1 // SPDX-License-Identifier: GPL-2.0-only
2 /*
3 * Copyright 2002-2005, Instant802 Networks, Inc.
4 * Copyright 2005-2006, Devicescape Software, Inc.
5 * Copyright 2006-2007 Jiri Benc <jbenc@suse.cz>
6 * Copyright 2007-2010 Johannes Berg <johannes@sipsolutions.net>
7 * Copyright 2013-2014 Intel Mobile Communications GmbH
8 * Copyright(c) 2015 - 2017 Intel Deutschland GmbH
9 * Copyright (C) 2018-2025 Intel Corporation
10 */
11
12 #include <linux/jiffies.h>
13 #include <linux/slab.h>
14 #include <linux/kernel.h>
15 #include <linux/skbuff.h>
16 #include <linux/netdevice.h>
17 #include <linux/etherdevice.h>
18 #include <linux/rcupdate.h>
19 #include <linux/export.h>
20 #include <linux/kcov.h>
21 #include <linux/bitops.h>
22 #include <kunit/visibility.h>
23 #include <net/mac80211.h>
24 #include <net/ieee80211_radiotap.h>
25 #include <linux/unaligned.h>
26
27 #include "ieee80211_i.h"
28 #include "driver-ops.h"
29 #include "led.h"
30 #include "mesh.h"
31 #include "wep.h"
32 #include "wpa.h"
33 #include "tkip.h"
34 #include "wme.h"
35 #include "rate.h"
36
37 /*
38 * monitor mode reception
39 *
40 * This function cleans up the SKB, i.e. it removes all the stuff
41 * only useful for monitoring.
42 */
ieee80211_clean_skb(struct sk_buff * skb,unsigned int present_fcs_len,unsigned int rtap_space)43 static struct sk_buff *ieee80211_clean_skb(struct sk_buff *skb,
44 unsigned int present_fcs_len,
45 unsigned int rtap_space)
46 {
47 struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(skb);
48 struct ieee80211_hdr *hdr;
49 unsigned int hdrlen;
50 __le16 fc;
51
52 if (present_fcs_len)
53 __pskb_trim(skb, skb->len - present_fcs_len);
54 pskb_pull(skb, rtap_space);
55
56 /* After pulling radiotap header, clear all flags that indicate
57 * info in skb->data.
58 */
59 status->flag &= ~(RX_FLAG_RADIOTAP_TLV_AT_END |
60 RX_FLAG_RADIOTAP_LSIG |
61 RX_FLAG_RADIOTAP_HE_MU |
62 RX_FLAG_RADIOTAP_HE);
63
64 hdr = (void *)skb->data;
65 fc = hdr->frame_control;
66
67 /*
68 * Remove the HT-Control field (if present) on management
69 * frames after we've sent the frame to monitoring. We
70 * (currently) don't need it, and don't properly parse
71 * frames with it present, due to the assumption of a
72 * fixed management header length.
73 */
74 if (likely(!ieee80211_is_mgmt(fc) || !ieee80211_has_order(fc)))
75 return skb;
76
77 hdrlen = ieee80211_hdrlen(fc);
78 hdr->frame_control &= ~cpu_to_le16(IEEE80211_FCTL_ORDER);
79
80 if (!pskb_may_pull(skb, hdrlen)) {
81 dev_kfree_skb(skb);
82 return NULL;
83 }
84
85 memmove(skb->data + IEEE80211_HT_CTL_LEN, skb->data,
86 hdrlen - IEEE80211_HT_CTL_LEN);
87 pskb_pull(skb, IEEE80211_HT_CTL_LEN);
88
89 return skb;
90 }
91
should_drop_frame(struct sk_buff * skb,int present_fcs_len,unsigned int rtap_space)92 static inline bool should_drop_frame(struct sk_buff *skb, int present_fcs_len,
93 unsigned int rtap_space)
94 {
95 struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(skb);
96 struct ieee80211_hdr *hdr;
97
98 hdr = (void *)(skb->data + rtap_space);
99
100 if (status->flag & (RX_FLAG_FAILED_FCS_CRC |
101 RX_FLAG_FAILED_PLCP_CRC |
102 RX_FLAG_ONLY_MONITOR |
103 RX_FLAG_NO_PSDU))
104 return true;
105
106 if (unlikely(skb->len < 16 + present_fcs_len + rtap_space))
107 return true;
108
109 if (ieee80211_is_ctl(hdr->frame_control) &&
110 !ieee80211_is_pspoll(hdr->frame_control) &&
111 !ieee80211_is_back_req(hdr->frame_control))
112 return true;
113
114 return false;
115 }
116
117 static int
ieee80211_rx_radiotap_hdrlen(struct ieee80211_local * local,struct ieee80211_rx_status * status,struct sk_buff * skb)118 ieee80211_rx_radiotap_hdrlen(struct ieee80211_local *local,
119 struct ieee80211_rx_status *status,
120 struct sk_buff *skb)
121 {
122 int len;
123
124 /* always present fields */
125 len = sizeof(struct ieee80211_radiotap_header) + 8;
126
127 /* allocate extra bitmaps */
128 if (status->chains)
129 len += 4 * hweight8(status->chains);
130
131 if (ieee80211_have_rx_timestamp(status)) {
132 len = ALIGN(len, 8);
133 len += 8;
134 }
135 if (ieee80211_hw_check(&local->hw, SIGNAL_DBM))
136 len += 1;
137
138 /* antenna field, if we don't have per-chain info */
139 if (!status->chains)
140 len += 1;
141
142 /* padding for RX_FLAGS if necessary */
143 len = ALIGN(len, 2);
144
145 if (status->encoding == RX_ENC_HT) /* HT info */
146 len += 3;
147
148 if (status->flag & RX_FLAG_AMPDU_DETAILS) {
149 len = ALIGN(len, 4);
150 len += 8;
151 }
152
153 if (status->encoding == RX_ENC_VHT) {
154 len = ALIGN(len, 2);
155 len += 12;
156 }
157
158 if (local->hw.radiotap_timestamp.units_pos >= 0) {
159 len = ALIGN(len, 8);
160 len += 12;
161 }
162
163 if (status->encoding == RX_ENC_HE &&
164 status->flag & RX_FLAG_RADIOTAP_HE) {
165 len = ALIGN(len, 2);
166 len += 12;
167 BUILD_BUG_ON(sizeof(struct ieee80211_radiotap_he) != 12);
168 }
169
170 if (status->encoding == RX_ENC_HE &&
171 status->flag & RX_FLAG_RADIOTAP_HE_MU) {
172 len = ALIGN(len, 2);
173 len += 12;
174 BUILD_BUG_ON(sizeof(struct ieee80211_radiotap_he_mu) != 12);
175 }
176
177 if (status->flag & RX_FLAG_NO_PSDU)
178 len += 1;
179
180 if (status->flag & RX_FLAG_RADIOTAP_LSIG) {
181 len = ALIGN(len, 2);
182 len += 4;
183 BUILD_BUG_ON(sizeof(struct ieee80211_radiotap_lsig) != 4);
184 }
185
186 if (status->chains) {
187 /* antenna and antenna signal fields */
188 len += 2 * hweight8(status->chains);
189 }
190
191 if (status->flag & RX_FLAG_RADIOTAP_TLV_AT_END) {
192 int tlv_offset = 0;
193
194 /*
195 * The position to look at depends on the existence (or non-
196 * existence) of other elements, so take that into account...
197 */
198 if (status->flag & RX_FLAG_RADIOTAP_HE)
199 tlv_offset +=
200 sizeof(struct ieee80211_radiotap_he);
201 if (status->flag & RX_FLAG_RADIOTAP_HE_MU)
202 tlv_offset +=
203 sizeof(struct ieee80211_radiotap_he_mu);
204 if (status->flag & RX_FLAG_RADIOTAP_LSIG)
205 tlv_offset +=
206 sizeof(struct ieee80211_radiotap_lsig);
207
208 /* ensure 4 byte alignment for TLV */
209 len = ALIGN(len, 4);
210
211 /* TLVs until the mac header */
212 len += skb_mac_header(skb) - &skb->data[tlv_offset];
213 }
214
215 return len;
216 }
217
__ieee80211_queue_skb_to_iface(struct ieee80211_sub_if_data * sdata,int link_id,struct sta_info * sta,struct sk_buff * skb)218 static void __ieee80211_queue_skb_to_iface(struct ieee80211_sub_if_data *sdata,
219 int link_id,
220 struct sta_info *sta,
221 struct sk_buff *skb)
222 {
223 struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(skb);
224
225 if (link_id >= 0) {
226 status->link_valid = 1;
227 status->link_id = link_id;
228 } else {
229 status->link_valid = 0;
230 }
231
232 skb_queue_tail(&sdata->skb_queue, skb);
233 wiphy_work_queue(sdata->local->hw.wiphy, &sdata->work);
234 if (sta) {
235 struct link_sta_info *link_sta_info;
236
237 if (link_id >= 0) {
238 link_sta_info = rcu_dereference(sta->link[link_id]);
239 if (!link_sta_info)
240 return;
241 } else {
242 link_sta_info = &sta->deflink;
243 }
244
245 link_sta_info->rx_stats.packets++;
246 }
247 }
248
ieee80211_queue_skb_to_iface(struct ieee80211_sub_if_data * sdata,int link_id,struct sta_info * sta,struct sk_buff * skb)249 static void ieee80211_queue_skb_to_iface(struct ieee80211_sub_if_data *sdata,
250 int link_id,
251 struct sta_info *sta,
252 struct sk_buff *skb)
253 {
254 skb->protocol = 0;
255 __ieee80211_queue_skb_to_iface(sdata, link_id, sta, skb);
256 }
257
ieee80211_handle_mu_mimo_mon(struct ieee80211_sub_if_data * sdata,struct sk_buff * skb,int rtap_space)258 static void ieee80211_handle_mu_mimo_mon(struct ieee80211_sub_if_data *sdata,
259 struct sk_buff *skb,
260 int rtap_space)
261 {
262 struct {
263 struct ieee80211_hdr_3addr hdr;
264 u8 category;
265 u8 action_code;
266 } __packed __aligned(2) action;
267
268 if (!sdata)
269 return;
270
271 BUILD_BUG_ON(sizeof(action) != IEEE80211_MIN_ACTION_SIZE + 1);
272
273 if (skb->len < rtap_space + sizeof(action) +
274 VHT_MUMIMO_GROUPS_DATA_LEN)
275 return;
276
277 if (!is_valid_ether_addr(sdata->u.mntr.mu_follow_addr))
278 return;
279
280 skb_copy_bits(skb, rtap_space, &action, sizeof(action));
281
282 if (!ieee80211_is_action(action.hdr.frame_control))
283 return;
284
285 if (action.category != WLAN_CATEGORY_VHT)
286 return;
287
288 if (action.action_code != WLAN_VHT_ACTION_GROUPID_MGMT)
289 return;
290
291 if (!ether_addr_equal(action.hdr.addr1, sdata->u.mntr.mu_follow_addr))
292 return;
293
294 skb = skb_copy(skb, GFP_ATOMIC);
295 if (!skb)
296 return;
297
298 ieee80211_queue_skb_to_iface(sdata, -1, NULL, skb);
299 }
300
301 /*
302 * ieee80211_add_rx_radiotap_header - add radiotap header
303 *
304 * add a radiotap header containing all the fields which the hardware provided.
305 */
306 static void
ieee80211_add_rx_radiotap_header(struct ieee80211_local * local,struct sk_buff * skb,struct ieee80211_rate * rate,int rtap_len,bool has_fcs)307 ieee80211_add_rx_radiotap_header(struct ieee80211_local *local,
308 struct sk_buff *skb,
309 struct ieee80211_rate *rate,
310 int rtap_len, bool has_fcs)
311 {
312 struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(skb);
313 struct ieee80211_radiotap_header *rthdr;
314 unsigned char *pos;
315 __le32 *it_present;
316 u32 it_present_val;
317 u16 rx_flags = 0;
318 u16 channel_flags = 0;
319 u32 tlvs_len = 0;
320 int mpdulen, chain;
321 unsigned long chains = status->chains;
322 struct ieee80211_radiotap_he he = {};
323 struct ieee80211_radiotap_he_mu he_mu = {};
324 struct ieee80211_radiotap_lsig lsig = {};
325
326 if (status->flag & RX_FLAG_RADIOTAP_HE) {
327 he = *(struct ieee80211_radiotap_he *)skb->data;
328 skb_pull(skb, sizeof(he));
329 WARN_ON_ONCE(status->encoding != RX_ENC_HE);
330 }
331
332 if (status->flag & RX_FLAG_RADIOTAP_HE_MU) {
333 he_mu = *(struct ieee80211_radiotap_he_mu *)skb->data;
334 skb_pull(skb, sizeof(he_mu));
335 }
336
337 if (status->flag & RX_FLAG_RADIOTAP_LSIG) {
338 lsig = *(struct ieee80211_radiotap_lsig *)skb->data;
339 skb_pull(skb, sizeof(lsig));
340 }
341
342 if (status->flag & RX_FLAG_RADIOTAP_TLV_AT_END) {
343 /* data is pointer at tlv all other info was pulled off */
344 tlvs_len = skb_mac_header(skb) - skb->data;
345 }
346
347 mpdulen = skb->len;
348 if (!(has_fcs && ieee80211_hw_check(&local->hw, RX_INCLUDES_FCS)))
349 mpdulen += FCS_LEN;
350
351 rthdr = skb_push(skb, rtap_len - tlvs_len);
352 memset(rthdr, 0, rtap_len - tlvs_len);
353 it_present = &rthdr->it_present;
354
355 /* radiotap header, set always present flags */
356 rthdr->it_len = cpu_to_le16(rtap_len);
357 it_present_val = BIT(IEEE80211_RADIOTAP_FLAGS) |
358 BIT(IEEE80211_RADIOTAP_CHANNEL) |
359 BIT(IEEE80211_RADIOTAP_RX_FLAGS);
360
361 if (!status->chains)
362 it_present_val |= BIT(IEEE80211_RADIOTAP_ANTENNA);
363
364 for_each_set_bit(chain, &chains, IEEE80211_MAX_CHAINS) {
365 it_present_val |=
366 BIT(IEEE80211_RADIOTAP_EXT) |
367 BIT(IEEE80211_RADIOTAP_RADIOTAP_NAMESPACE);
368 put_unaligned_le32(it_present_val, it_present);
369 it_present++;
370 it_present_val = BIT(IEEE80211_RADIOTAP_ANTENNA) |
371 BIT(IEEE80211_RADIOTAP_DBM_ANTSIGNAL);
372 }
373
374 if (status->flag & RX_FLAG_RADIOTAP_TLV_AT_END)
375 it_present_val |= BIT(IEEE80211_RADIOTAP_TLV);
376
377 put_unaligned_le32(it_present_val, it_present);
378
379 /* This references through an offset into it_optional[] rather
380 * than via it_present otherwise later uses of pos will cause
381 * the compiler to think we have walked past the end of the
382 * struct member.
383 */
384 pos = (void *)&rthdr->it_optional[it_present + 1 - rthdr->it_optional];
385
386 /* the order of the following fields is important */
387
388 /* IEEE80211_RADIOTAP_TSFT */
389 if (ieee80211_have_rx_timestamp(status)) {
390 /* padding */
391 while ((pos - (u8 *)rthdr) & 7)
392 *pos++ = 0;
393 put_unaligned_le64(
394 ieee80211_calculate_rx_timestamp(local, status,
395 mpdulen, 0),
396 pos);
397 rthdr->it_present |= cpu_to_le32(BIT(IEEE80211_RADIOTAP_TSFT));
398 pos += 8;
399 }
400
401 /* IEEE80211_RADIOTAP_FLAGS */
402 if (has_fcs && ieee80211_hw_check(&local->hw, RX_INCLUDES_FCS))
403 *pos |= IEEE80211_RADIOTAP_F_FCS;
404 if (status->flag & (RX_FLAG_FAILED_FCS_CRC | RX_FLAG_FAILED_PLCP_CRC))
405 *pos |= IEEE80211_RADIOTAP_F_BADFCS;
406 if (status->enc_flags & RX_ENC_FLAG_SHORTPRE)
407 *pos |= IEEE80211_RADIOTAP_F_SHORTPRE;
408 pos++;
409
410 /* IEEE80211_RADIOTAP_RATE */
411 if (!rate || status->encoding != RX_ENC_LEGACY) {
412 /*
413 * Without rate information don't add it. If we have,
414 * MCS information is a separate field in radiotap,
415 * added below. The byte here is needed as padding
416 * for the channel though, so initialise it to 0.
417 */
418 *pos = 0;
419 } else {
420 int shift = 0;
421 rthdr->it_present |= cpu_to_le32(BIT(IEEE80211_RADIOTAP_RATE));
422 if (status->bw == RATE_INFO_BW_10)
423 shift = 1;
424 else if (status->bw == RATE_INFO_BW_5)
425 shift = 2;
426 *pos = DIV_ROUND_UP(rate->bitrate, 5 * (1 << shift));
427 }
428 pos++;
429
430 /* IEEE80211_RADIOTAP_CHANNEL */
431 /* TODO: frequency offset in KHz */
432 put_unaligned_le16(status->freq, pos);
433 pos += 2;
434 if (status->bw == RATE_INFO_BW_10)
435 channel_flags |= IEEE80211_CHAN_HALF;
436 else if (status->bw == RATE_INFO_BW_5)
437 channel_flags |= IEEE80211_CHAN_QUARTER;
438
439 if (status->band == NL80211_BAND_5GHZ ||
440 status->band == NL80211_BAND_6GHZ)
441 channel_flags |= IEEE80211_CHAN_OFDM | IEEE80211_CHAN_5GHZ;
442 else if (status->encoding != RX_ENC_LEGACY)
443 channel_flags |= IEEE80211_CHAN_DYN | IEEE80211_CHAN_2GHZ;
444 else if (rate && rate->flags & IEEE80211_RATE_ERP_G)
445 channel_flags |= IEEE80211_CHAN_OFDM | IEEE80211_CHAN_2GHZ;
446 else if (rate)
447 channel_flags |= IEEE80211_CHAN_CCK | IEEE80211_CHAN_2GHZ;
448 else
449 channel_flags |= IEEE80211_CHAN_2GHZ;
450 put_unaligned_le16(channel_flags, pos);
451 pos += 2;
452
453 /* IEEE80211_RADIOTAP_DBM_ANTSIGNAL */
454 if (ieee80211_hw_check(&local->hw, SIGNAL_DBM) &&
455 !(status->flag & RX_FLAG_NO_SIGNAL_VAL)) {
456 *pos = status->signal;
457 rthdr->it_present |=
458 cpu_to_le32(BIT(IEEE80211_RADIOTAP_DBM_ANTSIGNAL));
459 pos++;
460 }
461
462 /* IEEE80211_RADIOTAP_LOCK_QUALITY is missing */
463
464 if (!status->chains) {
465 /* IEEE80211_RADIOTAP_ANTENNA */
466 *pos = status->antenna;
467 pos++;
468 }
469
470 /* IEEE80211_RADIOTAP_DB_ANTNOISE is not used */
471
472 /* IEEE80211_RADIOTAP_RX_FLAGS */
473 /* ensure 2 byte alignment for the 2 byte field as required */
474 if ((pos - (u8 *)rthdr) & 1)
475 *pos++ = 0;
476 if (status->flag & RX_FLAG_FAILED_PLCP_CRC)
477 rx_flags |= IEEE80211_RADIOTAP_F_RX_BADPLCP;
478 put_unaligned_le16(rx_flags, pos);
479 pos += 2;
480
481 if (status->encoding == RX_ENC_HT) {
482 unsigned int stbc;
483
484 rthdr->it_present |= cpu_to_le32(BIT(IEEE80211_RADIOTAP_MCS));
485 *pos = local->hw.radiotap_mcs_details;
486 if (status->enc_flags & RX_ENC_FLAG_HT_GF)
487 *pos |= IEEE80211_RADIOTAP_MCS_HAVE_FMT;
488 if (status->enc_flags & RX_ENC_FLAG_LDPC)
489 *pos |= IEEE80211_RADIOTAP_MCS_HAVE_FEC;
490 pos++;
491 *pos = 0;
492 if (status->enc_flags & RX_ENC_FLAG_SHORT_GI)
493 *pos |= IEEE80211_RADIOTAP_MCS_SGI;
494 if (status->bw == RATE_INFO_BW_40)
495 *pos |= IEEE80211_RADIOTAP_MCS_BW_40;
496 if (status->enc_flags & RX_ENC_FLAG_HT_GF)
497 *pos |= IEEE80211_RADIOTAP_MCS_FMT_GF;
498 if (status->enc_flags & RX_ENC_FLAG_LDPC)
499 *pos |= IEEE80211_RADIOTAP_MCS_FEC_LDPC;
500 stbc = (status->enc_flags & RX_ENC_FLAG_STBC_MASK) >> RX_ENC_FLAG_STBC_SHIFT;
501 *pos |= stbc << IEEE80211_RADIOTAP_MCS_STBC_SHIFT;
502 pos++;
503 *pos++ = status->rate_idx;
504 }
505
506 if (status->flag & RX_FLAG_AMPDU_DETAILS) {
507 u16 flags = 0;
508
509 /* ensure 4 byte alignment */
510 while ((pos - (u8 *)rthdr) & 3)
511 pos++;
512 rthdr->it_present |=
513 cpu_to_le32(BIT(IEEE80211_RADIOTAP_AMPDU_STATUS));
514 put_unaligned_le32(status->ampdu_reference, pos);
515 pos += 4;
516 if (status->flag & RX_FLAG_AMPDU_LAST_KNOWN)
517 flags |= IEEE80211_RADIOTAP_AMPDU_LAST_KNOWN;
518 if (status->flag & RX_FLAG_AMPDU_IS_LAST)
519 flags |= IEEE80211_RADIOTAP_AMPDU_IS_LAST;
520 if (status->flag & RX_FLAG_AMPDU_DELIM_CRC_ERROR)
521 flags |= IEEE80211_RADIOTAP_AMPDU_DELIM_CRC_ERR;
522 if (status->flag & RX_FLAG_AMPDU_EOF_BIT_KNOWN)
523 flags |= IEEE80211_RADIOTAP_AMPDU_EOF_KNOWN;
524 if (status->flag & RX_FLAG_AMPDU_EOF_BIT)
525 flags |= IEEE80211_RADIOTAP_AMPDU_EOF;
526 put_unaligned_le16(flags, pos);
527 pos += 2;
528 *pos++ = 0;
529 *pos++ = 0;
530 }
531
532 if (status->encoding == RX_ENC_VHT) {
533 u16 known = local->hw.radiotap_vht_details;
534
535 rthdr->it_present |= cpu_to_le32(BIT(IEEE80211_RADIOTAP_VHT));
536 put_unaligned_le16(known, pos);
537 pos += 2;
538 /* flags */
539 if (status->enc_flags & RX_ENC_FLAG_SHORT_GI)
540 *pos |= IEEE80211_RADIOTAP_VHT_FLAG_SGI;
541 /* in VHT, STBC is binary */
542 if (status->enc_flags & RX_ENC_FLAG_STBC_MASK)
543 *pos |= IEEE80211_RADIOTAP_VHT_FLAG_STBC;
544 if (status->enc_flags & RX_ENC_FLAG_BF)
545 *pos |= IEEE80211_RADIOTAP_VHT_FLAG_BEAMFORMED;
546 pos++;
547 /* bandwidth */
548 switch (status->bw) {
549 case RATE_INFO_BW_80:
550 *pos++ = 4;
551 break;
552 case RATE_INFO_BW_160:
553 *pos++ = 11;
554 break;
555 case RATE_INFO_BW_40:
556 *pos++ = 1;
557 break;
558 default:
559 *pos++ = 0;
560 }
561 /* MCS/NSS */
562 *pos = (status->rate_idx << 4) | status->nss;
563 pos += 4;
564 /* coding field */
565 if (status->enc_flags & RX_ENC_FLAG_LDPC)
566 *pos |= IEEE80211_RADIOTAP_CODING_LDPC_USER0;
567 pos++;
568 /* group ID */
569 pos++;
570 /* partial_aid */
571 pos += 2;
572 }
573
574 if (local->hw.radiotap_timestamp.units_pos >= 0) {
575 u16 accuracy = 0;
576 u8 flags;
577 u64 ts;
578
579 rthdr->it_present |=
580 cpu_to_le32(BIT(IEEE80211_RADIOTAP_TIMESTAMP));
581
582 /* ensure 8 byte alignment */
583 while ((pos - (u8 *)rthdr) & 7)
584 pos++;
585
586 if (status->flag & RX_FLAG_MACTIME_IS_RTAP_TS64) {
587 flags = IEEE80211_RADIOTAP_TIMESTAMP_FLAG_64BIT;
588 ts = status->mactime;
589 } else {
590 flags = IEEE80211_RADIOTAP_TIMESTAMP_FLAG_32BIT;
591 ts = status->device_timestamp;
592 }
593
594 put_unaligned_le64(ts, pos);
595 pos += sizeof(u64);
596
597 if (local->hw.radiotap_timestamp.accuracy >= 0) {
598 accuracy = local->hw.radiotap_timestamp.accuracy;
599 flags |= IEEE80211_RADIOTAP_TIMESTAMP_FLAG_ACCURACY;
600 }
601 put_unaligned_le16(accuracy, pos);
602 pos += sizeof(u16);
603
604 *pos++ = local->hw.radiotap_timestamp.units_pos;
605 *pos++ = flags;
606 }
607
608 if (status->encoding == RX_ENC_HE &&
609 status->flag & RX_FLAG_RADIOTAP_HE) {
610 #define HE_PREP(f, val) le16_encode_bits(val, IEEE80211_RADIOTAP_HE_##f)
611
612 if (status->enc_flags & RX_ENC_FLAG_STBC_MASK) {
613 he.data6 |= HE_PREP(DATA6_NSTS,
614 FIELD_GET(RX_ENC_FLAG_STBC_MASK,
615 status->enc_flags));
616 he.data3 |= HE_PREP(DATA3_STBC, 1);
617 } else {
618 he.data6 |= HE_PREP(DATA6_NSTS, status->nss);
619 }
620
621 #define CHECK_GI(s) \
622 BUILD_BUG_ON(IEEE80211_RADIOTAP_HE_DATA5_GI_##s != \
623 (int)NL80211_RATE_INFO_HE_GI_##s)
624
625 CHECK_GI(0_8);
626 CHECK_GI(1_6);
627 CHECK_GI(3_2);
628
629 he.data3 |= HE_PREP(DATA3_DATA_MCS, status->rate_idx);
630 he.data3 |= HE_PREP(DATA3_DATA_DCM, status->he_dcm);
631 he.data3 |= HE_PREP(DATA3_CODING,
632 !!(status->enc_flags & RX_ENC_FLAG_LDPC));
633
634 he.data5 |= HE_PREP(DATA5_GI, status->he_gi);
635
636 switch (status->bw) {
637 case RATE_INFO_BW_20:
638 he.data5 |= HE_PREP(DATA5_DATA_BW_RU_ALLOC,
639 IEEE80211_RADIOTAP_HE_DATA5_DATA_BW_RU_ALLOC_20MHZ);
640 break;
641 case RATE_INFO_BW_40:
642 he.data5 |= HE_PREP(DATA5_DATA_BW_RU_ALLOC,
643 IEEE80211_RADIOTAP_HE_DATA5_DATA_BW_RU_ALLOC_40MHZ);
644 break;
645 case RATE_INFO_BW_80:
646 he.data5 |= HE_PREP(DATA5_DATA_BW_RU_ALLOC,
647 IEEE80211_RADIOTAP_HE_DATA5_DATA_BW_RU_ALLOC_80MHZ);
648 break;
649 case RATE_INFO_BW_160:
650 he.data5 |= HE_PREP(DATA5_DATA_BW_RU_ALLOC,
651 IEEE80211_RADIOTAP_HE_DATA5_DATA_BW_RU_ALLOC_160MHZ);
652 break;
653 case RATE_INFO_BW_HE_RU:
654 #define CHECK_RU_ALLOC(s) \
655 BUILD_BUG_ON(IEEE80211_RADIOTAP_HE_DATA5_DATA_BW_RU_ALLOC_##s##T != \
656 NL80211_RATE_INFO_HE_RU_ALLOC_##s + 4)
657
658 CHECK_RU_ALLOC(26);
659 CHECK_RU_ALLOC(52);
660 CHECK_RU_ALLOC(106);
661 CHECK_RU_ALLOC(242);
662 CHECK_RU_ALLOC(484);
663 CHECK_RU_ALLOC(996);
664 CHECK_RU_ALLOC(2x996);
665
666 he.data5 |= HE_PREP(DATA5_DATA_BW_RU_ALLOC,
667 status->he_ru + 4);
668 break;
669 default:
670 WARN_ONCE(1, "Invalid SU BW %d\n", status->bw);
671 }
672
673 /* ensure 2 byte alignment */
674 while ((pos - (u8 *)rthdr) & 1)
675 pos++;
676 rthdr->it_present |= cpu_to_le32(BIT(IEEE80211_RADIOTAP_HE));
677 memcpy(pos, &he, sizeof(he));
678 pos += sizeof(he);
679 }
680
681 if (status->encoding == RX_ENC_HE &&
682 status->flag & RX_FLAG_RADIOTAP_HE_MU) {
683 /* ensure 2 byte alignment */
684 while ((pos - (u8 *)rthdr) & 1)
685 pos++;
686 rthdr->it_present |= cpu_to_le32(BIT(IEEE80211_RADIOTAP_HE_MU));
687 memcpy(pos, &he_mu, sizeof(he_mu));
688 pos += sizeof(he_mu);
689 }
690
691 if (status->flag & RX_FLAG_NO_PSDU) {
692 rthdr->it_present |=
693 cpu_to_le32(BIT(IEEE80211_RADIOTAP_ZERO_LEN_PSDU));
694 *pos++ = status->zero_length_psdu_type;
695 }
696
697 if (status->flag & RX_FLAG_RADIOTAP_LSIG) {
698 /* ensure 2 byte alignment */
699 while ((pos - (u8 *)rthdr) & 1)
700 pos++;
701 rthdr->it_present |= cpu_to_le32(BIT(IEEE80211_RADIOTAP_LSIG));
702 memcpy(pos, &lsig, sizeof(lsig));
703 pos += sizeof(lsig);
704 }
705
706 for_each_set_bit(chain, &chains, IEEE80211_MAX_CHAINS) {
707 *pos++ = status->chain_signal[chain];
708 *pos++ = chain;
709 }
710 }
711
712 static struct sk_buff *
ieee80211_make_monitor_skb(struct ieee80211_local * local,struct sk_buff ** origskb,struct ieee80211_rate * rate,int rtap_space,bool use_origskb)713 ieee80211_make_monitor_skb(struct ieee80211_local *local,
714 struct sk_buff **origskb,
715 struct ieee80211_rate *rate,
716 int rtap_space, bool use_origskb)
717 {
718 struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(*origskb);
719 int rt_hdrlen, needed_headroom;
720 struct sk_buff *skb;
721
722 /* room for the radiotap header based on driver features */
723 rt_hdrlen = ieee80211_rx_radiotap_hdrlen(local, status, *origskb);
724 needed_headroom = rt_hdrlen - rtap_space;
725
726 if (use_origskb) {
727 /* only need to expand headroom if necessary */
728 skb = *origskb;
729 *origskb = NULL;
730
731 /*
732 * This shouldn't trigger often because most devices have an
733 * RX header they pull before we get here, and that should
734 * be big enough for our radiotap information. We should
735 * probably export the length to drivers so that we can have
736 * them allocate enough headroom to start with.
737 */
738 if (skb_headroom(skb) < needed_headroom &&
739 pskb_expand_head(skb, needed_headroom, 0, GFP_ATOMIC)) {
740 dev_kfree_skb(skb);
741 return NULL;
742 }
743 } else {
744 /*
745 * Need to make a copy and possibly remove radiotap header
746 * and FCS from the original.
747 */
748 skb = skb_copy_expand(*origskb, needed_headroom + NET_SKB_PAD,
749 0, GFP_ATOMIC);
750
751 if (!skb)
752 return NULL;
753 }
754
755 /* prepend radiotap information */
756 ieee80211_add_rx_radiotap_header(local, skb, rate, rt_hdrlen, true);
757
758 skb_reset_mac_header(skb);
759 skb->ip_summed = CHECKSUM_UNNECESSARY;
760 skb->pkt_type = PACKET_OTHERHOST;
761 skb->protocol = htons(ETH_P_802_2);
762
763 return skb;
764 }
765
766 /*
767 * This function copies a received frame to all monitor interfaces and
768 * returns a cleaned-up SKB that no longer includes the FCS nor the
769 * radiotap header the driver might have added.
770 */
771 static struct sk_buff *
ieee80211_rx_monitor(struct ieee80211_local * local,struct sk_buff * origskb,struct ieee80211_rate * rate)772 ieee80211_rx_monitor(struct ieee80211_local *local, struct sk_buff *origskb,
773 struct ieee80211_rate *rate)
774 {
775 struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(origskb);
776 struct ieee80211_sub_if_data *sdata, *prev_sdata = NULL;
777 struct sk_buff *skb, *monskb = NULL;
778 int present_fcs_len = 0;
779 unsigned int rtap_space = 0;
780 struct ieee80211_sub_if_data *monitor_sdata =
781 rcu_dereference(local->monitor_sdata);
782 bool only_monitor = false;
783 unsigned int min_head_len;
784
785 if (WARN_ON_ONCE(status->flag & RX_FLAG_RADIOTAP_TLV_AT_END &&
786 !skb_mac_header_was_set(origskb))) {
787 /* with this skb no way to know where frame payload starts */
788 dev_kfree_skb(origskb);
789 return NULL;
790 }
791
792 if (status->flag & RX_FLAG_RADIOTAP_HE)
793 rtap_space += sizeof(struct ieee80211_radiotap_he);
794
795 if (status->flag & RX_FLAG_RADIOTAP_HE_MU)
796 rtap_space += sizeof(struct ieee80211_radiotap_he_mu);
797
798 if (status->flag & RX_FLAG_RADIOTAP_LSIG)
799 rtap_space += sizeof(struct ieee80211_radiotap_lsig);
800
801 if (status->flag & RX_FLAG_RADIOTAP_TLV_AT_END)
802 rtap_space += skb_mac_header(origskb) - &origskb->data[rtap_space];
803
804 min_head_len = rtap_space;
805
806 /*
807 * First, we may need to make a copy of the skb because
808 * (1) we need to modify it for radiotap (if not present), and
809 * (2) the other RX handlers will modify the skb we got.
810 *
811 * We don't need to, of course, if we aren't going to return
812 * the SKB because it has a bad FCS/PLCP checksum.
813 */
814
815 if (!(status->flag & RX_FLAG_NO_PSDU)) {
816 if (ieee80211_hw_check(&local->hw, RX_INCLUDES_FCS)) {
817 if (unlikely(origskb->len <= FCS_LEN + rtap_space)) {
818 /* driver bug */
819 WARN_ON(1);
820 dev_kfree_skb(origskb);
821 return NULL;
822 }
823 present_fcs_len = FCS_LEN;
824 }
825
826 /* also consider the hdr->frame_control */
827 min_head_len += 2;
828 }
829
830 /* ensure that the expected data elements are in skb head */
831 if (!pskb_may_pull(origskb, min_head_len)) {
832 dev_kfree_skb(origskb);
833 return NULL;
834 }
835
836 only_monitor = should_drop_frame(origskb, present_fcs_len, rtap_space);
837
838 if (!local->monitors || (status->flag & RX_FLAG_SKIP_MONITOR)) {
839 if (only_monitor) {
840 dev_kfree_skb(origskb);
841 return NULL;
842 }
843
844 return ieee80211_clean_skb(origskb, present_fcs_len,
845 rtap_space);
846 }
847
848 ieee80211_handle_mu_mimo_mon(monitor_sdata, origskb, rtap_space);
849
850 list_for_each_entry_rcu(sdata, &local->mon_list, u.mntr.list) {
851 struct cfg80211_chan_def *chandef;
852
853 chandef = &sdata->vif.bss_conf.chanreq.oper;
854 if (chandef->chan &&
855 chandef->chan->center_freq != status->freq)
856 continue;
857
858 if (!prev_sdata) {
859 prev_sdata = sdata;
860 continue;
861 }
862
863 if (ieee80211_hw_check(&local->hw, NO_VIRTUAL_MONITOR))
864 ieee80211_handle_mu_mimo_mon(sdata, origskb, rtap_space);
865
866 if (!monskb)
867 monskb = ieee80211_make_monitor_skb(local, &origskb,
868 rate, rtap_space,
869 false);
870 if (!monskb)
871 continue;
872
873 skb = skb_clone(monskb, GFP_ATOMIC);
874 if (!skb)
875 continue;
876
877 skb->dev = prev_sdata->dev;
878 dev_sw_netstats_rx_add(skb->dev, skb->len);
879 netif_receive_skb(skb);
880 prev_sdata = sdata;
881 }
882
883 if (prev_sdata) {
884 if (monskb)
885 skb = monskb;
886 else
887 skb = ieee80211_make_monitor_skb(local, &origskb,
888 rate, rtap_space,
889 only_monitor);
890 if (skb) {
891 skb->dev = prev_sdata->dev;
892 dev_sw_netstats_rx_add(skb->dev, skb->len);
893 netif_receive_skb(skb);
894 }
895 }
896
897 if (!origskb)
898 return NULL;
899
900 return ieee80211_clean_skb(origskb, present_fcs_len, rtap_space);
901 }
902
ieee80211_parse_qos(struct ieee80211_rx_data * rx)903 static void ieee80211_parse_qos(struct ieee80211_rx_data *rx)
904 {
905 struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)rx->skb->data;
906 struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(rx->skb);
907 int tid, seqno_idx, security_idx;
908
909 /* does the frame have a qos control field? */
910 if (ieee80211_is_data_qos(hdr->frame_control)) {
911 u8 *qc = ieee80211_get_qos_ctl(hdr);
912 /* frame has qos control */
913 tid = *qc & IEEE80211_QOS_CTL_TID_MASK;
914 if (*qc & IEEE80211_QOS_CTL_A_MSDU_PRESENT)
915 status->rx_flags |= IEEE80211_RX_AMSDU;
916
917 seqno_idx = tid;
918 security_idx = tid;
919 } else {
920 /*
921 * IEEE 802.11-2007, 7.1.3.4.1 ("Sequence Number field"):
922 *
923 * Sequence numbers for management frames, QoS data
924 * frames with a broadcast/multicast address in the
925 * Address 1 field, and all non-QoS data frames sent
926 * by QoS STAs are assigned using an additional single
927 * modulo-4096 counter, [...]
928 *
929 * We also use that counter for non-QoS STAs.
930 */
931 seqno_idx = IEEE80211_NUM_TIDS;
932 security_idx = 0;
933 if (ieee80211_is_mgmt(hdr->frame_control))
934 security_idx = IEEE80211_NUM_TIDS;
935 tid = 0;
936 }
937
938 rx->seqno_idx = seqno_idx;
939 rx->security_idx = security_idx;
940 /* Set skb->priority to 1d tag if highest order bit of TID is not set.
941 * For now, set skb->priority to 0 for other cases. */
942 rx->skb->priority = (tid > 7) ? 0 : tid;
943 }
944
945 /**
946 * DOC: Packet alignment
947 *
948 * Drivers always need to pass packets that are aligned to two-byte boundaries
949 * to the stack.
950 *
951 * Additionally, they should, if possible, align the payload data in a way that
952 * guarantees that the contained IP header is aligned to a four-byte
953 * boundary. In the case of regular frames, this simply means aligning the
954 * payload to a four-byte boundary (because either the IP header is directly
955 * contained, or IV/RFC1042 headers that have a length divisible by four are
956 * in front of it). If the payload data is not properly aligned and the
957 * architecture doesn't support efficient unaligned operations, mac80211
958 * will align the data.
959 *
960 * With A-MSDU frames, however, the payload data address must yield two modulo
961 * four because there are 14-byte 802.3 headers within the A-MSDU frames that
962 * push the IP header further back to a multiple of four again. Thankfully, the
963 * specs were sane enough this time around to require padding each A-MSDU
964 * subframe to a length that is a multiple of four.
965 *
966 * Padding like Atheros hardware adds which is between the 802.11 header and
967 * the payload is not supported; the driver is required to move the 802.11
968 * header to be directly in front of the payload in that case.
969 */
ieee80211_verify_alignment(struct ieee80211_rx_data * rx)970 static void ieee80211_verify_alignment(struct ieee80211_rx_data *rx)
971 {
972 #ifdef CONFIG_MAC80211_VERBOSE_DEBUG
973 WARN_ON_ONCE((unsigned long)rx->skb->data & 1);
974 #endif
975 }
976
977
978 /* rx handlers */
979
ieee80211_is_unicast_robust_mgmt_frame(struct sk_buff * skb)980 static int ieee80211_is_unicast_robust_mgmt_frame(struct sk_buff *skb)
981 {
982 struct ieee80211_hdr *hdr = (struct ieee80211_hdr *) skb->data;
983
984 if (is_multicast_ether_addr(hdr->addr1))
985 return 0;
986
987 return ieee80211_is_robust_mgmt_frame(skb);
988 }
989
990
ieee80211_is_multicast_robust_mgmt_frame(struct sk_buff * skb)991 static int ieee80211_is_multicast_robust_mgmt_frame(struct sk_buff *skb)
992 {
993 struct ieee80211_hdr *hdr = (struct ieee80211_hdr *) skb->data;
994
995 if (!is_multicast_ether_addr(hdr->addr1))
996 return 0;
997
998 return ieee80211_is_robust_mgmt_frame(skb);
999 }
1000
1001
1002 /* Get the BIP key index from MMIE; return -1 if this is not a BIP frame */
ieee80211_get_mmie_keyidx(struct sk_buff * skb)1003 static int ieee80211_get_mmie_keyidx(struct sk_buff *skb)
1004 {
1005 struct ieee80211_mgmt *hdr = (struct ieee80211_mgmt *) skb->data;
1006 struct ieee80211_mmie *mmie;
1007 struct ieee80211_mmie_16 *mmie16;
1008
1009 if (skb->len < 24 + sizeof(*mmie) || !is_multicast_ether_addr(hdr->da))
1010 return -1;
1011
1012 if (!ieee80211_is_robust_mgmt_frame(skb) &&
1013 !ieee80211_is_beacon(hdr->frame_control))
1014 return -1; /* not a robust management frame */
1015
1016 mmie = (struct ieee80211_mmie *)
1017 (skb->data + skb->len - sizeof(*mmie));
1018 if (mmie->element_id == WLAN_EID_MMIE &&
1019 mmie->length == sizeof(*mmie) - 2)
1020 return le16_to_cpu(mmie->key_id);
1021
1022 mmie16 = (struct ieee80211_mmie_16 *)
1023 (skb->data + skb->len - sizeof(*mmie16));
1024 if (skb->len >= 24 + sizeof(*mmie16) &&
1025 mmie16->element_id == WLAN_EID_MMIE &&
1026 mmie16->length == sizeof(*mmie16) - 2)
1027 return le16_to_cpu(mmie16->key_id);
1028
1029 return -1;
1030 }
1031
ieee80211_get_keyid(struct sk_buff * skb)1032 static int ieee80211_get_keyid(struct sk_buff *skb)
1033 {
1034 struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)skb->data;
1035 __le16 fc = hdr->frame_control;
1036 int hdrlen = ieee80211_hdrlen(fc);
1037 u8 keyid;
1038
1039 /* WEP, TKIP, CCMP and GCMP */
1040 if (unlikely(skb->len < hdrlen + IEEE80211_WEP_IV_LEN))
1041 return -EINVAL;
1042
1043 skb_copy_bits(skb, hdrlen + 3, &keyid, 1);
1044
1045 keyid >>= 6;
1046
1047 return keyid;
1048 }
1049
ieee80211_rx_mesh_check(struct ieee80211_rx_data * rx)1050 static ieee80211_rx_result ieee80211_rx_mesh_check(struct ieee80211_rx_data *rx)
1051 {
1052 struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)rx->skb->data;
1053 char *dev_addr = rx->sdata->vif.addr;
1054
1055 if (ieee80211_is_data(hdr->frame_control)) {
1056 if (is_multicast_ether_addr(hdr->addr1)) {
1057 if (ieee80211_has_tods(hdr->frame_control) ||
1058 !ieee80211_has_fromds(hdr->frame_control))
1059 return RX_DROP;
1060 if (ether_addr_equal(hdr->addr3, dev_addr))
1061 return RX_DROP;
1062 } else {
1063 if (!ieee80211_has_a4(hdr->frame_control))
1064 return RX_DROP;
1065 if (ether_addr_equal(hdr->addr4, dev_addr))
1066 return RX_DROP;
1067 }
1068 }
1069
1070 /* If there is not an established peer link and this is not a peer link
1071 * establisment frame, beacon or probe, drop the frame.
1072 */
1073
1074 if (!rx->sta || sta_plink_state(rx->sta) != NL80211_PLINK_ESTAB) {
1075 struct ieee80211_mgmt *mgmt;
1076
1077 if (!ieee80211_is_mgmt(hdr->frame_control))
1078 return RX_DROP;
1079
1080 if (ieee80211_is_action(hdr->frame_control)) {
1081 u8 category;
1082
1083 /* make sure category field is present */
1084 if (rx->skb->len < IEEE80211_MIN_ACTION_SIZE)
1085 return RX_DROP;
1086
1087 mgmt = (struct ieee80211_mgmt *)hdr;
1088 category = mgmt->u.action.category;
1089 if (category != WLAN_CATEGORY_MESH_ACTION &&
1090 category != WLAN_CATEGORY_SELF_PROTECTED)
1091 return RX_DROP;
1092 return RX_CONTINUE;
1093 }
1094
1095 if (ieee80211_is_probe_req(hdr->frame_control) ||
1096 ieee80211_is_probe_resp(hdr->frame_control) ||
1097 ieee80211_is_beacon(hdr->frame_control) ||
1098 ieee80211_is_auth(hdr->frame_control))
1099 return RX_CONTINUE;
1100
1101 return RX_DROP;
1102 }
1103
1104 return RX_CONTINUE;
1105 }
1106
ieee80211_rx_reorder_ready(struct tid_ampdu_rx * tid_agg_rx,int index)1107 static inline bool ieee80211_rx_reorder_ready(struct tid_ampdu_rx *tid_agg_rx,
1108 int index)
1109 {
1110 struct sk_buff_head *frames = &tid_agg_rx->reorder_buf[index];
1111 struct sk_buff *tail = skb_peek_tail(frames);
1112 struct ieee80211_rx_status *status;
1113
1114 if (tid_agg_rx->reorder_buf_filtered &&
1115 tid_agg_rx->reorder_buf_filtered & BIT_ULL(index))
1116 return true;
1117
1118 if (!tail)
1119 return false;
1120
1121 status = IEEE80211_SKB_RXCB(tail);
1122 if (status->flag & RX_FLAG_AMSDU_MORE)
1123 return false;
1124
1125 return true;
1126 }
1127
ieee80211_release_reorder_frame(struct ieee80211_sub_if_data * sdata,struct tid_ampdu_rx * tid_agg_rx,int index,struct sk_buff_head * frames)1128 static void ieee80211_release_reorder_frame(struct ieee80211_sub_if_data *sdata,
1129 struct tid_ampdu_rx *tid_agg_rx,
1130 int index,
1131 struct sk_buff_head *frames)
1132 {
1133 struct sk_buff_head *skb_list = &tid_agg_rx->reorder_buf[index];
1134 struct sk_buff *skb;
1135 struct ieee80211_rx_status *status;
1136
1137 lockdep_assert_held(&tid_agg_rx->reorder_lock);
1138
1139 if (skb_queue_empty(skb_list))
1140 goto no_frame;
1141
1142 if (!ieee80211_rx_reorder_ready(tid_agg_rx, index)) {
1143 __skb_queue_purge(skb_list);
1144 goto no_frame;
1145 }
1146
1147 /* release frames from the reorder ring buffer */
1148 tid_agg_rx->stored_mpdu_num--;
1149 while ((skb = __skb_dequeue(skb_list))) {
1150 status = IEEE80211_SKB_RXCB(skb);
1151 status->rx_flags |= IEEE80211_RX_DEFERRED_RELEASE;
1152 __skb_queue_tail(frames, skb);
1153 }
1154
1155 no_frame:
1156 if (tid_agg_rx->reorder_buf_filtered)
1157 tid_agg_rx->reorder_buf_filtered &= ~BIT_ULL(index);
1158 tid_agg_rx->head_seq_num = ieee80211_sn_inc(tid_agg_rx->head_seq_num);
1159 }
1160
ieee80211_release_reorder_frames(struct ieee80211_sub_if_data * sdata,struct tid_ampdu_rx * tid_agg_rx,u16 head_seq_num,struct sk_buff_head * frames)1161 static void ieee80211_release_reorder_frames(struct ieee80211_sub_if_data *sdata,
1162 struct tid_ampdu_rx *tid_agg_rx,
1163 u16 head_seq_num,
1164 struct sk_buff_head *frames)
1165 {
1166 int index;
1167
1168 lockdep_assert_held(&tid_agg_rx->reorder_lock);
1169
1170 while (ieee80211_sn_less(tid_agg_rx->head_seq_num, head_seq_num)) {
1171 index = tid_agg_rx->head_seq_num % tid_agg_rx->buf_size;
1172 ieee80211_release_reorder_frame(sdata, tid_agg_rx, index,
1173 frames);
1174 }
1175 }
1176
1177 /*
1178 * Timeout (in jiffies) for skb's that are waiting in the RX reorder buffer. If
1179 * the skb was added to the buffer longer than this time ago, the earlier
1180 * frames that have not yet been received are assumed to be lost and the skb
1181 * can be released for processing. This may also release other skb's from the
1182 * reorder buffer if there are no additional gaps between the frames.
1183 *
1184 * Callers must hold tid_agg_rx->reorder_lock.
1185 */
1186 #define HT_RX_REORDER_BUF_TIMEOUT (HZ / 10)
1187
ieee80211_sta_reorder_release(struct ieee80211_sub_if_data * sdata,struct tid_ampdu_rx * tid_agg_rx,struct sk_buff_head * frames)1188 static void ieee80211_sta_reorder_release(struct ieee80211_sub_if_data *sdata,
1189 struct tid_ampdu_rx *tid_agg_rx,
1190 struct sk_buff_head *frames)
1191 {
1192 int index, i, j;
1193
1194 lockdep_assert_held(&tid_agg_rx->reorder_lock);
1195
1196 /* release the buffer until next missing frame */
1197 index = tid_agg_rx->head_seq_num % tid_agg_rx->buf_size;
1198 if (!ieee80211_rx_reorder_ready(tid_agg_rx, index) &&
1199 tid_agg_rx->stored_mpdu_num) {
1200 /*
1201 * No buffers ready to be released, but check whether any
1202 * frames in the reorder buffer have timed out.
1203 */
1204 int skipped = 1;
1205 for (j = (index + 1) % tid_agg_rx->buf_size; j != index;
1206 j = (j + 1) % tid_agg_rx->buf_size) {
1207 if (!ieee80211_rx_reorder_ready(tid_agg_rx, j)) {
1208 skipped++;
1209 continue;
1210 }
1211 if (skipped &&
1212 !time_after(jiffies, tid_agg_rx->reorder_time[j] +
1213 HT_RX_REORDER_BUF_TIMEOUT))
1214 goto set_release_timer;
1215
1216 /* don't leave incomplete A-MSDUs around */
1217 for (i = (index + 1) % tid_agg_rx->buf_size; i != j;
1218 i = (i + 1) % tid_agg_rx->buf_size)
1219 __skb_queue_purge(&tid_agg_rx->reorder_buf[i]);
1220
1221 ht_dbg_ratelimited(sdata,
1222 "release an RX reorder frame due to timeout on earlier frames\n");
1223 ieee80211_release_reorder_frame(sdata, tid_agg_rx, j,
1224 frames);
1225
1226 /*
1227 * Increment the head seq# also for the skipped slots.
1228 */
1229 tid_agg_rx->head_seq_num =
1230 (tid_agg_rx->head_seq_num +
1231 skipped) & IEEE80211_SN_MASK;
1232 skipped = 0;
1233 }
1234 } else while (ieee80211_rx_reorder_ready(tid_agg_rx, index)) {
1235 ieee80211_release_reorder_frame(sdata, tid_agg_rx, index,
1236 frames);
1237 index = tid_agg_rx->head_seq_num % tid_agg_rx->buf_size;
1238 }
1239
1240 if (tid_agg_rx->stored_mpdu_num) {
1241 j = index = tid_agg_rx->head_seq_num % tid_agg_rx->buf_size;
1242
1243 for (; j != (index - 1) % tid_agg_rx->buf_size;
1244 j = (j + 1) % tid_agg_rx->buf_size) {
1245 if (ieee80211_rx_reorder_ready(tid_agg_rx, j))
1246 break;
1247 }
1248
1249 set_release_timer:
1250
1251 if (!tid_agg_rx->removed)
1252 mod_timer(&tid_agg_rx->reorder_timer,
1253 tid_agg_rx->reorder_time[j] + 1 +
1254 HT_RX_REORDER_BUF_TIMEOUT);
1255 } else {
1256 timer_delete(&tid_agg_rx->reorder_timer);
1257 }
1258 }
1259
1260 /*
1261 * As this function belongs to the RX path it must be under
1262 * rcu_read_lock protection. It returns false if the frame
1263 * can be processed immediately, true if it was consumed.
1264 */
ieee80211_sta_manage_reorder_buf(struct ieee80211_sub_if_data * sdata,struct tid_ampdu_rx * tid_agg_rx,struct sk_buff * skb,struct sk_buff_head * frames)1265 static bool ieee80211_sta_manage_reorder_buf(struct ieee80211_sub_if_data *sdata,
1266 struct tid_ampdu_rx *tid_agg_rx,
1267 struct sk_buff *skb,
1268 struct sk_buff_head *frames)
1269 {
1270 struct ieee80211_hdr *hdr = (struct ieee80211_hdr *) skb->data;
1271 struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(skb);
1272 u16 mpdu_seq_num = ieee80211_get_sn(hdr);
1273 u16 head_seq_num, buf_size;
1274 int index;
1275 bool ret = true;
1276
1277 spin_lock(&tid_agg_rx->reorder_lock);
1278
1279 /*
1280 * Offloaded BA sessions have no known starting sequence number so pick
1281 * one from first Rxed frame for this tid after BA was started.
1282 */
1283 if (unlikely(tid_agg_rx->auto_seq)) {
1284 tid_agg_rx->auto_seq = false;
1285 tid_agg_rx->ssn = mpdu_seq_num;
1286 tid_agg_rx->head_seq_num = mpdu_seq_num;
1287 }
1288
1289 buf_size = tid_agg_rx->buf_size;
1290 head_seq_num = tid_agg_rx->head_seq_num;
1291
1292 /*
1293 * If the current MPDU's SN is smaller than the SSN, it shouldn't
1294 * be reordered.
1295 */
1296 if (unlikely(!tid_agg_rx->started)) {
1297 if (ieee80211_sn_less(mpdu_seq_num, head_seq_num)) {
1298 ret = false;
1299 goto out;
1300 }
1301 tid_agg_rx->started = true;
1302 }
1303
1304 /* frame with out of date sequence number */
1305 if (ieee80211_sn_less(mpdu_seq_num, head_seq_num)) {
1306 dev_kfree_skb(skb);
1307 goto out;
1308 }
1309
1310 /*
1311 * If frame the sequence number exceeds our buffering window
1312 * size release some previous frames to make room for this one.
1313 */
1314 if (!ieee80211_sn_less(mpdu_seq_num, head_seq_num + buf_size)) {
1315 head_seq_num = ieee80211_sn_inc(
1316 ieee80211_sn_sub(mpdu_seq_num, buf_size));
1317 /* release stored frames up to new head to stack */
1318 ieee80211_release_reorder_frames(sdata, tid_agg_rx,
1319 head_seq_num, frames);
1320 }
1321
1322 /* Now the new frame is always in the range of the reordering buffer */
1323
1324 index = mpdu_seq_num % tid_agg_rx->buf_size;
1325
1326 /* check if we already stored this frame */
1327 if (ieee80211_rx_reorder_ready(tid_agg_rx, index)) {
1328 dev_kfree_skb(skb);
1329 goto out;
1330 }
1331
1332 /*
1333 * If the current MPDU is in the right order and nothing else
1334 * is stored we can process it directly, no need to buffer it.
1335 * If it is first but there's something stored, we may be able
1336 * to release frames after this one.
1337 */
1338 if (mpdu_seq_num == tid_agg_rx->head_seq_num &&
1339 tid_agg_rx->stored_mpdu_num == 0) {
1340 if (!(status->flag & RX_FLAG_AMSDU_MORE))
1341 tid_agg_rx->head_seq_num =
1342 ieee80211_sn_inc(tid_agg_rx->head_seq_num);
1343 ret = false;
1344 goto out;
1345 }
1346
1347 /* put the frame in the reordering buffer */
1348 __skb_queue_tail(&tid_agg_rx->reorder_buf[index], skb);
1349 if (!(status->flag & RX_FLAG_AMSDU_MORE)) {
1350 tid_agg_rx->reorder_time[index] = jiffies;
1351 tid_agg_rx->stored_mpdu_num++;
1352 ieee80211_sta_reorder_release(sdata, tid_agg_rx, frames);
1353 }
1354
1355 out:
1356 spin_unlock(&tid_agg_rx->reorder_lock);
1357 return ret;
1358 }
1359
1360 /*
1361 * Reorder MPDUs from A-MPDUs, keeping them on a buffer. Returns
1362 * true if the MPDU was buffered, false if it should be processed.
1363 */
ieee80211_rx_reorder_ampdu(struct ieee80211_rx_data * rx,struct sk_buff_head * frames)1364 static void ieee80211_rx_reorder_ampdu(struct ieee80211_rx_data *rx,
1365 struct sk_buff_head *frames)
1366 {
1367 struct sk_buff *skb = rx->skb;
1368 struct ieee80211_hdr *hdr = (struct ieee80211_hdr *) skb->data;
1369 struct sta_info *sta = rx->sta;
1370 struct tid_ampdu_rx *tid_agg_rx;
1371 u16 sc;
1372 u8 tid, ack_policy;
1373
1374 if (!ieee80211_is_data_qos(hdr->frame_control) ||
1375 is_multicast_ether_addr(hdr->addr1))
1376 goto dont_reorder;
1377
1378 /*
1379 * filter the QoS data rx stream according to
1380 * STA/TID and check if this STA/TID is on aggregation
1381 */
1382
1383 if (!sta)
1384 goto dont_reorder;
1385
1386 ack_policy = *ieee80211_get_qos_ctl(hdr) &
1387 IEEE80211_QOS_CTL_ACK_POLICY_MASK;
1388 tid = ieee80211_get_tid(hdr);
1389
1390 tid_agg_rx = rcu_dereference(sta->ampdu_mlme.tid_rx[tid]);
1391 if (!tid_agg_rx) {
1392 if (ack_policy == IEEE80211_QOS_CTL_ACK_POLICY_BLOCKACK &&
1393 !test_bit(tid, rx->sta->ampdu_mlme.agg_session_valid) &&
1394 !test_and_set_bit(tid, rx->sta->ampdu_mlme.unexpected_agg))
1395 ieee80211_send_delba(rx->sdata, rx->sta->sta.addr, tid,
1396 WLAN_BACK_RECIPIENT,
1397 WLAN_REASON_QSTA_REQUIRE_SETUP);
1398 goto dont_reorder;
1399 }
1400
1401 /* qos null data frames are excluded */
1402 if (unlikely(hdr->frame_control & cpu_to_le16(IEEE80211_STYPE_NULLFUNC)))
1403 goto dont_reorder;
1404
1405 /* not part of a BA session */
1406 if (ack_policy == IEEE80211_QOS_CTL_ACK_POLICY_NOACK)
1407 goto dont_reorder;
1408
1409 /* new, potentially un-ordered, ampdu frame - process it */
1410
1411 /* reset session timer */
1412 if (tid_agg_rx->timeout)
1413 tid_agg_rx->last_rx = jiffies;
1414
1415 /* if this mpdu is fragmented - terminate rx aggregation session */
1416 sc = le16_to_cpu(hdr->seq_ctrl);
1417 if (sc & IEEE80211_SCTL_FRAG) {
1418 ieee80211_queue_skb_to_iface(rx->sdata, rx->link_id, NULL, skb);
1419 return;
1420 }
1421
1422 /*
1423 * No locking needed -- we will only ever process one
1424 * RX packet at a time, and thus own tid_agg_rx. All
1425 * other code manipulating it needs to (and does) make
1426 * sure that we cannot get to it any more before doing
1427 * anything with it.
1428 */
1429 if (ieee80211_sta_manage_reorder_buf(rx->sdata, tid_agg_rx, skb,
1430 frames))
1431 return;
1432
1433 dont_reorder:
1434 __skb_queue_tail(frames, skb);
1435 }
1436
1437 static ieee80211_rx_result debug_noinline
ieee80211_rx_h_check_dup(struct ieee80211_rx_data * rx)1438 ieee80211_rx_h_check_dup(struct ieee80211_rx_data *rx)
1439 {
1440 struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)rx->skb->data;
1441 struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(rx->skb);
1442
1443 if (status->flag & RX_FLAG_DUP_VALIDATED)
1444 return RX_CONTINUE;
1445
1446 /*
1447 * Drop duplicate 802.11 retransmissions
1448 * (IEEE 802.11-2012: 9.3.2.10 "Duplicate detection and recovery")
1449 */
1450
1451 if (rx->skb->len < 24)
1452 return RX_CONTINUE;
1453
1454 if (ieee80211_is_ctl(hdr->frame_control) ||
1455 ieee80211_is_any_nullfunc(hdr->frame_control))
1456 return RX_CONTINUE;
1457
1458 if (!rx->sta)
1459 return RX_CONTINUE;
1460
1461 if (unlikely(is_multicast_ether_addr(hdr->addr1))) {
1462 struct ieee80211_sub_if_data *sdata = rx->sdata;
1463 u16 sn = ieee80211_get_sn(hdr);
1464
1465 if (!ieee80211_is_data_present(hdr->frame_control))
1466 return RX_CONTINUE;
1467
1468 if (!ieee80211_vif_is_mld(&sdata->vif) ||
1469 sdata->vif.type != NL80211_IFTYPE_STATION)
1470 return RX_CONTINUE;
1471
1472 if (sdata->u.mgd.mcast_seq_last != IEEE80211_SN_MODULO &&
1473 ieee80211_sn_less_eq(sn, sdata->u.mgd.mcast_seq_last))
1474 return RX_DROP_U_DUP;
1475
1476 sdata->u.mgd.mcast_seq_last = sn;
1477 return RX_CONTINUE;
1478 }
1479
1480 if (unlikely(ieee80211_has_retry(hdr->frame_control) &&
1481 rx->sta->last_seq_ctrl[rx->seqno_idx] == hdr->seq_ctrl)) {
1482 I802_DEBUG_INC(rx->local->dot11FrameDuplicateCount);
1483 rx->link_sta->rx_stats.num_duplicates++;
1484 return RX_DROP_U_DUP;
1485 } else if (!(status->flag & RX_FLAG_AMSDU_MORE)) {
1486 rx->sta->last_seq_ctrl[rx->seqno_idx] = hdr->seq_ctrl;
1487 }
1488
1489 return RX_CONTINUE;
1490 }
1491
1492 static ieee80211_rx_result debug_noinline
ieee80211_rx_h_check(struct ieee80211_rx_data * rx)1493 ieee80211_rx_h_check(struct ieee80211_rx_data *rx)
1494 {
1495 struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)rx->skb->data;
1496
1497 /* Drop disallowed frame classes based on STA auth/assoc state;
1498 * IEEE 802.11, Chap 5.5.
1499 *
1500 * mac80211 filters only based on association state, i.e. it drops
1501 * Class 3 frames from not associated stations. hostapd sends
1502 * deauth/disassoc frames when needed. In addition, hostapd is
1503 * responsible for filtering on both auth and assoc states.
1504 */
1505
1506 if (ieee80211_vif_is_mesh(&rx->sdata->vif))
1507 return ieee80211_rx_mesh_check(rx);
1508
1509 if (unlikely((ieee80211_is_data(hdr->frame_control) ||
1510 ieee80211_is_pspoll(hdr->frame_control)) &&
1511 rx->sdata->vif.type != NL80211_IFTYPE_ADHOC &&
1512 rx->sdata->vif.type != NL80211_IFTYPE_OCB &&
1513 (!rx->sta || !test_sta_flag(rx->sta, WLAN_STA_ASSOC)))) {
1514 /*
1515 * accept port control frames from the AP even when it's not
1516 * yet marked ASSOC to prevent a race where we don't set the
1517 * assoc bit quickly enough before it sends the first frame
1518 */
1519 if (rx->sta && rx->sdata->vif.type == NL80211_IFTYPE_STATION &&
1520 ieee80211_is_data_present(hdr->frame_control)) {
1521 unsigned int hdrlen;
1522 __be16 ethertype;
1523
1524 hdrlen = ieee80211_hdrlen(hdr->frame_control);
1525
1526 if (rx->skb->len < hdrlen + 8)
1527 return RX_DROP;
1528
1529 skb_copy_bits(rx->skb, hdrlen + 6, ðertype, 2);
1530 if (ethertype == rx->sdata->control_port_protocol)
1531 return RX_CONTINUE;
1532 }
1533
1534 if (rx->sdata->vif.type == NL80211_IFTYPE_AP &&
1535 cfg80211_rx_spurious_frame(rx->sdata->dev, hdr->addr2,
1536 rx->link_id, GFP_ATOMIC))
1537 return RX_DROP_U_SPURIOUS;
1538
1539 return RX_DROP;
1540 }
1541
1542 return RX_CONTINUE;
1543 }
1544
1545
1546 static ieee80211_rx_result debug_noinline
ieee80211_rx_h_check_more_data(struct ieee80211_rx_data * rx)1547 ieee80211_rx_h_check_more_data(struct ieee80211_rx_data *rx)
1548 {
1549 struct ieee80211_local *local;
1550 struct ieee80211_hdr *hdr;
1551 struct sk_buff *skb;
1552
1553 local = rx->local;
1554 skb = rx->skb;
1555 hdr = (struct ieee80211_hdr *) skb->data;
1556
1557 if (!local->pspolling)
1558 return RX_CONTINUE;
1559
1560 if (!ieee80211_has_fromds(hdr->frame_control))
1561 /* this is not from AP */
1562 return RX_CONTINUE;
1563
1564 if (!ieee80211_is_data(hdr->frame_control))
1565 return RX_CONTINUE;
1566
1567 if (!ieee80211_has_moredata(hdr->frame_control)) {
1568 /* AP has no more frames buffered for us */
1569 local->pspolling = false;
1570 return RX_CONTINUE;
1571 }
1572
1573 /* more data bit is set, let's request a new frame from the AP */
1574 ieee80211_send_pspoll(local, rx->sdata);
1575
1576 return RX_CONTINUE;
1577 }
1578
sta_ps_start(struct sta_info * sta)1579 static void sta_ps_start(struct sta_info *sta)
1580 {
1581 struct ieee80211_sub_if_data *sdata = sta->sdata;
1582 struct ieee80211_local *local = sdata->local;
1583 struct ps_data *ps;
1584 int tid;
1585
1586 if (sta->sdata->vif.type == NL80211_IFTYPE_AP ||
1587 sta->sdata->vif.type == NL80211_IFTYPE_AP_VLAN)
1588 ps = &sdata->bss->ps;
1589 else
1590 return;
1591
1592 atomic_inc(&ps->num_sta_ps);
1593 set_sta_flag(sta, WLAN_STA_PS_STA);
1594 if (!ieee80211_hw_check(&local->hw, AP_LINK_PS))
1595 drv_sta_notify(local, sdata, STA_NOTIFY_SLEEP, &sta->sta);
1596 ps_dbg(sdata, "STA %pM aid %d enters power save mode\n",
1597 sta->sta.addr, sta->sta.aid);
1598
1599 ieee80211_clear_fast_xmit(sta);
1600
1601 for (tid = 0; tid < IEEE80211_NUM_TIDS; tid++) {
1602 struct ieee80211_txq *txq = sta->sta.txq[tid];
1603 struct txq_info *txqi = to_txq_info(txq);
1604
1605 spin_lock(&local->active_txq_lock[txq->ac]);
1606 if (!list_empty(&txqi->schedule_order))
1607 list_del_init(&txqi->schedule_order);
1608 spin_unlock(&local->active_txq_lock[txq->ac]);
1609
1610 if (txq_has_queue(txq))
1611 set_bit(tid, &sta->txq_buffered_tids);
1612 else
1613 clear_bit(tid, &sta->txq_buffered_tids);
1614 }
1615 }
1616
sta_ps_end(struct sta_info * sta)1617 static void sta_ps_end(struct sta_info *sta)
1618 {
1619 ps_dbg(sta->sdata, "STA %pM aid %d exits power save mode\n",
1620 sta->sta.addr, sta->sta.aid);
1621
1622 if (test_sta_flag(sta, WLAN_STA_PS_DRIVER)) {
1623 /*
1624 * Clear the flag only if the other one is still set
1625 * so that the TX path won't start TX'ing new frames
1626 * directly ... In the case that the driver flag isn't
1627 * set ieee80211_sta_ps_deliver_wakeup() will clear it.
1628 */
1629 clear_sta_flag(sta, WLAN_STA_PS_STA);
1630 ps_dbg(sta->sdata, "STA %pM aid %d driver-ps-blocked\n",
1631 sta->sta.addr, sta->sta.aid);
1632 return;
1633 }
1634
1635 set_sta_flag(sta, WLAN_STA_PS_DELIVER);
1636 clear_sta_flag(sta, WLAN_STA_PS_STA);
1637 ieee80211_sta_ps_deliver_wakeup(sta);
1638 }
1639
ieee80211_sta_ps_transition(struct ieee80211_sta * pubsta,bool start)1640 int ieee80211_sta_ps_transition(struct ieee80211_sta *pubsta, bool start)
1641 {
1642 struct sta_info *sta = container_of(pubsta, struct sta_info, sta);
1643 bool in_ps;
1644
1645 WARN_ON(!ieee80211_hw_check(&sta->local->hw, AP_LINK_PS));
1646
1647 /* Don't let the same PS state be set twice */
1648 in_ps = test_sta_flag(sta, WLAN_STA_PS_STA);
1649 if ((start && in_ps) || (!start && !in_ps))
1650 return -EINVAL;
1651
1652 if (start)
1653 sta_ps_start(sta);
1654 else
1655 sta_ps_end(sta);
1656
1657 return 0;
1658 }
1659 EXPORT_SYMBOL(ieee80211_sta_ps_transition);
1660
ieee80211_sta_pspoll(struct ieee80211_sta * pubsta)1661 void ieee80211_sta_pspoll(struct ieee80211_sta *pubsta)
1662 {
1663 struct sta_info *sta = container_of(pubsta, struct sta_info, sta);
1664
1665 if (test_sta_flag(sta, WLAN_STA_SP))
1666 return;
1667
1668 if (!test_sta_flag(sta, WLAN_STA_PS_DRIVER))
1669 ieee80211_sta_ps_deliver_poll_response(sta);
1670 else
1671 set_sta_flag(sta, WLAN_STA_PSPOLL);
1672 }
1673 EXPORT_SYMBOL(ieee80211_sta_pspoll);
1674
ieee80211_sta_uapsd_trigger(struct ieee80211_sta * pubsta,u8 tid)1675 void ieee80211_sta_uapsd_trigger(struct ieee80211_sta *pubsta, u8 tid)
1676 {
1677 struct sta_info *sta = container_of(pubsta, struct sta_info, sta);
1678 int ac = ieee80211_ac_from_tid(tid);
1679
1680 /*
1681 * If this AC is not trigger-enabled do nothing unless the
1682 * driver is calling us after it already checked.
1683 *
1684 * NB: This could/should check a separate bitmap of trigger-
1685 * enabled queues, but for now we only implement uAPSD w/o
1686 * TSPEC changes to the ACs, so they're always the same.
1687 */
1688 if (!(sta->sta.uapsd_queues & ieee80211_ac_to_qos_mask[ac]) &&
1689 tid != IEEE80211_NUM_TIDS)
1690 return;
1691
1692 /* if we are in a service period, do nothing */
1693 if (test_sta_flag(sta, WLAN_STA_SP))
1694 return;
1695
1696 if (!test_sta_flag(sta, WLAN_STA_PS_DRIVER))
1697 ieee80211_sta_ps_deliver_uapsd(sta);
1698 else
1699 set_sta_flag(sta, WLAN_STA_UAPSD);
1700 }
1701 EXPORT_SYMBOL(ieee80211_sta_uapsd_trigger);
1702
1703 static ieee80211_rx_result debug_noinline
ieee80211_rx_h_uapsd_and_pspoll(struct ieee80211_rx_data * rx)1704 ieee80211_rx_h_uapsd_and_pspoll(struct ieee80211_rx_data *rx)
1705 {
1706 struct ieee80211_sub_if_data *sdata = rx->sdata;
1707 struct ieee80211_hdr *hdr = (void *)rx->skb->data;
1708 struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(rx->skb);
1709
1710 if (!rx->sta)
1711 return RX_CONTINUE;
1712
1713 if (sdata->vif.type != NL80211_IFTYPE_AP &&
1714 sdata->vif.type != NL80211_IFTYPE_AP_VLAN)
1715 return RX_CONTINUE;
1716
1717 /*
1718 * The device handles station powersave, so don't do anything about
1719 * uAPSD and PS-Poll frames (the latter shouldn't even come up from
1720 * it to mac80211 since they're handled.)
1721 */
1722 if (ieee80211_hw_check(&sdata->local->hw, AP_LINK_PS))
1723 return RX_CONTINUE;
1724
1725 /*
1726 * Don't do anything if the station isn't already asleep. In
1727 * the uAPSD case, the station will probably be marked asleep,
1728 * in the PS-Poll case the station must be confused ...
1729 */
1730 if (!test_sta_flag(rx->sta, WLAN_STA_PS_STA))
1731 return RX_CONTINUE;
1732
1733 if (unlikely(ieee80211_is_pspoll(hdr->frame_control))) {
1734 ieee80211_sta_pspoll(&rx->sta->sta);
1735
1736 /* Free PS Poll skb here instead of returning RX_DROP that would
1737 * count as an dropped frame. */
1738 dev_kfree_skb(rx->skb);
1739
1740 return RX_QUEUED;
1741 } else if (!ieee80211_has_morefrags(hdr->frame_control) &&
1742 !(status->rx_flags & IEEE80211_RX_DEFERRED_RELEASE) &&
1743 ieee80211_has_pm(hdr->frame_control) &&
1744 (ieee80211_is_data_qos(hdr->frame_control) ||
1745 ieee80211_is_qos_nullfunc(hdr->frame_control))) {
1746 u8 tid = ieee80211_get_tid(hdr);
1747
1748 ieee80211_sta_uapsd_trigger(&rx->sta->sta, tid);
1749 }
1750
1751 return RX_CONTINUE;
1752 }
1753
1754 static ieee80211_rx_result debug_noinline
ieee80211_rx_h_sta_process(struct ieee80211_rx_data * rx)1755 ieee80211_rx_h_sta_process(struct ieee80211_rx_data *rx)
1756 {
1757 struct sta_info *sta = rx->sta;
1758 struct link_sta_info *link_sta = rx->link_sta;
1759 struct sk_buff *skb = rx->skb;
1760 struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(skb);
1761 struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)skb->data;
1762 int i;
1763
1764 if (!sta || !link_sta)
1765 return RX_CONTINUE;
1766
1767 /*
1768 * Update last_rx only for IBSS packets which are for the current
1769 * BSSID and for station already AUTHORIZED to avoid keeping the
1770 * current IBSS network alive in cases where other STAs start
1771 * using different BSSID. This will also give the station another
1772 * chance to restart the authentication/authorization in case
1773 * something went wrong the first time.
1774 */
1775 if (rx->sdata->vif.type == NL80211_IFTYPE_ADHOC) {
1776 u8 *bssid = ieee80211_get_bssid(hdr, rx->skb->len,
1777 NL80211_IFTYPE_ADHOC);
1778 if (ether_addr_equal(bssid, rx->sdata->u.ibss.bssid) &&
1779 test_sta_flag(sta, WLAN_STA_AUTHORIZED)) {
1780 link_sta->rx_stats.last_rx = jiffies;
1781 if (ieee80211_is_data_present(hdr->frame_control) &&
1782 !is_multicast_ether_addr(hdr->addr1))
1783 link_sta->rx_stats.last_rate =
1784 sta_stats_encode_rate(status);
1785 }
1786 } else if (rx->sdata->vif.type == NL80211_IFTYPE_OCB) {
1787 link_sta->rx_stats.last_rx = jiffies;
1788 } else if (!ieee80211_is_s1g_beacon(hdr->frame_control) &&
1789 !is_multicast_ether_addr(hdr->addr1)) {
1790 /*
1791 * Mesh beacons will update last_rx when if they are found to
1792 * match the current local configuration when processed.
1793 */
1794 link_sta->rx_stats.last_rx = jiffies;
1795 if (ieee80211_is_data_present(hdr->frame_control))
1796 link_sta->rx_stats.last_rate = sta_stats_encode_rate(status);
1797 }
1798
1799 link_sta->rx_stats.fragments++;
1800
1801 u64_stats_update_begin(&link_sta->rx_stats.syncp);
1802 link_sta->rx_stats.bytes += rx->skb->len;
1803 u64_stats_update_end(&link_sta->rx_stats.syncp);
1804
1805 if (!(status->flag & RX_FLAG_NO_SIGNAL_VAL)) {
1806 link_sta->rx_stats.last_signal = status->signal;
1807 ewma_signal_add(&link_sta->rx_stats_avg.signal,
1808 -status->signal);
1809 }
1810
1811 if (status->chains) {
1812 link_sta->rx_stats.chains = status->chains;
1813 for (i = 0; i < ARRAY_SIZE(status->chain_signal); i++) {
1814 int signal = status->chain_signal[i];
1815
1816 if (!(status->chains & BIT(i)))
1817 continue;
1818
1819 link_sta->rx_stats.chain_signal_last[i] = signal;
1820 ewma_signal_add(&link_sta->rx_stats_avg.chain_signal[i],
1821 -signal);
1822 }
1823 }
1824
1825 if (ieee80211_is_s1g_beacon(hdr->frame_control))
1826 return RX_CONTINUE;
1827
1828 /*
1829 * Change STA power saving mode only at the end of a frame
1830 * exchange sequence, and only for a data or management
1831 * frame as specified in IEEE 802.11-2016 11.2.3.2
1832 */
1833 if (!ieee80211_hw_check(&sta->local->hw, AP_LINK_PS) &&
1834 !ieee80211_has_morefrags(hdr->frame_control) &&
1835 !is_multicast_ether_addr(hdr->addr1) &&
1836 (ieee80211_is_mgmt(hdr->frame_control) ||
1837 ieee80211_is_data(hdr->frame_control)) &&
1838 !(status->rx_flags & IEEE80211_RX_DEFERRED_RELEASE) &&
1839 (rx->sdata->vif.type == NL80211_IFTYPE_AP ||
1840 rx->sdata->vif.type == NL80211_IFTYPE_AP_VLAN)) {
1841 if (test_sta_flag(sta, WLAN_STA_PS_STA)) {
1842 if (!ieee80211_has_pm(hdr->frame_control))
1843 sta_ps_end(sta);
1844 } else {
1845 if (ieee80211_has_pm(hdr->frame_control))
1846 sta_ps_start(sta);
1847 }
1848 }
1849
1850 /* mesh power save support */
1851 if (ieee80211_vif_is_mesh(&rx->sdata->vif))
1852 ieee80211_mps_rx_h_sta_process(sta, hdr);
1853
1854 /*
1855 * Drop (qos-)data::nullfunc frames silently, since they
1856 * are used only to control station power saving mode.
1857 */
1858 if (ieee80211_is_any_nullfunc(hdr->frame_control)) {
1859 I802_DEBUG_INC(rx->local->rx_handlers_drop_nullfunc);
1860
1861 /*
1862 * If we receive a 4-addr nullfunc frame from a STA
1863 * that was not moved to a 4-addr STA vlan yet send
1864 * the event to userspace and for older hostapd drop
1865 * the frame to the monitor interface.
1866 */
1867 if (ieee80211_has_a4(hdr->frame_control) &&
1868 (rx->sdata->vif.type == NL80211_IFTYPE_AP ||
1869 (rx->sdata->vif.type == NL80211_IFTYPE_AP_VLAN &&
1870 !rx->sdata->u.vlan.sta))) {
1871 if (!test_and_set_sta_flag(sta, WLAN_STA_4ADDR_EVENT))
1872 cfg80211_rx_unexpected_4addr_frame(
1873 rx->sdata->dev, sta->sta.addr,
1874 rx->link_id, GFP_ATOMIC);
1875 return RX_DROP_U_UNEXPECTED_4ADDR_FRAME;
1876 }
1877 /*
1878 * Update counter and free packet here to avoid
1879 * counting this as a dropped packed.
1880 */
1881 link_sta->rx_stats.packets++;
1882 dev_kfree_skb(rx->skb);
1883 return RX_QUEUED;
1884 }
1885
1886 return RX_CONTINUE;
1887 } /* ieee80211_rx_h_sta_process */
1888
1889 static struct ieee80211_key *
ieee80211_rx_get_bigtk(struct ieee80211_rx_data * rx,int idx)1890 ieee80211_rx_get_bigtk(struct ieee80211_rx_data *rx, int idx)
1891 {
1892 struct ieee80211_key *key = NULL;
1893 int idx2;
1894
1895 /* Make sure key gets set if either BIGTK key index is set so that
1896 * ieee80211_drop_unencrypted_mgmt() can properly drop both unprotected
1897 * Beacon frames and Beacon frames that claim to use another BIGTK key
1898 * index (i.e., a key that we do not have).
1899 */
1900
1901 if (idx < 0) {
1902 idx = NUM_DEFAULT_KEYS + NUM_DEFAULT_MGMT_KEYS;
1903 idx2 = idx + 1;
1904 } else {
1905 if (idx == NUM_DEFAULT_KEYS + NUM_DEFAULT_MGMT_KEYS)
1906 idx2 = idx + 1;
1907 else
1908 idx2 = idx - 1;
1909 }
1910
1911 if (rx->link_sta)
1912 key = rcu_dereference(rx->link_sta->gtk[idx]);
1913 if (!key)
1914 key = rcu_dereference(rx->link->gtk[idx]);
1915 if (!key && rx->link_sta)
1916 key = rcu_dereference(rx->link_sta->gtk[idx2]);
1917 if (!key)
1918 key = rcu_dereference(rx->link->gtk[idx2]);
1919
1920 return key;
1921 }
1922
1923 static ieee80211_rx_result debug_noinline
ieee80211_rx_h_decrypt(struct ieee80211_rx_data * rx)1924 ieee80211_rx_h_decrypt(struct ieee80211_rx_data *rx)
1925 {
1926 struct sk_buff *skb = rx->skb;
1927 struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(skb);
1928 struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)skb->data;
1929 int keyidx;
1930 ieee80211_rx_result result = RX_DROP_U_DECRYPT_FAIL;
1931 struct ieee80211_key *sta_ptk = NULL;
1932 struct ieee80211_key *ptk_idx = NULL;
1933 int mmie_keyidx = -1;
1934 __le16 fc;
1935
1936 if (ieee80211_is_ext(hdr->frame_control))
1937 return RX_CONTINUE;
1938
1939 /*
1940 * Key selection 101
1941 *
1942 * There are five types of keys:
1943 * - GTK (group keys)
1944 * - IGTK (group keys for management frames)
1945 * - BIGTK (group keys for Beacon frames)
1946 * - PTK (pairwise keys)
1947 * - STK (station-to-station pairwise keys)
1948 *
1949 * When selecting a key, we have to distinguish between multicast
1950 * (including broadcast) and unicast frames, the latter can only
1951 * use PTKs and STKs while the former always use GTKs, IGTKs, and
1952 * BIGTKs. Unless, of course, actual WEP keys ("pre-RSNA") are used,
1953 * then unicast frames can also use key indices like GTKs. Hence, if we
1954 * don't have a PTK/STK we check the key index for a WEP key.
1955 *
1956 * Note that in a regular BSS, multicast frames are sent by the
1957 * AP only, associated stations unicast the frame to the AP first
1958 * which then multicasts it on their behalf.
1959 *
1960 * There is also a slight problem in IBSS mode: GTKs are negotiated
1961 * with each station, that is something we don't currently handle.
1962 * The spec seems to expect that one negotiates the same key with
1963 * every station but there's no such requirement; VLANs could be
1964 * possible.
1965 */
1966
1967 /* start without a key */
1968 rx->key = NULL;
1969 fc = hdr->frame_control;
1970
1971 if (rx->sta) {
1972 int keyid = rx->sta->ptk_idx;
1973 sta_ptk = rcu_dereference(rx->sta->ptk[keyid]);
1974
1975 if (ieee80211_has_protected(fc) &&
1976 !(status->flag & RX_FLAG_IV_STRIPPED)) {
1977 keyid = ieee80211_get_keyid(rx->skb);
1978
1979 if (unlikely(keyid < 0))
1980 return RX_DROP_U_NO_KEY_ID;
1981
1982 ptk_idx = rcu_dereference(rx->sta->ptk[keyid]);
1983 }
1984 }
1985
1986 if (!ieee80211_has_protected(fc))
1987 mmie_keyidx = ieee80211_get_mmie_keyidx(rx->skb);
1988
1989 if (!is_multicast_ether_addr(hdr->addr1) && sta_ptk) {
1990 rx->key = ptk_idx ? ptk_idx : sta_ptk;
1991 if ((status->flag & RX_FLAG_DECRYPTED) &&
1992 (status->flag & RX_FLAG_IV_STRIPPED))
1993 return RX_CONTINUE;
1994 /* Skip decryption if the frame is not protected. */
1995 if (!ieee80211_has_protected(fc))
1996 return RX_CONTINUE;
1997 } else if (mmie_keyidx >= 0 && ieee80211_is_beacon(fc)) {
1998 /* Broadcast/multicast robust management frame / BIP */
1999 if ((status->flag & RX_FLAG_DECRYPTED) &&
2000 (status->flag & RX_FLAG_IV_STRIPPED))
2001 return RX_CONTINUE;
2002
2003 if (mmie_keyidx < NUM_DEFAULT_KEYS + NUM_DEFAULT_MGMT_KEYS ||
2004 mmie_keyidx >= NUM_DEFAULT_KEYS + NUM_DEFAULT_MGMT_KEYS +
2005 NUM_DEFAULT_BEACON_KEYS) {
2006 if (rx->sdata->dev)
2007 cfg80211_rx_unprot_mlme_mgmt(rx->sdata->dev,
2008 skb->data,
2009 skb->len);
2010 return RX_DROP_U_BAD_BCN_KEYIDX;
2011 }
2012
2013 rx->key = ieee80211_rx_get_bigtk(rx, mmie_keyidx);
2014 if (!rx->key)
2015 return RX_CONTINUE; /* Beacon protection not in use */
2016 } else if (mmie_keyidx >= 0) {
2017 /* Broadcast/multicast robust management frame / BIP */
2018 if ((status->flag & RX_FLAG_DECRYPTED) &&
2019 (status->flag & RX_FLAG_IV_STRIPPED))
2020 return RX_CONTINUE;
2021
2022 if (mmie_keyidx < NUM_DEFAULT_KEYS ||
2023 mmie_keyidx >= NUM_DEFAULT_KEYS + NUM_DEFAULT_MGMT_KEYS)
2024 return RX_DROP_U_BAD_MGMT_KEYIDX; /* unexpected BIP keyidx */
2025 if (rx->link_sta) {
2026 if (ieee80211_is_group_privacy_action(skb) &&
2027 test_sta_flag(rx->sta, WLAN_STA_MFP))
2028 return RX_DROP;
2029
2030 rx->key = rcu_dereference(rx->link_sta->gtk[mmie_keyidx]);
2031 }
2032 if (!rx->key)
2033 rx->key = rcu_dereference(rx->link->gtk[mmie_keyidx]);
2034 } else if (!ieee80211_has_protected(fc)) {
2035 /*
2036 * The frame was not protected, so skip decryption. However, we
2037 * need to set rx->key if there is a key that could have been
2038 * used so that the frame may be dropped if encryption would
2039 * have been expected.
2040 */
2041 struct ieee80211_key *key = NULL;
2042 int i;
2043
2044 if (ieee80211_is_beacon(fc)) {
2045 key = ieee80211_rx_get_bigtk(rx, -1);
2046 } else if (ieee80211_is_mgmt(fc) &&
2047 is_multicast_ether_addr(hdr->addr1)) {
2048 key = rcu_dereference(rx->link->default_mgmt_key);
2049 } else {
2050 if (rx->link_sta) {
2051 for (i = 0; i < NUM_DEFAULT_KEYS; i++) {
2052 key = rcu_dereference(rx->link_sta->gtk[i]);
2053 if (key)
2054 break;
2055 }
2056 }
2057 if (!key) {
2058 for (i = 0; i < NUM_DEFAULT_KEYS; i++) {
2059 key = rcu_dereference(rx->link->gtk[i]);
2060 if (key)
2061 break;
2062 }
2063 }
2064 }
2065 if (key)
2066 rx->key = key;
2067 return RX_CONTINUE;
2068 } else {
2069 /*
2070 * The device doesn't give us the IV so we won't be
2071 * able to look up the key. That's ok though, we
2072 * don't need to decrypt the frame, we just won't
2073 * be able to keep statistics accurate.
2074 * Except for key threshold notifications, should
2075 * we somehow allow the driver to tell us which key
2076 * the hardware used if this flag is set?
2077 */
2078 if ((status->flag & RX_FLAG_DECRYPTED) &&
2079 (status->flag & RX_FLAG_IV_STRIPPED))
2080 return RX_CONTINUE;
2081
2082 keyidx = ieee80211_get_keyid(rx->skb);
2083
2084 if (unlikely(keyidx < 0))
2085 return RX_DROP_U_NO_KEY_ID;
2086
2087 /* check per-station GTK first, if multicast packet */
2088 if (is_multicast_ether_addr(hdr->addr1) && rx->link_sta)
2089 rx->key = rcu_dereference(rx->link_sta->gtk[keyidx]);
2090
2091 /* if not found, try default key */
2092 if (!rx->key) {
2093 if (is_multicast_ether_addr(hdr->addr1))
2094 rx->key = rcu_dereference(rx->link->gtk[keyidx]);
2095 if (!rx->key)
2096 rx->key = rcu_dereference(rx->sdata->keys[keyidx]);
2097
2098 /*
2099 * RSNA-protected unicast frames should always be
2100 * sent with pairwise or station-to-station keys,
2101 * but for WEP we allow using a key index as well.
2102 */
2103 if (rx->key &&
2104 rx->key->conf.cipher != WLAN_CIPHER_SUITE_WEP40 &&
2105 rx->key->conf.cipher != WLAN_CIPHER_SUITE_WEP104 &&
2106 !is_multicast_ether_addr(hdr->addr1))
2107 rx->key = NULL;
2108 }
2109 }
2110
2111 if (rx->key) {
2112 if (unlikely(rx->key->flags & KEY_FLAG_TAINTED))
2113 return RX_DROP;
2114
2115 /* TODO: add threshold stuff again */
2116 } else {
2117 return RX_DROP;
2118 }
2119
2120 switch (rx->key->conf.cipher) {
2121 case WLAN_CIPHER_SUITE_WEP40:
2122 case WLAN_CIPHER_SUITE_WEP104:
2123 result = ieee80211_crypto_wep_decrypt(rx);
2124 break;
2125 case WLAN_CIPHER_SUITE_TKIP:
2126 result = ieee80211_crypto_tkip_decrypt(rx);
2127 break;
2128 case WLAN_CIPHER_SUITE_CCMP:
2129 result = ieee80211_crypto_ccmp_decrypt(
2130 rx, IEEE80211_CCMP_MIC_LEN);
2131 break;
2132 case WLAN_CIPHER_SUITE_CCMP_256:
2133 result = ieee80211_crypto_ccmp_decrypt(
2134 rx, IEEE80211_CCMP_256_MIC_LEN);
2135 break;
2136 case WLAN_CIPHER_SUITE_AES_CMAC:
2137 result = ieee80211_crypto_aes_cmac_decrypt(rx);
2138 break;
2139 case WLAN_CIPHER_SUITE_BIP_CMAC_256:
2140 result = ieee80211_crypto_aes_cmac_256_decrypt(rx);
2141 break;
2142 case WLAN_CIPHER_SUITE_BIP_GMAC_128:
2143 case WLAN_CIPHER_SUITE_BIP_GMAC_256:
2144 result = ieee80211_crypto_aes_gmac_decrypt(rx);
2145 break;
2146 case WLAN_CIPHER_SUITE_GCMP:
2147 case WLAN_CIPHER_SUITE_GCMP_256:
2148 result = ieee80211_crypto_gcmp_decrypt(rx);
2149 break;
2150 default:
2151 result = RX_DROP_U_BAD_CIPHER;
2152 }
2153
2154 /* the hdr variable is invalid after the decrypt handlers */
2155
2156 /* either the frame has been decrypted or will be dropped */
2157 status->flag |= RX_FLAG_DECRYPTED;
2158
2159 if (unlikely(ieee80211_is_beacon(fc) && RX_RES_IS_UNUSABLE(result) &&
2160 rx->sdata->dev))
2161 cfg80211_rx_unprot_mlme_mgmt(rx->sdata->dev,
2162 skb->data, skb->len);
2163
2164 return result;
2165 }
2166
ieee80211_init_frag_cache(struct ieee80211_fragment_cache * cache)2167 void ieee80211_init_frag_cache(struct ieee80211_fragment_cache *cache)
2168 {
2169 int i;
2170
2171 for (i = 0; i < ARRAY_SIZE(cache->entries); i++)
2172 skb_queue_head_init(&cache->entries[i].skb_list);
2173 }
2174
ieee80211_destroy_frag_cache(struct ieee80211_fragment_cache * cache)2175 void ieee80211_destroy_frag_cache(struct ieee80211_fragment_cache *cache)
2176 {
2177 int i;
2178
2179 for (i = 0; i < ARRAY_SIZE(cache->entries); i++)
2180 __skb_queue_purge(&cache->entries[i].skb_list);
2181 }
2182
2183 static inline struct ieee80211_fragment_entry *
ieee80211_reassemble_add(struct ieee80211_fragment_cache * cache,unsigned int frag,unsigned int seq,int rx_queue,struct sk_buff ** skb)2184 ieee80211_reassemble_add(struct ieee80211_fragment_cache *cache,
2185 unsigned int frag, unsigned int seq, int rx_queue,
2186 struct sk_buff **skb)
2187 {
2188 struct ieee80211_fragment_entry *entry;
2189
2190 entry = &cache->entries[cache->next++];
2191 if (cache->next >= IEEE80211_FRAGMENT_MAX)
2192 cache->next = 0;
2193
2194 __skb_queue_purge(&entry->skb_list);
2195
2196 __skb_queue_tail(&entry->skb_list, *skb); /* no need for locking */
2197 *skb = NULL;
2198 entry->first_frag_time = jiffies;
2199 entry->seq = seq;
2200 entry->rx_queue = rx_queue;
2201 entry->last_frag = frag;
2202 entry->check_sequential_pn = false;
2203 entry->extra_len = 0;
2204
2205 return entry;
2206 }
2207
2208 static inline struct ieee80211_fragment_entry *
ieee80211_reassemble_find(struct ieee80211_fragment_cache * cache,unsigned int frag,unsigned int seq,int rx_queue,struct ieee80211_hdr * hdr)2209 ieee80211_reassemble_find(struct ieee80211_fragment_cache *cache,
2210 unsigned int frag, unsigned int seq,
2211 int rx_queue, struct ieee80211_hdr *hdr)
2212 {
2213 struct ieee80211_fragment_entry *entry;
2214 int i, idx;
2215
2216 idx = cache->next;
2217 for (i = 0; i < IEEE80211_FRAGMENT_MAX; i++) {
2218 struct ieee80211_hdr *f_hdr;
2219 struct sk_buff *f_skb;
2220
2221 idx--;
2222 if (idx < 0)
2223 idx = IEEE80211_FRAGMENT_MAX - 1;
2224
2225 entry = &cache->entries[idx];
2226 if (skb_queue_empty(&entry->skb_list) || entry->seq != seq ||
2227 entry->rx_queue != rx_queue ||
2228 entry->last_frag + 1 != frag)
2229 continue;
2230
2231 f_skb = __skb_peek(&entry->skb_list);
2232 f_hdr = (struct ieee80211_hdr *) f_skb->data;
2233
2234 /*
2235 * Check ftype and addresses are equal, else check next fragment
2236 */
2237 if (((hdr->frame_control ^ f_hdr->frame_control) &
2238 cpu_to_le16(IEEE80211_FCTL_FTYPE)) ||
2239 !ether_addr_equal(hdr->addr1, f_hdr->addr1) ||
2240 !ether_addr_equal(hdr->addr2, f_hdr->addr2))
2241 continue;
2242
2243 if (time_after(jiffies, entry->first_frag_time + 2 * HZ)) {
2244 __skb_queue_purge(&entry->skb_list);
2245 continue;
2246 }
2247 return entry;
2248 }
2249
2250 return NULL;
2251 }
2252
requires_sequential_pn(struct ieee80211_rx_data * rx,__le16 fc)2253 static bool requires_sequential_pn(struct ieee80211_rx_data *rx, __le16 fc)
2254 {
2255 return rx->key &&
2256 (rx->key->conf.cipher == WLAN_CIPHER_SUITE_CCMP ||
2257 rx->key->conf.cipher == WLAN_CIPHER_SUITE_CCMP_256 ||
2258 rx->key->conf.cipher == WLAN_CIPHER_SUITE_GCMP ||
2259 rx->key->conf.cipher == WLAN_CIPHER_SUITE_GCMP_256) &&
2260 ieee80211_has_protected(fc);
2261 }
2262
2263 static ieee80211_rx_result debug_noinline
ieee80211_rx_h_defragment(struct ieee80211_rx_data * rx)2264 ieee80211_rx_h_defragment(struct ieee80211_rx_data *rx)
2265 {
2266 struct ieee80211_fragment_cache *cache = &rx->sdata->frags;
2267 struct ieee80211_hdr *hdr;
2268 u16 sc;
2269 __le16 fc;
2270 unsigned int frag, seq;
2271 struct ieee80211_fragment_entry *entry;
2272 struct sk_buff *skb;
2273 struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(rx->skb);
2274
2275 hdr = (struct ieee80211_hdr *)rx->skb->data;
2276 fc = hdr->frame_control;
2277
2278 if (ieee80211_is_ctl(fc) || ieee80211_is_ext(fc))
2279 return RX_CONTINUE;
2280
2281 sc = le16_to_cpu(hdr->seq_ctrl);
2282 frag = sc & IEEE80211_SCTL_FRAG;
2283
2284 if (rx->sta)
2285 cache = &rx->sta->frags;
2286
2287 if (likely(!ieee80211_has_morefrags(fc) && frag == 0))
2288 goto out;
2289
2290 if (is_multicast_ether_addr(hdr->addr1))
2291 return RX_DROP;
2292
2293 I802_DEBUG_INC(rx->local->rx_handlers_fragments);
2294
2295 if (skb_linearize(rx->skb))
2296 return RX_DROP_U_OOM;
2297
2298 /*
2299 * skb_linearize() might change the skb->data and
2300 * previously cached variables (in this case, hdr) need to
2301 * be refreshed with the new data.
2302 */
2303 hdr = (struct ieee80211_hdr *)rx->skb->data;
2304 seq = (sc & IEEE80211_SCTL_SEQ) >> 4;
2305
2306 if (frag == 0) {
2307 /* This is the first fragment of a new frame. */
2308 entry = ieee80211_reassemble_add(cache, frag, seq,
2309 rx->seqno_idx, &(rx->skb));
2310 if (requires_sequential_pn(rx, fc)) {
2311 int queue = rx->security_idx;
2312
2313 /* Store CCMP/GCMP PN so that we can verify that the
2314 * next fragment has a sequential PN value.
2315 */
2316 entry->check_sequential_pn = true;
2317 entry->is_protected = true;
2318 entry->key_color = rx->key->color;
2319 memcpy(entry->last_pn,
2320 rx->key->u.ccmp.rx_pn[queue],
2321 IEEE80211_CCMP_PN_LEN);
2322 BUILD_BUG_ON(offsetof(struct ieee80211_key,
2323 u.ccmp.rx_pn) !=
2324 offsetof(struct ieee80211_key,
2325 u.gcmp.rx_pn));
2326 BUILD_BUG_ON(sizeof(rx->key->u.ccmp.rx_pn[queue]) !=
2327 sizeof(rx->key->u.gcmp.rx_pn[queue]));
2328 BUILD_BUG_ON(IEEE80211_CCMP_PN_LEN !=
2329 IEEE80211_GCMP_PN_LEN);
2330 } else if (rx->key &&
2331 (ieee80211_has_protected(fc) ||
2332 (status->flag & RX_FLAG_DECRYPTED))) {
2333 entry->is_protected = true;
2334 entry->key_color = rx->key->color;
2335 }
2336 return RX_QUEUED;
2337 }
2338
2339 /* This is a fragment for a frame that should already be pending in
2340 * fragment cache. Add this fragment to the end of the pending entry.
2341 */
2342 entry = ieee80211_reassemble_find(cache, frag, seq,
2343 rx->seqno_idx, hdr);
2344 if (!entry) {
2345 I802_DEBUG_INC(rx->local->rx_handlers_drop_defrag);
2346 return RX_DROP;
2347 }
2348
2349 /* "The receiver shall discard MSDUs and MMPDUs whose constituent
2350 * MPDU PN values are not incrementing in steps of 1."
2351 * see IEEE P802.11-REVmc/D5.0, 12.5.3.4.4, item d (for CCMP)
2352 * and IEEE P802.11-REVmc/D5.0, 12.5.5.4.4, item d (for GCMP)
2353 */
2354 if (entry->check_sequential_pn) {
2355 int i;
2356 u8 pn[IEEE80211_CCMP_PN_LEN], *rpn;
2357
2358 if (!requires_sequential_pn(rx, fc))
2359 return RX_DROP_U_NONSEQ_PN;
2360
2361 /* Prevent mixed key and fragment cache attacks */
2362 if (entry->key_color != rx->key->color)
2363 return RX_DROP_U_BAD_KEY_COLOR;
2364
2365 memcpy(pn, entry->last_pn, IEEE80211_CCMP_PN_LEN);
2366 for (i = IEEE80211_CCMP_PN_LEN - 1; i >= 0; i--) {
2367 pn[i]++;
2368 if (pn[i])
2369 break;
2370 }
2371
2372 rpn = rx->ccm_gcm.pn;
2373 if (memcmp(pn, rpn, IEEE80211_CCMP_PN_LEN))
2374 return RX_DROP_U_REPLAY;
2375 memcpy(entry->last_pn, pn, IEEE80211_CCMP_PN_LEN);
2376 } else if (entry->is_protected &&
2377 (!rx->key ||
2378 (!ieee80211_has_protected(fc) &&
2379 !(status->flag & RX_FLAG_DECRYPTED)) ||
2380 rx->key->color != entry->key_color)) {
2381 /* Drop this as a mixed key or fragment cache attack, even
2382 * if for TKIP Michael MIC should protect us, and WEP is a
2383 * lost cause anyway.
2384 */
2385 return RX_DROP_U_EXPECT_DEFRAG_PROT;
2386 } else if (entry->is_protected && rx->key &&
2387 entry->key_color != rx->key->color &&
2388 (status->flag & RX_FLAG_DECRYPTED)) {
2389 return RX_DROP_U_BAD_KEY_COLOR;
2390 }
2391
2392 skb_pull(rx->skb, ieee80211_hdrlen(fc));
2393 __skb_queue_tail(&entry->skb_list, rx->skb);
2394 entry->last_frag = frag;
2395 entry->extra_len += rx->skb->len;
2396 if (ieee80211_has_morefrags(fc)) {
2397 rx->skb = NULL;
2398 return RX_QUEUED;
2399 }
2400
2401 rx->skb = __skb_dequeue(&entry->skb_list);
2402 if (skb_tailroom(rx->skb) < entry->extra_len) {
2403 I802_DEBUG_INC(rx->local->rx_expand_skb_head_defrag);
2404 if (unlikely(pskb_expand_head(rx->skb, 0, entry->extra_len,
2405 GFP_ATOMIC))) {
2406 I802_DEBUG_INC(rx->local->rx_handlers_drop_defrag);
2407 __skb_queue_purge(&entry->skb_list);
2408 return RX_DROP_U_OOM;
2409 }
2410 }
2411 while ((skb = __skb_dequeue(&entry->skb_list))) {
2412 skb_put_data(rx->skb, skb->data, skb->len);
2413 dev_kfree_skb(skb);
2414 }
2415
2416 out:
2417 ieee80211_led_rx(rx->local);
2418 if (rx->sta)
2419 rx->link_sta->rx_stats.packets++;
2420 return RX_CONTINUE;
2421 }
2422
ieee80211_802_1x_port_control(struct ieee80211_rx_data * rx)2423 static int ieee80211_802_1x_port_control(struct ieee80211_rx_data *rx)
2424 {
2425 if (unlikely(!rx->sta || !test_sta_flag(rx->sta, WLAN_STA_AUTHORIZED)))
2426 return -EACCES;
2427
2428 return 0;
2429 }
2430
ieee80211_drop_unencrypted(struct ieee80211_rx_data * rx,__le16 fc)2431 static int ieee80211_drop_unencrypted(struct ieee80211_rx_data *rx, __le16 fc)
2432 {
2433 struct sk_buff *skb = rx->skb;
2434 struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(skb);
2435
2436 /*
2437 * Pass through unencrypted frames if the hardware has
2438 * decrypted them already.
2439 */
2440 if (status->flag & RX_FLAG_DECRYPTED)
2441 return 0;
2442
2443 /* Drop unencrypted frames if key is set. */
2444 if (unlikely(!ieee80211_has_protected(fc) &&
2445 !ieee80211_is_any_nullfunc(fc) &&
2446 ieee80211_is_data(fc) && rx->key))
2447 return -EACCES;
2448
2449 return 0;
2450 }
2451
2452 VISIBLE_IF_MAC80211_KUNIT ieee80211_rx_result
ieee80211_drop_unencrypted_mgmt(struct ieee80211_rx_data * rx)2453 ieee80211_drop_unencrypted_mgmt(struct ieee80211_rx_data *rx)
2454 {
2455 struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(rx->skb);
2456 struct ieee80211_mgmt *mgmt = (void *)rx->skb->data;
2457 __le16 fc = mgmt->frame_control;
2458
2459 /*
2460 * Pass through unencrypted frames if the hardware has
2461 * decrypted them already.
2462 */
2463 if (status->flag & RX_FLAG_DECRYPTED)
2464 return RX_CONTINUE;
2465
2466 /* drop unicast protected dual (that wasn't protected) */
2467 if (ieee80211_is_action(fc) &&
2468 mgmt->u.action.category == WLAN_CATEGORY_PROTECTED_DUAL_OF_ACTION)
2469 return RX_DROP_U_UNPROT_DUAL;
2470
2471 if (rx->sta && test_sta_flag(rx->sta, WLAN_STA_MFP)) {
2472 if (unlikely(!ieee80211_has_protected(fc) &&
2473 ieee80211_is_unicast_robust_mgmt_frame(rx->skb))) {
2474 if (ieee80211_is_deauth(fc) ||
2475 ieee80211_is_disassoc(fc)) {
2476 /*
2477 * Permit unprotected deauth/disassoc frames
2478 * during 4-way-HS (key is installed after HS).
2479 */
2480 if (!rx->key)
2481 return RX_CONTINUE;
2482
2483 cfg80211_rx_unprot_mlme_mgmt(rx->sdata->dev,
2484 rx->skb->data,
2485 rx->skb->len);
2486 }
2487 return RX_DROP_U_UNPROT_UCAST_MGMT;
2488 }
2489 /* BIP does not use Protected field, so need to check MMIE */
2490 if (unlikely(ieee80211_is_multicast_robust_mgmt_frame(rx->skb) &&
2491 ieee80211_get_mmie_keyidx(rx->skb) < 0)) {
2492 if (ieee80211_is_deauth(fc) ||
2493 ieee80211_is_disassoc(fc))
2494 cfg80211_rx_unprot_mlme_mgmt(rx->sdata->dev,
2495 rx->skb->data,
2496 rx->skb->len);
2497 return RX_DROP_U_UNPROT_MCAST_MGMT;
2498 }
2499 if (unlikely(ieee80211_is_beacon(fc) && rx->key &&
2500 ieee80211_get_mmie_keyidx(rx->skb) < 0)) {
2501 cfg80211_rx_unprot_mlme_mgmt(rx->sdata->dev,
2502 rx->skb->data,
2503 rx->skb->len);
2504 return RX_DROP_U_UNPROT_BEACON;
2505 }
2506 /*
2507 * When using MFP, Action frames are not allowed prior to
2508 * having configured keys.
2509 */
2510 if (unlikely(ieee80211_is_action(fc) && !rx->key &&
2511 ieee80211_is_robust_mgmt_frame(rx->skb)))
2512 return RX_DROP_U_UNPROT_ACTION;
2513
2514 /* drop unicast public action frames when using MPF */
2515 if (is_unicast_ether_addr(mgmt->da) &&
2516 ieee80211_is_protected_dual_of_public_action(rx->skb))
2517 return RX_DROP_U_UNPROT_UNICAST_PUB_ACTION;
2518 }
2519
2520 /*
2521 * Drop robust action frames before assoc regardless of MFP state,
2522 * after assoc we also have decided on MFP or not.
2523 */
2524 if (ieee80211_is_action(fc) &&
2525 ieee80211_is_robust_mgmt_frame(rx->skb) &&
2526 (!rx->sta || !test_sta_flag(rx->sta, WLAN_STA_ASSOC)))
2527 return RX_DROP_U_UNPROT_ROBUST_ACTION;
2528
2529 return RX_CONTINUE;
2530 }
2531 EXPORT_SYMBOL_IF_MAC80211_KUNIT(ieee80211_drop_unencrypted_mgmt);
2532
2533 static ieee80211_rx_result
__ieee80211_data_to_8023(struct ieee80211_rx_data * rx,bool * port_control)2534 __ieee80211_data_to_8023(struct ieee80211_rx_data *rx, bool *port_control)
2535 {
2536 struct ieee80211_sub_if_data *sdata = rx->sdata;
2537 struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)rx->skb->data;
2538 bool check_port_control = false;
2539 struct ethhdr *ehdr;
2540 int ret;
2541
2542 *port_control = false;
2543 if (ieee80211_has_a4(hdr->frame_control) &&
2544 sdata->vif.type == NL80211_IFTYPE_AP_VLAN && !sdata->u.vlan.sta)
2545 return RX_DROP_U_UNEXPECTED_VLAN_4ADDR;
2546
2547 if (sdata->vif.type == NL80211_IFTYPE_STATION &&
2548 !!sdata->u.mgd.use_4addr != !!ieee80211_has_a4(hdr->frame_control)) {
2549 if (!sdata->u.mgd.use_4addr)
2550 return RX_DROP_U_UNEXPECTED_STA_4ADDR;
2551 else if (!ether_addr_equal(hdr->addr1, sdata->vif.addr))
2552 check_port_control = true;
2553 }
2554
2555 if (is_multicast_ether_addr(hdr->addr1) &&
2556 sdata->vif.type == NL80211_IFTYPE_AP_VLAN && sdata->u.vlan.sta)
2557 return RX_DROP_U_UNEXPECTED_VLAN_MCAST;
2558
2559 ret = ieee80211_data_to_8023(rx->skb, sdata->vif.addr, sdata->vif.type);
2560 if (ret < 0)
2561 return RX_DROP_U_INVALID_8023;
2562
2563 ehdr = (struct ethhdr *) rx->skb->data;
2564 if (ehdr->h_proto == rx->sdata->control_port_protocol)
2565 *port_control = true;
2566 else if (check_port_control)
2567 return RX_DROP_U_NOT_PORT_CONTROL;
2568
2569 return RX_CONTINUE;
2570 }
2571
ieee80211_is_our_addr(struct ieee80211_sub_if_data * sdata,const u8 * addr,int * out_link_id)2572 bool ieee80211_is_our_addr(struct ieee80211_sub_if_data *sdata,
2573 const u8 *addr, int *out_link_id)
2574 {
2575 unsigned int link_id;
2576
2577 /* non-MLO, or MLD address replaced by hardware */
2578 if (ether_addr_equal(sdata->vif.addr, addr))
2579 return true;
2580
2581 if (!ieee80211_vif_is_mld(&sdata->vif))
2582 return false;
2583
2584 for (link_id = 0; link_id < ARRAY_SIZE(sdata->vif.link_conf); link_id++) {
2585 struct ieee80211_bss_conf *conf;
2586
2587 conf = rcu_dereference(sdata->vif.link_conf[link_id]);
2588
2589 if (!conf)
2590 continue;
2591 if (ether_addr_equal(conf->addr, addr)) {
2592 if (out_link_id)
2593 *out_link_id = link_id;
2594 return true;
2595 }
2596 }
2597
2598 return false;
2599 }
2600
2601 /*
2602 * requires that rx->skb is a frame with ethernet header
2603 */
ieee80211_frame_allowed(struct ieee80211_rx_data * rx,__le16 fc)2604 static bool ieee80211_frame_allowed(struct ieee80211_rx_data *rx, __le16 fc)
2605 {
2606 static const u8 pae_group_addr[ETH_ALEN] __aligned(2)
2607 = { 0x01, 0x80, 0xC2, 0x00, 0x00, 0x03 };
2608 struct ethhdr *ehdr = (struct ethhdr *) rx->skb->data;
2609
2610 /*
2611 * Allow EAPOL frames to us/the PAE group address regardless of
2612 * whether the frame was encrypted or not, and always disallow
2613 * all other destination addresses for them.
2614 */
2615 if (unlikely(ehdr->h_proto == rx->sdata->control_port_protocol))
2616 return ieee80211_is_our_addr(rx->sdata, ehdr->h_dest, NULL) ||
2617 ether_addr_equal(ehdr->h_dest, pae_group_addr);
2618
2619 if (ieee80211_802_1x_port_control(rx) ||
2620 ieee80211_drop_unencrypted(rx, fc))
2621 return false;
2622
2623 return true;
2624 }
2625
ieee80211_deliver_skb_to_local_stack(struct sk_buff * skb,struct ieee80211_rx_data * rx)2626 static void ieee80211_deliver_skb_to_local_stack(struct sk_buff *skb,
2627 struct ieee80211_rx_data *rx)
2628 {
2629 struct ieee80211_sub_if_data *sdata = rx->sdata;
2630 struct net_device *dev = sdata->dev;
2631
2632 if (unlikely((skb->protocol == sdata->control_port_protocol ||
2633 (skb->protocol == cpu_to_be16(ETH_P_PREAUTH) &&
2634 !sdata->control_port_no_preauth)) &&
2635 sdata->control_port_over_nl80211)) {
2636 struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(skb);
2637 bool noencrypt = !(status->flag & RX_FLAG_DECRYPTED);
2638
2639 cfg80211_rx_control_port(dev, skb, noencrypt, rx->link_id);
2640 dev_kfree_skb(skb);
2641 } else {
2642 struct ethhdr *ehdr = (void *)skb_mac_header(skb);
2643
2644 memset(skb->cb, 0, sizeof(skb->cb));
2645
2646 /*
2647 * 802.1X over 802.11 requires that the authenticator address
2648 * be used for EAPOL frames. However, 802.1X allows the use of
2649 * the PAE group address instead. If the interface is part of
2650 * a bridge and we pass the frame with the PAE group address,
2651 * then the bridge will forward it to the network (even if the
2652 * client was not associated yet), which isn't supposed to
2653 * happen.
2654 * To avoid that, rewrite the destination address to our own
2655 * address, so that the authenticator (e.g. hostapd) will see
2656 * the frame, but bridge won't forward it anywhere else. Note
2657 * that due to earlier filtering, the only other address can
2658 * be the PAE group address, unless the hardware allowed them
2659 * through in 802.3 offloaded mode.
2660 */
2661 if (unlikely(skb->protocol == sdata->control_port_protocol &&
2662 !ether_addr_equal(ehdr->h_dest, sdata->vif.addr)))
2663 ether_addr_copy(ehdr->h_dest, sdata->vif.addr);
2664
2665 /* deliver to local stack */
2666 if (rx->list)
2667 list_add_tail(&skb->list, rx->list);
2668 else
2669 netif_receive_skb(skb);
2670 }
2671 }
2672
2673 /*
2674 * requires that rx->skb is a frame with ethernet header
2675 */
2676 static void
ieee80211_deliver_skb(struct ieee80211_rx_data * rx)2677 ieee80211_deliver_skb(struct ieee80211_rx_data *rx)
2678 {
2679 struct ieee80211_sub_if_data *sdata = rx->sdata;
2680 struct net_device *dev = sdata->dev;
2681 struct sk_buff *skb, *xmit_skb;
2682 struct ethhdr *ehdr = (struct ethhdr *) rx->skb->data;
2683 struct sta_info *dsta;
2684
2685 skb = rx->skb;
2686 xmit_skb = NULL;
2687
2688 dev_sw_netstats_rx_add(dev, skb->len);
2689
2690 if (rx->sta) {
2691 /* The seqno index has the same property as needed
2692 * for the rx_msdu field, i.e. it is IEEE80211_NUM_TIDS
2693 * for non-QoS-data frames. Here we know it's a data
2694 * frame, so count MSDUs.
2695 */
2696 u64_stats_update_begin(&rx->link_sta->rx_stats.syncp);
2697 rx->link_sta->rx_stats.msdu[rx->seqno_idx]++;
2698 u64_stats_update_end(&rx->link_sta->rx_stats.syncp);
2699 }
2700
2701 if ((sdata->vif.type == NL80211_IFTYPE_AP ||
2702 sdata->vif.type == NL80211_IFTYPE_AP_VLAN) &&
2703 !(sdata->flags & IEEE80211_SDATA_DONT_BRIDGE_PACKETS) &&
2704 ehdr->h_proto != rx->sdata->control_port_protocol &&
2705 (sdata->vif.type != NL80211_IFTYPE_AP_VLAN || !sdata->u.vlan.sta)) {
2706 if (is_multicast_ether_addr(ehdr->h_dest) &&
2707 ieee80211_vif_get_num_mcast_if(sdata) != 0) {
2708 /*
2709 * send multicast frames both to higher layers in
2710 * local net stack and back to the wireless medium
2711 */
2712 xmit_skb = skb_copy(skb, GFP_ATOMIC);
2713 if (!xmit_skb)
2714 net_info_ratelimited("%s: failed to clone multicast frame\n",
2715 dev->name);
2716 } else if (!is_multicast_ether_addr(ehdr->h_dest) &&
2717 !ether_addr_equal(ehdr->h_dest, ehdr->h_source)) {
2718 dsta = sta_info_get(sdata, ehdr->h_dest);
2719 if (dsta) {
2720 /*
2721 * The destination station is associated to
2722 * this AP (in this VLAN), so send the frame
2723 * directly to it and do not pass it to local
2724 * net stack.
2725 */
2726 xmit_skb = skb;
2727 skb = NULL;
2728 }
2729 }
2730 }
2731
2732 #ifndef CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS
2733 if (skb) {
2734 /* 'align' will only take the values 0 or 2 here since all
2735 * frames are required to be aligned to 2-byte boundaries
2736 * when being passed to mac80211; the code here works just
2737 * as well if that isn't true, but mac80211 assumes it can
2738 * access fields as 2-byte aligned (e.g. for ether_addr_equal)
2739 */
2740 int align;
2741
2742 align = (unsigned long)(skb->data + sizeof(struct ethhdr)) & 3;
2743 if (align) {
2744 if (WARN_ON(skb_headroom(skb) < 3)) {
2745 dev_kfree_skb(skb);
2746 skb = NULL;
2747 } else {
2748 u8 *data = skb->data;
2749 size_t len = skb_headlen(skb);
2750 skb->data -= align;
2751 memmove(skb->data, data, len);
2752 skb_set_tail_pointer(skb, len);
2753 }
2754 }
2755 }
2756 #endif
2757
2758 if (skb) {
2759 skb->protocol = eth_type_trans(skb, dev);
2760 ieee80211_deliver_skb_to_local_stack(skb, rx);
2761 }
2762
2763 if (xmit_skb) {
2764 /*
2765 * Send to wireless media and increase priority by 256 to
2766 * keep the received priority instead of reclassifying
2767 * the frame (see cfg80211_classify8021d).
2768 */
2769 xmit_skb->priority += 256;
2770 xmit_skb->protocol = htons(ETH_P_802_3);
2771 skb_reset_network_header(xmit_skb);
2772 skb_reset_mac_header(xmit_skb);
2773 dev_queue_xmit(xmit_skb);
2774 }
2775 }
2776
2777 #ifdef CONFIG_MAC80211_MESH
2778 static bool
ieee80211_rx_mesh_fast_forward(struct ieee80211_sub_if_data * sdata,struct sk_buff * skb,int hdrlen)2779 ieee80211_rx_mesh_fast_forward(struct ieee80211_sub_if_data *sdata,
2780 struct sk_buff *skb, int hdrlen)
2781 {
2782 struct ieee80211_if_mesh *ifmsh = &sdata->u.mesh;
2783 struct ieee80211_mesh_fast_tx_key key = {
2784 .type = MESH_FAST_TX_TYPE_FORWARDED
2785 };
2786 struct ieee80211_mesh_fast_tx *entry;
2787 struct ieee80211s_hdr *mesh_hdr;
2788 struct tid_ampdu_tx *tid_tx;
2789 struct sta_info *sta;
2790 struct ethhdr eth;
2791 u8 tid;
2792
2793 mesh_hdr = (struct ieee80211s_hdr *)(skb->data + sizeof(eth));
2794 if ((mesh_hdr->flags & MESH_FLAGS_AE) == MESH_FLAGS_AE_A5_A6)
2795 ether_addr_copy(key.addr, mesh_hdr->eaddr1);
2796 else if (!(mesh_hdr->flags & MESH_FLAGS_AE))
2797 ether_addr_copy(key.addr, skb->data);
2798 else
2799 return false;
2800
2801 entry = mesh_fast_tx_get(sdata, &key);
2802 if (!entry)
2803 return false;
2804
2805 sta = rcu_dereference(entry->mpath->next_hop);
2806 if (!sta)
2807 return false;
2808
2809 if (skb_linearize(skb))
2810 return false;
2811
2812 tid = skb->priority & IEEE80211_QOS_CTL_TAG1D_MASK;
2813 tid_tx = rcu_dereference(sta->ampdu_mlme.tid_tx[tid]);
2814 if (tid_tx) {
2815 if (!test_bit(HT_AGG_STATE_OPERATIONAL, &tid_tx->state))
2816 return false;
2817
2818 if (tid_tx->timeout)
2819 tid_tx->last_tx = jiffies;
2820 }
2821
2822 ieee80211_aggr_check(sdata, sta, skb);
2823
2824 if (ieee80211_get_8023_tunnel_proto(skb->data + hdrlen,
2825 &skb->protocol))
2826 hdrlen += ETH_ALEN;
2827 else
2828 skb->protocol = htons(skb->len - hdrlen);
2829 skb_set_network_header(skb, hdrlen + 2);
2830
2831 skb->dev = sdata->dev;
2832 memcpy(ð, skb->data, ETH_HLEN - 2);
2833 skb_pull(skb, 2);
2834 __ieee80211_xmit_fast(sdata, sta, &entry->fast_tx, skb, tid_tx,
2835 eth.h_dest, eth.h_source);
2836 IEEE80211_IFSTA_MESH_CTR_INC(ifmsh, fwded_unicast);
2837 IEEE80211_IFSTA_MESH_CTR_INC(ifmsh, fwded_frames);
2838
2839 return true;
2840 }
2841 #endif
2842
2843 static ieee80211_rx_result
ieee80211_rx_mesh_data(struct ieee80211_sub_if_data * sdata,struct sta_info * sta,struct sk_buff * skb)2844 ieee80211_rx_mesh_data(struct ieee80211_sub_if_data *sdata, struct sta_info *sta,
2845 struct sk_buff *skb)
2846 {
2847 #ifdef CONFIG_MAC80211_MESH
2848 struct ieee80211_if_mesh *ifmsh = &sdata->u.mesh;
2849 struct ieee80211_local *local = sdata->local;
2850 uint16_t fc = IEEE80211_FTYPE_DATA | IEEE80211_STYPE_QOS_DATA;
2851 struct ieee80211_hdr hdr = {
2852 .frame_control = cpu_to_le16(fc)
2853 };
2854 struct ieee80211_hdr *fwd_hdr;
2855 struct ieee80211s_hdr *mesh_hdr;
2856 struct ieee80211_tx_info *info;
2857 struct sk_buff *fwd_skb;
2858 struct ethhdr *eth;
2859 bool multicast;
2860 int tailroom = 0;
2861 int hdrlen, mesh_hdrlen;
2862 u8 *qos;
2863
2864 if (!ieee80211_vif_is_mesh(&sdata->vif))
2865 return RX_CONTINUE;
2866
2867 if (!pskb_may_pull(skb, sizeof(*eth) + 6))
2868 return RX_DROP;
2869
2870 mesh_hdr = (struct ieee80211s_hdr *)(skb->data + sizeof(*eth));
2871 mesh_hdrlen = ieee80211_get_mesh_hdrlen(mesh_hdr);
2872
2873 if (!pskb_may_pull(skb, sizeof(*eth) + mesh_hdrlen))
2874 return RX_DROP;
2875
2876 eth = (struct ethhdr *)skb->data;
2877 multicast = is_multicast_ether_addr(eth->h_dest);
2878
2879 mesh_hdr = (struct ieee80211s_hdr *)(eth + 1);
2880 if (!mesh_hdr->ttl)
2881 return RX_DROP;
2882
2883 /* frame is in RMC, don't forward */
2884 if (is_multicast_ether_addr(eth->h_dest) &&
2885 mesh_rmc_check(sdata, eth->h_source, mesh_hdr))
2886 return RX_DROP;
2887
2888 /* forward packet */
2889 if (sdata->crypto_tx_tailroom_needed_cnt)
2890 tailroom = IEEE80211_ENCRYPT_TAILROOM;
2891
2892 if (mesh_hdr->flags & MESH_FLAGS_AE) {
2893 struct mesh_path *mppath;
2894 char *proxied_addr;
2895 bool update = false;
2896
2897 if (multicast)
2898 proxied_addr = mesh_hdr->eaddr1;
2899 else if ((mesh_hdr->flags & MESH_FLAGS_AE) == MESH_FLAGS_AE_A5_A6)
2900 /* has_a4 already checked in ieee80211_rx_mesh_check */
2901 proxied_addr = mesh_hdr->eaddr2;
2902 else
2903 return RX_DROP;
2904
2905 rcu_read_lock();
2906 mppath = mpp_path_lookup(sdata, proxied_addr);
2907 if (!mppath) {
2908 mpp_path_add(sdata, proxied_addr, eth->h_source);
2909 } else {
2910 spin_lock_bh(&mppath->state_lock);
2911 if (!ether_addr_equal(mppath->mpp, eth->h_source)) {
2912 memcpy(mppath->mpp, eth->h_source, ETH_ALEN);
2913 update = true;
2914 }
2915 mppath->exp_time = jiffies;
2916 spin_unlock_bh(&mppath->state_lock);
2917 }
2918
2919 /* flush fast xmit cache if the address path changed */
2920 if (update)
2921 mesh_fast_tx_flush_addr(sdata, proxied_addr);
2922
2923 rcu_read_unlock();
2924 }
2925
2926 /* Frame has reached destination. Don't forward */
2927 if (ether_addr_equal(sdata->vif.addr, eth->h_dest))
2928 goto rx_accept;
2929
2930 if (!--mesh_hdr->ttl) {
2931 if (multicast)
2932 goto rx_accept;
2933
2934 IEEE80211_IFSTA_MESH_CTR_INC(ifmsh, dropped_frames_ttl);
2935 return RX_DROP;
2936 }
2937
2938 if (!ifmsh->mshcfg.dot11MeshForwarding) {
2939 if (is_multicast_ether_addr(eth->h_dest))
2940 goto rx_accept;
2941
2942 return RX_DROP;
2943 }
2944
2945 skb_set_queue_mapping(skb, ieee802_1d_to_ac[skb->priority]);
2946
2947 if (!multicast &&
2948 ieee80211_rx_mesh_fast_forward(sdata, skb, mesh_hdrlen))
2949 return RX_QUEUED;
2950
2951 ieee80211_fill_mesh_addresses(&hdr, &hdr.frame_control,
2952 eth->h_dest, eth->h_source);
2953 hdrlen = ieee80211_hdrlen(hdr.frame_control);
2954 if (multicast) {
2955 int extra_head = sizeof(struct ieee80211_hdr) - sizeof(*eth);
2956
2957 fwd_skb = skb_copy_expand(skb, local->tx_headroom + extra_head +
2958 IEEE80211_ENCRYPT_HEADROOM,
2959 tailroom, GFP_ATOMIC);
2960 if (!fwd_skb)
2961 goto rx_accept;
2962 } else {
2963 fwd_skb = skb;
2964 skb = NULL;
2965
2966 if (skb_cow_head(fwd_skb, hdrlen - sizeof(struct ethhdr)))
2967 return RX_DROP_U_OOM;
2968
2969 if (skb_linearize(fwd_skb))
2970 return RX_DROP_U_OOM;
2971 }
2972
2973 fwd_hdr = skb_push(fwd_skb, hdrlen - sizeof(struct ethhdr));
2974 memcpy(fwd_hdr, &hdr, hdrlen - 2);
2975 qos = ieee80211_get_qos_ctl(fwd_hdr);
2976 qos[0] = qos[1] = 0;
2977
2978 skb_reset_mac_header(fwd_skb);
2979 hdrlen += mesh_hdrlen;
2980 if (ieee80211_get_8023_tunnel_proto(fwd_skb->data + hdrlen,
2981 &fwd_skb->protocol))
2982 hdrlen += ETH_ALEN;
2983 else
2984 fwd_skb->protocol = htons(fwd_skb->len - hdrlen);
2985 skb_set_network_header(fwd_skb, hdrlen + 2);
2986
2987 info = IEEE80211_SKB_CB(fwd_skb);
2988 memset(info, 0, sizeof(*info));
2989 info->control.flags |= IEEE80211_TX_INTCFL_NEED_TXPROCESSING;
2990 info->control.vif = &sdata->vif;
2991 info->control.jiffies = jiffies;
2992 fwd_skb->dev = sdata->dev;
2993 if (multicast) {
2994 IEEE80211_IFSTA_MESH_CTR_INC(ifmsh, fwded_mcast);
2995 memcpy(fwd_hdr->addr2, sdata->vif.addr, ETH_ALEN);
2996 /* update power mode indication when forwarding */
2997 ieee80211_mps_set_frame_flags(sdata, NULL, fwd_hdr);
2998 } else if (!mesh_nexthop_lookup(sdata, fwd_skb)) {
2999 /* mesh power mode flags updated in mesh_nexthop_lookup */
3000 IEEE80211_IFSTA_MESH_CTR_INC(ifmsh, fwded_unicast);
3001 } else {
3002 /* unable to resolve next hop */
3003 if (sta)
3004 mesh_path_error_tx(sdata, ifmsh->mshcfg.element_ttl,
3005 hdr.addr3, 0,
3006 WLAN_REASON_MESH_PATH_NOFORWARD,
3007 sta->sta.addr);
3008 IEEE80211_IFSTA_MESH_CTR_INC(ifmsh, dropped_frames_no_route);
3009 kfree_skb(fwd_skb);
3010 goto rx_accept;
3011 }
3012
3013 IEEE80211_IFSTA_MESH_CTR_INC(ifmsh, fwded_frames);
3014 ieee80211_set_qos_hdr(sdata, fwd_skb);
3015 ieee80211_add_pending_skb(local, fwd_skb);
3016
3017 rx_accept:
3018 if (!skb)
3019 return RX_QUEUED;
3020
3021 ieee80211_strip_8023_mesh_hdr(skb);
3022 #endif
3023
3024 return RX_CONTINUE;
3025 }
3026
3027 static ieee80211_rx_result debug_noinline
__ieee80211_rx_h_amsdu(struct ieee80211_rx_data * rx,u8 data_offset)3028 __ieee80211_rx_h_amsdu(struct ieee80211_rx_data *rx, u8 data_offset)
3029 {
3030 struct net_device *dev = rx->sdata->dev;
3031 struct sk_buff *skb = rx->skb;
3032 struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)skb->data;
3033 __le16 fc = hdr->frame_control;
3034 struct sk_buff_head frame_list;
3035 struct ethhdr ethhdr;
3036 const u8 *check_da = ethhdr.h_dest, *check_sa = ethhdr.h_source;
3037
3038 if (unlikely(ieee80211_has_a4(hdr->frame_control))) {
3039 check_da = NULL;
3040 check_sa = NULL;
3041 } else switch (rx->sdata->vif.type) {
3042 case NL80211_IFTYPE_AP:
3043 case NL80211_IFTYPE_AP_VLAN:
3044 check_da = NULL;
3045 break;
3046 case NL80211_IFTYPE_STATION:
3047 if (!test_sta_flag(rx->sta, WLAN_STA_TDLS_PEER))
3048 check_sa = NULL;
3049 break;
3050 case NL80211_IFTYPE_MESH_POINT:
3051 check_sa = NULL;
3052 check_da = NULL;
3053 break;
3054 default:
3055 break;
3056 }
3057
3058 skb->dev = dev;
3059 __skb_queue_head_init(&frame_list);
3060
3061 if (ieee80211_data_to_8023_exthdr(skb, ðhdr,
3062 rx->sdata->vif.addr,
3063 rx->sdata->vif.type,
3064 data_offset, true))
3065 return RX_DROP_U_BAD_AMSDU;
3066
3067 if (rx->sta->amsdu_mesh_control < 0) {
3068 s8 valid = -1;
3069 int i;
3070
3071 for (i = 0; i <= 2; i++) {
3072 if (!ieee80211_is_valid_amsdu(skb, i))
3073 continue;
3074
3075 if (valid >= 0) {
3076 /* ambiguous */
3077 valid = -1;
3078 break;
3079 }
3080
3081 valid = i;
3082 }
3083
3084 rx->sta->amsdu_mesh_control = valid;
3085 }
3086
3087 ieee80211_amsdu_to_8023s(skb, &frame_list, dev->dev_addr,
3088 rx->sdata->vif.type,
3089 rx->local->hw.extra_tx_headroom,
3090 check_da, check_sa,
3091 rx->sta->amsdu_mesh_control);
3092
3093 while (!skb_queue_empty(&frame_list)) {
3094 rx->skb = __skb_dequeue(&frame_list);
3095
3096 switch (ieee80211_rx_mesh_data(rx->sdata, rx->sta, rx->skb)) {
3097 case RX_QUEUED:
3098 break;
3099 case RX_CONTINUE:
3100 if (ieee80211_frame_allowed(rx, fc)) {
3101 ieee80211_deliver_skb(rx);
3102 break;
3103 }
3104 fallthrough;
3105 default:
3106 dev_kfree_skb(rx->skb);
3107 }
3108 }
3109
3110 return RX_QUEUED;
3111 }
3112
3113 static ieee80211_rx_result debug_noinline
ieee80211_rx_h_amsdu(struct ieee80211_rx_data * rx)3114 ieee80211_rx_h_amsdu(struct ieee80211_rx_data *rx)
3115 {
3116 struct sk_buff *skb = rx->skb;
3117 struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(skb);
3118 struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)skb->data;
3119 __le16 fc = hdr->frame_control;
3120
3121 if (!(status->rx_flags & IEEE80211_RX_AMSDU))
3122 return RX_CONTINUE;
3123
3124 if (unlikely(!ieee80211_is_data(fc)))
3125 return RX_CONTINUE;
3126
3127 if (unlikely(!ieee80211_is_data_present(fc)))
3128 return RX_DROP;
3129
3130 if (unlikely(ieee80211_has_a4(hdr->frame_control))) {
3131 switch (rx->sdata->vif.type) {
3132 case NL80211_IFTYPE_AP_VLAN:
3133 if (!rx->sdata->u.vlan.sta)
3134 return RX_DROP_U_BAD_4ADDR;
3135 break;
3136 case NL80211_IFTYPE_STATION:
3137 if (!rx->sdata->u.mgd.use_4addr)
3138 return RX_DROP_U_BAD_4ADDR;
3139 break;
3140 case NL80211_IFTYPE_MESH_POINT:
3141 break;
3142 default:
3143 return RX_DROP_U_BAD_4ADDR;
3144 }
3145 }
3146
3147 if (is_multicast_ether_addr(hdr->addr1) || !rx->sta)
3148 return RX_DROP_U_BAD_AMSDU;
3149
3150 if (rx->key) {
3151 /*
3152 * We should not receive A-MSDUs on pre-HT connections,
3153 * and HT connections cannot use old ciphers. Thus drop
3154 * them, as in those cases we couldn't even have SPP
3155 * A-MSDUs or such.
3156 */
3157 switch (rx->key->conf.cipher) {
3158 case WLAN_CIPHER_SUITE_WEP40:
3159 case WLAN_CIPHER_SUITE_WEP104:
3160 case WLAN_CIPHER_SUITE_TKIP:
3161 return RX_DROP_U_BAD_AMSDU_CIPHER;
3162 default:
3163 break;
3164 }
3165 }
3166
3167 return __ieee80211_rx_h_amsdu(rx, 0);
3168 }
3169
3170 static ieee80211_rx_result debug_noinline
ieee80211_rx_h_data(struct ieee80211_rx_data * rx)3171 ieee80211_rx_h_data(struct ieee80211_rx_data *rx)
3172 {
3173 struct ieee80211_sub_if_data *sdata = rx->sdata;
3174 struct ieee80211_local *local = rx->local;
3175 struct net_device *dev = sdata->dev;
3176 struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)rx->skb->data;
3177 __le16 fc = hdr->frame_control;
3178 ieee80211_rx_result res;
3179 bool port_control;
3180
3181 if (unlikely(!ieee80211_is_data(hdr->frame_control)))
3182 return RX_CONTINUE;
3183
3184 if (unlikely(!ieee80211_is_data_present(hdr->frame_control)))
3185 return RX_DROP;
3186
3187 /* Send unexpected-4addr-frame event to hostapd */
3188 if (ieee80211_has_a4(hdr->frame_control) &&
3189 sdata->vif.type == NL80211_IFTYPE_AP) {
3190 if (rx->sta &&
3191 !test_and_set_sta_flag(rx->sta, WLAN_STA_4ADDR_EVENT))
3192 cfg80211_rx_unexpected_4addr_frame(
3193 rx->sdata->dev, rx->sta->sta.addr, rx->link_id,
3194 GFP_ATOMIC);
3195 return RX_DROP;
3196 }
3197
3198 res = __ieee80211_data_to_8023(rx, &port_control);
3199 if (unlikely(res != RX_CONTINUE))
3200 return res;
3201
3202 res = ieee80211_rx_mesh_data(rx->sdata, rx->sta, rx->skb);
3203 if (res != RX_CONTINUE)
3204 return res;
3205
3206 if (!ieee80211_frame_allowed(rx, fc))
3207 return RX_DROP;
3208
3209 /* directly handle TDLS channel switch requests/responses */
3210 if (unlikely(((struct ethhdr *)rx->skb->data)->h_proto ==
3211 cpu_to_be16(ETH_P_TDLS))) {
3212 struct ieee80211_tdls_data *tf = (void *)rx->skb->data;
3213
3214 if (pskb_may_pull(rx->skb,
3215 offsetof(struct ieee80211_tdls_data, u)) &&
3216 tf->payload_type == WLAN_TDLS_SNAP_RFTYPE &&
3217 tf->category == WLAN_CATEGORY_TDLS &&
3218 (tf->action_code == WLAN_TDLS_CHANNEL_SWITCH_REQUEST ||
3219 tf->action_code == WLAN_TDLS_CHANNEL_SWITCH_RESPONSE)) {
3220 rx->skb->protocol = cpu_to_be16(ETH_P_TDLS);
3221 __ieee80211_queue_skb_to_iface(sdata, rx->link_id,
3222 rx->sta, rx->skb);
3223 return RX_QUEUED;
3224 }
3225 }
3226
3227 if (rx->sdata->vif.type == NL80211_IFTYPE_AP_VLAN &&
3228 unlikely(port_control) && sdata->bss) {
3229 sdata = container_of(sdata->bss, struct ieee80211_sub_if_data,
3230 u.ap);
3231 dev = sdata->dev;
3232 rx->sdata = sdata;
3233 }
3234
3235 rx->skb->dev = dev;
3236
3237 if (!ieee80211_hw_check(&local->hw, SUPPORTS_DYNAMIC_PS) &&
3238 local->ps_sdata && local->hw.conf.dynamic_ps_timeout > 0 &&
3239 !is_multicast_ether_addr(
3240 ((struct ethhdr *)rx->skb->data)->h_dest) &&
3241 (!local->scanning &&
3242 !test_bit(SDATA_STATE_OFFCHANNEL, &sdata->state)))
3243 mod_timer(&local->dynamic_ps_timer, jiffies +
3244 msecs_to_jiffies(local->hw.conf.dynamic_ps_timeout));
3245
3246 ieee80211_deliver_skb(rx);
3247
3248 return RX_QUEUED;
3249 }
3250
3251 static ieee80211_rx_result debug_noinline
ieee80211_rx_h_ctrl(struct ieee80211_rx_data * rx,struct sk_buff_head * frames)3252 ieee80211_rx_h_ctrl(struct ieee80211_rx_data *rx, struct sk_buff_head *frames)
3253 {
3254 struct sk_buff *skb = rx->skb;
3255 struct ieee80211_bar *bar = (struct ieee80211_bar *)skb->data;
3256 struct tid_ampdu_rx *tid_agg_rx;
3257 u16 start_seq_num;
3258 u16 tid;
3259
3260 if (likely(!ieee80211_is_ctl(bar->frame_control)))
3261 return RX_CONTINUE;
3262
3263 if (ieee80211_is_back_req(bar->frame_control)) {
3264 struct {
3265 __le16 control, start_seq_num;
3266 } __packed bar_data;
3267 struct ieee80211_event event = {
3268 .type = BAR_RX_EVENT,
3269 };
3270
3271 if (!rx->sta)
3272 return RX_DROP;
3273
3274 if (skb_copy_bits(skb, offsetof(struct ieee80211_bar, control),
3275 &bar_data, sizeof(bar_data)))
3276 return RX_DROP;
3277
3278 tid = le16_to_cpu(bar_data.control) >> 12;
3279
3280 if (!test_bit(tid, rx->sta->ampdu_mlme.agg_session_valid) &&
3281 !test_and_set_bit(tid, rx->sta->ampdu_mlme.unexpected_agg))
3282 ieee80211_send_delba(rx->sdata, rx->sta->sta.addr, tid,
3283 WLAN_BACK_RECIPIENT,
3284 WLAN_REASON_QSTA_REQUIRE_SETUP);
3285
3286 tid_agg_rx = rcu_dereference(rx->sta->ampdu_mlme.tid_rx[tid]);
3287 if (!tid_agg_rx)
3288 return RX_DROP;
3289
3290 start_seq_num = le16_to_cpu(bar_data.start_seq_num) >> 4;
3291 event.u.ba.tid = tid;
3292 event.u.ba.ssn = start_seq_num;
3293 event.u.ba.sta = &rx->sta->sta;
3294
3295 /* reset session timer */
3296 if (tid_agg_rx->timeout)
3297 mod_timer(&tid_agg_rx->session_timer,
3298 TU_TO_EXP_TIME(tid_agg_rx->timeout));
3299
3300 spin_lock(&tid_agg_rx->reorder_lock);
3301 /* release stored frames up to start of BAR */
3302 ieee80211_release_reorder_frames(rx->sdata, tid_agg_rx,
3303 start_seq_num, frames);
3304 spin_unlock(&tid_agg_rx->reorder_lock);
3305
3306 drv_event_callback(rx->local, rx->sdata, &event);
3307
3308 kfree_skb(skb);
3309 return RX_QUEUED;
3310 }
3311
3312 return RX_DROP;
3313 }
3314
ieee80211_process_sa_query_req(struct ieee80211_sub_if_data * sdata,struct ieee80211_mgmt * mgmt,size_t len)3315 static void ieee80211_process_sa_query_req(struct ieee80211_sub_if_data *sdata,
3316 struct ieee80211_mgmt *mgmt,
3317 size_t len)
3318 {
3319 struct ieee80211_local *local = sdata->local;
3320 struct sk_buff *skb;
3321 struct ieee80211_mgmt *resp;
3322
3323 if (!ether_addr_equal(mgmt->da, sdata->vif.addr)) {
3324 /* Not to own unicast address */
3325 return;
3326 }
3327
3328 if (!ether_addr_equal(mgmt->sa, sdata->vif.cfg.ap_addr) ||
3329 !ether_addr_equal(mgmt->bssid, sdata->vif.cfg.ap_addr)) {
3330 /* Not from the current AP or not associated yet. */
3331 return;
3332 }
3333
3334 if (len < 24 + 1 + sizeof(resp->u.action.u.sa_query)) {
3335 /* Too short SA Query request frame */
3336 return;
3337 }
3338
3339 skb = dev_alloc_skb(sizeof(*resp) + local->hw.extra_tx_headroom);
3340 if (skb == NULL)
3341 return;
3342
3343 skb_reserve(skb, local->hw.extra_tx_headroom);
3344 resp = skb_put_zero(skb, 24);
3345 memcpy(resp->da, sdata->vif.cfg.ap_addr, ETH_ALEN);
3346 memcpy(resp->sa, sdata->vif.addr, ETH_ALEN);
3347 memcpy(resp->bssid, sdata->vif.cfg.ap_addr, ETH_ALEN);
3348 resp->frame_control = cpu_to_le16(IEEE80211_FTYPE_MGMT |
3349 IEEE80211_STYPE_ACTION);
3350 skb_put(skb, 1 + sizeof(resp->u.action.u.sa_query));
3351 resp->u.action.category = WLAN_CATEGORY_SA_QUERY;
3352 resp->u.action.u.sa_query.action = WLAN_ACTION_SA_QUERY_RESPONSE;
3353 memcpy(resp->u.action.u.sa_query.trans_id,
3354 mgmt->u.action.u.sa_query.trans_id,
3355 WLAN_SA_QUERY_TR_ID_LEN);
3356
3357 ieee80211_tx_skb(sdata, skb);
3358 }
3359
3360 static void
ieee80211_rx_check_bss_color_collision(struct ieee80211_rx_data * rx)3361 ieee80211_rx_check_bss_color_collision(struct ieee80211_rx_data *rx)
3362 {
3363 struct ieee80211_mgmt *mgmt = (void *)rx->skb->data;
3364 struct ieee80211_bss_conf *bss_conf;
3365 const struct element *ie;
3366 size_t baselen;
3367
3368 if (!wiphy_ext_feature_isset(rx->local->hw.wiphy,
3369 NL80211_EXT_FEATURE_BSS_COLOR))
3370 return;
3371
3372 if (ieee80211_hw_check(&rx->local->hw, DETECTS_COLOR_COLLISION))
3373 return;
3374
3375 bss_conf = rx->link->conf;
3376 if (bss_conf->csa_active || bss_conf->color_change_active ||
3377 !bss_conf->he_bss_color.enabled)
3378 return;
3379
3380 baselen = mgmt->u.beacon.variable - rx->skb->data;
3381 if (baselen > rx->skb->len)
3382 return;
3383
3384 ie = cfg80211_find_ext_elem(WLAN_EID_EXT_HE_OPERATION,
3385 mgmt->u.beacon.variable,
3386 rx->skb->len - baselen);
3387 if (ie && ie->datalen >= sizeof(struct ieee80211_he_operation) &&
3388 ie->datalen >= ieee80211_he_oper_size(ie->data + 1)) {
3389 const struct ieee80211_he_operation *he_oper;
3390 u8 color;
3391
3392 he_oper = (void *)(ie->data + 1);
3393 if (le32_get_bits(he_oper->he_oper_params,
3394 IEEE80211_HE_OPERATION_BSS_COLOR_DISABLED))
3395 return;
3396
3397 color = le32_get_bits(he_oper->he_oper_params,
3398 IEEE80211_HE_OPERATION_BSS_COLOR_MASK);
3399 if (color == bss_conf->he_bss_color.color)
3400 ieee80211_obss_color_collision_notify(&rx->sdata->vif,
3401 BIT_ULL(color),
3402 bss_conf->link_id);
3403 }
3404 }
3405
3406 static ieee80211_rx_result debug_noinline
ieee80211_rx_h_mgmt_check(struct ieee80211_rx_data * rx)3407 ieee80211_rx_h_mgmt_check(struct ieee80211_rx_data *rx)
3408 {
3409 struct ieee80211_mgmt *mgmt = (struct ieee80211_mgmt *) rx->skb->data;
3410 struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(rx->skb);
3411
3412 if (ieee80211_is_s1g_beacon(mgmt->frame_control))
3413 return RX_CONTINUE;
3414
3415 /*
3416 * From here on, look only at management frames.
3417 * Data and control frames are already handled,
3418 * and unknown (reserved) frames are useless.
3419 */
3420 if (rx->skb->len < 24)
3421 return RX_DROP;
3422
3423 if (!ieee80211_is_mgmt(mgmt->frame_control))
3424 return RX_DROP;
3425
3426 /* drop too small action frames */
3427 if (ieee80211_is_action(mgmt->frame_control) &&
3428 rx->skb->len < IEEE80211_MIN_ACTION_SIZE)
3429 return RX_DROP_U_RUNT_ACTION;
3430
3431 if (rx->sdata->vif.type == NL80211_IFTYPE_AP &&
3432 ieee80211_is_beacon(mgmt->frame_control) &&
3433 !(rx->flags & IEEE80211_RX_BEACON_REPORTED)) {
3434 int sig = 0;
3435
3436 /* sw bss color collision detection */
3437 ieee80211_rx_check_bss_color_collision(rx);
3438
3439 if (ieee80211_hw_check(&rx->local->hw, SIGNAL_DBM) &&
3440 !(status->flag & RX_FLAG_NO_SIGNAL_VAL))
3441 sig = status->signal;
3442
3443 cfg80211_report_obss_beacon_khz(rx->local->hw.wiphy,
3444 rx->skb->data, rx->skb->len,
3445 ieee80211_rx_status_to_khz(status),
3446 sig);
3447 rx->flags |= IEEE80211_RX_BEACON_REPORTED;
3448 }
3449
3450 return ieee80211_drop_unencrypted_mgmt(rx);
3451 }
3452
3453 static bool
ieee80211_process_rx_twt_action(struct ieee80211_rx_data * rx)3454 ieee80211_process_rx_twt_action(struct ieee80211_rx_data *rx)
3455 {
3456 struct ieee80211_mgmt *mgmt = (struct ieee80211_mgmt *)rx->skb->data;
3457 struct ieee80211_sub_if_data *sdata = rx->sdata;
3458
3459 /* TWT actions are only supported in AP for the moment */
3460 if (sdata->vif.type != NL80211_IFTYPE_AP)
3461 return false;
3462
3463 if (!rx->local->ops->add_twt_setup)
3464 return false;
3465
3466 if (!sdata->vif.bss_conf.twt_responder)
3467 return false;
3468
3469 if (!rx->sta)
3470 return false;
3471
3472 switch (mgmt->u.action.u.s1g.action_code) {
3473 case WLAN_S1G_TWT_SETUP: {
3474 struct ieee80211_twt_setup *twt;
3475
3476 if (rx->skb->len < IEEE80211_MIN_ACTION_SIZE +
3477 1 + /* action code */
3478 sizeof(struct ieee80211_twt_setup) +
3479 2 /* TWT req_type agrt */)
3480 break;
3481
3482 twt = (void *)mgmt->u.action.u.s1g.variable;
3483 if (twt->element_id != WLAN_EID_S1G_TWT)
3484 break;
3485
3486 if (rx->skb->len < IEEE80211_MIN_ACTION_SIZE +
3487 4 + /* action code + token + tlv */
3488 twt->length)
3489 break;
3490
3491 return true; /* queue the frame */
3492 }
3493 case WLAN_S1G_TWT_TEARDOWN:
3494 if (rx->skb->len < IEEE80211_MIN_ACTION_SIZE + 2)
3495 break;
3496
3497 return true; /* queue the frame */
3498 default:
3499 break;
3500 }
3501
3502 return false;
3503 }
3504
3505 static ieee80211_rx_result debug_noinline
ieee80211_rx_h_action(struct ieee80211_rx_data * rx)3506 ieee80211_rx_h_action(struct ieee80211_rx_data *rx)
3507 {
3508 struct ieee80211_local *local = rx->local;
3509 struct ieee80211_sub_if_data *sdata = rx->sdata;
3510 struct ieee80211_mgmt *mgmt = (struct ieee80211_mgmt *) rx->skb->data;
3511 struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(rx->skb);
3512 int len = rx->skb->len;
3513
3514 if (!ieee80211_is_action(mgmt->frame_control))
3515 return RX_CONTINUE;
3516
3517 if (!rx->sta && mgmt->u.action.category != WLAN_CATEGORY_PUBLIC &&
3518 mgmt->u.action.category != WLAN_CATEGORY_SELF_PROTECTED &&
3519 mgmt->u.action.category != WLAN_CATEGORY_SPECTRUM_MGMT)
3520 return RX_DROP_U_ACTION_UNKNOWN_SRC;
3521
3522 switch (mgmt->u.action.category) {
3523 case WLAN_CATEGORY_HT:
3524 /* reject HT action frames from stations not supporting HT */
3525 if (!rx->link_sta->pub->ht_cap.ht_supported)
3526 goto invalid;
3527
3528 if (sdata->vif.type != NL80211_IFTYPE_STATION &&
3529 sdata->vif.type != NL80211_IFTYPE_MESH_POINT &&
3530 sdata->vif.type != NL80211_IFTYPE_AP_VLAN &&
3531 sdata->vif.type != NL80211_IFTYPE_AP &&
3532 sdata->vif.type != NL80211_IFTYPE_ADHOC)
3533 break;
3534
3535 /* verify action & smps_control/chanwidth are present */
3536 if (len < IEEE80211_MIN_ACTION_SIZE + 2)
3537 goto invalid;
3538
3539 switch (mgmt->u.action.u.ht_smps.action) {
3540 case WLAN_HT_ACTION_SMPS: {
3541 struct ieee80211_supported_band *sband;
3542 enum ieee80211_smps_mode smps_mode;
3543 struct sta_opmode_info sta_opmode = {};
3544
3545 if (sdata->vif.type != NL80211_IFTYPE_AP &&
3546 sdata->vif.type != NL80211_IFTYPE_AP_VLAN)
3547 goto handled;
3548
3549 /* convert to HT capability */
3550 switch (mgmt->u.action.u.ht_smps.smps_control) {
3551 case WLAN_HT_SMPS_CONTROL_DISABLED:
3552 smps_mode = IEEE80211_SMPS_OFF;
3553 break;
3554 case WLAN_HT_SMPS_CONTROL_STATIC:
3555 smps_mode = IEEE80211_SMPS_STATIC;
3556 break;
3557 case WLAN_HT_SMPS_CONTROL_DYNAMIC:
3558 smps_mode = IEEE80211_SMPS_DYNAMIC;
3559 break;
3560 default:
3561 goto invalid;
3562 }
3563
3564 /* if no change do nothing */
3565 if (rx->link_sta->pub->smps_mode == smps_mode)
3566 goto handled;
3567 rx->link_sta->pub->smps_mode = smps_mode;
3568 sta_opmode.smps_mode =
3569 ieee80211_smps_mode_to_smps_mode(smps_mode);
3570 sta_opmode.changed = STA_OPMODE_SMPS_MODE_CHANGED;
3571
3572 sband = rx->local->hw.wiphy->bands[status->band];
3573
3574 rate_control_rate_update(local, sband, rx->link_sta,
3575 IEEE80211_RC_SMPS_CHANGED);
3576 cfg80211_sta_opmode_change_notify(sdata->dev,
3577 rx->sta->addr,
3578 &sta_opmode,
3579 GFP_ATOMIC);
3580 goto handled;
3581 }
3582 case WLAN_HT_ACTION_NOTIFY_CHANWIDTH: {
3583 u8 chanwidth = mgmt->u.action.u.ht_notify_cw.chanwidth;
3584
3585 if (chanwidth != IEEE80211_HT_CHANWIDTH_20MHZ &&
3586 chanwidth != IEEE80211_HT_CHANWIDTH_ANY)
3587 goto invalid;
3588
3589 /* If it doesn't support 40 MHz it can't change ... */
3590 if (!(rx->link_sta->pub->ht_cap.cap &
3591 IEEE80211_HT_CAP_SUP_WIDTH_20_40))
3592 goto handled;
3593
3594 goto queue;
3595 }
3596 default:
3597 goto invalid;
3598 }
3599
3600 break;
3601 case WLAN_CATEGORY_PUBLIC:
3602 case WLAN_CATEGORY_PROTECTED_DUAL_OF_ACTION:
3603 if (len < IEEE80211_MIN_ACTION_SIZE + 1)
3604 goto invalid;
3605 if (sdata->vif.type != NL80211_IFTYPE_STATION)
3606 break;
3607 if (!rx->sta)
3608 break;
3609 if (!ether_addr_equal(mgmt->bssid, sdata->deflink.u.mgd.bssid))
3610 break;
3611 if (mgmt->u.action.u.ext_chan_switch.action_code !=
3612 WLAN_PUB_ACTION_EXT_CHANSW_ANN)
3613 break;
3614 if (len < offsetof(struct ieee80211_mgmt,
3615 u.action.u.ext_chan_switch.variable))
3616 goto invalid;
3617 goto queue;
3618 case WLAN_CATEGORY_VHT:
3619 if (sdata->vif.type != NL80211_IFTYPE_STATION &&
3620 sdata->vif.type != NL80211_IFTYPE_MESH_POINT &&
3621 sdata->vif.type != NL80211_IFTYPE_AP_VLAN &&
3622 sdata->vif.type != NL80211_IFTYPE_AP &&
3623 sdata->vif.type != NL80211_IFTYPE_ADHOC)
3624 break;
3625
3626 /* verify action code is present */
3627 if (len < IEEE80211_MIN_ACTION_SIZE + 1)
3628 goto invalid;
3629
3630 switch (mgmt->u.action.u.vht_opmode_notif.action_code) {
3631 case WLAN_VHT_ACTION_OPMODE_NOTIF: {
3632 /* verify opmode is present */
3633 if (len < IEEE80211_MIN_ACTION_SIZE + 2)
3634 goto invalid;
3635 goto queue;
3636 }
3637 case WLAN_VHT_ACTION_GROUPID_MGMT: {
3638 if (len < IEEE80211_MIN_ACTION_SIZE + 25)
3639 goto invalid;
3640 goto queue;
3641 }
3642 default:
3643 break;
3644 }
3645 break;
3646 case WLAN_CATEGORY_BACK:
3647 if (sdata->vif.type != NL80211_IFTYPE_STATION &&
3648 sdata->vif.type != NL80211_IFTYPE_MESH_POINT &&
3649 sdata->vif.type != NL80211_IFTYPE_AP_VLAN &&
3650 sdata->vif.type != NL80211_IFTYPE_AP &&
3651 sdata->vif.type != NL80211_IFTYPE_ADHOC)
3652 break;
3653
3654 /* verify action_code is present */
3655 if (len < IEEE80211_MIN_ACTION_SIZE + 1)
3656 break;
3657
3658 switch (mgmt->u.action.u.addba_req.action_code) {
3659 case WLAN_ACTION_ADDBA_REQ:
3660 if (len < (IEEE80211_MIN_ACTION_SIZE +
3661 sizeof(mgmt->u.action.u.addba_req)))
3662 goto invalid;
3663 break;
3664 case WLAN_ACTION_ADDBA_RESP:
3665 if (len < (IEEE80211_MIN_ACTION_SIZE +
3666 sizeof(mgmt->u.action.u.addba_resp)))
3667 goto invalid;
3668 break;
3669 case WLAN_ACTION_DELBA:
3670 if (len < (IEEE80211_MIN_ACTION_SIZE +
3671 sizeof(mgmt->u.action.u.delba)))
3672 goto invalid;
3673 break;
3674 default:
3675 goto invalid;
3676 }
3677
3678 goto queue;
3679 case WLAN_CATEGORY_SPECTRUM_MGMT:
3680 /* verify action_code is present */
3681 if (len < IEEE80211_MIN_ACTION_SIZE + 1)
3682 break;
3683
3684 switch (mgmt->u.action.u.measurement.action_code) {
3685 case WLAN_ACTION_SPCT_MSR_REQ:
3686 if (status->band != NL80211_BAND_5GHZ)
3687 break;
3688
3689 if (len < (IEEE80211_MIN_ACTION_SIZE +
3690 sizeof(mgmt->u.action.u.measurement)))
3691 break;
3692
3693 if (sdata->vif.type != NL80211_IFTYPE_STATION)
3694 break;
3695
3696 ieee80211_process_measurement_req(sdata, mgmt, len);
3697 goto handled;
3698 case WLAN_ACTION_SPCT_CHL_SWITCH: {
3699 u8 *bssid;
3700 if (len < (IEEE80211_MIN_ACTION_SIZE +
3701 sizeof(mgmt->u.action.u.chan_switch)))
3702 break;
3703
3704 if (sdata->vif.type != NL80211_IFTYPE_STATION &&
3705 sdata->vif.type != NL80211_IFTYPE_ADHOC &&
3706 sdata->vif.type != NL80211_IFTYPE_MESH_POINT)
3707 break;
3708
3709 if (sdata->vif.type == NL80211_IFTYPE_STATION)
3710 bssid = sdata->deflink.u.mgd.bssid;
3711 else if (sdata->vif.type == NL80211_IFTYPE_ADHOC)
3712 bssid = sdata->u.ibss.bssid;
3713 else if (sdata->vif.type == NL80211_IFTYPE_MESH_POINT)
3714 bssid = mgmt->sa;
3715 else
3716 break;
3717
3718 if (!ether_addr_equal(mgmt->bssid, bssid))
3719 break;
3720
3721 goto queue;
3722 }
3723 }
3724 break;
3725 case WLAN_CATEGORY_SELF_PROTECTED:
3726 if (len < (IEEE80211_MIN_ACTION_SIZE +
3727 sizeof(mgmt->u.action.u.self_prot.action_code)))
3728 break;
3729
3730 switch (mgmt->u.action.u.self_prot.action_code) {
3731 case WLAN_SP_MESH_PEERING_OPEN:
3732 case WLAN_SP_MESH_PEERING_CLOSE:
3733 case WLAN_SP_MESH_PEERING_CONFIRM:
3734 if (!ieee80211_vif_is_mesh(&sdata->vif))
3735 goto invalid;
3736 if (sdata->u.mesh.user_mpm)
3737 /* userspace handles this frame */
3738 break;
3739 goto queue;
3740 case WLAN_SP_MGK_INFORM:
3741 case WLAN_SP_MGK_ACK:
3742 if (!ieee80211_vif_is_mesh(&sdata->vif))
3743 goto invalid;
3744 break;
3745 }
3746 break;
3747 case WLAN_CATEGORY_MESH_ACTION:
3748 if (len < (IEEE80211_MIN_ACTION_SIZE +
3749 sizeof(mgmt->u.action.u.mesh_action.action_code)))
3750 break;
3751
3752 if (!ieee80211_vif_is_mesh(&sdata->vif))
3753 break;
3754 if (mesh_action_is_path_sel(mgmt) &&
3755 !mesh_path_sel_is_hwmp(sdata))
3756 break;
3757 goto queue;
3758 case WLAN_CATEGORY_S1G:
3759 if (len < offsetofend(typeof(*mgmt),
3760 u.action.u.s1g.action_code))
3761 break;
3762
3763 switch (mgmt->u.action.u.s1g.action_code) {
3764 case WLAN_S1G_TWT_SETUP:
3765 case WLAN_S1G_TWT_TEARDOWN:
3766 if (ieee80211_process_rx_twt_action(rx))
3767 goto queue;
3768 break;
3769 default:
3770 break;
3771 }
3772 break;
3773 case WLAN_CATEGORY_PROTECTED_EHT:
3774 if (len < offsetofend(typeof(*mgmt),
3775 u.action.u.ttlm_req.action_code))
3776 break;
3777
3778 switch (mgmt->u.action.u.ttlm_req.action_code) {
3779 case WLAN_PROTECTED_EHT_ACTION_TTLM_REQ:
3780 if (sdata->vif.type != NL80211_IFTYPE_STATION)
3781 break;
3782
3783 if (len < offsetofend(typeof(*mgmt),
3784 u.action.u.ttlm_req))
3785 goto invalid;
3786 goto queue;
3787 case WLAN_PROTECTED_EHT_ACTION_TTLM_RES:
3788 if (sdata->vif.type != NL80211_IFTYPE_STATION)
3789 break;
3790
3791 if (len < offsetofend(typeof(*mgmt),
3792 u.action.u.ttlm_res))
3793 goto invalid;
3794 goto queue;
3795 case WLAN_PROTECTED_EHT_ACTION_TTLM_TEARDOWN:
3796 if (sdata->vif.type != NL80211_IFTYPE_STATION)
3797 break;
3798
3799 if (len < offsetofend(typeof(*mgmt),
3800 u.action.u.ttlm_tear_down))
3801 goto invalid;
3802 goto queue;
3803 case WLAN_PROTECTED_EHT_ACTION_LINK_RECONFIG_RESP:
3804 if (sdata->vif.type != NL80211_IFTYPE_STATION)
3805 break;
3806
3807 /* The reconfiguration response action frame must
3808 * least one 'Status Duple' entry (3 octets)
3809 */
3810 if (len <
3811 offsetofend(typeof(*mgmt),
3812 u.action.u.ml_reconf_resp) + 3)
3813 goto invalid;
3814 goto queue;
3815 case WLAN_PROTECTED_EHT_ACTION_EPCS_ENABLE_RESP:
3816 if (sdata->vif.type != NL80211_IFTYPE_STATION)
3817 break;
3818
3819 if (len < offsetofend(typeof(*mgmt),
3820 u.action.u.epcs) +
3821 IEEE80211_EPCS_ENA_RESP_BODY_LEN)
3822 goto invalid;
3823 goto queue;
3824 case WLAN_PROTECTED_EHT_ACTION_EPCS_ENABLE_TEARDOWN:
3825 if (sdata->vif.type != NL80211_IFTYPE_STATION)
3826 break;
3827
3828 if (len < offsetofend(typeof(*mgmt),
3829 u.action.u.epcs))
3830 goto invalid;
3831 goto queue;
3832 default:
3833 break;
3834 }
3835 break;
3836 }
3837
3838 return RX_CONTINUE;
3839
3840 invalid:
3841 status->rx_flags |= IEEE80211_RX_MALFORMED_ACTION_FRM;
3842 /* will return in the next handlers */
3843 return RX_CONTINUE;
3844
3845 handled:
3846 if (rx->sta)
3847 rx->link_sta->rx_stats.packets++;
3848 dev_kfree_skb(rx->skb);
3849 return RX_QUEUED;
3850
3851 queue:
3852 ieee80211_queue_skb_to_iface(sdata, rx->link_id, rx->sta, rx->skb);
3853 return RX_QUEUED;
3854 }
3855
3856 static ieee80211_rx_result debug_noinline
ieee80211_rx_h_userspace_mgmt(struct ieee80211_rx_data * rx)3857 ieee80211_rx_h_userspace_mgmt(struct ieee80211_rx_data *rx)
3858 {
3859 struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(rx->skb);
3860 struct cfg80211_rx_info info = {
3861 .freq = ieee80211_rx_status_to_khz(status),
3862 .buf = rx->skb->data,
3863 .len = rx->skb->len,
3864 .link_id = rx->link_id,
3865 .have_link_id = rx->link_id >= 0,
3866 };
3867
3868 /* skip known-bad action frames and return them in the next handler */
3869 if (status->rx_flags & IEEE80211_RX_MALFORMED_ACTION_FRM)
3870 return RX_CONTINUE;
3871
3872 /*
3873 * Getting here means the kernel doesn't know how to handle
3874 * it, but maybe userspace does ... include returned frames
3875 * so userspace can register for those to know whether ones
3876 * it transmitted were processed or returned.
3877 */
3878
3879 if (ieee80211_hw_check(&rx->local->hw, SIGNAL_DBM) &&
3880 !(status->flag & RX_FLAG_NO_SIGNAL_VAL))
3881 info.sig_dbm = status->signal;
3882
3883 if (ieee80211_is_timing_measurement(rx->skb) ||
3884 ieee80211_is_ftm(rx->skb)) {
3885 info.rx_tstamp = ktime_to_ns(skb_hwtstamps(rx->skb)->hwtstamp);
3886 info.ack_tstamp = ktime_to_ns(status->ack_tx_hwtstamp);
3887 }
3888
3889 if (cfg80211_rx_mgmt_ext(&rx->sdata->wdev, &info)) {
3890 if (rx->sta)
3891 rx->link_sta->rx_stats.packets++;
3892 dev_kfree_skb(rx->skb);
3893 return RX_QUEUED;
3894 }
3895
3896 return RX_CONTINUE;
3897 }
3898
3899 static ieee80211_rx_result debug_noinline
ieee80211_rx_h_action_post_userspace(struct ieee80211_rx_data * rx)3900 ieee80211_rx_h_action_post_userspace(struct ieee80211_rx_data *rx)
3901 {
3902 struct ieee80211_sub_if_data *sdata = rx->sdata;
3903 struct ieee80211_mgmt *mgmt = (struct ieee80211_mgmt *) rx->skb->data;
3904 int len = rx->skb->len;
3905
3906 if (!ieee80211_is_action(mgmt->frame_control))
3907 return RX_CONTINUE;
3908
3909 switch (mgmt->u.action.category) {
3910 case WLAN_CATEGORY_SA_QUERY:
3911 if (len < (IEEE80211_MIN_ACTION_SIZE +
3912 sizeof(mgmt->u.action.u.sa_query)))
3913 break;
3914
3915 switch (mgmt->u.action.u.sa_query.action) {
3916 case WLAN_ACTION_SA_QUERY_REQUEST:
3917 if (sdata->vif.type != NL80211_IFTYPE_STATION)
3918 break;
3919 ieee80211_process_sa_query_req(sdata, mgmt, len);
3920 goto handled;
3921 }
3922 break;
3923 }
3924
3925 return RX_CONTINUE;
3926
3927 handled:
3928 if (rx->sta)
3929 rx->link_sta->rx_stats.packets++;
3930 dev_kfree_skb(rx->skb);
3931 return RX_QUEUED;
3932 }
3933
3934 static ieee80211_rx_result debug_noinline
ieee80211_rx_h_action_return(struct ieee80211_rx_data * rx)3935 ieee80211_rx_h_action_return(struct ieee80211_rx_data *rx)
3936 {
3937 struct ieee80211_local *local = rx->local;
3938 struct ieee80211_mgmt *mgmt = (struct ieee80211_mgmt *) rx->skb->data;
3939 struct sk_buff *nskb;
3940 struct ieee80211_sub_if_data *sdata = rx->sdata;
3941 struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(rx->skb);
3942
3943 if (!ieee80211_is_action(mgmt->frame_control))
3944 return RX_CONTINUE;
3945
3946 /*
3947 * For AP mode, hostapd is responsible for handling any action
3948 * frames that we didn't handle, including returning unknown
3949 * ones. For all other modes we will return them to the sender,
3950 * setting the 0x80 bit in the action category, as required by
3951 * 802.11-2012 9.24.4.
3952 * Newer versions of hostapd use the management frame registration
3953 * mechanisms and old cooked monitor interface is no longer supported.
3954 */
3955 if (!(status->rx_flags & IEEE80211_RX_MALFORMED_ACTION_FRM) &&
3956 (sdata->vif.type == NL80211_IFTYPE_AP ||
3957 sdata->vif.type == NL80211_IFTYPE_AP_VLAN))
3958 return RX_DROP;
3959
3960 if (is_multicast_ether_addr(mgmt->da))
3961 return RX_DROP;
3962
3963 /* do not return rejected action frames */
3964 if (mgmt->u.action.category & 0x80)
3965 return RX_DROP_U_REJECTED_ACTION_RESPONSE;
3966
3967 nskb = skb_copy_expand(rx->skb, local->hw.extra_tx_headroom, 0,
3968 GFP_ATOMIC);
3969 if (nskb) {
3970 struct ieee80211_mgmt *nmgmt = (void *)nskb->data;
3971
3972 nmgmt->u.action.category |= 0x80;
3973 memcpy(nmgmt->da, nmgmt->sa, ETH_ALEN);
3974 memcpy(nmgmt->sa, rx->sdata->vif.addr, ETH_ALEN);
3975
3976 memset(nskb->cb, 0, sizeof(nskb->cb));
3977
3978 if (rx->sdata->vif.type == NL80211_IFTYPE_P2P_DEVICE) {
3979 struct ieee80211_tx_info *info = IEEE80211_SKB_CB(nskb);
3980
3981 info->flags = IEEE80211_TX_CTL_TX_OFFCHAN |
3982 IEEE80211_TX_INTFL_OFFCHAN_TX_OK |
3983 IEEE80211_TX_CTL_NO_CCK_RATE;
3984 if (ieee80211_hw_check(&local->hw, QUEUE_CONTROL))
3985 info->hw_queue =
3986 local->hw.offchannel_tx_hw_queue;
3987 }
3988
3989 __ieee80211_tx_skb_tid_band(rx->sdata, nskb, 7, -1,
3990 status->band);
3991 }
3992
3993 return RX_DROP_U_UNKNOWN_ACTION_REJECTED;
3994 }
3995
3996 static ieee80211_rx_result debug_noinline
ieee80211_rx_h_ext(struct ieee80211_rx_data * rx)3997 ieee80211_rx_h_ext(struct ieee80211_rx_data *rx)
3998 {
3999 struct ieee80211_sub_if_data *sdata = rx->sdata;
4000 struct ieee80211_hdr *hdr = (void *)rx->skb->data;
4001
4002 if (!ieee80211_is_ext(hdr->frame_control))
4003 return RX_CONTINUE;
4004
4005 if (sdata->vif.type != NL80211_IFTYPE_STATION)
4006 return RX_DROP;
4007
4008 /* for now only beacons are ext, so queue them */
4009 ieee80211_queue_skb_to_iface(sdata, rx->link_id, rx->sta, rx->skb);
4010
4011 return RX_QUEUED;
4012 }
4013
4014 static ieee80211_rx_result debug_noinline
ieee80211_rx_h_mgmt(struct ieee80211_rx_data * rx)4015 ieee80211_rx_h_mgmt(struct ieee80211_rx_data *rx)
4016 {
4017 struct ieee80211_sub_if_data *sdata = rx->sdata;
4018 struct ieee80211_mgmt *mgmt = (void *)rx->skb->data;
4019 __le16 stype;
4020
4021 stype = mgmt->frame_control & cpu_to_le16(IEEE80211_FCTL_STYPE);
4022
4023 if (!ieee80211_vif_is_mesh(&sdata->vif) &&
4024 sdata->vif.type != NL80211_IFTYPE_ADHOC &&
4025 sdata->vif.type != NL80211_IFTYPE_OCB &&
4026 sdata->vif.type != NL80211_IFTYPE_STATION)
4027 return RX_DROP;
4028
4029 switch (stype) {
4030 case cpu_to_le16(IEEE80211_STYPE_AUTH):
4031 case cpu_to_le16(IEEE80211_STYPE_BEACON):
4032 case cpu_to_le16(IEEE80211_STYPE_PROBE_RESP):
4033 /* process for all: mesh, mlme, ibss */
4034 break;
4035 case cpu_to_le16(IEEE80211_STYPE_DEAUTH):
4036 if (is_multicast_ether_addr(mgmt->da) &&
4037 !is_broadcast_ether_addr(mgmt->da))
4038 return RX_DROP;
4039
4040 /* process only for station/IBSS */
4041 if (sdata->vif.type != NL80211_IFTYPE_STATION &&
4042 sdata->vif.type != NL80211_IFTYPE_ADHOC)
4043 return RX_DROP;
4044 break;
4045 case cpu_to_le16(IEEE80211_STYPE_ASSOC_RESP):
4046 case cpu_to_le16(IEEE80211_STYPE_REASSOC_RESP):
4047 case cpu_to_le16(IEEE80211_STYPE_DISASSOC):
4048 if (is_multicast_ether_addr(mgmt->da) &&
4049 !is_broadcast_ether_addr(mgmt->da))
4050 return RX_DROP;
4051
4052 /* process only for station */
4053 if (sdata->vif.type != NL80211_IFTYPE_STATION)
4054 return RX_DROP;
4055 break;
4056 case cpu_to_le16(IEEE80211_STYPE_PROBE_REQ):
4057 /* process only for ibss and mesh */
4058 if (sdata->vif.type != NL80211_IFTYPE_ADHOC &&
4059 sdata->vif.type != NL80211_IFTYPE_MESH_POINT)
4060 return RX_DROP;
4061 break;
4062 default:
4063 return RX_DROP;
4064 }
4065
4066 ieee80211_queue_skb_to_iface(sdata, rx->link_id, rx->sta, rx->skb);
4067
4068 return RX_QUEUED;
4069 }
4070
ieee80211_rx_handlers_result(struct ieee80211_rx_data * rx,ieee80211_rx_result res)4071 static void ieee80211_rx_handlers_result(struct ieee80211_rx_data *rx,
4072 ieee80211_rx_result res)
4073 {
4074 if (res == RX_QUEUED) {
4075 I802_DEBUG_INC(rx->sdata->local->rx_handlers_queued);
4076 return;
4077 }
4078
4079 if (res != RX_CONTINUE) {
4080 I802_DEBUG_INC(rx->sdata->local->rx_handlers_drop);
4081 if (rx->sta)
4082 rx->link_sta->rx_stats.dropped++;
4083 }
4084
4085 kfree_skb_reason(rx->skb, (__force u32)res);
4086 }
4087
ieee80211_rx_handlers(struct ieee80211_rx_data * rx,struct sk_buff_head * frames)4088 static void ieee80211_rx_handlers(struct ieee80211_rx_data *rx,
4089 struct sk_buff_head *frames)
4090 {
4091 ieee80211_rx_result res = RX_DROP;
4092 struct sk_buff *skb;
4093
4094 #define CALL_RXH(rxh) \
4095 do { \
4096 res = rxh(rx); \
4097 if (res != RX_CONTINUE) \
4098 goto rxh_next; \
4099 } while (0)
4100
4101 /* Lock here to avoid hitting all of the data used in the RX
4102 * path (e.g. key data, station data, ...) concurrently when
4103 * a frame is released from the reorder buffer due to timeout
4104 * from the timer, potentially concurrently with RX from the
4105 * driver.
4106 */
4107 spin_lock_bh(&rx->local->rx_path_lock);
4108
4109 while ((skb = __skb_dequeue(frames))) {
4110 /*
4111 * all the other fields are valid across frames
4112 * that belong to an aMPDU since they are on the
4113 * same TID from the same station
4114 */
4115 rx->skb = skb;
4116
4117 if (WARN_ON_ONCE(!rx->link))
4118 goto rxh_next;
4119
4120 CALL_RXH(ieee80211_rx_h_check_more_data);
4121 CALL_RXH(ieee80211_rx_h_uapsd_and_pspoll);
4122 CALL_RXH(ieee80211_rx_h_sta_process);
4123 CALL_RXH(ieee80211_rx_h_decrypt);
4124 CALL_RXH(ieee80211_rx_h_defragment);
4125 CALL_RXH(ieee80211_rx_h_michael_mic_verify);
4126 /* must be after MMIC verify so header is counted in MPDU mic */
4127 CALL_RXH(ieee80211_rx_h_amsdu);
4128 CALL_RXH(ieee80211_rx_h_data);
4129
4130 /* special treatment -- needs the queue */
4131 res = ieee80211_rx_h_ctrl(rx, frames);
4132 if (res != RX_CONTINUE)
4133 goto rxh_next;
4134
4135 CALL_RXH(ieee80211_rx_h_mgmt_check);
4136 CALL_RXH(ieee80211_rx_h_action);
4137 CALL_RXH(ieee80211_rx_h_userspace_mgmt);
4138 CALL_RXH(ieee80211_rx_h_action_post_userspace);
4139 CALL_RXH(ieee80211_rx_h_action_return);
4140 CALL_RXH(ieee80211_rx_h_ext);
4141 CALL_RXH(ieee80211_rx_h_mgmt);
4142
4143 rxh_next:
4144 ieee80211_rx_handlers_result(rx, res);
4145
4146 #undef CALL_RXH
4147 }
4148
4149 spin_unlock_bh(&rx->local->rx_path_lock);
4150 }
4151
ieee80211_invoke_rx_handlers(struct ieee80211_rx_data * rx)4152 static void ieee80211_invoke_rx_handlers(struct ieee80211_rx_data *rx)
4153 {
4154 struct sk_buff_head reorder_release;
4155 ieee80211_rx_result res = RX_DROP;
4156
4157 __skb_queue_head_init(&reorder_release);
4158
4159 #define CALL_RXH(rxh) \
4160 do { \
4161 res = rxh(rx); \
4162 if (res != RX_CONTINUE) \
4163 goto rxh_next; \
4164 } while (0)
4165
4166 CALL_RXH(ieee80211_rx_h_check_dup);
4167 CALL_RXH(ieee80211_rx_h_check);
4168
4169 ieee80211_rx_reorder_ampdu(rx, &reorder_release);
4170
4171 ieee80211_rx_handlers(rx, &reorder_release);
4172 return;
4173
4174 rxh_next:
4175 ieee80211_rx_handlers_result(rx, res);
4176
4177 #undef CALL_RXH
4178 }
4179
4180 static bool
ieee80211_rx_is_valid_sta_link_id(struct ieee80211_sta * sta,u8 link_id)4181 ieee80211_rx_is_valid_sta_link_id(struct ieee80211_sta *sta, u8 link_id)
4182 {
4183 return !!(sta->valid_links & BIT(link_id));
4184 }
4185
ieee80211_rx_data_set_link(struct ieee80211_rx_data * rx,u8 link_id)4186 static bool ieee80211_rx_data_set_link(struct ieee80211_rx_data *rx,
4187 u8 link_id)
4188 {
4189 rx->link_id = link_id;
4190 rx->link = rcu_dereference(rx->sdata->link[link_id]);
4191
4192 if (!rx->sta)
4193 return rx->link;
4194
4195 if (!ieee80211_rx_is_valid_sta_link_id(&rx->sta->sta, link_id))
4196 return false;
4197
4198 rx->link_sta = rcu_dereference(rx->sta->link[link_id]);
4199
4200 return rx->link && rx->link_sta;
4201 }
4202
ieee80211_rx_data_set_sta(struct ieee80211_rx_data * rx,struct sta_info * sta,int link_id)4203 static bool ieee80211_rx_data_set_sta(struct ieee80211_rx_data *rx,
4204 struct sta_info *sta, int link_id)
4205 {
4206 rx->link_id = link_id;
4207 rx->sta = sta;
4208
4209 if (sta) {
4210 rx->local = sta->sdata->local;
4211 if (!rx->sdata)
4212 rx->sdata = sta->sdata;
4213 rx->link_sta = &sta->deflink;
4214 } else {
4215 rx->link_sta = NULL;
4216 }
4217
4218 if (link_id < 0) {
4219 if (ieee80211_vif_is_mld(&rx->sdata->vif) &&
4220 sta && !sta->sta.valid_links)
4221 rx->link =
4222 rcu_dereference(rx->sdata->link[sta->deflink.link_id]);
4223 else
4224 rx->link = &rx->sdata->deflink;
4225 } else if (!ieee80211_rx_data_set_link(rx, link_id)) {
4226 return false;
4227 }
4228
4229 return true;
4230 }
4231
4232 /*
4233 * This function makes calls into the RX path, therefore
4234 * it has to be invoked under RCU read lock.
4235 */
ieee80211_release_reorder_timeout(struct sta_info * sta,int tid)4236 void ieee80211_release_reorder_timeout(struct sta_info *sta, int tid)
4237 {
4238 struct sk_buff_head frames;
4239 struct ieee80211_rx_data rx = {
4240 /* This is OK -- must be QoS data frame */
4241 .security_idx = tid,
4242 .seqno_idx = tid,
4243 };
4244 struct tid_ampdu_rx *tid_agg_rx;
4245 int link_id = -1;
4246
4247 /* FIXME: statistics won't be right with this */
4248 if (sta->sta.valid_links)
4249 link_id = ffs(sta->sta.valid_links) - 1;
4250
4251 if (!ieee80211_rx_data_set_sta(&rx, sta, link_id))
4252 return;
4253
4254 tid_agg_rx = rcu_dereference(sta->ampdu_mlme.tid_rx[tid]);
4255 if (!tid_agg_rx)
4256 return;
4257
4258 __skb_queue_head_init(&frames);
4259
4260 spin_lock(&tid_agg_rx->reorder_lock);
4261 ieee80211_sta_reorder_release(sta->sdata, tid_agg_rx, &frames);
4262 spin_unlock(&tid_agg_rx->reorder_lock);
4263
4264 if (!skb_queue_empty(&frames)) {
4265 struct ieee80211_event event = {
4266 .type = BA_FRAME_TIMEOUT,
4267 .u.ba.tid = tid,
4268 .u.ba.sta = &sta->sta,
4269 };
4270 drv_event_callback(rx.local, rx.sdata, &event);
4271 }
4272
4273 ieee80211_rx_handlers(&rx, &frames);
4274 }
4275
ieee80211_mark_rx_ba_filtered_frames(struct ieee80211_sta * pubsta,u8 tid,u16 ssn,u64 filtered,u16 received_mpdus)4276 void ieee80211_mark_rx_ba_filtered_frames(struct ieee80211_sta *pubsta, u8 tid,
4277 u16 ssn, u64 filtered,
4278 u16 received_mpdus)
4279 {
4280 struct ieee80211_local *local;
4281 struct sta_info *sta;
4282 struct tid_ampdu_rx *tid_agg_rx;
4283 struct sk_buff_head frames;
4284 struct ieee80211_rx_data rx = {
4285 /* This is OK -- must be QoS data frame */
4286 .security_idx = tid,
4287 .seqno_idx = tid,
4288 };
4289 int i, diff;
4290
4291 if (WARN_ON(!pubsta || tid >= IEEE80211_NUM_TIDS))
4292 return;
4293
4294 __skb_queue_head_init(&frames);
4295
4296 sta = container_of(pubsta, struct sta_info, sta);
4297
4298 local = sta->sdata->local;
4299 WARN_ONCE(local->hw.max_rx_aggregation_subframes > 64,
4300 "RX BA marker can't support max_rx_aggregation_subframes %u > 64\n",
4301 local->hw.max_rx_aggregation_subframes);
4302
4303 if (!ieee80211_rx_data_set_sta(&rx, sta, -1))
4304 return;
4305
4306 rcu_read_lock();
4307 tid_agg_rx = rcu_dereference(sta->ampdu_mlme.tid_rx[tid]);
4308 if (!tid_agg_rx)
4309 goto out;
4310
4311 spin_lock_bh(&tid_agg_rx->reorder_lock);
4312
4313 if (received_mpdus >= IEEE80211_SN_MODULO >> 1) {
4314 int release;
4315
4316 /* release all frames in the reorder buffer */
4317 release = (tid_agg_rx->head_seq_num + tid_agg_rx->buf_size) %
4318 IEEE80211_SN_MODULO;
4319 ieee80211_release_reorder_frames(sta->sdata, tid_agg_rx,
4320 release, &frames);
4321 /* update ssn to match received ssn */
4322 tid_agg_rx->head_seq_num = ssn;
4323 } else {
4324 ieee80211_release_reorder_frames(sta->sdata, tid_agg_rx, ssn,
4325 &frames);
4326 }
4327
4328 /* handle the case that received ssn is behind the mac ssn.
4329 * it can be tid_agg_rx->buf_size behind and still be valid */
4330 diff = (tid_agg_rx->head_seq_num - ssn) & IEEE80211_SN_MASK;
4331 if (diff >= tid_agg_rx->buf_size) {
4332 tid_agg_rx->reorder_buf_filtered = 0;
4333 goto release;
4334 }
4335 filtered = filtered >> diff;
4336 ssn += diff;
4337
4338 /* update bitmap */
4339 for (i = 0; i < tid_agg_rx->buf_size; i++) {
4340 int index = (ssn + i) % tid_agg_rx->buf_size;
4341
4342 tid_agg_rx->reorder_buf_filtered &= ~BIT_ULL(index);
4343 if (filtered & BIT_ULL(i))
4344 tid_agg_rx->reorder_buf_filtered |= BIT_ULL(index);
4345 }
4346
4347 /* now process also frames that the filter marking released */
4348 ieee80211_sta_reorder_release(sta->sdata, tid_agg_rx, &frames);
4349
4350 release:
4351 spin_unlock_bh(&tid_agg_rx->reorder_lock);
4352
4353 ieee80211_rx_handlers(&rx, &frames);
4354
4355 out:
4356 rcu_read_unlock();
4357 }
4358 EXPORT_SYMBOL(ieee80211_mark_rx_ba_filtered_frames);
4359
4360 /* main receive path */
4361
ieee80211_bssid_match(const u8 * raddr,const u8 * addr)4362 static inline int ieee80211_bssid_match(const u8 *raddr, const u8 *addr)
4363 {
4364 return ether_addr_equal(raddr, addr) ||
4365 is_broadcast_ether_addr(raddr);
4366 }
4367
ieee80211_accept_frame(struct ieee80211_rx_data * rx)4368 static bool ieee80211_accept_frame(struct ieee80211_rx_data *rx)
4369 {
4370 struct ieee80211_sub_if_data *sdata = rx->sdata;
4371 struct sk_buff *skb = rx->skb;
4372 struct ieee80211_hdr *hdr = (void *)skb->data;
4373 struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(skb);
4374 u8 *bssid = ieee80211_get_bssid(hdr, skb->len, sdata->vif.type);
4375 bool multicast = is_multicast_ether_addr(hdr->addr1) ||
4376 ieee80211_is_s1g_beacon(hdr->frame_control);
4377
4378 switch (sdata->vif.type) {
4379 case NL80211_IFTYPE_STATION:
4380 if (!bssid && !sdata->u.mgd.use_4addr)
4381 return false;
4382 if (ieee80211_is_first_frag(hdr->seq_ctrl) &&
4383 ieee80211_is_robust_mgmt_frame(skb) && !rx->sta)
4384 return false;
4385 if (multicast)
4386 return true;
4387 return ieee80211_is_our_addr(sdata, hdr->addr1, &rx->link_id);
4388 case NL80211_IFTYPE_ADHOC:
4389 if (!bssid)
4390 return false;
4391 if (ether_addr_equal(sdata->vif.addr, hdr->addr2) ||
4392 ether_addr_equal(sdata->u.ibss.bssid, hdr->addr2) ||
4393 !is_valid_ether_addr(hdr->addr2))
4394 return false;
4395 if (ieee80211_is_beacon(hdr->frame_control))
4396 return true;
4397 if (!ieee80211_bssid_match(bssid, sdata->u.ibss.bssid))
4398 return false;
4399 if (!multicast &&
4400 !ether_addr_equal(sdata->vif.addr, hdr->addr1))
4401 return false;
4402 if (!rx->sta) {
4403 int rate_idx;
4404 if (status->encoding != RX_ENC_LEGACY)
4405 rate_idx = 0; /* TODO: HT/VHT rates */
4406 else
4407 rate_idx = status->rate_idx;
4408 ieee80211_ibss_rx_no_sta(sdata, bssid, hdr->addr2,
4409 BIT(rate_idx));
4410 }
4411 return true;
4412 case NL80211_IFTYPE_OCB:
4413 if (!bssid)
4414 return false;
4415 if (!ieee80211_is_data_present(hdr->frame_control))
4416 return false;
4417 if (!is_broadcast_ether_addr(bssid))
4418 return false;
4419 if (!multicast &&
4420 !ether_addr_equal(sdata->dev->dev_addr, hdr->addr1))
4421 return false;
4422 /* reject invalid/our STA address */
4423 if (!is_valid_ether_addr(hdr->addr2) ||
4424 ether_addr_equal(sdata->dev->dev_addr, hdr->addr2))
4425 return false;
4426 if (!rx->sta) {
4427 int rate_idx;
4428 if (status->encoding != RX_ENC_LEGACY)
4429 rate_idx = 0; /* TODO: HT rates */
4430 else
4431 rate_idx = status->rate_idx;
4432 ieee80211_ocb_rx_no_sta(sdata, bssid, hdr->addr2,
4433 BIT(rate_idx));
4434 }
4435 return true;
4436 case NL80211_IFTYPE_MESH_POINT:
4437 if (ether_addr_equal(sdata->vif.addr, hdr->addr2))
4438 return false;
4439 if (multicast)
4440 return true;
4441 return ether_addr_equal(sdata->vif.addr, hdr->addr1);
4442 case NL80211_IFTYPE_AP_VLAN:
4443 case NL80211_IFTYPE_AP:
4444 if (!bssid)
4445 return ieee80211_is_our_addr(sdata, hdr->addr1,
4446 &rx->link_id);
4447
4448 if (!is_broadcast_ether_addr(bssid) &&
4449 !ieee80211_is_our_addr(sdata, bssid, NULL)) {
4450 /*
4451 * Accept public action frames even when the
4452 * BSSID doesn't match, this is used for P2P
4453 * and location updates. Note that mac80211
4454 * itself never looks at these frames.
4455 */
4456 if (!multicast &&
4457 !ieee80211_is_our_addr(sdata, hdr->addr1,
4458 &rx->link_id))
4459 return false;
4460 if (ieee80211_is_public_action(hdr, skb->len))
4461 return true;
4462 return ieee80211_is_beacon(hdr->frame_control);
4463 }
4464
4465 if (!ieee80211_has_tods(hdr->frame_control)) {
4466 /* ignore data frames to TDLS-peers */
4467 if (ieee80211_is_data(hdr->frame_control))
4468 return false;
4469 /* ignore action frames to TDLS-peers */
4470 if (ieee80211_is_action(hdr->frame_control) &&
4471 !is_broadcast_ether_addr(bssid) &&
4472 !ether_addr_equal(bssid, hdr->addr1))
4473 return false;
4474 }
4475
4476 /*
4477 * 802.11-2016 Table 9-26 says that for data frames, A1 must be
4478 * the BSSID - we've checked that already but may have accepted
4479 * the wildcard (ff:ff:ff:ff:ff:ff).
4480 *
4481 * It also says:
4482 * The BSSID of the Data frame is determined as follows:
4483 * a) If the STA is contained within an AP or is associated
4484 * with an AP, the BSSID is the address currently in use
4485 * by the STA contained in the AP.
4486 *
4487 * So we should not accept data frames with an address that's
4488 * multicast.
4489 *
4490 * Accepting it also opens a security problem because stations
4491 * could encrypt it with the GTK and inject traffic that way.
4492 */
4493 if (ieee80211_is_data(hdr->frame_control) && multicast)
4494 return false;
4495
4496 return true;
4497 case NL80211_IFTYPE_P2P_DEVICE:
4498 return ieee80211_is_public_action(hdr, skb->len) ||
4499 ieee80211_is_probe_req(hdr->frame_control) ||
4500 ieee80211_is_probe_resp(hdr->frame_control) ||
4501 ieee80211_is_beacon(hdr->frame_control) ||
4502 (ieee80211_is_auth(hdr->frame_control) &&
4503 ether_addr_equal(sdata->vif.addr, hdr->addr1));
4504 case NL80211_IFTYPE_NAN:
4505 /* Currently no frames on NAN interface are allowed */
4506 return false;
4507 default:
4508 break;
4509 }
4510
4511 WARN_ON_ONCE(1);
4512 return false;
4513 }
4514
ieee80211_check_fast_rx(struct sta_info * sta)4515 void ieee80211_check_fast_rx(struct sta_info *sta)
4516 {
4517 struct ieee80211_sub_if_data *sdata = sta->sdata;
4518 struct ieee80211_local *local = sdata->local;
4519 struct ieee80211_key *key;
4520 struct ieee80211_fast_rx fastrx = {
4521 .dev = sdata->dev,
4522 .vif_type = sdata->vif.type,
4523 .control_port_protocol = sdata->control_port_protocol,
4524 }, *old, *new = NULL;
4525 u32 offload_flags;
4526 bool set_offload = false;
4527 bool assign = false;
4528 bool offload;
4529
4530 /* use sparse to check that we don't return without updating */
4531 __acquire(check_fast_rx);
4532
4533 BUILD_BUG_ON(sizeof(fastrx.rfc1042_hdr) != sizeof(rfc1042_header));
4534 BUILD_BUG_ON(sizeof(fastrx.rfc1042_hdr) != ETH_ALEN);
4535 ether_addr_copy(fastrx.rfc1042_hdr, rfc1042_header);
4536 ether_addr_copy(fastrx.vif_addr, sdata->vif.addr);
4537
4538 fastrx.uses_rss = ieee80211_hw_check(&local->hw, USES_RSS);
4539
4540 /* fast-rx doesn't do reordering */
4541 if (ieee80211_hw_check(&local->hw, AMPDU_AGGREGATION) &&
4542 !ieee80211_hw_check(&local->hw, SUPPORTS_REORDERING_BUFFER))
4543 goto clear;
4544
4545 switch (sdata->vif.type) {
4546 case NL80211_IFTYPE_STATION:
4547 if (sta->sta.tdls) {
4548 fastrx.da_offs = offsetof(struct ieee80211_hdr, addr1);
4549 fastrx.sa_offs = offsetof(struct ieee80211_hdr, addr2);
4550 fastrx.expected_ds_bits = 0;
4551 } else {
4552 fastrx.da_offs = offsetof(struct ieee80211_hdr, addr1);
4553 fastrx.sa_offs = offsetof(struct ieee80211_hdr, addr3);
4554 fastrx.expected_ds_bits =
4555 cpu_to_le16(IEEE80211_FCTL_FROMDS);
4556 }
4557
4558 if (sdata->u.mgd.use_4addr && !sta->sta.tdls) {
4559 fastrx.expected_ds_bits |=
4560 cpu_to_le16(IEEE80211_FCTL_TODS);
4561 fastrx.da_offs = offsetof(struct ieee80211_hdr, addr3);
4562 fastrx.sa_offs = offsetof(struct ieee80211_hdr, addr4);
4563 }
4564
4565 if (!sdata->u.mgd.powersave)
4566 break;
4567
4568 /* software powersave is a huge mess, avoid all of it */
4569 if (ieee80211_hw_check(&local->hw, PS_NULLFUNC_STACK))
4570 goto clear;
4571 if (ieee80211_hw_check(&local->hw, SUPPORTS_PS) &&
4572 !ieee80211_hw_check(&local->hw, SUPPORTS_DYNAMIC_PS))
4573 goto clear;
4574 break;
4575 case NL80211_IFTYPE_AP_VLAN:
4576 case NL80211_IFTYPE_AP:
4577 /* parallel-rx requires this, at least with calls to
4578 * ieee80211_sta_ps_transition()
4579 */
4580 if (!ieee80211_hw_check(&local->hw, AP_LINK_PS))
4581 goto clear;
4582 fastrx.da_offs = offsetof(struct ieee80211_hdr, addr3);
4583 fastrx.sa_offs = offsetof(struct ieee80211_hdr, addr2);
4584 fastrx.expected_ds_bits = cpu_to_le16(IEEE80211_FCTL_TODS);
4585
4586 fastrx.internal_forward =
4587 !(sdata->flags & IEEE80211_SDATA_DONT_BRIDGE_PACKETS) &&
4588 (sdata->vif.type != NL80211_IFTYPE_AP_VLAN ||
4589 !sdata->u.vlan.sta);
4590
4591 if (sdata->vif.type == NL80211_IFTYPE_AP_VLAN &&
4592 sdata->u.vlan.sta) {
4593 fastrx.expected_ds_bits |=
4594 cpu_to_le16(IEEE80211_FCTL_FROMDS);
4595 fastrx.sa_offs = offsetof(struct ieee80211_hdr, addr4);
4596 fastrx.internal_forward = 0;
4597 }
4598
4599 break;
4600 case NL80211_IFTYPE_MESH_POINT:
4601 fastrx.expected_ds_bits = cpu_to_le16(IEEE80211_FCTL_FROMDS |
4602 IEEE80211_FCTL_TODS);
4603 fastrx.da_offs = offsetof(struct ieee80211_hdr, addr3);
4604 fastrx.sa_offs = offsetof(struct ieee80211_hdr, addr4);
4605 break;
4606 default:
4607 goto clear;
4608 }
4609
4610 if (!test_sta_flag(sta, WLAN_STA_AUTHORIZED))
4611 goto clear;
4612
4613 rcu_read_lock();
4614 key = rcu_dereference(sta->ptk[sta->ptk_idx]);
4615 if (!key)
4616 key = rcu_dereference(sdata->default_unicast_key);
4617 if (key) {
4618 switch (key->conf.cipher) {
4619 case WLAN_CIPHER_SUITE_TKIP:
4620 /* we don't want to deal with MMIC in fast-rx */
4621 goto clear_rcu;
4622 case WLAN_CIPHER_SUITE_CCMP:
4623 case WLAN_CIPHER_SUITE_CCMP_256:
4624 case WLAN_CIPHER_SUITE_GCMP:
4625 case WLAN_CIPHER_SUITE_GCMP_256:
4626 break;
4627 default:
4628 /* We also don't want to deal with
4629 * WEP or cipher scheme.
4630 */
4631 goto clear_rcu;
4632 }
4633
4634 fastrx.key = true;
4635 fastrx.icv_len = key->conf.icv_len;
4636 }
4637
4638 assign = true;
4639 clear_rcu:
4640 rcu_read_unlock();
4641 clear:
4642 __release(check_fast_rx);
4643
4644 if (assign)
4645 new = kmemdup(&fastrx, sizeof(fastrx), GFP_KERNEL);
4646
4647 offload_flags = get_bss_sdata(sdata)->vif.offload_flags;
4648 offload = offload_flags & IEEE80211_OFFLOAD_DECAP_ENABLED;
4649
4650 if (assign && offload)
4651 set_offload = !test_and_set_sta_flag(sta, WLAN_STA_DECAP_OFFLOAD);
4652 else
4653 set_offload = test_and_clear_sta_flag(sta, WLAN_STA_DECAP_OFFLOAD);
4654
4655 if (set_offload)
4656 drv_sta_set_decap_offload(local, sdata, &sta->sta, assign);
4657
4658 spin_lock_bh(&sta->lock);
4659 old = rcu_dereference_protected(sta->fast_rx, true);
4660 rcu_assign_pointer(sta->fast_rx, new);
4661 spin_unlock_bh(&sta->lock);
4662
4663 if (old)
4664 kfree_rcu(old, rcu_head);
4665 }
4666
ieee80211_clear_fast_rx(struct sta_info * sta)4667 void ieee80211_clear_fast_rx(struct sta_info *sta)
4668 {
4669 struct ieee80211_fast_rx *old;
4670
4671 spin_lock_bh(&sta->lock);
4672 old = rcu_dereference_protected(sta->fast_rx, true);
4673 RCU_INIT_POINTER(sta->fast_rx, NULL);
4674 spin_unlock_bh(&sta->lock);
4675
4676 if (old)
4677 kfree_rcu(old, rcu_head);
4678 }
4679
__ieee80211_check_fast_rx_iface(struct ieee80211_sub_if_data * sdata)4680 void __ieee80211_check_fast_rx_iface(struct ieee80211_sub_if_data *sdata)
4681 {
4682 struct ieee80211_local *local = sdata->local;
4683 struct sta_info *sta;
4684
4685 lockdep_assert_wiphy(local->hw.wiphy);
4686
4687 list_for_each_entry(sta, &local->sta_list, list) {
4688 if (sdata != sta->sdata &&
4689 (!sta->sdata->bss || sta->sdata->bss != sdata->bss))
4690 continue;
4691 ieee80211_check_fast_rx(sta);
4692 }
4693 }
4694
ieee80211_check_fast_rx_iface(struct ieee80211_sub_if_data * sdata)4695 void ieee80211_check_fast_rx_iface(struct ieee80211_sub_if_data *sdata)
4696 {
4697 struct ieee80211_local *local = sdata->local;
4698
4699 lockdep_assert_wiphy(local->hw.wiphy);
4700
4701 __ieee80211_check_fast_rx_iface(sdata);
4702 }
4703
ieee80211_rx_8023(struct ieee80211_rx_data * rx,struct ieee80211_fast_rx * fast_rx,int orig_len)4704 static void ieee80211_rx_8023(struct ieee80211_rx_data *rx,
4705 struct ieee80211_fast_rx *fast_rx,
4706 int orig_len)
4707 {
4708 struct ieee80211_sta_rx_stats *stats;
4709 struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(rx->skb);
4710 struct sta_info *sta = rx->sta;
4711 struct link_sta_info *link_sta;
4712 struct sk_buff *skb = rx->skb;
4713 void *sa = skb->data + ETH_ALEN;
4714 void *da = skb->data;
4715
4716 if (rx->link_id >= 0) {
4717 link_sta = rcu_dereference(sta->link[rx->link_id]);
4718 if (WARN_ON_ONCE(!link_sta)) {
4719 dev_kfree_skb(rx->skb);
4720 return;
4721 }
4722 } else {
4723 link_sta = &sta->deflink;
4724 }
4725
4726 stats = &link_sta->rx_stats;
4727 if (fast_rx->uses_rss)
4728 stats = this_cpu_ptr(link_sta->pcpu_rx_stats);
4729
4730 /* statistics part of ieee80211_rx_h_sta_process() */
4731 if (!(status->flag & RX_FLAG_NO_SIGNAL_VAL)) {
4732 stats->last_signal = status->signal;
4733 if (!fast_rx->uses_rss)
4734 ewma_signal_add(&link_sta->rx_stats_avg.signal,
4735 -status->signal);
4736 }
4737
4738 if (status->chains) {
4739 int i;
4740
4741 stats->chains = status->chains;
4742 for (i = 0; i < ARRAY_SIZE(status->chain_signal); i++) {
4743 int signal = status->chain_signal[i];
4744
4745 if (!(status->chains & BIT(i)))
4746 continue;
4747
4748 stats->chain_signal_last[i] = signal;
4749 if (!fast_rx->uses_rss)
4750 ewma_signal_add(&link_sta->rx_stats_avg.chain_signal[i],
4751 -signal);
4752 }
4753 }
4754 /* end of statistics */
4755
4756 stats->last_rx = jiffies;
4757 stats->last_rate = sta_stats_encode_rate(status);
4758
4759 stats->fragments++;
4760 stats->packets++;
4761
4762 skb->dev = fast_rx->dev;
4763
4764 dev_sw_netstats_rx_add(fast_rx->dev, skb->len);
4765
4766 /* The seqno index has the same property as needed
4767 * for the rx_msdu field, i.e. it is IEEE80211_NUM_TIDS
4768 * for non-QoS-data frames. Here we know it's a data
4769 * frame, so count MSDUs.
4770 */
4771 u64_stats_update_begin(&stats->syncp);
4772 stats->msdu[rx->seqno_idx]++;
4773 stats->bytes += orig_len;
4774 u64_stats_update_end(&stats->syncp);
4775
4776 if (fast_rx->internal_forward) {
4777 struct sk_buff *xmit_skb = NULL;
4778 if (is_multicast_ether_addr(da)) {
4779 xmit_skb = skb_copy(skb, GFP_ATOMIC);
4780 } else if (!ether_addr_equal(da, sa) &&
4781 sta_info_get(rx->sdata, da)) {
4782 xmit_skb = skb;
4783 skb = NULL;
4784 }
4785
4786 if (xmit_skb) {
4787 /*
4788 * Send to wireless media and increase priority by 256
4789 * to keep the received priority instead of
4790 * reclassifying the frame (see cfg80211_classify8021d).
4791 */
4792 xmit_skb->priority += 256;
4793 xmit_skb->protocol = htons(ETH_P_802_3);
4794 skb_reset_network_header(xmit_skb);
4795 skb_reset_mac_header(xmit_skb);
4796 dev_queue_xmit(xmit_skb);
4797 }
4798
4799 if (!skb)
4800 return;
4801 }
4802
4803 /* deliver to local stack */
4804 skb->protocol = eth_type_trans(skb, fast_rx->dev);
4805 ieee80211_deliver_skb_to_local_stack(skb, rx);
4806 }
4807
ieee80211_invoke_fast_rx(struct ieee80211_rx_data * rx,struct ieee80211_fast_rx * fast_rx)4808 static bool ieee80211_invoke_fast_rx(struct ieee80211_rx_data *rx,
4809 struct ieee80211_fast_rx *fast_rx)
4810 {
4811 struct sk_buff *skb = rx->skb;
4812 struct ieee80211_hdr *hdr = (void *)skb->data;
4813 struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(skb);
4814 static ieee80211_rx_result res;
4815 int orig_len = skb->len;
4816 int hdrlen = ieee80211_hdrlen(hdr->frame_control);
4817 int snap_offs = hdrlen;
4818 struct {
4819 u8 snap[sizeof(rfc1042_header)];
4820 __be16 proto;
4821 } *payload __aligned(2);
4822 struct {
4823 u8 da[ETH_ALEN];
4824 u8 sa[ETH_ALEN];
4825 } addrs __aligned(2);
4826 struct ieee80211_sta_rx_stats *stats;
4827
4828 /* for parallel-rx, we need to have DUP_VALIDATED, otherwise we write
4829 * to a common data structure; drivers can implement that per queue
4830 * but we don't have that information in mac80211
4831 */
4832 if (!(status->flag & RX_FLAG_DUP_VALIDATED))
4833 return false;
4834
4835 #define FAST_RX_CRYPT_FLAGS (RX_FLAG_PN_VALIDATED | RX_FLAG_DECRYPTED)
4836
4837 /* If using encryption, we also need to have:
4838 * - PN_VALIDATED: similar, but the implementation is tricky
4839 * - DECRYPTED: necessary for PN_VALIDATED
4840 */
4841 if (fast_rx->key &&
4842 (status->flag & FAST_RX_CRYPT_FLAGS) != FAST_RX_CRYPT_FLAGS)
4843 return false;
4844
4845 if (unlikely(!ieee80211_is_data_present(hdr->frame_control)))
4846 return false;
4847
4848 if (unlikely(ieee80211_is_frag(hdr)))
4849 return false;
4850
4851 /* Since our interface address cannot be multicast, this
4852 * implicitly also rejects multicast frames without the
4853 * explicit check.
4854 *
4855 * We shouldn't get any *data* frames not addressed to us
4856 * (AP mode will accept multicast *management* frames), but
4857 * punting here will make it go through the full checks in
4858 * ieee80211_accept_frame().
4859 */
4860 if (!ether_addr_equal(fast_rx->vif_addr, hdr->addr1))
4861 return false;
4862
4863 if ((hdr->frame_control & cpu_to_le16(IEEE80211_FCTL_FROMDS |
4864 IEEE80211_FCTL_TODS)) !=
4865 fast_rx->expected_ds_bits)
4866 return false;
4867
4868 /* assign the key to drop unencrypted frames (later)
4869 * and strip the IV/MIC if necessary
4870 */
4871 if (fast_rx->key && !(status->flag & RX_FLAG_IV_STRIPPED)) {
4872 /* GCMP header length is the same */
4873 snap_offs += IEEE80211_CCMP_HDR_LEN;
4874 }
4875
4876 if (!ieee80211_vif_is_mesh(&rx->sdata->vif) &&
4877 !(status->rx_flags & IEEE80211_RX_AMSDU)) {
4878 if (!pskb_may_pull(skb, snap_offs + sizeof(*payload)))
4879 return false;
4880
4881 payload = (void *)(skb->data + snap_offs);
4882
4883 if (!ether_addr_equal(payload->snap, fast_rx->rfc1042_hdr))
4884 return false;
4885
4886 /* Don't handle these here since they require special code.
4887 * Accept AARP and IPX even though they should come with a
4888 * bridge-tunnel header - but if we get them this way then
4889 * there's little point in discarding them.
4890 */
4891 if (unlikely(payload->proto == cpu_to_be16(ETH_P_TDLS) ||
4892 payload->proto == fast_rx->control_port_protocol))
4893 return false;
4894 }
4895
4896 /* after this point, don't punt to the slowpath! */
4897
4898 if (rx->key && !(status->flag & RX_FLAG_MIC_STRIPPED) &&
4899 pskb_trim(skb, skb->len - fast_rx->icv_len))
4900 goto drop;
4901
4902 if (rx->key && !ieee80211_has_protected(hdr->frame_control))
4903 goto drop;
4904
4905 if (status->rx_flags & IEEE80211_RX_AMSDU) {
4906 if (__ieee80211_rx_h_amsdu(rx, snap_offs - hdrlen) !=
4907 RX_QUEUED)
4908 goto drop;
4909
4910 return true;
4911 }
4912
4913 /* do the header conversion - first grab the addresses */
4914 ether_addr_copy(addrs.da, skb->data + fast_rx->da_offs);
4915 ether_addr_copy(addrs.sa, skb->data + fast_rx->sa_offs);
4916 if (ieee80211_vif_is_mesh(&rx->sdata->vif)) {
4917 skb_pull(skb, snap_offs - 2);
4918 put_unaligned_be16(skb->len - 2, skb->data);
4919 } else {
4920 skb_postpull_rcsum(skb, skb->data + snap_offs,
4921 sizeof(rfc1042_header) + 2);
4922
4923 /* remove the SNAP but leave the ethertype */
4924 skb_pull(skb, snap_offs + sizeof(rfc1042_header));
4925 }
4926 /* push the addresses in front */
4927 memcpy(skb_push(skb, sizeof(addrs)), &addrs, sizeof(addrs));
4928
4929 res = ieee80211_rx_mesh_data(rx->sdata, rx->sta, rx->skb);
4930 switch (res) {
4931 case RX_QUEUED:
4932 return true;
4933 case RX_CONTINUE:
4934 break;
4935 default:
4936 goto drop;
4937 }
4938
4939 ieee80211_rx_8023(rx, fast_rx, orig_len);
4940
4941 return true;
4942 drop:
4943 dev_kfree_skb(skb);
4944
4945 if (fast_rx->uses_rss)
4946 stats = this_cpu_ptr(rx->link_sta->pcpu_rx_stats);
4947 else
4948 stats = &rx->link_sta->rx_stats;
4949
4950 stats->dropped++;
4951 return true;
4952 }
4953
4954 /*
4955 * This function returns whether or not the SKB
4956 * was destined for RX processing or not, which,
4957 * if consume is true, is equivalent to whether
4958 * or not the skb was consumed.
4959 */
ieee80211_prepare_and_rx_handle(struct ieee80211_rx_data * rx,struct sk_buff * skb,bool consume)4960 static bool ieee80211_prepare_and_rx_handle(struct ieee80211_rx_data *rx,
4961 struct sk_buff *skb, bool consume)
4962 {
4963 struct ieee80211_local *local = rx->local;
4964 struct ieee80211_sub_if_data *sdata = rx->sdata;
4965 struct ieee80211_hdr *hdr = (void *)skb->data;
4966 struct link_sta_info *link_sta = rx->link_sta;
4967 struct ieee80211_link_data *link = rx->link;
4968
4969 rx->skb = skb;
4970
4971 /* See if we can do fast-rx; if we have to copy we already lost,
4972 * so punt in that case. We should never have to deliver a data
4973 * frame to multiple interfaces anyway.
4974 *
4975 * We skip the ieee80211_accept_frame() call and do the necessary
4976 * checking inside ieee80211_invoke_fast_rx().
4977 */
4978 if (consume && rx->sta) {
4979 struct ieee80211_fast_rx *fast_rx;
4980
4981 fast_rx = rcu_dereference(rx->sta->fast_rx);
4982 if (fast_rx && ieee80211_invoke_fast_rx(rx, fast_rx))
4983 return true;
4984 }
4985
4986 if (!ieee80211_accept_frame(rx))
4987 return false;
4988
4989 if (!consume) {
4990 struct skb_shared_hwtstamps *shwt;
4991
4992 rx->skb = skb_copy(skb, GFP_ATOMIC);
4993 if (!rx->skb) {
4994 if (net_ratelimit())
4995 wiphy_debug(local->hw.wiphy,
4996 "failed to copy skb for %s\n",
4997 sdata->name);
4998 return true;
4999 }
5000
5001 /* skb_copy() does not copy the hw timestamps, so copy it
5002 * explicitly
5003 */
5004 shwt = skb_hwtstamps(rx->skb);
5005 shwt->hwtstamp = skb_hwtstamps(skb)->hwtstamp;
5006
5007 /* Update the hdr pointer to the new skb for translation below */
5008 hdr = (struct ieee80211_hdr *)rx->skb->data;
5009 }
5010
5011 if (unlikely(rx->sta && rx->sta->sta.mlo) &&
5012 is_unicast_ether_addr(hdr->addr1) &&
5013 !ieee80211_is_probe_resp(hdr->frame_control) &&
5014 !ieee80211_is_beacon(hdr->frame_control)) {
5015 /* translate to MLD addresses */
5016 if (ether_addr_equal(link->conf->addr, hdr->addr1))
5017 ether_addr_copy(hdr->addr1, rx->sdata->vif.addr);
5018 if (ether_addr_equal(link_sta->addr, hdr->addr2))
5019 ether_addr_copy(hdr->addr2, rx->sta->addr);
5020 /* translate A3 only if it's the BSSID */
5021 if (!ieee80211_has_tods(hdr->frame_control) &&
5022 !ieee80211_has_fromds(hdr->frame_control)) {
5023 if (ether_addr_equal(link_sta->addr, hdr->addr3))
5024 ether_addr_copy(hdr->addr3, rx->sta->addr);
5025 else if (ether_addr_equal(link->conf->addr, hdr->addr3))
5026 ether_addr_copy(hdr->addr3, rx->sdata->vif.addr);
5027 }
5028 /* not needed for A4 since it can only carry the SA */
5029 }
5030
5031 ieee80211_invoke_rx_handlers(rx);
5032 return true;
5033 }
5034
__ieee80211_rx_handle_8023(struct ieee80211_hw * hw,struct ieee80211_sta * pubsta,struct sk_buff * skb,struct list_head * list)5035 static void __ieee80211_rx_handle_8023(struct ieee80211_hw *hw,
5036 struct ieee80211_sta *pubsta,
5037 struct sk_buff *skb,
5038 struct list_head *list)
5039 {
5040 struct ieee80211_local *local = hw_to_local(hw);
5041 struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(skb);
5042 struct ieee80211_fast_rx *fast_rx;
5043 struct ieee80211_rx_data rx;
5044 struct sta_info *sta;
5045 int link_id = -1;
5046
5047 memset(&rx, 0, sizeof(rx));
5048 rx.skb = skb;
5049 rx.local = local;
5050 rx.list = list;
5051 rx.link_id = -1;
5052
5053 I802_DEBUG_INC(local->dot11ReceivedFragmentCount);
5054
5055 /* drop frame if too short for header */
5056 if (skb->len < sizeof(struct ethhdr))
5057 goto drop;
5058
5059 if (!pubsta)
5060 goto drop;
5061
5062 if (status->link_valid)
5063 link_id = status->link_id;
5064
5065 /*
5066 * TODO: Should the frame be dropped if the right link_id is not
5067 * available? Or may be it is fine in the current form to proceed with
5068 * the frame processing because with frame being in 802.3 format,
5069 * link_id is used only for stats purpose and updating the stats on
5070 * the deflink is fine?
5071 */
5072 sta = container_of(pubsta, struct sta_info, sta);
5073 if (!ieee80211_rx_data_set_sta(&rx, sta, link_id))
5074 goto drop;
5075
5076 fast_rx = rcu_dereference(rx.sta->fast_rx);
5077 if (!fast_rx)
5078 goto drop;
5079
5080 ieee80211_rx_8023(&rx, fast_rx, skb->len);
5081 return;
5082
5083 drop:
5084 dev_kfree_skb(skb);
5085 }
5086
ieee80211_rx_for_interface(struct ieee80211_rx_data * rx,struct sk_buff * skb,bool consume)5087 static bool ieee80211_rx_for_interface(struct ieee80211_rx_data *rx,
5088 struct sk_buff *skb, bool consume)
5089 {
5090 struct link_sta_info *link_sta;
5091 struct ieee80211_hdr *hdr = (void *)skb->data;
5092 struct sta_info *sta;
5093 int link_id = -1;
5094
5095 /*
5096 * Look up link station first, in case there's a
5097 * chance that they might have a link address that
5098 * is identical to the MLD address, that way we'll
5099 * have the link information if needed.
5100 */
5101 link_sta = link_sta_info_get_bss(rx->sdata, hdr->addr2);
5102 if (link_sta) {
5103 sta = link_sta->sta;
5104 link_id = link_sta->link_id;
5105 } else {
5106 struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(skb);
5107
5108 sta = sta_info_get_bss(rx->sdata, hdr->addr2);
5109 if (status->link_valid) {
5110 link_id = status->link_id;
5111 } else if (ieee80211_vif_is_mld(&rx->sdata->vif) &&
5112 status->freq) {
5113 struct ieee80211_link_data *link;
5114 struct ieee80211_chanctx_conf *conf;
5115
5116 for_each_link_data_rcu(rx->sdata, link) {
5117 conf = rcu_dereference(link->conf->chanctx_conf);
5118 if (!conf || !conf->def.chan)
5119 continue;
5120
5121 if (status->freq == conf->def.chan->center_freq) {
5122 link_id = link->link_id;
5123 break;
5124 }
5125 }
5126 }
5127 }
5128
5129 if (!ieee80211_rx_data_set_sta(rx, sta, link_id))
5130 return false;
5131
5132 return ieee80211_prepare_and_rx_handle(rx, skb, consume);
5133 }
5134
5135 /*
5136 * This is the actual Rx frames handler. as it belongs to Rx path it must
5137 * be called with rcu_read_lock protection.
5138 */
__ieee80211_rx_handle_packet(struct ieee80211_hw * hw,struct ieee80211_sta * pubsta,struct sk_buff * skb,struct list_head * list)5139 static void __ieee80211_rx_handle_packet(struct ieee80211_hw *hw,
5140 struct ieee80211_sta *pubsta,
5141 struct sk_buff *skb,
5142 struct list_head *list)
5143 {
5144 struct ieee80211_local *local = hw_to_local(hw);
5145 struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(skb);
5146 struct ieee80211_sub_if_data *sdata;
5147 struct ieee80211_hdr *hdr;
5148 __le16 fc;
5149 struct ieee80211_rx_data rx;
5150 struct ieee80211_sub_if_data *prev;
5151 struct rhlist_head *tmp;
5152 int err = 0;
5153
5154 fc = ((struct ieee80211_hdr *)skb->data)->frame_control;
5155 memset(&rx, 0, sizeof(rx));
5156 rx.skb = skb;
5157 rx.local = local;
5158 rx.list = list;
5159 rx.link_id = -1;
5160
5161 if (ieee80211_is_data(fc) || ieee80211_is_mgmt(fc))
5162 I802_DEBUG_INC(local->dot11ReceivedFragmentCount);
5163
5164 if (ieee80211_is_mgmt(fc)) {
5165 /* drop frame if too short for header */
5166 if (skb->len < ieee80211_hdrlen(fc))
5167 err = -ENOBUFS;
5168 else
5169 err = skb_linearize(skb);
5170 } else {
5171 err = !pskb_may_pull(skb, ieee80211_hdrlen(fc));
5172 }
5173
5174 if (err) {
5175 dev_kfree_skb(skb);
5176 return;
5177 }
5178
5179 hdr = (struct ieee80211_hdr *)skb->data;
5180 ieee80211_parse_qos(&rx);
5181 ieee80211_verify_alignment(&rx);
5182
5183 if (unlikely(ieee80211_is_probe_resp(hdr->frame_control) ||
5184 ieee80211_is_beacon(hdr->frame_control) ||
5185 ieee80211_is_s1g_beacon(hdr->frame_control)))
5186 ieee80211_scan_rx(local, skb);
5187
5188 if (ieee80211_is_data(fc)) {
5189 struct sta_info *sta, *prev_sta;
5190 int link_id = -1;
5191
5192 if (status->link_valid)
5193 link_id = status->link_id;
5194
5195 if (pubsta) {
5196 sta = container_of(pubsta, struct sta_info, sta);
5197 if (!ieee80211_rx_data_set_sta(&rx, sta, link_id))
5198 goto out;
5199
5200 /*
5201 * In MLO connection, fetch the link_id using addr2
5202 * when the driver does not pass link_id in status.
5203 * When the address translation is already performed by
5204 * driver/hw, the valid link_id must be passed in
5205 * status.
5206 */
5207
5208 if (!status->link_valid && pubsta->mlo) {
5209 struct link_sta_info *link_sta;
5210
5211 link_sta = link_sta_info_get_bss(rx.sdata,
5212 hdr->addr2);
5213 if (!link_sta)
5214 goto out;
5215
5216 ieee80211_rx_data_set_link(&rx, link_sta->link_id);
5217 }
5218
5219 if (ieee80211_prepare_and_rx_handle(&rx, skb, true))
5220 return;
5221 goto out;
5222 }
5223
5224 prev_sta = NULL;
5225
5226 for_each_sta_info(local, hdr->addr2, sta, tmp) {
5227 if (!prev_sta) {
5228 prev_sta = sta;
5229 continue;
5230 }
5231
5232 rx.sdata = prev_sta->sdata;
5233 if (!ieee80211_rx_data_set_sta(&rx, prev_sta, link_id))
5234 goto out;
5235
5236 if (!status->link_valid && prev_sta->sta.mlo)
5237 continue;
5238
5239 ieee80211_prepare_and_rx_handle(&rx, skb, false);
5240
5241 prev_sta = sta;
5242 }
5243
5244 if (prev_sta) {
5245 rx.sdata = prev_sta->sdata;
5246 if (!ieee80211_rx_data_set_sta(&rx, prev_sta, link_id))
5247 goto out;
5248
5249 if (!status->link_valid && prev_sta->sta.mlo)
5250 goto out;
5251
5252 if (ieee80211_prepare_and_rx_handle(&rx, skb, true))
5253 return;
5254 goto out;
5255 }
5256 }
5257
5258 prev = NULL;
5259
5260 list_for_each_entry_rcu(sdata, &local->interfaces, list) {
5261 if (!ieee80211_sdata_running(sdata))
5262 continue;
5263
5264 if (sdata->vif.type == NL80211_IFTYPE_MONITOR ||
5265 sdata->vif.type == NL80211_IFTYPE_AP_VLAN)
5266 continue;
5267
5268 /*
5269 * frame is destined for this interface, but if it's
5270 * not also for the previous one we handle that after
5271 * the loop to avoid copying the SKB once too much
5272 */
5273
5274 if (!prev) {
5275 prev = sdata;
5276 continue;
5277 }
5278
5279 rx.sdata = prev;
5280 ieee80211_rx_for_interface(&rx, skb, false);
5281
5282 prev = sdata;
5283 }
5284
5285 if (prev) {
5286 rx.sdata = prev;
5287
5288 if (ieee80211_rx_for_interface(&rx, skb, true))
5289 return;
5290 }
5291
5292 out:
5293 dev_kfree_skb(skb);
5294 }
5295
5296 /*
5297 * This is the receive path handler. It is called by a low level driver when an
5298 * 802.11 MPDU is received from the hardware.
5299 */
ieee80211_rx_list(struct ieee80211_hw * hw,struct ieee80211_sta * pubsta,struct sk_buff * skb,struct list_head * list)5300 void ieee80211_rx_list(struct ieee80211_hw *hw, struct ieee80211_sta *pubsta,
5301 struct sk_buff *skb, struct list_head *list)
5302 {
5303 struct ieee80211_local *local = hw_to_local(hw);
5304 struct ieee80211_rate *rate = NULL;
5305 struct ieee80211_supported_band *sband;
5306 struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(skb);
5307 struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)skb->data;
5308
5309 WARN_ON_ONCE(softirq_count() == 0);
5310
5311 if (WARN_ON(status->band >= NUM_NL80211_BANDS))
5312 goto drop;
5313
5314 sband = local->hw.wiphy->bands[status->band];
5315 if (WARN_ON(!sband))
5316 goto drop;
5317
5318 /*
5319 * If we're suspending, it is possible although not too likely
5320 * that we'd be receiving frames after having already partially
5321 * quiesced the stack. We can't process such frames then since
5322 * that might, for example, cause stations to be added or other
5323 * driver callbacks be invoked.
5324 */
5325 if (unlikely(local->quiescing || local->suspended))
5326 goto drop;
5327
5328 /* We might be during a HW reconfig, prevent Rx for the same reason */
5329 if (unlikely(local->in_reconfig))
5330 goto drop;
5331
5332 /*
5333 * The same happens when we're not even started,
5334 * but that's worth a warning.
5335 */
5336 if (WARN_ON(!local->started))
5337 goto drop;
5338
5339 if (likely(!(status->flag & RX_FLAG_FAILED_PLCP_CRC))) {
5340 /*
5341 * Validate the rate, unless a PLCP error means that
5342 * we probably can't have a valid rate here anyway.
5343 */
5344
5345 switch (status->encoding) {
5346 case RX_ENC_HT:
5347 /*
5348 * rate_idx is MCS index, which can be [0-76]
5349 * as documented on:
5350 *
5351 * https://wireless.wiki.kernel.org/en/developers/Documentation/ieee80211/802.11n
5352 *
5353 * Anything else would be some sort of driver or
5354 * hardware error. The driver should catch hardware
5355 * errors.
5356 */
5357 if (WARN(status->rate_idx > 76,
5358 "Rate marked as an HT rate but passed "
5359 "status->rate_idx is not "
5360 "an MCS index [0-76]: %d (0x%02x)\n",
5361 status->rate_idx,
5362 status->rate_idx))
5363 goto drop;
5364 break;
5365 case RX_ENC_VHT:
5366 if (WARN_ONCE(status->rate_idx > 11 ||
5367 !status->nss ||
5368 status->nss > 8,
5369 "Rate marked as a VHT rate but data is invalid: MCS: %d, NSS: %d\n",
5370 status->rate_idx, status->nss))
5371 goto drop;
5372 break;
5373 case RX_ENC_HE:
5374 if (WARN_ONCE(status->rate_idx > 11 ||
5375 !status->nss ||
5376 status->nss > 8,
5377 "Rate marked as an HE rate but data is invalid: MCS: %d, NSS: %d\n",
5378 status->rate_idx, status->nss))
5379 goto drop;
5380 break;
5381 case RX_ENC_EHT:
5382 if (WARN_ONCE(status->rate_idx > 15 ||
5383 !status->nss ||
5384 status->nss > 8 ||
5385 status->eht.gi > NL80211_RATE_INFO_EHT_GI_3_2,
5386 "Rate marked as an EHT rate but data is invalid: MCS:%d, NSS:%d, GI:%d\n",
5387 status->rate_idx, status->nss, status->eht.gi))
5388 goto drop;
5389 break;
5390 default:
5391 WARN_ON_ONCE(1);
5392 fallthrough;
5393 case RX_ENC_LEGACY:
5394 if (WARN_ON(status->rate_idx >= sband->n_bitrates))
5395 goto drop;
5396 rate = &sband->bitrates[status->rate_idx];
5397 }
5398 }
5399
5400 if (WARN_ON_ONCE(status->link_id >= IEEE80211_LINK_UNSPECIFIED))
5401 goto drop;
5402
5403 status->rx_flags = 0;
5404
5405 kcov_remote_start_common(skb_get_kcov_handle(skb));
5406
5407 /*
5408 * Frames with failed FCS/PLCP checksum are not returned,
5409 * all other frames are returned without radiotap header
5410 * if it was previously present.
5411 * Also, frames with less than 16 bytes are dropped.
5412 */
5413 if (!(status->flag & RX_FLAG_8023))
5414 skb = ieee80211_rx_monitor(local, skb, rate);
5415 if (skb) {
5416 if ((status->flag & RX_FLAG_8023) ||
5417 ieee80211_is_data_present(hdr->frame_control))
5418 ieee80211_tpt_led_trig_rx(local, skb->len);
5419
5420 if (status->flag & RX_FLAG_8023)
5421 __ieee80211_rx_handle_8023(hw, pubsta, skb, list);
5422 else
5423 __ieee80211_rx_handle_packet(hw, pubsta, skb, list);
5424 }
5425
5426 kcov_remote_stop();
5427 return;
5428 drop:
5429 kfree_skb(skb);
5430 }
5431 EXPORT_SYMBOL(ieee80211_rx_list);
5432
ieee80211_rx_napi(struct ieee80211_hw * hw,struct ieee80211_sta * pubsta,struct sk_buff * skb,struct napi_struct * napi)5433 void ieee80211_rx_napi(struct ieee80211_hw *hw, struct ieee80211_sta *pubsta,
5434 struct sk_buff *skb, struct napi_struct *napi)
5435 {
5436 struct sk_buff *tmp;
5437 LIST_HEAD(list);
5438
5439
5440 /*
5441 * key references and virtual interfaces are protected using RCU
5442 * and this requires that we are in a read-side RCU section during
5443 * receive processing
5444 */
5445 rcu_read_lock();
5446 ieee80211_rx_list(hw, pubsta, skb, &list);
5447 rcu_read_unlock();
5448
5449 if (!napi) {
5450 netif_receive_skb_list(&list);
5451 return;
5452 }
5453
5454 list_for_each_entry_safe(skb, tmp, &list, list) {
5455 skb_list_del_init(skb);
5456 napi_gro_receive(napi, skb);
5457 }
5458 }
5459 EXPORT_SYMBOL(ieee80211_rx_napi);
5460
5461 /* This is a version of the rx handler that can be called from hard irq
5462 * context. Post the skb on the queue and schedule the tasklet */
ieee80211_rx_irqsafe(struct ieee80211_hw * hw,struct sk_buff * skb)5463 void ieee80211_rx_irqsafe(struct ieee80211_hw *hw, struct sk_buff *skb)
5464 {
5465 struct ieee80211_local *local = hw_to_local(hw);
5466
5467 BUILD_BUG_ON(sizeof(struct ieee80211_rx_status) > sizeof(skb->cb));
5468
5469 skb->pkt_type = IEEE80211_RX_MSG;
5470 skb_queue_tail(&local->skb_queue, skb);
5471 tasklet_schedule(&local->tasklet);
5472 }
5473 EXPORT_SYMBOL(ieee80211_rx_irqsafe);
5474