1 // SPDX-License-Identifier: GPL-2.0
2 /*
3  * Intersil Prism2 driver with Host AP (software access point) support
4  * Copyright (c) 2001-2002, SSH Communications Security Corp and Jouni Malinen
5  * <j@w1.fi>
6  * Copyright (c) 2002-2005, Jouni Malinen <j@w1.fi>
7  *
8  * This file is to be included into hostap.c when S/W AP functionality is
9  * compiled.
10  *
11  * AP:  FIX:
12  * - if unicast Class 2 (assoc,reassoc,disassoc) frame received from
13  *   unauthenticated STA, send deauth. frame (8802.11: 5.5)
14  * - if unicast Class 3 (data with to/from DS,deauth,pspoll) frame received
15  *   from authenticated, but unassoc STA, send disassoc frame (8802.11: 5.5)
16  * - if unicast Class 3 received from unauthenticated STA, send deauth. frame
17  *   (8802.11: 5.5)
18  */
19 
20 #include <linux/proc_fs.h>
21 #include <linux/seq_file.h>
22 #include <linux/delay.h>
23 #include <linux/random.h>
24 #include <linux/if_arp.h>
25 #include <linux/slab.h>
26 #include <linux/export.h>
27 #include <linux/moduleparam.h>
28 #include <linux/etherdevice.h>
29 
30 #include "hostap_wlan.h"
31 #include "hostap.h"
32 #include "hostap_ap.h"
33 
34 static int other_ap_policy[MAX_PARM_DEVICES] = { AP_OTHER_AP_SKIP_ALL,
35 						 DEF_INTS };
36 module_param_array(other_ap_policy, int, NULL, 0444);
37 MODULE_PARM_DESC(other_ap_policy, "Other AP beacon monitoring policy (0-3)");
38 
39 static int ap_max_inactivity[MAX_PARM_DEVICES] = { AP_MAX_INACTIVITY_SEC,
40 						   DEF_INTS };
41 module_param_array(ap_max_inactivity, int, NULL, 0444);
42 MODULE_PARM_DESC(ap_max_inactivity, "AP timeout (in seconds) for station "
43 		 "inactivity");
44 
45 static int ap_bridge_packets[MAX_PARM_DEVICES] = { 1, DEF_INTS };
46 module_param_array(ap_bridge_packets, int, NULL, 0444);
47 MODULE_PARM_DESC(ap_bridge_packets, "Bridge packets directly between "
48 		 "stations");
49 
50 static int autom_ap_wds[MAX_PARM_DEVICES] = { 0, DEF_INTS };
51 module_param_array(autom_ap_wds, int, NULL, 0444);
52 MODULE_PARM_DESC(autom_ap_wds, "Add WDS connections to other APs "
53 		 "automatically");
54 
55 
56 static struct sta_info* ap_get_sta(struct ap_data *ap, u8 *sta);
57 static void hostap_event_expired_sta(struct net_device *dev,
58 				     struct sta_info *sta);
59 static void handle_add_proc_queue(struct work_struct *work);
60 
61 #ifndef PRISM2_NO_KERNEL_IEEE80211_MGMT
62 static void handle_wds_oper_queue(struct work_struct *work);
63 static void prism2_send_mgmt(struct net_device *dev,
64 			     u16 type_subtype, char *body,
65 			     int body_len, u8 *addr, u16 tx_cb_idx);
66 #endif /* PRISM2_NO_KERNEL_IEEE80211_MGMT */
67 
68 
69 #ifndef PRISM2_NO_PROCFS_DEBUG
70 static int ap_debug_proc_show(struct seq_file *m, void *v)
71 {
72 	struct ap_data *ap = m->private;
73 
74 	seq_printf(m, "BridgedUnicastFrames=%u\n", ap->bridged_unicast);
75 	seq_printf(m, "BridgedMulticastFrames=%u\n", ap->bridged_multicast);
76 	seq_printf(m, "max_inactivity=%u\n", ap->max_inactivity / HZ);
77 	seq_printf(m, "bridge_packets=%u\n", ap->bridge_packets);
78 	seq_printf(m, "nullfunc_ack=%u\n", ap->nullfunc_ack);
79 	seq_printf(m, "autom_ap_wds=%u\n", ap->autom_ap_wds);
80 	seq_printf(m, "auth_algs=%u\n", ap->local->auth_algs);
81 	seq_printf(m, "tx_drop_nonassoc=%u\n", ap->tx_drop_nonassoc);
82 	return 0;
83 }
84 
85 static int ap_debug_proc_open(struct inode *inode, struct file *file)
86 {
87 	return single_open(file, ap_debug_proc_show, PDE_DATA(inode));
88 }
89 
90 static const struct file_operations ap_debug_proc_fops = {
91 	.open		= ap_debug_proc_open,
92 	.read		= seq_read,
93 	.llseek		= seq_lseek,
94 	.release	= single_release,
95 };
96 #endif /* PRISM2_NO_PROCFS_DEBUG */
97 
98 
99 static void ap_sta_hash_add(struct ap_data *ap, struct sta_info *sta)
100 {
101 	sta->hnext = ap->sta_hash[STA_HASH(sta->addr)];
102 	ap->sta_hash[STA_HASH(sta->addr)] = sta;
103 }
104 
105 static void ap_sta_hash_del(struct ap_data *ap, struct sta_info *sta)
106 {
107 	struct sta_info *s;
108 
109 	s = ap->sta_hash[STA_HASH(sta->addr)];
110 	if (s == NULL) return;
111 	if (ether_addr_equal(s->addr, sta->addr)) {
112 		ap->sta_hash[STA_HASH(sta->addr)] = s->hnext;
113 		return;
114 	}
115 
116 	while (s->hnext != NULL && !ether_addr_equal(s->hnext->addr, sta->addr))
117 		s = s->hnext;
118 	if (s->hnext != NULL)
119 		s->hnext = s->hnext->hnext;
120 	else
121 		printk("AP: could not remove STA %pM from hash table\n",
122 		       sta->addr);
123 }
124 
125 static void ap_free_sta(struct ap_data *ap, struct sta_info *sta)
126 {
127 	if (sta->ap && sta->local)
128 		hostap_event_expired_sta(sta->local->dev, sta);
129 
130 	if (ap->proc != NULL) {
131 		char name[20];
132 		sprintf(name, "%pM", sta->addr);
133 		remove_proc_entry(name, ap->proc);
134 	}
135 
136 	if (sta->crypt) {
137 		sta->crypt->ops->deinit(sta->crypt->priv);
138 		kfree(sta->crypt);
139 		sta->crypt = NULL;
140 	}
141 
142 	skb_queue_purge(&sta->tx_buf);
143 
144 	ap->num_sta--;
145 #ifndef PRISM2_NO_KERNEL_IEEE80211_MGMT
146 	if (sta->aid > 0)
147 		ap->sta_aid[sta->aid - 1] = NULL;
148 
149 	if (!sta->ap)
150 		kfree(sta->u.sta.challenge);
151 	del_timer_sync(&sta->timer);
152 #endif /* PRISM2_NO_KERNEL_IEEE80211_MGMT */
153 
154 	kfree(sta);
155 }
156 
157 
158 static void hostap_set_tim(local_info_t *local, int aid, int set)
159 {
160 	if (local->func->set_tim)
161 		local->func->set_tim(local->dev, aid, set);
162 }
163 
164 
165 static void hostap_event_new_sta(struct net_device *dev, struct sta_info *sta)
166 {
167 	union iwreq_data wrqu;
168 	memset(&wrqu, 0, sizeof(wrqu));
169 	memcpy(wrqu.addr.sa_data, sta->addr, ETH_ALEN);
170 	wrqu.addr.sa_family = ARPHRD_ETHER;
171 	wireless_send_event(dev, IWEVREGISTERED, &wrqu, NULL);
172 }
173 
174 
175 static void hostap_event_expired_sta(struct net_device *dev,
176 				     struct sta_info *sta)
177 {
178 	union iwreq_data wrqu;
179 	memset(&wrqu, 0, sizeof(wrqu));
180 	memcpy(wrqu.addr.sa_data, sta->addr, ETH_ALEN);
181 	wrqu.addr.sa_family = ARPHRD_ETHER;
182 	wireless_send_event(dev, IWEVEXPIRED, &wrqu, NULL);
183 }
184 
185 
186 #ifndef PRISM2_NO_KERNEL_IEEE80211_MGMT
187 
188 static void ap_handle_timer(struct timer_list *t)
189 {
190 	struct sta_info *sta = from_timer(sta, t, timer);
191 	local_info_t *local;
192 	struct ap_data *ap;
193 	unsigned long next_time = 0;
194 	int was_assoc;
195 
196 	if (sta == NULL || sta->local == NULL || sta->local->ap == NULL) {
197 		PDEBUG(DEBUG_AP, "ap_handle_timer() called with NULL data\n");
198 		return;
199 	}
200 
201 	local = sta->local;
202 	ap = local->ap;
203 	was_assoc = sta->flags & WLAN_STA_ASSOC;
204 
205 	if (atomic_read(&sta->users) != 0)
206 		next_time = jiffies + HZ;
207 	else if ((sta->flags & WLAN_STA_PERM) && !(sta->flags & WLAN_STA_AUTH))
208 		next_time = jiffies + ap->max_inactivity;
209 
210 	if (time_before(jiffies, sta->last_rx + ap->max_inactivity)) {
211 		/* station activity detected; reset timeout state */
212 		sta->timeout_next = STA_NULLFUNC;
213 		next_time = sta->last_rx + ap->max_inactivity;
214 	} else if (sta->timeout_next == STA_DISASSOC &&
215 		   !(sta->flags & WLAN_STA_PENDING_POLL)) {
216 		/* STA ACKed data nullfunc frame poll */
217 		sta->timeout_next = STA_NULLFUNC;
218 		next_time = jiffies + ap->max_inactivity;
219 	}
220 
221 	if (next_time) {
222 		sta->timer.expires = next_time;
223 		add_timer(&sta->timer);
224 		return;
225 	}
226 
227 	if (sta->ap)
228 		sta->timeout_next = STA_DEAUTH;
229 
230 	if (sta->timeout_next == STA_DEAUTH && !(sta->flags & WLAN_STA_PERM)) {
231 		spin_lock(&ap->sta_table_lock);
232 		ap_sta_hash_del(ap, sta);
233 		list_del(&sta->list);
234 		spin_unlock(&ap->sta_table_lock);
235 		sta->flags &= ~(WLAN_STA_AUTH | WLAN_STA_ASSOC);
236 	} else if (sta->timeout_next == STA_DISASSOC)
237 		sta->flags &= ~WLAN_STA_ASSOC;
238 
239 	if (was_assoc && !(sta->flags & WLAN_STA_ASSOC) && !sta->ap)
240 		hostap_event_expired_sta(local->dev, sta);
241 
242 	if (sta->timeout_next == STA_DEAUTH && sta->aid > 0 &&
243 	    !skb_queue_empty(&sta->tx_buf)) {
244 		hostap_set_tim(local, sta->aid, 0);
245 		sta->flags &= ~WLAN_STA_TIM;
246 	}
247 
248 	if (sta->ap) {
249 		if (ap->autom_ap_wds) {
250 			PDEBUG(DEBUG_AP, "%s: removing automatic WDS "
251 			       "connection to AP %pM\n",
252 			       local->dev->name, sta->addr);
253 			hostap_wds_link_oper(local, sta->addr, WDS_DEL);
254 		}
255 	} else if (sta->timeout_next == STA_NULLFUNC) {
256 		/* send data frame to poll STA and check whether this frame
257 		 * is ACKed */
258 		/* FIX: IEEE80211_STYPE_NULLFUNC would be more appropriate, but
259 		 * it is apparently not retried so TX Exc events are not
260 		 * received for it */
261 		sta->flags |= WLAN_STA_PENDING_POLL;
262 		prism2_send_mgmt(local->dev, IEEE80211_FTYPE_DATA |
263 				 IEEE80211_STYPE_DATA, NULL, 0,
264 				 sta->addr, ap->tx_callback_poll);
265 	} else {
266 		int deauth = sta->timeout_next == STA_DEAUTH;
267 		__le16 resp;
268 		PDEBUG(DEBUG_AP, "%s: sending %s info to STA %pM"
269 		       "(last=%lu, jiffies=%lu)\n",
270 		       local->dev->name,
271 		       deauth ? "deauthentication" : "disassociation",
272 		       sta->addr, sta->last_rx, jiffies);
273 
274 		resp = cpu_to_le16(deauth ? WLAN_REASON_PREV_AUTH_NOT_VALID :
275 				   WLAN_REASON_DISASSOC_DUE_TO_INACTIVITY);
276 		prism2_send_mgmt(local->dev, IEEE80211_FTYPE_MGMT |
277 				 (deauth ? IEEE80211_STYPE_DEAUTH :
278 				  IEEE80211_STYPE_DISASSOC),
279 				 (char *) &resp, 2, sta->addr, 0);
280 	}
281 
282 	if (sta->timeout_next == STA_DEAUTH) {
283 		if (sta->flags & WLAN_STA_PERM) {
284 			PDEBUG(DEBUG_AP, "%s: STA %pM"
285 			       " would have been removed, "
286 			       "but it has 'perm' flag\n",
287 			       local->dev->name, sta->addr);
288 		} else
289 			ap_free_sta(ap, sta);
290 		return;
291 	}
292 
293 	if (sta->timeout_next == STA_NULLFUNC) {
294 		sta->timeout_next = STA_DISASSOC;
295 		sta->timer.expires = jiffies + AP_DISASSOC_DELAY;
296 	} else {
297 		sta->timeout_next = STA_DEAUTH;
298 		sta->timer.expires = jiffies + AP_DEAUTH_DELAY;
299 	}
300 
301 	add_timer(&sta->timer);
302 }
303 
304 
305 void hostap_deauth_all_stas(struct net_device *dev, struct ap_data *ap,
306 			    int resend)
307 {
308 	u8 addr[ETH_ALEN];
309 	__le16 resp;
310 	int i;
311 
312 	PDEBUG(DEBUG_AP, "%s: Deauthenticate all stations\n", dev->name);
313 	eth_broadcast_addr(addr);
314 
315 	resp = cpu_to_le16(WLAN_REASON_PREV_AUTH_NOT_VALID);
316 
317 	/* deauth message sent; try to resend it few times; the message is
318 	 * broadcast, so it may be delayed until next DTIM; there is not much
319 	 * else we can do at this point since the driver is going to be shut
320 	 * down */
321 	for (i = 0; i < 5; i++) {
322 		prism2_send_mgmt(dev, IEEE80211_FTYPE_MGMT |
323 				 IEEE80211_STYPE_DEAUTH,
324 				 (char *) &resp, 2, addr, 0);
325 
326 		if (!resend || ap->num_sta <= 0)
327 			return;
328 
329 		mdelay(50);
330 	}
331 }
332 
333 
334 static int ap_control_proc_show(struct seq_file *m, void *v)
335 {
336 	struct ap_data *ap = m->private;
337 	char *policy_txt;
338 	struct mac_entry *entry;
339 
340 	if (v == SEQ_START_TOKEN) {
341 		switch (ap->mac_restrictions.policy) {
342 		case MAC_POLICY_OPEN:
343 			policy_txt = "open";
344 			break;
345 		case MAC_POLICY_ALLOW:
346 			policy_txt = "allow";
347 			break;
348 		case MAC_POLICY_DENY:
349 			policy_txt = "deny";
350 			break;
351 		default:
352 			policy_txt = "unknown";
353 			break;
354 		}
355 		seq_printf(m, "MAC policy: %s\n", policy_txt);
356 		seq_printf(m, "MAC entries: %u\n", ap->mac_restrictions.entries);
357 		seq_puts(m, "MAC list:\n");
358 		return 0;
359 	}
360 
361 	entry = v;
362 	seq_printf(m, "%pM\n", entry->addr);
363 	return 0;
364 }
365 
366 static void *ap_control_proc_start(struct seq_file *m, loff_t *_pos)
367 {
368 	struct ap_data *ap = m->private;
369 	spin_lock_bh(&ap->mac_restrictions.lock);
370 	return seq_list_start_head(&ap->mac_restrictions.mac_list, *_pos);
371 }
372 
373 static void *ap_control_proc_next(struct seq_file *m, void *v, loff_t *_pos)
374 {
375 	struct ap_data *ap = m->private;
376 	return seq_list_next(v, &ap->mac_restrictions.mac_list, _pos);
377 }
378 
379 static void ap_control_proc_stop(struct seq_file *m, void *v)
380 {
381 	struct ap_data *ap = m->private;
382 	spin_unlock_bh(&ap->mac_restrictions.lock);
383 }
384 
385 static const struct seq_operations ap_control_proc_seqops = {
386 	.start	= ap_control_proc_start,
387 	.next	= ap_control_proc_next,
388 	.stop	= ap_control_proc_stop,
389 	.show	= ap_control_proc_show,
390 };
391 
392 static int ap_control_proc_open(struct inode *inode, struct file *file)
393 {
394 	int ret = seq_open(file, &ap_control_proc_seqops);
395 	if (ret == 0) {
396 		struct seq_file *m = file->private_data;
397 		m->private = PDE_DATA(inode);
398 	}
399 	return ret;
400 }
401 
402 static const struct file_operations ap_control_proc_fops = {
403 	.open		= ap_control_proc_open,
404 	.read		= seq_read,
405 	.llseek		= seq_lseek,
406 	.release	= seq_release,
407 };
408 
409 
410 int ap_control_add_mac(struct mac_restrictions *mac_restrictions, u8 *mac)
411 {
412 	struct mac_entry *entry;
413 
414 	entry = kmalloc(sizeof(struct mac_entry), GFP_KERNEL);
415 	if (entry == NULL)
416 		return -ENOMEM;
417 
418 	memcpy(entry->addr, mac, ETH_ALEN);
419 
420 	spin_lock_bh(&mac_restrictions->lock);
421 	list_add_tail(&entry->list, &mac_restrictions->mac_list);
422 	mac_restrictions->entries++;
423 	spin_unlock_bh(&mac_restrictions->lock);
424 
425 	return 0;
426 }
427 
428 
429 int ap_control_del_mac(struct mac_restrictions *mac_restrictions, u8 *mac)
430 {
431 	struct list_head *ptr;
432 	struct mac_entry *entry;
433 
434 	spin_lock_bh(&mac_restrictions->lock);
435 	for (ptr = mac_restrictions->mac_list.next;
436 	     ptr != &mac_restrictions->mac_list; ptr = ptr->next) {
437 		entry = list_entry(ptr, struct mac_entry, list);
438 
439 		if (ether_addr_equal(entry->addr, mac)) {
440 			list_del(ptr);
441 			kfree(entry);
442 			mac_restrictions->entries--;
443 			spin_unlock_bh(&mac_restrictions->lock);
444 			return 0;
445 		}
446 	}
447 	spin_unlock_bh(&mac_restrictions->lock);
448 	return -1;
449 }
450 
451 
452 static int ap_control_mac_deny(struct mac_restrictions *mac_restrictions,
453 			       u8 *mac)
454 {
455 	struct mac_entry *entry;
456 	int found = 0;
457 
458 	if (mac_restrictions->policy == MAC_POLICY_OPEN)
459 		return 0;
460 
461 	spin_lock_bh(&mac_restrictions->lock);
462 	list_for_each_entry(entry, &mac_restrictions->mac_list, list) {
463 		if (ether_addr_equal(entry->addr, mac)) {
464 			found = 1;
465 			break;
466 		}
467 	}
468 	spin_unlock_bh(&mac_restrictions->lock);
469 
470 	if (mac_restrictions->policy == MAC_POLICY_ALLOW)
471 		return !found;
472 	else
473 		return found;
474 }
475 
476 
477 void ap_control_flush_macs(struct mac_restrictions *mac_restrictions)
478 {
479 	struct list_head *ptr, *n;
480 	struct mac_entry *entry;
481 
482 	if (mac_restrictions->entries == 0)
483 		return;
484 
485 	spin_lock_bh(&mac_restrictions->lock);
486 	for (ptr = mac_restrictions->mac_list.next, n = ptr->next;
487 	     ptr != &mac_restrictions->mac_list;
488 	     ptr = n, n = ptr->next) {
489 		entry = list_entry(ptr, struct mac_entry, list);
490 		list_del(ptr);
491 		kfree(entry);
492 	}
493 	mac_restrictions->entries = 0;
494 	spin_unlock_bh(&mac_restrictions->lock);
495 }
496 
497 
498 int ap_control_kick_mac(struct ap_data *ap, struct net_device *dev, u8 *mac)
499 {
500 	struct sta_info *sta;
501 	__le16 resp;
502 
503 	spin_lock_bh(&ap->sta_table_lock);
504 	sta = ap_get_sta(ap, mac);
505 	if (sta) {
506 		ap_sta_hash_del(ap, sta);
507 		list_del(&sta->list);
508 	}
509 	spin_unlock_bh(&ap->sta_table_lock);
510 
511 	if (!sta)
512 		return -EINVAL;
513 
514 	resp = cpu_to_le16(WLAN_REASON_PREV_AUTH_NOT_VALID);
515 	prism2_send_mgmt(dev, IEEE80211_FTYPE_MGMT | IEEE80211_STYPE_DEAUTH,
516 			 (char *) &resp, 2, sta->addr, 0);
517 
518 	if ((sta->flags & WLAN_STA_ASSOC) && !sta->ap)
519 		hostap_event_expired_sta(dev, sta);
520 
521 	ap_free_sta(ap, sta);
522 
523 	return 0;
524 }
525 
526 #endif /* PRISM2_NO_KERNEL_IEEE80211_MGMT */
527 
528 
529 void ap_control_kickall(struct ap_data *ap)
530 {
531 	struct list_head *ptr, *n;
532 	struct sta_info *sta;
533 
534 	spin_lock_bh(&ap->sta_table_lock);
535 	for (ptr = ap->sta_list.next, n = ptr->next; ptr != &ap->sta_list;
536 	     ptr = n, n = ptr->next) {
537 		sta = list_entry(ptr, struct sta_info, list);
538 		ap_sta_hash_del(ap, sta);
539 		list_del(&sta->list);
540 		if ((sta->flags & WLAN_STA_ASSOC) && !sta->ap && sta->local)
541 			hostap_event_expired_sta(sta->local->dev, sta);
542 		ap_free_sta(ap, sta);
543 	}
544 	spin_unlock_bh(&ap->sta_table_lock);
545 }
546 
547 
548 #ifndef PRISM2_NO_KERNEL_IEEE80211_MGMT
549 
550 static int prism2_ap_proc_show(struct seq_file *m, void *v)
551 {
552 	struct sta_info *sta = v;
553 	int i;
554 
555 	if (v == SEQ_START_TOKEN) {
556 		seq_printf(m, "# BSSID CHAN SIGNAL NOISE RATE SSID FLAGS\n");
557 		return 0;
558 	}
559 
560 	if (!sta->ap)
561 		return 0;
562 
563 	seq_printf(m, "%pM %d %d %d %d '",
564 		   sta->addr,
565 		   sta->u.ap.channel, sta->last_rx_signal,
566 		   sta->last_rx_silence, sta->last_rx_rate);
567 
568 	for (i = 0; i < sta->u.ap.ssid_len; i++) {
569 		if (sta->u.ap.ssid[i] >= 32 && sta->u.ap.ssid[i] < 127)
570 			seq_putc(m, sta->u.ap.ssid[i]);
571 		else
572 			seq_printf(m, "<%02x>", sta->u.ap.ssid[i]);
573 	}
574 
575 	seq_putc(m, '\'');
576 	if (sta->capability & WLAN_CAPABILITY_ESS)
577 		seq_puts(m, " [ESS]");
578 	if (sta->capability & WLAN_CAPABILITY_IBSS)
579 		seq_puts(m, " [IBSS]");
580 	if (sta->capability & WLAN_CAPABILITY_PRIVACY)
581 		seq_puts(m, " [WEP]");
582 	seq_putc(m, '\n');
583 	return 0;
584 }
585 
586 static void *prism2_ap_proc_start(struct seq_file *m, loff_t *_pos)
587 {
588 	struct ap_data *ap = m->private;
589 	spin_lock_bh(&ap->sta_table_lock);
590 	return seq_list_start_head(&ap->sta_list, *_pos);
591 }
592 
593 static void *prism2_ap_proc_next(struct seq_file *m, void *v, loff_t *_pos)
594 {
595 	struct ap_data *ap = m->private;
596 	return seq_list_next(v, &ap->sta_list, _pos);
597 }
598 
599 static void prism2_ap_proc_stop(struct seq_file *m, void *v)
600 {
601 	struct ap_data *ap = m->private;
602 	spin_unlock_bh(&ap->sta_table_lock);
603 }
604 
605 static const struct seq_operations prism2_ap_proc_seqops = {
606 	.start	= prism2_ap_proc_start,
607 	.next	= prism2_ap_proc_next,
608 	.stop	= prism2_ap_proc_stop,
609 	.show	= prism2_ap_proc_show,
610 };
611 
612 static int prism2_ap_proc_open(struct inode *inode, struct file *file)
613 {
614 	int ret = seq_open(file, &prism2_ap_proc_seqops);
615 	if (ret == 0) {
616 		struct seq_file *m = file->private_data;
617 		m->private = PDE_DATA(inode);
618 	}
619 	return ret;
620 }
621 
622 static const struct file_operations prism2_ap_proc_fops = {
623 	.open		= prism2_ap_proc_open,
624 	.read		= seq_read,
625 	.llseek		= seq_lseek,
626 	.release	= seq_release,
627 };
628 #endif /* PRISM2_NO_KERNEL_IEEE80211_MGMT */
629 
630 
631 void hostap_check_sta_fw_version(struct ap_data *ap, int sta_fw_ver)
632 {
633 	if (!ap)
634 		return;
635 
636 	if (sta_fw_ver == PRISM2_FW_VER(0,8,0)) {
637 		PDEBUG(DEBUG_AP, "Using data::nullfunc ACK workaround - "
638 		       "firmware upgrade recommended\n");
639 		ap->nullfunc_ack = 1;
640 	} else
641 		ap->nullfunc_ack = 0;
642 
643 	if (sta_fw_ver == PRISM2_FW_VER(1,4,2)) {
644 		printk(KERN_WARNING "%s: Warning: secondary station firmware "
645 		       "version 1.4.2 does not seem to work in Host AP mode\n",
646 		       ap->local->dev->name);
647 	}
648 }
649 
650 
651 /* Called only as a tasklet (software IRQ) */
652 static void hostap_ap_tx_cb(struct sk_buff *skb, int ok, void *data)
653 {
654 	struct ap_data *ap = data;
655 	struct ieee80211_hdr *hdr;
656 
657 	if (!ap->local->hostapd || !ap->local->apdev) {
658 		dev_kfree_skb(skb);
659 		return;
660 	}
661 
662 	/* Pass the TX callback frame to the hostapd; use 802.11 header version
663 	 * 1 to indicate failure (no ACK) and 2 success (frame ACKed) */
664 
665 	hdr = (struct ieee80211_hdr *) skb->data;
666 	hdr->frame_control &= cpu_to_le16(~IEEE80211_FCTL_VERS);
667 	hdr->frame_control |= cpu_to_le16(ok ? BIT(1) : BIT(0));
668 
669 	skb->dev = ap->local->apdev;
670 	skb_pull(skb, hostap_80211_get_hdrlen(hdr->frame_control));
671 	skb->pkt_type = PACKET_OTHERHOST;
672 	skb->protocol = cpu_to_be16(ETH_P_802_2);
673 	memset(skb->cb, 0, sizeof(skb->cb));
674 	netif_rx(skb);
675 }
676 
677 
678 #ifndef PRISM2_NO_KERNEL_IEEE80211_MGMT
679 /* Called only as a tasklet (software IRQ) */
680 static void hostap_ap_tx_cb_auth(struct sk_buff *skb, int ok, void *data)
681 {
682 	struct ap_data *ap = data;
683 	struct net_device *dev = ap->local->dev;
684 	struct ieee80211_hdr *hdr;
685 	u16 auth_alg, auth_transaction, status;
686 	__le16 *pos;
687 	struct sta_info *sta = NULL;
688 	char *txt = NULL;
689 
690 	if (ap->local->hostapd) {
691 		dev_kfree_skb(skb);
692 		return;
693 	}
694 
695 	hdr = (struct ieee80211_hdr *) skb->data;
696 	if (!ieee80211_is_auth(hdr->frame_control) ||
697 	    skb->len < IEEE80211_MGMT_HDR_LEN + 6) {
698 		printk(KERN_DEBUG "%s: hostap_ap_tx_cb_auth received invalid "
699 		       "frame\n", dev->name);
700 		dev_kfree_skb(skb);
701 		return;
702 	}
703 
704 	pos = (__le16 *) (skb->data + IEEE80211_MGMT_HDR_LEN);
705 	auth_alg = le16_to_cpu(*pos++);
706 	auth_transaction = le16_to_cpu(*pos++);
707 	status = le16_to_cpu(*pos++);
708 
709 	if (!ok) {
710 		txt = "frame was not ACKed";
711 		goto done;
712 	}
713 
714 	spin_lock(&ap->sta_table_lock);
715 	sta = ap_get_sta(ap, hdr->addr1);
716 	if (sta)
717 		atomic_inc(&sta->users);
718 	spin_unlock(&ap->sta_table_lock);
719 
720 	if (!sta) {
721 		txt = "STA not found";
722 		goto done;
723 	}
724 
725 	if (status == WLAN_STATUS_SUCCESS &&
726 	    ((auth_alg == WLAN_AUTH_OPEN && auth_transaction == 2) ||
727 	     (auth_alg == WLAN_AUTH_SHARED_KEY && auth_transaction == 4))) {
728 		txt = "STA authenticated";
729 		sta->flags |= WLAN_STA_AUTH;
730 		sta->last_auth = jiffies;
731 	} else if (status != WLAN_STATUS_SUCCESS)
732 		txt = "authentication failed";
733 
734  done:
735 	if (sta)
736 		atomic_dec(&sta->users);
737 	if (txt) {
738 		PDEBUG(DEBUG_AP, "%s: %pM auth_cb - alg=%d "
739 		       "trans#=%d status=%d - %s\n",
740 		       dev->name, hdr->addr1,
741 		       auth_alg, auth_transaction, status, txt);
742 	}
743 	dev_kfree_skb(skb);
744 }
745 
746 
747 /* Called only as a tasklet (software IRQ) */
748 static void hostap_ap_tx_cb_assoc(struct sk_buff *skb, int ok, void *data)
749 {
750 	struct ap_data *ap = data;
751 	struct net_device *dev = ap->local->dev;
752 	struct ieee80211_hdr *hdr;
753 	u16 status;
754 	__le16 *pos;
755 	struct sta_info *sta = NULL;
756 	char *txt = NULL;
757 
758 	if (ap->local->hostapd) {
759 		dev_kfree_skb(skb);
760 		return;
761 	}
762 
763 	hdr = (struct ieee80211_hdr *) skb->data;
764 	if ((!ieee80211_is_assoc_resp(hdr->frame_control) &&
765 	     !ieee80211_is_reassoc_resp(hdr->frame_control)) ||
766 	    skb->len < IEEE80211_MGMT_HDR_LEN + 4) {
767 		printk(KERN_DEBUG "%s: hostap_ap_tx_cb_assoc received invalid "
768 		       "frame\n", dev->name);
769 		dev_kfree_skb(skb);
770 		return;
771 	}
772 
773 	if (!ok) {
774 		txt = "frame was not ACKed";
775 		goto done;
776 	}
777 
778 	spin_lock(&ap->sta_table_lock);
779 	sta = ap_get_sta(ap, hdr->addr1);
780 	if (sta)
781 		atomic_inc(&sta->users);
782 	spin_unlock(&ap->sta_table_lock);
783 
784 	if (!sta) {
785 		txt = "STA not found";
786 		goto done;
787 	}
788 
789 	pos = (__le16 *) (skb->data + IEEE80211_MGMT_HDR_LEN);
790 	pos++;
791 	status = le16_to_cpu(*pos++);
792 	if (status == WLAN_STATUS_SUCCESS) {
793 		if (!(sta->flags & WLAN_STA_ASSOC))
794 			hostap_event_new_sta(dev, sta);
795 		txt = "STA associated";
796 		sta->flags |= WLAN_STA_ASSOC;
797 		sta->last_assoc = jiffies;
798 	} else
799 		txt = "association failed";
800 
801  done:
802 	if (sta)
803 		atomic_dec(&sta->users);
804 	if (txt) {
805 		PDEBUG(DEBUG_AP, "%s: %pM assoc_cb - %s\n",
806 		       dev->name, hdr->addr1, txt);
807 	}
808 	dev_kfree_skb(skb);
809 }
810 
811 /* Called only as a tasklet (software IRQ); TX callback for poll frames used
812  * in verifying whether the STA is still present. */
813 static void hostap_ap_tx_cb_poll(struct sk_buff *skb, int ok, void *data)
814 {
815 	struct ap_data *ap = data;
816 	struct ieee80211_hdr *hdr;
817 	struct sta_info *sta;
818 
819 	if (skb->len < 24)
820 		goto fail;
821 	hdr = (struct ieee80211_hdr *) skb->data;
822 	if (ok) {
823 		spin_lock(&ap->sta_table_lock);
824 		sta = ap_get_sta(ap, hdr->addr1);
825 		if (sta)
826 			sta->flags &= ~WLAN_STA_PENDING_POLL;
827 		spin_unlock(&ap->sta_table_lock);
828 	} else {
829 		PDEBUG(DEBUG_AP,
830 		       "%s: STA %pM did not ACK activity poll frame\n",
831 		       ap->local->dev->name, hdr->addr1);
832 	}
833 
834  fail:
835 	dev_kfree_skb(skb);
836 }
837 #endif /* PRISM2_NO_KERNEL_IEEE80211_MGMT */
838 
839 
840 void hostap_init_data(local_info_t *local)
841 {
842 	struct ap_data *ap = local->ap;
843 
844 	if (ap == NULL) {
845 		printk(KERN_WARNING "hostap_init_data: ap == NULL\n");
846 		return;
847 	}
848 	memset(ap, 0, sizeof(struct ap_data));
849 	ap->local = local;
850 
851 	ap->ap_policy = GET_INT_PARM(other_ap_policy, local->card_idx);
852 	ap->bridge_packets = GET_INT_PARM(ap_bridge_packets, local->card_idx);
853 	ap->max_inactivity =
854 		GET_INT_PARM(ap_max_inactivity, local->card_idx) * HZ;
855 	ap->autom_ap_wds = GET_INT_PARM(autom_ap_wds, local->card_idx);
856 
857 	spin_lock_init(&ap->sta_table_lock);
858 	INIT_LIST_HEAD(&ap->sta_list);
859 
860 	/* Initialize task queue structure for AP management */
861 	INIT_WORK(&local->ap->add_sta_proc_queue, handle_add_proc_queue);
862 
863 	ap->tx_callback_idx =
864 		hostap_tx_callback_register(local, hostap_ap_tx_cb, ap);
865 	if (ap->tx_callback_idx == 0)
866 		printk(KERN_WARNING "%s: failed to register TX callback for "
867 		       "AP\n", local->dev->name);
868 #ifndef PRISM2_NO_KERNEL_IEEE80211_MGMT
869 	INIT_WORK(&local->ap->wds_oper_queue, handle_wds_oper_queue);
870 
871 	ap->tx_callback_auth =
872 		hostap_tx_callback_register(local, hostap_ap_tx_cb_auth, ap);
873 	ap->tx_callback_assoc =
874 		hostap_tx_callback_register(local, hostap_ap_tx_cb_assoc, ap);
875 	ap->tx_callback_poll =
876 		hostap_tx_callback_register(local, hostap_ap_tx_cb_poll, ap);
877 	if (ap->tx_callback_auth == 0 || ap->tx_callback_assoc == 0 ||
878 		ap->tx_callback_poll == 0)
879 		printk(KERN_WARNING "%s: failed to register TX callback for "
880 		       "AP\n", local->dev->name);
881 
882 	spin_lock_init(&ap->mac_restrictions.lock);
883 	INIT_LIST_HEAD(&ap->mac_restrictions.mac_list);
884 #endif /* PRISM2_NO_KERNEL_IEEE80211_MGMT */
885 
886 	ap->initialized = 1;
887 }
888 
889 
890 void hostap_init_ap_proc(local_info_t *local)
891 {
892 	struct ap_data *ap = local->ap;
893 
894 	ap->proc = local->proc;
895 	if (ap->proc == NULL)
896 		return;
897 
898 #ifndef PRISM2_NO_PROCFS_DEBUG
899 	proc_create_data("ap_debug", 0, ap->proc, &ap_debug_proc_fops, ap);
900 #endif /* PRISM2_NO_PROCFS_DEBUG */
901 
902 #ifndef PRISM2_NO_KERNEL_IEEE80211_MGMT
903 	proc_create_data("ap_control", 0, ap->proc, &ap_control_proc_fops, ap);
904 	proc_create_data("ap", 0, ap->proc, &prism2_ap_proc_fops, ap);
905 #endif /* PRISM2_NO_KERNEL_IEEE80211_MGMT */
906 
907 }
908 
909 
910 void hostap_free_data(struct ap_data *ap)
911 {
912 	struct sta_info *n, *sta;
913 
914 	if (ap == NULL || !ap->initialized) {
915 		printk(KERN_DEBUG "hostap_free_data: ap has not yet been "
916 		       "initialized - skip resource freeing\n");
917 		return;
918 	}
919 
920 	flush_work(&ap->add_sta_proc_queue);
921 
922 #ifndef PRISM2_NO_KERNEL_IEEE80211_MGMT
923 	flush_work(&ap->wds_oper_queue);
924 	if (ap->crypt)
925 		ap->crypt->deinit(ap->crypt_priv);
926 	ap->crypt = ap->crypt_priv = NULL;
927 #endif /* PRISM2_NO_KERNEL_IEEE80211_MGMT */
928 
929 	list_for_each_entry_safe(sta, n, &ap->sta_list, list) {
930 		ap_sta_hash_del(ap, sta);
931 		list_del(&sta->list);
932 		if ((sta->flags & WLAN_STA_ASSOC) && !sta->ap && sta->local)
933 			hostap_event_expired_sta(sta->local->dev, sta);
934 		ap_free_sta(ap, sta);
935 	}
936 
937 #ifndef PRISM2_NO_PROCFS_DEBUG
938 	if (ap->proc != NULL) {
939 		remove_proc_entry("ap_debug", ap->proc);
940 	}
941 #endif /* PRISM2_NO_PROCFS_DEBUG */
942 
943 #ifndef PRISM2_NO_KERNEL_IEEE80211_MGMT
944 	if (ap->proc != NULL) {
945 	  remove_proc_entry("ap", ap->proc);
946 		remove_proc_entry("ap_control", ap->proc);
947 	}
948 	ap_control_flush_macs(&ap->mac_restrictions);
949 #endif /* PRISM2_NO_KERNEL_IEEE80211_MGMT */
950 
951 	ap->initialized = 0;
952 }
953 
954 
955 /* caller should have mutex for AP STA list handling */
956 static struct sta_info* ap_get_sta(struct ap_data *ap, u8 *sta)
957 {
958 	struct sta_info *s;
959 
960 	s = ap->sta_hash[STA_HASH(sta)];
961 	while (s != NULL && !ether_addr_equal(s->addr, sta))
962 		s = s->hnext;
963 	return s;
964 }
965 
966 
967 #ifndef PRISM2_NO_KERNEL_IEEE80211_MGMT
968 
969 /* Called from timer handler and from scheduled AP queue handlers */
970 static void prism2_send_mgmt(struct net_device *dev,
971 			     u16 type_subtype, char *body,
972 			     int body_len, u8 *addr, u16 tx_cb_idx)
973 {
974 	struct hostap_interface *iface;
975 	local_info_t *local;
976 	struct ieee80211_hdr *hdr;
977 	u16 fc;
978 	struct sk_buff *skb;
979 	struct hostap_skb_tx_data *meta;
980 	int hdrlen;
981 
982 	iface = netdev_priv(dev);
983 	local = iface->local;
984 	dev = local->dev; /* always use master radio device */
985 	iface = netdev_priv(dev);
986 
987 	if (!(dev->flags & IFF_UP)) {
988 		PDEBUG(DEBUG_AP, "%s: prism2_send_mgmt - device is not UP - "
989 		       "cannot send frame\n", dev->name);
990 		return;
991 	}
992 
993 	skb = dev_alloc_skb(sizeof(*hdr) + body_len);
994 	if (skb == NULL) {
995 		PDEBUG(DEBUG_AP, "%s: prism2_send_mgmt failed to allocate "
996 		       "skb\n", dev->name);
997 		return;
998 	}
999 
1000 	fc = type_subtype;
1001 	hdrlen = hostap_80211_get_hdrlen(cpu_to_le16(type_subtype));
1002 	hdr = skb_put_zero(skb, hdrlen);
1003 	if (body)
1004 		skb_put_data(skb, body, body_len);
1005 
1006 	/* FIX: ctrl::ack sending used special HFA384X_TX_CTRL_802_11
1007 	 * tx_control instead of using local->tx_control */
1008 
1009 
1010 	memcpy(hdr->addr1, addr, ETH_ALEN); /* DA / RA */
1011 	if (ieee80211_is_data(hdr->frame_control)) {
1012 		fc |= IEEE80211_FCTL_FROMDS;
1013 		memcpy(hdr->addr2, dev->dev_addr, ETH_ALEN); /* BSSID */
1014 		memcpy(hdr->addr3, dev->dev_addr, ETH_ALEN); /* SA */
1015 	} else if (ieee80211_is_ctl(hdr->frame_control)) {
1016 		/* control:ACK does not have addr2 or addr3 */
1017 		eth_zero_addr(hdr->addr2);
1018 		eth_zero_addr(hdr->addr3);
1019 	} else {
1020 		memcpy(hdr->addr2, dev->dev_addr, ETH_ALEN); /* SA */
1021 		memcpy(hdr->addr3, dev->dev_addr, ETH_ALEN); /* BSSID */
1022 	}
1023 
1024 	hdr->frame_control = cpu_to_le16(fc);
1025 
1026 	meta = (struct hostap_skb_tx_data *) skb->cb;
1027 	memset(meta, 0, sizeof(*meta));
1028 	meta->magic = HOSTAP_SKB_TX_DATA_MAGIC;
1029 	meta->iface = iface;
1030 	meta->tx_cb_idx = tx_cb_idx;
1031 
1032 	skb->dev = dev;
1033 	skb_reset_mac_header(skb);
1034 	skb_reset_network_header(skb);
1035 	dev_queue_xmit(skb);
1036 }
1037 #endif /* PRISM2_NO_KERNEL_IEEE80211_MGMT */
1038 
1039 
1040 static int prism2_sta_proc_show(struct seq_file *m, void *v)
1041 {
1042 	struct sta_info *sta = m->private;
1043 	int i;
1044 
1045 	/* FIX: possible race condition.. the STA data could have just expired,
1046 	 * but proc entry was still here so that the read could have started;
1047 	 * some locking should be done here.. */
1048 
1049 	seq_printf(m,
1050 		   "%s=%pM\nusers=%d\naid=%d\n"
1051 		   "flags=0x%04x%s%s%s%s%s%s%s\n"
1052 		   "capability=0x%02x\nlisten_interval=%d\nsupported_rates=",
1053 		   sta->ap ? "AP" : "STA",
1054 		   sta->addr, atomic_read(&sta->users), sta->aid,
1055 		   sta->flags,
1056 		   sta->flags & WLAN_STA_AUTH ? " AUTH" : "",
1057 		   sta->flags & WLAN_STA_ASSOC ? " ASSOC" : "",
1058 		   sta->flags & WLAN_STA_PS ? " PS" : "",
1059 		   sta->flags & WLAN_STA_TIM ? " TIM" : "",
1060 		   sta->flags & WLAN_STA_PERM ? " PERM" : "",
1061 		   sta->flags & WLAN_STA_AUTHORIZED ? " AUTHORIZED" : "",
1062 		   sta->flags & WLAN_STA_PENDING_POLL ? " POLL" : "",
1063 		   sta->capability, sta->listen_interval);
1064 	/* supported_rates: 500 kbit/s units with msb ignored */
1065 	for (i = 0; i < sizeof(sta->supported_rates); i++)
1066 		if (sta->supported_rates[i] != 0)
1067 			seq_printf(m, "%d%sMbps ",
1068 				   (sta->supported_rates[i] & 0x7f) / 2,
1069 				   sta->supported_rates[i] & 1 ? ".5" : "");
1070 	seq_printf(m,
1071 		   "\njiffies=%lu\nlast_auth=%lu\nlast_assoc=%lu\n"
1072 		   "last_rx=%lu\nlast_tx=%lu\nrx_packets=%lu\n"
1073 		   "tx_packets=%lu\n"
1074 		   "rx_bytes=%lu\ntx_bytes=%lu\nbuffer_count=%d\n"
1075 		   "last_rx: silence=%d dBm signal=%d dBm rate=%d%s Mbps\n"
1076 		   "tx_rate=%d\ntx[1M]=%d\ntx[2M]=%d\ntx[5.5M]=%d\n"
1077 		   "tx[11M]=%d\n"
1078 		   "rx[1M]=%d\nrx[2M]=%d\nrx[5.5M]=%d\nrx[11M]=%d\n",
1079 		   jiffies, sta->last_auth, sta->last_assoc, sta->last_rx,
1080 		   sta->last_tx,
1081 		   sta->rx_packets, sta->tx_packets, sta->rx_bytes,
1082 		   sta->tx_bytes, skb_queue_len(&sta->tx_buf),
1083 		   sta->last_rx_silence,
1084 		   sta->last_rx_signal, sta->last_rx_rate / 10,
1085 		   sta->last_rx_rate % 10 ? ".5" : "",
1086 		   sta->tx_rate, sta->tx_count[0], sta->tx_count[1],
1087 		   sta->tx_count[2], sta->tx_count[3],  sta->rx_count[0],
1088 		   sta->rx_count[1], sta->rx_count[2], sta->rx_count[3]);
1089 	if (sta->crypt && sta->crypt->ops && sta->crypt->ops->print_stats)
1090 		sta->crypt->ops->print_stats(m, sta->crypt->priv);
1091 #ifndef PRISM2_NO_KERNEL_IEEE80211_MGMT
1092 	if (sta->ap) {
1093 		if (sta->u.ap.channel >= 0)
1094 			seq_printf(m, "channel=%d\n", sta->u.ap.channel);
1095 		seq_puts(m, "ssid=");
1096 		for (i = 0; i < sta->u.ap.ssid_len; i++) {
1097 			if (sta->u.ap.ssid[i] >= 32 && sta->u.ap.ssid[i] < 127)
1098 				seq_putc(m, sta->u.ap.ssid[i]);
1099 			else
1100 				seq_printf(m, "<%02x>", sta->u.ap.ssid[i]);
1101 		}
1102 		seq_putc(m, '\n');
1103 	}
1104 #endif /* PRISM2_NO_KERNEL_IEEE80211_MGMT */
1105 
1106 	return 0;
1107 }
1108 
1109 static int prism2_sta_proc_open(struct inode *inode, struct file *file)
1110 {
1111 	return single_open(file, prism2_sta_proc_show, PDE_DATA(inode));
1112 }
1113 
1114 static const struct file_operations prism2_sta_proc_fops = {
1115 	.open		= prism2_sta_proc_open,
1116 	.read		= seq_read,
1117 	.llseek		= seq_lseek,
1118 	.release	= single_release,
1119 };
1120 
1121 static void handle_add_proc_queue(struct work_struct *work)
1122 {
1123 	struct ap_data *ap = container_of(work, struct ap_data,
1124 					  add_sta_proc_queue);
1125 	struct sta_info *sta;
1126 	char name[20];
1127 	struct add_sta_proc_data *entry, *prev;
1128 
1129 	entry = ap->add_sta_proc_entries;
1130 	ap->add_sta_proc_entries = NULL;
1131 
1132 	while (entry) {
1133 		spin_lock_bh(&ap->sta_table_lock);
1134 		sta = ap_get_sta(ap, entry->addr);
1135 		if (sta)
1136 			atomic_inc(&sta->users);
1137 		spin_unlock_bh(&ap->sta_table_lock);
1138 
1139 		if (sta) {
1140 			sprintf(name, "%pM", sta->addr);
1141 			sta->proc = proc_create_data(
1142 				name, 0, ap->proc,
1143 				&prism2_sta_proc_fops, sta);
1144 
1145 			atomic_dec(&sta->users);
1146 		}
1147 
1148 		prev = entry;
1149 		entry = entry->next;
1150 		kfree(prev);
1151 	}
1152 }
1153 
1154 
1155 static struct sta_info * ap_add_sta(struct ap_data *ap, u8 *addr)
1156 {
1157 	struct sta_info *sta;
1158 
1159 	sta = kzalloc(sizeof(struct sta_info), GFP_ATOMIC);
1160 	if (sta == NULL) {
1161 		PDEBUG(DEBUG_AP, "AP: kmalloc failed\n");
1162 		return NULL;
1163 	}
1164 
1165 	/* initialize STA info data */
1166 	sta->local = ap->local;
1167 	skb_queue_head_init(&sta->tx_buf);
1168 	memcpy(sta->addr, addr, ETH_ALEN);
1169 
1170 	atomic_inc(&sta->users);
1171 	spin_lock_bh(&ap->sta_table_lock);
1172 	list_add(&sta->list, &ap->sta_list);
1173 	ap->num_sta++;
1174 	ap_sta_hash_add(ap, sta);
1175 	spin_unlock_bh(&ap->sta_table_lock);
1176 
1177 	if (ap->proc) {
1178 		struct add_sta_proc_data *entry;
1179 		/* schedule a non-interrupt context process to add a procfs
1180 		 * entry for the STA since procfs code use GFP_KERNEL */
1181 		entry = kmalloc(sizeof(*entry), GFP_ATOMIC);
1182 		if (entry) {
1183 			memcpy(entry->addr, sta->addr, ETH_ALEN);
1184 			entry->next = ap->add_sta_proc_entries;
1185 			ap->add_sta_proc_entries = entry;
1186 			schedule_work(&ap->add_sta_proc_queue);
1187 		} else
1188 			printk(KERN_DEBUG "Failed to add STA proc data\n");
1189 	}
1190 
1191 #ifndef PRISM2_NO_KERNEL_IEEE80211_MGMT
1192 	timer_setup(&sta->timer, ap_handle_timer, 0);
1193 	sta->timer.expires = jiffies + ap->max_inactivity;
1194 	if (!ap->local->hostapd)
1195 		add_timer(&sta->timer);
1196 #endif /* PRISM2_NO_KERNEL_IEEE80211_MGMT */
1197 
1198 	return sta;
1199 }
1200 
1201 
1202 static int ap_tx_rate_ok(int rateidx, struct sta_info *sta,
1203 			 local_info_t *local)
1204 {
1205 	if (rateidx > sta->tx_max_rate ||
1206 	    !(sta->tx_supp_rates & (1 << rateidx)))
1207 		return 0;
1208 
1209 	if (local->tx_rate_control != 0 &&
1210 	    !(local->tx_rate_control & (1 << rateidx)))
1211 		return 0;
1212 
1213 	return 1;
1214 }
1215 
1216 
1217 static void prism2_check_tx_rates(struct sta_info *sta)
1218 {
1219 	int i;
1220 
1221 	sta->tx_supp_rates = 0;
1222 	for (i = 0; i < sizeof(sta->supported_rates); i++) {
1223 		if ((sta->supported_rates[i] & 0x7f) == 2)
1224 			sta->tx_supp_rates |= WLAN_RATE_1M;
1225 		if ((sta->supported_rates[i] & 0x7f) == 4)
1226 			sta->tx_supp_rates |= WLAN_RATE_2M;
1227 		if ((sta->supported_rates[i] & 0x7f) == 11)
1228 			sta->tx_supp_rates |= WLAN_RATE_5M5;
1229 		if ((sta->supported_rates[i] & 0x7f) == 22)
1230 			sta->tx_supp_rates |= WLAN_RATE_11M;
1231 	}
1232 	sta->tx_max_rate = sta->tx_rate = sta->tx_rate_idx = 0;
1233 	if (sta->tx_supp_rates & WLAN_RATE_1M) {
1234 		sta->tx_max_rate = 0;
1235 		if (ap_tx_rate_ok(0, sta, sta->local)) {
1236 			sta->tx_rate = 10;
1237 			sta->tx_rate_idx = 0;
1238 		}
1239 	}
1240 	if (sta->tx_supp_rates & WLAN_RATE_2M) {
1241 		sta->tx_max_rate = 1;
1242 		if (ap_tx_rate_ok(1, sta, sta->local)) {
1243 			sta->tx_rate = 20;
1244 			sta->tx_rate_idx = 1;
1245 		}
1246 	}
1247 	if (sta->tx_supp_rates & WLAN_RATE_5M5) {
1248 		sta->tx_max_rate = 2;
1249 		if (ap_tx_rate_ok(2, sta, sta->local)) {
1250 			sta->tx_rate = 55;
1251 			sta->tx_rate_idx = 2;
1252 		}
1253 	}
1254 	if (sta->tx_supp_rates & WLAN_RATE_11M) {
1255 		sta->tx_max_rate = 3;
1256 		if (ap_tx_rate_ok(3, sta, sta->local)) {
1257 			sta->tx_rate = 110;
1258 			sta->tx_rate_idx = 3;
1259 		}
1260 	}
1261 }
1262 
1263 
1264 #ifndef PRISM2_NO_KERNEL_IEEE80211_MGMT
1265 
1266 static void ap_crypt_init(struct ap_data *ap)
1267 {
1268 	ap->crypt = lib80211_get_crypto_ops("WEP");
1269 
1270 	if (ap->crypt) {
1271 		if (ap->crypt->init) {
1272 			ap->crypt_priv = ap->crypt->init(0);
1273 			if (ap->crypt_priv == NULL)
1274 				ap->crypt = NULL;
1275 			else {
1276 				u8 key[WEP_KEY_LEN];
1277 				get_random_bytes(key, WEP_KEY_LEN);
1278 				ap->crypt->set_key(key, WEP_KEY_LEN, NULL,
1279 						   ap->crypt_priv);
1280 			}
1281 		}
1282 	}
1283 
1284 	if (ap->crypt == NULL) {
1285 		printk(KERN_WARNING "AP could not initialize WEP: load module "
1286 		       "lib80211_crypt_wep.ko\n");
1287 	}
1288 }
1289 
1290 
1291 /* Generate challenge data for shared key authentication. IEEE 802.11 specifies
1292  * that WEP algorithm is used for generating challenge. This should be unique,
1293  * but otherwise there is not really need for randomness etc. Initialize WEP
1294  * with pseudo random key and then use increasing IV to get unique challenge
1295  * streams.
1296  *
1297  * Called only as a scheduled task for pending AP frames.
1298  */
1299 static char * ap_auth_make_challenge(struct ap_data *ap)
1300 {
1301 	char *tmpbuf;
1302 	struct sk_buff *skb;
1303 
1304 	if (ap->crypt == NULL) {
1305 		ap_crypt_init(ap);
1306 		if (ap->crypt == NULL)
1307 			return NULL;
1308 	}
1309 
1310 	tmpbuf = kmalloc(WLAN_AUTH_CHALLENGE_LEN, GFP_ATOMIC);
1311 	if (tmpbuf == NULL) {
1312 		PDEBUG(DEBUG_AP, "AP: kmalloc failed for challenge\n");
1313 		return NULL;
1314 	}
1315 
1316 	skb = dev_alloc_skb(WLAN_AUTH_CHALLENGE_LEN +
1317 			    ap->crypt->extra_mpdu_prefix_len +
1318 			    ap->crypt->extra_mpdu_postfix_len);
1319 	if (skb == NULL) {
1320 		kfree(tmpbuf);
1321 		return NULL;
1322 	}
1323 
1324 	skb_reserve(skb, ap->crypt->extra_mpdu_prefix_len);
1325 	skb_put_zero(skb, WLAN_AUTH_CHALLENGE_LEN);
1326 	if (ap->crypt->encrypt_mpdu(skb, 0, ap->crypt_priv)) {
1327 		dev_kfree_skb(skb);
1328 		kfree(tmpbuf);
1329 		return NULL;
1330 	}
1331 
1332 	skb_copy_from_linear_data_offset(skb, ap->crypt->extra_mpdu_prefix_len,
1333 					 tmpbuf, WLAN_AUTH_CHALLENGE_LEN);
1334 	dev_kfree_skb(skb);
1335 
1336 	return tmpbuf;
1337 }
1338 
1339 
1340 /* Called only as a scheduled task for pending AP frames. */
1341 static void handle_authen(local_info_t *local, struct sk_buff *skb,
1342 			  struct hostap_80211_rx_status *rx_stats)
1343 {
1344 	struct net_device *dev = local->dev;
1345 	struct ieee80211_hdr *hdr = (struct ieee80211_hdr *) skb->data;
1346 	size_t hdrlen;
1347 	struct ap_data *ap = local->ap;
1348 	char body[8 + WLAN_AUTH_CHALLENGE_LEN], *challenge = NULL;
1349 	int len, olen;
1350 	u16 auth_alg, auth_transaction, status_code;
1351 	__le16 *pos;
1352 	u16 resp = WLAN_STATUS_SUCCESS;
1353 	struct sta_info *sta = NULL;
1354 	struct lib80211_crypt_data *crypt;
1355 	char *txt = "";
1356 
1357 	len = skb->len - IEEE80211_MGMT_HDR_LEN;
1358 
1359 	hdrlen = hostap_80211_get_hdrlen(hdr->frame_control);
1360 
1361 	if (len < 6) {
1362 		PDEBUG(DEBUG_AP, "%s: handle_authen - too short payload "
1363 		       "(len=%d) from %pM\n", dev->name, len, hdr->addr2);
1364 		return;
1365 	}
1366 
1367 	spin_lock_bh(&local->ap->sta_table_lock);
1368 	sta = ap_get_sta(local->ap, hdr->addr2);
1369 	if (sta)
1370 		atomic_inc(&sta->users);
1371 	spin_unlock_bh(&local->ap->sta_table_lock);
1372 
1373 	if (sta && sta->crypt)
1374 		crypt = sta->crypt;
1375 	else {
1376 		int idx = 0;
1377 		if (skb->len >= hdrlen + 3)
1378 			idx = skb->data[hdrlen + 3] >> 6;
1379 		crypt = local->crypt_info.crypt[idx];
1380 	}
1381 
1382 	pos = (__le16 *) (skb->data + IEEE80211_MGMT_HDR_LEN);
1383 	auth_alg = __le16_to_cpu(*pos);
1384 	pos++;
1385 	auth_transaction = __le16_to_cpu(*pos);
1386 	pos++;
1387 	status_code = __le16_to_cpu(*pos);
1388 	pos++;
1389 
1390 	if (ether_addr_equal(dev->dev_addr, hdr->addr2) ||
1391 	    ap_control_mac_deny(&ap->mac_restrictions, hdr->addr2)) {
1392 		txt = "authentication denied";
1393 		resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1394 		goto fail;
1395 	}
1396 
1397 	if (((local->auth_algs & PRISM2_AUTH_OPEN) &&
1398 	     auth_alg == WLAN_AUTH_OPEN) ||
1399 	    ((local->auth_algs & PRISM2_AUTH_SHARED_KEY) &&
1400 	     crypt && auth_alg == WLAN_AUTH_SHARED_KEY)) {
1401 	} else {
1402 		txt = "unsupported algorithm";
1403 		resp = WLAN_STATUS_NOT_SUPPORTED_AUTH_ALG;
1404 		goto fail;
1405 	}
1406 
1407 	if (len >= 8) {
1408 		u8 *u = (u8 *) pos;
1409 		if (*u == WLAN_EID_CHALLENGE) {
1410 			if (*(u + 1) != WLAN_AUTH_CHALLENGE_LEN) {
1411 				txt = "invalid challenge len";
1412 				resp = WLAN_STATUS_CHALLENGE_FAIL;
1413 				goto fail;
1414 			}
1415 			if (len - 8 < WLAN_AUTH_CHALLENGE_LEN) {
1416 				txt = "challenge underflow";
1417 				resp = WLAN_STATUS_CHALLENGE_FAIL;
1418 				goto fail;
1419 			}
1420 			challenge = (char *) (u + 2);
1421 		}
1422 	}
1423 
1424 	if (sta && sta->ap) {
1425 		if (time_after(jiffies, sta->u.ap.last_beacon +
1426 			       (10 * sta->listen_interval * HZ) / 1024)) {
1427 			PDEBUG(DEBUG_AP, "%s: no beacons received for a while,"
1428 			       " assuming AP %pM is now STA\n",
1429 			       dev->name, sta->addr);
1430 			sta->ap = 0;
1431 			sta->flags = 0;
1432 			sta->u.sta.challenge = NULL;
1433 		} else {
1434 			txt = "AP trying to authenticate?";
1435 			resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1436 			goto fail;
1437 		}
1438 	}
1439 
1440 	if ((auth_alg == WLAN_AUTH_OPEN && auth_transaction == 1) ||
1441 	    (auth_alg == WLAN_AUTH_SHARED_KEY &&
1442 	     (auth_transaction == 1 ||
1443 	      (auth_transaction == 3 && sta != NULL &&
1444 	       sta->u.sta.challenge != NULL)))) {
1445 	} else {
1446 		txt = "unknown authentication transaction number";
1447 		resp = WLAN_STATUS_UNKNOWN_AUTH_TRANSACTION;
1448 		goto fail;
1449 	}
1450 
1451 	if (sta == NULL) {
1452 		txt = "new STA";
1453 
1454 		if (local->ap->num_sta >= MAX_STA_COUNT) {
1455 			/* FIX: might try to remove some old STAs first? */
1456 			txt = "no more room for new STAs";
1457 			resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1458 			goto fail;
1459 		}
1460 
1461 		sta = ap_add_sta(local->ap, hdr->addr2);
1462 		if (sta == NULL) {
1463 			txt = "ap_add_sta failed";
1464 			resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1465 			goto fail;
1466 		}
1467 	}
1468 
1469 	switch (auth_alg) {
1470 	case WLAN_AUTH_OPEN:
1471 		txt = "authOK";
1472 		/* IEEE 802.11 standard is not completely clear about
1473 		 * whether STA is considered authenticated after
1474 		 * authentication OK frame has been send or after it
1475 		 * has been ACKed. In order to reduce interoperability
1476 		 * issues, mark the STA authenticated before ACK. */
1477 		sta->flags |= WLAN_STA_AUTH;
1478 		break;
1479 
1480 	case WLAN_AUTH_SHARED_KEY:
1481 		if (auth_transaction == 1) {
1482 			if (sta->u.sta.challenge == NULL) {
1483 				sta->u.sta.challenge =
1484 					ap_auth_make_challenge(local->ap);
1485 				if (sta->u.sta.challenge == NULL) {
1486 					resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1487 					goto fail;
1488 				}
1489 			}
1490 		} else {
1491 			if (sta->u.sta.challenge == NULL ||
1492 			    challenge == NULL ||
1493 			    memcmp(sta->u.sta.challenge, challenge,
1494 				   WLAN_AUTH_CHALLENGE_LEN) != 0 ||
1495 			    !ieee80211_has_protected(hdr->frame_control)) {
1496 				txt = "challenge response incorrect";
1497 				resp = WLAN_STATUS_CHALLENGE_FAIL;
1498 				goto fail;
1499 			}
1500 
1501 			txt = "challenge OK - authOK";
1502 			/* IEEE 802.11 standard is not completely clear about
1503 			 * whether STA is considered authenticated after
1504 			 * authentication OK frame has been send or after it
1505 			 * has been ACKed. In order to reduce interoperability
1506 			 * issues, mark the STA authenticated before ACK. */
1507 			sta->flags |= WLAN_STA_AUTH;
1508 			kfree(sta->u.sta.challenge);
1509 			sta->u.sta.challenge = NULL;
1510 		}
1511 		break;
1512 	}
1513 
1514  fail:
1515 	pos = (__le16 *) body;
1516 	*pos = cpu_to_le16(auth_alg);
1517 	pos++;
1518 	*pos = cpu_to_le16(auth_transaction + 1);
1519 	pos++;
1520 	*pos = cpu_to_le16(resp); /* status_code */
1521 	pos++;
1522 	olen = 6;
1523 
1524 	if (resp == WLAN_STATUS_SUCCESS && sta != NULL &&
1525 	    sta->u.sta.challenge != NULL &&
1526 	    auth_alg == WLAN_AUTH_SHARED_KEY && auth_transaction == 1) {
1527 		u8 *tmp = (u8 *) pos;
1528 		*tmp++ = WLAN_EID_CHALLENGE;
1529 		*tmp++ = WLAN_AUTH_CHALLENGE_LEN;
1530 		pos++;
1531 		memcpy(pos, sta->u.sta.challenge, WLAN_AUTH_CHALLENGE_LEN);
1532 		olen += 2 + WLAN_AUTH_CHALLENGE_LEN;
1533 	}
1534 
1535 	prism2_send_mgmt(dev, IEEE80211_FTYPE_MGMT | IEEE80211_STYPE_AUTH,
1536 			 body, olen, hdr->addr2, ap->tx_callback_auth);
1537 
1538 	if (sta) {
1539 		sta->last_rx = jiffies;
1540 		atomic_dec(&sta->users);
1541 	}
1542 
1543 	if (resp) {
1544 		PDEBUG(DEBUG_AP, "%s: %pM auth (alg=%d "
1545 		       "trans#=%d stat=%d len=%d fc=%04x) ==> %d (%s)\n",
1546 		       dev->name, hdr->addr2,
1547 		       auth_alg, auth_transaction, status_code, len,
1548 		       le16_to_cpu(hdr->frame_control), resp, txt);
1549 	}
1550 }
1551 
1552 
1553 /* Called only as a scheduled task for pending AP frames. */
1554 static void handle_assoc(local_info_t *local, struct sk_buff *skb,
1555 			 struct hostap_80211_rx_status *rx_stats, int reassoc)
1556 {
1557 	struct net_device *dev = local->dev;
1558 	struct ieee80211_hdr *hdr = (struct ieee80211_hdr *) skb->data;
1559 	char body[12], *p, *lpos;
1560 	int len, left;
1561 	__le16 *pos;
1562 	u16 resp = WLAN_STATUS_SUCCESS;
1563 	struct sta_info *sta = NULL;
1564 	int send_deauth = 0;
1565 	char *txt = "";
1566 	u8 prev_ap[ETH_ALEN];
1567 
1568 	left = len = skb->len - IEEE80211_MGMT_HDR_LEN;
1569 
1570 	if (len < (reassoc ? 10 : 4)) {
1571 		PDEBUG(DEBUG_AP, "%s: handle_assoc - too short payload "
1572 		       "(len=%d, reassoc=%d) from %pM\n",
1573 		       dev->name, len, reassoc, hdr->addr2);
1574 		return;
1575 	}
1576 
1577 	spin_lock_bh(&local->ap->sta_table_lock);
1578 	sta = ap_get_sta(local->ap, hdr->addr2);
1579 	if (sta == NULL || (sta->flags & WLAN_STA_AUTH) == 0) {
1580 		spin_unlock_bh(&local->ap->sta_table_lock);
1581 		txt = "trying to associate before authentication";
1582 		send_deauth = 1;
1583 		resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1584 		sta = NULL; /* do not decrement sta->users */
1585 		goto fail;
1586 	}
1587 	atomic_inc(&sta->users);
1588 	spin_unlock_bh(&local->ap->sta_table_lock);
1589 
1590 	pos = (__le16 *) (skb->data + IEEE80211_MGMT_HDR_LEN);
1591 	sta->capability = __le16_to_cpu(*pos);
1592 	pos++; left -= 2;
1593 	sta->listen_interval = __le16_to_cpu(*pos);
1594 	pos++; left -= 2;
1595 
1596 	if (reassoc) {
1597 		memcpy(prev_ap, pos, ETH_ALEN);
1598 		pos++; pos++; pos++; left -= 6;
1599 	} else
1600 		eth_zero_addr(prev_ap);
1601 
1602 	if (left >= 2) {
1603 		unsigned int ileft;
1604 		unsigned char *u = (unsigned char *) pos;
1605 
1606 		if (*u == WLAN_EID_SSID) {
1607 			u++; left--;
1608 			ileft = *u;
1609 			u++; left--;
1610 
1611 			if (ileft > left || ileft > MAX_SSID_LEN) {
1612 				txt = "SSID overflow";
1613 				resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1614 				goto fail;
1615 			}
1616 
1617 			if (ileft != strlen(local->essid) ||
1618 			    memcmp(local->essid, u, ileft) != 0) {
1619 				txt = "not our SSID";
1620 				resp = WLAN_STATUS_ASSOC_DENIED_UNSPEC;
1621 				goto fail;
1622 			}
1623 
1624 			u += ileft;
1625 			left -= ileft;
1626 		}
1627 
1628 		if (left >= 2 && *u == WLAN_EID_SUPP_RATES) {
1629 			u++; left--;
1630 			ileft = *u;
1631 			u++; left--;
1632 
1633 			if (ileft > left || ileft == 0 ||
1634 			    ileft > WLAN_SUPP_RATES_MAX) {
1635 				txt = "SUPP_RATES len error";
1636 				resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1637 				goto fail;
1638 			}
1639 
1640 			memset(sta->supported_rates, 0,
1641 			       sizeof(sta->supported_rates));
1642 			memcpy(sta->supported_rates, u, ileft);
1643 			prism2_check_tx_rates(sta);
1644 
1645 			u += ileft;
1646 			left -= ileft;
1647 		}
1648 
1649 		if (left > 0) {
1650 			PDEBUG(DEBUG_AP, "%s: assoc from %pM"
1651 			       " with extra data (%d bytes) [",
1652 			       dev->name, hdr->addr2, left);
1653 			while (left > 0) {
1654 				PDEBUG2(DEBUG_AP, "<%02x>", *u);
1655 				u++; left--;
1656 			}
1657 			PDEBUG2(DEBUG_AP, "]\n");
1658 		}
1659 	} else {
1660 		txt = "frame underflow";
1661 		resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
1662 		goto fail;
1663 	}
1664 
1665 	/* get a unique AID */
1666 	if (sta->aid > 0)
1667 		txt = "OK, old AID";
1668 	else {
1669 		spin_lock_bh(&local->ap->sta_table_lock);
1670 		for (sta->aid = 1; sta->aid <= MAX_AID_TABLE_SIZE; sta->aid++)
1671 			if (local->ap->sta_aid[sta->aid - 1] == NULL)
1672 				break;
1673 		if (sta->aid > MAX_AID_TABLE_SIZE) {
1674 			sta->aid = 0;
1675 			spin_unlock_bh(&local->ap->sta_table_lock);
1676 			resp = WLAN_STATUS_AP_UNABLE_TO_HANDLE_NEW_STA;
1677 			txt = "no room for more AIDs";
1678 		} else {
1679 			local->ap->sta_aid[sta->aid - 1] = sta;
1680 			spin_unlock_bh(&local->ap->sta_table_lock);
1681 			txt = "OK, new AID";
1682 		}
1683 	}
1684 
1685  fail:
1686 	pos = (__le16 *) body;
1687 
1688 	if (send_deauth) {
1689 		*pos = cpu_to_le16(WLAN_REASON_STA_REQ_ASSOC_WITHOUT_AUTH);
1690 		pos++;
1691 	} else {
1692 		/* FIX: CF-Pollable and CF-PollReq should be set to match the
1693 		 * values in beacons/probe responses */
1694 		/* FIX: how about privacy and WEP? */
1695 		/* capability */
1696 		*pos = cpu_to_le16(WLAN_CAPABILITY_ESS);
1697 		pos++;
1698 
1699 		/* status_code */
1700 		*pos = cpu_to_le16(resp);
1701 		pos++;
1702 
1703 		*pos = cpu_to_le16((sta && sta->aid > 0 ? sta->aid : 0) |
1704 				     BIT(14) | BIT(15)); /* AID */
1705 		pos++;
1706 
1707 		/* Supported rates (Information element) */
1708 		p = (char *) pos;
1709 		*p++ = WLAN_EID_SUPP_RATES;
1710 		lpos = p;
1711 		*p++ = 0; /* len */
1712 		if (local->tx_rate_control & WLAN_RATE_1M) {
1713 			*p++ = local->basic_rates & WLAN_RATE_1M ? 0x82 : 0x02;
1714 			(*lpos)++;
1715 		}
1716 		if (local->tx_rate_control & WLAN_RATE_2M) {
1717 			*p++ = local->basic_rates & WLAN_RATE_2M ? 0x84 : 0x04;
1718 			(*lpos)++;
1719 		}
1720 		if (local->tx_rate_control & WLAN_RATE_5M5) {
1721 			*p++ = local->basic_rates & WLAN_RATE_5M5 ?
1722 				0x8b : 0x0b;
1723 			(*lpos)++;
1724 		}
1725 		if (local->tx_rate_control & WLAN_RATE_11M) {
1726 			*p++ = local->basic_rates & WLAN_RATE_11M ?
1727 				0x96 : 0x16;
1728 			(*lpos)++;
1729 		}
1730 		pos = (__le16 *) p;
1731 	}
1732 
1733 	prism2_send_mgmt(dev, IEEE80211_FTYPE_MGMT |
1734 			 (send_deauth ? IEEE80211_STYPE_DEAUTH :
1735 			  (reassoc ? IEEE80211_STYPE_REASSOC_RESP :
1736 			   IEEE80211_STYPE_ASSOC_RESP)),
1737 			 body, (u8 *) pos - (u8 *) body,
1738 			 hdr->addr2,
1739 			 send_deauth ? 0 : local->ap->tx_callback_assoc);
1740 
1741 	if (sta) {
1742 		if (resp == WLAN_STATUS_SUCCESS) {
1743 			sta->last_rx = jiffies;
1744 			/* STA will be marked associated from TX callback, if
1745 			 * AssocResp is ACKed */
1746 		}
1747 		atomic_dec(&sta->users);
1748 	}
1749 
1750 #if 0
1751 	PDEBUG(DEBUG_AP, "%s: %pM %sassoc (len=%d "
1752 	       "prev_ap=%pM) => %d(%d) (%s)\n",
1753 	       dev->name,
1754 	       hdr->addr2,
1755 	       reassoc ? "re" : "", len,
1756 	       prev_ap,
1757 	       resp, send_deauth, txt);
1758 #endif
1759 }
1760 
1761 
1762 /* Called only as a scheduled task for pending AP frames. */
1763 static void handle_deauth(local_info_t *local, struct sk_buff *skb,
1764 			  struct hostap_80211_rx_status *rx_stats)
1765 {
1766 	struct net_device *dev = local->dev;
1767 	struct ieee80211_hdr *hdr = (struct ieee80211_hdr *) skb->data;
1768 	char *body = (char *) (skb->data + IEEE80211_MGMT_HDR_LEN);
1769 	int len;
1770 	u16 reason_code;
1771 	__le16 *pos;
1772 	struct sta_info *sta = NULL;
1773 
1774 	len = skb->len - IEEE80211_MGMT_HDR_LEN;
1775 
1776 	if (len < 2) {
1777 		printk("handle_deauth - too short payload (len=%d)\n", len);
1778 		return;
1779 	}
1780 
1781 	pos = (__le16 *) body;
1782 	reason_code = le16_to_cpu(*pos);
1783 
1784 	PDEBUG(DEBUG_AP, "%s: deauthentication: %pM len=%d, "
1785 	       "reason_code=%d\n", dev->name, hdr->addr2,
1786 	       len, reason_code);
1787 
1788 	spin_lock_bh(&local->ap->sta_table_lock);
1789 	sta = ap_get_sta(local->ap, hdr->addr2);
1790 	if (sta != NULL) {
1791 		if ((sta->flags & WLAN_STA_ASSOC) && !sta->ap)
1792 			hostap_event_expired_sta(local->dev, sta);
1793 		sta->flags &= ~(WLAN_STA_AUTH | WLAN_STA_ASSOC);
1794 	}
1795 	spin_unlock_bh(&local->ap->sta_table_lock);
1796 	if (sta == NULL) {
1797 		printk("%s: deauthentication from %pM, "
1798 	       "reason_code=%d, but STA not authenticated\n", dev->name,
1799 		       hdr->addr2, reason_code);
1800 	}
1801 }
1802 
1803 
1804 /* Called only as a scheduled task for pending AP frames. */
1805 static void handle_disassoc(local_info_t *local, struct sk_buff *skb,
1806 			    struct hostap_80211_rx_status *rx_stats)
1807 {
1808 	struct net_device *dev = local->dev;
1809 	struct ieee80211_hdr *hdr = (struct ieee80211_hdr *) skb->data;
1810 	char *body = skb->data + IEEE80211_MGMT_HDR_LEN;
1811 	int len;
1812 	u16 reason_code;
1813 	__le16 *pos;
1814 	struct sta_info *sta = NULL;
1815 
1816 	len = skb->len - IEEE80211_MGMT_HDR_LEN;
1817 
1818 	if (len < 2) {
1819 		printk("handle_disassoc - too short payload (len=%d)\n", len);
1820 		return;
1821 	}
1822 
1823 	pos = (__le16 *) body;
1824 	reason_code = le16_to_cpu(*pos);
1825 
1826 	PDEBUG(DEBUG_AP, "%s: disassociation: %pM len=%d, "
1827 	       "reason_code=%d\n", dev->name, hdr->addr2,
1828 	       len, reason_code);
1829 
1830 	spin_lock_bh(&local->ap->sta_table_lock);
1831 	sta = ap_get_sta(local->ap, hdr->addr2);
1832 	if (sta != NULL) {
1833 		if ((sta->flags & WLAN_STA_ASSOC) && !sta->ap)
1834 			hostap_event_expired_sta(local->dev, sta);
1835 		sta->flags &= ~WLAN_STA_ASSOC;
1836 	}
1837 	spin_unlock_bh(&local->ap->sta_table_lock);
1838 	if (sta == NULL) {
1839 		printk("%s: disassociation from %pM, "
1840 		       "reason_code=%d, but STA not authenticated\n",
1841 		       dev->name, hdr->addr2, reason_code);
1842 	}
1843 }
1844 
1845 
1846 /* Called only as a scheduled task for pending AP frames. */
1847 static void ap_handle_data_nullfunc(local_info_t *local,
1848 				    struct ieee80211_hdr *hdr)
1849 {
1850 	struct net_device *dev = local->dev;
1851 
1852 	/* some STA f/w's seem to require control::ACK frame for
1853 	 * data::nullfunc, but at least Prism2 station f/w version 0.8.0 does
1854 	 * not send this..
1855 	 * send control::ACK for the data::nullfunc */
1856 
1857 	printk(KERN_DEBUG "Sending control::ACK for data::nullfunc\n");
1858 	prism2_send_mgmt(dev, IEEE80211_FTYPE_CTL | IEEE80211_STYPE_ACK,
1859 			 NULL, 0, hdr->addr2, 0);
1860 }
1861 
1862 
1863 /* Called only as a scheduled task for pending AP frames. */
1864 static void ap_handle_dropped_data(local_info_t *local,
1865 				   struct ieee80211_hdr *hdr)
1866 {
1867 	struct net_device *dev = local->dev;
1868 	struct sta_info *sta;
1869 	__le16 reason;
1870 
1871 	spin_lock_bh(&local->ap->sta_table_lock);
1872 	sta = ap_get_sta(local->ap, hdr->addr2);
1873 	if (sta)
1874 		atomic_inc(&sta->users);
1875 	spin_unlock_bh(&local->ap->sta_table_lock);
1876 
1877 	if (sta != NULL && (sta->flags & WLAN_STA_ASSOC)) {
1878 		PDEBUG(DEBUG_AP, "ap_handle_dropped_data: STA is now okay?\n");
1879 		atomic_dec(&sta->users);
1880 		return;
1881 	}
1882 
1883 	reason = cpu_to_le16(WLAN_REASON_CLASS3_FRAME_FROM_NONASSOC_STA);
1884 	prism2_send_mgmt(dev, IEEE80211_FTYPE_MGMT |
1885 			 ((sta == NULL || !(sta->flags & WLAN_STA_ASSOC)) ?
1886 			  IEEE80211_STYPE_DEAUTH : IEEE80211_STYPE_DISASSOC),
1887 			 (char *) &reason, sizeof(reason), hdr->addr2, 0);
1888 
1889 	if (sta)
1890 		atomic_dec(&sta->users);
1891 }
1892 
1893 #endif /* PRISM2_NO_KERNEL_IEEE80211_MGMT */
1894 
1895 
1896 /* Called only as a scheduled task for pending AP frames. */
1897 static void pspoll_send_buffered(local_info_t *local, struct sta_info *sta,
1898 				 struct sk_buff *skb)
1899 {
1900 	struct hostap_skb_tx_data *meta;
1901 
1902 	if (!(sta->flags & WLAN_STA_PS)) {
1903 		/* Station has moved to non-PS mode, so send all buffered
1904 		 * frames using normal device queue. */
1905 		dev_queue_xmit(skb);
1906 		return;
1907 	}
1908 
1909 	/* add a flag for hostap_handle_sta_tx() to know that this skb should
1910 	 * be passed through even though STA is using PS */
1911 	meta = (struct hostap_skb_tx_data *) skb->cb;
1912 	meta->flags |= HOSTAP_TX_FLAGS_BUFFERED_FRAME;
1913 	if (!skb_queue_empty(&sta->tx_buf)) {
1914 		/* indicate to STA that more frames follow */
1915 		meta->flags |= HOSTAP_TX_FLAGS_ADD_MOREDATA;
1916 	}
1917 	dev_queue_xmit(skb);
1918 }
1919 
1920 
1921 /* Called only as a scheduled task for pending AP frames. */
1922 static void handle_pspoll(local_info_t *local,
1923 			  struct ieee80211_hdr *hdr,
1924 			  struct hostap_80211_rx_status *rx_stats)
1925 {
1926 	struct net_device *dev = local->dev;
1927 	struct sta_info *sta;
1928 	u16 aid;
1929 	struct sk_buff *skb;
1930 
1931 	PDEBUG(DEBUG_PS2, "handle_pspoll: BSSID=%pM, TA=%pM PWRMGT=%d\n",
1932 	       hdr->addr1, hdr->addr2, !!ieee80211_has_pm(hdr->frame_control));
1933 
1934 	if (!ether_addr_equal(hdr->addr1, dev->dev_addr)) {
1935 		PDEBUG(DEBUG_AP,
1936 		       "handle_pspoll - addr1(BSSID)=%pM not own MAC\n",
1937 		       hdr->addr1);
1938 		return;
1939 	}
1940 
1941 	aid = le16_to_cpu(hdr->duration_id);
1942 	if ((aid & (BIT(15) | BIT(14))) != (BIT(15) | BIT(14))) {
1943 		PDEBUG(DEBUG_PS, "   PSPOLL and AID[15:14] not set\n");
1944 		return;
1945 	}
1946 	aid &= ~(BIT(15) | BIT(14));
1947 	if (aid == 0 || aid > MAX_AID_TABLE_SIZE) {
1948 		PDEBUG(DEBUG_PS, "   invalid aid=%d\n", aid);
1949 		return;
1950 	}
1951 	PDEBUG(DEBUG_PS2, "   aid=%d\n", aid);
1952 
1953 	spin_lock_bh(&local->ap->sta_table_lock);
1954 	sta = ap_get_sta(local->ap, hdr->addr2);
1955 	if (sta)
1956 		atomic_inc(&sta->users);
1957 	spin_unlock_bh(&local->ap->sta_table_lock);
1958 
1959 	if (sta == NULL) {
1960 		PDEBUG(DEBUG_PS, "   STA not found\n");
1961 		return;
1962 	}
1963 	if (sta->aid != aid) {
1964 		PDEBUG(DEBUG_PS, "   received aid=%i does not match with "
1965 		       "assoc.aid=%d\n", aid, sta->aid);
1966 		return;
1967 	}
1968 
1969 	/* FIX: todo:
1970 	 * - add timeout for buffering (clear aid in TIM vector if buffer timed
1971 	 *   out (expiry time must be longer than ListenInterval for
1972 	 *   the corresponding STA; "8802-11: 11.2.1.9 AP aging function"
1973 	 * - what to do, if buffered, pspolled, and sent frame is not ACKed by
1974 	 *   sta; store buffer for later use and leave TIM aid bit set? use
1975 	 *   TX event to check whether frame was ACKed?
1976 	 */
1977 
1978 	while ((skb = skb_dequeue(&sta->tx_buf)) != NULL) {
1979 		/* send buffered frame .. */
1980 		PDEBUG(DEBUG_PS2, "Sending buffered frame to STA after PS POLL"
1981 		       " (buffer_count=%d)\n", skb_queue_len(&sta->tx_buf));
1982 
1983 		pspoll_send_buffered(local, sta, skb);
1984 
1985 		if (sta->flags & WLAN_STA_PS) {
1986 			/* send only one buffered packet per PS Poll */
1987 			/* FIX: should ignore further PS Polls until the
1988 			 * buffered packet that was just sent is acknowledged
1989 			 * (Tx or TxExc event) */
1990 			break;
1991 		}
1992 	}
1993 
1994 	if (skb_queue_empty(&sta->tx_buf)) {
1995 		/* try to clear aid from TIM */
1996 		if (!(sta->flags & WLAN_STA_TIM))
1997 			PDEBUG(DEBUG_PS2,  "Re-unsetting TIM for aid %d\n",
1998 			       aid);
1999 		hostap_set_tim(local, aid, 0);
2000 		sta->flags &= ~WLAN_STA_TIM;
2001 	}
2002 
2003 	atomic_dec(&sta->users);
2004 }
2005 
2006 
2007 #ifndef PRISM2_NO_KERNEL_IEEE80211_MGMT
2008 
2009 static void handle_wds_oper_queue(struct work_struct *work)
2010 {
2011 	struct ap_data *ap = container_of(work, struct ap_data,
2012 					  wds_oper_queue);
2013 	local_info_t *local = ap->local;
2014 	struct wds_oper_data *entry, *prev;
2015 
2016 	spin_lock_bh(&local->lock);
2017 	entry = local->ap->wds_oper_entries;
2018 	local->ap->wds_oper_entries = NULL;
2019 	spin_unlock_bh(&local->lock);
2020 
2021 	while (entry) {
2022 		PDEBUG(DEBUG_AP, "%s: %s automatic WDS connection "
2023 		       "to AP %pM\n",
2024 		       local->dev->name,
2025 		       entry->type == WDS_ADD ? "adding" : "removing",
2026 		       entry->addr);
2027 		if (entry->type == WDS_ADD)
2028 			prism2_wds_add(local, entry->addr, 0);
2029 		else if (entry->type == WDS_DEL)
2030 			prism2_wds_del(local, entry->addr, 0, 1);
2031 
2032 		prev = entry;
2033 		entry = entry->next;
2034 		kfree(prev);
2035 	}
2036 }
2037 
2038 
2039 /* Called only as a scheduled task for pending AP frames. */
2040 static void handle_beacon(local_info_t *local, struct sk_buff *skb,
2041 			  struct hostap_80211_rx_status *rx_stats)
2042 {
2043 	struct ieee80211_hdr *hdr = (struct ieee80211_hdr *) skb->data;
2044 	char *body = skb->data + IEEE80211_MGMT_HDR_LEN;
2045 	int len, left;
2046 	u16 beacon_int, capability;
2047 	__le16 *pos;
2048 	char *ssid = NULL;
2049 	unsigned char *supp_rates = NULL;
2050 	int ssid_len = 0, supp_rates_len = 0;
2051 	struct sta_info *sta = NULL;
2052 	int new_sta = 0, channel = -1;
2053 
2054 	len = skb->len - IEEE80211_MGMT_HDR_LEN;
2055 
2056 	if (len < 8 + 2 + 2) {
2057 		printk(KERN_DEBUG "handle_beacon - too short payload "
2058 		       "(len=%d)\n", len);
2059 		return;
2060 	}
2061 
2062 	pos = (__le16 *) body;
2063 	left = len;
2064 
2065 	/* Timestamp (8 octets) */
2066 	pos += 4; left -= 8;
2067 	/* Beacon interval (2 octets) */
2068 	beacon_int = le16_to_cpu(*pos);
2069 	pos++; left -= 2;
2070 	/* Capability information (2 octets) */
2071 	capability = le16_to_cpu(*pos);
2072 	pos++; left -= 2;
2073 
2074 	if (local->ap->ap_policy != AP_OTHER_AP_EVEN_IBSS &&
2075 	    capability & WLAN_CAPABILITY_IBSS)
2076 		return;
2077 
2078 	if (left >= 2) {
2079 		unsigned int ileft;
2080 		unsigned char *u = (unsigned char *) pos;
2081 
2082 		if (*u == WLAN_EID_SSID) {
2083 			u++; left--;
2084 			ileft = *u;
2085 			u++; left--;
2086 
2087 			if (ileft > left || ileft > MAX_SSID_LEN) {
2088 				PDEBUG(DEBUG_AP, "SSID: overflow\n");
2089 				return;
2090 			}
2091 
2092 			if (local->ap->ap_policy == AP_OTHER_AP_SAME_SSID &&
2093 			    (ileft != strlen(local->essid) ||
2094 			     memcmp(local->essid, u, ileft) != 0)) {
2095 				/* not our SSID */
2096 				return;
2097 			}
2098 
2099 			ssid = u;
2100 			ssid_len = ileft;
2101 
2102 			u += ileft;
2103 			left -= ileft;
2104 		}
2105 
2106 		if (*u == WLAN_EID_SUPP_RATES) {
2107 			u++; left--;
2108 			ileft = *u;
2109 			u++; left--;
2110 
2111 			if (ileft > left || ileft == 0 || ileft > 8) {
2112 				PDEBUG(DEBUG_AP, " - SUPP_RATES len error\n");
2113 				return;
2114 			}
2115 
2116 			supp_rates = u;
2117 			supp_rates_len = ileft;
2118 
2119 			u += ileft;
2120 			left -= ileft;
2121 		}
2122 
2123 		if (*u == WLAN_EID_DS_PARAMS) {
2124 			u++; left--;
2125 			ileft = *u;
2126 			u++; left--;
2127 
2128 			if (ileft > left || ileft != 1) {
2129 				PDEBUG(DEBUG_AP, " - DS_PARAMS len error\n");
2130 				return;
2131 			}
2132 
2133 			channel = *u;
2134 
2135 			u += ileft;
2136 			left -= ileft;
2137 		}
2138 	}
2139 
2140 	spin_lock_bh(&local->ap->sta_table_lock);
2141 	sta = ap_get_sta(local->ap, hdr->addr2);
2142 	if (sta != NULL)
2143 		atomic_inc(&sta->users);
2144 	spin_unlock_bh(&local->ap->sta_table_lock);
2145 
2146 	if (sta == NULL) {
2147 		/* add new AP */
2148 		new_sta = 1;
2149 		sta = ap_add_sta(local->ap, hdr->addr2);
2150 		if (sta == NULL) {
2151 			printk(KERN_INFO "prism2: kmalloc failed for AP "
2152 			       "data structure\n");
2153 			return;
2154 		}
2155 		hostap_event_new_sta(local->dev, sta);
2156 
2157 		/* mark APs authentication and associated for pseudo ad-hoc
2158 		 * style communication */
2159 		sta->flags = WLAN_STA_AUTH | WLAN_STA_ASSOC;
2160 
2161 		if (local->ap->autom_ap_wds) {
2162 			hostap_wds_link_oper(local, sta->addr, WDS_ADD);
2163 		}
2164 	}
2165 
2166 	sta->ap = 1;
2167 	if (ssid) {
2168 		sta->u.ap.ssid_len = ssid_len;
2169 		memcpy(sta->u.ap.ssid, ssid, ssid_len);
2170 		sta->u.ap.ssid[ssid_len] = '\0';
2171 	} else {
2172 		sta->u.ap.ssid_len = 0;
2173 		sta->u.ap.ssid[0] = '\0';
2174 	}
2175 	sta->u.ap.channel = channel;
2176 	sta->rx_packets++;
2177 	sta->rx_bytes += len;
2178 	sta->u.ap.last_beacon = sta->last_rx = jiffies;
2179 	sta->capability = capability;
2180 	sta->listen_interval = beacon_int;
2181 
2182 	atomic_dec(&sta->users);
2183 
2184 	if (new_sta) {
2185 		memset(sta->supported_rates, 0, sizeof(sta->supported_rates));
2186 		memcpy(sta->supported_rates, supp_rates, supp_rates_len);
2187 		prism2_check_tx_rates(sta);
2188 	}
2189 }
2190 
2191 #endif /* PRISM2_NO_KERNEL_IEEE80211_MGMT */
2192 
2193 
2194 /* Called only as a tasklet. */
2195 static void handle_ap_item(local_info_t *local, struct sk_buff *skb,
2196 			   struct hostap_80211_rx_status *rx_stats)
2197 {
2198 #ifndef PRISM2_NO_KERNEL_IEEE80211_MGMT
2199 	struct net_device *dev = local->dev;
2200 #endif /* PRISM2_NO_KERNEL_IEEE80211_MGMT */
2201 	u16 fc, type, stype;
2202 	struct ieee80211_hdr *hdr;
2203 
2204 	/* FIX: should give skb->len to handler functions and check that the
2205 	 * buffer is long enough */
2206 	hdr = (struct ieee80211_hdr *) skb->data;
2207 	fc = le16_to_cpu(hdr->frame_control);
2208 	type = fc & IEEE80211_FCTL_FTYPE;
2209 	stype = fc & IEEE80211_FCTL_STYPE;
2210 
2211 #ifndef PRISM2_NO_KERNEL_IEEE80211_MGMT
2212 	if (!local->hostapd && type == IEEE80211_FTYPE_DATA) {
2213 		PDEBUG(DEBUG_AP, "handle_ap_item - data frame\n");
2214 
2215 		if (!(fc & IEEE80211_FCTL_TODS) ||
2216 		    (fc & IEEE80211_FCTL_FROMDS)) {
2217 			if (stype == IEEE80211_STYPE_NULLFUNC) {
2218 				/* no ToDS nullfunc seems to be used to check
2219 				 * AP association; so send reject message to
2220 				 * speed up re-association */
2221 				ap_handle_dropped_data(local, hdr);
2222 				goto done;
2223 			}
2224 			PDEBUG(DEBUG_AP, "   not ToDS frame (fc=0x%04x)\n",
2225 			       fc);
2226 			goto done;
2227 		}
2228 
2229 		if (!ether_addr_equal(hdr->addr1, dev->dev_addr)) {
2230 			PDEBUG(DEBUG_AP, "handle_ap_item - addr1(BSSID)=%pM"
2231 			       " not own MAC\n", hdr->addr1);
2232 			goto done;
2233 		}
2234 
2235 		if (local->ap->nullfunc_ack &&
2236 		    stype == IEEE80211_STYPE_NULLFUNC)
2237 			ap_handle_data_nullfunc(local, hdr);
2238 		else
2239 			ap_handle_dropped_data(local, hdr);
2240 		goto done;
2241 	}
2242 
2243 	if (type == IEEE80211_FTYPE_MGMT && stype == IEEE80211_STYPE_BEACON) {
2244 		handle_beacon(local, skb, rx_stats);
2245 		goto done;
2246 	}
2247 #endif /* PRISM2_NO_KERNEL_IEEE80211_MGMT */
2248 
2249 	if (type == IEEE80211_FTYPE_CTL && stype == IEEE80211_STYPE_PSPOLL) {
2250 		handle_pspoll(local, hdr, rx_stats);
2251 		goto done;
2252 	}
2253 
2254 	if (local->hostapd) {
2255 		PDEBUG(DEBUG_AP, "Unknown frame in AP queue: type=0x%02x "
2256 		       "subtype=0x%02x\n", type, stype);
2257 		goto done;
2258 	}
2259 
2260 #ifndef PRISM2_NO_KERNEL_IEEE80211_MGMT
2261 	if (type != IEEE80211_FTYPE_MGMT) {
2262 		PDEBUG(DEBUG_AP, "handle_ap_item - not a management frame?\n");
2263 		goto done;
2264 	}
2265 
2266 	if (!ether_addr_equal(hdr->addr1, dev->dev_addr)) {
2267 		PDEBUG(DEBUG_AP, "handle_ap_item - addr1(DA)=%pM"
2268 		       " not own MAC\n", hdr->addr1);
2269 		goto done;
2270 	}
2271 
2272 	if (!ether_addr_equal(hdr->addr3, dev->dev_addr)) {
2273 		PDEBUG(DEBUG_AP, "handle_ap_item - addr3(BSSID)=%pM"
2274 		       " not own MAC\n", hdr->addr3);
2275 		goto done;
2276 	}
2277 
2278 	switch (stype) {
2279 	case IEEE80211_STYPE_ASSOC_REQ:
2280 		handle_assoc(local, skb, rx_stats, 0);
2281 		break;
2282 	case IEEE80211_STYPE_ASSOC_RESP:
2283 		PDEBUG(DEBUG_AP, "==> ASSOC RESP (ignored)\n");
2284 		break;
2285 	case IEEE80211_STYPE_REASSOC_REQ:
2286 		handle_assoc(local, skb, rx_stats, 1);
2287 		break;
2288 	case IEEE80211_STYPE_REASSOC_RESP:
2289 		PDEBUG(DEBUG_AP, "==> REASSOC RESP (ignored)\n");
2290 		break;
2291 	case IEEE80211_STYPE_ATIM:
2292 		PDEBUG(DEBUG_AP, "==> ATIM (ignored)\n");
2293 		break;
2294 	case IEEE80211_STYPE_DISASSOC:
2295 		handle_disassoc(local, skb, rx_stats);
2296 		break;
2297 	case IEEE80211_STYPE_AUTH:
2298 		handle_authen(local, skb, rx_stats);
2299 		break;
2300 	case IEEE80211_STYPE_DEAUTH:
2301 		handle_deauth(local, skb, rx_stats);
2302 		break;
2303 	default:
2304 		PDEBUG(DEBUG_AP, "Unknown mgmt frame subtype 0x%02x\n",
2305 		       stype >> 4);
2306 		break;
2307 	}
2308 #endif /* PRISM2_NO_KERNEL_IEEE80211_MGMT */
2309 
2310  done:
2311 	dev_kfree_skb(skb);
2312 }
2313 
2314 
2315 /* Called only as a tasklet (software IRQ) */
2316 void hostap_rx(struct net_device *dev, struct sk_buff *skb,
2317 	       struct hostap_80211_rx_status *rx_stats)
2318 {
2319 	struct hostap_interface *iface;
2320 	local_info_t *local;
2321 	struct ieee80211_hdr *hdr;
2322 
2323 	iface = netdev_priv(dev);
2324 	local = iface->local;
2325 
2326 	if (skb->len < 16)
2327 		goto drop;
2328 
2329 	dev->stats.rx_packets++;
2330 
2331 	hdr = (struct ieee80211_hdr *) skb->data;
2332 
2333 	if (local->ap->ap_policy == AP_OTHER_AP_SKIP_ALL &&
2334 	    ieee80211_is_beacon(hdr->frame_control))
2335 		goto drop;
2336 
2337 	skb->protocol = cpu_to_be16(ETH_P_HOSTAP);
2338 	handle_ap_item(local, skb, rx_stats);
2339 	return;
2340 
2341  drop:
2342 	dev_kfree_skb(skb);
2343 }
2344 
2345 
2346 /* Called only as a tasklet (software IRQ) */
2347 static void schedule_packet_send(local_info_t *local, struct sta_info *sta)
2348 {
2349 	struct sk_buff *skb;
2350 	struct ieee80211_hdr *hdr;
2351 	struct hostap_80211_rx_status rx_stats;
2352 
2353 	if (skb_queue_empty(&sta->tx_buf))
2354 		return;
2355 
2356 	skb = dev_alloc_skb(16);
2357 	if (skb == NULL) {
2358 		printk(KERN_DEBUG "%s: schedule_packet_send: skb alloc "
2359 		       "failed\n", local->dev->name);
2360 		return;
2361 	}
2362 
2363 	hdr = skb_put(skb, 16);
2364 
2365 	/* Generate a fake pspoll frame to start packet delivery */
2366 	hdr->frame_control = cpu_to_le16(
2367 		IEEE80211_FTYPE_CTL | IEEE80211_STYPE_PSPOLL);
2368 	memcpy(hdr->addr1, local->dev->dev_addr, ETH_ALEN);
2369 	memcpy(hdr->addr2, sta->addr, ETH_ALEN);
2370 	hdr->duration_id = cpu_to_le16(sta->aid | BIT(15) | BIT(14));
2371 
2372 	PDEBUG(DEBUG_PS2,
2373 	       "%s: Scheduling buffered packet delivery for STA %pM\n",
2374 	       local->dev->name, sta->addr);
2375 
2376 	skb->dev = local->dev;
2377 
2378 	memset(&rx_stats, 0, sizeof(rx_stats));
2379 	hostap_rx(local->dev, skb, &rx_stats);
2380 }
2381 
2382 
2383 int prism2_ap_get_sta_qual(local_info_t *local, struct sockaddr addr[],
2384 			   struct iw_quality qual[], int buf_size,
2385 			   int aplist)
2386 {
2387 	struct ap_data *ap = local->ap;
2388 	struct list_head *ptr;
2389 	int count = 0;
2390 
2391 	spin_lock_bh(&ap->sta_table_lock);
2392 
2393 	for (ptr = ap->sta_list.next; ptr != NULL && ptr != &ap->sta_list;
2394 	     ptr = ptr->next) {
2395 		struct sta_info *sta = (struct sta_info *) ptr;
2396 
2397 		if (aplist && !sta->ap)
2398 			continue;
2399 		addr[count].sa_family = ARPHRD_ETHER;
2400 		memcpy(addr[count].sa_data, sta->addr, ETH_ALEN);
2401 		if (sta->last_rx_silence == 0)
2402 			qual[count].qual = sta->last_rx_signal < 27 ?
2403 				0 : (sta->last_rx_signal - 27) * 92 / 127;
2404 		else
2405 			qual[count].qual = sta->last_rx_signal -
2406 				sta->last_rx_silence - 35;
2407 		qual[count].level = HFA384X_LEVEL_TO_dBm(sta->last_rx_signal);
2408 		qual[count].noise = HFA384X_LEVEL_TO_dBm(sta->last_rx_silence);
2409 		qual[count].updated = sta->last_rx_updated;
2410 
2411 		sta->last_rx_updated = IW_QUAL_DBM;
2412 
2413 		count++;
2414 		if (count >= buf_size)
2415 			break;
2416 	}
2417 	spin_unlock_bh(&ap->sta_table_lock);
2418 
2419 	return count;
2420 }
2421 
2422 
2423 /* Translate our list of Access Points & Stations to a card independent
2424  * format that the Wireless Tools will understand - Jean II */
2425 int prism2_ap_translate_scan(struct net_device *dev,
2426 			     struct iw_request_info *info, char *buffer)
2427 {
2428 	struct hostap_interface *iface;
2429 	local_info_t *local;
2430 	struct ap_data *ap;
2431 	struct list_head *ptr;
2432 	struct iw_event iwe;
2433 	char *current_ev = buffer;
2434 	char *end_buf = buffer + IW_SCAN_MAX_DATA;
2435 #if !defined(PRISM2_NO_KERNEL_IEEE80211_MGMT)
2436 	char buf[64];
2437 #endif
2438 
2439 	iface = netdev_priv(dev);
2440 	local = iface->local;
2441 	ap = local->ap;
2442 
2443 	spin_lock_bh(&ap->sta_table_lock);
2444 
2445 	for (ptr = ap->sta_list.next; ptr != NULL && ptr != &ap->sta_list;
2446 	     ptr = ptr->next) {
2447 		struct sta_info *sta = (struct sta_info *) ptr;
2448 
2449 		/* First entry *MUST* be the AP MAC address */
2450 		memset(&iwe, 0, sizeof(iwe));
2451 		iwe.cmd = SIOCGIWAP;
2452 		iwe.u.ap_addr.sa_family = ARPHRD_ETHER;
2453 		memcpy(iwe.u.ap_addr.sa_data, sta->addr, ETH_ALEN);
2454 		iwe.len = IW_EV_ADDR_LEN;
2455 		current_ev = iwe_stream_add_event(info, current_ev, end_buf,
2456 						  &iwe, IW_EV_ADDR_LEN);
2457 
2458 		/* Use the mode to indicate if it's a station or
2459 		 * an Access Point */
2460 		memset(&iwe, 0, sizeof(iwe));
2461 		iwe.cmd = SIOCGIWMODE;
2462 		if (sta->ap)
2463 			iwe.u.mode = IW_MODE_MASTER;
2464 		else
2465 			iwe.u.mode = IW_MODE_INFRA;
2466 		iwe.len = IW_EV_UINT_LEN;
2467 		current_ev = iwe_stream_add_event(info, current_ev, end_buf,
2468 						  &iwe, IW_EV_UINT_LEN);
2469 
2470 		/* Some quality */
2471 		memset(&iwe, 0, sizeof(iwe));
2472 		iwe.cmd = IWEVQUAL;
2473 		if (sta->last_rx_silence == 0)
2474 			iwe.u.qual.qual = sta->last_rx_signal < 27 ?
2475 				0 : (sta->last_rx_signal - 27) * 92 / 127;
2476 		else
2477 			iwe.u.qual.qual = sta->last_rx_signal -
2478 				sta->last_rx_silence - 35;
2479 		iwe.u.qual.level = HFA384X_LEVEL_TO_dBm(sta->last_rx_signal);
2480 		iwe.u.qual.noise = HFA384X_LEVEL_TO_dBm(sta->last_rx_silence);
2481 		iwe.u.qual.updated = sta->last_rx_updated;
2482 		iwe.len = IW_EV_QUAL_LEN;
2483 		current_ev = iwe_stream_add_event(info, current_ev, end_buf,
2484 						  &iwe, IW_EV_QUAL_LEN);
2485 
2486 #ifndef PRISM2_NO_KERNEL_IEEE80211_MGMT
2487 		if (sta->ap) {
2488 			memset(&iwe, 0, sizeof(iwe));
2489 			iwe.cmd = SIOCGIWESSID;
2490 			iwe.u.data.length = sta->u.ap.ssid_len;
2491 			iwe.u.data.flags = 1;
2492 			current_ev = iwe_stream_add_point(info, current_ev,
2493 							  end_buf, &iwe,
2494 							  sta->u.ap.ssid);
2495 
2496 			memset(&iwe, 0, sizeof(iwe));
2497 			iwe.cmd = SIOCGIWENCODE;
2498 			if (sta->capability & WLAN_CAPABILITY_PRIVACY)
2499 				iwe.u.data.flags =
2500 					IW_ENCODE_ENABLED | IW_ENCODE_NOKEY;
2501 			else
2502 				iwe.u.data.flags = IW_ENCODE_DISABLED;
2503 			current_ev = iwe_stream_add_point(info, current_ev,
2504 							  end_buf, &iwe,
2505 							  sta->u.ap.ssid);
2506 
2507 			if (sta->u.ap.channel > 0 &&
2508 			    sta->u.ap.channel <= FREQ_COUNT) {
2509 				memset(&iwe, 0, sizeof(iwe));
2510 				iwe.cmd = SIOCGIWFREQ;
2511 				iwe.u.freq.m = freq_list[sta->u.ap.channel - 1]
2512 					* 100000;
2513 				iwe.u.freq.e = 1;
2514 				current_ev = iwe_stream_add_event(
2515 					info, current_ev, end_buf, &iwe,
2516 					IW_EV_FREQ_LEN);
2517 			}
2518 
2519 			memset(&iwe, 0, sizeof(iwe));
2520 			iwe.cmd = IWEVCUSTOM;
2521 			sprintf(buf, "beacon_interval=%d",
2522 				sta->listen_interval);
2523 			iwe.u.data.length = strlen(buf);
2524 			current_ev = iwe_stream_add_point(info, current_ev,
2525 							  end_buf, &iwe, buf);
2526 		}
2527 #endif /* PRISM2_NO_KERNEL_IEEE80211_MGMT */
2528 
2529 		sta->last_rx_updated = IW_QUAL_DBM;
2530 
2531 		/* To be continued, we should make good use of IWEVCUSTOM */
2532 	}
2533 
2534 	spin_unlock_bh(&ap->sta_table_lock);
2535 
2536 	return current_ev - buffer;
2537 }
2538 
2539 
2540 static int prism2_hostapd_add_sta(struct ap_data *ap,
2541 				  struct prism2_hostapd_param *param)
2542 {
2543 	struct sta_info *sta;
2544 
2545 	spin_lock_bh(&ap->sta_table_lock);
2546 	sta = ap_get_sta(ap, param->sta_addr);
2547 	if (sta)
2548 		atomic_inc(&sta->users);
2549 	spin_unlock_bh(&ap->sta_table_lock);
2550 
2551 	if (sta == NULL) {
2552 		sta = ap_add_sta(ap, param->sta_addr);
2553 		if (sta == NULL)
2554 			return -1;
2555 	}
2556 
2557 	if (!(sta->flags & WLAN_STA_ASSOC) && !sta->ap && sta->local)
2558 		hostap_event_new_sta(sta->local->dev, sta);
2559 
2560 	sta->flags |= WLAN_STA_AUTH | WLAN_STA_ASSOC;
2561 	sta->last_rx = jiffies;
2562 	sta->aid = param->u.add_sta.aid;
2563 	sta->capability = param->u.add_sta.capability;
2564 	sta->tx_supp_rates = param->u.add_sta.tx_supp_rates;
2565 	if (sta->tx_supp_rates & WLAN_RATE_1M)
2566 		sta->supported_rates[0] = 2;
2567 	if (sta->tx_supp_rates & WLAN_RATE_2M)
2568 		sta->supported_rates[1] = 4;
2569  	if (sta->tx_supp_rates & WLAN_RATE_5M5)
2570 		sta->supported_rates[2] = 11;
2571 	if (sta->tx_supp_rates & WLAN_RATE_11M)
2572 		sta->supported_rates[3] = 22;
2573 	prism2_check_tx_rates(sta);
2574 	atomic_dec(&sta->users);
2575 	return 0;
2576 }
2577 
2578 
2579 static int prism2_hostapd_remove_sta(struct ap_data *ap,
2580 				     struct prism2_hostapd_param *param)
2581 {
2582 	struct sta_info *sta;
2583 
2584 	spin_lock_bh(&ap->sta_table_lock);
2585 	sta = ap_get_sta(ap, param->sta_addr);
2586 	if (sta) {
2587 		ap_sta_hash_del(ap, sta);
2588 		list_del(&sta->list);
2589 	}
2590 	spin_unlock_bh(&ap->sta_table_lock);
2591 
2592 	if (!sta)
2593 		return -ENOENT;
2594 
2595 	if ((sta->flags & WLAN_STA_ASSOC) && !sta->ap && sta->local)
2596 		hostap_event_expired_sta(sta->local->dev, sta);
2597 	ap_free_sta(ap, sta);
2598 
2599 	return 0;
2600 }
2601 
2602 
2603 static int prism2_hostapd_get_info_sta(struct ap_data *ap,
2604 				       struct prism2_hostapd_param *param)
2605 {
2606 	struct sta_info *sta;
2607 
2608 	spin_lock_bh(&ap->sta_table_lock);
2609 	sta = ap_get_sta(ap, param->sta_addr);
2610 	if (sta)
2611 		atomic_inc(&sta->users);
2612 	spin_unlock_bh(&ap->sta_table_lock);
2613 
2614 	if (!sta)
2615 		return -ENOENT;
2616 
2617 	param->u.get_info_sta.inactive_sec = (jiffies - sta->last_rx) / HZ;
2618 
2619 	atomic_dec(&sta->users);
2620 
2621 	return 1;
2622 }
2623 
2624 
2625 static int prism2_hostapd_set_flags_sta(struct ap_data *ap,
2626 					struct prism2_hostapd_param *param)
2627 {
2628 	struct sta_info *sta;
2629 
2630 	spin_lock_bh(&ap->sta_table_lock);
2631 	sta = ap_get_sta(ap, param->sta_addr);
2632 	if (sta) {
2633 		sta->flags |= param->u.set_flags_sta.flags_or;
2634 		sta->flags &= param->u.set_flags_sta.flags_and;
2635 	}
2636 	spin_unlock_bh(&ap->sta_table_lock);
2637 
2638 	if (!sta)
2639 		return -ENOENT;
2640 
2641 	return 0;
2642 }
2643 
2644 
2645 static int prism2_hostapd_sta_clear_stats(struct ap_data *ap,
2646 					  struct prism2_hostapd_param *param)
2647 {
2648 	struct sta_info *sta;
2649 	int rate;
2650 
2651 	spin_lock_bh(&ap->sta_table_lock);
2652 	sta = ap_get_sta(ap, param->sta_addr);
2653 	if (sta) {
2654 		sta->rx_packets = sta->tx_packets = 0;
2655 		sta->rx_bytes = sta->tx_bytes = 0;
2656 		for (rate = 0; rate < WLAN_RATE_COUNT; rate++) {
2657 			sta->tx_count[rate] = 0;
2658 			sta->rx_count[rate] = 0;
2659 		}
2660 	}
2661 	spin_unlock_bh(&ap->sta_table_lock);
2662 
2663 	if (!sta)
2664 		return -ENOENT;
2665 
2666 	return 0;
2667 }
2668 
2669 
2670 int prism2_hostapd(struct ap_data *ap, struct prism2_hostapd_param *param)
2671 {
2672 	switch (param->cmd) {
2673 	case PRISM2_HOSTAPD_FLUSH:
2674 		ap_control_kickall(ap);
2675 		return 0;
2676 	case PRISM2_HOSTAPD_ADD_STA:
2677 		return prism2_hostapd_add_sta(ap, param);
2678 	case PRISM2_HOSTAPD_REMOVE_STA:
2679 		return prism2_hostapd_remove_sta(ap, param);
2680 	case PRISM2_HOSTAPD_GET_INFO_STA:
2681 		return prism2_hostapd_get_info_sta(ap, param);
2682 	case PRISM2_HOSTAPD_SET_FLAGS_STA:
2683 		return prism2_hostapd_set_flags_sta(ap, param);
2684 	case PRISM2_HOSTAPD_STA_CLEAR_STATS:
2685 		return prism2_hostapd_sta_clear_stats(ap, param);
2686 	default:
2687 		printk(KERN_WARNING "prism2_hostapd: unknown cmd=%d\n",
2688 		       param->cmd);
2689 		return -EOPNOTSUPP;
2690 	}
2691 }
2692 
2693 
2694 /* Update station info for host-based TX rate control and return current
2695  * TX rate */
2696 static int ap_update_sta_tx_rate(struct sta_info *sta, struct net_device *dev)
2697 {
2698 	int ret = sta->tx_rate;
2699 	struct hostap_interface *iface;
2700 	local_info_t *local;
2701 
2702 	iface = netdev_priv(dev);
2703 	local = iface->local;
2704 
2705 	sta->tx_count[sta->tx_rate_idx]++;
2706 	sta->tx_since_last_failure++;
2707 	sta->tx_consecutive_exc = 0;
2708 	if (sta->tx_since_last_failure >= WLAN_RATE_UPDATE_COUNT &&
2709 	    sta->tx_rate_idx < sta->tx_max_rate) {
2710 		/* use next higher rate */
2711 		int old_rate, new_rate;
2712 		old_rate = new_rate = sta->tx_rate_idx;
2713 		while (new_rate < sta->tx_max_rate) {
2714 			new_rate++;
2715 			if (ap_tx_rate_ok(new_rate, sta, local)) {
2716 				sta->tx_rate_idx = new_rate;
2717 				break;
2718 			}
2719 		}
2720 		if (old_rate != sta->tx_rate_idx) {
2721 			switch (sta->tx_rate_idx) {
2722 			case 0: sta->tx_rate = 10; break;
2723 			case 1: sta->tx_rate = 20; break;
2724 			case 2: sta->tx_rate = 55; break;
2725 			case 3: sta->tx_rate = 110; break;
2726 			default: sta->tx_rate = 0; break;
2727 			}
2728 			PDEBUG(DEBUG_AP, "%s: STA %pM TX rate raised to %d\n",
2729 			       dev->name, sta->addr, sta->tx_rate);
2730 		}
2731 		sta->tx_since_last_failure = 0;
2732 	}
2733 
2734 	return ret;
2735 }
2736 
2737 
2738 /* Called only from software IRQ. Called for each TX frame prior possible
2739  * encryption and transmit. */
2740 ap_tx_ret hostap_handle_sta_tx(local_info_t *local, struct hostap_tx_data *tx)
2741 {
2742 	struct sta_info *sta = NULL;
2743 	struct sk_buff *skb = tx->skb;
2744 	int set_tim, ret;
2745 	struct ieee80211_hdr *hdr;
2746 	struct hostap_skb_tx_data *meta;
2747 
2748 	meta = (struct hostap_skb_tx_data *) skb->cb;
2749 	ret = AP_TX_CONTINUE;
2750 	if (local->ap == NULL || skb->len < 10 ||
2751 	    meta->iface->type == HOSTAP_INTERFACE_STA)
2752 		goto out;
2753 
2754 	hdr = (struct ieee80211_hdr *) skb->data;
2755 
2756 	if (hdr->addr1[0] & 0x01) {
2757 		/* broadcast/multicast frame - no AP related processing */
2758 		if (local->ap->num_sta <= 0)
2759 			ret = AP_TX_DROP;
2760 		goto out;
2761 	}
2762 
2763 	/* unicast packet - check whether destination STA is associated */
2764 	spin_lock(&local->ap->sta_table_lock);
2765 	sta = ap_get_sta(local->ap, hdr->addr1);
2766 	if (sta)
2767 		atomic_inc(&sta->users);
2768 	spin_unlock(&local->ap->sta_table_lock);
2769 
2770 	if (local->iw_mode == IW_MODE_MASTER && sta == NULL &&
2771 	    !(meta->flags & HOSTAP_TX_FLAGS_WDS) &&
2772 	    meta->iface->type != HOSTAP_INTERFACE_MASTER &&
2773 	    meta->iface->type != HOSTAP_INTERFACE_AP) {
2774 #if 0
2775 		/* This can happen, e.g., when wlan0 is added to a bridge and
2776 		 * bridging code does not know which port is the correct target
2777 		 * for a unicast frame. In this case, the packet is send to all
2778 		 * ports of the bridge. Since this is a valid scenario, do not
2779 		 * print out any errors here. */
2780 		if (net_ratelimit()) {
2781 			printk(KERN_DEBUG "AP: drop packet to non-associated "
2782 			       "STA %pM\n", hdr->addr1);
2783 		}
2784 #endif
2785 		local->ap->tx_drop_nonassoc++;
2786 		ret = AP_TX_DROP;
2787 		goto out;
2788 	}
2789 
2790 	if (sta == NULL)
2791 		goto out;
2792 
2793 	if (!(sta->flags & WLAN_STA_AUTHORIZED))
2794 		ret = AP_TX_CONTINUE_NOT_AUTHORIZED;
2795 
2796 	/* Set tx_rate if using host-based TX rate control */
2797 	if (!local->fw_tx_rate_control)
2798 		local->ap->last_tx_rate = meta->rate =
2799 			ap_update_sta_tx_rate(sta, local->dev);
2800 
2801 	if (local->iw_mode != IW_MODE_MASTER)
2802 		goto out;
2803 
2804 	if (!(sta->flags & WLAN_STA_PS))
2805 		goto out;
2806 
2807 	if (meta->flags & HOSTAP_TX_FLAGS_ADD_MOREDATA) {
2808 		/* indicate to STA that more frames follow */
2809 		hdr->frame_control |=
2810 			cpu_to_le16(IEEE80211_FCTL_MOREDATA);
2811 	}
2812 
2813 	if (meta->flags & HOSTAP_TX_FLAGS_BUFFERED_FRAME) {
2814 		/* packet was already buffered and now send due to
2815 		 * PS poll, so do not rebuffer it */
2816 		goto out;
2817 	}
2818 
2819 	if (skb_queue_len(&sta->tx_buf) >= STA_MAX_TX_BUFFER) {
2820 		PDEBUG(DEBUG_PS, "%s: No more space in STA (%pM)'s"
2821 		       "PS mode buffer\n",
2822 		       local->dev->name, sta->addr);
2823 		/* Make sure that TIM is set for the station (it might not be
2824 		 * after AP wlan hw reset). */
2825 		/* FIX: should fix hw reset to restore bits based on STA
2826 		 * buffer state.. */
2827 		hostap_set_tim(local, sta->aid, 1);
2828 		sta->flags |= WLAN_STA_TIM;
2829 		ret = AP_TX_DROP;
2830 		goto out;
2831 	}
2832 
2833 	/* STA in PS mode, buffer frame for later delivery */
2834 	set_tim = skb_queue_empty(&sta->tx_buf);
2835 	skb_queue_tail(&sta->tx_buf, skb);
2836 	/* FIX: could save RX time to skb and expire buffered frames after
2837 	 * some time if STA does not poll for them */
2838 
2839 	if (set_tim) {
2840 		if (sta->flags & WLAN_STA_TIM)
2841 			PDEBUG(DEBUG_PS2, "Re-setting TIM for aid %d\n",
2842 			       sta->aid);
2843 		hostap_set_tim(local, sta->aid, 1);
2844 		sta->flags |= WLAN_STA_TIM;
2845 	}
2846 
2847 	ret = AP_TX_BUFFERED;
2848 
2849  out:
2850 	if (sta != NULL) {
2851 		if (ret == AP_TX_CONTINUE ||
2852 		    ret == AP_TX_CONTINUE_NOT_AUTHORIZED) {
2853 			sta->tx_packets++;
2854 			sta->tx_bytes += skb->len;
2855 			sta->last_tx = jiffies;
2856 		}
2857 
2858 		if ((ret == AP_TX_CONTINUE ||
2859 		     ret == AP_TX_CONTINUE_NOT_AUTHORIZED) &&
2860 		    sta->crypt && tx->host_encrypt) {
2861 			tx->crypt = sta->crypt;
2862 			tx->sta_ptr = sta; /* hostap_handle_sta_release() will
2863 					    * be called to release sta info
2864 					    * later */
2865 		} else
2866 			atomic_dec(&sta->users);
2867 	}
2868 
2869 	return ret;
2870 }
2871 
2872 
2873 void hostap_handle_sta_release(void *ptr)
2874 {
2875 	struct sta_info *sta = ptr;
2876 	atomic_dec(&sta->users);
2877 }
2878 
2879 
2880 /* Called only as a tasklet (software IRQ) */
2881 void hostap_handle_sta_tx_exc(local_info_t *local, struct sk_buff *skb)
2882 {
2883 	struct sta_info *sta;
2884 	struct ieee80211_hdr *hdr;
2885 	struct hostap_skb_tx_data *meta;
2886 
2887 	hdr = (struct ieee80211_hdr *) skb->data;
2888 	meta = (struct hostap_skb_tx_data *) skb->cb;
2889 
2890 	spin_lock(&local->ap->sta_table_lock);
2891 	sta = ap_get_sta(local->ap, hdr->addr1);
2892 	if (!sta) {
2893 		spin_unlock(&local->ap->sta_table_lock);
2894 		PDEBUG(DEBUG_AP, "%s: Could not find STA %pM"
2895 		       " for this TX error (@%lu)\n",
2896 		       local->dev->name, hdr->addr1, jiffies);
2897 		return;
2898 	}
2899 
2900 	sta->tx_since_last_failure = 0;
2901 	sta->tx_consecutive_exc++;
2902 
2903 	if (sta->tx_consecutive_exc >= WLAN_RATE_DECREASE_THRESHOLD &&
2904 	    sta->tx_rate_idx > 0 && meta->rate <= sta->tx_rate) {
2905 		/* use next lower rate */
2906 		int old, rate;
2907 		old = rate = sta->tx_rate_idx;
2908 		while (rate > 0) {
2909 			rate--;
2910 			if (ap_tx_rate_ok(rate, sta, local)) {
2911 				sta->tx_rate_idx = rate;
2912 				break;
2913 			}
2914 		}
2915 		if (old != sta->tx_rate_idx) {
2916 			switch (sta->tx_rate_idx) {
2917 			case 0: sta->tx_rate = 10; break;
2918 			case 1: sta->tx_rate = 20; break;
2919 			case 2: sta->tx_rate = 55; break;
2920 			case 3: sta->tx_rate = 110; break;
2921 			default: sta->tx_rate = 0; break;
2922 			}
2923 			PDEBUG(DEBUG_AP,
2924 			       "%s: STA %pM TX rate lowered to %d\n",
2925 			       local->dev->name, sta->addr, sta->tx_rate);
2926 		}
2927 		sta->tx_consecutive_exc = 0;
2928 	}
2929 	spin_unlock(&local->ap->sta_table_lock);
2930 }
2931 
2932 
2933 static void hostap_update_sta_ps2(local_info_t *local, struct sta_info *sta,
2934 				  int pwrmgt, int type, int stype)
2935 {
2936 	if (pwrmgt && !(sta->flags & WLAN_STA_PS)) {
2937 		sta->flags |= WLAN_STA_PS;
2938 		PDEBUG(DEBUG_PS2, "STA %pM changed to use PS "
2939 		       "mode (type=0x%02X, stype=0x%02X)\n",
2940 		       sta->addr, type >> 2, stype >> 4);
2941 	} else if (!pwrmgt && (sta->flags & WLAN_STA_PS)) {
2942 		sta->flags &= ~WLAN_STA_PS;
2943 		PDEBUG(DEBUG_PS2, "STA %pM changed to not use "
2944 		       "PS mode (type=0x%02X, stype=0x%02X)\n",
2945 		       sta->addr, type >> 2, stype >> 4);
2946 		if (type != IEEE80211_FTYPE_CTL ||
2947 		    stype != IEEE80211_STYPE_PSPOLL)
2948 			schedule_packet_send(local, sta);
2949 	}
2950 }
2951 
2952 
2953 /* Called only as a tasklet (software IRQ). Called for each RX frame to update
2954  * STA power saving state. pwrmgt is a flag from 802.11 frame_control field. */
2955 int hostap_update_sta_ps(local_info_t *local, struct ieee80211_hdr *hdr)
2956 {
2957 	struct sta_info *sta;
2958 	u16 fc;
2959 
2960 	spin_lock(&local->ap->sta_table_lock);
2961 	sta = ap_get_sta(local->ap, hdr->addr2);
2962 	if (sta)
2963 		atomic_inc(&sta->users);
2964 	spin_unlock(&local->ap->sta_table_lock);
2965 
2966 	if (!sta)
2967 		return -1;
2968 
2969 	fc = le16_to_cpu(hdr->frame_control);
2970 	hostap_update_sta_ps2(local, sta, fc & IEEE80211_FCTL_PM,
2971 			      fc & IEEE80211_FCTL_FTYPE,
2972 			      fc & IEEE80211_FCTL_STYPE);
2973 
2974 	atomic_dec(&sta->users);
2975 	return 0;
2976 }
2977 
2978 
2979 /* Called only as a tasklet (software IRQ). Called for each RX frame after
2980  * getting RX header and payload from hardware. */
2981 ap_rx_ret hostap_handle_sta_rx(local_info_t *local, struct net_device *dev,
2982 			       struct sk_buff *skb,
2983 			       struct hostap_80211_rx_status *rx_stats,
2984 			       int wds)
2985 {
2986 	int ret;
2987 	struct sta_info *sta;
2988 	u16 fc, type, stype;
2989 	struct ieee80211_hdr *hdr;
2990 
2991 	if (local->ap == NULL)
2992 		return AP_RX_CONTINUE;
2993 
2994 	hdr = (struct ieee80211_hdr *) skb->data;
2995 
2996 	fc = le16_to_cpu(hdr->frame_control);
2997 	type = fc & IEEE80211_FCTL_FTYPE;
2998 	stype = fc & IEEE80211_FCTL_STYPE;
2999 
3000 	spin_lock(&local->ap->sta_table_lock);
3001 	sta = ap_get_sta(local->ap, hdr->addr2);
3002 	if (sta)
3003 		atomic_inc(&sta->users);
3004 	spin_unlock(&local->ap->sta_table_lock);
3005 
3006 	if (sta && !(sta->flags & WLAN_STA_AUTHORIZED))
3007 		ret = AP_RX_CONTINUE_NOT_AUTHORIZED;
3008 	else
3009 		ret = AP_RX_CONTINUE;
3010 
3011 
3012 	if (fc & IEEE80211_FCTL_TODS) {
3013 		if (!wds && (sta == NULL || !(sta->flags & WLAN_STA_ASSOC))) {
3014 			if (local->hostapd) {
3015 				prism2_rx_80211(local->apdev, skb, rx_stats,
3016 						PRISM2_RX_NON_ASSOC);
3017 #ifndef PRISM2_NO_KERNEL_IEEE80211_MGMT
3018 			} else {
3019 				printk(KERN_DEBUG "%s: dropped received packet"
3020 				       " from non-associated STA %pM"
3021 				       " (type=0x%02x, subtype=0x%02x)\n",
3022 				       dev->name, hdr->addr2,
3023 				       type >> 2, stype >> 4);
3024 				hostap_rx(dev, skb, rx_stats);
3025 #endif /* PRISM2_NO_KERNEL_IEEE80211_MGMT */
3026 			}
3027 			ret = AP_RX_EXIT;
3028 			goto out;
3029 		}
3030 	} else if (fc & IEEE80211_FCTL_FROMDS) {
3031 		if (!wds) {
3032 			/* FromDS frame - not for us; probably
3033 			 * broadcast/multicast in another BSS - drop */
3034 			if (ether_addr_equal(hdr->addr1, dev->dev_addr)) {
3035 				printk(KERN_DEBUG "Odd.. FromDS packet "
3036 				       "received with own BSSID\n");
3037 				hostap_dump_rx_80211(dev->name, skb, rx_stats);
3038 			}
3039 			ret = AP_RX_DROP;
3040 			goto out;
3041 		}
3042 	} else if (stype == IEEE80211_STYPE_NULLFUNC && sta == NULL &&
3043 		   ether_addr_equal(hdr->addr1, dev->dev_addr)) {
3044 
3045 		if (local->hostapd) {
3046 			prism2_rx_80211(local->apdev, skb, rx_stats,
3047 					PRISM2_RX_NON_ASSOC);
3048 #ifndef PRISM2_NO_KERNEL_IEEE80211_MGMT
3049 		} else {
3050 			/* At least Lucent f/w seems to send data::nullfunc
3051 			 * frames with no ToDS flag when the current AP returns
3052 			 * after being unavailable for some time. Speed up
3053 			 * re-association by informing the station about it not
3054 			 * being associated. */
3055 			printk(KERN_DEBUG "%s: rejected received nullfunc frame"
3056 			       " without ToDS from not associated STA %pM\n",
3057 			       dev->name, hdr->addr2);
3058 			hostap_rx(dev, skb, rx_stats);
3059 #endif /* PRISM2_NO_KERNEL_IEEE80211_MGMT */
3060 		}
3061 		ret = AP_RX_EXIT;
3062 		goto out;
3063 	} else if (stype == IEEE80211_STYPE_NULLFUNC) {
3064 		/* At least Lucent cards seem to send periodic nullfunc
3065 		 * frames with ToDS. Let these through to update SQ
3066 		 * stats and PS state. Nullfunc frames do not contain
3067 		 * any data and they will be dropped below. */
3068 	} else {
3069 		/* If BSSID (Addr3) is foreign, this frame is a normal
3070 		 * broadcast frame from an IBSS network. Drop it silently.
3071 		 * If BSSID is own, report the dropping of this frame. */
3072 		if (ether_addr_equal(hdr->addr3, dev->dev_addr)) {
3073 			printk(KERN_DEBUG "%s: dropped received packet from %pM"
3074 			       " with no ToDS flag "
3075 			       "(type=0x%02x, subtype=0x%02x)\n", dev->name,
3076 			       hdr->addr2, type >> 2, stype >> 4);
3077 			hostap_dump_rx_80211(dev->name, skb, rx_stats);
3078 		}
3079 		ret = AP_RX_DROP;
3080 		goto out;
3081 	}
3082 
3083 	if (sta) {
3084 		hostap_update_sta_ps2(local, sta, fc & IEEE80211_FCTL_PM,
3085 				      type, stype);
3086 
3087 		sta->rx_packets++;
3088 		sta->rx_bytes += skb->len;
3089 		sta->last_rx = jiffies;
3090 	}
3091 
3092 	if (local->ap->nullfunc_ack && stype == IEEE80211_STYPE_NULLFUNC &&
3093 	    fc & IEEE80211_FCTL_TODS) {
3094 		if (local->hostapd) {
3095 			prism2_rx_80211(local->apdev, skb, rx_stats,
3096 					PRISM2_RX_NULLFUNC_ACK);
3097 #ifndef PRISM2_NO_KERNEL_IEEE80211_MGMT
3098 		} else {
3099 			/* some STA f/w's seem to require control::ACK frame
3100 			 * for data::nullfunc, but Prism2 f/w 0.8.0 (at least
3101 			 * from Compaq) does not send this.. Try to generate
3102 			 * ACK for these frames from the host driver to make
3103 			 * power saving work with, e.g., Lucent WaveLAN f/w */
3104 			hostap_rx(dev, skb, rx_stats);
3105 #endif /* PRISM2_NO_KERNEL_IEEE80211_MGMT */
3106 		}
3107 		ret = AP_RX_EXIT;
3108 		goto out;
3109 	}
3110 
3111  out:
3112 	if (sta)
3113 		atomic_dec(&sta->users);
3114 
3115 	return ret;
3116 }
3117 
3118 
3119 /* Called only as a tasklet (software IRQ) */
3120 int hostap_handle_sta_crypto(local_info_t *local,
3121 			     struct ieee80211_hdr *hdr,
3122 			     struct lib80211_crypt_data **crypt,
3123 			     void **sta_ptr)
3124 {
3125 	struct sta_info *sta;
3126 
3127 	spin_lock(&local->ap->sta_table_lock);
3128 	sta = ap_get_sta(local->ap, hdr->addr2);
3129 	if (sta)
3130 		atomic_inc(&sta->users);
3131 	spin_unlock(&local->ap->sta_table_lock);
3132 
3133 	if (!sta)
3134 		return -1;
3135 
3136 	if (sta->crypt) {
3137 		*crypt = sta->crypt;
3138 		*sta_ptr = sta;
3139 		/* hostap_handle_sta_release() will be called to release STA
3140 		 * info */
3141 	} else
3142 		atomic_dec(&sta->users);
3143 
3144 	return 0;
3145 }
3146 
3147 
3148 /* Called only as a tasklet (software IRQ) */
3149 int hostap_is_sta_assoc(struct ap_data *ap, u8 *sta_addr)
3150 {
3151 	struct sta_info *sta;
3152 	int ret = 0;
3153 
3154 	spin_lock(&ap->sta_table_lock);
3155 	sta = ap_get_sta(ap, sta_addr);
3156 	if (sta != NULL && (sta->flags & WLAN_STA_ASSOC) && !sta->ap)
3157 		ret = 1;
3158 	spin_unlock(&ap->sta_table_lock);
3159 
3160 	return ret;
3161 }
3162 
3163 
3164 /* Called only as a tasklet (software IRQ) */
3165 int hostap_is_sta_authorized(struct ap_data *ap, u8 *sta_addr)
3166 {
3167 	struct sta_info *sta;
3168 	int ret = 0;
3169 
3170 	spin_lock(&ap->sta_table_lock);
3171 	sta = ap_get_sta(ap, sta_addr);
3172 	if (sta != NULL && (sta->flags & WLAN_STA_ASSOC) && !sta->ap &&
3173 	    ((sta->flags & WLAN_STA_AUTHORIZED) ||
3174 	     ap->local->ieee_802_1x == 0))
3175 		ret = 1;
3176 	spin_unlock(&ap->sta_table_lock);
3177 
3178 	return ret;
3179 }
3180 
3181 
3182 /* Called only as a tasklet (software IRQ) */
3183 int hostap_add_sta(struct ap_data *ap, u8 *sta_addr)
3184 {
3185 	struct sta_info *sta;
3186 	int ret = 1;
3187 
3188 	if (!ap)
3189 		return -1;
3190 
3191 	spin_lock(&ap->sta_table_lock);
3192 	sta = ap_get_sta(ap, sta_addr);
3193 	if (sta)
3194 		ret = 0;
3195 	spin_unlock(&ap->sta_table_lock);
3196 
3197 	if (ret == 1) {
3198 		sta = ap_add_sta(ap, sta_addr);
3199 		if (!sta)
3200 			return -1;
3201 		sta->flags = WLAN_STA_AUTH | WLAN_STA_ASSOC;
3202 		sta->ap = 1;
3203 		memset(sta->supported_rates, 0, sizeof(sta->supported_rates));
3204 		/* No way of knowing which rates are supported since we did not
3205 		 * get supported rates element from beacon/assoc req. Assume
3206 		 * that remote end supports all 802.11b rates. */
3207 		sta->supported_rates[0] = 0x82;
3208 		sta->supported_rates[1] = 0x84;
3209 		sta->supported_rates[2] = 0x0b;
3210 		sta->supported_rates[3] = 0x16;
3211 		sta->tx_supp_rates = WLAN_RATE_1M | WLAN_RATE_2M |
3212 			WLAN_RATE_5M5 | WLAN_RATE_11M;
3213 		sta->tx_rate = 110;
3214 		sta->tx_max_rate = sta->tx_rate_idx = 3;
3215 	}
3216 
3217 	return ret;
3218 }
3219 
3220 
3221 /* Called only as a tasklet (software IRQ) */
3222 int hostap_update_rx_stats(struct ap_data *ap,
3223 			   struct ieee80211_hdr *hdr,
3224 			   struct hostap_80211_rx_status *rx_stats)
3225 {
3226 	struct sta_info *sta;
3227 
3228 	if (!ap)
3229 		return -1;
3230 
3231 	spin_lock(&ap->sta_table_lock);
3232 	sta = ap_get_sta(ap, hdr->addr2);
3233 	if (sta) {
3234 		sta->last_rx_silence = rx_stats->noise;
3235 		sta->last_rx_signal = rx_stats->signal;
3236 		sta->last_rx_rate = rx_stats->rate;
3237 		sta->last_rx_updated = IW_QUAL_ALL_UPDATED | IW_QUAL_DBM;
3238 		if (rx_stats->rate == 10)
3239 			sta->rx_count[0]++;
3240 		else if (rx_stats->rate == 20)
3241 			sta->rx_count[1]++;
3242 		else if (rx_stats->rate == 55)
3243 			sta->rx_count[2]++;
3244 		else if (rx_stats->rate == 110)
3245 			sta->rx_count[3]++;
3246 	}
3247 	spin_unlock(&ap->sta_table_lock);
3248 
3249 	return sta ? 0 : -1;
3250 }
3251 
3252 
3253 void hostap_update_rates(local_info_t *local)
3254 {
3255 	struct sta_info *sta;
3256 	struct ap_data *ap = local->ap;
3257 
3258 	if (!ap)
3259 		return;
3260 
3261 	spin_lock_bh(&ap->sta_table_lock);
3262 	list_for_each_entry(sta, &ap->sta_list, list) {
3263 		prism2_check_tx_rates(sta);
3264 	}
3265 	spin_unlock_bh(&ap->sta_table_lock);
3266 }
3267 
3268 
3269 void * ap_crypt_get_ptrs(struct ap_data *ap, u8 *addr, int permanent,
3270 			 struct lib80211_crypt_data ***crypt)
3271 {
3272 	struct sta_info *sta;
3273 
3274 	spin_lock_bh(&ap->sta_table_lock);
3275 	sta = ap_get_sta(ap, addr);
3276 	if (sta)
3277 		atomic_inc(&sta->users);
3278 	spin_unlock_bh(&ap->sta_table_lock);
3279 
3280 	if (!sta && permanent)
3281 		sta = ap_add_sta(ap, addr);
3282 
3283 	if (!sta)
3284 		return NULL;
3285 
3286 	if (permanent)
3287 		sta->flags |= WLAN_STA_PERM;
3288 
3289 	*crypt = &sta->crypt;
3290 
3291 	return sta;
3292 }
3293 
3294 
3295 void hostap_add_wds_links(local_info_t *local)
3296 {
3297 	struct ap_data *ap = local->ap;
3298 	struct sta_info *sta;
3299 
3300 	spin_lock_bh(&ap->sta_table_lock);
3301 	list_for_each_entry(sta, &ap->sta_list, list) {
3302 		if (sta->ap)
3303 			hostap_wds_link_oper(local, sta->addr, WDS_ADD);
3304 	}
3305 	spin_unlock_bh(&ap->sta_table_lock);
3306 
3307 	schedule_work(&local->ap->wds_oper_queue);
3308 }
3309 
3310 
3311 void hostap_wds_link_oper(local_info_t *local, u8 *addr, wds_oper_type type)
3312 {
3313 	struct wds_oper_data *entry;
3314 
3315 	entry = kmalloc(sizeof(*entry), GFP_ATOMIC);
3316 	if (!entry)
3317 		return;
3318 	memcpy(entry->addr, addr, ETH_ALEN);
3319 	entry->type = type;
3320 	spin_lock_bh(&local->lock);
3321 	entry->next = local->ap->wds_oper_entries;
3322 	local->ap->wds_oper_entries = entry;
3323 	spin_unlock_bh(&local->lock);
3324 
3325 	schedule_work(&local->ap->wds_oper_queue);
3326 }
3327 
3328 
3329 EXPORT_SYMBOL(hostap_init_data);
3330 EXPORT_SYMBOL(hostap_init_ap_proc);
3331 EXPORT_SYMBOL(hostap_free_data);
3332 EXPORT_SYMBOL(hostap_check_sta_fw_version);
3333 EXPORT_SYMBOL(hostap_handle_sta_tx_exc);
3334 #ifndef PRISM2_NO_KERNEL_IEEE80211_MGMT
3335 #endif /* PRISM2_NO_KERNEL_IEEE80211_MGMT */
3336