linux/net/mac80211/rx.c
<<
>>
Prefs
   1// SPDX-License-Identifier: GPL-2.0-only
   2/*
   3 * Copyright 2002-2005, Instant802 Networks, Inc.
   4 * Copyright 2005-2006, Devicescape Software, Inc.
   5 * Copyright 2006-2007  Jiri Benc <jbenc@suse.cz>
   6 * Copyright 2007-2010  Johannes Berg <johannes@sipsolutions.net>
   7 * Copyright 2013-2014  Intel Mobile Communications GmbH
   8 * Copyright(c) 2015 - 2017 Intel Deutschland GmbH
   9 * Copyright (C) 2018-2021 Intel Corporation
  10 */
  11
  12#include <linux/jiffies.h>
  13#include <linux/slab.h>
  14#include <linux/kernel.h>
  15#include <linux/skbuff.h>
  16#include <linux/netdevice.h>
  17#include <linux/etherdevice.h>
  18#include <linux/rcupdate.h>
  19#include <linux/export.h>
  20#include <linux/kcov.h>
  21#include <linux/bitops.h>
  22#include <net/mac80211.h>
  23#include <net/ieee80211_radiotap.h>
  24#include <asm/unaligned.h>
  25
  26#include "ieee80211_i.h"
  27#include "driver-ops.h"
  28#include "led.h"
  29#include "mesh.h"
  30#include "wep.h"
  31#include "wpa.h"
  32#include "tkip.h"
  33#include "wme.h"
  34#include "rate.h"
  35
  36/*
  37 * monitor mode reception
  38 *
  39 * This function cleans up the SKB, i.e. it removes all the stuff
  40 * only useful for monitoring.
  41 */
  42static struct sk_buff *ieee80211_clean_skb(struct sk_buff *skb,
  43                                           unsigned int present_fcs_len,
  44                                           unsigned int rtap_space)
  45{
  46        struct ieee80211_hdr *hdr;
  47        unsigned int hdrlen;
  48        __le16 fc;
  49
  50        if (present_fcs_len)
  51                __pskb_trim(skb, skb->len - present_fcs_len);
  52        __pskb_pull(skb, rtap_space);
  53
  54        hdr = (void *)skb->data;
  55        fc = hdr->frame_control;
  56
  57        /*
  58         * Remove the HT-Control field (if present) on management
  59         * frames after we've sent the frame to monitoring. We
  60         * (currently) don't need it, and don't properly parse
  61         * frames with it present, due to the assumption of a
  62         * fixed management header length.
  63         */
  64        if (likely(!ieee80211_is_mgmt(fc) || !ieee80211_has_order(fc)))
  65                return skb;
  66
  67        hdrlen = ieee80211_hdrlen(fc);
  68        hdr->frame_control &= ~cpu_to_le16(IEEE80211_FCTL_ORDER);
  69
  70        if (!pskb_may_pull(skb, hdrlen)) {
  71                dev_kfree_skb(skb);
  72                return NULL;
  73        }
  74
  75        memmove(skb->data + IEEE80211_HT_CTL_LEN, skb->data,
  76                hdrlen - IEEE80211_HT_CTL_LEN);
  77        __pskb_pull(skb, IEEE80211_HT_CTL_LEN);
  78
  79        return skb;
  80}
  81
  82static inline bool should_drop_frame(struct sk_buff *skb, int present_fcs_len,
  83                                     unsigned int rtap_space)
  84{
  85        struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(skb);
  86        struct ieee80211_hdr *hdr;
  87
  88        hdr = (void *)(skb->data + rtap_space);
  89
  90        if (status->flag & (RX_FLAG_FAILED_FCS_CRC |
  91                            RX_FLAG_FAILED_PLCP_CRC |
  92                            RX_FLAG_ONLY_MONITOR |
  93                            RX_FLAG_NO_PSDU))
  94                return true;
  95
  96        if (unlikely(skb->len < 16 + present_fcs_len + rtap_space))
  97                return true;
  98
  99        if (ieee80211_is_ctl(hdr->frame_control) &&
 100            !ieee80211_is_pspoll(hdr->frame_control) &&
 101            !ieee80211_is_back_req(hdr->frame_control))
 102                return true;
 103
 104        return false;
 105}
 106
 107static int
 108ieee80211_rx_radiotap_hdrlen(struct ieee80211_local *local,
 109                             struct ieee80211_rx_status *status,
 110                             struct sk_buff *skb)
 111{
 112        int len;
 113
 114        /* always present fields */
 115        len = sizeof(struct ieee80211_radiotap_header) + 8;
 116
 117        /* allocate extra bitmaps */
 118        if (status->chains)
 119                len += 4 * hweight8(status->chains);
 120        /* vendor presence bitmap */
 121        if (status->flag & RX_FLAG_RADIOTAP_VENDOR_DATA)
 122                len += 4;
 123
 124        if (ieee80211_have_rx_timestamp(status)) {
 125                len = ALIGN(len, 8);
 126                len += 8;
 127        }
 128        if (ieee80211_hw_check(&local->hw, SIGNAL_DBM))
 129                len += 1;
 130
 131        /* antenna field, if we don't have per-chain info */
 132        if (!status->chains)
 133                len += 1;
 134
 135        /* padding for RX_FLAGS if necessary */
 136        len = ALIGN(len, 2);
 137
 138        if (status->encoding == RX_ENC_HT) /* HT info */
 139                len += 3;
 140
 141        if (status->flag & RX_FLAG_AMPDU_DETAILS) {
 142                len = ALIGN(len, 4);
 143                len += 8;
 144        }
 145
 146        if (status->encoding == RX_ENC_VHT) {
 147                len = ALIGN(len, 2);
 148                len += 12;
 149        }
 150
 151        if (local->hw.radiotap_timestamp.units_pos >= 0) {
 152                len = ALIGN(len, 8);
 153                len += 12;
 154        }
 155
 156        if (status->encoding == RX_ENC_HE &&
 157            status->flag & RX_FLAG_RADIOTAP_HE) {
 158                len = ALIGN(len, 2);
 159                len += 12;
 160                BUILD_BUG_ON(sizeof(struct ieee80211_radiotap_he) != 12);
 161        }
 162
 163        if (status->encoding == RX_ENC_HE &&
 164            status->flag & RX_FLAG_RADIOTAP_HE_MU) {
 165                len = ALIGN(len, 2);
 166                len += 12;
 167                BUILD_BUG_ON(sizeof(struct ieee80211_radiotap_he_mu) != 12);
 168        }
 169
 170        if (status->flag & RX_FLAG_NO_PSDU)
 171                len += 1;
 172
 173        if (status->flag & RX_FLAG_RADIOTAP_LSIG) {
 174                len = ALIGN(len, 2);
 175                len += 4;
 176                BUILD_BUG_ON(sizeof(struct ieee80211_radiotap_lsig) != 4);
 177        }
 178
 179        if (status->chains) {
 180                /* antenna and antenna signal fields */
 181                len += 2 * hweight8(status->chains);
 182        }
 183
 184        if (status->flag & RX_FLAG_RADIOTAP_VENDOR_DATA) {
 185                struct ieee80211_vendor_radiotap *rtap;
 186                int vendor_data_offset = 0;
 187
 188                /*
 189                 * The position to look at depends on the existence (or non-
 190                 * existence) of other elements, so take that into account...
 191                 */
 192                if (status->flag & RX_FLAG_RADIOTAP_HE)
 193                        vendor_data_offset +=
 194                                sizeof(struct ieee80211_radiotap_he);
 195                if (status->flag & RX_FLAG_RADIOTAP_HE_MU)
 196                        vendor_data_offset +=
 197                                sizeof(struct ieee80211_radiotap_he_mu);
 198                if (status->flag & RX_FLAG_RADIOTAP_LSIG)
 199                        vendor_data_offset +=
 200                                sizeof(struct ieee80211_radiotap_lsig);
 201
 202                rtap = (void *)&skb->data[vendor_data_offset];
 203
 204                /* alignment for fixed 6-byte vendor data header */
 205                len = ALIGN(len, 2);
 206                /* vendor data header */
 207                len += 6;
 208                if (WARN_ON(rtap->align == 0))
 209                        rtap->align = 1;
 210                len = ALIGN(len, rtap->align);
 211                len += rtap->len + rtap->pad;
 212        }
 213
 214        return len;
 215}
 216
 217static void __ieee80211_queue_skb_to_iface(struct ieee80211_sub_if_data *sdata,
 218                                           struct sta_info *sta,
 219                                           struct sk_buff *skb)
 220{
 221        skb_queue_tail(&sdata->skb_queue, skb);
 222        ieee80211_queue_work(&sdata->local->hw, &sdata->work);
 223        if (sta)
 224                sta->rx_stats.packets++;
 225}
 226
 227static void ieee80211_queue_skb_to_iface(struct ieee80211_sub_if_data *sdata,
 228                                         struct sta_info *sta,
 229                                         struct sk_buff *skb)
 230{
 231        skb->protocol = 0;
 232        __ieee80211_queue_skb_to_iface(sdata, sta, skb);
 233}
 234
 235static void ieee80211_handle_mu_mimo_mon(struct ieee80211_sub_if_data *sdata,
 236                                         struct sk_buff *skb,
 237                                         int rtap_space)
 238{
 239        struct {
 240                struct ieee80211_hdr_3addr hdr;
 241                u8 category;
 242                u8 action_code;
 243        } __packed __aligned(2) action;
 244
 245        if (!sdata)
 246                return;
 247
 248        BUILD_BUG_ON(sizeof(action) != IEEE80211_MIN_ACTION_SIZE + 1);
 249
 250        if (skb->len < rtap_space + sizeof(action) +
 251                       VHT_MUMIMO_GROUPS_DATA_LEN)
 252                return;
 253
 254        if (!is_valid_ether_addr(sdata->u.mntr.mu_follow_addr))
 255                return;
 256
 257        skb_copy_bits(skb, rtap_space, &action, sizeof(action));
 258
 259        if (!ieee80211_is_action(action.hdr.frame_control))
 260                return;
 261
 262        if (action.category != WLAN_CATEGORY_VHT)
 263                return;
 264
 265        if (action.action_code != WLAN_VHT_ACTION_GROUPID_MGMT)
 266                return;
 267
 268        if (!ether_addr_equal(action.hdr.addr1, sdata->u.mntr.mu_follow_addr))
 269                return;
 270
 271        skb = skb_copy(skb, GFP_ATOMIC);
 272        if (!skb)
 273                return;
 274
 275        ieee80211_queue_skb_to_iface(sdata, NULL, skb);
 276}
 277
 278/*
 279 * ieee80211_add_rx_radiotap_header - add radiotap header
 280 *
 281 * add a radiotap header containing all the fields which the hardware provided.
 282 */
 283static void
 284ieee80211_add_rx_radiotap_header(struct ieee80211_local *local,
 285                                 struct sk_buff *skb,
 286                                 struct ieee80211_rate *rate,
 287                                 int rtap_len, bool has_fcs)
 288{
 289        struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(skb);
 290        struct ieee80211_radiotap_header *rthdr;
 291        unsigned char *pos;
 292        __le32 *it_present;
 293        u32 it_present_val;
 294        u16 rx_flags = 0;
 295        u16 channel_flags = 0;
 296        int mpdulen, chain;
 297        unsigned long chains = status->chains;
 298        struct ieee80211_vendor_radiotap rtap = {};
 299        struct ieee80211_radiotap_he he = {};
 300        struct ieee80211_radiotap_he_mu he_mu = {};
 301        struct ieee80211_radiotap_lsig lsig = {};
 302
 303        if (status->flag & RX_FLAG_RADIOTAP_HE) {
 304                he = *(struct ieee80211_radiotap_he *)skb->data;
 305                skb_pull(skb, sizeof(he));
 306                WARN_ON_ONCE(status->encoding != RX_ENC_HE);
 307        }
 308
 309        if (status->flag & RX_FLAG_RADIOTAP_HE_MU) {
 310                he_mu = *(struct ieee80211_radiotap_he_mu *)skb->data;
 311                skb_pull(skb, sizeof(he_mu));
 312        }
 313
 314        if (status->flag & RX_FLAG_RADIOTAP_LSIG) {
 315                lsig = *(struct ieee80211_radiotap_lsig *)skb->data;
 316                skb_pull(skb, sizeof(lsig));
 317        }
 318
 319        if (status->flag & RX_FLAG_RADIOTAP_VENDOR_DATA) {
 320                rtap = *(struct ieee80211_vendor_radiotap *)skb->data;
 321                /* rtap.len and rtap.pad are undone immediately */
 322                skb_pull(skb, sizeof(rtap) + rtap.len + rtap.pad);
 323        }
 324
 325        mpdulen = skb->len;
 326        if (!(has_fcs && ieee80211_hw_check(&local->hw, RX_INCLUDES_FCS)))
 327                mpdulen += FCS_LEN;
 328
 329        rthdr = skb_push(skb, rtap_len);
 330        memset(rthdr, 0, rtap_len - rtap.len - rtap.pad);
 331        it_present = &rthdr->it_present;
 332
 333        /* radiotap header, set always present flags */
 334        rthdr->it_len = cpu_to_le16(rtap_len);
 335        it_present_val = BIT(IEEE80211_RADIOTAP_FLAGS) |
 336                         BIT(IEEE80211_RADIOTAP_CHANNEL) |
 337                         BIT(IEEE80211_RADIOTAP_RX_FLAGS);
 338
 339        if (!status->chains)
 340                it_present_val |= BIT(IEEE80211_RADIOTAP_ANTENNA);
 341
 342        for_each_set_bit(chain, &chains, IEEE80211_MAX_CHAINS) {
 343                it_present_val |=
 344                        BIT(IEEE80211_RADIOTAP_EXT) |
 345                        BIT(IEEE80211_RADIOTAP_RADIOTAP_NAMESPACE);
 346                put_unaligned_le32(it_present_val, it_present);
 347                it_present++;
 348                it_present_val = BIT(IEEE80211_RADIOTAP_ANTENNA) |
 349                                 BIT(IEEE80211_RADIOTAP_DBM_ANTSIGNAL);
 350        }
 351
 352        if (status->flag & RX_FLAG_RADIOTAP_VENDOR_DATA) {
 353                it_present_val |= BIT(IEEE80211_RADIOTAP_VENDOR_NAMESPACE) |
 354                                  BIT(IEEE80211_RADIOTAP_EXT);
 355                put_unaligned_le32(it_present_val, it_present);
 356                it_present++;
 357                it_present_val = rtap.present;
 358        }
 359
 360        put_unaligned_le32(it_present_val, it_present);
 361
 362        pos = (void *)(it_present + 1);
 363
 364        /* the order of the following fields is important */
 365
 366        /* IEEE80211_RADIOTAP_TSFT */
 367        if (ieee80211_have_rx_timestamp(status)) {
 368                /* padding */
 369                while ((pos - (u8 *)rthdr) & 7)
 370                        *pos++ = 0;
 371                put_unaligned_le64(
 372                        ieee80211_calculate_rx_timestamp(local, status,
 373                                                         mpdulen, 0),
 374                        pos);
 375                rthdr->it_present |= cpu_to_le32(1 << IEEE80211_RADIOTAP_TSFT);
 376                pos += 8;
 377        }
 378
 379        /* IEEE80211_RADIOTAP_FLAGS */
 380        if (has_fcs && ieee80211_hw_check(&local->hw, RX_INCLUDES_FCS))
 381                *pos |= IEEE80211_RADIOTAP_F_FCS;
 382        if (status->flag & (RX_FLAG_FAILED_FCS_CRC | RX_FLAG_FAILED_PLCP_CRC))
 383                *pos |= IEEE80211_RADIOTAP_F_BADFCS;
 384        if (status->enc_flags & RX_ENC_FLAG_SHORTPRE)
 385                *pos |= IEEE80211_RADIOTAP_F_SHORTPRE;
 386        pos++;
 387
 388        /* IEEE80211_RADIOTAP_RATE */
 389        if (!rate || status->encoding != RX_ENC_LEGACY) {
 390                /*
 391                 * Without rate information don't add it. If we have,
 392                 * MCS information is a separate field in radiotap,
 393                 * added below. The byte here is needed as padding
 394                 * for the channel though, so initialise it to 0.
 395                 */
 396                *pos = 0;
 397        } else {
 398                int shift = 0;
 399                rthdr->it_present |= cpu_to_le32(1 << IEEE80211_RADIOTAP_RATE);
 400                if (status->bw == RATE_INFO_BW_10)
 401                        shift = 1;
 402                else if (status->bw == RATE_INFO_BW_5)
 403                        shift = 2;
 404                *pos = DIV_ROUND_UP(rate->bitrate, 5 * (1 << shift));
 405        }
 406        pos++;
 407
 408        /* IEEE80211_RADIOTAP_CHANNEL */
 409        /* TODO: frequency offset in KHz */
 410        put_unaligned_le16(status->freq, pos);
 411        pos += 2;
 412        if (status->bw == RATE_INFO_BW_10)
 413                channel_flags |= IEEE80211_CHAN_HALF;
 414        else if (status->bw == RATE_INFO_BW_5)
 415                channel_flags |= IEEE80211_CHAN_QUARTER;
 416
 417        if (status->band == NL80211_BAND_5GHZ ||
 418            status->band == NL80211_BAND_6GHZ)
 419                channel_flags |= IEEE80211_CHAN_OFDM | IEEE80211_CHAN_5GHZ;
 420        else if (status->encoding != RX_ENC_LEGACY)
 421                channel_flags |= IEEE80211_CHAN_DYN | IEEE80211_CHAN_2GHZ;
 422        else if (rate && rate->flags & IEEE80211_RATE_ERP_G)
 423                channel_flags |= IEEE80211_CHAN_OFDM | IEEE80211_CHAN_2GHZ;
 424        else if (rate)
 425                channel_flags |= IEEE80211_CHAN_CCK | IEEE80211_CHAN_2GHZ;
 426        else
 427                channel_flags |= IEEE80211_CHAN_2GHZ;
 428        put_unaligned_le16(channel_flags, pos);
 429        pos += 2;
 430
 431        /* IEEE80211_RADIOTAP_DBM_ANTSIGNAL */
 432        if (ieee80211_hw_check(&local->hw, SIGNAL_DBM) &&
 433            !(status->flag & RX_FLAG_NO_SIGNAL_VAL)) {
 434                *pos = status->signal;
 435                rthdr->it_present |=
 436                        cpu_to_le32(1 << IEEE80211_RADIOTAP_DBM_ANTSIGNAL);
 437                pos++;
 438        }
 439
 440        /* IEEE80211_RADIOTAP_LOCK_QUALITY is missing */
 441
 442        if (!status->chains) {
 443                /* IEEE80211_RADIOTAP_ANTENNA */
 444                *pos = status->antenna;
 445                pos++;
 446        }
 447
 448        /* IEEE80211_RADIOTAP_DB_ANTNOISE is not used */
 449
 450        /* IEEE80211_RADIOTAP_RX_FLAGS */
 451        /* ensure 2 byte alignment for the 2 byte field as required */
 452        if ((pos - (u8 *)rthdr) & 1)
 453                *pos++ = 0;
 454        if (status->flag & RX_FLAG_FAILED_PLCP_CRC)
 455                rx_flags |= IEEE80211_RADIOTAP_F_RX_BADPLCP;
 456        put_unaligned_le16(rx_flags, pos);
 457        pos += 2;
 458
 459        if (status->encoding == RX_ENC_HT) {
 460                unsigned int stbc;
 461
 462                rthdr->it_present |= cpu_to_le32(1 << IEEE80211_RADIOTAP_MCS);
 463                *pos++ = local->hw.radiotap_mcs_details;
 464                *pos = 0;
 465                if (status->enc_flags & RX_ENC_FLAG_SHORT_GI)
 466                        *pos |= IEEE80211_RADIOTAP_MCS_SGI;
 467                if (status->bw == RATE_INFO_BW_40)
 468                        *pos |= IEEE80211_RADIOTAP_MCS_BW_40;
 469                if (status->enc_flags & RX_ENC_FLAG_HT_GF)
 470                        *pos |= IEEE80211_RADIOTAP_MCS_FMT_GF;
 471                if (status->enc_flags & RX_ENC_FLAG_LDPC)
 472                        *pos |= IEEE80211_RADIOTAP_MCS_FEC_LDPC;
 473                stbc = (status->enc_flags & RX_ENC_FLAG_STBC_MASK) >> RX_ENC_FLAG_STBC_SHIFT;
 474                *pos |= stbc << IEEE80211_RADIOTAP_MCS_STBC_SHIFT;
 475                pos++;
 476                *pos++ = status->rate_idx;
 477        }
 478
 479        if (status->flag & RX_FLAG_AMPDU_DETAILS) {
 480                u16 flags = 0;
 481
 482                /* ensure 4 byte alignment */
 483                while ((pos - (u8 *)rthdr) & 3)
 484                        pos++;
 485                rthdr->it_present |=
 486                        cpu_to_le32(1 << IEEE80211_RADIOTAP_AMPDU_STATUS);
 487                put_unaligned_le32(status->ampdu_reference, pos);
 488                pos += 4;
 489                if (status->flag & RX_FLAG_AMPDU_LAST_KNOWN)
 490                        flags |= IEEE80211_RADIOTAP_AMPDU_LAST_KNOWN;
 491                if (status->flag & RX_FLAG_AMPDU_IS_LAST)
 492                        flags |= IEEE80211_RADIOTAP_AMPDU_IS_LAST;
 493                if (status->flag & RX_FLAG_AMPDU_DELIM_CRC_ERROR)
 494                        flags |= IEEE80211_RADIOTAP_AMPDU_DELIM_CRC_ERR;
 495                if (status->flag & RX_FLAG_AMPDU_DELIM_CRC_KNOWN)
 496                        flags |= IEEE80211_RADIOTAP_AMPDU_DELIM_CRC_KNOWN;
 497                if (status->flag & RX_FLAG_AMPDU_EOF_BIT_KNOWN)
 498                        flags |= IEEE80211_RADIOTAP_AMPDU_EOF_KNOWN;
 499                if (status->flag & RX_FLAG_AMPDU_EOF_BIT)
 500                        flags |= IEEE80211_RADIOTAP_AMPDU_EOF;
 501                put_unaligned_le16(flags, pos);
 502                pos += 2;
 503                if (status->flag & RX_FLAG_AMPDU_DELIM_CRC_KNOWN)
 504                        *pos++ = status->ampdu_delimiter_crc;
 505                else
 506                        *pos++ = 0;
 507                *pos++ = 0;
 508        }
 509
 510        if (status->encoding == RX_ENC_VHT) {
 511                u16 known = local->hw.radiotap_vht_details;
 512
 513                rthdr->it_present |= cpu_to_le32(1 << IEEE80211_RADIOTAP_VHT);
 514                put_unaligned_le16(known, pos);
 515                pos += 2;
 516                /* flags */
 517                if (status->enc_flags & RX_ENC_FLAG_SHORT_GI)
 518                        *pos |= IEEE80211_RADIOTAP_VHT_FLAG_SGI;
 519                /* in VHT, STBC is binary */
 520                if (status->enc_flags & RX_ENC_FLAG_STBC_MASK)
 521                        *pos |= IEEE80211_RADIOTAP_VHT_FLAG_STBC;
 522                if (status->enc_flags & RX_ENC_FLAG_BF)
 523                        *pos |= IEEE80211_RADIOTAP_VHT_FLAG_BEAMFORMED;
 524                pos++;
 525                /* bandwidth */
 526                switch (status->bw) {
 527                case RATE_INFO_BW_80:
 528                        *pos++ = 4;
 529                        break;
 530                case RATE_INFO_BW_160:
 531                        *pos++ = 11;
 532                        break;
 533                case RATE_INFO_BW_40:
 534                        *pos++ = 1;
 535                        break;
 536                default:
 537                        *pos++ = 0;
 538                }
 539                /* MCS/NSS */
 540                *pos = (status->rate_idx << 4) | status->nss;
 541                pos += 4;
 542                /* coding field */
 543                if (status->enc_flags & RX_ENC_FLAG_LDPC)
 544                        *pos |= IEEE80211_RADIOTAP_CODING_LDPC_USER0;
 545                pos++;
 546                /* group ID */
 547                pos++;
 548                /* partial_aid */
 549                pos += 2;
 550        }
 551
 552        if (local->hw.radiotap_timestamp.units_pos >= 0) {
 553                u16 accuracy = 0;
 554                u8 flags = IEEE80211_RADIOTAP_TIMESTAMP_FLAG_32BIT;
 555
 556                rthdr->it_present |=
 557                        cpu_to_le32(1 << IEEE80211_RADIOTAP_TIMESTAMP);
 558
 559                /* ensure 8 byte alignment */
 560                while ((pos - (u8 *)rthdr) & 7)
 561                        pos++;
 562
 563                put_unaligned_le64(status->device_timestamp, pos);
 564                pos += sizeof(u64);
 565
 566                if (local->hw.radiotap_timestamp.accuracy >= 0) {
 567                        accuracy = local->hw.radiotap_timestamp.accuracy;
 568                        flags |= IEEE80211_RADIOTAP_TIMESTAMP_FLAG_ACCURACY;
 569                }
 570                put_unaligned_le16(accuracy, pos);
 571                pos += sizeof(u16);
 572
 573                *pos++ = local->hw.radiotap_timestamp.units_pos;
 574                *pos++ = flags;
 575        }
 576
 577        if (status->encoding == RX_ENC_HE &&
 578            status->flag & RX_FLAG_RADIOTAP_HE) {
 579#define HE_PREP(f, val) le16_encode_bits(val, IEEE80211_RADIOTAP_HE_##f)
 580
 581                if (status->enc_flags & RX_ENC_FLAG_STBC_MASK) {
 582                        he.data6 |= HE_PREP(DATA6_NSTS,
 583                                            FIELD_GET(RX_ENC_FLAG_STBC_MASK,
 584                                                      status->enc_flags));
 585                        he.data3 |= HE_PREP(DATA3_STBC, 1);
 586                } else {
 587                        he.data6 |= HE_PREP(DATA6_NSTS, status->nss);
 588                }
 589
 590#define CHECK_GI(s) \
 591        BUILD_BUG_ON(IEEE80211_RADIOTAP_HE_DATA5_GI_##s != \
 592                     (int)NL80211_RATE_INFO_HE_GI_##s)
 593
 594                CHECK_GI(0_8);
 595                CHECK_GI(1_6);
 596                CHECK_GI(3_2);
 597
 598                he.data3 |= HE_PREP(DATA3_DATA_MCS, status->rate_idx);
 599                he.data3 |= HE_PREP(DATA3_DATA_DCM, status->he_dcm);
 600                he.data3 |= HE_PREP(DATA3_CODING,
 601                                    !!(status->enc_flags & RX_ENC_FLAG_LDPC));
 602
 603                he.data5 |= HE_PREP(DATA5_GI, status->he_gi);
 604
 605                switch (status->bw) {
 606                case RATE_INFO_BW_20:
 607                        he.data5 |= HE_PREP(DATA5_DATA_BW_RU_ALLOC,
 608                                            IEEE80211_RADIOTAP_HE_DATA5_DATA_BW_RU_ALLOC_20MHZ);
 609                        break;
 610                case RATE_INFO_BW_40:
 611                        he.data5 |= HE_PREP(DATA5_DATA_BW_RU_ALLOC,
 612                                            IEEE80211_RADIOTAP_HE_DATA5_DATA_BW_RU_ALLOC_40MHZ);
 613                        break;
 614                case RATE_INFO_BW_80:
 615                        he.data5 |= HE_PREP(DATA5_DATA_BW_RU_ALLOC,
 616                                            IEEE80211_RADIOTAP_HE_DATA5_DATA_BW_RU_ALLOC_80MHZ);
 617                        break;
 618                case RATE_INFO_BW_160:
 619                        he.data5 |= HE_PREP(DATA5_DATA_BW_RU_ALLOC,
 620                                            IEEE80211_RADIOTAP_HE_DATA5_DATA_BW_RU_ALLOC_160MHZ);
 621                        break;
 622                case RATE_INFO_BW_HE_RU:
 623#define CHECK_RU_ALLOC(s) \
 624        BUILD_BUG_ON(IEEE80211_RADIOTAP_HE_DATA5_DATA_BW_RU_ALLOC_##s##T != \
 625                     NL80211_RATE_INFO_HE_RU_ALLOC_##s + 4)
 626
 627                        CHECK_RU_ALLOC(26);
 628                        CHECK_RU_ALLOC(52);
 629                        CHECK_RU_ALLOC(106);
 630                        CHECK_RU_ALLOC(242);
 631                        CHECK_RU_ALLOC(484);
 632                        CHECK_RU_ALLOC(996);
 633                        CHECK_RU_ALLOC(2x996);
 634
 635                        he.data5 |= HE_PREP(DATA5_DATA_BW_RU_ALLOC,
 636                                            status->he_ru + 4);
 637                        break;
 638                default:
 639                        WARN_ONCE(1, "Invalid SU BW %d\n", status->bw);
 640                }
 641
 642                /* ensure 2 byte alignment */
 643                while ((pos - (u8 *)rthdr) & 1)
 644                        pos++;
 645                rthdr->it_present |= cpu_to_le32(1 << IEEE80211_RADIOTAP_HE);
 646                memcpy(pos, &he, sizeof(he));
 647                pos += sizeof(he);
 648        }
 649
 650        if (status->encoding == RX_ENC_HE &&
 651            status->flag & RX_FLAG_RADIOTAP_HE_MU) {
 652                /* ensure 2 byte alignment */
 653                while ((pos - (u8 *)rthdr) & 1)
 654                        pos++;
 655                rthdr->it_present |= cpu_to_le32(1 << IEEE80211_RADIOTAP_HE_MU);
 656                memcpy(pos, &he_mu, sizeof(he_mu));
 657                pos += sizeof(he_mu);
 658        }
 659
 660        if (status->flag & RX_FLAG_NO_PSDU) {
 661                rthdr->it_present |=
 662                        cpu_to_le32(1 << IEEE80211_RADIOTAP_ZERO_LEN_PSDU);
 663                *pos++ = status->zero_length_psdu_type;
 664        }
 665
 666        if (status->flag & RX_FLAG_RADIOTAP_LSIG) {
 667                /* ensure 2 byte alignment */
 668                while ((pos - (u8 *)rthdr) & 1)
 669                        pos++;
 670                rthdr->it_present |= cpu_to_le32(1 << IEEE80211_RADIOTAP_LSIG);
 671                memcpy(pos, &lsig, sizeof(lsig));
 672                pos += sizeof(lsig);
 673        }
 674
 675        for_each_set_bit(chain, &chains, IEEE80211_MAX_CHAINS) {
 676                *pos++ = status->chain_signal[chain];
 677                *pos++ = chain;
 678        }
 679
 680        if (status->flag & RX_FLAG_RADIOTAP_VENDOR_DATA) {
 681                /* ensure 2 byte alignment for the vendor field as required */
 682                if ((pos - (u8 *)rthdr) & 1)
 683                        *pos++ = 0;
 684                *pos++ = rtap.oui[0];
 685                *pos++ = rtap.oui[1];
 686                *pos++ = rtap.oui[2];
 687                *pos++ = rtap.subns;
 688                put_unaligned_le16(rtap.len, pos);
 689                pos += 2;
 690                /* align the actual payload as requested */
 691                while ((pos - (u8 *)rthdr) & (rtap.align - 1))
 692                        *pos++ = 0;
 693                /* data (and possible padding) already follows */
 694        }
 695}
 696
 697static struct sk_buff *
 698ieee80211_make_monitor_skb(struct ieee80211_local *local,
 699                           struct sk_buff **origskb,
 700                           struct ieee80211_rate *rate,
 701                           int rtap_space, bool use_origskb)
 702{
 703        struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(*origskb);
 704        int rt_hdrlen, needed_headroom;
 705        struct sk_buff *skb;
 706
 707        /* room for the radiotap header based on driver features */
 708        rt_hdrlen = ieee80211_rx_radiotap_hdrlen(local, status, *origskb);
 709        needed_headroom = rt_hdrlen - rtap_space;
 710
 711        if (use_origskb) {
 712                /* only need to expand headroom if necessary */
 713                skb = *origskb;
 714                *origskb = NULL;
 715
 716                /*
 717                 * This shouldn't trigger often because most devices have an
 718                 * RX header they pull before we get here, and that should
 719                 * be big enough for our radiotap information. We should
 720                 * probably export the length to drivers so that we can have
 721                 * them allocate enough headroom to start with.
 722                 */
 723                if (skb_headroom(skb) < needed_headroom &&
 724                    pskb_expand_head(skb, needed_headroom, 0, GFP_ATOMIC)) {
 725                        dev_kfree_skb(skb);
 726                        return NULL;
 727                }
 728        } else {
 729                /*
 730                 * Need to make a copy and possibly remove radiotap header
 731                 * and FCS from the original.
 732                 */
 733                skb = skb_copy_expand(*origskb, needed_headroom + NET_SKB_PAD,
 734                                      0, GFP_ATOMIC);
 735
 736                if (!skb)
 737                        return NULL;
 738        }
 739
 740        /* prepend radiotap information */
 741        ieee80211_add_rx_radiotap_header(local, skb, rate, rt_hdrlen, true);
 742
 743        skb_reset_mac_header(skb);
 744        skb->ip_summed = CHECKSUM_UNNECESSARY;
 745        skb->pkt_type = PACKET_OTHERHOST;
 746        skb->protocol = htons(ETH_P_802_2);
 747
 748        return skb;
 749}
 750
 751/*
 752 * This function copies a received frame to all monitor interfaces and
 753 * returns a cleaned-up SKB that no longer includes the FCS nor the
 754 * radiotap header the driver might have added.
 755 */
 756static struct sk_buff *
 757ieee80211_rx_monitor(struct ieee80211_local *local, struct sk_buff *origskb,
 758                     struct ieee80211_rate *rate)
 759{
 760        struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(origskb);
 761        struct ieee80211_sub_if_data *sdata;
 762        struct sk_buff *monskb = NULL;
 763        int present_fcs_len = 0;
 764        unsigned int rtap_space = 0;
 765        struct ieee80211_sub_if_data *monitor_sdata =
 766                rcu_dereference(local->monitor_sdata);
 767        bool only_monitor = false;
 768        unsigned int min_head_len;
 769
 770        if (status->flag & RX_FLAG_RADIOTAP_HE)
 771                rtap_space += sizeof(struct ieee80211_radiotap_he);
 772
 773        if (status->flag & RX_FLAG_RADIOTAP_HE_MU)
 774                rtap_space += sizeof(struct ieee80211_radiotap_he_mu);
 775
 776        if (status->flag & RX_FLAG_RADIOTAP_LSIG)
 777                rtap_space += sizeof(struct ieee80211_radiotap_lsig);
 778
 779        if (unlikely(status->flag & RX_FLAG_RADIOTAP_VENDOR_DATA)) {
 780                struct ieee80211_vendor_radiotap *rtap =
 781                        (void *)(origskb->data + rtap_space);
 782
 783                rtap_space += sizeof(*rtap) + rtap->len + rtap->pad;
 784        }
 785
 786        min_head_len = rtap_space;
 787
 788        /*
 789         * First, we may need to make a copy of the skb because
 790         *  (1) we need to modify it for radiotap (if not present), and
 791         *  (2) the other RX handlers will modify the skb we got.
 792         *
 793         * We don't need to, of course, if we aren't going to return
 794         * the SKB because it has a bad FCS/PLCP checksum.
 795         */
 796
 797        if (!(status->flag & RX_FLAG_NO_PSDU)) {
 798                if (ieee80211_hw_check(&local->hw, RX_INCLUDES_FCS)) {
 799                        if (unlikely(origskb->len <= FCS_LEN + rtap_space)) {
 800                                /* driver bug */
 801                                WARN_ON(1);
 802                                dev_kfree_skb(origskb);
 803                                return NULL;
 804                        }
 805                        present_fcs_len = FCS_LEN;
 806                }
 807
 808                /* also consider the hdr->frame_control */
 809                min_head_len += 2;
 810        }
 811
 812        /* ensure that the expected data elements are in skb head */
 813        if (!pskb_may_pull(origskb, min_head_len)) {
 814                dev_kfree_skb(origskb);
 815                return NULL;
 816        }
 817
 818        only_monitor = should_drop_frame(origskb, present_fcs_len, rtap_space);
 819
 820        if (!local->monitors || (status->flag & RX_FLAG_SKIP_MONITOR)) {
 821                if (only_monitor) {
 822                        dev_kfree_skb(origskb);
 823                        return NULL;
 824                }
 825
 826                return ieee80211_clean_skb(origskb, present_fcs_len,
 827                                           rtap_space);
 828        }
 829
 830        ieee80211_handle_mu_mimo_mon(monitor_sdata, origskb, rtap_space);
 831
 832        list_for_each_entry_rcu(sdata, &local->mon_list, u.mntr.list) {
 833                bool last_monitor = list_is_last(&sdata->u.mntr.list,
 834                                                 &local->mon_list);
 835
 836                if (!monskb)
 837                        monskb = ieee80211_make_monitor_skb(local, &origskb,
 838                                                            rate, rtap_space,
 839                                                            only_monitor &&
 840                                                            last_monitor);
 841
 842                if (monskb) {
 843                        struct sk_buff *skb;
 844
 845                        if (last_monitor) {
 846                                skb = monskb;
 847                                monskb = NULL;
 848                        } else {
 849                                skb = skb_clone(monskb, GFP_ATOMIC);
 850                        }
 851
 852                        if (skb) {
 853                                skb->dev = sdata->dev;
 854                                dev_sw_netstats_rx_add(skb->dev, skb->len);
 855                                netif_receive_skb(skb);
 856                        }
 857                }
 858
 859                if (last_monitor)
 860                        break;
 861        }
 862
 863        /* this happens if last_monitor was erroneously false */
 864        dev_kfree_skb(monskb);
 865
 866        /* ditto */
 867        if (!origskb)
 868                return NULL;
 869
 870        return ieee80211_clean_skb(origskb, present_fcs_len, rtap_space);
 871}
 872
 873static void ieee80211_parse_qos(struct ieee80211_rx_data *rx)
 874{
 875        struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)rx->skb->data;
 876        struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(rx->skb);
 877        int tid, seqno_idx, security_idx;
 878
 879        /* does the frame have a qos control field? */
 880        if (ieee80211_is_data_qos(hdr->frame_control)) {
 881                u8 *qc = ieee80211_get_qos_ctl(hdr);
 882                /* frame has qos control */
 883                tid = *qc & IEEE80211_QOS_CTL_TID_MASK;
 884                if (*qc & IEEE80211_QOS_CTL_A_MSDU_PRESENT)
 885                        status->rx_flags |= IEEE80211_RX_AMSDU;
 886
 887                seqno_idx = tid;
 888                security_idx = tid;
 889        } else {
 890                /*
 891                 * IEEE 802.11-2007, 7.1.3.4.1 ("Sequence Number field"):
 892                 *
 893                 *      Sequence numbers for management frames, QoS data
 894                 *      frames with a broadcast/multicast address in the
 895                 *      Address 1 field, and all non-QoS data frames sent
 896                 *      by QoS STAs are assigned using an additional single
 897                 *      modulo-4096 counter, [...]
 898                 *
 899                 * We also use that counter for non-QoS STAs.
 900                 */
 901                seqno_idx = IEEE80211_NUM_TIDS;
 902                security_idx = 0;
 903                if (ieee80211_is_mgmt(hdr->frame_control))
 904                        security_idx = IEEE80211_NUM_TIDS;
 905                tid = 0;
 906        }
 907
 908        rx->seqno_idx = seqno_idx;
 909        rx->security_idx = security_idx;
 910        /* Set skb->priority to 1d tag if highest order bit of TID is not set.
 911         * For now, set skb->priority to 0 for other cases. */
 912        rx->skb->priority = (tid > 7) ? 0 : tid;
 913}
 914
 915/**
 916 * DOC: Packet alignment
 917 *
 918 * Drivers always need to pass packets that are aligned to two-byte boundaries
 919 * to the stack.
 920 *
 921 * Additionally, should, if possible, align the payload data in a way that
 922 * guarantees that the contained IP header is aligned to a four-byte
 923 * boundary. In the case of regular frames, this simply means aligning the
 924 * payload to a four-byte boundary (because either the IP header is directly
 925 * contained, or IV/RFC1042 headers that have a length divisible by four are
 926 * in front of it).  If the payload data is not properly aligned and the
 927 * architecture doesn't support efficient unaligned operations, mac80211
 928 * will align the data.
 929 *
 930 * With A-MSDU frames, however, the payload data address must yield two modulo
 931 * four because there are 14-byte 802.3 headers within the A-MSDU frames that
 932 * push the IP header further back to a multiple of four again. Thankfully, the
 933 * specs were sane enough this time around to require padding each A-MSDU
 934 * subframe to a length that is a multiple of four.
 935 *
 936 * Padding like Atheros hardware adds which is between the 802.11 header and
 937 * the payload is not supported, the driver is required to move the 802.11
 938 * header to be directly in front of the payload in that case.
 939 */
 940static void ieee80211_verify_alignment(struct ieee80211_rx_data *rx)
 941{
 942#ifdef CONFIG_MAC80211_VERBOSE_DEBUG
 943        WARN_ON_ONCE((unsigned long)rx->skb->data & 1);
 944#endif
 945}
 946
 947
 948/* rx handlers */
 949
 950static int ieee80211_is_unicast_robust_mgmt_frame(struct sk_buff *skb)
 951{
 952        struct ieee80211_hdr *hdr = (struct ieee80211_hdr *) skb->data;
 953
 954        if (is_multicast_ether_addr(hdr->addr1))
 955                return 0;
 956
 957        return ieee80211_is_robust_mgmt_frame(skb);
 958}
 959
 960
 961static int ieee80211_is_multicast_robust_mgmt_frame(struct sk_buff *skb)
 962{
 963        struct ieee80211_hdr *hdr = (struct ieee80211_hdr *) skb->data;
 964
 965        if (!is_multicast_ether_addr(hdr->addr1))
 966                return 0;
 967
 968        return ieee80211_is_robust_mgmt_frame(skb);
 969}
 970
 971
 972/* Get the BIP key index from MMIE; return -1 if this is not a BIP frame */
 973static int ieee80211_get_mmie_keyidx(struct sk_buff *skb)
 974{
 975        struct ieee80211_mgmt *hdr = (struct ieee80211_mgmt *) skb->data;
 976        struct ieee80211_mmie *mmie;
 977        struct ieee80211_mmie_16 *mmie16;
 978
 979        if (skb->len < 24 + sizeof(*mmie) || !is_multicast_ether_addr(hdr->da))
 980                return -1;
 981
 982        if (!ieee80211_is_robust_mgmt_frame(skb) &&
 983            !ieee80211_is_beacon(hdr->frame_control))
 984                return -1; /* not a robust management frame */
 985
 986        mmie = (struct ieee80211_mmie *)
 987                (skb->data + skb->len - sizeof(*mmie));
 988        if (mmie->element_id == WLAN_EID_MMIE &&
 989            mmie->length == sizeof(*mmie) - 2)
 990                return le16_to_cpu(mmie->key_id);
 991
 992        mmie16 = (struct ieee80211_mmie_16 *)
 993                (skb->data + skb->len - sizeof(*mmie16));
 994        if (skb->len >= 24 + sizeof(*mmie16) &&
 995            mmie16->element_id == WLAN_EID_MMIE &&
 996            mmie16->length == sizeof(*mmie16) - 2)
 997                return le16_to_cpu(mmie16->key_id);
 998
 999        return -1;
1000}
1001
1002static int ieee80211_get_keyid(struct sk_buff *skb,
1003                               const struct ieee80211_cipher_scheme *cs)
1004{
1005        struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)skb->data;
1006        __le16 fc;
1007        int hdrlen;
1008        int minlen;
1009        u8 key_idx_off;
1010        u8 key_idx_shift;
1011        u8 keyid;
1012
1013        fc = hdr->frame_control;
1014        hdrlen = ieee80211_hdrlen(fc);
1015
1016        if (cs) {
1017                minlen = hdrlen + cs->hdr_len;
1018                key_idx_off = hdrlen + cs->key_idx_off;
1019                key_idx_shift = cs->key_idx_shift;
1020        } else {
1021                /* WEP, TKIP, CCMP and GCMP */
1022                minlen = hdrlen + IEEE80211_WEP_IV_LEN;
1023                key_idx_off = hdrlen + 3;
1024                key_idx_shift = 6;
1025        }
1026
1027        if (unlikely(skb->len < minlen))
1028                return -EINVAL;
1029
1030        skb_copy_bits(skb, key_idx_off, &keyid, 1);
1031
1032        if (cs)
1033                keyid &= cs->key_idx_mask;
1034        keyid >>= key_idx_shift;
1035
1036        /* cs could use more than the usual two bits for the keyid */
1037        if (unlikely(keyid >= NUM_DEFAULT_KEYS))
1038                return -EINVAL;
1039
1040        return keyid;
1041}
1042
1043static ieee80211_rx_result ieee80211_rx_mesh_check(struct ieee80211_rx_data *rx)
1044{
1045        struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)rx->skb->data;
1046        char *dev_addr = rx->sdata->vif.addr;
1047
1048        if (ieee80211_is_data(hdr->frame_control)) {
1049                if (is_multicast_ether_addr(hdr->addr1)) {
1050                        if (ieee80211_has_tods(hdr->frame_control) ||
1051                            !ieee80211_has_fromds(hdr->frame_control))
1052                                return RX_DROP_MONITOR;
1053                        if (ether_addr_equal(hdr->addr3, dev_addr))
1054                                return RX_DROP_MONITOR;
1055                } else {
1056                        if (!ieee80211_has_a4(hdr->frame_control))
1057                                return RX_DROP_MONITOR;
1058                        if (ether_addr_equal(hdr->addr4, dev_addr))
1059                                return RX_DROP_MONITOR;
1060                }
1061        }
1062
1063        /* If there is not an established peer link and this is not a peer link
1064         * establisment frame, beacon or probe, drop the frame.
1065         */
1066
1067        if (!rx->sta || sta_plink_state(rx->sta) != NL80211_PLINK_ESTAB) {
1068                struct ieee80211_mgmt *mgmt;
1069
1070                if (!ieee80211_is_mgmt(hdr->frame_control))
1071                        return RX_DROP_MONITOR;
1072
1073                if (ieee80211_is_action(hdr->frame_control)) {
1074                        u8 category;
1075
1076                        /* make sure category field is present */
1077                        if (rx->skb->len < IEEE80211_MIN_ACTION_SIZE)
1078                                return RX_DROP_MONITOR;
1079
1080                        mgmt = (struct ieee80211_mgmt *)hdr;
1081                        category = mgmt->u.action.category;
1082                        if (category != WLAN_CATEGORY_MESH_ACTION &&
1083                            category != WLAN_CATEGORY_SELF_PROTECTED)
1084                                return RX_DROP_MONITOR;
1085                        return RX_CONTINUE;
1086                }
1087
1088                if (ieee80211_is_probe_req(hdr->frame_control) ||
1089                    ieee80211_is_probe_resp(hdr->frame_control) ||
1090                    ieee80211_is_beacon(hdr->frame_control) ||
1091                    ieee80211_is_auth(hdr->frame_control))
1092                        return RX_CONTINUE;
1093
1094                return RX_DROP_MONITOR;
1095        }
1096
1097        return RX_CONTINUE;
1098}
1099
1100static inline bool ieee80211_rx_reorder_ready(struct tid_ampdu_rx *tid_agg_rx,
1101                                              int index)
1102{
1103        struct sk_buff_head *frames = &tid_agg_rx->reorder_buf[index];
1104        struct sk_buff *tail = skb_peek_tail(frames);
1105        struct ieee80211_rx_status *status;
1106
1107        if (tid_agg_rx->reorder_buf_filtered & BIT_ULL(index))
1108                return true;
1109
1110        if (!tail)
1111                return false;
1112
1113        status = IEEE80211_SKB_RXCB(tail);
1114        if (status->flag & RX_FLAG_AMSDU_MORE)
1115                return false;
1116
1117        return true;
1118}
1119
1120static void ieee80211_release_reorder_frame(struct ieee80211_sub_if_data *sdata,
1121                                            struct tid_ampdu_rx *tid_agg_rx,
1122                                            int index,
1123                                            struct sk_buff_head *frames)
1124{
1125        struct sk_buff_head *skb_list = &tid_agg_rx->reorder_buf[index];
1126        struct sk_buff *skb;
1127        struct ieee80211_rx_status *status;
1128
1129        lockdep_assert_held(&tid_agg_rx->reorder_lock);
1130
1131        if (skb_queue_empty(skb_list))
1132                goto no_frame;
1133
1134        if (!ieee80211_rx_reorder_ready(tid_agg_rx, index)) {
1135                __skb_queue_purge(skb_list);
1136                goto no_frame;
1137        }
1138
1139        /* release frames from the reorder ring buffer */
1140        tid_agg_rx->stored_mpdu_num--;
1141        while ((skb = __skb_dequeue(skb_list))) {
1142                status = IEEE80211_SKB_RXCB(skb);
1143                status->rx_flags |= IEEE80211_RX_DEFERRED_RELEASE;
1144                __skb_queue_tail(frames, skb);
1145        }
1146
1147no_frame:
1148        tid_agg_rx->reorder_buf_filtered &= ~BIT_ULL(index);
1149        tid_agg_rx->head_seq_num = ieee80211_sn_inc(tid_agg_rx->head_seq_num);
1150}
1151
1152static void ieee80211_release_reorder_frames(struct ieee80211_sub_if_data *sdata,
1153                                             struct tid_ampdu_rx *tid_agg_rx,
1154                                             u16 head_seq_num,
1155                                             struct sk_buff_head *frames)
1156{
1157        int index;
1158
1159        lockdep_assert_held(&tid_agg_rx->reorder_lock);
1160
1161        while (ieee80211_sn_less(tid_agg_rx->head_seq_num, head_seq_num)) {
1162                index = tid_agg_rx->head_seq_num % tid_agg_rx->buf_size;
1163                ieee80211_release_reorder_frame(sdata, tid_agg_rx, index,
1164                                                frames);
1165        }
1166}
1167
1168/*
1169 * Timeout (in jiffies) for skb's that are waiting in the RX reorder buffer. If
1170 * the skb was added to the buffer longer than this time ago, the earlier
1171 * frames that have not yet been received are assumed to be lost and the skb
1172 * can be released for processing. This may also release other skb's from the
1173 * reorder buffer if there are no additional gaps between the frames.
1174 *
1175 * Callers must hold tid_agg_rx->reorder_lock.
1176 */
1177#define HT_RX_REORDER_BUF_TIMEOUT (HZ / 10)
1178
1179static void ieee80211_sta_reorder_release(struct ieee80211_sub_if_data *sdata,
1180                                          struct tid_ampdu_rx *tid_agg_rx,
1181                                          struct sk_buff_head *frames)
1182{
1183        int index, i, j;
1184
1185        lockdep_assert_held(&tid_agg_rx->reorder_lock);
1186
1187        /* release the buffer until next missing frame */
1188        index = tid_agg_rx->head_seq_num % tid_agg_rx->buf_size;
1189        if (!ieee80211_rx_reorder_ready(tid_agg_rx, index) &&
1190            tid_agg_rx->stored_mpdu_num) {
1191                /*
1192                 * No buffers ready to be released, but check whether any
1193                 * frames in the reorder buffer have timed out.
1194                 */
1195                int skipped = 1;
1196                for (j = (index + 1) % tid_agg_rx->buf_size; j != index;
1197                     j = (j + 1) % tid_agg_rx->buf_size) {
1198                        if (!ieee80211_rx_reorder_ready(tid_agg_rx, j)) {
1199                                skipped++;
1200                                continue;
1201                        }
1202                        if (skipped &&
1203                            !time_after(jiffies, tid_agg_rx->reorder_time[j] +
1204                                        HT_RX_REORDER_BUF_TIMEOUT))
1205                                goto set_release_timer;
1206
1207                        /* don't leave incomplete A-MSDUs around */
1208                        for (i = (index + 1) % tid_agg_rx->buf_size; i != j;
1209                             i = (i + 1) % tid_agg_rx->buf_size)
1210                                __skb_queue_purge(&tid_agg_rx->reorder_buf[i]);
1211
1212                        ht_dbg_ratelimited(sdata,
1213                                           "release an RX reorder frame due to timeout on earlier frames\n");
1214                        ieee80211_release_reorder_frame(sdata, tid_agg_rx, j,
1215                                                        frames);
1216
1217                        /*
1218                         * Increment the head seq# also for the skipped slots.
1219                         */
1220                        tid_agg_rx->head_seq_num =
1221                                (tid_agg_rx->head_seq_num +
1222                                 skipped) & IEEE80211_SN_MASK;
1223                        skipped = 0;
1224                }
1225        } else while (ieee80211_rx_reorder_ready(tid_agg_rx, index)) {
1226                ieee80211_release_reorder_frame(sdata, tid_agg_rx, index,
1227                                                frames);
1228                index = tid_agg_rx->head_seq_num % tid_agg_rx->buf_size;
1229        }
1230
1231        if (tid_agg_rx->stored_mpdu_num) {
1232                j = index = tid_agg_rx->head_seq_num % tid_agg_rx->buf_size;
1233
1234                for (; j != (index - 1) % tid_agg_rx->buf_size;
1235                     j = (j + 1) % tid_agg_rx->buf_size) {
1236                        if (ieee80211_rx_reorder_ready(tid_agg_rx, j))
1237                                break;
1238                }
1239
1240 set_release_timer:
1241
1242                if (!tid_agg_rx->removed)
1243                        mod_timer(&tid_agg_rx->reorder_timer,
1244                                  tid_agg_rx->reorder_time[j] + 1 +
1245                                  HT_RX_REORDER_BUF_TIMEOUT);
1246        } else {
1247                del_timer(&tid_agg_rx->reorder_timer);
1248        }
1249}
1250
1251/*
1252 * As this function belongs to the RX path it must be under
1253 * rcu_read_lock protection. It returns false if the frame
1254 * can be processed immediately, true if it was consumed.
1255 */
1256static bool ieee80211_sta_manage_reorder_buf(struct ieee80211_sub_if_data *sdata,
1257                                             struct tid_ampdu_rx *tid_agg_rx,
1258                                             struct sk_buff *skb,
1259                                             struct sk_buff_head *frames)
1260{
1261        struct ieee80211_hdr *hdr = (struct ieee80211_hdr *) skb->data;
1262        struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(skb);
1263        u16 sc = le16_to_cpu(hdr->seq_ctrl);
1264        u16 mpdu_seq_num = (sc & IEEE80211_SCTL_SEQ) >> 4;
1265        u16 head_seq_num, buf_size;
1266        int index;
1267        bool ret = true;
1268
1269        spin_lock(&tid_agg_rx->reorder_lock);
1270
1271        /*
1272         * Offloaded BA sessions have no known starting sequence number so pick
1273         * one from first Rxed frame for this tid after BA was started.
1274         */
1275        if (unlikely(tid_agg_rx->auto_seq)) {
1276                tid_agg_rx->auto_seq = false;
1277                tid_agg_rx->ssn = mpdu_seq_num;
1278                tid_agg_rx->head_seq_num = mpdu_seq_num;
1279        }
1280
1281        buf_size = tid_agg_rx->buf_size;
1282        head_seq_num = tid_agg_rx->head_seq_num;
1283
1284        /*
1285         * If the current MPDU's SN is smaller than the SSN, it shouldn't
1286         * be reordered.
1287         */
1288        if (unlikely(!tid_agg_rx->started)) {
1289                if (ieee80211_sn_less(mpdu_seq_num, head_seq_num)) {
1290                        ret = false;
1291                        goto out;
1292                }
1293                tid_agg_rx->started = true;
1294        }
1295
1296        /* frame with out of date sequence number */
1297        if (ieee80211_sn_less(mpdu_seq_num, head_seq_num)) {
1298                dev_kfree_skb(skb);
1299                goto out;
1300        }
1301
1302        /*
1303         * If frame the sequence number exceeds our buffering window
1304         * size release some previous frames to make room for this one.
1305         */
1306        if (!ieee80211_sn_less(mpdu_seq_num, head_seq_num + buf_size)) {
1307                head_seq_num = ieee80211_sn_inc(
1308                                ieee80211_sn_sub(mpdu_seq_num, buf_size));
1309                /* release stored frames up to new head to stack */
1310                ieee80211_release_reorder_frames(sdata, tid_agg_rx,
1311                                                 head_seq_num, frames);
1312        }
1313
1314        /* Now the new frame is always in the range of the reordering buffer */
1315
1316        index = mpdu_seq_num % tid_agg_rx->buf_size;
1317
1318        /* check if we already stored this frame */
1319        if (ieee80211_rx_reorder_ready(tid_agg_rx, index)) {
1320                dev_kfree_skb(skb);
1321                goto out;
1322        }
1323
1324        /*
1325         * If the current MPDU is in the right order and nothing else
1326         * is stored we can process it directly, no need to buffer it.
1327         * If it is first but there's something stored, we may be able
1328         * to release frames after this one.
1329         */
1330        if (mpdu_seq_num == tid_agg_rx->head_seq_num &&
1331            tid_agg_rx->stored_mpdu_num == 0) {
1332                if (!(status->flag & RX_FLAG_AMSDU_MORE))
1333                        tid_agg_rx->head_seq_num =
1334                                ieee80211_sn_inc(tid_agg_rx->head_seq_num);
1335                ret = false;
1336                goto out;
1337        }
1338
1339        /* put the frame in the reordering buffer */
1340        __skb_queue_tail(&tid_agg_rx->reorder_buf[index], skb);
1341        if (!(status->flag & RX_FLAG_AMSDU_MORE)) {
1342                tid_agg_rx->reorder_time[index] = jiffies;
1343                tid_agg_rx->stored_mpdu_num++;
1344                ieee80211_sta_reorder_release(sdata, tid_agg_rx, frames);
1345        }
1346
1347 out:
1348        spin_unlock(&tid_agg_rx->reorder_lock);
1349        return ret;
1350}
1351
1352/*
1353 * Reorder MPDUs from A-MPDUs, keeping them on a buffer. Returns
1354 * true if the MPDU was buffered, false if it should be processed.
1355 */
1356static void ieee80211_rx_reorder_ampdu(struct ieee80211_rx_data *rx,
1357                                       struct sk_buff_head *frames)
1358{
1359        struct sk_buff *skb = rx->skb;
1360        struct ieee80211_hdr *hdr = (struct ieee80211_hdr *) skb->data;
1361        struct sta_info *sta = rx->sta;
1362        struct tid_ampdu_rx *tid_agg_rx;
1363        u16 sc;
1364        u8 tid, ack_policy;
1365
1366        if (!ieee80211_is_data_qos(hdr->frame_control) ||
1367            is_multicast_ether_addr(hdr->addr1))
1368                goto dont_reorder;
1369
1370        /*
1371         * filter the QoS data rx stream according to
1372         * STA/TID and check if this STA/TID is on aggregation
1373         */
1374
1375        if (!sta)
1376                goto dont_reorder;
1377
1378        ack_policy = *ieee80211_get_qos_ctl(hdr) &
1379                     IEEE80211_QOS_CTL_ACK_POLICY_MASK;
1380        tid = ieee80211_get_tid(hdr);
1381
1382        tid_agg_rx = rcu_dereference(sta->ampdu_mlme.tid_rx[tid]);
1383        if (!tid_agg_rx) {
1384                if (ack_policy == IEEE80211_QOS_CTL_ACK_POLICY_BLOCKACK &&
1385                    !test_bit(tid, rx->sta->ampdu_mlme.agg_session_valid) &&
1386                    !test_and_set_bit(tid, rx->sta->ampdu_mlme.unexpected_agg))
1387                        ieee80211_send_delba(rx->sdata, rx->sta->sta.addr, tid,
1388                                             WLAN_BACK_RECIPIENT,
1389                                             WLAN_REASON_QSTA_REQUIRE_SETUP);
1390                goto dont_reorder;
1391        }
1392
1393        /* qos null data frames are excluded */
1394        if (unlikely(hdr->frame_control & cpu_to_le16(IEEE80211_STYPE_NULLFUNC)))
1395                goto dont_reorder;
1396
1397        /* not part of a BA session */
1398        if (ack_policy != IEEE80211_QOS_CTL_ACK_POLICY_BLOCKACK &&
1399            ack_policy != IEEE80211_QOS_CTL_ACK_POLICY_NORMAL)
1400                goto dont_reorder;
1401
1402        /* new, potentially un-ordered, ampdu frame - process it */
1403
1404        /* reset session timer */
1405        if (tid_agg_rx->timeout)
1406                tid_agg_rx->last_rx = jiffies;
1407
1408        /* if this mpdu is fragmented - terminate rx aggregation session */
1409        sc = le16_to_cpu(hdr->seq_ctrl);
1410        if (sc & IEEE80211_SCTL_FRAG) {
1411                ieee80211_queue_skb_to_iface(rx->sdata, NULL, skb);
1412                return;
1413        }
1414
1415        /*
1416         * No locking needed -- we will only ever process one
1417         * RX packet at a time, and thus own tid_agg_rx. All
1418         * other code manipulating it needs to (and does) make
1419         * sure that we cannot get to it any more before doing
1420         * anything with it.
1421         */
1422        if (ieee80211_sta_manage_reorder_buf(rx->sdata, tid_agg_rx, skb,
1423                                             frames))
1424                return;
1425
1426 dont_reorder:
1427        __skb_queue_tail(frames, skb);
1428}
1429
1430static ieee80211_rx_result debug_noinline
1431ieee80211_rx_h_check_dup(struct ieee80211_rx_data *rx)
1432{
1433        struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)rx->skb->data;
1434        struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(rx->skb);
1435
1436        if (status->flag & RX_FLAG_DUP_VALIDATED)
1437                return RX_CONTINUE;
1438
1439        /*
1440         * Drop duplicate 802.11 retransmissions
1441         * (IEEE 802.11-2012: 9.3.2.10 "Duplicate detection and recovery")
1442         */
1443
1444        if (rx->skb->len < 24)
1445                return RX_CONTINUE;
1446
1447        if (ieee80211_is_ctl(hdr->frame_control) ||
1448            ieee80211_is_any_nullfunc(hdr->frame_control) ||
1449            is_multicast_ether_addr(hdr->addr1))
1450                return RX_CONTINUE;
1451
1452        if (!rx->sta)
1453                return RX_CONTINUE;
1454
1455        if (unlikely(ieee80211_has_retry(hdr->frame_control) &&
1456                     rx->sta->last_seq_ctrl[rx->seqno_idx] == hdr->seq_ctrl)) {
1457                I802_DEBUG_INC(rx->local->dot11FrameDuplicateCount);
1458                rx->sta->rx_stats.num_duplicates++;
1459                return RX_DROP_UNUSABLE;
1460        } else if (!(status->flag & RX_FLAG_AMSDU_MORE)) {
1461                rx->sta->last_seq_ctrl[rx->seqno_idx] = hdr->seq_ctrl;
1462        }
1463
1464        return RX_CONTINUE;
1465}
1466
1467static ieee80211_rx_result debug_noinline
1468ieee80211_rx_h_check(struct ieee80211_rx_data *rx)
1469{
1470        struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)rx->skb->data;
1471
1472        /* Drop disallowed frame classes based on STA auth/assoc state;
1473         * IEEE 802.11, Chap 5.5.
1474         *
1475         * mac80211 filters only based on association state, i.e. it drops
1476         * Class 3 frames from not associated stations. hostapd sends
1477         * deauth/disassoc frames when needed. In addition, hostapd is
1478         * responsible for filtering on both auth and assoc states.
1479         */
1480
1481        if (ieee80211_vif_is_mesh(&rx->sdata->vif))
1482                return ieee80211_rx_mesh_check(rx);
1483
1484        if (unlikely((ieee80211_is_data(hdr->frame_control) ||
1485                      ieee80211_is_pspoll(hdr->frame_control)) &&
1486                     rx->sdata->vif.type != NL80211_IFTYPE_ADHOC &&
1487                     rx->sdata->vif.type != NL80211_IFTYPE_OCB &&
1488                     (!rx->sta || !test_sta_flag(rx->sta, WLAN_STA_ASSOC)))) {
1489                /*
1490                 * accept port control frames from the AP even when it's not
1491                 * yet marked ASSOC to prevent a race where we don't set the
1492                 * assoc bit quickly enough before it sends the first frame
1493                 */
1494                if (rx->sta && rx->sdata->vif.type == NL80211_IFTYPE_STATION &&
1495                    ieee80211_is_data_present(hdr->frame_control)) {
1496                        unsigned int hdrlen;
1497                        __be16 ethertype;
1498
1499                        hdrlen = ieee80211_hdrlen(hdr->frame_control);
1500
1501                        if (rx->skb->len < hdrlen + 8)
1502                                return RX_DROP_MONITOR;
1503
1504                        skb_copy_bits(rx->skb, hdrlen + 6, &ethertype, 2);
1505                        if (ethertype == rx->sdata->control_port_protocol)
1506                                return RX_CONTINUE;
1507                }
1508
1509                if (rx->sdata->vif.type == NL80211_IFTYPE_AP &&
1510                    cfg80211_rx_spurious_frame(rx->sdata->dev,
1511                                               hdr->addr2,
1512                                               GFP_ATOMIC))
1513                        return RX_DROP_UNUSABLE;
1514
1515                return RX_DROP_MONITOR;
1516        }
1517
1518        return RX_CONTINUE;
1519}
1520
1521
1522static ieee80211_rx_result debug_noinline
1523ieee80211_rx_h_check_more_data(struct ieee80211_rx_data *rx)
1524{
1525        struct ieee80211_local *local;
1526        struct ieee80211_hdr *hdr;
1527        struct sk_buff *skb;
1528
1529        local = rx->local;
1530        skb = rx->skb;
1531        hdr = (struct ieee80211_hdr *) skb->data;
1532
1533        if (!local->pspolling)
1534                return RX_CONTINUE;
1535
1536        if (!ieee80211_has_fromds(hdr->frame_control))
1537                /* this is not from AP */
1538                return RX_CONTINUE;
1539
1540        if (!ieee80211_is_data(hdr->frame_control))
1541                return RX_CONTINUE;
1542
1543        if (!ieee80211_has_moredata(hdr->frame_control)) {
1544                /* AP has no more frames buffered for us */
1545                local->pspolling = false;
1546                return RX_CONTINUE;
1547        }
1548
1549        /* more data bit is set, let's request a new frame from the AP */
1550        ieee80211_send_pspoll(local, rx->sdata);
1551
1552        return RX_CONTINUE;
1553}
1554
1555static void sta_ps_start(struct sta_info *sta)
1556{
1557        struct ieee80211_sub_if_data *sdata = sta->sdata;
1558        struct ieee80211_local *local = sdata->local;
1559        struct ps_data *ps;
1560        int tid;
1561
1562        if (sta->sdata->vif.type == NL80211_IFTYPE_AP ||
1563            sta->sdata->vif.type == NL80211_IFTYPE_AP_VLAN)
1564                ps = &sdata->bss->ps;
1565        else
1566                return;
1567
1568        atomic_inc(&ps->num_sta_ps);
1569        set_sta_flag(sta, WLAN_STA_PS_STA);
1570        if (!ieee80211_hw_check(&local->hw, AP_LINK_PS))
1571                drv_sta_notify(local, sdata, STA_NOTIFY_SLEEP, &sta->sta);
1572        ps_dbg(sdata, "STA %pM aid %d enters power save mode\n",
1573               sta->sta.addr, sta->sta.aid);
1574
1575        ieee80211_clear_fast_xmit(sta);
1576
1577        if (!sta->sta.txq[0])
1578                return;
1579
1580        for (tid = 0; tid < IEEE80211_NUM_TIDS; tid++) {
1581                struct ieee80211_txq *txq = sta->sta.txq[tid];
1582
1583                ieee80211_unschedule_txq(&local->hw, txq, false);
1584
1585                if (txq_has_queue(txq))
1586                        set_bit(tid, &sta->txq_buffered_tids);
1587                else
1588                        clear_bit(tid, &sta->txq_buffered_tids);
1589        }
1590}
1591
1592static void sta_ps_end(struct sta_info *sta)
1593{
1594        ps_dbg(sta->sdata, "STA %pM aid %d exits power save mode\n",
1595               sta->sta.addr, sta->sta.aid);
1596
1597        if (test_sta_flag(sta, WLAN_STA_PS_DRIVER)) {
1598                /*
1599                 * Clear the flag only if the other one is still set
1600                 * so that the TX path won't start TX'ing new frames
1601                 * directly ... In the case that the driver flag isn't
1602                 * set ieee80211_sta_ps_deliver_wakeup() will clear it.
1603                 */
1604                clear_sta_flag(sta, WLAN_STA_PS_STA);
1605                ps_dbg(sta->sdata, "STA %pM aid %d driver-ps-blocked\n",
1606                       sta->sta.addr, sta->sta.aid);
1607                return;
1608        }
1609
1610        set_sta_flag(sta, WLAN_STA_PS_DELIVER);
1611        clear_sta_flag(sta, WLAN_STA_PS_STA);
1612        ieee80211_sta_ps_deliver_wakeup(sta);
1613}
1614
1615int ieee80211_sta_ps_transition(struct ieee80211_sta *pubsta, bool start)
1616{
1617        struct sta_info *sta = container_of(pubsta, struct sta_info, sta);
1618        bool in_ps;
1619
1620        WARN_ON(!ieee80211_hw_check(&sta->local->hw, AP_LINK_PS));
1621
1622        /* Don't let the same PS state be set twice */
1623        in_ps = test_sta_flag(sta, WLAN_STA_PS_STA);
1624        if ((start && in_ps) || (!start && !in_ps))
1625                return -EINVAL;
1626
1627        if (start)
1628                sta_ps_start(sta);
1629        else
1630                sta_ps_end(sta);
1631
1632        return 0;
1633}
1634EXPORT_SYMBOL(ieee80211_sta_ps_transition);
1635
1636void ieee80211_sta_pspoll(struct ieee80211_sta *pubsta)
1637{
1638        struct sta_info *sta = container_of(pubsta, struct sta_info, sta);
1639
1640        if (test_sta_flag(sta, WLAN_STA_SP))
1641                return;
1642
1643        if (!test_sta_flag(sta, WLAN_STA_PS_DRIVER))
1644                ieee80211_sta_ps_deliver_poll_response(sta);
1645        else
1646                set_sta_flag(sta, WLAN_STA_PSPOLL);
1647}
1648EXPORT_SYMBOL(ieee80211_sta_pspoll);
1649
1650void ieee80211_sta_uapsd_trigger(struct ieee80211_sta *pubsta, u8 tid)
1651{
1652        struct sta_info *sta = container_of(pubsta, struct sta_info, sta);
1653        int ac = ieee80211_ac_from_tid(tid);
1654
1655        /*
1656         * If this AC is not trigger-enabled do nothing unless the
1657         * driver is calling us after it already checked.
1658         *
1659         * NB: This could/should check a separate bitmap of trigger-
1660         * enabled queues, but for now we only implement uAPSD w/o
1661         * TSPEC changes to the ACs, so they're always the same.
1662         */
1663        if (!(sta->sta.uapsd_queues & ieee80211_ac_to_qos_mask[ac]) &&
1664            tid != IEEE80211_NUM_TIDS)
1665                return;
1666
1667        /* if we are in a service period, do nothing */
1668        if (test_sta_flag(sta, WLAN_STA_SP))
1669                return;
1670
1671        if (!test_sta_flag(sta, WLAN_STA_PS_DRIVER))
1672                ieee80211_sta_ps_deliver_uapsd(sta);
1673        else
1674                set_sta_flag(sta, WLAN_STA_UAPSD);
1675}
1676EXPORT_SYMBOL(ieee80211_sta_uapsd_trigger);
1677
1678static ieee80211_rx_result debug_noinline
1679ieee80211_rx_h_uapsd_and_pspoll(struct ieee80211_rx_data *rx)
1680{
1681        struct ieee80211_sub_if_data *sdata = rx->sdata;
1682        struct ieee80211_hdr *hdr = (void *)rx->skb->data;
1683        struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(rx->skb);
1684
1685        if (!rx->sta)
1686                return RX_CONTINUE;
1687
1688        if (sdata->vif.type != NL80211_IFTYPE_AP &&
1689            sdata->vif.type != NL80211_IFTYPE_AP_VLAN)
1690                return RX_CONTINUE;
1691
1692        /*
1693         * The device handles station powersave, so don't do anything about
1694         * uAPSD and PS-Poll frames (the latter shouldn't even come up from
1695         * it to mac80211 since they're handled.)
1696         */
1697        if (ieee80211_hw_check(&sdata->local->hw, AP_LINK_PS))
1698                return RX_CONTINUE;
1699
1700        /*
1701         * Don't do anything if the station isn't already asleep. In
1702         * the uAPSD case, the station will probably be marked asleep,
1703         * in the PS-Poll case the station must be confused ...
1704         */
1705        if (!test_sta_flag(rx->sta, WLAN_STA_PS_STA))
1706                return RX_CONTINUE;
1707
1708        if (unlikely(ieee80211_is_pspoll(hdr->frame_control))) {
1709                ieee80211_sta_pspoll(&rx->sta->sta);
1710
1711                /* Free PS Poll skb here instead of returning RX_DROP that would
1712                 * count as an dropped frame. */
1713                dev_kfree_skb(rx->skb);
1714
1715                return RX_QUEUED;
1716        } else if (!ieee80211_has_morefrags(hdr->frame_control) &&
1717                   !(status->rx_flags & IEEE80211_RX_DEFERRED_RELEASE) &&
1718                   ieee80211_has_pm(hdr->frame_control) &&
1719                   (ieee80211_is_data_qos(hdr->frame_control) ||
1720                    ieee80211_is_qos_nullfunc(hdr->frame_control))) {
1721                u8 tid = ieee80211_get_tid(hdr);
1722
1723                ieee80211_sta_uapsd_trigger(&rx->sta->sta, tid);
1724        }
1725
1726        return RX_CONTINUE;
1727}
1728
1729static ieee80211_rx_result debug_noinline
1730ieee80211_rx_h_sta_process(struct ieee80211_rx_data *rx)
1731{
1732        struct sta_info *sta = rx->sta;
1733        struct sk_buff *skb = rx->skb;
1734        struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(skb);
1735        struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)skb->data;
1736        int i;
1737
1738        if (!sta)
1739                return RX_CONTINUE;
1740
1741        /*
1742         * Update last_rx only for IBSS packets which are for the current
1743         * BSSID and for station already AUTHORIZED to avoid keeping the
1744         * current IBSS network alive in cases where other STAs start
1745         * using different BSSID. This will also give the station another
1746         * chance to restart the authentication/authorization in case
1747         * something went wrong the first time.
1748         */
1749        if (rx->sdata->vif.type == NL80211_IFTYPE_ADHOC) {
1750                u8 *bssid = ieee80211_get_bssid(hdr, rx->skb->len,
1751                                                NL80211_IFTYPE_ADHOC);
1752                if (ether_addr_equal(bssid, rx->sdata->u.ibss.bssid) &&
1753                    test_sta_flag(sta, WLAN_STA_AUTHORIZED)) {
1754                        sta->rx_stats.last_rx = jiffies;
1755                        if (ieee80211_is_data(hdr->frame_control) &&
1756                            !is_multicast_ether_addr(hdr->addr1))
1757                                sta->rx_stats.last_rate =
1758                                        sta_stats_encode_rate(status);
1759                }
1760        } else if (rx->sdata->vif.type == NL80211_IFTYPE_OCB) {
1761                sta->rx_stats.last_rx = jiffies;
1762        } else if (!ieee80211_is_s1g_beacon(hdr->frame_control) &&
1763                   !is_multicast_ether_addr(hdr->addr1)) {
1764                /*
1765                 * Mesh beacons will update last_rx when if they are found to
1766                 * match the current local configuration when processed.
1767                 */
1768                sta->rx_stats.last_rx = jiffies;
1769                if (ieee80211_is_data(hdr->frame_control))
1770                        sta->rx_stats.last_rate = sta_stats_encode_rate(status);
1771        }
1772
1773        sta->rx_stats.fragments++;
1774
1775        u64_stats_update_begin(&rx->sta->rx_stats.syncp);
1776        sta->rx_stats.bytes += rx->skb->len;
1777        u64_stats_update_end(&rx->sta->rx_stats.syncp);
1778
1779        if (!(status->flag & RX_FLAG_NO_SIGNAL_VAL)) {
1780                sta->rx_stats.last_signal = status->signal;
1781                ewma_signal_add(&sta->rx_stats_avg.signal, -status->signal);
1782        }
1783
1784        if (status->chains) {
1785                sta->rx_stats.chains = status->chains;
1786                for (i = 0; i < ARRAY_SIZE(status->chain_signal); i++) {
1787                        int signal = status->chain_signal[i];
1788
1789                        if (!(status->chains & BIT(i)))
1790                                continue;
1791
1792                        sta->rx_stats.chain_signal_last[i] = signal;
1793                        ewma_signal_add(&sta->rx_stats_avg.chain_signal[i],
1794                                        -signal);
1795                }
1796        }
1797
1798        if (ieee80211_is_s1g_beacon(hdr->frame_control))
1799                return RX_CONTINUE;
1800
1801        /*
1802         * Change STA power saving mode only at the end of a frame
1803         * exchange sequence, and only for a data or management
1804         * frame as specified in IEEE 802.11-2016 11.2.3.2
1805         */
1806        if (!ieee80211_hw_check(&sta->local->hw, AP_LINK_PS) &&
1807            !ieee80211_has_morefrags(hdr->frame_control) &&
1808            !is_multicast_ether_addr(hdr->addr1) &&
1809            (ieee80211_is_mgmt(hdr->frame_control) ||
1810             ieee80211_is_data(hdr->frame_control)) &&
1811            !(status->rx_flags & IEEE80211_RX_DEFERRED_RELEASE) &&
1812            (rx->sdata->vif.type == NL80211_IFTYPE_AP ||
1813             rx->sdata->vif.type == NL80211_IFTYPE_AP_VLAN)) {
1814                if (test_sta_flag(sta, WLAN_STA_PS_STA)) {
1815                        if (!ieee80211_has_pm(hdr->frame_control))
1816                                sta_ps_end(sta);
1817                } else {
1818                        if (ieee80211_has_pm(hdr->frame_control))
1819                                sta_ps_start(sta);
1820                }
1821        }
1822
1823        /* mesh power save support */
1824        if (ieee80211_vif_is_mesh(&rx->sdata->vif))
1825                ieee80211_mps_rx_h_sta_process(sta, hdr);
1826
1827        /*
1828         * Drop (qos-)data::nullfunc frames silently, since they
1829         * are used only to control station power saving mode.
1830         */
1831        if (ieee80211_is_any_nullfunc(hdr->frame_control)) {
1832                I802_DEBUG_INC(rx->local->rx_handlers_drop_nullfunc);
1833
1834                /*
1835                 * If we receive a 4-addr nullfunc frame from a STA
1836                 * that was not moved to a 4-addr STA vlan yet send
1837                 * the event to userspace and for older hostapd drop
1838                 * the frame to the monitor interface.
1839                 */
1840                if (ieee80211_has_a4(hdr->frame_control) &&
1841                    (rx->sdata->vif.type == NL80211_IFTYPE_AP ||
1842                     (rx->sdata->vif.type == NL80211_IFTYPE_AP_VLAN &&
1843                      !rx->sdata->u.vlan.sta))) {
1844                        if (!test_and_set_sta_flag(sta, WLAN_STA_4ADDR_EVENT))
1845                                cfg80211_rx_unexpected_4addr_frame(
1846                                        rx->sdata->dev, sta->sta.addr,
1847                                        GFP_ATOMIC);
1848                        return RX_DROP_MONITOR;
1849                }
1850                /*
1851                 * Update counter and free packet here to avoid
1852                 * counting this as a dropped packed.
1853                 */
1854                sta->rx_stats.packets++;
1855                dev_kfree_skb(rx->skb);
1856                return RX_QUEUED;
1857        }
1858
1859        return RX_CONTINUE;
1860} /* ieee80211_rx_h_sta_process */
1861
1862static struct ieee80211_key *
1863ieee80211_rx_get_bigtk(struct ieee80211_rx_data *rx, int idx)
1864{
1865        struct ieee80211_key *key = NULL;
1866        struct ieee80211_sub_if_data *sdata = rx->sdata;
1867        int idx2;
1868
1869        /* Make sure key gets set if either BIGTK key index is set so that
1870         * ieee80211_drop_unencrypted_mgmt() can properly drop both unprotected
1871         * Beacon frames and Beacon frames that claim to use another BIGTK key
1872         * index (i.e., a key that we do not have).
1873         */
1874
1875        if (idx < 0) {
1876                idx = NUM_DEFAULT_KEYS + NUM_DEFAULT_MGMT_KEYS;
1877                idx2 = idx + 1;
1878        } else {
1879                if (idx == NUM_DEFAULT_KEYS + NUM_DEFAULT_MGMT_KEYS)
1880                        idx2 = idx + 1;
1881                else
1882                        idx2 = idx - 1;
1883        }
1884
1885        if (rx->sta)
1886                key = rcu_dereference(rx->sta->gtk[idx]);
1887        if (!key)
1888                key = rcu_dereference(sdata->keys[idx]);
1889        if (!key && rx->sta)
1890                key = rcu_dereference(rx->sta->gtk[idx2]);
1891        if (!key)
1892                key = rcu_dereference(sdata->keys[idx2]);
1893
1894        return key;
1895}
1896
1897static ieee80211_rx_result debug_noinline
1898ieee80211_rx_h_decrypt(struct ieee80211_rx_data *rx)
1899{
1900        struct sk_buff *skb = rx->skb;
1901        struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(skb);
1902        struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)skb->data;
1903        int keyidx;
1904        ieee80211_rx_result result = RX_DROP_UNUSABLE;
1905        struct ieee80211_key *sta_ptk = NULL;
1906        struct ieee80211_key *ptk_idx = NULL;
1907        int mmie_keyidx = -1;
1908        __le16 fc;
1909        const struct ieee80211_cipher_scheme *cs = NULL;
1910
1911        if (ieee80211_is_ext(hdr->frame_control))
1912                return RX_CONTINUE;
1913
1914        /*
1915         * Key selection 101
1916         *
1917         * There are five types of keys:
1918         *  - GTK (group keys)
1919         *  - IGTK (group keys for management frames)
1920         *  - BIGTK (group keys for Beacon frames)
1921         *  - PTK (pairwise keys)
1922         *  - STK (station-to-station pairwise keys)
1923         *
1924         * When selecting a key, we have to distinguish between multicast
1925         * (including broadcast) and unicast frames, the latter can only
1926         * use PTKs and STKs while the former always use GTKs, IGTKs, and
1927         * BIGTKs. Unless, of course, actual WEP keys ("pre-RSNA") are used,
1928         * then unicast frames can also use key indices like GTKs. Hence, if we
1929         * don't have a PTK/STK we check the key index for a WEP key.
1930         *
1931         * Note that in a regular BSS, multicast frames are sent by the
1932         * AP only, associated stations unicast the frame to the AP first
1933         * which then multicasts it on their behalf.
1934         *
1935         * There is also a slight problem in IBSS mode: GTKs are negotiated
1936         * with each station, that is something we don't currently handle.
1937         * The spec seems to expect that one negotiates the same key with
1938         * every station but there's no such requirement; VLANs could be
1939         * possible.
1940         */
1941
1942        /* start without a key */
1943        rx->key = NULL;
1944        fc = hdr->frame_control;
1945
1946        if (rx->sta) {
1947                int keyid = rx->sta->ptk_idx;
1948                sta_ptk = rcu_dereference(rx->sta->ptk[keyid]);
1949
1950                if (ieee80211_has_protected(fc)) {
1951                        cs = rx->sta->cipher_scheme;
1952                        keyid = ieee80211_get_keyid(rx->skb, cs);
1953
1954                        if (unlikely(keyid < 0))
1955                                return RX_DROP_UNUSABLE;
1956
1957                        ptk_idx = rcu_dereference(rx->sta->ptk[keyid]);
1958                }
1959        }
1960
1961        if (!ieee80211_has_protected(fc))
1962                mmie_keyidx = ieee80211_get_mmie_keyidx(rx->skb);
1963
1964        if (!is_multicast_ether_addr(hdr->addr1) && sta_ptk) {
1965                rx->key = ptk_idx ? ptk_idx : sta_ptk;
1966                if ((status->flag & RX_FLAG_DECRYPTED) &&
1967                    (status->flag & RX_FLAG_IV_STRIPPED))
1968                        return RX_CONTINUE;
1969                /* Skip decryption if the frame is not protected. */
1970                if (!ieee80211_has_protected(fc))
1971                        return RX_CONTINUE;
1972        } else if (mmie_keyidx >= 0 && ieee80211_is_beacon(fc)) {
1973                /* Broadcast/multicast robust management frame / BIP */
1974                if ((status->flag & RX_FLAG_DECRYPTED) &&
1975                    (status->flag & RX_FLAG_IV_STRIPPED))
1976                        return RX_CONTINUE;
1977
1978                if (mmie_keyidx < NUM_DEFAULT_KEYS + NUM_DEFAULT_MGMT_KEYS ||
1979                    mmie_keyidx >= NUM_DEFAULT_KEYS + NUM_DEFAULT_MGMT_KEYS +
1980                    NUM_DEFAULT_BEACON_KEYS) {
1981                        cfg80211_rx_unprot_mlme_mgmt(rx->sdata->dev,
1982                                                     skb->data,
1983                                                     skb->len);
1984                        return RX_DROP_MONITOR; /* unexpected BIP keyidx */
1985                }
1986
1987                rx->key = ieee80211_rx_get_bigtk(rx, mmie_keyidx);
1988                if (!rx->key)
1989                        return RX_CONTINUE; /* Beacon protection not in use */
1990        } else if (mmie_keyidx >= 0) {
1991                /* Broadcast/multicast robust management frame / BIP */
1992                if ((status->flag & RX_FLAG_DECRYPTED) &&
1993                    (status->flag & RX_FLAG_IV_STRIPPED))
1994                        return RX_CONTINUE;
1995
1996                if (mmie_keyidx < NUM_DEFAULT_KEYS ||
1997                    mmie_keyidx >= NUM_DEFAULT_KEYS + NUM_DEFAULT_MGMT_KEYS)
1998                        return RX_DROP_MONITOR; /* unexpected BIP keyidx */
1999                if (rx->sta) {
2000                        if (ieee80211_is_group_privacy_action(skb) &&
2001                            test_sta_flag(rx->sta, WLAN_STA_MFP))
2002                                return RX_DROP_MONITOR;
2003
2004                        rx->key = rcu_dereference(rx->sta->gtk[mmie_keyidx]);
2005                }
2006                if (!rx->key)
2007                        rx->key = rcu_dereference(rx->sdata->keys[mmie_keyidx]);
2008        } else if (!ieee80211_has_protected(fc)) {
2009                /*
2010                 * The frame was not protected, so skip decryption. However, we
2011                 * need to set rx->key if there is a key that could have been
2012                 * used so that the frame may be dropped if encryption would
2013                 * have been expected.
2014                 */
2015                struct ieee80211_key *key = NULL;
2016                struct ieee80211_sub_if_data *sdata = rx->sdata;
2017                int i;
2018
2019                if (ieee80211_is_beacon(fc)) {
2020                        key = ieee80211_rx_get_bigtk(rx, -1);
2021                } else if (ieee80211_is_mgmt(fc) &&
2022                           is_multicast_ether_addr(hdr->addr1)) {
2023                        key = rcu_dereference(rx->sdata->default_mgmt_key);
2024                } else {
2025                        if (rx->sta) {
2026                                for (i = 0; i < NUM_DEFAULT_KEYS; i++) {
2027                                        key = rcu_dereference(rx->sta->gtk[i]);
2028                                        if (key)
2029                                                break;
2030                                }
2031                        }
2032                        if (!key) {
2033                                for (i = 0; i < NUM_DEFAULT_KEYS; i++) {
2034                                        key = rcu_dereference(sdata->keys[i]);
2035                                        if (key)
2036                                                break;
2037                                }
2038                        }
2039                }
2040                if (key)
2041                        rx->key = key;
2042                return RX_CONTINUE;
2043        } else {
2044                /*
2045                 * The device doesn't give us the IV so we won't be
2046                 * able to look up the key. That's ok though, we
2047                 * don't need to decrypt the frame, we just won't
2048                 * be able to keep statistics accurate.
2049                 * Except for key threshold notifications, should
2050                 * we somehow allow the driver to tell us which key
2051                 * the hardware used if this flag is set?
2052                 */
2053                if ((status->flag & RX_FLAG_DECRYPTED) &&
2054                    (status->flag & RX_FLAG_IV_STRIPPED))
2055                        return RX_CONTINUE;
2056
2057                keyidx = ieee80211_get_keyid(rx->skb, cs);
2058
2059                if (unlikely(keyidx < 0))
2060                        return RX_DROP_UNUSABLE;
2061
2062                /* check per-station GTK first, if multicast packet */
2063                if (is_multicast_ether_addr(hdr->addr1) && rx->sta)
2064                        rx->key = rcu_dereference(rx->sta->gtk[keyidx]);
2065
2066                /* if not found, try default key */
2067                if (!rx->key) {
2068                        rx->key = rcu_dereference(rx->sdata->keys[keyidx]);
2069
2070                        /*
2071                         * RSNA-protected unicast frames should always be
2072                         * sent with pairwise or station-to-station keys,
2073                         * but for WEP we allow using a key index as well.
2074                         */
2075                        if (rx->key &&
2076                            rx->key->conf.cipher != WLAN_CIPHER_SUITE_WEP40 &&
2077                            rx->key->conf.cipher != WLAN_CIPHER_SUITE_WEP104 &&
2078                            !is_multicast_ether_addr(hdr->addr1))
2079                                rx->key = NULL;
2080                }
2081        }
2082
2083        if (rx->key) {
2084                if (unlikely(rx->key->flags & KEY_FLAG_TAINTED))
2085                        return RX_DROP_MONITOR;
2086
2087                /* TODO: add threshold stuff again */
2088        } else {
2089                return RX_DROP_MONITOR;
2090        }
2091
2092        switch (rx->key->conf.cipher) {
2093        case WLAN_CIPHER_SUITE_WEP40:
2094        case WLAN_CIPHER_SUITE_WEP104:
2095                result = ieee80211_crypto_wep_decrypt(rx);
2096                break;
2097        case WLAN_CIPHER_SUITE_TKIP:
2098                result = ieee80211_crypto_tkip_decrypt(rx);
2099                break;
2100        case WLAN_CIPHER_SUITE_CCMP:
2101                result = ieee80211_crypto_ccmp_decrypt(
2102                        rx, IEEE80211_CCMP_MIC_LEN);
2103                break;
2104        case WLAN_CIPHER_SUITE_CCMP_256:
2105                result = ieee80211_crypto_ccmp_decrypt(
2106                        rx, IEEE80211_CCMP_256_MIC_LEN);
2107                break;
2108        case WLAN_CIPHER_SUITE_AES_CMAC:
2109                result = ieee80211_crypto_aes_cmac_decrypt(rx);
2110                break;
2111        case WLAN_CIPHER_SUITE_BIP_CMAC_256:
2112                result = ieee80211_crypto_aes_cmac_256_decrypt(rx);
2113                break;
2114        case WLAN_CIPHER_SUITE_BIP_GMAC_128:
2115        case WLAN_CIPHER_SUITE_BIP_GMAC_256:
2116                result = ieee80211_crypto_aes_gmac_decrypt(rx);
2117                break;
2118        case WLAN_CIPHER_SUITE_GCMP:
2119        case WLAN_CIPHER_SUITE_GCMP_256:
2120                result = ieee80211_crypto_gcmp_decrypt(rx);
2121                break;
2122        default:
2123                result = ieee80211_crypto_hw_decrypt(rx);
2124        }
2125
2126        /* the hdr variable is invalid after the decrypt handlers */
2127
2128        /* either the frame has been decrypted or will be dropped */
2129        status->flag |= RX_FLAG_DECRYPTED;
2130
2131        if (unlikely(ieee80211_is_beacon(fc) && result == RX_DROP_UNUSABLE))
2132                cfg80211_rx_unprot_mlme_mgmt(rx->sdata->dev,
2133                                             skb->data, skb->len);
2134
2135        return result;
2136}
2137
2138void ieee80211_init_frag_cache(struct ieee80211_fragment_cache *cache)
2139{
2140        int i;
2141
2142        for (i = 0; i < ARRAY_SIZE(cache->entries); i++)
2143                skb_queue_head_init(&cache->entries[i].skb_list);
2144}
2145
2146void ieee80211_destroy_frag_cache(struct ieee80211_fragment_cache *cache)
2147{
2148        int i;
2149
2150        for (i = 0; i < ARRAY_SIZE(cache->entries); i++)
2151                __skb_queue_purge(&cache->entries[i].skb_list);
2152}
2153
2154static inline struct ieee80211_fragment_entry *
2155ieee80211_reassemble_add(struct ieee80211_fragment_cache *cache,
2156                         unsigned int frag, unsigned int seq, int rx_queue,
2157                         struct sk_buff **skb)
2158{
2159        struct ieee80211_fragment_entry *entry;
2160
2161        entry = &cache->entries[cache->next++];
2162        if (cache->next >= IEEE80211_FRAGMENT_MAX)
2163                cache->next = 0;
2164
2165        __skb_queue_purge(&entry->skb_list);
2166
2167        __skb_queue_tail(&entry->skb_list, *skb); /* no need for locking */
2168        *skb = NULL;
2169        entry->first_frag_time = jiffies;
2170        entry->seq = seq;
2171        entry->rx_queue = rx_queue;
2172        entry->last_frag = frag;
2173        entry->check_sequential_pn = false;
2174        entry->extra_len = 0;
2175
2176        return entry;
2177}
2178
2179static inline struct ieee80211_fragment_entry *
2180ieee80211_reassemble_find(struct ieee80211_fragment_cache *cache,
2181                          unsigned int frag, unsigned int seq,
2182                          int rx_queue, struct ieee80211_hdr *hdr)
2183{
2184        struct ieee80211_fragment_entry *entry;
2185        int i, idx;
2186
2187        idx = cache->next;
2188        for (i = 0; i < IEEE80211_FRAGMENT_MAX; i++) {
2189                struct ieee80211_hdr *f_hdr;
2190                struct sk_buff *f_skb;
2191
2192                idx--;
2193                if (idx < 0)
2194                        idx = IEEE80211_FRAGMENT_MAX - 1;
2195
2196                entry = &cache->entries[idx];
2197                if (skb_queue_empty(&entry->skb_list) || entry->seq != seq ||
2198                    entry->rx_queue != rx_queue ||
2199                    entry->last_frag + 1 != frag)
2200                        continue;
2201
2202                f_skb = __skb_peek(&entry->skb_list);
2203                f_hdr = (struct ieee80211_hdr *) f_skb->data;
2204
2205                /*
2206                 * Check ftype and addresses are equal, else check next fragment
2207                 */
2208                if (((hdr->frame_control ^ f_hdr->frame_control) &
2209                     cpu_to_le16(IEEE80211_FCTL_FTYPE)) ||
2210                    !ether_addr_equal(hdr->addr1, f_hdr->addr1) ||
2211                    !ether_addr_equal(hdr->addr2, f_hdr->addr2))
2212                        continue;
2213
2214                if (time_after(jiffies, entry->first_frag_time + 2 * HZ)) {
2215                        __skb_queue_purge(&entry->skb_list);
2216                        continue;
2217                }
2218                return entry;
2219        }
2220
2221        return NULL;
2222}
2223
2224static bool requires_sequential_pn(struct ieee80211_rx_data *rx, __le16 fc)
2225{
2226        return rx->key &&
2227                (rx->key->conf.cipher == WLAN_CIPHER_SUITE_CCMP ||
2228                 rx->key->conf.cipher == WLAN_CIPHER_SUITE_CCMP_256 ||
2229                 rx->key->conf.cipher == WLAN_CIPHER_SUITE_GCMP ||
2230                 rx->key->conf.cipher == WLAN_CIPHER_SUITE_GCMP_256) &&
2231                ieee80211_has_protected(fc);
2232}
2233
2234static ieee80211_rx_result debug_noinline
2235ieee80211_rx_h_defragment(struct ieee80211_rx_data *rx)
2236{
2237        struct ieee80211_fragment_cache *cache = &rx->sdata->frags;
2238        struct ieee80211_hdr *hdr;
2239        u16 sc;
2240        __le16 fc;
2241        unsigned int frag, seq;
2242        struct ieee80211_fragment_entry *entry;
2243        struct sk_buff *skb;
2244        struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(rx->skb);
2245
2246        hdr = (struct ieee80211_hdr *)rx->skb->data;
2247        fc = hdr->frame_control;
2248
2249        if (ieee80211_is_ctl(fc) || ieee80211_is_ext(fc))
2250                return RX_CONTINUE;
2251
2252        sc = le16_to_cpu(hdr->seq_ctrl);
2253        frag = sc & IEEE80211_SCTL_FRAG;
2254
2255        if (rx->sta)
2256                cache = &rx->sta->frags;
2257
2258        if (likely(!ieee80211_has_morefrags(fc) && frag == 0))
2259                goto out;
2260
2261        if (is_multicast_ether_addr(hdr->addr1))
2262                return RX_DROP_MONITOR;
2263
2264        I802_DEBUG_INC(rx->local->rx_handlers_fragments);
2265
2266        if (skb_linearize(rx->skb))
2267                return RX_DROP_UNUSABLE;
2268
2269        /*
2270         *  skb_linearize() might change the skb->data and
2271         *  previously cached variables (in this case, hdr) need to
2272         *  be refreshed with the new data.
2273         */
2274        hdr = (struct ieee80211_hdr *)rx->skb->data;
2275        seq = (sc & IEEE80211_SCTL_SEQ) >> 4;
2276
2277        if (frag == 0) {
2278                /* This is the first fragment of a new frame. */
2279                entry = ieee80211_reassemble_add(cache, frag, seq,
2280                                                 rx->seqno_idx, &(rx->skb));
2281                if (requires_sequential_pn(rx, fc)) {
2282                        int queue = rx->security_idx;
2283
2284                        /* Store CCMP/GCMP PN so that we can verify that the
2285                         * next fragment has a sequential PN value.
2286                         */
2287                        entry->check_sequential_pn = true;
2288                        entry->is_protected = true;
2289                        entry->key_color = rx->key->color;
2290                        memcpy(entry->last_pn,
2291                               rx->key->u.ccmp.rx_pn[queue],
2292                               IEEE80211_CCMP_PN_LEN);
2293                        BUILD_BUG_ON(offsetof(struct ieee80211_key,
2294                                              u.ccmp.rx_pn) !=
2295                                     offsetof(struct ieee80211_key,
2296                                              u.gcmp.rx_pn));
2297                        BUILD_BUG_ON(sizeof(rx->key->u.ccmp.rx_pn[queue]) !=
2298                                     sizeof(rx->key->u.gcmp.rx_pn[queue]));
2299                        BUILD_BUG_ON(IEEE80211_CCMP_PN_LEN !=
2300                                     IEEE80211_GCMP_PN_LEN);
2301                } else if (rx->key &&
2302                           (ieee80211_has_protected(fc) ||
2303                            (status->flag & RX_FLAG_DECRYPTED))) {
2304                        entry->is_protected = true;
2305                        entry->key_color = rx->key->color;
2306                }
2307                return RX_QUEUED;
2308        }
2309
2310        /* This is a fragment for a frame that should already be pending in
2311         * fragment cache. Add this fragment to the end of the pending entry.
2312         */
2313        entry = ieee80211_reassemble_find(cache, frag, seq,
2314                                          rx->seqno_idx, hdr);
2315        if (!entry) {
2316                I802_DEBUG_INC(rx->local->rx_handlers_drop_defrag);
2317                return RX_DROP_MONITOR;
2318        }
2319
2320        /* "The receiver shall discard MSDUs and MMPDUs whose constituent
2321         *  MPDU PN values are not incrementing in steps of 1."
2322         * see IEEE P802.11-REVmc/D5.0, 12.5.3.4.4, item d (for CCMP)
2323         * and IEEE P802.11-REVmc/D5.0, 12.5.5.4.4, item d (for GCMP)
2324         */
2325        if (entry->check_sequential_pn) {
2326                int i;
2327                u8 pn[IEEE80211_CCMP_PN_LEN], *rpn;
2328
2329                if (!requires_sequential_pn(rx, fc))
2330                        return RX_DROP_UNUSABLE;
2331
2332                /* Prevent mixed key and fragment cache attacks */
2333                if (entry->key_color != rx->key->color)
2334                        return RX_DROP_UNUSABLE;
2335
2336                memcpy(pn, entry->last_pn, IEEE80211_CCMP_PN_LEN);
2337                for (i = IEEE80211_CCMP_PN_LEN - 1; i >= 0; i--) {
2338                        pn[i]++;
2339                        if (pn[i])
2340                                break;
2341                }
2342
2343                rpn = rx->ccm_gcm.pn;
2344                if (memcmp(pn, rpn, IEEE80211_CCMP_PN_LEN))
2345                        return RX_DROP_UNUSABLE;
2346                memcpy(entry->last_pn, pn, IEEE80211_CCMP_PN_LEN);
2347        } else if (entry->is_protected &&
2348                   (!rx->key ||
2349                    (!ieee80211_has_protected(fc) &&
2350                     !(status->flag & RX_FLAG_DECRYPTED)) ||
2351                    rx->key->color != entry->key_color)) {
2352                /* Drop this as a mixed key or fragment cache attack, even
2353                 * if for TKIP Michael MIC should protect us, and WEP is a
2354                 * lost cause anyway.
2355                 */
2356                return RX_DROP_UNUSABLE;
2357        } else if (entry->is_protected && rx->key &&
2358                   entry->key_color != rx->key->color &&
2359                   (status->flag & RX_FLAG_DECRYPTED)) {
2360                return RX_DROP_UNUSABLE;
2361        }
2362
2363        skb_pull(rx->skb, ieee80211_hdrlen(fc));
2364        __skb_queue_tail(&entry->skb_list, rx->skb);
2365        entry->last_frag = frag;
2366        entry->extra_len += rx->skb->len;
2367        if (ieee80211_has_morefrags(fc)) {
2368                rx->skb = NULL;
2369                return RX_QUEUED;
2370        }
2371
2372        rx->skb = __skb_dequeue(&entry->skb_list);
2373        if (skb_tailroom(rx->skb) < entry->extra_len) {
2374                I802_DEBUG_INC(rx->local->rx_expand_skb_head_defrag);
2375                if (unlikely(pskb_expand_head(rx->skb, 0, entry->extra_len,
2376                                              GFP_ATOMIC))) {
2377                        I802_DEBUG_INC(rx->local->rx_handlers_drop_defrag);
2378                        __skb_queue_purge(&entry->skb_list);
2379                        return RX_DROP_UNUSABLE;
2380                }
2381        }
2382        while ((skb = __skb_dequeue(&entry->skb_list))) {
2383                skb_put_data(rx->skb, skb->data, skb->len);
2384                dev_kfree_skb(skb);
2385        }
2386
2387 out:
2388        ieee80211_led_rx(rx->local);
2389        if (rx->sta)
2390                rx->sta->rx_stats.packets++;
2391        return RX_CONTINUE;
2392}
2393
2394static int ieee80211_802_1x_port_control(struct ieee80211_rx_data *rx)
2395{
2396        if (unlikely(!rx->sta || !test_sta_flag(rx->sta, WLAN_STA_AUTHORIZED)))
2397                return -EACCES;
2398
2399        return 0;
2400}
2401
2402static int ieee80211_drop_unencrypted(struct ieee80211_rx_data *rx, __le16 fc)
2403{
2404        struct ieee80211_hdr *hdr = (void *)rx->skb->data;
2405        struct sk_buff *skb = rx->skb;
2406        struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(skb);
2407
2408        /*
2409         * Pass through unencrypted frames if the hardware has
2410         * decrypted them already.
2411         */
2412        if (status->flag & RX_FLAG_DECRYPTED)
2413                return 0;
2414
2415        /* check mesh EAPOL frames first */
2416        if (unlikely(rx->sta && ieee80211_vif_is_mesh(&rx->sdata->vif) &&
2417                     ieee80211_is_data(fc))) {
2418                struct ieee80211s_hdr *mesh_hdr;
2419                u16 hdr_len = ieee80211_hdrlen(fc);
2420                u16 ethertype_offset;
2421                __be16 ethertype;
2422
2423                if (!ether_addr_equal(hdr->addr1, rx->sdata->vif.addr))
2424                        goto drop_check;
2425
2426                /* make sure fixed part of mesh header is there, also checks skb len */
2427                if (!pskb_may_pull(rx->skb, hdr_len + 6))
2428                        goto drop_check;
2429
2430                mesh_hdr = (struct ieee80211s_hdr *)(skb->data + hdr_len);
2431                ethertype_offset = hdr_len + ieee80211_get_mesh_hdrlen(mesh_hdr) +
2432                                   sizeof(rfc1042_header);
2433
2434                if (skb_copy_bits(rx->skb, ethertype_offset, &ethertype, 2) == 0 &&
2435                    ethertype == rx->sdata->control_port_protocol)
2436                        return 0;
2437        }
2438
2439drop_check:
2440        /* Drop unencrypted frames if key is set. */
2441        if (unlikely(!ieee80211_has_protected(fc) &&
2442                     !ieee80211_is_any_nullfunc(fc) &&
2443                     ieee80211_is_data(fc) && rx->key))
2444                return -EACCES;
2445
2446        return 0;
2447}
2448
2449static int ieee80211_drop_unencrypted_mgmt(struct ieee80211_rx_data *rx)
2450{
2451        struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)rx->skb->data;
2452        struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(rx->skb);
2453        __le16 fc = hdr->frame_control;
2454
2455        /*
2456         * Pass through unencrypted frames if the hardware has
2457         * decrypted them already.
2458         */
2459        if (status->flag & RX_FLAG_DECRYPTED)
2460                return 0;
2461
2462        if (rx->sta && test_sta_flag(rx->sta, WLAN_STA_MFP)) {
2463                if (unlikely(!ieee80211_has_protected(fc) &&
2464                             ieee80211_is_unicast_robust_mgmt_frame(rx->skb) &&
2465                             rx->key)) {
2466                        if (ieee80211_is_deauth(fc) ||
2467                            ieee80211_is_disassoc(fc))
2468                                cfg80211_rx_unprot_mlme_mgmt(rx->sdata->dev,
2469                                                             rx->skb->data,
2470                                                             rx->skb->len);
2471                        return -EACCES;
2472                }
2473                /* BIP does not use Protected field, so need to check MMIE */
2474                if (unlikely(ieee80211_is_multicast_robust_mgmt_frame(rx->skb) &&
2475                             ieee80211_get_mmie_keyidx(rx->skb) < 0)) {
2476                        if (ieee80211_is_deauth(fc) ||
2477                            ieee80211_is_disassoc(fc))
2478                                cfg80211_rx_unprot_mlme_mgmt(rx->sdata->dev,
2479                                                             rx->skb->data,
2480                                                             rx->skb->len);
2481                        return -EACCES;
2482                }
2483                if (unlikely(ieee80211_is_beacon(fc) && rx->key &&
2484                             ieee80211_get_mmie_keyidx(rx->skb) < 0)) {
2485                        cfg80211_rx_unprot_mlme_mgmt(rx->sdata->dev,
2486                                                     rx->skb->data,
2487                                                     rx->skb->len);
2488                        return -EACCES;
2489                }
2490                /*
2491                 * When using MFP, Action frames are not allowed prior to
2492                 * having configured keys.
2493                 */
2494                if (unlikely(ieee80211_is_action(fc) && !rx->key &&
2495                             ieee80211_is_robust_mgmt_frame(rx->skb)))
2496                        return -EACCES;
2497        }
2498
2499        return 0;
2500}
2501
2502static int
2503__ieee80211_data_to_8023(struct ieee80211_rx_data *rx, bool *port_control)
2504{
2505        struct ieee80211_sub_if_data *sdata = rx->sdata;
2506        struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)rx->skb->data;
2507        bool check_port_control = false;
2508        struct ethhdr *ehdr;
2509        int ret;
2510
2511        *port_control = false;
2512        if (ieee80211_has_a4(hdr->frame_control) &&
2513            sdata->vif.type == NL80211_IFTYPE_AP_VLAN && !sdata->u.vlan.sta)
2514                return -1;
2515
2516        if (sdata->vif.type == NL80211_IFTYPE_STATION &&
2517            !!sdata->u.mgd.use_4addr != !!ieee80211_has_a4(hdr->frame_control)) {
2518
2519                if (!sdata->u.mgd.use_4addr)
2520                        return -1;
2521                else if (!ether_addr_equal(hdr->addr1, sdata->vif.addr))
2522                        check_port_control = true;
2523        }
2524
2525        if (is_multicast_ether_addr(hdr->addr1) &&
2526            sdata->vif.type == NL80211_IFTYPE_AP_VLAN && sdata->u.vlan.sta)
2527                return -1;
2528
2529        ret = ieee80211_data_to_8023(rx->skb, sdata->vif.addr, sdata->vif.type);
2530        if (ret < 0)
2531                return ret;
2532
2533        ehdr = (struct ethhdr *) rx->skb->data;
2534        if (ehdr->h_proto == rx->sdata->control_port_protocol)
2535                *port_control = true;
2536        else if (check_port_control)
2537                return -1;
2538
2539        return 0;
2540}
2541
2542/*
2543 * requires that rx->skb is a frame with ethernet header
2544 */
2545static bool ieee80211_frame_allowed(struct ieee80211_rx_data *rx, __le16 fc)
2546{
2547        static const u8 pae_group_addr[ETH_ALEN] __aligned(2)
2548                = { 0x01, 0x80, 0xC2, 0x00, 0x00, 0x03 };
2549        struct ethhdr *ehdr = (struct ethhdr *) rx->skb->data;
2550
2551        /*
2552         * Allow EAPOL frames to us/the PAE group address regardless of
2553         * whether the frame was encrypted or not, and always disallow
2554         * all other destination addresses for them.
2555         */
2556        if (unlikely(ehdr->h_proto == rx->sdata->control_port_protocol))
2557                return ether_addr_equal(ehdr->h_dest, rx->sdata->vif.addr) ||
2558                       ether_addr_equal(ehdr->h_dest, pae_group_addr);
2559
2560        if (ieee80211_802_1x_port_control(rx) ||
2561            ieee80211_drop_unencrypted(rx, fc))
2562                return false;
2563
2564        return true;
2565}
2566
2567static void ieee80211_deliver_skb_to_local_stack(struct sk_buff *skb,
2568                                                 struct ieee80211_rx_data *rx)
2569{
2570        struct ieee80211_sub_if_data *sdata = rx->sdata;
2571        struct net_device *dev = sdata->dev;
2572
2573        if (unlikely((skb->protocol == sdata->control_port_protocol ||
2574                     (skb->protocol == cpu_to_be16(ETH_P_PREAUTH) &&
2575                      !sdata->control_port_no_preauth)) &&
2576                     sdata->control_port_over_nl80211)) {
2577                struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(skb);
2578                bool noencrypt = !(status->flag & RX_FLAG_DECRYPTED);
2579
2580                cfg80211_rx_control_port(dev, skb, noencrypt);
2581                dev_kfree_skb(skb);
2582        } else {
2583                struct ethhdr *ehdr = (void *)skb_mac_header(skb);
2584
2585                memset(skb->cb, 0, sizeof(skb->cb));
2586
2587                /*
2588                 * 802.1X over 802.11 requires that the authenticator address
2589                 * be used for EAPOL frames. However, 802.1X allows the use of
2590                 * the PAE group address instead. If the interface is part of
2591                 * a bridge and we pass the frame with the PAE group address,
2592                 * then the bridge will forward it to the network (even if the
2593                 * client was not associated yet), which isn't supposed to
2594                 * happen.
2595                 * To avoid that, rewrite the destination address to our own
2596                 * address, so that the authenticator (e.g. hostapd) will see
2597                 * the frame, but bridge won't forward it anywhere else. Note
2598                 * that due to earlier filtering, the only other address can
2599                 * be the PAE group address.
2600                 */
2601                if (unlikely(skb->protocol == sdata->control_port_protocol &&
2602                             !ether_addr_equal(ehdr->h_dest, sdata->vif.addr)))
2603                        ether_addr_copy(ehdr->h_dest, sdata->vif.addr);
2604
2605                /* deliver to local stack */
2606                if (rx->list)
2607                        list_add_tail(&skb->list, rx->list);
2608                else
2609                        netif_receive_skb(skb);
2610        }
2611}
2612
2613/*
2614 * requires that rx->skb is a frame with ethernet header
2615 */
2616static void
2617ieee80211_deliver_skb(struct ieee80211_rx_data *rx)
2618{
2619        struct ieee80211_sub_if_data *sdata = rx->sdata;
2620        struct net_device *dev = sdata->dev;
2621        struct sk_buff *skb, *xmit_skb;
2622        struct ethhdr *ehdr = (struct ethhdr *) rx->skb->data;
2623        struct sta_info *dsta;
2624
2625        skb = rx->skb;
2626        xmit_skb = NULL;
2627
2628        dev_sw_netstats_rx_add(dev, skb->len);
2629
2630        if (rx->sta) {
2631                /* The seqno index has the same property as needed
2632                 * for the rx_msdu field, i.e. it is IEEE80211_NUM_TIDS
2633                 * for non-QoS-data frames. Here we know it's a data
2634                 * frame, so count MSDUs.
2635                 */
2636                u64_stats_update_begin(&rx->sta->rx_stats.syncp);
2637                rx->sta->rx_stats.msdu[rx->seqno_idx]++;
2638                u64_stats_update_end(&rx->sta->rx_stats.syncp);
2639        }
2640
2641        if ((sdata->vif.type == NL80211_IFTYPE_AP ||
2642             sdata->vif.type == NL80211_IFTYPE_AP_VLAN) &&
2643            !(sdata->flags & IEEE80211_SDATA_DONT_BRIDGE_PACKETS) &&
2644            ehdr->h_proto != rx->sdata->control_port_protocol &&
2645            (sdata->vif.type != NL80211_IFTYPE_AP_VLAN || !sdata->u.vlan.sta)) {
2646                if (is_multicast_ether_addr(ehdr->h_dest) &&
2647                    ieee80211_vif_get_num_mcast_if(sdata) != 0) {
2648                        /*
2649                         * send multicast frames both to higher layers in
2650                         * local net stack and back to the wireless medium
2651                         */
2652                        xmit_skb = skb_copy(skb, GFP_ATOMIC);
2653                        if (!xmit_skb)
2654                                net_info_ratelimited("%s: failed to clone multicast frame\n",
2655                                                    dev->name);
2656                } else if (!is_multicast_ether_addr(ehdr->h_dest) &&
2657                           !ether_addr_equal(ehdr->h_dest, ehdr->h_source)) {
2658                        dsta = sta_info_get(sdata, ehdr->h_dest);
2659                        if (dsta) {
2660                                /*
2661                                 * The destination station is associated to
2662                                 * this AP (in this VLAN), so send the frame
2663                                 * directly to it and do not pass it to local
2664                                 * net stack.
2665                                 */
2666                                xmit_skb = skb;
2667                                skb = NULL;
2668                        }
2669                }
2670        }
2671
2672#ifndef CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS
2673        if (skb) {
2674                /* 'align' will only take the values 0 or 2 here since all
2675                 * frames are required to be aligned to 2-byte boundaries
2676                 * when being passed to mac80211; the code here works just
2677                 * as well if that isn't true, but mac80211 assumes it can
2678                 * access fields as 2-byte aligned (e.g. for ether_addr_equal)
2679                 */
2680                int align;
2681
2682                align = (unsigned long)(skb->data + sizeof(struct ethhdr)) & 3;
2683                if (align) {
2684                        if (WARN_ON(skb_headroom(skb) < 3)) {
2685                                dev_kfree_skb(skb);
2686                                skb = NULL;
2687                        } else {
2688                                u8 *data = skb->data;
2689                                size_t len = skb_headlen(skb);
2690                                skb->data -= align;
2691                                memmove(skb->data, data, len);
2692                                skb_set_tail_pointer(skb, len);
2693                        }
2694                }
2695        }
2696#endif
2697
2698        if (skb) {
2699                skb->protocol = eth_type_trans(skb, dev);
2700                ieee80211_deliver_skb_to_local_stack(skb, rx);
2701        }
2702
2703        if (xmit_skb) {
2704                /*
2705                 * Send to wireless media and increase priority by 256 to
2706                 * keep the received priority instead of reclassifying
2707                 * the frame (see cfg80211_classify8021d).
2708                 */
2709                xmit_skb->priority += 256;
2710                xmit_skb->protocol = htons(ETH_P_802_3);
2711                skb_reset_network_header(xmit_skb);
2712                skb_reset_mac_header(xmit_skb);
2713                dev_queue_xmit(xmit_skb);
2714        }
2715}
2716
2717static ieee80211_rx_result debug_noinline
2718__ieee80211_rx_h_amsdu(struct ieee80211_rx_data *rx, u8 data_offset)
2719{
2720        struct net_device *dev = rx->sdata->dev;
2721        struct sk_buff *skb = rx->skb;
2722        struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)skb->data;
2723        __le16 fc = hdr->frame_control;
2724        struct sk_buff_head frame_list;
2725        struct ethhdr ethhdr;
2726        const u8 *check_da = ethhdr.h_dest, *check_sa = ethhdr.h_source;
2727
2728        if (unlikely(ieee80211_has_a4(hdr->frame_control))) {
2729                check_da = NULL;
2730                check_sa = NULL;
2731        } else switch (rx->sdata->vif.type) {
2732                case NL80211_IFTYPE_AP:
2733                case NL80211_IFTYPE_AP_VLAN:
2734                        check_da = NULL;
2735                        break;
2736                case NL80211_IFTYPE_STATION:
2737                        if (!rx->sta ||
2738                            !test_sta_flag(rx->sta, WLAN_STA_TDLS_PEER))
2739                                check_sa = NULL;
2740                        break;
2741                case NL80211_IFTYPE_MESH_POINT:
2742                        check_sa = NULL;
2743                        break;
2744                default:
2745                        break;
2746        }
2747
2748        skb->dev = dev;
2749        __skb_queue_head_init(&frame_list);
2750
2751        if (ieee80211_data_to_8023_exthdr(skb, &ethhdr,
2752                                          rx->sdata->vif.addr,
2753                                          rx->sdata->vif.type,
2754                                          data_offset, true))
2755                return RX_DROP_UNUSABLE;
2756
2757        ieee80211_amsdu_to_8023s(skb, &frame_list, dev->dev_addr,
2758                                 rx->sdata->vif.type,
2759                                 rx->local->hw.extra_tx_headroom,
2760                                 check_da, check_sa);
2761
2762        while (!skb_queue_empty(&frame_list)) {
2763                rx->skb = __skb_dequeue(&frame_list);
2764
2765                if (!ieee80211_frame_allowed(rx, fc)) {
2766                        dev_kfree_skb(rx->skb);
2767                        continue;
2768                }
2769
2770                ieee80211_deliver_skb(rx);
2771        }
2772
2773        return RX_QUEUED;
2774}
2775
2776static ieee80211_rx_result debug_noinline
2777ieee80211_rx_h_amsdu(struct ieee80211_rx_data *rx)
2778{
2779        struct sk_buff *skb = rx->skb;
2780        struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(skb);
2781        struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)skb->data;
2782        __le16 fc = hdr->frame_control;
2783
2784        if (!(status->rx_flags & IEEE80211_RX_AMSDU))
2785                return RX_CONTINUE;
2786
2787        if (unlikely(!ieee80211_is_data(fc)))
2788                return RX_CONTINUE;
2789
2790        if (unlikely(!ieee80211_is_data_present(fc)))
2791                return RX_DROP_MONITOR;
2792
2793        if (unlikely(ieee80211_has_a4(hdr->frame_control))) {
2794                switch (rx->sdata->vif.type) {
2795                case NL80211_IFTYPE_AP_VLAN:
2796                        if (!rx->sdata->u.vlan.sta)
2797                                return RX_DROP_UNUSABLE;
2798                        break;
2799                case NL80211_IFTYPE_STATION:
2800                        if (!rx->sdata->u.mgd.use_4addr)
2801                                return RX_DROP_UNUSABLE;
2802                        break;
2803                default:
2804                        return RX_DROP_UNUSABLE;
2805                }
2806        }
2807
2808        if (is_multicast_ether_addr(hdr->addr1))
2809                return RX_DROP_UNUSABLE;
2810
2811        if (rx->key) {
2812                /*
2813                 * We should not receive A-MSDUs on pre-HT connections,
2814                 * and HT connections cannot use old ciphers. Thus drop
2815                 * them, as in those cases we couldn't even have SPP
2816                 * A-MSDUs or such.
2817                 */
2818                switch (rx->key->conf.cipher) {
2819                case WLAN_CIPHER_SUITE_WEP40:
2820                case WLAN_CIPHER_SUITE_WEP104:
2821                case WLAN_CIPHER_SUITE_TKIP:
2822                        return RX_DROP_UNUSABLE;
2823                default:
2824                        break;
2825                }
2826        }
2827
2828        return __ieee80211_rx_h_amsdu(rx, 0);
2829}
2830
2831#ifdef CONFIG_MAC80211_MESH
2832static ieee80211_rx_result
2833ieee80211_rx_h_mesh_fwding(struct ieee80211_rx_data *rx)
2834{
2835        struct ieee80211_hdr *fwd_hdr, *hdr;
2836        struct ieee80211_tx_info *info;
2837        struct ieee80211s_hdr *mesh_hdr;
2838        struct sk_buff *skb = rx->skb, *fwd_skb;
2839        struct ieee80211_local *local = rx->local;
2840        struct ieee80211_sub_if_data *sdata = rx->sdata;
2841        struct ieee80211_if_mesh *ifmsh = &sdata->u.mesh;
2842        u16 ac, q, hdrlen;
2843        int tailroom = 0;
2844
2845        hdr = (struct ieee80211_hdr *) skb->data;
2846        hdrlen = ieee80211_hdrlen(hdr->frame_control);
2847
2848        /* make sure fixed part of mesh header is there, also checks skb len */
2849        if (!pskb_may_pull(rx->skb, hdrlen + 6))
2850                return RX_DROP_MONITOR;
2851
2852        mesh_hdr = (struct ieee80211s_hdr *) (skb->data + hdrlen);
2853
2854        /* make sure full mesh header is there, also checks skb len */
2855        if (!pskb_may_pull(rx->skb,
2856                           hdrlen + ieee80211_get_mesh_hdrlen(mesh_hdr)))
2857                return RX_DROP_MONITOR;
2858
2859        /* reload pointers */
2860        hdr = (struct ieee80211_hdr *) skb->data;
2861        mesh_hdr = (struct ieee80211s_hdr *) (skb->data + hdrlen);
2862
2863        if (ieee80211_drop_unencrypted(rx, hdr->frame_control))
2864                return RX_DROP_MONITOR;
2865
2866        /* frame is in RMC, don't forward */
2867        if (ieee80211_is_data(hdr->frame_control) &&
2868            is_multicast_ether_addr(hdr->addr1) &&
2869            mesh_rmc_check(rx->sdata, hdr->addr3, mesh_hdr))
2870                return RX_DROP_MONITOR;
2871
2872        if (!ieee80211_is_data(hdr->frame_control))
2873                return RX_CONTINUE;
2874
2875        if (!mesh_hdr->ttl)
2876                return RX_DROP_MONITOR;
2877
2878        if (mesh_hdr->flags & MESH_FLAGS_AE) {
2879                struct mesh_path *mppath;
2880                char *proxied_addr;
2881                char *mpp_addr;
2882
2883                if (is_multicast_ether_addr(hdr->addr1)) {
2884                        mpp_addr = hdr->addr3;
2885                        proxied_addr = mesh_hdr->eaddr1;
2886                } else if ((mesh_hdr->flags & MESH_FLAGS_AE) ==
2887                            MESH_FLAGS_AE_A5_A6) {
2888                        /* has_a4 already checked in ieee80211_rx_mesh_check */
2889                        mpp_addr = hdr->addr4;
2890                        proxied_addr = mesh_hdr->eaddr2;
2891                } else {
2892                        return RX_DROP_MONITOR;
2893                }
2894
2895                rcu_read_lock();
2896                mppath = mpp_path_lookup(sdata, proxied_addr);
2897                if (!mppath) {
2898                        mpp_path_add(sdata, proxied_addr, mpp_addr);
2899                } else {
2900                        spin_lock_bh(&mppath->state_lock);
2901                        if (!ether_addr_equal(mppath->mpp, mpp_addr))
2902                                memcpy(mppath->mpp, mpp_addr, ETH_ALEN);
2903                        mppath->exp_time = jiffies;
2904                        spin_unlock_bh(&mppath->state_lock);
2905                }
2906                rcu_read_unlock();
2907        }
2908
2909        /* Frame has reached destination.  Don't forward */
2910        if (!is_multicast_ether_addr(hdr->addr1) &&
2911            ether_addr_equal(sdata->vif.addr, hdr->addr3))
2912                return RX_CONTINUE;
2913
2914        ac = ieee80211_select_queue_80211(sdata, skb, hdr);
2915        q = sdata->vif.hw_queue[ac];
2916        if (ieee80211_queue_stopped(&local->hw, q)) {
2917                IEEE80211_IFSTA_MESH_CTR_INC(ifmsh, dropped_frames_congestion);
2918                return RX_DROP_MONITOR;
2919        }
2920        skb_set_queue_mapping(skb, q);
2921
2922        if (!--mesh_hdr->ttl) {
2923                if (!is_multicast_ether_addr(hdr->addr1))
2924                        IEEE80211_IFSTA_MESH_CTR_INC(ifmsh,
2925                                                     dropped_frames_ttl);
2926                goto out;
2927        }
2928
2929        if (!ifmsh->mshcfg.dot11MeshForwarding)
2930                goto out;
2931
2932        if (sdata->crypto_tx_tailroom_needed_cnt)
2933                tailroom = IEEE80211_ENCRYPT_TAILROOM;
2934
2935        fwd_skb = skb_copy_expand(skb, local->tx_headroom +
2936                                       sdata->encrypt_headroom,
2937                                  tailroom, GFP_ATOMIC);
2938        if (!fwd_skb)
2939                goto out;
2940
2941        fwd_hdr =  (struct ieee80211_hdr *) fwd_skb->data;
2942        fwd_hdr->frame_control &= ~cpu_to_le16(IEEE80211_FCTL_RETRY);
2943        info = IEEE80211_SKB_CB(fwd_skb);
2944        memset(info, 0, sizeof(*info));
2945        info->control.flags |= IEEE80211_TX_INTCFL_NEED_TXPROCESSING;
2946        info->control.vif = &rx->sdata->vif;
2947        info->control.jiffies = jiffies;
2948        if (is_multicast_ether_addr(fwd_hdr->addr1)) {
2949                IEEE80211_IFSTA_MESH_CTR_INC(ifmsh, fwded_mcast);
2950                memcpy(fwd_hdr->addr2, sdata->vif.addr, ETH_ALEN);
2951                /* update power mode indication when forwarding */
2952                ieee80211_mps_set_frame_flags(sdata, NULL, fwd_hdr);
2953        } else if (!mesh_nexthop_lookup(sdata, fwd_skb)) {
2954                /* mesh power mode flags updated in mesh_nexthop_lookup */
2955                IEEE80211_IFSTA_MESH_CTR_INC(ifmsh, fwded_unicast);
2956        } else {
2957                /* unable to resolve next hop */
2958                mesh_path_error_tx(sdata, ifmsh->mshcfg.element_ttl,
2959                                   fwd_hdr->addr3, 0,
2960                                   WLAN_REASON_MESH_PATH_NOFORWARD,
2961                                   fwd_hdr->addr2);
2962                IEEE80211_IFSTA_MESH_CTR_INC(ifmsh, dropped_frames_no_route);
2963                kfree_skb(fwd_skb);
2964                return RX_DROP_MONITOR;
2965        }
2966
2967        IEEE80211_IFSTA_MESH_CTR_INC(ifmsh, fwded_frames);
2968        ieee80211_add_pending_skb(local, fwd_skb);
2969 out:
2970        if (is_multicast_ether_addr(hdr->addr1))
2971                return RX_CONTINUE;
2972        return RX_DROP_MONITOR;
2973}
2974#endif
2975
2976static ieee80211_rx_result debug_noinline
2977ieee80211_rx_h_data(struct ieee80211_rx_data *rx)
2978{
2979        struct ieee80211_sub_if_data *sdata = rx->sdata;
2980        struct ieee80211_local *local = rx->local;
2981        struct net_device *dev = sdata->dev;
2982        struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)rx->skb->data;
2983        __le16 fc = hdr->frame_control;
2984        bool port_control;
2985        int err;
2986
2987        if (unlikely(!ieee80211_is_data(hdr->frame_control)))
2988                return RX_CONTINUE;
2989
2990        if (unlikely(!ieee80211_is_data_present(hdr->frame_control)))
2991                return RX_DROP_MONITOR;
2992
2993        /*
2994         * Send unexpected-4addr-frame event to hostapd. For older versions,
2995         * also drop the frame to cooked monitor interfaces.
2996         */
2997        if (ieee80211_has_a4(hdr->frame_control) &&
2998            sdata->vif.type == NL80211_IFTYPE_AP) {
2999                if (rx->sta &&
3000                    !test_and_set_sta_flag(rx->sta, WLAN_STA_4ADDR_EVENT))
3001                        cfg80211_rx_unexpected_4addr_frame(
3002                                rx->sdata->dev, rx->sta->sta.addr, GFP_ATOMIC);
3003                return RX_DROP_MONITOR;
3004        }
3005
3006        err = __ieee80211_data_to_8023(rx, &port_control);
3007        if (unlikely(err))
3008                return RX_DROP_UNUSABLE;
3009
3010        if (!ieee80211_frame_allowed(rx, fc))
3011                return RX_DROP_MONITOR;
3012
3013        /* directly handle TDLS channel switch requests/responses */
3014        if (unlikely(((struct ethhdr *)rx->skb->data)->h_proto ==
3015                                                cpu_to_be16(ETH_P_TDLS))) {
3016                struct ieee80211_tdls_data *tf = (void *)rx->skb->data;
3017
3018                if (pskb_may_pull(rx->skb,
3019                                  offsetof(struct ieee80211_tdls_data, u)) &&
3020                    tf->payload_type == WLAN_TDLS_SNAP_RFTYPE &&
3021                    tf->category == WLAN_CATEGORY_TDLS &&
3022                    (tf->action_code == WLAN_TDLS_CHANNEL_SWITCH_REQUEST ||
3023                     tf->action_code == WLAN_TDLS_CHANNEL_SWITCH_RESPONSE)) {
3024                        rx->skb->protocol = cpu_to_be16(ETH_P_TDLS);
3025                        __ieee80211_queue_skb_to_iface(sdata, rx->sta, rx->skb);
3026                        return RX_QUEUED;
3027                }
3028        }
3029
3030        if (rx->sdata->vif.type == NL80211_IFTYPE_AP_VLAN &&
3031            unlikely(port_control) && sdata->bss) {
3032                sdata = container_of(sdata->bss, struct ieee80211_sub_if_data,
3033                                     u.ap);
3034                dev = sdata->dev;
3035                rx->sdata = sdata;
3036        }
3037
3038        rx->skb->dev = dev;
3039
3040        if (!ieee80211_hw_check(&local->hw, SUPPORTS_DYNAMIC_PS) &&
3041            local->ps_sdata && local->hw.conf.dynamic_ps_timeout > 0 &&
3042            !is_multicast_ether_addr(
3043                    ((struct ethhdr *)rx->skb->data)->h_dest) &&
3044            (!local->scanning &&
3045             !test_bit(SDATA_STATE_OFFCHANNEL, &sdata->state)))
3046                mod_timer(&local->dynamic_ps_timer, jiffies +
3047                          msecs_to_jiffies(local->hw.conf.dynamic_ps_timeout));
3048
3049        ieee80211_deliver_skb(rx);
3050
3051        return RX_QUEUED;
3052}
3053
3054static ieee80211_rx_result debug_noinline
3055ieee80211_rx_h_ctrl(struct ieee80211_rx_data *rx, struct sk_buff_head *frames)
3056{
3057        struct sk_buff *skb = rx->skb;
3058        struct ieee80211_bar *bar = (struct ieee80211_bar *)skb->data;
3059        struct tid_ampdu_rx *tid_agg_rx;
3060        u16 start_seq_num;
3061        u16 tid;
3062
3063        if (likely(!ieee80211_is_ctl(bar->frame_control)))
3064                return RX_CONTINUE;
3065
3066        if (ieee80211_is_back_req(bar->frame_control)) {
3067                struct {
3068                        __le16 control, start_seq_num;
3069                } __packed bar_data;
3070                struct ieee80211_event event = {
3071                        .type = BAR_RX_EVENT,
3072                };
3073
3074                if (!rx->sta)
3075                        return RX_DROP_MONITOR;
3076
3077                if (skb_copy_bits(skb, offsetof(struct ieee80211_bar, control),
3078                                  &bar_data, sizeof(bar_data)))
3079                        return RX_DROP_MONITOR;
3080
3081                tid = le16_to_cpu(bar_data.control) >> 12;
3082
3083                if (!test_bit(tid, rx->sta->ampdu_mlme.agg_session_valid) &&
3084                    !test_and_set_bit(tid, rx->sta->ampdu_mlme.unexpected_agg))
3085                        ieee80211_send_delba(rx->sdata, rx->sta->sta.addr, tid,
3086                                             WLAN_BACK_RECIPIENT,
3087                                             WLAN_REASON_QSTA_REQUIRE_SETUP);
3088
3089                tid_agg_rx = rcu_dereference(rx->sta->ampdu_mlme.tid_rx[tid]);
3090                if (!tid_agg_rx)
3091                        return RX_DROP_MONITOR;
3092
3093                start_seq_num = le16_to_cpu(bar_data.start_seq_num) >> 4;
3094                event.u.ba.tid = tid;
3095                event.u.ba.ssn = start_seq_num;
3096                event.u.ba.sta = &rx->sta->sta;
3097
3098                /* reset session timer */
3099                if (tid_agg_rx->timeout)
3100                        mod_timer(&tid_agg_rx->session_timer,
3101                                  TU_TO_EXP_TIME(tid_agg_rx->timeout));
3102
3103                spin_lock(&tid_agg_rx->reorder_lock);
3104                /* release stored frames up to start of BAR */
3105                ieee80211_release_reorder_frames(rx->sdata, tid_agg_rx,
3106                                                 start_seq_num, frames);
3107                spin_unlock(&tid_agg_rx->reorder_lock);
3108
3109                drv_event_callback(rx->local, rx->sdata, &event);
3110
3111                kfree_skb(skb);
3112                return RX_QUEUED;
3113        }
3114
3115        /*
3116         * After this point, we only want management frames,
3117         * so we can drop all remaining control frames to
3118         * cooked monitor interfaces.
3119         */
3120        return RX_DROP_MONITOR;
3121}
3122
3123static void ieee80211_process_sa_query_req(struct ieee80211_sub_if_data *sdata,
3124                                           struct ieee80211_mgmt *mgmt,
3125                                           size_t len)
3126{
3127        struct ieee80211_local *local = sdata->local;
3128        struct sk_buff *skb;
3129        struct ieee80211_mgmt *resp;
3130
3131        if (!ether_addr_equal(mgmt->da, sdata->vif.addr)) {
3132                /* Not to own unicast address */
3133                return;
3134        }
3135
3136        if (!ether_addr_equal(mgmt->sa, sdata->u.mgd.bssid) ||
3137            !ether_addr_equal(mgmt->bssid, sdata->u.mgd.bssid)) {
3138                /* Not from the current AP or not associated yet. */
3139                return;
3140        }
3141
3142        if (len < 24 + 1 + sizeof(resp->u.action.u.sa_query)) {
3143                /* Too short SA Query request frame */
3144                return;
3145        }
3146
3147        skb = dev_alloc_skb(sizeof(*resp) + local->hw.extra_tx_headroom);
3148        if (skb == NULL)
3149                return;
3150
3151        skb_reserve(skb, local->hw.extra_tx_headroom);
3152        resp = skb_put_zero(skb, 24);
3153        memcpy(resp->da, mgmt->sa, ETH_ALEN);
3154        memcpy(resp->sa, sdata->vif.addr, ETH_ALEN);
3155        memcpy(resp->bssid, sdata->u.mgd.bssid, ETH_ALEN);
3156        resp->frame_control = cpu_to_le16(IEEE80211_FTYPE_MGMT |
3157                                          IEEE80211_STYPE_ACTION);
3158        skb_put(skb, 1 + sizeof(resp->u.action.u.sa_query));
3159        resp->u.action.category = WLAN_CATEGORY_SA_QUERY;
3160        resp->u.action.u.sa_query.action = WLAN_ACTION_SA_QUERY_RESPONSE;
3161        memcpy(resp->u.action.u.sa_query.trans_id,
3162               mgmt->u.action.u.sa_query.trans_id,
3163               WLAN_SA_QUERY_TR_ID_LEN);
3164
3165        ieee80211_tx_skb(sdata, skb);
3166}
3167
3168static ieee80211_rx_result debug_noinline
3169ieee80211_rx_h_mgmt_check(struct ieee80211_rx_data *rx)
3170{
3171        struct ieee80211_mgmt *mgmt = (struct ieee80211_mgmt *) rx->skb->data;
3172        struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(rx->skb);
3173
3174        if (ieee80211_is_s1g_beacon(mgmt->frame_control))
3175                return RX_CONTINUE;
3176
3177        /*
3178         * From here on, look only at management frames.
3179         * Data and control frames are already handled,
3180         * and unknown (reserved) frames are useless.
3181         */
3182        if (rx->skb->len < 24)
3183                return RX_DROP_MONITOR;
3184
3185        if (!ieee80211_is_mgmt(mgmt->frame_control))
3186                return RX_DROP_MONITOR;
3187
3188        if (rx->sdata->vif.type == NL80211_IFTYPE_AP &&
3189            ieee80211_is_beacon(mgmt->frame_control) &&
3190            !(rx->flags & IEEE80211_RX_BEACON_REPORTED)) {
3191                int sig = 0;
3192
3193                if (ieee80211_hw_check(&rx->local->hw, SIGNAL_DBM) &&
3194                    !(status->flag & RX_FLAG_NO_SIGNAL_VAL))
3195                        sig = status->signal;
3196
3197                cfg80211_report_obss_beacon_khz(rx->local->hw.wiphy,
3198                                                rx->skb->data, rx->skb->len,
3199                                                ieee80211_rx_status_to_khz(status),
3200                                                sig);
3201                rx->flags |= IEEE80211_RX_BEACON_REPORTED;
3202        }
3203
3204        if (ieee80211_drop_unencrypted_mgmt(rx))
3205                return RX_DROP_UNUSABLE;
3206
3207        return RX_CONTINUE;
3208}
3209
3210static ieee80211_rx_result debug_noinline
3211ieee80211_rx_h_action(struct ieee80211_rx_data *rx)
3212{
3213        struct ieee80211_local *local = rx->local;
3214        struct ieee80211_sub_if_data *sdata = rx->sdata;
3215        struct ieee80211_mgmt *mgmt = (struct ieee80211_mgmt *) rx->skb->data;
3216        struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(rx->skb);
3217        int len = rx->skb->len;
3218
3219        if (!ieee80211_is_action(mgmt->frame_control))
3220                return RX_CONTINUE;
3221
3222        /* drop too small frames */
3223        if (len < IEEE80211_MIN_ACTION_SIZE)
3224                return RX_DROP_UNUSABLE;
3225
3226        if (!rx->sta && mgmt->u.action.category != WLAN_CATEGORY_PUBLIC &&
3227            mgmt->u.action.category != WLAN_CATEGORY_SELF_PROTECTED &&
3228            mgmt->u.action.category != WLAN_CATEGORY_SPECTRUM_MGMT)
3229                return RX_DROP_UNUSABLE;
3230
3231        switch (mgmt->u.action.category) {
3232        case WLAN_CATEGORY_HT:
3233                /* reject HT action frames from stations not supporting HT */
3234                if (!rx->sta->sta.ht_cap.ht_supported)
3235                        goto invalid;
3236
3237                if (sdata->vif.type != NL80211_IFTYPE_STATION &&
3238                    sdata->vif.type != NL80211_IFTYPE_MESH_POINT &&
3239                    sdata->vif.type != NL80211_IFTYPE_AP_VLAN &&
3240                    sdata->vif.type != NL80211_IFTYPE_AP &&
3241                    sdata->vif.type != NL80211_IFTYPE_ADHOC)
3242                        break;
3243
3244                /* verify action & smps_control/chanwidth are present */
3245                if (len < IEEE80211_MIN_ACTION_SIZE + 2)
3246                        goto invalid;
3247
3248                switch (mgmt->u.action.u.ht_smps.action) {
3249                case WLAN_HT_ACTION_SMPS: {
3250                        struct ieee80211_supported_band *sband;
3251                        enum ieee80211_smps_mode smps_mode;
3252                        struct sta_opmode_info sta_opmode = {};
3253
3254                        if (sdata->vif.type != NL80211_IFTYPE_AP &&
3255                            sdata->vif.type != NL80211_IFTYPE_AP_VLAN)
3256                                goto handled;
3257
3258                        /* convert to HT capability */
3259                        switch (mgmt->u.action.u.ht_smps.smps_control) {
3260                        case WLAN_HT_SMPS_CONTROL_DISABLED:
3261                                smps_mode = IEEE80211_SMPS_OFF;
3262                                break;
3263                        case WLAN_HT_SMPS_CONTROL_STATIC:
3264                                smps_mode = IEEE80211_SMPS_STATIC;
3265                                break;
3266                        case WLAN_HT_SMPS_CONTROL_DYNAMIC:
3267                                smps_mode = IEEE80211_SMPS_DYNAMIC;
3268                                break;
3269                        default:
3270                                goto invalid;
3271                        }
3272
3273                        /* if no change do nothing */
3274                        if (rx->sta->sta.smps_mode == smps_mode)
3275                                goto handled;
3276                        rx->sta->sta.smps_mode = smps_mode;
3277                        sta_opmode.smps_mode =
3278                                ieee80211_smps_mode_to_smps_mode(smps_mode);
3279                        sta_opmode.changed = STA_OPMODE_SMPS_MODE_CHANGED;
3280
3281                        sband = rx->local->hw.wiphy->bands[status->band];
3282
3283                        rate_control_rate_update(local, sband, rx->sta,
3284                                                 IEEE80211_RC_SMPS_CHANGED);
3285                        cfg80211_sta_opmode_change_notify(sdata->dev,
3286                                                          rx->sta->addr,
3287                                                          &sta_opmode,
3288                                                          GFP_ATOMIC);
3289                        goto handled;
3290                }
3291                case WLAN_HT_ACTION_NOTIFY_CHANWIDTH: {
3292                        struct ieee80211_supported_band *sband;
3293                        u8 chanwidth = mgmt->u.action.u.ht_notify_cw.chanwidth;
3294                        enum ieee80211_sta_rx_bandwidth max_bw, new_bw;
3295                        struct sta_opmode_info sta_opmode = {};
3296
3297                        /* If it doesn't support 40 MHz it can't change ... */
3298                        if (!(rx->sta->sta.ht_cap.cap &
3299                                        IEEE80211_HT_CAP_SUP_WIDTH_20_40))
3300                                goto handled;
3301
3302                        if (chanwidth == IEEE80211_HT_CHANWIDTH_20MHZ)
3303                                max_bw = IEEE80211_STA_RX_BW_20;
3304                        else
3305                                max_bw = ieee80211_sta_cap_rx_bw(rx->sta);
3306
3307                        /* set cur_max_bandwidth and recalc sta bw */
3308                        rx->sta->cur_max_bandwidth = max_bw;
3309                        new_bw = ieee80211_sta_cur_vht_bw(rx->sta);
3310
3311                        if (rx->sta->sta.bandwidth == new_bw)
3312                                goto handled;
3313
3314                        rx->sta->sta.bandwidth = new_bw;
3315                        sband = rx->local->hw.wiphy->bands[status->band];
3316                        sta_opmode.bw =
3317                                ieee80211_sta_rx_bw_to_chan_width(rx->sta);
3318                        sta_opmode.changed = STA_OPMODE_MAX_BW_CHANGED;
3319
3320                        rate_control_rate_update(local, sband, rx->sta,
3321                                                 IEEE80211_RC_BW_CHANGED);
3322                        cfg80211_sta_opmode_change_notify(sdata->dev,
3323                                                          rx->sta->addr,
3324                                                          &sta_opmode,
3325                                                          GFP_ATOMIC);
3326                        goto handled;
3327                }
3328                default:
3329                        goto invalid;
3330                }
3331
3332                break;
3333        case WLAN_CATEGORY_PUBLIC:
3334                if (len < IEEE80211_MIN_ACTION_SIZE + 1)
3335                        goto invalid;
3336                if (sdata->vif.type != NL80211_IFTYPE_STATION)
3337                        break;
3338                if (!rx->sta)
3339                        break;
3340                if (!ether_addr_equal(mgmt->bssid, sdata->u.mgd.bssid))
3341                        break;
3342                if (mgmt->u.action.u.ext_chan_switch.action_code !=
3343                                WLAN_PUB_ACTION_EXT_CHANSW_ANN)
3344                        break;
3345                if (len < offsetof(struct ieee80211_mgmt,
3346                                   u.action.u.ext_chan_switch.variable))
3347                        goto invalid;
3348                goto queue;
3349        case WLAN_CATEGORY_VHT:
3350                if (sdata->vif.type != NL80211_IFTYPE_STATION &&
3351                    sdata->vif.type != NL80211_IFTYPE_MESH_POINT &&
3352                    sdata->vif.type != NL80211_IFTYPE_AP_VLAN &&
3353                    sdata->vif.type != NL80211_IFTYPE_AP &&
3354                    sdata->vif.type != NL80211_IFTYPE_ADHOC)
3355                        break;
3356
3357                /* verify action code is present */
3358                if (len < IEEE80211_MIN_ACTION_SIZE + 1)
3359                        goto invalid;
3360
3361                switch (mgmt->u.action.u.vht_opmode_notif.action_code) {
3362                case WLAN_VHT_ACTION_OPMODE_NOTIF: {
3363                        /* verify opmode is present */
3364                        if (len < IEEE80211_MIN_ACTION_SIZE + 2)
3365                                goto invalid;
3366                        goto queue;
3367                }
3368                case WLAN_VHT_ACTION_GROUPID_MGMT: {
3369                        if (len < IEEE80211_MIN_ACTION_SIZE + 25)
3370                                goto invalid;
3371                        goto queue;
3372                }
3373                default:
3374                        break;
3375                }
3376                break;
3377        case WLAN_CATEGORY_BACK:
3378                if (sdata->vif.type != NL80211_IFTYPE_STATION &&
3379                    sdata->vif.type != NL80211_IFTYPE_MESH_POINT &&
3380                    sdata->vif.type != NL80211_IFTYPE_AP_VLAN &&
3381                    sdata->vif.type != NL80211_IFTYPE_AP &&
3382                    sdata->vif.type != NL80211_IFTYPE_ADHOC)
3383                        break;
3384
3385                /* verify action_code is present */
3386                if (len < IEEE80211_MIN_ACTION_SIZE + 1)
3387                        break;
3388
3389                switch (mgmt->u.action.u.addba_req.action_code) {
3390                case WLAN_ACTION_ADDBA_REQ:
3391                        if (len < (IEEE80211_MIN_ACTION_SIZE +
3392                                   sizeof(mgmt->u.action.u.addba_req)))
3393                                goto invalid;
3394                        break;
3395                case WLAN_ACTION_ADDBA_RESP:
3396                        if (len < (IEEE80211_MIN_ACTION_SIZE +
3397                                   sizeof(mgmt->u.action.u.addba_resp)))
3398                                goto invalid;
3399                        break;
3400                case WLAN_ACTION_DELBA:
3401                        if (len < (IEEE80211_MIN_ACTION_SIZE +
3402                                   sizeof(mgmt->u.action.u.delba)))
3403                                goto invalid;
3404                        break;
3405                default:
3406                        goto invalid;
3407                }
3408
3409                goto queue;
3410        case WLAN_CATEGORY_SPECTRUM_MGMT:
3411                /* verify action_code is present */
3412                if (len < IEEE80211_MIN_ACTION_SIZE + 1)
3413                        break;
3414
3415                switch (mgmt->u.action.u.measurement.action_code) {
3416                case WLAN_ACTION_SPCT_MSR_REQ:
3417                        if (status->band != NL80211_BAND_5GHZ)
3418                                break;
3419
3420                        if (len < (IEEE80211_MIN_ACTION_SIZE +
3421                                   sizeof(mgmt->u.action.u.measurement)))
3422                                break;
3423
3424                        if (sdata->vif.type != NL80211_IFTYPE_STATION)
3425                                break;
3426
3427                        ieee80211_process_measurement_req(sdata, mgmt, len);
3428                        goto handled;
3429                case WLAN_ACTION_SPCT_CHL_SWITCH: {
3430                        u8 *bssid;
3431                        if (len < (IEEE80211_MIN_ACTION_SIZE +
3432                                   sizeof(mgmt->u.action.u.chan_switch)))
3433                                break;
3434
3435                        if (sdata->vif.type != NL80211_IFTYPE_STATION &&
3436                            sdata->vif.type != NL80211_IFTYPE_ADHOC &&
3437                            sdata->vif.type != NL80211_IFTYPE_MESH_POINT)
3438                                break;
3439
3440                        if (sdata->vif.type == NL80211_IFTYPE_STATION)
3441                                bssid = sdata->u.mgd.bssid;
3442                        else if (sdata->vif.type == NL80211_IFTYPE_ADHOC)
3443                                bssid = sdata->u.ibss.bssid;
3444                        else if (sdata->vif.type == NL80211_IFTYPE_MESH_POINT)
3445                                bssid = mgmt->sa;
3446                        else
3447                                break;
3448
3449                        if (!ether_addr_equal(mgmt->bssid, bssid))
3450                                break;
3451
3452                        goto queue;
3453                        }
3454                }
3455                break;
3456        case WLAN_CATEGORY_SELF_PROTECTED:
3457                if (len < (IEEE80211_MIN_ACTION_SIZE +
3458                           sizeof(mgmt->u.action.u.self_prot.action_code)))
3459                        break;
3460
3461                switch (mgmt->u.action.u.self_prot.action_code) {
3462                case WLAN_SP_MESH_PEERING_OPEN:
3463                case WLAN_SP_MESH_PEERING_CLOSE:
3464                case WLAN_SP_MESH_PEERING_CONFIRM:
3465                        if (!ieee80211_vif_is_mesh(&sdata->vif))
3466                                goto invalid;
3467                        if (sdata->u.mesh.user_mpm)
3468                                /* userspace handles this frame */
3469                                break;
3470                        goto queue;
3471                case WLAN_SP_MGK_INFORM:
3472                case WLAN_SP_MGK_ACK:
3473                        if (!ieee80211_vif_is_mesh(&sdata->vif))
3474                                goto invalid;
3475                        break;
3476                }
3477                break;
3478        case WLAN_CATEGORY_MESH_ACTION:
3479                if (len < (IEEE80211_MIN_ACTION_SIZE +
3480                           sizeof(mgmt->u.action.u.mesh_action.action_code)))
3481                        break;
3482
3483                if (!ieee80211_vif_is_mesh(&sdata->vif))
3484                        break;
3485                if (mesh_action_is_path_sel(mgmt) &&
3486                    !mesh_path_sel_is_hwmp(sdata))
3487                        break;
3488                goto queue;
3489        }
3490
3491        return RX_CONTINUE;
3492
3493 invalid:
3494        status->rx_flags |= IEEE80211_RX_MALFORMED_ACTION_FRM;
3495        /* will return in the next handlers */
3496        return RX_CONTINUE;
3497
3498 handled:
3499        if (rx->sta)
3500                rx->sta->rx_stats.packets++;
3501        dev_kfree_skb(rx->skb);
3502        return RX_QUEUED;
3503
3504 queue:
3505        ieee80211_queue_skb_to_iface(sdata, rx->sta, rx->skb);
3506        return RX_QUEUED;
3507}
3508
3509static ieee80211_rx_result debug_noinline
3510ieee80211_rx_h_userspace_mgmt(struct ieee80211_rx_data *rx)
3511{
3512        struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(rx->skb);
3513        int sig = 0;
3514
3515        /* skip known-bad action frames and return them in the next handler */
3516        if (status->rx_flags & IEEE80211_RX_MALFORMED_ACTION_FRM)
3517                return RX_CONTINUE;
3518
3519        /*
3520         * Getting here means the kernel doesn't know how to handle
3521         * it, but maybe userspace does ... include returned frames
3522         * so userspace can register for those to know whether ones
3523         * it transmitted were processed or returned.
3524         */
3525
3526        if (ieee80211_hw_check(&rx->local->hw, SIGNAL_DBM) &&
3527            !(status->flag & RX_FLAG_NO_SIGNAL_VAL))
3528                sig = status->signal;
3529
3530        if (cfg80211_rx_mgmt_khz(&rx->sdata->wdev,
3531                                 ieee80211_rx_status_to_khz(status), sig,
3532                                 rx->skb->data, rx->skb->len, 0)) {
3533                if (rx->sta)
3534                        rx->sta->rx_stats.packets++;
3535                dev_kfree_skb(rx->skb);
3536                return RX_QUEUED;
3537        }
3538
3539        return RX_CONTINUE;
3540}
3541
3542static ieee80211_rx_result debug_noinline
3543ieee80211_rx_h_action_post_userspace(struct ieee80211_rx_data *rx)
3544{
3545        struct ieee80211_sub_if_data *sdata = rx->sdata;
3546        struct ieee80211_mgmt *mgmt = (struct ieee80211_mgmt *) rx->skb->data;
3547        int len = rx->skb->len;
3548
3549        if (!ieee80211_is_action(mgmt->frame_control))
3550                return RX_CONTINUE;
3551
3552        switch (mgmt->u.action.category) {
3553        case WLAN_CATEGORY_SA_QUERY:
3554                if (len < (IEEE80211_MIN_ACTION_SIZE +
3555                           sizeof(mgmt->u.action.u.sa_query)))
3556                        break;
3557
3558                switch (mgmt->u.action.u.sa_query.action) {
3559                case WLAN_ACTION_SA_QUERY_REQUEST:
3560                        if (sdata->vif.type != NL80211_IFTYPE_STATION)
3561                                break;
3562                        ieee80211_process_sa_query_req(sdata, mgmt, len);
3563                        goto handled;
3564                }
3565                break;
3566        }
3567
3568        return RX_CONTINUE;
3569
3570 handled:
3571        if (rx->sta)
3572                rx->sta->rx_stats.packets++;
3573        dev_kfree_skb(rx->skb);
3574        return RX_QUEUED;
3575}
3576
3577static ieee80211_rx_result debug_noinline
3578ieee80211_rx_h_action_return(struct ieee80211_rx_data *rx)
3579{
3580        struct ieee80211_local *local = rx->local;
3581        struct ieee80211_mgmt *mgmt = (struct ieee80211_mgmt *) rx->skb->data;
3582        struct sk_buff *nskb;
3583        struct ieee80211_sub_if_data *sdata = rx->sdata;
3584        struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(rx->skb);
3585
3586        if (!ieee80211_is_action(mgmt->frame_control))
3587                return RX_CONTINUE;
3588
3589        /*
3590         * For AP mode, hostapd is responsible for handling any action
3591         * frames that we didn't handle, including returning unknown
3592         * ones. For all other modes we will return them to the sender,
3593         * setting the 0x80 bit in the action category, as required by
3594         * 802.11-2012 9.24.4.
3595         * Newer versions of hostapd shall also use the management frame
3596         * registration mechanisms, but older ones still use cooked
3597         * monitor interfaces so push all frames there.
3598         */
3599        if (!(status->rx_flags & IEEE80211_RX_MALFORMED_ACTION_FRM) &&
3600            (sdata->vif.type == NL80211_IFTYPE_AP ||
3601             sdata->vif.type == NL80211_IFTYPE_AP_VLAN))
3602                return RX_DROP_MONITOR;
3603
3604        if (is_multicast_ether_addr(mgmt->da))
3605                return RX_DROP_MONITOR;
3606
3607        /* do not return rejected action frames */
3608        if (mgmt->u.action.category & 0x80)
3609                return RX_DROP_UNUSABLE;
3610
3611        nskb = skb_copy_expand(rx->skb, local->hw.extra_tx_headroom, 0,
3612                               GFP_ATOMIC);
3613        if (nskb) {
3614                struct ieee80211_mgmt *nmgmt = (void *)nskb->data;
3615
3616                nmgmt->u.action.category |= 0x80;
3617                memcpy(nmgmt->da, nmgmt->sa, ETH_ALEN);
3618                memcpy(nmgmt->sa, rx->sdata->vif.addr, ETH_ALEN);
3619
3620                memset(nskb->cb, 0, sizeof(nskb->cb));
3621
3622                if (rx->sdata->vif.type == NL80211_IFTYPE_P2P_DEVICE) {
3623                        struct ieee80211_tx_info *info = IEEE80211_SKB_CB(nskb);
3624
3625                        info->flags = IEEE80211_TX_CTL_TX_OFFCHAN |
3626                                      IEEE80211_TX_INTFL_OFFCHAN_TX_OK |
3627                                      IEEE80211_TX_CTL_NO_CCK_RATE;
3628                        if (ieee80211_hw_check(&local->hw, QUEUE_CONTROL))
3629                                info->hw_queue =
3630                                        local->hw.offchannel_tx_hw_queue;
3631                }
3632
3633                __ieee80211_tx_skb_tid_band(rx->sdata, nskb, 7,
3634                                            status->band);
3635        }
3636        dev_kfree_skb(rx->skb);
3637        return RX_QUEUED;
3638}
3639
3640static ieee80211_rx_result debug_noinline
3641ieee80211_rx_h_ext(struct ieee80211_rx_data *rx)
3642{
3643        struct ieee80211_sub_if_data *sdata = rx->sdata;
3644        struct ieee80211_hdr *hdr = (void *)rx->skb->data;
3645
3646        if (!ieee80211_is_ext(hdr->frame_control))
3647                return RX_CONTINUE;
3648
3649        if (sdata->vif.type != NL80211_IFTYPE_STATION)
3650                return RX_DROP_MONITOR;
3651
3652        /* for now only beacons are ext, so queue them */
3653        ieee80211_queue_skb_to_iface(sdata, rx->sta, rx->skb);
3654
3655        return RX_QUEUED;
3656}
3657
3658static ieee80211_rx_result debug_noinline
3659ieee80211_rx_h_mgmt(struct ieee80211_rx_data *rx)
3660{
3661        struct ieee80211_sub_if_data *sdata = rx->sdata;
3662        struct ieee80211_mgmt *mgmt = (void *)rx->skb->data;
3663        __le16 stype;
3664
3665        stype = mgmt->frame_control & cpu_to_le16(IEEE80211_FCTL_STYPE);
3666
3667        if (!ieee80211_vif_is_mesh(&sdata->vif) &&
3668            sdata->vif.type != NL80211_IFTYPE_ADHOC &&
3669            sdata->vif.type != NL80211_IFTYPE_OCB &&
3670            sdata->vif.type != NL80211_IFTYPE_STATION)
3671                return RX_DROP_MONITOR;
3672
3673        switch (stype) {
3674        case cpu_to_le16(IEEE80211_STYPE_AUTH):
3675        case cpu_to_le16(IEEE80211_STYPE_BEACON):
3676        case cpu_to_le16(IEEE80211_STYPE_PROBE_RESP):
3677                /* process for all: mesh, mlme, ibss */
3678                break;
3679        case cpu_to_le16(IEEE80211_STYPE_DEAUTH):
3680                if (is_multicast_ether_addr(mgmt->da) &&
3681                    !is_broadcast_ether_addr(mgmt->da))
3682                        return RX_DROP_MONITOR;
3683
3684                /* process only for station/IBSS */
3685                if (sdata->vif.type != NL80211_IFTYPE_STATION &&
3686                    sdata->vif.type != NL80211_IFTYPE_ADHOC)
3687                        return RX_DROP_MONITOR;
3688                break;
3689        case cpu_to_le16(IEEE80211_STYPE_ASSOC_RESP):
3690        case cpu_to_le16(IEEE80211_STYPE_REASSOC_RESP):
3691        case cpu_to_le16(IEEE80211_STYPE_DISASSOC):
3692                if (is_multicast_ether_addr(mgmt->da) &&
3693                    !is_broadcast_ether_addr(mgmt->da))
3694                        return RX_DROP_MONITOR;
3695
3696                /* process only for station */
3697                if (sdata->vif.type != NL80211_IFTYPE_STATION)
3698                        return RX_DROP_MONITOR;
3699                break;
3700        case cpu_to_le16(IEEE80211_STYPE_PROBE_REQ):
3701                /* process only for ibss and mesh */
3702                if (sdata->vif.type != NL80211_IFTYPE_ADHOC &&
3703                    sdata->vif.type != NL80211_IFTYPE_MESH_POINT)
3704                        return RX_DROP_MONITOR;
3705                break;
3706        default:
3707                return RX_DROP_MONITOR;
3708        }
3709
3710        ieee80211_queue_skb_to_iface(sdata, rx->sta, rx->skb);
3711
3712        return RX_QUEUED;
3713}
3714
3715static void ieee80211_rx_cooked_monitor(struct ieee80211_rx_data *rx,
3716                                        struct ieee80211_rate *rate)
3717{
3718        struct ieee80211_sub_if_data *sdata;
3719        struct ieee80211_local *local = rx->local;
3720        struct sk_buff *skb = rx->skb, *skb2;
3721        struct net_device *prev_dev = NULL;
3722        struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(skb);
3723        int needed_headroom;
3724
3725        /*
3726         * If cooked monitor has been processed already, then
3727         * don't do it again. If not, set the flag.
3728         */
3729        if (rx->flags & IEEE80211_RX_CMNTR)
3730                goto out_free_skb;
3731        rx->flags |= IEEE80211_RX_CMNTR;
3732
3733        /* If there are no cooked monitor interfaces, just free the SKB */
3734        if (!local->cooked_mntrs)
3735                goto out_free_skb;
3736
3737        /* vendor data is long removed here */
3738        status->flag &= ~RX_FLAG_RADIOTAP_VENDOR_DATA;
3739        /* room for the radiotap header based on driver features */
3740        needed_headroom = ieee80211_rx_radiotap_hdrlen(local, status, skb);
3741
3742        if (skb_headroom(skb) < needed_headroom &&
3743            pskb_expand_head(skb, needed_headroom, 0, GFP_ATOMIC))
3744                goto out_free_skb;
3745
3746        /* prepend radiotap information */
3747        ieee80211_add_rx_radiotap_header(local, skb, rate, needed_headroom,
3748                                         false);
3749
3750        skb_reset_mac_header(skb);
3751        skb->ip_summed = CHECKSUM_UNNECESSARY;
3752        skb->pkt_type = PACKET_OTHERHOST;
3753        skb->protocol = htons(ETH_P_802_2);
3754
3755        list_for_each_entry_rcu(sdata, &local->interfaces, list) {
3756                if (!ieee80211_sdata_running(sdata))
3757                        continue;
3758
3759                if (sdata->vif.type != NL80211_IFTYPE_MONITOR ||
3760                    !(sdata->u.mntr.flags & MONITOR_FLAG_COOK_FRAMES))
3761                        continue;
3762
3763                if (prev_dev) {
3764                        skb2 = skb_clone(skb, GFP_ATOMIC);
3765                        if (skb2) {
3766                                skb2->dev = prev_dev;
3767                                netif_receive_skb(skb2);
3768                        }
3769                }
3770
3771                prev_dev = sdata->dev;
3772                dev_sw_netstats_rx_add(sdata->dev, skb->len);
3773        }
3774
3775        if (prev_dev) {
3776                skb->dev = prev_dev;
3777                netif_receive_skb(skb);
3778                return;
3779        }
3780
3781 out_free_skb:
3782        dev_kfree_skb(skb);
3783}
3784
3785static void ieee80211_rx_handlers_result(struct ieee80211_rx_data *rx,
3786                                         ieee80211_rx_result res)
3787{
3788        switch (res) {
3789        case RX_DROP_MONITOR:
3790                I802_DEBUG_INC(rx->sdata->local->rx_handlers_drop);
3791                if (rx->sta)
3792                        rx->sta->rx_stats.dropped++;
3793                fallthrough;
3794        case RX_CONTINUE: {
3795                struct ieee80211_rate *rate = NULL;
3796                struct ieee80211_supported_band *sband;
3797                struct ieee80211_rx_status *status;
3798
3799                status = IEEE80211_SKB_RXCB((rx->skb));
3800
3801                sband = rx->local->hw.wiphy->bands[status->band];
3802                if (status->encoding == RX_ENC_LEGACY)
3803                        rate = &sband->bitrates[status->rate_idx];
3804
3805                ieee80211_rx_cooked_monitor(rx, rate);
3806                break;
3807                }
3808        case RX_DROP_UNUSABLE:
3809                I802_DEBUG_INC(rx->sdata->local->rx_handlers_drop);
3810                if (rx->sta)
3811                        rx->sta->rx_stats.dropped++;
3812                dev_kfree_skb(rx->skb);
3813                break;
3814        case RX_QUEUED:
3815                I802_DEBUG_INC(rx->sdata->local->rx_handlers_queued);
3816                break;
3817        }
3818}
3819
3820static void ieee80211_rx_handlers(struct ieee80211_rx_data *rx,
3821                                  struct sk_buff_head *frames)
3822{
3823        ieee80211_rx_result res = RX_DROP_MONITOR;
3824        struct sk_buff *skb;
3825
3826#define CALL_RXH(rxh)                   \
3827        do {                            \
3828                res = rxh(rx);          \
3829                if (res != RX_CONTINUE) \
3830                        goto rxh_next;  \
3831        } while (0)
3832
3833        /* Lock here to avoid hitting all of the data used in the RX
3834         * path (e.g. key data, station data, ...) concurrently when
3835         * a frame is released from the reorder buffer due to timeout
3836         * from the timer, potentially concurrently with RX from the
3837         * driver.
3838         */
3839        spin_lock_bh(&rx->local->rx_path_lock);
3840
3841        while ((skb = __skb_dequeue(frames))) {
3842                /*
3843                 * all the other fields are valid across frames
3844                 * that belong to an aMPDU since they are on the
3845                 * same TID from the same station
3846                 */
3847                rx->skb = skb;
3848
3849                CALL_RXH(ieee80211_rx_h_check_more_data);
3850                CALL_RXH(ieee80211_rx_h_uapsd_and_pspoll);
3851                CALL_RXH(ieee80211_rx_h_sta_process);
3852                CALL_RXH(ieee80211_rx_h_decrypt);
3853                CALL_RXH(ieee80211_rx_h_defragment);
3854                CALL_RXH(ieee80211_rx_h_michael_mic_verify);
3855                /* must be after MMIC verify so header is counted in MPDU mic */
3856#ifdef CONFIG_MAC80211_MESH
3857                if (ieee80211_vif_is_mesh(&rx->sdata->vif))
3858                        CALL_RXH(ieee80211_rx_h_mesh_fwding);
3859#endif
3860                CALL_RXH(ieee80211_rx_h_amsdu);
3861                CALL_RXH(ieee80211_rx_h_data);
3862
3863                /* special treatment -- needs the queue */
3864                res = ieee80211_rx_h_ctrl(rx, frames);
3865                if (res != RX_CONTINUE)
3866                        goto rxh_next;
3867
3868                CALL_RXH(ieee80211_rx_h_mgmt_check);
3869                CALL_RXH(ieee80211_rx_h_action);
3870                CALL_RXH(ieee80211_rx_h_userspace_mgmt);
3871                CALL_RXH(ieee80211_rx_h_action_post_userspace);
3872                CALL_RXH(ieee80211_rx_h_action_return);
3873                CALL_RXH(ieee80211_rx_h_ext);
3874                CALL_RXH(ieee80211_rx_h_mgmt);
3875
3876 rxh_next:
3877                ieee80211_rx_handlers_result(rx, res);
3878
3879#undef CALL_RXH
3880        }
3881
3882        spin_unlock_bh(&rx->local->rx_path_lock);
3883}
3884
3885static void ieee80211_invoke_rx_handlers(struct ieee80211_rx_data *rx)
3886{
3887        struct sk_buff_head reorder_release;
3888        ieee80211_rx_result res = RX_DROP_MONITOR;
3889
3890        __skb_queue_head_init(&reorder_release);
3891
3892#define CALL_RXH(rxh)                   \
3893        do {                            \
3894                res = rxh(rx);          \
3895                if (res != RX_CONTINUE) \
3896                        goto rxh_next;  \
3897        } while (0)
3898
3899        CALL_RXH(ieee80211_rx_h_check_dup);
3900        CALL_RXH(ieee80211_rx_h_check);
3901
3902        ieee80211_rx_reorder_ampdu(rx, &reorder_release);
3903
3904        ieee80211_rx_handlers(rx, &reorder_release);
3905        return;
3906
3907 rxh_next:
3908        ieee80211_rx_handlers_result(rx, res);
3909
3910#undef CALL_RXH
3911}
3912
3913/*
3914 * This function makes calls into the RX path, therefore
3915 * it has to be invoked under RCU read lock.
3916 */
3917void ieee80211_release_reorder_timeout(struct sta_info *sta, int tid)
3918{
3919        struct sk_buff_head frames;
3920        struct ieee80211_rx_data rx = {
3921                .sta = sta,
3922                .sdata = sta->sdata,
3923                .local = sta->local,
3924                /* This is OK -- must be QoS data frame */
3925                .security_idx = tid,
3926                .seqno_idx = tid,
3927        };
3928        struct tid_ampdu_rx *tid_agg_rx;
3929
3930        tid_agg_rx = rcu_dereference(sta->ampdu_mlme.tid_rx[tid]);
3931        if (!tid_agg_rx)
3932                return;
3933
3934        __skb_queue_head_init(&frames);
3935
3936        spin_lock(&tid_agg_rx->reorder_lock);
3937        ieee80211_sta_reorder_release(sta->sdata, tid_agg_rx, &frames);
3938        spin_unlock(&tid_agg_rx->reorder_lock);
3939
3940        if (!skb_queue_empty(&frames)) {
3941                struct ieee80211_event event = {
3942                        .type = BA_FRAME_TIMEOUT,
3943                        .u.ba.tid = tid,
3944                        .u.ba.sta = &sta->sta,
3945                };
3946                drv_event_callback(rx.local, rx.sdata, &event);
3947        }
3948
3949        ieee80211_rx_handlers(&rx, &frames);
3950}
3951
3952void ieee80211_mark_rx_ba_filtered_frames(struct ieee80211_sta *pubsta, u8 tid,
3953                                          u16 ssn, u64 filtered,
3954                                          u16 received_mpdus)
3955{
3956        struct sta_info *sta;
3957        struct tid_ampdu_rx *tid_agg_rx;
3958        struct sk_buff_head frames;
3959        struct ieee80211_rx_data rx = {
3960                /* This is OK -- must be QoS data frame */
3961                .security_idx = tid,
3962                .seqno_idx = tid,
3963        };
3964        int i, diff;
3965
3966        if (WARN_ON(!pubsta || tid >= IEEE80211_NUM_TIDS))
3967                return;
3968
3969        __skb_queue_head_init(&frames);
3970
3971        sta = container_of(pubsta, struct sta_info, sta);
3972
3973        rx.sta = sta;
3974        rx.sdata = sta->sdata;
3975        rx.local = sta->local;
3976
3977        rcu_read_lock();
3978        tid_agg_rx = rcu_dereference(sta->ampdu_mlme.tid_rx[tid]);
3979        if (!tid_agg_rx)
3980                goto out;
3981
3982        spin_lock_bh(&tid_agg_rx->reorder_lock);
3983
3984        if (received_mpdus >= IEEE80211_SN_MODULO >> 1) {
3985                int release;
3986
3987                /* release all frames in the reorder buffer */
3988                release = (tid_agg_rx->head_seq_num + tid_agg_rx->buf_size) %
3989                           IEEE80211_SN_MODULO;
3990                ieee80211_release_reorder_frames(sta->sdata, tid_agg_rx,
3991                                                 release, &frames);
3992                /* update ssn to match received ssn */
3993                tid_agg_rx->head_seq_num = ssn;
3994        } else {
3995                ieee80211_release_reorder_frames(sta->sdata, tid_agg_rx, ssn,
3996                                                 &frames);
3997        }
3998
3999        /* handle the case that received ssn is behind the mac ssn.
4000         * it can be tid_agg_rx->buf_size behind and still be valid */
4001        diff = (tid_agg_rx->head_seq_num - ssn) & IEEE80211_SN_MASK;
4002        if (diff >= tid_agg_rx->buf_size) {
4003                tid_agg_rx->reorder_buf_filtered = 0;
4004                goto release;
4005        }
4006        filtered = filtered >> diff;
4007        ssn += diff;
4008
4009        /* update bitmap */
4010        for (i = 0; i < tid_agg_rx->buf_size; i++) {
4011                int index = (ssn + i) % tid_agg_rx->buf_size;
4012
4013                tid_agg_rx->reorder_buf_filtered &= ~BIT_ULL(index);
4014                if (filtered & BIT_ULL(i))
4015                        tid_agg_rx->reorder_buf_filtered |= BIT_ULL(index);
4016        }
4017
4018        /* now process also frames that the filter marking released */
4019        ieee80211_sta_reorder_release(sta->sdata, tid_agg_rx, &frames);
4020
4021release:
4022        spin_unlock_bh(&tid_agg_rx->reorder_lock);
4023
4024        ieee80211_rx_handlers(&rx, &frames);
4025
4026 out:
4027        rcu_read_unlock();
4028}
4029EXPORT_SYMBOL(ieee80211_mark_rx_ba_filtered_frames);
4030
4031/* main receive path */
4032
4033static bool ieee80211_accept_frame(struct ieee80211_rx_data *rx)
4034{
4035        struct ieee80211_sub_if_data *sdata = rx->sdata;
4036        struct sk_buff *skb = rx->skb;
4037        struct ieee80211_hdr *hdr = (void *)skb->data;
4038        struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(skb);
4039        u8 *bssid = ieee80211_get_bssid(hdr, skb->len, sdata->vif.type);
4040        bool multicast = is_multicast_ether_addr(hdr->addr1) ||
4041                         ieee80211_is_s1g_beacon(hdr->frame_control);
4042
4043        switch (sdata->vif.type) {
4044        case NL80211_IFTYPE_STATION:
4045                if (!bssid && !sdata->u.mgd.use_4addr)
4046                        return false;
4047                if (ieee80211_is_robust_mgmt_frame(skb) && !rx->sta)
4048                        return false;
4049                if (multicast)
4050                        return true;
4051                return ether_addr_equal(sdata->vif.addr, hdr->addr1);
4052        case NL80211_IFTYPE_ADHOC:
4053                if (!bssid)
4054                        return false;
4055                if (ether_addr_equal(sdata->vif.addr, hdr->addr2) ||
4056                    ether_addr_equal(sdata->u.ibss.bssid, hdr->addr2))
4057                        return false;
4058                if (ieee80211_is_beacon(hdr->frame_control))
4059                        return true;
4060                if (!ieee80211_bssid_match(bssid, sdata->u.ibss.bssid))
4061                        return false;
4062                if (!multicast &&
4063                    !ether_addr_equal(sdata->vif.addr, hdr->addr1))
4064                        return false;
4065                if (!rx->sta) {
4066                        int rate_idx;
4067                        if (status->encoding != RX_ENC_LEGACY)
4068                                rate_idx = 0; /* TODO: HT/VHT rates */
4069                        else
4070                                rate_idx = status->rate_idx;
4071                        ieee80211_ibss_rx_no_sta(sdata, bssid, hdr->addr2,
4072                                                 BIT(rate_idx));
4073                }
4074                return true;
4075        case NL80211_IFTYPE_OCB:
4076                if (!bssid)
4077                        return false;
4078                if (!ieee80211_is_data_present(hdr->frame_control))
4079                        return false;
4080                if (!is_broadcast_ether_addr(bssid))
4081                        return false;
4082                if (!multicast &&
4083                    !ether_addr_equal(sdata->dev->dev_addr, hdr->addr1))
4084                        return false;
4085                if (!rx->sta) {
4086                        int rate_idx;
4087                        if (status->encoding != RX_ENC_LEGACY)
4088                                rate_idx = 0; /* TODO: HT rates */
4089                        else
4090                                rate_idx = status->rate_idx;
4091                        ieee80211_ocb_rx_no_sta(sdata, bssid, hdr->addr2,
4092                                                BIT(rate_idx));
4093                }
4094                return true;
4095        case NL80211_IFTYPE_MESH_POINT:
4096                if (ether_addr_equal(sdata->vif.addr, hdr->addr2))
4097                        return false;
4098                if (multicast)
4099                        return true;
4100                return ether_addr_equal(sdata->vif.addr, hdr->addr1);
4101        case NL80211_IFTYPE_AP_VLAN:
4102        case NL80211_IFTYPE_AP:
4103                if (!bssid)
4104                        return ether_addr_equal(sdata->vif.addr, hdr->addr1);
4105
4106                if (!ieee80211_bssid_match(bssid, sdata->vif.addr)) {
4107                        /*
4108                         * Accept public action frames even when the
4109                         * BSSID doesn't match, this is used for P2P
4110                         * and location updates. Note that mac80211
4111                         * itself never looks at these frames.
4112                         */
4113                        if (!multicast &&
4114                            !ether_addr_equal(sdata->vif.addr, hdr->addr1))
4115                                return false;
4116                        if (ieee80211_is_public_action(hdr, skb->len))
4117                                return true;
4118                        return ieee80211_is_beacon(hdr->frame_control);
4119                }
4120
4121                if (!ieee80211_has_tods(hdr->frame_control)) {
4122                        /* ignore data frames to TDLS-peers */
4123                        if (ieee80211_is_data(hdr->frame_control))
4124                                return false;
4125                        /* ignore action frames to TDLS-peers */
4126                        if (ieee80211_is_action(hdr->frame_control) &&
4127                            !is_broadcast_ether_addr(bssid) &&
4128                            !ether_addr_equal(bssid, hdr->addr1))
4129                                return false;
4130                }
4131
4132                /*
4133                 * 802.11-2016 Table 9-26 says that for data frames, A1 must be
4134                 * the BSSID - we've checked that already but may have accepted
4135                 * the wildcard (ff:ff:ff:ff:ff:ff).
4136                 *
4137                 * It also says:
4138                 *      The BSSID of the Data frame is determined as follows:
4139                 *      a) If the STA is contained within an AP or is associated
4140                 *         with an AP, the BSSID is the address currently in use
4141                 *         by the STA contained in the AP.
4142                 *
4143                 * So we should not accept data frames with an address that's
4144                 * multicast.
4145                 *
4146                 * Accepting it also opens a security problem because stations
4147                 * could encrypt it with the GTK and inject traffic that way.
4148                 */
4149                if (ieee80211_is_data(hdr->frame_control) && multicast)
4150                        return false;
4151
4152                return true;
4153        case NL80211_IFTYPE_P2P_DEVICE:
4154                return ieee80211_is_public_action(hdr, skb->len) ||
4155                       ieee80211_is_probe_req(hdr->frame_control) ||
4156                       ieee80211_is_probe_resp(hdr->frame_control) ||
4157                       ieee80211_is_beacon(hdr->frame_control);
4158        case NL80211_IFTYPE_NAN:
4159                /* Currently no frames on NAN interface are allowed */
4160                return false;
4161        default:
4162                break;
4163        }
4164
4165        WARN_ON_ONCE(1);
4166        return false;
4167}
4168
4169void ieee80211_check_fast_rx(struct sta_info *sta)
4170{
4171        struct ieee80211_sub_if_data *sdata = sta->sdata;
4172        struct ieee80211_local *local = sdata->local;
4173        struct ieee80211_key *key;
4174        struct ieee80211_fast_rx fastrx = {
4175                .dev = sdata->dev,
4176                .vif_type = sdata->vif.type,
4177                .control_port_protocol = sdata->control_port_protocol,
4178        }, *old, *new = NULL;
4179        bool set_offload = false;
4180        bool assign = false;
4181        bool offload;
4182
4183        /* use sparse to check that we don't return without updating */
4184        __acquire(check_fast_rx);
4185
4186        BUILD_BUG_ON(sizeof(fastrx.rfc1042_hdr) != sizeof(rfc1042_header));
4187        BUILD_BUG_ON(sizeof(fastrx.rfc1042_hdr) != ETH_ALEN);
4188        ether_addr_copy(fastrx.rfc1042_hdr, rfc1042_header);
4189        ether_addr_copy(fastrx.vif_addr, sdata->vif.addr);
4190
4191        fastrx.uses_rss = ieee80211_hw_check(&local->hw, USES_RSS);
4192
4193        /* fast-rx doesn't do reordering */
4194        if (ieee80211_hw_check(&local->hw, AMPDU_AGGREGATION) &&
4195            !ieee80211_hw_check(&local->hw, SUPPORTS_REORDERING_BUFFER))
4196                goto clear;
4197
4198        switch (sdata->vif.type) {
4199        case NL80211_IFTYPE_STATION:
4200                if (sta->sta.tdls) {
4201                        fastrx.da_offs = offsetof(struct ieee80211_hdr, addr1);
4202                        fastrx.sa_offs = offsetof(struct ieee80211_hdr, addr2);
4203                        fastrx.expected_ds_bits = 0;
4204                } else {
4205                        fastrx.da_offs = offsetof(struct ieee80211_hdr, addr1);
4206                        fastrx.sa_offs = offsetof(struct ieee80211_hdr, addr3);
4207                        fastrx.expected_ds_bits =
4208                                cpu_to_le16(IEEE80211_FCTL_FROMDS);
4209                }
4210
4211                if (sdata->u.mgd.use_4addr && !sta->sta.tdls) {
4212                        fastrx.expected_ds_bits |=
4213                                cpu_to_le16(IEEE80211_FCTL_TODS);
4214                        fastrx.da_offs = offsetof(struct ieee80211_hdr, addr3);
4215                        fastrx.sa_offs = offsetof(struct ieee80211_hdr, addr4);
4216                }
4217
4218                if (!sdata->u.mgd.powersave)
4219                        break;
4220
4221                /* software powersave is a huge mess, avoid all of it */
4222                if (ieee80211_hw_check(&local->hw, PS_NULLFUNC_STACK))
4223                        goto clear;
4224                if (ieee80211_hw_check(&local->hw, SUPPORTS_PS) &&
4225                    !ieee80211_hw_check(&local->hw, SUPPORTS_DYNAMIC_PS))
4226                        goto clear;
4227                break;
4228        case NL80211_IFTYPE_AP_VLAN:
4229        case NL80211_IFTYPE_AP:
4230                /* parallel-rx requires this, at least with calls to
4231                 * ieee80211_sta_ps_transition()
4232                 */
4233                if (!ieee80211_hw_check(&local->hw, AP_LINK_PS))
4234                        goto clear;
4235                fastrx.da_offs = offsetof(struct ieee80211_hdr, addr3);
4236                fastrx.sa_offs = offsetof(struct ieee80211_hdr, addr2);
4237                fastrx.expected_ds_bits = cpu_to_le16(IEEE80211_FCTL_TODS);
4238
4239                fastrx.internal_forward =
4240                        !(sdata->flags & IEEE80211_SDATA_DONT_BRIDGE_PACKETS) &&
4241                        (sdata->vif.type != NL80211_IFTYPE_AP_VLAN ||
4242                         !sdata->u.vlan.sta);
4243
4244                if (sdata->vif.type == NL80211_IFTYPE_AP_VLAN &&
4245                    sdata->u.vlan.sta) {
4246                        fastrx.expected_ds_bits |=
4247                                cpu_to_le16(IEEE80211_FCTL_FROMDS);
4248                        fastrx.sa_offs = offsetof(struct ieee80211_hdr, addr4);
4249                        fastrx.internal_forward = 0;
4250                }
4251
4252                break;
4253        default:
4254                goto clear;
4255        }
4256
4257        if (!test_sta_flag(sta, WLAN_STA_AUTHORIZED))
4258                goto clear;
4259
4260        rcu_read_lock();
4261        key = rcu_dereference(sta->ptk[sta->ptk_idx]);
4262        if (!key)
4263                key = rcu_dereference(sdata->default_unicast_key);
4264        if (key) {
4265                switch (key->conf.cipher) {
4266                case WLAN_CIPHER_SUITE_TKIP:
4267                        /* we don't want to deal with MMIC in fast-rx */
4268                        goto clear_rcu;
4269                case WLAN_CIPHER_SUITE_CCMP:
4270                case WLAN_CIPHER_SUITE_CCMP_256:
4271                case WLAN_CIPHER_SUITE_GCMP:
4272                case WLAN_CIPHER_SUITE_GCMP_256:
4273                        break;
4274                default:
4275                        /* We also don't want to deal with
4276                         * WEP or cipher scheme.
4277                         */
4278                        goto clear_rcu;
4279                }
4280
4281                fastrx.key = true;
4282                fastrx.icv_len = key->conf.icv_len;
4283        }
4284
4285        assign = true;
4286 clear_rcu:
4287        rcu_read_unlock();
4288 clear:
4289        __release(check_fast_rx);
4290
4291        if (assign)
4292                new = kmemdup(&fastrx, sizeof(fastrx), GFP_KERNEL);
4293
4294        offload = assign &&
4295                  (sdata->vif.offload_flags & IEEE80211_OFFLOAD_DECAP_ENABLED);
4296
4297        if (offload)
4298                set_offload = !test_and_set_sta_flag(sta, WLAN_STA_DECAP_OFFLOAD);
4299        else
4300                set_offload = test_and_clear_sta_flag(sta, WLAN_STA_DECAP_OFFLOAD);
4301
4302        if (set_offload)
4303                drv_sta_set_decap_offload(local, sdata, &sta->sta, assign);
4304
4305        spin_lock_bh(&sta->lock);
4306        old = rcu_dereference_protected(sta->fast_rx, true);
4307        rcu_assign_pointer(sta->fast_rx, new);
4308        spin_unlock_bh(&sta->lock);
4309
4310        if (old)
4311                kfree_rcu(old, rcu_head);
4312}
4313
4314void ieee80211_clear_fast_rx(struct sta_info *sta)
4315{
4316        struct ieee80211_fast_rx *old;
4317
4318        spin_lock_bh(&sta->lock);
4319        old = rcu_dereference_protected(sta->fast_rx, true);
4320        RCU_INIT_POINTER(sta->fast_rx, NULL);
4321        spin_unlock_bh(&sta->lock);
4322
4323        if (old)
4324                kfree_rcu(old, rcu_head);
4325}
4326
4327void __ieee80211_check_fast_rx_iface(struct ieee80211_sub_if_data *sdata)
4328{
4329        struct ieee80211_local *local = sdata->local;
4330        struct sta_info *sta;
4331
4332        lockdep_assert_held(&local->sta_mtx);
4333
4334        list_for_each_entry(sta, &local->sta_list, list) {
4335                if (sdata != sta->sdata &&
4336                    (!sta->sdata->bss || sta->sdata->bss != sdata->bss))
4337                        continue;
4338                ieee80211_check_fast_rx(sta);
4339        }
4340}
4341
4342void ieee80211_check_fast_rx_iface(struct ieee80211_sub_if_data *sdata)
4343{
4344        struct ieee80211_local *local = sdata->local;
4345
4346        mutex_lock(&local->sta_mtx);
4347        __ieee80211_check_fast_rx_iface(sdata);
4348        mutex_unlock(&local->sta_mtx);
4349}
4350
4351static void ieee80211_rx_8023(struct ieee80211_rx_data *rx,
4352                              struct ieee80211_fast_rx *fast_rx,
4353                              int orig_len)
4354{
4355        struct ieee80211_sta_rx_stats *stats;
4356        struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(rx->skb);
4357        struct sta_info *sta = rx->sta;
4358        struct sk_buff *skb = rx->skb;
4359        void *sa = skb->data + ETH_ALEN;
4360        void *da = skb->data;
4361
4362        stats = &sta->