rx.c 133.1 KB
Newer Older
1
// SPDX-License-Identifier: GPL-2.0-only
2 3 4 5
/*
 * Copyright 2002-2005, Instant802 Networks, Inc.
 * Copyright 2005-2006, Devicescape Software, Inc.
 * Copyright 2006-2007	Jiri Benc <jbenc@suse.cz>
6
 * Copyright 2007-2010	Johannes Berg <johannes@sipsolutions.net>
7
 * Copyright 2013-2014  Intel Mobile Communications GmbH
8
 * Copyright(c) 2015 - 2017 Intel Deutschland GmbH
9
 * Copyright (C) 2018-2020 Intel Corporation
10 11
 */

12
#include <linux/jiffies.h>
13
#include <linux/slab.h>
14 15 16 17
#include <linux/kernel.h>
#include <linux/skbuff.h>
#include <linux/netdevice.h>
#include <linux/etherdevice.h>
18
#include <linux/rcupdate.h>
19
#include <linux/export.h>
20
#include <linux/bitops.h>
21 22
#include <net/mac80211.h>
#include <net/ieee80211_radiotap.h>
23
#include <asm/unaligned.h>
24 25

#include "ieee80211_i.h"
26
#include "driver-ops.h"
J
Johannes Berg 已提交
27
#include "led.h"
28
#include "mesh.h"
29 30 31 32
#include "wep.h"
#include "wpa.h"
#include "tkip.h"
#include "wme.h"
33
#include "rate.h"
34

35 36 37 38 39 40 41 42 43 44
static inline void ieee80211_rx_stats(struct net_device *dev, u32 len)
{
	struct pcpu_sw_netstats *tstats = this_cpu_ptr(dev->tstats);

	u64_stats_update_begin(&tstats->syncp);
	tstats->rx_packets++;
	tstats->rx_bytes += len;
	u64_stats_update_end(&tstats->syncp);
}

45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89
static u8 *ieee80211_get_bssid(struct ieee80211_hdr *hdr, size_t len,
			       enum nl80211_iftype type)
{
	__le16 fc = hdr->frame_control;

	if (ieee80211_is_data(fc)) {
		if (len < 24) /* drop incorrect hdr len (data) */
			return NULL;

		if (ieee80211_has_a4(fc))
			return NULL;
		if (ieee80211_has_tods(fc))
			return hdr->addr1;
		if (ieee80211_has_fromds(fc))
			return hdr->addr2;

		return hdr->addr3;
	}

	if (ieee80211_is_mgmt(fc)) {
		if (len < 24) /* drop incorrect hdr len (mgmt) */
			return NULL;
		return hdr->addr3;
	}

	if (ieee80211_is_ctl(fc)) {
		if (ieee80211_is_pspoll(fc))
			return hdr->addr1;

		if (ieee80211_is_back_req(fc)) {
			switch (type) {
			case NL80211_IFTYPE_STATION:
				return hdr->addr2;
			case NL80211_IFTYPE_AP:
			case NL80211_IFTYPE_AP_VLAN:
				return hdr->addr1;
			default:
				break; /* fall through to the return */
			}
		}
	}

	return NULL;
}

90 91 92 93 94 95
/*
 * monitor mode reception
 *
 * This function cleans up the SKB, i.e. it removes all the stuff
 * only useful for monitoring.
 */
96 97 98
static struct sk_buff *ieee80211_clean_skb(struct sk_buff *skb,
					   unsigned int present_fcs_len,
					   unsigned int rtap_space)
99
{
100 101 102 103
	struct ieee80211_hdr *hdr;
	unsigned int hdrlen;
	__le16 fc;

104 105
	if (present_fcs_len)
		__pskb_trim(skb, skb->len - present_fcs_len);
106
	__pskb_pull(skb, rtap_space);
107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133

	hdr = (void *)skb->data;
	fc = hdr->frame_control;

	/*
	 * Remove the HT-Control field (if present) on management
	 * frames after we've sent the frame to monitoring. We
	 * (currently) don't need it, and don't properly parse
	 * frames with it present, due to the assumption of a
	 * fixed management header length.
	 */
	if (likely(!ieee80211_is_mgmt(fc) || !ieee80211_has_order(fc)))
		return skb;

	hdrlen = ieee80211_hdrlen(fc);
	hdr->frame_control &= ~cpu_to_le16(IEEE80211_FCTL_ORDER);

	if (!pskb_may_pull(skb, hdrlen)) {
		dev_kfree_skb(skb);
		return NULL;
	}

	memmove(skb->data + IEEE80211_HT_CTL_LEN, skb->data,
		hdrlen - IEEE80211_HT_CTL_LEN);
	__pskb_pull(skb, IEEE80211_HT_CTL_LEN);

	return skb;
134 135
}

136
static inline bool should_drop_frame(struct sk_buff *skb, int present_fcs_len,
137
				     unsigned int rtap_space)
138
{
139
	struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(skb);
140 141
	struct ieee80211_hdr *hdr;

142
	hdr = (void *)(skb->data + rtap_space);
143

144
	if (status->flag & (RX_FLAG_FAILED_FCS_CRC |
145
			    RX_FLAG_FAILED_PLCP_CRC |
146 147
			    RX_FLAG_ONLY_MONITOR |
			    RX_FLAG_NO_PSDU))
148 149
		return true;

150
	if (unlikely(skb->len < 16 + present_fcs_len + rtap_space))
151 152
		return true;

H
Harvey Harrison 已提交
153 154 155
	if (ieee80211_is_ctl(hdr->frame_control) &&
	    !ieee80211_is_pspoll(hdr->frame_control) &&
	    !ieee80211_is_back_req(hdr->frame_control))
156 157 158
		return true;

	return false;
159 160
}

161
static int
162 163 164
ieee80211_rx_radiotap_hdrlen(struct ieee80211_local *local,
			     struct ieee80211_rx_status *status,
			     struct sk_buff *skb)
165 166 167 168
{
	int len;

	/* always present fields */
169
	len = sizeof(struct ieee80211_radiotap_header) + 8;
170

171 172 173
	/* allocate extra bitmaps */
	if (status->chains)
		len += 4 * hweight8(status->chains);
174 175 176
	/* vendor presence bitmap */
	if (status->flag & RX_FLAG_RADIOTAP_VENDOR_DATA)
		len += 4;
177 178 179

	if (ieee80211_have_rx_timestamp(status)) {
		len = ALIGN(len, 8);
180
		len += 8;
181
	}
182
	if (ieee80211_hw_check(&local->hw, SIGNAL_DBM))
183 184
		len += 1;

185 186 187 188
	/* antenna field, if we don't have per-chain info */
	if (!status->chains)
		len += 1;

189 190
	/* padding for RX_FLAGS if necessary */
	len = ALIGN(len, 2);
191

192
	if (status->encoding == RX_ENC_HT) /* HT info */
193 194
		len += 3;

195
	if (status->flag & RX_FLAG_AMPDU_DETAILS) {
196
		len = ALIGN(len, 4);
197 198 199
		len += 8;
	}

200
	if (status->encoding == RX_ENC_VHT) {
201 202 203 204
		len = ALIGN(len, 2);
		len += 12;
	}

205 206 207 208 209
	if (local->hw.radiotap_timestamp.units_pos >= 0) {
		len = ALIGN(len, 8);
		len += 12;
	}

L
Luca Coelho 已提交
210 211 212 213 214 215 216 217 218 219 220 221 222 223
	if (status->encoding == RX_ENC_HE &&
	    status->flag & RX_FLAG_RADIOTAP_HE) {
		len = ALIGN(len, 2);
		len += 12;
		BUILD_BUG_ON(sizeof(struct ieee80211_radiotap_he) != 12);
	}

	if (status->encoding == RX_ENC_HE &&
	    status->flag & RX_FLAG_RADIOTAP_HE_MU) {
		len = ALIGN(len, 2);
		len += 12;
		BUILD_BUG_ON(sizeof(struct ieee80211_radiotap_he_mu) != 12);
	}

224 225 226
	if (status->flag & RX_FLAG_NO_PSDU)
		len += 1;

227 228 229 230 231 232
	if (status->flag & RX_FLAG_RADIOTAP_LSIG) {
		len = ALIGN(len, 2);
		len += 4;
		BUILD_BUG_ON(sizeof(struct ieee80211_radiotap_lsig) != 4);
	}

233 234 235 236 237
	if (status->chains) {
		/* antenna and antenna signal fields */
		len += 2 * hweight8(status->chains);
	}

238
	if (status->flag & RX_FLAG_RADIOTAP_VENDOR_DATA) {
239 240 241 242 243 244 245 246 247 248 249 250 251 252 253 254 255 256
		struct ieee80211_vendor_radiotap *rtap;
		int vendor_data_offset = 0;

		/*
		 * The position to look at depends on the existence (or non-
		 * existence) of other elements, so take that into account...
		 */
		if (status->flag & RX_FLAG_RADIOTAP_HE)
			vendor_data_offset +=
				sizeof(struct ieee80211_radiotap_he);
		if (status->flag & RX_FLAG_RADIOTAP_HE_MU)
			vendor_data_offset +=
				sizeof(struct ieee80211_radiotap_he_mu);
		if (status->flag & RX_FLAG_RADIOTAP_LSIG)
			vendor_data_offset +=
				sizeof(struct ieee80211_radiotap_lsig);

		rtap = (void *)&skb->data[vendor_data_offset];
257 258 259 260 261 262 263 264 265 266 267

		/* alignment for fixed 6-byte vendor data header */
		len = ALIGN(len, 2);
		/* vendor data header */
		len += 6;
		if (WARN_ON(rtap->align == 0))
			rtap->align = 1;
		len = ALIGN(len, rtap->align);
		len += rtap->len + rtap->pad;
	}

268 269 270
	return len;
}

271 272
static void ieee80211_handle_mu_mimo_mon(struct ieee80211_sub_if_data *sdata,
					 struct sk_buff *skb,
273
					 int rtap_space)
274 275 276 277 278
{
	struct {
		struct ieee80211_hdr_3addr hdr;
		u8 category;
		u8 action_code;
279
	} __packed __aligned(2) action;
280 281 282 283 284 285

	if (!sdata)
		return;

	BUILD_BUG_ON(sizeof(action) != IEEE80211_MIN_ACTION_SIZE + 1);

286
	if (skb->len < rtap_space + sizeof(action) +
287 288 289 290 291 292
		       VHT_MUMIMO_GROUPS_DATA_LEN)
		return;

	if (!is_valid_ether_addr(sdata->u.mntr.mu_follow_addr))
		return;

293
	skb_copy_bits(skb, rtap_space, &action, sizeof(action));
294 295 296 297 298 299 300 301 302 303 304 305 306 307 308 309 310 311 312 313 314

	if (!ieee80211_is_action(action.hdr.frame_control))
		return;

	if (action.category != WLAN_CATEGORY_VHT)
		return;

	if (action.action_code != WLAN_VHT_ACTION_GROUPID_MGMT)
		return;

	if (!ether_addr_equal(action.hdr.addr1, sdata->u.mntr.mu_follow_addr))
		return;

	skb = skb_copy(skb, GFP_ATOMIC);
	if (!skb)
		return;

	skb_queue_tail(&sdata->skb_queue, skb);
	ieee80211_queue_work(&sdata->local->hw, &sdata->work);
}

315
/*
316 317 318 319 320 321 322 323
 * ieee80211_add_rx_radiotap_header - add radiotap header
 *
 * add a radiotap header containing all the fields which the hardware provided.
 */
static void
ieee80211_add_rx_radiotap_header(struct ieee80211_local *local,
				 struct sk_buff *skb,
				 struct ieee80211_rate *rate,
324
				 int rtap_len, bool has_fcs)
325
{
326
	struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(skb);
327 328
	struct ieee80211_radiotap_header *rthdr;
	unsigned char *pos;
329 330
	__le32 *it_present;
	u32 it_present_val;
331
	u16 rx_flags = 0;
332
	u16 channel_flags = 0;
333 334
	int mpdulen, chain;
	unsigned long chains = status->chains;
335
	struct ieee80211_vendor_radiotap rtap = {};
L
Luca Coelho 已提交
336 337
	struct ieee80211_radiotap_he he = {};
	struct ieee80211_radiotap_he_mu he_mu = {};
338
	struct ieee80211_radiotap_lsig lsig = {};
L
Luca Coelho 已提交
339 340 341 342 343 344 345 346 347 348 349

	if (status->flag & RX_FLAG_RADIOTAP_HE) {
		he = *(struct ieee80211_radiotap_he *)skb->data;
		skb_pull(skb, sizeof(he));
		WARN_ON_ONCE(status->encoding != RX_ENC_HE);
	}

	if (status->flag & RX_FLAG_RADIOTAP_HE_MU) {
		he_mu = *(struct ieee80211_radiotap_he_mu *)skb->data;
		skb_pull(skb, sizeof(he_mu));
	}
350

351 352 353 354 355
	if (status->flag & RX_FLAG_RADIOTAP_LSIG) {
		lsig = *(struct ieee80211_radiotap_lsig *)skb->data;
		skb_pull(skb, sizeof(lsig));
	}

356 357 358 359 360
	if (status->flag & RX_FLAG_RADIOTAP_VENDOR_DATA) {
		rtap = *(struct ieee80211_vendor_radiotap *)skb->data;
		/* rtap.len and rtap.pad are undone immediately */
		skb_pull(skb, sizeof(rtap) + rtap.len + rtap.pad);
	}
361 362

	mpdulen = skb->len;
363
	if (!(has_fcs && ieee80211_hw_check(&local->hw, RX_INCLUDES_FCS)))
364
		mpdulen += FCS_LEN;
365

366
	rthdr = skb_push(skb, rtap_len);
367
	memset(rthdr, 0, rtap_len - rtap.len - rtap.pad);
368
	it_present = &rthdr->it_present;
369 370

	/* radiotap header, set always present flags */
371
	rthdr->it_len = cpu_to_le16(rtap_len);
372 373 374 375 376 377 378 379 380 381 382 383 384 385 386 387
	it_present_val = BIT(IEEE80211_RADIOTAP_FLAGS) |
			 BIT(IEEE80211_RADIOTAP_CHANNEL) |
			 BIT(IEEE80211_RADIOTAP_RX_FLAGS);

	if (!status->chains)
		it_present_val |= BIT(IEEE80211_RADIOTAP_ANTENNA);

	for_each_set_bit(chain, &chains, IEEE80211_MAX_CHAINS) {
		it_present_val |=
			BIT(IEEE80211_RADIOTAP_EXT) |
			BIT(IEEE80211_RADIOTAP_RADIOTAP_NAMESPACE);
		put_unaligned_le32(it_present_val, it_present);
		it_present++;
		it_present_val = BIT(IEEE80211_RADIOTAP_ANTENNA) |
				 BIT(IEEE80211_RADIOTAP_DBM_ANTSIGNAL);
	}
388

389 390 391 392 393 394 395 396
	if (status->flag & RX_FLAG_RADIOTAP_VENDOR_DATA) {
		it_present_val |= BIT(IEEE80211_RADIOTAP_VENDOR_NAMESPACE) |
				  BIT(IEEE80211_RADIOTAP_EXT);
		put_unaligned_le32(it_present_val, it_present);
		it_present++;
		it_present_val = rtap.present;
	}

397 398 399 400
	put_unaligned_le32(it_present_val, it_present);

	pos = (void *)(it_present + 1);

401 402 403
	/* the order of the following fields is important */

	/* IEEE80211_RADIOTAP_TSFT */
404
	if (ieee80211_have_rx_timestamp(status)) {
405 406 407
		/* padding */
		while ((pos - (u8 *)rthdr) & 7)
			*pos++ = 0;
408 409 410 411
		put_unaligned_le64(
			ieee80211_calculate_rx_timestamp(local, status,
							 mpdulen, 0),
			pos);
J
Johannes Berg 已提交
412
		rthdr->it_present |= cpu_to_le32(1 << IEEE80211_RADIOTAP_TSFT);
413 414 415 416
		pos += 8;
	}

	/* IEEE80211_RADIOTAP_FLAGS */
417
	if (has_fcs && ieee80211_hw_check(&local->hw, RX_INCLUDES_FCS))
418
		*pos |= IEEE80211_RADIOTAP_F_FCS;
J
Johannes Berg 已提交
419 420
	if (status->flag & (RX_FLAG_FAILED_FCS_CRC | RX_FLAG_FAILED_PLCP_CRC))
		*pos |= IEEE80211_RADIOTAP_F_BADFCS;
421
	if (status->enc_flags & RX_ENC_FLAG_SHORTPRE)
422
		*pos |= IEEE80211_RADIOTAP_F_SHORTPRE;
423 424 425
	pos++;

	/* IEEE80211_RADIOTAP_RATE */
426
	if (!rate || status->encoding != RX_ENC_LEGACY) {
427
		/*
428
		 * Without rate information don't add it. If we have,
429
		 * MCS information is a separate field in radiotap,
430 431
		 * added below. The byte here is needed as padding
		 * for the channel though, so initialise it to 0.
432 433
		 */
		*pos = 0;
434
	} else {
435
		int shift = 0;
436
		rthdr->it_present |= cpu_to_le32(1 << IEEE80211_RADIOTAP_RATE);
437
		if (status->bw == RATE_INFO_BW_10)
438
			shift = 1;
439
		else if (status->bw == RATE_INFO_BW_5)
440 441
			shift = 2;
		*pos = DIV_ROUND_UP(rate->bitrate, 5 * (1 << shift));
442
	}
443 444 445
	pos++;

	/* IEEE80211_RADIOTAP_CHANNEL */
446
	/* TODO: frequency offset in KHz */
447
	put_unaligned_le16(status->freq, pos);
448
	pos += 2;
449
	if (status->bw == RATE_INFO_BW_10)
450
		channel_flags |= IEEE80211_CHAN_HALF;
451
	else if (status->bw == RATE_INFO_BW_5)
452 453
		channel_flags |= IEEE80211_CHAN_QUARTER;

454 455
	if (status->band == NL80211_BAND_5GHZ ||
	    status->band == NL80211_BAND_6GHZ)
456
		channel_flags |= IEEE80211_CHAN_OFDM | IEEE80211_CHAN_5GHZ;
457
	else if (status->encoding != RX_ENC_LEGACY)
458
		channel_flags |= IEEE80211_CHAN_DYN | IEEE80211_CHAN_2GHZ;
459
	else if (rate && rate->flags & IEEE80211_RATE_ERP_G)
460
		channel_flags |= IEEE80211_CHAN_OFDM | IEEE80211_CHAN_2GHZ;
461
	else if (rate)
462
		channel_flags |= IEEE80211_CHAN_CCK | IEEE80211_CHAN_2GHZ;
463
	else
464 465
		channel_flags |= IEEE80211_CHAN_2GHZ;
	put_unaligned_le16(channel_flags, pos);
466 467 468
	pos += 2;

	/* IEEE80211_RADIOTAP_DBM_ANTSIGNAL */
469
	if (ieee80211_hw_check(&local->hw, SIGNAL_DBM) &&
470
	    !(status->flag & RX_FLAG_NO_SIGNAL_VAL)) {
471 472 473 474 475 476 477 478
		*pos = status->signal;
		rthdr->it_present |=
			cpu_to_le32(1 << IEEE80211_RADIOTAP_DBM_ANTSIGNAL);
		pos++;
	}

	/* IEEE80211_RADIOTAP_LOCK_QUALITY is missing */

479 480 481 482 483
	if (!status->chains) {
		/* IEEE80211_RADIOTAP_ANTENNA */
		*pos = status->antenna;
		pos++;
	}
484 485 486 487 488

	/* IEEE80211_RADIOTAP_DB_ANTNOISE is not used */

	/* IEEE80211_RADIOTAP_RX_FLAGS */
	/* ensure 2 byte alignment for the 2 byte field as required */
489
	if ((pos - (u8 *)rthdr) & 1)
490
		*pos++ = 0;
J
Johannes Berg 已提交
491
	if (status->flag & RX_FLAG_FAILED_PLCP_CRC)
492 493
		rx_flags |= IEEE80211_RADIOTAP_F_RX_BADPLCP;
	put_unaligned_le16(rx_flags, pos);
494
	pos += 2;
495

496
	if (status->encoding == RX_ENC_HT) {
497 498
		unsigned int stbc;

499
		rthdr->it_present |= cpu_to_le32(1 << IEEE80211_RADIOTAP_MCS);
500
		*pos++ = local->hw.radiotap_mcs_details;
501
		*pos = 0;
502
		if (status->enc_flags & RX_ENC_FLAG_SHORT_GI)
503
			*pos |= IEEE80211_RADIOTAP_MCS_SGI;
504
		if (status->bw == RATE_INFO_BW_40)
505
			*pos |= IEEE80211_RADIOTAP_MCS_BW_40;
506
		if (status->enc_flags & RX_ENC_FLAG_HT_GF)
507
			*pos |= IEEE80211_RADIOTAP_MCS_FMT_GF;
508
		if (status->enc_flags & RX_ENC_FLAG_LDPC)
509
			*pos |= IEEE80211_RADIOTAP_MCS_FEC_LDPC;
510
		stbc = (status->enc_flags & RX_ENC_FLAG_STBC_MASK) >> RX_ENC_FLAG_STBC_SHIFT;
511
		*pos |= stbc << IEEE80211_RADIOTAP_MCS_STBC_SHIFT;
512 513 514
		pos++;
		*pos++ = status->rate_idx;
	}
515 516 517 518 519 520 521 522 523 524 525 526 527 528 529 530 531 532 533

	if (status->flag & RX_FLAG_AMPDU_DETAILS) {
		u16 flags = 0;

		/* ensure 4 byte alignment */
		while ((pos - (u8 *)rthdr) & 3)
			pos++;
		rthdr->it_present |=
			cpu_to_le32(1 << IEEE80211_RADIOTAP_AMPDU_STATUS);
		put_unaligned_le32(status->ampdu_reference, pos);
		pos += 4;
		if (status->flag & RX_FLAG_AMPDU_LAST_KNOWN)
			flags |= IEEE80211_RADIOTAP_AMPDU_LAST_KNOWN;
		if (status->flag & RX_FLAG_AMPDU_IS_LAST)
			flags |= IEEE80211_RADIOTAP_AMPDU_IS_LAST;
		if (status->flag & RX_FLAG_AMPDU_DELIM_CRC_ERROR)
			flags |= IEEE80211_RADIOTAP_AMPDU_DELIM_CRC_ERR;
		if (status->flag & RX_FLAG_AMPDU_DELIM_CRC_KNOWN)
			flags |= IEEE80211_RADIOTAP_AMPDU_DELIM_CRC_KNOWN;
534 535 536 537
		if (status->flag & RX_FLAG_AMPDU_EOF_BIT_KNOWN)
			flags |= IEEE80211_RADIOTAP_AMPDU_EOF_KNOWN;
		if (status->flag & RX_FLAG_AMPDU_EOF_BIT)
			flags |= IEEE80211_RADIOTAP_AMPDU_EOF;
538 539 540 541 542 543 544 545
		put_unaligned_le16(flags, pos);
		pos += 2;
		if (status->flag & RX_FLAG_AMPDU_DELIM_CRC_KNOWN)
			*pos++ = status->ampdu_delimiter_crc;
		else
			*pos++ = 0;
		*pos++ = 0;
	}
546

547
	if (status->encoding == RX_ENC_VHT) {
548 549 550 551 552 553
		u16 known = local->hw.radiotap_vht_details;

		rthdr->it_present |= cpu_to_le32(1 << IEEE80211_RADIOTAP_VHT);
		put_unaligned_le16(known, pos);
		pos += 2;
		/* flags */
554
		if (status->enc_flags & RX_ENC_FLAG_SHORT_GI)
555
			*pos |= IEEE80211_RADIOTAP_VHT_FLAG_SGI;
556
		/* in VHT, STBC is binary */
557
		if (status->enc_flags & RX_ENC_FLAG_STBC_MASK)
558
			*pos |= IEEE80211_RADIOTAP_VHT_FLAG_STBC;
559
		if (status->enc_flags & RX_ENC_FLAG_BF)
560
			*pos |= IEEE80211_RADIOTAP_VHT_FLAG_BEAMFORMED;
561 562
		pos++;
		/* bandwidth */
563 564
		switch (status->bw) {
		case RATE_INFO_BW_80:
565
			*pos++ = 4;
566 567
			break;
		case RATE_INFO_BW_160:
568
			*pos++ = 11;
569 570
			break;
		case RATE_INFO_BW_40:
571
			*pos++ = 1;
572 573
			break;
		default:
574
			*pos++ = 0;
575
		}
576
		/* MCS/NSS */
577
		*pos = (status->rate_idx << 4) | status->nss;
578 579
		pos += 4;
		/* coding field */
580
		if (status->enc_flags & RX_ENC_FLAG_LDPC)
581
			*pos |= IEEE80211_RADIOTAP_CODING_LDPC_USER0;
582 583 584 585 586 587 588
		pos++;
		/* group ID */
		pos++;
		/* partial_aid */
		pos += 2;
	}

589 590 591 592 593 594 595 596 597 598 599 600 601 602 603 604 605 606 607 608 609 610 611 612 613
	if (local->hw.radiotap_timestamp.units_pos >= 0) {
		u16 accuracy = 0;
		u8 flags = IEEE80211_RADIOTAP_TIMESTAMP_FLAG_32BIT;

		rthdr->it_present |=
			cpu_to_le32(1 << IEEE80211_RADIOTAP_TIMESTAMP);

		/* ensure 8 byte alignment */
		while ((pos - (u8 *)rthdr) & 7)
			pos++;

		put_unaligned_le64(status->device_timestamp, pos);
		pos += sizeof(u64);

		if (local->hw.radiotap_timestamp.accuracy >= 0) {
			accuracy = local->hw.radiotap_timestamp.accuracy;
			flags |= IEEE80211_RADIOTAP_TIMESTAMP_FLAG_ACCURACY;
		}
		put_unaligned_le16(accuracy, pos);
		pos += sizeof(u16);

		*pos++ = local->hw.radiotap_timestamp.units_pos;
		*pos++ = flags;
	}

L
Luca Coelho 已提交
614 615
	if (status->encoding == RX_ENC_HE &&
	    status->flag & RX_FLAG_RADIOTAP_HE) {
616
#define HE_PREP(f, val)	le16_encode_bits(val, IEEE80211_RADIOTAP_HE_##f)
L
Luca Coelho 已提交
617 618 619 620 621 622 623 624 625 626 627 628 629 630 631 632 633 634 635 636 637 638 639 640 641 642 643 644 645 646 647 648 649 650 651 652 653 654 655 656 657 658 659 660 661 662 663 664 665 666 667 668 669 670 671 672 673 674 675 676 677 678 679 680 681 682 683 684 685 686 687 688 689 690 691 692 693 694 695 696

		if (status->enc_flags & RX_ENC_FLAG_STBC_MASK) {
			he.data6 |= HE_PREP(DATA6_NSTS,
					    FIELD_GET(RX_ENC_FLAG_STBC_MASK,
						      status->enc_flags));
			he.data3 |= HE_PREP(DATA3_STBC, 1);
		} else {
			he.data6 |= HE_PREP(DATA6_NSTS, status->nss);
		}

#define CHECK_GI(s) \
	BUILD_BUG_ON(IEEE80211_RADIOTAP_HE_DATA5_GI_##s != \
		     (int)NL80211_RATE_INFO_HE_GI_##s)

		CHECK_GI(0_8);
		CHECK_GI(1_6);
		CHECK_GI(3_2);

		he.data3 |= HE_PREP(DATA3_DATA_MCS, status->rate_idx);
		he.data3 |= HE_PREP(DATA3_DATA_DCM, status->he_dcm);
		he.data3 |= HE_PREP(DATA3_CODING,
				    !!(status->enc_flags & RX_ENC_FLAG_LDPC));

		he.data5 |= HE_PREP(DATA5_GI, status->he_gi);

		switch (status->bw) {
		case RATE_INFO_BW_20:
			he.data5 |= HE_PREP(DATA5_DATA_BW_RU_ALLOC,
					    IEEE80211_RADIOTAP_HE_DATA5_DATA_BW_RU_ALLOC_20MHZ);
			break;
		case RATE_INFO_BW_40:
			he.data5 |= HE_PREP(DATA5_DATA_BW_RU_ALLOC,
					    IEEE80211_RADIOTAP_HE_DATA5_DATA_BW_RU_ALLOC_40MHZ);
			break;
		case RATE_INFO_BW_80:
			he.data5 |= HE_PREP(DATA5_DATA_BW_RU_ALLOC,
					    IEEE80211_RADIOTAP_HE_DATA5_DATA_BW_RU_ALLOC_80MHZ);
			break;
		case RATE_INFO_BW_160:
			he.data5 |= HE_PREP(DATA5_DATA_BW_RU_ALLOC,
					    IEEE80211_RADIOTAP_HE_DATA5_DATA_BW_RU_ALLOC_160MHZ);
			break;
		case RATE_INFO_BW_HE_RU:
#define CHECK_RU_ALLOC(s) \
	BUILD_BUG_ON(IEEE80211_RADIOTAP_HE_DATA5_DATA_BW_RU_ALLOC_##s##T != \
		     NL80211_RATE_INFO_HE_RU_ALLOC_##s + 4)

			CHECK_RU_ALLOC(26);
			CHECK_RU_ALLOC(52);
			CHECK_RU_ALLOC(106);
			CHECK_RU_ALLOC(242);
			CHECK_RU_ALLOC(484);
			CHECK_RU_ALLOC(996);
			CHECK_RU_ALLOC(2x996);

			he.data5 |= HE_PREP(DATA5_DATA_BW_RU_ALLOC,
					    status->he_ru + 4);
			break;
		default:
			WARN_ONCE(1, "Invalid SU BW %d\n", status->bw);
		}

		/* ensure 2 byte alignment */
		while ((pos - (u8 *)rthdr) & 1)
			pos++;
		rthdr->it_present |= cpu_to_le32(1 << IEEE80211_RADIOTAP_HE);
		memcpy(pos, &he, sizeof(he));
		pos += sizeof(he);
	}

	if (status->encoding == RX_ENC_HE &&
	    status->flag & RX_FLAG_RADIOTAP_HE_MU) {
		/* ensure 2 byte alignment */
		while ((pos - (u8 *)rthdr) & 1)
			pos++;
		rthdr->it_present |= cpu_to_le32(1 << IEEE80211_RADIOTAP_HE_MU);
		memcpy(pos, &he_mu, sizeof(he_mu));
		pos += sizeof(he_mu);
	}

697 698 699 700 701 702
	if (status->flag & RX_FLAG_NO_PSDU) {
		rthdr->it_present |=
			cpu_to_le32(1 << IEEE80211_RADIOTAP_ZERO_LEN_PSDU);
		*pos++ = status->zero_length_psdu_type;
	}

703 704 705 706 707 708 709 710 711
	if (status->flag & RX_FLAG_RADIOTAP_LSIG) {
		/* ensure 2 byte alignment */
		while ((pos - (u8 *)rthdr) & 1)
			pos++;
		rthdr->it_present |= cpu_to_le32(1 << IEEE80211_RADIOTAP_LSIG);
		memcpy(pos, &lsig, sizeof(lsig));
		pos += sizeof(lsig);
	}

712 713 714 715
	for_each_set_bit(chain, &chains, IEEE80211_MAX_CHAINS) {
		*pos++ = status->chain_signal[chain];
		*pos++ = chain;
	}
716 717 718 719 720 721 722 723 724 725 726 727 728 729 730 731

	if (status->flag & RX_FLAG_RADIOTAP_VENDOR_DATA) {
		/* ensure 2 byte alignment for the vendor field as required */
		if ((pos - (u8 *)rthdr) & 1)
			*pos++ = 0;
		*pos++ = rtap.oui[0];
		*pos++ = rtap.oui[1];
		*pos++ = rtap.oui[2];
		*pos++ = rtap.subns;
		put_unaligned_le16(rtap.len, pos);
		pos += 2;
		/* align the actual payload as requested */
		while ((pos - (u8 *)rthdr) & (rtap.align - 1))
			*pos++ = 0;
		/* data (and possible padding) already follows */
	}
732 733
}

734 735 736 737
static struct sk_buff *
ieee80211_make_monitor_skb(struct ieee80211_local *local,
			   struct sk_buff **origskb,
			   struct ieee80211_rate *rate,
738
			   int rtap_space, bool use_origskb)
739 740 741 742 743 744 745
{
	struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(*origskb);
	int rt_hdrlen, needed_headroom;
	struct sk_buff *skb;

	/* room for the radiotap header based on driver features */
	rt_hdrlen = ieee80211_rx_radiotap_hdrlen(local, status, *origskb);
746
	needed_headroom = rt_hdrlen - rtap_space;
747 748 749 750 751 752 753 754 755 756 757 758 759 760 761 762 763 764 765 766 767 768 769 770 771 772 773 774 775 776 777 778 779 780 781 782 783 784 785 786

	if (use_origskb) {
		/* only need to expand headroom if necessary */
		skb = *origskb;
		*origskb = NULL;

		/*
		 * This shouldn't trigger often because most devices have an
		 * RX header they pull before we get here, and that should
		 * be big enough for our radiotap information. We should
		 * probably export the length to drivers so that we can have
		 * them allocate enough headroom to start with.
		 */
		if (skb_headroom(skb) < needed_headroom &&
		    pskb_expand_head(skb, needed_headroom, 0, GFP_ATOMIC)) {
			dev_kfree_skb(skb);
			return NULL;
		}
	} else {
		/*
		 * Need to make a copy and possibly remove radiotap header
		 * and FCS from the original.
		 */
		skb = skb_copy_expand(*origskb, needed_headroom, 0, GFP_ATOMIC);

		if (!skb)
			return NULL;
	}

	/* prepend radiotap information */
	ieee80211_add_rx_radiotap_header(local, skb, rate, rt_hdrlen, true);

	skb_reset_mac_header(skb);
	skb->ip_summed = CHECKSUM_UNNECESSARY;
	skb->pkt_type = PACKET_OTHERHOST;
	skb->protocol = htons(ETH_P_802_2);

	return skb;
}

787 788 789 790 791 792 793
/*
 * This function copies a received frame to all monitor interfaces and
 * returns a cleaned-up SKB that no longer includes the FCS nor the
 * radiotap header the driver might have added.
 */
static struct sk_buff *
ieee80211_rx_monitor(struct ieee80211_local *local, struct sk_buff *origskb,
794
		     struct ieee80211_rate *rate)
795
{
796
	struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(origskb);
797
	struct ieee80211_sub_if_data *sdata;
798
	struct sk_buff *monskb = NULL;
799
	int present_fcs_len = 0;
800
	unsigned int rtap_space = 0;
801 802
	struct ieee80211_sub_if_data *monitor_sdata =
		rcu_dereference(local->monitor_sdata);
803
	bool only_monitor = false;
804
	unsigned int min_head_len;
805

L
Luca Coelho 已提交
806 807 808 809 810 811
	if (status->flag & RX_FLAG_RADIOTAP_HE)
		rtap_space += sizeof(struct ieee80211_radiotap_he);

	if (status->flag & RX_FLAG_RADIOTAP_HE_MU)
		rtap_space += sizeof(struct ieee80211_radiotap_he_mu);

812 813 814
	if (status->flag & RX_FLAG_RADIOTAP_LSIG)
		rtap_space += sizeof(struct ieee80211_radiotap_lsig);

815
	if (unlikely(status->flag & RX_FLAG_RADIOTAP_VENDOR_DATA)) {
816 817
		struct ieee80211_vendor_radiotap *rtap =
			(void *)(origskb->data + rtap_space);
818

819
		rtap_space += sizeof(*rtap) + rtap->len + rtap->pad;
820
	}
821

822 823
	min_head_len = rtap_space;

824 825 826 827 828 829 830 831
	/*
	 * First, we may need to make a copy of the skb because
	 *  (1) we need to modify it for radiotap (if not present), and
	 *  (2) the other RX handlers will modify the skb we got.
	 *
	 * We don't need to, of course, if we aren't going to return
	 * the SKB because it has a bad FCS/PLCP checksum.
	 */
J
Johannes Berg 已提交
832

833 834 835 836 837 838 839 840 841
	if (!(status->flag & RX_FLAG_NO_PSDU)) {
		if (ieee80211_hw_check(&local->hw, RX_INCLUDES_FCS)) {
			if (unlikely(origskb->len <= FCS_LEN + rtap_space)) {
				/* driver bug */
				WARN_ON(1);
				dev_kfree_skb(origskb);
				return NULL;
			}
			present_fcs_len = FCS_LEN;
842
		}
843 844 845

		/* also consider the hdr->frame_control */
		min_head_len += 2;
846
	}
847

848 849
	/* ensure that the expected data elements are in skb head */
	if (!pskb_may_pull(origskb, min_head_len)) {
Z
Zhu Yi 已提交
850 851 852 853
		dev_kfree_skb(origskb);
		return NULL;
	}

854
	only_monitor = should_drop_frame(origskb, present_fcs_len, rtap_space);
855

856
	if (!local->monitors || (status->flag & RX_FLAG_SKIP_MONITOR)) {
857
		if (only_monitor) {
858 859 860 861
			dev_kfree_skb(origskb);
			return NULL;
		}

862 863
		return ieee80211_clean_skb(origskb, present_fcs_len,
					   rtap_space);
864 865
	}

866
	ieee80211_handle_mu_mimo_mon(monitor_sdata, origskb, rtap_space);
867

868
	list_for_each_entry_rcu(sdata, &local->mon_list, u.mntr.list) {
869 870 871 872 873
		bool last_monitor = list_is_last(&sdata->u.mntr.list,
						 &local->mon_list);

		if (!monskb)
			monskb = ieee80211_make_monitor_skb(local, &origskb,
874
							    rate, rtap_space,
875 876 877 878 879 880 881 882 883 884 885 886 887 888 889 890 891
							    only_monitor &&
							    last_monitor);

		if (monskb) {
			struct sk_buff *skb;

			if (last_monitor) {
				skb = monskb;
				monskb = NULL;
			} else {
				skb = skb_clone(monskb, GFP_ATOMIC);
			}

			if (skb) {
				skb->dev = sdata->dev;
				ieee80211_rx_stats(skb->dev, skb->len);
				netif_receive_skb(skb);
892 893 894
			}
		}

895 896
		if (last_monitor)
			break;
897 898
	}

899 900 901 902 903 904
	/* this happens if last_monitor was erroneously false */
	dev_kfree_skb(monskb);

	/* ditto */
	if (!origskb)
		return NULL;
905

906
	return ieee80211_clean_skb(origskb, present_fcs_len, rtap_space);
907 908
}

909
static void ieee80211_parse_qos(struct ieee80211_rx_data *rx)
910
{
911
	struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)rx->skb->data;
912
	struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(rx->skb);
913
	int tid, seqno_idx, security_idx;
914 915

	/* does the frame have a qos control field? */
916 917
	if (ieee80211_is_data_qos(hdr->frame_control)) {
		u8 *qc = ieee80211_get_qos_ctl(hdr);
918
		/* frame has qos control */
919
		tid = *qc & IEEE80211_QOS_CTL_TID_MASK;
920
		if (*qc & IEEE80211_QOS_CTL_A_MSDU_PRESENT)
921
			status->rx_flags |= IEEE80211_RX_AMSDU;
922 923 924

		seqno_idx = tid;
		security_idx = tid;
925
	} else {
926 927 928 929 930 931 932 933 934 935 936
		/*
		 * IEEE 802.11-2007, 7.1.3.4.1 ("Sequence Number field"):
		 *
		 *	Sequence numbers for management frames, QoS data
		 *	frames with a broadcast/multicast address in the
		 *	Address 1 field, and all non-QoS data frames sent
		 *	by QoS STAs are assigned using an additional single
		 *	modulo-4096 counter, [...]
		 *
		 * We also use that counter for non-QoS STAs.
		 */
937
		seqno_idx = IEEE80211_NUM_TIDS;
938 939
		security_idx = 0;
		if (ieee80211_is_mgmt(hdr->frame_control))
940
			security_idx = IEEE80211_NUM_TIDS;
941
		tid = 0;
942
	}
943

944 945
	rx->seqno_idx = seqno_idx;
	rx->security_idx = security_idx;
946 947 948
	/* Set skb->priority to 1d tag if highest order bit of TID is not set.
	 * For now, set skb->priority to 0 for other cases. */
	rx->skb->priority = (tid > 7) ? 0 : tid;
949
}
950

951 952 953 954 955 956 957 958 959 960 961
/**
 * DOC: Packet alignment
 *
 * Drivers always need to pass packets that are aligned to two-byte boundaries
 * to the stack.
 *
 * Additionally, should, if possible, align the payload data in a way that
 * guarantees that the contained IP header is aligned to a four-byte
 * boundary. In the case of regular frames, this simply means aligning the
 * payload to a four-byte boundary (because either the IP header is directly
 * contained, or IV/RFC1042 headers that have a length divisible by four are
962 963 964
 * in front of it).  If the payload data is not properly aligned and the
 * architecture doesn't support efficient unaligned operations, mac80211
 * will align the data.
965 966 967 968 969 970 971
 *
 * With A-MSDU frames, however, the payload data address must yield two modulo
 * four because there are 14-byte 802.3 headers within the A-MSDU frames that
 * push the IP header further back to a multiple of four again. Thankfully, the
 * specs were sane enough this time around to require padding each A-MSDU
 * subframe to a length that is a multiple of four.
 *
L
Lucas De Marchi 已提交
972
 * Padding like Atheros hardware adds which is between the 802.11 header and
973 974 975 976
 * the payload is not supported, the driver is required to move the 802.11
 * header to be directly in front of the payload in that case.
 */
static void ieee80211_verify_alignment(struct ieee80211_rx_data *rx)
977
{
978
#ifdef CONFIG_MAC80211_VERBOSE_DEBUG
979
	WARN_ON_ONCE((unsigned long)rx->skb->data & 1);
980
#endif
981 982
}

983

984 985
/* rx handlers */

986 987 988 989
static int ieee80211_is_unicast_robust_mgmt_frame(struct sk_buff *skb)
{
	struct ieee80211_hdr *hdr = (struct ieee80211_hdr *) skb->data;

990
	if (is_multicast_ether_addr(hdr->addr1))
991 992
		return 0;

993
	return ieee80211_is_robust_mgmt_frame(skb);
994 995 996 997 998 999 1000
}


static int ieee80211_is_multicast_robust_mgmt_frame(struct sk_buff *skb)
{
	struct ieee80211_hdr *hdr = (struct ieee80211_hdr *) skb->data;

1001
	if (!is_multicast_ether_addr(hdr->addr1))
1002 1003
		return 0;

1004
	return ieee80211_is_robust_mgmt_frame(skb);
1005 1006 1007 1008 1009 1010 1011 1012
}


/* Get the BIP key index from MMIE; return -1 if this is not a BIP frame */
static int ieee80211_get_mmie_keyidx(struct sk_buff *skb)
{
	struct ieee80211_mgmt *hdr = (struct ieee80211_mgmt *) skb->data;
	struct ieee80211_mmie *mmie;
1013
	struct ieee80211_mmie_16 *mmie16;
1014

J
Johannes Berg 已提交
1015
	if (skb->len < 24 + sizeof(*mmie) || !is_multicast_ether_addr(hdr->da))
1016 1017
		return -1;

1018 1019
	if (!ieee80211_is_robust_mgmt_frame(skb) &&
	    !ieee80211_is_beacon(hdr->frame_control))
1020 1021 1022 1023
		return -1; /* not a robust management frame */

	mmie = (struct ieee80211_mmie *)
		(skb->data + skb->len - sizeof(*mmie));
1024 1025 1026 1027 1028 1029 1030 1031 1032 1033 1034 1035
	if (mmie->element_id == WLAN_EID_MMIE &&
	    mmie->length == sizeof(*mmie) - 2)
		return le16_to_cpu(mmie->key_id);

	mmie16 = (struct ieee80211_mmie_16 *)
		(skb->data + skb->len - sizeof(*mmie16));
	if (skb->len >= 24 + sizeof(*mmie16) &&
	    mmie16->element_id == WLAN_EID_MMIE &&
	    mmie16->length == sizeof(*mmie16) - 2)
		return le16_to_cpu(mmie16->key_id);

	return -1;
1036 1037
}

1038 1039
static int ieee80211_get_keyid(struct sk_buff *skb,
			       const struct ieee80211_cipher_scheme *cs)
1040 1041 1042 1043
{
	struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)skb->data;
	__le16 fc;
	int hdrlen;
1044 1045 1046
	int minlen;
	u8 key_idx_off;
	u8 key_idx_shift;
1047 1048 1049 1050 1051
	u8 keyid;

	fc = hdr->frame_control;
	hdrlen = ieee80211_hdrlen(fc);

1052 1053 1054 1055 1056 1057 1058 1059 1060 1061 1062 1063
	if (cs) {
		minlen = hdrlen + cs->hdr_len;
		key_idx_off = hdrlen + cs->key_idx_off;
		key_idx_shift = cs->key_idx_shift;
	} else {
		/* WEP, TKIP, CCMP and GCMP */
		minlen = hdrlen + IEEE80211_WEP_IV_LEN;
		key_idx_off = hdrlen + 3;
		key_idx_shift = 6;
	}

	if (unlikely(skb->len < minlen))
1064 1065
		return -EINVAL;

1066 1067 1068 1069 1070 1071 1072 1073 1074
	skb_copy_bits(skb, key_idx_off, &keyid, 1);

	if (cs)
		keyid &= cs->key_idx_mask;
	keyid >>= key_idx_shift;

	/* cs could use more than the usual two bits for the keyid */
	if (unlikely(keyid >= NUM_DEFAULT_KEYS))
		return -EINVAL;
1075 1076 1077 1078

	return keyid;
}

J
Johannes Berg 已提交
1079
static ieee80211_rx_result ieee80211_rx_mesh_check(struct ieee80211_rx_data *rx)
1080
{
1081
	struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)rx->skb->data;
1082
	char *dev_addr = rx->sdata->vif.addr;
1083

1084
	if (ieee80211_is_data(hdr->frame_control)) {
1085 1086
		if (is_multicast_ether_addr(hdr->addr1)) {
			if (ieee80211_has_tods(hdr->frame_control) ||
J
Johannes Berg 已提交
1087
			    !ieee80211_has_fromds(hdr->frame_control))
1088
				return RX_DROP_MONITOR;
1089
			if (ether_addr_equal(hdr->addr3, dev_addr))
1090 1091 1092 1093
				return RX_DROP_MONITOR;
		} else {
			if (!ieee80211_has_a4(hdr->frame_control))
				return RX_DROP_MONITOR;
1094
			if (ether_addr_equal(hdr->addr4, dev_addr))
1095 1096
				return RX_DROP_MONITOR;
		}
1097 1098 1099 1100 1101 1102
	}

	/* If there is not an established peer link and this is not a peer link
	 * establisment frame, beacon or probe, drop the frame.
	 */

1103
	if (!rx->sta || sta_plink_state(rx->sta) != NL80211_PLINK_ESTAB) {
1104
		struct ieee80211_mgmt *mgmt;
1105

1106
		if (!ieee80211_is_mgmt(hdr->frame_control))
1107 1108
			return RX_DROP_MONITOR;

1109
		if (ieee80211_is_action(hdr->frame_control)) {
1110
			u8 category;
1111 1112 1113 1114 1115

			/* make sure category field is present */
			if (rx->skb->len < IEEE80211_MIN_ACTION_SIZE)
				return RX_DROP_MONITOR;

1116
			mgmt = (struct ieee80211_mgmt *)hdr;
1117 1118
			category = mgmt->u.action.category;
			if (category != WLAN_CATEGORY_MESH_ACTION &&
J
Johannes Berg 已提交
1119
			    category != WLAN_CATEGORY_SELF_PROTECTED)
1120 1121 1122 1123
				return RX_DROP_MONITOR;
			return RX_CONTINUE;
		}

1124 1125
		if (ieee80211_is_probe_req(hdr->frame_control) ||
		    ieee80211_is_probe_resp(hdr->frame_control) ||
1126 1127
		    ieee80211_is_beacon(hdr->frame_control) ||
		    ieee80211_is_auth(hdr->frame_control))
1128 1129 1130 1131 1132
			return RX_CONTINUE;

		return RX_DROP_MONITOR;
	}

J
Johannes Berg 已提交
1133 1134
	return RX_CONTINUE;
}
1135

1136 1137 1138 1139 1140 1141 1142
static inline bool ieee80211_rx_reorder_ready(struct tid_ampdu_rx *tid_agg_rx,
					      int index)
{
	struct sk_buff_head *frames = &tid_agg_rx->reorder_buf[index];
	struct sk_buff *tail = skb_peek_tail(frames);
	struct ieee80211_rx_status *status;

1143 1144 1145
	if (tid_agg_rx->reorder_buf_filtered & BIT_ULL(index))
		return true;

1146 1147 1148 1149 1150 1151 1152 1153 1154 1155
	if (!tail)
		return false;

	status = IEEE80211_SKB_RXCB(tail);
	if (status->flag & RX_FLAG_AMSDU_MORE)
		return false;

	return true;
}

1156
static void ieee80211_release_reorder_frame(struct ieee80211_sub_if_data *sdata,
1157
					    struct tid_ampdu_rx *tid_agg_rx,
1158 1159
					    int index,
					    struct sk_buff_head *frames)
1160
{
1161 1162
	struct sk_buff_head *skb_list = &tid_agg_rx->reorder_buf[index];
	struct sk_buff *skb;
1163
	struct ieee80211_rx_status *status;
1164

1165 1166
	lockdep_assert_held(&tid_agg_rx->reorder_lock);

1167
	if (skb_queue_empty(skb_list))
1168 1169
		goto no_frame;

1170
	if (!ieee80211_rx_reorder_ready(tid_agg_rx, index)) {
1171 1172 1173 1174 1175
		__skb_queue_purge(skb_list);
		goto no_frame;
	}

	/* release frames from the reorder ring buffer */
1176
	tid_agg_rx->stored_mpdu_num--;
1177 1178 1179 1180 1181
	while ((skb = __skb_dequeue(skb_list))) {
		status = IEEE80211_SKB_RXCB(skb);
		status->rx_flags |= IEEE80211_RX_DEFERRED_RELEASE;
		__skb_queue_tail(frames, skb);
	}
1182 1183

no_frame:
1184
	tid_agg_rx->reorder_buf_filtered &= ~BIT_ULL(index);
1185
	tid_agg_rx->head_seq_num = ieee80211_sn_inc(tid_agg_rx->head_seq_num);
1186 1187
}

1188
static void ieee80211_release_reorder_frames(struct ieee80211_sub_if_data *sdata,
1189
					     struct tid_ampdu_rx *tid_agg_rx,
1190 1191
					     u16 head_seq_num,
					     struct sk_buff_head *frames)
1192 1193 1194
{
	int index;

1195 1196
	lockdep_assert_held(&tid_agg_rx->reorder_lock);

1197
	while (ieee80211_sn_less(tid_agg_rx->head_seq_num, head_seq_num)) {
1198
		index = tid_agg_rx->head_seq_num % tid_agg_rx->buf_size;
1199 1200
		ieee80211_release_reorder_frame(sdata, tid_agg_rx, index,
						frames);
1201 1202 1203 1204 1205 1206 1207 1208 1209
	}
}

/*
 * Timeout (in jiffies) for skb's that are waiting in the RX reorder buffer. If
 * the skb was added to the buffer longer than this time ago, the earlier
 * frames that have not yet been received are assumed to be lost and the skb
 * can be released for processing. This may also release other skb's from the
 * reorder buffer if there are no additional gaps between the frames.
1210 1211
 *
 * Callers must hold tid_agg_rx->reorder_lock.
1212 1213 1214
 */
#define HT_RX_REORDER_BUF_TIMEOUT (HZ / 10)

1215
static void ieee80211_sta_reorder_release(struct ieee80211_sub_if_data *sdata,
1216 1217
					  struct tid_ampdu_rx *tid_agg_rx,
					  struct sk_buff_head *frames)
1218
{
1219
	int index, i, j;
1220

1221 1222
	lockdep_assert_held(&tid_agg_rx->reorder_lock);

1223
	/* release the buffer until next missing frame */
1224
	index = tid_agg_rx->head_seq_num % tid_agg_rx->buf_size;
1225
	if (!ieee80211_rx_reorder_ready(tid_agg_rx, index) &&
1226
	    tid_agg_rx->stored_mpdu_num) {
1227 1228 1229 1230 1231 1232 1233
		/*
		 * No buffers ready to be released, but check whether any
		 * frames in the reorder buffer have timed out.
		 */
		int skipped = 1;
		for (j = (index + 1) % tid_agg_rx->buf_size; j != index;
		     j = (j + 1) % tid_agg_rx->buf_size) {
1234
			if (!ieee80211_rx_reorder_ready(tid_agg_rx, j)) {
1235 1236 1237
				skipped++;
				continue;
			}
1238 1239
			if (skipped &&
			    !time_after(jiffies, tid_agg_rx->reorder_time[j] +
1240
					HT_RX_REORDER_BUF_TIMEOUT))
1241
				goto set_release_timer;
1242

1243 1244 1245 1246 1247
			/* don't leave incomplete A-MSDUs around */
			for (i = (index + 1) % tid_agg_rx->buf_size; i != j;
			     i = (i + 1) % tid_agg_rx->buf_size)
				__skb_queue_purge(&tid_agg_rx->reorder_buf[i]);

J
Johannes Berg 已提交
1248 1249
			ht_dbg_ratelimited(sdata,
					   "release an RX reorder frame due to timeout on earlier frames\n");
1250 1251
			ieee80211_release_reorder_frame(sdata, tid_agg_rx, j,
							frames);
1252 1253 1254 1255 1256

			/*
			 * Increment the head seq# also for the skipped slots.
			 */
			tid_agg_rx->head_seq_num =
1257 1258
				(tid_agg_rx->head_seq_num +
				 skipped) & IEEE80211_SN_MASK;
1259 1260
			skipped = 0;
		}
1261
	} else while (ieee80211_rx_reorder_ready(tid_agg_rx, index)) {
1262 1263
		ieee80211_release_reorder_frame(sdata, tid_agg_rx, index,
						frames);
1264
		index =	tid_agg_rx->head_seq_num % tid_agg_rx->buf_size;
1265
	}
1266 1267

	if (tid_agg_rx->stored_mpdu_num) {
1268
		j = index = tid_agg_rx->head_seq_num % tid_agg_rx->buf_size;
1269 1270 1271

		for (; j != (index - 1) % tid_agg_rx->buf_size;
		     j = (j + 1) % tid_agg_rx->buf_size) {
1272
			if (ieee80211_rx_reorder_ready(tid_agg_rx, j))
1273 1274 1275 1276 1277
				break;
		}

 set_release_timer:

1278 1279 1280 1281
		if (!tid_agg_rx->removed)
			mod_timer(&tid_agg_rx->reorder_timer,
				  tid_agg_rx->reorder_time[j] + 1 +
				  HT_RX_REORDER_BUF_TIMEOUT);
1282 1283 1284
	} else {
		del_timer(&tid_agg_rx->reorder_timer);
	}
1285 1286
}

1287 1288 1289 1290 1291
/*
 * As this function belongs to the RX path it must be under
 * rcu_read_lock protection. It returns false if the frame
 * can be processed immediately, true if it was consumed.
 */
1292
static bool ieee80211_sta_manage_reorder_buf(struct ieee80211_sub_if_data *sdata,
1293
					     struct tid_ampdu_rx *tid_agg_rx,
1294 1295
					     struct sk_buff *skb,
					     struct sk_buff_head *frames)
1296 1297
{
	struct ieee80211_hdr *hdr = (struct ieee80211_hdr *) skb->data;
1298
	struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(skb);
1299 1300 1301 1302
	u16 sc = le16_to_cpu(hdr->seq_ctrl);
	u16 mpdu_seq_num = (sc & IEEE80211_SCTL_SEQ) >> 4;
	u16 head_seq_num, buf_size;
	int index;
1303
	bool ret = true;
1304

1305 1306
	spin_lock(&tid_agg_rx->reorder_lock);

1307 1308 1309 1310 1311 1312 1313 1314 1315 1316
	/*
	 * Offloaded BA sessions have no known starting sequence number so pick
	 * one from first Rxed frame for this tid after BA was started.
	 */
	if (unlikely(tid_agg_rx->auto_seq)) {
		tid_agg_rx->auto_seq = false;
		tid_agg_rx->ssn = mpdu_seq_num;
		tid_agg_rx->head_seq_num = mpdu_seq_num;
	}

1317 1318 1319
	buf_size = tid_agg_rx->buf_size;
	head_seq_num = tid_agg_rx->head_seq_num;

1320 1321 1322 1323 1324 1325 1326 1327 1328 1329 1330 1331
	/*
	 * If the current MPDU's SN is smaller than the SSN, it shouldn't
	 * be reordered.
	 */
	if (unlikely(!tid_agg_rx->started)) {
		if (ieee80211_sn_less(mpdu_seq_num, head_seq_num)) {
			ret = false;
			goto out;
		}
		tid_agg_rx->started = true;
	}

1332
	/* frame with out of date sequence number */
1333
	if (ieee80211_sn_less(mpdu_seq_num, head_seq_num)) {
1334
		dev_kfree_skb(skb);
1335
		goto out;
1336 1337 1338 1339 1340 1341
	}

	/*
	 * If frame the sequence number exceeds our buffering window
	 * size release some previous frames to make room for this one.
	 */
1342 1343 1344
	if (!ieee80211_sn_less(mpdu_seq_num, head_seq_num + buf_size)) {
		head_seq_num = ieee80211_sn_inc(
				ieee80211_sn_sub(mpdu_seq_num, buf_size));
1345
		/* release stored frames up to new head to stack */
1346
		ieee80211_release_reorder_frames(sdata, tid_agg_rx,
1347
						 head_seq_num, frames);
1348 1349 1350 1351
	}

	/* Now the new frame is always in the range of the reordering buffer */

1352
	index = mpdu_seq_num % tid_agg_rx->buf_size;
1353 1354

	/* check if we already stored this frame */
1355
	if (ieee80211_rx_reorder_ready(tid_agg_rx, index)) {
1356
		dev_kfree_skb(skb);
1357
		goto out;
1358 1359 1360 1361 1362
	}

	/*
	 * If the current MPDU is in the right order and nothing else
	 * is stored we can process it directly, no need to buffer it.
1363 1364
	 * If it is first but there's something stored, we may be able
	 * to release frames after this one.
1365 1366 1367
	 */
	if (mpdu_seq_num == tid_agg_rx->head_seq_num &&
	    tid_agg_rx->stored_mpdu_num == 0) {
1368 1369 1370
		if (!(status->flag & RX_FLAG_AMSDU_MORE))
			tid_agg_rx->head_seq_num =
				ieee80211_sn_inc(tid_agg_rx->head_seq_num);
1371 1372
		ret = false;
		goto out;
1373 1374 1375
	}

	/* put the frame in the reordering buffer */
1376 1377 1378 1379 1380 1381
	__skb_queue_tail(&tid_agg_rx->reorder_buf[index], skb);
	if (!(status->flag & RX_FLAG_AMSDU_MORE)) {
		tid_agg_rx->reorder_time[index] = jiffies;
		tid_agg_rx->stored_mpdu_num++;
		ieee80211_sta_reorder_release(sdata, tid_agg_rx, frames);
	}
1382

1383 1384 1385
 out:
	spin_unlock(&tid_agg_rx->reorder_lock);
	return ret;
1386 1387 1388 1389 1390 1391
}

/*
 * Reorder MPDUs from A-MPDUs, keeping them on a buffer. Returns
 * true if the MPDU was buffered, false if it should be processed.
 */
1392 1393
static void ieee80211_rx_reorder_ampdu(struct ieee80211_rx_data *rx,
				       struct sk_buff_head *frames)
1394
{
1395 1396
	struct sk_buff *skb = rx->skb;
	struct ieee80211_local *local = rx->local;
1397
	struct ieee80211_hdr *hdr = (struct ieee80211_hdr *) skb->data;
1398
	struct sta_info *sta = rx->sta;
1399 1400
	struct tid_ampdu_rx *tid_agg_rx;
	u16 sc;
1401
	u8 tid, ack_policy;
1402

1403 1404
	if (!ieee80211_is_data_qos(hdr->frame_control) ||
	    is_multicast_ether_addr(hdr->addr1))
1405
		goto dont_reorder;
1406 1407 1408 1409 1410 1411 1412

	/*
	 * filter the QoS data rx stream according to
	 * STA/TID and check if this STA/TID is on aggregation
	 */

	if (!sta)
1413
		goto dont_reorder;
1414

1415 1416
	ack_policy = *ieee80211_get_qos_ctl(hdr) &
		     IEEE80211_QOS_CTL_ACK_POLICY_MASK;
S
Sara Sharon 已提交
1417
	tid = ieee80211_get_tid(hdr);
1418

1419
	tid_agg_rx = rcu_dereference(sta->ampdu_mlme.tid_rx[tid]);
1420 1421 1422 1423 1424 1425 1426
	if (!tid_agg_rx) {
		if (ack_policy == IEEE80211_QOS_CTL_ACK_POLICY_BLOCKACK &&
		    !test_bit(tid, rx->sta->ampdu_mlme.agg_session_valid) &&
		    !test_and_set_bit(tid, rx->sta->ampdu_mlme.unexpected_agg))
			ieee80211_send_delba(rx->sdata, rx->sta->sta.addr, tid,
					     WLAN_BACK_RECIPIENT,
					     WLAN_REASON_QSTA_REQUIRE_SETUP);
1427
		goto dont_reorder;
1428
	}
1429 1430 1431

	/* qos null data frames are excluded */
	if (unlikely(hdr->frame_control & cpu_to_le16(IEEE80211_STYPE_NULLFUNC)))
1432
		goto dont_reorder;
1433

1434 1435 1436 1437 1438
	/* not part of a BA session */
	if (ack_policy != IEEE80211_QOS_CTL_ACK_POLICY_BLOCKACK &&
	    ack_policy != IEEE80211_QOS_CTL_ACK_POLICY_NORMAL)
		goto dont_reorder;

1439 1440 1441 1442
	/* new, potentially un-ordered, ampdu frame - process it */

	/* reset session timer */
	if (tid_agg_rx->timeout)
1443
		tid_agg_rx->last_rx = jiffies;
1444 1445 1446 1447

	/* if this mpdu is fragmented - terminate rx aggregation session */
	sc = le16_to_cpu(hdr->seq_ctrl);
	if (sc & IEEE80211_SCTL_FRAG) {
1448 1449
		skb_queue_tail(&rx->sdata->skb_queue, skb);
		ieee80211_queue_work(&local->hw, &rx->sdata->work);
1450
		return;
1451 1452
	}

1453 1454 1455 1456 1457 1458 1459
	/*
	 * No locking needed -- we will only ever process one
	 * RX packet at a time, and thus own tid_agg_rx. All
	 * other code manipulating it needs to (and does) make
	 * sure that we cannot get to it any more before doing
	 * anything with it.
	 */
1460 1461
	if (ieee80211_sta_manage_reorder_buf(rx->sdata, tid_agg_rx, skb,
					     frames))
1462 1463 1464
		return;

 dont_reorder:
1465
	__skb_queue_tail(frames, skb);
1466
}
1467

1468
static ieee80211_rx_result debug_noinline
1469
ieee80211_rx_h_check_dup(struct ieee80211_rx_data *rx)
1470
{
1471
	struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)rx->skb->data;
1472
	struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(rx->skb);
1473

1474 1475 1476
	if (status->flag & RX_FLAG_DUP_VALIDATED)
		return RX_CONTINUE;

1477 1478 1479 1480
	/*
	 * Drop duplicate 802.11 retransmissions
	 * (IEEE 802.11-2012: 9.3.2.10 "Duplicate detection and recovery")
	 */
1481 1482 1483 1484 1485

	if (rx->skb->len < 24)
		return RX_CONTINUE;

	if (ieee80211_is_ctl(hdr->frame_control) ||
1486
	    ieee80211_is_any_nullfunc(hdr->frame_control) ||
1487 1488 1489
	    is_multicast_ether_addr(hdr->addr1))
		return RX_CONTINUE;

1490 1491 1492 1493 1494 1495
	if (!rx->sta)
		return RX_CONTINUE;

	if (unlikely(ieee80211_has_retry(hdr->frame_control) &&
		     rx->sta->last_seq_ctrl[rx->seqno_idx] == hdr->seq_ctrl)) {
		I802_DEBUG_INC(rx->local->dot11FrameDuplicateCount);
1496
		rx->sta->rx_stats.num_duplicates++;
1497 1498 1499
		return RX_DROP_UNUSABLE;
	} else if (!(status->flag & RX_FLAG_AMSDU_MORE)) {
		rx->sta->last_seq_ctrl[rx->seqno_idx] = hdr->seq_ctrl;
1500 1501
	}

1502 1503 1504 1505 1506 1507 1508 1509
	return RX_CONTINUE;
}

static ieee80211_rx_result debug_noinline
ieee80211_rx_h_check(struct ieee80211_rx_data *rx)
{
	struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)rx->skb->data;

1510 1511 1512
	/* Drop disallowed frame classes based on STA auth/assoc state;
	 * IEEE 802.11, Chap 5.5.
	 *
J
Johannes Berg 已提交
1513 1514
	 * mac80211 filters only based on association state, i.e. it drops
	 * Class 3 frames from not associated stations. hostapd sends
1515 1516 1517
	 * deauth/disassoc frames when needed. In addition, hostapd is
	 * responsible for filtering on both auth and assoc states.
	 */
1518

J
Johannes Berg 已提交
1519
	if (ieee80211_vif_is_mesh(&rx->sdata->vif))
1520 1521
		return ieee80211_rx_mesh_check(rx);

1522 1523
	if (unlikely((ieee80211_is_data(hdr->frame_control) ||
		      ieee80211_is_pspoll(hdr->frame_control)) &&
1524
		     rx->sdata->vif.type != NL80211_IFTYPE_ADHOC &&
B
Bill Jordan 已提交
1525
		     rx->sdata->vif.type != NL80211_IFTYPE_WDS &&
1526
		     rx->sdata->vif.type != NL80211_IFTYPE_OCB &&
J
Johannes Berg 已提交
1527
		     (!rx->sta || !test_sta_flag(rx->sta, WLAN_STA_ASSOC)))) {
1528 1529 1530 1531 1532 1533
		/*
		 * accept port control frames from the AP even when it's not
		 * yet marked ASSOC to prevent a race where we don't set the
		 * assoc bit quickly enough before it sends the first frame
		 */
		if (rx->sta && rx->sdata->vif.type == NL80211_IFTYPE_STATION &&
1534
		    ieee80211_is_data_present(hdr->frame_control)) {
1535 1536 1537 1538 1539 1540 1541 1542 1543 1544
			unsigned int hdrlen;
			__be16 ethertype;

			hdrlen = ieee80211_hdrlen(hdr->frame_control);

			if (rx->skb->len < hdrlen + 8)
				return RX_DROP_MONITOR;

			skb_copy_bits(rx->skb, hdrlen + 6, &ethertype, 2);
			if (ethertype == rx->sdata->control_port_protocol)
1545 1546
				return RX_CONTINUE;
		}
1547 1548 1549 1550 1551 1552 1553

		if (rx->sdata->vif.type == NL80211_IFTYPE_AP &&
		    cfg80211_rx_spurious_frame(rx->sdata->dev,
					       hdr->addr2,
					       GFP_ATOMIC))
			return RX_DROP_UNUSABLE;

J
Johannes Berg 已提交
1554
		return RX_DROP_MONITOR;
1555
	}
1556

1557
	return RX_CONTINUE;
1558 1559 1560
}


1561 1562 1563 1564 1565 1566 1567 1568 1569 1570 1571 1572 1573 1574 1575 1576 1577 1578 1579 1580 1581 1582 1583 1584 1585 1586 1587 1588 1589 1590 1591 1592 1593
static ieee80211_rx_result debug_noinline
ieee80211_rx_h_check_more_data(struct ieee80211_rx_data *rx)
{
	struct ieee80211_local *local;
	struct ieee80211_hdr *hdr;
	struct sk_buff *skb;

	local = rx->local;
	skb = rx->skb;
	hdr = (struct ieee80211_hdr *) skb->data;

	if (!local->pspolling)
		return RX_CONTINUE;

	if (!ieee80211_has_fromds(hdr->frame_control))
		/* this is not from AP */
		return RX_CONTINUE;

	if (!ieee80211_is_data(hdr->frame_control))
		return RX_CONTINUE;

	if (!ieee80211_has_moredata(hdr->frame_control)) {
		/* AP has no more frames buffered for us */
		local->pspolling = false;
		return RX_CONTINUE;
	}

	/* more data bit is set, let's request a new frame from the AP */
	ieee80211_send_pspoll(local, rx->sdata);

	return RX_CONTINUE;
}

1594
static void sta_ps_start(struct sta_info *sta)
1595
{
1596
	struct ieee80211_sub_if_data *sdata = sta->sdata;
1597
	struct ieee80211_local *local = sdata->local;
1598
	struct ps_data *ps;
1599
	int tid;
1600

1601 1602 1603 1604 1605 1606 1607
	if (sta->sdata->vif.type == NL80211_IFTYPE_AP ||
	    sta->sdata->vif.type == NL80211_IFTYPE_AP_VLAN)
		ps = &sdata->bss->ps;
	else
		return;

	atomic_inc(&ps->num_sta_ps);
J
Johannes Berg 已提交
1608
	set_sta_flag(sta, WLAN_STA_PS_STA);
1609
	if (!ieee80211_hw_check(&local->hw, AP_LINK_PS))
1610
		drv_sta_notify(local, sdata, STA_NOTIFY_SLEEP, &sta->sta);
J
Johannes Berg 已提交
1611 1612
	ps_dbg(sdata, "STA %pM aid %d enters power save mode\n",
	       sta->sta.addr, sta->sta.aid);
1613

J
Johannes Berg 已提交
1614 1615
	ieee80211_clear_fast_xmit(sta);

1616 1617 1618
	if (!sta->sta.txq[0])
		return;

1619
	for (tid = 0; tid < IEEE80211_NUM_TIDS; tid++) {
1620 1621 1622 1623 1624 1625 1626 1627 1628
		struct ieee80211_txq *txq = sta->sta.txq[tid];
		struct txq_info *txqi = to_txq_info(txq);

		spin_lock(&local->active_txq_lock[txq->ac]);
		if (!list_empty(&txqi->schedule_order))
			list_del_init(&txqi->schedule_order);
		spin_unlock(&local->active_txq_lock[txq->ac]);

		if (txq_has_queue(txq))
1629 1630 1631 1632
			set_bit(tid, &sta->txq_buffered_tids);
		else
			clear_bit(tid, &sta->txq_buffered_tids);
	}
1633 1634
}

1635
static void sta_ps_end(struct sta_info *sta)
1636
{
J
Johannes Berg 已提交
1637 1638
	ps_dbg(sta->sdata, "STA %pM aid %d exits power save mode\n",
	       sta->sta.addr, sta->sta.aid);
1639

J
Johannes Berg 已提交
1640
	if (test_sta_flag(sta, WLAN_STA_PS_DRIVER)) {
1641 1642 1643 1644 1645 1646 1647
		/*
		 * Clear the flag only if the other one is still set
		 * so that the TX path won't start TX'ing new frames
		 * directly ... In the case that the driver flag isn't
		 * set ieee80211_sta_ps_deliver_wakeup() will clear it.
		 */
		clear_sta_flag(sta, WLAN_STA_PS_STA);
J
Johannes Berg 已提交
1648 1649
		ps_dbg(sta->sdata, "STA %pM aid %d driver-ps-blocked\n",
		       sta->sta.addr, sta->sta.aid);
1650 1651 1652
		return;
	}

1653 1654
	set_sta_flag(sta, WLAN_STA_PS_DELIVER);
	clear_sta_flag(sta, WLAN_STA_PS_STA);
1655
	ieee80211_sta_ps_deliver_wakeup(sta);
1656 1657
}

1658
int ieee80211_sta_ps_transition(struct ieee80211_sta *pubsta, bool start)
1659
{
1660
	struct sta_info *sta = container_of(pubsta, struct sta_info, sta);
1661 1662
	bool in_ps;

1663
	WARN_ON(!ieee80211_hw_check(&sta->local->hw, AP_LINK_PS));
1664 1665

	/* Don't let the same PS state be set twice */
1666
	in_ps = test_sta_flag(sta, WLAN_STA_PS_STA);
1667 1668 1669 1670
	if ((start && in_ps) || (!start && !in_ps))
		return -EINVAL;

	if (start)
1671
		sta_ps_start(sta);
1672
	else
1673
		sta_ps_end(sta);
1674 1675 1676 1677 1678

	return 0;
}
EXPORT_SYMBOL(ieee80211_sta_ps_transition);

1679 1680 1681 1682 1683 1684 1685 1686 1687 1688 1689 1690 1691 1692 1693 1694 1695
void ieee80211_sta_pspoll(struct ieee80211_sta *pubsta)
{
	struct sta_info *sta = container_of(pubsta, struct sta_info, sta);

	if (test_sta_flag(sta, WLAN_STA_SP))
		return;

	if (!test_sta_flag(sta, WLAN_STA_PS_DRIVER))
		ieee80211_sta_ps_deliver_poll_response(sta);
	else
		set_sta_flag(sta, WLAN_STA_PSPOLL);
}
EXPORT_SYMBOL(ieee80211_sta_pspoll);

void ieee80211_sta_uapsd_trigger(struct ieee80211_sta *pubsta, u8 tid)
{
	struct sta_info *sta = container_of(pubsta, struct sta_info, sta);
1696
	int ac = ieee80211_ac_from_tid(tid);
1697 1698

	/*
1699 1700
	 * If this AC is not trigger-enabled do nothing unless the
	 * driver is calling us after it already checked.
1701 1702 1703 1704 1705
	 *
	 * NB: This could/should check a separate bitmap of trigger-
	 * enabled queues, but for now we only implement uAPSD w/o
	 * TSPEC changes to the ACs, so they're always the same.
	 */
1706 1707
	if (!(sta->sta.uapsd_queues & ieee80211_ac_to_qos_mask[ac]) &&
	    tid != IEEE80211_NUM_TIDS)
1708 1709 1710 1711 1712 1713 1714 1715 1716 1717 1718 1719 1720
		return;

	/* if we are in a service period, do nothing */
	if (test_sta_flag(sta, WLAN_STA_SP))
		return;

	if (!test_sta_flag(sta, WLAN_STA_PS_DRIVER))
		ieee80211_sta_ps_deliver_uapsd(sta);
	else
		set_sta_flag(sta, WLAN_STA_UAPSD);
}
EXPORT_SYMBOL(ieee80211_sta_uapsd_trigger);

J
Johannes Berg 已提交
1721 1722 1723 1724 1725 1726 1727
static ieee80211_rx_result debug_noinline
ieee80211_rx_h_uapsd_and_pspoll(struct ieee80211_rx_data *rx)
{
	struct ieee80211_sub_if_data *sdata = rx->sdata;
	struct ieee80211_hdr *hdr = (void *)rx->skb->data;
	struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(rx->skb);

1728
	if (!rx->sta)
J
Johannes Berg 已提交
1729 1730 1731 1732 1733 1734 1735 1736 1737 1738 1739
		return RX_CONTINUE;

	if (sdata->vif.type != NL80211_IFTYPE_AP &&
	    sdata->vif.type != NL80211_IFTYPE_AP_VLAN)
		return RX_CONTINUE;

	/*
	 * The device handles station powersave, so don't do anything about
	 * uAPSD and PS-Poll frames (the latter shouldn't even come up from
	 * it to mac80211 since they're handled.)
	 */
1740
	if (ieee80211_hw_check(&sdata->local->hw, AP_LINK_PS))
J
Johannes Berg 已提交
1741 1742 1743 1744 1745 1746 1747
		return RX_CONTINUE;

	/*
	 * Don't do anything if the station isn't already asleep. In
	 * the uAPSD case, the station will probably be marked asleep,
	 * in the PS-Poll case the station must be confused ...
	 */
J
Johannes Berg 已提交
1748
	if (!test_sta_flag(rx->sta, WLAN_STA_PS_STA))
J
Johannes Berg 已提交
1749 1750 1751
		return RX_CONTINUE;

	if (unlikely(ieee80211_is_pspoll(hdr->frame_control))) {
1752
		ieee80211_sta_pspoll(&rx->sta->sta);
J
Johannes Berg 已提交
1753 1754 1755 1756 1757 1758 1759 1760 1761 1762 1763

		/* Free PS Poll skb here instead of returning RX_DROP that would
		 * count as an dropped frame. */
		dev_kfree_skb(rx->skb);

		return RX_QUEUED;
	} else if (!ieee80211_has_morefrags(hdr->frame_control) &&
		   !(status->rx_flags & IEEE80211_RX_DEFERRED_RELEASE) &&
		   ieee80211_has_pm(hdr->frame_control) &&
		   (ieee80211_is_data_qos(hdr->frame_control) ||
		    ieee80211_is_qos_nullfunc(hdr->frame_control))) {
S
Sara Sharon 已提交
1764
		u8 tid = ieee80211_get_tid(hdr);
J
Johannes Berg 已提交
1765

1766
		ieee80211_sta_uapsd_trigger(&rx->sta->sta, tid);
J
Johannes Berg 已提交
1767 1768 1769 1770 1771
	}

	return RX_CONTINUE;
}

1772
static ieee80211_rx_result debug_noinline
1773
ieee80211_rx_h_sta_process(struct ieee80211_rx_data *rx)
1774 1775
{
	struct sta_info *sta = rx->sta;
J
Johannes Berg 已提交
1776 1777 1778
	struct sk_buff *skb = rx->skb;
	struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(skb);
	struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)skb->data;
1779
	int i;
1780 1781

	if (!sta)
1782
		return RX_CONTINUE;
1783

J
Johannes Berg 已提交
1784 1785
	/*
	 * Update last_rx only for IBSS packets which are for the current
1786 1787 1788 1789 1790
	 * BSSID and for station already AUTHORIZED to avoid keeping the
	 * current IBSS network alive in cases where other STAs start
	 * using different BSSID. This will also give the station another
	 * chance to restart the authentication/authorization in case
	 * something went wrong the first time.
J
Johannes Berg 已提交
1791
	 */
1792
	if (rx->sdata->vif.type == NL80211_IFTYPE_ADHOC) {
1793
		u8 *bssid = ieee80211_get_bssid(hdr, rx->skb->len,
1794
						NL80211_IFTYPE_ADHOC);
1795 1796
		if (ether_addr_equal(bssid, rx->sdata->u.ibss.bssid) &&
		    test_sta_flag(sta, WLAN_STA_AUTHORIZED)) {
1797
			sta->rx_stats.last_rx = jiffies;
1798
			if (ieee80211_is_data(hdr->frame_control) &&
1799 1800 1801
			    !is_multicast_ether_addr(hdr->addr1))
				sta->rx_stats.last_rate =
					sta_stats_encode_rate(status);
1802
		}
1803
	} else if (rx->sdata->vif.type == NL80211_IFTYPE_OCB) {
1804
		sta->rx_stats.last_rx = jiffies;
J
Johannes Berg 已提交
1805 1806
	} else if (!is_multicast_ether_addr(hdr->addr1)) {
		/*
1807 1808
		 * Mesh beacons will update last_rx when if they are found to
		 * match the current local configuration when processed.
1809
		 */
1810
		sta->rx_stats.last_rx = jiffies;
1811 1812
		if (ieee80211_is_data(hdr->frame_control))
			sta->rx_stats.last_rate = sta_stats_encode_rate(status);
1813 1814
	}

1815
	sta->rx_stats.fragments++;
1816 1817

	u64_stats_update_begin(&rx->sta->rx_stats.syncp);
1818
	sta->rx_stats.bytes += rx->skb->len;
1819 1820
	u64_stats_update_end(&rx->sta->rx_stats.syncp);

1821
	if (!(status->flag & RX_FLAG_NO_SIGNAL_VAL)) {
1822
		sta->rx_stats.last_signal = status->signal;
1823
		ewma_signal_add(&sta->rx_stats_avg.signal, -status->signal);
1824
	}
1825

1826
	if (status->chains) {
1827
		sta->rx_stats.chains = status->chains;
1828 1829 1830 1831 1832 1833
		for (i = 0; i < ARRAY_SIZE(status->chain_signal); i++) {
			int signal = status->chain_signal[i];

			if (!(status->chains & BIT(i)))
				continue;

1834
			sta->rx_stats.chain_signal_last[i] = signal;
1835
			ewma_signal_add(&sta->rx_stats_avg.chain_signal[i],
1836
					-signal);
1837 1838 1839
		}
	}

1840 1841
	/*
	 * Change STA power saving mode only at the end of a frame
1842 1843
	 * exchange sequence, and only for a data or management
	 * frame as specified in IEEE 802.11-2016 11.2.3.2
1844
	 */
1845
	if (!ieee80211_hw_check(&sta->local->hw, AP_LINK_PS) &&
1846
	    !ieee80211_has_morefrags(hdr->frame_control) &&
1847
	    !is_multicast_ether_addr(hdr->addr1) &&
1848 1849
	    (ieee80211_is_mgmt(hdr->frame_control) ||
	     ieee80211_is_data(hdr->frame_control)) &&
1850
	    !(status->rx_flags & IEEE80211_RX_DEFERRED_RELEASE) &&
1851
	    (rx->sdata->vif.type == NL80211_IFTYPE_AP ||
1852
	     rx->sdata->vif.type == NL80211_IFTYPE_AP_VLAN)) {
J
Johannes Berg 已提交
1853
		if (test_sta_flag(sta, WLAN_STA_PS_STA)) {
1854
			if (!ieee80211_has_pm(hdr->frame_control))
1855
				sta_ps_end(sta);
1856 1857
		} else {
			if (ieee80211_has_pm(hdr->frame_control))
1858
				sta_ps_start(sta);
1859
		}
1860 1861
	}

M
Marco Porsch 已提交
1862 1863 1864 1865
	/* mesh power save support */
	if (ieee80211_vif_is_mesh(&rx->sdata->vif))
		ieee80211_mps_rx_h_sta_process(sta, hdr);

1866 1867 1868 1869
	/*
	 * Drop (qos-)data::nullfunc frames silently, since they
	 * are used only to control station power saving mode.
	 */
1870
	if (ieee80211_is_any_nullfunc(hdr->frame_control)) {
1871
		I802_DEBUG_INC(rx->local->rx_handlers_drop_nullfunc);
1872 1873 1874

		/*
		 * If we receive a 4-addr nullfunc frame from a STA
1875 1876 1877
		 * that was not moved to a 4-addr STA vlan yet send
		 * the event to userspace and for older hostapd drop
		 * the frame to the monitor interface.
1878 1879 1880 1881
		 */
		if (ieee80211_has_a4(hdr->frame_control) &&
		    (rx->sdata->vif.type == NL80211_IFTYPE_AP ||
		     (rx->sdata->vif.type == NL80211_IFTYPE_AP_VLAN &&
1882 1883 1884 1885 1886
		      !rx->sdata->u.vlan.sta))) {
			if (!test_and_set_sta_flag(sta, WLAN_STA_4ADDR_EVENT))
				cfg80211_rx_unexpected_4addr_frame(
					rx->sdata->dev, sta->sta.addr,
					GFP_ATOMIC);
1887
			return RX_DROP_MONITOR;
1888
		}
1889 1890 1891 1892
		/*
		 * Update counter and free packet here to avoid
		 * counting this as a dropped packed.
		 */
1893
		sta->rx_stats.packets++;
1894
		dev_kfree_skb(rx->skb);
1895
		return RX_QUEUED;
1896 1897
	}

1898
	return RX_CONTINUE;
1899 1900
} /* ieee80211_rx_h_sta_process */

1901 1902 1903 1904 1905 1906 1907 1908 1909 1910 1911 1912 1913 1914 1915 1916 1917 1918 1919 1920 1921 1922 1923 1924 1925 1926 1927 1928 1929 1930 1931 1932 1933 1934 1935
static struct ieee80211_key *
ieee80211_rx_get_bigtk(struct ieee80211_rx_data *rx, int idx)
{
	struct ieee80211_key *key = NULL;
	struct ieee80211_sub_if_data *sdata = rx->sdata;
	int idx2;

	/* Make sure key gets set if either BIGTK key index is set so that
	 * ieee80211_drop_unencrypted_mgmt() can properly drop both unprotected
	 * Beacon frames and Beacon frames that claim to use another BIGTK key
	 * index (i.e., a key that we do not have).
	 */

	if (idx < 0) {
		idx = NUM_DEFAULT_KEYS + NUM_DEFAULT_MGMT_KEYS;
		idx2 = idx + 1;
	} else {
		if (idx == NUM_DEFAULT_KEYS + NUM_DEFAULT_MGMT_KEYS)
			idx2 = idx + 1;
		else
			idx2 = idx - 1;
	}

	if (rx->sta)
		key = rcu_dereference(rx->sta->gtk[idx]);
	if (!key)
		key = rcu_dereference(sdata->keys[idx]);
	if (!key && rx->sta)
		key = rcu_dereference(rx->sta->gtk[idx2]);
	if (!key)
		key = rcu_dereference(sdata->keys[idx2]);

	return key;
}

1936 1937 1938 1939 1940 1941 1942 1943 1944
static ieee80211_rx_result debug_noinline
ieee80211_rx_h_decrypt(struct ieee80211_rx_data *rx)
{
	struct sk_buff *skb = rx->skb;
	struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(skb);
	struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)skb->data;
	int keyidx;
	ieee80211_rx_result result = RX_DROP_UNUSABLE;
	struct ieee80211_key *sta_ptk = NULL;
1945
	struct ieee80211_key *ptk_idx = NULL;
1946 1947
	int mmie_keyidx = -1;
	__le16 fc;
1948
	const struct ieee80211_cipher_scheme *cs = NULL;
1949 1950 1951 1952

	/*
	 * Key selection 101
	 *
1953
	 * There are five types of keys:
1954 1955
	 *  - GTK (group keys)
	 *  - IGTK (group keys for management frames)
1956
	 *  - BIGTK (group keys for Beacon frames)
1957 1958 1959 1960 1961
	 *  - PTK (pairwise keys)
	 *  - STK (station-to-station pairwise keys)
	 *
	 * When selecting a key, we have to distinguish between multicast
	 * (including broadcast) and unicast frames, the latter can only
1962 1963 1964
	 * use PTKs and STKs while the former always use GTKs, IGTKs, and
	 * BIGTKs. Unless, of course, actual WEP keys ("pre-RSNA") are used,
	 * then unicast frames can also use key indices like GTKs. Hence, if we
1965 1966 1967 1968 1969 1970 1971 1972 1973 1974 1975 1976 1977 1978 1979
	 * don't have a PTK/STK we check the key index for a WEP key.
	 *
	 * Note that in a regular BSS, multicast frames are sent by the
	 * AP only, associated stations unicast the frame to the AP first
	 * which then multicasts it on their behalf.
	 *
	 * There is also a slight problem in IBSS mode: GTKs are negotiated
	 * with each station, that is something we don't currently handle.
	 * The spec seems to expect that one negotiates the same key with
	 * every station but there's no such requirement; VLANs could be
	 * possible.
	 */

	/* start without a key */
	rx->key = NULL;
1980
	fc = hdr->frame_control;
1981

1982 1983
	if (rx->sta) {
		int keyid = rx->sta->ptk_idx;
1984
		sta_ptk = rcu_dereference(rx->sta->ptk[keyid]);
1985

1986
		if (ieee80211_has_protected(fc)) {
1987
			cs = rx->sta->cipher_scheme;
1988 1989
			keyid = ieee80211_get_keyid(rx->skb, cs);

1990 1991
			if (unlikely(keyid < 0))
				return RX_DROP_UNUSABLE;
1992 1993

			ptk_idx = rcu_dereference(rx->sta->ptk[keyid]);
1994 1995
		}
	}
1996 1997 1998 1999 2000

	if (!ieee80211_has_protected(fc))
		mmie_keyidx = ieee80211_get_mmie_keyidx(rx->skb);

	if (!is_multicast_ether_addr(hdr->addr1) && sta_ptk) {
2001
		rx->key = ptk_idx ? ptk_idx : sta_ptk;
2002 2003 2004 2005 2006 2007
		if ((status->flag & RX_FLAG_DECRYPTED) &&
		    (status->flag & RX_FLAG_IV_STRIPPED))
			return RX_CONTINUE;
		/* Skip decryption if the frame is not protected. */
		if (!ieee80211_has_protected(fc))
			return RX_CONTINUE;
2008 2009 2010 2011 2012 2013 2014 2015
	} else if (mmie_keyidx >= 0 && ieee80211_is_beacon(fc)) {
		/* Broadcast/multicast robust management frame / BIP */
		if ((status->flag & RX_FLAG_DECRYPTED) &&
		    (status->flag & RX_FLAG_IV_STRIPPED))
			return RX_CONTINUE;

		if (mmie_keyidx < NUM_DEFAULT_KEYS + NUM_DEFAULT_MGMT_KEYS ||
		    mmie_keyidx >= NUM_DEFAULT_KEYS + NUM_DEFAULT_MGMT_KEYS +
2016 2017 2018 2019
		    NUM_DEFAULT_BEACON_KEYS) {
			cfg80211_rx_unprot_mlme_mgmt(rx->sdata->dev,
						     skb->data,
						     skb->len);
2020
			return RX_DROP_MONITOR; /* unexpected BIP keyidx */
2021
		}
2022 2023 2024 2025

		rx->key = ieee80211_rx_get_bigtk(rx, mmie_keyidx);
		if (!rx->key)
			return RX_CONTINUE; /* Beacon protection not in use */
2026 2027 2028 2029 2030 2031 2032 2033 2034
	} else if (mmie_keyidx >= 0) {
		/* Broadcast/multicast robust management frame / BIP */
		if ((status->flag & RX_FLAG_DECRYPTED) &&
		    (status->flag & RX_FLAG_IV_STRIPPED))
			return RX_CONTINUE;

		if (mmie_keyidx < NUM_DEFAULT_KEYS ||
		    mmie_keyidx >= NUM_DEFAULT_KEYS + NUM_DEFAULT_MGMT_KEYS)
			return RX_DROP_MONITOR; /* unexpected BIP keyidx */
2035 2036 2037 2038 2039
		if (rx->sta) {
			if (ieee80211_is_group_privacy_action(skb) &&
			    test_sta_flag(rx->sta, WLAN_STA_MFP))
				return RX_DROP_MONITOR;

2040
			rx->key = rcu_dereference(rx->sta->gtk[mmie_keyidx]);
2041
		}
2042 2043 2044 2045 2046 2047 2048 2049 2050 2051 2052 2053 2054
		if (!rx->key)
			rx->key = rcu_dereference(rx->sdata->keys[mmie_keyidx]);
	} else if (!ieee80211_has_protected(fc)) {
		/*
		 * The frame was not protected, so skip decryption. However, we
		 * need to set rx->key if there is a key that could have been
		 * used so that the frame may be dropped if encryption would
		 * have been expected.
		 */
		struct ieee80211_key *key = NULL;
		struct ieee80211_sub_if_data *sdata = rx->sdata;
		int i;

2055 2056 2057 2058 2059 2060
		if (ieee80211_is_beacon(fc)) {
			key = ieee80211_rx_get_bigtk(rx, -1);
		} else if (ieee80211_is_mgmt(fc) &&
			   is_multicast_ether_addr(hdr->addr1)) {
			key = rcu_dereference(rx->sdata->default_mgmt_key);
		} else {
2061 2062 2063 2064 2065 2066 2067 2068 2069 2070 2071 2072 2073 2074 2075
			if (rx->sta) {
				for (i = 0; i < NUM_DEFAULT_KEYS; i++) {
					key = rcu_dereference(rx->sta->gtk[i]);
					if (key)
						break;
				}
			}
			if (!key) {
				for (i = 0; i < NUM_DEFAULT_KEYS; i++) {
					key = rcu_dereference(sdata->keys[i]);
					if (key)
						break;
				}
			}
		}
2076 2077
		if (key)
			rx->key = key;
2078 2079 2080 2081 2082 2083 2084 2085 2086 2087 2088 2089 2090 2091 2092
		return RX_CONTINUE;
	} else {
		/*
		 * The device doesn't give us the IV so we won't be
		 * able to look up the key. That's ok though, we
		 * don't need to decrypt the frame, we just won't
		 * be able to keep statistics accurate.
		 * Except for key threshold notifications, should
		 * we somehow allow the driver to tell us which key
		 * the hardware used if this flag is set?
		 */
		if ((status->flag & RX_FLAG_DECRYPTED) &&
		    (status->flag & RX_FLAG_IV_STRIPPED))
			return RX_CONTINUE;

2093
		keyidx = ieee80211_get_keyid(rx->skb, cs);
2094

2095 2096
		if (unlikely(keyidx < 0))
			return RX_DROP_UNUSABLE;
2097 2098 2099 2100 2101 2102 2103 2104 2105 2106 2107 2108 2109 2110 2111 2112 2113 2114 2115 2116 2117 2118 2119 2120 2121 2122 2123 2124 2125 2126 2127 2128 2129 2130 2131 2132 2133 2134 2135 2136

		/* check per-station GTK first, if multicast packet */
		if (is_multicast_ether_addr(hdr->addr1) && rx->sta)
			rx->key = rcu_dereference(rx->sta->gtk[keyidx]);

		/* if not found, try default key */
		if (!rx->key) {
			rx->key = rcu_dereference(rx->sdata->keys[keyidx]);

			/*
			 * RSNA-protected unicast frames should always be
			 * sent with pairwise or station-to-station keys,
			 * but for WEP we allow using a key index as well.
			 */
			if (rx->key &&
			    rx->key->conf.cipher != WLAN_CIPHER_SUITE_WEP40 &&
			    rx->key->conf.cipher != WLAN_CIPHER_SUITE_WEP104 &&
			    !is_multicast_ether_addr(hdr->addr1))
				rx->key = NULL;
		}
	}

	if (rx->key) {
		if (unlikely(rx->key->flags & KEY_FLAG_TAINTED))
			return RX_DROP_MONITOR;

		/* TODO: add threshold stuff again */
	} else {
		return RX_DROP_MONITOR;
	}

	switch (rx->key->conf.cipher) {
	case WLAN_CIPHER_SUITE_WEP40:
	case WLAN_CIPHER_SUITE_WEP104:
		result = ieee80211_crypto_wep_decrypt(rx);
		break;
	case WLAN_CIPHER_SUITE_TKIP:
		result = ieee80211_crypto_tkip_decrypt(rx);
		break;
	case WLAN_CIPHER_SUITE_CCMP:
J
Jouni Malinen 已提交
2137 2138 2139 2140 2141 2142
		result = ieee80211_crypto_ccmp_decrypt(
			rx, IEEE80211_CCMP_MIC_LEN);
		break;
	case WLAN_CIPHER_SUITE_CCMP_256:
		result = ieee80211_crypto_ccmp_decrypt(
			rx, IEEE80211_CCMP_256_MIC_LEN);
2143 2144 2145 2146
		break;
	case WLAN_CIPHER_SUITE_AES_CMAC:
		result = ieee80211_crypto_aes_cmac_decrypt(rx);
		break;
2147 2148 2149
	case WLAN_CIPHER_SUITE_BIP_CMAC_256:
		result = ieee80211_crypto_aes_cmac_256_decrypt(rx);
		break;
2150 2151 2152 2153
	case WLAN_CIPHER_SUITE_BIP_GMAC_128:
	case WLAN_CIPHER_SUITE_BIP_GMAC_256:
		result = ieee80211_crypto_aes_gmac_decrypt(rx);
		break;
2154 2155 2156 2157
	case WLAN_CIPHER_SUITE_GCMP:
	case WLAN_CIPHER_SUITE_GCMP_256:
		result = ieee80211_crypto_gcmp_decrypt(rx);
		break;
2158
	default:
2159
		result = ieee80211_crypto_hw_decrypt(rx);
2160 2161 2162 2163 2164 2165 2166
	}

	/* the hdr variable is invalid after the decrypt handlers */

	/* either the frame has been decrypted or will be dropped */
	status->flag |= RX_FLAG_DECRYPTED;

2167 2168 2169 2170
	if (unlikely(ieee80211_is_beacon(fc) && result == RX_DROP_UNUSABLE))
		cfg80211_rx_unprot_mlme_mgmt(rx->sdata->dev,
					     skb->data, skb->len);

2171 2172 2173
	return result;
}

2174 2175 2176 2177 2178 2179 2180 2181 2182 2183 2184
static inline struct ieee80211_fragment_entry *
ieee80211_reassemble_add(struct ieee80211_sub_if_data *sdata,
			 unsigned int frag, unsigned int seq, int rx_queue,
			 struct sk_buff **skb)
{
	struct ieee80211_fragment_entry *entry;

	entry = &sdata->fragments[sdata->fragment_next++];
	if (sdata->fragment_next >= IEEE80211_FRAGMENT_MAX)
		sdata->fragment_next = 0;

J
Johannes Berg 已提交
2185
	if (!skb_queue_empty(&entry->skb_list))
2186 2187 2188 2189 2190 2191 2192 2193
		__skb_queue_purge(&entry->skb_list);

	__skb_queue_tail(&entry->skb_list, *skb); /* no need for locking */
	*skb = NULL;
	entry->first_frag_time = jiffies;
	entry->seq = seq;
	entry->rx_queue = rx_queue;
	entry->last_frag = frag;
2194
	entry->check_sequential_pn = false;
2195 2196 2197 2198 2199 2200 2201
	entry->extra_len = 0;

	return entry;
}

static inline struct ieee80211_fragment_entry *
ieee80211_reassemble_find(struct ieee80211_sub_if_data *sdata,
2202
			  unsigned int frag, unsigned int seq,
2203 2204 2205 2206 2207 2208 2209 2210
			  int rx_queue, struct ieee80211_hdr *hdr)
{
	struct ieee80211_fragment_entry *entry;
	int i, idx;

	idx = sdata->fragment_next;
	for (i = 0; i < IEEE80211_FRAGMENT_MAX; i++) {
		struct ieee80211_hdr *f_hdr;
2211
		struct sk_buff *f_skb;
2212 2213 2214 2215 2216 2217 2218 2219 2220 2221 2222

		idx--;
		if (idx < 0)
			idx = IEEE80211_FRAGMENT_MAX - 1;

		entry = &sdata->fragments[idx];
		if (skb_queue_empty(&entry->skb_list) || entry->seq != seq ||
		    entry->rx_queue != rx_queue ||
		    entry->last_frag + 1 != frag)
			continue;

2223 2224
		f_skb = __skb_peek(&entry->skb_list);
		f_hdr = (struct ieee80211_hdr *) f_skb->data;
2225

2226 2227 2228 2229 2230
		/*
		 * Check ftype and addresses are equal, else check next fragment
		 */
		if (((hdr->frame_control ^ f_hdr->frame_control) &
		     cpu_to_le16(IEEE80211_FCTL_FTYPE)) ||
2231 2232
		    !ether_addr_equal(hdr->addr1, f_hdr->addr1) ||
		    !ether_addr_equal(hdr->addr2, f_hdr->addr2))
2233 2234
			continue;

2235
		if (time_after(jiffies, entry->first_frag_time + 2 * HZ)) {
2236 2237 2238 2239 2240 2241 2242 2243 2244
			__skb_queue_purge(&entry->skb_list);
			continue;
		}
		return entry;
	}

	return NULL;
}

2245
static ieee80211_rx_result debug_noinline
2246
ieee80211_rx_h_defragment(struct ieee80211_rx_data *rx)
2247 2248 2249
{
	struct ieee80211_hdr *hdr;
	u16 sc;
2250
	__le16 fc;
2251 2252 2253 2254
	unsigned int frag, seq;
	struct ieee80211_fragment_entry *entry;
	struct sk_buff *skb;

2255
	hdr = (struct ieee80211_hdr *)rx->skb->data;
2256
	fc = hdr->frame_control;
2257 2258 2259 2260

	if (ieee80211_is_ctl(fc))
		return RX_CONTINUE;

2261 2262 2263
	sc = le16_to_cpu(hdr->seq_ctrl);
	frag = sc & IEEE80211_SCTL_FRAG;

2264
	if (is_multicast_ether_addr(hdr->addr1)) {
2265
		I802_DEBUG_INC(rx->local->dot11MulticastReceivedFrameCount);
2266
		goto out_no_led;
2267
	}
2268

2269 2270 2271
	if (likely(!ieee80211_has_morefrags(fc) && frag == 0))
		goto out;

2272 2273
	I802_DEBUG_INC(rx->local->rx_handlers_fragments);

Z
Zhu Yi 已提交
2274 2275 2276
	if (skb_linearize(rx->skb))
		return RX_DROP_UNUSABLE;

2277 2278 2279 2280 2281 2282
	/*
	 *  skb_linearize() might change the skb->data and
	 *  previously cached variables (in this case, hdr) need to
	 *  be refreshed with the new data.
	 */
	hdr = (struct ieee80211_hdr *)rx->skb->data;
2283 2284 2285 2286 2287
	seq = (sc & IEEE80211_SCTL_SEQ) >> 4;

	if (frag == 0) {
		/* This is the first fragment of a new frame. */
		entry = ieee80211_reassemble_add(rx->sdata, frag, seq,
2288
						 rx->seqno_idx, &(rx->skb));
J
Jouni Malinen 已提交
2289 2290
		if (rx->key &&
		    (rx->key->conf.cipher == WLAN_CIPHER_SUITE_CCMP ||
2291 2292 2293
		     rx->key->conf.cipher == WLAN_CIPHER_SUITE_CCMP_256 ||
		     rx->key->conf.cipher == WLAN_CIPHER_SUITE_GCMP ||
		     rx->key->conf.cipher == WLAN_CIPHER_SUITE_GCMP_256) &&
2294
		    ieee80211_has_protected(fc)) {
2295
			int queue = rx->security_idx;
2296 2297 2298 2299 2300

			/* Store CCMP/GCMP PN so that we can verify that the
			 * next fragment has a sequential PN value.
			 */
			entry->check_sequential_pn = true;
2301
			memcpy(entry->last_pn,
2302
			       rx->key->u.ccmp.rx_pn[queue],
2303
			       IEEE80211_CCMP_PN_LEN);
2304 2305 2306 2307 2308 2309 2310 2311
			BUILD_BUG_ON(offsetof(struct ieee80211_key,
					      u.ccmp.rx_pn) !=
				     offsetof(struct ieee80211_key,
					      u.gcmp.rx_pn));
			BUILD_BUG_ON(sizeof(rx->key->u.ccmp.rx_pn[queue]) !=
				     sizeof(rx->key->u.gcmp.rx_pn[queue]));
			BUILD_BUG_ON(IEEE80211_CCMP_PN_LEN !=
				     IEEE80211_GCMP_PN_LEN);
2312
		}
2313
		return RX_QUEUED;
2314 2315 2316 2317 2318
	}

	/* This is a fragment for a frame that should already be pending in
	 * fragment cache. Add this fragment to the end of the pending entry.
	 */
2319 2320
	entry = ieee80211_reassemble_find(rx->sdata, frag, seq,
					  rx->seqno_idx, hdr);
2321 2322
	if (!entry) {
		I802_DEBUG_INC(rx->local->rx_handlers_drop_defrag);
J
Johannes Berg 已提交
2323
		return RX_DROP_MONITOR;
2324 2325
	}

2326 2327 2328 2329 2330 2331
	/* "The receiver shall discard MSDUs and MMPDUs whose constituent
	 *  MPDU PN values are not incrementing in steps of 1."
	 * see IEEE P802.11-REVmc/D5.0, 12.5.3.4.4, item d (for CCMP)
	 * and IEEE P802.11-REVmc/D5.0, 12.5.5.4.4, item d (for GCMP)
	 */
	if (entry->check_sequential_pn) {
2332
		int i;
2333
		u8 pn[IEEE80211_CCMP_PN_LEN], *rpn;
2334
		int queue;
2335

J
Jouni Malinen 已提交
2336 2337
		if (!rx->key ||
		    (rx->key->conf.cipher != WLAN_CIPHER_SUITE_CCMP &&
2338 2339 2340
		     rx->key->conf.cipher != WLAN_CIPHER_SUITE_CCMP_256 &&
		     rx->key->conf.cipher != WLAN_CIPHER_SUITE_GCMP &&
		     rx->key->conf.cipher != WLAN_CIPHER_SUITE_GCMP_256))
J
Johannes Berg 已提交
2341
			return RX_DROP_UNUSABLE;
2342 2343
		memcpy(pn, entry->last_pn, IEEE80211_CCMP_PN_LEN);
		for (i = IEEE80211_CCMP_PN_LEN - 1; i >= 0; i--) {
2344 2345 2346 2347
			pn[i]++;
			if (pn[i])
				break;
		}
2348
		queue = rx->security_idx;
2349
		rpn = rx->key->u.ccmp.rx_pn[queue];
2350
		if (memcmp(pn, rpn, IEEE80211_CCMP_PN_LEN))
J
Johannes Berg 已提交
2351
			return RX_DROP_UNUSABLE;
2352
		memcpy(entry->last_pn, pn, IEEE80211_CCMP_PN_LEN);
2353 2354
	}

2355
	skb_pull(rx->skb, ieee80211_hdrlen(fc));
2356 2357 2358
	__skb_queue_tail(&entry->skb_list, rx->skb);
	entry->last_frag = frag;
	entry->extra_len += rx->skb->len;
2359
	if (ieee80211_has_morefrags(fc)) {
2360
		rx->skb = NULL;
2361
		return RX_QUEUED;
2362 2363 2364 2365
	}

	rx->skb = __skb_dequeue(&entry->skb_list);
	if (skb_tailroom(rx->skb) < entry->extra_len) {
2366
		I802_DEBUG_INC(rx->local->rx_expand_skb_head_defrag);
2367 2368 2369 2370
		if (unlikely(pskb_expand_head(rx->skb, 0, entry->extra_len,
					      GFP_ATOMIC))) {
			I802_DEBUG_INC(rx->local->rx_handlers_drop_defrag);
			__skb_queue_purge(&entry->skb_list);
J
Johannes Berg 已提交
2371
			return RX_DROP_UNUSABLE;
2372 2373 2374
		}
	}
	while ((skb = __skb_dequeue(&entry->skb_list))) {
2375
		skb_put_data(rx->skb, skb->data, skb->len);
2376 2377 2378 2379
		dev_kfree_skb(skb);
	}

 out:
2380 2381
	ieee80211_led_rx(rx->local);
 out_no_led:
2382
	if (rx->sta)
2383
		rx->sta->rx_stats.packets++;
2384
	return RX_CONTINUE;
2385 2386
}

J
Johannes Berg 已提交
2387
static int ieee80211_802_1x_port_control(struct ieee80211_rx_data *rx)
2388
{
J
Johannes Berg 已提交
2389
	if (unlikely(!rx->sta || !test_sta_flag(rx->sta, WLAN_STA_AUTHORIZED)))
2390
		return -EACCES;
2391

2392
	return 0;
2393 2394
}

J
Johannes Berg 已提交
2395
static int ieee80211_drop_unencrypted(struct ieee80211_rx_data *rx, __le16 fc)
2396
{
2397
	struct ieee80211_hdr *hdr = (void *)rx->skb->data;
J
Johannes Berg 已提交
2398 2399 2400
	struct sk_buff *skb = rx->skb;
	struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(skb);

2401
	/*
2402 2403
	 * Pass through unencrypted frames if the hardware has
	 * decrypted them already.
2404
	 */
J
Johannes Berg 已提交
2405
	if (status->flag & RX_FLAG_DECRYPTED)
2406
		return 0;
2407

2408 2409 2410 2411 2412 2413 2414 2415 2416 2417 2418 2419 2420 2421 2422 2423 2424 2425 2426 2427 2428 2429 2430 2431 2432
	/* check mesh EAPOL frames first */
	if (unlikely(rx->sta && ieee80211_vif_is_mesh(&rx->sdata->vif) &&
		     ieee80211_is_data(fc))) {
		struct ieee80211s_hdr *mesh_hdr;
		u16 hdr_len = ieee80211_hdrlen(fc);
		u16 ethertype_offset;
		__be16 ethertype;

		if (!ether_addr_equal(hdr->addr1, rx->sdata->vif.addr))
			goto drop_check;

		/* make sure fixed part of mesh header is there, also checks skb len */
		if (!pskb_may_pull(rx->skb, hdr_len + 6))
			goto drop_check;

		mesh_hdr = (struct ieee80211s_hdr *)(skb->data + hdr_len);
		ethertype_offset = hdr_len + ieee80211_get_mesh_hdrlen(mesh_hdr) +
				   sizeof(rfc1042_header);

		if (skb_copy_bits(rx->skb, ethertype_offset, &ethertype, 2) == 0 &&
		    ethertype == rx->sdata->control_port_protocol)
			return 0;
	}

drop_check:
2433
	/* Drop unencrypted frames if key is set. */
2434
	if (unlikely(!ieee80211_has_protected(fc) &&
2435
		     !ieee80211_is_any_nullfunc(fc) &&
2436
		     ieee80211_is_data(fc) && rx->key))
2437
		return -EACCES;
2438 2439 2440 2441

	return 0;
}

J
Johannes Berg 已提交
2442
static int ieee80211_drop_unencrypted_mgmt(struct ieee80211_rx_data *rx)
2443 2444
{
	struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)rx->skb->data;
2445
	struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(rx->skb);
2446 2447
	__le16 fc = hdr->frame_control;

2448 2449 2450 2451 2452 2453
	/*
	 * Pass through unencrypted frames if the hardware has
	 * decrypted them already.
	 */
	if (status->flag & RX_FLAG_DECRYPTED)
		return 0;
2454

J
Johannes Berg 已提交
2455
	if (rx->sta && test_sta_flag(rx->sta, WLAN_STA_MFP)) {
2456 2457
		if (unlikely(!ieee80211_has_protected(fc) &&
			     ieee80211_is_unicast_robust_mgmt_frame(rx->skb) &&
2458
			     rx->key)) {
2459 2460 2461 2462 2463
			if (ieee80211_is_deauth(fc) ||
			    ieee80211_is_disassoc(fc))
				cfg80211_rx_unprot_mlme_mgmt(rx->sdata->dev,
							     rx->skb->data,
							     rx->skb->len);
2464
			return -EACCES;
2465
		}
2466
		/* BIP does not use Protected field, so need to check MMIE */
2467
		if (unlikely(ieee80211_is_multicast_robust_mgmt_frame(rx->skb) &&
2468
			     ieee80211_get_mmie_keyidx(rx->skb) < 0)) {
2469 2470 2471 2472 2473
			if (ieee80211_is_deauth(fc) ||
			    ieee80211_is_disassoc(fc))
				cfg80211_rx_unprot_mlme_mgmt(rx->sdata->dev,
							     rx->skb->data,
							     rx->skb->len);
2474
			return -EACCES;
2475
		}
2476
		if (unlikely(ieee80211_is_beacon(fc) && rx->key &&
2477 2478 2479 2480
			     ieee80211_get_mmie_keyidx(rx->skb) < 0)) {
			cfg80211_rx_unprot_mlme_mgmt(rx->sdata->dev,
						     rx->skb->data,
						     rx->skb->len);
2481
			return -EACCES;
2482
		}
2483 2484 2485 2486 2487
		/*
		 * When using MFP, Action frames are not allowed prior to
		 * having configured keys.
		 */
		if (unlikely(ieee80211_is_action(fc) && !rx->key &&
2488
			     ieee80211_is_robust_mgmt_frame(rx->skb)))
2489 2490
			return -EACCES;
	}
2491

2492
	return 0;
2493 2494
}

2495
static int
2496
__ieee80211_data_to_8023(struct ieee80211_rx_data *rx, bool *port_control)
2497
{
J
Johannes Berg 已提交
2498
	struct ieee80211_sub_if_data *sdata = rx->sdata;
2499
	struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)rx->skb->data;
2500 2501 2502
	bool check_port_control = false;
	struct ethhdr *ehdr;
	int ret;
2503

2504
	*port_control = false;
2505 2506
	if (ieee80211_has_a4(hdr->frame_control) &&
	    sdata->vif.type == NL80211_IFTYPE_AP_VLAN && !sdata->u.vlan.sta)
2507
		return -1;
2508

2509 2510 2511 2512 2513
	if (sdata->vif.type == NL80211_IFTYPE_STATION &&
	    !!sdata->u.mgd.use_4addr != !!ieee80211_has_a4(hdr->frame_control)) {

		if (!sdata->u.mgd.use_4addr)
			return -1;
2514
		else if (!ether_addr_equal(hdr->addr1, sdata->vif.addr))
2515 2516 2517
			check_port_control = true;
	}

2518
	if (is_multicast_ether_addr(hdr->addr1) &&
2519
	    sdata->vif.type == NL80211_IFTYPE_AP_VLAN && sdata->u.vlan.sta)
2520
		return -1;
2521

2522
	ret = ieee80211_data_to_8023(rx->skb, sdata->vif.addr, sdata->vif.type);
2523
	if (ret < 0)
2524 2525 2526
		return ret;

	ehdr = (struct ethhdr *) rx->skb->data;
2527 2528 2529
	if (ehdr->h_proto == rx->sdata->control_port_protocol)
		*port_control = true;
	else if (check_port_control)
2530 2531 2532
		return -1;

	return 0;
2533
}
2534

2535 2536 2537
/*
 * requires that rx->skb is a frame with ethernet header
 */
2538
static bool ieee80211_frame_allowed(struct ieee80211_rx_data *rx, __le16 fc)
2539
{
2540
	static const u8 pae_group_addr[ETH_ALEN] __aligned(2)
2541 2542 2543 2544 2545 2546 2547
		= { 0x01, 0x80, 0xC2, 0x00, 0x00, 0x03 };
	struct ethhdr *ehdr = (struct ethhdr *) rx->skb->data;

	/*
	 * Allow EAPOL frames to us/the PAE group address regardless
	 * of whether the frame was encrypted or not.
	 */
2548
	if (ehdr->h_proto == rx->sdata->control_port_protocol &&
2549 2550
	    (ether_addr_equal(ehdr->h_dest, rx->sdata->vif.addr) ||
	     ether_addr_equal(ehdr->h_dest, pae_group_addr)))
2551 2552 2553
		return true;

	if (ieee80211_802_1x_port_control(rx) ||
2554
	    ieee80211_drop_unencrypted(rx, fc))
2555 2556 2557 2558 2559
		return false;

	return true;
}

2560 2561 2562 2563 2564 2565 2566
static void ieee80211_deliver_skb_to_local_stack(struct sk_buff *skb,
						 struct ieee80211_rx_data *rx)
{
	struct ieee80211_sub_if_data *sdata = rx->sdata;
	struct net_device *dev = sdata->dev;

	if (unlikely((skb->protocol == sdata->control_port_protocol ||
2567 2568
		     (skb->protocol == cpu_to_be16(ETH_P_PREAUTH) &&
		      !sdata->control_port_no_preauth)) &&
2569 2570
		     sdata->control_port_over_nl80211)) {
		struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(skb);
2571
		bool noencrypt = !(status->flag & RX_FLAG_DECRYPTED);
2572

2573
		cfg80211_rx_control_port(dev, skb, noencrypt);
2574 2575
		dev_kfree_skb(skb);
	} else {
2576 2577
		memset(skb->cb, 0, sizeof(skb->cb));

2578
		/* deliver to local stack */
2579 2580
		if (rx->list)
			list_add_tail(&skb->list, rx->list);
2581 2582 2583 2584 2585
		else
			netif_receive_skb(skb);
	}
}

2586 2587 2588
/*
 * requires that rx->skb is a frame with ethernet header
 */
2589
static void
2590
ieee80211_deliver_skb(struct ieee80211_rx_data *rx)
2591
{
J
Johannes Berg 已提交
2592 2593
	struct ieee80211_sub_if_data *sdata = rx->sdata;
	struct net_device *dev = sdata->dev;
2594
	struct sk_buff *skb, *xmit_skb;
2595 2596
	struct ethhdr *ehdr = (struct ethhdr *) rx->skb->data;
	struct sta_info *dsta;
2597

2598 2599
	skb = rx->skb;
	xmit_skb = NULL;
2600

2601 2602
	ieee80211_rx_stats(dev, skb->len);

2603 2604 2605 2606 2607 2608
	if (rx->sta) {
		/* The seqno index has the same property as needed
		 * for the rx_msdu field, i.e. it is IEEE80211_NUM_TIDS
		 * for non-QoS-data frames. Here we know it's a data
		 * frame, so count MSDUs.
		 */
2609
		u64_stats_update_begin(&rx->sta->rx_stats.syncp);
2610
		rx->sta->rx_stats.msdu[rx->seqno_idx]++;
2611
		u64_stats_update_end(&rx->sta->rx_stats.syncp);
2612 2613
	}

2614 2615
	if ((sdata->vif.type == NL80211_IFTYPE_AP ||
	     sdata->vif.type == NL80211_IFTYPE_AP_VLAN) &&
2616
	    !(sdata->flags & IEEE80211_SDATA_DONT_BRIDGE_PACKETS) &&
2617
	    (sdata->vif.type != NL80211_IFTYPE_AP_VLAN || !sdata->u.vlan.sta)) {
2618 2619
		if (is_multicast_ether_addr(ehdr->h_dest) &&
		    ieee80211_vif_get_num_mcast_if(sdata) != 0) {
2620 2621 2622 2623
			/*
			 * send multicast frames both to higher layers in
			 * local net stack and back to the wireless medium
			 */
2624
			xmit_skb = skb_copy(skb, GFP_ATOMIC);
2625
			if (!xmit_skb)
J
Johannes Berg 已提交
2626
				net_info_ratelimited("%s: failed to clone multicast frame\n",
2627
						    dev->name);
2628 2629 2630
		} else if (!is_multicast_ether_addr(ehdr->h_dest) &&
			   !ether_addr_equal(ehdr->h_dest, ehdr->h_source)) {
			dsta = sta_info_get(sdata, ehdr->h_dest);
2631
			if (dsta) {
2632 2633 2634 2635 2636
				/*
				 * The destination station is associated to
				 * this AP (in this VLAN), so send the frame
				 * directly to it and do not pass it to local
				 * net stack.
2637
				 */
2638
				xmit_skb = skb;
2639 2640 2641 2642 2643
				skb = NULL;
			}
		}
	}

2644
#ifndef CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS
2645 2646 2647 2648 2649 2650
	if (skb) {
		/* 'align' will only take the values 0 or 2 here since all
		 * frames are required to be aligned to 2-byte boundaries
		 * when being passed to mac80211; the code here works just
		 * as well if that isn't true, but mac80211 assumes it can
		 * access fields as 2-byte aligned (e.g. for ether_addr_equal)
2651
		 */
2652 2653 2654
		int align;

		align = (unsigned long)(skb->data + sizeof(struct ethhdr)) & 3;
2655 2656 2657 2658 2659 2660
		if (align) {
			if (WARN_ON(skb_headroom(skb) < 3)) {
				dev_kfree_skb(skb);
				skb = NULL;
			} else {
				u8 *data = skb->data;
2661 2662 2663 2664
				size_t len = skb_headlen(skb);
				skb->data -= align;
				memmove(skb->data, data, len);
				skb_set_tail_pointer(skb, len);
2665 2666
			}
		}
2667
	}
2668 2669
#endif

2670 2671
	if (skb) {
		skb->protocol = eth_type_trans(skb, dev);
2672
		ieee80211_deliver_skb_to_local_stack(skb, rx);
2673 2674
	}

2675
	if (xmit_skb) {
2676 2677 2678 2679 2680 2681
		/*
		 * Send to wireless media and increase priority by 256 to
		 * keep the received priority instead of reclassifying
		 * the frame (see cfg80211_classify8021d).
		 */
		xmit_skb->priority += 256;
2682
		xmit_skb->protocol = htons(ETH_P_802_3);
2683 2684
		skb_reset_network_header(xmit_skb);
		skb_reset_mac_header(xmit_skb);
2685
		dev_queue_xmit(xmit_skb);
2686
	}
2687 2688
}

2689
static ieee80211_rx_result debug_noinline
2690
__ieee80211_rx_h_amsdu(struct ieee80211_rx_data *rx, u8 data_offset)
2691
{
J
Johannes Berg 已提交
2692
	struct net_device *dev = rx->sdata->dev;
Z
Zhu Yi 已提交
2693
	struct sk_buff *skb = rx->skb;
2694 2695
	struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)skb->data;
	__le16 fc = hdr->frame_control;
Z
Zhu Yi 已提交
2696
	struct sk_buff_head frame_list;
2697
	struct ethhdr ethhdr;
2698
	const u8 *check_da = ethhdr.h_dest, *check_sa = ethhdr.h_source;
2699

2700
	if (unlikely(ieee80211_has_a4(hdr->frame_control))) {
2701 2702 2703 2704 2705 2706 2707 2708 2709 2710 2711 2712 2713 2714 2715 2716 2717
		check_da = NULL;
		check_sa = NULL;
	} else switch (rx->sdata->vif.type) {
		case NL80211_IFTYPE_AP:
		case NL80211_IFTYPE_AP_VLAN:
			check_da = NULL;
			break;
		case NL80211_IFTYPE_STATION:
			if (!rx->sta ||
			    !test_sta_flag(rx->sta, WLAN_STA_TDLS_PEER))
				check_sa = NULL;
			break;
		case NL80211_IFTYPE_MESH_POINT:
			check_sa = NULL;
			break;
		default:
			break;
2718
	}
2719

Z
Zhu Yi 已提交
2720 2721
	skb->dev = dev;
	__skb_queue_head_init(&frame_list);
2722

2723 2724
	if (ieee80211_data_to_8023_exthdr(skb, &ethhdr,
					  rx->sdata->vif.addr,
2725 2726
					  rx->sdata->vif.type,
					  data_offset))
2727 2728
		return RX_DROP_UNUSABLE;

Z
Zhu Yi 已提交
2729 2730
	ieee80211_amsdu_to_8023s(skb, &frame_list, dev->dev_addr,
				 rx->sdata->vif.type,
2731
				 rx->local->hw.extra_tx_headroom,
2732
				 check_da, check_sa);
2733

Z
Zhu Yi 已提交
2734 2735
	while (!skb_queue_empty(&frame_list)) {
		rx->skb = __skb_dequeue(&frame_list);
2736

2737
		if (!ieee80211_frame_allowed(rx, fc)) {
Z
Zhu Yi 已提交
2738
			dev_kfree_skb(rx->skb);
2739 2740
			continue;
		}
2741 2742 2743 2744

		ieee80211_deliver_skb(rx);
	}

2745
	return RX_QUEUED;
2746 2747
}

2748 2749 2750 2751 2752 2753 2754 2755 2756 2757 2758 2759 2760 2761 2762 2763 2764 2765 2766 2767 2768 2769 2770 2771 2772 2773 2774 2775 2776 2777 2778 2779 2780 2781 2782 2783 2784 2785
static ieee80211_rx_result debug_noinline
ieee80211_rx_h_amsdu(struct ieee80211_rx_data *rx)
{
	struct sk_buff *skb = rx->skb;
	struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(skb);
	struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)skb->data;
	__le16 fc = hdr->frame_control;

	if (!(status->rx_flags & IEEE80211_RX_AMSDU))
		return RX_CONTINUE;

	if (unlikely(!ieee80211_is_data(fc)))
		return RX_CONTINUE;

	if (unlikely(!ieee80211_is_data_present(fc)))
		return RX_DROP_MONITOR;

	if (unlikely(ieee80211_has_a4(hdr->frame_control))) {
		switch (rx->sdata->vif.type) {
		case NL80211_IFTYPE_AP_VLAN:
			if (!rx->sdata->u.vlan.sta)
				return RX_DROP_UNUSABLE;
			break;
		case NL80211_IFTYPE_STATION:
			if (!rx->sdata->u.mgd.use_4addr)
				return RX_DROP_UNUSABLE;
			break;
		default:
			return RX_DROP_UNUSABLE;
		}
	}

	if (is_multicast_ether_addr(hdr->addr1))
		return RX_DROP_UNUSABLE;

	return __ieee80211_rx_h_amsdu(rx, 0);
}

I
Ingo Molnar 已提交
2786
#ifdef CONFIG_MAC80211_MESH
2787
static ieee80211_rx_result
2788 2789
ieee80211_rx_h_mesh_fwding(struct ieee80211_rx_data *rx)
{
2790 2791
	struct ieee80211_hdr *fwd_hdr, *hdr;
	struct ieee80211_tx_info *info;
2792 2793
	struct ieee80211s_hdr *mesh_hdr;
	struct sk_buff *skb = rx->skb, *fwd_skb;
J
Johannes Berg 已提交
2794
	struct ieee80211_local *local = rx->local;
J
Johannes Berg 已提交
2795
	struct ieee80211_sub_if_data *sdata = rx->sdata;
2796
	struct ieee80211_if_mesh *ifmsh = &sdata->u.mesh;
2797
	u16 ac, q, hdrlen;
2798
	int tailroom = 0;
2799 2800 2801

	hdr = (struct ieee80211_hdr *) skb->data;
	hdrlen = ieee80211_hdrlen(hdr->frame_control);
2802 2803 2804 2805 2806 2807 2808 2809 2810 2811 2812 2813 2814 2815

	/* make sure fixed part of mesh header is there, also checks skb len */
	if (!pskb_may_pull(rx->skb, hdrlen + 6))
		return RX_DROP_MONITOR;

	mesh_hdr = (struct ieee80211s_hdr *) (skb->data + hdrlen);

	/* make sure full mesh header is there, also checks skb len */
	if (!pskb_may_pull(rx->skb,
			   hdrlen + ieee80211_get_mesh_hdrlen(mesh_hdr)))
		return RX_DROP_MONITOR;

	/* reload pointers */
	hdr = (struct ieee80211_hdr *) skb->data;
2816 2817
	mesh_hdr = (struct ieee80211s_hdr *) (skb->data + hdrlen);

2818 2819 2820
	if (ieee80211_drop_unencrypted(rx, hdr->frame_control))
		return RX_DROP_MONITOR;

2821 2822 2823
	/* frame is in RMC, don't forward */
	if (ieee80211_is_data(hdr->frame_control) &&
	    is_multicast_ether_addr(hdr->addr1) &&
J
Johannes Berg 已提交
2824
	    mesh_rmc_check(rx->sdata, hdr->addr3, mesh_hdr))
2825 2826
		return RX_DROP_MONITOR;

2827
	if (!ieee80211_is_data(hdr->frame_control))
2828 2829 2830 2831 2832
		return RX_CONTINUE;

	if (!mesh_hdr->ttl)
		return RX_DROP_MONITOR;

2833
	if (mesh_hdr->flags & MESH_FLAGS_AE) {
2834
		struct mesh_path *mppath;
2835 2836 2837 2838 2839 2840
		char *proxied_addr;
		char *mpp_addr;

		if (is_multicast_ether_addr(hdr->addr1)) {
			mpp_addr = hdr->addr3;
			proxied_addr = mesh_hdr->eaddr1;
2841 2842
		} else if ((mesh_hdr->flags & MESH_FLAGS_AE) ==
			    MESH_FLAGS_AE_A5_A6) {
2843
			/* has_a4 already checked in ieee80211_rx_mesh_check */
2844 2845
			mpp_addr = hdr->addr4;
			proxied_addr = mesh_hdr->eaddr2;
2846 2847
		} else {
			return RX_DROP_MONITOR;
2848
		}
2849 2850

		rcu_read_lock();
J
Johannes Berg 已提交
2851
		mppath = mpp_path_lookup(sdata, proxied_addr);
2852
		if (!mppath) {
J
Johannes Berg 已提交
2853
			mpp_path_add(sdata, proxied_addr, mpp_addr);
2854 2855
		} else {
			spin_lock_bh(&mppath->state_lock);
2856
			if (!ether_addr_equal(mppath->mpp, mpp_addr))
2857
				memcpy(mppath->mpp, mpp_addr, ETH_ALEN);
2858
			mppath->exp_time = jiffies;
2859 2860 2861 2862 2863
			spin_unlock_bh(&mppath->state_lock);
		}
		rcu_read_unlock();
	}

2864 2865
	/* Frame has reached destination.  Don't forward */
	if (!is_multicast_ether_addr(hdr->addr1) &&
2866
	    ether_addr_equal(sdata->vif.addr, hdr->addr3))
2867 2868
		return RX_CONTINUE;

2869 2870
	ac = ieee80211_select_queue_80211(sdata, skb, hdr);
	q = sdata->vif.hw_queue[ac];
2871
	if (ieee80211_queue_stopped(&local->hw, q)) {
2872
		IEEE80211_IFSTA_MESH_CTR_INC(ifmsh, dropped_frames_congestion);
2873 2874 2875
		return RX_DROP_MONITOR;
	}
	skb_set_queue_mapping(skb, q);
2876

2877
	if (!--mesh_hdr->ttl) {
2878 2879 2880
		if (!is_multicast_ether_addr(hdr->addr1))
			IEEE80211_IFSTA_MESH_CTR_INC(ifmsh,
						     dropped_frames_ttl);
2881
		goto out;
2882 2883
	}

2884 2885 2886
	if (!ifmsh->mshcfg.dot11MeshForwarding)
		goto out;

2887 2888 2889
	if (sdata->crypto_tx_tailroom_needed_cnt)
		tailroom = IEEE80211_ENCRYPT_TAILROOM;

2890
	fwd_skb = skb_copy_expand(skb, local->tx_headroom +
2891 2892
				       sdata->encrypt_headroom,
				  tailroom, GFP_ATOMIC);
2893
	if (!fwd_skb)
2894 2895 2896
		goto out;

	fwd_hdr =  (struct ieee80211_hdr *) fwd_skb->data;
2897
	fwd_hdr->frame_control &= ~cpu_to_le16(IEEE80211_FCTL_RETRY);
2898 2899
	info = IEEE80211_SKB_CB(fwd_skb);
	memset(info, 0, sizeof(*info));
2900
	info->control.flags |= IEEE80211_TX_INTCFL_NEED_TXPROCESSING;
2901 2902 2903 2904 2905
	info->control.vif = &rx->sdata->vif;
	info->control.jiffies = jiffies;
	if (is_multicast_ether_addr(fwd_hdr->addr1)) {
		IEEE80211_IFSTA_MESH_CTR_INC(ifmsh, fwded_mcast);
		memcpy(fwd_hdr->addr2, sdata->vif.addr, ETH_ALEN);
M
Marco Porsch 已提交
2906 2907
		/* update power mode indication when forwarding */
		ieee80211_mps_set_frame_flags(sdata, NULL, fwd_hdr);
J
Johannes Berg 已提交
2908
	} else if (!mesh_nexthop_lookup(sdata, fwd_skb)) {
M
Marco Porsch 已提交
2909
		/* mesh power mode flags updated in mesh_nexthop_lookup */
2910 2911 2912
		IEEE80211_IFSTA_MESH_CTR_INC(ifmsh, fwded_unicast);
	} else {
		/* unable to resolve next hop */
J
Johannes Berg 已提交
2913
		mesh_path_error_tx(sdata, ifmsh->mshcfg.element_ttl,
2914 2915 2916
				   fwd_hdr->addr3, 0,
				   WLAN_REASON_MESH_PATH_NOFORWARD,
				   fwd_hdr->addr2);
2917
		IEEE80211_IFSTA_MESH_CTR_INC(ifmsh, dropped_frames_no_route);
2918
		kfree_skb(fwd_skb);
2919
		return RX_DROP_MONITOR;
2920 2921
	}

2922 2923
	IEEE80211_IFSTA_MESH_CTR_INC(ifmsh, fwded_frames);
	ieee80211_add_pending_skb(local, fwd_skb);
J
Johannes Berg 已提交
2924
 out:
2925
	if (is_multicast_ether_addr(hdr->addr1))
2926
		return RX_CONTINUE;
2927
	return RX_DROP_MONITOR;
2928
}
I
Ingo Molnar 已提交
2929
#endif
2930

2931
static ieee80211_rx_result debug_noinline
2932
ieee80211_rx_h_data(struct ieee80211_rx_data *rx)
2933
{
J
Johannes Berg 已提交
2934
	struct ieee80211_sub_if_data *sdata = rx->sdata;
2935
	struct ieee80211_local *local = rx->local;
J
Johannes Berg 已提交
2936
	struct net_device *dev = sdata->dev;
2937 2938
	struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)rx->skb->data;
	__le16 fc = hdr->frame_control;
2939
	bool port_control;
2940
	int err;
2941

2942
	if (unlikely(!ieee80211_is_data(hdr->frame_control)))
2943
		return RX_CONTINUE;
2944

2945
	if (unlikely(!ieee80211_is_data_present(hdr->frame_control)))
J
Johannes Berg 已提交
2946
		return RX_DROP_MONITOR;
2947

2948
	/*
2949 2950
	 * Send unexpected-4addr-frame event to hostapd. For older versions,
	 * also drop the frame to cooked monitor interfaces.
2951 2952
	 */
	if (ieee80211_has_a4(hdr->frame_control) &&
2953 2954 2955 2956 2957
	    sdata->vif.type == NL80211_IFTYPE_AP) {
		if (rx->sta &&
		    !test_and_set_sta_flag(rx->sta, WLAN_STA_4ADDR_EVENT))
			cfg80211_rx_unexpected_4addr_frame(
				rx->sdata->dev, rx->sta->sta.addr, GFP_ATOMIC);
2958
		return RX_DROP_MONITOR;
2959
	}
2960

2961
	err = __ieee80211_data_to_8023(rx, &port_control);
2962
	if (unlikely(err))
J
Johannes Berg 已提交
2963
		return RX_DROP_UNUSABLE;
2964

2965
	if (!ieee80211_frame_allowed(rx, fc))
J
Johannes Berg 已提交
2966
		return RX_DROP_MONITOR;
2967

2968 2969 2970 2971 2972 2973 2974 2975 2976 2977 2978
	/* directly handle TDLS channel switch requests/responses */
	if (unlikely(((struct ethhdr *)rx->skb->data)->h_proto ==
						cpu_to_be16(ETH_P_TDLS))) {
		struct ieee80211_tdls_data *tf = (void *)rx->skb->data;

		if (pskb_may_pull(rx->skb,
				  offsetof(struct ieee80211_tdls_data, u)) &&
		    tf->payload_type == WLAN_TDLS_SNAP_RFTYPE &&
		    tf->category == WLAN_CATEGORY_TDLS &&
		    (tf->action_code == WLAN_TDLS_CHANNEL_SWITCH_REQUEST ||
		     tf->action_code == WLAN_TDLS_CHANNEL_SWITCH_RESPONSE)) {
2979 2980
			skb_queue_tail(&local->skb_queue_tdls_chsw, rx->skb);
			schedule_work(&local->tdls_chsw_work);
2981
			if (rx->sta)
2982
				rx->sta->rx_stats.packets++;
2983 2984 2985 2986 2987

			return RX_QUEUED;
		}
	}

2988 2989 2990 2991 2992 2993 2994 2995
	if (rx->sdata->vif.type == NL80211_IFTYPE_AP_VLAN &&
	    unlikely(port_control) && sdata->bss) {
		sdata = container_of(sdata->bss, struct ieee80211_sub_if_data,
				     u.ap);
		dev = sdata->dev;
		rx->sdata = sdata;
	}

2996 2997
	rx->skb->dev = dev;

2998 2999
	if (!ieee80211_hw_check(&local->hw, SUPPORTS_DYNAMIC_PS) &&
	    local->ps_sdata && local->hw.conf.dynamic_ps_timeout > 0 &&
3000 3001 3002
	    !is_multicast_ether_addr(
		    ((struct ethhdr *)rx->skb->data)->h_dest) &&
	    (!local->scanning &&
3003 3004 3005
	     !test_bit(SDATA_STATE_OFFCHANNEL, &sdata->state)))
		mod_timer(&local->dynamic_ps_timer, jiffies +
			  msecs_to_jiffies(local->hw.conf.dynamic_ps_timeout));
3006

3007
	ieee80211_deliver_skb(rx);
3008

3009
	return RX_QUEUED;
3010 3011
}

3012
static ieee80211_rx_result debug_noinline
3013
ieee80211_rx_h_ctrl(struct ieee80211_rx_data *rx, struct sk_buff_head *frames)
3014 3015
{
	struct sk_buff *skb = rx->skb;
3016
	struct ieee80211_bar *bar = (struct ieee80211_bar *)skb->data;
3017 3018 3019 3020
	struct tid_ampdu_rx *tid_agg_rx;
	u16 start_seq_num;
	u16 tid;

3021
	if (likely(!ieee80211_is_ctl(bar->frame_control)))
3022
		return RX_CONTINUE;
3023

3024
	if (ieee80211_is_back_req(bar->frame_control)) {
3025 3026 3027
		struct {
			__le16 control, start_seq_num;
		} __packed bar_data;
3028 3029 3030
		struct ieee80211_event event = {
			.type = BAR_RX_EVENT,
		};
3031

3032
		if (!rx->sta)
3033
			return RX_DROP_MONITOR;
3034 3035 3036 3037 3038 3039

		if (skb_copy_bits(skb, offsetof(struct ieee80211_bar, control),
				  &bar_data, sizeof(bar_data)))
			return RX_DROP_MONITOR;

		tid = le16_to_cpu(bar_data.control) >> 12;
3040

3041 3042 3043 3044 3045 3046
		if (!test_bit(tid, rx->sta->ampdu_mlme.agg_session_valid) &&
		    !test_and_set_bit(tid, rx->sta->ampdu_mlme.unexpected_agg))
			ieee80211_send_delba(rx->sdata, rx->sta->sta.addr, tid,
					     WLAN_BACK_RECIPIENT,
					     WLAN_REASON_QSTA_REQUIRE_SETUP);

3047 3048
		tid_agg_rx = rcu_dereference(rx->sta->ampdu_mlme.tid_rx[tid]);
		if (!tid_agg_rx)
3049
			return RX_DROP_MONITOR;
3050

3051
		start_seq_num = le16_to_cpu(bar_data.start_seq_num) >> 4;
3052 3053 3054
		event.u.ba.tid = tid;
		event.u.ba.ssn = start_seq_num;
		event.u.ba.sta = &rx->sta->sta;
3055 3056

		/* reset session timer */
3057 3058 3059
		if (tid_agg_rx->timeout)
			mod_timer(&tid_agg_rx->session_timer,
				  TU_TO_EXP_TIME(tid_agg_rx->timeout));
3060

3061
		spin_lock(&tid_agg_rx->reorder_lock);
3062
		/* release stored frames up to start of BAR */
3063
		ieee80211_release_reorder_frames(rx->sdata, tid_agg_rx,
3064
						 start_seq_num, frames);
3065 3066
		spin_unlock(&tid_agg_rx->reorder_lock);

3067 3068
		drv_event_callback(rx->local, rx->sdata, &event);

3069 3070
		kfree_skb(skb);
		return RX_QUEUED;
3071 3072
	}

3073 3074 3075 3076 3077 3078
	/*
	 * After this point, we only want management frames,
	 * so we can drop all remaining control frames to
	 * cooked monitor interfaces.
	 */
	return RX_DROP_MONITOR;
3079 3080
}

3081 3082 3083
static void ieee80211_process_sa_query_req(struct ieee80211_sub_if_data *sdata,
					   struct ieee80211_mgmt *mgmt,
					   size_t len)
3084 3085 3086 3087 3088
{
	struct ieee80211_local *local = sdata->local;
	struct sk_buff *skb;
	struct ieee80211_mgmt *resp;

3089
	if (!ether_addr_equal(mgmt->da, sdata->vif.addr)) {
3090 3091 3092 3093
		/* Not to own unicast address */
		return;
	}

3094 3095
	if (!ether_addr_equal(mgmt->sa, sdata->u.mgd.bssid) ||
	    !ether_addr_equal(mgmt->bssid, sdata->u.mgd.bssid)) {
3096
		/* Not from the current AP or not associated yet. */
3097 3098 3099 3100 3101 3102 3103 3104 3105 3106 3107 3108 3109
		return;
	}

	if (len < 24 + 1 + sizeof(resp->u.action.u.sa_query)) {
		/* Too short SA Query request frame */
		return;
	}

	skb = dev_alloc_skb(sizeof(*resp) + local->hw.extra_tx_headroom);
	if (skb == NULL)
		return;

	skb_reserve(skb, local->hw.extra_tx_headroom);
3110
	resp = skb_put_zero(skb, 24);
3111
	memcpy(resp->da, mgmt->sa, ETH_ALEN);
3112
	memcpy(resp->sa, sdata->vif.addr, ETH_ALEN);
3113
	memcpy(resp->bssid, sdata->u.mgd.bssid, ETH_ALEN);
3114 3115 3116 3117 3118 3119 3120 3121 3122
	resp->frame_control = cpu_to_le16(IEEE80211_FTYPE_MGMT |
					  IEEE80211_STYPE_ACTION);
	skb_put(skb, 1 + sizeof(resp->u.action.u.sa_query));
	resp->u.action.category = WLAN_CATEGORY_SA_QUERY;
	resp->u.action.u.sa_query.action = WLAN_ACTION_SA_QUERY_RESPONSE;
	memcpy(resp->u.action.u.sa_query.trans_id,
	       mgmt->u.action.u.sa_query.trans_id,
	       WLAN_SA_QUERY_TR_ID_LEN);

3123
	ieee80211_tx_skb(sdata, skb);
3124 3125
}

3126 3127 3128 3129
static ieee80211_rx_result debug_noinline
ieee80211_rx_h_mgmt_check(struct ieee80211_rx_data *rx)
{
	struct ieee80211_mgmt *mgmt = (struct ieee80211_mgmt *) rx->skb->data;
3130
	struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(rx->skb);
3131 3132 3133 3134 3135 3136 3137 3138 3139 3140 3141 3142

	/*
	 * From here on, look only at management frames.
	 * Data and control frames are already handled,
	 * and unknown (reserved) frames are useless.
	 */
	if (rx->skb->len < 24)
		return RX_DROP_MONITOR;

	if (!ieee80211_is_mgmt(mgmt->frame_control))
		return RX_DROP_MONITOR;

J
Johannes Berg 已提交
3143 3144 3145
	if (rx->sdata->vif.type == NL80211_IFTYPE_AP &&
	    ieee80211_is_beacon(mgmt->frame_control) &&
	    !(rx->flags & IEEE80211_RX_BEACON_REPORTED)) {
3146 3147
		int sig = 0;

3148 3149
		if (ieee80211_hw_check(&rx->local->hw, SIGNAL_DBM) &&
		    !(status->flag & RX_FLAG_NO_SIGNAL_VAL))
3150 3151
			sig = status->signal;

3152 3153 3154 3155
		cfg80211_report_obss_beacon_khz(rx->local->hw.wiphy,
						rx->skb->data, rx->skb->len,
						ieee80211_rx_status_to_khz(status),
						sig);
J
Johannes Berg 已提交
3156 3157 3158
		rx->flags |= IEEE80211_RX_BEACON_REPORTED;
	}

3159 3160 3161 3162 3163 3164
	if (ieee80211_drop_unencrypted_mgmt(rx))
		return RX_DROP_UNUSABLE;

	return RX_CONTINUE;
}

3165 3166 3167 3168
static ieee80211_rx_result debug_noinline
ieee80211_rx_h_action(struct ieee80211_rx_data *rx)
{
	struct ieee80211_local *local = rx->local;
J
Johannes Berg 已提交
3169
	struct ieee80211_sub_if_data *sdata = rx->sdata;
3170
	struct ieee80211_mgmt *mgmt = (struct ieee80211_mgmt *) rx->skb->data;
3171
	struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(rx->skb);
3172 3173 3174 3175 3176
	int len = rx->skb->len;

	if (!ieee80211_is_action(mgmt->frame_control))
		return RX_CONTINUE;

3177 3178
	/* drop too small frames */
	if (len < IEEE80211_MIN_ACTION_SIZE)
3179
		return RX_DROP_UNUSABLE;
3180

3181
	if (!rx->sta && mgmt->u.action.category != WLAN_CATEGORY_PUBLIC &&
3182 3183
	    mgmt->u.action.category != WLAN_CATEGORY_SELF_PROTECTED &&
	    mgmt->u.action.category != WLAN_CATEGORY_SPECTRUM_MGMT)
3184
		return RX_DROP_UNUSABLE;
3185 3186

	switch (mgmt->u.action.category) {
3187 3188 3189 3190 3191 3192 3193 3194 3195 3196 3197 3198
	case WLAN_CATEGORY_HT:
		/* reject HT action frames from stations not supporting HT */
		if (!rx->sta->sta.ht_cap.ht_supported)
			goto invalid;

		if (sdata->vif.type != NL80211_IFTYPE_STATION &&
		    sdata->vif.type != NL80211_IFTYPE_MESH_POINT &&
		    sdata->vif.type != NL80211_IFTYPE_AP_VLAN &&
		    sdata->vif.type != NL80211_IFTYPE_AP &&
		    sdata->vif.type != NL80211_IFTYPE_ADHOC)
			break;

3199
		/* verify action & smps_control/chanwidth are present */
3200 3201 3202 3203 3204 3205
		if (len < IEEE80211_MIN_ACTION_SIZE + 2)
			goto invalid;

		switch (mgmt->u.action.u.ht_smps.action) {
		case WLAN_HT_ACTION_SMPS: {
			struct ieee80211_supported_band *sband;
3206
			enum ieee80211_smps_mode smps_mode;
3207
			struct sta_opmode_info sta_opmode = {};
3208

3209 3210 3211 3212
			if (sdata->vif.type != NL80211_IFTYPE_AP &&
			    sdata->vif.type != NL80211_IFTYPE_AP_VLAN)
				goto handled;

3213 3214 3215
			/* convert to HT capability */
			switch (mgmt->u.action.u.ht_smps.smps_control) {
			case WLAN_HT_SMPS_CONTROL_DISABLED:
3216
				smps_mode = IEEE80211_SMPS_OFF;
3217 3218
				break;
			case WLAN_HT_SMPS_CONTROL_STATIC:
3219
				smps_mode = IEEE80211_SMPS_STATIC;
3220 3221
				break;
			case WLAN_HT_SMPS_CONTROL_DYNAMIC:
3222
				smps_mode = IEEE80211_SMPS_DYNAMIC;
3223 3224 3225 3226 3227 3228
				break;
			default:
				goto invalid;
			}

			/* if no change do nothing */
3229
			if (rx->sta->sta.smps_mode == smps_mode)
3230
				goto handled;
3231
			rx->sta->sta.smps_mode = smps_mode;
3232 3233
			sta_opmode.smps_mode =
				ieee80211_smps_mode_to_smps_mode(smps_mode);
3234
			sta_opmode.changed = STA_OPMODE_SMPS_MODE_CHANGED;
3235 3236 3237

			sband = rx->local->hw.wiphy->bands[status->band];

3238 3239
			rate_control_rate_update(local, sband, rx->sta,
						 IEEE80211_RC_SMPS_CHANGED);
3240 3241 3242
			cfg80211_sta_opmode_change_notify(sdata->dev,
							  rx->sta->addr,
							  &sta_opmode,
3243
							  GFP_ATOMIC);
3244 3245
			goto handled;
		}
3246 3247 3248
		case WLAN_HT_ACTION_NOTIFY_CHANWIDTH: {
			struct ieee80211_supported_band *sband;
			u8 chanwidth = mgmt->u.action.u.ht_notify_cw.chanwidth;
3249
			enum ieee80211_sta_rx_bandwidth max_bw, new_bw;
3250
			struct sta_opmode_info sta_opmode = {};
3251 3252

			/* If it doesn't support 40 MHz it can't change ... */
3253 3254
			if (!(rx->sta->sta.ht_cap.cap &
					IEEE80211_HT_CAP_SUP_WIDTH_20_40))
3255 3256
				goto handled;

3257
			if (chanwidth == IEEE80211_HT_CHANWIDTH_20MHZ)
3258
				max_bw = IEEE80211_STA_RX_BW_20;
3259
			else
3260 3261 3262 3263 3264
				max_bw = ieee80211_sta_cap_rx_bw(rx->sta);

			/* set cur_max_bandwidth and recalc sta bw */
			rx->sta->cur_max_bandwidth = max_bw;
			new_bw = ieee80211_sta_cur_vht_bw(rx->sta);
3265

3266
			if (rx->sta->sta.bandwidth == new_bw)
3267 3268
				goto handled;

3269
			rx->sta->sta.bandwidth = new_bw;
3270
			sband = rx->local->hw.wiphy->bands[status->band];
3271 3272
			sta_opmode.bw =
				ieee80211_sta_rx_bw_to_chan_width(rx->sta);
3273
			sta_opmode.changed = STA_OPMODE_MAX_BW_CHANGED;
3274 3275 3276

			rate_control_rate_update(local, sband, rx->sta,
						 IEEE80211_RC_BW_CHANGED);
3277 3278 3279
			cfg80211_sta_opmode_change_notify(sdata->dev,
							  rx->sta->addr,
							  &sta_opmode,
3280
							  GFP_ATOMIC);
3281 3282
			goto handled;
		}
3283 3284 3285 3286
		default:
			goto invalid;
		}

3287
		break;
3288 3289 3290 3291 3292 3293 3294 3295 3296 3297 3298 3299 3300 3301 3302 3303
	case WLAN_CATEGORY_PUBLIC:
		if (len < IEEE80211_MIN_ACTION_SIZE + 1)
			goto invalid;
		if (sdata->vif.type != NL80211_IFTYPE_STATION)
			break;
		if (!rx->sta)
			break;
		if (!ether_addr_equal(mgmt->bssid, sdata->u.mgd.bssid))
			break;
		if (mgmt->u.action.u.ext_chan_switch.action_code !=
				WLAN_PUB_ACTION_EXT_CHANSW_ANN)
			break;
		if (len < offsetof(struct ieee80211_mgmt,
				   u.action.u.ext_chan_switch.variable))
			goto invalid;
		goto queue;
3304 3305 3306 3307 3308 3309 3310 3311 3312 3313 3314 3315 3316 3317 3318 3319 3320
	case WLAN_CATEGORY_VHT:
		if (sdata->vif.type != NL80211_IFTYPE_STATION &&
		    sdata->vif.type != NL80211_IFTYPE_MESH_POINT &&
		    sdata->vif.type != NL80211_IFTYPE_AP_VLAN &&
		    sdata->vif.type != NL80211_IFTYPE_AP &&
		    sdata->vif.type != NL80211_IFTYPE_ADHOC)
			break;

		/* verify action code is present */
		if (len < IEEE80211_MIN_ACTION_SIZE + 1)
			goto invalid;

		switch (mgmt->u.action.u.vht_opmode_notif.action_code) {
		case WLAN_VHT_ACTION_OPMODE_NOTIF: {
			/* verify opmode is present */
			if (len < IEEE80211_MIN_ACTION_SIZE + 2)
				goto invalid;
3321
			goto queue;
3322
		}
3323 3324 3325 3326 3327
		case WLAN_VHT_ACTION_GROUPID_MGMT: {
			if (len < IEEE80211_MIN_ACTION_SIZE + 25)
				goto invalid;
			goto queue;
		}
3328 3329 3330
		default:
			break;
		}
3331
		break;
3332
	case WLAN_CATEGORY_BACK:
3333
		if (sdata->vif.type != NL80211_IFTYPE_STATION &&
3334
		    sdata->vif.type != NL80211_IFTYPE_MESH_POINT &&
3335
		    sdata->vif.type != NL80211_IFTYPE_AP_VLAN &&
3336 3337
		    sdata->vif.type != NL80211_IFTYPE_AP &&
		    sdata->vif.type != NL80211_IFTYPE_ADHOC)
3338
			break;
3339

3340 3341 3342 3343
		/* verify action_code is present */
		if (len < IEEE80211_MIN_ACTION_SIZE + 1)
			break;

3344 3345 3346 3347
		switch (mgmt->u.action.u.addba_req.action_code) {
		case WLAN_ACTION_ADDBA_REQ:
			if (len < (IEEE80211_MIN_ACTION_SIZE +
				   sizeof(mgmt->u.action.u.addba_req)))
3348 3349
				goto invalid;
			break;
3350 3351 3352
		case WLAN_ACTION_ADDBA_RESP:
			if (len < (IEEE80211_MIN_ACTION_SIZE +
				   sizeof(mgmt->u.action.u.addba_resp)))
3353 3354
				goto invalid;
			break;
3355 3356 3357
		case WLAN_ACTION_DELBA:
			if (len < (IEEE80211_MIN_ACTION_SIZE +
				   sizeof(mgmt->u.action.u.delba)))
3358 3359 3360 3361
				goto invalid;
			break;
		default:
			goto invalid;
3362
		}
3363

3364
		goto queue;
3365
	case WLAN_CATEGORY_SPECTRUM_MGMT:
3366 3367 3368 3369
		/* verify action_code is present */
		if (len < IEEE80211_MIN_ACTION_SIZE + 1)
			break;

3370 3371
		switch (mgmt->u.action.u.measurement.action_code) {
		case WLAN_ACTION_SPCT_MSR_REQ:
3372
			if (status->band != NL80211_BAND_5GHZ)
3373 3374
				break;

3375 3376
			if (len < (IEEE80211_MIN_ACTION_SIZE +
				   sizeof(mgmt->u.action.u.measurement)))
3377
				break;
3378 3379 3380 3381

			if (sdata->vif.type != NL80211_IFTYPE_STATION)
				break;

3382
			ieee80211_process_measurement_req(sdata, mgmt, len);
3383
			goto handled;
3384 3385 3386 3387
		case WLAN_ACTION_SPCT_CHL_SWITCH: {
			u8 *bssid;
			if (len < (IEEE80211_MIN_ACTION_SIZE +
				   sizeof(mgmt->u.action.u.chan_switch)))
3388
				break;
3389

3390
			if (sdata->vif.type != NL80211_IFTYPE_STATION &&
3391 3392
			    sdata->vif.type != NL80211_IFTYPE_ADHOC &&
			    sdata->vif.type != NL80211_IFTYPE_MESH_POINT)
3393 3394 3395 3396 3397 3398
				break;

			if (sdata->vif.type == NL80211_IFTYPE_STATION)
				bssid = sdata->u.mgd.bssid;
			else if (sdata->vif.type == NL80211_IFTYPE_ADHOC)
				bssid = sdata->u.ibss.bssid;
3399 3400
			else if (sdata->vif.type == NL80211_IFTYPE_MESH_POINT)
				bssid = mgmt->sa;
3401 3402 3403 3404
			else
				break;

			if (!ether_addr_equal(mgmt->bssid, bssid))
3405
				break;
S
Sujith 已提交
3406

3407
			goto queue;
3408
			}
3409 3410
		}
		break;
3411
	case WLAN_CATEGORY_SELF_PROTECTED:
3412 3413 3414 3415
		if (len < (IEEE80211_MIN_ACTION_SIZE +
			   sizeof(mgmt->u.action.u.self_prot.action_code)))
			break;

3416 3417 3418 3419 3420 3421
		switch (mgmt->u.action.u.self_prot.action_code) {
		case WLAN_SP_MESH_PEERING_OPEN:
		case WLAN_SP_MESH_PEERING_CLOSE:
		case WLAN_SP_MESH_PEERING_CONFIRM:
			if (!ieee80211_vif_is_mesh(&sdata->vif))
				goto invalid;
3422
			if (sdata->u.mesh.user_mpm)
3423 3424 3425 3426 3427 3428 3429 3430 3431 3432
				/* userspace handles this frame */
				break;
			goto queue;
		case WLAN_SP_MGK_INFORM:
		case WLAN_SP_MGK_ACK:
			if (!ieee80211_vif_is_mesh(&sdata->vif))
				goto invalid;
			break;
		}
		break;
3433
	case WLAN_CATEGORY_MESH_ACTION:
3434 3435 3436 3437
		if (len < (IEEE80211_MIN_ACTION_SIZE +
			   sizeof(mgmt->u.action.u.mesh_action.action_code)))
			break;

3438 3439
		if (!ieee80211_vif_is_mesh(&sdata->vif))
			break;
3440
		if (mesh_action_is_path_sel(mgmt) &&
J
Johannes Berg 已提交
3441
		    !mesh_path_sel_is_hwmp(sdata))
3442 3443
			break;
		goto queue;
3444
	}
3445

3446 3447
	return RX_CONTINUE;

3448
 invalid:
3449
	status->rx_flags |= IEEE80211_RX_MALFORMED_ACTION_FRM;
3450 3451 3452 3453 3454
	/* will return in the next handlers */
	return RX_CONTINUE;

 handled:
	if (rx->sta)
3455
		rx->sta->rx_stats.packets++;
3456 3457 3458 3459 3460 3461 3462
	dev_kfree_skb(rx->skb);
	return RX_QUEUED;

 queue:
	skb_queue_tail(&sdata->skb_queue, rx->skb);
	ieee80211_queue_work(&local->hw, &sdata->work);
	if (rx->sta)
3463
		rx->sta->rx_stats.packets++;
3464 3465 3466 3467 3468 3469
	return RX_QUEUED;
}

static ieee80211_rx_result debug_noinline
ieee80211_rx_h_userspace_mgmt(struct ieee80211_rx_data *rx)
{
3470
	struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(rx->skb);
3471
	int sig = 0;
3472 3473

	/* skip known-bad action frames and return them in the next handler */
3474
	if (status->rx_flags & IEEE80211_RX_MALFORMED_ACTION_FRM)
3475
		return RX_CONTINUE;
3476

3477 3478 3479 3480 3481 3482 3483
	/*
	 * Getting here means the kernel doesn't know how to handle
	 * it, but maybe userspace does ... include returned frames
	 * so userspace can register for those to know whether ones
	 * it transmitted were processed or returned.
	 */

3484 3485
	if (ieee80211_hw_check(&rx->local->hw, SIGNAL_DBM) &&
	    !(status->flag & RX_FLAG_NO_SIGNAL_VAL))
3486 3487
		sig = status->signal;

3488 3489 3490
	if (cfg80211_rx_mgmt_khz(&rx->sdata->wdev,
				 ieee80211_rx_status_to_khz(status), sig,
				 rx->skb->data, rx->skb->len, 0)) {
3491
		if (rx->sta)
3492
			rx->sta->rx_stats.packets++;
3493 3494 3495 3496 3497 3498 3499
		dev_kfree_skb(rx->skb);
		return RX_QUEUED;
	}

	return RX_CONTINUE;
}

3500 3501 3502 3503 3504 3505 3506 3507 3508 3509 3510 3511 3512 3513 3514 3515 3516 3517 3518 3519 3520 3521 3522 3523 3524 3525 3526 3527 3528 3529 3530 3531 3532 3533 3534
static ieee80211_rx_result debug_noinline
ieee80211_rx_h_action_post_userspace(struct ieee80211_rx_data *rx)
{
	struct ieee80211_sub_if_data *sdata = rx->sdata;
	struct ieee80211_mgmt *mgmt = (struct ieee80211_mgmt *) rx->skb->data;
	int len = rx->skb->len;

	if (!ieee80211_is_action(mgmt->frame_control))
		return RX_CONTINUE;

	switch (mgmt->u.action.category) {
	case WLAN_CATEGORY_SA_QUERY:
		if (len < (IEEE80211_MIN_ACTION_SIZE +
			   sizeof(mgmt->u.action.u.sa_query)))
			break;

		switch (mgmt->u.action.u.sa_query.action) {
		case WLAN_ACTION_SA_QUERY_REQUEST:
			if (sdata->vif.type != NL80211_IFTYPE_STATION)
				break;
			ieee80211_process_sa_query_req(sdata, mgmt, len);
			goto handled;
		}
		break;
	}

	return RX_CONTINUE;

 handled:
	if (rx->sta)
		rx->sta->rx_stats.packets++;
	dev_kfree_skb(rx->skb);
	return RX_QUEUED;
}

3535 3536 3537 3538 3539 3540 3541
static ieee80211_rx_result debug_noinline
ieee80211_rx_h_action_return(struct ieee80211_rx_data *rx)
{
	struct ieee80211_local *local = rx->local;
	struct ieee80211_mgmt *mgmt = (struct ieee80211_mgmt *) rx->skb->data;
	struct sk_buff *nskb;
	struct ieee80211_sub_if_data *sdata = rx->sdata;
3542
	struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(rx->skb);
3543 3544 3545 3546 3547 3548 3549 3550 3551

	if (!ieee80211_is_action(mgmt->frame_control))
		return RX_CONTINUE;

	/*
	 * For AP mode, hostapd is responsible for handling any action
	 * frames that we didn't handle, including returning unknown
	 * ones. For all other modes we will return them to the sender,
	 * setting the 0x80 bit in the action category, as required by
3552
	 * 802.11-2012 9.24.4.
3553 3554 3555 3556
	 * Newer versions of hostapd shall also use the management frame
	 * registration mechanisms, but older ones still use cooked
	 * monitor interfaces so push all frames there.
	 */
3557
	if (!(status->rx_flags & IEEE80211_RX_MALFORMED_ACTION_FRM) &&
3558 3559 3560
	    (sdata->vif.type == NL80211_IFTYPE_AP ||
	     sdata->vif.type == NL80211_IFTYPE_AP_VLAN))
		return RX_DROP_MONITOR;
3561

3562 3563 3564
	if (is_multicast_ether_addr(mgmt->da))
		return RX_DROP_MONITOR;

3565 3566 3567 3568 3569 3570 3571
	/* do not return rejected action frames */
	if (mgmt->u.action.category & 0x80)
		return RX_DROP_UNUSABLE;

	nskb = skb_copy_expand(rx->skb, local->hw.extra_tx_headroom, 0,
			       GFP_ATOMIC);
	if (nskb) {
3572
		struct ieee80211_mgmt *nmgmt = (void *)nskb->data;
3573

3574 3575 3576
		nmgmt->u.action.category |= 0x80;
		memcpy(nmgmt->da, nmgmt->sa, ETH_ALEN);
		memcpy(nmgmt->sa, rx->sdata->vif.addr, ETH_ALEN);
3577 3578 3579

		memset(nskb->cb, 0, sizeof(nskb->cb));

3580 3581 3582 3583 3584 3585
		if (rx->sdata->vif.type == NL80211_IFTYPE_P2P_DEVICE) {
			struct ieee80211_tx_info *info = IEEE80211_SKB_CB(nskb);

			info->flags = IEEE80211_TX_CTL_TX_OFFCHAN |
				      IEEE80211_TX_INTFL_OFFCHAN_TX_OK |
				      IEEE80211_TX_CTL_NO_CCK_RATE;
3586
			if (ieee80211_hw_check(&local->hw, QUEUE_CONTROL))
3587 3588 3589 3590 3591
				info->hw_queue =
					local->hw.offchannel_tx_hw_queue;
		}

		__ieee80211_tx_skb_tid_band(rx->sdata, nskb, 7,
3592
					    status->band);
3593
	}
3594 3595
	dev_kfree_skb(rx->skb);
	return RX_QUEUED;
3596 3597
}

3598
static ieee80211_rx_result debug_noinline
3599
ieee80211_rx_h_mgmt(struct ieee80211_rx_data *rx)
3600
{
J
Johannes Berg 已提交
3601
	struct ieee80211_sub_if_data *sdata = rx->sdata;
3602 3603
	struct ieee80211_mgmt *mgmt = (void *)rx->skb->data;
	__le16 stype;
3604

3605
	stype = mgmt->frame_control & cpu_to_le16(IEEE80211_FCTL_STYPE);
3606

3607 3608
	if (!ieee80211_vif_is_mesh(&sdata->vif) &&
	    sdata->vif.type != NL80211_IFTYPE_ADHOC &&
3609
	    sdata->vif.type != NL80211_IFTYPE_OCB &&
3610 3611
	    sdata->vif.type != NL80211_IFTYPE_STATION)
		return RX_DROP_MONITOR;
3612

3613
	switch (stype) {
J
Johannes Berg 已提交
3614
	case cpu_to_le16(IEEE80211_STYPE_AUTH):
3615 3616 3617 3618
	case cpu_to_le16(IEEE80211_STYPE_BEACON):
	case cpu_to_le16(IEEE80211_STYPE_PROBE_RESP):
		/* process for all: mesh, mlme, ibss */
		break;
3619 3620 3621 3622 3623 3624 3625 3626 3627 3628
	case cpu_to_le16(IEEE80211_STYPE_DEAUTH):
		if (is_multicast_ether_addr(mgmt->da) &&
		    !is_broadcast_ether_addr(mgmt->da))
			return RX_DROP_MONITOR;

		/* process only for station/IBSS */
		if (sdata->vif.type != NL80211_IFTYPE_STATION &&
		    sdata->vif.type != NL80211_IFTYPE_ADHOC)
			return RX_DROP_MONITOR;
		break;
J
Johannes Berg 已提交
3629 3630
	case cpu_to_le16(IEEE80211_STYPE_ASSOC_RESP):
	case cpu_to_le16(IEEE80211_STYPE_REASSOC_RESP):
3631
	case cpu_to_le16(IEEE80211_STYPE_DISASSOC):
3632 3633 3634 3635
		if (is_multicast_ether_addr(mgmt->da) &&
		    !is_broadcast_ether_addr(mgmt->da))
			return RX_DROP_MONITOR;

3636 3637 3638 3639 3640
		/* process only for station */
		if (sdata->vif.type != NL80211_IFTYPE_STATION)
			return RX_DROP_MONITOR;
		break;
	case cpu_to_le16(IEEE80211_STYPE_PROBE_REQ):
3641 3642 3643
		/* process only for ibss and mesh */
		if (sdata->vif.type != NL80211_IFTYPE_ADHOC &&
		    sdata->vif.type != NL80211_IFTYPE_MESH_POINT)
3644 3645 3646 3647 3648
			return RX_DROP_MONITOR;
		break;
	default:
		return RX_DROP_MONITOR;
	}
3649

3650 3651 3652
	/* queue up frame and kick off work to process it */
	skb_queue_tail(&sdata->skb_queue, rx->skb);
	ieee80211_queue_work(&rx->local->hw, &sdata->work);
3653
	if (rx->sta)
3654
		rx->sta->rx_stats.packets++;
3655

3656
	return RX_QUEUED;
3657 3658
}

J
Johannes Berg 已提交
3659 3660
static void ieee80211_rx_cooked_monitor(struct ieee80211_rx_data *rx,
					struct ieee80211_rate *rate)
3661 3662 3663 3664 3665
{
	struct ieee80211_sub_if_data *sdata;
	struct ieee80211_local *local = rx->local;
	struct sk_buff *skb = rx->skb, *skb2;
	struct net_device *prev_dev = NULL;
J
Johannes Berg 已提交
3666
	struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(skb);
3667
	int needed_headroom;
3668

3669 3670 3671 3672 3673
	/*
	 * If cooked monitor has been processed already, then
	 * don't do it again. If not, set the flag.
	 */
	if (rx->flags & IEEE80211_RX_CMNTR)
3674
		goto out_free_skb;
3675
	rx->flags |= IEEE80211_RX_CMNTR;
3676

3677 3678 3679 3680
	/* If there are no cooked monitor interfaces, just free the SKB */
	if (!local->cooked_mntrs)
		goto out_free_skb;

3681 3682
	/* vendor data is long removed here */
	status->flag &= ~RX_FLAG_RADIOTAP_VENDOR_DATA;
3683
	/* room for the radiotap header based on driver features */
3684
	needed_headroom = ieee80211_rx_radiotap_hdrlen(local, status, skb);
3685

3686 3687 3688
	if (skb_headroom(skb) < needed_headroom &&
	    pskb_expand_head(skb, needed_headroom, 0, GFP_ATOMIC))
		goto out_free_skb;
3689

3690
	/* prepend radiotap information */
3691 3692
	ieee80211_add_rx_radiotap_header(local, skb, rate, needed_headroom,
					 false);
3693

3694
	skb_reset_mac_header(skb);
3695 3696 3697 3698 3699
	skb->ip_summed = CHECKSUM_UNNECESSARY;
	skb->pkt_type = PACKET_OTHERHOST;
	skb->protocol = htons(ETH_P_802_2);

	list_for_each_entry_rcu(sdata, &local->interfaces, list) {
3700
		if (!ieee80211_sdata_running(sdata))
3701 3702
			continue;

3703
		if (sdata->vif.type != NL80211_IFTYPE_MONITOR ||
3704
		    !(sdata->u.mntr.flags & MONITOR_FLAG_COOK_FRAMES))
3705 3706 3707 3708 3709 3710
			continue;

		if (prev_dev) {
			skb2 = skb_clone(skb, GFP_ATOMIC);
			if (skb2) {
				skb2->dev = prev_dev;
3711
				netif_receive_skb(skb2);
3712 3713 3714 3715
			}
		}

		prev_dev = sdata->dev;
3716
		ieee80211_rx_stats(sdata->dev, skb->len);
3717 3718 3719 3720
	}

	if (prev_dev) {
		skb->dev = prev_dev;
3721
		netif_receive_skb(skb);
3722 3723
		return;
	}
3724 3725 3726 3727 3728

 out_free_skb:
	dev_kfree_skb(skb);
}

3729 3730 3731 3732 3733 3734 3735
static void ieee80211_rx_handlers_result(struct ieee80211_rx_data *rx,
					 ieee80211_rx_result res)
{
	switch (res) {
	case RX_DROP_MONITOR:
		I802_DEBUG_INC(rx->sdata->local->rx_handlers_drop);
		if (rx->sta)
3736
			rx->sta->rx_stats.dropped++;
3737
		fallthrough;
3738 3739 3740 3741 3742 3743 3744 3745
	case RX_CONTINUE: {
		struct ieee80211_rate *rate = NULL;
		struct ieee80211_supported_band *sband;
		struct ieee80211_rx_status *status;

		status = IEEE80211_SKB_RXCB((rx->skb));

		sband = rx->local->hw.wiphy->bands[status->band];
L
Luca Coelho 已提交
3746
		if (status->encoding == RX_ENC_LEGACY)
3747 3748 3749 3750 3751 3752 3753 3754
			rate = &sband->bitrates[status->rate_idx];

		ieee80211_rx_cooked_monitor(rx, rate);
		break;
		}
	case RX_DROP_UNUSABLE:
		I802_DEBUG_INC(rx->sdata->local->rx_handlers_drop);
		if (rx->sta)
3755
			rx->sta->rx_stats.dropped++;
3756 3757 3758 3759 3760 3761 3762
		dev_kfree_skb(rx->skb);
		break;
	case RX_QUEUED:
		I802_DEBUG_INC(rx->sdata->local->rx_handlers_queued);
		break;
	}
}
3763

3764 3765
static void ieee80211_rx_handlers(struct ieee80211_rx_data *rx,
				  struct sk_buff_head *frames)
3766 3767
{
	ieee80211_rx_result res = RX_DROP_MONITOR;
3768
	struct sk_buff *skb;
3769

3770 3771 3772 3773
#define CALL_RXH(rxh)			\
	do {				\
		res = rxh(rx);		\
		if (res != RX_CONTINUE)	\
3774
			goto rxh_next;  \
3775
	} while (0)
3776

3777 3778 3779 3780 3781 3782
	/* Lock here to avoid hitting all of the data used in the RX
	 * path (e.g. key data, station data, ...) concurrently when
	 * a frame is released from the reorder buffer due to timeout
	 * from the timer, potentially concurrently with RX from the
	 * driver.
	 */
3783
	spin_lock_bh(&rx->local->rx_path_lock);
3784

3785
	while ((skb = __skb_dequeue(frames))) {
3786 3787 3788 3789 3790 3791 3792
		/*
		 * all the other fields are valid across frames
		 * that belong to an aMPDU since they are on the
		 * same TID from the same station
		 */
		rx->skb = skb;

3793 3794 3795 3796 3797 3798
		CALL_RXH(ieee80211_rx_h_check_more_data);
		CALL_RXH(ieee80211_rx_h_uapsd_and_pspoll);
		CALL_RXH(ieee80211_rx_h_sta_process);
		CALL_RXH(ieee80211_rx_h_decrypt);
		CALL_RXH(ieee80211_rx_h_defragment);
		CALL_RXH(ieee80211_rx_h_michael_mic_verify);
3799
		/* must be after MMIC verify so header is counted in MPDU mic */
I
Ingo Molnar 已提交
3800
#ifdef CONFIG_MAC80211_MESH
3801
		if (ieee80211_vif_is_mesh(&rx->sdata->vif))
3802
			CALL_RXH(ieee80211_rx_h_mesh_fwding);
I
Ingo Molnar 已提交
3803
#endif
3804 3805
		CALL_RXH(ieee80211_rx_h_amsdu);
		CALL_RXH(ieee80211_rx_h_data);
3806 3807 3808 3809 3810 3811

		/* special treatment -- needs the queue */
		res = ieee80211_rx_h_ctrl(rx, frames);
		if (res != RX_CONTINUE)
			goto rxh_next;

3812 3813 3814
		CALL_RXH(ieee80211_rx_h_mgmt_check);
		CALL_RXH(ieee80211_rx_h_action);
		CALL_RXH(ieee80211_rx_h_userspace_mgmt);
3815
		CALL_RXH(ieee80211_rx_h_action_post_userspace);
3816 3817
		CALL_RXH(ieee80211_rx_h_action_return);
		CALL_RXH(ieee80211_rx_h_mgmt);
3818

3819 3820
 rxh_next:
		ieee80211_rx_handlers_result(rx, res);
3821

3822
#undef CALL_RXH
3823
	}
3824

3825
	spin_unlock_bh(&rx->local->rx_path_lock);
3826 3827
}

3828
static void ieee80211_invoke_rx_handlers(struct ieee80211_rx_data *rx)
3829
{
3830
	struct sk_buff_head reorder_release;
3831 3832
	ieee80211_rx_result res = RX_DROP_MONITOR;

3833 3834
	__skb_queue_head_init(&reorder_release);

3835 3836 3837 3838 3839
#define CALL_RXH(rxh)			\
	do {				\
		res = rxh(rx);		\
		if (res != RX_CONTINUE)	\
			goto rxh_next;  \
3840
	} while (0)
3841

3842 3843
	CALL_RXH(ieee80211_rx_h_check_dup);
	CALL_RXH(ieee80211_rx_h_check);
3844

3845
	ieee80211_rx_reorder_ampdu(rx, &reorder_release);
3846

3847
	ieee80211_rx_handlers(rx, &reorder_release);
3848
	return;
3849

3850
 rxh_next:
3851 3852 3853
	ieee80211_rx_handlers_result(rx, res);

#undef CALL_RXH
3854 3855
}

3856
/*
3857 3858
 * This function makes calls into the RX path, therefore
 * it has to be invoked under RCU read lock.
3859 3860 3861
 */
void ieee80211_release_reorder_timeout(struct sta_info *sta, int tid)
{
3862
	struct sk_buff_head frames;
3863 3864 3865 3866
	struct ieee80211_rx_data rx = {
		.sta = sta,
		.sdata = sta->sdata,
		.local = sta->local,
3867 3868 3869
		/* This is OK -- must be QoS data frame */
		.security_idx = tid,
		.seqno_idx = tid,
3870
	};
3871 3872 3873 3874 3875
	struct tid_ampdu_rx *tid_agg_rx;

	tid_agg_rx = rcu_dereference(sta->ampdu_mlme.tid_rx[tid]);
	if (!tid_agg_rx)
		return;
3876

3877 3878
	__skb_queue_head_init(&frames);

3879
	spin_lock(&tid_agg_rx->reorder_lock);
3880
	ieee80211_sta_reorder_release(sta->sdata, tid_agg_rx, &frames);
3881
	spin_unlock(&tid_agg_rx->reorder_lock);
3882

3883 3884 3885 3886 3887 3888 3889 3890 3891
	if (!skb_queue_empty(&frames)) {
		struct ieee80211_event event = {
			.type = BA_FRAME_TIMEOUT,
			.u.ba.tid = tid,
			.u.ba.sta = &sta->sta,
		};
		drv_event_callback(rx.local, rx.sdata, &event);
	}

3892
	ieee80211_rx_handlers(&rx, &frames);
3893 3894
}

3895 3896 3897 3898 3899 3900 3901 3902 3903 3904 3905 3906 3907 3908 3909 3910 3911 3912 3913 3914 3915 3916 3917 3918 3919 3920 3921 3922 3923 3924 3925 3926 3927 3928 3929 3930 3931 3932 3933 3934 3935 3936 3937 3938 3939 3940 3941 3942 3943 3944 3945 3946 3947 3948 3949 3950 3951 3952 3953 3954 3955 3956 3957 3958 3959 3960 3961 3962 3963 3964 3965 3966 3967 3968 3969 3970 3971 3972 3973
void ieee80211_mark_rx_ba_filtered_frames(struct ieee80211_sta *pubsta, u8 tid,
					  u16 ssn, u64 filtered,
					  u16 received_mpdus)
{
	struct sta_info *sta;
	struct tid_ampdu_rx *tid_agg_rx;
	struct sk_buff_head frames;
	struct ieee80211_rx_data rx = {
		/* This is OK -- must be QoS data frame */
		.security_idx = tid,
		.seqno_idx = tid,
	};
	int i, diff;

	if (WARN_ON(!pubsta || tid >= IEEE80211_NUM_TIDS))
		return;

	__skb_queue_head_init(&frames);

	sta = container_of(pubsta, struct sta_info, sta);

	rx.sta = sta;
	rx.sdata = sta->sdata;
	rx.local = sta->local;

	rcu_read_lock();
	tid_agg_rx = rcu_dereference(sta->ampdu_mlme.tid_rx[tid]);
	if (!tid_agg_rx)
		goto out;

	spin_lock_bh(&tid_agg_rx->reorder_lock);

	if (received_mpdus >= IEEE80211_SN_MODULO >> 1) {
		int release;

		/* release all frames in the reorder buffer */
		release = (tid_agg_rx->head_seq_num + tid_agg_rx->buf_size) %
			   IEEE80211_SN_MODULO;
		ieee80211_release_reorder_frames(sta->sdata, tid_agg_rx,
						 release, &frames);
		/* update ssn to match received ssn */
		tid_agg_rx->head_seq_num = ssn;
	} else {
		ieee80211_release_reorder_frames(sta->sdata, tid_agg_rx, ssn,
						 &frames);
	}

	/* handle the case that received ssn is behind the mac ssn.
	 * it can be tid_agg_rx->buf_size behind and still be valid */
	diff = (tid_agg_rx->head_seq_num - ssn) & IEEE80211_SN_MASK;
	if (diff >= tid_agg_rx->buf_size) {
		tid_agg_rx->reorder_buf_filtered = 0;
		goto release;
	}
	filtered = filtered >> diff;
	ssn += diff;

	/* update bitmap */
	for (i = 0; i < tid_agg_rx->buf_size; i++) {
		int index = (ssn + i) % tid_agg_rx->buf_size;

		tid_agg_rx->reorder_buf_filtered &= ~BIT_ULL(index);
		if (filtered & BIT_ULL(i))
			tid_agg_rx->reorder_buf_filtered |= BIT_ULL(index);
	}

	/* now process also frames that the filter marking released */
	ieee80211_sta_reorder_release(sta->sdata, tid_agg_rx, &frames);

release:
	spin_unlock_bh(&tid_agg_rx->reorder_lock);

	ieee80211_rx_handlers(&rx, &frames);

 out:
	rcu_read_unlock();
}
EXPORT_SYMBOL(ieee80211_mark_rx_ba_filtered_frames);

3974 3975
/* main receive path */

3976
static bool ieee80211_accept_frame(struct ieee80211_rx_data *rx)
3977
{
3978
	struct ieee80211_sub_if_data *sdata = rx->sdata;
J
Johannes Berg 已提交
3979
	struct sk_buff *skb = rx->skb;
3980
	struct ieee80211_hdr *hdr = (void *)skb->data;
J
Johannes Berg 已提交
3981 3982
	struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(skb);
	u8 *bssid = ieee80211_get_bssid(hdr, skb->len, sdata->vif.type);
3983
	bool multicast = is_multicast_ether_addr(hdr->addr1);
3984

3985
	switch (sdata->vif.type) {
3986
	case NL80211_IFTYPE_STATION:
3987
		if (!bssid && !sdata->u.mgd.use_4addr)
3988
			return false;
3989 3990
		if (ieee80211_is_robust_mgmt_frame(skb) && !rx->sta)
			return false;
3991 3992 3993
		if (multicast)
			return true;
		return ether_addr_equal(sdata->vif.addr, hdr->addr1);
3994
	case NL80211_IFTYPE_ADHOC:
3995
		if (!bssid)
3996
			return false;
3997 3998
		if (ether_addr_equal(sdata->vif.addr, hdr->addr2) ||
		    ether_addr_equal(sdata->u.ibss.bssid, hdr->addr2))
3999
			return false;
4000
		if (ieee80211_is_beacon(hdr->frame_control))
4001
			return true;
4002
		if (!ieee80211_bssid_match(bssid, sdata->u.ibss.bssid))
4003
			return false;
4004 4005
		if (!multicast &&
		    !ether_addr_equal(sdata->vif.addr, hdr->addr1))
4006
			return false;
4007
		if (!rx->sta) {
4008
			int rate_idx;
4009
			if (status->encoding != RX_ENC_LEGACY)
4010
				rate_idx = 0; /* TODO: HT/VHT rates */
4011
			else
J
Johannes Berg 已提交
4012
				rate_idx = status->rate_idx;
4013 4014
			ieee80211_ibss_rx_no_sta(sdata, bssid, hdr->addr2,
						 BIT(rate_idx));
4015
		}
4016
		return true;
4017 4018 4019
	case NL80211_IFTYPE_OCB:
		if (!bssid)
			return false;
4020
		if (!ieee80211_is_data_present(hdr->frame_control))
4021
			return false;
4022
		if (!is_broadcast_ether_addr(bssid))
4023
			return false;
4024 4025
		if (!multicast &&
		    !ether_addr_equal(sdata->dev->dev_addr, hdr->addr1))
4026
			return false;
4027
		if (!rx->sta) {
4028
			int rate_idx;
4029
			if (status->encoding != RX_ENC_LEGACY)
4030 4031 4032 4033 4034 4035
				rate_idx = 0; /* TODO: HT rates */
			else
				rate_idx = status->rate_idx;
			ieee80211_ocb_rx_no_sta(sdata, bssid, hdr->addr2,
						BIT(rate_idx));
		}
4036
		return true;
4037
	case NL80211_IFTYPE_MESH_POINT:
4038 4039
		if (ether_addr_equal(sdata->vif.addr, hdr->addr2))
			return false;
4040 4041 4042
		if (multicast)
			return true;
		return ether_addr_equal(sdata->vif.addr, hdr->addr1);
4043 4044
	case NL80211_IFTYPE_AP_VLAN:
	case NL80211_IFTYPE_AP:
4045 4046 4047 4048
		if (!bssid)
			return ether_addr_equal(sdata->vif.addr, hdr->addr1);

		if (!ieee80211_bssid_match(bssid, sdata->vif.addr)) {
4049 4050 4051 4052 4053 4054
			/*
			 * Accept public action frames even when the
			 * BSSID doesn't match, this is used for P2P
			 * and location updates. Note that mac80211
			 * itself never looks at these frames.
			 */
4055 4056
			if (!multicast &&
			    !ether_addr_equal(sdata->vif.addr, hdr->addr1))
4057
				return false;
J
Johannes Berg 已提交
4058
			if (ieee80211_is_public_action(hdr, skb->len))
4059
				return true;
4060
			return ieee80211_is_beacon(hdr->frame_control);
4061 4062 4063
		}

		if (!ieee80211_has_tods(hdr->frame_control)) {
4064 4065 4066 4067 4068
			/* ignore data frames to TDLS-peers */
			if (ieee80211_is_data(hdr->frame_control))
				return false;
			/* ignore action frames to TDLS-peers */
			if (ieee80211_is_action(hdr->frame_control) &&
4069
			    !is_broadcast_ether_addr(bssid) &&
4070 4071
			    !ether_addr_equal(bssid, hdr->addr1))
				return false;
4072
		}
4073 4074 4075 4076 4077 4078 4079 4080 4081 4082 4083 4084 4085 4086 4087 4088 4089 4090 4091 4092 4093

		/*
		 * 802.11-2016 Table 9-26 says that for data frames, A1 must be
		 * the BSSID - we've checked that already but may have accepted
		 * the wildcard (ff:ff:ff:ff:ff:ff).
		 *
		 * It also says:
		 *	The BSSID of the Data frame is determined as follows:
		 *	a) If the STA is contained within an AP or is associated
		 *	   with an AP, the BSSID is the address currently in use
		 *	   by the STA contained in the AP.
		 *
		 * So we should not accept data frames with an address that's
		 * multicast.
		 *
		 * Accepting it also opens a security problem because stations
		 * could encrypt it with the GTK and inject traffic that way.
		 */
		if (ieee80211_is_data(hdr->frame_control) && multicast)
			return false;

4094
		return true;
4095
	case NL80211_IFTYPE_WDS:
4096
		if (bssid || !ieee80211_is_data(hdr->frame_control))
4097
			return false;
4098
		return ether_addr_equal(sdata->u.wds.remote_addr, hdr->addr2);
4099
	case NL80211_IFTYPE_P2P_DEVICE:
4100 4101 4102 4103
		return ieee80211_is_public_action(hdr, skb->len) ||
		       ieee80211_is_probe_req(hdr->frame_control) ||
		       ieee80211_is_probe_resp(hdr->frame_control) ||
		       ieee80211_is_beacon(hdr->frame_control);
4104 4105 4106
	case NL80211_IFTYPE_NAN:
		/* Currently no frames on NAN interface are allowed */
		return false;
4107
	default:
J
Johannes Berg 已提交
4108
		break;
4109 4110
	}

4111 4112
	WARN_ON_ONCE(1);
	return false;
4113 4114
}

J
Johannes Berg 已提交
4115 4116 4117 4118 4119 4120 4121 4122 4123 4124 4125 4126 4127 4128 4129 4130 4131 4132 4133 4134
void ieee80211_check_fast_rx(struct sta_info *sta)
{
	struct ieee80211_sub_if_data *sdata = sta->sdata;
	struct ieee80211_local *local = sdata->local;
	struct ieee80211_key *key;
	struct ieee80211_fast_rx fastrx = {
		.dev = sdata->dev,
		.vif_type = sdata->vif.type,
		.control_port_protocol = sdata->control_port_protocol,
	}, *old, *new = NULL;
	bool assign = false;

	/* use sparse to check that we don't return without updating */
	__acquire(check_fast_rx);

	BUILD_BUG_ON(sizeof(fastrx.rfc1042_hdr) != sizeof(rfc1042_header));
	BUILD_BUG_ON(sizeof(fastrx.rfc1042_hdr) != ETH_ALEN);
	ether_addr_copy(fastrx.rfc1042_hdr, rfc1042_header);
	ether_addr_copy(fastrx.vif_addr, sdata->vif.addr);

4135 4136
	fastrx.uses_rss = ieee80211_hw_check(&local->hw, USES_RSS);

J
Johannes Berg 已提交
4137 4138 4139 4140 4141 4142 4143 4144 4145 4146 4147 4148 4149 4150 4151 4152 4153
	/* fast-rx doesn't do reordering */
	if (ieee80211_hw_check(&local->hw, AMPDU_AGGREGATION) &&
	    !ieee80211_hw_check(&local->hw, SUPPORTS_REORDERING_BUFFER))
		goto clear;

	switch (sdata->vif.type) {
	case NL80211_IFTYPE_STATION:
		if (sta->sta.tdls) {
			fastrx.da_offs = offsetof(struct ieee80211_hdr, addr1);
			fastrx.sa_offs = offsetof(struct ieee80211_hdr, addr2);
			fastrx.expected_ds_bits = 0;
		} else {
			fastrx.da_offs = offsetof(struct ieee80211_hdr, addr1);
			fastrx.sa_offs = offsetof(struct ieee80211_hdr, addr3);
			fastrx.expected_ds_bits =
				cpu_to_le16(IEEE80211_FCTL_FROMDS);
		}
4154

4155 4156 4157 4158 4159 4160 4161
		if (sdata->u.mgd.use_4addr && !sta->sta.tdls) {
			fastrx.expected_ds_bits |=
				cpu_to_le16(IEEE80211_FCTL_TODS);
			fastrx.da_offs = offsetof(struct ieee80211_hdr, addr3);
			fastrx.sa_offs = offsetof(struct ieee80211_hdr, addr4);
		}

4162 4163 4164 4165 4166 4167 4168 4169 4170
		if (!sdata->u.mgd.powersave)
			break;

		/* software powersave is a huge mess, avoid all of it */
		if (ieee80211_hw_check(&local->hw, PS_NULLFUNC_STACK))
			goto clear;
		if (ieee80211_hw_check(&local->hw, SUPPORTS_PS) &&
		    !ieee80211_hw_check(&local->hw, SUPPORTS_DYNAMIC_PS))
			goto clear;
J
Johannes Berg 已提交
4171 4172 4173 4174 4175 4176 4177 4178 4179 4180 4181 4182 4183 4184 4185 4186
		break;
	case NL80211_IFTYPE_AP_VLAN:
	case NL80211_IFTYPE_AP:
		/* parallel-rx requires this, at least with calls to
		 * ieee80211_sta_ps_transition()
		 */
		if (!ieee80211_hw_check(&local->hw, AP_LINK_PS))
			goto clear;
		fastrx.da_offs = offsetof(struct ieee80211_hdr, addr3);
		fastrx.sa_offs = offsetof(struct ieee80211_hdr, addr2);
		fastrx.expected_ds_bits = cpu_to_le16(IEEE80211_FCTL_TODS);

		fastrx.internal_forward =
			!(sdata->flags & IEEE80211_SDATA_DONT_BRIDGE_PACKETS) &&
			(sdata->vif.type != NL80211_IFTYPE_AP_VLAN ||
			 !sdata->u.vlan.sta);
4187 4188 4189 4190 4191 4192 4193 4194 4195

		if (sdata->vif.type == NL80211_IFTYPE_AP_VLAN &&
		    sdata->u.vlan.sta) {
			fastrx.expected_ds_bits |=
				cpu_to_le16(IEEE80211_FCTL_FROMDS);
			fastrx.sa_offs = offsetof(struct ieee80211_hdr, addr4);
			fastrx.internal_forward = 0;
		}

J
Johannes Berg 已提交
4196 4197 4198 4199 4200 4201 4202 4203 4204 4205 4206 4207 4208 4209 4210 4211 4212 4213 4214 4215 4216
		break;
	default:
		goto clear;
	}

	if (!test_sta_flag(sta, WLAN_STA_AUTHORIZED))
		goto clear;

	rcu_read_lock();
	key = rcu_dereference(sta->ptk[sta->ptk_idx]);
	if (key) {
		switch (key->conf.cipher) {
		case WLAN_CIPHER_SUITE_TKIP:
			/* we don't want to deal with MMIC in fast-rx */
			goto clear_rcu;
		case WLAN_CIPHER_SUITE_CCMP:
		case WLAN_CIPHER_SUITE_CCMP_256:
		case WLAN_CIPHER_SUITE_GCMP:
		case WLAN_CIPHER_SUITE_GCMP_256:
			break;
		default:
4217 4218
			/* We also don't want to deal with
			 * WEP or cipher scheme.
J
Johannes Berg 已提交
4219 4220 4221 4222 4223 4224 4225 4226 4227 4228 4229 4230 4231 4232 4233 4234 4235 4236 4237 4238 4239 4240 4241 4242 4243 4244 4245 4246 4247 4248 4249 4250 4251 4252 4253 4254 4255 4256 4257 4258 4259 4260 4261 4262 4263 4264
			 */
			goto clear_rcu;
		}

		fastrx.key = true;
		fastrx.icv_len = key->conf.icv_len;
	}

	assign = true;
 clear_rcu:
	rcu_read_unlock();
 clear:
	__release(check_fast_rx);

	if (assign)
		new = kmemdup(&fastrx, sizeof(fastrx), GFP_KERNEL);

	spin_lock_bh(&sta->lock);
	old = rcu_dereference_protected(sta->fast_rx, true);
	rcu_assign_pointer(sta->fast_rx, new);
	spin_unlock_bh(&sta->lock);

	if (old)
		kfree_rcu(old, rcu_head);
}

void ieee80211_clear_fast_rx(struct sta_info *sta)
{
	struct ieee80211_fast_rx *old;

	spin_lock_bh(&sta->lock);
	old = rcu_dereference_protected(sta->fast_rx, true);
	RCU_INIT_POINTER(sta->fast_rx, NULL);
	spin_unlock_bh(&sta->lock);

	if (old)
		kfree_rcu(old, rcu_head);
}

void __ieee80211_check_fast_rx_iface(struct ieee80211_sub_if_data *sdata)
{
	struct ieee80211_local *local = sdata->local;
	struct sta_info *sta;

	lockdep_assert_held(&local->sta_mtx);

4265
	list_for_each_entry(sta, &local->sta_list, list) {
J
Johannes Berg 已提交
4266 4267 4268 4269 4270 4271 4272 4273 4274 4275 4276 4277 4278 4279 4280 4281 4282 4283 4284 4285 4286 4287 4288 4289
		if (sdata != sta->sdata &&
		    (!sta->sdata->bss || sta->sdata->bss != sdata->bss))
			continue;
		ieee80211_check_fast_rx(sta);
	}
}

void ieee80211_check_fast_rx_iface(struct ieee80211_sub_if_data *sdata)
{
	struct ieee80211_local *local = sdata->local;

	mutex_lock(&local->sta_mtx);
	__ieee80211_check_fast_rx_iface(sdata);
	mutex_unlock(&local->sta_mtx);
}

static bool ieee80211_invoke_fast_rx(struct ieee80211_rx_data *rx,
				     struct ieee80211_fast_rx *fast_rx)
{
	struct sk_buff *skb = rx->skb;
	struct ieee80211_hdr *hdr = (void *)skb->data;
	struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(skb);
	struct sta_info *sta = rx->sta;
	int orig_len = skb->len;
4290 4291
	int hdrlen = ieee80211_hdrlen(hdr->frame_control);
	int snap_offs = hdrlen;
J
Johannes Berg 已提交
4292 4293 4294 4295 4296 4297 4298 4299
	struct {
		u8 snap[sizeof(rfc1042_header)];
		__be16 proto;
	} *payload __aligned(2);
	struct {
		u8 da[ETH_ALEN];
		u8 sa[ETH_ALEN];
	} addrs __aligned(2);
4300 4301 4302 4303
	struct ieee80211_sta_rx_stats *stats = &sta->rx_stats;

	if (fast_rx->uses_rss)
		stats = this_cpu_ptr(sta->pcpu_rx_stats);
J
Johannes Berg 已提交
4304 4305 4306 4307 4308 4309 4310 4311 4312 4313 4314 4315 4316 4317 4318 4319 4320 4321 4322 4323 4324 4325 4326 4327 4328 4329 4330 4331 4332 4333 4334 4335 4336 4337 4338 4339 4340 4341 4342

	/* for parallel-rx, we need to have DUP_VALIDATED, otherwise we write
	 * to a common data structure; drivers can implement that per queue
	 * but we don't have that information in mac80211
	 */
	if (!(status->flag & RX_FLAG_DUP_VALIDATED))
		return false;

#define FAST_RX_CRYPT_FLAGS	(RX_FLAG_PN_VALIDATED | RX_FLAG_DECRYPTED)

	/* If using encryption, we also need to have:
	 *  - PN_VALIDATED: similar, but the implementation is tricky
	 *  - DECRYPTED: necessary for PN_VALIDATED
	 */
	if (fast_rx->key &&
	    (status->flag & FAST_RX_CRYPT_FLAGS) != FAST_RX_CRYPT_FLAGS)
		return false;

	if (unlikely(!ieee80211_is_data_present(hdr->frame_control)))
		return false;

	if (unlikely(ieee80211_is_frag(hdr)))
		return false;

	/* Since our interface address cannot be multicast, this
	 * implicitly also rejects multicast frames without the
	 * explicit check.
	 *
	 * We shouldn't get any *data* frames not addressed to us
	 * (AP mode will accept multicast *management* frames), but
	 * punting here will make it go through the full checks in
	 * ieee80211_accept_frame().
	 */
	if (!ether_addr_equal(fast_rx->vif_addr, hdr->addr1))
		return false;

	if ((hdr->frame_control & cpu_to_le16(IEEE80211_FCTL_FROMDS |
					      IEEE80211_FCTL_TODS)) !=
	    fast_rx->expected_ds_bits)
4343
		return false;
J
Johannes Berg 已提交
4344 4345 4346 4347 4348 4349 4350 4351 4352

	/* assign the key to drop unencrypted frames (later)
	 * and strip the IV/MIC if necessary
	 */
	if (fast_rx->key && !(status->flag & RX_FLAG_IV_STRIPPED)) {
		/* GCMP header length is the same */
		snap_offs += IEEE80211_CCMP_HDR_LEN;
	}

4353 4354 4355
	if (!(status->rx_flags & IEEE80211_RX_AMSDU)) {
		if (!pskb_may_pull(skb, snap_offs + sizeof(*payload)))
			goto drop;
J
Johannes Berg 已提交
4356

4357
		payload = (void *)(skb->data + snap_offs);
J
Johannes Berg 已提交
4358

4359 4360 4361 4362 4363 4364 4365 4366 4367 4368 4369 4370
		if (!ether_addr_equal(payload->snap, fast_rx->rfc1042_hdr))
			return false;

		/* Don't handle these here since they require special code.
		 * Accept AARP and IPX even though they should come with a
		 * bridge-tunnel header - but if we get them this way then
		 * there's little point in discarding them.
		 */
		if (unlikely(payload->proto == cpu_to_be16(ETH_P_TDLS) ||
			     payload->proto == fast_rx->control_port_protocol))
			return false;
	}
J
Johannes Berg 已提交
4371 4372 4373 4374 4375 4376 4377 4378 4379

	/* after this point, don't punt to the slowpath! */

	if (rx->key && !(status->flag & RX_FLAG_MIC_STRIPPED) &&
	    pskb_trim(skb, skb->len - fast_rx->icv_len))
		goto drop;

	/* statistics part of ieee80211_rx_h_sta_process() */
	if (!(status->flag & RX_FLAG_NO_SIGNAL_VAL)) {
4380 4381 4382 4383
		stats->last_signal = status->signal;
		if (!fast_rx->uses_rss)
			ewma_signal_add(&sta->rx_stats_avg.signal,
					-status->signal);
J
Johannes Berg 已提交
4384 4385 4386 4387 4388
	}

	if (status->chains) {
		int i;

4389
		stats->chains = status->chains;
J
Johannes Berg 已提交
4390 4391 4392 4393 4394 4395
		for (i = 0; i < ARRAY_SIZE(status->chain_signal); i++) {
			int signal = status->chain_signal[i];

			if (!(status->chains & BIT(i)))
				continue;

4396 4397 4398 4399
			stats->chain_signal_last[i] = signal;
			if (!fast_rx->uses_rss)
				ewma_signal_add(&sta->rx_stats_avg.chain_signal[i],
						-signal);
J
Johannes Berg 已提交
4400 4401 4402 4403 4404 4405 4406
		}
	}
	/* end of statistics */

	if (rx->key && !ieee80211_has_protected(hdr->frame_control))
		goto drop;

4407 4408 4409 4410 4411 4412 4413 4414 4415 4416 4417 4418 4419 4420
	if (status->rx_flags & IEEE80211_RX_AMSDU) {
		if (__ieee80211_rx_h_amsdu(rx, snap_offs - hdrlen) !=
		    RX_QUEUED)
			goto drop;

		return true;
	}

	stats->last_rx = jiffies;
	stats->last_rate = sta_stats_encode_rate(status);

	stats->fragments++;
	stats->packets++;

J
Johannes Berg 已提交
4421 4422 4423 4424 4425 4426 4427 4428 4429 4430 4431 4432 4433 4434 4435 4436 4437
	/* do the header conversion - first grab the addresses */
	ether_addr_copy(addrs.da, skb->data + fast_rx->da_offs);
	ether_addr_copy(addrs.sa, skb->data + fast_rx->sa_offs);
	/* remove the SNAP but leave the ethertype */
	skb_pull(skb, snap_offs + sizeof(rfc1042_header));
	/* push the addresses in front */
	memcpy(skb_push(skb, sizeof(addrs)), &addrs, sizeof(addrs));

	skb->dev = fast_rx->dev;

	ieee80211_rx_stats(fast_rx->dev, skb->len);

	/* The seqno index has the same property as needed
	 * for the rx_msdu field, i.e. it is IEEE80211_NUM_TIDS
	 * for non-QoS-data frames. Here we know it's a data
	 * frame, so count MSDUs.
	 */
4438 4439 4440 4441
	u64_stats_update_begin(&stats->syncp);
	stats->msdu[rx->seqno_idx]++;
	stats->bytes += orig_len;
	u64_stats_update_end(&stats->syncp);
J
Johannes Berg 已提交
4442 4443

	if (fast_rx->internal_forward) {
4444
		struct sk_buff *xmit_skb = NULL;
4445
		if (is_multicast_ether_addr(addrs.da)) {
4446
			xmit_skb = skb_copy(skb, GFP_ATOMIC);
4447 4448
		} else if (!ether_addr_equal(addrs.da, addrs.sa) &&
			   sta_info_get(rx->sdata, addrs.da)) {
4449 4450 4451
			xmit_skb = skb;
			skb = NULL;
		}
J
Johannes Berg 已提交
4452

4453
		if (xmit_skb) {
J
Johannes Berg 已提交
4454 4455 4456 4457 4458
			/*
			 * Send to wireless media and increase priority by 256
			 * to keep the received priority instead of
			 * reclassifying the frame (see cfg80211_classify8021d).
			 */
4459 4460 4461 4462 4463
			xmit_skb->priority += 256;
			xmit_skb->protocol = htons(ETH_P_802_3);
			skb_reset_network_header(xmit_skb);
			skb_reset_mac_header(xmit_skb);
			dev_queue_xmit(xmit_skb);
J
Johannes Berg 已提交
4464
		}
4465 4466 4467

		if (!skb)
			return true;
J
Johannes Berg 已提交
4468 4469 4470 4471 4472
	}

	/* deliver to local stack */
	skb->protocol = eth_type_trans(skb, fast_rx->dev);
	memset(skb->cb, 0, sizeof(skb->cb));
4473 4474
	if (rx->list)
		list_add_tail(&skb->list, rx->list);
J
Johannes Berg 已提交
4475 4476 4477 4478 4479 4480
	else
		netif_receive_skb(skb);

	return true;
 drop:
	dev_kfree_skb(skb);
4481
	stats->dropped++;
J
Johannes Berg 已提交
4482 4483 4484
	return true;
}

4485 4486 4487 4488 4489 4490 4491 4492 4493 4494 4495 4496 4497 4498
/*
 * This function returns whether or not the SKB
 * was destined for RX processing or not, which,
 * if consume is true, is equivalent to whether
 * or not the skb was consumed.
 */
static bool ieee80211_prepare_and_rx_handle(struct ieee80211_rx_data *rx,
					    struct sk_buff *skb, bool consume)
{
	struct ieee80211_local *local = rx->local;
	struct ieee80211_sub_if_data *sdata = rx->sdata;

	rx->skb = skb;

J
Johannes Berg 已提交
4499 4500 4501 4502 4503 4504 4505 4506 4507 4508 4509 4510 4511 4512 4513
	/* See if we can do fast-rx; if we have to copy we already lost,
	 * so punt in that case. We should never have to deliver a data
	 * frame to multiple interfaces anyway.
	 *
	 * We skip the ieee80211_accept_frame() call and do the necessary
	 * checking inside ieee80211_invoke_fast_rx().
	 */
	if (consume && rx->sta) {
		struct ieee80211_fast_rx *fast_rx;

		fast_rx = rcu_dereference(rx->sta->fast_rx);
		if (fast_rx && ieee80211_invoke_fast_rx(rx, fast_rx))
			return true;
	}

4514
	if (!ieee80211_accept_frame(rx))
4515 4516 4517 4518 4519 4520 4521
		return false;

	if (!consume) {
		skb = skb_copy(skb, GFP_ATOMIC);
		if (!skb) {
			if (net_ratelimit())
				wiphy_debug(local->hw.wiphy,
4522
					"failed to copy skb for %s\n",
4523 4524 4525 4526 4527 4528 4529 4530 4531 4532 4533
					sdata->name);
			return true;
		}

		rx->skb = skb;
	}

	ieee80211_invoke_rx_handlers(rx);
	return true;
}

4534
/*
4535
 * This is the actual Rx frames handler. as it belongs to Rx path it must
4536
 * be called with rcu_read_lock protection.
4537
 */
4538
static void __ieee80211_rx_handle_packet(struct ieee80211_hw *hw,
4539
					 struct ieee80211_sta *pubsta,
4540
					 struct sk_buff *skb,
4541
					 struct list_head *list)
4542 4543 4544 4545
{
	struct ieee80211_local *local = hw_to_local(hw);
	struct ieee80211_sub_if_data *sdata;
	struct ieee80211_hdr *hdr;
Z
Zhu Yi 已提交
4546
	__le16 fc;
4547
	struct ieee80211_rx_data rx;
4548
	struct ieee80211_sub_if_data *prev;
4549
	struct rhlist_head *tmp;
Z
Zhu Yi 已提交
4550
	int err = 0;
4551

Z
Zhu Yi 已提交
4552
	fc = ((struct ieee80211_hdr *)skb->data)->frame_control;
4553 4554 4555
	memset(&rx, 0, sizeof(rx));
	rx.skb = skb;
	rx.local = local;
4556
	rx.list = list;
4557

Z
Zhu Yi 已提交
4558
	if (ieee80211_is_data(fc) || ieee80211_is_mgmt(fc))
4559
		I802_DEBUG_INC(local->dot11ReceivedFragmentCount);
4560

4561 4562 4563 4564 4565 4566 4567
	if (ieee80211_is_mgmt(fc)) {
		/* drop frame if too short for header */
		if (skb->len < ieee80211_hdrlen(fc))
			err = -ENOBUFS;
		else
			err = skb_linearize(skb);
	} else {
Z
Zhu Yi 已提交
4568
		err = !pskb_may_pull(skb, ieee80211_hdrlen(fc));
4569
	}
Z
Zhu Yi 已提交
4570 4571 4572 4573 4574 4575 4576

	if (err) {
		dev_kfree_skb(skb);
		return;
	}

	hdr = (struct ieee80211_hdr *)skb->data;
4577
	ieee80211_parse_qos(&rx);
4578
	ieee80211_verify_alignment(&rx);
4579

J
Johannes Berg 已提交
4580
	if (unlikely(ieee80211_is_probe_resp(hdr->frame_control) ||
4581 4582
		     ieee80211_is_beacon(hdr->frame_control) ||
		     ieee80211_is_s1g_beacon(hdr->frame_control)))
J
Johannes Berg 已提交
4583 4584
		ieee80211_scan_rx(local, skb);

4585
	if (ieee80211_is_data(fc)) {
4586
		struct sta_info *sta, *prev_sta;
4587

4588 4589 4590 4591 4592 4593 4594 4595
		if (pubsta) {
			rx.sta = container_of(pubsta, struct sta_info, sta);
			rx.sdata = rx.sta->sdata;
			if (ieee80211_prepare_and_rx_handle(&rx, skb, true))
				return;
			goto out;
		}

4596
		prev_sta = NULL;
4597

4598
		for_each_sta_info(local, hdr->addr2, sta, tmp) {
4599 4600 4601 4602 4603 4604 4605
			if (!prev_sta) {
				prev_sta = sta;
				continue;
			}

			rx.sta = prev_sta;
			rx.sdata = prev_sta->sdata;
4606
			ieee80211_prepare_and_rx_handle(&rx, skb, false);
4607

4608
			prev_sta = sta;
4609
		}
4610 4611 4612 4613 4614

		if (prev_sta) {
			rx.sta = prev_sta;
			rx.sdata = prev_sta->sdata;

4615
			if (ieee80211_prepare_and_rx_handle(&rx, skb, true))
4616
				return;
4617
			goto out;
4618
		}
4619 4620
	}

4621
	prev = NULL;
4622

4623 4624 4625
	list_for_each_entry_rcu(sdata, &local->interfaces, list) {
		if (!ieee80211_sdata_running(sdata))
			continue;
J
Johannes Berg 已提交
4626

4627 4628 4629
		if (sdata->vif.type == NL80211_IFTYPE_MONITOR ||
		    sdata->vif.type == NL80211_IFTYPE_AP_VLAN)
			continue;
J
Johannes Berg 已提交
4630

4631 4632 4633 4634 4635
		/*
		 * frame is destined for this interface, but if it's
		 * not also for the previous one we handle that after
		 * the loop to avoid copying the SKB once too much
		 */
4636

4637
		if (!prev) {
4638
			prev = sdata;
4639
			continue;
J
Johannes Berg 已提交
4640
		}
4641

4642
		rx.sta = sta_info_get_bss(prev, hdr->addr2);
4643 4644
		rx.sdata = prev;
		ieee80211_prepare_and_rx_handle(&rx, skb, false);
4645

4646 4647 4648 4649
		prev = sdata;
	}

	if (prev) {
4650
		rx.sta = sta_info_get_bss(prev, hdr->addr2);
4651
		rx.sdata = prev;
4652

4653 4654
		if (ieee80211_prepare_and_rx_handle(&rx, skb, true))
			return;
4655
	}
4656

4657
 out:
4658
	dev_kfree_skb(skb);
4659
}
4660 4661 4662 4663 4664

/*
 * This is the receive path handler. It is called by a low level driver when an
 * 802.11 MPDU is received from the hardware.
 */
4665 4666
void ieee80211_rx_list(struct ieee80211_hw *hw, struct ieee80211_sta *pubsta,
		       struct sk_buff *skb, struct list_head *list)
4667 4668
{
	struct ieee80211_local *local = hw_to_local(hw);
4669 4670
	struct ieee80211_rate *rate = NULL;
	struct ieee80211_supported_band *sband;
4671
	struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(skb);
4672

4673 4674
	WARN_ON_ONCE(softirq_count() == 0);

4675
	if (WARN_ON(status->band >= NUM_NL80211_BANDS))
J
Johannes Berg 已提交
4676
		goto drop;
4677 4678

	sband = local->hw.wiphy->bands[status->band];
J
Johannes Berg 已提交
4679 4680
	if (WARN_ON(!sband))
		goto drop;
4681

J
Johannes Berg 已提交
4682 4683 4684 4685 4686 4687 4688
	/*
	 * If we're suspending, it is possible although not too likely
	 * that we'd be receiving frames after having already partially
	 * quiesced the stack. We can't process such frames then since
	 * that might, for example, cause stations to be added or other
	 * driver callbacks be invoked.
	 */
J
Johannes Berg 已提交
4689 4690
	if (unlikely(local->quiescing || local->suspended))
		goto drop;
J
Johannes Berg 已提交
4691

4692 4693 4694 4695
	/* We might be during a HW reconfig, prevent Rx for the same reason */
	if (unlikely(local->in_reconfig))
		goto drop;

4696 4697 4698 4699
	/*
	 * The same happens when we're not even started,
	 * but that's worth a warning.
	 */
J
Johannes Berg 已提交
4700 4701
	if (WARN_ON(!local->started))
		goto drop;
4702

4703
	if (likely(!(status->flag & RX_FLAG_FAILED_PLCP_CRC))) {
4704
		/*
4705 4706
		 * Validate the rate, unless a PLCP error means that
		 * we probably can't have a valid rate here anyway.
4707
		 */
4708

4709 4710
		switch (status->encoding) {
		case RX_ENC_HT:
4711 4712 4713 4714
			/*
			 * rate_idx is MCS index, which can be [0-76]
			 * as documented on:
			 *
4715
			 * https://wireless.wiki.kernel.org/en/developers/Documentation/ieee80211/802.11n
4716 4717 4718 4719 4720
			 *
			 * Anything else would be some sort of driver or
			 * hardware error. The driver should catch hardware
			 * errors.
			 */
J
Johannes Berg 已提交
4721
			if (WARN(status->rate_idx > 76,
4722 4723 4724 4725 4726 4727
				 "Rate marked as an HT rate but passed "
				 "status->rate_idx is not "
				 "an MCS index [0-76]: %d (0x%02x)\n",
				 status->rate_idx,
				 status->rate_idx))
				goto drop;
4728 4729
			break;
		case RX_ENC_VHT:
4730
			if (WARN_ONCE(status->rate_idx > 9 ||
4731 4732
				      !status->nss ||
				      status->nss > 8,
4733
				      "Rate marked as a VHT rate but data is invalid: MCS: %d, NSS: %d\n",
4734
				      status->rate_idx, status->nss))
4735
				goto drop;
4736
			break;
L
Luca Coelho 已提交
4737 4738 4739 4740 4741 4742 4743 4744
		case RX_ENC_HE:
			if (WARN_ONCE(status->rate_idx > 11 ||
				      !status->nss ||
				      status->nss > 8,
				      "Rate marked as an HE rate but data is invalid: MCS: %d, NSS: %d\n",
				      status->rate_idx, status->nss))
				goto drop;
			break;
4745 4746
		default:
			WARN_ON_ONCE(1);
4747
			fallthrough;
4748
		case RX_ENC_LEGACY:
J
Johannes Berg 已提交
4749
			if (WARN_ON(status->rate_idx >= sband->n_bitrates))
4750 4751 4752
				goto drop;
			rate = &sband->bitrates[status->rate_idx];
		}
4753
	}
4754

4755 4756
	status->rx_flags = 0;

4757 4758 4759 4760 4761 4762
	/*
	 * Frames with failed FCS/PLCP checksum are not returned,
	 * all other frames are returned without radiotap header
	 * if it was previously present.
	 * Also, frames with less than 16 bytes are dropped.
	 */
4763
	skb = ieee80211_rx_monitor(local, skb, rate);
4764
	if (!skb)
4765 4766
		return;

4767 4768 4769
	ieee80211_tpt_led_trig_rx(local,
			((struct ieee80211_hdr *)skb->data)->frame_control,
			skb->len);
4770

4771
	__ieee80211_rx_handle_packet(hw, pubsta, skb, list);
J
Johannes Berg 已提交
4772 4773 4774 4775

	return;
 drop:
	kfree_skb(skb);
4776
}
4777 4778 4779 4780 4781 4782 4783 4784 4785 4786 4787 4788 4789 4790 4791 4792 4793 4794 4795 4796 4797 4798 4799 4800 4801 4802 4803 4804
EXPORT_SYMBOL(ieee80211_rx_list);

void ieee80211_rx_napi(struct ieee80211_hw *hw, struct ieee80211_sta *pubsta,
		       struct sk_buff *skb, struct napi_struct *napi)
{
	struct sk_buff *tmp;
	LIST_HEAD(list);


	/*
	 * key references and virtual interfaces are protected using RCU
	 * and this requires that we are in a read-side RCU section during
	 * receive processing
	 */
	rcu_read_lock();
	ieee80211_rx_list(hw, pubsta, skb, &list);
	rcu_read_unlock();

	if (!napi) {
		netif_receive_skb_list(&list);
		return;
	}

	list_for_each_entry_safe(skb, tmp, &list, list) {
		skb_list_del_init(skb);
		napi_gro_receive(napi, skb);
	}
}
4805
EXPORT_SYMBOL(ieee80211_rx_napi);
4806 4807 4808

/* This is a version of the rx handler that can be called from hard irq
 * context. Post the skb on the queue and schedule the tasklet */
4809
void ieee80211_rx_irqsafe(struct ieee80211_hw *hw, struct sk_buff *skb)
4810 4811 4812 4813 4814 4815 4816 4817 4818 4819
{
	struct ieee80211_local *local = hw_to_local(hw);

	BUILD_BUG_ON(sizeof(struct ieee80211_rx_status) > sizeof(skb->cb));

	skb->pkt_type = IEEE80211_RX_MSG;
	skb_queue_tail(&local->skb_queue, skb);
	tasklet_schedule(&local->tasklet);
}
EXPORT_SYMBOL(ieee80211_rx_irqsafe);