1 /* 2 * Copyright 2002-2005, Instant802 Networks, Inc. 3 * Copyright 2005-2006, Devicescape Software, Inc. 4 * Copyright 2006-2007 Jiri Benc <jbenc@suse.cz> 5 * Copyright 2007 Johannes Berg <johannes@sipsolutions.net> 6 * 7 * This program is free software; you can redistribute it and/or modify 8 * it under the terms of the GNU General Public License version 2 as 9 * published by the Free Software Foundation. 10 */ 11 12 #include <linux/jiffies.h> 13 #include <linux/kernel.h> 14 #include <linux/skbuff.h> 15 #include <linux/netdevice.h> 16 #include <linux/etherdevice.h> 17 #include <linux/rcupdate.h> 18 #include <net/mac80211.h> 19 #include <net/ieee80211_radiotap.h> 20 21 #include "ieee80211_i.h" 22 #include "driver-ops.h" 23 #include "led.h" 24 #include "mesh.h" 25 #include "wep.h" 26 #include "wpa.h" 27 #include "tkip.h" 28 #include "wme.h" 29 30 /* 31 * monitor mode reception 32 * 33 * This function cleans up the SKB, i.e. it removes all the stuff 34 * only useful for monitoring. 35 */ 36 static struct sk_buff *remove_monitor_info(struct ieee80211_local *local, 37 struct sk_buff *skb) 38 { 39 if (local->hw.flags & IEEE80211_HW_RX_INCLUDES_FCS) { 40 if (likely(skb->len > FCS_LEN)) 41 skb_trim(skb, skb->len - FCS_LEN); 42 else { 43 /* driver bug */ 44 WARN_ON(1); 45 dev_kfree_skb(skb); 46 skb = NULL; 47 } 48 } 49 50 return skb; 51 } 52 53 static inline int should_drop_frame(struct sk_buff *skb, 54 int present_fcs_len) 55 { 56 struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(skb); 57 struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)skb->data; 58 59 if (status->flag & (RX_FLAG_FAILED_FCS_CRC | RX_FLAG_FAILED_PLCP_CRC)) 60 return 1; 61 if (unlikely(skb->len < 16 + present_fcs_len)) 62 return 1; 63 if (ieee80211_is_ctl(hdr->frame_control) && 64 !ieee80211_is_pspoll(hdr->frame_control) && 65 !ieee80211_is_back_req(hdr->frame_control)) 66 return 1; 67 return 0; 68 } 69 70 static int 71 ieee80211_rx_radiotap_len(struct ieee80211_local *local, 72 struct ieee80211_rx_status *status) 73 { 74 int len; 75 76 /* always present fields */ 77 len = sizeof(struct ieee80211_radiotap_header) + 9; 78 79 if (status->flag & RX_FLAG_TSFT) 80 len += 8; 81 if (local->hw.flags & IEEE80211_HW_SIGNAL_DBM) 82 len += 1; 83 if (local->hw.flags & IEEE80211_HW_NOISE_DBM) 84 len += 1; 85 86 if (len & 1) /* padding for RX_FLAGS if necessary */ 87 len++; 88 89 return len; 90 } 91 92 /* 93 * ieee80211_add_rx_radiotap_header - add radiotap header 94 * 95 * add a radiotap header containing all the fields which the hardware provided. 96 */ 97 static void 98 ieee80211_add_rx_radiotap_header(struct ieee80211_local *local, 99 struct sk_buff *skb, 100 struct ieee80211_rate *rate, 101 int rtap_len) 102 { 103 struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(skb); 104 struct ieee80211_radiotap_header *rthdr; 105 unsigned char *pos; 106 u16 rx_flags = 0; 107 108 rthdr = (struct ieee80211_radiotap_header *)skb_push(skb, rtap_len); 109 memset(rthdr, 0, rtap_len); 110 111 /* radiotap header, set always present flags */ 112 rthdr->it_present = 113 cpu_to_le32((1 << IEEE80211_RADIOTAP_FLAGS) | 114 (1 << IEEE80211_RADIOTAP_CHANNEL) | 115 (1 << IEEE80211_RADIOTAP_ANTENNA) | 116 (1 << IEEE80211_RADIOTAP_RX_FLAGS)); 117 rthdr->it_len = cpu_to_le16(rtap_len); 118 119 pos = (unsigned char *)(rthdr+1); 120 121 /* the order of the following fields is important */ 122 123 /* IEEE80211_RADIOTAP_TSFT */ 124 if (status->flag & RX_FLAG_TSFT) { 125 put_unaligned_le64(status->mactime, pos); 126 rthdr->it_present |= 127 cpu_to_le32(1 << IEEE80211_RADIOTAP_TSFT); 128 pos += 8; 129 } 130 131 /* IEEE80211_RADIOTAP_FLAGS */ 132 if (local->hw.flags & IEEE80211_HW_RX_INCLUDES_FCS) 133 *pos |= IEEE80211_RADIOTAP_F_FCS; 134 if (status->flag & (RX_FLAG_FAILED_FCS_CRC | RX_FLAG_FAILED_PLCP_CRC)) 135 *pos |= IEEE80211_RADIOTAP_F_BADFCS; 136 if (status->flag & RX_FLAG_SHORTPRE) 137 *pos |= IEEE80211_RADIOTAP_F_SHORTPRE; 138 pos++; 139 140 /* IEEE80211_RADIOTAP_RATE */ 141 if (status->flag & RX_FLAG_HT) { 142 /* 143 * TODO: add following information into radiotap header once 144 * suitable fields are defined for it: 145 * - MCS index (status->rate_idx) 146 * - HT40 (status->flag & RX_FLAG_40MHZ) 147 * - short-GI (status->flag & RX_FLAG_SHORT_GI) 148 */ 149 *pos = 0; 150 } else { 151 rthdr->it_present |= cpu_to_le32(1 << IEEE80211_RADIOTAP_RATE); 152 *pos = rate->bitrate / 5; 153 } 154 pos++; 155 156 /* IEEE80211_RADIOTAP_CHANNEL */ 157 put_unaligned_le16(status->freq, pos); 158 pos += 2; 159 if (status->band == IEEE80211_BAND_5GHZ) 160 put_unaligned_le16(IEEE80211_CHAN_OFDM | IEEE80211_CHAN_5GHZ, 161 pos); 162 else if (status->flag & RX_FLAG_HT) 163 put_unaligned_le16(IEEE80211_CHAN_DYN | IEEE80211_CHAN_2GHZ, 164 pos); 165 else if (rate->flags & IEEE80211_RATE_ERP_G) 166 put_unaligned_le16(IEEE80211_CHAN_OFDM | IEEE80211_CHAN_2GHZ, 167 pos); 168 else 169 put_unaligned_le16(IEEE80211_CHAN_CCK | IEEE80211_CHAN_2GHZ, 170 pos); 171 pos += 2; 172 173 /* IEEE80211_RADIOTAP_DBM_ANTSIGNAL */ 174 if (local->hw.flags & IEEE80211_HW_SIGNAL_DBM) { 175 *pos = status->signal; 176 rthdr->it_present |= 177 cpu_to_le32(1 << IEEE80211_RADIOTAP_DBM_ANTSIGNAL); 178 pos++; 179 } 180 181 /* IEEE80211_RADIOTAP_DBM_ANTNOISE */ 182 if (local->hw.flags & IEEE80211_HW_NOISE_DBM) { 183 *pos = status->noise; 184 rthdr->it_present |= 185 cpu_to_le32(1 << IEEE80211_RADIOTAP_DBM_ANTNOISE); 186 pos++; 187 } 188 189 /* IEEE80211_RADIOTAP_LOCK_QUALITY is missing */ 190 191 /* IEEE80211_RADIOTAP_ANTENNA */ 192 *pos = status->antenna; 193 pos++; 194 195 /* IEEE80211_RADIOTAP_DB_ANTNOISE is not used */ 196 197 /* IEEE80211_RADIOTAP_RX_FLAGS */ 198 /* ensure 2 byte alignment for the 2 byte field as required */ 199 if ((pos - (u8 *)rthdr) & 1) 200 pos++; 201 if (status->flag & RX_FLAG_FAILED_PLCP_CRC) 202 rx_flags |= IEEE80211_RADIOTAP_F_RX_BADPLCP; 203 put_unaligned_le16(rx_flags, pos); 204 pos += 2; 205 } 206 207 /* 208 * This function copies a received frame to all monitor interfaces and 209 * returns a cleaned-up SKB that no longer includes the FCS nor the 210 * radiotap header the driver might have added. 211 */ 212 static struct sk_buff * 213 ieee80211_rx_monitor(struct ieee80211_local *local, struct sk_buff *origskb, 214 struct ieee80211_rate *rate) 215 { 216 struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(origskb); 217 struct ieee80211_sub_if_data *sdata; 218 int needed_headroom = 0; 219 struct sk_buff *skb, *skb2; 220 struct net_device *prev_dev = NULL; 221 int present_fcs_len = 0; 222 223 /* 224 * First, we may need to make a copy of the skb because 225 * (1) we need to modify it for radiotap (if not present), and 226 * (2) the other RX handlers will modify the skb we got. 227 * 228 * We don't need to, of course, if we aren't going to return 229 * the SKB because it has a bad FCS/PLCP checksum. 230 */ 231 232 /* room for the radiotap header based on driver features */ 233 needed_headroom = ieee80211_rx_radiotap_len(local, status); 234 235 if (local->hw.flags & IEEE80211_HW_RX_INCLUDES_FCS) 236 present_fcs_len = FCS_LEN; 237 238 if (!local->monitors) { 239 if (should_drop_frame(origskb, present_fcs_len)) { 240 dev_kfree_skb(origskb); 241 return NULL; 242 } 243 244 return remove_monitor_info(local, origskb); 245 } 246 247 if (should_drop_frame(origskb, present_fcs_len)) { 248 /* only need to expand headroom if necessary */ 249 skb = origskb; 250 origskb = NULL; 251 252 /* 253 * This shouldn't trigger often because most devices have an 254 * RX header they pull before we get here, and that should 255 * be big enough for our radiotap information. We should 256 * probably export the length to drivers so that we can have 257 * them allocate enough headroom to start with. 258 */ 259 if (skb_headroom(skb) < needed_headroom && 260 pskb_expand_head(skb, needed_headroom, 0, GFP_ATOMIC)) { 261 dev_kfree_skb(skb); 262 return NULL; 263 } 264 } else { 265 /* 266 * Need to make a copy and possibly remove radiotap header 267 * and FCS from the original. 268 */ 269 skb = skb_copy_expand(origskb, needed_headroom, 0, GFP_ATOMIC); 270 271 origskb = remove_monitor_info(local, origskb); 272 273 if (!skb) 274 return origskb; 275 } 276 277 /* prepend radiotap information */ 278 ieee80211_add_rx_radiotap_header(local, skb, rate, needed_headroom); 279 280 skb_reset_mac_header(skb); 281 skb->ip_summed = CHECKSUM_UNNECESSARY; 282 skb->pkt_type = PACKET_OTHERHOST; 283 skb->protocol = htons(ETH_P_802_2); 284 285 list_for_each_entry_rcu(sdata, &local->interfaces, list) { 286 if (!netif_running(sdata->dev)) 287 continue; 288 289 if (sdata->vif.type != NL80211_IFTYPE_MONITOR) 290 continue; 291 292 if (sdata->u.mntr_flags & MONITOR_FLAG_COOK_FRAMES) 293 continue; 294 295 if (prev_dev) { 296 skb2 = skb_clone(skb, GFP_ATOMIC); 297 if (skb2) { 298 skb2->dev = prev_dev; 299 netif_rx(skb2); 300 } 301 } 302 303 prev_dev = sdata->dev; 304 sdata->dev->stats.rx_packets++; 305 sdata->dev->stats.rx_bytes += skb->len; 306 } 307 308 if (prev_dev) { 309 skb->dev = prev_dev; 310 netif_rx(skb); 311 } else 312 dev_kfree_skb(skb); 313 314 return origskb; 315 } 316 317 318 static void ieee80211_parse_qos(struct ieee80211_rx_data *rx) 319 { 320 struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)rx->skb->data; 321 int tid; 322 323 /* does the frame have a qos control field? */ 324 if (ieee80211_is_data_qos(hdr->frame_control)) { 325 u8 *qc = ieee80211_get_qos_ctl(hdr); 326 /* frame has qos control */ 327 tid = *qc & IEEE80211_QOS_CTL_TID_MASK; 328 if (*qc & IEEE80211_QOS_CONTROL_A_MSDU_PRESENT) 329 rx->flags |= IEEE80211_RX_AMSDU; 330 else 331 rx->flags &= ~IEEE80211_RX_AMSDU; 332 } else { 333 /* 334 * IEEE 802.11-2007, 7.1.3.4.1 ("Sequence Number field"): 335 * 336 * Sequence numbers for management frames, QoS data 337 * frames with a broadcast/multicast address in the 338 * Address 1 field, and all non-QoS data frames sent 339 * by QoS STAs are assigned using an additional single 340 * modulo-4096 counter, [...] 341 * 342 * We also use that counter for non-QoS STAs. 343 */ 344 tid = NUM_RX_DATA_QUEUES - 1; 345 } 346 347 rx->queue = tid; 348 /* Set skb->priority to 1d tag if highest order bit of TID is not set. 349 * For now, set skb->priority to 0 for other cases. */ 350 rx->skb->priority = (tid > 7) ? 0 : tid; 351 } 352 353 /** 354 * DOC: Packet alignment 355 * 356 * Drivers always need to pass packets that are aligned to two-byte boundaries 357 * to the stack. 358 * 359 * Additionally, should, if possible, align the payload data in a way that 360 * guarantees that the contained IP header is aligned to a four-byte 361 * boundary. In the case of regular frames, this simply means aligning the 362 * payload to a four-byte boundary (because either the IP header is directly 363 * contained, or IV/RFC1042 headers that have a length divisible by four are 364 * in front of it). 365 * 366 * With A-MSDU frames, however, the payload data address must yield two modulo 367 * four because there are 14-byte 802.3 headers within the A-MSDU frames that 368 * push the IP header further back to a multiple of four again. Thankfully, the 369 * specs were sane enough this time around to require padding each A-MSDU 370 * subframe to a length that is a multiple of four. 371 * 372 * Padding like Atheros hardware adds which is inbetween the 802.11 header and 373 * the payload is not supported, the driver is required to move the 802.11 374 * header to be directly in front of the payload in that case. 375 */ 376 static void ieee80211_verify_alignment(struct ieee80211_rx_data *rx) 377 { 378 struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)rx->skb->data; 379 int hdrlen; 380 381 #ifndef CONFIG_MAC80211_DEBUG_PACKET_ALIGNMENT 382 return; 383 #endif 384 385 if (WARN_ONCE((unsigned long)rx->skb->data & 1, 386 "unaligned packet at 0x%p\n", rx->skb->data)) 387 return; 388 389 if (!ieee80211_is_data_present(hdr->frame_control)) 390 return; 391 392 hdrlen = ieee80211_hdrlen(hdr->frame_control); 393 if (rx->flags & IEEE80211_RX_AMSDU) 394 hdrlen += ETH_HLEN; 395 WARN_ONCE(((unsigned long)(rx->skb->data + hdrlen)) & 3, 396 "unaligned IP payload at 0x%p\n", rx->skb->data + hdrlen); 397 } 398 399 400 /* rx handlers */ 401 402 static ieee80211_rx_result debug_noinline 403 ieee80211_rx_h_passive_scan(struct ieee80211_rx_data *rx) 404 { 405 struct ieee80211_local *local = rx->local; 406 struct sk_buff *skb = rx->skb; 407 408 if (unlikely(test_bit(SCAN_HW_SCANNING, &local->scanning))) 409 return ieee80211_scan_rx(rx->sdata, skb); 410 411 if (unlikely(test_bit(SCAN_SW_SCANNING, &local->scanning) && 412 (rx->flags & IEEE80211_RX_IN_SCAN))) { 413 /* drop all the other packets during a software scan anyway */ 414 if (ieee80211_scan_rx(rx->sdata, skb) != RX_QUEUED) 415 dev_kfree_skb(skb); 416 return RX_QUEUED; 417 } 418 419 if (unlikely(rx->flags & IEEE80211_RX_IN_SCAN)) { 420 /* scanning finished during invoking of handlers */ 421 I802_DEBUG_INC(local->rx_handlers_drop_passive_scan); 422 return RX_DROP_UNUSABLE; 423 } 424 425 return RX_CONTINUE; 426 } 427 428 429 static int ieee80211_is_unicast_robust_mgmt_frame(struct sk_buff *skb) 430 { 431 struct ieee80211_hdr *hdr = (struct ieee80211_hdr *) skb->data; 432 433 if (skb->len < 24 || is_multicast_ether_addr(hdr->addr1)) 434 return 0; 435 436 return ieee80211_is_robust_mgmt_frame(hdr); 437 } 438 439 440 static int ieee80211_is_multicast_robust_mgmt_frame(struct sk_buff *skb) 441 { 442 struct ieee80211_hdr *hdr = (struct ieee80211_hdr *) skb->data; 443 444 if (skb->len < 24 || !is_multicast_ether_addr(hdr->addr1)) 445 return 0; 446 447 return ieee80211_is_robust_mgmt_frame(hdr); 448 } 449 450 451 /* Get the BIP key index from MMIE; return -1 if this is not a BIP frame */ 452 static int ieee80211_get_mmie_keyidx(struct sk_buff *skb) 453 { 454 struct ieee80211_mgmt *hdr = (struct ieee80211_mgmt *) skb->data; 455 struct ieee80211_mmie *mmie; 456 457 if (skb->len < 24 + sizeof(*mmie) || 458 !is_multicast_ether_addr(hdr->da)) 459 return -1; 460 461 if (!ieee80211_is_robust_mgmt_frame((struct ieee80211_hdr *) hdr)) 462 return -1; /* not a robust management frame */ 463 464 mmie = (struct ieee80211_mmie *) 465 (skb->data + skb->len - sizeof(*mmie)); 466 if (mmie->element_id != WLAN_EID_MMIE || 467 mmie->length != sizeof(*mmie) - 2) 468 return -1; 469 470 return le16_to_cpu(mmie->key_id); 471 } 472 473 474 static ieee80211_rx_result 475 ieee80211_rx_mesh_check(struct ieee80211_rx_data *rx) 476 { 477 struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)rx->skb->data; 478 unsigned int hdrlen = ieee80211_hdrlen(hdr->frame_control); 479 char *dev_addr = rx->sdata->dev->dev_addr; 480 481 if (ieee80211_is_data(hdr->frame_control)) { 482 if (is_multicast_ether_addr(hdr->addr1)) { 483 if (ieee80211_has_tods(hdr->frame_control) || 484 !ieee80211_has_fromds(hdr->frame_control)) 485 return RX_DROP_MONITOR; 486 if (memcmp(hdr->addr3, dev_addr, ETH_ALEN) == 0) 487 return RX_DROP_MONITOR; 488 } else { 489 if (!ieee80211_has_a4(hdr->frame_control)) 490 return RX_DROP_MONITOR; 491 if (memcmp(hdr->addr4, dev_addr, ETH_ALEN) == 0) 492 return RX_DROP_MONITOR; 493 } 494 } 495 496 /* If there is not an established peer link and this is not a peer link 497 * establisment frame, beacon or probe, drop the frame. 498 */ 499 500 if (!rx->sta || sta_plink_state(rx->sta) != PLINK_ESTAB) { 501 struct ieee80211_mgmt *mgmt; 502 503 if (!ieee80211_is_mgmt(hdr->frame_control)) 504 return RX_DROP_MONITOR; 505 506 if (ieee80211_is_action(hdr->frame_control)) { 507 mgmt = (struct ieee80211_mgmt *)hdr; 508 if (mgmt->u.action.category != MESH_PLINK_CATEGORY) 509 return RX_DROP_MONITOR; 510 return RX_CONTINUE; 511 } 512 513 if (ieee80211_is_probe_req(hdr->frame_control) || 514 ieee80211_is_probe_resp(hdr->frame_control) || 515 ieee80211_is_beacon(hdr->frame_control)) 516 return RX_CONTINUE; 517 518 return RX_DROP_MONITOR; 519 520 } 521 522 #define msh_h_get(h, l) ((struct ieee80211s_hdr *) ((u8 *)h + l)) 523 524 if (ieee80211_is_data(hdr->frame_control) && 525 is_multicast_ether_addr(hdr->addr1) && 526 mesh_rmc_check(hdr->addr3, msh_h_get(hdr, hdrlen), rx->sdata)) 527 return RX_DROP_MONITOR; 528 #undef msh_h_get 529 530 return RX_CONTINUE; 531 } 532 533 #define SEQ_MODULO 0x1000 534 #define SEQ_MASK 0xfff 535 536 static inline int seq_less(u16 sq1, u16 sq2) 537 { 538 return ((sq1 - sq2) & SEQ_MASK) > (SEQ_MODULO >> 1); 539 } 540 541 static inline u16 seq_inc(u16 sq) 542 { 543 return (sq + 1) & SEQ_MASK; 544 } 545 546 static inline u16 seq_sub(u16 sq1, u16 sq2) 547 { 548 return (sq1 - sq2) & SEQ_MASK; 549 } 550 551 552 static void ieee80211_release_reorder_frame(struct ieee80211_hw *hw, 553 struct tid_ampdu_rx *tid_agg_rx, 554 int index, 555 struct sk_buff_head *frames) 556 { 557 struct ieee80211_supported_band *sband; 558 struct ieee80211_rate *rate = NULL; 559 struct sk_buff *skb = tid_agg_rx->reorder_buf[index]; 560 struct ieee80211_rx_status *status; 561 562 if (!skb) 563 goto no_frame; 564 565 status = IEEE80211_SKB_RXCB(skb); 566 567 /* release the reordered frames to stack */ 568 sband = hw->wiphy->bands[status->band]; 569 if (!(status->flag & RX_FLAG_HT)) 570 rate = &sband->bitrates[status->rate_idx]; 571 tid_agg_rx->stored_mpdu_num--; 572 tid_agg_rx->reorder_buf[index] = NULL; 573 __skb_queue_tail(frames, skb); 574 575 no_frame: 576 tid_agg_rx->head_seq_num = seq_inc(tid_agg_rx->head_seq_num); 577 } 578 579 static void ieee80211_release_reorder_frames(struct ieee80211_hw *hw, 580 struct tid_ampdu_rx *tid_agg_rx, 581 u16 head_seq_num, 582 struct sk_buff_head *frames) 583 { 584 int index; 585 586 while (seq_less(tid_agg_rx->head_seq_num, head_seq_num)) { 587 index = seq_sub(tid_agg_rx->head_seq_num, tid_agg_rx->ssn) % 588 tid_agg_rx->buf_size; 589 ieee80211_release_reorder_frame(hw, tid_agg_rx, index, frames); 590 } 591 } 592 593 /* 594 * Timeout (in jiffies) for skb's that are waiting in the RX reorder buffer. If 595 * the skb was added to the buffer longer than this time ago, the earlier 596 * frames that have not yet been received are assumed to be lost and the skb 597 * can be released for processing. This may also release other skb's from the 598 * reorder buffer if there are no additional gaps between the frames. 599 */ 600 #define HT_RX_REORDER_BUF_TIMEOUT (HZ / 10) 601 602 /* 603 * As this function belongs to the RX path it must be under 604 * rcu_read_lock protection. It returns false if the frame 605 * can be processed immediately, true if it was consumed. 606 */ 607 static bool ieee80211_sta_manage_reorder_buf(struct ieee80211_hw *hw, 608 struct tid_ampdu_rx *tid_agg_rx, 609 struct sk_buff *skb, 610 struct sk_buff_head *frames) 611 { 612 struct ieee80211_hdr *hdr = (struct ieee80211_hdr *) skb->data; 613 u16 sc = le16_to_cpu(hdr->seq_ctrl); 614 u16 mpdu_seq_num = (sc & IEEE80211_SCTL_SEQ) >> 4; 615 u16 head_seq_num, buf_size; 616 int index; 617 618 buf_size = tid_agg_rx->buf_size; 619 head_seq_num = tid_agg_rx->head_seq_num; 620 621 /* frame with out of date sequence number */ 622 if (seq_less(mpdu_seq_num, head_seq_num)) { 623 dev_kfree_skb(skb); 624 return true; 625 } 626 627 /* 628 * If frame the sequence number exceeds our buffering window 629 * size release some previous frames to make room for this one. 630 */ 631 if (!seq_less(mpdu_seq_num, head_seq_num + buf_size)) { 632 head_seq_num = seq_inc(seq_sub(mpdu_seq_num, buf_size)); 633 /* release stored frames up to new head to stack */ 634 ieee80211_release_reorder_frames(hw, tid_agg_rx, head_seq_num, 635 frames); 636 } 637 638 /* Now the new frame is always in the range of the reordering buffer */ 639 640 index = seq_sub(mpdu_seq_num, tid_agg_rx->ssn) % tid_agg_rx->buf_size; 641 642 /* check if we already stored this frame */ 643 if (tid_agg_rx->reorder_buf[index]) { 644 dev_kfree_skb(skb); 645 return true; 646 } 647 648 /* 649 * If the current MPDU is in the right order and nothing else 650 * is stored we can process it directly, no need to buffer it. 651 */ 652 if (mpdu_seq_num == tid_agg_rx->head_seq_num && 653 tid_agg_rx->stored_mpdu_num == 0) { 654 tid_agg_rx->head_seq_num = seq_inc(tid_agg_rx->head_seq_num); 655 return false; 656 } 657 658 /* put the frame in the reordering buffer */ 659 tid_agg_rx->reorder_buf[index] = skb; 660 tid_agg_rx->reorder_time[index] = jiffies; 661 tid_agg_rx->stored_mpdu_num++; 662 /* release the buffer until next missing frame */ 663 index = seq_sub(tid_agg_rx->head_seq_num, tid_agg_rx->ssn) % 664 tid_agg_rx->buf_size; 665 if (!tid_agg_rx->reorder_buf[index] && 666 tid_agg_rx->stored_mpdu_num > 1) { 667 /* 668 * No buffers ready to be released, but check whether any 669 * frames in the reorder buffer have timed out. 670 */ 671 int j; 672 int skipped = 1; 673 for (j = (index + 1) % tid_agg_rx->buf_size; j != index; 674 j = (j + 1) % tid_agg_rx->buf_size) { 675 if (!tid_agg_rx->reorder_buf[j]) { 676 skipped++; 677 continue; 678 } 679 if (!time_after(jiffies, tid_agg_rx->reorder_time[j] + 680 HT_RX_REORDER_BUF_TIMEOUT)) 681 break; 682 683 #ifdef CONFIG_MAC80211_HT_DEBUG 684 if (net_ratelimit()) 685 printk(KERN_DEBUG "%s: release an RX reorder " 686 "frame due to timeout on earlier " 687 "frames\n", 688 wiphy_name(hw->wiphy)); 689 #endif 690 ieee80211_release_reorder_frame(hw, tid_agg_rx, 691 j, frames); 692 693 /* 694 * Increment the head seq# also for the skipped slots. 695 */ 696 tid_agg_rx->head_seq_num = 697 (tid_agg_rx->head_seq_num + skipped) & SEQ_MASK; 698 skipped = 0; 699 } 700 } else while (tid_agg_rx->reorder_buf[index]) { 701 ieee80211_release_reorder_frame(hw, tid_agg_rx, index, frames); 702 index = seq_sub(tid_agg_rx->head_seq_num, tid_agg_rx->ssn) % 703 tid_agg_rx->buf_size; 704 } 705 706 return true; 707 } 708 709 /* 710 * Reorder MPDUs from A-MPDUs, keeping them on a buffer. Returns 711 * true if the MPDU was buffered, false if it should be processed. 712 */ 713 static void ieee80211_rx_reorder_ampdu(struct ieee80211_rx_data *rx, 714 struct sk_buff_head *frames) 715 { 716 struct sk_buff *skb = rx->skb; 717 struct ieee80211_local *local = rx->local; 718 struct ieee80211_hw *hw = &local->hw; 719 struct ieee80211_hdr *hdr = (struct ieee80211_hdr *) skb->data; 720 struct sta_info *sta = rx->sta; 721 struct tid_ampdu_rx *tid_agg_rx; 722 u16 sc; 723 int tid; 724 725 if (!ieee80211_is_data_qos(hdr->frame_control)) 726 goto dont_reorder; 727 728 /* 729 * filter the QoS data rx stream according to 730 * STA/TID and check if this STA/TID is on aggregation 731 */ 732 733 if (!sta) 734 goto dont_reorder; 735 736 tid = *ieee80211_get_qos_ctl(hdr) & IEEE80211_QOS_CTL_TID_MASK; 737 738 if (sta->ampdu_mlme.tid_state_rx[tid] != HT_AGG_STATE_OPERATIONAL) 739 goto dont_reorder; 740 741 tid_agg_rx = sta->ampdu_mlme.tid_rx[tid]; 742 743 /* qos null data frames are excluded */ 744 if (unlikely(hdr->frame_control & cpu_to_le16(IEEE80211_STYPE_NULLFUNC))) 745 goto dont_reorder; 746 747 /* new, potentially un-ordered, ampdu frame - process it */ 748 749 /* reset session timer */ 750 if (tid_agg_rx->timeout) 751 mod_timer(&tid_agg_rx->session_timer, 752 TU_TO_EXP_TIME(tid_agg_rx->timeout)); 753 754 /* if this mpdu is fragmented - terminate rx aggregation session */ 755 sc = le16_to_cpu(hdr->seq_ctrl); 756 if (sc & IEEE80211_SCTL_FRAG) { 757 ieee80211_sta_stop_rx_ba_session(sta->sdata, sta->sta.addr, 758 tid, 0, WLAN_REASON_QSTA_REQUIRE_SETUP); 759 dev_kfree_skb(skb); 760 return; 761 } 762 763 if (ieee80211_sta_manage_reorder_buf(hw, tid_agg_rx, skb, frames)) 764 return; 765 766 dont_reorder: 767 __skb_queue_tail(frames, skb); 768 } 769 770 static ieee80211_rx_result debug_noinline 771 ieee80211_rx_h_check(struct ieee80211_rx_data *rx) 772 { 773 struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)rx->skb->data; 774 775 /* Drop duplicate 802.11 retransmissions (IEEE 802.11 Chap. 9.2.9) */ 776 if (rx->sta && !is_multicast_ether_addr(hdr->addr1)) { 777 if (unlikely(ieee80211_has_retry(hdr->frame_control) && 778 rx->sta->last_seq_ctrl[rx->queue] == 779 hdr->seq_ctrl)) { 780 if (rx->flags & IEEE80211_RX_RA_MATCH) { 781 rx->local->dot11FrameDuplicateCount++; 782 rx->sta->num_duplicates++; 783 } 784 return RX_DROP_MONITOR; 785 } else 786 rx->sta->last_seq_ctrl[rx->queue] = hdr->seq_ctrl; 787 } 788 789 if (unlikely(rx->skb->len < 16)) { 790 I802_DEBUG_INC(rx->local->rx_handlers_drop_short); 791 return RX_DROP_MONITOR; 792 } 793 794 /* Drop disallowed frame classes based on STA auth/assoc state; 795 * IEEE 802.11, Chap 5.5. 796 * 797 * mac80211 filters only based on association state, i.e. it drops 798 * Class 3 frames from not associated stations. hostapd sends 799 * deauth/disassoc frames when needed. In addition, hostapd is 800 * responsible for filtering on both auth and assoc states. 801 */ 802 803 if (ieee80211_vif_is_mesh(&rx->sdata->vif)) 804 return ieee80211_rx_mesh_check(rx); 805 806 if (unlikely((ieee80211_is_data(hdr->frame_control) || 807 ieee80211_is_pspoll(hdr->frame_control)) && 808 rx->sdata->vif.type != NL80211_IFTYPE_ADHOC && 809 (!rx->sta || !test_sta_flags(rx->sta, WLAN_STA_ASSOC)))) { 810 if ((!ieee80211_has_fromds(hdr->frame_control) && 811 !ieee80211_has_tods(hdr->frame_control) && 812 ieee80211_is_data(hdr->frame_control)) || 813 !(rx->flags & IEEE80211_RX_RA_MATCH)) { 814 /* Drop IBSS frames and frames for other hosts 815 * silently. */ 816 return RX_DROP_MONITOR; 817 } 818 819 return RX_DROP_MONITOR; 820 } 821 822 return RX_CONTINUE; 823 } 824 825 826 static ieee80211_rx_result debug_noinline 827 ieee80211_rx_h_decrypt(struct ieee80211_rx_data *rx) 828 { 829 struct sk_buff *skb = rx->skb; 830 struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(skb); 831 struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)skb->data; 832 int keyidx; 833 int hdrlen; 834 ieee80211_rx_result result = RX_DROP_UNUSABLE; 835 struct ieee80211_key *stakey = NULL; 836 int mmie_keyidx = -1; 837 838 /* 839 * Key selection 101 840 * 841 * There are four types of keys: 842 * - GTK (group keys) 843 * - IGTK (group keys for management frames) 844 * - PTK (pairwise keys) 845 * - STK (station-to-station pairwise keys) 846 * 847 * When selecting a key, we have to distinguish between multicast 848 * (including broadcast) and unicast frames, the latter can only 849 * use PTKs and STKs while the former always use GTKs and IGTKs. 850 * Unless, of course, actual WEP keys ("pre-RSNA") are used, then 851 * unicast frames can also use key indices like GTKs. Hence, if we 852 * don't have a PTK/STK we check the key index for a WEP key. 853 * 854 * Note that in a regular BSS, multicast frames are sent by the 855 * AP only, associated stations unicast the frame to the AP first 856 * which then multicasts it on their behalf. 857 * 858 * There is also a slight problem in IBSS mode: GTKs are negotiated 859 * with each station, that is something we don't currently handle. 860 * The spec seems to expect that one negotiates the same key with 861 * every station but there's no such requirement; VLANs could be 862 * possible. 863 */ 864 865 /* 866 * No point in finding a key and decrypting if the frame is neither 867 * addressed to us nor a multicast frame. 868 */ 869 if (!(rx->flags & IEEE80211_RX_RA_MATCH)) 870 return RX_CONTINUE; 871 872 /* start without a key */ 873 rx->key = NULL; 874 875 if (rx->sta) 876 stakey = rcu_dereference(rx->sta->key); 877 878 if (!ieee80211_has_protected(hdr->frame_control)) 879 mmie_keyidx = ieee80211_get_mmie_keyidx(rx->skb); 880 881 if (!is_multicast_ether_addr(hdr->addr1) && stakey) { 882 rx->key = stakey; 883 /* Skip decryption if the frame is not protected. */ 884 if (!ieee80211_has_protected(hdr->frame_control)) 885 return RX_CONTINUE; 886 } else if (mmie_keyidx >= 0) { 887 /* Broadcast/multicast robust management frame / BIP */ 888 if ((status->flag & RX_FLAG_DECRYPTED) && 889 (status->flag & RX_FLAG_IV_STRIPPED)) 890 return RX_CONTINUE; 891 892 if (mmie_keyidx < NUM_DEFAULT_KEYS || 893 mmie_keyidx >= NUM_DEFAULT_KEYS + NUM_DEFAULT_MGMT_KEYS) 894 return RX_DROP_MONITOR; /* unexpected BIP keyidx */ 895 rx->key = rcu_dereference(rx->sdata->keys[mmie_keyidx]); 896 } else if (!ieee80211_has_protected(hdr->frame_control)) { 897 /* 898 * The frame was not protected, so skip decryption. However, we 899 * need to set rx->key if there is a key that could have been 900 * used so that the frame may be dropped if encryption would 901 * have been expected. 902 */ 903 struct ieee80211_key *key = NULL; 904 if (ieee80211_is_mgmt(hdr->frame_control) && 905 is_multicast_ether_addr(hdr->addr1) && 906 (key = rcu_dereference(rx->sdata->default_mgmt_key))) 907 rx->key = key; 908 else if ((key = rcu_dereference(rx->sdata->default_key))) 909 rx->key = key; 910 return RX_CONTINUE; 911 } else { 912 /* 913 * The device doesn't give us the IV so we won't be 914 * able to look up the key. That's ok though, we 915 * don't need to decrypt the frame, we just won't 916 * be able to keep statistics accurate. 917 * Except for key threshold notifications, should 918 * we somehow allow the driver to tell us which key 919 * the hardware used if this flag is set? 920 */ 921 if ((status->flag & RX_FLAG_DECRYPTED) && 922 (status->flag & RX_FLAG_IV_STRIPPED)) 923 return RX_CONTINUE; 924 925 hdrlen = ieee80211_hdrlen(hdr->frame_control); 926 927 if (rx->skb->len < 8 + hdrlen) 928 return RX_DROP_UNUSABLE; /* TODO: count this? */ 929 930 /* 931 * no need to call ieee80211_wep_get_keyidx, 932 * it verifies a bunch of things we've done already 933 */ 934 keyidx = rx->skb->data[hdrlen + 3] >> 6; 935 936 rx->key = rcu_dereference(rx->sdata->keys[keyidx]); 937 938 /* 939 * RSNA-protected unicast frames should always be sent with 940 * pairwise or station-to-station keys, but for WEP we allow 941 * using a key index as well. 942 */ 943 if (rx->key && rx->key->conf.alg != ALG_WEP && 944 !is_multicast_ether_addr(hdr->addr1)) 945 rx->key = NULL; 946 } 947 948 if (rx->key) { 949 rx->key->tx_rx_count++; 950 /* TODO: add threshold stuff again */ 951 } else { 952 return RX_DROP_MONITOR; 953 } 954 955 /* Check for weak IVs if possible */ 956 if (rx->sta && rx->key->conf.alg == ALG_WEP && 957 ieee80211_is_data(hdr->frame_control) && 958 (!(status->flag & RX_FLAG_IV_STRIPPED) || 959 !(status->flag & RX_FLAG_DECRYPTED)) && 960 ieee80211_wep_is_weak_iv(rx->skb, rx->key)) 961 rx->sta->wep_weak_iv_count++; 962 963 switch (rx->key->conf.alg) { 964 case ALG_WEP: 965 result = ieee80211_crypto_wep_decrypt(rx); 966 break; 967 case ALG_TKIP: 968 result = ieee80211_crypto_tkip_decrypt(rx); 969 break; 970 case ALG_CCMP: 971 result = ieee80211_crypto_ccmp_decrypt(rx); 972 break; 973 case ALG_AES_CMAC: 974 result = ieee80211_crypto_aes_cmac_decrypt(rx); 975 break; 976 } 977 978 /* either the frame has been decrypted or will be dropped */ 979 status->flag |= RX_FLAG_DECRYPTED; 980 981 return result; 982 } 983 984 static ieee80211_rx_result debug_noinline 985 ieee80211_rx_h_check_more_data(struct ieee80211_rx_data *rx) 986 { 987 struct ieee80211_local *local; 988 struct ieee80211_hdr *hdr; 989 struct sk_buff *skb; 990 991 local = rx->local; 992 skb = rx->skb; 993 hdr = (struct ieee80211_hdr *) skb->data; 994 995 if (!local->pspolling) 996 return RX_CONTINUE; 997 998 if (!ieee80211_has_fromds(hdr->frame_control)) 999 /* this is not from AP */ 1000 return RX_CONTINUE; 1001 1002 if (!ieee80211_is_data(hdr->frame_control)) 1003 return RX_CONTINUE; 1004 1005 if (!ieee80211_has_moredata(hdr->frame_control)) { 1006 /* AP has no more frames buffered for us */ 1007 local->pspolling = false; 1008 return RX_CONTINUE; 1009 } 1010 1011 /* more data bit is set, let's request a new frame from the AP */ 1012 ieee80211_send_pspoll(local, rx->sdata); 1013 1014 return RX_CONTINUE; 1015 } 1016 1017 static void ap_sta_ps_start(struct sta_info *sta) 1018 { 1019 struct ieee80211_sub_if_data *sdata = sta->sdata; 1020 struct ieee80211_local *local = sdata->local; 1021 1022 atomic_inc(&sdata->bss->num_sta_ps); 1023 set_sta_flags(sta, WLAN_STA_PS_STA); 1024 drv_sta_notify(local, &sdata->vif, STA_NOTIFY_SLEEP, &sta->sta); 1025 #ifdef CONFIG_MAC80211_VERBOSE_PS_DEBUG 1026 printk(KERN_DEBUG "%s: STA %pM aid %d enters power save mode\n", 1027 sdata->dev->name, sta->sta.addr, sta->sta.aid); 1028 #endif /* CONFIG_MAC80211_VERBOSE_PS_DEBUG */ 1029 } 1030 1031 static void ap_sta_ps_end(struct sta_info *sta) 1032 { 1033 struct ieee80211_sub_if_data *sdata = sta->sdata; 1034 1035 atomic_dec(&sdata->bss->num_sta_ps); 1036 1037 clear_sta_flags(sta, WLAN_STA_PS_STA); 1038 1039 #ifdef CONFIG_MAC80211_VERBOSE_PS_DEBUG 1040 printk(KERN_DEBUG "%s: STA %pM aid %d exits power save mode\n", 1041 sdata->dev->name, sta->sta.addr, sta->sta.aid); 1042 #endif /* CONFIG_MAC80211_VERBOSE_PS_DEBUG */ 1043 1044 if (test_sta_flags(sta, WLAN_STA_PS_DRIVER)) { 1045 #ifdef CONFIG_MAC80211_VERBOSE_PS_DEBUG 1046 printk(KERN_DEBUG "%s: STA %pM aid %d driver-ps-blocked\n", 1047 sdata->dev->name, sta->sta.addr, sta->sta.aid); 1048 #endif /* CONFIG_MAC80211_VERBOSE_PS_DEBUG */ 1049 return; 1050 } 1051 1052 ieee80211_sta_ps_deliver_wakeup(sta); 1053 } 1054 1055 static ieee80211_rx_result debug_noinline 1056 ieee80211_rx_h_sta_process(struct ieee80211_rx_data *rx) 1057 { 1058 struct sta_info *sta = rx->sta; 1059 struct sk_buff *skb = rx->skb; 1060 struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(skb); 1061 struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)skb->data; 1062 1063 if (!sta) 1064 return RX_CONTINUE; 1065 1066 /* 1067 * Update last_rx only for IBSS packets which are for the current 1068 * BSSID to avoid keeping the current IBSS network alive in cases 1069 * where other STAs start using different BSSID. 1070 */ 1071 if (rx->sdata->vif.type == NL80211_IFTYPE_ADHOC) { 1072 u8 *bssid = ieee80211_get_bssid(hdr, rx->skb->len, 1073 NL80211_IFTYPE_ADHOC); 1074 if (compare_ether_addr(bssid, rx->sdata->u.ibss.bssid) == 0) 1075 sta->last_rx = jiffies; 1076 } else if (!is_multicast_ether_addr(hdr->addr1)) { 1077 /* 1078 * Mesh beacons will update last_rx when if they are found to 1079 * match the current local configuration when processed. 1080 */ 1081 sta->last_rx = jiffies; 1082 } 1083 1084 if (!(rx->flags & IEEE80211_RX_RA_MATCH)) 1085 return RX_CONTINUE; 1086 1087 if (rx->sdata->vif.type == NL80211_IFTYPE_STATION) 1088 ieee80211_sta_rx_notify(rx->sdata, hdr); 1089 1090 sta->rx_fragments++; 1091 sta->rx_bytes += rx->skb->len; 1092 sta->last_signal = status->signal; 1093 sta->last_noise = status->noise; 1094 1095 /* 1096 * Change STA power saving mode only at the end of a frame 1097 * exchange sequence. 1098 */ 1099 if (!ieee80211_has_morefrags(hdr->frame_control) && 1100 (rx->sdata->vif.type == NL80211_IFTYPE_AP || 1101 rx->sdata->vif.type == NL80211_IFTYPE_AP_VLAN)) { 1102 if (test_sta_flags(sta, WLAN_STA_PS_STA)) { 1103 /* 1104 * Ignore doze->wake transitions that are 1105 * indicated by non-data frames, the standard 1106 * is unclear here, but for example going to 1107 * PS mode and then scanning would cause a 1108 * doze->wake transition for the probe request, 1109 * and that is clearly undesirable. 1110 */ 1111 if (ieee80211_is_data(hdr->frame_control) && 1112 !ieee80211_has_pm(hdr->frame_control)) 1113 ap_sta_ps_end(sta); 1114 } else { 1115 if (ieee80211_has_pm(hdr->frame_control)) 1116 ap_sta_ps_start(sta); 1117 } 1118 } 1119 1120 /* 1121 * Drop (qos-)data::nullfunc frames silently, since they 1122 * are used only to control station power saving mode. 1123 */ 1124 if (ieee80211_is_nullfunc(hdr->frame_control) || 1125 ieee80211_is_qos_nullfunc(hdr->frame_control)) { 1126 I802_DEBUG_INC(rx->local->rx_handlers_drop_nullfunc); 1127 /* 1128 * Update counter and free packet here to avoid 1129 * counting this as a dropped packed. 1130 */ 1131 sta->rx_packets++; 1132 dev_kfree_skb(rx->skb); 1133 return RX_QUEUED; 1134 } 1135 1136 return RX_CONTINUE; 1137 } /* ieee80211_rx_h_sta_process */ 1138 1139 static inline struct ieee80211_fragment_entry * 1140 ieee80211_reassemble_add(struct ieee80211_sub_if_data *sdata, 1141 unsigned int frag, unsigned int seq, int rx_queue, 1142 struct sk_buff **skb) 1143 { 1144 struct ieee80211_fragment_entry *entry; 1145 int idx; 1146 1147 idx = sdata->fragment_next; 1148 entry = &sdata->fragments[sdata->fragment_next++]; 1149 if (sdata->fragment_next >= IEEE80211_FRAGMENT_MAX) 1150 sdata->fragment_next = 0; 1151 1152 if (!skb_queue_empty(&entry->skb_list)) { 1153 #ifdef CONFIG_MAC80211_VERBOSE_DEBUG 1154 struct ieee80211_hdr *hdr = 1155 (struct ieee80211_hdr *) entry->skb_list.next->data; 1156 printk(KERN_DEBUG "%s: RX reassembly removed oldest " 1157 "fragment entry (idx=%d age=%lu seq=%d last_frag=%d " 1158 "addr1=%pM addr2=%pM\n", 1159 sdata->dev->name, idx, 1160 jiffies - entry->first_frag_time, entry->seq, 1161 entry->last_frag, hdr->addr1, hdr->addr2); 1162 #endif 1163 __skb_queue_purge(&entry->skb_list); 1164 } 1165 1166 __skb_queue_tail(&entry->skb_list, *skb); /* no need for locking */ 1167 *skb = NULL; 1168 entry->first_frag_time = jiffies; 1169 entry->seq = seq; 1170 entry->rx_queue = rx_queue; 1171 entry->last_frag = frag; 1172 entry->ccmp = 0; 1173 entry->extra_len = 0; 1174 1175 return entry; 1176 } 1177 1178 static inline struct ieee80211_fragment_entry * 1179 ieee80211_reassemble_find(struct ieee80211_sub_if_data *sdata, 1180 unsigned int frag, unsigned int seq, 1181 int rx_queue, struct ieee80211_hdr *hdr) 1182 { 1183 struct ieee80211_fragment_entry *entry; 1184 int i, idx; 1185 1186 idx = sdata->fragment_next; 1187 for (i = 0; i < IEEE80211_FRAGMENT_MAX; i++) { 1188 struct ieee80211_hdr *f_hdr; 1189 1190 idx--; 1191 if (idx < 0) 1192 idx = IEEE80211_FRAGMENT_MAX - 1; 1193 1194 entry = &sdata->fragments[idx]; 1195 if (skb_queue_empty(&entry->skb_list) || entry->seq != seq || 1196 entry->rx_queue != rx_queue || 1197 entry->last_frag + 1 != frag) 1198 continue; 1199 1200 f_hdr = (struct ieee80211_hdr *)entry->skb_list.next->data; 1201 1202 /* 1203 * Check ftype and addresses are equal, else check next fragment 1204 */ 1205 if (((hdr->frame_control ^ f_hdr->frame_control) & 1206 cpu_to_le16(IEEE80211_FCTL_FTYPE)) || 1207 compare_ether_addr(hdr->addr1, f_hdr->addr1) != 0 || 1208 compare_ether_addr(hdr->addr2, f_hdr->addr2) != 0) 1209 continue; 1210 1211 if (time_after(jiffies, entry->first_frag_time + 2 * HZ)) { 1212 __skb_queue_purge(&entry->skb_list); 1213 continue; 1214 } 1215 return entry; 1216 } 1217 1218 return NULL; 1219 } 1220 1221 static ieee80211_rx_result debug_noinline 1222 ieee80211_rx_h_defragment(struct ieee80211_rx_data *rx) 1223 { 1224 struct ieee80211_hdr *hdr; 1225 u16 sc; 1226 __le16 fc; 1227 unsigned int frag, seq; 1228 struct ieee80211_fragment_entry *entry; 1229 struct sk_buff *skb; 1230 1231 hdr = (struct ieee80211_hdr *)rx->skb->data; 1232 fc = hdr->frame_control; 1233 sc = le16_to_cpu(hdr->seq_ctrl); 1234 frag = sc & IEEE80211_SCTL_FRAG; 1235 1236 if (likely((!ieee80211_has_morefrags(fc) && frag == 0) || 1237 (rx->skb)->len < 24 || 1238 is_multicast_ether_addr(hdr->addr1))) { 1239 /* not fragmented */ 1240 goto out; 1241 } 1242 I802_DEBUG_INC(rx->local->rx_handlers_fragments); 1243 1244 seq = (sc & IEEE80211_SCTL_SEQ) >> 4; 1245 1246 if (frag == 0) { 1247 /* This is the first fragment of a new frame. */ 1248 entry = ieee80211_reassemble_add(rx->sdata, frag, seq, 1249 rx->queue, &(rx->skb)); 1250 if (rx->key && rx->key->conf.alg == ALG_CCMP && 1251 ieee80211_has_protected(fc)) { 1252 /* Store CCMP PN so that we can verify that the next 1253 * fragment has a sequential PN value. */ 1254 entry->ccmp = 1; 1255 memcpy(entry->last_pn, 1256 rx->key->u.ccmp.rx_pn[rx->queue], 1257 CCMP_PN_LEN); 1258 } 1259 return RX_QUEUED; 1260 } 1261 1262 /* This is a fragment for a frame that should already be pending in 1263 * fragment cache. Add this fragment to the end of the pending entry. 1264 */ 1265 entry = ieee80211_reassemble_find(rx->sdata, frag, seq, rx->queue, hdr); 1266 if (!entry) { 1267 I802_DEBUG_INC(rx->local->rx_handlers_drop_defrag); 1268 return RX_DROP_MONITOR; 1269 } 1270 1271 /* Verify that MPDUs within one MSDU have sequential PN values. 1272 * (IEEE 802.11i, 8.3.3.4.5) */ 1273 if (entry->ccmp) { 1274 int i; 1275 u8 pn[CCMP_PN_LEN], *rpn; 1276 if (!rx->key || rx->key->conf.alg != ALG_CCMP) 1277 return RX_DROP_UNUSABLE; 1278 memcpy(pn, entry->last_pn, CCMP_PN_LEN); 1279 for (i = CCMP_PN_LEN - 1; i >= 0; i--) { 1280 pn[i]++; 1281 if (pn[i]) 1282 break; 1283 } 1284 rpn = rx->key->u.ccmp.rx_pn[rx->queue]; 1285 if (memcmp(pn, rpn, CCMP_PN_LEN)) 1286 return RX_DROP_UNUSABLE; 1287 memcpy(entry->last_pn, pn, CCMP_PN_LEN); 1288 } 1289 1290 skb_pull(rx->skb, ieee80211_hdrlen(fc)); 1291 __skb_queue_tail(&entry->skb_list, rx->skb); 1292 entry->last_frag = frag; 1293 entry->extra_len += rx->skb->len; 1294 if (ieee80211_has_morefrags(fc)) { 1295 rx->skb = NULL; 1296 return RX_QUEUED; 1297 } 1298 1299 rx->skb = __skb_dequeue(&entry->skb_list); 1300 if (skb_tailroom(rx->skb) < entry->extra_len) { 1301 I802_DEBUG_INC(rx->local->rx_expand_skb_head2); 1302 if (unlikely(pskb_expand_head(rx->skb, 0, entry->extra_len, 1303 GFP_ATOMIC))) { 1304 I802_DEBUG_INC(rx->local->rx_handlers_drop_defrag); 1305 __skb_queue_purge(&entry->skb_list); 1306 return RX_DROP_UNUSABLE; 1307 } 1308 } 1309 while ((skb = __skb_dequeue(&entry->skb_list))) { 1310 memcpy(skb_put(rx->skb, skb->len), skb->data, skb->len); 1311 dev_kfree_skb(skb); 1312 } 1313 1314 /* Complete frame has been reassembled - process it now */ 1315 rx->flags |= IEEE80211_RX_FRAGMENTED; 1316 1317 out: 1318 if (rx->sta) 1319 rx->sta->rx_packets++; 1320 if (is_multicast_ether_addr(hdr->addr1)) 1321 rx->local->dot11MulticastReceivedFrameCount++; 1322 else 1323 ieee80211_led_rx(rx->local); 1324 return RX_CONTINUE; 1325 } 1326 1327 static ieee80211_rx_result debug_noinline 1328 ieee80211_rx_h_ps_poll(struct ieee80211_rx_data *rx) 1329 { 1330 struct ieee80211_sub_if_data *sdata = rx->sdata; 1331 __le16 fc = ((struct ieee80211_hdr *)rx->skb->data)->frame_control; 1332 1333 if (likely(!rx->sta || !ieee80211_is_pspoll(fc) || 1334 !(rx->flags & IEEE80211_RX_RA_MATCH))) 1335 return RX_CONTINUE; 1336 1337 if ((sdata->vif.type != NL80211_IFTYPE_AP) && 1338 (sdata->vif.type != NL80211_IFTYPE_AP_VLAN)) 1339 return RX_DROP_UNUSABLE; 1340 1341 if (!test_sta_flags(rx->sta, WLAN_STA_PS_DRIVER)) 1342 ieee80211_sta_ps_deliver_poll_response(rx->sta); 1343 else 1344 set_sta_flags(rx->sta, WLAN_STA_PSPOLL); 1345 1346 /* Free PS Poll skb here instead of returning RX_DROP that would 1347 * count as an dropped frame. */ 1348 dev_kfree_skb(rx->skb); 1349 1350 return RX_QUEUED; 1351 } 1352 1353 static ieee80211_rx_result debug_noinline 1354 ieee80211_rx_h_remove_qos_control(struct ieee80211_rx_data *rx) 1355 { 1356 u8 *data = rx->skb->data; 1357 struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)data; 1358 1359 if (!ieee80211_is_data_qos(hdr->frame_control)) 1360 return RX_CONTINUE; 1361 1362 /* remove the qos control field, update frame type and meta-data */ 1363 memmove(data + IEEE80211_QOS_CTL_LEN, data, 1364 ieee80211_hdrlen(hdr->frame_control) - IEEE80211_QOS_CTL_LEN); 1365 hdr = (struct ieee80211_hdr *)skb_pull(rx->skb, IEEE80211_QOS_CTL_LEN); 1366 /* change frame type to non QOS */ 1367 hdr->frame_control &= ~cpu_to_le16(IEEE80211_STYPE_QOS_DATA); 1368 1369 return RX_CONTINUE; 1370 } 1371 1372 static int 1373 ieee80211_802_1x_port_control(struct ieee80211_rx_data *rx) 1374 { 1375 if (unlikely(!rx->sta || 1376 !test_sta_flags(rx->sta, WLAN_STA_AUTHORIZED))) 1377 return -EACCES; 1378 1379 return 0; 1380 } 1381 1382 static int 1383 ieee80211_drop_unencrypted(struct ieee80211_rx_data *rx, __le16 fc) 1384 { 1385 struct sk_buff *skb = rx->skb; 1386 struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(skb); 1387 1388 /* 1389 * Pass through unencrypted frames if the hardware has 1390 * decrypted them already. 1391 */ 1392 if (status->flag & RX_FLAG_DECRYPTED) 1393 return 0; 1394 1395 /* Drop unencrypted frames if key is set. */ 1396 if (unlikely(!ieee80211_has_protected(fc) && 1397 !ieee80211_is_nullfunc(fc) && 1398 ieee80211_is_data(fc) && 1399 (rx->key || rx->sdata->drop_unencrypted))) 1400 return -EACCES; 1401 if (rx->sta && test_sta_flags(rx->sta, WLAN_STA_MFP)) { 1402 if (unlikely(ieee80211_is_unicast_robust_mgmt_frame(rx->skb) && 1403 rx->key)) 1404 return -EACCES; 1405 /* BIP does not use Protected field, so need to check MMIE */ 1406 if (unlikely(ieee80211_is_multicast_robust_mgmt_frame(rx->skb) && 1407 ieee80211_get_mmie_keyidx(rx->skb) < 0 && 1408 rx->key)) 1409 return -EACCES; 1410 /* 1411 * When using MFP, Action frames are not allowed prior to 1412 * having configured keys. 1413 */ 1414 if (unlikely(ieee80211_is_action(fc) && !rx->key && 1415 ieee80211_is_robust_mgmt_frame( 1416 (struct ieee80211_hdr *) rx->skb->data))) 1417 return -EACCES; 1418 } 1419 1420 return 0; 1421 } 1422 1423 static int 1424 __ieee80211_data_to_8023(struct ieee80211_rx_data *rx) 1425 { 1426 struct ieee80211_sub_if_data *sdata = rx->sdata; 1427 struct net_device *dev = sdata->dev; 1428 struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)rx->skb->data; 1429 1430 if (ieee80211_has_a4(hdr->frame_control) && 1431 sdata->vif.type == NL80211_IFTYPE_AP_VLAN && !sdata->u.vlan.sta) 1432 return -1; 1433 1434 if (is_multicast_ether_addr(hdr->addr1) && 1435 ((sdata->vif.type == NL80211_IFTYPE_AP_VLAN && sdata->u.vlan.sta) || 1436 (sdata->vif.type == NL80211_IFTYPE_STATION && sdata->u.mgd.use_4addr))) 1437 return -1; 1438 1439 return ieee80211_data_to_8023(rx->skb, dev->dev_addr, sdata->vif.type); 1440 } 1441 1442 /* 1443 * requires that rx->skb is a frame with ethernet header 1444 */ 1445 static bool ieee80211_frame_allowed(struct ieee80211_rx_data *rx, __le16 fc) 1446 { 1447 static const u8 pae_group_addr[ETH_ALEN] __aligned(2) 1448 = { 0x01, 0x80, 0xC2, 0x00, 0x00, 0x03 }; 1449 struct ethhdr *ehdr = (struct ethhdr *) rx->skb->data; 1450 1451 /* 1452 * Allow EAPOL frames to us/the PAE group address regardless 1453 * of whether the frame was encrypted or not. 1454 */ 1455 if (ehdr->h_proto == htons(ETH_P_PAE) && 1456 (compare_ether_addr(ehdr->h_dest, rx->sdata->dev->dev_addr) == 0 || 1457 compare_ether_addr(ehdr->h_dest, pae_group_addr) == 0)) 1458 return true; 1459 1460 if (ieee80211_802_1x_port_control(rx) || 1461 ieee80211_drop_unencrypted(rx, fc)) 1462 return false; 1463 1464 return true; 1465 } 1466 1467 /* 1468 * requires that rx->skb is a frame with ethernet header 1469 */ 1470 static void 1471 ieee80211_deliver_skb(struct ieee80211_rx_data *rx) 1472 { 1473 struct ieee80211_sub_if_data *sdata = rx->sdata; 1474 struct net_device *dev = sdata->dev; 1475 struct ieee80211_local *local = rx->local; 1476 struct sk_buff *skb, *xmit_skb; 1477 struct ethhdr *ehdr = (struct ethhdr *) rx->skb->data; 1478 struct sta_info *dsta; 1479 1480 skb = rx->skb; 1481 xmit_skb = NULL; 1482 1483 if ((sdata->vif.type == NL80211_IFTYPE_AP || 1484 sdata->vif.type == NL80211_IFTYPE_AP_VLAN) && 1485 !(sdata->flags & IEEE80211_SDATA_DONT_BRIDGE_PACKETS) && 1486 (rx->flags & IEEE80211_RX_RA_MATCH) && 1487 (sdata->vif.type != NL80211_IFTYPE_AP_VLAN || !sdata->u.vlan.sta)) { 1488 if (is_multicast_ether_addr(ehdr->h_dest)) { 1489 /* 1490 * send multicast frames both to higher layers in 1491 * local net stack and back to the wireless medium 1492 */ 1493 xmit_skb = skb_copy(skb, GFP_ATOMIC); 1494 if (!xmit_skb && net_ratelimit()) 1495 printk(KERN_DEBUG "%s: failed to clone " 1496 "multicast frame\n", dev->name); 1497 } else { 1498 dsta = sta_info_get(local, skb->data); 1499 if (dsta && dsta->sdata->dev == dev) { 1500 /* 1501 * The destination station is associated to 1502 * this AP (in this VLAN), so send the frame 1503 * directly to it and do not pass it to local 1504 * net stack. 1505 */ 1506 xmit_skb = skb; 1507 skb = NULL; 1508 } 1509 } 1510 } 1511 1512 if (skb) { 1513 int align __maybe_unused; 1514 1515 #if defined(CONFIG_MAC80211_DEBUG_PACKET_ALIGNMENT) || !defined(CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS) 1516 /* 1517 * 'align' will only take the values 0 or 2 here 1518 * since all frames are required to be aligned 1519 * to 2-byte boundaries when being passed to 1520 * mac80211. That also explains the __skb_push() 1521 * below. 1522 */ 1523 align = ((unsigned long)(skb->data + sizeof(struct ethhdr))) & 3; 1524 if (align) { 1525 if (WARN_ON(skb_headroom(skb) < 3)) { 1526 dev_kfree_skb(skb); 1527 skb = NULL; 1528 } else { 1529 u8 *data = skb->data; 1530 size_t len = skb_headlen(skb); 1531 skb->data -= align; 1532 memmove(skb->data, data, len); 1533 skb_set_tail_pointer(skb, len); 1534 } 1535 } 1536 #endif 1537 1538 if (skb) { 1539 /* deliver to local stack */ 1540 skb->protocol = eth_type_trans(skb, dev); 1541 memset(skb->cb, 0, sizeof(skb->cb)); 1542 netif_rx(skb); 1543 } 1544 } 1545 1546 if (xmit_skb) { 1547 /* send to wireless media */ 1548 xmit_skb->protocol = htons(ETH_P_802_3); 1549 skb_reset_network_header(xmit_skb); 1550 skb_reset_mac_header(xmit_skb); 1551 dev_queue_xmit(xmit_skb); 1552 } 1553 } 1554 1555 static ieee80211_rx_result debug_noinline 1556 ieee80211_rx_h_amsdu(struct ieee80211_rx_data *rx) 1557 { 1558 struct net_device *dev = rx->sdata->dev; 1559 struct ieee80211_local *local = rx->local; 1560 u16 ethertype; 1561 u8 *payload; 1562 struct sk_buff *skb = rx->skb, *frame = NULL; 1563 struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)skb->data; 1564 __le16 fc = hdr->frame_control; 1565 const struct ethhdr *eth; 1566 int remaining, err; 1567 u8 dst[ETH_ALEN]; 1568 u8 src[ETH_ALEN]; 1569 1570 if (unlikely(!ieee80211_is_data(fc))) 1571 return RX_CONTINUE; 1572 1573 if (unlikely(!ieee80211_is_data_present(fc))) 1574 return RX_DROP_MONITOR; 1575 1576 if (!(rx->flags & IEEE80211_RX_AMSDU)) 1577 return RX_CONTINUE; 1578 1579 err = __ieee80211_data_to_8023(rx); 1580 if (unlikely(err)) 1581 return RX_DROP_UNUSABLE; 1582 1583 skb->dev = dev; 1584 1585 dev->stats.rx_packets++; 1586 dev->stats.rx_bytes += skb->len; 1587 1588 /* skip the wrapping header */ 1589 eth = (struct ethhdr *) skb_pull(skb, sizeof(struct ethhdr)); 1590 if (!eth) 1591 return RX_DROP_UNUSABLE; 1592 1593 while (skb != frame) { 1594 u8 padding; 1595 __be16 len = eth->h_proto; 1596 unsigned int subframe_len = sizeof(struct ethhdr) + ntohs(len); 1597 1598 remaining = skb->len; 1599 memcpy(dst, eth->h_dest, ETH_ALEN); 1600 memcpy(src, eth->h_source, ETH_ALEN); 1601 1602 padding = ((4 - subframe_len) & 0x3); 1603 /* the last MSDU has no padding */ 1604 if (subframe_len > remaining) 1605 return RX_DROP_UNUSABLE; 1606 1607 skb_pull(skb, sizeof(struct ethhdr)); 1608 /* if last subframe reuse skb */ 1609 if (remaining <= subframe_len + padding) 1610 frame = skb; 1611 else { 1612 /* 1613 * Allocate and reserve two bytes more for payload 1614 * alignment since sizeof(struct ethhdr) is 14. 1615 */ 1616 frame = dev_alloc_skb( 1617 ALIGN(local->hw.extra_tx_headroom, 4) + 1618 subframe_len + 2); 1619 1620 if (frame == NULL) 1621 return RX_DROP_UNUSABLE; 1622 1623 skb_reserve(frame, 1624 ALIGN(local->hw.extra_tx_headroom, 4) + 1625 sizeof(struct ethhdr) + 2); 1626 memcpy(skb_put(frame, ntohs(len)), skb->data, 1627 ntohs(len)); 1628 1629 eth = (struct ethhdr *) skb_pull(skb, ntohs(len) + 1630 padding); 1631 if (!eth) { 1632 dev_kfree_skb(frame); 1633 return RX_DROP_UNUSABLE; 1634 } 1635 } 1636 1637 skb_reset_network_header(frame); 1638 frame->dev = dev; 1639 frame->priority = skb->priority; 1640 rx->skb = frame; 1641 1642 payload = frame->data; 1643 ethertype = (payload[6] << 8) | payload[7]; 1644 1645 if (likely((compare_ether_addr(payload, rfc1042_header) == 0 && 1646 ethertype != ETH_P_AARP && ethertype != ETH_P_IPX) || 1647 compare_ether_addr(payload, 1648 bridge_tunnel_header) == 0)) { 1649 /* remove RFC1042 or Bridge-Tunnel 1650 * encapsulation and replace EtherType */ 1651 skb_pull(frame, 6); 1652 memcpy(skb_push(frame, ETH_ALEN), src, ETH_ALEN); 1653 memcpy(skb_push(frame, ETH_ALEN), dst, ETH_ALEN); 1654 } else { 1655 memcpy(skb_push(frame, sizeof(__be16)), 1656 &len, sizeof(__be16)); 1657 memcpy(skb_push(frame, ETH_ALEN), src, ETH_ALEN); 1658 memcpy(skb_push(frame, ETH_ALEN), dst, ETH_ALEN); 1659 } 1660 1661 if (!ieee80211_frame_allowed(rx, fc)) { 1662 if (skb == frame) /* last frame */ 1663 return RX_DROP_UNUSABLE; 1664 dev_kfree_skb(frame); 1665 continue; 1666 } 1667 1668 ieee80211_deliver_skb(rx); 1669 } 1670 1671 return RX_QUEUED; 1672 } 1673 1674 #ifdef CONFIG_MAC80211_MESH 1675 static ieee80211_rx_result 1676 ieee80211_rx_h_mesh_fwding(struct ieee80211_rx_data *rx) 1677 { 1678 struct ieee80211_hdr *hdr; 1679 struct ieee80211s_hdr *mesh_hdr; 1680 unsigned int hdrlen; 1681 struct sk_buff *skb = rx->skb, *fwd_skb; 1682 struct ieee80211_local *local = rx->local; 1683 struct ieee80211_sub_if_data *sdata = rx->sdata; 1684 1685 hdr = (struct ieee80211_hdr *) skb->data; 1686 hdrlen = ieee80211_hdrlen(hdr->frame_control); 1687 mesh_hdr = (struct ieee80211s_hdr *) (skb->data + hdrlen); 1688 1689 if (!ieee80211_is_data(hdr->frame_control)) 1690 return RX_CONTINUE; 1691 1692 if (!mesh_hdr->ttl) 1693 /* illegal frame */ 1694 return RX_DROP_MONITOR; 1695 1696 if (mesh_hdr->flags & MESH_FLAGS_AE) { 1697 struct mesh_path *mppath; 1698 char *proxied_addr; 1699 char *mpp_addr; 1700 1701 if (is_multicast_ether_addr(hdr->addr1)) { 1702 mpp_addr = hdr->addr3; 1703 proxied_addr = mesh_hdr->eaddr1; 1704 } else { 1705 mpp_addr = hdr->addr4; 1706 proxied_addr = mesh_hdr->eaddr2; 1707 } 1708 1709 rcu_read_lock(); 1710 mppath = mpp_path_lookup(proxied_addr, sdata); 1711 if (!mppath) { 1712 mpp_path_add(proxied_addr, mpp_addr, sdata); 1713 } else { 1714 spin_lock_bh(&mppath->state_lock); 1715 if (compare_ether_addr(mppath->mpp, mpp_addr) != 0) 1716 memcpy(mppath->mpp, mpp_addr, ETH_ALEN); 1717 spin_unlock_bh(&mppath->state_lock); 1718 } 1719 rcu_read_unlock(); 1720 } 1721 1722 /* Frame has reached destination. Don't forward */ 1723 if (!is_multicast_ether_addr(hdr->addr1) && 1724 compare_ether_addr(sdata->dev->dev_addr, hdr->addr3) == 0) 1725 return RX_CONTINUE; 1726 1727 mesh_hdr->ttl--; 1728 1729 if (rx->flags & IEEE80211_RX_RA_MATCH) { 1730 if (!mesh_hdr->ttl) 1731 IEEE80211_IFSTA_MESH_CTR_INC(&rx->sdata->u.mesh, 1732 dropped_frames_ttl); 1733 else { 1734 struct ieee80211_hdr *fwd_hdr; 1735 struct ieee80211_tx_info *info; 1736 1737 fwd_skb = skb_copy(skb, GFP_ATOMIC); 1738 1739 if (!fwd_skb && net_ratelimit()) 1740 printk(KERN_DEBUG "%s: failed to clone mesh frame\n", 1741 sdata->dev->name); 1742 1743 fwd_hdr = (struct ieee80211_hdr *) fwd_skb->data; 1744 memcpy(fwd_hdr->addr2, sdata->dev->dev_addr, ETH_ALEN); 1745 info = IEEE80211_SKB_CB(fwd_skb); 1746 memset(info, 0, sizeof(*info)); 1747 info->flags |= IEEE80211_TX_INTFL_NEED_TXPROCESSING; 1748 info->control.vif = &rx->sdata->vif; 1749 ieee80211_select_queue(local, fwd_skb); 1750 if (is_multicast_ether_addr(fwd_hdr->addr1)) 1751 IEEE80211_IFSTA_MESH_CTR_INC(&sdata->u.mesh, 1752 fwded_mcast); 1753 else { 1754 int err; 1755 /* 1756 * Save TA to addr1 to send TA a path error if a 1757 * suitable next hop is not found 1758 */ 1759 memcpy(fwd_hdr->addr1, fwd_hdr->addr2, 1760 ETH_ALEN); 1761 err = mesh_nexthop_lookup(fwd_skb, sdata); 1762 /* Failed to immediately resolve next hop: 1763 * fwded frame was dropped or will be added 1764 * later to the pending skb queue. */ 1765 if (err) 1766 return RX_DROP_MONITOR; 1767 1768 IEEE80211_IFSTA_MESH_CTR_INC(&sdata->u.mesh, 1769 fwded_unicast); 1770 } 1771 IEEE80211_IFSTA_MESH_CTR_INC(&sdata->u.mesh, 1772 fwded_frames); 1773 ieee80211_add_pending_skb(local, fwd_skb); 1774 } 1775 } 1776 1777 if (is_multicast_ether_addr(hdr->addr1) || 1778 sdata->dev->flags & IFF_PROMISC) 1779 return RX_CONTINUE; 1780 else 1781 return RX_DROP_MONITOR; 1782 } 1783 #endif 1784 1785 static ieee80211_rx_result debug_noinline 1786 ieee80211_rx_h_data(struct ieee80211_rx_data *rx) 1787 { 1788 struct ieee80211_sub_if_data *sdata = rx->sdata; 1789 struct net_device *dev = sdata->dev; 1790 struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)rx->skb->data; 1791 __le16 fc = hdr->frame_control; 1792 int err; 1793 1794 if (unlikely(!ieee80211_is_data(hdr->frame_control))) 1795 return RX_CONTINUE; 1796 1797 if (unlikely(!ieee80211_is_data_present(hdr->frame_control))) 1798 return RX_DROP_MONITOR; 1799 1800 /* 1801 * Allow the cooked monitor interface of an AP to see 4-addr frames so 1802 * that a 4-addr station can be detected and moved into a separate VLAN 1803 */ 1804 if (ieee80211_has_a4(hdr->frame_control) && 1805 sdata->vif.type == NL80211_IFTYPE_AP) 1806 return RX_DROP_MONITOR; 1807 1808 err = __ieee80211_data_to_8023(rx); 1809 if (unlikely(err)) 1810 return RX_DROP_UNUSABLE; 1811 1812 if (!ieee80211_frame_allowed(rx, fc)) 1813 return RX_DROP_MONITOR; 1814 1815 rx->skb->dev = dev; 1816 1817 dev->stats.rx_packets++; 1818 dev->stats.rx_bytes += rx->skb->len; 1819 1820 ieee80211_deliver_skb(rx); 1821 1822 return RX_QUEUED; 1823 } 1824 1825 static ieee80211_rx_result debug_noinline 1826 ieee80211_rx_h_ctrl(struct ieee80211_rx_data *rx, struct sk_buff_head *frames) 1827 { 1828 struct ieee80211_local *local = rx->local; 1829 struct ieee80211_hw *hw = &local->hw; 1830 struct sk_buff *skb = rx->skb; 1831 struct ieee80211_bar *bar = (struct ieee80211_bar *)skb->data; 1832 struct tid_ampdu_rx *tid_agg_rx; 1833 u16 start_seq_num; 1834 u16 tid; 1835 1836 if (likely(!ieee80211_is_ctl(bar->frame_control))) 1837 return RX_CONTINUE; 1838 1839 if (ieee80211_is_back_req(bar->frame_control)) { 1840 if (!rx->sta) 1841 return RX_DROP_MONITOR; 1842 tid = le16_to_cpu(bar->control) >> 12; 1843 if (rx->sta->ampdu_mlme.tid_state_rx[tid] 1844 != HT_AGG_STATE_OPERATIONAL) 1845 return RX_DROP_MONITOR; 1846 tid_agg_rx = rx->sta->ampdu_mlme.tid_rx[tid]; 1847 1848 start_seq_num = le16_to_cpu(bar->start_seq_num) >> 4; 1849 1850 /* reset session timer */ 1851 if (tid_agg_rx->timeout) 1852 mod_timer(&tid_agg_rx->session_timer, 1853 TU_TO_EXP_TIME(tid_agg_rx->timeout)); 1854 1855 /* release stored frames up to start of BAR */ 1856 ieee80211_release_reorder_frames(hw, tid_agg_rx, start_seq_num, 1857 frames); 1858 kfree_skb(skb); 1859 return RX_QUEUED; 1860 } 1861 1862 return RX_CONTINUE; 1863 } 1864 1865 static void ieee80211_process_sa_query_req(struct ieee80211_sub_if_data *sdata, 1866 struct ieee80211_mgmt *mgmt, 1867 size_t len) 1868 { 1869 struct ieee80211_local *local = sdata->local; 1870 struct sk_buff *skb; 1871 struct ieee80211_mgmt *resp; 1872 1873 if (compare_ether_addr(mgmt->da, sdata->dev->dev_addr) != 0) { 1874 /* Not to own unicast address */ 1875 return; 1876 } 1877 1878 if (compare_ether_addr(mgmt->sa, sdata->u.mgd.bssid) != 0 || 1879 compare_ether_addr(mgmt->bssid, sdata->u.mgd.bssid) != 0) { 1880 /* Not from the current AP or not associated yet. */ 1881 return; 1882 } 1883 1884 if (len < 24 + 1 + sizeof(resp->u.action.u.sa_query)) { 1885 /* Too short SA Query request frame */ 1886 return; 1887 } 1888 1889 skb = dev_alloc_skb(sizeof(*resp) + local->hw.extra_tx_headroom); 1890 if (skb == NULL) 1891 return; 1892 1893 skb_reserve(skb, local->hw.extra_tx_headroom); 1894 resp = (struct ieee80211_mgmt *) skb_put(skb, 24); 1895 memset(resp, 0, 24); 1896 memcpy(resp->da, mgmt->sa, ETH_ALEN); 1897 memcpy(resp->sa, sdata->dev->dev_addr, ETH_ALEN); 1898 memcpy(resp->bssid, sdata->u.mgd.bssid, ETH_ALEN); 1899 resp->frame_control = cpu_to_le16(IEEE80211_FTYPE_MGMT | 1900 IEEE80211_STYPE_ACTION); 1901 skb_put(skb, 1 + sizeof(resp->u.action.u.sa_query)); 1902 resp->u.action.category = WLAN_CATEGORY_SA_QUERY; 1903 resp->u.action.u.sa_query.action = WLAN_ACTION_SA_QUERY_RESPONSE; 1904 memcpy(resp->u.action.u.sa_query.trans_id, 1905 mgmt->u.action.u.sa_query.trans_id, 1906 WLAN_SA_QUERY_TR_ID_LEN); 1907 1908 ieee80211_tx_skb(sdata, skb); 1909 } 1910 1911 static ieee80211_rx_result debug_noinline 1912 ieee80211_rx_h_action(struct ieee80211_rx_data *rx) 1913 { 1914 struct ieee80211_local *local = rx->local; 1915 struct ieee80211_sub_if_data *sdata = rx->sdata; 1916 struct ieee80211_mgmt *mgmt = (struct ieee80211_mgmt *) rx->skb->data; 1917 int len = rx->skb->len; 1918 1919 if (!ieee80211_is_action(mgmt->frame_control)) 1920 return RX_CONTINUE; 1921 1922 if (!rx->sta) 1923 return RX_DROP_MONITOR; 1924 1925 if (!(rx->flags & IEEE80211_RX_RA_MATCH)) 1926 return RX_DROP_MONITOR; 1927 1928 if (ieee80211_drop_unencrypted(rx, mgmt->frame_control)) 1929 return RX_DROP_MONITOR; 1930 1931 /* all categories we currently handle have action_code */ 1932 if (len < IEEE80211_MIN_ACTION_SIZE + 1) 1933 return RX_DROP_MONITOR; 1934 1935 switch (mgmt->u.action.category) { 1936 case WLAN_CATEGORY_BACK: 1937 /* 1938 * The aggregation code is not prepared to handle 1939 * anything but STA/AP due to the BSSID handling; 1940 * IBSS could work in the code but isn't supported 1941 * by drivers or the standard. 1942 */ 1943 if (sdata->vif.type != NL80211_IFTYPE_STATION && 1944 sdata->vif.type != NL80211_IFTYPE_AP_VLAN && 1945 sdata->vif.type != NL80211_IFTYPE_AP) 1946 return RX_DROP_MONITOR; 1947 1948 switch (mgmt->u.action.u.addba_req.action_code) { 1949 case WLAN_ACTION_ADDBA_REQ: 1950 if (len < (IEEE80211_MIN_ACTION_SIZE + 1951 sizeof(mgmt->u.action.u.addba_req))) 1952 return RX_DROP_MONITOR; 1953 ieee80211_process_addba_request(local, rx->sta, mgmt, len); 1954 break; 1955 case WLAN_ACTION_ADDBA_RESP: 1956 if (len < (IEEE80211_MIN_ACTION_SIZE + 1957 sizeof(mgmt->u.action.u.addba_resp))) 1958 return RX_DROP_MONITOR; 1959 ieee80211_process_addba_resp(local, rx->sta, mgmt, len); 1960 break; 1961 case WLAN_ACTION_DELBA: 1962 if (len < (IEEE80211_MIN_ACTION_SIZE + 1963 sizeof(mgmt->u.action.u.delba))) 1964 return RX_DROP_MONITOR; 1965 ieee80211_process_delba(sdata, rx->sta, mgmt, len); 1966 break; 1967 } 1968 break; 1969 case WLAN_CATEGORY_SPECTRUM_MGMT: 1970 if (local->hw.conf.channel->band != IEEE80211_BAND_5GHZ) 1971 return RX_DROP_MONITOR; 1972 1973 if (sdata->vif.type != NL80211_IFTYPE_STATION) 1974 return RX_DROP_MONITOR; 1975 1976 switch (mgmt->u.action.u.measurement.action_code) { 1977 case WLAN_ACTION_SPCT_MSR_REQ: 1978 if (len < (IEEE80211_MIN_ACTION_SIZE + 1979 sizeof(mgmt->u.action.u.measurement))) 1980 return RX_DROP_MONITOR; 1981 ieee80211_process_measurement_req(sdata, mgmt, len); 1982 break; 1983 case WLAN_ACTION_SPCT_CHL_SWITCH: 1984 if (len < (IEEE80211_MIN_ACTION_SIZE + 1985 sizeof(mgmt->u.action.u.chan_switch))) 1986 return RX_DROP_MONITOR; 1987 1988 if (sdata->vif.type != NL80211_IFTYPE_STATION) 1989 return RX_DROP_MONITOR; 1990 1991 if (memcmp(mgmt->bssid, sdata->u.mgd.bssid, ETH_ALEN)) 1992 return RX_DROP_MONITOR; 1993 1994 return ieee80211_sta_rx_mgmt(sdata, rx->skb); 1995 } 1996 break; 1997 case WLAN_CATEGORY_SA_QUERY: 1998 if (len < (IEEE80211_MIN_ACTION_SIZE + 1999 sizeof(mgmt->u.action.u.sa_query))) 2000 return RX_DROP_MONITOR; 2001 switch (mgmt->u.action.u.sa_query.action) { 2002 case WLAN_ACTION_SA_QUERY_REQUEST: 2003 if (sdata->vif.type != NL80211_IFTYPE_STATION) 2004 return RX_DROP_MONITOR; 2005 ieee80211_process_sa_query_req(sdata, mgmt, len); 2006 break; 2007 case WLAN_ACTION_SA_QUERY_RESPONSE: 2008 /* 2009 * SA Query response is currently only used in AP mode 2010 * and it is processed in user space. 2011 */ 2012 return RX_CONTINUE; 2013 } 2014 break; 2015 default: 2016 return RX_CONTINUE; 2017 } 2018 2019 rx->sta->rx_packets++; 2020 dev_kfree_skb(rx->skb); 2021 return RX_QUEUED; 2022 } 2023 2024 static ieee80211_rx_result debug_noinline 2025 ieee80211_rx_h_mgmt(struct ieee80211_rx_data *rx) 2026 { 2027 struct ieee80211_sub_if_data *sdata = rx->sdata; 2028 struct ieee80211_mgmt *mgmt = (struct ieee80211_mgmt *) rx->skb->data; 2029 2030 if (!(rx->flags & IEEE80211_RX_RA_MATCH)) 2031 return RX_DROP_MONITOR; 2032 2033 if (ieee80211_drop_unencrypted(rx, mgmt->frame_control)) 2034 return RX_DROP_MONITOR; 2035 2036 if (ieee80211_vif_is_mesh(&sdata->vif)) 2037 return ieee80211_mesh_rx_mgmt(sdata, rx->skb); 2038 2039 if (sdata->vif.type == NL80211_IFTYPE_ADHOC) 2040 return ieee80211_ibss_rx_mgmt(sdata, rx->skb); 2041 2042 if (sdata->vif.type == NL80211_IFTYPE_STATION) 2043 return ieee80211_sta_rx_mgmt(sdata, rx->skb); 2044 2045 return RX_DROP_MONITOR; 2046 } 2047 2048 static void ieee80211_rx_michael_mic_report(struct ieee80211_hdr *hdr, 2049 struct ieee80211_rx_data *rx) 2050 { 2051 int keyidx; 2052 unsigned int hdrlen; 2053 2054 hdrlen = ieee80211_hdrlen(hdr->frame_control); 2055 if (rx->skb->len >= hdrlen + 4) 2056 keyidx = rx->skb->data[hdrlen + 3] >> 6; 2057 else 2058 keyidx = -1; 2059 2060 if (!rx->sta) { 2061 /* 2062 * Some hardware seem to generate incorrect Michael MIC 2063 * reports; ignore them to avoid triggering countermeasures. 2064 */ 2065 return; 2066 } 2067 2068 if (!ieee80211_has_protected(hdr->frame_control)) 2069 return; 2070 2071 if (rx->sdata->vif.type == NL80211_IFTYPE_AP && keyidx) { 2072 /* 2073 * APs with pairwise keys should never receive Michael MIC 2074 * errors for non-zero keyidx because these are reserved for 2075 * group keys and only the AP is sending real multicast 2076 * frames in the BSS. 2077 */ 2078 return; 2079 } 2080 2081 if (!ieee80211_is_data(hdr->frame_control) && 2082 !ieee80211_is_auth(hdr->frame_control)) 2083 return; 2084 2085 mac80211_ev_michael_mic_failure(rx->sdata, keyidx, hdr, NULL, 2086 GFP_ATOMIC); 2087 } 2088 2089 /* TODO: use IEEE80211_RX_FRAGMENTED */ 2090 static void ieee80211_rx_cooked_monitor(struct ieee80211_rx_data *rx, 2091 struct ieee80211_rate *rate) 2092 { 2093 struct ieee80211_sub_if_data *sdata; 2094 struct ieee80211_local *local = rx->local; 2095 struct ieee80211_rtap_hdr { 2096 struct ieee80211_radiotap_header hdr; 2097 u8 flags; 2098 u8 rate_or_pad; 2099 __le16 chan_freq; 2100 __le16 chan_flags; 2101 } __attribute__ ((packed)) *rthdr; 2102 struct sk_buff *skb = rx->skb, *skb2; 2103 struct net_device *prev_dev = NULL; 2104 struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(skb); 2105 2106 if (status->flag & RX_FLAG_INTERNAL_CMTR) 2107 goto out_free_skb; 2108 2109 if (skb_headroom(skb) < sizeof(*rthdr) && 2110 pskb_expand_head(skb, sizeof(*rthdr), 0, GFP_ATOMIC)) 2111 goto out_free_skb; 2112 2113 rthdr = (void *)skb_push(skb, sizeof(*rthdr)); 2114 memset(rthdr, 0, sizeof(*rthdr)); 2115 rthdr->hdr.it_len = cpu_to_le16(sizeof(*rthdr)); 2116 rthdr->hdr.it_present = 2117 cpu_to_le32((1 << IEEE80211_RADIOTAP_FLAGS) | 2118 (1 << IEEE80211_RADIOTAP_CHANNEL)); 2119 2120 if (rate) { 2121 rthdr->rate_or_pad = rate->bitrate / 5; 2122 rthdr->hdr.it_present |= 2123 cpu_to_le32(1 << IEEE80211_RADIOTAP_RATE); 2124 } 2125 rthdr->chan_freq = cpu_to_le16(status->freq); 2126 2127 if (status->band == IEEE80211_BAND_5GHZ) 2128 rthdr->chan_flags = cpu_to_le16(IEEE80211_CHAN_OFDM | 2129 IEEE80211_CHAN_5GHZ); 2130 else 2131 rthdr->chan_flags = cpu_to_le16(IEEE80211_CHAN_DYN | 2132 IEEE80211_CHAN_2GHZ); 2133 2134 skb_set_mac_header(skb, 0); 2135 skb->ip_summed = CHECKSUM_UNNECESSARY; 2136 skb->pkt_type = PACKET_OTHERHOST; 2137 skb->protocol = htons(ETH_P_802_2); 2138 2139 list_for_each_entry_rcu(sdata, &local->interfaces, list) { 2140 if (!netif_running(sdata->dev)) 2141 continue; 2142 2143 if (sdata->vif.type != NL80211_IFTYPE_MONITOR || 2144 !(sdata->u.mntr_flags & MONITOR_FLAG_COOK_FRAMES)) 2145 continue; 2146 2147 if (prev_dev) { 2148 skb2 = skb_clone(skb, GFP_ATOMIC); 2149 if (skb2) { 2150 skb2->dev = prev_dev; 2151 netif_rx(skb2); 2152 } 2153 } 2154 2155 prev_dev = sdata->dev; 2156 sdata->dev->stats.rx_packets++; 2157 sdata->dev->stats.rx_bytes += skb->len; 2158 } 2159 2160 if (prev_dev) { 2161 skb->dev = prev_dev; 2162 netif_rx(skb); 2163 skb = NULL; 2164 } else 2165 goto out_free_skb; 2166 2167 status->flag |= RX_FLAG_INTERNAL_CMTR; 2168 return; 2169 2170 out_free_skb: 2171 dev_kfree_skb(skb); 2172 } 2173 2174 2175 static void ieee80211_invoke_rx_handlers(struct ieee80211_sub_if_data *sdata, 2176 struct ieee80211_rx_data *rx, 2177 struct sk_buff *skb, 2178 struct ieee80211_rate *rate) 2179 { 2180 struct sk_buff_head reorder_release; 2181 ieee80211_rx_result res = RX_DROP_MONITOR; 2182 2183 __skb_queue_head_init(&reorder_release); 2184 2185 rx->skb = skb; 2186 rx->sdata = sdata; 2187 2188 #define CALL_RXH(rxh) \ 2189 do { \ 2190 res = rxh(rx); \ 2191 if (res != RX_CONTINUE) \ 2192 goto rxh_next; \ 2193 } while (0); 2194 2195 /* 2196 * NB: the rxh_next label works even if we jump 2197 * to it from here because then the list will 2198 * be empty, which is a trivial check 2199 */ 2200 CALL_RXH(ieee80211_rx_h_passive_scan) 2201 CALL_RXH(ieee80211_rx_h_check) 2202 2203 ieee80211_rx_reorder_ampdu(rx, &reorder_release); 2204 2205 while ((skb = __skb_dequeue(&reorder_release))) { 2206 /* 2207 * all the other fields are valid across frames 2208 * that belong to an aMPDU since they are on the 2209 * same TID from the same station 2210 */ 2211 rx->skb = skb; 2212 2213 CALL_RXH(ieee80211_rx_h_decrypt) 2214 CALL_RXH(ieee80211_rx_h_check_more_data) 2215 CALL_RXH(ieee80211_rx_h_sta_process) 2216 CALL_RXH(ieee80211_rx_h_defragment) 2217 CALL_RXH(ieee80211_rx_h_ps_poll) 2218 CALL_RXH(ieee80211_rx_h_michael_mic_verify) 2219 /* must be after MMIC verify so header is counted in MPDU mic */ 2220 CALL_RXH(ieee80211_rx_h_remove_qos_control) 2221 CALL_RXH(ieee80211_rx_h_amsdu) 2222 #ifdef CONFIG_MAC80211_MESH 2223 if (ieee80211_vif_is_mesh(&sdata->vif)) 2224 CALL_RXH(ieee80211_rx_h_mesh_fwding); 2225 #endif 2226 CALL_RXH(ieee80211_rx_h_data) 2227 2228 /* special treatment -- needs the queue */ 2229 res = ieee80211_rx_h_ctrl(rx, &reorder_release); 2230 if (res != RX_CONTINUE) 2231 goto rxh_next; 2232 2233 CALL_RXH(ieee80211_rx_h_action) 2234 CALL_RXH(ieee80211_rx_h_mgmt) 2235 2236 #undef CALL_RXH 2237 2238 rxh_next: 2239 switch (res) { 2240 case RX_DROP_MONITOR: 2241 I802_DEBUG_INC(sdata->local->rx_handlers_drop); 2242 if (rx->sta) 2243 rx->sta->rx_dropped++; 2244 /* fall through */ 2245 case RX_CONTINUE: 2246 ieee80211_rx_cooked_monitor(rx, rate); 2247 break; 2248 case RX_DROP_UNUSABLE: 2249 I802_DEBUG_INC(sdata->local->rx_handlers_drop); 2250 if (rx->sta) 2251 rx->sta->rx_dropped++; 2252 dev_kfree_skb(rx->skb); 2253 break; 2254 case RX_QUEUED: 2255 I802_DEBUG_INC(sdata->local->rx_handlers_queued); 2256 break; 2257 } 2258 } 2259 } 2260 2261 /* main receive path */ 2262 2263 static int prepare_for_handlers(struct ieee80211_sub_if_data *sdata, 2264 struct ieee80211_rx_data *rx, 2265 struct ieee80211_hdr *hdr) 2266 { 2267 struct sk_buff *skb = rx->skb; 2268 struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(skb); 2269 u8 *bssid = ieee80211_get_bssid(hdr, skb->len, sdata->vif.type); 2270 int multicast = is_multicast_ether_addr(hdr->addr1); 2271 2272 switch (sdata->vif.type) { 2273 case NL80211_IFTYPE_STATION: 2274 if (!bssid && !sdata->u.mgd.use_4addr) 2275 return 0; 2276 if (!multicast && 2277 compare_ether_addr(sdata->dev->dev_addr, hdr->addr1) != 0) { 2278 if (!(sdata->dev->flags & IFF_PROMISC)) 2279 return 0; 2280 rx->flags &= ~IEEE80211_RX_RA_MATCH; 2281 } 2282 break; 2283 case NL80211_IFTYPE_ADHOC: 2284 if (!bssid) 2285 return 0; 2286 if (ieee80211_is_beacon(hdr->frame_control)) { 2287 return 1; 2288 } 2289 else if (!ieee80211_bssid_match(bssid, sdata->u.ibss.bssid)) { 2290 if (!(rx->flags & IEEE80211_RX_IN_SCAN)) 2291 return 0; 2292 rx->flags &= ~IEEE80211_RX_RA_MATCH; 2293 } else if (!multicast && 2294 compare_ether_addr(sdata->dev->dev_addr, 2295 hdr->addr1) != 0) { 2296 if (!(sdata->dev->flags & IFF_PROMISC)) 2297 return 0; 2298 rx->flags &= ~IEEE80211_RX_RA_MATCH; 2299 } else if (!rx->sta) { 2300 int rate_idx; 2301 if (status->flag & RX_FLAG_HT) 2302 rate_idx = 0; /* TODO: HT rates */ 2303 else 2304 rate_idx = status->rate_idx; 2305 rx->sta = ieee80211_ibss_add_sta(sdata, bssid, hdr->addr2, 2306 BIT(rate_idx)); 2307 } 2308 break; 2309 case NL80211_IFTYPE_MESH_POINT: 2310 if (!multicast && 2311 compare_ether_addr(sdata->dev->dev_addr, 2312 hdr->addr1) != 0) { 2313 if (!(sdata->dev->flags & IFF_PROMISC)) 2314 return 0; 2315 2316 rx->flags &= ~IEEE80211_RX_RA_MATCH; 2317 } 2318 break; 2319 case NL80211_IFTYPE_AP_VLAN: 2320 case NL80211_IFTYPE_AP: 2321 if (!bssid) { 2322 if (compare_ether_addr(sdata->dev->dev_addr, 2323 hdr->addr1)) 2324 return 0; 2325 } else if (!ieee80211_bssid_match(bssid, 2326 sdata->dev->dev_addr)) { 2327 if (!(rx->flags & IEEE80211_RX_IN_SCAN)) 2328 return 0; 2329 rx->flags &= ~IEEE80211_RX_RA_MATCH; 2330 } 2331 break; 2332 case NL80211_IFTYPE_WDS: 2333 if (bssid || !ieee80211_is_data(hdr->frame_control)) 2334 return 0; 2335 if (compare_ether_addr(sdata->u.wds.remote_addr, hdr->addr2)) 2336 return 0; 2337 break; 2338 case NL80211_IFTYPE_MONITOR: 2339 case NL80211_IFTYPE_UNSPECIFIED: 2340 case __NL80211_IFTYPE_AFTER_LAST: 2341 /* should never get here */ 2342 WARN_ON(1); 2343 break; 2344 } 2345 2346 return 1; 2347 } 2348 2349 /* 2350 * This is the actual Rx frames handler. as it blongs to Rx path it must 2351 * be called with rcu_read_lock protection. 2352 */ 2353 static void __ieee80211_rx_handle_packet(struct ieee80211_hw *hw, 2354 struct sk_buff *skb, 2355 struct ieee80211_rate *rate) 2356 { 2357 struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(skb); 2358 struct ieee80211_local *local = hw_to_local(hw); 2359 struct ieee80211_sub_if_data *sdata; 2360 struct ieee80211_hdr *hdr; 2361 struct ieee80211_rx_data rx; 2362 int prepares; 2363 struct ieee80211_sub_if_data *prev = NULL; 2364 struct sk_buff *skb_new; 2365 2366 hdr = (struct ieee80211_hdr *)skb->data; 2367 memset(&rx, 0, sizeof(rx)); 2368 rx.skb = skb; 2369 rx.local = local; 2370 2371 if (ieee80211_is_data(hdr->frame_control) || ieee80211_is_mgmt(hdr->frame_control)) 2372 local->dot11ReceivedFragmentCount++; 2373 2374 if (unlikely(test_bit(SCAN_HW_SCANNING, &local->scanning) || 2375 test_bit(SCAN_OFF_CHANNEL, &local->scanning))) 2376 rx.flags |= IEEE80211_RX_IN_SCAN; 2377 2378 ieee80211_parse_qos(&rx); 2379 ieee80211_verify_alignment(&rx); 2380 2381 rx.sta = sta_info_get(local, hdr->addr2); 2382 if (rx.sta) 2383 rx.sdata = rx.sta->sdata; 2384 2385 if (rx.sdata && ieee80211_is_data(hdr->frame_control)) { 2386 rx.flags |= IEEE80211_RX_RA_MATCH; 2387 prepares = prepare_for_handlers(rx.sdata, &rx, hdr); 2388 if (prepares) { 2389 if (status->flag & RX_FLAG_MMIC_ERROR) { 2390 if (rx.flags & IEEE80211_RX_RA_MATCH) 2391 ieee80211_rx_michael_mic_report(hdr, &rx); 2392 } else 2393 prev = rx.sdata; 2394 } 2395 } else list_for_each_entry_rcu(sdata, &local->interfaces, list) { 2396 if (!netif_running(sdata->dev)) 2397 continue; 2398 2399 if (sdata->vif.type == NL80211_IFTYPE_MONITOR || 2400 sdata->vif.type == NL80211_IFTYPE_AP_VLAN) 2401 continue; 2402 2403 rx.flags |= IEEE80211_RX_RA_MATCH; 2404 prepares = prepare_for_handlers(sdata, &rx, hdr); 2405 2406 if (!prepares) 2407 continue; 2408 2409 if (status->flag & RX_FLAG_MMIC_ERROR) { 2410 rx.sdata = sdata; 2411 if (rx.flags & IEEE80211_RX_RA_MATCH) 2412 ieee80211_rx_michael_mic_report(hdr, &rx); 2413 continue; 2414 } 2415 2416 /* 2417 * frame is destined for this interface, but if it's not 2418 * also for the previous one we handle that after the 2419 * loop to avoid copying the SKB once too much 2420 */ 2421 2422 if (!prev) { 2423 prev = sdata; 2424 continue; 2425 } 2426 2427 /* 2428 * frame was destined for the previous interface 2429 * so invoke RX handlers for it 2430 */ 2431 2432 skb_new = skb_copy(skb, GFP_ATOMIC); 2433 if (!skb_new) { 2434 if (net_ratelimit()) 2435 printk(KERN_DEBUG "%s: failed to copy " 2436 "multicast frame for %s\n", 2437 wiphy_name(local->hw.wiphy), 2438 prev->dev->name); 2439 continue; 2440 } 2441 ieee80211_invoke_rx_handlers(prev, &rx, skb_new, rate); 2442 prev = sdata; 2443 } 2444 if (prev) 2445 ieee80211_invoke_rx_handlers(prev, &rx, skb, rate); 2446 else 2447 dev_kfree_skb(skb); 2448 } 2449 2450 /* 2451 * This is the receive path handler. It is called by a low level driver when an 2452 * 802.11 MPDU is received from the hardware. 2453 */ 2454 void ieee80211_rx(struct ieee80211_hw *hw, struct sk_buff *skb) 2455 { 2456 struct ieee80211_local *local = hw_to_local(hw); 2457 struct ieee80211_rate *rate = NULL; 2458 struct ieee80211_supported_band *sband; 2459 struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(skb); 2460 2461 WARN_ON_ONCE(softirq_count() == 0); 2462 2463 if (WARN_ON(status->band < 0 || 2464 status->band >= IEEE80211_NUM_BANDS)) 2465 goto drop; 2466 2467 sband = local->hw.wiphy->bands[status->band]; 2468 if (WARN_ON(!sband)) 2469 goto drop; 2470 2471 /* 2472 * If we're suspending, it is possible although not too likely 2473 * that we'd be receiving frames after having already partially 2474 * quiesced the stack. We can't process such frames then since 2475 * that might, for example, cause stations to be added or other 2476 * driver callbacks be invoked. 2477 */ 2478 if (unlikely(local->quiescing || local->suspended)) 2479 goto drop; 2480 2481 /* 2482 * The same happens when we're not even started, 2483 * but that's worth a warning. 2484 */ 2485 if (WARN_ON(!local->started)) 2486 goto drop; 2487 2488 if (status->flag & RX_FLAG_HT) { 2489 /* 2490 * rate_idx is MCS index, which can be [0-76] as documented on: 2491 * 2492 * http://wireless.kernel.org/en/developers/Documentation/ieee80211/802.11n 2493 * 2494 * Anything else would be some sort of driver or hardware error. 2495 * The driver should catch hardware errors. 2496 */ 2497 if (WARN((status->rate_idx < 0 || 2498 status->rate_idx > 76), 2499 "Rate marked as an HT rate but passed " 2500 "status->rate_idx is not " 2501 "an MCS index [0-76]: %d (0x%02x)\n", 2502 status->rate_idx, 2503 status->rate_idx)) 2504 goto drop; 2505 } else { 2506 if (WARN_ON(status->rate_idx < 0 || 2507 status->rate_idx >= sband->n_bitrates)) 2508 goto drop; 2509 rate = &sband->bitrates[status->rate_idx]; 2510 } 2511 2512 /* 2513 * key references and virtual interfaces are protected using RCU 2514 * and this requires that we are in a read-side RCU section during 2515 * receive processing 2516 */ 2517 rcu_read_lock(); 2518 2519 /* 2520 * Frames with failed FCS/PLCP checksum are not returned, 2521 * all other frames are returned without radiotap header 2522 * if it was previously present. 2523 * Also, frames with less than 16 bytes are dropped. 2524 */ 2525 skb = ieee80211_rx_monitor(local, skb, rate); 2526 if (!skb) { 2527 rcu_read_unlock(); 2528 return; 2529 } 2530 2531 __ieee80211_rx_handle_packet(hw, skb, rate); 2532 2533 rcu_read_unlock(); 2534 2535 return; 2536 drop: 2537 kfree_skb(skb); 2538 } 2539 EXPORT_SYMBOL(ieee80211_rx); 2540 2541 /* This is a version of the rx handler that can be called from hard irq 2542 * context. Post the skb on the queue and schedule the tasklet */ 2543 void ieee80211_rx_irqsafe(struct ieee80211_hw *hw, struct sk_buff *skb) 2544 { 2545 struct ieee80211_local *local = hw_to_local(hw); 2546 2547 BUILD_BUG_ON(sizeof(struct ieee80211_rx_status) > sizeof(skb->cb)); 2548 2549 skb->pkt_type = IEEE80211_RX_MSG; 2550 skb_queue_tail(&local->skb_queue, skb); 2551 tasklet_schedule(&local->tasklet); 2552 } 2553 EXPORT_SYMBOL(ieee80211_rx_irqsafe); 2554