4081 rcu_read_unlock();
4082 clear:
4083 __release(check_fast_rx);
4084
4085 if (assign)
4086 new = kmemdup(&fastrx, sizeof(fastrx), GFP_KERNEL);
4087
4088 spin_lock_bh(&sta->lock);
4089 old = rcu_dereference_protected(sta->fast_rx, true);
4090 rcu_assign_pointer(sta->fast_rx, new);
4091 spin_unlock_bh(&sta->lock);
4092
4093 if (old)
4094 kfree_rcu(old, rcu_head);
4095}
4096
4097void ieee80211_clear_fast_rx(struct sta_info *sta)
4098{
4099 struct ieee80211_fast_rx *old;
4100
4101 spin_lock_bh(&sta->lock);
4102 old = rcu_dereference_protected(sta->fast_rx, true);
4103 RCU_INIT_POINTER(sta->fast_rx, NULL);
4104 spin_unlock_bh(&sta->lock);
4105
4106 if (old)
4107 kfree_rcu(old, rcu_head);
4108}
4109
4110void __ieee80211_check_fast_rx_iface(struct ieee80211_sub_if_data *sdata)
4111{
4112 struct ieee80211_local *local = sdata->local;
4113 struct sta_info *sta;
4114
4115 lockdep_assert_held(&local->sta_mtx);
4116
4117 list_for_each_entry_rcu(sta, &local->sta_list, list) {
4118 if (sdata != sta->sdata &&
4119 (!sta->sdata->bss || sta->sdata->bss != sdata->bss))
4120 continue;
4121 ieee80211_check_fast_rx(sta);
4122 }
4123}
4124
4125void ieee80211_check_fast_rx_iface(struct ieee80211_sub_if_data *sdata)
4126{
4127 struct ieee80211_local *local = sdata->local;
4128
4129 mutex_lock(&local->sta_mtx);
4130 __ieee80211_check_fast_rx_iface(sdata);
4131 mutex_unlock(&local->sta_mtx);
4132}
4133
4134static bool ieee80211_invoke_fast_rx(struct ieee80211_rx_data *rx,
4135 struct ieee80211_fast_rx *fast_rx)
4136{
4137 struct sk_buff *skb = rx->skb;
4138 struct ieee80211_hdr *hdr = (void *)skb->data;
4139 struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(skb);
4140 struct sta_info *sta = rx->sta;
4141 int orig_len = skb->len;
4142 int hdrlen = ieee80211_hdrlen(hdr->frame_control);
4143 int snap_offs = hdrlen;
4144 struct {
4145 u8 snap[sizeof(rfc1042_header)];
4146 __be16 proto;
4147 } *payload __aligned(2);
4148 struct {
4149 u8 da[ETH_ALEN];
4150 u8 sa[ETH_ALEN];
4151 } addrs __aligned(2);
4152 struct ieee80211_sta_rx_stats *stats = &sta->rx_stats;
4153
4154 if (fast_rx->uses_rss)
4155 stats = this_cpu_ptr(sta->pcpu_rx_stats);
4156
4157 /* for parallel-rx, we need to have DUP_VALIDATED, otherwise we write
4158 * to a common data structure; drivers can implement that per queue
4159 * but we don't have that information in mac80211
4160 */
4161 if (!(status->flag & RX_FLAG_DUP_VALIDATED))
4162 return false;
4163
4164#define FAST_RX_CRYPT_FLAGS (RX_FLAG_PN_VALIDATED | RX_FLAG_DECRYPTED)
4165
4166 /* If using encryption, we also need to have:
4167 * - PN_VALIDATED: similar, but the implementation is tricky
4168 * - DECRYPTED: necessary for PN_VALIDATED
4169 */
4170 if (fast_rx->key &&
4171 (status->flag & FAST_RX_CRYPT_FLAGS) != FAST_RX_CRYPT_FLAGS)
4172 return false;
4173
4174 if (unlikely(!ieee80211_is_data_present(hdr->frame_control)))
4175 return false;
4176
4177 if (unlikely(ieee80211_is_frag(hdr)))
4178 return false;
4179
4180 /* Since our interface address cannot be multicast, this
4181 * implicitly also rejects multicast frames without the
4182 * explicit check.
4183 *
4184 * We shouldn't get any *data* frames not addressed to us
4185 * (AP mode will accept multicast *management* frames), but
4186 * punting here will make it go through the full checks in
4187 * ieee80211_accept_frame().
4188 */
4189 if (!ether_addr_equal(fast_rx->vif_addr, hdr->addr1))
4190 return false;
4191
4192 if ((hdr->frame_control & cpu_to_le16(IEEE80211_FCTL_FROMDS |
4193 IEEE80211_FCTL_TODS)) !=
4194 fast_rx->expected_ds_bits)
4195 return false;
4196
4197 /* assign the key to drop unencrypted frames (later)
4198 * and strip the IV/MIC if necessary
4199 */
4200 if (fast_rx->key && !(status->flag & RX_FLAG_IV_STRIPPED)) {
4201 /* GCMP header length is the same */
4202 snap_offs += IEEE80211_CCMP_HDR_LEN;
4203 }
4204
4205 if (!(status->rx_flags & IEEE80211_RX_AMSDU)) {
4206 if (!pskb_may_pull(skb, snap_offs + sizeof(*payload)))
4207 goto drop;
4208
4209 payload = (void *)(skb->data + snap_offs);
4210
4211 if (!ether_addr_equal(payload->snap, fast_rx->rfc1042_hdr))
4212 return false;
4213
4214 /* Don't handle these here since they require special code.
4215 * Accept AARP and IPX even though they should come with a
4216 * bridge-tunnel header - but if we get them this way then
4217 * there's little point in discarding them.
4218 */
4219 if (unlikely(payload->proto == cpu_to_be16(ETH_P_TDLS) ||
4220 payload->proto == fast_rx->control_port_protocol))
4221 return false;
4222 }
4223
4224 /* after this point, don't punt to the slowpath! */
4225
4226 if (rx->key && !(status->flag & RX_FLAG_MIC_STRIPPED) &&
4227 pskb_trim(skb, skb->len - fast_rx->icv_len))
4228 goto drop;
4229
4230 if (unlikely(fast_rx->sta_notify)) {
4231 ieee80211_sta_rx_notify(rx->sdata, hdr);
4232 fast_rx->sta_notify = false;
4233 }
4234
4235 /* statistics part of ieee80211_rx_h_sta_process() */
4236 if (!(status->flag & RX_FLAG_NO_SIGNAL_VAL)) {
4237 stats->last_signal = status->signal;
4238 if (!fast_rx->uses_rss)
4239 ewma_signal_add(&sta->rx_stats_avg.signal,
4240 -status->signal);
4241 }
4242
4243 if (status->chains) {
4244 int i;
4245
4246 stats->chains = status->chains;
4247 for (i = 0; i < ARRAY_SIZE(status->chain_signal); i++) {
4248 int signal = status->chain_signal[i];
4249
4250 if (!(status->chains & BIT(i)))
4251 continue;
4252
4253 stats->chain_signal_last[i] = signal;
4254 if (!fast_rx->uses_rss)
4255 ewma_signal_add(&sta->rx_stats_avg.chain_signal[i],
4256 -signal);
4257 }
4258 }
4259 /* end of statistics */
4260
4261 if (rx->key && !ieee80211_has_protected(hdr->frame_control))
4262 goto drop;
4263
4264 if (status->rx_flags & IEEE80211_RX_AMSDU) {
4265 if (__ieee80211_rx_h_amsdu(rx, snap_offs - hdrlen) !=
4266 RX_QUEUED)
4267 goto drop;
4268
4269 return true;
4270 }
4271
4272 stats->last_rx = jiffies;
4273 stats->last_rate = sta_stats_encode_rate(status);
4274
4275 stats->fragments++;
4276 stats->packets++;
4277
4278 /* do the header conversion - first grab the addresses */
4279 ether_addr_copy(addrs.da, skb->data + fast_rx->da_offs);
4280 ether_addr_copy(addrs.sa, skb->data + fast_rx->sa_offs);
4281 /* remove the SNAP but leave the ethertype */
4282 skb_pull(skb, snap_offs + sizeof(rfc1042_header));
4283 /* push the addresses in front */
4284 memcpy(skb_push(skb, sizeof(addrs)), &addrs, sizeof(addrs));
4285
4286 skb->dev = fast_rx->dev;
4287
4288 ieee80211_rx_stats(fast_rx->dev, skb->len);
4289
4290 /* The seqno index has the same property as needed
4291 * for the rx_msdu field, i.e. it is IEEE80211_NUM_TIDS
4292 * for non-QoS-data frames. Here we know it's a data
4293 * frame, so count MSDUs.
4294 */
4295 u64_stats_update_begin(&stats->syncp);
4296 stats->msdu[rx->seqno_idx]++;
4297 stats->bytes += orig_len;
4298 u64_stats_update_end(&stats->syncp);
4299
4300 if (fast_rx->internal_forward) {
4301 struct sk_buff *xmit_skb = NULL;
4302 if (is_multicast_ether_addr(addrs.da)) {
4303 xmit_skb = skb_copy(skb, GFP_ATOMIC);
4304 } else if (!ether_addr_equal(addrs.da, addrs.sa) &&
4305 sta_info_get(rx->sdata, addrs.da)) {
4306 xmit_skb = skb;
4307 skb = NULL;
4308 }
4309
4310 if (xmit_skb) {
4311 /*
4312 * Send to wireless media and increase priority by 256
4313 * to keep the received priority instead of
4314 * reclassifying the frame (see cfg80211_classify8021d).
4315 */
4316 xmit_skb->priority += 256;
4317 xmit_skb->protocol = htons(ETH_P_802_3);
4318 skb_reset_network_header(xmit_skb);
4319 skb_reset_mac_header(xmit_skb);
4320 dev_queue_xmit(xmit_skb);
4321 }
4322
4323 if (!skb)
4324 return true;
4325 }
4326
4327 /* deliver to local stack */
4328 skb->protocol = eth_type_trans(skb, fast_rx->dev);
4329 memset(skb->cb, 0, sizeof(skb->cb));
4330 if (rx->napi)
4331 napi_gro_receive(rx->napi, skb);
4332 else
4333 netif_receive_skb(skb);
4334
4335 return true;
4336 drop:
4337 dev_kfree_skb(skb);
4338 stats->dropped++;
4339 return true;
4340}
4341
4342/*
4343 * This function returns whether or not the SKB
4344 * was destined for RX processing or not, which,
4345 * if consume is true, is equivalent to whether
4346 * or not the skb was consumed.
4347 */
4348static bool ieee80211_prepare_and_rx_handle(struct ieee80211_rx_data *rx,
4349 struct sk_buff *skb, bool consume)
4350{
4351 struct ieee80211_local *local = rx->local;
4352 struct ieee80211_sub_if_data *sdata = rx->sdata;
4353
4354 rx->skb = skb;
4355
4356 /* See if we can do fast-rx; if we have to copy we already lost,
4357 * so punt in that case. We should never have to deliver a data
4358 * frame to multiple interfaces anyway.
4359 *
4360 * We skip the ieee80211_accept_frame() call and do the necessary
4361 * checking inside ieee80211_invoke_fast_rx().
4362 */
4363 if (consume && rx->sta) {
4364 struct ieee80211_fast_rx *fast_rx;
4365
4366 fast_rx = rcu_dereference(rx->sta->fast_rx);
4367 if (fast_rx && ieee80211_invoke_fast_rx(rx, fast_rx))
4368 return true;
4369 }
4370
4371 if (!ieee80211_accept_frame(rx))
4372 return false;
4373
4374 if (!consume) {
4375 skb = skb_copy(skb, GFP_ATOMIC);
4376 if (!skb) {
4377 if (net_ratelimit())
4378 wiphy_debug(local->hw.wiphy,
4379 "failed to copy skb for %s\n",
4380 sdata->name);
4381 return true;
4382 }
4383
4384 rx->skb = skb;
4385 }
4386
4387 ieee80211_invoke_rx_handlers(rx);
4388 return true;
4389}
4390
4391/*
4392 * This is the actual Rx frames handler. as it belongs to Rx path it must
4393 * be called with rcu_read_lock protection.
4394 */
4395static void __ieee80211_rx_handle_packet(struct ieee80211_hw *hw,
4396 struct ieee80211_sta *pubsta,
4397 struct sk_buff *skb,
4398 struct napi_struct *napi)
4399{
4400 struct ieee80211_local *local = hw_to_local(hw);
4401 struct ieee80211_sub_if_data *sdata;
4402 struct ieee80211_hdr *hdr;
4403 __le16 fc;
4404 struct ieee80211_rx_data rx;
4405 struct ieee80211_sub_if_data *prev;
4406 struct rhlist_head *tmp;
4407 int err = 0;
4408
4409 fc = ((struct ieee80211_hdr *)skb->data)->frame_control;
4410 memset(&rx, 0, sizeof(rx));
4411 rx.skb = skb;
4412 rx.local = local;
4413 rx.napi = napi;
4414
4415 if (ieee80211_is_data(fc) || ieee80211_is_mgmt(fc))
4416 I802_DEBUG_INC(local->dot11ReceivedFragmentCount);
4417
4418 if (ieee80211_is_mgmt(fc)) {
4419 /* drop frame if too short for header */
4420 if (skb->len < ieee80211_hdrlen(fc))
4421 err = -ENOBUFS;
4422 else
4423 err = skb_linearize(skb);
4424 } else {
4425 err = !pskb_may_pull(skb, ieee80211_hdrlen(fc));
4426 }
4427
4428 if (err) {
4429 dev_kfree_skb(skb);
4430 return;
4431 }
4432
4433 hdr = (struct ieee80211_hdr *)skb->data;
4434 ieee80211_parse_qos(&rx);
4435 ieee80211_verify_alignment(&rx);
4436
4437 if (unlikely(ieee80211_is_probe_resp(hdr->frame_control) ||
4438 ieee80211_is_beacon(hdr->frame_control)))
4439 ieee80211_scan_rx(local, skb);
4440
4441 if (ieee80211_is_data(fc)) {
4442 struct sta_info *sta, *prev_sta;
4443
4444 if (pubsta) {
4445 rx.sta = container_of(pubsta, struct sta_info, sta);
4446 rx.sdata = rx.sta->sdata;
4447 if (ieee80211_prepare_and_rx_handle(&rx, skb, true))
4448 return;
4449 goto out;
4450 }
4451
4452 prev_sta = NULL;
4453
4454 for_each_sta_info(local, hdr->addr2, sta, tmp) {
4455 if (!prev_sta) {
4456 prev_sta = sta;
4457 continue;
4458 }
4459
4460 rx.sta = prev_sta;
4461 rx.sdata = prev_sta->sdata;
4462 ieee80211_prepare_and_rx_handle(&rx, skb, false);
4463
4464 prev_sta = sta;
4465 }
4466
4467 if (prev_sta) {
4468 rx.sta = prev_sta;
4469 rx.sdata = prev_sta->sdata;
4470
4471 if (ieee80211_prepare_and_rx_handle(&rx, skb, true))
4472 return;
4473 goto out;
4474 }
4475 }
4476
4477 prev = NULL;
4478
4479 list_for_each_entry_rcu(sdata, &local->interfaces, list) {
4480 if (!ieee80211_sdata_running(sdata))
4481 continue;
4482
4483 if (sdata->vif.type == NL80211_IFTYPE_MONITOR ||
4484 sdata->vif.type == NL80211_IFTYPE_AP_VLAN)
4485 continue;
4486
4487 /*
4488 * frame is destined for this interface, but if it's
4489 * not also for the previous one we handle that after
4490 * the loop to avoid copying the SKB once too much
4491 */
4492
4493 if (!prev) {
4494 prev = sdata;
4495 continue;
4496 }
4497
4498 rx.sta = sta_info_get_bss(prev, hdr->addr2);
4499 rx.sdata = prev;
4500 ieee80211_prepare_and_rx_handle(&rx, skb, false);
4501
4502 prev = sdata;
4503 }
4504
4505 if (prev) {
4506 rx.sta = sta_info_get_bss(prev, hdr->addr2);
4507 rx.sdata = prev;
4508
4509 if (ieee80211_prepare_and_rx_handle(&rx, skb, true))
4510 return;
4511 }
4512
4513 out:
4514 dev_kfree_skb(skb);
4515}
4516
4517/*
4518 * This is the receive path handler. It is called by a low level driver when an
4519 * 802.11 MPDU is received from the hardware.
4520 */
4521void ieee80211_rx_napi(struct ieee80211_hw *hw, struct ieee80211_sta *pubsta,
4522 struct sk_buff *skb, struct napi_struct *napi)
4523{
4524 struct ieee80211_local *local = hw_to_local(hw);
4525 struct ieee80211_rate *rate = NULL;
4526 struct ieee80211_supported_band *sband;
4527 struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(skb);
4528
4529 WARN_ON_ONCE(softirq_count() == 0);
4530
4531 if (WARN_ON(status->band >= NUM_NL80211_BANDS))
4532 goto drop;
4533
4534 sband = local->hw.wiphy->bands[status->band];
4535 if (WARN_ON(!sband))
4536 goto drop;
4537
4538 /*
4539 * If we're suspending, it is possible although not too likely
4540 * that we'd be receiving frames after having already partially
4541 * quiesced the stack. We can't process such frames then since
4542 * that might, for example, cause stations to be added or other
4543 * driver callbacks be invoked.
4544 */
4545 if (unlikely(local->quiescing || local->suspended))
4546 goto drop;
4547
4548 /* We might be during a HW reconfig, prevent Rx for the same reason */
4549 if (unlikely(local->in_reconfig))
4550 goto drop;
4551
4552 /*
4553 * The same happens when we're not even started,
4554 * but that's worth a warning.
4555 */
4556 if (WARN_ON(!local->started))
4557 goto drop;
4558
4559 if (likely(!(status->flag & RX_FLAG_FAILED_PLCP_CRC))) {
4560 /*
4561 * Validate the rate, unless a PLCP error means that
4562 * we probably can't have a valid rate here anyway.
4563 */
4564
4565 switch (status->encoding) {
4566 case RX_ENC_HT:
4567 /*
4568 * rate_idx is MCS index, which can be [0-76]
4569 * as documented on:
4570 *
4571 * http://wireless.kernel.org/en/developers/Documentation/ieee80211/802.11n
4572 *
4573 * Anything else would be some sort of driver or
4574 * hardware error. The driver should catch hardware
4575 * errors.
4576 */
4577 if (WARN(status->rate_idx > 76,
4578 "Rate marked as an HT rate but passed "
4579 "status->rate_idx is not "
4580 "an MCS index [0-76]: %d (0x%02x)\n",
4581 status->rate_idx,
4582 status->rate_idx))
4583 goto drop;
4584 break;
4585 case RX_ENC_VHT:
4586 if (WARN_ONCE(status->rate_idx > 9 ||
4587 !status->nss ||
4588 status->nss > 8,
4589 "Rate marked as a VHT rate but data is invalid: MCS: %d, NSS: %d\n",
4590 status->rate_idx, status->nss))
4591 goto drop;
4592 break;
4593 case RX_ENC_HE:
4594 if (WARN_ONCE(status->rate_idx > 11 ||
4595 !status->nss ||
4596 status->nss > 8,
4597 "Rate marked as an HE rate but data is invalid: MCS: %d, NSS: %d\n",
4598 status->rate_idx, status->nss))
4599 goto drop;
4600 break;
4601 default:
4602 WARN_ON_ONCE(1);
4603 /* fall through */
4604 case RX_ENC_LEGACY:
4605 if (WARN_ON(status->rate_idx >= sband->n_bitrates))
4606 goto drop;
4607 rate = &sband->bitrates[status->rate_idx];
4608 }
4609 }
4610
4611 status->rx_flags = 0;
4612
4613 /*
4614 * key references and virtual interfaces are protected using RCU
4615 * and this requires that we are in a read-side RCU section during
4616 * receive processing
4617 */
4618 rcu_read_lock();
4619
4620 /*
4621 * Frames with failed FCS/PLCP checksum are not returned,
4622 * all other frames are returned without radiotap header
4623 * if it was previously present.
4624 * Also, frames with less than 16 bytes are dropped.
4625 */
4626 skb = ieee80211_rx_monitor(local, skb, rate);
4627 if (!skb) {
4628 rcu_read_unlock();
4629 return;
4630 }
4631
4632 ieee80211_tpt_led_trig_rx(local,
4633 ((struct ieee80211_hdr *)skb->data)->frame_control,
4634 skb->len);
4635
4636 __ieee80211_rx_handle_packet(hw, pubsta, skb, napi);
4637
4638 rcu_read_unlock();
4639
4640 return;
4641 drop:
4642 kfree_skb(skb);
4643}
4644EXPORT_SYMBOL(ieee80211_rx_napi);
4645
4646/* This is a version of the rx handler that can be called from hard irq
4647 * context. Post the skb on the queue and schedule the tasklet */
4648void ieee80211_rx_irqsafe(struct ieee80211_hw *hw, struct sk_buff *skb)
4649{
4650 struct ieee80211_local *local = hw_to_local(hw);
4651
4652 BUILD_BUG_ON(sizeof(struct ieee80211_rx_status) > sizeof(skb->cb));
4653
4654 skb->pkt_type = IEEE80211_RX_MSG;
4655 skb_queue_tail(&local->skb_queue, skb);
4656 tasklet_schedule(&local->tasklet);
4657}
4658EXPORT_SYMBOL(ieee80211_rx_irqsafe);