1 /* 2 * Copyright 2002-2005, Instant802 Networks, Inc. 3 * Copyright 2005-2006, Devicescape Software, Inc. 4 * Copyright 2006-2007 Jiri Benc <jbenc@suse.cz> 5 * Copyright 2007 Johannes Berg <johannes@sipsolutions.net> 6 * 7 * This program is free software; you can redistribute it and/or modify 8 * it under the terms of the GNU General Public License version 2 as 9 * published by the Free Software Foundation. 10 */ 11 12 #include <linux/jiffies.h> 13 #include <linux/kernel.h> 14 #include <linux/skbuff.h> 15 #include <linux/netdevice.h> 16 #include <linux/etherdevice.h> 17 #include <linux/rcupdate.h> 18 #include <net/mac80211.h> 19 #include <net/ieee80211_radiotap.h> 20 21 #include "ieee80211_i.h" 22 #include "driver-ops.h" 23 #include "led.h" 24 #include "mesh.h" 25 #include "wep.h" 26 #include "wpa.h" 27 #include "tkip.h" 28 #include "wme.h" 29 30 /* 31 * monitor mode reception 32 * 33 * This function cleans up the SKB, i.e. it removes all the stuff 34 * only useful for monitoring. 35 */ 36 static struct sk_buff *remove_monitor_info(struct ieee80211_local *local, 37 struct sk_buff *skb) 38 { 39 if (local->hw.flags & IEEE80211_HW_RX_INCLUDES_FCS) { 40 if (likely(skb->len > FCS_LEN)) 41 skb_trim(skb, skb->len - FCS_LEN); 42 else { 43 /* driver bug */ 44 WARN_ON(1); 45 dev_kfree_skb(skb); 46 skb = NULL; 47 } 48 } 49 50 return skb; 51 } 52 53 static inline int should_drop_frame(struct sk_buff *skb, 54 int present_fcs_len) 55 { 56 struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(skb); 57 struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)skb->data; 58 59 if (status->flag & (RX_FLAG_FAILED_FCS_CRC | RX_FLAG_FAILED_PLCP_CRC)) 60 return 1; 61 if (unlikely(skb->len < 16 + present_fcs_len)) 62 return 1; 63 if (ieee80211_is_ctl(hdr->frame_control) && 64 !ieee80211_is_pspoll(hdr->frame_control) && 65 !ieee80211_is_back_req(hdr->frame_control)) 66 return 1; 67 return 0; 68 } 69 70 static int 71 ieee80211_rx_radiotap_len(struct ieee80211_local *local, 72 struct ieee80211_rx_status *status) 73 { 74 int len; 75 76 /* always present fields */ 77 len = sizeof(struct ieee80211_radiotap_header) + 9; 78 79 if (status->flag & RX_FLAG_TSFT) 80 len += 8; 81 if (local->hw.flags & IEEE80211_HW_SIGNAL_DBM) 82 len += 1; 83 if (local->hw.flags & IEEE80211_HW_NOISE_DBM) 84 len += 1; 85 86 if (len & 1) /* padding for RX_FLAGS if necessary */ 87 len++; 88 89 return len; 90 } 91 92 /* 93 * ieee80211_add_rx_radiotap_header - add radiotap header 94 * 95 * add a radiotap header containing all the fields which the hardware provided. 96 */ 97 static void 98 ieee80211_add_rx_radiotap_header(struct ieee80211_local *local, 99 struct sk_buff *skb, 100 struct ieee80211_rate *rate, 101 int rtap_len) 102 { 103 struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(skb); 104 struct ieee80211_radiotap_header *rthdr; 105 unsigned char *pos; 106 u16 rx_flags = 0; 107 108 rthdr = (struct ieee80211_radiotap_header *)skb_push(skb, rtap_len); 109 memset(rthdr, 0, rtap_len); 110 111 /* radiotap header, set always present flags */ 112 rthdr->it_present = 113 cpu_to_le32((1 << IEEE80211_RADIOTAP_FLAGS) | 114 (1 << IEEE80211_RADIOTAP_CHANNEL) | 115 (1 << IEEE80211_RADIOTAP_ANTENNA) | 116 (1 << IEEE80211_RADIOTAP_RX_FLAGS)); 117 rthdr->it_len = cpu_to_le16(rtap_len); 118 119 pos = (unsigned char *)(rthdr+1); 120 121 /* the order of the following fields is important */ 122 123 /* IEEE80211_RADIOTAP_TSFT */ 124 if (status->flag & RX_FLAG_TSFT) { 125 put_unaligned_le64(status->mactime, pos); 126 rthdr->it_present |= 127 cpu_to_le32(1 << IEEE80211_RADIOTAP_TSFT); 128 pos += 8; 129 } 130 131 /* IEEE80211_RADIOTAP_FLAGS */ 132 if (local->hw.flags & IEEE80211_HW_RX_INCLUDES_FCS) 133 *pos |= IEEE80211_RADIOTAP_F_FCS; 134 if (status->flag & (RX_FLAG_FAILED_FCS_CRC | RX_FLAG_FAILED_PLCP_CRC)) 135 *pos |= IEEE80211_RADIOTAP_F_BADFCS; 136 if (status->flag & RX_FLAG_SHORTPRE) 137 *pos |= IEEE80211_RADIOTAP_F_SHORTPRE; 138 pos++; 139 140 /* IEEE80211_RADIOTAP_RATE */ 141 if (status->flag & RX_FLAG_HT) { 142 /* 143 * TODO: add following information into radiotap header once 144 * suitable fields are defined for it: 145 * - MCS index (status->rate_idx) 146 * - HT40 (status->flag & RX_FLAG_40MHZ) 147 * - short-GI (status->flag & RX_FLAG_SHORT_GI) 148 */ 149 *pos = 0; 150 } else { 151 rthdr->it_present |= cpu_to_le32(1 << IEEE80211_RADIOTAP_RATE); 152 *pos = rate->bitrate / 5; 153 } 154 pos++; 155 156 /* IEEE80211_RADIOTAP_CHANNEL */ 157 put_unaligned_le16(status->freq, pos); 158 pos += 2; 159 if (status->band == IEEE80211_BAND_5GHZ) 160 put_unaligned_le16(IEEE80211_CHAN_OFDM | IEEE80211_CHAN_5GHZ, 161 pos); 162 else if (status->flag & RX_FLAG_HT) 163 put_unaligned_le16(IEEE80211_CHAN_DYN | IEEE80211_CHAN_2GHZ, 164 pos); 165 else if (rate->flags & IEEE80211_RATE_ERP_G) 166 put_unaligned_le16(IEEE80211_CHAN_OFDM | IEEE80211_CHAN_2GHZ, 167 pos); 168 else 169 put_unaligned_le16(IEEE80211_CHAN_CCK | IEEE80211_CHAN_2GHZ, 170 pos); 171 pos += 2; 172 173 /* IEEE80211_RADIOTAP_DBM_ANTSIGNAL */ 174 if (local->hw.flags & IEEE80211_HW_SIGNAL_DBM) { 175 *pos = status->signal; 176 rthdr->it_present |= 177 cpu_to_le32(1 << IEEE80211_RADIOTAP_DBM_ANTSIGNAL); 178 pos++; 179 } 180 181 /* IEEE80211_RADIOTAP_DBM_ANTNOISE */ 182 if (local->hw.flags & IEEE80211_HW_NOISE_DBM) { 183 *pos = status->noise; 184 rthdr->it_present |= 185 cpu_to_le32(1 << IEEE80211_RADIOTAP_DBM_ANTNOISE); 186 pos++; 187 } 188 189 /* IEEE80211_RADIOTAP_LOCK_QUALITY is missing */ 190 191 /* IEEE80211_RADIOTAP_ANTENNA */ 192 *pos = status->antenna; 193 pos++; 194 195 /* IEEE80211_RADIOTAP_DB_ANTNOISE is not used */ 196 197 /* IEEE80211_RADIOTAP_RX_FLAGS */ 198 /* ensure 2 byte alignment for the 2 byte field as required */ 199 if ((pos - (u8 *)rthdr) & 1) 200 pos++; 201 if (status->flag & RX_FLAG_FAILED_PLCP_CRC) 202 rx_flags |= IEEE80211_RADIOTAP_F_RX_BADPLCP; 203 put_unaligned_le16(rx_flags, pos); 204 pos += 2; 205 } 206 207 /* 208 * This function copies a received frame to all monitor interfaces and 209 * returns a cleaned-up SKB that no longer includes the FCS nor the 210 * radiotap header the driver might have added. 211 */ 212 static struct sk_buff * 213 ieee80211_rx_monitor(struct ieee80211_local *local, struct sk_buff *origskb, 214 struct ieee80211_rate *rate) 215 { 216 struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(origskb); 217 struct ieee80211_sub_if_data *sdata; 218 int needed_headroom = 0; 219 struct sk_buff *skb, *skb2; 220 struct net_device *prev_dev = NULL; 221 int present_fcs_len = 0; 222 223 /* 224 * First, we may need to make a copy of the skb because 225 * (1) we need to modify it for radiotap (if not present), and 226 * (2) the other RX handlers will modify the skb we got. 227 * 228 * We don't need to, of course, if we aren't going to return 229 * the SKB because it has a bad FCS/PLCP checksum. 230 */ 231 232 /* room for the radiotap header based on driver features */ 233 needed_headroom = ieee80211_rx_radiotap_len(local, status); 234 235 if (local->hw.flags & IEEE80211_HW_RX_INCLUDES_FCS) 236 present_fcs_len = FCS_LEN; 237 238 if (!local->monitors) { 239 if (should_drop_frame(origskb, present_fcs_len)) { 240 dev_kfree_skb(origskb); 241 return NULL; 242 } 243 244 return remove_monitor_info(local, origskb); 245 } 246 247 if (should_drop_frame(origskb, present_fcs_len)) { 248 /* only need to expand headroom if necessary */ 249 skb = origskb; 250 origskb = NULL; 251 252 /* 253 * This shouldn't trigger often because most devices have an 254 * RX header they pull before we get here, and that should 255 * be big enough for our radiotap information. We should 256 * probably export the length to drivers so that we can have 257 * them allocate enough headroom to start with. 258 */ 259 if (skb_headroom(skb) < needed_headroom && 260 pskb_expand_head(skb, needed_headroom, 0, GFP_ATOMIC)) { 261 dev_kfree_skb(skb); 262 return NULL; 263 } 264 } else { 265 /* 266 * Need to make a copy and possibly remove radiotap header 267 * and FCS from the original. 268 */ 269 skb = skb_copy_expand(origskb, needed_headroom, 0, GFP_ATOMIC); 270 271 origskb = remove_monitor_info(local, origskb); 272 273 if (!skb) 274 return origskb; 275 } 276 277 /* prepend radiotap information */ 278 ieee80211_add_rx_radiotap_header(local, skb, rate, needed_headroom); 279 280 skb_reset_mac_header(skb); 281 skb->ip_summed = CHECKSUM_UNNECESSARY; 282 skb->pkt_type = PACKET_OTHERHOST; 283 skb->protocol = htons(ETH_P_802_2); 284 285 list_for_each_entry_rcu(sdata, &local->interfaces, list) { 286 if (!netif_running(sdata->dev)) 287 continue; 288 289 if (sdata->vif.type != NL80211_IFTYPE_MONITOR) 290 continue; 291 292 if (sdata->u.mntr_flags & MONITOR_FLAG_COOK_FRAMES) 293 continue; 294 295 if (prev_dev) { 296 skb2 = skb_clone(skb, GFP_ATOMIC); 297 if (skb2) { 298 skb2->dev = prev_dev; 299 netif_rx(skb2); 300 } 301 } 302 303 prev_dev = sdata->dev; 304 sdata->dev->stats.rx_packets++; 305 sdata->dev->stats.rx_bytes += skb->len; 306 } 307 308 if (prev_dev) { 309 skb->dev = prev_dev; 310 netif_rx(skb); 311 } else 312 dev_kfree_skb(skb); 313 314 return origskb; 315 } 316 317 318 static void ieee80211_parse_qos(struct ieee80211_rx_data *rx) 319 { 320 struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)rx->skb->data; 321 int tid; 322 323 /* does the frame have a qos control field? */ 324 if (ieee80211_is_data_qos(hdr->frame_control)) { 325 u8 *qc = ieee80211_get_qos_ctl(hdr); 326 /* frame has qos control */ 327 tid = *qc & IEEE80211_QOS_CTL_TID_MASK; 328 if (*qc & IEEE80211_QOS_CONTROL_A_MSDU_PRESENT) 329 rx->flags |= IEEE80211_RX_AMSDU; 330 else 331 rx->flags &= ~IEEE80211_RX_AMSDU; 332 } else { 333 /* 334 * IEEE 802.11-2007, 7.1.3.4.1 ("Sequence Number field"): 335 * 336 * Sequence numbers for management frames, QoS data 337 * frames with a broadcast/multicast address in the 338 * Address 1 field, and all non-QoS data frames sent 339 * by QoS STAs are assigned using an additional single 340 * modulo-4096 counter, [...] 341 * 342 * We also use that counter for non-QoS STAs. 343 */ 344 tid = NUM_RX_DATA_QUEUES - 1; 345 } 346 347 rx->queue = tid; 348 /* Set skb->priority to 1d tag if highest order bit of TID is not set. 349 * For now, set skb->priority to 0 for other cases. */ 350 rx->skb->priority = (tid > 7) ? 0 : tid; 351 } 352 353 /** 354 * DOC: Packet alignment 355 * 356 * Drivers always need to pass packets that are aligned to two-byte boundaries 357 * to the stack. 358 * 359 * Additionally, should, if possible, align the payload data in a way that 360 * guarantees that the contained IP header is aligned to a four-byte 361 * boundary. In the case of regular frames, this simply means aligning the 362 * payload to a four-byte boundary (because either the IP header is directly 363 * contained, or IV/RFC1042 headers that have a length divisible by four are 364 * in front of it). 365 * 366 * With A-MSDU frames, however, the payload data address must yield two modulo 367 * four because there are 14-byte 802.3 headers within the A-MSDU frames that 368 * push the IP header further back to a multiple of four again. Thankfully, the 369 * specs were sane enough this time around to require padding each A-MSDU 370 * subframe to a length that is a multiple of four. 371 * 372 * Padding like Atheros hardware adds which is inbetween the 802.11 header and 373 * the payload is not supported, the driver is required to move the 802.11 374 * header to be directly in front of the payload in that case. 375 */ 376 static void ieee80211_verify_alignment(struct ieee80211_rx_data *rx) 377 { 378 struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)rx->skb->data; 379 int hdrlen; 380 381 #ifndef CONFIG_MAC80211_DEBUG_PACKET_ALIGNMENT 382 return; 383 #endif 384 385 if (WARN_ONCE((unsigned long)rx->skb->data & 1, 386 "unaligned packet at 0x%p\n", rx->skb->data)) 387 return; 388 389 if (!ieee80211_is_data_present(hdr->frame_control)) 390 return; 391 392 hdrlen = ieee80211_hdrlen(hdr->frame_control); 393 if (rx->flags & IEEE80211_RX_AMSDU) 394 hdrlen += ETH_HLEN; 395 WARN_ONCE(((unsigned long)(rx->skb->data + hdrlen)) & 3, 396 "unaligned IP payload at 0x%p\n", rx->skb->data + hdrlen); 397 } 398 399 400 /* rx handlers */ 401 402 static ieee80211_rx_result debug_noinline 403 ieee80211_rx_h_passive_scan(struct ieee80211_rx_data *rx) 404 { 405 struct ieee80211_local *local = rx->local; 406 struct sk_buff *skb = rx->skb; 407 408 if (unlikely(test_bit(SCAN_HW_SCANNING, &local->scanning))) 409 return ieee80211_scan_rx(rx->sdata, skb); 410 411 if (unlikely(test_bit(SCAN_SW_SCANNING, &local->scanning) && 412 (rx->flags & IEEE80211_RX_IN_SCAN))) { 413 /* drop all the other packets during a software scan anyway */ 414 if (ieee80211_scan_rx(rx->sdata, skb) != RX_QUEUED) 415 dev_kfree_skb(skb); 416 return RX_QUEUED; 417 } 418 419 if (unlikely(rx->flags & IEEE80211_RX_IN_SCAN)) { 420 /* scanning finished during invoking of handlers */ 421 I802_DEBUG_INC(local->rx_handlers_drop_passive_scan); 422 return RX_DROP_UNUSABLE; 423 } 424 425 return RX_CONTINUE; 426 } 427 428 429 static int ieee80211_is_unicast_robust_mgmt_frame(struct sk_buff *skb) 430 { 431 struct ieee80211_hdr *hdr = (struct ieee80211_hdr *) skb->data; 432 433 if (skb->len < 24 || is_multicast_ether_addr(hdr->addr1)) 434 return 0; 435 436 return ieee80211_is_robust_mgmt_frame(hdr); 437 } 438 439 440 static int ieee80211_is_multicast_robust_mgmt_frame(struct sk_buff *skb) 441 { 442 struct ieee80211_hdr *hdr = (struct ieee80211_hdr *) skb->data; 443 444 if (skb->len < 24 || !is_multicast_ether_addr(hdr->addr1)) 445 return 0; 446 447 return ieee80211_is_robust_mgmt_frame(hdr); 448 } 449 450 451 /* Get the BIP key index from MMIE; return -1 if this is not a BIP frame */ 452 static int ieee80211_get_mmie_keyidx(struct sk_buff *skb) 453 { 454 struct ieee80211_mgmt *hdr = (struct ieee80211_mgmt *) skb->data; 455 struct ieee80211_mmie *mmie; 456 457 if (skb->len < 24 + sizeof(*mmie) || 458 !is_multicast_ether_addr(hdr->da)) 459 return -1; 460 461 if (!ieee80211_is_robust_mgmt_frame((struct ieee80211_hdr *) hdr)) 462 return -1; /* not a robust management frame */ 463 464 mmie = (struct ieee80211_mmie *) 465 (skb->data + skb->len - sizeof(*mmie)); 466 if (mmie->element_id != WLAN_EID_MMIE || 467 mmie->length != sizeof(*mmie) - 2) 468 return -1; 469 470 return le16_to_cpu(mmie->key_id); 471 } 472 473 474 static ieee80211_rx_result 475 ieee80211_rx_mesh_check(struct ieee80211_rx_data *rx) 476 { 477 struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)rx->skb->data; 478 unsigned int hdrlen = ieee80211_hdrlen(hdr->frame_control); 479 char *dev_addr = rx->sdata->dev->dev_addr; 480 481 if (ieee80211_is_data(hdr->frame_control)) { 482 if (is_multicast_ether_addr(hdr->addr1)) { 483 if (ieee80211_has_tods(hdr->frame_control) || 484 !ieee80211_has_fromds(hdr->frame_control)) 485 return RX_DROP_MONITOR; 486 if (memcmp(hdr->addr3, dev_addr, ETH_ALEN) == 0) 487 return RX_DROP_MONITOR; 488 } else { 489 if (!ieee80211_has_a4(hdr->frame_control)) 490 return RX_DROP_MONITOR; 491 if (memcmp(hdr->addr4, dev_addr, ETH_ALEN) == 0) 492 return RX_DROP_MONITOR; 493 } 494 } 495 496 /* If there is not an established peer link and this is not a peer link 497 * establisment frame, beacon or probe, drop the frame. 498 */ 499 500 if (!rx->sta || sta_plink_state(rx->sta) != PLINK_ESTAB) { 501 struct ieee80211_mgmt *mgmt; 502 503 if (!ieee80211_is_mgmt(hdr->frame_control)) 504 return RX_DROP_MONITOR; 505 506 if (ieee80211_is_action(hdr->frame_control)) { 507 mgmt = (struct ieee80211_mgmt *)hdr; 508 if (mgmt->u.action.category != MESH_PLINK_CATEGORY) 509 return RX_DROP_MONITOR; 510 return RX_CONTINUE; 511 } 512 513 if (ieee80211_is_probe_req(hdr->frame_control) || 514 ieee80211_is_probe_resp(hdr->frame_control) || 515 ieee80211_is_beacon(hdr->frame_control)) 516 return RX_CONTINUE; 517 518 return RX_DROP_MONITOR; 519 520 } 521 522 #define msh_h_get(h, l) ((struct ieee80211s_hdr *) ((u8 *)h + l)) 523 524 if (ieee80211_is_data(hdr->frame_control) && 525 is_multicast_ether_addr(hdr->addr1) && 526 mesh_rmc_check(hdr->addr3, msh_h_get(hdr, hdrlen), rx->sdata)) 527 return RX_DROP_MONITOR; 528 #undef msh_h_get 529 530 return RX_CONTINUE; 531 } 532 533 #define SEQ_MODULO 0x1000 534 #define SEQ_MASK 0xfff 535 536 static inline int seq_less(u16 sq1, u16 sq2) 537 { 538 return ((sq1 - sq2) & SEQ_MASK) > (SEQ_MODULO >> 1); 539 } 540 541 static inline u16 seq_inc(u16 sq) 542 { 543 return (sq + 1) & SEQ_MASK; 544 } 545 546 static inline u16 seq_sub(u16 sq1, u16 sq2) 547 { 548 return (sq1 - sq2) & SEQ_MASK; 549 } 550 551 552 static void ieee80211_release_reorder_frame(struct ieee80211_hw *hw, 553 struct tid_ampdu_rx *tid_agg_rx, 554 int index, 555 struct sk_buff_head *frames) 556 { 557 struct ieee80211_supported_band *sband; 558 struct ieee80211_rate *rate = NULL; 559 struct sk_buff *skb = tid_agg_rx->reorder_buf[index]; 560 struct ieee80211_rx_status *status; 561 562 if (!skb) 563 goto no_frame; 564 565 status = IEEE80211_SKB_RXCB(skb); 566 567 /* release the reordered frames to stack */ 568 sband = hw->wiphy->bands[status->band]; 569 if (!(status->flag & RX_FLAG_HT)) 570 rate = &sband->bitrates[status->rate_idx]; 571 tid_agg_rx->stored_mpdu_num--; 572 tid_agg_rx->reorder_buf[index] = NULL; 573 __skb_queue_tail(frames, skb); 574 575 no_frame: 576 tid_agg_rx->head_seq_num = seq_inc(tid_agg_rx->head_seq_num); 577 } 578 579 static void ieee80211_release_reorder_frames(struct ieee80211_hw *hw, 580 struct tid_ampdu_rx *tid_agg_rx, 581 u16 head_seq_num, 582 struct sk_buff_head *frames) 583 { 584 int index; 585 586 while (seq_less(tid_agg_rx->head_seq_num, head_seq_num)) { 587 index = seq_sub(tid_agg_rx->head_seq_num, tid_agg_rx->ssn) % 588 tid_agg_rx->buf_size; 589 ieee80211_release_reorder_frame(hw, tid_agg_rx, index, frames); 590 } 591 } 592 593 /* 594 * Timeout (in jiffies) for skb's that are waiting in the RX reorder buffer. If 595 * the skb was added to the buffer longer than this time ago, the earlier 596 * frames that have not yet been received are assumed to be lost and the skb 597 * can be released for processing. This may also release other skb's from the 598 * reorder buffer if there are no additional gaps between the frames. 599 */ 600 #define HT_RX_REORDER_BUF_TIMEOUT (HZ / 10) 601 602 /* 603 * As this function belongs to the RX path it must be under 604 * rcu_read_lock protection. It returns false if the frame 605 * can be processed immediately, true if it was consumed. 606 */ 607 static bool ieee80211_sta_manage_reorder_buf(struct ieee80211_hw *hw, 608 struct tid_ampdu_rx *tid_agg_rx, 609 struct sk_buff *skb, 610 struct sk_buff_head *frames) 611 { 612 struct ieee80211_hdr *hdr = (struct ieee80211_hdr *) skb->data; 613 u16 sc = le16_to_cpu(hdr->seq_ctrl); 614 u16 mpdu_seq_num = (sc & IEEE80211_SCTL_SEQ) >> 4; 615 u16 head_seq_num, buf_size; 616 int index; 617 618 buf_size = tid_agg_rx->buf_size; 619 head_seq_num = tid_agg_rx->head_seq_num; 620 621 /* frame with out of date sequence number */ 622 if (seq_less(mpdu_seq_num, head_seq_num)) { 623 dev_kfree_skb(skb); 624 return true; 625 } 626 627 /* 628 * If frame the sequence number exceeds our buffering window 629 * size release some previous frames to make room for this one. 630 */ 631 if (!seq_less(mpdu_seq_num, head_seq_num + buf_size)) { 632 head_seq_num = seq_inc(seq_sub(mpdu_seq_num, buf_size)); 633 /* release stored frames up to new head to stack */ 634 ieee80211_release_reorder_frames(hw, tid_agg_rx, head_seq_num, 635 frames); 636 } 637 638 /* Now the new frame is always in the range of the reordering buffer */ 639 640 index = seq_sub(mpdu_seq_num, tid_agg_rx->ssn) % tid_agg_rx->buf_size; 641 642 /* check if we already stored this frame */ 643 if (tid_agg_rx->reorder_buf[index]) { 644 dev_kfree_skb(skb); 645 return true; 646 } 647 648 /* 649 * If the current MPDU is in the right order and nothing else 650 * is stored we can process it directly, no need to buffer it. 651 */ 652 if (mpdu_seq_num == tid_agg_rx->head_seq_num && 653 tid_agg_rx->stored_mpdu_num == 0) { 654 tid_agg_rx->head_seq_num = seq_inc(tid_agg_rx->head_seq_num); 655 return false; 656 } 657 658 /* put the frame in the reordering buffer */ 659 tid_agg_rx->reorder_buf[index] = skb; 660 tid_agg_rx->reorder_time[index] = jiffies; 661 tid_agg_rx->stored_mpdu_num++; 662 /* release the buffer until next missing frame */ 663 index = seq_sub(tid_agg_rx->head_seq_num, tid_agg_rx->ssn) % 664 tid_agg_rx->buf_size; 665 if (!tid_agg_rx->reorder_buf[index] && 666 tid_agg_rx->stored_mpdu_num > 1) { 667 /* 668 * No buffers ready to be released, but check whether any 669 * frames in the reorder buffer have timed out. 670 */ 671 int j; 672 int skipped = 1; 673 for (j = (index + 1) % tid_agg_rx->buf_size; j != index; 674 j = (j + 1) % tid_agg_rx->buf_size) { 675 if (!tid_agg_rx->reorder_buf[j]) { 676 skipped++; 677 continue; 678 } 679 if (!time_after(jiffies, tid_agg_rx->reorder_time[j] + 680 HT_RX_REORDER_BUF_TIMEOUT)) 681 break; 682 683 #ifdef CONFIG_MAC80211_HT_DEBUG 684 if (net_ratelimit()) 685 printk(KERN_DEBUG "%s: release an RX reorder " 686 "frame due to timeout on earlier " 687 "frames\n", 688 wiphy_name(hw->wiphy)); 689 #endif 690 ieee80211_release_reorder_frame(hw, tid_agg_rx, 691 j, frames); 692 693 /* 694 * Increment the head seq# also for the skipped slots. 695 */ 696 tid_agg_rx->head_seq_num = 697 (tid_agg_rx->head_seq_num + skipped) & SEQ_MASK; 698 skipped = 0; 699 } 700 } else while (tid_agg_rx->reorder_buf[index]) { 701 ieee80211_release_reorder_frame(hw, tid_agg_rx, index, frames); 702 index = seq_sub(tid_agg_rx->head_seq_num, tid_agg_rx->ssn) % 703 tid_agg_rx->buf_size; 704 } 705 706 return true; 707 } 708 709 /* 710 * Reorder MPDUs from A-MPDUs, keeping them on a buffer. Returns 711 * true if the MPDU was buffered, false if it should be processed. 712 */ 713 static void ieee80211_rx_reorder_ampdu(struct ieee80211_rx_data *rx, 714 struct sk_buff_head *frames) 715 { 716 struct sk_buff *skb = rx->skb; 717 struct ieee80211_local *local = rx->local; 718 struct ieee80211_hw *hw = &local->hw; 719 struct ieee80211_hdr *hdr = (struct ieee80211_hdr *) skb->data; 720 struct sta_info *sta = rx->sta; 721 struct tid_ampdu_rx *tid_agg_rx; 722 u16 sc; 723 int tid; 724 725 if (!ieee80211_is_data_qos(hdr->frame_control)) 726 goto dont_reorder; 727 728 /* 729 * filter the QoS data rx stream according to 730 * STA/TID and check if this STA/TID is on aggregation 731 */ 732 733 if (!sta) 734 goto dont_reorder; 735 736 tid = *ieee80211_get_qos_ctl(hdr) & IEEE80211_QOS_CTL_TID_MASK; 737 738 if (sta->ampdu_mlme.tid_state_rx[tid] != HT_AGG_STATE_OPERATIONAL) 739 goto dont_reorder; 740 741 tid_agg_rx = sta->ampdu_mlme.tid_rx[tid]; 742 743 /* qos null data frames are excluded */ 744 if (unlikely(hdr->frame_control & cpu_to_le16(IEEE80211_STYPE_NULLFUNC))) 745 goto dont_reorder; 746 747 /* new, potentially un-ordered, ampdu frame - process it */ 748 749 /* reset session timer */ 750 if (tid_agg_rx->timeout) 751 mod_timer(&tid_agg_rx->session_timer, 752 TU_TO_EXP_TIME(tid_agg_rx->timeout)); 753 754 /* if this mpdu is fragmented - terminate rx aggregation session */ 755 sc = le16_to_cpu(hdr->seq_ctrl); 756 if (sc & IEEE80211_SCTL_FRAG) { 757 ieee80211_sta_stop_rx_ba_session(sta->sdata, sta->sta.addr, 758 tid, 0, WLAN_REASON_QSTA_REQUIRE_SETUP); 759 dev_kfree_skb(skb); 760 return; 761 } 762 763 if (ieee80211_sta_manage_reorder_buf(hw, tid_agg_rx, skb, frames)) 764 return; 765 766 dont_reorder: 767 __skb_queue_tail(frames, skb); 768 } 769 770 static ieee80211_rx_result debug_noinline 771 ieee80211_rx_h_check(struct ieee80211_rx_data *rx) 772 { 773 struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)rx->skb->data; 774 775 /* Drop duplicate 802.11 retransmissions (IEEE 802.11 Chap. 9.2.9) */ 776 if (rx->sta && !is_multicast_ether_addr(hdr->addr1)) { 777 if (unlikely(ieee80211_has_retry(hdr->frame_control) && 778 rx->sta->last_seq_ctrl[rx->queue] == 779 hdr->seq_ctrl)) { 780 if (rx->flags & IEEE80211_RX_RA_MATCH) { 781 rx->local->dot11FrameDuplicateCount++; 782 rx->sta->num_duplicates++; 783 } 784 return RX_DROP_MONITOR; 785 } else 786 rx->sta->last_seq_ctrl[rx->queue] = hdr->seq_ctrl; 787 } 788 789 if (unlikely(rx->skb->len < 16)) { 790 I802_DEBUG_INC(rx->local->rx_handlers_drop_short); 791 return RX_DROP_MONITOR; 792 } 793 794 /* Drop disallowed frame classes based on STA auth/assoc state; 795 * IEEE 802.11, Chap 5.5. 796 * 797 * mac80211 filters only based on association state, i.e. it drops 798 * Class 3 frames from not associated stations. hostapd sends 799 * deauth/disassoc frames when needed. In addition, hostapd is 800 * responsible for filtering on both auth and assoc states. 801 */ 802 803 if (ieee80211_vif_is_mesh(&rx->sdata->vif)) 804 return ieee80211_rx_mesh_check(rx); 805 806 if (unlikely((ieee80211_is_data(hdr->frame_control) || 807 ieee80211_is_pspoll(hdr->frame_control)) && 808 rx->sdata->vif.type != NL80211_IFTYPE_ADHOC && 809 (!rx->sta || !test_sta_flags(rx->sta, WLAN_STA_ASSOC)))) { 810 if ((!ieee80211_has_fromds(hdr->frame_control) && 811 !ieee80211_has_tods(hdr->frame_control) && 812 ieee80211_is_data(hdr->frame_control)) || 813 !(rx->flags & IEEE80211_RX_RA_MATCH)) { 814 /* Drop IBSS frames and frames for other hosts 815 * silently. */ 816 return RX_DROP_MONITOR; 817 } 818 819 return RX_DROP_MONITOR; 820 } 821 822 return RX_CONTINUE; 823 } 824 825 826 static ieee80211_rx_result debug_noinline 827 ieee80211_rx_h_decrypt(struct ieee80211_rx_data *rx) 828 { 829 struct sk_buff *skb = rx->skb; 830 struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(skb); 831 struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)skb->data; 832 int keyidx; 833 int hdrlen; 834 ieee80211_rx_result result = RX_DROP_UNUSABLE; 835 struct ieee80211_key *stakey = NULL; 836 int mmie_keyidx = -1; 837 838 /* 839 * Key selection 101 840 * 841 * There are four types of keys: 842 * - GTK (group keys) 843 * - IGTK (group keys for management frames) 844 * - PTK (pairwise keys) 845 * - STK (station-to-station pairwise keys) 846 * 847 * When selecting a key, we have to distinguish between multicast 848 * (including broadcast) and unicast frames, the latter can only 849 * use PTKs and STKs while the former always use GTKs and IGTKs. 850 * Unless, of course, actual WEP keys ("pre-RSNA") are used, then 851 * unicast frames can also use key indices like GTKs. Hence, if we 852 * don't have a PTK/STK we check the key index for a WEP key. 853 * 854 * Note that in a regular BSS, multicast frames are sent by the 855 * AP only, associated stations unicast the frame to the AP first 856 * which then multicasts it on their behalf. 857 * 858 * There is also a slight problem in IBSS mode: GTKs are negotiated 859 * with each station, that is something we don't currently handle. 860 * The spec seems to expect that one negotiates the same key with 861 * every station but there's no such requirement; VLANs could be 862 * possible. 863 */ 864 865 /* 866 * No point in finding a key and decrypting if the frame is neither 867 * addressed to us nor a multicast frame. 868 */ 869 if (!(rx->flags & IEEE80211_RX_RA_MATCH)) 870 return RX_CONTINUE; 871 872 /* start without a key */ 873 rx->key = NULL; 874 875 if (rx->sta) 876 stakey = rcu_dereference(rx->sta->key); 877 878 if (!ieee80211_has_protected(hdr->frame_control)) 879 mmie_keyidx = ieee80211_get_mmie_keyidx(rx->skb); 880 881 if (!is_multicast_ether_addr(hdr->addr1) && stakey) { 882 rx->key = stakey; 883 /* Skip decryption if the frame is not protected. */ 884 if (!ieee80211_has_protected(hdr->frame_control)) 885 return RX_CONTINUE; 886 } else if (mmie_keyidx >= 0) { 887 /* Broadcast/multicast robust management frame / BIP */ 888 if ((status->flag & RX_FLAG_DECRYPTED) && 889 (status->flag & RX_FLAG_IV_STRIPPED)) 890 return RX_CONTINUE; 891 892 if (mmie_keyidx < NUM_DEFAULT_KEYS || 893 mmie_keyidx >= NUM_DEFAULT_KEYS + NUM_DEFAULT_MGMT_KEYS) 894 return RX_DROP_MONITOR; /* unexpected BIP keyidx */ 895 rx->key = rcu_dereference(rx->sdata->keys[mmie_keyidx]); 896 } else if (!ieee80211_has_protected(hdr->frame_control)) { 897 /* 898 * The frame was not protected, so skip decryption. However, we 899 * need to set rx->key if there is a key that could have been 900 * used so that the frame may be dropped if encryption would 901 * have been expected. 902 */ 903 struct ieee80211_key *key = NULL; 904 if (ieee80211_is_mgmt(hdr->frame_control) && 905 is_multicast_ether_addr(hdr->addr1) && 906 (key = rcu_dereference(rx->sdata->default_mgmt_key))) 907 rx->key = key; 908 else if ((key = rcu_dereference(rx->sdata->default_key))) 909 rx->key = key; 910 return RX_CONTINUE; 911 } else { 912 /* 913 * The device doesn't give us the IV so we won't be 914 * able to look up the key. That's ok though, we 915 * don't need to decrypt the frame, we just won't 916 * be able to keep statistics accurate. 917 * Except for key threshold notifications, should 918 * we somehow allow the driver to tell us which key 919 * the hardware used if this flag is set? 920 */ 921 if ((status->flag & RX_FLAG_DECRYPTED) && 922 (status->flag & RX_FLAG_IV_STRIPPED)) 923 return RX_CONTINUE; 924 925 hdrlen = ieee80211_hdrlen(hdr->frame_control); 926 927 if (rx->skb->len < 8 + hdrlen) 928 return RX_DROP_UNUSABLE; /* TODO: count this? */ 929 930 /* 931 * no need to call ieee80211_wep_get_keyidx, 932 * it verifies a bunch of things we've done already 933 */ 934 keyidx = rx->skb->data[hdrlen + 3] >> 6; 935 936 rx->key = rcu_dereference(rx->sdata->keys[keyidx]); 937 938 /* 939 * RSNA-protected unicast frames should always be sent with 940 * pairwise or station-to-station keys, but for WEP we allow 941 * using a key index as well. 942 */ 943 if (rx->key && rx->key->conf.alg != ALG_WEP && 944 !is_multicast_ether_addr(hdr->addr1)) 945 rx->key = NULL; 946 } 947 948 if (rx->key) { 949 rx->key->tx_rx_count++; 950 /* TODO: add threshold stuff again */ 951 } else { 952 return RX_DROP_MONITOR; 953 } 954 955 /* Check for weak IVs if possible */ 956 if (rx->sta && rx->key->conf.alg == ALG_WEP && 957 ieee80211_is_data(hdr->frame_control) && 958 (!(status->flag & RX_FLAG_IV_STRIPPED) || 959 !(status->flag & RX_FLAG_DECRYPTED)) && 960 ieee80211_wep_is_weak_iv(rx->skb, rx->key)) 961 rx->sta->wep_weak_iv_count++; 962 963 switch (rx->key->conf.alg) { 964 case ALG_WEP: 965 result = ieee80211_crypto_wep_decrypt(rx); 966 break; 967 case ALG_TKIP: 968 result = ieee80211_crypto_tkip_decrypt(rx); 969 break; 970 case ALG_CCMP: 971 result = ieee80211_crypto_ccmp_decrypt(rx); 972 break; 973 case ALG_AES_CMAC: 974 result = ieee80211_crypto_aes_cmac_decrypt(rx); 975 break; 976 } 977 978 /* either the frame has been decrypted or will be dropped */ 979 status->flag |= RX_FLAG_DECRYPTED; 980 981 return result; 982 } 983 984 static ieee80211_rx_result debug_noinline 985 ieee80211_rx_h_check_more_data(struct ieee80211_rx_data *rx) 986 { 987 struct ieee80211_local *local; 988 struct ieee80211_hdr *hdr; 989 struct sk_buff *skb; 990 991 local = rx->local; 992 skb = rx->skb; 993 hdr = (struct ieee80211_hdr *) skb->data; 994 995 if (!local->pspolling) 996 return RX_CONTINUE; 997 998 if (!ieee80211_has_fromds(hdr->frame_control)) 999 /* this is not from AP */ 1000 return RX_CONTINUE; 1001 1002 if (!ieee80211_is_data(hdr->frame_control)) 1003 return RX_CONTINUE; 1004 1005 if (!ieee80211_has_moredata(hdr->frame_control)) { 1006 /* AP has no more frames buffered for us */ 1007 local->pspolling = false; 1008 return RX_CONTINUE; 1009 } 1010 1011 /* more data bit is set, let's request a new frame from the AP */ 1012 ieee80211_send_pspoll(local, rx->sdata); 1013 1014 return RX_CONTINUE; 1015 } 1016 1017 static void ap_sta_ps_start(struct sta_info *sta) 1018 { 1019 struct ieee80211_sub_if_data *sdata = sta->sdata; 1020 struct ieee80211_local *local = sdata->local; 1021 1022 atomic_inc(&sdata->bss->num_sta_ps); 1023 set_sta_flags(sta, WLAN_STA_PS_STA); 1024 drv_sta_notify(local, &sdata->vif, STA_NOTIFY_SLEEP, &sta->sta); 1025 #ifdef CONFIG_MAC80211_VERBOSE_PS_DEBUG 1026 printk(KERN_DEBUG "%s: STA %pM aid %d enters power save mode\n", 1027 sdata->dev->name, sta->sta.addr, sta->sta.aid); 1028 #endif /* CONFIG_MAC80211_VERBOSE_PS_DEBUG */ 1029 } 1030 1031 static void ap_sta_ps_end(struct sta_info *sta) 1032 { 1033 struct ieee80211_sub_if_data *sdata = sta->sdata; 1034 1035 atomic_dec(&sdata->bss->num_sta_ps); 1036 1037 clear_sta_flags(sta, WLAN_STA_PS_STA); 1038 1039 #ifdef CONFIG_MAC80211_VERBOSE_PS_DEBUG 1040 printk(KERN_DEBUG "%s: STA %pM aid %d exits power save mode\n", 1041 sdata->dev->name, sta->sta.addr, sta->sta.aid); 1042 #endif /* CONFIG_MAC80211_VERBOSE_PS_DEBUG */ 1043 1044 if (test_sta_flags(sta, WLAN_STA_PS_DRIVER)) { 1045 #ifdef CONFIG_MAC80211_VERBOSE_PS_DEBUG 1046 printk(KERN_DEBUG "%s: STA %pM aid %d driver-ps-blocked\n", 1047 sdata->dev->name, sta->sta.addr, sta->sta.aid); 1048 #endif /* CONFIG_MAC80211_VERBOSE_PS_DEBUG */ 1049 return; 1050 } 1051 1052 ieee80211_sta_ps_deliver_wakeup(sta); 1053 } 1054 1055 static ieee80211_rx_result debug_noinline 1056 ieee80211_rx_h_sta_process(struct ieee80211_rx_data *rx) 1057 { 1058 struct sta_info *sta = rx->sta; 1059 struct sk_buff *skb = rx->skb; 1060 struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(skb); 1061 struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)skb->data; 1062 1063 if (!sta) 1064 return RX_CONTINUE; 1065 1066 /* 1067 * Update last_rx only for IBSS packets which are for the current 1068 * BSSID to avoid keeping the current IBSS network alive in cases 1069 * where other STAs start using different BSSID. 1070 */ 1071 if (rx->sdata->vif.type == NL80211_IFTYPE_ADHOC) { 1072 u8 *bssid = ieee80211_get_bssid(hdr, rx->skb->len, 1073 NL80211_IFTYPE_ADHOC); 1074 if (compare_ether_addr(bssid, rx->sdata->u.ibss.bssid) == 0) 1075 sta->last_rx = jiffies; 1076 } else if (!is_multicast_ether_addr(hdr->addr1)) { 1077 /* 1078 * Mesh beacons will update last_rx when if they are found to 1079 * match the current local configuration when processed. 1080 */ 1081 sta->last_rx = jiffies; 1082 } 1083 1084 if (!(rx->flags & IEEE80211_RX_RA_MATCH)) 1085 return RX_CONTINUE; 1086 1087 if (rx->sdata->vif.type == NL80211_IFTYPE_STATION) 1088 ieee80211_sta_rx_notify(rx->sdata, hdr); 1089 1090 sta->rx_fragments++; 1091 sta->rx_bytes += rx->skb->len; 1092 sta->last_signal = status->signal; 1093 sta->last_noise = status->noise; 1094 1095 /* 1096 * Change STA power saving mode only at the end of a frame 1097 * exchange sequence. 1098 */ 1099 if (!ieee80211_has_morefrags(hdr->frame_control) && 1100 (rx->sdata->vif.type == NL80211_IFTYPE_AP || 1101 rx->sdata->vif.type == NL80211_IFTYPE_AP_VLAN)) { 1102 if (test_sta_flags(sta, WLAN_STA_PS_STA)) { 1103 /* 1104 * Ignore doze->wake transitions that are 1105 * indicated by non-data frames, the standard 1106 * is unclear here, but for example going to 1107 * PS mode and then scanning would cause a 1108 * doze->wake transition for the probe request, 1109 * and that is clearly undesirable. 1110 */ 1111 if (ieee80211_is_data(hdr->frame_control) && 1112 !ieee80211_has_pm(hdr->frame_control)) 1113 ap_sta_ps_end(sta); 1114 } else { 1115 if (ieee80211_has_pm(hdr->frame_control)) 1116 ap_sta_ps_start(sta); 1117 } 1118 } 1119 1120 /* 1121 * Drop (qos-)data::nullfunc frames silently, since they 1122 * are used only to control station power saving mode. 1123 */ 1124 if (ieee80211_is_nullfunc(hdr->frame_control) || 1125 ieee80211_is_qos_nullfunc(hdr->frame_control)) { 1126 I802_DEBUG_INC(rx->local->rx_handlers_drop_nullfunc); 1127 /* 1128 * Update counter and free packet here to avoid 1129 * counting this as a dropped packed. 1130 */ 1131 sta->rx_packets++; 1132 dev_kfree_skb(rx->skb); 1133 return RX_QUEUED; 1134 } 1135 1136 return RX_CONTINUE; 1137 } /* ieee80211_rx_h_sta_process */ 1138 1139 static inline struct ieee80211_fragment_entry * 1140 ieee80211_reassemble_add(struct ieee80211_sub_if_data *sdata, 1141 unsigned int frag, unsigned int seq, int rx_queue, 1142 struct sk_buff **skb) 1143 { 1144 struct ieee80211_fragment_entry *entry; 1145 int idx; 1146 1147 idx = sdata->fragment_next; 1148 entry = &sdata->fragments[sdata->fragment_next++]; 1149 if (sdata->fragment_next >= IEEE80211_FRAGMENT_MAX) 1150 sdata->fragment_next = 0; 1151 1152 if (!skb_queue_empty(&entry->skb_list)) { 1153 #ifdef CONFIG_MAC80211_VERBOSE_DEBUG 1154 struct ieee80211_hdr *hdr = 1155 (struct ieee80211_hdr *) entry->skb_list.next->data; 1156 printk(KERN_DEBUG "%s: RX reassembly removed oldest " 1157 "fragment entry (idx=%d age=%lu seq=%d last_frag=%d " 1158 "addr1=%pM addr2=%pM\n", 1159 sdata->dev->name, idx, 1160 jiffies - entry->first_frag_time, entry->seq, 1161 entry->last_frag, hdr->addr1, hdr->addr2); 1162 #endif 1163 __skb_queue_purge(&entry->skb_list); 1164 } 1165 1166 __skb_queue_tail(&entry->skb_list, *skb); /* no need for locking */ 1167 *skb = NULL; 1168 entry->first_frag_time = jiffies; 1169 entry->seq = seq; 1170 entry->rx_queue = rx_queue; 1171 entry->last_frag = frag; 1172 entry->ccmp = 0; 1173 entry->extra_len = 0; 1174 1175 return entry; 1176 } 1177 1178 static inline struct ieee80211_fragment_entry * 1179 ieee80211_reassemble_find(struct ieee80211_sub_if_data *sdata, 1180 unsigned int frag, unsigned int seq, 1181 int rx_queue, struct ieee80211_hdr *hdr) 1182 { 1183 struct ieee80211_fragment_entry *entry; 1184 int i, idx; 1185 1186 idx = sdata->fragment_next; 1187 for (i = 0; i < IEEE80211_FRAGMENT_MAX; i++) { 1188 struct ieee80211_hdr *f_hdr; 1189 1190 idx--; 1191 if (idx < 0) 1192 idx = IEEE80211_FRAGMENT_MAX - 1; 1193 1194 entry = &sdata->fragments[idx]; 1195 if (skb_queue_empty(&entry->skb_list) || entry->seq != seq || 1196 entry->rx_queue != rx_queue || 1197 entry->last_frag + 1 != frag) 1198 continue; 1199 1200 f_hdr = (struct ieee80211_hdr *)entry->skb_list.next->data; 1201 1202 /* 1203 * Check ftype and addresses are equal, else check next fragment 1204 */ 1205 if (((hdr->frame_control ^ f_hdr->frame_control) & 1206 cpu_to_le16(IEEE80211_FCTL_FTYPE)) || 1207 compare_ether_addr(hdr->addr1, f_hdr->addr1) != 0 || 1208 compare_ether_addr(hdr->addr2, f_hdr->addr2) != 0) 1209 continue; 1210 1211 if (time_after(jiffies, entry->first_frag_time + 2 * HZ)) { 1212 __skb_queue_purge(&entry->skb_list); 1213 continue; 1214 } 1215 return entry; 1216 } 1217 1218 return NULL; 1219 } 1220 1221 static ieee80211_rx_result debug_noinline 1222 ieee80211_rx_h_defragment(struct ieee80211_rx_data *rx) 1223 { 1224 struct ieee80211_hdr *hdr; 1225 u16 sc; 1226 __le16 fc; 1227 unsigned int frag, seq; 1228 struct ieee80211_fragment_entry *entry; 1229 struct sk_buff *skb; 1230 1231 hdr = (struct ieee80211_hdr *)rx->skb->data; 1232 fc = hdr->frame_control; 1233 sc = le16_to_cpu(hdr->seq_ctrl); 1234 frag = sc & IEEE80211_SCTL_FRAG; 1235 1236 if (likely((!ieee80211_has_morefrags(fc) && frag == 0) || 1237 (rx->skb)->len < 24 || 1238 is_multicast_ether_addr(hdr->addr1))) { 1239 /* not fragmented */ 1240 goto out; 1241 } 1242 I802_DEBUG_INC(rx->local->rx_handlers_fragments); 1243 1244 seq = (sc & IEEE80211_SCTL_SEQ) >> 4; 1245 1246 if (frag == 0) { 1247 /* This is the first fragment of a new frame. */ 1248 entry = ieee80211_reassemble_add(rx->sdata, frag, seq, 1249 rx->queue, &(rx->skb)); 1250 if (rx->key && rx->key->conf.alg == ALG_CCMP && 1251 ieee80211_has_protected(fc)) { 1252 /* Store CCMP PN so that we can verify that the next 1253 * fragment has a sequential PN value. */ 1254 entry->ccmp = 1; 1255 memcpy(entry->last_pn, 1256 rx->key->u.ccmp.rx_pn[rx->queue], 1257 CCMP_PN_LEN); 1258 } 1259 return RX_QUEUED; 1260 } 1261 1262 /* This is a fragment for a frame that should already be pending in 1263 * fragment cache. Add this fragment to the end of the pending entry. 1264 */ 1265 entry = ieee80211_reassemble_find(rx->sdata, frag, seq, rx->queue, hdr); 1266 if (!entry) { 1267 I802_DEBUG_INC(rx->local->rx_handlers_drop_defrag); 1268 return RX_DROP_MONITOR; 1269 } 1270 1271 /* Verify that MPDUs within one MSDU have sequential PN values. 1272 * (IEEE 802.11i, 8.3.3.4.5) */ 1273 if (entry->ccmp) { 1274 int i; 1275 u8 pn[CCMP_PN_LEN], *rpn; 1276 if (!rx->key || rx->key->conf.alg != ALG_CCMP) 1277 return RX_DROP_UNUSABLE; 1278 memcpy(pn, entry->last_pn, CCMP_PN_LEN); 1279 for (i = CCMP_PN_LEN - 1; i >= 0; i--) { 1280 pn[i]++; 1281 if (pn[i]) 1282 break; 1283 } 1284 rpn = rx->key->u.ccmp.rx_pn[rx->queue]; 1285 if (memcmp(pn, rpn, CCMP_PN_LEN)) 1286 return RX_DROP_UNUSABLE; 1287 memcpy(entry->last_pn, pn, CCMP_PN_LEN); 1288 } 1289 1290 skb_pull(rx->skb, ieee80211_hdrlen(fc)); 1291 __skb_queue_tail(&entry->skb_list, rx->skb); 1292 entry->last_frag = frag; 1293 entry->extra_len += rx->skb->len; 1294 if (ieee80211_has_morefrags(fc)) { 1295 rx->skb = NULL; 1296 return RX_QUEUED; 1297 } 1298 1299 rx->skb = __skb_dequeue(&entry->skb_list); 1300 if (skb_tailroom(rx->skb) < entry->extra_len) { 1301 I802_DEBUG_INC(rx->local->rx_expand_skb_head2); 1302 if (unlikely(pskb_expand_head(rx->skb, 0, entry->extra_len, 1303 GFP_ATOMIC))) { 1304 I802_DEBUG_INC(rx->local->rx_handlers_drop_defrag); 1305 __skb_queue_purge(&entry->skb_list); 1306 return RX_DROP_UNUSABLE; 1307 } 1308 } 1309 while ((skb = __skb_dequeue(&entry->skb_list))) { 1310 memcpy(skb_put(rx->skb, skb->len), skb->data, skb->len); 1311 dev_kfree_skb(skb); 1312 } 1313 1314 /* Complete frame has been reassembled - process it now */ 1315 rx->flags |= IEEE80211_RX_FRAGMENTED; 1316 1317 out: 1318 if (rx->sta) 1319 rx->sta->rx_packets++; 1320 if (is_multicast_ether_addr(hdr->addr1)) 1321 rx->local->dot11MulticastReceivedFrameCount++; 1322 else 1323 ieee80211_led_rx(rx->local); 1324 return RX_CONTINUE; 1325 } 1326 1327 static ieee80211_rx_result debug_noinline 1328 ieee80211_rx_h_ps_poll(struct ieee80211_rx_data *rx) 1329 { 1330 struct ieee80211_sub_if_data *sdata = rx->sdata; 1331 __le16 fc = ((struct ieee80211_hdr *)rx->skb->data)->frame_control; 1332 1333 if (likely(!rx->sta || !ieee80211_is_pspoll(fc) || 1334 !(rx->flags & IEEE80211_RX_RA_MATCH))) 1335 return RX_CONTINUE; 1336 1337 if ((sdata->vif.type != NL80211_IFTYPE_AP) && 1338 (sdata->vif.type != NL80211_IFTYPE_AP_VLAN)) 1339 return RX_DROP_UNUSABLE; 1340 1341 if (!test_sta_flags(rx->sta, WLAN_STA_PS_DRIVER)) 1342 ieee80211_sta_ps_deliver_poll_response(rx->sta); 1343 else 1344 set_sta_flags(rx->sta, WLAN_STA_PSPOLL); 1345 1346 /* Free PS Poll skb here instead of returning RX_DROP that would 1347 * count as an dropped frame. */ 1348 dev_kfree_skb(rx->skb); 1349 1350 return RX_QUEUED; 1351 } 1352 1353 static ieee80211_rx_result debug_noinline 1354 ieee80211_rx_h_remove_qos_control(struct ieee80211_rx_data *rx) 1355 { 1356 u8 *data = rx->skb->data; 1357 struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)data; 1358 1359 if (!ieee80211_is_data_qos(hdr->frame_control)) 1360 return RX_CONTINUE; 1361 1362 /* remove the qos control field, update frame type and meta-data */ 1363 memmove(data + IEEE80211_QOS_CTL_LEN, data, 1364 ieee80211_hdrlen(hdr->frame_control) - IEEE80211_QOS_CTL_LEN); 1365 hdr = (struct ieee80211_hdr *)skb_pull(rx->skb, IEEE80211_QOS_CTL_LEN); 1366 /* change frame type to non QOS */ 1367 hdr->frame_control &= ~cpu_to_le16(IEEE80211_STYPE_QOS_DATA); 1368 1369 return RX_CONTINUE; 1370 } 1371 1372 static int 1373 ieee80211_802_1x_port_control(struct ieee80211_rx_data *rx) 1374 { 1375 if (unlikely(!rx->sta || 1376 !test_sta_flags(rx->sta, WLAN_STA_AUTHORIZED))) 1377 return -EACCES; 1378 1379 return 0; 1380 } 1381 1382 static int 1383 ieee80211_drop_unencrypted(struct ieee80211_rx_data *rx, __le16 fc) 1384 { 1385 struct sk_buff *skb = rx->skb; 1386 struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(skb); 1387 1388 /* 1389 * Pass through unencrypted frames if the hardware has 1390 * decrypted them already. 1391 */ 1392 if (status->flag & RX_FLAG_DECRYPTED) 1393 return 0; 1394 1395 /* Drop unencrypted frames if key is set. */ 1396 if (unlikely(!ieee80211_has_protected(fc) && 1397 !ieee80211_is_nullfunc(fc) && 1398 ieee80211_is_data(fc) && 1399 (rx->key || rx->sdata->drop_unencrypted))) 1400 return -EACCES; 1401 if (rx->sta && test_sta_flags(rx->sta, WLAN_STA_MFP)) { 1402 if (unlikely(ieee80211_is_unicast_robust_mgmt_frame(rx->skb) && 1403 rx->key)) 1404 return -EACCES; 1405 /* BIP does not use Protected field, so need to check MMIE */ 1406 if (unlikely(ieee80211_is_multicast_robust_mgmt_frame(rx->skb) && 1407 ieee80211_get_mmie_keyidx(rx->skb) < 0 && 1408 rx->key)) 1409 return -EACCES; 1410 /* 1411 * When using MFP, Action frames are not allowed prior to 1412 * having configured keys. 1413 */ 1414 if (unlikely(ieee80211_is_action(fc) && !rx->key && 1415 ieee80211_is_robust_mgmt_frame( 1416 (struct ieee80211_hdr *) rx->skb->data))) 1417 return -EACCES; 1418 } 1419 1420 return 0; 1421 } 1422 1423 static int 1424 __ieee80211_data_to_8023(struct ieee80211_rx_data *rx) 1425 { 1426 struct ieee80211_sub_if_data *sdata = rx->sdata; 1427 struct net_device *dev = sdata->dev; 1428 struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)rx->skb->data; 1429 1430 if (ieee80211_has_a4(hdr->frame_control) && 1431 sdata->vif.type == NL80211_IFTYPE_AP_VLAN && !sdata->u.vlan.sta) 1432 return -1; 1433 1434 if (is_multicast_ether_addr(hdr->addr1) && 1435 ((sdata->vif.type == NL80211_IFTYPE_AP_VLAN && sdata->u.vlan.sta) || 1436 (sdata->vif.type == NL80211_IFTYPE_STATION && sdata->u.mgd.use_4addr))) 1437 return -1; 1438 1439 return ieee80211_data_to_8023(rx->skb, dev->dev_addr, sdata->vif.type); 1440 } 1441 1442 /* 1443 * requires that rx->skb is a frame with ethernet header 1444 */ 1445 static bool ieee80211_frame_allowed(struct ieee80211_rx_data *rx, __le16 fc) 1446 { 1447 static const u8 pae_group_addr[ETH_ALEN] __aligned(2) 1448 = { 0x01, 0x80, 0xC2, 0x00, 0x00, 0x03 }; 1449 struct ethhdr *ehdr = (struct ethhdr *) rx->skb->data; 1450 1451 /* 1452 * Allow EAPOL frames to us/the PAE group address regardless 1453 * of whether the frame was encrypted or not. 1454 */ 1455 if (ehdr->h_proto == htons(ETH_P_PAE) && 1456 (compare_ether_addr(ehdr->h_dest, rx->sdata->dev->dev_addr) == 0 || 1457 compare_ether_addr(ehdr->h_dest, pae_group_addr) == 0)) 1458 return true; 1459 1460 if (ieee80211_802_1x_port_control(rx) || 1461 ieee80211_drop_unencrypted(rx, fc)) 1462 return false; 1463 1464 return true; 1465 } 1466 1467 /* 1468 * requires that rx->skb is a frame with ethernet header 1469 */ 1470 static void 1471 ieee80211_deliver_skb(struct ieee80211_rx_data *rx) 1472 { 1473 struct ieee80211_sub_if_data *sdata = rx->sdata; 1474 struct net_device *dev = sdata->dev; 1475 struct ieee80211_local *local = rx->local; 1476 struct sk_buff *skb, *xmit_skb; 1477 struct ethhdr *ehdr = (struct ethhdr *) rx->skb->data; 1478 struct sta_info *dsta; 1479 1480 skb = rx->skb; 1481 xmit_skb = NULL; 1482 1483 if ((sdata->vif.type == NL80211_IFTYPE_AP || 1484 sdata->vif.type == NL80211_IFTYPE_AP_VLAN) && 1485 !(sdata->flags & IEEE80211_SDATA_DONT_BRIDGE_PACKETS) && 1486 (rx->flags & IEEE80211_RX_RA_MATCH) && 1487 (sdata->vif.type != NL80211_IFTYPE_AP_VLAN || !sdata->u.vlan.sta)) { 1488 if (is_multicast_ether_addr(ehdr->h_dest)) { 1489 /* 1490 * send multicast frames both to higher layers in 1491 * local net stack and back to the wireless medium 1492 */ 1493 xmit_skb = skb_copy(skb, GFP_ATOMIC); 1494 if (!xmit_skb && net_ratelimit()) 1495 printk(KERN_DEBUG "%s: failed to clone " 1496 "multicast frame\n", dev->name); 1497 } else { 1498 dsta = sta_info_get(local, skb->data); 1499 if (dsta && dsta->sdata->dev == dev) { 1500 /* 1501 * The destination station is associated to 1502 * this AP (in this VLAN), so send the frame 1503 * directly to it and do not pass it to local 1504 * net stack. 1505 */ 1506 xmit_skb = skb; 1507 skb = NULL; 1508 } 1509 } 1510 } 1511 1512 if (skb) { 1513 int align __maybe_unused; 1514 1515 #if defined(CONFIG_MAC80211_DEBUG_PACKET_ALIGNMENT) || !defined(CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS) 1516 /* 1517 * 'align' will only take the values 0 or 2 here 1518 * since all frames are required to be aligned 1519 * to 2-byte boundaries when being passed to 1520 * mac80211. That also explains the __skb_push() 1521 * below. 1522 */ 1523 align = ((unsigned long)(skb->data + sizeof(struct ethhdr))) & 3; 1524 if (align) { 1525 if (WARN_ON(skb_headroom(skb) < 3)) { 1526 dev_kfree_skb(skb); 1527 skb = NULL; 1528 } else { 1529 u8 *data = skb->data; 1530 size_t len = skb_headlen(skb); 1531 skb->data -= align; 1532 memmove(skb->data, data, len); 1533 skb_set_tail_pointer(skb, len); 1534 } 1535 } 1536 #endif 1537 1538 if (skb) { 1539 /* deliver to local stack */ 1540 skb->protocol = eth_type_trans(skb, dev); 1541 memset(skb->cb, 0, sizeof(skb->cb)); 1542 netif_rx(skb); 1543 } 1544 } 1545 1546 if (xmit_skb) { 1547 /* send to wireless media */ 1548 xmit_skb->protocol = htons(ETH_P_802_3); 1549 skb_reset_network_header(xmit_skb); 1550 skb_reset_mac_header(xmit_skb); 1551 dev_queue_xmit(xmit_skb); 1552 } 1553 } 1554 1555 static ieee80211_rx_result debug_noinline 1556 ieee80211_rx_h_amsdu(struct ieee80211_rx_data *rx) 1557 { 1558 struct net_device *dev = rx->sdata->dev; 1559 struct ieee80211_local *local = rx->local; 1560 u16 ethertype; 1561 u8 *payload; 1562 struct sk_buff *skb = rx->skb, *frame = NULL; 1563 struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)skb->data; 1564 __le16 fc = hdr->frame_control; 1565 const struct ethhdr *eth; 1566 int remaining, err; 1567 u8 dst[ETH_ALEN]; 1568 u8 src[ETH_ALEN]; 1569 1570 if (unlikely(!ieee80211_is_data(fc))) 1571 return RX_CONTINUE; 1572 1573 if (unlikely(!ieee80211_is_data_present(fc))) 1574 return RX_DROP_MONITOR; 1575 1576 if (!(rx->flags & IEEE80211_RX_AMSDU)) 1577 return RX_CONTINUE; 1578 1579 err = __ieee80211_data_to_8023(rx); 1580 if (unlikely(err)) 1581 return RX_DROP_UNUSABLE; 1582 1583 skb->dev = dev; 1584 1585 dev->stats.rx_packets++; 1586 dev->stats.rx_bytes += skb->len; 1587 1588 /* skip the wrapping header */ 1589 eth = (struct ethhdr *) skb_pull(skb, sizeof(struct ethhdr)); 1590 if (!eth) 1591 return RX_DROP_UNUSABLE; 1592 1593 while (skb != frame) { 1594 u8 padding; 1595 __be16 len = eth->h_proto; 1596 unsigned int subframe_len = sizeof(struct ethhdr) + ntohs(len); 1597 1598 remaining = skb->len; 1599 memcpy(dst, eth->h_dest, ETH_ALEN); 1600 memcpy(src, eth->h_source, ETH_ALEN); 1601 1602 padding = ((4 - subframe_len) & 0x3); 1603 /* the last MSDU has no padding */ 1604 if (subframe_len > remaining) 1605 return RX_DROP_UNUSABLE; 1606 1607 skb_pull(skb, sizeof(struct ethhdr)); 1608 /* if last subframe reuse skb */ 1609 if (remaining <= subframe_len + padding) 1610 frame = skb; 1611 else { 1612 /* 1613 * Allocate and reserve two bytes more for payload 1614 * alignment since sizeof(struct ethhdr) is 14. 1615 */ 1616 frame = dev_alloc_skb( 1617 ALIGN(local->hw.extra_tx_headroom, 4) + 1618 subframe_len + 2); 1619 1620 if (frame == NULL) 1621 return RX_DROP_UNUSABLE; 1622 1623 skb_reserve(frame, 1624 ALIGN(local->hw.extra_tx_headroom, 4) + 1625 sizeof(struct ethhdr) + 2); 1626 memcpy(skb_put(frame, ntohs(len)), skb->data, 1627 ntohs(len)); 1628 1629 eth = (struct ethhdr *) skb_pull(skb, ntohs(len) + 1630 padding); 1631 if (!eth) { 1632 dev_kfree_skb(frame); 1633 return RX_DROP_UNUSABLE; 1634 } 1635 } 1636 1637 skb_reset_network_header(frame); 1638 frame->dev = dev; 1639 frame->priority = skb->priority; 1640 rx->skb = frame; 1641 1642 payload = frame->data; 1643 ethertype = (payload[6] << 8) | payload[7]; 1644 1645 if (likely((compare_ether_addr(payload, rfc1042_header) == 0 && 1646 ethertype != ETH_P_AARP && ethertype != ETH_P_IPX) || 1647 compare_ether_addr(payload, 1648 bridge_tunnel_header) == 0)) { 1649 /* remove RFC1042 or Bridge-Tunnel 1650 * encapsulation and replace EtherType */ 1651 skb_pull(frame, 6); 1652 memcpy(skb_push(frame, ETH_ALEN), src, ETH_ALEN); 1653 memcpy(skb_push(frame, ETH_ALEN), dst, ETH_ALEN); 1654 } else { 1655 memcpy(skb_push(frame, sizeof(__be16)), 1656 &len, sizeof(__be16)); 1657 memcpy(skb_push(frame, ETH_ALEN), src, ETH_ALEN); 1658 memcpy(skb_push(frame, ETH_ALEN), dst, ETH_ALEN); 1659 } 1660 1661 if (!ieee80211_frame_allowed(rx, fc)) { 1662 if (skb == frame) /* last frame */ 1663 return RX_DROP_UNUSABLE; 1664 dev_kfree_skb(frame); 1665 continue; 1666 } 1667 1668 ieee80211_deliver_skb(rx); 1669 } 1670 1671 return RX_QUEUED; 1672 } 1673 1674 #ifdef CONFIG_MAC80211_MESH 1675 static ieee80211_rx_result 1676 ieee80211_rx_h_mesh_fwding(struct ieee80211_rx_data *rx) 1677 { 1678 struct ieee80211_hdr *hdr; 1679 struct ieee80211s_hdr *mesh_hdr; 1680 unsigned int hdrlen; 1681 struct sk_buff *skb = rx->skb, *fwd_skb; 1682 struct ieee80211_local *local = rx->local; 1683 struct ieee80211_sub_if_data *sdata = rx->sdata; 1684 1685 hdr = (struct ieee80211_hdr *) skb->data; 1686 hdrlen = ieee80211_hdrlen(hdr->frame_control); 1687 mesh_hdr = (struct ieee80211s_hdr *) (skb->data + hdrlen); 1688 1689 if (!ieee80211_is_data(hdr->frame_control)) 1690 return RX_CONTINUE; 1691 1692 if (!mesh_hdr->ttl) 1693 /* illegal frame */ 1694 return RX_DROP_MONITOR; 1695 1696 if (mesh_hdr->flags & MESH_FLAGS_AE) { 1697 struct mesh_path *mppath; 1698 char *proxied_addr; 1699 char *mpp_addr; 1700 1701 if (is_multicast_ether_addr(hdr->addr1)) { 1702 mpp_addr = hdr->addr3; 1703 proxied_addr = mesh_hdr->eaddr1; 1704 } else { 1705 mpp_addr = hdr->addr4; 1706 proxied_addr = mesh_hdr->eaddr2; 1707 } 1708 1709 rcu_read_lock(); 1710 mppath = mpp_path_lookup(proxied_addr, sdata); 1711 if (!mppath) { 1712 mpp_path_add(proxied_addr, mpp_addr, sdata); 1713 } else { 1714 spin_lock_bh(&mppath->state_lock); 1715 if (compare_ether_addr(mppath->mpp, mpp_addr) != 0) 1716 memcpy(mppath->mpp, mpp_addr, ETH_ALEN); 1717 spin_unlock_bh(&mppath->state_lock); 1718 } 1719 rcu_read_unlock(); 1720 } 1721 1722 /* Frame has reached destination. Don't forward */ 1723 if (!is_multicast_ether_addr(hdr->addr1) && 1724 compare_ether_addr(sdata->dev->dev_addr, hdr->addr3) == 0) 1725 return RX_CONTINUE; 1726 1727 mesh_hdr->ttl--; 1728 1729 if (rx->flags & IEEE80211_RX_RA_MATCH) { 1730 if (!mesh_hdr->ttl) 1731 IEEE80211_IFSTA_MESH_CTR_INC(&rx->sdata->u.mesh, 1732 dropped_frames_ttl); 1733 else { 1734 struct ieee80211_hdr *fwd_hdr; 1735 struct ieee80211_tx_info *info; 1736 1737 fwd_skb = skb_copy(skb, GFP_ATOMIC); 1738 1739 if (!fwd_skb && net_ratelimit()) 1740 printk(KERN_DEBUG "%s: failed to clone mesh frame\n", 1741 sdata->dev->name); 1742 1743 fwd_hdr = (struct ieee80211_hdr *) fwd_skb->data; 1744 memcpy(fwd_hdr->addr2, sdata->dev->dev_addr, ETH_ALEN); 1745 info = IEEE80211_SKB_CB(fwd_skb); 1746 memset(info, 0, sizeof(*info)); 1747 info->flags |= IEEE80211_TX_INTFL_NEED_TXPROCESSING; 1748 info->control.vif = &rx->sdata->vif; 1749 skb_set_queue_mapping(skb, 1750 ieee80211_select_queue(rx->sdata, fwd_skb)); 1751 ieee80211_set_qos_hdr(local, skb); 1752 if (is_multicast_ether_addr(fwd_hdr->addr1)) 1753 IEEE80211_IFSTA_MESH_CTR_INC(&sdata->u.mesh, 1754 fwded_mcast); 1755 else { 1756 int err; 1757 /* 1758 * Save TA to addr1 to send TA a path error if a 1759 * suitable next hop is not found 1760 */ 1761 memcpy(fwd_hdr->addr1, fwd_hdr->addr2, 1762 ETH_ALEN); 1763 err = mesh_nexthop_lookup(fwd_skb, sdata); 1764 /* Failed to immediately resolve next hop: 1765 * fwded frame was dropped or will be added 1766 * later to the pending skb queue. */ 1767 if (err) 1768 return RX_DROP_MONITOR; 1769 1770 IEEE80211_IFSTA_MESH_CTR_INC(&sdata->u.mesh, 1771 fwded_unicast); 1772 } 1773 IEEE80211_IFSTA_MESH_CTR_INC(&sdata->u.mesh, 1774 fwded_frames); 1775 ieee80211_add_pending_skb(local, fwd_skb); 1776 } 1777 } 1778 1779 if (is_multicast_ether_addr(hdr->addr1) || 1780 sdata->dev->flags & IFF_PROMISC) 1781 return RX_CONTINUE; 1782 else 1783 return RX_DROP_MONITOR; 1784 } 1785 #endif 1786 1787 static ieee80211_rx_result debug_noinline 1788 ieee80211_rx_h_data(struct ieee80211_rx_data *rx) 1789 { 1790 struct ieee80211_sub_if_data *sdata = rx->sdata; 1791 struct net_device *dev = sdata->dev; 1792 struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)rx->skb->data; 1793 __le16 fc = hdr->frame_control; 1794 int err; 1795 1796 if (unlikely(!ieee80211_is_data(hdr->frame_control))) 1797 return RX_CONTINUE; 1798 1799 if (unlikely(!ieee80211_is_data_present(hdr->frame_control))) 1800 return RX_DROP_MONITOR; 1801 1802 /* 1803 * Allow the cooked monitor interface of an AP to see 4-addr frames so 1804 * that a 4-addr station can be detected and moved into a separate VLAN 1805 */ 1806 if (ieee80211_has_a4(hdr->frame_control) && 1807 sdata->vif.type == NL80211_IFTYPE_AP) 1808 return RX_DROP_MONITOR; 1809 1810 err = __ieee80211_data_to_8023(rx); 1811 if (unlikely(err)) 1812 return RX_DROP_UNUSABLE; 1813 1814 if (!ieee80211_frame_allowed(rx, fc)) 1815 return RX_DROP_MONITOR; 1816 1817 rx->skb->dev = dev; 1818 1819 dev->stats.rx_packets++; 1820 dev->stats.rx_bytes += rx->skb->len; 1821 1822 ieee80211_deliver_skb(rx); 1823 1824 return RX_QUEUED; 1825 } 1826 1827 static ieee80211_rx_result debug_noinline 1828 ieee80211_rx_h_ctrl(struct ieee80211_rx_data *rx, struct sk_buff_head *frames) 1829 { 1830 struct ieee80211_local *local = rx->local; 1831 struct ieee80211_hw *hw = &local->hw; 1832 struct sk_buff *skb = rx->skb; 1833 struct ieee80211_bar *bar = (struct ieee80211_bar *)skb->data; 1834 struct tid_ampdu_rx *tid_agg_rx; 1835 u16 start_seq_num; 1836 u16 tid; 1837 1838 if (likely(!ieee80211_is_ctl(bar->frame_control))) 1839 return RX_CONTINUE; 1840 1841 if (ieee80211_is_back_req(bar->frame_control)) { 1842 if (!rx->sta) 1843 return RX_DROP_MONITOR; 1844 tid = le16_to_cpu(bar->control) >> 12; 1845 if (rx->sta->ampdu_mlme.tid_state_rx[tid] 1846 != HT_AGG_STATE_OPERATIONAL) 1847 return RX_DROP_MONITOR; 1848 tid_agg_rx = rx->sta->ampdu_mlme.tid_rx[tid]; 1849 1850 start_seq_num = le16_to_cpu(bar->start_seq_num) >> 4; 1851 1852 /* reset session timer */ 1853 if (tid_agg_rx->timeout) 1854 mod_timer(&tid_agg_rx->session_timer, 1855 TU_TO_EXP_TIME(tid_agg_rx->timeout)); 1856 1857 /* release stored frames up to start of BAR */ 1858 ieee80211_release_reorder_frames(hw, tid_agg_rx, start_seq_num, 1859 frames); 1860 kfree_skb(skb); 1861 return RX_QUEUED; 1862 } 1863 1864 return RX_CONTINUE; 1865 } 1866 1867 static void ieee80211_process_sa_query_req(struct ieee80211_sub_if_data *sdata, 1868 struct ieee80211_mgmt *mgmt, 1869 size_t len) 1870 { 1871 struct ieee80211_local *local = sdata->local; 1872 struct sk_buff *skb; 1873 struct ieee80211_mgmt *resp; 1874 1875 if (compare_ether_addr(mgmt->da, sdata->dev->dev_addr) != 0) { 1876 /* Not to own unicast address */ 1877 return; 1878 } 1879 1880 if (compare_ether_addr(mgmt->sa, sdata->u.mgd.bssid) != 0 || 1881 compare_ether_addr(mgmt->bssid, sdata->u.mgd.bssid) != 0) { 1882 /* Not from the current AP or not associated yet. */ 1883 return; 1884 } 1885 1886 if (len < 24 + 1 + sizeof(resp->u.action.u.sa_query)) { 1887 /* Too short SA Query request frame */ 1888 return; 1889 } 1890 1891 skb = dev_alloc_skb(sizeof(*resp) + local->hw.extra_tx_headroom); 1892 if (skb == NULL) 1893 return; 1894 1895 skb_reserve(skb, local->hw.extra_tx_headroom); 1896 resp = (struct ieee80211_mgmt *) skb_put(skb, 24); 1897 memset(resp, 0, 24); 1898 memcpy(resp->da, mgmt->sa, ETH_ALEN); 1899 memcpy(resp->sa, sdata->dev->dev_addr, ETH_ALEN); 1900 memcpy(resp->bssid, sdata->u.mgd.bssid, ETH_ALEN); 1901 resp->frame_control = cpu_to_le16(IEEE80211_FTYPE_MGMT | 1902 IEEE80211_STYPE_ACTION); 1903 skb_put(skb, 1 + sizeof(resp->u.action.u.sa_query)); 1904 resp->u.action.category = WLAN_CATEGORY_SA_QUERY; 1905 resp->u.action.u.sa_query.action = WLAN_ACTION_SA_QUERY_RESPONSE; 1906 memcpy(resp->u.action.u.sa_query.trans_id, 1907 mgmt->u.action.u.sa_query.trans_id, 1908 WLAN_SA_QUERY_TR_ID_LEN); 1909 1910 ieee80211_tx_skb(sdata, skb); 1911 } 1912 1913 static ieee80211_rx_result debug_noinline 1914 ieee80211_rx_h_action(struct ieee80211_rx_data *rx) 1915 { 1916 struct ieee80211_local *local = rx->local; 1917 struct ieee80211_sub_if_data *sdata = rx->sdata; 1918 struct ieee80211_mgmt *mgmt = (struct ieee80211_mgmt *) rx->skb->data; 1919 int len = rx->skb->len; 1920 1921 if (!ieee80211_is_action(mgmt->frame_control)) 1922 return RX_CONTINUE; 1923 1924 if (!rx->sta) 1925 return RX_DROP_MONITOR; 1926 1927 if (!(rx->flags & IEEE80211_RX_RA_MATCH)) 1928 return RX_DROP_MONITOR; 1929 1930 if (ieee80211_drop_unencrypted(rx, mgmt->frame_control)) 1931 return RX_DROP_MONITOR; 1932 1933 /* all categories we currently handle have action_code */ 1934 if (len < IEEE80211_MIN_ACTION_SIZE + 1) 1935 return RX_DROP_MONITOR; 1936 1937 switch (mgmt->u.action.category) { 1938 case WLAN_CATEGORY_BACK: 1939 /* 1940 * The aggregation code is not prepared to handle 1941 * anything but STA/AP due to the BSSID handling; 1942 * IBSS could work in the code but isn't supported 1943 * by drivers or the standard. 1944 */ 1945 if (sdata->vif.type != NL80211_IFTYPE_STATION && 1946 sdata->vif.type != NL80211_IFTYPE_AP_VLAN && 1947 sdata->vif.type != NL80211_IFTYPE_AP) 1948 return RX_DROP_MONITOR; 1949 1950 switch (mgmt->u.action.u.addba_req.action_code) { 1951 case WLAN_ACTION_ADDBA_REQ: 1952 if (len < (IEEE80211_MIN_ACTION_SIZE + 1953 sizeof(mgmt->u.action.u.addba_req))) 1954 return RX_DROP_MONITOR; 1955 ieee80211_process_addba_request(local, rx->sta, mgmt, len); 1956 break; 1957 case WLAN_ACTION_ADDBA_RESP: 1958 if (len < (IEEE80211_MIN_ACTION_SIZE + 1959 sizeof(mgmt->u.action.u.addba_resp))) 1960 return RX_DROP_MONITOR; 1961 ieee80211_process_addba_resp(local, rx->sta, mgmt, len); 1962 break; 1963 case WLAN_ACTION_DELBA: 1964 if (len < (IEEE80211_MIN_ACTION_SIZE + 1965 sizeof(mgmt->u.action.u.delba))) 1966 return RX_DROP_MONITOR; 1967 ieee80211_process_delba(sdata, rx->sta, mgmt, len); 1968 break; 1969 } 1970 break; 1971 case WLAN_CATEGORY_SPECTRUM_MGMT: 1972 if (local->hw.conf.channel->band != IEEE80211_BAND_5GHZ) 1973 return RX_DROP_MONITOR; 1974 1975 if (sdata->vif.type != NL80211_IFTYPE_STATION) 1976 return RX_DROP_MONITOR; 1977 1978 switch (mgmt->u.action.u.measurement.action_code) { 1979 case WLAN_ACTION_SPCT_MSR_REQ: 1980 if (len < (IEEE80211_MIN_ACTION_SIZE + 1981 sizeof(mgmt->u.action.u.measurement))) 1982 return RX_DROP_MONITOR; 1983 ieee80211_process_measurement_req(sdata, mgmt, len); 1984 break; 1985 case WLAN_ACTION_SPCT_CHL_SWITCH: 1986 if (len < (IEEE80211_MIN_ACTION_SIZE + 1987 sizeof(mgmt->u.action.u.chan_switch))) 1988 return RX_DROP_MONITOR; 1989 1990 if (sdata->vif.type != NL80211_IFTYPE_STATION) 1991 return RX_DROP_MONITOR; 1992 1993 if (memcmp(mgmt->bssid, sdata->u.mgd.bssid, ETH_ALEN)) 1994 return RX_DROP_MONITOR; 1995 1996 return ieee80211_sta_rx_mgmt(sdata, rx->skb); 1997 } 1998 break; 1999 case WLAN_CATEGORY_SA_QUERY: 2000 if (len < (IEEE80211_MIN_ACTION_SIZE + 2001 sizeof(mgmt->u.action.u.sa_query))) 2002 return RX_DROP_MONITOR; 2003 switch (mgmt->u.action.u.sa_query.action) { 2004 case WLAN_ACTION_SA_QUERY_REQUEST: 2005 if (sdata->vif.type != NL80211_IFTYPE_STATION) 2006 return RX_DROP_MONITOR; 2007 ieee80211_process_sa_query_req(sdata, mgmt, len); 2008 break; 2009 case WLAN_ACTION_SA_QUERY_RESPONSE: 2010 /* 2011 * SA Query response is currently only used in AP mode 2012 * and it is processed in user space. 2013 */ 2014 return RX_CONTINUE; 2015 } 2016 break; 2017 default: 2018 /* do not process rejected action frames */ 2019 if (mgmt->u.action.category & 0x80) 2020 return RX_DROP_MONITOR; 2021 2022 return RX_CONTINUE; 2023 } 2024 2025 rx->sta->rx_packets++; 2026 dev_kfree_skb(rx->skb); 2027 return RX_QUEUED; 2028 } 2029 2030 static ieee80211_rx_result debug_noinline 2031 ieee80211_rx_h_mgmt(struct ieee80211_rx_data *rx) 2032 { 2033 struct ieee80211_sub_if_data *sdata = rx->sdata; 2034 struct ieee80211_mgmt *mgmt = (struct ieee80211_mgmt *) rx->skb->data; 2035 2036 if (!(rx->flags & IEEE80211_RX_RA_MATCH)) 2037 return RX_DROP_MONITOR; 2038 2039 if (ieee80211_drop_unencrypted(rx, mgmt->frame_control)) 2040 return RX_DROP_MONITOR; 2041 2042 if (ieee80211_vif_is_mesh(&sdata->vif)) 2043 return ieee80211_mesh_rx_mgmt(sdata, rx->skb); 2044 2045 if (sdata->vif.type == NL80211_IFTYPE_ADHOC) 2046 return ieee80211_ibss_rx_mgmt(sdata, rx->skb); 2047 2048 if (sdata->vif.type == NL80211_IFTYPE_STATION) 2049 return ieee80211_sta_rx_mgmt(sdata, rx->skb); 2050 2051 return RX_DROP_MONITOR; 2052 } 2053 2054 static void ieee80211_rx_michael_mic_report(struct ieee80211_hdr *hdr, 2055 struct ieee80211_rx_data *rx) 2056 { 2057 int keyidx; 2058 unsigned int hdrlen; 2059 2060 hdrlen = ieee80211_hdrlen(hdr->frame_control); 2061 if (rx->skb->len >= hdrlen + 4) 2062 keyidx = rx->skb->data[hdrlen + 3] >> 6; 2063 else 2064 keyidx = -1; 2065 2066 if (!rx->sta) { 2067 /* 2068 * Some hardware seem to generate incorrect Michael MIC 2069 * reports; ignore them to avoid triggering countermeasures. 2070 */ 2071 return; 2072 } 2073 2074 if (!ieee80211_has_protected(hdr->frame_control)) 2075 return; 2076 2077 if (rx->sdata->vif.type == NL80211_IFTYPE_AP && keyidx) { 2078 /* 2079 * APs with pairwise keys should never receive Michael MIC 2080 * errors for non-zero keyidx because these are reserved for 2081 * group keys and only the AP is sending real multicast 2082 * frames in the BSS. 2083 */ 2084 return; 2085 } 2086 2087 if (!ieee80211_is_data(hdr->frame_control) && 2088 !ieee80211_is_auth(hdr->frame_control)) 2089 return; 2090 2091 mac80211_ev_michael_mic_failure(rx->sdata, keyidx, hdr, NULL, 2092 GFP_ATOMIC); 2093 } 2094 2095 /* TODO: use IEEE80211_RX_FRAGMENTED */ 2096 static void ieee80211_rx_cooked_monitor(struct ieee80211_rx_data *rx, 2097 struct ieee80211_rate *rate) 2098 { 2099 struct ieee80211_sub_if_data *sdata; 2100 struct ieee80211_local *local = rx->local; 2101 struct ieee80211_rtap_hdr { 2102 struct ieee80211_radiotap_header hdr; 2103 u8 flags; 2104 u8 rate_or_pad; 2105 __le16 chan_freq; 2106 __le16 chan_flags; 2107 } __attribute__ ((packed)) *rthdr; 2108 struct sk_buff *skb = rx->skb, *skb2; 2109 struct net_device *prev_dev = NULL; 2110 struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(skb); 2111 2112 if (status->flag & RX_FLAG_INTERNAL_CMTR) 2113 goto out_free_skb; 2114 2115 if (skb_headroom(skb) < sizeof(*rthdr) && 2116 pskb_expand_head(skb, sizeof(*rthdr), 0, GFP_ATOMIC)) 2117 goto out_free_skb; 2118 2119 rthdr = (void *)skb_push(skb, sizeof(*rthdr)); 2120 memset(rthdr, 0, sizeof(*rthdr)); 2121 rthdr->hdr.it_len = cpu_to_le16(sizeof(*rthdr)); 2122 rthdr->hdr.it_present = 2123 cpu_to_le32((1 << IEEE80211_RADIOTAP_FLAGS) | 2124 (1 << IEEE80211_RADIOTAP_CHANNEL)); 2125 2126 if (rate) { 2127 rthdr->rate_or_pad = rate->bitrate / 5; 2128 rthdr->hdr.it_present |= 2129 cpu_to_le32(1 << IEEE80211_RADIOTAP_RATE); 2130 } 2131 rthdr->chan_freq = cpu_to_le16(status->freq); 2132 2133 if (status->band == IEEE80211_BAND_5GHZ) 2134 rthdr->chan_flags = cpu_to_le16(IEEE80211_CHAN_OFDM | 2135 IEEE80211_CHAN_5GHZ); 2136 else 2137 rthdr->chan_flags = cpu_to_le16(IEEE80211_CHAN_DYN | 2138 IEEE80211_CHAN_2GHZ); 2139 2140 skb_set_mac_header(skb, 0); 2141 skb->ip_summed = CHECKSUM_UNNECESSARY; 2142 skb->pkt_type = PACKET_OTHERHOST; 2143 skb->protocol = htons(ETH_P_802_2); 2144 2145 list_for_each_entry_rcu(sdata, &local->interfaces, list) { 2146 if (!netif_running(sdata->dev)) 2147 continue; 2148 2149 if (sdata->vif.type != NL80211_IFTYPE_MONITOR || 2150 !(sdata->u.mntr_flags & MONITOR_FLAG_COOK_FRAMES)) 2151 continue; 2152 2153 if (prev_dev) { 2154 skb2 = skb_clone(skb, GFP_ATOMIC); 2155 if (skb2) { 2156 skb2->dev = prev_dev; 2157 netif_rx(skb2); 2158 } 2159 } 2160 2161 prev_dev = sdata->dev; 2162 sdata->dev->stats.rx_packets++; 2163 sdata->dev->stats.rx_bytes += skb->len; 2164 } 2165 2166 if (prev_dev) { 2167 skb->dev = prev_dev; 2168 netif_rx(skb); 2169 skb = NULL; 2170 } else 2171 goto out_free_skb; 2172 2173 status->flag |= RX_FLAG_INTERNAL_CMTR; 2174 return; 2175 2176 out_free_skb: 2177 dev_kfree_skb(skb); 2178 } 2179 2180 2181 static void ieee80211_invoke_rx_handlers(struct ieee80211_sub_if_data *sdata, 2182 struct ieee80211_rx_data *rx, 2183 struct sk_buff *skb, 2184 struct ieee80211_rate *rate) 2185 { 2186 struct sk_buff_head reorder_release; 2187 ieee80211_rx_result res = RX_DROP_MONITOR; 2188 2189 __skb_queue_head_init(&reorder_release); 2190 2191 rx->skb = skb; 2192 rx->sdata = sdata; 2193 2194 #define CALL_RXH(rxh) \ 2195 do { \ 2196 res = rxh(rx); \ 2197 if (res != RX_CONTINUE) \ 2198 goto rxh_next; \ 2199 } while (0); 2200 2201 /* 2202 * NB: the rxh_next label works even if we jump 2203 * to it from here because then the list will 2204 * be empty, which is a trivial check 2205 */ 2206 CALL_RXH(ieee80211_rx_h_passive_scan) 2207 CALL_RXH(ieee80211_rx_h_check) 2208 2209 ieee80211_rx_reorder_ampdu(rx, &reorder_release); 2210 2211 while ((skb = __skb_dequeue(&reorder_release))) { 2212 /* 2213 * all the other fields are valid across frames 2214 * that belong to an aMPDU since they are on the 2215 * same TID from the same station 2216 */ 2217 rx->skb = skb; 2218 2219 CALL_RXH(ieee80211_rx_h_decrypt) 2220 CALL_RXH(ieee80211_rx_h_check_more_data) 2221 CALL_RXH(ieee80211_rx_h_sta_process) 2222 CALL_RXH(ieee80211_rx_h_defragment) 2223 CALL_RXH(ieee80211_rx_h_ps_poll) 2224 CALL_RXH(ieee80211_rx_h_michael_mic_verify) 2225 /* must be after MMIC verify so header is counted in MPDU mic */ 2226 CALL_RXH(ieee80211_rx_h_remove_qos_control) 2227 CALL_RXH(ieee80211_rx_h_amsdu) 2228 #ifdef CONFIG_MAC80211_MESH 2229 if (ieee80211_vif_is_mesh(&sdata->vif)) 2230 CALL_RXH(ieee80211_rx_h_mesh_fwding); 2231 #endif 2232 CALL_RXH(ieee80211_rx_h_data) 2233 2234 /* special treatment -- needs the queue */ 2235 res = ieee80211_rx_h_ctrl(rx, &reorder_release); 2236 if (res != RX_CONTINUE) 2237 goto rxh_next; 2238 2239 CALL_RXH(ieee80211_rx_h_action) 2240 CALL_RXH(ieee80211_rx_h_mgmt) 2241 2242 #undef CALL_RXH 2243 2244 rxh_next: 2245 switch (res) { 2246 case RX_DROP_MONITOR: 2247 I802_DEBUG_INC(sdata->local->rx_handlers_drop); 2248 if (rx->sta) 2249 rx->sta->rx_dropped++; 2250 /* fall through */ 2251 case RX_CONTINUE: 2252 ieee80211_rx_cooked_monitor(rx, rate); 2253 break; 2254 case RX_DROP_UNUSABLE: 2255 I802_DEBUG_INC(sdata->local->rx_handlers_drop); 2256 if (rx->sta) 2257 rx->sta->rx_dropped++; 2258 dev_kfree_skb(rx->skb); 2259 break; 2260 case RX_QUEUED: 2261 I802_DEBUG_INC(sdata->local->rx_handlers_queued); 2262 break; 2263 } 2264 } 2265 } 2266 2267 /* main receive path */ 2268 2269 static int prepare_for_handlers(struct ieee80211_sub_if_data *sdata, 2270 struct ieee80211_rx_data *rx, 2271 struct ieee80211_hdr *hdr) 2272 { 2273 struct sk_buff *skb = rx->skb; 2274 struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(skb); 2275 u8 *bssid = ieee80211_get_bssid(hdr, skb->len, sdata->vif.type); 2276 int multicast = is_multicast_ether_addr(hdr->addr1); 2277 2278 switch (sdata->vif.type) { 2279 case NL80211_IFTYPE_STATION: 2280 if (!bssid && !sdata->u.mgd.use_4addr) 2281 return 0; 2282 if (!multicast && 2283 compare_ether_addr(sdata->dev->dev_addr, hdr->addr1) != 0) { 2284 if (!(sdata->dev->flags & IFF_PROMISC)) 2285 return 0; 2286 rx->flags &= ~IEEE80211_RX_RA_MATCH; 2287 } 2288 break; 2289 case NL80211_IFTYPE_ADHOC: 2290 if (!bssid) 2291 return 0; 2292 if (ieee80211_is_beacon(hdr->frame_control)) { 2293 return 1; 2294 } 2295 else if (!ieee80211_bssid_match(bssid, sdata->u.ibss.bssid)) { 2296 if (!(rx->flags & IEEE80211_RX_IN_SCAN)) 2297 return 0; 2298 rx->flags &= ~IEEE80211_RX_RA_MATCH; 2299 } else if (!multicast && 2300 compare_ether_addr(sdata->dev->dev_addr, 2301 hdr->addr1) != 0) { 2302 if (!(sdata->dev->flags & IFF_PROMISC)) 2303 return 0; 2304 rx->flags &= ~IEEE80211_RX_RA_MATCH; 2305 } else if (!rx->sta) { 2306 int rate_idx; 2307 if (status->flag & RX_FLAG_HT) 2308 rate_idx = 0; /* TODO: HT rates */ 2309 else 2310 rate_idx = status->rate_idx; 2311 rx->sta = ieee80211_ibss_add_sta(sdata, bssid, hdr->addr2, 2312 BIT(rate_idx)); 2313 } 2314 break; 2315 case NL80211_IFTYPE_MESH_POINT: 2316 if (!multicast && 2317 compare_ether_addr(sdata->dev->dev_addr, 2318 hdr->addr1) != 0) { 2319 if (!(sdata->dev->flags & IFF_PROMISC)) 2320 return 0; 2321 2322 rx->flags &= ~IEEE80211_RX_RA_MATCH; 2323 } 2324 break; 2325 case NL80211_IFTYPE_AP_VLAN: 2326 case NL80211_IFTYPE_AP: 2327 if (!bssid) { 2328 if (compare_ether_addr(sdata->dev->dev_addr, 2329 hdr->addr1)) 2330 return 0; 2331 } else if (!ieee80211_bssid_match(bssid, 2332 sdata->dev->dev_addr)) { 2333 if (!(rx->flags & IEEE80211_RX_IN_SCAN)) 2334 return 0; 2335 rx->flags &= ~IEEE80211_RX_RA_MATCH; 2336 } 2337 break; 2338 case NL80211_IFTYPE_WDS: 2339 if (bssid || !ieee80211_is_data(hdr->frame_control)) 2340 return 0; 2341 if (compare_ether_addr(sdata->u.wds.remote_addr, hdr->addr2)) 2342 return 0; 2343 break; 2344 case NL80211_IFTYPE_MONITOR: 2345 case NL80211_IFTYPE_UNSPECIFIED: 2346 case __NL80211_IFTYPE_AFTER_LAST: 2347 /* should never get here */ 2348 WARN_ON(1); 2349 break; 2350 } 2351 2352 return 1; 2353 } 2354 2355 /* 2356 * This is the actual Rx frames handler. as it blongs to Rx path it must 2357 * be called with rcu_read_lock protection. 2358 */ 2359 static void __ieee80211_rx_handle_packet(struct ieee80211_hw *hw, 2360 struct sk_buff *skb, 2361 struct ieee80211_rate *rate) 2362 { 2363 struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(skb); 2364 struct ieee80211_local *local = hw_to_local(hw); 2365 struct ieee80211_sub_if_data *sdata; 2366 struct ieee80211_hdr *hdr; 2367 struct ieee80211_rx_data rx; 2368 int prepares; 2369 struct ieee80211_sub_if_data *prev = NULL; 2370 struct sk_buff *skb_new; 2371 2372 hdr = (struct ieee80211_hdr *)skb->data; 2373 memset(&rx, 0, sizeof(rx)); 2374 rx.skb = skb; 2375 rx.local = local; 2376 2377 if (ieee80211_is_data(hdr->frame_control) || ieee80211_is_mgmt(hdr->frame_control)) 2378 local->dot11ReceivedFragmentCount++; 2379 2380 if (unlikely(test_bit(SCAN_HW_SCANNING, &local->scanning) || 2381 test_bit(SCAN_OFF_CHANNEL, &local->scanning))) 2382 rx.flags |= IEEE80211_RX_IN_SCAN; 2383 2384 ieee80211_parse_qos(&rx); 2385 ieee80211_verify_alignment(&rx); 2386 2387 rx.sta = sta_info_get(local, hdr->addr2); 2388 if (rx.sta) 2389 rx.sdata = rx.sta->sdata; 2390 2391 if (rx.sdata && ieee80211_is_data(hdr->frame_control)) { 2392 rx.flags |= IEEE80211_RX_RA_MATCH; 2393 prepares = prepare_for_handlers(rx.sdata, &rx, hdr); 2394 if (prepares) { 2395 if (status->flag & RX_FLAG_MMIC_ERROR) { 2396 if (rx.flags & IEEE80211_RX_RA_MATCH) 2397 ieee80211_rx_michael_mic_report(hdr, &rx); 2398 } else 2399 prev = rx.sdata; 2400 } 2401 } else list_for_each_entry_rcu(sdata, &local->interfaces, list) { 2402 if (!netif_running(sdata->dev)) 2403 continue; 2404 2405 if (sdata->vif.type == NL80211_IFTYPE_MONITOR || 2406 sdata->vif.type == NL80211_IFTYPE_AP_VLAN) 2407 continue; 2408 2409 rx.flags |= IEEE80211_RX_RA_MATCH; 2410 prepares = prepare_for_handlers(sdata, &rx, hdr); 2411 2412 if (!prepares) 2413 continue; 2414 2415 if (status->flag & RX_FLAG_MMIC_ERROR) { 2416 rx.sdata = sdata; 2417 if (rx.flags & IEEE80211_RX_RA_MATCH) 2418 ieee80211_rx_michael_mic_report(hdr, &rx); 2419 continue; 2420 } 2421 2422 /* 2423 * frame is destined for this interface, but if it's not 2424 * also for the previous one we handle that after the 2425 * loop to avoid copying the SKB once too much 2426 */ 2427 2428 if (!prev) { 2429 prev = sdata; 2430 continue; 2431 } 2432 2433 /* 2434 * frame was destined for the previous interface 2435 * so invoke RX handlers for it 2436 */ 2437 2438 skb_new = skb_copy(skb, GFP_ATOMIC); 2439 if (!skb_new) { 2440 if (net_ratelimit()) 2441 printk(KERN_DEBUG "%s: failed to copy " 2442 "multicast frame for %s\n", 2443 wiphy_name(local->hw.wiphy), 2444 prev->dev->name); 2445 continue; 2446 } 2447 ieee80211_invoke_rx_handlers(prev, &rx, skb_new, rate); 2448 prev = sdata; 2449 } 2450 if (prev) 2451 ieee80211_invoke_rx_handlers(prev, &rx, skb, rate); 2452 else 2453 dev_kfree_skb(skb); 2454 } 2455 2456 /* 2457 * This is the receive path handler. It is called by a low level driver when an 2458 * 802.11 MPDU is received from the hardware. 2459 */ 2460 void ieee80211_rx(struct ieee80211_hw *hw, struct sk_buff *skb) 2461 { 2462 struct ieee80211_local *local = hw_to_local(hw); 2463 struct ieee80211_rate *rate = NULL; 2464 struct ieee80211_supported_band *sband; 2465 struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(skb); 2466 2467 WARN_ON_ONCE(softirq_count() == 0); 2468 2469 if (WARN_ON(status->band < 0 || 2470 status->band >= IEEE80211_NUM_BANDS)) 2471 goto drop; 2472 2473 sband = local->hw.wiphy->bands[status->band]; 2474 if (WARN_ON(!sband)) 2475 goto drop; 2476 2477 /* 2478 * If we're suspending, it is possible although not too likely 2479 * that we'd be receiving frames after having already partially 2480 * quiesced the stack. We can't process such frames then since 2481 * that might, for example, cause stations to be added or other 2482 * driver callbacks be invoked. 2483 */ 2484 if (unlikely(local->quiescing || local->suspended)) 2485 goto drop; 2486 2487 /* 2488 * The same happens when we're not even started, 2489 * but that's worth a warning. 2490 */ 2491 if (WARN_ON(!local->started)) 2492 goto drop; 2493 2494 if (status->flag & RX_FLAG_HT) { 2495 /* 2496 * rate_idx is MCS index, which can be [0-76] as documented on: 2497 * 2498 * http://wireless.kernel.org/en/developers/Documentation/ieee80211/802.11n 2499 * 2500 * Anything else would be some sort of driver or hardware error. 2501 * The driver should catch hardware errors. 2502 */ 2503 if (WARN((status->rate_idx < 0 || 2504 status->rate_idx > 76), 2505 "Rate marked as an HT rate but passed " 2506 "status->rate_idx is not " 2507 "an MCS index [0-76]: %d (0x%02x)\n", 2508 status->rate_idx, 2509 status->rate_idx)) 2510 goto drop; 2511 } else { 2512 if (WARN_ON(status->rate_idx < 0 || 2513 status->rate_idx >= sband->n_bitrates)) 2514 goto drop; 2515 rate = &sband->bitrates[status->rate_idx]; 2516 } 2517 2518 /* 2519 * key references and virtual interfaces are protected using RCU 2520 * and this requires that we are in a read-side RCU section during 2521 * receive processing 2522 */ 2523 rcu_read_lock(); 2524 2525 /* 2526 * Frames with failed FCS/PLCP checksum are not returned, 2527 * all other frames are returned without radiotap header 2528 * if it was previously present. 2529 * Also, frames with less than 16 bytes are dropped. 2530 */ 2531 skb = ieee80211_rx_monitor(local, skb, rate); 2532 if (!skb) { 2533 rcu_read_unlock(); 2534 return; 2535 } 2536 2537 __ieee80211_rx_handle_packet(hw, skb, rate); 2538 2539 rcu_read_unlock(); 2540 2541 return; 2542 drop: 2543 kfree_skb(skb); 2544 } 2545 EXPORT_SYMBOL(ieee80211_rx); 2546 2547 /* This is a version of the rx handler that can be called from hard irq 2548 * context. Post the skb on the queue and schedule the tasklet */ 2549 void ieee80211_rx_irqsafe(struct ieee80211_hw *hw, struct sk_buff *skb) 2550 { 2551 struct ieee80211_local *local = hw_to_local(hw); 2552 2553 BUILD_BUG_ON(sizeof(struct ieee80211_rx_status) > sizeof(skb->cb)); 2554 2555 skb->pkt_type = IEEE80211_RX_MSG; 2556 skb_queue_tail(&local->skb_queue, skb); 2557 tasklet_schedule(&local->tasklet); 2558 } 2559 EXPORT_SYMBOL(ieee80211_rx_irqsafe); 2560