LXR linux/net/mac80211/rx.c

   1/*
   2 * Copyright 2002-2005, Instant802 Networks, Inc.
   3 * Copyright 2005-2006, Devicescape Software, Inc.
   4 * Copyright 2006-2007  Jiri Benc <jbenc@suse.cz>
   5 * Copyright 2007       Johannes Berg <johannes@sipsolutions.net>
   6 *
   7 * This program is free software; you can redistribute it and/or modify
   8 * it under the terms of the GNU General Public License version 2 as
   9 * published by the Free Software Foundation.
  10 */
  11
  12#include <linux/jiffies.h>
  13#include <linux/kernel.h>
  14#include <linux/skbuff.h>
  15#include <linux/netdevice.h>
  16#include <linux/etherdevice.h>
  17#include <linux/rcupdate.h>
  18#include <net/mac80211.h>
  19#include <net/ieee80211_radiotap.h>
  20
  21#include "ieee80211_i.h"
  22#include "driver-ops.h"
  23#include "led.h"
  24#include "mesh.h"
  25#include "wep.h"
  26#include "wpa.h"
  27#include "tkip.h"
  28#include "wme.h"
  29
  30static u8 ieee80211_sta_manage_reorder_buf(struct ieee80211_hw *hw,
  31                                           struct tid_ampdu_rx *tid_agg_rx,
  32                                           struct sk_buff *skb,
  33                                           u16 mpdu_seq_num,
  34                                           int bar_req);
  35/*
  36 * monitor mode reception
  37 *
  38 * This function cleans up the SKB, i.e. it removes all the stuff
  39 * only useful for monitoring.
  40 */
  41static struct sk_buff *remove_monitor_info(struct ieee80211_local *local,
  42                                           struct sk_buff *skb,
  43                                           int rtap_len)
  44{
  45        skb_pull(skb, rtap_len);
  46
  47        if (local->hw.flags & IEEE80211_HW_RX_INCLUDES_FCS) {
  48                if (likely(skb->len > FCS_LEN))
  49                        skb_trim(skb, skb->len - FCS_LEN);
  50                else {
  51                        /* driver bug */
  52                        WARN_ON(1);
  53                        dev_kfree_skb(skb);
  54                        skb = NULL;
  55                }
  56        }
  57
  58        return skb;
  59}
  60
  61static inline int should_drop_frame(struct sk_buff *skb,
  62                                    int present_fcs_len,
  63                                    int radiotap_len)
  64{
  65        struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(skb);
  66        struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)skb->data;
  67
  68        if (status->flag & (RX_FLAG_FAILED_FCS_CRC | RX_FLAG_FAILED_PLCP_CRC))
  69                return 1;
  70        if (unlikely(skb->len < 16 + present_fcs_len + radiotap_len))
  71                return 1;
  72        if (ieee80211_is_ctl(hdr->frame_control) &&
  73            !ieee80211_is_pspoll(hdr->frame_control) &&
  74            !ieee80211_is_back_req(hdr->frame_control))
  75                return 1;
  76        return 0;
  77}
  78
  79static int
  80ieee80211_rx_radiotap_len(struct ieee80211_local *local,
  81                          struct ieee80211_rx_status *status)
  82{
  83        int len;
  84
  85        /* always present fields */
  86        len = sizeof(struct ieee80211_radiotap_header) + 9;
  87
  88        if (status->flag & RX_FLAG_TSFT)
  89                len += 8;
  90        if (local->hw.flags & IEEE80211_HW_SIGNAL_DBM)
  91                len += 1;
  92        if (local->hw.flags & IEEE80211_HW_NOISE_DBM)
  93                len += 1;
  94
  95        if (len & 1) /* padding for RX_FLAGS if necessary */
  96                len++;
  97
  98        /* make sure radiotap starts at a naturally aligned address */
  99        if (len % 8)
 100                len = roundup(len, 8);
 101
 102        return len;
 103}
 104
 105/*
 106 * ieee80211_add_rx_radiotap_header - add radiotap header
 107 *
 108 * add a radiotap header containing all the fields which the hardware provided.
 109 */
 110static void
 111ieee80211_add_rx_radiotap_header(struct ieee80211_local *local,
 112                                 struct sk_buff *skb,
 113                                 struct ieee80211_rate *rate,
 114                                 int rtap_len)
 115{
 116        struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(skb);
 117        struct ieee80211_radiotap_header *rthdr;
 118        unsigned char *pos;
 119
 120        rthdr = (struct ieee80211_radiotap_header *)skb_push(skb, rtap_len);
 121        memset(rthdr, 0, rtap_len);
 122
 123        /* radiotap header, set always present flags */
 124        rthdr->it_present =
 125                cpu_to_le32((1 << IEEE80211_RADIOTAP_FLAGS) |
 126                            (1 << IEEE80211_RADIOTAP_CHANNEL) |
 127                            (1 << IEEE80211_RADIOTAP_ANTENNA) |
 128                            (1 << IEEE80211_RADIOTAP_RX_FLAGS));
 129        rthdr->it_len = cpu_to_le16(rtap_len);
 130
 131        pos = (unsigned char *)(rthdr+1);
 132
 133        /* the order of the following fields is important */
 134
 135        /* IEEE80211_RADIOTAP_TSFT */
 136        if (status->flag & RX_FLAG_TSFT) {
 137                *(__le64 *)pos = cpu_to_le64(status->mactime);
 138                rthdr->it_present |=
 139                        cpu_to_le32(1 << IEEE80211_RADIOTAP_TSFT);
 140                pos += 8;
 141        }
 142
 143        /* IEEE80211_RADIOTAP_FLAGS */
 144        if (local->hw.flags & IEEE80211_HW_RX_INCLUDES_FCS)
 145                *pos |= IEEE80211_RADIOTAP_F_FCS;
 146        if (status->flag & (RX_FLAG_FAILED_FCS_CRC | RX_FLAG_FAILED_PLCP_CRC))
 147                *pos |= IEEE80211_RADIOTAP_F_BADFCS;
 148        if (status->flag & RX_FLAG_SHORTPRE)
 149                *pos |= IEEE80211_RADIOTAP_F_SHORTPRE;
 150        pos++;
 151
 152        /* IEEE80211_RADIOTAP_RATE */
 153        if (status->flag & RX_FLAG_HT) {
 154                /*
 155                 * TODO: add following information into radiotap header once
 156                 * suitable fields are defined for it:
 157                 * - MCS index (status->rate_idx)
 158                 * - HT40 (status->flag & RX_FLAG_40MHZ)
 159                 * - short-GI (status->flag & RX_FLAG_SHORT_GI)
 160                 */
 161                *pos = 0;
 162        } else {
 163                rthdr->it_present |= cpu_to_le32(1 << IEEE80211_RADIOTAP_RATE);
 164                *pos = rate->bitrate / 5;
 165        }
 166        pos++;
 167
 168        /* IEEE80211_RADIOTAP_CHANNEL */
 169        *(__le16 *)pos = cpu_to_le16(status->freq);
 170        pos += 2;
 171        if (status->band == IEEE80211_BAND_5GHZ)
 172                *(__le16 *)pos = cpu_to_le16(IEEE80211_CHAN_OFDM |
 173                                             IEEE80211_CHAN_5GHZ);
 174        else if (rate->flags & IEEE80211_RATE_ERP_G)
 175                *(__le16 *)pos = cpu_to_le16(IEEE80211_CHAN_OFDM |
 176                                             IEEE80211_CHAN_2GHZ);
 177        else
 178                *(__le16 *)pos = cpu_to_le16(IEEE80211_CHAN_CCK |
 179                                             IEEE80211_CHAN_2GHZ);
 180        pos += 2;
 181
 182        /* IEEE80211_RADIOTAP_DBM_ANTSIGNAL */
 183        if (local->hw.flags & IEEE80211_HW_SIGNAL_DBM) {
 184                *pos = status->signal;
 185                rthdr->it_present |=
 186                        cpu_to_le32(1 << IEEE80211_RADIOTAP_DBM_ANTSIGNAL);
 187                pos++;
 188        }
 189
 190        /* IEEE80211_RADIOTAP_DBM_ANTNOISE */
 191        if (local->hw.flags & IEEE80211_HW_NOISE_DBM) {
 192                *pos = status->noise;
 193                rthdr->it_present |=
 194                        cpu_to_le32(1 << IEEE80211_RADIOTAP_DBM_ANTNOISE);
 195                pos++;
 196        }
 197
 198        /* IEEE80211_RADIOTAP_LOCK_QUALITY is missing */
 199
 200        /* IEEE80211_RADIOTAP_ANTENNA */
 201        *pos = status->antenna;
 202        pos++;
 203
 204        /* IEEE80211_RADIOTAP_DB_ANTNOISE is not used */
 205
 206        /* IEEE80211_RADIOTAP_RX_FLAGS */
 207        /* ensure 2 byte alignment for the 2 byte field as required */
 208        if ((pos - (unsigned char *)rthdr) & 1)
 209                pos++;
 210        if (status->flag & RX_FLAG_FAILED_PLCP_CRC)
 211                *(__le16 *)pos |= cpu_to_le16(IEEE80211_RADIOTAP_F_RX_BADPLCP);
 212        pos += 2;
 213}
 214
 215/*
 216 * This function copies a received frame to all monitor interfaces and
 217 * returns a cleaned-up SKB that no longer includes the FCS nor the
 218 * radiotap header the driver might have added.
 219 */
 220static struct sk_buff *
 221ieee80211_rx_monitor(struct ieee80211_local *local, struct sk_buff *origskb,
 222                     struct ieee80211_rate *rate)
 223{
 224        struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(origskb);
 225        struct ieee80211_sub_if_data *sdata;
 226        int needed_headroom = 0;
 227        struct sk_buff *skb, *skb2;
 228        struct net_device *prev_dev = NULL;
 229        int present_fcs_len = 0;
 230        int rtap_len = 0;
 231
 232        /*
 233         * First, we may need to make a copy of the skb because
 234         *  (1) we need to modify it for radiotap (if not present), and
 235         *  (2) the other RX handlers will modify the skb we got.
 236         *
 237         * We don't need to, of course, if we aren't going to return
 238         * the SKB because it has a bad FCS/PLCP checksum.
 239         */
 240        if (status->flag & RX_FLAG_RADIOTAP)
 241                rtap_len = ieee80211_get_radiotap_len(origskb->data);
 242        else
 243                /* room for the radiotap header based on driver features */
 244                needed_headroom = ieee80211_rx_radiotap_len(local, status);
 245
 246        if (local->hw.flags & IEEE80211_HW_RX_INCLUDES_FCS)
 247                present_fcs_len = FCS_LEN;
 248
 249        if (!local->monitors) {
 250                if (should_drop_frame(origskb, present_fcs_len, rtap_len)) {
 251                        dev_kfree_skb(origskb);
 252                        return NULL;
 253                }
 254
 255                return remove_monitor_info(local, origskb, rtap_len);
 256        }
 257
 258        if (should_drop_frame(origskb, present_fcs_len, rtap_len)) {
 259                /* only need to expand headroom if necessary */
 260                skb = origskb;
 261                origskb = NULL;
 262
 263                /*
 264                 * This shouldn't trigger often because most devices have an
 265                 * RX header they pull before we get here, and that should
 266                 * be big enough for our radiotap information. We should
 267                 * probably export the length to drivers so that we can have
 268                 * them allocate enough headroom to start with.
 269                 */
 270                if (skb_headroom(skb) < needed_headroom &&
 271                    pskb_expand_head(skb, needed_headroom, 0, GFP_ATOMIC)) {
 272                        dev_kfree_skb(skb);
 273                        return NULL;
 274                }
 275        } else {
 276                /*
 277                 * Need to make a copy and possibly remove radiotap header
 278                 * and FCS from the original.
 279                 */
 280                skb = skb_copy_expand(origskb, needed_headroom, 0, GFP_ATOMIC);
 281
 282                origskb = remove_monitor_info(local, origskb, rtap_len);
 283
 284                if (!skb)
 285                        return origskb;
 286        }
 287
 288        /* if necessary, prepend radiotap information */
 289        if (!(status->flag & RX_FLAG_RADIOTAP))
 290                ieee80211_add_rx_radiotap_header(local, skb, rate,
 291                                                 needed_headroom);
 292
 293        skb_reset_mac_header(skb);
 294        skb->ip_summed = CHECKSUM_UNNECESSARY;
 295        skb->pkt_type = PACKET_OTHERHOST;
 296        skb->protocol = htons(ETH_P_802_2);
 297
 298        list_for_each_entry_rcu(sdata, &local->interfaces, list) {
 299                if (!netif_running(sdata->dev))
 300                        continue;
 301
 302                if (sdata->vif.type != NL80211_IFTYPE_MONITOR)
 303                        continue;
 304
 305                if (sdata->u.mntr_flags & MONITOR_FLAG_COOK_FRAMES)
 306                        continue;
 307
 308                if (prev_dev) {
 309                        skb2 = skb_clone(skb, GFP_ATOMIC);
 310                        if (skb2) {
 311                                skb2->dev = prev_dev;
 312                                netif_rx(skb2);
 313                        }
 314                }
 315
 316                prev_dev = sdata->dev;
 317                sdata->dev->stats.rx_packets++;
 318                sdata->dev->stats.rx_bytes += skb->len;
 319        }
 320
 321        if (prev_dev) {
 322                skb->dev = prev_dev;
 323                netif_rx(skb);
 324        } else
 325                dev_kfree_skb(skb);
 326
 327        return origskb;
 328}
 329
 330
 331static void ieee80211_parse_qos(struct ieee80211_rx_data *rx)
 332{
 333        struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)rx->skb->data;
 334        int tid;
 335
 336        /* does the frame have a qos control field? */
 337        if (ieee80211_is_data_qos(hdr->frame_control)) {
 338                u8 *qc = ieee80211_get_qos_ctl(hdr);
 339                /* frame has qos control */
 340                tid = *qc & IEEE80211_QOS_CTL_TID_MASK;
 341                if (*qc & IEEE80211_QOS_CONTROL_A_MSDU_PRESENT)
 342                        rx->flags |= IEEE80211_RX_AMSDU;
 343                else
 344                        rx->flags &= ~IEEE80211_RX_AMSDU;
 345        } else {
 346                /*
 347                 * IEEE 802.11-2007, 7.1.3.4.1 ("Sequence Number field"):
 348                 *
 349                 *      Sequence numbers for management frames, QoS data
 350                 *      frames with a broadcast/multicast address in the
 351                 *      Address 1 field, and all non-QoS data frames sent
 352                 *      by QoS STAs are assigned using an additional single
 353                 *      modulo-4096 counter, [...]
 354                 *
 355                 * We also use that counter for non-QoS STAs.
 356                 */
 357                tid = NUM_RX_DATA_QUEUES - 1;
 358        }
 359
 360        rx->queue = tid;
 361        /* Set skb->priority to 1d tag if highest order bit of TID is not set.
 362         * For now, set skb->priority to 0 for other cases. */
 363        rx->skb->priority = (tid > 7) ? 0 : tid;
 364}
 365
 366/**
 367 * DOC: Packet alignment
 368 *
 369 * Drivers always need to pass packets that are aligned to two-byte boundaries
 370 * to the stack.
 371 *
 372 * Additionally, should, if possible, align the payload data in a way that
 373 * guarantees that the contained IP header is aligned to a four-byte
 374 * boundary. In the case of regular frames, this simply means aligning the
 375 * payload to a four-byte boundary (because either the IP header is directly
 376 * contained, or IV/RFC1042 headers that have a length divisible by four are
 377 * in front of it).
 378 *
 379 * With A-MSDU frames, however, the payload data address must yield two modulo
 380 * four because there are 14-byte 802.3 headers within the A-MSDU frames that
 381 * push the IP header further back to a multiple of four again. Thankfully, the
 382 * specs were sane enough this time around to require padding each A-MSDU
 383 * subframe to a length that is a multiple of four.
 384 *
 385 * Padding like Atheros hardware adds which is inbetween the 802.11 header and
 386 * the payload is not supported, the driver is required to move the 802.11
 387 * header to be directly in front of the payload in that case.
 388 */
 389static void ieee80211_verify_alignment(struct ieee80211_rx_data *rx)
 390{
 391        struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)rx->skb->data;
 392        int hdrlen;
 393
 394#ifndef CONFIG_MAC80211_DEBUG_PACKET_ALIGNMENT
 395        return;
 396#endif
 397
 398        if (WARN_ONCE((unsigned long)rx->skb->data & 1,
 399                      "unaligned packet at 0x%p\n", rx->skb->data))
 400                return;
 401
 402        if (!ieee80211_is_data_present(hdr->frame_control))
 403                return;
 404
 405        hdrlen = ieee80211_hdrlen(hdr->frame_control);
 406        if (rx->flags & IEEE80211_RX_AMSDU)
 407                hdrlen += ETH_HLEN;
 408        WARN_ONCE(((unsigned long)(rx->skb->data + hdrlen)) & 3,
 409                  "unaligned IP payload at 0x%p\n", rx->skb->data + hdrlen);
 410}
 411
 412
 413/* rx handlers */
 414
 415static ieee80211_rx_result debug_noinline
 416ieee80211_rx_h_passive_scan(struct ieee80211_rx_data *rx)
 417{
 418        struct ieee80211_local *local = rx->local;
 419        struct sk_buff *skb = rx->skb;
 420
 421        if (unlikely(test_bit(SCAN_HW_SCANNING, &local->scanning)))
 422                return ieee80211_scan_rx(rx->sdata, skb);
 423
 424        if (unlikely(test_bit(SCAN_SW_SCANNING, &local->scanning) &&
 425                     (rx->flags & IEEE80211_RX_IN_SCAN))) {
 426                /* drop all the other packets during a software scan anyway */
 427                if (ieee80211_scan_rx(rx->sdata, skb) != RX_QUEUED)
 428                        dev_kfree_skb(skb);
 429                return RX_QUEUED;
 430        }
 431
 432        if (unlikely(rx->flags & IEEE80211_RX_IN_SCAN)) {
 433                /* scanning finished during invoking of handlers */
 434                I802_DEBUG_INC(local->rx_handlers_drop_passive_scan);
 435                return RX_DROP_UNUSABLE;
 436        }
 437
 438        return RX_CONTINUE;
 439}
 440
 441
 442static int ieee80211_is_unicast_robust_mgmt_frame(struct sk_buff *skb)
 443{
 444        struct ieee80211_hdr *hdr = (struct ieee80211_hdr *) skb->data;
 445
 446        if (skb->len < 24 || is_multicast_ether_addr(hdr->addr1))
 447                return 0;
 448
 449        return ieee80211_is_robust_mgmt_frame(hdr);
 450}
 451
 452
 453static int ieee80211_is_multicast_robust_mgmt_frame(struct sk_buff *skb)
 454{
 455        struct ieee80211_hdr *hdr = (struct ieee80211_hdr *) skb->data;
 456
 457        if (skb->len < 24 || !is_multicast_ether_addr(hdr->addr1))
 458                return 0;
 459
 460        return ieee80211_is_robust_mgmt_frame(hdr);
 461}
 462
 463
 464/* Get the BIP key index from MMIE; return -1 if this is not a BIP frame */
 465static int ieee80211_get_mmie_keyidx(struct sk_buff *skb)
 466{
 467        struct ieee80211_mgmt *hdr = (struct ieee80211_mgmt *) skb->data;
 468        struct ieee80211_mmie *mmie;
 469
 470        if (skb->len < 24 + sizeof(*mmie) ||
 471            !is_multicast_ether_addr(hdr->da))
 472                return -1;
 473
 474        if (!ieee80211_is_robust_mgmt_frame((struct ieee80211_hdr *) hdr))
 475                return -1; /* not a robust management frame */
 476
 477        mmie = (struct ieee80211_mmie *)
 478                (skb->data + skb->len - sizeof(*mmie));
 479        if (mmie->element_id != WLAN_EID_MMIE ||
 480            mmie->length != sizeof(*mmie) - 2)
 481                return -1;
 482
 483        return le16_to_cpu(mmie->key_id);
 484}
 485
 486
 487static ieee80211_rx_result
 488ieee80211_rx_mesh_check(struct ieee80211_rx_data *rx)
 489{
 490        struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)rx->skb->data;
 491        unsigned int hdrlen = ieee80211_hdrlen(hdr->frame_control);
 492        char *dev_addr = rx->dev->dev_addr;
 493
 494        if (ieee80211_is_data(hdr->frame_control)) {
 495                if (is_multicast_ether_addr(hdr->addr1)) {
 496                        if (ieee80211_has_tods(hdr->frame_control) ||
 497                                !ieee80211_has_fromds(hdr->frame_control))
 498                                return RX_DROP_MONITOR;
 499                        if (memcmp(hdr->addr3, dev_addr, ETH_ALEN) == 0)
 500                                return RX_DROP_MONITOR;
 501                } else {
 502                        if (!ieee80211_has_a4(hdr->frame_control))
 503                                return RX_DROP_MONITOR;
 504                        if (memcmp(hdr->addr4, dev_addr, ETH_ALEN) == 0)
 505                                return RX_DROP_MONITOR;
 506                }
 507        }
 508
 509        /* If there is not an established peer link and this is not a peer link
 510         * establisment frame, beacon or probe, drop the frame.
 511         */
 512
 513        if (!rx->sta || sta_plink_state(rx->sta) != PLINK_ESTAB) {
 514                struct ieee80211_mgmt *mgmt;
 515
 516                if (!ieee80211_is_mgmt(hdr->frame_control))
 517                        return RX_DROP_MONITOR;
 518
 519                if (ieee80211_is_action(hdr->frame_control)) {
 520                        mgmt = (struct ieee80211_mgmt *)hdr;
 521                        if (mgmt->u.action.category != PLINK_CATEGORY)
 522                                return RX_DROP_MONITOR;
 523                        return RX_CONTINUE;
 524                }
 525
 526                if (ieee80211_is_probe_req(hdr->frame_control) ||
 527                    ieee80211_is_probe_resp(hdr->frame_control) ||
 528                    ieee80211_is_beacon(hdr->frame_control))
 529                        return RX_CONTINUE;
 530
 531                return RX_DROP_MONITOR;
 532
 533        }
 534
 535#define msh_h_get(h, l) ((struct ieee80211s_hdr *) ((u8 *)h + l))
 536
 537        if (ieee80211_is_data(hdr->frame_control) &&
 538            is_multicast_ether_addr(hdr->addr1) &&
 539            mesh_rmc_check(hdr->addr3, msh_h_get(hdr, hdrlen), rx->sdata))
 540                return RX_DROP_MONITOR;
 541#undef msh_h_get
 542
 543        return RX_CONTINUE;
 544}
 545
 546
 547static ieee80211_rx_result debug_noinline
 548ieee80211_rx_h_check(struct ieee80211_rx_data *rx)
 549{
 550        struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)rx->skb->data;
 551
 552        /* Drop duplicate 802.11 retransmissions (IEEE 802.11 Chap. 9.2.9) */
 553        if (rx->sta && !is_multicast_ether_addr(hdr->addr1)) {
 554                if (unlikely(ieee80211_has_retry(hdr->frame_control) &&
 555                             rx->sta->last_seq_ctrl[rx->queue] ==
 556                             hdr->seq_ctrl)) {
 557                        if (rx->flags & IEEE80211_RX_RA_MATCH) {
 558                                rx->local->dot11FrameDuplicateCount++;
 559                                rx->sta->num_duplicates++;
 560                        }
 561                        return RX_DROP_MONITOR;
 562                } else
 563                        rx->sta->last_seq_ctrl[rx->queue] = hdr->seq_ctrl;
 564        }
 565
 566        if (unlikely(rx->skb->len < 16)) {
 567                I802_DEBUG_INC(rx->local->rx_handlers_drop_short);
 568                return RX_DROP_MONITOR;
 569        }
 570
 571        /* Drop disallowed frame classes based on STA auth/assoc state;
 572         * IEEE 802.11, Chap 5.5.
 573         *
 574         * mac80211 filters only based on association state, i.e. it drops
 575         * Class 3 frames from not associated stations. hostapd sends
 576         * deauth/disassoc frames when needed. In addition, hostapd is
 577         * responsible for filtering on both auth and assoc states.
 578         */
 579
 580        if (ieee80211_vif_is_mesh(&rx->sdata->vif))
 581                return ieee80211_rx_mesh_check(rx);
 582
 583        if (unlikely((ieee80211_is_data(hdr->frame_control) ||
 584                      ieee80211_is_pspoll(hdr->frame_control)) &&
 585                     rx->sdata->vif.type != NL80211_IFTYPE_ADHOC &&
 586                     (!rx->sta || !test_sta_flags(rx->sta, WLAN_STA_ASSOC)))) {
 587                if ((!ieee80211_has_fromds(hdr->frame_control) &&
 588                     !ieee80211_has_tods(hdr->frame_control) &&
 589                     ieee80211_is_data(hdr->frame_control)) ||
 590                    !(rx->flags & IEEE80211_RX_RA_MATCH)) {
 591                        /* Drop IBSS frames and frames for other hosts
 592                         * silently. */
 593                        return RX_DROP_MONITOR;
 594                }
 595
 596                return RX_DROP_MONITOR;
 597        }
 598
 599        return RX_CONTINUE;
 600}
 601
 602
 603static ieee80211_rx_result debug_noinline
 604ieee80211_rx_h_decrypt(struct ieee80211_rx_data *rx)
 605{
 606        struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)rx->skb->data;
 607        int keyidx;
 608        int hdrlen;
 609        ieee80211_rx_result result = RX_DROP_UNUSABLE;
 610        struct ieee80211_key *stakey = NULL;
 611        int mmie_keyidx = -1;
 612
 613        /*
 614         * Key selection 101
 615         *
 616         * There are four types of keys:
 617         *  - GTK (group keys)
 618         *  - IGTK (group keys for management frames)
 619         *  - PTK (pairwise keys)
 620         *  - STK (station-to-station pairwise keys)
 621         *
 622         * When selecting a key, we have to distinguish between multicast
 623         * (including broadcast) and unicast frames, the latter can only
 624         * use PTKs and STKs while the former always use GTKs and IGTKs.
 625         * Unless, of course, actual WEP keys ("pre-RSNA") are used, then
 626         * unicast frames can also use key indices like GTKs. Hence, if we
 627         * don't have a PTK/STK we check the key index for a WEP key.
 628         *
 629         * Note that in a regular BSS, multicast frames are sent by the
 630         * AP only, associated stations unicast the frame to the AP first
 631         * which then multicasts it on their behalf.
 632         *
 633         * There is also a slight problem in IBSS mode: GTKs are negotiated
 634         * with each station, that is something we don't currently handle.
 635         * The spec seems to expect that one negotiates the same key with
 636         * every station but there's no such requirement; VLANs could be
 637         * possible.
 638         */
 639
 640        /*
 641         * No point in finding a key and decrypting if the frame is neither
 642         * addressed to us nor a multicast frame.
 643         */
 644        if (!(rx->flags & IEEE80211_RX_RA_MATCH))
 645                return RX_CONTINUE;
 646
 647        if (rx->sta)
 648                stakey = rcu_dereference(rx->sta->key);
 649
 650        if (!ieee80211_has_protected(hdr->frame_control))
 651                mmie_keyidx = ieee80211_get_mmie_keyidx(rx->skb);
 652
 653        if (!is_multicast_ether_addr(hdr->addr1) && stakey) {
 654                rx->key = stakey;
 655                /* Skip decryption if the frame is not protected. */
 656                if (!ieee80211_has_protected(hdr->frame_control))
 657                        return RX_CONTINUE;
 658        } else if (mmie_keyidx >= 0) {
 659                /* Broadcast/multicast robust management frame / BIP */
 660                if ((rx->status->flag & RX_FLAG_DECRYPTED) &&
 661                    (rx->status->flag & RX_FLAG_IV_STRIPPED))
 662                        return RX_CONTINUE;
 663
 664                if (mmie_keyidx < NUM_DEFAULT_KEYS ||
 665                    mmie_keyidx >= NUM_DEFAULT_KEYS + NUM_DEFAULT_MGMT_KEYS)
 666                        return RX_DROP_MONITOR; /* unexpected BIP keyidx */
 667                rx->key = rcu_dereference(rx->sdata->keys[mmie_keyidx]);
 668        } else if (!ieee80211_has_protected(hdr->frame_control)) {
 669                /*
 670                 * The frame was not protected, so skip decryption. However, we
 671                 * need to set rx->key if there is a key that could have been
 672                 * used so that the frame may be dropped if encryption would
 673                 * have been expected.
 674                 */
 675                struct ieee80211_key *key = NULL;
 676                if (ieee80211_is_mgmt(hdr->frame_control) &&
 677                    is_multicast_ether_addr(hdr->addr1) &&
 678                    (key = rcu_dereference(rx->sdata->default_mgmt_key)))
 679                        rx->key = key;
 680                else if ((key = rcu_dereference(rx->sdata->default_key)))
 681                        rx->key = key;
 682                return RX_CONTINUE;
 683        } else {
 684                /*
 685                 * The device doesn't give us the IV so we won't be
 686                 * able to look up the key. That's ok though, we
 687                 * don't need to decrypt the frame, we just won't
 688                 * be able to keep statistics accurate.
 689                 * Except for key threshold notifications, should
 690                 * we somehow allow the driver to tell us which key
 691                 * the hardware used if this flag is set?
 692                 */
 693                if ((rx->status->flag & RX_FLAG_DECRYPTED) &&
 694                    (rx->status->flag & RX_FLAG_IV_STRIPPED))
 695                        return RX_CONTINUE;
 696
 697                hdrlen = ieee80211_hdrlen(hdr->frame_control);
 698
 699                if (rx->skb->len < 8 + hdrlen)
 700                        return RX_DROP_UNUSABLE; /* TODO: count this? */
 701
 702                /*
 703                 * no need to call ieee80211_wep_get_keyidx,
 704                 * it verifies a bunch of things we've done already
 705                 */
 706                keyidx = rx->skb->data[hdrlen + 3] >> 6;
 707
 708                rx->key = rcu_dereference(rx->sdata->keys[keyidx]);
 709
 710                /*
 711                 * RSNA-protected unicast frames should always be sent with
 712                 * pairwise or station-to-station keys, but for WEP we allow
 713                 * using a key index as well.
 714                 */
 715                if (rx->key && rx->key->conf.alg != ALG_WEP &&
 716                    !is_multicast_ether_addr(hdr->addr1))
 717                        rx->key = NULL;
 718        }
 719
 720        if (rx->key) {
 721                rx->key->tx_rx_count++;
 722                /* TODO: add threshold stuff again */
 723        } else {
 724                return RX_DROP_MONITOR;
 725        }
 726
 727        /* Check for weak IVs if possible */
 728        if (rx->sta && rx->key->conf.alg == ALG_WEP &&
 729            ieee80211_is_data(hdr->frame_control) &&
 730            (!(rx->status->flag & RX_FLAG_IV_STRIPPED) ||
 731             !(rx->status->flag & RX_FLAG_DECRYPTED)) &&
 732            ieee80211_wep_is_weak_iv(rx->skb, rx->key))
 733                rx->sta->wep_weak_iv_count++;
 734
 735        switch (rx->key->conf.alg) {
 736        case ALG_WEP:
 737                result = ieee80211_crypto_wep_decrypt(rx);
 738                break;
 739        case ALG_TKIP:
 740                result = ieee80211_crypto_tkip_decrypt(rx);
 741                break;
 742        case ALG_CCMP:
 743                result = ieee80211_crypto_ccmp_decrypt(rx);
 744                break;
 745        case ALG_AES_CMAC:
 746                result = ieee80211_crypto_aes_cmac_decrypt(rx);
 747                break;
 748        }
 749
 750        /* either the frame has been decrypted or will be dropped */
 751        rx->status->flag |= RX_FLAG_DECRYPTED;
 752
 753        return result;
 754}
 755
 756static ieee80211_rx_result debug_noinline
 757ieee80211_rx_h_check_more_data(struct ieee80211_rx_data *rx)
 758{
 759        struct ieee80211_local *local;
 760        struct ieee80211_hdr *hdr;
 761        struct sk_buff *skb;
 762
 763        local = rx->local;
 764        skb = rx->skb;
 765        hdr = (struct ieee80211_hdr *) skb->data;
 766
 767        if (!local->pspolling)
 768                return RX_CONTINUE;
 769
 770        if (!ieee80211_has_fromds(hdr->frame_control))
 771                /* this is not from AP */
 772                return RX_CONTINUE;
 773
 774        if (!ieee80211_is_data(hdr->frame_control))
 775                return RX_CONTINUE;
 776
 777        if (!ieee80211_has_moredata(hdr->frame_control)) {
 778                /* AP has no more frames buffered for us */
 779                local->pspolling = false;
 780                return RX_CONTINUE;
 781        }
 782
 783        /* more data bit is set, let's request a new frame from the AP */
 784        ieee80211_send_pspoll(local, rx->sdata);
 785
 786        return RX_CONTINUE;
 787}
 788
 789static void ap_sta_ps_start(struct sta_info *sta)
 790{
 791        struct ieee80211_sub_if_data *sdata = sta->sdata;
 792        struct ieee80211_local *local = sdata->local;
 793
 794        atomic_inc(&sdata->bss->num_sta_ps);
 795        set_sta_flags(sta, WLAN_STA_PS);
 796        drv_sta_notify(local, &sdata->vif, STA_NOTIFY_SLEEP, &sta->sta);
 797#ifdef CONFIG_MAC80211_VERBOSE_PS_DEBUG
 798        printk(KERN_DEBUG "%s: STA %pM aid %d enters power save mode\n",
 799               sdata->dev->name, sta->sta.addr, sta->sta.aid);
 800#endif /* CONFIG_MAC80211_VERBOSE_PS_DEBUG */
 801}
 802
 803static int ap_sta_ps_end(struct sta_info *sta)
 804{
 805        struct ieee80211_sub_if_data *sdata = sta->sdata;
 806        struct ieee80211_local *local = sdata->local;
 807        int sent, buffered;
 808
 809        atomic_dec(&sdata->bss->num_sta_ps);
 810
 811        clear_sta_flags(sta, WLAN_STA_PS);
 812        drv_sta_notify(local, &sdata->vif, STA_NOTIFY_AWAKE, &sta->sta);
 813
 814        if (!skb_queue_empty(&sta->ps_tx_buf))
 815                sta_info_clear_tim_bit(sta);
 816
 817#ifdef CONFIG_MAC80211_VERBOSE_PS_DEBUG
 818        printk(KERN_DEBUG "%s: STA %pM aid %d exits power save mode\n",
 819               sdata->dev->name, sta->sta.addr, sta->sta.aid);
 820#endif /* CONFIG_MAC80211_VERBOSE_PS_DEBUG */
 821
 822        /* Send all buffered frames to the station */
 823        sent = ieee80211_add_pending_skbs(local, &sta->tx_filtered);
 824        buffered = ieee80211_add_pending_skbs(local, &sta->ps_tx_buf);
 825        sent += buffered;
 826        local->total_ps_buffered -= buffered;
 827
 828#ifdef CONFIG_MAC80211_VERBOSE_PS_DEBUG
 829        printk(KERN_DEBUG "%s: STA %pM aid %d sending %d filtered/%d PS frames "
 830               "since STA not sleeping anymore\n", sdata->dev->name,
 831               sta->sta.addr, sta->sta.aid, sent - buffered, buffered);
 832#endif /* CONFIG_MAC80211_VERBOSE_PS_DEBUG */
 833
 834        return sent;
 835}
 836
 837static ieee80211_rx_result debug_noinline
 838ieee80211_rx_h_sta_process(struct ieee80211_rx_data *rx)
 839{
 840        struct sta_info *sta = rx->sta;
 841        struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)rx->skb->data;
 842
 843        if (!sta)
 844                return RX_CONTINUE;
 845
 846        /*
 847         * Update last_rx only for IBSS packets which are for the current
 848         * BSSID to avoid keeping the current IBSS network alive in cases
 849         * where other STAs start using different BSSID.
 850         */
 851        if (rx->sdata->vif.type == NL80211_IFTYPE_ADHOC) {
 852                u8 *bssid = ieee80211_get_bssid(hdr, rx->skb->len,
 853                                                NL80211_IFTYPE_ADHOC);
 854                if (compare_ether_addr(bssid, rx->sdata->u.ibss.bssid) == 0)
 855                        sta->last_rx = jiffies;
 856        } else if (!is_multicast_ether_addr(hdr->addr1)) {
 857                /*
 858                 * Mesh beacons will update last_rx when if they are found to
 859                 * match the current local configuration when processed.
 860                 */
 861                sta->last_rx = jiffies;
 862        }
 863
 864        if (!(rx->flags & IEEE80211_RX_RA_MATCH))
 865                return RX_CONTINUE;
 866
 867        if (rx->sdata->vif.type == NL80211_IFTYPE_STATION)
 868                ieee80211_sta_rx_notify(rx->sdata, hdr);
 869
 870        sta->rx_fragments++;
 871        sta->rx_bytes += rx->skb->len;
 872        sta->last_signal = rx->status->signal;
 873        sta->last_qual = rx->status->qual;
 874        sta->last_noise = rx->status->noise;
 875
 876        /*
 877         * Change STA power saving mode only at the end of a frame
 878         * exchange sequence.
 879         */
 880        if (!ieee80211_has_morefrags(hdr->frame_control) &&
 881            (rx->sdata->vif.type == NL80211_IFTYPE_AP ||
 882             rx->sdata->vif.type == NL80211_IFTYPE_AP_VLAN)) {
 883                if (test_sta_flags(sta, WLAN_STA_PS)) {
 884                        /*
 885                         * Ignore doze->wake transitions that are
 886                         * indicated by non-data frames, the standard
 887                         * is unclear here, but for example going to
 888                         * PS mode and then scanning would cause a
 889                         * doze->wake transition for the probe request,
 890                         * and that is clearly undesirable.
 891                         */
 892                        if (ieee80211_is_data(hdr->frame_control) &&
 893                            !ieee80211_has_pm(hdr->frame_control))
 894                                rx->sent_ps_buffered += ap_sta_ps_end(sta);
 895                } else {
 896                        if (ieee80211_has_pm(hdr->frame_control))
 897                                ap_sta_ps_start(sta);
 898                }
 899        }
 900
 901        /* Drop data::nullfunc frames silently, since they are used only to
 902         * control station power saving mode. */
 903        if (ieee80211_is_nullfunc(hdr->frame_control)) {
 904                I802_DEBUG_INC(rx->local->rx_handlers_drop_nullfunc);
 905                /* Update counter and free packet here to avoid counting this
 906                 * as a dropped packed. */
 907                sta->rx_packets++;
 908                dev_kfree_skb(rx->skb);
 909                return RX_QUEUED;
 910        }
 911
 912        return RX_CONTINUE;
 913} /* ieee80211_rx_h_sta_process */
 914
 915static inline struct ieee80211_fragment_entry *
 916ieee80211_reassemble_add(struct ieee80211_sub_if_data *sdata,
 917                         unsigned int frag, unsigned int seq, int rx_queue,
 918                         struct sk_buff **skb)
 919{
 920        struct ieee80211_fragment_entry *entry;
 921        int idx;
 922
 923        idx = sdata->fragment_next;
 924        entry = &sdata->fragments[sdata->fragment_next++];
 925        if (sdata->fragment_next >= IEEE80211_FRAGMENT_MAX)
 926                sdata->fragment_next = 0;
 927
 928        if (!skb_queue_empty(&entry->skb_list)) {
 929#ifdef CONFIG_MAC80211_VERBOSE_DEBUG
 930                struct ieee80211_hdr *hdr =
 931                        (struct ieee80211_hdr *) entry->skb_list.next->data;
 932                printk(KERN_DEBUG "%s: RX reassembly removed oldest "
 933                       "fragment entry (idx=%d age=%lu seq=%d last_frag=%d "
 934                       "addr1=%pM addr2=%pM\n",
 935                       sdata->dev->name, idx,
 936                       jiffies - entry->first_frag_time, entry->seq,
 937                       entry->last_frag, hdr->addr1, hdr->addr2);
 938#endif
 939                __skb_queue_purge(&entry->skb_list);
 940        }
 941
 942        __skb_queue_tail(&entry->skb_list, *skb); /* no need for locking */
 943        *skb = NULL;
 944        entry->first_frag_time = jiffies;
 945        entry->seq = seq;
 946        entry->rx_queue = rx_queue;
 947        entry->last_frag = frag;
 948        entry->ccmp = 0;
 949        entry->extra_len = 0;
 950
 951        return entry;
 952}
 953
 954static inline struct ieee80211_fragment_entry *
 955ieee80211_reassemble_find(struct ieee80211_sub_if_data *sdata,
 956                          unsigned int frag, unsigned int seq,
 957                          int rx_queue, struct ieee80211_hdr *hdr)
 958{
 959        struct ieee80211_fragment_entry *entry;
 960        int i, idx;
 961
 962        idx = sdata->fragment_next;
 963        for (i = 0; i < IEEE80211_FRAGMENT_MAX; i++) {
 964                struct ieee80211_hdr *f_hdr;
 965
 966                idx--;
 967                if (idx < 0)
 968                        idx = IEEE80211_FRAGMENT_MAX - 1;
 969
 970                entry = &sdata->fragments[idx];
 971                if (skb_queue_empty(&entry->skb_list) || entry->seq != seq ||
 972                    entry->rx_queue != rx_queue ||
 973                    entry->last_frag + 1 != frag)
 974                        continue;
 975
 976                f_hdr = (struct ieee80211_hdr *)entry->skb_list.next->data;
 977
 978                /*
 979                 * Check ftype and addresses are equal, else check next fragment
 980                 */
 981                if (((hdr->frame_control ^ f_hdr->frame_control) &
 982                     cpu_to_le16(IEEE80211_FCTL_FTYPE)) ||
 983                    compare_ether_addr(hdr->addr1, f_hdr->addr1) != 0 ||
 984                    compare_ether_addr(hdr->addr2, f_hdr->addr2) != 0)
 985                        continue;
 986
 987                if (time_after(jiffies, entry->first_frag_time + 2 * HZ)) {
 988                        __skb_queue_purge(&entry->skb_list);
 989                        continue;
 990                }
 991                return entry;
 992        }
 993
 994        return NULL;
 995}
 996
 997static ieee80211_rx_result debug_noinline
 998ieee80211_rx_h_defragment(struct ieee80211_rx_data *rx)
 999{
1000        struct ieee80211_hdr *hdr;

1001        u16 sc;
1002        __le16 fc;
1003        unsigned int frag, seq;
1004        struct ieee80211_fragment_entry *entry;
1005        struct sk_buff *skb;
1006
1007        hdr = (struct ieee80211_hdr *)rx->skb->data;
1008        fc = hdr->frame_control;
1009        sc = le16_to_cpu(hdr->seq_ctrl);
1010        frag = sc & IEEE80211_SCTL_FRAG;
1011
1012        if (likely((!ieee80211_has_morefrags(fc) && frag == 0) ||
1013                   (rx->skb)->len < 24 ||
1014                   is_multicast_ether_addr(hdr->addr1))) {
1015                /* not fragmented */
1016                goto out;
1017        }
1018        I802_DEBUG_INC(rx->local->rx_handlers_fragments);
1019
1020        seq = (sc & IEEE80211_SCTL_SEQ) >> 4;
1021
1022        if (frag == 0) {
1023                /* This is the first fragment of a new frame. */
1024                entry = ieee80211_reassemble_add(rx->sdata, frag, seq,
1025                                                 rx->queue, &(rx->skb));
1026                if (rx->key && rx->key->conf.alg == ALG_CCMP &&
1027                    ieee80211_has_protected(fc)) {
1028                        /* Store CCMP PN so that we can verify that the next
1029                         * fragment has a sequential PN value. */
1030                        entry->ccmp = 1;
1031                        memcpy(entry->last_pn,
1032                               rx->key->u.ccmp.rx_pn[rx->queue],
1033                               CCMP_PN_LEN);
1034                }
1035                return RX_QUEUED;
1036        }
1037
1038        /* This is a fragment for a frame that should already be pending in
1039         * fragment cache. Add this fragment to the end of the pending entry.
1040         */
1041        entry = ieee80211_reassemble_find(rx->sdata, frag, seq, rx->queue, hdr);
1042        if (!entry) {
1043                I802_DEBUG_INC(rx->local->rx_handlers_drop_defrag);
1044                return RX_DROP_MONITOR;
1045        }
1046
1047        /* Verify that MPDUs within one MSDU have sequential PN values.
1048         * (IEEE 802.11i, 8.3.3.4.5) */
1049        if (entry->ccmp) {
1050                int i;
1051                u8 pn[CCMP_PN_LEN], *rpn;
1052                if (!rx->key || rx->key->conf.alg != ALG_CCMP)
1053                        return RX_DROP_UNUSABLE;
1054                memcpy(pn, entry->last_pn, CCMP_PN_LEN);
1055                for (i = CCMP_PN_LEN - 1; i >= 0; i--) {
1056                        pn[i]++;
1057                        if (pn[i])
1058                                break;
1059                }
1060                rpn = rx->key->u.ccmp.rx_pn[rx->queue];
1061                if (memcmp(pn, rpn, CCMP_PN_LEN))
1062                        return RX_DROP_UNUSABLE;
1063                memcpy(entry->last_pn, pn, CCMP_PN_LEN);
1064        }
1065
1066        skb_pull(rx->skb, ieee80211_hdrlen(fc));
1067        __skb_queue_tail(&entry->skb_list, rx->skb);
1068        entry->last_frag = frag;
1069        entry->extra_len += rx->skb->len;
1070        if (ieee80211_has_morefrags(fc)) {
1071                rx->skb = NULL;
1072                return RX_QUEUED;
1073        }
1074
1075        rx->skb = __skb_dequeue(&entry->skb_list);
1076        if (skb_tailroom(rx->skb) < entry->extra_len) {
1077                I802_DEBUG_INC(rx->local->rx_expand_skb_head2);
1078                if (unlikely(pskb_expand_head(rx->skb, 0, entry->extra_len,
1079                                              GFP_ATOMIC))) {
1080                        I802_DEBUG_INC(rx->local->rx_handlers_drop_defrag);
1081                        __skb_queue_purge(&entry->skb_list);
1082                        return RX_DROP_UNUSABLE;
1083                }
1084        }
1085        while ((skb = __skb_dequeue(&entry->skb_list))) {
1086                memcpy(skb_put(rx->skb, skb->len), skb->data, skb->len);
1087                dev_kfree_skb(skb);
1088        }
1089
1090        /* Complete frame has been reassembled - process it now */
1091        rx->flags |= IEEE80211_RX_FRAGMENTED;
1092
1093 out:
1094        if (rx->sta)
1095                rx->sta->rx_packets++;
1096        if (is_multicast_ether_addr(hdr->addr1))
1097                rx->local->dot11MulticastReceivedFrameCount++;
1098        else
1099                ieee80211_led_rx(rx->local);
1100        return RX_CONTINUE;
1101}
1102
1103static ieee80211_rx_result debug_noinline
1104ieee80211_rx_h_ps_poll(struct ieee80211_rx_data *rx)
1105{
1106        struct ieee80211_sub_if_data *sdata = IEEE80211_DEV_TO_SUB_IF(rx->dev);
1107        struct sk_buff *skb;
1108        int no_pending_pkts;
1109        __le16 fc = ((struct ieee80211_hdr *)rx->skb->data)->frame_control;
1110
1111        if (likely(!rx->sta || !ieee80211_is_pspoll(fc) ||
1112                   !(rx->flags & IEEE80211_RX_RA_MATCH)))
1113                return RX_CONTINUE;
1114
1115        if ((sdata->vif.type != NL80211_IFTYPE_AP) &&
1116            (sdata->vif.type != NL80211_IFTYPE_AP_VLAN))
1117                return RX_DROP_UNUSABLE;
1118
1119        skb = skb_dequeue(&rx->sta->tx_filtered);
1120        if (!skb) {
1121                skb = skb_dequeue(&rx->sta->ps_tx_buf);
1122                if (skb)
1123                        rx->local->total_ps_buffered--;
1124        }
1125        no_pending_pkts = skb_queue_empty(&rx->sta->tx_filtered) &&
1126                skb_queue_empty(&rx->sta->ps_tx_buf);
1127
1128        if (skb) {
1129                struct ieee80211_tx_info *info = IEEE80211_SKB_CB(skb);
1130                struct ieee80211_hdr *hdr =
1131                        (struct ieee80211_hdr *) skb->data;
1132
1133                /*
1134                 * Tell TX path to send this frame even though the STA may
1135                 * still remain is PS mode after this frame exchange.
1136                 */
1137                info->flags |= IEEE80211_TX_CTL_PSPOLL_RESPONSE;
1138
1139#ifdef CONFIG_MAC80211_VERBOSE_PS_DEBUG
1140                printk(KERN_DEBUG "STA %pM aid %d: PS Poll (entries after %d)\n",
1141                       rx->sta->sta.addr, rx->sta->sta.aid,
1142                       skb_queue_len(&rx->sta->ps_tx_buf));
1143#endif /* CONFIG_MAC80211_VERBOSE_PS_DEBUG */
1144
1145                /* Use MoreData flag to indicate whether there are more
1146                 * buffered frames for this STA */
1147                if (no_pending_pkts)
1148                        hdr->frame_control &= cpu_to_le16(~IEEE80211_FCTL_MOREDATA);
1149                else
1150                        hdr->frame_control |= cpu_to_le16(IEEE80211_FCTL_MOREDATA);
1151
1152                ieee80211_add_pending_skb(rx->local, skb);
1153
1154                if (no_pending_pkts)
1155                        sta_info_clear_tim_bit(rx->sta);
1156#ifdef CONFIG_MAC80211_VERBOSE_PS_DEBUG
1157        } else if (!rx->sent_ps_buffered) {
1158                /*
1159                 * FIXME: This can be the result of a race condition between
1160                 *        us expiring a frame and the station polling for it.
1161                 *        Should we send it a null-func frame indicating we
1162                 *        have nothing buffered for it?
1163                 */
1164                printk(KERN_DEBUG "%s: STA %pM sent PS Poll even "
1165                       "though there are no buffered frames for it\n",
1166                       rx->dev->name, rx->sta->sta.addr);
1167#endif /* CONFIG_MAC80211_VERBOSE_PS_DEBUG */
1168        }
1169
1170        /* Free PS Poll skb here instead of returning RX_DROP that would
1171         * count as an dropped frame. */
1172        dev_kfree_skb(rx->skb);
1173
1174        return RX_QUEUED;
1175}
1176
1177static ieee80211_rx_result debug_noinline
1178ieee80211_rx_h_remove_qos_control(struct ieee80211_rx_data *rx)
1179{
1180        u8 *data = rx->skb->data;
1181        struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)data;
1182
1183        if (!ieee80211_is_data_qos(hdr->frame_control))
1184                return RX_CONTINUE;
1185
1186        /* remove the qos control field, update frame type and meta-data */
1187        memmove(data + IEEE80211_QOS_CTL_LEN, data,
1188                ieee80211_hdrlen(hdr->frame_control) - IEEE80211_QOS_CTL_LEN);
1189        hdr = (struct ieee80211_hdr *)skb_pull(rx->skb, IEEE80211_QOS_CTL_LEN);
1190        /* change frame type to non QOS */
1191        hdr->frame_control &= ~cpu_to_le16(IEEE80211_STYPE_QOS_DATA);
1192
1193        return RX_CONTINUE;
1194}
1195
1196static int
1197ieee80211_802_1x_port_control(struct ieee80211_rx_data *rx)
1198{
1199        if (unlikely(!rx->sta ||
1200            !test_sta_flags(rx->sta, WLAN_STA_AUTHORIZED)))
1201                return -EACCES;
1202
1203        return 0;
1204}
1205
1206static int
1207ieee80211_drop_unencrypted(struct ieee80211_rx_data *rx, __le16 fc)
1208{
1209        /*
1210         * Pass through unencrypted frames if the hardware has
1211         * decrypted them already.
1212         */
1213        if (rx->status->flag & RX_FLAG_DECRYPTED)
1214                return 0;
1215
1216        /* Drop unencrypted frames if key is set. */
1217        if (unlikely(!ieee80211_has_protected(fc) &&
1218                     !ieee80211_is_nullfunc(fc) &&
1219                     ieee80211_is_data(fc) &&
1220                     (rx->key || rx->sdata->drop_unencrypted)))
1221                return -EACCES;
1222        if (rx->sta && test_sta_flags(rx->sta, WLAN_STA_MFP)) {
1223                if (unlikely(ieee80211_is_unicast_robust_mgmt_frame(rx->skb) &&
1224                             rx->key))
1225                        return -EACCES;
1226                /* BIP does not use Protected field, so need to check MMIE */
1227                if (unlikely(ieee80211_is_multicast_robust_mgmt_frame(rx->skb)
1228                             && ieee80211_get_mmie_keyidx(rx->skb) < 0 &&
1229                             rx->key))
1230                        return -EACCES;
1231                /*
1232                 * When using MFP, Action frames are not allowed prior to
1233                 * having configured keys.
1234                 */
1235                if (unlikely(ieee80211_is_action(fc) && !rx->key &&
1236                             ieee80211_is_robust_mgmt_frame(
1237                                     (struct ieee80211_hdr *) rx->skb->data)))
1238                        return -EACCES;
1239        }
1240
1241        return 0;
1242}
1243
1244static int
1245__ieee80211_data_to_8023(struct ieee80211_rx_data *rx)
1246{
1247        struct net_device *dev = rx->dev;
1248        struct ieee80211_sub_if_data *sdata = IEEE80211_DEV_TO_SUB_IF(dev);
1249
1250        return ieee80211_data_to_8023(rx->skb, dev->dev_addr, sdata->vif.type);
1251}
1252
1253/*
1254 * requires that rx->skb is a frame with ethernet header
1255 */
1256static bool ieee80211_frame_allowed(struct ieee80211_rx_data *rx, __le16 fc)
1257{
1258        static const u8 pae_group_addr[ETH_ALEN] __aligned(2)
1259                = { 0x01, 0x80, 0xC2, 0x00, 0x00, 0x03 };
1260        struct ethhdr *ehdr = (struct ethhdr *) rx->skb->data;
1261
1262        /*
1263         * Allow EAPOL frames to us/the PAE group address regardless
1264         * of whether the frame was encrypted or not.
1265         */
1266        if (ehdr->h_proto == htons(ETH_P_PAE) &&
1267            (compare_ether_addr(ehdr->h_dest, rx->dev->dev_addr) == 0 ||
1268             compare_ether_addr(ehdr->h_dest, pae_group_addr) == 0))
1269                return true;
1270
1271        if (ieee80211_802_1x_port_control(rx) ||
1272            ieee80211_drop_unencrypted(rx, fc))
1273                return false;
1274
1275        return true;
1276}
1277
1278/*
1279 * requires that rx->skb is a frame with ethernet header
1280 */
1281static void
1282ieee80211_deliver_skb(struct ieee80211_rx_data *rx)
1283{
1284        struct net_device *dev = rx->dev;
1285        struct ieee80211_local *local = rx->local;
1286        struct sk_buff *skb, *xmit_skb;
1287        struct ieee80211_sub_if_data *sdata = IEEE80211_DEV_TO_SUB_IF(dev);
1288        struct ethhdr *ehdr = (struct ethhdr *) rx->skb->data;
1289        struct sta_info *dsta;
1290
1291        skb = rx->skb;
1292        xmit_skb = NULL;
1293
1294        if ((sdata->vif.type == NL80211_IFTYPE_AP ||
1295             sdata->vif.type == NL80211_IFTYPE_AP_VLAN) &&
1296            !(sdata->flags & IEEE80211_SDATA_DONT_BRIDGE_PACKETS) &&
1297            (rx->flags & IEEE80211_RX_RA_MATCH)) {
1298                if (is_multicast_ether_addr(ehdr->h_dest)) {
1299                        /*
1300                         * send multicast frames both to higher layers in
1301                         * local net stack and back to the wireless medium
1302                         */
1303                        xmit_skb = skb_copy(skb, GFP_ATOMIC);
1304                        if (!xmit_skb && net_ratelimit())
1305                                printk(KERN_DEBUG "%s: failed to clone "
1306                                       "multicast frame\n", dev->name);
1307                } else {
1308                        dsta = sta_info_get(local, skb->data);
1309                        if (dsta && dsta->sdata->dev == dev) {
1310                                /*
1311                                 * The destination station is associated to
1312                                 * this AP (in this VLAN), so send the frame
1313                                 * directly to it and do not pass it to local
1314                                 * net stack.
1315                                 */
1316                                xmit_skb = skb;
1317                                skb = NULL;
1318                        }
1319                }
1320        }
1321
1322        if (skb) {
1323                int align __maybe_unused;
1324
1325#if defined(CONFIG_MAC80211_DEBUG_PACKET_ALIGNMENT) || !defined(CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS)
1326                /*
1327                 * 'align' will only take the values 0 or 2 here
1328                 * since all frames are required to be aligned
1329                 * to 2-byte boundaries when being passed to
1330                 * mac80211. That also explains the __skb_push()
1331                 * below.
1332                 */
1333                align = ((unsigned long)(skb->data + sizeof(struct ethhdr))) & 3;
1334                if (align) {
1335                        if (WARN_ON(skb_headroom(skb) < 3)) {
1336                                dev_kfree_skb(skb);
1337                                skb = NULL;
1338                        } else {
1339                                u8 *data = skb->data;
1340                                size_t len = skb->len;
1341                                u8 *new = __skb_push(skb, align);
1342                                memmove(new, data, len);
1343                                __skb_trim(skb, len);
1344                        }
1345                }
1346#endif
1347
1348                if (skb) {
1349                        /* deliver to local stack */
1350                        skb->protocol = eth_type_trans(skb, dev);
1351                        memset(skb->cb, 0, sizeof(skb->cb));
1352                        netif_rx(skb);
1353                }
1354        }
1355
1356        if (xmit_skb) {
1357                /* send to wireless media */
1358                xmit_skb->protocol = htons(ETH_P_802_3);
1359                skb_reset_network_header(xmit_skb);
1360                skb_reset_mac_header(xmit_skb);
1361                dev_queue_xmit(xmit_skb);
1362        }
1363}
1364
1365static ieee80211_rx_result debug_noinline
1366ieee80211_rx_h_amsdu(struct ieee80211_rx_data *rx)
1367{
1368        struct net_device *dev = rx->dev;
1369        struct ieee80211_local *local = rx->local;
1370        u16 ethertype;
1371        u8 *payload;
1372        struct sk_buff *skb = rx->skb, *frame = NULL;
1373        struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)skb->data;
1374        __le16 fc = hdr->frame_control;
1375        const struct ethhdr *eth;
1376        int remaining, err;
1377        u8 dst[ETH_ALEN];
1378        u8 src[ETH_ALEN];
1379
1380        if (unlikely(!ieee80211_is_data(fc)))
1381                return RX_CONTINUE;
1382
1383        if (unlikely(!ieee80211_is_data_present(fc)))
1384                return RX_DROP_MONITOR;
1385
1386        if (!(rx->flags & IEEE80211_RX_AMSDU))
1387                return RX_CONTINUE;
1388
1389        err = __ieee80211_data_to_8023(rx);
1390        if (unlikely(err))
1391                return RX_DROP_UNUSABLE;
1392
1393        skb->dev = dev;
1394
1395        dev->stats.rx_packets++;
1396        dev->stats.rx_bytes += skb->len;
1397
1398        /* skip the wrapping header */
1399        eth = (struct ethhdr *) skb_pull(skb, sizeof(struct ethhdr));
1400        if (!eth)
1401                return RX_DROP_UNUSABLE;
1402
1403        while (skb != frame) {
1404                u8 padding;
1405                __be16 len = eth->h_proto;
1406                unsigned int subframe_len = sizeof(struct ethhdr) + ntohs(len);
1407
1408                remaining = skb->len;
1409                memcpy(dst, eth->h_dest, ETH_ALEN);
1410                memcpy(src, eth->h_source, ETH_ALEN);
1411
1412                padding = ((4 - subframe_len) & 0x3);
1413                /* the last MSDU has no padding */
1414                if (subframe_len > remaining)
1415                        return RX_DROP_UNUSABLE;
1416
1417                skb_pull(skb, sizeof(struct ethhdr));
1418                /* if last subframe reuse skb */
1419                if (remaining <= subframe_len + padding)
1420                        frame = skb;
1421                else {
1422                        /*
1423                         * Allocate and reserve two bytes more for payload
1424                         * alignment since sizeof(struct ethhdr) is 14.
1425                         */
1426                        frame = dev_alloc_skb(
1427                                ALIGN(local->hw.extra_tx_headroom, 4) +
1428                                subframe_len + 2);
1429
1430                        if (frame == NULL)
1431                                return RX_DROP_UNUSABLE;
1432
1433                        skb_reserve(frame,
1434                                    ALIGN(local->hw.extra_tx_headroom, 4) +
1435                                    sizeof(struct ethhdr) + 2);
1436                        memcpy(skb_put(frame, ntohs(len)), skb->data,
1437                                ntohs(len));
1438
1439                        eth = (struct ethhdr *) skb_pull(skb, ntohs(len) +
1440                                                        padding);
1441                        if (!eth) {
1442                                dev_kfree_skb(frame);
1443                                return RX_DROP_UNUSABLE;
1444                        }
1445                }
1446
1447                skb_reset_network_header(frame);
1448                frame->dev = dev;
1449                frame->priority = skb->priority;
1450                rx->skb = frame;
1451
1452                payload = frame->data;
1453                ethertype = (payload[6] << 8) | payload[7];
1454
1455                if (likely((compare_ether_addr(payload, rfc1042_header) == 0 &&
1456                            ethertype != ETH_P_AARP && ethertype != ETH_P_IPX) ||
1457                           compare_ether_addr(payload,
1458                                              bridge_tunnel_header) == 0)) {
1459                        /* remove RFC1042 or Bridge-Tunnel
1460                         * encapsulation and replace EtherType */
1461                        skb_pull(frame, 6);
1462                        memcpy(skb_push(frame, ETH_ALEN), src, ETH_ALEN);
1463                        memcpy(skb_push(frame, ETH_ALEN), dst, ETH_ALEN);
1464                } else {
1465                        memcpy(skb_push(frame, sizeof(__be16)),
1466                               &len, sizeof(__be16));
1467                        memcpy(skb_push(frame, ETH_ALEN), src, ETH_ALEN);
1468                        memcpy(skb_push(frame, ETH_ALEN), dst, ETH_ALEN);
1469                }
1470
1471                if (!ieee80211_frame_allowed(rx, fc)) {
1472                        if (skb == frame) /* last frame */
1473                                return RX_DROP_UNUSABLE;
1474                        dev_kfree_skb(frame);
1475                        continue;
1476                }
1477
1478                ieee80211_deliver_skb(rx);
1479        }
1480
1481        return RX_QUEUED;
1482}
1483
1484#ifdef CONFIG_MAC80211_MESH
1485static ieee80211_rx_result
1486ieee80211_rx_h_mesh_fwding(struct ieee80211_rx_data *rx)
1487{
1488        struct ieee80211_hdr *hdr;
1489        struct ieee80211s_hdr *mesh_hdr;
1490        unsigned int hdrlen;
1491        struct sk_buff *skb = rx->skb, *fwd_skb;
1492        struct ieee80211_local *local = rx->local;
1493        struct ieee80211_sub_if_data *sdata;
1494
1495        hdr = (struct ieee80211_hdr *) skb->data;
1496        hdrlen = ieee80211_hdrlen(hdr->frame_control);
1497        mesh_hdr = (struct ieee80211s_hdr *) (skb->data + hdrlen);
1498        sdata = IEEE80211_DEV_TO_SUB_IF(rx->dev);
1499
1500        if (!ieee80211_is_data(hdr->frame_control))
1501                return RX_CONTINUE;
1502
1503        if (!mesh_hdr->ttl)
1504                /* illegal frame */
1505                return RX_DROP_MONITOR;
1506
1507        if (!is_multicast_ether_addr(hdr->addr1) &&
1508                        (mesh_hdr->flags & MESH_FLAGS_AE_A5_A6)) {
1509                struct mesh_path *mppath;
1510
1511                rcu_read_lock();
1512                mppath = mpp_path_lookup(mesh_hdr->eaddr2, sdata);
1513                if (!mppath) {
1514                        mpp_path_add(mesh_hdr->eaddr2, hdr->addr4, sdata);
1515                } else {
1516                        spin_lock_bh(&mppath->state_lock);
1517                        mppath->exp_time = jiffies;
1518                        if (compare_ether_addr(mppath->mpp, hdr->addr4) != 0)
1519                                memcpy(mppath->mpp, hdr->addr4, ETH_ALEN);
1520                        spin_unlock_bh(&mppath->state_lock);
1521                }
1522                rcu_read_unlock();
1523        }
1524
1525        /* Frame has reached destination.  Don't forward */
1526        if (!is_multicast_ether_addr(hdr->addr1) &&
1527                        compare_ether_addr(rx->dev->dev_addr, hdr->addr3) == 0)
1528                return RX_CONTINUE;
1529
1530        mesh_hdr->ttl--;
1531
1532        if (rx->flags & IEEE80211_RX_RA_MATCH) {
1533                if (!mesh_hdr->ttl)
1534                        IEEE80211_IFSTA_MESH_CTR_INC(&rx->sdata->u.mesh,
1535                                                     dropped_frames_ttl);
1536                else {
1537                        struct ieee80211_hdr *fwd_hdr;
1538                        struct ieee80211_tx_info *info;
1539
1540                        fwd_skb = skb_copy(skb, GFP_ATOMIC);
1541
1542                        if (!fwd_skb && net_ratelimit())
1543                                printk(KERN_DEBUG "%s: failed to clone mesh frame\n",
1544                                                   rx->dev->name);
1545
1546                        fwd_hdr =  (struct ieee80211_hdr *) fwd_skb->data;
1547                        memcpy(fwd_hdr->addr2, rx->dev->dev_addr, ETH_ALEN);
1548                        info = IEEE80211_SKB_CB(fwd_skb);
1549                        memset(info, 0, sizeof(*info));
1550                        info->flags |= IEEE80211_TX_INTFL_NEED_TXPROCESSING;
1551                        info->control.vif = &rx->sdata->vif;
1552                        ieee80211_select_queue(local, fwd_skb);
1553                        if (is_multicast_ether_addr(fwd_hdr->addr1))
1554                                IEEE80211_IFSTA_MESH_CTR_INC(&sdata->u.mesh,
1555                                                                fwded_mcast);
1556                        else {
1557                                int err;
1558                                /*
1559                                 * Save TA to addr1 to send TA a path error if a
1560                                 * suitable next hop is not found
1561                                 */
1562                                memcpy(fwd_hdr->addr1, fwd_hdr->addr2,
1563                                                ETH_ALEN);
1564                                err = mesh_nexthop_lookup(fwd_skb, sdata);
1565                                /* Failed to immediately resolve next hop:
1566                                 * fwded frame was dropped or will be added
1567                                 * later to the pending skb queue.  */
1568                                if (err)
1569                                        return RX_DROP_MONITOR;
1570
1571                                IEEE80211_IFSTA_MESH_CTR_INC(&sdata->u.mesh,
1572                                                                fwded_unicast);
1573                        }
1574                        IEEE80211_IFSTA_MESH_CTR_INC(&sdata->u.mesh,
1575                                                     fwded_frames);
1576                        ieee80211_add_pending_skb(local, fwd_skb);
1577                }
1578        }
1579
1580        if (is_multicast_ether_addr(hdr->addr1) ||
1581            rx->dev->flags & IFF_PROMISC)
1582                return RX_CONTINUE;
1583        else
1584                return RX_DROP_MONITOR;
1585}
1586#endif
1587
1588static ieee80211_rx_result debug_noinline
1589ieee80211_rx_h_data(struct ieee80211_rx_data *rx)
1590{
1591        struct net_device *dev = rx->dev;
1592        struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)rx->skb->data;
1593        __le16 fc = hdr->frame_control;
1594        int err;
1595
1596        if (unlikely(!ieee80211_is_data(hdr->frame_control)))
1597                return RX_CONTINUE;
1598
1599        if (unlikely(!ieee80211_is_data_present(hdr->frame_control)))
1600                return RX_DROP_MONITOR;
1601
1602        err = __ieee80211_data_to_8023(rx);
1603        if (unlikely(err))
1604                return RX_DROP_UNUSABLE;
1605
1606        if (!ieee80211_frame_allowed(rx, fc))
1607                return RX_DROP_MONITOR;
1608
1609        rx->skb->dev = dev;
1610
1611        dev->stats.rx_packets++;
1612        dev->stats.rx_bytes += rx->skb->len;
1613
1614        ieee80211_deliver_skb(rx);
1615
1616        return RX_QUEUED;
1617}
1618
1619static ieee80211_rx_result debug_noinline
1620ieee80211_rx_h_ctrl(struct ieee80211_rx_data *rx)
1621{
1622        struct ieee80211_local *local = rx->local;
1623        struct ieee80211_hw *hw = &local->hw;
1624        struct sk_buff *skb = rx->skb;
1625        struct ieee80211_bar *bar = (struct ieee80211_bar *)skb->data;
1626        struct tid_ampdu_rx *tid_agg_rx;
1627        u16 start_seq_num;
1628        u16 tid;
1629
1630        if (likely(!ieee80211_is_ctl(bar->frame_control)))
1631                return RX_CONTINUE;
1632
1633        if (ieee80211_is_back_req(bar->frame_control)) {
1634                if (!rx->sta)
1635                        return RX_CONTINUE;
1636                tid = le16_to_cpu(bar->control) >> 12;
1637                if (rx->sta->ampdu_mlme.tid_state_rx[tid]
1638                                        != HT_AGG_STATE_OPERATIONAL)
1639                        return RX_CONTINUE;
1640                tid_agg_rx = rx->sta->ampdu_mlme.tid_rx[tid];
1641
1642                start_seq_num = le16_to_cpu(bar->start_seq_num) >> 4;
1643
1644                /* reset session timer */
1645                if (tid_agg_rx->timeout)
1646                        mod_timer(&tid_agg_rx->session_timer,
1647                                  TU_TO_EXP_TIME(tid_agg_rx->timeout));
1648
1649                /* manage reordering buffer according to requested */
1650                /* sequence number */
1651                rcu_read_lock();
1652                ieee80211_sta_manage_reorder_buf(hw, tid_agg_rx, NULL,
1653                                                 start_seq_num, 1);
1654                rcu_read_unlock();
1655                return RX_DROP_UNUSABLE;
1656        }
1657
1658        return RX_CONTINUE;
1659}
1660
1661static void ieee80211_process_sa_query_req(struct ieee80211_sub_if_data *sdata,
1662                                           struct ieee80211_mgmt *mgmt,
1663                                           size_t len)
1664{
1665        struct ieee80211_local *local = sdata->local;
1666        struct sk_buff *skb;
1667        struct ieee80211_mgmt *resp;
1668
1669        if (compare_ether_addr(mgmt->da, sdata->dev->dev_addr) != 0) {
1670                /* Not to own unicast address */
1671                return;
1672        }
1673
1674        if (compare_ether_addr(mgmt->sa, sdata->u.mgd.bssid) != 0 ||
1675            compare_ether_addr(mgmt->bssid, sdata->u.mgd.bssid) != 0) {
1676                /* Not from the current AP or not associated yet. */
1677                return;
1678        }
1679
1680        if (len < 24 + 1 + sizeof(resp->u.action.u.sa_query)) {
1681                /* Too short SA Query request frame */
1682                return;
1683        }
1684
1685        skb = dev_alloc_skb(sizeof(*resp) + local->hw.extra_tx_headroom);
1686        if (skb == NULL)
1687                return;
1688
1689        skb_reserve(skb, local->hw.extra_tx_headroom);
1690        resp = (struct ieee80211_mgmt *) skb_put(skb, 24);
1691        memset(resp, 0, 24);
1692        memcpy(resp->da, mgmt->sa, ETH_ALEN);
1693        memcpy(resp->sa, sdata->dev->dev_addr, ETH_ALEN);
1694        memcpy(resp->bssid, sdata->u.mgd.bssid, ETH_ALEN);
1695        resp->frame_control = cpu_to_le16(IEEE80211_FTYPE_MGMT |
1696                                          IEEE80211_STYPE_ACTION);
1697        skb_put(skb, 1 + sizeof(resp->u.action.u.sa_query));
1698        resp->u.action.category = WLAN_CATEGORY_SA_QUERY;
1699        resp->u.action.u.sa_query.action = WLAN_ACTION_SA_QUERY_RESPONSE;
1700        memcpy(resp->u.action.u.sa_query.trans_id,
1701               mgmt->u.action.u.sa_query.trans_id,
1702               WLAN_SA_QUERY_TR_ID_LEN);
1703
1704        ieee80211_tx_skb(sdata, skb, 1);
1705}
1706
1707static ieee80211_rx_result debug_noinline
1708ieee80211_rx_h_action(struct ieee80211_rx_data *rx)
1709{
1710        struct ieee80211_local *local = rx->local;
1711        struct ieee80211_sub_if_data *sdata = IEEE80211_DEV_TO_SUB_IF(rx->dev);
1712        struct ieee80211_mgmt *mgmt = (struct ieee80211_mgmt *) rx->skb->data;
1713        int len = rx->skb->len;
1714
1715        if (!ieee80211_is_action(mgmt->frame_control))
1716                return RX_CONTINUE;
1717
1718        if (!rx->sta)
1719                return RX_DROP_MONITOR;
1720
1721        if (!(rx->flags & IEEE80211_RX_RA_MATCH))
1722                return RX_DROP_MONITOR;
1723
1724        if (ieee80211_drop_unencrypted(rx, mgmt->frame_control))
1725                return RX_DROP_MONITOR;
1726
1727        /* all categories we currently handle have action_code */
1728        if (len < IEEE80211_MIN_ACTION_SIZE + 1)
1729                return RX_DROP_MONITOR;
1730
1731        switch (mgmt->u.action.category) {
1732        case WLAN_CATEGORY_BACK:
1733                /*
1734                 * The aggregation code is not prepared to handle
1735                 * anything but STA/AP due to the BSSID handling;
1736                 * IBSS could work in the code but isn't supported
1737                 * by drivers or the standard.
1738                 */
1739                if (sdata->vif.type != NL80211_IFTYPE_STATION &&
1740                    sdata->vif.type != NL80211_IFTYPE_AP_VLAN &&
1741                    sdata->vif.type != NL80211_IFTYPE_AP)
1742                        return RX_DROP_MONITOR;
1743
1744                switch (mgmt->u.action.u.addba_req.action_code) {
1745                case WLAN_ACTION_ADDBA_REQ:
1746                        if (len < (IEEE80211_MIN_ACTION_SIZE +
1747                                   sizeof(mgmt->u.action.u.addba_req)))
1748                                return RX_DROP_MONITOR;
1749                        ieee80211_process_addba_request(local, rx->sta, mgmt, len);
1750                        break;
1751                case WLAN_ACTION_ADDBA_RESP:
1752                        if (len < (IEEE80211_MIN_ACTION_SIZE +
1753                                   sizeof(mgmt->u.action.u.addba_resp)))
1754                                return RX_DROP_MONITOR;
1755                        ieee80211_process_addba_resp(local, rx->sta, mgmt, len);
1756                        break;
1757                case WLAN_ACTION_DELBA:
1758                        if (len < (IEEE80211_MIN_ACTION_SIZE +
1759                                   sizeof(mgmt->u.action.u.delba)))
1760                                return RX_DROP_MONITOR;
1761                        ieee80211_process_delba(sdata, rx->sta, mgmt, len);
1762                        break;
1763                }
1764                break;
1765        case WLAN_CATEGORY_SPECTRUM_MGMT:
1766                if (local->hw.conf.channel->band != IEEE80211_BAND_5GHZ)
1767                        return RX_DROP_MONITOR;
1768
1769                if (sdata->vif.type != NL80211_IFTYPE_STATION)
1770                        return RX_DROP_MONITOR;
1771
1772                switch (mgmt->u.action.u.measurement.action_code) {
1773                case WLAN_ACTION_SPCT_MSR_REQ:
1774                        if (len < (IEEE80211_MIN_ACTION_SIZE +
1775                                   sizeof(mgmt->u.action.u.measurement)))
1776                                return RX_DROP_MONITOR;
1777                        ieee80211_process_measurement_req(sdata, mgmt, len);
1778                        break;
1779                case WLAN_ACTION_SPCT_CHL_SWITCH:
1780                        if (len < (IEEE80211_MIN_ACTION_SIZE +
1781                                   sizeof(mgmt->u.action.u.chan_switch)))
1782                                return RX_DROP_MONITOR;
1783
1784                        if (sdata->vif.type != NL80211_IFTYPE_STATION)
1785                                return RX_DROP_MONITOR;
1786
1787                        if (memcmp(mgmt->bssid, sdata->u.mgd.bssid, ETH_ALEN))
1788                                return RX_DROP_MONITOR;
1789
1790                        return ieee80211_sta_rx_mgmt(sdata, rx->skb);
1791                }
1792                break;
1793        case WLAN_CATEGORY_SA_QUERY:
1794                if (len < (IEEE80211_MIN_ACTION_SIZE +
1795                           sizeof(mgmt->u.action.u.sa_query)))
1796                        return RX_DROP_MONITOR;
1797                switch (mgmt->u.action.u.sa_query.action) {
1798                case WLAN_ACTION_SA_QUERY_REQUEST:
1799                        if (sdata->vif.type != NL80211_IFTYPE_STATION)
1800                                return RX_DROP_MONITOR;
1801                        ieee80211_process_sa_query_req(sdata, mgmt, len);
1802                        break;
1803                case WLAN_ACTION_SA_QUERY_RESPONSE:
1804                        /*
1805                         * SA Query response is currently only used in AP mode
1806                         * and it is processed in user space.
1807                         */
1808                        return RX_CONTINUE;
1809                }
1810                break;
1811        default:
1812                return RX_CONTINUE;
1813        }
1814
1815        rx->sta->rx_packets++;
1816        dev_kfree_skb(rx->skb);
1817        return RX_QUEUED;
1818}
1819
1820static ieee80211_rx_result debug_noinline
1821ieee80211_rx_h_mgmt(struct ieee80211_rx_data *rx)
1822{
1823        struct ieee80211_sub_if_data *sdata = IEEE80211_DEV_TO_SUB_IF(rx->dev);
1824        struct ieee80211_mgmt *mgmt = (struct ieee80211_mgmt *) rx->skb->data;
1825
1826        if (!(rx->flags & IEEE80211_RX_RA_MATCH))
1827                return RX_DROP_MONITOR;
1828
1829        if (ieee80211_drop_unencrypted(rx, mgmt->frame_control))
1830                return RX_DROP_MONITOR;
1831
1832        if (ieee80211_vif_is_mesh(&sdata->vif))
1833                return ieee80211_mesh_rx_mgmt(sdata, rx->skb);
1834
1835        if (sdata->vif.type == NL80211_IFTYPE_ADHOC)
1836                return ieee80211_ibss_rx_mgmt(sdata, rx->skb);
1837
1838        if (sdata->vif.type == NL80211_IFTYPE_STATION)
1839                return ieee80211_sta_rx_mgmt(sdata, rx->skb);
1840
1841        return RX_DROP_MONITOR;
1842}
1843
1844static void ieee80211_rx_michael_mic_report(struct ieee80211_hdr *hdr,
1845                                            struct ieee80211_rx_data *rx)
1846{
1847        int keyidx;
1848        unsigned int hdrlen;
1849
1850        hdrlen = ieee80211_hdrlen(hdr->frame_control);
1851        if (rx->skb->len >= hdrlen + 4)
1852                keyidx = rx->skb->data[hdrlen + 3] >> 6;
1853        else
1854                keyidx = -1;
1855
1856        if (!rx->sta) {
1857                /*
1858                 * Some hardware seem to generate incorrect Michael MIC
1859                 * reports; ignore them to avoid triggering countermeasures.
1860                 */
1861                goto ignore;
1862        }
1863
1864        if (!ieee80211_has_protected(hdr->frame_control))
1865                goto ignore;
1866
1867        if (rx->sdata->vif.type == NL80211_IFTYPE_AP && keyidx) {
1868                /*
1869                 * APs with pairwise keys should never receive Michael MIC
1870                 * errors for non-zero keyidx because these are reserved for
1871                 * group keys and only the AP is sending real multicast
1872                 * frames in the BSS.
1873                 */
1874                goto ignore;
1875        }
1876
1877        if (!ieee80211_is_data(hdr->frame_control) &&
1878            !ieee80211_is_auth(hdr->frame_control))
1879                goto ignore;
1880
1881        mac80211_ev_michael_mic_failure(rx->sdata, keyidx, hdr, NULL,
1882                                        GFP_ATOMIC);
1883 ignore:
1884        dev_kfree_skb(rx->skb);
1885        rx->skb = NULL;
1886}
1887
1888/* TODO: use IEEE80211_RX_FRAGMENTED */
1889static void ieee80211_rx_cooked_monitor(struct ieee80211_rx_data *rx)
1890{
1891        struct ieee80211_sub_if_data *sdata;
1892        struct ieee80211_local *local = rx->local;
1893        struct ieee80211_rtap_hdr {
1894                struct ieee80211_radiotap_header hdr;
1895                u8 flags;
1896                u8 rate;
1897                __le16 chan_freq;
1898                __le16 chan_flags;
1899        } __attribute__ ((packed)) *rthdr;
1900        struct sk_buff *skb = rx->skb, *skb2;
1901        struct net_device *prev_dev = NULL;
1902        struct ieee80211_rx_status *status = rx->status;
1903
1904        if (rx->flags & IEEE80211_RX_CMNTR_REPORTED)
1905                goto out_free_skb;
1906
1907        if (skb_headroom(skb) < sizeof(*rthdr) &&
1908            pskb_expand_head(skb, sizeof(*rthdr), 0, GFP_ATOMIC))
1909                goto out_free_skb;
1910
1911        rthdr = (void *)skb_push(skb, sizeof(*rthdr));
1912        memset(rthdr, 0, sizeof(*rthdr));
1913        rthdr->hdr.it_len = cpu_to_le16(sizeof(*rthdr));
1914        rthdr->hdr.it_present =
1915                cpu_to_le32((1 << IEEE80211_RADIOTAP_FLAGS) |
1916                            (1 << IEEE80211_RADIOTAP_RATE) |
1917                            (1 << IEEE80211_RADIOTAP_CHANNEL));
1918
1919        rthdr->rate = rx->rate->bitrate / 5;
1920        rthdr->chan_freq = cpu_to_le16(status->freq);
1921
1922        if (status->band == IEEE80211_BAND_5GHZ)
1923                rthdr->chan_flags = cpu_to_le16(IEEE80211_CHAN_OFDM |
1924                                                IEEE80211_CHAN_5GHZ);
1925        else
1926                rthdr->chan_flags = cpu_to_le16(IEEE80211_CHAN_DYN |
1927                                                IEEE80211_CHAN_2GHZ);
1928
1929        skb_set_mac_header(skb, 0);
1930        skb->ip_summed = CHECKSUM_UNNECESSARY;
1931        skb->pkt_type = PACKET_OTHERHOST;
1932        skb->protocol = htons(ETH_P_802_2);
1933
1934        list_for_each_entry_rcu(sdata, &local->interfaces, list) {
1935                if (!netif_running(sdata->dev))
1936                        continue;
1937
1938                if (sdata->vif.type != NL80211_IFTYPE_MONITOR ||
1939                    !(sdata->u.mntr_flags & MONITOR_FLAG_COOK_FRAMES))
1940                        continue;
1941
1942                if (prev_dev) {
1943                        skb2 = skb_clone(skb, GFP_ATOMIC);
1944                        if (skb2) {
1945                                skb2->dev = prev_dev;
1946                                netif_rx(skb2);
1947                        }
1948                }
1949
1950                prev_dev = sdata->dev;
1951                sdata->dev->stats.rx_packets++;
1952                sdata->dev->stats.rx_bytes += skb->len;
1953        }
1954
1955        if (prev_dev) {
1956                skb->dev = prev_dev;
1957                netif_rx(skb);
1958                skb = NULL;
1959        } else
1960                goto out_free_skb;
1961
1962        rx->flags |= IEEE80211_RX_CMNTR_REPORTED;
1963        return;
1964
1965 out_free_skb:
1966        dev_kfree_skb(skb);
1967}
1968
1969
1970static void ieee80211_invoke_rx_handlers(struct ieee80211_sub_if_data *sdata,
1971                                         struct ieee80211_rx_data *rx,
1972                                         struct sk_buff *skb)
1973{
1974        ieee80211_rx_result res = RX_DROP_MONITOR;
1975
1976        rx->skb = skb;
1977        rx->sdata = sdata;
1978        rx->dev = sdata->dev;
1979
1980#define CALL_RXH(rxh)                   \
1981        do {                            \
1982                res = rxh(rx);          \
1983                if (res != RX_CONTINUE) \
1984                        goto rxh_done;  \
1985        } while (0);
1986
1987        CALL_RXH(ieee80211_rx_h_passive_scan)
1988        CALL_RXH(ieee80211_rx_h_check)
1989        CALL_RXH(ieee80211_rx_h_decrypt)
1990        CALL_RXH(ieee80211_rx_h_check_more_data)
1991        CALL_RXH(ieee80211_rx_h_sta_process)
1992        CALL_RXH(ieee80211_rx_h_defragment)
1993        CALL_RXH(ieee80211_rx_h_ps_poll)
1994        CALL_RXH(ieee80211_rx_h_michael_mic_verify)
1995        /* must be after MMIC verify so header is counted in MPDU mic */
1996        CALL_RXH(ieee80211_rx_h_remove_qos_control)
1997        CALL_RXH(ieee80211_rx_h_amsdu)
1998#ifdef CONFIG_MAC80211_MESH
1999        if (ieee80211_vif_is_mesh(&sdata->vif))
2000                CALL_RXH(ieee80211_rx_h_mesh_fwding);

2001#endif
2002        CALL_RXH(ieee80211_rx_h_data)
2003        CALL_RXH(ieee80211_rx_h_ctrl)
2004        CALL_RXH(ieee80211_rx_h_action)
2005        CALL_RXH(ieee80211_rx_h_mgmt)
2006
2007#undef CALL_RXH
2008
2009 rxh_done:
2010        switch (res) {
2011        case RX_DROP_MONITOR:
2012                I802_DEBUG_INC(sdata->local->rx_handlers_drop);
2013                if (rx->sta)
2014                        rx->sta->rx_dropped++;
2015                /* fall through */
2016        case RX_CONTINUE:
2017                ieee80211_rx_cooked_monitor(rx);
2018                break;
2019        case RX_DROP_UNUSABLE:
2020                I802_DEBUG_INC(sdata->local->rx_handlers_drop);
2021                if (rx->sta)
2022                        rx->sta->rx_dropped++;
2023                dev_kfree_skb(rx->skb);
2024                break;
2025        case RX_QUEUED:
2026                I802_DEBUG_INC(sdata->local->rx_handlers_queued);
2027                break;
2028        }
2029}
2030
2031/* main receive path */
2032
2033static int prepare_for_handlers(struct ieee80211_sub_if_data *sdata,
2034                                struct ieee80211_rx_data *rx,
2035                                struct ieee80211_hdr *hdr)
2036{
2037        u8 *bssid = ieee80211_get_bssid(hdr, rx->skb->len, sdata->vif.type);
2038        int multicast = is_multicast_ether_addr(hdr->addr1);
2039
2040        switch (sdata->vif.type) {
2041        case NL80211_IFTYPE_STATION:
2042                if (!bssid)
2043                        return 0;
2044                if (!multicast &&
2045                    compare_ether_addr(sdata->dev->dev_addr, hdr->addr1) != 0) {
2046                        if (!(sdata->dev->flags & IFF_PROMISC))
2047                                return 0;
2048                        rx->flags &= ~IEEE80211_RX_RA_MATCH;
2049                }
2050                break;
2051        case NL80211_IFTYPE_ADHOC:
2052                if (!bssid)
2053                        return 0;
2054                if (ieee80211_is_beacon(hdr->frame_control)) {
2055                        return 1;
2056                }
2057                else if (!ieee80211_bssid_match(bssid, sdata->u.ibss.bssid)) {
2058                        if (!(rx->flags & IEEE80211_RX_IN_SCAN))
2059                                return 0;
2060                        rx->flags &= ~IEEE80211_RX_RA_MATCH;
2061                } else if (!multicast &&
2062                           compare_ether_addr(sdata->dev->dev_addr,
2063                                              hdr->addr1) != 0) {
2064                        if (!(sdata->dev->flags & IFF_PROMISC))
2065                                return 0;
2066                        rx->flags &= ~IEEE80211_RX_RA_MATCH;
2067                } else if (!rx->sta) {
2068                        int rate_idx;
2069                        if (rx->status->flag & RX_FLAG_HT)
2070                                rate_idx = 0; /* TODO: HT rates */
2071                        else
2072                                rate_idx = rx->status->rate_idx;
2073                        rx->sta = ieee80211_ibss_add_sta(sdata, bssid, hdr->addr2,
2074                                BIT(rate_idx));
2075                }
2076                break;
2077        case NL80211_IFTYPE_MESH_POINT:
2078                if (!multicast &&
2079                    compare_ether_addr(sdata->dev->dev_addr,
2080                                       hdr->addr1) != 0) {
2081                        if (!(sdata->dev->flags & IFF_PROMISC))
2082                                return 0;
2083
2084                        rx->flags &= ~IEEE80211_RX_RA_MATCH;
2085                }
2086                break;
2087        case NL80211_IFTYPE_AP_VLAN:
2088        case NL80211_IFTYPE_AP:
2089                if (!bssid) {
2090                        if (compare_ether_addr(sdata->dev->dev_addr,
2091                                               hdr->addr1))
2092                                return 0;
2093                } else if (!ieee80211_bssid_match(bssid,
2094                                        sdata->dev->dev_addr)) {
2095                        if (!(rx->flags & IEEE80211_RX_IN_SCAN))
2096                                return 0;
2097                        rx->flags &= ~IEEE80211_RX_RA_MATCH;
2098                }
2099                break;
2100        case NL80211_IFTYPE_WDS:
2101                if (bssid || !ieee80211_is_data(hdr->frame_control))
2102                        return 0;
2103                if (compare_ether_addr(sdata->u.wds.remote_addr, hdr->addr2))
2104                        return 0;
2105                break;
2106        case NL80211_IFTYPE_MONITOR:
2107                /* take everything */
2108                break;
2109        case NL80211_IFTYPE_UNSPECIFIED:
2110        case __NL80211_IFTYPE_AFTER_LAST:
2111                /* should never get here */
2112                WARN_ON(1);
2113                break;
2114        }
2115
2116        return 1;
2117}
2118
2119/*
2120 * This is the actual Rx frames handler. as it blongs to Rx path it must
2121 * be called with rcu_read_lock protection.
2122 */
2123static void __ieee80211_rx_handle_packet(struct ieee80211_hw *hw,
2124                                         struct sk_buff *skb,
2125                                         struct ieee80211_rate *rate)
2126{
2127        struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(skb);
2128        struct ieee80211_local *local = hw_to_local(hw);
2129        struct ieee80211_sub_if_data *sdata;
2130        struct ieee80211_hdr *hdr;
2131        struct ieee80211_rx_data rx;
2132        int prepares;
2133        struct ieee80211_sub_if_data *prev = NULL;
2134        struct sk_buff *skb_new;
2135
2136        hdr = (struct ieee80211_hdr *)skb->data;
2137        memset(&rx, 0, sizeof(rx));
2138        rx.skb = skb;
2139        rx.local = local;
2140
2141        rx.status = status;
2142        rx.rate = rate;
2143
2144        if (ieee80211_is_data(hdr->frame_control) || ieee80211_is_mgmt(hdr->frame_control))
2145                local->dot11ReceivedFragmentCount++;
2146
2147        rx.sta = sta_info_get(local, hdr->addr2);
2148        if (rx.sta) {
2149                rx.sdata = rx.sta->sdata;
2150                rx.dev = rx.sta->sdata->dev;
2151        }
2152
2153        if ((status->flag & RX_FLAG_MMIC_ERROR)) {
2154                ieee80211_rx_michael_mic_report(hdr, &rx);
2155                return;
2156        }
2157
2158        if (unlikely(test_bit(SCAN_HW_SCANNING, &local->scanning) ||
2159                     test_bit(SCAN_OFF_CHANNEL, &local->scanning)))
2160                rx.flags |= IEEE80211_RX_IN_SCAN;
2161
2162        ieee80211_parse_qos(&rx);
2163        ieee80211_verify_alignment(&rx);
2164
2165        skb = rx.skb;
2166
2167        if (rx.sdata && ieee80211_is_data(hdr->frame_control)) {
2168                rx.flags |= IEEE80211_RX_RA_MATCH;
2169                prepares = prepare_for_handlers(rx.sdata, &rx, hdr);
2170                if (prepares)
2171                        prev = rx.sdata;
2172        } else list_for_each_entry_rcu(sdata, &local->interfaces, list) {
2173                if (!netif_running(sdata->dev))
2174                        continue;
2175
2176                if (sdata->vif.type == NL80211_IFTYPE_MONITOR ||
2177                    sdata->vif.type == NL80211_IFTYPE_AP_VLAN)
2178                        continue;
2179
2180                rx.flags |= IEEE80211_RX_RA_MATCH;
2181                prepares = prepare_for_handlers(sdata, &rx, hdr);
2182
2183                if (!prepares)
2184                        continue;
2185
2186                /*
2187                 * frame is destined for this interface, but if it's not
2188                 * also for the previous one we handle that after the
2189                 * loop to avoid copying the SKB once too much
2190                 */
2191
2192                if (!prev) {
2193                        prev = sdata;
2194                        continue;
2195                }
2196
2197                /*
2198                 * frame was destined for the previous interface
2199                 * so invoke RX handlers for it
2200                 */
2201
2202                skb_new = skb_copy(skb, GFP_ATOMIC);
2203                if (!skb_new) {
2204                        if (net_ratelimit())
2205                                printk(KERN_DEBUG "%s: failed to copy "
2206                                       "multicast frame for %s\n",
2207                                       wiphy_name(local->hw.wiphy),
2208                                       prev->dev->name);
2209                        continue;
2210                }
2211                ieee80211_invoke_rx_handlers(prev, &rx, skb_new);
2212                prev = sdata;
2213        }
2214        if (prev)
2215                ieee80211_invoke_rx_handlers(prev, &rx, skb);
2216        else
2217                dev_kfree_skb(skb);
2218}
2219
2220#define SEQ_MODULO 0x1000
2221#define SEQ_MASK   0xfff
2222
2223static inline int seq_less(u16 sq1, u16 sq2)
2224{
2225        return ((sq1 - sq2) & SEQ_MASK) > (SEQ_MODULO >> 1);
2226}
2227
2228static inline u16 seq_inc(u16 sq)
2229{
2230        return (sq + 1) & SEQ_MASK;
2231}
2232
2233static inline u16 seq_sub(u16 sq1, u16 sq2)
2234{
2235        return (sq1 - sq2) & SEQ_MASK;
2236}
2237
2238
2239static void ieee80211_release_reorder_frame(struct ieee80211_hw *hw,
2240                                            struct tid_ampdu_rx *tid_agg_rx,
2241                                            int index)
2242{
2243        struct ieee80211_supported_band *sband;
2244        struct ieee80211_rate *rate;
2245        struct sk_buff *skb = tid_agg_rx->reorder_buf[index];
2246        struct ieee80211_rx_status *status;
2247
2248        if (!skb)
2249                goto no_frame;
2250
2251        status = IEEE80211_SKB_RXCB(skb);
2252
2253        /* release the reordered frames to stack */
2254        sband = hw->wiphy->bands[status->band];
2255        if (status->flag & RX_FLAG_HT)
2256                rate = sband->bitrates; /* TODO: HT rates */
2257        else
2258                rate = &sband->bitrates[status->rate_idx];
2259        __ieee80211_rx_handle_packet(hw, skb, rate);
2260        tid_agg_rx->stored_mpdu_num--;
2261        tid_agg_rx->reorder_buf[index] = NULL;
2262
2263no_frame:
2264        tid_agg_rx->head_seq_num = seq_inc(tid_agg_rx->head_seq_num);
2265}
2266
2267
2268/*
2269 * Timeout (in jiffies) for skb's that are waiting in the RX reorder buffer. If
2270 * the skb was added to the buffer longer than this time ago, the earlier
2271 * frames that have not yet been received are assumed to be lost and the skb
2272 * can be released for processing. This may also release other skb's from the
2273 * reorder buffer if there are no additional gaps between the frames.
2274 */
2275#define HT_RX_REORDER_BUF_TIMEOUT (HZ / 10)
2276
2277/*
2278 * As it function blongs to Rx path it must be called with
2279 * the proper rcu_read_lock protection for its flow.
2280 */
2281static u8 ieee80211_sta_manage_reorder_buf(struct ieee80211_hw *hw,
2282                                           struct tid_ampdu_rx *tid_agg_rx,
2283                                           struct sk_buff *skb,
2284                                           u16 mpdu_seq_num,
2285                                           int bar_req)
2286{
2287        u16 head_seq_num, buf_size;
2288        int index;
2289
2290        buf_size = tid_agg_rx->buf_size;
2291        head_seq_num = tid_agg_rx->head_seq_num;
2292
2293        /* frame with out of date sequence number */
2294        if (seq_less(mpdu_seq_num, head_seq_num)) {
2295                dev_kfree_skb(skb);
2296                return 1;
2297        }
2298
2299        /* if frame sequence number exceeds our buffering window size or
2300         * block Ack Request arrived - release stored frames */
2301        if ((!seq_less(mpdu_seq_num, head_seq_num + buf_size)) || (bar_req)) {
2302                /* new head to the ordering buffer */
2303                if (bar_req)
2304                        head_seq_num = mpdu_seq_num;
2305                else
2306                        head_seq_num =
2307                                seq_inc(seq_sub(mpdu_seq_num, buf_size));
2308                /* release stored frames up to new head to stack */
2309                while (seq_less(tid_agg_rx->head_seq_num, head_seq_num)) {
2310                        index = seq_sub(tid_agg_rx->head_seq_num,
2311                                tid_agg_rx->ssn)
2312                                % tid_agg_rx->buf_size;
2313                        ieee80211_release_reorder_frame(hw, tid_agg_rx,
2314                                                        index);
2315                }
2316                if (bar_req)
2317                        return 1;
2318        }
2319
2320        /* now the new frame is always in the range of the reordering */
2321        /* buffer window */
2322        index = seq_sub(mpdu_seq_num, tid_agg_rx->ssn)
2323                                % tid_agg_rx->buf_size;
2324        /* check if we already stored this frame */
2325        if (tid_agg_rx->reorder_buf[index]) {
2326                dev_kfree_skb(skb);
2327                return 1;
2328        }
2329
2330        /* if arrived mpdu is in the right order and nothing else stored */
2331        /* release it immediately */
2332        if (mpdu_seq_num == tid_agg_rx->head_seq_num &&
2333                        tid_agg_rx->stored_mpdu_num == 0) {
2334                tid_agg_rx->head_seq_num =
2335                        seq_inc(tid_agg_rx->head_seq_num);
2336                return 0;
2337        }
2338
2339        /* put the frame in the reordering buffer */
2340        tid_agg_rx->reorder_buf[index] = skb;
2341        tid_agg_rx->reorder_time[index] = jiffies;
2342        tid_agg_rx->stored_mpdu_num++;
2343        /* release the buffer until next missing frame */
2344        index = seq_sub(tid_agg_rx->head_seq_num, tid_agg_rx->ssn)
2345                                                % tid_agg_rx->buf_size;
2346        if (!tid_agg_rx->reorder_buf[index] &&
2347            tid_agg_rx->stored_mpdu_num > 1) {
2348                /*
2349                 * No buffers ready to be released, but check whether any
2350                 * frames in the reorder buffer have timed out.
2351                 */
2352                int j;
2353                int skipped = 1;
2354                for (j = (index + 1) % tid_agg_rx->buf_size; j != index;
2355                     j = (j + 1) % tid_agg_rx->buf_size) {
2356                        if (tid_agg_rx->reorder_buf[j] == NULL) {
2357                                skipped++;
2358                                continue;
2359                        }
2360                        if (!time_after(jiffies, tid_agg_rx->reorder_time[j] +
2361                                        HZ / 10))
2362                                break;
2363
2364#ifdef CONFIG_MAC80211_HT_DEBUG
2365                        if (net_ratelimit())
2366                                printk(KERN_DEBUG "%s: release an RX reorder "
2367                                       "frame due to timeout on earlier "
2368                                       "frames\n",
2369                                       wiphy_name(hw->wiphy));
2370#endif
2371                        ieee80211_release_reorder_frame(hw, tid_agg_rx, j);
2372
2373                        /*
2374                         * Increment the head seq# also for the skipped slots.
2375                         */
2376                        tid_agg_rx->head_seq_num =
2377                                (tid_agg_rx->head_seq_num + skipped) &
2378                                SEQ_MASK;
2379                        skipped = 0;
2380                }
2381        } else while (tid_agg_rx->reorder_buf[index]) {
2382                ieee80211_release_reorder_frame(hw, tid_agg_rx, index);
2383                index = seq_sub(tid_agg_rx->head_seq_num,
2384                        tid_agg_rx->ssn) % tid_agg_rx->buf_size;
2385        }
2386        return 1;
2387}
2388
2389static u8 ieee80211_rx_reorder_ampdu(struct ieee80211_local *local,
2390                                     struct sk_buff *skb)
2391{
2392        struct ieee80211_hw *hw = &local->hw;
2393        struct ieee80211_hdr *hdr = (struct ieee80211_hdr *) skb->data;
2394        struct sta_info *sta;
2395        struct tid_ampdu_rx *tid_agg_rx;
2396        u16 sc;
2397        u16 mpdu_seq_num;
2398        u8 ret = 0;
2399        int tid;
2400
2401        sta = sta_info_get(local, hdr->addr2);
2402        if (!sta)
2403                return ret;
2404
2405        /* filter the QoS data rx stream according to
2406         * STA/TID and check if this STA/TID is on aggregation */
2407        if (!ieee80211_is_data_qos(hdr->frame_control))
2408                goto end_reorder;
2409
2410        tid = *ieee80211_get_qos_ctl(hdr) & IEEE80211_QOS_CTL_TID_MASK;
2411
2412        if (sta->ampdu_mlme.tid_state_rx[tid] != HT_AGG_STATE_OPERATIONAL)
2413                goto end_reorder;
2414
2415        tid_agg_rx = sta->ampdu_mlme.tid_rx[tid];
2416
2417        /* qos null data frames are excluded */
2418        if (unlikely(hdr->frame_control & cpu_to_le16(IEEE80211_STYPE_NULLFUNC)))
2419                goto end_reorder;
2420
2421        /* new un-ordered ampdu frame - process it */
2422
2423        /* reset session timer */
2424        if (tid_agg_rx->timeout)
2425                mod_timer(&tid_agg_rx->session_timer,
2426                          TU_TO_EXP_TIME(tid_agg_rx->timeout));
2427
2428        /* if this mpdu is fragmented - terminate rx aggregation session */
2429        sc = le16_to_cpu(hdr->seq_ctrl);
2430        if (sc & IEEE80211_SCTL_FRAG) {
2431                ieee80211_sta_stop_rx_ba_session(sta->sdata, sta->sta.addr,
2432                        tid, 0, WLAN_REASON_QSTA_REQUIRE_SETUP);
2433                ret = 1;
2434                goto end_reorder;
2435        }
2436
2437        /* according to mpdu sequence number deal with reordering buffer */
2438        mpdu_seq_num = (sc & IEEE80211_SCTL_SEQ) >> 4;
2439        ret = ieee80211_sta_manage_reorder_buf(hw, tid_agg_rx, skb,
2440                                                mpdu_seq_num, 0);
2441 end_reorder:
2442        return ret;
2443}
2444
2445/*
2446 * This is the receive path handler. It is called by a low level driver when an
2447 * 802.11 MPDU is received from the hardware.
2448 */
2449void ieee80211_rx(struct ieee80211_hw *hw, struct sk_buff *skb)
2450{
2451        struct ieee80211_local *local = hw_to_local(hw);
2452        struct ieee80211_rate *rate = NULL;
2453        struct ieee80211_supported_band *sband;
2454        struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(skb);
2455
2456        WARN_ON_ONCE(softirq_count() == 0);
2457
2458        if (WARN_ON(status->band < 0 ||
2459                    status->band >= IEEE80211_NUM_BANDS))
2460                goto drop;
2461
2462        sband = local->hw.wiphy->bands[status->band];
2463        if (WARN_ON(!sband))
2464                goto drop;
2465
2466        /*
2467         * If we're suspending, it is possible although not too likely
2468         * that we'd be receiving frames after having already partially
2469         * quiesced the stack. We can't process such frames then since
2470         * that might, for example, cause stations to be added or other
2471         * driver callbacks be invoked.
2472         */
2473        if (unlikely(local->quiescing || local->suspended))
2474                goto drop;
2475
2476        /*
2477         * The same happens when we're not even started,
2478         * but that's worth a warning.
2479         */
2480        if (WARN_ON(!local->started))
2481                goto drop;
2482
2483        if (status->flag & RX_FLAG_HT) {
2484                /* rate_idx is MCS index */
2485                if (WARN_ON(status->rate_idx < 0 ||
2486                            status->rate_idx >= 76))
2487                        goto drop;
2488                /* HT rates are not in the table - use the highest legacy rate
2489                 * for now since other parts of mac80211 may not yet be fully
2490                 * MCS aware. */
2491                rate = &sband->bitrates[sband->n_bitrates - 1];
2492        } else {
2493                if (WARN_ON(status->rate_idx < 0 ||
2494                            status->rate_idx >= sband->n_bitrates))
2495                        goto drop;
2496                rate = &sband->bitrates[status->rate_idx];
2497        }
2498
2499        /*
2500         * key references and virtual interfaces are protected using RCU
2501         * and this requires that we are in a read-side RCU section during
2502         * receive processing
2503         */
2504        rcu_read_lock();
2505
2506        /*
2507         * Frames with failed FCS/PLCP checksum are not returned,
2508         * all other frames are returned without radiotap header
2509         * if it was previously present.
2510         * Also, frames with less than 16 bytes are dropped.
2511         */
2512        skb = ieee80211_rx_monitor(local, skb, rate);
2513        if (!skb) {
2514                rcu_read_unlock();
2515                return;
2516        }
2517
2518        /*
2519         * In theory, the block ack reordering should happen after duplicate
2520         * removal (ieee80211_rx_h_check(), which is an RX handler). As such,
2521         * the call to ieee80211_rx_reorder_ampdu() should really be moved to
2522         * happen as a new RX handler between ieee80211_rx_h_check and
2523         * ieee80211_rx_h_decrypt. This cleanup may eventually happen, but for
2524         * the time being, the call can be here since RX reorder buf processing
2525         * will implicitly skip duplicates. We could, in theory at least,
2526         * process frames that ieee80211_rx_h_passive_scan would drop (e.g.,
2527         * frames from other than operational channel), but that should not
2528         * happen in normal networks.
2529         */
2530        if (!ieee80211_rx_reorder_ampdu(local, skb))
2531                __ieee80211_rx_handle_packet(hw, skb, rate);
2532
2533        rcu_read_unlock();
2534
2535        return;
2536 drop:
2537        kfree_skb(skb);
2538}
2539EXPORT_SYMBOL(ieee80211_rx);
2540
2541/* This is a version of the rx handler that can be called from hard irq
2542 * context. Post the skb on the queue and schedule the tasklet */
2543void ieee80211_rx_irqsafe(struct ieee80211_hw *hw, struct sk_buff *skb)
2544{
2545        struct ieee80211_local *local = hw_to_local(hw);
2546
2547        BUILD_BUG_ON(sizeof(struct ieee80211_rx_status) > sizeof(skb->cb));
2548
2549        skb->pkt_type = IEEE80211_RX_MSG;
2550        skb_queue_tail(&local->skb_queue, skb);
2551        tasklet_schedule(&local->tasklet);
2552}
2553EXPORT_SYMBOL(ieee80211_rx_irqsafe);
2554