linux/net/mac80211/rx.c
<<
>>
Prefs
   1/*
   2 * Copyright 2002-2005, Instant802 Networks, Inc.
   3 * Copyright 2005-2006, Devicescape Software, Inc.
   4 * Copyright 2006-2007  Jiri Benc <jbenc@suse.cz>
   5 * Copyright 2007-2010  Johannes Berg <johannes@sipsolutions.net>
   6 *
   7 * This program is free software; you can redistribute it and/or modify
   8 * it under the terms of the GNU General Public License version 2 as
   9 * published by the Free Software Foundation.
  10 */
  11
  12#include <linux/jiffies.h>
  13#include <linux/slab.h>
  14#include <linux/kernel.h>
  15#include <linux/skbuff.h>
  16#include <linux/netdevice.h>
  17#include <linux/etherdevice.h>
  18#include <linux/rcupdate.h>
  19#include <linux/export.h>
  20#include <net/mac80211.h>
  21#include <net/ieee80211_radiotap.h>
  22#include <asm/unaligned.h>
  23
  24#include "ieee80211_i.h"
  25#include "driver-ops.h"
  26#include "led.h"
  27#include "mesh.h"
  28#include "wep.h"
  29#include "wpa.h"
  30#include "tkip.h"
  31#include "wme.h"
  32#include "rate.h"
  33
  34/*
  35 * monitor mode reception
  36 *
  37 * This function cleans up the SKB, i.e. it removes all the stuff
  38 * only useful for monitoring.
  39 */
  40static struct sk_buff *remove_monitor_info(struct ieee80211_local *local,
  41                                           struct sk_buff *skb)
  42{
  43        if (local->hw.flags & IEEE80211_HW_RX_INCLUDES_FCS) {
  44                if (likely(skb->len > FCS_LEN))
  45                        __pskb_trim(skb, skb->len - FCS_LEN);
  46                else {
  47                        /* driver bug */
  48                        WARN_ON(1);
  49                        dev_kfree_skb(skb);
  50                        skb = NULL;
  51                }
  52        }
  53
  54        return skb;
  55}
  56
  57static inline int should_drop_frame(struct sk_buff *skb,
  58                                    int present_fcs_len)
  59{
  60        struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(skb);
  61        struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)skb->data;
  62
  63        if (status->flag & (RX_FLAG_FAILED_FCS_CRC | RX_FLAG_FAILED_PLCP_CRC))
  64                return 1;
  65        if (unlikely(skb->len < 16 + present_fcs_len))
  66                return 1;
  67        if (ieee80211_is_ctl(hdr->frame_control) &&
  68            !ieee80211_is_pspoll(hdr->frame_control) &&
  69            !ieee80211_is_back_req(hdr->frame_control))
  70                return 1;
  71        return 0;
  72}
  73
  74static int
  75ieee80211_rx_radiotap_len(struct ieee80211_local *local,
  76                          struct ieee80211_rx_status *status)
  77{
  78        int len;
  79
  80        /* always present fields */
  81        len = sizeof(struct ieee80211_radiotap_header) + 9;
  82
  83        if (status->flag & RX_FLAG_MACTIME_MPDU)
  84                len += 8;
  85        if (local->hw.flags & IEEE80211_HW_SIGNAL_DBM)
  86                len += 1;
  87
  88        if (len & 1) /* padding for RX_FLAGS if necessary */
  89                len++;
  90
  91        if (status->flag & RX_FLAG_HT) /* HT info */
  92                len += 3;
  93
  94        return len;
  95}
  96
  97/**
  98 * ieee80211_add_rx_radiotap_header - add radiotap header
  99 *
 100 * add a radiotap header containing all the fields which the hardware provided.
 101 */
 102static void
 103ieee80211_add_rx_radiotap_header(struct ieee80211_local *local,
 104                                 struct sk_buff *skb,
 105                                 struct ieee80211_rate *rate,
 106                                 int rtap_len, bool has_fcs)
 107{
 108        struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(skb);
 109        struct ieee80211_radiotap_header *rthdr;
 110        unsigned char *pos;
 111        u16 rx_flags = 0;
 112
 113        rthdr = (struct ieee80211_radiotap_header *)skb_push(skb, rtap_len);
 114        memset(rthdr, 0, rtap_len);
 115
 116        /* radiotap header, set always present flags */
 117        rthdr->it_present =
 118                cpu_to_le32((1 << IEEE80211_RADIOTAP_FLAGS) |
 119                            (1 << IEEE80211_RADIOTAP_CHANNEL) |
 120                            (1 << IEEE80211_RADIOTAP_ANTENNA) |
 121                            (1 << IEEE80211_RADIOTAP_RX_FLAGS));
 122        rthdr->it_len = cpu_to_le16(rtap_len);
 123
 124        pos = (unsigned char *)(rthdr+1);
 125
 126        /* the order of the following fields is important */
 127
 128        /* IEEE80211_RADIOTAP_TSFT */
 129        if (status->flag & RX_FLAG_MACTIME_MPDU) {
 130                put_unaligned_le64(status->mactime, pos);
 131                rthdr->it_present |=
 132                        cpu_to_le32(1 << IEEE80211_RADIOTAP_TSFT);
 133                pos += 8;
 134        }
 135
 136        /* IEEE80211_RADIOTAP_FLAGS */
 137        if (has_fcs && (local->hw.flags & IEEE80211_HW_RX_INCLUDES_FCS))
 138                *pos |= IEEE80211_RADIOTAP_F_FCS;
 139        if (status->flag & (RX_FLAG_FAILED_FCS_CRC | RX_FLAG_FAILED_PLCP_CRC))
 140                *pos |= IEEE80211_RADIOTAP_F_BADFCS;
 141        if (status->flag & RX_FLAG_SHORTPRE)
 142                *pos |= IEEE80211_RADIOTAP_F_SHORTPRE;
 143        pos++;
 144
 145        /* IEEE80211_RADIOTAP_RATE */
 146        if (!rate || status->flag & RX_FLAG_HT) {
 147                /*
 148                 * Without rate information don't add it. If we have,
 149                 * MCS information is a separate field in radiotap,
 150                 * added below. The byte here is needed as padding
 151                 * for the channel though, so initialise it to 0.
 152                 */
 153                *pos = 0;
 154        } else {
 155                rthdr->it_present |= cpu_to_le32(1 << IEEE80211_RADIOTAP_RATE);
 156                *pos = rate->bitrate / 5;
 157        }
 158        pos++;
 159
 160        /* IEEE80211_RADIOTAP_CHANNEL */
 161        put_unaligned_le16(status->freq, pos);
 162        pos += 2;
 163        if (status->band == IEEE80211_BAND_5GHZ)
 164                put_unaligned_le16(IEEE80211_CHAN_OFDM | IEEE80211_CHAN_5GHZ,
 165                                   pos);
 166        else if (status->flag & RX_FLAG_HT)
 167                put_unaligned_le16(IEEE80211_CHAN_DYN | IEEE80211_CHAN_2GHZ,
 168                                   pos);
 169        else if (rate && rate->flags & IEEE80211_RATE_ERP_G)
 170                put_unaligned_le16(IEEE80211_CHAN_OFDM | IEEE80211_CHAN_2GHZ,
 171                                   pos);
 172        else if (rate)
 173                put_unaligned_le16(IEEE80211_CHAN_CCK | IEEE80211_CHAN_2GHZ,
 174                                   pos);
 175        else
 176                put_unaligned_le16(IEEE80211_CHAN_2GHZ, pos);
 177        pos += 2;
 178
 179        /* IEEE80211_RADIOTAP_DBM_ANTSIGNAL */
 180        if (local->hw.flags & IEEE80211_HW_SIGNAL_DBM &&
 181            !(status->flag & RX_FLAG_NO_SIGNAL_VAL)) {
 182                *pos = status->signal;
 183                rthdr->it_present |=
 184                        cpu_to_le32(1 << IEEE80211_RADIOTAP_DBM_ANTSIGNAL);
 185                pos++;
 186        }
 187
 188        /* IEEE80211_RADIOTAP_LOCK_QUALITY is missing */
 189
 190        /* IEEE80211_RADIOTAP_ANTENNA */
 191        *pos = status->antenna;
 192        pos++;
 193
 194        /* IEEE80211_RADIOTAP_DB_ANTNOISE is not used */
 195
 196        /* IEEE80211_RADIOTAP_RX_FLAGS */
 197        /* ensure 2 byte alignment for the 2 byte field as required */
 198        if ((pos - (u8 *)rthdr) & 1)
 199                pos++;
 200        if (status->flag & RX_FLAG_FAILED_PLCP_CRC)
 201                rx_flags |= IEEE80211_RADIOTAP_F_RX_BADPLCP;
 202        put_unaligned_le16(rx_flags, pos);
 203        pos += 2;
 204
 205        if (status->flag & RX_FLAG_HT) {
 206                rthdr->it_present |= cpu_to_le32(1 << IEEE80211_RADIOTAP_MCS);
 207                *pos++ = local->hw.radiotap_mcs_details;
 208                *pos = 0;
 209                if (status->flag & RX_FLAG_SHORT_GI)
 210                        *pos |= IEEE80211_RADIOTAP_MCS_SGI;
 211                if (status->flag & RX_FLAG_40MHZ)
 212                        *pos |= IEEE80211_RADIOTAP_MCS_BW_40;
 213                if (status->flag & RX_FLAG_HT_GF)
 214                        *pos |= IEEE80211_RADIOTAP_MCS_FMT_GF;
 215                pos++;
 216                *pos++ = status->rate_idx;
 217        }
 218}
 219
 220/*
 221 * This function copies a received frame to all monitor interfaces and
 222 * returns a cleaned-up SKB that no longer includes the FCS nor the
 223 * radiotap header the driver might have added.
 224 */
 225static struct sk_buff *
 226ieee80211_rx_monitor(struct ieee80211_local *local, struct sk_buff *origskb,
 227                     struct ieee80211_rate *rate)
 228{
 229        struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(origskb);
 230        struct ieee80211_sub_if_data *sdata;
 231        int needed_headroom;
 232        struct sk_buff *skb, *skb2;
 233        struct net_device *prev_dev = NULL;
 234        int present_fcs_len = 0;
 235
 236        /*
 237         * First, we may need to make a copy of the skb because
 238         *  (1) we need to modify it for radiotap (if not present), and
 239         *  (2) the other RX handlers will modify the skb we got.
 240         *
 241         * We don't need to, of course, if we aren't going to return
 242         * the SKB because it has a bad FCS/PLCP checksum.
 243         */
 244
 245        /* room for the radiotap header based on driver features */
 246        needed_headroom = ieee80211_rx_radiotap_len(local, status);
 247
 248        if (local->hw.flags & IEEE80211_HW_RX_INCLUDES_FCS)
 249                present_fcs_len = FCS_LEN;
 250
 251        /* make sure hdr->frame_control is on the linear part */
 252        if (!pskb_may_pull(origskb, 2)) {
 253                dev_kfree_skb(origskb);
 254                return NULL;
 255        }
 256
 257        if (!local->monitors) {
 258                if (should_drop_frame(origskb, present_fcs_len)) {
 259                        dev_kfree_skb(origskb);
 260                        return NULL;
 261                }
 262
 263                return remove_monitor_info(local, origskb);
 264        }
 265
 266        if (should_drop_frame(origskb, present_fcs_len)) {
 267                /* only need to expand headroom if necessary */
 268                skb = origskb;
 269                origskb = NULL;
 270
 271                /*
 272                 * This shouldn't trigger often because most devices have an
 273                 * RX header they pull before we get here, and that should
 274                 * be big enough for our radiotap information. We should
 275                 * probably export the length to drivers so that we can have
 276                 * them allocate enough headroom to start with.
 277                 */
 278                if (skb_headroom(skb) < needed_headroom &&
 279                    pskb_expand_head(skb, needed_headroom, 0, GFP_ATOMIC)) {
 280                        dev_kfree_skb(skb);
 281                        return NULL;
 282                }
 283        } else {
 284                /*
 285                 * Need to make a copy and possibly remove radiotap header
 286                 * and FCS from the original.
 287                 */
 288                skb = skb_copy_expand(origskb, needed_headroom, 0, GFP_ATOMIC);
 289
 290                origskb = remove_monitor_info(local, origskb);
 291
 292                if (!skb)
 293                        return origskb;
 294        }
 295
 296        /* prepend radiotap information */
 297        ieee80211_add_rx_radiotap_header(local, skb, rate, needed_headroom,
 298                                         true);
 299
 300        skb_reset_mac_header(skb);
 301        skb->ip_summed = CHECKSUM_UNNECESSARY;
 302        skb->pkt_type = PACKET_OTHERHOST;
 303        skb->protocol = htons(ETH_P_802_2);
 304
 305        list_for_each_entry_rcu(sdata, &local->interfaces, list) {
 306                if (sdata->vif.type != NL80211_IFTYPE_MONITOR)
 307                        continue;
 308
 309                if (sdata->u.mntr_flags & MONITOR_FLAG_COOK_FRAMES)
 310                        continue;
 311
 312                if (!ieee80211_sdata_running(sdata))
 313                        continue;
 314
 315                if (prev_dev) {
 316                        skb2 = skb_clone(skb, GFP_ATOMIC);
 317                        if (skb2) {
 318                                skb2->dev = prev_dev;
 319                                netif_receive_skb(skb2);
 320                        }
 321                }
 322
 323                prev_dev = sdata->dev;
 324                sdata->dev->stats.rx_packets++;
 325                sdata->dev->stats.rx_bytes += skb->len;
 326        }
 327
 328        if (prev_dev) {
 329                skb->dev = prev_dev;
 330                netif_receive_skb(skb);
 331        } else
 332                dev_kfree_skb(skb);
 333
 334        return origskb;
 335}
 336
 337
 338static void ieee80211_parse_qos(struct ieee80211_rx_data *rx)
 339{
 340        struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)rx->skb->data;
 341        struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(rx->skb);
 342        int tid, seqno_idx, security_idx;
 343
 344        /* does the frame have a qos control field? */
 345        if (ieee80211_is_data_qos(hdr->frame_control)) {
 346                u8 *qc = ieee80211_get_qos_ctl(hdr);
 347                /* frame has qos control */
 348                tid = *qc & IEEE80211_QOS_CTL_TID_MASK;
 349                if (*qc & IEEE80211_QOS_CTL_A_MSDU_PRESENT)
 350                        status->rx_flags |= IEEE80211_RX_AMSDU;
 351
 352                seqno_idx = tid;
 353                security_idx = tid;
 354        } else {
 355                /*
 356                 * IEEE 802.11-2007, 7.1.3.4.1 ("Sequence Number field"):
 357                 *
 358                 *      Sequence numbers for management frames, QoS data
 359                 *      frames with a broadcast/multicast address in the
 360                 *      Address 1 field, and all non-QoS data frames sent
 361                 *      by QoS STAs are assigned using an additional single
 362                 *      modulo-4096 counter, [...]
 363                 *
 364                 * We also use that counter for non-QoS STAs.
 365                 */
 366                seqno_idx = NUM_RX_DATA_QUEUES;
 367                security_idx = 0;
 368                if (ieee80211_is_mgmt(hdr->frame_control))
 369                        security_idx = NUM_RX_DATA_QUEUES;
 370                tid = 0;
 371        }
 372
 373        rx->seqno_idx = seqno_idx;
 374        rx->security_idx = security_idx;
 375        /* Set skb->priority to 1d tag if highest order bit of TID is not set.
 376         * For now, set skb->priority to 0 for other cases. */
 377        rx->skb->priority = (tid > 7) ? 0 : tid;
 378}
 379
 380/**
 381 * DOC: Packet alignment
 382 *
 383 * Drivers always need to pass packets that are aligned to two-byte boundaries
 384 * to the stack.
 385 *
 386 * Additionally, should, if possible, align the payload data in a way that
 387 * guarantees that the contained IP header is aligned to a four-byte
 388 * boundary. In the case of regular frames, this simply means aligning the
 389 * payload to a four-byte boundary (because either the IP header is directly
 390 * contained, or IV/RFC1042 headers that have a length divisible by four are
 391 * in front of it).  If the payload data is not properly aligned and the
 392 * architecture doesn't support efficient unaligned operations, mac80211
 393 * will align the data.
 394 *
 395 * With A-MSDU frames, however, the payload data address must yield two modulo
 396 * four because there are 14-byte 802.3 headers within the A-MSDU frames that
 397 * push the IP header further back to a multiple of four again. Thankfully, the
 398 * specs were sane enough this time around to require padding each A-MSDU
 399 * subframe to a length that is a multiple of four.
 400 *
 401 * Padding like Atheros hardware adds which is between the 802.11 header and
 402 * the payload is not supported, the driver is required to move the 802.11
 403 * header to be directly in front of the payload in that case.
 404 */
 405static void ieee80211_verify_alignment(struct ieee80211_rx_data *rx)
 406{
 407#ifdef CONFIG_MAC80211_VERBOSE_DEBUG
 408        WARN_ONCE((unsigned long)rx->skb->data & 1,
 409                  "unaligned packet at 0x%p\n", rx->skb->data);
 410#endif
 411}
 412
 413
 414/* rx handlers */
 415
 416static int ieee80211_is_unicast_robust_mgmt_frame(struct sk_buff *skb)
 417{
 418        struct ieee80211_hdr *hdr = (struct ieee80211_hdr *) skb->data;
 419
 420        if (skb->len < 24 || is_multicast_ether_addr(hdr->addr1))
 421                return 0;
 422
 423        return ieee80211_is_robust_mgmt_frame(hdr);
 424}
 425
 426
 427static int ieee80211_is_multicast_robust_mgmt_frame(struct sk_buff *skb)
 428{
 429        struct ieee80211_hdr *hdr = (struct ieee80211_hdr *) skb->data;
 430
 431        if (skb->len < 24 || !is_multicast_ether_addr(hdr->addr1))
 432                return 0;
 433
 434        return ieee80211_is_robust_mgmt_frame(hdr);
 435}
 436
 437
 438/* Get the BIP key index from MMIE; return -1 if this is not a BIP frame */
 439static int ieee80211_get_mmie_keyidx(struct sk_buff *skb)
 440{
 441        struct ieee80211_mgmt *hdr = (struct ieee80211_mgmt *) skb->data;
 442        struct ieee80211_mmie *mmie;
 443
 444        if (skb->len < 24 + sizeof(*mmie) ||
 445            !is_multicast_ether_addr(hdr->da))
 446                return -1;
 447
 448        if (!ieee80211_is_robust_mgmt_frame((struct ieee80211_hdr *) hdr))
 449                return -1; /* not a robust management frame */
 450
 451        mmie = (struct ieee80211_mmie *)
 452                (skb->data + skb->len - sizeof(*mmie));
 453        if (mmie->element_id != WLAN_EID_MMIE ||
 454            mmie->length != sizeof(*mmie) - 2)
 455                return -1;
 456
 457        return le16_to_cpu(mmie->key_id);
 458}
 459
 460
 461static ieee80211_rx_result
 462ieee80211_rx_mesh_check(struct ieee80211_rx_data *rx)
 463{
 464        struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)rx->skb->data;
 465        char *dev_addr = rx->sdata->vif.addr;
 466
 467        if (ieee80211_is_data(hdr->frame_control)) {
 468                if (is_multicast_ether_addr(hdr->addr1)) {
 469                        if (ieee80211_has_tods(hdr->frame_control) ||
 470                                !ieee80211_has_fromds(hdr->frame_control))
 471                                return RX_DROP_MONITOR;
 472                        if (ether_addr_equal(hdr->addr3, dev_addr))
 473                                return RX_DROP_MONITOR;
 474                } else {
 475                        if (!ieee80211_has_a4(hdr->frame_control))
 476                                return RX_DROP_MONITOR;
 477                        if (ether_addr_equal(hdr->addr4, dev_addr))
 478                                return RX_DROP_MONITOR;
 479                }
 480        }
 481
 482        /* If there is not an established peer link and this is not a peer link
 483         * establisment frame, beacon or probe, drop the frame.
 484         */
 485
 486        if (!rx->sta || sta_plink_state(rx->sta) != NL80211_PLINK_ESTAB) {
 487                struct ieee80211_mgmt *mgmt;
 488
 489                if (!ieee80211_is_mgmt(hdr->frame_control))
 490                        return RX_DROP_MONITOR;
 491
 492                if (ieee80211_is_action(hdr->frame_control)) {
 493                        u8 category;
 494
 495                        /* make sure category field is present */
 496                        if (rx->skb->len < IEEE80211_MIN_ACTION_SIZE)
 497                                return RX_DROP_MONITOR;
 498
 499                        mgmt = (struct ieee80211_mgmt *)hdr;
 500                        category = mgmt->u.action.category;
 501                        if (category != WLAN_CATEGORY_MESH_ACTION &&
 502                                category != WLAN_CATEGORY_SELF_PROTECTED)
 503                                return RX_DROP_MONITOR;
 504                        return RX_CONTINUE;
 505                }
 506
 507                if (ieee80211_is_probe_req(hdr->frame_control) ||
 508                    ieee80211_is_probe_resp(hdr->frame_control) ||
 509                    ieee80211_is_beacon(hdr->frame_control) ||
 510                    ieee80211_is_auth(hdr->frame_control))
 511                        return RX_CONTINUE;
 512
 513                return RX_DROP_MONITOR;
 514
 515        }
 516
 517        return RX_CONTINUE;
 518}
 519
 520#define SEQ_MODULO 0x1000
 521#define SEQ_MASK   0xfff
 522
 523static inline int seq_less(u16 sq1, u16 sq2)
 524{
 525        return ((sq1 - sq2) & SEQ_MASK) > (SEQ_MODULO >> 1);
 526}
 527
 528static inline u16 seq_inc(u16 sq)
 529{
 530        return (sq + 1) & SEQ_MASK;
 531}
 532
 533static inline u16 seq_sub(u16 sq1, u16 sq2)
 534{
 535        return (sq1 - sq2) & SEQ_MASK;
 536}
 537
 538
 539static void ieee80211_release_reorder_frame(struct ieee80211_sub_if_data *sdata,
 540                                            struct tid_ampdu_rx *tid_agg_rx,
 541                                            int index)
 542{
 543        struct ieee80211_local *local = sdata->local;
 544        struct sk_buff *skb = tid_agg_rx->reorder_buf[index];
 545        struct ieee80211_rx_status *status;
 546
 547        lockdep_assert_held(&tid_agg_rx->reorder_lock);
 548
 549        if (!skb)
 550                goto no_frame;
 551
 552        /* release the frame from the reorder ring buffer */
 553        tid_agg_rx->stored_mpdu_num--;
 554        tid_agg_rx->reorder_buf[index] = NULL;
 555        status = IEEE80211_SKB_RXCB(skb);
 556        status->rx_flags |= IEEE80211_RX_DEFERRED_RELEASE;
 557        skb_queue_tail(&local->rx_skb_queue, skb);
 558
 559no_frame:
 560        tid_agg_rx->head_seq_num = seq_inc(tid_agg_rx->head_seq_num);
 561}
 562
 563static void ieee80211_release_reorder_frames(struct ieee80211_sub_if_data *sdata,
 564                                             struct tid_ampdu_rx *tid_agg_rx,
 565                                             u16 head_seq_num)
 566{
 567        int index;
 568
 569        lockdep_assert_held(&tid_agg_rx->reorder_lock);
 570
 571        while (seq_less(tid_agg_rx->head_seq_num, head_seq_num)) {
 572                index = seq_sub(tid_agg_rx->head_seq_num, tid_agg_rx->ssn) %
 573                                                        tid_agg_rx->buf_size;
 574                ieee80211_release_reorder_frame(sdata, tid_agg_rx, index);
 575        }
 576}
 577
 578/*
 579 * Timeout (in jiffies) for skb's that are waiting in the RX reorder buffer. If
 580 * the skb was added to the buffer longer than this time ago, the earlier
 581 * frames that have not yet been received are assumed to be lost and the skb
 582 * can be released for processing. This may also release other skb's from the
 583 * reorder buffer if there are no additional gaps between the frames.
 584 *
 585 * Callers must hold tid_agg_rx->reorder_lock.
 586 */
 587#define HT_RX_REORDER_BUF_TIMEOUT (HZ / 10)
 588
 589static void ieee80211_sta_reorder_release(struct ieee80211_sub_if_data *sdata,
 590                                          struct tid_ampdu_rx *tid_agg_rx)
 591{
 592        int index, j;
 593
 594        lockdep_assert_held(&tid_agg_rx->reorder_lock);
 595
 596        /* release the buffer until next missing frame */
 597        index = seq_sub(tid_agg_rx->head_seq_num, tid_agg_rx->ssn) %
 598                                                tid_agg_rx->buf_size;
 599        if (!tid_agg_rx->reorder_buf[index] &&
 600            tid_agg_rx->stored_mpdu_num) {
 601                /*
 602                 * No buffers ready to be released, but check whether any
 603                 * frames in the reorder buffer have timed out.
 604                 */
 605                int skipped = 1;
 606                for (j = (index + 1) % tid_agg_rx->buf_size; j != index;
 607                     j = (j + 1) % tid_agg_rx->buf_size) {
 608                        if (!tid_agg_rx->reorder_buf[j]) {
 609                                skipped++;
 610                                continue;
 611                        }
 612                        if (skipped &&
 613                            !time_after(jiffies, tid_agg_rx->reorder_time[j] +
 614                                        HT_RX_REORDER_BUF_TIMEOUT))
 615                                goto set_release_timer;
 616
 617                        ht_dbg_ratelimited(sdata,
 618                                           "release an RX reorder frame due to timeout on earlier frames\n");
 619                        ieee80211_release_reorder_frame(sdata, tid_agg_rx, j);
 620
 621                        /*
 622                         * Increment the head seq# also for the skipped slots.
 623                         */
 624                        tid_agg_rx->head_seq_num =
 625                                (tid_agg_rx->head_seq_num + skipped) & SEQ_MASK;
 626                        skipped = 0;
 627                }
 628        } else while (tid_agg_rx->reorder_buf[index]) {
 629                ieee80211_release_reorder_frame(sdata, tid_agg_rx, index);
 630                index = seq_sub(tid_agg_rx->head_seq_num, tid_agg_rx->ssn) %
 631                                                        tid_agg_rx->buf_size;
 632        }
 633
 634        if (tid_agg_rx->stored_mpdu_num) {
 635                j = index = seq_sub(tid_agg_rx->head_seq_num,
 636                                    tid_agg_rx->ssn) % tid_agg_rx->buf_size;
 637
 638                for (; j != (index - 1) % tid_agg_rx->buf_size;
 639                     j = (j + 1) % tid_agg_rx->buf_size) {
 640                        if (tid_agg_rx->reorder_buf[j])
 641                                break;
 642                }
 643
 644 set_release_timer:
 645
 646                mod_timer(&tid_agg_rx->reorder_timer,
 647                          tid_agg_rx->reorder_time[j] + 1 +
 648                          HT_RX_REORDER_BUF_TIMEOUT);
 649        } else {
 650                del_timer(&tid_agg_rx->reorder_timer);
 651        }
 652}
 653
 654/*
 655 * As this function belongs to the RX path it must be under
 656 * rcu_read_lock protection. It returns false if the frame
 657 * can be processed immediately, true if it was consumed.
 658 */
 659static bool ieee80211_sta_manage_reorder_buf(struct ieee80211_sub_if_data *sdata,
 660                                             struct tid_ampdu_rx *tid_agg_rx,
 661                                             struct sk_buff *skb)
 662{
 663        struct ieee80211_hdr *hdr = (struct ieee80211_hdr *) skb->data;
 664        u16 sc = le16_to_cpu(hdr->seq_ctrl);
 665        u16 mpdu_seq_num = (sc & IEEE80211_SCTL_SEQ) >> 4;
 666        u16 head_seq_num, buf_size;
 667        int index;
 668        bool ret = true;
 669
 670        spin_lock(&tid_agg_rx->reorder_lock);
 671
 672        buf_size = tid_agg_rx->buf_size;
 673        head_seq_num = tid_agg_rx->head_seq_num;
 674
 675        /* frame with out of date sequence number */
 676        if (seq_less(mpdu_seq_num, head_seq_num)) {
 677                dev_kfree_skb(skb);
 678                goto out;
 679        }
 680
 681        /*
 682         * If frame the sequence number exceeds our buffering window
 683         * size release some previous frames to make room for this one.
 684         */
 685        if (!seq_less(mpdu_seq_num, head_seq_num + buf_size)) {
 686                head_seq_num = seq_inc(seq_sub(mpdu_seq_num, buf_size));
 687                /* release stored frames up to new head to stack */
 688                ieee80211_release_reorder_frames(sdata, tid_agg_rx,
 689                                                 head_seq_num);
 690        }
 691
 692        /* Now the new frame is always in the range of the reordering buffer */
 693
 694        index = seq_sub(mpdu_seq_num, tid_agg_rx->ssn) % tid_agg_rx->buf_size;
 695
 696        /* check if we already stored this frame */
 697        if (tid_agg_rx->reorder_buf[index]) {
 698                dev_kfree_skb(skb);
 699                goto out;
 700        }
 701
 702        /*
 703         * If the current MPDU is in the right order and nothing else
 704         * is stored we can process it directly, no need to buffer it.
 705         * If it is first but there's something stored, we may be able
 706         * to release frames after this one.
 707         */
 708        if (mpdu_seq_num == tid_agg_rx->head_seq_num &&
 709            tid_agg_rx->stored_mpdu_num == 0) {
 710                tid_agg_rx->head_seq_num = seq_inc(tid_agg_rx->head_seq_num);
 711                ret = false;
 712                goto out;
 713        }
 714
 715        /* put the frame in the reordering buffer */
 716        tid_agg_rx->reorder_buf[index] = skb;
 717        tid_agg_rx->reorder_time[index] = jiffies;
 718        tid_agg_rx->stored_mpdu_num++;
 719        ieee80211_sta_reorder_release(sdata, tid_agg_rx);
 720
 721 out:
 722        spin_unlock(&tid_agg_rx->reorder_lock);
 723        return ret;
 724}
 725
 726/*
 727 * Reorder MPDUs from A-MPDUs, keeping them on a buffer. Returns
 728 * true if the MPDU was buffered, false if it should be processed.
 729 */
 730static void ieee80211_rx_reorder_ampdu(struct ieee80211_rx_data *rx)
 731{
 732        struct sk_buff *skb = rx->skb;
 733        struct ieee80211_local *local = rx->local;
 734        struct ieee80211_hdr *hdr = (struct ieee80211_hdr *) skb->data;
 735        struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(skb);
 736        struct sta_info *sta = rx->sta;
 737        struct tid_ampdu_rx *tid_agg_rx;
 738        u16 sc;
 739        u8 tid, ack_policy;
 740
 741        if (!ieee80211_is_data_qos(hdr->frame_control))
 742                goto dont_reorder;
 743
 744        /*
 745         * filter the QoS data rx stream according to
 746         * STA/TID and check if this STA/TID is on aggregation
 747         */
 748
 749        if (!sta)
 750                goto dont_reorder;
 751
 752        ack_policy = *ieee80211_get_qos_ctl(hdr) &
 753                     IEEE80211_QOS_CTL_ACK_POLICY_MASK;
 754        tid = *ieee80211_get_qos_ctl(hdr) & IEEE80211_QOS_CTL_TID_MASK;
 755
 756        tid_agg_rx = rcu_dereference(sta->ampdu_mlme.tid_rx[tid]);
 757        if (!tid_agg_rx)
 758                goto dont_reorder;
 759
 760        /* qos null data frames are excluded */
 761        if (unlikely(hdr->frame_control & cpu_to_le16(IEEE80211_STYPE_NULLFUNC)))
 762                goto dont_reorder;
 763
 764        /* not part of a BA session */
 765        if (ack_policy != IEEE80211_QOS_CTL_ACK_POLICY_BLOCKACK &&
 766            ack_policy != IEEE80211_QOS_CTL_ACK_POLICY_NORMAL)
 767                goto dont_reorder;
 768
 769        /* not actually part of this BA session */
 770        if (!(status->rx_flags & IEEE80211_RX_RA_MATCH))
 771                goto dont_reorder;
 772
 773        /* new, potentially un-ordered, ampdu frame - process it */
 774
 775        /* reset session timer */
 776        if (tid_agg_rx->timeout)
 777                tid_agg_rx->last_rx = jiffies;
 778
 779        /* if this mpdu is fragmented - terminate rx aggregation session */
 780        sc = le16_to_cpu(hdr->seq_ctrl);
 781        if (sc & IEEE80211_SCTL_FRAG) {
 782                skb->pkt_type = IEEE80211_SDATA_QUEUE_TYPE_FRAME;
 783                skb_queue_tail(&rx->sdata->skb_queue, skb);
 784                ieee80211_queue_work(&local->hw, &rx->sdata->work);
 785                return;
 786        }
 787
 788        /*
 789         * No locking needed -- we will only ever process one
 790         * RX packet at a time, and thus own tid_agg_rx. All
 791         * other code manipulating it needs to (and does) make
 792         * sure that we cannot get to it any more before doing
 793         * anything with it.
 794         */
 795        if (ieee80211_sta_manage_reorder_buf(rx->sdata, tid_agg_rx, skb))
 796                return;
 797
 798 dont_reorder:
 799        skb_queue_tail(&local->rx_skb_queue, skb);
 800}
 801
 802static ieee80211_rx_result debug_noinline
 803ieee80211_rx_h_check(struct ieee80211_rx_data *rx)
 804{
 805        struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)rx->skb->data;
 806        struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(rx->skb);
 807
 808        /* Drop duplicate 802.11 retransmissions (IEEE 802.11 Chap. 9.2.9) */
 809        if (rx->sta && !is_multicast_ether_addr(hdr->addr1)) {
 810                if (unlikely(ieee80211_has_retry(hdr->frame_control) &&
 811                             rx->sta->last_seq_ctrl[rx->seqno_idx] ==
 812                             hdr->seq_ctrl)) {
 813                        if (status->rx_flags & IEEE80211_RX_RA_MATCH) {
 814                                rx->local->dot11FrameDuplicateCount++;
 815                                rx->sta->num_duplicates++;
 816                        }
 817                        return RX_DROP_UNUSABLE;
 818                } else
 819                        rx->sta->last_seq_ctrl[rx->seqno_idx] = hdr->seq_ctrl;
 820        }
 821
 822        if (unlikely(rx->skb->len < 16)) {
 823                I802_DEBUG_INC(rx->local->rx_handlers_drop_short);
 824                return RX_DROP_MONITOR;
 825        }
 826
 827        /* Drop disallowed frame classes based on STA auth/assoc state;
 828         * IEEE 802.11, Chap 5.5.
 829         *
 830         * mac80211 filters only based on association state, i.e. it drops
 831         * Class 3 frames from not associated stations. hostapd sends
 832         * deauth/disassoc frames when needed. In addition, hostapd is
 833         * responsible for filtering on both auth and assoc states.
 834         */
 835
 836        if (ieee80211_vif_is_mesh(&rx->sdata->vif))
 837                return ieee80211_rx_mesh_check(rx);
 838
 839        if (unlikely((ieee80211_is_data(hdr->frame_control) ||
 840                      ieee80211_is_pspoll(hdr->frame_control)) &&
 841                     rx->sdata->vif.type != NL80211_IFTYPE_ADHOC &&
 842                     rx->sdata->vif.type != NL80211_IFTYPE_WDS &&
 843                     (!rx->sta || !test_sta_flag(rx->sta, WLAN_STA_ASSOC)))) {
 844                /*
 845                 * accept port control frames from the AP even when it's not
 846                 * yet marked ASSOC to prevent a race where we don't set the
 847                 * assoc bit quickly enough before it sends the first frame
 848                 */
 849                if (rx->sta && rx->sdata->vif.type == NL80211_IFTYPE_STATION &&
 850                    ieee80211_is_data_present(hdr->frame_control)) {
 851                        unsigned int hdrlen;
 852                        __be16 ethertype;
 853
 854                        hdrlen = ieee80211_hdrlen(hdr->frame_control);
 855
 856                        if (rx->skb->len < hdrlen + 8)
 857                                return RX_DROP_MONITOR;
 858
 859                        skb_copy_bits(rx->skb, hdrlen + 6, &ethertype, 2);
 860                        if (ethertype == rx->sdata->control_port_protocol)
 861                                return RX_CONTINUE;
 862                }
 863
 864                if (rx->sdata->vif.type == NL80211_IFTYPE_AP &&
 865                    cfg80211_rx_spurious_frame(rx->sdata->dev,
 866                                               hdr->addr2,
 867                                               GFP_ATOMIC))
 868                        return RX_DROP_UNUSABLE;
 869
 870                return RX_DROP_MONITOR;
 871        }
 872
 873        return RX_CONTINUE;
 874}
 875
 876
 877static ieee80211_rx_result debug_noinline
 878ieee80211_rx_h_decrypt(struct ieee80211_rx_data *rx)
 879{
 880        struct sk_buff *skb = rx->skb;
 881        struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(skb);
 882        struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)skb->data;
 883        int keyidx;
 884        int hdrlen;
 885        ieee80211_rx_result result = RX_DROP_UNUSABLE;
 886        struct ieee80211_key *sta_ptk = NULL;
 887        int mmie_keyidx = -1;
 888        __le16 fc;
 889
 890        /*
 891         * Key selection 101
 892         *
 893         * There are four types of keys:
 894         *  - GTK (group keys)
 895         *  - IGTK (group keys for management frames)
 896         *  - PTK (pairwise keys)
 897         *  - STK (station-to-station pairwise keys)
 898         *
 899         * When selecting a key, we have to distinguish between multicast
 900         * (including broadcast) and unicast frames, the latter can only
 901         * use PTKs and STKs while the former always use GTKs and IGTKs.
 902         * Unless, of course, actual WEP keys ("pre-RSNA") are used, then
 903         * unicast frames can also use key indices like GTKs. Hence, if we
 904         * don't have a PTK/STK we check the key index for a WEP key.
 905         *
 906         * Note that in a regular BSS, multicast frames are sent by the
 907         * AP only, associated stations unicast the frame to the AP first
 908         * which then multicasts it on their behalf.
 909         *
 910         * There is also a slight problem in IBSS mode: GTKs are negotiated
 911         * with each station, that is something we don't currently handle.
 912         * The spec seems to expect that one negotiates the same key with
 913         * every station but there's no such requirement; VLANs could be
 914         * possible.
 915         */
 916
 917        /*
 918         * No point in finding a key and decrypting if the frame is neither
 919         * addressed to us nor a multicast frame.
 920         */
 921        if (!(status->rx_flags & IEEE80211_RX_RA_MATCH))
 922                return RX_CONTINUE;
 923
 924        /* start without a key */
 925        rx->key = NULL;
 926
 927        if (rx->sta)
 928                sta_ptk = rcu_dereference(rx->sta->ptk);
 929
 930        fc = hdr->frame_control;
 931
 932        if (!ieee80211_has_protected(fc))
 933                mmie_keyidx = ieee80211_get_mmie_keyidx(rx->skb);
 934
 935        if (!is_multicast_ether_addr(hdr->addr1) && sta_ptk) {
 936                rx->key = sta_ptk;
 937                if ((status->flag & RX_FLAG_DECRYPTED) &&
 938                    (status->flag & RX_FLAG_IV_STRIPPED))
 939                        return RX_CONTINUE;
 940                /* Skip decryption if the frame is not protected. */
 941                if (!ieee80211_has_protected(fc))
 942                        return RX_CONTINUE;
 943        } else if (mmie_keyidx >= 0) {
 944                /* Broadcast/multicast robust management frame / BIP */
 945                if ((status->flag & RX_FLAG_DECRYPTED) &&
 946                    (status->flag & RX_FLAG_IV_STRIPPED))
 947                        return RX_CONTINUE;
 948
 949                if (mmie_keyidx < NUM_DEFAULT_KEYS ||
 950                    mmie_keyidx >= NUM_DEFAULT_KEYS + NUM_DEFAULT_MGMT_KEYS)
 951                        return RX_DROP_MONITOR; /* unexpected BIP keyidx */
 952                if (rx->sta)
 953                        rx->key = rcu_dereference(rx->sta->gtk[mmie_keyidx]);
 954                if (!rx->key)
 955                        rx->key = rcu_dereference(rx->sdata->keys[mmie_keyidx]);
 956        } else if (!ieee80211_has_protected(fc)) {
 957                /*
 958                 * The frame was not protected, so skip decryption. However, we
 959                 * need to set rx->key if there is a key that could have been
 960                 * used so that the frame may be dropped if encryption would
 961                 * have been expected.
 962                 */
 963                struct ieee80211_key *key = NULL;
 964                struct ieee80211_sub_if_data *sdata = rx->sdata;
 965                int i;
 966
 967                if (ieee80211_is_mgmt(fc) &&
 968                    is_multicast_ether_addr(hdr->addr1) &&
 969                    (key = rcu_dereference(rx->sdata->default_mgmt_key)))
 970                        rx->key = key;
 971                else {
 972                        if (rx->sta) {
 973                                for (i = 0; i < NUM_DEFAULT_KEYS; i++) {
 974                                        key = rcu_dereference(rx->sta->gtk[i]);
 975                                        if (key)
 976                                                break;
 977                                }
 978                        }
 979                        if (!key) {
 980                                for (i = 0; i < NUM_DEFAULT_KEYS; i++) {
 981                                        key = rcu_dereference(sdata->keys[i]);
 982                                        if (key)
 983                                                break;
 984                                }
 985                        }
 986                        if (key)
 987                                rx->key = key;
 988                }
 989                return RX_CONTINUE;
 990        } else {
 991                u8 keyid;
 992                /*
 993                 * The device doesn't give us the IV so we won't be
 994                 * able to look up the key. That's ok though, we
 995                 * don't need to decrypt the frame, we just won't
 996                 * be able to keep statistics accurate.
 997                 * Except for key threshold notifications, should
 998                 * we somehow allow the driver to tell us which key
 999                 * the hardware used if this flag is set?
1000                 */
1001                if ((status->flag & RX_FLAG_DECRYPTED) &&
1002                    (status->flag & RX_FLAG_IV_STRIPPED))
1003                        return RX_CONTINUE;
1004
1005                hdrlen = ieee80211_hdrlen(fc);
1006
1007                if (rx->skb->len < 8 + hdrlen)
1008                        return RX_DROP_UNUSABLE; /* TODO: count this? */
1009
1010                /*
1011                 * no need to call ieee80211_wep_get_keyidx,
1012                 * it verifies a bunch of things we've done already
1013                 */
1014                skb_copy_bits(rx->skb, hdrlen + 3, &keyid, 1);
1015                keyidx = keyid >> 6;
1016
1017                /* check per-station GTK first, if multicast packet */
1018                if (is_multicast_ether_addr(hdr->addr1) && rx->sta)
1019                        rx->key = rcu_dereference(rx->sta->gtk[keyidx]);
1020
1021                /* if not found, try default key */
1022                if (!rx->key) {
1023                        rx->key = rcu_dereference(rx->sdata->keys[keyidx]);
1024
1025                        /*
1026                         * RSNA-protected unicast frames should always be
1027                         * sent with pairwise or station-to-station keys,
1028                         * but for WEP we allow using a key index as well.
1029                         */
1030                        if (rx->key &&
1031                            rx->key->conf.cipher != WLAN_CIPHER_SUITE_WEP40 &&
1032                            rx->key->conf.cipher != WLAN_CIPHER_SUITE_WEP104 &&
1033                            !is_multicast_ether_addr(hdr->addr1))
1034                                rx->key = NULL;
1035                }
1036        }
1037
1038        if (rx->key) {
1039                if (unlikely(rx->key->flags & KEY_FLAG_TAINTED))
1040                        return RX_DROP_MONITOR;
1041
1042                rx->key->tx_rx_count++;
1043                /* TODO: add threshold stuff again */
1044        } else {
1045                return RX_DROP_MONITOR;
1046        }
1047
1048        switch (rx->key->conf.cipher) {
1049        case WLAN_CIPHER_SUITE_WEP40:
1050        case WLAN_CIPHER_SUITE_WEP104:
1051                result = ieee80211_crypto_wep_decrypt(rx);
1052                break;
1053        case WLAN_CIPHER_SUITE_TKIP:
1054                result = ieee80211_crypto_tkip_decrypt(rx);
1055                break;
1056        case WLAN_CIPHER_SUITE_CCMP:
1057                result = ieee80211_crypto_ccmp_decrypt(rx);
1058                break;
1059        case WLAN_CIPHER_SUITE_AES_CMAC:
1060                result = ieee80211_crypto_aes_cmac_decrypt(rx);
1061                break;
1062        default:
1063                /*
1064                 * We can reach here only with HW-only algorithms
1065                 * but why didn't it decrypt the frame?!
1066                 */
1067                return RX_DROP_UNUSABLE;
1068        }
1069
1070        /* the hdr variable is invalid after the decrypt handlers */
1071
1072        /* either the frame has been decrypted or will be dropped */
1073        status->flag |= RX_FLAG_DECRYPTED;
1074
1075        return result;
1076}
1077
1078static ieee80211_rx_result debug_noinline
1079ieee80211_rx_h_check_more_data(struct ieee80211_rx_data *rx)
1080{
1081        struct ieee80211_local *local;
1082        struct ieee80211_hdr *hdr;
1083        struct sk_buff *skb;
1084
1085        local = rx->local;
1086        skb = rx->skb;
1087        hdr = (struct ieee80211_hdr *) skb->data;
1088
1089        if (!local->pspolling)
1090                return RX_CONTINUE;
1091
1092        if (!ieee80211_has_fromds(hdr->frame_control))
1093                /* this is not from AP */
1094                return RX_CONTINUE;
1095
1096        if (!ieee80211_is_data(hdr->frame_control))
1097                return RX_CONTINUE;
1098
1099        if (!ieee80211_has_moredata(hdr->frame_control)) {
1100                /* AP has no more frames buffered for us */
1101                local->pspolling = false;
1102                return RX_CONTINUE;
1103        }
1104
1105        /* more data bit is set, let's request a new frame from the AP */
1106        ieee80211_send_pspoll(local, rx->sdata);
1107
1108        return RX_CONTINUE;
1109}
1110
1111static void ap_sta_ps_start(struct sta_info *sta)
1112{
1113        struct ieee80211_sub_if_data *sdata = sta->sdata;
1114        struct ieee80211_local *local = sdata->local;
1115
1116        atomic_inc(&sdata->bss->num_sta_ps);
1117        set_sta_flag(sta, WLAN_STA_PS_STA);
1118        if (!(local->hw.flags & IEEE80211_HW_AP_LINK_PS))
1119                drv_sta_notify(local, sdata, STA_NOTIFY_SLEEP, &sta->sta);
1120        ps_dbg(sdata, "STA %pM aid %d enters power save mode\n",
1121               sta->sta.addr, sta->sta.aid);
1122}
1123
1124static void ap_sta_ps_end(struct sta_info *sta)
1125{
1126        ps_dbg(sta->sdata, "STA %pM aid %d exits power save mode\n",
1127               sta->sta.addr, sta->sta.aid);
1128
1129        if (test_sta_flag(sta, WLAN_STA_PS_DRIVER)) {
1130                ps_dbg(sta->sdata, "STA %pM aid %d driver-ps-blocked\n",
1131                       sta->sta.addr, sta->sta.aid);
1132                return;
1133        }
1134
1135        ieee80211_sta_ps_deliver_wakeup(sta);
1136}
1137
1138int ieee80211_sta_ps_transition(struct ieee80211_sta *sta, bool start)
1139{
1140        struct sta_info *sta_inf = container_of(sta, struct sta_info, sta);
1141        bool in_ps;
1142
1143        WARN_ON(!(sta_inf->local->hw.flags & IEEE80211_HW_AP_LINK_PS));
1144
1145        /* Don't let the same PS state be set twice */
1146        in_ps = test_sta_flag(sta_inf, WLAN_STA_PS_STA);
1147        if ((start && in_ps) || (!start && !in_ps))
1148                return -EINVAL;
1149
1150        if (start)
1151                ap_sta_ps_start(sta_inf);
1152        else
1153                ap_sta_ps_end(sta_inf);
1154
1155        return 0;
1156}
1157EXPORT_SYMBOL(ieee80211_sta_ps_transition);
1158
1159static ieee80211_rx_result debug_noinline
1160ieee80211_rx_h_uapsd_and_pspoll(struct ieee80211_rx_data *rx)
1161{
1162        struct ieee80211_sub_if_data *sdata = rx->sdata;
1163        struct ieee80211_hdr *hdr = (void *)rx->skb->data;
1164        struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(rx->skb);
1165        int tid, ac;
1166
1167        if (!rx->sta || !(status->rx_flags & IEEE80211_RX_RA_MATCH))
1168                return RX_CONTINUE;
1169
1170        if (sdata->vif.type != NL80211_IFTYPE_AP &&
1171            sdata->vif.type != NL80211_IFTYPE_AP_VLAN)
1172                return RX_CONTINUE;
1173
1174        /*
1175         * The device handles station powersave, so don't do anything about
1176         * uAPSD and PS-Poll frames (the latter shouldn't even come up from
1177         * it to mac80211 since they're handled.)
1178         */
1179        if (sdata->local->hw.flags & IEEE80211_HW_AP_LINK_PS)
1180                return RX_CONTINUE;
1181
1182        /*
1183         * Don't do anything if the station isn't already asleep. In
1184         * the uAPSD case, the station will probably be marked asleep,
1185         * in the PS-Poll case the station must be confused ...
1186         */
1187        if (!test_sta_flag(rx->sta, WLAN_STA_PS_STA))
1188                return RX_CONTINUE;
1189
1190        if (unlikely(ieee80211_is_pspoll(hdr->frame_control))) {
1191                if (!test_sta_flag(rx->sta, WLAN_STA_SP)) {
1192                        if (!test_sta_flag(rx->sta, WLAN_STA_PS_DRIVER))
1193                                ieee80211_sta_ps_deliver_poll_response(rx->sta);
1194                        else
1195                                set_sta_flag(rx->sta, WLAN_STA_PSPOLL);
1196                }
1197
1198                /* Free PS Poll skb here instead of returning RX_DROP that would
1199                 * count as an dropped frame. */
1200                dev_kfree_skb(rx->skb);
1201
1202                return RX_QUEUED;
1203        } else if (!ieee80211_has_morefrags(hdr->frame_control) &&
1204                   !(status->rx_flags & IEEE80211_RX_DEFERRED_RELEASE) &&
1205                   ieee80211_has_pm(hdr->frame_control) &&
1206                   (ieee80211_is_data_qos(hdr->frame_control) ||
1207                    ieee80211_is_qos_nullfunc(hdr->frame_control))) {
1208                tid = *ieee80211_get_qos_ctl(hdr) & IEEE80211_QOS_CTL_TID_MASK;
1209                ac = ieee802_1d_to_ac[tid & 7];
1210
1211                /*
1212                 * If this AC is not trigger-enabled do nothing.
1213                 *
1214                 * NB: This could/should check a separate bitmap of trigger-
1215                 * enabled queues, but for now we only implement uAPSD w/o
1216                 * TSPEC changes to the ACs, so they're always the same.
1217                 */
1218                if (!(rx->sta->sta.uapsd_queues & BIT(ac)))
1219                        return RX_CONTINUE;
1220
1221                /* if we are in a service period, do nothing */
1222                if (test_sta_flag(rx->sta, WLAN_STA_SP))
1223                        return RX_CONTINUE;
1224
1225                if (!test_sta_flag(rx->sta, WLAN_STA_PS_DRIVER))
1226                        ieee80211_sta_ps_deliver_uapsd(rx->sta);
1227                else
1228                        set_sta_flag(rx->sta, WLAN_STA_UAPSD);
1229        }
1230
1231        return RX_CONTINUE;
1232}
1233
1234static ieee80211_rx_result debug_noinline
1235ieee80211_rx_h_sta_process(struct ieee80211_rx_data *rx)
1236{
1237        struct sta_info *sta = rx->sta;
1238        struct sk_buff *skb = rx->skb;
1239        struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(skb);
1240        struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)skb->data;
1241
1242        if (!sta)
1243                return RX_CONTINUE;
1244
1245        /*
1246         * Update last_rx only for IBSS packets which are for the current
1247         * BSSID to avoid keeping the current IBSS network alive in cases
1248         * where other STAs start using different BSSID.
1249         */
1250        if (rx->sdata->vif.type == NL80211_IFTYPE_ADHOC) {
1251                u8 *bssid = ieee80211_get_bssid(hdr, rx->skb->len,
1252                                                NL80211_IFTYPE_ADHOC);
1253                if (ether_addr_equal(bssid, rx->sdata->u.ibss.bssid)) {
1254                        sta->last_rx = jiffies;
1255                        if (ieee80211_is_data(hdr->frame_control)) {
1256                                sta->last_rx_rate_idx = status->rate_idx;
1257                                sta->last_rx_rate_flag = status->flag;
1258                        }
1259                }
1260        } else if (!is_multicast_ether_addr(hdr->addr1)) {
1261                /*
1262                 * Mesh beacons will update last_rx when if they are found to
1263                 * match the current local configuration when processed.
1264                 */
1265                sta->last_rx = jiffies;
1266                if (ieee80211_is_data(hdr->frame_control)) {
1267                        sta->last_rx_rate_idx = status->rate_idx;
1268                        sta->last_rx_rate_flag = status->flag;
1269                }
1270        }
1271
1272        if (!(status->rx_flags & IEEE80211_RX_RA_MATCH))
1273                return RX_CONTINUE;
1274
1275        if (rx->sdata->vif.type == NL80211_IFTYPE_STATION)
1276                ieee80211_sta_rx_notify(rx->sdata, hdr);
1277
1278        sta->rx_fragments++;
1279        sta->rx_bytes += rx->skb->len;
1280        if (!(status->flag & RX_FLAG_NO_SIGNAL_VAL)) {
1281                sta->last_signal = status->signal;
1282                ewma_add(&sta->avg_signal, -status->signal);
1283        }
1284
1285        /*
1286         * Change STA power saving mode only at the end of a frame
1287         * exchange sequence.
1288         */
1289        if (!(sta->local->hw.flags & IEEE80211_HW_AP_LINK_PS) &&
1290            !ieee80211_has_morefrags(hdr->frame_control) &&
1291            !(status->rx_flags & IEEE80211_RX_DEFERRED_RELEASE) &&
1292            (rx->sdata->vif.type == NL80211_IFTYPE_AP ||
1293             rx->sdata->vif.type == NL80211_IFTYPE_AP_VLAN)) {
1294                if (test_sta_flag(sta, WLAN_STA_PS_STA)) {
1295                        /*
1296                         * Ignore doze->wake transitions that are
1297                         * indicated by non-data frames, the standard
1298                         * is unclear here, but for example going to
1299                         * PS mode and then scanning would cause a
1300                         * doze->wake transition for the probe request,
1301                         * and that is clearly undesirable.
1302                         */
1303                        if (ieee80211_is_data(hdr->frame_control) &&
1304                            !ieee80211_has_pm(hdr->frame_control))
1305                                ap_sta_ps_end(sta);
1306                } else {
1307                        if (ieee80211_has_pm(hdr->frame_control))
1308                                ap_sta_ps_start(sta);
1309                }
1310        }
1311
1312        /*
1313         * Drop (qos-)data::nullfunc frames silently, since they
1314         * are used only to control station power saving mode.
1315         */
1316        if (ieee80211_is_nullfunc(hdr->frame_control) ||
1317            ieee80211_is_qos_nullfunc(hdr->frame_control)) {
1318                I802_DEBUG_INC(rx->local->rx_handlers_drop_nullfunc);
1319
1320                /*
1321                 * If we receive a 4-addr nullfunc frame from a STA
1322                 * that was not moved to a 4-addr STA vlan yet send
1323                 * the event to userspace and for older hostapd drop
1324                 * the frame to the monitor interface.
1325                 */
1326                if (ieee80211_has_a4(hdr->frame_control) &&
1327                    (rx->sdata->vif.type == NL80211_IFTYPE_AP ||
1328                     (rx->sdata->vif.type == NL80211_IFTYPE_AP_VLAN &&
1329                      !rx->sdata->u.vlan.sta))) {
1330                        if (!test_and_set_sta_flag(sta, WLAN_STA_4ADDR_EVENT))
1331                                cfg80211_rx_unexpected_4addr_frame(
1332                                        rx->sdata->dev, sta->sta.addr,
1333                                        GFP_ATOMIC);
1334                        return RX_DROP_MONITOR;
1335                }
1336                /*
1337                 * Update counter and free packet here to avoid
1338                 * counting this as a dropped packed.
1339                 */
1340                sta->rx_packets++;
1341                dev_kfree_skb(rx->skb);
1342                return RX_QUEUED;
1343        }
1344
1345        return RX_CONTINUE;
1346} /* ieee80211_rx_h_sta_process */
1347
1348static inline struct ieee80211_fragment_entry *
1349ieee80211_reassemble_add(struct ieee80211_sub_if_data *sdata,
1350                         unsigned int frag, unsigned int seq, int rx_queue,
1351                         struct sk_buff **skb)
1352{
1353        struct ieee80211_fragment_entry *entry;
1354        int idx;
1355
1356        idx = sdata->fragment_next;
1357        entry = &sdata->fragments[sdata->fragment_next++];
1358        if (sdata->fragment_next >= IEEE80211_FRAGMENT_MAX)
1359                sdata->fragment_next = 0;
1360
1361        if (!skb_queue_empty(&entry->skb_list))
1362                __skb_queue_purge(&entry->skb_list);
1363
1364        __skb_queue_tail(&entry->skb_list, *skb); /* no need for locking */
1365        *skb = NULL;
1366        entry->first_frag_time = jiffies;
1367        entry->seq = seq;
1368        entry->rx_queue = rx_queue;
1369        entry->last_frag = frag;
1370        entry->ccmp = 0;
1371        entry->extra_len = 0;
1372
1373        return entry;
1374}
1375
1376static inline struct ieee80211_fragment_entry *
1377ieee80211_reassemble_find(struct ieee80211_sub_if_data *sdata,
1378                          unsigned int frag, unsigned int seq,
1379                          int rx_queue, struct ieee80211_hdr *hdr)
1380{
1381        struct ieee80211_fragment_entry *entry;
1382        int i, idx;
1383
1384        idx = sdata->fragment_next;
1385        for (i = 0; i < IEEE80211_FRAGMENT_MAX; i++) {
1386                struct ieee80211_hdr *f_hdr;
1387
1388                idx--;
1389                if (idx < 0)
1390                        idx = IEEE80211_FRAGMENT_MAX - 1;
1391
1392                entry = &sdata->fragments[idx];
1393                if (skb_queue_empty(&entry->skb_list) || entry->seq != seq ||
1394                    entry->rx_queue != rx_queue ||
1395                    entry->last_frag + 1 != frag)
1396                        continue;
1397
1398                f_hdr = (struct ieee80211_hdr *)entry->skb_list.next->data;
1399
1400                /*
1401                 * Check ftype and addresses are equal, else check next fragment
1402                 */
1403                if (((hdr->frame_control ^ f_hdr->frame_control) &
1404                     cpu_to_le16(IEEE80211_FCTL_FTYPE)) ||
1405                    !ether_addr_equal(hdr->addr1, f_hdr->addr1) ||
1406                    !ether_addr_equal(hdr->addr2, f_hdr->addr2))
1407                        continue;
1408
1409                if (time_after(jiffies, entry->first_frag_time + 2 * HZ)) {
1410                        __skb_queue_purge(&entry->skb_list);
1411                        continue;
1412                }
1413                return entry;
1414        }
1415
1416        return NULL;
1417}
1418
1419static ieee80211_rx_result debug_noinline
1420ieee80211_rx_h_defragment(struct ieee80211_rx_data *rx)
1421{
1422        struct ieee80211_hdr *hdr;
1423        u16 sc;
1424        __le16 fc;
1425        unsigned int frag, seq;
1426        struct ieee80211_fragment_entry *entry;
1427        struct sk_buff *skb;
1428        struct ieee80211_rx_status *status;
1429
1430        hdr = (struct ieee80211_hdr *)rx->skb->data;
1431        fc = hdr->frame_control;
1432
1433        if (ieee80211_is_ctl(fc))
1434                return RX_CONTINUE;
1435
1436        sc = le16_to_cpu(hdr->seq_ctrl);
1437        frag = sc & IEEE80211_SCTL_FRAG;
1438
1439        if (likely((!ieee80211_has_morefrags(fc) && frag == 0) ||
1440                   is_multicast_ether_addr(hdr->addr1))) {
1441                /* not fragmented */
1442                goto out;
1443        }
1444        I802_DEBUG_INC(rx->local->rx_handlers_fragments);
1445
1446        if (skb_linearize(rx->skb))
1447                return RX_DROP_UNUSABLE;
1448
1449        /*
1450         *  skb_linearize() might change the skb->data and
1451         *  previously cached variables (in this case, hdr) need to
1452         *  be refreshed with the new data.
1453         */
1454        hdr = (struct ieee80211_hdr *)rx->skb->data;
1455        seq = (sc & IEEE80211_SCTL_SEQ) >> 4;
1456
1457        if (frag == 0) {
1458                /* This is the first fragment of a new frame. */
1459                entry = ieee80211_reassemble_add(rx->sdata, frag, seq,
1460                                                 rx->seqno_idx, &(rx->skb));
1461                if (rx->key && rx->key->conf.cipher == WLAN_CIPHER_SUITE_CCMP &&
1462                    ieee80211_has_protected(fc)) {
1463                        int queue = rx->security_idx;
1464                        /* Store CCMP PN so that we can verify that the next
1465                         * fragment has a sequential PN value. */
1466                        entry->ccmp = 1;
1467                        memcpy(entry->last_pn,
1468                               rx->key->u.ccmp.rx_pn[queue],
1469                               CCMP_PN_LEN);
1470                }
1471                return RX_QUEUED;
1472        }
1473
1474        /* This is a fragment for a frame that should already be pending in
1475         * fragment cache. Add this fragment to the end of the pending entry.
1476         */
1477        entry = ieee80211_reassemble_find(rx->sdata, frag, seq,
1478                                          rx->seqno_idx, hdr);
1479        if (!entry) {
1480                I802_DEBUG_INC(rx->local->rx_handlers_drop_defrag);
1481                return RX_DROP_MONITOR;
1482        }
1483
1484        /* Verify that MPDUs within one MSDU have sequential PN values.
1485         * (IEEE 802.11i, 8.3.3.4.5) */
1486        if (entry->ccmp) {
1487                int i;
1488                u8 pn[CCMP_PN_LEN], *rpn;
1489                int queue;
1490                if (!rx->key || rx->key->conf.cipher != WLAN_CIPHER_SUITE_CCMP)
1491                        return RX_DROP_UNUSABLE;
1492                memcpy(pn, entry->last_pn, CCMP_PN_LEN);
1493                for (i = CCMP_PN_LEN - 1; i >= 0; i--) {
1494                        pn[i]++;
1495                        if (pn[i])
1496                                break;
1497                }
1498                queue = rx->security_idx;
1499                rpn = rx->key->u.ccmp.rx_pn[queue];
1500                if (memcmp(pn, rpn, CCMP_PN_LEN))
1501                        return RX_DROP_UNUSABLE;
1502                memcpy(entry->last_pn, pn, CCMP_PN_LEN);
1503        }
1504
1505        skb_pull(rx->skb, ieee80211_hdrlen(fc));
1506        __skb_queue_tail(&entry->skb_list, rx->skb);
1507        entry->last_frag = frag;
1508        entry->extra_len += rx->skb->len;
1509        if (ieee80211_has_morefrags(fc)) {
1510                rx->skb = NULL;
1511                return RX_QUEUED;
1512        }
1513
1514        rx->skb = __skb_dequeue(&entry->skb_list);
1515        if (skb_tailroom(rx->skb) < entry->extra_len) {
1516                I802_DEBUG_INC(rx->local->rx_expand_skb_head2);
1517                if (unlikely(pskb_expand_head(rx->skb, 0, entry->extra_len,
1518                                              GFP_ATOMIC))) {
1519                        I802_DEBUG_INC(rx->local->rx_handlers_drop_defrag);
1520                        __skb_queue_purge(&entry->skb_list);
1521                        return RX_DROP_UNUSABLE;
1522                }
1523        }
1524        while ((skb = __skb_dequeue(&entry->skb_list))) {
1525                memcpy(skb_put(rx->skb, skb->len), skb->data, skb->len);
1526                dev_kfree_skb(skb);
1527        }
1528
1529        /* Complete frame has been reassembled - process it now */
1530        status = IEEE80211_SKB_RXCB(rx->skb);
1531        status->rx_flags |= IEEE80211_RX_FRAGMENTED;
1532
1533 out:
1534        if (rx->sta)
1535                rx->sta->rx_packets++;
1536        if (is_multicast_ether_addr(hdr->addr1))
1537                rx->local->dot11MulticastReceivedFrameCount++;
1538        else
1539                ieee80211_led_rx(rx->local);
1540        return RX_CONTINUE;
1541}
1542
1543static int
1544ieee80211_802_1x_port_control(struct ieee80211_rx_data *rx)
1545{
1546        if (unlikely(!rx->sta ||
1547            !test_sta_flag(rx->sta, WLAN_STA_AUTHORIZED)))
1548                return -EACCES;
1549
1550        return 0;
1551}
1552
1553static int
1554ieee80211_drop_unencrypted(struct ieee80211_rx_data *rx, __le16 fc)
1555{
1556        struct sk_buff *skb = rx->skb;
1557        struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(skb);
1558
1559        /*
1560         * Pass through unencrypted frames if the hardware has
1561         * decrypted them already.
1562         */
1563        if (status->flag & RX_FLAG_DECRYPTED)
1564                return 0;
1565
1566        /* Drop unencrypted frames if key is set. */
1567        if (unlikely(!ieee80211_has_protected(fc) &&
1568                     !ieee80211_is_nullfunc(fc) &&
1569                     ieee80211_is_data(fc) &&
1570                     (rx->key || rx->sdata->drop_unencrypted)))
1571                return -EACCES;
1572
1573        return 0;
1574}
1575
1576static int
1577ieee80211_drop_unencrypted_mgmt(struct ieee80211_rx_data *rx)
1578{
1579        struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)rx->skb->data;
1580        struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(rx->skb);
1581        __le16 fc = hdr->frame_control;
1582
1583        /*
1584         * Pass through unencrypted frames if the hardware has
1585         * decrypted them already.
1586         */
1587        if (status->flag & RX_FLAG_DECRYPTED)
1588                return 0;
1589
1590        if (rx->sta && test_sta_flag(rx->sta, WLAN_STA_MFP)) {
1591                if (unlikely(!ieee80211_has_protected(fc) &&
1592                             ieee80211_is_unicast_robust_mgmt_frame(rx->skb) &&
1593                             rx->key)) {
1594                        if (ieee80211_is_deauth(fc))
1595                                cfg80211_send_unprot_deauth(rx->sdata->dev,
1596                                                            rx->skb->data,
1597                                                            rx->skb->len);
1598                        else if (ieee80211_is_disassoc(fc))
1599                                cfg80211_send_unprot_disassoc(rx->sdata->dev,
1600                                                              rx->skb->data,
1601                                                              rx->skb->len);
1602                        return -EACCES;
1603                }
1604                /* BIP does not use Protected field, so need to check MMIE */
1605                if (unlikely(ieee80211_is_multicast_robust_mgmt_frame(rx->skb) &&
1606                             ieee80211_get_mmie_keyidx(rx->skb) < 0)) {
1607                        if (ieee80211_is_deauth(fc))
1608                                cfg80211_send_unprot_deauth(rx->sdata->dev,
1609                                                            rx->skb->data,
1610                                                            rx->skb->len);
1611                        else if (ieee80211_is_disassoc(fc))
1612                                cfg80211_send_unprot_disassoc(rx->sdata->dev,
1613                                                              rx->skb->data,
1614                                                              rx->skb->len);
1615                        return -EACCES;
1616                }
1617                /*
1618                 * When using MFP, Action frames are not allowed prior to
1619                 * having configured keys.
1620                 */
1621                if (unlikely(ieee80211_is_action(fc) && !rx->key &&
1622                             ieee80211_is_robust_mgmt_frame(
1623                                     (struct ieee80211_hdr *) rx->skb->data)))
1624                        return -EACCES;
1625        }
1626
1627        return 0;
1628}
1629
1630static int
1631__ieee80211_data_to_8023(struct ieee80211_rx_data *rx, bool *port_control)
1632{
1633        struct ieee80211_sub_if_data *sdata = rx->sdata;
1634        struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)rx->skb->data;
1635        bool check_port_control = false;
1636        struct ethhdr *ehdr;
1637        int ret;
1638
1639        *port_control = false;
1640        if (ieee80211_has_a4(hdr->frame_control) &&
1641            sdata->vif.type == NL80211_IFTYPE_AP_VLAN && !sdata->u.vlan.sta)
1642                return -1;
1643
1644        if (sdata->vif.type == NL80211_IFTYPE_STATION &&
1645            !!sdata->u.mgd.use_4addr != !!ieee80211_has_a4(hdr->frame_control)) {
1646
1647                if (!sdata->u.mgd.use_4addr)
1648                        return -1;
1649                else
1650                        check_port_control = true;
1651        }
1652
1653        if (is_multicast_ether_addr(hdr->addr1) &&
1654            sdata->vif.type == NL80211_IFTYPE_AP_VLAN && sdata->u.vlan.sta)
1655                return -1;
1656
1657        ret = ieee80211_data_to_8023(rx->skb, sdata->vif.addr, sdata->vif.type);
1658        if (ret < 0)
1659                return ret;
1660
1661        ehdr = (struct ethhdr *) rx->skb->data;
1662        if (ehdr->h_proto == rx->sdata->control_port_protocol)
1663                *port_control = true;
1664        else if (check_port_control)
1665                return -1;
1666
1667        return 0;
1668}
1669
1670/*
1671 * requires that rx->skb is a frame with ethernet header
1672 */
1673static bool ieee80211_frame_allowed(struct ieee80211_rx_data *rx, __le16 fc)
1674{
1675        static const u8 pae_group_addr[ETH_ALEN] __aligned(2)
1676                = { 0x01, 0x80, 0xC2, 0x00, 0x00, 0x03 };
1677        struct ethhdr *ehdr = (struct ethhdr *) rx->skb->data;
1678
1679        /*
1680         * Allow EAPOL frames to us/the PAE group address regardless
1681         * of whether the frame was encrypted or not.
1682         */
1683        if (ehdr->h_proto == rx->sdata->control_port_protocol &&
1684            (ether_addr_equal(ehdr->h_dest, rx->sdata->vif.addr) ||
1685             ether_addr_equal(ehdr->h_dest, pae_group_addr)))
1686                return true;
1687
1688        if (ieee80211_802_1x_port_control(rx) ||
1689            ieee80211_drop_unencrypted(rx, fc))
1690                return false;
1691
1692        return true;
1693}
1694
1695/*
1696 * requires that rx->skb is a frame with ethernet header
1697 */
1698static void
1699ieee80211_deliver_skb(struct ieee80211_rx_data *rx)
1700{
1701        struct ieee80211_sub_if_data *sdata = rx->sdata;
1702        struct net_device *dev = sdata->dev;
1703        struct sk_buff *skb, *xmit_skb;
1704        struct ethhdr *ehdr = (struct ethhdr *) rx->skb->data;
1705        struct sta_info *dsta;
1706        struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(rx->skb);
1707
1708        skb = rx->skb;
1709        xmit_skb = NULL;
1710
1711        if ((sdata->vif.type == NL80211_IFTYPE_AP ||
1712             sdata->vif.type == NL80211_IFTYPE_AP_VLAN) &&
1713            !(sdata->flags & IEEE80211_SDATA_DONT_BRIDGE_PACKETS) &&
1714            (status->rx_flags & IEEE80211_RX_RA_MATCH) &&
1715            (sdata->vif.type != NL80211_IFTYPE_AP_VLAN || !sdata->u.vlan.sta)) {
1716                if (is_multicast_ether_addr(ehdr->h_dest)) {
1717                        /*
1718                         * send multicast frames both to higher layers in
1719                         * local net stack and back to the wireless medium
1720                         */
1721                        xmit_skb = skb_copy(skb, GFP_ATOMIC);
1722                        if (!xmit_skb)
1723                                net_info_ratelimited("%s: failed to clone multicast frame\n",
1724                                                    dev->name);
1725                } else {
1726                        dsta = sta_info_get(sdata, skb->data);
1727                        if (dsta) {
1728                                /*
1729                                 * The destination station is associated to
1730                                 * this AP (in this VLAN), so send the frame
1731                                 * directly to it and do not pass it to local
1732                                 * net stack.
1733                                 */
1734                                xmit_skb = skb;
1735                                skb = NULL;
1736                        }
1737                }
1738        }
1739
1740        if (skb) {
1741                int align __maybe_unused;
1742
1743#ifndef CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS
1744                /*
1745                 * 'align' will only take the values 0 or 2 here
1746                 * since all frames are required to be aligned
1747                 * to 2-byte boundaries when being passed to
1748                 * mac80211. That also explains the __skb_push()
1749                 * below.
1750                 */
1751                align = ((unsigned long)(skb->data + sizeof(struct ethhdr))) & 3;
1752                if (align) {
1753                        if (WARN_ON(skb_headroom(skb) < 3)) {
1754                                dev_kfree_skb(skb);
1755                                skb = NULL;
1756                        } else {
1757                                u8 *data = skb->data;
1758                                size_t len = skb_headlen(skb);
1759                                skb->data -= align;
1760                                memmove(skb->data, data, len);
1761                                skb_set_tail_pointer(skb, len);
1762                        }
1763                }
1764#endif
1765
1766                if (skb) {
1767                        /* deliver to local stack */
1768                        skb->protocol = eth_type_trans(skb, dev);
1769                        memset(skb->cb, 0, sizeof(skb->cb));
1770                        netif_receive_skb(skb);
1771                }
1772        }
1773
1774        if (xmit_skb) {
1775                /*
1776                 * Send to wireless media and increase priority by 256 to
1777                 * keep the received priority instead of reclassifying
1778                 * the frame (see cfg80211_classify8021d).
1779                 */
1780                xmit_skb->priority += 256;
1781                xmit_skb->protocol = htons(ETH_P_802_3);
1782                skb_reset_network_header(xmit_skb);
1783                skb_reset_mac_header(xmit_skb);
1784                dev_queue_xmit(xmit_skb);
1785        }
1786}
1787
1788static ieee80211_rx_result debug_noinline
1789ieee80211_rx_h_amsdu(struct ieee80211_rx_data *rx)
1790{
1791        struct net_device *dev = rx->sdata->dev;
1792        struct sk_buff *skb = rx->skb;
1793        struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)skb->data;
1794        __le16 fc = hdr->frame_control;
1795        struct sk_buff_head frame_list;
1796        struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(rx->skb);
1797
1798        if (unlikely(!ieee80211_is_data(fc)))
1799                return RX_CONTINUE;
1800
1801        if (unlikely(!ieee80211_is_data_present(fc)))
1802                return RX_DROP_MONITOR;
1803
1804        if (!(status->rx_flags & IEEE80211_RX_AMSDU))
1805                return RX_CONTINUE;
1806
1807        if (ieee80211_has_a4(hdr->frame_control) &&
1808            rx->sdata->vif.type == NL80211_IFTYPE_AP_VLAN &&
1809            !rx->sdata->u.vlan.sta)
1810                return RX_DROP_UNUSABLE;
1811
1812        if (is_multicast_ether_addr(hdr->addr1) &&
1813            ((rx->sdata->vif.type == NL80211_IFTYPE_AP_VLAN &&
1814              rx->sdata->u.vlan.sta) ||
1815             (rx->sdata->vif.type == NL80211_IFTYPE_STATION &&
1816              rx->sdata->u.mgd.use_4addr)))
1817                return RX_DROP_UNUSABLE;
1818
1819        skb->dev = dev;
1820        __skb_queue_head_init(&frame_list);
1821
1822        if (skb_linearize(skb))
1823                return RX_DROP_UNUSABLE;
1824
1825        ieee80211_amsdu_to_8023s(skb, &frame_list, dev->dev_addr,
1826                                 rx->sdata->vif.type,
1827                                 rx->local->hw.extra_tx_headroom, true);
1828
1829        while (!skb_queue_empty(&frame_list)) {
1830                rx->skb = __skb_dequeue(&frame_list);
1831
1832                if (!ieee80211_frame_allowed(rx, fc)) {
1833                        dev_kfree_skb(rx->skb);
1834                        continue;
1835                }
1836                dev->stats.rx_packets++;
1837                dev->stats.rx_bytes += rx->skb->len;
1838
1839                ieee80211_deliver_skb(rx);
1840        }
1841
1842        return RX_QUEUED;
1843}
1844
1845#ifdef CONFIG_MAC80211_MESH
1846static ieee80211_rx_result
1847ieee80211_rx_h_mesh_fwding(struct ieee80211_rx_data *rx)
1848{
1849        struct ieee80211_hdr *fwd_hdr, *hdr;
1850        struct ieee80211_tx_info *info;
1851        struct ieee80211s_hdr *mesh_hdr;
1852        struct sk_buff *skb = rx->skb, *fwd_skb;
1853        struct ieee80211_local *local = rx->local;
1854        struct ieee80211_sub_if_data *sdata = rx->sdata;
1855        struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(skb);
1856        struct ieee80211_if_mesh *ifmsh = &sdata->u.mesh;
1857        __le16 reason = cpu_to_le16(WLAN_REASON_MESH_PATH_NOFORWARD);
1858        u16 q, hdrlen;
1859
1860        hdr = (struct ieee80211_hdr *) skb->data;
1861        hdrlen = ieee80211_hdrlen(hdr->frame_control);
1862
1863        /* make sure fixed part of mesh header is there, also checks skb len */
1864        if (!pskb_may_pull(rx->skb, hdrlen + 6))
1865                return RX_DROP_MONITOR;
1866
1867        mesh_hdr = (struct ieee80211s_hdr *) (skb->data + hdrlen);
1868
1869        /* make sure full mesh header is there, also checks skb len */
1870        if (!pskb_may_pull(rx->skb,
1871                           hdrlen + ieee80211_get_mesh_hdrlen(mesh_hdr)))
1872                return RX_DROP_MONITOR;
1873
1874        /* reload pointers */
1875        hdr = (struct ieee80211_hdr *) skb->data;
1876        mesh_hdr = (struct ieee80211s_hdr *) (skb->data + hdrlen);
1877
1878        /* frame is in RMC, don't forward */
1879        if (ieee80211_is_data(hdr->frame_control) &&
1880            is_multicast_ether_addr(hdr->addr1) &&
1881            mesh_rmc_check(hdr->addr3, mesh_hdr, rx->sdata))
1882                return RX_DROP_MONITOR;
1883
1884        if (!ieee80211_is_data(hdr->frame_control) ||
1885            !(status->rx_flags & IEEE80211_RX_RA_MATCH))
1886                return RX_CONTINUE;
1887
1888        if (!mesh_hdr->ttl)
1889                return RX_DROP_MONITOR;
1890
1891        if (mesh_hdr->flags & MESH_FLAGS_AE) {
1892                struct mesh_path *mppath;
1893                char *proxied_addr;
1894                char *mpp_addr;
1895
1896                if (is_multicast_ether_addr(hdr->addr1)) {
1897                        mpp_addr = hdr->addr3;
1898                        proxied_addr = mesh_hdr->eaddr1;
1899                } else if (mesh_hdr->flags & MESH_FLAGS_AE_A5_A6) {
1900                        /* has_a4 already checked in ieee80211_rx_mesh_check */
1901                        mpp_addr = hdr->addr4;
1902                        proxied_addr = mesh_hdr->eaddr2;
1903                } else {
1904                        return RX_DROP_MONITOR;
1905                }
1906
1907                rcu_read_lock();
1908                mppath = mpp_path_lookup(proxied_addr, sdata);
1909                if (!mppath) {
1910                        mpp_path_add(proxied_addr, mpp_addr, sdata);
1911                } else {
1912                        spin_lock_bh(&mppath->state_lock);
1913                        if (!ether_addr_equal(mppath->mpp, mpp_addr))
1914                                memcpy(mppath->mpp, mpp_addr, ETH_ALEN);
1915                        spin_unlock_bh(&mppath->state_lock);
1916                }
1917                rcu_read_unlock();
1918        }
1919
1920        /* Frame has reached destination.  Don't forward */
1921        if (!is_multicast_ether_addr(hdr->addr1) &&
1922            ether_addr_equal(sdata->vif.addr, hdr->addr3))
1923                return RX_CONTINUE;
1924
1925        q = ieee80211_select_queue_80211(sdata, skb, hdr);
1926        if (ieee80211_queue_stopped(&local->hw, q)) {
1927                IEEE80211_IFSTA_MESH_CTR_INC(ifmsh, dropped_frames_congestion);
1928                return RX_DROP_MONITOR;
1929        }
1930        skb_set_queue_mapping(skb, q);
1931
1932        if (!--mesh_hdr->ttl) {
1933                IEEE80211_IFSTA_MESH_CTR_INC(ifmsh, dropped_frames_ttl);
1934                return RX_DROP_MONITOR;
1935        }
1936
1937        if (!ifmsh->mshcfg.dot11MeshForwarding)
1938                goto out;
1939
1940        fwd_skb = skb_copy(skb, GFP_ATOMIC);
1941        if (!fwd_skb) {
1942                net_info_ratelimited("%s: failed to clone mesh frame\n",
1943                                    sdata->name);
1944                goto out;
1945        }
1946
1947        fwd_hdr =  (struct ieee80211_hdr *) fwd_skb->data;
1948        info = IEEE80211_SKB_CB(fwd_skb);
1949        memset(info, 0, sizeof(*info));
1950        info->flags |= IEEE80211_TX_INTFL_NEED_TXPROCESSING;
1951        info->control.vif = &rx->sdata->vif;
1952        info->control.jiffies = jiffies;
1953        if (is_multicast_ether_addr(fwd_hdr->addr1)) {
1954                IEEE80211_IFSTA_MESH_CTR_INC(ifmsh, fwded_mcast);
1955                memcpy(fwd_hdr->addr2, sdata->vif.addr, ETH_ALEN);
1956        } else if (!mesh_nexthop_lookup(fwd_skb, sdata)) {
1957                IEEE80211_IFSTA_MESH_CTR_INC(ifmsh, fwded_unicast);
1958        } else {
1959                /* unable to resolve next hop */
1960                mesh_path_error_tx(ifmsh->mshcfg.element_ttl, fwd_hdr->addr3,
1961                                    0, reason, fwd_hdr->addr2, sdata);
1962                IEEE80211_IFSTA_MESH_CTR_INC(ifmsh, dropped_frames_no_route);
1963                kfree_skb(fwd_skb);
1964                return RX_DROP_MONITOR;
1965        }
1966
1967        IEEE80211_IFSTA_MESH_CTR_INC(ifmsh, fwded_frames);
1968        ieee80211_add_pending_skb(local, fwd_skb);
1969 out:
1970        if (is_multicast_ether_addr(hdr->addr1) ||
1971            sdata->dev->flags & IFF_PROMISC)
1972                return RX_CONTINUE;
1973        else
1974                return RX_DROP_MONITOR;
1975}
1976#endif
1977
1978static ieee80211_rx_result debug_noinline
1979ieee80211_rx_h_data(struct ieee80211_rx_data *rx)
1980{
1981        struct ieee80211_sub_if_data *sdata = rx->sdata;
1982        struct ieee80211_local *local = rx->local;
1983        struct net_device *dev = sdata->dev;
1984        struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)rx->skb->data;
1985        __le16 fc = hdr->frame_control;
1986        bool port_control;
1987        int err;
1988
1989        if (unlikely(!ieee80211_is_data(hdr->frame_control)))
1990                return RX_CONTINUE;
1991
1992        if (unlikely(!ieee80211_is_data_present(hdr->frame_control)))
1993                return RX_DROP_MONITOR;
1994
1995        /*
1996         * Send unexpected-4addr-frame event to hostapd. For older versions,
1997         * also drop the frame to cooked monitor interfaces.
1998         */
1999        if (ieee80211_has_a4(hdr->frame_control) &&
2000            sdata->vif.type == NL80211_IFTYPE_AP) {
2001                if (rx->sta &&
2002                    !test_and_set_sta_flag(rx->sta, WLAN_STA_4ADDR_EVENT))
2003                        cfg80211_rx_unexpected_4addr_frame(
2004                                rx->sdata->dev, rx->sta->sta.addr, GFP_ATOMIC);
2005                return RX_DROP_MONITOR;
2006        }
2007
2008        err = __ieee80211_data_to_8023(rx, &port_control);
2009        if (unlikely(err))
2010                return RX_DROP_UNUSABLE;
2011
2012        if (!ieee80211_frame_allowed(rx, fc))
2013                return RX_DROP_MONITOR;
2014
2015        if (rx->sdata->vif.type == NL80211_IFTYPE_AP_VLAN &&
2016            unlikely(port_control) && sdata->bss) {
2017                sdata = container_of(sdata->bss, struct ieee80211_sub_if_data,
2018                                     u.ap);
2019                dev = sdata->dev;
2020                rx->sdata = sdata;
2021        }
2022
2023        rx->skb->dev = dev;
2024
2025        dev->stats.rx_packets++;
2026        dev->stats.rx_bytes += rx->skb->len;
2027
2028        if (local->ps_sdata && local->hw.conf.dynamic_ps_timeout > 0 &&
2029            !is_multicast_ether_addr(
2030                    ((struct ethhdr *)rx->skb->data)->h_dest) &&
2031            (!local->scanning &&
2032             !test_bit(SDATA_STATE_OFFCHANNEL, &sdata->state))) {
2033                        mod_timer(&local->dynamic_ps_timer, jiffies +
2034                         msecs_to_jiffies(local->hw.conf.dynamic_ps_timeout));
2035        }
2036
2037        ieee80211_deliver_skb(rx);
2038
2039        return RX_QUEUED;
2040}
2041
2042static ieee80211_rx_result debug_noinline
2043ieee80211_rx_h_ctrl(struct ieee80211_rx_data *rx)
2044{
2045        struct sk_buff *skb = rx->skb;
2046        struct ieee80211_bar *bar = (struct ieee80211_bar *)skb->data;
2047        struct tid_ampdu_rx *tid_agg_rx;
2048        u16 start_seq_num;
2049        u16 tid;
2050
2051        if (likely(!ieee80211_is_ctl(bar->frame_control)))
2052                return RX_CONTINUE;
2053
2054        if (ieee80211_is_back_req(bar->frame_control)) {
2055                struct {
2056                        __le16 control, start_seq_num;
2057                } __packed bar_data;
2058
2059                if (!rx->sta)
2060                        return RX_DROP_MONITOR;
2061
2062                if (skb_copy_bits(skb, offsetof(struct ieee80211_bar, control),
2063                                  &bar_data, sizeof(bar_data)))
2064                        return RX_DROP_MONITOR;
2065
2066                tid = le16_to_cpu(bar_data.control) >> 12;
2067
2068                tid_agg_rx = rcu_dereference(rx->sta->ampdu_mlme.tid_rx[tid]);
2069                if (!tid_agg_rx)
2070                        return RX_DROP_MONITOR;
2071
2072                start_seq_num = le16_to_cpu(bar_data.start_seq_num) >> 4;
2073
2074                /* reset session timer */
2075                if (tid_agg_rx->timeout)
2076                        mod_timer(&tid_agg_rx->session_timer,
2077                                  TU_TO_EXP_TIME(tid_agg_rx->timeout));
2078
2079                spin_lock(&tid_agg_rx->reorder_lock);
2080                /* release stored frames up to start of BAR */
2081                ieee80211_release_reorder_frames(rx->sdata, tid_agg_rx,
2082                                                 start_seq_num);
2083                spin_unlock(&tid_agg_rx->reorder_lock);
2084
2085                kfree_skb(skb);
2086                return RX_QUEUED;
2087        }
2088
2089        /*
2090         * After this point, we only want management frames,
2091         * so we can drop all remaining control frames to
2092         * cooked monitor interfaces.
2093         */
2094        return RX_DROP_MONITOR;
2095}
2096
2097static void ieee80211_process_sa_query_req(struct ieee80211_sub_if_data *sdata,
2098                                           struct ieee80211_mgmt *mgmt,
2099                                           size_t len)
2100{
2101        struct ieee80211_local *local = sdata->local;
2102        struct sk_buff *skb;
2103        struct ieee80211_mgmt *resp;
2104
2105        if (!ether_addr_equal(mgmt->da, sdata->vif.addr)) {
2106                /* Not to own unicast address */
2107                return;
2108        }
2109
2110        if (!ether_addr_equal(mgmt->sa, sdata->u.mgd.bssid) ||
2111            !ether_addr_equal(mgmt->bssid, sdata->u.mgd.bssid)) {
2112                /* Not from the current AP or not associated yet. */
2113                return;
2114        }
2115
2116        if (len < 24 + 1 + sizeof(resp->u.action.u.sa_query)) {
2117                /* Too short SA Query request frame */
2118                return;
2119        }
2120
2121        skb = dev_alloc_skb(sizeof(*resp) + local->hw.extra_tx_headroom);
2122        if (skb == NULL)
2123                return;
2124
2125        skb_reserve(skb, local->hw.extra_tx_headroom);
2126        resp = (struct ieee80211_mgmt *) skb_put(skb, 24);
2127        memset(resp, 0, 24);
2128        memcpy(resp->da, mgmt->sa, ETH_ALEN);
2129        memcpy(resp->sa, sdata->vif.addr, ETH_ALEN);
2130        memcpy(resp->bssid, sdata->u.mgd.bssid, ETH_ALEN);
2131        resp->frame_control = cpu_to_le16(IEEE80211_FTYPE_MGMT |
2132                                          IEEE80211_STYPE_ACTION);
2133        skb_put(skb, 1 + sizeof(resp->u.action.u.sa_query));
2134        resp->u.action.category = WLAN_CATEGORY_SA_QUERY;
2135        resp->u.action.u.sa_query.action = WLAN_ACTION_SA_QUERY_RESPONSE;
2136        memcpy(resp->u.action.u.sa_query.trans_id,
2137               mgmt->u.action.u.sa_query.trans_id,
2138               WLAN_SA_QUERY_TR_ID_LEN);
2139
2140        ieee80211_tx_skb(sdata, skb);
2141}
2142
2143static ieee80211_rx_result debug_noinline
2144ieee80211_rx_h_mgmt_check(struct ieee80211_rx_data *rx)
2145{
2146        struct ieee80211_mgmt *mgmt = (struct ieee80211_mgmt *) rx->skb->data;
2147        struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(rx->skb);
2148
2149        /*
2150         * From here on, look only at management frames.
2151         * Data and control frames are already handled,
2152         * and unknown (reserved) frames are useless.
2153         */
2154        if (rx->skb->len < 24)
2155                return RX_DROP_MONITOR;
2156
2157        if (!ieee80211_is_mgmt(mgmt->frame_control))
2158                return RX_DROP_MONITOR;
2159
2160        if (rx->sdata->vif.type == NL80211_IFTYPE_AP &&
2161            ieee80211_is_beacon(mgmt->frame_control) &&
2162            !(rx->flags & IEEE80211_RX_BEACON_REPORTED)) {
2163                int sig = 0;
2164
2165                if (rx->local->hw.flags & IEEE80211_HW_SIGNAL_DBM)
2166                        sig = status->signal;
2167
2168                cfg80211_report_obss_beacon(rx->local->hw.wiphy,
2169                                            rx->skb->data, rx->skb->len,
2170                                            status->freq, sig, GFP_ATOMIC);
2171                rx->flags |= IEEE80211_RX_BEACON_REPORTED;
2172        }
2173
2174        if (!(status->rx_flags & IEEE80211_RX_RA_MATCH))
2175                return RX_DROP_MONITOR;
2176
2177        if (ieee80211_drop_unencrypted_mgmt(rx))
2178                return RX_DROP_UNUSABLE;
2179
2180        return RX_CONTINUE;
2181}
2182
2183static ieee80211_rx_result debug_noinline
2184ieee80211_rx_h_action(struct ieee80211_rx_data *rx)
2185{
2186        struct ieee80211_local *local = rx->local;
2187        struct ieee80211_sub_if_data *sdata = rx->sdata;
2188        struct ieee80211_mgmt *mgmt = (struct ieee80211_mgmt *) rx->skb->data;
2189        struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(rx->skb);
2190        int len = rx->skb->len;
2191
2192        if (!ieee80211_is_action(mgmt->frame_control))
2193                return RX_CONTINUE;
2194
2195        /* drop too small frames */
2196        if (len < IEEE80211_MIN_ACTION_SIZE)
2197                return RX_DROP_UNUSABLE;
2198
2199        if (!rx->sta && mgmt->u.action.category != WLAN_CATEGORY_PUBLIC)
2200                return RX_DROP_UNUSABLE;
2201
2202        if (!(status->rx_flags & IEEE80211_RX_RA_MATCH))
2203                return RX_DROP_UNUSABLE;
2204
2205        switch (mgmt->u.action.category) {
2206        case WLAN_CATEGORY_HT:
2207                /* reject HT action frames from stations not supporting HT */
2208                if (!rx->sta->sta.ht_cap.ht_supported)
2209                        goto invalid;
2210
2211                if (sdata->vif.type != NL80211_IFTYPE_STATION &&
2212                    sdata->vif.type != NL80211_IFTYPE_MESH_POINT &&
2213                    sdata->vif.type != NL80211_IFTYPE_AP_VLAN &&
2214                    sdata->vif.type != NL80211_IFTYPE_AP &&
2215                    sdata->vif.type != NL80211_IFTYPE_ADHOC)
2216                        break;
2217
2218                /* verify action & smps_control are present */
2219                if (len < IEEE80211_MIN_ACTION_SIZE + 2)
2220                        goto invalid;
2221
2222                switch (mgmt->u.action.u.ht_smps.action) {
2223                case WLAN_HT_ACTION_SMPS: {
2224                        struct ieee80211_supported_band *sband;
2225                        u8 smps;
2226
2227                        /* convert to HT capability */
2228                        switch (mgmt->u.action.u.ht_smps.smps_control) {
2229                        case WLAN_HT_SMPS_CONTROL_DISABLED:
2230                                smps = WLAN_HT_CAP_SM_PS_DISABLED;
2231                                break;
2232                        case WLAN_HT_SMPS_CONTROL_STATIC:
2233                                smps = WLAN_HT_CAP_SM_PS_STATIC;
2234                                break;
2235                        case WLAN_HT_SMPS_CONTROL_DYNAMIC:
2236                                smps = WLAN_HT_CAP_SM_PS_DYNAMIC;
2237                                break;
2238                        default:
2239                                goto invalid;
2240                        }
2241                        smps <<= IEEE80211_HT_CAP_SM_PS_SHIFT;
2242
2243                        /* if no change do nothing */
2244                        if ((rx->sta->sta.ht_cap.cap &
2245                                        IEEE80211_HT_CAP_SM_PS) == smps)
2246                                goto handled;
2247
2248                        rx->sta->sta.ht_cap.cap &= ~IEEE80211_HT_CAP_SM_PS;
2249                        rx->sta->sta.ht_cap.cap |= smps;
2250
2251                        sband = rx->local->hw.wiphy->bands[status->band];
2252
2253                        rate_control_rate_update(local, sband, rx->sta,
2254                                                 IEEE80211_RC_SMPS_CHANGED);
2255                        goto handled;
2256                }
2257                default:
2258                        goto invalid;
2259                }
2260
2261                break;
2262        case WLAN_CATEGORY_BACK:
2263                if (sdata->vif.type != NL80211_IFTYPE_STATION &&
2264                    sdata->vif.type != NL80211_IFTYPE_MESH_POINT &&
2265                    sdata->vif.type != NL80211_IFTYPE_AP_VLAN &&
2266                    sdata->vif.type != NL80211_IFTYPE_AP &&
2267                    sdata->vif.type != NL80211_IFTYPE_ADHOC)
2268                        break;
2269
2270                /* verify action_code is present */
2271                if (len < IEEE80211_MIN_ACTION_SIZE + 1)
2272                        break;
2273
2274                switch (mgmt->u.action.u.addba_req.action_code) {
2275                case WLAN_ACTION_ADDBA_REQ:
2276                        if (len < (IEEE80211_MIN_ACTION_SIZE +
2277                                   sizeof(mgmt->u.action.u.addba_req)))
2278                                goto invalid;
2279                        break;
2280                case WLAN_ACTION_ADDBA_RESP:
2281                        if (len < (IEEE80211_MIN_ACTION_SIZE +
2282                                   sizeof(mgmt->u.action.u.addba_resp)))
2283                                goto invalid;
2284                        break;
2285                case WLAN_ACTION_DELBA:
2286                        if (len < (IEEE80211_MIN_ACTION_SIZE +
2287                                   sizeof(mgmt->u.action.u.delba)))
2288                                goto invalid;
2289                        break;
2290                default:
2291                        goto invalid;
2292                }
2293
2294                goto queue;
2295        case WLAN_CATEGORY_SPECTRUM_MGMT:
2296                if (local->hw.conf.channel->band != IEEE80211_BAND_5GHZ)
2297                        break;
2298
2299                if (sdata->vif.type != NL80211_IFTYPE_STATION)
2300                        break;
2301
2302                /* verify action_code is present */
2303                if (len < IEEE80211_MIN_ACTION_SIZE + 1)
2304                        break;
2305
2306                switch (mgmt->u.action.u.measurement.action_code) {
2307                case WLAN_ACTION_SPCT_MSR_REQ:
2308                        if (len < (IEEE80211_MIN_ACTION_SIZE +
2309                                   sizeof(mgmt->u.action.u.measurement)))
2310                                break;
2311                        ieee80211_process_measurement_req(sdata, mgmt, len);
2312                        goto handled;
2313                case WLAN_ACTION_SPCT_CHL_SWITCH:
2314                        if (len < (IEEE80211_MIN_ACTION_SIZE +
2315                                   sizeof(mgmt->u.action.u.chan_switch)))
2316                                break;
2317
2318                        if (sdata->vif.type != NL80211_IFTYPE_STATION)
2319                                break;
2320
2321                        if (!ether_addr_equal(mgmt->bssid, sdata->u.mgd.bssid))
2322                                break;
2323
2324                        goto queue;
2325                }
2326                break;
2327        case WLAN_CATEGORY_SA_QUERY:
2328                if (len < (IEEE80211_MIN_ACTION_SIZE +
2329                           sizeof(mgmt->u.action.u.sa_query)))
2330                        break;
2331
2332                switch (mgmt->u.action.u.sa_query.action) {
2333                case WLAN_ACTION_SA_QUERY_REQUEST:
2334                        if (sdata->vif.type != NL80211_IFTYPE_STATION)
2335                                break;
2336                        ieee80211_process_sa_query_req(sdata, mgmt, len);
2337                        goto handled;
2338                }
2339                break;
2340        case WLAN_CATEGORY_SELF_PROTECTED:
2341                if (len < (IEEE80211_MIN_ACTION_SIZE +
2342                           sizeof(mgmt->u.action.u.self_prot.action_code)))
2343                        break;
2344
2345                switch (mgmt->u.action.u.self_prot.action_code) {
2346                case WLAN_SP_MESH_PEERING_OPEN:
2347                case WLAN_SP_MESH_PEERING_CLOSE:
2348                case WLAN_SP_MESH_PEERING_CONFIRM:
2349                        if (!ieee80211_vif_is_mesh(&sdata->vif))
2350                                goto invalid;
2351                        if (sdata->u.mesh.security != IEEE80211_MESH_SEC_NONE)
2352                                /* userspace handles this frame */
2353                                break;
2354                        goto queue;
2355                case WLAN_SP_MGK_INFORM:
2356                case WLAN_SP_MGK_ACK:
2357                        if (!ieee80211_vif_is_mesh(&sdata->vif))
2358                                goto invalid;
2359                        break;
2360                }
2361                break;
2362        case WLAN_CATEGORY_MESH_ACTION:
2363                if (len < (IEEE80211_MIN_ACTION_SIZE +
2364                           sizeof(mgmt->u.action.u.mesh_action.action_code)))
2365                        break;
2366
2367                if (!ieee80211_vif_is_mesh(&sdata->vif))
2368                        break;
2369                if (mesh_action_is_path_sel(mgmt) &&
2370                  (!mesh_path_sel_is_hwmp(sdata)))
2371                        break;
2372                goto queue;
2373        }
2374
2375        return RX_CONTINUE;
2376
2377 invalid:
2378        status->rx_flags |= IEEE80211_RX_MALFORMED_ACTION_FRM;
2379        /* will return in the next handlers */
2380        return RX_CONTINUE;
2381
2382 handled:
2383        if (rx->sta)
2384                rx->sta->rx_packets++;
2385        dev_kfree_skb(rx->skb);
2386        return RX_QUEUED;
2387
2388 queue:
2389        rx->skb->pkt_type = IEEE80211_SDATA_QUEUE_TYPE_FRAME;
2390        skb_queue_tail(&sdata->skb_queue, rx->skb);
2391        ieee80211_queue_work(&local->hw, &sdata->work);
2392        if (rx->sta)
2393                rx->sta->rx_packets++;
2394        return RX_QUEUED;
2395}
2396
2397static ieee80211_rx_result debug_noinline
2398ieee80211_rx_h_userspace_mgmt(struct ieee80211_rx_data *rx)
2399{
2400        struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(rx->skb);
2401        int sig = 0;
2402
2403        /* skip known-bad action frames and return them in the next handler */
2404        if (status->rx_flags & IEEE80211_RX_MALFORMED_ACTION_FRM)
2405                return RX_CONTINUE;
2406
2407        /*
2408         * Getting here means the kernel doesn't know how to handle
2409         * it, but maybe userspace does ... include returned frames
2410         * so userspace can register for those to know whether ones
2411         * it transmitted were processed or returned.
2412         */
2413
2414        if (rx->local->hw.flags & IEEE80211_HW_SIGNAL_DBM)
2415                sig = status->signal;
2416
2417        if (cfg80211_rx_mgmt(&rx->sdata->wdev, status->freq, sig,
2418                             rx->skb->data, rx->skb->len,
2419                             GFP_ATOMIC)) {
2420                if (rx->sta)
2421                        rx->sta->rx_packets++;
2422                dev_kfree_skb(rx->skb);
2423                return RX_QUEUED;
2424        }
2425
2426
2427        return RX_CONTINUE;
2428}
2429
2430static ieee80211_rx_result debug_noinline
2431ieee80211_rx_h_action_return(struct ieee80211_rx_data *rx)
2432{
2433        struct ieee80211_local *local = rx->local;
2434        struct ieee80211_mgmt *mgmt = (struct ieee80211_mgmt *) rx->skb->data;
2435        struct sk_buff *nskb;
2436        struct ieee80211_sub_if_data *sdata = rx->sdata;
2437        struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(rx->skb);
2438
2439        if (!ieee80211_is_action(mgmt->frame_control))
2440                return RX_CONTINUE;
2441
2442        /*
2443         * For AP mode, hostapd is responsible for handling any action
2444         * frames that we didn't handle, including returning unknown
2445         * ones. For all other modes we will return them to the sender,
2446         * setting the 0x80 bit in the action category, as required by
2447         * 802.11-2012 9.24.4.
2448         * Newer versions of hostapd shall also use the management frame
2449         * registration mechanisms, but older ones still use cooked
2450         * monitor interfaces so push all frames there.
2451         */
2452        if (!(status->rx_flags & IEEE80211_RX_MALFORMED_ACTION_FRM) &&
2453            (sdata->vif.type == NL80211_IFTYPE_AP ||
2454             sdata->vif.type == NL80211_IFTYPE_AP_VLAN))
2455                return RX_DROP_MONITOR;
2456
2457        if (is_multicast_ether_addr(mgmt->da))
2458                return RX_DROP_MONITOR;
2459
2460        /* do not return rejected action frames */
2461        if (mgmt->u.action.category & 0x80)
2462                return RX_DROP_UNUSABLE;
2463
2464        nskb = skb_copy_expand(rx->skb, local->hw.extra_tx_headroom, 0,
2465                               GFP_ATOMIC);
2466        if (nskb) {
2467                struct ieee80211_mgmt *nmgmt = (void *)nskb->data;
2468
2469                nmgmt->u.action.category |= 0x80;
2470                memcpy(nmgmt->da, nmgmt->sa, ETH_ALEN);
2471                memcpy(nmgmt->sa, rx->sdata->vif.addr, ETH_ALEN);
2472
2473                memset(nskb->cb, 0, sizeof(nskb->cb));
2474
2475                ieee80211_tx_skb(rx->sdata, nskb);
2476        }
2477        dev_kfree_skb(rx->skb);
2478        return RX_QUEUED;
2479}
2480
2481static ieee80211_rx_result debug_noinline
2482ieee80211_rx_h_mgmt(struct ieee80211_rx_data *rx)
2483{
2484        struct ieee80211_sub_if_data *sdata = rx->sdata;
2485        struct ieee80211_mgmt *mgmt = (void *)rx->skb->data;
2486        __le16 stype;
2487
2488        stype = mgmt->frame_control & cpu_to_le16(IEEE80211_FCTL_STYPE);
2489
2490        if (!ieee80211_vif_is_mesh(&sdata->vif) &&
2491            sdata->vif.type != NL80211_IFTYPE_ADHOC &&
2492            sdata->vif.type != NL80211_IFTYPE_STATION)
2493                return RX_DROP_MONITOR;
2494
2495        switch (stype) {
2496        case cpu_to_le16(IEEE80211_STYPE_AUTH):
2497        case cpu_to_le16(IEEE80211_STYPE_BEACON):
2498        case cpu_to_le16(IEEE80211_STYPE_PROBE_RESP):
2499                /* process for all: mesh, mlme, ibss */
2500                break;
2501        case cpu_to_le16(IEEE80211_STYPE_ASSOC_RESP):
2502        case cpu_to_le16(IEEE80211_STYPE_REASSOC_RESP):
2503        case cpu_to_le16(IEEE80211_STYPE_DEAUTH):
2504        case cpu_to_le16(IEEE80211_STYPE_DISASSOC):
2505                if (is_multicast_ether_addr(mgmt->da) &&
2506                    !is_broadcast_ether_addr(mgmt->da))
2507                        return RX_DROP_MONITOR;
2508
2509                /* process only for station */
2510                if (sdata->vif.type != NL80211_IFTYPE_STATION)
2511                        return RX_DROP_MONITOR;
2512                break;
2513        case cpu_to_le16(IEEE80211_STYPE_PROBE_REQ):
2514                /* process only for ibss */
2515                if (sdata->vif.type != NL80211_IFTYPE_ADHOC)
2516                        return RX_DROP_MONITOR;
2517                break;
2518        default:
2519                return RX_DROP_MONITOR;
2520        }
2521
2522        /* queue up frame and kick off work to process it */
2523        rx->skb->pkt_type = IEEE80211_SDATA_QUEUE_TYPE_FRAME;
2524        skb_queue_tail(&sdata->skb_queue, rx->skb);
2525        ieee80211_queue_work(&rx->local->hw, &sdata->work);
2526        if (rx->sta)
2527                rx->sta->rx_packets++;
2528
2529        return RX_QUEUED;
2530}
2531
2532/* TODO: use IEEE80211_RX_FRAGMENTED */
2533static void ieee80211_rx_cooked_monitor(struct ieee80211_rx_data *rx,
2534                                        struct ieee80211_rate *rate)
2535{
2536        struct ieee80211_sub_if_data *sdata;
2537        struct ieee80211_local *local = rx->local;
2538        struct sk_buff *skb = rx->skb, *skb2;
2539        struct net_device *prev_dev = NULL;
2540        struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(skb);
2541        int needed_headroom;
2542
2543        /*
2544         * If cooked monitor has been processed already, then
2545         * don't do it again. If not, set the flag.
2546         */
2547        if (rx->flags & IEEE80211_RX_CMNTR)
2548                goto out_free_skb;
2549        rx->flags |= IEEE80211_RX_CMNTR;
2550
2551        /* If there are no cooked monitor interfaces, just free the SKB */
2552        if (!local->cooked_mntrs)
2553                goto out_free_skb;
2554
2555        /* room for the radiotap header based on driver features */
2556        needed_headroom = ieee80211_rx_radiotap_len(local, status);
2557
2558        if (skb_headroom(skb) < needed_headroom &&
2559            pskb_expand_head(skb, needed_headroom, 0, GFP_ATOMIC))
2560                goto out_free_skb;
2561
2562        /* prepend radiotap information */
2563        ieee80211_add_rx_radiotap_header(local, skb, rate, needed_headroom,
2564                                         false);
2565
2566        skb_set_mac_header(skb, 0);
2567        skb->ip_summed = CHECKSUM_UNNECESSARY;
2568        skb->pkt_type = PACKET_OTHERHOST;
2569        skb->protocol = htons(ETH_P_802_2);
2570
2571        list_for_each_entry_rcu(sdata, &local->interfaces, list) {
2572                if (!ieee80211_sdata_running(sdata))
2573                        continue;
2574
2575                if (sdata->vif.type != NL80211_IFTYPE_MONITOR ||
2576                    !(sdata->u.mntr_flags & MONITOR_FLAG_COOK_FRAMES))
2577                        continue;
2578
2579                if (prev_dev) {
2580                        skb2 = skb_clone(skb, GFP_ATOMIC);
2581                        if (skb2) {
2582                                skb2->dev = prev_dev;
2583                                netif_receive_skb(skb2);
2584                        }
2585                }
2586
2587                prev_dev = sdata->dev;
2588                sdata->dev->stats.rx_packets++;
2589                sdata->dev->stats.rx_bytes += skb->len;
2590        }
2591
2592        if (prev_dev) {
2593                skb->dev = prev_dev;
2594                netif_receive_skb(skb);
2595                return;
2596        }
2597
2598 out_free_skb:
2599        dev_kfree_skb(skb);
2600}
2601
2602static void ieee80211_rx_handlers_result(struct ieee80211_rx_data *rx,
2603                                         ieee80211_rx_result res)
2604{
2605        switch (res) {
2606        case RX_DROP_MONITOR:
2607                I802_DEBUG_INC(rx->sdata->local->rx_handlers_drop);
2608                if (rx->sta)
2609                        rx->sta->rx_dropped++;
2610                /* fall through */
2611        case RX_CONTINUE: {
2612                struct ieee80211_rate *rate = NULL;
2613                struct ieee80211_supported_band *sband;
2614                struct ieee80211_rx_status *status;
2615
2616                status = IEEE80211_SKB_RXCB((rx->skb));
2617
2618                sband = rx->local->hw.wiphy->bands[status->band];
2619                if (!(status->flag & RX_FLAG_HT))
2620                        rate = &sband->bitrates[status->rate_idx];
2621
2622                ieee80211_rx_cooked_monitor(rx, rate);
2623                break;
2624                }
2625        case RX_DROP_UNUSABLE:
2626                I802_DEBUG_INC(rx->sdata->local->rx_handlers_drop);
2627                if (rx->sta)
2628                        rx->sta->rx_dropped++;
2629                dev_kfree_skb(rx->skb);
2630                break;
2631        case RX_QUEUED:
2632                I802_DEBUG_INC(rx->sdata->local->rx_handlers_queued);
2633                break;
2634        }
2635}
2636
2637static void ieee80211_rx_handlers(struct ieee80211_rx_data *rx)
2638{
2639        ieee80211_rx_result res = RX_DROP_MONITOR;
2640        struct sk_buff *skb;
2641
2642#define CALL_RXH(rxh)                   \
2643        do {                            \
2644                res = rxh(rx);          \
2645                if (res != RX_CONTINUE) \
2646                        goto rxh_next;  \
2647        } while (0);
2648
2649        spin_lock(&rx->local->rx_skb_queue.lock);
2650        if (rx->local->running_rx_handler)
2651                goto unlock;
2652
2653        rx->local->running_rx_handler = true;
2654
2655        while ((skb = __skb_dequeue(&rx->local->rx_skb_queue))) {
2656                spin_unlock(&rx->local->rx_skb_queue.lock);
2657
2658                /*
2659                 * all the other fields are valid across frames
2660                 * that belong to an aMPDU since they are on the
2661                 * same TID from the same station
2662                 */
2663                rx->skb = skb;
2664
2665                CALL_RXH(ieee80211_rx_h_decrypt)
2666                CALL_RXH(ieee80211_rx_h_check_more_data)
2667                CALL_RXH(ieee80211_rx_h_uapsd_and_pspoll)
2668                CALL_RXH(ieee80211_rx_h_sta_process)
2669                CALL_RXH(ieee80211_rx_h_defragment)
2670                CALL_RXH(ieee80211_rx_h_michael_mic_verify)
2671                /* must be after MMIC verify so header is counted in MPDU mic */
2672#ifdef CONFIG_MAC80211_MESH
2673                if (ieee80211_vif_is_mesh(&rx->sdata->vif))
2674                        CALL_RXH(ieee80211_rx_h_mesh_fwding);
2675#endif
2676                CALL_RXH(ieee80211_rx_h_amsdu)
2677                CALL_RXH(ieee80211_rx_h_data)
2678                CALL_RXH(ieee80211_rx_h_ctrl);
2679                CALL_RXH(ieee80211_rx_h_mgmt_check)
2680                CALL_RXH(ieee80211_rx_h_action)
2681                CALL_RXH(ieee80211_rx_h_userspace_mgmt)
2682                CALL_RXH(ieee80211_rx_h_action_return)
2683                CALL_RXH(ieee80211_rx_h_mgmt)
2684
2685 rxh_next:
2686                ieee80211_rx_handlers_result(rx, res);
2687                spin_lock(&rx->local->rx_skb_queue.lock);
2688#undef CALL_RXH
2689        }
2690
2691        rx->local->running_rx_handler = false;
2692
2693 unlock:
2694        spin_unlock(&rx->local->rx_skb_queue.lock);
2695}
2696
2697static void ieee80211_invoke_rx_handlers(struct ieee80211_rx_data *rx)
2698{
2699        ieee80211_rx_result res = RX_DROP_MONITOR;
2700
2701#define CALL_RXH(rxh)                   \
2702        do {                            \
2703                res = rxh(rx);          \
2704                if (res != RX_CONTINUE) \
2705                        goto rxh_next;  \
2706        } while (0);
2707
2708        CALL_RXH(ieee80211_rx_h_check)
2709
2710        ieee80211_rx_reorder_ampdu(rx);
2711
2712        ieee80211_rx_handlers(rx);
2713        return;
2714
2715 rxh_next:
2716        ieee80211_rx_handlers_result(rx, res);
2717
2718#undef CALL_RXH
2719}
2720
2721/*
2722 * This function makes calls into the RX path, therefore
2723 * it has to be invoked under RCU read lock.
2724 */
2725void ieee80211_release_reorder_timeout(struct sta_info *sta, int tid)
2726{
2727        struct ieee80211_rx_data rx = {
2728                .sta = sta,
2729                .sdata = sta->sdata,
2730                .local = sta->local,
2731                /* This is OK -- must be QoS data frame */
2732                .security_idx = tid,
2733                .seqno_idx = tid,
2734                .flags = 0,
2735        };
2736        struct tid_ampdu_rx *tid_agg_rx;
2737
2738        tid_agg_rx = rcu_dereference(sta->ampdu_mlme.tid_rx[tid]);
2739        if (!tid_agg_rx)
2740                return;
2741
2742        spin_lock(&tid_agg_rx->reorder_lock);
2743        ieee80211_sta_reorder_release(sta->sdata, tid_agg_rx);
2744        spin_unlock(&tid_agg_rx->reorder_lock);
2745
2746        ieee80211_rx_handlers(&rx);
2747}
2748
2749/* main receive path */
2750
2751static int prepare_for_handlers(struct ieee80211_rx_data *rx,
2752                                struct ieee80211_hdr *hdr)
2753{
2754        struct ieee80211_sub_if_data *sdata = rx->sdata;
2755        struct sk_buff *skb = rx->skb;
2756        struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(skb);
2757        u8 *bssid = ieee80211_get_bssid(hdr, skb->len, sdata->vif.type);
2758        int multicast = is_multicast_ether_addr(hdr->addr1);
2759
2760        switch (sdata->vif.type) {
2761        case NL80211_IFTYPE_STATION:
2762                if (!bssid && !sdata->u.mgd.use_4addr)
2763                        return 0;
2764                if (!multicast &&
2765                    !ether_addr_equal(sdata->vif.addr, hdr->addr1)) {
2766                        if (!(sdata->dev->flags & IFF_PROMISC) ||
2767                            sdata->u.mgd.use_4addr)
2768                                return 0;
2769                        status->rx_flags &= ~IEEE80211_RX_RA_MATCH;
2770                }
2771                break;
2772        case NL80211_IFTYPE_ADHOC:
2773                if (!bssid)
2774                        return 0;
2775                if (ieee80211_is_beacon(hdr->frame_control)) {
2776                        return 1;
2777                } else if (!ieee80211_bssid_match(bssid, sdata->u.ibss.bssid)) {
2778                        return 0;
2779                } else if (!multicast &&
2780                           !ether_addr_equal(sdata->vif.addr, hdr->addr1)) {
2781                        if (!(sdata->dev->flags & IFF_PROMISC))
2782                                return 0;
2783                        status->rx_flags &= ~IEEE80211_RX_RA_MATCH;
2784                } else if (!rx->sta) {
2785                        int rate_idx;
2786                        if (status->flag & RX_FLAG_HT)
2787                                rate_idx = 0; /* TODO: HT rates */
2788                        else
2789                                rate_idx = status->rate_idx;
2790                        ieee80211_ibss_rx_no_sta(sdata, bssid, hdr->addr2,
2791                                                 BIT(rate_idx));
2792                }
2793                break;
2794        case NL80211_IFTYPE_MESH_POINT:
2795                if (!multicast &&
2796                    !ether_addr_equal(sdata->vif.addr, hdr->addr1)) {
2797                        if (!(sdata->dev->flags & IFF_PROMISC))
2798                                return 0;
2799
2800                        status->rx_flags &= ~IEEE80211_RX_RA_MATCH;
2801                }
2802                break;
2803        case NL80211_IFTYPE_AP_VLAN:
2804        case NL80211_IFTYPE_AP:
2805                if (!bssid) {
2806                        if (!ether_addr_equal(sdata->vif.addr, hdr->addr1))
2807                                return 0;
2808                } else if (!ieee80211_bssid_match(bssid,
2809                                        sdata->vif.addr)) {
2810                        /*
2811                         * Accept public action frames even when the
2812                         * BSSID doesn't match, this is used for P2P
2813                         * and location updates. Note that mac80211
2814                         * itself never looks at these frames.
2815                         */
2816                        if (ieee80211_is_public_action(hdr, skb->len))
2817                                return 1;
2818                        if (!ieee80211_is_beacon(hdr->frame_control))
2819                                return 0;
2820                        status->rx_flags &= ~IEEE80211_RX_RA_MATCH;
2821                }
2822                break;
2823        case NL80211_IFTYPE_WDS:
2824                if (bssid || !ieee80211_is_data(hdr->frame_control))
2825                        return 0;
2826                if (!ether_addr_equal(sdata->u.wds.remote_addr, hdr->addr2))
2827                        return 0;
2828                break;
2829        default:
2830                /* should never get here */
2831                WARN_ON(1);
2832                break;
2833        }
2834
2835        return 1;
2836}
2837
2838/*
2839 * This function returns whether or not the SKB
2840 * was destined for RX processing or not, which,
2841 * if consume is true, is equivalent to whether
2842 * or not the skb was consumed.
2843 */
2844static bool ieee80211_prepare_and_rx_handle(struct ieee80211_rx_data *rx,
2845                                            struct sk_buff *skb, bool consume)
2846{
2847        struct ieee80211_local *local = rx->local;
2848        struct ieee80211_sub_if_data *sdata = rx->sdata;
2849        struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(skb);
2850        struct ieee80211_hdr *hdr = (void *)skb->data;
2851        int prepares;
2852
2853        rx->skb = skb;
2854        status->rx_flags |= IEEE80211_RX_RA_MATCH;
2855        prepares = prepare_for_handlers(rx, hdr);
2856
2857        if (!prepares)
2858                return false;
2859
2860        if (!consume) {
2861                skb = skb_copy(skb, GFP_ATOMIC);
2862                if (!skb) {
2863                        if (net_ratelimit())
2864                                wiphy_debug(local->hw.wiphy,
2865                                        "failed to copy skb for %s\n",
2866                                        sdata->name);
2867                        return true;
2868                }
2869
2870                rx->skb = skb;
2871        }
2872
2873        ieee80211_invoke_rx_handlers(rx);
2874        return true;
2875}
2876
2877/*
2878 * This is the actual Rx frames handler. as it blongs to Rx path it must
2879 * be called with rcu_read_lock protection.
2880 */
2881static void __ieee80211_rx_handle_packet(struct ieee80211_hw *hw,
2882                                         struct sk_buff *skb)
2883{
2884        struct ieee80211_local *local = hw_to_local(hw);
2885        struct ieee80211_sub_if_data *sdata;
2886        struct ieee80211_hdr *hdr;
2887        __le16 fc;
2888        struct ieee80211_rx_data rx;
2889        struct ieee80211_sub_if_data *prev;
2890        struct sta_info *sta, *tmp, *prev_sta;
2891        int err = 0;
2892
2893        fc = ((struct ieee80211_hdr *)skb->data)->frame_control;
2894        memset(&rx, 0, sizeof(rx));
2895        rx.skb = skb;
2896        rx.local = local;
2897
2898        if (ieee80211_is_data(fc) || ieee80211_is_mgmt(fc))
2899                local->dot11ReceivedFragmentCount++;
2900
2901        if (ieee80211_is_mgmt(fc)) {
2902                /* drop frame if too short for header */
2903                if (skb->len < ieee80211_hdrlen(fc))
2904                        err = -ENOBUFS;
2905                else
2906                        err = skb_linearize(skb);
2907        } else {
2908                err = !pskb_may_pull(skb, ieee80211_hdrlen(fc));
2909        }
2910
2911        if (err) {
2912                dev_kfree_skb(skb);
2913                return;
2914        }
2915
2916        hdr = (struct ieee80211_hdr *)skb->data;
2917        ieee80211_parse_qos(&rx);
2918        ieee80211_verify_alignment(&rx);
2919
2920        if (unlikely(ieee80211_is_probe_resp(hdr->frame_control) ||
2921                     ieee80211_is_beacon(hdr->frame_control)))
2922                ieee80211_scan_rx(local, skb);
2923
2924        if (ieee80211_is_data(fc)) {
2925                prev_sta = NULL;
2926
2927                for_each_sta_info(local, hdr->addr2, sta, tmp) {
2928                        if (!prev_sta) {
2929                                prev_sta = sta;
2930                                continue;
2931                        }
2932
2933                        rx.sta = prev_sta;
2934                        rx.sdata = prev_sta->sdata;
2935                        ieee80211_prepare_and_rx_handle(&rx, skb, false);
2936
2937                        prev_sta = sta;
2938                }
2939
2940                if (prev_sta) {
2941                        rx.sta = prev_sta;
2942                        rx.sdata = prev_sta->sdata;
2943
2944                        if (ieee80211_prepare_and_rx_handle(&rx, skb, true))
2945                                return;
2946                        goto out;
2947                }
2948        }
2949
2950        prev = NULL;
2951
2952        list_for_each_entry_rcu(sdata, &local->interfaces, list) {
2953                if (!ieee80211_sdata_running(sdata))
2954                        continue;
2955
2956                if (sdata->vif.type == NL80211_IFTYPE_MONITOR ||
2957                    sdata->vif.type == NL80211_IFTYPE_AP_VLAN)
2958                        continue;
2959
2960                /*
2961                 * frame is destined for this interface, but if it's
2962                 * not also for the previous one we handle that after
2963                 * the loop to avoid copying the SKB once too much
2964                 */
2965
2966                if (!prev) {
2967                        prev = sdata;
2968                        continue;
2969                }
2970
2971                rx.sta = sta_info_get_bss(prev, hdr->addr2);
2972                rx.sdata = prev;
2973                ieee80211_prepare_and_rx_handle(&rx, skb, false);
2974
2975                prev = sdata;
2976        }
2977
2978        if (prev) {
2979                rx.sta = sta_info_get_bss(prev, hdr->addr2);
2980                rx.sdata = prev;
2981
2982                if (ieee80211_prepare_and_rx_handle(&rx, skb, true))
2983                        return;
2984        }
2985
2986 out:
2987        dev_kfree_skb(skb);
2988}
2989
2990/*
2991 * This is the receive path handler. It is called by a low level driver when an
2992 * 802.11 MPDU is received from the hardware.
2993 */
2994void ieee80211_rx(struct ieee80211_hw *hw, struct sk_buff *skb)
2995{
2996        struct ieee80211_local *local = hw_to_local(hw);
2997        struct ieee80211_rate *rate = NULL;
2998        struct ieee80211_supported_band *sband;
2999        struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(skb);
3000
3001        WARN_ON_ONCE(softirq_count() == 0);
3002
3003        if (WARN_ON(status->band < 0 ||
3004                    status->band >= IEEE80211_NUM_BANDS))
3005                goto drop;
3006
3007        sband = local->hw.wiphy->bands[status->band];
3008        if (WARN_ON(!sband))
3009                goto drop;
3010
3011        /*
3012         * If we're suspending, it is possible although not too likely
3013         * that we'd be receiving frames after having already partially
3014         * quiesced the stack. We can't process such frames then since
3015         * that might, for example, cause stations to be added or other
3016         * driver callbacks be invoked.
3017         */
3018        if (unlikely(local->quiescing || local->suspended))
3019                goto drop;
3020
3021        /* We might be during a HW reconfig, prevent Rx for the same reason */
3022        if (unlikely(local->in_reconfig))
3023                goto drop;
3024
3025        /*
3026         * The same happens when we're not even started,
3027         * but that's worth a warning.
3028         */
3029        if (WARN_ON(!local->started))
3030                goto drop;
3031
3032        if (likely(!(status->flag & RX_FLAG_FAILED_PLCP_CRC))) {
3033                /*
3034                 * Validate the rate, unless a PLCP error means that
3035                 * we probably can't have a valid rate here anyway.
3036                 */
3037
3038                if (status->flag & RX_FLAG_HT) {
3039                        /*
3040                         * rate_idx is MCS index, which can be [0-76]
3041                         * as documented on:
3042                         *
3043                         * http://wireless.kernel.org/en/developers/Documentation/ieee80211/802.11n
3044                         *
3045                         * Anything else would be some sort of driver or
3046                         * hardware error. The driver should catch hardware
3047                         * errors.
3048                         */
3049                        if (WARN((status->rate_idx < 0 ||
3050                                 status->rate_idx > 76),
3051                                 "Rate marked as an HT rate but passed "
3052                                 "status->rate_idx is not "
3053                                 "an MCS index [0-76]: %d (0x%02x)\n",
3054                                 status->rate_idx,
3055                                 status->rate_idx))
3056                                goto drop;
3057                } else {
3058                        if (WARN_ON(status->rate_idx < 0 ||
3059                                    status->rate_idx >= sband->n_bitrates))
3060                                goto drop;
3061                        rate = &sband->bitrates[status->rate_idx];
3062                }
3063        }
3064
3065        status->rx_flags = 0;
3066
3067        /*
3068         * key references and virtual interfaces are protected using RCU
3069         * and this requires that we are in a read-side RCU section during
3070         * receive processing
3071         */
3072        rcu_read_lock();
3073
3074        /*
3075         * Frames with failed FCS/PLCP checksum are not returned,
3076         * all other frames are returned without radiotap header
3077         * if it was previously present.
3078         * Also, frames with less than 16 bytes are dropped.
3079         */
3080        skb = ieee80211_rx_monitor(local, skb, rate);
3081        if (!skb) {
3082                rcu_read_unlock();
3083                return;
3084        }
3085
3086        ieee80211_tpt_led_trig_rx(local,
3087                        ((struct ieee80211_hdr *)skb->data)->frame_control,
3088                        skb->len);
3089        __ieee80211_rx_handle_packet(hw, skb);
3090
3091        rcu_read_unlock();
3092
3093        return;
3094 drop:
3095        kfree_skb(skb);
3096}
3097EXPORT_SYMBOL(ieee80211_rx);
3098
3099/* This is a version of the rx handler that can be called from hard irq
3100 * context. Post the skb on the queue and schedule the tasklet */
3101void ieee80211_rx_irqsafe(struct ieee80211_hw *hw, struct sk_buff *skb)
3102{
3103        struct ieee80211_local *local = hw_to_local(hw);
3104
3105        BUILD_BUG_ON(sizeof(struct ieee80211_rx_status) > sizeof(skb->cb));
3106
3107        skb->pkt_type = IEEE80211_RX_MSG;
3108        skb_queue_tail(&local->skb_queue, skb);
3109        tasklet_schedule(&local->tasklet);
3110}
3111EXPORT_SYMBOL(ieee80211_rx_irqsafe);
3112
lxr.linux.no kindly hosted by Redpill Linpro AS, provider of Linux consulting and operations services since 1995.