1 /* 2 * Copyright 2002-2005, Instant802 Networks, Inc. 3 * Copyright 2005-2006, Devicescape Software, Inc. 4 * Copyright 2006-2007 Jiri Benc <jbenc@suse.cz> 5 * Copyright 2007-2010 Johannes Berg <johannes@sipsolutions.net> 6 * 7 * This program is free software; you can redistribute it and/or modify 8 * it under the terms of the GNU General Public License version 2 as 9 * published by the Free Software Foundation. 10 */ 11 12 #include <linux/jiffies.h> 13 #include <linux/slab.h> 14 #include <linux/kernel.h> 15 #include <linux/skbuff.h> 16 #include <linux/netdevice.h> 17 #include <linux/etherdevice.h> 18 #include <linux/rcupdate.h> 19 #include <linux/export.h> 20 #include <net/mac80211.h> 21 #include <net/ieee80211_radiotap.h> 22 23 #include "ieee80211_i.h" 24 #include "driver-ops.h" 25 #include "led.h" 26 #include "mesh.h" 27 #include "wep.h" 28 #include "wpa.h" 29 #include "tkip.h" 30 #include "wme.h" 31 32 /* 33 * monitor mode reception 34 * 35 * This function cleans up the SKB, i.e. it removes all the stuff 36 * only useful for monitoring. 37 */ 38 static struct sk_buff *remove_monitor_info(struct ieee80211_local *local, 39 struct sk_buff *skb) 40 { 41 if (local->hw.flags & IEEE80211_HW_RX_INCLUDES_FCS) { 42 if (likely(skb->len > FCS_LEN)) 43 __pskb_trim(skb, skb->len - FCS_LEN); 44 else { 45 /* driver bug */ 46 WARN_ON(1); 47 dev_kfree_skb(skb); 48 skb = NULL; 49 } 50 } 51 52 return skb; 53 } 54 55 static inline int should_drop_frame(struct sk_buff *skb, 56 int present_fcs_len) 57 { 58 struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(skb); 59 struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)skb->data; 60 61 if (status->flag & (RX_FLAG_FAILED_FCS_CRC | RX_FLAG_FAILED_PLCP_CRC)) 62 return 1; 63 if (unlikely(skb->len < 16 + present_fcs_len)) 64 return 1; 65 if (ieee80211_is_ctl(hdr->frame_control) && 66 !ieee80211_is_pspoll(hdr->frame_control) && 67 !ieee80211_is_back_req(hdr->frame_control)) 68 return 1; 69 return 0; 70 } 71 72 static int 73 ieee80211_rx_radiotap_len(struct ieee80211_local *local, 74 struct ieee80211_rx_status *status) 75 { 76 int len; 77 78 /* always present fields */ 79 len = sizeof(struct ieee80211_radiotap_header) + 9; 80 81 if (status->flag & RX_FLAG_MACTIME_MPDU) 82 len += 8; 83 if (local->hw.flags & IEEE80211_HW_SIGNAL_DBM) 84 len += 1; 85 86 if (len & 1) /* padding for RX_FLAGS if necessary */ 87 len++; 88 89 if (status->flag & RX_FLAG_HT) /* HT info */ 90 len += 3; 91 92 return len; 93 } 94 95 /* 96 * ieee80211_add_rx_radiotap_header - add radiotap header 97 * 98 * add a radiotap header containing all the fields which the hardware provided. 99 */ 100 static void 101 ieee80211_add_rx_radiotap_header(struct ieee80211_local *local, 102 struct sk_buff *skb, 103 struct ieee80211_rate *rate, 104 int rtap_len) 105 { 106 struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(skb); 107 struct ieee80211_radiotap_header *rthdr; 108 unsigned char *pos; 109 u16 rx_flags = 0; 110 111 rthdr = (struct ieee80211_radiotap_header *)skb_push(skb, rtap_len); 112 memset(rthdr, 0, rtap_len); 113 114 /* radiotap header, set always present flags */ 115 rthdr->it_present = 116 cpu_to_le32((1 << IEEE80211_RADIOTAP_FLAGS) | 117 (1 << IEEE80211_RADIOTAP_CHANNEL) | 118 (1 << IEEE80211_RADIOTAP_ANTENNA) | 119 (1 << IEEE80211_RADIOTAP_RX_FLAGS)); 120 rthdr->it_len = cpu_to_le16(rtap_len); 121 122 pos = (unsigned char *)(rthdr+1); 123 124 /* the order of the following fields is important */ 125 126 /* IEEE80211_RADIOTAP_TSFT */ 127 if (status->flag & RX_FLAG_MACTIME_MPDU) { 128 put_unaligned_le64(status->mactime, pos); 129 rthdr->it_present |= 130 cpu_to_le32(1 << IEEE80211_RADIOTAP_TSFT); 131 pos += 8; 132 } 133 134 /* IEEE80211_RADIOTAP_FLAGS */ 135 if (local->hw.flags & IEEE80211_HW_RX_INCLUDES_FCS) 136 *pos |= IEEE80211_RADIOTAP_F_FCS; 137 if (status->flag & (RX_FLAG_FAILED_FCS_CRC | RX_FLAG_FAILED_PLCP_CRC)) 138 *pos |= IEEE80211_RADIOTAP_F_BADFCS; 139 if (status->flag & RX_FLAG_SHORTPRE) 140 *pos |= IEEE80211_RADIOTAP_F_SHORTPRE; 141 pos++; 142 143 /* IEEE80211_RADIOTAP_RATE */ 144 if (!rate || status->flag & RX_FLAG_HT) { 145 /* 146 * Without rate information don't add it. If we have, 147 * MCS information is a separate field in radiotap, 148 * added below. The byte here is needed as padding 149 * for the channel though, so initialise it to 0. 150 */ 151 *pos = 0; 152 } else { 153 rthdr->it_present |= cpu_to_le32(1 << IEEE80211_RADIOTAP_RATE); 154 *pos = rate->bitrate / 5; 155 } 156 pos++; 157 158 /* IEEE80211_RADIOTAP_CHANNEL */ 159 put_unaligned_le16(status->freq, pos); 160 pos += 2; 161 if (status->band == IEEE80211_BAND_5GHZ) 162 put_unaligned_le16(IEEE80211_CHAN_OFDM | IEEE80211_CHAN_5GHZ, 163 pos); 164 else if (status->flag & RX_FLAG_HT) 165 put_unaligned_le16(IEEE80211_CHAN_DYN | IEEE80211_CHAN_2GHZ, 166 pos); 167 else if (rate && rate->flags & IEEE80211_RATE_ERP_G) 168 put_unaligned_le16(IEEE80211_CHAN_OFDM | IEEE80211_CHAN_2GHZ, 169 pos); 170 else if (rate) 171 put_unaligned_le16(IEEE80211_CHAN_CCK | IEEE80211_CHAN_2GHZ, 172 pos); 173 else 174 put_unaligned_le16(IEEE80211_CHAN_2GHZ, pos); 175 pos += 2; 176 177 /* IEEE80211_RADIOTAP_DBM_ANTSIGNAL */ 178 if (local->hw.flags & IEEE80211_HW_SIGNAL_DBM) { 179 *pos = status->signal; 180 rthdr->it_present |= 181 cpu_to_le32(1 << IEEE80211_RADIOTAP_DBM_ANTSIGNAL); 182 pos++; 183 } 184 185 /* IEEE80211_RADIOTAP_LOCK_QUALITY is missing */ 186 187 /* IEEE80211_RADIOTAP_ANTENNA */ 188 *pos = status->antenna; 189 pos++; 190 191 /* IEEE80211_RADIOTAP_DB_ANTNOISE is not used */ 192 193 /* IEEE80211_RADIOTAP_RX_FLAGS */ 194 /* ensure 2 byte alignment for the 2 byte field as required */ 195 if ((pos - (u8 *)rthdr) & 1) 196 pos++; 197 if (status->flag & RX_FLAG_FAILED_PLCP_CRC) 198 rx_flags |= IEEE80211_RADIOTAP_F_RX_BADPLCP; 199 put_unaligned_le16(rx_flags, pos); 200 pos += 2; 201 202 if (status->flag & RX_FLAG_HT) { 203 rthdr->it_present |= cpu_to_le32(1 << IEEE80211_RADIOTAP_MCS); 204 *pos++ = IEEE80211_RADIOTAP_MCS_HAVE_MCS | 205 IEEE80211_RADIOTAP_MCS_HAVE_GI | 206 IEEE80211_RADIOTAP_MCS_HAVE_BW; 207 *pos = 0; 208 if (status->flag & RX_FLAG_SHORT_GI) 209 *pos |= IEEE80211_RADIOTAP_MCS_SGI; 210 if (status->flag & RX_FLAG_40MHZ) 211 *pos |= IEEE80211_RADIOTAP_MCS_BW_40; 212 pos++; 213 *pos++ = status->rate_idx; 214 } 215 } 216 217 /* 218 * This function copies a received frame to all monitor interfaces and 219 * returns a cleaned-up SKB that no longer includes the FCS nor the 220 * radiotap header the driver might have added. 221 */ 222 static struct sk_buff * 223 ieee80211_rx_monitor(struct ieee80211_local *local, struct sk_buff *origskb, 224 struct ieee80211_rate *rate) 225 { 226 struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(origskb); 227 struct ieee80211_sub_if_data *sdata; 228 int needed_headroom = 0; 229 struct sk_buff *skb, *skb2; 230 struct net_device *prev_dev = NULL; 231 int present_fcs_len = 0; 232 233 /* 234 * First, we may need to make a copy of the skb because 235 * (1) we need to modify it for radiotap (if not present), and 236 * (2) the other RX handlers will modify the skb we got. 237 * 238 * We don't need to, of course, if we aren't going to return 239 * the SKB because it has a bad FCS/PLCP checksum. 240 */ 241 242 /* room for the radiotap header based on driver features */ 243 needed_headroom = ieee80211_rx_radiotap_len(local, status); 244 245 if (local->hw.flags & IEEE80211_HW_RX_INCLUDES_FCS) 246 present_fcs_len = FCS_LEN; 247 248 /* make sure hdr->frame_control is on the linear part */ 249 if (!pskb_may_pull(origskb, 2)) { 250 dev_kfree_skb(origskb); 251 return NULL; 252 } 253 254 if (!local->monitors) { 255 if (should_drop_frame(origskb, present_fcs_len)) { 256 dev_kfree_skb(origskb); 257 return NULL; 258 } 259 260 return remove_monitor_info(local, origskb); 261 } 262 263 if (should_drop_frame(origskb, present_fcs_len)) { 264 /* only need to expand headroom if necessary */ 265 skb = origskb; 266 origskb = NULL; 267 268 /* 269 * This shouldn't trigger often because most devices have an 270 * RX header they pull before we get here, and that should 271 * be big enough for our radiotap information. We should 272 * probably export the length to drivers so that we can have 273 * them allocate enough headroom to start with. 274 */ 275 if (skb_headroom(skb) < needed_headroom && 276 pskb_expand_head(skb, needed_headroom, 0, GFP_ATOMIC)) { 277 dev_kfree_skb(skb); 278 return NULL; 279 } 280 } else { 281 /* 282 * Need to make a copy and possibly remove radiotap header 283 * and FCS from the original. 284 */ 285 skb = skb_copy_expand(origskb, needed_headroom, 0, GFP_ATOMIC); 286 287 origskb = remove_monitor_info(local, origskb); 288 289 if (!skb) 290 return origskb; 291 } 292 293 /* prepend radiotap information */ 294 ieee80211_add_rx_radiotap_header(local, skb, rate, needed_headroom); 295 296 skb_reset_mac_header(skb); 297 skb->ip_summed = CHECKSUM_UNNECESSARY; 298 skb->pkt_type = PACKET_OTHERHOST; 299 skb->protocol = htons(ETH_P_802_2); 300 301 list_for_each_entry_rcu(sdata, &local->interfaces, list) { 302 if (sdata->vif.type != NL80211_IFTYPE_MONITOR) 303 continue; 304 305 if (sdata->u.mntr_flags & MONITOR_FLAG_COOK_FRAMES) 306 continue; 307 308 if (!ieee80211_sdata_running(sdata)) 309 continue; 310 311 if (prev_dev) { 312 skb2 = skb_clone(skb, GFP_ATOMIC); 313 if (skb2) { 314 skb2->dev = prev_dev; 315 netif_receive_skb(skb2); 316 } 317 } 318 319 prev_dev = sdata->dev; 320 sdata->dev->stats.rx_packets++; 321 sdata->dev->stats.rx_bytes += skb->len; 322 } 323 324 if (prev_dev) { 325 skb->dev = prev_dev; 326 netif_receive_skb(skb); 327 } else 328 dev_kfree_skb(skb); 329 330 return origskb; 331 } 332 333 334 static void ieee80211_parse_qos(struct ieee80211_rx_data *rx) 335 { 336 struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)rx->skb->data; 337 struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(rx->skb); 338 int tid, seqno_idx, security_idx; 339 340 /* does the frame have a qos control field? */ 341 if (ieee80211_is_data_qos(hdr->frame_control)) { 342 u8 *qc = ieee80211_get_qos_ctl(hdr); 343 /* frame has qos control */ 344 tid = *qc & IEEE80211_QOS_CTL_TID_MASK; 345 if (*qc & IEEE80211_QOS_CTL_A_MSDU_PRESENT) 346 status->rx_flags |= IEEE80211_RX_AMSDU; 347 348 seqno_idx = tid; 349 security_idx = tid; 350 } else { 351 /* 352 * IEEE 802.11-2007, 7.1.3.4.1 ("Sequence Number field"): 353 * 354 * Sequence numbers for management frames, QoS data 355 * frames with a broadcast/multicast address in the 356 * Address 1 field, and all non-QoS data frames sent 357 * by QoS STAs are assigned using an additional single 358 * modulo-4096 counter, [...] 359 * 360 * We also use that counter for non-QoS STAs. 361 */ 362 seqno_idx = NUM_RX_DATA_QUEUES; 363 security_idx = 0; 364 if (ieee80211_is_mgmt(hdr->frame_control)) 365 security_idx = NUM_RX_DATA_QUEUES; 366 tid = 0; 367 } 368 369 rx->seqno_idx = seqno_idx; 370 rx->security_idx = security_idx; 371 /* Set skb->priority to 1d tag if highest order bit of TID is not set. 372 * For now, set skb->priority to 0 for other cases. */ 373 rx->skb->priority = (tid > 7) ? 0 : tid; 374 } 375 376 /** 377 * DOC: Packet alignment 378 * 379 * Drivers always need to pass packets that are aligned to two-byte boundaries 380 * to the stack. 381 * 382 * Additionally, should, if possible, align the payload data in a way that 383 * guarantees that the contained IP header is aligned to a four-byte 384 * boundary. In the case of regular frames, this simply means aligning the 385 * payload to a four-byte boundary (because either the IP header is directly 386 * contained, or IV/RFC1042 headers that have a length divisible by four are 387 * in front of it). If the payload data is not properly aligned and the 388 * architecture doesn't support efficient unaligned operations, mac80211 389 * will align the data. 390 * 391 * With A-MSDU frames, however, the payload data address must yield two modulo 392 * four because there are 14-byte 802.3 headers within the A-MSDU frames that 393 * push the IP header further back to a multiple of four again. Thankfully, the 394 * specs were sane enough this time around to require padding each A-MSDU 395 * subframe to a length that is a multiple of four. 396 * 397 * Padding like Atheros hardware adds which is between the 802.11 header and 398 * the payload is not supported, the driver is required to move the 802.11 399 * header to be directly in front of the payload in that case. 400 */ 401 static void ieee80211_verify_alignment(struct ieee80211_rx_data *rx) 402 { 403 #ifdef CONFIG_MAC80211_VERBOSE_DEBUG 404 WARN_ONCE((unsigned long)rx->skb->data & 1, 405 "unaligned packet at 0x%p\n", rx->skb->data); 406 #endif 407 } 408 409 410 /* rx handlers */ 411 412 static ieee80211_rx_result debug_noinline 413 ieee80211_rx_h_passive_scan(struct ieee80211_rx_data *rx) 414 { 415 struct ieee80211_local *local = rx->local; 416 struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(rx->skb); 417 struct sk_buff *skb = rx->skb; 418 419 if (likely(!(status->rx_flags & IEEE80211_RX_IN_SCAN) && 420 !local->sched_scanning)) 421 return RX_CONTINUE; 422 423 if (test_bit(SCAN_HW_SCANNING, &local->scanning) || 424 test_bit(SCAN_SW_SCANNING, &local->scanning) || 425 local->sched_scanning) 426 return ieee80211_scan_rx(rx->sdata, skb); 427 428 /* scanning finished during invoking of handlers */ 429 I802_DEBUG_INC(local->rx_handlers_drop_passive_scan); 430 return RX_DROP_UNUSABLE; 431 } 432 433 434 static int ieee80211_is_unicast_robust_mgmt_frame(struct sk_buff *skb) 435 { 436 struct ieee80211_hdr *hdr = (struct ieee80211_hdr *) skb->data; 437 438 if (skb->len < 24 || is_multicast_ether_addr(hdr->addr1)) 439 return 0; 440 441 return ieee80211_is_robust_mgmt_frame(hdr); 442 } 443 444 445 static int ieee80211_is_multicast_robust_mgmt_frame(struct sk_buff *skb) 446 { 447 struct ieee80211_hdr *hdr = (struct ieee80211_hdr *) skb->data; 448 449 if (skb->len < 24 || !is_multicast_ether_addr(hdr->addr1)) 450 return 0; 451 452 return ieee80211_is_robust_mgmt_frame(hdr); 453 } 454 455 456 /* Get the BIP key index from MMIE; return -1 if this is not a BIP frame */ 457 static int ieee80211_get_mmie_keyidx(struct sk_buff *skb) 458 { 459 struct ieee80211_mgmt *hdr = (struct ieee80211_mgmt *) skb->data; 460 struct ieee80211_mmie *mmie; 461 462 if (skb->len < 24 + sizeof(*mmie) || 463 !is_multicast_ether_addr(hdr->da)) 464 return -1; 465 466 if (!ieee80211_is_robust_mgmt_frame((struct ieee80211_hdr *) hdr)) 467 return -1; /* not a robust management frame */ 468 469 mmie = (struct ieee80211_mmie *) 470 (skb->data + skb->len - sizeof(*mmie)); 471 if (mmie->element_id != WLAN_EID_MMIE || 472 mmie->length != sizeof(*mmie) - 2) 473 return -1; 474 475 return le16_to_cpu(mmie->key_id); 476 } 477 478 479 static ieee80211_rx_result 480 ieee80211_rx_mesh_check(struct ieee80211_rx_data *rx) 481 { 482 struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)rx->skb->data; 483 char *dev_addr = rx->sdata->vif.addr; 484 485 if (ieee80211_is_data(hdr->frame_control)) { 486 if (is_multicast_ether_addr(hdr->addr1)) { 487 if (ieee80211_has_tods(hdr->frame_control) || 488 !ieee80211_has_fromds(hdr->frame_control)) 489 return RX_DROP_MONITOR; 490 if (memcmp(hdr->addr3, dev_addr, ETH_ALEN) == 0) 491 return RX_DROP_MONITOR; 492 } else { 493 if (!ieee80211_has_a4(hdr->frame_control)) 494 return RX_DROP_MONITOR; 495 if (memcmp(hdr->addr4, dev_addr, ETH_ALEN) == 0) 496 return RX_DROP_MONITOR; 497 } 498 } 499 500 /* If there is not an established peer link and this is not a peer link 501 * establisment frame, beacon or probe, drop the frame. 502 */ 503 504 if (!rx->sta || sta_plink_state(rx->sta) != NL80211_PLINK_ESTAB) { 505 struct ieee80211_mgmt *mgmt; 506 507 if (!ieee80211_is_mgmt(hdr->frame_control)) 508 return RX_DROP_MONITOR; 509 510 if (ieee80211_is_action(hdr->frame_control)) { 511 u8 category; 512 mgmt = (struct ieee80211_mgmt *)hdr; 513 category = mgmt->u.action.category; 514 if (category != WLAN_CATEGORY_MESH_ACTION && 515 category != WLAN_CATEGORY_SELF_PROTECTED) 516 return RX_DROP_MONITOR; 517 return RX_CONTINUE; 518 } 519 520 if (ieee80211_is_probe_req(hdr->frame_control) || 521 ieee80211_is_probe_resp(hdr->frame_control) || 522 ieee80211_is_beacon(hdr->frame_control) || 523 ieee80211_is_auth(hdr->frame_control)) 524 return RX_CONTINUE; 525 526 return RX_DROP_MONITOR; 527 528 } 529 530 return RX_CONTINUE; 531 } 532 533 #define SEQ_MODULO 0x1000 534 #define SEQ_MASK 0xfff 535 536 static inline int seq_less(u16 sq1, u16 sq2) 537 { 538 return ((sq1 - sq2) & SEQ_MASK) > (SEQ_MODULO >> 1); 539 } 540 541 static inline u16 seq_inc(u16 sq) 542 { 543 return (sq + 1) & SEQ_MASK; 544 } 545 546 static inline u16 seq_sub(u16 sq1, u16 sq2) 547 { 548 return (sq1 - sq2) & SEQ_MASK; 549 } 550 551 552 static void ieee80211_release_reorder_frame(struct ieee80211_hw *hw, 553 struct tid_ampdu_rx *tid_agg_rx, 554 int index) 555 { 556 struct ieee80211_local *local = hw_to_local(hw); 557 struct sk_buff *skb = tid_agg_rx->reorder_buf[index]; 558 struct ieee80211_rx_status *status; 559 560 lockdep_assert_held(&tid_agg_rx->reorder_lock); 561 562 if (!skb) 563 goto no_frame; 564 565 /* release the frame from the reorder ring buffer */ 566 tid_agg_rx->stored_mpdu_num--; 567 tid_agg_rx->reorder_buf[index] = NULL; 568 status = IEEE80211_SKB_RXCB(skb); 569 status->rx_flags |= IEEE80211_RX_DEFERRED_RELEASE; 570 skb_queue_tail(&local->rx_skb_queue, skb); 571 572 no_frame: 573 tid_agg_rx->head_seq_num = seq_inc(tid_agg_rx->head_seq_num); 574 } 575 576 static void ieee80211_release_reorder_frames(struct ieee80211_hw *hw, 577 struct tid_ampdu_rx *tid_agg_rx, 578 u16 head_seq_num) 579 { 580 int index; 581 582 lockdep_assert_held(&tid_agg_rx->reorder_lock); 583 584 while (seq_less(tid_agg_rx->head_seq_num, head_seq_num)) { 585 index = seq_sub(tid_agg_rx->head_seq_num, tid_agg_rx->ssn) % 586 tid_agg_rx->buf_size; 587 ieee80211_release_reorder_frame(hw, tid_agg_rx, index); 588 } 589 } 590 591 /* 592 * Timeout (in jiffies) for skb's that are waiting in the RX reorder buffer. If 593 * the skb was added to the buffer longer than this time ago, the earlier 594 * frames that have not yet been received are assumed to be lost and the skb 595 * can be released for processing. This may also release other skb's from the 596 * reorder buffer if there are no additional gaps between the frames. 597 * 598 * Callers must hold tid_agg_rx->reorder_lock. 599 */ 600 #define HT_RX_REORDER_BUF_TIMEOUT (HZ / 10) 601 602 static void ieee80211_sta_reorder_release(struct ieee80211_hw *hw, 603 struct tid_ampdu_rx *tid_agg_rx) 604 { 605 int index, j; 606 607 lockdep_assert_held(&tid_agg_rx->reorder_lock); 608 609 /* release the buffer until next missing frame */ 610 index = seq_sub(tid_agg_rx->head_seq_num, tid_agg_rx->ssn) % 611 tid_agg_rx->buf_size; 612 if (!tid_agg_rx->reorder_buf[index] && 613 tid_agg_rx->stored_mpdu_num > 1) { 614 /* 615 * No buffers ready to be released, but check whether any 616 * frames in the reorder buffer have timed out. 617 */ 618 int skipped = 1; 619 for (j = (index + 1) % tid_agg_rx->buf_size; j != index; 620 j = (j + 1) % tid_agg_rx->buf_size) { 621 if (!tid_agg_rx->reorder_buf[j]) { 622 skipped++; 623 continue; 624 } 625 if (skipped && 626 !time_after(jiffies, tid_agg_rx->reorder_time[j] + 627 HT_RX_REORDER_BUF_TIMEOUT)) 628 goto set_release_timer; 629 630 #ifdef CONFIG_MAC80211_HT_DEBUG 631 if (net_ratelimit()) 632 wiphy_debug(hw->wiphy, 633 "release an RX reorder frame due to timeout on earlier frames\n"); 634 #endif 635 ieee80211_release_reorder_frame(hw, tid_agg_rx, j); 636 637 /* 638 * Increment the head seq# also for the skipped slots. 639 */ 640 tid_agg_rx->head_seq_num = 641 (tid_agg_rx->head_seq_num + skipped) & SEQ_MASK; 642 skipped = 0; 643 } 644 } else while (tid_agg_rx->reorder_buf[index]) { 645 ieee80211_release_reorder_frame(hw, tid_agg_rx, index); 646 index = seq_sub(tid_agg_rx->head_seq_num, tid_agg_rx->ssn) % 647 tid_agg_rx->buf_size; 648 } 649 650 if (tid_agg_rx->stored_mpdu_num) { 651 j = index = seq_sub(tid_agg_rx->head_seq_num, 652 tid_agg_rx->ssn) % tid_agg_rx->buf_size; 653 654 for (; j != (index - 1) % tid_agg_rx->buf_size; 655 j = (j + 1) % tid_agg_rx->buf_size) { 656 if (tid_agg_rx->reorder_buf[j]) 657 break; 658 } 659 660 set_release_timer: 661 662 mod_timer(&tid_agg_rx->reorder_timer, 663 tid_agg_rx->reorder_time[j] + 1 + 664 HT_RX_REORDER_BUF_TIMEOUT); 665 } else { 666 del_timer(&tid_agg_rx->reorder_timer); 667 } 668 } 669 670 /* 671 * As this function belongs to the RX path it must be under 672 * rcu_read_lock protection. It returns false if the frame 673 * can be processed immediately, true if it was consumed. 674 */ 675 static bool ieee80211_sta_manage_reorder_buf(struct ieee80211_hw *hw, 676 struct tid_ampdu_rx *tid_agg_rx, 677 struct sk_buff *skb) 678 { 679 struct ieee80211_hdr *hdr = (struct ieee80211_hdr *) skb->data; 680 u16 sc = le16_to_cpu(hdr->seq_ctrl); 681 u16 mpdu_seq_num = (sc & IEEE80211_SCTL_SEQ) >> 4; 682 u16 head_seq_num, buf_size; 683 int index; 684 bool ret = true; 685 686 spin_lock(&tid_agg_rx->reorder_lock); 687 688 buf_size = tid_agg_rx->buf_size; 689 head_seq_num = tid_agg_rx->head_seq_num; 690 691 /* frame with out of date sequence number */ 692 if (seq_less(mpdu_seq_num, head_seq_num)) { 693 dev_kfree_skb(skb); 694 goto out; 695 } 696 697 /* 698 * If frame the sequence number exceeds our buffering window 699 * size release some previous frames to make room for this one. 700 */ 701 if (!seq_less(mpdu_seq_num, head_seq_num + buf_size)) { 702 head_seq_num = seq_inc(seq_sub(mpdu_seq_num, buf_size)); 703 /* release stored frames up to new head to stack */ 704 ieee80211_release_reorder_frames(hw, tid_agg_rx, head_seq_num); 705 } 706 707 /* Now the new frame is always in the range of the reordering buffer */ 708 709 index = seq_sub(mpdu_seq_num, tid_agg_rx->ssn) % tid_agg_rx->buf_size; 710 711 /* check if we already stored this frame */ 712 if (tid_agg_rx->reorder_buf[index]) { 713 dev_kfree_skb(skb); 714 goto out; 715 } 716 717 /* 718 * If the current MPDU is in the right order and nothing else 719 * is stored we can process it directly, no need to buffer it. 720 * If it is first but there's something stored, we may be able 721 * to release frames after this one. 722 */ 723 if (mpdu_seq_num == tid_agg_rx->head_seq_num && 724 tid_agg_rx->stored_mpdu_num == 0) { 725 tid_agg_rx->head_seq_num = seq_inc(tid_agg_rx->head_seq_num); 726 ret = false; 727 goto out; 728 } 729 730 /* put the frame in the reordering buffer */ 731 tid_agg_rx->reorder_buf[index] = skb; 732 tid_agg_rx->reorder_time[index] = jiffies; 733 tid_agg_rx->stored_mpdu_num++; 734 ieee80211_sta_reorder_release(hw, tid_agg_rx); 735 736 out: 737 spin_unlock(&tid_agg_rx->reorder_lock); 738 return ret; 739 } 740 741 /* 742 * Reorder MPDUs from A-MPDUs, keeping them on a buffer. Returns 743 * true if the MPDU was buffered, false if it should be processed. 744 */ 745 static void ieee80211_rx_reorder_ampdu(struct ieee80211_rx_data *rx) 746 { 747 struct sk_buff *skb = rx->skb; 748 struct ieee80211_local *local = rx->local; 749 struct ieee80211_hw *hw = &local->hw; 750 struct ieee80211_hdr *hdr = (struct ieee80211_hdr *) skb->data; 751 struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(skb); 752 struct sta_info *sta = rx->sta; 753 struct tid_ampdu_rx *tid_agg_rx; 754 u16 sc; 755 u8 tid, ack_policy; 756 757 if (!ieee80211_is_data_qos(hdr->frame_control)) 758 goto dont_reorder; 759 760 /* 761 * filter the QoS data rx stream according to 762 * STA/TID and check if this STA/TID is on aggregation 763 */ 764 765 if (!sta) 766 goto dont_reorder; 767 768 ack_policy = *ieee80211_get_qos_ctl(hdr) & 769 IEEE80211_QOS_CTL_ACK_POLICY_MASK; 770 tid = *ieee80211_get_qos_ctl(hdr) & IEEE80211_QOS_CTL_TID_MASK; 771 772 tid_agg_rx = rcu_dereference(sta->ampdu_mlme.tid_rx[tid]); 773 if (!tid_agg_rx) 774 goto dont_reorder; 775 776 /* qos null data frames are excluded */ 777 if (unlikely(hdr->frame_control & cpu_to_le16(IEEE80211_STYPE_NULLFUNC))) 778 goto dont_reorder; 779 780 /* not part of a BA session */ 781 if (ack_policy != IEEE80211_QOS_CTL_ACK_POLICY_BLOCKACK && 782 ack_policy != IEEE80211_QOS_CTL_ACK_POLICY_NORMAL) 783 goto dont_reorder; 784 785 /* not actually part of this BA session */ 786 if (!(status->rx_flags & IEEE80211_RX_RA_MATCH)) 787 goto dont_reorder; 788 789 /* new, potentially un-ordered, ampdu frame - process it */ 790 791 /* reset session timer */ 792 if (tid_agg_rx->timeout) 793 mod_timer(&tid_agg_rx->session_timer, 794 TU_TO_EXP_TIME(tid_agg_rx->timeout)); 795 796 /* if this mpdu is fragmented - terminate rx aggregation session */ 797 sc = le16_to_cpu(hdr->seq_ctrl); 798 if (sc & IEEE80211_SCTL_FRAG) { 799 skb->pkt_type = IEEE80211_SDATA_QUEUE_TYPE_FRAME; 800 skb_queue_tail(&rx->sdata->skb_queue, skb); 801 ieee80211_queue_work(&local->hw, &rx->sdata->work); 802 return; 803 } 804 805 /* 806 * No locking needed -- we will only ever process one 807 * RX packet at a time, and thus own tid_agg_rx. All 808 * other code manipulating it needs to (and does) make 809 * sure that we cannot get to it any more before doing 810 * anything with it. 811 */ 812 if (ieee80211_sta_manage_reorder_buf(hw, tid_agg_rx, skb)) 813 return; 814 815 dont_reorder: 816 skb_queue_tail(&local->rx_skb_queue, skb); 817 } 818 819 static ieee80211_rx_result debug_noinline 820 ieee80211_rx_h_check(struct ieee80211_rx_data *rx) 821 { 822 struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)rx->skb->data; 823 struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(rx->skb); 824 825 /* Drop duplicate 802.11 retransmissions (IEEE 802.11 Chap. 9.2.9) */ 826 if (rx->sta && !is_multicast_ether_addr(hdr->addr1)) { 827 if (unlikely(ieee80211_has_retry(hdr->frame_control) && 828 rx->sta->last_seq_ctrl[rx->seqno_idx] == 829 hdr->seq_ctrl)) { 830 if (status->rx_flags & IEEE80211_RX_RA_MATCH) { 831 rx->local->dot11FrameDuplicateCount++; 832 rx->sta->num_duplicates++; 833 } 834 return RX_DROP_UNUSABLE; 835 } else 836 rx->sta->last_seq_ctrl[rx->seqno_idx] = hdr->seq_ctrl; 837 } 838 839 if (unlikely(rx->skb->len < 16)) { 840 I802_DEBUG_INC(rx->local->rx_handlers_drop_short); 841 return RX_DROP_MONITOR; 842 } 843 844 /* Drop disallowed frame classes based on STA auth/assoc state; 845 * IEEE 802.11, Chap 5.5. 846 * 847 * mac80211 filters only based on association state, i.e. it drops 848 * Class 3 frames from not associated stations. hostapd sends 849 * deauth/disassoc frames when needed. In addition, hostapd is 850 * responsible for filtering on both auth and assoc states. 851 */ 852 853 if (ieee80211_vif_is_mesh(&rx->sdata->vif)) 854 return ieee80211_rx_mesh_check(rx); 855 856 if (unlikely((ieee80211_is_data(hdr->frame_control) || 857 ieee80211_is_pspoll(hdr->frame_control)) && 858 rx->sdata->vif.type != NL80211_IFTYPE_ADHOC && 859 rx->sdata->vif.type != NL80211_IFTYPE_WDS && 860 (!rx->sta || !test_sta_flag(rx->sta, WLAN_STA_ASSOC)))) { 861 if (rx->sta && rx->sta->dummy && 862 ieee80211_is_data_present(hdr->frame_control)) { 863 u16 ethertype; 864 u8 *payload; 865 866 payload = rx->skb->data + 867 ieee80211_hdrlen(hdr->frame_control); 868 ethertype = (payload[6] << 8) | payload[7]; 869 if (cpu_to_be16(ethertype) == 870 rx->sdata->control_port_protocol) 871 return RX_CONTINUE; 872 } 873 874 if (rx->sdata->vif.type == NL80211_IFTYPE_AP && 875 cfg80211_rx_spurious_frame(rx->sdata->dev, 876 hdr->addr2, 877 GFP_ATOMIC)) 878 return RX_DROP_UNUSABLE; 879 880 return RX_DROP_MONITOR; 881 } 882 883 return RX_CONTINUE; 884 } 885 886 887 static ieee80211_rx_result debug_noinline 888 ieee80211_rx_h_decrypt(struct ieee80211_rx_data *rx) 889 { 890 struct sk_buff *skb = rx->skb; 891 struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(skb); 892 struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)skb->data; 893 int keyidx; 894 int hdrlen; 895 ieee80211_rx_result result = RX_DROP_UNUSABLE; 896 struct ieee80211_key *sta_ptk = NULL; 897 int mmie_keyidx = -1; 898 __le16 fc; 899 900 /* 901 * Key selection 101 902 * 903 * There are four types of keys: 904 * - GTK (group keys) 905 * - IGTK (group keys for management frames) 906 * - PTK (pairwise keys) 907 * - STK (station-to-station pairwise keys) 908 * 909 * When selecting a key, we have to distinguish between multicast 910 * (including broadcast) and unicast frames, the latter can only 911 * use PTKs and STKs while the former always use GTKs and IGTKs. 912 * Unless, of course, actual WEP keys ("pre-RSNA") are used, then 913 * unicast frames can also use key indices like GTKs. Hence, if we 914 * don't have a PTK/STK we check the key index for a WEP key. 915 * 916 * Note that in a regular BSS, multicast frames are sent by the 917 * AP only, associated stations unicast the frame to the AP first 918 * which then multicasts it on their behalf. 919 * 920 * There is also a slight problem in IBSS mode: GTKs are negotiated 921 * with each station, that is something we don't currently handle. 922 * The spec seems to expect that one negotiates the same key with 923 * every station but there's no such requirement; VLANs could be 924 * possible. 925 */ 926 927 /* 928 * No point in finding a key and decrypting if the frame is neither 929 * addressed to us nor a multicast frame. 930 */ 931 if (!(status->rx_flags & IEEE80211_RX_RA_MATCH)) 932 return RX_CONTINUE; 933 934 /* start without a key */ 935 rx->key = NULL; 936 937 if (rx->sta) 938 sta_ptk = rcu_dereference(rx->sta->ptk); 939 940 fc = hdr->frame_control; 941 942 if (!ieee80211_has_protected(fc)) 943 mmie_keyidx = ieee80211_get_mmie_keyidx(rx->skb); 944 945 if (!is_multicast_ether_addr(hdr->addr1) && sta_ptk) { 946 rx->key = sta_ptk; 947 if ((status->flag & RX_FLAG_DECRYPTED) && 948 (status->flag & RX_FLAG_IV_STRIPPED)) 949 return RX_CONTINUE; 950 /* Skip decryption if the frame is not protected. */ 951 if (!ieee80211_has_protected(fc)) 952 return RX_CONTINUE; 953 } else if (mmie_keyidx >= 0) { 954 /* Broadcast/multicast robust management frame / BIP */ 955 if ((status->flag & RX_FLAG_DECRYPTED) && 956 (status->flag & RX_FLAG_IV_STRIPPED)) 957 return RX_CONTINUE; 958 959 if (mmie_keyidx < NUM_DEFAULT_KEYS || 960 mmie_keyidx >= NUM_DEFAULT_KEYS + NUM_DEFAULT_MGMT_KEYS) 961 return RX_DROP_MONITOR; /* unexpected BIP keyidx */ 962 if (rx->sta) 963 rx->key = rcu_dereference(rx->sta->gtk[mmie_keyidx]); 964 if (!rx->key) 965 rx->key = rcu_dereference(rx->sdata->keys[mmie_keyidx]); 966 } else if (!ieee80211_has_protected(fc)) { 967 /* 968 * The frame was not protected, so skip decryption. However, we 969 * need to set rx->key if there is a key that could have been 970 * used so that the frame may be dropped if encryption would 971 * have been expected. 972 */ 973 struct ieee80211_key *key = NULL; 974 struct ieee80211_sub_if_data *sdata = rx->sdata; 975 int i; 976 977 if (ieee80211_is_mgmt(fc) && 978 is_multicast_ether_addr(hdr->addr1) && 979 (key = rcu_dereference(rx->sdata->default_mgmt_key))) 980 rx->key = key; 981 else { 982 if (rx->sta) { 983 for (i = 0; i < NUM_DEFAULT_KEYS; i++) { 984 key = rcu_dereference(rx->sta->gtk[i]); 985 if (key) 986 break; 987 } 988 } 989 if (!key) { 990 for (i = 0; i < NUM_DEFAULT_KEYS; i++) { 991 key = rcu_dereference(sdata->keys[i]); 992 if (key) 993 break; 994 } 995 } 996 if (key) 997 rx->key = key; 998 } 999 return RX_CONTINUE; 1000 } else { 1001 u8 keyid; 1002 /* 1003 * The device doesn't give us the IV so we won't be 1004 * able to look up the key. That's ok though, we 1005 * don't need to decrypt the frame, we just won't 1006 * be able to keep statistics accurate. 1007 * Except for key threshold notifications, should 1008 * we somehow allow the driver to tell us which key 1009 * the hardware used if this flag is set? 1010 */ 1011 if ((status->flag & RX_FLAG_DECRYPTED) && 1012 (status->flag & RX_FLAG_IV_STRIPPED)) 1013 return RX_CONTINUE; 1014 1015 hdrlen = ieee80211_hdrlen(fc); 1016 1017 if (rx->skb->len < 8 + hdrlen) 1018 return RX_DROP_UNUSABLE; /* TODO: count this? */ 1019 1020 /* 1021 * no need to call ieee80211_wep_get_keyidx, 1022 * it verifies a bunch of things we've done already 1023 */ 1024 skb_copy_bits(rx->skb, hdrlen + 3, &keyid, 1); 1025 keyidx = keyid >> 6; 1026 1027 /* check per-station GTK first, if multicast packet */ 1028 if (is_multicast_ether_addr(hdr->addr1) && rx->sta) 1029 rx->key = rcu_dereference(rx->sta->gtk[keyidx]); 1030 1031 /* if not found, try default key */ 1032 if (!rx->key) { 1033 rx->key = rcu_dereference(rx->sdata->keys[keyidx]); 1034 1035 /* 1036 * RSNA-protected unicast frames should always be 1037 * sent with pairwise or station-to-station keys, 1038 * but for WEP we allow using a key index as well. 1039 */ 1040 if (rx->key && 1041 rx->key->conf.cipher != WLAN_CIPHER_SUITE_WEP40 && 1042 rx->key->conf.cipher != WLAN_CIPHER_SUITE_WEP104 && 1043 !is_multicast_ether_addr(hdr->addr1)) 1044 rx->key = NULL; 1045 } 1046 } 1047 1048 if (rx->key) { 1049 if (unlikely(rx->key->flags & KEY_FLAG_TAINTED)) 1050 return RX_DROP_MONITOR; 1051 1052 rx->key->tx_rx_count++; 1053 /* TODO: add threshold stuff again */ 1054 } else { 1055 return RX_DROP_MONITOR; 1056 } 1057 1058 if (skb_linearize(rx->skb)) 1059 return RX_DROP_UNUSABLE; 1060 /* the hdr variable is invalid now! */ 1061 1062 switch (rx->key->conf.cipher) { 1063 case WLAN_CIPHER_SUITE_WEP40: 1064 case WLAN_CIPHER_SUITE_WEP104: 1065 /* Check for weak IVs if possible */ 1066 if (rx->sta && ieee80211_is_data(fc) && 1067 (!(status->flag & RX_FLAG_IV_STRIPPED) || 1068 !(status->flag & RX_FLAG_DECRYPTED)) && 1069 ieee80211_wep_is_weak_iv(rx->skb, rx->key)) 1070 rx->sta->wep_weak_iv_count++; 1071 1072 result = ieee80211_crypto_wep_decrypt(rx); 1073 break; 1074 case WLAN_CIPHER_SUITE_TKIP: 1075 result = ieee80211_crypto_tkip_decrypt(rx); 1076 break; 1077 case WLAN_CIPHER_SUITE_CCMP: 1078 result = ieee80211_crypto_ccmp_decrypt(rx); 1079 break; 1080 case WLAN_CIPHER_SUITE_AES_CMAC: 1081 result = ieee80211_crypto_aes_cmac_decrypt(rx); 1082 break; 1083 default: 1084 /* 1085 * We can reach here only with HW-only algorithms 1086 * but why didn't it decrypt the frame?! 1087 */ 1088 return RX_DROP_UNUSABLE; 1089 } 1090 1091 /* either the frame has been decrypted or will be dropped */ 1092 status->flag |= RX_FLAG_DECRYPTED; 1093 1094 return result; 1095 } 1096 1097 static ieee80211_rx_result debug_noinline 1098 ieee80211_rx_h_check_more_data(struct ieee80211_rx_data *rx) 1099 { 1100 struct ieee80211_local *local; 1101 struct ieee80211_hdr *hdr; 1102 struct sk_buff *skb; 1103 1104 local = rx->local; 1105 skb = rx->skb; 1106 hdr = (struct ieee80211_hdr *) skb->data; 1107 1108 if (!local->pspolling) 1109 return RX_CONTINUE; 1110 1111 if (!ieee80211_has_fromds(hdr->frame_control)) 1112 /* this is not from AP */ 1113 return RX_CONTINUE; 1114 1115 if (!ieee80211_is_data(hdr->frame_control)) 1116 return RX_CONTINUE; 1117 1118 if (!ieee80211_has_moredata(hdr->frame_control)) { 1119 /* AP has no more frames buffered for us */ 1120 local->pspolling = false; 1121 return RX_CONTINUE; 1122 } 1123 1124 /* more data bit is set, let's request a new frame from the AP */ 1125 ieee80211_send_pspoll(local, rx->sdata); 1126 1127 return RX_CONTINUE; 1128 } 1129 1130 static void ap_sta_ps_start(struct sta_info *sta) 1131 { 1132 struct ieee80211_sub_if_data *sdata = sta->sdata; 1133 struct ieee80211_local *local = sdata->local; 1134 1135 atomic_inc(&sdata->bss->num_sta_ps); 1136 set_sta_flag(sta, WLAN_STA_PS_STA); 1137 if (!(local->hw.flags & IEEE80211_HW_AP_LINK_PS)) 1138 drv_sta_notify(local, sdata, STA_NOTIFY_SLEEP, &sta->sta); 1139 #ifdef CONFIG_MAC80211_VERBOSE_PS_DEBUG 1140 printk(KERN_DEBUG "%s: STA %pM aid %d enters power save mode\n", 1141 sdata->name, sta->sta.addr, sta->sta.aid); 1142 #endif /* CONFIG_MAC80211_VERBOSE_PS_DEBUG */ 1143 } 1144 1145 static void ap_sta_ps_end(struct sta_info *sta) 1146 { 1147 struct ieee80211_sub_if_data *sdata = sta->sdata; 1148 1149 atomic_dec(&sdata->bss->num_sta_ps); 1150 1151 #ifdef CONFIG_MAC80211_VERBOSE_PS_DEBUG 1152 printk(KERN_DEBUG "%s: STA %pM aid %d exits power save mode\n", 1153 sdata->name, sta->sta.addr, sta->sta.aid); 1154 #endif /* CONFIG_MAC80211_VERBOSE_PS_DEBUG */ 1155 1156 if (test_sta_flag(sta, WLAN_STA_PS_DRIVER)) { 1157 #ifdef CONFIG_MAC80211_VERBOSE_PS_DEBUG 1158 printk(KERN_DEBUG "%s: STA %pM aid %d driver-ps-blocked\n", 1159 sdata->name, sta->sta.addr, sta->sta.aid); 1160 #endif /* CONFIG_MAC80211_VERBOSE_PS_DEBUG */ 1161 return; 1162 } 1163 1164 ieee80211_sta_ps_deliver_wakeup(sta); 1165 } 1166 1167 int ieee80211_sta_ps_transition(struct ieee80211_sta *sta, bool start) 1168 { 1169 struct sta_info *sta_inf = container_of(sta, struct sta_info, sta); 1170 bool in_ps; 1171 1172 WARN_ON(!(sta_inf->local->hw.flags & IEEE80211_HW_AP_LINK_PS)); 1173 1174 /* Don't let the same PS state be set twice */ 1175 in_ps = test_sta_flag(sta_inf, WLAN_STA_PS_STA); 1176 if ((start && in_ps) || (!start && !in_ps)) 1177 return -EINVAL; 1178 1179 if (start) 1180 ap_sta_ps_start(sta_inf); 1181 else 1182 ap_sta_ps_end(sta_inf); 1183 1184 return 0; 1185 } 1186 EXPORT_SYMBOL(ieee80211_sta_ps_transition); 1187 1188 static ieee80211_rx_result debug_noinline 1189 ieee80211_rx_h_uapsd_and_pspoll(struct ieee80211_rx_data *rx) 1190 { 1191 struct ieee80211_sub_if_data *sdata = rx->sdata; 1192 struct ieee80211_hdr *hdr = (void *)rx->skb->data; 1193 struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(rx->skb); 1194 int tid, ac; 1195 1196 if (!rx->sta || !(status->rx_flags & IEEE80211_RX_RA_MATCH)) 1197 return RX_CONTINUE; 1198 1199 if (sdata->vif.type != NL80211_IFTYPE_AP && 1200 sdata->vif.type != NL80211_IFTYPE_AP_VLAN) 1201 return RX_CONTINUE; 1202 1203 /* 1204 * The device handles station powersave, so don't do anything about 1205 * uAPSD and PS-Poll frames (the latter shouldn't even come up from 1206 * it to mac80211 since they're handled.) 1207 */ 1208 if (sdata->local->hw.flags & IEEE80211_HW_AP_LINK_PS) 1209 return RX_CONTINUE; 1210 1211 /* 1212 * Don't do anything if the station isn't already asleep. In 1213 * the uAPSD case, the station will probably be marked asleep, 1214 * in the PS-Poll case the station must be confused ... 1215 */ 1216 if (!test_sta_flag(rx->sta, WLAN_STA_PS_STA)) 1217 return RX_CONTINUE; 1218 1219 if (unlikely(ieee80211_is_pspoll(hdr->frame_control))) { 1220 if (!test_sta_flag(rx->sta, WLAN_STA_SP)) { 1221 if (!test_sta_flag(rx->sta, WLAN_STA_PS_DRIVER)) 1222 ieee80211_sta_ps_deliver_poll_response(rx->sta); 1223 else 1224 set_sta_flag(rx->sta, WLAN_STA_PSPOLL); 1225 } 1226 1227 /* Free PS Poll skb here instead of returning RX_DROP that would 1228 * count as an dropped frame. */ 1229 dev_kfree_skb(rx->skb); 1230 1231 return RX_QUEUED; 1232 } else if (!ieee80211_has_morefrags(hdr->frame_control) && 1233 !(status->rx_flags & IEEE80211_RX_DEFERRED_RELEASE) && 1234 ieee80211_has_pm(hdr->frame_control) && 1235 (ieee80211_is_data_qos(hdr->frame_control) || 1236 ieee80211_is_qos_nullfunc(hdr->frame_control))) { 1237 tid = *ieee80211_get_qos_ctl(hdr) & IEEE80211_QOS_CTL_TID_MASK; 1238 ac = ieee802_1d_to_ac[tid & 7]; 1239 1240 /* 1241 * If this AC is not trigger-enabled do nothing. 1242 * 1243 * NB: This could/should check a separate bitmap of trigger- 1244 * enabled queues, but for now we only implement uAPSD w/o 1245 * TSPEC changes to the ACs, so they're always the same. 1246 */ 1247 if (!(rx->sta->sta.uapsd_queues & BIT(ac))) 1248 return RX_CONTINUE; 1249 1250 /* if we are in a service period, do nothing */ 1251 if (test_sta_flag(rx->sta, WLAN_STA_SP)) 1252 return RX_CONTINUE; 1253 1254 if (!test_sta_flag(rx->sta, WLAN_STA_PS_DRIVER)) 1255 ieee80211_sta_ps_deliver_uapsd(rx->sta); 1256 else 1257 set_sta_flag(rx->sta, WLAN_STA_UAPSD); 1258 } 1259 1260 return RX_CONTINUE; 1261 } 1262 1263 static ieee80211_rx_result debug_noinline 1264 ieee80211_rx_h_sta_process(struct ieee80211_rx_data *rx) 1265 { 1266 struct sta_info *sta = rx->sta; 1267 struct sk_buff *skb = rx->skb; 1268 struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(skb); 1269 struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)skb->data; 1270 1271 if (!sta) 1272 return RX_CONTINUE; 1273 1274 /* 1275 * Update last_rx only for IBSS packets which are for the current 1276 * BSSID to avoid keeping the current IBSS network alive in cases 1277 * where other STAs start using different BSSID. 1278 */ 1279 if (rx->sdata->vif.type == NL80211_IFTYPE_ADHOC) { 1280 u8 *bssid = ieee80211_get_bssid(hdr, rx->skb->len, 1281 NL80211_IFTYPE_ADHOC); 1282 if (compare_ether_addr(bssid, rx->sdata->u.ibss.bssid) == 0) { 1283 sta->last_rx = jiffies; 1284 if (ieee80211_is_data(hdr->frame_control)) { 1285 sta->last_rx_rate_idx = status->rate_idx; 1286 sta->last_rx_rate_flag = status->flag; 1287 } 1288 } 1289 } else if (!is_multicast_ether_addr(hdr->addr1)) { 1290 /* 1291 * Mesh beacons will update last_rx when if they are found to 1292 * match the current local configuration when processed. 1293 */ 1294 sta->last_rx = jiffies; 1295 if (ieee80211_is_data(hdr->frame_control)) { 1296 sta->last_rx_rate_idx = status->rate_idx; 1297 sta->last_rx_rate_flag = status->flag; 1298 } 1299 } 1300 1301 if (!(status->rx_flags & IEEE80211_RX_RA_MATCH)) 1302 return RX_CONTINUE; 1303 1304 if (rx->sdata->vif.type == NL80211_IFTYPE_STATION) 1305 ieee80211_sta_rx_notify(rx->sdata, hdr); 1306 1307 sta->rx_fragments++; 1308 sta->rx_bytes += rx->skb->len; 1309 sta->last_signal = status->signal; 1310 ewma_add(&sta->avg_signal, -status->signal); 1311 1312 /* 1313 * Change STA power saving mode only at the end of a frame 1314 * exchange sequence. 1315 */ 1316 if (!(sta->local->hw.flags & IEEE80211_HW_AP_LINK_PS) && 1317 !ieee80211_has_morefrags(hdr->frame_control) && 1318 !(status->rx_flags & IEEE80211_RX_DEFERRED_RELEASE) && 1319 (rx->sdata->vif.type == NL80211_IFTYPE_AP || 1320 rx->sdata->vif.type == NL80211_IFTYPE_AP_VLAN)) { 1321 if (test_sta_flag(sta, WLAN_STA_PS_STA)) { 1322 /* 1323 * Ignore doze->wake transitions that are 1324 * indicated by non-data frames, the standard 1325 * is unclear here, but for example going to 1326 * PS mode and then scanning would cause a 1327 * doze->wake transition for the probe request, 1328 * and that is clearly undesirable. 1329 */ 1330 if (ieee80211_is_data(hdr->frame_control) && 1331 !ieee80211_has_pm(hdr->frame_control)) 1332 ap_sta_ps_end(sta); 1333 } else { 1334 if (ieee80211_has_pm(hdr->frame_control)) 1335 ap_sta_ps_start(sta); 1336 } 1337 } 1338 1339 /* 1340 * Drop (qos-)data::nullfunc frames silently, since they 1341 * are used only to control station power saving mode. 1342 */ 1343 if (ieee80211_is_nullfunc(hdr->frame_control) || 1344 ieee80211_is_qos_nullfunc(hdr->frame_control)) { 1345 I802_DEBUG_INC(rx->local->rx_handlers_drop_nullfunc); 1346 1347 /* 1348 * If we receive a 4-addr nullfunc frame from a STA 1349 * that was not moved to a 4-addr STA vlan yet send 1350 * the event to userspace and for older hostapd drop 1351 * the frame to the monitor interface. 1352 */ 1353 if (ieee80211_has_a4(hdr->frame_control) && 1354 (rx->sdata->vif.type == NL80211_IFTYPE_AP || 1355 (rx->sdata->vif.type == NL80211_IFTYPE_AP_VLAN && 1356 !rx->sdata->u.vlan.sta))) { 1357 if (!test_and_set_sta_flag(sta, WLAN_STA_4ADDR_EVENT)) 1358 cfg80211_rx_unexpected_4addr_frame( 1359 rx->sdata->dev, sta->sta.addr, 1360 GFP_ATOMIC); 1361 return RX_DROP_MONITOR; 1362 } 1363 /* 1364 * Update counter and free packet here to avoid 1365 * counting this as a dropped packed. 1366 */ 1367 sta->rx_packets++; 1368 dev_kfree_skb(rx->skb); 1369 return RX_QUEUED; 1370 } 1371 1372 return RX_CONTINUE; 1373 } /* ieee80211_rx_h_sta_process */ 1374 1375 static inline struct ieee80211_fragment_entry * 1376 ieee80211_reassemble_add(struct ieee80211_sub_if_data *sdata, 1377 unsigned int frag, unsigned int seq, int rx_queue, 1378 struct sk_buff **skb) 1379 { 1380 struct ieee80211_fragment_entry *entry; 1381 int idx; 1382 1383 idx = sdata->fragment_next; 1384 entry = &sdata->fragments[sdata->fragment_next++]; 1385 if (sdata->fragment_next >= IEEE80211_FRAGMENT_MAX) 1386 sdata->fragment_next = 0; 1387 1388 if (!skb_queue_empty(&entry->skb_list)) { 1389 #ifdef CONFIG_MAC80211_VERBOSE_DEBUG 1390 struct ieee80211_hdr *hdr = 1391 (struct ieee80211_hdr *) entry->skb_list.next->data; 1392 printk(KERN_DEBUG "%s: RX reassembly removed oldest " 1393 "fragment entry (idx=%d age=%lu seq=%d last_frag=%d " 1394 "addr1=%pM addr2=%pM\n", 1395 sdata->name, idx, 1396 jiffies - entry->first_frag_time, entry->seq, 1397 entry->last_frag, hdr->addr1, hdr->addr2); 1398 #endif 1399 __skb_queue_purge(&entry->skb_list); 1400 } 1401 1402 __skb_queue_tail(&entry->skb_list, *skb); /* no need for locking */ 1403 *skb = NULL; 1404 entry->first_frag_time = jiffies; 1405 entry->seq = seq; 1406 entry->rx_queue = rx_queue; 1407 entry->last_frag = frag; 1408 entry->ccmp = 0; 1409 entry->extra_len = 0; 1410 1411 return entry; 1412 } 1413 1414 static inline struct ieee80211_fragment_entry * 1415 ieee80211_reassemble_find(struct ieee80211_sub_if_data *sdata, 1416 unsigned int frag, unsigned int seq, 1417 int rx_queue, struct ieee80211_hdr *hdr) 1418 { 1419 struct ieee80211_fragment_entry *entry; 1420 int i, idx; 1421 1422 idx = sdata->fragment_next; 1423 for (i = 0; i < IEEE80211_FRAGMENT_MAX; i++) { 1424 struct ieee80211_hdr *f_hdr; 1425 1426 idx--; 1427 if (idx < 0) 1428 idx = IEEE80211_FRAGMENT_MAX - 1; 1429 1430 entry = &sdata->fragments[idx]; 1431 if (skb_queue_empty(&entry->skb_list) || entry->seq != seq || 1432 entry->rx_queue != rx_queue || 1433 entry->last_frag + 1 != frag) 1434 continue; 1435 1436 f_hdr = (struct ieee80211_hdr *)entry->skb_list.next->data; 1437 1438 /* 1439 * Check ftype and addresses are equal, else check next fragment 1440 */ 1441 if (((hdr->frame_control ^ f_hdr->frame_control) & 1442 cpu_to_le16(IEEE80211_FCTL_FTYPE)) || 1443 compare_ether_addr(hdr->addr1, f_hdr->addr1) != 0 || 1444 compare_ether_addr(hdr->addr2, f_hdr->addr2) != 0) 1445 continue; 1446 1447 if (time_after(jiffies, entry->first_frag_time + 2 * HZ)) { 1448 __skb_queue_purge(&entry->skb_list); 1449 continue; 1450 } 1451 return entry; 1452 } 1453 1454 return NULL; 1455 } 1456 1457 static ieee80211_rx_result debug_noinline 1458 ieee80211_rx_h_defragment(struct ieee80211_rx_data *rx) 1459 { 1460 struct ieee80211_hdr *hdr; 1461 u16 sc; 1462 __le16 fc; 1463 unsigned int frag, seq; 1464 struct ieee80211_fragment_entry *entry; 1465 struct sk_buff *skb; 1466 struct ieee80211_rx_status *status; 1467 1468 hdr = (struct ieee80211_hdr *)rx->skb->data; 1469 fc = hdr->frame_control; 1470 sc = le16_to_cpu(hdr->seq_ctrl); 1471 frag = sc & IEEE80211_SCTL_FRAG; 1472 1473 if (likely((!ieee80211_has_morefrags(fc) && frag == 0) || 1474 (rx->skb)->len < 24 || 1475 is_multicast_ether_addr(hdr->addr1))) { 1476 /* not fragmented */ 1477 goto out; 1478 } 1479 I802_DEBUG_INC(rx->local->rx_handlers_fragments); 1480 1481 if (skb_linearize(rx->skb)) 1482 return RX_DROP_UNUSABLE; 1483 1484 /* 1485 * skb_linearize() might change the skb->data and 1486 * previously cached variables (in this case, hdr) need to 1487 * be refreshed with the new data. 1488 */ 1489 hdr = (struct ieee80211_hdr *)rx->skb->data; 1490 seq = (sc & IEEE80211_SCTL_SEQ) >> 4; 1491 1492 if (frag == 0) { 1493 /* This is the first fragment of a new frame. */ 1494 entry = ieee80211_reassemble_add(rx->sdata, frag, seq, 1495 rx->seqno_idx, &(rx->skb)); 1496 if (rx->key && rx->key->conf.cipher == WLAN_CIPHER_SUITE_CCMP && 1497 ieee80211_has_protected(fc)) { 1498 int queue = rx->security_idx; 1499 /* Store CCMP PN so that we can verify that the next 1500 * fragment has a sequential PN value. */ 1501 entry->ccmp = 1; 1502 memcpy(entry->last_pn, 1503 rx->key->u.ccmp.rx_pn[queue], 1504 CCMP_PN_LEN); 1505 } 1506 return RX_QUEUED; 1507 } 1508 1509 /* This is a fragment for a frame that should already be pending in 1510 * fragment cache. Add this fragment to the end of the pending entry. 1511 */ 1512 entry = ieee80211_reassemble_find(rx->sdata, frag, seq, 1513 rx->seqno_idx, hdr); 1514 if (!entry) { 1515 I802_DEBUG_INC(rx->local->rx_handlers_drop_defrag); 1516 return RX_DROP_MONITOR; 1517 } 1518 1519 /* Verify that MPDUs within one MSDU have sequential PN values. 1520 * (IEEE 802.11i, 8.3.3.4.5) */ 1521 if (entry->ccmp) { 1522 int i; 1523 u8 pn[CCMP_PN_LEN], *rpn; 1524 int queue; 1525 if (!rx->key || rx->key->conf.cipher != WLAN_CIPHER_SUITE_CCMP) 1526 return RX_DROP_UNUSABLE; 1527 memcpy(pn, entry->last_pn, CCMP_PN_LEN); 1528 for (i = CCMP_PN_LEN - 1; i >= 0; i--) { 1529 pn[i]++; 1530 if (pn[i]) 1531 break; 1532 } 1533 queue = rx->security_idx; 1534 rpn = rx->key->u.ccmp.rx_pn[queue]; 1535 if (memcmp(pn, rpn, CCMP_PN_LEN)) 1536 return RX_DROP_UNUSABLE; 1537 memcpy(entry->last_pn, pn, CCMP_PN_LEN); 1538 } 1539 1540 skb_pull(rx->skb, ieee80211_hdrlen(fc)); 1541 __skb_queue_tail(&entry->skb_list, rx->skb); 1542 entry->last_frag = frag; 1543 entry->extra_len += rx->skb->len; 1544 if (ieee80211_has_morefrags(fc)) { 1545 rx->skb = NULL; 1546 return RX_QUEUED; 1547 } 1548 1549 rx->skb = __skb_dequeue(&entry->skb_list); 1550 if (skb_tailroom(rx->skb) < entry->extra_len) { 1551 I802_DEBUG_INC(rx->local->rx_expand_skb_head2); 1552 if (unlikely(pskb_expand_head(rx->skb, 0, entry->extra_len, 1553 GFP_ATOMIC))) { 1554 I802_DEBUG_INC(rx->local->rx_handlers_drop_defrag); 1555 __skb_queue_purge(&entry->skb_list); 1556 return RX_DROP_UNUSABLE; 1557 } 1558 } 1559 while ((skb = __skb_dequeue(&entry->skb_list))) { 1560 memcpy(skb_put(rx->skb, skb->len), skb->data, skb->len); 1561 dev_kfree_skb(skb); 1562 } 1563 1564 /* Complete frame has been reassembled - process it now */ 1565 status = IEEE80211_SKB_RXCB(rx->skb); 1566 status->rx_flags |= IEEE80211_RX_FRAGMENTED; 1567 1568 out: 1569 if (rx->sta) 1570 rx->sta->rx_packets++; 1571 if (is_multicast_ether_addr(hdr->addr1)) 1572 rx->local->dot11MulticastReceivedFrameCount++; 1573 else 1574 ieee80211_led_rx(rx->local); 1575 return RX_CONTINUE; 1576 } 1577 1578 static ieee80211_rx_result debug_noinline 1579 ieee80211_rx_h_remove_qos_control(struct ieee80211_rx_data *rx) 1580 { 1581 u8 *data = rx->skb->data; 1582 struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)data; 1583 1584 if (!ieee80211_is_data_qos(hdr->frame_control)) 1585 return RX_CONTINUE; 1586 1587 /* remove the qos control field, update frame type and meta-data */ 1588 memmove(data + IEEE80211_QOS_CTL_LEN, data, 1589 ieee80211_hdrlen(hdr->frame_control) - IEEE80211_QOS_CTL_LEN); 1590 hdr = (struct ieee80211_hdr *)skb_pull(rx->skb, IEEE80211_QOS_CTL_LEN); 1591 /* change frame type to non QOS */ 1592 hdr->frame_control &= ~cpu_to_le16(IEEE80211_STYPE_QOS_DATA); 1593 1594 return RX_CONTINUE; 1595 } 1596 1597 static int 1598 ieee80211_802_1x_port_control(struct ieee80211_rx_data *rx) 1599 { 1600 if (unlikely(!rx->sta || 1601 !test_sta_flag(rx->sta, WLAN_STA_AUTHORIZED))) 1602 return -EACCES; 1603 1604 return 0; 1605 } 1606 1607 static int 1608 ieee80211_drop_unencrypted(struct ieee80211_rx_data *rx, __le16 fc) 1609 { 1610 struct sk_buff *skb = rx->skb; 1611 struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(skb); 1612 1613 /* 1614 * Pass through unencrypted frames if the hardware has 1615 * decrypted them already. 1616 */ 1617 if (status->flag & RX_FLAG_DECRYPTED) 1618 return 0; 1619 1620 /* Drop unencrypted frames if key is set. */ 1621 if (unlikely(!ieee80211_has_protected(fc) && 1622 !ieee80211_is_nullfunc(fc) && 1623 ieee80211_is_data(fc) && 1624 (rx->key || rx->sdata->drop_unencrypted))) 1625 return -EACCES; 1626 1627 return 0; 1628 } 1629 1630 static int 1631 ieee80211_drop_unencrypted_mgmt(struct ieee80211_rx_data *rx) 1632 { 1633 struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)rx->skb->data; 1634 struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(rx->skb); 1635 __le16 fc = hdr->frame_control; 1636 1637 /* 1638 * Pass through unencrypted frames if the hardware has 1639 * decrypted them already. 1640 */ 1641 if (status->flag & RX_FLAG_DECRYPTED) 1642 return 0; 1643 1644 if (rx->sta && test_sta_flag(rx->sta, WLAN_STA_MFP)) { 1645 if (unlikely(!ieee80211_has_protected(fc) && 1646 ieee80211_is_unicast_robust_mgmt_frame(rx->skb) && 1647 rx->key)) { 1648 if (ieee80211_is_deauth(fc)) 1649 cfg80211_send_unprot_deauth(rx->sdata->dev, 1650 rx->skb->data, 1651 rx->skb->len); 1652 else if (ieee80211_is_disassoc(fc)) 1653 cfg80211_send_unprot_disassoc(rx->sdata->dev, 1654 rx->skb->data, 1655 rx->skb->len); 1656 return -EACCES; 1657 } 1658 /* BIP does not use Protected field, so need to check MMIE */ 1659 if (unlikely(ieee80211_is_multicast_robust_mgmt_frame(rx->skb) && 1660 ieee80211_get_mmie_keyidx(rx->skb) < 0)) { 1661 if (ieee80211_is_deauth(fc)) 1662 cfg80211_send_unprot_deauth(rx->sdata->dev, 1663 rx->skb->data, 1664 rx->skb->len); 1665 else if (ieee80211_is_disassoc(fc)) 1666 cfg80211_send_unprot_disassoc(rx->sdata->dev, 1667 rx->skb->data, 1668 rx->skb->len); 1669 return -EACCES; 1670 } 1671 /* 1672 * When using MFP, Action frames are not allowed prior to 1673 * having configured keys. 1674 */ 1675 if (unlikely(ieee80211_is_action(fc) && !rx->key && 1676 ieee80211_is_robust_mgmt_frame( 1677 (struct ieee80211_hdr *) rx->skb->data))) 1678 return -EACCES; 1679 } 1680 1681 return 0; 1682 } 1683 1684 static int 1685 __ieee80211_data_to_8023(struct ieee80211_rx_data *rx, bool *port_control) 1686 { 1687 struct ieee80211_sub_if_data *sdata = rx->sdata; 1688 struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)rx->skb->data; 1689 bool check_port_control = false; 1690 struct ethhdr *ehdr; 1691 int ret; 1692 1693 *port_control = false; 1694 if (ieee80211_has_a4(hdr->frame_control) && 1695 sdata->vif.type == NL80211_IFTYPE_AP_VLAN && !sdata->u.vlan.sta) 1696 return -1; 1697 1698 if (sdata->vif.type == NL80211_IFTYPE_STATION && 1699 !!sdata->u.mgd.use_4addr != !!ieee80211_has_a4(hdr->frame_control)) { 1700 1701 if (!sdata->u.mgd.use_4addr) 1702 return -1; 1703 else 1704 check_port_control = true; 1705 } 1706 1707 if (is_multicast_ether_addr(hdr->addr1) && 1708 sdata->vif.type == NL80211_IFTYPE_AP_VLAN && sdata->u.vlan.sta) 1709 return -1; 1710 1711 ret = ieee80211_data_to_8023(rx->skb, sdata->vif.addr, sdata->vif.type); 1712 if (ret < 0) 1713 return ret; 1714 1715 ehdr = (struct ethhdr *) rx->skb->data; 1716 if (ehdr->h_proto == rx->sdata->control_port_protocol) 1717 *port_control = true; 1718 else if (check_port_control) 1719 return -1; 1720 1721 return 0; 1722 } 1723 1724 /* 1725 * requires that rx->skb is a frame with ethernet header 1726 */ 1727 static bool ieee80211_frame_allowed(struct ieee80211_rx_data *rx, __le16 fc) 1728 { 1729 static const u8 pae_group_addr[ETH_ALEN] __aligned(2) 1730 = { 0x01, 0x80, 0xC2, 0x00, 0x00, 0x03 }; 1731 struct ethhdr *ehdr = (struct ethhdr *) rx->skb->data; 1732 1733 /* 1734 * Allow EAPOL frames to us/the PAE group address regardless 1735 * of whether the frame was encrypted or not. 1736 */ 1737 if (ehdr->h_proto == rx->sdata->control_port_protocol && 1738 (compare_ether_addr(ehdr->h_dest, rx->sdata->vif.addr) == 0 || 1739 compare_ether_addr(ehdr->h_dest, pae_group_addr) == 0)) 1740 return true; 1741 1742 if (ieee80211_802_1x_port_control(rx) || 1743 ieee80211_drop_unencrypted(rx, fc)) 1744 return false; 1745 1746 return true; 1747 } 1748 1749 /* 1750 * requires that rx->skb is a frame with ethernet header 1751 */ 1752 static void 1753 ieee80211_deliver_skb(struct ieee80211_rx_data *rx) 1754 { 1755 struct ieee80211_sub_if_data *sdata = rx->sdata; 1756 struct net_device *dev = sdata->dev; 1757 struct sk_buff *skb, *xmit_skb; 1758 struct ethhdr *ehdr = (struct ethhdr *) rx->skb->data; 1759 struct sta_info *dsta; 1760 struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(rx->skb); 1761 1762 skb = rx->skb; 1763 xmit_skb = NULL; 1764 1765 if ((sdata->vif.type == NL80211_IFTYPE_AP || 1766 sdata->vif.type == NL80211_IFTYPE_AP_VLAN) && 1767 !(sdata->flags & IEEE80211_SDATA_DONT_BRIDGE_PACKETS) && 1768 (status->rx_flags & IEEE80211_RX_RA_MATCH) && 1769 (sdata->vif.type != NL80211_IFTYPE_AP_VLAN || !sdata->u.vlan.sta)) { 1770 if (is_multicast_ether_addr(ehdr->h_dest)) { 1771 /* 1772 * send multicast frames both to higher layers in 1773 * local net stack and back to the wireless medium 1774 */ 1775 xmit_skb = skb_copy(skb, GFP_ATOMIC); 1776 if (!xmit_skb && net_ratelimit()) 1777 printk(KERN_DEBUG "%s: failed to clone " 1778 "multicast frame\n", dev->name); 1779 } else { 1780 dsta = sta_info_get(sdata, skb->data); 1781 if (dsta) { 1782 /* 1783 * The destination station is associated to 1784 * this AP (in this VLAN), so send the frame 1785 * directly to it and do not pass it to local 1786 * net stack. 1787 */ 1788 xmit_skb = skb; 1789 skb = NULL; 1790 } 1791 } 1792 } 1793 1794 if (skb) { 1795 int align __maybe_unused; 1796 1797 #ifndef CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS 1798 /* 1799 * 'align' will only take the values 0 or 2 here 1800 * since all frames are required to be aligned 1801 * to 2-byte boundaries when being passed to 1802 * mac80211. That also explains the __skb_push() 1803 * below. 1804 */ 1805 align = ((unsigned long)(skb->data + sizeof(struct ethhdr))) & 3; 1806 if (align) { 1807 if (WARN_ON(skb_headroom(skb) < 3)) { 1808 dev_kfree_skb(skb); 1809 skb = NULL; 1810 } else { 1811 u8 *data = skb->data; 1812 size_t len = skb_headlen(skb); 1813 skb->data -= align; 1814 memmove(skb->data, data, len); 1815 skb_set_tail_pointer(skb, len); 1816 } 1817 } 1818 #endif 1819 1820 if (skb) { 1821 /* deliver to local stack */ 1822 skb->protocol = eth_type_trans(skb, dev); 1823 memset(skb->cb, 0, sizeof(skb->cb)); 1824 netif_receive_skb(skb); 1825 } 1826 } 1827 1828 if (xmit_skb) { 1829 /* send to wireless media */ 1830 xmit_skb->protocol = htons(ETH_P_802_3); 1831 skb_reset_network_header(xmit_skb); 1832 skb_reset_mac_header(xmit_skb); 1833 dev_queue_xmit(xmit_skb); 1834 } 1835 } 1836 1837 static ieee80211_rx_result debug_noinline 1838 ieee80211_rx_h_amsdu(struct ieee80211_rx_data *rx) 1839 { 1840 struct net_device *dev = rx->sdata->dev; 1841 struct sk_buff *skb = rx->skb; 1842 struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)skb->data; 1843 __le16 fc = hdr->frame_control; 1844 struct sk_buff_head frame_list; 1845 struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(rx->skb); 1846 1847 if (unlikely(!ieee80211_is_data(fc))) 1848 return RX_CONTINUE; 1849 1850 if (unlikely(!ieee80211_is_data_present(fc))) 1851 return RX_DROP_MONITOR; 1852 1853 if (!(status->rx_flags & IEEE80211_RX_AMSDU)) 1854 return RX_CONTINUE; 1855 1856 if (ieee80211_has_a4(hdr->frame_control) && 1857 rx->sdata->vif.type == NL80211_IFTYPE_AP_VLAN && 1858 !rx->sdata->u.vlan.sta) 1859 return RX_DROP_UNUSABLE; 1860 1861 if (is_multicast_ether_addr(hdr->addr1) && 1862 ((rx->sdata->vif.type == NL80211_IFTYPE_AP_VLAN && 1863 rx->sdata->u.vlan.sta) || 1864 (rx->sdata->vif.type == NL80211_IFTYPE_STATION && 1865 rx->sdata->u.mgd.use_4addr))) 1866 return RX_DROP_UNUSABLE; 1867 1868 skb->dev = dev; 1869 __skb_queue_head_init(&frame_list); 1870 1871 if (skb_linearize(skb)) 1872 return RX_DROP_UNUSABLE; 1873 1874 ieee80211_amsdu_to_8023s(skb, &frame_list, dev->dev_addr, 1875 rx->sdata->vif.type, 1876 rx->local->hw.extra_tx_headroom, true); 1877 1878 while (!skb_queue_empty(&frame_list)) { 1879 rx->skb = __skb_dequeue(&frame_list); 1880 1881 if (!ieee80211_frame_allowed(rx, fc)) { 1882 dev_kfree_skb(rx->skb); 1883 continue; 1884 } 1885 dev->stats.rx_packets++; 1886 dev->stats.rx_bytes += rx->skb->len; 1887 1888 ieee80211_deliver_skb(rx); 1889 } 1890 1891 return RX_QUEUED; 1892 } 1893 1894 #ifdef CONFIG_MAC80211_MESH 1895 static ieee80211_rx_result 1896 ieee80211_rx_h_mesh_fwding(struct ieee80211_rx_data *rx) 1897 { 1898 struct ieee80211_hdr *fwd_hdr, *hdr; 1899 struct ieee80211_tx_info *info; 1900 struct ieee80211s_hdr *mesh_hdr; 1901 struct sk_buff *skb = rx->skb, *fwd_skb; 1902 struct ieee80211_local *local = rx->local; 1903 struct ieee80211_sub_if_data *sdata = rx->sdata; 1904 struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(skb); 1905 struct ieee80211_if_mesh *ifmsh = &sdata->u.mesh; 1906 __le16 reason = cpu_to_le16(WLAN_REASON_MESH_PATH_NOFORWARD); 1907 u16 q, hdrlen; 1908 1909 hdr = (struct ieee80211_hdr *) skb->data; 1910 hdrlen = ieee80211_hdrlen(hdr->frame_control); 1911 mesh_hdr = (struct ieee80211s_hdr *) (skb->data + hdrlen); 1912 1913 /* frame is in RMC, don't forward */ 1914 if (ieee80211_is_data(hdr->frame_control) && 1915 is_multicast_ether_addr(hdr->addr1) && 1916 mesh_rmc_check(hdr->addr3, mesh_hdr, rx->sdata)) 1917 return RX_DROP_MONITOR; 1918 1919 if (!ieee80211_is_data(hdr->frame_control)) 1920 return RX_CONTINUE; 1921 1922 if (!mesh_hdr->ttl) 1923 return RX_DROP_MONITOR; 1924 1925 if (mesh_hdr->flags & MESH_FLAGS_AE) { 1926 struct mesh_path *mppath; 1927 char *proxied_addr; 1928 char *mpp_addr; 1929 1930 if (is_multicast_ether_addr(hdr->addr1)) { 1931 mpp_addr = hdr->addr3; 1932 proxied_addr = mesh_hdr->eaddr1; 1933 } else { 1934 mpp_addr = hdr->addr4; 1935 proxied_addr = mesh_hdr->eaddr2; 1936 } 1937 1938 rcu_read_lock(); 1939 mppath = mpp_path_lookup(proxied_addr, sdata); 1940 if (!mppath) { 1941 mpp_path_add(proxied_addr, mpp_addr, sdata); 1942 } else { 1943 spin_lock_bh(&mppath->state_lock); 1944 if (compare_ether_addr(mppath->mpp, mpp_addr) != 0) 1945 memcpy(mppath->mpp, mpp_addr, ETH_ALEN); 1946 spin_unlock_bh(&mppath->state_lock); 1947 } 1948 rcu_read_unlock(); 1949 } 1950 1951 /* Frame has reached destination. Don't forward */ 1952 if (!is_multicast_ether_addr(hdr->addr1) && 1953 compare_ether_addr(sdata->vif.addr, hdr->addr3) == 0) 1954 return RX_CONTINUE; 1955 1956 q = ieee80211_select_queue_80211(local, skb, hdr); 1957 if (ieee80211_queue_stopped(&local->hw, q)) { 1958 IEEE80211_IFSTA_MESH_CTR_INC(ifmsh, dropped_frames_congestion); 1959 return RX_DROP_MONITOR; 1960 } 1961 skb_set_queue_mapping(skb, q); 1962 1963 if (!(status->rx_flags & IEEE80211_RX_RA_MATCH)) 1964 goto out; 1965 1966 if (!--mesh_hdr->ttl) { 1967 IEEE80211_IFSTA_MESH_CTR_INC(ifmsh, dropped_frames_ttl); 1968 return RX_DROP_MONITOR; 1969 } 1970 1971 fwd_skb = skb_copy(skb, GFP_ATOMIC); 1972 if (!fwd_skb) { 1973 if (net_ratelimit()) 1974 printk(KERN_DEBUG "%s: failed to clone mesh frame\n", 1975 sdata->name); 1976 goto out; 1977 } 1978 1979 fwd_hdr = (struct ieee80211_hdr *) fwd_skb->data; 1980 info = IEEE80211_SKB_CB(fwd_skb); 1981 memset(info, 0, sizeof(*info)); 1982 info->flags |= IEEE80211_TX_INTFL_NEED_TXPROCESSING; 1983 info->control.vif = &rx->sdata->vif; 1984 info->control.jiffies = jiffies; 1985 if (is_multicast_ether_addr(fwd_hdr->addr1)) { 1986 IEEE80211_IFSTA_MESH_CTR_INC(ifmsh, fwded_mcast); 1987 memcpy(fwd_hdr->addr2, sdata->vif.addr, ETH_ALEN); 1988 } else if (!mesh_nexthop_lookup(fwd_skb, sdata)) { 1989 IEEE80211_IFSTA_MESH_CTR_INC(ifmsh, fwded_unicast); 1990 } else { 1991 /* unable to resolve next hop */ 1992 mesh_path_error_tx(ifmsh->mshcfg.element_ttl, fwd_hdr->addr3, 1993 0, reason, fwd_hdr->addr2, sdata); 1994 IEEE80211_IFSTA_MESH_CTR_INC(ifmsh, dropped_frames_no_route); 1995 return RX_DROP_MONITOR; 1996 } 1997 1998 IEEE80211_IFSTA_MESH_CTR_INC(ifmsh, fwded_frames); 1999 ieee80211_add_pending_skb(local, fwd_skb); 2000 out: 2001 if (is_multicast_ether_addr(hdr->addr1) || 2002 sdata->dev->flags & IFF_PROMISC) 2003 return RX_CONTINUE; 2004 else 2005 return RX_DROP_MONITOR; 2006 } 2007 #endif 2008 2009 static ieee80211_rx_result debug_noinline 2010 ieee80211_rx_h_data(struct ieee80211_rx_data *rx) 2011 { 2012 struct ieee80211_sub_if_data *sdata = rx->sdata; 2013 struct ieee80211_local *local = rx->local; 2014 struct net_device *dev = sdata->dev; 2015 struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)rx->skb->data; 2016 __le16 fc = hdr->frame_control; 2017 bool port_control; 2018 int err; 2019 2020 if (unlikely(!ieee80211_is_data(hdr->frame_control))) 2021 return RX_CONTINUE; 2022 2023 if (unlikely(!ieee80211_is_data_present(hdr->frame_control))) 2024 return RX_DROP_MONITOR; 2025 2026 /* 2027 * Send unexpected-4addr-frame event to hostapd. For older versions, 2028 * also drop the frame to cooked monitor interfaces. 2029 */ 2030 if (ieee80211_has_a4(hdr->frame_control) && 2031 sdata->vif.type == NL80211_IFTYPE_AP) { 2032 if (rx->sta && 2033 !test_and_set_sta_flag(rx->sta, WLAN_STA_4ADDR_EVENT)) 2034 cfg80211_rx_unexpected_4addr_frame( 2035 rx->sdata->dev, rx->sta->sta.addr, GFP_ATOMIC); 2036 return RX_DROP_MONITOR; 2037 } 2038 2039 err = __ieee80211_data_to_8023(rx, &port_control); 2040 if (unlikely(err)) 2041 return RX_DROP_UNUSABLE; 2042 2043 if (!ieee80211_frame_allowed(rx, fc)) 2044 return RX_DROP_MONITOR; 2045 2046 if (rx->sdata->vif.type == NL80211_IFTYPE_AP_VLAN && 2047 unlikely(port_control) && sdata->bss) { 2048 sdata = container_of(sdata->bss, struct ieee80211_sub_if_data, 2049 u.ap); 2050 dev = sdata->dev; 2051 rx->sdata = sdata; 2052 } 2053 2054 rx->skb->dev = dev; 2055 2056 dev->stats.rx_packets++; 2057 dev->stats.rx_bytes += rx->skb->len; 2058 2059 if (local->ps_sdata && local->hw.conf.dynamic_ps_timeout > 0 && 2060 !is_multicast_ether_addr( 2061 ((struct ethhdr *)rx->skb->data)->h_dest) && 2062 (!local->scanning && 2063 !test_bit(SDATA_STATE_OFFCHANNEL, &sdata->state))) { 2064 mod_timer(&local->dynamic_ps_timer, jiffies + 2065 msecs_to_jiffies(local->hw.conf.dynamic_ps_timeout)); 2066 } 2067 2068 ieee80211_deliver_skb(rx); 2069 2070 return RX_QUEUED; 2071 } 2072 2073 static ieee80211_rx_result debug_noinline 2074 ieee80211_rx_h_ctrl(struct ieee80211_rx_data *rx) 2075 { 2076 struct ieee80211_local *local = rx->local; 2077 struct ieee80211_hw *hw = &local->hw; 2078 struct sk_buff *skb = rx->skb; 2079 struct ieee80211_bar *bar = (struct ieee80211_bar *)skb->data; 2080 struct tid_ampdu_rx *tid_agg_rx; 2081 u16 start_seq_num; 2082 u16 tid; 2083 2084 if (likely(!ieee80211_is_ctl(bar->frame_control))) 2085 return RX_CONTINUE; 2086 2087 if (ieee80211_is_back_req(bar->frame_control)) { 2088 struct { 2089 __le16 control, start_seq_num; 2090 } __packed bar_data; 2091 2092 if (!rx->sta) 2093 return RX_DROP_MONITOR; 2094 2095 if (skb_copy_bits(skb, offsetof(struct ieee80211_bar, control), 2096 &bar_data, sizeof(bar_data))) 2097 return RX_DROP_MONITOR; 2098 2099 tid = le16_to_cpu(bar_data.control) >> 12; 2100 2101 tid_agg_rx = rcu_dereference(rx->sta->ampdu_mlme.tid_rx[tid]); 2102 if (!tid_agg_rx) 2103 return RX_DROP_MONITOR; 2104 2105 start_seq_num = le16_to_cpu(bar_data.start_seq_num) >> 4; 2106 2107 /* reset session timer */ 2108 if (tid_agg_rx->timeout) 2109 mod_timer(&tid_agg_rx->session_timer, 2110 TU_TO_EXP_TIME(tid_agg_rx->timeout)); 2111 2112 spin_lock(&tid_agg_rx->reorder_lock); 2113 /* release stored frames up to start of BAR */ 2114 ieee80211_release_reorder_frames(hw, tid_agg_rx, start_seq_num); 2115 spin_unlock(&tid_agg_rx->reorder_lock); 2116 2117 kfree_skb(skb); 2118 return RX_QUEUED; 2119 } 2120 2121 /* 2122 * After this point, we only want management frames, 2123 * so we can drop all remaining control frames to 2124 * cooked monitor interfaces. 2125 */ 2126 return RX_DROP_MONITOR; 2127 } 2128 2129 static void ieee80211_process_sa_query_req(struct ieee80211_sub_if_data *sdata, 2130 struct ieee80211_mgmt *mgmt, 2131 size_t len) 2132 { 2133 struct ieee80211_local *local = sdata->local; 2134 struct sk_buff *skb; 2135 struct ieee80211_mgmt *resp; 2136 2137 if (compare_ether_addr(mgmt->da, sdata->vif.addr) != 0) { 2138 /* Not to own unicast address */ 2139 return; 2140 } 2141 2142 if (compare_ether_addr(mgmt->sa, sdata->u.mgd.bssid) != 0 || 2143 compare_ether_addr(mgmt->bssid, sdata->u.mgd.bssid) != 0) { 2144 /* Not from the current AP or not associated yet. */ 2145 return; 2146 } 2147 2148 if (len < 24 + 1 + sizeof(resp->u.action.u.sa_query)) { 2149 /* Too short SA Query request frame */ 2150 return; 2151 } 2152 2153 skb = dev_alloc_skb(sizeof(*resp) + local->hw.extra_tx_headroom); 2154 if (skb == NULL) 2155 return; 2156 2157 skb_reserve(skb, local->hw.extra_tx_headroom); 2158 resp = (struct ieee80211_mgmt *) skb_put(skb, 24); 2159 memset(resp, 0, 24); 2160 memcpy(resp->da, mgmt->sa, ETH_ALEN); 2161 memcpy(resp->sa, sdata->vif.addr, ETH_ALEN); 2162 memcpy(resp->bssid, sdata->u.mgd.bssid, ETH_ALEN); 2163 resp->frame_control = cpu_to_le16(IEEE80211_FTYPE_MGMT | 2164 IEEE80211_STYPE_ACTION); 2165 skb_put(skb, 1 + sizeof(resp->u.action.u.sa_query)); 2166 resp->u.action.category = WLAN_CATEGORY_SA_QUERY; 2167 resp->u.action.u.sa_query.action = WLAN_ACTION_SA_QUERY_RESPONSE; 2168 memcpy(resp->u.action.u.sa_query.trans_id, 2169 mgmt->u.action.u.sa_query.trans_id, 2170 WLAN_SA_QUERY_TR_ID_LEN); 2171 2172 ieee80211_tx_skb(sdata, skb); 2173 } 2174 2175 static ieee80211_rx_result debug_noinline 2176 ieee80211_rx_h_mgmt_check(struct ieee80211_rx_data *rx) 2177 { 2178 struct ieee80211_mgmt *mgmt = (struct ieee80211_mgmt *) rx->skb->data; 2179 struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(rx->skb); 2180 2181 /* 2182 * From here on, look only at management frames. 2183 * Data and control frames are already handled, 2184 * and unknown (reserved) frames are useless. 2185 */ 2186 if (rx->skb->len < 24) 2187 return RX_DROP_MONITOR; 2188 2189 if (!ieee80211_is_mgmt(mgmt->frame_control)) 2190 return RX_DROP_MONITOR; 2191 2192 if (rx->sdata->vif.type == NL80211_IFTYPE_AP && 2193 ieee80211_is_beacon(mgmt->frame_control) && 2194 !(rx->flags & IEEE80211_RX_BEACON_REPORTED)) { 2195 struct ieee80211_rx_status *status; 2196 2197 status = IEEE80211_SKB_RXCB(rx->skb); 2198 cfg80211_report_obss_beacon(rx->local->hw.wiphy, 2199 rx->skb->data, rx->skb->len, 2200 status->freq, GFP_ATOMIC); 2201 rx->flags |= IEEE80211_RX_BEACON_REPORTED; 2202 } 2203 2204 if (!(status->rx_flags & IEEE80211_RX_RA_MATCH)) 2205 return RX_DROP_MONITOR; 2206 2207 if (ieee80211_drop_unencrypted_mgmt(rx)) 2208 return RX_DROP_UNUSABLE; 2209 2210 return RX_CONTINUE; 2211 } 2212 2213 static ieee80211_rx_result debug_noinline 2214 ieee80211_rx_h_action(struct ieee80211_rx_data *rx) 2215 { 2216 struct ieee80211_local *local = rx->local; 2217 struct ieee80211_sub_if_data *sdata = rx->sdata; 2218 struct ieee80211_mgmt *mgmt = (struct ieee80211_mgmt *) rx->skb->data; 2219 struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(rx->skb); 2220 int len = rx->skb->len; 2221 2222 if (!ieee80211_is_action(mgmt->frame_control)) 2223 return RX_CONTINUE; 2224 2225 /* drop too small frames */ 2226 if (len < IEEE80211_MIN_ACTION_SIZE) 2227 return RX_DROP_UNUSABLE; 2228 2229 if (!rx->sta && mgmt->u.action.category != WLAN_CATEGORY_PUBLIC) 2230 return RX_DROP_UNUSABLE; 2231 2232 if (!(status->rx_flags & IEEE80211_RX_RA_MATCH)) 2233 return RX_DROP_UNUSABLE; 2234 2235 switch (mgmt->u.action.category) { 2236 case WLAN_CATEGORY_BACK: 2237 if (sdata->vif.type != NL80211_IFTYPE_STATION && 2238 sdata->vif.type != NL80211_IFTYPE_MESH_POINT && 2239 sdata->vif.type != NL80211_IFTYPE_AP_VLAN && 2240 sdata->vif.type != NL80211_IFTYPE_AP && 2241 sdata->vif.type != NL80211_IFTYPE_ADHOC) 2242 break; 2243 2244 /* verify action_code is present */ 2245 if (len < IEEE80211_MIN_ACTION_SIZE + 1) 2246 break; 2247 2248 switch (mgmt->u.action.u.addba_req.action_code) { 2249 case WLAN_ACTION_ADDBA_REQ: 2250 if (len < (IEEE80211_MIN_ACTION_SIZE + 2251 sizeof(mgmt->u.action.u.addba_req))) 2252 goto invalid; 2253 break; 2254 case WLAN_ACTION_ADDBA_RESP: 2255 if (len < (IEEE80211_MIN_ACTION_SIZE + 2256 sizeof(mgmt->u.action.u.addba_resp))) 2257 goto invalid; 2258 break; 2259 case WLAN_ACTION_DELBA: 2260 if (len < (IEEE80211_MIN_ACTION_SIZE + 2261 sizeof(mgmt->u.action.u.delba))) 2262 goto invalid; 2263 break; 2264 default: 2265 goto invalid; 2266 } 2267 2268 goto queue; 2269 case WLAN_CATEGORY_SPECTRUM_MGMT: 2270 if (local->hw.conf.channel->band != IEEE80211_BAND_5GHZ) 2271 break; 2272 2273 if (sdata->vif.type != NL80211_IFTYPE_STATION) 2274 break; 2275 2276 /* verify action_code is present */ 2277 if (len < IEEE80211_MIN_ACTION_SIZE + 1) 2278 break; 2279 2280 switch (mgmt->u.action.u.measurement.action_code) { 2281 case WLAN_ACTION_SPCT_MSR_REQ: 2282 if (len < (IEEE80211_MIN_ACTION_SIZE + 2283 sizeof(mgmt->u.action.u.measurement))) 2284 break; 2285 ieee80211_process_measurement_req(sdata, mgmt, len); 2286 goto handled; 2287 case WLAN_ACTION_SPCT_CHL_SWITCH: 2288 if (len < (IEEE80211_MIN_ACTION_SIZE + 2289 sizeof(mgmt->u.action.u.chan_switch))) 2290 break; 2291 2292 if (sdata->vif.type != NL80211_IFTYPE_STATION) 2293 break; 2294 2295 if (memcmp(mgmt->bssid, sdata->u.mgd.bssid, ETH_ALEN)) 2296 break; 2297 2298 goto queue; 2299 } 2300 break; 2301 case WLAN_CATEGORY_SA_QUERY: 2302 if (len < (IEEE80211_MIN_ACTION_SIZE + 2303 sizeof(mgmt->u.action.u.sa_query))) 2304 break; 2305 2306 switch (mgmt->u.action.u.sa_query.action) { 2307 case WLAN_ACTION_SA_QUERY_REQUEST: 2308 if (sdata->vif.type != NL80211_IFTYPE_STATION) 2309 break; 2310 ieee80211_process_sa_query_req(sdata, mgmt, len); 2311 goto handled; 2312 } 2313 break; 2314 case WLAN_CATEGORY_SELF_PROTECTED: 2315 switch (mgmt->u.action.u.self_prot.action_code) { 2316 case WLAN_SP_MESH_PEERING_OPEN: 2317 case WLAN_SP_MESH_PEERING_CLOSE: 2318 case WLAN_SP_MESH_PEERING_CONFIRM: 2319 if (!ieee80211_vif_is_mesh(&sdata->vif)) 2320 goto invalid; 2321 if (sdata->u.mesh.security != IEEE80211_MESH_SEC_NONE) 2322 /* userspace handles this frame */ 2323 break; 2324 goto queue; 2325 case WLAN_SP_MGK_INFORM: 2326 case WLAN_SP_MGK_ACK: 2327 if (!ieee80211_vif_is_mesh(&sdata->vif)) 2328 goto invalid; 2329 break; 2330 } 2331 break; 2332 case WLAN_CATEGORY_MESH_ACTION: 2333 if (!ieee80211_vif_is_mesh(&sdata->vif)) 2334 break; 2335 if (mesh_action_is_path_sel(mgmt) && 2336 (!mesh_path_sel_is_hwmp(sdata))) 2337 break; 2338 goto queue; 2339 } 2340 2341 return RX_CONTINUE; 2342 2343 invalid: 2344 status->rx_flags |= IEEE80211_RX_MALFORMED_ACTION_FRM; 2345 /* will return in the next handlers */ 2346 return RX_CONTINUE; 2347 2348 handled: 2349 if (rx->sta) 2350 rx->sta->rx_packets++; 2351 dev_kfree_skb(rx->skb); 2352 return RX_QUEUED; 2353 2354 queue: 2355 rx->skb->pkt_type = IEEE80211_SDATA_QUEUE_TYPE_FRAME; 2356 skb_queue_tail(&sdata->skb_queue, rx->skb); 2357 ieee80211_queue_work(&local->hw, &sdata->work); 2358 if (rx->sta) 2359 rx->sta->rx_packets++; 2360 return RX_QUEUED; 2361 } 2362 2363 static ieee80211_rx_result debug_noinline 2364 ieee80211_rx_h_userspace_mgmt(struct ieee80211_rx_data *rx) 2365 { 2366 struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(rx->skb); 2367 2368 /* skip known-bad action frames and return them in the next handler */ 2369 if (status->rx_flags & IEEE80211_RX_MALFORMED_ACTION_FRM) 2370 return RX_CONTINUE; 2371 2372 /* 2373 * Getting here means the kernel doesn't know how to handle 2374 * it, but maybe userspace does ... include returned frames 2375 * so userspace can register for those to know whether ones 2376 * it transmitted were processed or returned. 2377 */ 2378 2379 if (cfg80211_rx_mgmt(rx->sdata->dev, status->freq, 2380 rx->skb->data, rx->skb->len, 2381 GFP_ATOMIC)) { 2382 if (rx->sta) 2383 rx->sta->rx_packets++; 2384 dev_kfree_skb(rx->skb); 2385 return RX_QUEUED; 2386 } 2387 2388 2389 return RX_CONTINUE; 2390 } 2391 2392 static ieee80211_rx_result debug_noinline 2393 ieee80211_rx_h_action_return(struct ieee80211_rx_data *rx) 2394 { 2395 struct ieee80211_local *local = rx->local; 2396 struct ieee80211_mgmt *mgmt = (struct ieee80211_mgmt *) rx->skb->data; 2397 struct sk_buff *nskb; 2398 struct ieee80211_sub_if_data *sdata = rx->sdata; 2399 struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(rx->skb); 2400 2401 if (!ieee80211_is_action(mgmt->frame_control)) 2402 return RX_CONTINUE; 2403 2404 /* 2405 * For AP mode, hostapd is responsible for handling any action 2406 * frames that we didn't handle, including returning unknown 2407 * ones. For all other modes we will return them to the sender, 2408 * setting the 0x80 bit in the action category, as required by 2409 * 802.11-2007 7.3.1.11. 2410 * Newer versions of hostapd shall also use the management frame 2411 * registration mechanisms, but older ones still use cooked 2412 * monitor interfaces so push all frames there. 2413 */ 2414 if (!(status->rx_flags & IEEE80211_RX_MALFORMED_ACTION_FRM) && 2415 (sdata->vif.type == NL80211_IFTYPE_AP || 2416 sdata->vif.type == NL80211_IFTYPE_AP_VLAN)) 2417 return RX_DROP_MONITOR; 2418 2419 /* do not return rejected action frames */ 2420 if (mgmt->u.action.category & 0x80) 2421 return RX_DROP_UNUSABLE; 2422 2423 nskb = skb_copy_expand(rx->skb, local->hw.extra_tx_headroom, 0, 2424 GFP_ATOMIC); 2425 if (nskb) { 2426 struct ieee80211_mgmt *nmgmt = (void *)nskb->data; 2427 2428 nmgmt->u.action.category |= 0x80; 2429 memcpy(nmgmt->da, nmgmt->sa, ETH_ALEN); 2430 memcpy(nmgmt->sa, rx->sdata->vif.addr, ETH_ALEN); 2431 2432 memset(nskb->cb, 0, sizeof(nskb->cb)); 2433 2434 ieee80211_tx_skb(rx->sdata, nskb); 2435 } 2436 dev_kfree_skb(rx->skb); 2437 return RX_QUEUED; 2438 } 2439 2440 static ieee80211_rx_result debug_noinline 2441 ieee80211_rx_h_mgmt(struct ieee80211_rx_data *rx) 2442 { 2443 struct ieee80211_sub_if_data *sdata = rx->sdata; 2444 ieee80211_rx_result rxs; 2445 struct ieee80211_mgmt *mgmt = (void *)rx->skb->data; 2446 __le16 stype; 2447 2448 rxs = ieee80211_work_rx_mgmt(rx->sdata, rx->skb); 2449 if (rxs != RX_CONTINUE) 2450 return rxs; 2451 2452 stype = mgmt->frame_control & cpu_to_le16(IEEE80211_FCTL_STYPE); 2453 2454 if (!ieee80211_vif_is_mesh(&sdata->vif) && 2455 sdata->vif.type != NL80211_IFTYPE_ADHOC && 2456 sdata->vif.type != NL80211_IFTYPE_STATION) 2457 return RX_DROP_MONITOR; 2458 2459 switch (stype) { 2460 case cpu_to_le16(IEEE80211_STYPE_BEACON): 2461 case cpu_to_le16(IEEE80211_STYPE_PROBE_RESP): 2462 /* process for all: mesh, mlme, ibss */ 2463 break; 2464 case cpu_to_le16(IEEE80211_STYPE_DEAUTH): 2465 case cpu_to_le16(IEEE80211_STYPE_DISASSOC): 2466 if (is_multicast_ether_addr(mgmt->da) && 2467 !is_broadcast_ether_addr(mgmt->da)) 2468 return RX_DROP_MONITOR; 2469 2470 /* process only for station */ 2471 if (sdata->vif.type != NL80211_IFTYPE_STATION) 2472 return RX_DROP_MONITOR; 2473 break; 2474 case cpu_to_le16(IEEE80211_STYPE_PROBE_REQ): 2475 case cpu_to_le16(IEEE80211_STYPE_AUTH): 2476 /* process only for ibss */ 2477 if (sdata->vif.type != NL80211_IFTYPE_ADHOC) 2478 return RX_DROP_MONITOR; 2479 break; 2480 default: 2481 return RX_DROP_MONITOR; 2482 } 2483 2484 /* queue up frame and kick off work to process it */ 2485 rx->skb->pkt_type = IEEE80211_SDATA_QUEUE_TYPE_FRAME; 2486 skb_queue_tail(&sdata->skb_queue, rx->skb); 2487 ieee80211_queue_work(&rx->local->hw, &sdata->work); 2488 if (rx->sta) 2489 rx->sta->rx_packets++; 2490 2491 return RX_QUEUED; 2492 } 2493 2494 /* TODO: use IEEE80211_RX_FRAGMENTED */ 2495 static void ieee80211_rx_cooked_monitor(struct ieee80211_rx_data *rx, 2496 struct ieee80211_rate *rate) 2497 { 2498 struct ieee80211_sub_if_data *sdata; 2499 struct ieee80211_local *local = rx->local; 2500 struct ieee80211_rtap_hdr { 2501 struct ieee80211_radiotap_header hdr; 2502 u8 flags; 2503 u8 rate_or_pad; 2504 __le16 chan_freq; 2505 __le16 chan_flags; 2506 } __packed *rthdr; 2507 struct sk_buff *skb = rx->skb, *skb2; 2508 struct net_device *prev_dev = NULL; 2509 struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(skb); 2510 2511 /* 2512 * If cooked monitor has been processed already, then 2513 * don't do it again. If not, set the flag. 2514 */ 2515 if (rx->flags & IEEE80211_RX_CMNTR) 2516 goto out_free_skb; 2517 rx->flags |= IEEE80211_RX_CMNTR; 2518 2519 /* If there are no cooked monitor interfaces, just free the SKB */ 2520 if (!local->cooked_mntrs) 2521 goto out_free_skb; 2522 2523 if (skb_headroom(skb) < sizeof(*rthdr) && 2524 pskb_expand_head(skb, sizeof(*rthdr), 0, GFP_ATOMIC)) 2525 goto out_free_skb; 2526 2527 rthdr = (void *)skb_push(skb, sizeof(*rthdr)); 2528 memset(rthdr, 0, sizeof(*rthdr)); 2529 rthdr->hdr.it_len = cpu_to_le16(sizeof(*rthdr)); 2530 rthdr->hdr.it_present = 2531 cpu_to_le32((1 << IEEE80211_RADIOTAP_FLAGS) | 2532 (1 << IEEE80211_RADIOTAP_CHANNEL)); 2533 2534 if (rate) { 2535 rthdr->rate_or_pad = rate->bitrate / 5; 2536 rthdr->hdr.it_present |= 2537 cpu_to_le32(1 << IEEE80211_RADIOTAP_RATE); 2538 } 2539 rthdr->chan_freq = cpu_to_le16(status->freq); 2540 2541 if (status->band == IEEE80211_BAND_5GHZ) 2542 rthdr->chan_flags = cpu_to_le16(IEEE80211_CHAN_OFDM | 2543 IEEE80211_CHAN_5GHZ); 2544 else 2545 rthdr->chan_flags = cpu_to_le16(IEEE80211_CHAN_DYN | 2546 IEEE80211_CHAN_2GHZ); 2547 2548 skb_set_mac_header(skb, 0); 2549 skb->ip_summed = CHECKSUM_UNNECESSARY; 2550 skb->pkt_type = PACKET_OTHERHOST; 2551 skb->protocol = htons(ETH_P_802_2); 2552 2553 list_for_each_entry_rcu(sdata, &local->interfaces, list) { 2554 if (!ieee80211_sdata_running(sdata)) 2555 continue; 2556 2557 if (sdata->vif.type != NL80211_IFTYPE_MONITOR || 2558 !(sdata->u.mntr_flags & MONITOR_FLAG_COOK_FRAMES)) 2559 continue; 2560 2561 if (prev_dev) { 2562 skb2 = skb_clone(skb, GFP_ATOMIC); 2563 if (skb2) { 2564 skb2->dev = prev_dev; 2565 netif_receive_skb(skb2); 2566 } 2567 } 2568 2569 prev_dev = sdata->dev; 2570 sdata->dev->stats.rx_packets++; 2571 sdata->dev->stats.rx_bytes += skb->len; 2572 } 2573 2574 if (prev_dev) { 2575 skb->dev = prev_dev; 2576 netif_receive_skb(skb); 2577 return; 2578 } 2579 2580 out_free_skb: 2581 dev_kfree_skb(skb); 2582 } 2583 2584 static void ieee80211_rx_handlers_result(struct ieee80211_rx_data *rx, 2585 ieee80211_rx_result res) 2586 { 2587 switch (res) { 2588 case RX_DROP_MONITOR: 2589 I802_DEBUG_INC(rx->sdata->local->rx_handlers_drop); 2590 if (rx->sta) 2591 rx->sta->rx_dropped++; 2592 /* fall through */ 2593 case RX_CONTINUE: { 2594 struct ieee80211_rate *rate = NULL; 2595 struct ieee80211_supported_band *sband; 2596 struct ieee80211_rx_status *status; 2597 2598 status = IEEE80211_SKB_RXCB((rx->skb)); 2599 2600 sband = rx->local->hw.wiphy->bands[status->band]; 2601 if (!(status->flag & RX_FLAG_HT)) 2602 rate = &sband->bitrates[status->rate_idx]; 2603 2604 ieee80211_rx_cooked_monitor(rx, rate); 2605 break; 2606 } 2607 case RX_DROP_UNUSABLE: 2608 I802_DEBUG_INC(rx->sdata->local->rx_handlers_drop); 2609 if (rx->sta) 2610 rx->sta->rx_dropped++; 2611 dev_kfree_skb(rx->skb); 2612 break; 2613 case RX_QUEUED: 2614 I802_DEBUG_INC(rx->sdata->local->rx_handlers_queued); 2615 break; 2616 } 2617 } 2618 2619 static void ieee80211_rx_handlers(struct ieee80211_rx_data *rx) 2620 { 2621 ieee80211_rx_result res = RX_DROP_MONITOR; 2622 struct sk_buff *skb; 2623 2624 #define CALL_RXH(rxh) \ 2625 do { \ 2626 res = rxh(rx); \ 2627 if (res != RX_CONTINUE) \ 2628 goto rxh_next; \ 2629 } while (0); 2630 2631 spin_lock(&rx->local->rx_skb_queue.lock); 2632 if (rx->local->running_rx_handler) 2633 goto unlock; 2634 2635 rx->local->running_rx_handler = true; 2636 2637 while ((skb = __skb_dequeue(&rx->local->rx_skb_queue))) { 2638 spin_unlock(&rx->local->rx_skb_queue.lock); 2639 2640 /* 2641 * all the other fields are valid across frames 2642 * that belong to an aMPDU since they are on the 2643 * same TID from the same station 2644 */ 2645 rx->skb = skb; 2646 2647 CALL_RXH(ieee80211_rx_h_decrypt) 2648 CALL_RXH(ieee80211_rx_h_check_more_data) 2649 CALL_RXH(ieee80211_rx_h_uapsd_and_pspoll) 2650 CALL_RXH(ieee80211_rx_h_sta_process) 2651 CALL_RXH(ieee80211_rx_h_defragment) 2652 CALL_RXH(ieee80211_rx_h_michael_mic_verify) 2653 /* must be after MMIC verify so header is counted in MPDU mic */ 2654 #ifdef CONFIG_MAC80211_MESH 2655 if (ieee80211_vif_is_mesh(&rx->sdata->vif)) 2656 CALL_RXH(ieee80211_rx_h_mesh_fwding); 2657 #endif 2658 CALL_RXH(ieee80211_rx_h_remove_qos_control) 2659 CALL_RXH(ieee80211_rx_h_amsdu) 2660 CALL_RXH(ieee80211_rx_h_data) 2661 CALL_RXH(ieee80211_rx_h_ctrl); 2662 CALL_RXH(ieee80211_rx_h_mgmt_check) 2663 CALL_RXH(ieee80211_rx_h_action) 2664 CALL_RXH(ieee80211_rx_h_userspace_mgmt) 2665 CALL_RXH(ieee80211_rx_h_action_return) 2666 CALL_RXH(ieee80211_rx_h_mgmt) 2667 2668 rxh_next: 2669 ieee80211_rx_handlers_result(rx, res); 2670 spin_lock(&rx->local->rx_skb_queue.lock); 2671 #undef CALL_RXH 2672 } 2673 2674 rx->local->running_rx_handler = false; 2675 2676 unlock: 2677 spin_unlock(&rx->local->rx_skb_queue.lock); 2678 } 2679 2680 static void ieee80211_invoke_rx_handlers(struct ieee80211_rx_data *rx) 2681 { 2682 ieee80211_rx_result res = RX_DROP_MONITOR; 2683 2684 #define CALL_RXH(rxh) \ 2685 do { \ 2686 res = rxh(rx); \ 2687 if (res != RX_CONTINUE) \ 2688 goto rxh_next; \ 2689 } while (0); 2690 2691 CALL_RXH(ieee80211_rx_h_passive_scan) 2692 CALL_RXH(ieee80211_rx_h_check) 2693 2694 ieee80211_rx_reorder_ampdu(rx); 2695 2696 ieee80211_rx_handlers(rx); 2697 return; 2698 2699 rxh_next: 2700 ieee80211_rx_handlers_result(rx, res); 2701 2702 #undef CALL_RXH 2703 } 2704 2705 /* 2706 * This function makes calls into the RX path, therefore 2707 * it has to be invoked under RCU read lock. 2708 */ 2709 void ieee80211_release_reorder_timeout(struct sta_info *sta, int tid) 2710 { 2711 struct ieee80211_rx_data rx = { 2712 .sta = sta, 2713 .sdata = sta->sdata, 2714 .local = sta->local, 2715 /* This is OK -- must be QoS data frame */ 2716 .security_idx = tid, 2717 .seqno_idx = tid, 2718 .flags = 0, 2719 }; 2720 struct tid_ampdu_rx *tid_agg_rx; 2721 2722 tid_agg_rx = rcu_dereference(sta->ampdu_mlme.tid_rx[tid]); 2723 if (!tid_agg_rx) 2724 return; 2725 2726 spin_lock(&tid_agg_rx->reorder_lock); 2727 ieee80211_sta_reorder_release(&sta->local->hw, tid_agg_rx); 2728 spin_unlock(&tid_agg_rx->reorder_lock); 2729 2730 ieee80211_rx_handlers(&rx); 2731 } 2732 2733 /* main receive path */ 2734 2735 static int prepare_for_handlers(struct ieee80211_rx_data *rx, 2736 struct ieee80211_hdr *hdr) 2737 { 2738 struct ieee80211_sub_if_data *sdata = rx->sdata; 2739 struct sk_buff *skb = rx->skb; 2740 struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(skb); 2741 u8 *bssid = ieee80211_get_bssid(hdr, skb->len, sdata->vif.type); 2742 int multicast = is_multicast_ether_addr(hdr->addr1); 2743 2744 switch (sdata->vif.type) { 2745 case NL80211_IFTYPE_STATION: 2746 if (!bssid && !sdata->u.mgd.use_4addr) 2747 return 0; 2748 if (!multicast && 2749 compare_ether_addr(sdata->vif.addr, hdr->addr1) != 0) { 2750 if (!(sdata->dev->flags & IFF_PROMISC) || 2751 sdata->u.mgd.use_4addr) 2752 return 0; 2753 status->rx_flags &= ~IEEE80211_RX_RA_MATCH; 2754 } 2755 break; 2756 case NL80211_IFTYPE_ADHOC: 2757 if (!bssid) 2758 return 0; 2759 if (ieee80211_is_beacon(hdr->frame_control)) { 2760 return 1; 2761 } 2762 else if (!ieee80211_bssid_match(bssid, sdata->u.ibss.bssid)) { 2763 if (!(status->rx_flags & IEEE80211_RX_IN_SCAN)) 2764 return 0; 2765 status->rx_flags &= ~IEEE80211_RX_RA_MATCH; 2766 } else if (!multicast && 2767 compare_ether_addr(sdata->vif.addr, 2768 hdr->addr1) != 0) { 2769 if (!(sdata->dev->flags & IFF_PROMISC)) 2770 return 0; 2771 status->rx_flags &= ~IEEE80211_RX_RA_MATCH; 2772 } else if (!rx->sta) { 2773 int rate_idx; 2774 if (status->flag & RX_FLAG_HT) 2775 rate_idx = 0; /* TODO: HT rates */ 2776 else 2777 rate_idx = status->rate_idx; 2778 ieee80211_ibss_rx_no_sta(sdata, bssid, hdr->addr2, 2779 BIT(rate_idx)); 2780 } 2781 break; 2782 case NL80211_IFTYPE_MESH_POINT: 2783 if (!multicast && 2784 compare_ether_addr(sdata->vif.addr, 2785 hdr->addr1) != 0) { 2786 if (!(sdata->dev->flags & IFF_PROMISC)) 2787 return 0; 2788 2789 status->rx_flags &= ~IEEE80211_RX_RA_MATCH; 2790 } 2791 break; 2792 case NL80211_IFTYPE_AP_VLAN: 2793 case NL80211_IFTYPE_AP: 2794 if (!bssid) { 2795 if (compare_ether_addr(sdata->vif.addr, 2796 hdr->addr1)) 2797 return 0; 2798 } else if (!ieee80211_bssid_match(bssid, 2799 sdata->vif.addr)) { 2800 /* 2801 * Accept public action frames even when the 2802 * BSSID doesn't match, this is used for P2P 2803 * and location updates. Note that mac80211 2804 * itself never looks at these frames. 2805 */ 2806 if (!(status->rx_flags & IEEE80211_RX_IN_SCAN) && 2807 ieee80211_is_public_action(hdr, skb->len)) 2808 return 1; 2809 if (!(status->rx_flags & IEEE80211_RX_IN_SCAN) && 2810 !ieee80211_is_beacon(hdr->frame_control)) 2811 return 0; 2812 status->rx_flags &= ~IEEE80211_RX_RA_MATCH; 2813 } 2814 break; 2815 case NL80211_IFTYPE_WDS: 2816 if (bssid || !ieee80211_is_data(hdr->frame_control)) 2817 return 0; 2818 if (compare_ether_addr(sdata->u.wds.remote_addr, hdr->addr2)) 2819 return 0; 2820 break; 2821 default: 2822 /* should never get here */ 2823 WARN_ON(1); 2824 break; 2825 } 2826 2827 return 1; 2828 } 2829 2830 /* 2831 * This function returns whether or not the SKB 2832 * was destined for RX processing or not, which, 2833 * if consume is true, is equivalent to whether 2834 * or not the skb was consumed. 2835 */ 2836 static bool ieee80211_prepare_and_rx_handle(struct ieee80211_rx_data *rx, 2837 struct sk_buff *skb, bool consume) 2838 { 2839 struct ieee80211_local *local = rx->local; 2840 struct ieee80211_sub_if_data *sdata = rx->sdata; 2841 struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(skb); 2842 struct ieee80211_hdr *hdr = (void *)skb->data; 2843 int prepares; 2844 2845 rx->skb = skb; 2846 status->rx_flags |= IEEE80211_RX_RA_MATCH; 2847 prepares = prepare_for_handlers(rx, hdr); 2848 2849 if (!prepares) 2850 return false; 2851 2852 if (!consume) { 2853 skb = skb_copy(skb, GFP_ATOMIC); 2854 if (!skb) { 2855 if (net_ratelimit()) 2856 wiphy_debug(local->hw.wiphy, 2857 "failed to copy skb for %s\n", 2858 sdata->name); 2859 return true; 2860 } 2861 2862 rx->skb = skb; 2863 } 2864 2865 ieee80211_invoke_rx_handlers(rx); 2866 return true; 2867 } 2868 2869 /* 2870 * This is the actual Rx frames handler. as it blongs to Rx path it must 2871 * be called with rcu_read_lock protection. 2872 */ 2873 static void __ieee80211_rx_handle_packet(struct ieee80211_hw *hw, 2874 struct sk_buff *skb) 2875 { 2876 struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(skb); 2877 struct ieee80211_local *local = hw_to_local(hw); 2878 struct ieee80211_sub_if_data *sdata; 2879 struct ieee80211_hdr *hdr; 2880 __le16 fc; 2881 struct ieee80211_rx_data rx; 2882 struct ieee80211_sub_if_data *prev; 2883 struct sta_info *sta, *tmp, *prev_sta; 2884 int err = 0; 2885 2886 fc = ((struct ieee80211_hdr *)skb->data)->frame_control; 2887 memset(&rx, 0, sizeof(rx)); 2888 rx.skb = skb; 2889 rx.local = local; 2890 2891 if (ieee80211_is_data(fc) || ieee80211_is_mgmt(fc)) 2892 local->dot11ReceivedFragmentCount++; 2893 2894 if (unlikely(test_bit(SCAN_HW_SCANNING, &local->scanning) || 2895 test_bit(SCAN_SW_SCANNING, &local->scanning))) 2896 status->rx_flags |= IEEE80211_RX_IN_SCAN; 2897 2898 if (ieee80211_is_mgmt(fc)) 2899 err = skb_linearize(skb); 2900 else 2901 err = !pskb_may_pull(skb, ieee80211_hdrlen(fc)); 2902 2903 if (err) { 2904 dev_kfree_skb(skb); 2905 return; 2906 } 2907 2908 hdr = (struct ieee80211_hdr *)skb->data; 2909 ieee80211_parse_qos(&rx); 2910 ieee80211_verify_alignment(&rx); 2911 2912 if (ieee80211_is_data(fc)) { 2913 prev_sta = NULL; 2914 2915 for_each_sta_info_rx(local, hdr->addr2, sta, tmp) { 2916 if (!prev_sta) { 2917 prev_sta = sta; 2918 continue; 2919 } 2920 2921 rx.sta = prev_sta; 2922 rx.sdata = prev_sta->sdata; 2923 ieee80211_prepare_and_rx_handle(&rx, skb, false); 2924 2925 prev_sta = sta; 2926 } 2927 2928 if (prev_sta) { 2929 rx.sta = prev_sta; 2930 rx.sdata = prev_sta->sdata; 2931 2932 if (ieee80211_prepare_and_rx_handle(&rx, skb, true)) 2933 return; 2934 goto out; 2935 } 2936 } 2937 2938 prev = NULL; 2939 2940 list_for_each_entry_rcu(sdata, &local->interfaces, list) { 2941 if (!ieee80211_sdata_running(sdata)) 2942 continue; 2943 2944 if (sdata->vif.type == NL80211_IFTYPE_MONITOR || 2945 sdata->vif.type == NL80211_IFTYPE_AP_VLAN) 2946 continue; 2947 2948 /* 2949 * frame is destined for this interface, but if it's 2950 * not also for the previous one we handle that after 2951 * the loop to avoid copying the SKB once too much 2952 */ 2953 2954 if (!prev) { 2955 prev = sdata; 2956 continue; 2957 } 2958 2959 rx.sta = sta_info_get_bss_rx(prev, hdr->addr2); 2960 rx.sdata = prev; 2961 ieee80211_prepare_and_rx_handle(&rx, skb, false); 2962 2963 prev = sdata; 2964 } 2965 2966 if (prev) { 2967 rx.sta = sta_info_get_bss_rx(prev, hdr->addr2); 2968 rx.sdata = prev; 2969 2970 if (ieee80211_prepare_and_rx_handle(&rx, skb, true)) 2971 return; 2972 } 2973 2974 out: 2975 dev_kfree_skb(skb); 2976 } 2977 2978 /* 2979 * This is the receive path handler. It is called by a low level driver when an 2980 * 802.11 MPDU is received from the hardware. 2981 */ 2982 void ieee80211_rx(struct ieee80211_hw *hw, struct sk_buff *skb) 2983 { 2984 struct ieee80211_local *local = hw_to_local(hw); 2985 struct ieee80211_rate *rate = NULL; 2986 struct ieee80211_supported_band *sband; 2987 struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(skb); 2988 2989 WARN_ON_ONCE(softirq_count() == 0); 2990 2991 if (WARN_ON(status->band < 0 || 2992 status->band >= IEEE80211_NUM_BANDS)) 2993 goto drop; 2994 2995 sband = local->hw.wiphy->bands[status->band]; 2996 if (WARN_ON(!sband)) 2997 goto drop; 2998 2999 /* 3000 * If we're suspending, it is possible although not too likely 3001 * that we'd be receiving frames after having already partially 3002 * quiesced the stack. We can't process such frames then since 3003 * that might, for example, cause stations to be added or other 3004 * driver callbacks be invoked. 3005 */ 3006 if (unlikely(local->quiescing || local->suspended)) 3007 goto drop; 3008 3009 /* 3010 * The same happens when we're not even started, 3011 * but that's worth a warning. 3012 */ 3013 if (WARN_ON(!local->started)) 3014 goto drop; 3015 3016 if (likely(!(status->flag & RX_FLAG_FAILED_PLCP_CRC))) { 3017 /* 3018 * Validate the rate, unless a PLCP error means that 3019 * we probably can't have a valid rate here anyway. 3020 */ 3021 3022 if (status->flag & RX_FLAG_HT) { 3023 /* 3024 * rate_idx is MCS index, which can be [0-76] 3025 * as documented on: 3026 * 3027 * http://wireless.kernel.org/en/developers/Documentation/ieee80211/802.11n 3028 * 3029 * Anything else would be some sort of driver or 3030 * hardware error. The driver should catch hardware 3031 * errors. 3032 */ 3033 if (WARN((status->rate_idx < 0 || 3034 status->rate_idx > 76), 3035 "Rate marked as an HT rate but passed " 3036 "status->rate_idx is not " 3037 "an MCS index [0-76]: %d (0x%02x)\n", 3038 status->rate_idx, 3039 status->rate_idx)) 3040 goto drop; 3041 } else { 3042 if (WARN_ON(status->rate_idx < 0 || 3043 status->rate_idx >= sband->n_bitrates)) 3044 goto drop; 3045 rate = &sband->bitrates[status->rate_idx]; 3046 } 3047 } 3048 3049 status->rx_flags = 0; 3050 3051 /* 3052 * key references and virtual interfaces are protected using RCU 3053 * and this requires that we are in a read-side RCU section during 3054 * receive processing 3055 */ 3056 rcu_read_lock(); 3057 3058 /* 3059 * Frames with failed FCS/PLCP checksum are not returned, 3060 * all other frames are returned without radiotap header 3061 * if it was previously present. 3062 * Also, frames with less than 16 bytes are dropped. 3063 */ 3064 skb = ieee80211_rx_monitor(local, skb, rate); 3065 if (!skb) { 3066 rcu_read_unlock(); 3067 return; 3068 } 3069 3070 ieee80211_tpt_led_trig_rx(local, 3071 ((struct ieee80211_hdr *)skb->data)->frame_control, 3072 skb->len); 3073 __ieee80211_rx_handle_packet(hw, skb); 3074 3075 rcu_read_unlock(); 3076 3077 return; 3078 drop: 3079 kfree_skb(skb); 3080 } 3081 EXPORT_SYMBOL(ieee80211_rx); 3082 3083 /* This is a version of the rx handler that can be called from hard irq 3084 * context. Post the skb on the queue and schedule the tasklet */ 3085 void ieee80211_rx_irqsafe(struct ieee80211_hw *hw, struct sk_buff *skb) 3086 { 3087 struct ieee80211_local *local = hw_to_local(hw); 3088 3089 BUILD_BUG_ON(sizeof(struct ieee80211_rx_status) > sizeof(skb->cb)); 3090 3091 skb->pkt_type = IEEE80211_RX_MSG; 3092 skb_queue_tail(&local->skb_queue, skb); 3093 tasklet_schedule(&local->tasklet); 3094 } 3095 EXPORT_SYMBOL(ieee80211_rx_irqsafe); 3096