1 /* 2 * Copyright 2002-2005, Instant802 Networks, Inc. 3 * Copyright 2005-2006, Devicescape Software, Inc. 4 * Copyright 2006-2007 Jiri Benc <jbenc@suse.cz> 5 * Copyright 2007 Johannes Berg <johannes@sipsolutions.net> 6 * 7 * This program is free software; you can redistribute it and/or modify 8 * it under the terms of the GNU General Public License version 2 as 9 * published by the Free Software Foundation. 10 */ 11 12 #include <linux/kernel.h> 13 #include <linux/skbuff.h> 14 #include <linux/netdevice.h> 15 #include <linux/etherdevice.h> 16 #include <linux/rcupdate.h> 17 #include <net/mac80211.h> 18 #include <net/ieee80211_radiotap.h> 19 20 #include "ieee80211_i.h" 21 #include "ieee80211_led.h" 22 #include "wep.h" 23 #include "wpa.h" 24 #include "tkip.h" 25 #include "wme.h" 26 27 u8 ieee80211_sta_manage_reorder_buf(struct ieee80211_hw *hw, 28 struct tid_ampdu_rx *tid_agg_rx, 29 struct sk_buff *skb, u16 mpdu_seq_num, 30 int bar_req); 31 /* 32 * monitor mode reception 33 * 34 * This function cleans up the SKB, i.e. it removes all the stuff 35 * only useful for monitoring. 36 */ 37 static struct sk_buff *remove_monitor_info(struct ieee80211_local *local, 38 struct sk_buff *skb, 39 int rtap_len) 40 { 41 skb_pull(skb, rtap_len); 42 43 if (local->hw.flags & IEEE80211_HW_RX_INCLUDES_FCS) { 44 if (likely(skb->len > FCS_LEN)) 45 skb_trim(skb, skb->len - FCS_LEN); 46 else { 47 /* driver bug */ 48 WARN_ON(1); 49 dev_kfree_skb(skb); 50 skb = NULL; 51 } 52 } 53 54 return skb; 55 } 56 57 static inline int should_drop_frame(struct ieee80211_rx_status *status, 58 struct sk_buff *skb, 59 int present_fcs_len, 60 int radiotap_len) 61 { 62 struct ieee80211_hdr *hdr = (struct ieee80211_hdr *) skb->data; 63 64 if (status->flag & (RX_FLAG_FAILED_FCS_CRC | RX_FLAG_FAILED_PLCP_CRC)) 65 return 1; 66 if (unlikely(skb->len < 16 + present_fcs_len + radiotap_len)) 67 return 1; 68 if (((hdr->frame_control & cpu_to_le16(IEEE80211_FCTL_FTYPE)) == 69 cpu_to_le16(IEEE80211_FTYPE_CTL)) && 70 ((hdr->frame_control & cpu_to_le16(IEEE80211_FCTL_STYPE)) != 71 cpu_to_le16(IEEE80211_STYPE_PSPOLL)) && 72 ((hdr->frame_control & cpu_to_le16(IEEE80211_FCTL_STYPE)) != 73 cpu_to_le16(IEEE80211_STYPE_BACK_REQ))) 74 return 1; 75 return 0; 76 } 77 78 /* 79 * This function copies a received frame to all monitor interfaces and 80 * returns a cleaned-up SKB that no longer includes the FCS nor the 81 * radiotap header the driver might have added. 82 */ 83 static struct sk_buff * 84 ieee80211_rx_monitor(struct ieee80211_local *local, struct sk_buff *origskb, 85 struct ieee80211_rx_status *status) 86 { 87 struct ieee80211_sub_if_data *sdata; 88 struct ieee80211_rate *rate; 89 int needed_headroom = 0; 90 struct ieee80211_radiotap_header *rthdr; 91 __le64 *rttsft = NULL; 92 struct ieee80211_rtap_fixed_data { 93 u8 flags; 94 u8 rate; 95 __le16 chan_freq; 96 __le16 chan_flags; 97 u8 antsignal; 98 u8 padding_for_rxflags; 99 __le16 rx_flags; 100 } __attribute__ ((packed)) *rtfixed; 101 struct sk_buff *skb, *skb2; 102 struct net_device *prev_dev = NULL; 103 int present_fcs_len = 0; 104 int rtap_len = 0; 105 106 /* 107 * First, we may need to make a copy of the skb because 108 * (1) we need to modify it for radiotap (if not present), and 109 * (2) the other RX handlers will modify the skb we got. 110 * 111 * We don't need to, of course, if we aren't going to return 112 * the SKB because it has a bad FCS/PLCP checksum. 113 */ 114 if (status->flag & RX_FLAG_RADIOTAP) 115 rtap_len = ieee80211_get_radiotap_len(origskb->data); 116 else 117 /* room for radiotap header, always present fields and TSFT */ 118 needed_headroom = sizeof(*rthdr) + sizeof(*rtfixed) + 8; 119 120 if (local->hw.flags & IEEE80211_HW_RX_INCLUDES_FCS) 121 present_fcs_len = FCS_LEN; 122 123 if (!local->monitors) { 124 if (should_drop_frame(status, origskb, present_fcs_len, 125 rtap_len)) { 126 dev_kfree_skb(origskb); 127 return NULL; 128 } 129 130 return remove_monitor_info(local, origskb, rtap_len); 131 } 132 133 if (should_drop_frame(status, origskb, present_fcs_len, rtap_len)) { 134 /* only need to expand headroom if necessary */ 135 skb = origskb; 136 origskb = NULL; 137 138 /* 139 * This shouldn't trigger often because most devices have an 140 * RX header they pull before we get here, and that should 141 * be big enough for our radiotap information. We should 142 * probably export the length to drivers so that we can have 143 * them allocate enough headroom to start with. 144 */ 145 if (skb_headroom(skb) < needed_headroom && 146 pskb_expand_head(skb, needed_headroom, 0, GFP_ATOMIC)) { 147 dev_kfree_skb(skb); 148 return NULL; 149 } 150 } else { 151 /* 152 * Need to make a copy and possibly remove radiotap header 153 * and FCS from the original. 154 */ 155 skb = skb_copy_expand(origskb, needed_headroom, 0, GFP_ATOMIC); 156 157 origskb = remove_monitor_info(local, origskb, rtap_len); 158 159 if (!skb) 160 return origskb; 161 } 162 163 /* if necessary, prepend radiotap information */ 164 if (!(status->flag & RX_FLAG_RADIOTAP)) { 165 rtfixed = (void *) skb_push(skb, sizeof(*rtfixed)); 166 rtap_len = sizeof(*rthdr) + sizeof(*rtfixed); 167 if (status->flag & RX_FLAG_TSFT) { 168 rttsft = (void *) skb_push(skb, sizeof(*rttsft)); 169 rtap_len += 8; 170 } 171 rthdr = (void *) skb_push(skb, sizeof(*rthdr)); 172 memset(rthdr, 0, sizeof(*rthdr)); 173 memset(rtfixed, 0, sizeof(*rtfixed)); 174 rthdr->it_present = 175 cpu_to_le32((1 << IEEE80211_RADIOTAP_FLAGS) | 176 (1 << IEEE80211_RADIOTAP_RATE) | 177 (1 << IEEE80211_RADIOTAP_CHANNEL) | 178 (1 << IEEE80211_RADIOTAP_DB_ANTSIGNAL) | 179 (1 << IEEE80211_RADIOTAP_RX_FLAGS)); 180 rtfixed->flags = 0; 181 if (local->hw.flags & IEEE80211_HW_RX_INCLUDES_FCS) 182 rtfixed->flags |= IEEE80211_RADIOTAP_F_FCS; 183 184 if (rttsft) { 185 *rttsft = cpu_to_le64(status->mactime); 186 rthdr->it_present |= 187 cpu_to_le32(1 << IEEE80211_RADIOTAP_TSFT); 188 } 189 190 /* FIXME: when radiotap gets a 'bad PLCP' flag use it here */ 191 rtfixed->rx_flags = 0; 192 if (status->flag & 193 (RX_FLAG_FAILED_FCS_CRC | RX_FLAG_FAILED_PLCP_CRC)) 194 rtfixed->rx_flags |= 195 cpu_to_le16(IEEE80211_RADIOTAP_F_RX_BADFCS); 196 197 rate = ieee80211_get_rate(local, status->phymode, 198 status->rate); 199 if (rate) 200 rtfixed->rate = rate->rate / 5; 201 202 rtfixed->chan_freq = cpu_to_le16(status->freq); 203 204 if (status->phymode == MODE_IEEE80211A) 205 rtfixed->chan_flags = 206 cpu_to_le16(IEEE80211_CHAN_OFDM | 207 IEEE80211_CHAN_5GHZ); 208 else 209 rtfixed->chan_flags = 210 cpu_to_le16(IEEE80211_CHAN_DYN | 211 IEEE80211_CHAN_2GHZ); 212 213 rtfixed->antsignal = status->ssi; 214 rthdr->it_len = cpu_to_le16(rtap_len); 215 } 216 217 skb_reset_mac_header(skb); 218 skb->ip_summed = CHECKSUM_UNNECESSARY; 219 skb->pkt_type = PACKET_OTHERHOST; 220 skb->protocol = htons(ETH_P_802_2); 221 222 list_for_each_entry_rcu(sdata, &local->interfaces, list) { 223 if (!netif_running(sdata->dev)) 224 continue; 225 226 if (sdata->vif.type != IEEE80211_IF_TYPE_MNTR) 227 continue; 228 229 if (prev_dev) { 230 skb2 = skb_clone(skb, GFP_ATOMIC); 231 if (skb2) { 232 skb2->dev = prev_dev; 233 netif_rx(skb2); 234 } 235 } 236 237 prev_dev = sdata->dev; 238 sdata->dev->stats.rx_packets++; 239 sdata->dev->stats.rx_bytes += skb->len; 240 } 241 242 if (prev_dev) { 243 skb->dev = prev_dev; 244 netif_rx(skb); 245 } else 246 dev_kfree_skb(skb); 247 248 return origskb; 249 } 250 251 252 /* pre-rx handlers 253 * 254 * these don't have dev/sdata fields in the rx data 255 * The sta value should also not be used because it may 256 * be NULL even though a STA (in IBSS mode) will be added. 257 */ 258 259 static ieee80211_txrx_result 260 ieee80211_rx_h_parse_qos(struct ieee80211_txrx_data *rx) 261 { 262 u8 *data = rx->skb->data; 263 int tid; 264 265 /* does the frame have a qos control field? */ 266 if (WLAN_FC_IS_QOS_DATA(rx->fc)) { 267 u8 *qc = data + ieee80211_get_hdrlen(rx->fc) - QOS_CONTROL_LEN; 268 /* frame has qos control */ 269 tid = qc[0] & QOS_CONTROL_TID_MASK; 270 if (qc[0] & IEEE80211_QOS_CONTROL_A_MSDU_PRESENT) 271 rx->flags |= IEEE80211_TXRXD_RX_AMSDU; 272 else 273 rx->flags &= ~IEEE80211_TXRXD_RX_AMSDU; 274 } else { 275 if (unlikely((rx->fc & IEEE80211_FCTL_FTYPE) == IEEE80211_FTYPE_MGMT)) { 276 /* Separate TID for management frames */ 277 tid = NUM_RX_DATA_QUEUES - 1; 278 } else { 279 /* no qos control present */ 280 tid = 0; /* 802.1d - Best Effort */ 281 } 282 } 283 284 I802_DEBUG_INC(rx->local->wme_rx_queue[tid]); 285 /* only a debug counter, sta might not be assigned properly yet */ 286 if (rx->sta) 287 I802_DEBUG_INC(rx->sta->wme_rx_queue[tid]); 288 289 rx->u.rx.queue = tid; 290 /* Set skb->priority to 1d tag if highest order bit of TID is not set. 291 * For now, set skb->priority to 0 for other cases. */ 292 rx->skb->priority = (tid > 7) ? 0 : tid; 293 294 return TXRX_CONTINUE; 295 } 296 297 298 static u32 ieee80211_rx_load_stats(struct ieee80211_local *local, 299 struct sk_buff *skb, 300 struct ieee80211_rx_status *status) 301 { 302 struct ieee80211_hdr *hdr = (struct ieee80211_hdr *) skb->data; 303 u32 load = 0, hdrtime; 304 struct ieee80211_rate *rate; 305 struct ieee80211_hw_mode *mode = local->hw.conf.mode; 306 int i; 307 308 /* Estimate total channel use caused by this frame */ 309 310 if (unlikely(mode->num_rates < 0)) 311 return TXRX_CONTINUE; 312 313 rate = &mode->rates[0]; 314 for (i = 0; i < mode->num_rates; i++) { 315 if (mode->rates[i].val == status->rate) { 316 rate = &mode->rates[i]; 317 break; 318 } 319 } 320 321 /* 1 bit at 1 Mbit/s takes 1 usec; in channel_use values, 322 * 1 usec = 1/8 * (1080 / 10) = 13.5 */ 323 324 if (mode->mode == MODE_IEEE80211A || 325 (mode->mode == MODE_IEEE80211G && 326 rate->flags & IEEE80211_RATE_ERP)) 327 hdrtime = CHAN_UTIL_HDR_SHORT; 328 else 329 hdrtime = CHAN_UTIL_HDR_LONG; 330 331 load = hdrtime; 332 if (!is_multicast_ether_addr(hdr->addr1)) 333 load += hdrtime; 334 335 load += skb->len * rate->rate_inv; 336 337 /* Divide channel_use by 8 to avoid wrapping around the counter */ 338 load >>= CHAN_UTIL_SHIFT; 339 340 return load; 341 } 342 343 #ifdef CONFIG_MAC80211_DEBUG_PACKET_ALIGNMENT 344 static ieee80211_txrx_result 345 ieee80211_rx_h_verify_ip_alignment(struct ieee80211_txrx_data *rx) 346 { 347 int hdrlen; 348 349 if (!WLAN_FC_DATA_PRESENT(rx->fc)) 350 return TXRX_CONTINUE; 351 352 /* 353 * Drivers are required to align the payload data in a way that 354 * guarantees that the contained IP header is aligned to a four- 355 * byte boundary. In the case of regular frames, this simply means 356 * aligning the payload to a four-byte boundary (because either 357 * the IP header is directly contained, or IV/RFC1042 headers that 358 * have a length divisible by four are in front of it. 359 * 360 * With A-MSDU frames, however, the payload data address must 361 * yield two modulo four because there are 14-byte 802.3 headers 362 * within the A-MSDU frames that push the IP header further back 363 * to a multiple of four again. Thankfully, the specs were sane 364 * enough this time around to require padding each A-MSDU subframe 365 * to a length that is a multiple of four. 366 * 367 * Padding like atheros hardware adds which is inbetween the 802.11 368 * header and the payload is not supported, the driver is required 369 * to move the 802.11 header further back in that case. 370 */ 371 hdrlen = ieee80211_get_hdrlen(rx->fc); 372 if (rx->flags & IEEE80211_TXRXD_RX_AMSDU) 373 hdrlen += ETH_HLEN; 374 WARN_ON_ONCE(((unsigned long)(rx->skb->data + hdrlen)) & 3); 375 376 return TXRX_CONTINUE; 377 } 378 #endif 379 380 ieee80211_rx_handler ieee80211_rx_pre_handlers[] = 381 { 382 ieee80211_rx_h_parse_qos, 383 #ifdef CONFIG_MAC80211_DEBUG_PACKET_ALIGNMENT 384 ieee80211_rx_h_verify_ip_alignment, 385 #endif 386 NULL 387 }; 388 389 /* rx handlers */ 390 391 static ieee80211_txrx_result 392 ieee80211_rx_h_if_stats(struct ieee80211_txrx_data *rx) 393 { 394 if (rx->sta) 395 rx->sta->channel_use_raw += rx->u.rx.load; 396 rx->sdata->channel_use_raw += rx->u.rx.load; 397 return TXRX_CONTINUE; 398 } 399 400 static ieee80211_txrx_result 401 ieee80211_rx_h_passive_scan(struct ieee80211_txrx_data *rx) 402 { 403 struct ieee80211_local *local = rx->local; 404 struct sk_buff *skb = rx->skb; 405 406 if (unlikely(local->sta_hw_scanning)) 407 return ieee80211_sta_rx_scan(rx->dev, skb, rx->u.rx.status); 408 409 if (unlikely(local->sta_sw_scanning)) { 410 /* drop all the other packets during a software scan anyway */ 411 if (ieee80211_sta_rx_scan(rx->dev, skb, rx->u.rx.status) 412 != TXRX_QUEUED) 413 dev_kfree_skb(skb); 414 return TXRX_QUEUED; 415 } 416 417 if (unlikely(rx->flags & IEEE80211_TXRXD_RXIN_SCAN)) { 418 /* scanning finished during invoking of handlers */ 419 I802_DEBUG_INC(local->rx_handlers_drop_passive_scan); 420 return TXRX_DROP; 421 } 422 423 return TXRX_CONTINUE; 424 } 425 426 static ieee80211_txrx_result 427 ieee80211_rx_h_check(struct ieee80211_txrx_data *rx) 428 { 429 struct ieee80211_hdr *hdr; 430 hdr = (struct ieee80211_hdr *) rx->skb->data; 431 432 /* Drop duplicate 802.11 retransmissions (IEEE 802.11 Chap. 9.2.9) */ 433 if (rx->sta && !is_multicast_ether_addr(hdr->addr1)) { 434 if (unlikely(rx->fc & IEEE80211_FCTL_RETRY && 435 rx->sta->last_seq_ctrl[rx->u.rx.queue] == 436 hdr->seq_ctrl)) { 437 if (rx->flags & IEEE80211_TXRXD_RXRA_MATCH) { 438 rx->local->dot11FrameDuplicateCount++; 439 rx->sta->num_duplicates++; 440 } 441 return TXRX_DROP; 442 } else 443 rx->sta->last_seq_ctrl[rx->u.rx.queue] = hdr->seq_ctrl; 444 } 445 446 if (unlikely(rx->skb->len < 16)) { 447 I802_DEBUG_INC(rx->local->rx_handlers_drop_short); 448 return TXRX_DROP; 449 } 450 451 /* Drop disallowed frame classes based on STA auth/assoc state; 452 * IEEE 802.11, Chap 5.5. 453 * 454 * 80211.o does filtering only based on association state, i.e., it 455 * drops Class 3 frames from not associated stations. hostapd sends 456 * deauth/disassoc frames when needed. In addition, hostapd is 457 * responsible for filtering on both auth and assoc states. 458 */ 459 if (unlikely(((rx->fc & IEEE80211_FCTL_FTYPE) == IEEE80211_FTYPE_DATA || 460 ((rx->fc & IEEE80211_FCTL_FTYPE) == IEEE80211_FTYPE_CTL && 461 (rx->fc & IEEE80211_FCTL_STYPE) == IEEE80211_STYPE_PSPOLL)) && 462 rx->sdata->vif.type != IEEE80211_IF_TYPE_IBSS && 463 (!rx->sta || !(rx->sta->flags & WLAN_STA_ASSOC)))) { 464 if ((!(rx->fc & IEEE80211_FCTL_FROMDS) && 465 !(rx->fc & IEEE80211_FCTL_TODS) && 466 (rx->fc & IEEE80211_FCTL_FTYPE) == IEEE80211_FTYPE_DATA) 467 || !(rx->flags & IEEE80211_TXRXD_RXRA_MATCH)) { 468 /* Drop IBSS frames and frames for other hosts 469 * silently. */ 470 return TXRX_DROP; 471 } 472 473 return TXRX_DROP; 474 } 475 476 return TXRX_CONTINUE; 477 } 478 479 480 static ieee80211_txrx_result 481 ieee80211_rx_h_decrypt(struct ieee80211_txrx_data *rx) 482 { 483 struct ieee80211_hdr *hdr = (struct ieee80211_hdr *) rx->skb->data; 484 int keyidx; 485 int hdrlen; 486 ieee80211_txrx_result result = TXRX_DROP; 487 struct ieee80211_key *stakey = NULL; 488 489 /* 490 * Key selection 101 491 * 492 * There are three types of keys: 493 * - GTK (group keys) 494 * - PTK (pairwise keys) 495 * - STK (station-to-station pairwise keys) 496 * 497 * When selecting a key, we have to distinguish between multicast 498 * (including broadcast) and unicast frames, the latter can only 499 * use PTKs and STKs while the former always use GTKs. Unless, of 500 * course, actual WEP keys ("pre-RSNA") are used, then unicast 501 * frames can also use key indizes like GTKs. Hence, if we don't 502 * have a PTK/STK we check the key index for a WEP key. 503 * 504 * Note that in a regular BSS, multicast frames are sent by the 505 * AP only, associated stations unicast the frame to the AP first 506 * which then multicasts it on their behalf. 507 * 508 * There is also a slight problem in IBSS mode: GTKs are negotiated 509 * with each station, that is something we don't currently handle. 510 * The spec seems to expect that one negotiates the same key with 511 * every station but there's no such requirement; VLANs could be 512 * possible. 513 */ 514 515 if (!(rx->fc & IEEE80211_FCTL_PROTECTED)) 516 return TXRX_CONTINUE; 517 518 /* 519 * No point in finding a key and decrypting if the frame is neither 520 * addressed to us nor a multicast frame. 521 */ 522 if (!(rx->flags & IEEE80211_TXRXD_RXRA_MATCH)) 523 return TXRX_CONTINUE; 524 525 if (rx->sta) 526 stakey = rcu_dereference(rx->sta->key); 527 528 if (!is_multicast_ether_addr(hdr->addr1) && stakey) { 529 rx->key = stakey; 530 } else { 531 /* 532 * The device doesn't give us the IV so we won't be 533 * able to look up the key. That's ok though, we 534 * don't need to decrypt the frame, we just won't 535 * be able to keep statistics accurate. 536 * Except for key threshold notifications, should 537 * we somehow allow the driver to tell us which key 538 * the hardware used if this flag is set? 539 */ 540 if ((rx->u.rx.status->flag & RX_FLAG_DECRYPTED) && 541 (rx->u.rx.status->flag & RX_FLAG_IV_STRIPPED)) 542 return TXRX_CONTINUE; 543 544 hdrlen = ieee80211_get_hdrlen(rx->fc); 545 546 if (rx->skb->len < 8 + hdrlen) 547 return TXRX_DROP; /* TODO: count this? */ 548 549 /* 550 * no need to call ieee80211_wep_get_keyidx, 551 * it verifies a bunch of things we've done already 552 */ 553 keyidx = rx->skb->data[hdrlen + 3] >> 6; 554 555 rx->key = rcu_dereference(rx->sdata->keys[keyidx]); 556 557 /* 558 * RSNA-protected unicast frames should always be sent with 559 * pairwise or station-to-station keys, but for WEP we allow 560 * using a key index as well. 561 */ 562 if (rx->key && rx->key->conf.alg != ALG_WEP && 563 !is_multicast_ether_addr(hdr->addr1)) 564 rx->key = NULL; 565 } 566 567 if (rx->key) { 568 rx->key->tx_rx_count++; 569 /* TODO: add threshold stuff again */ 570 } else { 571 #ifdef CONFIG_MAC80211_DEBUG 572 if (net_ratelimit()) 573 printk(KERN_DEBUG "%s: RX protected frame," 574 " but have no key\n", rx->dev->name); 575 #endif /* CONFIG_MAC80211_DEBUG */ 576 return TXRX_DROP; 577 } 578 579 /* Check for weak IVs if possible */ 580 if (rx->sta && rx->key->conf.alg == ALG_WEP && 581 ((rx->fc & IEEE80211_FCTL_FTYPE) == IEEE80211_FTYPE_DATA) && 582 (!(rx->u.rx.status->flag & RX_FLAG_IV_STRIPPED) || 583 !(rx->u.rx.status->flag & RX_FLAG_DECRYPTED)) && 584 ieee80211_wep_is_weak_iv(rx->skb, rx->key)) 585 rx->sta->wep_weak_iv_count++; 586 587 switch (rx->key->conf.alg) { 588 case ALG_WEP: 589 result = ieee80211_crypto_wep_decrypt(rx); 590 break; 591 case ALG_TKIP: 592 result = ieee80211_crypto_tkip_decrypt(rx); 593 break; 594 case ALG_CCMP: 595 result = ieee80211_crypto_ccmp_decrypt(rx); 596 break; 597 } 598 599 /* either the frame has been decrypted or will be dropped */ 600 rx->u.rx.status->flag |= RX_FLAG_DECRYPTED; 601 602 return result; 603 } 604 605 static void ap_sta_ps_start(struct net_device *dev, struct sta_info *sta) 606 { 607 struct ieee80211_sub_if_data *sdata; 608 DECLARE_MAC_BUF(mac); 609 610 sdata = IEEE80211_DEV_TO_SUB_IF(sta->dev); 611 612 if (sdata->bss) 613 atomic_inc(&sdata->bss->num_sta_ps); 614 sta->flags |= WLAN_STA_PS; 615 sta->pspoll = 0; 616 #ifdef CONFIG_MAC80211_VERBOSE_PS_DEBUG 617 printk(KERN_DEBUG "%s: STA %s aid %d enters power save mode\n", 618 dev->name, print_mac(mac, sta->addr), sta->aid); 619 #endif /* CONFIG_MAC80211_VERBOSE_PS_DEBUG */ 620 } 621 622 static int ap_sta_ps_end(struct net_device *dev, struct sta_info *sta) 623 { 624 struct ieee80211_local *local = wdev_priv(dev->ieee80211_ptr); 625 struct sk_buff *skb; 626 int sent = 0; 627 struct ieee80211_sub_if_data *sdata; 628 struct ieee80211_tx_packet_data *pkt_data; 629 DECLARE_MAC_BUF(mac); 630 631 sdata = IEEE80211_DEV_TO_SUB_IF(sta->dev); 632 if (sdata->bss) 633 atomic_dec(&sdata->bss->num_sta_ps); 634 sta->flags &= ~(WLAN_STA_PS | WLAN_STA_TIM); 635 sta->pspoll = 0; 636 if (!skb_queue_empty(&sta->ps_tx_buf)) { 637 if (local->ops->set_tim) 638 local->ops->set_tim(local_to_hw(local), sta->aid, 0); 639 if (sdata->bss) 640 bss_tim_clear(local, sdata->bss, sta->aid); 641 } 642 #ifdef CONFIG_MAC80211_VERBOSE_PS_DEBUG 643 printk(KERN_DEBUG "%s: STA %s aid %d exits power save mode\n", 644 dev->name, print_mac(mac, sta->addr), sta->aid); 645 #endif /* CONFIG_MAC80211_VERBOSE_PS_DEBUG */ 646 /* Send all buffered frames to the station */ 647 while ((skb = skb_dequeue(&sta->tx_filtered)) != NULL) { 648 pkt_data = (struct ieee80211_tx_packet_data *) skb->cb; 649 sent++; 650 pkt_data->flags |= IEEE80211_TXPD_REQUEUE; 651 dev_queue_xmit(skb); 652 } 653 while ((skb = skb_dequeue(&sta->ps_tx_buf)) != NULL) { 654 pkt_data = (struct ieee80211_tx_packet_data *) skb->cb; 655 local->total_ps_buffered--; 656 sent++; 657 #ifdef CONFIG_MAC80211_VERBOSE_PS_DEBUG 658 printk(KERN_DEBUG "%s: STA %s aid %d send PS frame " 659 "since STA not sleeping anymore\n", dev->name, 660 print_mac(mac, sta->addr), sta->aid); 661 #endif /* CONFIG_MAC80211_VERBOSE_PS_DEBUG */ 662 pkt_data->flags |= IEEE80211_TXPD_REQUEUE; 663 dev_queue_xmit(skb); 664 } 665 666 return sent; 667 } 668 669 static ieee80211_txrx_result 670 ieee80211_rx_h_sta_process(struct ieee80211_txrx_data *rx) 671 { 672 struct sta_info *sta = rx->sta; 673 struct net_device *dev = rx->dev; 674 struct ieee80211_hdr *hdr = (struct ieee80211_hdr *) rx->skb->data; 675 676 if (!sta) 677 return TXRX_CONTINUE; 678 679 /* Update last_rx only for IBSS packets which are for the current 680 * BSSID to avoid keeping the current IBSS network alive in cases where 681 * other STAs are using different BSSID. */ 682 if (rx->sdata->vif.type == IEEE80211_IF_TYPE_IBSS) { 683 u8 *bssid = ieee80211_get_bssid(hdr, rx->skb->len, 684 IEEE80211_IF_TYPE_IBSS); 685 if (compare_ether_addr(bssid, rx->sdata->u.sta.bssid) == 0) 686 sta->last_rx = jiffies; 687 } else 688 if (!is_multicast_ether_addr(hdr->addr1) || 689 rx->sdata->vif.type == IEEE80211_IF_TYPE_STA) { 690 /* Update last_rx only for unicast frames in order to prevent 691 * the Probe Request frames (the only broadcast frames from a 692 * STA in infrastructure mode) from keeping a connection alive. 693 */ 694 sta->last_rx = jiffies; 695 } 696 697 if (!(rx->flags & IEEE80211_TXRXD_RXRA_MATCH)) 698 return TXRX_CONTINUE; 699 700 sta->rx_fragments++; 701 sta->rx_bytes += rx->skb->len; 702 sta->last_rssi = rx->u.rx.status->ssi; 703 sta->last_signal = rx->u.rx.status->signal; 704 sta->last_noise = rx->u.rx.status->noise; 705 706 if (!(rx->fc & IEEE80211_FCTL_MOREFRAGS)) { 707 /* Change STA power saving mode only in the end of a frame 708 * exchange sequence */ 709 if ((sta->flags & WLAN_STA_PS) && !(rx->fc & IEEE80211_FCTL_PM)) 710 rx->u.rx.sent_ps_buffered += ap_sta_ps_end(dev, sta); 711 else if (!(sta->flags & WLAN_STA_PS) && 712 (rx->fc & IEEE80211_FCTL_PM)) 713 ap_sta_ps_start(dev, sta); 714 } 715 716 /* Drop data::nullfunc frames silently, since they are used only to 717 * control station power saving mode. */ 718 if ((rx->fc & IEEE80211_FCTL_FTYPE) == IEEE80211_FTYPE_DATA && 719 (rx->fc & IEEE80211_FCTL_STYPE) == IEEE80211_STYPE_NULLFUNC) { 720 I802_DEBUG_INC(rx->local->rx_handlers_drop_nullfunc); 721 /* Update counter and free packet here to avoid counting this 722 * as a dropped packed. */ 723 sta->rx_packets++; 724 dev_kfree_skb(rx->skb); 725 return TXRX_QUEUED; 726 } 727 728 return TXRX_CONTINUE; 729 } /* ieee80211_rx_h_sta_process */ 730 731 static inline struct ieee80211_fragment_entry * 732 ieee80211_reassemble_add(struct ieee80211_sub_if_data *sdata, 733 unsigned int frag, unsigned int seq, int rx_queue, 734 struct sk_buff **skb) 735 { 736 struct ieee80211_fragment_entry *entry; 737 int idx; 738 739 idx = sdata->fragment_next; 740 entry = &sdata->fragments[sdata->fragment_next++]; 741 if (sdata->fragment_next >= IEEE80211_FRAGMENT_MAX) 742 sdata->fragment_next = 0; 743 744 if (!skb_queue_empty(&entry->skb_list)) { 745 #ifdef CONFIG_MAC80211_DEBUG 746 struct ieee80211_hdr *hdr = 747 (struct ieee80211_hdr *) entry->skb_list.next->data; 748 DECLARE_MAC_BUF(mac); 749 DECLARE_MAC_BUF(mac2); 750 printk(KERN_DEBUG "%s: RX reassembly removed oldest " 751 "fragment entry (idx=%d age=%lu seq=%d last_frag=%d " 752 "addr1=%s addr2=%s\n", 753 sdata->dev->name, idx, 754 jiffies - entry->first_frag_time, entry->seq, 755 entry->last_frag, print_mac(mac, hdr->addr1), 756 print_mac(mac2, hdr->addr2)); 757 #endif /* CONFIG_MAC80211_DEBUG */ 758 __skb_queue_purge(&entry->skb_list); 759 } 760 761 __skb_queue_tail(&entry->skb_list, *skb); /* no need for locking */ 762 *skb = NULL; 763 entry->first_frag_time = jiffies; 764 entry->seq = seq; 765 entry->rx_queue = rx_queue; 766 entry->last_frag = frag; 767 entry->ccmp = 0; 768 entry->extra_len = 0; 769 770 return entry; 771 } 772 773 static inline struct ieee80211_fragment_entry * 774 ieee80211_reassemble_find(struct ieee80211_sub_if_data *sdata, 775 u16 fc, unsigned int frag, unsigned int seq, 776 int rx_queue, struct ieee80211_hdr *hdr) 777 { 778 struct ieee80211_fragment_entry *entry; 779 int i, idx; 780 781 idx = sdata->fragment_next; 782 for (i = 0; i < IEEE80211_FRAGMENT_MAX; i++) { 783 struct ieee80211_hdr *f_hdr; 784 u16 f_fc; 785 786 idx--; 787 if (idx < 0) 788 idx = IEEE80211_FRAGMENT_MAX - 1; 789 790 entry = &sdata->fragments[idx]; 791 if (skb_queue_empty(&entry->skb_list) || entry->seq != seq || 792 entry->rx_queue != rx_queue || 793 entry->last_frag + 1 != frag) 794 continue; 795 796 f_hdr = (struct ieee80211_hdr *) entry->skb_list.next->data; 797 f_fc = le16_to_cpu(f_hdr->frame_control); 798 799 if ((fc & IEEE80211_FCTL_FTYPE) != (f_fc & IEEE80211_FCTL_FTYPE) || 800 compare_ether_addr(hdr->addr1, f_hdr->addr1) != 0 || 801 compare_ether_addr(hdr->addr2, f_hdr->addr2) != 0) 802 continue; 803 804 if (entry->first_frag_time + 2 * HZ < jiffies) { 805 __skb_queue_purge(&entry->skb_list); 806 continue; 807 } 808 return entry; 809 } 810 811 return NULL; 812 } 813 814 static ieee80211_txrx_result 815 ieee80211_rx_h_defragment(struct ieee80211_txrx_data *rx) 816 { 817 struct ieee80211_hdr *hdr; 818 u16 sc; 819 unsigned int frag, seq; 820 struct ieee80211_fragment_entry *entry; 821 struct sk_buff *skb; 822 DECLARE_MAC_BUF(mac); 823 824 hdr = (struct ieee80211_hdr *) rx->skb->data; 825 sc = le16_to_cpu(hdr->seq_ctrl); 826 frag = sc & IEEE80211_SCTL_FRAG; 827 828 if (likely((!(rx->fc & IEEE80211_FCTL_MOREFRAGS) && frag == 0) || 829 (rx->skb)->len < 24 || 830 is_multicast_ether_addr(hdr->addr1))) { 831 /* not fragmented */ 832 goto out; 833 } 834 I802_DEBUG_INC(rx->local->rx_handlers_fragments); 835 836 seq = (sc & IEEE80211_SCTL_SEQ) >> 4; 837 838 if (frag == 0) { 839 /* This is the first fragment of a new frame. */ 840 entry = ieee80211_reassemble_add(rx->sdata, frag, seq, 841 rx->u.rx.queue, &(rx->skb)); 842 if (rx->key && rx->key->conf.alg == ALG_CCMP && 843 (rx->fc & IEEE80211_FCTL_PROTECTED)) { 844 /* Store CCMP PN so that we can verify that the next 845 * fragment has a sequential PN value. */ 846 entry->ccmp = 1; 847 memcpy(entry->last_pn, 848 rx->key->u.ccmp.rx_pn[rx->u.rx.queue], 849 CCMP_PN_LEN); 850 } 851 return TXRX_QUEUED; 852 } 853 854 /* This is a fragment for a frame that should already be pending in 855 * fragment cache. Add this fragment to the end of the pending entry. 856 */ 857 entry = ieee80211_reassemble_find(rx->sdata, rx->fc, frag, seq, 858 rx->u.rx.queue, hdr); 859 if (!entry) { 860 I802_DEBUG_INC(rx->local->rx_handlers_drop_defrag); 861 return TXRX_DROP; 862 } 863 864 /* Verify that MPDUs within one MSDU have sequential PN values. 865 * (IEEE 802.11i, 8.3.3.4.5) */ 866 if (entry->ccmp) { 867 int i; 868 u8 pn[CCMP_PN_LEN], *rpn; 869 if (!rx->key || rx->key->conf.alg != ALG_CCMP) 870 return TXRX_DROP; 871 memcpy(pn, entry->last_pn, CCMP_PN_LEN); 872 for (i = CCMP_PN_LEN - 1; i >= 0; i--) { 873 pn[i]++; 874 if (pn[i]) 875 break; 876 } 877 rpn = rx->key->u.ccmp.rx_pn[rx->u.rx.queue]; 878 if (memcmp(pn, rpn, CCMP_PN_LEN) != 0) { 879 if (net_ratelimit()) 880 printk(KERN_DEBUG "%s: defrag: CCMP PN not " 881 "sequential A2=%s" 882 " PN=%02x%02x%02x%02x%02x%02x " 883 "(expected %02x%02x%02x%02x%02x%02x)\n", 884 rx->dev->name, print_mac(mac, hdr->addr2), 885 rpn[0], rpn[1], rpn[2], rpn[3], rpn[4], 886 rpn[5], pn[0], pn[1], pn[2], pn[3], 887 pn[4], pn[5]); 888 return TXRX_DROP; 889 } 890 memcpy(entry->last_pn, pn, CCMP_PN_LEN); 891 } 892 893 skb_pull(rx->skb, ieee80211_get_hdrlen(rx->fc)); 894 __skb_queue_tail(&entry->skb_list, rx->skb); 895 entry->last_frag = frag; 896 entry->extra_len += rx->skb->len; 897 if (rx->fc & IEEE80211_FCTL_MOREFRAGS) { 898 rx->skb = NULL; 899 return TXRX_QUEUED; 900 } 901 902 rx->skb = __skb_dequeue(&entry->skb_list); 903 if (skb_tailroom(rx->skb) < entry->extra_len) { 904 I802_DEBUG_INC(rx->local->rx_expand_skb_head2); 905 if (unlikely(pskb_expand_head(rx->skb, 0, entry->extra_len, 906 GFP_ATOMIC))) { 907 I802_DEBUG_INC(rx->local->rx_handlers_drop_defrag); 908 __skb_queue_purge(&entry->skb_list); 909 return TXRX_DROP; 910 } 911 } 912 while ((skb = __skb_dequeue(&entry->skb_list))) { 913 memcpy(skb_put(rx->skb, skb->len), skb->data, skb->len); 914 dev_kfree_skb(skb); 915 } 916 917 /* Complete frame has been reassembled - process it now */ 918 rx->flags |= IEEE80211_TXRXD_FRAGMENTED; 919 920 out: 921 if (rx->sta) 922 rx->sta->rx_packets++; 923 if (is_multicast_ether_addr(hdr->addr1)) 924 rx->local->dot11MulticastReceivedFrameCount++; 925 else 926 ieee80211_led_rx(rx->local); 927 return TXRX_CONTINUE; 928 } 929 930 static ieee80211_txrx_result 931 ieee80211_rx_h_ps_poll(struct ieee80211_txrx_data *rx) 932 { 933 struct ieee80211_sub_if_data *sdata = IEEE80211_DEV_TO_SUB_IF(rx->dev); 934 struct sk_buff *skb; 935 int no_pending_pkts; 936 DECLARE_MAC_BUF(mac); 937 938 if (likely(!rx->sta || 939 (rx->fc & IEEE80211_FCTL_FTYPE) != IEEE80211_FTYPE_CTL || 940 (rx->fc & IEEE80211_FCTL_STYPE) != IEEE80211_STYPE_PSPOLL || 941 !(rx->flags & IEEE80211_TXRXD_RXRA_MATCH))) 942 return TXRX_CONTINUE; 943 944 if ((sdata->vif.type != IEEE80211_IF_TYPE_AP) && 945 (sdata->vif.type != IEEE80211_IF_TYPE_VLAN)) 946 return TXRX_DROP; 947 948 skb = skb_dequeue(&rx->sta->tx_filtered); 949 if (!skb) { 950 skb = skb_dequeue(&rx->sta->ps_tx_buf); 951 if (skb) 952 rx->local->total_ps_buffered--; 953 } 954 no_pending_pkts = skb_queue_empty(&rx->sta->tx_filtered) && 955 skb_queue_empty(&rx->sta->ps_tx_buf); 956 957 if (skb) { 958 struct ieee80211_hdr *hdr = 959 (struct ieee80211_hdr *) skb->data; 960 961 /* tell TX path to send one frame even though the STA may 962 * still remain is PS mode after this frame exchange */ 963 rx->sta->pspoll = 1; 964 965 #ifdef CONFIG_MAC80211_VERBOSE_PS_DEBUG 966 printk(KERN_DEBUG "STA %s aid %d: PS Poll (entries after %d)\n", 967 print_mac(mac, rx->sta->addr), rx->sta->aid, 968 skb_queue_len(&rx->sta->ps_tx_buf)); 969 #endif /* CONFIG_MAC80211_VERBOSE_PS_DEBUG */ 970 971 /* Use MoreData flag to indicate whether there are more 972 * buffered frames for this STA */ 973 if (no_pending_pkts) { 974 hdr->frame_control &= cpu_to_le16(~IEEE80211_FCTL_MOREDATA); 975 rx->sta->flags &= ~WLAN_STA_TIM; 976 } else 977 hdr->frame_control |= cpu_to_le16(IEEE80211_FCTL_MOREDATA); 978 979 dev_queue_xmit(skb); 980 981 if (no_pending_pkts) { 982 if (rx->local->ops->set_tim) 983 rx->local->ops->set_tim(local_to_hw(rx->local), 984 rx->sta->aid, 0); 985 if (rx->sdata->bss) 986 bss_tim_clear(rx->local, rx->sdata->bss, rx->sta->aid); 987 } 988 #ifdef CONFIG_MAC80211_VERBOSE_PS_DEBUG 989 } else if (!rx->u.rx.sent_ps_buffered) { 990 printk(KERN_DEBUG "%s: STA %s sent PS Poll even " 991 "though there is no buffered frames for it\n", 992 rx->dev->name, print_mac(mac, rx->sta->addr)); 993 #endif /* CONFIG_MAC80211_VERBOSE_PS_DEBUG */ 994 995 } 996 997 /* Free PS Poll skb here instead of returning TXRX_DROP that would 998 * count as an dropped frame. */ 999 dev_kfree_skb(rx->skb); 1000 1001 return TXRX_QUEUED; 1002 } 1003 1004 static ieee80211_txrx_result 1005 ieee80211_rx_h_remove_qos_control(struct ieee80211_txrx_data *rx) 1006 { 1007 u16 fc = rx->fc; 1008 u8 *data = rx->skb->data; 1009 struct ieee80211_hdr *hdr = (struct ieee80211_hdr *) data; 1010 1011 if (!WLAN_FC_IS_QOS_DATA(fc)) 1012 return TXRX_CONTINUE; 1013 1014 /* remove the qos control field, update frame type and meta-data */ 1015 memmove(data + 2, data, ieee80211_get_hdrlen(fc) - 2); 1016 hdr = (struct ieee80211_hdr *) skb_pull(rx->skb, 2); 1017 /* change frame type to non QOS */ 1018 rx->fc = fc &= ~IEEE80211_STYPE_QOS_DATA; 1019 hdr->frame_control = cpu_to_le16(fc); 1020 1021 return TXRX_CONTINUE; 1022 } 1023 1024 static int 1025 ieee80211_802_1x_port_control(struct ieee80211_txrx_data *rx) 1026 { 1027 if (unlikely(rx->sdata->ieee802_1x_pac && 1028 (!rx->sta || !(rx->sta->flags & WLAN_STA_AUTHORIZED)))) { 1029 #ifdef CONFIG_MAC80211_DEBUG 1030 printk(KERN_DEBUG "%s: dropped frame " 1031 "(unauthorized port)\n", rx->dev->name); 1032 #endif /* CONFIG_MAC80211_DEBUG */ 1033 return -EACCES; 1034 } 1035 1036 return 0; 1037 } 1038 1039 static int 1040 ieee80211_drop_unencrypted(struct ieee80211_txrx_data *rx) 1041 { 1042 /* 1043 * Pass through unencrypted frames if the hardware has 1044 * decrypted them already. 1045 */ 1046 if (rx->u.rx.status->flag & RX_FLAG_DECRYPTED) 1047 return 0; 1048 1049 /* Drop unencrypted frames if key is set. */ 1050 if (unlikely(!(rx->fc & IEEE80211_FCTL_PROTECTED) && 1051 (rx->fc & IEEE80211_FCTL_FTYPE) == IEEE80211_FTYPE_DATA && 1052 (rx->fc & IEEE80211_FCTL_STYPE) != IEEE80211_STYPE_NULLFUNC && 1053 (rx->key || rx->sdata->drop_unencrypted))) { 1054 if (net_ratelimit()) 1055 printk(KERN_DEBUG "%s: RX non-WEP frame, but expected " 1056 "encryption\n", rx->dev->name); 1057 return -EACCES; 1058 } 1059 return 0; 1060 } 1061 1062 static int 1063 ieee80211_data_to_8023(struct ieee80211_txrx_data *rx) 1064 { 1065 struct net_device *dev = rx->dev; 1066 struct ieee80211_hdr *hdr = (struct ieee80211_hdr *) rx->skb->data; 1067 u16 fc, hdrlen, ethertype; 1068 u8 *payload; 1069 u8 dst[ETH_ALEN]; 1070 u8 src[ETH_ALEN]; 1071 struct sk_buff *skb = rx->skb; 1072 struct ieee80211_sub_if_data *sdata = IEEE80211_DEV_TO_SUB_IF(dev); 1073 DECLARE_MAC_BUF(mac); 1074 DECLARE_MAC_BUF(mac2); 1075 DECLARE_MAC_BUF(mac3); 1076 DECLARE_MAC_BUF(mac4); 1077 1078 fc = rx->fc; 1079 1080 if (unlikely(!WLAN_FC_DATA_PRESENT(fc))) 1081 return -1; 1082 1083 hdrlen = ieee80211_get_hdrlen(fc); 1084 1085 /* convert IEEE 802.11 header + possible LLC headers into Ethernet 1086 * header 1087 * IEEE 802.11 address fields: 1088 * ToDS FromDS Addr1 Addr2 Addr3 Addr4 1089 * 0 0 DA SA BSSID n/a 1090 * 0 1 DA BSSID SA n/a 1091 * 1 0 BSSID SA DA n/a 1092 * 1 1 RA TA DA SA 1093 */ 1094 1095 switch (fc & (IEEE80211_FCTL_TODS | IEEE80211_FCTL_FROMDS)) { 1096 case IEEE80211_FCTL_TODS: 1097 /* BSSID SA DA */ 1098 memcpy(dst, hdr->addr3, ETH_ALEN); 1099 memcpy(src, hdr->addr2, ETH_ALEN); 1100 1101 if (unlikely(sdata->vif.type != IEEE80211_IF_TYPE_AP && 1102 sdata->vif.type != IEEE80211_IF_TYPE_VLAN)) { 1103 if (net_ratelimit()) 1104 printk(KERN_DEBUG "%s: dropped ToDS frame " 1105 "(BSSID=%s SA=%s DA=%s)\n", 1106 dev->name, 1107 print_mac(mac, hdr->addr1), 1108 print_mac(mac2, hdr->addr2), 1109 print_mac(mac3, hdr->addr3)); 1110 return -1; 1111 } 1112 break; 1113 case (IEEE80211_FCTL_TODS | IEEE80211_FCTL_FROMDS): 1114 /* RA TA DA SA */ 1115 memcpy(dst, hdr->addr3, ETH_ALEN); 1116 memcpy(src, hdr->addr4, ETH_ALEN); 1117 1118 if (unlikely(sdata->vif.type != IEEE80211_IF_TYPE_WDS)) { 1119 if (net_ratelimit()) 1120 printk(KERN_DEBUG "%s: dropped FromDS&ToDS " 1121 "frame (RA=%s TA=%s DA=%s SA=%s)\n", 1122 rx->dev->name, 1123 print_mac(mac, hdr->addr1), 1124 print_mac(mac2, hdr->addr2), 1125 print_mac(mac3, hdr->addr3), 1126 print_mac(mac4, hdr->addr4)); 1127 return -1; 1128 } 1129 break; 1130 case IEEE80211_FCTL_FROMDS: 1131 /* DA BSSID SA */ 1132 memcpy(dst, hdr->addr1, ETH_ALEN); 1133 memcpy(src, hdr->addr3, ETH_ALEN); 1134 1135 if (sdata->vif.type != IEEE80211_IF_TYPE_STA || 1136 (is_multicast_ether_addr(dst) && 1137 !compare_ether_addr(src, dev->dev_addr))) 1138 return -1; 1139 break; 1140 case 0: 1141 /* DA SA BSSID */ 1142 memcpy(dst, hdr->addr1, ETH_ALEN); 1143 memcpy(src, hdr->addr2, ETH_ALEN); 1144 1145 if (sdata->vif.type != IEEE80211_IF_TYPE_IBSS) { 1146 if (net_ratelimit()) { 1147 printk(KERN_DEBUG "%s: dropped IBSS frame " 1148 "(DA=%s SA=%s BSSID=%s)\n", 1149 dev->name, 1150 print_mac(mac, hdr->addr1), 1151 print_mac(mac2, hdr->addr2), 1152 print_mac(mac3, hdr->addr3)); 1153 } 1154 return -1; 1155 } 1156 break; 1157 } 1158 1159 if (unlikely(skb->len - hdrlen < 8)) { 1160 if (net_ratelimit()) { 1161 printk(KERN_DEBUG "%s: RX too short data frame " 1162 "payload\n", dev->name); 1163 } 1164 return -1; 1165 } 1166 1167 payload = skb->data + hdrlen; 1168 ethertype = (payload[6] << 8) | payload[7]; 1169 1170 if (likely((compare_ether_addr(payload, rfc1042_header) == 0 && 1171 ethertype != ETH_P_AARP && ethertype != ETH_P_IPX) || 1172 compare_ether_addr(payload, bridge_tunnel_header) == 0)) { 1173 /* remove RFC1042 or Bridge-Tunnel encapsulation and 1174 * replace EtherType */ 1175 skb_pull(skb, hdrlen + 6); 1176 memcpy(skb_push(skb, ETH_ALEN), src, ETH_ALEN); 1177 memcpy(skb_push(skb, ETH_ALEN), dst, ETH_ALEN); 1178 } else { 1179 struct ethhdr *ehdr; 1180 __be16 len; 1181 1182 skb_pull(skb, hdrlen); 1183 len = htons(skb->len); 1184 ehdr = (struct ethhdr *) skb_push(skb, sizeof(struct ethhdr)); 1185 memcpy(ehdr->h_dest, dst, ETH_ALEN); 1186 memcpy(ehdr->h_source, src, ETH_ALEN); 1187 ehdr->h_proto = len; 1188 } 1189 return 0; 1190 } 1191 1192 /* 1193 * requires that rx->skb is a frame with ethernet header 1194 */ 1195 static bool ieee80211_frame_allowed(struct ieee80211_txrx_data *rx) 1196 { 1197 static const u8 pae_group_addr[ETH_ALEN] 1198 = { 0x01, 0x80, 0xC2, 0x00, 0x00, 0x03 }; 1199 struct ethhdr *ehdr = (struct ethhdr *) rx->skb->data; 1200 1201 /* 1202 * Allow EAPOL frames to us/the PAE group address regardless 1203 * of whether the frame was encrypted or not. 1204 */ 1205 if (ehdr->h_proto == htons(ETH_P_PAE) && 1206 (compare_ether_addr(ehdr->h_dest, rx->dev->dev_addr) == 0 || 1207 compare_ether_addr(ehdr->h_dest, pae_group_addr) == 0)) 1208 return true; 1209 1210 if (ieee80211_802_1x_port_control(rx) || 1211 ieee80211_drop_unencrypted(rx)) 1212 return false; 1213 1214 return true; 1215 } 1216 1217 /* 1218 * requires that rx->skb is a frame with ethernet header 1219 */ 1220 static void 1221 ieee80211_deliver_skb(struct ieee80211_txrx_data *rx) 1222 { 1223 struct net_device *dev = rx->dev; 1224 struct ieee80211_local *local = rx->local; 1225 struct sk_buff *skb, *xmit_skb; 1226 struct ieee80211_sub_if_data *sdata = IEEE80211_DEV_TO_SUB_IF(dev); 1227 struct ethhdr *ehdr = (struct ethhdr *) rx->skb->data; 1228 struct sta_info *dsta; 1229 1230 skb = rx->skb; 1231 xmit_skb = NULL; 1232 1233 if (local->bridge_packets && (sdata->vif.type == IEEE80211_IF_TYPE_AP || 1234 sdata->vif.type == IEEE80211_IF_TYPE_VLAN) && 1235 (rx->flags & IEEE80211_TXRXD_RXRA_MATCH)) { 1236 if (is_multicast_ether_addr(ehdr->h_dest)) { 1237 /* 1238 * send multicast frames both to higher layers in 1239 * local net stack and back to the wireless medium 1240 */ 1241 xmit_skb = skb_copy(skb, GFP_ATOMIC); 1242 if (!xmit_skb && net_ratelimit()) 1243 printk(KERN_DEBUG "%s: failed to clone " 1244 "multicast frame\n", dev->name); 1245 } else { 1246 dsta = sta_info_get(local, skb->data); 1247 if (dsta && dsta->dev == dev) { 1248 /* 1249 * The destination station is associated to 1250 * this AP (in this VLAN), so send the frame 1251 * directly to it and do not pass it to local 1252 * net stack. 1253 */ 1254 xmit_skb = skb; 1255 skb = NULL; 1256 } 1257 if (dsta) 1258 sta_info_put(dsta); 1259 } 1260 } 1261 1262 if (skb) { 1263 /* deliver to local stack */ 1264 skb->protocol = eth_type_trans(skb, dev); 1265 memset(skb->cb, 0, sizeof(skb->cb)); 1266 netif_rx(skb); 1267 } 1268 1269 if (xmit_skb) { 1270 /* send to wireless media */ 1271 xmit_skb->protocol = htons(ETH_P_802_3); 1272 skb_reset_network_header(xmit_skb); 1273 skb_reset_mac_header(xmit_skb); 1274 dev_queue_xmit(xmit_skb); 1275 } 1276 } 1277 1278 static ieee80211_txrx_result 1279 ieee80211_rx_h_amsdu(struct ieee80211_txrx_data *rx) 1280 { 1281 struct net_device *dev = rx->dev; 1282 struct ieee80211_local *local = rx->local; 1283 u16 fc, ethertype; 1284 u8 *payload; 1285 struct sk_buff *skb = rx->skb, *frame = NULL; 1286 const struct ethhdr *eth; 1287 int remaining, err; 1288 u8 dst[ETH_ALEN]; 1289 u8 src[ETH_ALEN]; 1290 DECLARE_MAC_BUF(mac); 1291 1292 fc = rx->fc; 1293 if (unlikely((fc & IEEE80211_FCTL_FTYPE) != IEEE80211_FTYPE_DATA)) 1294 return TXRX_CONTINUE; 1295 1296 if (unlikely(!WLAN_FC_DATA_PRESENT(fc))) 1297 return TXRX_DROP; 1298 1299 if (!(rx->flags & IEEE80211_TXRXD_RX_AMSDU)) 1300 return TXRX_CONTINUE; 1301 1302 err = ieee80211_data_to_8023(rx); 1303 if (unlikely(err)) 1304 return TXRX_DROP; 1305 1306 skb->dev = dev; 1307 1308 dev->stats.rx_packets++; 1309 dev->stats.rx_bytes += skb->len; 1310 1311 /* skip the wrapping header */ 1312 eth = (struct ethhdr *) skb_pull(skb, sizeof(struct ethhdr)); 1313 if (!eth) 1314 return TXRX_DROP; 1315 1316 while (skb != frame) { 1317 u8 padding; 1318 __be16 len = eth->h_proto; 1319 unsigned int subframe_len = sizeof(struct ethhdr) + ntohs(len); 1320 1321 remaining = skb->len; 1322 memcpy(dst, eth->h_dest, ETH_ALEN); 1323 memcpy(src, eth->h_source, ETH_ALEN); 1324 1325 padding = ((4 - subframe_len) & 0x3); 1326 /* the last MSDU has no padding */ 1327 if (subframe_len > remaining) { 1328 printk(KERN_DEBUG "%s: wrong buffer size", dev->name); 1329 return TXRX_DROP; 1330 } 1331 1332 skb_pull(skb, sizeof(struct ethhdr)); 1333 /* if last subframe reuse skb */ 1334 if (remaining <= subframe_len + padding) 1335 frame = skb; 1336 else { 1337 frame = dev_alloc_skb(local->hw.extra_tx_headroom + 1338 subframe_len); 1339 1340 if (frame == NULL) 1341 return TXRX_DROP; 1342 1343 skb_reserve(frame, local->hw.extra_tx_headroom + 1344 sizeof(struct ethhdr)); 1345 memcpy(skb_put(frame, ntohs(len)), skb->data, 1346 ntohs(len)); 1347 1348 eth = (struct ethhdr *) skb_pull(skb, ntohs(len) + 1349 padding); 1350 if (!eth) { 1351 printk(KERN_DEBUG "%s: wrong buffer size ", 1352 dev->name); 1353 dev_kfree_skb(frame); 1354 return TXRX_DROP; 1355 } 1356 } 1357 1358 skb_reset_network_header(frame); 1359 frame->dev = dev; 1360 frame->priority = skb->priority; 1361 rx->skb = frame; 1362 1363 payload = frame->data; 1364 ethertype = (payload[6] << 8) | payload[7]; 1365 1366 if (likely((compare_ether_addr(payload, rfc1042_header) == 0 && 1367 ethertype != ETH_P_AARP && ethertype != ETH_P_IPX) || 1368 compare_ether_addr(payload, 1369 bridge_tunnel_header) == 0)) { 1370 /* remove RFC1042 or Bridge-Tunnel 1371 * encapsulation and replace EtherType */ 1372 skb_pull(frame, 6); 1373 memcpy(skb_push(frame, ETH_ALEN), src, ETH_ALEN); 1374 memcpy(skb_push(frame, ETH_ALEN), dst, ETH_ALEN); 1375 } else { 1376 memcpy(skb_push(frame, sizeof(__be16)), 1377 &len, sizeof(__be16)); 1378 memcpy(skb_push(frame, ETH_ALEN), src, ETH_ALEN); 1379 memcpy(skb_push(frame, ETH_ALEN), dst, ETH_ALEN); 1380 } 1381 1382 if (!ieee80211_frame_allowed(rx)) { 1383 if (skb == frame) /* last frame */ 1384 return TXRX_DROP; 1385 dev_kfree_skb(frame); 1386 continue; 1387 } 1388 1389 ieee80211_deliver_skb(rx); 1390 } 1391 1392 return TXRX_QUEUED; 1393 } 1394 1395 static ieee80211_txrx_result 1396 ieee80211_rx_h_data(struct ieee80211_txrx_data *rx) 1397 { 1398 struct net_device *dev = rx->dev; 1399 u16 fc; 1400 int err; 1401 1402 fc = rx->fc; 1403 if (unlikely((fc & IEEE80211_FCTL_FTYPE) != IEEE80211_FTYPE_DATA)) 1404 return TXRX_CONTINUE; 1405 1406 if (unlikely(!WLAN_FC_DATA_PRESENT(fc))) 1407 return TXRX_DROP; 1408 1409 err = ieee80211_data_to_8023(rx); 1410 if (unlikely(err)) 1411 return TXRX_DROP; 1412 1413 if (!ieee80211_frame_allowed(rx)) 1414 return TXRX_DROP; 1415 1416 rx->skb->dev = dev; 1417 1418 dev->stats.rx_packets++; 1419 dev->stats.rx_bytes += rx->skb->len; 1420 1421 ieee80211_deliver_skb(rx); 1422 1423 return TXRX_QUEUED; 1424 } 1425 1426 static ieee80211_txrx_result 1427 ieee80211_rx_h_ctrl(struct ieee80211_txrx_data *rx) 1428 { 1429 struct ieee80211_local *local = rx->local; 1430 struct ieee80211_hw *hw = &local->hw; 1431 struct sk_buff *skb = rx->skb; 1432 struct ieee80211_bar *bar = (struct ieee80211_bar *) skb->data; 1433 struct tid_ampdu_rx *tid_agg_rx; 1434 u16 start_seq_num; 1435 u16 tid; 1436 1437 if (likely((rx->fc & IEEE80211_FCTL_FTYPE) != IEEE80211_FTYPE_CTL)) 1438 return TXRX_CONTINUE; 1439 1440 if ((rx->fc & IEEE80211_FCTL_STYPE) == IEEE80211_STYPE_BACK_REQ) { 1441 if (!rx->sta) 1442 return TXRX_CONTINUE; 1443 tid = le16_to_cpu(bar->control) >> 12; 1444 tid_agg_rx = &(rx->sta->ampdu_mlme.tid_rx[tid]); 1445 if (tid_agg_rx->state != HT_AGG_STATE_OPERATIONAL) 1446 return TXRX_CONTINUE; 1447 1448 start_seq_num = le16_to_cpu(bar->start_seq_num) >> 4; 1449 1450 /* reset session timer */ 1451 if (tid_agg_rx->timeout) { 1452 unsigned long expires = 1453 jiffies + (tid_agg_rx->timeout / 1000) * HZ; 1454 mod_timer(&tid_agg_rx->session_timer, expires); 1455 } 1456 1457 /* manage reordering buffer according to requested */ 1458 /* sequence number */ 1459 rcu_read_lock(); 1460 ieee80211_sta_manage_reorder_buf(hw, tid_agg_rx, NULL, 1461 start_seq_num, 1); 1462 rcu_read_unlock(); 1463 return TXRX_DROP; 1464 } 1465 1466 return TXRX_CONTINUE; 1467 } 1468 1469 static ieee80211_txrx_result 1470 ieee80211_rx_h_mgmt(struct ieee80211_txrx_data *rx) 1471 { 1472 struct ieee80211_sub_if_data *sdata; 1473 1474 if (!(rx->flags & IEEE80211_TXRXD_RXRA_MATCH)) 1475 return TXRX_DROP; 1476 1477 sdata = IEEE80211_DEV_TO_SUB_IF(rx->dev); 1478 if ((sdata->vif.type == IEEE80211_IF_TYPE_STA || 1479 sdata->vif.type == IEEE80211_IF_TYPE_IBSS) && 1480 !(sdata->flags & IEEE80211_SDATA_USERSPACE_MLME)) 1481 ieee80211_sta_rx_mgmt(rx->dev, rx->skb, rx->u.rx.status); 1482 else 1483 return TXRX_DROP; 1484 1485 return TXRX_QUEUED; 1486 } 1487 1488 static inline ieee80211_txrx_result __ieee80211_invoke_rx_handlers( 1489 struct ieee80211_local *local, 1490 ieee80211_rx_handler *handlers, 1491 struct ieee80211_txrx_data *rx, 1492 struct sta_info *sta) 1493 { 1494 ieee80211_rx_handler *handler; 1495 ieee80211_txrx_result res = TXRX_DROP; 1496 1497 for (handler = handlers; *handler != NULL; handler++) { 1498 res = (*handler)(rx); 1499 1500 switch (res) { 1501 case TXRX_CONTINUE: 1502 continue; 1503 case TXRX_DROP: 1504 I802_DEBUG_INC(local->rx_handlers_drop); 1505 if (sta) 1506 sta->rx_dropped++; 1507 break; 1508 case TXRX_QUEUED: 1509 I802_DEBUG_INC(local->rx_handlers_queued); 1510 break; 1511 } 1512 break; 1513 } 1514 1515 if (res == TXRX_DROP) 1516 dev_kfree_skb(rx->skb); 1517 return res; 1518 } 1519 1520 static inline void ieee80211_invoke_rx_handlers(struct ieee80211_local *local, 1521 ieee80211_rx_handler *handlers, 1522 struct ieee80211_txrx_data *rx, 1523 struct sta_info *sta) 1524 { 1525 if (__ieee80211_invoke_rx_handlers(local, handlers, rx, sta) == 1526 TXRX_CONTINUE) 1527 dev_kfree_skb(rx->skb); 1528 } 1529 1530 static void ieee80211_rx_michael_mic_report(struct net_device *dev, 1531 struct ieee80211_hdr *hdr, 1532 struct sta_info *sta, 1533 struct ieee80211_txrx_data *rx) 1534 { 1535 int keyidx, hdrlen; 1536 DECLARE_MAC_BUF(mac); 1537 DECLARE_MAC_BUF(mac2); 1538 1539 hdrlen = ieee80211_get_hdrlen_from_skb(rx->skb); 1540 if (rx->skb->len >= hdrlen + 4) 1541 keyidx = rx->skb->data[hdrlen + 3] >> 6; 1542 else 1543 keyidx = -1; 1544 1545 if (net_ratelimit()) 1546 printk(KERN_DEBUG "%s: TKIP hwaccel reported Michael MIC " 1547 "failure from %s to %s keyidx=%d\n", 1548 dev->name, print_mac(mac, hdr->addr2), 1549 print_mac(mac2, hdr->addr1), keyidx); 1550 1551 if (!sta) { 1552 /* 1553 * Some hardware seem to generate incorrect Michael MIC 1554 * reports; ignore them to avoid triggering countermeasures. 1555 */ 1556 if (net_ratelimit()) 1557 printk(KERN_DEBUG "%s: ignored spurious Michael MIC " 1558 "error for unknown address %s\n", 1559 dev->name, print_mac(mac, hdr->addr2)); 1560 goto ignore; 1561 } 1562 1563 if (!(rx->fc & IEEE80211_FCTL_PROTECTED)) { 1564 if (net_ratelimit()) 1565 printk(KERN_DEBUG "%s: ignored spurious Michael MIC " 1566 "error for a frame with no PROTECTED flag (src " 1567 "%s)\n", dev->name, print_mac(mac, hdr->addr2)); 1568 goto ignore; 1569 } 1570 1571 if (rx->sdata->vif.type == IEEE80211_IF_TYPE_AP && keyidx) { 1572 /* 1573 * APs with pairwise keys should never receive Michael MIC 1574 * errors for non-zero keyidx because these are reserved for 1575 * group keys and only the AP is sending real multicast 1576 * frames in the BSS. 1577 */ 1578 if (net_ratelimit()) 1579 printk(KERN_DEBUG "%s: ignored Michael MIC error for " 1580 "a frame with non-zero keyidx (%d)" 1581 " (src %s)\n", dev->name, keyidx, 1582 print_mac(mac, hdr->addr2)); 1583 goto ignore; 1584 } 1585 1586 if ((rx->fc & IEEE80211_FCTL_FTYPE) != IEEE80211_FTYPE_DATA && 1587 ((rx->fc & IEEE80211_FCTL_FTYPE) != IEEE80211_FTYPE_MGMT || 1588 (rx->fc & IEEE80211_FCTL_STYPE) != IEEE80211_STYPE_AUTH)) { 1589 if (net_ratelimit()) 1590 printk(KERN_DEBUG "%s: ignored spurious Michael MIC " 1591 "error for a frame that cannot be encrypted " 1592 "(fc=0x%04x) (src %s)\n", 1593 dev->name, rx->fc, print_mac(mac, hdr->addr2)); 1594 goto ignore; 1595 } 1596 1597 mac80211_ev_michael_mic_failure(rx->dev, keyidx, hdr); 1598 ignore: 1599 dev_kfree_skb(rx->skb); 1600 rx->skb = NULL; 1601 } 1602 1603 ieee80211_rx_handler ieee80211_rx_handlers[] = 1604 { 1605 ieee80211_rx_h_if_stats, 1606 ieee80211_rx_h_passive_scan, 1607 ieee80211_rx_h_check, 1608 ieee80211_rx_h_decrypt, 1609 ieee80211_rx_h_sta_process, 1610 ieee80211_rx_h_defragment, 1611 ieee80211_rx_h_ps_poll, 1612 ieee80211_rx_h_michael_mic_verify, 1613 /* this must be after decryption - so header is counted in MPDU mic 1614 * must be before pae and data, so QOS_DATA format frames 1615 * are not passed to user space by these functions 1616 */ 1617 ieee80211_rx_h_remove_qos_control, 1618 ieee80211_rx_h_amsdu, 1619 ieee80211_rx_h_data, 1620 ieee80211_rx_h_ctrl, 1621 ieee80211_rx_h_mgmt, 1622 NULL 1623 }; 1624 1625 /* main receive path */ 1626 1627 static int prepare_for_handlers(struct ieee80211_sub_if_data *sdata, 1628 u8 *bssid, struct ieee80211_txrx_data *rx, 1629 struct ieee80211_hdr *hdr) 1630 { 1631 int multicast = is_multicast_ether_addr(hdr->addr1); 1632 1633 switch (sdata->vif.type) { 1634 case IEEE80211_IF_TYPE_STA: 1635 if (!bssid) 1636 return 0; 1637 if (!ieee80211_bssid_match(bssid, sdata->u.sta.bssid)) { 1638 if (!(rx->flags & IEEE80211_TXRXD_RXIN_SCAN)) 1639 return 0; 1640 rx->flags &= ~IEEE80211_TXRXD_RXRA_MATCH; 1641 } else if (!multicast && 1642 compare_ether_addr(sdata->dev->dev_addr, 1643 hdr->addr1) != 0) { 1644 if (!(sdata->dev->flags & IFF_PROMISC)) 1645 return 0; 1646 rx->flags &= ~IEEE80211_TXRXD_RXRA_MATCH; 1647 } 1648 break; 1649 case IEEE80211_IF_TYPE_IBSS: 1650 if (!bssid) 1651 return 0; 1652 if (!ieee80211_bssid_match(bssid, sdata->u.sta.bssid)) { 1653 if (!(rx->flags & IEEE80211_TXRXD_RXIN_SCAN)) 1654 return 0; 1655 rx->flags &= ~IEEE80211_TXRXD_RXRA_MATCH; 1656 } else if (!multicast && 1657 compare_ether_addr(sdata->dev->dev_addr, 1658 hdr->addr1) != 0) { 1659 if (!(sdata->dev->flags & IFF_PROMISC)) 1660 return 0; 1661 rx->flags &= ~IEEE80211_TXRXD_RXRA_MATCH; 1662 } else if (!rx->sta) 1663 rx->sta = ieee80211_ibss_add_sta(sdata->dev, rx->skb, 1664 bssid, hdr->addr2); 1665 break; 1666 case IEEE80211_IF_TYPE_VLAN: 1667 case IEEE80211_IF_TYPE_AP: 1668 if (!bssid) { 1669 if (compare_ether_addr(sdata->dev->dev_addr, 1670 hdr->addr1)) 1671 return 0; 1672 } else if (!ieee80211_bssid_match(bssid, 1673 sdata->dev->dev_addr)) { 1674 if (!(rx->flags & IEEE80211_TXRXD_RXIN_SCAN)) 1675 return 0; 1676 rx->flags &= ~IEEE80211_TXRXD_RXRA_MATCH; 1677 } 1678 if (sdata->dev == sdata->local->mdev && 1679 !(rx->flags & IEEE80211_TXRXD_RXIN_SCAN)) 1680 /* do not receive anything via 1681 * master device when not scanning */ 1682 return 0; 1683 break; 1684 case IEEE80211_IF_TYPE_WDS: 1685 if (bssid || 1686 (rx->fc & IEEE80211_FCTL_FTYPE) != IEEE80211_FTYPE_DATA) 1687 return 0; 1688 if (compare_ether_addr(sdata->u.wds.remote_addr, hdr->addr2)) 1689 return 0; 1690 break; 1691 case IEEE80211_IF_TYPE_MNTR: 1692 /* take everything */ 1693 break; 1694 case IEEE80211_IF_TYPE_INVALID: 1695 /* should never get here */ 1696 WARN_ON(1); 1697 break; 1698 } 1699 1700 return 1; 1701 } 1702 1703 /* 1704 * This is the actual Rx frames handler. as it blongs to Rx path it must 1705 * be called with rcu_read_lock protection. 1706 */ 1707 static void __ieee80211_rx_handle_packet(struct ieee80211_hw *hw, 1708 struct sk_buff *skb, 1709 struct ieee80211_rx_status *status, 1710 u32 load) 1711 { 1712 struct ieee80211_local *local = hw_to_local(hw); 1713 struct ieee80211_sub_if_data *sdata; 1714 struct sta_info *sta; 1715 struct ieee80211_hdr *hdr; 1716 struct ieee80211_txrx_data rx; 1717 u16 type; 1718 int prepares; 1719 struct ieee80211_sub_if_data *prev = NULL; 1720 struct sk_buff *skb_new; 1721 u8 *bssid; 1722 1723 hdr = (struct ieee80211_hdr *) skb->data; 1724 memset(&rx, 0, sizeof(rx)); 1725 rx.skb = skb; 1726 rx.local = local; 1727 1728 rx.u.rx.status = status; 1729 rx.u.rx.load = load; 1730 rx.fc = le16_to_cpu(hdr->frame_control); 1731 type = rx.fc & IEEE80211_FCTL_FTYPE; 1732 1733 if (type == IEEE80211_FTYPE_DATA || type == IEEE80211_FTYPE_MGMT) 1734 local->dot11ReceivedFragmentCount++; 1735 1736 sta = rx.sta = sta_info_get(local, hdr->addr2); 1737 if (sta) { 1738 rx.dev = rx.sta->dev; 1739 rx.sdata = IEEE80211_DEV_TO_SUB_IF(rx.dev); 1740 } 1741 1742 if ((status->flag & RX_FLAG_MMIC_ERROR)) { 1743 ieee80211_rx_michael_mic_report(local->mdev, hdr, sta, &rx); 1744 goto end; 1745 } 1746 1747 if (unlikely(local->sta_sw_scanning || local->sta_hw_scanning)) 1748 rx.flags |= IEEE80211_TXRXD_RXIN_SCAN; 1749 1750 if (__ieee80211_invoke_rx_handlers(local, local->rx_pre_handlers, &rx, 1751 sta) != TXRX_CONTINUE) 1752 goto end; 1753 skb = rx.skb; 1754 1755 if (sta && !(sta->flags & (WLAN_STA_WDS | WLAN_STA_ASSOC_AP)) && 1756 !atomic_read(&local->iff_promiscs) && 1757 !is_multicast_ether_addr(hdr->addr1)) { 1758 rx.flags |= IEEE80211_TXRXD_RXRA_MATCH; 1759 ieee80211_invoke_rx_handlers(local, local->rx_handlers, &rx, 1760 rx.sta); 1761 sta_info_put(sta); 1762 return; 1763 } 1764 1765 list_for_each_entry_rcu(sdata, &local->interfaces, list) { 1766 if (!netif_running(sdata->dev)) 1767 continue; 1768 1769 if (sdata->vif.type == IEEE80211_IF_TYPE_MNTR) 1770 continue; 1771 1772 bssid = ieee80211_get_bssid(hdr, skb->len, sdata->vif.type); 1773 rx.flags |= IEEE80211_TXRXD_RXRA_MATCH; 1774 prepares = prepare_for_handlers(sdata, bssid, &rx, hdr); 1775 /* prepare_for_handlers can change sta */ 1776 sta = rx.sta; 1777 1778 if (!prepares) 1779 continue; 1780 1781 /* 1782 * frame is destined for this interface, but if it's not 1783 * also for the previous one we handle that after the 1784 * loop to avoid copying the SKB once too much 1785 */ 1786 1787 if (!prev) { 1788 prev = sdata; 1789 continue; 1790 } 1791 1792 /* 1793 * frame was destined for the previous interface 1794 * so invoke RX handlers for it 1795 */ 1796 1797 skb_new = skb_copy(skb, GFP_ATOMIC); 1798 if (!skb_new) { 1799 if (net_ratelimit()) 1800 printk(KERN_DEBUG "%s: failed to copy " 1801 "multicast frame for %s", 1802 wiphy_name(local->hw.wiphy), 1803 prev->dev->name); 1804 continue; 1805 } 1806 rx.fc = le16_to_cpu(hdr->frame_control); 1807 rx.skb = skb_new; 1808 rx.dev = prev->dev; 1809 rx.sdata = prev; 1810 ieee80211_invoke_rx_handlers(local, local->rx_handlers, 1811 &rx, sta); 1812 prev = sdata; 1813 } 1814 if (prev) { 1815 rx.fc = le16_to_cpu(hdr->frame_control); 1816 rx.skb = skb; 1817 rx.dev = prev->dev; 1818 rx.sdata = prev; 1819 ieee80211_invoke_rx_handlers(local, local->rx_handlers, 1820 &rx, sta); 1821 } else 1822 dev_kfree_skb(skb); 1823 1824 end: 1825 if (sta) 1826 sta_info_put(sta); 1827 } 1828 1829 #define SEQ_MODULO 0x1000 1830 #define SEQ_MASK 0xfff 1831 1832 static inline int seq_less(u16 sq1, u16 sq2) 1833 { 1834 return (((sq1 - sq2) & SEQ_MASK) > (SEQ_MODULO >> 1)); 1835 } 1836 1837 static inline u16 seq_inc(u16 sq) 1838 { 1839 return ((sq + 1) & SEQ_MASK); 1840 } 1841 1842 static inline u16 seq_sub(u16 sq1, u16 sq2) 1843 { 1844 return ((sq1 - sq2) & SEQ_MASK); 1845 } 1846 1847 1848 /* 1849 * As it function blongs to Rx path it must be called with 1850 * the proper rcu_read_lock protection for its flow. 1851 */ 1852 u8 ieee80211_sta_manage_reorder_buf(struct ieee80211_hw *hw, 1853 struct tid_ampdu_rx *tid_agg_rx, 1854 struct sk_buff *skb, u16 mpdu_seq_num, 1855 int bar_req) 1856 { 1857 struct ieee80211_local *local = hw_to_local(hw); 1858 struct ieee80211_rx_status status; 1859 u16 head_seq_num, buf_size; 1860 int index; 1861 u32 pkt_load; 1862 1863 buf_size = tid_agg_rx->buf_size; 1864 head_seq_num = tid_agg_rx->head_seq_num; 1865 1866 /* frame with out of date sequence number */ 1867 if (seq_less(mpdu_seq_num, head_seq_num)) { 1868 dev_kfree_skb(skb); 1869 return 1; 1870 } 1871 1872 /* if frame sequence number exceeds our buffering window size or 1873 * block Ack Request arrived - release stored frames */ 1874 if ((!seq_less(mpdu_seq_num, head_seq_num + buf_size)) || (bar_req)) { 1875 /* new head to the ordering buffer */ 1876 if (bar_req) 1877 head_seq_num = mpdu_seq_num; 1878 else 1879 head_seq_num = 1880 seq_inc(seq_sub(mpdu_seq_num, buf_size)); 1881 /* release stored frames up to new head to stack */ 1882 while (seq_less(tid_agg_rx->head_seq_num, head_seq_num)) { 1883 index = seq_sub(tid_agg_rx->head_seq_num, 1884 tid_agg_rx->ssn) 1885 % tid_agg_rx->buf_size; 1886 1887 if (tid_agg_rx->reorder_buf[index]) { 1888 /* release the reordered frames to stack */ 1889 memcpy(&status, 1890 tid_agg_rx->reorder_buf[index]->cb, 1891 sizeof(status)); 1892 pkt_load = ieee80211_rx_load_stats(local, 1893 tid_agg_rx->reorder_buf[index], 1894 &status); 1895 __ieee80211_rx_handle_packet(hw, 1896 tid_agg_rx->reorder_buf[index], 1897 &status, pkt_load); 1898 tid_agg_rx->stored_mpdu_num--; 1899 tid_agg_rx->reorder_buf[index] = NULL; 1900 } 1901 tid_agg_rx->head_seq_num = 1902 seq_inc(tid_agg_rx->head_seq_num); 1903 } 1904 if (bar_req) 1905 return 1; 1906 } 1907 1908 /* now the new frame is always in the range of the reordering */ 1909 /* buffer window */ 1910 index = seq_sub(mpdu_seq_num, tid_agg_rx->ssn) 1911 % tid_agg_rx->buf_size; 1912 /* check if we already stored this frame */ 1913 if (tid_agg_rx->reorder_buf[index]) { 1914 dev_kfree_skb(skb); 1915 return 1; 1916 } 1917 1918 /* if arrived mpdu is in the right order and nothing else stored */ 1919 /* release it immediately */ 1920 if (mpdu_seq_num == tid_agg_rx->head_seq_num && 1921 tid_agg_rx->stored_mpdu_num == 0) { 1922 tid_agg_rx->head_seq_num = 1923 seq_inc(tid_agg_rx->head_seq_num); 1924 return 0; 1925 } 1926 1927 /* put the frame in the reordering buffer */ 1928 tid_agg_rx->reorder_buf[index] = skb; 1929 tid_agg_rx->stored_mpdu_num++; 1930 /* release the buffer until next missing frame */ 1931 index = seq_sub(tid_agg_rx->head_seq_num, tid_agg_rx->ssn) 1932 % tid_agg_rx->buf_size; 1933 while (tid_agg_rx->reorder_buf[index]) { 1934 /* release the reordered frame back to stack */ 1935 memcpy(&status, tid_agg_rx->reorder_buf[index]->cb, 1936 sizeof(status)); 1937 pkt_load = ieee80211_rx_load_stats(local, 1938 tid_agg_rx->reorder_buf[index], 1939 &status); 1940 __ieee80211_rx_handle_packet(hw, tid_agg_rx->reorder_buf[index], 1941 &status, pkt_load); 1942 tid_agg_rx->stored_mpdu_num--; 1943 tid_agg_rx->reorder_buf[index] = NULL; 1944 tid_agg_rx->head_seq_num = seq_inc(tid_agg_rx->head_seq_num); 1945 index = seq_sub(tid_agg_rx->head_seq_num, 1946 tid_agg_rx->ssn) % tid_agg_rx->buf_size; 1947 } 1948 return 1; 1949 } 1950 1951 static u8 ieee80211_rx_reorder_ampdu(struct ieee80211_local *local, 1952 struct sk_buff *skb) 1953 { 1954 struct ieee80211_hw *hw = &local->hw; 1955 struct ieee80211_hdr *hdr = (struct ieee80211_hdr *) skb->data; 1956 struct sta_info *sta; 1957 struct tid_ampdu_rx *tid_agg_rx; 1958 u16 fc, sc; 1959 u16 mpdu_seq_num; 1960 u8 ret = 0, *qc; 1961 int tid; 1962 1963 sta = sta_info_get(local, hdr->addr2); 1964 if (!sta) 1965 return ret; 1966 1967 fc = le16_to_cpu(hdr->frame_control); 1968 1969 /* filter the QoS data rx stream according to 1970 * STA/TID and check if this STA/TID is on aggregation */ 1971 if (!WLAN_FC_IS_QOS_DATA(fc)) 1972 goto end_reorder; 1973 1974 qc = skb->data + ieee80211_get_hdrlen(fc) - QOS_CONTROL_LEN; 1975 tid = qc[0] & QOS_CONTROL_TID_MASK; 1976 tid_agg_rx = &(sta->ampdu_mlme.tid_rx[tid]); 1977 1978 if (tid_agg_rx->state != HT_AGG_STATE_OPERATIONAL) 1979 goto end_reorder; 1980 1981 /* null data frames are excluded */ 1982 if (unlikely(fc & IEEE80211_STYPE_NULLFUNC)) 1983 goto end_reorder; 1984 1985 /* new un-ordered ampdu frame - process it */ 1986 1987 /* reset session timer */ 1988 if (tid_agg_rx->timeout) { 1989 unsigned long expires = 1990 jiffies + (tid_agg_rx->timeout / 1000) * HZ; 1991 mod_timer(&tid_agg_rx->session_timer, expires); 1992 } 1993 1994 /* if this mpdu is fragmented - terminate rx aggregation session */ 1995 sc = le16_to_cpu(hdr->seq_ctrl); 1996 if (sc & IEEE80211_SCTL_FRAG) { 1997 ieee80211_sta_stop_rx_ba_session(sta->dev, sta->addr, 1998 tid, 0, WLAN_REASON_QSTA_REQUIRE_SETUP); 1999 ret = 1; 2000 goto end_reorder; 2001 } 2002 2003 /* according to mpdu sequence number deal with reordering buffer */ 2004 mpdu_seq_num = (sc & IEEE80211_SCTL_SEQ) >> 4; 2005 ret = ieee80211_sta_manage_reorder_buf(hw, tid_agg_rx, skb, 2006 mpdu_seq_num, 0); 2007 end_reorder: 2008 if (sta) 2009 sta_info_put(sta); 2010 return ret; 2011 } 2012 2013 /* 2014 * This is the receive path handler. It is called by a low level driver when an 2015 * 802.11 MPDU is received from the hardware. 2016 */ 2017 void __ieee80211_rx(struct ieee80211_hw *hw, struct sk_buff *skb, 2018 struct ieee80211_rx_status *status) 2019 { 2020 struct ieee80211_local *local = hw_to_local(hw); 2021 u32 pkt_load; 2022 2023 /* 2024 * key references and virtual interfaces are protected using RCU 2025 * and this requires that we are in a read-side RCU section during 2026 * receive processing 2027 */ 2028 rcu_read_lock(); 2029 2030 /* 2031 * Frames with failed FCS/PLCP checksum are not returned, 2032 * all other frames are returned without radiotap header 2033 * if it was previously present. 2034 * Also, frames with less than 16 bytes are dropped. 2035 */ 2036 skb = ieee80211_rx_monitor(local, skb, status); 2037 if (!skb) { 2038 rcu_read_unlock(); 2039 return; 2040 } 2041 2042 pkt_load = ieee80211_rx_load_stats(local, skb, status); 2043 local->channel_use_raw += pkt_load; 2044 2045 if (!ieee80211_rx_reorder_ampdu(local, skb)) 2046 __ieee80211_rx_handle_packet(hw, skb, status, pkt_load); 2047 2048 rcu_read_unlock(); 2049 } 2050 EXPORT_SYMBOL(__ieee80211_rx); 2051 2052 /* This is a version of the rx handler that can be called from hard irq 2053 * context. Post the skb on the queue and schedule the tasklet */ 2054 void ieee80211_rx_irqsafe(struct ieee80211_hw *hw, struct sk_buff *skb, 2055 struct ieee80211_rx_status *status) 2056 { 2057 struct ieee80211_local *local = hw_to_local(hw); 2058 2059 BUILD_BUG_ON(sizeof(struct ieee80211_rx_status) > sizeof(skb->cb)); 2060 2061 skb->dev = local->mdev; 2062 /* copy status into skb->cb for use by tasklet */ 2063 memcpy(skb->cb, status, sizeof(*status)); 2064 skb->pkt_type = IEEE80211_RX_MSG; 2065 skb_queue_tail(&local->skb_queue, skb); 2066 tasklet_schedule(&local->tasklet); 2067 } 2068 EXPORT_SYMBOL(ieee80211_rx_irqsafe); 2069