1 /* 2 * Copyright 2002-2005, Instant802 Networks, Inc. 3 * Copyright 2005-2006, Devicescape Software, Inc. 4 * Copyright 2006-2007 Jiri Benc <jbenc@suse.cz> 5 * Copyright 2007-2010 Johannes Berg <johannes@sipsolutions.net> 6 * Copyright 2013-2014 Intel Mobile Communications GmbH 7 * 8 * This program is free software; you can redistribute it and/or modify 9 * it under the terms of the GNU General Public License version 2 as 10 * published by the Free Software Foundation. 11 */ 12 13 #include <linux/jiffies.h> 14 #include <linux/slab.h> 15 #include <linux/kernel.h> 16 #include <linux/skbuff.h> 17 #include <linux/netdevice.h> 18 #include <linux/etherdevice.h> 19 #include <linux/rcupdate.h> 20 #include <linux/export.h> 21 #include <net/mac80211.h> 22 #include <net/ieee80211_radiotap.h> 23 #include <asm/unaligned.h> 24 25 #include "ieee80211_i.h" 26 #include "driver-ops.h" 27 #include "led.h" 28 #include "mesh.h" 29 #include "wep.h" 30 #include "wpa.h" 31 #include "tkip.h" 32 #include "wme.h" 33 #include "rate.h" 34 35 /* 36 * monitor mode reception 37 * 38 * This function cleans up the SKB, i.e. it removes all the stuff 39 * only useful for monitoring. 40 */ 41 static struct sk_buff *remove_monitor_info(struct ieee80211_local *local, 42 struct sk_buff *skb) 43 { 44 if (local->hw.flags & IEEE80211_HW_RX_INCLUDES_FCS) { 45 if (likely(skb->len > FCS_LEN)) 46 __pskb_trim(skb, skb->len - FCS_LEN); 47 else { 48 /* driver bug */ 49 WARN_ON(1); 50 dev_kfree_skb(skb); 51 return NULL; 52 } 53 } 54 55 return skb; 56 } 57 58 static inline bool should_drop_frame(struct sk_buff *skb, int present_fcs_len) 59 { 60 struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(skb); 61 struct ieee80211_hdr *hdr = (void *)skb->data; 62 63 if (status->flag & (RX_FLAG_FAILED_FCS_CRC | 64 RX_FLAG_FAILED_PLCP_CRC | 65 RX_FLAG_AMPDU_IS_ZEROLEN)) 66 return true; 67 68 if (unlikely(skb->len < 16 + present_fcs_len)) 69 return true; 70 71 if (ieee80211_is_ctl(hdr->frame_control) && 72 !ieee80211_is_pspoll(hdr->frame_control) && 73 !ieee80211_is_back_req(hdr->frame_control)) 74 return true; 75 76 return false; 77 } 78 79 static int 80 ieee80211_rx_radiotap_space(struct ieee80211_local *local, 81 struct ieee80211_rx_status *status) 82 { 83 int len; 84 85 /* always present fields */ 86 len = sizeof(struct ieee80211_radiotap_header) + 8; 87 88 /* allocate extra bitmaps */ 89 if (status->chains) 90 len += 4 * hweight8(status->chains); 91 92 if (ieee80211_have_rx_timestamp(status)) { 93 len = ALIGN(len, 8); 94 len += 8; 95 } 96 if (local->hw.flags & IEEE80211_HW_SIGNAL_DBM) 97 len += 1; 98 99 /* antenna field, if we don't have per-chain info */ 100 if (!status->chains) 101 len += 1; 102 103 /* padding for RX_FLAGS if necessary */ 104 len = ALIGN(len, 2); 105 106 if (status->flag & RX_FLAG_HT) /* HT info */ 107 len += 3; 108 109 if (status->flag & RX_FLAG_AMPDU_DETAILS) { 110 len = ALIGN(len, 4); 111 len += 8; 112 } 113 114 if (status->flag & RX_FLAG_VHT) { 115 len = ALIGN(len, 2); 116 len += 12; 117 } 118 119 if (status->chains) { 120 /* antenna and antenna signal fields */ 121 len += 2 * hweight8(status->chains); 122 } 123 124 return len; 125 } 126 127 /* 128 * ieee80211_add_rx_radiotap_header - add radiotap header 129 * 130 * add a radiotap header containing all the fields which the hardware provided. 131 */ 132 static void 133 ieee80211_add_rx_radiotap_header(struct ieee80211_local *local, 134 struct sk_buff *skb, 135 struct ieee80211_rate *rate, 136 int rtap_len, bool has_fcs) 137 { 138 struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(skb); 139 struct ieee80211_radiotap_header *rthdr; 140 unsigned char *pos; 141 __le32 *it_present; 142 u32 it_present_val; 143 u16 rx_flags = 0; 144 u16 channel_flags = 0; 145 int mpdulen, chain; 146 unsigned long chains = status->chains; 147 148 mpdulen = skb->len; 149 if (!(has_fcs && (local->hw.flags & IEEE80211_HW_RX_INCLUDES_FCS))) 150 mpdulen += FCS_LEN; 151 152 rthdr = (struct ieee80211_radiotap_header *)skb_push(skb, rtap_len); 153 memset(rthdr, 0, rtap_len); 154 it_present = &rthdr->it_present; 155 156 /* radiotap header, set always present flags */ 157 rthdr->it_len = cpu_to_le16(rtap_len); 158 it_present_val = BIT(IEEE80211_RADIOTAP_FLAGS) | 159 BIT(IEEE80211_RADIOTAP_CHANNEL) | 160 BIT(IEEE80211_RADIOTAP_RX_FLAGS); 161 162 if (!status->chains) 163 it_present_val |= BIT(IEEE80211_RADIOTAP_ANTENNA); 164 165 for_each_set_bit(chain, &chains, IEEE80211_MAX_CHAINS) { 166 it_present_val |= 167 BIT(IEEE80211_RADIOTAP_EXT) | 168 BIT(IEEE80211_RADIOTAP_RADIOTAP_NAMESPACE); 169 put_unaligned_le32(it_present_val, it_present); 170 it_present++; 171 it_present_val = BIT(IEEE80211_RADIOTAP_ANTENNA) | 172 BIT(IEEE80211_RADIOTAP_DBM_ANTSIGNAL); 173 } 174 175 put_unaligned_le32(it_present_val, it_present); 176 177 pos = (void *)(it_present + 1); 178 179 /* the order of the following fields is important */ 180 181 /* IEEE80211_RADIOTAP_TSFT */ 182 if (ieee80211_have_rx_timestamp(status)) { 183 /* padding */ 184 while ((pos - (u8 *)rthdr) & 7) 185 *pos++ = 0; 186 put_unaligned_le64( 187 ieee80211_calculate_rx_timestamp(local, status, 188 mpdulen, 0), 189 pos); 190 rthdr->it_present |= cpu_to_le32(1 << IEEE80211_RADIOTAP_TSFT); 191 pos += 8; 192 } 193 194 /* IEEE80211_RADIOTAP_FLAGS */ 195 if (has_fcs && (local->hw.flags & IEEE80211_HW_RX_INCLUDES_FCS)) 196 *pos |= IEEE80211_RADIOTAP_F_FCS; 197 if (status->flag & (RX_FLAG_FAILED_FCS_CRC | RX_FLAG_FAILED_PLCP_CRC)) 198 *pos |= IEEE80211_RADIOTAP_F_BADFCS; 199 if (status->flag & RX_FLAG_SHORTPRE) 200 *pos |= IEEE80211_RADIOTAP_F_SHORTPRE; 201 pos++; 202 203 /* IEEE80211_RADIOTAP_RATE */ 204 if (!rate || status->flag & (RX_FLAG_HT | RX_FLAG_VHT)) { 205 /* 206 * Without rate information don't add it. If we have, 207 * MCS information is a separate field in radiotap, 208 * added below. The byte here is needed as padding 209 * for the channel though, so initialise it to 0. 210 */ 211 *pos = 0; 212 } else { 213 int shift = 0; 214 rthdr->it_present |= cpu_to_le32(1 << IEEE80211_RADIOTAP_RATE); 215 if (status->flag & RX_FLAG_10MHZ) 216 shift = 1; 217 else if (status->flag & RX_FLAG_5MHZ) 218 shift = 2; 219 *pos = DIV_ROUND_UP(rate->bitrate, 5 * (1 << shift)); 220 } 221 pos++; 222 223 /* IEEE80211_RADIOTAP_CHANNEL */ 224 put_unaligned_le16(status->freq, pos); 225 pos += 2; 226 if (status->flag & RX_FLAG_10MHZ) 227 channel_flags |= IEEE80211_CHAN_HALF; 228 else if (status->flag & RX_FLAG_5MHZ) 229 channel_flags |= IEEE80211_CHAN_QUARTER; 230 231 if (status->band == IEEE80211_BAND_5GHZ) 232 channel_flags |= IEEE80211_CHAN_OFDM | IEEE80211_CHAN_5GHZ; 233 else if (status->flag & (RX_FLAG_HT | RX_FLAG_VHT)) 234 channel_flags |= IEEE80211_CHAN_DYN | IEEE80211_CHAN_2GHZ; 235 else if (rate && rate->flags & IEEE80211_RATE_ERP_G) 236 channel_flags |= IEEE80211_CHAN_OFDM | IEEE80211_CHAN_2GHZ; 237 else if (rate) 238 channel_flags |= IEEE80211_CHAN_OFDM | IEEE80211_CHAN_2GHZ; 239 else 240 channel_flags |= IEEE80211_CHAN_2GHZ; 241 put_unaligned_le16(channel_flags, pos); 242 pos += 2; 243 244 /* IEEE80211_RADIOTAP_DBM_ANTSIGNAL */ 245 if (local->hw.flags & IEEE80211_HW_SIGNAL_DBM && 246 !(status->flag & RX_FLAG_NO_SIGNAL_VAL)) { 247 *pos = status->signal; 248 rthdr->it_present |= 249 cpu_to_le32(1 << IEEE80211_RADIOTAP_DBM_ANTSIGNAL); 250 pos++; 251 } 252 253 /* IEEE80211_RADIOTAP_LOCK_QUALITY is missing */ 254 255 if (!status->chains) { 256 /* IEEE80211_RADIOTAP_ANTENNA */ 257 *pos = status->antenna; 258 pos++; 259 } 260 261 /* IEEE80211_RADIOTAP_DB_ANTNOISE is not used */ 262 263 /* IEEE80211_RADIOTAP_RX_FLAGS */ 264 /* ensure 2 byte alignment for the 2 byte field as required */ 265 if ((pos - (u8 *)rthdr) & 1) 266 *pos++ = 0; 267 if (status->flag & RX_FLAG_FAILED_PLCP_CRC) 268 rx_flags |= IEEE80211_RADIOTAP_F_RX_BADPLCP; 269 put_unaligned_le16(rx_flags, pos); 270 pos += 2; 271 272 if (status->flag & RX_FLAG_HT) { 273 unsigned int stbc; 274 275 rthdr->it_present |= cpu_to_le32(1 << IEEE80211_RADIOTAP_MCS); 276 *pos++ = local->hw.radiotap_mcs_details; 277 *pos = 0; 278 if (status->flag & RX_FLAG_SHORT_GI) 279 *pos |= IEEE80211_RADIOTAP_MCS_SGI; 280 if (status->flag & RX_FLAG_40MHZ) 281 *pos |= IEEE80211_RADIOTAP_MCS_BW_40; 282 if (status->flag & RX_FLAG_HT_GF) 283 *pos |= IEEE80211_RADIOTAP_MCS_FMT_GF; 284 if (status->flag & RX_FLAG_LDPC) 285 *pos |= IEEE80211_RADIOTAP_MCS_FEC_LDPC; 286 stbc = (status->flag & RX_FLAG_STBC_MASK) >> RX_FLAG_STBC_SHIFT; 287 *pos |= stbc << IEEE80211_RADIOTAP_MCS_STBC_SHIFT; 288 pos++; 289 *pos++ = status->rate_idx; 290 } 291 292 if (status->flag & RX_FLAG_AMPDU_DETAILS) { 293 u16 flags = 0; 294 295 /* ensure 4 byte alignment */ 296 while ((pos - (u8 *)rthdr) & 3) 297 pos++; 298 rthdr->it_present |= 299 cpu_to_le32(1 << IEEE80211_RADIOTAP_AMPDU_STATUS); 300 put_unaligned_le32(status->ampdu_reference, pos); 301 pos += 4; 302 if (status->flag & RX_FLAG_AMPDU_REPORT_ZEROLEN) 303 flags |= IEEE80211_RADIOTAP_AMPDU_REPORT_ZEROLEN; 304 if (status->flag & RX_FLAG_AMPDU_IS_ZEROLEN) 305 flags |= IEEE80211_RADIOTAP_AMPDU_IS_ZEROLEN; 306 if (status->flag & RX_FLAG_AMPDU_LAST_KNOWN) 307 flags |= IEEE80211_RADIOTAP_AMPDU_LAST_KNOWN; 308 if (status->flag & RX_FLAG_AMPDU_IS_LAST) 309 flags |= IEEE80211_RADIOTAP_AMPDU_IS_LAST; 310 if (status->flag & RX_FLAG_AMPDU_DELIM_CRC_ERROR) 311 flags |= IEEE80211_RADIOTAP_AMPDU_DELIM_CRC_ERR; 312 if (status->flag & RX_FLAG_AMPDU_DELIM_CRC_KNOWN) 313 flags |= IEEE80211_RADIOTAP_AMPDU_DELIM_CRC_KNOWN; 314 put_unaligned_le16(flags, pos); 315 pos += 2; 316 if (status->flag & RX_FLAG_AMPDU_DELIM_CRC_KNOWN) 317 *pos++ = status->ampdu_delimiter_crc; 318 else 319 *pos++ = 0; 320 *pos++ = 0; 321 } 322 323 if (status->flag & RX_FLAG_VHT) { 324 u16 known = local->hw.radiotap_vht_details; 325 326 rthdr->it_present |= cpu_to_le32(1 << IEEE80211_RADIOTAP_VHT); 327 /* known field - how to handle 80+80? */ 328 if (status->vht_flag & RX_VHT_FLAG_80P80MHZ) 329 known &= ~IEEE80211_RADIOTAP_VHT_KNOWN_BANDWIDTH; 330 put_unaligned_le16(known, pos); 331 pos += 2; 332 /* flags */ 333 if (status->flag & RX_FLAG_SHORT_GI) 334 *pos |= IEEE80211_RADIOTAP_VHT_FLAG_SGI; 335 /* in VHT, STBC is binary */ 336 if (status->flag & RX_FLAG_STBC_MASK) 337 *pos |= IEEE80211_RADIOTAP_VHT_FLAG_STBC; 338 if (status->vht_flag & RX_VHT_FLAG_BF) 339 *pos |= IEEE80211_RADIOTAP_VHT_FLAG_BEAMFORMED; 340 pos++; 341 /* bandwidth */ 342 if (status->vht_flag & RX_VHT_FLAG_80MHZ) 343 *pos++ = 4; 344 else if (status->vht_flag & RX_VHT_FLAG_80P80MHZ) 345 *pos++ = 0; /* marked not known above */ 346 else if (status->vht_flag & RX_VHT_FLAG_160MHZ) 347 *pos++ = 11; 348 else if (status->flag & RX_FLAG_40MHZ) 349 *pos++ = 1; 350 else /* 20 MHz */ 351 *pos++ = 0; 352 /* MCS/NSS */ 353 *pos = (status->rate_idx << 4) | status->vht_nss; 354 pos += 4; 355 /* coding field */ 356 if (status->flag & RX_FLAG_LDPC) 357 *pos |= IEEE80211_RADIOTAP_CODING_LDPC_USER0; 358 pos++; 359 /* group ID */ 360 pos++; 361 /* partial_aid */ 362 pos += 2; 363 } 364 365 for_each_set_bit(chain, &chains, IEEE80211_MAX_CHAINS) { 366 *pos++ = status->chain_signal[chain]; 367 *pos++ = chain; 368 } 369 } 370 371 /* 372 * This function copies a received frame to all monitor interfaces and 373 * returns a cleaned-up SKB that no longer includes the FCS nor the 374 * radiotap header the driver might have added. 375 */ 376 static struct sk_buff * 377 ieee80211_rx_monitor(struct ieee80211_local *local, struct sk_buff *origskb, 378 struct ieee80211_rate *rate) 379 { 380 struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(origskb); 381 struct ieee80211_sub_if_data *sdata; 382 int needed_headroom; 383 struct sk_buff *skb, *skb2; 384 struct net_device *prev_dev = NULL; 385 int present_fcs_len = 0; 386 387 /* 388 * First, we may need to make a copy of the skb because 389 * (1) we need to modify it for radiotap (if not present), and 390 * (2) the other RX handlers will modify the skb we got. 391 * 392 * We don't need to, of course, if we aren't going to return 393 * the SKB because it has a bad FCS/PLCP checksum. 394 */ 395 396 if (local->hw.flags & IEEE80211_HW_RX_INCLUDES_FCS) 397 present_fcs_len = FCS_LEN; 398 399 /* ensure hdr->frame_control is in skb head */ 400 if (!pskb_may_pull(origskb, 2)) { 401 dev_kfree_skb(origskb); 402 return NULL; 403 } 404 405 if (!local->monitors) { 406 if (should_drop_frame(origskb, present_fcs_len)) { 407 dev_kfree_skb(origskb); 408 return NULL; 409 } 410 411 return remove_monitor_info(local, origskb); 412 } 413 414 /* room for the radiotap header based on driver features */ 415 needed_headroom = ieee80211_rx_radiotap_space(local, status); 416 417 if (should_drop_frame(origskb, present_fcs_len)) { 418 /* only need to expand headroom if necessary */ 419 skb = origskb; 420 origskb = NULL; 421 422 /* 423 * This shouldn't trigger often because most devices have an 424 * RX header they pull before we get here, and that should 425 * be big enough for our radiotap information. We should 426 * probably export the length to drivers so that we can have 427 * them allocate enough headroom to start with. 428 */ 429 if (skb_headroom(skb) < needed_headroom && 430 pskb_expand_head(skb, needed_headroom, 0, GFP_ATOMIC)) { 431 dev_kfree_skb(skb); 432 return NULL; 433 } 434 } else { 435 /* 436 * Need to make a copy and possibly remove radiotap header 437 * and FCS from the original. 438 */ 439 skb = skb_copy_expand(origskb, needed_headroom, 0, GFP_ATOMIC); 440 441 origskb = remove_monitor_info(local, origskb); 442 443 if (!skb) 444 return origskb; 445 } 446 447 /* prepend radiotap information */ 448 ieee80211_add_rx_radiotap_header(local, skb, rate, needed_headroom, 449 true); 450 451 skb_reset_mac_header(skb); 452 skb->ip_summed = CHECKSUM_UNNECESSARY; 453 skb->pkt_type = PACKET_OTHERHOST; 454 skb->protocol = htons(ETH_P_802_2); 455 456 list_for_each_entry_rcu(sdata, &local->interfaces, list) { 457 if (sdata->vif.type != NL80211_IFTYPE_MONITOR) 458 continue; 459 460 if (sdata->u.mntr_flags & MONITOR_FLAG_COOK_FRAMES) 461 continue; 462 463 if (!ieee80211_sdata_running(sdata)) 464 continue; 465 466 if (prev_dev) { 467 skb2 = skb_clone(skb, GFP_ATOMIC); 468 if (skb2) { 469 skb2->dev = prev_dev; 470 netif_receive_skb(skb2); 471 } 472 } 473 474 prev_dev = sdata->dev; 475 sdata->dev->stats.rx_packets++; 476 sdata->dev->stats.rx_bytes += skb->len; 477 } 478 479 if (prev_dev) { 480 skb->dev = prev_dev; 481 netif_receive_skb(skb); 482 } else 483 dev_kfree_skb(skb); 484 485 return origskb; 486 } 487 488 static void ieee80211_parse_qos(struct ieee80211_rx_data *rx) 489 { 490 struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)rx->skb->data; 491 struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(rx->skb); 492 int tid, seqno_idx, security_idx; 493 494 /* does the frame have a qos control field? */ 495 if (ieee80211_is_data_qos(hdr->frame_control)) { 496 u8 *qc = ieee80211_get_qos_ctl(hdr); 497 /* frame has qos control */ 498 tid = *qc & IEEE80211_QOS_CTL_TID_MASK; 499 if (*qc & IEEE80211_QOS_CTL_A_MSDU_PRESENT) 500 status->rx_flags |= IEEE80211_RX_AMSDU; 501 502 seqno_idx = tid; 503 security_idx = tid; 504 } else { 505 /* 506 * IEEE 802.11-2007, 7.1.3.4.1 ("Sequence Number field"): 507 * 508 * Sequence numbers for management frames, QoS data 509 * frames with a broadcast/multicast address in the 510 * Address 1 field, and all non-QoS data frames sent 511 * by QoS STAs are assigned using an additional single 512 * modulo-4096 counter, [...] 513 * 514 * We also use that counter for non-QoS STAs. 515 */ 516 seqno_idx = IEEE80211_NUM_TIDS; 517 security_idx = 0; 518 if (ieee80211_is_mgmt(hdr->frame_control)) 519 security_idx = IEEE80211_NUM_TIDS; 520 tid = 0; 521 } 522 523 rx->seqno_idx = seqno_idx; 524 rx->security_idx = security_idx; 525 /* Set skb->priority to 1d tag if highest order bit of TID is not set. 526 * For now, set skb->priority to 0 for other cases. */ 527 rx->skb->priority = (tid > 7) ? 0 : tid; 528 } 529 530 /** 531 * DOC: Packet alignment 532 * 533 * Drivers always need to pass packets that are aligned to two-byte boundaries 534 * to the stack. 535 * 536 * Additionally, should, if possible, align the payload data in a way that 537 * guarantees that the contained IP header is aligned to a four-byte 538 * boundary. In the case of regular frames, this simply means aligning the 539 * payload to a four-byte boundary (because either the IP header is directly 540 * contained, or IV/RFC1042 headers that have a length divisible by four are 541 * in front of it). If the payload data is not properly aligned and the 542 * architecture doesn't support efficient unaligned operations, mac80211 543 * will align the data. 544 * 545 * With A-MSDU frames, however, the payload data address must yield two modulo 546 * four because there are 14-byte 802.3 headers within the A-MSDU frames that 547 * push the IP header further back to a multiple of four again. Thankfully, the 548 * specs were sane enough this time around to require padding each A-MSDU 549 * subframe to a length that is a multiple of four. 550 * 551 * Padding like Atheros hardware adds which is between the 802.11 header and 552 * the payload is not supported, the driver is required to move the 802.11 553 * header to be directly in front of the payload in that case. 554 */ 555 static void ieee80211_verify_alignment(struct ieee80211_rx_data *rx) 556 { 557 #ifdef CONFIG_MAC80211_VERBOSE_DEBUG 558 WARN_ONCE((unsigned long)rx->skb->data & 1, 559 "unaligned packet at 0x%p\n", rx->skb->data); 560 #endif 561 } 562 563 564 /* rx handlers */ 565 566 static int ieee80211_is_unicast_robust_mgmt_frame(struct sk_buff *skb) 567 { 568 struct ieee80211_hdr *hdr = (struct ieee80211_hdr *) skb->data; 569 570 if (is_multicast_ether_addr(hdr->addr1)) 571 return 0; 572 573 return ieee80211_is_robust_mgmt_frame(skb); 574 } 575 576 577 static int ieee80211_is_multicast_robust_mgmt_frame(struct sk_buff *skb) 578 { 579 struct ieee80211_hdr *hdr = (struct ieee80211_hdr *) skb->data; 580 581 if (!is_multicast_ether_addr(hdr->addr1)) 582 return 0; 583 584 return ieee80211_is_robust_mgmt_frame(skb); 585 } 586 587 588 /* Get the BIP key index from MMIE; return -1 if this is not a BIP frame */ 589 static int ieee80211_get_mmie_keyidx(struct sk_buff *skb) 590 { 591 struct ieee80211_mgmt *hdr = (struct ieee80211_mgmt *) skb->data; 592 struct ieee80211_mmie *mmie; 593 594 if (skb->len < 24 + sizeof(*mmie) || !is_multicast_ether_addr(hdr->da)) 595 return -1; 596 597 if (!ieee80211_is_robust_mgmt_frame(skb)) 598 return -1; /* not a robust management frame */ 599 600 mmie = (struct ieee80211_mmie *) 601 (skb->data + skb->len - sizeof(*mmie)); 602 if (mmie->element_id != WLAN_EID_MMIE || 603 mmie->length != sizeof(*mmie) - 2) 604 return -1; 605 606 return le16_to_cpu(mmie->key_id); 607 } 608 609 static int iwl80211_get_cs_keyid(const struct ieee80211_cipher_scheme *cs, 610 struct sk_buff *skb) 611 { 612 struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)skb->data; 613 __le16 fc; 614 int hdrlen; 615 u8 keyid; 616 617 fc = hdr->frame_control; 618 hdrlen = ieee80211_hdrlen(fc); 619 620 if (skb->len < hdrlen + cs->hdr_len) 621 return -EINVAL; 622 623 skb_copy_bits(skb, hdrlen + cs->key_idx_off, &keyid, 1); 624 keyid &= cs->key_idx_mask; 625 keyid >>= cs->key_idx_shift; 626 627 return keyid; 628 } 629 630 static ieee80211_rx_result ieee80211_rx_mesh_check(struct ieee80211_rx_data *rx) 631 { 632 struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)rx->skb->data; 633 char *dev_addr = rx->sdata->vif.addr; 634 635 if (ieee80211_is_data(hdr->frame_control)) { 636 if (is_multicast_ether_addr(hdr->addr1)) { 637 if (ieee80211_has_tods(hdr->frame_control) || 638 !ieee80211_has_fromds(hdr->frame_control)) 639 return RX_DROP_MONITOR; 640 if (ether_addr_equal(hdr->addr3, dev_addr)) 641 return RX_DROP_MONITOR; 642 } else { 643 if (!ieee80211_has_a4(hdr->frame_control)) 644 return RX_DROP_MONITOR; 645 if (ether_addr_equal(hdr->addr4, dev_addr)) 646 return RX_DROP_MONITOR; 647 } 648 } 649 650 /* If there is not an established peer link and this is not a peer link 651 * establisment frame, beacon or probe, drop the frame. 652 */ 653 654 if (!rx->sta || sta_plink_state(rx->sta) != NL80211_PLINK_ESTAB) { 655 struct ieee80211_mgmt *mgmt; 656 657 if (!ieee80211_is_mgmt(hdr->frame_control)) 658 return RX_DROP_MONITOR; 659 660 if (ieee80211_is_action(hdr->frame_control)) { 661 u8 category; 662 663 /* make sure category field is present */ 664 if (rx->skb->len < IEEE80211_MIN_ACTION_SIZE) 665 return RX_DROP_MONITOR; 666 667 mgmt = (struct ieee80211_mgmt *)hdr; 668 category = mgmt->u.action.category; 669 if (category != WLAN_CATEGORY_MESH_ACTION && 670 category != WLAN_CATEGORY_SELF_PROTECTED) 671 return RX_DROP_MONITOR; 672 return RX_CONTINUE; 673 } 674 675 if (ieee80211_is_probe_req(hdr->frame_control) || 676 ieee80211_is_probe_resp(hdr->frame_control) || 677 ieee80211_is_beacon(hdr->frame_control) || 678 ieee80211_is_auth(hdr->frame_control)) 679 return RX_CONTINUE; 680 681 return RX_DROP_MONITOR; 682 } 683 684 return RX_CONTINUE; 685 } 686 687 static void ieee80211_release_reorder_frame(struct ieee80211_sub_if_data *sdata, 688 struct tid_ampdu_rx *tid_agg_rx, 689 int index, 690 struct sk_buff_head *frames) 691 { 692 struct sk_buff_head *skb_list = &tid_agg_rx->reorder_buf[index]; 693 struct sk_buff *skb; 694 struct ieee80211_rx_status *status; 695 696 lockdep_assert_held(&tid_agg_rx->reorder_lock); 697 698 if (skb_queue_empty(skb_list)) 699 goto no_frame; 700 701 if (!ieee80211_rx_reorder_ready(skb_list)) { 702 __skb_queue_purge(skb_list); 703 goto no_frame; 704 } 705 706 /* release frames from the reorder ring buffer */ 707 tid_agg_rx->stored_mpdu_num--; 708 while ((skb = __skb_dequeue(skb_list))) { 709 status = IEEE80211_SKB_RXCB(skb); 710 status->rx_flags |= IEEE80211_RX_DEFERRED_RELEASE; 711 __skb_queue_tail(frames, skb); 712 } 713 714 no_frame: 715 tid_agg_rx->head_seq_num = ieee80211_sn_inc(tid_agg_rx->head_seq_num); 716 } 717 718 static void ieee80211_release_reorder_frames(struct ieee80211_sub_if_data *sdata, 719 struct tid_ampdu_rx *tid_agg_rx, 720 u16 head_seq_num, 721 struct sk_buff_head *frames) 722 { 723 int index; 724 725 lockdep_assert_held(&tid_agg_rx->reorder_lock); 726 727 while (ieee80211_sn_less(tid_agg_rx->head_seq_num, head_seq_num)) { 728 index = tid_agg_rx->head_seq_num % tid_agg_rx->buf_size; 729 ieee80211_release_reorder_frame(sdata, tid_agg_rx, index, 730 frames); 731 } 732 } 733 734 /* 735 * Timeout (in jiffies) for skb's that are waiting in the RX reorder buffer. If 736 * the skb was added to the buffer longer than this time ago, the earlier 737 * frames that have not yet been received are assumed to be lost and the skb 738 * can be released for processing. This may also release other skb's from the 739 * reorder buffer if there are no additional gaps between the frames. 740 * 741 * Callers must hold tid_agg_rx->reorder_lock. 742 */ 743 #define HT_RX_REORDER_BUF_TIMEOUT (HZ / 10) 744 745 static void ieee80211_sta_reorder_release(struct ieee80211_sub_if_data *sdata, 746 struct tid_ampdu_rx *tid_agg_rx, 747 struct sk_buff_head *frames) 748 { 749 int index, i, j; 750 751 lockdep_assert_held(&tid_agg_rx->reorder_lock); 752 753 /* release the buffer until next missing frame */ 754 index = tid_agg_rx->head_seq_num % tid_agg_rx->buf_size; 755 if (!ieee80211_rx_reorder_ready(&tid_agg_rx->reorder_buf[index]) && 756 tid_agg_rx->stored_mpdu_num) { 757 /* 758 * No buffers ready to be released, but check whether any 759 * frames in the reorder buffer have timed out. 760 */ 761 int skipped = 1; 762 for (j = (index + 1) % tid_agg_rx->buf_size; j != index; 763 j = (j + 1) % tid_agg_rx->buf_size) { 764 if (!ieee80211_rx_reorder_ready( 765 &tid_agg_rx->reorder_buf[j])) { 766 skipped++; 767 continue; 768 } 769 if (skipped && 770 !time_after(jiffies, tid_agg_rx->reorder_time[j] + 771 HT_RX_REORDER_BUF_TIMEOUT)) 772 goto set_release_timer; 773 774 /* don't leave incomplete A-MSDUs around */ 775 for (i = (index + 1) % tid_agg_rx->buf_size; i != j; 776 i = (i + 1) % tid_agg_rx->buf_size) 777 __skb_queue_purge(&tid_agg_rx->reorder_buf[i]); 778 779 ht_dbg_ratelimited(sdata, 780 "release an RX reorder frame due to timeout on earlier frames\n"); 781 ieee80211_release_reorder_frame(sdata, tid_agg_rx, j, 782 frames); 783 784 /* 785 * Increment the head seq# also for the skipped slots. 786 */ 787 tid_agg_rx->head_seq_num = 788 (tid_agg_rx->head_seq_num + 789 skipped) & IEEE80211_SN_MASK; 790 skipped = 0; 791 } 792 } else while (ieee80211_rx_reorder_ready( 793 &tid_agg_rx->reorder_buf[index])) { 794 ieee80211_release_reorder_frame(sdata, tid_agg_rx, index, 795 frames); 796 index = tid_agg_rx->head_seq_num % tid_agg_rx->buf_size; 797 } 798 799 if (tid_agg_rx->stored_mpdu_num) { 800 j = index = tid_agg_rx->head_seq_num % tid_agg_rx->buf_size; 801 802 for (; j != (index - 1) % tid_agg_rx->buf_size; 803 j = (j + 1) % tid_agg_rx->buf_size) { 804 if (ieee80211_rx_reorder_ready( 805 &tid_agg_rx->reorder_buf[j])) 806 break; 807 } 808 809 set_release_timer: 810 811 mod_timer(&tid_agg_rx->reorder_timer, 812 tid_agg_rx->reorder_time[j] + 1 + 813 HT_RX_REORDER_BUF_TIMEOUT); 814 } else { 815 del_timer(&tid_agg_rx->reorder_timer); 816 } 817 } 818 819 /* 820 * As this function belongs to the RX path it must be under 821 * rcu_read_lock protection. It returns false if the frame 822 * can be processed immediately, true if it was consumed. 823 */ 824 static bool ieee80211_sta_manage_reorder_buf(struct ieee80211_sub_if_data *sdata, 825 struct tid_ampdu_rx *tid_agg_rx, 826 struct sk_buff *skb, 827 struct sk_buff_head *frames) 828 { 829 struct ieee80211_hdr *hdr = (struct ieee80211_hdr *) skb->data; 830 struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(skb); 831 u16 sc = le16_to_cpu(hdr->seq_ctrl); 832 u16 mpdu_seq_num = (sc & IEEE80211_SCTL_SEQ) >> 4; 833 u16 head_seq_num, buf_size; 834 int index; 835 bool ret = true; 836 837 spin_lock(&tid_agg_rx->reorder_lock); 838 839 /* 840 * Offloaded BA sessions have no known starting sequence number so pick 841 * one from first Rxed frame for this tid after BA was started. 842 */ 843 if (unlikely(tid_agg_rx->auto_seq)) { 844 tid_agg_rx->auto_seq = false; 845 tid_agg_rx->ssn = mpdu_seq_num; 846 tid_agg_rx->head_seq_num = mpdu_seq_num; 847 } 848 849 buf_size = tid_agg_rx->buf_size; 850 head_seq_num = tid_agg_rx->head_seq_num; 851 852 /* frame with out of date sequence number */ 853 if (ieee80211_sn_less(mpdu_seq_num, head_seq_num)) { 854 dev_kfree_skb(skb); 855 goto out; 856 } 857 858 /* 859 * If frame the sequence number exceeds our buffering window 860 * size release some previous frames to make room for this one. 861 */ 862 if (!ieee80211_sn_less(mpdu_seq_num, head_seq_num + buf_size)) { 863 head_seq_num = ieee80211_sn_inc( 864 ieee80211_sn_sub(mpdu_seq_num, buf_size)); 865 /* release stored frames up to new head to stack */ 866 ieee80211_release_reorder_frames(sdata, tid_agg_rx, 867 head_seq_num, frames); 868 } 869 870 /* Now the new frame is always in the range of the reordering buffer */ 871 872 index = mpdu_seq_num % tid_agg_rx->buf_size; 873 874 /* check if we already stored this frame */ 875 if (ieee80211_rx_reorder_ready(&tid_agg_rx->reorder_buf[index])) { 876 dev_kfree_skb(skb); 877 goto out; 878 } 879 880 /* 881 * If the current MPDU is in the right order and nothing else 882 * is stored we can process it directly, no need to buffer it. 883 * If it is first but there's something stored, we may be able 884 * to release frames after this one. 885 */ 886 if (mpdu_seq_num == tid_agg_rx->head_seq_num && 887 tid_agg_rx->stored_mpdu_num == 0) { 888 if (!(status->flag & RX_FLAG_AMSDU_MORE)) 889 tid_agg_rx->head_seq_num = 890 ieee80211_sn_inc(tid_agg_rx->head_seq_num); 891 ret = false; 892 goto out; 893 } 894 895 /* put the frame in the reordering buffer */ 896 __skb_queue_tail(&tid_agg_rx->reorder_buf[index], skb); 897 if (!(status->flag & RX_FLAG_AMSDU_MORE)) { 898 tid_agg_rx->reorder_time[index] = jiffies; 899 tid_agg_rx->stored_mpdu_num++; 900 ieee80211_sta_reorder_release(sdata, tid_agg_rx, frames); 901 } 902 903 out: 904 spin_unlock(&tid_agg_rx->reorder_lock); 905 return ret; 906 } 907 908 /* 909 * Reorder MPDUs from A-MPDUs, keeping them on a buffer. Returns 910 * true if the MPDU was buffered, false if it should be processed. 911 */ 912 static void ieee80211_rx_reorder_ampdu(struct ieee80211_rx_data *rx, 913 struct sk_buff_head *frames) 914 { 915 struct sk_buff *skb = rx->skb; 916 struct ieee80211_local *local = rx->local; 917 struct ieee80211_hdr *hdr = (struct ieee80211_hdr *) skb->data; 918 struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(skb); 919 struct sta_info *sta = rx->sta; 920 struct tid_ampdu_rx *tid_agg_rx; 921 u16 sc; 922 u8 tid, ack_policy; 923 924 if (!ieee80211_is_data_qos(hdr->frame_control) || 925 is_multicast_ether_addr(hdr->addr1)) 926 goto dont_reorder; 927 928 /* 929 * filter the QoS data rx stream according to 930 * STA/TID and check if this STA/TID is on aggregation 931 */ 932 933 if (!sta) 934 goto dont_reorder; 935 936 ack_policy = *ieee80211_get_qos_ctl(hdr) & 937 IEEE80211_QOS_CTL_ACK_POLICY_MASK; 938 tid = *ieee80211_get_qos_ctl(hdr) & IEEE80211_QOS_CTL_TID_MASK; 939 940 tid_agg_rx = rcu_dereference(sta->ampdu_mlme.tid_rx[tid]); 941 if (!tid_agg_rx) 942 goto dont_reorder; 943 944 /* qos null data frames are excluded */ 945 if (unlikely(hdr->frame_control & cpu_to_le16(IEEE80211_STYPE_NULLFUNC))) 946 goto dont_reorder; 947 948 /* not part of a BA session */ 949 if (ack_policy != IEEE80211_QOS_CTL_ACK_POLICY_BLOCKACK && 950 ack_policy != IEEE80211_QOS_CTL_ACK_POLICY_NORMAL) 951 goto dont_reorder; 952 953 /* not actually part of this BA session */ 954 if (!(status->rx_flags & IEEE80211_RX_RA_MATCH)) 955 goto dont_reorder; 956 957 /* new, potentially un-ordered, ampdu frame - process it */ 958 959 /* reset session timer */ 960 if (tid_agg_rx->timeout) 961 tid_agg_rx->last_rx = jiffies; 962 963 /* if this mpdu is fragmented - terminate rx aggregation session */ 964 sc = le16_to_cpu(hdr->seq_ctrl); 965 if (sc & IEEE80211_SCTL_FRAG) { 966 skb->pkt_type = IEEE80211_SDATA_QUEUE_TYPE_FRAME; 967 skb_queue_tail(&rx->sdata->skb_queue, skb); 968 ieee80211_queue_work(&local->hw, &rx->sdata->work); 969 return; 970 } 971 972 /* 973 * No locking needed -- we will only ever process one 974 * RX packet at a time, and thus own tid_agg_rx. All 975 * other code manipulating it needs to (and does) make 976 * sure that we cannot get to it any more before doing 977 * anything with it. 978 */ 979 if (ieee80211_sta_manage_reorder_buf(rx->sdata, tid_agg_rx, skb, 980 frames)) 981 return; 982 983 dont_reorder: 984 __skb_queue_tail(frames, skb); 985 } 986 987 static ieee80211_rx_result debug_noinline 988 ieee80211_rx_h_check(struct ieee80211_rx_data *rx) 989 { 990 struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)rx->skb->data; 991 struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(rx->skb); 992 993 /* 994 * Drop duplicate 802.11 retransmissions 995 * (IEEE 802.11-2012: 9.3.2.10 "Duplicate detection and recovery") 996 */ 997 if (rx->skb->len >= 24 && rx->sta && 998 !ieee80211_is_ctl(hdr->frame_control) && 999 !ieee80211_is_qos_nullfunc(hdr->frame_control) && 1000 !is_multicast_ether_addr(hdr->addr1)) { 1001 if (unlikely(ieee80211_has_retry(hdr->frame_control) && 1002 rx->sta->last_seq_ctrl[rx->seqno_idx] == 1003 hdr->seq_ctrl)) { 1004 if (status->rx_flags & IEEE80211_RX_RA_MATCH) { 1005 rx->local->dot11FrameDuplicateCount++; 1006 rx->sta->num_duplicates++; 1007 } 1008 return RX_DROP_UNUSABLE; 1009 } else if (!(status->flag & RX_FLAG_AMSDU_MORE)) { 1010 rx->sta->last_seq_ctrl[rx->seqno_idx] = hdr->seq_ctrl; 1011 } 1012 } 1013 1014 if (unlikely(rx->skb->len < 16)) { 1015 I802_DEBUG_INC(rx->local->rx_handlers_drop_short); 1016 return RX_DROP_MONITOR; 1017 } 1018 1019 /* Drop disallowed frame classes based on STA auth/assoc state; 1020 * IEEE 802.11, Chap 5.5. 1021 * 1022 * mac80211 filters only based on association state, i.e. it drops 1023 * Class 3 frames from not associated stations. hostapd sends 1024 * deauth/disassoc frames when needed. In addition, hostapd is 1025 * responsible for filtering on both auth and assoc states. 1026 */ 1027 1028 if (ieee80211_vif_is_mesh(&rx->sdata->vif)) 1029 return ieee80211_rx_mesh_check(rx); 1030 1031 if (unlikely((ieee80211_is_data(hdr->frame_control) || 1032 ieee80211_is_pspoll(hdr->frame_control)) && 1033 rx->sdata->vif.type != NL80211_IFTYPE_ADHOC && 1034 rx->sdata->vif.type != NL80211_IFTYPE_WDS && 1035 (!rx->sta || !test_sta_flag(rx->sta, WLAN_STA_ASSOC)))) { 1036 /* 1037 * accept port control frames from the AP even when it's not 1038 * yet marked ASSOC to prevent a race where we don't set the 1039 * assoc bit quickly enough before it sends the first frame 1040 */ 1041 if (rx->sta && rx->sdata->vif.type == NL80211_IFTYPE_STATION && 1042 ieee80211_is_data_present(hdr->frame_control)) { 1043 unsigned int hdrlen; 1044 __be16 ethertype; 1045 1046 hdrlen = ieee80211_hdrlen(hdr->frame_control); 1047 1048 if (rx->skb->len < hdrlen + 8) 1049 return RX_DROP_MONITOR; 1050 1051 skb_copy_bits(rx->skb, hdrlen + 6, ðertype, 2); 1052 if (ethertype == rx->sdata->control_port_protocol) 1053 return RX_CONTINUE; 1054 } 1055 1056 if (rx->sdata->vif.type == NL80211_IFTYPE_AP && 1057 cfg80211_rx_spurious_frame(rx->sdata->dev, 1058 hdr->addr2, 1059 GFP_ATOMIC)) 1060 return RX_DROP_UNUSABLE; 1061 1062 return RX_DROP_MONITOR; 1063 } 1064 1065 return RX_CONTINUE; 1066 } 1067 1068 1069 static ieee80211_rx_result debug_noinline 1070 ieee80211_rx_h_check_more_data(struct ieee80211_rx_data *rx) 1071 { 1072 struct ieee80211_local *local; 1073 struct ieee80211_hdr *hdr; 1074 struct sk_buff *skb; 1075 1076 local = rx->local; 1077 skb = rx->skb; 1078 hdr = (struct ieee80211_hdr *) skb->data; 1079 1080 if (!local->pspolling) 1081 return RX_CONTINUE; 1082 1083 if (!ieee80211_has_fromds(hdr->frame_control)) 1084 /* this is not from AP */ 1085 return RX_CONTINUE; 1086 1087 if (!ieee80211_is_data(hdr->frame_control)) 1088 return RX_CONTINUE; 1089 1090 if (!ieee80211_has_moredata(hdr->frame_control)) { 1091 /* AP has no more frames buffered for us */ 1092 local->pspolling = false; 1093 return RX_CONTINUE; 1094 } 1095 1096 /* more data bit is set, let's request a new frame from the AP */ 1097 ieee80211_send_pspoll(local, rx->sdata); 1098 1099 return RX_CONTINUE; 1100 } 1101 1102 static void sta_ps_start(struct sta_info *sta) 1103 { 1104 struct ieee80211_sub_if_data *sdata = sta->sdata; 1105 struct ieee80211_local *local = sdata->local; 1106 struct ps_data *ps; 1107 1108 if (sta->sdata->vif.type == NL80211_IFTYPE_AP || 1109 sta->sdata->vif.type == NL80211_IFTYPE_AP_VLAN) 1110 ps = &sdata->bss->ps; 1111 else 1112 return; 1113 1114 atomic_inc(&ps->num_sta_ps); 1115 set_sta_flag(sta, WLAN_STA_PS_STA); 1116 if (!(local->hw.flags & IEEE80211_HW_AP_LINK_PS)) 1117 drv_sta_notify(local, sdata, STA_NOTIFY_SLEEP, &sta->sta); 1118 ps_dbg(sdata, "STA %pM aid %d enters power save mode\n", 1119 sta->sta.addr, sta->sta.aid); 1120 } 1121 1122 static void sta_ps_end(struct sta_info *sta) 1123 { 1124 ps_dbg(sta->sdata, "STA %pM aid %d exits power save mode\n", 1125 sta->sta.addr, sta->sta.aid); 1126 1127 if (test_sta_flag(sta, WLAN_STA_PS_DRIVER)) { 1128 /* 1129 * Clear the flag only if the other one is still set 1130 * so that the TX path won't start TX'ing new frames 1131 * directly ... In the case that the driver flag isn't 1132 * set ieee80211_sta_ps_deliver_wakeup() will clear it. 1133 */ 1134 clear_sta_flag(sta, WLAN_STA_PS_STA); 1135 ps_dbg(sta->sdata, "STA %pM aid %d driver-ps-blocked\n", 1136 sta->sta.addr, sta->sta.aid); 1137 return; 1138 } 1139 1140 set_sta_flag(sta, WLAN_STA_PS_DELIVER); 1141 clear_sta_flag(sta, WLAN_STA_PS_STA); 1142 ieee80211_sta_ps_deliver_wakeup(sta); 1143 } 1144 1145 int ieee80211_sta_ps_transition(struct ieee80211_sta *sta, bool start) 1146 { 1147 struct sta_info *sta_inf = container_of(sta, struct sta_info, sta); 1148 bool in_ps; 1149 1150 WARN_ON(!(sta_inf->local->hw.flags & IEEE80211_HW_AP_LINK_PS)); 1151 1152 /* Don't let the same PS state be set twice */ 1153 in_ps = test_sta_flag(sta_inf, WLAN_STA_PS_STA); 1154 if ((start && in_ps) || (!start && !in_ps)) 1155 return -EINVAL; 1156 1157 if (start) 1158 sta_ps_start(sta_inf); 1159 else 1160 sta_ps_end(sta_inf); 1161 1162 return 0; 1163 } 1164 EXPORT_SYMBOL(ieee80211_sta_ps_transition); 1165 1166 static ieee80211_rx_result debug_noinline 1167 ieee80211_rx_h_uapsd_and_pspoll(struct ieee80211_rx_data *rx) 1168 { 1169 struct ieee80211_sub_if_data *sdata = rx->sdata; 1170 struct ieee80211_hdr *hdr = (void *)rx->skb->data; 1171 struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(rx->skb); 1172 int tid, ac; 1173 1174 if (!rx->sta || !(status->rx_flags & IEEE80211_RX_RA_MATCH)) 1175 return RX_CONTINUE; 1176 1177 if (sdata->vif.type != NL80211_IFTYPE_AP && 1178 sdata->vif.type != NL80211_IFTYPE_AP_VLAN) 1179 return RX_CONTINUE; 1180 1181 /* 1182 * The device handles station powersave, so don't do anything about 1183 * uAPSD and PS-Poll frames (the latter shouldn't even come up from 1184 * it to mac80211 since they're handled.) 1185 */ 1186 if (sdata->local->hw.flags & IEEE80211_HW_AP_LINK_PS) 1187 return RX_CONTINUE; 1188 1189 /* 1190 * Don't do anything if the station isn't already asleep. In 1191 * the uAPSD case, the station will probably be marked asleep, 1192 * in the PS-Poll case the station must be confused ... 1193 */ 1194 if (!test_sta_flag(rx->sta, WLAN_STA_PS_STA)) 1195 return RX_CONTINUE; 1196 1197 if (unlikely(ieee80211_is_pspoll(hdr->frame_control))) { 1198 if (!test_sta_flag(rx->sta, WLAN_STA_SP)) { 1199 if (!test_sta_flag(rx->sta, WLAN_STA_PS_DRIVER)) 1200 ieee80211_sta_ps_deliver_poll_response(rx->sta); 1201 else 1202 set_sta_flag(rx->sta, WLAN_STA_PSPOLL); 1203 } 1204 1205 /* Free PS Poll skb here instead of returning RX_DROP that would 1206 * count as an dropped frame. */ 1207 dev_kfree_skb(rx->skb); 1208 1209 return RX_QUEUED; 1210 } else if (!ieee80211_has_morefrags(hdr->frame_control) && 1211 !(status->rx_flags & IEEE80211_RX_DEFERRED_RELEASE) && 1212 ieee80211_has_pm(hdr->frame_control) && 1213 (ieee80211_is_data_qos(hdr->frame_control) || 1214 ieee80211_is_qos_nullfunc(hdr->frame_control))) { 1215 tid = *ieee80211_get_qos_ctl(hdr) & IEEE80211_QOS_CTL_TID_MASK; 1216 ac = ieee802_1d_to_ac[tid & 7]; 1217 1218 /* 1219 * If this AC is not trigger-enabled do nothing. 1220 * 1221 * NB: This could/should check a separate bitmap of trigger- 1222 * enabled queues, but for now we only implement uAPSD w/o 1223 * TSPEC changes to the ACs, so they're always the same. 1224 */ 1225 if (!(rx->sta->sta.uapsd_queues & BIT(ac))) 1226 return RX_CONTINUE; 1227 1228 /* if we are in a service period, do nothing */ 1229 if (test_sta_flag(rx->sta, WLAN_STA_SP)) 1230 return RX_CONTINUE; 1231 1232 if (!test_sta_flag(rx->sta, WLAN_STA_PS_DRIVER)) 1233 ieee80211_sta_ps_deliver_uapsd(rx->sta); 1234 else 1235 set_sta_flag(rx->sta, WLAN_STA_UAPSD); 1236 } 1237 1238 return RX_CONTINUE; 1239 } 1240 1241 static ieee80211_rx_result debug_noinline 1242 ieee80211_rx_h_sta_process(struct ieee80211_rx_data *rx) 1243 { 1244 struct sta_info *sta = rx->sta; 1245 struct sk_buff *skb = rx->skb; 1246 struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(skb); 1247 struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)skb->data; 1248 int i; 1249 1250 if (!sta) 1251 return RX_CONTINUE; 1252 1253 /* 1254 * Update last_rx only for IBSS packets which are for the current 1255 * BSSID and for station already AUTHORIZED to avoid keeping the 1256 * current IBSS network alive in cases where other STAs start 1257 * using different BSSID. This will also give the station another 1258 * chance to restart the authentication/authorization in case 1259 * something went wrong the first time. 1260 */ 1261 if (rx->sdata->vif.type == NL80211_IFTYPE_ADHOC) { 1262 u8 *bssid = ieee80211_get_bssid(hdr, rx->skb->len, 1263 NL80211_IFTYPE_ADHOC); 1264 if (ether_addr_equal(bssid, rx->sdata->u.ibss.bssid) && 1265 test_sta_flag(sta, WLAN_STA_AUTHORIZED)) { 1266 sta->last_rx = jiffies; 1267 if (ieee80211_is_data(hdr->frame_control) && 1268 !is_multicast_ether_addr(hdr->addr1)) { 1269 sta->last_rx_rate_idx = status->rate_idx; 1270 sta->last_rx_rate_flag = status->flag; 1271 sta->last_rx_rate_vht_flag = status->vht_flag; 1272 sta->last_rx_rate_vht_nss = status->vht_nss; 1273 } 1274 } 1275 } else if (!is_multicast_ether_addr(hdr->addr1)) { 1276 /* 1277 * Mesh beacons will update last_rx when if they are found to 1278 * match the current local configuration when processed. 1279 */ 1280 sta->last_rx = jiffies; 1281 if (ieee80211_is_data(hdr->frame_control)) { 1282 sta->last_rx_rate_idx = status->rate_idx; 1283 sta->last_rx_rate_flag = status->flag; 1284 sta->last_rx_rate_vht_flag = status->vht_flag; 1285 sta->last_rx_rate_vht_nss = status->vht_nss; 1286 } 1287 } 1288 1289 if (!(status->rx_flags & IEEE80211_RX_RA_MATCH)) 1290 return RX_CONTINUE; 1291 1292 if (rx->sdata->vif.type == NL80211_IFTYPE_STATION) 1293 ieee80211_sta_rx_notify(rx->sdata, hdr); 1294 1295 sta->rx_fragments++; 1296 sta->rx_bytes += rx->skb->len; 1297 if (!(status->flag & RX_FLAG_NO_SIGNAL_VAL)) { 1298 sta->last_signal = status->signal; 1299 ewma_add(&sta->avg_signal, -status->signal); 1300 } 1301 1302 if (status->chains) { 1303 sta->chains = status->chains; 1304 for (i = 0; i < ARRAY_SIZE(status->chain_signal); i++) { 1305 int signal = status->chain_signal[i]; 1306 1307 if (!(status->chains & BIT(i))) 1308 continue; 1309 1310 sta->chain_signal_last[i] = signal; 1311 ewma_add(&sta->chain_signal_avg[i], -signal); 1312 } 1313 } 1314 1315 /* 1316 * Change STA power saving mode only at the end of a frame 1317 * exchange sequence. 1318 */ 1319 if (!(sta->local->hw.flags & IEEE80211_HW_AP_LINK_PS) && 1320 !ieee80211_has_morefrags(hdr->frame_control) && 1321 !(status->rx_flags & IEEE80211_RX_DEFERRED_RELEASE) && 1322 (rx->sdata->vif.type == NL80211_IFTYPE_AP || 1323 rx->sdata->vif.type == NL80211_IFTYPE_AP_VLAN) && 1324 /* PM bit is only checked in frames where it isn't reserved, 1325 * in AP mode it's reserved in non-bufferable management frames 1326 * (cf. IEEE 802.11-2012 8.2.4.1.7 Power Management field) 1327 */ 1328 (!ieee80211_is_mgmt(hdr->frame_control) || 1329 ieee80211_is_bufferable_mmpdu(hdr->frame_control))) { 1330 if (test_sta_flag(sta, WLAN_STA_PS_STA)) { 1331 if (!ieee80211_has_pm(hdr->frame_control)) 1332 sta_ps_end(sta); 1333 } else { 1334 if (ieee80211_has_pm(hdr->frame_control)) 1335 sta_ps_start(sta); 1336 } 1337 } 1338 1339 /* mesh power save support */ 1340 if (ieee80211_vif_is_mesh(&rx->sdata->vif)) 1341 ieee80211_mps_rx_h_sta_process(sta, hdr); 1342 1343 /* 1344 * Drop (qos-)data::nullfunc frames silently, since they 1345 * are used only to control station power saving mode. 1346 */ 1347 if (ieee80211_is_nullfunc(hdr->frame_control) || 1348 ieee80211_is_qos_nullfunc(hdr->frame_control)) { 1349 I802_DEBUG_INC(rx->local->rx_handlers_drop_nullfunc); 1350 1351 /* 1352 * If we receive a 4-addr nullfunc frame from a STA 1353 * that was not moved to a 4-addr STA vlan yet send 1354 * the event to userspace and for older hostapd drop 1355 * the frame to the monitor interface. 1356 */ 1357 if (ieee80211_has_a4(hdr->frame_control) && 1358 (rx->sdata->vif.type == NL80211_IFTYPE_AP || 1359 (rx->sdata->vif.type == NL80211_IFTYPE_AP_VLAN && 1360 !rx->sdata->u.vlan.sta))) { 1361 if (!test_and_set_sta_flag(sta, WLAN_STA_4ADDR_EVENT)) 1362 cfg80211_rx_unexpected_4addr_frame( 1363 rx->sdata->dev, sta->sta.addr, 1364 GFP_ATOMIC); 1365 return RX_DROP_MONITOR; 1366 } 1367 /* 1368 * Update counter and free packet here to avoid 1369 * counting this as a dropped packed. 1370 */ 1371 sta->rx_packets++; 1372 dev_kfree_skb(rx->skb); 1373 return RX_QUEUED; 1374 } 1375 1376 return RX_CONTINUE; 1377 } /* ieee80211_rx_h_sta_process */ 1378 1379 static ieee80211_rx_result debug_noinline 1380 ieee80211_rx_h_decrypt(struct ieee80211_rx_data *rx) 1381 { 1382 struct sk_buff *skb = rx->skb; 1383 struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(skb); 1384 struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)skb->data; 1385 int keyidx; 1386 int hdrlen; 1387 ieee80211_rx_result result = RX_DROP_UNUSABLE; 1388 struct ieee80211_key *sta_ptk = NULL; 1389 int mmie_keyidx = -1; 1390 __le16 fc; 1391 const struct ieee80211_cipher_scheme *cs = NULL; 1392 1393 /* 1394 * Key selection 101 1395 * 1396 * There are four types of keys: 1397 * - GTK (group keys) 1398 * - IGTK (group keys for management frames) 1399 * - PTK (pairwise keys) 1400 * - STK (station-to-station pairwise keys) 1401 * 1402 * When selecting a key, we have to distinguish between multicast 1403 * (including broadcast) and unicast frames, the latter can only 1404 * use PTKs and STKs while the former always use GTKs and IGTKs. 1405 * Unless, of course, actual WEP keys ("pre-RSNA") are used, then 1406 * unicast frames can also use key indices like GTKs. Hence, if we 1407 * don't have a PTK/STK we check the key index for a WEP key. 1408 * 1409 * Note that in a regular BSS, multicast frames are sent by the 1410 * AP only, associated stations unicast the frame to the AP first 1411 * which then multicasts it on their behalf. 1412 * 1413 * There is also a slight problem in IBSS mode: GTKs are negotiated 1414 * with each station, that is something we don't currently handle. 1415 * The spec seems to expect that one negotiates the same key with 1416 * every station but there's no such requirement; VLANs could be 1417 * possible. 1418 */ 1419 1420 /* 1421 * No point in finding a key and decrypting if the frame is neither 1422 * addressed to us nor a multicast frame. 1423 */ 1424 if (!(status->rx_flags & IEEE80211_RX_RA_MATCH)) 1425 return RX_CONTINUE; 1426 1427 /* start without a key */ 1428 rx->key = NULL; 1429 fc = hdr->frame_control; 1430 1431 if (rx->sta) { 1432 int keyid = rx->sta->ptk_idx; 1433 1434 if (ieee80211_has_protected(fc) && rx->sta->cipher_scheme) { 1435 cs = rx->sta->cipher_scheme; 1436 keyid = iwl80211_get_cs_keyid(cs, rx->skb); 1437 if (unlikely(keyid < 0)) 1438 return RX_DROP_UNUSABLE; 1439 } 1440 sta_ptk = rcu_dereference(rx->sta->ptk[keyid]); 1441 } 1442 1443 if (!ieee80211_has_protected(fc)) 1444 mmie_keyidx = ieee80211_get_mmie_keyidx(rx->skb); 1445 1446 if (!is_multicast_ether_addr(hdr->addr1) && sta_ptk) { 1447 rx->key = sta_ptk; 1448 if ((status->flag & RX_FLAG_DECRYPTED) && 1449 (status->flag & RX_FLAG_IV_STRIPPED)) 1450 return RX_CONTINUE; 1451 /* Skip decryption if the frame is not protected. */ 1452 if (!ieee80211_has_protected(fc)) 1453 return RX_CONTINUE; 1454 } else if (mmie_keyidx >= 0) { 1455 /* Broadcast/multicast robust management frame / BIP */ 1456 if ((status->flag & RX_FLAG_DECRYPTED) && 1457 (status->flag & RX_FLAG_IV_STRIPPED)) 1458 return RX_CONTINUE; 1459 1460 if (mmie_keyidx < NUM_DEFAULT_KEYS || 1461 mmie_keyidx >= NUM_DEFAULT_KEYS + NUM_DEFAULT_MGMT_KEYS) 1462 return RX_DROP_MONITOR; /* unexpected BIP keyidx */ 1463 if (rx->sta) 1464 rx->key = rcu_dereference(rx->sta->gtk[mmie_keyidx]); 1465 if (!rx->key) 1466 rx->key = rcu_dereference(rx->sdata->keys[mmie_keyidx]); 1467 } else if (!ieee80211_has_protected(fc)) { 1468 /* 1469 * The frame was not protected, so skip decryption. However, we 1470 * need to set rx->key if there is a key that could have been 1471 * used so that the frame may be dropped if encryption would 1472 * have been expected. 1473 */ 1474 struct ieee80211_key *key = NULL; 1475 struct ieee80211_sub_if_data *sdata = rx->sdata; 1476 int i; 1477 1478 if (ieee80211_is_mgmt(fc) && 1479 is_multicast_ether_addr(hdr->addr1) && 1480 (key = rcu_dereference(rx->sdata->default_mgmt_key))) 1481 rx->key = key; 1482 else { 1483 if (rx->sta) { 1484 for (i = 0; i < NUM_DEFAULT_KEYS; i++) { 1485 key = rcu_dereference(rx->sta->gtk[i]); 1486 if (key) 1487 break; 1488 } 1489 } 1490 if (!key) { 1491 for (i = 0; i < NUM_DEFAULT_KEYS; i++) { 1492 key = rcu_dereference(sdata->keys[i]); 1493 if (key) 1494 break; 1495 } 1496 } 1497 if (key) 1498 rx->key = key; 1499 } 1500 return RX_CONTINUE; 1501 } else { 1502 u8 keyid; 1503 1504 /* 1505 * The device doesn't give us the IV so we won't be 1506 * able to look up the key. That's ok though, we 1507 * don't need to decrypt the frame, we just won't 1508 * be able to keep statistics accurate. 1509 * Except for key threshold notifications, should 1510 * we somehow allow the driver to tell us which key 1511 * the hardware used if this flag is set? 1512 */ 1513 if ((status->flag & RX_FLAG_DECRYPTED) && 1514 (status->flag & RX_FLAG_IV_STRIPPED)) 1515 return RX_CONTINUE; 1516 1517 hdrlen = ieee80211_hdrlen(fc); 1518 1519 if (cs) { 1520 keyidx = iwl80211_get_cs_keyid(cs, rx->skb); 1521 1522 if (unlikely(keyidx < 0)) 1523 return RX_DROP_UNUSABLE; 1524 } else { 1525 if (rx->skb->len < 8 + hdrlen) 1526 return RX_DROP_UNUSABLE; /* TODO: count this? */ 1527 /* 1528 * no need to call ieee80211_wep_get_keyidx, 1529 * it verifies a bunch of things we've done already 1530 */ 1531 skb_copy_bits(rx->skb, hdrlen + 3, &keyid, 1); 1532 keyidx = keyid >> 6; 1533 } 1534 1535 /* check per-station GTK first, if multicast packet */ 1536 if (is_multicast_ether_addr(hdr->addr1) && rx->sta) 1537 rx->key = rcu_dereference(rx->sta->gtk[keyidx]); 1538 1539 /* if not found, try default key */ 1540 if (!rx->key) { 1541 rx->key = rcu_dereference(rx->sdata->keys[keyidx]); 1542 1543 /* 1544 * RSNA-protected unicast frames should always be 1545 * sent with pairwise or station-to-station keys, 1546 * but for WEP we allow using a key index as well. 1547 */ 1548 if (rx->key && 1549 rx->key->conf.cipher != WLAN_CIPHER_SUITE_WEP40 && 1550 rx->key->conf.cipher != WLAN_CIPHER_SUITE_WEP104 && 1551 !is_multicast_ether_addr(hdr->addr1)) 1552 rx->key = NULL; 1553 } 1554 } 1555 1556 if (rx->key) { 1557 if (unlikely(rx->key->flags & KEY_FLAG_TAINTED)) 1558 return RX_DROP_MONITOR; 1559 1560 rx->key->tx_rx_count++; 1561 /* TODO: add threshold stuff again */ 1562 } else { 1563 return RX_DROP_MONITOR; 1564 } 1565 1566 switch (rx->key->conf.cipher) { 1567 case WLAN_CIPHER_SUITE_WEP40: 1568 case WLAN_CIPHER_SUITE_WEP104: 1569 result = ieee80211_crypto_wep_decrypt(rx); 1570 break; 1571 case WLAN_CIPHER_SUITE_TKIP: 1572 result = ieee80211_crypto_tkip_decrypt(rx); 1573 break; 1574 case WLAN_CIPHER_SUITE_CCMP: 1575 result = ieee80211_crypto_ccmp_decrypt(rx); 1576 break; 1577 case WLAN_CIPHER_SUITE_AES_CMAC: 1578 result = ieee80211_crypto_aes_cmac_decrypt(rx); 1579 break; 1580 default: 1581 result = ieee80211_crypto_hw_decrypt(rx); 1582 } 1583 1584 /* the hdr variable is invalid after the decrypt handlers */ 1585 1586 /* either the frame has been decrypted or will be dropped */ 1587 status->flag |= RX_FLAG_DECRYPTED; 1588 1589 return result; 1590 } 1591 1592 static inline struct ieee80211_fragment_entry * 1593 ieee80211_reassemble_add(struct ieee80211_sub_if_data *sdata, 1594 unsigned int frag, unsigned int seq, int rx_queue, 1595 struct sk_buff **skb) 1596 { 1597 struct ieee80211_fragment_entry *entry; 1598 1599 entry = &sdata->fragments[sdata->fragment_next++]; 1600 if (sdata->fragment_next >= IEEE80211_FRAGMENT_MAX) 1601 sdata->fragment_next = 0; 1602 1603 if (!skb_queue_empty(&entry->skb_list)) 1604 __skb_queue_purge(&entry->skb_list); 1605 1606 __skb_queue_tail(&entry->skb_list, *skb); /* no need for locking */ 1607 *skb = NULL; 1608 entry->first_frag_time = jiffies; 1609 entry->seq = seq; 1610 entry->rx_queue = rx_queue; 1611 entry->last_frag = frag; 1612 entry->ccmp = 0; 1613 entry->extra_len = 0; 1614 1615 return entry; 1616 } 1617 1618 static inline struct ieee80211_fragment_entry * 1619 ieee80211_reassemble_find(struct ieee80211_sub_if_data *sdata, 1620 unsigned int frag, unsigned int seq, 1621 int rx_queue, struct ieee80211_hdr *hdr) 1622 { 1623 struct ieee80211_fragment_entry *entry; 1624 int i, idx; 1625 1626 idx = sdata->fragment_next; 1627 for (i = 0; i < IEEE80211_FRAGMENT_MAX; i++) { 1628 struct ieee80211_hdr *f_hdr; 1629 1630 idx--; 1631 if (idx < 0) 1632 idx = IEEE80211_FRAGMENT_MAX - 1; 1633 1634 entry = &sdata->fragments[idx]; 1635 if (skb_queue_empty(&entry->skb_list) || entry->seq != seq || 1636 entry->rx_queue != rx_queue || 1637 entry->last_frag + 1 != frag) 1638 continue; 1639 1640 f_hdr = (struct ieee80211_hdr *)entry->skb_list.next->data; 1641 1642 /* 1643 * Check ftype and addresses are equal, else check next fragment 1644 */ 1645 if (((hdr->frame_control ^ f_hdr->frame_control) & 1646 cpu_to_le16(IEEE80211_FCTL_FTYPE)) || 1647 !ether_addr_equal(hdr->addr1, f_hdr->addr1) || 1648 !ether_addr_equal(hdr->addr2, f_hdr->addr2)) 1649 continue; 1650 1651 if (time_after(jiffies, entry->first_frag_time + 2 * HZ)) { 1652 __skb_queue_purge(&entry->skb_list); 1653 continue; 1654 } 1655 return entry; 1656 } 1657 1658 return NULL; 1659 } 1660 1661 static ieee80211_rx_result debug_noinline 1662 ieee80211_rx_h_defragment(struct ieee80211_rx_data *rx) 1663 { 1664 struct ieee80211_hdr *hdr; 1665 u16 sc; 1666 __le16 fc; 1667 unsigned int frag, seq; 1668 struct ieee80211_fragment_entry *entry; 1669 struct sk_buff *skb; 1670 struct ieee80211_rx_status *status; 1671 1672 hdr = (struct ieee80211_hdr *)rx->skb->data; 1673 fc = hdr->frame_control; 1674 1675 if (ieee80211_is_ctl(fc)) 1676 return RX_CONTINUE; 1677 1678 sc = le16_to_cpu(hdr->seq_ctrl); 1679 frag = sc & IEEE80211_SCTL_FRAG; 1680 1681 if (likely(!ieee80211_has_morefrags(fc) && frag == 0)) 1682 goto out; 1683 1684 if (is_multicast_ether_addr(hdr->addr1)) { 1685 rx->local->dot11MulticastReceivedFrameCount++; 1686 goto out; 1687 } 1688 1689 I802_DEBUG_INC(rx->local->rx_handlers_fragments); 1690 1691 if (skb_linearize(rx->skb)) 1692 return RX_DROP_UNUSABLE; 1693 1694 /* 1695 * skb_linearize() might change the skb->data and 1696 * previously cached variables (in this case, hdr) need to 1697 * be refreshed with the new data. 1698 */ 1699 hdr = (struct ieee80211_hdr *)rx->skb->data; 1700 seq = (sc & IEEE80211_SCTL_SEQ) >> 4; 1701 1702 if (frag == 0) { 1703 /* This is the first fragment of a new frame. */ 1704 entry = ieee80211_reassemble_add(rx->sdata, frag, seq, 1705 rx->seqno_idx, &(rx->skb)); 1706 if (rx->key && rx->key->conf.cipher == WLAN_CIPHER_SUITE_CCMP && 1707 ieee80211_has_protected(fc)) { 1708 int queue = rx->security_idx; 1709 /* Store CCMP PN so that we can verify that the next 1710 * fragment has a sequential PN value. */ 1711 entry->ccmp = 1; 1712 memcpy(entry->last_pn, 1713 rx->key->u.ccmp.rx_pn[queue], 1714 IEEE80211_CCMP_PN_LEN); 1715 } 1716 return RX_QUEUED; 1717 } 1718 1719 /* This is a fragment for a frame that should already be pending in 1720 * fragment cache. Add this fragment to the end of the pending entry. 1721 */ 1722 entry = ieee80211_reassemble_find(rx->sdata, frag, seq, 1723 rx->seqno_idx, hdr); 1724 if (!entry) { 1725 I802_DEBUG_INC(rx->local->rx_handlers_drop_defrag); 1726 return RX_DROP_MONITOR; 1727 } 1728 1729 /* Verify that MPDUs within one MSDU have sequential PN values. 1730 * (IEEE 802.11i, 8.3.3.4.5) */ 1731 if (entry->ccmp) { 1732 int i; 1733 u8 pn[IEEE80211_CCMP_PN_LEN], *rpn; 1734 int queue; 1735 if (!rx->key || rx->key->conf.cipher != WLAN_CIPHER_SUITE_CCMP) 1736 return RX_DROP_UNUSABLE; 1737 memcpy(pn, entry->last_pn, IEEE80211_CCMP_PN_LEN); 1738 for (i = IEEE80211_CCMP_PN_LEN - 1; i >= 0; i--) { 1739 pn[i]++; 1740 if (pn[i]) 1741 break; 1742 } 1743 queue = rx->security_idx; 1744 rpn = rx->key->u.ccmp.rx_pn[queue]; 1745 if (memcmp(pn, rpn, IEEE80211_CCMP_PN_LEN)) 1746 return RX_DROP_UNUSABLE; 1747 memcpy(entry->last_pn, pn, IEEE80211_CCMP_PN_LEN); 1748 } 1749 1750 skb_pull(rx->skb, ieee80211_hdrlen(fc)); 1751 __skb_queue_tail(&entry->skb_list, rx->skb); 1752 entry->last_frag = frag; 1753 entry->extra_len += rx->skb->len; 1754 if (ieee80211_has_morefrags(fc)) { 1755 rx->skb = NULL; 1756 return RX_QUEUED; 1757 } 1758 1759 rx->skb = __skb_dequeue(&entry->skb_list); 1760 if (skb_tailroom(rx->skb) < entry->extra_len) { 1761 I802_DEBUG_INC(rx->local->rx_expand_skb_head2); 1762 if (unlikely(pskb_expand_head(rx->skb, 0, entry->extra_len, 1763 GFP_ATOMIC))) { 1764 I802_DEBUG_INC(rx->local->rx_handlers_drop_defrag); 1765 __skb_queue_purge(&entry->skb_list); 1766 return RX_DROP_UNUSABLE; 1767 } 1768 } 1769 while ((skb = __skb_dequeue(&entry->skb_list))) { 1770 memcpy(skb_put(rx->skb, skb->len), skb->data, skb->len); 1771 dev_kfree_skb(skb); 1772 } 1773 1774 /* Complete frame has been reassembled - process it now */ 1775 status = IEEE80211_SKB_RXCB(rx->skb); 1776 status->rx_flags |= IEEE80211_RX_FRAGMENTED; 1777 1778 out: 1779 if (rx->sta) 1780 rx->sta->rx_packets++; 1781 ieee80211_led_rx(rx->local); 1782 return RX_CONTINUE; 1783 } 1784 1785 static int ieee80211_802_1x_port_control(struct ieee80211_rx_data *rx) 1786 { 1787 if (unlikely(!rx->sta || !test_sta_flag(rx->sta, WLAN_STA_AUTHORIZED))) 1788 return -EACCES; 1789 1790 return 0; 1791 } 1792 1793 static int ieee80211_drop_unencrypted(struct ieee80211_rx_data *rx, __le16 fc) 1794 { 1795 struct sk_buff *skb = rx->skb; 1796 struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(skb); 1797 1798 /* 1799 * Pass through unencrypted frames if the hardware has 1800 * decrypted them already. 1801 */ 1802 if (status->flag & RX_FLAG_DECRYPTED) 1803 return 0; 1804 1805 /* Drop unencrypted frames if key is set. */ 1806 if (unlikely(!ieee80211_has_protected(fc) && 1807 !ieee80211_is_nullfunc(fc) && 1808 ieee80211_is_data(fc) && 1809 (rx->key || rx->sdata->drop_unencrypted))) 1810 return -EACCES; 1811 1812 return 0; 1813 } 1814 1815 static int ieee80211_drop_unencrypted_mgmt(struct ieee80211_rx_data *rx) 1816 { 1817 struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)rx->skb->data; 1818 struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(rx->skb); 1819 __le16 fc = hdr->frame_control; 1820 1821 /* 1822 * Pass through unencrypted frames if the hardware has 1823 * decrypted them already. 1824 */ 1825 if (status->flag & RX_FLAG_DECRYPTED) 1826 return 0; 1827 1828 if (rx->sta && test_sta_flag(rx->sta, WLAN_STA_MFP)) { 1829 if (unlikely(!ieee80211_has_protected(fc) && 1830 ieee80211_is_unicast_robust_mgmt_frame(rx->skb) && 1831 rx->key)) { 1832 if (ieee80211_is_deauth(fc) || 1833 ieee80211_is_disassoc(fc)) 1834 cfg80211_rx_unprot_mlme_mgmt(rx->sdata->dev, 1835 rx->skb->data, 1836 rx->skb->len); 1837 return -EACCES; 1838 } 1839 /* BIP does not use Protected field, so need to check MMIE */ 1840 if (unlikely(ieee80211_is_multicast_robust_mgmt_frame(rx->skb) && 1841 ieee80211_get_mmie_keyidx(rx->skb) < 0)) { 1842 if (ieee80211_is_deauth(fc) || 1843 ieee80211_is_disassoc(fc)) 1844 cfg80211_rx_unprot_mlme_mgmt(rx->sdata->dev, 1845 rx->skb->data, 1846 rx->skb->len); 1847 return -EACCES; 1848 } 1849 /* 1850 * When using MFP, Action frames are not allowed prior to 1851 * having configured keys. 1852 */ 1853 if (unlikely(ieee80211_is_action(fc) && !rx->key && 1854 ieee80211_is_robust_mgmt_frame(rx->skb))) 1855 return -EACCES; 1856 } 1857 1858 return 0; 1859 } 1860 1861 static int 1862 __ieee80211_data_to_8023(struct ieee80211_rx_data *rx, bool *port_control) 1863 { 1864 struct ieee80211_sub_if_data *sdata = rx->sdata; 1865 struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)rx->skb->data; 1866 bool check_port_control = false; 1867 struct ethhdr *ehdr; 1868 int ret; 1869 1870 *port_control = false; 1871 if (ieee80211_has_a4(hdr->frame_control) && 1872 sdata->vif.type == NL80211_IFTYPE_AP_VLAN && !sdata->u.vlan.sta) 1873 return -1; 1874 1875 if (sdata->vif.type == NL80211_IFTYPE_STATION && 1876 !!sdata->u.mgd.use_4addr != !!ieee80211_has_a4(hdr->frame_control)) { 1877 1878 if (!sdata->u.mgd.use_4addr) 1879 return -1; 1880 else 1881 check_port_control = true; 1882 } 1883 1884 if (is_multicast_ether_addr(hdr->addr1) && 1885 sdata->vif.type == NL80211_IFTYPE_AP_VLAN && sdata->u.vlan.sta) 1886 return -1; 1887 1888 ret = ieee80211_data_to_8023(rx->skb, sdata->vif.addr, sdata->vif.type); 1889 if (ret < 0) 1890 return ret; 1891 1892 ehdr = (struct ethhdr *) rx->skb->data; 1893 if (ehdr->h_proto == rx->sdata->control_port_protocol) 1894 *port_control = true; 1895 else if (check_port_control) 1896 return -1; 1897 1898 return 0; 1899 } 1900 1901 /* 1902 * requires that rx->skb is a frame with ethernet header 1903 */ 1904 static bool ieee80211_frame_allowed(struct ieee80211_rx_data *rx, __le16 fc) 1905 { 1906 static const u8 pae_group_addr[ETH_ALEN] __aligned(2) 1907 = { 0x01, 0x80, 0xC2, 0x00, 0x00, 0x03 }; 1908 struct ethhdr *ehdr = (struct ethhdr *) rx->skb->data; 1909 1910 /* 1911 * Allow EAPOL frames to us/the PAE group address regardless 1912 * of whether the frame was encrypted or not. 1913 */ 1914 if (ehdr->h_proto == rx->sdata->control_port_protocol && 1915 (ether_addr_equal(ehdr->h_dest, rx->sdata->vif.addr) || 1916 ether_addr_equal(ehdr->h_dest, pae_group_addr))) 1917 return true; 1918 1919 if (ieee80211_802_1x_port_control(rx) || 1920 ieee80211_drop_unencrypted(rx, fc)) 1921 return false; 1922 1923 return true; 1924 } 1925 1926 /* 1927 * requires that rx->skb is a frame with ethernet header 1928 */ 1929 static void 1930 ieee80211_deliver_skb(struct ieee80211_rx_data *rx) 1931 { 1932 struct ieee80211_sub_if_data *sdata = rx->sdata; 1933 struct net_device *dev = sdata->dev; 1934 struct sk_buff *skb, *xmit_skb; 1935 struct ethhdr *ehdr = (struct ethhdr *) rx->skb->data; 1936 struct sta_info *dsta; 1937 struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(rx->skb); 1938 1939 skb = rx->skb; 1940 xmit_skb = NULL; 1941 1942 if ((sdata->vif.type == NL80211_IFTYPE_AP || 1943 sdata->vif.type == NL80211_IFTYPE_AP_VLAN) && 1944 !(sdata->flags & IEEE80211_SDATA_DONT_BRIDGE_PACKETS) && 1945 (status->rx_flags & IEEE80211_RX_RA_MATCH) && 1946 (sdata->vif.type != NL80211_IFTYPE_AP_VLAN || !sdata->u.vlan.sta)) { 1947 if (is_multicast_ether_addr(ehdr->h_dest)) { 1948 /* 1949 * send multicast frames both to higher layers in 1950 * local net stack and back to the wireless medium 1951 */ 1952 xmit_skb = skb_copy(skb, GFP_ATOMIC); 1953 if (!xmit_skb) 1954 net_info_ratelimited("%s: failed to clone multicast frame\n", 1955 dev->name); 1956 } else { 1957 dsta = sta_info_get(sdata, skb->data); 1958 if (dsta) { 1959 /* 1960 * The destination station is associated to 1961 * this AP (in this VLAN), so send the frame 1962 * directly to it and do not pass it to local 1963 * net stack. 1964 */ 1965 xmit_skb = skb; 1966 skb = NULL; 1967 } 1968 } 1969 } 1970 1971 #ifndef CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS 1972 if (skb) { 1973 /* 'align' will only take the values 0 or 2 here since all 1974 * frames are required to be aligned to 2-byte boundaries 1975 * when being passed to mac80211; the code here works just 1976 * as well if that isn't true, but mac80211 assumes it can 1977 * access fields as 2-byte aligned (e.g. for ether_addr_equal) 1978 */ 1979 int align; 1980 1981 align = (unsigned long)(skb->data + sizeof(struct ethhdr)) & 3; 1982 if (align) { 1983 if (WARN_ON(skb_headroom(skb) < 3)) { 1984 dev_kfree_skb(skb); 1985 skb = NULL; 1986 } else { 1987 u8 *data = skb->data; 1988 size_t len = skb_headlen(skb); 1989 skb->data -= align; 1990 memmove(skb->data, data, len); 1991 skb_set_tail_pointer(skb, len); 1992 } 1993 } 1994 } 1995 #endif 1996 1997 if (skb) { 1998 /* deliver to local stack */ 1999 skb->protocol = eth_type_trans(skb, dev); 2000 memset(skb->cb, 0, sizeof(skb->cb)); 2001 if (rx->local->napi) 2002 napi_gro_receive(rx->local->napi, skb); 2003 else 2004 netif_receive_skb(skb); 2005 } 2006 2007 if (xmit_skb) { 2008 /* 2009 * Send to wireless media and increase priority by 256 to 2010 * keep the received priority instead of reclassifying 2011 * the frame (see cfg80211_classify8021d). 2012 */ 2013 xmit_skb->priority += 256; 2014 xmit_skb->protocol = htons(ETH_P_802_3); 2015 skb_reset_network_header(xmit_skb); 2016 skb_reset_mac_header(xmit_skb); 2017 dev_queue_xmit(xmit_skb); 2018 } 2019 } 2020 2021 static ieee80211_rx_result debug_noinline 2022 ieee80211_rx_h_amsdu(struct ieee80211_rx_data *rx) 2023 { 2024 struct net_device *dev = rx->sdata->dev; 2025 struct sk_buff *skb = rx->skb; 2026 struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)skb->data; 2027 __le16 fc = hdr->frame_control; 2028 struct sk_buff_head frame_list; 2029 struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(rx->skb); 2030 2031 if (unlikely(!ieee80211_is_data(fc))) 2032 return RX_CONTINUE; 2033 2034 if (unlikely(!ieee80211_is_data_present(fc))) 2035 return RX_DROP_MONITOR; 2036 2037 if (!(status->rx_flags & IEEE80211_RX_AMSDU)) 2038 return RX_CONTINUE; 2039 2040 if (ieee80211_has_a4(hdr->frame_control) && 2041 rx->sdata->vif.type == NL80211_IFTYPE_AP_VLAN && 2042 !rx->sdata->u.vlan.sta) 2043 return RX_DROP_UNUSABLE; 2044 2045 if (is_multicast_ether_addr(hdr->addr1) && 2046 ((rx->sdata->vif.type == NL80211_IFTYPE_AP_VLAN && 2047 rx->sdata->u.vlan.sta) || 2048 (rx->sdata->vif.type == NL80211_IFTYPE_STATION && 2049 rx->sdata->u.mgd.use_4addr))) 2050 return RX_DROP_UNUSABLE; 2051 2052 skb->dev = dev; 2053 __skb_queue_head_init(&frame_list); 2054 2055 if (skb_linearize(skb)) 2056 return RX_DROP_UNUSABLE; 2057 2058 ieee80211_amsdu_to_8023s(skb, &frame_list, dev->dev_addr, 2059 rx->sdata->vif.type, 2060 rx->local->hw.extra_tx_headroom, true); 2061 2062 while (!skb_queue_empty(&frame_list)) { 2063 rx->skb = __skb_dequeue(&frame_list); 2064 2065 if (!ieee80211_frame_allowed(rx, fc)) { 2066 dev_kfree_skb(rx->skb); 2067 continue; 2068 } 2069 dev->stats.rx_packets++; 2070 dev->stats.rx_bytes += rx->skb->len; 2071 2072 ieee80211_deliver_skb(rx); 2073 } 2074 2075 return RX_QUEUED; 2076 } 2077 2078 #ifdef CONFIG_MAC80211_MESH 2079 static ieee80211_rx_result 2080 ieee80211_rx_h_mesh_fwding(struct ieee80211_rx_data *rx) 2081 { 2082 struct ieee80211_hdr *fwd_hdr, *hdr; 2083 struct ieee80211_tx_info *info; 2084 struct ieee80211s_hdr *mesh_hdr; 2085 struct sk_buff *skb = rx->skb, *fwd_skb; 2086 struct ieee80211_local *local = rx->local; 2087 struct ieee80211_sub_if_data *sdata = rx->sdata; 2088 struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(skb); 2089 struct ieee80211_if_mesh *ifmsh = &sdata->u.mesh; 2090 u16 q, hdrlen; 2091 2092 hdr = (struct ieee80211_hdr *) skb->data; 2093 hdrlen = ieee80211_hdrlen(hdr->frame_control); 2094 2095 /* make sure fixed part of mesh header is there, also checks skb len */ 2096 if (!pskb_may_pull(rx->skb, hdrlen + 6)) 2097 return RX_DROP_MONITOR; 2098 2099 mesh_hdr = (struct ieee80211s_hdr *) (skb->data + hdrlen); 2100 2101 /* make sure full mesh header is there, also checks skb len */ 2102 if (!pskb_may_pull(rx->skb, 2103 hdrlen + ieee80211_get_mesh_hdrlen(mesh_hdr))) 2104 return RX_DROP_MONITOR; 2105 2106 /* reload pointers */ 2107 hdr = (struct ieee80211_hdr *) skb->data; 2108 mesh_hdr = (struct ieee80211s_hdr *) (skb->data + hdrlen); 2109 2110 /* frame is in RMC, don't forward */ 2111 if (ieee80211_is_data(hdr->frame_control) && 2112 is_multicast_ether_addr(hdr->addr1) && 2113 mesh_rmc_check(rx->sdata, hdr->addr3, mesh_hdr)) 2114 return RX_DROP_MONITOR; 2115 2116 if (!ieee80211_is_data(hdr->frame_control) || 2117 !(status->rx_flags & IEEE80211_RX_RA_MATCH)) 2118 return RX_CONTINUE; 2119 2120 if (!mesh_hdr->ttl) 2121 return RX_DROP_MONITOR; 2122 2123 if (mesh_hdr->flags & MESH_FLAGS_AE) { 2124 struct mesh_path *mppath; 2125 char *proxied_addr; 2126 char *mpp_addr; 2127 2128 if (is_multicast_ether_addr(hdr->addr1)) { 2129 mpp_addr = hdr->addr3; 2130 proxied_addr = mesh_hdr->eaddr1; 2131 } else if (mesh_hdr->flags & MESH_FLAGS_AE_A5_A6) { 2132 /* has_a4 already checked in ieee80211_rx_mesh_check */ 2133 mpp_addr = hdr->addr4; 2134 proxied_addr = mesh_hdr->eaddr2; 2135 } else { 2136 return RX_DROP_MONITOR; 2137 } 2138 2139 rcu_read_lock(); 2140 mppath = mpp_path_lookup(sdata, proxied_addr); 2141 if (!mppath) { 2142 mpp_path_add(sdata, proxied_addr, mpp_addr); 2143 } else { 2144 spin_lock_bh(&mppath->state_lock); 2145 if (!ether_addr_equal(mppath->mpp, mpp_addr)) 2146 memcpy(mppath->mpp, mpp_addr, ETH_ALEN); 2147 spin_unlock_bh(&mppath->state_lock); 2148 } 2149 rcu_read_unlock(); 2150 } 2151 2152 /* Frame has reached destination. Don't forward */ 2153 if (!is_multicast_ether_addr(hdr->addr1) && 2154 ether_addr_equal(sdata->vif.addr, hdr->addr3)) 2155 return RX_CONTINUE; 2156 2157 q = ieee80211_select_queue_80211(sdata, skb, hdr); 2158 if (ieee80211_queue_stopped(&local->hw, q)) { 2159 IEEE80211_IFSTA_MESH_CTR_INC(ifmsh, dropped_frames_congestion); 2160 return RX_DROP_MONITOR; 2161 } 2162 skb_set_queue_mapping(skb, q); 2163 2164 if (!--mesh_hdr->ttl) { 2165 IEEE80211_IFSTA_MESH_CTR_INC(ifmsh, dropped_frames_ttl); 2166 goto out; 2167 } 2168 2169 if (!ifmsh->mshcfg.dot11MeshForwarding) 2170 goto out; 2171 2172 fwd_skb = skb_copy(skb, GFP_ATOMIC); 2173 if (!fwd_skb) { 2174 net_info_ratelimited("%s: failed to clone mesh frame\n", 2175 sdata->name); 2176 goto out; 2177 } 2178 2179 fwd_hdr = (struct ieee80211_hdr *) fwd_skb->data; 2180 fwd_hdr->frame_control &= ~cpu_to_le16(IEEE80211_FCTL_RETRY); 2181 info = IEEE80211_SKB_CB(fwd_skb); 2182 memset(info, 0, sizeof(*info)); 2183 info->flags |= IEEE80211_TX_INTFL_NEED_TXPROCESSING; 2184 info->control.vif = &rx->sdata->vif; 2185 info->control.jiffies = jiffies; 2186 if (is_multicast_ether_addr(fwd_hdr->addr1)) { 2187 IEEE80211_IFSTA_MESH_CTR_INC(ifmsh, fwded_mcast); 2188 memcpy(fwd_hdr->addr2, sdata->vif.addr, ETH_ALEN); 2189 /* update power mode indication when forwarding */ 2190 ieee80211_mps_set_frame_flags(sdata, NULL, fwd_hdr); 2191 } else if (!mesh_nexthop_lookup(sdata, fwd_skb)) { 2192 /* mesh power mode flags updated in mesh_nexthop_lookup */ 2193 IEEE80211_IFSTA_MESH_CTR_INC(ifmsh, fwded_unicast); 2194 } else { 2195 /* unable to resolve next hop */ 2196 mesh_path_error_tx(sdata, ifmsh->mshcfg.element_ttl, 2197 fwd_hdr->addr3, 0, 2198 WLAN_REASON_MESH_PATH_NOFORWARD, 2199 fwd_hdr->addr2); 2200 IEEE80211_IFSTA_MESH_CTR_INC(ifmsh, dropped_frames_no_route); 2201 kfree_skb(fwd_skb); 2202 return RX_DROP_MONITOR; 2203 } 2204 2205 IEEE80211_IFSTA_MESH_CTR_INC(ifmsh, fwded_frames); 2206 ieee80211_add_pending_skb(local, fwd_skb); 2207 out: 2208 if (is_multicast_ether_addr(hdr->addr1) || 2209 sdata->dev->flags & IFF_PROMISC) 2210 return RX_CONTINUE; 2211 else 2212 return RX_DROP_MONITOR; 2213 } 2214 #endif 2215 2216 static ieee80211_rx_result debug_noinline 2217 ieee80211_rx_h_data(struct ieee80211_rx_data *rx) 2218 { 2219 struct ieee80211_sub_if_data *sdata = rx->sdata; 2220 struct ieee80211_local *local = rx->local; 2221 struct net_device *dev = sdata->dev; 2222 struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)rx->skb->data; 2223 __le16 fc = hdr->frame_control; 2224 bool port_control; 2225 int err; 2226 2227 if (unlikely(!ieee80211_is_data(hdr->frame_control))) 2228 return RX_CONTINUE; 2229 2230 if (unlikely(!ieee80211_is_data_present(hdr->frame_control))) 2231 return RX_DROP_MONITOR; 2232 2233 /* 2234 * Send unexpected-4addr-frame event to hostapd. For older versions, 2235 * also drop the frame to cooked monitor interfaces. 2236 */ 2237 if (ieee80211_has_a4(hdr->frame_control) && 2238 sdata->vif.type == NL80211_IFTYPE_AP) { 2239 if (rx->sta && 2240 !test_and_set_sta_flag(rx->sta, WLAN_STA_4ADDR_EVENT)) 2241 cfg80211_rx_unexpected_4addr_frame( 2242 rx->sdata->dev, rx->sta->sta.addr, GFP_ATOMIC); 2243 return RX_DROP_MONITOR; 2244 } 2245 2246 err = __ieee80211_data_to_8023(rx, &port_control); 2247 if (unlikely(err)) 2248 return RX_DROP_UNUSABLE; 2249 2250 if (!ieee80211_frame_allowed(rx, fc)) 2251 return RX_DROP_MONITOR; 2252 2253 if (rx->sdata->vif.type == NL80211_IFTYPE_AP_VLAN && 2254 unlikely(port_control) && sdata->bss) { 2255 sdata = container_of(sdata->bss, struct ieee80211_sub_if_data, 2256 u.ap); 2257 dev = sdata->dev; 2258 rx->sdata = sdata; 2259 } 2260 2261 rx->skb->dev = dev; 2262 2263 dev->stats.rx_packets++; 2264 dev->stats.rx_bytes += rx->skb->len; 2265 2266 if (local->ps_sdata && local->hw.conf.dynamic_ps_timeout > 0 && 2267 !is_multicast_ether_addr( 2268 ((struct ethhdr *)rx->skb->data)->h_dest) && 2269 (!local->scanning && 2270 !test_bit(SDATA_STATE_OFFCHANNEL, &sdata->state))) { 2271 mod_timer(&local->dynamic_ps_timer, jiffies + 2272 msecs_to_jiffies(local->hw.conf.dynamic_ps_timeout)); 2273 } 2274 2275 ieee80211_deliver_skb(rx); 2276 2277 return RX_QUEUED; 2278 } 2279 2280 static ieee80211_rx_result debug_noinline 2281 ieee80211_rx_h_ctrl(struct ieee80211_rx_data *rx, struct sk_buff_head *frames) 2282 { 2283 struct sk_buff *skb = rx->skb; 2284 struct ieee80211_bar *bar = (struct ieee80211_bar *)skb->data; 2285 struct tid_ampdu_rx *tid_agg_rx; 2286 u16 start_seq_num; 2287 u16 tid; 2288 2289 if (likely(!ieee80211_is_ctl(bar->frame_control))) 2290 return RX_CONTINUE; 2291 2292 if (ieee80211_is_back_req(bar->frame_control)) { 2293 struct { 2294 __le16 control, start_seq_num; 2295 } __packed bar_data; 2296 2297 if (!rx->sta) 2298 return RX_DROP_MONITOR; 2299 2300 if (skb_copy_bits(skb, offsetof(struct ieee80211_bar, control), 2301 &bar_data, sizeof(bar_data))) 2302 return RX_DROP_MONITOR; 2303 2304 tid = le16_to_cpu(bar_data.control) >> 12; 2305 2306 tid_agg_rx = rcu_dereference(rx->sta->ampdu_mlme.tid_rx[tid]); 2307 if (!tid_agg_rx) 2308 return RX_DROP_MONITOR; 2309 2310 start_seq_num = le16_to_cpu(bar_data.start_seq_num) >> 4; 2311 2312 /* reset session timer */ 2313 if (tid_agg_rx->timeout) 2314 mod_timer(&tid_agg_rx->session_timer, 2315 TU_TO_EXP_TIME(tid_agg_rx->timeout)); 2316 2317 spin_lock(&tid_agg_rx->reorder_lock); 2318 /* release stored frames up to start of BAR */ 2319 ieee80211_release_reorder_frames(rx->sdata, tid_agg_rx, 2320 start_seq_num, frames); 2321 spin_unlock(&tid_agg_rx->reorder_lock); 2322 2323 kfree_skb(skb); 2324 return RX_QUEUED; 2325 } 2326 2327 /* 2328 * After this point, we only want management frames, 2329 * so we can drop all remaining control frames to 2330 * cooked monitor interfaces. 2331 */ 2332 return RX_DROP_MONITOR; 2333 } 2334 2335 static void ieee80211_process_sa_query_req(struct ieee80211_sub_if_data *sdata, 2336 struct ieee80211_mgmt *mgmt, 2337 size_t len) 2338 { 2339 struct ieee80211_local *local = sdata->local; 2340 struct sk_buff *skb; 2341 struct ieee80211_mgmt *resp; 2342 2343 if (!ether_addr_equal(mgmt->da, sdata->vif.addr)) { 2344 /* Not to own unicast address */ 2345 return; 2346 } 2347 2348 if (!ether_addr_equal(mgmt->sa, sdata->u.mgd.bssid) || 2349 !ether_addr_equal(mgmt->bssid, sdata->u.mgd.bssid)) { 2350 /* Not from the current AP or not associated yet. */ 2351 return; 2352 } 2353 2354 if (len < 24 + 1 + sizeof(resp->u.action.u.sa_query)) { 2355 /* Too short SA Query request frame */ 2356 return; 2357 } 2358 2359 skb = dev_alloc_skb(sizeof(*resp) + local->hw.extra_tx_headroom); 2360 if (skb == NULL) 2361 return; 2362 2363 skb_reserve(skb, local->hw.extra_tx_headroom); 2364 resp = (struct ieee80211_mgmt *) skb_put(skb, 24); 2365 memset(resp, 0, 24); 2366 memcpy(resp->da, mgmt->sa, ETH_ALEN); 2367 memcpy(resp->sa, sdata->vif.addr, ETH_ALEN); 2368 memcpy(resp->bssid, sdata->u.mgd.bssid, ETH_ALEN); 2369 resp->frame_control = cpu_to_le16(IEEE80211_FTYPE_MGMT | 2370 IEEE80211_STYPE_ACTION); 2371 skb_put(skb, 1 + sizeof(resp->u.action.u.sa_query)); 2372 resp->u.action.category = WLAN_CATEGORY_SA_QUERY; 2373 resp->u.action.u.sa_query.action = WLAN_ACTION_SA_QUERY_RESPONSE; 2374 memcpy(resp->u.action.u.sa_query.trans_id, 2375 mgmt->u.action.u.sa_query.trans_id, 2376 WLAN_SA_QUERY_TR_ID_LEN); 2377 2378 ieee80211_tx_skb(sdata, skb); 2379 } 2380 2381 static ieee80211_rx_result debug_noinline 2382 ieee80211_rx_h_mgmt_check(struct ieee80211_rx_data *rx) 2383 { 2384 struct ieee80211_mgmt *mgmt = (struct ieee80211_mgmt *) rx->skb->data; 2385 struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(rx->skb); 2386 2387 /* 2388 * From here on, look only at management frames. 2389 * Data and control frames are already handled, 2390 * and unknown (reserved) frames are useless. 2391 */ 2392 if (rx->skb->len < 24) 2393 return RX_DROP_MONITOR; 2394 2395 if (!ieee80211_is_mgmt(mgmt->frame_control)) 2396 return RX_DROP_MONITOR; 2397 2398 if (rx->sdata->vif.type == NL80211_IFTYPE_AP && 2399 ieee80211_is_beacon(mgmt->frame_control) && 2400 !(rx->flags & IEEE80211_RX_BEACON_REPORTED)) { 2401 int sig = 0; 2402 2403 if (rx->local->hw.flags & IEEE80211_HW_SIGNAL_DBM) 2404 sig = status->signal; 2405 2406 cfg80211_report_obss_beacon(rx->local->hw.wiphy, 2407 rx->skb->data, rx->skb->len, 2408 status->freq, sig); 2409 rx->flags |= IEEE80211_RX_BEACON_REPORTED; 2410 } 2411 2412 if (!(status->rx_flags & IEEE80211_RX_RA_MATCH)) 2413 return RX_DROP_MONITOR; 2414 2415 if (ieee80211_drop_unencrypted_mgmt(rx)) 2416 return RX_DROP_UNUSABLE; 2417 2418 return RX_CONTINUE; 2419 } 2420 2421 static ieee80211_rx_result debug_noinline 2422 ieee80211_rx_h_action(struct ieee80211_rx_data *rx) 2423 { 2424 struct ieee80211_local *local = rx->local; 2425 struct ieee80211_sub_if_data *sdata = rx->sdata; 2426 struct ieee80211_mgmt *mgmt = (struct ieee80211_mgmt *) rx->skb->data; 2427 struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(rx->skb); 2428 int len = rx->skb->len; 2429 2430 if (!ieee80211_is_action(mgmt->frame_control)) 2431 return RX_CONTINUE; 2432 2433 /* drop too small frames */ 2434 if (len < IEEE80211_MIN_ACTION_SIZE) 2435 return RX_DROP_UNUSABLE; 2436 2437 if (!rx->sta && mgmt->u.action.category != WLAN_CATEGORY_PUBLIC && 2438 mgmt->u.action.category != WLAN_CATEGORY_SELF_PROTECTED && 2439 mgmt->u.action.category != WLAN_CATEGORY_SPECTRUM_MGMT) 2440 return RX_DROP_UNUSABLE; 2441 2442 if (!(status->rx_flags & IEEE80211_RX_RA_MATCH)) 2443 return RX_DROP_UNUSABLE; 2444 2445 switch (mgmt->u.action.category) { 2446 case WLAN_CATEGORY_HT: 2447 /* reject HT action frames from stations not supporting HT */ 2448 if (!rx->sta->sta.ht_cap.ht_supported) 2449 goto invalid; 2450 2451 if (sdata->vif.type != NL80211_IFTYPE_STATION && 2452 sdata->vif.type != NL80211_IFTYPE_MESH_POINT && 2453 sdata->vif.type != NL80211_IFTYPE_AP_VLAN && 2454 sdata->vif.type != NL80211_IFTYPE_AP && 2455 sdata->vif.type != NL80211_IFTYPE_ADHOC) 2456 break; 2457 2458 /* verify action & smps_control/chanwidth are present */ 2459 if (len < IEEE80211_MIN_ACTION_SIZE + 2) 2460 goto invalid; 2461 2462 switch (mgmt->u.action.u.ht_smps.action) { 2463 case WLAN_HT_ACTION_SMPS: { 2464 struct ieee80211_supported_band *sband; 2465 enum ieee80211_smps_mode smps_mode; 2466 2467 /* convert to HT capability */ 2468 switch (mgmt->u.action.u.ht_smps.smps_control) { 2469 case WLAN_HT_SMPS_CONTROL_DISABLED: 2470 smps_mode = IEEE80211_SMPS_OFF; 2471 break; 2472 case WLAN_HT_SMPS_CONTROL_STATIC: 2473 smps_mode = IEEE80211_SMPS_STATIC; 2474 break; 2475 case WLAN_HT_SMPS_CONTROL_DYNAMIC: 2476 smps_mode = IEEE80211_SMPS_DYNAMIC; 2477 break; 2478 default: 2479 goto invalid; 2480 } 2481 2482 /* if no change do nothing */ 2483 if (rx->sta->sta.smps_mode == smps_mode) 2484 goto handled; 2485 rx->sta->sta.smps_mode = smps_mode; 2486 2487 sband = rx->local->hw.wiphy->bands[status->band]; 2488 2489 rate_control_rate_update(local, sband, rx->sta, 2490 IEEE80211_RC_SMPS_CHANGED); 2491 goto handled; 2492 } 2493 case WLAN_HT_ACTION_NOTIFY_CHANWIDTH: { 2494 struct ieee80211_supported_band *sband; 2495 u8 chanwidth = mgmt->u.action.u.ht_notify_cw.chanwidth; 2496 enum ieee80211_sta_rx_bandwidth new_bw; 2497 2498 /* If it doesn't support 40 MHz it can't change ... */ 2499 if (!(rx->sta->sta.ht_cap.cap & 2500 IEEE80211_HT_CAP_SUP_WIDTH_20_40)) 2501 goto handled; 2502 2503 if (chanwidth == IEEE80211_HT_CHANWIDTH_20MHZ) 2504 new_bw = IEEE80211_STA_RX_BW_20; 2505 else 2506 new_bw = ieee80211_sta_cur_vht_bw(rx->sta); 2507 2508 if (rx->sta->sta.bandwidth == new_bw) 2509 goto handled; 2510 2511 sband = rx->local->hw.wiphy->bands[status->band]; 2512 2513 rate_control_rate_update(local, sband, rx->sta, 2514 IEEE80211_RC_BW_CHANGED); 2515 goto handled; 2516 } 2517 default: 2518 goto invalid; 2519 } 2520 2521 break; 2522 case WLAN_CATEGORY_PUBLIC: 2523 if (len < IEEE80211_MIN_ACTION_SIZE + 1) 2524 goto invalid; 2525 if (sdata->vif.type != NL80211_IFTYPE_STATION) 2526 break; 2527 if (!rx->sta) 2528 break; 2529 if (!ether_addr_equal(mgmt->bssid, sdata->u.mgd.bssid)) 2530 break; 2531 if (mgmt->u.action.u.ext_chan_switch.action_code != 2532 WLAN_PUB_ACTION_EXT_CHANSW_ANN) 2533 break; 2534 if (len < offsetof(struct ieee80211_mgmt, 2535 u.action.u.ext_chan_switch.variable)) 2536 goto invalid; 2537 goto queue; 2538 case WLAN_CATEGORY_VHT: 2539 if (sdata->vif.type != NL80211_IFTYPE_STATION && 2540 sdata->vif.type != NL80211_IFTYPE_MESH_POINT && 2541 sdata->vif.type != NL80211_IFTYPE_AP_VLAN && 2542 sdata->vif.type != NL80211_IFTYPE_AP && 2543 sdata->vif.type != NL80211_IFTYPE_ADHOC) 2544 break; 2545 2546 /* verify action code is present */ 2547 if (len < IEEE80211_MIN_ACTION_SIZE + 1) 2548 goto invalid; 2549 2550 switch (mgmt->u.action.u.vht_opmode_notif.action_code) { 2551 case WLAN_VHT_ACTION_OPMODE_NOTIF: { 2552 u8 opmode; 2553 2554 /* verify opmode is present */ 2555 if (len < IEEE80211_MIN_ACTION_SIZE + 2) 2556 goto invalid; 2557 2558 opmode = mgmt->u.action.u.vht_opmode_notif.operating_mode; 2559 2560 ieee80211_vht_handle_opmode(rx->sdata, rx->sta, 2561 opmode, status->band, 2562 false); 2563 goto handled; 2564 } 2565 default: 2566 break; 2567 } 2568 break; 2569 case WLAN_CATEGORY_BACK: 2570 if (sdata->vif.type != NL80211_IFTYPE_STATION && 2571 sdata->vif.type != NL80211_IFTYPE_MESH_POINT && 2572 sdata->vif.type != NL80211_IFTYPE_AP_VLAN && 2573 sdata->vif.type != NL80211_IFTYPE_AP && 2574 sdata->vif.type != NL80211_IFTYPE_ADHOC) 2575 break; 2576 2577 /* verify action_code is present */ 2578 if (len < IEEE80211_MIN_ACTION_SIZE + 1) 2579 break; 2580 2581 switch (mgmt->u.action.u.addba_req.action_code) { 2582 case WLAN_ACTION_ADDBA_REQ: 2583 if (len < (IEEE80211_MIN_ACTION_SIZE + 2584 sizeof(mgmt->u.action.u.addba_req))) 2585 goto invalid; 2586 break; 2587 case WLAN_ACTION_ADDBA_RESP: 2588 if (len < (IEEE80211_MIN_ACTION_SIZE + 2589 sizeof(mgmt->u.action.u.addba_resp))) 2590 goto invalid; 2591 break; 2592 case WLAN_ACTION_DELBA: 2593 if (len < (IEEE80211_MIN_ACTION_SIZE + 2594 sizeof(mgmt->u.action.u.delba))) 2595 goto invalid; 2596 break; 2597 default: 2598 goto invalid; 2599 } 2600 2601 goto queue; 2602 case WLAN_CATEGORY_SPECTRUM_MGMT: 2603 /* verify action_code is present */ 2604 if (len < IEEE80211_MIN_ACTION_SIZE + 1) 2605 break; 2606 2607 switch (mgmt->u.action.u.measurement.action_code) { 2608 case WLAN_ACTION_SPCT_MSR_REQ: 2609 if (status->band != IEEE80211_BAND_5GHZ) 2610 break; 2611 2612 if (len < (IEEE80211_MIN_ACTION_SIZE + 2613 sizeof(mgmt->u.action.u.measurement))) 2614 break; 2615 2616 if (sdata->vif.type != NL80211_IFTYPE_STATION) 2617 break; 2618 2619 ieee80211_process_measurement_req(sdata, mgmt, len); 2620 goto handled; 2621 case WLAN_ACTION_SPCT_CHL_SWITCH: { 2622 u8 *bssid; 2623 if (len < (IEEE80211_MIN_ACTION_SIZE + 2624 sizeof(mgmt->u.action.u.chan_switch))) 2625 break; 2626 2627 if (sdata->vif.type != NL80211_IFTYPE_STATION && 2628 sdata->vif.type != NL80211_IFTYPE_ADHOC && 2629 sdata->vif.type != NL80211_IFTYPE_MESH_POINT) 2630 break; 2631 2632 if (sdata->vif.type == NL80211_IFTYPE_STATION) 2633 bssid = sdata->u.mgd.bssid; 2634 else if (sdata->vif.type == NL80211_IFTYPE_ADHOC) 2635 bssid = sdata->u.ibss.bssid; 2636 else if (sdata->vif.type == NL80211_IFTYPE_MESH_POINT) 2637 bssid = mgmt->sa; 2638 else 2639 break; 2640 2641 if (!ether_addr_equal(mgmt->bssid, bssid)) 2642 break; 2643 2644 goto queue; 2645 } 2646 } 2647 break; 2648 case WLAN_CATEGORY_SA_QUERY: 2649 if (len < (IEEE80211_MIN_ACTION_SIZE + 2650 sizeof(mgmt->u.action.u.sa_query))) 2651 break; 2652 2653 switch (mgmt->u.action.u.sa_query.action) { 2654 case WLAN_ACTION_SA_QUERY_REQUEST: 2655 if (sdata->vif.type != NL80211_IFTYPE_STATION) 2656 break; 2657 ieee80211_process_sa_query_req(sdata, mgmt, len); 2658 goto handled; 2659 } 2660 break; 2661 case WLAN_CATEGORY_SELF_PROTECTED: 2662 if (len < (IEEE80211_MIN_ACTION_SIZE + 2663 sizeof(mgmt->u.action.u.self_prot.action_code))) 2664 break; 2665 2666 switch (mgmt->u.action.u.self_prot.action_code) { 2667 case WLAN_SP_MESH_PEERING_OPEN: 2668 case WLAN_SP_MESH_PEERING_CLOSE: 2669 case WLAN_SP_MESH_PEERING_CONFIRM: 2670 if (!ieee80211_vif_is_mesh(&sdata->vif)) 2671 goto invalid; 2672 if (sdata->u.mesh.user_mpm) 2673 /* userspace handles this frame */ 2674 break; 2675 goto queue; 2676 case WLAN_SP_MGK_INFORM: 2677 case WLAN_SP_MGK_ACK: 2678 if (!ieee80211_vif_is_mesh(&sdata->vif)) 2679 goto invalid; 2680 break; 2681 } 2682 break; 2683 case WLAN_CATEGORY_MESH_ACTION: 2684 if (len < (IEEE80211_MIN_ACTION_SIZE + 2685 sizeof(mgmt->u.action.u.mesh_action.action_code))) 2686 break; 2687 2688 if (!ieee80211_vif_is_mesh(&sdata->vif)) 2689 break; 2690 if (mesh_action_is_path_sel(mgmt) && 2691 !mesh_path_sel_is_hwmp(sdata)) 2692 break; 2693 goto queue; 2694 } 2695 2696 return RX_CONTINUE; 2697 2698 invalid: 2699 status->rx_flags |= IEEE80211_RX_MALFORMED_ACTION_FRM; 2700 /* will return in the next handlers */ 2701 return RX_CONTINUE; 2702 2703 handled: 2704 if (rx->sta) 2705 rx->sta->rx_packets++; 2706 dev_kfree_skb(rx->skb); 2707 return RX_QUEUED; 2708 2709 queue: 2710 rx->skb->pkt_type = IEEE80211_SDATA_QUEUE_TYPE_FRAME; 2711 skb_queue_tail(&sdata->skb_queue, rx->skb); 2712 ieee80211_queue_work(&local->hw, &sdata->work); 2713 if (rx->sta) 2714 rx->sta->rx_packets++; 2715 return RX_QUEUED; 2716 } 2717 2718 static ieee80211_rx_result debug_noinline 2719 ieee80211_rx_h_userspace_mgmt(struct ieee80211_rx_data *rx) 2720 { 2721 struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(rx->skb); 2722 int sig = 0; 2723 2724 /* skip known-bad action frames and return them in the next handler */ 2725 if (status->rx_flags & IEEE80211_RX_MALFORMED_ACTION_FRM) 2726 return RX_CONTINUE; 2727 2728 /* 2729 * Getting here means the kernel doesn't know how to handle 2730 * it, but maybe userspace does ... include returned frames 2731 * so userspace can register for those to know whether ones 2732 * it transmitted were processed or returned. 2733 */ 2734 2735 if (rx->local->hw.flags & IEEE80211_HW_SIGNAL_DBM) 2736 sig = status->signal; 2737 2738 if (cfg80211_rx_mgmt(&rx->sdata->wdev, status->freq, sig, 2739 rx->skb->data, rx->skb->len, 0)) { 2740 if (rx->sta) 2741 rx->sta->rx_packets++; 2742 dev_kfree_skb(rx->skb); 2743 return RX_QUEUED; 2744 } 2745 2746 return RX_CONTINUE; 2747 } 2748 2749 static ieee80211_rx_result debug_noinline 2750 ieee80211_rx_h_action_return(struct ieee80211_rx_data *rx) 2751 { 2752 struct ieee80211_local *local = rx->local; 2753 struct ieee80211_mgmt *mgmt = (struct ieee80211_mgmt *) rx->skb->data; 2754 struct sk_buff *nskb; 2755 struct ieee80211_sub_if_data *sdata = rx->sdata; 2756 struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(rx->skb); 2757 2758 if (!ieee80211_is_action(mgmt->frame_control)) 2759 return RX_CONTINUE; 2760 2761 /* 2762 * For AP mode, hostapd is responsible for handling any action 2763 * frames that we didn't handle, including returning unknown 2764 * ones. For all other modes we will return them to the sender, 2765 * setting the 0x80 bit in the action category, as required by 2766 * 802.11-2012 9.24.4. 2767 * Newer versions of hostapd shall also use the management frame 2768 * registration mechanisms, but older ones still use cooked 2769 * monitor interfaces so push all frames there. 2770 */ 2771 if (!(status->rx_flags & IEEE80211_RX_MALFORMED_ACTION_FRM) && 2772 (sdata->vif.type == NL80211_IFTYPE_AP || 2773 sdata->vif.type == NL80211_IFTYPE_AP_VLAN)) 2774 return RX_DROP_MONITOR; 2775 2776 if (is_multicast_ether_addr(mgmt->da)) 2777 return RX_DROP_MONITOR; 2778 2779 /* do not return rejected action frames */ 2780 if (mgmt->u.action.category & 0x80) 2781 return RX_DROP_UNUSABLE; 2782 2783 nskb = skb_copy_expand(rx->skb, local->hw.extra_tx_headroom, 0, 2784 GFP_ATOMIC); 2785 if (nskb) { 2786 struct ieee80211_mgmt *nmgmt = (void *)nskb->data; 2787 2788 nmgmt->u.action.category |= 0x80; 2789 memcpy(nmgmt->da, nmgmt->sa, ETH_ALEN); 2790 memcpy(nmgmt->sa, rx->sdata->vif.addr, ETH_ALEN); 2791 2792 memset(nskb->cb, 0, sizeof(nskb->cb)); 2793 2794 if (rx->sdata->vif.type == NL80211_IFTYPE_P2P_DEVICE) { 2795 struct ieee80211_tx_info *info = IEEE80211_SKB_CB(nskb); 2796 2797 info->flags = IEEE80211_TX_CTL_TX_OFFCHAN | 2798 IEEE80211_TX_INTFL_OFFCHAN_TX_OK | 2799 IEEE80211_TX_CTL_NO_CCK_RATE; 2800 if (local->hw.flags & IEEE80211_HW_QUEUE_CONTROL) 2801 info->hw_queue = 2802 local->hw.offchannel_tx_hw_queue; 2803 } 2804 2805 __ieee80211_tx_skb_tid_band(rx->sdata, nskb, 7, 2806 status->band); 2807 } 2808 dev_kfree_skb(rx->skb); 2809 return RX_QUEUED; 2810 } 2811 2812 static ieee80211_rx_result debug_noinline 2813 ieee80211_rx_h_mgmt(struct ieee80211_rx_data *rx) 2814 { 2815 struct ieee80211_sub_if_data *sdata = rx->sdata; 2816 struct ieee80211_mgmt *mgmt = (void *)rx->skb->data; 2817 __le16 stype; 2818 2819 stype = mgmt->frame_control & cpu_to_le16(IEEE80211_FCTL_STYPE); 2820 2821 if (!ieee80211_vif_is_mesh(&sdata->vif) && 2822 sdata->vif.type != NL80211_IFTYPE_ADHOC && 2823 sdata->vif.type != NL80211_IFTYPE_STATION) 2824 return RX_DROP_MONITOR; 2825 2826 switch (stype) { 2827 case cpu_to_le16(IEEE80211_STYPE_AUTH): 2828 case cpu_to_le16(IEEE80211_STYPE_BEACON): 2829 case cpu_to_le16(IEEE80211_STYPE_PROBE_RESP): 2830 /* process for all: mesh, mlme, ibss */ 2831 break; 2832 case cpu_to_le16(IEEE80211_STYPE_ASSOC_RESP): 2833 case cpu_to_le16(IEEE80211_STYPE_REASSOC_RESP): 2834 case cpu_to_le16(IEEE80211_STYPE_DEAUTH): 2835 case cpu_to_le16(IEEE80211_STYPE_DISASSOC): 2836 if (is_multicast_ether_addr(mgmt->da) && 2837 !is_broadcast_ether_addr(mgmt->da)) 2838 return RX_DROP_MONITOR; 2839 2840 /* process only for station */ 2841 if (sdata->vif.type != NL80211_IFTYPE_STATION) 2842 return RX_DROP_MONITOR; 2843 break; 2844 case cpu_to_le16(IEEE80211_STYPE_PROBE_REQ): 2845 /* process only for ibss and mesh */ 2846 if (sdata->vif.type != NL80211_IFTYPE_ADHOC && 2847 sdata->vif.type != NL80211_IFTYPE_MESH_POINT) 2848 return RX_DROP_MONITOR; 2849 break; 2850 default: 2851 return RX_DROP_MONITOR; 2852 } 2853 2854 /* queue up frame and kick off work to process it */ 2855 rx->skb->pkt_type = IEEE80211_SDATA_QUEUE_TYPE_FRAME; 2856 skb_queue_tail(&sdata->skb_queue, rx->skb); 2857 ieee80211_queue_work(&rx->local->hw, &sdata->work); 2858 if (rx->sta) 2859 rx->sta->rx_packets++; 2860 2861 return RX_QUEUED; 2862 } 2863 2864 /* TODO: use IEEE80211_RX_FRAGMENTED */ 2865 static void ieee80211_rx_cooked_monitor(struct ieee80211_rx_data *rx, 2866 struct ieee80211_rate *rate) 2867 { 2868 struct ieee80211_sub_if_data *sdata; 2869 struct ieee80211_local *local = rx->local; 2870 struct sk_buff *skb = rx->skb, *skb2; 2871 struct net_device *prev_dev = NULL; 2872 struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(skb); 2873 int needed_headroom; 2874 2875 /* 2876 * If cooked monitor has been processed already, then 2877 * don't do it again. If not, set the flag. 2878 */ 2879 if (rx->flags & IEEE80211_RX_CMNTR) 2880 goto out_free_skb; 2881 rx->flags |= IEEE80211_RX_CMNTR; 2882 2883 /* If there are no cooked monitor interfaces, just free the SKB */ 2884 if (!local->cooked_mntrs) 2885 goto out_free_skb; 2886 2887 /* room for the radiotap header based on driver features */ 2888 needed_headroom = ieee80211_rx_radiotap_space(local, status); 2889 2890 if (skb_headroom(skb) < needed_headroom && 2891 pskb_expand_head(skb, needed_headroom, 0, GFP_ATOMIC)) 2892 goto out_free_skb; 2893 2894 /* prepend radiotap information */ 2895 ieee80211_add_rx_radiotap_header(local, skb, rate, needed_headroom, 2896 false); 2897 2898 skb_set_mac_header(skb, 0); 2899 skb->ip_summed = CHECKSUM_UNNECESSARY; 2900 skb->pkt_type = PACKET_OTHERHOST; 2901 skb->protocol = htons(ETH_P_802_2); 2902 2903 list_for_each_entry_rcu(sdata, &local->interfaces, list) { 2904 if (!ieee80211_sdata_running(sdata)) 2905 continue; 2906 2907 if (sdata->vif.type != NL80211_IFTYPE_MONITOR || 2908 !(sdata->u.mntr_flags & MONITOR_FLAG_COOK_FRAMES)) 2909 continue; 2910 2911 if (prev_dev) { 2912 skb2 = skb_clone(skb, GFP_ATOMIC); 2913 if (skb2) { 2914 skb2->dev = prev_dev; 2915 netif_receive_skb(skb2); 2916 } 2917 } 2918 2919 prev_dev = sdata->dev; 2920 sdata->dev->stats.rx_packets++; 2921 sdata->dev->stats.rx_bytes += skb->len; 2922 } 2923 2924 if (prev_dev) { 2925 skb->dev = prev_dev; 2926 netif_receive_skb(skb); 2927 return; 2928 } 2929 2930 out_free_skb: 2931 dev_kfree_skb(skb); 2932 } 2933 2934 static void ieee80211_rx_handlers_result(struct ieee80211_rx_data *rx, 2935 ieee80211_rx_result res) 2936 { 2937 switch (res) { 2938 case RX_DROP_MONITOR: 2939 I802_DEBUG_INC(rx->sdata->local->rx_handlers_drop); 2940 if (rx->sta) 2941 rx->sta->rx_dropped++; 2942 /* fall through */ 2943 case RX_CONTINUE: { 2944 struct ieee80211_rate *rate = NULL; 2945 struct ieee80211_supported_band *sband; 2946 struct ieee80211_rx_status *status; 2947 2948 status = IEEE80211_SKB_RXCB((rx->skb)); 2949 2950 sband = rx->local->hw.wiphy->bands[status->band]; 2951 if (!(status->flag & RX_FLAG_HT) && 2952 !(status->flag & RX_FLAG_VHT)) 2953 rate = &sband->bitrates[status->rate_idx]; 2954 2955 ieee80211_rx_cooked_monitor(rx, rate); 2956 break; 2957 } 2958 case RX_DROP_UNUSABLE: 2959 I802_DEBUG_INC(rx->sdata->local->rx_handlers_drop); 2960 if (rx->sta) 2961 rx->sta->rx_dropped++; 2962 dev_kfree_skb(rx->skb); 2963 break; 2964 case RX_QUEUED: 2965 I802_DEBUG_INC(rx->sdata->local->rx_handlers_queued); 2966 break; 2967 } 2968 } 2969 2970 static void ieee80211_rx_handlers(struct ieee80211_rx_data *rx, 2971 struct sk_buff_head *frames) 2972 { 2973 ieee80211_rx_result res = RX_DROP_MONITOR; 2974 struct sk_buff *skb; 2975 2976 #define CALL_RXH(rxh) \ 2977 do { \ 2978 res = rxh(rx); \ 2979 if (res != RX_CONTINUE) \ 2980 goto rxh_next; \ 2981 } while (0); 2982 2983 spin_lock_bh(&rx->local->rx_path_lock); 2984 2985 while ((skb = __skb_dequeue(frames))) { 2986 /* 2987 * all the other fields are valid across frames 2988 * that belong to an aMPDU since they are on the 2989 * same TID from the same station 2990 */ 2991 rx->skb = skb; 2992 2993 CALL_RXH(ieee80211_rx_h_check_more_data) 2994 CALL_RXH(ieee80211_rx_h_uapsd_and_pspoll) 2995 CALL_RXH(ieee80211_rx_h_sta_process) 2996 CALL_RXH(ieee80211_rx_h_decrypt) 2997 CALL_RXH(ieee80211_rx_h_defragment) 2998 CALL_RXH(ieee80211_rx_h_michael_mic_verify) 2999 /* must be after MMIC verify so header is counted in MPDU mic */ 3000 #ifdef CONFIG_MAC80211_MESH 3001 if (ieee80211_vif_is_mesh(&rx->sdata->vif)) 3002 CALL_RXH(ieee80211_rx_h_mesh_fwding); 3003 #endif 3004 CALL_RXH(ieee80211_rx_h_amsdu) 3005 CALL_RXH(ieee80211_rx_h_data) 3006 3007 /* special treatment -- needs the queue */ 3008 res = ieee80211_rx_h_ctrl(rx, frames); 3009 if (res != RX_CONTINUE) 3010 goto rxh_next; 3011 3012 CALL_RXH(ieee80211_rx_h_mgmt_check) 3013 CALL_RXH(ieee80211_rx_h_action) 3014 CALL_RXH(ieee80211_rx_h_userspace_mgmt) 3015 CALL_RXH(ieee80211_rx_h_action_return) 3016 CALL_RXH(ieee80211_rx_h_mgmt) 3017 3018 rxh_next: 3019 ieee80211_rx_handlers_result(rx, res); 3020 3021 #undef CALL_RXH 3022 } 3023 3024 spin_unlock_bh(&rx->local->rx_path_lock); 3025 } 3026 3027 static void ieee80211_invoke_rx_handlers(struct ieee80211_rx_data *rx) 3028 { 3029 struct sk_buff_head reorder_release; 3030 ieee80211_rx_result res = RX_DROP_MONITOR; 3031 3032 __skb_queue_head_init(&reorder_release); 3033 3034 #define CALL_RXH(rxh) \ 3035 do { \ 3036 res = rxh(rx); \ 3037 if (res != RX_CONTINUE) \ 3038 goto rxh_next; \ 3039 } while (0); 3040 3041 CALL_RXH(ieee80211_rx_h_check) 3042 3043 ieee80211_rx_reorder_ampdu(rx, &reorder_release); 3044 3045 ieee80211_rx_handlers(rx, &reorder_release); 3046 return; 3047 3048 rxh_next: 3049 ieee80211_rx_handlers_result(rx, res); 3050 3051 #undef CALL_RXH 3052 } 3053 3054 /* 3055 * This function makes calls into the RX path, therefore 3056 * it has to be invoked under RCU read lock. 3057 */ 3058 void ieee80211_release_reorder_timeout(struct sta_info *sta, int tid) 3059 { 3060 struct sk_buff_head frames; 3061 struct ieee80211_rx_data rx = { 3062 .sta = sta, 3063 .sdata = sta->sdata, 3064 .local = sta->local, 3065 /* This is OK -- must be QoS data frame */ 3066 .security_idx = tid, 3067 .seqno_idx = tid, 3068 .flags = 0, 3069 }; 3070 struct tid_ampdu_rx *tid_agg_rx; 3071 3072 tid_agg_rx = rcu_dereference(sta->ampdu_mlme.tid_rx[tid]); 3073 if (!tid_agg_rx) 3074 return; 3075 3076 __skb_queue_head_init(&frames); 3077 3078 spin_lock(&tid_agg_rx->reorder_lock); 3079 ieee80211_sta_reorder_release(sta->sdata, tid_agg_rx, &frames); 3080 spin_unlock(&tid_agg_rx->reorder_lock); 3081 3082 ieee80211_rx_handlers(&rx, &frames); 3083 } 3084 3085 /* main receive path */ 3086 3087 static bool prepare_for_handlers(struct ieee80211_rx_data *rx, 3088 struct ieee80211_hdr *hdr) 3089 { 3090 struct ieee80211_sub_if_data *sdata = rx->sdata; 3091 struct sk_buff *skb = rx->skb; 3092 struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(skb); 3093 u8 *bssid = ieee80211_get_bssid(hdr, skb->len, sdata->vif.type); 3094 int multicast = is_multicast_ether_addr(hdr->addr1); 3095 3096 switch (sdata->vif.type) { 3097 case NL80211_IFTYPE_STATION: 3098 if (!bssid && !sdata->u.mgd.use_4addr) 3099 return false; 3100 if (!multicast && 3101 !ether_addr_equal(sdata->vif.addr, hdr->addr1)) { 3102 if (!(sdata->dev->flags & IFF_PROMISC) || 3103 sdata->u.mgd.use_4addr) 3104 return false; 3105 status->rx_flags &= ~IEEE80211_RX_RA_MATCH; 3106 } 3107 break; 3108 case NL80211_IFTYPE_ADHOC: 3109 if (!bssid) 3110 return false; 3111 if (ether_addr_equal(sdata->vif.addr, hdr->addr2) || 3112 ether_addr_equal(sdata->u.ibss.bssid, hdr->addr2)) 3113 return false; 3114 if (ieee80211_is_beacon(hdr->frame_control)) { 3115 return true; 3116 } else if (!ieee80211_bssid_match(bssid, sdata->u.ibss.bssid)) { 3117 return false; 3118 } else if (!multicast && 3119 !ether_addr_equal(sdata->vif.addr, hdr->addr1)) { 3120 if (!(sdata->dev->flags & IFF_PROMISC)) 3121 return false; 3122 status->rx_flags &= ~IEEE80211_RX_RA_MATCH; 3123 } else if (!rx->sta) { 3124 int rate_idx; 3125 if (status->flag & (RX_FLAG_HT | RX_FLAG_VHT)) 3126 rate_idx = 0; /* TODO: HT/VHT rates */ 3127 else 3128 rate_idx = status->rate_idx; 3129 ieee80211_ibss_rx_no_sta(sdata, bssid, hdr->addr2, 3130 BIT(rate_idx)); 3131 } 3132 break; 3133 case NL80211_IFTYPE_MESH_POINT: 3134 if (!multicast && 3135 !ether_addr_equal(sdata->vif.addr, hdr->addr1)) { 3136 if (!(sdata->dev->flags & IFF_PROMISC)) 3137 return false; 3138 3139 status->rx_flags &= ~IEEE80211_RX_RA_MATCH; 3140 } 3141 break; 3142 case NL80211_IFTYPE_AP_VLAN: 3143 case NL80211_IFTYPE_AP: 3144 if (!bssid) { 3145 if (!ether_addr_equal(sdata->vif.addr, hdr->addr1)) 3146 return false; 3147 } else if (!ieee80211_bssid_match(bssid, sdata->vif.addr)) { 3148 /* 3149 * Accept public action frames even when the 3150 * BSSID doesn't match, this is used for P2P 3151 * and location updates. Note that mac80211 3152 * itself never looks at these frames. 3153 */ 3154 if (!multicast && 3155 !ether_addr_equal(sdata->vif.addr, hdr->addr1)) 3156 return false; 3157 if (ieee80211_is_public_action(hdr, skb->len)) 3158 return true; 3159 if (!ieee80211_is_beacon(hdr->frame_control)) 3160 return false; 3161 status->rx_flags &= ~IEEE80211_RX_RA_MATCH; 3162 } else if (!ieee80211_has_tods(hdr->frame_control)) { 3163 /* ignore data frames to TDLS-peers */ 3164 if (ieee80211_is_data(hdr->frame_control)) 3165 return false; 3166 /* ignore action frames to TDLS-peers */ 3167 if (ieee80211_is_action(hdr->frame_control) && 3168 !ether_addr_equal(bssid, hdr->addr1)) 3169 return false; 3170 } 3171 break; 3172 case NL80211_IFTYPE_WDS: 3173 if (bssid || !ieee80211_is_data(hdr->frame_control)) 3174 return false; 3175 if (!ether_addr_equal(sdata->u.wds.remote_addr, hdr->addr2)) 3176 return false; 3177 break; 3178 case NL80211_IFTYPE_P2P_DEVICE: 3179 if (!ieee80211_is_public_action(hdr, skb->len) && 3180 !ieee80211_is_probe_req(hdr->frame_control) && 3181 !ieee80211_is_probe_resp(hdr->frame_control) && 3182 !ieee80211_is_beacon(hdr->frame_control)) 3183 return false; 3184 if (!ether_addr_equal(sdata->vif.addr, hdr->addr1) && 3185 !multicast) 3186 status->rx_flags &= ~IEEE80211_RX_RA_MATCH; 3187 break; 3188 default: 3189 /* should never get here */ 3190 WARN_ON_ONCE(1); 3191 break; 3192 } 3193 3194 return true; 3195 } 3196 3197 /* 3198 * This function returns whether or not the SKB 3199 * was destined for RX processing or not, which, 3200 * if consume is true, is equivalent to whether 3201 * or not the skb was consumed. 3202 */ 3203 static bool ieee80211_prepare_and_rx_handle(struct ieee80211_rx_data *rx, 3204 struct sk_buff *skb, bool consume) 3205 { 3206 struct ieee80211_local *local = rx->local; 3207 struct ieee80211_sub_if_data *sdata = rx->sdata; 3208 struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(skb); 3209 struct ieee80211_hdr *hdr = (void *)skb->data; 3210 3211 rx->skb = skb; 3212 status->rx_flags |= IEEE80211_RX_RA_MATCH; 3213 3214 if (!prepare_for_handlers(rx, hdr)) 3215 return false; 3216 3217 if (!consume) { 3218 skb = skb_copy(skb, GFP_ATOMIC); 3219 if (!skb) { 3220 if (net_ratelimit()) 3221 wiphy_debug(local->hw.wiphy, 3222 "failed to copy skb for %s\n", 3223 sdata->name); 3224 return true; 3225 } 3226 3227 rx->skb = skb; 3228 } 3229 3230 ieee80211_invoke_rx_handlers(rx); 3231 return true; 3232 } 3233 3234 /* 3235 * This is the actual Rx frames handler. as it belongs to Rx path it must 3236 * be called with rcu_read_lock protection. 3237 */ 3238 static void __ieee80211_rx_handle_packet(struct ieee80211_hw *hw, 3239 struct sk_buff *skb) 3240 { 3241 struct ieee80211_local *local = hw_to_local(hw); 3242 struct ieee80211_sub_if_data *sdata; 3243 struct ieee80211_hdr *hdr; 3244 __le16 fc; 3245 struct ieee80211_rx_data rx; 3246 struct ieee80211_sub_if_data *prev; 3247 struct sta_info *sta, *tmp, *prev_sta; 3248 int err = 0; 3249 3250 fc = ((struct ieee80211_hdr *)skb->data)->frame_control; 3251 memset(&rx, 0, sizeof(rx)); 3252 rx.skb = skb; 3253 rx.local = local; 3254 3255 if (ieee80211_is_data(fc) || ieee80211_is_mgmt(fc)) 3256 local->dot11ReceivedFragmentCount++; 3257 3258 if (ieee80211_is_mgmt(fc)) { 3259 /* drop frame if too short for header */ 3260 if (skb->len < ieee80211_hdrlen(fc)) 3261 err = -ENOBUFS; 3262 else 3263 err = skb_linearize(skb); 3264 } else { 3265 err = !pskb_may_pull(skb, ieee80211_hdrlen(fc)); 3266 } 3267 3268 if (err) { 3269 dev_kfree_skb(skb); 3270 return; 3271 } 3272 3273 hdr = (struct ieee80211_hdr *)skb->data; 3274 ieee80211_parse_qos(&rx); 3275 ieee80211_verify_alignment(&rx); 3276 3277 if (unlikely(ieee80211_is_probe_resp(hdr->frame_control) || 3278 ieee80211_is_beacon(hdr->frame_control))) 3279 ieee80211_scan_rx(local, skb); 3280 3281 if (ieee80211_is_data(fc)) { 3282 prev_sta = NULL; 3283 3284 for_each_sta_info(local, hdr->addr2, sta, tmp) { 3285 if (!prev_sta) { 3286 prev_sta = sta; 3287 continue; 3288 } 3289 3290 rx.sta = prev_sta; 3291 rx.sdata = prev_sta->sdata; 3292 ieee80211_prepare_and_rx_handle(&rx, skb, false); 3293 3294 prev_sta = sta; 3295 } 3296 3297 if (prev_sta) { 3298 rx.sta = prev_sta; 3299 rx.sdata = prev_sta->sdata; 3300 3301 if (ieee80211_prepare_and_rx_handle(&rx, skb, true)) 3302 return; 3303 goto out; 3304 } 3305 } 3306 3307 prev = NULL; 3308 3309 list_for_each_entry_rcu(sdata, &local->interfaces, list) { 3310 if (!ieee80211_sdata_running(sdata)) 3311 continue; 3312 3313 if (sdata->vif.type == NL80211_IFTYPE_MONITOR || 3314 sdata->vif.type == NL80211_IFTYPE_AP_VLAN) 3315 continue; 3316 3317 /* 3318 * frame is destined for this interface, but if it's 3319 * not also for the previous one we handle that after 3320 * the loop to avoid copying the SKB once too much 3321 */ 3322 3323 if (!prev) { 3324 prev = sdata; 3325 continue; 3326 } 3327 3328 rx.sta = sta_info_get_bss(prev, hdr->addr2); 3329 rx.sdata = prev; 3330 ieee80211_prepare_and_rx_handle(&rx, skb, false); 3331 3332 prev = sdata; 3333 } 3334 3335 if (prev) { 3336 rx.sta = sta_info_get_bss(prev, hdr->addr2); 3337 rx.sdata = prev; 3338 3339 if (ieee80211_prepare_and_rx_handle(&rx, skb, true)) 3340 return; 3341 } 3342 3343 out: 3344 dev_kfree_skb(skb); 3345 } 3346 3347 /* 3348 * This is the receive path handler. It is called by a low level driver when an 3349 * 802.11 MPDU is received from the hardware. 3350 */ 3351 void ieee80211_rx(struct ieee80211_hw *hw, struct sk_buff *skb) 3352 { 3353 struct ieee80211_local *local = hw_to_local(hw); 3354 struct ieee80211_rate *rate = NULL; 3355 struct ieee80211_supported_band *sband; 3356 struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(skb); 3357 3358 WARN_ON_ONCE(softirq_count() == 0); 3359 3360 if (WARN_ON(status->band >= IEEE80211_NUM_BANDS)) 3361 goto drop; 3362 3363 sband = local->hw.wiphy->bands[status->band]; 3364 if (WARN_ON(!sband)) 3365 goto drop; 3366 3367 /* 3368 * If we're suspending, it is possible although not too likely 3369 * that we'd be receiving frames after having already partially 3370 * quiesced the stack. We can't process such frames then since 3371 * that might, for example, cause stations to be added or other 3372 * driver callbacks be invoked. 3373 */ 3374 if (unlikely(local->quiescing || local->suspended)) 3375 goto drop; 3376 3377 /* We might be during a HW reconfig, prevent Rx for the same reason */ 3378 if (unlikely(local->in_reconfig)) 3379 goto drop; 3380 3381 /* 3382 * The same happens when we're not even started, 3383 * but that's worth a warning. 3384 */ 3385 if (WARN_ON(!local->started)) 3386 goto drop; 3387 3388 if (likely(!(status->flag & RX_FLAG_FAILED_PLCP_CRC))) { 3389 /* 3390 * Validate the rate, unless a PLCP error means that 3391 * we probably can't have a valid rate here anyway. 3392 */ 3393 3394 if (status->flag & RX_FLAG_HT) { 3395 /* 3396 * rate_idx is MCS index, which can be [0-76] 3397 * as documented on: 3398 * 3399 * http://wireless.kernel.org/en/developers/Documentation/ieee80211/802.11n 3400 * 3401 * Anything else would be some sort of driver or 3402 * hardware error. The driver should catch hardware 3403 * errors. 3404 */ 3405 if (WARN(status->rate_idx > 76, 3406 "Rate marked as an HT rate but passed " 3407 "status->rate_idx is not " 3408 "an MCS index [0-76]: %d (0x%02x)\n", 3409 status->rate_idx, 3410 status->rate_idx)) 3411 goto drop; 3412 } else if (status->flag & RX_FLAG_VHT) { 3413 if (WARN_ONCE(status->rate_idx > 9 || 3414 !status->vht_nss || 3415 status->vht_nss > 8, 3416 "Rate marked as a VHT rate but data is invalid: MCS: %d, NSS: %d\n", 3417 status->rate_idx, status->vht_nss)) 3418 goto drop; 3419 } else { 3420 if (WARN_ON(status->rate_idx >= sband->n_bitrates)) 3421 goto drop; 3422 rate = &sband->bitrates[status->rate_idx]; 3423 } 3424 } 3425 3426 status->rx_flags = 0; 3427 3428 /* 3429 * key references and virtual interfaces are protected using RCU 3430 * and this requires that we are in a read-side RCU section during 3431 * receive processing 3432 */ 3433 rcu_read_lock(); 3434 3435 /* 3436 * Frames with failed FCS/PLCP checksum are not returned, 3437 * all other frames are returned without radiotap header 3438 * if it was previously present. 3439 * Also, frames with less than 16 bytes are dropped. 3440 */ 3441 skb = ieee80211_rx_monitor(local, skb, rate); 3442 if (!skb) { 3443 rcu_read_unlock(); 3444 return; 3445 } 3446 3447 ieee80211_tpt_led_trig_rx(local, 3448 ((struct ieee80211_hdr *)skb->data)->frame_control, 3449 skb->len); 3450 __ieee80211_rx_handle_packet(hw, skb); 3451 3452 rcu_read_unlock(); 3453 3454 return; 3455 drop: 3456 kfree_skb(skb); 3457 } 3458 EXPORT_SYMBOL(ieee80211_rx); 3459 3460 /* This is a version of the rx handler that can be called from hard irq 3461 * context. Post the skb on the queue and schedule the tasklet */ 3462 void ieee80211_rx_irqsafe(struct ieee80211_hw *hw, struct sk_buff *skb) 3463 { 3464 struct ieee80211_local *local = hw_to_local(hw); 3465 3466 BUILD_BUG_ON(sizeof(struct ieee80211_rx_status) > sizeof(skb->cb)); 3467 3468 skb->pkt_type = IEEE80211_RX_MSG; 3469 skb_queue_tail(&local->skb_queue, skb); 3470 tasklet_schedule(&local->tasklet); 3471 } 3472 EXPORT_SYMBOL(ieee80211_rx_irqsafe); 3473