// SPDX-License-Identifier: GPL-2.0-only
/*
 * Copyright 2002-2005, Instant802 Networks, Inc.
 * Copyright 2005-2006, Devicescape Software, Inc.
 * Copyright 2006-2007  Jiri Benc <jbenc@suse.cz>
 * Copyright 2007-2010  Johannes Berg <johannes@sipsolutions.net>
 * Copyright 2013-2014  Intel Mobile Communications GmbH
 * Copyright(c) 2015 - 2017 Intel Deutschland GmbH
 * Copyright (C) 2018-2021 Intel Corporation
 */

#include <linux/jiffies.h>
#include <linux/slab.h>
#include <linux/kernel.h>
#include <linux/skbuff.h>
#include <linux/netdevice.h>
#include <linux/etherdevice.h>
#include <linux/rcupdate.h>
#include <linux/export.h>
#include <linux/kcov.h>
#include <linux/bitops.h>
#include <net/mac80211.h>
#include <net/ieee80211_radiotap.h>
#include <asm/unaligned.h>

#include "ieee80211_i.h"
#include "driver-ops.h"
#include "led.h"
#include "mesh.h"
#include "wep.h"
#include "wpa.h"
#include "tkip.h"
#include "wme.h"
#include "rate.h"

/*
 * monitor mode reception
 *
 * This function cleans up the SKB, i.e. it removes all the stuff
 * only useful for monitoring.
 */
static struct sk_buff *ieee80211_clean_skb(struct sk_buff *skb,
                                           unsigned int present_fcs_len,
                                           unsigned int rtap_space)
{
        struct ieee80211_hdr *hdr;
        unsigned int hdrlen;
        __le16 fc;

        if (present_fcs_len)
                __pskb_trim(skb, skb->len - present_fcs_len);
        __pskb_pull(skb, rtap_space);

        hdr = (void *)skb->data;
        fc = hdr->frame_control;

        /*
         * Remove the HT-Control field (if present) on management
         * frames after we've sent the frame to monitoring. We
         * (currently) don't need it, and don't properly parse
         * frames with it present, due to the assumption of a
         * fixed management header length.
         */
        if (likely(!ieee80211_is_mgmt(fc) || !ieee80211_has_order(fc)))
                return skb;

        hdrlen = ieee80211_hdrlen(fc);
        hdr->frame_control &= ~cpu_to_le16(IEEE80211_FCTL_ORDER);

        if (!pskb_may_pull(skb, hdrlen)) {
                dev_kfree_skb(skb);
                return NULL;
        }

        memmove(skb->data + IEEE80211_HT_CTL_LEN, skb->data,
                hdrlen - IEEE80211_HT_CTL_LEN);
        __pskb_pull(skb, IEEE80211_HT_CTL_LEN);

        return skb;
}

static inline bool should_drop_frame(struct sk_buff *skb, int present_fcs_len,
                                     unsigned int rtap_space)
{
        struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(skb);
        struct ieee80211_hdr *hdr;

        hdr = (void *)(skb->data + rtap_space);

        if (status->flag & (RX_FLAG_FAILED_FCS_CRC |
                            RX_FLAG_FAILED_PLCP_CRC |
                            RX_FLAG_ONLY_MONITOR |
                            RX_FLAG_NO_PSDU))
                return true;

        if (unlikely(skb->len < 16 + present_fcs_len + rtap_space))
                return true;

        if (ieee80211_is_ctl(hdr->frame_control) &&
            !ieee80211_is_pspoll(hdr->frame_control) &&
            !ieee80211_is_back_req(hdr->frame_control))
                return true;

        return false;
}

static int
ieee80211_rx_radiotap_hdrlen(struct ieee80211_local *local,
                             struct ieee80211_rx_status *status,
                             struct sk_buff *skb)
{
        int len;

        /* always present fields */
        len = sizeof(struct ieee80211_radiotap_header) + 8;

        /* allocate extra bitmaps */
        if (status->chains)
                len += 4 * hweight8(status->chains);
        /* vendor presence bitmap */
        if (status->flag & RX_FLAG_RADIOTAP_VENDOR_DATA)
                len += 4;

        if (ieee80211_have_rx_timestamp(status)) {
                len = ALIGN(len, 8);
                len += 8;
        }
        if (ieee80211_hw_check(&local->hw, SIGNAL_DBM))
                len += 1;

        /* antenna field, if we don't have per-chain info */
        if (!status->chains)
                len += 1;

        /* padding for RX_FLAGS if necessary */
        len = ALIGN(len, 2);

        if (status->encoding == RX_ENC_HT) /* HT info */
                len += 3;

        if (status->flag & RX_FLAG_AMPDU_DETAILS) {
                len = ALIGN(len, 4);
                len += 8;
        }

        if (status->encoding == RX_ENC_VHT) {
                len = ALIGN(len, 2);
                len += 12;
        }

        if (local->hw.radiotap_timestamp.units_pos >= 0) {
                len = ALIGN(len, 8);
                len += 12;
        }

        if (status->encoding == RX_ENC_HE &&
            status->flag & RX_FLAG_RADIOTAP_HE) {
                len = ALIGN(len, 2);
                len += 12;
                BUILD_BUG_ON(sizeof(struct ieee80211_radiotap_he) != 12);
        }

        if (status->encoding == RX_ENC_HE &&
            status->flag & RX_FLAG_RADIOTAP_HE_MU) {
                len = ALIGN(len, 2);
                len += 12;
                BUILD_BUG_ON(sizeof(struct ieee80211_radiotap_he_mu) != 12);
        }

        if (status->flag & RX_FLAG_NO_PSDU)
                len += 1;

        if (status->flag & RX_FLAG_RADIOTAP_LSIG) {
                len = ALIGN(len, 2);
                len += 4;
                BUILD_BUG_ON(sizeof(struct ieee80211_radiotap_lsig) != 4);
        }

        if (status->chains) {
                /* antenna and antenna signal fields */
                len += 2 * hweight8(status->chains);
        }

        if (status->flag & RX_FLAG_RADIOTAP_VENDOR_DATA) {
                struct ieee80211_vendor_radiotap *rtap;
                int vendor_data_offset = 0;

                /*
                 * The position to look at depends on the existence (or non-
                 * existence) of other elements, so take that into account...
                 */
                if (status->flag & RX_FLAG_RADIOTAP_HE)
                        vendor_data_offset +=
                                sizeof(struct ieee80211_radiotap_he);
                if (status->flag & RX_FLAG_RADIOTAP_HE_MU)
                        vendor_data_offset +=
                                sizeof(struct ieee80211_radiotap_he_mu);
                if (status->flag & RX_FLAG_RADIOTAP_LSIG)
                        vendor_data_offset +=
                                sizeof(struct ieee80211_radiotap_lsig);

                rtap = (void *)&skb->data[vendor_data_offset];

                /* alignment for fixed 6-byte vendor data header */
                len = ALIGN(len, 2);
                /* vendor data header */
                len += 6;
                if (WARN_ON(rtap->align == 0))
                        rtap->align = 1;
                len = ALIGN(len, rtap->align);
                len += rtap->len + rtap->pad;
        }

        return len;
}

static void __ieee80211_queue_skb_to_iface(struct ieee80211_sub_if_data *sdata,
                                           struct sta_info *sta,
                                           struct sk_buff *skb)
{
        skb_queue_tail(&sdata->skb_queue, skb);
        ieee80211_queue_work(&sdata->local->hw, &sdata->work);
        if (sta)
                sta->rx_stats.packets++;
}

static void ieee80211_queue_skb_to_iface(struct ieee80211_sub_if_data *sdata,
                                         struct sta_info *sta,
                                         struct sk_buff *skb)
{
        skb->protocol = 0;
        __ieee80211_queue_skb_to_iface(sdata, sta, skb);
}

static void ieee80211_handle_mu_mimo_mon(struct ieee80211_sub_if_data *sdata,
                                         struct sk_buff *skb,
                                         int rtap_space)
{
        struct {
                struct ieee80211_hdr_3addr hdr;
                u8 category;
                u8 action_code;
        } __packed __aligned(2) action;

        if (!sdata)
                return;

        BUILD_BUG_ON(sizeof(action) != IEEE80211_MIN_ACTION_SIZE + 1);

        if (skb->len < rtap_space + sizeof(action) +
                       VHT_MUMIMO_GROUPS_DATA_LEN)
                return;

        if (!is_valid_ether_addr(sdata->u.mntr.mu_follow_addr))
                return;

        skb_copy_bits(skb, rtap_space, &action, sizeof(action));

        if (!ieee80211_is_action(action.hdr.frame_control))
                return;

        if (action.category != WLAN_CATEGORY_VHT)
                return;

        if (action.action_code != WLAN_VHT_ACTION_GROUPID_MGMT)
                return;

        if (!ether_addr_equal(action.hdr.addr1, sdata->u.mntr.mu_follow_addr))
                return;

        skb = skb_copy(skb, GFP_ATOMIC);
        if (!skb)
                return;

        ieee80211_queue_skb_to_iface(sdata, NULL, skb);
}

/*
 * ieee80211_add_rx_radiotap_header - add radiotap header
 *
 * add a radiotap header containing all the fields which the hardware provided.
 */
static void
ieee80211_add_rx_radiotap_header(struct ieee80211_local *local,
                                 struct sk_buff *skb,
                                 struct ieee80211_rate *rate,
                                 int rtap_len, bool has_fcs)
{
        struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(skb);
        struct ieee80211_radiotap_header *rthdr;
        unsigned char *pos;
        __le32 *it_present;
        u32 it_present_val;
        u16 rx_flags = 0;
        u16 channel_flags = 0;
        int mpdulen, chain;
        unsigned long chains = status->chains;
        struct ieee80211_vendor_radiotap rtap = {};
        struct ieee80211_radiotap_he he = {};
        struct ieee80211_radiotap_he_mu he_mu = {};
        struct ieee80211_radiotap_lsig lsig = {};

        if (status->flag & RX_FLAG_RADIOTAP_HE) {
                he = *(struct ieee80211_radiotap_he *)skb->data;
                skb_pull(skb, sizeof(he));
                WARN_ON_ONCE(status->encoding != RX_ENC_HE);
        }

        if (status->flag & RX_FLAG_RADIOTAP_HE_MU) {
                he_mu = *(struct ieee80211_radiotap_he_mu *)skb->data;
                skb_pull(skb, sizeof(he_mu));
        }

        if (status->flag & RX_FLAG_RADIOTAP_LSIG) {
                lsig = *(struct ieee80211_radiotap_lsig *)skb->data;
                skb_pull(skb, sizeof(lsig));
        }

        if (status->flag & RX_FLAG_RADIOTAP_VENDOR_DATA) {
                rtap = *(struct ieee80211_vendor_radiotap *)skb->data;
                /* rtap.len and rtap.pad are undone immediately */
                skb_pull(skb, sizeof(rtap) + rtap.len + rtap.pad);
        }

        mpdulen = skb->len;
        if (!(has_fcs && ieee80211_hw_check(&local->hw, RX_INCLUDES_FCS)))
                mpdulen += FCS_LEN;

        rthdr = skb_push(skb, rtap_len);
        memset(rthdr, 0, rtap_len - rtap.len - rtap.pad);
        it_present = &rthdr->it_present;

        /* radiotap header, set always present flags */
        rthdr->it_len = cpu_to_le16(rtap_len);
        it_present_val = BIT(IEEE80211_RADIOTAP_FLAGS) |
                         BIT(IEEE80211_RADIOTAP_CHANNEL) |
                         BIT(IEEE80211_RADIOTAP_RX_FLAGS);

        if (!status->chains)
                it_present_val |= BIT(IEEE80211_RADIOTAP_ANTENNA);

        for_each_set_bit(chain, &chains, IEEE80211_MAX_CHAINS) {
                it_present_val |=
                        BIT(IEEE80211_RADIOTAP_EXT) |
                        BIT(IEEE80211_RADIOTAP_RADIOTAP_NAMESPACE);
                put_unaligned_le32(it_present_val, it_present);
                it_present++;
                it_present_val = BIT(IEEE80211_RADIOTAP_ANTENNA) |
                                 BIT(IEEE80211_RADIOTAP_DBM_ANTSIGNAL);
        }

        if (status->flag & RX_FLAG_RADIOTAP_VENDOR_DATA) {
                it_present_val |= BIT(IEEE80211_RADIOTAP_VENDOR_NAMESPACE) |
                                  BIT(IEEE80211_RADIOTAP_EXT);
                put_unaligned_le32(it_present_val, it_present);
                it_present++;
                it_present_val = rtap.present;
        }

        put_unaligned_le32(it_present_val, it_present);

        /* This references through an offset into it_optional[] rather
         * than via it_present otherwise later uses of pos will cause
         * the compiler to think we have walked past the end of the
         * struct member.
         */
        pos = (void *)&rthdr->it_optional[it_present - rthdr->it_optional];

        /* the order of the following fields is important */

        /* IEEE80211_RADIOTAP_TSFT */
        if (ieee80211_have_rx_timestamp(status)) {
                /* padding */
                while ((pos - (u8 *)rthdr) & 7)
                        *pos++ = 0;
                put_unaligned_le64(
                        ieee80211_calculate_rx_timestamp(local, status,
                                                         mpdulen, 0),
                        pos);
                rthdr->it_present |= cpu_to_le32(BIT(IEEE80211_RADIOTAP_TSFT));
                pos += 8;
        }

        /* IEEE80211_RADIOTAP_FLAGS */
        if (has_fcs && ieee80211_hw_check(&local->hw, RX_INCLUDES_FCS))
                *pos |= IEEE80211_RADIOTAP_F_FCS;
        if (status->flag & (RX_FLAG_FAILED_FCS_CRC | RX_FLAG_FAILED_PLCP_CRC))
                *pos |= IEEE80211_RADIOTAP_F_BADFCS;
        if (status->enc_flags & RX_ENC_FLAG_SHORTPRE)
                *pos |= IEEE80211_RADIOTAP_F_SHORTPRE;
        pos++;

        /* IEEE80211_RADIOTAP_RATE */
        if (!rate || status->encoding != RX_ENC_LEGACY) {
                /*
                 * Without rate information don't add it. If we have,
                 * MCS information is a separate field in radiotap,
                 * added below. The byte here is needed as padding
                 * for the channel though, so initialise it to 0.
                 */
                *pos = 0;
        } else {
                int shift = 0;
                rthdr->it_present |= cpu_to_le32(BIT(IEEE80211_RADIOTAP_RATE));
                if (status->bw == RATE_INFO_BW_10)
                        shift = 1;
                else if (status->bw == RATE_INFO_BW_5)
                        shift = 2;
                *pos = DIV_ROUND_UP(rate->bitrate, 5 * (1 << shift));
        }
        pos++;

        /* IEEE80211_RADIOTAP_CHANNEL */
        /* TODO: frequency offset in KHz */
        put_unaligned_le16(status->freq, pos);
        pos += 2;
        if (status->bw == RATE_INFO_BW_10)
                channel_flags |= IEEE80211_CHAN_HALF;
        else if (status->bw == RATE_INFO_BW_5)
                channel_flags |= IEEE80211_CHAN_QUARTER;

        if (status->band == NL80211_BAND_5GHZ ||
            status->band == NL80211_BAND_6GHZ)
                channel_flags |= IEEE80211_CHAN_OFDM | IEEE80211_CHAN_5GHZ;
        else if (status->encoding != RX_ENC_LEGACY)
                channel_flags |= IEEE80211_CHAN_DYN | IEEE80211_CHAN_2GHZ;
        else if (rate && rate->flags & IEEE80211_RATE_ERP_G)
                channel_flags |= IEEE80211_CHAN_OFDM | IEEE80211_CHAN_2GHZ;
        else if (rate)
                channel_flags |= IEEE80211_CHAN_CCK | IEEE80211_CHAN_2GHZ;
        else
                channel_flags |= IEEE80211_CHAN_2GHZ;
        put_unaligned_le16(channel_flags, pos);
        pos += 2;

        /* IEEE80211_RADIOTAP_DBM_ANTSIGNAL */
        if (ieee80211_hw_check(&local->hw, SIGNAL_DBM) &&
            !(status->flag & RX_FLAG_NO_SIGNAL_VAL)) {
                *pos = status->signal;
                rthdr->it_present |=
                        cpu_to_le32(BIT(IEEE80211_RADIOTAP_DBM_ANTSIGNAL));
                pos++;
        }

        /* IEEE80211_RADIOTAP_LOCK_QUALITY is missing */

        if (!status->chains) {
                /* IEEE80211_RADIOTAP_ANTENNA */
                *pos = status->antenna;
                pos++;
        }

        /* IEEE80211_RADIOTAP_DB_ANTNOISE is not used */

        /* IEEE80211_RADIOTAP_RX_FLAGS */
        /* ensure 2 byte alignment for the 2 byte field as required */
        if ((pos - (u8 *)rthdr) & 1)
                *pos++ = 0;
        if (status->flag & RX_FLAG_FAILED_PLCP_CRC)
                rx_flags |= IEEE80211_RADIOTAP_F_RX_BADPLCP;
        put_unaligned_le16(rx_flags, pos);
        pos += 2;

        if (status->encoding == RX_ENC_HT) {
                unsigned int stbc;

                rthdr->it_present |= cpu_to_le32(BIT(IEEE80211_RADIOTAP_MCS));
                *pos++ = local->hw.radiotap_mcs_details;
                *pos = 0;
                if (status->enc_flags & RX_ENC_FLAG_SHORT_GI)
                        *pos |= IEEE80211_RADIOTAP_MCS_SGI;
                if (status->bw == RATE_INFO_BW_40)
                        *pos |= IEEE80211_RADIOTAP_MCS_BW_40;
                if (status->enc_flags & RX_ENC_FLAG_HT_GF)
                        *pos |= IEEE80211_RADIOTAP_MCS_FMT_GF;
                if (status->enc_flags & RX_ENC_FLAG_LDPC)
                        *pos |= IEEE80211_RADIOTAP_MCS_FEC_LDPC;
                stbc = (status->enc_flags & RX_ENC_FLAG_STBC_MASK) >> RX_ENC_FLAG_STBC_SHIFT;
                *pos |= stbc << IEEE80211_RADIOTAP_MCS_STBC_SHIFT;
                pos++;
                *pos++ = status->rate_idx;
        }

        if (status->flag & RX_FLAG_AMPDU_DETAILS) {
                u16 flags = 0;

                /* ensure 4 byte alignment */
                while ((pos - (u8 *)rthdr) & 3)
                        pos++;
                rthdr->it_present |=
                        cpu_to_le32(BIT(IEEE80211_RADIOTAP_AMPDU_STATUS));
                put_unaligned_le32(status->ampdu_reference, pos);
                pos += 4;
                if (status->flag & RX_FLAG_AMPDU_LAST_KNOWN)
                        flags |= IEEE80211_RADIOTAP_AMPDU_LAST_KNOWN;
                if (status->flag & RX_FLAG_AMPDU_IS_LAST)
                        flags |= IEEE80211_RADIOTAP_AMPDU_IS_LAST;
                if (status->flag & RX_FLAG_AMPDU_DELIM_CRC_ERROR)
                        flags |= IEEE80211_RADIOTAP_AMPDU_DELIM_CRC_ERR;
                if (status->flag & RX_FLAG_AMPDU_DELIM_CRC_KNOWN)
                        flags |= IEEE80211_RADIOTAP_AMPDU_DELIM_CRC_KNOWN;
                if (status->flag & RX_FLAG_AMPDU_EOF_BIT_KNOWN)
                        flags |= IEEE80211_RADIOTAP_AMPDU_EOF_KNOWN;
                if (status->flag & RX_FLAG_AMPDU_EOF_BIT)
                        flags |= IEEE80211_RADIOTAP_AMPDU_EOF;
                put_unaligned_le16(flags, pos);
                pos += 2;
                if (status->flag & RX_FLAG_AMPDU_DELIM_CRC_KNOWN)
                        *pos++ = status->ampdu_delimiter_crc;
                else
                        *pos++ = 0;
                *pos++ = 0;
        }

        if (status->encoding == RX_ENC_VHT) {
                u16 known = local->hw.radiotap_vht_details;

                rthdr->it_present |= cpu_to_le32(BIT(IEEE80211_RADIOTAP_VHT));
                put_unaligned_le16(known, pos);
                pos += 2;
                /* flags */
                if (status->enc_flags & RX_ENC_FLAG_SHORT_GI)
                        *pos |= IEEE80211_RADIOTAP_VHT_FLAG_SGI;
                /* in VHT, STBC is binary */
                if (status->enc_flags & RX_ENC_FLAG_STBC_MASK)
                        *pos |= IEEE80211_RADIOTAP_VHT_FLAG_STBC;
                if (status->enc_flags & RX_ENC_FLAG_BF)
                        *pos |= IEEE80211_RADIOTAP_VHT_FLAG_BEAMFORMED;
                pos++;
                /* bandwidth */
                switch (status->bw) {
                case RATE_INFO_BW_80:
                        *pos++ = 4;
                        break;
                case RATE_INFO_BW_160:
                        *pos++ = 11;
                        break;
                case RATE_INFO_BW_40:
                        *pos++ = 1;
                        break;
                default:
                        *pos++ = 0;
                }
                /* MCS/NSS */
                *pos = (status->rate_idx << 4) | status->nss;
                pos += 4;
                /* coding field */
                if (status->enc_flags & RX_ENC_FLAG_LDPC)
                        *pos |= IEEE80211_RADIOTAP_CODING_LDPC_USER0;
                pos++;
                /* group ID */
                pos++;
                /* partial_aid */
                pos += 2;
        }

        if (local->hw.radiotap_timestamp.units_pos >= 0) {
                u16 accuracy = 0;
                u8 flags = IEEE80211_RADIOTAP_TIMESTAMP_FLAG_32BIT;

                rthdr->it_present |=
                        cpu_to_le32(BIT(IEEE80211_RADIOTAP_TIMESTAMP));

                /* ensure 8 byte alignment */
                while ((pos - (u8 *)rthdr) & 7)
                        pos++;

                put_unaligned_le64(status->device_timestamp, pos);
                pos += sizeof(u64);

                if (local->hw.radiotap_timestamp.accuracy >= 0) {
                        accuracy = local->hw.radiotap_timestamp.accuracy;
                        flags |= IEEE80211_RADIOTAP_TIMESTAMP_FLAG_ACCURACY;
                }
                put_unaligned_le16(accuracy, pos);
                pos += sizeof(u16);

                *pos++ = local->hw.radiotap_timestamp.units_pos;
                *pos++ = flags;
        }

        if (status->encoding == RX_ENC_HE &&
            status->flag & RX_FLAG_RADIOTAP_HE) {
#define HE_PREP(f, val) le16_encode_bits(val, IEEE80211_RADIOTAP_HE_##f)

                if (status->enc_flags & RX_ENC_FLAG_STBC_MASK) {
                        he.data6 |= HE_PREP(DATA6_NSTS,
                                            FIELD_GET(RX_ENC_FLAG_STBC_MASK,
                                                      status->enc_flags));
                        he.data3 |= HE_PREP(DATA3_STBC, 1);
                } else {
                        he.data6 |= HE_PREP(DATA6_NSTS, status->nss);
                }

#define CHECK_GI(s) \
        BUILD_BUG_ON(IEEE80211_RADIOTAP_HE_DATA5_GI_##s != \
                     (int)NL80211_RATE_INFO_HE_GI_##s)

                CHECK_GI(0_8);
                CHECK_GI(1_6);
                CHECK_GI(3_2);

                he.data3 |= HE_PREP(DATA3_DATA_MCS, status->rate_idx);
                he.data3 |= HE_PREP(DATA3_DATA_DCM, status->he_dcm);
                he.data3 |= HE_PREP(DATA3_CODING,
                                    !!(status->enc_flags & RX_ENC_FLAG_LDPC));

                he.data5 |= HE_PREP(DATA5_GI, status->he_gi);

                switch (status->bw) {
                case RATE_INFO_BW_20:
                        he.data5 |= HE_PREP(DATA5_DATA_BW_RU_ALLOC,
                                            IEEE80211_RADIOTAP_HE_DATA5_DATA_BW_RU_ALLOC_20MHZ);
                        break;
                case RATE_INFO_BW_40:
                        he.data5 |= HE_PREP(DATA5_DATA_BW_RU_ALLOC,
                                            IEEE80211_RADIOTAP_HE_DATA5_DATA_BW_RU_ALLOC_40MHZ);
                        break;
                case RATE_INFO_BW_80:
                        he.data5 |= HE_PREP(DATA5_DATA_BW_RU_ALLOC,
                                            IEEE80211_RADIOTAP_HE_DATA5_DATA_BW_RU_ALLOC_80MHZ);
                        break;
                case RATE_INFO_BW_160:
                        he.data5 |= HE_PREP(DATA5_DATA_BW_RU_ALLOC,
                                            IEEE80211_RADIOTAP_HE_DATA5_DATA_BW_RU_ALLOC_160MHZ);
                        break;
                case RATE_INFO_BW_HE_RU:
#define CHECK_RU_ALLOC(s) \
        BUILD_BUG_ON(IEEE80211_RADIOTAP_HE_DATA5_DATA_BW_RU_ALLOC_##s##T != \
                     NL80211_RATE_INFO_HE_RU_ALLOC_##s + 4)

                        CHECK_RU_ALLOC(26);
                        CHECK_RU_ALLOC(52);
                        CHECK_RU_ALLOC(106);
                        CHECK_RU_ALLOC(242);
                        CHECK_RU_ALLOC(484);
                        CHECK_RU_ALLOC(996);
                        CHECK_RU_ALLOC(2x996);

                        he.data5 |= HE_PREP(DATA5_DATA_BW_RU_ALLOC,
                                            status->he_ru + 4);
                        break;
                default:
                        WARN_ONCE(1, "Invalid SU BW %d\n", status->bw);
                }

                /* ensure 2 byte alignment */
                while ((pos - (u8 *)rthdr) & 1)
                        pos++;
                rthdr->it_present |= cpu_to_le32(BIT(IEEE80211_RADIOTAP_HE));
                memcpy(pos, &he, sizeof(he));
                pos += sizeof(he);
        }

        if (status->encoding == RX_ENC_HE &&
            status->flag & RX_FLAG_RADIOTAP_HE_MU) {
                /* ensure 2 byte alignment */
                while ((pos - (u8 *)rthdr) & 1)
                        pos++;
                rthdr->it_present |= cpu_to_le32(BIT(IEEE80211_RADIOTAP_HE_MU));
                memcpy(pos, &he_mu, sizeof(he_mu));
                pos += sizeof(he_mu);
        }

        if (status->flag & RX_FLAG_NO_PSDU) {
                rthdr->it_present |=
                        cpu_to_le32(BIT(IEEE80211_RADIOTAP_ZERO_LEN_PSDU));
                *pos++ = status->zero_length_psdu_type;
        }

        if (status->flag & RX_FLAG_RADIOTAP_LSIG) {
                /* ensure 2 byte alignment */
                while ((pos - (u8 *)rthdr) & 1)
                        pos++;
                rthdr->it_present |= cpu_to_le32(BIT(IEEE80211_RADIOTAP_LSIG));
                memcpy(pos, &lsig, sizeof(lsig));
                pos += sizeof(lsig);
        }

        for_each_set_bit(chain, &chains, IEEE80211_MAX_CHAINS) {
                *pos++ = status->chain_signal[chain];
                *pos++ = chain;
        }

        if (status->flag & RX_FLAG_RADIOTAP_VENDOR_DATA) {
                /* ensure 2 byte alignment for the vendor field as required */
                if ((pos - (u8 *)rthdr) & 1)
                        *pos++ = 0;
                *pos++ = rtap.oui[0];
                *pos++ = rtap.oui[1];
                *pos++ = rtap.oui[2];
                *pos++ = rtap.subns;
                put_unaligned_le16(rtap.len, pos);
                pos += 2;
                /* align the actual payload as requested */
                while ((pos - (u8 *)rthdr) & (rtap.align - 1))
                        *pos++ = 0;
                /* data (and possible padding) already follows */
        }
}

static struct sk_buff *
ieee80211_make_monitor_skb(struct ieee80211_local *local,
                           struct sk_buff **origskb,
                           struct ieee80211_rate *rate,
                           int rtap_space, bool use_origskb)
{
        struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(*origskb);
        int rt_hdrlen, needed_headroom;
        struct sk_buff *skb;

        /* room for the radiotap header based on driver features */
        rt_hdrlen = ieee80211_rx_radiotap_hdrlen(local, status, *origskb);
        needed_headroom = rt_hdrlen - rtap_space;

        if (use_origskb) {
                /* only need to expand headroom if necessary */
                skb = *origskb;
                *origskb = NULL;

                /*
                 * This shouldn't trigger often because most devices have an
                 * RX header they pull before we get here, and that should
                 * be big enough for our radiotap information. We should
                 * probably export the length to drivers so that we can have
                 * them allocate enough headroom to start with.
                 */
                if (skb_headroom(skb) < needed_headroom &&
                    pskb_expand_head(skb, needed_headroom, 0, GFP_ATOMIC)) {
                        dev_kfree_skb(skb);
                        return NULL;
                }
        } else {
                /*
                 * Need to make a copy and possibly remove radiotap header
                 * and FCS from the original.
                 */
                skb = skb_copy_expand(*origskb, needed_headroom + NET_SKB_PAD,
                                      0, GFP_ATOMIC);

                if (!skb)
                        return NULL;
        }

        /* prepend radiotap information */
        ieee80211_add_rx_radiotap_header(local, skb, rate, rt_hdrlen, true);

        skb_reset_mac_header(skb);
        skb->ip_summed = CHECKSUM_UNNECESSARY;
        skb->pkt_type = PACKET_OTHERHOST;
        skb->protocol = htons(ETH_P_802_2);

        return skb;
}

/*
 * This function copies a received frame to all monitor interfaces and
 * returns a cleaned-up SKB that no longer includes the FCS nor the
 * radiotap header the driver might have added.
 */
static struct sk_buff *
ieee80211_rx_monitor(struct ieee80211_local *local, struct sk_buff *origskb,
                     struct ieee80211_rate *rate)
{
        struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(origskb);
        struct ieee80211_sub_if_data *sdata;
        struct sk_buff *monskb = NULL;
        int present_fcs_len = 0;
        unsigned int rtap_space = 0;
        struct ieee80211_sub_if_data *monitor_sdata =
                rcu_dereference(local->monitor_sdata);
        bool only_monitor = false;
        unsigned int min_head_len;

        if (status->flag & RX_FLAG_RADIOTAP_HE)
                rtap_space += sizeof(struct ieee80211_radiotap_he);

        if (status->flag & RX_FLAG_RADIOTAP_HE_MU)
                rtap_space += sizeof(struct ieee80211_radiotap_he_mu);

        if (status->flag & RX_FLAG_RADIOTAP_LSIG)
                rtap_space += sizeof(struct ieee80211_radiotap_lsig);

        if (unlikely(status->flag & RX_FLAG_RADIOTAP_VENDOR_DATA)) {
                struct ieee80211_vendor_radiotap *rtap =
                        (void *)(origskb->data + rtap_space);

                rtap_space += sizeof(*rtap) + rtap->len + rtap->pad;
        }

        min_head_len = rtap_space;

        /*
         * First, we may need to make a copy of the skb because
         *  (1) we need to modify it for radiotap (if not present), and
         *  (2) the other RX handlers will modify the skb we got.
         *
         * We don't need to, of course, if we aren't going to return
         * the SKB because it has a bad FCS/PLCP checksum.
         */

        if (!(status->flag & RX_FLAG_NO_PSDU)) {
                if (ieee80211_hw_check(&local->hw, RX_INCLUDES_FCS)) {
                        if (unlikely(origskb->len <= FCS_LEN + rtap_space)) {
                                /* driver bug */
                                WARN_ON(1);
                                dev_kfree_skb(origskb);
                                return NULL;
                        }
                        present_fcs_len = FCS_LEN;
                }

                /* also consider the hdr->frame_control */
                min_head_len += 2;
        }

        /* ensure that the expected data elements are in skb head */
        if (!pskb_may_pull(origskb, min_head_len)) {
                dev_kfree_skb(origskb);
                return NULL;
        }

        only_monitor = should_drop_frame(origskb, present_fcs_len, rtap_space);

        if (!local->monitors || (status->flag & RX_FLAG_SKIP_MONITOR)) {
                if (only_monitor) {
                        dev_kfree_skb(origskb);
                        return NULL;
                }

                return ieee80211_clean_skb(origskb, present_fcs_len,
                                           rtap_space);
        }

        ieee80211_handle_mu_mimo_mon(monitor_sdata, origskb, rtap_space);

        list_for_each_entry_rcu(sdata, &local->mon_list, u.mntr.list) {
                bool last_monitor = list_is_last(&sdata->u.mntr.list,
                                                 &local->mon_list);

                if (!monskb)
                        monskb = ieee80211_make_monitor_skb(local, &origskb,
                                                            rate, rtap_space,
                                                            only_monitor &&
                                                            last_monitor);

                if (monskb) {
                        struct sk_buff *skb;

                        if (last_monitor) {
                                skb = monskb;
                                monskb = NULL;
                        } else {
                                skb = skb_clone(monskb, GFP_ATOMIC);
                        }

                        if (skb) {
                                skb->dev = sdata->dev;
                                dev_sw_netstats_rx_add(skb->dev, skb->len);
                                netif_receive_skb(skb);
                        }
                }

                if (last_monitor)
                        break;
        }

        /* this happens if last_monitor was erroneously false */
        dev_kfree_skb(monskb);

        /* ditto */
        if (!origskb)
                return NULL;

        return ieee80211_clean_skb(origskb, present_fcs_len, rtap_space);
}

static void ieee80211_parse_qos(struct ieee80211_rx_data *rx)
{
        struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)rx->skb->data;
        struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(rx->skb);
        int tid, seqno_idx, security_idx;

        /* does the frame have a qos control field? */
        if (ieee80211_is_data_qos(hdr->frame_control)) {
                u8 *qc = ieee80211_get_qos_ctl(hdr);
                /* frame has qos control */
                tid = *qc & IEEE80211_QOS_CTL_TID_MASK;
                if (*qc & IEEE80211_QOS_CTL_A_MSDU_PRESENT)
                        status->rx_flags |= IEEE80211_RX_AMSDU;

                seqno_idx = tid;
                security_idx = tid;
        } else {
                /*
                 * IEEE 802.11-2007, 7.1.3.4.1 ("Sequence Number field"):
                 *
                 *      Sequence numbers for management frames, QoS data
                 *      frames with a broadcast/multicast address in the
                 *      Address 1 field, and all non-QoS data frames sent
                 *      by QoS STAs are assigned using an additional single
                 *      modulo-4096 counter, [...]
                 *
                 * We also use that counter for non-QoS STAs.
                 */
                seqno_idx = IEEE80211_NUM_TIDS;
                security_idx = 0;
                if (ieee80211_is_mgmt(hdr->frame_control))
                        security_idx = IEEE80211_NUM_TIDS;
                tid = 0;
        }

        rx->seqno_idx = seqno_idx;
        rx->security_idx = security_idx;
        /* Set skb->priority to 1d tag if highest order bit of TID is not set.
         * For now, set skb->priority to 0 for other cases. */
        rx->skb->priority = (tid > 7) ? 0 : tid;
}

/**
 * DOC: Packet alignment
 *
 * Drivers always need to pass packets that are aligned to two-byte boundaries
 * to the stack.
 *
 * Additionally, should, if possible, align the payload data in a way that
 * guarantees that the contained IP header is aligned to a four-byte
 * boundary. In the case of regular frames, this simply means aligning the
 * payload to a four-byte boundary (because either the IP header is directly
 * contained, or IV/RFC1042 headers that have a length divisible by four are
 * in front of it).  If the payload data is not properly aligned and the
 * architecture doesn't support efficient unaligned operations, mac80211
 * will align the data.
 *
 * With A-MSDU frames, however, the payload data address must yield two modulo
 * four because there are 14-byte 802.3 headers within the A-MSDU frames that
 * push the IP header further back to a multiple of four again. Thankfully, the
 * specs were sane enough this time around to require padding each A-MSDU
 * subframe to a length that is a multiple of four.
 *
 * Padding like Atheros hardware adds which is between the 802.11 header and
 * the payload is not supported, the driver is required to move the 802.11
 * header to be directly in front of the payload in that case.
 */
static void ieee80211_verify_alignment(struct ieee80211_rx_data *rx)
{
#ifdef CONFIG_MAC80211_VERBOSE_DEBUG
        WARN_ON_ONCE((unsigned long)rx->skb->data & 1);
#endif
}


/* rx handlers */

static int ieee80211_is_unicast_robust_mgmt_frame(struct sk_buff *skb)
{
        struct ieee80211_hdr *hdr = (struct ieee80211_hdr *) skb->data;

        if (is_multicast_ether_addr(hdr->addr1))
                return 0;

        return ieee80211_is_robust_mgmt_frame(skb);
}


static int ieee80211_is_multicast_robust_mgmt_frame(struct sk_buff *skb)
{
        struct ieee80211_hdr *hdr = (struct ieee80211_hdr *) skb->data;

        if (!is_multicast_ether_addr(hdr->addr1))
                return 0;

        return ieee80211_is_robust_mgmt_frame(skb);
}


/* Get the BIP key index from MMIE; return -1 if this is not a BIP frame */
static int ieee80211_get_mmie_keyidx(struct sk_buff *skb)
{
        struct ieee80211_mgmt *hdr = (struct ieee80211_mgmt *) skb->data;
        struct ieee80211_mmie *mmie;
        struct ieee80211_mmie_16 *mmie16;

        if (skb->len < 24 + sizeof(*mmie) || !is_multicast_ether_addr(hdr->da))
                return -1;

        if (!ieee80211_is_robust_mgmt_frame(skb) &&
            !ieee80211_is_beacon(hdr->frame_control))
                return -1; /* not a robust management frame */

        mmie = (struct ieee80211_mmie *)
                (skb->data + skb->len - sizeof(*mmie));
        if (mmie->element_id == WLAN_EID_MMIE &&
            mmie->length == sizeof(*mmie) - 2)
                return le16_to_cpu(mmie->key_id);

        mmie16 = (struct ieee80211_mmie_16 *)
                (skb->data + skb->len - sizeof(*mmie16));
        if (skb->len >= 24 + sizeof(*mmie16) &&
            mmie16->element_id == WLAN_EID_MMIE &&

            mmie16->length == sizeof(*mmie16) - 2)
                return le16_to_cpu(mmie16->key_id);

        return -1;
}

static int ieee80211_get_keyid(struct sk_buff *skb,
                               const struct ieee80211_cipher_scheme *cs)
{
        struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)skb->data;
        __le16 fc;
        int hdrlen;
        int minlen;
        u8 key_idx_off;
        u8 key_idx_shift;
        u8 keyid;

        fc = hdr->frame_control;
        hdrlen = ieee80211_hdrlen(fc);

        if (cs) {
                minlen = hdrlen + cs->hdr_len;
                key_idx_off = hdrlen + cs->key_idx_off;
                key_idx_shift = cs->key_idx_shift;
        } else {
                /* WEP, TKIP, CCMP and GCMP */
                minlen = hdrlen + IEEE80211_WEP_IV_LEN;
                key_idx_off = hdrlen + 3;
                key_idx_shift = 6;
        }

        if (unlikely(skb->len < minlen))
                return -EINVAL;

        skb_copy_bits(skb, key_idx_off, &keyid, 1);

        if (cs)
                keyid &= cs->key_idx_mask;
        keyid >>= key_idx_shift;

        /* cs could use more than the usual two bits for the keyid */
        if (unlikely(keyid >= NUM_DEFAULT_KEYS))
                return -EINVAL;

        return keyid;
}

static ieee80211_rx_result ieee80211_rx_mesh_check(struct ieee80211_rx_data *rx)
{
        struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)rx->skb->data;
        char *dev_addr = rx->sdata->vif.addr;

        if (ieee80211_is_data(hdr->frame_control)) {
                if (is_multicast_ether_addr(hdr->addr1)) {
                        if (ieee80211_has_tods(hdr->frame_control) ||
                            !ieee80211_has_fromds(hdr->frame_control))
                                return RX_DROP_MONITOR;
                        if (ether_addr_equal(hdr->addr3, dev_addr))
                                return RX_DROP_MONITOR;
                } else {
                        if (!ieee80211_has_a4(hdr->frame_control))
                                return RX_DROP_MONITOR;
                        if (ether_addr_equal(hdr->addr4, dev_addr))
                                return RX_DROP_MONITOR;
                }
        }

        /* If there is not an established peer link and this is not a peer link
         * establisment frame, beacon or probe, drop the frame.
         */

        if (!rx->sta || sta_plink_state(rx->sta) != NL80211_PLINK_ESTAB) {
                struct ieee80211_mgmt *mgmt;

                if (!ieee80211_is_mgmt(hdr->frame_control))
                        return RX_DROP_MONITOR;

                if (ieee80211_is_action(hdr->frame_control)) {
                        u8 category;

                        /* make sure category field is present */
                        if (rx->skb->len < IEEE80211_MIN_ACTION_SIZE)
                                return RX_DROP_MONITOR;

                        mgmt = (struct ieee80211_mgmt *)hdr;
                        category = mgmt->u.action.category;
                        if (category != WLAN_CATEGORY_MESH_ACTION &&
                            category != WLAN_CATEGORY_SELF_PROTECTED)
                                return RX_DROP_MONITOR;
                        return RX_CONTINUE;
                }

                if (ieee80211_is_probe_req(hdr->frame_control) ||
                    ieee80211_is_probe_resp(hdr->frame_control) ||
                    ieee80211_is_beacon(hdr->frame_control) ||
                    ieee80211_is_auth(hdr->frame_control))
                        return RX_CONTINUE;

                return RX_DROP_MONITOR;
        }

        return RX_CONTINUE;
}

static inline bool ieee80211_rx_reorder_ready(struct tid_ampdu_rx *tid_agg_rx,
                                              int index)
{
        struct sk_buff_head *frames = &tid_agg_rx->reorder_buf[index];
        struct sk_buff *tail = skb_peek_tail(frames);
        struct ieee80211_rx_status *status;

        if (tid_agg_rx->reorder_buf_filtered & BIT_ULL(index))
                return true;

        if (!tail)
                return false;

        status = IEEE80211_SKB_RXCB(tail);
        if (status->flag & RX_FLAG_AMSDU_MORE)
                return false;

        return true;
}

static void ieee80211_release_reorder_frame(struct ieee80211_sub_if_data *sdata,
                                            struct tid_ampdu_rx *tid_agg_rx,
                                            int index,
                                            struct sk_buff_head *frames)
{
        struct sk_buff_head *skb_list = &tid_agg_rx->reorder_buf[index];
        struct sk_buff *skb;
        struct ieee80211_rx_status *status;

        lockdep_assert_held(&tid_agg_rx->reorder_lock);

        if (skb_queue_empty(skb_list))
                goto no_frame;

        if (!ieee80211_rx_reorder_ready(tid_agg_rx, index)) {
                __skb_queue_purge(skb_list);
                goto no_frame;
        }

        /* release frames from the reorder ring buffer */
        tid_agg_rx->stored_mpdu_num--;
        while ((skb = __skb_dequeue(skb_list))) {
                status = IEEE80211_SKB_RXCB(skb);
                status->rx_flags |= IEEE80211_RX_DEFERRED_RELEASE;
                __skb_queue_tail(frames, skb);
        }

no_frame:
        tid_agg_rx->reorder_buf_filtered &= ~BIT_ULL(index);
        tid_agg_rx->head_seq_num = ieee80211_sn_inc(tid_agg_rx->head_seq_num);
}

static void ieee80211_release_reorder_frames(struct ieee80211_sub_if_data *sdata,
                                             struct tid_ampdu_rx *tid_agg_rx,
                                             u16 head_seq_num,
                                             struct sk_buff_head *frames)
{
        int index;

        lockdep_assert_held(&tid_agg_rx->reorder_lock);

        while (ieee80211_sn_less(tid_agg_rx->head_seq_num, head_seq_num)) {
                index = tid_agg_rx->head_seq_num % tid_agg_rx->buf_size;
                ieee80211_release_reorder_frame(sdata, tid_agg_rx, index,
                                                frames);
        }
}

/*
 * Timeout (in jiffies) for skb's that are waiting in the RX reorder buffer. If
 * the skb was added to the buffer longer than this time ago, the earlier
 * frames that have not yet been received are assumed to be lost and the skb
 * can be released for processing. This may also release other skb's from the
 * reorder buffer if there are no additional gaps between the frames.
 *
 * Callers must hold tid_agg_rx->reorder_lock.
 */
#define HT_RX_REORDER_BUF_TIMEOUT (HZ / 10)

static void ieee80211_sta_reorder_release(struct ieee80211_sub_if_data *sdata,
                                          struct tid_ampdu_rx *tid_agg_rx,
                                          struct sk_buff_head *frames)
{
        int index, i, j;

        lockdep_assert_held(&tid_agg_rx->reorder_lock);

        /* release the buffer until next missing frame */
        index = tid_agg_rx->head_seq_num % tid_agg_rx->buf_size;
        if (!ieee80211_rx_reorder_ready(tid_agg_rx, index) &&
            tid_agg_rx->stored_mpdu_num) {
                /*
                 * No buffers ready to be released, but check whether any
                 * frames in the reorder buffer have timed out.
                 */
                int skipped = 1;
                for (j = (index + 1) % tid_agg_rx->buf_size; j != index;
                     j = (j + 1) % tid_agg_rx->buf_size) {
                        if (!ieee80211_rx_reorder_ready(tid_agg_rx, j)) {
                                skipped++;
                                continue;
                        }
                        if (skipped &&
                            !time_after(jiffies, tid_agg_rx->reorder_time[j] +
                                        HT_RX_REORDER_BUF_TIMEOUT))
                                goto set_release_timer;

                        /* don't leave incomplete A-MSDUs around */
                        for (i = (index + 1) % tid_agg_rx->buf_size; i != j;
                             i = (i + 1) % tid_agg_rx->buf_size)
                                __skb_queue_purge(&tid_agg_rx->reorder_buf[i]);

                        ht_dbg_ratelimited(sdata,
                                           "release an RX reorder frame due to timeout on earlier frames\n");
                        ieee80211_release_reorder_frame(sdata, tid_agg_rx, j,
                                                        frames);

                        /*
                         * Increment the head seq# also for the skipped slots.
                         */
                        tid_agg_rx->head_seq_num =
                                (tid_agg_rx->head_seq_num +
                                 skipped) & IEEE80211_SN_MASK;
                        skipped = 0;
                }
        } else while (ieee80211_rx_reorder_ready(tid_agg_rx, index)) {
                ieee80211_release_reorder_frame(sdata, tid_agg_rx, index,
                                                frames);
                index = tid_agg_rx->head_seq_num % tid_agg_rx->buf_size;
        }

        if (tid_agg_rx->stored_mpdu_num) {
                j = index = tid_agg_rx->head_seq_num % tid_agg_rx->buf_size;

                for (; j != (index - 1) % tid_agg_rx->buf_size;
                     j = (j + 1) % tid_agg_rx->buf_size) {
                        if (ieee80211_rx_reorder_ready(tid_agg_rx, j))
                                break;
                }

 set_release_timer:

                if (!tid_agg_rx->removed)
                        mod_timer(&tid_agg_rx->reorder_timer,
                                  tid_agg_rx->reorder_time[j] + 1 +
                                  HT_RX_REORDER_BUF_TIMEOUT);
        } else {
                del_timer(&tid_agg_rx->reorder_timer);
        }
}

/*
 * As this function belongs to the RX path it must be under
 * rcu_read_lock protection. It returns false if the frame
 * can be processed immediately, true if it was consumed.
 */
static bool ieee80211_sta_manage_reorder_buf(struct ieee80211_sub_if_data *sdata,
                                             struct tid_ampdu_rx *tid_agg_rx,
                                             struct sk_buff *skb,
                                             struct sk_buff_head *frames)
{
        struct ieee80211_hdr *hdr = (struct ieee80211_hdr *) skb->data;
        struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(skb);
        u16 sc = le16_to_cpu(hdr->seq_ctrl);
        u16 mpdu_seq_num = (sc & IEEE80211_SCTL_SEQ) >> 4;
        u16 head_seq_num, buf_size;
        int index;
        bool ret = true;

        spin_lock(&tid_agg_rx->reorder_lock);

        /*
         * Offloaded BA sessions have no known starting sequence number so pick
         * one from first Rxed frame for this tid after BA was started.
         */
        if (unlikely(tid_agg_rx->auto_seq)) {
                tid_agg_rx->auto_seq = false;
                tid_agg_rx->ssn = mpdu_seq_num;
                tid_agg_rx->head_seq_num = mpdu_seq_num;
        }

        buf_size = tid_agg_rx->buf_size;
        head_seq_num = tid_agg_rx->head_seq_num;

        /*
         * If the current MPDU's SN is smaller than the SSN, it shouldn't
         * be reordered.
         */
        if (unlikely(!tid_agg_rx->started)) {
                if (ieee80211_sn_less(mpdu_seq_num, head_seq_num)) {
                        ret = false;
                        goto out;
                }
                tid_agg_rx->started = true;
        }

        /* frame with out of date sequence number */
        if (ieee80211_sn_less(mpdu_seq_num, head_seq_num)) {
                dev_kfree_skb(skb);
                goto out;
        }

        /*
         * If frame the sequence number exceeds our buffering window
         * size release some previous frames to make room for this one.
         */
        if (!ieee80211_sn_less(mpdu_seq_num, head_seq_num + buf_size)) {
                head_seq_num = ieee80211_sn_inc(
                                ieee80211_sn_sub(mpdu_seq_num, buf_size));
                /* release stored frames up to new head to stack */
                ieee80211_release_reorder_frames(sdata, tid_agg_rx,
                                                 head_seq_num, frames);
        }

        /* Now the new frame is always in the range of the reordering buffer */

        index = mpdu_seq_num % tid_agg_rx->buf_size;

        /* check if we already stored this frame */
        if (ieee80211_rx_reorder_ready(tid_agg_rx, index)) {
                dev_kfree_skb(skb);
                goto out;
        }

        /*
         * If the current MPDU is in the right order and nothing else
         * is stored we can process it directly, no need to buffer it.
         * If it is first but there's something stored, we may be able
         * to release frames after this one.
         */
        if (mpdu_seq_num == tid_agg_rx->head_seq_num &&
            tid_agg_rx->stored_mpdu_num == 0) {
                if (!(status->flag & RX_FLAG_AMSDU_MORE))
                        tid_agg_rx->head_seq_num =
                                ieee80211_sn_inc(tid_agg_rx->head_seq_num);
                ret = false;
                goto out;
        }

        /* put the frame in the reordering buffer */
        __skb_queue_tail(&tid_agg_rx->reorder_buf[index], skb);
        if (!(status->flag & RX_FLAG_AMSDU_MORE)) {
                tid_agg_rx->reorder_time[index] = jiffies;
                tid_agg_rx->stored_mpdu_num++;
                ieee80211_sta_reorder_release(sdata, tid_agg_rx, frames);
        }

 out:
        spin_unlock(&tid_agg_rx->reorder_lock);
        return ret;
}

/*
 * Reorder MPDUs from A-MPDUs, keeping them on a buffer. Returns
 * true if the MPDU was buffered, false if it should be processed.
 */
static void ieee80211_rx_reorder_ampdu(struct ieee80211_rx_data *rx,
                                       struct sk_buff_head *frames)
{
        struct sk_buff *skb = rx->skb;
        struct ieee80211_hdr *hdr = (struct ieee80211_hdr *) skb->data;
        struct sta_info *sta = rx->sta;
        struct tid_ampdu_rx *tid_agg_rx;
        u16 sc;
        u8 tid, ack_policy;

        if (!ieee80211_is_data_qos(hdr->frame_control) ||
            is_multicast_ether_addr(hdr->addr1))
                goto dont_reorder;

        /*
         * filter the QoS data rx stream according to
         * STA/TID and check if this STA/TID is on aggregation
         */

        if (!sta)
                goto dont_reorder;

        ack_policy = *ieee80211_get_qos_ctl(hdr) &
                     IEEE80211_QOS_CTL_ACK_POLICY_MASK;
        tid = ieee80211_get_tid(hdr);

        tid_agg_rx = rcu_dereference(sta->ampdu_mlme.tid_rx[tid]);
        if (!tid_agg_rx) {
                if (ack_policy == IEEE80211_QOS_CTL_ACK_POLICY_BLOCKACK &&
                    !test_bit(tid, rx->sta->ampdu_mlme.agg_session_valid) &&
                    !test_and_set_bit(tid, rx->sta->ampdu_mlme.unexpected_agg))
                        ieee80211_send_delba(rx->sdata, rx->sta->sta.addr, tid,
                                             WLAN_BACK_RECIPIENT,
                                             WLAN_REASON_QSTA_REQUIRE_SETUP);
                goto dont_reorder;
        }

        /* qos null data frames are excluded */
        if (unlikely(hdr->frame_control & cpu_to_le16(IEEE80211_STYPE_NULLFUNC)))
                goto dont_reorder;

        /* not part of a BA session */
        if (ack_policy != IEEE80211_QOS_CTL_ACK_POLICY_BLOCKACK &&
            ack_policy != IEEE80211_QOS_CTL_ACK_POLICY_NORMAL)
                goto dont_reorder;

        /* new, potentially un-ordered, ampdu frame - process it */

        /* reset session timer */
        if (tid_agg_rx->timeout)
                tid_agg_rx->last_rx = jiffies;

        /* if this mpdu is fragmented - terminate rx aggregation session */
        sc = le16_to_cpu(hdr->seq_ctrl);
        if (sc & IEEE80211_SCTL_FRAG) {
                ieee80211_queue_skb_to_iface(rx->sdata, NULL, skb);
                return;
        }

        /*
         * No locking needed -- we will only ever process one
         * RX packet at a time, and thus own tid_agg_rx. All
         * other code manipulating it needs to (and does) make
         * sure that we cannot get to it any more before doing
         * anything with it.
         */
        if (ieee80211_sta_manage_reorder_buf(rx->sdata, tid_agg_rx, skb,
                                             frames))
                return;

 dont_reorder:
        __skb_queue_tail(frames, skb);
}

static ieee80211_rx_result debug_noinline
ieee80211_rx_h_check_dup(struct ieee80211_rx_data *rx)
{
        struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)rx->skb->data;
        struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(rx->skb);

        if (status->flag & RX_FLAG_DUP_VALIDATED)
                return RX_CONTINUE;

        /*
         * Drop duplicate 802.11 retransmissions
         * (IEEE 802.11-2012: 9.3.2.10 "Duplicate detection and recovery")
         */

        if (rx->skb->len < 24)
                return RX_CONTINUE;

        if (ieee80211_is_ctl(hdr->frame_control) ||
            ieee80211_is_any_nullfunc(hdr->frame_control) ||
            is_multicast_ether_addr(hdr->addr1))
                return RX_CONTINUE;

        if (!rx->sta)
                return RX_CONTINUE;

        if (unlikely(ieee80211_has_retry(hdr->frame_control) &&
                     rx->sta->last_seq_ctrl[rx->seqno_idx] == hdr->seq_ctrl)) {
                I802_DEBUG_INC(rx->local->dot11FrameDuplicateCount);
                rx->sta->rx_stats.num_duplicates++;
                return RX_DROP_UNUSABLE;
        } else if (!(status->flag & RX_FLAG_AMSDU_MORE)) {
                rx->sta->last_seq_ctrl[rx->seqno_idx] = hdr->seq_ctrl;
        }

        return RX_CONTINUE;
}

static ieee80211_rx_result debug_noinline
ieee80211_rx_h_check(struct ieee80211_rx_data *rx)
{
        struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)rx->skb->data;

        /* Drop disallowed frame classes based on STA auth/assoc state;
         * IEEE 802.11, Chap 5.5.
         *
         * mac80211 filters only based on association state, i.e. it drops
         * Class 3 frames from not associated stations. hostapd sends
         * deauth/disassoc frames when needed. In addition, hostapd is
         * responsible for filtering on both auth and assoc states.
         */

        if (ieee80211_vif_is_mesh(&rx->sdata->vif))
                return ieee80211_rx_mesh_check(rx);

        if (unlikely((ieee80211_is_data(hdr->frame_control) ||
                      ieee80211_is_pspoll(hdr->frame_control)) &&
                     rx->sdata->vif.type != NL80211_IFTYPE_ADHOC &&
                     rx->sdata->vif.type != NL80211_IFTYPE_OCB &&
                     (!rx->sta || !test_sta_flag(rx->sta, WLAN_STA_ASSOC)))) {
                /*
                 * accept port control frames from the AP even when it's not
                 * yet marked ASSOC to prevent a race where we don't set the
                 * assoc bit quickly enough before it sends the first frame
                 */
                if (rx->sta && rx->sdata->vif.type == NL80211_IFTYPE_STATION &&
                    ieee80211_is_data_present(hdr->frame_control)) {
                        unsigned int hdrlen;
                        __be16 ethertype;

                        hdrlen = ieee80211_hdrlen(hdr->frame_control);

                        if (rx->skb->len < hdrlen + 8)
                                return RX_DROP_MONITOR;

                        skb_copy_bits(rx->skb, hdrlen + 6, &ethertype, 2);
                        if (ethertype == rx->sdata->control_port_protocol)
                                return RX_CONTINUE;
                }

                if (rx->sdata->vif.type == NL80211_IFTYPE_AP &&
                    cfg80211_rx_spurious_frame(rx->sdata->dev,
                                               hdr->addr2,
                                               GFP_ATOMIC))
                        return RX_DROP_UNUSABLE;

                return RX_DROP_MONITOR;
        }

        return RX_CONTINUE;
}


static ieee80211_rx_result debug_noinline
ieee80211_rx_h_check_more_data(struct ieee80211_rx_data *rx)
{
        struct ieee80211_local *local;
        struct ieee80211_hdr *hdr;
        struct sk_buff *skb;

        local = rx->local;
        skb = rx->skb;
        hdr = (struct ieee80211_hdr *) skb->data;

        if (!local->pspolling)
                return RX_CONTINUE;

        if (!ieee80211_has_fromds(hdr->frame_control))
                /* this is not from AP */
                return RX_CONTINUE;

        if (!ieee80211_is_data(hdr->frame_control))
                return RX_CONTINUE;

        if (!ieee80211_has_moredata(hdr->frame_control)) {
                /* AP has no more frames buffered for us */
                local->pspolling = false;
                return RX_CONTINUE;
        }

        /* more data bit is set, let's request a new frame from the AP */
        ieee80211_send_pspoll(local, rx->sdata);

        return RX_CONTINUE;
}

static void sta_ps_start(struct sta_info *sta)
{
        struct ieee80211_sub_if_data *sdata = sta->sdata;
        struct ieee80211_local *local = sdata->local;
        struct ps_data *ps;
        int tid;

        if (sta->sdata->vif.type == NL80211_IFTYPE_AP ||
            sta->sdata->vif.type == NL80211_IFTYPE_AP_VLAN)
                ps = &sdata->bss->ps;
        else
                return;

        atomic_inc(&ps->num_sta_ps);
        set_sta_flag(sta, WLAN_STA_PS_STA);
        if (!ieee80211_hw_check(&local->hw, AP_LINK_PS))
                drv_sta_notify(local, sdata, STA_NOTIFY_SLEEP, &sta->sta);
        ps_dbg(sdata, "STA %pM aid %d enters power save mode\n",
               sta->sta.addr, sta->sta.aid);

        ieee80211_clear_fast_xmit(sta);

        if (!sta->sta.txq[0])
                return;

        for (tid = 0; tid < IEEE80211_NUM_TIDS; tid++) {
                struct ieee80211_txq *txq = sta->sta.txq[tid];

                ieee80211_unschedule_txq(&local->hw, txq, false);

                if (txq_has_queue(txq))
                        set_bit(tid, &sta->txq_buffered_tids);
                else
                        clear_bit(tid, &sta->txq_buffered_tids);
        }
}

static void sta_ps_end(struct sta_info *sta)
{
        ps_dbg(sta->sdata, "STA %pM aid %d exits power save mode\n",
               sta->sta.addr, sta->sta.aid);

        if (test_sta_flag(sta, WLAN_STA_PS_DRIVER)) {
                /*
                 * Clear the flag only if the other one is still set
                 * so that the TX path won't start TX'ing new frames
                 * directly ... In the case that the driver flag isn't
                 * set ieee80211_sta_ps_deliver_wakeup() will clear it.
                 */
                clear_sta_flag(sta, WLAN_STA_PS_STA);
                ps_dbg(sta->sdata, "STA %pM aid %d driver-ps-blocked\n",
                       sta->sta.addr, sta->sta.aid);
                return;
        }

        set_sta_flag(sta, WLAN_STA_PS_DELIVER);
        clear_sta_flag(sta, WLAN_STA_PS_STA);
        ieee80211_sta_ps_deliver_wakeup(sta);
}

int ieee80211_sta_ps_transition(struct ieee80211_sta *pubsta, bool start)
{
        struct sta_info *sta = container_of(pubsta, struct sta_info, sta);
        bool in_ps;

        WARN_ON(!ieee80211_hw_check(&sta->local->hw, AP_LINK_PS));

        /* Don't let the same PS state be set twice */
        in_ps = test_sta_flag(sta, WLAN_STA_PS_STA);
        if ((start && in_ps) || (!start && !in_ps))
                return -EINVAL;

        if (start)
                sta_ps_start(sta);
        else
                sta_ps_end(sta);

        return 0;
}
EXPORT_SYMBOL(ieee80211_sta_ps_transition);

void ieee80211_sta_pspoll(struct ieee80211_sta *pubsta)
{
        struct sta_info *sta = container_of(pubsta, struct sta_info, sta);

        if (test_sta_flag(sta, WLAN_STA_SP))
                return;

        if (!test_sta_flag(sta, WLAN_STA_PS_DRIVER))
                ieee80211_sta_ps_deliver_poll_response(sta);
        else
                set_sta_flag(sta, WLAN_STA_PSPOLL);
}
EXPORT_SYMBOL(ieee80211_sta_pspoll);

void ieee80211_sta_uapsd_trigger(struct ieee80211_sta *pubsta, u8 tid)
{
        struct sta_info *sta = container_of(pubsta, struct sta_info, sta);
        int ac = ieee80211_ac_from_tid(tid);

        /*
         * If this AC is not trigger-enabled do nothing unless the
         * driver is calling us after it already checked.
         *
         * NB: This could/should check a separate bitmap of trigger-
         * enabled queues, but for now we only implement uAPSD w/o
         * TSPEC changes to the ACs, so they're always the same.
         */
        if (!(sta->sta.uapsd_queues & ieee80211_ac_to_qos_mask[ac]) &&
            tid != IEEE80211_NUM_TIDS)
                return;

        /* if we are in a service period, do nothing */
        if (test_sta_flag(sta, WLAN_STA_SP))
                return;

        if (!test_sta_flag(sta, WLAN_STA_PS_DRIVER))
                ieee80211_sta_ps_deliver_uapsd(sta);
        else
                set_sta_flag(sta, WLAN_STA_UAPSD);
}
EXPORT_SYMBOL(ieee80211_sta_uapsd_trigger);

static ieee80211_rx_result debug_noinline
ieee80211_rx_h_uapsd_and_pspoll(struct ieee80211_rx_data *rx)
{
        struct ieee80211_sub_if_data *sdata = rx->sdata;
        struct ieee80211_hdr *hdr = (void *)rx->skb->data;
        struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(rx->skb);

        if (!rx->sta)
                return RX_CONTINUE;

        if (sdata->vif.type != NL80211_IFTYPE_AP &&
            sdata->vif.type != NL80211_IFTYPE_AP_VLAN)
                return RX_CONTINUE;

        /*
         * The device handles station powersave, so don't do anything about
         * uAPSD and PS-Poll frames (the latter shouldn't even come up from
         * it to mac80211 since they're handled.)
         */
        if (ieee80211_hw_check(&sdata->local->hw, AP_LINK_PS))
                return RX_CONTINUE;

        /*
         * Don't do anything if the station isn't already asleep. In
         * the uAPSD case, the station will probably be marked asleep,
         * in the PS-Poll case the station must be confused ...
         */
        if (!test_sta_flag(rx->sta, WLAN_STA_PS_STA))
                return RX_CONTINUE;

        if (unlikely(ieee80211_is_pspoll(hdr->frame_control))) {
                ieee80211_sta_pspoll(&rx->sta->sta);

                /* Free PS Poll skb here instead of returning RX_DROP that would
                 * count as an dropped frame. */
                dev_kfree_skb(rx->skb);

                return RX_QUEUED;
        } else if (!ieee80211_has_morefrags(hdr->frame_control) &&
                   !(status->rx_flags & IEEE80211_RX_DEFERRED_RELEASE) &&
                   ieee80211_has_pm(hdr->frame_control) &&
                   (ieee80211_is_data_qos(hdr->frame_control) ||
                    ieee80211_is_qos_nullfunc(hdr->frame_control))) {
                u8 tid = ieee80211_get_tid(hdr);

                ieee80211_sta_uapsd_trigger(&rx->sta->sta, tid);
        }

        return RX_CONTINUE;
}

static ieee80211_rx_result debug_noinline
ieee80211_rx_h_sta_process(struct ieee80211_rx_data *rx)
{
        struct sta_info *sta = rx->sta;
        struct sk_buff *skb = rx->skb;
        struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(skb);
        struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)skb->data;
        int i;

        if (!sta)
                return RX_CONTINUE;

        /*
         * Update last_rx only for IBSS packets which are for the current
         * BSSID and for station already AUTHORIZED to avoid keeping the
         * current IBSS network alive in cases where other STAs start
         * using different BSSID. This will also give the station another
         * chance to restart the authentication/authorization in case
         * something went wrong the first time.
         */
        if (rx->sdata->vif.type == NL80211_IFTYPE_ADHOC) {
                u8 *bssid = ieee80211_get_bssid(hdr, rx->skb->len,
                                                NL80211_IFTYPE_ADHOC);
                if (ether_addr_equal(bssid, rx->sdata->u.ibss.bssid) &&
                    test_sta_flag(sta, WLAN_STA_AUTHORIZED)) {
                        sta->rx_stats.last_rx = jiffies;
                        if (ieee80211_is_data(hdr->frame_control) &&
                            !is_multicast_ether_addr(hdr->addr1))
                                sta->rx_stats.last_rate =
                                        sta_stats_encode_rate(status);
                }
        } else if (rx->sdata->vif.type == NL80211_IFTYPE_OCB) {
                sta->rx_stats.last_rx = jiffies;
        } else if (!ieee80211_is_s1g_beacon(hdr->frame_control) &&
                   !is_multicast_ether_addr(hdr->addr1)) {
                /*
                 * Mesh beacons will update last_rx when if they are found to
                 * match the current local configuration when processed.
                 */
                sta->rx_stats.last_rx = jiffies;
                if (ieee80211_is_data(hdr->frame_control))
                        sta->rx_stats.last_rate = sta_stats_encode_rate(status);
        }

        sta->rx_stats.fragments++;

        u64_stats_update_begin(&rx->sta->rx_stats.syncp);
        sta->rx_stats.bytes += rx->skb->len;
        u64_stats_update_end(&rx->sta->rx_stats.syncp);

        if (!(status->flag & RX_FLAG_NO_SIGNAL_VAL)) {
                sta->rx_stats.last_signal = status->signal;
                ewma_signal_add(&sta->rx_stats_avg.signal, -status->signal);
        }

        if (status->chains) {
                sta->rx_stats.chains = status->chains;
                for (i = 0; i < ARRAY_SIZE(status->chain_signal); i++) {
                        int signal = status->chain_signal[i];

                        if (!(status->chains & BIT(i)))
                                continue;

                        sta->rx_stats.chain_signal_last[i] = signal;
                        ewma_signal_add(&sta->rx_stats_avg.chain_signal[i],
                                        -signal);
                }
        }

        if (ieee80211_is_s1g_beacon(hdr->frame_control))
                return RX_CONTINUE;

        /*
         * Change STA power saving mode only at the end of a frame
         * exchange sequence, and only for a data or management
         * frame as specified in IEEE 802.11-2016 11.2.3.2
         */
        if (!ieee80211_hw_check(&sta->local->hw, AP_LINK_PS) &&
            !ieee80211_has_morefrags(hdr->frame_control) &&
            !is_multicast_ether_addr(hdr->addr1) &&
            (ieee80211_is_mgmt(hdr->frame_control) ||
             ieee80211_is_data(hdr->frame_control)) &&
            !(status->rx_flags & IEEE80211_RX_DEFERRED_RELEASE) &&
            (rx->sdata->vif.type == NL80211_IFTYPE_AP ||
             rx->sdata->vif.type == NL80211_IFTYPE_AP_VLAN)) {
                if (test_sta_flag(sta, WLAN_STA_PS_STA)) {
                        if (!ieee80211_has_pm(hdr->frame_control))
                                sta_ps_end(sta);
                } else {
                        if (ieee80211_has_pm(hdr->frame_control))
                                sta_ps_start(sta);
                }
        }

        /* mesh power save support */
        if (ieee80211_vif_is_mesh(&rx->sdata->vif))
                ieee80211_mps_rx_h_sta_process(sta, hdr);

        /*
         * Drop (qos-)data::nullfunc frames silently, since they
         * are used only to control station power saving mode.
         */
        if (ieee80211_is_any_nullfunc(hdr->frame_control)) {
                I802_DEBUG_INC(rx->local->rx_handlers_drop_nullfunc);

                /*
                 * If we receive a 4-addr nullfunc frame from a STA
                 * that was not moved to a 4-addr STA vlan yet send
                 * the event to userspace and for older hostapd drop
                 * the frame to the monitor interface.
                 */
                if (ieee80211_has_a4(hdr->frame_control) &&
                    (rx->sdata->vif.type == NL80211_IFTYPE_AP ||
                     (rx->sdata->vif.type == NL80211_IFTYPE_AP_VLAN &&
                      !rx->sdata->u.vlan.sta))) {
                        if (!test_and_set_sta_flag(sta, WLAN_STA_4ADDR_EVENT))
                                cfg80211_rx_unexpected_4addr_frame(
                                        rx->sdata->dev, sta->sta.addr,
                                        GFP_ATOMIC);
                        return RX_DROP_MONITOR;
                }
                /*
                 * Update counter and free packet here to avoid
                 * counting this as a dropped packed.
                 */
                sta->rx_stats.packets++;
                dev_kfree_skb(rx->skb);
                return RX_QUEUED;
        }

        return RX_CONTINUE;
} /* ieee80211_rx_h_sta_process */

static struct ieee80211_key *
ieee80211_rx_get_bigtk(struct ieee80211_rx_data *rx, int idx)
{
        struct ieee80211_key *key = NULL;
        struct ieee80211_sub_if_data *sdata = rx->sdata;
        int idx2;

        /* Make sure key gets set if either BIGTK key index is set so that
         * ieee80211_drop_unencrypted_mgmt() can properly drop both unprotected
         * Beacon frames and Beacon frames that claim to use another BIGTK key
         * index (i.e., a key that we do not have).
         */

        if (idx < 0) {
                idx = NUM_DEFAULT_KEYS + NUM_DEFAULT_MGMT_KEYS;
                idx2 = idx + 1;
        } else {
                if (idx == NUM_DEFAULT_KEYS + NUM_DEFAULT_MGMT_KEYS)
                        idx2 = idx + 1;
                else
                        idx2 = idx - 1;
        }

        if (rx->sta)
                key = rcu_dereference(rx->sta->gtk[idx]);
        if (!key)
                key = rcu_dereference(sdata->keys[idx]);
        if (!key && rx->sta)
                key = rcu_dereference(rx->sta->gtk[idx2]);
        if (!key)
                key = rcu_dereference(sdata->keys[idx2]);

        return key;
}

static ieee80211_rx_result debug_noinline
ieee80211_rx_h_decrypt(struct ieee80211_rx_data *rx)
{
        struct sk_buff *skb = rx->skb;
        struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(skb);
        struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)skb->data;
        int keyidx;
        ieee80211_rx_result result = RX_DROP_UNUSABLE;
        struct ieee80211_key *sta_ptk = NULL;
        struct ieee80211_key *ptk_idx = NULL;
        int mmie_keyidx = -1;
        __le16 fc;
        const struct ieee80211_cipher_scheme *cs = NULL;

        if (ieee80211_is_ext(hdr->frame_control))
                return RX_CONTINUE;

        /*
         * Key selection 101
         *
         * There are five types of keys:
         *  - GTK (group keys)
         *  - IGTK (group keys for management frames)
         *  - BIGTK (group keys for Beacon frames)
         *  - PTK (pairwise keys)
         *  - STK (station-to-station pairwise keys)
         *
         * When selecting a key, we have to distinguish between multicast
         * (including broadcast) and unicast frames, the latter can only
         * use PTKs and STKs while the former always use GTKs, IGTKs, and
         * BIGTKs. Unless, of course, actual WEP keys ("pre-RSNA") are used,
         * then unicast frames can also use key indices like GTKs. Hence, if we
         * don't have a PTK/STK we check the key index for a WEP key.
         *
         * Note that in a regular BSS, multicast frames are sent by the
         * AP only, associated stations unicast the frame to the AP first
         * which then multicasts it on their behalf.
         *
         * There is also a slight problem in IBSS mode: GTKs are negotiated
         * with each station, that is something we don't currently handle.
         * The spec seems to expect that one negotiates the same key with
         * every station but there's no such requirement; VLANs could be
         * possible.
         */

        /* start without a key */
        rx->key = NULL;
        fc = hdr->frame_control;

        if (rx->sta) {
                int keyid = rx->sta->ptk_idx;
                sta_ptk = rcu_dereference(rx->sta->ptk[keyid]);

                if (ieee80211_has_protected(fc)) {
                        cs = rx->sta->cipher_scheme;
                        keyid = ieee80211_get_keyid(rx->skb, cs);

                        if (unlikely(keyid < 0))
                                return RX_DROP_UNUSABLE;

                        ptk_idx = rcu_dereference(rx->sta->ptk[keyid]);
                }
        }

        if (!ieee80211_has_protected(fc))
                mmie_keyidx = ieee80211_get_mmie_keyidx(rx->skb);

        if (!is_multicast_ether_addr(hdr->addr1) && sta_ptk) {
                rx->key = ptk_idx ? ptk_idx : sta_ptk;
                if ((status->flag & RX_FLAG_DECRYPTED) &&
                    (status->flag & RX_FLAG_IV_STRIPPED))
                        return RX_CONTINUE;
                /* Skip decryption if the frame is not protected. */
                if (!ieee80211_has_protected(fc))
                        return RX_CONTINUE;
        } else if (mmie_keyidx >= 0 && ieee80211_is_beacon(fc)) {
                /* Broadcast/multicast robust management frame / BIP */
                if ((status->flag & RX_FLAG_DECRYPTED) &&
                    (status->flag & RX_FLAG_IV_STRIPPED))
                        return RX_CONTINUE;

                if (mmie_keyidx < NUM_DEFAULT_KEYS + NUM_DEFAULT_MGMT_KEYS ||
                    mmie_keyidx >= NUM_DEFAULT_KEYS + NUM_DEFAULT_MGMT_KEYS +
                    NUM_DEFAULT_BEACON_KEYS) {
                        cfg80211_rx_unprot_mlme_mgmt(rx->sdata->dev,
                                                     skb->data,
                                                     skb->len);
                        return RX_DROP_MONITOR; /* unexpected BIP keyidx */
                }

                rx->key = ieee80211_rx_get_bigtk(rx, mmie_keyidx);
                if (!rx->key)
                        return RX_CONTINUE; /* Beacon protection not in use */
        } else if (mmie_keyidx >= 0) {
                /* Broadcast/multicast robust management frame / BIP */
                if ((status->flag & RX_FLAG_DECRYPTED) &&
                    (status->flag & RX_FLAG_IV_STRIPPED))
                        return RX_CONTINUE;

                if (mmie_keyidx < NUM_DEFAULT_KEYS ||
                    mmie_keyidx >= NUM_DEFAULT_KEYS + NUM_DEFAULT_MGMT_KEYS)
                        return RX_DROP_MONITOR; /* unexpected BIP keyidx */
                if (rx->sta) {
                        if (ieee80211_is_group_privacy_action(skb) &&
                            test_sta_flag(rx->sta, WLAN_STA_MFP))
                                return RX_DROP_MONITOR;

                        rx->key = rcu_dereference(rx->sta->gtk[mmie_keyidx]);
                }
                if (!rx->key)
                        rx->key = rcu_dereference(rx->sdata->keys[mmie_keyidx]);
        } else if (!ieee80211_has_protected(fc)) {
                /*
                 * The frame was not protected, so skip decryption. However, we
                 * need to set rx->key if there is a key that could have been
                 * used so that the frame may be dropped if encryption would
                 * have been expected.
                 */
                struct ieee80211_key *key = NULL;
                struct ieee80211_sub_if_data *sdata = rx->sdata;
                int i;

                if (ieee80211_is_beacon(fc)) {
                        key = ieee80211_rx_get_bigtk(rx, -1);
                } else if (ieee80211_is_mgmt(fc) &&
                           is_multicast_ether_addr(hdr->addr1)) {
                        key = rcu_dereference(rx->sdata->default_mgmt_key);
                } else {
                        if (rx->sta) {
                                for (i = 0; i < NUM_DEFAULT_KEYS; i++) {
                                        key = rcu_dereference(rx->sta->gtk[i]);
                                        if (key)
                                                break;
                                }
                        }
                        if (!key) {
                                for (i = 0; i < NUM_DEFAULT_KEYS; i++) {
                                        key = rcu_dereference(sdata->keys[i]);
                                        if (key)
                                                break;
                                }
                        }
                }
                if (key)
                        rx->key = key;
                return RX_CONTINUE;
        } else {
                /*
                 * The device doesn't give us the IV so we won't be
                 * able to look up the key. That's ok though, we
                 * don't need to decrypt the frame, we just won't
                 * be able to keep statistics accurate.
                 * Except for key threshold notifications, should
                 * we somehow allow the driver to tell us which key
                 * the hardware used if this flag is set?
                 */
                if ((status->flag & RX_FLAG_DECRYPTED) &&
                    (status->flag & RX_FLAG_IV_STRIPPED))
                        return RX_CONTINUE;

                keyidx = ieee80211_get_keyid(rx->skb, cs);

                if (unlikely(keyidx < 0))
                        return RX_DROP_UNUSABLE;

                /* check per-station GTK first, if multicast packet */
                if (is_multicast_ether_addr(hdr->addr1) && rx->sta)
                        rx->key = rcu_dereference(rx->sta->gtk[keyidx]);

                /* if not found, try default key */
                if (!rx->key) {
                        rx->key = rcu_dereference(rx->sdata->keys[keyidx]);

                        /*
                         * RSNA-protected unicast frames should always be
                         * sent with pairwise or station-to-station keys,
                         * but for WEP we allow using a key index as well.
                         */
                        if (rx->key &&
                            rx->key->conf.cipher != WLAN_CIPHER_SUITE_WEP40 &&
                            rx->key->conf.cipher != WLAN_CIPHER_SUITE_WEP104 &&
                            !is_multicast_ether_addr(hdr->addr1))
                                rx->key = NULL;
                }
        }

        if (rx->key) {
                if (unlikely(rx->key->flags & KEY_FLAG_TAINTED))
                        return RX_DROP_MONITOR;

                /* TODO: add threshold stuff again */
        } else {
                return RX_DROP_MONITOR;
        }

        switch (rx->key->conf.cipher) {
        case WLAN_CIPHER_SUITE_WEP40:
        case WLAN_CIPHER_SUITE_WEP104:
                result = ieee80211_crypto_wep_decrypt(rx);
                break;
        case WLAN_CIPHER_SUITE_TKIP:
                result = ieee80211_crypto_tkip_decrypt(rx);
                break;
        case WLAN_CIPHER_SUITE_CCMP:
                result = ieee80211_crypto_ccmp_decrypt(
                        rx, IEEE80211_CCMP_MIC_LEN);
                break;
        case WLAN_CIPHER_SUITE_CCMP_256:
                result = ieee80211_crypto_ccmp_decrypt(
                        rx, IEEE80211_CCMP_256_MIC_LEN);
                break;
        case WLAN_CIPHER_SUITE_AES_CMAC:
                result = ieee80211_crypto_aes_cmac_decrypt(rx);
                break;
        case WLAN_CIPHER_SUITE_BIP_CMAC_256:
                result = ieee80211_crypto_aes_cmac_256_decrypt(rx);
                break;
        case WLAN_CIPHER_SUITE_BIP_GMAC_128:
        case WLAN_CIPHER_SUITE_BIP_GMAC_256:
                result = ieee80211_crypto_aes_gmac_decrypt(rx);
                break;
        case WLAN_CIPHER_SUITE_GCMP:
        case WLAN_CIPHER_SUITE_GCMP_256:
                result = ieee80211_crypto_gcmp_decrypt(rx);
                break;
        default:
                result = ieee80211_crypto_hw_decrypt(rx);
        }

        /* the hdr variable is invalid after the decrypt handlers */

        /* either the frame has been decrypted or will be dropped */
        status->flag |= RX_FLAG_DECRYPTED;

        if (unlikely(ieee80211_is_beacon(fc) && result == RX_DROP_UNUSABLE))
                cfg80211_rx_unprot_mlme_mgmt(rx->sdata->dev,
                                             skb->data, skb->len);

        return result;
}

void ieee80211_init_frag_cache(struct ieee80211_fragment_cache *cache)
{
        int i;

        for (i = 0; i < ARRAY_SIZE(cache->entries); i++)
                skb_queue_head_init(&cache->entries[i].skb_list);
}

void ieee80211_destroy_frag_cache(struct ieee80211_fragment_cache *cache)
{
        int i;

        for (i = 0; i < ARRAY_SIZE(cache->entries); i++)
                __skb_queue_purge(&cache->entries[i].skb_list);
}

static inline struct ieee80211_fragment_entry *
ieee80211_reassemble_add(struct ieee80211_fragment_cache *cache,
                         unsigned int frag, unsigned int seq, int rx_queue,
                         struct sk_buff **skb)
{
        struct ieee80211_fragment_entry *entry;

        entry = &cache->entries[cache->next++];
        if (cache->next >= IEEE80211_FRAGMENT_MAX)
                cache->next = 0;

        __skb_queue_purge(&entry->skb_list);

        __skb_queue_tail(&entry->skb_list, *skb); /* no need for locking */
        *skb = NULL;
        entry->first_frag_time = jiffies;
        entry->seq = seq;
        entry->rx_queue = rx_queue;
        entry->last_frag = frag;
        entry->check_sequential_pn = false;
        entry->extra_len = 0;

        return entry;
}

static inline struct ieee80211_fragment_entry *
ieee80211_reassemble_find(struct ieee80211_fragment_cache *cache,
                          unsigned int frag, unsigned int seq,
                          int rx_queue, struct ieee80211_hdr *hdr)
{
        struct ieee80211_fragment_entry *entry;
        int i, idx;

        idx = cache->next;
        for (i = 0; i < IEEE80211_FRAGMENT_MAX; i++) {
                struct ieee80211_hdr *f_hdr;
                struct sk_buff *f_skb;

                idx--;
                if (idx < 0)
                        idx = IEEE80211_FRAGMENT_MAX - 1;

                entry = &cache->entries[idx];
                if (skb_queue_empty(&entry->skb_list) || entry->seq != seq ||
                    entry->rx_queue != rx_queue ||
                    entry->last_frag + 1 != frag)
                        continue;

                f_skb = __skb_peek(&entry->skb_list);
                f_hdr = (struct ieee80211_hdr *) f_skb->data;

                /*
                 * Check ftype and addresses are equal, else check next fragment
                 */
                if (((hdr->frame_control ^ f_hdr->frame_control) &
                     cpu_to_le16(IEEE80211_FCTL_FTYPE)) ||
                    !ether_addr_equal(hdr->addr1, f_hdr->addr1) ||
                    !ether_addr_equal(hdr->addr2, f_hdr->addr2))
                        continue;

                if (time_after(jiffies, entry->first_frag_time + 2 * HZ)) {
                        __skb_queue_purge(&entry->skb_list);
                        continue;
                }
                return entry;
        }

        return NULL;
}

static bool requires_sequential_pn(struct ieee80211_rx_data *rx, __le16 fc)
{
        return rx->key &&
                (rx->key->conf.cipher == WLAN_CIPHER_SUITE_CCMP ||
                 rx->key->conf.cipher == WLAN_CIPHER_SUITE_CCMP_256 ||
                 rx->key->conf.cipher == WLAN_CIPHER_SUITE_GCMP ||
                 rx->key->conf.cipher == WLAN_CIPHER_SUITE_GCMP_256) &&
                ieee80211_has_protected(fc);
}

static ieee80211_rx_result debug_noinline
ieee80211_rx_h_defragment(struct ieee80211_rx_data *rx)
{
        struct ieee80211_fragment_cache *cache = &rx->sdata->frags;
        struct ieee80211_hdr *hdr;
        u16 sc;
        __le16 fc;
        unsigned int frag, seq;
        struct ieee80211_fragment_entry *entry;
        struct sk_buff *skb;
        struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(rx->skb);

        hdr = (struct ieee80211_hdr *)rx->skb->data;
        fc = hdr->frame_control;

        if (ieee80211_is_ctl(fc) || ieee80211_is_ext(fc))
                return RX_CONTINUE;

        sc = le16_to_cpu(hdr->seq_ctrl);
        frag = sc & IEEE80211_SCTL_FRAG;

        if (rx->sta)
                cache = &rx->sta->frags;

        if (likely(!ieee80211_has_morefrags(fc) && frag == 0))
                goto out;

        if (is_multicast_ether_addr(hdr->addr1))
                return RX_DROP_MONITOR;

        I802_DEBUG_INC(rx->local->rx_handlers_fragments);

        if (skb_linearize(rx->skb))
                return RX_DROP_UNUSABLE;

        /*
         *  skb_linearize() might change the skb->data and
         *  previously cached variables (in this case, hdr) need to
         *  be refreshed with the new data.
         */
        hdr = (struct ieee80211_hdr *)rx->skb->data;
        seq = (sc & IEEE80211_SCTL_SEQ) >> 4;

        if (frag == 0) {
                /* This is the first fragment of a new frame. */
                entry = ieee80211_reassemble_add(cache, frag, seq,
                                                 rx->seqno_idx, &(rx->skb));
                if (requires_sequential_pn(rx, fc)) {
                        int queue = rx->security_idx;

                        /* Store CCMP/GCMP PN so that we can verify that the
                         * next fragment has a sequential PN value.
                         */
                        entry->check_sequential_pn = true;
                        entry->is_protected = true;
                        entry->key_color = rx->key->color;
                        memcpy(entry->last_pn,
                               rx->key->u.ccmp.rx_pn[queue],
                               IEEE80211_CCMP_PN_LEN);
                        BUILD_BUG_ON(offsetof(struct ieee80211_key,
                                              u.ccmp.rx_pn) !=
                                     offsetof(struct ieee80211_key,
                                              u.gcmp.rx_pn));
                        BUILD_BUG_ON(sizeof(rx->key->u.ccmp.rx_pn[queue]) !=
                                     sizeof(rx->key->u.gcmp.rx_pn[queue]));
                        BUILD_BUG_ON(IEEE80211_CCMP_PN_LEN !=
                                     IEEE80211_GCMP_PN_LEN);
                } else if (rx->key &&
                           (ieee80211_has_protected(fc) ||
                            (status->flag & RX_FLAG_DECRYPTED))) {
                        entry->is_protected = true;
                        entry->key_color = rx->key->color;
                }
                return RX_QUEUED;
        }

        /* This is a fragment for a frame that should already be pending in
         * fragment cache. Add this fragment to the end of the pending entry.
         */
        entry = ieee80211_reassemble_find(cache, frag, seq,
                                          rx->seqno_idx, hdr);
        if (!entry) {
                I802_DEBUG_INC(rx->local->rx_handlers_drop_defrag);
                return RX_DROP_MONITOR;
        }

        /* "The receiver shall discard MSDUs and MMPDUs whose constituent
         *  MPDU PN values are not incrementing in steps of 1."
         * see IEEE P802.11-REVmc/D5.0, 12.5.3.4.4, item d (for CCMP)
         * and IEEE P802.11-REVmc/D5.0, 12.5.5.4.4, item d (for GCMP)
         */
        if (entry->check_sequential_pn) {
                int i;
                u8 pn[IEEE80211_CCMP_PN_LEN], *rpn;

                if (!requires_sequential_pn(rx, fc))
                        return RX_DROP_UNUSABLE;

                /* Prevent mixed key and fragment cache attacks */
                if (entry->key_color != rx->key->color)
                        return RX_DROP_UNUSABLE;

                memcpy(pn, entry->last_pn, IEEE80211_CCMP_PN_LEN);
                for (i = IEEE80211_CCMP_PN_LEN - 1; i >= 0; i--) {
                        pn[i]++;
                        if (pn[i])
                                break;
                }

                rpn = rx->ccm_gcm.pn;
                if (memcmp(pn, rpn, IEEE80211_CCMP_PN_LEN))
                        return RX_DROP_UNUSABLE;
                memcpy(entry->last_pn, pn, IEEE80211_CCMP_PN_LEN);
        } else if (entry->is_protected &&
                   (!rx->key ||
                    (!ieee80211_has_protected(fc) &&
                     !(status->flag & RX_FLAG_DECRYPTED)) ||
                    rx->key->color != entry->key_color)) {
                /* Drop this as a mixed key or fragment cache attack, even
                 * if for TKIP Michael MIC should protect us, and WEP is a
                 * lost cause anyway.
                 */
                return RX_DROP_UNUSABLE;
        } else if (entry->is_protected && rx->key &&
                   entry->key_color != rx->key->color &&
                   (status->flag & RX_FLAG_DECRYPTED)) {
                return RX_DROP_UNUSABLE;
        }

        skb_pull(rx->skb, ieee80211_hdrlen(fc));
        __skb_queue_tail(&entry->skb_list, rx->skb);
        entry->last_frag = frag;
        entry->extra_len += rx->skb->len;
        if (ieee80211_has_morefrags(fc)) {
                rx->skb = NULL;
                return RX_QUEUED;
        }

        rx->skb = __skb_dequeue(&entry->skb_list);
        if (skb_tailroom(rx->skb) < entry->extra_len) {
                I802_DEBUG_INC(rx->local->rx_expand_skb_head_defrag);
                if (unlikely(pskb_expand_head(rx->skb, 0, entry->extra_len,
                                              GFP_ATOMIC))) {
                        I802_DEBUG_INC(rx->local->rx_handlers_drop_defrag);
                        __skb_queue_purge(&entry->skb_list);
                        return RX_DROP_UNUSABLE;
                }
        }
        while ((skb = __skb_dequeue(&entry->skb_list))) {
                skb_put_data(rx->skb, skb->data, skb->len);
                dev_kfree_skb(skb);
        }

 out:
        ieee80211_led_rx(rx->local);
        if (rx->sta)
                rx->sta->rx_stats.packets++;
        return RX_CONTINUE;
}

static int ieee80211_802_1x_port_control(struct ieee80211_rx_data *rx)
{
        if (unlikely(!rx->sta || !test_sta_flag(rx->sta, WLAN_STA_AUTHORIZED)))
                return -EACCES;

        return 0;
}

static int ieee80211_drop_unencrypted(struct ieee80211_rx_data *rx, __le16 fc)
{
        struct ieee80211_hdr *hdr = (void *)rx->skb->data;
        struct sk_buff *skb = rx->skb;
        struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(skb);

        /*
         * Pass through unencrypted frames if the hardware has
         * decrypted them already.
         */
        if (status->flag & RX_FLAG_DECRYPTED)
                return 0;

        /* check mesh EAPOL frames first */
        if (unlikely(rx->sta && ieee80211_vif_is_mesh(&rx->sdata->vif) &&
                     ieee80211_is_data(fc))) {
                struct ieee80211s_hdr *mesh_hdr;
                u16 hdr_len = ieee80211_hdrlen(fc);
                u16 ethertype_offset;
                __be16 ethertype;

                if (!ether_addr_equal(hdr->addr1, rx->sdata->vif.addr))
                        goto drop_check;

                /* make sure fixed part of mesh header is there, also checks skb len */
                if (!pskb_may_pull(rx->skb, hdr_len + 6))
                        goto drop_check;

                mesh_hdr = (struct ieee80211s_hdr *)(skb->data + hdr_len);
                ethertype_offset = hdr_len + ieee80211_get_mesh_hdrlen(mesh_hdr) +
                                   sizeof(rfc1042_header);

                if (skb_copy_bits(rx->skb, ethertype_offset, &ethertype, 2) == 0 &&
                    ethertype == rx->sdata->control_port_protocol)
                        return 0;
        }

drop_check:
        /* Drop unencrypted frames if key is set. */
        if (unlikely(!ieee80211_has_protected(fc) &&
                     !ieee80211_is_any_nullfunc(fc) &&
                     ieee80211_is_data(fc) && rx->key))
                return -EACCES;

        return 0;
}

static int ieee80211_drop_unencrypted_mgmt(struct ieee80211_rx_data *rx)
{
        struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)rx->skb->data;
        struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(rx->skb);
        __le16 fc = hdr->frame_control;

        /*
         * Pass through unencrypted frames if the hardware has
         * decrypted them already.
         */
        if (status->flag & RX_FLAG_DECRYPTED)
                return 0;

        if (rx->sta && test_sta_flag(rx->sta, WLAN_STA_MFP)) {
                if (unlikely(!ieee80211_has_protected(fc) &&
                             ieee80211_is_unicast_robust_mgmt_frame(rx->skb) &&
                             rx->key)) {
                        if (ieee80211_is_deauth(fc) ||
                            ieee80211_is_disassoc(fc))
                                cfg80211_rx_unprot_mlme_mgmt(rx->sdata->dev,
                                                             rx->skb->data,
                                                             rx->skb->len);
                        return -EACCES;
                }
                /* BIP does not use Protected field, so need to check MMIE */
                if (unlikely(ieee80211_is_multicast_robust_mgmt_frame(rx->skb) &&
                             ieee80211_get_mmie_keyidx(rx->skb) < 0)) {
                        if (ieee80211_is_deauth(fc) ||
                            ieee80211_is_disassoc(fc))
                                cfg80211_rx_unprot_mlme_mgmt(rx->sdata->dev,
                                                             rx->skb->data,
                                                             rx->skb->len);
                        return -EACCES;
                }
                if (unlikely(ieee80211_is_beacon(fc) && rx->key &&
                             ieee80211_get_mmie_keyidx(rx->skb) < 0)) {
                        cfg80211_rx_unprot_mlme_mgmt(rx->sdata->dev,
                                                     rx->skb->data,
                                                     rx->skb->len);
                        return -EACCES;
                }
                /*
                 * When using MFP, Action frames are not allowed prior to
                 * having configured keys.
                 */
                if (unlikely(ieee80211_is_action(fc) && !rx->key &&
                             ieee80211_is_robust_mgmt_frame(rx->skb)))
                        return -EACCES;
        }

        return 0;
}

static int
__ieee80211_data_to_8023(struct ieee80211_rx_data *rx, bool *port_control)
{
        struct ieee80211_sub_if_data *sdata = rx->sdata;
        struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)rx->skb->data;
        bool check_port_control = false;
        struct ethhdr *ehdr;
        int ret;

        *port_control = false;
        if (ieee80211_has_a4(hdr->frame_control) &&
            sdata->vif.type == NL80211_IFTYPE_AP_VLAN && !sdata->u.vlan.sta)
                return -1;

        if (sdata->vif.type == NL80211_IFTYPE_STATION &&
            !!sdata->u.mgd.use_4addr != !!ieee80211_has_a4(hdr->frame_control)) {

                if (!sdata->u.mgd.use_4addr)
                        return -1;
                else if (!ether_addr_equal(hdr->addr1, sdata->vif.addr))
                        check_port_control = true;
        }

        if (is_multicast_ether_addr(hdr->addr1) &&
            sdata->vif.type == NL80211_IFTYPE_AP_VLAN && sdata->u.vlan.sta)
                return -1;

        ret = ieee80211_data_to_8023(rx->skb, sdata->vif.addr, sdata->vif.type);
        if (ret < 0)
                return ret;

        ehdr = (struct ethhdr *) rx->skb->data;
        if (ehdr->h_proto == rx->sdata->control_port_protocol)
                *port_control = true;
        else if (check_port_control)
                return -1;

        return 0;
}

/*
 * requires that rx->skb is a frame with ethernet header
 */
static bool ieee80211_frame_allowed(struct ieee80211_rx_data *rx, __le16 fc)
{
        static const u8 pae_group_addr[ETH_ALEN] __aligned(2)
                = { 0x01, 0x80, 0xC2, 0x00, 0x00, 0x03 };
        struct ethhdr *ehdr = (struct ethhdr *) rx->skb->data;

        /*
         * Allow EAPOL frames to us/the PAE group address regardless of
         * whether the frame was encrypted or not, and always disallow
         * all other destination addresses for them.
         */
        if (unlikely(ehdr->h_proto == rx->sdata->control_port_protocol))
                return ether_addr_equal(ehdr->h_dest, rx->sdata->vif.addr) ||
                       ether_addr_equal(ehdr->h_dest, pae_group_addr);

        if (ieee80211_802_1x_port_control(rx) ||
            ieee80211_drop_unencrypted(rx, fc))
                return false;

        return true;
}

static void ieee80211_deliver_skb_to_local_stack(struct sk_buff *skb,
                                                 struct ieee80211_rx_data *rx)
{
        struct ieee80211_sub_if_data *sdata = rx->sdata;
        struct net_device *dev = sdata->dev;

        if (unlikely((skb->protocol == sdata->control_port_protocol ||
                     (skb->protocol == cpu_to_be16(ETH_P_PREAUTH) &&
                      !sdata->control_port_no_preauth)) &&
                     sdata->control_port_over_nl80211)) {
                struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(skb);
                bool noencrypt = !(status->flag & RX_FLAG_DECRYPTED);

                cfg80211_rx_control_port(dev, skb, noencrypt);
                dev_kfree_skb(skb);
        } else {
                struct ethhdr *ehdr = (void *)skb_mac_header(skb);

                memset(skb->cb, 0, sizeof(skb->cb));

                /*
                 * 802.1X over 802.11 requires that the authenticator address
                 * be used for EAPOL frames. However, 802.1X allows the use of
                 * the PAE group address instead. If the interface is part of
                 * a bridge and we pass the frame with the PAE group address,
                 * then the bridge will forward it to the network (even if the
                 * client was not associated yet), which isn't supposed to
                 * happen.
                 * To avoid that, rewrite the destination address to our own
                 * address, so that the authenticator (e.g. hostapd) will see
                 * the frame, but bridge won't forward it anywhere else. Note
                 * that due to earlier filtering, the only other address can
                 * be the PAE group address.
                 */
                if (unlikely(skb->protocol == sdata->control_port_protocol &&
                             !ether_addr_equal(ehdr->h_dest, sdata->vif.addr)))
                        ether_addr_copy(ehdr->h_dest, sdata->vif.addr);

                /* deliver to local stack */
                if (rx->list)
                        list_add_tail(&skb->list, rx->list);
                else
                        netif_receive_skb(skb);
        }
}

/*
 * requires that rx->skb is a frame with ethernet header
 */
static void
ieee80211_deliver_skb(struct ieee80211_rx_data *rx)
{
        struct ieee80211_sub_if_data *sdata = rx->sdata;
        struct net_device *dev = sdata->dev;
        struct sk_buff *skb, *xmit_skb;
        struct ethhdr *ehdr = (struct ethhdr *) rx->skb->data;
        struct sta_info *dsta;

        skb = rx->skb;
        xmit_skb = NULL;

        dev_sw_netstats_rx_add(dev, skb->len);

        if (rx->sta) {
                /* The seqno index has the same property as needed
                 * for the rx_msdu field, i.e. it is IEEE80211_NUM_TIDS
                 * for non-QoS-data frames. Here we know it's a data
                 * frame, so count MSDUs.
                 */
                u64_stats_update_begin(&rx->sta->rx_stats.syncp);
                rx->sta->rx_stats.msdu[rx->seqno_idx]++;
                u64_stats_update_end(&rx->sta->rx_stats.syncp);
        }

        if ((sdata->vif.type == NL80211_IFTYPE_AP ||
             sdata->vif.type == NL80211_IFTYPE_AP_VLAN) &&
            !(sdata->flags & IEEE80211_SDATA_DONT_BRIDGE_PACKETS) &&
            ehdr->h_proto != rx->sdata->control_port_protocol &&
            (sdata->vif.type != NL80211_IFTYPE_AP_VLAN || !sdata->u.vlan.sta)) {
                if (is_multicast_ether_addr(ehdr->h_dest) &&
                    ieee80211_vif_get_num_mcast_if(sdata) != 0) {
                        /*
                         * send multicast frames both to higher layers in
                         * local net stack and back to the wireless medium
                         */
                        xmit_skb = skb_copy(skb, GFP_ATOMIC);
                        if (!xmit_skb)
                                net_info_ratelimited("%s: failed to clone multicast frame\n",
                                                    dev->name);
                } else if (!is_multicast_ether_addr(ehdr->h_dest) &&
                           !ether_addr_equal(ehdr->h_dest, ehdr->h_source)) {
                        dsta = sta_info_get(sdata, ehdr->h_dest);
                        if (dsta) {
                                /*
                                 * The destination station is associated to
                                 * this AP (in this VLAN), so send the frame
                                 * directly to it and do not pass it to local
                                 * net stack.
                                 */
                                xmit_skb = skb;
                                skb = NULL;
                        }
                }
        }

#ifndef CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS
        if (skb) {
                /* 'align' will only take the values 0 or 2 here since all
                 * frames are required to be aligned to 2-byte boundaries
                 * when being passed to mac80211; the code here works just
                 * as well if that isn't true, but mac80211 assumes it can
                 * access fields as 2-byte aligned (e.g. for ether_addr_equal)
                 */
                int align;

                align = (unsigned long)(skb->data + sizeof(struct ethhdr)) & 3;
                if (align) {
                        if (WARN_ON(skb_headroom(skb) < 3)) {
                                dev_kfree_skb(skb);
                                skb = NULL;
                        } else {
                                u8 *data = skb->data;
                                size_t len = skb_headlen(skb);
                                skb->data -= align;
                                memmove(skb->data, data, len);
                                skb_set_tail_pointer(skb, len);
                        }
                }
        }
#endif

        if (skb) {
                skb->protocol = eth_type_trans(skb, dev);
                ieee80211_deliver_skb_to_local_stack(skb, rx);
        }

        if (xmit_skb) {
                /*
                 * Send to wireless media and increase priority by 256 to
                 * keep the received priority instead of reclassifying
                 * the frame (see cfg80211_classify8021d).
                 */
                xmit_skb->priority += 256;
                xmit_skb->protocol = htons(ETH_P_802_3);
                skb_reset_network_header(xmit_skb);
                skb_reset_mac_header(xmit_skb);
                dev_queue_xmit(xmit_skb);
        }
}

static ieee80211_rx_result debug_noinline
__ieee80211_rx_h_amsdu(struct ieee80211_rx_data *rx, u8 data_offset)
{
        struct net_device *dev = rx->sdata->dev;
        struct sk_buff *skb = rx->skb;
        struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)skb->data;
        __le16 fc = hdr->frame_control;
        struct sk_buff_head frame_list;
        struct ethhdr ethhdr;
        const u8 *check_da = ethhdr.h_dest, *check_sa = ethhdr.h_source;

        if (unlikely(ieee80211_has_a4(hdr->frame_control))) {
                check_da = NULL;
                check_sa = NULL;
        } else switch (rx->sdata->vif.type) {
                case NL80211_IFTYPE_AP:
                case NL80211_IFTYPE_AP_VLAN:
                        check_da = NULL;
                        break;
                case NL80211_IFTYPE_STATION:
                        if (!rx->sta ||
                            !test_sta_flag(rx->sta, WLAN_STA_TDLS_PEER))
                                check_sa = NULL;
                        break;
                case NL80211_IFTYPE_MESH_POINT:
                        check_sa = NULL;
                        break;
                default:
                        break;
        }

        skb->dev = dev;
        __skb_queue_head_init(&frame_list);

        if (ieee80211_data_to_8023_exthdr(skb, &ethhdr,
                                          rx->sdata->vif.addr,
                                          rx->sdata->vif.type,
                                          data_offset, true))
                return RX_DROP_UNUSABLE;

        ieee80211_amsdu_to_8023s(skb, &frame_list, dev->dev_addr,
                                 rx->sdata->vif.type,
                                 rx->local->hw.extra_tx_headroom,
                                 check_da, check_sa);

        while (!skb_queue_empty(&frame_list)) {
                rx->skb = __skb_dequeue(&frame_list);

                if (!ieee80211_frame_allowed(rx, fc)) {
                        dev_kfree_skb(rx->skb);
                        continue;
                }

                ieee80211_deliver_skb(rx);
        }

        return RX_QUEUED;
}

static ieee80211_rx_result debug_noinline
ieee80211_rx_h_amsdu(struct ieee80211_rx_data *rx)
{
        struct sk_buff *skb = rx->skb;
        struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(skb);
        struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)skb->data;
        __le16 fc = hdr->frame_control;

        if (!(status->rx_flags & IEEE80211_RX_AMSDU))
                return RX_CONTINUE;

        if (unlikely(!ieee80211_is_data(fc)))
                return RX_CONTINUE;

        if (unlikely(!ieee80211_is_data_present(fc)))
                return RX_DROP_MONITOR;

        if (unlikely(ieee80211_has_a4(hdr->frame_control))) {
                switch (rx->sdata->vif.type) {
                case NL80211_IFTYPE_AP_VLAN:
                        if (!rx->sdata->u.vlan.sta)
                                return RX_DROP_UNUSABLE;
                        break;
                case NL80211_IFTYPE_STATION:
                        if (!rx->sdata->u.mgd.use_4addr)
                                return RX_DROP_UNUSABLE;
                        break;
                default:
                        return RX_DROP_UNUSABLE;
                }
        }

        if (is_multicast_ether_addr(hdr->addr1))
                return RX_DROP_UNUSABLE;

        if (rx->key) {
                /*
                 * We should not receive A-MSDUs on pre-HT connections,
                 * and HT connections cannot use old ciphers. Thus drop
                 * them, as in those cases we couldn't even have SPP
                 * A-MSDUs or such.
                 */
                switch (rx->key->conf.cipher) {
                case WLAN_CIPHER_SUITE_WEP40:
                case WLAN_CIPHER_SUITE_WEP104:
                case WLAN_CIPHER_SUITE_TKIP:
                        return RX_DROP_UNUSABLE;
                default:
                        break;
                }
        }

        return __ieee80211_rx_h_amsdu(rx, 0);
}

#ifdef CONFIG_MAC80211_MESH
static ieee80211_rx_result
ieee80211_rx_h_mesh_fwding(struct ieee80211_rx_data *rx)
{
        struct ieee80211_hdr *fwd_hdr, *hdr;
        struct ieee80211_tx_info *info;
        struct ieee80211s_hdr *mesh_hdr;
        struct sk_buff *skb = rx->skb, *fwd_skb;
        struct ieee80211_local *local = rx->local;
        struct ieee80211_sub_if_data *sdata = rx->sdata;
        struct ieee80211_if_mesh *ifmsh = &sdata->u.mesh;
        u16 ac, q, hdrlen;
        int tailroom = 0;

        hdr = (struct ieee80211_hdr *) skb->data;
        hdrlen = ieee80211_hdrlen(hdr->frame_control);

        /* make sure fixed part of mesh header is there, also checks skb len */
        if (!pskb_may_pull(rx->skb, hdrlen + 6))
                return RX_DROP_MONITOR;

        mesh_hdr = (struct ieee80211s_hdr *) (skb->data + hdrlen);

        /* make sure full mesh header is there, also checks skb len */
        if (!pskb_may_pull(rx->skb,
                           hdrlen + ieee80211_get_mesh_hdrlen(mesh_hdr)))
                return RX_DROP_MONITOR;

        /* reload pointers */
        hdr = (struct ieee80211_hdr *) skb->data;
        mesh_hdr = (struct ieee80211s_hdr *) (skb->data + hdrlen);

        if (ieee80211_drop_unencrypted(rx, hdr->frame_control))
                return RX_DROP_MONITOR;

        /* frame is in RMC, don't forward */
        if (ieee80211_is_data(hdr->frame_control) &&
            is_multicast_ether_addr(hdr->addr1) &&
            mesh_rmc_check(rx->sdata, hdr->addr3, mesh_hdr))
                return RX_DROP_MONITOR;

        if (!ieee80211_is_data(hdr->frame_control))
                return RX_CONTINUE;

        if (!mesh_hdr->ttl)
                return RX_DROP_MONITOR;

        if (mesh_hdr->flags & MESH_FLAGS_AE) {
                struct mesh_path *mppath;
                char *proxied_addr;
                char *mpp_addr;

                if (is_multicast_ether_addr(hdr->addr1)) {
                        mpp_addr = hdr->addr3;
                        proxied_addr = mesh_hdr->eaddr1;
                } else if ((mesh_hdr->flags & MESH_FLAGS_AE) ==
                            MESH_FLAGS_AE_A5_A6) {
                        /* has_a4 already checked in ieee80211_rx_mesh_check */
                        mpp_addr = hdr->addr4;
                        proxied_addr = mesh_hdr->eaddr2;
                } else {
                        return RX_DROP_MONITOR;
                }

                rcu_read_lock();
                mppath = mpp_path_lookup(sdata, proxied_addr);
                if (!mppath) {
                        mpp_path_add(sdata, proxied_addr, mpp_addr);
                } else {
                        spin_lock_bh(&mppath->state_lock);
                        if (!ether_addr_equal(mppath->mpp, mpp_addr))
                                memcpy(mppath->mpp, mpp_addr, ETH_ALEN);
                        mppath->exp_time = jiffies;
                        spin_unlock_bh(&mppath->state_lock);
                }
                rcu_read_unlock();
        }

        /* Frame has reached destination.  Don't forward */
        if (!is_multicast_ether_addr(hdr->addr1) &&
            ether_addr_equal(sdata->vif.addr, hdr->addr3))
                return RX_CONTINUE;

        ac = ieee80211_select_queue_80211(sdata, skb, hdr);
        q = sdata->vif.hw_queue[ac];
        if (ieee80211_queue_stopped(&local->hw, q)) {
                IEEE80211_IFSTA_MESH_CTR_INC(ifmsh, dropped_frames_congestion);
                return RX_DROP_MONITOR;
        }
        skb_set_queue_mapping(skb, q);

        if (!--mesh_hdr->ttl) {
                if (!is_multicast_ether_addr(hdr->addr1))
                        IEEE80211_IFSTA_MESH_CTR_INC(ifmsh,
                                                     dropped_frames_ttl);
                goto out;
        }

        if (!ifmsh->mshcfg.dot11MeshForwarding)
                goto out;

        if (sdata->crypto_tx_tailroom_needed_cnt)
                tailroom = IEEE80211_ENCRYPT_TAILROOM;

        fwd_skb = skb_copy_expand(skb, local->tx_headroom +
                                       sdata->encrypt_headroom,
                                  tailroom, GFP_ATOMIC);
        if (!fwd_skb)
                goto out;

        fwd_hdr =  (struct ieee80211_hdr *) fwd_skb->data;
        fwd_hdr->frame_control &= ~cpu_to_le16(IEEE80211_FCTL_RETRY);
        info = IEEE80211_SKB_CB(fwd_skb);
        memset(info, 0, sizeof(*info));
        info->control.flags |= IEEE80211_TX_INTCFL_NEED_TXPROCESSING;
        info->control.vif = &rx->sdata->vif;
        info->control.jiffies = jiffies;
        if (is_multicast_ether_addr(fwd_hdr->addr1)) {
                IEEE80211_IFSTA_MESH_CTR_INC(ifmsh, fwded_mcast);
                memcpy(fwd_hdr->addr2, sdata->vif.addr, ETH_ALEN);
                /* update power mode indication when forwarding */
                ieee80211_mps_set_frame_flags(sdata, NULL, fwd_hdr);
        } else if (!mesh_nexthop_lookup(sdata, fwd_skb)) {
                /* mesh power mode flags updated in mesh_nexthop_lookup */
                IEEE80211_IFSTA_MESH_CTR_INC(ifmsh, fwded_unicast);
        } else {
                /* unable to resolve next hop */
                mesh_path_error_tx(sdata, ifmsh->mshcfg.element_ttl,
                                   fwd_hdr->addr3, 0,
                                   WLAN_REASON_MESH_PATH_NOFORWARD,
                                   fwd_hdr->addr2);
                IEEE80211_IFSTA_MESH_CTR_INC(ifmsh, dropped_frames_no_route);
                kfree_skb(fwd_skb);
                return RX_DROP_MONITOR;
        }

        IEEE80211_IFSTA_MESH_CTR_INC(ifmsh, fwded_frames);
        ieee80211_add_pending_skb(local, fwd_skb);
 out:
        if (is_multicast_ether_addr(hdr->addr1))
                return RX_CONTINUE;
        return RX_DROP_MONITOR;
}
#endif

static ieee80211_rx_result debug_noinline
ieee80211_rx_h_data(struct ieee80211_rx_data *rx)
{
        struct ieee80211_sub_if_data *sdata = rx->sdata;
        struct ieee80211_local *local = rx->local;
        struct net_device *dev = sdata->dev;
        struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)rx->skb->data;
        __le16 fc = hdr->frame_control;
        bool port_control;
        int err;

        if (unlikely(!ieee80211_is_data(hdr->frame_control)))
                return RX_CONTINUE;

        if (unlikely(!ieee80211_is_data_present(hdr->frame_control)))
                return RX_DROP_MONITOR;

        /*
         * Send unexpected-4addr-frame event to hostapd. For older versions,
         * also drop the frame to cooked monitor interfaces.