1 /* 2 * Copyright 2002-2005, Instant802 Networks, Inc. 3 * Copyright 2005-2006, Devicescape Software, Inc. 4 * Copyright 2006-2007 Jiri Benc <jbenc@suse.cz> 5 * Copyright 2007-2010 Johannes Berg <johannes@sipsolutions.net> 6 * 7 * This program is free software; you can redistribute it and/or modify 8 * it under the terms of the GNU General Public License version 2 as 9 * published by the Free Software Foundation. 10 */ 11 12 #include <linux/jiffies.h> 13 #include <linux/slab.h> 14 #include <linux/kernel.h> 15 #include <linux/skbuff.h> 16 #include <linux/netdevice.h> 17 #include <linux/etherdevice.h> 18 #include <linux/rcupdate.h> 19 #include <linux/export.h> 20 #include <net/mac80211.h> 21 #include <net/ieee80211_radiotap.h> 22 #include <asm/unaligned.h> 23 24 #include "ieee80211_i.h" 25 #include "driver-ops.h" 26 #include "led.h" 27 #include "mesh.h" 28 #include "wep.h" 29 #include "wpa.h" 30 #include "tkip.h" 31 #include "wme.h" 32 #include "rate.h" 33 34 /* 35 * monitor mode reception 36 * 37 * This function cleans up the SKB, i.e. it removes all the stuff 38 * only useful for monitoring. 39 */ 40 static struct sk_buff *remove_monitor_info(struct ieee80211_local *local, 41 struct sk_buff *skb) 42 { 43 struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(skb); 44 45 if (local->hw.flags & IEEE80211_HW_RX_INCLUDES_FCS) { 46 if (likely(skb->len > FCS_LEN)) 47 __pskb_trim(skb, skb->len - FCS_LEN); 48 else { 49 /* driver bug */ 50 WARN_ON(1); 51 dev_kfree_skb(skb); 52 return NULL; 53 } 54 } 55 56 if (status->vendor_radiotap_len) 57 __pskb_pull(skb, status->vendor_radiotap_len); 58 59 return skb; 60 } 61 62 static inline int should_drop_frame(struct sk_buff *skb, int present_fcs_len) 63 { 64 struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(skb); 65 struct ieee80211_hdr *hdr; 66 67 hdr = (void *)(skb->data + status->vendor_radiotap_len); 68 69 if (status->flag & (RX_FLAG_FAILED_FCS_CRC | 70 RX_FLAG_FAILED_PLCP_CRC | 71 RX_FLAG_AMPDU_IS_ZEROLEN)) 72 return 1; 73 if (unlikely(skb->len < 16 + present_fcs_len + 74 status->vendor_radiotap_len)) 75 return 1; 76 if (ieee80211_is_ctl(hdr->frame_control) && 77 !ieee80211_is_pspoll(hdr->frame_control) && 78 !ieee80211_is_back_req(hdr->frame_control)) 79 return 1; 80 return 0; 81 } 82 83 static int 84 ieee80211_rx_radiotap_space(struct ieee80211_local *local, 85 struct ieee80211_rx_status *status) 86 { 87 int len; 88 89 /* always present fields */ 90 len = sizeof(struct ieee80211_radiotap_header) + 9; 91 92 /* allocate extra bitmap */ 93 if (status->vendor_radiotap_len) 94 len += 4; 95 96 if (ieee80211_have_rx_timestamp(status)) { 97 len = ALIGN(len, 8); 98 len += 8; 99 } 100 if (local->hw.flags & IEEE80211_HW_SIGNAL_DBM) 101 len += 1; 102 103 /* padding for RX_FLAGS if necessary */ 104 len = ALIGN(len, 2); 105 106 if (status->flag & RX_FLAG_HT) /* HT info */ 107 len += 3; 108 109 if (status->flag & RX_FLAG_AMPDU_DETAILS) { 110 len = ALIGN(len, 4); 111 len += 8; 112 } 113 114 if (status->flag & RX_FLAG_VHT) { 115 len = ALIGN(len, 2); 116 len += 12; 117 } 118 119 if (status->vendor_radiotap_len) { 120 if (WARN_ON_ONCE(status->vendor_radiotap_align == 0)) 121 status->vendor_radiotap_align = 1; 122 /* align standard part of vendor namespace */ 123 len = ALIGN(len, 2); 124 /* allocate standard part of vendor namespace */ 125 len += 6; 126 /* align vendor-defined part */ 127 len = ALIGN(len, status->vendor_radiotap_align); 128 /* vendor-defined part is already in skb */ 129 } 130 131 return len; 132 } 133 134 /* 135 * ieee80211_add_rx_radiotap_header - add radiotap header 136 * 137 * add a radiotap header containing all the fields which the hardware provided. 138 */ 139 static void 140 ieee80211_add_rx_radiotap_header(struct ieee80211_local *local, 141 struct sk_buff *skb, 142 struct ieee80211_rate *rate, 143 int rtap_len, bool has_fcs) 144 { 145 struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(skb); 146 struct ieee80211_radiotap_header *rthdr; 147 unsigned char *pos; 148 u16 rx_flags = 0; 149 int mpdulen; 150 151 mpdulen = skb->len; 152 if (!(has_fcs && (local->hw.flags & IEEE80211_HW_RX_INCLUDES_FCS))) 153 mpdulen += FCS_LEN; 154 155 rthdr = (struct ieee80211_radiotap_header *)skb_push(skb, rtap_len); 156 memset(rthdr, 0, rtap_len); 157 158 /* radiotap header, set always present flags */ 159 rthdr->it_present = 160 cpu_to_le32((1 << IEEE80211_RADIOTAP_FLAGS) | 161 (1 << IEEE80211_RADIOTAP_CHANNEL) | 162 (1 << IEEE80211_RADIOTAP_ANTENNA) | 163 (1 << IEEE80211_RADIOTAP_RX_FLAGS)); 164 rthdr->it_len = cpu_to_le16(rtap_len + status->vendor_radiotap_len); 165 166 pos = (unsigned char *)(rthdr + 1); 167 168 if (status->vendor_radiotap_len) { 169 rthdr->it_present |= 170 cpu_to_le32(BIT(IEEE80211_RADIOTAP_VENDOR_NAMESPACE)) | 171 cpu_to_le32(BIT(IEEE80211_RADIOTAP_EXT)); 172 put_unaligned_le32(status->vendor_radiotap_bitmap, pos); 173 pos += 4; 174 } 175 176 /* the order of the following fields is important */ 177 178 /* IEEE80211_RADIOTAP_TSFT */ 179 if (ieee80211_have_rx_timestamp(status)) { 180 /* padding */ 181 while ((pos - (u8 *)rthdr) & 7) 182 *pos++ = 0; 183 put_unaligned_le64( 184 ieee80211_calculate_rx_timestamp(local, status, 185 mpdulen, 0), 186 pos); 187 rthdr->it_present |= cpu_to_le32(1 << IEEE80211_RADIOTAP_TSFT); 188 pos += 8; 189 } 190 191 /* IEEE80211_RADIOTAP_FLAGS */ 192 if (has_fcs && (local->hw.flags & IEEE80211_HW_RX_INCLUDES_FCS)) 193 *pos |= IEEE80211_RADIOTAP_F_FCS; 194 if (status->flag & (RX_FLAG_FAILED_FCS_CRC | RX_FLAG_FAILED_PLCP_CRC)) 195 *pos |= IEEE80211_RADIOTAP_F_BADFCS; 196 if (status->flag & RX_FLAG_SHORTPRE) 197 *pos |= IEEE80211_RADIOTAP_F_SHORTPRE; 198 pos++; 199 200 /* IEEE80211_RADIOTAP_RATE */ 201 if (!rate || status->flag & (RX_FLAG_HT | RX_FLAG_VHT)) { 202 /* 203 * Without rate information don't add it. If we have, 204 * MCS information is a separate field in radiotap, 205 * added below. The byte here is needed as padding 206 * for the channel though, so initialise it to 0. 207 */ 208 *pos = 0; 209 } else { 210 rthdr->it_present |= cpu_to_le32(1 << IEEE80211_RADIOTAP_RATE); 211 *pos = rate->bitrate / 5; 212 } 213 pos++; 214 215 /* IEEE80211_RADIOTAP_CHANNEL */ 216 put_unaligned_le16(status->freq, pos); 217 pos += 2; 218 if (status->band == IEEE80211_BAND_5GHZ) 219 put_unaligned_le16(IEEE80211_CHAN_OFDM | IEEE80211_CHAN_5GHZ, 220 pos); 221 else if (status->flag & (RX_FLAG_HT | RX_FLAG_VHT)) 222 put_unaligned_le16(IEEE80211_CHAN_DYN | IEEE80211_CHAN_2GHZ, 223 pos); 224 else if (rate && rate->flags & IEEE80211_RATE_ERP_G) 225 put_unaligned_le16(IEEE80211_CHAN_OFDM | IEEE80211_CHAN_2GHZ, 226 pos); 227 else if (rate) 228 put_unaligned_le16(IEEE80211_CHAN_CCK | IEEE80211_CHAN_2GHZ, 229 pos); 230 else 231 put_unaligned_le16(IEEE80211_CHAN_2GHZ, pos); 232 pos += 2; 233 234 /* IEEE80211_RADIOTAP_DBM_ANTSIGNAL */ 235 if (local->hw.flags & IEEE80211_HW_SIGNAL_DBM && 236 !(status->flag & RX_FLAG_NO_SIGNAL_VAL)) { 237 *pos = status->signal; 238 rthdr->it_present |= 239 cpu_to_le32(1 << IEEE80211_RADIOTAP_DBM_ANTSIGNAL); 240 pos++; 241 } 242 243 /* IEEE80211_RADIOTAP_LOCK_QUALITY is missing */ 244 245 /* IEEE80211_RADIOTAP_ANTENNA */ 246 *pos = status->antenna; 247 pos++; 248 249 /* IEEE80211_RADIOTAP_DB_ANTNOISE is not used */ 250 251 /* IEEE80211_RADIOTAP_RX_FLAGS */ 252 /* ensure 2 byte alignment for the 2 byte field as required */ 253 if ((pos - (u8 *)rthdr) & 1) 254 *pos++ = 0; 255 if (status->flag & RX_FLAG_FAILED_PLCP_CRC) 256 rx_flags |= IEEE80211_RADIOTAP_F_RX_BADPLCP; 257 put_unaligned_le16(rx_flags, pos); 258 pos += 2; 259 260 if (status->flag & RX_FLAG_HT) { 261 rthdr->it_present |= cpu_to_le32(1 << IEEE80211_RADIOTAP_MCS); 262 *pos++ = local->hw.radiotap_mcs_details; 263 *pos = 0; 264 if (status->flag & RX_FLAG_SHORT_GI) 265 *pos |= IEEE80211_RADIOTAP_MCS_SGI; 266 if (status->flag & RX_FLAG_40MHZ) 267 *pos |= IEEE80211_RADIOTAP_MCS_BW_40; 268 if (status->flag & RX_FLAG_HT_GF) 269 *pos |= IEEE80211_RADIOTAP_MCS_FMT_GF; 270 pos++; 271 *pos++ = status->rate_idx; 272 } 273 274 if (status->flag & RX_FLAG_AMPDU_DETAILS) { 275 u16 flags = 0; 276 277 /* ensure 4 byte alignment */ 278 while ((pos - (u8 *)rthdr) & 3) 279 pos++; 280 rthdr->it_present |= 281 cpu_to_le32(1 << IEEE80211_RADIOTAP_AMPDU_STATUS); 282 put_unaligned_le32(status->ampdu_reference, pos); 283 pos += 4; 284 if (status->flag & RX_FLAG_AMPDU_REPORT_ZEROLEN) 285 flags |= IEEE80211_RADIOTAP_AMPDU_REPORT_ZEROLEN; 286 if (status->flag & RX_FLAG_AMPDU_IS_ZEROLEN) 287 flags |= IEEE80211_RADIOTAP_AMPDU_IS_ZEROLEN; 288 if (status->flag & RX_FLAG_AMPDU_LAST_KNOWN) 289 flags |= IEEE80211_RADIOTAP_AMPDU_LAST_KNOWN; 290 if (status->flag & RX_FLAG_AMPDU_IS_LAST) 291 flags |= IEEE80211_RADIOTAP_AMPDU_IS_LAST; 292 if (status->flag & RX_FLAG_AMPDU_DELIM_CRC_ERROR) 293 flags |= IEEE80211_RADIOTAP_AMPDU_DELIM_CRC_ERR; 294 if (status->flag & RX_FLAG_AMPDU_DELIM_CRC_KNOWN) 295 flags |= IEEE80211_RADIOTAP_AMPDU_DELIM_CRC_KNOWN; 296 put_unaligned_le16(flags, pos); 297 pos += 2; 298 if (status->flag & RX_FLAG_AMPDU_DELIM_CRC_KNOWN) 299 *pos++ = status->ampdu_delimiter_crc; 300 else 301 *pos++ = 0; 302 *pos++ = 0; 303 } 304 305 if (status->flag & RX_FLAG_VHT) { 306 u16 known = local->hw.radiotap_vht_details; 307 308 rthdr->it_present |= cpu_to_le32(1 << IEEE80211_RADIOTAP_VHT); 309 /* known field - how to handle 80+80? */ 310 if (status->flag & RX_FLAG_80P80MHZ) 311 known &= ~IEEE80211_RADIOTAP_VHT_KNOWN_BANDWIDTH; 312 put_unaligned_le16(known, pos); 313 pos += 2; 314 /* flags */ 315 if (status->flag & RX_FLAG_SHORT_GI) 316 *pos |= IEEE80211_RADIOTAP_VHT_FLAG_SGI; 317 pos++; 318 /* bandwidth */ 319 if (status->flag & RX_FLAG_80MHZ) 320 *pos++ = 4; 321 else if (status->flag & RX_FLAG_80P80MHZ) 322 *pos++ = 0; /* marked not known above */ 323 else if (status->flag & RX_FLAG_160MHZ) 324 *pos++ = 11; 325 else if (status->flag & RX_FLAG_40MHZ) 326 *pos++ = 1; 327 else /* 20 MHz */ 328 *pos++ = 0; 329 /* MCS/NSS */ 330 *pos = (status->rate_idx << 4) | status->vht_nss; 331 pos += 4; 332 /* coding field */ 333 pos++; 334 /* group ID */ 335 pos++; 336 /* partial_aid */ 337 pos += 2; 338 } 339 340 if (status->vendor_radiotap_len) { 341 /* ensure 2 byte alignment for the vendor field as required */ 342 if ((pos - (u8 *)rthdr) & 1) 343 *pos++ = 0; 344 *pos++ = status->vendor_radiotap_oui[0]; 345 *pos++ = status->vendor_radiotap_oui[1]; 346 *pos++ = status->vendor_radiotap_oui[2]; 347 *pos++ = status->vendor_radiotap_subns; 348 put_unaligned_le16(status->vendor_radiotap_len, pos); 349 pos += 2; 350 /* align the actual payload as requested */ 351 while ((pos - (u8 *)rthdr) & (status->vendor_radiotap_align - 1)) 352 *pos++ = 0; 353 } 354 } 355 356 /* 357 * This function copies a received frame to all monitor interfaces and 358 * returns a cleaned-up SKB that no longer includes the FCS nor the 359 * radiotap header the driver might have added. 360 */ 361 static struct sk_buff * 362 ieee80211_rx_monitor(struct ieee80211_local *local, struct sk_buff *origskb, 363 struct ieee80211_rate *rate) 364 { 365 struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(origskb); 366 struct ieee80211_sub_if_data *sdata; 367 int needed_headroom; 368 struct sk_buff *skb, *skb2; 369 struct net_device *prev_dev = NULL; 370 int present_fcs_len = 0; 371 372 /* 373 * First, we may need to make a copy of the skb because 374 * (1) we need to modify it for radiotap (if not present), and 375 * (2) the other RX handlers will modify the skb we got. 376 * 377 * We don't need to, of course, if we aren't going to return 378 * the SKB because it has a bad FCS/PLCP checksum. 379 */ 380 381 if (local->hw.flags & IEEE80211_HW_RX_INCLUDES_FCS) 382 present_fcs_len = FCS_LEN; 383 384 /* ensure hdr->frame_control and vendor radiotap data are in skb head */ 385 if (!pskb_may_pull(origskb, 2 + status->vendor_radiotap_len)) { 386 dev_kfree_skb(origskb); 387 return NULL; 388 } 389 390 if (!local->monitors) { 391 if (should_drop_frame(origskb, present_fcs_len)) { 392 dev_kfree_skb(origskb); 393 return NULL; 394 } 395 396 return remove_monitor_info(local, origskb); 397 } 398 399 /* room for the radiotap header based on driver features */ 400 needed_headroom = ieee80211_rx_radiotap_space(local, status); 401 402 if (should_drop_frame(origskb, present_fcs_len)) { 403 /* only need to expand headroom if necessary */ 404 skb = origskb; 405 origskb = NULL; 406 407 /* 408 * This shouldn't trigger often because most devices have an 409 * RX header they pull before we get here, and that should 410 * be big enough for our radiotap information. We should 411 * probably export the length to drivers so that we can have 412 * them allocate enough headroom to start with. 413 */ 414 if (skb_headroom(skb) < needed_headroom && 415 pskb_expand_head(skb, needed_headroom, 0, GFP_ATOMIC)) { 416 dev_kfree_skb(skb); 417 return NULL; 418 } 419 } else { 420 /* 421 * Need to make a copy and possibly remove radiotap header 422 * and FCS from the original. 423 */ 424 skb = skb_copy_expand(origskb, needed_headroom, 0, GFP_ATOMIC); 425 426 origskb = remove_monitor_info(local, origskb); 427 428 if (!skb) 429 return origskb; 430 } 431 432 /* prepend radiotap information */ 433 ieee80211_add_rx_radiotap_header(local, skb, rate, needed_headroom, 434 true); 435 436 skb_reset_mac_header(skb); 437 skb->ip_summed = CHECKSUM_UNNECESSARY; 438 skb->pkt_type = PACKET_OTHERHOST; 439 skb->protocol = htons(ETH_P_802_2); 440 441 list_for_each_entry_rcu(sdata, &local->interfaces, list) { 442 if (sdata->vif.type != NL80211_IFTYPE_MONITOR) 443 continue; 444 445 if (sdata->u.mntr_flags & MONITOR_FLAG_COOK_FRAMES) 446 continue; 447 448 if (!ieee80211_sdata_running(sdata)) 449 continue; 450 451 if (prev_dev) { 452 skb2 = skb_clone(skb, GFP_ATOMIC); 453 if (skb2) { 454 skb2->dev = prev_dev; 455 netif_receive_skb(skb2); 456 } 457 } 458 459 prev_dev = sdata->dev; 460 sdata->dev->stats.rx_packets++; 461 sdata->dev->stats.rx_bytes += skb->len; 462 } 463 464 if (prev_dev) { 465 skb->dev = prev_dev; 466 netif_receive_skb(skb); 467 } else 468 dev_kfree_skb(skb); 469 470 return origskb; 471 } 472 473 static void ieee80211_parse_qos(struct ieee80211_rx_data *rx) 474 { 475 struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)rx->skb->data; 476 struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(rx->skb); 477 int tid, seqno_idx, security_idx; 478 479 /* does the frame have a qos control field? */ 480 if (ieee80211_is_data_qos(hdr->frame_control)) { 481 u8 *qc = ieee80211_get_qos_ctl(hdr); 482 /* frame has qos control */ 483 tid = *qc & IEEE80211_QOS_CTL_TID_MASK; 484 if (*qc & IEEE80211_QOS_CTL_A_MSDU_PRESENT) 485 status->rx_flags |= IEEE80211_RX_AMSDU; 486 487 seqno_idx = tid; 488 security_idx = tid; 489 } else { 490 /* 491 * IEEE 802.11-2007, 7.1.3.4.1 ("Sequence Number field"): 492 * 493 * Sequence numbers for management frames, QoS data 494 * frames with a broadcast/multicast address in the 495 * Address 1 field, and all non-QoS data frames sent 496 * by QoS STAs are assigned using an additional single 497 * modulo-4096 counter, [...] 498 * 499 * We also use that counter for non-QoS STAs. 500 */ 501 seqno_idx = IEEE80211_NUM_TIDS; 502 security_idx = 0; 503 if (ieee80211_is_mgmt(hdr->frame_control)) 504 security_idx = IEEE80211_NUM_TIDS; 505 tid = 0; 506 } 507 508 rx->seqno_idx = seqno_idx; 509 rx->security_idx = security_idx; 510 /* Set skb->priority to 1d tag if highest order bit of TID is not set. 511 * For now, set skb->priority to 0 for other cases. */ 512 rx->skb->priority = (tid > 7) ? 0 : tid; 513 } 514 515 /** 516 * DOC: Packet alignment 517 * 518 * Drivers always need to pass packets that are aligned to two-byte boundaries 519 * to the stack. 520 * 521 * Additionally, should, if possible, align the payload data in a way that 522 * guarantees that the contained IP header is aligned to a four-byte 523 * boundary. In the case of regular frames, this simply means aligning the 524 * payload to a four-byte boundary (because either the IP header is directly 525 * contained, or IV/RFC1042 headers that have a length divisible by four are 526 * in front of it). If the payload data is not properly aligned and the 527 * architecture doesn't support efficient unaligned operations, mac80211 528 * will align the data. 529 * 530 * With A-MSDU frames, however, the payload data address must yield two modulo 531 * four because there are 14-byte 802.3 headers within the A-MSDU frames that 532 * push the IP header further back to a multiple of four again. Thankfully, the 533 * specs were sane enough this time around to require padding each A-MSDU 534 * subframe to a length that is a multiple of four. 535 * 536 * Padding like Atheros hardware adds which is between the 802.11 header and 537 * the payload is not supported, the driver is required to move the 802.11 538 * header to be directly in front of the payload in that case. 539 */ 540 static void ieee80211_verify_alignment(struct ieee80211_rx_data *rx) 541 { 542 #ifdef CONFIG_MAC80211_VERBOSE_DEBUG 543 WARN_ONCE((unsigned long)rx->skb->data & 1, 544 "unaligned packet at 0x%p\n", rx->skb->data); 545 #endif 546 } 547 548 549 /* rx handlers */ 550 551 static int ieee80211_is_unicast_robust_mgmt_frame(struct sk_buff *skb) 552 { 553 struct ieee80211_hdr *hdr = (struct ieee80211_hdr *) skb->data; 554 555 if (skb->len < 24 || is_multicast_ether_addr(hdr->addr1)) 556 return 0; 557 558 return ieee80211_is_robust_mgmt_frame(hdr); 559 } 560 561 562 static int ieee80211_is_multicast_robust_mgmt_frame(struct sk_buff *skb) 563 { 564 struct ieee80211_hdr *hdr = (struct ieee80211_hdr *) skb->data; 565 566 if (skb->len < 24 || !is_multicast_ether_addr(hdr->addr1)) 567 return 0; 568 569 return ieee80211_is_robust_mgmt_frame(hdr); 570 } 571 572 573 /* Get the BIP key index from MMIE; return -1 if this is not a BIP frame */ 574 static int ieee80211_get_mmie_keyidx(struct sk_buff *skb) 575 { 576 struct ieee80211_mgmt *hdr = (struct ieee80211_mgmt *) skb->data; 577 struct ieee80211_mmie *mmie; 578 579 if (skb->len < 24 + sizeof(*mmie) || !is_multicast_ether_addr(hdr->da)) 580 return -1; 581 582 if (!ieee80211_is_robust_mgmt_frame((struct ieee80211_hdr *) hdr)) 583 return -1; /* not a robust management frame */ 584 585 mmie = (struct ieee80211_mmie *) 586 (skb->data + skb->len - sizeof(*mmie)); 587 if (mmie->element_id != WLAN_EID_MMIE || 588 mmie->length != sizeof(*mmie) - 2) 589 return -1; 590 591 return le16_to_cpu(mmie->key_id); 592 } 593 594 static ieee80211_rx_result ieee80211_rx_mesh_check(struct ieee80211_rx_data *rx) 595 { 596 struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)rx->skb->data; 597 char *dev_addr = rx->sdata->vif.addr; 598 599 if (ieee80211_is_data(hdr->frame_control)) { 600 if (is_multicast_ether_addr(hdr->addr1)) { 601 if (ieee80211_has_tods(hdr->frame_control) || 602 !ieee80211_has_fromds(hdr->frame_control)) 603 return RX_DROP_MONITOR; 604 if (ether_addr_equal(hdr->addr3, dev_addr)) 605 return RX_DROP_MONITOR; 606 } else { 607 if (!ieee80211_has_a4(hdr->frame_control)) 608 return RX_DROP_MONITOR; 609 if (ether_addr_equal(hdr->addr4, dev_addr)) 610 return RX_DROP_MONITOR; 611 } 612 } 613 614 /* If there is not an established peer link and this is not a peer link 615 * establisment frame, beacon or probe, drop the frame. 616 */ 617 618 if (!rx->sta || sta_plink_state(rx->sta) != NL80211_PLINK_ESTAB) { 619 struct ieee80211_mgmt *mgmt; 620 621 if (!ieee80211_is_mgmt(hdr->frame_control)) 622 return RX_DROP_MONITOR; 623 624 if (ieee80211_is_action(hdr->frame_control)) { 625 u8 category; 626 627 /* make sure category field is present */ 628 if (rx->skb->len < IEEE80211_MIN_ACTION_SIZE) 629 return RX_DROP_MONITOR; 630 631 mgmt = (struct ieee80211_mgmt *)hdr; 632 category = mgmt->u.action.category; 633 if (category != WLAN_CATEGORY_MESH_ACTION && 634 category != WLAN_CATEGORY_SELF_PROTECTED) 635 return RX_DROP_MONITOR; 636 return RX_CONTINUE; 637 } 638 639 if (ieee80211_is_probe_req(hdr->frame_control) || 640 ieee80211_is_probe_resp(hdr->frame_control) || 641 ieee80211_is_beacon(hdr->frame_control) || 642 ieee80211_is_auth(hdr->frame_control)) 643 return RX_CONTINUE; 644 645 return RX_DROP_MONITOR; 646 } 647 648 return RX_CONTINUE; 649 } 650 651 static void ieee80211_release_reorder_frame(struct ieee80211_sub_if_data *sdata, 652 struct tid_ampdu_rx *tid_agg_rx, 653 int index, 654 struct sk_buff_head *frames) 655 { 656 struct sk_buff *skb = tid_agg_rx->reorder_buf[index]; 657 struct ieee80211_rx_status *status; 658 659 lockdep_assert_held(&tid_agg_rx->reorder_lock); 660 661 if (!skb) 662 goto no_frame; 663 664 /* release the frame from the reorder ring buffer */ 665 tid_agg_rx->stored_mpdu_num--; 666 tid_agg_rx->reorder_buf[index] = NULL; 667 status = IEEE80211_SKB_RXCB(skb); 668 status->rx_flags |= IEEE80211_RX_DEFERRED_RELEASE; 669 __skb_queue_tail(frames, skb); 670 671 no_frame: 672 tid_agg_rx->head_seq_num = ieee80211_sn_inc(tid_agg_rx->head_seq_num); 673 } 674 675 static void ieee80211_release_reorder_frames(struct ieee80211_sub_if_data *sdata, 676 struct tid_ampdu_rx *tid_agg_rx, 677 u16 head_seq_num, 678 struct sk_buff_head *frames) 679 { 680 int index; 681 682 lockdep_assert_held(&tid_agg_rx->reorder_lock); 683 684 while (ieee80211_sn_less(tid_agg_rx->head_seq_num, head_seq_num)) { 685 index = ieee80211_sn_sub(tid_agg_rx->head_seq_num, 686 tid_agg_rx->ssn) % 687 tid_agg_rx->buf_size; 688 ieee80211_release_reorder_frame(sdata, tid_agg_rx, index, 689 frames); 690 } 691 } 692 693 /* 694 * Timeout (in jiffies) for skb's that are waiting in the RX reorder buffer. If 695 * the skb was added to the buffer longer than this time ago, the earlier 696 * frames that have not yet been received are assumed to be lost and the skb 697 * can be released for processing. This may also release other skb's from the 698 * reorder buffer if there are no additional gaps between the frames. 699 * 700 * Callers must hold tid_agg_rx->reorder_lock. 701 */ 702 #define HT_RX_REORDER_BUF_TIMEOUT (HZ / 10) 703 704 static void ieee80211_sta_reorder_release(struct ieee80211_sub_if_data *sdata, 705 struct tid_ampdu_rx *tid_agg_rx, 706 struct sk_buff_head *frames) 707 { 708 int index, j; 709 710 lockdep_assert_held(&tid_agg_rx->reorder_lock); 711 712 /* release the buffer until next missing frame */ 713 index = ieee80211_sn_sub(tid_agg_rx->head_seq_num, 714 tid_agg_rx->ssn) % tid_agg_rx->buf_size; 715 if (!tid_agg_rx->reorder_buf[index] && 716 tid_agg_rx->stored_mpdu_num) { 717 /* 718 * No buffers ready to be released, but check whether any 719 * frames in the reorder buffer have timed out. 720 */ 721 int skipped = 1; 722 for (j = (index + 1) % tid_agg_rx->buf_size; j != index; 723 j = (j + 1) % tid_agg_rx->buf_size) { 724 if (!tid_agg_rx->reorder_buf[j]) { 725 skipped++; 726 continue; 727 } 728 if (skipped && 729 !time_after(jiffies, tid_agg_rx->reorder_time[j] + 730 HT_RX_REORDER_BUF_TIMEOUT)) 731 goto set_release_timer; 732 733 ht_dbg_ratelimited(sdata, 734 "release an RX reorder frame due to timeout on earlier frames\n"); 735 ieee80211_release_reorder_frame(sdata, tid_agg_rx, j, 736 frames); 737 738 /* 739 * Increment the head seq# also for the skipped slots. 740 */ 741 tid_agg_rx->head_seq_num = 742 (tid_agg_rx->head_seq_num + 743 skipped) & IEEE80211_SN_MASK; 744 skipped = 0; 745 } 746 } else while (tid_agg_rx->reorder_buf[index]) { 747 ieee80211_release_reorder_frame(sdata, tid_agg_rx, index, 748 frames); 749 index = ieee80211_sn_sub(tid_agg_rx->head_seq_num, 750 tid_agg_rx->ssn) % 751 tid_agg_rx->buf_size; 752 } 753 754 if (tid_agg_rx->stored_mpdu_num) { 755 j = index = ieee80211_sn_sub(tid_agg_rx->head_seq_num, 756 tid_agg_rx->ssn) % 757 tid_agg_rx->buf_size; 758 759 for (; j != (index - 1) % tid_agg_rx->buf_size; 760 j = (j + 1) % tid_agg_rx->buf_size) { 761 if (tid_agg_rx->reorder_buf[j]) 762 break; 763 } 764 765 set_release_timer: 766 767 mod_timer(&tid_agg_rx->reorder_timer, 768 tid_agg_rx->reorder_time[j] + 1 + 769 HT_RX_REORDER_BUF_TIMEOUT); 770 } else { 771 del_timer(&tid_agg_rx->reorder_timer); 772 } 773 } 774 775 /* 776 * As this function belongs to the RX path it must be under 777 * rcu_read_lock protection. It returns false if the frame 778 * can be processed immediately, true if it was consumed. 779 */ 780 static bool ieee80211_sta_manage_reorder_buf(struct ieee80211_sub_if_data *sdata, 781 struct tid_ampdu_rx *tid_agg_rx, 782 struct sk_buff *skb, 783 struct sk_buff_head *frames) 784 { 785 struct ieee80211_hdr *hdr = (struct ieee80211_hdr *) skb->data; 786 u16 sc = le16_to_cpu(hdr->seq_ctrl); 787 u16 mpdu_seq_num = (sc & IEEE80211_SCTL_SEQ) >> 4; 788 u16 head_seq_num, buf_size; 789 int index; 790 bool ret = true; 791 792 spin_lock(&tid_agg_rx->reorder_lock); 793 794 buf_size = tid_agg_rx->buf_size; 795 head_seq_num = tid_agg_rx->head_seq_num; 796 797 /* frame with out of date sequence number */ 798 if (ieee80211_sn_less(mpdu_seq_num, head_seq_num)) { 799 dev_kfree_skb(skb); 800 goto out; 801 } 802 803 /* 804 * If frame the sequence number exceeds our buffering window 805 * size release some previous frames to make room for this one. 806 */ 807 if (!ieee80211_sn_less(mpdu_seq_num, head_seq_num + buf_size)) { 808 head_seq_num = ieee80211_sn_inc( 809 ieee80211_sn_sub(mpdu_seq_num, buf_size)); 810 /* release stored frames up to new head to stack */ 811 ieee80211_release_reorder_frames(sdata, tid_agg_rx, 812 head_seq_num, frames); 813 } 814 815 /* Now the new frame is always in the range of the reordering buffer */ 816 817 index = ieee80211_sn_sub(mpdu_seq_num, 818 tid_agg_rx->ssn) % tid_agg_rx->buf_size; 819 820 /* check if we already stored this frame */ 821 if (tid_agg_rx->reorder_buf[index]) { 822 dev_kfree_skb(skb); 823 goto out; 824 } 825 826 /* 827 * If the current MPDU is in the right order and nothing else 828 * is stored we can process it directly, no need to buffer it. 829 * If it is first but there's something stored, we may be able 830 * to release frames after this one. 831 */ 832 if (mpdu_seq_num == tid_agg_rx->head_seq_num && 833 tid_agg_rx->stored_mpdu_num == 0) { 834 tid_agg_rx->head_seq_num = 835 ieee80211_sn_inc(tid_agg_rx->head_seq_num); 836 ret = false; 837 goto out; 838 } 839 840 /* put the frame in the reordering buffer */ 841 tid_agg_rx->reorder_buf[index] = skb; 842 tid_agg_rx->reorder_time[index] = jiffies; 843 tid_agg_rx->stored_mpdu_num++; 844 ieee80211_sta_reorder_release(sdata, tid_agg_rx, frames); 845 846 out: 847 spin_unlock(&tid_agg_rx->reorder_lock); 848 return ret; 849 } 850 851 /* 852 * Reorder MPDUs from A-MPDUs, keeping them on a buffer. Returns 853 * true if the MPDU was buffered, false if it should be processed. 854 */ 855 static void ieee80211_rx_reorder_ampdu(struct ieee80211_rx_data *rx, 856 struct sk_buff_head *frames) 857 { 858 struct sk_buff *skb = rx->skb; 859 struct ieee80211_local *local = rx->local; 860 struct ieee80211_hdr *hdr = (struct ieee80211_hdr *) skb->data; 861 struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(skb); 862 struct sta_info *sta = rx->sta; 863 struct tid_ampdu_rx *tid_agg_rx; 864 u16 sc; 865 u8 tid, ack_policy; 866 867 if (!ieee80211_is_data_qos(hdr->frame_control)) 868 goto dont_reorder; 869 870 /* 871 * filter the QoS data rx stream according to 872 * STA/TID and check if this STA/TID is on aggregation 873 */ 874 875 if (!sta) 876 goto dont_reorder; 877 878 ack_policy = *ieee80211_get_qos_ctl(hdr) & 879 IEEE80211_QOS_CTL_ACK_POLICY_MASK; 880 tid = *ieee80211_get_qos_ctl(hdr) & IEEE80211_QOS_CTL_TID_MASK; 881 882 tid_agg_rx = rcu_dereference(sta->ampdu_mlme.tid_rx[tid]); 883 if (!tid_agg_rx) 884 goto dont_reorder; 885 886 /* qos null data frames are excluded */ 887 if (unlikely(hdr->frame_control & cpu_to_le16(IEEE80211_STYPE_NULLFUNC))) 888 goto dont_reorder; 889 890 /* not part of a BA session */ 891 if (ack_policy != IEEE80211_QOS_CTL_ACK_POLICY_BLOCKACK && 892 ack_policy != IEEE80211_QOS_CTL_ACK_POLICY_NORMAL) 893 goto dont_reorder; 894 895 /* not actually part of this BA session */ 896 if (!(status->rx_flags & IEEE80211_RX_RA_MATCH)) 897 goto dont_reorder; 898 899 /* new, potentially un-ordered, ampdu frame - process it */ 900 901 /* reset session timer */ 902 if (tid_agg_rx->timeout) 903 tid_agg_rx->last_rx = jiffies; 904 905 /* if this mpdu is fragmented - terminate rx aggregation session */ 906 sc = le16_to_cpu(hdr->seq_ctrl); 907 if (sc & IEEE80211_SCTL_FRAG) { 908 skb->pkt_type = IEEE80211_SDATA_QUEUE_TYPE_FRAME; 909 skb_queue_tail(&rx->sdata->skb_queue, skb); 910 ieee80211_queue_work(&local->hw, &rx->sdata->work); 911 return; 912 } 913 914 /* 915 * No locking needed -- we will only ever process one 916 * RX packet at a time, and thus own tid_agg_rx. All 917 * other code manipulating it needs to (and does) make 918 * sure that we cannot get to it any more before doing 919 * anything with it. 920 */ 921 if (ieee80211_sta_manage_reorder_buf(rx->sdata, tid_agg_rx, skb, 922 frames)) 923 return; 924 925 dont_reorder: 926 __skb_queue_tail(frames, skb); 927 } 928 929 static ieee80211_rx_result debug_noinline 930 ieee80211_rx_h_check(struct ieee80211_rx_data *rx) 931 { 932 struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)rx->skb->data; 933 struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(rx->skb); 934 935 /* Drop duplicate 802.11 retransmissions (IEEE 802.11 Chap. 9.2.9) */ 936 if (rx->sta && !is_multicast_ether_addr(hdr->addr1)) { 937 if (unlikely(ieee80211_has_retry(hdr->frame_control) && 938 rx->sta->last_seq_ctrl[rx->seqno_idx] == 939 hdr->seq_ctrl)) { 940 if (status->rx_flags & IEEE80211_RX_RA_MATCH) { 941 rx->local->dot11FrameDuplicateCount++; 942 rx->sta->num_duplicates++; 943 } 944 return RX_DROP_UNUSABLE; 945 } else 946 rx->sta->last_seq_ctrl[rx->seqno_idx] = hdr->seq_ctrl; 947 } 948 949 if (unlikely(rx->skb->len < 16)) { 950 I802_DEBUG_INC(rx->local->rx_handlers_drop_short); 951 return RX_DROP_MONITOR; 952 } 953 954 /* Drop disallowed frame classes based on STA auth/assoc state; 955 * IEEE 802.11, Chap 5.5. 956 * 957 * mac80211 filters only based on association state, i.e. it drops 958 * Class 3 frames from not associated stations. hostapd sends 959 * deauth/disassoc frames when needed. In addition, hostapd is 960 * responsible for filtering on both auth and assoc states. 961 */ 962 963 if (ieee80211_vif_is_mesh(&rx->sdata->vif)) 964 return ieee80211_rx_mesh_check(rx); 965 966 if (unlikely((ieee80211_is_data(hdr->frame_control) || 967 ieee80211_is_pspoll(hdr->frame_control)) && 968 rx->sdata->vif.type != NL80211_IFTYPE_ADHOC && 969 rx->sdata->vif.type != NL80211_IFTYPE_WDS && 970 (!rx->sta || !test_sta_flag(rx->sta, WLAN_STA_ASSOC)))) { 971 /* 972 * accept port control frames from the AP even when it's not 973 * yet marked ASSOC to prevent a race where we don't set the 974 * assoc bit quickly enough before it sends the first frame 975 */ 976 if (rx->sta && rx->sdata->vif.type == NL80211_IFTYPE_STATION && 977 ieee80211_is_data_present(hdr->frame_control)) { 978 unsigned int hdrlen; 979 __be16 ethertype; 980 981 hdrlen = ieee80211_hdrlen(hdr->frame_control); 982 983 if (rx->skb->len < hdrlen + 8) 984 return RX_DROP_MONITOR; 985 986 skb_copy_bits(rx->skb, hdrlen + 6, ðertype, 2); 987 if (ethertype == rx->sdata->control_port_protocol) 988 return RX_CONTINUE; 989 } 990 991 if (rx->sdata->vif.type == NL80211_IFTYPE_AP && 992 cfg80211_rx_spurious_frame(rx->sdata->dev, 993 hdr->addr2, 994 GFP_ATOMIC)) 995 return RX_DROP_UNUSABLE; 996 997 return RX_DROP_MONITOR; 998 } 999 1000 return RX_CONTINUE; 1001 } 1002 1003 1004 static ieee80211_rx_result debug_noinline 1005 ieee80211_rx_h_decrypt(struct ieee80211_rx_data *rx) 1006 { 1007 struct sk_buff *skb = rx->skb; 1008 struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(skb); 1009 struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)skb->data; 1010 int keyidx; 1011 int hdrlen; 1012 ieee80211_rx_result result = RX_DROP_UNUSABLE; 1013 struct ieee80211_key *sta_ptk = NULL; 1014 int mmie_keyidx = -1; 1015 __le16 fc; 1016 1017 /* 1018 * Key selection 101 1019 * 1020 * There are four types of keys: 1021 * - GTK (group keys) 1022 * - IGTK (group keys for management frames) 1023 * - PTK (pairwise keys) 1024 * - STK (station-to-station pairwise keys) 1025 * 1026 * When selecting a key, we have to distinguish between multicast 1027 * (including broadcast) and unicast frames, the latter can only 1028 * use PTKs and STKs while the former always use GTKs and IGTKs. 1029 * Unless, of course, actual WEP keys ("pre-RSNA") are used, then 1030 * unicast frames can also use key indices like GTKs. Hence, if we 1031 * don't have a PTK/STK we check the key index for a WEP key. 1032 * 1033 * Note that in a regular BSS, multicast frames are sent by the 1034 * AP only, associated stations unicast the frame to the AP first 1035 * which then multicasts it on their behalf. 1036 * 1037 * There is also a slight problem in IBSS mode: GTKs are negotiated 1038 * with each station, that is something we don't currently handle. 1039 * The spec seems to expect that one negotiates the same key with 1040 * every station but there's no such requirement; VLANs could be 1041 * possible. 1042 */ 1043 1044 /* 1045 * No point in finding a key and decrypting if the frame is neither 1046 * addressed to us nor a multicast frame. 1047 */ 1048 if (!(status->rx_flags & IEEE80211_RX_RA_MATCH)) 1049 return RX_CONTINUE; 1050 1051 /* start without a key */ 1052 rx->key = NULL; 1053 1054 if (rx->sta) 1055 sta_ptk = rcu_dereference(rx->sta->ptk); 1056 1057 fc = hdr->frame_control; 1058 1059 if (!ieee80211_has_protected(fc)) 1060 mmie_keyidx = ieee80211_get_mmie_keyidx(rx->skb); 1061 1062 if (!is_multicast_ether_addr(hdr->addr1) && sta_ptk) { 1063 rx->key = sta_ptk; 1064 if ((status->flag & RX_FLAG_DECRYPTED) && 1065 (status->flag & RX_FLAG_IV_STRIPPED)) 1066 return RX_CONTINUE; 1067 /* Skip decryption if the frame is not protected. */ 1068 if (!ieee80211_has_protected(fc)) 1069 return RX_CONTINUE; 1070 } else if (mmie_keyidx >= 0) { 1071 /* Broadcast/multicast robust management frame / BIP */ 1072 if ((status->flag & RX_FLAG_DECRYPTED) && 1073 (status->flag & RX_FLAG_IV_STRIPPED)) 1074 return RX_CONTINUE; 1075 1076 if (mmie_keyidx < NUM_DEFAULT_KEYS || 1077 mmie_keyidx >= NUM_DEFAULT_KEYS + NUM_DEFAULT_MGMT_KEYS) 1078 return RX_DROP_MONITOR; /* unexpected BIP keyidx */ 1079 if (rx->sta) 1080 rx->key = rcu_dereference(rx->sta->gtk[mmie_keyidx]); 1081 if (!rx->key) 1082 rx->key = rcu_dereference(rx->sdata->keys[mmie_keyidx]); 1083 } else if (!ieee80211_has_protected(fc)) { 1084 /* 1085 * The frame was not protected, so skip decryption. However, we 1086 * need to set rx->key if there is a key that could have been 1087 * used so that the frame may be dropped if encryption would 1088 * have been expected. 1089 */ 1090 struct ieee80211_key *key = NULL; 1091 struct ieee80211_sub_if_data *sdata = rx->sdata; 1092 int i; 1093 1094 if (ieee80211_is_mgmt(fc) && 1095 is_multicast_ether_addr(hdr->addr1) && 1096 (key = rcu_dereference(rx->sdata->default_mgmt_key))) 1097 rx->key = key; 1098 else { 1099 if (rx->sta) { 1100 for (i = 0; i < NUM_DEFAULT_KEYS; i++) { 1101 key = rcu_dereference(rx->sta->gtk[i]); 1102 if (key) 1103 break; 1104 } 1105 } 1106 if (!key) { 1107 for (i = 0; i < NUM_DEFAULT_KEYS; i++) { 1108 key = rcu_dereference(sdata->keys[i]); 1109 if (key) 1110 break; 1111 } 1112 } 1113 if (key) 1114 rx->key = key; 1115 } 1116 return RX_CONTINUE; 1117 } else { 1118 u8 keyid; 1119 /* 1120 * The device doesn't give us the IV so we won't be 1121 * able to look up the key. That's ok though, we 1122 * don't need to decrypt the frame, we just won't 1123 * be able to keep statistics accurate. 1124 * Except for key threshold notifications, should 1125 * we somehow allow the driver to tell us which key 1126 * the hardware used if this flag is set? 1127 */ 1128 if ((status->flag & RX_FLAG_DECRYPTED) && 1129 (status->flag & RX_FLAG_IV_STRIPPED)) 1130 return RX_CONTINUE; 1131 1132 hdrlen = ieee80211_hdrlen(fc); 1133 1134 if (rx->skb->len < 8 + hdrlen) 1135 return RX_DROP_UNUSABLE; /* TODO: count this? */ 1136 1137 /* 1138 * no need to call ieee80211_wep_get_keyidx, 1139 * it verifies a bunch of things we've done already 1140 */ 1141 skb_copy_bits(rx->skb, hdrlen + 3, &keyid, 1); 1142 keyidx = keyid >> 6; 1143 1144 /* check per-station GTK first, if multicast packet */ 1145 if (is_multicast_ether_addr(hdr->addr1) && rx->sta) 1146 rx->key = rcu_dereference(rx->sta->gtk[keyidx]); 1147 1148 /* if not found, try default key */ 1149 if (!rx->key) { 1150 rx->key = rcu_dereference(rx->sdata->keys[keyidx]); 1151 1152 /* 1153 * RSNA-protected unicast frames should always be 1154 * sent with pairwise or station-to-station keys, 1155 * but for WEP we allow using a key index as well. 1156 */ 1157 if (rx->key && 1158 rx->key->conf.cipher != WLAN_CIPHER_SUITE_WEP40 && 1159 rx->key->conf.cipher != WLAN_CIPHER_SUITE_WEP104 && 1160 !is_multicast_ether_addr(hdr->addr1)) 1161 rx->key = NULL; 1162 } 1163 } 1164 1165 if (rx->key) { 1166 if (unlikely(rx->key->flags & KEY_FLAG_TAINTED)) 1167 return RX_DROP_MONITOR; 1168 1169 rx->key->tx_rx_count++; 1170 /* TODO: add threshold stuff again */ 1171 } else { 1172 return RX_DROP_MONITOR; 1173 } 1174 1175 switch (rx->key->conf.cipher) { 1176 case WLAN_CIPHER_SUITE_WEP40: 1177 case WLAN_CIPHER_SUITE_WEP104: 1178 result = ieee80211_crypto_wep_decrypt(rx); 1179 break; 1180 case WLAN_CIPHER_SUITE_TKIP: 1181 result = ieee80211_crypto_tkip_decrypt(rx); 1182 break; 1183 case WLAN_CIPHER_SUITE_CCMP: 1184 result = ieee80211_crypto_ccmp_decrypt(rx); 1185 break; 1186 case WLAN_CIPHER_SUITE_AES_CMAC: 1187 result = ieee80211_crypto_aes_cmac_decrypt(rx); 1188 break; 1189 default: 1190 /* 1191 * We can reach here only with HW-only algorithms 1192 * but why didn't it decrypt the frame?! 1193 */ 1194 return RX_DROP_UNUSABLE; 1195 } 1196 1197 /* the hdr variable is invalid after the decrypt handlers */ 1198 1199 /* either the frame has been decrypted or will be dropped */ 1200 status->flag |= RX_FLAG_DECRYPTED; 1201 1202 return result; 1203 } 1204 1205 static ieee80211_rx_result debug_noinline 1206 ieee80211_rx_h_check_more_data(struct ieee80211_rx_data *rx) 1207 { 1208 struct ieee80211_local *local; 1209 struct ieee80211_hdr *hdr; 1210 struct sk_buff *skb; 1211 1212 local = rx->local; 1213 skb = rx->skb; 1214 hdr = (struct ieee80211_hdr *) skb->data; 1215 1216 if (!local->pspolling) 1217 return RX_CONTINUE; 1218 1219 if (!ieee80211_has_fromds(hdr->frame_control)) 1220 /* this is not from AP */ 1221 return RX_CONTINUE; 1222 1223 if (!ieee80211_is_data(hdr->frame_control)) 1224 return RX_CONTINUE; 1225 1226 if (!ieee80211_has_moredata(hdr->frame_control)) { 1227 /* AP has no more frames buffered for us */ 1228 local->pspolling = false; 1229 return RX_CONTINUE; 1230 } 1231 1232 /* more data bit is set, let's request a new frame from the AP */ 1233 ieee80211_send_pspoll(local, rx->sdata); 1234 1235 return RX_CONTINUE; 1236 } 1237 1238 static void sta_ps_start(struct sta_info *sta) 1239 { 1240 struct ieee80211_sub_if_data *sdata = sta->sdata; 1241 struct ieee80211_local *local = sdata->local; 1242 struct ps_data *ps; 1243 1244 if (sta->sdata->vif.type == NL80211_IFTYPE_AP || 1245 sta->sdata->vif.type == NL80211_IFTYPE_AP_VLAN) 1246 ps = &sdata->bss->ps; 1247 else 1248 return; 1249 1250 atomic_inc(&ps->num_sta_ps); 1251 set_sta_flag(sta, WLAN_STA_PS_STA); 1252 if (!(local->hw.flags & IEEE80211_HW_AP_LINK_PS)) 1253 drv_sta_notify(local, sdata, STA_NOTIFY_SLEEP, &sta->sta); 1254 ps_dbg(sdata, "STA %pM aid %d enters power save mode\n", 1255 sta->sta.addr, sta->sta.aid); 1256 } 1257 1258 static void sta_ps_end(struct sta_info *sta) 1259 { 1260 ps_dbg(sta->sdata, "STA %pM aid %d exits power save mode\n", 1261 sta->sta.addr, sta->sta.aid); 1262 1263 if (test_sta_flag(sta, WLAN_STA_PS_DRIVER)) { 1264 ps_dbg(sta->sdata, "STA %pM aid %d driver-ps-blocked\n", 1265 sta->sta.addr, sta->sta.aid); 1266 return; 1267 } 1268 1269 ieee80211_sta_ps_deliver_wakeup(sta); 1270 } 1271 1272 int ieee80211_sta_ps_transition(struct ieee80211_sta *sta, bool start) 1273 { 1274 struct sta_info *sta_inf = container_of(sta, struct sta_info, sta); 1275 bool in_ps; 1276 1277 WARN_ON(!(sta_inf->local->hw.flags & IEEE80211_HW_AP_LINK_PS)); 1278 1279 /* Don't let the same PS state be set twice */ 1280 in_ps = test_sta_flag(sta_inf, WLAN_STA_PS_STA); 1281 if ((start && in_ps) || (!start && !in_ps)) 1282 return -EINVAL; 1283 1284 if (start) 1285 sta_ps_start(sta_inf); 1286 else 1287 sta_ps_end(sta_inf); 1288 1289 return 0; 1290 } 1291 EXPORT_SYMBOL(ieee80211_sta_ps_transition); 1292 1293 static ieee80211_rx_result debug_noinline 1294 ieee80211_rx_h_uapsd_and_pspoll(struct ieee80211_rx_data *rx) 1295 { 1296 struct ieee80211_sub_if_data *sdata = rx->sdata; 1297 struct ieee80211_hdr *hdr = (void *)rx->skb->data; 1298 struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(rx->skb); 1299 int tid, ac; 1300 1301 if (!rx->sta || !(status->rx_flags & IEEE80211_RX_RA_MATCH)) 1302 return RX_CONTINUE; 1303 1304 if (sdata->vif.type != NL80211_IFTYPE_AP && 1305 sdata->vif.type != NL80211_IFTYPE_AP_VLAN) 1306 return RX_CONTINUE; 1307 1308 /* 1309 * The device handles station powersave, so don't do anything about 1310 * uAPSD and PS-Poll frames (the latter shouldn't even come up from 1311 * it to mac80211 since they're handled.) 1312 */ 1313 if (sdata->local->hw.flags & IEEE80211_HW_AP_LINK_PS) 1314 return RX_CONTINUE; 1315 1316 /* 1317 * Don't do anything if the station isn't already asleep. In 1318 * the uAPSD case, the station will probably be marked asleep, 1319 * in the PS-Poll case the station must be confused ... 1320 */ 1321 if (!test_sta_flag(rx->sta, WLAN_STA_PS_STA)) 1322 return RX_CONTINUE; 1323 1324 if (unlikely(ieee80211_is_pspoll(hdr->frame_control))) { 1325 if (!test_sta_flag(rx->sta, WLAN_STA_SP)) { 1326 if (!test_sta_flag(rx->sta, WLAN_STA_PS_DRIVER)) 1327 ieee80211_sta_ps_deliver_poll_response(rx->sta); 1328 else 1329 set_sta_flag(rx->sta, WLAN_STA_PSPOLL); 1330 } 1331 1332 /* Free PS Poll skb here instead of returning RX_DROP that would 1333 * count as an dropped frame. */ 1334 dev_kfree_skb(rx->skb); 1335 1336 return RX_QUEUED; 1337 } else if (!ieee80211_has_morefrags(hdr->frame_control) && 1338 !(status->rx_flags & IEEE80211_RX_DEFERRED_RELEASE) && 1339 ieee80211_has_pm(hdr->frame_control) && 1340 (ieee80211_is_data_qos(hdr->frame_control) || 1341 ieee80211_is_qos_nullfunc(hdr->frame_control))) { 1342 tid = *ieee80211_get_qos_ctl(hdr) & IEEE80211_QOS_CTL_TID_MASK; 1343 ac = ieee802_1d_to_ac[tid & 7]; 1344 1345 /* 1346 * If this AC is not trigger-enabled do nothing. 1347 * 1348 * NB: This could/should check a separate bitmap of trigger- 1349 * enabled queues, but for now we only implement uAPSD w/o 1350 * TSPEC changes to the ACs, so they're always the same. 1351 */ 1352 if (!(rx->sta->sta.uapsd_queues & BIT(ac))) 1353 return RX_CONTINUE; 1354 1355 /* if we are in a service period, do nothing */ 1356 if (test_sta_flag(rx->sta, WLAN_STA_SP)) 1357 return RX_CONTINUE; 1358 1359 if (!test_sta_flag(rx->sta, WLAN_STA_PS_DRIVER)) 1360 ieee80211_sta_ps_deliver_uapsd(rx->sta); 1361 else 1362 set_sta_flag(rx->sta, WLAN_STA_UAPSD); 1363 } 1364 1365 return RX_CONTINUE; 1366 } 1367 1368 static ieee80211_rx_result debug_noinline 1369 ieee80211_rx_h_sta_process(struct ieee80211_rx_data *rx) 1370 { 1371 struct sta_info *sta = rx->sta; 1372 struct sk_buff *skb = rx->skb; 1373 struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(skb); 1374 struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)skb->data; 1375 1376 if (!sta) 1377 return RX_CONTINUE; 1378 1379 /* 1380 * Update last_rx only for IBSS packets which are for the current 1381 * BSSID and for station already AUTHORIZED to avoid keeping the 1382 * current IBSS network alive in cases where other STAs start 1383 * using different BSSID. This will also give the station another 1384 * chance to restart the authentication/authorization in case 1385 * something went wrong the first time. 1386 */ 1387 if (rx->sdata->vif.type == NL80211_IFTYPE_ADHOC) { 1388 u8 *bssid = ieee80211_get_bssid(hdr, rx->skb->len, 1389 NL80211_IFTYPE_ADHOC); 1390 if (ether_addr_equal(bssid, rx->sdata->u.ibss.bssid) && 1391 test_sta_flag(sta, WLAN_STA_AUTHORIZED)) { 1392 sta->last_rx = jiffies; 1393 if (ieee80211_is_data(hdr->frame_control)) { 1394 sta->last_rx_rate_idx = status->rate_idx; 1395 sta->last_rx_rate_flag = status->flag; 1396 sta->last_rx_rate_vht_nss = status->vht_nss; 1397 } 1398 } 1399 } else if (!is_multicast_ether_addr(hdr->addr1)) { 1400 /* 1401 * Mesh beacons will update last_rx when if they are found to 1402 * match the current local configuration when processed. 1403 */ 1404 sta->last_rx = jiffies; 1405 if (ieee80211_is_data(hdr->frame_control)) { 1406 sta->last_rx_rate_idx = status->rate_idx; 1407 sta->last_rx_rate_flag = status->flag; 1408 sta->last_rx_rate_vht_nss = status->vht_nss; 1409 } 1410 } 1411 1412 if (!(status->rx_flags & IEEE80211_RX_RA_MATCH)) 1413 return RX_CONTINUE; 1414 1415 if (rx->sdata->vif.type == NL80211_IFTYPE_STATION) 1416 ieee80211_sta_rx_notify(rx->sdata, hdr); 1417 1418 sta->rx_fragments++; 1419 sta->rx_bytes += rx->skb->len; 1420 if (!(status->flag & RX_FLAG_NO_SIGNAL_VAL)) { 1421 sta->last_signal = status->signal; 1422 ewma_add(&sta->avg_signal, -status->signal); 1423 } 1424 1425 /* 1426 * Change STA power saving mode only at the end of a frame 1427 * exchange sequence. 1428 */ 1429 if (!(sta->local->hw.flags & IEEE80211_HW_AP_LINK_PS) && 1430 !ieee80211_has_morefrags(hdr->frame_control) && 1431 !(status->rx_flags & IEEE80211_RX_DEFERRED_RELEASE) && 1432 (rx->sdata->vif.type == NL80211_IFTYPE_AP || 1433 rx->sdata->vif.type == NL80211_IFTYPE_AP_VLAN)) { 1434 if (test_sta_flag(sta, WLAN_STA_PS_STA)) { 1435 /* 1436 * Ignore doze->wake transitions that are 1437 * indicated by non-data frames, the standard 1438 * is unclear here, but for example going to 1439 * PS mode and then scanning would cause a 1440 * doze->wake transition for the probe request, 1441 * and that is clearly undesirable. 1442 */ 1443 if (ieee80211_is_data(hdr->frame_control) && 1444 !ieee80211_has_pm(hdr->frame_control)) 1445 sta_ps_end(sta); 1446 } else { 1447 if (ieee80211_has_pm(hdr->frame_control)) 1448 sta_ps_start(sta); 1449 } 1450 } 1451 1452 /* mesh power save support */ 1453 if (ieee80211_vif_is_mesh(&rx->sdata->vif)) 1454 ieee80211_mps_rx_h_sta_process(sta, hdr); 1455 1456 /* 1457 * Drop (qos-)data::nullfunc frames silently, since they 1458 * are used only to control station power saving mode. 1459 */ 1460 if (ieee80211_is_nullfunc(hdr->frame_control) || 1461 ieee80211_is_qos_nullfunc(hdr->frame_control)) { 1462 I802_DEBUG_INC(rx->local->rx_handlers_drop_nullfunc); 1463 1464 /* 1465 * If we receive a 4-addr nullfunc frame from a STA 1466 * that was not moved to a 4-addr STA vlan yet send 1467 * the event to userspace and for older hostapd drop 1468 * the frame to the monitor interface. 1469 */ 1470 if (ieee80211_has_a4(hdr->frame_control) && 1471 (rx->sdata->vif.type == NL80211_IFTYPE_AP || 1472 (rx->sdata->vif.type == NL80211_IFTYPE_AP_VLAN && 1473 !rx->sdata->u.vlan.sta))) { 1474 if (!test_and_set_sta_flag(sta, WLAN_STA_4ADDR_EVENT)) 1475 cfg80211_rx_unexpected_4addr_frame( 1476 rx->sdata->dev, sta->sta.addr, 1477 GFP_ATOMIC); 1478 return RX_DROP_MONITOR; 1479 } 1480 /* 1481 * Update counter and free packet here to avoid 1482 * counting this as a dropped packed. 1483 */ 1484 sta->rx_packets++; 1485 dev_kfree_skb(rx->skb); 1486 return RX_QUEUED; 1487 } 1488 1489 return RX_CONTINUE; 1490 } /* ieee80211_rx_h_sta_process */ 1491 1492 static inline struct ieee80211_fragment_entry * 1493 ieee80211_reassemble_add(struct ieee80211_sub_if_data *sdata, 1494 unsigned int frag, unsigned int seq, int rx_queue, 1495 struct sk_buff **skb) 1496 { 1497 struct ieee80211_fragment_entry *entry; 1498 1499 entry = &sdata->fragments[sdata->fragment_next++]; 1500 if (sdata->fragment_next >= IEEE80211_FRAGMENT_MAX) 1501 sdata->fragment_next = 0; 1502 1503 if (!skb_queue_empty(&entry->skb_list)) 1504 __skb_queue_purge(&entry->skb_list); 1505 1506 __skb_queue_tail(&entry->skb_list, *skb); /* no need for locking */ 1507 *skb = NULL; 1508 entry->first_frag_time = jiffies; 1509 entry->seq = seq; 1510 entry->rx_queue = rx_queue; 1511 entry->last_frag = frag; 1512 entry->ccmp = 0; 1513 entry->extra_len = 0; 1514 1515 return entry; 1516 } 1517 1518 static inline struct ieee80211_fragment_entry * 1519 ieee80211_reassemble_find(struct ieee80211_sub_if_data *sdata, 1520 unsigned int frag, unsigned int seq, 1521 int rx_queue, struct ieee80211_hdr *hdr) 1522 { 1523 struct ieee80211_fragment_entry *entry; 1524 int i, idx; 1525 1526 idx = sdata->fragment_next; 1527 for (i = 0; i < IEEE80211_FRAGMENT_MAX; i++) { 1528 struct ieee80211_hdr *f_hdr; 1529 1530 idx--; 1531 if (idx < 0) 1532 idx = IEEE80211_FRAGMENT_MAX - 1; 1533 1534 entry = &sdata->fragments[idx]; 1535 if (skb_queue_empty(&entry->skb_list) || entry->seq != seq || 1536 entry->rx_queue != rx_queue || 1537 entry->last_frag + 1 != frag) 1538 continue; 1539 1540 f_hdr = (struct ieee80211_hdr *)entry->skb_list.next->data; 1541 1542 /* 1543 * Check ftype and addresses are equal, else check next fragment 1544 */ 1545 if (((hdr->frame_control ^ f_hdr->frame_control) & 1546 cpu_to_le16(IEEE80211_FCTL_FTYPE)) || 1547 !ether_addr_equal(hdr->addr1, f_hdr->addr1) || 1548 !ether_addr_equal(hdr->addr2, f_hdr->addr2)) 1549 continue; 1550 1551 if (time_after(jiffies, entry->first_frag_time + 2 * HZ)) { 1552 __skb_queue_purge(&entry->skb_list); 1553 continue; 1554 } 1555 return entry; 1556 } 1557 1558 return NULL; 1559 } 1560 1561 static ieee80211_rx_result debug_noinline 1562 ieee80211_rx_h_defragment(struct ieee80211_rx_data *rx) 1563 { 1564 struct ieee80211_hdr *hdr; 1565 u16 sc; 1566 __le16 fc; 1567 unsigned int frag, seq; 1568 struct ieee80211_fragment_entry *entry; 1569 struct sk_buff *skb; 1570 struct ieee80211_rx_status *status; 1571 1572 hdr = (struct ieee80211_hdr *)rx->skb->data; 1573 fc = hdr->frame_control; 1574 1575 if (ieee80211_is_ctl(fc)) 1576 return RX_CONTINUE; 1577 1578 sc = le16_to_cpu(hdr->seq_ctrl); 1579 frag = sc & IEEE80211_SCTL_FRAG; 1580 1581 if (likely((!ieee80211_has_morefrags(fc) && frag == 0) || 1582 is_multicast_ether_addr(hdr->addr1))) { 1583 /* not fragmented */ 1584 goto out; 1585 } 1586 I802_DEBUG_INC(rx->local->rx_handlers_fragments); 1587 1588 if (skb_linearize(rx->skb)) 1589 return RX_DROP_UNUSABLE; 1590 1591 /* 1592 * skb_linearize() might change the skb->data and 1593 * previously cached variables (in this case, hdr) need to 1594 * be refreshed with the new data. 1595 */ 1596 hdr = (struct ieee80211_hdr *)rx->skb->data; 1597 seq = (sc & IEEE80211_SCTL_SEQ) >> 4; 1598 1599 if (frag == 0) { 1600 /* This is the first fragment of a new frame. */ 1601 entry = ieee80211_reassemble_add(rx->sdata, frag, seq, 1602 rx->seqno_idx, &(rx->skb)); 1603 if (rx->key && rx->key->conf.cipher == WLAN_CIPHER_SUITE_CCMP && 1604 ieee80211_has_protected(fc)) { 1605 int queue = rx->security_idx; 1606 /* Store CCMP PN so that we can verify that the next 1607 * fragment has a sequential PN value. */ 1608 entry->ccmp = 1; 1609 memcpy(entry->last_pn, 1610 rx->key->u.ccmp.rx_pn[queue], 1611 CCMP_PN_LEN); 1612 } 1613 return RX_QUEUED; 1614 } 1615 1616 /* This is a fragment for a frame that should already be pending in 1617 * fragment cache. Add this fragment to the end of the pending entry. 1618 */ 1619 entry = ieee80211_reassemble_find(rx->sdata, frag, seq, 1620 rx->seqno_idx, hdr); 1621 if (!entry) { 1622 I802_DEBUG_INC(rx->local->rx_handlers_drop_defrag); 1623 return RX_DROP_MONITOR; 1624 } 1625 1626 /* Verify that MPDUs within one MSDU have sequential PN values. 1627 * (IEEE 802.11i, 8.3.3.4.5) */ 1628 if (entry->ccmp) { 1629 int i; 1630 u8 pn[CCMP_PN_LEN], *rpn; 1631 int queue; 1632 if (!rx->key || rx->key->conf.cipher != WLAN_CIPHER_SUITE_CCMP) 1633 return RX_DROP_UNUSABLE; 1634 memcpy(pn, entry->last_pn, CCMP_PN_LEN); 1635 for (i = CCMP_PN_LEN - 1; i >= 0; i--) { 1636 pn[i]++; 1637 if (pn[i]) 1638 break; 1639 } 1640 queue = rx->security_idx; 1641 rpn = rx->key->u.ccmp.rx_pn[queue]; 1642 if (memcmp(pn, rpn, CCMP_PN_LEN)) 1643 return RX_DROP_UNUSABLE; 1644 memcpy(entry->last_pn, pn, CCMP_PN_LEN); 1645 } 1646 1647 skb_pull(rx->skb, ieee80211_hdrlen(fc)); 1648 __skb_queue_tail(&entry->skb_list, rx->skb); 1649 entry->last_frag = frag; 1650 entry->extra_len += rx->skb->len; 1651 if (ieee80211_has_morefrags(fc)) { 1652 rx->skb = NULL; 1653 return RX_QUEUED; 1654 } 1655 1656 rx->skb = __skb_dequeue(&entry->skb_list); 1657 if (skb_tailroom(rx->skb) < entry->extra_len) { 1658 I802_DEBUG_INC(rx->local->rx_expand_skb_head2); 1659 if (unlikely(pskb_expand_head(rx->skb, 0, entry->extra_len, 1660 GFP_ATOMIC))) { 1661 I802_DEBUG_INC(rx->local->rx_handlers_drop_defrag); 1662 __skb_queue_purge(&entry->skb_list); 1663 return RX_DROP_UNUSABLE; 1664 } 1665 } 1666 while ((skb = __skb_dequeue(&entry->skb_list))) { 1667 memcpy(skb_put(rx->skb, skb->len), skb->data, skb->len); 1668 dev_kfree_skb(skb); 1669 } 1670 1671 /* Complete frame has been reassembled - process it now */ 1672 status = IEEE80211_SKB_RXCB(rx->skb); 1673 status->rx_flags |= IEEE80211_RX_FRAGMENTED; 1674 1675 out: 1676 if (rx->sta) 1677 rx->sta->rx_packets++; 1678 if (is_multicast_ether_addr(hdr->addr1)) 1679 rx->local->dot11MulticastReceivedFrameCount++; 1680 else 1681 ieee80211_led_rx(rx->local); 1682 return RX_CONTINUE; 1683 } 1684 1685 static int ieee80211_802_1x_port_control(struct ieee80211_rx_data *rx) 1686 { 1687 if (unlikely(!rx->sta || !test_sta_flag(rx->sta, WLAN_STA_AUTHORIZED))) 1688 return -EACCES; 1689 1690 return 0; 1691 } 1692 1693 static int ieee80211_drop_unencrypted(struct ieee80211_rx_data *rx, __le16 fc) 1694 { 1695 struct sk_buff *skb = rx->skb; 1696 struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(skb); 1697 1698 /* 1699 * Pass through unencrypted frames if the hardware has 1700 * decrypted them already. 1701 */ 1702 if (status->flag & RX_FLAG_DECRYPTED) 1703 return 0; 1704 1705 /* Drop unencrypted frames if key is set. */ 1706 if (unlikely(!ieee80211_has_protected(fc) && 1707 !ieee80211_is_nullfunc(fc) && 1708 ieee80211_is_data(fc) && 1709 (rx->key || rx->sdata->drop_unencrypted))) 1710 return -EACCES; 1711 1712 return 0; 1713 } 1714 1715 static int ieee80211_drop_unencrypted_mgmt(struct ieee80211_rx_data *rx) 1716 { 1717 struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)rx->skb->data; 1718 struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(rx->skb); 1719 __le16 fc = hdr->frame_control; 1720 1721 /* 1722 * Pass through unencrypted frames if the hardware has 1723 * decrypted them already. 1724 */ 1725 if (status->flag & RX_FLAG_DECRYPTED) 1726 return 0; 1727 1728 if (rx->sta && test_sta_flag(rx->sta, WLAN_STA_MFP)) { 1729 if (unlikely(!ieee80211_has_protected(fc) && 1730 ieee80211_is_unicast_robust_mgmt_frame(rx->skb) && 1731 rx->key)) { 1732 if (ieee80211_is_deauth(fc)) 1733 cfg80211_send_unprot_deauth(rx->sdata->dev, 1734 rx->skb->data, 1735 rx->skb->len); 1736 else if (ieee80211_is_disassoc(fc)) 1737 cfg80211_send_unprot_disassoc(rx->sdata->dev, 1738 rx->skb->data, 1739 rx->skb->len); 1740 return -EACCES; 1741 } 1742 /* BIP does not use Protected field, so need to check MMIE */ 1743 if (unlikely(ieee80211_is_multicast_robust_mgmt_frame(rx->skb) && 1744 ieee80211_get_mmie_keyidx(rx->skb) < 0)) { 1745 if (ieee80211_is_deauth(fc)) 1746 cfg80211_send_unprot_deauth(rx->sdata->dev, 1747 rx->skb->data, 1748 rx->skb->len); 1749 else if (ieee80211_is_disassoc(fc)) 1750 cfg80211_send_unprot_disassoc(rx->sdata->dev, 1751 rx->skb->data, 1752 rx->skb->len); 1753 return -EACCES; 1754 } 1755 /* 1756 * When using MFP, Action frames are not allowed prior to 1757 * having configured keys. 1758 */ 1759 if (unlikely(ieee80211_is_action(fc) && !rx->key && 1760 ieee80211_is_robust_mgmt_frame( 1761 (struct ieee80211_hdr *) rx->skb->data))) 1762 return -EACCES; 1763 } 1764 1765 return 0; 1766 } 1767 1768 static int 1769 __ieee80211_data_to_8023(struct ieee80211_rx_data *rx, bool *port_control) 1770 { 1771 struct ieee80211_sub_if_data *sdata = rx->sdata; 1772 struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)rx->skb->data; 1773 bool check_port_control = false; 1774 struct ethhdr *ehdr; 1775 int ret; 1776 1777 *port_control = false; 1778 if (ieee80211_has_a4(hdr->frame_control) && 1779 sdata->vif.type == NL80211_IFTYPE_AP_VLAN && !sdata->u.vlan.sta) 1780 return -1; 1781 1782 if (sdata->vif.type == NL80211_IFTYPE_STATION && 1783 !!sdata->u.mgd.use_4addr != !!ieee80211_has_a4(hdr->frame_control)) { 1784 1785 if (!sdata->u.mgd.use_4addr) 1786 return -1; 1787 else 1788 check_port_control = true; 1789 } 1790 1791 if (is_multicast_ether_addr(hdr->addr1) && 1792 sdata->vif.type == NL80211_IFTYPE_AP_VLAN && sdata->u.vlan.sta) 1793 return -1; 1794 1795 ret = ieee80211_data_to_8023(rx->skb, sdata->vif.addr, sdata->vif.type); 1796 if (ret < 0) 1797 return ret; 1798 1799 ehdr = (struct ethhdr *) rx->skb->data; 1800 if (ehdr->h_proto == rx->sdata->control_port_protocol) 1801 *port_control = true; 1802 else if (check_port_control) 1803 return -1; 1804 1805 return 0; 1806 } 1807 1808 /* 1809 * requires that rx->skb is a frame with ethernet header 1810 */ 1811 static bool ieee80211_frame_allowed(struct ieee80211_rx_data *rx, __le16 fc) 1812 { 1813 static const u8 pae_group_addr[ETH_ALEN] __aligned(2) 1814 = { 0x01, 0x80, 0xC2, 0x00, 0x00, 0x03 }; 1815 struct ethhdr *ehdr = (struct ethhdr *) rx->skb->data; 1816 1817 /* 1818 * Allow EAPOL frames to us/the PAE group address regardless 1819 * of whether the frame was encrypted or not. 1820 */ 1821 if (ehdr->h_proto == rx->sdata->control_port_protocol && 1822 (ether_addr_equal(ehdr->h_dest, rx->sdata->vif.addr) || 1823 ether_addr_equal(ehdr->h_dest, pae_group_addr))) 1824 return true; 1825 1826 if (ieee80211_802_1x_port_control(rx) || 1827 ieee80211_drop_unencrypted(rx, fc)) 1828 return false; 1829 1830 return true; 1831 } 1832 1833 /* 1834 * requires that rx->skb is a frame with ethernet header 1835 */ 1836 static void 1837 ieee80211_deliver_skb(struct ieee80211_rx_data *rx) 1838 { 1839 struct ieee80211_sub_if_data *sdata = rx->sdata; 1840 struct net_device *dev = sdata->dev; 1841 struct sk_buff *skb, *xmit_skb; 1842 struct ethhdr *ehdr = (struct ethhdr *) rx->skb->data; 1843 struct sta_info *dsta; 1844 struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(rx->skb); 1845 1846 skb = rx->skb; 1847 xmit_skb = NULL; 1848 1849 if ((sdata->vif.type == NL80211_IFTYPE_AP || 1850 sdata->vif.type == NL80211_IFTYPE_AP_VLAN) && 1851 !(sdata->flags & IEEE80211_SDATA_DONT_BRIDGE_PACKETS) && 1852 (status->rx_flags & IEEE80211_RX_RA_MATCH) && 1853 (sdata->vif.type != NL80211_IFTYPE_AP_VLAN || !sdata->u.vlan.sta)) { 1854 if (is_multicast_ether_addr(ehdr->h_dest)) { 1855 /* 1856 * send multicast frames both to higher layers in 1857 * local net stack and back to the wireless medium 1858 */ 1859 xmit_skb = skb_copy(skb, GFP_ATOMIC); 1860 if (!xmit_skb) 1861 net_info_ratelimited("%s: failed to clone multicast frame\n", 1862 dev->name); 1863 } else { 1864 dsta = sta_info_get(sdata, skb->data); 1865 if (dsta) { 1866 /* 1867 * The destination station is associated to 1868 * this AP (in this VLAN), so send the frame 1869 * directly to it and do not pass it to local 1870 * net stack. 1871 */ 1872 xmit_skb = skb; 1873 skb = NULL; 1874 } 1875 } 1876 } 1877 1878 if (skb) { 1879 int align __maybe_unused; 1880 1881 #ifndef CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS 1882 /* 1883 * 'align' will only take the values 0 or 2 here 1884 * since all frames are required to be aligned 1885 * to 2-byte boundaries when being passed to 1886 * mac80211; the code here works just as well if 1887 * that isn't true, but mac80211 assumes it can 1888 * access fields as 2-byte aligned (e.g. for 1889 * compare_ether_addr) 1890 */ 1891 align = ((unsigned long)(skb->data + sizeof(struct ethhdr))) & 3; 1892 if (align) { 1893 if (WARN_ON(skb_headroom(skb) < 3)) { 1894 dev_kfree_skb(skb); 1895 skb = NULL; 1896 } else { 1897 u8 *data = skb->data; 1898 size_t len = skb_headlen(skb); 1899 skb->data -= align; 1900 memmove(skb->data, data, len); 1901 skb_set_tail_pointer(skb, len); 1902 } 1903 } 1904 #endif 1905 1906 if (skb) { 1907 /* deliver to local stack */ 1908 skb->protocol = eth_type_trans(skb, dev); 1909 memset(skb->cb, 0, sizeof(skb->cb)); 1910 netif_receive_skb(skb); 1911 } 1912 } 1913 1914 if (xmit_skb) { 1915 /* 1916 * Send to wireless media and increase priority by 256 to 1917 * keep the received priority instead of reclassifying 1918 * the frame (see cfg80211_classify8021d). 1919 */ 1920 xmit_skb->priority += 256; 1921 xmit_skb->protocol = htons(ETH_P_802_3); 1922 skb_reset_network_header(xmit_skb); 1923 skb_reset_mac_header(xmit_skb); 1924 dev_queue_xmit(xmit_skb); 1925 } 1926 } 1927 1928 static ieee80211_rx_result debug_noinline 1929 ieee80211_rx_h_amsdu(struct ieee80211_rx_data *rx) 1930 { 1931 struct net_device *dev = rx->sdata->dev; 1932 struct sk_buff *skb = rx->skb; 1933 struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)skb->data; 1934 __le16 fc = hdr->frame_control; 1935 struct sk_buff_head frame_list; 1936 struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(rx->skb); 1937 1938 if (unlikely(!ieee80211_is_data(fc))) 1939 return RX_CONTINUE; 1940 1941 if (unlikely(!ieee80211_is_data_present(fc))) 1942 return RX_DROP_MONITOR; 1943 1944 if (!(status->rx_flags & IEEE80211_RX_AMSDU)) 1945 return RX_CONTINUE; 1946 1947 if (ieee80211_has_a4(hdr->frame_control) && 1948 rx->sdata->vif.type == NL80211_IFTYPE_AP_VLAN && 1949 !rx->sdata->u.vlan.sta) 1950 return RX_DROP_UNUSABLE; 1951 1952 if (is_multicast_ether_addr(hdr->addr1) && 1953 ((rx->sdata->vif.type == NL80211_IFTYPE_AP_VLAN && 1954 rx->sdata->u.vlan.sta) || 1955 (rx->sdata->vif.type == NL80211_IFTYPE_STATION && 1956 rx->sdata->u.mgd.use_4addr))) 1957 return RX_DROP_UNUSABLE; 1958 1959 skb->dev = dev; 1960 __skb_queue_head_init(&frame_list); 1961 1962 if (skb_linearize(skb)) 1963 return RX_DROP_UNUSABLE; 1964 1965 ieee80211_amsdu_to_8023s(skb, &frame_list, dev->dev_addr, 1966 rx->sdata->vif.type, 1967 rx->local->hw.extra_tx_headroom, true); 1968 1969 while (!skb_queue_empty(&frame_list)) { 1970 rx->skb = __skb_dequeue(&frame_list); 1971 1972 if (!ieee80211_frame_allowed(rx, fc)) { 1973 dev_kfree_skb(rx->skb); 1974 continue; 1975 } 1976 dev->stats.rx_packets++; 1977 dev->stats.rx_bytes += rx->skb->len; 1978 1979 ieee80211_deliver_skb(rx); 1980 } 1981 1982 return RX_QUEUED; 1983 } 1984 1985 #ifdef CONFIG_MAC80211_MESH 1986 static ieee80211_rx_result 1987 ieee80211_rx_h_mesh_fwding(struct ieee80211_rx_data *rx) 1988 { 1989 struct ieee80211_hdr *fwd_hdr, *hdr; 1990 struct ieee80211_tx_info *info; 1991 struct ieee80211s_hdr *mesh_hdr; 1992 struct sk_buff *skb = rx->skb, *fwd_skb; 1993 struct ieee80211_local *local = rx->local; 1994 struct ieee80211_sub_if_data *sdata = rx->sdata; 1995 struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(skb); 1996 struct ieee80211_if_mesh *ifmsh = &sdata->u.mesh; 1997 __le16 reason = cpu_to_le16(WLAN_REASON_MESH_PATH_NOFORWARD); 1998 u16 q, hdrlen; 1999 2000 hdr = (struct ieee80211_hdr *) skb->data; 2001 hdrlen = ieee80211_hdrlen(hdr->frame_control); 2002 2003 /* make sure fixed part of mesh header is there, also checks skb len */ 2004 if (!pskb_may_pull(rx->skb, hdrlen + 6)) 2005 return RX_DROP_MONITOR; 2006 2007 mesh_hdr = (struct ieee80211s_hdr *) (skb->data + hdrlen); 2008 2009 /* make sure full mesh header is there, also checks skb len */ 2010 if (!pskb_may_pull(rx->skb, 2011 hdrlen + ieee80211_get_mesh_hdrlen(mesh_hdr))) 2012 return RX_DROP_MONITOR; 2013 2014 /* reload pointers */ 2015 hdr = (struct ieee80211_hdr *) skb->data; 2016 mesh_hdr = (struct ieee80211s_hdr *) (skb->data + hdrlen); 2017 2018 /* frame is in RMC, don't forward */ 2019 if (ieee80211_is_data(hdr->frame_control) && 2020 is_multicast_ether_addr(hdr->addr1) && 2021 mesh_rmc_check(rx->sdata, hdr->addr3, mesh_hdr)) 2022 return RX_DROP_MONITOR; 2023 2024 if (!ieee80211_is_data(hdr->frame_control) || 2025 !(status->rx_flags & IEEE80211_RX_RA_MATCH)) 2026 return RX_CONTINUE; 2027 2028 if (!mesh_hdr->ttl) 2029 return RX_DROP_MONITOR; 2030 2031 if (mesh_hdr->flags & MESH_FLAGS_AE) { 2032 struct mesh_path *mppath; 2033 char *proxied_addr; 2034 char *mpp_addr; 2035 2036 if (is_multicast_ether_addr(hdr->addr1)) { 2037 mpp_addr = hdr->addr3; 2038 proxied_addr = mesh_hdr->eaddr1; 2039 } else if (mesh_hdr->flags & MESH_FLAGS_AE_A5_A6) { 2040 /* has_a4 already checked in ieee80211_rx_mesh_check */ 2041 mpp_addr = hdr->addr4; 2042 proxied_addr = mesh_hdr->eaddr2; 2043 } else { 2044 return RX_DROP_MONITOR; 2045 } 2046 2047 rcu_read_lock(); 2048 mppath = mpp_path_lookup(sdata, proxied_addr); 2049 if (!mppath) { 2050 mpp_path_add(sdata, proxied_addr, mpp_addr); 2051 } else { 2052 spin_lock_bh(&mppath->state_lock); 2053 if (!ether_addr_equal(mppath->mpp, mpp_addr)) 2054 memcpy(mppath->mpp, mpp_addr, ETH_ALEN); 2055 spin_unlock_bh(&mppath->state_lock); 2056 } 2057 rcu_read_unlock(); 2058 } 2059 2060 /* Frame has reached destination. Don't forward */ 2061 if (!is_multicast_ether_addr(hdr->addr1) && 2062 ether_addr_equal(sdata->vif.addr, hdr->addr3)) 2063 return RX_CONTINUE; 2064 2065 q = ieee80211_select_queue_80211(sdata, skb, hdr); 2066 if (ieee80211_queue_stopped(&local->hw, q)) { 2067 IEEE80211_IFSTA_MESH_CTR_INC(ifmsh, dropped_frames_congestion); 2068 return RX_DROP_MONITOR; 2069 } 2070 skb_set_queue_mapping(skb, q); 2071 2072 if (!--mesh_hdr->ttl) { 2073 IEEE80211_IFSTA_MESH_CTR_INC(ifmsh, dropped_frames_ttl); 2074 goto out; 2075 } 2076 2077 if (!ifmsh->mshcfg.dot11MeshForwarding) 2078 goto out; 2079 2080 fwd_skb = skb_copy(skb, GFP_ATOMIC); 2081 if (!fwd_skb) { 2082 net_info_ratelimited("%s: failed to clone mesh frame\n", 2083 sdata->name); 2084 goto out; 2085 } 2086 2087 fwd_hdr = (struct ieee80211_hdr *) fwd_skb->data; 2088 fwd_hdr->frame_control &= ~cpu_to_le16(IEEE80211_FCTL_RETRY); 2089 info = IEEE80211_SKB_CB(fwd_skb); 2090 memset(info, 0, sizeof(*info)); 2091 info->flags |= IEEE80211_TX_INTFL_NEED_TXPROCESSING; 2092 info->control.vif = &rx->sdata->vif; 2093 info->control.jiffies = jiffies; 2094 if (is_multicast_ether_addr(fwd_hdr->addr1)) { 2095 IEEE80211_IFSTA_MESH_CTR_INC(ifmsh, fwded_mcast); 2096 memcpy(fwd_hdr->addr2, sdata->vif.addr, ETH_ALEN); 2097 /* update power mode indication when forwarding */ 2098 ieee80211_mps_set_frame_flags(sdata, NULL, fwd_hdr); 2099 } else if (!mesh_nexthop_lookup(sdata, fwd_skb)) { 2100 /* mesh power mode flags updated in mesh_nexthop_lookup */ 2101 IEEE80211_IFSTA_MESH_CTR_INC(ifmsh, fwded_unicast); 2102 } else { 2103 /* unable to resolve next hop */ 2104 mesh_path_error_tx(sdata, ifmsh->mshcfg.element_ttl, 2105 fwd_hdr->addr3, 0, reason, fwd_hdr->addr2); 2106 IEEE80211_IFSTA_MESH_CTR_INC(ifmsh, dropped_frames_no_route); 2107 kfree_skb(fwd_skb); 2108 return RX_DROP_MONITOR; 2109 } 2110 2111 IEEE80211_IFSTA_MESH_CTR_INC(ifmsh, fwded_frames); 2112 ieee80211_add_pending_skb(local, fwd_skb); 2113 out: 2114 if (is_multicast_ether_addr(hdr->addr1) || 2115 sdata->dev->flags & IFF_PROMISC) 2116 return RX_CONTINUE; 2117 else 2118 return RX_DROP_MONITOR; 2119 } 2120 #endif 2121 2122 static ieee80211_rx_result debug_noinline 2123 ieee80211_rx_h_data(struct ieee80211_rx_data *rx) 2124 { 2125 struct ieee80211_sub_if_data *sdata = rx->sdata; 2126 struct ieee80211_local *local = rx->local; 2127 struct net_device *dev = sdata->dev; 2128 struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)rx->skb->data; 2129 __le16 fc = hdr->frame_control; 2130 bool port_control; 2131 int err; 2132 2133 if (unlikely(!ieee80211_is_data(hdr->frame_control))) 2134 return RX_CONTINUE; 2135 2136 if (unlikely(!ieee80211_is_data_present(hdr->frame_control))) 2137 return RX_DROP_MONITOR; 2138 2139 /* 2140 * Send unexpected-4addr-frame event to hostapd. For older versions, 2141 * also drop the frame to cooked monitor interfaces. 2142 */ 2143 if (ieee80211_has_a4(hdr->frame_control) && 2144 sdata->vif.type == NL80211_IFTYPE_AP) { 2145 if (rx->sta && 2146 !test_and_set_sta_flag(rx->sta, WLAN_STA_4ADDR_EVENT)) 2147 cfg80211_rx_unexpected_4addr_frame( 2148 rx->sdata->dev, rx->sta->sta.addr, GFP_ATOMIC); 2149 return RX_DROP_MONITOR; 2150 } 2151 2152 err = __ieee80211_data_to_8023(rx, &port_control); 2153 if (unlikely(err)) 2154 return RX_DROP_UNUSABLE; 2155 2156 if (!ieee80211_frame_allowed(rx, fc)) 2157 return RX_DROP_MONITOR; 2158 2159 if (rx->sdata->vif.type == NL80211_IFTYPE_AP_VLAN && 2160 unlikely(port_control) && sdata->bss) { 2161 sdata = container_of(sdata->bss, struct ieee80211_sub_if_data, 2162 u.ap); 2163 dev = sdata->dev; 2164 rx->sdata = sdata; 2165 } 2166 2167 rx->skb->dev = dev; 2168 2169 dev->stats.rx_packets++; 2170 dev->stats.rx_bytes += rx->skb->len; 2171 2172 if (local->ps_sdata && local->hw.conf.dynamic_ps_timeout > 0 && 2173 !is_multicast_ether_addr( 2174 ((struct ethhdr *)rx->skb->data)->h_dest) && 2175 (!local->scanning && 2176 !test_bit(SDATA_STATE_OFFCHANNEL, &sdata->state))) { 2177 mod_timer(&local->dynamic_ps_timer, jiffies + 2178 msecs_to_jiffies(local->hw.conf.dynamic_ps_timeout)); 2179 } 2180 2181 ieee80211_deliver_skb(rx); 2182 2183 return RX_QUEUED; 2184 } 2185 2186 static ieee80211_rx_result debug_noinline 2187 ieee80211_rx_h_ctrl(struct ieee80211_rx_data *rx, struct sk_buff_head *frames) 2188 { 2189 struct sk_buff *skb = rx->skb; 2190 struct ieee80211_bar *bar = (struct ieee80211_bar *)skb->data; 2191 struct tid_ampdu_rx *tid_agg_rx; 2192 u16 start_seq_num; 2193 u16 tid; 2194 2195 if (likely(!ieee80211_is_ctl(bar->frame_control))) 2196 return RX_CONTINUE; 2197 2198 if (ieee80211_is_back_req(bar->frame_control)) { 2199 struct { 2200 __le16 control, start_seq_num; 2201 } __packed bar_data; 2202 2203 if (!rx->sta) 2204 return RX_DROP_MONITOR; 2205 2206 if (skb_copy_bits(skb, offsetof(struct ieee80211_bar, control), 2207 &bar_data, sizeof(bar_data))) 2208 return RX_DROP_MONITOR; 2209 2210 tid = le16_to_cpu(bar_data.control) >> 12; 2211 2212 tid_agg_rx = rcu_dereference(rx->sta->ampdu_mlme.tid_rx[tid]); 2213 if (!tid_agg_rx) 2214 return RX_DROP_MONITOR; 2215 2216 start_seq_num = le16_to_cpu(bar_data.start_seq_num) >> 4; 2217 2218 /* reset session timer */ 2219 if (tid_agg_rx->timeout) 2220 mod_timer(&tid_agg_rx->session_timer, 2221 TU_TO_EXP_TIME(tid_agg_rx->timeout)); 2222 2223 spin_lock(&tid_agg_rx->reorder_lock); 2224 /* release stored frames up to start of BAR */ 2225 ieee80211_release_reorder_frames(rx->sdata, tid_agg_rx, 2226 start_seq_num, frames); 2227 spin_unlock(&tid_agg_rx->reorder_lock); 2228 2229 kfree_skb(skb); 2230 return RX_QUEUED; 2231 } 2232 2233 /* 2234 * After this point, we only want management frames, 2235 * so we can drop all remaining control frames to 2236 * cooked monitor interfaces. 2237 */ 2238 return RX_DROP_MONITOR; 2239 } 2240 2241 static void ieee80211_process_sa_query_req(struct ieee80211_sub_if_data *sdata, 2242 struct ieee80211_mgmt *mgmt, 2243 size_t len) 2244 { 2245 struct ieee80211_local *local = sdata->local; 2246 struct sk_buff *skb; 2247 struct ieee80211_mgmt *resp; 2248 2249 if (!ether_addr_equal(mgmt->da, sdata->vif.addr)) { 2250 /* Not to own unicast address */ 2251 return; 2252 } 2253 2254 if (!ether_addr_equal(mgmt->sa, sdata->u.mgd.bssid) || 2255 !ether_addr_equal(mgmt->bssid, sdata->u.mgd.bssid)) { 2256 /* Not from the current AP or not associated yet. */ 2257 return; 2258 } 2259 2260 if (len < 24 + 1 + sizeof(resp->u.action.u.sa_query)) { 2261 /* Too short SA Query request frame */ 2262 return; 2263 } 2264 2265 skb = dev_alloc_skb(sizeof(*resp) + local->hw.extra_tx_headroom); 2266 if (skb == NULL) 2267 return; 2268 2269 skb_reserve(skb, local->hw.extra_tx_headroom); 2270 resp = (struct ieee80211_mgmt *) skb_put(skb, 24); 2271 memset(resp, 0, 24); 2272 memcpy(resp->da, mgmt->sa, ETH_ALEN); 2273 memcpy(resp->sa, sdata->vif.addr, ETH_ALEN); 2274 memcpy(resp->bssid, sdata->u.mgd.bssid, ETH_ALEN); 2275 resp->frame_control = cpu_to_le16(IEEE80211_FTYPE_MGMT | 2276 IEEE80211_STYPE_ACTION); 2277 skb_put(skb, 1 + sizeof(resp->u.action.u.sa_query)); 2278 resp->u.action.category = WLAN_CATEGORY_SA_QUERY; 2279 resp->u.action.u.sa_query.action = WLAN_ACTION_SA_QUERY_RESPONSE; 2280 memcpy(resp->u.action.u.sa_query.trans_id, 2281 mgmt->u.action.u.sa_query.trans_id, 2282 WLAN_SA_QUERY_TR_ID_LEN); 2283 2284 ieee80211_tx_skb(sdata, skb); 2285 } 2286 2287 static ieee80211_rx_result debug_noinline 2288 ieee80211_rx_h_mgmt_check(struct ieee80211_rx_data *rx) 2289 { 2290 struct ieee80211_mgmt *mgmt = (struct ieee80211_mgmt *) rx->skb->data; 2291 struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(rx->skb); 2292 2293 /* 2294 * From here on, look only at management frames. 2295 * Data and control frames are already handled, 2296 * and unknown (reserved) frames are useless. 2297 */ 2298 if (rx->skb->len < 24) 2299 return RX_DROP_MONITOR; 2300 2301 if (!ieee80211_is_mgmt(mgmt->frame_control)) 2302 return RX_DROP_MONITOR; 2303 2304 if (rx->sdata->vif.type == NL80211_IFTYPE_AP && 2305 ieee80211_is_beacon(mgmt->frame_control) && 2306 !(rx->flags & IEEE80211_RX_BEACON_REPORTED)) { 2307 int sig = 0; 2308 2309 if (rx->local->hw.flags & IEEE80211_HW_SIGNAL_DBM) 2310 sig = status->signal; 2311 2312 cfg80211_report_obss_beacon(rx->local->hw.wiphy, 2313 rx->skb->data, rx->skb->len, 2314 status->freq, sig); 2315 rx->flags |= IEEE80211_RX_BEACON_REPORTED; 2316 } 2317 2318 if (!(status->rx_flags & IEEE80211_RX_RA_MATCH)) 2319 return RX_DROP_MONITOR; 2320 2321 if (ieee80211_drop_unencrypted_mgmt(rx)) 2322 return RX_DROP_UNUSABLE; 2323 2324 return RX_CONTINUE; 2325 } 2326 2327 static ieee80211_rx_result debug_noinline 2328 ieee80211_rx_h_action(struct ieee80211_rx_data *rx) 2329 { 2330 struct ieee80211_local *local = rx->local; 2331 struct ieee80211_sub_if_data *sdata = rx->sdata; 2332 struct ieee80211_mgmt *mgmt = (struct ieee80211_mgmt *) rx->skb->data; 2333 struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(rx->skb); 2334 int len = rx->skb->len; 2335 2336 if (!ieee80211_is_action(mgmt->frame_control)) 2337 return RX_CONTINUE; 2338 2339 /* drop too small frames */ 2340 if (len < IEEE80211_MIN_ACTION_SIZE) 2341 return RX_DROP_UNUSABLE; 2342 2343 if (!rx->sta && mgmt->u.action.category != WLAN_CATEGORY_PUBLIC && 2344 mgmt->u.action.category != WLAN_CATEGORY_SELF_PROTECTED) 2345 return RX_DROP_UNUSABLE; 2346 2347 if (!(status->rx_flags & IEEE80211_RX_RA_MATCH)) 2348 return RX_DROP_UNUSABLE; 2349 2350 switch (mgmt->u.action.category) { 2351 case WLAN_CATEGORY_HT: 2352 /* reject HT action frames from stations not supporting HT */ 2353 if (!rx->sta->sta.ht_cap.ht_supported) 2354 goto invalid; 2355 2356 if (sdata->vif.type != NL80211_IFTYPE_STATION && 2357 sdata->vif.type != NL80211_IFTYPE_MESH_POINT && 2358 sdata->vif.type != NL80211_IFTYPE_AP_VLAN && 2359 sdata->vif.type != NL80211_IFTYPE_AP && 2360 sdata->vif.type != NL80211_IFTYPE_ADHOC) 2361 break; 2362 2363 /* verify action & smps_control/chanwidth are present */ 2364 if (len < IEEE80211_MIN_ACTION_SIZE + 2) 2365 goto invalid; 2366 2367 switch (mgmt->u.action.u.ht_smps.action) { 2368 case WLAN_HT_ACTION_SMPS: { 2369 struct ieee80211_supported_band *sband; 2370 enum ieee80211_smps_mode smps_mode; 2371 2372 /* convert to HT capability */ 2373 switch (mgmt->u.action.u.ht_smps.smps_control) { 2374 case WLAN_HT_SMPS_CONTROL_DISABLED: 2375 smps_mode = IEEE80211_SMPS_OFF; 2376 break; 2377 case WLAN_HT_SMPS_CONTROL_STATIC: 2378 smps_mode = IEEE80211_SMPS_STATIC; 2379 break; 2380 case WLAN_HT_SMPS_CONTROL_DYNAMIC: 2381 smps_mode = IEEE80211_SMPS_DYNAMIC; 2382 break; 2383 default: 2384 goto invalid; 2385 } 2386 2387 /* if no change do nothing */ 2388 if (rx->sta->sta.smps_mode == smps_mode) 2389 goto handled; 2390 rx->sta->sta.smps_mode = smps_mode; 2391 2392 sband = rx->local->hw.wiphy->bands[status->band]; 2393 2394 rate_control_rate_update(local, sband, rx->sta, 2395 IEEE80211_RC_SMPS_CHANGED); 2396 goto handled; 2397 } 2398 case WLAN_HT_ACTION_NOTIFY_CHANWIDTH: { 2399 struct ieee80211_supported_band *sband; 2400 u8 chanwidth = mgmt->u.action.u.ht_notify_cw.chanwidth; 2401 enum ieee80211_sta_rx_bandwidth new_bw; 2402 2403 /* If it doesn't support 40 MHz it can't change ... */ 2404 if (!(rx->sta->sta.ht_cap.cap & 2405 IEEE80211_HT_CAP_SUP_WIDTH_20_40)) 2406 goto handled; 2407 2408 if (chanwidth == IEEE80211_HT_CHANWIDTH_20MHZ) 2409 new_bw = IEEE80211_STA_RX_BW_20; 2410 else 2411 new_bw = ieee80211_sta_cur_vht_bw(rx->sta); 2412 2413 if (rx->sta->sta.bandwidth == new_bw) 2414 goto handled; 2415 2416 sband = rx->local->hw.wiphy->bands[status->band]; 2417 2418 rate_control_rate_update(local, sband, rx->sta, 2419 IEEE80211_RC_BW_CHANGED); 2420 goto handled; 2421 } 2422 default: 2423 goto invalid; 2424 } 2425 2426 break; 2427 case WLAN_CATEGORY_PUBLIC: 2428 if (len < IEEE80211_MIN_ACTION_SIZE + 1) 2429 goto invalid; 2430 if (sdata->vif.type != NL80211_IFTYPE_STATION) 2431 break; 2432 if (!rx->sta) 2433 break; 2434 if (!ether_addr_equal(mgmt->bssid, sdata->u.mgd.bssid)) 2435 break; 2436 if (mgmt->u.action.u.ext_chan_switch.action_code != 2437 WLAN_PUB_ACTION_EXT_CHANSW_ANN) 2438 break; 2439 if (len < offsetof(struct ieee80211_mgmt, 2440 u.action.u.ext_chan_switch.variable)) 2441 goto invalid; 2442 goto queue; 2443 case WLAN_CATEGORY_VHT: 2444 if (sdata->vif.type != NL80211_IFTYPE_STATION && 2445 sdata->vif.type != NL80211_IFTYPE_MESH_POINT && 2446 sdata->vif.type != NL80211_IFTYPE_AP_VLAN && 2447 sdata->vif.type != NL80211_IFTYPE_AP && 2448 sdata->vif.type != NL80211_IFTYPE_ADHOC) 2449 break; 2450 2451 /* verify action code is present */ 2452 if (len < IEEE80211_MIN_ACTION_SIZE + 1) 2453 goto invalid; 2454 2455 switch (mgmt->u.action.u.vht_opmode_notif.action_code) { 2456 case WLAN_VHT_ACTION_OPMODE_NOTIF: { 2457 u8 opmode; 2458 2459 /* verify opmode is present */ 2460 if (len < IEEE80211_MIN_ACTION_SIZE + 2) 2461 goto invalid; 2462 2463 opmode = mgmt->u.action.u.vht_opmode_notif.operating_mode; 2464 2465 ieee80211_vht_handle_opmode(rx->sdata, rx->sta, 2466 opmode, status->band, 2467 false); 2468 goto handled; 2469 } 2470 default: 2471 break; 2472 } 2473 break; 2474 case WLAN_CATEGORY_BACK: 2475 if (sdata->vif.type != NL80211_IFTYPE_STATION && 2476 sdata->vif.type != NL80211_IFTYPE_MESH_POINT && 2477 sdata->vif.type != NL80211_IFTYPE_AP_VLAN && 2478 sdata->vif.type != NL80211_IFTYPE_AP && 2479 sdata->vif.type != NL80211_IFTYPE_ADHOC) 2480 break; 2481 2482 /* verify action_code is present */ 2483 if (len < IEEE80211_MIN_ACTION_SIZE + 1) 2484 break; 2485 2486 switch (mgmt->u.action.u.addba_req.action_code) { 2487 case WLAN_ACTION_ADDBA_REQ: 2488 if (len < (IEEE80211_MIN_ACTION_SIZE + 2489 sizeof(mgmt->u.action.u.addba_req))) 2490 goto invalid; 2491 break; 2492 case WLAN_ACTION_ADDBA_RESP: 2493 if (len < (IEEE80211_MIN_ACTION_SIZE + 2494 sizeof(mgmt->u.action.u.addba_resp))) 2495 goto invalid; 2496 break; 2497 case WLAN_ACTION_DELBA: 2498 if (len < (IEEE80211_MIN_ACTION_SIZE + 2499 sizeof(mgmt->u.action.u.delba))) 2500 goto invalid; 2501 break; 2502 default: 2503 goto invalid; 2504 } 2505 2506 goto queue; 2507 case WLAN_CATEGORY_SPECTRUM_MGMT: 2508 if (status->band != IEEE80211_BAND_5GHZ) 2509 break; 2510 2511 if (sdata->vif.type != NL80211_IFTYPE_STATION) 2512 break; 2513 2514 /* verify action_code is present */ 2515 if (len < IEEE80211_MIN_ACTION_SIZE + 1) 2516 break; 2517 2518 switch (mgmt->u.action.u.measurement.action_code) { 2519 case WLAN_ACTION_SPCT_MSR_REQ: 2520 if (len < (IEEE80211_MIN_ACTION_SIZE + 2521 sizeof(mgmt->u.action.u.measurement))) 2522 break; 2523 ieee80211_process_measurement_req(sdata, mgmt, len); 2524 goto handled; 2525 case WLAN_ACTION_SPCT_CHL_SWITCH: 2526 if (sdata->vif.type != NL80211_IFTYPE_STATION) 2527 break; 2528 2529 if (!ether_addr_equal(mgmt->bssid, sdata->u.mgd.bssid)) 2530 break; 2531 2532 goto queue; 2533 } 2534 break; 2535 case WLAN_CATEGORY_SA_QUERY: 2536 if (len < (IEEE80211_MIN_ACTION_SIZE + 2537 sizeof(mgmt->u.action.u.sa_query))) 2538 break; 2539 2540 switch (mgmt->u.action.u.sa_query.action) { 2541 case WLAN_ACTION_SA_QUERY_REQUEST: 2542 if (sdata->vif.type != NL80211_IFTYPE_STATION) 2543 break; 2544 ieee80211_process_sa_query_req(sdata, mgmt, len); 2545 goto handled; 2546 } 2547 break; 2548 case WLAN_CATEGORY_SELF_PROTECTED: 2549 if (len < (IEEE80211_MIN_ACTION_SIZE + 2550 sizeof(mgmt->u.action.u.self_prot.action_code))) 2551 break; 2552 2553 switch (mgmt->u.action.u.self_prot.action_code) { 2554 case WLAN_SP_MESH_PEERING_OPEN: 2555 case WLAN_SP_MESH_PEERING_CLOSE: 2556 case WLAN_SP_MESH_PEERING_CONFIRM: 2557 if (!ieee80211_vif_is_mesh(&sdata->vif)) 2558 goto invalid; 2559 if (sdata->u.mesh.user_mpm) 2560 /* userspace handles this frame */ 2561 break; 2562 goto queue; 2563 case WLAN_SP_MGK_INFORM: 2564 case WLAN_SP_MGK_ACK: 2565 if (!ieee80211_vif_is_mesh(&sdata->vif)) 2566 goto invalid; 2567 break; 2568 } 2569 break; 2570 case WLAN_CATEGORY_MESH_ACTION: 2571 if (len < (IEEE80211_MIN_ACTION_SIZE + 2572 sizeof(mgmt->u.action.u.mesh_action.action_code))) 2573 break; 2574 2575 if (!ieee80211_vif_is_mesh(&sdata->vif)) 2576 break; 2577 if (mesh_action_is_path_sel(mgmt) && 2578 !mesh_path_sel_is_hwmp(sdata)) 2579 break; 2580 goto queue; 2581 } 2582 2583 return RX_CONTINUE; 2584 2585 invalid: 2586 status->rx_flags |= IEEE80211_RX_MALFORMED_ACTION_FRM; 2587 /* will return in the next handlers */ 2588 return RX_CONTINUE; 2589 2590 handled: 2591 if (rx->sta) 2592 rx->sta->rx_packets++; 2593 dev_kfree_skb(rx->skb); 2594 return RX_QUEUED; 2595 2596 queue: 2597 rx->skb->pkt_type = IEEE80211_SDATA_QUEUE_TYPE_FRAME; 2598 skb_queue_tail(&sdata->skb_queue, rx->skb); 2599 ieee80211_queue_work(&local->hw, &sdata->work); 2600 if (rx->sta) 2601 rx->sta->rx_packets++; 2602 return RX_QUEUED; 2603 } 2604 2605 static ieee80211_rx_result debug_noinline 2606 ieee80211_rx_h_userspace_mgmt(struct ieee80211_rx_data *rx) 2607 { 2608 struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(rx->skb); 2609 int sig = 0; 2610 2611 /* skip known-bad action frames and return them in the next handler */ 2612 if (status->rx_flags & IEEE80211_RX_MALFORMED_ACTION_FRM) 2613 return RX_CONTINUE; 2614 2615 /* 2616 * Getting here means the kernel doesn't know how to handle 2617 * it, but maybe userspace does ... include returned frames 2618 * so userspace can register for those to know whether ones 2619 * it transmitted were processed or returned. 2620 */ 2621 2622 if (rx->local->hw.flags & IEEE80211_HW_SIGNAL_DBM) 2623 sig = status->signal; 2624 2625 if (cfg80211_rx_mgmt(&rx->sdata->wdev, status->freq, sig, 2626 rx->skb->data, rx->skb->len, 2627 GFP_ATOMIC)) { 2628 if (rx->sta) 2629 rx->sta->rx_packets++; 2630 dev_kfree_skb(rx->skb); 2631 return RX_QUEUED; 2632 } 2633 2634 return RX_CONTINUE; 2635 } 2636 2637 static ieee80211_rx_result debug_noinline 2638 ieee80211_rx_h_action_return(struct ieee80211_rx_data *rx) 2639 { 2640 struct ieee80211_local *local = rx->local; 2641 struct ieee80211_mgmt *mgmt = (struct ieee80211_mgmt *) rx->skb->data; 2642 struct sk_buff *nskb; 2643 struct ieee80211_sub_if_data *sdata = rx->sdata; 2644 struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(rx->skb); 2645 2646 if (!ieee80211_is_action(mgmt->frame_control)) 2647 return RX_CONTINUE; 2648 2649 /* 2650 * For AP mode, hostapd is responsible for handling any action 2651 * frames that we didn't handle, including returning unknown 2652 * ones. For all other modes we will return them to the sender, 2653 * setting the 0x80 bit in the action category, as required by 2654 * 802.11-2012 9.24.4. 2655 * Newer versions of hostapd shall also use the management frame 2656 * registration mechanisms, but older ones still use cooked 2657 * monitor interfaces so push all frames there. 2658 */ 2659 if (!(status->rx_flags & IEEE80211_RX_MALFORMED_ACTION_FRM) && 2660 (sdata->vif.type == NL80211_IFTYPE_AP || 2661 sdata->vif.type == NL80211_IFTYPE_AP_VLAN)) 2662 return RX_DROP_MONITOR; 2663 2664 if (is_multicast_ether_addr(mgmt->da)) 2665 return RX_DROP_MONITOR; 2666 2667 /* do not return rejected action frames */ 2668 if (mgmt->u.action.category & 0x80) 2669 return RX_DROP_UNUSABLE; 2670 2671 nskb = skb_copy_expand(rx->skb, local->hw.extra_tx_headroom, 0, 2672 GFP_ATOMIC); 2673 if (nskb) { 2674 struct ieee80211_mgmt *nmgmt = (void *)nskb->data; 2675 2676 nmgmt->u.action.category |= 0x80; 2677 memcpy(nmgmt->da, nmgmt->sa, ETH_ALEN); 2678 memcpy(nmgmt->sa, rx->sdata->vif.addr, ETH_ALEN); 2679 2680 memset(nskb->cb, 0, sizeof(nskb->cb)); 2681 2682 if (rx->sdata->vif.type == NL80211_IFTYPE_P2P_DEVICE) { 2683 struct ieee80211_tx_info *info = IEEE80211_SKB_CB(nskb); 2684 2685 info->flags = IEEE80211_TX_CTL_TX_OFFCHAN | 2686 IEEE80211_TX_INTFL_OFFCHAN_TX_OK | 2687 IEEE80211_TX_CTL_NO_CCK_RATE; 2688 if (local->hw.flags & IEEE80211_HW_QUEUE_CONTROL) 2689 info->hw_queue = 2690 local->hw.offchannel_tx_hw_queue; 2691 } 2692 2693 __ieee80211_tx_skb_tid_band(rx->sdata, nskb, 7, 2694 status->band); 2695 } 2696 dev_kfree_skb(rx->skb); 2697 return RX_QUEUED; 2698 } 2699 2700 static ieee80211_rx_result debug_noinline 2701 ieee80211_rx_h_mgmt(struct ieee80211_rx_data *rx) 2702 { 2703 struct ieee80211_sub_if_data *sdata = rx->sdata; 2704 struct ieee80211_mgmt *mgmt = (void *)rx->skb->data; 2705 __le16 stype; 2706 2707 stype = mgmt->frame_control & cpu_to_le16(IEEE80211_FCTL_STYPE); 2708 2709 if (!ieee80211_vif_is_mesh(&sdata->vif) && 2710 sdata->vif.type != NL80211_IFTYPE_ADHOC && 2711 sdata->vif.type != NL80211_IFTYPE_STATION) 2712 return RX_DROP_MONITOR; 2713 2714 switch (stype) { 2715 case cpu_to_le16(IEEE80211_STYPE_AUTH): 2716 case cpu_to_le16(IEEE80211_STYPE_BEACON): 2717 case cpu_to_le16(IEEE80211_STYPE_PROBE_RESP): 2718 /* process for all: mesh, mlme, ibss */ 2719 break; 2720 case cpu_to_le16(IEEE80211_STYPE_ASSOC_RESP): 2721 case cpu_to_le16(IEEE80211_STYPE_REASSOC_RESP): 2722 case cpu_to_le16(IEEE80211_STYPE_DEAUTH): 2723 case cpu_to_le16(IEEE80211_STYPE_DISASSOC): 2724 if (is_multicast_ether_addr(mgmt->da) && 2725 !is_broadcast_ether_addr(mgmt->da)) 2726 return RX_DROP_MONITOR; 2727 2728 /* process only for station */ 2729 if (sdata->vif.type != NL80211_IFTYPE_STATION) 2730 return RX_DROP_MONITOR; 2731 break; 2732 case cpu_to_le16(IEEE80211_STYPE_PROBE_REQ): 2733 /* process only for ibss and mesh */ 2734 if (sdata->vif.type != NL80211_IFTYPE_ADHOC && 2735 sdata->vif.type != NL80211_IFTYPE_MESH_POINT) 2736 return RX_DROP_MONITOR; 2737 break; 2738 default: 2739 return RX_DROP_MONITOR; 2740 } 2741 2742 /* queue up frame and kick off work to process it */ 2743 rx->skb->pkt_type = IEEE80211_SDATA_QUEUE_TYPE_FRAME; 2744 skb_queue_tail(&sdata->skb_queue, rx->skb); 2745 ieee80211_queue_work(&rx->local->hw, &sdata->work); 2746 if (rx->sta) 2747 rx->sta->rx_packets++; 2748 2749 return RX_QUEUED; 2750 } 2751 2752 /* TODO: use IEEE80211_RX_FRAGMENTED */ 2753 static void ieee80211_rx_cooked_monitor(struct ieee80211_rx_data *rx, 2754 struct ieee80211_rate *rate) 2755 { 2756 struct ieee80211_sub_if_data *sdata; 2757 struct ieee80211_local *local = rx->local; 2758 struct sk_buff *skb = rx->skb, *skb2; 2759 struct net_device *prev_dev = NULL; 2760 struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(skb); 2761 int needed_headroom; 2762 2763 /* 2764 * If cooked monitor has been processed already, then 2765 * don't do it again. If not, set the flag. 2766 */ 2767 if (rx->flags & IEEE80211_RX_CMNTR) 2768 goto out_free_skb; 2769 rx->flags |= IEEE80211_RX_CMNTR; 2770 2771 /* If there are no cooked monitor interfaces, just free the SKB */ 2772 if (!local->cooked_mntrs) 2773 goto out_free_skb; 2774 2775 /* room for the radiotap header based on driver features */ 2776 needed_headroom = ieee80211_rx_radiotap_space(local, status); 2777 2778 if (skb_headroom(skb) < needed_headroom && 2779 pskb_expand_head(skb, needed_headroom, 0, GFP_ATOMIC)) 2780 goto out_free_skb; 2781 2782 /* prepend radiotap information */ 2783 ieee80211_add_rx_radiotap_header(local, skb, rate, needed_headroom, 2784 false); 2785 2786 skb_set_mac_header(skb, 0); 2787 skb->ip_summed = CHECKSUM_UNNECESSARY; 2788 skb->pkt_type = PACKET_OTHERHOST; 2789 skb->protocol = htons(ETH_P_802_2); 2790 2791 list_for_each_entry_rcu(sdata, &local->interfaces, list) { 2792 if (!ieee80211_sdata_running(sdata)) 2793 continue; 2794 2795 if (sdata->vif.type != NL80211_IFTYPE_MONITOR || 2796 !(sdata->u.mntr_flags & MONITOR_FLAG_COOK_FRAMES)) 2797 continue; 2798 2799 if (prev_dev) { 2800 skb2 = skb_clone(skb, GFP_ATOMIC); 2801 if (skb2) { 2802 skb2->dev = prev_dev; 2803 netif_receive_skb(skb2); 2804 } 2805 } 2806 2807 prev_dev = sdata->dev; 2808 sdata->dev->stats.rx_packets++; 2809 sdata->dev->stats.rx_bytes += skb->len; 2810 } 2811 2812 if (prev_dev) { 2813 skb->dev = prev_dev; 2814 netif_receive_skb(skb); 2815 return; 2816 } 2817 2818 out_free_skb: 2819 dev_kfree_skb(skb); 2820 } 2821 2822 static void ieee80211_rx_handlers_result(struct ieee80211_rx_data *rx, 2823 ieee80211_rx_result res) 2824 { 2825 switch (res) { 2826 case RX_DROP_MONITOR: 2827 I802_DEBUG_INC(rx->sdata->local->rx_handlers_drop); 2828 if (rx->sta) 2829 rx->sta->rx_dropped++; 2830 /* fall through */ 2831 case RX_CONTINUE: { 2832 struct ieee80211_rate *rate = NULL; 2833 struct ieee80211_supported_band *sband; 2834 struct ieee80211_rx_status *status; 2835 2836 status = IEEE80211_SKB_RXCB((rx->skb)); 2837 2838 sband = rx->local->hw.wiphy->bands[status->band]; 2839 if (!(status->flag & RX_FLAG_HT) && 2840 !(status->flag & RX_FLAG_VHT)) 2841 rate = &sband->bitrates[status->rate_idx]; 2842 2843 ieee80211_rx_cooked_monitor(rx, rate); 2844 break; 2845 } 2846 case RX_DROP_UNUSABLE: 2847 I802_DEBUG_INC(rx->sdata->local->rx_handlers_drop); 2848 if (rx->sta) 2849 rx->sta->rx_dropped++; 2850 dev_kfree_skb(rx->skb); 2851 break; 2852 case RX_QUEUED: 2853 I802_DEBUG_INC(rx->sdata->local->rx_handlers_queued); 2854 break; 2855 } 2856 } 2857 2858 static void ieee80211_rx_handlers(struct ieee80211_rx_data *rx, 2859 struct sk_buff_head *frames) 2860 { 2861 ieee80211_rx_result res = RX_DROP_MONITOR; 2862 struct sk_buff *skb; 2863 2864 #define CALL_RXH(rxh) \ 2865 do { \ 2866 res = rxh(rx); \ 2867 if (res != RX_CONTINUE) \ 2868 goto rxh_next; \ 2869 } while (0); 2870 2871 spin_lock_bh(&rx->local->rx_path_lock); 2872 2873 while ((skb = __skb_dequeue(frames))) { 2874 /* 2875 * all the other fields are valid across frames 2876 * that belong to an aMPDU since they are on the 2877 * same TID from the same station 2878 */ 2879 rx->skb = skb; 2880 2881 CALL_RXH(ieee80211_rx_h_decrypt) 2882 CALL_RXH(ieee80211_rx_h_check_more_data) 2883 CALL_RXH(ieee80211_rx_h_uapsd_and_pspoll) 2884 CALL_RXH(ieee80211_rx_h_sta_process) 2885 CALL_RXH(ieee80211_rx_h_defragment) 2886 CALL_RXH(ieee80211_rx_h_michael_mic_verify) 2887 /* must be after MMIC verify so header is counted in MPDU mic */ 2888 #ifdef CONFIG_MAC80211_MESH 2889 if (ieee80211_vif_is_mesh(&rx->sdata->vif)) 2890 CALL_RXH(ieee80211_rx_h_mesh_fwding); 2891 #endif 2892 CALL_RXH(ieee80211_rx_h_amsdu) 2893 CALL_RXH(ieee80211_rx_h_data) 2894 2895 /* special treatment -- needs the queue */ 2896 res = ieee80211_rx_h_ctrl(rx, frames); 2897 if (res != RX_CONTINUE) 2898 goto rxh_next; 2899 2900 CALL_RXH(ieee80211_rx_h_mgmt_check) 2901 CALL_RXH(ieee80211_rx_h_action) 2902 CALL_RXH(ieee80211_rx_h_userspace_mgmt) 2903 CALL_RXH(ieee80211_rx_h_action_return) 2904 CALL_RXH(ieee80211_rx_h_mgmt) 2905 2906 rxh_next: 2907 ieee80211_rx_handlers_result(rx, res); 2908 2909 #undef CALL_RXH 2910 } 2911 2912 spin_unlock_bh(&rx->local->rx_path_lock); 2913 } 2914 2915 static void ieee80211_invoke_rx_handlers(struct ieee80211_rx_data *rx) 2916 { 2917 struct sk_buff_head reorder_release; 2918 ieee80211_rx_result res = RX_DROP_MONITOR; 2919 2920 __skb_queue_head_init(&reorder_release); 2921 2922 #define CALL_RXH(rxh) \ 2923 do { \ 2924 res = rxh(rx); \ 2925 if (res != RX_CONTINUE) \ 2926 goto rxh_next; \ 2927 } while (0); 2928 2929 CALL_RXH(ieee80211_rx_h_check) 2930 2931 ieee80211_rx_reorder_ampdu(rx, &reorder_release); 2932 2933 ieee80211_rx_handlers(rx, &reorder_release); 2934 return; 2935 2936 rxh_next: 2937 ieee80211_rx_handlers_result(rx, res); 2938 2939 #undef CALL_RXH 2940 } 2941 2942 /* 2943 * This function makes calls into the RX path, therefore 2944 * it has to be invoked under RCU read lock. 2945 */ 2946 void ieee80211_release_reorder_timeout(struct sta_info *sta, int tid) 2947 { 2948 struct sk_buff_head frames; 2949 struct ieee80211_rx_data rx = { 2950 .sta = sta, 2951 .sdata = sta->sdata, 2952 .local = sta->local, 2953 /* This is OK -- must be QoS data frame */ 2954 .security_idx = tid, 2955 .seqno_idx = tid, 2956 .flags = 0, 2957 }; 2958 struct tid_ampdu_rx *tid_agg_rx; 2959 2960 tid_agg_rx = rcu_dereference(sta->ampdu_mlme.tid_rx[tid]); 2961 if (!tid_agg_rx) 2962 return; 2963 2964 __skb_queue_head_init(&frames); 2965 2966 spin_lock(&tid_agg_rx->reorder_lock); 2967 ieee80211_sta_reorder_release(sta->sdata, tid_agg_rx, &frames); 2968 spin_unlock(&tid_agg_rx->reorder_lock); 2969 2970 ieee80211_rx_handlers(&rx, &frames); 2971 } 2972 2973 /* main receive path */ 2974 2975 static int prepare_for_handlers(struct ieee80211_rx_data *rx, 2976 struct ieee80211_hdr *hdr) 2977 { 2978 struct ieee80211_sub_if_data *sdata = rx->sdata; 2979 struct sk_buff *skb = rx->skb; 2980 struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(skb); 2981 u8 *bssid = ieee80211_get_bssid(hdr, skb->len, sdata->vif.type); 2982 int multicast = is_multicast_ether_addr(hdr->addr1); 2983 2984 switch (sdata->vif.type) { 2985 case NL80211_IFTYPE_STATION: 2986 if (!bssid && !sdata->u.mgd.use_4addr) 2987 return 0; 2988 if (!multicast && 2989 !ether_addr_equal(sdata->vif.addr, hdr->addr1)) { 2990 if (!(sdata->dev->flags & IFF_PROMISC) || 2991 sdata->u.mgd.use_4addr) 2992 return 0; 2993 status->rx_flags &= ~IEEE80211_RX_RA_MATCH; 2994 } 2995 break; 2996 case NL80211_IFTYPE_ADHOC: 2997 if (!bssid) 2998 return 0; 2999 if (ieee80211_is_beacon(hdr->frame_control)) { 3000 return 1; 3001 } else if (!ieee80211_bssid_match(bssid, sdata->u.ibss.bssid)) { 3002 return 0; 3003 } else if (!multicast && 3004 !ether_addr_equal(sdata->vif.addr, hdr->addr1)) { 3005 if (!(sdata->dev->flags & IFF_PROMISC)) 3006 return 0; 3007 status->rx_flags &= ~IEEE80211_RX_RA_MATCH; 3008 } else if (!rx->sta) { 3009 int rate_idx; 3010 if (status->flag & (RX_FLAG_HT | RX_FLAG_VHT)) 3011 rate_idx = 0; /* TODO: HT/VHT rates */ 3012 else 3013 rate_idx = status->rate_idx; 3014 ieee80211_ibss_rx_no_sta(sdata, bssid, hdr->addr2, 3015 BIT(rate_idx)); 3016 } 3017 break; 3018 case NL80211_IFTYPE_MESH_POINT: 3019 if (!multicast && 3020 !ether_addr_equal(sdata->vif.addr, hdr->addr1)) { 3021 if (!(sdata->dev->flags & IFF_PROMISC)) 3022 return 0; 3023 3024 status->rx_flags &= ~IEEE80211_RX_RA_MATCH; 3025 } 3026 break; 3027 case NL80211_IFTYPE_AP_VLAN: 3028 case NL80211_IFTYPE_AP: 3029 if (!bssid) { 3030 if (!ether_addr_equal(sdata->vif.addr, hdr->addr1)) 3031 return 0; 3032 } else if (!ieee80211_bssid_match(bssid, sdata->vif.addr)) { 3033 /* 3034 * Accept public action frames even when the 3035 * BSSID doesn't match, this is used for P2P 3036 * and location updates. Note that mac80211 3037 * itself never looks at these frames. 3038 */ 3039 if (!multicast && 3040 !ether_addr_equal(sdata->vif.addr, hdr->addr1)) 3041 return 0; 3042 if (ieee80211_is_public_action(hdr, skb->len)) 3043 return 1; 3044 if (!ieee80211_is_beacon(hdr->frame_control)) 3045 return 0; 3046 status->rx_flags &= ~IEEE80211_RX_RA_MATCH; 3047 } 3048 break; 3049 case NL80211_IFTYPE_WDS: 3050 if (bssid || !ieee80211_is_data(hdr->frame_control)) 3051 return 0; 3052 if (!ether_addr_equal(sdata->u.wds.remote_addr, hdr->addr2)) 3053 return 0; 3054 break; 3055 case NL80211_IFTYPE_P2P_DEVICE: 3056 if (!ieee80211_is_public_action(hdr, skb->len) && 3057 !ieee80211_is_probe_req(hdr->frame_control) && 3058 !ieee80211_is_probe_resp(hdr->frame_control) && 3059 !ieee80211_is_beacon(hdr->frame_control)) 3060 return 0; 3061 if (!ether_addr_equal(sdata->vif.addr, hdr->addr1) && 3062 !multicast) 3063 status->rx_flags &= ~IEEE80211_RX_RA_MATCH; 3064 break; 3065 default: 3066 /* should never get here */ 3067 WARN_ON_ONCE(1); 3068 break; 3069 } 3070 3071 return 1; 3072 } 3073 3074 /* 3075 * This function returns whether or not the SKB 3076 * was destined for RX processing or not, which, 3077 * if consume is true, is equivalent to whether 3078 * or not the skb was consumed. 3079 */ 3080 static bool ieee80211_prepare_and_rx_handle(struct ieee80211_rx_data *rx, 3081 struct sk_buff *skb, bool consume) 3082 { 3083 struct ieee80211_local *local = rx->local; 3084 struct ieee80211_sub_if_data *sdata = rx->sdata; 3085 struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(skb); 3086 struct ieee80211_hdr *hdr = (void *)skb->data; 3087 int prepares; 3088 3089 rx->skb = skb; 3090 status->rx_flags |= IEEE80211_RX_RA_MATCH; 3091 prepares = prepare_for_handlers(rx, hdr); 3092 3093 if (!prepares) 3094 return false; 3095 3096 if (!consume) { 3097 skb = skb_copy(skb, GFP_ATOMIC); 3098 if (!skb) { 3099 if (net_ratelimit()) 3100 wiphy_debug(local->hw.wiphy, 3101 "failed to copy skb for %s\n", 3102 sdata->name); 3103 return true; 3104 } 3105 3106 rx->skb = skb; 3107 } 3108 3109 ieee80211_invoke_rx_handlers(rx); 3110 return true; 3111 } 3112 3113 /* 3114 * This is the actual Rx frames handler. as it blongs to Rx path it must 3115 * be called with rcu_read_lock protection. 3116 */ 3117 static void __ieee80211_rx_handle_packet(struct ieee80211_hw *hw, 3118 struct sk_buff *skb) 3119 { 3120 struct ieee80211_local *local = hw_to_local(hw); 3121 struct ieee80211_sub_if_data *sdata; 3122 struct ieee80211_hdr *hdr; 3123 __le16 fc; 3124 struct ieee80211_rx_data rx; 3125 struct ieee80211_sub_if_data *prev; 3126 struct sta_info *sta, *tmp, *prev_sta; 3127 int err = 0; 3128 3129 fc = ((struct ieee80211_hdr *)skb->data)->frame_control; 3130 memset(&rx, 0, sizeof(rx)); 3131 rx.skb = skb; 3132 rx.local = local; 3133 3134 if (ieee80211_is_data(fc) || ieee80211_is_mgmt(fc)) 3135 local->dot11ReceivedFragmentCount++; 3136 3137 if (ieee80211_is_mgmt(fc)) { 3138 /* drop frame if too short for header */ 3139 if (skb->len < ieee80211_hdrlen(fc)) 3140 err = -ENOBUFS; 3141 else 3142 err = skb_linearize(skb); 3143 } else { 3144 err = !pskb_may_pull(skb, ieee80211_hdrlen(fc)); 3145 } 3146 3147 if (err) { 3148 dev_kfree_skb(skb); 3149 return; 3150 } 3151 3152 hdr = (struct ieee80211_hdr *)skb->data; 3153 ieee80211_parse_qos(&rx); 3154 ieee80211_verify_alignment(&rx); 3155 3156 if (unlikely(ieee80211_is_probe_resp(hdr->frame_control) || 3157 ieee80211_is_beacon(hdr->frame_control))) 3158 ieee80211_scan_rx(local, skb); 3159 3160 if (ieee80211_is_data(fc)) { 3161 prev_sta = NULL; 3162 3163 for_each_sta_info(local, hdr->addr2, sta, tmp) { 3164 if (!prev_sta) { 3165 prev_sta = sta; 3166 continue; 3167 } 3168 3169 rx.sta = prev_sta; 3170 rx.sdata = prev_sta->sdata; 3171 ieee80211_prepare_and_rx_handle(&rx, skb, false); 3172 3173 prev_sta = sta; 3174 } 3175 3176 if (prev_sta) { 3177 rx.sta = prev_sta; 3178 rx.sdata = prev_sta->sdata; 3179 3180 if (ieee80211_prepare_and_rx_handle(&rx, skb, true)) 3181 return; 3182 goto out; 3183 } 3184 } 3185 3186 prev = NULL; 3187 3188 list_for_each_entry_rcu(sdata, &local->interfaces, list) { 3189 if (!ieee80211_sdata_running(sdata)) 3190 continue; 3191 3192 if (sdata->vif.type == NL80211_IFTYPE_MONITOR || 3193 sdata->vif.type == NL80211_IFTYPE_AP_VLAN) 3194 continue; 3195 3196 /* 3197 * frame is destined for this interface, but if it's 3198 * not also for the previous one we handle that after 3199 * the loop to avoid copying the SKB once too much 3200 */ 3201 3202 if (!prev) { 3203 prev = sdata; 3204 continue; 3205 } 3206 3207 rx.sta = sta_info_get_bss(prev, hdr->addr2); 3208 rx.sdata = prev; 3209 ieee80211_prepare_and_rx_handle(&rx, skb, false); 3210 3211 prev = sdata; 3212 } 3213 3214 if (prev) { 3215 rx.sta = sta_info_get_bss(prev, hdr->addr2); 3216 rx.sdata = prev; 3217 3218 if (ieee80211_prepare_and_rx_handle(&rx, skb, true)) 3219 return; 3220 } 3221 3222 out: 3223 dev_kfree_skb(skb); 3224 } 3225 3226 /* 3227 * This is the receive path handler. It is called by a low level driver when an 3228 * 802.11 MPDU is received from the hardware. 3229 */ 3230 void ieee80211_rx(struct ieee80211_hw *hw, struct sk_buff *skb) 3231 { 3232 struct ieee80211_local *local = hw_to_local(hw); 3233 struct ieee80211_rate *rate = NULL; 3234 struct ieee80211_supported_band *sband; 3235 struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(skb); 3236 3237 WARN_ON_ONCE(softirq_count() == 0); 3238 3239 if (WARN_ON(status->band >= IEEE80211_NUM_BANDS)) 3240 goto drop; 3241 3242 sband = local->hw.wiphy->bands[status->band]; 3243 if (WARN_ON(!sband)) 3244 goto drop; 3245 3246 /* 3247 * If we're suspending, it is possible although not too likely 3248 * that we'd be receiving frames after having already partially 3249 * quiesced the stack. We can't process such frames then since 3250 * that might, for example, cause stations to be added or other 3251 * driver callbacks be invoked. 3252 */ 3253 if (unlikely(local->quiescing || local->suspended)) 3254 goto drop; 3255 3256 /* We might be during a HW reconfig, prevent Rx for the same reason */ 3257 if (unlikely(local->in_reconfig)) 3258 goto drop; 3259 3260 /* 3261 * The same happens when we're not even started, 3262 * but that's worth a warning. 3263 */ 3264 if (WARN_ON(!local->started)) 3265 goto drop; 3266 3267 if (likely(!(status->flag & RX_FLAG_FAILED_PLCP_CRC))) { 3268 /* 3269 * Validate the rate, unless a PLCP error means that 3270 * we probably can't have a valid rate here anyway. 3271 */ 3272 3273 if (status->flag & RX_FLAG_HT) { 3274 /* 3275 * rate_idx is MCS index, which can be [0-76] 3276 * as documented on: 3277 * 3278 * http://wireless.kernel.org/en/developers/Documentation/ieee80211/802.11n 3279 * 3280 * Anything else would be some sort of driver or 3281 * hardware error. The driver should catch hardware 3282 * errors. 3283 */ 3284 if (WARN(status->rate_idx > 76, 3285 "Rate marked as an HT rate but passed " 3286 "status->rate_idx is not " 3287 "an MCS index [0-76]: %d (0x%02x)\n", 3288 status->rate_idx, 3289 status->rate_idx)) 3290 goto drop; 3291 } else if (status->flag & RX_FLAG_VHT) { 3292 if (WARN_ONCE(status->rate_idx > 9 || 3293 !status->vht_nss || 3294 status->vht_nss > 8, 3295 "Rate marked as a VHT rate but data is invalid: MCS: %d, NSS: %d\n", 3296 status->rate_idx, status->vht_nss)) 3297 goto drop; 3298 } else { 3299 if (WARN_ON(status->rate_idx >= sband->n_bitrates)) 3300 goto drop; 3301 rate = &sband->bitrates[status->rate_idx]; 3302 } 3303 } 3304 3305 status->rx_flags = 0; 3306 3307 /* 3308 * key references and virtual interfaces are protected using RCU 3309 * and this requires that we are in a read-side RCU section during 3310 * receive processing 3311 */ 3312 rcu_read_lock(); 3313 3314 /* 3315 * Frames with failed FCS/PLCP checksum are not returned, 3316 * all other frames are returned without radiotap header 3317 * if it was previously present. 3318 * Also, frames with less than 16 bytes are dropped. 3319 */ 3320 skb = ieee80211_rx_monitor(local, skb, rate); 3321 if (!skb) { 3322 rcu_read_unlock(); 3323 return; 3324 } 3325 3326 ieee80211_tpt_led_trig_rx(local, 3327 ((struct ieee80211_hdr *)skb->data)->frame_control, 3328 skb->len); 3329 __ieee80211_rx_handle_packet(hw, skb); 3330 3331 rcu_read_unlock(); 3332 3333 return; 3334 drop: 3335 kfree_skb(skb); 3336 } 3337 EXPORT_SYMBOL(ieee80211_rx); 3338 3339 /* This is a version of the rx handler that can be called from hard irq 3340 * context. Post the skb on the queue and schedule the tasklet */ 3341 void ieee80211_rx_irqsafe(struct ieee80211_hw *hw, struct sk_buff *skb) 3342 { 3343 struct ieee80211_local *local = hw_to_local(hw); 3344 3345 BUILD_BUG_ON(sizeof(struct ieee80211_rx_status) > sizeof(skb->cb)); 3346 3347 skb->pkt_type = IEEE80211_RX_MSG; 3348 skb_queue_tail(&local->skb_queue, skb); 3349 tasklet_schedule(&local->tasklet); 3350 } 3351 EXPORT_SYMBOL(ieee80211_rx_irqsafe); 3352